diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
index 07e7bc4be0d..c86fc85e347 100644
--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
@@ -608,6 +608,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Convert aws s3 to v2 input {pull}20005[20005]
 - New Cisco Umbrella dataset {pull}21504[21504]
 - New juniper.srx dataset for Juniper SRX logs. {pull}20017[20017]
+- Adding support for Microsoft 365 Defender (Microsoft Threat Protection) {pull}21446[21446]
 
 *Heartbeat*
 
diff --git a/filebeat/docs/fields.asciidoc b/filebeat/docs/fields.asciidoc
index a2f19000095..e7c2d35ff37 100644
--- a/filebeat/docs/fields.asciidoc
+++ b/filebeat/docs/fields.asciidoc
@@ -95523,6 +95523,433 @@ type: keyword -- +[float] +=== microsoft.m365_defender + +Module for ingesting Microsoft Defender ATP. + + + +*`microsoft.m365_defender.incidentId`*:: ++ +-- +Unique identifier to represent the incident. + + +type: keyword + +-- + +*`microsoft.m365_defender.redirectIncidentId`*:: ++ +-- +Only populated in case an incident is being grouped together with another incident, as part of the incident processing logic. + + +type: keyword + +-- + +*`microsoft.m365_defender.incidentName`*:: ++ +-- +Name of the Incident. + + +type: keyword + +-- + +*`microsoft.m365_defender.determination`*:: ++ +-- +Specifies the determination of the incident. The property values are: NotAvailable, Apt, Malware, SecurityPersonnel, SecurityTesting, UnwantedSoftware, Other. + + +type: keyword + +-- + +*`microsoft.m365_defender.investigationState`*:: ++ +-- +The current state of the Investigation. + + +type: keyword + +-- + +*`microsoft.m365_defender.assignedTo`*:: ++ +-- +Owner of the alert. + + +type: keyword + +-- + +*`microsoft.m365_defender.tags`*:: ++ +-- +Array of custom tags associated with an incident, for example to flag a group of incidents with a common characteristic. + + +type: keyword + +-- + +*`microsoft.m365_defender.status`*:: ++ +-- +Specifies the current status of the alert. Possible values are: 'Unknown', 'New', 'InProgress' and 'Resolved'. + + +type: keyword + +-- + +*`microsoft.m365_defender.classification`*:: ++ +-- +Specification of the alert. Possible values are: 'Unknown', 'FalsePositive', 'TruePositive'. + + +type: keyword + +-- + +*`microsoft.m365_defender.alerts.incidentId`*:: ++ +-- +Unique identifier to represent the incident this alert is associated with. + + +type: keyword + +-- + +*`microsoft.m365_defender.alerts.resolvedTime`*:: ++ +-- +Time when alert was resolved. + + +type: date + +-- + +*`microsoft.m365_defender.alerts.status`*:: ++ +-- +Categorize alerts (as New, Active, or Resolved). 
+ + +type: keyword + +-- + +*`microsoft.m365_defender.alerts.severity`*:: ++ +-- +The severity of the related alert. + + +type: keyword + +-- + +*`microsoft.m365_defender.alerts.creationTime`*:: ++ +-- +Time when alert was first created. + + +type: date + +-- + +*`microsoft.m365_defender.alerts.lastUpdatedTime`*:: ++ +-- +Time when alert was last updated. + + +type: date + +-- + +*`microsoft.m365_defender.alerts.investigationId`*:: ++ +-- +The automated investigation id triggered by this alert. + + +type: keyword + +-- + +*`microsoft.m365_defender.alerts.userSid`*:: ++ +-- +The SID of the related user + + +type: keyword + +-- + +*`microsoft.m365_defender.alerts.detectionSource`*:: ++ +-- +The service that initially detected the threat. + + +type: keyword + +-- + +*`microsoft.m365_defender.alerts.classification`*:: ++ +-- +The specification for the incident. The property values are: Unknown, FalsePositive, TruePositive or null. + + +type: keyword + +-- + +*`microsoft.m365_defender.alerts.investigationState`*:: ++ +-- +Information on the investigation's current status. + + +type: keyword + +-- + +*`microsoft.m365_defender.alerts.determination`*:: ++ +-- +Specifies the determination of the incident. The property values are: NotAvailable, Apt, Malware, SecurityPersonnel, SecurityTesting, UnwantedSoftware, Other or null + + +type: keyword + +-- + +*`microsoft.m365_defender.alerts.assignedTo`*:: ++ +-- +Owner of the incident, or null if no owner is assigned. + + +type: keyword + +-- + +*`microsoft.m365_defender.alerts.actorName`*:: ++ +-- +The activity group, if any, the associated with this alert. + + +type: keyword + +-- + +*`microsoft.m365_defender.alerts.threatFamilyName`*:: ++ +-- +Threat family associated with this alert. + + +type: keyword + +-- + +*`microsoft.m365_defender.alerts.mitreTechniques`*:: ++ +-- +The attack techniques, as aligned with the MITRE ATT&CK™ framework. 
+ + +type: keyword + +-- + +*`microsoft.m365_defender.alerts.entities.entityType`*:: ++ +-- +Entities that have been identified to be part of, or related to, a given alert. The properties values are: User, Ip, Url, File, Process, MailBox, MailMessage, MailCluster, Registry. + + +type: keyword + +-- + +*`microsoft.m365_defender.alerts.entities.accountName`*:: ++ +-- +Account name of the related user. + + +type: keyword + +-- + +*`microsoft.m365_defender.alerts.entities.mailboxDisplayName`*:: ++ +-- +The display name of the related mailbox. + + +type: keyword + +-- + +*`microsoft.m365_defender.alerts.entities.mailboxAddress`*:: ++ +-- +The mail address of the related mailbox. + + +type: keyword + +-- + +*`microsoft.m365_defender.alerts.entities.clusterBy`*:: ++ +-- +A list of metadata if the entityType is MailCluster. + + +type: keyword + +-- + +*`microsoft.m365_defender.alerts.entities.sender`*:: ++ +-- +The sender for the related email message. + + +type: keyword + +-- + +*`microsoft.m365_defender.alerts.entities.recipient`*:: ++ +-- +The recipient for the related email message. + + +type: keyword + +-- + +*`microsoft.m365_defender.alerts.entities.subject`*:: ++ +-- +The subject for the related email message. + + +type: keyword + +-- + +*`microsoft.m365_defender.alerts.entities.deliveryAction`*:: ++ +-- +The delivery status for the related email message. + + +type: keyword + +-- + +*`microsoft.m365_defender.alerts.entities.securityGroupId`*:: ++ +-- +The Security Group ID for the user related to the email message. + + +type: keyword + +-- + +*`microsoft.m365_defender.alerts.entities.securityGroupName`*:: ++ +-- +The Security Group Name for the user related to the email message. + + +type: keyword + +-- + +*`microsoft.m365_defender.alerts.entities.registryHive`*:: ++ +-- +Reference to which Hive in registry the event is related to, if eventType is registry. Example: HKEY_LOCAL_MACHINE. 
+ + +type: keyword + +-- + +*`microsoft.m365_defender.alerts.entities.registryKey`*:: ++ +-- +Reference to the related registry key to the event. + + +type: keyword + +-- + +*`microsoft.m365_defender.alerts.entities.registryValueType`*:: ++ +-- +Value type of the registry key/value pair related to the event. + + +type: keyword + +-- + +*`microsoft.m365_defender.alerts.entities.deviceId`*:: ++ +-- +The unique ID of the device related to the event. + + +type: keyword + +-- + +*`microsoft.m365_defender.alerts.entities.ipAddress`*:: ++ +-- +The related IP address to the event. + + +type: keyword + +-- + +*`microsoft.m365_defender.alerts.devices`*:: ++ +-- +The devices related to the investigation. + + +type: flattened + +-- + [[exported-fields-misp]] == MISP fields diff --git a/filebeat/docs/modules/microsoft.asciidoc b/filebeat/docs/modules/microsoft.asciidoc index 513ca155be6..5edbbf027d0 100644 --- a/filebeat/docs/modules/microsoft.asciidoc +++ b/filebeat/docs/modules/microsoft.asciidoc @@ -12,7 +12,8 @@ This file is generated! See scripts/docs_collector.py This is a module for ingesting data from the different Microsoft Products. Currently supports these filesets: -- `defender_atp` fileset: Supports Microsoft Defender ATP +- `defender_atp` fileset: Supports Microsoft Defender for Endpoint (Microsoft Defender ATP) +- `m365_defender` fileset: Supports Microsoft 365 Defender (Microsoft Threat Protection) - `dhcp` fileset: Supports Microsoft DHCP logs include::../include/what-happens.asciidoc[] 
@@ -25,6 +26,84 @@ include::../include/configuring-intro.asciidoc[] include::../include/config-option-intro.asciidoc[] +[float] +==== `m365_defender` fileset settings + +beta[] + +To configure access for Filebeat to Microsoft 365 Defender you will have to create a new Azure Application registration, this will again return Oauth tokens with access to the Microsoft 365 Defender API + +The procedure to create an application is found on the below link: + +https://docs.microsoft.com/en-us/microsoft-365/security/mtp/api-create-app-web?view=o365-worldwide#create-an-app[Create a new Azure Application] + +When giving the application the API permissions described in the documentation (Incident.Read.All) it will only grant access to read Incidents from 365 Defender and nothing else in the Azure Domain. + +After the application has been created, it should contain 3 values that you need to apply to the module configuration. + +These values are: + +- Client ID +- Client Secret +- Tenant ID + +Example config: + +[source,yaml] +---- +- module: microsoft + m365_defender: + enabled: true + var.oauth2.client.id: "123abc-879546asd-349587-ad64508" + var.oauth2.client.secret: "980453~-Sg99gedf" + var.oauth2.token_url: "https://login.microsoftonline.com/INSERT-TENANT-ID/oauth2/token" +---- + +*`var.oauth2.client.id`*:: + +This is the client ID related to creating a new application on Azure. + +*`var.oauth2.client.secret`*:: + +The secret related to the client ID. + +*`var.oauth2.token_url`*:: + +A predefined URL towards the Oauth2 service for Microsoft. The URL should always be the same with the exception of the Tenant ID that needs to be added to the full URL. + +[float] +==== 365 Defender ECS fields + +This is a list of 365 Defender fields that are mapped to ECS. 
+ +[options="header"] +|====================================================================== +| 365 Defender Fields | ECS Fields | +| lastUpdateTime | @timestamp | +| severity | event.severity | +| createdTime | event.created | +| alerts.category | threat.technique.name | +| alerts.description | rule.description | +| alerts.serviceSource | event.provider | +| alerts.alertId | event.id | +| alerts.firstActivity | event.start | +| alerts.lastActivity | event.end | +| alerts.title | message | +| entities.processId | process.pid | +| entities.processCommandLine | process.command_line | +| entities.processCreationTime | process.start | +| entities.parentProcessId | process.parent.pid | +| entities.parentProcessCreationTime | process.parent.start | +| entities.sha1 | file.hash.sha1 | +| entities.sha256 | file.hash.sha256 | +| entities.url | url.full | +| entities.filePath | file.path | +| entities.fileName | file.name | +| entities.userPrincipalName | host.user.name | +| entities.domainName | host.user.domain | +| entities.aadUserId | host.user.id | +|====================================================================== + [float] ==== `defender_atp` fileset settings @@ -114,7 +193,7 @@ This module comes with a sample dashboard for Defender ATP. [role="screenshot"] image::./images/filebeat-defender-atp-overview.png[] -The best way to view Defender ATP events and alert data is in the SIEM. +The best way to view Defender ATP events and alert data is in the SIEM. [role="screenshot"] image::./images/siem-alerts-cs.jpg[] diff --git a/x-pack/filebeat/filebeat.reference.yml b/x-pack/filebeat/filebeat.reference.yml index cc994b45cac..2ffff82135e 100644 --- a/x-pack/filebeat/filebeat.reference.yml +++ b/x-pack/filebeat/filebeat.reference.yml 
@@ -1118,7 +1118,20 @@ filebeat.modules:
 
     # Oauth Client Secret
     #var.oauth2.client.secret: ""
-
+
+    # Oauth Token URL, should include the tenant ID
+    #var.oauth2.token_url: "https://login.microsoftonline.com/TENANT-ID/oauth2/token"
+  m365_defender:
+    enabled: true
+    # How often the API should be polled
+    #var.interval: 5m
+
+    # Oauth Client ID
+    #var.oauth2.client.id: ""
+
+    # Oauth Client Secret
+    #var.oauth2.client.secret: ""
+
     # Oauth Token URL, should include the tenant ID
     #var.oauth2.token_url: "https://login.microsoftonline.com/TENANT-ID/oauth2/token"
   dhcp:
diff --git a/x-pack/filebeat/module/microsoft/_meta/config.yml b/x-pack/filebeat/module/microsoft/_meta/config.yml
index 8e793bd2f9c..ee06eea9228 100644
--- a/x-pack/filebeat/module/microsoft/_meta/config.yml
+++ b/x-pack/filebeat/module/microsoft/_meta/config.yml
@@ -10,7 +10,20 @@
 
     # Oauth Client Secret
     #var.oauth2.client.secret: ""
-
+
+    # Oauth Token URL, should include the tenant ID
+    #var.oauth2.token_url: "https://login.microsoftonline.com/TENANT-ID/oauth2/token"
+  m365_defender:
+    enabled: true
+    # How often the API should be polled
+    #var.interval: 5m
+
+    # Oauth Client ID
+    #var.oauth2.client.id: ""
+
+    # Oauth Client Secret
+    #var.oauth2.client.secret: ""
+
     # Oauth Token URL, should include the tenant ID
     #var.oauth2.token_url: "https://login.microsoftonline.com/TENANT-ID/oauth2/token"
   dhcp:
diff --git a/x-pack/filebeat/module/microsoft/_meta/docs.asciidoc b/x-pack/filebeat/module/microsoft/_meta/docs.asciidoc
index 8a3facdc259..7e646e1b4fe 100644
--- a/x-pack/filebeat/module/microsoft/_meta/docs.asciidoc
+++ b/x-pack/filebeat/module/microsoft/_meta/docs.asciidoc
@@ -7,7 +7,8 @@ This is a module for ingesting data from the different Microsoft Products. Currently supports these filesets: -- `defender_atp` fileset: Supports Microsoft Defender ATP +- `defender_atp` fileset: Supports Microsoft Defender for Endpoint (Microsoft Defender ATP) +- `m365_defender` fileset: Supports Microsoft 365 Defender (Microsoft Threat Protection) - `dhcp` fileset: Supports Microsoft DHCP logs include::../include/what-happens.asciidoc[] 
@@ -20,6 +21,84 @@ include::../include/configuring-intro.asciidoc[] include::../include/config-option-intro.asciidoc[] +[float] +==== `m365_defender` fileset settings + +beta[] + +To configure access for Filebeat to Microsoft 365 Defender you will have to create a new Azure Application registration, this will again return Oauth tokens with access to the Microsoft 365 Defender API + +The procedure to create an application is found on the below link: + +https://docs.microsoft.com/en-us/microsoft-365/security/mtp/api-create-app-web?view=o365-worldwide#create-an-app[Create a new Azure Application] + +When giving the application the API permissions described in the documentation (Incident.Read.All) it will only grant access to read Incidents from 365 Defender and nothing else in the Azure Domain. + +After the application has been created, it should contain 3 values that you need to apply to the module configuration. + +These values are: + +- Client ID +- Client Secret +- Tenant ID + +Example config: + +[source,yaml] +---- +- module: microsoft + m365_defender: + enabled: true + var.oauth2.client.id: "123abc-879546asd-349587-ad64508" + var.oauth2.client.secret: "980453~-Sg99gedf" + var.oauth2.token_url: "https://login.microsoftonline.com/INSERT-TENANT-ID/oauth2/token" +---- + +*`var.oauth2.client.id`*:: + +This is the client ID related to creating a new application on Azure. + +*`var.oauth2.client.secret`*:: + +The secret related to the client ID. + +*`var.oauth2.token_url`*:: + +A predefined URL towards the Oauth2 service for Microsoft. The URL should always be the same with the exception of the Tenant ID that needs to be added to the full URL. + +[float] +==== 365 Defender ECS fields + +This is a list of 365 Defender fields that are mapped to ECS. 
+ +[options="header"] +|====================================================================== +| 365 Defender Fields | ECS Fields | +| lastUpdateTime | @timestamp | +| severity | event.severity | +| createdTime | event.created | +| alerts.category | threat.technique.name | +| alerts.description | rule.description | +| alerts.serviceSource | event.provider | +| alerts.alertId | event.id | +| alerts.firstActivity | event.start | +| alerts.lastActivity | event.end | +| alerts.title | message | +| entities.processId | process.pid | +| entities.processCommandLine | process.command_line | +| entities.processCreationTime | process.start | +| entities.parentProcessId | process.parent.pid | +| entities.parentProcessCreationTime | process.parent.start | +| entities.sha1 | file.hash.sha1 | +| entities.sha256 | file.hash.sha256 | +| entities.url | url.full | +| entities.filePath | file.path | +| entities.fileName | file.name | +| entities.userPrincipalName | host.user.name | +| entities.domainName | host.user.domain | +| entities.aadUserId | host.user.id | +|====================================================================== + [float] ==== `defender_atp` fileset settings @@ -109,7 +188,7 @@ This module comes with a sample dashboard for Defender ATP. [role="screenshot"] image::./images/filebeat-defender-atp-overview.png[] -The best way to view Defender ATP events and alert data is in the SIEM. +The best way to view Defender ATP events and alert data is in the SIEM. [role="screenshot"] image::./images/siem-alerts-cs.jpg[] diff --git a/x-pack/filebeat/module/microsoft/fields.go b/x-pack/filebeat/module/microsoft/fields.go index 2576fcb8ac7..d76c98c273d 100644 --- a/x-pack/filebeat/module/microsoft/fields.go +++ b/x-pack/filebeat/module/microsoft/fields.go 
@@ -19,5 +19,5 @@ func init() {
 // AssetMicrosoft returns asset data.
 // This is the base64 encoded gzipped contents of module/microsoft.
 func AssetMicrosoft() string {
-	return "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"
+	return "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"
 }
diff --git a/x-pack/filebeat/module/microsoft/m365_defender/_meta/fields.yml b/x-pack/filebeat/module/microsoft/m365_defender/_meta/fields.yml
new file mode 100644
index 00000000000..3656cd7c1de
--- /dev/null
+++ b/x-pack/filebeat/module/microsoft/m365_defender/_meta/fields.yml
@@ -0,0 +1,176 @@ +- name: microsoft.m365_defender + type: group + release: beta + default_field: false + description: > + Module for ingesting Microsoft Defender ATP. + fields: + - name: incidentId + type: keyword + description: > + Unique identifier to represent the incident. + - name: redirectIncidentId + type: keyword + description: > + Only populated in case an incident is being grouped together with another incident, as part of the incident processing logic. + - name: incidentName + type: keyword + description: > + Name of the Incident. + - name: determination + type: keyword + description: > + Specifies the determination of the incident. The property values are: NotAvailable, Apt, Malware, SecurityPersonnel, SecurityTesting, UnwantedSoftware, Other. + - name: investigationState + type: keyword + description: > + The current state of the Investigation. + - name: assignedTo + type: keyword + description: > + Owner of the alert. + - name: tags + type: keyword + description: > + Array of custom tags associated with an incident, for example to flag a group of incidents with a common characteristic. + - name: status + type: keyword + description: > + Specifies the current status of the alert. Possible values are: 'Unknown', 'New', 'InProgress' and 'Resolved'. + - name: classification + type: keyword + description: > + Specification of the alert. Possible values are: 'Unknown', 'FalsePositive', 'TruePositive'. + - name: alerts.incidentId + type: keyword + description: > + Unique identifier to represent the incident this alert is associated with. + - name: alerts.resolvedTime + type: date + description: > + Time when alert was resolved. + - name: alerts.status + type: keyword + description: > + Categorize alerts (as New, Active, or Resolved). + - name: alerts.severity + type: keyword + description: > + The severity of the related alert. + - name: alerts.creationTime + type: date + description: > + Time when alert was first created. 
+ - name: alerts.lastUpdatedTime + type: date + description: > + Time when alert was last updated. + - name: alerts.investigationId + type: keyword + description: > + The automated investigation id triggered by this alert. + - name: alerts.userSid + type: keyword + description: > + The SID of the related user + - name: alerts.detectionSource + type: keyword + description: > + The service that initially detected the threat. + - name: alerts.classification + type: keyword + description: > + The specification for the incident. The property values are: Unknown, FalsePositive, TruePositive or null. + - name: alerts.investigationState + type: keyword + description: > + Information on the investigation's current status. + - name: alerts.determination + type: keyword + description: > + Specifies the determination of the incident. The property values are: NotAvailable, Apt, Malware, SecurityPersonnel, SecurityTesting, UnwantedSoftware, Other or null + - name: alerts.assignedTo + type: keyword + description: > + Owner of the incident, or null if no owner is assigned. + - name: alerts.actorName + type: keyword + description: > + The activity group, if any, the associated with this alert. + - name: alerts.threatFamilyName + type: keyword + description: > + Threat family associated with this alert. + - name: alerts.mitreTechniques + type: keyword + description: > + The attack techniques, as aligned with the MITRE ATT&CK™ framework. + - name: alerts.entities.entityType + type: keyword + description: > + Entities that have been identified to be part of, or related to, a given alert. The properties values are: User, Ip, Url, File, Process, MailBox, MailMessage, MailCluster, Registry. + - name: alerts.entities.accountName + type: keyword + description: > + Account name of the related user. + - name: alerts.entities.mailboxDisplayName + type: keyword + description: > + The display name of the related mailbox. 
+ - name: alerts.entities.mailboxAddress + type: keyword + description: > + The mail address of the related mailbox. + - name: alerts.entities.clusterBy + type: keyword + description: > + A list of metadata if the entityType is MailCluster. + - name: alerts.entities.sender + type: keyword + description: > + The sender for the related email message. + - name: alerts.entities.recipient + type: keyword + description: > + The recipient for the related email message. + - name: alerts.entities.subject + type: keyword + description: > + The subject for the related email message. + - name: alerts.entities.deliveryAction + type: keyword + description: > + The delivery status for the related email message. + - name: alerts.entities.securityGroupId + type: keyword + description: > + The Security Group ID for the user related to the email message. + - name: alerts.entities.securityGroupName + type: keyword + description: > + The Security Group Name for the user related to the email message. + - name: alerts.entities.registryHive + type: keyword + description: > + Reference to which Hive in registry the event is related to, if eventType is registry. Example: HKEY_LOCAL_MACHINE. + - name: alerts.entities.registryKey + type: keyword + description: > + Reference to the related registry key to the event. + - name: alerts.entities.registryValueType + type: keyword + description: > + Value type of the registry key/value pair related to the event. + - name: alerts.entities.deviceId + type: keyword + description: > + The unique ID of the device related to the event. + - name: alerts.entities.ipAddress + type: keyword + description: > + The related IP address to the event. + - name: alerts.devices + type: flattened + description: > + The devices related to the investigation. + diff --git a/x-pack/filebeat/module/microsoft/m365_defender/config/defender.yml b/x-pack/filebeat/module/microsoft/m365_defender/config/defender.yml new file mode 100644 index 00000000000..2b2a6f936f7 
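Review bot: The group `description` at the top of this fields.yml still reads `Module for ingesting Microsoft Defender ATP.`, copied from the `defender_atp` fileset; the generated `filebeat/docs/fields.asciidoc` hunk in this diff carries the same text, so the source here should change to `Fileset for ingesting Microsoft 365 Defender incidents.` and the docs be regenerated. Several descriptions also name the wrong object: the incident-level `assignedTo`, `status` and `classification` are described as properties of "the alert", while `alerts.classification`, `alerts.determination` and `alerts.assignedTo` say "the incident". `alerts.userSid` is missing its terminating period.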
--- /dev/null
+++ b/x-pack/filebeat/module/microsoft/m365_defender/config/defender.yml
@@ -0,0 +1,43 @@
+{{ if eq .input "httpjson" }}
+
+type: httpjson
+http_method: GET
+interval: {{ .interval }}
+json_objects_array: value
+split_events_by: alerts..entities
+url: {{ .url }}
+
+oauth2: {{ .oauth2 | tojson }}
+oauth2.provider: azure
+oauth2.azure.resource: https://api.security.microsoft.com
+http_headers:
+  User-Agent: MdatpPartner-Elastic-Filebeat/1.0.0
+date_cursor.field: lastUpdateTime
+date_cursor.url_field: '$filter'
+date_cursor.value_template: 'lastUpdateTime gt {{.}}'
+date_cursor.initial_interval: 55m
+date_cursor.date_format: '2006-01-02T15:04:05.9999999Z'
+
+
+{{ else if eq .input "file" }}
+
+type: log
+paths:
+{{ range $i, $path := .paths }}
+  - {{$path}}
+{{ end }}
+exclude_files: [".gz$"]
+
+{{ end }}
+
+tags: {{ .tags | tojson }}
+publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}
+
+processors:
+  - decode_json_fields:
+      fields: [message]
+      target: json
+  - add_fields:
+      target: ''
+      fields:
+        ecs.version: 1.6.0
diff --git a/x-pack/filebeat/module/microsoft/m365_defender/ingest/pipeline.yml b/x-pack/filebeat/module/microsoft/m365_defender/ingest/pipeline.yml
new file mode 100644
index 00000000000..f1ea7c03abd
--- /dev/null
+++ b/x-pack/filebeat/module/microsoft/m365_defender/ingest/pipeline.yml
@@ -0,0 +1,301 @@
+---
+description: Pipeline for parsing microsoft atp logs
+processors:
+- set:
+    field: event.ingested
+    value: '{{_ingest.timestamp}}'
+- remove:
+    field:
+      - message
+      - json.comments
+      - host
+    ignore_missing: true
+
+#########################
+## ECS General Mapping ##
+#########################
+- script:
+    lang: painless
+    if: ctx?.json != null
+    source: |
+      void handleMap(Map map) {
+        for (def x : map.values()) {
+          if (x instanceof Map) {
+            handleMap(x);
+          } else if (x instanceof List) {
+            handleList(x);
+          }
+        }
+        map.values().removeIf(v -> v == null);
+      }
+      void handleList(List list) {
+        for (def x : list) {
+          if (x instanceof Map) {
+            handleMap(x);
+          } else if (x instanceof List) {
+            handleList(x);
+          }
+        }
+      }
+      handleMap(ctx);
+
+- set:
+    field: cloud.provider
+    value: azure
+- set:
+    field: '@timestamp'
+    value: '{{json.lastUpdateTime}}'
+    if: ctx.json?.lastUpdateTime != null
+- rename:
+    field: json.alerts.title
+    target_field: message
+    ignore_missing: true
+
+#######################
+## ECS Event Mapping ##
+#######################
+- set:
+    field: event.kind
+    value: alert
+# Events returned from the API is always in UTC, so should never use anything else
+- set:
+    field: event.timezone
+    value: UTC
+- set:
+    field: event.action
+    value: '{{json.alerts.category}}'
+    if: ctx.json?.alerts?.category != null
+- set:
+    field: event.provider
+    value: '{{json.alerts.serviceSource}}'
+    if: ctx.json?.alerts?.serviceSource != null
+- set:
+    field: event.created
+    value: '{{json.createdTime}}'
+    if: ctx.json?.createdTime != null
+- append:
+    field: event.category
+    value: host
+- append:
+    field: event.category
+    value: malware
+    if: ctx.json?.determination == 'Malware'
+- append:
+    field: event.category
+    value: process
+    if: ctx.json?.entities?.entityType == 'Process'
+- append:
+    field: event.type
+    value: user
+    if: ctx.json?.entities?.entityType == 'User'
+- append:
+    field: event.type
+    value:
+      - creation
+      - start
+    if: 
ctx.json?.status == 'New'
+- append:
+    field: event.type
+    value: end
+    if: ctx.json?.status == 'Resolved'
+- rename:
+    field: json.alerts.alertId
+    target_field: event.id
+    ignore_missing: true
+- rename:
+    field: json.alerts.firstActivity
+    target_field: event.start
+    ignore_missing: true
+- rename:
+    field: json.alerts.lastActivity
+    target_field: event.end
+    ignore_missing: true
+- set:
+    field: event.severity
+    value: 0
+    if: ctx.json?.severity == 'Unspecified'
+- set:
+    field: event.severity
+    value: 1
+    if: ctx.json?.severity == 'Informational'
+- set:
+    field: event.severity
+    value: 2
+    if: ctx.json?.severity == 'Low'
+- set:
+    field: event.severity
+    value: 3
+    if: ctx.json?.severity == 'Medium'
+- set:
+    field: event.severity
+    value: 4
+    if: ctx.json?.severity == 'High'
+- script:
+    lang: painless
+    if: "ctx?.event?.start != null && ctx?.event?.end != null"
+    source: >
+      Instant eventstart = ZonedDateTime.parse(ctx?.event?.start).toInstant();
+      Instant eventend = ZonedDateTime.parse(ctx?.event?.end).toInstant();
+      ctx.event['duration'] = ChronoUnit.NANOS.between(eventstart, eventend);
+
+########################
+## ECS Threat Mapping ##
+########################
+- set:
+    field: threat.framework
+    value: MITRE ATT&CK
+    if: ctx.json?.alerts?.category != null
+- rename:
+    field: json.alerts.category
+    target_field: threat.technique.name
+    ignore_missing: true
+- rename:
+    field: json.alerts.description
+    target_field: rule.description
+    ignore_missing: true
+    if: ctx.json?.alerts?.description.length() < 1020
+
+######################
+## ECS File Mapping ##
+######################
+- rename:
+    field: json.alerts.entities.fileName
+    target_field: file.name
+    ignore_missing: true
+- rename:
+    field: json.alerts.entities.sha256
+    target_field: file.hash.sha256
+    ignore_missing: true
+- rename:
+    field: json.alerts.entities.sha1
+    target_field: file.hash.sha1
+    ignore_missing: true
+- rename:
+    field: json.alerts.entities.filePath
+    target_field: file.path
+    
ignore_missing: true
+
+#########################
+## ECS Process Mapping ##
+#########################
+- rename:
+    field: json.alerts.entities.processId
+    target_field: process.pid
+    ignore_missing: true
+- rename:
+    field: json.alerts.entities.processCommandLine
+    target_field: process.command_line
+    ignore_missing: true
+- rename:
+    field: json.alerts.entities.processCreationTime
+    target_field: process.start
+    ignore_missing: true
+- rename:
+    field: json.alerts.entities.parentProcessId
+    target_field: process.parent.pid
+    ignore_missing: true
+- rename:
+    field: json.alerts.entities.parentProcessCreationTime
+    target_field: process.parent.start
+    ignore_missing: true
+
+##########################
+## ECS Observer Mapping ##
+##########################
+- set:
+    field: observer.product
+    value: 365 Defender
+- set:
+    field: observer.vendor
+    value: Microsoft
+- rename:
+    field: json.alerts.serviceSource
+    target_field: observer.name
+    ignore_missing: true
+
+#####################
+## ECS URL Mapping ##
+#####################
+- rename:
+    field: json.alerts.entities.url
+    target_field: url.full
+    ignore_missing: true
+    if: ctx?.json?.entities?.url != null
+
+######################
+## ECS User Mapping ##
+######################
+- rename:
+    field: json.alerts.entities.userPrincipalName
+    target_field: host.user.name
+    ignore_missing: true
+- rename:
+    field: json.alerts.entities.domainName
+    target_field: host.user.domain
+    ignore_missing: true
+- rename:
+    field: json.alerts.entities.aadUserId
+    target_field: host.user.id
+    ignore_missing: true
+
+#########################
+## ECS Related Mapping ##
+#########################
+- append:
+    field: related.ip
+    value: '{{json.alerts.entities.ipAddress}}'
+    if: ctx.json?.entities?.ipAddress != null
+- append:
+    field: related.user
+    value: '{{host.user.name}}'
+    if: ctx.host?.user?.name != null
+- append:
+    field: related.hash
+    value: '{{file.hash.sha1}}'
+    if: ctx.file?.hash?.sha1 != null
+- append:
+    field: 
related.hash
+    value: '{{file.hash.sha256}}'
+    if: ctx.file?.hash?.sha256 != null
+- append:
+    field: related.hosts
+    value: '{{host.hostname}}'
+    if: ctx.host?.hostname != null
+
+#############
+## Cleanup ##
+#############
+- convert:
+    field: json.alerts.incidentId
+    type: string
+    ignore_missing: true
+- convert:
+    field: json.incidentId
+    type: string
+    ignore_missing: true
+- remove:
+    field: json.alerts.mitreTechniques
+    ignore_missing: true
+    if: ctx?.json?.alerts?.mitreTechniques.isEmpty()
+- remove:
+    field: json.alerts.devices
+    ignore_missing: true
+    if: ctx?.json?.alerts?.devices.isEmpty()
+- remove:
+    field: json.tags
+    ignore_missing: true
+    if: ctx?.json?.tags.isEmpty()
+- remove:
+    ignore_missing: true
+    field:
+      - json.createdTime
+      - json.severity
+      - json.lastUpdateTime
+- rename:
+    field: json
+    target_field: microsoft.m365_defender
+    ignore_missing: true
+on_failure:
+- set:
+    field: error.message
+    value: '{{_ingest.on_failure_message}}'
diff --git a/x-pack/filebeat/module/microsoft/m365_defender/manifest.yml b/x-pack/filebeat/module/microsoft/m365_defender/manifest.yml
new file mode 100644
index 00000000000..d7b73352f79
--- /dev/null
+++ b/x-pack/filebeat/module/microsoft/m365_defender/manifest.yml
@@ -0,0 +1,17 @@
+module_version: 1.0
+
+var:
+  - name: input
+    default: httpjson
+  - name: interval
+    default: 5m
+  - name: tags
+    default: [m365-defender, forwarded]
+  - name: url
+    default: "https://api.security.microsoft.com/api/incidents"
+  - name: oauth2
+
+ingest_pipeline: ingest/pipeline.yml
+input: config/defender.yml
+
+
diff --git a/x-pack/filebeat/module/microsoft/m365_defender/test/m365_defender-test.ndjson.log b/x-pack/filebeat/module/microsoft/m365_defender/test/m365_defender-test.ndjson.log
new file mode 100644
index 00000000000..4fc4cf141b6
--- /dev/null
+++ b/x-pack/filebeat/module/microsoft/m365_defender/test/m365_defender-test.ndjson.log
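Review bot: The conditions on the `event.category: process`, `event.type: user`, `url.full` and `related.ip` processors test `ctx.json?.entities?...`, but every rename in this pipeline and the value `'{{json.alerts.entities.ipAddress}}'` on that same `related.ip` processor read the entities under `json.alerts.entities`, so those four conditions never hold and the fields they guard are never populated; they should become `ctx.json?.alerts?.entities?.entityType == 'Process'` (and `'User'`), `ctx.json?.alerts?.entities?.url != null` and `ctx.json?.alerts?.entities?.ipAddress != null`. The `.length()` and `.isEmpty()` calls in the `rule.description` rename and the cleanup `remove` conditions are not null-safe on their last segment, so an incident whose alert lacks `description`, `mitreTechniques`, `devices` or `tags` would likely abort the pipeline into `error.message`; a `!= null` check before each call avoids that. The `related.hosts` append can never fire because `host` is removed by the first processor. The `description` still says `Pipeline for parsing microsoft atp logs`; `Pipeline for parsing Microsoft 365 Defender incidents` would name this fileset.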
@@ -0,0 +1,9 @@
+{"status":"Resolved","classification":"Unknown","createdTime":"2020-06-30T09:32:31.85Z","determination":"NotAvailable","incidentId":12,"incidentName":"12","redirectIncidentId":null,"severity":"Low","alerts":{"creationTime":"2020-06-30T09:32:31.4579225Z","detectionSource":"WindowsDefenderAv","firstActivity":"2020-06-30T09:31:22.5729558Z","incidentId":12,"serviceSource":"MicrosoftDefenderATP","actorName":null,"alertId":"da637291063515066999_-2102938302","determination":null,"lastActivity":"2020-06-30T09:46:15.0876676Z","assignedTo":"Automation","devices":[{"osBuild":17763,"osProcessor":"x64","rbacGroupId":0,"aadDeviceId":null,"firstSeen":"2020-06-30T08:55:08.8320449Z","mdatpDeviceId":"75a63a39f9bc5a964f417c11f6277d5bf9489f0d","rbacGroupName":null,"riskScore":"High","version":"Other","deviceDnsName":"TestServer4","healthStatus":"Inactive","osPlatform":"Other"}],"investigationId":9,"threatFamilyName":null,"title":"'Mountsi' malware was detected","category":"Malware","classification":null,"description":"Malware and unwanted software are undesirable applications that perform annoying, disruptive, or harmful actions on affected machines. Some of these undesirable applications can replicate and spread from one machine to another. Others are able to receive commands from remote attackers and perform activities associated with cyber attacks.\n\nThis detection might indicate that the malware was stopped from delivering its payload. 
However, it is prudent to check the machine for signs of infection.","entities":{"deviceId":"75a63a39f9bc5a964f417c11f6277d5bf9489f0d","entityType":"File","fileName":"amsistream-1D89ECED25A52AB98B76FF619B7BA07A","sha1":"ffb1670c6c6a9c5b4c5cea8b6b8e68d62e7ff281","sha256":"fd46705c4f67a8ef16e76259ca6d6253241e51a1f8952223145f92aa1907d356"},"investigationState":"Benign","lastUpdatedTime":"2020-08-26T09:41:27.7233333Z","mitreTechniques":[],"resolvedTime":"2020-06-30T11:13:12.2680434Z","severity":"Informational","status":"Resolved"},"assignedTo":"elastic@elasticuser.com","lastUpdateTime":"2020-09-23T19:44:36.29Z","tags":[]}
+{"incidentName":"12","redirectIncidentId":null,"severity":"Low","status":"Resolved","tags":[],"alerts":{"devices":[{"aadDeviceId":null,"firstSeen":"2020-06-30T08:55:08.8320449Z","healthStatus":"Inactive","osPlatform":"Other","rbacGroupId":0,"rbacGroupName":null,"deviceDnsName":"TestServer4","mdatpDeviceId":"75a63a39f9bc5a964f417c11f6277d5bf9489f0d","osBuild":17763,"osProcessor":"x64","riskScore":"High","version":"Other"}],"entities":{"deviceId":"75a63a39f9bc5a964f417c11f6277d5bf9489f0d","entityType":"File","fileName":"amsistream-B103C1A335BDB049E617D1AC4A41FCDC","sha1":"ffb1670c6c6a9c5b4c5cea8b6b8e68d62e7ff281","sha256":"fd46705c4f67a8ef16e76259ca6d6253241e51a1f8952223145f92aa1907d356"},"firstActivity":"2020-06-30T09:31:22.5729558Z","lastUpdatedTime":"2020-08-26T09:41:27.7233333Z","alertId":"da637291063515066999_-2102938302","category":"Malware","classification":null,"determination":null,"mitreTechniques":[],"serviceSource":"MicrosoftDefenderATP","status":"Resolved","assignedTo":"Automation","detectionSource":"WindowsDefenderAv","incidentId":12,"investigationId":9,"severity":"Informational","title":"'Mountsi' malware was detected","actorName":null,"description":"Malware and unwanted software are undesirable applications that perform annoying, disruptive, or harmful actions on affected machines. 
Some of these undesirable applications can replicate and spread from one machine to another. Others are able to receive commands from remote attackers and perform activities associated with cyber attacks.\n\nThis detection might indicate that the malware was stopped from delivering its payload. However, it is prudent to check the machine for signs of infection.","lastActivity":"2020-06-30T09:46:15.0876676Z","resolvedTime":"2020-06-30T11:13:12.2680434Z","creationTime":"2020-06-30T09:32:31.4579225Z","investigationState":"Benign","threatFamilyName":null},"assignedTo":"elastic@elasticuser.com","determination":"NotAvailable","incidentId":12,"lastUpdateTime":"2020-09-23T19:44:36.29Z","classification":"Unknown","createdTime":"2020-06-30T09:32:31.85Z"}
+{"alerts":{"mitreTechniques":[],"status":"Resolved","title":"'Exeselrun' malware was detected","threatFamilyName":null,"alertId":"da637291085389812387_-1296910232","category":"Malware","detectionSource":"WindowsDefenderAv","lastUpdatedTime":"2020-08-26T09:41:27.7233333Z","serviceSource":"MicrosoftDefenderATP","severity":"Informational","resolvedTime":"2020-06-30T11:13:12.2680434Z","description":"Malware and unwanted software are undesirable applications that perform annoying, disruptive, or harmful actions on affected machines. Some of these undesirable applications can replicate and spread from one machine to another. Others are able to receive commands from remote attackers and perform activities associated with cyber attacks.\n\nThis detection might indicate that the malware was stopped from delivering its payload. 
However, it is prudent to check the machine for signs of infection.","devices":[{"deviceDnsName":"testserver4","healthStatus":"Inactive","osProcessor":"x64","rbacGroupId":0,"riskScore":"High","version":"Other","aadDeviceId":null,"firstSeen":"2020-06-30T08:55:08.8320449Z","mdatpDeviceId":"75a63a39f9bc5a964f417c11f6277d5bf9489f0d","osBuild":17763,"osPlatform":"Other","rbacGroupName":null}],"firstActivity":"2020-06-30T10:07:44.3144099Z","incidentId":12,"investigationId":9,"investigationState":"Benign","lastActivity":"2020-06-30T10:07:44.3144099Z","actorName":null,"assignedTo":"Automation","classification":null,"creationTime":"2020-06-30T10:08:58.9655663Z","determination":null,"entities":{"fileName":"SB.xsl","filePath":"C:\\Windows\\Temp\\sb-sim-temp-ikyxqi\\sb_10554_bs_h4qpk5","sha1":"d1bb29ce3d01d01451e3623132545d5f577a1bd6","sha256":"ce8d3a3811a3bf923902d6924532308506fe5d024435ddee0cabf90ad9b29f6a","deviceId":"75a63a39f9bc5a964f417c11f6277d5bf9489f0d","entityType":"File"}},"createdTime":"2020-06-30T09:32:31.85Z","determination":"NotAvailable","incidentId":12,"lastUpdateTime":"2020-09-23T19:44:36.29Z","redirectIncidentId":null,"assignedTo":"elastic@elasticuser.com","classification":"Unknown","incidentName":"12","severity":"Low","status":"Resolved","tags":[]}
+{"classification":"Unknown","createdTime":"2020-06-30T09:32:31.85Z","determination":"NotAvailable","incidentName":"12","lastUpdateTime":"2020-09-23T19:44:36.29Z","redirectIncidentId":null,"severity":"Low","assignedTo":"elastic@elasticuser.com","status":"Resolved","incidentId":12,"tags":[],"alerts":{"assignedTo":"elastic@elasticuser.com","firstActivity":"2020-06-30T10:07:44.333733Z","investigationId":9,"mitreTechniques":[],"resolvedTime":"2020-06-30T11:13:12.2680434Z","title":"An active 'Exeselrun' malware was 
detected","alertId":"da637291085411733957_-1043898914","category":"Malware","classification":null,"detectionSource":"WindowsDefenderAv","determination":null,"threatFamilyName":null,"actorName":null,"serviceSource":"MicrosoftDefenderATP","status":"Resolved","creationTime":"2020-06-30T10:09:01.1569718Z","devices":[{"deviceDnsName":"TestServer4","healthStatus":"Inactive","osBuild":17763,"osProcessor":"x64","rbacGroupName":null,"riskScore":"High","version":"Other","aadDeviceId":null,"firstSeen":"2020-06-30T08:55:08.8320449Z","mdatpDeviceId":"75a63a39f9bc5a964f417c11f6277d5bf9489f0d","osPlatform":"Other","rbacGroupId":0}],"entities":{"filePath":"C:\\Windows\\Temp\\sb-sim-temp-ikyxqi\\sb_10554_bs_h4qpk5","deviceId":"75a63a39f9bc5a964f417c11f6277d5bf9489f0d","entityType":"File","fileName":"SB.xsl"},"incidentId":12,"investigationState":"Benign","lastActivity":"2020-06-30T10:07:44.333733Z","lastUpdatedTime":"2020-08-26T09:41:27.7233333Z","severity":"Low","description":"Malware and unwanted software are undesirable applications that perform annoying, disruptive, or harmful actions on affected machines. Some of these undesirable applications can replicate and spread from one machine to another. Others are able to receive commands from remote attackers and perform activities associated with cyber attacks.\n\nA malware is considered active if it is found running on the machine or it already has persistence mechanisms in place. 
Active malware detections are assigned higher severity ratings.\n\nBecause this malware was active, take precautionary measures and check for residual signs of infection."}}
+{"assignedTo":"elastic@elasticuser.com","classification":"Unknown","createdTime":"2020-06-30T09:32:31.85Z","redirectIncidentId":null,"severity":"Low","status":"Resolved","tags":[],"alerts":{"assignedTo":"elastic@elasticuser.com","determination":null,"serviceSource":"MicrosoftDefenderATP","severity":"Low","alertId":"da637291086161511365_-2075772905","classification":"FalsePositive","creationTime":"2020-06-30T10:10:16.1355657Z","description":"Malware and unwanted software are undesirable applications that perform annoying, disruptive, or harmful actions on affected machines. Some of these undesirable applications can replicate and spread from one machine to another. Others are able to receive commands from remote attackers and perform activities associated with cyber attacks.\n\nA malware is considered active if it is found running on the machine or it already has persistence mechanisms in place. 
Active malware detections are assigned higher severity ratings.\n\nBecause this malware was active, take precautionary measures and check for residual signs of infection.","entities":{"deviceId":"75a63a39f9bc5a964f417c11f6277d5bf9489f0d","entityType":"Process","processCreationTime":"2020-06-30T10:31:04.1092404Z","processId":6720},"mitreTechniques":[],"title":"Suspicious 'AccessibilityEscalation' behavior was detected","category":"SuspiciousActivity","devices":[{"aadDeviceId":null,"mdatpDeviceId":"75a63a39f9bc5a964f417c11f6277d5bf9489f0d","osProcessor":"x64","riskScore":"High","osPlatform":"Other","rbacGroupId":0,"rbacGroupName":null,"version":"Other","deviceDnsName":"testserver4","firstSeen":"2020-06-30T08:55:08.8320449Z","healthStatus":"Inactive","osBuild":17763}],"firstActivity":"2020-06-30T10:09:10.8889583Z","investigationState":"UnsupportedAlertType","status":"Resolved","detectionSource":"WindowsDefenderAv","incidentId":12,"investigationId":null,"lastActivity":"2020-06-30T10:31:09.4165785Z","lastUpdatedTime":"2020-09-23T19:44:37.9666667Z","resolvedTime":"2020-09-23T19:44:36.1092821Z","threatFamilyName":null,"actorName":null},"determination":"NotAvailable","incidentId":12,"incidentName":"12","lastUpdateTime":"2020-09-23T19:44:36.29Z"}
+{"determination":"NotAvailable","severity":"Low","classification":"Unknown","createdTime":"2020-06-30T09:32:31.85Z","incidentId":12,"incidentName":"12","lastUpdateTime":"2020-09-23T19:44:36.29Z","redirectIncidentId":null,"alerts":{"lastActivity":"2020-06-30T10:31:09.4165785Z","lastUpdatedTime":"2020-09-23T19:44:37.9666667Z","actorName":null,"description":"Malware and unwanted software are undesirable applications that perform annoying, disruptive, or harmful actions on affected machines. Some of these undesirable applications can replicate and spread from one machine to another. 
Others are able to receive commands from remote attackers and perform activities associated with cyber attacks.\n\nA malware is considered active if it is found running on the machine or it already has persistence mechanisms in place. Active malware detections are assigned higher severity ratings.\n\nBecause this malware was active, take precautionary measures and check for residual signs of infection.","determination":null,"entities":{"accountName":"","entityType":"User"},"firstActivity":"2020-06-30T10:09:10.8889583Z","investigationState":"UnsupportedAlertType","serviceSource":"MicrosoftDefenderATP","status":"Resolved","title":"Suspicious 'AccessibilityEscalation' behavior was detected","classification":"FalsePositive","devices":[{"aadDeviceId":null,"healthStatus":"Inactive","osPlatform":"Other","osProcessor":"x64","riskScore":"High","deviceDnsName":"testserver4","firstSeen":"2020-06-30T08:55:08.8320449Z","mdatpDeviceId":"75a63a39f9bc5a964f417c11f6277d5bf9489f0d","osBuild":17763,"rbacGroupId":0,"rbacGroupName":null,"version":"Other"}],"mitreTechniques":[],"severity":"Low","threatFamilyName":null,"creationTime":"2020-06-30T10:10:16.1355657Z","detectionSource":"WindowsDefenderAv","incidentId":12,"alertId":"da637291086161511365_-2075772905","assignedTo":"elastic@elasticuser.com","category":"SuspiciousActivity","investigationId":null,"resolvedTime":"2020-09-23T19:44:36.1092821Z"},"assignedTo":"elastic@elasticuser.com","status":"Resolved","tags":[]}
+{"determination":"NotAvailable","lastUpdateTime":"2020-09-23T19:44:36.29Z","tags":[],"alerts":{"investigationState":"UnsupportedAlertType","status":"Resolved","alertId":"da637291086161511365_-2075772905","assignedTo":"elastic@elasticuser.com","determination":null,"firstActivity":"2020-06-30T10:09:10.8889583Z","mitreTechniques":[],"resolvedTime":"2020-09-23T19:44:36.1092821Z","severity":"Low","actorName":null,"category":"SuspiciousActivity","description":"Malware and unwanted software are undesirable applications that 
perform annoying, disruptive, or harmful actions on affected machines. Some of these undesirable applications can replicate and spread from one machine to another. Others are able to receive commands from remote attackers and perform activities associated with cyber attacks.\n\nA malware is considered active if it is found running on the machine or it already has persistence mechanisms in place. Active malware detections are assigned higher severity ratings.\n\nBecause this malware was active, take precautionary measures and check for residual signs of infection.","lastUpdatedTime":"2020-09-23T19:44:37.9666667Z","title":"Suspicious 'AccessibilityEscalation' behavior was detected","classification":"FalsePositive","creationTime":"2020-06-30T10:10:16.1355657Z","entities":{"deviceId":"75a63a39f9bc5a964f417c11f6277d5bf9489f0d","entityType":"Process","processCreationTime":"2020-06-30T10:09:10.5747992Z","processId":1324},"incidentId":12,"serviceSource":"MicrosoftDefenderATP","threatFamilyName":null,"detectionSource":"WindowsDefenderAv","devices":[{"osPlatform":"Other","osProcessor":"x64","rbacGroupId":0,"riskScore":"High","version":"Other","aadDeviceId":null,"deviceDnsName":"testserver4","mdatpDeviceId":"75a63a39f9bc5a964f417c11f6277d5bf9489f0d","rbacGroupName":null,"firstSeen":"2020-06-30T08:55:08.8320449Z","healthStatus":"Inactive","osBuild":17763}],"investigationId":null,"lastActivity":"2020-06-30T10:31:09.4165785Z"},"assignedTo":"elastic@elasticuser.com","classification":"Unknown","createdTime":"2020-06-30T09:32:31.85Z","status":"Resolved","incidentId":12,"incidentName":"12","redirectIncidentId":null,"severity":"Low"}
+{"incidentId":14,"incidentName":"Activity from infrequent 
country","redirectIncidentId":null,"tags":[],"alerts":{"category":"SuspiciousActivity","entities":{"aadUserId":"8e24c50a-a77c-4782-813f-965009b5ddf3","accountName":"brent","entityType":"User","userPrincipalName":"brent@elasticbv.onmicrosoft.com"},"incidentId":14,"investigationState":"UnsupportedAlertType","status":"New","actorName":null,"classification":"FalsePositive","description":"Brent Murphy (brent@elasticbv.onmicrosoft.com) performed an activity. No activity was performed in United States in the past 41 days.","investigationId":null,"lastActivity":"2020-07-27T15:47:22.088Z","lastUpdatedTime":"2020-09-23T19:32:17.5433333Z","mitreTechniques":[],"serviceSource":"MicrosoftCloudAppSecurity","severity":"Medium","threatFamilyName":null,"title":"Activity from infrequent country","assignedTo":"elastic@elasticuser.com","detectionSource":"MCAS","devices":[],"alertId":"caA214771F-6AB0-311D-B2B0-BECD3B4A967B","creationTime":"2020-07-27T15:54:20.52207Z","determination":null,"firstActivity":"2020-07-27T15:47:22.088Z","resolvedTime":null},"classification":"Unknown","determination":"NotAvailable","lastUpdateTime":"2020-09-23T19:32:05.8366667Z","severity":"Medium","status":"Active","assignedTo":"elastic@elasticuser.com","createdTime":"2020-07-27T15:54:21.58Z"}
+{"incidentId":14,"incidentName":"Activity from infrequent country","severity":"Medium","status":"Active","tags":[],"alerts":{"description":"Brent Murphy (brent@elasticbv.onmicrosoft.com) performed an activity. 
No activity was performed in United States in the past 41 days.","detectionSource":"MCAS","firstActivity":"2020-07-27T15:47:22.088Z","investigationId":null,"investigationState":"UnsupportedAlertType","severity":"Medium","alertId":"caA214771F-6AB0-311D-B2B0-BECD3B4A967B","category":"SuspiciousActivity","classification":"FalsePositive","determination":null,"entities":{"entityType":"Ip","ipAddress":"73.172.171.53"},"incidentId":14,"serviceSource":"MicrosoftCloudAppSecurity","status":"New","actorName":null,"title":"Activity from infrequent country","devices":[],"lastActivity":"2020-07-27T15:47:22.088Z","lastUpdatedTime":"2020-09-23T19:32:17.5433333Z","creationTime":"2020-07-27T15:54:20.52207Z","mitreTechniques":[],"resolvedTime":null,"threatFamilyName":null,"assignedTo":"elastic@elasticuser.com"},"createdTime":"2020-07-27T15:54:21.58Z","determination":"NotAvailable","lastUpdateTime":"2020-09-23T19:32:05.8366667Z","redirectIncidentId":null,"assignedTo":"elastic@elasticuser.com","classification":"Unknown"}
diff --git a/x-pack/filebeat/module/microsoft/m365_defender/test/m365_defender-test.ndjson.log-expected.json b/x-pack/filebeat/module/microsoft/m365_defender/test/m365_defender-test.ndjson.log-expected.json
new file mode 100644
index 00000000000..1f81a57a98f
--- /dev/null
+++ b/x-pack/filebeat/module/microsoft/m365_defender/test/m365_defender-test.ndjson.log-expected.json
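Review bot: The fixture embeds identifiers that look captured rather than synthetic — a routable public address `73.172.171.53` in the `Ip` entity, an `aadUserId` GUID, the tenant-specific UPN `brent@elasticbv.onmicrosoft.com`, and a person's name inside the alert description — and these are republished with every package that ships the module. Replacing them with reserved values (an address from the documentation range `192.0.2.0/24`, an `example.com` UPN, a placeholder GUID) preserves the coverage while removing the personal data; the expected-output JSON has to be regenerated afterwards. Note also that the last two records are the only ones carrying a `User` entity with `userPrincipalName` and an `Ip` entity with `ipAddress`, so they are what exercises the `related.ip` / `host.user.*` mappings; since the pipeline's `related.ip` condition reads `ctx.json?.entities?.ipAddress` while the fixture places the address under `alerts.entities`, it is worth confirming that `related.ip` actually appears in the expected output for that record.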
@@ -0,0 +1,611 @@ +[ + { + "@timestamp": "2020-09-23T19:44:36.29Z", + "cloud.provider": "azure", + "event.action": "Malware", + "event.category": [ + "host" + ], + "event.dataset": "microsoft.m365_defender", + "event.duration": 892514711800, + "event.end": "2020-06-30T09:46:15.0876676Z", + "event.id": "da637291063515066999_-2102938302", + "event.kind": "alert", + "event.module": "microsoft", + "event.provider": "MicrosoftDefenderATP", + "event.severity": 2, + "event.start": "2020-06-30T09:31:22.5729558Z", + "event.timezone": "UTC", + "event.type": [ + "end" + ], + "file.hash.sha1": "ffb1670c6c6a9c5b4c5cea8b6b8e68d62e7ff281", + "file.hash.sha256": "fd46705c4f67a8ef16e76259ca6d6253241e51a1f8952223145f92aa1907d356", + "file.name": "amsistream-1D89ECED25A52AB98B76FF619B7BA07A", + "fileset.name": "m365_defender", + "input.type": "log", + "log.offset": 0, + "message": "'Mountsi' malware was detected", + "microsoft.m365_defender.alerts.assignedTo": "Automation", + "microsoft.m365_defender.alerts.creationTime": "2020-06-30T09:32:31.4579225Z", + "microsoft.m365_defender.alerts.detectionSource": "WindowsDefenderAv", + "microsoft.m365_defender.alerts.devices": [ + { + "deviceDnsName": "TestServer4", + "firstSeen": "2020-06-30T08:55:08.8320449Z", + "healthStatus": "Inactive", + "mdatpDeviceId": "75a63a39f9bc5a964f417c11f6277d5bf9489f0d", + "osBuild": 17763, + "osPlatform": "Other", + "osProcessor": "x64", + "rbacGroupId": 0, + "riskScore": "High", + "version": "Other" + } + ], + "microsoft.m365_defender.alerts.entities.deviceId": "75a63a39f9bc5a964f417c11f6277d5bf9489f0d", + "microsoft.m365_defender.alerts.entities.entityType": "File", + "microsoft.m365_defender.alerts.incidentId": "12", + "microsoft.m365_defender.alerts.investigationId": 9, + "microsoft.m365_defender.alerts.investigationState": "Benign", + "microsoft.m365_defender.alerts.lastUpdatedTime": "2020-08-26T09:41:27.7233333Z", + "microsoft.m365_defender.alerts.resolvedTime": "2020-06-30T11:13:12.2680434Z", + 
"microsoft.m365_defender.alerts.severity": "Informational", + "microsoft.m365_defender.alerts.status": "Resolved", + "microsoft.m365_defender.assignedTo": "elastic@elasticuser.com", + "microsoft.m365_defender.classification": "Unknown", + "microsoft.m365_defender.determination": "NotAvailable", + "microsoft.m365_defender.incidentId": "12", + "microsoft.m365_defender.incidentName": "12", + "microsoft.m365_defender.status": "Resolved", + "observer.name": "MicrosoftDefenderATP", + "observer.product": "365 Defender", + "observer.vendor": "Microsoft", + "related.hash": [ + "ffb1670c6c6a9c5b4c5cea8b6b8e68d62e7ff281", + "fd46705c4f67a8ef16e76259ca6d6253241e51a1f8952223145f92aa1907d356" + ], + "rule.description": "Malware and unwanted software are undesirable applications that perform annoying, disruptive, or harmful actions on affected machines. Some of these undesirable applications can replicate and spread from one machine to another. Others are able to receive commands from remote attackers and perform activities associated with cyber attacks.\n\nThis detection might indicate that the malware was stopped from delivering its payload. 
However, it is prudent to check the machine for signs of infection.", + "service.type": "microsoft", + "tags": [ + "m365-defender", + "forwarded" + ], + "threat.framework": "MITRE ATT&CK", + "threat.technique.name": "Malware" + }, + { + "@timestamp": "2020-09-23T19:44:36.29Z", + "cloud.provider": "azure", + "event.action": "Malware", + "event.category": [ + "host" + ], + "event.dataset": "microsoft.m365_defender", + "event.duration": 892514711800, + "event.end": "2020-06-30T09:46:15.0876676Z", + "event.id": "da637291063515066999_-2102938302", + "event.kind": "alert", + "event.module": "microsoft", + "event.provider": "MicrosoftDefenderATP", + "event.severity": 2, + "event.start": "2020-06-30T09:31:22.5729558Z", + "event.timezone": "UTC", + "event.type": [ + "end" + ], + "file.hash.sha1": "ffb1670c6c6a9c5b4c5cea8b6b8e68d62e7ff281", + "file.hash.sha256": "fd46705c4f67a8ef16e76259ca6d6253241e51a1f8952223145f92aa1907d356", + "file.name": "amsistream-B103C1A335BDB049E617D1AC4A41FCDC", + "fileset.name": "m365_defender", + "input.type": "log", + "log.offset": 2071, + "message": "'Mountsi' malware was detected", + "microsoft.m365_defender.alerts.assignedTo": "Automation", + "microsoft.m365_defender.alerts.creationTime": "2020-06-30T09:32:31.4579225Z", + "microsoft.m365_defender.alerts.detectionSource": "WindowsDefenderAv", + "microsoft.m365_defender.alerts.devices": [ + { + "deviceDnsName": "TestServer4", + "firstSeen": "2020-06-30T08:55:08.8320449Z", + "healthStatus": "Inactive", + "mdatpDeviceId": "75a63a39f9bc5a964f417c11f6277d5bf9489f0d", + "osBuild": 17763, + "osPlatform": "Other", + "osProcessor": "x64", + "rbacGroupId": 0, + "riskScore": "High", + "version": "Other" + } + ], + "microsoft.m365_defender.alerts.entities.deviceId": "75a63a39f9bc5a964f417c11f6277d5bf9489f0d", + "microsoft.m365_defender.alerts.entities.entityType": "File", + "microsoft.m365_defender.alerts.incidentId": "12", + "microsoft.m365_defender.alerts.investigationId": 9, + 
"microsoft.m365_defender.alerts.investigationState": "Benign", + "microsoft.m365_defender.alerts.lastUpdatedTime": "2020-08-26T09:41:27.7233333Z", + "microsoft.m365_defender.alerts.resolvedTime": "2020-06-30T11:13:12.2680434Z", + "microsoft.m365_defender.alerts.severity": "Informational", + "microsoft.m365_defender.alerts.status": "Resolved", + "microsoft.m365_defender.assignedTo": "elastic@elasticuser.com", + "microsoft.m365_defender.classification": "Unknown", + "microsoft.m365_defender.determination": "NotAvailable", + "microsoft.m365_defender.incidentId": "12", + "microsoft.m365_defender.incidentName": "12", + "microsoft.m365_defender.status": "Resolved", + "observer.name": "MicrosoftDefenderATP", + "observer.product": "365 Defender", + "observer.vendor": "Microsoft", + "related.hash": [ + "ffb1670c6c6a9c5b4c5cea8b6b8e68d62e7ff281", + "fd46705c4f67a8ef16e76259ca6d6253241e51a1f8952223145f92aa1907d356" + ], + "rule.description": "Malware and unwanted software are undesirable applications that perform annoying, disruptive, or harmful actions on affected machines. Some of these undesirable applications can replicate and spread from one machine to another. Others are able to receive commands from remote attackers and perform activities associated with cyber attacks.\n\nThis detection might indicate that the malware was stopped from delivering its payload. 
However, it is prudent to check the machine for signs of infection.", + "service.type": "microsoft", + "tags": [ + "m365-defender", + "forwarded" + ], + "threat.framework": "MITRE ATT&CK", + "threat.technique.name": "Malware" + }, + { + "@timestamp": "2020-09-23T19:44:36.29Z", + "cloud.provider": "azure", + "event.action": "Malware", + "event.category": [ + "host" + ], + "event.dataset": "microsoft.m365_defender", + "event.duration": 0, + "event.end": "2020-06-30T10:07:44.3144099Z", + "event.id": "da637291085389812387_-1296910232", + "event.kind": "alert", + "event.module": "microsoft", + "event.provider": "MicrosoftDefenderATP", + "event.severity": 2, + "event.start": "2020-06-30T10:07:44.3144099Z", + "event.timezone": "UTC", + "event.type": [ + "end" + ], + "file.hash.sha1": "d1bb29ce3d01d01451e3623132545d5f577a1bd6", + "file.hash.sha256": "ce8d3a3811a3bf923902d6924532308506fe5d024435ddee0cabf90ad9b29f6a", + "file.name": "SB.xsl", + "file.path": "C:\\Windows\\Temp\\sb-sim-temp-ikyxqi\\sb_10554_bs_h4qpk5", + "fileset.name": "m365_defender", + "input.type": "log", + "log.offset": 4142, + "message": "'Exeselrun' malware was detected", + "microsoft.m365_defender.alerts.assignedTo": "Automation", + "microsoft.m365_defender.alerts.creationTime": "2020-06-30T10:08:58.9655663Z", + "microsoft.m365_defender.alerts.detectionSource": "WindowsDefenderAv", + "microsoft.m365_defender.alerts.devices": [ + { + "deviceDnsName": "testserver4", + "firstSeen": "2020-06-30T08:55:08.8320449Z", + "healthStatus": "Inactive", + "mdatpDeviceId": "75a63a39f9bc5a964f417c11f6277d5bf9489f0d", + "osBuild": 17763, + "osPlatform": "Other", + "osProcessor": "x64", + "rbacGroupId": 0, + "riskScore": "High", + "version": "Other" + } + ], + "microsoft.m365_defender.alerts.entities.deviceId": "75a63a39f9bc5a964f417c11f6277d5bf9489f0d", + "microsoft.m365_defender.alerts.entities.entityType": "File", + "microsoft.m365_defender.alerts.incidentId": "12", + "microsoft.m365_defender.alerts.investigationId": 
9, + "microsoft.m365_defender.alerts.investigationState": "Benign", + "microsoft.m365_defender.alerts.lastUpdatedTime": "2020-08-26T09:41:27.7233333Z", + "microsoft.m365_defender.alerts.resolvedTime": "2020-06-30T11:13:12.2680434Z", + "microsoft.m365_defender.alerts.severity": "Informational", + "microsoft.m365_defender.alerts.status": "Resolved", + "microsoft.m365_defender.assignedTo": "elastic@elasticuser.com", + "microsoft.m365_defender.classification": "Unknown", + "microsoft.m365_defender.determination": "NotAvailable", + "microsoft.m365_defender.incidentId": "12", + "microsoft.m365_defender.incidentName": "12", + "microsoft.m365_defender.status": "Resolved", + "observer.name": "MicrosoftDefenderATP", + "observer.product": "365 Defender", + "observer.vendor": "Microsoft", + "related.hash": [ + "d1bb29ce3d01d01451e3623132545d5f577a1bd6", + "ce8d3a3811a3bf923902d6924532308506fe5d024435ddee0cabf90ad9b29f6a" + ], + "rule.description": "Malware and unwanted software are undesirable applications that perform annoying, disruptive, or harmful actions on affected machines. Some of these undesirable applications can replicate and spread from one machine to another. Others are able to receive commands from remote attackers and perform activities associated with cyber attacks.\n\nThis detection might indicate that the malware was stopped from delivering its payload. 
However, it is prudent to check the machine for signs of infection.", + "service.type": "microsoft", + "tags": [ + "m365-defender", + "forwarded" + ], + "threat.framework": "MITRE ATT&CK", + "threat.technique.name": "Malware" + }, + { + "@timestamp": "2020-09-23T19:44:36.29Z", + "cloud.provider": "azure", + "event.action": "Malware", + "event.category": [ + "host" + ], + "event.dataset": "microsoft.m365_defender", + "event.duration": 0, + "event.end": "2020-06-30T10:07:44.333733Z", + "event.id": "da637291085411733957_-1043898914", + "event.kind": "alert", + "event.module": "microsoft", + "event.provider": "MicrosoftDefenderATP", + "event.severity": 2, + "event.start": "2020-06-30T10:07:44.333733Z", + "event.timezone": "UTC", + "event.type": [ + "end" + ], + "file.name": "SB.xsl", + "file.path": "C:\\Windows\\Temp\\sb-sim-temp-ikyxqi\\sb_10554_bs_h4qpk5", + "fileset.name": "m365_defender", + "input.type": "log", + "log.offset": 6249, + "message": "An active 'Exeselrun' malware was detected", + "microsoft.m365_defender.alerts.assignedTo": "elastic@elasticuser.com", + "microsoft.m365_defender.alerts.creationTime": "2020-06-30T10:09:01.1569718Z", + "microsoft.m365_defender.alerts.detectionSource": "WindowsDefenderAv", + "microsoft.m365_defender.alerts.devices": [ + { + "deviceDnsName": "TestServer4", + "firstSeen": "2020-06-30T08:55:08.8320449Z", + "healthStatus": "Inactive", + "mdatpDeviceId": "75a63a39f9bc5a964f417c11f6277d5bf9489f0d", + "osBuild": 17763, + "osPlatform": "Other", + "osProcessor": "x64", + "rbacGroupId": 0, + "riskScore": "High", + "version": "Other" + } + ], + "microsoft.m365_defender.alerts.entities.deviceId": "75a63a39f9bc5a964f417c11f6277d5bf9489f0d", + "microsoft.m365_defender.alerts.entities.entityType": "File", + "microsoft.m365_defender.alerts.incidentId": "12", + "microsoft.m365_defender.alerts.investigationId": 9, + "microsoft.m365_defender.alerts.investigationState": "Benign", + "microsoft.m365_defender.alerts.lastUpdatedTime": 
"2020-08-26T09:41:27.7233333Z", + "microsoft.m365_defender.alerts.resolvedTime": "2020-06-30T11:13:12.2680434Z", + "microsoft.m365_defender.alerts.severity": "Low", + "microsoft.m365_defender.alerts.status": "Resolved", + "microsoft.m365_defender.assignedTo": "elastic@elasticuser.com", + "microsoft.m365_defender.classification": "Unknown", + "microsoft.m365_defender.determination": "NotAvailable", + "microsoft.m365_defender.incidentId": "12", + "microsoft.m365_defender.incidentName": "12", + "microsoft.m365_defender.status": "Resolved", + "observer.name": "MicrosoftDefenderATP", + "observer.product": "365 Defender", + "observer.vendor": "Microsoft", + "rule.description": "Malware and unwanted software are undesirable applications that perform annoying, disruptive, or harmful actions on affected machines. Some of these undesirable applications can replicate and spread from one machine to another. Others are able to receive commands from remote attackers and perform activities associated with cyber attacks.\n\nA malware is considered active if it is found running on the machine or it already has persistence mechanisms in place. 
Active malware detections are assigned higher severity ratings.\n\nBecause this malware was active, take precautionary measures and check for residual signs of infection.", + "service.type": "microsoft", + "tags": [ + "m365-defender", + "forwarded" + ], + "threat.framework": "MITRE ATT&CK", + "threat.technique.name": "Malware" + }, + { + "@timestamp": "2020-09-23T19:44:36.29Z", + "cloud.provider": "azure", + "event.action": "SuspiciousActivity", + "event.category": [ + "host" + ], + "event.dataset": "microsoft.m365_defender", + "event.duration": 1318527620200, + "event.end": "2020-06-30T10:31:09.4165785Z", + "event.id": "da637291086161511365_-2075772905", + "event.kind": "alert", + "event.module": "microsoft", + "event.provider": "MicrosoftDefenderATP", + "event.severity": 2, + "event.start": "2020-06-30T10:09:10.8889583Z", + "event.timezone": "UTC", + "event.type": [ + "end" + ], + "fileset.name": "m365_defender", + "input.type": "log", + "log.offset": 8376, + "message": "Suspicious 'AccessibilityEscalation' behavior was detected", + "microsoft.m365_defender.alerts.assignedTo": "elastic@elasticuser.com", + "microsoft.m365_defender.alerts.classification": "FalsePositive", + "microsoft.m365_defender.alerts.creationTime": "2020-06-30T10:10:16.1355657Z", + "microsoft.m365_defender.alerts.detectionSource": "WindowsDefenderAv", + "microsoft.m365_defender.alerts.devices": [ + { + "deviceDnsName": "testserver4", + "firstSeen": "2020-06-30T08:55:08.8320449Z", + "healthStatus": "Inactive", + "mdatpDeviceId": "75a63a39f9bc5a964f417c11f6277d5bf9489f0d", + "osBuild": 17763, + "osPlatform": "Other", + "osProcessor": "x64", + "rbacGroupId": 0, + "riskScore": "High", + "version": "Other" + } + ], + "microsoft.m365_defender.alerts.entities.deviceId": "75a63a39f9bc5a964f417c11f6277d5bf9489f0d", + "microsoft.m365_defender.alerts.entities.entityType": "Process", + "microsoft.m365_defender.alerts.incidentId": "12", + "microsoft.m365_defender.alerts.investigationState": 
"UnsupportedAlertType", + "microsoft.m365_defender.alerts.lastUpdatedTime": "2020-09-23T19:44:37.9666667Z", + "microsoft.m365_defender.alerts.resolvedTime": "2020-09-23T19:44:36.1092821Z", + "microsoft.m365_defender.alerts.severity": "Low", + "microsoft.m365_defender.alerts.status": "Resolved", + "microsoft.m365_defender.assignedTo": "elastic@elasticuser.com", + "microsoft.m365_defender.classification": "Unknown", + "microsoft.m365_defender.determination": "NotAvailable", + "microsoft.m365_defender.incidentId": "12", + "microsoft.m365_defender.incidentName": "12", + "microsoft.m365_defender.status": "Resolved", + "observer.name": "MicrosoftDefenderATP", + "observer.product": "365 Defender", + "observer.vendor": "Microsoft", + "process.pid": 6720, + "process.start": "2020-06-30T10:31:04.1092404Z", + "rule.description": "Malware and unwanted software are undesirable applications that perform annoying, disruptive, or harmful actions on affected machines. Some of these undesirable applications can replicate and spread from one machine to another. Others are able to receive commands from remote attackers and perform activities associated with cyber attacks.\n\nA malware is considered active if it is found running on the machine or it already has persistence mechanisms in place. 
Active malware detections are assigned higher severity ratings.\n\nBecause this malware was active, take precautionary measures and check for residual signs of infection.", + "service.type": "microsoft", + "tags": [ + "m365-defender", + "forwarded" + ], + "threat.framework": "MITRE ATT&CK", + "threat.technique.name": "SuspiciousActivity" + }, + { + "@timestamp": "2020-09-23T19:44:36.29Z", + "cloud.provider": "azure", + "event.action": "SuspiciousActivity", + "event.category": [ + "host" + ], + "event.dataset": "microsoft.m365_defender", + "event.duration": 1318527620200, + "event.end": "2020-06-30T10:31:09.4165785Z", + "event.id": "da637291086161511365_-2075772905", + "event.kind": "alert", + "event.module": "microsoft", + "event.provider": "MicrosoftDefenderATP", + "event.severity": 2, + "event.start": "2020-06-30T10:09:10.8889583Z", + "event.timezone": "UTC", + "event.type": [ + "end" + ], + "fileset.name": "m365_defender", + "input.type": "log", + "log.offset": 10542, + "message": "Suspicious 'AccessibilityEscalation' behavior was detected", + "microsoft.m365_defender.alerts.assignedTo": "elastic@elasticuser.com", + "microsoft.m365_defender.alerts.classification": "FalsePositive", + "microsoft.m365_defender.alerts.creationTime": "2020-06-30T10:10:16.1355657Z", + "microsoft.m365_defender.alerts.detectionSource": "WindowsDefenderAv", + "microsoft.m365_defender.alerts.devices": [ + { + "deviceDnsName": "testserver4", + "firstSeen": "2020-06-30T08:55:08.8320449Z", + "healthStatus": "Inactive", + "mdatpDeviceId": "75a63a39f9bc5a964f417c11f6277d5bf9489f0d", + "osBuild": 17763, + "osPlatform": "Other", + "osProcessor": "x64", + "rbacGroupId": 0, + "riskScore": "High", + "version": "Other" + } + ], + "microsoft.m365_defender.alerts.entities.accountName": "", + "microsoft.m365_defender.alerts.entities.entityType": "User", + "microsoft.m365_defender.alerts.incidentId": "12", + "microsoft.m365_defender.alerts.investigationState": "UnsupportedAlertType", + 
"microsoft.m365_defender.alerts.lastUpdatedTime": "2020-09-23T19:44:37.9666667Z", + "microsoft.m365_defender.alerts.resolvedTime": "2020-09-23T19:44:36.1092821Z", + "microsoft.m365_defender.alerts.severity": "Low", + "microsoft.m365_defender.alerts.status": "Resolved", + "microsoft.m365_defender.assignedTo": "elastic@elasticuser.com", + "microsoft.m365_defender.classification": "Unknown", + "microsoft.m365_defender.determination": "NotAvailable", + "microsoft.m365_defender.incidentId": "12", + "microsoft.m365_defender.incidentName": "12", + "microsoft.m365_defender.status": "Resolved", + "observer.name": "MicrosoftDefenderATP", + "observer.product": "365 Defender", + "observer.vendor": "Microsoft", + "rule.description": "Malware and unwanted software are undesirable applications that perform annoying, disruptive, or harmful actions on affected machines. Some of these undesirable applications can replicate and spread from one machine to another. Others are able to receive commands from remote attackers and perform activities associated with cyber attacks.\n\nA malware is considered active if it is found running on the machine or it already has persistence mechanisms in place. 
Active malware detections are assigned higher severity ratings.\n\nBecause this malware was active, take precautionary measures and check for residual signs of infection.", + "service.type": "microsoft", + "tags": [ + "m365-defender", + "forwarded" + ], + "threat.framework": "MITRE ATT&CK", + "threat.technique.name": "SuspiciousActivity" + }, + { + "@timestamp": "2020-09-23T19:44:36.29Z", + "cloud.provider": "azure", + "event.action": "SuspiciousActivity", + "event.category": [ + "host" + ], + "event.dataset": "microsoft.m365_defender", + "event.duration": 1318527620200, + "event.end": "2020-06-30T10:31:09.4165785Z", + "event.id": "da637291086161511365_-2075772905", + "event.kind": "alert", + "event.module": "microsoft", + "event.provider": "MicrosoftDefenderATP", + "event.severity": 2, + "event.start": "2020-06-30T10:09:10.8889583Z", + "event.timezone": "UTC", + "event.type": [ + "end" + ], + "fileset.name": "m365_defender", + "input.type": "log", + "log.offset": 12598, + "message": "Suspicious 'AccessibilityEscalation' behavior was detected", + "microsoft.m365_defender.alerts.assignedTo": "elastic@elasticuser.com", + "microsoft.m365_defender.alerts.classification": "FalsePositive", + "microsoft.m365_defender.alerts.creationTime": "2020-06-30T10:10:16.1355657Z", + "microsoft.m365_defender.alerts.detectionSource": "WindowsDefenderAv", + "microsoft.m365_defender.alerts.devices": [ + { + "deviceDnsName": "testserver4", + "firstSeen": "2020-06-30T08:55:08.8320449Z", + "healthStatus": "Inactive", + "mdatpDeviceId": "75a63a39f9bc5a964f417c11f6277d5bf9489f0d", + "osBuild": 17763, + "osPlatform": "Other", + "osProcessor": "x64", + "rbacGroupId": 0, + "riskScore": "High", + "version": "Other" + } + ], + "microsoft.m365_defender.alerts.entities.deviceId": "75a63a39f9bc5a964f417c11f6277d5bf9489f0d", + "microsoft.m365_defender.alerts.entities.entityType": "Process", + "microsoft.m365_defender.alerts.incidentId": "12", + "microsoft.m365_defender.alerts.investigationState": 
"UnsupportedAlertType", + "microsoft.m365_defender.alerts.lastUpdatedTime": "2020-09-23T19:44:37.9666667Z", + "microsoft.m365_defender.alerts.resolvedTime": "2020-09-23T19:44:36.1092821Z", + "microsoft.m365_defender.alerts.severity": "Low", + "microsoft.m365_defender.alerts.status": "Resolved", + "microsoft.m365_defender.assignedTo": "elastic@elasticuser.com", + "microsoft.m365_defender.classification": "Unknown", + "microsoft.m365_defender.determination": "NotAvailable", + "microsoft.m365_defender.incidentId": "12", + "microsoft.m365_defender.incidentName": "12", + "microsoft.m365_defender.status": "Resolved", + "observer.name": "MicrosoftDefenderATP", + "observer.product": "365 Defender", + "observer.vendor": "Microsoft", + "process.pid": 1324, + "process.start": "2020-06-30T10:09:10.5747992Z", + "rule.description": "Malware and unwanted software are undesirable applications that perform annoying, disruptive, or harmful actions on affected machines. Some of these undesirable applications can replicate and spread from one machine to another. Others are able to receive commands from remote attackers and perform activities associated with cyber attacks.\n\nA malware is considered active if it is found running on the machine or it already has persistence mechanisms in place. 
Active malware detections are assigned higher severity ratings.\n\nBecause this malware was active, take precautionary measures and check for residual signs of infection.", + "service.type": "microsoft", + "tags": [ + "m365-defender", + "forwarded" + ], + "threat.framework": "MITRE ATT&CK", + "threat.technique.name": "SuspiciousActivity" + }, + { + "@timestamp": "2020-09-23T19:32:05.8366667Z", + "cloud.provider": "azure", + "event.action": "SuspiciousActivity", + "event.category": [ + "host" + ], + "event.dataset": "microsoft.m365_defender", + "event.duration": 0, + "event.end": "2020-07-27T15:47:22.088Z", + "event.id": "caA214771F-6AB0-311D-B2B0-BECD3B4A967B", + "event.kind": "alert", + "event.module": "microsoft", + "event.provider": "MicrosoftCloudAppSecurity", + "event.severity": 3, + "event.start": "2020-07-27T15:47:22.088Z", + "event.timezone": "UTC", + "fileset.name": "m365_defender", + "host.user.id": "8e24c50a-a77c-4782-813f-965009b5ddf3", + "host.user.name": "brent@elasticbv.onmicrosoft.com", + "input.type": "log", + "log.offset": 14764, + "message": "Activity from infrequent country", + "microsoft.m365_defender.alerts.assignedTo": "elastic@elasticuser.com", + "microsoft.m365_defender.alerts.classification": "FalsePositive", + "microsoft.m365_defender.alerts.creationTime": "2020-07-27T15:54:20.52207Z", + "microsoft.m365_defender.alerts.detectionSource": "MCAS", + "microsoft.m365_defender.alerts.entities.accountName": "brent", + "microsoft.m365_defender.alerts.entities.entityType": "User", + "microsoft.m365_defender.alerts.incidentId": "14", + "microsoft.m365_defender.alerts.investigationState": "UnsupportedAlertType", + "microsoft.m365_defender.alerts.lastUpdatedTime": "2020-09-23T19:32:17.5433333Z", + "microsoft.m365_defender.alerts.severity": "Medium", + "microsoft.m365_defender.alerts.status": "New", + "microsoft.m365_defender.assignedTo": "elastic@elasticuser.com", + "microsoft.m365_defender.classification": "Unknown", + 
"microsoft.m365_defender.determination": "NotAvailable", + "microsoft.m365_defender.incidentId": "14", + "microsoft.m365_defender.incidentName": "Activity from infrequent country", + "microsoft.m365_defender.status": "Active", + "observer.name": "MicrosoftCloudAppSecurity", + "observer.product": "365 Defender", + "observer.vendor": "Microsoft", + "related.user": [ + "brent@elasticbv.onmicrosoft.com" + ], + "rule.description": "Brent Murphy (brent@elasticbv.onmicrosoft.com) performed an activity. No activity was performed in United States in the past 41 days.", + "service.type": "microsoft", + "tags": [ + "m365-defender", + "forwarded" + ], + "threat.framework": "MITRE ATT&CK", + "threat.technique.name": "SuspiciousActivity" + }, + { + "@timestamp": "2020-09-23T19:32:05.8366667Z", + "cloud.provider": "azure", + "event.action": "SuspiciousActivity", + "event.category": [ + "host" + ], + "event.dataset": "microsoft.m365_defender", + "event.duration": 0, + "event.end": "2020-07-27T15:47:22.088Z", + "event.id": "caA214771F-6AB0-311D-B2B0-BECD3B4A967B", + "event.kind": "alert", + "event.module": "microsoft", + "event.provider": "MicrosoftCloudAppSecurity", + "event.severity": 3, + "event.start": "2020-07-27T15:47:22.088Z", + "event.timezone": "UTC", + "fileset.name": "m365_defender", + "input.type": "log", + "log.offset": 16091, + "message": "Activity from infrequent country", + "microsoft.m365_defender.alerts.assignedTo": "elastic@elasticuser.com", + "microsoft.m365_defender.alerts.classification": "FalsePositive", + "microsoft.m365_defender.alerts.creationTime": "2020-07-27T15:54:20.52207Z", + "microsoft.m365_defender.alerts.detectionSource": "MCAS", + "microsoft.m365_defender.alerts.entities.entityType": "Ip", + "microsoft.m365_defender.alerts.entities.ipAddress": "73.172.171.53", + "microsoft.m365_defender.alerts.incidentId": "14", + "microsoft.m365_defender.alerts.investigationState": "UnsupportedAlertType", + "microsoft.m365_defender.alerts.lastUpdatedTime": 
"2020-09-23T19:32:17.5433333Z",
+ "microsoft.m365_defender.alerts.severity": "Medium",
+ "microsoft.m365_defender.alerts.status": "New",
+ "microsoft.m365_defender.assignedTo": "elastic@elasticuser.com",
+ "microsoft.m365_defender.classification": "Unknown",
+ "microsoft.m365_defender.determination": "NotAvailable",
+ "microsoft.m365_defender.incidentId": "14",
+ "microsoft.m365_defender.incidentName": "Activity from infrequent country",
+ "microsoft.m365_defender.status": "Active",
+ "observer.name": "MicrosoftCloudAppSecurity",
+ "observer.product": "365 Defender",
+ "observer.vendor": "Microsoft",
+ "rule.description": "Brent Murphy (brent@elasticbv.onmicrosoft.com) performed an activity. No activity was performed in United States in the past 41 days.",
+ "service.type": "microsoft",
+ "tags": [
+ "m365-defender",
+ "forwarded"
+ ],
+ "threat.framework": "MITRE ATT&CK",
+ "threat.technique.name": "SuspiciousActivity"
+ }
+]
\ No newline at end of file
diff --git a/x-pack/filebeat/modules.d/microsoft.yml.disabled b/x-pack/filebeat/modules.d/microsoft.yml.disabled
index 09c7211e179..63bcc20897a 100644
--- a/x-pack/filebeat/modules.d/microsoft.yml.disabled
+++ b/x-pack/filebeat/modules.d/microsoft.yml.disabled
@@ -13,7 +13,20 @@
  # Oauth Client Secret
  #var.oauth2.client.secret: ""
-
+
+ # Oauth Token URL, should include the tenant ID
+ #var.oauth2.token_url: "https://login.microsoftonline.com/TENANT-ID/oauth2/token"
+ m365_defender:
+ enabled: true
+ # How often the API should be polled
+ #var.interval: 5m
+
+ # Oauth Client ID
+ #var.oauth2.client.id: ""
+
+ # Oauth Client Secret
+ #var.oauth2.client.secret: ""
+
  # Oauth Token URL, should include the tenant ID
  #var.oauth2.token_url: "https://login.microsoftonline.com/TENANT-ID/oauth2/token"
 
  dhcp:
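Review bot: The new `m365_defender` section presents `var.oauth2.client.secret` as a plain string in the module file with no hint that the Filebeat keystore can hold it, so a reader following the template is steered toward committing the client secret into the config. Consider extending the comment above that setting, e.g. `# Oauth Client Secret (store it in the Filebeat keystore and reference it as ${KEY_NAME}; do not write the value here)`, with `KEY_NAME` standing for whatever key the operator chooses. The existing `defender_atp` block, which this hunk appears to only reorder by adding a token URL comment pair ahead of the new section, carries the same secret setting and would benefit from the same note. The hunk is complete within this chunk.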