From 994c6a5fafb2597bb7edeabb017b05ef38603122 Mon Sep 17 00:00:00 2001 From: "mergify[bot]" <37929162+mergify[bot]@users.noreply.github.com> Date: Tue, 20 Apr 2021 15:48:06 +0200 Subject: [PATCH] Cyberark Privileged Access Security module (backport #24803) (#25156) This PR adds a new module, cyberarkpas, to ingest Privileged Access Security audit logs from Vault via syslog. (cherry picked from commit 2d51864ef6ee2e41702859ad66d5d6106457bced) --- CHANGELOG.next.asciidoc | 1 + filebeat/docs/fields.asciidoc | 263 +++ .../images/filebeat-cyberarkpas-overview.png | Bin 0 -> 569960 bytes filebeat/docs/modules/cyberarkpas.asciidoc | 184 ++ filebeat/docs/modules_list.asciidoc | 2 + x-pack/filebeat/filebeat.reference.yml | 26 + x-pack/filebeat/include/list.go | 1 + .../_meta/assets/elastic-json-v1.0.xsl | 161 ++ .../module/cyberarkpas/_meta/config.yml | 24 + .../module/cyberarkpas/_meta/docs.asciidoc | 171 ++ .../module/cyberarkpas/_meta/fields.yml | 10 + .../dashboard/Filebeat-cyberarkpas-audit.json | 1574 +++++++++++++++++ .../module/cyberarkpas/audit/_meta/fields.yml | 97 + .../module/cyberarkpas/audit/config/input.yml | 32 + .../cyberarkpas/audit/ingest/pipeline.yml | 1106 ++++++++++++ .../module/cyberarkpas/audit/manifest.yml | 22 + .../audit/test/105_add_file_category.log | 6 + .../105_add_file_category.log-expected.json | 300 ++++ .../audit/test/106_update_file_category.log | 6 + ...106_update_file_category.log-expected.json | 298 ++++ .../audit/test/107_delete_file_category.log | 1 + ...107_delete_file_category.log-expected.json | 51 + .../audit/test/124_rename_file.log | 1 + .../test/124_rename_file.log-expected.json | 49 + .../audit/test/125_rename_file_cont.log | 1 + .../125_rename_file_cont.log-expected.json | 49 + .../audit/test/126_unlock_file.log | 1 + .../test/126_unlock_file.log-expected.json | 43 + .../audit/test/130_cpm_disable_password.log | 1 + ...130_cpm_disable_password.log-expected.json | 76 + .../audit/test/178_get_user_s_details.log | 1 + .../178_get_user_s_details.log-expected.json | 43 + .../cyberarkpas/audit/test/180_add_user.log | 12 + .../audit/test/180_add_user.log-expected.json | 704 ++++++++ .../audit/test/181_update_safe.log | 1 + .../test/181_update_safe.log-expected.json | 49 + .../cyberarkpas/audit/test/185_add_safe.log | 2 + .../audit/test/185_add_safe.log-expected.json | 97 + .../cyberarkpas/audit/test/187_add_folder.log | 2 + .../test/187_add_folder.log-expected.json | 93 + .../audit/test/19_full_gateway_connection.log | 9 + ..._full_gateway_connection.log-expected.json | 579 ++++++ .../202_old_backup_files_deletion_start.log | 1 + ...kup_files_deletion_start.log-expected.json | 40 + .../203_old_backup_files_deletion_end.log | 1 + ...ackup_files_deletion_end.log-expected.json | 40 + .../test/20_partial_gateway_connection.log | 1 + ...rtial_gateway_connection.log-expected.json | 42 + .../audit/test/22_cpm_verify_password.log | 2 + .../22_cpm_verify_password.log-expected.json | 149 ++ .../audit/test/23_action_on_closed_safe.log | 3 + ...23_action_on_closed_safe.log-expected.json | 137 ++ .../audit/test/24_cpm_change_password.log | 4 + .../24_cpm_change_password.log-expected.json | 292 +++ .../audit/test/259_add_update_group.log | 4 + .../259_add_update_group.log-expected.json | 190 ++ .../audit/test/265_add_group_member.log | 14 + .../265_add_group_member.log-expected.json | 667 +++++++ .../audit/test/266_remove_group_member.log | 2 + .../266_remove_group_member.log-expected.json | 97 + .../audit/test/273_remove_owner.log | 1 + .../test/273_remove_owner.log-expected.json | 50 + .../cyberarkpas/audit/test/278_add_rule.log | 1 + .../audit/test/278_add_rule.log-expected.json | 46 + .../288_auto_clear_users_history_start.log | 2 + ...lear_users_history_start.log-expected.json | 75 + .../test/289_auto_clear_users_history_end.log | 2 + ..._clear_users_history_end.log-expected.json | 75 + .../290_auto_clear_safes_history_start.log | 1 + ...lear_safes_history_start.log-expected.json | 40 + .../test/291_auto_clear_safes_history_end.log | 1 + ..._clear_safes_history_end.log-expected.json | 40 + .../audit/test/294_store_password.log | 10 + .../test/294_store_password.log-expected.json | 521 ++++++ .../audit/test/295_retrieve_password.log | 13 + .../295_retrieve_password.log-expected.json | 880 +++++++++ .../audit/test/300_psm_connect.log | 17 + .../test/300_psm_connect.log-expected.json | 1481 ++++++++++++++++ .../audit/test/302_psm_disconnect.log | 16 + .../test/302_psm_disconnect.log-expected.json | 1417 +++++++++++++++ .../audit/test/304_psm_upload_recording.log | 1 + ...304_psm_upload_recording.log-expected.json | 52 + .../audit/test/308_use_password.log | 11 + .../test/308_use_password.log-expected.json | 867 +++++++++ .../audit/test/309_undefined_user_logon.log | 5 + ...309_undefined_user_logon.log-expected.json | 299 ++++ .../test/310_monitor_dr_replication_start.log | 2 + ...tor_dr_replication_start.log-expected.json | 75 + .../test/311_monitor_dr_replication_end.log | 2 + ...nitor_dr_replication_end.log-expected.json | 75 + ...set_user_password_detailed_information.log | 1 + ...ord_detailed_information.log-expected.json | 50 + .../audit/test/317_reset_user_password.log | 1 + .../317_reset_user_password.log-expected.json | 49 + .../audit/test/31_cpm_reconcile_password.log | 1 + ...1_cpm_reconcile_password.log-expected.json | 71 + .../test/326_cpm_auto_detection_start.log | 1 + ...cpm_auto_detection_start.log-expected.json | 47 + .../audit/test/327_cpm_auto_detection_end.log | 1 + ...7_cpm_auto_detection_end.log-expected.json | 47 + .../cyberarkpas/audit/test/32_add_owner.log | 16 + .../audit/test/32_add_owner.log-expected.json | 993 +++++++++++ .../audit/test/33_update_owner.log | 7 + .../test/33_update_owner.log-expected.json | 436 +++++ ..._monitor_license_expiration_date_start.log | 1 + ...se_expiration_date_start.log-expected.json | 40 + ...56_monitor_license_expiration_date_end.log | 1 + ...ense_expiration_date_end.log-expected.json | 40 + .../audit/test/357_monitor_fw_rules_start.log | 2 + ...7_monitor_fw_rules_start.log-expected.json | 75 + .../audit/test/358_monitor_fw_rules_end.log | 2 + ...358_monitor_fw_rules_end.log-expected.json | 75 + .../audit/test/359_sql_command.log | 10 + .../test/359_sql_command.log-expected.json | 852 +++++++++ .../audit/test/361_keystroke_logging.log | 7 + .../361_keystroke_logging.log-expected.json | 649 +++++++ .../audit/test/385_blservice_audit_record.log | 5 + ...5_blservice_audit_record.log-expected.json | 227 +++ .../test/38_cpm_verify_password_failed.log | 15 + ...m_verify_password_failed.log-expected.json | 1196 +++++++++++++ .../audit/test/411_window_title.log | 1 + .../test/411_window_title.log-expected.json | 84 + .../audit/test/412_keystroke_logging.log | 1 + .../412_keystroke_logging.log-expected.json | 85 + .../audit/test/414_cpm_verify_ssh_key.log | 1 + .../414_cpm_verify_ssh_key.log-expected.json | 80 + .../audit/test/427_store_ssh_key.log | 1 + .../test/427_store_ssh_key.log-expected.json | 49 + .../audit/test/428_retrieve_ssh_key.log | 3 + .../428_retrieve_ssh_key.log-expected.json | 233 +++ .../test/449_create_discovery_succeeded.log | 1 + ...eate_discovery_succeeded.log-expected.json | 42 + .../audit/test/459_general_audit.log | 3 + .../test/459_general_audit.log-expected.json | 177 ++ ...key_for_jwt_authentication_was_updated.log | 1 + ...thentication_was_updated.log-expected.json | 40 + ...rithm_of_the_vault_certificate_is_sha1.log | 2 + ...ault_certificate_is_sha1.log-expected.json | 77 + ...g_add_account_bulk_operation_succeeded.log | 1 + ...bulk_operation_succeeded.log-expected.json | 40 + .../audit/test/4_user_authentication.log | 2 + .../4_user_authentication.log-expected.json | 114 ++ .../cyberarkpas/audit/test/50_store_file.log | 6 + .../test/50_store_file.log-expected.json | 278 +++ .../audit/test/51_retrieve_file.log | 2 + .../test/51_retrieve_file.log-expected.json | 84 + .../cyberarkpas/audit/test/52_delete_file.log | 10 + .../test/52_delete_file.log-expected.json | 502 ++++++ .../test/57_cpm_change_password_failed.log | 1 + ...m_change_password_failed.log-expected.json | 85 + .../audit/test/59_clear_safe_history.log | 3 + .../59_clear_safe_history.log-expected.json | 116 ++ .../test/60_cpm_reconcile_password_failed.log | 9 + ...econcile_password_failed.log-expected.json | 756 ++++++++ .../audit/test/62_create_file_version.log | 8 + .../62_create_file_version.log-expected.json | 382 ++++ .../module/cyberarkpas/audit/test/7_logon.log | 12 + .../audit/test/7_logon.log-expected.json | 659 +++++++ .../audit/test/88_set_password.log | 18 + .../test/88_set_password.log-expected.json | 781 ++++++++ .../cyberarkpas/audit/test/8_logoff.log | 15 + .../audit/test/8_logoff.log-expected.json | 845 +++++++++ .../audit/test/98_open_file_write_only.log | 4 + .../98_open_file_write_only.log-expected.json | 187 ++ .../cyberarkpas/audit/test/99_open_file.log | 1 + .../audit/test/99_open_file.log-expected.json | 43 + .../cyberarkpas/audit/test/legacysyslog.log | 1 + .../audit/test/legacysyslog.log-expected.json | 40 + .../cyberarkpas/audit/test/rfc5424syslog.log | 4 + .../test/rfc5424syslog.log-expected.json | 193 ++ x-pack/filebeat/module/cyberarkpas/fields.go | 23 + x-pack/filebeat/module/cyberarkpas/module.yml | 3 + .../modules.d/cyberarkpas.yml.disabled | 27 + 173 files changed, 24967 insertions(+) create mode 100644 filebeat/docs/images/filebeat-cyberarkpas-overview.png create mode 100644 filebeat/docs/modules/cyberarkpas.asciidoc create mode 100644 x-pack/filebeat/module/cyberarkpas/_meta/assets/elastic-json-v1.0.xsl create mode 100644 x-pack/filebeat/module/cyberarkpas/_meta/config.yml create mode 100644 x-pack/filebeat/module/cyberarkpas/_meta/docs.asciidoc create mode 100644 x-pack/filebeat/module/cyberarkpas/_meta/fields.yml create mode 100644 x-pack/filebeat/module/cyberarkpas/_meta/kibana/7/dashboard/Filebeat-cyberarkpas-audit.json create mode 100644 x-pack/filebeat/module/cyberarkpas/audit/_meta/fields.yml create mode 100644 x-pack/filebeat/module/cyberarkpas/audit/config/input.yml create mode 100644 x-pack/filebeat/module/cyberarkpas/audit/ingest/pipeline.yml create mode 100644 x-pack/filebeat/module/cyberarkpas/audit/manifest.yml create mode 100644 x-pack/filebeat/module/cyberarkpas/audit/test/105_add_file_category.log create mode 100644 x-pack/filebeat/module/cyberarkpas/audit/test/105_add_file_category.log-expected.json create mode 100644 x-pack/filebeat/module/cyberarkpas/audit/test/106_update_file_category.log create mode 100644 x-pack/filebeat/module/cyberarkpas/audit/test/106_update_file_category.log-expected.json create mode 100644 x-pack/filebeat/module/cyberarkpas/audit/test/107_delete_file_category.log create mode 100644 x-pack/filebeat/module/cyberarkpas/audit/test/107_delete_file_category.log-expected.json create mode 100644 x-pack/filebeat/module/cyberarkpas/audit/test/124_rename_file.log create mode 100644 x-pack/filebeat/module/cyberarkpas/audit/test/124_rename_file.log-expected.json create mode 100644 x-pack/filebeat/module/cyberarkpas/audit/test/125_rename_file_cont.log create mode 100644 x-pack/filebeat/module/cyberarkpas/audit/test/125_rename_file_cont.log-expected.json create mode 100644 x-pack/filebeat/module/cyberarkpas/audit/test/126_unlock_file.log create mode 100644 x-pack/filebeat/module/cyberarkpas/audit/test/126_unlock_file.log-expected.json create mode 100644 x-pack/filebeat/module/cyberarkpas/audit/test/130_cpm_disable_password.log create mode 100644 x-pack/filebeat/module/cyberarkpas/audit/test/130_cpm_disable_password.log-expected.json create mode 100644 x-pack/filebeat/module/cyberarkpas/audit/test/178_get_user_s_details.log create mode 100644 x-pack/filebeat/module/cyberarkpas/audit/test/178_get_user_s_details.log-expected.json create mode 100644 x-pack/filebeat/module/cyberarkpas/audit/test/180_add_user.log create mode 100644 x-pack/filebeat/module/cyberarkpas/audit/test/180_add_user.log-expected.json create mode 100644 x-pack/filebeat/module/cyberarkpas/audit/test/181_update_safe.log create mode 100644 x-pack/filebeat/module/cyberarkpas/audit/test/181_update_safe.log-expected.json create mode 100644 x-pack/filebeat/module/cyberarkpas/audit/test/185_add_safe.log create mode 100644 x-pack/filebeat/module/cyberarkpas/audit/test/185_add_safe.log-expected.json create mode 100644 x-pack/filebeat/module/cyberarkpas/audit/test/187_add_folder.log create mode 100644 x-pack/filebeat/module/cyberarkpas/audit/test/187_add_folder.log-expected.json create mode 100644 x-pack/filebeat/module/cyberarkpas/audit/test/19_full_gateway_connection.log create mode 100644 x-pack/filebeat/module/cyberarkpas/audit/test/19_full_gateway_connection.log-expected.json create mode 100644 x-pack/filebeat/module/cyberarkpas/audit/test/202_old_backup_files_deletion_start.log create mode 100644 x-pack/filebeat/module/cyberarkpas/audit/test/202_old_backup_files_deletion_start.log-expected.json create mode 100644 x-pack/filebeat/module/cyberarkpas/audit/test/203_old_backup_files_deletion_end.log create mode 100644 x-pack/filebeat/module/cyberarkpas/audit/test/203_old_backup_files_deletion_end.log-expected.json create mode 100644 x-pack/filebeat/module/cyberarkpas/audit/test/20_partial_gateway_connection.log create mode 100644 x-pack/filebeat/module/cyberarkpas/audit/test/20_partial_gateway_connection.log-expected.json create mode 100644 x-pack/filebeat/module/cyberarkpas/audit/test/22_cpm_verify_password.log create mode 100644 x-pack/filebeat/module/cyberarkpas/audit/test/22_cpm_verify_password.log-expected.json create mode 100644 x-pack/filebeat/module/cyberarkpas/audit/test/23_action_on_closed_safe.log create mode 100644 x-pack/filebeat/module/cyberarkpas/audit/test/23_action_on_closed_safe.log-expected.json create mode 100644 x-pack/filebeat/module/cyberarkpas/audit/test/24_cpm_change_password.log create mode 100644 x-pack/filebeat/module/cyberarkpas/audit/test/24_cpm_change_password.log-expected.json create mode 100644 x-pack/filebeat/module/cyberarkpas/audit/test/259_add_update_group.log create mode 100644 x-pack/filebeat/module/cyberarkpas/audit/test/259_add_update_group.log-expected.json create mode 100644 x-pack/filebeat/module/cyberarkpas/audit/test/265_add_group_member.log create mode 100644 x-pack/filebeat/module/cyberarkpas/audit/test/265_add_group_member.log-expected.json create mode 100644 x-pack/filebeat/module/cyberarkpas/audit/test/266_remove_group_member.log create mode 100644 x-pack/filebeat/module/cyberarkpas/audit/test/266_remove_group_member.log-expected.json create mode 100644 x-pack/filebeat/module/cyberarkpas/audit/test/273_remove_owner.log create mode 100644 x-pack/filebeat/module/cyberarkpas/audit/test/273_remove_owner.log-expected.json create mode 100644 x-pack/filebeat/module/cyberarkpas/audit/test/278_add_rule.log create mode 100644 x-pack/filebeat/module/cyberarkpas/audit/test/278_add_rule.log-expected.json create mode 100644 x-pack/filebeat/module/cyberarkpas/audit/test/288_auto_clear_users_history_start.log create mode 100644 x-pack/filebeat/module/cyberarkpas/audit/test/288_auto_clear_users_history_start.log-expected.json create mode 100644 x-pack/filebeat/module/cyberarkpas/audit/test/289_auto_clear_users_history_end.log create mode 100644 x-pack/filebeat/module/cyberarkpas/audit/test/289_auto_clear_users_history_end.log-expected.json create mode 100644 x-pack/filebeat/module/cyberarkpas/audit/test/290_auto_clear_safes_history_start.log create mode 100644 x-pack/filebeat/module/cyberarkpas/audit/test/290_auto_clear_safes_history_start.log-expected.json create mode 100644 x-pack/filebeat/module/cyberarkpas/audit/test/291_auto_clear_safes_history_end.log create mode 100644 x-pack/filebeat/module/cyberarkpas/audit/test/291_auto_clear_safes_history_end.log-expected.json create mode 100644 x-pack/filebeat/module/cyberarkpas/audit/test/294_store_password.log create mode 100644 x-pack/filebeat/module/cyberarkpas/audit/test/294_store_password.log-expected.json create mode 100644 x-pack/filebeat/module/cyberarkpas/audit/test/295_retrieve_password.log create mode 100644 x-pack/filebeat/module/cyberarkpas/audit/test/295_retrieve_password.log-expected.json create mode 100644 x-pack/filebeat/module/cyberarkpas/audit/test/300_psm_connect.log create mode 100644 x-pack/filebeat/module/cyberarkpas/audit/test/300_psm_connect.log-expected.json create mode 100644 x-pack/filebeat/module/cyberarkpas/audit/test/302_psm_disconnect.log create mode 100644 x-pack/filebeat/module/cyberarkpas/audit/test/302_psm_disconnect.log-expected.json create mode 100644 x-pack/filebeat/module/cyberarkpas/audit/test/304_psm_upload_recording.log create mode 100644 x-pack/filebeat/module/cyberarkpas/audit/test/304_psm_upload_recording.log-expected.json create mode 100644 x-pack/filebeat/module/cyberarkpas/audit/test/308_use_password.log create mode 100644 x-pack/filebeat/module/cyberarkpas/audit/test/308_use_password.log-expected.json create mode 100644 x-pack/filebeat/module/cyberarkpas/audit/test/309_undefined_user_logon.log create mode 100644 x-pack/filebeat/module/cyberarkpas/audit/test/309_undefined_user_logon.log-expected.json create mode 100644 x-pack/filebeat/module/cyberarkpas/audit/test/310_monitor_dr_replication_start.log create mode 100644 x-pack/filebeat/module/cyberarkpas/audit/test/310_monitor_dr_replication_start.log-expected.json create mode 100644 x-pack/filebeat/module/cyberarkpas/audit/test/311_monitor_dr_replication_end.log create mode 100644 x-pack/filebeat/module/cyberarkpas/audit/test/311_monitor_dr_replication_end.log-expected.json create mode 100644 x-pack/filebeat/module/cyberarkpas/audit/test/316_reset_user_password_detailed_information.log create mode 100644 x-pack/filebeat/module/cyberarkpas/audit/test/316_reset_user_password_detailed_information.log-expected.json create mode 100644 x-pack/filebeat/module/cyberarkpas/audit/test/317_reset_user_password.log create mode 100644 x-pack/filebeat/module/cyberarkpas/audit/test/317_reset_user_password.log-expected.json create mode 100644 x-pack/filebeat/module/cyberarkpas/audit/test/31_cpm_reconcile_password.log create mode 100644 x-pack/filebeat/module/cyberarkpas/audit/test/31_cpm_reconcile_password.log-expected.json create mode 100644 x-pack/filebeat/module/cyberarkpas/audit/test/326_cpm_auto_detection_start.log create mode 100644 x-pack/filebeat/module/cyberarkpas/audit/test/326_cpm_auto_detection_start.log-expected.json create mode 100644 x-pack/filebeat/module/cyberarkpas/audit/test/327_cpm_auto_detection_end.log create mode 100644 x-pack/filebeat/module/cyberarkpas/audit/test/327_cpm_auto_detection_end.log-expected.json create mode 100644 x-pack/filebeat/module/cyberarkpas/audit/test/32_add_owner.log create mode 100644 x-pack/filebeat/module/cyberarkpas/audit/test/32_add_owner.log-expected.json create mode 100644 x-pack/filebeat/module/cyberarkpas/audit/test/33_update_owner.log create mode 100644 x-pack/filebeat/module/cyberarkpas/audit/test/33_update_owner.log-expected.json create mode 100644 x-pack/filebeat/module/cyberarkpas/audit/test/355_monitor_license_expiration_date_start.log create mode 100644 x-pack/filebeat/module/cyberarkpas/audit/test/355_monitor_license_expiration_date_start.log-expected.json create mode 100644 x-pack/filebeat/module/cyberarkpas/audit/test/356_monitor_license_expiration_date_end.log create mode 100644 x-pack/filebeat/module/cyberarkpas/audit/test/356_monitor_license_expiration_date_end.log-expected.json create mode 100644 x-pack/filebeat/module/cyberarkpas/audit/test/357_monitor_fw_rules_start.log create mode 100644 x-pack/filebeat/module/cyberarkpas/audit/test/357_monitor_fw_rules_start.log-expected.json create mode 100644 x-pack/filebeat/module/cyberarkpas/audit/test/358_monitor_fw_rules_end.log create mode 100644 x-pack/filebeat/module/cyberarkpas/audit/test/358_monitor_fw_rules_end.log-expected.json create mode 100644 x-pack/filebeat/module/cyberarkpas/audit/test/359_sql_command.log create mode 100644 x-pack/filebeat/module/cyberarkpas/audit/test/359_sql_command.log-expected.json create mode 100644 x-pack/filebeat/module/cyberarkpas/audit/test/361_keystroke_logging.log create mode 100644 x-pack/filebeat/module/cyberarkpas/audit/test/361_keystroke_logging.log-expected.json create mode 100644 x-pack/filebeat/module/cyberarkpas/audit/test/385_blservice_audit_record.log create mode 100644 x-pack/filebeat/module/cyberarkpas/audit/test/385_blservice_audit_record.log-expected.json create mode 100644 x-pack/filebeat/module/cyberarkpas/audit/test/38_cpm_verify_password_failed.log create mode 100644 x-pack/filebeat/module/cyberarkpas/audit/test/38_cpm_verify_password_failed.log-expected.json create mode 100644 x-pack/filebeat/module/cyberarkpas/audit/test/411_window_title.log create mode 100644 x-pack/filebeat/module/cyberarkpas/audit/test/411_window_title.log-expected.json create mode 100644 x-pack/filebeat/module/cyberarkpas/audit/test/412_keystroke_logging.log create mode 100644 x-pack/filebeat/module/cyberarkpas/audit/test/412_keystroke_logging.log-expected.json create mode 100644 x-pack/filebeat/module/cyberarkpas/audit/test/414_cpm_verify_ssh_key.log create mode 100644 x-pack/filebeat/module/cyberarkpas/audit/test/414_cpm_verify_ssh_key.log-expected.json create mode 100644 x-pack/filebeat/module/cyberarkpas/audit/test/427_store_ssh_key.log create mode 100644 x-pack/filebeat/module/cyberarkpas/audit/test/427_store_ssh_key.log-expected.json create mode 100644 x-pack/filebeat/module/cyberarkpas/audit/test/428_retrieve_ssh_key.log create mode 100644 x-pack/filebeat/module/cyberarkpas/audit/test/428_retrieve_ssh_key.log-expected.json create mode 100644 x-pack/filebeat/module/cyberarkpas/audit/test/449_create_discovery_succeeded.log create mode 100644 x-pack/filebeat/module/cyberarkpas/audit/test/449_create_discovery_succeeded.log-expected.json create mode 100644 x-pack/filebeat/module/cyberarkpas/audit/test/459_general_audit.log create mode 100644 x-pack/filebeat/module/cyberarkpas/audit/test/459_general_audit.log-expected.json create mode 100644 x-pack/filebeat/module/cyberarkpas/audit/test/467_the_component_public_key_for_jwt_authentication_was_updated.log create mode 100644 x-pack/filebeat/module/cyberarkpas/audit/test/467_the_component_public_key_for_jwt_authentication_was_updated.log-expected.json create mode 100644 x-pack/filebeat/module/cyberarkpas/audit/test/479_security_warning_the_signature_hash_algorithm_of_the_vault_certificate_is_sha1.log create mode 100644 x-pack/filebeat/module/cyberarkpas/audit/test/479_security_warning_the_signature_hash_algorithm_of_the_vault_certificate_is_sha1.log-expected.json create mode 100644 x-pack/filebeat/module/cyberarkpas/audit/test/482_update_existing_add_account_bulk_operation_succeeded.log create mode 100644 x-pack/filebeat/module/cyberarkpas/audit/test/482_update_existing_add_account_bulk_operation_succeeded.log-expected.json create mode 100644 x-pack/filebeat/module/cyberarkpas/audit/test/4_user_authentication.log create mode 100644 x-pack/filebeat/module/cyberarkpas/audit/test/4_user_authentication.log-expected.json create mode 100644 x-pack/filebeat/module/cyberarkpas/audit/test/50_store_file.log create mode 100644 x-pack/filebeat/module/cyberarkpas/audit/test/50_store_file.log-expected.json create mode 100644 x-pack/filebeat/module/cyberarkpas/audit/test/51_retrieve_file.log create mode 100644 x-pack/filebeat/module/cyberarkpas/audit/test/51_retrieve_file.log-expected.json create mode 100644 x-pack/filebeat/module/cyberarkpas/audit/test/52_delete_file.log create mode 100644 x-pack/filebeat/module/cyberarkpas/audit/test/52_delete_file.log-expected.json create mode 100644 x-pack/filebeat/module/cyberarkpas/audit/test/57_cpm_change_password_failed.log create mode 100644 x-pack/filebeat/module/cyberarkpas/audit/test/57_cpm_change_password_failed.log-expected.json create mode 100644 x-pack/filebeat/module/cyberarkpas/audit/test/59_clear_safe_history.log create mode 100644 x-pack/filebeat/module/cyberarkpas/audit/test/59_clear_safe_history.log-expected.json create mode 100644 x-pack/filebeat/module/cyberarkpas/audit/test/60_cpm_reconcile_password_failed.log create mode 100644 x-pack/filebeat/module/cyberarkpas/audit/test/60_cpm_reconcile_password_failed.log-expected.json create mode 100644 x-pack/filebeat/module/cyberarkpas/audit/test/62_create_file_version.log create mode 100644 x-pack/filebeat/module/cyberarkpas/audit/test/62_create_file_version.log-expected.json create mode 100644 x-pack/filebeat/module/cyberarkpas/audit/test/7_logon.log create mode 100644 x-pack/filebeat/module/cyberarkpas/audit/test/7_logon.log-expected.json create mode 100644 x-pack/filebeat/module/cyberarkpas/audit/test/88_set_password.log create mode 100644 x-pack/filebeat/module/cyberarkpas/audit/test/88_set_password.log-expected.json create mode 100644 x-pack/filebeat/module/cyberarkpas/audit/test/8_logoff.log create mode 100644 x-pack/filebeat/module/cyberarkpas/audit/test/8_logoff.log-expected.json create mode 100644 x-pack/filebeat/module/cyberarkpas/audit/test/98_open_file_write_only.log create mode 100644 x-pack/filebeat/module/cyberarkpas/audit/test/98_open_file_write_only.log-expected.json create mode 100644 x-pack/filebeat/module/cyberarkpas/audit/test/99_open_file.log create mode 100644 x-pack/filebeat/module/cyberarkpas/audit/test/99_open_file.log-expected.json create mode 100644 x-pack/filebeat/module/cyberarkpas/audit/test/legacysyslog.log create mode 100644 x-pack/filebeat/module/cyberarkpas/audit/test/legacysyslog.log-expected.json create mode 100644 x-pack/filebeat/module/cyberarkpas/audit/test/rfc5424syslog.log create mode 100644 x-pack/filebeat/module/cyberarkpas/audit/test/rfc5424syslog.log-expected.json create mode 100644 x-pack/filebeat/module/cyberarkpas/fields.go create mode 100644 x-pack/filebeat/module/cyberarkpas/module.yml create mode 100644 x-pack/filebeat/modules.d/cyberarkpas.yml.disabled diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index 2b37503f969..a3c43c84036 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -542,6 +542,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Change `okta.target` to `flattened` field type. {issue}24354[24354] {pull}24636[24636] - Added `http.request.id` to `nginx/ingress_controller` and `elasticsearch/audit`. {pull}24994[24994] - Add `awsfargate` module to collect container logs from Amazon ECS on Fargate. {pull}25041[25041] +- New module `cyberarkpas` for CyberArk Privileged Access Security audit logs. {pull}24803[24803] *Heartbeat* diff --git a/filebeat/docs/fields.asciidoc b/filebeat/docs/fields.asciidoc index b082893d758..4476737e72a 100644 --- a/filebeat/docs/fields.asciidoc +++ b/filebeat/docs/fields.asciidoc @@ -30,6 +30,7 @@ grouped in the following categories: * <> * <> * <> +* <> * <> * <> * <> @@ -34079,6 +34080,268 @@ type: keyword -- +[[exported-fields-cyberarkpas]] +== CyberArk PAS fields + +cyberarkpas fields. + + + + +[float] +=== audit + +Cyberark Privileged Access Security Audit fields. + + + +*`cyberarkpas.audit.action`*:: ++ +-- +A description of the audit record. + +type: keyword + +-- + +*`cyberarkpas.audit.ca_properties`*:: ++ +-- +Account metadata. + +type: flattened + +-- + +*`cyberarkpas.audit.category`*:: ++ +-- +The category name (for category-related operations). + +type: keyword + +-- + +*`cyberarkpas.audit.desc`*:: ++ +-- +A static value that displays a description of the audit codes. + +type: keyword + +-- + +*`cyberarkpas.audit.extra_details`*:: ++ +-- +Specific extra details of the audit records. + +type: flattened + +-- + +*`cyberarkpas.audit.file`*:: ++ +-- +The name of the target file. + +type: keyword + +-- + +*`cyberarkpas.audit.gateway_station`*:: ++ +-- +The IP of the web application machine (PVWA). + +type: ip + +-- + +*`cyberarkpas.audit.hostname`*:: ++ +-- +The hostname, in upper case. + +type: keyword + +example: MY-COMPUTER + +-- + +*`cyberarkpas.audit.iso_timestamp`*:: ++ +-- +The timestamp, in ISO Timestamp format (RFC 3339). + +type: date + +example: 2013-06-25 10:47:19+00:00 + +-- + +*`cyberarkpas.audit.issuer`*:: ++ +-- +The Vault user who wrote the audit. This is usually the user who performed the operation. + +type: keyword + +-- + +*`cyberarkpas.audit.location`*:: ++ +-- +The target Location (for Location operations). + +type: keyword + +Field is not indexed. + +-- + +*`cyberarkpas.audit.message`*:: ++ +-- +A description of the audit records (same information as in the Desc field). + +type: keyword + +-- + +*`cyberarkpas.audit.message_id`*:: ++ +-- +The code ID of the audit records. + +type: keyword + +-- + +*`cyberarkpas.audit.product`*:: ++ +-- +A static value that represents the product. + +type: keyword + +-- + +*`cyberarkpas.audit.pvwa_details`*:: ++ +-- +Specific details of the PVWA audit records. + +type: flattened + +-- + +*`cyberarkpas.audit.raw`*:: ++ +-- +Raw XML for the original audit record. Only present when XSLT file has debugging enabled. + + +type: keyword + +Field is not indexed. + +-- + +*`cyberarkpas.audit.reason`*:: ++ +-- +The reason entered by the user. + +type: text + +-- + +*`cyberarkpas.audit.rfc5424`*:: ++ +-- +Whether the syslog format complies with RFC5424. + +type: boolean + +example: True + +-- + +*`cyberarkpas.audit.safe`*:: ++ +-- +The name of the target Safe. + +type: keyword + +-- + +*`cyberarkpas.audit.severity`*:: ++ +-- +The severity of the audit records. + +type: keyword + +-- + +*`cyberarkpas.audit.source_user`*:: ++ +-- +The name of the Vault user who performed the operation. + +type: keyword + +-- + +*`cyberarkpas.audit.station`*:: ++ +-- +The IP from where the operation was performed. For PVWA sessions, this will be the real client machine IP. + +type: ip + +-- + +*`cyberarkpas.audit.target_user`*:: ++ +-- +The name of the Vault user on which the operation was performed. + +type: keyword + +-- + +*`cyberarkpas.audit.timestamp`*:: ++ +-- +The timestamp, in MMM DD HH:MM:SS format. + +type: keyword + +example: Jun 25 10:47:19 + +-- + +*`cyberarkpas.audit.vendor`*:: ++ +-- +A static value that represents the vendor. + +type: keyword + +-- + +*`cyberarkpas.audit.version`*:: ++ +-- +A static value that represents the version of the Vault. + +type: keyword + +-- + [[exported-fields-cylance]] == CylanceProtect fields diff --git a/filebeat/docs/images/filebeat-cyberarkpas-overview.png b/filebeat/docs/images/filebeat-cyberarkpas-overview.png new file mode 100644 index 0000000000000000000000000000000000000000..768de758559ac5b7152ef42a5ad6cade07907cb9 GIT binary patch literal 569960 zcmaHT1z1(v*7l-AN(AY&KtQ@dLIgymySuwPC8hPyAt~J;os!ZbNF&|dv59|fJ?GwY z@44T#;vS6K9ECBBfT`cy`S5DsxN%9CXDfn1-AFf{vD2Myl-jj!+DyB#?1 zI(ktkUlH|j_vb|JlgQcKSZeHjuZ%nXDEI$ixjODVI!j^4043k!{Pa$W0WT|2nCYbjEECD>K7-Z+5n8 zuDRLz^Oa@8Q2+j-g(N)`{I>~mg~34B4h2t732y2McN$rH+ZVh~eWNPodB|So-6 znbP%6_Uuv|r74jw{N1~+`Gd_0E#^x^4x2xR=e@n)H!u|Xr0-IE>q0d1K>GdoF-Fv? zlgRIxa{FOs2kb}Db=)3gA|fLK;9biP%lB?C5H6ToHmM7~Xo(@e z)>3x$@MU#1%h~SklqPiN8U`bGBL1et0Il|62&rAT-tO-17gji8tf|FzJbQZ&emU&R zKQCX}y_(cO7;i4Y3+?PK^KL@@uI!qwQ!j{K1$*QfLwGWH+LB>wceMM|a_H0|2Jzc) zFLpwLs?P@d(U{nC?-gxK#uH?UB81ObDph)wZA{4UO*f;2%PT8i_UjHeJSHb`)2?7| zaM;X=&>vpOk}YE^IzT;6x6<^+xD~cYg33Q4$cUn*araQ7e7Js>z){!{(z413A$3ZN zER-26Ev-CYxZ?uL)ILv$1mBiQPxvO}=KWqM#}|$j z=U|`X`VXx4o81!{va>wb*F&}#^kqmiwa+HxNXUJ_hrO(vP5b5>dwicLe73Yk<#z|? zsInX9{3EHmfjfC57qCNyIPXrXw5p>3dQ>x&kRwFC#w#-K{U5gWlp#Kmf{S*!@U3x2#yh@6hM9b zy?$nTm~Z%-2~BtLUwH46Poc~uc)z_KG85T-XL^kN%)=fT(wROBX4*nLJUS6>=}Mg- zlRsN|N61MH*PfGKy1;?|+uY=>c7$>88+&aqs_P7lj2_UrDc8prjuc1>e#%Nkg}{Ge zB?4D{0!&oL$aPn3d$ZzweaLu5*N!kT?1rJD<*xIroTp%mk~A(k6z;CyXs{uq7C<9E zpR&{502xs~XPv}&JDwu<_4Sz@hqmIN=vroq*8;w@Z1|CA}i zZRnX^no%gtG3_#P&591c!Pw19Wt3dBl`!k25&pZ|z@5gjqX z80&3#xB&eyg<-U?-RM<5Hm9}xt%MI@6Y@~gjC^34s{LMX3G8l}BdOEYq~9?q=X~b8 z00Zl-RWA20KP>M86KtPLf3)}3gSoEx2P@Z#6=N+-=E!U8ve|`QY-QorsSri@5hXLS z)Byk9j=NRSNr`~_(FTU}?$FwpcUoJ?lZP8*zqOFqz-Y$*O;**#&FS=X(2Fd&=J&7F z89FpjhjTHvPB?$sc-0s0v0XZw&m0bR*P`nA263#Xc%Mw)W2Sadsp$M(h$s_pW(K%P-Y;cF?iFMNqYLgej+UeV?fXVlf4fAYt z(4&_ToGcb+uYi|t3Gxfl|5V}~8fLxs4Ts3&XxSZT&m1@j>6X{h-e&MSUQ_}fxCI=u z-S{sHJVB8X1NNG$UPcy5$2$-%b%JWYVi_aor_ImhzQ2RL;=zUbu z>fSyN52?{jW&8Kkl~}~>+3NKhsJ0tL2mWfsX&?|aKDuSPPAJj76DoX` zeLM6fr0%r-s+7+HD`P{8wDQrd`J{(;n`mEX^w@4IV`7A zu2lUr#buM6IC<8h!C$O;hreSCnH#cBt#R@OABfxxLEa`87Tu1&R6LfZb{Z0+#GDm@TX z$d)6&*&a|w=76<6Te)4>n2yscsDIN~f|#X9w>Erj<-RgI%>Sw}r?ViPINo*-hn1}& zQ2}uvfe=yL)J2=$9wm)gcu+&Zj01Q?lE&2hVk)jUV7HP#d*w(XXg%!xXLcVopu&TW zv3>!>e%;&5<2f6re-$X%?{$NKB;#=qJ$zi`+D)-jc~zjp@0iX(WM6#P%-FD@3^E!Z!rW_OZ-l zef-@!HN;;QwXv1q-2RT-U*;%bQ`hZy{Rx2|Sj6iLhJHj1imF>>utkYZx})b^f5_df z--U1^sUC3+ma!pV_nrFWqr~0dHgR z{+Y_IGfXH;Nw|p7T!9gN_i0!gQ25U9)OUr2>I?29=4S$(UGxo+doFEE&q-qcfLr9p zfFi_iDO3VLTg^{kr_oJJu^PMeUgIX6Nm2HmuW65{C#(-FxEP_?O|Iu2yIxnQA&Z1Yd_6Nktz%5kjvwE*UB9<` zN5$T|&a?J@af3uIE*A?krjnnlzJei48riDE(Pq zLSg)aflr4=2f{|9l0lKPXWU_3JL}7+m1+#vyJes7`Vt7g7sgPl%UzgRM{j@Dgy>f5 z77r1mh<==Mh@hNQoL>UK@k)F7$I?D~ErhI7cB$@AdyCkR&f|}mw_Evdo;#9UY^G!{ zYoBxYQ?DdMd;h^hxNl|>IKvgk7aMI>_AQCe@D`+_tx3AIG=1a_p;tfw+860qxbp=o^op#*OOHWqV>(l2b8X% z%>+gbSj0wW;ukkZF3R*sACukFq-U{#{`{dY2Zf}P#+!^f=Kq>54~TwDc7w85u)6{l%hYuODdfJ0kxv zBK-anh40ug#w!L|cD%Qzt4KevS#+(P0F2hzMWO1uuBe)EsqF(+jMe)r9g+~Q_MRDE z!Sey=0bT`3Hv?BdS z56#g2RMgGeC~5l#sZs;k6(j(Lv#5@;UtI>&F|IZU8zD`~Lv@ZfTwv8+Umiu=B*Z+dwqM7IJeKv*Z^2LKp9C!lyM1f6s7v*gLMm_ z=`wTdpF6Y_HJ+DGv~}d>j*ObULChg#C^!dUXO68$<{er`QcfJ@(vGm?ZMIAQ31^Cw zCZfH0W{>-n7Rm_Rb8WgtT_ZLxKSot}qNFvRLJp3kj~U%J1im6&U0}1*LIEsyh|WIL zOy>b}w(U&gM@h^2&&3h<;ncXcA85E6mEhgmHhQ0p4Wsem=pH4;EZJLt{g^xo*Ueu} zY9J~+{1C6$;8}P~^?WSM;=mDqFL|Ny!WZ<3M`vqV}-?;g||N zwB3lB#!Nb>G_t|E&#{8uV!Qa{As1K4&}MnLRj^^|KFrMx7L4-I7KBH=lj%;jlivuf zlFS_}KA%PSge8bhi*eeg{9`a|N|yYg#^dDKEyME1Mr~9KaBI}QdAop{0K$hv4_98_ z4>JUsoeHa4=~4FB4&LG+Z-x0JV zp`D74zfmkHI>0Cns1Ry8vCR#+ z)AIJ5LXtu{3gh{_-rd-OWUtl0{sZZ|$4fXFj0Ae^5%p^%i4S7E@0}PWd8mxuM$xhQ zsqb$cQTo+|xIYj@=U+jm4WRplI7USCWleBQ_aK`1_AHsM+-=TF-QUuW*jeEFfG~+` z(^brW29n^Yh3@W&JtoAsB9)n~Q)hchx`91=M^b;_%sQw90$!N6v_!TOdlg&xwG(@{ zvc>^L+aorlxfFPhO%QjtQVBwb9Rc@#gCIONziwXBHS2EG&j^9I{mr}O?!8vlj82ra zhMjmpGCnf+7^egS+cJ?K7WQlEuyA)H&*1tDd~I7GX%#lvLU8rZ4;&;VmHPHa$1g?5 zk^YSH{)qh`iUM2%K|Hmt@p#|SzBF87d zBef@Z1I1-q*N+V<61s4OS+9@Ez3A$eB{TFS{-)YC+n%a*tv$}RjbuU%g%xHA8xnPC#r2q&hD0@I|(aZK@%MuU%wWJT%2P#m2^$Q zG}};3Ez!OO0v8>X)5okniDnVw-04sCS`kZa4R}X@LsWlJ0|~nD_@Ys5v9e}sw2OAu zK$Ql(n+N-}Sc7vau*WFaE*xopas4v~@a$XwA*92SKWjH>8YVp+SBdz|B^87hmhWSf zSE!h8qwEjkApD=R@yz!IYoIMScwIa`qQJ6FEz?6d6XgGiFD@|eK{R-K>qkziO9R{k zJkt{IdMPr3`)BqO!W#32q1c3m{y0ymAYG}TBTI;_!iuEsPE4I--?hCRr)Jd%z#z4* zu6suZe!#Q!rPSZ0iy@(lndc5uMhTgrTz&5jo$Njp75a3HSjyf*dGF#z+jf2M^m<=e zLycql;_Bw%)lhTE=k7(E%=kQq2`cLfW#^3~+YrBL zoEsI=qND+QP1ePMbgP&CHfxdW&okS7%0qzvJcno&4Mae#vrRSb!l9q~zVLE~4pDil@OLq*(V4Ad?}Z!GDN%v45)DbEGNs?Hm}uR-m|*yf`ufDw=o z^hVH>rYNh2=<|NOTTV?&TQG~7b)LQE7M88*Zp!HUj@jbrC@)5en`k9%Jw+J7jKs{f zYwKsP@5v)=ZW;oL=_Y4~|o z3A8m$u0S^#Tx|mwl+Q;Puf&^m4g|_z3+=01$(7Z5%OtiQoh7E+*?}eZLWE<~!pA*r zsk=r-z0TlRN(&FZ;v)*b`8J8#T5OK#XC+p+(YCdtqoI{2OXAYXN#buO0oy{U?N-O> zPBy6cD{@4Jgl;9Ga9<5z<>ph~=UtSvcynXiZgfXfs6)~AYBc-c=;U5+d0=GrM~v~s1*@dGbRA7(SJ>QyR?+gNZu99>E7Md$=pqzP6fp{={Vm@mu$V3}Wnv+1*4> zjFOL%xS`DytJ3#3x*q|$!or?Q?-wh1;`blIf4=t2dWS|4==;hWPwZS6pInFaX{m)V zq%ed)1Du-BCqX!S0ZZ}5s(c0fkcG-KPA6|NkfOFzJslp@X0GR>1|kAV5Uz(A*?ND{ zt)e$ga{dufiy(-7Dj^Q`-M*$7--$fpcx0>7gbExg+_*(&D>~4Bk;xgO|8a+oM!)qS zw_hJV+@D$UJ6^WmW;wFr$>B=k_C}LT;0~OU1n=fHIKR#>-UplW(C(Ki0cBco4I>Hw zH18Z>VS$PjUI6y@rAy>X0FB76R|(-#f5`l8J@D&(y*8fzc5(18f4v;<{}u(Vq`zLg zcYg~3x4~a8^4q@|y1$0_AB6Zr0v~G!cT#Hy`^*0%)4zIIJFq!;ww6#)XU%#y`+3K& z!P$s^zbvIZb5@ULcjKeq;yy8M3$&VX&zMT$A1ZQZ0?aiA$i;jQlN$fdhQG`0U#B{8 z3yc_)LFeUZMnWSB)cwcLI~(B`_N16!#`<@efUvV3}ox29ji*u~oqC{zItj zd!i*{ZEOpCoS&whk7VMhsTEu?QgBw&$2N-uBLC+c!CECjN;z!>U(jgsM!4O$CGJIm zS%8q~Kh_IleLj{$eZ~3y#+^J3UI(}99=8j`jY(6y1)mL+ZQbbqvAUMe+!`qo)fgV5 zXJrPpva{g^;DS#W&le4p6&HRialiUw;r?r$+pjm$SEKCi-b6b$%QWyoaYzeM^Nfsz(KPi%~}JbOssjddyi9RYKYdvmQ#{~vo!SBzAR#qh7^^a@gR{%VPVPiaJ0}2W~FU!Z>I4}#HvbQ@ZwHdM- zih6R+WaA)V+?{C688W6~*YjEoJLo?)FJ9{Xi464eWA9s$bdix-GBIqF!5%Xi*-XbH zW{HCr=+E;ct~FAge5`~dcx(w!ql3BABt$%3pi}VmSdMxXE=x>`8faY2ESxlSopTd; z7k126^SE9v(cYoCm;Ph&2FXP*=dK}sEJllXT=8?dDE&QV$}p@mGHeRI)<)QbOeZCW zc*)q}dsc*Dqdp-~Q7SWY^Yk#mkXbhCNe&9#S-P0X9etC21x3aAz65p=(cR93iglWj zT$AscOd1VgnZdM0?7V3i8Mr-XnUZdi!^Yoj4x&9z*DcOeDFtmw0z^BEQj?PHzHb;S zYiUKu=L|kzrMo3|PhLhwhQ=z1*OT+I(*r$EBEovqvYe-QVF8y+zz$PzH@qWL>8#dT z3gk?><$BasKO45!(*I`s!$S7eX^5n9J6s1>c|lH%*VSQ9xV`FcL+@iXed7-;7u{n{ zVl(WpoU&K-E=sue+SY?yG|Vop%v{VktppjIzpZIWeCFkkFvQm}+S(m=TEVds&zGno z)i$@}v229Gc;ozvD{$Yt)!*fBm13_&Zn%6E01otB*zd`je0D1+xta2P>_K3U56P$$ z3&qjCarhYXZEMjqycA-OijaY%Ftoy2((ck2F}~1|xsB-eg4s}s25d=ErJy~U*4@A# zo6XfVS3aybZ-pK(oOlgJwMWa}#zYq~RE*hvg7j_u= zm4=8)HS%n!R4lMw_0GGQxw%Ag31s4NMP=p^txf6`BHcZ80do@%YMf^5$}phjj!q6< z0m3n%8i(_cncd@c5flT)oxx`Yp%c|N@42g{oOdRV6Th^1F!$+4YYtW(sXop23ZI-* z+jr&Rab2j=WN|0mUY$Iio!{X6JmeJ?DqdOFXM~VDw#j1s<&T%J{R1=`7t;ntI;R3K_cnx;_{1N?^;$QShf&N1_Po&CA~~^Bb41?Y{*xJ$syf^#a^%AlVITz8O=OtWtxJl9m&z#bV;)hQ|_P>v~?5jo7M8Btr9*<9C5a>En zGw(I+MM;ynHeAYupnFbQLSw3El5_~tGYr09#^!$hKy1!r%TG$ijgW__8K1zoPP~L% z!SG@c{uAZ}7{8#EcVGF7M;Jz&ZDMs~1K@G%?yd$Ot7Z1fh# zdBKq80r%v{81w4;%rwYda#CF8saV4wFrF)_;_s~Dsd+|JA~IjwJfz_7!CzilLV(yw zunrDW5uYc~L-!)HUeHB7n$KOHjsHVl3cPRgoV!gXM?JUFKlN_934@i;`IVs^o@zYG z7;}*(6p^$SqvBhnN@_J`o+uA>Qc8(PNl}0+7lwn;!HNFXKj{Rl#oIY;$sTzMT79OJ zE-71ZJUUWEkV@gjNCl$Kz2eKH(nIt&bR26qPKdA)zA|&c7YN)pX`WAy5SVFE!ZDuPg9#D8)1k~Q)V_c9 z_&u_ezd@(Ls|J3|W~W{3*WcfAszT^!s#SM}eF;OG2m0N8m(4l#)%Nrxu(ZNrHXq8! z%9@sY+KyMp6EqOn6Bc!rz!p0!zhJc9t#ZN`wT@^%nh-D3=~jD8Dfq~W5WQt-(U`^j z8eJl_5pUMw5<#>hi(3E98-9ie^Yxza8kh6L?vwEv?Qe5NKmVgiP9P3#Ha9z{Xb?wEW^zvDxz=k4uRF;|@cmRQ)2T!J+$7qUP&% z{oFbS!7@I+5k`x8^{$@KS369K6~Fydi5Jsf+QLsfUnTf}53MZ^e#Tepyw234;#q!- zC*Rx&4#-Gckti2y5mv7syIm61A}vyT1Y9HWG4F@wEm$-Q_aGlp&LM#Pg&&)*cwW)9 z_hA)YYS^Efe-zbKE!G8`|6-8kGaJTjP&)2R3~SEMM+aKeIejh;jS%_(pUnLIRNrHX zhh(;J%0NybCN{s+$dbFk1M$~!Qi=zRi)vb0cbHNki_q!dgfAH1ynTYsyrfg{;c;a$ zjE9K3owV3WIGrnTAi?Vz7tHd|>E=P$jREcj_FfB!HsRD=D>ub)`FO zC-Jd$5XRtw*fqD=-fQxWoORi+AWVsJq5rXUZenF;N2x#mz4B}K za-;IU;bnGXhZ4e>t_umCdr1=CiP|exFK$bfho5Ot=DwJp+o&b`DjSgnIvmrIHN;w% zUu|9`xHJ}H!gShHZHfC9t3&tVCdBqFdps|JwOq3w-ZnFHq@f>cVLHIQW`)sQlX>8! zc4&xZWnW{sn@=6P&6U{Wma%Y+tJf+uyenF=l3&KV z&uHf8Rt6=z-^cj=Be2YiC?(MTRJ?sPPSJe7d*JCAh*%ALSIj@vY+um3`Ri*sEph(5 zE%}8qyCYQG6n*tFQYg^=IxQEMi8u2R(|lImet7I<;g9wGp0KtvWX$EsD>7+mP(PjLQp%AByt{SHOcn#ASHp1k)AU`jbQe5 zSxhKqBtzm%HmIGO659J%<$n>yNx7yHMp zF$=iCv`+>ef`bowNARQm3y27uswnc|2FmEL@l1>@a!=(x3YPIU)(l$Sa(@6J%J zvUi=~0YTo6P`@{_-e$ppcju?O54a4O>2}+RX0zVP^zs7t76W8$C@88}dF;&qXmFdM zg_!p}OEijkB=|lc$lBPFBZB}P-)uuWjT+&jK;5;I>cs(AxY;jEPx|4X;g(;3WtheM z%sRe{rtf33Nb+myXpg5GM*iWzum~9L+^dd@i(72%=smmaH3fsif1O$NR=r##M1R^b zQbKAuZ07j2yIa`S7OkhZ7sP6uy?w$3CtWAqr4vo){y=P0&ywDkM={+j{3eW0T3y}C zhSQn8ITWJp8)9H>aKMq~bt_AOI;gLMJk^^A>vYE$391s^@mHW0lRL2WAf*6~$4X9s z{Pinb?M(q2WZ<#_l?vEsA@8507{DiWha`M6BfYt0x>G?A!rjc0iU?Uve+8F!9h6qS zl5V~Y&IzB-t}uGyK>&ZxfHNhrb7f4Xjxx8-W*TU2ILH)UHB+C;FyM|gT02>4jJ`8h4^F2G3@tBi=y zbYmPtQ%-4np^RD868|05YnFedaT2fyP^X+OEMSz6Rw47QA96BBnY(I52iU|x+llNc z?#>)Q58n(!)#FCTxh ziKSrb5Dy|On5omMIV{rIU=CQc(@a}Y)}h-gR)g7bEziL-HMSHEZnhI=kJ2y9>NbiQ z^RX{mISvnw+V(;l{DJf!OO@=|8s)vNQi3MsuQ`m-WWZLO=1{!IkXc}=h+GJrQD!l) zuX7G86^XdLf252)-UFHhbAMm^-0&b`ead`{|&2r$PrkH>lmY zIF@x#9{^OqQj!In5dgu|-8Hzd(}=oo0zh%s=MpTow>>>QaGQ@$Jq?|b{@Cc_`=U)@ zc@9NarcdMXKo2dg>;qtV&E(8|t+?ndYw;H_FUb&e54{ETrDzM+?6ptcmrzL~R zpOv5Vi34vDA+5PQ8ZFoDK}5|kk8&}jL;z{%B4InYR)KP;_8Ud!rLZZGdq@`sV5 zi~A15^I(HB2UGB&TqY=d7vl-ud)LU+`v6b^(_6UnWAGu~fUK-+naj1tOdx0CF?FBZ zhzYyi+sA!2NE;Y=z_O@I?x8<7yp%1Y!H=D{Aeukq_N2zb$B(IT+rE{J+8+RfyTA&h zdK|~dg{P=oGUFqa;}^PlzXqF3w>%Y~kdWnUaEe$;=Dz;Y9R*^|f-3aq^Y-k{*e^dy zJ)yvWB$8NA@30pQu2@BOnk0;r^%Zg*{br=p(e(1cT=(sore0R{jS^dmr?v zSJi1COU)cD0R$UIQgmp%?C{C{w7>NvotG3+kV_IjVQe|ToAj~n^f&*`-m|Yj!d^e{ zrX|%cGNct3^B$I3J`^SePm1y4Tt-Ze#}iUQLr56jJT(W(xv$!%xPP9rLm*Ulfwx1T z@Xl~xqs|T$0@)tW(1(YwugnZW8pk?Vhew^#@irSbqH8=wTgibX^F4JhtM+$QQ9!G% zLoDgV6Gp4MvbZu+X;pDAF4R6Zg-wWoEaPhr7uhUGO{m#wI8(m{g2deFbAqJ zZ}2y#Ui!vhTi-j$re`{t*fkrA-V)1r<8y(yH~2;D0c_=SFb`^Z`)VWKjLZTE+#Ov4 zc~3R_@qJ$K_T#2~%m4%g^6OcF_pfG6hf(IX>nDIBe+idpvnDcJ#vgZPMu212!#EE= zU{xUJ#7%7m5Eq0ko%!#M7-C1QjNTzp?Yh%0dJ&+iI{s70-_iR@>PZ zd59xSj_XNe|fghBuTf^=6H zXx%Z_>?EIHD}700^Omq=_$`n>MHz|)Aj;5WKy9p_UdTS4Zf3OUq2E_|dEtc#BFR#8 z)WW%XjY(}c>}Qj`a`Knhk5_jmCa{OReNaKNq&NQS*FZo5v3E6^JooB*4^-aC&Qp5t1P_u!R90P!-!Pr21;Q8{zo|HXU;XixgfE)dtuiq)of-We>%=_*-JUk_gD1Cv;A<=`4M zHVpKoU1`wu6)Td8j6ba1i>wR#Ss*pPydDIs(so@o@9bi4#A5##wRlB1L#EYmn|S{c zbKHdHLC%D1XQhEwiWkvh2AhQd2thDFpxBzqJg^He?kYmBAXX%W~s8vny?JAz;M+?(fN+hhWXq&l2a4v z>?DV)@nFSi^zyC32cFarGS*1 zU*NrcPXI$?V_!bp=nxG>$5r%-QmfT2+7=Z%^t4Z2;;L?F|5IwS!3jkO1QNHJ4sVJ3 zWXf&CrY~+`AL1C-yf!@U)k_TBb1hVrG~Zjwt03sYsWZsxxH7Bc zMIOBKRza!RBCiNhM#aqGFt$_hu(hz?^24*ulac@sIzZb;fXW%#DRS5|7truPnsNxt zvBG5l;hku@4S8acZ30N6iZ>OwQ$V)&zP3gm&R9_E^jQf{(DtcWz9EVA{14y1_=!i{ z=MA1D6NHeKtKr9Vs&Q`@ZPZZ-ks?k>e~P%xqH0RIx4%h>#@^o@5z%M$ln|h>^vC9F zt!;8iQvq@ohrt%MsazD#sv!0OW%uIXE(@zd(Pfe-#65u6?#t55H?ZS-eTbW*bgY#{ zFu8P_Pp&WIA6~n(cy@T3iIrbDMWmW4&!~F4`2gA0@ic_JX%wE2z4WlY;8)(*ez70l zugTUM0g~h**GtQE$fD=~yVM#@COr&)2cJ%)V7TJ98qRep26nC7s+<7+=yHWo4GZE< zbif5}v&OyodO?%$I#Z>|v{Fr@F@=heOEq6kzo$?J&La3+q3Bp>cnVR|3nj+ey&+q@ z=>I?si*H^c?Ne`fIjy}Gf_2;_lV7e1F=|&33)#m7i(*3b8g&CZh%+O~x1>5wBDueSDAP34VD#G8LF>Y9*hUitRNI*!)kxE6< zsfP;TUt~I;T3t!{KBc3ZU*{NQ-rO_0DioflaBICn4H#VZI`MnSc1cG^XUn+lJ7GS` z-CFsGe$i|vCA9Ut%IPCw;NTD(%eDUm3$wKq1d^nM!Z-5*8Is{L7ayN_CoEI`yPDyU z1{!PKOLzlr*qXfzi!iXolN6!+0yEnkui&#yw$l*c>B=6?N4R)DUtA`k1RB~sKjosK zW?9vz8s~uxyb~8iK}Q#QFNa>RiMhKvEi_yqz6Ww%ZX1r-C0pI#L7>c*1U>KfT2Y6vcu3M7Cm zFLhdstZ`fw&|Ac9p9lrvKYv4Qy2s1xnCFFB9cX9_b9D>v_^EvoygY4kGnh8KE)koY z41BBCc$F}{us`fp@$4S?C)T#c?K`yh+7Yev&rWj-3*j&wq|>jYc!Fp37D*To==vH+ z)?sDcw#2LJ6^OP8Js{_9NvxdTJ3zbJWu?)lQR}8jX1}*}H|h#B(}Codl+)@9DCEHX zH^bQniJPrKJ4MWta z;YwvDE&cTA^U!sn=V)trQtK6I_@h1<34SkhfY{o;Y0d#(*g+D z=jbSOVbf?((;tAU4%IC6CN74FfI(FNhK%+Q_iY=smA5};RYislv^YPZ zNZTy*H^TQRz}*GlKu;gkO!$-*4`-Bt?&Bos)>zMwrqiCaeRk>Ne;+V16#%Ec0NkJ{ z7)@lb2ZfZqAk+Ob5Z^^|mhYb{JHBsiYjVJ>iwYfuy!TpFfuQd^9&QfmzmllWKlU;XQY--sc&_rtipMM)vd90hK zA{x4~ZxHnXE49xPk`P*Iv#u6J_1t+kye(QaeZl@kY?0p^%bEuTjVN=#k~+qu0TDfB z6@UHQa-0mUqfZoWV&Kg2TI19jhQk$d+XOk?JUMkBTl-~$_OvmuQBKchBrqWWt5!!E zi+oQR+ZK)K)N=@*dm_|;s*H?^0%nm?Cd5E-YHS-zq(fuVs#FvNf_)jE>fLfOwW4`cjd;Z;7D<4r`ovo668QpT zhm4K1G2I;#saW=cFa*F8Ssn-+63`178ZP=O(xeY0b7<=6E)dGYLxOI>Xy`5%Aei|$ z>t0rXPRQkqQcabMq3Lt=yXDh1*GyajH$%@(;3V~GW0~HAm}rmbB_5Dz&pjF(S^y7z zg!=*WZD-2noJ_48RI7=bk9}teNTCK-QV=SJ{Z_bDv z_vXGlNQ`0;PfOasvX7$`aA#7q5eQaW#E!#Y-K*7v|$271e5=5smwiRP&Ww6$k zfKkoLDH&_9x@Z$GSNqOrO`67MZg@st2E$h6$Nm>(1R4sOfZ>QgHQ)adSOHKnoVjWG znL1JE4j~4rsskN%(L+#?%lnel zyE%9ch*=%Qg&9J}acWuRA9`!f>n?_Y=`~xdqQUSfS0R%Ivh9l{81*3NQ%+Xl1kWE; zjqX>2yb16*Kjtn}eHaw45kNu+C$vC4G(5KevpKFWj3e4}CXT!dI0X371rD!p0&#l#+En@5iV53>FWz1t%IvvkAA8e&i^jvp z7tS0~nJ)few!f9Ie27A1v_U-BiYuqC9@-Uo*l%@DPEpaYTq7rI?brG6Z zk{c1gkRq=;%gf6&43!!UvC0Z*4bzvC>*Q3x&AROE$z~2}(sXZuE@1#%BzB6%lSf8J zLn;E)*1}D)&LA2nwnC{^hWO1rBQZ5~tc4A7y!1EvH~x>Hugc1qg_8$M1*4e1dKt!fD#bKlPvVV5?tcd>Eq=5l0YzNc1Y@gvcyng4&SVAu73mQw3G_Lsv&;DKM z`AZ2B?-BTH3j#S^CSm{l+Eg0{y#XPo1g8#it%-c_SKT;@ikZ8E7 z_=Cwxxvx3PF_OHJ*j75=6T%bb%|c}OxA`Pk4!n&Ws}+!g&i|HoX!H2nh*>&aNqa#3 z;NFn)`q^N>Yv8v=0Vy{$NI|lb{@PCf8z?#;vVYh@IJ?Hh4 zZQAPyxtcjEd!^3AaF&Dg>1S`J*^YeoF__J8k*Sjm`h&akku@@=`P%mP^07VWiv z>Ho2Sy75(nKmdvVwN04AC;!(Zfx44gDiAO8w&&%4uRt5K#8l|g#dg=PPQZV4`hf0w-to2jX-iv!vCDhd$o(8C#=rXfe*Nar@Vnm8{mHhpgnyr@nFvLcE;^U) zK5a>%P;echDAh6zySy{$t8Y@?*`Ex(xK?m>;=?-_y$T3I5n1VaPW(lhu?D z?b%RMP#hbzWEWX@NByr}fVY2kBL4n0Ng|x8tf&b;w`{kdc<4n&-VY)90^#tNp(Nq+ z&EdopPySj5`0tFWG~3i1Hdl@Bduab5{)pF~kJJ8j_Wx*we;j3fnWLF<#KmDNLEq47x7#2^rfE3XWl>8B7?JgX!hgh zBf|IOSMJnekzfaSpO|}JkD7eW&HeryM15~*!RcEePt9HjY|s@{Kt%*T93%`kdN2Q4 zE6!y;#uQ8;M{_FM$d_EFlJjXaAWc%wLV?h`FK4_uM7zjeq0ZozL5U)GJ{uC#7 z8QAb8H+WF%5OnpqmO-C=yjdRod8HW-Jwz@DI&n8VR3IlUP_Lf*pDX@9rW~F`NdrN7 zlSORq_f~>tF%KDqiBGFHo5>=V`mghYSIOHNYUs&o5+ldMo~$)(xfD?Bf->C~Z-zJP zE+})>afhXA-x%ugq7|PV1^NCM(7CaBX-N)uObNWmLk>9(9%KuMXBY@egm=Tm5Vb(gdtv zQ;iE>xAmp!cztB_Vvg3=RVT))hs9crLu>n+T;+H18&QK_cgZSh4nJHy@j7{Q+2Abb zb;WQ8n_^ku^n7&0>;vfhcv#(apLQ8}#1LQUR9RIqJSt~Ucj`p*l@vc3&LvfsG5b$HNn^Or0 zV&-gKuvUp}cb*@{rRV+NG;OXbCUjIq`9n_XzMVTJc$}NH-rK#HM_dqzK~laz^zwuL z*KSXGf!LeEyI^<{TAI(7uyvv3p_hZrt}qI~c4{;@bZlLNMM`@qZ|>y1QI7s8g*)7G z%6Yy$ufnJ#J^Ok~3&;lY@-QUS$hoqB+1~z-rw1W)$$Xx7X05}05B69TlqP0Vx$B@y zgH?Qxu-<=s?DT+otKp#)>bFl<+pl_s+DshXGzR6{U_qgh6xt&^!&j9e=_dW4yBG3F zpUrXx&)@(Oe(9T}Y@0Slq~z5yZyl(G1)xSGY5v<9czp$Lk-r@q4P7WH;81I*TtEg@ zUa$J(Ahn`9(uzOMfC9p6)d_Mp9YgV7#i?O`c)Q>6PVoG!x@fYFxL5h!AZj<_G5RJO z#KcGQ#r#3{opa2ss}$3@yVjt$Y}Kwuio$sndxgbIN*aKiVn09_f^I-OkP7J*aK-bj<}||Ew?P#KG#Y)dU3QB)0sr%AXrStXHq#`1xj4nS zmM@P~z(AlGsI|lK?n{_=AXTr@Bd*=x{;?YpcX(m`LHbh(iktZ^axn9nU<(pB1V#)s zjBi|ZntkhHtNpu6j*KVq`_`dmW?sjb{R==Oc9{1Jo71P@<0Z^!=e-FBeQgP3V{^I! z)S?wdr-iwNodzBB`;}lYAhueTf_eTqMjWVIE{@GE^jSp$?E{sT<)>qnYcPRs?^~eA z0&mru&Bg4ma~0zYYCTV3wdBk1QJQysSof@B6%!Xegrg z4>O&w{lUgPNY@QNp^E7SH$;m68T5C8zFzzi!+AcpbL6z#n$Hu0_2RKboae-U)Yd%O zz7&mGjeoY=K}EOE<_HoUaCdEdFI6uStiH;k%z;ksuU}>7TYh-dc)Ck@Oq*|_z}=Aa z#+#NE0v}~N#c}%w*k#1hHf+sgP}Jk?&JH|D4S4cJ ze4kM-%gga9wn#FyKmR@qaGx0wX}Sn&O+$MfG}0J^1T)De^fJ%)2BUbWFdbm0W& z`DP%h(E;6DATSrb&(V|0W_pte_$ufC7H=fbw&+k4%EUsn6i@Opokm# zyOgdGFLhb+spniEU@K%fJUrbycjp`cV>`*2-N2BV`_DeMq3u0ODYf0a(NTk_zXK_W9P6# zIx9OR(QU((&VDoR^^9G^u}02HEgMI(aYEu$wOjTs^Q7HSZdl@b6U+b>5=`Iv2O?M@ zxWTX{(Qw;PSjhb}A9VEcIvwglFE52aMsOhepQO)Tj=-P|<$dLe|r7rpy_c!|x{S zn*(>>u`IBdj86O_*hIAE- zs1?rE%xsP+v?fkBOuaY2NK90pUll}nkbdaysX-#SVs-kyA`98)9+F@3&k}z=PhyCI z*W<;Obr)pw)3;-foaN<_L1?IS;F}`Ri*WkL-s2S))iOIQFcYW_RaT!YN1Ho+iRS9H z`Ee^*HkJ~Xm(tyvFYNNNzQ*n9R@L@6Mr9{9m~1HD-1%bKJ)pyBs+$wK)ZIm>ceFd2 zo4?mysP@Dy@n@5~iL->;BN}exD1q~7(`TV-P3Uc6x87;FiFO#uN|@(>s=mUQwe^vj1mrYDL2NFw|v2~ z%dDSrEg^0PQ*?m|?KvkNKUOH(!2I@E+_>^-D77=uuje2E-Wk%-A%&#)T}TDy_f&@kC!w=kCi$EC(Kg ztRaKWai2&QW39)&IRQ>jA&pWKT1Kj@cg>F5JQnE-9NdW~BloUl! zq?<(}B`uPRM!Kb?_BBtxd+%T0zkM9vI(!~wSTl3SbzgCw=RK2^%@A9-@Q4|ilOiYi zy`Z|iqfSk~)EZ$;e{ylim4v6D$F}&AzH+qIYJM`AmTyHimV~|hQNd6hM!C@Fhnyon z8}WP6tC55S_3iw9>-jc`x3o`*SfBdFE=yOGV%VJRf3-bBVM{Ic7-iI*^O)Vo1Gl=& z{lF%^+Omq;4N<^pmI8U*R${KCeE4T>T? z`=r~|`D1W^8!@0`4XIMrGOQ^49wxw@ayf$U+O@LrT(QIp-zq9!zFEwVH!Sxe*dcOV zOt|224@uU|+{8!?++51@+{--Y6#?~3XU$W5p{TM2wG3x#3-{S_CXPF{-Th zhwPB7B@_f#M%|&YV6Fb8qD;VBS>~Y@d#UC*r)!>9pmUTmxaG!q<}>FAO}^}%ABaaZMoi_E`#JAT4p;Ag4^V4p z^ooBt$E0y{YTupv&onx@T9p)ut|+#rb!hV{u9*#39@TX`9w#fdWW?uDGf_u!!|o2! zH{`ss9@jU31d%$wU1cS*`=&-WIyhN+jt7;Kfj!{H@yrYLDx_A6Y=C3+e1{@8kd zv`e_q8*Vr^dj4lIdEHb7c8J*L+ggHjhF>Swsnagy3<-8B9rPp=`XtJQn|ncl21}cs z;zoXn>rK;om6k^~m!$lXMydV$`SOqQa`j6pjpcotGqS-g-|bbHkWwKua^48F4PbO0 zyybOpJlm$h2;1=U=ZRu+nW&RLQwfwh`vy5MYb8v=T|);sY*{q6_sqe_90y_xu-`K+ zPFY{l4p*q+9;r70@Bf^Qx$i!%Jz=+C<{9{8&;HC;NjOnNyJl~l`F5J!gPOU5*dfaO z`Jlzso40icqV9ym#o=QctZ_N?aPKnNDT4w$rHM0Y$F`<_(ghB`LR~@eYNP|_1!h>j zim^^xvMdBuv!@&dG1ez9*V1v=f7kY?bcq~VDgRAL@aPeliO6jNrTdSE>r{13z-Lt4 zrs2aBNM6|KnvL0;by_XLy7YYPnizdI!RBs)9SHj-4AF<~isHM{O^IJ?%XhaM5#Hdy zxnFt~cqT2Mon6BFOUxvgf1v3v+9}}rt!EAuG@<0mD@Gbh)=n7*YCJ>jglhj^xCd(2s9Yohr1nF_NPBy-&3_N#ZhO!8w&Iey3w$0SYniwUS!nL_wMy+}UKtfG`{w*@b;e6Yy?-GS$zlz5bX>uvDPA&%H00*H zMsWHsn2Yj9ax(2nlXI%OiTI7~aZ;k6$ zh8F#7y+Ki#dz4dchaa2GE>Ycn3M1zs$yH0r5(%cP_G(sO0pRU30#L8Y0 zB8#6cIJn@M7#EyZc40$YoS5q3Ldfj4ic%-8Fh1O@u07)tE`?bT(SB%C6fWV4m-O9H z=)(CU1_7%>c3pym%Q=NDgL*4z{%Q**?(M7Zc7~#2l8a?GN0zE0=M*vU}ch?D==In?fG< ze1;5SGYfa&B1t{l?`FKtarOJ|a!=kZ*0A%JUJOU5SG@Gp@AFqJ5&Imm(;4qdBomxy zG_+Q6CofkfMp|Sw(P@1p*9(v4@Oi0k)F#K^Qbvuu*#9tj|C;%Wjx;e`xjzk3e_Dq6 zj~oNh=z5sXOu2rq!g;21<6QXYaW(-A#X#GY;&Y2avcu7K^a!1He$cL`m^nW3mZir` z{)ms~M%`pYTOXU(5^D3&QPVUWV`tRX0`gA)pFI2-}!x}Dj@{j8jXJH z?CA7rE9DeZtItTYu`f60VU6>~P9NAR2X{^1Dq|p1C9NI)foPO;OfDUUwL3K2Ch6;1 zQIEi~BRuq}%h7t%?qmsczd2qAxz0YhsiPGDZr8+8o7`7+mxia{7P&wgA#J-&%@GUq zK%`tezi(6mvCoax3GHPmt-EzOk^!ql4JbbGhMeCu6bG2GFP$QX-Qr1mQBFMM`|8>~Qj^ZI&z z#t$Yr7ICMRrJOC*FKhHXc)l5tscj075JJnw$0N}h2OF^-$ZekQ&6iF#U%y1 zcf2mVcz1XaXj)8LV4*e~E) zeZH~rTR^pW*<$_FEdw>|lRSEXiG{l6YbCFPD4%Y4YHN3od(_avlmxG>_Ly`&cx}Xg z;ef2I!T8cu^Mq}kFdAfPO`{bsnD_dL<@Gpx1nh&%Jo4#X}Z9<=Q_ z6nO5(50oEm5yn$bp+1cqCmPO_puF&m&#{8>Ry zF1ZvH%niJ|X|-rnJ0yG}0l#XDlfZs^I`YLm)o6|TBL~rVCTg~qiU_J8kzAazjrxN;M@>seTvix}%9!x-)+0e3bD zDZ0Ip!=z?GKjxwZ4>L!;kS-WCMqdDfcNjI%tVlECXt>##XI$Me@ zg-PhzRP}&s=hz!ApY}0Knqok}c2l~BD+;BFd{mgV!@5g0FKU3rP; zQgm)j*xY>bv9(3m<;&BqZ+gGSE}m_o;|&ddl6Xjn6-{ALB`R8W8(fMf<^;b#-q@*i zw$wOyTUA#&q4tE`FY2V@-i?c!+0iP48G}`#&RR8YU=XrjG%ZOmJ zz*A8OBsTW+4w-$6!dY_J72#VP0uy>h1q`+)5XtMg47u8*2y1|#XU`9bZTu>5ux5Li z2G2*L=0(!x+vqPq9w0WB$mM=mx1cg`BQ8kws%8^GDqd_S*VuT92>SD_HdX^=Y)}_{ z#EVCK$0MwtRNt#F**-6RJodT(_78CToUzn(O_PIq$((LOkc?sF=;AjRg& zlTl8b87)?GM%u_gp=756gJ<=M_>FYJLu_Q=deB9H5Z;1jhWZ zccP`M@J^Z2mFOf>O~qHuTj{H;&mafw8!9y03I|8WVX(UXHnwPqPT?L84NaE#V(65b zvyBX-W$}_LYnFa|fi)i&cd^|E)&y06F`$L4VP2E%wjvJ624`L)gz$QAGeF)nJwda` zMla2Gg5B%HLig^fQ<*q%>D5TCn(KDaW1lJdzO^+40Mdc2AUJ2)`>tm@X!wCjxEA-! z=31f;tn|SO0l-C;_U!C`{cyu>jY-{oKBJt*@_scsGq93%x+(U801fJ`i-@330e4Vr zV_~j*73x%U2`mXUCz~x|Zep;kQCky-2S;3{sZ!4TDp-%TE!y3(5(`>;%faPT(KQ^} zwyuPTFLtoTxeL)JO7(t=#YhvT+4y`UbWw6lH}=}BBpE&E4NiY7@GF-UXVQ*C><8Oe zkg8h$F#hH|RvPV9NRB;zYvJ8gVMdUR#g9b-$oe|>7p!s1tAA|zOG*Z7beC;l$ss?t zv4X>FbCaFwH?}dbydPo}2E(ljIC0NYq)--IHz!S*3}5sjjl}S&l8=2N^eM7AeNyN3 z&P-FYzzx?Bm6wmYWsxtRtf;pV)r)S1ww}*P0IvBs; zRWC$7gEBQ>e-C-$qk~#Dc(KI0e4(uR^fZUpe6ErHXqMVXYfqS z979M#3YP}}D{~@6yd~{Vz*GVXwz92EBx>6~>y&oc&X-I-tX7*Y`t=01Z{vZrONBQF zM>LulEQbfYd=tef?RA%RHNDHk51cZCn3pi>S#I7WgM*)PF$H5E@hTC<(#TfKmqTcE*dwn!H~ z0=FI4vf)Aq)X$ma7$NZiY-OO_^?v1$z&ZL;0b;n%X~pEwcu+%K^{O^pI2cRiS2*ME z&v#j7{;uRI3%w+Pvr1KJm|~q54l<^rO>q)n<)z86nX( z-A^1S=XxUGJUzBG1>t1Cbb@iP1}dy|+x(FY??VEBXsVjDreDUoGS7=GX4@Xp+sN&x zFhNc;@8mYjA^^Dub#t>oafsVdI{g4|KK?ZfW9EQQ2DokL_|KnoNf66A%?MB=NioZS z0*V93rebK;pD~Q**Ebos7D7b{=c2$#&T$L4k3O%G8+-dav%}t3iDPBw79I9KvNpmE zT5&F}Zz7lHHkf;cy^9`U%PP#IVreU`<;U*%Vz&Vhg!}RCh}O?97Q46O5fTL?b(x%y z@qPa~>oUMl;CSwWgSyLb#}#KdTaESXl|{$HHD?|o>QI7}^@b8M1JPYd$3~CMcgNnxvojs?+YU>FWbfhc&CfY)`!&2zyLtrCGtZ-(aG4stt#!t$c=ZboZ`6+d z^mw%K7szUs{bR>Bb(EhulgyT zm2`n1=ZJ~%>@B2t+Gksz)Nn3AUqP<{$u3Eu&`J#mO0u`EYS>U(tE7BDz*97ZI8N$(Du7h{$<%AnEaNWT zroIZtEJJ~YQOkE}o7BG_zehv1K7kr;>>?;8NuVQNe~LK7+8}+=iz=ju4ZFUM)|n|< zZOl{KzA}Y%a`4#SEvX8YSOl0wm#KHP0MQ|@>mM>}yUmgT^;tgepWP)EyKUtw zYl%qIfFxDY;_AGzH<6F`nhwp9cEQ*~H_p=wUJ@)b0Hin+lpS;ZJg_2W%)O!fhyDK? z#~|`5mIMH_2?0PYL~d~<5AW0c&>6ud#D_Ne8Z;oULbpMbI=)C8Zvix4)hm4(1Q(gX*u%cLQMnDeK*hhwX z7u3$qHGOuL!mu1{)Ti6(62DjW+byhDkMnhAF5JNEoX-2{wBxDF_#G0KH_dD{<=w!w zYZr?B@fHJ9?GvFObuqyjF#BC9gf>AZiAZL;e|LA6`DlgrU567jq3tIoS?o|T)3eScl9ty?64{QIWo zdGwJEo8$LSM9U~Ht`S37=#L)ZA099)(MfIS4{3rj&_5zq>G7@GPm5JQp^0{w8YfTs zygitn?I4f5r`d%ix+qC@{2!+gYa1){6!AoRqPqK3tD~J-kh9mM9sxOZ*|l>#KF6 zP?Thq>7LM3FPL5L%h_!(+N$vwBENbZyj(WKCPn_RdK7{3ns5<1A+RAp>|>YJ%Y-EG zr(OL~_uW>)P-93Sv<4?&-d(V9O|AUN1&1ayI6x&mcK0sR9cz5-=eN`1?A})fy=6~b zX*oOttW&>ZO-Tr_qq*8k%HcxZ@; z^~Eze%z|g5mwPfG73B;_X_bKa-x44=^Z(6XmXRVOhOd4so6>Hi5EA<=t%NZC5mDix zez)9(nw5po3JdkW*8X*vaB#*<&up4j0q8X4bDVv2<$Da7YK2La(Xf@O$DtjMsQbf*I*PyNM=Md7roGYTw)6 zNGT=f^N&WvK2LSbfUx@WGZXq_r1u79+@_)pM)`-af#=fO7GX(pbCJTimpVov-l64T z#;x}e@fYP-!DBh3+z+g~-`AS>e@c}>ZkRL1pC*+o#|!1d{1BVf=ZonMyo9Cb8j_91}Wo*XIu{CvM|Wo7CMIKG?EnN`K}D_ zx|lmM#VE;GS<#n%pr2&1o8HD^tBR>&N#(VHYEK!7-xEgm?_c~_?S&52jPuOWbXF7Z z`z{lIxV2e2oAV7x?cSo~Uv3w85{o)~I-bw{zV+kcY)9Yc05!Xz!zEv10Rnl*j+}F^ zL36ABDv%WwxvEVfOgtPG8@sNYH9~c1bDT2UdlzH4oETaO zuvIH$sb>+$;|RXu8ql|apr20MyEDDdAEPZxbH)7Lu@Y$#@D5ZU@L#Q~m~ZpilKcl* z{i}2A1b;m7@sFR--d?&_MdahW!PnSw{;JAVykq5eEyZjny!yNN7d0ZhtA}>OU%0Hf zRAzA=b5=Ju5=s!u-`t&+`19uQ|8hwJex#+5|8htsL4@_Gm`Kr*kWUoW%zvu?Isjdaw^c*A6zSruj8JmedN_Oc_=K5SrRX2sne($fv{bgV9 zTvAqWdOu&9N!>%PiDdr^6LT;P0xSJeDQxit-pS6Y`hS8#-~)Rz@E~k&T5=yeJ)PHr zym;WF+H^MCs`qa{peRzjE{X7Fb(t+SaqMx6vI3cn5|GAsyM(sx9s4%F?paYo&KhVW z*Wl6!r<<5j{WD_8)fu{YqjATd0slvnJg)L`_rsOJgxwEBnhq)Gp{WGkxh`7s8Ts|! z5`_xTbOPpohZ|0AfM{!$#koCd^JD%wKf6}e1rGQ(G@`uyR?Its&iUy+N=Af+!up?l zBQTJ-h>gg{QSAi!%`A3yj}_6WxU&n9|Kl$DkZFBNq3C<@i-b7Rb&ZOxR3|9?J_Y}> zK)O}K?^jAQPC3$%{l2#wmc}Z*9f=Nqc}l+BFehASsg8=k#Bd)Co7Uk>`MU87tmw}V z@n_p3K9kOvGVIwVn|3*+4N1;n@IhxB@r9j|igc7xkG1op?@ku5;!Y7%JsBH&pSoW` zxo$p}g{;_d3ZRgtlH=zx%pRmjS4R`1qqmk@9}@%NATr;owtRSM2y?h{<2FbLsCU%$ z(Q-f_eE8|@+|lLNA57K@tydq9guc0U_RIX1fW<%4R^Gjc*tZ2;R;-Jv;k~`Go2Cs# z5q1Oqh7Q17?0%phjb)I$cYpfbN63D{ZF*g++P(21v`Nbr0zabC%wGQ8*}FRnh1*-= z3X+UBRTY0e0swDzYvR2aAV}eWeaJ`fZF?=AhN>>VaQ0-=FsmylIrNH5W4m^HZ2N+f z$AzS5zpS<8TsDf)q$c72(&`Bdq2HKrpuvjCy+ZNP0REQ`;k5iW%jl5 zx3)5LgZUfDyD5+#`y8Q4T%Y~zG(Fg7jPkhvAI3>~RxfSdGL!-k6p?Z{JZlRT3kh7r zuyA6|S)UqG8pGF%06+c7pa}xaj|ya#4&t#}wLnQ|MQdf27+C1q6hWbGC1$-b=eebX zJYF+B4jJ`o+rs0$-O^Yinbab@(dj>l?FCz_hhjm8Qp7%}mLu_3+DK*GKZ|XTjFrb4cF|xX7>95dVI2}Cu!WnfP<^Vy&nYbNIj%K2h(ugrwRmPG-?Or_O}5GdwaL3OC@?CPJ zG(Py&-iw2l`3CQN0jkQku|7Mg!7DJnA_IgD=1nM~-%d4B?fx=)756MCP+E788@Yb= zOYPxpM*?q|Wts!aNgZBU<8fhxrRc&DI3IyEv9~mTuSMoI1et-OnzK)Uf#fb&L~*A- zyiz;X4*=kh$w7}kLKJB-zr^9sTXL74`l=ysZDkfVh*4>2RO~2CIi=`7tJkOiRxiw} zjJJ?jJ0EY>YOvTl1qHJUqIS5@PhGXB*h)Gh&6i6*`!F>T=IV}g=BE_0%H=5m-hjq&ku{#Kqs%7FU1(9E1|}ANjCxnd)k4cu*gk zVj5Wt)Jn|h5mC`1ldji>F_JRmrg@w%;v+%TYqC~21dP}yh@5K7m0+EL6pE5v;t7=C zF`}Gu)<@L`{V-!{n(p4y1-q)BcR?F z0GMkWP(D36*7NvPP~SsR9@^Uw&j*M-b}Z33wr}k;qP@8Y9T9Xr5G#J|rIlZ6_gdU8 zKxHPvgZl={@o$Bi#Sc^UT^FjCWR7HG7R^z(Dfe^zgjZmQdOZlKav+DtA|1RK=?$|^L=Tm}lr6&3lFH0()w>;_H^#Bk}`|GLfs+KOPa zww+C9&z9CV^p?HMyfB6=2Rk3OcUwvx`}wss4DO7ebw3A^FVhoO;H(c^2C(wz)Pw4- zvE`e?z^2*V-uL+n?~1cNm(poAn;iqx+N#Hnb`jSvBnjh=(w$&_=*4!56=S&j({1c! z`H!hqgkA#L9yCtlx766o+xMB^NRB?c?zA_|-xGy~l@*6xQ%%>UVJZMeKEIW8!2Ky4 zyR=vCIc)?UsU>0eBFF=%=lPmss1Tb_ifx7vj^r}i$igSauC;Q?OR*l1k=%$C=gp;u*a3NcQoEw*hpXcYVpH%U;V{4gj+A)h}vZ zs2t?^@axdfPd&S;4{@vMC8X$e^qi(-4;<=r;BIDJA-hj0PgFt7tW5AG?V=o6#XQjZ zCqL88P{)_IPm~3=!gd;225Nef8fz9dp9K3I3Q^w8mx(F6weW zC~+?$iLj<1(}Aw~)BQ=lL#>St2}}Si6^b-zR@XM(kgz)M8+#vcV~H2za;9$}40#XZ zNv?lvB|)hh(D!vxMwy0qF%-P6Zv)izMd zH<<%;0@|`1Ja!oD*h_fLZ7YI zvipyr5WJ!LRz3wfr@?_W5U4*CyPNEV zR?#Tb8NLeafM08vJg9oH8%tS8hbZBK?RGCa-e_kW54v_?8MZ_a9cD{Ycvte?7&IQb z>jS7(g{RQhVn{Gs7MZY!pos+~NSz{vs1v?zQRyo9s7YBbzDeDK4dwa!33qX|0`}@` zknZ{wswod{2F!@;Erzi9g0Cye%^0cd_$N*3XL3^T;i0#P3h4qh9ZYs$r4!NOZ%VMZ zzA|SquKt1AiP~^qn7`{_H`tIYcoI}K^w?!A;(PPGLv=ZQfiSUx$1GE}0Mddb(kL+T zj0Jor$o{a7$HQY~^7>w<)Cw>UFMeh!Z0dCX2s-(pFmo6qsaUXPo80*KOFT^ zmdJJd1%v%EQVV(Cgz7)OMAKxRJJr7^_3W-uu8ZdpupG67pgb%ITY>Z~1L;JWEh`7( z)at;pJ*fv>v!)_%j$!L1&lq7VCMIQhyt&xqU=gFz8lV$FwpE`w{Z1vLfcY07Mv})4 z*6&G4*$U|Hb{isTiTn<-`Lnm!V&H;huP2Dm0 zz30AriPY2}kq?lq&ms5t>Iv?~0W{cF^M$V(*rc6UBCHoreY$DoFlA6Co(dXf(6qsM zr`z6xP8ekhc<%&5dP))6dKTzgb7dFI^Upu-bP{xeP#2b^kU-5%b=*mgM~u*!xIuh~ zU7ZRm4f{%8!|4X&54rn&VQ~2aqT^wy^x3Ioe_nr70WJoXL3G4T6A@+9P#^EO=R05heag=%M!Y4fj zJ5D8ZnZAO`AR2FUgipEp5Qk~DEir8%Gqyywp`=37%)P=v8m}#9VF-i!m$W*b;G;}^ z^VW^OE3zNPrL0Jsgl6E`SmPP@^E{a+pi14uJd+{v0WJ1POm*L#Jg@W6$-u_@sJsgF zl(0s`fy*k^n15bT+i~AEdtRU>8yu}Pu~3)7)JaIS>PEmTyWoui`-hTu*xu_E5mW2F zo@%yuU{^QSIkaJ!-7cVvu)YL7b32Ry)suqD$pJ~0plU7&KZ{{|<2nOb-%Wf`+&cMW7if0FJ7gZ0UXmDhxAcK}ecf9Z>y;LKVpU>ZR3IJ{z@ZyFAZj zRGDoMQxxBD9<(tR;c5Ddoh~ker!zOxv4{pKQ57~6=h{h08WUr| zaziF=Mr2$nfv5{g1hjILSmQwT)d_O8d-q_mcNesyJd4JsjPm*9*A0>sNrSA8OZf5- zCw;Y*3n`Bb#3CIo?rA@I*c`q|bZ?3$(ySAKPDLStPuzYcMsHa;(F3hU`NK6Ew(erp zhHalh6)K<7Gk(=vlxyd{Ky&>^y6|alSE#L^pbCMi2_z1|5Q4^KQ^e-Kr!jo}ni&9< zD)_c>2Dey$eMh${ilkN$1~2S=p(G#;j?yu|2&`cY*Ks`6=j)_QUxOTUad{ z6gS4l7Zys4aWbipi<&Dh=^({FaSYg_wcq9wW!*K&m5V?h^-AV37r!-@4DnQYerfc> zCm?-~0#poCP2ka=--xy#s)7n{ExAaAhfcr{55iq(nE-d=8VH;V=l3HXUCVWjX~wyd zfnpjTik$uWMO3c}F5_73BOdyCorio*i#-Wi?Z)ek67JPZaj@L?iVp*aO1sNv;%6A> zSfsqr5C@F5yv~jIVv}WlWPL61B*v+qGRhKnTsgvcb8cZqWb=U(t|Ak=e@9OnA0~aO z_PqPbHA0_@0)1^K^R=prP}Uu|G_Nm|;MCtQ^apRhIo z&M}St_2$=pH6w!iS6@FKhIn+hP2P3!2gv=3*um`ugzHUrYGIOj8Y1dlPrRc30@w+7 zNa4Ikf_Bw+A!j=U83l;F36yqCBzh`ej~^waBKyj$eQ<@Lggaw zA|4sdHzOLByWdJ~x(z|rQ8xn1?3yw*3a00n~*q$5zp6j<$kbFh|jdZau{fL&7qR-_HTa>?H(%aNp`@52!&nw9Q$ zIu2&_ka`<98~Rz)U0g&9>2R_0U)O}$MEWW4=CDG?y_ww@Pp>uKKeX)L0Qy+>jNA$D z@V-~iDid6rmM(^Tc24s=rY-y*Yt$(Mx!t`*BJqvCU^th=^@9tl2?XfVoS+x)IFE*? z*w0;Ofz0OK@HdDFCc>)8N1|=?P$e)Nj0;y)geG4n{f!U4&WY5Bt6vrodBc6|w2a64 zi3n@fO~>W%o{|sz2G>C=SqFu+J?91ebz(`+O^#sI<}1i8!(EmU-k`#xNU9pu)5Bf% zla-_VEfM4p0O7ryL2n19#W4%{hE$CAJrkufPMlJ?JWk7HSV*~30(wp`b3a-kD?tzr zlNeYVgI_>vMo^iGZ$3=_{0Yq`fs8JWiag^#qV0c0$Cr0<|7^P!eid3ILqI||8btk` zr1t!eI$xrM2(@)7*JW2GIu;0wV8@^&Sy}1S5|WFP3#44vbK7CPM+c=%rKRhk7WeiU~o9M}kC|)PbCP&u{ z*FaSrgxG@$1nL50OZA(>mhCY#X@x{3R!v|ka?PowmCS_hR~CYtM3faTX&V!QZ?K1Q z_|_K#2ukPi<+=UBAR(mZKOJN<2Yu-683J`7jtXP|HOVyA!w-kffEq|+s|*ipyf54B z2;_X!<&Q4HVw+146PLMaNaT}H_@oFg3A!pDSzP<3JJsIARw7ceIWw;cywLdNqWhM8=U+N zL{IZJCqBBn0kGEric{%+jgTdNwXqQ3>MJ-7R#;e`>N00dqM^H6eS7pi))NFC@bKEp zpnC$V0NjlQwonR+j+*7zy)t!LJGvCSISByWX>UnGLLZ2rD43c<34LaPw2UL|=9IgW zYs(}^m|z#imF$aotcy5n1yEY;9&DK^K zkc{1e*soO7uNJMOq*vj#ntIwCY|G+KIVv`bHfe(+krIgedjb5a&*lVRs94YIZt-j= zrtMMjq1hAj)X&vipFk$>UUj5DvBk7TNOoi(bwWZ`=|*TnN1C#v*w*pP5N z4|rO?w2=Fap5Hla+daSg!oRmc-TwQ_bYe{`qS4v+1K(mTuf$C7Z5b1Po2F8#rXTa^ zJi^G^bC0~OV%ugN^>I!v3Jv|jZ@94%wE*SlK z^==lsN3r1Ep=qm&ePI|1vc)R3YHB&AH*fXCyUf|jJ#H2?aB?w-`9qDupE&Zd%k>S& z9v-hcwUpr6GfH6>Oq`vP{*cXl7!y;hAzQR_J9FG{Z@k%$F3}lE3!BF7k{p4Hq6O=} zAG@>u=0H4jKI@aGJrpf28@X4Q^d*y(IC4+LsIrSo%5%Sgg0;h0WxwK&*E#<|Je75( z1Ackidq{3t@zeo}yWyVXL3>WG(6pjyV$05SniSs2ayHlubS0}86tnvkvcvWZL5fQf zg|$nBK4IWC0~4MUIucei#cl9&F*OeV{FfLE#ANm2jn3C2E3J`lqMq7FZBoX-&Jn)t z*(y!!7-f@8gG*m5vI5>8FwrOZR*W;YR6_?5F>(H1f987`Qzci_{Cly#SVp+-Frkm) zkHdeq$R0aJVGHD4Bj?}bAu4D1^CMD>@|WQ(K$*!WKMDQUL3WO!{H63G>i{^DSo9y6 zhoa(Bls^2`n8OO02vgtxxCzj%*DG}b=?s-BjitFU`XWWnPL=_*7b&haoiza})#r{A zYw=61AIpi;e>XsJeU7{s$u7+#6>|)E5uqusn58!miaX2e`8|b|>ALXJptoOsY|*YK zYfzfI@Y>S*DL2PT?}Wbue84rQUl_%gf2w>LI~-U)66NPc?m;T3oJ)bhve8{=;ZISYfdLcfkI*Udew*U(|LUP@Dcc)@YYS0tNrc-~ND8 znH2vsg6K6UIR3-4qSqik_MgE=ukn=RU;Y-oM)D=U|JjVrlmD@b|If`ZI^uIWZ_hU! z7Zf<7lPkA%CvLcH?O&3;v#J+2U(H4!f8X?U9{GD^Aoq_l-1vS}82ER(p0&&--rDW) zIBWN?shxkR^9R{8LmMWLJ=i3tl_gb!+Tc}(rAVy_{DD_~&lCt&if^e1_7S=Wc+=MW z_hzFVYxC8h)tS7T)5&#d#Ik1M+topDy^xw;OdK2-0`#8^QK2(4B02d&z4H=W5^17D>)7Bd*;0rRrVDjyA326LdV^l?i*Duz5}5KW+W1c}?5T+Y6>+z@a^PN|Gg`jB^K0LfxmsItSz(Ix^H2=3d zUTf~&FcH9)XJm!*<|N%ctNW})Id>kBy?y)k_lylXAI&*r%~lAqM||%S6KV&>Tl@3^pGG@ z@TaW(o;G<+y}inNJM61}s6K+g@&CBtt5vXYXmcfa>0#I^6f zAM~UX5f$Y)BSsY!rL&)HzM10D<5`I@%zEv(Y;@|;qcu1QK>$;&dGW56I??`{09CXggzE_?S8SdqJaZJm2ruh&v5)6h#h zxwzmXDyq%d=8ME4Vq#l$4|CD6`A>_!Tr$d%LE>aAE=BJy4VHx5Hg&XL*jC0OD|&e9VSavC7 zJNB|^YXfC?>mCdro(4PxLsV4sZbREpjHnDD49sN*Wm3eXww^DBR`keLNQQTGv|QDf zY>8y0xb(HH)#Isx=dCHfU$8xisdJ5yv3NqVYv2h&+RpvE&oOccboO|8LzMH`bLR^5 z1NxSGgWH1=!`T{O_E!4y1+uNS*seuzy?*o7h4$qLZ(a1eF_8b0+`CPTJ^nrA13&J{&X-si+d^C1llG6EPgtc~Ywroa%g-mztC+SiVkbbo-j*F%Kf{$KPTw}4~?;}!%{~08{$fiI)D-6<~a&lEM4{}dRQNK{(5CHSQ^C#Gc@qbtME_`nt8Ai?)?>Rv10f3@axOO@OK|RXb*0( zS8xi!J-7EOg=S`EsM~d}C(t~vsp05cvsdZRCTEl+e?Lq`P49G@mu}wXQw14iLwe94DmSsY5CNy@^6dZP|s_y z0Zgfo>?Lx?{(%Ai;*g%oUNByGoJ`Ot8G?T>Pk>&1a*}E=p)yLt>cBV4L^Sr;PU}td zu$0RZaYy+n`9x{A;8O|#r$#Gf5#)Nz_8$xM2o)RH<6*{cSCOLp(YAQ(_*&!LoWK`f zzISX%U_YRebJX4AH-gRlUCdp!@zj0{+G_`lf>=10jOw|RT?bv@{&phdeWxFcuYt01U5|~_SB(dZVz!%2#Hc@daua&UCjPh& zlNov^EF$9Oi6Mcj^`WtkS4K}Eqp1V|g7?y#D=J`OO}D7r;XP^IQvP>jND;7)leW0S zu1i8ErqBgio8XBUc?~~@5%zHw*Wx}gzp!v3@fg^sg0k{C@Bl9&V~@bocnd{YfBiaY zKeZr{GYB3&SD$_|PmPqtCSb?fs;k;sbb{(|TWK#~`Pv`YMD+d>WRt~;vPTKoG^t)Zc{B1S2;FKk4-H-nY~a^ z*Y7x;!YM>XmJr@!bxrXn&DHY=9WAY@lJ@dI`H?58SkA7^;w7u4?jJt}SZp>A_T3SN zmGQC1HjC=<>bS8>ug2}$q=;xQ5?5(2Byt$bTc?sV{oDO0J<<5+ zJI?Ky3H6oEhD3OG+8xQadn+&BZ}SPOU<~Za)m>%4-Ojq_C(zI$HNA&CG9R~&&6nR+ z*Jt|G#q^`Mmr4quTz~s-#jw2*P9#5X*^WtcY5n&5$wKKyW&fTSqJ8U@N~&PUKt616 za_mj~-gzw19W&PW(oc3b2cl-+w)4~V?Qq!xMMbNjwhU zRyjQR)gmJ6#5oFL0x!J^6*4EUu8Nmo4Biou=UKZS4B1&)zG=PlMQ(no#qeyo?AyZ| zg>HlI8`M8|4tl@1zqL{Bct(NDP0Vhn(9KiUBjXER2Zqpm84>TW`Zooh=#`^Gls=c2 zv%+GU63w_J_Q6x+;>FOZ2oMx~dq6CIK0cGkJkPDsig7M+sD}78#brvVh6&2^3@U z-~D&IU(P$cL5m>H3v_rLjI{KXQDND!(%tI8zVai;w)(uM)7S>H*t0MHKEkwKju_Of zZ(gV(yyx8m79Ftm8*>G+N~=+?UXNe%z|YOiefEV7BdarnGNK92iVa z(ryoS9X*wyw@e>d&9N4Nt2J)XL4G-fc8S*_XcI# z(N6lK-%X%}N$?VDa6K07@eRM&6$HJX9_beo(>hbtbOGw#k-~#7$GhT1rm!Ule&!0>6lp(NPVvCWT(C0cGU*P6t zh2+boUL2HZY9d0u=pQnJ83;OVvOG8tV}$RCyDv#2C+|6*g~QajlG>QC>1P5T(ss~5 z0!Il>9+U9H%WlxXH`!=Ce-@s>mXbQLsJ2tbr9DzM-ciATD030Z(>%j_p?DYJ(){%c-E%L<$!`$cDr&6|t~)zTQRACxHNNL++{3vJ1+KlsA{pG?est7y)@^C9 z$*14CzAM!YdMe*Rb)JRN$Hy!cq1dscKt}uXJYXm za=1$dwRsO10&-b z0warMU@3-D@op$bg`N2FWzJ}A|Hy50;A1>jtY+P@H^RXiFpk0 zFkS6*tIB}rqY<-9X)mXTtixl?%HHiz%F`7=3SG-?4bo8gtvcwN1;RZaQheM$E}+V1=m{$)1F|sY)}YRIcyHl)d}=_ZWG1lgD0k zd;YxTY=-q3(&or2zgSZGOkwmCIO^?d8$>Wc6%`fqX09}xTSq42vXqZ^hrO`6DOf#J zEP1cNK=R&H;Rtu7;v);ur%scE;>e2D>M<~sUeB)yMq$e(h&~Tp>?THB=f=L*&LR>j zs<5SF3JwcbR=Q7bJ0I!JFuQv2)vI6(Ldm2ni*q!e?bOOEJAat-zfVkY8p+xxvGE6b z`^d7LwYB$BT|9H~VpU9M57j=F(J%J7$?u9Mu##8Uns<_^xQBF2v0&iwFe!(Q5t8Op z!azX%V7Egz3*z@PqIm>{b zJ;e%HnZXGZAu<-95Sb`0PHKU@^E~)R2}9NmAP90gW{HBg9zNr^IRa)LK2o z2M>pDlg?8Uo*kGZ%IlfE9^Nn$%5P7&H`mG7M0LiQiA$B)5o zA}@jzk=ln(W5YS5w2y*sn9}WH`dlSlLX~03nXi%CHT03=l(|y=?dpimY$L>Jh3i1h zc9(ZooVM%LOUzNTSWF5LwCU{r7BEJ#Yp4~;1l@hJi);_?`YojJ^!P4NMda=G4TZBm z8S_JU55PL@sN;hN`=t^Bdz02)X|wr}3Q6pF{_I?&f<%0SO!SqvyBA92ox_B9 zO(?0In0(gO2n{+qb8s1Lq}aGUwe8)&O&C1a+Jr6-Uy;W+ z%-gsxzfmza>DNCFisg(2oYf3^xs2p((x@F zb{OEHEgge`5=7<>(+`t>La&f`O%^&7o$Zowdiz*tRfOxmG-IUNPLm_07%h zWo4`coZI`s#u4O5tPbpcw&TY=EAJFQ(J-snXNZ(8`si&|N_az`HZ+Vf=@(Mgg zwz~klI_%m?nrj%ub3k4u4j%FFNQ^`y7Y}(B7`RM~h0_ma!cQr7*w#^swQthjeS_JB zyiW@kADBEEN@BGf=EmZBszPgZhx?1(ugBGd<~kNTDU8bj?jGLz+fHjOgBU^nGr`sRCM|-w(;t^?tgL9IbEO<#1*fMdozQ-7N*4mjh+zsh z9C=(xfUikODE@@yTmDyPeF_>ge=gXb-2ya#k@nrFrl;^^8Q*XGU&nwZU4n?s%P;7Q ztF#b$RT!W2H>Vdd4v8h5=+A_Q+2SM_7G5{-pakLn_%nF^d0%i%T10@JqMXJ{^nQCO@O#_f!vwx(vT8K=2kU3xeSbOM-2s;7pAr33CG@I(@8Y7~ z?x*(FQP?)p`PEftpClBI>VrJ)uNcnEJly{bv#WPE3|YFTgas+5{>63BA`d& zy+TOw4|4$g+WKs>kh0O8uO$}cgW>PreWmdr?08d6(%hF@PUV3z#>K-aax+#e_LA{z2>7w zB)N{u6n%Yt4W8DH%TuL^su@z&9RGFQPaZ(NT7V>UQEJTTRrrJ~L2>PM~g4Giv8-l4NPsge9Cl{=Q- zX)du_z8(*Xld0w)A(!j)oI-k%_7#=``BEc0weu?lBchlY5Q3Rf( zxQSs-lj`d04>>W=ulm;OKe(B& zFQ3A1Wq&PMdNZ4sy63wiX^+$IP?JQp7F`){6C)$Sj*Za~5GLLSPX|GHcfKgeq*^zmM@(fe&O&BbUuAaex5W8iK}22TBrQ^Y zh)|rO+~(B>;|eDQY+Af+>a^0aB?j5j_NE;4H>}3NGmGs9vIq)suG8gf6&PBUE&C{Xblkl|xYED$;UVwS z{k`L61gP(Qz5_I$>Y}Hob+jH$TfI|HbE%sQ6LZDHUesO|eOgHd5e-cpPizawg$d$M zU(o1_3vVSKUALr8R;Pgk%3Ix|5pH({E_Ku6ous)r@yF6B4~U$yvf~k*rx8C1@MChd zcXVlF>XQp9ofHl_g);fw!qYSzZ%vk#l-%(}mpdvd3W~2@2lz}hH`m|pO|N4NdR=(cW3jHsk1ytrj%jXiB zF(WRV^TS~hFEY4x1{`oL501Kx6nglcs&If{Sl5$O{=RqDpr|t;qOY%i9z#9qV)_yNEIOh>!6M?yx>5d$g4z+gN#f^6@%Oa)W|+RtXoT`LIo*oG0s78 z+^y^oKk}=mAnJQVqN4_UExNf|9txJnv76SlAqIXL7WT4%T3r_e9( z$z*#kn1Q|h4kUXZaQIVYTh8`QNcGIlY!bpqDH!F%zqBv_tR%zch5V7(i;jFG!wx{M z>p9RC;Ogv0@Wm#K1ygQ_SW*AxzO6(6#nZcPniOiJeTuRmEObSFBy@mbt{_e+cCRJY zVf8CjC9zjXcy%u|P~Fw7x^FY;@eCj1?*D_E`rk zgdof=-etD)c(EhP1D~&aGU`5*7`Gho=m2k-Oq}2i`?Z6o*p;)VbL{W&+wq@Wa~MwA zgh}``+2uV=!4~vDPxFhLIQ4D=iks+mB>+r^L^O}hRArOHNH46D zsc&&3y?583FVi_qO!WA^T{<>&KH+Nrb{^E)JmvuqYcZeD;JWi!eNX0GcG%YF3z07*W{Gm zD|aEF`L42=On8`1Z6*a)vC$N)R(9J`#UOVx2B(0eu%5t!;giI640$Si)-Zsi-kBnv z{6!iqAbCRM!RDU!;nL){Z_nPob{e+VDIv`Ot2ZX_gN21rZEa^KxU8AQV4b~~$!=a+ zLUF&Y;gaZWijYj7u@0$_f)Ms@8&QtEH`2-Z&H5W2`{OMv2D_888@P#1ox4cqw5dxz z?x^`^Hfkk8hOL3b>o3OBAeX!8W~T_8AKn?y)kLw?ennF9$hB*YMkZC2)lYA?!&LVd z7Dc1@NXb=RU=OlxxU)b?N*kSU}Dp;S&CIbM90GZ3YJj#7SWsW8PML%b^NvhJ7 zTet4N5VPs9dZJTwNa+A0F+kuG)TH-aR)`IYT>!>NuUYn%Bw6tEJ!?`BCBwoJJ%pGP zn=BtDT7|TEFH$8L=ZRK@fNzlS^e4}rgehiVkOElqAbFZSvNpT`doI4r-8%@ea-~gB zFi3Hzc7TNga4+jHVTP}13VUKfKx|yxfvBMGlNc6!YO3vIL5^~*=EOvCD3N_;@FH2L z>-Mr)(hj?U7PU(=a|~Q~>M|Ef2skzFh<)DQvRwFQl0M=mYu2Mj_<{ou+FPFCf zG@Gi2)3TEbAwzb8y+iqqB(2@&sC*b;@aWtP5$u%VCi}Cy58h3Qj?I37UU9Z&rM=XL zM23BoNr5J(htv+mmf$z}ZJ2jM^)T}YD+RD|(I1l-A^KmCX1taGD+?ds^CD3QVx4qD zJ1Jb`O+o^bRi`-va&JmJPQf4sM^#|z>vk^wd5xN*z$6_?Ts-Qz4NT_F7imfzH_syk z4$Qq~{Y-^OMc;z0L#+_yoF^K0T#!CW9h|_fi zGL$Q6bgg-jE}reumAdy~L%j5jFwso=bMaDAL-?RO0GlcWAJnkv{d|Kh)N$!kB{w>e@$oy*Ny!{rpjn#I6_HR4 z#uytDc4gs~M+zbd3QxjQ-1+HdldC=<{4KwM#6RqBk3bSonhY@ukq|vctd_PZa6L&G zSs%lqVWZu>dw0_1q)w_*U0d57+nm?0hqOe(Z^+6fl!!g;=v=HDUlp}JsFG+RnOvj?XU}@piqvPD2KLE95N}A$I`1`T5xhNey#R#GHXUU?> z86F-Fp5k15gC+z_?8lzhFm2H?82F@xQWYu@+yZiJ}Mzm1_bUX$yaynLlko{tMj%MMQblf|A)Z9h>1xz{qD2{$RiU7}H^*=5)e$-X{y+9Z`OfewcJT ziu8(_(1+!lDED`N+6}TNE+Ng`a$%xEQVHqP74>@|`)dCJX=!BZ0l-}WPKWj(y<*xY z=SWGm>(c|Ae?#O@%KGIt4B0RTCRP4kOusV*X4M-x`w7kXL;A zWRPK8#&@u>Z|4g*(+gtH(u9ytNS83ZSO5XAssK~`XU7~NJ1K%%N(Cp|v!Uj3W<(so zqQ14@H?-v+KDebl&b$t;5>gibz(a;tA!9L4&4IhCYiJNefx-`}4)$>ZPOT`X_2}$W zHT(Mf+Tpi2HS_;9)?z-Ig@>*!#JF2rBTLlYJ0Q<|c%hOv1Lyjf975KRF2~*Rv02FD zyQ(w&C1qVc0r~-^S1--~XCC_lX~Ak%!F;%2h4|GtFc$BQ$m-PY)x0XWE6P9*m~ zf3;o}s+?C68nuR}HeU$2vO^Ul^6gvQy6GS(>7{6Ta2Zf?9_0;;^OunJ0|)dsV@P)w zIpOF`AIk}Kar>*_lCuc@lTGmST;AkG3pa)rS|U1w0s{dCM(5>CI})I-CSVnbjh%+2 zKLyoJz&*XoiRR#x8g@JUTW#hx(tTAQ;0{H3xcFch4*2cKtuT5vWXaE^Wt;cqr56k- zI{_*lTHVk<@i(2R*vO)j{Hi>^`5YO*r;aY@9Me2+vf*533{D@VN%e$@#6#s;hd-8; zm5DM@1YcsMCDWdly8qwyh_5aFj>4DTOk~-ca1_P*1NsE4fVVmS)&nZUwCD5VDb@Y& zse>~<72i3H-fCv%`E1jo18l48;=_`t)XzaxE$ z@5sxSFLzQ>mU9+t+<)+ZKU?F2|cL>ci6N34i)r2QR}+WFwGfS+I2T9$&f z!M?w$fjj8C_~yJLW(Ht*POam{`G&{pVsv3}sa}!M0EIM_QSg$u;=+LImWY@D3Z($YlCEGz-RLfJI*j5TMF zDs`qbp?#%#`;p2c;MYLqkTkwD+36-{U=aVk0))BpQ%Vpso0Q$6xy)7=kJF9FwwYO0 zY++eRQY$dFTu)Fm1-rbesK~jaFgG_Wf;P>XsO7=tBd9jQz7Vdi^1K=Mw9MgHP0uU^ zC;*n2yMHeO*{g58Th)VnD0$r~=~qCKc%4ujSdWuw`#mUFtP&k~#yjfTy6zKFc$Vys zYlQD~)egX~X$5^oP6tbGzTvCKTuE+aIeN656&V^FjCl8s44GM)RE0HW=HsIQp6nUp z(`U~fEG#TsRjay!ujwkit?UWH1I)L|+(`Dt?-Gz_VZuhPatvoJi>}vK(F2u%AMuL@ z#NvvYq4>%W-j`b&2se!w`mJYwcys-O>ws@FtppgXtryXfp72q*GT^h2gF6Z#!HRnQ z8koO4v^I9}F5Nd7!baw4sx#@<`uax20306Md=U~;`tPFPqWTB&(yszS0ForO{;gyFS5joLi=cT_9d>D zUueHB5s5oNCRkj2E*Q}d3=DJ!2K!c)#SSq2wtVLtD;zNT=35)9SJgn$6Y-G^pFFGb zO|3|4?O_SkXQx*D3K5yxe-+~r7OaFnKiQKlp(zFk0%|G0fVMpXLy*SW$*+;Xt^j^H z)n4}9LRd2$()wWYm|D2$^#xvo&W>ycsIDFFrh#H+gWhE(LU^Qro752mPuyl{FR%tN z*YCkuTV_`3WEL_mXAi-?LJOc@M;nLP8n*b&kq?EpF<+=jFX?h$Vnyv?Sev(GV>#S8 z+IfMgHw2Rc8qyrw>9UqY)!DJ;9y(J55m_G_RUtE;PvTZ;m4`spg3+ey{?aT0#@V^+>4X&{wAE2NHj@YT>%TH4e6 zQmdZ4Wtz<;(Tv083;Db;ETH;RnRR7le)2SRgS&P=ey=+zO^PW_G}!eeuC2`rHh)u7 zQ=tQSpmfsg8vmq z`G$bdp=9{=!B7ey-Jx{&O9DsufHdfDEx;+{kHiTISCGs>ZTJ=k z;ui~0&apn&-0Y>oO*B^-+RO&z{#r%Yru#i!L7_0Yus;HjW z@^P;~_Z0n&+VYpNj`ST+-201w_!o@)tt9xp!s!nKm~i4~m~QTy3%#3T$(_L1zN+H6 z1Q`3TjD84Ub0B{mb=hgzmW)c1PwWiUNbAHvci z`w_{X`m+Dcl34D2yu89c$H>} z30G~VJN9XjqzO~RPu7Ma%(X;Y`F;Zvqw=Mi$to_4ieQiCK?%q+KE1e|W zYs@JR*K{{nC7-<1!OCNNr`aii#F}u3jh~jEbZH$5IuPEd4<~Lg>V? z8+0I3=(q%g*-(wfBL<=63;vsDP6K&LM?}FGXhOPvWRF(Cc|Uz}$e>yLy!=*NW-UOH z$ZoVw3A!VvQ>9GDC0e2~GYL9x+kz4$A~x0<%?|&$lK-$Zx@nU4#p|HRqPpWwnVokA zfw9EIyl(HJf%4JCKp@|#X@WE*6v$9L3ozwcTvi3135f~i{>LTE*X3C8+-_>YUr`O$ z`nz={$QohL7)xrFQ|$YJogPJx==`Ee`vAza7?vH0>zDGZ_Tj2Y&yU3>@Q#Bkb);Yr z^>~Rp`7D143LURq1onc|CeS1ph)*=RG;-wWqe8jFHqHPv8@|zehBp~1w`Gw2Llfm9 zG4|#1dzAciDzFoH!WjcyvB-!E)6(z7tDJF{=iBs$5=v6_EB*Ohn27<7tS^SYkcbZp41o7G^u9;}RSw2N z0tF`HDg12t()cTHA%7_G4t9t8ks~ zoFkAGkQ&0}fRF_&20O}pdzyvLw@eOXc=v(Fv$Vw3*4}(af)avI=!wzD(MfZO5XuLF zRpCZ+8$qGZ7a}wvavJ2{>ayGkrHV%(D9;Pq&wSKEkoSD4=KUbk@Y(?=g2UB!&zH-A zZGrU66NEo#{S|IY^Kx6V-2y)iGPB;o50oK#Unr{!l|e~KV9n7~t!GmjnxXV;*8>Fq z4Fr8RbI6N&LzipK`X=)*!)F&s|GTS?nKgmi?;ZPcHY0~MnAiIM%QFQE^Qwrye7N zB?`>9;X!I(r$FbSjK7c>+gS&{X2TZn8eUeDB_3t3MQc^T-@yk1&_}R06Wl8A;MFZt zg@MMYskvEpJ8^cY1PD5$8&gNem?*VQ6@e1F$?46{U+{w{Qun7rKxe9YtUOc6g{E@a zq&?Jodg@>rZ*8RW56#TKL^*@p1ButMHx*koOW$&x-=HRcTKNt9x=cR5jNHnjeev|{4QRU)exdXfU|BGRR}!hyMRMx)-Iny-2}K9R6N;I zQf?FOxb7zcfE#!iEvWG=tW7OfFcIb|CiiGoHUu_U9s|-)^ew8ReK;B563u}4|3iIO z^>@4lo~X7U$Cq1&Z=%M1PAC&}IVYid0{ZQL-N@kjbEGl4F>>yac@A}xjzooMDI&h1 zcf(x)EmAzKyt5bKlQvBw7XD6w05MuZfrT3H0`Y}=XA{h3%Gw zLb1^-lLm%{CDp3?QRxEIN(t-udYvISKv4yam4Mg4&1^(Nd)Kkn|EcLq5JDKoZ7*st z>L6C9e=D3_pdg!UW~(46cT3=&?H#)Wp+ksj8|g%LB2Y;IzCe38X$ol(LR69?gZ|X+ zNswTHJwB`<<6htP@bzn5RH-Kx@Blb`_7nT^?auTgZFO~Q4DNcH`+Ew`vqxRvv4pqAc)d_c=PI=ognAsgTM>3<@oF1=9yx-RoKX26Y)APp zVF373mX}Mq;%d>C($UcYPnQCLV5f4oGu1G}vE56uF;*m3eKVNg+-?e(rHP57Zj6|f zz9p9C=H?wh@$3fJ43H14?32W*2y%>y|63y0Qy@ccWo5l1DoEfUp*W%V)nAG?nt-DA z9<2p06TLM3xKRii|N2(;HjHu!)GY{!5`F| zK2n{v(Qr0{^oQD1-P13%PLpqm=0gw`4Bf01g5MK$d)Di_I;OQ7S$?jDiX3EV5ZuYK zSsgq5siFID#m(UdR`^A{aM#X((bt})ZiXid2YVJ2hrd*Ozw7k=A2Rh~WxNQv*5xbK zj;?39US8s&EgLF<8p1Eq$^V3bLJlGMPOIqCOd49@{D0L96G=Ne{+477|0hrOAmX~Z zti>fIvsIi02M--8>YFzddi3AeI#j~gfvgN&-YvSk@T3e{ia?Pht`lfkUiSXIt=+;( z<%|6Kw{PtHYen+R4vT7i33Kx*W2(oPb$&G7Nlum77ZsS~V{ppYtXrQ*V+0!2M@l{jX8v&g_7upWby>jYD^@^WY7A@r1S@>XRh& zi^Fu63${M)hQ?(b4E^>i;p%rT?dPHuG@j?yRS97{3|8N%FGM#tR@+V&hCM zgl0FHOM=HmrYZsmPLQhjy&lqqZq~k9k#)4W&B&+2C&M-TdCi^Eheka2!7II;*C}uJ zMTv)qh7#nd`yW?qm^E#7MO&j*NofY41;x2#4wfe>!>BZO)q7W(^#SOOh+S7NaB-`y zKZSO(*-ZAhWoJ8#=D&Mq^zK$V-C41B;$yK@yy$-ITNpizj&CfyIR9gIh|LaIJ+u>&Td(#WtR38tI|#Ak z!r5oC;%Kl_lwo3PD|^u%G_dOY?d3qLPf#CapBdF7$#vak1aUT8z7Tqh?z<*zc|-dI z+5w1m?KrGiJ57zEeTM{_DR}Z0M)JzbA7cp6zAvyQsHmJoznq;UPiyyqmaT8S+Hlbm z#AF^Y4Cv+dfi??a$LExAg;6h=aaUD*%}>b(&<-!OtBD|;58iJ!-!gf1`^+Kc)*&B^ zS>x-=c5^Z7OtMP;&sVur*1|azy~nG$0D~@F0ZtZrMX-5m|FnqE8+r_uZ-A zm-AG?iJb2^qrivc*RNSo0*JAy&u6KrrG-QTUpg$h`EGqv(_trukVyH(=)($Pa_1JK zKe@0HU)GU#PqvHz1S(-@m@s3#as7Hj-2;{#lKhXiU*iO}`Z+GrtvFh|la6bQOijHC zBFMQA7y$5GJ2i-;T^c(&#%6Ho0t1d-6#{=Z;SobeBr%fdGQf)7-^o>BK|vpMiowd( zCiLbM#5PnHHE78QX?>+o3;N#Obsrj?(3yGCa1HI(feC~jrU$_pCTQ2$}K5k}4ix)Y#y0PPnMkejPebce&!kiOZ zG#}s!sO2}w2Bn_5%Z-j}`z$r0Ih~Jx4QU!xK|lF%cuS!^&$;B*0cgX5c2D840@m|` z9U-R>R#w*j!OEvdb~0wAoXIsJHFdX^mKMkY0+KK*6Ybod;nC2oS!ZBi0D4Q(ORS9% zmU*WSRO)0rRdmv^GHuQ+3~X0&yBCf~i_ zXt@K>v-B4`9#Id+{C zc35beQrV7OseQ8{xT}7p&*z&+@&K=q_?2sUlF1~tDp z`J?SdiW(ZzX7J<@qlq-?aY0<(aUz6@rl7Rc+ch#iOF3IUZhXsZs;|Uo^o_*0b8Kuk zlh1Zwhb4I-TpD#>`bwGAD#wrY_^-5Ly~=3xc4C)aRO>zq3R+&Jxh)u)RBI3_{j2QV zVtHD^<(zO>DO0MDy(eYl*ae(niqPIak~ClsVb_tp;AWEU-@7ZFoeuh#v9M0+xlY6g z1lfmHpH!z0wg#WsQ)YsDIL>F%4_)M!t~i$H^WY&i+gXYo(zhFw5pmFF!a{S|zh!D@ zNV+}Fl#1?GP^Y;O7D5z3`+iTUW<+LZm+5jC7%0Xzx`&C_s%NWfsHz5A;h;B9CeLa= z^yI}xGt?dl4@%m$1(O-gcIzClDY~873!jO$Kf*L#@FyoHWm?qO%WPp>Lx)KILOv=^ zZ8_UH%ph>%@W#fY`I|%(7nYr;MvtgXgV3foqk_#Kbi8Go5Ul6ZWZMqp&AWG>J|yeO zEZ2gQxm;acV%PjoUs(Ik-i+4k&}y2hsKdXyrdD9NMvmVrh7v5_TRtvOWUGu{u{RXD zSd)0JGV8{h+;j%DL~9CTL*8J}c9y_%W!Ag&QkA&0Tkrt8ibO5yh&Z7-@JEj>BI0mb zS4XGxR@h+>@j-cG?UI_B2wD|~=BNhkX=s50WB~mC`GnB zB}Q*064aOk(%z2Ut{TzCV?o?d)(F0eGu63qCO?>FCsgEtc7bw{mA(*k*7((ps?2bf zxYsiI zR7~XD!o7O^_0_t(Zyi=3xw~`T5IzB*I$95LGJUkEVob%Fw0~tgB_74?A>{@2Jqb;G}BVj0a>Eg!& zRFc=<^4LA!c2Zb2__r2TYNDRT93v#xZkBV@E5n;+d#yY?+^eGbpM3hMrkl|xMrl8D zhD_OhuAz5}{HU^Utz6`Xcm*n%)iH7OXwj9lqSMyjvXlpiRO!Ebpnv)p{i$bGT1JfQt-x!IJjD&!|P$Gnjob2FG+l3PvS&a2WeieEoemLE& zuXs*rPULf(G?^m#v&hH=r*kCv8_O40TS>*X$iki0j^wYqBs#U{?kLK%NH=Rp^`t15 zdlZKLK`vBuU@6Z>%yqn&H##H3^cr%)VTQKAq}}~S0^h-Dr+g=i=iMgdvu$?hC*~|~ z-OF}xE1%ZduwR{8PjB15-+gIGF1+>(lIx`GJ1Ml>n={?o@6ea1OpHAu|2ZPSit8oe zVAY4S-jBmxj?cGY$+4xSNBC_v2tJ3eE=L{T9nf(KkprJ}=KCJS4|;>xC1#Zj_mHj9 z+*H_)SYEGx@p90bgXaByWE=C-Xe~nzZAydWzi)yyyxgCtuwr|nghnIrG3WHe#C@p- zExkL>=yN+dg(AsS9-zZA>XAG_N?iJCQG2<*t&I#Ow1Nf)55%IxITuhL(r_BKVc=T2 z8A5l#^Fa(xQ)__-+;q^k`olU?MV4tNQCJ$1&EnXRX}-#G4pL%C2Pp~_m7YwIrFcBe z%f=!+Pbh#!Q0o?{lMxhla+HGPuO#@RjsD@#a$Cs_N5m=%9;a}Swq0PjE1w2QX*Yt` zeaNuQ-ch(N>3`5*QAXxcDNM19N*=v1CB5(?|K|^S=K{yu_U`kwC%u0(k9XLNf5v)* zQYqg;WUfZ782%Qikx3ODJ;WY9{(6X7Mn%MCdK3SlUIUluSuUO@CS~}VDh?Dw96N1t zjDU)p=vnuy)yC(A#=iOmu0JRI#g%TacWczivI)jgd6fkjDR+=N2-VM19}JR$Pa{Jf z>%uO=fLE2tVe*W-+uHR#wdHz)zZyQaW4-LB1%^CRJ$GgO+1YV@3E|6YCLLfr=gao^%;2)U`?&zxz%gaRa3z>(SBfZmKS%%g-}!8|7w_lW#Ffl zAiN);_f;fOK3IiL#gK+=MbKt3imN)aGXZ`_m*hdOj-mVG-nn+wRF|iOOYo2dKkI}*9XpTI)`Vc2@4w< z^d5h32oVbRk685vMP3(PFGTrnJpZb%_hXs|Bz2mB2UX3OmM6IYk4P&XeQ>7$KZ1{j zQ>}D+Yg`o;%O@`Ot9H;=4M}vP>Tlf^wpW>&&9uegHH})`zA!U9w=A;N66xlq?YhJy zwmvnDG27tAzl@JR*R!cSXpyDK#dC12mUeX_&$c_;nF%avWPIE;CN?w?me3zUJHNC=c@?tX8}Cp<}5SXhF*q5tWF z?rJiPNp&U`)IC1n=h0>Mp?j?=d4(tw5V_Kx4FR4fa-!Z7-3b5Ieg~be`%;wN@zY!4 z!8l<1HPXUUGj|l?6ZxaFVz>B~8eEZ(jieTC%MHP% zkQekdjdGg_hO%)$=`$vHVbvoq&lz1BL1#i1mT0@H%I@H9BI2`jJ`X!=q~26eDAu2V zvrBiU?Lj7OgzgVk%si<}$pvS8n zoK|ERHRB(8P+mSeHP39Y$WQIqF+P8K>lVItcrD+SBh|+~K7BXpKCstkwTD z`)($zk6(3m=HBiYFf!*4G2?gIe%Yg&rlnapZ^-2Ayy?;{tVLJ#me%+_sT|IssAGqIKyfl-&_Ku7!BVnM{2~~9b==OdO zUE%cQ>}F)xG>{25eebd+yG4e*7nhi{!(g|x`JL)R$yIGGWX9GUQA}eYzxG~#26e7E zeO%!wqy}0ru6^&3=Q4Xpg0+qI@4Gg*J2@wHnyn+OU~c?l6E&i$+G)l%gvV=~Gh{98 zry*`=7(C)BIQ)MYP842mC9W~mSi+-~;n5}O>UqHe6Io+Sop8gw*BuHx`4{K1pRXCc zkY3r3O@kxF{sKDxar)uh!s#xV()KjHys5SH6ILH)ImAW&F|*J|HNd~)Pm5~PLvEJJ z?@xJk_sOX{5ceMZ7Wcell+hI&pyE#_5D%(ykBVZxbLUP(M1;7X#pdQ_ruhKj-28lf zSC{a>GWd>P*Xnnl8gnTz(U{Ht8liV72?FUB98F7A)+1Wv@1uL*yYa<6N9?w@oHv#W zwo4~FGt3u8t{!G(E&gh8h?SMFva%9L&_X{3Ax$1Sy#<&3Ki$(mtn>o8M@NU*e5=Oe zc>^vBQS!2C4cDS8s=*rNf}wIFG$$ps2fl2VPxTCHoWx2soGmb8_sMexu^)sl7Kle( z+0NTcj`Ry!9UVew<^#S4%`m+`A1m-9T|wF!g|J6!?_M<^{p1ZF}u6OT3C37Pj3nBek7qJN#Tq`9Z& zZ@k2O^?Gd9sPH3-f7_xBxA>Y`Jb1c=4{vR6hj%tu&2K!yQh4r#wDy(C_SOlZy)Ev> zs5_raetP|M>WRY(OgXM=W+#J4A(uM4GGxp}O9$N3DTqgeM4nEJ2kI~>+4(!n*;l<} zE2S@*L~gXk?z48uD>V7owkzm~e}@Mj_uPHwRd0uw@EmqwdNX>OmFu#I5zuny&l5lu z!4uSFR5UcvF);*06!eb^hCT-#uc)mJuU`j6#NRo;V)M&$;o~m4FJ|GlPOiT>2%gsN z4W0Rz6~6r70;453`Ug%<;L(&<-~q*fL|5fuV02cqgE$jXorf8nmN!*y9nXAdEMyZ6 z4Md109j*A6)Te0D97Rcg)^J?ON7!zJ7Qjf#;T6mCMmXP%svRr(7j~k*0nlY-V_jRA zb}lV(@WOtGO{|Srr^CYoOXG1BqBMkBe`>Ie7t02VoJTG zG`!~F>3NEa>)?jD*;oj0`xO;lGv!6`rjT2}elBJrI_hG1V{D^RZ`+r1xKT5_Tz(&% z2mMdD6^uabh6DBnKoFumwK4FlTun$K!V2t&bGrRFxAXQy;*z9#R-HEJ^Y^W}%huye z&nesQc<%n-w(O_v$dMxLToe6I&%I>Oy_MLx+>OV=uJ{ewm~F2c{t9hWjBQ}9qi0Ow zJHM7hQ-83g{i<!QlSi21u5m_3jiq-^ z7C3H>emHKowX~Ly5mvFh8*KZDUh)HU&2;sOWDAN{y%n8Zy5axbxeE!)*_7!7g(8ki zy+v+BNLg_=s!|13`n;4B_#q6fBWWFISJ#|_p+92So(voE<`hCWHP$eGCFqnj!5uiw z7{Vntp}5>2IL)it$Y2?t;^lov+V=3?ZxcBn$Jz(LYEWZ&fi^P0O5fO60=46G2RA1* zgHdh)1d_CK4P&P^mO_&tkw7#2!O$E61YUvvq$Z}SyzFR9Z+Uv(^d^0s*tFRfV(6zp zRz%jgc#XRHzkzTY&%LeFqLQ~RicSHx)!y!n8JFhZJ*=xPana%Y`FyvFcJw zr9vq}tVD%R^v-|>D4!&%oq7Lpe>=_eL72U2V>Of3;US!a&gH$(;fT$A=JdgKsklwd z3nsDm&RAPAM@yyNP78WIKAZU^kuUHNKpg^M*V$u$OQkBGzW+Xr&z@1i@gW41jKbn~ z?;hLQn3v}dl{+sfdFc3YQa;n3Pf2PybzoWG1T&B$XZlrvadslDD_j&DKSO6hHzPQn z-nw{Wsd{B|jzb*Bgu_!1SfP$Mya$K(?0lap7Cd6GDJENMfSUf{L(3eazVh(MnKFh4 z#w+Bm3=ac2Gun+TkS`U2-jF$(37P2Kp<0^oC4{zCnve@Mg#b3;J!);b6Fxq3_D14F z;%TKGLjK1F)28~llluD_gDjj9PJKX4>2=ZW)fY!iS$YcVMq&`!aF=~B!GQ%gMXP4i zU)SRx)(rdTjsI0c$lac%!(dP{| zUmUxE_5pzQH&8-DPw!|=n27hgcPHQk$uBF=A@?KI^Tu$^{4)j&&7LT1TAk-=Y8jee ziT@70?)&`>z4n1SECLSU>$rN}+d%wY*jGnOBhQTU^;w-ejSv=Q^-kpx0kT*RNZC`pau0n56M=cXSxcgy_>40X7yU<*jc3eZ5sr zEt5qL$%MiR65)?LHIRs|4-a^TZ}w@7n=vT_Pxi!?hQdg9imd<%FG- zP+|w%#|i4=6y+gUaNb6|2R?s34m_0C7B`_g-&C)6^34iNN^&yOlbilcAB^Dn4+7LT zZnPo*_DCoG6WjssU#A=Hq-?%=9DIznew&XFW%wajb^ofjSJ!fDjPWH{OfY8ppL}2s z+|kJ89yL5}_-YVQQYnH=vFlThFP3}X_5=lCVLS9x{g(33cS*6& z`{WA3#H!5VeoqhUo67Keaf&KyWXR*k&j>FhcmgVlK61$76Fzp_J!2M#AvB8Z*>nAn z!J^$({}ChtvLsd- zSASB|uG#TSpywF6ozYnTH9;z)s_HoTT&K&;)(mvF8#73)u8B5s(WwY(rpa%S6*i74 zcJ=f(PSH9ZsNcG$wYv6>bZ@KbJDaZKF86A}Qp?xgd?10$;VEN6^VH*QhYf*e$!W7` zcmgNumfvSngHt^>(~zutc&i;M(`fekBMFbfi$U_a7-aQ_ZMV6r81F^AdQw#s-VkR*zQSZzNmJwzL|GtsI!yy(@XR5|b(0 z5dHM_fEV`UFgUxF4gq6eyJIRm%rqCJn%`dQ&4gL{E8KIi`Q;q zPTX9NLHJ#kdb12EuiR+$8Mh5bH-7Cga>xhR?AKTCfnV$`O^_N?<2VPNwL{2J%a;GD za^nLqiY`uj=!d|--oM3W=k+vx6^^dcN*6K{+$3q3Gbx@ji^{P@U_hCQ8|Ul_d->&* z|HNhc5Xa9JT29Z0oyoB3?H<|n>l^*gYBg|G31rx9U*URAsN?S&Svze`peAL5R zjL0MfAnz{(o0HJv_f7yK{db1?uL$&Cane8B@&8Y#`QH&Jq#4jV`xW@~zYYyyX4cUH|Lb?X zmln~3u81ET-uWHk+N;X6;Tkjfk4V9wehVT0am+yReC(>6&Fb?bEHDAw{A+{RVF2a- zIwe4vo)Fsa`REftvZKu!k5Bp;m+t3u_z|i7!anLCz0f<}=J}DG19c6c``dTb4du~_0{Q)u$LU;-(8T_rN=umh$G)?|H zy`h(qNWSmkEF}A!w8-}EpKPY3TItrK3$vz9`_?xdjdvo~8s4XzI822O#~g+=JshyiPXKu@X8i4fD1T*8%$AP9&=!=R=k2B&&d`mIp1ubX#qW3_a4;)uTjezIi zvrDVlZ=7AToi~?49k1NHd9S=w-u%Q84~hsNiAT9efLj~ZgcA5m=OqWwB9hD{dMWAu zkFu`-t7_f4UK<3I6qPOo6%nPoB~_FVMWstXknY|pNJuD%2uLG{luCCB0@4!FAtK#f z|6HE9=X~dU@jv&u&y{^)ul3e^=Nx0qIqRi=Mt&zYntUx&yFQ2pa*%I4+)7pigaCk< zc5Xv?m!9s5B!&Gel=Tm^34+P3AHhAyrd~5{g_Q~5fGwv@MqEcNesKdXU1oWso%eJN zw;IC? zdtVQM1YO@W7v7-%6`JQI zM@X{iCJK%7`haP2UVKlDzye?_+L*U4h&=r?O^H<8EyqtiezpZaP}sG@5Gl1;X-U@O z<5=zQx_tR+%?Kn>gpvjYH5aN|A4i!o$~}nAa1dw{3*Waad7A^uclj`R;Uj*ck=}qe zHx%scenKe+d4=ZQLN@8(hpYPFja9zuq8s4Y`6CLs0{~t`6JAN@k(^Hf4--^Z$%vB* zypGC)ofa-0+P?%p8|s;!Fn&tmn0g$rPkFC=p1%=S|FFr)MV4oWaQFc92l!%r&-3t( zr=&NE=)>tiPKxtVp$yCVny!1EG${(dJ1^&ImCxHOsfB*XMSJ0brtlDVMV;pcpUqQrGJ^n$D=`FHd` z^yw9dj#vwE*UXV2xFi4Lt#&_)*C|pw7SDMyT9nHv(t~lqUWA;_iyP&T;nqL8XF{Am z*9%l#&En_7mV@PzY^wlcH((aSlq+O`FWxF%{h}3uX&bc$f=YWSK6YM=G%JsF2?pf5!AXrwQ%~Ul_5H3nYrb7GTa9vIS6?hqt2)n^lO9nJ^XC<~@ zi-QVxgt*vk;oQj!T0EO|ZS{(?{c<4`B#|KQ*~zkYk9DvH4Q{SOTM zbCco#>(9GBL?S${$_4CgV4V(Z#|~awE*_qM&La($R+w$KRs9P`_UVDMeVdk9&l=}B z#f{(?ngm_Z5a-Y>3Z9>594OmBF0D{OwKmf&^P${48J4M|FvCdvn+X!W(3ZJ5nN&h7 z86zcpZoRNC(>vz~b_yk-v4fT-$m>gvB@FQAEZddjfq{X{q8p`}pJM_Ha7PNiIg`Kk zyPRgcViJ1{SI@&kJl|?K7ytuietrt*?Bv}vA${!{acEeWs)`DhLDUg6axFjq$C&Tf zbqht=e`xHnWd2taNYYc4u_GHhYus2FY6R(ajdSl z>{d{<8J+E1_2m3TQ%d_|7JEM!`UM131M~=b*oUB~1_1egfFA#0M1J#Pfc#T2Kn4n| zm|zuvyo8QH(2eu(K#?7RFDXN4#aY;y5uCc~JJ8}Ly_JNN)WF*MC}c5DTIPnI%$^eX zNJ}Wr0slMi@B$*cnwlDF28Oj6b79Mrp5bB6U2f~?fuBFm0mSAbNou*B-ul+}R1u`fYQgu z2dQgO>MM3&4|w{NoQ8(Yi*d~VIIH!>ymo~Zl(yf}va;fIb#?vDi%IRv`{Dap-~@Bo zepLNEIzpTDHGkcLuAUx(u!iqFJ+=eaAgx_-({SXgFtq6?FP9h%c^tiOcEemHOr3YV zBKD>F7uTwPx$grSI-@X>M$37tdX$o{srXTy+e-8@JBoQDe}4QbwRjBISU*XIYJ z=Dk63O3K*h=PW>Z!cLG@SEsZbD)rYcaZD&EaFSne67f1Yf#O0{04J#eRP^wv6^7Os z{?Ukj@*D+^2mw6$#c2FCVMnQ-Vy|4eQfNOFN`Fp7RMcjD_O8*rdkF~%`gIH7di)u< z{$v0C`6X!>6{s8XCsTBU2+L}q`uymEL+h9_FXCGDH(vQy6e25oz6ucn_1d4`o`|D& zukmi&j36IG#Kc%)>|biflRpPS3ufXF?#N%C1B}#@Yq+#4v}N-S>*mA)n;YOT{EOHA zPqJGd!!^h?;lYEr*8gAL?Y|xQ|0W&yZ(jT#flOj$}DSPP(>#1Z^ zD-iND4ppr{%RctoMBqL2=Q5RaPSyH{`EL$;c@SMmukT5a903QnA~-XX7m`BF`!>=X zE#??DjkjpQ_W<{3OzvK|Zaoyu{>PI1V`Nb?fpbZ{g_~zRiO*a2*L@O9rNFqk?Vxt{ zvItziDZ70R`q4J$CBBV2@aL_yT`s;7Axf_V7aHijM&LQ6`<}<4m@HiKWT~D08M9*E zo+W(?_2QOraiKbj*8@av-@dH{(G2`e0HfHt%PhEJ&+N~7z-t@-x7^RaQT+el(C%l6 zmS?)(*rgj@vY7B3R=TP|i9+{)nC{w)yzh4y927@^Hx%QaEi$|TwN6hWS7a~U^mm4f zXy78E!&&MBzJ)&gfmWgOy+-7Ynx^Dban?Lz22npT5{9GK{S9zAJlKC`UpV;qDcUtM1uq1glg8RH4$uK*cAZ2szXOwKY(wI{ZJSV0vpLJ z6107%in_!SZFJ4(Gb@vw7V$#YIsD-Ix~86CPFHWx2T1om8MYoBqu5&JZJJWr&L)GQ{b6 z=t{bRw8428i%iF~c=?*CV~g~-i7G>G_89Td$ByA>6yp=jiYJ~zb5AZtLZCoRcOXG-YlBq=JkR)Lpb8G$Bj4!RvI zx?K3boMiCm-yzgX*(IKXPevVBAPfO<*_})QcmYPS3;0kv|CSV8?%|{)V+8xjz<~%m zd_nhd=aJ(kxOMd6!oVdug{qTPxQa zw;eXEyviRzO^OF(3_1Xv&pyZh_cQ3z(1EzBUor5Yx|X4BCQ&fD#J_8hDd0hR!! z0zz%~5|kvtjfW`bYV3=K9-5#sL#r@hE-WnhQM=jXe#33pTNwvaRDr=!06xEU))AiA zh(8TLGm1M7aA;EH(}=Pp{X;NxU*wA;!IKB;Y=RF~7JTGDJ@hZ8g*QLMRgB1byk1cM z!Ny*zN2=ZIwcNOx0%i#DWDjVdi@hWG-dtilkACUM#381$MRvb;az6Jek}BsA=XI(Z z!dZoYr#7wA1jyiLlT!z+6s_#Am!ZL}eTmrAwPN?~K>$$RThv?T=I2*U*p31}0JZZU zKbCR18W3mka35eB3OL(FR?kj<%&**05^4qL@hQ4sZszg9}ENABFV0+qli z){W}q$vac?LvAMz#Ca?M5U6EM{)d#X!~R6x#>qD+NABk}>qMBFuFd3wsP3Q6D0-8P zZRXp`?#^&9?>kV{7liNpJ+>)#r_=;7s=U0sjmW8Qa~Gw&K)ndqLsEJP0o)dwFdHTp z&`zW$6dy^}r{B(lc51yJ*a<;@|JuG3ZZ%L#Re_yUh32M1LlR(w@j}%(>#x9R08y$B zgd)%?wx0$o>1!ni5Ddt`+*+i|H%ZZ-O>PTB9^uQBZB`PPo{ zPb~2ND>l;d)NGD2BY$vn;8U06HQ9e5m z7nJD;LP*@Mx{@)F-E15t6U7Ps03dPoGr)yGwbBu|Z?z}wMFv|Q9m0-2C%`Ca~Pv$zUA$VuvXAea4V<(fKO2I*SqGm!``q{BXtptA1E=@9dlCOzaP z27q#|yARHpEi4JkbRt=&E9%~OyJnZfwqqG3B~zaa{iWSW`!y&C2qIoOI5x7g{?0dV z^_2F^+1uNX0lD7w2?ekHF7y9V3cE(^P4f#3ve&daDT;HvOFlLcBi~LIHiV0N@;bP$ zAYs4S!EGR~VZqBYUCLROMHBu+0$SXilB_Jq-cZ%&RWj`0;2@N)Th3-6CHP_t zdxr`)-ia7%2L!`)1)FaE*WZo?9Z%nI8<=wN8d=`&L~+apP%sN4IWfn0O&>D#bqmSm=!nPBs0Rc{gng$^=}P~J+C5b z5$bqq9mcWGGW_qShy?5J@Bh0J4FZV(01FHjhRT-L zpmj;1=iYYU5IoBXo>dmRCny2)47^1r$RZKk_)xB2B+j3eR#8^vH$1|9^(T2Sqc~wi z(;0$FP}uFR_2@45oH%h}1b_)%*9tRY>^=Ux!kel-Pg~Q)=jHG5PityCcT1zV5*eg6 zfA?O+vxSEe#IQ#7T1T*JDW?X^=Bo34kcO1(r4Yf7r$R0s{Y3+zYRkV7Na$`ngI@_y z)Jeb&K)>YY=O^XvE|#TL^k{Eqqe(X`EbK8utBeXjUuZeb2DcVO00$C)x|HIIVD zh5K3A6%|b4;^Lr!N^Nm)a!RVG&;`NOS3$r-HlXK-ottbjF=kX`GqgzhFhPER`IQ%0maPA zUlu*rb){W#TM=TF-3YFz;38Xmy`>;&qls8KGo>tOG8-eaL~?Mzay)O82BfvTAkJ@v z<#Wb|{+GM}`Jg&qu#7LLkzvT?=Kwbc2jS2u^+Q*ahvygo8@!&nuyu+eG;Gc`x%D=Q z^*l-(W5ll%4#Yf5G0Zwt8LZjU_B#5<8t-*Y4x@zeZvKDWDK{SLgpn+n4C^_~n$HG% z1a0P6wV5w312jZz@ zlkI&c+y7jkpOLp9&E^A*#34AGM}A46|2UjcaGZp8tlUcsbs;(D9nw2Agob1fhKmSH zRyYiR-|Eg7K7lVl-M1FPQATgMWpW(7S^?PwGyw|o zg9~s%XV`w+Zv!z5uyncf$nYDKr`=#+zak9e zjvfTfMcVls4|pML-ui38(C?2{P4q6fd9;oyWHH>l%cWRzWE>uK0q zlCs}bX7?YXK^BJCYST8w=tXT>#>c{1#^+TL`qE!O1aa6NPrMdSyM$l?5ItL0XICU=)tXZJVW+tkCWcHRK4;$_v}`8 z9>~B0o~yE7Q1^Xz@EB|mz7)t!lBcN6IOG;qo^nYvtrQMXZNZ)qjml0a5@?<=p~?Sh zl8_V`hxthY`B(OVub!*-2d;`NK;oV;a`Wh)GK16G)=H_z_x8>fG=Uortw)?)%QPPK+(*MtG1G3Sul%$~z~do}HvuRcp$j=!tqe znOz;g+Lg%L(?7CE`6iO%xpxA4_~C!^5+DBk`RjcA1t%|x6I3WL)qN{{TCJm-Sh*Y< zhuIWBqUv#=w^hu0QJe$acYc09&Vw-fHc5;jrtN{-&KAhc_w`_yui2qj#kHk$5m}uJ zm3=EdI!@oKDgMg~#9db~G!E^_d))-n@|WpmzVUJc>dkXfM_+U#CXI$h>wdB2r`m^! z$jM#WyF|TT27AKC`uV*ROq+ijZplX+PTLMuiBIo%!sH~s(15p%{fMiVUFGfC`K&c> zV~rPPhVXCcGRsiA$t?OXwyyltO*)bG`}E%{P-8cr>_}HoukL!|i~&1|b9;L;TCMZY zpGF9DKuvDoq&Od@XUt3V(mSLrj?0z18sFIV5cUaVi6~*x1?=OOu5)e^$hS#yJsMR_ z?N{TJx6jia~?wRbBRmDf5gf!-{GZ1#QXl!vOsB$`}i`Nf|gltKUF zpbrb<;1uxu_!8AIFOd<4+xvF1t2M8=;i3=3tE|fjGW~3^Soq;6D+eMld42EYtLsH+ zc4rYshx}74ykx#1y6eSXzKGqtMNN%RK=At?@zlg)oRJdpHiJCF+6Og@eiSk+l*FW( zTtW}(+TPR1)KJ2@%`-*PJgzZDKjt&2g5O~=rbFe8oAt0V5PSMVM>zI?5yxaCxGa|$fb5jYy{9=uL z!R`35`}kLxOkA{YxqSTN@f>HmlTMaldOCF62Et$Tyk#>%b|FC*)xG^EWO_++1iMiF zY<7bEeR7I;u0prvx4|i)gR7XNi88y9;=WY2bSo77?k7=-`WZqC9<43h$h*on zwXRx9JlAN#KqE!-i`@Fl1pi8$vm_0|v_aXuUvBEAKBRdKi=CIg=i2ciz3ACYkA*)e z_Tt(%ogOnGm?k_FYY4HAFXHfMtccT`ra`^UKfke-c6}u;>zk24G*Hd5lEkj&b&%z1 z;83}|j%V_;Yu}Od*OGnfZPiY1#x(WEH7x808YA?-oh=xRyand{R0~7t9yLhHs zyvRj?R~M}$p9YKz1@90TyY1xkkgkXxVCrh`K5B$cZDnO)I`oc0^jy&%2biB8TDd)nRb$QO+)^ z&lQone(NE#XvGa)8fcK;f<2z_7aB_qU+FSWv{Hmwb)>((iC9rXFb2)nHn z69r|KQPX~CG{G;Y!^ja-LNPqZq0om;uPCfSNJR9nu!=5fiNNdF4LjJw$qgKUn4_Eba!wJx`5y1*n}`j4ORqZpU7^X#XJB?jk6$V^y5gdmj| z)vCY_+G@>!$r^`r-}h!~_^_XRLEQ*d6u<+=1?mT~#L>(kMk+};NQT**`Ftmkmzowu z?x9=*KJp459~g<#Xqr3t;^62UN1lbbVW2F*_niU&nEMy$rl(0DF8mD19!xz?pm*ZM zbL<;BMW@?{p70{J5u%Z>!g;XzPP9w7L8@0 zRs&iD1QH9lMa=3R`=aU900<+MF(q>FPe`Sp-<}bI0s=H2?OLIHzzJBjJcqD@GOKq; zA&_JS!9iu3fs!G;?Br6{dN(9ii5kK$A0CS|%81+MCZWGxJEiH9xGd;f&K7XIj)eSKjHH-5Qe3e=%L7k15 z!q72sW-UdxAUffo-=|gM>*E=+pu+vnD_P<{FKOp^9f-w{R!HE!&u4&3O$~nwl5Fjr zP!kjIpBs&@2U4|aQpgdf*?{WNSI1%R&_E0ea&=tfWwutxY9RgAjPfT|LkPdI4OW<_ z@EG4;B@nLd-gOcyguYbFpsU-8!&6U(Fe3!&epgS~qaSH;mf|6Yhf7JGAAIAK6aWUY zybQY89Q7FaoV+mJHhKrdsQn<1DLjlk{`U{@fes5_Ut@DD8jH4yU=***9d zp>7MnG(aOR>*B`Z>OsYuK}#>O!h1$B4ka;5{a3Fy;Ug&TwWrcHYOCXQUJE z-FyC%vq$xf{@I1p5AV)t`%o{)pA(~%W$!LHa;54bex|vB0gj=e;n{B?quYVQanUO6 zv~L6JtUaDIFfEj6d}x%Yy|;EsolV=}Vx5;I-5y>0YVwuhM^SCMo&LdnQe|D8cY~*< z?uSXf6wUOb=GN^$oAF4-t}Q&$9Y-cu#8{L3qQ9oY(RSVA8VkIGQ75`uaqyS9@)|6>1Mx zb$tEG7tAOc{BBw!^Ik1SXHl0Tc6x?v>Sat=NK$>Uq4D5w_l#9JfmNJTS(7C%qD6$6 zq@?8L7q|MzEAQv`+1lZv$E&E=`hn_1YbGf*0&IJG`{Lqa+qUsODE+?M3ghGBd%Gb( zyHl68eEK9;#xE`&l$OSJfs=D4b9Lz0x#Aax=Pn<=C>L=|crP4g+}If3&dv@$kKfVf z)7ufc4ouvLV>_X${i#&zqx#(EoeBI4mX28Z-c}JkZzg~J*NSd#7XDh%;tiT7>4{u7 z$rF;8uMa63-g0qdI<~7xKHhaf!~bFCWuiGQQ*HS2SCNt24W5C5CWeI~^2@?>S^o9T zcKN@S^oa1|%Z+r>(k<~u{0>TV9wir*HQH!9&TA`ca`!>rMdLZ*+x1s(-#Q_Gv-N#p zq3LqHZ7P3z=i`9-*tg4T&oi!O*PC*hw{I2DjdumU7;*fX8(5j0fGe>!7dp|?_He1l zC2RpoQu+AcJq{7Pd%+Nj+Ml4Lq`Wpn_Hrv+BeSly*1KV+ipPV&NM^;*+MUvyDS%-~ z<^v0T93IVyeM~fNWmnfNckAU799p^fh|rK-RSDET0+ITwxH#XuAck41L0rV%-f=^Uu>@^m%U-TowC#KqsPugJVf^)>3k$B)lRY>rpNcIO41ivMujQ{;Sn8d2xdUG;UxrDO3%SK&<} z2{|!Wll$wCqsY~(jXuK{IXTD2&d`mPyP^{o8>^F$`6KpWz)$BGOuTU!>yWE%;c7~H zbcA|8>m_|5*IA+M9RlxR5>k@!?+S58`XzV9vlHVCE%*_>WXWVrSO6Wb6>)lTNBZpY zb%BnK9AXX2e$2=t*CV`kW?@6T0e*hOsga8&Kfc~k;hghFR3aK0u7DO}wy~H7E@eIi zV#MhQ<|M8Z;;hl>r}*ujP{dtk4S}MG&+|e;!v^<|!W~!El*RYS^0wDvnl4oBjhXQY z3h*KWCe%nM8#i)VO&_^zME~^Z(^s!gc#%npiuz96s|m5HuV>A7-^q{scK5=Cw*|Rh zEZ2Q?UcGuXaASwz5Vq-6jGCc=nWeIaUa2M&5>?gItj9ga+*dHIvCYNJ@B2-dpYp5Q zII$Fb`Ddh!o*NmU!N(Fqd2(_(f}NkTT0u(3GD}pKK69S$`y}pKwC;}FVR%d)Ls2$~ zTUkD&Ut>ljYLI8wrs5A_?G&5*7G`VqrYRc;E#~T0?(b*L zQ4j;iv;NXz2-kXtiJFx)b!^6}WrWOY_qfvT1VitjedX@%54tO~nidueSDP9Oc7Is8 zxX>(kEuMm=8jqlFu-=1#TqajbCrLlQ+OzKX*likGB)BELU4%O*Wr?lbEbdj^$ag+m zDIOSwD7*>gB*G`*5pdPY>qUv1zj~LUmA#3{!Wd(jmYXm_pE)BF#(ddo?Q2iGiJAQJ zTG4%X!og0vSDHM{WoADJcG?-%PQ)nhomQlv2~2oLh>zVNhOd6}_!y#eO}U1Ro55s^ z=gf?}0seFeY0I~b9R^$}=ESmzH~83qx2C5q@6<3IoZj6jJJ^rYCd=J#JrECoAw1YZ z#6(4@pfyL8sFxd4T3WP~^VUZTbV$@l`FlEyp1UEPXA?(wse8}FfNe5=9;|(sK2pd_ z4DL6MRIb`l##p<@;~QCt6OL63c!U!i^X*M}5xAAlqjbJ*?j#CuNqscib#K3UBS7Iz zG3SS=J2!)VjH)Ir_yPvXs6~u4ydb@b6mp6CeEh7E%+7o|or{OKW-fF4wmc`^?<2s& zuB@y`k5JK4K78}$OkhxmjN|G-O+t-=%FUZN2nfVKu?Q-=+icTmm3SVXpfDHoe;pZF z6`3<>y%rVoUTLQ3w)Kx$;V-SN<4e{lM75t-L6_1cI1*D)76MZ?(we<5*{f4jejmD3%P)Rz zmicKVW5_~DMYS|uq-(uizfzrNdps=E2A(OaP>+M~gx`JtOcOG*yriV`j=qfODYv18 zp+E)bQ-YjKx3j;E*4tH_6ckjpl|0Luy2!^zZ{j6JMpVQP`Psx?>;9iJxDa=JL7d7L ztMmE`)TyY z;AyQ7%H)|PWXGTBRw`oWUyNen=cO|GdI+v>xh#@|ym0p@KNgKs@R>R{Kaa*kl33pq z>5aY}m@!QMe7~&BXyVR*oT6h=6(;`d_ptL7bxN?6D}O&!ioBgFa`;oPSxT56aSc`> z*4cU>bI2_y%|+gqCf+#Q(QR&Nc}c?+UqnQdo1fpO;9#cgy2)WmN(w_GqeJMP^D19Y zd7p7s3|+68`r*FZfrG6Ig%72rfpK0%=XU4k4qVCj`SUb93OA$OJ3nTH45+H!J@a7v z*CF-Vi|MxQ?Cg~GI#|gQ^l`j?y?Jx&Z2WlHd*tjOK(Y> zneR4NDYvC%$V~g(Onx04mhn|rtv!BL;2bjR-W?S6LbmKpEbsn`IR_jaciyLpKjUKR zS0aVmX`^&2OZ_=Gzre!yU`~>^4=s1#R6cvAf)0s_L*sJ3|5N2!I51EYHT6Sbq2Fb> z6Q~Vqt=Q}vK^CVvxxO?vACWX~Ir*a4-q`B^d$cepC?qLe@r?HaI1GON{^)7bbL!Mr z^BO;X%*P|@)vFWRUiC|i%*;uiy7QFK{LNd+_Wu1Vhl!%2HMt}tPI>$B^72X}n=71D z@W8{co6!dE_y{oP$IBtA&_JdT8ePW^^}CoyuXjRrmS4E z-_3wda(Ouh!H$mVpL)&9hs@6CiWYVpGPyrRgCyfhz2TvQz1}WTqMVbJpYI44eo6)1 z%(z;dzJbAwpH^mOBIwl6Ij&1npHrWp2$x2vkJFJM)$3Nh-=5Cw*rT zW5@mI^DTX3v)b|ywjpwFk!gr`qX&?x4>?=ZK#E*Qv@PE5Ca6Dkg*B zXxwI#D0&>hkR3fr?Ts4G#x6Pp3(c2CmtRIn&7tS`s~LY?J*)RxCK*D2kB^~dL<9r` zMq#d<_ck@9Lmdh{Os)1i#XyI&sFlg{chWF;YzV^86&;V z<9t(C_usCNJRs68g-B_a$ZCZVF}2zy{+fqYU1?1d$83Pedmr!Qf8+1rk5f+ z-Ds>MSWFD^hs(0DzvJay+1iGvp|fN8$%1 z(tU#T6nCMv37cUtiADq)uGBp(vP5k<^0oJua>vA?5&~zqojuAd+Ew`RrZU?1tF;G` zB4$n=!jeQ59nN#?a`A7LBBII-=ck7Is|r~Jy`1wRIFBC0$OaQWaC~k}iX;f8vZhn< z@C^E@qhG$+QPX+ZoW11en03@_Z#2ZKnnctsBO?PrpslnIFaE^K2p_N3mKMSpdRmR0 z5jjhjyX?r9mKF*Qny9od9n)$~P9fGWV}Hax9v?prO>MErGxXzZp8<_cYbQ%fr8|@2 zslL@b;J9oq4RBT;lpR$0es1DKkWjsNi2yn#nqx* zH@hG2rjtE)7>zZW&=^**_;@U9o=~gw^|`xFOm&GL(wcwn=pV+%5>Vk*KIU9$x$do< zTiZ!AMscP<`re&qSGFC&5;r`QINh&tMWRlb^A2-MAEEXcxs>_yd%?foL%32w4GnCk zdXMw+pV>PQ-CDfa^R#VuSB#SKYrjTz`5t*rZm!WHK^vXLK*+amcfm`uGS`+hVg&b7 zFAJlm;(c|wBUZni6Q?p5U$=qmlqjt`n0qy_Ms=`}%Ss=$yYS;1Ps*8FTVgt&rtC;r zx*OnU#(2E7ny1XHdud5b8kCgpLYOAx0M`V1BOKg9p{xBkY_^-;k=r#!9XYK7r1XXw=hXkeEZ@f7a2AJhn~?fur! zfJ^Y5)Zn*q^C21Z)K$%68oMvFIW#77nnu++AAH<99N1JXIDcyMyUkluk00cZ(i!!M z5$IIxE{xF&bRs&2(|4MED4T-hP0eN7EQPU5+J>vP?-XQI*>R=tv1ic}pt!auyU0Lx zsISCdeN)@%MSXpAvK7G@#c;{|W~ixl;MGSah1DZ-lo9G< zPo9!-h_4>I*yO9TXuTom>~V?v$Y#|iGF>sk6PelCxYnJ`zL@w!U|(60K+k~;-pYUt za~ZXXbD@vz3AFtm&Y8Y7H9;f4)99VtD*Z@xZidB$se@Kh*Z$tU$X^4vseGNrzM|*( zkF#n{;hy!#Ge1)+2t{R$&Y~M;2ot|qwpXkf%Y%qP-H!Rd1kA`~hcmQ$9x4ly>>4DP zeN)oKs?U{2&6?h+ywqjZ!8>D`mZo5C4wd z-H)EY893&Rycf~Ph4Vy>OmmeLdM6a&HPGs+$dr{`mk$uzCJUN5BeUWqbOH#2N>>W!3!C3(xhTBS+We&SkD4wGkz3sdI1yQhB; zU$Nr#>K!>rilp3{pw9FUe@!HBKF*~cSBQ2V8Kt`ZUqq8+iow6d2*9d9U#XTOMe;Her@A;E!4 zi8B1y{1%D!X_YlYFfgN%b*EOn9+U51dS>e5dE(K9N$IfJ8A~olq?djq2w#$^!Hkr! z^0LDO$06)P*OvE0Ja>_|u{5#=Ifu)-`upyEMc$udV=8DFuJ!38JKeMtK}S73&(|<+ z3p!%4O=`q)xN-V?3RMIbPxi}9$`H7d8MePXh4|`qEpqVU} zF7hq76hRn6oyFZC(bmF+3`7Dz@Y2nhWp5xN)b3JWq?$_O#byqql!-c|bx>xpVO*tM zWR5bhvhc!bi8<*EbC$&Uo~P=$<}6n~;$QoiT~gJH(es{TX=oak*ljtoPZgsYcgt)S zdB5a8)RQ0SpRetH`prcpGW}cu9jC6^glsu!Y2V}wt+lu$ z3(Fd2NZ=*qEm5Z{p2%#E68f?(_{xaM6cDNTFW}^M(kG4{^w@RSRV{TM-md;Oiz7vK zaMXR}+)>>^0{`xfto_3QSEL-L&haS9pXrGRl??3r@pz@ccvTTAp*~{LbfTfyL6CHU zqORdqqoqP!V#-HwAW>NAuSf8` zCR}vMgqO(2)=o>`>p-|l>~Bu`7SeoTd210{4TtjyJIfnM?~Fhrq)-_gn@IJp3mt?C z_Ak#Ovu1?e?}RUxYDizB1rkYlinz9eu=|m?9TBo~tD$1p{QCLQwR&q^M%+pUd@KWr zge%75+a?i^RVHwel(qHp(rQaOBG^r-p zFil8SYkK_*IKTiKLVyW2&+jv|WOmmtz>!MJIpF&Qv8O-y#<}l|pYQJ6^(?+ROoNRw zKsIe*6Tn^aDaY#PkKyc6*t-`?YWrYN#)v_oE?lj$`K~!?Ena(2Q$4nm-$x1k8}$ zo;K`q6?d)E`c?Hy2Z!Y+yUw~?`*P$juhy%K8QI(v>genwXJR4?zj|+VZ9yHBBB%F8 zZQ!y5JdO?U5jDvnjL%gzVJdH@d!~5U&`UB7s}G5gh}-J%I$9?(KfRgoAV)}@jN%J8 zWKDuLPQZ%lBX1YD=QD|_zUo~>FL44KFmhJxn32Zw?@No%YowR7398{^TPk{`_9qw` zY&Sk1{#aAyV9UUuL!-l3xgNLlPCdTBqw$C6u!7v50`T5-9R=#Z4b z=;Bc$KNro0TbWAQvRFEO@$SR*dDF%wUYKreohP+^T!(yo6xAOX9dhl{xW4@A)$zYr zf)BblQsGze;EjK|<^zL+2{+FN6$cF-Mp!lMxNlIr8OJR>7no1U^Cu|z30F#24o9g3 zf8>RUA2?6zha$Ay*X6*fGi2J4njofuh)Vs8VmMAxp3SeDks7@jWpJgkdk^hWNBS*L zG$fu02~@Dv|Dd{K3{G|R;Ps7x<=*4(9%+3aDtr85rr?aCOB04c_%1#k7B_t2XMl4e zugXm}X|6#?G~b4%rw`)ls$l=c{~aYI+PQ zD2sNGlXC3XF=8E^Vp^bgj+4ZqpTE1N6fwB);Xowc@L^5lEAOD1m|Pn;b6 zNW$Z}EeQX;Q|h@-pBC)2)PJ4Tefyk>ZHcbX&e*z#@~&g&kpsst%Z)cVA#L+7`j1aJ zlJ)cnvr^PBi{V9_ZWOrT|G8S@^qwPzM$&`1h-s?A-G5sMuSHa7+%QD1Va{`}lCFK~ zoB7=7zKpyTX?s@z&yLRd=$#M}%gOIQ1MEmSMEX5uz8_&#xV`JF=~S}d?U+^EKe&Po zOJetI>zv;ysVFE}xvVVeB&6k3dsks_u4Q*eLlZ6^RY<2 zVIn%2Y%oy1;NMB+ae8C)#m;ebmY)0Mz4!m}LMu*8jH2brC)fVF^2t@gY1A}I8_!t| z=(p74{M55{hc6e~V+!Vr#)+sT8}>b>X^|O57ooC0v;fgc@5`sWTOD$DzI5rDrkax; z%x(w|+`fxR_p@)ho*&i>c6$*T zc4hm*TEkjiuG%Ha1CLMld*oSK?$^qAiTeJO)*@7{vKnnjyhj)56ZlSj&u(uouSjC9 zAV=gtpo7!h2NsV*`^K0r)5p^@)jk&v$=w|7I5Q<+KKEkLPEmf_%4GGyhPn5!{Z~m} z^B>!y+dsC4C#`XRxMt66JX@bBD4q<|t&sc7g6Fw+Yh&DYDe+i&!bG9-C4Z(CqbuE3 z6~}*;bRY?1S^F@on=&4094) zW+s8cyK*J1TJ~Q?@mtp7N;Z$oNjQ)^d$93o+cCsG*KXa7TaeDWbbf7=|4`|fJ;CoA zw}qKAN=J9PHk_TOS;aQLo3z{RY>*w!EBz?YGxMrOIXkXq?aSKem8m*Wor;RQafgMC z?;?|waR(nOJJ~(0cUNh%Je+TTq?h<0<0o^pbf~MM{3wx$v)6vmcf;M0u(;8!ZySpR zWoZXOyRkdn!98oaqT@e}7nh1V!wCv))+rx&+JYc0h;w&%W#7WdHz_?ow_ZBJS= z_klGBZ`yzF7}DL-Q`6l|nVz1GbaP;$Vqz>7m!BNM=H%pj{&G>){ysl*(~K;8aWZXW zkqLoUflV~+9Kk>Ao_DH?ngdj31bOXiCOhgI)A$y57j zN~NjgUs`?RE3tsgRw*$}tD+oxMK<9@nV7eSo8-f-yuW+i#IH?A%4KZWI-~NU=c=V( zR^c&+W{b-$oX;QRbZ1q+ca(dQ_muOU)Fn^u(A9kQgEH+jn?8!HJjDxbgB(>Oj`uz{ zwG2y_@C?ooHa-h|72qvBICqSwyF0Z)dum~>aV?+yGpBrMtmBm@`AzW0&&wUpR1~DQ z^=D-jk=VHQotccF7NfF%(VfJ@rQ^!67$hZk8DHdy+q2=@7qw@Ob?;F7=}gg!`h z*Lf0EWsHt5zwm}FQ(~jpvzMCQFB6o$uT9_4UFh4^cp~z=Uz6<{M|uH0|KsMjitIAs zUV*Fo+iWWIFM!d3@T_8~o!g zY=qnI+PMb|7wL7#Uvq3x-`;rwL&7k;S^J!J`_!9Kg^w@z&wovKT`Nexl~7p9IH7!F z^?@Kc#nh+EJXQ2Mp?4o$_1JR@4eV>AH0qif8qN@*h)r`{%Wuk3OUTb62v=ozOJp9A zvHa8VMR?Cl%*=IRU#jm^bbP*aB0W9)1*eqiwP^3^u;+I2Po8fyfBsAx`?1fYxIerL zcEjZb`m9Y4QeAUa@d)`$^HlQ|{zC1vgt_k4QBJR{o*s^r)+yf2A-aUVLGcfdZqPCDuj~)HKTgf4D*cgo}p|_tBird-A*^6FX zHX{+y;rz@gFtk+s(9YRFhnuG(Cs3fr%7b)xODmhpK8usLbWnZLRjqlnPE3b2vFzb5 z-?f($T((BS+1c5nw6p<%fyBMNy?XXv7n}O$?g0p0dg4Un7bwD%Rw89=W@$+ZAEnIW zN2ay6tAd;*x|q)B3Bcjd!t>f736I+G7UnC;@^vP3aya- z_1Xl#=eN^p>gv1_5xfJDwPpk>>@Hxc|>#^;Jop z+`am$)OlJEx|5(i(GaMls;WBOn=*d0aCgHaH$#G7pulR8!DAn@y5^(7hn8Vc;g4U- z&w?Wb@y^V&i9NZ&HFOL+IN0xrQC(e~P;=0Tyb?s~0DryE*6lZ45M*`BUpeZ#cJu5q zeeCtfYa9Iss2}nVoL1g-2=`Jz;;Y*&E~>LMmrGk=N?gs>tdW+MON0HDi=|;qSW?|D zfaCo2dhG^$L5_?zo`vSRPWhumhmzS@Gqcl>gOBbS?&emqegHk1>+9>!Gc#l1 z=X>Ms@X$i&lUJedwKw&$~SDx)!nwli^^dYIKm-35>EHhF*eZtJh$oPcP(AAZ* zvEhPl)XF+KoQIVVg9;Tg1H!`Oy}YUxa%r1_G&A~X++ir+T3dU|Vl$64m8@cKg%}S< zL3H6G6O#)twR7jrEoI*A^xNBWg`#+d5X4zM92xQW@#FQa#rsJ~N&3#tY8oBj#xOK8 zVl84Wlqk@INJ|1=f9Tt(iigrwvKT2WC}0v1p@Giu)O2(s`LVsiWJ^s?P#^fr-IH{c z8sgZ}a`3Ed56}G^P6w^lujHZZ$9p#mx!Kue93A-~yx4dARz;@8%@8M#mad(fZKf(= zF1K!-L9gul_W>XRcSs5u66|SF*4-_d;TqzO_ zO?uZOWZJ!B7T2`CZYSoxb7!w&a3ieOog9H$K2rAfIWx|V8Qd2x820Q7YDyNGnwaE= z9(@1)U9cdM#?;VZ>WRwqo$<%{;)a`1y&GYJ?&Kk`DtDBEytpnp(Wz-`2g7Yy*w}2N z6$UKL%t+>nVYwC8MC-?PZFZ09oOSbF1`vsWAmO)J9n+FHP^xP`&Rodl%&^v4eW8lD zt{$>BCn&Qc+M1eg2nglno3?gXMcKwLnF_VHwoViXjgjg^s;+ z?Wa$lmb!f#?`uW|@71dphKNHT5OENNV!m(z6VDG*$Y!LvwiXlG!oWr7P7^Qy_{gv+ zOf;jSrl7D;4k{^PVqw9j_ywAr`?0&*+cgjgnUYER;%|glve^%uKoa_sO{QDhZNR&PYm1YL_`%_dGV7Ha0N8fV;?)l$2Q0 z?7}u#RrQn6nyMH@IdfgQbUKVd99_hbj-H;BlF}cPdhN=m=g=pcfS|s@eHTHX=Tou! zE>~_|-sJK!fs&FEB4upMT3%6so_#4{+P0ss??hLk{5MDv$j~Z!_5OXa`NJH0)c80t zlo9n6A|fIJfTG#*GK4S9(+o7^q!luE@rWmJ^^NS=M^FLH(pFE8QRV)9rpOj$b#+{Q z>vp)rA4+I0?EL)s({8Ds6Fo&JISNmB_f$tm$?7X@E}eDQ;M0rSu2fW1(~Tjt-@bo; zmXg9oM@NS&FygB$!EU2X7TGJnTNPUZD>BpjEHt#Vn7O!!U_RN|*;0D(JNA3dO|J(Z z@6X*CjssDR{#;N{&6NQ)Jj@c7*D#it+GjB{J3F~LS_YwBq@$s|`{-Jiot^i9l4PK0 zGWIJPL!$%e_hkq5Nyl8Q2#Av#qXuJ(<9daAivEny>5zGwAvrM-i+5HDZY;0_+BoOs_}hNd2L>R?4C;^Sk- zRG?i}56AFv)><5YDmPzV-W!am_3TMT=V9FfDxD^AHg%9zUh?%gAS6RQv9QNK39IZjSaUfR~-{EHa1*n znnNx@j)`V18V?_Sgslapafy=?J9{U@4lUoMR8-DB_3&WDqE6cucU_m-6Lbb?7boFS ziar-H5fOe+s~682iVJr3_Ocva5iq^Iomg5*11E9#XY4J}#HcmF%DCI&N`^)hgJXM^ zwzdNY!}#UGn?2vZ-#(2*+-3#-&MM1@i;FwCmITv<3iofa((m8DU+lC*X<}-6qp7s_ zalQkZ6;IQXlluacW7d^sx;J z3JZR~E{?G89U6Km>au#1i*38;rs#bwtstoOdq#4+%!L>#)O>1^R9RCtF);zDjRhAr zBloO4&?E3TDD0erwoRW*rGi3MMn<#&73iCpne{~4Ad4GZf^3+U4lY0*Gs5ATq0Vwv z5|$PgXT^_6-NU;3`~7osuR`Qguf2wh4Ce2oI;eG1{ABybXXAr|15$XDyu5r@`j4%x zt%>0RO9-&<+CNeomxNNswCoWU3Ry$fuh02noL@N;IinuzeCD1$r>mCNImwU=9Pd5> zr%x+Yq6a}W9&V7OaAV;0yEx;{pAioP-k6edT}eHMys2pgGq}4R!tH}g#Z-=;-C#JXudLrL`FoI zSL6WsQdSyNzOJmoVq}b0G*YrC+1diz9{ZIm*U`{MxTU$7l)mMW*!1+YowKtX=!H{L zQ~7fO?(Xgo2X$JqqpfXnW4g)C#f8c<<=0#RwayYP1A~8LB-Is8P9dGMY8E4Nz!T@% zVgS}Pw6?Z>=F>}_yOZV#rKCS*XWO+nTs+sYKXBh;+V)7JZ*X<5XM4D8tS?>N4f-$ zLeYqrgmJBOOcD)D0Y&_qETcy1>ys8dmI=gLY&Z(REt6Jy166fA=Z<4-tFM3WCjsaI z_bOVrIXNeRQJ_8PV~EYfLW;ujGS5$n=x&vA)gMMkpa=fL!!d6k-) z8i?J~z5JF%w@X4hT3H=qUHaLx9PxnYBCno_Kk-UR!gMoeh z`)R6Eu-{NbkbJcVd{$`up3xEwa?jlF^~T1=&6_tnhlur8DxWPqKi@X1)$fIfNJ4YSOR`izwv#a(aC2Z2>_8uWw$4~FSk$JbreIV-lZVKF zkdV-e!^5YpuCCQkSS`UmT`k@Ir6*BOL1jo*1%w{&yJK6kB5whV(a>OKJ5xr^wGbO-rPDz1vrk4k0Dt*t z=lOKPTmXmJjFw`ntE*4`!WInkOGr469?kytlE^?&ZtgQUz%bpqni>oUaIGEGV%&QP zk-*~OAOvG-6IMc*(`L8YU>ty809AHAIeH_~PU#-@DMtbs5%zbaFG4F*qN22DXvH3( zIjv?iJ!k`{I#g7^v@O$%m<3J0_1j5}QI)f12ZHUUDov8rbGw(8AbgV0ZS9M)u5Kvc zagdgV1_shgN4fqQ2%sN)fFxbqtG0gu@>UF>y^61FA_@=B(6c8%wuH})$NQJxl-Vk61pbFRZ2@D_` z-y_YFw!6a;ZAFR>@NVA1)m3Bb8Y4jJ*_O!HuU-KsPgY#gJdvIRCdA`EH$RVlraQLr zqes;P15}_uU*h7Td#2-a4xAvxpQV!*&`M_GuQ;%lNztC z#L9g1PE2GjEiLsOPfkg}AAj1f9jcJ5!UPZk@@oOL)P3HzBG89G$Szoc`HuLYOeF_5 z?l#ug=;&yDV`JmaVtN`H86zWRDB{i|B!oUB8N@Tm$DT<$meUeePJaW^Um6=Xiad$P zwDfM>dbwb^w!cv%p+9mPNiFfB$)-#K`Ka~N=>b|xcKo`e6`0!>47U=98Lz}T5oFTs)AzoglD|yFG6-i0gm#nz`WIj6Kv;l1H z{R5jzO0J=G92OS%kUeLbF>Ut}%@S5M=*StoEQOW+{x}(VyL?x#PE1cH3fKq;hORt& zhB^6#44Pbm)as08`@aD54uf&UHbw%|nhv9+XYlZ_rh!|DHc`awk2UGNESoap4aTfSX6 zb38QO?J>RGem7#_F*+#00Yb(K(D_2M;C|L7#PW+_?Sfv{Ji}Le*In*ZkliG|F`vCVUE-ek*2`}V=CcG|dV-$_|VSJ5EO*i5ll2u+>4rH1atgLw0k87tX zcwMP=cs!t>*Gi1 ze?eX76#`=I%ye2p0)pno0I)$ll#!9~J-9!FLe;gjD43NUqdH5uYAzL20zy2`!$SfG z*3QA9henIWaJn!p?Ut}CkC>RYV><=tnMZ*Br1bSC-p$_`K9@FdKW+Y&)mIBEr^9pm z!|6E@2oDnz1{y(Mx#A1w1rR!mo;sKpCg$e+fx5bKxC-c2Vt?y;XqW^bx%LB92OQfW6zv$^c%~9CCH`R{>P{akE?H_wAys3jmCMy+hkV&;cb^&!rtK zp^cU&$A@J)LvzlU)d$3*EC+5Y{(C|L(7cI-do=BGNuNNob!KMf)bxG5ATBEUM33L+ z;gZ7{1gt!-&kiiKip7qa#OKYRuqoW~E=(5?`TAMN3`Ep8j zHV^2V%zS+Jw?aB+W>~;(wK3C7Hi`NHs?tqRsf&t)04)k)3sn!dje^u8rJ?!a)WM$P z3AI{JM>?ydsk-iOU55DG5&B(-~maO;BZ@oSpT9v2^iSA{!gIU|xky`mpOmu65U{%DaI08UMkB z-%Qqed}L(g^G4FI^Vw->XMB8o0)m3bB(4k%3NkaxY7BICl7P8{rHHk#^7U)dOXPTB zKtQkrpG^B+hG^+q2czEu8ltA9Mg1|o$-B4|t!Hdxv_|FgmFg-9Nhp--I;3a~W->IeG@xj3^i$Mnrjp;XIjIaTz-QJ}~vPT$&mlDDxZ zKj2Q@Rx0RUz4Ve^sUSc9JeX=cJw2hhbL8Q(pN%=*b}$7R{#McW0n+h`igJ|F=S=ey6qAr*{1pqJ83NT`UESQIKi<>Vm)ggB z2sL8OY;CDL85kJ{L{`c3B6f*k^PnX4P`9NZ>1%Yr(8aFq;fqhktH5?YJ($kcIgoPl zGa8li0aevJ~zwmOnbXhy4M~Hs|3CM6UE{y+H-5*3-}hLkx~=l)~Sw z+^f_`x57Zzke|AqyVg}|C|xmJU~S8WoPvgWN)W+ zP9ehLc4XG!k$Oo5VI1iSz+ita@SjHeveltHoM!i7G&d+zx2?#pq-I8X zK|hgGbrg%$5wjm%C1P;@#Vo;u&CHyrxl(z&!`5XT8WLhz(Bl*@4Krd{LaljG>de(^ zt>IhKt%^x`om4|Y{_x2^hn}BqVG+MbaKeQeh9r*dDsycDFucctQ z;f_s{p6l?_#hB6j1nq15>xK4NbZ4f0$?Q9K{7|RzSfx%<-yI{N=SY5Ub(ve!2|Pbw zf*2?hcTv*oS{b!}TAT)vY{S<7+|FT&+1UrM6(xNIkqpNeD10ROo$~djrICKnpk~C6 z@bDA_3rvxlWg-7uDLHi&&5wKmr7T4a-@gam+AkdCLmJ+pHU2Kt0C#C?eLV}hazP;1 z?yCC<$*32OcRuQ$OYle){9+=qsdSb2tKHlx*?o;BwJy)NO0)PkXeKm?eK8&Fu$EfLic=N>aa(SALogL4ktLH$j-|1BN?JgS*L)#XUl1v~olZU(N z=GL3oeJdekd5y6;J*%Q3(Zda%)!EZimeHg}^`G;Dy04~&0~R2VZeVlAK-(~GH3uC$ zAtoTGZf-sUW;T$|Xd@tkmO%{-*Z{R%q0%x4`uu*d&EZGg@dvwxnAb5KjB>5&$pdTM-Brt;rLxmQR9hWaPOxnAo|vxWGP1 zvN8_%3~VhMBlj+bPeMIus$(4ujQ~hc zMmL{^`P!Cm;OM%|Qha-K6}p>aBFD$ORk9bu&qPul9d33og*WqDyLNfFD&BMd41Al> zW9#+$0R(1_dcFGX%Kes#-m~&nq_b_*{XPoZ#7_>2!vXz*+OYwJ6-K%x4mZPl7JdwW zSSN;q>W@x0xqdxgJQ`U~iT8Y_nc)v29q6DvUNQ^{*PtJ5I@CP-7{I z3?-IdzC6>l4OUS6kGh(g!=FzEPI;TQ$6}z(q*5?5Fd%^M>;=rXL-HgTR6nrQ%D~_2 zUy>mN_{hNST7`ye33)6V*yNm;+tQsmjw$5 z@x!`NO&yhcx{jiGc@8*h^MIKRr{Ay)B&UTPZ?gslwh-v9IrsHSz>ILvp{##q1zDvG zNaw%++bL5>5R`Fs*;-JZ90v-Nsh(R|$#6IVWVinFXD#?EHujgYj366z=|lh{AwHfF zK^NbKMFtoqLrqPwJ$2NH%lP!X?^B3oS~_r{Fy<1anMZwVZTTEqz|xyOeZTNgR>HzI(hu`-2TXsLU}Ue7)~WQ*XA!c zb4E{|tmsaGilG_V_H=KZ2|10S1;)CCCkOlcc0Xrs8I+K*-AyPicD-Nr>J>=_!o$UN z_cYX#_;_yu>g3lxx%)xHud=dWy0p7n<*>=?5Eo`P=CP|&esX*egIT?Ow7I+61hjqO z>r$525yy`oKZ1Al|B$u<@co?+<%gdXG4$_PeM&34k&jMUh8YYqC?fCQzV!u1IROEI zl?5MU3xf|GvIlM4jv!_Skl486T2%(P&Y-@ujF;ER=M$}m4{NHcy`cb(2Y6e$1_uMc z?MT1v2{Q}G=p!MDvrT7y;@tg<9dmfNpK4vwh znzj+F^<(dxG=u6rIRk7uBBqfnzkq=9?BV5a9A7NV))o5?c26vas_ z1$Qy$4$*(({9<*LVObtAdog7AqS@-Xnyrk1IVZa%|D>n*_3JY?9%N89xGW{~#pqu} z)yGr{+H?f1^?#B}#{chIefiS!G5=F#vum~9e65ZgY*!0fS^4nO;;nlB$I`om5t_swY6!wh z7N2%lb^On>(kUL`H$Fcq$ILe995l<7N)eLH;Qe$rL*DuWWnTe}>cAIeofPQ@8PVtw zGNt|~J+QXTz$tLj>`mLgXBphN*v1omMVHpSaQ;8T|JP*tN`ELfp~*!DH>8b{mf#}C z77o564qyHg_#tyd|L~zFE~9eMY#V+|76?oh2q~%WsJ-VbH2J@88U3T{_bor{hCV(X zcvM*PD5nPgHOn32ru}m-!j()*t>t04JaN;%FX`_wrKz_3re7W0P;u5kV$XK;is`>g z;n=4+iCww&k6mamEI77UbcKw1*dGg4NIXK{q=tQm_wQ4^p<6KX^yuSf1YJ9KT(4xv zuuRVxy`g?dG{ZVUeMFl_f!k>Zc20RbN1^3X*V?jAPjOouw4-`9&%{s8hPN2V-N66~3bT7Hv??8Z* z^fgtVlgQf#scwq_yQGN2V7kclWx$1Z zZL7s6A;b!azv74D$Vio2{`Q=)_5q-#4??89=i0tqF2F;WN0L(X>NB+bCdUXbSj-MK@fYi;`Z~<_)K$=CME6-VK#>ZFb)j0-`Lhoe z+vOj!4vKLTj*gql`_^nXKd0zje-Zkj;Ysp+^*iyr_B2BnDRo>JJeO59 z#5__aL;f1GuSu9**zWXmoTlkT(>U2kb-kvob9vA=7c)0&Xh^;Dqmk*IxT_gAmNvHB zN?X#inBk7>9O+Lbb`9FqFGSSnOTn|d(s#=^HIT$BfA2J9^M0=lLIG`k=$yM_cGonATXE4@Zmb_K+bF2KmnOEBg9UakH0*NGaXcQB+${#vZNDYAF0Xv?X0Rf77b zmr)RjgOxC;z~(U5K21gO2Q*-wPr{h!tbdKre0H{v>l`n+ANV!{MH2t&^lT+Rfg;_@ zYYy`mNGQFePtNp3{crM&Mx*;7&?sU`q~n89Q*Vb!!il%^`-6t3seLraDqF9BfWS>U zLA*1vFB0?f2`mb5^jZ(j9^n$ymTuF=obm?47LX;^J~6c~H`NunheJ9*An3=CGKZf( zjrsli>IDfV(&;x)Jqr)dh6#RGh`ek!`~5*Z8;jvC1M9mhM|fDcgf%<#q6UImVwH?_ z^1+Rt8Wg&`s?T51DWrq;QqWo|Kr@$#!8cz=cu=hE(w`^#0)MVG$*VERGuWIXXCa^utv5&< z$>g`!5o9;NvcujJZ8bmDpm38~gpQ0&QCd-vP^HkOu3B0)+i;eB!BJ#mqcZd|DYjBV zRy%T@=zHnUey+vsC+J!12M-PAI8fmb&;_64lazn(z$tuN0!Y%8ca^oMGc9Q*w74QS zw~U9H!0>blgu$%*YAsW2xV^-rMInuScU5 za1#_Kl0RfMn12m> z8qLk42R7$ba+*B?51FtNwwtJCVhM})-SfR}H5PkeM?CCtxsU&`M{RvGHNP+e7*b4- zn=`Tr`_$phEQQ-}YG7NWALw!KoLO9?swiw48^%S1-G1_)^(SfycztW|&6^*T$P>%^ zKDhA?e0jONhL6r(REqL{_DqW>hLb^3sm$|ur~fnN7#1Xo`V}k*>UU1K22)4*0;33Q zIXwEhY93WIFrV(x`mMD#wq%n>e?tGtfd%$$g_e<>J^^GT{Z84qX0#q4|qKBxjQk){E$;TGxO#65K!FeM)A4L zM7Eo4I(oU|OP?i%l=fWd2Udlu$EeVyT;~-%XRVI!S?XBc9Y(jW*H8pPvUS-E!D|}z zqJh$&=g;o~8%a%1cfkKZL@&}kb34dwlL}aP2zBbUYpAI+WNcVw)Dw=nAfA^RcIGQ~ z4_-p@_!@(w$Oo;Pb5H4k1x$&2*lu_C7%f~(BX&FX6JBsEeX%-C$^CF{qvA2-L<|1< zMKx7#y)sy$@HC8eSNdh091|ah)=2v%cl{(RtKu{9d1q0_B%!x_p=z7rOJjVd3NHwlt8ZYklJzrj83??v@kZ%df{m(1+ zJnqPuyxV)&{lL=`gNX53;HN3Wu$7#woyl6iAO@7GDYB5Eh%M&T?o@ayPU2tGS(-T@ zfRLY(7E@n5-Ysgdj=SdGZY}BIp|)G_bz^C>PhxIHn@X?9As!Co=t_`#JCbeh zc!zKpF9{;VnAOKvIMOLSH5LVdY&IYcQ?t~A*c_i!FhFFq?Du}_Vuuv+h6dKDeSVq@ zSDDeW4oQ%kBwsM3epR?ny@Xy;$*9eroA^8iQ;*OR8Mrg_Sy*p=kACN4*f214eiPVt z!+B01ueS%?AZr4EY>FSxesO&>4B~%b`-#n(f%CuD1W%i0?PJ0u)N|7m;=T-1GENpD{X#zgMuPr$~{pf z&2D#9C*ShqDlp&W%CD7UE9`UwKA})_`sMRwc-}otP5(Oi(7-0l|DsD81dWW?BW}~V zwl7RSI6bprB62nI0mN*c{!lRBVk{9XfS(E!AF@qKE+_!J9 zN|j_8cqG1Ql*#B1Sc>O!i7RfO*9(w^)l!sEFlD@Y(sBbiKbF3}T(U_#+H?(9FpORj zxu678TxGpAOeOx8e9 zRt3s(G)AobTyXM=q&F18M=xX4!y%is7g?Ue1MagOxggsU)GXH*XFBRDAJ>0lL2poS zR6HO^N@&Z7hM|nV&@pRNuo|5JvYe$dzgU zDkq^zH@Aj9V-ia!*$(AWK!3nP7ohp3%ThX$UhbCnX(ij6&G-$ot`Z*XGWr4|IS5_k zGdVbUSkZM=FRMfSVBxTK+I?+T_Es}}tb_-SdxUwXMZwf@DULT4x9-_Bs->r1h1TPj z3)7xd=#HpO4@uG}Vf?s^EbnN#ylu)S*cSvWc%1`cE}+^rDFS0CO+HLZKLNZg?N(FQ8txlBjwmeXBgO$eiU zKZvU?BIqe8LHAR?bNJeXmWHcVtcBI^R@79l?TauvC#|N|hYn~y3q*p|Y1a_EG%-_m z%DesO9FJZ0fRT`0C&`9syAu`Vm`yJIfCmH;li`lWhe;!&W`PO^w*T}`60 zF*;>C{108Gk@dk1vMK$fo^E5jqJ)lSb#$5^E}^~U^Rq8PWIQS~M@|~I#}1C_okXfs zyEUdI>ig=p?4ef$)ycR?9tQHc!ILLQ96XIcTOfw zE!p*Rd?*!k8v#~6%FqLZ0dWux?roL(=6Y)pk}Wg?-Nr5U8&j-B9M=K<2j?H*GW>Gw zh!R~pE~P+_0?q0ED$>_wQro=qJ>0H`%U}B}Ac*|Thr9DR;yZm3!dZCEo?~K~yVGd3K01W&QH)H|@4D#l%H%j)=1`OeMV zV{Ety3Iy`DI_!*YR%y>{;7JWQ^ST`ZfeW7cyuEF)p&>H9Y2IThI3(|dDP`)ly6h!r zGmKe%bl9jK^T#Mgo>BXlSZboikskysDXx6P0nI8W+v#V*uUxi&2+YjQO#$R^rg8r zJ#WBL{P~mN7ny~GhzD#(>e1zNm(&cxcPe=2^WV3-CjmdE*_`8+vauPH-L?k=q3sMT z8L0*^+ECdvq+4}tLJTX-1lOCk$H|(g6;c1MlO}@&_ zmW%BqmnE3GOk>zj%Y=87#9>O!&znz3XS>YbjT#W_+qTcdNO0Ki0iCjGk0uXl z-jbgfM;*5RbWGbt39pF+rm0)|pgh~O;1GsVDJ_2(|GX`PSgpQ4t8C|Y0om%~D#7sv z)TCo&8at_K6oMrsO;SG(VmWt^QXCW^#kjTM#_biMdsYW}UU@Hs^$%e7H-}0U3BIUh z>Auh^!fWu<-*{s@m9PN)zrSTZ05;>{MkxM4Iw@pXFbN6n9X{u%a1Xevt1 zgPaQiy+opN&r@$YO>sM47nurX7Ju?R$7r5wgEu_o&gMa0X^QcfZhY2p=d~64HHnk@ z!WGem?K0gDD>O)DcUn5CM8(O85Yg8g_S`UC8LlFbCW)rAozI{gbIansdNq&X8m#?) z03XPlbZ+f*fD8@cLh}=;4y9ZOPt+aiXknG7Ps8FKZ)l~=x2FWLeF9yf(Dm6e(3AQA z*m*Md4nYLIii+Tr$dXqo5oWz7UBih~g8*od_D8QO8r&V(6I~L?I`3Fvt7mS0&KnnF zqW;!>1leV0udlIDT9Y65#A@*A1-&M8YU=C;Z@aYjdyNkDCgFkUC*cRcrfVnd5Cp6N zf$B|Lhw_XYmCry6#6hk++>a2>{-S1yMrv^<3)6yTt8}WirL`kQKCD&o zAzMy&US2AeAw@99P^_i_TR=eo4HNcG+6B{iA9#3#^C$os>u{17N0HZ}p?iv%?oJXeAejOC)|NHo9tK-h7}5 zpqO~ZKy!f}7%rfWy3gnMCQvC{bmo?}-7FcgrK?lICCSD+(6@$%jPCTg=~cm=Qr1-g zWOXRB_5tWNutIQ)mV=v{%9K4y!l)3nVg2;$2aJi&ZI=;-)=SfeS0>XH|2U2U<(SSO zT4*zhK98&RXEjR(^ADLq*}L^UeV1x_UGZ8=OGP$l^8hl>J691Z0Uo116qs8|8h|Sv zT`f6keRNgeSJYB&IBEh_X{$}`|$ zZaO=cnou@Hb!PleMu{(2kbISxQyw<7wf2U7GQUdplu@cm@hLiy;>)JG&ubP2gKAIYZrwfHhLfLIiy`{H zgM;RemG6=(I;QCc22uN2QswNwS>e%c*iQ(q>C1pi8iP$Fe=O}c7;qqwU)lS4-u3I` zSC)40^z)OVu?G;aQYBynl?W*I%Pk%9Y6{Ca#c@V&nhECx9+jcL~qV?p;8@ zGr#}X%F(eIgHP%ohm)SSoA~S4`5w%Y z3IxHbDGr^&y+cIn=*-dU%%>_yW?_9%6&0MCPgAclbO%A)oy5Nut+{1R;SI9?n7FsZ zr190j)A;(whQBXIl3K?jr-a+qa?*Yb=WbZgl_>}5oQu$K-{+#F=c>sc^}BhuZMV!u zo%Wuo;CWu7udS*-~X_0(|CSGR)A}f<8@})3%=6FRZG!1I7ot$ICfw0gX6xv zzSQ`_Ge1gD2@i8|OAB5Y48{=kMA2zvMpip#Q9f%vJLeL3iRZuQr2p= z#;Q!!=K)&_&xsW8#kKP7dy~4^m{MLA*XMNav|S4{#$FuMai(7saJlzMy~e7@?_ebv zO=NFqq)8Hrw3Lkn625(HR5YT`CFm1Ac{MpEi|viNd%%e7KirPD_BCl{SSX6~UF;Rm za8NK%Uqn33eKkq{i#l)6h4+POMc~91KYT%G+QRFwR;N=#^$O`cy9ahB#pY|64H-fA z#wuP~Zc}tVY@3uIVBw{UP42&g=x1vw8wgCiOJf-Fw}{1;>7)upIxQ7-iQBp>I@g4; zHh;xrM-0f=*?l(;yz~2@92(`KUPZ_IU^NWXRd4_qlVejODuaEC8O5$zA-zEq@4XU) zlMM8dPI<@u$cs%Jycg@2*Vk}K$V}MpQo(6l(=>q`d`uu4*col1{tG(lq`BGLhL}=H z+lwM*>Z>m{?%{kbNw%ZjGbRlrST-u>i{j*o(h?la>U!jJJHvA0$)&?BIX+bj`qpxF ztMrsU+K(zr&;%L=(<@_@k$czm6Q)Am(*XH(UwpracG#D^CI5G(EYM=1ukj@_2IJ7iz# zV*B`<7e7VRuEOGQ8WTv~CZ_M3pz5?0bzNlu5hDK9WXyS?DBhnnorI|3a;yBCPvAX- z0>W=NaJ;)~kb5FB^oWV-n2&avH~cg=7M_1aO>+x3ESVn|Lm&YGa(Q8y2;)W{4qba% zO?RRTkEhn2tVBG9egsB=bTO`e0>`iK7*?0Q%Y6R96)a|-U;=#SLP)bgop?HfP;dd$ zhxYpx7ztXeS^g$bXB&-%vLgq6N<1UK3JVB9F`3lJZCos=#nVoRYr2W$i4?Ib(wge;o494h?H_9=}9&eT?a zJ4VkyDWD!ZSce}gCgf29-}qJi#CyXZA%m$uOl^ETo6c!$em_6xb|Qtxu){kBCPH-r zB>6d%I`_;rojP?{x>#n>3?nq4L{VVqZm9)UQ|d41g} zXkcCR`Q>QasZtY!bptm@NoH=`M+U)Y5m)o_3+kTMHF`P$V9b8cz5U&Pjb80z)?pk{ z|8z| z%5L!MVU=w4UYNW=`-oqgL}u<6ny4ss1Oby@-6z&S$`$t{2xfw|8mGUNr8IrsoPA$h z;iR~B&Ke`ZlCWbiC<~vPN&P;y4_2k}3*e$wlr^DOgEITz8zJzGG|6$io|hbUX30Wr z*nUL+L*9*yqbxYydOG41Z>;6;{pGrAj4l(x29i*+J4E|>wQHufn(zDqLUMxgI{o&52oq_KRg~|3e`{}G;`;JnGQokc7?#w}nA^4uKIwh$ONw}w znRGg_r1G{fr3Rv-9Zt!!<0TaQ{8DXJQ}YmyvS2h=I~>oH`FtvrNPb3Bg;T27q+ju% zJsorLV@}uxRBJCWgrf66z0AEB6QT!dP;_z&|3Egk&8!AGi~=u#B0$(Ohd=prv8s~< zsG>bQP5LRembWDugJXjEOnac%%JagNGX0Ugw86xYFkO%R$?19}1i7r`GI3P-9HSW5 zdqvc_ZZ`Oe{fCPEt-8$7gL~RfaqX=|KbmIk=9oLM-&Rt^FZ%S z1_g5SbpOe{#30R=1}TxKs*cI`y7YoE=<)OT}-*JGq0be{Nk5T*aiCk89Zg`m-8_6 zh4m-jBJj4vvqctA!50ZalAbrI(15TypYMow4`|C#m`+BbA6=Ub0sn|A1U*XUp0_iJgx@y>Ew z4Fx4GXlbdt;Kcy4-c~eL6BuFnvEQt|d#Ua~2zWc#Cq?i7XN;Prj?IfW(NGxJS+x}@-QZfH|}@YR?A_q<*fA2+ z#yUiRsdbI0{Y@3!Gw<8!7*WcPy(DqG!_*S6amt?wC%cfB#j;_nuJcO zeNC{cX@xe|)jD=b1`5fhBpLjQo>aaVb?=6bpTjIjK5FGA4c{$ouMXX{#IIk)e6tFn zII{AWyS5EG3KZ`G_237S+Zc#)DWzHvxK#DQwOXX*>?Z!0}NI z`JbuIo6z}dr&asMQ1P&OFv9kQM$BP*l>J>SKXP(nUmzrQ$qDNFaboJ4-iH?=caU91 zK~8`q1_PIEZ{fs0j@@1|MWMr*Uq~J$>xD7$+cHAPaH%KHndY=#W+yxHkTpPEGWU2; z7Ixrx;M*Nm=XY~bmI5yh2BH`+aZQ^eMPklG;plEOA=%i{6Q6Xl=f=$6i@y8xPa$&- z2^G&Hdz_3}hM%Rc+eiw>Cuz>~)PD{6)3<7b=l1)r&Ph6HjrGXrv~6$c6^O__9AMOI zln)Bq-;Vv*(lO!3<+0wOG{A?vl?rJe#+@CF;XzqX9&cZi1Y{-FHON_PkxJxVO}Plw zxtX3-C%YSPemT8qE9gh_KkSA`q?`f9#CCf#dusR`jOj|*WA+792<5+7&e>p zfB5#lpOA;s=yt{X`gzwp|bJ-$`b#-`Fltznh zj9yw4|LX$d&YyJnDJ8U-!=@1(;y>a8?&_~KJr4?LvF3yDeH6+)E>l`;Ziy=sM+cP5 ze_JY?2`&;`Yj|P_9FIsJWV{*W?JTh;vhQMgX(KfYoe0DkZc!Vvb+vw3C3J?_6|0+M4H0bs3Nesjk&Z{ z&=2;6Y^in=O_c5rlvr=?BF`9EvIWPbQ2R@Qx*X2t6OlMzV*cW$D!(8rC2yT5+SJic z<5?Hq-k*oEnjR@IgG-hh-yd=G4F;VKr&d4zHhuj|q^@21NN&TAOP2?>FRK#izeTO_S#v zp!zFx;6hw`G+_1d?|ddqLVo;`9Y7-adyJY+356 zu&r>n+99cxnN_J%-pObf- z=EKx8p|hVYiZBAm_o#%5#k!pHVr_f#{4#R8O1R7%jubS*1yJMRT^tWHpt5ip5>Lsk zB*4b@WDb6eWx6~=4NjiAIS?pz&+>ZKoD7H>tVlsTyWn%#vdTI9V=1~6r z%Wxx-XgW9^lvHJashC#9B5t!9EdczWufQ2>;ryq5;e_sJ4P8D`5HDz6_(r0Wf4!l~ zTwf~xas5-{*OxE-5%2cdL!p@1=9 zo5mDzB9WFGYR?+KQXRrY3@c*)On(aex=G&yJl_W2*gMt}cR`x)KpO2Me%A{mNN86} zlKZ`HK#{r0Vh_*{-uqKEV&(>Zma!T-H`bW?et#ibfM&Ci%#cP*$XspV4!XuJzaGlS#)%tzwXK)KMe7`IEd*u z*WbX0oP*oP;XH@F?lscBNKL^vEo{%nrW|%jK*sp_jE(}m-k1IfDrfp9hlhImKIz|S z%}~i&XG}b;(?J#9z4zBH>?_hb2nc)=_ZiUYLr3a3G;O|YyU;a5g@Yxd^s-f|QQKE= zFRC#S4`>Un9=P(N_EJ^B&v1Npjo3f0@>5M6PsThUgDzIee62{Ji#nl`hz_Ld$}<$M zFHQLbWv5z?W$7{ASkKU>MX#?P+Ul$UdI!$yfT?H#c9hY41zc|45T0O1ufN3e-Cwsb zK|SP{Hwf)Mr*~)IM|~z{E}1jezN1&=vDyfFPeLQ(Z#LVDbJ;$Ak-3&WdHqjI!KitI zRZ;k0(&`PR4rdS2$NRUJ2;R$hh$qT)IViylSpK@*acYQ0;brJw#;SOd8S-gzS8d2| z{Gxa*4iE`t9Z_y9M5f|S z{5r^kDvr7i)Apz#pX#-zP2H1p)1|)5!#dKN_PAcvYx7Om2sNyMWNHYj^8Etc{fvCU zabH0dc}|cbUQ1oJ8_Om1G+_H;1W{$l=@A6np!W}&lCxR|s9-fwMD)m%yRm^eyU?be zkVPR0GiNY($5V~!wg>LPny7z*OXzL3R9JPaLjF~b# zX8EMy9%|7Kk>{3xF|xnTNAV7gx^q$h7xx@2#4GodK;-NKrXc^dCB}D~toAT7&1mG? zu94l5+(`Bgu9(xV;~+t#aB_ieZW4xy!24yEWol_$Qo!%x$Q}O zZ7gBLbz0cMLT$F&mU610RQI%qeVt=v@IuM93wo}@55*G#frt1LWH<2D8g*+L@!(X~ z-5b#o`Hz`y!I?jdMgKtq@*Y;GpvO%F)8t{MZE%DpL41Z^?Y&mF*|+lA((3!|-)!3| zi3MzWZH63e^QJb=O`XFk&n=6)AwH2?jCGcWGyv~>NcyqhVdm%nH5t$5r@XNcfM~h7 z&eC}87TL~uDqY}re?F!4*-opobttG0!G&@NK!r;+knBB&u|fT1=E5SOb#M)}JaFtCD66c8I=D*)PO)8d9B;Iw>}*gnX_jiY@>-Wes`srzTM znMm%^=_RW*jQ-rBx81?r5{$d8x;f1I20P2fVzBuVMS1FPfcQ@Y>E2 zz44ei|46$HQm32smg(%E54{Ibizuo3tsiN3cMoP_3TguYDnv|ORB%nw90a+s&M;#l zs<91vET6t7!492F{O>G4_NQ>B`nqeMKbQy$b17hjkiRX-m^ugC~hU?R+0M1cEI*H04`2vagag-bDW{R!X*hL@H=l}#*n8H4U4NBvf0jh<8->+vEOn9d*X z4HOfIQw6qABIp4_gHM-|fK@XQj<0z972*q*t1)0-`;yFuTu^ZwX>$Wl zK>H^&!=Wv^uL^*dJye)lq=58(&Dm8ws{iC{RVFW=WrMh_Zml%^+e^c@^YyBtRUVM? zEj1aA6x!zqAEewdirizvpt9X84;iWW% zw15kA(n7N$w3nx8>!9iQGk*POE0b83P8{o%mPYd;I2h7sXFzL7Xqx%D<{tULO0YfQ z>+iuRaR=##lXQFCk!&3I%t{u()bq(_4KL0deS+9bb0T1nc3+1SNi?f?Iet2IZE)g(HbI` zD*DYD_$AxgeL_L&AHi2}n78E?Hwwq-L4)%i5ClbD#LFCG!M7=7P8A|Vn5zXcz~VR68*~47MuHM6>cf&b3D}zHh`lNNL$^R(iyY) zgOYAf>#fILi=J?jv_pMgFY0ai=!lLG9(Yvt-0eA}*BmV>fix%~>DQ6OFnq~EoiAyR9z3M2J{m>dfZ~-E>U{7M*nCFtSO~jH z^}ys&JIJw@C{V=o#y2+s+G({};;?_A45eur2%q{-DJ2SM^}X4pfNW07IcxQlGIIaZ zK**BVB8PnDWgty;_2}}_H_bWQ0~Q2p2f^L8lW6r^8V*2;h;vIwZ82&Ao~Udo0A{rU zgr+=Xyt*cKJV%P;ajGW#z~3orYO?U0PU|xo1N|660Cl^~p@l}6j*u#fjS62Hk^n+$ zDAFzdXmj+on*1aWI6y)AdCCbci^)4NC(WJv8|Ih%5&pQ|%8hkLtZiE(Wek*3cZNND zSJ(==J(+#pAC=pB?ecFUeNS?btt0WTfs;n0Ay24dR?pA%C#^1BhM(nrEzX{+3>`Zf zOaFQ_G^fO5-=YOd=bWru0i8V4QxXo~$8W6s(M4KE3$YD)!2>Iqvp-uBN%8SxgbDm1 zv4Q6s9aocpDr5}z2H2YMsP7PX_OzzC%^$|Q)J&ERHu&{r8AwcB%W zabZLAlw`9&i@OWl78T}M`sHVQwlQE6w={U>YHYYR)sTPTd{2!RRKF4V4S|i|by`NH z^Gz@0gEPwwy+|ELoVv5`jLlppcf?FVf$w!F14o^&fc)%>o@P}U%)nerCROd1wkch= zd~LR_ir|b4u)9{q+xsNGFAMjCQ%}y*KvAXyshiMJ7;TXA}G(13oG+RL$o&bO)%+Z;u>9nqUD99E!J+y%%T(XreT` z3W=dyb*|##0;8UgrmZp|k1#kT1}rG(e$sBs)#fkjfyv3EG9Crhh7i>=(8^v7zww0b z1wP0iq9-1jR)k(fbsXt_BLzOE?7%E{#JAd{egvzr#$G41s4R|6_KyTnwd5; zTV(icEStPfTCHlMQF6=p(4A^QH%`FAYWI&wsmi|0F!-E5%L?!IG;QQ;zSw99<|4?p zs$X)}I+{FJwx3V#SQ;^a8;Lf@$*3VLgC-6MCS^(Yt zs0OztwR$&bcp=Zq{s$Sm3V8`xv!ck@RMi9vq+`F14_>^~6(RrK?#jUKAek|V->$@A zq@M`v=B3{gJ?r>Z8!l9NC~a*`4@yETZ(*>5bL#(;Tr*S$QR{HzFmq#x04r-99*F`6 zjqJt>M@p2cdB7-)7WXx<`~7#~Y>f56Y{uXys)%o&ECz-?_AE{i6(Z}2!Hm0;_qsJm z0sa#k^~DQ0J=+BZ=#aSL83vg02x^)E=gkSuj=D&iFHaz9eet0tS<73-dK(`RK`b}( z8AE_Vlhqo!J%&aZ+H&U{4aIqfH*9CSZy(ZgVL1bp$Yv)+Xx8*jQdddS)HaGamofOF z)wvgeZrB?MPzOloeQyS8-&Mn9oNf04LMmSI&46y#40$9r(nV3~1ZYY8RxKi4r=nB$ zhyCKvd|H^%>)UhR9WNRdk2Ri~j#=2-mF}0D4u*(r8Sz6_9s}r&J(} z|4}{s>7h^D(tuxpMnmO;BiD*zjBD=y$Y56RUu3XYqdj&~Vw5aA>e2`VZLpQmkZuMv zz^Vs##ZW#AT6Z&fshfs}sRED$(D#>srZ1eg7_BR3@2y|(BnAKsD%n=|Rfy*6*Wo~* zA$GSw{Jhzk6~Iu=ml;PS(9LHZ0T!|8xhKWOa@(+jw*!iyR<937uji|Y;g& z8gZ@Qw%T)gQ~@^jsIFxsUMEtaBCKvtuAUU`Ml$8KHg@zq;td}#?AgaL&!g=+B#p74 ze%sRik0rP^vttKoPeI=h+DjD2Y|Nj4>{l)5PFX1ggGIa(bBkKUNJd zR{tnOFhrs2xdkY-x~;9$4IkG_Ha+aewTuxCVzHvUX*-qE1VSS2Q$b{|mLyRrF%#>M^q6feg6hUzyi7arL? zkU%Snskc}xXq>_45ij|)FR{b4YtnC zZB}W^ZV>@Wb`_LrQWSKJ$m3R_9>;mKy$5=J0NERA#rijF0av??E`c-LoD*U|)5AtdMm(weH`NC1Ar)6+SR4^5EH2R(|n`{>;iH%W!4>%rA zL={#($FJcAdnZzc1oh zyFwWOGqB{HcyD~!e=ka8=a0Tb10h&kn*6QT?#qZaXv@JQ%q>PDF3MU;{(n74RJj@4 zqc$iO**;GD0`b&ag$?6w{VOlEh^9JU?;^^Ywrg7#@dUHoqZjA;D8{y2aM7`jTT^sR z2tYXlR_ElkV2`lyn_$F9rY|_>s8xs&C=61=L~Kl`BHMG>dE4IC8;&!l>fpU0U$?A{ z5~0BdQt^4B4ny%dw-QB(v=d=Ds9%i1T}>b=%v+p~!d|a@vO{W>(a@ztJ#=aCvusT+ z#MS`|s(NjGMe1^HwZ7GdKl;ieu<1(LWl*|lzVL3egoKaUQCJecyb@4M^h+b=udc>D zp23$!nxW_~z#I>#ufylwapN}MKHp?Fl07WD`)Eu0>>)}30Gu{MYBK}eT-#VCWmwEH z5IjKFhzNdhs4s-!)cvKYigb9oLc=3Gh8nbLusTPtT%2OVk1IzT>VdND>Y3!R9TkK0f#QYCcf!Cf8qSteLB!1-?o5x9XnC6;O5B%7eoDK}e zgoup;*o=Q-p12uc@N?ROOpPP4Qt*{oxPy)mZeR8U5@z8F-Af!)9Gt%LP{Ekcl7$A`|o$fmX0bQ_?vn zhCVmB6arp3d6||EpW=RddSj2SqTU*Q5&QWbKG7SvXX%`_O}G2n*p#^g5^O{6%QvL< zw95!)m-{|5ZS}MWm+&dgr$z=V08MgV1R@UW4F!N~DCY4;#S7N(sH6&1N`*OmV_*&c zX{KSBFuwiYum(!|Hh4~7oya(3H=pD01juryk#mG(ks()C#`+ZYEZm1OL?1pzfvPQt zb9lo#uzf2Sfvj;qWKwEkV`liUDVY-tU9t^O zL{nPQ=0}g(9oR%P6`6sf2lL7l)h7sd^}Xk3fn^K9^%B7K_FsBTx&$Mx)c;3^j-_@LAZPqFMZtK6UJ1ET!IF-0CIIHcqTrT;f z{_x5#xf}&SSa&_XzbOo1idyZcz6k|l-# zWAXtpxM(+==y(C)I$ zRA6UIn{cXp$Rlvwy-b{SLwGD1#HG$7-H|3Pa0f3vmxt*6rY|>+OUgz(KB2mM8O)%A z|A6!pnIeodRP1stNy#V#ORr9)gGV?2Gbq7_UY{Uhih_r;m5*RP zpg~3ubO6#HX5$|D{E2lCM{mya_%FO`h9Pxd%GR(Trgb^zk)~2vkVN`E75z9>G5Hxn z06H3_Y-Qh93b8f7&#!lzjJ#&}Ng??pYosk}<6(f&J_S^N@?A96Wh=0JE#f|x{p=oQ z-4Ga9{znz-gzUi72C(2ryl2smU-9?f--+VWO&}L_oRF9edjZ4H$8%pC>n*g?~|I7^d4U=O-gU2 zF&3b;6tJ)=3c$Qxl=y-FpqP^;Gpscq``+EG(YwTWxN@8AsxS2p+~Mh`Q{;H*Zf;%G2Rq7HKojT_a#IWM0x^|PPeRWt%1){E zL*&F1PuwOb%<#wDx0{T)G@foLeLkt*6tZ<*$LcLW|brWR$`3_J%DO(@n#?EkSp^zteI)i26QUE$8IL$*Xtq z!HniGSl!e-$A;Yf9%V^nHzjmpY`hJZM0>vD z^+4B=s&d?`OYA|*{Ve|0mO;F2oChs>b(9o-=rW4aNxSA*S??2$+*lwSDOo5S9Y?}m zSq{Qtk-p3Nk$-U2APgh@kr~tD7c`}*rzUwJB6s^_={|6`ATXHjCSkEa@((@;Qa?Il z-9VG-vcjvl^hPlx;!w5xKVQpumG=tg%>-9h)%;Ka5lahjRLJ-@xt}~AIar`;CJ_fy zH&Z<0!ttW`m4Y#t48e`qGr>3rzRLM_zZ#P>Yj1$>_uiq|8il!Xm}N3j-CYZGuGYDroB@rEleOe zMJ@V+4!7&w`&VGHvFtx;g@g||$Vq98Q}J;m8ZVO|W+l+Tb7n~pL}hzt{Ya-UjOm3V zJAAuItb{CS7x8`KZuAGt_UWZ$=p+aXLz?H%^(&Z_l4tfE5mld+IUf}WU%4ejyZqx= z(~TvtDv%i_do9MQ+Of-uAyhuDr_sC&Ng>?h%TP^m6zmMBo(` zsKpN>U6_Lv62fwmWc^sQUTGVKIn7Zf2260z{8sT$iw=`H3*o>^BMG$UOb@|VVExNu zizSzHtLE^4$yZgD$64usTe{y5uWhOFyhdr}pzc$Qw`;FR+o7wdA`7X`D|~zFtDGd~ zoAnaw-?xp|Eeh6qduqLdl>*_Cik<#qpgh^kr#m+h{e|?bg!MJB)Hsa-OfXF}n|Ew> ziDV1p1%b*?y)UIvMT9U3B7R5CApGc@N}=nUJcyv2S7GBVWI-5A_g`gM-yzh6DXhFC z`}bAj#4ZBlRGV1Wq{01GJCXn|+lamUf81|36F0B+$l`?<&!e*#W^pe1AMTh(x|MCZ zt+7y6yv%!jXK4pTw#^M`6>#5rl8&ks^4CC=h8KU0=ds%`=Op~Mt+C(O1GcK;O?@qnsG)G8O`)~rWJ z`lVq5gxI;;eSWj2N)bdDzrP7j3e<*SGQ!W3j9 zuO&d^v`#nxEn6s4OmZUrjOsLrBth!9^Jqs(k~^gNgG>eKmveL)%jHE-E8YIIZZ5Q4 zc4p$715KgpB|Y#zTCKy14h|G99!pnsL^*E$Uze|@V^1|bieT{o=HNLffF20zPfJT`-qY5>cj^e zO-je5{r|f3Iq`70{G~@7_* z^5iNmp7Y2OMVD?D%Dpu}#BFUvKLt&{G)7=-MCZK?5)`;M3YouV1(4b$_QG7!xHAqw z8fAbp;b_nD>RgBp)9fvoI+&c)@#(b$r*}ElPAL!a$G%h#@GarM?{g|%jryvyJ2%QB*u%{O!9w=V>(q2qgxuhsXD}8>Cezd!tG92nIkyClHYqGF zZTJKi;;_dJ|J9fkmHZIQA?%mD8lQ z>JI$n-ioc0GZP94AQ!%4*3dvWE)?!B7FB5!&E@8(9O#PT#l(jiZHjrd5#b>x{l9Wi z&K#cmHrx^)`QSC&a&yFfh};I}N{hHBCl8fqSEW%*T6XWMp1I1=>X~`x_!;~Ae7#_2 zcEWnDTQ92YZhiraawj?dJ~Ex}W{9Jb$?bNrR`8t1hHs--=h%ecFay1Ed*(|y!#4g2 zUkF}a*M2wss-5T;hA>ZoD2tl|5T4}rY|0U*zUFQsz;8{j2CYAD+28<8Iqo%P6_?^T zrqum!$61%4dbp`^dB@*NLFS8t^Mm}9F%3|twl`J^6`}9a*0T}(>emTqgql4PrA`h- zte#+Yd{W!;55lyl)ufH&AIR6h&WXOr@l|?r!t2K$e9iYd&w<|0n!j82_`S z!lD>&tm$LCM6%m>Cciu1mQ|-NfQ@IT4BkAjB{G^z0KfAVeY94L6@SGLzaMz@x)~Sa z3zGLE*3qe7ywXOzYuj|7bomQBxUW#UxoVjBV;FqxrI>&Dy4iyRI-Dv;1l&#Bp4#8l zv^Nvd^PamkV7tdz-Jf|S2y+$_4{wj^29!;@*&st3fJEz_S&x~N$-B+lxZ7aS5Q0{C zoM;{H-Hpu+7a~DSF83bg=H2=gtMI%P=+$&FXKV?f{Sn+%NRdS{rYwF?2kE#4UK&yr)b@cGPLMr%~e!o zM?y~YAN*H_^$Q0(w2+hVnDv%i?wq3C6fUfXG!cxg(e)PQX|>~qbDX)c7fqX|NXaSw zrtSWLu%pHBvfe|Hlho$t=A_$ABgC4YO}VQ3-|m?(B-=gIE4n;^^{MAH@ydwZ3ZK_! zeyTbro==Z+!e8o_we@+6f@E0EY8?kayRBkzHb&L>p`qcGjY&MPJYU|5g$_j@wKyjJ?OQEE<0>EG z7Kxg6f`NOrH?6?eyVL*Ghet@(y$h32J%})6hl|SCPQLtf;N*>BWeD4*kkmvXZTeyl?C7%s z7hh|k!7#;NQr8<}?@6Cb7WG8m*og>l6GO5=N5 z-T`Z6MrVB+C^3l%^{2LrY>z+bP^WzZYbl_wFm-G>fd^WmPeM>h}|2hXAB zyj{OtMR1~mtS!PbodMCz*Q)&PiJAbinA=BJfVL}EC<4k&#Pd7+ z{-%C#diRncaQY%!-s-&-uI}8a=BdR@VAm5h&q;F?v$2|+D>dT~hZw= z;E2NHp4hyan$y`IN%zqT70(mx_BPajrT22Ehi`9&XgBH(cvrwYfJ*=)gP#{}+1{cu z9$A?QZ1F4wIBG(qe&qgM`mJG{P>;7A{K(84PdR*<#rcQ$($0>^p@El*QRH!{tFKpY zC3EHeW5bb9`w=kFl$&ckUG5koX{vJX-eY{llpVwvwf;QSrLw^0Q#j<3 zFGQ%F8(Oa+0>!NT+2ohS{}x)8WW!&)Q~aF>CB1{L_mCSk?Dvn~_rIj&F^7-q9CS(P zTjO=o=dJ)%<=SRG;T3aEt6v9nNI_HaNyRs~6l`QR$HnZ}+4J*RrP%E~Fh>@#I6dQd z%+Shu`;z?O?YC1$DsG4UF#vP83WS2mD9l(O4Z1UsS?H>raXbs&U>f7oD$)yr@VU5i zd7oBX8}d0nFEcydPn0fD(5|8bZ>*w3z`z6L7KUl46NKFBs2>~4EMXdy`Eh#xDDs3E zL>ewn(vSRHM{A|>p%WsxIaE*|xz7chmY>R)s>*=kM2U_71Y~SDDXXD{vP#+Rhww=J)A9_P2Xha7n)oq_$`e$8wA4c2*gYO&l?F9*6 zt(ZMj(=PP-LIXX|ec+eZWOP=7q#Cjs4>R$#0%yoP_+RD2R0h%6TTlY3!l2@sstt9C zvV&T8hJlzx{!J(5ujMVDJZy>BH>T>|#frxK0dD@L9w6vL>&f^H4^V8WpqDjwLXF&b=Kc1E11)2Xm4aplf zeh9YW1OF^E=yj-p9zJ|1Sw*PJ?>ed4(j`@6%&X{`f(bocoHszukhXVpw1IQVMrtkL zh_|LKifJ|Y!?u&xdVjNEHq^;=9U-ThS=V2>_|i9VuBqrBB6=ew<5=QXQRo>vRI;;c z;Jc6E>c{j%vM)|q`9o9XqnU9`22hgsy;^gnJ9NC^?rQqZA7i?|A};Tm>#>F^Ot{^J zj#DikKXHjEbNJ0w8w7u_K4mvQ2?7A>9#tRXX4w(G0{r-rxAZwaqjh8~^f)aRcyjm6 z_hhHF1s;ciLGM@rm240?KS^I^XQWObN;40kyncN;Ba9;!T06yn9UZpZ1U5eQ(>-x0 z3j~?cjqu>e)37Jr{)0*t#rS5(N{27iO}e_yS2j1$_B!mrBc{gqXKvIRdLIcTtT@8zc-r#C=L$dfLu-!|Bm>v6E{YX1p3?2i zjK^(Dh4H_is-FSm+s}Ed%dEc^Z`64S3t)Wtn}f$o*Adi?K5cL$eZcwn!jbnNMPLx6 zbxo=Ls!h3PYJZ*WVrqc!f?n|f+b^X=3L2jvGdU<8V)K0yA3!z)dwz1N#=Ez8sk?f- zeyb!(ND(1d3mg-%uRgO$=W@WqyPTLDAc7rGAzyt1ubvL%fb7Mz!tgH>v^e$bacW83 z_b(D2LpFyZVIWD(?H=UKEP3JrkT2S;rXAfs0(8`B_qNJINZf0P!5IJbcr*nmYEiv} zy!Zer2rOt=?TY*5rFI?J94UeI={$S2)!Sa3)gSe@&B{Ee!JmAX zT2ceF$YYJOb%z9TxL&qgu$xJ}_dt~8`v_K40CVH}T$zYqTaXPZ)hyF@kZNeg_)~(G zeu2vtW^{B#Z{<}y1wQD>BP&9}((d>V`xJ+11MHW6yg8}MC>+V;KkNcD^7oLHpI zkB185;sBc)6@a0>+AtzGc;MK*_;Hu_Kas=7Cn?E*%UpR1f z6(j+@`_)*AIuf|m31Cda_UJ1$ef6?@x6Jl9=>+ro>arCBPN=Lz8GswPnO)s7s;M;V zDZf(P_jWon>h4r;(^hNM=F-$A4P#_&W(YNXiAB^((oUO^8~iBJ)kDCi__e`a>QDXB zAjjq?Y&5&;lgCQ|G8oe#%I7C|z*&yAB7QE3J}dWwu0Q!wZZ$;+NW<3QyPIw`%VQ_T z!=Mavq!(J6f_qOmfI@4f!xMj*s2h9u(=fW<59{YEABXerU`!{yd}HT5E~mp-MxxiW zXy}#01AN=LETczQ*eG{U=!4ojnsMLM%tT}P+u#g3{D|8JH%Sm6!!im?EO}m>+85WZ zslbG@r5H6Ie*#?gr+1#}Lr8kWrapSo*xq($l%&S@$(U_Kp!Mt2(BiR6z=!kCE9t)L zTl-VyJeKJRgjdMdX1_Z;RbSfa%6@mD(+acg5~E>^r!mIG#eE(Z7qJy8J6=PHJ7IiL zo)8D{BxEXK^#qwJYz>>8B`q>Ogrzv0PH{#$zjkeySRJ1uREbf{}i05Y@4{P=?;WPgqCVaxUuUKNysZQyq9| zB33IiPY=B6=bJb?Ab+MBx<>ANfV@;I{_Zivb*;_$cyp>AXQK5CtjH{|^7@XveE$T_ z$!mBV;M*i_b1VD7KsWw3^I;q`zMC+&Bz5Gq)YWVDKu}Ol3!CTJ0YylB*G5nH?n5jR zL=1ZgU(D+>E^7eoMrCR2LsfLm;5_V_OI(&Za{(xjLh9}NnSPs#StbJ>c9SF;L*LKU z<8$uf!Yh)n37^!FjdlP2Fjq#;Nzb!8GkX%Z#Zlgq(pWI(G%L1&W(VvarKgl!MDQ{} zzrH)o717#2oJS*c|L}bpZ4Em}Ah|R(Q7S}F$E9FLlkx=HyQcJ!lcLjerEZ(=f?F^Q ziqBoDA03kKAwLj|RuADb3YzIWls%5p3jRTVVj#E5U`JzR%K{BMGX|rdTNQm7=DvA~QH%R`N(+H=<}+7dFZTI$F& zI1;zcdq2R(v-|l2OXcs4Bx0{`@v5gqWKuK%xl41(xLhyzqIZEE|00WCTA-{U;F<|6sjNswYq_sXv1#*!zNf2z-&Jr|ZChXO(?Lt=2@)CYu(GC3EtrCW=X;@slj} zyzi1;G~4R$w`~2?H&z=?3%9;oS+$9Ac6O{m1+dm?LysK!MoIOS99n363|?OMASXqzhjd~X&H3O|<%o@n*#};?><2*K+!A}vX-;*;z#*!>a zq)Z&gj4JWh>kl8hs% zzgD-g0$;sdyU%Z-rQTAnH2QXTEDg}F7Wz}Ex#`ezxMHub(%A6pnGT^z-@?9aY>*N8 zYt=Lca@5gpUH>#a_KbULQa(!g7|GeNko^kfAAKKK&6G0*lZQMp;a+A@8Wz=|hbuyo z?OAWtB1>w|7$W(dd`?Nd#&R*KjFa{k4mJDCA)2AwfJDoI*3h5&i5}$X2k?bd71K{Z zpaah`&eRRbH$$ok0rrCc{xItEgB%nIBO6C$MvJkz4;mV$hK*-GVbjZ&ARo2N6lA1`0JwDw%6M7SV|JdiX&{4)Q|j(5OiZ2A*$%pE)vbI#UlcKj zq{gWSmXjWd-$!Makwtw!z#c#CO);|h^9Qfasf(*aKF2>#Ltm@!;Wu5&^8|}~v}|!5 z`Rp>4@fK~(-p99Au2XN-uqfVjfnnm;*SX^(J)@UxwYqVP{zKcLhr%;GY?oh zRnyGH{hW)d>w=Boo&d3dfy`4W2spW*S>%YhHpAy8IZbsR*lw-*%ut|OVeT1PtM_)) zMb)YI09L`U4-QSp;uPBBx#>&aJ3-JtoEdLQ;B|=MzjEc!z{DE;>oSXa!2|{%y7%t4 zOpi^X^En=%VRmPQe%@sRT6rqQip)z)r!DZa`ED?X!3) zEWeBRO+}J~p8Z@j~#DPW@NWbeYq1N#g21q=(^&4&GW@qG-1Yv zXsP8B*`{(B(II-CKW}0%wsK#=V1H{PrlHFqF2B{A5?K><^Q+-_0l5h;-yzKXam;KK&9>CXhV!^;FBsrB!8#x)_83Q8lTJPGXdKX46wpP zz=A$!A8y^QJ{I?9&jTe7C=fD+0un&y`(aZrtiR{;WDY8vNKCDyK+bqvQrNubQWLqd zz074xg(EQ-GIUaGZe7B^0!z0HYU&+Ami0JLOPZg@7K zySX}cgRT$%kD%l6cYXb{Zy2H)T;>c7&2d_(u3zWwb?vkRv=MN{hF9}^UP80%)dq$z z@T(m41|WT=9eIggyM8&X%r;No??Afb{fPZRd~Nk%Xqs}S`gbFdH%>&r4>G*F!T!F_ z%|J?No%JnUhP(1Dk$?{eLM!c|W$PnIyb|++;oCJqBZaaw`#}jKb2>U=!zw@!>H;(@ zhpw?fi@tf1ppqcAse;|&&M|5c3W&g|=bnllC|k@F8JHsMb$JbPNuMHmWNleZ!%awA z&&C9D)<4cH2NZGK5lB* z85qvMzXAq1z+}T+Mc7e)7(GxLk6OpMOP~~2MSsxp7rQDOTp~d9>oA9e8!YM3^B8Ik zB|A!tpGmjMyumPs9hY>6?g}bKskMD^Myu&2Cng?Ufthtqq&(hGT{eGJQDG+9HtM{Z z?wlCy(JSOKV+FW6pGT?~mGK9?9JX9hUzFYi%-H$eSNyNlYM{uynC!IZLfseQU<5AUL1KVB|7jCiCR*7j-?x*EI`SXPRmn?r~5Zd zU{s>kH$m>|`D9sCtimn&w(>qX%a|i}VC)vMwHqcSPO;Z@5Cb1A3`IXxJQTshj( z3POO}>lxi+D|(^~1>XsQ284y*Dh{qtS?))v9D}W3C}v0qcT>z5 z>-lj~d~3o-y5Jf2JTZbWy4|U^y&{_n9#3Wb*4U`XVbCL2w+?eO5}!_FB~T2xrm=({ zAMh)<;?#Fm>j1irb=#J=_d26=k|UwF^*p-Lmeb_iEdM?3NJX(gd1BiTaj- z8hW;8Bb5T~NL>MsRR!P&26fv+K(b$}do$wRMSzls>%T{g7bIT8lK_zGQ9DLAs8?9e zsO#GZ3ixS|twu&1G4yg(b$MUmW2XO2=7A_{GucHrX^bavn5FpyXa zE60?<&14>GHb0z*l>V~vcHeSy_UDnB@M(u6&?fMv>X4WMg!i=zYW3@gZ6c9#phf%b ztS+O2KjwkYyVfM_yZ4PPW!uHhb~k)i6|#DESO-&HYcfWQ3NhwWFPGOQC+ zRy|Hmd}zuk{ww}6ef~=glmbIn{03bpIj=~|y!|UzvqQG$_yS7fQ+-8lM{*qWUK9qV zSbXpOeD6pp*Zs`~uJl1H#SZjoK|5(=ZyB?d>Lii|3&b9lB9F)9s78&aL7SF_*JQ03 zCQA6H6dm$N3^=idGu93rw`~F_`cQEo97l)MN~LFeB6y-e6~qAF51CkbcQWXw?=uE+ z>zVKdW%cehwn5~~ro3s-r+$qkxS_zIr5Z8D^u$-o-V&`{BW>pct0A;9_6r=aK(2GDj2&VvG8A|z8%1i>I&cF%jY*?`JL)?~4`{X7a0XXn z6EpcA?O+|W9{3eB;2_kKAy0`Bo&h{SMlU+@FZn+l=8H>6nO9QEIc8`59WKlORqEBC=?PR3Awx}r^7W+OsTzd=-t#uMGE_oyNK zZY!1ag&?{w!&F2v?@+K~GXcPY=~t>}p7+1SVHlV@0wyhd>nVj!NSEM~!S_#Jte4I0 zEWIn|v#>8(7w%xj=^rc?w%`ZquT*Pt+8}uI_nZ5hD~ch5?%`+|P9z)8GAVN-B^7!DZv_K#3Or zmM*3i6SAvJuGifHvx#@iC?U6s zr_#6~pWEX{+1GUrfX!PyfyRd>O0tH2TXGSNRcStvpx0Fl7A|8b@NRXEYFV|tgkpr)Gw<0epxaK`9Uu-)2d|100dix_pF2gxZv zLEGHeECTKKS-EFuuCE@ySgV|lrZ?5KXA{8(`R4j)2{{;sYv@}4_Z{h^Xe}V+mCVQ z;^piCH~tXHBgG7%V#|QZ%*F|h`^3VGANw=gT5vm-Kp5}fGBTT=DB*xIY%|Qy><588 zxxqgCGS~uNTcuTJG`!&vw#x0^%+S_pUg{;`JZ>*kD zVxo(Ss|Po0-Uz>)T{cP#rp!VX5b#8Xt-z4;&uZ674VN1 zjp0c3koJJT`}MOlU~$Gp3?Kfb+`JhcDQip|^&I+#H$Xgg0KNs(R7==XGp(PWJme_X zWcPn*>W;!IHo2-lWpZ1@yB$_m_7}Q#VZDIXm``*=6{O(vA=?zr-gNGI*G`nPV~)<3 zL#;)xjGPa`dPT;C`$y-uWZhRLIx6^VwkiESk(>>+-F8@{_s?JSkD2ll!|Qyia4oW> z81*UP&H5-N8*Z4#f}mVJbYutLnd7BwB1khn_{OtMg5+Yi5(&jRuJVJKBC7j|0iGM3 zrY%qtu7B=nv@XzD zYzDd4V@*Vu_oZp!MYPqaQ&ph0ci-ce8HML)TJ|SA+hk(6O6f{Ey%1hztp@lyQWDDtek^w{XZ+>mgrR*tBwF0&9N$P#z1*n!eB{9T3jLQ(F&dqPT{FDw@AcU8()}^}SM7eI6^`&5HB)h|%V`&0m_<)%zI^Zv-n8My(k4HNy z3#C_{sj{vBI*<(}2npOkE%|0vb|v3C^humXvRRT%x!|FRjB_4mRQa3CQ!6aea$gfI zh9YgSSF!oov8x^A$iA{B2wDW7?iAl+DLle%+8ycyL;|GAsvjG_h&A?T_81xfpHX|A z96g{FW7HGF?myo8iJY;1vExSoqp0uH9Ra0KqOd?N zqDHV%u=foUwpmJyS+--42h(jeOR1pSv$OS<28ZF_-aO7063@Wad8dDM>RpO$c8!q8 zU|I_^5AKm!toPtg^oCUw;Vo6L2h#64g=nL_>+#}&e$HknXJJn35DH)c6VcDgh5?1( zEumym#_8MFId<$p1*~(m&ks4VjAU~la{hRi;gGO&klSU&3r6*36@Yw8}KQ*;UV%@Nm?jS%;mTz}=} zvQE>2r3tp-#}nu74ZCOVfV;NZfo27kH^658P2A6u^%^MSKkYz55A}-3k0fKTFju-M zN*dDW|0XSm%6Og=fGmyL>%jpZZ7Ncm-Nqj%kn0EE9s}A7w7`v~=4{YCQ;8X2f$X0A zVsZx%pZ9SEC;$+O&V*%Loz6I$IldS$q!45$R1P9XO0(aYIs4{eMMq>=DSh*P$zZgV zTpBqL5)M#M;NkWm7IC0Y=nEaNTC*Dq%l0jODbc6Nt9`3lw#lhoA;F!lLbYpyfg> zEG<)P!Hfh#vuu#-QF^vkS-HZLRJpk$7|(zYo~tri3kDe}A3bjp>%CM+y_2IiTsY?S zJi%3InZy-)#gWJ{`}WH#iz?X$c^^5zn3rYcHZ)e=hl`h4N@M*?aN8mKrpsZTi0&8D z`t&SGov~FRKqI}6b{w8zd{7YBd;g1ikJxI@lo4>k^}SVRu=C>coUR@LDserc145h9 z;%$7eviR@47)!J&Op7GIfLb<1XumW?QGU&7o7hn)6d=sXtsZmzs;A4VLRx16 zW7jbgEzIu%fs!R}A=R~9y{rA&tHO<(H-Z4Q;5mq!cI1)@p=e9ns9v#lF2l{OTB$aX zWGp;@{orLUhS@gnK! zL+qSua zkHw*a5cMqhrzYi-TP`h6AR}_}4Tb!VK$CcticrL9dJ}v?KsPE(H)+5}+TWk)djgvjLUtXIL5(M?y|AEaD*Zk?VVuEsgDUfQ1b+95a1x$3L5T-~K>G*%Tq-{vIey9!)nY^CV7Y5HMN+uVGga>+uWfkV>RxbeUZ@ ziXy}slc?Fw{O*To&eqc+CU$97wFhtg|j+t4O|FFZjFm&;TSftX^qkgJg$!Ck`#ak>nBIrIu;G5?_)rz@J?281`}pS5WV72+f zw$%4AUwSJE!4w-N=%By^073ljCSCzHPxvR6Q=$@yoB{+Tpjs5(!Gc-({%ag)+^?6S zGv86Wwq7}dAnbCAh=y6epfzh|yD(3fQu9N<)H~8aeIo+R&dCW11x2;PS0M7OAO?hc z*XduI9a*kY_;JX9IxIKjsxa*%fGO_F)l|x$?8>}H92ye?cWigF*H9;)jblMoWhl*H zgysG?rjYp!sV}&z_n(_5-ajy^j%y?UOu2*=Oe#1e&?wQ(U1PZ`m=KrU>-v5SK?DX zfnZ){OR}^UTURE|x7zn!AqT#n@_X}#y=|x=6XgEtNbUiX6%8F&Lia)YC0jodi|;Y> ziH4SsV#7WfavLU_XtdmsoXxRn?4R@5j!O+Lm_@s7bvnrw#z?>%E%RuOB*zjIEj)6k zzLz^x@_Ff{N-=>^6C84Hx#h7hY`TUiLG=1x;A@+c-D5wRE1Nea4(Bi_!3Dd6mOA%K zv3Skx#pIf0!gOk5D7?*`$b47dlGl(bSZ4RchJ#qBJY~XJh@{$r9{!w@BQ+GT|C3k5q~|CR1xuarn{UYpI8oM(oDo>DD@N+6yb^0sPmQTnNMVF zn!62?pIxg!X<}B%R9qI$8@w88z17<=H*DanCNb$;RAfJq*Pu2XCQ%#m-FBd2F{D2CHnEy1X9~Z31;`)i0i#B64I>N0#a&M`>m0 z(^KD4!8CchiI-g>L9zLBD#U)0RzZbgnk|;`OXTr)ySlZXn-U=}psX=OkUlBaOJ60< zOA7-0Sa0sx=MCR1_$pUql%WrTSG3i#IYuvG&AkOa-N!Ei@!1Leiv zL7iBGS+)Gm>CrC31nslcPdAei<-K>ZCT>Q!UTAd z5b!fO5=0$Ivc}33ll4AaK1TCKC2)+&S~f~|Awf?qus`y%*Q)aGW0apj(b0K8zSrdJ zd;FgZbions-~yeP(lIMPE@J98pL@L@M?c+rq)ck#dDxXMj**qhDD>)p1$-*4rbpv! z@r+JW3DIt~Wsl~qzvQ>-Ch=mbt*V5SShL$ANKM4#?KIep1^!5?B~IyD7@u;aMCi)` z7a_>sNLc=m_E}uAuoQ4t+d8Z2R(qIZ*{Xb3nxMxX>_3?A9gi8E#yMh7hLy^Jm6*$r zWYPy;K9xs3WTb`4sWLdo9V}DJ7}%&UMkx4bDpB432$M;xZ?88a5hq)WBG` zlVJkLZRT6gy2x22LCg_Og4@>pAY2M=@L++#7USvJnWaBlk9~%QlA-B6RH=Chsg_+# zu8aX-rt{Bg+IQC6A6AclxIER`-1J6Vw-Ecm*fbZZVGVD@?zLjpO^+1MmrC1@Zl22i z(b?LW-<-63J$~{^-)JXg^FySV@xytAA~9j+pXe<6#= z!Nwk1>X97g%4SeY$HeZpx1wTXjpErT>WIgLX=4@nBy3ZzE&SSOVIm8l&EUI(C*j(+ zbo91}&<+XWFstT*h2^f~3QqMjT3fWLq-REOJSz6*?v{gG4YfH-(e{z-rK`RT+pV~ZehiDz|V zr}GXE$Y(>#cuQ~SZw=MdfZzi7Zc8G?RJm`YcP%2+3sJM~)Ij~YAum@@ygRsOzpCJ? z;L_AT*L2hyiUM@_@$pjWZ)a}FtasG&7v6(D1E1fW_H@LR+;v3&8A2zMTPd` z_kNb$d>tGUi%BnL+eL_h+!Na1rP!1AmUT-$PyDdju2|8I6RA zU?u+foIM2CxLYk_bh{SI%b|Pc&kF!QM*YYggB2>rlPH#(R}5>P9p8f7YOQnVMK&=o z$MNy*4!!&MqzqT0c*Ja$7Vbvir%XI#dT?-qn)|w%CxIEyei!5WK5COGi&b4;1=0Iz zMGe#OiU-1f8Yg&1xcunqyXO0R8YRm?bq~+r4JqZUXQ}=6we<{>g;K7%@M;uz21OP! zex@i3BV%oSW+}W&>|Yq;jhA(ksPF=3V)TPr*c#zQIdE6GZh8zn2BGCY7bZSc5nMyP zcwr)~15y65I@3p~h>>k^<+nwyH)LLX?lcnTZi)!T9A4$Ny6(1sQat<_|FaYB$546? zetYtgcZm9wV(s9e1iu&#p4=}pE9OdR0eUb!y!1Op774)TXaklxk~%JpT6QH!M$d- z`p!4m_=mIUdPUDKe+51NX=~hES9SkRJqEp%lGgV=0g8#czrbbe|8hOFDi8v2@pqtj z`V>k>Du-{mIkheggmdX#BzlQ87*!mZUPt<(QpJyUg#vSZCNx%AwZMgLeyOoZmldX8 z^t{Y*%_jzIK-wV`Ig^{-H@HEq{+(4UL8|)X_NP<(;L=aYj6^G9t7T@nT%b1!4G;GW z4tA8j|DYthii8pM!p7S#T4;p!9dMPZ`RM&82t|9lH-U)}8p28c!*3mQr<8j>PQF|@ zJCWuhpC?ah)Y%Yua-t;KQSf;|=b*953{I9P&tmu{fmF0c>!Z8zZNdx#7~DTX3Rcl< zpGZBSXL@)#I*Q){aye7$0%fV<-5$aQVoMbB)Z zof@!tKiM%c_1ADNi3QPI&y4}}SAl$Ow{Ah@DU!gS#Gq&%6Nyv*Z7NEioK-?&Y9pC9 zM0D5ilX-E%qY$vEd;7Cu%1JCQ%XSg{`$o_+sIB?AepVLl2! z+u_9a7-R@QCeA-P?Z82|t1$Yd{0&Crpc9Kcx*;kx`lxi$Bdw*|vNG~fTvZtVBYJd3 z4RD40*NGMvDgtpV=zNu*Ot`5Rss!u7>eAIgj4~Ti_==b5< z;`pV}{jTGT&+->M+}y;s_jhGlK9=2|NS>aq9U}oq99|4hDipKc_B|PiN z_^tN{7yGlP_Ymy3dE$?dMWrepZ3+d(eBGFFp;E%nGSV$7ye>7W@sR1vrHdRn(G?8$ zo=b(WpGKoM@@<)jC3vtg;C%gtV-cy0fAFDT7j11Q{ShN)y+5T8iFV%Vd+>Dj6u^Yl zO4X8b<-xxAzmH-GlY+3FzTaANGESRB>}cD9o_?6a399IKGcGtvw*zIyrblJ*4``*vZtXeVvqn%&>#`sM##l1ZQ5JjNPTIYV z@u4f^hdGX|g;WR=x2?F!TZWKuV!ga)tfzxJ?9g~e$P}@lG0XCcHkk)Tb%UJmF35rH z%utsl{5X;Qg<9;onafDs5uUbxQ6IkJiSHKU-hOUhsC!6X^U3Mg_h1^L>N>}=x0~D; znn^>{d_sw<2^nE-7CmJ472fEn7gra@OSwt2rp0nQ*Jd+P1z+t0l~uwX>(20d(fTly z3my~BhORz-2$TQVqskdtNadgu)J6;He(faYCmR>FN!U>oStaJcQDGv@W)8`21-8tb zB;b3eR|c6@SEQL7XHiSSk51?gr;VMo=wZh&hKr1z_nEm{Joq^}})qY@@VU5WkD6`U|KV#dn z-1aW@(-?oI(}vP?sHqMQL(}K-)cPquNUZo;=gD}5UAvne z5lhZ=xNMx;S07!+jYwkZJCX*!zAEF!>ZY$kfkw-FNzqIUS2m0;t`II)KHIlaOzOXF zW2c>&MfiX`q^72}@3~hadc|1JGPGo1k?4Kf`d0K#9WQfAQq%J_Mgi7+{ zCE1Wb7CNN&vPdXO4P#we-H%ujp(8!;^i;JTiE|WE_!R*MxWm|cHmLozUNI)igMknG zXUpZbPUL;g*;qpxt&b=9T=3@T+fK@u_A2h1I+^*dVUhE*{h;YnwIpxQi?Ml1{on_k z53ZDaxF)XO4c}XdjF$I&v2NVK%^-%55hA1*1iw?ims+FfA8mG8qoS@xc~Vr`AI)vG zyXPd@PBr_!13Zt1WJ5TX+l6oG)u-2GI}|NQgvGa6)pJ$lQlg$rQf~E6wNuY9k4ekP zQGHNUc#)CT-52@+AM!D0gf@{-#9iL=Kou&kDDQ4euD3o=Ley!}K}Eh_ONW9QE^wV( zyz@QPOO^vSMCv;)kw#Fea!>f8*oQ-Njx<(Kt`-}ow~q< z&#gLMM3}wq=RYF8hqm+zA8(_gA+OMuR^TQ95vK3=!@4*74X%fT$1Y+n``OLwznRJK zkLfqO5vi|Z1IHyojW{`1s?Lg>t^(&hsJx#K?dw0M2hMZT9O=71kK!wREUwptiVvYn zkj=9}6{Akk2Q?xjG3?!Q)vJATW5#{7gb8HreKQDT9EjqQW4;KIA|LZ`@vTxQp^*y_B6n1D*a{U z^_W^J47a=d_|U;yL~5~GTuAbVf5Oaao!sa0G|~lSR_F`a51MV+V7!7z*Odgu{Rz)257(%#%8=`D}FMnT!d(ba{;P&{Ph!w zizls#QpFkMevk~@_-)B*0{b_W^;E#XT>YH_9~?J-#7?}ugHvUg+i;Y^3{LdFk%#U^zl8=4(yC83 zofNX|Cb$!PSHG~2$xeD3Q;N*bE$&hXDeX&dxL*u+0APSwpN0YtWEh@p&jTj!N_j>q7)=X#MK!Q+ zUFjotBUe~E`MyD`wMXn%=lkKeuhh!&qVfb;9nR&j7BgjwvB#Bbg`$Q=uHM1T`DOl~ znmbvWk#qwo;3kzkcrKnv;x{NtN}Xcycgfc~J+t?c6$CmPoMM~iMFthK2gxURpb`m$ zSsFk8QKLCVeKpq*Nx8-!SC@8;cklT54+g8b`cXU>)k zdvc&Brenx3bm}$4`+1D{Jf(oT&@=f*x3_Z^u z=p5|~AXp%Ko-0$pD0MjlAKrXHeUH|%cQTst&dxbeG6?$9|gwu zctP|#Iy&#pU)rX4?{xcov>VeS$3_LkXd^U1^xc{m^*Do=GjhA|5iNMn;=uP#wHYG0 zpu-iJz=XQyrLm9bZs1Q+TGjc{uCsCe&PB?WBFPCdm#yD?=nX>A7j;kx$4!pV5ai3% z{srejTgkt`BcPsk7IRnMn)l-l5&rgrm2T>-4f+%-&90k0v#8k!=KXW}l)%FoZvu1T zdC}cjn!g(hv0HSC6P2TTQ3bo$AVDUNJ%yLA;{e+ok)ieRpor&vGDl&Dq%W7| z>oH#!R!?oTVYm&Ajro1pT#R;IosJfs*7jw&s{q}oNdlDvz%$JtG>?e_%yx+{l-oJS zJ!?r`!c8<6L{_gPh9xXS9dvf+^o+E1pqOb&c z4VqnNm3b|A5YNT|?s$=y_|m3FAYvi|u}+1mob+4_>o3#JyDbLI0pD60;{0XvM?;!k zLjd`sQCYbJ84#_ARM2MD^S3#1p6Q1na8w?SB7NfwD{3$v3wg`#x+4_zk!xyc?6|r` z2nwPU`rK&yl4G=1u|2yX_Z!~?$n*8?t)(2@9ePkICR#iZ$we$&W)n2G28BRYNpD+; zXi<^N;*^P=`P<^T7*|YTr=lAAA<0HEd>NB#$hUH;fYLsneimETIK&E$<3Gjum62s1$;XR<=4f8iU3t zA7;WoKVT8mfSOx};AdhAb=S;2^q6`}z4BCio)HRkjB6oUY?>GDNv*7`&a#!=;o+pR zYd`LgTm52`k;(PWiWFzUl z;=o*rgN$OHheQ&I_Om_uK_N#7lKiQsn&W`SHcj|^ED2BbtiCkZKp;5*zGON9E}0&K zOQxHWdFpOjD}116mMKR!>to7ysv-h_E@k?`(20jW$ot`(Qx-rs0Yb+>{VP$r74mY@ zFIw?e?q~CEQ;MGmjQ>dI0+0Q5liow#N|cgjD?bauiZEe_l40etq>%Adm5WaE=@Y4c zX{C@W@lRgte>wx&h7F@Bz}B!Nr(+vmid{Wi8I_2q(ansPo>MBI@|P z2|JJwAt`R}nWerrRQ5Gc3}0Uq#xu3OXGP0OfhKn<#yFxLfuwJ{-cG^?ucEa`9B!3$Mbh~NNXtFO))3aN7S1Aew~ zulkOGoIm#8Mupl(of{S7e>ha(OTw0?{`_Ks z;Tp3qaiRFUL>iYopaLfrhGWZ#`ET)Q#YmuVzTBiBR{<6Vr)Q%`=TO?OGU{2&vciyq z{m>9~&dzVY%EoyhEn9i0J9P9K>xUd_{Q~ZwXZq963gUD`43g>N_oB9mdfE0*D?#7% z-Vx{4k-_BE3#2s}-A%Ro|Hcc3q_l=AFeKG#kLQX1IF3aoyn{+OAfC(Aygd}lX`XHR2 zbDHtD2pfl7zf$!$IwSQV97=kHLhFZQW+`6^w5sJYu`eb)J=7bx3xm>AORrbZ@Dmke z&~l7urPh%A#=#HRe_Q_n2V|uOZ^vVZg>*p&#w0wRlBdx`wHk~OOU<<5x&kQTAM$6g zPg>dIzZ;9z!@s&@_1e+`E)U>|!=`+)@q&I}NlC9y#+HStr_b>V(*-v87%J-?f^o3; zR>G_Q5_zTn;R7P?$LDdvO11XHK-*VuVI(Nq0tEpmkyLxdP^H(q~>r2`*WLeJhE zG11g%2ZC(?-K&QL4a?D9!<;kfIH2zYe|4*!$W?loO5hl%y0xE^{ulQCj|qq9Zj$)W z&h$=`sM0J7Cy|5pmx@nN(d}QiuN5>lmdPRnGez_T{lHPbfl`IGu&^L$`QTQ?K_->% zTvj;@#r2D%&L+0f7qbL$9Cb$p)Ozeu#uucJRcQ?1J<24qU(LO?kuG%(c#xm;U^II- z$O_@!%=0XHlNSnS$wPHFwgAfpj;-%f()1<>zknkIEk#Ta7OhLxKeLYo6&AWCj;AUE z>iuu`dlwJldpa!+G=zmT@M|Al5dtPqGV!M!qyN7C*O`AxOJc|L8ah9346mVc2vd;} zQi>)5j1~jKtwbTh;7`yA*NB3Xe`U`ax?_D#XMsYXrFkS+anye1rKdJf6P?TRTg!g%qG}p?`D$;EBkY6?bZ% zBGKQi!jPz16#5-p&iU_Y<`LTne;q(`gX8%Dz*-7?03UjW8l8@t8Z)Ejl?=2%)nlfh zJFhaL(S%K^*JATH&w*-8u<5+!t#R_kP-JI0V}bvi0|kCdp;X>KPJ-@vNCH&{s7{if z5IUAEKq3l1GY_^u{zkGQRYF7d?nbhOllW)u&(42)f@h%p+!G@dec&)^HEasPxnV^3 zMt}6@aBeZ6h>N_!`8~;li8yj@nG`f^@o^{YoYEx8qs3{8yfj<$Xf^Dc;jOs{3AZ5| z)p`&T@#PNh&Mm3?@&FxRs8Qwp|7D2~Pvf~IkLzjSyod~_mpDI@k?zDln7Kr*2V*A1 zRwFiZ_frz49%@%mjk$`84{oOBoQc!JxV}-Hg5iv5 z02;pwXUCEH4R%rMBI4{uwqYJoat`vl8@jfNIS*buIJ(rc@BzZfTMv7z?M|dpc=4U# z=Pgq@qO1DWAC0HdTd)8%$aVYx*W$t+?mCBGH*N$*cd_O0{ulZcWKlYMIh*eaUY5FZ%rt zt5TiL>z{S};%fy1(`&Z;1AVnl!%g$IkB0xathAv91Xbrk=&Phhk0r4AV1k^wWzDqo z>O8_+cKsS)@&e0lXWRK}li&87setOrSYj+cug(Z0-+y&3S}eEhuy{{^2^|BC!lym{ zyUF_Bk-*u8ymMcSWu&;Q{vwOZaa5fjW-DJ-8W-PtA>(q3a5&Hw6c;q30Z5u=hr{iJ z)iB_BpaUIi6+Q1jZSP?HV_S$#enB^99U_%rrnIT=sLe9?VT;Oy?Gq@ zrzwA)5PIH}*MA-JbSkH5=3-ILje;A~@*RqdRN3y@B}&Dy4v!hR4At%_wN!#5O1hM( z{*n_q;c_FS-iiXGa%bDo7tX>$sLaY{HR+LjDd}H0Cll^pC@c36$D^9D0XyIS46skT zXu-=ExUSyfnJof9QsfI-SW&)b0bh3vYRPtCK)BXGpIWO^S=0P*ujS+XgX-5%>{UD1 zGzXC+Xz6R{HDoXPXrRbBoUFL-QECKS&vtAH|5gWN1I_LgA)8yfBBJ;~15i{hc9Y>p&2FmHGrhir5 zk_y;1Q`eH~fMml0MTV(Nwc74MV5v;Zuk77x?z3Sbk|XoXX$O6=P@sig`A7N>L9Uvt zwgH|FAi&+4CtCd%p9$KdY%bw*7NU-!oCvI#Ie^Nl6hr5OVRH6WE@-#=8?Ou?w4wry zu#Bg^Lhi}Z3~QmV2q`qsqDM$lP7~v|vwaSP_4V{{TAxr+MIZ2}MZn5B-QbK6 z5d23{Rua}5{CgZwESdR7QXYGnK1hE5X>H(AOGC8(=rPSsfe{c;fBo?1!a@c?!-~MZ zwD6PXG>`@sR38fzts{O?_5m{=U0qyw<}>asCOO*~TBIuPq0(Ch*T1s-6C{*M^zog; zj+bRVKO5R~x*`@_RW8a-A*=-sWumGpvi)(ZBy04?{Z0)gHbgDTsK(eTk17)aU(Xfw z%*NtD`P=78lNoB&&{<{o;9Sa72vuP}Ik#SM$J*KV)mtEswe*@YAeG;JqRpj9aladI zNSHy{*J6&m?dZ}Y>|%TS_n)5vBG$7LCu`x&DZ_6_ghRtnT6lZIkwrp+R;9!|3#2T& z%?Tn>&uUoGbx4w_UPM+n^(`lT%HHAK1fwmFJ_rr!X?p@I>Z80t(L3D}qz#?SEt23M zBUl??fn9!*GS{+)*=qD`uji=3dv=!4vjRolyjZ`t^dw#@A3-*i>;)VC_`J^+cV)$F zzOB5vng9F?-~@h6t$n2Gf1E%ei}QsAn|~xe%0-N#uWe%p^Z9?Jw_R26zyGT<`7rtE zjY|Cj+y^!OuZ+*1WA{G4kK$R9dHOQN=TzVR>p}NbhS8 zELsVzZlQ7*SX2qh{i8EgOU0Wq;G%*l4DS&CR^^rW?*HrpfavB8+T%^*mBS4Pb$;B^ z5b57)bL0V>G6(g~lfHmc6rQ~iC7a}iQR`b(!=pEN@^BQd(c8s94_FAY`yKM;U-ci~ zWKS&+eA^gBrAjIj12!VM`-U0q$?DGhQH60)Mt)Q30(1;13KR!VXZ-<=3oAa8H0u1nS}8i|kA z`%9yWzKoQjmK&f1-CfW@-I}*8Y~I`jy@MU1wdUXGB97gu>@B$aR6Eqj>gJP1DlSfV zpqTKj+$}L3njq5eIrb3_rht-=B2#;@$8MQ_aMznz5BY#!<*ibVh+=m2GX7IRPE z7|7H*JC3U&jd$;=o=|@3o8vkkdfp~T7u2@HcGGhq+6tDcHzg85Ay$cf(G1TQZJg^( zdleb!fpi^WK%#wAFE*7xb<9NRx~T?pXOze+YB2L$tJq6=H+BO&W$|BOeL@Styvh`4 zANy}QpUmc%iFRRi4TbUs;-vi_6N#WP?r<*cA_l#^mvZIlTb?fhce}Z%vhjPM7NvR_Y$UmdiuI*9Y1r9`j z0F|!tV>gpue9ee>0ex2qAhLQ?7<*U*ehTll&i!dP!1#EEJ5}UT>r)EZB^UaDk#X^D zq2)u3;orDOu=;o-^2?z5xfd7ToD79vzbP_9_7)jm5kK3(D2>}}yIhixJwk+r(SEcom7Pq|jApS{P zt{@eCC-R*xD(vKH^`UxUjgXB_^`SNg!8(71HAth>CHGyzGl~mMj(IjzG-*T#-0*pn z5Kg&&q?Tek`4PO-JD1|R87fMh65K*@;u2jo%64OEPH(3Xu}lV1s9ng$ljWkU!{Z4N zNYLG7cEZ;`$RLoW-#xF90{wLKNmL)DK4n(pJ~4UE8s2xHcNLA8vbgG^C{%2k7&~ui zl8b)e(R*xC{(tdcoyh(ORDoMECD9EPo*EIQKq;-kySM!M@;sjeV!v9zp&{ns{iPc#~VS zsPDe7{CZB6*;w=n9z#51g%K)NmdM6AkBZ7A&n)of=R*e-+6$mWi0Kv=VFAh_fl6+a zOhw%zK7CMXZU-{#mS9{$bP_1j1qVL4imZ&*x1Gsr`-#XSflQzJ04MkM&$g*l*(nY~ zL-^kH+JG{%aer_!{u7!VktH?S(S*cowXc76mc~w@S0Dp8I=eEhr%HXT$7^j_l>BjQ zH$_V(FU0lp97vVtHxei_MhgP7A!eL>N)LdeR1P0sZA-Mdlw)kb2gY24oZ7VvQ%mWB z=q3dg^jr7+tcAX;D@clNS5++Zb`k1c3x(5r0U0F;+Y&&mRYC8ukE@=Mm5~x zIz1#6Qj^QRdA;57(YLP@W2d8)lc#IP%`MsGd(|@gsoBm%#RrjLhv2(^F2H6TqK=Ck zHwgOPbiWq5G2PWPX3)(vnr6q$kd(Kj0qxm z6&-|1;>zu~7~S#}*q9~nW}iVjWfrZ6woA?Gpm;nrH2x`I2VWg`qol#EToi~k1~9U3 zGN`m1A13{5fGZEX^MT84zHeugBcCsB)&K)%TbF?2sCYH>C=Up&vi}ilIR8()4S^vK zkQ`|ep4J1Xk{20h*VlUWmaO-BMzV=malUn#cT?E|4~Vgu>lRS|+zCju8;%PLPQEcC z2%8p!`d_ChBq|UoZlNRi>L2kqy2SMtkJet)p%*|!-%g}fTHwJN%Vgh$v-LCdz9;#;VxM8kmm)f5hqE!UKC>B`5e>_oQy6PRY|O zy(-WLV=;knXG%~U`5l(KWA!NFMqm#=%r<^HPR59OIaB^wN?SA52M*;fbaeRk8%%Hi zhpEIL49Zj!8k{&2p7tVX@~mG$dNdpLabNNd`O+&Lmx}ua&N-q%YTdG75dX3jSCF#4 z)AHUxDr$a`li=xy%@Ri9Lv3}aUV`JAgpN5P@M#MY!Pkt@O~T$TlO~`W=rOXvx_i9K zuBX6WGo6ea%!bS=LzBAup}U;*A5R{kA<wQ9`m8?S5Zz${_F>0uaX)Rbf$a1!H9 zwxUuKju%SMjh&oMAv<*oZVtgJhhKH!iF|IqyF|=|j@L_&)^`JcmhDo*A(LY8nsAAU zh-lJ2=<7GL+QN#Xl<0AyRVQ_KBZ`Yo$A=n5;6`I65}P~7G31}kz(mP2*BnOWOF+K_ z@h|3ZYj-g8yisrF$s1sZYAv?ood2N(62mv5*tL;e ziD$Q>;@40aor;iv?Ar!8fam$#5i6VO8j4qrU9IU!i3^tG(y$Q|4(E&ZzNJ7CH*nLR zLCXoOVb<&BPulgqGIm@NDLbtnf*Gr=ZT7n{ae)g39XQ^YCkQaEj53E0_QQU)|E#9) zYr6`tk^c1o&>*q^&laMc`#U3jYMvI^r>4{uI?#*5n4BNH-Uk9Vdfueu1TPFf`~K?TCB*hVtM(v8%kz1>r4B=VL$+%KtL#@N1l&90uR~t3#8a|%D>WroJn7H-Q zoqa|b$Z!dbogv{)Fw=ORpg*+#hu324IN(}^nXk(G`%G> z;A6Em<~FqI-A>_F_`-h_wK1dsr;Rf{c*8x?@sXq=X1wbGR;;M&^_T(|w-&rP1W3^k zQ@Q*HNrS9r)ln(7?vPL^-RZ^77o6g%85;n35nh#=1lrB^9M5J>xgE=;R%8#M zgY2q~0fkBGJ=vr9ulP!#C*~;qtii}L*FLh+@pmY>E4{(pvXb~=3%YqA9p(z4ujlfU zF_mkPff?fH5a}GFQxf&K4FbvQDWbC)=QV@GWm*oNdQ*vCTu_x@w{Hvq!}HtZ?>f!V z+*iUO$Z^bt|HuXrBF|hQZb|nTTlQ$5_<6AR(c)$<5&*o&RvftjtaH+uRd&lzk!y6_ z65Op-_n7>>V6ia2T$irGiv+PvYu2CsOobqzo7UwIbqxO|>}>z^-wDf4354~`j}Jl3 zR{LT!Yr&42`-lg;0NW`farbxs`ux`*uEAf??CYU}mIj*GHu)-v`Wa*?lrv{3)dcH5 zUy?}MBwWw#=yI9X1X?PyDC!ytJ2?7Dw8Q8IR!a*oL|*qmbQ|M4$&1I`STp7BMU0e1 zC^r$8A3zZj7?(0nL$6q*Gfzw5nq=83{SBpNE| zt#rcz#1%f-@#zBk+nO<_XQ@LI-Y4=jTXs@xBjRU8$yV}@?aCUawYkPe;;4`yo0ZmD z0?E3T9CsPHso&wh-@9B~zXfw$cKig;zBjIbD~ygIfA%{;Ph)6JKX7TGj}39Wr&D$o z^Y~MNW}h{B^vF(HJb6`EU;d|qSxgkp@gK>CMo{XZe}AuKz`-6}{z^}08^7j?u6IM- zKpm)3Nm;tHh@<1(!=ENaT!TIza!j8-+D>*VBT|tT3K7$<88{{5A02YjTp{S!VbMPwxPS6$ z$6i&NzF0jrz(Y1D+S>yUWYCp>F*q7W0#n z-ekJe zc|2F`+WhSn4A;Up39bk~SoF%a4l|&aETUHvhOjFg$$7gT*wx>Jsy-!Ax~qk+KYnb6 z;$SMn-B#|3#8yhBWebgFU61M`*E!!kpV`bkVW{d8`I2f2wU_Ucnhuxc*3G?bF$T(E z`|+Cph_}V(BHfBHQPiM5zTEfu9lC@RavA>$p93312=d>+0weoM5j(LP(2wj_wKP_Y z>hewTvfjkZ-Yp!e%<`O4DSejnhk?xXE-~aexP%M3?1`oR*<7sXFEX0g>a-Bdik#Xe zLPK{81yo}#=0P<3X6TLkqboot>5Y_uoLJkWeQ$y*38jq#5dvO1=ys`NKDI_UG5dwj z1v)eWg2(unPwRd%DRN89R@fsYGH=l!Hw<03lx@Ry^OBr5iyM8=AsURXK4j$Kgono8 z0`RCTpWr2$b3m8+TP;z`BWE{JyQ`03={ZK&XJ`!Ds9?O*fd}ux7ooe=>5a4y9p3+NW32#4L_0IrAu+$)&TAhGo(g(J%dl?- zh9c})ABS=c)Ky|NBcx&}ny^~nxSgo5OJJi+2=4ZmA#|u0Q$Zanwi8)scEnndST5~1 zjK9oHkoIFj-+BHYTVEX(<<_FpJ)U#k?|kp~`(v(a9LKrbYp->$d);g8{Zvo?!mA=q3>kWVD|2!ryn|mo z(c1Sc5W#HzXJ&WN>HIb#+rJ0r3-Mgh%ILy4wN&qKVoVZ($O;E%uB-=Nuk^oj)(CpT z`oG&}r*MnmHVD*kYxBcBxn>gi)V6{I(j=nFal4*%jWVhK%6}d^zldR-5}*8gsGSn&Rd@zN)E)dp0@j z&-ch*MX&e`5&cC2i^2;cqiUN!BNw0D%EiBM@oB!Dv{GPl{tI&`yw{1Hm$1ZHg{qLEQZSKi8YpM3ReFI5Dw#3Efp!cS zOdA6_;}X?b52RujK<>!& z-^MnTVy@qU0$#U@G=2wTHqU8)(_497*N@fs+NtqxA$1uaF}~>uGUN8h0~@BpxBoCB z6UJ8Y??hnyK4;men%MYxvSsS-jR+|(*Lm1qTZf0pTTtwwz5sseY$7$?diFs^{jE?R z=wtytun#479i46rhYjk>^0!?vKXJcNztio@{`&nRhI-?uoPPS_6K|8o;dqtvpI8_< zAR9myC(A!&VHGt?bWoG52Ob)*xMLvMr@JkW37E>mKe_tx56oLJx=-W$ZWw9;Gh@fe zotw%bZU1*Y%#vuPcO;!6n&3BBJNjp6w$rF(C-wt4grQt0nH-W6YbagOc-4cn;(F!3uq9+=|gx?t&#bGVq@Vsj~Ko&jRUnY?vFVw9f> z>fIE?y?H1=13gG1W?jrgcozrXf+XmOnm1F`nry>@+w0aElV^A79UJ@rZU7Y`n|9H%dgp%#~w&*eNxBncb+Q(`dEnfk;YNlg} zHP}(nZhasCRp#+!|KqU^0=Er4*n!8c5bM9Kc86ztq)!CKkYCC8UnYRfF7(kY!u(OpRj9M)f$eZd1>|qy#$c&V+X| zvd=h_P-!zQ38=IF#FsC_Db3H+0x)K`ZbFEy3-M=IO+l@kU2h=30;mWO$b5H%K<>g> z5%7S5Q#`Z>U;_`RjU<9WJ+C^9O+vgz4dS=ii~nMprGA0PXj-O2!RJU{~t@d8odP$F;E;#TA(da^Mw{nzD_0f{^JXx$$<+*0yD<3RRkDr4(9^{iqS(E z>^=`i56XXf-QqdhzKscrxp1jjA*lLSN2>4zNIqcb=Dl##N3DbQ@vEbl`z*;?)wSFO z3o|OzJ7?w81a90xdp9q>Z6k>`gq342%mb*eU%%c(wG~y56usDFMlv-Vn4?%4U=!DIpwW=R;&ec!BrcEc>g$&U_3C0Bf;ygXnP;eUh9Ln2= zg)zQAVmkhZ^LVS#f+<|)mrUJ>1dcuF(|h|<4D58Dxos!SAF17sgq0ARMUCDbJweN1 zELAXXw0QeRCA{FiF6IifjiE{TEV4jXueR++OzmWve^sPcu@Qp(J<%?sDaub%8qaEE z4sy#|KQ7-mP};pBaBhwg1a>LC0!uKdJTa_( zg7tWM90C})W$r;gF#G#vxaqPlhDA*!E;P%aM4VyI$uKp+(#wH3 z$v`wNj0Y|iZqZ~@LhGNoD%KXX-&xbR6xZui_9x>0IT+RS0K!B7HrRs!T~CU37}Szq z@1A7<=8)ov(nSyccKXybOUCCgz`3r4)MRCo&k|k!UI!~r-=z;e@+D9}xd$9cE607P z!r3{hX$-#|y!Qfamzm4C?KdlR*&V`2rvQeX&!QtnrFM{jNew(Gg*-@a@GZ#j)i{vI zK%%@erpNtGk{ww~2Y*sDX7*yUEVkO2{XDprQx}&Q#_C}Z*XM|J-(13HJrEHzcC;u) zY_`ZKn314L+3Nu2vp88sh>If7a)KOy8cEcJ3H4@F#3Wst((Gfne$| zEXhjN(W}>S-?yRI``*QuQV)I-rOFaacB&e-Y0oBiM3rfwc6=sZF&Nm_V=B}O}XgIZbcn`X$;F+33|4I+zn>q z<-J1Kct+}l0?)H9nL$198CAer;U~`BOv`4e-KsoMx~%aQhjRF(O?Dx>RXa_)x9)?` zZ@C7B4>K6&V5lEfQR3?NMQc<`2*gjtr^Z;_CZhhG*#kX9C%>iB?=XfW*F)Wj8<-3t zQ=mtYN(e@A#fZ%ptF~f(`3XDLzwz&B`InMDw*?u=|H1)Ey7sE^vZyfC@SlD-IQ~hK zZG4D6iliOCl)QlrTx4ftyu%mFTh%-oMT6|-N;<_ULp1c~Xs9W+3N!{Lh7>RpInsQ# zw%^+Xo@P)3tC+GX?`w6GR3kqCiG~HbuA!~qeO|=Q!NLywi(sJ3#9845^G~VBI zw5RT~${!r_?j47|B2qnkL^<*td5}cFXn$|XOg{Z#6h3_ebv*YRI+{o^oq zt&D%jJOu!oMb)iqPiGoHer6^R3|0IHt+;8qF&RtVTl2x4ybv~P-Bvh!c&KH0pD z!j5f38d}3GRtQfX+-hGiAOB1#^7@1Zn(ce=(GEJGs3(GG>g-dcAup*#49L`qx*!`a zQL5226^3YyZGQh9opH<>KT_JwHG74JvV!M;)$Wy~b(U+4HlWx(I%M4+P_(i9m(J(n z4JnM=#{y>fI7f#zgZ$bvKteuDto_G5Vwc`c#h3@`yRAdfd@AV;tKZN65sL`C$>>AUZsf?|Ba)jI@^?i z-y!XLX+>lFi2(V@zU#c*d>Xe4*EwvlY45`Vm=IdW^!@Iv?)uR7N`ak?ov|+&3)J zhTaEylS560mEOBfD&ov)T}pV_)-KbK9gt`OACssy;#40QT8fv3=dLh<5h@d_^^H=M zFjiApyYy&;X9_kc-nSi@fQrDEtqP%>AC#=57x=UH{;xSMa*%icWZxv?p`+!PP6xoq z5sl8j%yHy?6AiL)dWWR#jgec|e|X+XxCR(z7=6v&(@IO6EFWo!e+C(2$2T-u1gx8~&ISh~kDmk5@k1H4psD^k z*olq^^?QAn7{T0l1^V413#@=fQ&<9hklvgkMo#(Mj|1B;S&GikMqxJ=RNL{)CJTOG z%*To|Nuy*UOAZSpCz9cw>BFsAue z+69Sb)bP*L{AQso)BZz1#KgZw*c&JzF41)6ekZxl*COf<;6OWWbVZx4^4i>;IzFG+`=FpdA zWu-wr{`><+&*s1zG+NjQD+nnE2!8FcGGbe+oBn>5RDkz?O_Kfj&q04TbAEJ~)J^q* z+5^m5{*4yu3Y|l1dvo@c1opJp4E$TMe4vLjvHB0J)&}HjfaCb!7KJjRv%F6M>o=1kVV7zw^}Q%3tY7%yk4%v#fS08ZRk70GHe2sE`@Tu?CDGvkX;%GK zVua=APJw@)F>1lE&`RFjp9};`H(*!nu`&}#Ch!7H0tGOsw60eohjxxEtF-6-7{CgS zGG_F87Y@I(G%C>to8|Fm4~BQQ*G~N-Yg(cjq5x*TySy}q(nV}>}2rO!gHGV>4UTY*!)9d{`5GpkuU^FsEG`P6{DkcAliyct$sl1UA zmVIqN9&_f$*bS)uD`lb6k7zw-sa}nyU!kyYHL-dkVMqCXabm0Jx19rRdtwEA|K%6q zI8D3>_<);l4uQc(XI`N%l%k5w(E4x*AKDgXR>nV-;?XJOq7buPuvPR=pfJ=AMWR1L z)xw#WADpxQS#+cW1a zL+0k~fHP@yee!w+C8l)w?e_d&BPu3sfqomDqfScN88SrPtAl)8|PEb;9#lWw;Zwj z+)T*NOaym)LwATwET(z&ZNO6q^<11^-SiGAGQSV&ws_RSXSSup@gX_-|vnWq=5-q zP2pl)R(Lvs#1Uj7sAeV~d27lSZ{Yq6zATN}9CE~X8>8yB@0{z|oWt5f<}R7hSBC9J z@B*>_>mASD2mw~%xkR0Mtv)Z+ER#@`Y*0e9>+GNy4}JMcr_q+6qb8_V9O6d=WRX)+ z<<-O>bkLPu$n|IU(e<&aU066S0&;m@5aP=N08}~QSfZk#UK3NWuMfykA_5d@mc0K5vX|fI89~LLw$p}XJzCZmnGuN+tP77f5&DOWzJ3`PA zP?sc2m{8wGN)e?s)r0?76&@s6o1pns(fL~M_Sk>&)^-2c}E_^)pQmjG8rJY?EUp8t;wb+~Fk z31pgzAC-=4Y3P#ec7Rc=L$A)n+5VFmr3o~{sLmScyicO@r;^o5g=AJe2lap>bo>Mp z3KmCo#^%#(p;Wdj1-;-{^JrDsH>*g2ZWV9-irr{`Z0SyZ;)Rsp{TbVbGt|ggRD1RL z3roMVnTmNG^Cny5uyc0?>oP~Rx|`B2MR3c zuB?)cq)7ezFE-Aq05Lfhp{3=*!6tNsFnVeNr4OU9(k` zcTtRdHB_pp~ z2BsD*hCfJ8z8Kzh&cXM&93|DPxrRatqaj22>@`YZy{HkjH-VzP7JNZCW*$Tnc`X>B zr^a`6D1{f8L;xqg9v`w(e({Y1s?Jt|LoVh%qHm$!C5lAQ?=q#27LddPWem_CR5X?) zhn(^~FasAr+oR9#uP7nWm}?j@CaoxMC&=c8wi9WW38T_*#LGfi(Z zW5cG+-18>2zd%D5oGx>>GI-slK$pl-6m0nOdc~Q-dtnDs^_Y+N>bGHi<%5zTi2@k8 zVND~Hq*&7XF{t?4f%D`i%-QDx3Lty{=^ARhkOr3@m;}#IzlsZ*OI}t_w$^_V^!z&X zzJCl3?IdqK+u&{5umweY>Ny>CAfC(PT1Gb>T!+r(G~C}CGZ^T)q<lqLOIeHj`(@`E&q1 zdPnz-v&{_9wOVC-p8bH_Wqbp1%$*-Hg<5~oYv3`5nT!V`ns^9q>CO`D{B@hp6)=Cx z@}<8^fdOrY+sD!$8!|Pq1p9yJSMhy)SE+P0dU``CO@Oji7y_Ta7dhzfd|c*<+i= zmXOg+NbDrao!be8ReTbocjLi4*7qFKLx4UZJ*i8oXsRbS6h8?frd>paA5Im(aHQ0< zLAE>>i!aS^wW}z*k%sIx=o6;?`Z72^CB5I+*}?5vSxA#o{;HK;^J(t?G)dKcpn$hK z=qq|Yg-9)vI`jT@X#O4jhyNHVHcy$PB_^sMck&vwGanV|iGO8~1((#(&4Kz1aMA~K zEXahQ`(PA#7!4^x%?F=N$1crAQa%>Wy1GhbdH9$1wu5-6If}us_I_Vdv z_6gR;G3P8~v;AN;`&y`Y}g!wgVcVGd`|U%8{Q%{*{yP5fBR@xb=`kE9pnMuX^cwVXHf> z!}IUSFc<$2*#&xslGnLAk)eoDjE!F;dOq?;3(m88*(Yu9os>}<9~&{wyNRtNE~!C! z4&8}RHdKO`x*@3QwOpG7L}W;%epJUsga8tN+R?AM^xtL@Q1!hmH6DuaPE+M|UX^VP z*dl_y)s}z75$iEi>Q~C&-<)p#wwG#MA!?Erxw8LR9Z+erPmW4NvLVz5zMng5C!Z`X znuqwXIB-E`U0-4^qi(~XN5&m74mEG;@&y0)l`<1BmoCc?V4JrhFMOL~qPpFV0XBg< zc}5D1B+*2s%4%Hkai^6$p^sw$?9}tJxD8zi>Ze}aU7yMWL?-88`Dv)FM)qHrln5K3 zCa`eQgY7?6NqUDg1i$hXwL6k999ea`I!`Cc1lcc6DUqZ_?F6{5JbBYgFH-6N~U>yFMQ= zXOHf-Ji+S_SoTS%qhrXYLU8xhvbJtg%1Rg^&MRSMD7Ca04 z{>Z~|8eC3{YqjebqzKGVdl42a7N|{n(#Dh{F){I=kwYq3Jn(dlba_nH!S1C*9HuJa z0$Y4^+g=H)ZWojXuiYtcwl@9MV*c|dV&?0C#G?$sIAO@)JL~&$Ykj2V#C_Jy6DA13 zv6ngx*A4I_hjPkT^7UY;cFQ}Ycm43G1aKTiLJmHCH!>}?dg{bS{{VK)z0)ata(h=XdRq}|l*&eyBIV&v6@%-0Lk{Rd?0n>dcLiv&`>FUo=Y zu^nerjLP1v5_RKZB*6F~`}B?m2B`(Hknr$#s6~}qn7@Pk_9Z&|jIDI}$;E^g&g4Wd z9=lMIA@X50xl>e5^@krnn-&awhhJ-W4UHUJ*L{-a5O7-4Nta{)@?*KU5R_XZ5Or55 zOdulG6nEYonJ2ilEs`q}yD*+kq!v2(p!xN%Q^9_kaek@3oy z!hGP*iV+?a49y8SetN=Zh+G9l}Baz@`CRas6LB$2nt-hF63%?H&53{NV3Fhwo( zGAO0rKXK`P7KPOf!+D{O%+M(pFlXPy%H$QEq3R9=pN2#jbA3e-*42N7BtHH11Ab;+ zhZh%nS1$q;;K@ghm>g3hBp#x&26XnqI|Ox;$_<#{(;j)MkPm)J3+Mg%$?m7c+ZDfx zWp7%ZW4E{!#p>sgVOIb-|6vgMg4!RGzk4~;b6{Q4nQFE2UNpy^ZnXuwBhS>FGu=GG zrp|~HRp0MrQpM}IGT+$oM^b+45KUlKiz#)U58-nUm`bC8yr_!c! zfv~r7B_?p)^xv2e&&|C}eQ5ew-TPwr;v)xKm7s6RIrdoT3u2PMvvmov(p_`ajsp-& zgpZU|6k8PoKg}RT+7kcr>)3dmj_RpvEU&)nKG4G{`RQe6=Qypq>a$!R@-^n1Kn%0+H0QPnpFQ2glpcun zj-Z)XCFZk_fkar3nuoIDUNaR1R;Aov7Q^HTv7jTcgW*Ed&tA}^;Bjzph#Ra+WZ&ArDI> z!Mk6i(KA9B+udkq!vBLqBP4m}3nvt@6{E_(WLMO+_5rVA%Zm%5t50gBBhwwCz|ISg z;!CI{QV-$Fb2F8HJ#49@ax08REsJ3O#I$26{hRGD7S9@XU%lLG%Xlyn2-kh1JKsi2 zZB$;}`oUm=#3QWqc%1~MWrt6SSOze*tPY-bMN5qfEK|0~DJry0@LW9YPKAZ+tjAT3 z;V-rQXv`ca5DXjULnGkNG#U;H4~DlN%gM9N6F3WUE$#cS`rI>M-sByQ#8rVeOVI4V zE3Wgk6;n_xxB=H`^Y|!t$d{hSsIzuXjt0gX&o~%5mNF~#_{j?w&1-`bI5O-O92LYL zV*;xrHizvVEfA|&mdMs*4|xeG`5uYtQbc@I4jl4^S2WOtrfYY!n>*lL3c(-^CH^m* zu%#Mu6&pQ(TJoDX6 z-h|d>AJSYjMw4h7?xqo8EHSZD>3p6Vzm3WAMo6Kq#Ln%H0R&*8yqtQVux znenHj&}>G2xxzT2_arR_vHC);OEuRzn-H4yG9p=+FPB{9Mqxo(Z1G+?kai0Z1QmaH z;$e(sWRi{z%_ffl^t$s2Kj-CJDUml*x;aHTOWN&EuH zQW&nv{+p8O$%WTMzyezih+Y*#tJnT?o3jTNQ26fvd5kVrxKZl1~nhnYbOC zf9$Yi@r2{0jYuQ;YUZYrrx@$P+ddlJS1tz3BK(z|Nu{p61e3~+xLb4*xV}25rcFvc z(T%cZ8c9do@5#3}zi2Bv?Rr4aVr`a<>BT25n+fd!ZLCMe$SHd4AD&WncktWd@*dzd zZSY9*JR;NbiAXm<`0}$*Q>mLi7=MFT!C6OvR|I+}?s8g9NwHj7ZEjlH>jU+tYzr;D zKiGQtZFkll`GFhEpFD*)sv^J|L(s2Q@|@3=w7?;HaOL`IYsK~1`0xO8Xxea~PMdBI z#72jbtrKms0oogqGvlv1nlUc4ln0g-7+7qHN&%Db6we*)W{C@epC!40!3J&X@-A9v zx`M4L znTPqF_c{!6(Mdpq>}n90wHPnD9|bQJUiKhCn4OCc-sKKW6DYyh}6YpZ^zsQo*#Kzu;<=Xc|2f+QE_ z`$)c#OBXGg8!K5zHyS1hK3c9h`JL9O`|E=lrH1{v_x#fH z<#zbK(@+O(>SZus-0#_}hA2*fO!s$*%z!AbvH+t|QOzo9|2VV4zXX$ZLiU@7{WjNl+)kYd5L-N%0HyaEl zZgi5fZ^Jb2_?$J6KFv7RoB7^|Q38XkrHy0p8;^MLTyUVL^(o#aaK3f?Hxv?HypZ^K ze4&sw5M6X`+vBR3&2bIjvDU8EF-E~}@`b3eU7L+IVdSuQZ%(^-m$R)`&E?3<(yU38 z!PP^`YLrbc^8d5?pgMc>>TLs9{;ZyH?h07F7#&~QbZ;OWghN<$b!=}*1lV=_+gI7v z?h!5|m6z0NQnY|{nnyG^8;!jjnEfYbu)r%AvFfoq+5tFR+2@^=6bY0S<9X*^y)qyX zcjFF<5l=#WEGND5Lp9k+=l9=aWge##^}AzXG-5s?&q@mpN}&T;9H`4np}BU)A^TwX z90n!rs83NLl4`;8Kqh#R01e)2QFpy#(>ke<*M~iOtf4uO z$292WkN?HS-Yoh4v-xiVP4+az1mtsz3*Cu?EljsoGj5jsDJm{{LtKffqyApHE`C;x zIBg0sAQC<8>t0;LDXd}Ya<=|aM!eS?l^O6PZW*1jZMzt>h(bWrXPshLF^K`AL>)Q#?)?%34qiDf80}g# z`g&5Uysh4f6wvWjb{Z|==?o2M1@6Tvb0zb1AmWIA% z`*aQ;u;yCi9L%w1n|$W6`Wa88g;p$@Q-wvK^k)zY(uWIYZ*VzHWrv|f;ZEQU5$TRbH4}XPD1l4A@I#lRyg#WYGIIq-* z9Pb*%cH@$fB{js{#KZr|CN!MFoT~zM91Z$pl43$f2iM=`P?6=q6SWcK69jzYGV3-i zdz+#?-3>>w^)N`+t2Ntouz=sQXg5bwP>~EVpQs2S)=b{`8Nlu>cfz5QC2Dys6<+Qu zL;0VH;1!-c1L+qwrRpIaXRlPb3{-|VRJxT@Xj9w*DH|Mk^ip02Vf=UImr;Nvhu1cT zE+Ob^+-Xw0B72tVIgBb8D)^P2u1-yIqfJv)ou|td)f-VO-)grkF0}8L6dvj);HgV! zPM0Jqvb^93awi~!Ah^lLKDEcTL*qlvNTgbPD-SurTw zW_yIfVyXv>XXdiLY=`>1h&F(o$-^PBenv~vgH`QagWC|ItGgJ7%!TS@D7IGmlXXt$ zBU>gbHY7dl*w;`<>Y6ctOMQ?391(CK4NE6p(;192~igr;~f7DONlRf|4pQ6pP_6tkC1JSkHwc)=YIQE<#HSwj%LfCP9@tb2DLy(y_I9Q%{@_} zUB8Upza*5NIMaM@=WJC>7Em~mz{apl(`e|2%SDB_LDr8=AzU48dXeTGfwP(^DUe4d zwD6%k@ZpKUEFTAS6C-7VkZS}Pu%M|R62NnG(~tOVTyb$DbB97$biZ$oq zth8BMjj&=It#f@>CbZ~2aQEdzUUHnrmtY3>608cWCcwl2XM$0~o zVem8VVMONY11AqOa6G23GxB7m0@ZjXQJ*DRj(S6Dkm@afuG$w3s?mih=0Aw3*tIlb zS$9PX5BO56t?vhAw>r-o<~FfJXuC<=WLF<+sy%SHDba{`)2&h)d73F+Xtdy*iuI*` zrunP-R>#NOt%%`rRBLm&GNgHj=6r{z9`%F$WG#YwcVcW1H+@%9e6K$U43SBUmFryb zwnR$2`hD(6_N2@_yn-;sHE>hS^ueKYfT0oFqp7!L<_p_JG_nDy_vwO8hTNY{*544m z!t=g77E5m>hSH6 z0G%?GHz8ek)YhGE!nWvD6HM>WyoWqwQ|QBJSlYQ?=rrFy`TvD$lkKcsciMd zF*|%OH$w4t9 zCbUKH3ZTBx>*x^hcca5S!NsuucbUl_qiNKPcs`V)4I;e?Ef_^&x9!O$wh7bc**ZVnU z^L%rxAMQNfJ1B$K2gZN`+R${31@hJOf&|ssE z!MFDg)D>crjPmnk^FDI)DSKqDr4sbfl6gGyKXR`NAnx`z?)O=1pfl`({akFfoK>4p zJQn!Tmhbzqlj%L`m^rKLFT0-K`Gr|NMs~6OB3`rL?T?o7(vyrO7sBArbyn#G;x_(u zR=15XLq9yDrS^&JdiDDuntYvjP{^q5BcELR2XP78@MOJgBE*CQ0pj{)PmNn*JY)*L zr?v8amnUV9=0z~&kbLkgS7jX6C`EO$%+Y1k$-#K1BvZnN3mCJ~B@Ym02A#P@_@RgZ ziRDMXIcLiRUPrGm`;t&-&Xw9`w@EwKhh`(UC2ugHu=9gBi3n!|(U_=?CWjqOZHao~E}td&PL%*EO}WepqWn<>UbunLWlEQJNX zC|hv6CsB{D*Id?h?P?$vpHDBzck8hf7e?@dwTo@yLhG^5F}|^aQlY7Y<<+WZSy zrk}lP8q>wi?E?XhUN_fR&e7!2{esKp^_7IG*vfSAkPGxF)=mj~Y5xworYCm==O5l&Gw4{t0*?&q|HyU7 z_qbglUzj@(P-{shkSMPG__4BAuHRzd)KvN?_xq=Xnc$~U+q99_t`exP?(x!fgG;sM zEJaCy@?vod`Fac+;;CECO+kFA_u%6CiWE~~K4(*6+Gm*dpQEi;JmalD`msQ>Kh|0+ z6MR2v1+&~3u}Y34R^OtFotg0`7s&86QrKlje+fM8&|SvK{tbBc6KHijS$RAlL1>?T zEdeX%rD7Dx{{a@K4?%F3r*t=h196w&RNOChdu-A)5c;>4c841=kkUAvzx#xZ?6LM?@_kZDEL?$aEwAc1GJ9iN0Dz9sGC%cvK8?oF zkL3?G?rFXO87D|{6&HcF`hf6k-t6hQ=IXSZ@3#P1>L1T4Ba(Z-gdnkh{17 ziqs*-D`oS-w&vg=aFM(XE0(ky;bGrcaRvJ|?>f=8=|Oy z6xsNx%d4T|W?N(QR3Wn)WF6LKx5?7)MEG{Hp_%6!#0{U$S8SCPOrHeV@-qf={t?-Z z5C_YTJFu|PJO5%@VW-RlfNd?0J)M2anbM13ta++eg*;tipDp;Ss}b$BD9xO*g99H7>ZiI80sk?|CL7TE4sIEV1dIdr%-iwP~W8RvO5o zd#p&yqxBe}!4oA>9_sph^o0wNZx|Qj9(aDlf8-UqgnO_tDNsqvymTW^ZjMJ8U}0yq zR#v$zN{$|_T|R|=WM}3-X1HEgbZ1j~`!hKJWVZJT{dV*G4f&X?HSV(}FR@oLeKK#@ zTA2@dI!5nC5l&$2JIj>R*!O*kd0Hg!&~${BJ!L-$o&2`KS@Maoa@8>{W`?@R*@YU3 z$~M%-9$deJUs_$ML>?AgKjgA@Rmuxn)2gVEIlu19!{QY7{Il#Y`xuCDB4x;qADYM- z?vr&jVw{WM4YC#e*-bh;`JghXJ=97~j_l0XV0Lwup_KA@%BwbpbYZwVPk{!J*3k)Jqi9`;;SLSQ|Yy=xg4Hi^{WJocnQ`YB}cLk&bk5j z=~p^{!1t|kud;buJ`8s@3gt8piX~N#njJPYQ)&9{>*uV#DrpXwQQ#ebyj}jXcK4(6 zhh9E0fZ^2<>S|%lE|;&eK&S0rRQU4>8=n^j@(hGO)H)?QVfsGA2Q%h&XCeK@x~$Wz z`0b(D#_Efk)GYk(ADw(3M6v#hk>-kn2(|uC-umK zg{Re@T6z*X!`|{_p8FU3)uF!Ep}&ldc(BbQSpE<~<`EbIgeVQtbf3vgks&x~r6H&# z9V#_IB;{u$O8vB_M7&CwXDNH4>U;Go(8kymb@YK8;5P7ZrKNs$oh_+~EwYSa89e0q zKdm9AGrXn|j*;XRMP=HIx0e#daKlw&z@}z{cdW@ue+E^HB6kF|EKL!F9lSq5- zNV!)$i#M2st^!49p|Vv`GxxKwTtRhMEnXK-TVICdN%w+SzHjZrXUCcXwOh}uR_CUW zFhm2q!b!hXDav9?()MriQ(WA%qlIaEm|d*mbe;D}Q*SJvX*^%(2=s&?ux2l<$0il)$4$Q1IgXuL>Jwi^198CVC>uw z{&1bQ=X+!6K4P5-G{(P0)vOE72uug#lXu3cR+UmZHe3>HE20SAI+e~kDPA-9S?l$t z<4joLjN~d2bEM= zo{Xn%S2&2zO&-|(s2cA|j;xU0v2KnS)>|R!wU>y~=tB~G>%>PXqCzKfF{!VccV4vw z(BK}Y>SVzx?mOXR9DYemd|7t9|94+&VekR0kQKp)=OQ4;u6w$$6{z0=O^{(ML)(N<< zGNTyYk7BEC!#r5SffPv*rPm92+w;>dQJXAYUmI)MYtK_p|mLsppInxD9cVGc$aiI zJ`sa;0hhzyd<# zEEkXPsaU=ue@VtvtWaeLlj@{a{hrctoC8R#BC=P-Di2aCqfoo2u<-V_31)*RfjMgr zzI$UQM}f`5h3d;$7hfJ8fsmiYPP2Ol>lUDyjP5r4-eC)%tJc=d(x`1JK(~wf;dFJ2B?|_OvuB=f8 zU03Y}(D_e=9qwY>VOo3%*t2D{+h7pXw`*RNP@aT=6PSoTN10N-a7{8?MTB->E2=5 z;4@jeB^)S{3{h&&c;xF|rJR2*`!GE!<}=^GAZ7{t#j~~MzETz4d!h<@?sKV$@h?Q9 zWoSs_7+Ecim^}zbV93;!&1hPt6#dP)t!MU3Lg=V0GP{+!w)vD-iCU!nSRwx;t5cuY z_J;SD(1*9wvl-ECpg*D+_PeK}PYrklI`VM9FoW{Fyb9emheu~0EW}d%SKb$?4NH8` zj8jYscDDAqPsECyvAH?uB?&I$4&KulRr7L4{#PZw?F|y7HmS#w& z*EpF|gb+`|+Mv_v@&`L?G-85nGP=B6sdYXPnUr_rxfghB9OcO_B^c3LlRbA{V;1rA z-EER;OHnD*1?6<`oN=uGnrIIy06s>a;^j~O{mDsKzCCWa!0%TO1&$MF{w`{QAqlEH zY#0>oISQ1Xpw&juDfofS&QS9^atn96b!ls%G`A#YTYAa-O<9!PPN5VA-J5Z zNa|F4Sf?{i({k=RuH#9jwr`&yb=?NswT_yw0*X<;7<{7ohvZYqlTT$6xKR z1n(WoXPSzeR0Q_+n+5v$Q@6JApQ9GD$n*VV9~K|C%e!qe2we2dmp9=X(ab-4HODl@ zun;wMMO7w=?wNSnbC>R$2o!^sWDd?UdZT&CQ?kwC7` zt=x#f*=lWD$!A{yfM%4upRnrZ=*Iq0z97W#cusnHYk(GL`*nzBi zakV{r-`X5AO5^vTX{82UmdZP-5XCDA<;4>7$9tYysl+M5`k(T2drqoTO|&!UN%ZbK z`Y|cc+djCcE8r+@IIHq)p2Uzr=Zd?Z&Q^J0tmgLdr+mU2Beu)95rJOLPcBJK@KgFvj>ALf z>OwD0UV)D79WAG_HaGG_77h*!(e4+Q&!=yc>1>J~_ZjP5yT$*U>;0$>vVEtd>5dkZ zjxEHzO`cZmF#m-{R$sDzDnVEo|69K7nzd?hP#h43a5V3vqWbs~pJWYlPyDcc=FURC zbC~3GBp%$_ouCXaz#6Vx`_jMD9MeDlA|<<%y1XI0e8vY$xj~VrvEf{9Iq)c?V_$7l z7+dpBt@oI&z)1jn8pyUlqUBKbM<0}M%G(W~%d+C3`plB2LQzW?#q@9!zi$89B&F(*7Mxur3+g^c`3j2CA<=;iU6!7mR zPUyCtAh}i_)T)shwWq~0-{!cK9@TMvW6WZ4VI*~L?Nk9%%q1Qq;o1AwrQY)6JvTOt z9$LOCapkE1yQnGPRuD+AaVL=zu`wiMNg=7>9d7xzgI}~w%G;h}h~1CYw|r2rCkzHB zxzK}?0m27Gy7DK7IOypn^uSa9lrmY_3*{)cZc~eO1)iE7&F;^QsVPCFl_pTvyTa?w z26d`sg;L|cEzE=$0N#tVCTj?AB0wI0$3NN08}vD@E7)BYziqMcB4IvPwBKG~`}CW3sewLx{_CC)!ug=}TPaIe$xqLzg5gc#N$xSAKXJzNt5o;CfEc%PwuwX1P0q@;T zvl5KB|3UsPDZvfw>p#l$fYLmFYACQG`03NTyKEW7pEkx8-T@Px#yr+0FEwI+)6;Bn zA{%F|8^W=2ZVbQYFwK1GmWR#p=igd@?dyqxeO1}eMOwJY`4(S`|IGb0pb+G}xCP-n zXdboOsKRuAosvS~H%<~6l|%kjeQrPBQr%y;H58D+*>Jl41XM2RlJ2N<2c9h8e9IuM z*+kkqD4D6?MJMGi+>(!rSJU|QF?R2JkNajU-;`Jhk}Cx7q9lQ$EgYeg!499P6%6lXB}+n;=toi^+|&+%I2_Sp5r4YI|8 z|GOUuKJfx|`k&ITH}11+M3ruRiSzLmH6n@6{t8?~cObsr`#g3w~*~EriX-+A}wtK4fnY*F&P3z3oD~ zeEm;|m?uq%TeMSs3ukA^>}-O5lg7SmGQ`xwu+`dRZ$fhWYbJNNA=qi@pI;Oc{F z4s@D@bM>(X+LHQTS)#SV3+H6uXiXeAwN7rNhvwgZQK6DAR=_h-fA_ilKgO0I8=ow| zPhQ!NcEuT}Kn=>Jrmw9%DZg8hs^bQKN|Bpug`n#x1vjZ zmOY2{*Y5dGGn3jU5qb9+ynA>~R2{4Q-srsYm9FeB1C@whv+1da(c ztpDlDDcYFn~T5awu`kNWIEItYZl`;H~ z)Cv+b+zaErB1V&*!Giy zVsy%}ZGrh5=#L4NQHQo1!<&P^qS)rYLHod#sbkcxC|7GhIQoXO8<@i^Z)S88)Jb4Ewb#v>cQ8{ zcNLV@{Re@#`Fi#}b?_3@4Q!S@liokg?y=+9|MSK4^eo0=e`CE{;O(FJFY##BQa2`I z=p|N{+!_BNP=nqp0iul4`7Kne?R8#qFdDyCm4b5><3d*9E&F(q2iqreH(f5%uE-Hg zxJ!G(8zs5%^vh?L(M-2mvKt<9>T}(`2MPMudWDbLK7mIU-|QgOAnOSD#MS^h^@A(uueFNu0W1Qnq`$g*~UP6Vm;T)yM-kYDFKD z(W+G%IRuGsjVn7w9IYDc7Te{$l$b0^<8X%0{xIc(v8rvb=8x1a$uR@s6?bf=$dskw6fl*5>f`TzJ<5%*azH=G`c+6Sz0-n*$93Or*O; zaaZw(@r+|$8XqaU&oAnCe&@PlxxTU3TW!X^yXKBkRGv?eO}AKsNdi034p!0*S4XMW z?(cUXz>q4U%R|Zs62?sb%Wu~cR3IYEBT{zDAP-5J@e;Hids?MDx{)S4LI_d&@plY# zFg-FWAKUgDOc$54#_#q^LK01;x&lbz%1sta%GN_;fcaH}Kv&+=(%iONc|md76`(bG zJM|9^wQ~f^zat%Rp4Owg*xy+;*|4|&)b-RTvusHEdogtX>1N&-HofTSt=)8ck4|mP z&0!kTk+s}2@jV&ROD>VR%2omMw>g0VyLvj_je>|AYb?j1`4iC8QoMD5=wIzpM6yru-+FKh z`lvmDHm$lJ7t}~92V9k*D2WDiN4qBm6KSa{7Ui`B6RnTMe#w^qwylnB`a*j!Xsk`n zX&0II^SpJI1{5IsF@I&Y;}38|F-KIgUT0pQmDf54&xJZ>j*l6fQ@$thgD|K`hm5D^ z-!H&?8MN^s0jCMcrumS0>OigDkvEaknOrT|o4%YeHyv+!Y()nM8gZT0;wBU0a^+hq zy!J&r`Ebr$kISNclTiEi;G+_zJ~=X}z$J<}AjkX{gZLLH{bYIy5&R<0+u1tzyesSG z3xwCfjuW6f?FwNXR|BWGLn^0om5YfRe&mxq7@9*=PQKeN{a26oue#bjB%^{Cq_CCV zN>?`R))=#Y$l$!~Z$i0{D);KL4wy!Dl$1&Gc7#}tFUhwIN7#23&#`5nhSSa)C`mcS zs!m(EU@4>v$wK@YJ(KT}F6e@*q7;&?cmB%Fu0VLS6lXR|1CMANSeoM``1>YXbryOH z2pkpXUgA~p3Fkkrm)Me$b{*nJq5f`Br#{}F8J;6e;8S0}Q^DwkL}YZq9-wRfgK z!AhCQKL>m7EJYi_zFQ8~3Q#297QLN&;f`&Y2bm@toG-x+J^b`0FCh29iyX*bDm$E_ z#Z0hVAPT5M(@FbCy#-3t32C5t1fcfuW0uIW%56L4V%C-HN5y0IA+0vX^DP;LyQIs* zWrsRd*7TzGvk}Xq&Zyu2yWR+u<`-w+p4@FYsFYglt4oJAR25^Y;thv_bvadVcyh2BCpM&m zBdguJGFg&isLtKf-b`J{9Vz!AOH{wi=Za8RR0Ib?c@vjm(D>towN&AJ1AeX7Gd;LI zOm+lSdrk-AhL#$YGm36`d|;$1fnMl6zoAt)`+;i9eNpfEr}O>oB<#Y<`4DqaeW&Hn zTfg4WLIV0$%wWykWMs){hmEe4Pi_Sl$YxL4F9i16&UXi@akizKA<96DZ9N#CdOZ^X z{4UJB!pJW8N%x?KXK}G#u}%HV=QGH0tM{M(DRe4=_&H-zsGH^GjI;^RO4gY9)ZKAJmD z7uYwjO@k4e)b32d~;xn|0PPn&1Yx*A47MBo7wv*U1LUA~gK1 zp2&Mht*ud+?ySjNSCWGdbPA?vbnF)!H$CFTdH#0Ere{w{gwf?R$(q!kZQ$$qL{yyd2Z6` zdf{qWZtV%6v<=(ueu3fK3AjEq$_GPv;6(+kIn;%Gc1hJS8G6(_*FX5873s5uDg1!B5iFz`ZRD_UmrSPhc&tEsHvPo`9}!Bj;!a(-5Jy(wn?A%TAD`ZP_U0wKt?2g0$LUYqUNJHl zHl}NEx$Q;`%4!?`NJt3-o}8AKhl~5n{2H|GmEAC3jnOHy$Is8-QqwdH22hh$*gy^` zwO+A*s=xtOpqmbTP$wV^QFvsUR~IOHUs?}=-mu2^Ko&TP`xCy*B2V9@0XU|JumMf| zW|otjuEt5~DZ}7?#efTOqvwiw3AV#0G=jo}Q()7wuu4O$N9lk5y!l$T%Y^SYFz6rA z&ao(Y|IGuH6gN$Os3Dp=nlX^kC*ngl^<7>8B5oKG>_9K!L{=cS`+4BA;Wa2Y4NwzY z_xBuc33e)9%cNm2853;@O2oA?_)Xp?6rB{9sCdL4wenY2yQUWH;n`FyI)?JP71B3e zl36eyDYc8H%TxXg5IHhY`_mm_>aFVCCvTkV30H+dm7c3~gBZ|4P4N1)W+1r6$Z+mu_Z1dEd@E zE+(8_8-xQwmMaF5@25X1Tx9=*I1YbH#634Re`L$g&5#3tBCv?pn(DC3l>m8uMIiOX z0%8EwXQC@VvI=}FC+Gk*Xr)eR{rMu*tyZDz(JBRspPZne=Njo1Nlh^1thFyzuHYDp|D?n%^m{3p|N%@fnY(*4kk)0~YiW6?xKbrQPHMy28-KxmN&GV$g8eByGk8v zGLY>Lfegm^Uaze;LIzywep2kp3~GPouF`bAA2xf;x~0{0PJJ+YGPOk+uoSs3ZsM-&U-)J5LO>KT*3{HEHZUgZ2T|H;g$wUh;dc!j_n+!KO;TVp(~q68 z#f>Z2bo}dlb`30$QpDner=9G1u-Q^KWlUWWVC3UjQqEI?ch- zYXhw7#nHCb3X3R5qK)OX-H4X0B}hO`hcIddFfY*V?ARO&UZcqe5Gfn{uTS%3nVb(p zN(bFb2JMW>H<vNex}f1V9aT*J;A37@lo#-Y$LaEJuMBgr)nHCV8eA;oU$JsA zT5_)2(o?TzxF5S!DteiVXcf+4nImOAQ!aay5KXG*FZHx?7{}|56P4MuwYvy{?iK1( z;}C_-G%Hoexl7h}c^pf)R;v2jTvMF)^Sxuaz2CmQYFl`cg9Ydf)lJ;TZ5dKA3U$Tm z^LE`;-666FH`T$OU*pP^;=`5U#Wq9~N56Qaq&VuWmCTZ&ASRXG^!G9-NNJ-8h~r>O z5{ho#VyBArls~AQLV6p3&K^P*+4^N*8-jP=~?}qt2(@f0&FkHm{?5^&_^K zNCys+wy_9oeS|4UWtTz_DUe2U-h|0qC_`kUr{E!&KgX0|Te5N8d*aPD%R89*8GrXe zex(P@H${2m?u)e z?>+g<2plQkT+84?ob<+{cvsFDFH+#^=IZXk2ZFl6NzXx4Vq_^Ak=qp!J>yQCTI-3c zs4BU<{zCCSyT#pgNqTVHrW>mnxzpmhKO?zSyo8QLJvBFM=jm#)v8?faT|P7{aY^7$ z5BKPL62;ADn<^t9u1z&u-W`;zyC&>4WOP|&jYZ7?_954Lfqh(XzV>`PZmuK_YbJ%r z8p01s3e*efv~-$b_qMDt=Ks%uDZ2;=`}+(_HHbU*EQ_E5j_m7!J9P7Nfj zGEgrOvc2uH?xKRK7QG=nD-PHAQXEn?N-g4uU&_4Q-zudXPfu|fB%w@zx}?`-tC;EgxRh+~ zIJMlcYwn}jI-i*k8R!|HpS0O_Jng`pfJYiMDd;coYKJXk?40+m?wdAt5yxm&GRo>Z z6h}2m5EI;R`A8s7u~Lu@CN_?7=fnD*XE>#NPHp<}sB z=)x1eFfe;Zb21i}ybGhe)<|7lU;3%wdelG zB*tM*O8G^$z^@fY&zeCw#ujsAH|KI<`1}HG0Vc$r4qcK_K1&B`o;CB-Dg&)cfgcEH zI;?G{YbHqN@DlM;8uJRQLtqDr0a~zjX?zD3k8VEM-*r(nYgaWsw)S!6%aiQue56mr z4ta*L!GgF2Imr}Yht^_)Ep`Yw)IF$77HCAyK;@{MTJ3 zLCknO+Mk|Jo*|O(`!~m^Uvh9W5X~+hC{Cq1zma?IKl5TG?rbp5k8JL}Q6z{Gg$B*) zW($<^=1ak^#AiLq{lt29f6vWt9oKuD#Ld^=pQ0Go$zZ25 z6E2IJ5;!KWFY7EW)7~~Dd)mpHksI(WfHHDH>bA0lQL|i^grJ}h<%dU?(##PC%gSz zota2cqurYcZ;^_CTOay=RvXaj?bJ8~XqM1k1@tkT5UF93Q%vnY;@kk zIN!^7E3r%8(!qDfRG99?&>yf7E15Y)vjO(Yi<0urgObFf&U@rP`sJWXDzC&&Fy&4| z;y$wtlHJ|qO!!1uH9DRBXWRreq`A^-mOfb966@_5tMrAt8=7U2Wxt+gZ3oVpF42T_ zamj5-)SemCleJ}-(?^?5JZ{_NKJ4M+bUvm1;!E0HF|9-^<;6r_wQbt_aI4Ez5nY&% z!rk62&ky&p_!6SpVKXYt)Wv}v4rA=^-UN5xo>$6$i{oZ*^x-#O+wL=LO^51^UmAmk z4PB>sw>)W5-yPNjY~lxmPi9J{<{_+@AFp0|u1qq<7Eb+=_Lmd<47!c;stToxw>7-J zfmBq4tKXTJkEp_y*H5(xvA9&8NzBei(pltgG*z6$yH@a}L*=6GNS!dP{#`NE;YnFF zI4kUa^u*^}FT1J9xZqqxY3R@L=!D7pe*M9nQb$+G%P2ouy5bu-RmZF8W;xL*BdR{J z$Q}y`;!mED&mmI;F?6nlA&pB%q-z_SE}o3dp3;A_LqcxBuclQ`(fB(wzVCD9A*JYS z+?Nnb+U0|*bAL-0jHZm-X}?PFiOIQ5PW8ZtrPyZ|>)It;5m)Q5lKm1{X8!G7jJ3>_ zE71{r&|$%o92>eN1z%Duxgw{griQ|{uhz@#z8)B)vTjAgE;~@#H8o({D^<8hjbZnv zQ*bg=k|(~cy4j*BZqZn>;{Eu5neSDOoR;?m5sCEktEfb;)i}BC&dwmYY6o){D60d* zQg<^nOiXs;Wr+;;X_r{DRb?_}yf|nqf=#iK_ZZI{FS%UqGhY&-)=5kH4lVXAg-LPo z!=3r?FJ$vC&MwSEJ?x3g@r95({wvGNZG8TFGRN)?17#_8r-yvdwiYqW-;1;%Biz*P zcY;oSyEWb$LDhSiD#~6%~ol=4nDa zufB;%JRma>e4SLQqY$Y5z*l|Eut6@S1ltIfe>a zOXAnyD<|@P=uqN4dbjL3&~q1LH7gcWr`o%1AQZ; zY3UxjLVmk~t3X10?zsI|_ck7D4tR6-NeQs-cSq_n%nyb2crv?&vP*Mm0=C53e^z_) zm|&ijXCX}7RZ<2NLig3FIc4~lnb`R;`;DWbcJQH%ZX!;F%*e7RL}Ws2>*XIB*;Hxf zWFrTU#3_9~iyEgb;;8ozt8TvMGib7($TXd(V>GDoW#o6*vT})a-tP^2dFU*BBNwbL zT%F-5I7tN#TwugUHK5-R3+@l$e8}~F{B+uq=|n-d*_@<%$5zp2c5cL(N4J)+S%~^W z0y93*tD=$LCL5B(OsI12xsl@o8NbNsTUxIV#$_t=>9EHaoRU)_J11^7((xJ+RY`_( zIakQ3;2XTAD=ER7f7?FUs8!-t5gb~4L{iGJD|4ftUwS`0dv+gbm`nWXZYM(2o!K8BL77a0oYX#Hs@z7xn zN$W9G`Bk6E_Fu1FC#dA2U}6;#f7?Iy0~fgCiHzphrOv)*-XNk*H1)+*d0dPs<<6^> z^}04%>pDJ0KlXx|IMjap!w0W*adVq6)Z)H#aO-mm3GK->amPFQFhLaR(i(~0eEn9? zlnVOXZF8Hgz{o?@=Nw&`Tk}bP0`Vi|b?r%N=1Jv=OdgD$M#@X}gw@R2je%hQ-VaD= zB$rsccs$+e5r3DK4yp$;QE}>f_X;&hzs54YaLQbdWs;Mn9s?P6E@`O#jH*gNSi~KV zz%7JQ8FW_m&eEw*mVqZA6R((=?TvKu&NbG_#Lg$3ymt-0b$?Mkn~=l2C7zIMGTcGf z6?rsMB(85XhDO377SEB**DfUI?fMJ3ANI257z1*GK5^? zW7I#43oqJmIkj1JQsV1_VU88?PVF?;X59yM%oCd3jx|1?S5y}AbQ3Mt%XtT-Qy=eD z7u!XX{_d{oyjVoYbprQ)gqcl-KAh%)S8(=bc_=n|rqEkF!>x@kwbu&!SgzG9bVaj7 zB8L{3$DB*8?wiTX?p;C6F^^iSoA!zDuC|7vRcty=uKH9mA4;vn2R6kct5*;u7Xc2? z75avQdE{OQb5mQ1|G61-Zyq^(7Iu|4(s0Lb{A;>{&z@WJ?ofll`R_Nko#HlyA>#|e zBp>1^*VGFj{9Nl0g-j+pr|5R0fSHEFXf}4q+Yq7f;I|rE;?+ELy`=m?={G80Mp&QV zeiJ)=ZKR>siT^}=_Ru?gAJyFQ$EjQ#M8Wt&Z3!0)7qG`)7Vm`KFB_<&NDgTs1N+aN z+1R6c=EOy1Tx6eR1 z$(dqH6j@c@KkLD`RuGd2;^d!Sv>`FZM$9OQ_Bdm|0YC+G8{V=m_;AA&hmrly)_Cl#4RoR zVD@Iq)FIKAZ)=eejXPAnXkOOtfw%DVs9u|gGV%pCAv=t)XPs=|65StIp{Mu;Yaz9L z+Y2RqBbcA%jv}Btmio^MLK6ky)&xSge9-+1=WDCfTu-Vb&bMa(E~Eo5dmt27`mR&K z{HjA%SnPaO|HQ7ISm6CK!^M!%8aP=iwKJbCcgL=})F(1DwJt#2g3k#6Zv*?lN@N(b zv(A5GMHNZwKGdMf`<9KEx69fb6*z>IOOm+sO80aA6ILI%y2yM4RYcq-wAki6URi1A z&2F5v1Dy|CWKb>9Z)06ZccQ5ANPBz7D4p1HBDlpCKxR_=Vw3A%TfdJrOa5iYVNi>$@)we3@S1_ca`;tMFF=&~S$&7SbNJQMa)Haen<6I~ z6-W776|P*F4vdHxg6!2Q`w9%`nTO$t^Xw}QxaC*hL?ON+&16c zF*{Y@JK?J<&@5``-j2imvpzA-lo@TWCQobQ@iBU*Jux4CUzEg8<@?5xhsrFoSyrrP z`zOuav;JrtLk!BJ>14-2D0d?9Vn?jxa3;e43;eWIYitO!XgG6;Ow}FEG;2JPEYu0w zABjeAOj<#7-1mf(6&Qo8A}e=seoK%|AIA6uV|^imYYF*x$jKrQLo_C8zZB^+7Oty<9GyM z*IGk{b#(o$nNWiU=fDH!S)vf_KzpaXTxRe`SBB~AZupb#i+wpC+OV!;zG*u<3dOC7 z@5{>++&lD2$jZ=u+i*0VSmBoC4v-Rj8kd{SBq(%4KM1_;H{)eX69-*Ncz$ zq+Iyx8Se~!$b=@gCNe!N|z(?gHGBsmF_F5pu zNPW+?H){nKBy*=ZiqxO3<1ZfvHk#WiTN;-@;4 z`fX34!#yfU3J&9~x6z~wNX4+Oxm&x#0{-`yJ06rc9qB@&f4*5gNxDSlZ6dpKfYtv^Oq*B?>uXzUD z^iB2o+9$X~_<2&9q`R$`w{ePuM@-@NoL-}YTN6hrD&fT!>JK*phCVRZJ?LXLaPxkC zSm1vV#C&nV;i@YW0s`npgEO9-?+*3Fd8&UW_tAX^RmO0@|NU)elSn29I{k(fUj|Hg zol$!RrTh(3?Ppo?$AdlvEZa&nzeGYDUHYUl#X-QHl$V$H;xJRi*V%+HvzE;!*l@2^^u^hHtfs7kP2<&QS>*&+mvI<~ zyk-wW&?|ifxOBMo`U^~nzlV8(F=pe$cdH(*nO*iN27WPE?d0UNbmcckTQVGVQD*0| zDpGPe#C)9<_>4w57S(brA@wg1J;MHIRyoXojjA{9;BkIM;T5b|>iStj2_!?owe?hJ z3g@)*Dk(P&|JEiwXv;7#`wHg%iCkT8d2$_CGLnO@2A%)g4p@MVnbc8=!Ntf zTe;z9q9u(7ev|ID-|V{};V9cD%Tpb^*>b(Pnp4W#bw>^=CI#x z1$dNrl&S$GjtPry2)3#%W)C~$0Vo{7q)^iXDwk~ zYSwSelRg31{Sm#GvIcPsl7KLfx&CZ+_nx(8dZpLgxz`dn;SD_+FuSOC5Gz3VpU&{D zH#mR(odnPpP&D68>jc;pLiM&}W2WAaoFM?z_JPY(t+A_RlB;LU6!bAx3b@QGe2jYf zuK>>13buHJ2o6*;!Qsd&lpuZpYasC<{!q47$r-R4MDhk}4D2@HR3|dwa@IS6**Eo$ z8NQa@;D?;5!y+V@+U8Su5E0homDJpH5FZR{l*&s z0{8>%Zq^qT0G)Fsnmc@RpBfgr@wN2dICSLfjF=R^jYVWm@_?Yp7^RkGE;(pdDMPv5 z*|;A~)#qoDD&`zc_U~b%V83K8b}t}VzRD~8{Xhh-ie8TF!#hnAvnY-p%_3rB?k zgI*eYVl1>g!%}~EwmmBAy`$Un-KE|dbuoO)2PD@5jmL#1M+3cm{NNC8Tf=_*t+i3a z9xSxhFGFEyHeXf|Hs&^9>y6Ym_c%9=J2@N)FQM_YPMqM+3b*!LeB|xTw=(v`hSuxy zc^2Y2Ctp7z_O{hmMqU=sl3DuH6H7J*o;0Vluj_Yn%ZS}?Nt9KboSrit%=IEeyii+} zLa!XXiR_xD{@DsagtsNJh}@jWP;l?wDry$0M>X>g(EYvmKJ^Z)N(Zr9hGSf?hH)JVW=-W!jxrmBN$jA`MK~>gY|#Acm6l3OfQ4%kD)C!~ zJeS+9p*F#w#BYviGU)lL5@Lw`sZ_>Mw##oBNoZN=I3&9N%Y{CXhD8AMWGNbHN$HSM zA#wWk%Ua!s0+}X4mvkxMz43fyTj?$v)1@mw=;P{XiHf+13PxtQn42Bk-XKvR!OC!E?_3r7Zh{*f2htoO9NEGsb0N#| zb+bX36J(0|(vO)x-jl{R_qY+l9E7cwRMTookjqo^kxR08GhJT&;A>q{S9<4C(lq&# zN7-~?3W14<^xDM+POiT~6rTSl7(C424AEV}QXz5u^($Y!ylsf=b@b|X#DJ0#orN*E zH)GPw*2Qo!@7DSqNQS#ZVO+Xcquka&!!D!vnn>EHi`^B510dRzcv|qmRLllz{6Zy< zKW3ufB|%O05Wd^*htCL|q7hv%FG#Me09I7bQ_j-S8K zEDVZ_^Spm@ZbSLY>6q=8W+1Yd4o+V>qWOrI4ZNt434=Sp&_1`jvjJb0JN1>#eYC)L zTq*{!Zr*TXf>=BJ^m&s#x9^v26yR+~TQ^GC-3T$0?aqC1AK9DSy994djDDJJ%Eedh zv!1WP1ty)EosQN=ywRSNckYy#Ar`z7{Wa}_KMDAbdwvdM=zako6V3Vh)$dOY;n>Es z&E4`f-g|P*kbt95+OZ=j~V21#;{EIX?_YhI5n0; z{O7ZNNpDC}w;Bn(b?D~3$BJ@>)$kh+zUwe?9B$#JixnPh>KLUk?R$*C_o~c`QHMO2 zL?WUgrRm(Zs5r>Fy=~qhq;$K5R2h$ljaFc2{1!hCFHOLYzjnkp@|vSJZ|D1t9>dkz zn&dFO z=cQ$;1*@^3Tht|53A>HFGVvl7EOET}qYf>O;8Ab23@@3{3b_kv7vl-M9rrvZVZds^ zpO-VAKj#Uhm5OIm(#9!8wvhR%oWnK_X73?r{uN6PMr}MD?HqP|u#D!zR5BkM$LgB%$s3x2WtAB{M~xxu^K(8tTwLE^Mm}NN+uK|u zvusMS!^MX6-e=DnU|AfyOesh7{0srf^~X!o#oP|n8~r~@w9JI*UKdPUKSOmwW%`6v z@|1t6z4!f;1Cq4v?#mee620;dJ?a+vuQDe#9Z&Y|OG@4eK+#tVI3L}BELhD39a8h+ zI9_~WHmpY}6ip6ixG9DzuvXg#3%vVDot2e!n@KWz5Jy@6F9Ykpjb2!m9MaUnL}}hv zn)ZfB>lP~?nW2VTV6h{yRT5QzmyX)iCBH}RVSD4|cq4r@{cRPJRl48bqLu~LI)H!X z66!$Y6~?nHHgSK_xiAL&pmYE>&OFflZd|Pxrpx$wEJroR{|XaBJd{Iw8&9vwwr6vq zVCy1tZ}HJXrh(b?iOm{kkuS%|viAi9;**jLypOhrFgS`5(6)&1WVy!$6Z?BhtTP_l z;YKC?YbOg8Uid=qdDJj|M^i6kH-suiT|@4aq!|X=hcXC}MXc@AI8V&EI3t_d8|Jfx z%(_&vpKTE{NIGK&>{B$Sd8D#bAdgsNIWBb%QS8OIxN?UFTEYM66Gs{$Qy+P*49(XrpWC%5%mRBx2 zJNv~{NJV@^nV}JVn`Lh%Oi~y6 z|C!4Dmqd~Pwhz5>=a|*&JS-b6j z)@M9yU8$+E1%gV;2b==U2~7b=5`ckAyxSJAU7VMObqtoW81ks;Iy>sX&!O4oTjB4_ zWqedmcxK%N+~+h_;j>l9_x)23w8rKLnqKu)4?OY4?&$1X*+RR~xW^*6WMb;kpQ2XEH*hB=B6XuWcSu4|Y1dSH<@nP-hXsr_6iWkZdfMl_?t zhn03dh4`tw`j_pqtUg~0cl~fIRXXhNYX%`=&1G$xmzg%M>!{6%kh4Ps?2N^bF@l_Y z-*Vwj=E$Fg%ixWJM-Hx%jMqi|mFzO}EnZQF>7FF75G;PWu!>{f2>t4IP9C0>i=e(< z$24#zVZDoLyockS-RS7(PSZ)_9zjB-t?J8{bih_3FY?rtErk`UxBd(!{D&fq%n)ZsFai! zAzF<5G@)))MBG1ILa$SoYls;+eGWPO(L0(ub;hajQ9jQaHZ>gO$?@q&R+-GNM9aBf zPFfm0mY+)HbtF2^mf+j1q)s8ujSCwe3<6;f`Fc^3MCh@E`^Ef|3 zhyEa^>gma=uz`m~coSWN#%(%5x<;d+_R||K>spq?^VhvNY-$$c<*_vq+=wQT^1UjF zEo#m5l3K7Iizmxu=WI0yR$+GDuHl1(#1{UtI&`lKlWU8=*Hr1Bl;TkdGtK~o)R|KO?!&|kx=+IKehC|5Ap3W&sCbj zaCU4g{m@t`W{i0JMrb2Kk=#U`c*dhW*o-gpBPEYX%XP{)oUAC%?Mkw;qE=htU!_q6HtOPVFth>*68z zQ)HHo_y=iY$b6}yjMPD%Jl*u@r>lANyRJ#`Qy&`lZ_5po%Goo)P^y@?xWlzXhvl6e zLykj=!T-Fm&TCrNq@FLUAwCw#O!6-za^8PRUA0wsm<1*XNfciP1EU&G7=bLcmYP3m z#|^-sAvN{(U&q?TEymkde6Z9~lMEbK(qxbC0mNQUYn-@=A#cM`qnaG@c>3<${VSC5 zRcB`i^_Dp%1Jm=rM~PCDwzrRP@YQ>#akd=%H*bj4Lo#_?g!piucnu&|?$gPEpy_sx z2P@nz$SZZi0YXFd`E`z)Hz}g9uHIe%0>){J2Qr=%k0Y;eL{*<|{BF@`^sPhM>s1&! z-R)%85Q?6KJMYfbdi(ReKKYL*{f(>h4x;q%HNlFx=P-3~SMXWc;cLz^w%S42{--ig zUAnJxG&&tSsbgQ|216VPa+P{Q>JUeF2dzYG9sef^>$=K*;eu&+>86YZ2og7 z?u+o?H*Ztnw#&p)8;O3}H)2?eUA2(=NfNskcL%>_y;N%ZNvm0cmBwo;2Z^v}T*XWn z-d8kK(ELd_K5%(y%_=M$ZG5?@jbg&4yRA@Vi&7{kI`iU}V2f#2^kqVu7LjkVsUmk6hCt;QO*6t;!e z2D@!le@{-%?6>Ibb^E(YJ?<&9`Qv{Bx%_K0_Qgo9RGF_HKkqhTrzR#iA}B#(xc58; z*^zCy^l((1d(-d*i-FuN`ZZa7i02vvVrp|oT;`L@d-H{+&o8vKN`MtdjsP5wUS&^* z#Y&t(yqAx6X2BC#SL$8I7%r~j$s_i$C?Ui|0c>NWyt#b?eZ<^#`qh}!^^)BW|Mp6O zxeeDVA)CR+cto@VG2D-o(QkQ??%Ux#@7}It?;Nd9rve)M+x1NE8na(~{U&jEM+mx1 zU8qx;Vw8Ft`>v#9Ymq;hUL3w$_(7w zDuB&bB04tKY5Nm1V$k@vw=_F@_$7YCHLB(1ZHOBCTz2tK=TvYXQy7yk(}_D>eF7##1r zkfX;)0CHThHB1zcmS$219Zt+1m=$=x{Vq#!{+wvma%R~O^u!Rg(3-k|LEEgIQ|2A@d&FH6?L(pi0CjM zW{ZJ=#U0!{$uTaqln4wCXAv1-khhzvU<84(*nrUbySWI>?c20#oj=Q>=>J~QCA`$^ zEtI$g8uz!cn3+4mVY;f%8s0Eb$b*I8)%3p16`%m$fuLK=Lal!t7Bs&@)W&HmU#mLW z3(_xtJd@UFled^am^Rsl-dcNaBxs$vFdZCZc^^QXcu>!cuL6tZ6nDb%Brg($Zd6$R zMh1z?1h}}*&+bt{W?D+N*pH+H>FoC0L*paE1oz5UL1<_=-z-3pW8a~U<80M4f?|Qt zw78sAU@1(Ot(@2%ombw|-`h3c9@X)SQX?zt=-icm>4a6n10y)^bM&mF+AqA3kzAqv zn3?lR<&{$Rd^<&@o|%YYORbWy&2-9$QIuDXowin?0lxh6KaAJo_2o5%B|J}Rg<}A+ z*wUKmx;Yw^(ugN$HW_!ru(@Zml77o~cKq`{4mz%}SV`Y7T|ore^lo70)eT%+3OesN z01E4>J|E&dxZ#H=Vp{0#?-5Q|=y+4R&kd~YKb9V@{z`O1w4@!sD7?p4c9$=lcv2ybG31&Qg`$lkNr0l0M``fq7KTw{h_JOS}fK~|# zm2Yz?jRea~UHV}r-(yoAfiLO8 zK7aXw|0_#BH7>E*y5y5@EJQ7fOLOvUbX7i_0o4iyLB-HpORwr1mWhG_J7@!!AvYCu z94WbXFbLvWOZJ^8{6kE5c=)rdHxIT9)YP88alZMQ%G-BlM)jJ9m9k@{#V*u%;#sykEz`uW-3V%q2RSyxVZa$#+V;e+*+kBh(WG`+}vEf!y=Hz zJh-~fN@I#zLe42&WIj#XWRb@iH2iglZjAP~ zc>jKBcS+akdEti8+Q?;QlkHqXGT>grtCvQ(8eEeOa|$`UGP=#C-0InbYssR9(F%2^ ziiC5wBGMWfl33as{`B;$hQu3>W?J}z>+81{>3jSWNi*01CA6FMmoM;GSTVg|C1#NB z`aaY^BW2G8$lSZ7460BX5hh?lyNXW*oDP%=j4aV44CW)tR3JfcZbMKuK`lVe{qFS7 z{p~z5w(FX_wYe*l|K=t4SKjPP8I8 z?%yY)pil%9k}IMTR64G+_2J4{4sd<0)}O%O^sABCW{8Mre|_&!-E2l_*U*DGQ0yss zEErHUJJ7g)PDC@9_-b|$u<%(Axw`@nXaj!zqLg&qOz+PG=RH>zmb1_e2Wj4Ca51IW zVn9GYKI@xmJW11p{EUei0J)?%y(3lt(CO(l%@cZ%482@RF~@*JS!>}c(+EecU;>iV z>_`hT>B5xq&{z{)|Gr#2)gA!rF=`ZW;LV$?u(j8fkrff~VEB>1{HdF*Z01<8?7*C)p(7l0W zV3s=?su4;{HbHWEO!U+RN_PHSt~bOMp1SJgx-%n!N6es8)cYrQ;Y6nsvbPsWah>8A z){}5nI$V)KZr%zJ_gtrm${Ac6$hNC-+_#RwGO?VJ(W}@^yV#VyfZiX_tEx^=$Q(HU zaYFh_IBq|YH7K{Vfl%8pTP6i!pjP(Im zRj~Op`#Ah^1)!$eAeOWbw3*BA8v=z0sV zD!O)mcnC=WK}s4Vq)R$Q8l|KJ1eB2OZUqEELb_8#TImh}kuG7=9g>^w_^<5~?|aU7 zzPa|L!vwLG6?9Jw}y?oMEdLoE~mJOf9#Z zs~xSlLJwb_Us!VX9-vq}JAWSe)(Eprw`%8SdSh^`DK)nxGBo3Ph)_O#dW{p6YY?c| zFn9HAUO^JJ&`4EeQ2sF(k6Lq*)8p(`+&ifFC&3+D051(Y#h;x3pXG?WYPjkO9U(fv zu}DgKj*uBZiM5|<)MkAKUjl=OU~_8F@1X`tAbrc-qcp)63JA+L2AmBX4nw^km8sIM z;#e=u-2F!aD%Nt%g3y8U`{0q#`{m89pdVolOs8P;v z1-5*balm9`l~Nz4K^bP7F`ibfoR>2y0(Us?^?+76b-LR-+uUX4I$7G@AmkT7E|9#E zQl3Sa+xz$LbG#y(isou?{J&?@O}d?{u0J(;e%$)FGZVHs0dOk-R7n_{{%Rkr5$-$A{|3U&G{ezY+znz6A8!p5tg^v(A?KAtVY4?)X&aua|Qy+o; z1Qx_TqPv4vV>-nFF+NG&qgVCxR;dT5*;nTYgz+v8G{;-I3sluI5C~FACXQes^A}+@=5JdAf^_7JvjeEt%ggxYbCbL`-}~?5E`< z!lBk_b|44TXEQvj9Ca-Zd|AHAhMGRjS|hU=vAn#@(s(Cv60BOq+Q)B9Z=R$+yz8Hxo!$A;68(d$aV2t# zhoNt7Lqg6KJpwqeB7m^+dSLPR(HY$!XFx3X!p!c(%HSm~!16L0`1lJl&ee_4MDk$6sP6NUZ1%{#i zK-_DG&W_JYDa92&QoGsN?c=xFtJjMFU<6mFB@eVH-Ak2Jz)C!?v&Mm7cGKU>UuXkZ zApfDYCIzxJz?LpmGEg!zGoz3KWEX)1IIVH!Cv0m_{z)LJ-8E#_3jk_leLV??&wfWQ zXWW`>1pmn@@`2B~*#KXLK;d1e|7O^GKvK!P!s-O6MOan0))NJg=Y`9L-^30ZR&N4VZau3b@!_w*9{KV1L8J9_6JJ_$v~Mt zG0~{#gNcjz^_1C8Z1e#<3)Bj2^1% z>t|oqgY_OCcQ5ps1a2GH{e6f0p zfH&Wk`c9Ijnw&U=(+n_^%gUX&lAb7r*c;3)S2lGJjZ!1wCa1{PiLn z3%7`8~}HY-yhJT6|ph;pRT%F(r+%=iYBxL_us}d@|nho$dh&C6-ZhhmU3Qk z%&}Cv0r5&h$irK;gzYjP0c5`C8yqrz##f!t=jiFKos+yGGrqz3ezrMoIqZ5_b~cxd z2|H$bN>fzsZ(YfDVxJ=7hbi84-F>ykcH&unc_U&|ADv+cwIpCCFh^db9+tX5UxqB> z{EIybkGn-V^&1p{hsof*Zw=GDXTVEKi|Kz-?^p07BPs4F$e6`Z`P=c^|_fc!6x2rq5-S(u64?(R-f{ip^{+K-dY0e&&7oFw;@;bq`3Z0SABdLZb*o zhQ$V(fA(%F;wdOKg1F@k%r-I4N0hBFch;{#Z0nZ4<~9@HbtzF=q)hh`i*PiaUmXa3 zXJ^8nt3U^EXqoUT89}SXz6z}OGb1b>&~$~yB@1bHLhU9|N>;#QRIxJe z>PU;#-ij}X0(ioJQ8o=%Q@y4B|b|wUBo^ zaCo41fzvNR%xFE;lu~inz4lazwCd#&|1qWDcOU|ob-p8($%SuV&+EJqVi7Q);J0G% z<2nxo40vkwH!?8@#z0#W)i)udj*~1(UoG|yFWE0z9Q|GewEp~ zX>C5BD#*((_RrWCo@u=Pqu>@XF`*8nR&y3P)4}K*wT~LQ zlGX~iA7!3Tv;U-_mxv>;RnYHKo_{s=7-U`@8Slr3J;$p}PHPFDrkC1(R;w5F$V83! z8-oyi9C1{RS{9EvcXyQaq7ZO?q;z;UoXz*0n3a_?xx|y-Cd%(;?|i&VrFfi{V)734 zBffV~MP}G115BE;Yzb!V{%A7y2t>hL&66L+l01*!{=~v&6j;Os8xp?^M-MHpy;4n3 z;1u5*jzZw~A<3Z;?{ff34s6iycAI!_YNJ0<;TW&!Bn3#)MGl!eAJg$C=6PXH8pD0v z|G@pn^3a38JDf+2$LSe5xvR+_e z5uiDU&ncCwN4%&(Qn2jtjtdizmJrKmNEL(D02%N(K%tuc7h+B*6_S9+wa^BB;r#EN zHyLE;{+^G|mLyhP2;;u2M0(H$y5mZ>o2qJLe|}Q@xRAH|q!u(TeE+}U>~AM0oPM~l=`M-C67{lR5EXb1gb<^;}$0QZ#D(yQ8);Bz4R#n-|c5lhh^Gh73SI`r#Q5cVY%desX-O@u&ZBkQr*8z+LK*GFQ^6$cm{nlj7fIt2^$8$q#fh35f-N zs<4h$FIQ0P;l2^zo4QPl1&78=!oFBaj`tj6-da?8oQkq9K6nYpm+lJlinz{yx?&Dy zSR+OB`R|ecLwjKN#FNhxO1{a|wsQWWSV>4!*u}}hz}Xy_+VIM8KlEo8C!*_T20YxINAomPz8&HHu_43uKCiCa$s*{+>;NVn4U~|2V=+EiX<0PkddZKGaQn z!xNr9%tKkg!_JVatEkBL1@Wu=QvpYv3>3u1TB^laFtd-SeICjgy+`3Y)N@k%XNsf$ z$LK3>yk=fP=C!54E6rrZNa6kdvR0DCLlPVTf2st;o_SR-x;b>f&CkRWqQOz%1Cker z$^3g1>}hV_7?korMW=F&#Sizomi~<9=y{c=p6C^zw~_)lMn40=MUe8}WAt?6`L#g; zr21D&1w*lccmBu3|NOC90D}g3?x)R$XuX!ca9`C;TX49S`!~5azVyOKgd6d4+ti z>I5RVXsVi4Rc3hzJYav=aWv@5YO8Om6iA(0iguAZ)f`6F5bRlq+6 z#F~|H6SpDOS&_UaIrq=ih|$h&H6pI0{xo7^Vx$e@3E#Q?VVdRk0)guGrL8r+Kx3+a)}9n-3t_@-a|pDG~<;l)*DKz}%4d>PwdR$)}xsO`UJn=WxY*-bHxGI&};`_ypTaCji4ISRaZ>#NHYZeb_PZv07)md&Z< zdZ=!xWb<`^#Y6#)hlj`V%8G*seJlWL>PNs!B*cFol!6Z9HCiMLaW%_HMe(irbfD=v6#uRK!J5Ss194*GQnQ|%fYyh``yBDUrUgcKcn`H0)nfxj?rH=wm7@gjkWFZZHND-C@0 z2ng;vxLAEhpAlE55^=jm-W0I@VZt-&*`#8Z@%=kpJcr&84Nh#;EcJYbUCq+Q7;2^N z3{B7c)(OH@@Y`U48l2Zd9nHg1LJ#IYa8Is{SV>Vz;lX>6d<}sQY&L!VLuP%Xv7=&%bQBv|9U^(-3PA z5dWj5@XaHT<(D~IIS7rjvgYWS_Q1Axv632DEk;Z@yF)2%4FF%?f2tV-zMDasU+vTT zK(P`O8ObRw-lS;$Yr8FSPh_PO)gPOfVU0Vtn8seO>M~dB=!5(g`9~>FHW#KC>cX73J`l^Rlh?}yyn-yr=4=cN1*GcND;7?}37gmwukkMSx+!w=>8>njY~ znYwVmXlyz)fxreAuHZBfx9{TTB#D{|FD#rOSvT1^IAEgVQknfq97qzjLCaIgDBiCj z26A8XOAb0+YrcMrd6|w2QA^8}+Yf2qrntPvs$HC$nc1@HAu25V4on&#G37ir;ADKg zksP`ic})sd24LjEq9l6#0e}JSE%Bx2_Gszc@&}Q!#{mhCW2|;A)tfF5Moc!uy$O&o z2Fy5J>!sqsAt3<}NPb@X-PgS-&8oGyEbQ#2%MUnL`}H!Ph=5tiM(j)F42|nk^_)-C z%YJivp)qr?dqmy}?v6r22`;lfQw$9aEv|YxUr7ThwUCzXb>me*i;Gl)B=s;)5!r8Q(<~U zXGF$V%S2}&9xbgINV`XMIEuzmrd~xlwaH&a+*oZg@~VqXJyW;`MIZ7E)%fED8 zM3PH%S&Fr_!S#w$Og(#=Dz-B660#Pns;z@Vr@k&$0q3LYtf}o?q*es0lA!nTR;?xF z6j&j$;ByS<#Z2<9LdG>fcEGcn!ospb)X!xfnopJ71!_I6exr{S90ZMQOS$dK10O9qTQwl1wuBKS5cuMl;=B~*USSy{BRp| zA4`+J=rxPcq+no>KI(|v?X9S!WWy1eV?`(jlNlAln`@%X?uC{0#v8;}mEa?~puP#2 zo}N~OVILz)_8k2lAtEP#?Us=c7l)6JpWi#e6M0NoZ!bb$F?^)bv2A&Flb0}MwS^kI zX}wvuv3_M*8&NEH<9mf}%tcCJ%jvbbf5?~duZ<(CM#F{%3~S6sRgEp$fl7X-Tl@ny zkTH@skgZi1C;R>uc7lcoRMdYb6Ijxv4Kv((tQ>9IQK~Ht5XNyZWCQF8c%9t6jS67k zK(?E8fQXPVDlyUIXf}RD+M<=Jal~GHV?tPotG8|C)kZouDThHo+?)A3c z`R(=fbqX=pRKP!lF4iD0F{juNhA8+}ofuN5D!ocIAweLRV9o7!2l0XECW*anatsHr z5t#)F7$G5!j-dq8fcVzDZe;+?-KgelC2I+>phxRkLn3`ldVAlh93fa5SHb65Vk>PiK4`e@i zn54Kg{x(P{*50Cjn)A&hy8p=M0aO|$CT$CMkGd1djsnszrY2^{4{$g^k_@1JKRPAU zSB=+eb<|pFv7I+A-;7=~Zl7_?3qloaaA1gRn(}g1inlKUT<&PAtG{wf33@k^U*U&_ zdwmk3VVdFIBC;!T?oT4ItwXJ^iDaN*do zg5w`|HPGGnp$>$><;Rc6iPDka|zkovA-2yuopz(4yke(@FUD3Te-X7 zS6qySqNcjbt$dB)Bj52yS+Pnl-9}xCkMss-hR4c@j%R&+FPbv!b!G)(x<2IRTYUKN z;gz#Bg@D~`uL5*@c!&%c_${$t_9a|v8Ibc_yZAKOeAqnvQfL=dO)lop!*#pufke<9 ze}8)?r9+ptx;{qjc$j{18*ujz(eA%{Cu>w~M=u(=iSvW>J?V_uo?X*nb&a~#$76j8 zKPpr@g@$c_yr~OzXf z?}>GX#T5mRWSUQgKF;1WOB^&WpFEw+0CzA;I5kW7A04?kJG(A4p4?E3^ow7gGkt_U z#1{=AbB&7UP1+v5UU001pgF%?x&2DDf)m!!CNSxLeomX8z94_CE|oAtwlOgwgqA~F zymqbxevJzJ++RH-@x{yFbVNTmp}zbmx(8k=bBuSp+f7YwjuH=}n36Fe93bIH!yI{xHQvit`>zwA!x+h{A8;2FS6-rBhF zD?HIe*9LW0H@9+6A80>tC8#qauxBM2CUZXY_$FNC=3J=hGOl#7$MB3rluAVzc^8~n z_9pvXp#;boxcT_Jh#$`I@x|wCI4u)Jd-sxbbxa`(l?Kv3J+ga+nyK;J_e3J2^L2({ zENcf^@VmR|ojIn%b5{er7{P7aFf#10FpGhXeALVW8FuZvzDs&1?L|lrFuM>`QPuR( zj91L?^JV^A-eTu>QgnGfTo*8Wwtv}tY1KRV?ma4v|0mc3baZru(y;6)&pcr~Kln8q zd+BsyZ(1$p6we`dmO$Mjc`YDx3{M;eC-Qv>XaY-i{ANG?QTsM)HS+# zoXwHMVMjlYRQUg;v;!D>LTM0U0bW`4r0icQR&xG_)@{?m%mvVgjLT44hQly9Uj`LR z(aSKyZsa>qQ;qvQzY~dpdBn1bU;e)9L5CF*!kjk}r1~HbvGN{e_k~HQ{0RIGa&wBm z&3ayl0g(#iPX|7c?cMX6+2fn8m}h>TPip{Gd|uez5H^Z0@D4OVG;|QdLS;n-1+T|p z0JV6aOUm}onm6)Z>Iz?ccGn`8Pr5gcIz)Z_<|5^&8folKBAg66+m{KUpTke0^@f(- z`}r+)HkXyLl&aB(yMZYUx#yZ3ocpT|F+Xj0aWQPWzV_{PTR;e5(~^F2k-Aj{M2Bqe z>WVA*3hBZ7Zce|ILid{hycLHZ%{w*9)aCG#>kRlS2M6YrlcblV@6@#R8K7KSlt@v} zN7wb++cswnw3ThX@GFU)@4u<-nxEO`U{Z)hqO|zkXndi$IJ&EXjpIg;dakK9WS(St2)%v&_j??bdR zzMa~WIs0qFYa&2^pMA1j;s^GEAJ)?S6t1fgb38re%s>|Oyow2jo>UIxSEc+euerz= zXcOj6+N~$N^39zj0j&Pd&o+%v6Z+heEygJ>X8}8y`0} zZ37jCn62&YRydxCScDN*2)G`5)703QwhMQ2bBht@oVh4(Zq68Sk32XZrZ@RKC79{HCtHzMgr`3G^mg+m!(I@<-2ysni{~7f_t&r?Tnk&3;;I-`?I1+{8v%FAZOe z*&@3o@AD$I%R_MDB8?+BICy`uc|F>CE9t{aCnw&8IqJ3ZhohUhQ?^{B?R_Z%PM$L+ z7vKL;U~OC<_H!N}{p31R^zKnd$n$cZ26EJYCJSaAON=GCD*gG}w|g0W4$Mm;SNGn% zOw^Mg^#3o};JST3@ULo#ck!_#|5>U(Ylbfc+6VXczQ?#l^RMbeoM2=@CWu>BrT?z{ z?-~cHLOh7(o#_6q{BK`U4aWr8vAPV}v~B?Enm<5wLEL4Hi%$Kthp zp9BmAhqW1e;A|IP{lvqieLleOjOWVw?VGE>HJFjn%}?XD1ulrjnN->cZq_9csn5l6 zp?E#p0M5(zu&HqK99 zACG&gK^r8`;LpnF3H;wQrc@W59>Cof4&AZO&;DvQ8})xR8&h>1b@r@KWM zHcOs+rEiI2pb_z!@!Q7j^%ZL)H<9%-zK>AD=z5Cj5%r(&Rp{)$)&@9tXEFuXBaHdi zFX(NPGqYGRJn7}{mJ1r_Sm=Ku zKlVGYbD$*ej=#d#4N5E%WW&KpoV`4|+khvAb@~Ts1^K0i|7*sX-_BLV88s3oUgVO9 zD@s-COpbkYL9_ernjRmwyu@-hD9egh0EtxiHnB@%GkYnC5;=bBYlFSGh832-LicJg zu0O1h8lnmjNd4UVolIPC-7ObWdghiq#7U`gZBZotkTfW?^7mNm&?kZq>YFN0qvMOZ zek9mZ%H2ee1h+~~9&Ekb&CGI^6Z1R9JWG4_ z_ONisgS#oJ4r`!!DTr4_WFVCL(QKpSYHycSDy^^2JLgOb5-l16(EMb61s`8vMi#r1UJ*{N=aN9V;N z7c!O&F4PyYFu6UVheOFji67U8bUg;oIYi^T4XkvL0xZ9*$ zq)v)J#sTH9{uV-I=?4%dEj=&&J!kg!x9Ps=57=J`RgMM=2as&vHPDH7@@qV0X>l%= zSlYApgS(CSFp0H5sr=DZH`*4zt6U8!?N)LlFq<{)KZg)LAc3u9u)@vzOKJ zT`T9W`8iAeGe7xnw~S6I;21BS&3=$SoK`m^B#=@@Pbxx}qcfpPsOzY_%Ne;0_X+oX zp)hT#r|^4j?^WwgTTANKViP*KOG$dI-~{og_Na z@v{HX7@t&;xjrs$rcSe9yk9oT=hVTZWkT<6-r~wNmt)SVMDUq>r8JRcZQ0fxdd-VK zn&QK-PC}DcdPBkiyOdmVnh&V9;L9tb6t}k$4i9)r>2DeqS6=7)h5a=n6V)#sbQZq9 zYnF2U>5<+LnQLf92jxIuq3K?G>&u$?3kQ4BcbjH+K+$t%d5kXdSihvDLlZ5v&-l6O zg_ZVFJt8^Z{7b|oi^&^941bh z;4`QbSc!EdVt{&e)~L+p!jL(#BvV>rYkX2MD0Q?SLc*`T%&kP;S&D4Uh4sq8`_cI7 z;yaS7a!~<9h9fZbVfI=G+FG^RTV^`c$1U^TTNG-H#(7{$__>$@x#4maZ^M=pDE~hH z{?uaWrK3s}GS_psi$z*fe;0ej^Xac%N^as`y->`{YgUf&x}<4LX=v#wM};5hu#YQo zPQ?CPlr`%dk}5h$U~O#?mkLIIE>U{&gFlsu6R0j947B3|&mH00Xo}Y!=WeJI>xUR| zeubFgh5CLCFY)zy4@M~?+4m`J0pXv()D6EAI$ z$q9Mzw1(M6RPnAph04Z1=eCOEcrji)ME>jT8O|?Zwnvgy&UC7QRT*6bg0~-AIcLvo zysvG^!JrQ`Q7V4)MXN0K>#L{lO(u7qWzQyN@SW|yq2DR9sa>Bvd}Y)h?2<>qS9gis zVlPN|;0a6$1|^!(B-um!q@q32@Ue}@D>V-Y(~=qoCYsRxXh&xD_0d_^ZB(%Rtfp#BuKe% zMHTh^;~vFFWh5u*y56;rl0GnEtoQ%th(GP2rn>evUbFQ|G*ho;%thA1GGtmT22Rfk z;U6 z)Tn1pr58LoFPYMjR*CuvkVO80f_xzjmKSYJa%{o8A? zz&1J7-%3~MGBG>lJL$8sjjh2w_YFuBur74}XpK*&CY}NADIGYKYLA?xe}EbF@`4xE zKUvRth*lGk?9{e6{JJC(18#c%qm#anEu=fdsMZ*bGkXTl(V@CLif^RCwpHz;@uwIl`| ztEDPEZEoW{x)uYQ; zCC=EcH#;LUOCH7TD&M?fe1?>`@m;yDT*=t+QSqGQ$gZQp2_}^ME+K2oPSV)1%gud- z1&J9MQ>f9r`0e1Jjv{ACtR(;DwakcEc{p$u^(i>6#M?960^VGuRy})y^dR>a-C$Yt z>4CPM&jaeCY@hGg!6HZe*|)5-1KVB(J`M)Tgd0B2e8%nn$3&TE9VJ*td~q<(m)Gv; z8WF6B9i{k454pLbjGv%0LrKFXbJQ)HC~5AmKgr=Yh!5s}*=yh)4}zTwrR$lB+Tpq^ zsrXPbPzS4b9vtuTU4E->{A6rSwex0sgJHbH;Jas^3|p)Z%Z*Tm$=x=*2(251L_c4@ z$+gWx*=esi6!-o7wIP@UDhN8ut7n4pd{5|-HOQtN}Ud^t$CJ`YEJdy@l1;pVx2e8hzCXM&?>v`IXRFt&+{@M)Nm{T{7HU{bfJQ2>Qb5Q=TaZ%02v?DU|&UNZ6ARD{kaL>X0~pAZTi3aJ=~& z5BM!93}!66#*0_#6Y(l#3W`Xl_MS)>(9O}3+-^sQ2(lgi+$J+B|96)xI7}*X@tK)Ou0)Fa#gnNB5?yk_fVGUm#0XwEXShdeN=Olghq{>P9^E#h< zl`R#%e>CbR$Rv~iOHxXnTP+(BwZ&GY(SqJd(R!cmy*^z%gU|O)IDvOYzo-G6fwas4 zs)StvYfKZgZzOzWS;a%TC zdTmzrKo_d2a#`H6am(^EBCW6YA|<0zVuj!}2cmU#UMt%(M@L@KSS@xw7hb2!BVoJe z-aH~AT}=1GK3d<(bbk3us5Z#85FHp1-9B6M56TrErql%L-X^ng?2OsC)-G~V0tWE@ zLGbmn9hFNCtNA^WogGWQ`XMui9ANk-&=K?hEKg+Zs=eNkqW*LBDu#aJl$*iQ2+k;F zG4?SmlD=8-n{7rk!FXT8sD}?5U+h#F2>nZ& z&%~QNu0;})lUuK^#nXL{O&j(%Ql7(|#A6Df*h%4vyi*-ilP*6%IIKNh>qfKQPL@LhF%{1zRqOonp(^ z)CumdPThzw1;qA$!W8FG-*p1v+jP!}X@a5_Ldry$haSX=*GQ6s&2GzQNmYpqe{68) zeZ4d75Ft9qeX00_TZ}hlJJ+_`L`05|6FRvV-%c}mF1VV0xAoTH5B)?x zJ_CXOkmetS`WFW=X+n&lo#pS-W@d`go$RALG+SF+k-VF>!B>PP3bi9XV z0wAgMFtRwy*Bvts##>*%`Ted6_%;-$=$`YWjkZDaoAU(*a2?oZ{~v50G%fe;_`FHL zLz2go|5+>-G(J2+3>$WGVy&HC)b&SRFDP3qWWYOiyK~qX+Nk<_SBJ>wiLKBs-0aF@ zV8YwpBM^R7zYD7Juzvc6pYA^DS+3VpSI#;T%}g zQvb5m4N}*wdDxC{27-p49bAl%!hwhnO=R+8+B}$KOW`JQ16-VHpkAzyP_!?9KeSlO zYMntpU*~I{_?U|d_9lZts4nM6HD%lYbeW5iQRxi$&-~fZ)t`J^2hi0RO#YrtUp|5932dl81~;8cX~SKd|Mv8X?8aJiFKEdYSB( zPteS0RHxypk_Ad}?)Lzh&Eyu!;;wBEtIr{E&*!jaM#22h(<`9i@~ z8Ny1mJ`0n!YUl1&7D^ zm_Jpn_`L=EZkg>C(Sj0F*BC)nK};PN8>~u{15iwan%TwtVRTDbP|hS#A0VBI)PD?c z79^U~r3GP;xKf!vwKebM0EWao9QVr)YjaYA@1t*oG+dsV98L!5qkJu}Le@rK9pq|2 z9Zkg1%|Ri{xl305YqiyB8JRPqSQ3y&O*~)M|J<#CtMrpC%A^^4V-zc6|HHfS!*zbT zN{eg3xB;EQhTLaLf)p&LCkzz0rlRox*V#S+EM|La_=TSQ@8}9LrogCI_7rDs72vZ* zqg!vr7T=B0W3@PlkjcfXi3mn++_ob~*uM-bedRqJ)njTqtl_4T?P^aIe!mA;xLcWB zw~A|Qvnr?w{Xb;?r7j5lnRq8KBo(eJlf@kM(2IvK!(XBl47mUfT(G=hV-ex4ud&jy za3b*UW3d5x!Bu$?6qCuuXOg`L{_z#5c!;^$;|{S`M4bQnAL=m$5QlLI!Gx0PcZI`k zBwfO~A}yjXN9aHL;WHD8j|qi!86tZLV6#Eb{KgjSG0?BYPTd;pZPc$n#)SRYczoi# z-uVbi1y*72qbi?K+neR(sB6qNxZ+Hc7Kqwt>vtosYU4D zmt!^f`xer;r7Na!wfmr@YtIG4k=JV?8d|0d>*W_^E}r!7$Hg=~xwS3NU}7;%Gf4>K zx+IU4aX{!c8rFH5kSGQXp|G?dp_Cv+e2~#^t_NWf0Pjp^FA0`W<{0k7e-UGF_`pc? z(^q<36agY9{_ARF+E1s;D%Y50MSY8pQe2*W`BYvrWa;?G%3hMMDt&}PEsH=*Zu}jM z?LT_~K9T7KkIhRK(nIXF74HQaeVQb<~oVtz3s_QTjE{v+pT)V6O<@kXK6Hngdd-*a+Z}|A7qZwRoqzf)(^7G(5Ekf zX-1nzd>Q>Mo$}lo#q#|QL8T1R&jC*zetvDpZT|+wYheq_aF< zRZTbb3U)~mvtTfCUNQW`1eJvv!Atq{Bx+Si~UHIwkYBE3%^k7O1Z$< zy6YV`;j=}N+m!pn0;e+)7Qe^?2d2IzPVGf) zzr>{N$fQ9YWKrZTWZGbKK>sBS)RY$Rs6sYo$sfSg{h_U7Nf$T{7-Y7C$t}w?F&;S+ z*N!c00NDW}@{fW1fjmg|(R4T{ZE&*nJ#iXk_HeWzkZ4o-?;8u^2a(z?qz~I zeO%XRzqWq>sGizH*zlwBH72q>>+to+#`|e{TW4w1%vp|EdJe1>T%~+Y54G8s?+N@1 zRX1~h+M=DK=jg)&x9cI?ek80GJqE7}Uk{{xX-rgHdv|x8cKj8p|5%={Rg8m~v$#k8`RW~X2YxMedNRdcqHpO%y#u(rV22OiwglyMZ zW3uq`Fg#z8Jw%-!iw6lBL=x$C|Jkz0Wqn@ISdt4`mdj_C+{5pj>DTl`kpvS}>ba;I zwjlAA?OQ#*qdf72{q3^iq1}*xh@eaG^yQ;43fL|*}vzG)+i91{x8`tr<0Y=h} z(7Q^IhpO}hIzojUeB}xKb=%N>)!_iIW%23aBE?5!7N|!!P>Ajkg!LjDTrkHWFN3W4 z>Q}CYRf<$0V%CAiOMa@0z8+FCK8mwyoILUcds4ic4Iv7uck?Ic;PJZxr04Dz3& z_Md8GmgqEdYoW&Y898%uu@HLhmf&@FYD&QP+S{I{NCh8*VqRTFY$I9sTXl70Tiau> zRfX=3V9UFCT+k2}(fvW`NIuB_9P(V|$NR|AlJkdDdgK<-B~I$K zbUFPrPv}w-07x)WN!ODgAO3C=DW3n)je%N|o&jf}e(bw37L7{_HaS+$7byn%&G;Vr z1^mJ5W4Fcf* zg_jt~$5f&>!EU>!b~paPen%8dHR@rVz6V~Hi+gJ;1x*5TH>~IAomm#}RwX}g>SphK zhJ|mYm5_fj_-@%Y4F5LOVw`|@d(6N!KH}QpVYrcduRpd*e8Z(S}NNf^)UwA@u`4rNL|yYK6};Gqwv4jNf$MHIAzVzY}R@NZ)^Co>GTv_>IoRK4{8Te6(y`cp^xGfku)N|Jz~Y$^9& zR5C8?F2DY+oU9L{GRDdBb`Xy>7{Tyu_GiWHB6cTf=Nms`p3vG(D!5!T1V-sU2!yQf+GQ%! zLwx5r&mn%?(x1p*i`qhszBt3`F3@RXU35&5#swSbuqDHN?|*|*b>6kDGzXaCAv8V~wX^6W8d({b+> zGS&5{lf74gRD8dz5eRC-UwJ`03X{?-dk!XIg`9(FM#rT)k z%YfBFUC0s>anf1P{h{h5kDkKy7{5BpU^8PIdvY#M!#B`*MPc zRGvWhfJ5!H`*nx*-aMXPsN3uXhCwMFbmunO9s;4JzWn{N;q*dc;m4M~7F>m~OBYIJ zKzdMg!-U=PkqF59vrH)Uahtp}RN#VZj`QkPrjP+-o87mlzzpRu%sc#XT{?30t%p|a z*98+44i@yX7r93>oj91{JB_MmtvW*$}M643@fep={$3g!Q1R`WdbZ+9Ta0 ztU<@|q`VY5TcYS<_9+3q^KT!&M@LrPEGlTfQNf^{Ksaoi&{T&|ObB$?jwvZu1W}~Q znZj{mU7i@V>D5_X;lRbag&9>Ryih6w_K>-nkO%MHhZ>v2uv(-*;I{M~h-#!np?}>G z8P&}U>+jz?=+NbUSHiq~9TIeLaZQTkUikrX}ZPqE$i zCnS(S1IEI<2EN-UXF~Uv7#sF~1j|*$DIj(gbV$EP-i3?%@~yky?1i}vi~D(9Fd|Sh z*sMF=Qx=?^^K-E;CHd&kwClwTDLJesvJqa7m!0+P7TBd!bMq#6x7f}PZzWE9Zw~JU z3*l)72h)yklOs^*y+IW!8BG_;rlW26!uQe)G^pX|IAia~?^;{K(58iVpz#Cm>w%Z6 zKT;dEGcFIg&Gkg~5ZHYu$0aeed!7Pc%4qVS*8OGUzPSzY9>7rGlW^o7lk^tf{azQRN>CrPXCIQkvjK;dv05T;q7&!dWNvF%l_GO z&#FMU`VHHFi{huj&QxzrS=Ka-wRrW&aKd2koA|16#-uyZa{KI1ZspD7GJ{6@%FEuj z&@VE6X(V&Ga$CyqHr6lX22!I(&tu(`vzy$=T2=Q%d{H02{B@$7)8Iq^;6ycnhQJ>S zL=QK|hInjAR)cSozl9#w2iBGfBGr^DA?ZZ@4%ZUhJ1kVKHV6RRbM2Xr#u-ZF((JW| zqr+$hLFs+Pskbr@b>_c7sQzhbFN&rp9u!)(+sOzeC_=t!T49kly12lU$G=Ykskt{a z&>C_4-tzzB>n*^de7o+^XGTy4B&4N98Y$_L?v`!^3F+<_5d2l@0|-1*A)m zk_PF{Irsej-+SKgf4=uS*X1=A4l~a%ckI3PT5I1AZ*WrPh_53QeAXNS$o3o`Cw|x| zzIk){@fi@7h1`$ROk!4#&H(_$qHBP_i5dSql~0C6l?Ar7StdR$Y8fYBb9yc@v#Qof z#`GmNn0&N`;_i;K-*PnvoTz60ra~1nuB*NQmnmEXK%=g!28`Mg*K z%C-m_RF=B-ZnvNeo`=D(G@dPIg4&tVS?Kt+qW5fA-3}or#9rN-T6e*19~E!wVCrj< zx+|1tr(gIG$8zgEXP-UosW&fqVP7&vsa~V&v($q}$)CK0abSI3^!x9l$ zfXgF}3&`xoE%XpqlUBTDmAx47a$Qf7g=>~WqX>BAa}V4afWiM}bjZaZ^efa_zt)6b zy=*(VF(ZNX4g6d(!Q`T4DQ#6p2ib?G4DvNHVM(To151P%)EI{?sRVxvt=!8D(h9q& z+jO}qIS;k?Tw<1%O=k~#EaXdkjVsT9HScW~V%|Y-;-IT0{Xx$_0x)HSEvQ7znu+15 zn2EV7;t|1>IK?KA+-Lnzye6B}q!akW7+IeCH)&8?w1a}&KroJ;L#^Kk@cMXjYv#)5 z(z~Md+4~#-lUZm$3J9o%0xxFp|B(=ZfU?^?G5c*cV=$TSJycp$+zE*Cco*ZiN5_Cf$(&Z!;?wFJ{h4{a=~I_;Ye&c9Px@=lX6>Pv zx*m}|FGJ>8w$0X5{i(h2x3T22&BL+a>5gvni=6fv(*Jpjo=NvD-7n}1Wsc)7RIpKV z)_g#J$cI_sQ9O>E=N=?#BF0IO2NMa>c-Hjq- zkBdfs-jI)`d;nsH3=47B-`|8x1=cXA#NO)=7n>+w(A#Th>YmOKZp_A~=0=(W14#n^ zY)!1hk*as;#)P!?l5%RiAI8!r3E9Ojub~h8>1)*FVbfKSvG!N{0+&G&AB;p?KIYKe zkXf|diM^aYy1p|iU<-rH<^)E|CNy=Y;kmwqP^<%c;y;ypBq8Q}u`~NqlKHv7OE$g0 z_Z1%-tEyg>Z<}3?2=27Ib79$c&4O^@;d#;%*RZ*Hk_A$Y>C6|jvgwvj2mRgNzDJC` z@K%4WBlzm{&e@JkHi4J-$&y~~&D^_YnHus5F_4Rk3-sk1Fm3O%T(75|{0OGS3+EB6 zL!wifO@GGA-sS!cape?1^_Bc!#F9+JG0G*fYnP9P9EgpPddGcPsxWw^Dlrnx+mbUw zW3O;-w^&sJ=A`s<3r-%jiXjqx|@|Ke~{lRd54 zb)H!2ZZV&UIw|qrmHO!!pczO_J9fO7cz!QnobS~D|4ndJ*`p)CCKyOw4L$@;o58#~ zDSjYAmoeGMLLW>Km`?!10EknTe?dq|$#|rMp6(youRfHh-OlOLPsI-{&k6*&!1za^cK4S)554=QDsBJKc0uWxhn$ErY24M zDRe0E5lbZ}C+`9gCTqy+NpLVN*VQ$D1LIoYTp$5D7&!=~x%dn0%><)b25m(_CHt}h zb^&D(ep`x>C9Don2n^;` z{kWQ`I3CCWvW!((L31omN)md%@xCm%s&WfHVM@p4cqIh0jm2se_=H^_33#`mo-wnU9`J|Di8eQ$bj=w^eSp@c~PvHxV$hwJo&Op`OO3 z01^1b%vPGjriaCQ;^WB)o@JTbq3~J+ty8JOBb?_~jqI2vlw&Q6o#W#_$dD7(p_B}b zB;0t9MfQEuc~UII&7`rE6gb@p*D>eyz@m*KMHbk?)}l#}FI9?YO=LX>94Bew*>Q)8)i#=C0iAP_j;^NAW8J8^gcxX+x z$TIFbEiN`nUFJU}$mGLYJm}&H$R1l%ZX$VWs$I1GUhZn1e&bfkAB-$sdPwaKtVn_$ zy7B)}WEVBWUIJi;)|}DCgeOn6ir|^=(z@z)zR-gG*A5atZ0_qx5TC$D7$nnfSr4}P zcSrF}3Z4Dq>+@e$XsC(KF55uTFV)K)o?h@+_`36mrDeRm#fR$FE$N!}<;%ZMNUCCm{ywIu91!O?+~G=1o=1i zy_CO50BJBK;73b2tF!76=<7%}xdNPTISXv6wiZS556>uB z;PcN8PE2HjU{BKxGo3{jT9gtvwZt;iLZuZ-$fUCg#4>({4*dEx6E;UHw0{Cj4D0R! zf^{xF2JhG+|6*im!iso=vILwY^XqaAZC)zdBw{|%9pEdkroeeP?%ME|2aU>px0aP+sW%k#cOCJUzO5`#v&<5*ncG`Nc9?3KP1qjsEpyygB?~ZYZ9j`5d zVzS9_V+5X97>f5&=(|gLt1dJ1CmcBsmDx?DDa`RG={9oajr^Ls`ExEMHQe2AIk+T( z-Tc0vc-|~2MBHn5OaWU<#(WZ`ZopRH8$hiFkT|WGv?&U1S3Zza?0<9FG_h#yUF%yf zB2GKpQ)x@$XIXwG#36*arw?oJqnmGma>CF54S*b z(ZYZts*@axzNj$<4yhadf_Lz$Hg@tD6FuQJzq-olI`rq6{4;wKsKS#4=v&UVpJyjj zTK0q=E75M?n(?JJyExOJ>e~h~)0m7pHlxeM$^`$4VQ$(GO7Cktnhushyi-5k2%}+Ft=+0jE|i{r`Xs2leIF8j&ZF1a6yJ zs<26?H_zTHkRpv<64?QO+dXj~?&5+ty22@1M-L%Yarr>jXB!F<@kExL&pFNRaFQ*( zByR)F@eJx^YSM*$y_3!H`~3W8_`+(V``cJ{nd(x{sPg#(*B>-cvG}mKD?4^ z4?g%uemWE^$p@(jjCm~tdEgsWm|}$6n{k+lH>rA&5((Gi&Zi15*zw%0X19Aw(%!Jq zHWq^O&E4^G#}Usix-S#Tmz^#b0gma`k6{jK_UGMOyCD4=ctM+ z2C_D$h}kMMa&v63NoK%qC1fx&EM&xHFZVET$(K1r4WaaAt>ok;LU(`DJT(Tkj!?&_ z3f*a-;(e1tU+=k(9C@M>HOH$M2KZp0EHwLjPaF7N|7}Tl#tDUu;|;+z%c`XKnSPIr zaaWQvLMn6cL$?wwQY7w;s1S(CINZo4>JC!630ohXatV>r?1N=Vx=8Saz;-20UgNLA zW*pBk_R24Q%}x^bAxWe9_|Ed&dh{r%M}NP&(bss4i<*y1EnC8=_*Gg4dZBZc#fx$G zrJ}wClv(O+oJ7Yz*32d9zYrV;q{O}a>^%73QY@C_)lG`-2>|(kV4=$wQ=0YE7Sj_L zNhnPux8}v{&R5Z@>lhfVjW74~{zjUl%In5`uVDqAik#2>fLAEUxegN9Ki%Xl+90Xb z1+V45axbDzQ<#~D1OLVlcXdd?8xnBc9A5|Om_>WrAq9lwrx;eCv(^7wXX}S+I;%W@ zD%4gUK&iS$V%HtKr&Fe@XnYp1Res=e8EKPc_xz`yaf)#a2x{*QpbbX=O=Q_%Yiewe zA*N!)=a2kYiSEhp+Lfd!q*vrtE801EeJN`8P9NJl`pwi$^+?AX_%Ck>r{4liX^#Ps zAxhWHZ2p+@PC@;El3DkIFbCCJ=#|7c*E05a2mjvEIQ@ihgzP@o8%S&lK1y^4*%bke zk^?=dv?|*-09Wn4y)A{I+~Rj^fK@aFE0HBK2lXO!!!5`UU(wqr2S8^X^OhHEd%-0Y zbCR9|st*t}+9RS-;MXQw<`E9wwltnMZ~&T;&SgP;kRKlu`})cnK)`cc+h{HLAUOvl z?f~og?*j8j$RUOl`3hGHnzF=vV(tWYnX&E;zFd_7NXF#xKkiB(mG21vsu+-nTY%ni z05mcX4N87_>Oe-|Pj{NhgBX@VH6!@_2whDbDn62y;7zOi#vV<~n=$_y;p9&W-0c2r z7V3&^3*5}*ILMv{R0@6tIPL+8)ihaCe`J7_ywqdDe^e7j2uCJ2fe|57b|Wac&d}C*9#MmW9zi&)LW`l>)`&K={xf1NJA=a zNu*Gx)%P=}YqvRl>hg68iTrIbdXs_TMvu1menH!(DE^ohWcovj2X1v=dC{ zxon=J+^XuPWKV!Of1Bba>5y0>a06g((O|$P)d2_cF}t5mr;fph*Z$}G%t+Dp#}4d+ z?3m>uN%2g}KiMBO5PpjPzM1$_^E&;Q>ePE-?kUc9X#!I#V=R-qdI)dTvq65-^OKhZ z`3VE5LCRma0BVg2z-nC+j(rBN475Op>Rv}lOj!L3(yN;~z&d>-P}DV%O<_*PIR9`1 zjbWRk8?)s`@wjrld=NDa1b0nTcWoA2hY#$+Q#3^%=#Y-%<5UcB ze~t!&dUliwE_LYTdessW0TFl8a6#!b01;|W{X725V$6f8+pJ#`5-6!Q{2>tu+?ZRn zTnad?-&8TODhJ)0I%B*_nDroK95Z9VMT{)LkC0d_#)G3^Ap$p}kK{y5TMp%yYQ-wk zoJ$mDcpB^D#wBDYy_Eq(lBe%%7*@vB^R8@)?H(pjTIIIw{a9yB!-y_7VG3Q6KdE*R zcU^xsLFDEAXD%0X>j*N6-D7}tHz0&9VYX^akf|-dZx&Bu7FaMm5xPh}QKQ>lMIM_x zgq5y31W4e=1K?ZsYLIZ_6{cNyvL^FmiE83E!SqL3C^O2V=JRYuU~zaI;(8aj5P9}B z@{P&5a>zJGZDuj&!q7gbO9 zD?=3NN|;YlJ*(Ex!e<&&wI1zg@^J8KK3i?MSS@CZnSRMEorA z3-Zvx!{Cz8c!OBpllb@0?`T4#ahq5qOV1QXh5^jh1>5cCykykV8ytR3r!4~2YYym< zP%Xl8Aipym0!aCwXLpb8tJo5Jq>YukzIekpsvxd0rM@_67kz0z^ec2CmLiJpQOviy z_o3VqCBaYdLK{(K=p1bZ5C4CMz>N%fi~-j)xUricpE+bd=W1hZk76{!;Wp)be)xtT zio=q;(1O{z{eV}tZ$wtZfGx}?WqL>;%M7T6u~HsZzd?)B3qoDI<)$xY&C%@gN3p?$ zLL_2)_AIY})lQs*hnY?aMRO@CJ>B$}R$rYytdu^sFy8(Zp_`FVIflvah%0Jkl9Th! zKN$xIbmc;d+*cdc(nT8O0wPJ29u|XFP5$?@kM_DF`1ZaIxIaN+r7%y-H*No}EW3uw zmFwz*P;=$OW}VoT z)jQJRm*bTdX4X5LQ*GOMiC*mNb#%X3+W(S&Z7K=`?)}qEkjJ^)X}~L zxYBmKEZbGJ6pPAKPWu&KbUF6Eiv#A*Mt)y^p0~kT_SZG!0!ywRan)^aCqN!ue^siX zL&qI78Uxmz|1yYD>7xT+wyy`t5lFz>sZw&JaPA50R?+RgQg~&KKYT2Z7fnnZtg(Gi zn0O3|ePH9Gj>LF^jZlOsDmvvA+eKzxvJuz#J-toD-kr&3J|)C9-&lYNGY~MEMEDQr zEi7fqmp-$tkvHS2^ggIBq+1DPAQn?(ZT+#gP8xSVMd9^*NZc50v}*x-;3E}TN4m$N zYJu#W>YHtm5Z$KGcxgmy$0k%jhz!vr!pPzd&J%EwWytEM(Z*#d8zB35(?sszlw-@;3|Mi`Y0OD7iS7g!?;TAROQf472ixT`KLd6k6~+%*#6~g|8EE$ zA-M-vx384Rtpb#I{#G@>J`TLXLrz}Hx@d<} z!Uqq>Efcw-n|&$J?|mjxm&cfrCpu4=|Ke!*j&bN+nJRPp{_sSRvwmy+dijOrh-aBW zyHwc%!90yam_Syo_jJZ2hSB{Fd7%109wv8*7eaVuNd{s{2v#V8zTAPmtHvz?{0gNV zFtTdP!i#aeig57^;mY)y`NnY(qUn+clXmioaVZ%U!(|E`nGaA@ZT2er152S(YoX)B zcbx++20&s53`lo>c_t|D)c#%G8N-SMoPhSPcAs4f?()zQz`5ZS1^_yzs;5aY=JNpl zl-C2OxW@Hhgqp8Z%aWDFIG!nuiM7z?uqjE z_2qharT1PZb%KVKcT&eHtf)=t*s?_7XLk6pUSZKui+w;hx zQV$K@I#K^@JTllTBr{XF|Fw3i{$8&{jF5cUP?(-}Dd@0B1N-?kI7Z>WE%=yHc|k!E(?t>);Xu|P0 zdIH|O*neP9_ltMRsT4Ai9I^gZ8S1^sGFi62qAhdDpw3B~Eb~Lf6!z-;EOo@>t!Z>Jpew_`r6Fi?Cy-XXg2$ch$8wrQyCfav1F9ej-j3u~> z+hzoYDkJ3n7MXt?hb8^^4#(epUDkw;7$&Yv!Cz#(e-tJnk8VD7`{@!bkUm`d(DAtu zi-~X$>9A37io)X-l*84J4(7@xj$nyl-L-_p`!#UB!snRp*v}cwf(ddM+#1TCV1m^Y zXMxiii`aQ1ki|nd2pqY;sPDu0nX)M=JC~4COUSOJc*ZONY_%i;oz1_9NJR<%zwV4@ z%wOfBSWtX_$e-;o$MP5+nO}5}-cGbfo0k7WW9~m~-C!Jaq2lg|112b+ucW$uw`0Uj zZl2mZqZ^H$Y=5?#<`E({_Kr$1o+xy|<8_fs9&|IGX2nU~JM2674e^V3|8=yPT476F zEi_IkH7+e~5KEX2_4Sx;SM4@e{2VyIZ_#Oy%75gAZZ?hG>ieN4L=}4$3ru$z>Ypfz z?8I8SaR-15dtWwECmJz9vRU32JdkP<_cmTz;St7@i6lW$7`ZMcsQaSdB1!95e*MmY zJh0zk+?llS=!ifQSNHeb+Log41aruTU-}JiDlBDkciEniHJth5Z0Ug->z>vJ7wsvZ zB&K?yjM0Dn{5wg2hUtXL94cQ{gI0JWG3O~j)aaIF@1c)bUJD(G`IT?!Xk6UE%bB0~ zTY21$`#sY5x1#u6ue6$)ykt{5t!OXxWIf1w>eVNe(sOo7HFM7&@bJx7cXDJKZQPnZ*?#Lsy`o#H*0P0>zd;%!N}%bo)K7$igdgEa5sH#Fc@%>z zks=6YK9H&I((7CZFR!XhCzf2Rs-Jo0b`RTm{eWvG2W!DAE!)_!TOAD{`3jT*>^m`s zG7)ISj~m7y>rNE;ubh1^tlZ_g|H zS-3$0IhZhFy5b(EG27^$O^hE*I zMiHul1T*UaPRwv-Zse7qV}hg7KG*e;)tQZJ@1kR!6ZQq29!d*@{Quk&U%kiOz^o0L z20Q?Q29E_KNNObvU``o9NS5DFRL73Q$f_QXE=I}sPydw5V4MQ>+e+%f)wRWunvNc; zbn1_GOmjs0-Pv57&w^Hy@IkAcPPCPoxCgly%hA1bttWq`gC9erWFN6z`0;g-znYyU zJl0Rr<42^+XAmIu3I{H!Km{pa;uxQ#G7K^xSo#YY5|R5;$e}+2OA%7+H8<5F?tfd% zmCIo-n6YWTOza}#K!xrp9QXcrYx=)VPxzlFDFD1)8v#)@U}DTGRzuY!n$SuecI7DQ zo|K|M_47&Pcm8&K; zGR&Oz^q>&ON5$t{WWEMi!!=jRC)XYAV10h>_-B1`4o{_*jsF1{VJ!SL50_D2v%tMP zgS^I%tR$ryj7x`F6tH?vS*V9_@IwQ}=m(R*52k-CO%PU39#%8iEcsgN_X&*jNZ6O6 zgRn80QO)_EZU6s@E_zTc`QLTStnrA}r}fV+h_PO|D%q>DL&mp{4*{tPDtiVQoj_jS z8MC^2`I+T69lD(Eh;0}B$gR)iYSflF(}1!WLQ^)km1KXdB$G`nJ`2}Nqnj{jHsI2t z9Q4@q8GF6?z(_yA8OX-yHe#20k8W4_vq)!@63ieVujhFx`-x>&G4GM9mgAjRduk%H zNmJ=%myai@@gtHG)q@`{dlbD|*7N!7X^5oNna+rj9~rX*9Z9kVmEC#Os}XsGF952+ z==;F;hik}SiaFs&ivg@Ya6|+4J&E&w-+ra+5bj5Is8}rDAlyXG9mG zcvu9148jbUl}LHf4;K{3AMp(HoeQ}f>=UL6%ngkrs_(2W&Z)JfJuOPc!VOcoa+@}c zWf8y9Wu-}9H}H)GPgvJ#l@ZPM3V&*RSlJZw&-lPK5~V zal372pgHZduBme2<(uI+0{R4e*gJocCpzqdw;7*QV?`IvfOer@97J3fIjA!6ZwK11 zTNw7a8jn`BVBblzR1yEbN!9L<()KPOT0H>K%5F<;Bpt&7RaAf2dv8bemYQi&@Pq)1 z)C}Wh$UO&#t?Znc&;gyr`e8eH-w9&7o1me*Iuy-1$6=EoDX!%E;oS1qBvRJ}EO+n74HToCHUuIS2E}M_bml*telb7h2 z4QrpNQ2gw(Q^a$JBj|ZxeXzT9FhV+VN&1(FC;f9Lf23Yw;by&=#E)<6`pp3xgS_w`*Hu4G50qWBWVw&pL=jcNMaJXY|A$o^CP*OL&x>Ry~bfJWH`EX4R8-fX@Vp9zt#m?SV|HhbRE8SFcv0Q zw`un;!ol==FqPM>FU1fnVJ7SP%9r`enWDzmJg|2$mg0)=cV8@@25=yrssR$cQyk+w`=iK|FbirjefWJ z(a(jWctjZmWn-5bRT?zph;fO%>jW7fVVP5tsGrIla-SNq zJK5el1~opq7vabAslU9=uk7y%qbPc)lr`~T1_p2@S;qPLO%`K#W4=mjz+E3r9Sm#i zmYm^=_)B-2-WJyht?^pba>m!#ttFergh*lyqW>Bx7p+H~F9jF6j352;M0SxF8zJ(T zrMgxz8KN>f&J7O2xpGfk8*UmZaQ_q26Fu=##fPUJ$#rhMYdFAnJW4JxKMhsONGRtukQtR{jLOS?)ThGPoQ#+ zEs|yQIuRo)fV??unjs};)E&nWOJ8n^Ald&0T#8_LupwdawTU(Xh7@s*8C=r@&XlJj zsc%JJX&n(Mq5u3$UllSlolAi7d>a4v)%F#Nw!)FLB#^lauXJ`InmOn9h^@%dwQrxW z!!g6ZyJum0#~hDyKI+;xU`Qg0>(h{IVwIO(M9M>(fUGVmb@aR(`N2!wWSN(e=9-9+`Dfgi8Xn%5^73@|6C795H z2t8PRvqZL!hi%(TeeV5Q!|TbgVKUMu^wYR9S0J!^brkUH9V@*(D@q`$Z!1AMyVvjtS7{*JE$T4Qd0Drss{7)q9b+ZHqf8o%34z;z2fVTp;~AV=ro18UfZ<6p zR%!U{KA-L16V&e1PsMUgKgK(kU;2Z-R|bf633oP>()nzcsh%bC&$m>UMGo43p3u~x z0rC_lV=te8E3C+5wsXEs;C!WaP;^VGE(mvPvBY*{YERzs+XMx>S&6DozDbw;@r-f!Ng!$>n-CaLxE&FjyH6I4jEc`q$`!9`f{I?nL9cy&Y(>#BR=A6wD+W_ce^8B}8_%cib_r`KKD1X`w9>k}ytnXU2`jfNSI6^?=X~C5{BUCxs4Jm5+*I;-Pqg-Mwa)9y zSE08T#B$%B$3si0k9Ga^ZSrkSBY!^rX~nF(A4i83Lg$m6;V5~)_~a`@%LYM| zPhW|=-A5Ec$Z{ywwh8Vp?G$9Oub~QA>!IF&z4^Jmxv>j%b`dW7a)0Za-v1ms4yf#- zKvpf*XfpTc3U^Wg^eP6%64SJnIj5=%^BWQe0~m@!y~u8xY4B~@mDxys%XUb3x2FG9 zg(o27|N7*9DmXK8{6T+U!y)3|wIe+E(5@T2Zi-oNkmqYiIfAUQP;4#zILFxu=L!rS zg}0$o0R%n?d>&sd*7QyLub{z2+y@k1ml6|Cfo#{1Ob1isB;&%}6}^tYY&= zABwH`ba~6+?95o@L8wahU`Uhr(Qld9VUncBtYftm2`A=HHF6wXESwEq3Cz}FU2 z7r??6=VlFk7RcJGhE(fd{Fposs$r(T<>xL*&us$N(!n8|JyD!rDAWA}MGi}BGhK25 z12COE)xlj!a~ww_1=4Sn8To5XdEiyYe4g_yu^a&OnQV9v33z?up_7M(?~v%C916Vx zjmb@(ZApa3fEZ_0jZy`clo-d6qWc;AsET(`8UsvGjQ16l5)0LEEH4kD{;if&;fJ~S zK>yc6@9jG8{(R$7V~aWU#_o-u3&Sk^0GYZ4SF-sF1H@QAioI*ej}YW!9rffA=2I5< zj3d_qc0-oy)QQG9S01jmv;{>G%lOO5+u=Mn&yYjxvKkXJ%1bA0N*|Q`x=8TEIoNQXYjKO2I+Vsu$bO@zH}4T`|8EO60f*#!Prn z#7?2N2-n#onlwG82JtgXE@kgPYka%PvF}B#>#bRJA;aa&*%~XHHM)p#n*Qk3)nkQ3U5JL-e%L0|zFaEw!A9HUL2s9c_%MGnAo=>%}Ah&2U=a0`HZ)=l<^=TloI9BV+8WZK98|Q!djbwRhh%z# zSdwdbDl2c4`I2R~^QM{4j0cMLS2*1f5qmk_9Q7iM8vXm~zu^zZuC=YOr5x`pne!Ax8NC|Z zj~`cLltTC6O(7vNjHkiK%sM1nP;B6OGNP4N4Mq#l2_Epl~@c(7tF|MQ9g z-4nk~vOjfYsp-P(O7H3-dz&;LoDT`Ez8wD?p4wEHN$KhCjbCPkAL#ywh4hNtY*tMl z^}JLSvKu)-9Uow3(VGidhLMirW>5P;LqHBe^+2s${8BU zw+^(^j|!fx%RSt|3b7TiV}v#tVIvPK^Ds(rEh;$VuGc4sz|@{%{l}^O2zTkbtAS`0 z;u|+;#4YNgcr``!YM8tgY>t;W(`)HR_dFQp_U?#?DD0G?pK%b#=7}dnE_hsMFhRcr zVuTmZ;4Zo*&`OU4ArfQ2_A!p^;`SdLS$-nqiukWOL(Z=8$*(lE60~Q9o}ZF~8^``` zglxKx-%Kh-WjJH))EIy>j*`U8KC0!3DZYWH-tlwB%6T(X@MyJ>aDQN>a6m+g@4f~H zboa+=hWXG7SG9cWHVuP9)?L5+{XUc4doaasa`BLZgCb;o%NZRl|6A(*Mb#=)T`M$N z%Q9MvrISpcv%)POEp?k~=joHDIO5u7hQ+8*p_WFufh4jUH~KUTd>>KE{7f<@u_Eg^D3&>Ia~m=qxa0S2h*|E?W+!10;V z_Lfx#IxASCz&Lm_`(YS&b94A?gPOAYxcOK;zcL1JFv-xgj*M`0;t(MQKmCgS2@V)TH z6AsDlw7s?ilu5YUDu68vJ~D4UDA-K<8hzt?*u;5J8#UC}N80XQH*E&)Zq!HmKD)j; z@MkVG>aWgiYg5&pcHM2)(ll+~(9*-2Aw)y7eGuF7JKpd2Fnx8iN9wN=Gw#)<=e|+1 zWFfXXB9F&{A3F(5MOAHv8_n*@63AL=f`+({7^RU|rLf_S%u@kULS);Ay9mkG%>Oyh zKZftJxF(Y#!Qo55PQg)%t@#`qK*IL2yE6 z11+WN*sVM^REyG>Pqr_?K9s$2&+4Ym7mSf2euj(V)f|nQ6$h@t4^;^QhG9m}#-pz8 zk3V+hO>6COf^UAqpyE&4O7!hBF;Dw*y{)%h;e!2My7bGcsXXOi_(g!!yEE}WILuE= zUBfuE?uJcCYB+z-q?969=1ppB=>2SZ?b!jV!DNgmka+}q*CIe4j+MlDjqOZ}ki_N; z!FXaR1Lqd~XH&NSQ=Gi+$&H7an;ScSop~BTu_6|%F!C2&=Pa zP=859m`vQ9(T{7HGi|LQv@#&*et4<*LFV~cH^vhT5r5*`Sn@9YW1d>SRs&%IM-;0m zG_HOP=C~)HUH9nDY|2;e>UzW6yGT%II0thU>ok>qq~H2%-D5&P>shs`BeKbb!v18q zSS*=sH~KZP_2>)%V4bUf;QN*BV+#C}6CWR+_>0Z-oY;F_r88#YX82?uPzpG`0rXxn z5x<4+#6*t2?TEjRX!nD!IG#86N@Y9U)CjC1lOl+D(X5NKNGPknU0Qd_o}}@~kpRGX zzkenk=RZZ^I1?DlA>RNoQeA_a0}2yHQrHu-xnn3>Vkx^vAX+=A4^^G#w@&SJg?*bJ z`80nm&RET(%_DuYwRLr|}iSM$DT{%oANc~hDqaZ?rYN@Z_xnv5J?&7}K)YsUDbtoTN6$v(Tr zbtIy-Zv(7AVhvITh?0^J`Ro6#N#DbF_csJIAR3y?wsk~-F%sKRax59t2w3u}Pj9D& zkQ*GL847V;vu5g&QuyxD5-~G#q0d<{CYO0l9;!USM|4GcAes!&B;ci%lf)entZDtm zwy5_`u*T1ELvI74%bo#BW9()1WiJUbadY^hTl+#IXO{eN8Rv9Qv*>T5UcH0@Qx9Xp zwOSns^9ns%Z4&OrhekQp^v7xIwK+__OXgol>#H0_$5!*8Jax?6By}czYgC-sC&r z`P7b4bIuT9qx|vUTUuP4dq7o|(bJvo>cV~d@WsWy_P5eSBelES6Q z$(okE$#5@#h{t=tScv)l$0T0rBO|1owv1?v>P;1c39UrS*hl4o&Cljet_-Lj6{*{t z+u6=el<6Zh)hULs({B|h1ZevKjK8}0)QNkb~vFP>=u}Gd%Tj}Ic z(@q3EEp+FM7+=Pa-fP=0O`iU3Wv%Pewnl^kjjm(n=N=m}HBgBduV2`*c?RgHAi za(GGZSNxLxTi^6mNNpgf`AcI~*wYZ7uC<<`4=JJ();S5O&DdXTM76wP%~{=Y@s%V) zd>-vG!j_3&EU&U*wf5CKMDHb<|Flv_@$vC<(A$Yg19~W2n+f=EjQL$RB%<}q^zi3a zmj6`L_$QJd!p#9=A?QJ2q&-RB3F6|w%$MDq#BMD7vX(miZT^z;RdNWq8QwDlX!ZS| zf7OjaH$AR;#*EdfiU5S~JZ83?N{>ZsnXJ8fU>HZ{Xo*sFbh%8+@u^XyY#=EX=Gnw^ z!c2YrB7Vb`n61JiNnadmi?<0fcmn#ppaK+shjbK$X;j{Zr9L4cZsMuUB9llmzeW(- zr7G|5oQ1!;?2Y~{kUe@co-PBw%^UTu;P8pE&V6lezv!}OUDLrRXAZ|w`$o?fpoz)&JF(Q ztPqqyCU{R>o{|Of8n2D}4~lFgrF9E_Ju3sJYkdNX=d??(h0&Mk$z~C_>pA|pbuD*& zWmNVu8jU3N2an#doKDid0z>raZ6M$kwjZ(iUxR#?W2RbOh1uk!a)cv)WI|Vs?7-MMcL#URD>+$w5qA=XpnMx9a@qOxBx&gGL$j*rl z$pqQzyU2EEL-4P-2EY>6z!@XDar3vPB$C4<9)giC(#j%Iutx@XXctea=iautTPz(S5QbI*d(H*zPUqm z=Zf_88?9!anfKQhkHT)!USC%oW-=F&4i5JhgUV%Rugd)T&f=@H(g}}>i`|10R5a?M zzhXBEU*grTo?_Bhx{KsGu?4gzCuEMNm&?CPS8>pK-P(dL3qZ`>tU*n>&`BN`x*XVzIvES9(oU0Z|P|6+xvo zM_~S>v1>jo(hD5eh_abtsDmofVmEg>?W*xWR}X7lT$Qs}&!8sV%6RH_nwy!-yE03T z-R5o*orl=I8s#c;L1pZbPB+0(Ssmw77jN!f{s4rT+S>f{xaA zeL#{c`8k9CTak@oNF~L6Yj+a5>&3*gX|*~mEjUbUS=E0Km`akdoQa%NQ^kuZ`f22>{}f6unJx54e5VmCJ_Wi2lfj>!yuALU=CLkrJCa-u9r^_N z95s?unAPQ!*wAg-%$;qY?Czl6%#c=BHA!6g#7*e$pG{Y*gVzJh*fD>JN8I}&33@gb zEaIQ^qb~`Axa6ABo7&>HCkrPu)BVncHW7%Ka;j5f%GXx(x)@&MwS$dmU$WLp+_E*_ zIZqmP1+_)nV@p>fu)sO<|O5q0>Js9w}by7|KH8o72=@9Btn3t*E6 zGQTS0e4|DEIhp)D)d{+^-_NU*Fg7|J1rNF`uqDot^Dd3m_zZ-UW{eV&rEiK+woo>DA3LyAJ-N^ z&0oH>@1XV>gN{oi{qT!g+Y2vIH;?Ux%n^VSBRF=dCQJJw|38K_j1hxLTRs; zWC9NN$o`l4rq{o=!fqX@DgpCtZ}VAoGeXKfPTDd?(lPSMBsp@J7(H*`RJJu9pTTl= z@f(ASM+?g(q#%hU2u|;a&RvO4kTYoXJ0H;(x_cMDatu=VuV^3P-g5-ns`fC_KGx+Ogy!?^*!o7N)}_ z&N~$#WK=KvA0TDtkXMDQUj;fJ;de$gOrtC5%W>yAZP!d~lJ$v^QNw*JDP>(hyf%1VbY_Q|rHS4-Sr#-7hV#(9oJDNDKzTRiGojh=LdgjQ^ONua;cC?_Tt~mzoqe zK$Slvu_==hgzMb<4rTz3mjAftH5$ozMFFVr|3d+ATi{uAP=$1L)k?(&izrZm%QT&H z$w0Ah2>=JEdEUwJLn4QCZNjkkJE!|~+mO1>l!fWXjXIOpH5c0brBOYNcC|x*;c_HA zATpSIfU0Tii)_a3dOZF6HeeQc8qB6wiHV|4=y_LJPO(32NW756EOP?@AOEo^hT@B< zN6OvtjSE(j??XMA5v!af&CxUw<{ErCmrWw<;`R-OL-|Gx_WFhwhrh2#XEmM(CNsQO z|1SRp^T~Y`$xn{|n*7D|lb|SC)WFW(uavUMaINC`-%bV?k$kq$+=`z^fp8~1zfe*gQ%;EaK1 zpS_QJvDTV%{$lRQTPhH^y}iES%Z84zIOn8`wlp+O!3ria!C_BKv2Lwc_N zWaM;Or$ccrck_#js|7<>A=$2K&p|KB{rz*z3TQl6RX;~{hKh(2k<%2-*vg6UhMPnY z`kjl~8XK$Oy_&Kp!9dD*F|GP6z`^@SKgJSjp2$O38bAsraJxUD6YyvR{SnW%No@S3!Q}KeT{-q%W+}}H~DOHZ4wkM z6F_%=pF|+=?yD&J{R1ZsULj@OH@K?s=Gkv174Jv!S!W!-X01JiUY4?NdHQWKoYco& zB~qbeR~$7EO=$1)QMW5Dn^t}d+76xg-W}%)uZej6;b%vK^_xU_w=wK}S=?+xT$Jpe zLO}?xX>fF2lict6T>5?+!4u2vS1ng0BG)&T9Qx$?VQJ}Ue`B=hZI|q?8IQf&Yq#^I z9F_9d6%Qbvt9;l&Lp3t^TU*KG?^l8inP85oYIW>BgL8CqOYmui88vrpbz(rqwqAsL zH@{Ut=QGjHlfj3jrDdRtmG6g)+ry||yxA^c7T2dycfCJOEL$$AQ;WADzsgFN_wAfu zjjs}tUq9a5Bs^bM5$SZI3Vn5maBvQ%3JT3R|L`oe~8e`3n8uKs%$xu}P~sP`fK?18oSMZ<%;qvf7wLh`xfS3@wLFwvV6 z^GjIET|au$)zM`kcTjO)4RFGME$3h z!XnMSkX=#GCJ4nc^cKTExx+{LbV;9>-vzoj&7eiOG2d*y-6Qy{So5`qCWd}EQYk0T z3~C5{Y+&&6i*L=VikxBx1nOitQu@UCriSM3Iv-4sqa`LAws&+qz{HFiJ_58@ z8?)(z=lZuam$TZTsxZbqRHQ$O8+E52?{0s;yg^tpMPwDrZyMcQ`5CHRvt_=YDpr~N zel+R5wIFJKMril6IDAhJ>T6kD+i~Da=1vr_*LK4Nl`H#|S4MWTlbe?$d^E+gT!N$9 zg5+ZF_a45~Lp0&~e;Q0m2JF!yFseVi%kAhaHNuQ6n#%|9n?)fj!-14gH58|hpdG{f zPbl+sG}RrbM$yq)kHWSw;E4Q&a6-DfEjBql2!ej#y&nacCQ<9s3dl5tw^HBal!Oyx zCQ%NY;UXAsEXI@A=?MzZFKnfp7&|)Ar{#kax(UqZj4kKd5R6l+Aw%I-ogzf5(rXeo za+CSDn(B~+yjYAc0t`j#g+E#`A^9D>ho-OA*mc+eY#XFtv^}Van0+&Ss$fmt{5+E9{ex@)R?_>I*zyy z>%`Dij%&s`=h}1A)=BS*vSiyji_933iI3tE>F!KxF@7qP2)3U{{&74C!k{W{xPo%o ztQwh2-jGZKOw;MQ5dR?7<01P@$vv4lD}X5`EgxJi9b6W9M%Jhy3jn5J$le%mWgXqZ z3<-g%DUz!C)Vg!+Yl|W>FHXncRli<3%y%)+0xtP7Qb29B z!yq~1FvZ}6v%;*f`zGyzup|zc3XA9W$Tpx$opjl2?5qJ1Tu*j9y8bj_b!|NS#XG~@Y4^`5Wg z?K3F=0+8k5vJsTe7|Wkugy9$3&1VRn)TK8I^q0YpH^dM*({So$1|o`U2F|xfy|~AX zasC4u_$oy6;>Bm^4Je-N)Cx+L0V?tZacSwA_g<4=q9a*c+JM%oCsjP;kJ&*C-s5Bc!1pr$Ynpiz)>o-oQD}el6rO2DD1*>H-(8@*!eYjbd91q`>jK_Edj}5Dpc9sNuG>qYGle&U(~BxHD=8cEgYJ=&Y4hkFL{3- z5}+LY@EjiP z2$>Vr=n>RNCBkSCJn(i!hy_3JI`^G{;G&Tzbx{UZMVN-fH~S3R&rSeY;GzAoq8I10 zmWZr%LkxE0Os;Y?u@cty8d_SY8dDpwKpzLkj~}GG5J7@({Aq5&ReOdNCX<~m-mHqT zV9a~IIKPezF$y!a*FCkg7am18`gzVqvp;-yO}SBB_DmDFTJ{U4?MHbtt>Mo1Db9Yq zr=sqR962}f$pbphYUw?b_^T&hdI-j1VASJ>l~m7fLvd|a9(S3dJfW*9uAb|;qT=g& zm@Adj*sJ&}%?h5k0Vky3QGFhXN;H(aMD-s?ZDTboIHEa~*5AsYX)OyY#PbTJ`Jer@R$fl;qO?mWAYr1!IeGL}ka!R)Y^ecY@AX`&lNBk@N(}(E z4nEqw8-;7|Q}R^pW4U%hi?4rZIXC<7(j<1C2HqO>g^|S9+zkxW1C;Sy6L0)pqQdn- zJy!+LDC(LbAF@}iYcueo2LKGDIc~>5;uCog0qMHPOOzGHYcz#T;QUGi;Xf^7 zO}aaI)K;lODj<}}DwhU(EKtr^V~C)&g21j0&*99nxJmEq?XO+(;0Y3+rv({e<|q-6 z3wq-D)iBJ_$zmkOLE{2vV}}j{ZyA{Gh-72djOrh$?uNY!U}J%}RdgM@S4}R>#N5l+1R2_Doa957Aee6-h6^a#ncu5^-s8 zM;P$>`TvR6x1ok$?4?JDOa67xxK4*6l$;1@0{xI+OQ5p%5n8U97^(pjb;)JIpth8rL`|28x+b26c9|fKwc(S5?{qv)7%fjJMnr{NlYjK13 zS8`xT-S=iZVP&k8DlJxVA^bE8I)dy+`WhN1QExC_He1{sb}n;1Q80g^Q0V&IAz~(D zVlX`A6$V+bNY~mWD&17n$)4146jObmZ>u@zL$yxG&*l08i%uMR@S3Y*)KN_ zqIMs9&ziI@&e9*$M#_1QiUh07_8j!hIeE_u1h-U0F0RoQg4htx39! z^m_K4wuwYM1c!WT-(mP}CwAVSZyf@6x0T)o^x;jUTv^g~(o=Q!nxNyM3-IOs?R7n% z-{OG9T^>Rv9oS2muP`=2(u2j>;H;Vp|IHhYK^p$YI};UbQ#?K6-nFF8Y?#S zcWdxc%Ja{@xn@53g7B5A>Or0~X|SX0I~ot>vtKp8?zImB3azti70DF8Lx+=R>6Q(o zGP(|zN`7Y$u7r&LtbfE+##2jmvJ=3$ZqB9lHq|>^6bRum}NnZ;M#Qm3$`G0So z)~5w|_hb49-)}Y!(wxgtouje_o(wbz6HH^Pz9=9|JcgYQ=NZWs+as3A4!8?fy=V8@ z-1mU70B1pj?;DbR-2`AMP+A^idmyqizB&emc#=Olw+_g`=qj&<)b&^wd_UpMRd0cA$^~&r zo)gYp6If4U!F`0vn0rUCzQUO9B>ccNhw)3%8(qvF!OZIeS5%2%&p#HmrOEtw)-|JErJG;z%t-GZku|Zn@~NY2GAYE%<3Z z0r-t))U^k;)c0up0paTV!D*W~c>+>JkN>Sq$*_oYUe9<6=blCj*)hTuyzNXvsFKbE z*)o?b8RF6*+vO(jh-g28aZeq(!&^-6lA5Jz)5k^+hk$sNwE0g;PXchcR5$=*!NAf{ zy0tguCz#il0}mJmIHn|w>@`#dWb}IF;bjv9O%wdXoV(!vJsEOauY|$6XMrO2xp9_2 zuCL`;RV2}y0O$<|+_M@_8Y(EN=#gI@P3An|Ap&J^TL(eUPvWCJ4455y9+2J&FM8$x zdDbFuy$JeOi(Q1-+%lvjY|NXx1;OlSM$F`lZG`<*Q&}4ZW6%2~bu#m!`9LaM%&o^k z_ra5+erU}oAt_g>L@j?dkYsW_!Mj{l4(4M*Z`Rh` zm$&ZRUN&zc*6UX2dh`;LZFzl(s+m})wcj7nn};K+3~A%Q)EJW;X=4;jIQ`cCHtAEr zkF?n$ReEd7>9@D0Z>2f*Yacl0;1$ZB9y11a2O&uK=x>n|Y3 zk^s_6sL~Q5!;kY*Uo+x_V>m+;8kq(dyn5M77<+F*uQd ziRI^}rmS#YMXdT%pTykn)Q(Xr%En!kO6jxSj<|_a;`$ZC44c#j zJhla)bB*YLqOtBjh*6VyitO%^7@=5tLJxQjC+7o(`{rZel4%5f zIN>@}L^Z*g9Eh3sP8LwMZ}5(ASNq!sA{)j6wRTDNyZO)>PUOEHf|&yu+cuI2L{?(- zp9SO>dgep-76Rf^L5C`W`)BAquFe6;NIon-dNdD6)hM58qFH-G~yE;Vej?P4wgVAM&}#DrwU4 z(^M7loB;q*;o3a7JXZVTWx*Vy_@bV;HYRZ<`i_Y5!{+;;uA!TTiIq)nn;D%aPv~6j zXM6)Lnwuo}9Iz486xIklCO(S70l9|(!v7{p2Z>b}p|_Fl^6;R)dgd%a*N1r2R!R*> zew7RfAfMta=kE9>h8|LZl~y1u6}XV=d6DW}iHz60hAXHF=6r=| z+*^m-l}-MjP}lGKm*``pVxj0);o%E?A^~qr^i5e!MlT;Hz_n z-i4Qv<{~bwVzdT6T`lcsKoP5F?+xu1|ACR|JY6Q)&oOvd^XE#A2?>VUFo@d3Lx&w+ z`7Y-9x4Xqi8aaE%4>m!pqeJ$iC$c>ElGM=SV`SOAFD6Y z!(g1boMdSE5KH3w6i#pujs_(=a-Zee`5(vXU>pc0reWBA2eNQhsFEhL9rxw(C>x%F z4+c=pa_&*Ny9ZYm&o%6YRTk?bV8Jpu_e_o3u)1Q%Kjs;Jj;SNH;jgLyYpZX^bg zea7>Puet-GXw8qjT8Pg!iWVePn!1l(66e9ID&FGHiaHNz(i|@GnSA=3eTXeM=_0+< z(Gke9NQoexDrRE2=@rs)Y#CitW7A=5lOag^=g1;cmDwXu_V(-}#fME~tO^y3`&H1n zKEY#A^G*ltk7L_FO;oY>hAS^;^{;s0D2a=@GwKR5Q5q-=`QG{leBbPW?KCuUoU8Yt~=j*_SBZK+vbIb@Fwq)smHL^mviwch?(h|MrcSHKgT zboi?=4V~LY?^~ptQ@ebPEmgvhzs~pWl&R;xba#2&p?OM^w=UESE$*ukCB3Vhbn_qR z&b-bHD3au{uK`{f5O#0ATA!$%x6b`*S2KuHIrulrP%`HluHV)0G@w=XB+Vkk%|pek zG0leSkb|5E1H*id2kfbUs(+LI%^Uyp86^z1OI>9E@eP_3u;5sI<^0@eC;DA@27W&? z7s6Wu9Lh?eT3JOGVTY$3p}P%jtxQQ4{Q}{GQv?iYGU}STZ26szLawu{>HvAMh~kDD zoBd&UHMaJzbY7W`+wvb*)S{$K>!Z*E+%ZwKhV1%BMcmL+-moTxTJVJ0E5NVr_DmLr zO2KEnqf>adOvBqQr&F7!_2N-@U=G4{IYRpt>epSh32UB$7qP0-v59(?Jrva`^eD}L zXZwFEN!p|@@UZ?zB?RWeBv6hXSA2lx&0<(+;i^vqK^OQu#`h)~C?D4$qy)E-ma4$r zUk~T!g?nopfN5n!_`CmY-V+SAJ&AIFCNU!9F~*JDa_3yaJp4xDCAR<-aqr^jHVn}{ zEF%VKL>J3QT@_m;T7e$>{=ij{(feT*JK;W&-mlTm1bpILJh5=4sFhv$?y`GV3OHWK z*_;R+rM?Mbf+}9z8Am=@J0v1^;{ERhu0s35?l?EQBxG`@Xz9p75IX`Nc(V zF4*(b6KJx>j~mVSWHz4$6yPK6twvye-f7QhyrI6FSMnf-0r+L*3iL2!_UcPLqX?yx zee_QIlT=X0OG|obrDss-kwl|*b`K(X%M6$llyDZXa9X`~vf4TLiq<-!bpW0%v?B^kpehk`THkr=wXYD<^ac(` zliX;9m4T$DHNEq?(3Uj^C^opRElgv7s?!~=2SW`r>Xbq zCGX_mA0cG?1uynbX!Y-T=`mwps~Cz3FBW9k~%;-X&ro@DAd7zf|~YaCvKk|352 zDjS98aE*R{4?vz0Rh`~bgHjx?(M)@Z#1;d{7l1@>B@_Nz|F_89B&B24bIw;7pg`>W zKpR61&75wLI$5P%y+$(DgG7ez`r~{j(8L1ilVo<$^|H%{^NXeg6swH}_@5OGwg=ky zzfXK#&BeX22IBN?+!-x#s^Jv?Yj_R zY#s9BD>0kWK?b;>)yy6VJ2B=6n`U;*C|&%Xf#B;NcyS>lQv{`;%#DkG_LzU+;!9OFzGrG$*mwj)~VTjFBQi z#2b`V(FtmT%yMA>>r!Jb{DAAI&xr9`nE}8cw-P%uSs}x6|(hh5;6}=ydBrp`g9Hx6hGc30`Sbzt4 zp@#3%BMLdz4?|0DxyrRWK;!wO)eo{4Qn1$x# zOn;obDK`|PD^px32=pUgv!CzDNi-&lCDdOd4ytoi4QH$HqX)_MbP-0%v&yWa)x(i^ zUF&5Y+v;=s)Q+*d>yDi7`K7`2sVMqSwK~bLeD?evx-8CPFc2rtg<%@o3&3>8OXu$n zpYn;u+oXHN;=o0b79Q+7{%KY&h9o!$YWn|Ih^hIn5Yzw2uP-)?6wW<#RVo;Ivzt$w z*-a2MOYA?27XW@t`Tc$Z`^%t1HW2OClutCgKD(DE{>r$M9yOZ-1swm5_~JF4C!t%W z4rcC=mOi(hAKD>1D^$687tx4`F5hZ%pTT64zL)1n0WZc^KSax2Q{mS)3c2^zZ_>U! zvmDe(6%?`vOZ=QhGaG@bSekI=!JwtIiTOb^V?3xmXLZF6i+*zY=y(oIRQAhw-0Y+h zMJ3ud(u=v*=p7Oy!#R~H4XG~aE^$|BYVsd&5!CqG!xvr64q#c+uXV|QcV>%&_S+IO ztFz7Rti5ZbW?3(L^@rI{%qXmL@d_{NMahB0m+fy!{GS^+Jk{3(_zD@>DEx49O~_5h zt8_?+|9da4pTMTb(;BN_2*cEhAL??(z6oo*-##|OkxO_8{K(3%zz;-&-a1*X^=8O@ z7{uz^E<=XTx~1|Oz+}Wz!|*2H+GSUAQ>b<8he^YYA6`+lw`*m zR!!3X-B$13-Wb!`sb?}WZZiENgP(oRJ_lsc&`DT&q8E?neE#a^>c>x&F`rLivhLR zoq>2?C)_GdW%aG{ax-XDTX!fPS}i+U!dwl}vDCq^}p5CbFBV;G{<4`$qZO&gv? zI+yf}xQ`MkqM^W_=&7#w$l`}!R+ss90m%!?i-2#_+x%zpz63>uegpA-LFvV*{O{F| zaA?xKR6MU>iXYcAbznPBq7L8iD2!i)7??@SrN2fkeJ zb_Xyu26lt47+F98H=V6}bVpWvmy6n}&J8K_{T-9{HkA_bp6b1EzSWODzOa1kcH*TI zS^QJ%(lV)}1?hDV^HT1IS{waLiyGhGiaW3^@l&%68n#mTl1Xew#F#ozReb4Ov1bdF zT1G6M|7@%6d*qXWf?u()AvLj?X7RCcj%5C&(aP!Nqbb7t?68=lX5903)MFhoLbjV! zZAu)e9IC2sq)r4PKUEOdAkRT0?(ABfaIjaHSq}if;J#f zpA+7Lyzp|9tNr0WEw&ZulKJO*z0;tMFBEG97A|h?%*Hd zEQGc)Y^JPA=xPf7df~%9%c<`h`?&Ks%6682D{WkP__}FK)aUC;ekJBO`T{5J8P$k8 z9mcciB!hio%A(cAtC<_Lo*D&%8S-y-NWexi8pI2dg+}e_&oX4_fE0i@((h5HOUV63=H&4r#u zZU^0ye+N5evi0u44&1(@s(ZKK0JdMK5L`ixbXLt@2>BI;=`?9)YdfZ=1>dmwex}mq zSNAy^$~y@BCY1o-&Y6c8EPsr_XQF}OJ!rkOMq2u>$OR4bcY(J+Yc)V+(7Mkpaw%Av zR7$m)9Xa-x*;;JmTK81$?%LF-90bv{2IXc5XX6mYwJ6{e`ks3|#(xvUgkn2b`oW6R zJ@ML>d03vwC$aT)EGxD-+D;0yPw5;nqcdXW^y{I%x0BAUnIGk!1W+8}SWG{h?t~$B z&07A5Xiv9kYtpz()!v$?5ega7x_En_v5+YFl+9UlY+}1^K9q~HcRKh z0pv#~@}6ydE)F^teUsBMz%`dJ zvKbbBHkUPLE1mQrM|)Kx!{a_JF{+>Q)WdecI&zONV!ND6Y5Ej2wkU#;4-!mm(tGr% zUaMX|Bi6T#Gz+6hM`N_hTOTUN2B5LXyeP}NmwHT&>4Y?)Hnew}faC(5RW^8IbkJ$O zHKep!BnlgCcpGIsv}!EB-L%L)h%T0tusHD+u7#1CPt~K-AfRS%{ELkT#zOReFJ@n> zm0aT@EG;ZN`D5$#ft=Y5c`!6Dr@&Pmfhv|qih-8q^|DoGOjYN|)-xt?RM1-uE)p2w z=;vht2S}d-xat|U0(B2<%%40elNsEWd-(bc19)%p7~GHmZUS5veF0b1sZ*t0UR3x- ziG#jLXPgHwN)halP@hF7m#ofu&F_M4ZcyvZ0&AZb>cPIFk@vD@d$=;l6(nsC)8;)s zQqE70(H(f}YmC%?Ifd((5!FZ~DsqQpJw?pa+0XI)8NwDw!Ya_1yK|oJdrJsa zC-_3c*_Ao{OEPy&SRWBZK{urS3F5YIv;jE96cCpB96`uXJ&1{4t8PGt$85ZSZzONE zYEZt#S2||Av^t)0Sf(UKv$)~cD8;u;tJnSV3VWkyi?&7vzgURFU74f&^ZPc9pI3*P zVf+Vi4EVMujPaZEm`}f-v#1|9dA;>7u9O-aqK9#U1_siWccJCJQs^HM)NC6DFDebt zDcwp<C#!cqaQr?^tEEGlGb=)b(vN(?fj)VSMMM(j^Q$=C^fyMHH*2 zs&?@blGbaMQxDU{s@v0DW~t3NX|CMfmL7Ixh-Jj@$QnJr4JuI=vUJk;edMHY1Rbp| z!_`hD)HOe2z0zT-@>9WzYv7zCFpna&dWKqsNwDTltZp z1sy_v;hGDgPSBBsy{%E~A2 z3RfE@GveiEC#T@+Tc}Z1>c#G1X<*rOkA_%C|EJ@UN~Lu5p$hPl5u8>F{~@P4LRjki zg&2uz$q2WlGI$pzZf6NZP7xB;_hpP<);e@a=r+u^DIMaYQ~`Md)$-jj>@J4Rh0eIT z4PlA+a-(U>XkKo!5cK+}kV%57dO*w@b%BzgS0DOB{Y?+cNC7mD$T~uVQX$*mq< z72AABK%v-A)Cdwd14$9{LaEEpi<#R`qf9JE2c|ocz{#!`*;sE)$v~3joZCZXceQ6< zX6tHiJsv%~TS)|~&yJ%=Pj*Hy-X+zqXUs3jnoeDqKdRxVRopXK+P{PdT6Gdcz~#ksb*EY zeG-S~r(SdqhnyHYr?JYvNx?;V4j!v;6XF{Z$|{25vi>{B*S2wGvE+?EsCjhgu4GXM zE-Er!6x@cb4^YMFEsTGFcl>#F-R$5@7=1G`?nI;h(DR*IhWwEXnhBd}b(~;XECq^_ zr^ZfhEpqi{iSnH1d zzmi?_R)SD`zZ1}pi&_%0mn?4zSzZSnHoj13)-Y(+=m0I}b97)|2LKV>ysYD8l%tdL z`@4+qXEx4j4TtYqe%xTwuSm_iP;ZbeypT?v;?4=Z%1tEtg=xv~DNcr3{i!n^JQTCR#;*CUz_oe{(IDp1w6_q3)Z$)|Z_#x@Y_Np~X)1 z-rbEKtsiD}v_!8XM=cb^0Ua&a|jc{qrhS}2Cwy{9fF3J_ zrF4@qJX)NY+fJZWzO41_Peby1G2T$RCov8mF z{Tvw`Y8}mEuEE)$aJiv(_9a#*)OokIOz*eKcb?N9ZRRDL38Ny?VHJE2RpW%mjC=Jq ze`+x|N~+V{O$u&OJ5>z-AS-Ex3KvZ?i{3@-Xu+;=VvbqKnyiVx9Ed*f8z|sFf{;}( zph@0YKN7p!;rn5=Bq~|h61{<<#~~Ut9Hx#-wqPu$ zDha}gNY7mdLwZO|!X0poG8|m+p?xN_eSvG{sB4lL`Q_pWJP8R};HKk4`?iQxnHJ4E zvb&7``qH6Wn&l9{E zuO^i`soW!a!=rC|{l#{=`wj!*%4sKpNQF2dojI!q_Ei^>B#t?Q875V(OBpXA21^uZ zzC4)2Jko5Iv?ork{kU241GL6@8`BY+fFq=bW%_z15GN-v9WPS`x%;!QdlgwHI1t{l z#!=p324>!Iv(#xG1mzEg!b4wQo~Z=-ii-qERttbyePa8;Pbo;pjw9~*i?XD)agX>8 z7U628qQWueo$tzS`ipxODZfe8G$bn)+-sWQ?mDA{yY!lKuZm2gL z%?xtf?}Uu)avs)=Y+%{7M)3Luj|jj)Fc_>DzV&+92?s(`Cl*Ae6q<|WI8|@2eDbNa zQWy?aYbFhyJF@zfoAb$pW6md+Fa62(#VwJ|C#>ViffM5+D@FVW?O(WJXn08=LaF6+ zoMv)(a7zKg?;b)v)#A`nR&psCq}2BNE#yE2edQx+2<7nCUYJqmu(#ha7$tc)^|em5 zu4K=x@_Utl|5aAE&z90=&V*M|?U}D>{*#5yW7P@u!G|uys^76yQ#w6V^D|&i3-UUj zdVAVXo;<4!Wa9N+W+tkKiOhy@Iiuh_W!Z49HfoSk%yjiAy`}c{23ff7C{@^23 zGM@R})5OGCwIUX?;8VpWMU%@R<>JRW=5H*^w`d--6Qp&_ST4>`!6d3@E7c~WQ*uq7 z{GX$D_ZzO&;Fidm{{`eH-YbWi^oo>GPE3G};!#A~+D5s3go(ieKW6)IA`}RZ`=-&S za{vd<4+*(jyA)cgv?Ie6Z0CWVnaP>X#_&-Jug&$usVuYGnl%P!Tyf9;~_}~m! zD{j9rpDM}iM1bFoPokYnp2zLU*Z1Q{6EbIx6DV7oP9w~LDY^U&wPR^dWq06P?Mt(t zuq!^(djp9HGh&iVn3B>gj88PK_iRl#H9MTq5-Y;$GbdKK8Y+nvC=11KfBk@+TupP0 z=FEpbrg_kY1owXQZ!veE8ZAXgh6wJRFLCfhy#Z5 ze0urH^2Z!@H9t$j1oyg?)}6=9&799TYc{AMN9F*_xpFEfl`;2e8Yk|4KAhMiI2}}I z^R@NBoH+|Ww=_?HPaq~_xx>`$+L!y1MI1?(-UIPK^Tt1~Mqr`Mu&jeN*PiYb(NpWU z%AIUbYxLscDR0c-$s3cj7y_qE%K&;>zI20$*-t7}wJlE>X&zcAwT>PKycGXVV5o^k zuZ&eG+yXj;BqSs>4Ec|SdY0@I<-tD*4i%+)XOr)$?LmWy8>;PVMK$s}U1z6e+Z@ll z5#pfHx|~(i6v5S~#f#}}>43izU=)V^2rQ*dKy38HX%V8kD}hUO0Mvu7$D3cQ-+sZahf`= z>|Vn)Cr@|WATlFdV9Vxj8ajmKjJcp3Qtq%f(UoIB-JE7h#-|jzaF7C}G2^u@GIV++t{pY2gpE0@4T-~7S9NhX<%YncJ6Q6nx z;nl<9G_v(KhHmS|d*w-rYt!;{vXU_Zs+-6fXXAwe6};LhMPKB{_F13Ft%Zi{?eG+| z3AluPW6QyCSm2@ilER{mdu|aLamW16BV~(t`wPym{u-x(KL%b?v3I&Us0b3vLV-Nk z(AY@Zk87~Z`d@~#J=;IYMKucFTRM^@IUk#568Ub~Nl&eCzV`Exk0@8vVie2L*&@qQ zj^NSx`H+xEvtUTn?!d~bpv%HzRBIcmd2m18 zE#$AZ`McU{iswl!>N9tH zd+hy-2En^ZMJ%{jSxUMPUVx70IJfihtDw~%)kpr?_+yQe1@!n4vGKo^mBqQ-CinE+ zU^{<~>(;lG6cB+O)7bnSpGN3sgSCdnmbs)`y7XP;V?K?mWFd+k&#r~bgOZvBnUm_o z#KbMauoW`za?qWh^PfV_ga9I>;ar0Pxm@H3K&ny#lvGa$KSHW&&-Tk1Oh0j)lEMiY zoS2L+weRSX-13%(uxHpWABAk6|C!^t{?*2G`_!T{|Lo!U@hz9gcZW{;93*dN2h@y6 zw&hr_Fho{-sav`|*5z2W2jD1+_mrP#1Q==L;``IRZylc)i7d1)(w#bbO$Mt4qGP>y z=U(-=eXN9`+s(|q#sv||Kg)xM!p&-spm7Rgo^!V`D04)K&VAROQODjaApda?O&&`6 zR~-06?*IYp)~wj%iih2|Z1pHlys;GX@iq-n8^^a&lI) zv9(?9h~tyo@ew@mg9tFT-FG6+_Gd}X2U4s^$IxKo5#EzTuX+46kPbgO4v`9q>T$=z=vB3=l9oD zfUo@gY=a3hZdip>13`p~W{q!Cg1Wz_Z8QG7ERkw(SqiaWt?$j9y-8~$5`s-@h3|aQ z{5V1P?g5$6i=hx@MKoW15Pj9|_IPm*s&t@S7|SaTuUMN0bPVZnQ*>YUcDCjcOsZs{ zXmP?X7Cah$d@iR$$DB!u4z{zLJY}vqCqLkftH%cw6%_;Xtx|<0F_NdxjarBx1P<<& z0Eh1Mm6a9v11WHO8!9>+_IQgbUq+wjaZfe7_$Z6$+p7zOhJ~R+tp|Omk&%(;8KNOY z8y_?J8D2QjDfy!tW3x2@ifxoK$gvUWd=WylV1%8{Cn@ zoapG}1jm`)+SO%lc(?udfnOj!5@bvAH@Ewn3Ud!kVqP;Nf@sQFQJ=F7acE#da(EPS za7-`Z#3G?qJAITW-T)9eJKhD7P#`{#e5EZSd-kRm$!mkqT<*^J2e0uqLQdyWdr5S5X4avvJ0%rBkXCw(IU~dT{p8 zUdZ5Jc|-t83;L^kED4XlAkBX7S@lFA4Q@)ym~ z`ILJKES0n_oi!@%SpWF4q8}UZed*+=;}P9ipj5+6GcDuU-OrwJ9lauRmk7=N2+ij2 zBZkf@rDuw5ot;uGI!{0xCb`=teBeg`IllU1eXtjrMC;9cidXhBZMj4A8o%uBIN`iD z!`qMDJ^~J!|4DJXQ-Za>2YRA7e7~U_tq2IuUP&|Z3CL(Z61?8lCvUZJGx4xPC%-vR zfc%_JXnoFejFv!`%fdHEcZc1L?r&X#k)!hWXH)i8W$$j8y$@%mo{5Tv^bmGN`JUP~ zoo;xYpY&u(GqM zpEEfh5&}AcTwM8r))SYYkI;!52ahEJ^d}kf?}k%SE85x8d;$k%Ewu0LiCXskg6!w@ zg~I{p-{uEvA%%ky2VAe`^vRd<_pUKTz0S-!aSPGzPKf^FoFs=BD4!%m<4Hd+CwfnW zEJEBiDGnxLpnKi#o(DOEIbq7)mBt;tf8gw4$p;f_WVgKH#!CsX+JoB7x%0VBOb`}a zPTcU{=^pa$?2Xzjr1Pv!#^Emx%yBeqb%G0Ey|@9}dgr+X5v+z^Xkq=p`$g;cOH%GD zRP`%|UO3~N2HmI3pX<^qN~^TfLdp!Rf2us5*9|8$9uBKGrdwxTQhKW`JTxmP+RFRP zoMqZvXd&UiiaylNh`1?E;-wsQS?;HJjc1x;y+7pE;-5ykJSHu2?(^c(`#z>vi) zMJ2v)SD(|O!qw~F=h&9?vd;vC*?u20$nNmBj(ZHw%C+#AX|(bc+!V=@<&#v7A@!mb z{=WKpN`7O*XIl0~U$5m|!o;1KDY5%S(5)~b%d?3hbe1HWu!y@9kS9_=``Zp=R4Id$ zcpLje?4tfA>xgUNACoTd4PL$kBC$>^-(&RqU8TGy*8Q2tLuk5ox~)sFap5ayS?TxK_lSn0XDwSB#(YpesBj@+%YHQi$WJdawWNTA1sk>4FC zun*>r^vpo8MoV*1n4+nQ5i#~ul_LJo|Irw zSdJ%O?K^rCx7@+XAZX5upy`0Th4FTA6&)TT6H0HdER@bQN4%eZF?~;=rC3ql2v{?? zJ)=cW@=pv{ko)l)q%$(1;(ep2dmxGl8F-L3r!?&syzkbI@trSnns0nAuITg2nEdob z=Qby1_{Zldd3KI|Pv{~#Zd+a%7#L9GY&2e84G`-$p4`d9WoDCU=R)!E-uV9yVQ&Ey zWwf>pKQn}MNl8d|3n+r5bW3*%(k0y`(%ndibax6fG^l`dNeM`YbkF~A-t+$7S>HP6 ze5_e0Iy!6Z=iYZ*u{RjC+41qQQL>Tr*d_G6@b_=_1ZX{vX`?^xLSE^doBr79x?^CH z{dq7ULBF-@XVP5c&g30~Rf&XZdM`-MO-KEyu`mqku;kSY)_COA%#x?doi z;$z-STmdsR0a|xkKwv?EpOKh=mxEyzpFaPR*1?bC=&Amdzs}B_6N__Bi;5J6kb$D(o{Jx!gT87rj0ILJ<2ZXckJUsE zY;2&s<)6W)9+7Ouau|pGTCj!%L?8$27%uhBA2VWMmLK_i)k!z(H`S`TWLJ2t0LxTr zHaP68v=HS!H>JUR{8;_n)abj{`&TM&2$3ZdI|4bFOF5q3I~rjD!2mqKYwgp@OW6Nv z0fcY2mIFRC2V9}&yvjlmWBib-#JLiJi--=m8G3ZtwRbhtU>Y9J`pHu zf}Qt&OvmD`3i*FM@q@;3g$D#&eEGe5cz+$otxwqpQ=kKu?^kfSb@x1PLR20;VJ6^O zA(R#zTq_!JaR-Wd>T95Y>Lk07&xtS)I7-!R+)37_vUHCpdOOC&eQpI6@|m_x@I6tm zz1)k!cjCc+=qPUY7UTZbdx-WwRD|1Ok6g{m>VXH0ECoqScgRq^)$QaiX+qoY?(Xf5TryubqU_uGL%aKy~0U(L!u`juV(`=A2F z!}3Rqu%Yq8FG99mi!a$aGiVk_GeqGp6x@CJH{miWlr7C$VKe*E@U_=J4`t{{CAmq1 zhK5WhM$AXpO_$iseD%9e{V5&=A>%*^?7Ef!u`l|Cs6dnccMH|z#H{kQ=_rVnENz0t zqlBHqwBqrxCQWQ$WM1=!ke>0~wNu|mp)8i!FW2+D1XvPEOgG+&M1|*)&R*?I<0%OY z-mAJyqaU}SaKkeL6$^9Mq>CJV%{|oWkS^Chto&=zx|1nQzt6@*BKn;MyeH0Gu*DV~ zx3@=w6C?NYFxs7hHy?$lpL7_zdwJaxiJH8WR-dNy!ba7B{swnk{GSGG)RH3^Id@SVXFT> zc2y^Rm;GV4e*8W41>M$7Bp4`K-KCk<0-0&wu>zCM(<3^P;9@1|$Lfiuav5e+!` zI54;o_t`QIob*dEfOUKlFSJ@_MKFdt!&inZN#kAwU%L0jJz^7yuJm?ZUg;go$Mztx zZ{c<9+tg55!z!$3|I)KNrj-NN z_bHbI%H_ZZiIp$-;D`LCjSC&51NY5iAjV|$3@O-53?e?fu*$!_&) zifgyx9kGB(HLjQ~#S9Pi^*`e}+*0jJorP|9dS{J%RdENh8Jpb}Ak>dk{K0#CyJuxmp`drlNIcs&hKN)r;gU#y_J*VndE~WU$d#45P zFMh{9Rf(Eq;&L6S{Y9Ej4Ay17EUD!i-Gy_ zgIos+I+*;j%^DU*m+nYmw@0Hu;O#2D|M|hdrMoZL`>68EndT)KZo*2yN*~PE>)E)q z4PPThJ4w61?k5TZ5a55;i)$3{XqU?!VgP~b-Kb&$_rJAsf1h^@aD!K7KV;Kr;Y4d`ybJLE@JOZTh|BS-wj$(uVAPR>maO?`H%??=@>2o?PJ>?#0U3$%R+%i(hN)i< zlmtIE@Ei$p27qY0+-rcDselb&2HOaHv@zySIoym*w4QZOx_&qi`U=L~4(ZM;NC*qQ zmKX_%3dKhcgMWA({-K9Hg@#1jAe;!2m)hSz0kCchXuO2T2t-J=|9S(IbcvDyd8j2= zBln`o7i!KlVP`2MeciwJ6Cv730#m0Zyf0w$T!4KpF`c*X$dij7uaVj;q8r&VMlj-RUPPUkzeOX^ z@(f;_-ymvQwrvUlylo_R8nf=Jk`jbsCP($S8Z{1Q)4Gi-vq^!k4kVlJz;<@$(rbv1 zbjMY`Mu4g(()7#0yJLBbiKHlj2Z#_qI!2^t`VUTyVijGEmI;QT;iz1O_?DIiml+p( z0-yD8!>$#CF_L34G+7Pge0Ub$_Dy_i#3K2gQ*KAJMqHQPL!`d4Cg-Xp&$yN;?e<|; zDoAwOi9-lBYmh5oWwwTxe&C9rN7t_fYTC;?o9jA1EYQW(d~N!Wab@x8Qx4c0n>siX zfkoZa&72&_Xfe=T?(TRr$}QX+y|%_i`cQ~ja*zQXoKH?(w|y4{k{FLC6drozYEfiB zw$Or|)6w9>+;$*(%rV#8{{16`?^%OyHR#o!MVE6yfH}LT>hGmLk=UpVb5;=hl{Dch zH{*%~kOEFFE_%qx!O8HRzt&)I^L5cs_G1K~yW4{{LeOG-D)9mtz|Qi%busR#B~117f^03!nw zkP^Y5A(Q4Km6$yoC<^JByOJ7R*Z`3Y9?r;`UH^J=S?~Rngpu@41+5(l)DCo zO`e&z<@Q{vI;QRGYCKIcYD-R2Cfd(%J_;4I8>KbTo|4OJhweNn*@jea0FAm<)5;A? zuOI&%9hh12Z|8p$l~k`ZNn|H=rdD&VK5@RAw79KkvCf1PnBwm2uT_uOzTmOg>1=3o z_`)&mR?gVmgPzqlee|9;NdcV4TI`hf4l`HX+7j@t%5p96YP_~9>x(azc$fO$`gpC2 zAO(Wdqxz#aL^q~HLJ*Yt=YC^ePc~RLI#g6wS2cCIF)B<^hFmx5KQY?#EQfTA9K06$ zn&E~#cZt|(wEPF#Xln%$*_Ycwu$~{?7}LgkzqMgESW*3d0Asp;OR=?KgHUG@84wTW z<-oS8BZZKnQeg*SqTruiIk`^4PS&=z@WgX*4VckH$UrOu9U#0iyH zH*Q-X>rM<*Lc)K>emA5XD7o$mh>Xd;3XdH9Fl4~S?RIBw`%TrhZS3}+lCcwz*`g)D`Ylil3((Q`htQCf z-el+qME@P&P0!-#ZfQYfAaZOmOpR?i8EDpM%-{WP;gsaFxfR>#vngjJ-m>>Z;ZQgs zA|gWWd!$-*+-`r1;^?eXJVVw(0#pZD@fgD<^Jt@euLy0q3K`( zWpiIJfb=)Gm;g5x0}+>m*h_pFR!$I1#@~D?`|43p6dpi|13z?LJFdGJ3&_mQ&F(sM z4#9i`mwAoXf<~Y7`qQTDes>GnOJ|}x8NdW8FBogb2yz-H@)*9ark(-p9|P`?0~aZn z$Ev)M0+W2#o~kLB_bZPKqZCJu8KS&*Pi!kE_dk}a+nE_i zBI-O7u^s2(Dc!uh{7!AeTY3m$j2#V<8{>>ZA!cjKwG9a_4cePlLfj3xZXY6Cp{xl8<2kLzss=`P%+quF8a_-_0d8H-l6Dg{I4 ze>Z#ic=%rwv4@i-^Vn&}nr5v9fUEz;6brz~Aq6Vz|3N2xe&C5mx%HTUmAN_H*8r&s zixeQclB*Mb`#3%^6hz4-qNVVo!tgLISDas7FTOfzp+H0N4VQY2XZ}Xkm(V$f&RRhV zvJI{MBwlbtx<8L)NlO*^E%dU-N)oRCj3#^&w zkZcR}Gr*g*UIVRvgempU(R_QP2)3mE){A>#^J_fNs{$IG`G6>v~ z#^g0nVgM22Ff96nmyqaLK#z}}AoFPxk3<&PgpWdudF#V>heMAOxJ5G^;VCT{j@Sxq zI3_)mn}%Rnoxm75Fr&Z~1=yGexT_1O8P#;$8y_LAA;8DGRpUcogi&j-#2pSOCR zZ3%Y7PZ<9WLB%${K2yQ~!PQ)qq3ijI6x*-a*NWa6l|@U`r8;c=1?M;Clf31`tJ+G( zfmHfMeHKB2HCbCN-PeeGZzF~8`LvOlzxxxj z=v`0I6xrQ!av?h##>K`WX+H_x(Ub_m$6I{G)bGs9@?~6#>ZmdrlcYjOU{=uuYd}2OfBi!7EOv7)z;1GaiJQsTa%`cxHI!_-F>C390}j_mRUp z1SD_4S_Zx;PEQyJ|3K4ED~nc(0XAoniKu+pfvjmz_*+dNU0V&r`)2=s=jeesNWiVz zBa4X%Ha22Qo%#q{S|l>1vX54a!mn2nxm!ii_UbmUaCkD=lm8d}BqQjdhUGL>;a03VvJh?fx?$D7gv zyM*PR3+|PBYl;x}kvSpbW%HlfqFg@mJBYrpFZWb=xWF@$X9myOj_LP;<=bIojEtu7#!2AU-Xu7t*i324t-rFkbLSIRnGYi2gCt2sN$ zbln-Ed>hk+IjT_BN1gC~%FUkkh2aBV(M{4yUv7IzAGQ6eInWz=RG>2N(ErECbHH@xzqbl7P+jGhR7#Ii4_35fJH&2i8skboj1w zx4+3$2iKe(&Y|BC&HXABEH2=306a^ed8vOXr*;2%9hJ`NnE-wSGW`7q!9X4y^dK3v zXv2lHV>GdRQ13EZl4AQTqvzK3NHoW8!t_@G7Utwkg7op~WN=z2Pz<5eeasd$DAhTR?(!^z9Qr3D#k92~+$Yz0y`vY9E%(RL_9R2-Yn{%*07^Dcm#X%xqcqMY`;oa1 zhO~PXRsHvK3$d-Bu=&^QQ>cz6a#@JIFrtAccRPA`oOSn*JreY&3-U7B?4&* zupy5Y%@JoO=yYGAmwXET2|HIMiK!`@;J0t-83sGs!nN5qv+7Zi12-60Ro54Z?y=vu za9(nfiIuyH^0Y-@IV95hj1`)VmHy6<>MCo$zOV8cDmb$G$oQeW(VT5tO2PK8JBI2r zkT5^fYhaHxUqhe{ln(!w6<5RsDjq@jFSRiMqO%$-;HmgXG5~kYr^U9CpcYdCOKd0- z+M|x6mNN+4?)f7lJP6_psD4!aJqGDS{O_USv)DzB$Lv0-nKPm!7^Ywf zlB;z?69B_oOZoh?GhLBQ$JX?7#Mt`|T$OJHu*2T`6ei2M#c{NK*AyQyw!7w+5^C!l z0)kltoC%#zO=sojTgPuKiVwO#3{vq958Evnglsx>kg4m*|6SWylVJqt;6iNxr)7L` z+CmLL3j?Sa6?9x`qeh8mBia(@!9m2RE=j#2vzy1YBr15%Of-%2Ljg z07S=O^Dk+waw3Pg$Ko*DT3J%F=*vtzP~epOm{tS(9+b%NQ&t0k8`L#~_bE19v!X!D z9!rGxoTVEe$Pd)$?)hDGJShdWFP!t|?t*V_Dl;O!D;LuHepO+l&;E6`|32bd#ME)J zXJuLHp`KE)S9|Av1Cn*B0c$@;L8n=xY>IAs5|QsH~$Ih z@VAToQ|6EL6XwjVbYQ|F7eT!XGkhqQ?eu;5skCY#j!!o=D`A$sGPF9+E1G`==qPD@ z)maY9R6gD7EGbRd(%u&_Wo=h!$gFDBn;$8^sZ#qpr_8amm8@15>_)Y1d~nF>Su?Z# zmrGZ&Zj1Kj;^!pd&J6sr(Yza}fcGOBrw;yG(ZzZQz|oPBqn)X8aFWat0_PT%&n6cu zf`H-xN&&r^g33BAUdw~zMj{CKYDB_LtkC0kd2{GTW$f!k4u(4$+T~iazdy&$A?)q~ zG3P?A%TDas!5IpL^wOH584%Kvh^s}@F#MH5E75|BLIHj>9h`@6*!Ps1&jdy+TwlW- zaFF?qxZfQjLSAs#xB)-W)29{OXi=<~c0>4igG#aUVjPG@D=M$@3V*RzPcRi$F>2-N z$zt%^>U6E$?T!UkmQ3#$+y8F)m8NGy1f}9w^i7em8bU`O9oVdC`Wo?}bt84ctE&2I;KU!RR>YCOV!Cf< zppL+=I0&`G@a+gGSzj!gT&e{w zcYWBwV}hr#N)1yU^vF-&^Y+J{^$eH18m~&Q5ib+VzOF80jk#VUFX-*uW_2V_MNN)~ z*e(hWd-v@5J*>)o;6F>b>n$NBFOgq~iaKHd2XnN8geJO-EHsoP@r35GXcP~1lS+!6 zK;oy04Ujn;qaJvFS(!^>d;d2$d?V$|_NaQ1Fwc^=6heCHgC7-2ee|Z+>-T##dN+Vq zuC&Eido17@F!92Mt6dh8K+nzaxHU^KO`OgVkgv;N%;KTrXkm*fnMH>z@7r#-C$vEI zH7YaZ>omZ<9;Hk)TFLq}V-VS>vCFYhPiB}|$2@Tg6vK{)=U+9^P!>mV0Oyg1_JjUW8Y^bI1I4)DV;P_{BbVzkd1F{ZU~>~ zv67-|nVu5$#E8i4Q%9MqGp)nojroP=T{bo%*w#!1FI=W|ws>Ks_%96)+x7IC#wb%$ z_vwwn8?c53T_0LT|EREcyx{7pwg2Y{zebnsL3ag$TA+-iIupv5B~*qDBsmYtMKIG4 z(*j6h$yt`e|t5w?tpk5MMAQRbT_QQ;=606H*UJVmm0XgA6%Y27*-{#sIC+0D%IQ z{#AiAYcF!S3^;vmUUyHqlhXqp2l?FZm^vl3qam27K|}VF;7#qedhH%;ft;I^D%l4}tdJ)hHVrvi~;`FKWw4%+u=oPF-6tY$xPU3FMF}>IV89E4T zWRR|CRijbF)Y}F9WntssQRKZ2LCv@{rI?b8?h`O?2rl7nCwv;4nVHtp$Xg`0ZA9UmIG5KM?(Oa68_b75>;8)3M*(l$>HeJ}_xUa=@Pqm4ABtRgz@!KY6sb(o8(0T;WlGwk@X2kyXO>UOmeLcl>)Ss6*;Y43yK=w5m8A~CY;0-=OJMWkd znNt3g*R$P3+r2^4n_> z4T~Scq^3*tu6txEXs@)Q$?Y9wl$f}MYiHAZy5)?FF-B{<^MiG0+=}xj55It#YiW-` zKb1phimB??Z@-E6pP1S;BksW-j>k=nPfQGC?F0T>Zk5FNX$h>v@=F3H!9cx+fuuYE z2waC_Qb>wGISC|x9tM414ea|R09CEuNO8NpyXcHVoG&BZy_urD&-@TbT>s>PNj>y` zwE&zSk;Gw-4Cv7k;;1>D!ZCS39H!Kh2FfiCPzMDLL*UXZVhW9aDnkQ1C;+Q%IPpi% z4{qg10H{o7i153BQG)d@961Ef++fsyf6$+aguyO)`cC*X%1%p(#JE&%-*WRO)n#Y>Jl*n2-HIFTwkX z?8-(aCVE8`b`W=MYRo3tT{vnNN=j`Yzq4;V&DG=c;t=L6c-!Q`J$wqr=8zMI#0TX@)B(FN?SL_ORZ)dpGMLiKk-83Ya|i(0~FVQnIPBk3qNu zg`WN?!KgTaEH*rF6gzDK$M!K$^J^!l(~>%G$}a5t19l?KP7q8l2~O(-pw^t3nusJJ z*0>9%sKyF~yMTQ*1jJOm7~KA`=UHBcXvU4d06Vpz-~J#5pSy+VxunJha5SGdw3i>= zdq}87@3J5l$VKK;e~Fj-`!-FhTaS+QxAn814*VOjOAW45jGwY8=A^%94)m2obsRK$ zh-!)K?yrp~$LV*)5mcKr}?+C;1g9Ep=6v{wd?#H{ySf{fZYSmSFP36eDoNC5V@`w4QC zt&JN@(6n$`U`|m05tCSPPENTw2q;d*^9;R(P*~_!V-8LVqv(epWHy$2+PpD!Ds5vV z<1^XXG7FWLKky^WTk>WK!2rO?;UU-zr{pg-oZCzno83>za24n-%Er`uU=fjKXijQfZuYpbRzGEJ1)7Nj1={wwpU22 z2<}q7m;&(}w4)2p@t&>H=;_iT?SYW1+wOcs`i@-GJ+DA@?x7b$4A}DYUg^kGJMMNi zT9gdR&~hxswbKaO>t~kL8DWcYSZo=h0#Rj}?-GL4z

Mj|wy+VdUs(JikAzo&Tqw zNJ!-62hj|m*s>&EG$Zd@t{5x2<1b;{s)1t(QQAfCIm9G$IAEt zHab8K`$4PiMc+$GpA&)?MNI~h9PhifYs{A?MF8Zg*AFvm;3U>05^$k(<0QCubYl=6 zhJCNLm(sB2) z8CeBj**IITdwJ7oJVhA6RwFss`j%NyHuk^(@xxgeLW1#Hj_LYZ#dOy`rj|&oae{FA6 zmCS!{`zkD-`Fx#Scz)KgEIh=fGd0$ekw7tjsb9MlpvUBv#B4{O&}@>dS##_;`9_^@Xg?f)h$p9j)v^JR@rR&Ot+@4 zE$9IqGxxISSiL|4T&Y*y(-7bg-X)v8DWDGm;GvM!=zJA1Q|AAA`SlGKj2qZNDJ~Ek;Du^;@DvdYPP(2#ypf zMB#5*%c9gams~-O2@qtl*=`4$8W5LsF4<9`AxqYuW+~x1tdM!$^fT}zyd)zD7gp_>>U4xHl2{RS#MD}Wetkldxx!Ydb%dKjZ5TDNu zhimGX878GOuyJGn?0upFt2K&cUVh4cx<;?E)2dnixew&58se|DSR?L*zFBgMnj=$1 zxE4ENqSkg^*KHggf_$`do10&gp3)dYTBLJ*A4rdklI=t3^@2`F#LFR+V0{7?dMdTpzKpvGZA6CK|-sa2R zD`qukNNI}>D)1N_Dfz)E2$&8IyrDrcGV1zNDFW>EQkzUGYw3>8q5)-11U~7E=4}ul z#T6>ia546N$aSrR$6UN|i7U=>u-safCw2;DuO?MkH(eqn!Goo>9_h|V#e~FGq3A4t ziQ-TMn4BmcgFe(BvL;=w9f@;2J^G#CkOH=I5@Lqag=%pyJ2Y>#_#YI|L;Cv~56y$ehPpzHg zZ(nqC(syNGAX~w+sFBgL{_@?D5fzZL4p#FCGa!C0hWnpu*pe=K_OB+ohru13G(lMD zswW9--2cSJzd6e)XgU z{~RQYmjSK zmr%a1Ne)=K=^QvTo~yo+-9ZHu!(Y(`nW)@q6Fz&h6d_BEjXJ!*7BH}TOigp_Cu;OU ze2id4s!D-~_xwIE_T~c`O=n-S*WU)UH$ByJd=edjuP!j$e(s0|MxC7aFXw{>W|_IR zeT&^UHnY-tuK3)~Y_(0%*=nT7Uk~X;;qvJ;s-l)(t`8$+cO<&oM_G&#j+x+veVD2` zb0jb4qUmdCYO3XKk9IY%E2Ao#A)fdUF^VFyFT3elQn%dlj6>QJsiMlUmCHE5~xNSLTOtP|LjB% zNHzmCQD~P|$O&S2{?(6g+Od5IC4qze!yeP-uER4>iX0qAU|gtE00nH`1lqLKKg>Im zH$OA1o?XAzAA46;mtQ@--ky_8|3Z8b2pnitQ~~l@d#q_2%^k{|f1JpZxtE7zUWbLS z>g8uPxQf!*D|TMnPP(+!7n;~W3u6-cj;tB9+A=Jpz+%4cK228rW(*EyiREJ8NnJWgazmX3eFC zTaYz9@1M1co zR!2z!{j@Yk3247xeGG*^;3tX5gXs7!4{f>{8o0Z?&7P1NU`+pd=FkzJAiMoBP)WFD zhZNb0WlCNhE0v9bEu4W6St>D1Lq9@*eTNu$#k~-Z=Q+#%92_V?3xrGn-52J*Hopz) zA-xnWF4ml~yLOPP^Q9l3LSN6SQlg?%{qi{ER_`&IItpOwI*stJR@0phQRLHYYzwGG z4kGMO#9kO_Ro_ofZ4QuU1jR&jKp`=Zhmwk$*{}s04-X!0tjsAWQvQaKBl3clRH1ub zT5n+J9i~!%%%K^Sqq2BxQ7_jyk!g&S>FOJr0@x#fl82=8uXU>o7qJd8#o*?Dy*~(0 z*JqjhQ{wP{Hwe+w=zyoczY!7e2RAP2p>3UgiAF@70haVokfJ9vk2f2m1+cDskJ=27 zfy^IbRCMf|oFlc4<3JuJO>Q+BP^d#F$Aj96H=Hgf|8`l;`E8;aJ}_N|@F*$5Cm82$ zAp}=A^%DlT!p@r(@81Ltzw&&Zi8Z}b2424S0t?*upkY=(!-AshS@%8A9Yh^l*AbEV zof(<9g72m2FT44)yiwfRVLr#65=-qvclEf7A^H!(^Vj#2NPOOEK~0GxB}CR^v0sEz zM1GopvOA)qQ7*m!$_x1zwX#%YRsJjjt;4H64a14^oo$T^k6|=VKf~RH+u%qyu9rrS zzd!P<``w?-fl}|rNWE+Aw;`nfuY2q#FSN=2z-UbzmGD&taE+7I{|$K83$7!%>3?3w zOYH~haX|KaD-^&Y{<6*oq$hfUxFGF-Aw;Yh(_IJ>I3NRB;$!1tYaE~TI5c03B9NLTN$HGrQbVv7%yPA{7oBp2(lX3}df`6+OS9qdzUqDnz!I&}`Dk-b=9W#?h|F;sBPVYj3= zs2n7#u-GFW@80pmAZ5RW4+dpO+1jctO^LMgo`{OrKw|fimF%5;8WA48{VDlWz(D7d zaZski(sEkR^e71`0yH0|r-R3!N~9~lonZz&vmP@4wdUAl1A)XO+Q^^>98@+EK6Zfs zkuyLZF@*Uq1u|!_6?16d@}pudU8I+*Dz@z3AWEA|}W+`fs;de3WL z)KQE8QMOKz_xrpLfA{bfrcG|)`p}FFsUO2nYToK}9UlumpKh*g?|3v2gzb<|N0pDOeo)er)y(!lh@nqMOABw_q66z;CpRVyy$hzi6crzC-A z8szLLw0)DjiZ%ofsoAZzEv4cRF2P-OZ;4M)_Y)ntOEqw@lV{4be?yciyOz@7U8wX* zajt5-{Ti9bNc=;HdJUD@3W*>rASQn%CmlUqApBIc(!7#6*Jxq;&4IL3vs?XvVx=r^ z5!;l!GkD-jy!Lo{rq0$D4|@3Z=;9F4?}bSH<)$=ZEqv@Sz2omAjs8kg^10tYSh}}Y zLt#qIRC~g6Rm2`=YWXR+8I1oQn*kcg@>2g{GrXY$WbppIK>MQt41JJRMD+G*V#B4q)qp^u`vVBv0yjw1qlxeb_&jF7=Rt^r z?2~%W%VI30^#sFu=3t+BmR-^s%*MaCCe45Q=uk;*6GUvA6$uJp#nWz{dC0c4_<4o^V(UqMhr% z_Hm6`E4d=cqJsc5W?8P1UMtkQHffX@G_}6G_v}O&@dxX}%fZd=U5fp|Jl7==ZWbzc4bf-$$9AeqP(w7SuR}T~SqO?q*NPR&J}KYshxr(bOg`Qr{HO z*hr$Y>=|?xlQui+88J+vKRZ9)2Nn;-c18-qmE6%aslf-g8;BUOp#*B*eBRf_2a3Q$ zy(&I22g4+fG48F$ks!sm&qx;&cq~%b)W+Og0B*zdQ$1HcgcDmKnj}U9#wP;=)wDGQ zu=VEW?%}RT(c9zdp92k+HiGD|fv6Vv1!35D{%+El4G*Pd<0#{J<;q(kwusy->PwS3*S8sKU|X)Dzh)2d0|gMF{((xBzX6N)bVS!w%_4;(xrlnq`>(Z^4TWn`|HsYnKS!OVSBe6v5`vsG zERmqP9puh^`GT#u!&Tw9uz^Q$-?2ftrB)P?RuT$h68ge|(5!cBRAnWlUFU3f6u8p9 ztx6h~?U~ONM2hb^8l{>VJ35e(hLFpLpyhoS;6Hr|)_^$N&w*6n!0XEgrRf)s>;s+Y z1#9$)wNC(M`f={$K$s<9!h$x53N@G$%LCoipg6B|E;wILanobM7X1_o9FL(*i z6-Ql6aI+8@e9CpZd%9TK*|7{l_oNG&+_vg?yW_0yc@^$-wHs~pY%(+SBp9C@Zt+Ag zkQp!UzY+pPYF~f-vSx8Hzy;X%i?tMp_1Rkod-p;*mICenr%0>6QmQL&xVr^4_IE;I z4^;r&-Pa`&u_n4~zEgX@{Em);lI#D#N&h^q&t`ub0fu6vw@w07L+e-*$P0Cq03QJ@ z3)sgb;vtPnb&=!)NJdm&9k^a8lYDwEgv0)*MyF!-MOJMy3^&P|N~pbkc5bfkV1(1X zsk)(~DV;ojas_uKh_rF)U{VM`r$Eeai+m4-PGA6s$r!9TjjLq`SwX9PV> zSSU3$3s?g{znmHk%9a~Y@(um%27T(DHT%4JdR@U$Z*mzBPzi{IC>^cc{ zfF^qxP)4QbYNRztK|jPeBt}cy%C#7QyVHOJobITm;Nu{NbrKu3g64hZ zQh`fZWEx|@fEg=o@dMakQKq4Gc9aFxcpsI{Uz|xJJ%>Uv-CwgR(tvdTaN&lnmT3fN zK{zBmrN!V*7ufM3cU9y4aGig0J|ayvfs=SsDgD@0_hm$BL|;{biNgSwaAqzKEepC* zK=pL5b;tb}SIJQn>v`~GL`}ZOmlX5^+&bo%(2sscuaZG|9P+iH#%g2`t7DvAGM}8&Zx#-~e$w43+ zXLcWlf&vfEs)+*r)iG%97Eyn(q!e2))A2`p?(ioDk3>!z9ZCD|DNQ?Ba-T!#UoExx zK2mA~!Y|usv&dYSBVV(PM2Att+Ai}NE>3Ke2Of6@vU(m06EG%3NN9fEb419}V=OTp zORatiXBuQ_39&2iT4oyc!WMY-s@GHwqe;R)r^_VXNIx;svi^xyIktN{HfQ@|hvLT~ zX^-yJZbm%?LR;8@$H&(JiNKG-m+Rx`Xc=#_foR5Yotn2bR>NjvnUvvxfqSHmd!$=P zpj{QB9kX407mvrh^r_RJZ3<ErC5ML$JiUn$?AGH}b6V!*4k^S7KTv2^z z)h6vy{)>##V*`EorlFHc91nR6MZWsA;u>NVyp-*?7BadRLEs&-?NtrqFP-ln`B(e( zMApbc2m-e&bil*u*VHM9lxhB`kfFifB0)%z(!yz;V$%`h&=8<$RHAITx30LnTy0n| zsn?OG{RvGP!%F&0kBr@qp(yZ*@Ar}FH6kVMNep8;mSuXhW%}^A&m23k!2a_V1LYRO zs$-8)hP+As~;X)%Ct7rYlbg+7nXg%03k z$6b@`vf}{WG*4opeJ!%cKxaz)2Eod2o)$_@a8c>M;7^^{NY^)tgQv?L!~ObcwHljj z`y|sig4?=s->wO0DU>(Kg5}i6cv&7IP{Pk#-+HjH97~t2bxVv1En?zFS}5lAJsFbo z67H61yBFPLPU~7a7g7B9C&y^nifVUbRsj!L98cbObo?@)1w3xMg-9G4k8C2^r6*E> z{$l#rRH>ylb+jdn9cWJo%tnKEJJ(hM>*_<~5YjkWVsx6PIN-1ZGUwFmxYR2r-G_g> zch9=_-Mcm#dbVA=O`Cg6>p=qu+q8k_|7rocOdGo#YP&6KWrKg(1@*lR17A~iEQm#i zTKUn&`IVZvl^TV^4VU><_x6=D`COtSFZ|<2VA{gNM#abd2f30 zF-&d!nm1=oUP2xb4VV!Gf{QI#O~E}sC4p{ryG#b&Sfu!GLzXn3C#XG(F2K~9~*0bi^vvv;Ocahr{r^IQYz!9)> z7f=w8S5qyz^~mbD^=+=#*xx*dgKyh)OG7dFx%s+<9+BULN05L=P|MxoNx1#?1F+7D zLajXm)gTVcv1(%n$mQTh$kg8nj-IPzmeK%GC=dhoNZ0(EvzTz3?)$)cR*SoH z(JlW{-(2a=vft0I+>zkOQX&zd+OH5I^`kEzlzeBO=W-Nk>wCW52g-ZLUXZOnk*vZyLZF^ z@0n%{My5uG`v*7r>O6L+*yzc0GUv#3#wtWvdGmQz5|BTxXu`IlC6=ZolXyh|x}+rN zDI}R!WCjmk!*@R{Z-&h52F>h#7+B*(e?{_(^WBrQi8tN464!^{Hf5`wQ+jhrjH(~` z=T=XiPkdB`$H@wWTgiT7z)wLovA3Y`vv+b_E~@toqjjd@8`EMw$};siy#B2kr(<0wKZ#b`=iu4S*;ATYVCTt zPsBE;yZStuT^=j-_hmv0rbc_xSdA2h4xU@{aF1mKc##9NCf9_6YC4qspLz2g#TPBW zofVRWF2)m}#ss|o?JNhN(!6b{Lta;ZVJ|jO*m#y$in>^sPAy!YLRl;H9ep}O^_3ihu)eFA}L+>u~V6XT?w z$bpt11~XYEvyJmy-<_gs6@ow(G+mr4gEnPg$L|guu6H$~42Vo)rZ+~`gi6`@e0*VD z*4z73p@aqCHGn>^S30xj{wBcgt|lQ;7#CTC)$#LfqT#Ry=%a1Yp5QzRG7O zSYTZeC&YwCzwQkC@)!2(KPFazern{EzCI~^$e=|iDwJE-0f`kI&J6CyAy4E89n!zD zXn$o(=plY+C{Q$%TeM3C)6EMIi@ae7+B{1wxkPjlU_VVN$c2UC2B}RMGgJF%@ewiy z_=EBM>?unnf}{gKu<)1d|Hs!`Kt;KC?ZX4o9STZ!r=&Cp(jhr?NlSMQf(l4CNJ>a| z=g=L}(hbtxG2hL3&b!|KdcSj?wG?#Lnw#MlJFb20Ya<$oB-$~6^rMO4z|3&Ste{QT z&O?pr(t+c&!5}+eRXyyUS6C(jyy}BXgL`Zf&@b3_FNOI;p?%PMsROhD1KJ++Y;LR4 zEA+mtxuZcRjj2?Pn|4TEpkIUjPP+0fTaVG%HkNZ`PR5a!fl&L!MZC$jg{Ijb4sEx> zjL!Uu{h@VZE8iALpwPpDg#OWdPb|{0WFuqT1|b>K+>$^udV7aN7Fe?UNc-S4bj$lP z5@5K2om3Qv2JW|Vc>=agNBG~@mn&jS2IR&JH;*PJj^~d&tr8AW@K<*1b3o0(=gf)C zWoq+4(4(TNfiH>jkB%b$;g7wVi49QO#i8V%@I*4OAMxNa%4qKFP}GGE&u#|F&~G15 zZhdLn|GcHyC`*8h;nYha^m`QCvNLLc%=sDJMdI`E{5=g~AbfkUMU=LHC@Th#cRb{P z3B-eiE1w%Op^RluS5oz+pnHj;ka1%mLt5a1eMs62^ozacS=H{mQCvmJR0(L`)i9QR zB!iS`exzzf)*ss)ai}JrJ0_Z5Vorm;;2~}9K~NnntSYvdYI|F+HS_mvc-KL0%7df1 zDwm43xt*G=P#79qiaEQO$o&RS)Y|RuJ|_6!SD)X5`kclGWd`WVElkJ9TI%bvl=K<}^Mh$&coh!XkB%WI;|t;UgHEc4P8S(T zit&Z8*Q|&};(bP=DH>9s()yg;cmrK{zj|i<{XxRYH{!R;ldO7wbo=4jC>-X~fGZ~+ zyUJWBok~TAF`kyYg+*T}NV|cZe@Xh5WZtC6uo??D(q$Z~%QEGqtF9#07mKgcbPlHI zZ@rFTPNqur-`m^!l%68{h`adOBL1>PTYfJgqXuY=04qM!fet=|Q)?^fbauX3DrK`R z^y@_a+frc#?CQ^qT|*(jl&ytt|Kt)DveG~w>EQ%l_y>3ZF2Sr)PY;+Ih%inI#~|Bg zIrZJ&6_0~Nl7&c;Mz0VB0}&2>njmS|1$*zX%Q1381?lY=9uTu_@$1G7{*#vjwDZ0 zt{KZRxN;RNe)FHU&J6QBh?-#*I<8w{3pcn@p*I@r zY`u?RCfhC!w1vr@M*d0I&V3lh`SW;P4b7IO`L(Qw`xT3hXVW!AWNz=lxv|^BC}3ji z%+-1@J7^*tks?Dbt_U>I&;L4=22QQt zQX8Jmbezb?i6^sJWLc5N2vi{h8Y?Fsa{!Gwl%tM2n?#H4@bIm%lcB~JJ<_bcWE_O5 ztK#{;VvBHjZBY8St`^b*A5})^UwO}r@`_(t1vG$vdrN?SyAF>I|Lf=y%VqJWxCutc z@8jSkZdZf$83hlQssxQZj4Jr3QAWcPt$8o5G&9riwp>;3QRKVfnL9KZVtaDW1H5TZ zyQtb0THd6+mAyS14{3*hU=`$&w_TXC8J9r@gXOVn7!nY|)=|lTVnF-!|C4b2l{vhs`y&aejR8Kn4J$~QGB}S9 zzI>8QEx~+T$6xlifTps5W?YXXc`_V9f%eJ$o1rp3ESCqW+!piA^0-%gvJ#O}0}JnCE53hxJ5L~|<(S>$&QbUY0?~w`r8l?pXu2;Ud4}i)~e3iEC=fYYY*LWmj-M{CG1Zik(nt0`ea2|1k>ZomcjWko^ zdhx(o%TKxYGpL3nO=49`Ae1I`coc*hsS>v5uzjoJp=>UR-ZUsj)4rtz7CYOR#tii( zrbdWp!GVRs?GT;@Fx3-vaG(a(^$|_F@_x{41R)rn6KA7ozlQL9q*E(j^?+Ce+>7+{W3uyi@+v`AZa7H!cfh3r&ppSWp5h%c(x5in_Vtamnd)ioH8#Ny+JkAK&A9g}jP_~}a zgymL_U(TO}IP~VMTO`FscMe zHBh4=tL&>B9N3zc3Aey&RGmsE0b<4W)rBcSLBNq3HqJK%d0h#>GhDwN%_=O1*Circ;c45??q2mvc4)t%+B=3cUmVeIO{`{t(#;R=GZkBQLeu2WM zo3f3FEP_Sj+v%KnQ-|2dV7G)#v^W5=svxqA=gbHz zvhkoeTBBUa!CWB0k5;6OmZhb^1yjOJ^uJUMVZbP5_<3>i8ha+&Ll?j28>L?1u?-es zD8-A&gw?g^nCnoDeyD=LCk43#2wxwthO%sd`pN|8nq=q%tu(Of+Ee@I2o%ij8kGpl z@W()FAxokd_e;rNduqZNIs)-V_+M9*>ak2Q#R%x(H+&mvP4Y6PeFCr3xd?F8%r9%T z_=E)GYD-cC_wJhYSWwDcz#39vT)N!u6@_?~|?_L2vc%AGDyMWe*e3H9m3?sS0pcfEy{) z3+6cGti|Vca#knWwkPU^-uR3QWQBKLRQ3pxFPh)nei+2|gNyBk1N|1|09wf(iJSt! zSF_}z8SU*LhkC&HC*yXJ?%QJUwcr+kc&?Wxg3Gjb%y)a!D=BF&* z4q@d7t12zXrU>MmOyl&bR1V&Jf^W({S)F87on+?&hRyU#bF4Kpzbd?Th-J3JP1cG@ z^w$L$D9U(<5C~y3u>F)W=0IWO6hBG zc_CzM7_S(mO%87i<+Fm^g%Hz@Bv!!*G5THn3xCRpVSzSpEizQu6Gfm7O;f~e*+F7Ck^P;x0+$!`#t5yXIffXeVdZ^`@>f!E+#~> zY~k!an`}y-A`AF#9c-=`=od^g-@*?8oh8=?3&9$R6 zV%X}84Z9AX;i#+Eyl4QPcsf$VVp1=mbfl z@39+tG-SPDoFUrOL9?9*=2&OGcH3O>E3 z!G+$qkA-UfSfhVu+kpe)?PD<-ClFtR<%-maS1X%b2x5m0@Mb0wZu_Ri0??A~(#cY~ zq;rCPU<=ps_N5pX6fIiW{b9~d>LN>DU|N9$>#;sX-Z?3KQVjS7(L%;K`zg~5brdly zh|~+!HlK;(d_KL#qZ%^y9JazGuW7iUqE{y`+q5Y&CM^?o#GN;F@O`%q>xlw=V3_8; zI_b=4R(rHR7$A7Opoam2EBuOxn?N)nm)&Jc-8)veNU@}_JwrbXP*S>Kk1n(|lHKp3 zslKtXXDfnC^!j8TMDyzUOW8vAz%5qmLraFH@8RPo)a9GU(c_adZ6QxLwf3vsMLvfs zWM~`T<4w@@U70VTw--KWg&um3`FK;4v9b- zTki`(oTL#2FeimGgz+sN*Siqq%h>Cw%1Jct!5aF`ZuukKLWT{R*JiUx43JWm$BkX6 ztrptZ&-3v6A{_sz(@1;W2LOQuvST?kvF`|K=Ag{y(h^7_iMl6fbtd9s6pTil)Dqi- zC;gw)$D#+O>$a=_UPT!gCn{L-x%ZKJ!tgFsvk#x)>hkvPaGecqlQ;7+*uQ8nw03*> z9iU+Q)x`MR?`@aEtMi80Z6{MdbJRTPhEjvN)g8NxjMs@wW@&-Khv^%hL!&IzBq$U~ z&9jgM`MnXpNps)XIVLgdXL3M*}tx08ph$S>cMm6n!*fWTpOA`t|t?&FzN`sC<`vJOnSf(nuk0)3D|`c4Ik#>x-vz zW9m@=EwgXXSHPwKapT65t5B5fd|iwtmaH!HH6TjkoXdJ%&w8I~t9XA9Y9j7m6MFHZ z(M+8l1&Q-_S*i!QG!taTg5GoGwsFt-w0pMyx4m?hu$;okf!#sp(WT49ce^u9xnf)U z{q~O>fi_Oh-qG7&Ymzl3=3_F5<8+Db|)N z?#Ttb){8Xq_5(~1$lz|3{Uj7{=tK8thpms!KKDKZAO|0xfKkYepvUos8gNurLJeDV z4b+aOn(W2gE!iL=qJHZ<4h0xbN8uNXeFDty>LR1lvbOHI|IEyc$2#HB+SBn_f?lC! zozPH?Av_++FZUF=FSkAYeX(9b)Z*^A<9!-P-T6*WU;mSq$DImyq#xqS#RU(* zaRcNLXVpOj5upI)qnGdjoj?|(DJvG*6~_6+u!QzxY&zT@y@!8@NG*xy=fIl%bf0lg zQkNjJV{;Xi#@Pv@>>&@GLFp|3b95PA=s+$`l}E}{A7yX&Vj#oa87#2sOTFb&Wm&lT zwMK1Zqli^;FWbl}NW*Y=;!k8wJW*?Jp~L3{T8y`rDKl-dKoSDmpQz-D%ln zs_Z)K+cFiZm|IpYqNQ!~*%EcL`;n>7rfyl{%-}PB&tan0vxkh;JJFaqGqRV(*CTtP zy`nx3JRmXdgf2oL_ycy_$lMQ6ncn<()83aH*ix|0VvmjJz1d9#AH)^=sQC&70Ic}j z&q4ksCm0#9Q+Ee9w}_0^8!~f3O^^(Jnc>a!9*XqZ@88p_-oV>5MwYKHv5hPFK{7VT zJ!>RnLO0LLmL6~;B9)J?4DZ;S0#M!$QO6IgD!V%O4mb&@h7` zk|xF$3upl$WXL9T8%m#!svqlsLZKMe7duRn0>n-iP4?5$-=r@@qgj=+K!dv#s_sU`{8N1I7Zk zZ?v>lA_gvjFRnCgWi#TL;7V3+k0_N-*#xD8#?UrDZg;(sd9)-xH#9hbqJpSvoJS!75nm)qt=n{D1vu^`}&LX8=!%sm2KZnlA19{7r_>0BUWwo8K$?>xdU^{)E!S3gj z%c~p1GoTM}evg;Ppd5ls!^f?wANsQ$WuhKoGjii)4n6@uyzmKjJ^Yr1#dc-e-q*jW z3`UZesP&69>7)j73zslmds1{ozU~dXqyrU59G4g__YT~$8NkMLfuM&Dj$h&zk^caK zjm=>N0Kh+e9j))qL|B=cdJz^OqXx&YrM!n=^cK~!CE8#4YQn=^_zSHKn)6R}ZP38b zOVw)!t`K*vScfk$W$Ad&0Z`iZ!cgg?2G*kw8hG~BGcDuJy97Dl z@pCY18H&3?S1)plvP31@Q^Aq93NyqK0r?JzzZeUkNCG5-&pv*V@ZwS;T=DURiAR2MNq{L5`IvsqoPZ(7IG1hs7pupkH_<7BwrGyql0=V7l&In;=qpIlDIX>Aes%D zE3^G$eXxk&)#K`FsMq?#Q3kyy86cA@3~gN;CXdHB<*#aKK%V$faClV0R8deFNr7Tg z?=nwhSo(a~g-;~Gy|LCt^n+&%gqe*9Hsi|%*Z`{M5ysBC%jYKmn5HnwN}aH>OO~Py z7H3Ikfn5PnqR^7j4GcLTx^O$CSm}3~fx;;J`o?+nZbf%4rlbk#lW!SfEnRDmRpxA} z{}zkC<0!=3vhuw&JxwKr=T_yU6P(4H(elD-_cIiWRuo zAcpibV@IoJks|3`zz-}fD~s+w{Z;%iE9D>2T$3pHUmIamo!cpBZ7#fqlpy<@+2#g` zd~JK0l`zI|LS(*EMICYu>V8pEBJz(;9`=EO^h1=1O4Ac!ms6s7nzxQPl}|;wXi2nC z4GjqGQ}KOxmf*Ck0*E^y0L*UM9pC$1ci^bq?`(UjRBPr4Kx|ONI8(yOT6O-13-B&o zd7Wld>p>Wx0=|eWNYD7rFb2>4oygXaTDhKKOvHi&(TEFRdz7-V51f|8@;ITa&HngZ z9#f*lJL8UndhVvT4pz zb4Q!m|0;fZMM%Jw0`$Zr`KFnvNMl4TA}q5SSn}N9j~YskDy?y1K$4<(pM#mTnc=3X z3GWvbJv<))WwayvpDS4MYswpHDD>94e!K~gVO8jej%c^H$Mc`6 z{_gYgVi}i{WT1rmS>UYngB>=O>(_Kc@;@dq?){W&6$Wk8`r9+lE2=>dV2-r=m+>Tz zA77|r0+-m^o)<#=s%or=OW38Jic9I@Wud|rFHThG^#w1SpCM~mlUkw5pXQ$mO%`tc z;g?v4eP33}crtHw`~U$tYUJ1zVyM0R1^P2f<=`KWoCG7BhmX^=3W#VwT0pzjXtjto zvql1bIv5a1Q`P;Yj7_6W|DF|Yp0e&D74RH6Cu6)p?lWq~l0G}9^s!mvArzMC;4HqpBWYQ5RO}j@#1RZo4~%v*S!D!p zJ0}OF_JNQvldmJ6&&10Kh|rP|GUN(dednULCuAh43b%g{g#1~7HZcm#t(ng9mWE!c--j@0CPlITI*CZL63#dWDOC-(ZaMJ*HVd1}wj?lgc-^OE z{1+w&fgDO(wghf3y#@c9`1}|CM7pK#K;}*2>fc&XTWAQk6?V2xM|D_X1T3?3r|eqvkJg*yq3|lLeHleB zjWE4HyeLC2Vgu4@>325n*x#H1HDO1Ha+`6tKb3mpS;Z+^yE+w8(=1X|d)Q)$FThmd z5H4t!_2VuC1&WwWw-Y0#@@}^+pYc|ss}@d;{>-~Gjq6G6=zNpCJ1;4_v0gIGM$r{= z+|%oQ8uBMq9K8*A2trG1>vCQS>azKP*aIrAu09FZcSWUJxdRuAlJW1NDR#K&V0ZUB z{3kqT;sBGf1njg0fZ~PIYXbTA@@BNjgj;q@GtI1XMas#!&V4ba)%F{E$V4z~i+kmN zqc$u&9YZHC0|I|wN&CptG*R1X@qVeY!yg^V1dI?DBtXKWimt19cX*U9Re#NmU)T!U zFqFOdEpxBk7!7G)I+>AqtY82U>u=0_3m@oxCcA^>YXi0>_(@8(&NX!#;r^RXc@*2oxyyp#(0W1RC5b0lHAD zVj!T26RU`{-|{(GP}99$S=E~Ftw*cfRe5UQqKWitf-f_hY!JT4&MzNW(1NDk`;{qW zKr0&6{1mgVP&HeXxzWl7Cr)opWWX2gcN7fEiu3LI<%>q)E|4&9>{OR z7YL9TLAK`1=6N-)d)=23Ro`07g~nw|!~lFncWDXWaoP^t%kDf>yX|mVsNd}217sXW zi(m0BrzgVW?Jw0H_c0?~B7E#{%E#IYixlZ%BF+bthZZ3CAo&SHHK-| z%>B?W-`sMYTGIwZX%RE=0{zVrx!da}SExJy?-Y}L15)f47dyyQZMAWp(tc=G*vT?1 zaP!g$3f@M-RX)Eckq$$qBdG?Xt;JpD)2?(4 z@?oG+2gN~WT6O!*S3BgDDotE+yIjs9bZVY0)?}0{T!4UB;ea9^YJ-DRO}AfO*I5}m z%<~PXFZSSyQv3XOt5rRas{e9FCHRbvLICs+07=8jO2y)@#4VmO2b1%ut!pSvja&fc`?Om z3|raEn!7WEGR!XJ>B3zPQLF?`FF*ZB_?L0LFNv8!U`k&)iAmB5;xm8o0-|Y zE1|kI%lkLh89^Z_XWT$%FEK0@lwcqd^!5>$9EUADrspQ+N;TS^d62G!6 zE%vQUbYe(~u)e2+6CQJU@cKkLu5#U9BEsBls0}g)g58>Pd?GY4+D&r#C)dN)ld+2o zIax0LVzg;-+R)C%zswr%E=KT~gFxv~jp=)U3j|!<+G%$U@)dUp z77}=^0dFu6)884_L3QVZXwD_jIt`Mvjs5la8<7@L?f>EcsZ!5`;?9%Z#+Ucj zfIW;#gy-9@JH({7~F02K>ut#BnD^>uT=aco{KxMhM3VdUvCq`w!9}Nn zRhHS<&mm|og-fgN#(Li;L$TKc-4zTa^6!9B)O$tx*z)*3{Ki}V>PS|w^Y6tuX+Q_v zYspxpOI)R^x#sNKic3a`mqiIxI`E;i5x^1$qRL#*Z-Eb;Khk4?`}r;etm9wjGSTJM zO;j|2(7E@PF?%ybC!I$;e0!dK^2SVr`ujEx5@;ta^Z5hVX_NAN31 zi0Sz}THBm;o42l2b5r_PQMZZ1DpdqJwd9lxBzxbD|B#+#Ikh}g^j?ooc+OEO?&fEQE*r) z9W3`Q+W}0v=^Ho=PZMlSwwvSoWiOM*>EOdYbqW3zxss{18)<=L@x73}6ncp=R_@hN z&cNKHc}G3zV&4!@C7iW7_%$L8cKry+Wy7QH z0ERct$}v61g;Ryny$00>wWQ=pjAG0bybm#`8(+(jD73~-&$`_#DQxt3s5Z#=iTnd7 z6r1;Nf6vhiu6kOn_`Q6&aA^tLKa-Z>&nlk!TtVs&7JTz<-KH|#rZ`mvpGuhD;?#Xo zx>}suZ8i(?4@tINNEu&U?G5D@9++C}D&KEx;LMyFCa`LS+|;e@DuLLB*swn?N&v3& zJ$(xPEuP(C`9{Or%Bv-ukHvp#)HS;Mhz^~uy^F!b_N`H#%wq9$Cv zYp{p$^SwF8A+Qun(;neg4t(KK)9K;)c&QM@~REpan_Htvvu z^;aFU8O-DlS-D*#&zW<@*8w&Op{}^pbT%^q!smy;7ydOH2ynz?7m&a-4x9LSIINwz zF21G68myh=hYBUJoVC&;2MSQx1ZLpUXP4L+ye|H6*?HF1?yloNUpVr^ji^<`t_i-o z=@>Nui12Uwme!?d(DZ%mjylla<2j`8{sQO-_&k)aE>rW??%~Z$)`f*=i4>|?<_UzS zr03sl8V?dJ$n(c9O%U6g&p+`T#^_dBSjor_ju}v91wO##*PLB+*!io=iE3_=+rXET zI&0!O^8^Owsxl`d-<7aGrpP{anu^ zqhdR=VjGG6UhZf{=H8VGmOx@6eQKYIXhbcb&+ik5TtBF^j(0745q{zIny&U5coy9a`zVQN?%J8ZZNGox3ka!SA-q zjg`SX)`;I%=QH@sc77iG7_P*#;TQ(zpuvZixJsR3po#&UWs-#~&7?HFK&-4q?slYg zfk%2cnRdy4Vu+4#GQffPMfL#qF5jk%1wa>}K_krlqRBdNVA}2da4Y6pYbz?iJTQj( z1f}M7>tOfj@~-H*$+5i2t!11bzzuc7^@94l+TcyZ5|M;zPtg-Fg?#B;F&RK@cn6r* z?xlI_N~Uzk!FQc(e<8SR^}Q*%>r|Sv`Y?aV#+x&rQZGt7vK22bgfZs9k)9IfDR746 z2$M+%g~=ebn;vDw{;u6Yi`>1eS!;H)qNongeuBnx|8e+!S4Bq^$aKmFC}tMbQj}(@ zGz67R9K!alGY}{c@&BnUgFlD}US$u5!wiqZk-?~4l^sSTD`v~3J)>}VLGd6E4T-tl z(|e2t6>kH?^P8j*-q!1~mNWa=0>2SCN^JiOD+LbH?_TN8RRR=V!-))IUT{%=%A`8l zlMnvQi&(LfP^h5OpXc`~UTV**8f%B|TC(iXUa9Bka=NBlBkMMpqEV_f@F8;z>vA%< zMEP8XJ}uCcb^6xkvnp$ZMQuwxtRIg|k!Ag)Q~AfTU~!R1o$g1DKjDSsDS%&{T;VMa ztlN(%Y&CqDOZ*8S{{hv#(t?n!|N8s(QXsBaon+;LQaQJef#X^oB2Cl3PLshrAp_F< zCZ_ed*C`0TOiKVCvfB@xrvjyDkUPxoeo6;ugHOmu+9X+zsL8<#L2l*?^YNdR+fYq6%a_4r?4iS9PBI-kzx&W={GcZTyMd=|Nhu z_pbD?{M)iBII*u~_8Gi3@pKG?#Z!TwF(Yqpm}`Vnd68Y3kPDT$`*QGrR7DRR8U7hW z+0)6-ja{Ynj(ck3aN?5>vfVkI^#|ONiUL?uEN*2%qh_W$qD+3jYJtXP=R?XeP2!94 zgZMcIw%?NVCU{<7b5@EqKKD4rM*dX4xT_v4T=ttkR?^LpZJC4e;l&UHzWV+}gJq<| z2pBoSZa7rrr$B`Q*s^R*QJMOFIG|Y~Co^VWe-*9#Ke z14~Y+Z}=>$u?ijrP1F26x^Hdfmu`=y^9772*&lV^zganHT=;cR@gDId`j@t;Y9n=` zpefE@SF!Vu()!bSKKmlwCV56CdPZ(HtCm)4` z99Fu?_9e}GW)Sj8x53k?ql+Pmei@tk8wR8FNuIM*A4-G0l!V zQ229!G9eJcYGioy<-Q4?om3I!dKHRwFI?A5g#}MVRxFM58g2~L3K*43OYt3VC3xXp zIK}h|%X}JvVrH$*D2GW*0+FexX8yr%YQS-tX|280|IMJHt6}y<_J-Tft1E$Jdhg+a z_ccF&;H@*Zw~#p!2xR-)HK&44WM0m7^Grp`0|9L3N^NzMPflzEY_arVCb$G?JlKes z=&xXvMk&;SpEbQ8?cJLv;%mFqO*Pj4w$KEb96u$Q?`c8H%Uie#)iIE?(6$#AWmL+Z zCwZUmiGkcZ|3JFpm!J62o1$vXsA zNnZMu$1ME*u*UgnJY9}(DN~7y?GxN|uif^8dD8yrt~UL^N8xE@lCV{ytQHtRehV{7p0lazS{4?W#IYsNMXF z>Tp=wZSw?7ztRZ+;R-_?Cgu48aM7!HD?!a*jine|Bu=1|urWQ7Hiw>Stto)_!kUk*AI4BThKm9myxx>E@R_Q0n8 z>u>f24?cwwc(4C=rYOjuHlpWIT=Kg@Is#_Z*0CzRh@vD^72xzYo z&rpt+4F=rC0t&jAvfgJ}7KtOm@--Zs(<*8ZsU~uSRO|h+wI)Wtf^Lqlri~Wl4kh_H zhL>q)@4c)*1kNsnvgMM^7%x|ny1k(t?YydD1gDethFPWr(%Y zycS@7zuJ|Qq{0)Yd$Ul3(xP?tY^rWZhz|d`w!t!MLh@){ufT)1?^)( z$^f71XYzh%50D$9)dC$kG)&XFYE?`olTpkSnk3`3f&`vV?(DR?LxrB&$*S~6zG}?h zL2dL8-+v7>LZ57m$$u<8Xmc@=5Px|X&I#D2z;_44ZE<3D$+jOSUN@1tbk0}; z*v-~|JLvC8fog&aZ_q^c5^W~lT7=mR9}~R8EUlt|2p`Zdhwu`f@8QvGXm#wGt+-s> zn(N94W=@>Gar2{2BsA#%gusQo4QebXD{B=Ih5Tx>tD$Y%w2lrhRqXF3RdFgE=2BTR z-u4oh{I16He9&ur-Tq>p2HHJuH+cu3 zFJ=_IcQBThFW=vJfo%WRMIa9(@CUeKOaPw$3Bem)MfQa6_33DGuW1Xn;e*BDLp}y#5nLQNLG~TAY^b-&ZXPyiHp(Gb}OXOd}T|`HW1OV;^iFtc7oTIvvb?HY@cs-4upL8&EJdc?sEGbScq8Y}9xzEbfYJBT^7isVD zlopchM1mi3fN@|O&w;-mz5@Z`6Yc!DB1v>4%5|ys+0D6Y3I-9 zlo^H6YwkCTQLNiniqKoKmIH{?~(WVT6`6^p>dQ zNC3*3iqw^~05k?X^zE+o(hF_EC$dv_8*mqKOL2GtaYWa}zC&9MSP2it8@6VRA@hCs zc{YO6K&pTB-!^}YAHXluzO}Jp6T>^aT(f@;uo1dd0B&OV;W;rskl9CG#H6CqRwj`- zq5o1B;yp)ea}aA_5~f{ldWA@dp4j3_Jg9U+mopuZULWiW4Ysw1^rF>lX59P=Q>d&l zBB-*W$%>Ak`;3kByEckKQ|~5W+q9w5wtwlK@0E)2K}yiw8=rdbiEl-hC%s-)P9j5$ zQ1jKHpZLldRt~UPCK0`(L-Uw`sP3&@Ec3i-QfSY*%iB8d%z=}zKUf)q;mM4w=ibOb z8kLlx-?LPU#XN`EoRsudK>R>Y8dV#_ZEdVP*|}}!{$)}^7SzgdUYF+Pw9+)7#7U_DE=PDzy8)EQXNWm<~aFxRj z0D*vFs)K!dM9X654C5~o(SXI~=R>;K51v14DcR#XfDbnT;QBKPa%uN}6dzfs8$Q*oCVGTR9EJJK{`sh5Pc@<5$ zoeSr9CO=eq@1RkuU;VN%#)JWnF`6++oKrB=9dWiN9X>VM*GF=RYiI zl%ORI!cx1hV1t=ke}=2Mdr21h^ZB9Z)JnUOS3dsp3Kf(BkB|8oJLLj#-u9us`ODqg zmlUJeN6W>r%TE=SPG76VO1Cu$MnL$gn2s1eciN9F1s}*UjpGep6CD(hrV_mXcm3f4 z7Hlkl^o*I0Pk*vDxx}_^Hq5w=BW1~D^^tzi{Sv|wiNnI5p0Z4yMbaD4M9 zXD{IaH(>n+64I#;-AlEl7ZnOkaEpiHy6?etC24FV``B0SUS+*Gtw>R(U3KHHsAvpN zmc^{)yTn1~fl_YMWOSYnN==>73s}^cESKq9#O0gob@fx|v~M9aepLg);4AFE8tngG z7`A~t*Z)U$<9UfG4t&(03mecYD1>e5aD5;e#QF%RaKxkg&Qp(n*!mhYtY^0GSY2WuukEhS_4S|E-FHMUhF3H zq<}`xjWED~TtWoWAmD%_k#tBw-)KC-w3e-nPbTaEN2%s}&&3TUSKh+`4Dnh;=}pcR z$62E8@#1_iWhbo>wi(jxV^!|-B)TSCdJ^|5@GQK7fkpZ3cL+f?B9_fw3a3}R=*|Zc zpd!)L*;3XZcRu=_EwIIwl+KW4<)%v8a!both=Ym@b)9B;7L)YJK`i@Ap1;e*N#c;X zgL3Bk8L)Jib|9?GdsK_YN@9|jdhqvjmxvfn$r zjSKG%@b_qJ`H-)7XOq;R@#LAoq;Cy%E8i1K2IQLoE7ci}KqmTKlKbW7C|P578z>8F zWy98;_Q4!~4aQ#S&AXBrA5`2FOuEAa`O%{dUkes0vRwqreR#Z`-6M0!T+E!<>WCGN{EyB; z!G&dx*<<0fb#U59DUDI>G>^YO0S&%^PaxUfp&kO^=7hlisy&c@8_6Pv%Rh5v1Mvx` z$v3=@^UbD$p}2XJcIZ#NVjH{Y(uGO}1nT4|e>`5gu#xp#A3tMab_Zku_Uv$tOFdu6 zbB%}acRaSK)M*16B3(6v{!V7U0v}elG-bv6Ix_h%ADn|0zec|l-jaj2pQZvV47ToG z(^Hr-xP8X|TeJ%p@O;qqL9l@T9D*)+8DR_4C+Sd5& z_GhA7xo))|mm@mm6aETd0msmXJ9m59hKa{+ben+CQ!CQ{2Lh1V=EQ)@uZ^O^9YVu53*v*y(xlavS(h z>We4pe^IEjp1#3~oZq50F7WDyiDaZB-L+_|TRB`}c0<1Q;@`QCcFYUt>maHV-{OAQ-!No$eM%%Zy{q5fd&-FMGI#@7EbA?;iiX-i4;qY=+36Vo3^xX9=WX3V zx*@*0Z}46}39OnMzwn+H0A^?!?`~2h5X`K&HoUNUk-mxNFiR5rMFPl&JRFYRnE&Md zz4W^qU@#%b+w=_pG$vC!b5uZ$7kfSp>_T_Ob&TcRF3yN}umVbEl5D32 z?i=2BWu>*8d|;nRvEEj|kpsj6o)kZR1J~pKh5(JB1_&$o!l+^~5J@g;vg`yAE^C!|Qc6;Ii4LrXrHOn~+Z|}O3X&%|wSI%x7 zVUNAnv!hGxLF6J|XZCvk8Vfx_v4H^Wp;#H85%2_H%$vuJ6P9#pMrfnD3+`W(QXITKa^!L&NFoDc!j-Z+lus|H5Rbf%1WdkQ$yzSlDzrl;| zc;o#C4<)IHc8Xdo*ujbfKra3y{6mQEym`3+h>=%K=m54aVH7IywG+^-v1?Mhuys!< zu(c_^#C(?>!A`k|P=A;(9p?+4_>`s1d}fwceJ~{wIi1B=f_!(LS#`vYv3f6qWBuQ@ zDAEpb1z9kyUlbBB%$r67L!lk}o%`vOKKGMT(KePEyiVBkSBNNk`pW4VNygm*q%%#h zY-J=(D|4z8=s+V$+_vBsWnLSF-P@ncjy@8S5Jot< z`Q6pQFkt7qSMT`+B!ITWiz(XH>u!4u;cehy$I_5AOzb)6auELJXNv+o-iay#NA z3mdNNAKiZm$QqFEr+;H@lz43WH3Nz}p_L>-_;W3rsWi7=T0b|~_0HzxqO(|| z>$7;*clpAelb+lM!6oCS5uK0b#QO=4OveJNfHmYQc)$N}=0gO;U+i>SK;u)sQ*#3= z;Bypw8#&^Zr35eC&wtM@baw2&PT<)C?x8LCQ_}VXc)WOB#X?1RdtSy?YR)-Oo%16K zgBs@ovjiO?WoNssdxu>GCC{2hdw8i~Ic8m?Te`(OT<}E9c-S{w?ZhS%FB9x)@mBt82cI@;>3-AR!OQF0-X62hD*EzY3w|*J z`P!f8d_6aFxc0PV7LZFm{()^kMe|GYj#Tr_&+~N1DLstdz)v6)c!8hPPC;=Ry=`3r zZcu)Y7VcVf5dPRoHovr?sIIEki+gaea>U$`R2Ult;2*H=lKKJInV7%-?8#OAd|S2Kz+dbJ zNX1ZoP%Td`2}aPVTU=TmGqv&6n%cdee^+w9m$&Qj>qCs==X<|>+dZJ7j|)^G-Zqs3 zT#mN@el|49W@>6n+z=+fM|tt^U_FRVdv(n{I-T>cJNr72`W;oA5uqoZ*}#Gyg{VSEY}h*^UhvA5#~`HWxj$@2^nvGb z%l^^uukC@rC;?@J01{kvYVRL{*MswHH=9g-NQCLE5Y82sTXwg+eH8!zZ-GnTQ?J& zhnpXq#o9~eQlaXIp81<-rMZz1q$zIt8xkQUKCUU+PaiDs#YW|9i03+XH@}Cyo0pp~ zjV8C07yE8W^__BA{p5X$srA90*KFeT|Hs%@M^(Xn+aB;B-6`E54bolGEhXI`9TL(= zH;QzNw6t_L2ndo=0@Bjm@b>wB@BZ_~{qB8Z91M_i@a(g?&f1e5(w)e<2NkLc7k3(o#iyFsfga&tlJfZK z=;-G_g!Jd&>?dD{s{i|%=8bv%xeynw_>!mMYT;zjaYyz~{Pw3gjhFH*Tj(uOyR>6H zTNlZpN(GR+HL(Xfa5KbeL%^--F)YJH4E*7NKY}_oR8Ae7s$wI{7Vzfv;TmM;P<@bF zd69GN23y=c4?^Iy2f^}iA5XRJdUe)^=D*wU01dbs2rx8aIQo0?8PMfAIDsJb0+_;r z+9~#U+R?Y*)DiC);D_1qa4zC|no*gAurj@Y@Iw`qFHth`X8-qB^ldOmYm`DFS=fG_ zn*P<}h{W79i@aee6ezVVeZS8H$iq?DGPvyc!SJW;8@k)*(3{c}e4WDq(^thU%f=4T z+Y0r(9@xlF5$m1y4!2Et(TXORd+4f~xqtm_HAwFPz%(LEa{Q2tvcNfXl^^TKJMXn_ zsD~*&F2z{q8wdYIs}JTM2F|`%S(LTw=BY=^T=&-rB$Yj)dDD3CUJCg?fTnU`RkCxp z?^M-l)gxxc`$I;yFfc5rp7G7PvKY+{&SoH@SMZ6rROinCui9TUL&(DdNk`}5-9yg% zEw`&Su{+ee8Eet#<@;bUDGnlS8^HuKy!TKOKui3;-S)N!6T9s^vbfk{Sdci3A+1C7G$f3B{Ga_;jxx zFc}w$9u7(y=z+k-4{810gn_p15SRMwO4)Y%j(Vw3GdJUC9>k@qtmtFoqqyD z`R9@acF1)5HmyuNaIg;CTm-KHtRF78`e=RFx=d11$@3sPG^_zX|5A=*q8LdWJEHd0|PqRCfo zSJPwx#mIqzS=eYY>=kVnywKo01q90H5SealgMfSXE|W9Kf{7XAz{|x`!bP`B<4%*a zKTDpXROM2r?>?P0B||%J4+HSlYMu`c6mhU+bf*~K8NY(7QcoJwqDxzusKD0G($=5F z6_2&)GjeA4k#p>KrH;~Ngfz6dY<%po4IXw3U#e+}omFw>F1EUDS z%*j>>EOU4?h~e92ZOoRDG^c;o(|0PRrZnbxHZRvlv*JceR?cJ}vb_J)F13T%EPvV} z%&f3>V53NZi{NQE-QEqqU{Ih?Sm11Jupic-wFaX_iuz!o-TI5+!GgrW0_63{q3?n_ zvFlv1#$$!V2Mq~^GNM^~H!jird@6xhB=X0HdrF>t9gD8;^ljK9ROGr!5)1XKr?sf5 zyGLzr`O@^LeL9T{bL%046-xZL+kXcR(I??4M^(c`@FB7EsNNXl@bT>Z3x~de*}>uB zSn`Ya8Df9>@+%L`6cR8>!7+2Zn5D=DXI|-u(@?(B*l^qTB-8y;vbR6C^XQEkdGH{r zs?(@}1k3TWH?<3x8Qixd^Db7jd`N*C8ra4G?!;gj zAI^#fj)#pO+Gn0{Bo3_{t=@t~lk7~%)nv-m9Ld*Y67Nh2?Aq>I?YX4FX87w3F=`iv zc8taU{=K|%vwIk*S5DW!`b`^7cOOodi9n47uX9a49VM`71G-6eK9FT7e{woY%aO@z z`_JbHNJqyq+Juek&0HjwIKc6Hjd|(DP;9&33{{4URD##iwF(^{Tj>eNV#f&I1%FRr z5-JaLfo9}HPeYlE8(bDb1?WQVeq8P*Di)b6e-UiJr8PH2yKuw8JdC3=AKwbnWT_;h zsqI3dQboZ~gho31E}vKJ@=CV94ex%&bJS#jg>2#Alr#24ZDfndFYc6aeP}B|qdL%x z?N!E<=Dt&=kx{=Z)5~UpPl~#)pXY17BQKE@B*s%?O1NbuK&kUfQGAJanpP1NxXU0` z#msx|Yv}3FOTsBU_>$@8@477c{!TLd!wmnx7rgM=VnI~Xww7KrB)5*WuLBI3;*!Fw z8h*Wk;~mdNvQGoC2%yUWUa#__>WyeB7}9O85^0VD$~GMl&XXz+hl znWrn(b}cXe{+ANut7yYle8{6vUG<}JL#UwMRel~5wYl9cGSf733dvdcJS%k`N6p+` zDMXG|osB@87N>Ey0udI7ok9Ax@Fq-hzIf_+-fyQm!X27Py?2sjlW<76Y_To zV$EK`;8=&l(gpNlq&tqp&epbjHy7rG-&V6_27(BqY-hWt{G>!FDhKoKIr9BrT26wR z`0%QoaPt!pMMf`(ZNSgpV*T4FRfF*By)gbuErICk9ox89xT<6FNsQ0~phOzp~#7Y)wMZ?pI%N3EymG32YxPg%nraH$pod#Y`sdxZli}n>R47b1@R2G@j}N z^eXc$h0=bYEjv+oSv7a3SJ`HKcQ-4?UZl>3j~y$0v=Xd3oowhfx;o$Sc(=uXg)EyO zZ(XIqR*nln9o(w9TA&$w53<8nPJrrV>e5yiCT4fdwd6+jd149OzXCjuYtGcNTBU4I0~cFK_*o^~Fx? zkzkgtfm+X+bN5$1aL{pgwMD49b;z()r51?*{I@IFT7~=v?>w8e>;Nr6o*gsh>UQ;W zY5Hfu8hPD|-{4c&xEAVL?ZQUwyGGU*D~xYxdVJTDamUNt6XfYZoCf#c1ohyU`r4z= zx51fq5We|bH&(1&%1M_KwBQ&H9uj4;)EdT?sZp|>Rw!7=SIz#1`COt6s9OO<(w$QK z%gy_LE*q&xzN)%&scfM-9^0rZpEk%tDp9(K#+MD79QCn(u zx>Sj-I8};_W17vI%+)~5uco42q{y`0#}4QAF}-p=_WFT=-!z&dK=r2pu7Uuz%QW@h@Myzx~rBO4?;hbBj0ww}r6;#NWG)ZBawq0@j3 zvt9hX%QYUv#9KxpI^gX%{0e~tPf#?u>S=EJicHxES$BN>q7W6>~ zKfL>94fnD6-bDU%vQQr+7tLO<6XN5=9-4VywP_CKC5){Ovp--uwVlI>KJE#vy9rDj z)ar`UXZ5E_#|5&7=7yX~g0(h;|pWcL~C&Rr0OwH;DD7 zP5LpWL@8U(ROa0KdkY4kCXt)cXI1aY=a$>hvf0nXhbp9=$uxR!M0c!KA9-V;-!y!a zEx3L|&7CmQXpat8(p2a6C4CA_dR~mZLE(K|@zAdONMp0IFlq1fFiUZgE!NMa>Ome` zbhT0TgTL8@1m`O%!+=Cl3)-#&8k}q<$A0{`PANb zpR_X>q(*Zw!D>yGgs!zkqxfN8daZZuLu>7~q=AZTy!#8|kB4;$o<< z^8RqSrC$6i^v2Jh_7C#cPs4+jwT&CeJ^-o#u6=qD?fV8!w$A|%_&%@GQA}8!_*I>l zw3TA7$eRm*3~6$)wgAP657oMSml;YY34V`h9q&^6Pm$vJ-NO+K`#8^x+}S4tug0+l zAQ<`~>uj&%J)>;3yr+K{7Bd(Zm6mVbAio8%diu&-6+ygcIQFq=W0r{6>d@>aKJK3A z8|0U8F}?H8wKwFNxQoTSjye)H;fycb@v+@?VOjQ=n?Ol&V&H zB1cH_8txjuVp;znU!*=_4IXMtn>vYl_;zKIY{8(G&r(?LpJ-5pgP_!&LhQg%(8hitXaR$B7zrPR4{6iVuPHSqa0Y2f4IgiBxOOHSjEBc)DKz6b1RH(-Z=L_~9Tqp!XtKyP zyb)&q0DTwfA5#wnxJ@irgzGB7Sry@7p;~}a7ZSLjXG!Q|VVxwo1YlFF{56^|1|plG zh1n-M>0gIWa+u+whr$#1!qQ59Xglhm(O0FxM_kp^m%k{H8Q+D=0oUsAuD?(vCyvDs z5ouV-L(F-voe!=OY51cW;7wX!hRwXe1@*0oI-JoDK&{hjIY=vr@O6xZ*y!RzXn

PtcD!SJvZ@Ictsc1fM4q-`%w(t@uU8T!No{S-T%`=IO@#uW!u#?x@t?oYl? zLH(W6Y<0|1`}CDM!+<(~w(}C|lVGU3YF~ zPtz(SjFh@;g=?y$<(X7A-kLVw#;#V>!Nfi{I$P9Y5ByAs?xn_pN*(pBIEw z2Z;9$adaXne$+bG8>0YN+9ne|Hza_D>B=d>iTb;kNK|Kc#(zIoXE)by>fo;ri0~t) z9Xs zMafdG#0HI#NqHqI4EPF0nu$icmPBBR-QmEp$D!DkIupTB%kn)sBE}+0?HgpUS&~yy zjt9gZo`8P1RzEfHMW{EWBi(5Qp|NYtE?3SdP9^j>IQwsZ3OZ)Nj+gSw%%axnnaqfcMW z;z}$~;m51BJDCGgX`kQA(MR}OX8>Gw@>i2Sl zq0Cr_*yugW;+Z(dmW>m9HOxshp#8BYK>hL&S!u|cgFcx?nY&?X5&1(PMeENQ>6Y@r zLOtAC*WoYd#moEe=S+H!APwfzQY}GqCLlcos+T#vBia8<0RNka0K9LtEYqwnY|a5{ z0VzT%e?pukA*c^8P>4x}y5?PfbABL@5wz4pDi?#?@O1UEj*1T@ZF+nBxGtB;o2^LoSJ6-Q*&b!<7 zA|N;o8u@oz^(}#W3cD1VVtmwOQRejnDsWUgUDmaj3s}6hj}4 zPXqn${R0H_zqW(76#n(m&m{zl$^W%540u30_a#yNxw*@!cAc0yJ@$Hm$A{u$pjskG`KOm9L zq@pRPZ>YnN=eWN`e_6`wu|-H>m8{Vau$dyJTvxl9^M&v2ed=4BgJPn5 z8cC?IqqGzp(zV7QZK4|UG>7duNVl-e(J_G9!5$GA`3w|p7`D7W@90J6TMV+RXu=0^ zd2l}}#fXQZ`#i;N+FvCcRW|z_?9&fd0|B`PFz`MKzO?G%+3{mdgq zr1Cj0;5F_8bcu;etBc@G1hcwAqjgAXat#*yK2efsV*YE+Hs?d=lo>apKp$n2VuBB5 zf;TUmc1tU#8n09mFIE*_`>XjUNW9&)GR??tL7uIWZMXoraZg1$81C!5mcwGbZC4X{ z$H3&`DUY+3VXzKdgEPxSVbiJXF^Q1Yfh(-Zj?t#@U> zww@fR;Is<=a9-&Ni|Ps?iq7SS3sUm?1-Gl+p0SmFl0#_lPt+uZXmQF2173YxxM^Ef zkfUMc9pxI{b?yeGQ!+2G)|wsciI+}?ZCAU-@hhw0*alN( ziYg9nAw)kfz7-w?>>3gA3U#&oSSRTABjt+sPo3CPvom`>mbm|P6N*7QZF#sR{<+<- zefAdKx{%K}JS?oRWv>LH8(XsTI`d|aBvaH4&MgYT#y!kX?ny!;g}RdiodXZyQye6xCS!)M=vKZu1P3kT6|K_z`4y87%Q{kb|hp6uV7?^$?C zbg-MX^uNC&dE;kujLmZ^RbA4)^|}Q)-1ad;qeM;7Hc9d2r>J*$HE;0To_&fsAD$R~ zgXj7TuV$EW!;P_0zg>fE`reQ(W5}_+RaYEzepH|GeJG)vUacs8_J8-G`^of4ED#|kIB-s>t&eQK7K9pR^iXxiEQ`SPI3yW#orfC(jz~>&f#XHy1CwLQb^9q53oVo>!DQx&_%01{8mF`yk+Ctof984K`-2T9Gydj}mf zmIh72F?N-7Ww*b54qr*i3aPjLGhZh7oSyW)f+qOWm#PC z;;l{}0Vy>v^>s0F&>QL~KrlAun>o)>A2s1rgCu^FDY za$T0wpRO+F;O^Z2>-XjbxEWj%p|kcy*)B^x$8ktlnAPDgH@G7+mQ<$HH@WqUMgN*W~4!uDA_**o<6p2g<-*x0d^YMM&0 z>ER&c0T=EDf33|;QlrfoM7wmBa}dR&d=Gt(@Z)m$Lly7sTYdNZd>=;Vn*DMFmW>w< zKaNIj8H>U}h&EzZ!A}%8L@+bB>AKw__?{t0EKZ!mVBugY!07>V2g=iYtWy$4fY+ui2Oxd{hP&w}36UX@ootytXe_#Wb5LW2JeKQu2Wb#Rg zz{Wrb7Y=pK@)OECC_G&2$#-Pfhe0#9uA*ELiU3$x-=i)=9zQ7F5+}zc`ZPXN21n$}?Yj)n2b0v)7uBF>yto`<(=x=h`GFfd8V@66nO^S7h%xL?R+zpkOj(GzF~Iu{w? zKTW#P`R-6)448A%A|w8ZTt5x^%St7#u%Fng^$69P!tl{uP=Z8E?UzWi#oX?HbO3(` zxVIkLzCjKOs*VPlUy-`{I89#jTCB5aZu;Cn!uvBWI(iZy-m7$(R-1E{qHYfYkW@uZamanI zTm~5mf4UuEsXW{!8Y&`@`|VpO%P}V@c>N9KGpTFg;HwN%qaH{*y;ozgNf_Pa_)gKY z~L(YWzw(C@`DZO zScfmXLLK?g6c;Qsg?-NU^)|>Mt=GS;z3%2_ccGoSnGi@XE|gs8gqSOhr2@nCsHX-ZLDS;FinMJ~{St0LY} zB7g;^V~f+H4>oDgw+lWU%Fw>QzxM1(Q2!N!0lDFgO>^|P_gx~fD%;904)eOyYvwBxWWC=#YgoEynXh?aeFMl*wGqqoA2nmF z3@bJJl_;Iu*!h`|#+6?N;@HGU5ivp?yfX{tqYFcaS{A=r%@V?_n0v|i`2_R;0fFqy z{e{ON-;Q?0C75SqKuxTOK6$90o@!k&FEwphy<^&f1&#Mr73=M2)pEFIfo$feeNY5D zY%69v=y{bU*(wbdw)kVtqvR}vJ}}#Z5CfH>cvDMXTcQ43luf66mI50+XcW&xK{UAO zjqL^1?Q?Z}NFo$2Wir-;GGb%H@~TyILO%E8ZtZR3%K42tQ&NH)*0{}EHO5cQ0!v>= zB$`5KKXiZWds@_kkTQwTFdXb9jM1=w8o!{Qmiehnsrh@JCQJA3ad)$YEC*KD!Ulrp zr>}$NobuHw<(dG7ntLVaXV8wb&1w27nzFB7z8@wC=3xocWO3T{;~F9=T(3<)8o)j) z*M4A48!_QT0AyvSWi%(($nyAXLPQuRAaH!7Bd+H{4R3$D+d2%`Ckwr#F;%sp%yD5G znXVL)30jsXCMNy}dbX5g`+vlVfbAZ>^vYuWlDFUpU{p>&Mkoryr6mS-r=eDiVxo;-F)|9V07y?a~f{f&?la zJ{ioAEmXgAD|Y{fgd_EwatHMt616;>P3RVpP(F3QDJi?Ym&eRbRuFNu7Xcoxtiz z!m=f(UNJFIM;Ak5U8MN%Hp&pZhz+k}<3kC`WT)W=++2jt^7ppzgd*9Xru`$u{X>b5 z{{-vE~eUa{~wxBi}Et z_`?it4(&PQw{s8K_D&N5KsQmoad?QR*TM&Fm!?2UCj;*Rh!U~exhyqyThrP(Q!YJ# zL#t{)2#H?(gL-^d`D32qRv0|%hjG8z+4?5q8L+P(c09s_JaXTo=XfXV7FrHF8jk9hN#L~DIvup~Y8UjEJI_wITjIy7j$5-D zaEbW%2p?t=BSJd26gcQ|`acX1|X}l4M-}PfZ?U^uYyF!MJ`*9%v%L2_36jp8~ z^rsbZlJseTeI}BCZ3X;HpUwRFm`?e(`gGPK{;cs5aA!KND@QR(pkGw^Y(ZY$4hA5t z`f;Iv(&(lj_kyzDpAz|B-iAA`{=q*Z6%M%+yL&r}^Iq0iD3ZPX9&U>reeGAI>d|V^ zBOJtl+{8R^=n3S@M9jN3i3N{B&e(;d4O;b?A4-16et1@<-!($M5kcQ4sFv?Arg%*#(Q8 z!iQoxrwI!2I-d5-`}u75g7u@ypWs)^(@=59)x!uK3>%`uuYAaNS_MCt^Ik6l|Mf8+ zL=G-tG_i9HePw7XzGu_9fffQE_}iw7aQPt+h7(oWuh?tmW~9?{-a}GHH+F5_qVeiy z4-<-inQ(Ag-q|SG*n8ULz`mUGcfeX8Yk{)S{qzbiijFqI@;hmc5^sZq^X}&H^OWHT z29L|D@oGK^)Ie_TsXRR`uF}_acW4#ZLeerd0n<%$Gb|EiZ70de_KlnAJy-XK6bSLm z@SrozmtEGKY>CH%95!vSH=h1LbiP~)0D69?Yc(WmCJ=b=n+V-2}xyXZT{b8z(`K`qZghARj)lOpAXWqHm zr9k1~6r}FG`b8Te{KnxO3n>IJ5kTrP;O7egvU(hoN6FxyZfejS0a7aDzCBFjG(wk% zARigL1d^Az3C1xcK^zUZp1A2zo#4%zzcq8YscDFwnyq%pIk6GYJGBuO6AjVeJUF&Z zYr=5xmuxb#*QKST@L}S2iE2m1IpnMB)x~4z@Wvcynw~?l zcS+vc*yDJwX^h&QovbvdI;cFFbHnYAk=!QhtZbnGGb4QOME~ zFHl0_oO`hp8FuY?9`A=5R!}V6Z`--}qfS%809I4t4G(C4Z~}o;MTe@!s|pWUiS9qX zS)f?!QSES&hkTV`OBoo7Z--OmZr>5KTPvc3^y8EW&dAnoH2Ip!E_nLB6Rwkh>}_5Z zd-#4no_Y#bm9fT*rx?*+;^u1>`On`6iVWCj>W2ryca8t; zHu>V)NyCT%Gk&)lv;ET#yavzKGkygsNUv>obpPhlVo9?=lgY{}Gp|C_E>kC=;^nQ^ z#v_prs;H#S<}NL@g|@h&AGs^z_;PBXorMnBe%0=iCr;Pa)eo8AJRqgRLXmR9wn0nr&5NFv&s)tHNaT( zOl|o5RFRjKB6_yzX&)e&jWrrgAanJDqV`>YPPfOG5uXWsIpn@P+LNt?Y;B^XBA}gVIMSxvRlPUGqd?HJ zwd-_pewipZd@okmk^Yf@WM}IcF)>rs7Ca>+rmFF3cGqd`XMk|eP8<4i!AdmOqYck32xQ{~1qP(z+C6ae+L~5qd-P(D*paBa-)(*U+!GZN!Q$Tj7wQ&wyAUeFs zH2hnKk+N_6u4k;e`)rUvg>qOJgijxo;zHm$ZR-C3R>46L0u96zyCnzU%0UtC=t`)F zV}zbn%I#WMrS*|c+B^{*xX!MgBL#{TqVP4tCsaTdhg`w$aZ4!wY+w4_moREDP66`+ z+z)OxE(RcmMPdJtW(|7vl0GfO)(Aa*A=-;2$mh_H2w;~&`mF@ok6wR=QUHx)XZn#GD{b}6kZvhgx znTH1)TmVw~OA#Q%R~1inTe(vcM+OOuAb>avxLbRP6-jGlO$ak?9Dq_2@pA2`*-ve> zj8l}iY4sP_Dn#Tf0C`j4{PHFc!XGUB1CWo^c>^x-`2xu_PGe01L?jR~*Q9!I5cboxR z_@$~}_&{817=Zm@p1&V)y41eZ-}f=oz&hmPUblgxyI}^CnqLqI=%TazKj1;`gRo%z z@~3D)$QOt%*(K;7q=c*0Ay7!R4XLVV0Gg_>C)!x+75yf`6eMs;5Uxrv&en2`QT6>m zjvtw7n{#W}!kW~wmUb2}v-Ka3C^|_}+p$52N413?zYBRC+~WUnn7pqLUp_U1lRrvF=`FlG0&JfF(2 zZ|ck~)G%s6;&WF0cL6+X5FZXab#QS^HB ztARh7?Ra>R9dO_d)S)W?XaH@Nr#6_c%b42{5Q2wK;e%YDfqZR%(Xiwp2A(rQT4TND zH7%|SRy9#_qWrqsYrJR#;nNXjn6h-cf4TNSHoGt9@eGPVN-4H>*NW1l^i*2-Y04;g z0wYiR(gE3`nHj5V26I!3SI6~C@MQ$$=1GTkULQJJvpPS&fGZFQGO^f-%m?_os7|Qf z$5zJ=r}TsJei#&7jS^WFjl%VOCTetFZ@XQ9d*LMjIgW&T&?&ah$r1QOa&Si{cL&DS z0BGQ>dMzyYWT_Yki-iQv2HT9s12FN{mQ3@M2}pD?k?SU$*9o!8u$~tvkqhrNOVj{U zw!iz^18{6Q?A5vH#(RSg?~O2f;a|^+5sv<-B2v~hpd5>&%YO#AwaCHW7aOjOQ{kF*YKDL3HAbQPOtbf2DvDM$UVvCzvOUJ>YZ7N;pq>(3? zn>zN{0E}y6cEI4UU4=l*Ze>Tlgw1RA|MCLB@a%5oBb~32Sk0WhGK7WT1X$2;`Mr)f zU``>swsR}%O}>4&#!Q9jo4X{%K6DXCbf{!`!}8^FPLBdW%C5-4Pe^C`o}N7QhNhGcBbt> zHRDDbkO%6Qcb!=GqXIx{W@Y~+G`aX?hI)Dq?0PLfz=Uf>X*@)qEu#&G!DFswGH8JZ2kBA{% zSnmg@R*W+Du|w0{7>0Q?N7GZgY{X%a2t18;Rgm;1RJzW)Fb`=ZlWY zz5_>2v6etOnsZhc28&7O`d?#ji?)K?aeYphlSGH$Meau=rKGejG$AnzI56_0&T(bX7twYt%j0RjRmZuz@Y5i5saMXVG zJ(s*{*hHVmu&@?AZnGH%OC^n_CH`qw<0+D`eUpYz9eDOkmeyk$I&fhC6!U zqFWBrlhTbBO?)z#ug3v3?d8k)+kfi`;0>Vf<^CKj-(kb}wOz9D<9zi0 zIZIq1!fa@)m=gIs=6buO0e;P*a|x;pz|X_M*8%~!2WIa8Se+676cF=Zjrs4Fqd`m` z4;se?Uq-oR_-{Q_iAMRGF<{L0opaiORXy8K1>ND&F{O^`KzoUrW zM0^z%es?mdXSo9G(y*rwxZizob=1SYTYuX_@erp`5@A*y!7lnp&bR0+yL1A|TBu%m z53pS8@KtC~#cOcJ14R?K%l;$&kt+1TyQbm6lV8>+^7uEP0*5Zh(FXNI0K|j!0n&Mb z0zHRlc|XJ&Z2rELAA%gzldBV2a56>7f7@%-S%chaEhq+@-&zkbwaIi84OQEAN0n3I zYLdF+J@5>0kz+XilBt(EuJj(6xolr#t5>#Km>mBaswL3y^5%g4^Rxnw(#?hU;Bgbq z_EdB7Y|h6qGk=e~1D?uZWGdq*PSioZdds7sPfX52STf{-1o1F*DFQ`cFTsTnyNqQ6PDWcf^L6pvAu@DkR!I+kS zQ`s2#jeqQQm+J#9sW@MP{{qql3?2L%)j9f*tEa48m!GIV_@#R~Ds=p#6VEDaPq7i0 z@UolQB%r6gt+9%JJy@X5w22L1%=urWD_`W3CQ@A*U!>59bX`7P`hlZy#`i&#-wUX_ zS2@DMWnhvV(BqO{J&)mNA|kbz-?T6M&SpGV+sKjH%~5Aa!mUw^8Z^mqt~43wGWi#ME(jqmR! zSp{&E(v4Trc23h*{py|f;7dzS4IPlsyCZgg3V0J%)-8==B#>x8(rL{9ll*(2+M*AL z(a=Rs;3)xSJs?F4tW2w4i5##lzt}!Ek>o}HApSIb8YN3F9Ju{}<^|SyoRJ6ABq`85 z>6KK>*+(I8LH)}9$b+FLFkoQdVYhYwb(=()AWx!$j~+VQZhtXElo~7?6R&J$s)AfO zIhS-AVddleiyAb^th2T0tm7r_;8}^t*AE6uF9+hr_Tj_nxCGS1(*|K2;yPMWc{7%<`lOKv|h+alQ8?=WT!F2&SXZ9Sfo$qo1;{cmZ_SLAuz z8N2334g3#Q(uVA4o5{F5sN=Set$=OU2*MjaNyCe}W&!!5CJi*j)Y{)IKMm7aym(fl zP?c)j;Bepmy+Gssq}dVyeEO5(`9k7hnrumpFVK&Z&Uf)qbyetfW?2br{UE~y)J@AL ze|-o~U$4J-j#smzKxcBlHEOMK#7{a%>zQqn?wK&4|0O!8Xz?z4FvD~0B+w?9)uyf{ zcCxU}vISpqpVpkG%J~2|Duhm10|m=8r6`-;psElJ?Td7bgp7vC-cg-XiKO z>sYD0uhg&W(K>Ku;TB`Y~Az(~^4i62-RwrmRccp4cNJn_!8ph?@{Nn5)i zBYq$Z0g-Cx7rzUzc7t;Pf2pZer?Ucw;a?*fGt(nIJT^}-@d&2kfR~p55H)EQ_BtVm z4Lxx2lgJr!@BsCAS(qcxq1SAT>D6y(C87DMY2bT*Q-=jRkDC z*ZSnBh(HMF`s7=`YhFjB3``YZQ^$h6JfieNqH<1GJu4z)KAoS#@y!FNMmc2NW@if@ zSjlR(fP|z5F{bQl^hJSih~($?i3!@kIYDAsLU_{{mJ8teoNO<=hPJaS0IS(-(v6#ul(Q8~-C$Iq}t z2FR2$QHgTzlKL6yY;Oq&DAcW|oO~kjs9RxG97Vn35JcfPq6!`n`CubVCBdHL!wq)< zpw?BM3ofzYu1!{@&sP=_AX^;qlht)3R&)GPf{U47s^j&T+xPiBFlt!~2A}qKd?vUH zU)N=Wu^0^!3^?JqkP7%c2=FmlJvsNW_RhrM2={V!sKs<+#{FChztR|40S_2QCLe0Z z)Av*c?Ofl29^mNlP&UZF{O_o=HUP{#p~$s!q?wF2%H=6eSoK9MtQOx2CC2n@c~B{T zOQAi0eqo$zy1zE4s4wGu{}U?RjHH{Wh-FIya2}_iLzy21HBC@-6!fW9EUw6|gM_Ds z>H0SZ_UkDOt{2w=H&)$Os~;hPiBAA&XInrFM!e`ZMsat*JAL?>8hqdMm$`X!64mh` z?(~Z}RBVoCsKLVo4(XadX#a6=f>|_z{1SS!r)}g{1}a3{Hx6`P>Z0daE0;%sB1B}l z|Ml;40u&RA)cEc6-#(xd$mF#@*Q3jpGcnUf{P30>R}uQ9kd}>EyDY>rk@G{V)vm&% z$W3Kcm+6P(ME`gaU{;XkMr&BYxQKv=&R#Igu&}X6mZ-Vk*Y0})j|K=~{;x9?@deLh z%He>ATYmxCQ1$TDRZIS1#>TL$f}9&j9%iag@ejIswfFYD!GI5$ z43@NvP0c^i^#U5!oLT_*H~^8VS86|8_@^qJwb9wJYG3*mbZHj_SqwXVY=i&^E!i2= zBM~PR<`3}V(UsNH71H+hgMGsIi`ca$Os&I~tTltk{pr!H-wYrXFCcIwX~F|CQ_zYL z29vXd>B*;<*FH5%D986Iw8?>dnSo0=fpdxvOCL@cHE} z`g)m{8VusB$(bA;Srp{JPe-Ep^UY2E+Hy5jVmZ8NOsD#19H*gfRC^{zi)}P9@n+B8 zwdJp0bXZuJ;9exehKqeQ>r!;SvzqUBUu?$}9c-RAg<(E;3ix0DH=vH0MF1JiI7^BS z53V9oT2S$R3*XjUo9ql|iuIEPDZ08y~nRY0@PT)dcT%>c@<)kcv){iK)`L_A7fdrOyUTv^TH1w^+VWRG-3@GZ|79-&Zp6SElB} zQ#P?xKqgRpUk1;ESHG_VA9gSLE9Gm89&&NIaqpjQvmQ%*Ey!lF&MhPg9ogWuoQZ2> z;Nr*LPjyDAxLV#9k+Dl16*e}+)$NrQML><~1mjw!(FsPAiK>7HqfY}y^dQb^QUK^c zA7!@cmF2#v2Y@KR2v2VXz*=0ze|8w0+KM!HnS`^HvB$5c$IiAvn{ftp^J@kQ_AIYk8txa#xfg?Kd zPN3&S37pd;1;kJs9dnEzO@xijf_Ws=xACo3Aa)5sK5~S;Kc`b(g93} z2o@GlR$y)CU!nt_4@e}+l}$=qalpR|xQTsHEyF@!7)+Hjs+HJuqa82d(}t%vH)R=l z4#tY8uwy~kzZdB3>CUV%zf9)FE>orkRI1sK1^uBl8v}KQ=4eFBP!zv(pioPQA`O?4 z%^p&iWEFy5i>Ic~mbX;az2O{6QZU4L$Kl$b4CRM)q31<=vO+;-Z>o3>HQX3^z(I1{ zC~@^=DVO?gaQ)oPu^0RSmcWPp?K$s9(As}C{K^6*e$_@B*a{z~K+dR=g@Wn;oF5V4 zLbsVUI)j#z<92$U1xQZ$H|A4~a=i-7F z`u{V1R@=cZqD((b4JQWvZ=ngusYIZO0fRDLq!`6X#8*pfM0HR3%Xz_rWuye_h_?d% z?E)Ek*@_2AmL6hDA4+@=T*DF=>;8u6?k;IiNeL#q`ReCy1To(LF!#z|L6YnjyuM1;4#KIu-9I5 z{%WpGNyUx*_;@tqZ1;&4nE~$e$JSz3uDPj`a$LxF^{Kv+w*J%j<;r#?au&*BxY5B{ ztC({-6Oq9t%!MnCv+0{)V&A+Nze9-dO3oW)IN-G1ZtF7)ym4QnKQL)ibjXy)z3uhE zP=A!3Q7BN)(WH5x!4@miBI?-ich{UfN$@lganc1rXC+>R*+T{y(Z6$_yAo^m;82@i zf8zmQP63SF3(}GLfk5dFM)@Y*SX?F<&_2MR8aVMn+exK*MOE4u!n8N(Ot%m=e;YD2 zvFR*LBIHxNN@P)&Oj{Eqja#`wt$ssu&S;|yg`k0yuzVpzGwbS#2V71u?iVaMw}N{+%LS_3c>`Jw9I%i=LAb~nh7f$1yK5J$OE!IWzns}OJ+gkeOs z0S9h~`1DGN_i;8_p({)?Ec!o8gVJeraly#6c0(o;ZQ~*qM#TSKrtS0+_krgH4;Kr( z5m*}15NsgujO#&wF;*JLcX&vGKx$E99skm@^-_JiG8~nvo_?a*u)5`)c+&F0o|BgL zWI6d{J}vp1tz@o^%!k7FjD?z|4%89pXJ8(owS*<~`x6S?X$kDMy1V)5XZO8*p~ZTq&|RE_kL>fZ zFKd~HWrJHb=omyFbNq@h{dk}J^MYLsbJuejPLGw%0r%y|^^-I9$A_w94lmY9lOlIJ z?A;CgMM^Uz+5}`+0w)!&SNwbNOS_O|$+nvotd2j@vTnOmlX-2I{#4gxrd{MUltQS9 zg{GnZd4rE+x4;)0KK1UPbdGOKS~(H97RrvdUV&u6%3Gu{!jm>)(i`3+0QH7g(c|-2 z8eRhHQw!P0tT9W@Ol3lSwhvhehgk{xTuq-5;;Mzvw=H)Y9kL*z2Kt(+g$rs{Om$Pp zeV{QBgm+g=A-62o#SfM-5*`S&!DH zy0c5?++;pbQq_!)EZshsGz}^L;yTXxKDg;QrYVs|C*oP+uVA|E6uE`Ps6>a%`W`Nh z^@HVsJ1kj7QHoU*MQIfRdhp@yQgJaowa>Y!4%EAsb!;td?cpaB6nE?IR~&D){}d*B z6~{KP2wZaYjo{Q86A;9+^EU8L^uURJl=^i<8Y-v6H5V^j&eCOL->L6Jv4%<+FD>L* z(z)JhW%1CW0!`b3OUri~1X(;*prXgZL(Z>|rNY#;9VUov;XwLge|_~WB`v1WY;oNH zU$gFUi^NF6=J~-K({mRyT0xZX=wbfS$loAWtx||eUX8cdPQoSjld&Gh90g{fetn}n zQQE4b6WoFX@oPo4=tQPH18oVaBm1$Q)g}A2i1K!FO+)e+ySDs6vl%*sdy$GCBw*Rc z3T0wH)%;!m{Zf~2ZPQ!6T19D|-Uqly0XiO=Y;HlqxoV=caX;qUE``u}Y6+8#kfs&) zM~awEiIRq)6FVV-ltO$t!83RRj3QTq49hha%5Im1smcAwtwJHFDMHDiVn6(c1($?W z%NZ#6_N~5`Vfz9ZzmUEM>uV)-fiPsQC+W5)WFqBB4W0THRC;ntDu{Fb*^+6~+W+!ZH%pRx|_AN!kg_oTl`z zj&fA&d+E>)(H{QXWAnumL3iR7-t=7wayqt;0l@5<&x8*qeZ@dRk`K-YGH=loH+YPZhMO5~Y# zuhG6?C#Y#;XCQpu4Rpg-G_oAp;w_S6b+zah&LGk271=C|5I6RdUZg&Lzw=c3IW0f- zV9oJix2}d%H?Z{ylt~K8&3Cjo&|!GL?3G( z8<(k<&9hf+vS(XA5W3hez)xCJq)1V1p?4V6h~&N#EaniRQxqwEclMkjvX|h%-IuEo z_(&nqL)1;hGDVN`qn0kgfse9d_+|Je&uqF_e&DJ?bDn!VK!B`!Uah?JFo84ToSAL zUZmm99gNg9eikLPa+|aG_9x2OBbi9VSfg}iQR2AbbK3(;K z?oJlh)M|YGv!FwgngMP-ng&Age`NvGakCaQTW?Q=q1N+}Fny_EFhwC8LdIb5`$NF4 z1f@4-EHGv4f}+wJ15$#Vmqdxhxnqsm^&u$6xg}VUfArz}OMaLlQ;ZRVpLmckQyS#5 zImH^H%@-lslm*YGab=jb?O1WzIE`XlGdp&8aVrDk6<2Rv!;Z(+^NqNP&z+S6&>|KP zUI$Kzrdb_zlE}FCj5wUdxZp=haJXEZ6{h7>?w>cGij}L*jvYm}Nr~I3HR% zZ@mcEYz!?1-}OzI!9+Y3H!_C|!s^xi7IZ$IBY`L69sg-(_p>1$*)mX&9cO#F=v>C} z_tl!yz5ayec-idOZtR(G(0(mwfhT-1O$K9@B5!qV(>JY6y-DHbE*&fSY+@{FtCSA? z_*a^4Pes5wAp8&OFjGjhrja_3%T~WK(p*%vSYbuG&NKBEsnp#mclT;hhB`YeamSHR z5!$Si(X6vn(&M%9muJIr-Sg5Y=L#Q#K#KS6<56N1t<)Fq!L>Gfoaziua>(+%6tcaz zboHL9+VrlTUUT{#p_XNNzv8SPDTskIFfN9_f$`Af<>b_(3-Mephc^PzOj3of-$$cC zP=g1Cfe_eZn2_W_8*){*uid-UD!EPCd6|>ktjt004-2nGdY2?6LN}ACxWWHYwB-&y z_ucaL@wvl3$`Ky^l?E~qu7v|ru7+*v_N$EfpY?unG_f{HiFZpaKkkUTXdqH@oPS)S zd9>D<5Qq-2>$sYCJ34`nPGxDSy^-ldP=|pol~XnJ5Gn0(yuHQu`o9l<3wCvS|vQvkL{p!!d0+>|qK(0V|AU z?q1FcniiuBUgf_pY_-M>Bv30nGW{rOJ%1bK_As3VOQA&WLuzruEx<%Ai!es>Iq^DA zyrac$ULC*d^lEZjTI3_rkEWmKC5gJ3)YZc;R{^I9lOv>^@6K`lA!&1W3)`toP6Fqj zq?{jY_e?m3h?|SDe)~>8@*YtI=EU7JH%>S&;B~_KkdG%tXLQ3mjlGkR;Vjw2$|gqP z;V}el;kiEMJWVUS-@l^Qp{Oi}flG`M0<;3A&o&?uq==pzFv?vDT&+y&^(}T4`_Dt)v^)fORNz z&W*?-#c~LP11<8j7oRw#!PoE5w#6pn=>zlUoGb^EEV-}Te&A{g{k_`VJ=>qOv|5`_ z*=Z^M0=|C({?_fZ>#Pjc4bwQ1I3>@_UNs=?b2FaXd@9uvudZ8Z{oTm|PD6^;(4kub z@NWs~ovP^?{kt>#xt=|}u#S~V(ndAg^=x^tZ?P?ef1+=Q9*gC12-a~3Hpo&bTT!Mn zi6rUiUXBR}^d2(m78+oR{JG9nW$IB0sB2^|p_ky5{NCZniTe4#`O*#{P=+FgHCBvZ zFTQ>;+WE?D;YRC$Bn@@0EzK1{5JHXp#dhdEGX&p5YR_;v$gNL&L+VwEH`Ao$=0;77 z%B|D(8t-p5QJTCr;HH<|pYJ&VUBBfO%K}N_1VB&x^<)i7L=9iy#^qsTo8ZARxknLV z#StMDqB#`el`b4PyC1_@nY>05{q6CvJVrxcIx4Kl?C*m)34>Hg1DW3k zsYnoV0FuL%`}>#Q2fHjBvKK8Fe4-R;Q#-qm+RrJ={Xf=9=Ka>Y6-4#Q7P#fJaW*e_ zQa(DOTZ_T7b8-rbUWnSMB&^M+V~-g&OIL${2>adBdE=05M06~U3a-jj)J$nDt0tIPKQ5DVs!#vSLa7`R$_&d$C6}(mFhQX1iO{6WcKFX52g^6wo zEc5*Ilu@Iz$9+s4s|YUo+|lo(KMmgR9?cm$1js3$Yv)`kx;mS6evZR__^2_*SQb{% zER%?>TD+yaI_kEh0-=LuKF7!eXq&6H_sh20{-P5E;)lH3Y@T)GRK2=~>C6M`8|P z2lx-J3#P+{RmrPVmNVduwy@xH*uDia{KHdOJ35IxA-9)-Mu0?4P!Jd zt#|F<0IBljcCsO(<1u6u5<*oKoc2AMcQN&PzDL(S6qI#c0_&&|n&FX+ROp`V#rThe zytqwStg!anMw*ZjG0LGIHxT{^zuPM*z?r|)X6e;ow|{#7-G;d7!$$2${&Bk9!rXp5 z3K|r9dZXE1i<_CUxI~XdA2pGLs0AQ$DEs%viuje`5D8H*z8t@O9#SxTJu8#b-WXMV zF4g7~%MljJeYdtH0hzHVpd9A?il4P^)kc_RmWn96wbIa$SgL_H!Qn}Y@%3o{V9$z` za8BWkw^}C#tH1H-B8yp>WgpC(=b7NfSv8Ygo=z)dw0>1sz{jlYZN%w?`LRffWIHcE zxWx zh(H7|`ns=xtAkc)hw?sLn4LY}V)UiaqC82k=Hms!aY6TR0nR?5gBB^OhaLLaTrM|i{PD1p zmWC28d1bBwWLL4FxhGF9se)=rjOkTgxPOjmQFxGXSYNTzVY7zeFv&h}<$frbB_f~= zN9OmT@hlAAoKqLfa%`A+-ou(i9`PKZ@m!pIn~jn#fG?yUC1QC+xrQoRr|=dJa9fI` z13?!}2~q5L$KA}?;Ca1}c{ANZ*D}h!6`akY@%&l5M{q?$gR^5pr@+@EkCoHR$r9!S zWl#$+Eoz@8U(eqhC^Yf!24AY9REX<-^WU_$A+`VMr#bv8S`*i+kB65rp^f~v=9iHt`(d>PBLPE zj2QQmt&Wze3>6Q;O2FVXbbm)^CDFs-!}1Md%zP*|{Jlg^yq%ghc+0-oqZTb8GUIYndtkA6o2Qz>gB3w9J-b3==|M3 zT}ENnVQyC99}S=(P`*Qsz#rB-(;GPy;Cv#O&`xFHL)m8nKPJ^&ZzO&_&9|+?TZZ;l z(~gY|YxI4lpOn`>v-7x%Za%3J{w!j@LUeXkEf&dnOu`1b$aT3ccz=tX+Nyr`qFk(v zIIf8>oB{*P`!9IYAagGDu;SB;80a+r1$Iql;GUNkjhUMA{ZGpGS3EaMUtfl2rcBHK zs6j&9&6|qzj+efM=zVZ-3|^0R@eVq3x~s#P?rEIEPdT^JgiCxME*>IYKJDAD*ERAD z;oj03i5M5D&=m>55Q|($(;8=Jwn|c#!h5W|38-uJ^erSi|PFpK*z9Ri-+Hx4I2?Bg4_zIK|AcORoR*k)h zVv8wH9E|6#nPr~gCcA3CS^!F!nbI3jl}Szpfha}GXuf#8kmk8_ik0>oC13<9e;Bp6 zA2L@9y-*E0ND02W1Fo$XJ!28QK@_<`2{~dsI#wXil{(nMyrnJf8_QlT=2Z|mw*u&m zOAjoK$RpoLfi6YqhmbD7C(KF|LSOCre319u1yZ+cWF(~Jo|A9Yk;_lel?@OzVT^x? zXa5FE>A$lf%u~-Yo@3=0UwNA%ZTrQKmNdHbF_o;MQxpF5AR^agrnrRfy zayL=-XKW;`eEu8Iec0)6E|M9*a&8Ml;>lr2>B1t(xm~0mKg^3QbG`RT0Wy|D7~VNT z)9A1QYz*y^|598}*zb^K==W&il<_f-#FycO8xDQaEjs+wuJ*s?$RlI}LxyQhf9j;( zuw;7dec>tK)O@3y()aC9Vyie5=f^uS%ey8fM2{-JV_k3PYXR@ztv1hSAj37^c6!i5 z-YpHEgz$ZMNZz7?eB#yci^e<@;bPA{o0Bw@vkIEm1Nw~+$9-e1BQ=I!*Fo^|hQD-` zH?h7^B?1&=1fCBl3ZMp^c|gTV);Qi)_E#fa(uP11#T@ggLBWdp>x+tv zC%c7T!sxXK>$`l6jHiMHRh(UlidU9Qv9h~#hfoJiegD|mRn=SPZAOT2UP=RB(n!07 zb7yAt5?#4-3sSB${CFi+Z%BBQ=Sol~;iO2hiWq;q7)K(h_LnKpGAPm{C`iMEXlF7# z4TG77tuarp+zM?ocv)Az*ar0^7pKyN_yes^lxzu*JpKJxvfpp@$2 z@~%~=JgQ^w=J1wfnPY_DX4j6K)#)Kt-HUj3(cao$Id`l0RENo`$0e=PwhnLPw|GGJkoE1Xc02 zZlh`NvT!yc$k1%o68y?>cGkYqi0b!W^?LEfMmWrrW0mjyb5~3o)7CoHwH-tCxrpj( z*4ihW^>AGM7#w|+ovd?X3P)o*13CTG)b?)_(Y-(3JQtyCBAX-l;J}_OijeWI+>UII z`;nbmRr{ZsW)Pl7*uJ{kOU7pQKIcTirt!>?ls$R4dKaj=>eIH-T0wbPXlXwv&5!j? zNyC~#oycr`9vPS2Ud3Hf)Pk$Trg;vpqoA6SD4Y^6T8M7utW1!H>`LJ+u73S5`JrtL z>2Fyvx2I3HL5IICG5fyc!xpLqNV5iYq|QVYk04Ldz`JIL>RHO6CXS%mzC(;>gb7oN zP-)?rKXHPbD^jIMGNXvEIPLxAev)uPjw=T=W2%(KXr8FEU z4?yW@Z1K0E<7;T)Ul8vj(`k%~6=)uZO_^T!%6jA$nU6zEE9L6u-RNu+X6Cs*eeU%m zm}BC1+yc5&L724%bc~F$(Vz@aKw4A`tM;7v_tqo#g)FZ&)b{U4{_aeK`ZYo5F~c#cP#>YqiA3@PE`i5F>}QhhO*# zu0=3)4Dh)9LYAxuz}7{EPlt0(dvCQ^>}rv9R$3U?c7S}Rn9_w`g!24TV)J%_njg3K ze2*&}9i7V6hdHob7v_vilmBtik@@+S4gGmHN&N9rxAd+jiRbZf*8TBubkN7HLcx`_Nk==Llq^WE&F>^a* zSr)RczNzxyS=k&x{SopN|0zwSovTn#y>*acnOrXgYwj||LsB3me8rwFZH@3Kg==OalSRY* zRE!A!gqF&2TRc;MFUXVLTs@1)14<0iJPBa339NiyD`5Z%K+&k{ ztl}-|{<5%ytU2>Mr`KprT|Uf&^NN1m*%k99WW1mPKdDqR*MqnWxm_ni%Sw!#m--(U z0prJCyeo{YMNM|{uh%xhgCX62fW+W;W;b_TiJZ{z=OQT9y9qIGv2of!DqrDa`E)91 zdBY41{F7y=x-Gc4_)2jv(jBVI%wxQjXXW7^I5wvTBWf>rj$OX(nAqiGO3dm-yw{6l zmoJ+dx1Jd6BgpgIFV1`jhxt|B_MqvR_*tlhGT>5(I{AP6h~MdZczkHruy&Pxn;794t-! z%pb44U~=dn;W)CbZ@hSvZQRs5;w7m{c!xCUaQ$avpYGwu%P|LFzPL+ht3Oc}GiSvQ zG-^d_#i%q7yE0CfA5Pz|-%m1SjRv9`KP^A95~91IzBg4X`aGi6D^O6-i^nPlf95CD{~%ODe> zoe^}%4xT&_V*TbTUD7e`M*<`(fVMZValcrw8LaO~GxgA-u72eX^3-@UnlqNE+UhHW zX?&*jDqvy_Jl0sOoj6djEMse>Y*wB=DQ?s#EA}8Wc3*EwGwxF^U~_Sjd6@}^7^q_U zQ<|?kZ4#xZyd0jN2Rpsq81ZnGFdZF->c8h+t7!m=rp6mH=8z*;L4f7=U9kW|%he*K z@G-L)oG=Eq6m_=!yJft_VV;Aj!@5mA{?yPZ}*Cpw2Gc_0J!S z9!W!^6Eee7o;(81HYo@{wHx31p0LM-{steGsX`z>Bs0q2dU|T%^_6dS#f20G$`7c) z|AYQ@6a}m2bZ;Q>x7>I&6}P2K4@`k)b<|{QeBmrtJhF-N1}hV8{Uzsm^mOMQSMe+=kr0A6N{bS4$F|Ip8rL(2@0hb?&c zTcW}y<;6W>gLp7t7q~8}s%&}{jE&P8B5fnZJWB^RnSU_wt5#K=2+$xtisN+ke#G>& z!}#6QR8rDpdrphveIE!OW3uq$o6pO$%jNO*YAvDf%T=wlKFykw&UfU3@g&QqbP1|r zAO7A_D%7z1-FTf0@z|V}@~wr-Wi;mOtT%vQ?$xINIt4(tyoA%6U1Wl*h0lwvT*mc(87< z5dzNySeT;zafQbW*lAjkG?{&?kjig>8kwVzCI1%BZFu&uJ_W%w0F*(%_s<$VMJzIj{ z_Fvuz+*5PgWrIaTPXgGiL3Hqwonx&^>n9uqI89Qb@V=b|JZyx(rjY-sEGe7dR33k@ zeGLJ6@7~B4;&JDgQmcZRIk8F5ok2tcC`_i(=+gC36w6{`_?@vQ1`;kTdzH7S?#KPs zpa%iC5B`xYkMsWi+AFQ!XEKdes$m|fSs9l6I-d^+K@AfuASrQ)=h85>aUUeoIH+F9 z5+lmaa(#JQ-m2Nyb}yH{8FJe8ks~>s;a58PpS>$JNO|jVgrxbNbLEBeC!FNIMhWx@ zd3Z`6}uP-m;HEbC9!yW+5GJ};d^pCI_hapm_)Xdz+(P=FJ3cX7ywMFy*8j`N0rzr4od zvfj%}7I)cPh*ELWP8Y6r!q?2K?yGHcsr0eaqTYSM^m1G$Y$Xd1rsbuM?clI?#`_O0 z^zd|yH@f_Zm$QUd3m6#%c{{B$g{**bI}~1RJ@{D?m*N&dyys*ZP^0}a+fh)z(&%N< zN9GUu*_~(*TONGIVvG_mA}B1IBCt2Q5_zPn=2MtwaQ0uwLp03Qel4F@@*2*mL?
`& zRp1OTb)(P8$redsQ(QO6pcIZ8xt%(;2vguiFaJvGn4ZQpc)4o|dbq0^9ziboR@m=f zRNmhHm2hb>@zi$bvP1CIp$O)_5Yf?E_iATWz8|0Jt3_v(881t^b=$wIzH=7D6ETWY zQu3fg();@FsuOfPfK|Vw6f|0f-okf;S<{p&alK7`>Og2`L~oMNvaMEjJoG00%{rQ- z>luB%S|HoR1OZfM&y)6{$C5z``X{CkcC4w5WN$1FGysNc&hIbe_={{li=T>9TJ3n` zqZUf=QDvar8oe25AUDR0W39eg`e4)6xT(Kep@Y^ybJB?8$Ze+dTayewWEzMyemcdF z0Cq4n!7F7!#7rWGOuxUr1FH<=8o;j_*%-~g+aOc;Ah?&p(gvUcCp?oGA!6M7^i*Jd zSkX*6;(QN!6uWC5#!|k zjxi4uD$vx*dzrEqOD-FW+)0y-+zpXMfM%&b-HE>1CcMt6`Dt7CsLjj2xVX5m!TnQ= zetwt{L&wAUxrFDs*Aa@~Gi&W+2^EW}N4bvkQJ>GhvH&`I-`|WZ_kJ7l)5{8wixK(N z{7aB&ScQ7$u+xGwm$;wD?dSiW0TB*1LbXnTwWJFe#W8=>85n5%*sI{_3f9ttqWOu^ z_r=xs@&F-aH>1rMJZTp+jt8^R0H3D?-`hG8%l_6?(m!V*@et1ps2i4I1gjR=a~!$n z0zT!V>d$A5k3a~{{yt2B6)DIx z4XAkaiv{C5GsdxkND0wRw&}0HU;`NvlblyzdlThiN;QxwR+{8pLag@=4@Y346!tg@ zj>7W+%>dw+)QePe!rYTv+f26%TYg7%M3~Mek$?H1MvIK{(z+Pnx0U-Tx#SN5|AEtR zp;Sy$WKCSa#%MG&J72GS2Ta<=v9>PJaNvG=XW1S|h;flLap5%cNG<=Ty*d!?8{u^s znHNGFg<5lwr2`2az=;jd3QyAU*puu^;U;#b4$i$=h5S2P`izm4?~q&@RuB+LjQ-n9&1PjuGeChHkyw z9nci@#EuM{w~snMx@})qF#*aV{10V$T@`Hy|7fuoqsx!H=3^anrfN(O^IpMjsz0Eq`|x6OO9Jffh>?QqRt>uKEeY<1b^}7s75bh6ry`D#*4x^f z<>Su`B!I@WTst4(y{3Lm2RtEyFL)qi^Eceb6T5joNd>&RBdfHbG_j*9k4)thdB*q# zZvkVxS}Gmt7f_-m_QAP@yF*JOZlVL7u~tA)Y>-^=1<3-)f5K2qOu8E{e~wz<`(K{6 zs{hk1P~pn|BW3Euf!Xs5(V^<8wE=PN;|>ft$lzq?Eb(84oa$y>?IVvgxI&y=c!q+^ z0?>Y}!gYfvS9`V58j49(aeYCI4y~9N08c>R3)Qen-CqGGjmsGi0%H8-Ii;T;?X&Tt z3~>fRyU7cRTalkqWw4G$0VMJ@-J?lhHo}1 z8zN0rkUm7y-Do+HxTj#;YsLoi$cwsB`eNHU=p z%zU2A&O`IZ`?&$Jy#&H@y;&F1Oae8NxIWr>RM%{lCf{d9{KFhK>&AZAt7lloH}|b| z{M_wzA-}QlKX`nJKkZ7{@*ET4!uTCwjrr36Ril<}2<`)k%IuUF(UZc%z(~~0VsW!> z@z8zC@H6oJzN2ug;3^sZs6_&j7Qj_t*9++)cra5J;6!A8kb!9yN+o%Vffk5~{Bc)m z>r#j;+i<(3tvv9-R0nz8{`w-`G9$n$&MQ*Cm+a&3JzgX0_a=4B>%kjt>qY?gb6FuG_1 z53#-4h_Gn~N@EBXsQG3p^l#2n*QabRGnQ4E7`~+kSTYI%j?b0rvFH53tY#t8LT0Og z=W7rVR6iEV3CvYG&QKQAmuC{36O?p1Xf6kwvzc%30uMu>F3!z&2E9Qss{-w>ec0BQ zU!5lWLn%F&n_W+Po{-5pyS7VT39KxmZUh9pYsH+w(%@Y=wxSf!^w%itJk#|?*w9cp{} z`35y%RAnLQ5UOHfWeDngeD4F5ywUC;qepY6cDtdaV^*kzL(Nn3$n`;&Obh(25Ko-{ zo?4hMr!Sy>KvD-V062Ja?#_{e6pLt|=@dcWK#)>VPD4$R@%eO}SJEyCnCyMsKM3_3 zLZu2}l0~6`eFJ1vfb<3_Py=S5N*7?p_7`gA~ux6c$iHO;w1Qf$dsTSjHdo^=JUUhkpuO2ElNGMn|@b zayJ7Z|AS2+Zc{kmo-c3TQ@7bT*1eyX`Af9wG$nE!{+cVQ|ClQ{MF^&JXS9QMq7m=z z95K`lg$oSO~g8VhDv3Zh#G;W)R$dySul9mPYB zHQwXMtr`@=yExT4$2ufEIO5cx1Ka1K@0r}Z8BeTA+!hijWGTdp)wLZP46=`_*uFq% z7{l)d`?|&gJAw5TTnh)--C)%L!Td#1Hsh_HqF1q*Te<1xI8mcqE(~lJ4Z7i>y(USH z;M@!&S`lx!mV|AT54>xQ4LbX%0Fgm@Pm6WZvWwRIFcgh$+t+Z| z{IJw|){0)2=6V>0ddgo71jBjj=C*cmo z%AtYAdKV~c^;;l$|E>Qm>|p{?M$1VHB+o_6Yp1`l(lrL=i256$<)C|8@wz)W09pW; zp$1W((Ye(e)F!Dygk+;?M!|-iW$O!)wtZ{TJ9Cg}`mXp`*J7ss##x>wezGNysz1vm+gcxlRl)a!~1hkxT&VoQqp=t!8yy`>h-Hyab-vrme|KV=3H} z6!aF>@kIDMuuF2FxjX&dogS~^L;$;lscCm*RkbrE$o7-0^~TNaGw6^uF~M%K5#tYf zrb^>#=B3`e2mqe_W1s!!P#}71=`^^#2JWxRYsx?4Xk1^@L40!aX5_fH`+bEsFm$Tx z6(X7&<8#*;`4JuxLhx!g=IrJprRUX9*vo18%v<%F^N#n0_1kK1j&_jwd$rtdfpAN9 z?1pD^sv1-3Y8&Bo64GSTT)*AkG)i*RHmXi>H!|6CaR&AvSa#K&S&wIrByIGxm${4e zV|>WwHvGP3>AUXkZYf{N*Hu?A>jUK0` zEbBJvs=?(RCuEcR;~0lfx9-o=v~wi&eC3z!*wb4uQ2PJpVFTqJ#KHd^*A)S=_rc*2 zY;)%Zd>z?`SJc^vsp#(X%nM(LoUSwuYcX4*T$}rW$;yiAUu5r8_rtmGZxMc@lP5?*NccA?Pde&Gv>gb%X&7>lV6b? z-=Ce1E+NxHn%-QV<%(NEcAph;MGN$Oy_1gnjeo%Km*H|k z(;ud*f2i9L$*TcQW)2V zW0$px#>`m_pqUA|n6$lICNnUIKP>IKXrh9YELbP@;>4ixc-fz0)-xdHx#sM8`ou@O z#OEEI>~ok&7*?x&dUcp^346EX4P#iK=7Y(Shzy(eyl#DaIB>jF%(n zd`L>aSD`1pI9kLO8wgPo81#qi_CNY~IwQHlLJa4YF>SX`>=!tc5m-MzB7{< z24Dmb^#{U%Yzi@6&MS-D^^v08@CFhPF9Eni%Nc!-xU}6E3-$ZS6+=6ajuJb4K_&=H zMS-CYw%~`(90z{%kZGsCJLP2mhJ(I!C+tF)1B68W4qGWQ3G9omFIISN4K_Pw(m1}X z5(6z-;J+`7ow~8#wddGJUJ_mNjtceC%*nNM#2SPmwWYbv@g8%sFf#*S$1Djnl%piq zvv;-eJCAGwME4VQuLvqOZF~1eock$%{pN8#NAvYuxJyQLDW6ZvW@kuKHLhO-^=fl( zRjH75JV)j&4aDlg`Q|bJ{9Fi|n*i`r85l2@ zjjKmg$V62yfHqD5OR;S4C3IJ_3QCAjng;KOFSs*_+%Ch0uQjt=l8{d>b-L1xV~g1^ zg1jGAN21WB3xR)~XJwt@37@|y z+T%Zm2fb=sJgN(c4)>DAdH_`d1LGd$Hb~G^+GW#`2eC76DpgmeRIaMzLOt#yp#&8Q zuN&MSn5a@O)T*hYr2{8{hSyf67}e*S$sw`AY)HyHsjzGv|#refYYI;{VZYU3PBI($US+-<0WU zYJXisL*uk^M0;?Ne<3T^z+3y*6jAb$ltsjUp+wB+^*OwhZRiIfXC%Fs9eef#Qy+Z} zm$HLq<+<~URhGmV_r-5fCJTjzx6EXB?|wD`vHmmuAP%egucP$DdfYW``g5MI@1lBV z@VbM~I#p68SEFFnWY7Rl0zpY7srt6NyvYI)CVl!s>em)m8mL;SH$pC&V4N)81`0pl z3m|Op|45D`^B3HHpwuN3hJiqOEOVevu^*4Jc&=KY(ogaHhLs@kz>xmo%Mi)|y~VD9 zDyLCRKcN+a}m-WR}}>+MN%zM&}wp_|5KZx$|eAR$cF*G0tCo>H_?RAzZpbzj_i2h$G+ zhVLI_|9bQl|47{a2!g=C|93&w;VMFz2oS$xQ{7$tIcq__72`{XqcE_oz=R`+8xFKM zGbNzMOlBg9$p=w_@F7tm5(pm_7{oo*%Zsx95X?~&;z>6k(`2Ab8mNdtt&U+dam)Z!yRveZjRJ;%PVw-G>WtZFGXX zRWa~9iY{`srD7w9BACw*MNyT=!WJ)BkhD$$^TZX=k3C4OEc{DhuyC%QMNW`P6KdmZ z&-~i8usM*SEUFs|f))X315%604I%`f2g2dj@Gc}qnjJLsUVELWfrBXB`Zsll4w0i! z*V;R7K*bz=C!v~LC}va09ZY3Qta&mUF}De8=;V2C@QYz!jl5lDk$V=y>2mD#ywv6E z9I4B8qRX1!xGaCTaamFV_v>gKcL53Pqn!+eq11CP--{4?c717qGN5JE32@_L5zG_o-lV1>V#+W zwQ{Qz-{&`Sr4~dr6o7FMF=)_i_27}n{+%g+J_WIS59!7Ueyt$>PKF}Aobq!~j+%Am zj9J$5zVC^Py?0L0xJ857ma)w3|rn(^|1s^%0f%#uV_%byb~ znHLxOH$Yi)_#R03AgBZ`iFmHRPI1SCP4=p}|NgCzu9n~ylZ=GQ+>@NjUh<;l)1b#o z3pGYy=PyMb_hXXzqbg;G%Qel?_u?4_%)evB3EpI*K#4hjD5MME5~I>K)(jILD1k|- z7hEb(A;&EoZ&SEVEC#0snisetw6lc2fp+`i=!jfizo&UU7s-uQ<eiLf^tvC9SN-KN(V1jEY$?#Mj8iZIud^KhgL=lm| za+VGtL=A8?F2m;y*46WqT?yeL$9`h(qu%w|1(jZ5Xh&~M-R7x9yjHC;u8_rUn;=jM zxu8-dSmf1B%blNobaG z%9{NjjEfLG);W8JpTcAK!o@mbOliPbZSRl6s+6#zdXRPf9y!`SGjy;^0Ky##zJ8R# zRBEYhPcq74F%2vJ4YOp&&>s^WTbYK`s{qMh`R|bFOhFXCUS30-Hd(m*y)G079ggfn zbs~i4T=(=NM>R6Yzk*+2Qpc$%(v>?s=OjGVsZUxvHVqgbY?>Mljm2h~E#j5Wxmtjk?RZLDKiFjZ z8_O1Zv5~v&Z09Lr$86YgxG0p>)yjNrO%y$E5lWfCz%J(?=7fE>?kp09>fJ%f8~mO6 z4#!1n)NgtUKfpVhz=Pr{oRFu87ayBN!5C~wgpG@t*kV)4;`XitH zrN@PXM2>Rt#+`haFs;XFZ?v62iHAMp?EMB$3XU%)ea?MF^c=7}Z;}6NAAjUh;{e%i zm6mX=1E-+&`^*^kAYpbK?YXZGgq3H<B(HG$D>W6R!bJ8DiLy4c_hyO z)v{SIt_w0QGp%c;J05T1{1tBhaP@SuD20oS?1DN8YM|M)C2|b&vNd0Uq1>9>-8X#h zGfan+$A`T?L+Y&$W{dKgCQyE7JO8~&lEMF(I-GwUv5;r4P%a-o0M|Gv%pafjL#CcC z_tC<^`kCV*^%mdJ4TO`{=hVMbD(r7=e;QgsgGe$B=)Ww4y7k|Z!5ZiK3L?$Bf>DGM z+JTSjQ7Q>IL`HsLf@*;i>Hcaa>W2+KU>1K=O)NA&g6RT~hInJNtE(k%v9c`PNe2Bu ziJjgezh2o=ec`d`_~2ICM}mC@M-gwPKe0GgwECPK)wJU|7Ge|)A>D%&8}=R~&5(O8 z8$qz#2y1w2H&Y-|r3HN38h5GSsHa+ZWuVPbl7vdr!GeH;!8*Z~;wx!5kcxgqr0hNM zjoeCOc~SXU+jI#{Kz7)t6hJ1g@WiMX)q>~6twWHa-~{IQe;I6kbp0hmKL+F<=bT_^ z)~G>>;o?_B_=8)o$g(L;=sMklI`7{GfLNgG`NiXxgZr?)gX0mR#6@Nv=M*PuO8Xj% z>4wrV8>gkPH{=*QlxS>o=Mxn_&A(4Rrc*_{n{${P>z1IXX*GRi?Ie)PdIS{q`OP*U^T?W@G?4|$$0`fE~2 z^R~Gl!1&w!4>uhCMI4M$$y-SH77mN;i&Fe)q~t}_e#R84?~-}8(`Z)H+(Dq(but#e zfW+|+PCEP_04Ut^g2=J3!AdG!tJQ&&JJfpb@8R$$>8NDkLusMyAwm38A^cOr-cOr_ zhc-n|I~k*jAeoPR%89f_p!4w`SNH#8?5%^ce7Ej#5JWlzX$cjiyE_yRP!JG7=@w}a zkd_c>kd_t+1q7tKL0Y7{q~oDGejDHOet-X*b3X6PGmbOH@Z9%x?O1!QwP`SlEJfU} z9|)XacFB-bmZYIQm_iHn;YnO!+iM@SpK!j2O*Xt3zN2P$K2R+o23c3Gw;o0lHF@?dxs-^Ws6WF6DFtES(kclqWhk{Lzh5q1A;^@F8ddG zQTWy4Xx7|rdZ9CxBQ7bNY2T(CrM%Jrku#KF<0_5h^?*zG7_k;1*Ijom21LaFT>ny2 zuNBi*J^|Uloyzi?es~FH$U@fJTS6NymK$V#AZA*5V4l%-Dk^F8@s*kaU2_xXKsMLT z3X7H_dxzh(xmf}7TbLDUXliNb-;^Kl5Itlel1};z(Rrr$E&bv3sv|1G|K$R>19=Vu zYG|Oyfj$CA+@Sa{Q20i@MDSvE)e%JM%^LVCbDiR{eHv)Qkti)ECrdGJpn3!p77I~_ zF#PGqCRqQ}D``0PE9VvozdhT>hotMPgujIPKV&kR?XzWzLec%|=K5*Xn)Z2l{@tBK zK7N3!D9+C{VgV1X8st5$NbF75&Idj_u8So&t5n!K!U!DzDkA%!DpaB$f(%BL?Y)@s z9#%cj^^;^BdIn?U%#Z&PoD%07PJ$S9%H{Ln@+YP z<7B z4+ewtg7op2{PZ)1K_5i=W~gS0V$F`1yxzcpMN6^B(qfVO-sdoqLM>hFh{wjM{TitP zgOZHH^Aoc&Fj1+S^j+&hiJm}$_OOHg8zt z$SL_7$M4c1&72pKUmi_+0#EJIqY@G3xr4WL!!QiHp4#n#a5?y3#n!!n!DH)KX_4G( z+U=B8r!G?I(o%f)PBd)dYwWw1OielWAWhbj0~JXN)=6jZ&O7x^*E=p=M=BN;O=Q9e zXT&*b3OZEKW+(HSGw7cA?A+Y)X}0x+NG_RGZj1B_T_dEM&29dSbbC^QIJ+OzeZ}Yo zZ*`7rpZ9c-**U#Zf6kmQ7$h$#5){7n2HprhPRkG%lr9T65``E8{&b=UyN3N=*=mce z)HpJ>?d)t#>ddiyRs)EXvR+4Ze940P&$Y@$P(=KiXqOn{l}WmlEco6qoXeHOZq;%o zN0np%?eMpu4s)#D?{QFIsJrBY@G`I>>!~AGO8eX&<(gspP&Dmo*Sjedc`ukGb4q8< zUtYIrrDQu6Gtamw^^U`VoEv0Pty+k_wfB>JxhD6G?hD;Bd=!U+E3na7H;h{KhkV?% zmhrO`@ejJ1GtQ7lY5eQ&4m~QCq!c)|8;w0)c#MV5y!jfQl#%3s%3 zceaUC%8lo7(y80DxJ8r1I-}%q#DBCpNN|=mqB1OxmRhdCUCuydTWC^VNR0RTJ;m$o z@F5a1FVyYr^x$o0YWxoJ?$r>kApQIh3$CJrFFo{&vkuqji_Y%71`h(E2q{1p_@d(z zBAl$}7)vJhpJ6`47Rsv_SHdk{9N-{44QtRpYrPgc3t8F!NRE>wiHe=eqUbC2~nX>obH)WRv zvYqJp<@Di02sHMwzx}?3?@j|cjG$H*xI&lWLenKlT=H(gAFd##F`^9!eh}WCc!GH1 zN^Ci@Cb9+px5*YgmK_iPweM<1Ersf+ty~Y`D$y!oHz7Vcp*0 zTT5)+k*V8pkY_7Gw>sf9l4F&-+d)h0FLFz>k}4#x9C&LpyD9avdkwRDv(qVcE%~0O zH@*~IKU>cCDEwXGfsHnEw0c5?SJHlvU|oBipB%A%lw(D$ttHAeaq!k-vCY(N|EEo) zom=hsyc6lpdT{U2&Pl{9{lbyk<@q709f`20_$%={DB(0>x9Qyry4qU^xeU(V#^^si znBrn#LKX^>qW5>H2u@|ku3DfRG{69JfD#pq6=%$7DS|u~%dadgIekbK4(ewwO!ovU zJ3o5_E=bv~Y%{67P*V@2iP7V#$O-*^cs3e~Y{n_{>uva?YwS8Pw~?3(u8&A^PC8VI zYQ_F@-Eq=)$UzGz%~o?U7sH)^)oy0Me%PA%Q|ZtiZ>pK{FzNsQo@!n3PKJF|L1e!10qi5b%1XkEpRFIl1DX@q2s!$6eaGwl4S4&^-F?NJi( zmYlL5jF=%9D;CJ&7dzDIm9=3FNR&1thtAoLOQ+p-H=cym?HtUu+(l9DIMSd=6_gpY1JAO(lK;% z^v;IMZLR#fl}c$3WsoFU8so@kIeyO8H_=u~Qmf^Sx#i=He!uGIP}8vv(^XQ7-a3la z=kUKMe!vB$Vs{`KiY)19VN=J(Y574iYePK4>Xsn}9~9<80j*ej{~M!pKTe97xZx6Y z#0PB1+`cb67Si?7Tbsqz&4kpd)5Bwf5WBW&srK~L*1BGwqgvN$GK#oEUg3P=F1mqu zIP%YIra?5Z(>Vpm7f2Fm8Vz`2ml#%7weQ4~!(%<>6A)Pglid}Z5 zpdej@)g9&kBOF2BUz{R1|Fr%8_vvx7VttUl^*oiw*Q3SA z^v;;p312C``=1`$v>!fYk6p5=t0iUYLh8EryPO<{xb-HE%)@TEuLv@4Ju+2u-*lR= z{0T~_jP4X1p^~?0jCD9i9yc)KsrEb0mb&1&IMp}czmlBKkrNwY(Uad+KKkUGe$eC~ z=34kOZmntQ02En~Aw^@;t^m1{LvPl6;8>>vMw{|ZND3I{sR(-NWx>nzrue5bv{EWiwVm@Ww`f}Vlm0$Q5 zHTJgW`TAu;*u^Tz(YmbelQ4?lds|JHyVl!Fp63c@$DYT+YTx#ihL9#Q=rbvpuc`{L z*BF}9&s(DUfB9);r;AR}K_u}*MJ?%_nzVOiIJ;I)t!pg9d;dTk@hkTkaJQebM*DtD z3*dRNPi`<9XXc1Iy!IgmQAK8dg@+cQ-=Ej%TA)6!?qAZ&`jLW4+wr+;@mT=sUAfi+ z)z!l3SCSszP^J-qo3W2G^@YP|9*lZ%(4if@AZd6fh*!mZW|sS{-C@4BUr!5an zccvdQl_%+7S8dcx++8ccBNV=+P@i2!TWF*?;Be=9#)Mb86BEy7+!VxI^?tHyHgUTZ z7Pwv4rtqaMIKIpHtVkuzOXK9yXZ=RJAh-aTjQnXYSUwM1 z1t!m*7<@3_w&iPL0obG__yN=DBm5viY|Qh-#+N_O5;)dN)52E{cPJ~#?9q>#upWPV zz!U0x?_l=0pWq_l6*}R_c%sDfHfKtIXAKoft~XSpt@ApXDh6_)Fj8yE$sZID98lyg zIrboVQiUax^rmv_^RRh+YLV6cIk~<2-(JWC`aLb(uHLDbK(G-|v@6SyFEQsnQDCvD zP$+ugH%-yJ5@B+3{^I9is(M`J>DFKErApyFw`7_DOu{Fj#mXJn0%8L*CsHTdbfpS~ zC9d<9I@TjqLAi>ID=F4cStFBq-J^f-4-e7C;_+++CtgT?pnjPst9bmQ%(N&9J>I0W zMD|?X!io?ouV_|ELxO$z>#=8NH&giy(|DGuEunw?y4{|^rLf`T&iSB%h7|YRP2tE5 z)CQ)^fisK6#~98&3emh1Xg*J{m?}Ir=K}Q0aH?7YGz92f675`fJ>GR>b3C$=6A|;s z>XmWqvi;EZj?usAkjdfGo8{~MME@7S{Yv{T)=Y0Qs9$MO5`nIXf$Y;QXEYNg} zW#wNyQSR7(U00jPUY}Y5_=yA~f0s5xw-A)R?nlJI&N{V35VIfVEsgE*zihE+=+( z3T4Zj=K-g%IEu}vjz3)lOQZiE6*A}Fx7!hT-p-hcT};>oyGd@1com zatU>;DJ^S9a1Q%V&OMlWhe3+f2GY8xU98imxmB4@ohWa%_CLpen_MCm)fI^uU*xsa zLlqjjf7psJ7^xyzGyC$WjurTTsHw`jA(^_fWj{WeL=U*)9++3g&g@;^6zW^n`Z z3|cYp?jgl#c766(kvnS=r=(HfAsxSj$2aL5ou=!t|6Zl}|Iss0KcNFKjh=)~hp z?rnaAYK}Dmw>3$RqnhYHz_ks+j#4|dqizhnYGA$hUP=FQPIgv1T1SwUIR z7z}TGA8d)6gm+Ms;lybXg+T)|p%LWI+Z0mbEVmYfE#ZAs{B-(2`sw6~KbIzsr96gv z%+!&f8&oQiwbPRKNZ-lpdySgOvL#6h>N-EDCy^4=^*U4Y&*__?>NdY6A5Ya}^>Qa5 zGlA3JSs*m0Z(htR){T1bV|l~#mj&)pH7Yvhb;!}5?|g_J`Es^2Xa*v<(wK@;1vuan z!G2U3^gh}S1m2`;QEOVJBFB;>kmgtHNJi1b>57dQRkWp+`OV~Z1ayCyDzD|w4QSTG zttB)>ZM{Ke1xB*qaxkjqGAk8r{uMPtD=d}2d|MQ-sv*86$CkJ?c-nqChVRz8iflv{ z`@TJE*cbkltq6&~ob&(~P9S{XTXoMC(5`i37=As!m2@*g&$rzpsM&FJ_z;bmE(F6{ zkB|%Lk>Uqz3269io{B)ves%o*ozZbcE@%qjkcT|LmMW4Kbw+8Xx#x=A_v<30|ScG3Za3@;~9Ke^* z=(oM2_2Um^a+|_;+pMp#=ViLZV0@DCxF0&jS&0WfWpY?zL->M#N*OK=hR<%?i}m|L zFa`o}mAS4oyj{xnn~zkc|EQj>1Jx_R!d=OK{3s3!BQBeRKU+t~wp{a|5UK zlPc-k^V?&xi`0_%bK%Hx22w^yfkC`JL30Eof1BrmzkT#8_XuP;{N^T>`bKO*^Y~ij zoZqhoARB_pmoCYyk{k#0W>n|Z(^hFw?5X1xG~nW^nRn-w(&QS3I=ko3bu4FT2#O3w zb`T3;^50+ko+?Xezz9l9P~b;=$DymEMxXntCx_Xak?+3deh^e40$*JI{PCeA^a)JK z&2ek_QFJ9AXxnIqXJ+vk-yYgX{^WuwtVVEW^rtRfuyqhod4qeOHmz%~%kaSOQhlt^ zN#%RP-ToQ7puim&cH6p_hO3N~>z065z9v!|eXXiYCynheA2yU0d*HUfzOwwOtk;mHD5ZnXjO` z=WnN%v2R#9xLav-u=Q;ZjnW(M$IcMvrSFo#ZF(Pfc0=x~EQzYBM%zF8G3A`k z_mqqeTQO7rMA!a9(7-fHRlTj_)Bi=#)h+2%;^7bRZ&b}>Z5xCUioNN=IHrzBq`WT1*pV2c^{U_o**Ah#5Psh1Zce(h6{18rQ zA1Ur7*f1H{F>g=@W#F@H7nsO!wBF#zlu>^0_Gc5y2$u*;*?dOuj=+{3$31~!m$^1d zhnMBGq@RChepEv(#LOZ0I)8$7d`o=yG_yY!nhQb=#ZKcvONZ}b{xb%fn zQi9m0|H&6i@tJzgHZEL;qM}hp{hD z7N~j~fcHDbR7qkt=06!$vbJhbGgav4?PLOGeXQu1v#k|^7JmD6+3&V6gcClBwa>an)zIma0?FD(P(I+VOZ-EDflo+3NPo5vuGL54h4#J92YWyB!*hu z5Uo3GHE>mxOn#0Zg5L=Y<|XMLheMH3Y|c$NwEGHU3}l$m6J9o69X?{u?9{GB(V)xF z{6hip0pr_CA0-Mxdi}GOwnz>HN>%%{U_V2^&<=ykVM5#T^~(8f$&^YX7+2$QXh!E7 zw$J?dF5M$sjV19aQu$4X$g@kMXkl`i%dR8KK#9#M`}8O)bX&QFDr`Z!Y2Qk#sOz~m z4HfrWldpzF;`5L$X+2Q^bOR;7mi1{(mtzapA|Z2gV_&?x8h=X+*{lf*OHBFcF6VID znvd$A-_#wdJLkAWSwarv`+3ohdC>}xN6d!4*&kvYOMjSRJQYOfOfFm_=L9{{ln1L1 zWa{4A5;a<_W+T%1gAz3=GBqk_!)ss-bY~q8-oZPSzfoH#V(go~6}NENrz8@*HZVA* zK0h<(X|8C(scE&#H)Y2vc;OhwYw+wu^aBn0%0HE1AF4<{is+mQRPSKMW8yuQm=AS9 zo(dN9J=2Gx8uaoL!GejS+EB3`9$>im2ozQDB}ZYiy!sKZ0u$~tKKpcG{5a##?;S=g z)K9EbF<87cxCf1q)VH^I@KxTO)Z(FU74&8}3g3nPs*? zCqh^Yi}8ZkTGAL3cH}|iO^+J)Ap0$ub=5&?Fa(<91xjY|YWrTLl&Ce^c2A9{JC42I z#|>=>p?DgQzYBp6;vnUaz1cH*c+&zKRst4F;VG-YBnf|PtjtOr%jRAQoOLeB_z-{eh?;o5e-Yh#9h5EhmVT# zPf@&?g`P0Fo&3h@#f#E15B-;!wdaqhzYo73UTA8MASaJrnQC4|E$a_@;BbynY}{Q} z6{kWiUtt;PuNezP!6k;b@nXCuR9#Ivr;m(Jx($E5g6Hvws*NkS;$p(XjUuE$`R6r@ zeF4e|O@^mt+cpaV&L43o$Lv6UB+N`8T2TuD0B}bzI)HK%3NS=%%vJ3qbF4obsQc&C z_)}r!5=%XJL~ti4{5XY)+tpK6VX@kX%X@L_6WwNoRna@(`h;}&x@1(B?6S`pjQG5G zCH0f~{UhtP_6Ri4Q2=yGUvoQM^7)U$c}ALjCu~W4U%|%^un7K3M})r{7w6U2ao!&1 z9>q29vQeSw5t*z&a)BYt;lrWB-qziuy`zUzO-0`swZ(+zp1ZLe!DW4)X zLc$cV6X~$TwRWSNE6d2bPxs0FdfEeStl|9dl|D;8{9bXYly&-_!j>dhj)L`p{64^>S1f5wcMk@UNb2Hd>H|J9rNjnE!#5|TOy)X zF11SPvH@EH)Yl*4??>N`W{a}8Sv}}A_$OQ>)OaKVd1ModE|z%%Z<>Fo3;mcrjAXMd zLox$4MKqWT`3yRsl`!)kQt{pMTRMM@@R*->vAhB-j9p-Eop*4M&^BmR(618%y)qd7 zV#dSL6T8_9!|ylp$HRti+-F$Wfu2SoC1=_S+?@?a5W^7U)0LrH)mb{2N*!IOPY#+o{5!FUuALDk@0bTUn*9H zV%U)Pg-(*#smvI6te&|@u=Z*>y7zU(uLOG-RJssfc6)mhKRshRVuS)GZCK-8m?4?t zE2OF5>nI!=b7_Hg9CUuBhNZN7Is3N`QXZFmc!<_&D|fWHrx0Evuv|W)WQy_wjtr$T45WqYGC8OHp;H)MXiKdc8Bn;d0)L>KxT*)6Nrp9G6qcFE0AVyz z5g4uM!&Y~|fRDES?lRWgegk8oBR{YN0MOd2AjE2ezYg{YrlF4o@ZUiw=8SD?De$)t zLdj}^H5VVi#v{Fl>DZl_cSFp-h(+oA65U%5?VnnVI6qE0QdM@uo_3&`iBd;4-RkQB zOJ1<|UpzP^$4z-3z}Jg}&86`@ipDX7meZF_%!_`aC83BZ)cv;a+(We>I-ZmeezUITnfacfg4F+V0fHeh*=Y1WXB(`+*p|a)@Fm~dhj`JjGqN?mh`_BIU&_zv07aN!_w8DL$v7a&Nl1%5hlhQ8lfshYi zEgDABQv1ZDhk zA>Sr!<`di-vbkwC=U3v*e?t1L zncF+J9)3-VQ~5E}9k}f9V89Ivp3QLl4VRGXS9T0{-a(zCWlHrw!W+OF0od!B;HUgB zbENF!eD5Or3)3`0DxE7myj^sRZ@GA;Ao=bx-lU*9=?_BI-vKQdisCZa2u?|S7O8(K z5Q~%nV01<$Ea<=Fc+^kP)ngGC#k0Fn@nv+-3<>@p`*Bsx$809$^0z4@*AtdXS*C8h zcV3*scl$MM$rT~Cc+&4_8u<#&TO#EvSnJc^d5>PNM8kJ{CHg9A`6Fvs^?FhT?!S-v zXsn=|pwg)=UBODptvSB(e|f7=lgp=zFXHec%Gc+Z`Ga6ro_*PpI1hW^{l2g= zqoUk{Ipv>w3elH_Nq=b*k~;!1`qXHtBixe?FERI+%k~Vn!-3~u+${kIT{ltZxDQ0!ArKsYOz>{gRHKrJ0f&0k}f8HakhIbnTK) z1MkQ%^~Vf^F1+L-t4$->QMM*dkHnsw(yL`o8$(?C3!N;VEK&gWe)kQj>eamb-vfCc z9zs3Sk^A`Mth>`fxy9GcWNhT3BmNE8w+$@H8dt7suC!Tc(%0lteFD_`JfQFp8Mlp= zYIYo>sE7rR5CyI({qh`2b-~hBk7^4u0$;a+n*H9)sWz0&D|OUQ3UZ?9ZO(CFhU6GT zNE~Ts<@qa1f;It4l&Gs?8H*f8!bq51eIEL|C4)LlGk53hulsK){f{bwMCjiy?UL0P zwv>}&ELNPU-S8RmcB!b|euE>#3Y`gr!R3;Kk72u9#pWd|2FN9i=pd{BPZ%SfcUnv+ z{`-_|{^oE10e$CTx&=n;(EWnG1uimtip`(x#g;DuY0cEnj| z5yJxY5z*he@n1M`!^7(MWyMBX8lw#WDhJJF*4=@L$v@9Y6q%u{PD z7;gnov}@nC9S>%7w(#L4pZQ2Fk-;&=EUnSC2+Y*du{8@_pvYzad4IpZA2b~^-5L`t zaeJRF9W$sSpUvr@xtHT;7mJ@C=8V72W3BjQ^6P3QG_D!&2%_2G4KhomD?0nt4iRoV zu&srp5Q;Y_AUZU&@LU#D1_hsbhddD>jt&X?ey7((kRM1tZErJ7=~`ocjE~v?gKKF0 z|AiX;doWHTy8T{`b!Y=0=MSm_#Mq5N0|Kg8Jg8~!-*?HLeAwRhT2pbQjc}wd@aRt* z?W0K3=6)H%wfO~2f?h339cL=fOzw7`C!svyDa)x*6wqZ#XK-Nt3{jpwzU)hNMUuO#0ahF^2}qjS=y+4ep%UW@BIGy3{VS-sC5wmx zeE;=rCE#%CXeL@R3ipY%U&mTgxw*3T=>PmUn$zic>#&z6?b1{t7!L1I=RD)gKqcI& z2$IgZzjrN4h~9gI&U*4zwL{6$Co*VU)QjxXO#$cyvWYZTOt{-`S54@REGTpiYe%w> zowx|Qrp@baIvo9q}%g;_Ta6?Z;?hi+>6i3 z>f5u&`{Y+LwGa`H$2ydm66!Jliaw2wjiK(m${cl300l;qm|K>*jwk$Nnv*Pouu@ z9a(@fP{~OC*~h#(n(tX%U(~V(Z1I~j<5WbF$A17-NijlW;bQ3sdbLSA+^nXegCgMK zNig;+2@0yr&$Mv<#yC*exLz&!XDJSgrO+B>%YKD%}5oF8$-Bd|BPU6SK% z%7)8My>|&Vili_pEfOs6seUbv6)ZHK{@Wkw&mIdl;0=VGp#6AIrU^V9*?XjtoC!^I z)3G9%nsWL`xDSZmDxUm8yVoI>A`8Ah?Rx(0(OO5NadDpC82sIYutp1sp~3nTUv}8L zdNXsCZdw-Tj4I!!$Ky7=A)Y*`a$Py+m7nk0X&h7`F!9meD|zC78o7EpO#LCj6VBVs zXIGO3J(RzV!oO0$za^nb=5`u=+-Ip8`7l<7QT{W^ZMFKqRshpuVpz^?g7Re5*@S&A z`ZY_XcJMG1wb*Ho5}5at`F+*YR{bdZP!~}GPeCeZ(zO^EW|t@Ki{}63Mtc+Z+Or2 zc{*Oa+ly$78g=PCEjT}b5xdp-NM`vtrqdtqBQOhH53P&?)@7@`f&hv9+i(8&`@lE5 z`5;5%5ud$_Z&PZ4b$Rh=K<4gQo9H_u#cg0+D#ZjGA9nF3exd}7)CKM;+)YqpSF>G? z^?IkW^OVUB|GD~kJe0hSx!hvYk)f3dCS5C}kA|SQh)=XackoNj&<{}5LoNz~XH=mq zVGz&RBez8fj|DNskoq(pT0t9^ z+~~7Pr-o{ezQsNN+N56VQ^zr`-=4ArsFHF0kU2>S{%htOiK>ds9lB1)AGs5q`N!&h z!d1;>JiJVJ^=$B-eF^d@x`u1TT}(a+);7S33m13m{lL7ivsHltS4Cy}o8GfY_=Hd_ank;4g#2%L zx2T0U^pUx`r^HHA>*UE;v2DmsTR{pqN-NlX;l z4A9kj8f2Rm{T#(6cu5td>r&DeG&#i(!g=Tt{gB|>*6*=>!)<9^q`*R%ToM*U?S z{EM#oAIfjb?XfmV0&T0E#r@Dz?nk1;od$B4nh_lgc%IwR808i|{<>d^Z%c|iOV;ET z*g{XaTufRQ|2{35!9aQ&+F$^Nz*Sc(zo@S$wLiPbT(1CwX2E%C`1iHKbZ~d)o)+Nok?m0_7XCqpOd^lgH`F z0~_^4Qz}@2vb^63iN?g}BO@qw0RaKk3yfa#+q}&Vje6fs|5CF82=5=4$NG=NQwlowoMhK3b+*oKvnVLP}L<0y)mq zlj=5n+y|vQEHJ1})oe=aF#Q3|V0H|#sqV%{7)Hs339|5knTWbM7Vwnvh={w943PQ~t z)!U#?Qf~v>qR-EAK2Kh5xpoPi$3~ZB%!WKF^>n(6KG*-3uJFHu_J2#1!B^po-|Iu9 z`o;|m^WhCzj`F;Tk}iDX`B^cS$2_;=uGZo#m&#M~ z9$l8;8`n5GGgn zwij6{O%#rxC|`~3+a#&tFGoK`p+0-~R-mZSXrD#8U@}WZv$=n6|1HK3z1Nw2la{>7 zKaH|3*^KN9G)-csUi!bmsmFj;1`xoSp@UA-o~z}>0G7tS$oC(n6ZewW$DdpRCLB1V z9)HCJUsOXYcY7~{lkMIUjFj;@PV2fD*n9ka|3xG#(%@UG#q+}`?D{I~D$DFYbBG0P zw5D@5uXvU}ocF#^=V+()kA++BnC%NR=Y(Qe25;VTsYF$!GT!p+yWlUJQ z#tVZe>`F_B9(%%_tk?j}fCLWxSc;-;h}y>HK6&^{!wvkjO7|;T!!3d4rYIu%@8ftUEP208 z{b{~5M$K(cBm*aV>uuQc&FMBtPtqjeniY8Q*h1q6^xK0bTRz=flVc%5Fp%PE-|Ojm z4>beC!mP>jZ0d<`B3)Xa+MsX*Iu3AeGz3c3Gw1&jTpq&QB2HevX!xaJUi@LI$Q{yW zF#}dpRoa}3F3e? zTP$GD00vA1qNR|5&jAT7R!9f7CN(+YCLCk`4@U`@Rt5^r(|3%whe=*iUK@ywqxqnO z{onEH0OO}E&P=`1>%Q8?$YYL)w5D>Hi-|(5O82pfLMADhLr8YkIzj zip#4*NkySo^cL2mriGK~l_dhu4$Fn_!XE5Dcuh;hrIu@&dSwEjYvvQ{G5h5Qqwq)td6O<5O* z;{P-bk?a1BU9U}Q_>DBIiROl7u(U%@;PLK+)upn>#;w+zp$hTs1k0^rsT94N56gXG znMkG>w4C*S!dw?j=xJah5W!;_G6g6l)4+c=Qt@tre0o%`^@b*lcAs`wBAnxWl|S1j z>Ab;v#cvK@V5awPXt-YBM+J)U$pA*?x_Q_+g>ucpOy0YTF znsBG2JqRepFVTtN-FJ(#Z4MG+7>Ihr34ub%%jg4(Um$|5;Q04r%sgcnOa zWBOI2iI|VNB{0{BCu8YQlv%J`)zNr6uSggvY{PZG8|9Qn9+^~gzPWVQtGQvQ5BbVZ zG=QX)GP!~(c4dkP7I{TCayS*f8(#sMj}N41P_99)t(|^btP3Kwh+B270m#|GzY$QI zcP*-(o~HZ*L67E(fq~J6or+C@=+4xUANG4Ud-0{0=GdxIXbV_}^BR@sc%vk!w7jyl zLVwcu)Hr9k^8+?)?ZhKti^9YzC;NNR@*WYG&OpIx<6bznM%ag{hI#ks;-Kh#X5>YP zP!!jBV=fIRu)eWhFe|!@YjJOXCG}d|llypTt<>K-!R3;RK)bR0t=*r8wu4!?z;{j!Z*R2U^no>kC;QzmZuujk4qcMJ+qq{Bpuhj}i%@yh^*s%G z=`qp8#r^+IM1kfjC;2ex{DFvjX@$9tg|~IT!2Nhf1GJga;MQjbFJ4_1E4S_mG~XSc z(N{XqbEHdC+7js8K^J?+a&vB8@4379Qp5fjhgqJmsBF3l>?QIxc}K8le*+4bS@Yrw z#`bD%>Vu(S+>AFxpJzMFA3()v1sw9YNUTEoG~JK z>O8hSj#T}(EJZA6;klOXzrZn4eFeUCW@_~C1YD~&fnW~~6p`DCEs@UqJI>a_KQKF| z{3HEt>vl7wRV%^Cw;;Y+Jmg(VbF#6hk{_g&+*9<44#j3Tqwo#J?29n(&X)9N@mCut za@7Gh-?UugqxkiTg@a<*)_t#UUQa>BPng}E%a5ofsR@c5XLpt{rk;T}!8 z?Wvo&`YqQW_%@o~l74w{%E)&a6xg2g=QkNd4xqx!6jv#;$37PuQe{H^R;|699;V=G zz1}(UDN4|aox$FXmt4XzSDW+@(y`2|#Ht!#h(OKfl69%;RB&{dtl7G*TA7dT9UiJQ zi}3vK^#TB00gw1nISbDN>YStfjr}yDo?earNpA+7KG=_mGcybr7Q^i=c@($D*SEHc zD=@-EeMo)Sd=alGbb1(v^F^K1rX5kbG}W!K9R0jwsn4394iU5@v-9?Z8JnN9hkD)`DSv3gwtls~b;fEm(l8HLzvnX)=;ZGrU^rM48gYkdZ@rL> zV+kk`Q`ZF&Cl1bo)SVNT-X<;yRExc--@wI)3__t@%O70`|B7{LLUDz_*WMuf5a}V= z!xARv=gAcxhAJ%g6!(`!F;J`4H{1-rvsWOS@e2O3+}!-6$qNl*PV`&1Hwk&q#-$Df zrxEoq38d|B+Smii0}y@;ep!l+4Zm5e7)Dr@dP;*o>B#qBwP=fEOFn> zndj#b2SE!p>*zv&o@JXYFg{*Rs@m8*_im}F*&vPA^S6b;NIcAD7Mz!FiYTrS@LZ7V zP>$&-q7(WK1?!Qr30?MCwpZ)f?guz}b7W<3B56Ot`_?iy)zjvUoUNL`N$%j}c;+7U zY|_^t$cOg#yH%0VFA=A+_mGz*B|^1Klm9kEbKy~4}wCNdOKgLb9VDQYZo^X^an0ov<#5BRLBZD z-3}3J!umfk>QeGl3g7)-PFS;QecVl#)oL4iGuGv=MV3Ilgp@BjRU6ZwFWMHjrl21B zm~6q8Xii@~Pkqe6o3UMT)4DIv)c^tLwv2bgE3|Ggy#^#Tm`9U6O`z26SbN!=+V8#o z;D%*t=~lAZ)F-dXajG{tq2qA>0UysF)LMB1!mc}eXP~f(CqZwrh@NgQ^SWj$^y_r$8n=W3UJA?CPhVKh8JY-RBD0HF5YPN ziHpQ=mD2b+J^I|d*FP0Z$(S&5mrXkzHLarm+kc8C7Z1LuKNN;TSYVn#P2ue)$KJi*QOq5}y5{^W7H3UcaEyqw`tUmf$G8 zIe1)%=1vQl$G%Kg7aLq|W*l8e$o-%NR^KJFYV~H!i&~2arjJ9YigYrRs9x%O)7*Ri zk6)Dh{g?3LgN~|~ceg$wV56CI7N7W7W(8~B8*UTBj}bJ$0w)@Bu z30O2vR==Rf=UB$N;;F};=(XN@D1T4rP4uk)UieE1nGUpdhqCJs!dJb59clzxA!SK z%)h3#chA1nx>5&~C@f^VmySX7a{ZH6(I!^m??nJ-PyhLSGG#`EKiU(ci6T-ME)|au zSUiCx-(l)Y%!sI=NEga0BrVv^*~D6s@b+hQw*LuOv?=YI#ahPslfI*R(_go3Vu7`m z-cwq(D+&%fGZTd`n<9Bpwm`(h+BE81Y&q&jzDgRlbixz$exda{EI%O+e!|^2oR-+z zWWGx?{6}1<2|>#)>fP7Bg4h%bKOskO^=>6bId=2;PDOV2Ano+G4Wg-M44aF%^gQn9 zhsPYhJ}SHsyrH^&i#X5hjQ)|_>jY&2ASYVnxw zCh8g`MU(UP&<7{P8z3oz979fqP@t>|v7bN22Zc9~tGk8c)vLa|V3~6ZBlCB9)Or)D zLXbf?x`1e<9uS3ekJ6RO-1t;1zOA_ss^0aS{hgPw0Pu=7NpG;pU5o-Ji)-rLZ6gGp zKV>7f@#SOrYss8~t-r2b^}{O8_>TVo$}nI%Pdb?W+O23LhtiedUbkLtu9Q!g? zU*7g;tiOqy#9zy>Y#X;i$r`!+%jHroY&<7=N$HJkQu??{RCPx>_Z^w-lOL!kQ#0xv z2kMyD8J@fWmeQd|vXUu{aNlQ$3X@BEopRzb-$?N^a;Y}D_u+pQPfEIVWgAGW=zjivGM4j$bL?CxzM!C4LsjOR!Jx94IL+;8vfl)q+eih$ zGgjiXq&{JXVPLI5m9ure`6R#lOBpB}EHjK|`3heqWk<`~mz@T6ihAN%xvE(SN1oAE zC>1x)mbUUw8+o1umt}M;L>w2^VxiA(tFOqUtBiKk3}&kV$wGg`QpuBVy%ZooUe@R1 z`l;RxEYe3TZ5OBVz$FDqDRqU%?xm-n_-Rne>`XUU@SL2WG3Alfxn7`^aw8n-Y-eI?{*MerHFU52iQ#8HkvXkn+W^`Ha4UzrS_; z^C7lG&?HXeV1-)Zf6*nO(xz5x=jG#-!HPeUCk3~-G~o&CQAdrvc<`0({0oJo+&dw9 zw^p^M+r4u1@r|ctfnR4yU^C$_P0%*tZ=u3hl+5D+z39vzInnL`ZC{yJ6Q2Zus0X(j zlr=yFA=tZaYho{%&NcT(E(A0&OO2U|r_&`)FDq4Y_|i1fm*#yz=f)O5+~0 zz1KgpOMOX+v~?gC(0jSF^ox8woA-q(iZb}&+!wzz#TNAVD$xF)b)D#QD1i)Nrb9wc zlv;3rDS54?^+#zuxbWGSqf1b)$a!?57P70ip9RRy!OR9EUs8x~9yee~4c{&q^etL8 zHL{W8RbVdOlv*N@Us6B60~o~}Sjz;-?tkDiz{g-iVpM1P^ecUy5pA?75n%CxD*H(< z*!{t*+ZGy#vKgT-gp5a`?^f!7C`@X99)B9RZ^fG-7G*Ty7<^3Mt98ly71V#NFut!Fg2vq$;Fy2|#f?d;?ao`*O@q5sFh{BiM?Q*Rj&7gN zuRW_nMtc5y_^4q?{9V(EPt!_Mow#R^?&SgAvg0W{ZuT_ZvCVyit9`cb3)A?E)16iF z3q7J2>9;+1n(7*y-2%#Fj zAGEI;*9}6hOZE6I1kb9oyN$QKziYn9??E#!mkex}k|wnVU$##rl$FIicdE5sfM!LC zv~uMShZ-_%lEaPP4#PM~QbIh)m{O8n_?RChgktwLzSs-{cbha%D_-3=lFN_PrKcQ;ZZB_h%--Q8W%Ai3%8l#YELJimL#{o{AecgA3R zV}Izz&HKL3T64`g*IJe{lLA_&0>d8tCzh#)cSc&}A27cg&)g?FOuDBGD}DI*#^d#@ z$F4w2gyu9?3e zDL%cw3+T|A_gTCf+!unAIUJtxI@@qgMXVpZ#fpr0XH$N9&ru8h#5M77xUUb5Wa{=_ zaZWA@*bM!*B)11djR!IIMG)@7%%$c@C>Hd@7zimXaE7Y4TYt`cHsk_3M5ij)JfS7A zRMwy6p~Bfd<&u`+V^hdR#5uoN~)m)Rnc zn(P*}Od4bv+Vy5@{&<@RWNtA3o1O@foq@ojw7DJ)43W)K508~Z^0cOO)(rP^(3lWi zR`)V*(Ue~uBJnglq{^kw`?r(p*>zm25`+X*wPG2ISgBK=uuOTR|XHgB@>NZYmmH z0M>pNw$~d3%UhACGuIMkOR}t-87e|s<|ntDzxJ6u`i=>$!g$)O>!+L*)PE4<)FEV> z*tAcl`u$tnhCqmW-E>iVJm+o!;oAE=3ojq8$wGBb;Gx)LV-|%G$^|(|hy%AzbBcLu z*xr#7j};4;?{rdsaec!Y%f`Wpgk zz{|_Y3vYiLFIY~m@o6r1!X?OG(14Z{Rq^Ibqo zTdMcr^UEQQ0HQ@Y)8L85}eE{NDuZeQ%5q2GERrc zDo^#qx*km-{BaaC5s(ayqqLM!x|uOCB_vi#uB?zZMOG#0Ua~x1LvFk zE&+*tS#agw)Hv}AfDMGXu`DIO(OmDqnF3#6JqY+7n5k;ZAJm_BO14*NTiW2|M|chu zI9E6N3LB?(A6+fmv}k=Ou9Na@jUqF<$@fc&hEA z12y4ixj#P)SupZs!c{9KpTj-3LLgyn=6kvGb0n~Y%O*PTSCz&n@51khM~>#>paZ*~ z$X7Xwf^W0jLt82%7yop=#VEbEm0<(weFu(i7z+hW3Dt<;M~ZU^8zN+%^NFiQ&}Yv} z1$UVsaU=GOqNnD%dRYs~BXm%t&C4g$-PT48S?UTS%2nRw;pL5Y^L`4EMzQb@J9$E0 zh{ip6V(_-M>^pYXpMRYUd%jl|Yu=*BpH(^NzwP#}$*Q}ucoh+{pc!iaZe}yL5hyZ4wHLne`Cyn+~izk1Mqc$>Ne%~V6vt!zdlUny(xL{n> zrY0G>ID=}YF3Y)0>pOThXU%mY=A-GfD{r+GKb6P6Ro%PH5T|rPikVM@KQaiMhAqAj zx_&xoFWcfze%shcPq{0NO7zjeNk$^S8H!nRdmT3?@O`c+HD_+vXmrqsxxFKPjq1Fa zFO^&LF)PYb$crDSxW1VIoNba1p(#@&&2OC~ffj)mkJ158VarCz5=yNf; zEDXBYfp7eYd)xaI_o&V*sxTKE z46p?!?OhQ~Dr4LJ`EpTBGw^j?qkCWVOHV`RB?S^B=#s^oCR?F;Frnr@*)~hquq7+c z<1oDr%G);RWt`p|f^MU)Y<3T&*LLFNSX{Fo>{<_ozj%KhdGx1`hUAP-x6u_YTE>sn zYnxQ3`EH-mz{Q1#RX)Pb)fE!29A4sm)^NFJy4b!c43oY*j`Rug^}%@FBhAAX8xC7+ z5o*=4@j}wOU71>PzOe;&xuc1EujYyr5A0q%klla%<|;`MZ92CdAE$UQz(iG*lw-CQdMt^8baX8LA6T+bM0o0q!7? zG{Uq_ix8HlmA4)?MPH<<5F5JS>Lj2Y?XO;d{b{!pJ_?d^AhqrVY9!uRrF(61#Of7v zhcl`WnBYFF@YwoIM|`%Ca)Une=xI*TvtU7Qmxh@*ZZ*b^)jzHE+Y$l^oo#JG_ZvAr zk#%+amq)?E;oOUt0?y8}ITLOuxhfWyttbnvb93aki9V-^I?b@V7G&MV*7=4=c5WAx zmg|Dl)?ne=kBx_3lpPO$>)`O7+S$cfpQCs+oLlJOXS%{}gd+|;H+y(^cv?qCalEg` zVWHsrKN1@PxEC%3gsw*y+re7}yen-rw_SXjnshv`$MsrE?suNEfq%p2EY8P;0p-HF zkicxD1qlqdZ`nLKFUkxFqy;MyWP0#itFr>;zIJ|1?8(?IoQ+&t+>5WAFdyc<{X96j zFH?##Tt&Z8-m5lzpGlpef(o#N%?cgnStnuP9eNN%NBI=EgQ-k{=Z06)!vh9-(v?Y@ zQG0$dB|hWEw%R&BrP9TIS|B>-liz*khG6`Xwq1*QubM<>Wf>JLBs9;4SH;|IzZEDW z`AR^LBB0p@ZlEV!xGa05GE;;})tA7{_aG;=DJZtpK+Q$K0=#!GbY7EGk*FXFcnf&f ze&Jk2CQNzrZfG-YsyIWt_w8LHN&|?^b3H@yq&Cf09+xgK;JVt?gHdd39JE?iqZaW- zVl}`YO?mHQW_|tmtzQK{?89$!%tjvGZS>X>pF58w9xUBR%9dl&mH=>T*tP~;k5`cJ z(V4;fmmE@Wa3dlkk5;2am9dq9L0nwgbczZAvx!q4^v{UeYqx+ zNMnY7|AEPS$c|W18DeTLW2L@ccxf~Uh$Srl7!cXD_*CRCn91Hhqd5D?R0tC0!~9(1x8wo2wow+=>G`9RRg$N<2s zI+vxo#{1U8bLuth2%W)AXICoScWt{TLlTPnHDGPE6tR=ZZ&@T6RpqD<<=nV1B_T>5 zKE1=oCKX5y4lYMkC0^JhRd5e4H+}A74jP*xAh$~>ixQdC16!+ggbA2f!6?BxaF_cw zu-uy;i?F*ALvX1(4Uu#kdHi%+f*#IoJJCHct8NlV$#|Z-TEd+VNAXfxm_Kp1rY6j@ z*zsDR-LlnX@lI=CaK7!-l=1Sw1%?j(N&T0_7*-+|C6ma?)C3G-YTxnIb-!H53bi#1^V0JVP9Yr30_ujMq5=gVa} zJS|S?YKJ_46(N^_yl2Dtk4WOYS7B3nyPcW1z1?s^5F=Rb>KrKz9Ky2j4#8*w`#h|Z zD*X$g_|zWp-ToS4nMQ5L4evUI0=1QBdPj4-EE-O(!O7^bnQ+;>5+{@FA3e9P&@QjH zRMYr95mpFP^tz@i!JRrfLkD{)4VO{Rq3r^7C>Mk`pC)P_5SwFZFn|ZQOT#{&!9`cs z{p!EUFyAQc)w0`akO?!bI^2w-&TZ*HH6ms zkO6-)2;Kut*6*SPhIiR3Efk>4@JbOvK}oq<zpx=TU%7#`|IsF9v$p9=~wPYtj)zE`+KvUr-@*GUhkmjE8o%ss`Oy8F0;c zd)!ukoiL=Z4@HI!lI&nEUl-c1n>sh{iZRPH3LI$g&~Kp-B5b235ByL`tX8We-<^Mp z`Xv{qdnPQRdJz1%dod>Esh5oo3n+8g4Q#iXkA>n^ha&& z{yC%VisG%6)kX)jrv!5SZudweqfqBH{>9y(pUqzrQoXcd=aT71kW54}=)PE;Ec;05 zhj?LcN6gPI&Xwz^OV>HhjU!_)`avjoUe&?e0RN8_kh;U?f=bk=;>@3WAIz)bMe7r9 zOTgb)VObSp?FNwpc(TP&5Q5k-ZlFY zA=?!eS);<+mV^h8Q*0ZfYu&TSM_{M(Tj5`cFbt4M)Fyvp`SW<_&<5!ktPSnGWqOOJ*%7>IpO8I%FpnGF-(9Um?jP4rU^I;t5cO zUobWi2xvxDP6&Zwc{xa1Hn8)<)lJx+H=ajR3!TaQFt|W5(3jZ5^MnebARloY$m;pz zA?|`B3UGWG)S5bRhz3U?^L-w`|LhBHn>r8SGFa%(3(p-T7@AGvvD@vh63<8AJybFI z3XCW&>{g^Bu20eHBp&-R)HR!S8__@h1bl3~!gonsDHhs7!KMnGk4xyOW2N8+tBXD!3pnrkb*o0GVT-2XyYOfC#Y0u_aPZpvDT>)m6?fX1 z1^ANF)pOAg-xewRewYXQeZsrkW?Cr)ITGiJhU$I?YSB`q5@GybFF?TsAG{)wz|Dnp z4vpf*=CLmy0l@zVQIITs8W~6g)+8d)`YS$lJnO>sj=z}Z^L79tn4!^mmX3xVrmnE( zPv4s}uKvnOe~_ZN+G|Iw-G2#$TF)w%(UNz}XH3Xa7y=nc6z82=&Td3n-*?2AbE}bA z7y9nRkiPK#a!FnEu>L-JyG?Uw<->(YYIe)nE3dV|aI1#L3y8pVPpmFWLhT}d5U(hN zwc9`d-igHp;r3Tx+ZcU}T)X8gnX6vGJ4vA!u-mu8S?R|xXMVUD4axpcOkxOmGxYv6 zaq$-J0hbIVFSeNq-w+Dj%+wsk4|~ELdMx%FEo1wTtlJZuX(CWwwvt{}>3QH~8$JOM z6h1iEtj5LmB5u@0W=lz$vTuaRCUs ziVUiy^RwN3$2eG6SnrA^k8NQ4rhmcjRU#}qaq+qE74O4ilIpq6uV#*r@S2Vq&!RQ8 z+TCeZ8|+*%QSU09Z8kI5 zk+4)2yS^kBA#7^fGT3&CK2)4Y5HkSpNr1Fe-t^^0L8Y|E98a+LG}!{(p|rtqpC z%tW$66-+tb%2Qmh!I-$KxzhxdBB3;Dt9)$g5sWNLsClzT=8ZK4NkY!+$DN$w@KOGu zRB$}t0nq+7yruuQP`79gukxh-iH++Eq~WQaD=t+cBDS6)miTp{fM#aI#`_eq45ajH zn>ja)&Ai{d#KX){7UJzpIl+?^pF2)Z1Np2LC}w0JxJ`5O_?<^-tCltmq4TOnW?l2~ zoqbC)csNfP#k%%ymCyzX5*2$LA2Tx=yet%F8BNn<`Xk7dDsN<`%XM-UaL-J?&S$0~ z1wxAWvowh;F|PQeOHaP(kIR=wkO^}F%Bx<}qvi{*M{qu+jOWfSvwv|9IE|&X^xHVT zXYM*?4RtL6nRhySl`de$w&$T7NUMGpT*vXlx2B**aY<7&YddAW-Cw+?eRzaoQg6uw zD1-r!5`Bu>0}7dKCA3RU0ry&8z55fKhX7DmqD77S;_vOgY48c@2zVd>GG>;R?5~d) zTTbjex5QJ$$`m^vLc4QKL&@+VCU7Y@3HQsgV+S~6mMLa6yv=;?57s4CXdd7>zK4_H;m!6MbLd;8=LDQ)#iLE)GvDn7@dSn2ADRW>qIu_6xr`#ePZP{OZp zhFb!4%IIL=O_3DAp!t(+S26%j&h?tKJG~Rdx#B-*=S#jw6(6ZVs%nRX|3a^Fu7e>^x*{YdI(wcKEOtF0>tWc<=JfoG zXq~bs__?FY)IzX2)`xUNxY0F#u4i3)7CL z>|Cl)&mJ*A`4+clUTU2v5a9}~zSfhbdUKLQ6_ObI&k3EfPR~p&8`Iv^P#BNQWSlOg zgjh;QmB?DOsVkCsXd}5D-ki!obZmklsxT=u^fYWV`H2{jR*){rM0Y_`$Q$kOA%7cz z=L2g6YO-by?d*wfvjO-j<2N4CqmJ>@ZJ3?+en4O(u{c--c;V(~+C^W^I5AR$G)1jG zX`gu9K4g9_HR-A!!J;*j&r!1tIc1fGe)3PxgUCvKQYWy-MYK{TQ4{-tTEnoe_d)+Mjr!;ZMph&D%M?^bgfia#(o>RZeX=R1EQU*`K1H#K9V`zW%O&@)mi@^j&L5lb$K0~6It!tZJzQ!%?G7&zCdNjr z^1I-(4AaG|f{C7vI#*22y8tq#$=Pbf%Y_F7=q-K99%&Sv2&{9v+Ntig11|8Yz9yB7 z(!jv%@+4-ymXtG9$6r0TG)C)1uL8Qgz2{jdQ=dL zCs&lc_&hH2GW8M`2xp_HV02c{7Z;J%MD<%6$J5=SH|U}IfDH2c#{*_fG4Z`r#06Z* zV_U@Sm%(O!hb+dw?gS`OWZPZ+I^4em({_pP5m;laBl`V3n@Y#V2(yT^Y~O2Yk78(6 z&HQZ41Xfu=n~Fy9@3r#5aC4{)M#)9BFpB?Mz$7*1goAJd!cM8k5?` zHs5G0O-Fp=>x`FuUNzKztlV0hF1poQ>xXbIkIUj){gI;dZ~e}&1uIT{jT+Gsjs4Gk z{ixRgfPN2nZPT4#hp;Sy8Y||#W;7Q16gU(?Y#N}$nEaB+ed1oH`9w4JxO+jbSl3V9 z$X~9|Z+t^6o9EhVd+FlxMsuP&%(00yF3d`#Ap9P^dPrafWpaVHg7p_6mT%>51>N*)Oz+MY{p-!)=e>T)@@eC9p{{O`#jfcrWB5;wzO?;fhb98b# zhypZCMJro7Vh9P_x^djhv*F4V*SZNugWnZn;41zs6I(5qyEYXo?J8wRlY1HZ99!){ zvMJ9JVfUbG{dGl#|5C?AelbfzeEChm__vojHSnX>c8-jlW5+yuggxO&{Ow76%!Q=q zeitZrT8fOAMuKV}QJrMKL+4!EOFO=^f?eQ{qFIiK#*WwYCa+4h$Uq=SuM>rvHfYcQ zyQBS8KYWtQ@PjT(6)6+f?w4NpGo(CUz17wn_C1e$lT%^6kG6bAUOCwRX`|BoFtq8S zwodjL72}r45!o9e^3S$7I%(gjPg>E| zfM^l@7PHvIQdze5=lhVLb|7>K;yU48x+4MU*FMzQOlwjD+<@qa=TQ;QTPGN~y_5MA z3N*xB84v1=rsP%vQ&p78iN()!ehqd+-l7hnL z0M=KoqHk7K?EukkLJM}_3OX0GV6BT`x$h4SjFL!#S_=rU;~P5*8?sFcVac6Oh!{PA zKLxF@B&90pTZr=X^6mq%oHGs(trB@8sOd+`ajV{Fx=Q&QxF-2;Iq=Vg1O}SVrrBV? z*(^y7B?A>W6zJ>h_wBff4tLFCGEGb=l6{T{A@fO=5xgi*afS zisW$)4vP;09yHzGS#2}-ReI7Va#Li5QT`;TfSdJ>?8uvMtKQja3Z97g##ILJsCJ>2=P@|A@Wbn%@aV^9dH zOVP8<-?o^s&CzBC8*o`UUo1Ph;a~=pEp7l>v9ye<-rbh)x2$CEv)MN_7Rs`&u0Ck} zVfMt17Ho-JKp_XSe6`=`9?Rf^1bbecSm86cP6Mwi{FLTQ?$dhVi%kddl023C`vyYf zI}xfobQM3RVz21ig3|=L^zrSbP@NyCGgmHtT+=tnwkgn|c&ZRJP~G6mA)>VcCVwfz zQwrs8(et+q7H9YR>$uRzwle#3N0W>a$^EOgp^sWE-m{I5@Uuw4OPWRk2?4S|=rWiB zEW(!};?b_5KfY4RSJp@`UGQ$dF4?vEfKH7rHZU;6&5-thd#kI#{LST5cGpSr?2r30zz~Y-ZUF@+x#r z1P+R9?Q_jfb8JBD1RFTj4_7%Hy&Fezzgh2b>PWFC;;b!3CFSN{xf4Hy;AN|AHXRHg zdK%+xtS>kV)f``aZn{g&`Te|+b;tK8-o*q>2}9AJsu|=`+wyj>I)?Y$-mOo(#{#2NM^4sGuc)}Fj0D8 zS*T&^9Kpfx3`kXA8N^mqLC%B?Z%CYq7w#XLQGMcFZpCn(kn4{N+Y&xbhfMUwFCUlW zDh_R0ub(A9kCTtY|5}CoI&@d8>6s^Nkbj8$qGYz+|6)orwQY;r@+!dVKQo5TCFEK7NMToWD?h zni*@)io0P#9MG!v+sb-X3lGN>e10H_MnhG0$R0gv>_OyroNe#(yz6+qt zohmjlm4|DjDusZfd$Crwj?tR?3Xtibf3&^aIoF3gC)rP~7SboF-g6dolo-i_GoU&&90Ijzao^7*IDbST@O}9n z59xLR0*+1YZ(cKmDy`xDmqU65cQZ3yEJTdLY6{u8e3#~4=MURM&_vMb{Qs(t|5lES zixagPF=+#Ep+5{A2p;L^uk$;=|JiS^SM;#Z5=4qWn~JQmYC7Iw-oaH92henyg^9_O zwX)@H4<6gjBzRz+fAt0NF;qq{dddA-{gaa^;?5wdTr^>&AK&iv)9&@>b4uVrUfYn2F~qVzr`xfJvU6578mvUY=(DGV&BpsAXk717tFN13+QG5Ukk)XmE^1AWd)POTbk66_STqv$1qOz& zMc2H~7ZCiZbpIu>{EtP$_MH$g3_J+Wf4`CbLkLhfh@y>+jvLFrNv2wknB&Z%UVpI` z=3#LTLnsJxGFE!=4Wq-ixisf_p(06_ZctbyH#F0{)e%zm?QK9qsZhTtXC`z8PkFY@@G)p{r?M zchjTHsdZKTOVq9pSdGDQlK}vvq=h2I@+A-E3M=obN4z69P?{;s6d2_xG>0|)HMzlT z1CN5Gug?sYXA+kU1av$n12snw-IyBO1a!CzC99D=`~$d|1%8gMEhR@QQsn5^0D@Dr z!8!Z%*ZvXJ(y_vyAL{hr_eKI_do6iNneozsGhUxM8Mx{^g)BeRxT)jJKxNiuIr|Af zakJNGb;@B6B(Q_0=Bzfk2lTCkzX5<{zx%u5^$wjck%8a^lExes_pLQ$7R_1q%L=g~ z;ZQgkulB1FEIH>!GjZm0_>uPWxo zgsiMnoCvlfhAqkhq;S*b$~Z^JV5{~!Rw976A!@sE2z+M@E74oMJ1ykimwVOjF-1G5 zEAG*kpLX!Pq5_o5f@G;9-Ib!eV}9v}Mh4UI+!*DIqjT`55tudhivO(Y*y?MGOS!-O zmHi$V+#;L2nzX^ME(-iW)&+1mgGg0lJc`rnuRex+{{{dUFr1Wrtj>t)qoRla1C+61 zJwf(B&%**V1gNdVxDbj}{jA2>?L0=n>rj~hbsqmTVbsxb66F0^IR;{W34iL4xLBaR zM1@G;U`s#7LcH-dV?)iiqzPg#BsltTO2c}Sq8B+obdh8!h+b9W|J)wsKv>=HLxTl`CkRo-6Xha##xd$)s^-4FFxIhDx(Z^=i{H|5@H;Acs^#uSOIcBs3roe z#^K^6#%qL+%WMnB03eE0cUvaZNt2fV?^&r5K`M!+Aq8oFXYhOmnDC+eC zM{TCsZ?Gh+2CU8k0nxTylZQ$f3RDTH?vPVti6BH+ew1xrIi~S25e5?Zi9&s z;D&>Q1&&KJdFHwqd!pn>%fwy7L@v#fur>oHF^2aFoHbG2wj$cyY-m52Fk!_z%Gl=B z$doSkd;4TAveJYXsq}U>A2AhDWvF7zmP+}+xOhOHQ^lD9rFhBV3X}~|Om^y-Ge1CF z0;U-tVf>G9@oylUs~e6-V4$ec79jJz6M<8Yg#Mx)W2cUZVovLmt0WTOWC8ajAdfBP zN2P2p$RSJXX}#FWK%HztFyk=68EZ%(8*g3M_^6&U3okUiU4-G)`-wJ-AeKKT-U|t7 zw(`Q&Z+(itpVXC^pxIZU|Ca3-xq)hv10o{Nl?=3AX*IXT7E@alFFceIy758s>^iPq$_s*Xw>Z(`|VuIV=ewC~00jyrY zqk=n1j2{1pYfzO*AdV)EVu7y&xG%~xb}SIg*`WXuvJ4hzFp4w0&vX)Hsw7d7kzfEa z`tL+#G@!sgia}g01vVCj_q61~c&os8T>X|G^aHKEXSPgqE_}jWEZ|^E2AUTTBVYWa~8oK;u19#OJ z2!lcQH{T(8AEu#f(4BA20`Z)@bCe@sj~wJ}UfT41eDmI_lp9Qt<1Uq*mT_PQY4P>n z8t@;|qJ8;vJS?v9zUvB%8|x1{Da$w3cIKvO8<`%q8cTfFYaFy-!=)iLL<)sk`Y-=OKxyQCi@^7KT*j~h&VmmJ~N zB}f4yPZK@pHI=5VSvc1qmt+Wf^R1D?JO|?kn z4gq-~TMmr*@i#d;2|QEj;FGP}8@V~%<}lAu`E+KF1Kic^TB2K37PjiiAZ&V7bPfC* zY_9XgG)ItaGzP{cg68$vKbuwn_>A|^AT~A?T>%~h9G>dBdxi#RYyHRI@eL9Stp{Uw zVe_>R_g*hujFMor_VX+0fgtIeO}DaHpCp}czVkZ`MHN;%gKY!>75ZJYd&6W;yo3Pr z3`_#)7kX;m519t-zsWQx`yaJhZ+NecWo6`eCKJX2rT}U4TkR-C-nzwN9Rq920w%ADND^7lJAM7KpA#DgjCWW z=3CREvuG9lmJWn?aK4{dcvOvzyy~|h`AOh=Ors+mGLw#hw%@o&%63}8mG(;+Z|!(` zXgPY{@|}eja~qE%&r-^^Zu24uV?Aqj?j;D=^z-j^n?9@f5{;M3!WL z&<3_VaB8zw(K^L&1U#7hr9Ofgp*i8kX3%M$gc$&X)ZoNBX2Q~%d9qs8hbM%o z_g3J5q+C%QSEdIETv7zW#U|iutA`rnqJgjhKqocGrNB5=Zm{c-1oRYc?8EA^!iVTu ztg@i9&RbkD_L<5!=M~&KkqNv#S+H2Fc>eDj^2t2p->E|@4nKbib3L=57Km2QPD^wA zzg_@$>+!%IJYT-5?XmBTWu*59u{UmJ;x({%T*PDhzf$ltRM?jtr%Q^!a4IYnF5c{UM-nr-;5>i_BJ2N2V(fsTtTELIP>LB0*4~ zAqWE#&8h5)34TyPg4K}sYIs2yd^m3SC-kZ462QpWUyte8{IOf{V2SeY#q%-1nBYF5CPb&j2|w>UO!L7QRjfUjxLmIEwYni)eY50B~*=4MB4407wJp7+{~KHyb;4_VN%@zS|+{XYy*Mv%4)M2$4fD`FA9Y8AqDvG~M_X_w3Y+I8c z(WmLMwC^8@FicY6J_71P#yfIYFk&e6zJn9>vNU#PmM+SJJ&%;z9(o!Z#!(PM74q?) zImzni>rZaNJHBj(J)7sEH17?(Cj800&uQ4U7X4i{0piRQB*omQ z73zE{zde7TWSRa^??ZKdqJjy~w*E*l7+IV4quB>FjSuC@A&SDT;KNQwwtgLS+b|c${_r1Oo`@ zucFP=41!C+8zc_x9D7vXHSV|61lDjJp1aWeu{Nm^~Ykgu!KA=lk%} z-fn8GFSLaNH25OX{C`mVGu=v*r=U)zgmO(Z0g_W^ zJC0>S5%@Tu&xQ&o?}05A<_@sI{W?mV#5FZQ1PQob8o2=iSa~15|2c?gT6;TN`U)MPtH{ItEU!B>^HQVMI@Kf^b;C?V%NR^-^Hcs8U9zw2K4ddl_`%jCCV<=P><$p!%2(2*zFbc$;l0e( z6?1jHnMx#cU=%S)_aibyjVY%Bn#3tkgx#|wn|x-99V)LHJVZOrf7DO>-~PN)@$RMk z1eVrjM+GZqrKslu*$7zqOzR;(6ml9eO1=#z58>xilb~Nz-U1JC)SK`r7RNP@$Ea^P zDz>VHE&O?gYhSevjhjy{IlHFS8Y6?IO*l|tj(rlws>K2&!7ReYk4e&i;XcVLTwW@R`7W@2LNj~{U(YUA*L8m z*%NU-6;O9ltFA4}E1f~?PPMbi7s0PuC-LgfJs@*|(WS(~6*`zGLG#|Ig}IW#c}C|! zOw=M{E9NcB*xu}Oct&ASZ9)gpaekn1&Y@)H;#st!b9DACwt`VtL6kjJjMb2d;NfEa zh$l60;KUji0HwT!qUwf6T@2D_cXzJ0{kkW!1f6AuF$PZ2e^I09uZy_ z0){{V0I1f+;?yn)%AZJxt3iE0KKK6OwO8bu9RyexNryFIW-5IEfab^!8%NC zp4|O@l02C+TeMt~K9fa>{J3-X(LbN)o=O#wcnNsT*fPB!f>QwYzUXL}{!Rq_7beYH zi{`&urx=Z_pt*pCG6rbPMqAzysG;*0=?iO18Rn1`TUan#($<8`vpUA=3~b@N!IIzhkD4Ab5xizJfX9OX@=ga!%UGdN)OND`Tg?yMen z4v7*FGilg7XrwFW|D0;h6_G!6m3^4H#IOzr?HbYUW(^9F;|Sw*Gv553nT$2HnkC<2 zKK}+JgS8I+UQJ-vy*5MOzR7;~#lFLpy9xe5P050JI2B9gtC(Fsr^~XBTvkh0O0R3G ztf^x}TUUbzSGJ&&hsQ>PwRXFk_QCelC@~9j4qC0GzKgV#t7K2vk*nxI4;5%81L(N> z-avG?Dw`!~Sl0AlQrN+txT{tey>^G}&BS-xltKOy=ZNRXGPkE+uA|4TntCD?7^xhH z7^vPxFGr4Ix-#eCqCCG-524aU`{&puXq?k>spkw@Q3C_B4V{j}pn!mdi=@Pjb~m2T zEz<4;4Oas{->P%(J)r$ej)&$GiLCDH1S9}q$(w~LKW|loN}er|X?nw275-Ygxfwe4 zAs>~hm~wlYQ)FA1|6DVi0q{z|mk!uuV1B07R23`H=>o-~fDglV%vD1XGAKBJj;19X z$q#suCH~~58k0F+;JsJ<;NP)>Z%wLrmB}BQacFfe45CgDn08vz5pa%J;_$m&NVHU9 zQyT7qIgWB_Vc^fnYwk90DZ6+G*~BD=)9c-lMDO8e&21&?O?f`GLKpD z{+3JsIXc?6lqwoWVCfn&Y&w)$%>rT^$n|N0L1Y%3`9Qqxefo7?woN`;4_Kc8!4@|^ zs9dEO?EBm{^QNCp2`J=VHP7EX7={z=mR}v4escbhEU6aW;=J2~b!={H7u~4AYy^&c zwr8=&{mB_adEe8qP(=UxqUKd6n+CM)s5;-8uCc~PVW;mcuizh|!nkEX$I6~6)S2P5 z-7TG2k7qb@l33@ivV(ic$sLfE)Qtorb+FE7`)FwXl36*gc7OXF4|A^Kf4#Z2Z2tIU z0={y5Oxe3Q`(rkXGOI~{``G~(!Th`VPdF$+IBi6p`r(k^pn|n* zi9l0!FQpgL*(1J@vr8^2hw;x*<4w)ZdV9(7+iR!4wfnohql%9cb%PTR*rt>Z=V)$W zuF0>C(}Ldk6?gqG^P#HV&2azpGAU|MjIA^}>QlxLd{>DR0UD$f&0t(5J6(8dZVT|} zQN_u>b<~z6#`6Vnu^+=8T$Efjuwu>uuwqfKwY{XM7jqxF%QX#%>jzafvv4}C*z@hJ zAIHAX^k=AfAV0SJ+aq;6pDg#VBztiswEMiNTE01Z6lFrr@_Ar-`>NJ6J>wvspdNIy zyFHI2zz()e5znGZy6Lcwxp5OHN2?$_C7Si^9@2S57vJZa!ledQa&~xYUE=s(A)Aox zbcjiZf+o1PQN@WU{$Ls3^6-DBEuP`sb)_-?`4iK#~lY;%T-i0NabcBzlfKfI@ zy;~;`I4L#jct(wO)^Pz31&-3n@>Z+W*X(VEmmyP$Lm5778twUZ2*~rZ(>)(5G=ro* zG@dzJ(rgysCRV)!-Ez_LPfgBmGd`@3SRnVgu6!_gkLEgYw=E{t(0>|hY%d%s$&GFF zBj8mZ_19F()YGAg_#kp>pR(+Yr<>d21xKF8G*dCFU$q`vjkZ5&eiS^>d$dWR3a4R# zTDQU20riepX@u-43VO+RV3KiTu;e2@4fz+%_MaL(QMugA<(5*W7b% z2M^EB$KFIwoX z%YF~03V_b~j+Mr}$@NyZ_s5+Bvq=%+Ok|Ro?-RDz11*2%%$fm*6&-JVvVq&@Nz2aN zu(9|KJO>Jp;(0YXA_`Q+FYO>|1z_MzTbAD8(3NqhWHiOHcJ%#{ZZUGLl3=TRbFU02Dv_3C2UvX9jZ^` zuCuC{Aht-E;W&*CnIhWX&VY#*Q0<>3sPGiZ1G@!KH9GrcfhptnFG(569a2FTI>{`j zmF-u&2doK4y)PRz&-0Z(y8$i7HHqTuK__D%*HdM9p;9a&rAfqwj2v2aBAq5)mfBC~ z0yYWa^#en^jQmy}^@KS2vw90=GnwTb4j zp9vOg7Kx{Gi59=4!Vh(^5l(HGERC=%p1x3zbtb5C&%AMoS-r7mj4ddgo}1t2AD(I3 z#Xb`}O#6?`50<0x!sB^sFE+{_hBmzT0}#2I?qeHeS#WPaUw2y6VA^2C_`xa7l^n8m zlRfQ?Y!6=V(-MSvY5#U2CbTtF7>{FMQp z@!=W35#Z(kg#!?#9{CIE#;*+mXQL0$2Y2VDuoheMXW;5M-F8zcMF&V8xDrN`K)uU% zeOE?4uZD^t->`BadyN#^A0?MTzq2I01+Z39%`A9@daIQ3j-5+Edz^C zYbVZM8(=bb;jt!at3G|u!-SiVEE0kExTVC!I}2ht|4$yb+FuS~Tc+x`1xMqlcX;K$OG7A@@_-V(DYq}{07PFe4qr7_rJ5q1~ul1`uy05?dr(P&TEk_23PM(83Lv-tP!uqcXAK*j-W^hn<$PPOw z0spAQqI6vKT^S96`|`W*7`&9mE!QXAsRGMq%~DYl283=_pJJ{9>{)TpXYIEZWoyASLZ^ZqCy zBX825oyjt)M&G!B(E~Gq&40FhEaYe*7toj*79nAbGNrp5412bSAFR2U^Yd($*q6G;dz1H1B&oA*;l8{yp$~zQ=mP1j!0z=iNVYxC{3#8uVQ;(e{y(vvT$0`)e+u0qW$ z7b$-1x2qK;zl33jN3T7P`r-&~-WI%C4&Bu4SRE!~8qUyWguFR!%h5A5b9A3SRAiQc zsA4~K#wiK@|DAE&e>>w4wZ8qj^@93qu#e+8*v{XYY&9CwV_hpC$yMY2;6qXr)#nszsS?3E_)K7NuhVawAvuLA3>QDo>6gq zbQh2F$3g;4|D@8{ga3}3HUy*X3fFe5_LSF3D$&1Z`D)N(KDKiPT5p3jryk20Z!Ur93ul&7_30Jrkcjm#BVoMGz_oIG-&Lhk*RybJ z2!zt-nDhR6Ve>~qG;OSGT-^2nY1bx<_sjEC5AwPs2!zM}mPzRLPr+Lxed*!HLN^yR zrL#${d)o+!8%hbGKZc2prpHl6Cb<1Cgs!o{$R37H3uMS)Fd9P*e~9ko)JioYhdC&x?9sk%JrfX3*;>M!3jA0!jA$_3xL zm5Z|f{EW!AaYVC0Y_Vd=hu2puR{BK0?U+Nz>D-g6O;|L%vrRo3_pzy+=Vw;NR+GNC z%~~>j0;uG)5$EH{!dLTks#FwHjGWYJZ1M=^$NOXj0kU88)T%&QFk-4yl+)0=c1Gzq`E?=5DyMO*W zoyc>!agzICGX$b-V9a zLb3za?nAHIknV05Jv^_|g0;ueatwK3(-#1)Rlp^rD}fmTOV76#a;qbS z?Eh@eHuJTif|7RUU!7`|=nY603!2$EQw8{+(ww$m(B4+vIZU0U2%2!~B0z}7tDISW zjNiXGUtCIDyV1U!U%csScRH54ibd}bU-U=iOx8Xl*JoGnbYF-&Ja9v-NXs_byGpae zRp)Fon>DHrXy_4HQn<3(Ib*6+YuH)6{fglwM>Zn~&DLg`b9cVGhlwJWS2{0wkCgE* zQ;>h+B-Nrfu`2D@ictORNK|6q2zVO7%v7?&oazjO7qWf(hOV_gikQuARrRX7y3$07S*7s(1OJd7&$Nd_%6v>PYS zAHbaQ>wVBAQe67tb_jV}shLC>xjz^f)m2Q7I?3smy+igX*A*iPB47>I<2p&E! z!zgQKoQj3$t8lmY|60w_yqDBx4o$X;$vlf45X#UPJqxB$))zqB|GI9}H@d<9g>fBr zgeIszypFg0b=@$0VwWAOBdt-s<#w2fj4HkJiu#TeH>FSp(sn%KLq?JLWi=X_z>Ee# zSIqNVEz(L*iwf#lJC(MofFCt^;DvK5-oSS_yj}De=a|=iIrY-f9rO#ZjhW-KQA!Ta z-L-li0pW0uC_Yq|pg^W9ADp<|*|@$ei9p3HZ{j`wW9pK!vgHFS+zuNTM9B4P{BN3y zjSjG>RWaP#6M8aLO<$jF{ssTLs6%&&^HmkGL(tg`oCWaq{$dB)w*6}%mBjxKissi=-vqoqB{B3HG@3+EdhC&oZOb`#= z_KbK%p@HFB0t<6zy)D6`o3{|VwNn<(zsBMj$C+em4{W73{=$y#12ZyIhs|6)o%_&k z>*?;tnd;;=8P7(^%Q(*1t!3Z5(i-wgw%oO6#1Zr{D0nVgIM%u4+GWE_zj_3JvwSUL zeK*jOp{7q`CoNR2EXoHx{_XeF_@&ck(D9FwB;(ZX$U13P4o|1&jJH(lc&UO|>DiXG z_$kx{Z{IC`vv<6f7fNkOkIH)W@QL`+8{c;A#fz014Kcw%j-;!(Eob8rrAcF`*44K* zZ|0k389oFInbj(SKwFi-WV*z!%VU05Cfqs*5s3SdRz|^nTU=NjGP!|;M!r~F+jpYB zRtMY=9qq}7Y7fTN@46MU@5-64F@>(@$y-iO`_|4RZ`K9ji>|Hl5&>c*inhPecC$hK z{?lc1izmzg{t^9T2npY3KWQKhQHn012b^Jg=+gdB<+$h8{0PCCC)ndW2S@0Yp{I+% z?xrg0)$JkUYSdtavlu*tADlOmv!mTz5-?h=Zk?_i&(TqN{hq+$ggA&?_J&n6V1>${ z%z8;C4VMrF4qab+FOHbIJYpCZt-Co|d{S7wg-o-P?XqW4-3Xq7>FkMGKRwA4p6UQ( z+IBU_?&>YeJxtiSoJ#!@CzCu)gsI{sHi|byK-y4R_*~6KuDP`{Z){1)I{6`~{Kd#~ z_Nt}mCQVq?tO?Ki0ZFC{^yryVl?T5cicAfWlzh^JISC1{BfM8~gmohb2{5zhzCX~? zRiHHr@|UkSnI6x)#Ue-k5tZF=F^;tvU&-3tFz zs2KHMT7bbF4kFB`H3`wC@cnZ>w1lBwkcc(;<|{?Ex|;*i@KHYQFkpTocP(xN|Co8$sU z@z-c;Ycus;3hx-)1lF6Q_n{NkW#`j56ZB8F2kQy+nIS3jxDJ&@FilSbHSK6d$0f-5 ze&hEnm8ikByEyrviZqT#he>{rXO-y7WBBjfFFjJGGGwbw8yj`o;xc!TU;@Hus!zU| zsDBI`wCtYRzjx`Qz%9-b)%cS9owLPYtaQPH=oO}`v0Q8iA={5>HQulc8tt|H7SAm7 zFiJ`PJg9iQ23D}{L5r`dX5-!a7l=RfEq+Jh^<`Sl|6{{S-0L?1|n*DT|7awCyifisZ8dxCwK zJyK;#PLx0Xs4suNF=O;)&3;n``jsBn6h&`E-lF3#eLjp!vHe%0M2`iUBV5IF4=6}+ zJ6_gyS=Rk{!01N7@eP&!no5vefyj>0$uCqNgA*D!Z~D61G<4edbE-Vq=~YF^)6Sd; zGw;v=N1}8WXLT__Yp7lT^$rOZSReu4@wY#-Mze0VZ4;%Vebc3mmK=-`q>kj6#0U( zWp)FBEZVW+O1J@uGJBTPecuEXeiE4e=H`q4%nvN0`j`2E@++0|RDs=>WNIwGZDZB& zk)?n1S&CcO&{E+ntws*NNs}znz9&$PqE?KfnMjTsaG1YwA`QjDt@X1-<|N*bbJArXce`()GjqIi(~Z*jqIj|XY8^#V0pgANj2VxPpB zz0wWa9qz%Z50^%An4PVKuvaXZ(WwGC%(DA z`<^qf4lCrR)zZ!P-g=4ujycofKpb^7ESh**bEC$oEWiGq@T=zHaOU{NZFYnH-?f_( zutJ;zh2H-Kit%3fg>hCzPLE z?xo=3p0Bnkwf;te;=t-HeY_%$?j2@Z}=G070_bj+-tKMlnD? z99og5E6qwW@2pckjxkhanQ8t(N2Ny-d$WhUYjJquyfr#3C!Q@=<1@@fnBdfBsYbUm z6fr%Ea%SZC;mK4K>P-b%%u`Nw6JK-8`TM~_?j=OyN377ab?%m-tU^loj7S@+9Xsj9 zr0~umS)(4of3=Uq;DGSaqbyj)6z9=5ba2(hAmo)axJQp)ORMQ#?q?Z%%hTmic8z;pG=;u;1wc+TMKC469+Rr@p4dH2 zbuvrBWm(mNGtnsV*l^7rs$dYW^27V83^J4i^NQ(kYL{;;1~^s|0k0ePzH-4lJAzpKRmF-^{Yf#|5sbXqXI86^N_ ztg1u`gbG1E)I4PT)ii^~>OJ&=zB4pe^E1JI!{kZNEIR1v&L4)9>PE!}w2EPSi&yBe zr)DQ;p?6r1;+2m_J{sl1?0ndY0Ty1Mx}a=2xEAIl^7)kP$IF@s5|zA5fej*Uob<2Q z_4BypD(~JaNnjUFXx_Gp;i6>-R33kxto8qutyvn{w;8CG-;I58M_&hfC-W{~@bnjE zbuE828Vq<=`d}i;HqzKPhpjv2f?pIrnmjD!8f(7)b9jIjJ+BsftH(B(PbKe1I={XD zHO`jlhSAbkdzG6*qqG~kee2QrM}shlTF-?BGH)W>Qn_9S}8Skm~&Tkk9ps9qYA z5(P@c_&2O`WMcT-~n9aJMZETT;0jH?V5P?jJx+ujpO!! znS=mtUA5*cAeU5e8%B&q_T}Eh=Kg)WAvCVVd62f+otl-}T}f{xa4*odH%-YZ5QM&Y zyVo)wd%*6m(1Whsq(?uQe7|Q6y#a9+oZ_b}6Z=A$+?3Idy7u5TTD}2u zY0P-(JY}yGbqh%WFI| z1UABRFk_~jNK>r%hg*P-#=@1{#XLFV`NjNW~!_W$CsDth8M!$7`{ z0_Nk6slFdOV)_i

Q2$1_FX}CXs>{T2>Z0mY4I3g(%H)5NI{oWN%i` zFT`eVGZJzmn|(Dj60W1;ZT@Guk(eA^)Kqm`=3ujZBVr4tHQAf8T78fvQMBB6Hr5c>g=@xUv6mi6Fa~ZhF>ch0?X~(L-uEXt#V)5y zRm&M0Dvl2F^yYSf02?Pd z9~@hdUkG`hV~3$J#w$hO;UbGop!ft~9Z}g#k&*~I5oiz1ZUl0p~ zRHiHPWUtaBT`vEl^TD#xj%ZKTqp%b07E%3i&lN~}=yGa1I2@1^oDOmgL< zL)ZK#FZI{>_NbI+m`)I-m$tWo0Z%6JW&9l;4{~yFn%MZ(R^w+>0sOjp@AUN>Z(&Q2-dwUi-^>kPew%+K4Bd+vKFFL z*tg^`16+K(k|RjB$f%&@KBBrOn90P0{R~1=H&C?<^3F4HUf)@sxU$#6Q{OCIJ+Sj` zRH+qEnMMH@-5pE>lev9t#TiHGe(Rus4+;mv`9xtqM+Ug;x4sbq(XsJgtwtCf{}GJ- znL^Ou$ufi}HrE48Izxam42{Xgu&vyRY@DdtEv28oWCLJpQaSCZq2#9I`m}H8o^u>S zFS{NE2lSi@GZLwoHX)Wu#wvqlFYy^#ca{-g>jT>Y0FE(V`j}H4^{wgM|Ar#}>oQZ8 zM*qiKak;gw89U_%4b{f3)`Y-;fVlsZlX=X&igL&5vV!@UU1OW2QcQmM2o2$}iS=|; z;?9Z?XB2Fd9nGPlaxNz8CzTH%WBOKq%qG%k7bp&`e2VUF$O`TqlwG-3%o0MEo-G*E zd!~%1%kNFK`8;xc+obedn32l>3m-Y^pK$PBgA{v5#+J9KJ&3IC=snPyUdc$!D)8tYwVO91XIGfW!9xh?i^1B@xwGQvh+Dw%gdD zQfSbQomyS`lYahK7Ix^Jp4$6igP_g1r+Cwf9we-MbLL&=wP5FpdgoZ_-7V;{E@9iL zyp9=UjPp;a(qGnj{xTG~g5ojQu(_XBA57JmSCzpd8k<|28hDLbkH+Opj`KP>Nl2t% zy$VNSY$d>rB2Eaz3nLcaw#0I!xF0Qolt(M6`J4@aE%b|)3NqElBP%lRs2Mo@!d!Wv z2~OwkvB8o*npPA9ngerhc|g>7k@Lyqbm5|5#~qwDy5Uf6N%~n0Fg8`-o7zyeXqYTi ztp>+LpLAXmV^kBXLnGkl1IkE$aHZ*6U$&&hxyXRNS%Hnkx!*2?|4(L`f?6m*_H+i< zGPv^Np>J*8xb@h$aKr_1vtuMm0$V<$6+0Wo{OK@jFEA`Ta(0gWa<P+m(9F1w=?>v?V)6PgH`AA$4(me4MI-i6 z@LwJ0{R@uVvG3Ur1m3@X$XB&(|$$*OKOcscE{2Tev35ii>FZHfhl|NczXJ2uhQR$`EFYc7#6P^I% zU=423Tqqu6MbM7%omlN;fG4l??udhf!fw&p zc=7%Rop$6g<)-IiYMjm+la8a!!qKm)^!cdXRbA8th-K^FJ9;Y0D(O>rMlX$@^lxp4 z|3)wTb!PajHI32 zZ}BEiyci&nmX30aR9kH%r?+fQxyZ)sgdryK;Y+WbTs?4QXtn58k7&Mzk4;Df!atR< z!*z!2iY$bU7j5R7dut{-@GzjF_5Hi~%{?q>{m;-uCm~Q|!hHUw6~%U~y|zGSeDQ0& zN7jrg=g;mld4x}Hn*OI%!QtPB&AO!4v4e~e{{J1Z{|3D9l2MESdjRN4csC*`))1?M z1z#EuuaMK%2%rGPZJ&KHDFOhddo@ZF?*niwRK4l-1$-|2;<^#4JJC~y!Tzt8e z#E{A(=YMv(ckE;{`g?3rJUXk4mYMV&h-zEOOEL%{zEr@)xYnJe7_E0Bfa5PvGjEB# znzF%}<>NC^x=138&*S>J$Lv+Z05;4?cCEdBR@^~gYjLm6bi^{$?a2P3J7wJ~c=rw? z`44^e-%YRoc0P=CAX%D+*3Z66u}I^~iDTP%L6g9et-x^k1^U-K>g%qp7&}1{)CF>K zO59UHqULG9nHesMkg$>bB91`5(bi<|HmTL*xJY{=4-OW1RRYrN?V_&^VPKCt%h!)t z_HS-=Ulu@A9Zld6@==G@k%+Ad+ED@xfLL1#WwjU<*UCRMG%H>_P{dev{;&|9>B~t< zr+#pEGn@Kw2hSyS&hoCEz;EY4MrqsNUW@eE9kR+l8(#%GMD&GNZ2u=@Oz=?j?@&`o zK8u;OrR7j0r8|A_vz+C_s5b?qoaQsL0%2R)uZqSzKTj{H!jZtfY37r|!_!syf?)tq zF_7eAfYNG_wrlrI^Y|jp^76;WjVId)mfu+c4e+MgdUoWvQ{60XSerqcXJus1$;8yP zY1cm6h^j)p?rp#lGg@Lwcp8{8%pa=2dOy`Q>|<8*z0;lhBZ^TEGUhvf&o)BKNkN`! z3_3Nykf#4{@WlUZcVJL4fUBsrVzFO^p-C^YGpmy2DdWmm#MSUvL7A>>c0;v`18waX z6<86+g~Q zsPzJm*oS~BX~MD0W?9uDi01d7A)bFTME|!EWyKUf@c!U7_IvCtvyF+0L_Dyi9InM) zARt^lyXe-#6VYi^KRz8XR^I9SAdHbOi9(wm6t6^^qC}UXMw1R+Z|K2aQdruuA8TAMz9l1{ou8@dx(Q#lzAR>K_yc6d&T0z2BqMA0xo_>yvkc~I}{2Ka| zj91Bj=&-X@bCM zbLkFhDOxU?Y|^Lr&i(7W{p&9MSi(Y?oMhOH=YIZ9QqV!7_%BKBovdx_*o5 z{`D&Ss+addpx12>@cLfFzg&r&fh!1gC#6exgfjN1ra={&@CbR+71JyCT-Xa?%=)>n zc#@3JbEE0u+8=C0bzOVz-6fJ|Y5CZ`co9)4x5NizfXrM%HXhyjV!X(#ad7g$ehcgi zu**mK?lju^4Qah*5~X&01}y3V*!FH*fmr5p~hu(&Bzmhh7pfT zQCWOaK3Ng5HU{)p|b&Eq$(wrNknZu z@G)T|dv@Ws4MOO{*%b}MJQjqd4-mYRV7B-2{5mrVRAV0?f+^iqY>}0yRIiMQ0b!#3 zXY~C)9x~C#VB=U&49-DQ+)M5fBA*C9@j(-(L@Lv-LU`q~Xz3HNlGjTww-@|~7zkP1 z_u4S<#EyQIZKN_qC~Q7I5GugmYyWaGab=&pX2i>gDNY+sHnQ@g2>1H-?8BsuyjP9b@omwYcYXWjicZl&Zt;>;}W3^#TFgn;xzN zj0?CXYQMW_!#ou~dBaTVqSNC=Wf(w)Cw|Spdv{{yc~DSK@EEfqoUbC37pCC_6*`yj zKO2>}-mD}gzzvln&}j*qZoj)Pc698|K%|r*BBlQyZQ`$-ZtW`|3!h=)hOY~= zPqU)U*Rr9Se}8#>F~TK7m#_?`$=^5h-sBM5?=WlFDq92x(b%mvkces6c(QD((l+H@ z`_)eN!SCWd*sy2-Ql#9QyQ_A++%apAKGCi^H*9`1lBP>AmCrB54{X0&+oMf*#KXfA z^`L+v;Jka>bEC5mXmb}(z}Hc}I!C$P4=+6EryuFGu7Tx-X9da8$$Okhg+hD}zoyV6 zJaSs?S6U6#@6H27N!-Fx;hUg2cTq%Jo7}gW|D^@+#t6%2K#JHI6SnB6UyOt8r?I$Z z?etxjK=Wl2$tcr;7I$Puw~C^?+eT1JsSNHTr6;e?VdtyG!P!fzEek>@;LUT!ttVS| zYjh88Jnp}+FlA`E$x5H)XaqG<(x3+IP4%edR=o$wI}g2jHGW~~MV#x4yl#m{0atJg zIZ%bm(e;)YOq%U2_&CkG)ysl4d~bVdYVL^`+9EX0nKA@}b+&`gg2goj?>We)o<{&r z&sW%7(bS~dcG~dky`CfZ!j-12SA87yb5U|)u|e^&0*TUAid^7WmbDzB>U*t$kr%qK zm0lemUsj-3xXwKkSP0mwKD6s;iSOR2zoD4auO<~6$!~W+_Boxy0Y9L)tcifD^;)38 zyiROouTnBAHC;8q^wo((}DpXp|COQ1PjB&ne%5n<%LY~Mrb56@W8Wy(zP z%ZjV1r&UpTvJ@FJzYxjmcx_J=g`pS&3QRfI=FxLIWNKW^V>*7XO(kbjpJTRGA^y$2 zT&E|Y*H!OT$tbfvM}c$#h^i(}GBvr1#+*JXQcw+lxygHSuOxXk7%lj+uZC`ah7Mu?b zr}9VD(yv5Qj=_+SKuZ!0Jy0njg@uNITJq5!g7SaNB4`jAvT~Ql7ZiW>QYs|{quPP_ z`>vbnM?$Pb*;QxA!ayj{`OGU^iU%^umd zJDQ!Q=r=}NuexP-E6C@2tRGBc&hXg@a4wdrW_bj}aO&q{RZXv|6VOfNxD4~5HjWB2 z7wiM~Kxrdx_!I%C7EC?`U_T?O<}TUD(bo=AFATRk&Dh@BC6jYF<5u-X%9EyMN2Rwc z{N;4$$rMX%tLQMv4JZw5UH!0e8+olO$n`6&?u!XF2-4Co<@z0Tsn~%4Lb>i5mL9Vw zFN^mY*iKMxhme-H+wZQgC_g+apbF4IzDCgZ+2H^Ws;#SG=H^BmCwYqqOnu?zifQe8 zj;#-3S?j5g&&R74s=z#mtMGiojwIo{#9i3AR(lExHoVa zxgP?Smgq@~c3Yb;6GZslq1Ul19^6gmqGij`W-Bt&DtF}f%>r9H7`Sa;8Lck_ws|nd zWJH^RZ+u+HBWoc=83cAa=AUy$u-iO^Nn$ha#BhERB0EhxDpPe$`svoxp3sx86JW}Z z&WlGBmoH!e8wVE&sa;yikl({>D z3_It?l);q|c!1e~ln1%quI7qDa@M(rd2vXiUsR$M`Q26#cajs5=!-m-Lk(V_^y*)a z|IQxN-(GrdYeqB1Yyxr9D{Vn#MurNkffkM^0LNn zF$RF`ja{;yjeQ31rm!4C4R}#wJkjMTR}lfuB~bi8K+0Y`hMeh*@@%Dgma}lHLL2aJ ziv$;fd2zV`^6&8N-(0!~jz=2>S*Pan9*C{u{_vPvb0P0B<$?P*V5u^k&uEe!fxgA$ zH5felgM-HuoBcYT$nj|C3-W*8iNJe=I_eX9{F?z8&^9$f5P zZB!6ai4TE4==ts?c0MWr+yr*qU=Gie(^`@sY`ED!+>sqgks%7j=j}kC0Q&qL(fS`E z`|mOnxX|=JQBgr;V}0BetKA2$Euim@Ww+F5C}M#HNtNodB-au?n9Yxqh*K2_Zfhd| zKX1-^>jvL>IuD{s$7OC(FFIg4?3M-j@o9@FFk1^$uC)R=DpZ z@6sLAXcE;NM1;t2Ew>Y%17nPnw-hepyq-{8$Muuzl`aHVH|(x0=jX}})hMzzW{-z}wns*yzJmU+ zyr!IT2jNr27!9v9f0sKIJP8452K<%ZwN{#@1=L0I7I zkt{{=RSq%XQO#VorL!}MBXoVfCTNya=~mZ<{g=$Zk0&q`4W5b-+>lWOWdHOCj&$ zdv7C=OB9YooWMa^s+j@hmUvhf2LV%Bh)}hosVnOB`<>!U0K$Ha<&(rs0CpcaM=ih9 zr*)~*Y3kdrkE?KYb6O%Wenii$Q8UFxR5K%T^|K4(ceMaTfF?dXzpVa|(qITccA9IG zSaEr|2YRG7R7R5>>HXIXpK<_cLS+!Zm4C*KEmns8(jbQ){4g-dUut7y^5d*l!E)G1} z`R`)-hLu%s_~7?-0>>nw`oM#shvHHf}WFhUVNR9eUe@_x#_e>fZAhdxYG6vy%-> zxia8Rbd6~dSfN*?){x|FXbX*UbHRg$Wlg{T0L4)o99TXyB>G&qyzO#08S&}8$Ys^8 z!Yo1*m`C5tzym1*chM3BzByb`AdUH<@;h0n{pg@k|Iy((!^*ozWSTMky7BC?7l_=1 z$GPQJA6SGxtf&K4Hhg4l&Nc0U&sJP<*|L|D)H9!564pBo)`EG!`RK|76_#D4;E zpDCn@sgd&I!0*6^$#au+0W27BHQNVY?-lB7X+{p^cA3UIBdX%!;`K7|rprM*s!|e6 zZ37P2AXgl)!)18r+o`{!s9(H=ylTIhTr&(la=`+vB_O2;Z3*1m6xMg@rMg~a@>ufT z92vpr=%PS4A58?`fhK!oW#NkIH3*tnl>V=0U->}l=T9N87JR6|&cb&UIZvq}&y;*L z^H!9wrvQQhW=7LxeqFxv^Q~ZEpQ}bYG`jv!q%Gm?qIiY}zXkd~I!$JtPsC`8u5H+M z0-|MYmzHx*S4f_}zos0(f=#`Ovu}?%LxN07NH8~cshA~CZhk;=S_iS#b|?Jf=1ekZ@$U8|01&0{Wg0XxR1`@HTBHnAC{<)l>WboOYXp5$ zbe*99&9oUGawWnlxXVA`2a4X*Ki~uuVqU5UtC=DgbqT%n4m07QNPnwnG{T)HefLGU z&hyuzE*Q5lfJMWIv8-YGh$;E@+C3}Sh4SXHOBw@!XUe_2?t3JIfwxO|Be3Q@wUutX zwhrI~tu7D>H0~r~boDsNFZ(3Lf)f|(SBlGHVZbLEOP7`42aZViK<+LlC(kF_+rDTS z-3RyDd=Wppt~5o>ogx*Enl$tw1tGG${d56n)AN@j?c9KCwW!Ivx3 zkxsqc?l%f}!JW};WmCbnWz$%NvvJlMQv56(_hF9RIPGuv+bil$xEqC^EZ`2x_dBn$>AxJAVvMO`e)Yu8HAZ%5 zJ;A#^@AFtrFK;i#54<{U4FcP5MYcg*1pal_9-Mu>s^;o`T1pfM7{RqJLU_5bDPxq~ z7KFg~ReIt<6=!*p0AbMW9y9e)_Q+gg(PM#JI6{En1}MN}g`T$h zu4@8aNB=s>WUGWpgX2|0f&{RER+@;YPy~*+ab>E)q-8tH0BfK1GC=>eac=C~?=tYX ztz(~pJGRzS&6e9spNIo7%%G=Po0Ah0akH)dgz0zee zhEfcKuV;6p*-3~}h@1h@xcVJql~*YwnAQ;**AgGRxEDUTCEKJeP{VLnRV3t`b`N~3 z+^5JOtTx(xoa3vACygKakf6*+d#^Vy{xN;_2yLb^xCoOjh1keQlm_4#6F!{*$-))& zo<{tSU)BM%S#oIxz%v*NCFg~0{RB1l>XE6xB?2fqq#=hJhnPdgM3gOj!fV03vV!XrpN z6hC;6m>F~tb`h|%vr88}r{zNL-J){3Dtb-`4*xq$V%|;u8eOF1lppSw{DiN7(}{6 z7+`?lniAB~vRyYIAM$Pv6ZGAa*qq4Efyln68kSZ$s~K}p#2&TT&* z&pt(D?AZ#^N9B>wWFJbCmq_7IX|iJtv-6t%F8g@;jYV&G+#AVk#oTz(uUL;B5cXS) z_gnOg5c3wf5aWmFdo?=a_Sz=7%-*YKq25T%s|yf5W&p*{R4P;X}lx}1A{Y~XwmKYag{A{ zdmniE&8DBiZh4@;(0Uf>wXT~VAwAI0+VBe201tw3(UNz~cY;9AiEOWYAYwB%(}Hkp ziP51N6g*+wm8YtH=1nh4gzh;{+2)bUFuS?jmZbN)KmGL{vh+4XaBo$XRf-UqxLA#v z`t`%D>*rh`nOmC$YSsvs*>=m9AyVhdqI+;F;rS;k!6QM2MHt#$`dcT%HQn2Yr*1$W zOT#K0ATZW-O-J%;@(lJF4XF0gzBV@fOaom>KUG_RzHM|1ffVxxnEz^RW9`ElN+D5? zWtc*QTI%0-m)x@^O)vhtE-wvnbf+S}(4|73q+WAI&0TBfs~7F5{mXb=^?ZG|^OxM| z4Zh?*`y7>N4Q1J9(>)|+I6=1oXx`axN_b=69`2a0AI%rH3F>?QsKu|KgD4)aze23x zWK9F&smf;=To59CGQWAsl%?V%P<^v=8~(ht3zcIhocrlc`it021t|2uwJL$WuLvYk zs(-n4`BVG$>YxJOvFYjh=K*B3DoJ4-$}Xsh=`0YH^}x-qK(_Vky|>-xcdT%2iP4v_ z8QWe3`bp|4C_K ztOV?71jqQq_D{1@-b6IHskSSF39dOT+I;DaW$uYZ&Y}668>gNuKg&cMnYt-zrj*z5 zk2_6j&2);S1u|LNIp4|)Br1p`NwKn+KAcTpD>K4(HVw#pHExR6X-9FPPof!> zzwAewLU6TU{uaNg=&(+%=PX1ObNV@AqbuR2Ibqs!=f}e@D?LnNkY2h+75v`LCj`sl zD}-L^jUruMc-_S2=!E-)fRwA?^>fAG;62bvgByhcD!+gMdQ2RM!HEqTvw)8URl6>W zMPI3foCyGI%?DRTrn}5aRQz_mYqAy-Ei3U;D3NqQ*8wzkaQgj8JxTb)%%Qy}G}b;v zWs#F~g}sA79HiCTGJoA@^`G@&KjEh98+80m#y80IQT@>$SwRZx_%EU3TYeb~1e;9a z{6yzyRTda#92;oTjY2dkqm60MIR{LXa>FK9~_757DLo$m&ngP}v_VL-GFl$z>=idubAk8dP}%iOw3 z6Ba;CT`6GsFjvpu-b0atP9zWG^`1#hpbAWO2u4A$K8akiEb|5m#)0Ou>t*Wgj(< z0Jkw(2#X8wu*rJ6Y~^ezEbuHj;3V@<^p{GtCHL~}m*62tRpj^+Fu`p$;v zPh#A%Nd7n^J`b251cjg*sNZ)I7nXvitScRD)41R0R$WcoY?D$i5J&54%vSviQPVX{$crwPnL@c4Zi^HJw%l;*p)R@Um$or zI{*iKAHhXmJolX@szDVBb3SqgFI?Z4Rul_9ENxxwFV{6tF!v%YM4RF{i_wg0X69`( zVTxePH+{A-WdyQAFF;s8iYvXdOMu2{e<_nR5J}fb(x0jP#v_9#5yHSp4LGWBoR-{7 zV#8X{RQB>h0Fg>iqq1}`%;=H(rKk)(spvoX*1uG2Uc6?p-5XEnGw}E0;{GH$iwjqz zuNqG#;ka6!nM_8yKliDSAkw~8`y~><@Rn8t83;}l$y-n_*RGWcjy4;)1o7u?zY0SGvxxz z;$jpbDChP9$D8iRNOE-zlA}kAZ$Xmdi<{txJZaz|`l{t1<$U?59KMrrcz2PiA~+Hh zp@X}hUgmHT?$Z*BYN7u4AV^2J|9S;iySmX^}ny)#UEKp zRtWuDd7ch|P585zB+tLz^OeoZn5-y2Y#?i~(6x zSEk1;YMLsDcc?{VX!*lW&y00xzL{hU*brcMzlEs6o0d58s{J7DD)!6Cm;y$oc$-jyuVW^7g{aBv+olM}jtEADQ;aUYc z9g})(TPis$#iDv@C#R0L5dKYUcpfZ5RqByAqDF2c;UZ+;}m|%V&P{Q=wvac*$ zkj0aX$zSwX84sZP@^?xcG`RNV_itf@^XWpPB?mC?2Tr(te@j8_yN?3M0tGUhkB?Dc z-FSQ5lSTpI4(-CRb#-d@FhiX&o&stTPD#QUEcGdznB1rRVB-0NwPA5LYe*^`q~c|1t+DSNZua+Ny*7(5!1o>fr_iUE9`VfF_r%%V^;24mx=$<0*If; zYnZY!K7JpGboIpaVEKi1s|}IJ%DH@OJD= zH@3GO$B-(B4i3J;zoq4{{u|Wh`}cQBKUHbd{+P(GZmwUBBK5!V&*o~s=Axja92@&3 zm1rQP?*Dr53$Jad)Pdp`2KCF=XS!R}^LY6X{?%1FA#UeKE~XROtOWN7R!$$DoFHmE zreFLdj*p;i(6=P{wMQn4y86qJvn|c)7Sk{M9PuS))DUbcOeqC|T!<@m0S4#K6$xdc zSIWhTFS{PUJmHqbL!qG!Q5CBic>mPGAy_~Gy6f_*#9_aG77s5Q6*e{wflB%#Br*>5 z+})nB>E17O#_J#*G0JZ&!l*?e`GSJWvqV)ZE(GgZ z?Xe$I5yWgiP2g|2{6U(TnQ3kB){n?7E{G7tU}8jalZ-G3hMZBHLN=^!wiH zmZr0;!0CAYgtrs@XQX(HY?U}y9coZPi(L;W;KhfdnppR>jL~Iwzb52mW`;01+SqP6 zoqm^`YPjJR*b@mOZRw`q6Q~%ZNY+xzsxT+ zHykk@Uxtw?Y=Gp4V6E9*XSJzAo2-@k_!O>-0i_Ma%u{v4*Ff^pm@4KafF0(`gfKNd z{TgZB+2L?im{}mHfjIE)EWm}w@6uE?yN!&`l3iNf>w%3AM#pfh`-hJoWJ_-eDTYi} ze^FFg4Ele1UJYMWcAY8;VG;4BrY6`5QQ+6abz`s*qt+y53oU!x76W2-Gc}~Wy_TOQ zj7;G_g+(AgzZK{Hj{U~Ab>HT*0QkEBC+Fcs_OwWS`|%H-)y)`sk!&*B{N5D?bzL2_ zY0*Ai^{|u?L;~vc)l;|KU&m2?lyMs49qW^>p==1+&zNYsk(?#utb#q>1j6hPEQ?(- zA)N|Jic-=bjf8@9r-XoXqaY#OAYCFz3P^Vf z!q6by-8Bq(uJL)l@7?F@^X+&4^&ro1#fslr>$lc@&zTI0N)~jG<_P+&h+Vd_X>euX z%rsmE`c|?Vo5Y{^S&5yUfa^BazR0z?+Mc6B zTFZnYvkL3bCWc08On-;*BCuIPKcQ=@P9_`u!!2RvtoWQRAx1jD$*g$wttabt)1uzu+~99XLx)(bZ`*wsA7ME z8Gy#n@bF0m9=y5~=x3MALnLu{J^F!>rX>sT67c^%tbbh>JvgwkNwBdh=g<0Dk9T&) zS5;jtIQeHd$W`{~v`(ksohMg8(^&wdYT}1PcsSk1peb%H%vMQL+SujSm%@g|oNcL_ zS^|`4@d+eM0`x@23_6=Ul`)BFk((j+%`DCE>(r(VG$X>tl#;Qq2q@0ct6g?WBtwWo z`9kh|MnuSsq^mdb6NP?fPO*8=v-;q*X1M3@^D>wcVzpv^SuE$jfDJ1a^Z?7QaJ({p z#>dC7?nA_B*uo|T+lge7lkZ1|%=%m)i~43m{5cw;vOD$gAnr?4;j$`*9m$4)5i|I? zUw`_xp8cP3DpVS`m)%D44S$OH%OOgt!)N2@`h_$l1GrW;Z(rytGC6B|3Vfj&o)`)I znJ81Rk=NoS_ONM!_oYvUz1==M<)xL~JIOaPoV$`fWs`y}Kfh&RBz{(y+S!RtND1SU zjeD&h`A~>Df)9Q+@mXP&3R}(abwDCI)#HAJZ0O(`fv?%@llUb#Gt!i8S@7LXxhS;9 zYUT1YuaG;bH9A)|`w1Os{< zC0ZVdhki_>lRUq9mAK17 zL89#gaXSS7;9Qs*eUpbV5y6|FWH^%iZ4UQPlCKrBHJER~1|TtFrI>=uSrT zlFW1_t~tuW0W*?S39FQxQT(XWFU&_FUP%HbSKgogg!h)$94{dGE;&5I>NQg#l_ZhP zGidxpPv4I&n|q9w^<;AKh>|)287Nf5ARt%GKR;+gBoGG`VZzt#Cbn}v)Z@G^$EMkY z_Kuq{MF@Zen-J$=@&^Xcx}Gn#)!!=A zbMneD9(+_V(w5oTfeq-Jhu-$yt5<<)F4SuFjp zc<6J%H_w<^vDVg!?kn1eG;?Ay42I{!K|+D7@RCXF-l917>gL~jia!7cL-~m8fV{EQ zFTN}0iG zWEF)ij)(O8*cfE4RSf(IZ=yzmX4Q2>eh*0@$zd?OuyGbK%c{=7Swf(SOYQ`>MsiYA zmOn;K*|6mX;}91$Zz2}Jo~mbK9Si)$3vjnDdoJ&iHnv<;dL5W}hiuMJ7GTUsTAJn( z>KD3!XtGR?ulHC6z}H9@agbshM~PQ9;r*O`EbOx!{O$1m#f3DJaQa4eAZw^qfcv0> zUvvkK7gjz->v1em)a0TSiKXH(SD9>OP=uLJ+sH~Z>g9s@#wmCZVKrJu{#0>9}g z3~};57!dhqSjSJ8ZxaAd8OpM%!yAOkhwxwyhw@XPT6!5+`Gf=i`RCets+)i9TZt^= zgn);D6+$5$_36Z@q6v-8WErP{hUcNWxKqfql*VomgD#hj3W~7krd27L*sw8}dk- zRwPE>OC(*)(RN+NzkRplB9)8}{~m)9FK1rJvp)Y?LFI*Pu79#H)Ltx*mF7Q{0?}Cp zCvadrOw8O^E*fM}{IBYA8uL&;_%6||%Nq66DzC)dkpW3;Q)X$nMLoBhhmFMiI88!2Rs*{a`g$6~glw11$^W zU=9_uph|Oitt0ZcCJCnSWQAZd1PaTOQ62St?+nVGsyUKVRED{uB(ROdjv|ol(t0Or zKB<5|C%gG8bftRN{6+VZ5pJIkg=E5h+XzRP(%-!oDYJ&z`Vosyl{m-Dd!)-L__qm^ zj%!x!Yjhp#_*5p!*B5{tz(nHm! zr)KrLe`gNaP{Qdwn2Y*F#5U9o+!t;@%0N#tDl~?)Y)Q6@V;a(=&N;Kfn$~Y zs@nVG38bw2scMFH(v?jHzJq#Zl68N=e=M7fX+0jcErVVB{J*-wSGSdPP9`ePbe^F8 zZF!$+Qs5Q@=&bm&G3nV-ic%uQ)oFK8;eL#j-w&^wC}2dWFY=QKi0*$XU$n|&{@QmT zj8B>9(@%TD>(kaBUJCGfBcia;mMSxUQS5?pL9)?Tqmx zWDF|y;(M}zvjx#4nc?xB>K+*LeLr5IUIynDjhr>6J;a8+l&` zK<4HUM1cnhC%=4XmT#V2oQLY+$)tc4rmCkE2m+^i{Fm(h-x7|nqq^4QD6k76xaN%E zNJS!b&6V-5ZmOwS%e?V)ZQ<9@>Qjg*<3CTi_eZa5g`I&e06ALi1uJAu_U*^8vs&== zPN^f?|9HZ`fS#Bt(^(D2ECJ(N#T!Ou?va%UvnF}>%xAVuL}A!r(Yaj57oIF;RWa*3 zeVi0cJ~g%F7{+bGKC~*za-RybvY;yz52(-MqAP;Nu(^eMPByShxmWKCBVw^2%ANcHy$U$;|AU!apy* zdfleAktV)354X-@M!Fxj0pANE$d^LuWo7(7V19JyOBF;0*zrB7&FbwpnEOh6uG;Pc zl1;iupuRCpeCV~A2K8l}l95aUxskIO&TnaHhi9Kp+}ABOS|?fVdwAxK?rfv&Ck2LU zNWSkp329}AX7bmzCw~v8_4lZgiJEL(;b1@kmHB^Cg**mOMDHlo(hl)Rfn_91d1BI1 zN{txEE@BG!8GFS{wALRf@>am;Qfk9pxmw>lVFDr0k7*H7l0+1rvX5zKUp7W|3={IW zhVo50a!IrXynyy|XtL&Sq`&fHBvU_jSL_x4&$QLL!ADjIO$72sWJco>RT&hG-5K}z zFG|M?AY!1xWwV;6pRdw>eu(!(uJ;=Z`B|#c;R&v^tx{wE#`m3CLn59Dk63nE&BsL| zez!wZ`558>$_I!j*0}UB`h(^5ZDCd0Y#T=mqb%EhN$dz3uq2KhNnPR73S<6~ictM&{ zkorZqUUUj2IvPphKOf))%)uY}>cvuGT*Asx(4)|y#ZA$Z+i?xu=$J1bkWFbnqA-He z^swRb5d{X^{~65EI>r)qa%zIG0CLYr)+}a#Lx1zM`(uLra_zMKfjBt-DIhB8<#~AR zKfu7i3xCx)>lZ15bT3g%Y# zM-u!6t)bM}Vm%Vw7f0i%wv}3Cf1V$^fT|CqkRW%QUptxlztX!5k$<85TRC|pgwS)< zsJEYr^1T%=d-++VJN26uhyZ$`Dsb5l8{t1%nRe^G^1bd%!0o;^D!{Hi0&~^GLp8)F zAd$Qbw)u`zzp{-I)wA3`ZlbSfp{G5XJ_8-r>Dl8bADPo9mAeZ#Eu9D+1x-Hk{s z&Bb~5eVenbeop#WtritrGj-Br5cxmErpm&kh?2|25|*Q$GgSbaH__AguxDj0kG|s$ z;hQ>o+!1tzi9GVML)Y@1YiSR(%>4xI|Hchd$qREJ&k`{)PNP&ixw9UH77p#8PpT%S zC4WAR$9eY0ddX__@MEBNxaJ(PLoHR^oN-D1HIrE*Q6V|nV%+MmU3_HjhrO^#U{IWiTid|5I*aX2Ns^aejv74tt1a{vd-c=P{7RCl7dl zrwRz4^F7S;ypJLx^a8yDTW!^DrPm_oef4eE5Gr{{uP9vF_#}L{BJbM>pS8$!)9X&B zyrpEO@*#oRlP^noUn6rF33#;rqdpu%w`svMQQ+++LDV86uSY~C#Mi7yhFHhMsm|~| z1>8p-0~v2~_h&%rjA`hqYW9Wi>A><@UO3O%Pkq2RJIk*2 znq}gR8VCKr%c$*FahC7Oi%g(4l0m3w^tmBb0y>VjKFqgr-Y37*8@)q5lf%S9i4KHV zkD8h8^pg%Ja(Djc5JtZB&c_ZmcL@qE_cKNeP?y{s@yw-K+PC3SvDQ&k_=9%NJJFte;dVJ&hpYFu5rgdWr^gQT!DrMX2k zBMAn^_65*|m|$Zt{Saea3@s~XX!(dc7^p;&gS&jRdW+E~rUIp#UQo>%DgQ!Pw|sQ! zVSTs2z%{uUbMjclo(@D9gx+5KCDs3@yw+^_SU}r$=*O716)VHl91~=Qnk@n@?ruBXOqF{4v1SNjep6z@`@(A6AK1|+p(A0qt}3x&&q&5Kb(c;U zdvlS802n+jAk(NeG1b|EJfPpWVKO_s$P2sDeiOQLQ#92FzrtYH4;`906wq!BQ%6b| zN4esk85OwG)1vWbokVvRVsq~5u5{+53D46B;SS9ER5MW$CP2oak9 zm6!bQl)7ajcB@qYO^hd>9-*Y1y&mpeQd%@}6X#^^u?hjI$6$FmH5DVSs}(Mvu>8JX z=?})R4X=9yJa3K$%G-pbg~^gjOge-&_Lu^3$O<(bLrU-bR>Ig#-9n5ClMKB-INcmO zY(Jy|IBgP9+TwK}2*DNf#NcJ(U%k}Qhh}1x-TiX-8?*k^PWj*SxTo`IM(QvJjz$dn zKmtqJ2cfvyKvYs{04S~vgR}n_9H=3RH&x98;i|+5R=)KMiz$LM4nA6oM2ucOm=6tu z*`b`1JK9dI7@=g4G9Xy8TZOd6-zJ>2>=mwL@jI3e21Oh6{9^fqY>*!om7gklO0@e@ zKIYffLEp$LvpkD7P$k6KU3j7Nb?~ZiyWgk;VI!j5e^p%nThf<1ZY@fRMRFALhbjKZDX5!pK7~9CQ)u*NkZ8H0e?)jiME-B?R5Iq=I z#MU1Zmw=+EopPQ0i>Csbj*tinkjRsxDpdNw=%pZvIVDu2Z@kllBXctk1a!sMQEBi# z5lAxcKRBhyDPrZKd;4pPmfW{#OJouc5O0zpBN)S>O-KurU4j~C`GXrzFKuB??BswL zFU~U?+K>;TMtSeW-cXv+u6QW|b`wRz5)U%IA7tDu{qQqnjB@W#o}8*N;D-m2I7UjX zT!&xKb{bW*5*+O_iGPNHA=m+fAt1ZJJ9g00^L%IrU)PQoD;&=Hh$nl@Ow!Sq5bNZ4 zSk({(=w{&D6XX?Y#(e!J=o1>+;N_@m<|OLJI+`CR?^a&}kOZ6Fx6m_V#1trP0} ziP?t9KpZbCzdSdjQ9XEUpN0E6BdfD7hzeXVFq|gOV{_jPzi$5>UTgNy!m;p8QvwF? zFV+9$+*qxeb8e@=t14 zon(Ke^t}ChMh?#mw}?(T?CJ>x1cR*o21_;<^3*>0J?8)SpyDNJ)aa`QAKha*u_2PZ zFT^P?E9)ofj#vRx4N8)p2Zny?PI#ca0ymfV_(S@LB!#W@)f+yO4F%GCi}-|i`hu+4 zl?ClWgtw6W+hB?yyB_=&8YTWU9zKS|*)!5aGPM zWE$_3q5QkUOXj2am>8j)4aI5~(R-?ki8j!4bFRIay9(U(PV3sumYyUd%+oXpK(I;ki#lb>_THr%2;1od{W(R`A>1z6|M{`BYM&Egj~)G8SvSDJ>;nKd+9uX}D5&Gb$p^B`v3?<5)LO?K>i zD$Z(FFhbpTDxT+yEh*^mbOwC=CzvW_c*#Lmvn;W`{q8O`16`aR`7P|QY; zBzm!o~nV-tJFS<>3JLXK$u=+%4Pd--x8 z_YE;b?`A_ZGP7>`$g}k31OnLR1bKx4)WteGIeYfbeUyT=v!P`N$l>qHVJfV&iGlTW z*`w9E+C5KeFJ(D}9>7RfyxmZ{_PKhZGcyf=@K(DBc-%hcdnXniw^0WAMeoL}O@dg6 zH6RMOOIr_No;-5NKsY&tw^?7jCn z+*axQ%Lf;sNYfvaIPN}A$d~@`UhH)msuuEU)gP0y>ot=-u11&TTU&YI6mN|L-ZKiaH!!KcUEDEVe$j;;G9S zM?hA~G)0P)-i4)KDVto)6GQw52bFCXypVqtYJ>ivZuOn}IID4Z!iZZ|&Qc0=7;0&OHjeI!EH#R^2 z!OqK9*0q%I2t4=}!sQC_<)b6G{W+RppY0=3oLEOT47 z)c{?F42?4~=MsV6VQXH4FZBs?yCF>0K?e|FKe-QFGHK03{hdh8DRR#H9sLQAZ-xIs z{q*+eA|>-0wqogvfi)Tl`n)tW-@aA#A#)4$ERInf>g(|g>Rno@TUTg(k1^E35sw#4 zb)}VlX-8A_1he*Vg9Gj&k*y=_er(;jv$eS?t{5g&YI!$|J+wxt_F6Xzw4HNurAQ2d z8YOq9{lI6C{J(y+*q!ym0==9ckW(`euv**9)QiqWm5)Z1C_qK=XBe0`2q?5r#S6kK4Sdb0VR}tNCYG5?8b)+Xlh3Sjs=iOGJ2=-yf3IaO)Cl}(GX#} zSF4pjfL{)m)Zi{kl(1gsxBe-@5%%w~NZC}aj5I-j2B-!6?&;*x2u10CP$+3zfaYcc z=ZI^vpjY6c7j8fY8gL@_0pGB*qmsMYqiH{T54086zVm@GMSTw7Imr>QFbHaJQ_LM6 zp4ZbNDWr2H6{P#bsey``2fa{=W2~c@wx_uUqqzlTj__%H$a1~MIx({t`H3hddFkx- zK}ko(Rg@2C`m5-X}K2w;|e{kpD3{P0fHGc@K=la9F1hY&A*U)a~5kxq|60Of+d>M}Kw z_~ib(GCpZ}F11!|Ym3~lx0?-N>I6KVhnIe*+6`+2K%j`ILOhwde7XQ#N;QfNJ`uj` zkwOF(AicJ?q*^T}0^n18yP}~WDj>vsE|rAN4soMt`Fti6Sy%iCIhvx_110+DuPR$cDU|^}SzGV#j1a{M0+e3i;6di#yWL!ki!VNhSyapg|_(k8TOuOdyBj zUGC1R5&8=^6Cs2bJsdcBmm8%}vK0V=>)O?a!%GuRAfT^GsZqepvOuE!#W>+p1`t$V zrYobKCL4BZONMj^^>Okz_Qe{n6{w_ z2{fzMT5bXukFGVMdwymEoTV1_mA}=c)ERxfBijc)*C%C%oH3KJLNw~IJ4On(2VLF4 z8%JUYBD$}xr9vPcaOtV$jn4ma^)bq>Iug*Jsw4TK03PMRdWyT>_z(GWP1?}@0 zScX4vSN9f-R^U8CV`IB9I-XeK5P`d%m)CHZNMK+~8%R2$bD>lT&riFNZGnPoZhbyS zhtzQG}~jW4ID5IEQ6GTlMw%UT0L$DT!@zw@TppuCNXm59qbK+WngMfDe~ z&kBoF1d&N)QfU*?Ko0G>^KDn=kl0sGWlLxuf#HV`PvVUuPtf~bqNDxZFR=^DPO+CpePGm``pu@xkX1Q48~a6KUV)!8!?#8cI^1^+y}Pu zPx4K1fXuBmc}L?TF-Hzr5?n?TFA8_O+h*tcpBJtsg{TQl|1!h#m zUwN6WE}n@|aQ=H0C^9#242G5an#kOI4{5>7jxn*f zM)fkcLS6oH`uLg#T}D4o6>4^A!;BN5`R!m z;&gG$(U138k(Cfe*ZQ$PsR{)r7#{BQfx)HOL zHDGG!hPCkEm!AvGK`b*E2WC85b{uBWM|2L}g!=z(f86L!7E*j#3{EtmgY?A1gh>&Q zPgZE&Zis6}SI9ZTT=qI%Om66F05j8J0yS|jNY?&E1Gp3WkEF*Ia_+~kYTbbnTTVRD zT`znntVbNEWWP(Dp67b6{8vjxyfc1NylSs0=il?HI`ZReHh4oP3s3=dB7^ncWomaE z1ZOyu<*x0IkIL;!viTcXjFeqQL&=b_YCteYw0us!4MD_jiP#UWLdIy zl=#<91u*uTyK%>T1SX3LSKx^gy+9$y|BFIU7kiX%O^<~QnE*-k*`J;2x>EGCw;_ps z(LfKEv15MON9h_|_A#H#UlYM$o1bff^cM*f=c59tS&9F*)U?R`NAzPDIF)Y&Pwz1V z3J}{7pe^2@B7qr_UIi#68C(-8RPxt0g3^uBaiOEAFSZ`t<(;*G15y6_K#6EsD)sLC zW)>A!L2nIM2_-}1RDVuc5yh}&)n*ZZB)@|Z@{)|!^6yH$y-RWLR)Ayk{@by`06ZWj zc-BSbByX=mz zL2!Y`*KsDEf_E>(I#~GVY7Bdp&UXZav7m<+ZnOtGUR9GKWp^TqRzaj(rYFJ%J*xL3 z_u`PF5j0z}V@w4jBp25eSb&3=nz)C?9m}0`<4F{Oq!}>rG(SLGkf=|qa$(5vVty+n zRRv>FdbW%Rc9xavF77YfHG%uYLqQeu+pvB*^uTXEl>CVd_?fcB&_{UFTxJVx_DrQS ztOgyFH)*x!s2~-*YxKSvh8cjd%*mmXqpP-G?|qo6Ion;TryMVM);TX}oybc&L23wI zMMslpE;hOi>eup{Ub>Dq2X(s5Q-13~;UHhKTYycuU83LC7~`v356DtoaxLI@f;`D& zU9-Q!x2J-TSd-0n_A^{jbLDcBwV-G6KsXZd50ISRYx>;}L%FhTI7uq)UMAg1n}Drd zNhG&8^X{WFKem{YUB?n|I447-vvpz3Jrh#ogvqb=&z}Z+-W*UF2J)uj8zVMx=ze7XI8D2y)7a0CM!E-$OWTAmw~>%d8;0fJ%Ixae0q{A_1jTHh*IA zr(xRl1z-wRdt|NkINAtU;=45Pe?@w&LiF96srtxBalNDk> zDQr>g<=*2K>;@Hhz)TDbe|H^gq*fdkq$}@S^{!okde~<*w_w7jsx9d5=7+4o!bp8e z<)UuQRj+F4T`n%)ze){7&D)P4I~E65xZa!eIUij@@KNBFkvDJ*z;_t){joupeEPl9 zM}n)D*Qd#LpxoXjvpo%MVYw1&3A?)1zk5O5aI8B2)zY`xTeW|o@lF{0b;gSby{OG4 z0lw3F{~h^EB_MdGtC*)5X_o{au!5dfrGn<+V)*90o8pP3*33 z>}P{3YYdF1i=}~pX@}9NTxlCVQW$b}gmWbs9~Al#*p;6ZA~Y6!){qUVhU8bAVh=G} zfodm!(F2~(xI3wTRR)gRpkf3TnQ}bEM~JFl(=O4ADIGYaA(w6d_}J2hoh(7DvE$`n zY&^z5xui{%=|%6mi_2);U>!w{%x=U1ss3mG7=zy{O02JBX_~85D zO}+lmZ*4{{)7z2pZKa{_(tpx`cd~r*T0wC&zyzXDeL49w!^8wojb#a_!N$Yyf z(?jH{ldQL2AC#i&oO+l8X%7S(=X7s5%T`_j^SW>xMS@pk>@%XYdpU* zY9z@tZtVJ*D)#9<4ONB-1;qt%UVa`C3Y4U7Z}c(1zszVZ|-HMqfkUBJ~Em3rPGR)Gre8IW?^ z_P-tjabG-0Ioin>t#zMlS-5c?oqw9lV<%cFjJ4y|fUm^S0o?L0r3ZLEejii72?aq# zGZA0{{u5#9CmM^ErBD*%S7|dJb8H$5@g~aefbF;<`U>dv;&vk) zajJ0vAWHvCE6<>!RGnBkw4R8@em3vLBDC&7l zS-Lk0rdt1%y|U^<6e1=IIVsD$UbilZVKQ`vYR>fxJ&W5}`C6DoV4q`pkK;~Y5(|+~ zg)q;OaT*5*jB}xf+og~CTu6OEw>Xz^J0BQE;EFX6Hfv|CS@{{SpV}`I|GULFD z`s#!b__2j|9nQwVg&=0K2uqjDc^7y9Ypc(&b6(Ev`f`lvOdU&(v+Ki&+p3I{Jmj6& z@jdV-zCw=r`z0`??>(RCYWgyp07xNF(Cv&&yWYFW78ftA2`xcqRQA|*+Dj&pT+B}B zF}^lsyiO!S8we-w85TSIvr+lPYaR>ewobxtK2}5EcEglf*o_K6ohEHitB?*0jB&S4 z)E?d~nLp8s3m8GMfU|Alw&9h-@@8e{&cf`v6~BoN~W@wQ(7HN?talK4xpi&dm6Ejl~IrcY|y2g{}y&KV8~T z7r$$04`O{!_=oGMmJjmBZqeH}yC;9%m#Lp^RK~;`h9!tyqXOkWwd7ph`E>V5p+rJk zo^ayshx9BSxlb5qa5zpkTS9di4v2N}_2a!V&uTK2L4ZgQ+XKl$kZ;Wu02Q*ygY2;5 zW5e$IYbzaon)YopckbE{<@9E8-vaBeN4x+&hB8K=_eMISTpQnY5&~L4S-?yfabv} zEXZ=Qw@e>E#c%CH4xsz<%(~%%o-Ke}2zydbWxBij+GM#%rFk(-S)gp_ZwO1H9Xhh9 z{i)*i-&tjj87RaEHcIO=xy#YF+~Bs+4+En!gcV7>RLRv(MJ)I*coDIBEbm#L7^o14 zk>zWB5R`suH3p)wa?a#;x`lKB?XLlpzDr%3C-52pr5 z_1A$OAfERs-w+lG$hW0y8nG8^6GA0ntWEwWZr9}waGkm(Kj8B3qw+lz-xzo7$NdPw zkmF1Uc8K?U0PiOKJYqkirmZ)B8tSN%8T%}5V)9eN?Zt{j`7G1^l}kgpaSiKJ;A+3u z4kj96THH|XdTPnzaezrw>!xjRUjbt|CI|sW+k3}V(gJXOuSR)GNP$tAsK^b4Xz8p= zucBu4iya~Wu#}4JCEn*ZL$sckXi_3jEbV_S+khx}{62qgYfOv_pr*s>v5!?m0H~zS zYm8y?+NX9?J~<0^9?TOrw@&;(a}MVdZ14)pX+5}*!Wk_AZaitIIDh8ZZxc7?oN&%ev}$#1zi?W|@2eX^T( zFs_BQeo0>-9e!EL>^*lS1uNHhn>sGn^CQ3R&wAx||NR@!xr{i!Up*L^Qy)cliZ%$cM);V|LdGfg zKo|o`3mL&aRAdcO;J~Y#&IDcZ^k4|?uX67ynZlY~@kqmtYM**AK5Lw;qVQH*(Ayhj zafQmiPobZMqu=OvaFjjd^XJdOh4r^i2e-uR`nO_QCF7n3L$~f*cASAi}rvNBpyUbDShYQ;#uZ>r{S2K=u}=yLgn=5EW~tF zfa(Re2C>4!%Ll~n$c`k(NyGSE{su35-;<8Acd*wb!<_x~^D{TO@Ae_A; z8-bdCK<`9e&}sk2HGW%{;w1Xne8~*VWI!c#(V+?%@@|e0|0j&j9p5XxNzCT1ZQHFfOkSVaWD?oB!>n@GgUQn_Zf2Fa&3e zm;l63M)LOxA-1A1+sFs{=q z7+ZNsa^`<^{PbW9L|%qrkzV$;3Bg&41; zn;YTj5=eX`(uREtZ8U@=%A5sJNgmrAT=ewM?3Z~d_xB(JAHtVtI9o&uG}A)YTLI`P zCBlb;jwrf=(jp`AlrpQuMOgd0JXKTk@A$`J3hwN^93(}AqUtS6K4~h>2{`_ zZ@wlcFE8ulRM{B*`LhD^gMyr|KTDx*ys7=s@oC#*{ZE8+celmNx2X|({``5~FdNuO zLXwoc)&rUb#@wsfwVmPMjAoV_?Y5jwm%k?_-hiJOAMm1lG@=@_@8BkW0uUWcHG4m` zb*zpT z6_8i$j9vJM31}zsiGV1hz>##9m~o=Q{sB-NrKWz8`DDTP@ty64&>Tdk%4@f9j1uID z_u79HU5){;M+RPW0RlZD3#;nJk2uiDW&Oh}xTpY8IKf7wakO~OH<6~tUSE|B7oVMe z1FHr^s~1co=21K{>Hv(cq2Gb@x%Y&up2+{hBlBaPRRiB9vv$D9tmzqrpS&EA3e;Myv$y?8r3=bW1C9;qt>|Da{n};AKnty_ z5+`~PyQ)m@Qm7D_2B-qvNirA|(}!@r3umSQ-U5tPOv*zB^-r6wQ$#jo;!%yDv}&cO zS>N~U0hoDxH6)&w<|Y3a@#SFnSTwL$0Z2nZt@mWoo~)#5TCRaW%kp2oBT!|a$bY0 zpjS^$KY0O4jBd6opNWI|`eRn5dAfbHf>T0&k%b+QZz%zV zB)TI)dNdAp4lW&`u(LHfn64cz*B~4 zqn;JBihC~RFYkEDCUh|ERvRQRTdPdw9V9?lG8t-E(gzLMooDLlF9J({E_f8RSK8<` zTXMfxA3M{Qfo41{-HsRm4-(c93%CF461zJwl>M8rp9IH;= zv|+m~o^{RM)_j<~6wREhWHE4ejSznEed1#2^3LVGAb1|>p34p07h~zF>;sSQ4L7Hz zGd^-M`TgcW7H{gjuT9U+u1it=px=9wYpz-inB;;~B6OXG?`O}4Ch@DfKTx-zSNh=n z9j*&XGi}LC$RCeLU9O!h7}Sf+bYp?6ti-Jvcp!bq{#IBLhqmbV)#nqN=3QIO!X2XK z%k69(#Ei?HHn>6 z+!>ZscBBv62>K+w*}YO2*VQZuEV? z$Br(cSBXARS&I(W_SNnzGfh`2W=O1-&e49`SUd9cAdRi+vYspl7W>%<5s&d4g8 z^}-YGbonpEcsjzf!yh2A0+(XyTZBIc4-bdRH5GI?bqcC~x7P1({1Iys7;Js-0Yq?> z2e9@z)OrKyyas}9{p28DbdU#ic;*x`a2m+1{JI3kg2sW2%Az%^jLOp?mzK8&DZU$y zyHWE}j`b!vdUtH*RMa*&&R5jz2)YC3k)560g~_EbAQ2Fd&HHlqwk!qC3tn0PsU`P^ z9Db7V_H#l!?d=4~5QKpqz7EysT%7&AqN1YgS79A?8A5(&8-s>1Vl72QI=98UyLyn; zi9M6DrsyGzq|EWxW9h;ik;MB~&j}!^>gwT1qP|0Gn@A9}PY;FNPf5UEwr$MKjozS0 zE;rnszZaO3W!CsNWaffw`O z<@+bf>2;`LcScoJRpGPvecUVbrfT5DK^PSGK^vp-HL9>OkF}}& zyB<*%_K70VA4i93j_nhR(NWl~`YoZRZ)ByL(C7#4rbb3So}c42dQh=NZe9C5Eq~X+ z$9{ECgoNEX=YI!~@eB;>kEv)iNkZ^cI=DOrg&~3+c$&8>cF{1K zx_3b3b_9!P_;DQ@w5taX5Fk9L!}eq36vce~bf7Bu*PK_!Y4qlSv%mxv9{(SK) zQ*h|_HKm5exYb+7#a%dCtvmd=j*gD#V~CgE8x=LTt9>b8PPQ`@_yYq20?w->z-4H~ zJUC&?UPs5g(=$Tl*E4kHNK@0(51~-Y>NiLZWc~NoKNfw;tjNWHUe~lCOcu;^t${N1|w8>RT$&PegvB z@$Ymo;O88{!!aG)0g)X`(dGsc#xd9K?@A^12`48ef^=&RgwAmEhB&sEkywB6fZfN& zaB9G#{uv^E4`AI_wtei5>_>ZENT)RKs%jv+H`*f7=|+`Hsifc2t<#0>sMIwyR+e%t zk5$tRl``*@-TjV1qld6>4oj7dnCvyo-ks~e^N?PXMO%!}g{>Yu*Ek^sg7CdH-@&;1 zf%Ej|-`51JMEx_BE38DKs;l0GivMSaaPUWd|rv=$N%*BW#(HU^{6$%vvK>&z^pv7|5q6 z(W_P#E1pr`_&ILFXSG)3;(7Miu)4Z>x@p6ojME@{bZf(Te-;h#F_jGA1ZGn5B&+c+ zXJ3TuLwOFw#>Q>GCX0Zt(Bxc~9sbm(myHHx zzVj8bqn3l?>zTe2aO@<+cINYbtn!{I>ACs+Z*1m2=JyQ@e1AF%GUF11N{PZzOPj4@ z-t_}c%};MibqZdJ+3}azt$el9sk2Upm$aDnsMrk7c3t{TAm22aM#1f*A=wBxk(=o+ z-D$48dJ~+b2c_;sm3o=M#Lr@_QJ7h!$wW@>~dYXPyv-N6oq?DUW*2|6VtvZsH z-m4-u?RYT=Ve5PRK#~WQI->_S?T13IB70}WhJevA}ltr+~w8eZq zr1*TSQ8fBZ{>Tr|#0T3k&U!}Yf`8OKE>hQC!);g~+DS(w<+zHq$U_=$ihaByx8<1z zZ@pss+YG?(&8J5zQ7uy<^s>;hXGcuOC3Gd(zZ-X8O8#Se@Yq>D@OFEeiRd-E&8 z9*w*eqU-k{km)B;H8QY_Rk*A5?0A{q9oMO^VzFB@P|P#-Y^>JyMrsdcMZ-+SKo`|deo+%fJLw|;a>)!u8ZJ=YA+eCFJH-zte-H<=)JT zMr%emswn5Vu%@OG$*hJ+xYp9Wkfx8eCe@tkw;bHFL+~Uhzb6YCD&=uA5$P>+5tUuW zKK(a){xt#KZil=s3^)4Tbw_C69{ADuH6D(TXO(|z#@0LK#-@2LR8}U2PL|^;d-q7A zdlLue#C_Pn6-5nC%lCR?9o4Mv>}*a^u{2h`EdSfkGRwQQnYe0~o}3I$~wYD>nZOK-6h~1IDe7=`kv!S@>A;sQRd6yq1q;chzVz(82x31OnlA z={T(FF8b9xvpBcJ9xlS6F`urilA-oO+N6oc`D$&x`i?YZH9IHh66izdBz5&@<5lPM z{Pg?MDT?93?CML|>MttU7bs8QxqeF)S$T2}%b>BzDGEvAGmCHyhVtQF$BIn#rA+mx zLRAyR(xzBjnCYM)Bl@asxX=i@lV;|y23uOzJ#N=x_AJp;uIBxAzXf?Ps0~jiBS)Y% z$RWdczt3RqU1bxKYl_UdrTM@tQ+5#Y5W7Dvab5YlmF)MA+g;gY3H%9}mU--1RheF5 zD^2X}Shv5IU$Y;G{9v@~xxE~i|8FBIB}!5`=1N)$r4;n<`gs`_8(VuwdddUrY%Wd%w6TGmUQ?| ziCQ{6?UvrZu0&Q(Nh&1#1sCcNWny`jGtME-k(@4b%Z&^aJJ+p>zlqEK>bhK<{?hzg z5rKtL)WIh~%>2jaf+HVEX2UDHlG1nrH!{ma(Rs(f?HKP!PkFr4<8)17o!o34up>D* zLDEwN^SJ=XRHEHX*|0_h?xqq$%`GYv>d}vh9QXa!)XW6z$3hJ0!NGo8EZ`+PC?v5m zhnqRrU9h);Ev>AK_jOSyNfB50tBHdhyVrjm&-HsX=61K~IkM7F8{vNE!h6{{T(Rh9 zAGK?bz^^0VS_>RY+1ayNi~qO9oSoO!sjfxbn#PMtT}sMia1ZByp`XzSHH~E2YaR7U z0vZ1vyhw07I9!?&#gQfIsHvXuZTy!c4aA^Rwqie2Ue&XJyg>v1OD-eizx^-=$ogJ0 z`^~rL7NCxt=N$bVoz^dpF7NFGdTg(BiqK@C$5+Exg>l%OEA*x=F2%ugVyTIViC5^k zQ3F4@ zO{<1#JUBB~+1S{6VUG01$ZD3}SaH-zd30&C{<+@ifHz44 zcAw#4;&;69Ec1f3`?049YoAopTHg;X+J-vVWZKvom-ucj^4wR5wcY9~a2oV+AU}{+ zM+5`}^d#9>;&=JYRaPRpF@A68tS-8ChDUpY(r~)c<<~bhm)U+fselm69{Y;@TB14# ztH^oa9$fuvH_Q}==3K`orqE>Egv86tZDC(RqOkKq^0(w$oxzUu7#1ouIQ)H_&)u#V z)xytH=J~8TI;Q0Xbo)~uA~+2`!E>I{11e3hPmnnZP20mKIqJGhTaVrB82tEGnvv8S zS_u_;;U`_mKQpH7%FErS_o){z2EBOkg2cpWWrM^|+p>w&zOl`~G2Y)gl#reOmtS_fU;&?x;@+A6)}WYmTkz3iHnx_UB;yjHqv zyic^KN%W0e{cvWXSVfjACsgN)q6R-ZMS9@o(k!}b`?9olT>M4&T`Eq89f{&i5!fq} zdnNbG8Q*5m+tV`(VxZv_kcMxH+}F>CM@GgpGDtY6CfyBDBa$2{_Nl+?UOnpfkO3~; zV{<9X8&B0E!a1ivvTd+-jZ44iPPGTFH#DVL15~G_1%K~8O|p;^^#^==Osy<3%lb6e zdg*}Ebd*JJnw_sf#m7q_jY%VwILq1mce|;?7>DB2FpaIlj2)Gp%W$gE|nXExzaxf;@|*Dc;gnNf4= zt3T=j=uxdz>AKvzOniXs;>OQf@$Q=aqxVTZ2-~D0yC?3Aw`xW&P6v_0QWRoJk+c0N z8B>gc>GOC)^7N}yCok3WJ9MdwxveONhilBQn%FtL6@a5e8I)p8etmnThDgkNcdM_< zghN9|$0Uxo$GO@Y%EW}67`7^)!V<83cF3?kg9WXkPe2CucDF=M(2L*m#L=g_dU0LU z%4N4f(`_zwE6GRZ^sLYDkfyq)&#}tkmP{-gT6E@nEAysXjn1wuR0dM>WJonC?(Q>M zPoq{sXa%#7zY5Ia(`Pb#NiJCKq9i%_HArTSd~60P3>ZRWzO%6GG7b?l;V{taM|E2d zekEtjkEF$CW@ROfP7CyH@eB(nzSc)E2(1MoS})PCFNbJrfG_dp*w)vtw+ojAZ1?U! z>XCD+R61IGyd;oPCJHV^K@Q`Srjpb+H}<7|vrXziBmK6xr^z1Z=tQxd+N*s?#O_d} zTK}QgSL>n%8c}EejOr0`*~su2YIC~}M~)ySLo~)4Icdha{Ny6qZR;J~x*J4y=GuJ@ zY97PaH#q|}P)E#qW*suq)2|V8)6?G$8CVb&jhL@cU9=^{twd6}%&S+N=Q6ZxI&Y;v z(-Lbmlg&xAa9B1>jmiZ#_sD<7vD|t5>-V=47xhu+;h}(+n~0okU8(_B6r(f2o}wJ* zXXr&*FZy5wt@+yb8_OgtCQ{??lgvuwiGVa*u)gn^PcU8|JgbHFezGupZlz+65s#PX zS2r|dxR!@(F{nYE^B*o(WR}JEnb{Vcs~tC^cW|I@-7nu6w`_;dN?d>7wclv58ftQ? zu@AdBkIosIF5&Um;G3|ae;P`dgMB3y zod0KEKR8Tf>fm!xxFwMU zN_uZI77Z<}n1WAQ%QYlqW1Cn(budH9+anb&A`i;mkxORXj}h4Sgs@_XTdJNG?8rW( zj9ZpamXpg6GM{o5ZoLLKEOM3(<$!~HSzn+{Hij7C!-t=iMwL*ss!RqHbI$d=d zdCl4pwFbMW6z*;k{-L2e|8`PDZ8a^vq-oAMdJes5H*)#BA3EjFQtOdiWcTiWd=%#i zdVz$V)OOjh#)<1hN^X=rM^?{b$;6DxdnEwUh-x770H>Ys2w#z&lc&^lw( zZuGWsqBAXiKb~*_$0|f;@-Qt+9d|mC0GLd!6|=YH%FfN!*`3x-I_;FaI#S{tfS42P za}RunL=UibWgQ)zx+1DLAM~DnnfWVAOG~~-lNS&p;Lyy?E!<01jCt5lU6%YUD5hTJ z{HEyC=>(K+K`J{+&~7x5lAg(^X=spPk3c10GBcT;naMtHW9wu~ylgY^^_(AE70FOg zj|FeMzGVS`EL>VP8JH$SBjfdll+QmY;5DA1tL^*t^to6`_-%0QeJBaAX7T|X88>jTPfAqGoAAT<0RiczYCFkw(g4* zI|m2Fj*S;KA)3Es;iF*Q_2K+I9kMaO{iD&fIwqq@G9ieSBI3x%=x)7LoK$-_;w2&E zGkG18Oh{B>Llb_L@eU{I*|MF<&#tNI<9D&DA+>ZO3P`k1WgX=!uN=id>`Ghp9RIM%gAe2Ho$G z{E@(7l}WnNw@%&jDQS6u&)3An1Sk+SclYuEh9DZTwqb@vfzt94Uw8Ms%eKfCRN@wR z@s9waWkMV#2`StfxxLT*AbIGrLcHwIcYdorvf)~MT0C~Ny2WFL=|JX^p6Ay|?f3oP z%y+D|n(*bp!|%cJBHh;{4s{6gHdW}4mm9SoJ>Dnmw7k1X8#+q&SlET#fICt?DhlVa zGWJj*`lF@4j-jC~`CD2++xgMz`vz5RatQF!*K8)%X_q|&7~sT+m5g(Nw~O3}2j2~z ze-nU)B7y>O!mgcmK6sIJPiMj&MO{-9yVEt><(fm&V~@Q-uLrVihFoWnL93q_%(NS+ z+uFwMQmu@bhG(EjO2$a-e|DWqeOv)AgDB_h|0E@I|EWdnQvu`Y>?7y=&@6m8UvbrK z2F|!qG2Z3nk>;Li&nRK1t&h17RKX_*uQTSqH%sx{9W6cnwo4PB6^@5xi11EKCFs3ZR!8EC{YpT*_X@~ zJFhiJx`&KxY;tt`v!7++spzbGL{Dg;bi0qD9%W>ZOA>khKtvR3M;{O2qZeExy{KDR z+tz*6o}uCCL4ug)*5zLU-1;Qu=X^eeM!6ed(ZmZYgN#5`2|3MRXL%YgkDj;KeLlpU z8ZX2VkaQoycQoc1CAaAB97tKK1ybC?!iFG)>o30lVreENuLJaa!Co>mIhpT486ZTB zfZ!U86uzC>C>kFt9B$iogig>W5un&ly5m{7xdLWqx8{b7vNZF0k-gcUF0BQ!Qsu`X z<9GfhtHdkBNHP2e$F7RW2b~|I%+h|_br^3z~`vR&B;aQNT zhcp^vgA_!HTdHuTh2o~Yo{CCmx;sr(HklG5>SYS}MHUOfU(%-g zxN(exK;$PcNHa7vHD7R|l12`o4c0~If-Nnzr9@hCa?kO+^mJK%etv+~oygcid$^Ii zAs6jlcgDLe1i9%Y&z-TYblaTgUuTH`TaDr|+KKmu+!a246^{&2_YlxBJ=TWo31nHh z(a|(&0(&8gzMGI>O%s)3@8$6hgJaBuc!_vW@tr=iY1b{q*n3(K^maEE?V3UXUH$y1 zGWDc#b1~tPX_Yu(5;M)oiLKN2@p5`cMhHb$Hs)K8*w(kt}I~0kY(zLR)Y`Jv@D`^lA?BW};(wpVwG*^HjeleZ? z4mLRnVxK@lmQ%+Xo)2^J;lRMav~>#vidK^DRkkqZYBp5Pvv*4I;=E?=PiANFT(a2H z*j*Uvo?VwL=mjDle~G4b-Egnh?* zo-eg{P0V^ttJ^MxV2y35$S>!@n*ajrvX)oD9RruYDISmlM^BolU?*1HCZAL?joKP0 z3T!XGOU)WujA)#A<>tvZ!665^`Q|8V&jy7!g#gW)s5HWSj5unAo6m*B+~H=^ZGyiw zbEmCSj4{6NgLl9#G6&B1^2m7$Mt10;n{t#MZurd-jJ-Jz;Fy9NHAGJ2rSuhgB8pBr zgp!Qu&`0QV#pEAI~Sdv4kdK}#f-*5EBb+A0J$r-hnqvrn9 z@aEqqw2|j*+YNLUc#sc6v@}aZ4!K@=aP8l(x`>Nwe4$pB>_K**1hM()k^h|MG`5T9 z=9fnXdpoQb{$u$O+SERX$WYhs{w<=8l5Z6&2P3?^{t7Q@{QS{czsTedqgNArT%2K6=8{Bz!nr<1@pX^fGpK z4IK^FaoZD3AJ1iO^%z(b9Z50ahOGXZ2VbJ9zAgh+<)y9_Jr4Xdli1u0#0p?EFsamnjz)(JJCl%KAgVsrDRz+{gZJj z+jSvnsmA-=TLwpCEPIMQMl@Njq+NwCnHt)I+%Q9~jI)*R)QVghp9+`S3|7eeOiE>k zUon(1$r{)ae^Jfh4!m^N`zcK85U$8;ifS<5A&Zzgd)iW+OvKKx&RimYFO2B{X3?# z{z|nAN!f!rVUS(=*F{QCMsTt)IL!@qjqtpXSL&LY7C+L};nyFFw*A-R>>I7KGBd;B zTHNK)cfIy{mZ>>lna>Ps6^W$z>1FD0ZnUWJC*V<8c3yv`RQfqHd7bvB|3@J=PN+2W#yGwY$KuO5pt$vs z&!z@s_tGuC`e-ns3V5pcKeq9NdR9cx@SU{R-u&iJONvyOj6&}ke~iLTiTjYD(_N!S zj<4awKRh+ZC$eWeHnua^RsnbxOW10`FNUTwM?|N00_kG!*FGR`0|8&sRo&@3OZLDi z!tcvf)TLLX*EFx9jFXBZ%vG`Ut_O;d{I@q!;D{!*@9&?Zx#^tPHJ#Iu5Bp^@eVP8I z*NrjpW=%U)nBd+$dJLfSWr#zjmJnVXVj7Hqn-<^w9G2Ryo`!CNQyjj^=tAl@+{EY#RMEXU+$ix{!r?uOAzSbQ^x*263MkYyln3X3xxLF< zTlo4RM23&eCxTVWR;8tpDf+C*RMURu&FP6#3gmH*8@=cThsr9A&ShQY5JbMyFPCQb ziJ)FzeR*YS;Duw=kB}X=J7EP2;9|f-L$v&L$LUyyGPlXFGH6Q4Qa_KJZjo2@=`giP z=OaF^M(3QRIhP``_pVQ-NM&V-kwlW%ye93aC^EM-yjADzyS-|Lh~-OCc4>u?)E%`h zAp_gR;bMsd)Nm;=pM6+^D;M?gUCEybd)Tej8Ib5-q$d>`4RliUs?(qbdr)6GSVuyN z`w(eR7VLkKw1HE&-A`NZbFv>3+LKX= zLwrEt`E2rS{8y72UUIwPw)Z`JWMiX;8WD$JBSQ6|79x?kdJ_)DR_VpY&s)y!(reC_eJ;Kjtt4m{DbG<7Zv>tH~b>5M9cdr#uR^h?Coz_lDbuguqP|5m%128kXt)HW#F}#KNyYq7BG&Ql$oi zi>Wk!BVdQgQaMvYRn{{*G@N&d#`9-eDmTfq;`eJIq$eN#r*IVb$P$2Onu-fQma(qR z;H=XDp|sV*fKoS#-!}!woXeE86@y7VMJ)GdZhR57T?-;3i5x2;uVdlxweGkXDcpp} zq8D3AwkO6@t2}X~U7(#8{4l2tAahx+>~2Jf<2kjDMXO)2Mf5{a5?zMm^vK z00Lg;A?hz#YG}I82hkpcT%<|D{U2>M$5>kFHR$;DGUQoWNrf0?1HP*io-8|X$OmgZ zXaqr4)q~z`I~*i^N_%lNc85Ci!8&7Y6MG0dJ7(WR0!o4p8v!?l{#MVb|3br^pOCP5 zutc7JE>032=nqi}D#o(S6bPn6J}2P?6tcgCxAu?lPw+BGNg=BIYG&iou;-md#W>Hb#ukIByJqcXRhv%#p|hw&DU$w{^LhOV z%Xja0rsjAu%h|f7P%;Q*fEu#z51TmE(v~h+?5ENXRuieuor|2cot9FF`>f1s%G13g z-^VOhx-{HZp&(LZ+f6C<(}P>C!fPruI93!Wq$gJ==5zc=S9+oXg&lVLj=W+0pO$Nl zt4X2}cv8V_RL&+BUFwz-kvE#W;S|Ydu}hi~U!6Q$<>f769jX{#oeo2qPfvY$@?nby7jJx zUO+`AIPK`34+c$t)OmK6ZQV}mg`QUKNY}dwGceuDY27K{$;@X)nWn{^sPj5E2IToY z9_c=7miQlbyv}sm2vy@2m1P&8&^2x2sj$T;eo3w(W=A>8r#}(d4)~IV?7W{+e09&* zsjyP zUSIygbOq~x=9TMu(cI^(Gl zcSAQe+)KcYT*Tl6%|DYZ7NfFrbJ3sb8`ZV7&tg?b26JRW;$~Y0 z);}|x0D{CdF+E-TDAj&qX6C%+b^QeK*3I(hcC0zP=rks(PcKQXn;OXnrZ&;DgRPbK z7=$$H8x{Lj9C$bOq)T4Emgnk^bf(y69eP{NT0CyL ze}Y!TAnA%%9w3J%z)29>faqbd7?@XxUa#QGK6t0&+lYt~U6f+Xb(v#~UUWCY(tPru z>ig3)r0;`6n6X%75=RFc;73M&>x|s`Gg#w)TpCEm6VX6OwD7^ zxjs|F@r%EAW`3H6dnH#HRm0Slz`J^n-o#~T;wndEANIs{Oe2;b6Pl5eqv3N)CCqmv z{BK`W)Jtkl_-eA7>`CR_RUKfxaV8d;uKc|-FaawWF=)2^bXDBUop z8SWpZAzH-bO9xlFIa-a67B>zi4}49_KYR=G=6x$eo?2SFz?^;3_li=NS%QudjMdcQ zb#n8XzcQY>yb3PwgpF6L!e1^9bi|c-9N850D zOa@zq#e6TTT;Vh)V3yCocZY8*USpx8%WUdfo`9NlmT%Wdq$!bkF4CBl-|O+~nu~9< zi?ISt*iG**Hoqn>B8#|qv5)Vj`}+nZS&ixafXwV{)es(h)S;XEVg5ZkzdkaHxoyiL za&8|z#OJZ_82-HaKtHYZLsDGz(W@@I)>D&{FX(gm8PKJDA@mX{?~+(Emj#~{J8pV7 z>Ayi|-8&pH;C$}u_D%DbMk?B&Y7@yg%2CktQYTw#O`^F3g2$?%{7EnIj=}z9MM;UKRiBM|p154}4Sof+)YPbF9Rxh-1Z#4pRy;El z83VkQ`$3Pmd@y91tr-?-dxMwmU3iA!En2}&DvXS2t#k6u^^^U zVs9p7a)^j5zuT^T!*g#2b~8IUL56Pbe~^Knp-G8>&7h?`t(t%0_QLlE;bwFkXq` zJa?a#5mgV`Mx<4^AU|E(%BMd)4}YR-Y*Iz|$=-Wri^jI^hEI8*le?R#A`2vVDsGBBQ@vz%B)0Z?(Qc z0TBb7{;DiCavsyTg<;T1jJ?toW7D{LW{yVeNde-0pci3o??p4{$@A3v3KacE_?_c3 ztI7GjLEG{Oa#9=n**nuda1)>=SbBxS`jcZ+fumX)0vaIE}2G~bn8wNc2!)347j~Jlk&h( z#VSg$%I&rjH{ZdPLIK!nXlulDXK`>;gw)_uBKhxLghgWo=^0+6}LWqRt(qFJmt!}#6Gi~iW ze+VrHP%=_qcV07+`k(15&nhRDELO&NqKj#~ zYcF!b%s{UAw(yDCubB6&4?-0imlObigAHgDiZW|KrXMgNA(J~WO#Fl+mjTCTVL}VPi0M}6|{?Sf0R=zKEIVwH5&bP z=uMk1K^gjrNbr^r$mg7R->{Hn>md@ZwJ*Pgjo3vWLpxg2*Ns%zq`|ieG1t?+Cc`=nZm3)9GjF zC9dE}Th8%-J=zh_tLYn~(ZY{!@IHhJ=sF))AF z?N=Kwhj#oIjPZ6MoSlkifptpW5`MPUbcgAb-(j8YF9ryoKQV61K zC<%}dJ4aTF;^@jdHpm)x@e%|k*ck8yNJIg$PHU~>Iy;w(IWF!H=rh(UjMkhzsZlWk zG_qCCN7EuhYC_eE@vu^ya1xiED}=wk$qY>M_|(Pv7=0>5>u~OpbhH9yG7?S4lv}MpqCvTPToO4qV{eKKICbpXt80 z^_xVL?VDxjxu0?_Z?VzJ8@a~lbCfki71{;;L+&Hi@gh*OD$M;P#j;0@{5u{J%N#6W zD61CYn!>}OLY$w6{HHPZcqpNYb5fr_hy5OCU5!bJ0UaYR%K=oTqto6ZJdE9pb{O>? zd&zbPbU@5|OFtlF+lOPiu)S8*aFl~r@rCqvkI+qZfy(7S*}bxNs_lpmtKHt^W0Ge6g{4TsfMMlr~%d)E7z@pKC&sOm;g9|Y` z4K|6l27SvM>$lQrq=>|ty{&ZOtywVD%^M={lFQyx7*F(*+GP^7&== znH$(_=$p{cMDxZ9duvwW=-z^LrsAr|Plb^Q`Ke;gj3s8^F~P@4gYgoX}~Lk(#lqnpG2ON{`=FKIM!#u8M{odX|UXqzS^@7yiG4{}X4y~LpP?}9zpU|`0pZ)|W!YfMj>P)hW zo!Ni<-Q;_#IQ5O8+@frY=Ml}q{ii>IcBL2fJQROVC%O@cIEas;_3v+ga-3V!SbxYO z!m8C3^UN?Hgf6QT#mUXx*)cvb?-l3*A;45W4^yTwKRFU z5CxM_bV43~F&mAW7UJ8!BBf^tzAeJ&*DeC8$)x$0u&cOAXWqOKcI@jwdD2ulc^%wc z56tJK6YcCbJiG?l_gdM-ZtybRsjjw?CAna`gW&14>~DYl_4Q@F%`D+znYX?#$lpG% z@)N!vz4gP$I8|@PRPzMWqsVM4<$Psa#u}#g@FVBUP;VLUD&)AmlK3*OoScT(e1<-J<0euj2=V1bf zP&(8+rs>()Rc%Kx%482#bWWjDB&oR#FU5?w+HZlr0H*mycf6qC`>sOp1Z!8gfYsBb z;nw3q`c|UQYu&OvJwq)Uinv2}44LnCagEDp1Vx>z7$&6y+Ve4exkDH1$5vsSf&uTN zzxJtip(82_e0H|$K82*!D5gBdf-+M!bZ8L)TDs*P)#Z!NYWKTEYxy|?k~kenX0<4_ z>pv5S$YK>G(t?7lNH9&dz$aO0%-hd8HfY!k)eO-oLjo3Zw-q~v%Ou{2ioxnV>C3@n z7wJ$;+P|09H%#%*am`*W=5}(~Z{Xq$CbSbFHY5ukZQrB1tvBS$w&vMB=Qsxm)gUm% zLXr^wvZ|^?7dD=&>*%CV^AxyD&N{T}<@1fH`eTmE3aqP!MsVwK#f)f`KvVT?aM{@` za?^qhf58=bcf56xFLSvK3}LzY$4xyG2tV(bA?7y*sU`QFwir0(V<$`Q)+URck!>ap zE!3k+4J?+kO*(hQ46JmwlxR*n;OAk{UWn=zO~<=5pp7KvbDJ+}nScT>iMs4&N91VJ z=G&H#OJa{J636fAh6Li;!t>spPc{IVYVFQ^JAz<|V! z_=Ra;p~fz*&8Vz}j`IVrtHX~ON^TN1;z~(&GXsJs0ok>AnTrAROBOVf?}vjUbf^4X zj>RBp65QziR*d_Lt4`6^#Fvbr^7NFvRYe07EIX9`gA=FUyAwa{C`3ZiG8^C$)8dU| zy!psS?-FFzh?#kHc?{O}neqT@H!b zKOfZK<5PqjH|{u%ecfF=hy4t&FVGKj%RxBSWxBc#%O66V$3C5Ya2GHONvZdU-CJ?| z9tSwkwgOvol3C~*z4ZY@y*K7eb`GDXaelSwlpQo!>QIPc{dgSIl7Ys0eG)!n9- z5oJp!a5c?kj5V=KkOd-Ohw?L_SHNlyAxmzR^H>~rv!+^Nsd*HBvPl~HNRYDy8Qt|P@+_U>zLbc z3LW**cHi8!t^}?7K=m`U=)t(7(@8W@@D_MR^-*a5iOL3y)f(l29-xK1Rd9j^z&CU+ zTQ#t`l@TV!pH%YOcl^Oy!{~xnhkWtf#vBhw5t?T|`FK{=9QrBw<`zdjc#lp|-S5f-p-OF4bC5+h- zdlrXWS)>gOF{agpKJ`kbI|Yck4}shi>Lj^Rc*05L*7&ey() z=;}g@Y_!giwF)2i{{-Sb=qprUuBSXL_9-0jt~~_nH|i}F-^7&c@=$zP=fQ89>>-J-9JyP~x2IAj zg|%!bqpBYQX50!<(VAu#DM}gg@`B9aS#Pq-BIxROCXe-b*KuJ>Vl8_`V*%4#O7La;3nPXZ&PB={69GA42uCpJA4j;#xT|78a{2ty$9>_iY{|MHc&GHfq3 z(w1ULTHUm>~A@$u8gII@}l!{T}~Td_pQOf5`nV zMHv25VM9t0&rSy31v1sD>kCfBsVn9ArJ9y@Sp{>xy{}OLUJ%V=TNU;3|sk@1DC3@&8M|h~L($ z1B7Gz0?yO5dUd6E)BzrBdxBi@@4_ppNa;YKE^xp?I(6mwGB$%npc6?MrTTYwS%P=s z|GD7@wRqT&|Jo4Dz`HdwUNeBbQ-CW}6K(T<$Kc=kY!43cBK+ zd+2D$d>*3<)%MUPwsb=d#{e}9bNjWckglhXj#ss`AvFDC@cXPIp0mT{6eJU(zT-Ds z2fqn_z=qwl8mbxZt-8Z2HTjo3-{5 zpv;k(&AGOFttY?QFb`-{HJ~VW0aq1!wEE|VNH}hkAugXc_G7LfHh*wX7x1?X@Jf_B z{ky3@p&Em%99fN7yl;w3Na1bD#yLj|Snj~Y>5aaS3ha;02?YY(Vk?kBK!zfWj$9X% zn1G||1-|D($VHT|Qb8PY#eLPDxK_;NoXCA>e6|4E9YMrU`^x6G@;&ZeyNgcxbQU-v zWyn**#cJw{NH3XBG`fekn4p3&-8Il@w zfS10H{-UPZUF6VR;<4PfUl>>6j#VrSl5(QN8#K4JT6N5H$bRIGgoKY_rBpe-`?7Zg z*&w`O5-Q&RUCn7-k99y(RP`tg|0gi89&XuR>DjLf=igrj8!nhyAm9ZwaN z&j9mvfd@tEEle^>9RM9ns_XITLutFVKg>s<+>_GWhnx=uFJ`!T%Lb7EQdWaP-dVss zJN6&rjsAr3fEVeGt&F1iD0&ZJROPzb4DcIBblmo8{Fb61z=Xbcor z5YqYmI|l`s;JCM~42)~p1X*mS{crlnD@($Uk`d@R451#F{SpD2(Nv(=l}^xJhl(U< ziTCB|n0Re&vKReGRPx9FeF6EO(Cu>Go1vng#X#mxJTi=i zdKhx<(Z|4YeS%6v&qTA2Zpot@9bB$nt&U#lV$ba7Fp!~Y-IN#5xYiZQheu&tjfCa1c*+0Q$9*w!@vBxy$}R z0;OU;p)9a(wxxQ&M9cz3xN9ou*iU+mX(AfgW1q_gq06+f5l*#+@5Q(;P2LJpuFuWR z4uzC3sFeRWHo+cJ8>!Mo1PE02In!f89n{Rw$jJLsPO2iEHmlhR4@V=#(jR4}1TnS394y4O7S!18n=ba3Ya!J%C@{LL^;|@r69csk#2r)+6P8M! z0#BC$rF$~YLr}5oBpi}qmNRRM>jN7{pygtJar-dOws&Y)Od3E`4e-_nNVPGmF>=2M z?#v!6@h*+X+x~JK12^pf&U9&*(eQbSRAM0;na8(2ctaYQso0K#bt3<;SIgS_hB2%B7UO+06uzE%{JS>dbAzFG@M3*Wn=yM~> z2Oxz#g!;h)k}T(a`I+=y!1G}&URpQAKh$Sh>$}TRCY;2E8v4U3zGc_(&E(KB7~hBe z9DDpjGO`zlB_jia$By!5gZl`!PF+#jAN@Ff!^AQgmsZS`<=eBAfSk&N64`VUmx~6V*^s!wKjD zI$|v)Ro$?~-BVHp?FZeaEh?b05PQ=73RCve_Pb2rrtbPYYgVBZk%TL@PN^g5j~N;sCt=;=!6y>mX`7%{%7ia#tWsNs13WtrJj zTIxZv;ZGU~=NzO|-k(2r>Kyf*Teoh}>MNfu)jW$Mb3J?Z@H_ADlTVr3@lx4Ca z{yU!;rjd9LwcVa0@?qf&sSi>5AL?$8G0M7+8(d(EeT}Ga=M(9Z|b_uSSWqd z%6GZs`53ODm{AdDa_ITr%-UM7ms#f7)|EzIDJ?a=*1J|txjSfj@K1de3Mucvp`q&^ zEcetWwgiGoOK9iyI`mbrTThOsZWOng<2uH|Nya)3NseJoc6iJ-eR`|(+)3HsmYH*6s_Obeh6F4#r}!A-A@#RUz2oe16x9R_#mUo87QTR}>$hkS_j43Bg5o@v z%o9cKRK=L!AK_S(wvV>FCA~l+%b2#udFEouwDymO9_YBT6jL^K73K?ZlfaZ2-Kl|R zB)iRCY`EtH2iw6)9SVwaa_HeFXzWRxZ4>J(bn$IEC2JXbVZMprsj9Mi5f)H5z)8AR zWE|zTUUJqokWo?PsGyg**hAJ=K z=Lm{<;l6)cGZkwg@$Rps{fM}HmWbu2x)UcrLvPy8UX2sy_!9mV3nEKSHTm;lBSWVX z+GD_f!c7e>KcDwvK*(bdw>_?L#U14P5XAF%X7ZQ4rLcPFdB&!u&XJL476jhwg3M<@ z#3xVQY`no zY6JcBpSE$Y2K?a?{t4&Aq^jMhJL%!&< zwIRfCRDMOp5tYvCD^!1ceG?;njpohk#`WNmtkza8SrHFX&|X@>Kx^(l3W%|$t-Gb1 zoo-)HZ&BKcMK#f-Z@xeJtWB9Yx4E+M;eyR^Q~(d^<0gLPs9&B@ZL!e!yZ2tG+IEAW zq`9bH&x3wGKCSh7YisMWsN-Gx>I93{|HZh(WfNAMErFQv_O)@!p7s(4^XiFjoYN04+CAO zgv}&44XRnM$Na*7ylHr`_*1*L8={aPBO8Whv6zsb;v|S?a9QcNem_=VB=y7^J{9d| zY_-RIoomK9?gGI@`VJpBN|Jp2ogB1V;2C)h4Woq6BFg2(Vo@*tN2S)(>tUYrEhmnh zW4((STX}ch?Rwv6trZ>zQGKn#9*SnG{Zkx$Dwk`kfXly`${%$fp86u}xXzuBJb6w%R8#-u0CV19fy9=c7IB!ah%ZaB7{}*>}9oA*HwTnK4fJ%rGN|&MnB8YTKi6|i| z-AW_U9f|^ifP{pU5+Z_hN=t)?G)Q-Ysj~M&8W3`<2i@VCGvPc!FnpU01!l9Iji)(uBi2+^4RYlYF}Iw zPlw&z-FOlMLj$gjH@L~uaLCXc6HkWwoq(>e_w1*svGlk@uLtI3mOj{Q90v?8!~I#M zf}CQcghfS;ux@D&e}(vtT%)=}@U~pZtdD1ni>FwLM982a_fDJNR zvtQO!_uE`N=9Sq)E-SI$v{-2=s=AXW5)zG5wc|RyXuT%fGg1xlaOvQU-dxvJH5lBwjKK}dw zz!hpb5SHL|NEf1Lq{1USyuh!w$?HHUSAu=1{)JMXYQj1%;ZmN;nZUtyQSP`=%A#+aJI?i{ z?21~jgMMp2m%72-6VGOR`-L6f9^Hmu_|9qZ>T684XApEDt==EH0$W*M11^+D!} zu-CLSiS#5U8d@l@mpScxQB)+|qmStE%-V>bjB70_F;icji!$!blU{zgHa=y(ss;{8 zO1gn?z?`tVa9ex)AWTSotFZAco3%}nE|e&nu#JkmT$!-Jp=cXxWB1CS=Pxx}uiP)YcmUqn zGH*trr~cNrGTq)feoD2Z@<{La*T~O)UtfNsal6Ro3x5AwbP;aDwLB~}1s8Sv$&?iO z+8MFaSnu+tUiYf+h+ZiuuxCQ$3>)%ZwX8g|7zhuXN|A^1CY z8KnJo>@#1Igg*hpjsm$tq8nI~Hpf)vD5c{|>rMf=-|M##PXTQ)q}lV96Kw8YiMoBE zZe_xAZcm>cfv|uRRFr-|guL-+IUR^kh#W_7#3=&m?q0_8N@^Rz8ol|#(`)JYIV3Ul zwVQpx=J9A4tQ;Qp(|`!KcMFIGIV%~Dc?Hvnc_;V0-yW8$(CK2LzMPfri;S;B}j*PC2PBmm;i&r{t~?S*`eH6kTxf*Q?>q~*W14-PUN z_Utxf<{?VUamph<{N#_R)``S|%LMEZQtT=QNpQ9Rsd1afFaS~mz)2dK1Haa~sXtyH zW|9(!eH-+wrMGr3IW+&`6%Q}iKbxH>VA1wi)&Yt9LZzyUqTr@Wi(Gb>9R&ArmS@7k zO5f*%2TNS(z0Ti5tpWak?5KFp*UTq!o~Z; zG{yeff<=ZpgSx+d6ISA9Hi_lvGi<_T>v9YSP7Gbb103siFBFKkZ^y*@ViUKX6?MtsUCq0_%k9 zn^;;(f;b&V?u=k?2(Vq_&^nSbFf@@!>COphBKaR#c?vs4~#&v zepLktFG}iZgDqdGTU4#2q_YC0;qKv{8E0FIyk)%7;Tf#e;27;PkKJ?7x#!((GPlE_ z`Qgl`{H;4`ted?$b0Vs2Rjjb1|3B)bjoQT>%=%C9YZf^FPQD z+c{FbaT*;CcS+`3BatuZxO-Z72ODB~u-<{unaV0wS@2Gb)vzYw>$$q(g9m)hq4@$b zRf9)ecrp4Haj<9foVU%oy7}Ivl^lchTgTPqd1>_Qm94!s@NA^9=K?R#h=wvgV{<0+ z$_Pt+-|P62afSAn7fMAK51)o78FMn?g$U|wydJkK|E9;)xKbW+s9JabM?DQ+)QV}h$org{<@5~ zC_f*fFq(slh=`02dsq!e_?wnulHaLhHKaUCSCWfh{P?CK_$Xxs ze-+-P^J%Dvk1QiwCpnlh_e(xqALf<( zac4c@(z9IHZfP4I_vMzx$c*vDEUws~WLiqet=mzPY?^C2gD z2|rmc@1IA$|7Iy*ohUq<-VpeZE86op-6~t1l3lX;DwBznXci8VosAqqgF(>ic)mvEtJs_>mTNO^WWczAjB!DR1+ zrtnpEtd?~+*qf@c+zaiQE-yHYo1RArhyRBA25FI?^AN?sV~*Ft5$jZUcrlzfUI&+C zX@*I%DhcswvUTOufffKp491vuj6&}mlL-_;2P`vB+t-`$yc{FMujzI*I6BvuWtx>V z5!2~t&Fj?+BcMy}ukF9@B z#jI_Z8{UVdM2w1-(%rtN9$w>cYlA$1`=$zFQvz_qAzMbq3orY3v1-<7uu6Iy@8 zcwp+#qVv%fX4|%qw!o7vP!TYXQC|NX@8^^h`(u6{@uZ1$@`C{(*sj zFJE>=2W9~|_%%$rl4y`{9#`99mK2DmUV-SyBcOhS@YCL@j?Zfw?60_ITE0SJ-0&qR zC^bB&>6=j=K|Zau!=heW_g)`;=9a{*1ZfBsXA570z;m+^hsx=Zf}?L z(tmS4govyzFuJ@LQfju#mqnSuS|I85*s zAx}2YbQUO1!!JdW5O#DbJpzOrSCaM(r4!g5nOX=$AMgQdJ~Z?S3px=c@2+7*vc84Y z``UrsHe5qmN@~&>vfU8dY4*Q(S}HOZGt&Nr6|Qrnq$TzLnme3DPLuxiMMQ@qjtwRT zTvoV0*66Gua#QNBFCM3VMOndE4FCA6_E9ci;Rz9Sb_)5lvq+FAp4UJAO3J(8|H{oK zqfs=~(Lu8O81K*3+l&AG0?rp8!-LaohK2}XXyGf-8lL7~M~`KV5Qw+BpPMmg$RpD! z2d2*N_m|15f1BEu^%c!+_kkO&ecT@e3>^@*l$YgN{{9QX|Jh%_8apK{c6ZvIN_u=^>A{mF9whi=fY&+Ze}J{59XY=h4;{_lLDuM{_qA z|3LSa2U3jAD~zj0;H3T@KEvAL6G(78zjw+Q^{;}=>N(pR%m#WqZ+EX(Leum6jRVkx zA6;_sNb$u5j7dz-D8^=eziL z7%}_g$;Q)(yYd{!=zOct_C4hns#e2E+tn(Q@s-bBWoX^I_W%c>6LWvbx6+ItoI2%_ zG7qkN*Dmv!j(AYU!69kk#y##xS9KuU259*?92GzDHD!U{VcZI-f}M!0x7B#zZtn{U zXg^yn_2saVr}J4fMCV0fA*~#i#Y#_b8WiKm^^=mEOTPX#*jP%Os&+6Ilf_c|y(@rj z&Y#cv(be?|XoG*Ao-+sqx!4UjoyqB73n#JX=scZRj3+s4UeN$k_PUslNWO*-xaIew z^BnBDXeb*1A;7!=BHcr5Bx|C?N$?tPgqBX>gdj zer0T}d*I_|^D27J$6uF9NkT&21VDfF`}aBLT<>;-xUf^dNvIrk?`LHv8u6N7UH_Fo zc^$nHk*32$f)Gje$`9-0WTSCcN4}thZ|D%|l)2#N^}p)den=x^jmP(RsHWL|)#-4} zGQoKh|98@3qXW)~9!H$1?KP0hp&Ix=WPq!JjBpijup?i4YuO^k*Z`L_o|AAuAb(>H& zIH7tzY6)SNm|i}R#X_bMM48QMD)pxWHS74J96H9zwDfI{k4uixgTP2SdK_-_P43sp_cEQLY`z4Dw+zyto-$rSWQidr6(~a*5^1|ynQtD ziHcqGT)^J2D#aw|EfC9V3Rc*U2aEBIn_G$?qd(fi8ihPxU@-*L84%g#;4`@X zmw$H-wI)R}1BPCJC$gl|tn6P?YwZ=x(4q|Xo8_;qXVvss;d!g1WI~P9uLvVma){b2 z1HwaPJ-zrytHOo4mE*Hor86Z{uSFew2(>aS2;|qa_PMW2d`uG$brOCogO@<(UhZSjcxfs|!^5A7b1lYhcpjaC`{e~UCQyNkg+gLnr0<9We9Qj}1a^G}BL|A&!=I-WxpPhx3K>%^z> zFIXdHZwH5is_(VT2+o?v452^TN^=lyay+(b(EGHi5;!n$b@=Dwk5&@4(w|XjK}Rod zQu$I$DPN~IM5OsUGj``JfiU|Jb z8e&KCfA$$~5;Tz>PtbJ4>$Lmro~ogInB{oj`c?00mC44pbsR7z9^OBwZs-NpJ69(& zKRl<$1Lu%0_&8P7_+GTMBUhoycx6(T?)Ex)^z92!RmtW&U(m(_u?i|4e*I)(>{<3{ zqnFY0qVR*eYbOq|BmiNt1Jg(HXzI$$ddf5#u-VvhpS^*U_79-%%NMw`g8*S9e$Dzs zXedeF{?gDm{`e+*=-Jz>0)w|YBQKz`CIjV$@dfHYnKF+93ZQ1Kp%gjz#hsFtws}BO zcAYn-wU4UuBv2i+hk@yjLatvg(u0)h@YYQm{sRbK@SGNxjXDcGI2{22LA}K%xrgzI z%++SG2OFhoi>-HOcV_h4f12c-`Zxn{*sMyTR7j`#=?lmbD`a&fYo||ZH^QG{y z->JY4?X$=i-&7wHubIL)FodfJ&CgTsn8~rJ0xy6j1}!TNELAR3hZ3#uTO86o|qD#A0qvjWAqW z;DIX&yKRt>(2KkP3jJF~C*tMfBLlYro^7Ia;4T;thl1L4Tq`OEG5B%~{a|v>SfsA8 zArOQtD^9H_LYDFz=iODF=2LX z@s;Azb;d|ls{bvx&n=y@ufPGK%q%cvo8~31E-vq)`HxW>PADJdV8gff@GoGut_-N{ zR)B6MAoiNEGW-Ng95A16Ix!JG2~eqr!!#g^36VwT2R;OBu=3hCIkqvbA&_@SX3_hh zArV**EX%{eFcE!`p=Nn)Kg-Tzfi$5ZjI~YKY4gIp&_cyvPuVPGb@lUwGn~5RsP@Bp z{0YOraP_hxmiXsYbTydNz$i+(rONdH1sxQv75Dl(SZnoq4Ia!UR2G7cu|gshHH(?QqBF>RBM~LD>RImS?Rz#tqfC29mq-31PMT z+AuvHFUnE82-HYwMU3B#sE4|{`IM4#rf&YUX4g0^ zn(R#Y$W={wwSU@?yWR8Lf3l=q5k!^=HylSC@;OlP#Fzr_j}rb^dQhH6wHd%TSwoR7 zXX#EG|4Yz*_~}riln$??jQi1WApD}(ITKCqcS^Mn`_2UnuqykLo#qL8nRsZVQU%$rApl&1};<*qJ zk|69%49^4_5QJUzN{c^ORdSDju=2FYFw_KId#;|?N~IxX6`l9Q4F~O3u@;3o?D_|Y zJ4f`w_X|ju^NxPM|3xH%K@}+9nnyMTgOOQUzPCCOi;5_b9|Hp?-z3*T8C|=O%Sc7| znGt8c^ARL0aJn_|0QWuMgzAA^qq);oi&BqESyC}{@tispGLy~rK%EN!0|f+e5|Cpp zHL6L!=I?ydEhfy-EQCrJEpQ7AP9A5`kC@oGxhX@P2FR|fAlrfB#Y6rMqqUc>!vT%IYWJ?mP9OeYi*4qV53Tr`{}sjTnv3EL3C zQ$q3L%VPKZ+#07&HPnuu%Vv_6pPHwpvMkh=NjeUG4JsknRXa2Ih~x5b11fERyOkKP z*G*V1E!`Y;B!IdtYR7H|8mu1#G%CaCSlg_Du5GQDhe`pHg>3SZI?HjjqvKE(@ zLG@v7Cx|_eO$Bf z1X~g>gNr3Qlv1U>LF>R+0yBLx`#Q7$utiKcDCb0Zlzu#WS#IHKE$FU4v?;Nnq7pnW zutrcMP`r{klh|ADA0Gx|ItEdKWkra^j*68LDc~ePhhx1p zC=Efj57!GK-Z;Jy)FQx70DoJ@S^2#_e$v~0d2Yg@Bn(6M%v1bzt091wo5QY+kEo6D zIK)AkhN6*Uu!!L(=GY2Z$&k1(bV+xacEV2qPz^+@ST63Af`SziQ2YaZ-OTz)@UW6l zv$HO+gwoP}oGTqfZQu|=EycJnX$n6ri#ZL>6hJhF@~~lb;#A}JCiIe|B{sB3%W=-Q zNO}dMqd=&Uag=k)>tJQODMDmDE)-_HeG?CUa`Ys$O5x%7FG*hAZq$JCQ-gnK0r)?% zeC7`+WwWM-SEb>%BLiI#IKS0Zl^5F;A81>o)cYGqo!c6)OHys%Ib$2YJ%#FM*}h5w zTbip2JL^TL3aRYx|1E(OhSCFw&YtXk6F3_vgW5W{W>lC3-vC6sPj4BuJFwZ}ca8u; zFA=|`MphB3BVDPEejOD!*%_YD*V(tF$^=h7LQA6p6;{hH2X*|JI?S*vq0XkhNR3yz zMB8|H@6h7~6u>}JYUqA@&`*1ii*5%Wmk~Y%CiEPN^f4nP;QnfWghfXmv@><0gxii{ zHtZrN!THsSDie2oXgh(W*RR`*<(qzRcdbGaVSitrcz&$dZAuV;7s&94V5(5K2J09t z^uY1geUzNUf#NU_c8-`TF$MzA9HL5?j8{KVbuw`7;F5g+x{AOYFd<>M8TrU0)c9vTpN4{HKLHb`mi@5Z%Wbg&nCZ zZ@hpy!8VAZApVeHy#u|Fy*&}q@+NpJ#QYby1%zG9Ap9%mJ1gWYKQk=I0ALiAoHp@b zgy+_AwB=k~eOt>{CK>Z8y7u=fJkoYffU>XL zcUn2dpU>vaaQ-@!EEzAS-aUgf@8+?4o@W`ulmuYCQ$$RbplR4otAu!mGK&GUw%|$n z262>3OALAIFwraE$ROWX$qfv1$F^`$#6pF#+0OyBf7dIC1=RFp<%K(2oOC zD0-vF8Y+-lm&$_X@@|Yy?8P)3(oxGpj^jrcv*sW}Jo!q78A3TAO47E3bNN-E498po zlZK+4+6c&KVU*g_dNIe5H(T;H2)}+PCmOQCnx2Eaxwtap;I$*j8sW(e^5{_Q;7m)o z*5riT0;Bj|9*MnuhFnrZzeDRo?rN~(J(VD&>K(TDo@HnOEMbthj=}SEp2YuL6nU#5 zS28*)uL076*HPimK<;s>oR1eHV^J&h z$SY3pP44N}s=JuLVpIQ5x3qv9?jq!6v-F<+rfbIuTqhWj#XoXE@R6Vvcyf3H3#w`c$n4@e4!i2ICP~vp zq3DC6nzk`1BVwdsA+lp)QlN0<=Cj}xtB;wP5~`6B8(#|Oczf=Hpv0$$4e-=uIX0jC zumjM{LQE!iZ5MC}1gF4TeuNM@4G4uFq;2Lx>3Ri+pAeM%pie@44(7W?uz1z%*`re|bHQO~jj0MjvFK?cJC|Or-7<&ARgpjGqmJIm`+9Tb`N99Z5 zoMt)1$X)@7y){^EOS{7oC?il+f@PgJj=1aqi)+eCOEwRC$6R^M-v--Z*n<}Sf<71v z#wi$jyCWY#&P9W1I>KYGG@Yt)f^G~0UDHYtp6J_XatqxXwIk`*hmqaKZIcrZcAO$8 zUxk#SDL#BKQEMo`=_-_f5InEtuV9eE*QIcTi2pK?>D*jUPSy2P6 z4G0vKsKaTB?NAi0O%4Y!({DB3w|`gjRsYpCA-R79YHL(xa5&P}hZ`4}P~7`U#8_;c z?XqY9y&ZV>TKC;oGV*OzsPY*gR4V4DEw9zW8G3;2DAG3XJ+dxghqS?8NrJBMF8I+h zBRr0(9(u{Ha?lS>Cua!9YI`c^%z(J>_{pjG*Un-tkrxZNE(^-UhU2nh;P^si?$}&g z8|Zl8WlcRm^(HxpyqevF5h;u~gOSSqJDe)Z)zYib54`Fb)`Sb~D{*mgi8DUzA`{7- zVR>j<0GQ)tg)rX`H=VW9@L-7>F0hgV2?UyPBG; z*y6?s^vLb?gqM&V*5w1`ewGk#uvi@z94Az$LQZ`|W`CU(^a`f@qYo=8B2n!g7Ome`K|*7BHH=>_`8=7x_pzx2f>FZ|#Gf%b)= zFYZNc<&O75DWFflecHUd+|Hg|sBcHmB?F)?G$dL2NNPhW4N={FTG}wc9pQ)IMx$`2 zNMJgzfLL8w$dlx+VpY5dE<>hLxM#8^z89DYut6*?uCA+_=Ct7DBu^mp zA|80apRJbr&dzT8fXMzmG=@N>Ev=+(?m!#W$$_{IJU=S^0yc;cPd@AIWVtU2n_&(< zrJJMr!j=wD@uL(8pf}JSkb0WCzevdoE4H!n+x3xwmY&PYon++YqyS6+DCcmSc{_>G zKuvaQV*}0eKyFo{6#*!#%xzQV9uRe?uo;LzqzWhmPzm8xac86e@5E;%4@r?fisS*I zrCMJ5tsJ8V$O?sgFkt@Jx5QwczAByY5BQaK;VP7Yflnf%6cY#076d6YD@RH0Rvhxyzm(Bsc z0!Z>cFYgT87hQrA(ftS>C4wE{%Ew1 zrT|qFP==rdvRCp)-N`nJ-$sU_reL zooawBAnk1L@4wVjz8|29AZQZmaCexsiS;a)fzPXnRGJDrJppyokv+vjA>)DJEZv1{ z!(N@7Hk!r5{ES5uodC#9RLPQU#%ehTnXF8y4slg)-cuVLQBtDo=>}v02_vd11Cj<1 zE-48jBqW4NEYNNT@MFOgJI_*qSToqbOKR_9MKaQ@PEmdWO$tck^w0cOoI-OQ)8e^C z(eS~VZimks?$NDW^JoeOT1^mF>{;|K;)thMc07}AAw9*94==8ysu~QFRr_P_)<1G^ zIJ`~f4CGV5jlBRFq_vpQg1)7xMKh#sz?eZF0#^3mjN&i`%sFG=6zlR4^}k34!D8;+ zcc04>5l+xWKsaP#wIZ$>i3L2E7M>SU`&nReg{<9^=syu?Ziw1?L1A0@ybrAFsAzi) zTy3b;ZokiWs8DX$^AX~Q{aA0z1 zaq!J@LnS#PXls68T(xstdRA5P{)Du``O0&Ot`&LeWkHFskE19HLL0TTy z_r)vIHNJ`#F4q?2<;a(wcnxKrSt*-h)@9UKVN70c&Ov1PRLJSDbt@Uf62!On{-Vb*of)!WTAK5VqnV;Xp zW%GfDVBmfqQiB&4kXjLL+qP*T z8f-gTt!HY%kj!deSJ6|lH&J>wHMrsQ`-bjawCr6}C&4nS)Xoznb||>>2^2%nVLHAF z+BWIe8TsY7;lYo5xpifOn?#Bydvhy-X#%x@i$wcy-#nb-vf`ma{iqrzDiQtBpcpSq z+2DOy&b+gx)5W!~zyBrL3{mL$9Wed~i|0)IZ#3+3<{%R7%>^9uZ}p@1BREgkq3Q8s zdOGD;4JulLf=ZFI1vG?Ox5ZS01FRW7^ZwI3S~!qv!r#TU9+CZ3{HQo0B{j8Su6%q^ z;LFPM1LKEx(gJ0Y&tBXns@Me`&63VNc7A z%8)wZSjuV{U3{Up$mI zLdVNjw9#Kr8VGVCRL}0HkId4=Qzc@>4>$lgtVVuSk|IG7*^knpr|o@dOuH;pEpS_P z2!N>u)=CEO399jiHb)1?&Uz8qa^gS24?hzNRKLW|sv%@X)jrfWZQZRi z(qDC@hySHDn>h1FhIaiIWEXVtKmWY`e=n)R5cO06KLEwaKZQwgyuWp4JfeTd4s{$( z7`m~v|2q#6rioouv~mjzdGv@LZISqtUP*|tX-Bw_heY}R>B&1k;(HA^E<)!m+WxVh za9jnv&GyKVBR6c6A!93n^gy5agvdGbdr^1c>ts&;(sL2yB?&AM(+ykMgQ^Sn%EILc!|~5EPm7Q07XC}ipvKta`FEbItD5xQ6V0CTSO-#Gthb`6!IXA^ZR1Iw@h&50;)s1 z{^LJdEc|ItPY=++v~XyJ>;KVIg821olZvNM2IK~>Mh!yQ{_VB?c~$Xz!g{v|8^reI zVNRh%oz*a7r-SJs0`{MM8`DGhZkeCv*0+0qx`0s7PBMV~-(K`z?63=`N~OQVps&rD z@qM4?D8XUs?$Ma`oG+|7ua-d6mmBANC%t z%8b6!W7i~o0hcY-+(!VWFCCWyt4d1xP)OJBsardil=|yeQ>EnF3eLUf8L{h)P36zK zHfYFnIBz&AlH?v$_$?ffO+XXqwuWXfs2~O66x}7yTp`nv9SaoV4-N5_eXw3>y+GFy zlpr&<$pmdfAXXgPPgy8_GA9@mw_U0WzTkgpfxvdQh`~Hr?@RF#(~A1Qqat3HpjOj8 z9~Gieubc;JrdVNjEIzA|hTJzXO6vE$VI0&7ZO)v?q8z(XZI4R(zAi}ra6FgI+uT;mm2IsKt5Ii2P zV2yX(e@GV}QMRlK?(Ki;GaO*08y!?2%I(x#?nYM?;stTQX#{CEp@R!))_7|vNimE| zBCkaQ+{Ak4rzO0EgfQ!c$3+B)B(uSfp&=Xuc$B1_G8p+^A2|#}V+xn5y&KM7yzKFu zNb|Jy%&?)I!+c#C=)Y){{yftbG%4f`_si|&@C+&Y@kabig<8yi~& zH4#!4Lm|)dc2r5v6j2wgh}P}|^uE@8A}PG`qg{mwAq*J2NEZpvXg!CR0EFd~P{jg{)m|Bz{w7Mk_jXt66Lf=0< zASe(2il2Tazhp!ZTrbFEvLWXQh{&jd3K39R=blPaYwMbstu`dY=t1{g_oJ#$_N&G2 z7)Dgm8K@cd!<=VaGnFo+U6UMrJZlO>)MX7@F}@NTLFKw38#M4Z%9pkfyS9x8-YtY? zX>Jj#k?!v>CKX@Lfi*hdn1Xoa<_1G+DphxP{Lr3aME2g*uc}rOPF)mI4J@NuL%sl~ zKv>8hk>xMFJkYI&Aq|aK7mBLZeZ0HT4qON<(EWs3J71defUGh-VS%BtV z=&Hze&VVLz0H;t^K#RAqU4{1d8TnRKw0RTcun@u^E6+By1(`hTF7OocUzYRq**gQJ zbtJV5t?;4iy5@E0W+~_f4UmV__3}{#IvwnC1Q{DmjJ`K420gK$V0e*l(6l9Q47xi5 z)Bptcsa0E;%*`I7$_VKCPwvA*pzY(26z9P4rjvKI*Pp&jpg9bo7<@L+9g~*%Qw206 z@CHB|5P-G^@^u^?3M$$K!*Q+5nfQl5Q9$g53c2-eEU*KA@@Ooyq62!An07NJ=VHj6 z(N-5o^U=1j!a`5al`lUX%Um&ZuoDdI;c*pqn|VA`!S(@_NI;4UY!z_9l0Vze5YOlz zQ9*hKJWAdrNIEFmILlmcAQ`N!=vLnr2|t+Y$i5lVn=mcbSyy@!hm@SwyM*!mm4rxF z-jO-$=hvWj6EsD=Q|qXR1$xoyX6)uSop$pdif36Z9r)UGb$65Ot~7~+7n=9b&^k8L z(BiXMhCzM|t$H<3f`KQ2YvOoU|1hoyDr~yd@DbSmqy`Z7VERQpKYg@YQ|M4r*3^V8 zV&32K$rXWPuAY8xvAUV1IC)9tIw~eb_g;aGMfT$y(OqW1F+={m*zfuTmof}h5&tW$ z;Lm3im%WV3Lv;r}1%fR1D_bRhLJs7tk}gCr;b>Be(TupxR|Et1+F=7%H2e+oWkI~k zeZhgLeQ43E@%J-9S3tP8DO?0i=MiW;gNF2asAjH06oTtEeiI}@04YBQ(GP5x0u5(% zpo%*N90m$T_wKnBI>%S*L9=_?>1UJLr-F}4%tX*WLZE9<(}SG< zwf+3Lty5J>6@N7Uh@frVhI%2TV~)G zab34cSiQm?YZl2dGDlc-7&>TNwFU_vAh#Q6*e1~>s@kkb0-^v)G_^+w<$OnGOgj^f zM`?otm}ys=>(gG$HqXz=bTt*fE3U@Jl_BLLd-xEKJmj1*8GJoaBIQ$3Qf?q3hfSko zWTYLUvRR#n=nW$0EW8r$Y;4A=%!mulWiH!&N}o@2=?&6$>i^*oz*^6*xC_4W;x)}T*d5hONG=$2rfQ+C?mH%sVdbaEj0%KV^2 zxG2~?9=mWvNkTuTv1Wp`Ai*i+Yt!~O#7gb-iG_!@|KceOdr2|8 ztdGQGUI`U=qcg9)a*^V*N5+`a4DLJX%g>1~OtTeR7 zbQjz0T#jH5uwg^e(^n)qsNmwqs(5YGr+<#{F`5!x5o*?2DqT%by(nT&T*{p*)zDCi zd3HAf_Jf!HFyB1#W8N)CR8)=;Ari&%QzK1xvT820`^M$Njxs_*ZFvZa1KIQ z*6i%@+X-APbHc(?Gm9lBf82B-BpG13O-Mo_$vg+rju*-aEvYsK^_Gi$(TsRJC4%6X6^^_X!&LM*`vPbiiSt5t)&qUq+~wVPkk~c&_4aLuQ(7=UC9|! zV4*$k3=>Zb*7?2C2uxK>cxjoE`d!~tjVIBd=b}vGi03Z?F1B7qJ2@8ODe|vo1>-uc zI2qar7l&2sHgHe#c@m@~fQb=P?x!?5HYPq$bA3%ie-y?x7Ag;nl_{Gh+ zK1aSaiM$#&WQEy1{$8HR8g{!LEYb9C{MhZM83X4WTDFPq%{)?A)~6A(J|U-Bh>m9v zEho7$Vq-%x0S6l*7HuVg$D5*x^v-p3I3}g1Qy*1$cnj1knXrfe(?0Qih$?dGL#gp( z{5Kr1qOln<72$=92W&9#FV43lW*ccg+y30RlapnB+Wu^sR+#num2m6(By?%F;rJt_ z<>6A!!jzPi2jTW!3u`vXg7Xc_z1saWWWprUvWlpk6qUwFFnw9zx3;UXM#SwyBV*Byx_@dt!~N4%CaIeYZ(=XDT#4zySD{A z)C=e?gw37QCAuLhrh5-*PWoijdc68*=ja2|)kZ%!A7cDy*Yg9z4u&>im8a>Z62cvL zT^af0T{Instwehf5z|Jn=~>>n&o(PcPHg$g=veDQV z_u^|(gXOh4;sGO^#=IY};f&G)ow+r&w)kE)D&8^D^lWYiobjFudNQLlwN^jJl@CkC zo#QMMvPR0tXAH#7%-VEcH(@Dnc^$DM8zlHbL!FLp;sHW6bEW=itXotoMeXN1r>?Oc z>>ERxsgZmXeaYxW@z?GOl4p zVqr@R9sg8?NJg$p$HG2r8=9C9SdH*XrmstnPm@j33;2TzzEUaad~Z4V(qUiBn}Cs` z4`@8t%TS12$Vi|_oSZxdbAx>TPWd4H{xQkQW_SDB-8U&6uc`$6+gIR*6C2SsWzL2zn4fSQSb8z;QwbSxwiLY*%WkNXJvv;d zgU^DaB|P?`ZhNeuq_BNn_azdJPw|lccjTdKxwNP5xi%8SoayW1Q|mbD#Id)#%hhn! zf9GV4lG`H7G$)~VHLDl%UZo8TV8A(cI1oTW?{&MWgI}sKzFuh-6}7H@i&YvtGGXyY zl?}{5vt2_qKQk>eE9R0#8L6pwNyFZUe_ zOqRXVDjAXxGXHk6Wh_n0R&~X$Hiyn4*gg88qN*d`6;*8*sVd77b6p*mPe~rl9z*3H zx_1n~p+|`tQZPNJ_1}xUt@ZY;4m0l+I=Bh6B36TB7J>}Z-PX)k>^C*M2{z|HX}5#- zyhm3Edlqz1ohstRI-g>EicDDXTcaa;+u}kJ?9A$$eBJG?)1w;~xOLr#sy;?tXUe~^ zT+Q6~CWqt*b7X$j8q0YNjyZlvWuA!K!?$V`I`&Rb2?>IfU~XoW61Er-c`DNp&^~55 zSGu~spVF5Q#)|u{&Oibd0#XbLlkJa*bMoq+8}FC z9f6IY0>Hjl1^DiIjPsorqV;^VhzGumt`oC%$?3Egd{Pf0lZ&h6l<~mc#B!7HJAyz* zIM)SyMc9uJ>Z!Fw#j2j5zBSFuh^CXe^T-;(@P`k*7eyUT!x{?M44jlBeSxDZxws?jw)o-`X>f>%~OYswbfj>v->af4SfGGJC%qTumVOj4FeT7!HeEKbX9Yg$-_gBZ@Z?90M7#y zE(j#IZBiH2?PZP>exGDEytf2OV!gJt9FvIR# zt}V2Nq+ZN%Er9y{iH|8_|I*XJ0ucMse6)}B+SRLm1q)}u`4L^io?(EPq7kL_=e6E=-(ji^t{6PsuS0WR{|8~f zEj$pNU(o&fkQ>E^5Rbv_gvSaqf5l(wi^d8}_N`_`DpQh=OGM@fos_RhRJK_ogqJha zb+}?M!8l+7ULns$j%Nt@#coH{3+y71a_^5XPaN%9qjk#-#?xNC2=D=$f znP?n(!C`t47jA?2NcMmmO234;*6zv>w_nWTV^h7!P{pg#JbLDxnrbVZW8k)rkEfLP zmCHtfYN>4&g{_2Tt}CK+Vrk?_g0iJndqKgO%a36R*6f_5logJ=zHs`vF!wgDpHEs@ z768iqT~VpHGHs8nLFA3lJ_HBQr(6!o6WLU(TjV~cxFg_DMi$z`5MQ_Us>yK0`2DMm z@>lqPP07tE<1Y$)=J)9~lZLzpAP!|78)P*>KhB5D&M!Y;+1sRjN)l+ZcU9q%rXv&Y z<-RE9o%C_jXJ2 zIa5t@sQGw1A49x2ng+-#Y16w;05pK~JWf!T?Q;6)`Vhu{y?x%TQUhx?E!O5dGNpcJ z&4m*%Tq(I1Ip|yF-P+sR(~5QLRUU@Dl!dUcmn*if^DyMD=AKsB^m2cD*MCzO+i?XUtA<5)CE=3@U{w0W;-kMXJw(3q6fwGyD$hu(nh0B0dKzl#v5I zK0c@?d4A<3*@6VDCRrDmpC`q`npoo7xCKglhvMm#eM6cHLgwSP_+e>2LQlgcUs!H_ zr0M7w-088@(h@TNk-k({HEVNoGby9&E-5i==)wajjL=fRZFZVtqu{}_9d&~eD~v1Y z64D)B7&<#;Ev%#OOnKi4YrABU{v8>pM+l@#LLPG>y&3XVYroDyc0AD%q4=<=9|&UpFf2LGgnSi7m?y6AP_fB#KmbtBghTUO3ST#yY$gO zdAv)TyAH^zX7mih_Y{cIkcpp^kC1*3atOB`kLM|+3R=#*wUANAimF`cG4&4|AOQC; zAEd2zu2h0lp(7*&7Y!mk4XiKir-b9=!Dk6OZL1|itRjH9-K8W#yvp}%o=h(~BZckX zwpQW*(%p4jJgt9estuspiI>hWM%zI)By{Jv#6Aq`K&0AQZjrFEqK9u!ldo5G4G4`J zHw5rmS&UBuJ@7Hh^X1$%qnF?3fBD_-E9Jze2srj9qjlPx*Uga`fwccD9i5DRJJULq!9YSv2~p|pFhLp>QBgp#X^~E)MMOlpOH{f+ z>c4LHK4+hO&W0KF1!z$7jRytb47w=9=@mt~nQV5vW-&j7lc_?lw;rK=dVQ%w7}hdmCrn+K~JrEP4E7=o$i!hY$IBKh&i0!u741y%-OH((&SECNc{;h90#=J;In_!f^= z;u&7&{mjD5ZAo%NznX=M%Rb7~yVKUDOjr7sMsQ!c6WT|zDfQFKGRvw9+u4@oUw^Z| z=iW1yXNDPHHWIR-2Y@0lB0UdS%-&-=CS4e-Be-YCb+d>va)Evi-JG-H+EF-p4vjh> za`v&mK2XqjsfH#8UPbjdSh%O+VW03T>Fuv=eW9$7v% zABE2osqQvrK7CI8y@Z^rp2*ux_0IrAd^|EqrdK*zMQoC~ohz3qJWbkw-8WpDeS&yN zwWPgdd48Q`>#n$y5_*!$^0Vjo`7((o#4Qv4G6CnyCf;iel(u+P*}s!XII&D2zxLuL zhPU^=v#opU{XojKwTE6*YA)39Mu9WZq)oL>fxcP-Z(o;n%yL!d+@m#EJhM1k6t_kT zzyl|fS@P@AAg-e9CFR4WqYjvDzKu>i7ypXkt)?v*>oV(_3IDSYkGH=`a+Kib;6mS(}-fPhGDe+uY*(SdY z0Y=)E#U7KYonIK7X}u6`Dbek`+fU_e@a5UOWy#6u6yJB7M_ORTmjGE7`ERf+@esfL z%;wz#VvE%IzNnDbGyn~JwpZ1pWIHFH5{>St^mo@EK75^nT-BqwHd5AOwcJIn{pF5Y zndLjiMo0aa9~P3HBH6#EZr~=@sruYGdzow5llli<*i1&g&+XSaCWj-uXh-g&SIaoc zQWqMZ$*5ASooZ*arjH!T)sQ(H{1Ch|_mHFfUx=CfZU#B$WH-1PI+x~$|UKsd2_ zjrPC!@Ig3;(rPG|D{Kb=xWi}mWX#yf*y}s|;Au#MB>D=cepm=Pi)|~OHQeGBXls4-MOs~t3sYcn$G&$# zU5-+>D+6gG-ikWd*=6de7GFpqd$tVp_AB?0@7xN5LwKFh;EmHZcEqHzy*;>m)rn{* zGJHbbMR(Y4>6BxfxnuLrEHz!%w3G$LWFakGR#!GWoJhway*mEgr=ScIx%Jtx4QAGN zaV>B4i460UQ&lwsx$gxdgW}@{MMJf^E z?3Z@g9qcyz&lr)La`+Gwl*+Z+cV%X|2D`6S9WYz9hmP;(hw7ChE(m3d(J2nSeN$cHWTAi{ zKIPxyg2%s&fR3+i!^`FQ>=$j1+V>2JSiLM{V)i<0cm!YG9_RcFFa~*n**`x0%BoTG zM?W~cj12znGnu`pi6v{R>zM$7IGMI?B5E#D22%$AbDUS)!jGcPf&4C9i}q*VwTEIq zL7J)TzXG3|h^48Z_Z@dUv3$X` z<*AFD+y?u(YX8=>ftS5q(W48Qp_E6L{I-6$1NYM!gjW5vx?#L%xuRVJ&~;s5y4w&xMCj@fJTzyGie4em?)$9m3) zKZL#$%+w{)c27Q{Xbt}*1pQxshT{b8d;E1^!In(R6eztYk8b_RnXTt&&-p`>{>98* zE+K6-W-nE?#6R}lzpov!Od$ocOKTZ=&THyd9R82Y@j2^Hn_j(Qxb>GPU@dvM$+viz4A=D`TCARp3Pc`F?V_-8Ic{jdpGiZV(KcD+oL*W%6K#QIU z6lIo`ZJh}hxRPFCwEcQsoVpP5PNj-@@6BIIXV(na@0f7uO^*C^u(>oa**|)0d2^cf zvQNp8N|f-e$RmbLishb}1LFc{xhijyvreErSPqgW)QfrH>;qB=_%XPpk?eSn!uh$` zA1ja}(%>9Ha#t7MarCj zyg}x!l98sK5aDS4(q*hDfFX8#t2XIOL7s7Xc%YH8N z4DrV8jWweEBja-%17lYXn|1HHdms2FpRx8Xnw;039Yy6d$A)HaOdJ`VasDyR4u}T? z=^aK%+Av{#`vX%9X&EJAf8aA??zf#Ut8OH5y8mX^DDM}(Dg?I^{i4m zPJQlPHaFsD=7g*Zwx#{=N-qIzLbP{3HREMMo_mvjuu=!m91_QKY;%k|~r>LES@ zrPvd$reG8dny%ld=8<0nv_Ycq8QAk zbd50rxS7v9Izs`53j#Pp5&>L>8{_BQtBpNWA~z|ky}uWf!^IOaH6QG3u4 zo*{h^m||ar=EocXsgcxPOp*WKVeP+jyB(YRk zJIy_2Wp{mrbZF11o*uT{F=Is)+KyI;B{9vV6ii5=k{tC{lH0`S^M$JCy8y3{ zaPYt&5YfPM+4H$#E53Oe@gvP6p@ic50)vy>2nX;GM`vSKUR4eP=mzp>B|$<6J9o}O z*Sje;Wc+!?;wlCnxnh`06%rg`+s>WTNIUB91p6cN#b5OJ*BTBEo5o56=vcEP5rU+f zVBrv}kYpRlh-2ldrTp!IQOde!p@V*RG%<2Ty_eHG|n`Wz|({ zj6eVwfyWOD#bLdK6s#g$q2s?im*@vof<5NIH&4>ad&iPYu-5EEw02 ztRdTCxp7|C(10PCmw_=WG1e~>BY{Ul`jd04%_~%9HUGq?mYA$i(4q`vvw5Ne!NhTw zeM#nkh}OmJuHrkPu6O;(nJRLdx7?joY6!pSx(1RBlBXJDyY|LxVOWNJ&6>S{EikK_ zIJ#V?dNy9sNAe1t$)lK;8`MtIjpE>~MYPvI=1c~2?X3im%GN2xQkR=9I zLohYRsR2ZaGEByzHMSTq7D&8X+7z0||LoL=)MI(u>lSiJ>oa@WO#TRaoWjg4Lm5iv`7vp4<3bNrRoh==DO9G zeV_RpmkE)bH}pg)U3Zp@*tK*?tQX>l`lr^w)>$QT&#y`i*uvw*kWIVTNh}M)V+64X z@xxJ@(Sn=^OiNLTih;Y^>OEn5J3F5Ur9+*9V}}tFRT&{&c`y!p4l<2RgBL$@XIXu> zV<*DTodQDP$EqAP?exMavTLZjqUr1whMM~XqpPu8u%b0k@FTK8H6)GtgQ*s5M^L3%*YX3^2nC(Ot_1Dqd2-6!g@ z2wk?1R>n$F{;)A&70%453p}R>e(W8IcoZ!doGzs__p4H53GqC0R05x+;8eJ|$mbhi zKvLS#Uw__Iv$ig8eB3^8SxFyFy2vwNfC{=T%L!iUcA#xa>?Y#ci83-Y*ha!*O*Jh6 z(C*gGlsh-I*#v8H(d@^^PCAG-oaN%Ij*+2zV)hLnZylZXLtpv zRT3N{@KN;QRAv)bp=I%%Vq<3Y`|;c#Tf%5a{;^Yq9`TN9GZ*dDW3!g)k-Z}J?`}pD zb{Z12a<8=^lUg0JooKS{sp}pfcQ`&^4`suUE9lmup>zyRX;x2oRu$(c%mCUX_4i-w zH7v>p!atqp9R^oMYN%YdGbqH2U5#8kti*Z6Uj+Wfg0?&T0%wMcN@iADcj~sEdD4Fb zrtQ;o3ItA?{?DZgn%xJT=bmo${kRg*0z9QAq;#9T5QJRa_esFek#$)Rk2i?BZr;=Y z8(l_jS~v;ZLId_em#42`%tgsi1`A3WYjY#@dsG8XAJK;3P@`19SwGKN=tGgmhL3Rk zh?Afre}jWLjgi7q3-jLz0G0>%H1?5cI1`4|3;?a$Vmf1$3vtpcMHG zwzkS)Z(FqRv^8k_svh}zV?Q%9tKkoSEpmT)9hpQ554B9;#!+lcqJB^paSbFd(2L=? z5QT)Iid~YVB)7TX!hIs1s7uCja9h!0KK|R`Fz{s5s zhkqIi#rVVg50yL6Dy;&?kne4yHh5GPp_N>lJ45~kYkZre&M+G=yjK;+Ri4GAfIVenkB8J(tB_URaNTra$cLzZ%rL_ONb7DZ3)C~su6)PSljj#X$ zeEB?q5ZB^k@CUq>0>=4p8|q!FNR$(Nk~gvYG6B`DA- zu$PF_o)(gDhcf31wWEYUS<=>3N&KvEs|7fBA+;oVkwb_2?lf^58H{bB9RAc31HW=c zJe(A;(fd%z(XW=hqtX6(L$b*_3QbKrGqn&KqyF^|o@F}MgytcB{ke(vErVLLR&_Z^ zC}SsjsrN3Asd-uNI5KivDR;qro(4wx_EA&ig36Kd{K5D0zHI?nHrnx#w2)ePrjyW~ zAIft1AV7oev8y$39q;fuLN}#{EAnQSDV=~DN4cGn<-jo!Dm=eX72T26gcPhcZrQQ0Aw>zyZW(gaf z)GK}e?#h4b#(d)n0dAAWeR5=&bdNc)jK73^TjV>$08kd)=4TkSh8-Z=(lry>vTMWJ z-Z-DYf*;fCh*T{Cwu*g9F}+RTQ%$2Dsi}n86t}%(g+qO7r$(9I8mnWiFTJ3`)pL^+ zz@&gqA__ePDY=PHmLQnKg6-8&Be9jxvtKcN*L)}lnIX3qpfBtwRLVS?h zaFX2f6QYzKNqD0O5(k{9;NHyA+#~P2HqmJqtGu=|jv^^=L&j`Pq z?$ISaX~dHc8nTnU=Y<;>EnXZw`36Z*2?_di9id5_h&%SpiG)pr#l$0>T5>u|)iWYb zZGRq4HByh(U83i<-a>_O>a}`rjHb{)@64ej5owLN$OYx6HwmtwA7|l(t^L6OcK!eZ z_VCG*lXK?7OY`-M)~D;bvyl!gmakH?DLhnY)L33X7IDF(|u%h0_L*?sqrz|wplmZZ*%T%7nw;y0ygAd9(Z zi$Fmq{w`#Uhmo3_>C8Q^EYbVq{4%@}-jiggQ_%p_Z#N5CjC3{}(_cJ3XMvPq;~dd6 zwm+V;JTDFV#b7q@0Xteft;l!J*jiVqFTQj02R}XqdHK;T=VxD^ePI6Jq=vavN$=xl zvqvnJpZJNM{s)Ao(l18*PHN*J!n2u$dpk@-GfVDRY%dNJ1Mw;-aUL&zbJ=&<-_URl zE1=Y)-+nVU!^WC0tU%~wFevrhHMHg-~ii#CR6ey9h0Uluq8)kgH7a1rvkf@WR@!A zi*FY1_soNNw#BUpo;oA%Dh{zD2|oE1UBamdU}MuLpX2ns!y8BqXSC@dl?cX%2Oaxg zi_PH(n%=tph~2%j{U6@qxP*r1GSCz9(1CxH48AGymZ8kFqZ9#e(`a4Gd_%23Ql3S` zyB9%>UXwGjP_%YtVQdhJb$O^5b)H$|B;lai?JnymzJ8yX*hKED;65Yr&;cn;%A^6H zh|rvI+T8XbRG0MLP^dy%f2G+8y7g+4_m_|hLt)g(6H2=c5i6-9Lhb-a>*MEf68MsK zG~KI4%m(IGo4mup!Q?e|>LqrJf%-K!%f`s2^v@ClXFm?&J5p{y-{>wq9g*4{U}=(y?{aMz`&BKKnI=SWE~$Rd8`T7zBx5JKe-i>j zq?1bXXc(lmtZL&94vKU*0K3ycN(3tC6>$tB$GLo2@wvOYH!1(!mT>y>z{*Z;(CcrI zNPyG2{<*D9BsGJ{%ch&erbxXYB=za$l~4z=+MAV}lf$ON912I@NH54;+4sUCzGfzq z`36x)=+3@Mf~5Myyc5p&A~}Pu&XHMl?eN13IW3;U`_1y4zWJ`%*%#mJ5F1&3l<@F? zkZaYejXERR!LyM%DLpzhOPX6OZM5(FF={?sO^xabPp?;s`}Dd7>qkCK31q$ZU3nL* zF9OX@poXMW;KHe5!KL~3oHq)eo3|^LWEoB$&~QfBxePvmnXi)Y+2*qy^UAVA0J#(p zMyo6fFKLSUkHbOdyp)P!8BK59sYtzh5t&m70tSn^@3zfpGN(S}iZWxQC_yu%XW3E9 zBkS^r&UIaR%$qlST(0t$RXu3l?O+MYiM(r&$ICvu@{6?N1?Gpv@i`3An*Bh{t_Hd?1&sIJ+FHm{c5+ zE!^{q5M^a%W|k7F?SzBGZVvbwlos@DzN__4ygXzh4$M>%6W1Y;? zCnHUq%@F+@-f**X-pkzUy4#Sn!;d48qK9GwXzKR}XRh|@(rRmdkfC3i2^^U`C5{|P zIFoXU5vcKuw;vEu4nQ)uYHV7}E!E?{X6I>)DIAM0r_$d@Jiw70Af%BXq_Vcj{2Tv_+f>e)b!zH* z9k0JkRE~x1N(on9?KPTt$Fgm6U4&fl&7tkfg50@lPqer};a@a#0U_D^{5*f7GO{pq znOQYpr$M<5YA=ITUx0}19cRkuPt%`Gf#|;Uuw#$-k|-B{W=cCat#2OD#JXi*6)yf8 z&jYEE=4|X>a;dyR10R*bd*&OQ-zK@Yo7S!;CBoOdy+^(r*#UPNxsI@GNfjGUn0IF) z)!<0?MWbKFfg3(`3HZsG;iU>)@(H-Q@+zoxzSvKTrNF)kEC3W=8~~23h4EWtn5~Ho zhCs11d9>6eKZm%b450jc5rl+y5Rs75Z7eiSaDY68d+G+Qnx}xq0BnfDp;6bGP_iND zejC(35OvcM-M`?z*nF_GLO4YdCnK6lO%Zdpx=Vc>7%0GB$Z8m`6?w>SpX7dTQ~IPA z*AkkVmf%yxH`E&i{Zm{c)@d!H>*(zM(zMQk{4yX@a^;O`qhd0)lQKVMXF~w*T%oQ( zVG2ZWPQ$~ZP+1KZ1lbnt9}Z&iB8DN$hIP5|dYR{}hlbG!gaCdE;*`~?*EM8u5 ziYI~Me$Y&5BOUlT3lBjKEj%#rLK;MnsNB8`*pfWTD6KqIcu@Fu2IXD2=p1q1HKeg5 z1WjW9+S<}Te*9p}Tz5S737vx7eG-5p6u`bfUcjxA&zfoqslmPQHnf~t&gb`5iG6fE zbrb{{p#-&A+su%5_3%)i#55pJYq`J~bIYNlb1Qjd-2Aa+_}_1y$wW*i8)|B}NqV_o z;HF)lxP$l{B?HIjMoEyVU_a$Y-5GR3BZYwc*=U1hCc1VLzyngV1wFj|gsjqxd%x2r zKq|LJAg4mM%`z$pAQvjC%Wy4*T|#6eM^`cy0AEM`d~FX zG9~FMBw|-3J;%Q;h3F5db0&+I;6W9k+atlW)f3}$g6|ecy)77tM~B18tsQ$(r76~c zX9LA_pN8V*2(BKd0zkKE&{68sdn63cW&ZZnXrLC6}}j#5q^KQr_a; zK5EA6yv`Cp{@z%hCEIpUY^*%{N>FGvif&32Dc5^DY1_%{a>m!->I!EEZf;Sgq4nPT zl?9oy+Ix;Fg_{LaQcqpQ7z!5(7N-0R)+NXS#HEwEP0FO9Kh?jP77b|+PGMvu#a*%D zCGKFqw$wJ?d`(l7DK$yIawVUI`K8i??1iZJq@sN4QO!)?no}n}aTFeA#6(UXDf121 zu<`cgijVH@zRMWY^(~VsAHpGP|NOPls8t%_C&$XS13KzEM_$&lO08Ya^o$;}xXPL?~nJ22-iV2-_hPZmbN$t zm;VT^Ccl@(Yt(*BO$DLUdO`C?YIu-LHp{kMmDsYT6b+T&rAIQ{y@LoAWrXHi zjC+9<8Em`MB}y_Tc_|?g`qAzY!PhIWLr=^&0J@M_B;x{MGwjJ@XV0&b1vl$AZ*OO} zxiFx)LmMfVQzZarSP@gn>&T1W>%U1zN?t*oU11VLof#}%T_@X`vqY5lN1u3BUYLYE zN!lJ`QU?G-5@UyRC(j5(zQ+WU<&`spckbNTJ<4@`g|pSYIqoMAm)}`$668*Ibk-&= zFOQc*?!TYaZQ*@;S07r%V-D~7;?*H66mX~OaNd~k@c@wt&QtOlky6RjuA?un;jp_~ zG2U`Twk2C2xv4J4h!H&vAL3Kz$L|+b7f0#+JCs(j0MMX0W#Sg- zy4YZLELNX}K#?p;sJ=u`HMF%2F&B@XaE4$Na0M1bT5OQE*vYeAASjUQIy_8JG&grb zhbDqkhYZWvhLC6}M1vOM+H&Pv)Rocs=3F{V?k2*vDq^M?09QbHlEc#>#=gFcw;or_ zAl@$zddiOK6mrm*ROMrT~WZ3cdRWaC&yhlQpm8wurC}G3Qn$G zHMzEIt*v@D>v&{5I&XE#K5cDPeOc-5=k`AN;|NM9`ldAXt?X5U9KQ}!^(Vw+H4RvP zwS6sJT6Yy8Z21zm&FV2V=C1FnbNXLc$Zgy9^_86A_kol2GWN)f6zF9rys&Wml)i_d zYZeX~LLT5YCG2HVfMBpZ(WDmf=^q@g*RVeKd{9i&;8NHx%xlZnKE(=-8iu31! ziQ(aF@cFODTX=eSPisH>C~CBdl$pqVtf>hAiiujiOK>sgoOxYtk$Mh&*8kV!Fh>07 z8+kQcBBrXgwPVDcEST-_`KOM?BaPVXv3mdbl*LheiJU(NNHdhjakFX}F#OG8FyZOKa zCp0wbImUU^dB(EHBQWf?q4Q@NJ39xzI$_<6k%gSP7M{hl0avT}+MHuO69zRanqN4N zGn&kh>YzUmD9wC=qZpL8iVyq3BXcQ#ZI@5v(9n=FGBhMY2q(_m&vJV2j0~NY>XEI$ zKePY=k9o&>|EZ-)Sh`F>;)+tq^7C~KH31kKiqwK~Xan2(XUaR>(R6%Yi{Cz(xHx4z zqWHqS4XL;Rbnev`jiOwled_b!b(T#5-2+)HCE1RPqBdiG)}5c7%^GfB>`NQ$&^^Sd z67eGcn=PC5aH%ya4MaX@=qahI@C~+j(i7?Ky%aq1ajuK4%QwcPUy5zs)BG}5{`(lj zQ2!obKw%hMSpnHVqJuj>83UkpEsQd8{Ie7(EQY=wfc-f{Yq$rQ6v?2Vo)iqJMm9du zLi|Xwy@b_juiw{mBl9at#pjS3fBeAxjZ#M_{-FyqdV9jY$C9k_Ml}HjHuIh%HH1b1d&;w*O-##Xn-{xXP|F)>p2;FYLOGqd@@#l z^mQsv-|DokuoUg#?05=PCb!_QvW%K+A?Wy6|!S#5lU|lA~RXV%8LzFXV@#C>u_jA1xzdFI=M}Mt9 ze}8MR!J3e%;8o$jS6H*ai_$rph!8RHbLdW?Fu9;eR-57#WcWn8PQwzI=cI8j zzj2=mUj0)m7re9r{5}v%5G(=BmzAO8Cu`%XXURz>#WElfz-Fhr4A79W7o`#sY61%O z<3|`;AVF{Ogs>yc(Pq@o8qXQqkj|o&an+#dX5+5@MpwGUS!1S84%`Z!i$p|it)Y9T z!>#*rLH*7AM1JjqS*xV)*Y*&%BjWONsZhui+suDo<^%CiH}a`M(Xx= zDP@EgFqthujb0BQo+0vm>-T0m&#Led(FPKJ?q-dzm?SLf{88#eL$T43HLGuDgiq7J zlJ>ptBcBZfQd&LgsjPO;SZ&Uazb6CZ7dO}~G@B3g@hX^voqziU?>#)TBQx^|lelL@ zYB_!!Z#g&)O;BTw^l$63YoSU;cp=YzHvSL=9ii1gOKLTy^PW6m$;nB5!$J~-nVy5x zB<&55Z=GBoD$%Ym&pR(1?=Szr(uDN-H-YB%hj&r1&YqQAxCs6qX>{8+_Xz6KBS|;O zlp2&Up>X&Vw0vYs2xhNAI=?{WZw&|4^cFbnML2YGO^{{gJv;j-w$pc&7x#mf={Aw@ z;p|)rA@%hJR_FHf5p`zGzOcS4C1!iECY_xp2*ULhL)Y6PQ-ijpW#9G?#pbVbO3cJb zS2q%ICw-kD#l}1~;<$rR=a0Co=v{3K6hmxY+`5aKZU``0XXOz0eP+g9w;Ur>Ue8(2 zQa86sy&3C0JNq$_ec%C;#J|iJ^vfIMP)>zOF2>pEVLUZ-AhVjUcElU!Jx%rP(Yzzm<9|Vbou)Xs5G! zCEEjPf)7x-#M;dc$-x^~{aB90NJLN0EGKv6XZcqY#L%h6RXoWdl)*cQla;WV`xMVV zOa=;nAm%_F35KEfFK zp{U`n*4U;fyjR4YM|!YK!I4~5ldxnW)_s98FSg|pmXGvQ^>?j_c`7QWAN@;eEmf8f zGEQoKq^lV+ZDL!Mv6=CKZi}Rj-Rc>o^}h4m!n>}|yL|C)QUyyi#Q7iwRLYcq{&!R=1I=f! zM&PxoYHI_*J4UbeLRTMX8l3)_sOF( zL#mik`JL>P@S6gj=^hXzvik(~1Bp@rUqxY5*Juu~sX531F=3bW)#HHPbwRd@3V&~$ z3~QjwLi-qy*ALOH21^3K9t}KbVrqQh(dj*CzI|>Pi`;zt>K{iQauR45ptS!3J_(fY z2#UR)O&Jf#U%|Q3xd==Uu?HR&DR={QyB`f2A=zvKp1TA5@2W`jc6fvuJ)&t>1M2dw zn}cje%=xPp`S3a1*%0gum<);(B?wB(r*7YuAuFE%cA?w`u*(SQQV{3=M5yFY2o;@H zR~zI!c2;c3+9XmD{s%{e{-utNGid?LswfI8qU?z_K6kEkAPJ&O1Pt{@m)ZB znT?Mh2m*9?f3|LZ1Y|?lz?uKoBGiAXx=~2+Cvw%_wiq4X|4^a-J9Yc@16s~Y0I}m( zUWG8`sh;-Yc>v!1=#8_; z@L<$QO1nq_$Rd(U44Ldt>yJZ?li25DO-~#+O+2Tk@p^aE)Q9GI8hRbSLyO$snokx-HrTQm zv@J-Eq$ecsV&kGEEcOEH=sU!;iIzJ}PW z7{|vE)!N8TY`#pf_P5)pIXw3iyiKyQ_Hvr*cLwIlGbFEBsp~$cX~{NCQOkO1%4U>E zTz-^e$H{rMQ!b@7Rg`kkvRSrql*j_Tt}u`=x!nYBPu?=)xxd*8l72N zhK5Y;eUBB%*}W829t;WrkJC7D<2$j9P(xE<Gu98sywE zfAA^Y91)e9OMxLzP6je=4gYy3&~x0a`)9NN`9*YBvMyT`VI?AHS(^d^ z5`EWe0~rFonwp(x`MB^fgd&Ra=i{dAAk=86{-sHmdQBiRZWn24g`B z?$9^?dWrB6m0y~IKf$wJJEgc&A?Hs%3cvW4ILdwj7j#V2e!#2WwchUjrS)w=^QNy)+TXZ0L09z7_6jDp8z-#$r#C_8 z`L*)|KGWj+VJzSpSIiB3yn5KZ!aSd+1X zSSR#1ekH?YtG38!$q-&~HjDKV*}Q&YuW5<*zHzbC7Z&FhKb8_l zDSq1je|XM+ZtojyX)!iV?9AnV^P@Cg2hU(wf8s%He!0kd^VL5$*0Nu2F8eDlwL$Q2 z_u((&{vQu!U=57)h_IBXc=DS5@ZB#XJtK%GPeeM*$4ODG zV@O_sjgX!O_&S)wfAIx@-15e3)Ao*2Yvnq2Ha0dE*}_!Y^;CFnZ)I3bae5+)!$_y% z?Zb2@Z{nkwc!8uV#bj}zDDhb2Z~TbhTC1(KS1k77bb3D;;XNGJH1JklTZnScUSgxP z`{X4>;tq_r`Rtqzs7M;Gaa^kXm)jd#a1{E@4cMp&R#+YGS&_%UnU zF%*+-FTq=)a=)Y`lSU`k#kRC(r`v_Mq3^XzbKQAIu9rFK44W0&|Mk&9j&sP&(M%>V zLNds8iucUG(+5t+$GOZ0xHWS;q(5!9X#es+hWd)xn^4oVk2NiqS$2n8f30Wlmfx~> zrZ0`IX|-&(%{%?PBHySANn5!UKwb*)@_EeS&PSPlz3Jc&+a1y3gKTh?mBD~J0WX(k zTQfK>%DfqzFDcqd8x+Ax5#?zm`D0;4ni-XXN%h{tR zJvWOKAME4_>N2OwAJL4A8M%zV)$#X-J+DX9@b^~p$P#;Z#eku~Z%U@xz3Fk4HPZ_e zOi*u>n7hXpms7Mmk#9YGYJZjDpLaxru#gke+bTd8)aacjqF*vt?__kgtsp>pDkS(0 z|I@P4?5&jfUcp;CottnesEt_(mBM&#w9|0?e&__4{1)vpH8j1vfC#CxCdS6w z8h5Lb8|1^+HP6QM%Cj$i*=?*+F*oZ5uP(1;mD zDeG^2>kZG(2Fm_&I{QY3O8V=waM8ex-}_kMQ0ZuIZ#eQv;U|QlClk3?iROW_@y4wR zBgw1b|AHynryO>6aH+=y6u$guUY~6)vORf-g7~19?w>EF&G_1ali#7R^IeMeSBEM} z%;0@mFI8nV4b_AnR0?99vP5Xd7F5Hh)P8V93^?_>OhC1`W{Zrg9y(K5(Gj*oi&St! z;cuh4pv`WTTlY-o?SOQK1I1~#x98`^$J|CFdpeEb2gpmgfRq%BwaDgt{l-3Xz477g zF|ofk(h*ZDq8_>&_{R{3nawy&q^P}KjrtzUA`)X`DdFQkAJPD*#+Mx+_xI;l9u2J* zg5P2Ibi#i#(GPhNa;++{=jy$h&c0IOI*RIiPSaJ@+Ho-M8`HhH4SZT+LbE_iL1(Q3dY#7T}}q#0=m6Jjg^1@ zq=!Cn4EH;~sJ2ek^%BRWV*=koJk~Q2M@Jgv2s0D~M|viv(?-3i@cY})nCWuaPPg08 z0eA(j?2|J3-wLn(uZs2l_XgvZ897Cm?vWt<0)P_)=#meFyDqRIfMH~Q#Y3VI#EM8< zLw1ha#%3(ZsNvw1Yv#Mp;8yq&gCwMtf0s^_V&l+0w_ZbE+fR6pU!uWZ3 z{Zy}{Rh68{#5Ugs6zF>&CqdqHO{}HNZ*sILdcB*kFUh@E@6O?~@P7Zr2g6gLgXjTM z6p;Dk(f0NCUqSv0;0CeyWBsx#&_+<42D)-*Qms>J%e1>xYjzw`3w`90z#INN0c1%2 z(q2Du;+&}^o1%$HZ*X;;gxj9cqMeBEG1E$frj8E()9bA%ybsT4f2{D_=MfEahtwtT+3Kf_6j+N=CF?L(k5 z#>Olp7;R!iN%$wTVR>T`q^fr5+1XDac0%B4{5<79Q8Hfi$`N}Qj)?G)Yh`02!^&#% zdcS9py?)64(VlvR8FMJn2+Gq~|=^{= z{@Ka?KN`i`iEt@R7LMyDABLoR>`?w@vu{9Ukm|}+Wg*?-=k)aS?fd7X$nf=Efb`M1 zxzJDR12j#wr6+mzD=3t*#w{et5Vn7N@D6ECTKqn?zzha$0i14?`faH7_ORZUfMUt!+d%yHRqhUDVc9v ziCtu}jJdFHr^s($G(X(;&E}N;ETlSYK{szyTW_6>w^X~J#D?S_O}cXv zQ8`^Z@C_%KzM@R*jnQ@rLN8Q<->zEasu0J67%j(DwqMsd49Um8B({C|c;J3U@HJ_v z#rAn`mnY@yNdSN5l3au?$basz7*tfta}64d(0fwOkSOk2iH)A~=P^ITWuuon6k@OG~{Jt3Ge#uB7X$RhYg@Kw} zverDFSIl;IR3FEhgiP`FF{Ymts~6hGY3AE}`RNz+?6{Y^kA4+L9%;IF>^JO_+~tyGx|ui3>pF+X zJTvn~oX&3j-4zt=cbA7HxjSb|Dq8k#ID7U(-G zOgtARUfWMCDDIuNKl*L^zQgx+JBKw9jXUDNw97bB$a6PT_%19d5@gy`Pag@YqJk^kHd zN)1aT?6P5omCBeSX6De1x{W@~>F&H+x0(~NEypZ;o1?9i1PoDc%gYrQA8$eA`)MSc ztTXS&T%y6>uEBZ1ERP+uB`SKWf)b2dl#UEzaEnBf|SA}&R&B+MWwy~~6#XK2kUi!WxSC9@8%`- zRNi59)PMIIy;SN;v9`ldmr7W-toVsg!?b2yl${jB2)2T+EPFP?#%^VAEU1ZR^w4anuZ?=4SA^5g6m8X7gpvn4#Tlk*`_0`F#GBRrAIVtoliJp*m zi!EqzoywbBzp6^I7Pm+*q-t(Ky&!#2<>xAad?(RQQ*p^LebOh%gCNx`$T2sp{<5-Y zOTqJdvz1JYM`(UhROj}rDJK%6yLNn;+43gTzt2$b8QPG)saQ_i6)5eWthwcmtRvss zw81qu?REc=8vFVkY6rxKB7NhJyVSDdxg4a1VUo>;2HQ*mTS#fjSE&hjW{3CPjTo}975Y=Rm82JFbJZanFseN zl;8=3bna&Qcf0ou4gx|Y75v2M`#A(Id3H-!eV~WNQu<$WMG*2k7HU%&0hs(i7?8)N;&Z2RF2)xl%* za;-BERmS4p1RwJY?JtjR(c}1P*Z6!OOSIgz)#vu?Lag^{n$N zd1WsGDMnPBFB7@Gbg{Q8SS*f?&RX-!X@HBalRSmD&PROw-b^CO5fMDk%9rb~_?CaG z>yPN`>+^n7(U;|+S9~04#CMlufg24L8r|fS8)hPfg<Ep;QFjH!~G9CKEI-(tTVs^AYTdS_B)R; z-wMs6IW3!U{N%(+uZhQrAd9E9mI7tXAG^W!JU(?{8j?_w^D?_$fAO8f$@wiI{m|nS~I4kc~V?7RUYTK z79Qq>X>QKFDU|7O`!!8>_shP8x~@0-+tM(?kF~8U2`t9QV)NYj@E;{GE^YrZJHCF|@pCgJQP0UF z@u>30{xGphlb`d44Q4g{bt%^S#tC7H#I~ovGA@q$9|rK&xFk5F=@Dtpo7hC6!IsP# z1_3GYp3{xSg72|;IX$p#dY;;=Yw7iE>CO)m6W3h5T10|$liaTNg)Omu`(@l)J5o>_ zQtro5vICObQ3IYwBOe^H_!$i6ozMOZhMC@`rPH>j(NXm9UIVa$ugRl~taG@EsndJzMWO9}m5eLETEMJYI4Ed~i>X}h=bN-y^02?_Sn4uh zSy*)$7d0u-?QCb~{)_R_wiS>e?NP;i+yzU0HSND*!4^D=E<7dGILw9o<@wb+Y~8<$Ze? z=;_z4wTe@e{X^Jd%_8_p@J7XOTXb!iROk_4paX1jdWKeDqmk@jPxtlSNLdjjn6>6B zv-KbDAGua!@TR)6*P+AeT~WDDGwW6!!3a6rf4e|Kbhj?j0y`1F*R`B%L36p?{cob{ z)7pL%ym~d7=V&TB?M`*ARV5BHftwYH>D7d|+lALn#di;%jisa8ZENdS?b6iP#OOM_ zkvzbFhYpVz&U<>S*qJNUM3wzN5?-?5UKzo$q@vX+FO z4@=;`Fl#|BUD&7Xr?+dBOiWD)fY!s;8Fq9MS+^76M)_SFx43-~DFUUp?!Js)c-kPP zSBojV4$Fl!2Kz}4L1`)C^?F)Eo4(|SfsTZ!sdSSz=PeC25|tp&v02R-O+f%q9%B=V zSQmg7?dL~qvmVCA?%5(Se{ciD2CIU4)LlWP)z^>)g#ym(rw;>1pj7C9x#F;J80+o+ z;@8G^{aIy!d2x_K%LB9%oA{Z8KfzCBiq~zI@*! z$AJ>dT#uDv6O)tJ2ggo~wHgoLDkzpFCc@{stXW#+YcU;S;321}Wte zo-0h+CLRWw=msobrX>=1$h+_4wR18yDFHT6l&HCP|g`pgum&pKBs;+N5`!9Z zyG;-mOyzx|zCdE|dY9w0@Mwvud}RqF5B#SCWUZKihGk8FGF|1`{=C4(Nb$kx$uWj~ z^)$0L`SHtZUFtkW(s63TWt6D;UUOd&|7D)_`}gl4GYxT;rU&2mj|)%BzZ-ezPw(PyH8-Ug#;tNEiz`S0|ZS}yDDRv!}lxN2*vMsW9!h>8XJLI8F? zcIwCKjHyM&t=bGlMF<@WmwLTvyZQ2^BhF1IEf|9ZVU%nl<-uW#P_M7eJWrOfuZw&0 zuqQa%ADn^p7CA=G0bfQzTRHa&S1=Gv@24Hx&-{P9y>(Po+Z#5z0Ko)~BBFp`5CQ^9 zOQRy90@4kl(%l`(5ky231f*NKyHQZ2L7Gi>Z@OWB@6zM>o%{WF$GGF};c#sBUVE*X zZ#>U4=ZvTj&6f*M*Fd?7(7bvu_X5A-ivjO z2rLRJ8MLRvgW-55&AP5$UJ^-<)`iV90Y(H@;3rvR=Q+%)jA6nk!69XJ zMFpG#@M${lNTu)o2dCK+Fv(EbcgbveP_4c8Y1tz6?51h4X?~h*@zXLKr5U*J(S_#+ zUB-P-HmGR`hIf2{5WK=MFza9JKZv}%-A#blE#C3~DoUdw*zZTO0dV|2uvw(Z3IE#$ zz2^|^!g#A>3no?qGfuZ72t=N*AZAAmM8zJ7s(Q*fbrIMWN&q5n)VW=|&U{a4lNB5> zNXD)}|F)-gZ5H@_TS2#lf>r@07=&c+x6GB7p*_DqJcxGkvpN}cYOR!>fn8ibK}d<# zF2d^g_r80AA;IYAJh|%5J zjC9U%FpN1?6tVbha;L&i7~+&?3!knK=pNmf`1o)vuI>Yohjv+dON%t1#1MPF z!45)b1k2O!02_}g4p>hMPzQ6LS;buj%jNco`zV-i4Xxgu?xA-P11=E1c2 z^U~gT)21EU4>dk=%5a*@jlr60nOw$ZW{`c1A9%B4=l4iyVHO!27Nt?ELUkZQ7$pBu z-G&zfX<7nz%;zZ~=?H#bN8yJMgI&S@9+%YmSW9;HuWKX)3-hW)fT|}AZg=LN@^+@f z@1_m7Y|L{7EH-%d7ZA}}l2$Kg2v9He6*1W4H3rkRNZ+V(P@P&Ix{jtwQHHtb#1NYA z&d&PMRX+R`gk#^xn>{w%*|W4^c0}`NlF}z>oEe;kO4UH1fOIRt{!V2x{3%c>IDdAw zq5=&VY747sS0{QF%YJA_Bp>m3w&F8pEwt^-!RL~@$noPj2c(Ff4Zi$!Hg{+ir>NyM zz@Zprx7SjETv{T3mZS3C<}l7cDhy`T=SORIU0n%~*Gmat-oOlh^O2q>pXjdc!_0V| ztWPo6-73?AWKB6s*VoKQfL|CCFd}0lb-rr3<^!jr1K|?L17^A20?>P2j4;fHI`GJ(OTb3!5RvQb2YfBE9>eP@=4muHhrB; zJhQ;hk8!fv6JFbc?DrQR*h?UB5x+WzZ%8B8BvC~IBCM4|8(Z7)j--1lMKG^HNjEMj zb{cHCWzIdwFoBjYHBnDs*PyDJaSh6Rb0j^ZcyiL83!yerweqLS44yPyKTW}EL{~8gnVK(F`?*5C=6(JM z;80b_sl7P$13v`0p0sw;JOUY>*Fyh>x2iQNSY6)N{oyMpL5VbI`gM18xd+mS6S?BPX>6kI2a6aRJT+xyf5k64XlMxQ zABRUq-whrQ1%Zl5@7d#?;UP2MCC#MrA*swc8d+rUo|pu2U)%5ma?|0uw$A**oBl6O zPEI$bd&GfR6{YrQ&`hh>RKx2IJX<)Jh1dO90!H{~JR^0mfC8ejQYyFKt5qm?-)7^O zN?G4^r`<>S?+6vx7_Sc0^f?ipVh)bVegHB4@Vpv4zJ9;m)V9L6TY^JsA$MWyV1+r*cX_)NATqoaPr@a;PMlo zMuVjGjP8}c?*eJ~1sva4s`Cy_L@orN#;%Kt;1BqpQ#{7KTHKp564>Czi!rSLZ)3Vu z6@;r=^|>3?Yf|NTb+FRUj!H-anK8j_Xm2udRsN`Z4*sbY##uGYML;4hvwgKFaBXZT zw3AAPa6-}I)3LS&7Upk~+fZPNXxUpDOe|?0Fyv)?qah-IJ&3lwRwMjjF8Lv-{+N;lwLrDTwodHriT>+c?B&P+u(;Zfp#Z^ViFX4H*w)W~Zd5~<4Id7Fu5W-F)?aL{rPh$>Wf)N55 z0SdE_pXB>tZecF>@I%pVQ7pFnuc-kni4CD4{G4+*ZME}Vik1sJS4vyl^tqq^Id zvwgRWg@cMJ97W>F>_anR@v9+h8>B)z|dsw<>TYNUxI>mxdi7Br9vXIpjMhRK;!578@G|~a+rgj`Mibx`lXO88L0LPr}mfE`U z6tc(8ZZ{7|nBnj*bgJAc*@0j*CnMN@5W>MXOEl5vM2aw(jTDtP5SxkXAh9SPitB=R1s<{K8t)MdhufPho}#Ryg#;VkEFB49vvoFw%X+e7Y1|qz2m{> zW1*nUVF;|By{XmSp-)2LRD1CqMcs+IchO(3V;up&0EW&Mg?Gjo#Z^xKbww@b9T$?X z8Jq!i?Jd4#^h0;B*s-VoYi`N6SswAjCS~QGm~B;`ZLNNON9KCNRyGt+X0ykeFBAuH z%Z%)cK^vHw3rioaW3R$-HPpcua`oaJggADJB=wa;p5n!%jjJk;PwbvY0@R3m2xlzd z6YSAnWLwzd?-0!?jnY1GzfI&}z(l95Y3h7i584ZGfG^e62#VVRDk?(gfu>zhKfrBl zY+UX^XgX$u`8*YT8B2ejvXBrE8-=PgF<9RQ+ncp@JQI>7a~`<{9u*bM1NRQNmQT-5 z$cRLm!aQMuwG9khnF`8EKMLM_vilW4B4|#620c#q7;e`TqIoAMe=OtYV^3*q0ww|t z^%9gs6F6rPo}Gpr2-kfAul)m=LV^e*?J0P1OYFy%OtyK+^zkHg_X9Mj|4Df_B&e|Q z1F`Uza)`={pHgOP$yOM*;z0)g+WFz+w8&j&=c9n!^bRUFbQzyF8_HqG5`mtF?=M-Y z=NI2rgH-?kN3Vbd3ky?U?r2^6W_;L>{Ds)vs{=fAVM#X+ZU>&{rE*pSEH?1;3y;q} z82-yHAMer=p;%@^VrljCezs>&KFFwF)2go4-vEKbZw(nKND;&l2Z)}J9LW?15RQ^6 zJmw#y5U_OguHcp6c&jHcImWc!cyK?5)3-W1%a0;6pIcy8d|xx4ttElKA+dm)#}pJ0 zpQJeY+VscPF+|feDT2@gBG|*8%=6{A<h+r1K-M_W>U?8@f5NQY3*%nWe=g9e*Dn0ON#t>LAS>z%nCpw}=E#P(nPQC?1Z?SL~AQ=dPo>E0az6^2lXr&><<#AwWy1KX_ zXk%jAKJW6=T;JxDprE@L$S?q*KF3N5u1FqhbIsICsMPWB~v z!GV=`1M}W4r!S5;(av8#LfKN#L}gc}Zw2wi9X;4g6|?vSP3=ma`PbZx+Q%dUstnc1 z(ysafi02Fk91TzY8=@3fRV92%N<*F{U)g46{)ifKVc$guW8?4|Lcf+^MF80W_ytvE zT+!K*L}{2Esl#2D04xIANc~oTWTbIx3GjZ{{V=vX?#u^F`c~Nz!0(Xk0D&?(x^t37 zh*{Ly`Xq#}o(bH&uXb_)u7jyzxuM3xUsn2;eXmoN@eZ$Nd8-;=f}o6v+0`TlUD02; zdgJelB!4ti0?{L}8}!J=&Ng<;mL6JQ%vG5gv9T4LH;O1v@63ODv!sW+eQU~uihhfW zGXQDp+JaSKpz4si_Ur=UwyiR4kyV<*vHf>bU&7hbHh7zi&nLQtS4sN-O21;Ec+KMj zp@)?*gZj$xBynCTNTlKt)u%SXNw&D~J%B!V>Vy#^kwAACJDaN|NDKe%ZwHi}qZAZm zbz=+0Lg-L-?(ahIZneS3j2|Y0>COR=dE2@Ur3_A@Fv01+#&T^jBf33ZU9i69>W~a( zZ>krzghBHL*(?{FSRVlIwK(xKYuZ9zDL9XSReXZQ#B{#Wm9ZyNd;~(gcH%&gT`e(> zj%uNJ@GDqM6gQs*$)32e9JtOS0+jXr#9=PE-xQH++Vq34M8(F{DmgOh15*@d=%cZT zxc$<}Evw~HR4RZ#QK~`sLRv4B=Ot_WOR;*2~{BY=s}yXXy4GFWbS z+eBpI0$#X=JQCKZYF7-rd)I2W)pOy2yL(j!%ip@5 z!!@|47WQ`-0#*0_vj6_u5$W-Sx0{f?$JciI1mT6iqT7r*di-9X?V`WXm8Godw~ImT zKom%4@tB#Joo0PUG!KEafF=F>{GR#7*5+o(e!1I2?Yu~i(59=qG!5XIYlX-RS1FD5 z^f0*^FzJN`^v&`I8{gTu-=2dMUoS_6dec2OIJg_P-UrJ@1;<*SDJvIs95fiXEUrvJ zJOIXpy08^i%DkSQa3=k%S!u*8rLWxM&L0(@!>P2_3n5I~{oO3J?qAHL*JY7L7+sNO z^SZFpBuLV3>nl^B82m=MdVJ;=J5}6<05`SoH;%F4Gv|E82e2*OBc`H<60I)4g9MeGQtJ4!8y90<~a@2du6T^buG zHttQCHG+kuuWB-9&z&Q^HP~b0D-IN{D%ip=a1FYWW&uO%4PX)^^YJMus^> z8$ju-!eoXkyF|ZaUG0DWhUH(QFI0_z+T&yYTV(qh4pg!Q9r_ zgu;0g$1s20Omze$5yXa1QAI?~QUAD{9K#=uCjRr^Z^J55@QuLaSUn0(;sU1+>z;D< zv_ac-8SrlS3h>MKpc6Q+zjxSJgDxIuZ2B#BfOtOrl$tk$f3WB6tj%4n%C4@i_%YkW zM#KNL)_q6V>wCRnp|)ch){R}TJN!*f!x6M^0WbrTVAIJB@rT#FpZ-q5&|`5cpDRbn zPMq|G!UIeWWRiz$^D~Z604aYIhrJrpr!Nk6B&gciMRn=<1w{gpb(_Uz=`h3qOl}_< zx~bQwa2tS3;2%&R2%?WD|ABLUD5D_uMgIA4G3={R2f7wK1jGQNj`b&R!j;)N@(G`m zg^8pqKf%^TJ*XxH@^Joi=Y)>a?b{U57L=fhEs5~@-?*r(`uQ^iU4?qmP5a#fRT1Pr zkP1O`hsp@Rr~zyH_xJA%5YUjKv#%k>7A3loHb};SNJFYGBjx|M+WNI+9~?6S2r@** zBaq(w14yBu;NE7PPu=QD8z6A^r5gWgRlj~NqHLKL*3Er|VuFr zSU+4P-yyCX-x?Ki<$3cxlqS?~VelOn$80e|2y?>sjkiXfN;m&U!12&ty<@pzhc^Nc z??7WcnZGiCy6a0S-aCyA%+zYiUgm>3_6r)nNM>x?18cNTig<6_xKv00xJIsVbBHDP zNoaDQm(7bb-w#&U4=>r($9^{`7c4%i7X$vdrmbV#0WmbL)80cD zbO2N*yPtj*W=nF4qsZKbzE+hFpxW?qS$ue22^1Efh#y(R%$XOG^Z}87qeaWZ%j=%v z^^p6LU?nQEpdv6G?wahKWR#Bl1}y;`lQ**5j9~^53WQOfpf`s^g}^+XbZWo!*sL-~ z4ipS#7tk{xcPAT-G(|oE!~a{n@&y=Ecn4GgK9ZYj4jGk&;N{Z*@It=(&(ylH?QkD5 zHu|SWrK298=YGL58AKGC4W_FF*hN$-50v<~Z}f=AYg2dB{-UG{PN$&ZNW(mLixz?avNT*7+$B>oT*&j+pvj8T;(Wsgahku17vRraSa?J6AKzJC{KIYGsxrt zKLuG98y>Q`Byi+6$3w~UN&=;WfLyS-_)O6lppw-!+J0gHDf%kh0RhQAiI{GHejQc? zfGVB;?b;ft-OP8}sMa&EEQOs07Bm6nx3VqSt}G>ScX%jM=qSv_*J(Yu=oA2Bi0-dn zzVF=~T*?$;0r(2|FPI;TQyCctPqqXw&pAe6B`SPqDRJh#!>%B74NO3;LbuR8*mh`0 z2PX7{Rpl^D5%)uTemEf}$F+_IAnc!P+7~x=lS-Oli}>-i>726m_0*9Y*VR^!LNtUR zfWL#~0x^kOQ}@lzQXZ3jFWj1Y(k<%e{@=m5pJP8+OUqJaGkfD)BR!=#^sTG5_t@BC zCXM@k!Vg2_7@wWg>a6@#Slx@KlEojA^@N5QS%-!B3D!(c4}t24d)SUrL4ucM-}(w! zeEi2idHQ=#blV}1*Viwge3gZ?Sr?H?S%3!QZlE594uMRxwivpw_T~VvE{mn^E}P|` z;lQ??ut-L3F!Is{bR*SH!ZkdC`9hh_>WXmQg@n93CjdeyTuLOR&8Q zUSBjfh{+K^rqhAvfgs+y{`v5$RB9)Z%AzsI{xs7bSNE%}I(27cg}r-SSpj-Gkbd3W z=P@%f!$T6ZN?$_n%4!ck+1h{N>8`)Wwkk0&>afDM_x<9p9-KgKtTZ_el!UVo?I0;- zWmJIu#;<>40kq-G4)buiI0#ROh=?MHJYee%I3egSU^htSP0Y-`bR@O5V=&Vkz(x!z zc43$26ibp<#_RaeWEmKHWxRtBT|#EIxPdfmA|rV6sMp)#~G zwuT8?*p;u`RoxE|%UTEh`BYaN9^~rngM+NWD=W_;H!3W0SF%zZfe}9;tE|i(#lqx> zF1g0-V{OoqLAP?KO$cvfJf=2C49R!0{Nsv7Af$tI86evRDTLCH^NH$gv+wGioo(C#To7sO` zh0N}M_T`5vuZ8&#Z1Ot0_%hBoly?NuW9DI%y1pTAbCBhL5m7(VP^YqL8EndH1C-$i zIGM4ybl^;03vEyKwrv)ZAZR)Q%9(rMd%>VVT51WlNxH`!mIc@B=cX^HL+eEdJAcs` z04*522kVv1$xj49(b&O-auS?~5^2f1oK#!BJ0Q`He}?jn9cH&eSV^r60K0_~j`HW( z3bR_BOb$mz1AmVXSl@>#Il$O}Z)U6Xj*N_4UL!rn>f4d^ygyPqnD{U<15&heKasZ1 z&L&V}d=I8Zf|V8c-|kI+dG_d_$oU2^@?QoY4m9oJ99#1W&!(HhO2xny?R;aY^OWaE z0_%?;uuT4*p!vQo-r=;nJ|8h6QEG;OszECEV3+RgUW&l6UQA`DbuWi3g-xn${RP9 zaeZa2ScWAx?A9&ZJ*B9LFRsyRBMZ)1wzPxl&U>XU^j|S_mo-Fh-~K9&AA2PGV)Z92 z6DJ=gJnuH&l-MmAem< zD65C12*aAx!4xjEeZef0r6)xnOV`1w=XSVO=YHxu*T4}E`OnRA(Uk z5+@K$0ZzkkJm~=}=hY}Pi!XKQlZQWzOv0*&9k+iR|5jV5XlW_gwqBuSUi)|v3iByb zsK$~%lHXv6dsvi z`0a%s98Q~im+i>}c=}EO@%eJU*h)hom&>=_K^3##*#t@;dc;z^!^#`3zeQR`*J_KHKwD0Wtvn|8j z_6>7P?7SZp>x0euV7q zD*0g3B+>gU25Q9m@_kOiE$R zkWzP+{>Ct^jok2IJ-^dJ0>9fTd*8yLnXua}8wH-SJ2!JoZAV5<--^tPSy}3HeheQ) zyKDw+E(j$r4X=kZFFl@Wuw_8<@x{}!_Hp~_ol~slZz2!% z!o>h+Wu@*5K_5S+CM0xftTRYfR9%dbeHJx*5E34qbRo~}BW96ja7AA?QdU*9u!L9j-m^XdB$&T2w4jE+|RhWe77D?7_^}SHmzC)E%h(bR(Hng(8 zZ(hQhak_rjKyS0v?_!c!ocGywvcXpJXUvzwvdzs!9Q{H*zGo@ZW&3+W70%k>MGI|R z#_so5haGc_nw`*}L6JYeys=yAPfAT??pq)^sA+Gx?r$+(Kte)7EqDcnBDBRLWV^`S z8Tqp<`V&UfCVv}u}qtPzmMy@qi~RAINd zK=|#OJ=Yqq`C-88D)ybS;xg;4sDx>uhZ9q~w4NN#dsR67Vd|MJ#hug;<|(V%YXynl z>kfld$BfoFZmO5~qVw3lR0gYN*=KhK-Cx+xT@<#uGV`vQzELTx&@riHuxVU}l3znd z=T|E)3}9wj@ncrlG`5>fw(7t)Qz$5cqoFgM*6n9$^ua-v zKaGH7z{JMxdbGPQDHX!=yx*T@hw66s-UgwEZ^-ipt0E4V{`14-j_PnTY~2B;fm@*b zJtnN7TV(c4(|s-&2aAKs?ubF;wxG*)F`fJP@S(K+@Fdw)Y>`<17KFj=n|@cA=ZIk(SRrKC2j z{hThi^{Pyrb6~f7d)5+&Rm0uGT4q8I2zraN^%rq>MT*85O97n7P`hj?gM`H+?W zEJ*%W4k)}YMP59SM?k*LxRNz*l&!>A%$KY4F48Gx$a#Knz?u2!P1m*4gpF_|t7|9o zotlZj(Pr`w8?WW;ycMut45YI?R(uC5In+@)eh|0hKszm*!i#9+({;FXyYuze>)Fp> z4n4!{67eZt1FH(JA!-PltV%Ulg{Y9_hAR+^BtX+;etXDKV|USVx<%;VhJEE!lV%L~ zS7WgJ8R}K40r_SJdaPOjOi3MyWQ^`zWAvd7&}jix53{}+i90lF;Q;CfI`&33R^20!ck_OLHtUpW>Yog(B+`e_#Z*?Q;&=sXQmSlVt=@YnV& z`dJ7M&>Iz*4IUTBfa}muvxC+d=2kG9dSXh49+UMXzqLek>vYEys{ohnu1Ut8W1e*M zEsFe8v_dUi`-BfSY6f-=%joZXR|m_T*r;T<+8G*FWfAH)IGNfB)m7VDV_56!P9IE$ zhHB0`M8g!-yy@A!3)TgWjU=VMqP~}rBWU{~$o??|4-rihMUMUcdm9D};-U27cl#sA z@>TT841ByxzrP=mK(ACI#1}>X7IlqaQ-0Wrk8t_kJL=Ij6sFJkQ;?Z8YvL{?f;iA? zl!T`JTzyc&ER?#sZBT^%!eOyQBWO2OLL_52J26pzGO^5oNu5o3^5I2u-9*%UK{#Nv zI(wwQz`06zY55hzA?VdYF5BCQ(lV<@!ztMHc<1cZo(kh}Mc@$X$?hJvc z3ba!e`c4KUynK1vFZ_lS_?@g<7fvdu&5>3>s#5?1d1Em;9naHiek^g?-p`McQw)ly zTvhueEJ`?O$gxSIM4F1ntm{WRSto?&F2d1f!a`BukIYZj<9$8Kd-JYHW=>T2tT+$+$={_6zN`^|N#BEV649Z1RdhjAIT2 zA*v8`a!j$x`D^(+h`!k~fVag}B}xz|F*B1B2w{NSRh^VSS^yO?#-#bBioFdsQpr*~ zAqiM#$0ZUi_AONe1ZQ zmIKkCoQlV^qc^`EjC85xTHyulg*{rsFL9F$clqrP19Ed)jwssN7SI{CjeLMh!uW1! z9wniXH8YEP`V?cd-s{s}uItTjyY$)3$CI9E&KaaZ5DT~Ek{dtb>q)|jx(h94Aw87?r!mB@L$^WoDn4t1>1a$U*Nn%mqc>d!R|A!6`< ztl=VoMk7NNB9P>EmOQkFStpK;GBoCzjIbV8iqw@;Q8~MAZ(YJ{yD?|GF%y(bQ*q|% z;Qz=vDimaUZ}StMwPj8FGe%v1A9=8@wJUe|m6c?W8Tp_(M*AS; zN$H{`A!Y?JOYw(nj4)%poYfR!kIFnySh8urdDLM;vo<-)v+*KVg1%B!`agU#L9eT25zMBTQkyuc)_N99F z0H-Ib$2b?hinFXkFg7&}(+_F`HimD`S#B_sKT7= z9ZJxgyWf_oxz#r$Qvo7Sx~{>(?#|9@n+N_jBO^MJhh^a%-(`IHqfl!|j0knL$|R7V zQ=Zvf6r3avwiXwH;6SNsh*F5@nzNm_e4=5e$|CtcBi}w2?@5dSKx72oXUQ;1kPCAg zEZ>KQP_bVc;?(g+?V-;w@o|C5-BXl;au?Rlg+?DeMVVQ0;iRXR4{n+4;{K#T=T^c@ zEArOIG!1~SuxJ<_Fm)Bwls=1jN*H}jzE8K5@5zaw(Rq}OoAMG_9pJ%e`?O$ z>l&)H5UWMKD@#=)&txVK;SbVQNUd`e-(9n;ToQ3g-6M^jJB)Y1Rgp&TYRCWjsnZ9J zMIV=r%x$=YW}2L-Dp}!MqO@Xh>O^KLCh6AVx&J)kTB>4~HlH#a+KL=7b}$dpDDtI2 zBc{a3C7tkX2+~&hy#G~hk|Jo

1PvxdRp4+Vgns>4d`fiVAZIhN_9o5sIlc&R2L0 z42m8@)&BjLk)Z|U??i4aKUWK?V+ko!lMa!9S_BEC!5mBbI;-?5?{`^JeHt>XlGG<# zn9*X|I8In8r!|cG^~b~x-u~bH&WaaQI;~jiLKr+B%HLhJ#GExilQp2IrC6F49Tf7b z;owfgmB&o1j}(gkU!^gZuGlWgg@Cr2%xLsy?R1v>uYw*FoUoVBo|(^A|F_-YO)_un zVM7TAzUY73>Yw*cujaC}t_>%%iKYn(D++~+2G#AQyZl@0|GeQ=-LdAADUeZYkc;OSrEw*+&GS#RgEowvH!GA0F&wB+j#f`k{EiCrc#Ez}lGcI3{wiCEiL9JUX zLZy4zk9*8T+JnMN{_~W7@4+pvS#@yNp7vaW;_OX(qI)OtYKT04iPwl?OmjB$M7>u^4hdEQ3dF*B@cuO{q&lnsMc}!YyQ0pa!hX!ZzeTeDX5O3kgAP= z7-82aPbeC8?CA_*QEqnL+q~F@!Ir1pd{#$zAo4h&=ifpi`JxD)+t=q62Q6j0t)JXy z7VU?+It^#1Dkvc8)XM74P|vEx5;5t{99tYHs5_+&WeQ5`o(b0)Hd_5S+h1tvedf&3 zncf_-fPJ0ka7yX!=boalswX)#z@Cpi1bpwGmjfY}F*38^v|)}j>p;r_6we&`Fr5A# zJD^$jopKP1nd}cvdy)1VB8OO9&wwHyHi zhzWaiYtQqOaMZ{@F9Wk?N<{C#NzJ@!EwdlDMkXnTA;rw2&w-6<=(vRumsPsfza75O z)0evAWXM(_ps)@Z9la`{C@ZV;xyY)E(sUqS9Q`%=l)WunrwxEI!en z2O(kdc|@?Ig&((lzf=^*;1R3w?=k_M+sN{d56{p#bfw9NtQ|VPb3j|R)M+E^I6+3) zE`v;{8Gdz=%-Y6QFOS|Q_dWY?J>2^*7d`&HuR{j6Ix@53@UnFFR66>7xt4i6LAA)? zk9M@xwy0ME_BG$CjbCSH=j|wS#zxW2LNxjaQBj<19|w6rV{A>s_6j5CLcP4IRK?qW zJK969!vt>xD%w2g4$1xJbb(E2-GlxaK$pT>g@+kt*4S_ygH8|R8rn{O_HEn5?bFR% z@CYw5=|UgdTDJc%oX4Ddyu@m9u2H4s-{Okq85ANnbbna<8bF4JaWOsmxc9MW_n?h4 zI@H^_B8DS9ySwXol(cKMgN1irTa3ohOXaKluMWZO>8*%MC?F^R(uifjh?E#kYW)efR)p$PXjXNjg}o~Aj*wVc zLt`K!4)z0@45dDRui#P6?moUpeCO?^mKM{~v$lK;PB<0P>4+VRzxK zh{=tvAJb{Frl#vVX{!#3s*0>3Wjm?4scMQe=CzK$^4Z@-sb)zkRALA*s!!eYBE>T{ z?n;lkRL zqIdpd3rB)Fe#UA;cse`6o{f?Ne_8hQ|{z+=^$0>CR_p&ow3vl!;_mxFwdb%W|>bB#%qe+viJ99)2*ssj5 z6T*jKsWxRbBmlC1%(*1*=_R88OM$%nBQpuSrT@Oj^K+HYbt&NcqfaS+PbkonNOx>A zS%1`ieAf0*`p`)WedNpvC)Gh;7{`8@%LXZ{M)~cuZj;AiI+ngiJREnv&2?8~K_L7& zv6cQ07y*&0(JfxA!BCtcgJ9W5*NiV!&U;JI5AI8My>FN2p51d40}7LXa{vk+^gbdr z;iF|(XpTaB-5x=H4w*i8z5aOt%iuEs@6>AXQZMV3_yjLt@*mX@!WE2swrkG z|31Q}yK4eDg1poPd@sPE{`8W0LbXL|4&KO$ygpi>nmRW>{(&F)Hqd%=hn^Bs1?#tb zskke`!opr-6W@l#eUz1tJ3I_5$4A?Ib!)B3SURb3;JATLp&;6_(2|3ddr6Lqz4e@E ztz~?by(5WDT70o!u99;9z9gHEl>`~x5i#Zdwk&A@cbj|yK`HVH*9X#I_AEt zcyl7j(R9392<^;%Vu2=OrufeWGczfEhfRT%(MizXkwVcIZ5@xam_sv~4VRc}VJdL1 zO99cgZ796E+WeQlwOB#kzaW!=Bsr7j?qZ~wY+7VpxZR&c*;no5d6b#L{j2I$d8w}#tE1{5v|{@8&-=!mT zwTxSk<6$9)LvCBd;FX8FJ2pP%ujOe!450CU%6gbeF^kU?(WXBc zxxZ14lPFmwoy^V#$*P7lW7r5zXLY@7HkskA*3@AsU)S(zet2*93`GPH) z`XT32N0@yBj55u}%@+`UO*7NMLV;_@0Dy?hgHg(C zNJOwO@3np7;gyGjC0p0Fyl?uZQvqjTJcw&fK=ul$S zuBb2X22O0gNgRI9tlN1Oz*bpr;vzw>cTuRdwBpyCDgYye_8)A9ctx_Ik-akkJKe=J zzw;U$kk1%fI|Z_WtIl*+z$oiXJ9GFSxAiw#PE4jJTF%vFNwplkymM^oX)t&mP)B^; zBc%x)-CPivqcy9g%fJ-Ni|prXfW4*Ua(PgGdwPj zdoI-)-$y=Kue~cdX%3cOEyv0FF`-xBhv2%twLWz8f=wydoi+_CG6>q)e{ortuepzK zrtuWsoeJhr@S^{=<1v=yhDw(T*{UL)Ml)-Bb*QA*+o)73UTpUTv&MG^Vl{sE_k>Nh zVq=xk`_i#qZ+WYDO%`m>&ThN$Yhr#f+-OPSerG|>-*Uh4S^b+0fGM2z-|~;@@I7N_ z`RNf$Hg}P&Q=1sM`pV;|`>p;fcq3owS+pN)|3bxo7o@Fr_2iqmMJ4%ws0s2Pilu|@!yV24X#}F%7BZ4pbr}9YoxiAjIVjR-ZNrw zmHV`Iu?MTgA*9oaO5E;6(f@aFhNzv!7yVO0B!>K7#sWV3|Mja6ybyV3W}@h?f{IG# z&piAQ?#BuW=^zF8P$xeKf5!wFrtlocaF1*R0@%rGHe}Y84G?5ky?m1PDm9)1Ik%qr zigK|=5Wn+MoR#&O)^7gtT&d%HVQyYla&B(GnhE%sF*PX&GWxFre|<`wjKMX_b&nLl zLxavw$61BaL<6l$HQxAQlL5Fb`mtU$*DeE`xZ>l-y;nNSnL+o!#8w#(?jtFGr328n z{AWE{l5%#N8Nf4Za_0F zY`AIIdN|4mrRa>UsS9)MmofylAN?gO#;(gSZ~(|h{Z>r{;A;b=Ic>^gG2AgJ2VCwc zK)@Td4tX{Un;L6JfU2l3Y49VPR)Z2i(0)?k>0jfXLihx?{ixtxHUe@B0Hi;LY~|n5 zzhICbY@%F#9P=imE3>y^+5>_@`1f7vQ+LAn_xUdn%A>ryQ?}t6NyleaCMHF=B~Td{ zz3}L^gQuWXfk&sB<0kaNj{=x)3#m*5poo$D_9uOe@PE>uS(^04wU0A?Qb8B~_vX`A@{w*}XE~ zNdEvn71gqVEb3){KH&6XVm8*t2HDltmO;}NW=aEWTvtIDa^pQ54uuMNfXq=b?lI-U z4d>b>{nXb>207beZ;3J~jo?pUmbpOC(-K+r+^q-%4Hrb%ei1@cB2qn>(_C8;U#V(= zuigkFesKSR>`xCJl!Bl$tZS)2l_C*Gwwx*+fJ_5upLIHH%5kI!+Zzu=1Gmo4EivUT zt+J?il(hnOMXzbMJp$1xa?8754rne)fJ**^nH0q17FO!sq219jot&TlD1giCE7!(D z>hy!7Bq@8m2L&jZgxmlo9-R!AnZ&nnE>FBf?DjwI0(0|T=h=q(rY@&8Y?jr%K1;O#BFvY$ZL9IVv&#muTRo&j7NWwby`Bst%0uB4lY zIb}Vwe3O{=mbB|GNhip_q~4#OwbrV%l0wxeByrH%pIY;5F>KAvD#=k5fhfhUsOZ>K zng@p<69e>){%p00dv(VM1Yce3mf7$NgPPB#=p#g$BH2UIu7grFEAog&DwFGkvQBQ_fnO(4#c-SkckZ~l~1KR7kdkOV8cVU zeLXL~{OD8rB=2C}LLVt=YF=CspfYnldmh0HLL`D(xJ!1An zpx-m@d&50mef6jC)d2^BBI5wC!wGL4 zTXAO7>>4L_O`zhyC2DQV3ZTQ%X%V}6Z(IXL6g(6i8r+U^k0z(4Qc6qJfartac~i4~ zslP(|;LK6u@z0A4$iCsBoFBDN?3Xr%_TIpYE0Gb76zz5K^WEo z+OMYNwC;3ekcQaeK3BPgRVip?^)x9LA0%}yn~LXKs+eA$H;W(-HAXuLv~vvg?zg#N zJOW{AuvqFhmEbmF$DmPmNnyk$t|0zFV?(~(;5~Y}M1z@Sg~k4gsuruDxx#R|*^oOD z&6_*}`ln22$C}$B7T?^*yz!zw$@N^loqF-jZvXs;esZ~*LULk5<-7ev_docj;rn|# zZA$;_%cJ1abEwg%v}$&-9|qd{nH=L$*SfES9v?O@ywI|ty=Yc-{yc)V06M55-V!>6 zX}6g)9!ETso2dX!)|%Bn7^Wf9_bQ;g*^OJgX}Ri1!mfyJYWZ#>!CH77!nAn(>TA2FpNc zs8;AwaGX0MO{(s*RAydzoZr>;6T^F3v_~{g_ktKOyOEV~TJQ194KPxUS)d{F#D64t zx`?S!Dg6VTX>UI3Odd#sUAy9=0W+*^bsYU_{>Bw|74=EL^@4r4Dy`qFhVv-}{=I3q zcXx38f_3wY$N8pFpiQ*f42rS60o?0OBoLvz8>#QkWm|S^^3Oj7P8^ju&4W%7fVZ8J z^760L3*Oz$>P7KOj09zGQ1Q-~c14_g`_x;HZ(K(0%O z4^n{iqQSGpq&ZXH!u%~3@8r8R4`v=K%7EP;Wh?6Ni3gR+7wldsxH}8UmBqzkV2G2; zO_+-2^Qeuiv>jdKpI`n!M$K8SgTHkL7}t%3$g}INCp5j|7di1OW`y|%+-?r=eAV01 zu04rVhtK(u{1RF#D$;aVTm(fdOj7Fi&kvlsH7;NaA){(NQV*VL4ho5TaTxmKX7WPuT`Xxx32&;zszya!kqN|6HYlAzoK(Pmre zM!2Gy+UJ`ohn|@DI_WTiK~N4WJ378fO-n=F4ysDp!iu!P`o3t|{h**wGQqs*CSLmz zl`Pwx+@u{g)%2|?b`1vqq<(4(Hmy=QQrOtzyA;NDX`h~)oID&m^hNt!m}e7sNQn57 zS=H^0h7a%92CL><-WB+;F=Lsj+6^@zbZu!v9vi7p#Gs*}mX=N-RX68_jH+)iyC!W) znm9_p$IFW78-y^t=m0@EgGzo>p2c!Vyjq@JJPffuR88R6_M$D2(Q#@E4XRQb;*SSb zZsDZdwk35O|xiGKB z8FL}V`uP6im03q+O>j|JAVH%iKFXToITIL<`1Xl z{>priG(c$*rUyMY!J^a16#O6JzB4MSt=sYd0*V5n1j#503IYm9Mo`3n3Mx@@5Xm`b z5S1t(5|k`iqDao5AV|(R36gUxpn&Ri?)~n2-|K!o`cIE;e%#>|EUNa|YpuEFoNI6D ztEvEIQ;RBpd0 zZ%`IX9jn~ZlJ&K4eKNB!aLri6cK0KMm9P`N@j}6K$bUl~6Cp;DG}P3ekPft}fN3Pg z)E+mg^FHTW>#o&%VMo%XL{3QF1LadBBqXgT;%YcmrE>SlmcBPQukI|DhrW?CU()1G!HE z%~{^Rn`SrPXz;8%A6KU_Fe83)%z1`&eauggwFov*tJfJAP zpl`4y06)KQ#mpeA;LTwOv}mj6?1#4_ zDOA}PMdJ^#;UcThVUTnz&Eg&F2@x8zQSxH5 z6P4a9mN@fD8b_MULM@NoHLE&+FJH~xP&zSRl_p2BPk&!{g{i6i@of<2jGW7M(_zG_ z^n!gzqde|xA)3TbWZTU0yfI@=v@`Lumo7P!mkJ`JE6a8qTqgPQd)e-a5MtU=lvssa z>k?oY`WE(zKr)DS>=A0M9X2?&&xxJ8kEcB$@SWtsJP{?bmU;nE*g`A^NpRuKNk1QT z6fO#vxlTvH*g_XL@fIIBtbdW%_PDg%r*?iD_ed;*U0;z0=RH;EueZ{E7j24LczlAQ%2)a<1`@%SV++n=aAsW=6wHIn5<+wf6yKsXtB5<_G?xH`Xgf_;(Jd7at)Lh&%;))Wx}Jb3dE7FYQ=v#5KMdc6d=cff842+a--1wr%QN?U%} zVt&A4>Q)R!?SoS$i!o5Bz+EV0`@$llU((<4|z5G6$Y(w zH1ug=f#`wr%2s_A+5ZQw2hY z7f1(uJ@;lg_By@Bl84&MI+N&A|4`ZZ?*THDj!B;iiL;;qm_ujFZad*u2AEI~ zS3LNG*b|z~mZCWb2GTg6{T5wVqR7 zzYw5NptqI)&~8z5-pgSH9S(G5XP1=;F7r51+$ODtNs8@ZhQS2kTZX}Y-AN6lw;T?( z=E4nS+dQECeTs?iETV$yj~d$mCfsH8**cg+3kvV@#YL4LBva6(r9Rfq_mTL*Jj8uG zh8PlXU{95$h(;<`DKu#(h+TGM{fEp$UkqIncVRdBok;bqp>D67h5IU~a#DZ826VIL z0SnieW7zW7&IQ!aap*B2<|x)nQH<9akpklh)-7u5w&Yp2?$l@-0X!#Ic?y z#C{tyengSQcFgvvICQChYXLIsZVkG42>yOyU%;J)E2s0wYzfNy#hexjglkTUA#nXT z0ey#8uDIh`W6L-MWQ$9m4F_sl1@A4zORA$mNS|D3xn@K=WXx29Vsx4_8P} zAlYXt`+D1;x22`@wa2AOXgC+1`MjtL(fV^ z9~I0-60~J)GM&|!-$nPlaut=8qfefjd3lw86(ID>zC*}h)9bsKPB3R)-;53k1N!Dc z7Yu!P%jR5y{;YeRzxF5m?;>M^--qg`50pRdrGCPRYH*`NmS#?{xHkAU(;4xLS0hoJ zr!Qvp%sJ^VWNcgUyU4`LquAX+2ix5(+xWZ2S=%g+PMMxCu=U=;pgelk^TF+&V& z+pKG9J0e`yHO&eZp5ZP~3ZFKdP{b*#6!~p&D~OcQGLPQYpc%BYFRd>=N88 zLH^+v3kF~nQ5r7#Y*Zf>h83RxG%{j+K73|z^DTE|hyATNv13IIiG@5sIZ_sk?r!Dh z+F{1r9&`>r4i8^RsD1#Xu*3OY-f6HNi!)5=U=A4>$%M)SeqW@#cc^iZK zym{J){>iwNqBe5bs%4E0B_^NeCQq!&&pDqni>Fvo*_Ynw{EV$P#M8csWk+i0GZcwD zc^(=)e?Blv|2ltFwQ8g31a57TgL8D|^`}dMg6(4WIKBoSJb{LqqFghNY=AED`j5M3 z9HkxgQ$*700K?-c~Rijg(&F8>a*GcN~zwn>$^ z-7Q&vE3c$9Hc?GKCieL=9HRSWoJZ>h`;_@u#xPgapK;7vtgPyk;oMP5m0k7u+pG8_ z#XLC{I9hWx9Xp4y4y!xEN(xGM$BN$4_eDi^I31_TcKdBx`rTY`!9;M+wTjKeB*890 zV|^sEAp7_T&SzK&XeoaC=hiKrh8LFkvg~rN>~y{p)+B;5CxslZU;`zrC45&&@J22{ z*=u}FaxdjMCLza?6oa%|-|c8gCZ^GGoIxd(QMc-a?{);oC#DlM@Dk1s+=Gt98dS+# zzb2VtUU&6m7^&ibQ8#eIc$*ED$wQ6vcccL_>j(7Zh1#9g(0rNBKR5cCrPYqkZI{_# zG#|E;to>|k5=k1gnOWTWw3*x5y918rZWvb%3%5&6F(7o*>&QVmPA?_lA&&pWxTy5{ zKh<^FEd!%a(_wO zhlGKOPM~_&jb&zMD@O9TaF`twuzl)_t0dlr*6voWzJV4h9=(8?TJwhjBscrYDW@$V zWt4*h?0`;Qz+l&{O)(g8g<-?{;Jr@<0`QePMxl?EuM%jS{;3i68F66O0qmr0(-+-| zt%Av{-pu|&sBm2B1-D^jK2U;hv=(_=Yc`oZk z{1&7e^!S0hL2;*d92V8s0Ds8CyG92rQ2u0D6!Sf(VcyyZrV|GBCeit15z95p4{}q| zX5&W^J*kgJPp>Qu7H?G_^{Z_-9!O|a?nfNW;#?p4kQ0*^YuBpL@g}dV;uf_mjD`hp zIF~KQhxCF()#K$b?fZGV8YhUy(lG>Qq!{xts{?ODMKk`_ zY&wwhAKhAjs8CjSZAdr_2Lq)#DhdKFU#RGZR&aR~^Dwsm1JNmY=rZ0#;m}BeA&E;5 zfEO7|Yl#xit({VdEB)#E6P=I;G7`Yo?WCD0MP30j>q@L^!u71xGDUIcOI3Y~12E9@ z2y5*$Lx;XAnTO2_r;6d`Y50AAUg0NrMHu9qa0!Go83AM){HUsS4pMQ|%WSS>Hwe|N z(!Mj$@b{st6~j>X0Y3b*QzV^WQ9WCf4M&fk2deNQJZ$)jq(TXc{pQUs6|YThLgq~V zX?|2Bfoh1-J8&q((Zln4b7Iwx2#83@U0e-ge^k1xR_)>5J|13ZF@XN5bkv;hksIab1vHMmhuxN?9KC6Gt))^?ehDqZ30KEo!*a7InsW7{11Y`_KPc|8;R2_J0W`$b9H~gp5$oBV2O7-Ov0q%nJg>QxkT1332*j7(nDYE`Evt)=)2*cnva%sr>|FV zpks87^Gy+Pqy-nCFGaUpWUhKQjH04LuE0E+jeSc>F<5?+rM{gH>QLw(+|l1hq@=c4 z!f+e8F%7=2Ij{f}!Fh6VBH3Nv%5I5z_A5W3-|x>y=f7YL(LqU`cNm<(>R4RVeVXm{ zS@PZNVY|Xy`(6i)r2xA;4wo{H@@I6<5-wa4qJ7$eOj77bN=l1ePYi6CI6*7@^r^xV z$xf@a*ZxWANkRU;a|shVYp-K&;p0Du8<&==PL?_&`GjF+Pr;5V`Gc$j`{=xTJmxF= zA~NIC;ERiGPNC+}c+>N4KBJ#9p3_T-mqpKjdL=A;N?W$-awIk^rhjx@Q$P99+6^6@ z7Yr*A$`eh!i)-7_Z!fK9N;o>TEgoDaY&&k_^9rQ z*iQXc1LbCSTorw2+vPsB=Wn}uGdqWwp9W0gA$}&$6xiE_i&t-R(sp!o_|AItB+mVL zZrVPO#BtHywKC1kdS;0b*52901rMpLtn82>iV=3XRY*!o`Yz)nJ_2iX_J;DkN%6O{ zCyx;se>HusCDh-YR4Z}xx%Ly^2ClM_?qD;XE;;3wj)uwN8i8cPgQU)hF>!l58GhJXL>r_UA6v*}(C73Ef!9E?SMT z32{diLip(2@#k4t#vNtjco{tpL~SpxUWQG`V*FHWC2V_?pGWJ{>%a@|>8X z${W~~@Y4ZxH?A1MQLXLreV5qGg}F7VIGC!HpZb+t;=JzQ&QCV;=ZAUml(`e3QkE)b zoV?{9cE#)-usTdV8GDLI&WCH|U39;3At@rmI8?LR>g4<|Z=Qap`ouH&O-eX`_WtNc zGMhEA7fS=IIBq^9nIid^XHZ|xL#p2%Qc|o{4+oFIckeV@m8Uu=6`>vxzZs^NoH}!* zk1g$jsq97jmn%}r%8@F{vwC&Lg%?a#Z@q2{s_|De$-Ci}#({*{-aS`&sMuels2E(o z_xOtX!u)(~To%FcSVpg}!tWFNeT%nAeS@CA)#BEug%!zqEL-1g&|d#dELMtxlUcVu zqwx4AsvtfC9__uRi(($!G-nEn3eUT#vE6?8Mo&@qn^3!m1#9Q*cX_15RsT#zX1t@A z=2)L#x~4_p(AR6cWN;ALzy~`-lo#XgG|X$SXJL<~t3uB!^pR81&r~6j%QU-R;e&$z2<0&)^j-A0>NWu+%SFTc~B>f7@hw z#HMtMZl*2xuIu;W441&qBOXXj^J$Ija_e0D#_50t4-vmV+w|x&3S#7W)jLGf7sFNM z*_fW9a*o!AQ#qGa zKDch6Nl6k+<7bk*bm;TMamgS{=F!iQz0O^D$0Jub@7cESUd*~r_my|{34RUofmX|% z>grDC69P%e97mDb{?}t;nh>^$=hyRts>L#OnM_x zeh>$RqjJ1Rm}%C}q%SFFCA(qu%SLIOh#MK~X$r>tM`4PbBW{8kjA<)7Nt-v}khlzv zehIsM21wSuxiNLZh^<5WN=e-24?P8OmXdM{I1E^pYt^oLoP>~Qx%qxi+*4OPl$1Y&XMj{;?U`P@b&lX%Wk#$^aDYk2z@-XioZ%{J6J&gI@C-?W_R8 zPu%{aYDrxsTL2!#87_9W!_?okKRA*tnr)qa|27_Mdawy0dF<2dg%?UfZPXY-T^`Mf zGwdTQo9fBt0~|BYuf{@hJFw4uBxcXTE=PrM#^JH?b$PTXi0=$% z^IGA3zCZev>efst>kiY8O+wkYFoK(ziewZ10n<1amuXyk{3;eFftx?M1E=A2O6pEV zU^2xQTlVhGEXQZJdEgEya>h#tlZquEkTSV<<>EMg3h_v^e4?4&AR-ST5J-`}!9qiQ zna~L)mwYgFUm7K>)eC;go3q(DGtV{1eGh7>ERk2@=KdZXtrk*o-Cc0rXsZnn+q}Lkgns_R7eg)4n#My zvE9D)Dc@>xwp-;)H63iWCHwMWJ)M$<#>IZSj(NAQy1l9lTw-3Z_*ns)*SkhXy_4-E zYFs82{!G(c5P3;k5PA!qkw&c+c01J=3rj53MJxTgi=4je8oWCw;{%1F^iV(=dT&g= z9i=??3T7!@w~+W;xpoW@i<63z$c2)9!Dy6xAUc-Sczi4~{dKRgbchr8ZG(FWka8eP z;=vOV5iQ?0`#Z^{cVj2|mU)940&IRO%gF@`u`4J`0L+JGn9 zTSLXDc>_GsKQs(d78X3I?J=Z~$SIk4ZbPboq}gr=74> z5L$Mfv3zIACz;QmTV5_+nEZi39VB|Ry2Oq(n4LQ<#Ci&L#Zyi9YORm@B&TluY`eOS zgQtVSjvX}7MQZLT7Q~Ij<)OpI!(Vwsl?!%b#PrLK%K?~LUKiyH`wLv0gEz5EYhB+% zegff&kPY12_;IjyZf{R9m{?uH0jp%h0w7F|s?lkvsP>p=+jLu84r4pDmS-}bu0x+Y z#2Lv01IqEU4dYK{6BZT<=@U7JNTc2Bj%l5hg&2TL0Iw(oOFQhMre6vnXH8C(P_&aW zy!wfCTGbv#H52GmW(QOT1(hlb;+8Hsi z)>q4nOBYMD#7Fbt(^0`zu=wx{J{e7Do9`=D2|P=WasDTWV{YOZ_(hXvtEi@D;&#yO z0h!PeP!H5n$wwpBP>1BhKk@VP`%k+xkuva+(9z$$fyC@>Hxk1E$>fR>BS!P0Yj$(^ zORa4bG#moak9)-6Za-=Gr&l%0NIYGitx>w;9l{JXtqvp@*T`=t>StxHxy>xO-+Iq( zX14rs!sN^i>M+&IJX+h!%G0kJ^0tq4^oRB5)e}q{Nfr&70;22btEwAYVu0+GnD^!R zF%5l(RX84(F8J`YD7V@dooR6^4u9FW`jxCh_!Wwo$Lo)2$yZyk{B+v;qS_%$?CI~d z^I$S6%w2=!s-M=V#UpRXG!m1~X^Y`al+mr(d->(I<~#I3PFpU-o%iYMeG=`#H+ z57%Sw^(k6NViS)5X*Cd?3%*CohXFh#r0R&DT5}reb**usAF_7vMhhUCFE!ks(?-qJ zIYQ`Jp1%`-UmeA6-MkGaS+8R?1Wjd=)2}6VW7CZ>BATy79SlAf_*$5nz8W?6 zaX+{inOz{5re6cmx+rM=d3Qvbg6J|~Koe>7sQJB>->eOW?&dbp~#3_dZd8G3Gb>XiszPm54Bc*U> zH?37#mO6S!Z7du(f7*k-^3bYa?RANc$J$pCPciqvu1vy-BZkl_E_uZ(x8_NwG^H;! zHLprZxQ7bm+B;x;&9`HV-_O}x4}*Im)+etZ$2_^zrpFhN51*=S?! zNM&$(pn@9qnXBv#xwy~JYFxj9wZDv~-J4|m)TsK~#&2+LAt73pr&NEjIG-i(EZt1{ z9DYjo*-k*3+erk{q%`3Td2Qc}Ecq)Z?Qe+Vl9UuQpR%Q7bt{(Umzy-eQ_*%%8ei4g z5B>y4l}Fa){`}r3WVM_#@}sQ0STSO8fR~r2x?>vC^3asu`s)J z8KbbL&ZxF)F&K58W8Z1tT!c9-4#iB$MF7rDK(kkD9$8D(aJVoZCvIzhEVSQ(an zE#5vJ70ORdp{H_`w3 zWZka^&yTcCF5BDL>Fl=*9*;hI#e5+==Th!?$)&h7%DT&M@I4RoG9kRm?mjIM4PjR9 z_a*RfcRU5@m3lL9?C5g2i(Jo7`v$8)ho&ZMZ^i@7>dtAFFJ64#6&`n$m%HqnrIjO= z32xtnxstS6ljivh^lVh$E?l3!5j1tjd@#xjve@6C2O-tfyK$VnKOsqq41D_2*K#T~ zjyx6=NR@K?wA&c=aA|T_{2E$5KtS(JD8{eeRoy2GZa)!2K?L~kBb1hNi)K_q zH2CDHEjv6RrzYEDA6xE2ux-GR{EdRUw4(VF(7|OzTFVc1c6t#~>bfzIrZ&B1IjCX2K6?kM6zbc}8)BcbaO9A^7?9-QLl>YcYBkp#v>ST~)|V z0@xxht|%%@0&b0*{q8Ni$82{%k@)+Z4BXWM`V0vY&Z2H~OY%;V ziH#}|nOp~3C*h@Nodd%DU)X@b{9MfSiLL`ADv7VY8#!VP#p z8)cM^$AY-VM-i?1$xA=9R7B=_65HYWZq;nq3L=0{6&2SkEIfRm)3`27PVw7#T*P^O zGJGJuDdaY6&adKn!N#Rcn3X-|!mp}k8BR?Oolf!2W%fPuZVHvD!tQcJ^vF$Tb?;yD zslXn89mVYg$1Jn9MX6djL-QQs-(8-9AjY+dCWx5qrk%Gz?Cj1Z)b0PW!3ptMr0v zkd77a-qQQQP7aLFE^#`6WJ<^Cz4ym-n= zG*@o*CCgQ4LZqEM*z3x*WUYQe89_pS0C$GT(?SZc?Oyo6j*q=)}~TcA*Ty<7}Q3f><8sy z3gpoC7wW)wrj(Q2SK06%e-CSt|B z%M*Teh{=~I@7eQ!s}t>0(m;WO4Zy0`zyzSzYGF$lIX&7v!j&s&q89xzjK1eHkteau z2F|p;M00z1sZri5rK=ULbQ9Fhvz-KxacCUgSDAh9=>1fpT~K0D5&;x|>$UwCRedC! zuPRsgsZs_*R5+?@5I{}=u7aB=`L6~gL|$=QKll}jP1^OH|Riot$PX6 zZySAyblE))x>mhit{#`Oa>J|g24b7QEV;pCk+|?Y4~`XyIfuZ@vy=_0zknu#u=P~O z-UQwQ8e%^a-3G++RqlyqWwzh-0m@&8mygF#2xud7^9-S7I++V17|b}c-(pv2KniRX zxHT_Pgl1=FhZjk1@3SP3oF02b>n&r%n10NYMuyw(Hh04->kD*@K@AnHFTJ6Lu49)L z=4sZLwPWl(ReF*!k0T?h-XONw&^tTsHh&ddcx zg=qQV_U5RU#1;W@v9M1aLhpGQt0$!4DY7Cj*B=B4QrXM~FdH{P&G#v3G~qjr$+63R zX$o1k7d1AHyI`j$0zF(WRq|$Kc6rVf)})BC!#KPRVQ5hmb)xFKt~5Q-aFYvfA6vI+ z1ghj6&ws?K2I9DAPm3lzYXgIzhJ1+DS?;GUE-szDz0>PeMhV=KUPpKdX@_`?PIm@J zT|SCR(4BRCj1Vy+&P|u+a#uePc`|bz5cEJ!dcVtAXvRQLGtKz{rL2JBbUZ90yK8}i z18l2DInGY`q5yJZ{~bI`?ZTmsfu1G%tF^G&I$Jvpn-a#*$@xb_DB0TmqG6bqcnPt~ zQzp;rj14d|f^-JyNDrzny46e=<-V=pOQwVm5APGj06jBRabTG^#}A#y8zo-t&4^`P zNqL8uNHelHAL+akhDJux^@qgpTkm+a=8O&sfe1Aq2ThDgzj*>&h;Wj1YQGoXh74iU zS~ZHltRc8O6iXVAau#Kj%RV;p2)zZ4iy%a*{>^(ULlcvRLJ4ezl5x+eS@FAX84!HB zgGDWC%VPb9TF}y^+_L^A@^!dc%NuuOLAqp5s#zUDP?3C*G%AYUar3UXMb-Pr?!m$0 zz<2aF49!=f%K$8&Ib`G)EUuYb4o;U|PtR};EGsJ>sL(Gr{6u`}CZfRMDHJCKr9|$) zRh9BjrN=lIlOW++7U7eE9 z=<5ptR{W~3FO?vfOTNu%+Cs|JafhVOpDECW7+6+Fgv46aMo_138yL`_Jm5%ZxbCMW zA+5qf9zX)Qs$X*D+@|lQ=d5tSZ5tECwb6bEwlI}qqJdzt0 z`qNTC94!syYmGFPiJ}<)a=!^6r1c{=!LBX`$u!I@=t`R{uhzWy38duQSCuXxZuv;7hweuco%Lchgwbo`7$xI!g}QsGm|$wxx}xUC+OZf*3f6vy= z&Tq=Kx$l&%%2grYLkpgbKT*o5N^3H}O)J-?J8e8-&}uqb-x{^ODJ#Bw&jFIf^{|g; z3XXsxbj|rI?d&{`F0KViDr~$w7;w=?e5o~!CbnSAWA774l3v7l9qCXZBH&Mhg2)`@ zV*J&Lo3#s@xXy>a6_?3nZ;$VHZXp%Zr`+ntJRqo1&K=*P&ooa4pdnmJcwr8|2QT4S zzDntD@)!y>Ri0C9h(Z~?WdZx5=dM*0PzE%-z|1%d3YK<>zu!zgu(Wf)u&|kzI*P%6 z=EfxFFElz?U!4oweVI4>y+(L5am_4LeUlxtMgb&P19Z1fKmmgW{%T;Ld|{K#OvMtk zx4)ZnU)3L}mvbxH`puXEW7GLaxaI|QeB>lZc*AreaXTkiXq2wRXWBTB$m75I>YAcH zunBz({-c+9RY8YFK76B-t$=Q*vxlbM$0MHL$D32QrsdrKkQoEJiGDK)1 zp_!8ToT9{A({B-F-153`@tNXcK9G!^qbw{Aic`D$&^tn6tsLLskl~K-A5T0{#RfXw z7x!l0x6Sg%amm2&LcvagE4igeyFdwJoU6TsCBY&i)v`k}W-4X9k(=AAYz)$EpS&a4QESD)j z7xZ<|^sDOh`uDIEoUfs6N!eR6-gc_b5mT!lWmmm#`;3K(wVD_jqFh_SGcEF`ZC=a? zWbsI;>x20PtC&dUK9B0>1p?1V`oo)6RDUHHPxFOg$>sEY+ZI=@!1)}aYD=7wD?}Q! zp^{hRZKqoXPiDA;@KlpfhYRABCRWR?cCRuuj}}I5il}8P0m;M_N3YErFzo_ON<>&t zZ8jg=XKdCyAg&E7`TA1Rp%T!dN|)F&%WjT9EIvIt_aZKn&V)8ZN-TElUayStS8NgB zy@!*^nPnQb46lCmy5$2Tz!z|c!F+)vu(HC`LLN-92`>?_>bJSNxW6hGV9wLehS5+P zuX0mnZ~+40?J+9{i^T;8`nhs*`-3yRlgBj6&F3 z;c2U>n^p@(5+bWMvu0vIaKY1FSYTI)|Mp->v|(znTfDs2STX!kwD+vvME5A%>v_0z z-^eog4+*peUNK_p8okhtOvQ6(2#C5f1?gi6(BKy2&_mqGmh43r7RGiKF-}5RO3@h} zR>(kHUcc7cVp7e1$I89Xec&Yi+rPb(m$Vo)>f-g{VNE5eBpw5I?)h&TfEms zT-(s_c7Y`Xr~+K#OtyFEd(@PrMBfl~o=!?k zBgr{xR$cbR){ZijE;}eO*&YmqMcX{_R;C)=BO{a66_VO(7-oX-^JImAFj@7S%8{{2 zbm7~&Cu@UJUy$nX5Nzubo3x5?F*y{Rj&$=?EEdSs8yC8D6ngYc2R|#2r@earwl~dN|)ZGuL8G#YVfp&ek^J+s64E^~xZ~Mf<%S33Bh?;;v4g zGB+%@{fm`tp&5LNPD5unGy&@Onwv3Q5Ov(S&awM&x8r@N<3U+&!bz2MOhAAJ0dWYZ zO%x!({;lTAVw$f(Qd2K_b#Y&P%|(X4482fHi34wBw}p*q96rE5UmlnK?QTnWS>KjSqG;i{&#=48SKY}`2E{k_5FGL|J%pC z$w`eY#}D=#J}v(EZ*S=?HGyPedlL=9A3wNtcyCnqKbP$S-E&x`o1Fh;tqdJ+8X>z2 z+w=$4^G)~0E+$sb7%UK0~=jpp~nFvn$ZA6Hfzm`x1hEG{AW_` zKUESFnXAbPGAvN4K-=eNlzE!bj2>3smEpfP`TUIrGR4*LeM3M%`G0Zi2L;g-~N z|J;BnR?SY&a`hz;b{YVkI+9yU+65~boNHBRT0R=I`b+?YUBmsQLk9jP)nl*0>H>O; zdK+$8i54(t#yr@9>JMs{uwFX`tse}ac_(^caAzX$T923$+YFe5z!3p|19kGl@HWE< ziNh`2#B{I3>vAV~;78QFSIqZtO){iM+dQN)GCl3Xc~ai>0oZEynMb5S%#k=U(%ysw zNpX)h1}CSsZjYlMkd?EH;4-)&yDun351^X*?oX6C(5(WUf(pazT7dBYa}F@+x=@B; zNg&6-<*e2<{m-)nP(MT$ZJyC)(XDDNw3R(`x@UDgF!uQ_xBgj#1r|G^E_bIShAe>4 zVI_=w-_7r+2`FiK4Tm>vLFd-WHf)qYR8&t}X>IcY9>mbhY!Oo-pVnSGw=6Lke#-Y} zM&+RJq!^mhz@#!c(>k0~smg4MnmhW})vxoLe2{m;B#-YTR9Wbt5lLBdJm3~a4wlKxkL-y-Dkw?F$+hr==D2^w6m{gx zebi61+#FcH04m|x&C$}mVa9)@WeL;!QqVD=jXnS);MwdVVLvQ2HTggj0RjSux##0t zKL0rb^<`v*Pa5_$>;?D?luX#t@kKlqp6b&8Xi)*@BOQJ8+k#c`<#xDf78Top#Diww z)Hqv;q=fq!XXihwPl5S8)^=P9L<`i<0NgG7sTgZ76cu$u@b0enH(onQ8b&T3$0l5J zq)9@j;o5fp!mJx6cHgOK%LA8ITjjPfuBl14G?WsD`{PG6J-w0K*@&m(R7yle1yTAl zG$)7Kbx-jczQJo$6&NYgcng#OtR%m{4FUvRq%w`2&c5?jtJl`KI2{;I>_Pp%BOlk2LeL|!*VYRnx5E` zc!?$&j^l+RPe338pMmihSOWm!b0Al5I#7Vls{>>RXuCT3g9tK+B|l$1aSn_j=WXp@ zXFU80qTPE?ihvVT)ae6?B%|X?e*Q_9Z)7D|TS-LVg8?Fr$h;6ml^(6?L7Zzuw;w4z7Gs@zba7+5?cfy1_PXYnz- zujW@zz)1&n6%|_nSiwjZ)H~%9aTwcClED9Y`?J)7pFUz zVy24`X2p#UXVyyKzT8rcV(2R@B9lODWBBPvS4Q<{67J}A!m;pZ2#bh_C^LH8;;!CwZy^>woDfBu$Y2S^9qUT4ypTvNnpLZwVDl z65)K}e$;~lfqeV-`i02zliK(-AQD)@WfX`cYD{}91MtK$Ib~JS#Dre6$~oH^C#rA# zuqG-hO(i84|lLM6|b3zcFBJww}$ClyyOe9X#lzRHnx<;}jh zxHxJ|gC6lT@IqVo>!8VWUTgYusY)Nj3F=M(qtAWy53gossIS8b zljp(d7XVf$A)6iih}=it!Ki_Z#M}I(&*q`B*(Ei|Z;eAPr#)wFq&t7*qb~_wb1cN`&h$+0Ys{UNOUzj)L>eM~degS9q&Jnq*fiy5BF zg0=`EL;B4SNM2xYR8sfR0L}WrqC3*zAWH(?z8+FF>0pW`d#YHm0JN!vwFX@g8e?#> z)!PM?kG}!3(-L-iT^&~g$fGg4rMV0ZqkA+V%{*k&jP>B?fbS@8cTAX%p9ZjXsPQjz zSCED>na>%7?O*P$bs&x)&cO>uEyxaK7-&ouVEX^f;zgwP-&nlfJpVsfynyXto6!QB zZ}tn%UgJf~5MWYm=qJRBuJN{+A%?I++y+ZQ1_IshqN?mZWI%XO_s1i?l+{|!7!ML# zZzymfnHfx(s=6Ype3Is^pI^TV!b{j(q^W1q22&XdR-(u#Y(B{q5 zJgd#idf4y?JYXO{BLOM$Ee}V(ZnIKXxq5wIpZ07w4ksv?)ZN34Y3|`RXR$}Pc8~p6 z;sBfYL*V&B{I9GF%OHk@s;F-ib|6UZeBdTRNz%5q9G$};^RaJ?cP%_(s@G0}4Opqw zrg#K473|mJkQjc|KdW$(_vzxS_NSg0=G#H-uJ%ub;K22~jwWzK?ESuuZaH{C;CY0h z3;Z%x4cQ}Cs~>etg6k6;1;>Di0j>kwzv{~0zaPBP1Ag?a5^uuNia3IXDwJvPtPt-v z`rdt$IrS3C{B98Bi;p*L1Y{3f>7d;P7nc{9Eg(67hWAV`b?Q#15okA%Xj_)2WOAux zI&NHIx!=o*8rFctHoxDX2691Y-ys5B&ihC$UkF~<6pBc??XvrFe{{xjfS(%59KP9y zBK-sPL`~D^LP3X@2P`-N3Kyi`YrqXd35JIPoev%hrUz_gsH%HbIt^`wpxz=i5NA*U zFJ@!$fDpdZP6x?BJnrwX`wf>G1GWP77OzA?`Lg&H_^y6H#sG8xN`rfsO?|lo^`jHV z&uB1s>?wX7>3%1L2o2c0DPKP5ut85bnFj&BQ2N{MCLET$W?7;3*4`w#BSb@}m;zt0)Kswjk6GAQ)SMVGf zikwu<_@PTNtXrr$>YnQ9+InR^5Y3dZk>Nv8GVGo3#BTB+rb88^P_3YelU{h64eKc8 zwBIsSbsmc4emPw)VmZ^#%8V!}-FywUvrfIe$!lD0#HbY%MR7BAFZ2C|OhCf$^-~Li zF=@PzlX%2s_if4Y0Z829q(#X|aOT&-d&LsU#1#}4>Vc3225G#I^1>b&q6*jEVlAyI zXHwXW-SHX)SHie|xtH2XZgVOP^zkjB_r0@*~Ir3hx$v&Y!0oO1% zNoOkBO$F#-6PmV%sKo%483ZyGT71+mm%fHV4p1yH<)`+}p(K{i>ak39UOd3pyOU9r zU@FH0K}2B_Y__G0?UuV$k`BcqldD}RRoAhTQ&{}cj*cp;qpmLga}sgTNRqaJgV<`x z@qNQAxJR7!+yJSa$xZ?X14t9wP1-(y1pJp@gYruMg?h{`NYJw1# z8Q3e}H&&)vQ2Vb&qRR*FsF6sWB^O@C(C`=wCIqiBTfv%~*~|UlA|eSW0NkaQ`W9h8 z-~zH`+h%7cdw!q6RJPd@nvi~rk=yH~0T-^xs}`1tDg!2_g=g_Z8AFZS5&RRsp>8!R zD-5W!^Y+pqcEufULc5)6rD#*CoeF9g#EqnB1B@q3YC0Rt+@zqyw_X&o3!kQQyR7x)4|tYO!Bw575tK~}IeG#-j%Z4P zM#--roLw+M&A9J>@Hy(kIprDpr7mOwVzjv>NYdEP-BtGFFU}twAXh z8kH?4x4$N}KU><1*x`T-jli{Pdt?sllO z`M3=}zNh(5o>wXH`qDGY!L{jN)H6jHX_^HYnlMJ`9cFk1H*Wrs1h)IH3g}el)X}2-vaUsjV~b1g7^5z-WdVI?#cKvMfao4Phn^nUHGz zOfmBaXv87a_`Ong2sZfNns06$JqaoX&tU(qOmUs($i{#$DB0dHrvPab0ayiKyeAjb zMkt1pu1Vpi;ICOosu{0j%R}DbwSQR)?7k2WjLsl`;y8;;TTkcC&(BkUZe){_X+zRE zD>=_*1Md;KLevI5jadoUTWO<`5e$>z{B~9%o_h4QdxniP$kvC>cHmX&<3Si&O23cV zyU&&01~-h;Dv4x)vHeYDm>8hlD!qN;npUMd0klZ~OHniIYPAG-EfW9sll{L6>a zy!_1BvqR>sd-#V@w^ZnCGfd=CTolVkS9T6EPkBrZNCkiIuKN5QwgCa^-mY_d2zz)B z`v(u&BOGFfqz76#EID?@-$q ziRz<=-pR>T^Bza{ytfyp_k>|%2YJQya`0p(17FxVJ_>yua30ASkMJ7_*<>6vWDpe) zuAoMOzo=uVk1cgfPf(G3_B!h7zwP1LlMTbouf*~9uwk&6s9aH|O;Dv9^CI+;po z&uMt#Z&*C|+Y+E!&|~9{+rAR5P%Q!0L}>Q>vE=I1HP5q^fZ5ocue)M+$=mppc4GUx z@+l%uL$?qAGK~~QPN~Q<(&YtHB`vrjPh#+Kv9cygP4H|i@)&uCUS5(0e%E;9lmPlEs+ zKz~--L!>a0QsO=pak)nhGO41@%3t1+M{=|3M4nrvsF_9g+N^(B@%CR60``io{x;Hp zBSCD;P&J4hOVdJ*JKj`w9BLyMSB5Qm8GVi&CGv#+=qqTdP~H?0o|WuBf>8wU!LrA}7*15l zJqL#)#kTbz3>H=Ci;MgJ!7Tg9u!Tv`Eqq+EC;1`nDR+m>DI^lwCTKjic6KJW7exSG z`cNULtQtt#F?K`-Q(6A1NADiDnm3#Y1XCU$W-(k6H5XSlm?EgW!_sgcPe4C6Ckw!f zrzi!;NVt$D2r`19u`zY7Vp$h5LhLDHQUX~6)pfxq@*6;G9lI+!`2{vSXl)BK7Ec)v z5PCu*s1pA1Dv6x>az2RD=_NSHN8ns(fS-B_qc-D<;7a+pjmiMld014D;J@S2EqgNFPL})DX+t{NHNyH@egvkV?qlT z>RryIw*Os-2i#R3dc8)E4(Sds9wyqwCTshJ3=@|w8Flm|*G3D{xo*Czh-qu9(l;GR zzhz@H-ZR>Ygv_lbl$H|0YTV)Szo*!%*V9{B4{uajSy5688R+TB5)o8_L=RgMmdhRh z5Zbo_hz4#DAk9FbLG@f&bGLOYK?!*7UxU}^;0VhKD!2~V(y|=p?#h6>_$zdmFp_s9 zOq8h3r}gD@QUT(4R6(tjsd&Hy$fE&^83lS44+;b+9E-8L&v?2Ex~;3P(#L{6*=RX9_7DcCD)rmq0p$$=RUZxCld@uG*pMf4xT1b|zY zjkKQL2ccBZm6zK72X${Aj%E9{jb0R$43%Wa5GqrlL1eBBJqgK}Op#2PLThR~p- z3`H`Jk<5gMA_-+q$xNANYrmf7_xry0eYfpff2{SbZM~mA9&Hcq`@XL0Jda~P_I*E& zvwb3G^O^Fgg160Nur~!hM7q5D;JoiLZ%wu9x-CEWjDT9u$wl^b^xnzh*4+U@6F5BJ zz+B&>H1Z!Aedxyl{*-w9APnT;0ktXArFQUqEs8*>Ci5Zyg|s&k00XiqY45STZ2b*SDg=|)vZ+ZzD*ZwuQ$MQkdPL7_*)d9a1y2bnT#sX zpG9dEX6RekZV@W&LZPoar?dSoN+R$gscdcKU8TklOz)TvTKP~q9gCQZb{Kc+|M*lA z@uzPoN2-3tn}gMh!o)g-{auO2p0%|;|79PSJg`+(_qfX3HCNYK_ZKidQ{q)$TPkDI z(oR01U><|Rah}l=LW0nLLbPGt+t zFyvzpSsM&8oXMJ;-1T~DzVACTUmxw|CYHTl@%uU%3_wMQD-ytZ28~#41H_3s>CC*v zcRfh^O(o$!Cc=s+B@*%)vF7aN7@7vkVFe(-idSbdOG+IV9`&B2C9-s@t!Fg-FJOo4)WH-D0#L;fV_Jm;_5g0RAJnidSOOJacnA`O|nd!?5rRaUHS#25} z(!ENG11L9p7pC;{{TGp5Al_<^aV4DLBG6T=@Shz5hrf?U)f0DRbzxsBUnz)7NMIs+ z4#`GjCYio#b$@38$1Zp!$p%u#O!08C*kx}h-~mC?l$YXEmP)ogWoUy1kGoUtzO$z| z`2xpIo%6XvjPm_+8e2ByDY9{;63v5<_yL>iIo_+Ppen*Xrb{GQEbrS zDlH`(-e{@>Q%`h$jv2?H@jn%8b$_U9 z+gvJ3Tu0E(W7yTf?Z(~q<;y;Onxn!h$tD!j+8eLIb~GccJ75r3Ca69@lORr5#4Z|q zANIJIByF3>m(jok0VJjS3Rtx<-Q=&$c|q7macm5Y*<#aY?o_Qh&O{16Y{11v#LmeN z^vuq>t<)Xztr**hdOxl#xXhNAPgYRcUyU^a!FEO3b9TdriYbJK`N>ohR3$ed>40uH z(w;giF78CpTdPWHe7A&PRYj#5D4Z5JI5B|kv?iVda9bkgF#XVH+$w-R84w=i&W2JK zP*-FYVwTBB>O0epqQr77_(|Cj*#Rj@NpxXvfjdhXI$72?S=Y_tlOKrQwWSX)_j9=f z2L`Ot!>-VaDlGQdo}*j68qlmC9Mwq)oA<4Fe?FyL@ohY8QsbQhHNSFcFN69*$-ptz zvcQkqLEg_MBRcXr50K*ZfB5=uBMkrV(5HEK5KjL~U73`eho&BXrTou2_#Kn~UvzL> z?%*q@P375*mpzvMH;Bu6kf4A-z-r9h6AvED4Ep;qugCy#pk<7HzL-9^pD~RNPrm6l z{3bw9SmS0&%E~pCneZL{k zMI9L(BX2G!$q-LT8vjk7jbM6JOpO6to3jvp6~*}MH$Y5B;Y%RX7%8vtj27QEALB*l6!`uv_8=6c&z zoLo`1mX5jn%Rc4_)N6|o)O+>}4~%_%UeQ;*Vl3zUlDa0W9-R@^XU;r}k+TRbmL3?A zTZ32P@FTM2a6lcz>sI(<#qGOyOd*a}LPJ9VL$+!@Onp#IH;TqV(tX(4`r5l*27nl! z67oJn#DvYOZ&@&OlXN($A81z?81bv-TkVBHO`V3Pu5ofRv$Jp8?Af5Au>UR~TVAwV zKE0!(kJ?I(?2wU71ge8(1kRH)c5cv-4kjV`p%solU-{S!Id*Ku&gUYPJ_h!QJ$O%2 z21%vw*W(%n7|^&i3(W<{uEpL74RgaWijHKx%SaiA!IpIFaqGBu5lEW_j|ODxqgV|3PI;nkpW4}A&1`V z@$uQsIi=Oz0kii%JPP!P8kDBO5hE#`?V1I@93G8W?*w{CZeW6rY#^+D;B3$P?*@&a zn?*58f!>oNKvp^aGu0sE&U77;hX)9R4@+w*!>9;?YWdsRHy287SAPzKRTG3bsNX+V zH8sfL{TZ@90i;R*#fbY9`8_S`x(>@9 zA~7KkyD#1g74Q%II>}q|HJjB0qeEK#gWJF_d$)h(lI1LJI=I(O$CoWh$s4fAu=HI^ zj*t)+51bp&b-0t99B z?`8L~XRnJA6E~m`{%w1f#yUp25<)tOyklZwDB7}zHN^127L-Hd@h{NR-0&24cuBFV zs;*sEia&NPQu0}F=%W+T{cHX8VxKGz&oA1{OqDLFtw@_MmaR3L^vEvQql|JLJKN|p zso*#1p;YSVFg=ANvgnP@rf>!a$F~D%c@Zi z&~ysF!reTP#2zQr>)g2eS~4lF3#Bk+9Ea#n6S{m8eC5|CrHuOTduQh^9k$xzH~hTX+a~de(g4f9#8YhRGn(Dg3-X zY}D8G6zr}fPgyKvYZJ_HneQnuu>SK|8)8z1hw7h#ZNSx_wZ5yJJBm>w!A=G0@7=pb zx?97pnp3OKS#rH~kCuB0(g4M1)^K))aDh{VS;944)ET6|_sG+aKc+B3;Wnx;gTiY} z;JbKHi6As=KsAM84HtSDO?_D3>#GNZ$<|n>Y^@J& zx^^;W3Vz)dZfiM0fM@hWOTLEdQtyR_9bTL6bh8gxzHv>xE)d3Bzc|};cOoAA{*?9NrqxGn|HRXMT+}_VSs`^W!Enm_eCgyzHno7 z7Q62Rd?B^be2U(&4maeLzKeGG9o5C8$>_zQ!hLsOIQgIRb9gDs^LW z4WOFL5_?XNRi1N#EvZqU3Fka%wD5VUQp z#=Tw7SVDq!#ecXmH&>!}j-kXuk1n9{-9+MWa@@Hto52e*l@qMPu|c+Cc`oQk5jGNH z{UExuK4~&!c$iINs{<4IM0SRDd_HoyLj1z!svoIs-j#hfwF82T;)eYrU#)FXi;@lr z|9glFZD=h2&1%z`Hy;XBR9ZkX891^c(@z|B^KjIyk^rGgSh@a6x?u);q z!{P@6WjAb&@B8C5yqD!pDSv^JVP1Mp4h_y8P#jF#xZRL{2Ss^Xh-yHfVNl%W2+Vgm ze7|ia;PtHQ{Pr;;;Wi}v-xBER68;0OTH}m}X)bwXZFr!W~rFTu}TAa1>D-0o^y_AS9sGd`bH6DA)N}Xn?;mSC6yw5s+ zhN7nMZ4T3WerYdG{B0GjcE-3xM#IXl^bWk&W?xrBDx!he@VM6WwtaVkYVtX9W&-s)NhL@aN8hksyS>tX)u?jKcqfzt{u~_3~ms;Jd zvp2zHe3@lg--*txPG}2b(e}Xl2Y-^3Jik0jB%VzkUBM6V39^ptQ8gGD!OQ`#jt5=@ zX3sG#otfMqpV8Rv!z?M;ZK^&?0ph3+!vRHEytHe|oMvuWdU9A1zb|NuHAI!{;*5Co z=$J^PR;;~d^UjmhhdztjJF^n|aD8**y2lSbR{VWBwS<|V|H)aAs!M0Ol$&Xh+J3Mr z@4TmV8~c#Ap&@2|a82L;ON>Ud-l6Qlx^?T~=p@~{!c2cYOPwq($|*BD_dH`fP>|5m zJb&9?;}2(9kHVU;tUkIWb@&qF(niOV3<9uukBqGYW~SeVT(NPR=Dq~<=B$^_|}$<<=DW}GcycB`oJ)v4INy3YB5S4N{ zhQ;@(WEkAOD9UT2d}NkOg4VA|H>x@AjRN_Ak6a=NKdkWsEq7aAPk-#_J#>L)GAw2b zFULd5<(JdxSSZ;zvF(NJSIUx$Z-4O3#9g~vBBHx~XMn6OW_URLE-j=6SV*qBrM`BJ z`n`$LWFc3!IG^r^w+<8Ddxl5WZXz;WQ`_z>>q>JemcV;rG4GlcVj2ww&aFHN@!o*fxiU%SW~j}5Od>XRO` z&8^Ni#}4lhD0@Y9&k@m?9`3RL<6_G4-@~089QOB0=AN-Qe)=-4bms{I@{JS9-nSZW z3ZQX{kC@cDfQO4QWhc77$0KU&9@nTF33uj+YxdJCEI& z%^kKpR`DDmb3dm#ebjZCZyP!vMH)m;wb+yeHa+ObnN7NpS|>JI|DKUomQOWi?~TOq zm#=f>+|tP)LPd4E@8s%%n+-woXB_y609)eB`6U)SgWK9Irqj^}dG!{5*&>Ve_9Yl= zN1q{{m6WW*Pm!jor(~jg&QSUWWn|cC>F97@c72hey8UhiZu!|rTYA(r&dSjOF)DqqHm zc8hFGY}|gqHb{EL#>b~j)7>a_bV5&OaAbseCZw=tCS`VGT(-%F5F#xt?W}nxYh=eC z)vp*z^PY){DYZq=qn4JIcGnSa*3$Di+kB%6tfPYE|x$w*$E5Z-brPoJCh1ByryynZ!u z(beWo9!jHrOr_CKjn<_8Vbv2#AzytaqyKg;?E#vq1B7Mf&pMYX5u@vGn+F_6=S2{@ zw9+Y(T)O_UIU7A&gbaDV^@WFY%^&Y$Y9kGIre>MrHz>E2eQM(in->ybHFzb$eL)m6 zv5vfHFjl%nZ)8M^nKYkXSX|`hmq6v)rPSnK&+{x%>sEKM)ea`9gbS*Xt|BtLn~@;0 zkL;nl*W-=&&;A$nq499tH*`dX>R%_0o8JHB?*B1Vp>PtWd6O7-MyqV`Hl}CAX5i&YqqUTt6e^Y ze7a=&b6&a1Mjt`n3Qq?pEtewS|B0%+q#Q)gMv#`^rk4f$!WvPp(D`05C?u&1elub| zYM8Sv{`a)|z3@5LBno-+pjzEbwyN60OE|6UayL(#`8vPjWwY&9#Xvba4ZZlDW4t=^@QcuM;<=LdA>i-|jFub}{N|+Vo@BmZB;R zb#(^vZNEFmRfQ-=#(ef3<~9FwK7n$5ZDjhv8x{A8f-qm%SLh6TXMrfB-~8y|s< z7{_XS4Hdy*Sme!kzanjzqJO-w`A|-j$6nPXk0YNC6)U$=`{m_1g`W0gw&_8SQf9-b?Mqv7kEn3$YIGvZHpOPdGLr|JxeT7)jozkg6c z^iB_9C*HHEI~?<1ulfm-GaG>#iqbAm&%Boz+`FMc9%%bdJ79>ZOe^qqt(4X-!KiUc zOnsP=nWfckHPJ41Z>BA|c>KI)QIyEq;m0EOJq5ba7DZoQo_@%~`hjO?49yZ;co$z;(b1gQ0>P4v_e~Q(x4HVUsV#F3nq2s&FtzPyHeXsrIbJB$) zgVJ|4e8jP{wXKcey~#VgZ$yQ_(~q}s7&y;fR{`vW0}pP-rI&C}DXYIVnP!UL>z8=j z?0hTdVX=~}e;plfmW!=0%}#k;@MJ9gy9@8ZgZY4@pSruRBiWJRdZOYarLX>231O10 zcSc{II(Cz0RBO$80|o=uQ$@cV=2BhgXv`J*D^slVCk7l!AB0&Ci&{+{M)Emsp_r6W zQ7WCOJ?o~elO^|Z#mP{?tYQNLQ5x2Z9#ulnrjtWXW8O`nCys{5P*YRHD#Nj;TdAq3 z@5bDlQKKklNv&4 z8tzIfT~&8%z7t}+w{_^1-p_m2$;5R*JFg>ewsWjQmiXG*O^>KzfY?`KbM7_Ix$P&z z1>#0MuYcGW89bpWPH|Vre^$mi+$C{zv)6dW(tO}??W{Abo7|TtI7Rgb9^ZZZVz@tJ zS}&XHfP}|S0(8M7fBCu%SLO%gHuyPiU>N>wyq0jnY0_jdcCG2ciif+WUB>cP*=H8n zwM&A+m%zh24_MQjsYZr~YW-BAX+%-7Tm5$0dV->$#u_CY>Px}Nt!@tC#JK z)nW!$PrN;z@L#U9hM-s&5*5~B^>jl`~d(Ta|NDeo?s zpURF9*?9{oiV3e6RfJu0c}>=Z5f!9H{~z12FfRW`g4cE zDCEUw9+yAcqTSI_8YLakzggYoFcGjkEA_&@d+$rd+<}x2Kd&~_NrqzcY?Iz;O?--; zuNKlWS0YS*y>7_JxIjgSFhvCT-rY7mG&XjkqUnLD!fw&|l{bbup_4^(Q8x_Eb<71c zTE5Wq?JhD-PEi-MO^FCnaY*^SZ~DIUN*W^i`bSu8mi7}4?Ga|bKNx!2Tj(;QKHJfw zDQ{Pl%N3aEa5=x#y6sxTN@3wGW)b7SWV`DXVp1w9^-)HNEDdgFzgZY|F}|?h53iwM`kHNa^24s z734(ed37O&;!>=y8x67QU1X3J_yrY(z=$~ZxPP^2_0wNF@@+QZ9^XRRKdT>_ZL{@8_w9hK#9GCQV0Y~?P;3}Sv zJIWAf?_$S1`mMgw{^1pa!NA$@`BX0l=rxVJZz(vpZwDURtwir$Q1$l{yPj3bt#WS|KVr{G`_A2SnUy|k z`SeGg(u)|^Q565Y$noT<%hj1vx9!Uw&NX+*ya@~0>0)WcdfLkiE76NSm(q7^j02TL z_AO;+=go0(5dlH3y@=n}n)WnFsTG73ZYK28brigpIF^?a<8pIpKYrXV;XX`@1mU09 zSiiJd^tS!eZ?^PwTM`pCIPa#Amp5YIMWkgj67N%W-h3nRcJT6UfY&Kr(?65u>wtPr z9DH0oEstUcb-|Ty@s9_c@5S6p(AV7Q%d)bBvO4>n67V4M<-XP_j~q$u^Glgic}uIE(Rr5Z#zoN|(~&%+ z83?5SP*Bjb!28Bzs6J6?(^PS0(@U!sCieQ>*uXW;T-JmG;x_8Jdrx(Jm*e@WJnBNF zTbhWY^C|1!g^T^ptvek$P<)|To#fi&R9|cpF~mKkRhBs+lQEdQdptfTB+7xx3IbrwkBANzcHnuM!U^KxNf<1Ufk>1 z1Milo0*8#0*@zFozDmXU`EI*BjfFw%e6bkoI66iD-Zm0znH(Dne!-x~TXVEt_Ug-) zZYfbw;=RcZ6;^HCHWP4cdZkY3DJzT)U3Oy`hEs;KBg1UrGi>Uy0>|;zIj`$&<^{&O zGH3^+SeZ)J7r73QZ=W_wzERqHTjQ8E!KI?jM7OYzGS)f5irRIXI3EixTe|Y5Uo6Cj zk3w6n3(Ip5Y02q~&L>o;4`FHXdT3DkKBpoc4pEPey_Y3Qb~j#-?iM+@{UT0^7<5X? z|E$@5K%lZ{X>oDu&a%_Xav)GG??_+yX%UfGg77>lH`y_v#oIpmF_L*dn-M4?k~X~- zTezt@A`=wDc5tg=%J~KDa}}M}A~bzH3U?^$Yx>U4%xw!6y>>xkFw0c|1-bfyx?e?E{W-ff@@{DTHe=| zUQ5%QNqj)g388Ok8Qv9_qxu&)C&YJd;t(>|4l62x!hL@+(4fG$zp=NNW||vjTA2`^ zOtZ^PrnS>6hlMdmN9GVCIIQk4>;irXkF%Ha_4dufg67x>kR8x{FLYrtqw6R*uh|YG z@gt}twMGx&x)nr9Z?%P_*iPntcVcKCE!hAv=0r^B6U%)-aUx1{?N33eb>#e45n&9YPcYK>b$V**P+!neLZOxL)JEa%O4igoOnk z_+X|?x~Ck;G=${pEW&=3mhmYwN+NNDcQHy}+f?=*DBAwaP}gDK1Iw;P_C`Y?!qQlm;^#ffy3e$yp2i93 zyBwCM?**5w2lz81>1MvS#`(40KE0@{Q_|w1{0gJSLNF!2$Ytm(ypL-2jq%7HMnssv z#un{@Q=5o(`}0M@bl7)U`srDEKgD)G6u6L@YO_U_@6@PIRDPLY`RhH-x97)!?!kQp z^*&D}o*jH*xJj_!b4SN*z_}{fhy95Lj!~3XoO)?nEcUQ|c;i;K&39n7yTiP{PbxFw z=M24+WVd9VPoed{5~-xoI$~7LL65y2*Q@QBCxim+(ZeonuNZJ4)!w7^Q~KsU>BKHk z797nfuxHUt{1T;arTMFGpFaKe(7HXXzfUJ|;aR@<7-++strM>j6O~^@RGmao%8aOv z*NCQcJZ1lU?m})xLRneQSi5TIsIsDf5IVob6ZnQ z;zKuUTj$I62bR_coRcJWVI#6oU2ODTRQ6vP%tqADH}_00ydk4L_v-s=CNc5+BuRBn z)H=T;9etN1^??wj>&Ddln~&gO>kf4GOsp2fgQaTrjMm96DpHvm z$8{N2YtF=kSFf6fO4#f2-2WlIv%g&y_Iav*YbyG(m6gkak>sO+yt-9|*x<$^#Qbvw zMG?m*eoLBXjMw;%Uuy6}LI9HC0V{fK@9C{02byXQdQg-%sUQK9cA$IhXD&5z^ROiY zE@H*TDWepG{2sk5TQe2mzU zBNt3edd*^QosW)=PD)FA3*kXy?v2su2zf3QO5bwzeH=cSx~EColfs(!sSJZTiFD?z zO*PNb>SqOtoD(UBSkIm8DW(JA9%jh}){rHUtb}@)R=f7utxc8sp>Ps#7t1& zzXwC>wJAb8MY&OPKWm-iyKzl0p~#(QXVZLDuBW5ZiA77@gFAASqZQiB3(x zhvZdVjXwn9AdqBLm9Qe1nwpj6nZ7+JdgTv3-paE5#!hj&9Wp`gUUsXDF&X;ko8- zE&h+cCg3BIwOy0HY0E6gV3OCDRav6FkW|Bx{J@NRY3biy0KPS@;*w}ThlB)4ob4hB zswYfH$Ys7p?h3!Kj-36HD@W;4!@`WQPkLn_<7Cf;3zFNnC*?Or@=i1!@cKiA)nlfr zq9O$Szz;c&R8~-_G{%;(%>0l}Nj`C+a^ympoxNH{bIB^Mn()O!6H5f^*FlNDjjfWOVTR*TA=K-ONojTHbRp!{RJQq|R#3!opeE z?qUUH0_=y-0B6s?e?Mb~@`%xQy(4;CSZ|LA z8_jX2pFUM_Z`tg_QlL_8X@Ernvur12PWlfT0e?3SH zoNIotv+N-*=9#sMC&+nd7`{daD{yf*13Y9<`WE_b*-7a8)DTH2%V=VFS^0P>$JZ`5 zrn^(`K+@q^T$tT-=AnR$mmDIZGKiMx`C(L@J7>fQsRS3iX!(8)hXxI z%6U*i9vW88BYy76g9x}bxJgScMG?yv`H*$?fKp1q!sfv%lHn1l>#iI);Iu{Ez4&q@ zy<{|f&$W2(?zx`S*u)oWOL82uV-MD5XIn3{3D3;dgt;Uo-F=|Ow_&4@;FUK%u|OKx zFJQL<6lTQp(zx>dpk2g6GYtct-G1(0JQsoEL%fc3=Lbkvbx%ID=_$BoGSNQslxK~1(aiZ7ex|SY3)bO=#)d^x z61&sSF#z4dV8H=wx(n!;RD;n>1Wo3a(ZLIl>l0V(zD_e@9W61ibAEOt3XYu;iF6PZ zUn?}d})=X7WJ5;X>s%xs%{S_sYI}XO&dy#JW-uwlOspSZTGe`<2Q=u!95QI zdk4NA!L&6xtQJVRNf{XxxX=rti*M04JuB}P%@!t_ zm#R(2NiPhdAZz`;?sc8>>D%$tYo)GTQCMR8IQ4+`QfHCz&>wd=(Mf+x-LW0P@E@*Z zV-5XdeW5S8$o9EB;QQjjR{`8eVWUMR7(>W3634uUc3~!?!Dn}F`}MriRI+=3jU-ue za*Fs19ayn;pt@0fTJ`=SlffM823Dx4;+^bcIs&g8*QLLpdeyqI)2COI((ibcY;L=; zjA1PA((>66b~)-_J<|pA{F=U{VY{B)|BlK~jVVUk_WTys4ew2K#C|gwzPSVKcVpyH z2C#+xErN4N;EKuf%1ABw!Yf{F%@8<1F?2;DNW@s1if{w%LbXiR%6v;idwXY(0+J?} zW=cp$)oa-21|_pQ36o;uyVi$);2c8JFW=!#f%LJxgH!I_q3cMt2zF%o{{hpicM|)A ziZ&w}|LF(%FZ`6^JGe3L&iyfu$M!)S>P1PPSU zBuZbX;rAkqG5Z3~LO62>svK4YR8E2bmWH&ZhWThuy5&V8&*-@7E{nhybU^a3m8u}H zr)G&RZtTmK;wNO^6)iB|@N>~Cydo;mM$$yfx9JBO-iK|VzB1pq_Jy1G1bu5>UWq61 zNp|RpWM@&0fPCP)IGlG=i82E=l9W|0Wbrh#DiHNLyGi8=t{g_*oJ_;A!0Jt@qOcZ$ z&)L491TP6$Ktm+s-s_rd8PJjK%!PY4zo1@?%tZVw{`DVyO_+y!^rgkc0=nA%QMsEq z+mZ6j2BM?A<6eOaAHai&`B@sH(#sADiy-6rt`P-1yHO%(8N|6qXVg){roscs5k6Kw zP`7;r_+Y`e)ccDO<4CiGMuB_R*PDox^LannP_gEKoq`TF}fW`M@1=%IsK3aDV?IUNq#l` zp+Q0D*Lib27N#)GGTKLLAb#Gy*R+5ohYkzsULJ2pvSZb~RWXiBqX4XAru`Pp!xtbeo+x4Gy1`+j*#nW8t6WJ>@i@P3zZX9)+^$Wa!}#u-%sZ zr(SC!qSc~*Tr91qd0;#qa{qb?<>33@`O?p2KIuz+{#^{Qog{`6$dG^=nDdXV$tf)8 z#ALu>^X=`3>e~(9j85vEGP}uxn@ZmHzR8QHVd{7xHgen0MAt*E`0BzbgZhW5;#IRk zy7t)Z25NK=(D_MxwzmIHklRjz77=aV5Oc#@e$~M68?-H;n*XClw~sieE=hUR!864e6Yl zGB;B0s5mVZwLb|gQr1?yi#n4n&OwssE0VwihPQERM|jNsvL0cs$phUV%N!PS*?S>6 z5e6Ffmam$~dtdw0*ZV`Hl!bN_Wr;#e)jJVQ?H7gzfW%M?;Gp3?HFqk6J=JNu&PRCw zGW*!35b8z8M!u1B6HH!vJXX7kj02%}?B1R6ZX&;bmmwS~zavGd7L?Tkwo-;!M|t{N zQxVMnn2a1_^6Tp^Wb2X3kMw7K{bRi4h}1R&(<^Rs5+$Wbeuzr<*0vj$(qNl|@qN-Z zq<3U+@aksBv{>{}g3_BI48U!h+F)a1LNu4ggxrmsau`+M#-b;oH0a+iZEKtG>u}J7 z{^U9V?r=TTZTf!R-HW>nsD2@Q2MiU!Rp$o`%q+4pyj`!zedGw97(}S+a9>qnx`Du3 zXq2!3rn3^cat+X_NK7s66V~gs{K80DebbgS)xRo1zsWMb4A78?cgb{+4#n^ZybVlMZTmLxcaV9v zxKcTL*Fj8YU%^e%fK3484;12TjF|#V>MIWW$)(wKqPukL?ay*n(wpfSS5mgy2!zY@afyPK-d(rNjua=8hY(9-hUW>N3iWTVLbuU)U=$0VLWD$ z^ZoVIB;Qu*w4XGIp=RV^XcOFAlp-WSy^IW^MFsP~W)z8}r&UW!dJAvDPg}o3Hxeu^ zURY`l`j1afc2yh07I1NY?5x~&pC5oGB`nQp<>`h zl8B&)fw#+5aP!gj@KPou*VhxB!EmKU)hSfUl)*Xyo`x6Z#jj5v2whs7+)m0(Le#WZ zX^3}K!b}{6N@ruQSa>U>2@*-`WrT!MJ4+{G8hj-F9ama3)WbSCJyL$B)lAfMv%8Rk zWUz;{Rk@#FlajS>5!JSB)bE{So>Dmg%EDN3d#oA*@edhqav1pNp5(?e?5pX@}jkOL4x zCmyA(-^Fa1d&Ah*nGn6|A%PeK(UUBDPcM1AZVu5_@$|fHJtk%TBisSKER47=xGnE1#2Jp8)e7@pAbrC|T>Hy!zA#F+!(HVfSQPoz!! zWFc~Ov55MZGv&VzO-Z;eGn3KuXwrk$7m_7*aJeSBa5YAk-Ndpuq>;8)rmI=9*B z$(nmqzFb3e+2NmN#ZP^nXR34l(LHhKA75lJ;$~i5vX*6{f3UXYKF0uLVY^6-7?T!;dIqlxX%%KJw*B*6OdVt-^u| zvjgB{O*zh`wgh1zeMb~g_`6mk3hv3X+Nw*-$ZVC@;EkPFBj4(hZ#5DD;-K{qESG$tV(I+KcB}y)C3(4{FT9JSllAD)b zAMdvovqIdp*m!n0kc|I>Vj5Ri3c(KozF5+ZkBv3c5|<|GnU=)h2}Ca>3aN~CWn<$q zYc8?`fFm3n5gA(3y_BW}9QH9zd@WGV?I-*W3CsAb9)GouRzids!Si_vhpLtMStEwp ze&;1=ouT>oFJiO5Xjf<9Svi|7lmzyN7TZ}jGfMetfsL_qzUuoQwnuhCnqlI7={nk( zD0myhQi7$0KDZK?lpKrF*qMb_X&^*#{B*Ox@L)uVzV>id6{5gUg*ET+{izNl6w+5T z6&^YX$QYNGM+fmT_(j@?HD;Ir)!Lq$^lFy%y_8p{>5JX2Xl~AgGM%i~;4G!MlO{Vf zE{)K16HG49H@{Gk(4*ag`}a3r>&a^{7UFVrDSp|kM6 zQQ@XmCwZ9{Y)fyf>$1^v<74yVC5%g~%VCJyo&Fb7$u{WhI#j^Q?b+A*^$$$Ex+oeP zBRU%rJT5^^lx;fyOi&NDuX-kLW|^BDGt<+5yJR6ubpC$${OfG9KR?~>I#v3+x6cWc z__7ylCR)F=26ppec{whgzW4PKoMj7Lo~E3RZnqdQT3|owxc*apJyeWvkH*`y*~5Jd z2nXeM4-In=$?CusJ?vALJ(frTJG{yrHahTbAJ0=8$7_AC>n@b}dw)}W;ucoB9k7u@ zQmWtAK+&K5&dA_hF7?Q`$`ozM50Sib-jf$a2?;MrkY_*jf9CfD(%g^=wHaZ(Q_7R6 zCAjO9Y@C+sXubfQ=j=m|gq%2Ob$2`b)=>^QEOb0#(#N|y;q0Iwadoh^QFw05u0+&4 z#mf9j!^#E*?CsQ?ieLNB@of2hLjP9M&#$o&W=AbhVSu7ze7MomV`wGq!Lh^JPPtn_ z%_NP8q#oWIEAyZIL+PFr(S+DCqA_}W*C-{F%$;4v^8!HY;-!% zBwMc>V)4?r@?0-U1;iJ`&ciSHE4)B0{jjU{3Tqo5elnVumml9d_!rV5%)E5+!g6-? z?eT^70%gwBgw;Nk##)HVX81^?8ydJUG0*k7TbVALjTfLXJ#MKfu`!ZK&D*B{_p+M12bdU`70neG3DWaxXGAec&-5luMQ};Nc(=OPW#C&4 zgFa$*FO=9INiNL8-gQY`pFbZ&6&jG& z3_9YTB||P(#jMSHvBc0Zcto(+Q+kq)r+R&CIfBrc#_^3b^Nb&>yYd}SRB?lkG87^b z10X~mIO;$RA6sA>7O6zb^>B}HokZX7F~;OaIIXj?veLJbnz_aZ`@6zf$;+IzGB-el z#;JaGr1?m?uCJ+uvxw~|;Xk%MSQ$Cmjgz=rGPesE_c|Wa`Gal&Tkq*l6tync^z)84 zoJi%+8!57$fL|AGE?uhoxusmb(oZHK&>#|%EF=l502HWq<+lj(p6BqhiD^Fs+h^!# z$N$`)l2TG6c0y^5EFQJkpZ1uht&6Mxh>>vxGdnsQa=})`=2oM=eYMNE@&CrnMfN&K z>l|#Xs}l?xkVdZ$;EP)10-##UmLc+>ETs%Fu@YQ}eBPsbGH^mIF3Kq??Szz_)(jUF z@4EVl?n=^Y<}6dxk?#esWr?8}Ltbm%zVr9?*}VnWb)3?f72~~_G1z5z?%Wc+-$p=({6Pg-q1t0XBIdPT$I-Zy62$^iv#`1Xjqq^)a{%Y=6VONGQ2v*MjciL0bc z{kxokV|Agi!lbjpPjb1G6Ai z{g77lUqr$E6s>aH!#Xx8n4oxIunH1bAhmX9=iu5U_!A#miNn05J66+@D_9v#sTKL| zRYHPxo_&oCjvOiBdl{W=9M;<9BFWii1Wg$vO*J_GCeP2S#dypbGCnBGTrDOn_S}$l z&v^Mu3-flKV>{*MF{rs^hF980JPcOyk~f+=3Tk9`=8{I*&?pO8(xZUKfPqLD!vyYo zB_2ehL|#lIDlCNsCo=JxJvo?AR5W8CZK#Pzn9^{WxSQt{wsDIC&6!05tNw5C?wMI~ zp)J<_v1?iyYpsGCfal0GB(p-X;BAtpk9B=3<11nzz6wp5Z7`|ad3vjXj?8A*o>%8%l z-srEt;@x@oxpgYV&q>dQ)f0W)PALu!GQCg@wJ5?m%qRKt;gF2VP{A(jdX0Zpec%BT z|Hggf^~NuN12@4vm-x{RW>3$hs*;Pl2j=iG z()7gU3tD6{+^qSWU*xt4*t(tCvKOVGrHy?}!Bm9ST>G=$GY8u3Ud;TZJKmWrKNGM2 zXZ~Htd0Zb3?XfJK&>xWNT-^Pvi#~0}P#eBEa4T(A`;Vqi)WB5p=Fj=$uP;wOcOOur zLWzA`6Tf5d27 zyM~-+E7ti=@RH}#`4S2u%n7=|UW5av5wahvyqo}$n*vk8{6kt*-FI_56i#^`A33rjJbi9NpLCm% zymUASNTjVZ5UYGU^}J>~6$vsjqcDY=Sqb71UY`ex1!z<8;A5QiLk|}szJ*%PyZ+qQ@*!kgLM zE&1X_(mL0rxsl&JYw3O;Usl#fI1wU8&)xoYiNmPm^Y;$>{*^0k4C7`$lsI5>)imZp zN{;n|ybfVyO9?*(PV=y|yc&WkR!e4reP;$v>s4#=&uR`uyI4H9)E|ieaYaA#o6s zo}*g}w3%39{@fMSQ|H#eQQ#0$Ya1>zkiUae4P>RAJ9*h;dYmb=Mq}~|-;BCgJ;f=b zVt17t;Ec)RmEqYJ2*O<=8(Zk;GMjMjDd@I77A$A;D<<8~Dd9#7wps+px@w}`ftw6O?aMUpXZnGQ%`l#-!OP>LXh7|{T%N!YI)H0 z*h=y9lPz0gV<*p{VlRIx{xPoe1ru38r&!!teC z)9$tM86JhB5I{f!ZGz(VPe{1{{ed1Ny7t*U^H;j7N&1A~E_Jh%%eu0M5`HAN&i(lI zstgc=Y_*EUIb3Te3J3Rn?&--alr^Ur-OTKx2+zrX4H-Ws^6M2#%f$JZHJVgD!F~f; zoa`(F`S>LEVNqMwxZ3pfzh&MApmK z4MR0$d`rGbxmc;&{GWihmP|jofp#{_@$@OPi^#C1KOzFx(5lPWtRr|LhU39Xt`fR) z5{FeS?Hh_M?;ZQaAsYn0KB;CSp~1(^4{K*?>!|Zj>mGCs7^+bW59za8sZzAJwS|$5 z1#)$Z{y`+O+t@;uzh7e5B~BcsDe-98^=nfE?WLx5s@YPWWh{X#EZgIr>@*r-i8m7^ z9zWW<;fGQ2T`oBvVY!TS?G42F^ZjcPkLtqgdmbrM3}10t>{)AhUZ~HZp!Hh7s*)Ne z$W?Gl+=1^+;hUE^=$WSQDX|J(+QLF57cN%#&?NQ0i4U)nhxx4K_Uc`|kz+_5!4`KVw(^_VQ=-j$lO> zhK0SCDL}aq5*y&o+y3kg z0MAF*urQG4^<0Y!E7y*c@HEb_l*_i?ysk6CpJJepa@Pj8@R@7ZEAn2$dGXdd&lF8@ zRoS@0#F=*wTGN=zh9GFfJ-CKg8ewbs&(3XVP=jSZHD&WR^_DkSmGi1$XjR~yXJa!8 z7W3cZ_swjHcUPEYPNwpE70z=#L(6Du2%b9#rWvoBefaGe2{j7+#U&2MP#_fR-2*2_ z9%P`JN13U;U*I|Ii%%XsGBInSBM<7b4f596czUS8)S&0QJ!`Sx02=JtPk)Qp{1oogBi zUp?a{BhqZPrW=#Vl;rAir|AF-ajor3drDax8Xb#Zk`mNfhN zNUM(U$ML^va4eHU7s~ zmUr_+3SMz6?Tk)p%b0!Pt5ln>{eeIsc2dn@KbN5d-ZGeA6--|Vc_BO0P+soa(Rgme zYwqG3;IXlC8ucFS{V}Cn6O#pWi87k0AIqC(LUxy3iE`DBJXX%+_OJLC`|95YHjVWC zzmti)ZmJk{;Po zOm=cT&A)g7vI>gYt5Yu*%wpM^_!6LhXj_cJ=qB+b27k)&F9(~IF#A$A*>{1_1#KBU z3SB=uB1(9MPMH3Ea#HOB)MH9W9}yieYv`(ms4Gkh;H*z&w1$)F74&|~WzT|b7_!9^ zH|GzFfO?$`FL`ro6ep1g`E8CdU8y{F(+ApHY;fhvYkE zI7}?u4_J*Rl_WD2Bmi`~K0~t;;R~Guy_Mpz4ww0Hsev}1l{|VrwOXIs{zDkZ)h&yGTyizj)y#N6A$vTX zos{>Bu+s!r3yvp}11$(tHqaztlIZh`-mo>~1IjJ9NXUr@VT}L~Y$>TWxANBhvACU@ zI*J}Gm>AflG?EsIG06c@PbTe0M-gCcM#lKoG6V z+bN&2b?7Vv$6JNY{ksdzYVaSdBm3xzyqo)N491EO#UN|p`atV%Z!FO=xPgHyVQr@N zuqlE6YuQ3N_E^LwU#tp1m4TnA7q$JHwO;NRSwOGBiHX}yHaz5n40H|Q+gn)Bz=EmO z1Y$k`?qHI)RxnycfPe9?%>?-$kd6q3qfT#kkDr%ICJO*P`?V-H+Nsy8{*t*uGzhqgx=8WYV+8{ygx2BoFHY zx;by%7iz=AomN{S3w@X*8208c;%+Nh%?P z%t}RMs7Rx!fy_$CT!=_Q=9$c6=GlARtKV<$wf3=}=Xj6zJ)UDf{ZXwIU-$hPuHih- z>$-xJ`*v6@Y601CXkhEQ+(uT9p}Ie1r$yizB6nFz{s{^LiY+uqQ4qqZ_~WV?tBG=1 z3Lk@DLZ0ClN6z-l>^I0IAq(7vf*JXdl*G{EByc?7gdzqqivgdo%qngd#>V_Gb^9iG z+_$a5*wNF~&$jS%wJg$p`Xni$FUj_NaI~&NZduXWuJ>0l6_w;-ug5^p{Vg<< zfbMow6cfMN+y1lV4i?SWSW_Bjloa#07>+FD=V^4x?- zge*RXl#ZqNTpAxciq$EIe`LVG;=i0Xart zj>?m6vcwm?T=?+5WZxx}m=f}OhM*>A5xb)akw;)S@yEARmbe9z)e@^x!!yVA1u60& zxgayW#k~JiZoD*y02vqhyk(mgt{xe~W&c<01}c3uDe{rMlaB=GfrPam)W+A*Eq^?9 zT6lD#s7$-_+>r87y^qdlq_LIb_)s^O>^gu+10Gn>7HUEf#~nn!j))cslE`E&Ek={7 zQ1SE;va3mY?*I}*+rXG3gqC()L{gH+(Yh*}co3>9;W<(+m-+N(X~I0(bKH`?kM?Nh z^mgh!_j{XNea1<6+m_V!qIs$sh)?u+;jxK){jaJ|JQxwEm^piOVDjwN=vQwk^BWr_ zH6$K}yucWR4GMOj$A%r>C-1ZmU32lYM=QNy9#JDZH@}*9s<$O}VOc~34g6y6TvwgH zwD}Fqx7EaP#>alI!qe{BZ$Hh7PF)@>EcA2xj`UbOml39Mz3`qhzq|Wu`ojFLrcg1) z=H-F78%BZXt4aUm4DmQsV$%^u9?o*f8^02yesR|ojZ3@P46g6^U4H(&S+9{z;W{*v zyQ%n@qNGj}?RFazuW?FG(q3~`<19IN69Cq$Q8~JV^YY6zgV*QALoUicbm!f`$P?m` z+_gQb!@|NMR9QtZDSw_`CH7s%``&%%m{@2%%e=5hyl4&cw%2B8t|$7PS-|#teqRSh zA{@S=M;X8=gHehbJ6a!wInH}?9~Na44L)%D@`cL>QKmAP2dgpc)!3DL=vX7SWJ z+b*<7IYcGDa_Q3#bj~~8d^7vl++#`80Dbjes-$dSBnx6@e3-#c`b9&-pE>9Xj(kUH zs`=eJWvtht!|Hh@u?w~*yM4LucI7M%^*mm39P-BSI-tUz1-5kzIF*?oZ?uzRlDJ3!IyeKQ>zH3kMzUMBn>*7haDhGy1>Tg-s z&OA2{u?XJB@LqY+>EL*ojfSj{s5_?HG1)1N9&Hl%PLVH9B|JzZV?LFq^v3K~%bRRA ze3u(8YxI1eClXw!H_NzQg#;!gamQsQ#JNp6J`8vnh)kcV_pM zm@3NpOuoniA7YqnDmY;IW*a`KtQ2&x3qpPlKG&Es9O9UoW4HyyN^wOJn2~F>BUu6pxlik zps}S(h)A{X>aoOdDhPTWoUYns|An(=o;4}X2QPv`v+uOOzm>FQ`IiuTk? zXarrd8z)UXIMrTk0&ezGnajG^*s$dsE2E=V%mn2KlK^d{KkWcPKHFO! zPVVCSv*C)?YEO%<4IP85o_Wj8_i}S(VSD`r3B8={6e%`qJJU|BHEGfP+#p-Q=WnUQAk{u(zXEc!@+3zZ+Qat+W)RDQ6i%f?|n~LEQ!gu z6%WZrw~E?XGAy;fJbF@AWXH}8GpoIC@k?%JAegu|L|?8nICXBj^Dc&|eMgQk5VW-2 z2ASY-x$mp; zw`-nr32_{7epf1flqZX^YjnF(KE6+eMnqQF8tAl23F|KZRYnj@;!d*JV_1&ZE z(1sRK$c?W*Z#OxvdqM3vr=3*L_3Ufx%GaC8M~6kf7MLHVXb-=wgzL~e|B^trv7qEjd*Fy3m$SeU9(-|Z zm*j<=a0Az;v#C)+kEykam9FJ+S(M{s7a@kw)g3;nlt-JvSp=Ua z=r*Pdlgv}5z4Eu;(b=JBBC4A{LbeK{EqHmDcI=aZ z>9rCH-iS|m%iCxib<-Jc*^G>EY~30|mE}dV4}C)R^^MlGcOR3;_Y16x_;}V!J8AFi zvWt_HzCIPYDxL-3bmMijHzwqS!f4PV$|$sd317EY{&zUby%@8&N^GKe#pMXcXP$~r z&Jw@wtbgbl-SxRh_-IS6?mikLtOVO=xA**f9l5wyk7i`F{&iAt3*Ywqr1p%iA*Z6o zB%q|cXA`TOJbLFpwjOn(@l={Q*4{0%8h!0CGWARIoFDUtEBgpCxG0SGW$oSDB))|8 z#vPSMu{uf0@rs<NCu_Y#$94zl|1NW%t z#yQ&1;hyJI)aO*2L`$!R$;jmR_?+7@5{TdKBuGEC|J-3W${OlB?CqAPSu^6FVzWiNQHz3XJ;GU)qrU)-Czn$8Op3{?)h(5CG z1H?TdJEvb9`kjjxi#1jjm^)cqTJxLm)J__JN#bo?$>|?3ZFuIcK6!X@ik2z-ExF-z zt2|XyY}vH61=f-{zq}v1vSdhKT2`|q>fOn+?(-^K z#G^;p7Y;wTiJ?R;_+bjd;K1I`6>{p&Hz&9}c64wsIWy#Z-E|K;&H!%F`!z)Qg*}f% z12;82V^1Z}!-9BDC%=ovw7g_ zh*yQfHt!WUzKMAASNzD-{p04%ER#%P8|Nw`N7sLq$%e-Uiqo`5ll4+lQ%RLgg9m+_ zSuea_4Ido4;P7f#@$k=5$JPsuj_G}y4xYPw*#Ps8?mx(^7WHviNHf;`9Rl63CNuJYtR%ge8SPIuq+i3@wviqMa4L6g-us4${)^;t^)Q9FEc7vWmL!ND=?e9Bc7>KP5K=`{ze zT94E`ysRS<;8IxWO%5TDmAUYq-6=HD=oKXE~3w|R`m_}hOo`)?t~L;UU67bZB9zyCrZv;4n5n*1|rH>Pm?{UiRThBKW1 zNhvR?mvOb@^KDwz|MoAg9JDU~<#n0=$6nX%)BuI_O5vk`8Rx>kt?%AU?1MQ%v(n9~fLAtL?^28g) zP$tB(_p~$ocxB!7?(NK_&rZDckQ`I@$Q|SUT$u~l_N;8 zI7`2MPHdsMIz00Xh;G-oL_k_gTU#JvC#Ls8tsQpMQY=cR?P$Na%yoFb+8ByzinUk<2DB?orvzmQ#$ zyXu(E*s*Ti-q{L|y?y=np>(=5mgI3MC_D+x7hZ6P=wDu0WZ#1ZSgOlXf=9hfi+>I( z9{M%hAZq9a%W+YpA^d*-*tv{d((90m_?KF2Y!SOrS)eQeBTJpb?N(~iwO)2`Nq__5 zepv*zpVEHnd&xRtxy?peLbG{Yo6_W~MC}YpsudKImwT#Y8-*aeCrV zyjZsG)`3~<$QHL1)P4 zo4-^Kn3J&u;&PD@yEAPN;@&A@7DlG@xv#?uK^3P}okos*>ucA0GvgbkYHR6-j=a-X zE>7Mht!kh6_?J{m$MnXRQ%^WmoR*tLFGR)Hfc_v*Ve^#xx{Yl;fEMsvkz% z?*87Q8}IlAUx*0Sb)iLMarX4OQy#7UA17E9aUo#A9cDR|n?!|ORsruJQJ0=ucZ&_a z=G{q~o>mAfYQzIzxL_<_3{w8sxbQe`V6^nuXg&68DAJAk>DN{^Z zZQx`f^oP|jIv#&d-Y?6HpgjeDIH#{gaX43PN_JdNPf|qXMRm3!I5iDJiAPqJMY4II^U^~Bj*YBken1&?t>Fs|0t6d8@@rp{D|2CPvhq?!J!7nt*M4R|JDMGnT}Fd zD%)&Zc`9hgSbJIxO*D^C-NB^?*v2k`N56d0p4tJX!R?XS;Vxv2}_D9$j zIfSQdE?v|^Z!OZ5 z>EEXX@i#m#KFYPQ$^IH0@(ve1VJVu|jNDO^pA>P5MFC*eSr?l^osQ~kP zA#T_=%@8i@wrSpldKElPqGZQ#!?VbBi)18^Si7=irQ8g zTfE)!WYMJO$FXo05z$8YG@MLa-n+$IQtliZ1WtUAV$fc&>*(BstwB*GQL?k`!vhLd zQ3LkzlzZRm#%Ah_ihOTeO-$GJTA3H47u5^0o|(EtYW@^deK}F^>n}~D8tmnuS5-Z@ zO0ZIAFGeGxo(hlynJJJSukPLE1JtyVk$V*@U{APCJf zGDY*ZwyyHNWm-2v)i*N2vhXz1?LeB*0u&DG*yvj5O>Gq z)}4D^$~I)Wn~zK;7o~-fA56O}!uozU;m7C2Zt{>S=)7W!EUldTR+-zDd)fypNtE2g;xERt2?%PM=V&V@0Hh||M-QSdltcxh4 z?t^ryt9ln~Q!6|t+ML*F0!g^j$NyM9vhCjp1j!4A4?@_)9Vo0f)5sx0XtqYTCAQ?_ zipQ%RU0*z(8L8pgI{ljG^Y@m8qW!^xRJ@Lf$;%?wu4RA9omA`_8Y;Z)rwvmQYp^mi zn0~lrFpJs~co$j4)9Ik_NgvK>V964MFC3`TAcHrB(MW@z;EtVMxVU5A&bVPLGQzny z?J1L`pX_#;_QBr=5&%W>0erVv7-?C+>!Bdq|6*1^K*w+sH|gtG-v}2h9Y=?_yOMoK zD}BSf0!k;omo5hkP{dQ^`<4m;A>x>vI6<~7py1ubM9EP5+Bqhe*k#qSeO8T@Wu~q! zkBp`Eiz?_Hgf%&BwIkJz=Urg<0~cSe5Eq*rIX`Lzwr+uO^G=$|h*GuxOlz3Ri9^f_ zzF_;@N#*9u6QTuj%0fcjmH-*H1$5)h3+LOC+TLY777SRlNHVVmIhx`|2 z;87&1u`??tJG#B&rR^)Lw&CRVj>}En;_o$Oh_W(aNP4ASnIg>lg3#%?q#MiE9hYK> zt7BK(J+1oC(Ap$mz2pXZV4pLBn1|Enx? zoH0ZtxB84sfAL2ba`VwFlpEirRg_qK_xT>sFH8$jsU><$EO+4`e)ssV1&ZWnd@OIt z>QOW0LkeEE8;y;Pk(dc2_P-~F7~svW9zA&S*K>r?G_ck68LK!Yoarzz=yML71yHHY zL}9X4KaDtZUWYQy%i|fPIfaoSSM^ips1ZXQE{-n(VrbG-Yc_x9&JhHuCR#;Z$48ui z*7!cED7E&Qq2%}C!!L`c(+?x~B}pxK%+R`%+JoRTfbr7cq2WLo-Z$JMokRX8QmBu5V>3aw zE5d3pYl@R$DjMM2;DKePxsvgZgKvd30 zEXYI;t_w`ckaNM@91WkPc4mgmS4T;Fne92!+9bO7?kK*>+vU^uTf(MFlQ~Rsb7Pfr zoBnFg(uH5WJU;P5oMaLh?!im=*b|ryxeCV$=3i+v3s7UB%O&{cZsEMQ9FYVG{vixs z`)t2oF=LvC;#y)8_{`E$?kyKjK8`)PG02xL_bEe?okIr9ub~*3E1BKvcZT7Gy3QldGS$7u0yfbeO<-K`C`OduU9ZJIOl`8>XokJ;Pa9!go0Q>ED^Zn%h#_>;*1R z@63lw(NIs(5sA8e96&XEm`VS*4l!O-er6Vg;21JYMYy5eHniiS-6SLAu;qa;g74Um zqroh)VguC6|DKefXBHC-YpmWf3d4N!9cV}7c6a+J>?(gY^WBV(TG)17Ps7ad2K$w! zG>Qll!QyenQ|s^q1d&DjaA-s9oy>2^L&Q+Z6XY!hBcpyjeNCw7%J$4iU2i+DVKq3~ ztU5#d8|Yo{sod>6(jTM3o#4#t?gVo167U^p8%w$6@#$R#t$Nj|}zTUXbD!?xPOUH4#dBg2*?g zX_d{3496rk$(-murHE96^Tbg@zSpO?f_gKxa-nC&o09Z}>57QRJ6d8h2M0w-LG&QF zO|2}AGA%#xBunD4JMZZ$)qNfO=d^_7O7veaUhyXEHQ#6p*}}S!93jwVronh`I+B9~ z-Mq;k@gQPArSD%2i+-O?FBF(Rwe#*h4gZWN%~Bwy3=0R+hnXVIHb@}3*)3l7#IS-S zGYC&CPs|c%q~v8JS#v#?fLl<8Ih5dW>3C4 zgzGPT2d2nB{SiS6R`jACnWtx~AsxK$G99H8yfUm#C2!_~kqHAz6?+F!7*Ap)*d!P~ z&AbYzc}TtpNn}LGum14(wx;pokjFe67(hsxNmyT{pxB?ilIM`kFxRn~r6kPgU6dY__`F zC8^rQeJt|U-PZKL{j2)!JsCA$^8>Gx0#k<*Z@m9mBur=aG3_%HM!LFE@K&r7B`T6H zXDN*JnLF+cueAn;Tlq}BA=lnwqjqLi)^0GY2p9b}1d0#6n);!vdOLQUYE6(>8rCp& zbN1)6gpS79ZSFed@UabcP9`s~7$7p@n$*G>R(V#x*$r`OF;1Oko$zgYP;YA7+m#U0126b( zs(mR$sQ+HnjoU9jItNd5!UFDwnI z^WKverVRHx{f6f-!w&~+8W$UC zr*+|7i@A2*#FdIV#8b>icjOF0WMu=Ql+xVWSLw;quO8=iA*(sV<^7WQ@zhp2Z4g%v zBLmrbM}~Jj9~d1~?)UO0;Z+%A{uwzJ8&YEE#SwSz`NTaHzr97KE6=ejG8T&P)E#6Ce75zA7k*pO!b z*W?Ab487d(rikKqw)WYAL4t~h&!$s8;oilH{1&wgNzz&pyMQm0g!xpn%e=`~_EBQ)cMAB+wKeo^>PlVstH8N&Qzx<`B5AKht(?}+lQCs5O!0^&vy!L;*s0>n)i~O5I`$?hu^QcRRsAGmu<;Z=dTQhTfOWx$OMFX8?95spOS=Z>~1JU;oTK zh=TWi2*T^w(hFusF@s^yd+Aw|2655NKi5!CsFs8%fK|kmZiNB_@>(#lliX(mx0|Hs z;NmLg0gHUHwkPvXZDASP$Xp$xy$PCmS(L(v|xXu-#H>QH#PwaZm< zoA}qW&AM)E-FXOmlocdw*(>{-J7e_U)B-zB@)zTN9$$|e#^m%mfy^D75#Ip4}h;=z;CjR$t|&g;4T zAjaHolam=%@ve8@#`%tc&`t~}26T$yc^%zl&bSyyHWJHcbylgElW->nFH$3Dh9Q7b zN#V4eU-idTFHLJn;2eek;%st0!|oJ|fr>2S$uZ`FD0Ugw!W1&@BE5m!UP?dGa4*ja!f5)qQ4;evHX#3_tl0 z(_ei6l!JjX1}amdz9}(GO7a)M^rPKy<$+gLf-Vi%1xNbz>wn&8`Q*ic&aoVmGZtgx zuQ}U`iYC8Ekj zl{7Nq0Uc7wy2%5Q)I>3MxyoO=TDIy za#TY^+{7mc5`E5Y662_8c+_73`6BEAj^YorLd9K;CDajFeSfQmn(!!$bH-Z2Y{W_^ zL3M&#d0uI5#4zLfYW%#~F9N=Ax87NJrYlh_?V@FRAdm$L3F~Dy%ax`1oj6uokcR>< zIf5Jp%BSW4)0@;%Na$GE)P`7lE=ykTTP zohn~ufq{$=d+wW-$hxa8zDcQRZ6&{PLIjOPd684stZavkWWKkDLV&AP|F%i1}Ab{L({zGnmin%p41b!o}IZ3g!$)XimLJLx~ z1TECAkO3iV$ZCJuXE*(a-yQlQ%DppvdT14`^8ClE!i}s`|=uf-84nd+PXZJ zF6U#CF9+P3gEN#C*|@HFkZ5o?W0Nua9XpZH3%tZ})dvL`nUZr3mIfQKV9S^}h z$5KyWFlAO8ayuBz#;4G1;7OaBFMnm>7|K%_&}|msFypbPu`9hdF+7 zZf!i1GFT+dwyvAz>F~ZrjZbnoW;XOBCIAfn@Zk9cDIE81+Z)Ufz!E*`0wqC^t9%^WuUESW|ZYQj`uIG8_hpZ#4q0;IhV$k}=I-e1o zLWk13tvt#Tch#VsIkeNf?)#@&vR!?4Xn5cKRrNIPo|3MVo;m$AMWatiWN1?H9b37| z+Q8s1BS3weq$EZX<4X+CmZ>=VudLE;6CotCBf(2o8332w^CXZZw4eEk76xMU zUa#`39RxXi6EbR?=WiFB7*x!T){l>`BU7s3K)V^O)mNHMIo_=Z(-H?`aBmGG*J@8y zYlm%`w!Z-W#v453O?!J>uGOZvUXCnXjH?FjdEfCn@TSDZDoCZCqGWc`kC{JYMmOl$opslbM`5r<*;v+(N= zKNiMh1B&j$=G1IHWh|xEX0*_C@yckV>`V*&D$jq2i!O>>wy=}FCBSRQ|14p9by{sx z)8N&<2OY2jnh))D2m5WZ-OOhgLyAn;CyU?i)82XZ?oo_hJJ31tDeJ0(Y_g7s$xmu? zNEV;V_F#>&-tDefefay1O$8U;pQXz)8`gKXdv;u(q1VB-@Ql-KA6af~5?YKefJ*aO z@E0FX>4AqYnUBVMduZy+a9d#5LgUq}>hm0@Wa^E2_cXcj97o3pwtcigUg4kKgkG|= zeE&>#O;DgAxWG|^lomX$A0>MqoF6tc(h3!4I*f#3U8&!kI-O2Nd*b?T#Dn3i|UXaA+Pq5 zO{_jYPq_SNnd}(1XI_uNb+IjEB?rKwrt0a&gh3Q2LXCtn1I~~-Nyp{&2uI$I2m_P^ z7XUn-jGUCrY9gAPG-lQVg8&`?h9y5i*HLrf`Gd?2P;-#FSqQ6Y?5tZe`3=O7<_#F+ zt{*)9M)VuqIZpuap-I;JpOGp-Fi^=BGZcCYOFa>zelIO&W@b#`) zCgOzIEjx<3Wr=*`7Dkg}kQunz7&LH1|IYMy2$`O zGxo3k_S746fOo24l0gk)KZNWbQd3P(96<6Qa97ZBM5d*Un2tVrfm~x|WRqVL0BaD# zvR~a^R~$p=mYp4Kq&twPz#|1zEI3q~&SC+a2e@hfvSK6)0PlnBgzCDxP+}9AyF8U_ z(AJm}Wdil~=%VW%&0~~WxiUNDq}we|C{xdUB@pjJK^$vOO5fqyjIaOnF(^1ca0m(( zpxq#;GV(rtB$Wq~OWyGLxBDI+grkjDNJnt88ptOp8me-5ji3CdtXA5V4sWtGT{k23nGQ-q4InHAtWXQA4x@=3@argmXy{fn1Sy?2DJv5KDW!Z6^_QnCK?$Q3p@k(oimfUKsTv^D&K(|l{o@ifH5Ens#9;G*q)WK!HA~L9I`Q?= zLH9-;1T2z!p1Z}5rN&VAHIS0r@sJyQDu^?U!Q?a7Xcsy=@Rc-+rCE2f$L z$*>IfE=D5%x|rM<>o3EXT$GXuAj8rD{$DHObdDa_9o`;`Lnds<{XbtKuFs6P;pNAZ z3}|>~E}tfgD;|9BOBVl9nHDaSqyP@T{(hR;Dm2t*5DXbBuSpS1Y@4ORnS`EElOh6! z4CzK3H<@cgb@3Vb-5O#i3oSyV)gG-I0;L=l_X0J%?8uoo-3uKeE&&owiXh!wi)~b> zJ`?|C%Kjv&V>IcL?0<=7u?yuFXvv%Y@uS&Migw%w{0Qkp^_fmxkX^XVpuI&%TJy*AU1add z-TV(}$Em#x7)81tg=-49qGZ7VIzXYL61gW&pFX7^5MYobIh~^uWF%w-;`Aj5c*v5= z4Ewtn`EvW~PqR9|QRKl_R9dYZkJB(NQIdcv{p)@d8l}E~C>2NTugMbGGOwoK9m0(TXZ0u<5N<`gqpDgr-|4wYUzu{|`0GaBD?uY_v{z&@Est zLyc|(&S~e$2N_E;SKvFimD6SVLWW4zk5F^yNA_>Gx&ec2k=Le~AS~>13mFed=t3T= zM9gMJGW+ps@!}4UawH(>WSy^W`s*$D5br(ji`LLXN7A`?yNsY-`3}Ju1rZ$lXbURx zNT~|Gpc3RO=r8DpZUH_a^+;)!x^En>84#YZ)7XVo-<}E_`FM4DNh?4M>QB-gAr@=v zl9K=9VJAmq&k<_~2&8OgMwT=rn6?r3bkkKd_fyKdEm`31;)oqKt0y@m7~-`5opNIn zaYyW2fLWylsc?ZYhW2_xiDBB$DSkO^4e_*1CdMw-u04Z#cCQgNU~Z`Gh;R--9t5$c%+O4Ci>v>8 z^KMVT$5a{F(sK@m;jRng-8Y&H-S#n|o%`0PPbfx8P(;u^2oOTdu$FNL@vZbbdus1O zpxkSt=UE4!kWL0pfPaP18s#>M*N$_-mIrxENq)Pq2e(skGQRD88Y6@fLfs@&1BDSK zv45KtiI-G$w-H3;ZW|CO@`{T5xTY{PWCiWwA{BG)MF|2}JkzDDsv`Fj<1YeWWQL{> z@Lk>pU|CWo?7tIAC{O;X>z5(rj{hmdShL|p!k%a4j{&`qhaQ!utIF4U!Bn7!lt~L< zN0NahNhYi!YKfHRmkV%Q051dp_^)x99ygN#-~y>zAe5u+xJH1xI^C*OsX<%?kQ68Q z)y33q^UzU#H;MljYLdRq#rZ%|l@K2Z=_ z1i_e@+g20+LIvCdMe2W%lQ?VluI^4(n7?rx*TQBF=eq(LcYLJciE=;2xim}!BY)91 zJRYRb(V9M5L%Zc~f`R@^DLRLRTd|mj4<{5tw@dsgrPS_VHR2&qya~OM5s9_vmllHz z96GdB8{mMB&e+PKb{MJ_B51QW1cmo` zCgLGg;+-yQB+pe<(R0&3g}=zE5i!O9)9@X902>IcPv>tyXwRiQzIJDJcG8dvfSeyL ze{pQHz(F^%%6XzXlllnaw}VgZDPgr86g|)7nP)lhsFzRFqbYh14Q?V1kZ+w7z#l}J z4gI^TL&;jOB0-wcUbX(ntbb|~LPpO3o+Ez}|4Gzg?<~!RdLwT1IM8Q^=@o?8uO=N0 zn|POypntE{SZY|8W z%3qo}JrVhu;s|%vZu@*?KS?Sho`|K)M`<*v6z#bWZnX06Wy+OL4H|M`2O8c#RhY@j z%G!L|{F?%5`PRe+8w(_O%VxSotMA*pjrjR9+Y_tyB5S6}vhEMpEwmO?T{|3I%6D80 zgoh>p3jg4`m2TgQBgVj1k(lbr4NGDcp$nLH61Rq$t{4JU2#X3D!@18f%h85Q=zM7Zub0ky6Fwr{i*=k%s61VHKeCD>ek(jd!nV*n%IxAtWL-QYH)E__P zH_jd=rvDrweW#XMOIt;1FjOe|SI`cXew6_3IP>`EKsFIWC9mCP-Sl6|q^UjDGrOhD zz7XK!n_qMt1J!hkq?$B)GNhb@SdmR4bw!kE>BGFE38sMNRT0dWo>#nw`DT-L_I|RK4BF?ZO+^CdnUro^@Mx_wGTVbCtwqO3nWAc)e#R`RCChu7iuz z^GXjvhIoO0*Rgjmzj!9hi20r>Em=0be72#a4CaTNuAXV@`a z7K&t_DjG(_hYLlo9Td&0LsjPJmQYm>nIBokjXJB&h3tRv!g_yr;j1xiPk`2uo)?L~ zkFJ2VMKWG1f-jZc*CJlVVc9tyH>Tw%%;5Yv-gfm?Q_o18>~ ziWHNKWh^bZ@V8DKIASBvhY%XwKzoeedV{J8=uA-MH*BxSj}aHBeQqUb+JA7AJ}ch* zUaLKkbCS``Tvw?=;A_-2>ui4XIF`c+Tj}E|(!nl#m z8d930|G|NGv%jM^X2-bPeO+c+l${FQBhn|9TS{b_jni}3)N}(hGXgVgk`AY?$e}a| z4iVK6iLo?BS`G}Pshyi}ZyetPETcUsj~jE{H^EQDx{;jPByS?j?W)ZDBi7QrC8v0&j-3|P;w2J}1f%Rb8UaT6~lZox-{H3WqyT{4S z3pwVf0AyC&p6k}+75wuBWc8IzO=U#TbJde7r_0~c%e#KZB`fUBK_Ma1t|C{LQK|o) zZ>1>daQzm0y)x!|+HtvhClV6*!+~Zly5m0og~~)#6e&NWx|-TR?fFDG;BEx1I*lh{ z_JyMIb;DL3uMCRo^WU7J zcNPw*sWOUAk4U3QI1^Xa@oa9cEIRb`CwMd0Y}P|RKHqu%+@+J1rz|6qoisYX9Ggy3 zW|EfT9DHyfvd?5U9mOXdHugBSUaMW^_B`K8?Hl|X)fdF;)%86Y_Gi%kc=IOoF%Nf3 zoA}jyC%y1&m3tNko2T{iG=!FA_ns3|3Jo89CpH=_M>HoZFm!Qj?(V-s?UecE2s@GX z;cHT8a7p#+*S5m)A*!M)bAjt>YD$?ZWh)H!TWL~zhJ=8YYOYkLX#c%oyxd0RC9CP` z-0PKFzkH?A!xd?MZNE5vxY8}UwVILUoo(Ub!{~KIj^uxZJ&g9%>MJi#+Wobd_siK2 zm=eA|T{XL{&1j?P3}ybui9E%f{XZthHxUu-zs|;Nd%@=YDlU#z;mb#pxgZH<-_1+l zJW}~MRo#~M+`6OW>zw;koU412W6|P+2f9&8nKIJJn>jJE^6pi3g5mjrY{|B*S#Kh8uQ>N$wVC*ibBc}h zBVQ~thS^<3+sqnf>UfBNwA2r8$9l?jev;+vqo2_({P#uWmpKJuL7 z37Q!u(rO0;e4l9zz@4wW=`uF0!XaaYnPVCFQ>cb^Sywd}b_n z$@u{Xr{#Ebxi?nXtM%=|M2zgq(YW-wIY+OW%l7k6cuHz!D0vNO7<2b?2UZ;TlLb|J zkEN3&Pf5(Eet_8I?wXpVwOt^2_By*Rm5X5aK0}Em;%hLUa$wlnYKSsFMHr{5#BJkq zX<9}3T{q3WJ%&#Fs{<1#f&+9!aYLMTIm6Bh*=_pz`Z2MYfx_BJFQ;u@RI{v}+_FUQ zPHqs6F18Q6>m&Ordy(?|igTfvu+ks67QZ{@|J$wo*@+VWe=rh!e75|56-@spjnVvH zD%|-FkQMfS`}IHc5#kppcxnHazsjOD>M8&Em?!?PdDHn<@sv!HcSAOGWfuPdgZ}z` zZ`z+?_f-+|g{6W2?Z5rS5TS&I%CBfV<$%|}cR}_vLX>!S9WUN4y=xA+>=Rrm=MsLn z%p2=AT6sI6KQP6O$fG(BrMC}C+Rt-tpJUsY6cXBYJMYsPn1-mn*Vi>qOI?wv;0Wix z?r?CcKld^xp4TF79)li={LT6HH1 zXSQsLHB9(3oWa5G`r98qo@xK2xQe~^P*vaVB01>y4eiers}Bx}KS>sJ-hsz@=t?Ij zt-ZH%D)4rj`+~>ggO$5)3GdM8Xj{>WOxF%ej6Kz1xN<5o=IC55my{-&j}~{Ee^cKg zXSnQm)MuSHqj0bH?XOexqK2-Yh@cWKnd@Ur&T4XcqPhD!%`%T~Z_d?UZXJ}yAo4>6 zd|NI}&R#CPc78-|YtIWwH-^fTvevATj`}3#fq`YsZ1?x6bcP;#EShTvRU2NcJN}!| z_PUIvId$zeYf1udXQI*^yJe7lSb{yFGI7P!TJEEkLo_9Rn#Rq0cK1Wvt{*Owb=CBP zcPhwDLVcpMT3)4<&>x$@{Bi7)E)gbpaE~ZSm)$;BrSNjkwqmO3rrmuJQ-@E<#?vXZFciL^<$FoIZUHD>eto|b8!`n zkQ`GgcdO2e$M+hG?ePa46r%I*8y9DQi=4wN=KH(h;{n&wO?AEAb8RUa>s2bXm(ORaN7wHH9{nmIhO_ zL@C+&n1>sr9bX-ydi%+qkWteJPhXA18M4K==gzA~G#uDjb-<1M(A zY`xp1s)$BM1TQUB-~|qYj`9h88=J|f^3o$|YEzi-&2v>-uy}|=_(tp3UQ9Kp&o+}H zcm)nHemOhQ8aHx3*^s|JuVPq~)zIt6;6AHC`|f%FQ_;n?ZsXgTZ?$F_4m0U6?0;$} z&T=GcIWTAG*V85I)bSCSVC`n5o@GTW>~jeh<9f4#9wlSL3)9J?ad8W$ZDdaT%PyD> zzPv^u$-O0FsVD4JW!Lpjmx{7iGw;T?DG@r?NBCF{7v>+d;C6U5dbIB@+@j-2Xe0pADQ=gno-oeV3QPL)A5?VPs!lcmA?#xvcR_=bgsOpHKi zdsh?XdD{;Uzhoq6 zSa2$Q*EvwA{z`-@2hq&X@irQSCX5!uxOF?qX^XCX`uhIh;}Ab{{|e^w&uMWZZu+n_ zi$2t~tf`g#)cA^i4ZUCC_enQYNZIIwW0=mXN~u)UJUv(X2S)-i9K@R#!<9fVx6XJX zDk#*D*F74g)X4%}#G#(Uyn97XrB=Dm#j@jmMIo^JMt9cp=0kIu;fWH;{G03ZshR(+ z1$bzl!plbui?cDIq)AFLD03&*r}qUZ;#<~Mgdd;?Qhe~!vcLY_K6*riF$r!ru^i+b zYj5a)=CWh*oY7W__I$gJ`0tJ~0$zcYmDw9$F#N!prYs`{O}R9&-+S0ObSiLiexPEW zI=ZYn`cp$&AA-WI2`lWLgB6{4MOcXTE-88ok9yumA3WaldMopb0;kT8mnK-d&p6tv@H%UsmxBS*yZFWM7+$ZC-C& z%>9e|t9Na|<_7OyESLODJ0oGto~2UU#?TA>x&q}7zQiu^0T+?Gy0>S$?>_G2xpfOu zYw1>=J8421XEG-t6*6U>$IQdecU=GBe(w8z zp7(v9wZ8R!@4MD#wNm{2T-SB(bMIpx``G*BHmfSi`)q}=rwBOfMYp=UMYXpsS-iGZ zBV(Lc`uDRf0OIRKF}#ld6~_KIxF1>C!b_ozj1cqmW`SRWaM#D;@?{zVLCCnMG_J!P zAr7V}tyWoV30UYnpTalj*-Ve1*_58^m*sP=t?H{3w#Bix){-{l4~#l&9^}szx0`s) zGj>+Qp3v6WrV&y#F*)~psm{Qymj90$$Ndb4xgD@S@(`0*^`ciVB8^+I$8en-bsMCY zZe+}U?;CRSzMD&j$AhhP7Ypo6$yv=E$3afqjdUq%w~;X3fADV6e5gX4)2ubGmEj-j zQv2S+^(UW-^K4z|`eRS~{9iQ75B+?(8g?A{{2a?>_~>#42hORf>h)7Wn~9Ve_Is|g zoQ$U32)HNDFRVZl7%XblGuG=lCR>@MwvyqBMfWF7EF1`qIiUj{?eS6V#0JJ|+EXm+ z?yvBoslJsg*EaP+X78cfUWTuSKQj-8VcGU^(eb2Nz8>@p9uzi%ffZ4t=cg}=<0SNh zhMs9BJd`TGnW-9Ej===g^sPF1xIEm__Ky9Yu0<#$_4Bd|v7eSf9blS411hfksB1aQt? z01u&KlbW9^E5(`P*i=7IY8Te!=Gyz`s|C-O4f*>IGIbp|Fkd#OcI0GX5h=9_&_!-N z&YQi{ogZniacB&|Y&#ThXEv_@-?H)Ta9lK9+BO=m-y9x)840J<)&n;W5s8-79^)Yv zQjVS9V@$_wa-;YIdw4nae|(q~r9Q}igm~&Sv;tScW)hrB8JtPWSrkJUkLb?Gt?aKX zslWFygf7k}y`%lbYF76o{B9g%goS-U8;1PSukC$d$yuWB{TCg#HwA2;U&z+K7b4)ht zL$jk-5ls*t<3!88eM<+^Uri@9)3z--nA#FDJ1<<1_^ynOTdb-^*bk=cmVNv7JykGa z1nw(gIOv-Gh`f`TMw{XW8zr(FyOWIj_w(vs>1$K{!d|jVzU<+=OFeYQ`rnhG9^0}{ z3zTv?bn8(Uv`=5W0+B}b(?}iD`Ma_WFCO%q(1xX@Sq*!(v{v;NWKm_he#cl)f9p52 z+!pTB!`w2ryPm{dicsl4T(2l+Kz%|$=+Lb(TehsME~WS!UB*rvaM}Ovw5Cq#(OZcU zF7p)+DTIUs`cznC>l^22@px)5!(iEtwD9d739YCipX2d~d$*Tu%2hqo4<@FaV`|f` z;Oy3VotD;%J1%(k@{?WH#%+|W^%NB4&*i9!_TO{w8%s3t^(7ML?{`dHr!v&m=D?o2 zqh(*F@!~d4Lcl8e4JX;u6~^jDnQ(-P<`BRNa7XNA#d}voD0vRPhl}$2fM*>Aa$c^j zoAd|3fDzq4Ks=~>mbG168oh=|QDb!%mp2R#4=dxS1wO@h%1VaOtL*gL*{RBi6OmJ= z9Nt;>4%wWFoZ?RQq470eybP`3*pTf>oD}RabX+jPuDJS-5vOItrR16)xohVnlK(4V z>u*s%!q(APYLVfPyz|(Jn!jUc z3rObTFO{`^xOU`9+e@{%$~6fc?U|^IMs^TUcgcehMQJKW&iq0YG2fS?XFX#}W$3C( zhut9K***g>qvJufIY9p|%LSWP&O-@LuEKxn1m~UJQ!Q}DUM*`Ie}zmgsGE}?@YTVMfFy3F=fJY zIqKv5)Wl+}h|4v@a9ook8yiaH^VyaA+~{HJRroIWDPn+=@g3DA?)V!FOA#d7 zHQr>#KbQcxSt2)_U+wK(I5Cm^w97@0w!_ro7M$zdI{k#JJ-?g6-z`G%SVGh*xv{-^BBJ$4Jww0xRkM!CXTLjS zVz%%i!@eFEs17j27I%2GB>`Ai02m9bPR4Y-j{3^2)!?rTe?J)p?C@xqS_w>oTb7fP zQ{kPK1ae+(xKE>`bjx!|jd3K+s-LM-Nd1h!_9I*k!)*y4mnjKr_Jpjd4y&ZnH;z~% zD!L=b`PIktwog+ylC6IHclC~xwCUhhedIo#bjZoEMA;pw01UtlYjH|#TVU7?;Izk1 zqwPQWw;mToIVmAEH3&0N%m2LOgG@liHA*HPTbAr;@JzTw0%?lD;(=No_*3~h7X1{Hd%em zhe!lR3TicCQi}^@;@7LDGVb9$@X4!{<#~^eYpLJ7;%Ld$wic5)JijzYDGxJ@?ijaRu zbpw(ygH=m0mMa)Xz0niNADH~XxYK$e3&*9hx13(N;OqLsL4kFX>jc*(>p>E99NOn@)lhM3AVf~b<+rrC; z?=4D5D-z{S@-1%%>|GVg8;A=*X2*#@3M=CMpc#^!#bnx@H6&*h?M~Gda%}qdtJ-S} zjc%)vF!t>i>EwlP&z{mf+<@)msA=7w?#dnTc02F+z$@f>pbk(x>!>Ul zQiW~zx=+iY^R0nlaw8OHmxpKPL(WD}kSGflY}=msrtgP6$%GB3?Y;MSlZQWi*LppX zs}1Z(V1q(fvM;P8x~IxdI0jC>$dEe(A4DSUxWf)lr60I+XHaG`^SE=CCNFWy(}o`! zyoCnPSL1VQiFieSrDbos=|Kbkl86k(U0x=3JnlY2)KWOg$ls6w2 zKIp`n+l-#bN!xch$ocuQJKWG6t?MRl03yL}0lD&&Ua+5@T-M>THlXF-t1ZGlcu&9{ zEOf@Jru@4ml{a4fK-52Uw_-MakpCqG$IQKnJAO;rrZhr~+{x0)OM9LlYw;UZ#Zk#= zY11tAEy(i6c!w=Ez;E#CONUf}aF>mcdy%9Qs|?m$>Q#2roXz9pHV!jb16s1%EEig% zzSO>WI336c4@NTL52y00r@sFhj;by?5vGD8#;$26V#cf!PeRyV{G)kdKI9Is4jyt> z?0PE4ucp@$Ch_Gt9nz%ww$BI5bvBc(0Q-sGwT{wLDn{^RlN53}FWY}baz{v(61FdJ z8lgy*%))v{N5@z12NZBnOdvR<#B*~iC}rUG(U5TWPj-97Fz+VI>l%O4s9{Wa4q=ZD z5RG9vnTqkQ|Ey^@fu{Yhg!PY4_cvhX?B72~e(pN-k8SoQsJZvXsY{co)W|A*e< z!e?qF_W$9>6OG8kmH&FDA^+Bh@PF=3CyzW^@oRaZ_~<~!h~z)5Mu6xa3nxw$t&lX) z`ETEggOA;#;Ca1GT#u_)PjLPPIrTvhdPF*Q|85f-+P~k&{Vh4Y6|fjMOy;Dm>1U^6 zi_`<7{XXCkd3zeI_JElcG&(-Dd-UIV76`9xf4e7jHKO!c8aZR==XtMa@Y3F$iDE9S#75j5P$|RNYV+y} zpC`cvzb4LIR}j7Ev?F|Gl64F2@NA=xYRV9}AJQ`oEnv1YklKdfw|}+5++WL|v$ke@ z4V5UnFw!-6=4-AC>wm}VXHy|P|5)B|G7cREhZ=IWfrt6_Ks~4R>(@0$B2@udQPuFz zn7zr;a$<7)4zi&MVNk0iP96`aZvl|I9-Uq;~ICtT@ z&idRl&4=Zm7d^t$iK^xQdr~ot;Y~e+(I0=)qSz>}Bh?eR-;g8^6>(s4H^b zh=H0~nFZBWA{^&ZVfCxdr*$4_Ic=rZ6ekmUwJ1&;{1{n1!7K3t0HG(A5=|SXf*wD4 zA|8I~-3hI?^nL8250vE>CO=%<5q)L{=9#*+WjTJDX{_{Ij`^79K9Rpw{ftq)SodOC zkmfe=VE?0A=x%m*?>M7{!Rhv@M+QAfB-+t5dMM`@nEk`tORjMVuuVLDJUrW|oOLc` z>VSP8dqkUXoK~g_eEp2RW6;ed?m~*YwNvIS_pWmZcIOj>kwwexdouV?+IQn5QYfDS z`$R;RAfx5$1}xm{b0}aPDxgT81Bm-1JR%75Ld5y0K`*_TS3u+az=l;yc5e>L1V)gyP5WWoxyph)P&Rw|ACQq z6TrATWZiru9aG9x@C9&cu^C1<{rauo*x<-WVdz~NL}lB|TsRc2K|4f-GPh7Caxz1R6MDcozrGJc(3} z^Bi*X^&;4whz&FK&d;BjEmJ%rbLCLzo)Ar(k)V0_$o-FHWJFB<=&Zw{!e%qF(j zYlAYuwz~RuluWODc4I`-7;+TjEO693pFfo(m-eob`hqHy(f)(<*1;8V5UYe4Uj9mp z>a{VP959SbY_(}J$~L^`-WY(K#rAV@3Q{JVy9XReE*H9ua&TJtr;#ExJhUTFnt)r` ze(qAf+xNThXD4kZM94}a=y&gFmkU&e_=gTN3#kL})9M0`aJc0O>5+l+ZuVA(5aj|# z2GSg?8lT@rz4O}-h5dL0vFgVT!6CnXJz{%JR068KUzxUAz1g7;3(NYMR36Hl(hyI!(-?xM#!kGJ*sOYZh$#Vbyn=FS>@s7`{j;g(o-%jVo?$1-e#{Q|! zG+ExA;*LLeo@P z_$Vl9vI@-$qNIoP{D5fxSoB-16{`UXJ}~hf0{N%1v}rXloV&7%PvN%r*-Y$k*xYp- z(sR#Fj4bS+E{MXXS8JWdir{HNY-UUnMa)9viF56>GGsNm=b+5+Pltc1%6tjDFR+ml z-n4i=YL?Cjnkb*)pUB9_v<3`I?6JcrJGQrP%8a>!J0~yB#DJa5jo}I6N<{6{mp*NH@|sIxxcTk zcr!nZNAo>urIAx-@Q7oRmNOJA-55~-R#S^HKI=MTkZ+I`;oJhYC6%mXLzH+MzY0cD zGWbM`<dO*}zXSg5Hc{n6dTKgbFQ@zacMVAS)MnKc?r+qPffdkER zZ7LjbnLa_X-z2}yBchP;o9#CQPX{ea?#Fsg<{h+2Xzm#O`i3I8(9tnZlX>qR#g207 z)S0m{5-4xtNR?4{D;q(55QO2=-W>!8>X2p#8+IzQ-?`)}JaAp~6Y*>DR@-0ZbQ^VV zrf#Aje&0fg&3iBx+6m7~@j54 z++LLMA0BRW{MkQ$ZtX|~<2bH#7lwb={j6~)lx9)tVJMR!!+!+|P*S{H1_`g($Hum3 zfsHyhv*Q)~y-Ya5;f)Vg?pGRV#SxAhI&3}wz7liSbg)RXM_POuj|g(7k`T#uB6iy} zowRTHzVV$%w0Y7Hg*GDh{HN#h;<^IEWJI&_crx})UzU6N zc+g?!WAZJI@Y-uof_y}+&_`)~pN$?GOV6D|NpNr%;h@=@{eso3EIKz*Ii>mMleDJ( z(Tv=X@xlcgenk-Kr&4Y*fiQyhBida=+-&suhI{ANNfC?k4ayoICg) zT$w^ahDIsihg$8M_?OA~M*@CSzFN2{IPdU3;^WC9$2wUkRG)|%h0>O!#T)sdpVPNd z7ku}v7?b84hpdO?K!6aT3*Jwd^+B-%PLb*G?Rk~vf`vroicyp-H>2pAtC=leUV#uuISTfpPfM`L z+)8+8JMWs-1LF+_qQlVJB>jr9OJa5P2C%G|v8aZEj1(|T_9cg`Jd8B>kt zg>V|(_JKS88k|>`OjH>OHMMRnFFMBPu~E+%A3Hjx_hX97kq3;8J<+Rs+Gy#Ti-*<| z`F#>K$vRzGetsYhmRh>`6lh`ndlp~p@PjYyXurM1E~eN?jDY{W%0?i_dlXQJ2|A*Pe$eVv_0T@pX#RUR`CR(WoA~!Nh zZp0$VMPN`RdCp@z;d013KGM9yPW}a#7%?&H8;EEMQL+V~u@U$FdXQ4qE{>k9r-~c8*mNRS=NeyBz;tHlx z-Lmuy=sp7^3vtOFo5n!Wv*{TCBCsDSjfjjq{msaxQR3SlwI1pnm2_rKJJhpP%PBKYwvVaRst_fMVyRtd-C?{E~Iq0gob_R>=4Ia`WU`H)trp4M6cy z=%;x^XIXpOyO~L4B-c1c7rD>w4t6guc|Ht)WI{;*9WkUP%uj35b!Rd&l2|g|0yams zOJWTqFq(_j&=C8;2Y5hz5QeJYY^GCY`6SmQ04G|Wq!r`w{ znOE4^^OKAEMiNwj&-L>@0uLYq_G>fMMh8JqQZ_I<>Mcp=DhQ)nXfwxvQ?yo`xE4cC zMr$!svbtmllthX`n9?u*%wZs_1UVgIKljQRu3A+JsPZ3-Z6iipYzWJ@<&3e8rDyz4 zbiUrX{|=phKi4w0u*752hxBv}hbmKk*78>O=ec`76n3k-yopvsYP~*ggmz5`$F1+a z6SEqP`F#74y2Prr-i+`skyx?9#OT7%y||w*zPn2Z*I%kPDjHt9vF*Z#Fs6VXmgQo* zoy>+fT7u>_-0g6qnULjgaBPMhz%h)?JFZ1mikdCoRd;dyU4;;oI}UwmP=sJI09>lNTGcFQ-T`7Wa&|JN9JO$;*K-g!pa91#;O%-gcLOlyRZ#)G06+ba?4b;yQ2KOzIHuu4EpI~Xi2ERtDQfx<+ z^au!Hs6(n~2{1Jzi@a`19C4BA(2)vJmGt(euUGe4rMFy<45UNMkZywEg%YX5BX}Zer)$2JP#R+osYBZuL_^ z>Yjwm&#yn;ehiT|Imv-Rb@?H$JT@GEYh5xE`Q1VVGluUBT7$%x4ZNDlz{~rRF(IVN zbl2`&o|C*^bVPm#1dmERJ2>;iTXw{?9zA$5mb{`@~S_MerC|68@}|7%6P2|Mv2@qhT?#(hilUk|ElUV)Pk{`uqo zGu6Jr_T9uM#iR)f-I=F<>(lYMlpQv!@hO-%6Q(m~_g{T)&A(hR_sjo^^N*+<92l5y z2vOPiL2&jAZ8mFEkEB}z8F#bk~3+yUX zLN3RCIFh&kLRWoZ@%*)r|AA@+6Ez%=krfjzGOllFkWDM}7zm6CsTPci{&$g0fg=?1*HB{+Vq% zPUYE@F|y??e6gG3+IgnDI(V6PUBt)sqEB;1M)vOBl^h1xJ@#7>u6gnl&2Ecu+CPIg zgkXv&&-a7?^+jH_ags4=r{nvqL9Bw%4K&Zz&oSq&9qsY?f$6HLidJ3-;G~b0kYWca z<9AKwad>tt!#!K~m_hzYZ~+UO(;q8{qpC{E(RVxcCXOxv>0;X1wWxU-YUQNO*5B`q z_K%DpO@;o!uzUuyk4a(tXbR=Jb?{@b`yQj+e>on7-TyDE0V~jU6Kgd1`@dHZK!t#o z_)p?^V?R%3;uoYpq(<(y-u6tF4X~bs{Aahq_PpIV73_c!A*&$F(apTp(k~T15O{a~ zj|D@2M)RgQh@YWi$2gIecS=ZX2(PV<8l=uMA;bSu_RI;8;ShE5UkxLE9jM&`!2v%)`iwZJFj zNEmF|mRK36rB=yt;@z2T!l!8+{Mjo6Lfx-5O0hvZZ~Em-o=uBf_rg$j{<5Y~o5EZh z>(=*)mcjOv&axekf-62tbZ%gJrGqx8A>BKmsS(Qdj2=@CHPpr+X`+dIu^DA$qakF zuX3jSR8|I~!xk(3^`N!#>*ncBsmVcTGL{>RK5z14{+rt)Nyvy+q|kX`p^yo%{f4|v z>1!Vwm0^3PKgdBE^khNcr`^1{ve|PLm?PBb1i{;Fv%ZS6PybfXvk)UcU%p$l2(=?A z>i*fJ*A@*~57~`)T-?C7p41f>%+U}M6=mV(RT-j})6E^7vtxN6O)SYldJWbdKzcu( z4OtlcT@xIrx0QE>Hs)$ULkd{=%qfpVP+my=0WP`}W^CMeFM|XaCzV+PsfqhHN z;26AkiY@l#ytJ-6u`oH2U@L)`NO(bEvw!FToBCh{B))s=W__$C11Q`ft``82An>DpQ>@I7 zRz~RG4>>rwEFIbo*7Jx}9auit94R`7P^S=$c;+Qe6K4eWTyE`2)L39zTm$_ZZ`RjI zY0mp;CQL+lZX^u|Vv@Vxu*X{STQ-tsvGsZ%@isa?DLa*wvODXV8d1MZf&) z-8&pp217r9Ma9`#ERbn`L^l=cEzqJuQcHSXW=E#Hw@%Z!1OZnK<3b^B>$ObVskyXK z1C&t6qBLqwft_3%|J(@IJo&c}E9RAzv|Hr!gk3Sd)igJwaTRg=xHu`qhj`8UwjL}K zx1Pf5de3z;KfKrl{s-r6MX^Ic9i!+2-_z%y2Zi$v>H;)1!h5p;|C26p-H%w$-VNqK z7F}}4pqLk=62BLBcUZzO?20ag4;cjA8EG7X&1BIN0m(gRcG&}&7MVM2&Hi_#zN29a za#7ropV-4aR?U8h=7fE{-E@dB%8f7~Qk;(NtF>U;vfQ4#jVWkqE3OmW%TZQrf(s!r zD9U)9P&KI!5?;|Ib~Q6@58N_NMwAUCgbA) z*#DEL>afu;N{2tiFbH}PhB8e;Mxu+RD^VSc=%P#A9qIxEdZY7s%l}2)fQ*2kki7B> z?~uMrM`T;xgpc{z{C$_1pc8F=1ZGgvVIfDsg%vv+6d@zDni>Vjc*r0FmkwPNkGKqE zsuF)RLjfz_Pur<%RgYF&?51Cdxmf7L_TDqW3nqI)B;8AS&;_Hc??DBueG6PjN>{yk zF1ohF!SD-=`-I^M3LbOVjTpWW77e2J9+cg1Yf7X2KIm7G9F5stcYkS+1)O8yP2W6o z%Rwci_E<5LFb^SdFOhZqulf#TY+xZ+d^?oTNNEqsF!U~b{iBh&xymEoU(K`ppd{|M zyF3e79xxPHw*bI6$i#v!^o~(+>=@PGfuQ$Dfe>!}0>2z?oumD)9tb*#MYFe%;vpL% zI|6XCY=L7>!kO^X~j7E)m!Z$6TrL$k1fQU zY2k@>j$fPv?TXtd2$4#LHPviJP;@g=eLVpw6$#<^rC$^Gve#?E@mUTj#=~u(ep@3I z-6ZLn{y#5f82?qwV7wj?lU4n9dE)oP+81eea8SSw38z=l@WU2J z_{jPvS)|a0^BG=!p&p$FN6no?K&L_ zL^8Ic1GfXttN4$D(;-1H+I^4(V~-ZoaBD0-%6^*GXjM*`x?_Ib1J(k@pkmbJ9C|fa zn|9YgRMOeNY!XQJq9O)XUZCE%oaX^5ZzAv|v5}6QYvDuj0$D|IoNvDO`%~rUfx&js zbKx_8v1jZK5Mj_lVubA1sWq78l{Ea9l{F|;Lswd^!Is-Vapx3-3BXIa$R8V>R2WM}4T%Lf>^gT&$xV2B@)h?)p$&E!sY*kIvF z?fffXl{PJ%7s+Eq^$$5zt#T6%5!?{j>=CPwQWGrN$6qRUr)f|eF!rC{%#sB*or-O~B&m{`PzV|q3UtB&Wo zO#NgaK_aOde-an(aTE1Y7|y|2bEY}m_4Ev!2fXIuhI`p}(Xs%o6%{`{=EK(MQUXUD z6hZE6_wYuP@EnO;KFE5vQ5qtdHGfwMo z4`i(+DJhffP3N0>_$uf&F6+IaeD%z=TK>YxN&H;8y7S0328eY>c6gxUT7;zCV>UABXuq?g&rz#6$K8_?$n|=28#3EaH z%%I^SewJnIePTeM)_^HEf`l$wYmve-@yV~hUTscYz!vi$5qEj4$>zox%@+QvA+UfV zX6D$w1FXcq7Fve?EVOL3-o@CngNOx~Z{B=2P*14zJIWeQu0y6}JL-{InKVyZf7xb9 z3uiv{_+aA1lZ}5hI(WHxPk;m;&l?y}^&6}Cu8`{FptP`@?qsTQQg3N~)bm$!Xv`JI z_a37qna<*^1HVV!D|~;`uyV(#8~t~<1^qT%55MClLuayUzshD7RUAZSZu{}9WT}9~ z3+CGJh;4U1NA9ZW{GHtpuQJNFf7cEd1x<}hGjE*|T3cKh+RWlcx#iX&imo9bkaPO> z{d;AnOZN07>S}45cgZyxVX~t$J6B}o`7m-^x_cza;#BO4)zdBX^xugbm(zMHGhEXd zF(@g4E8Q%J5py@?UPsLgpy|R#Gv-_8+}wbPlX7+YiE2&VV>I{fwdAS&s4gn1(#eqF{r-KoZKm!WKK|Z%f@k-&7g_vzuGx zGm^M%)ZXE+*=?V;g8K3EVv0?Gd9OH+WdH?>JQ35)_BhSjr!jj?Osd|dc+580RPgTG zp{5B5Ig15%&|t^573ceW8#v}tMR;tj7deCI|X=WWQ3 ztIX1yhPUO}uJ$W@edOikB!|L&2ijePcAS1xe`JQP*fv_$qoayr^9rL+9$9=*rsUme ztC`_CTdorla5uH_&PyKg(cV$5grbf&x%n}EQIAK9Q6kw_*VyRWu{KyjzFB1EC8H@p z8^h7eP@ps;&7gE(mB3AA{1vvw^BvV}-e*N6OM?1dvTMoE1t%I?+_T%`r_|XkfjEuK za7_TuJ*wHVs=X)Zg>;veXyxSeO}gKwN^lnavX#O7u!9W+8`~FJ0w@4Je_fED$BGRbHrSv z_L)&yX>cWDzl>y|gO=Q+z?Jl{)7wJ`%@A8EwIUX4S&4yAe@WJ;NK94I2-EzCtC+d6 zL)??T#PH*f;p{HiVvl2<%{ktB*`AEo-1myIPw_NO7$!Lw4W`K-=Z;oN;FWn#wW^P7 zP%dqmpUO3DPBfB>)qS^n=<4v-b_{!^3s&>dPB=p&zE97m$CTH?(s6d)a!OuLFSl1G zTMOcH{j+hqh}Cm@e^nDJzG?najIH=s`CJ>>fp2qgnmBEEU4QZCo3g8dIQ=c_Z6a{` zvT9)H32k~_na$N<*(OZ7VjR}Z8E?)~W#or5!)8C^=_ik<-c-F?66UFJ0Hbl)#r1qO zZG;{Y1NxrVwydCIx#v$*=HcC|^wV zAUd_zoHpP5z!Zg*MahAIf%};rk;lRs@nt-n&_!xgr!sw>KJA;>Lu-gh`)`-F=Pnbt z24_md(Y&^K2HCz89ovqsv(G%{&vsvV=2FmZYo52WRt!f4-w5Rs{_sJ%(2(A{$~2Pd z@Zy7K-7l;5FMfF+W7##D`?^a3Gn2YKTt}OToGUYYA2*doynDxmVVh6)n6RJf5v2`( z{`->u*Y4MH)e7#3*YG~d?d^g(acN%v$$oWyzyC3sXH8R5M|^H`RpQq3`a!rYzNRjH zwdvw~Sl_ta;pZ>cgxk>m>fFkvPqRFnnSJqSa(lZe7a{L5@S^&=k@4G<2f3bRCnNv*ttJ#lRo<^FC zYa08R2JO|5uhu(%-e=pDyE&o8Q{G#(Vi<7w7hOsy-tJ4sZe(R$%N&i+UyW0}g)hv1 zgKuyPr8}X$|4uFgjh=zh@xkpLn`lj*3U!+$)-&GKr;*sCyt~uF;#=AG?*pA%HBx8| zEo0^v12znFhDd+c^pbn|etF4&_fuu6P=t(7ifO`lZ~Xw(nY({d=ae69uRHQ*ZIVSDQ-9HTwbrj&t%^-_}1l zqvI&U^E5c?48{GC?4gmCwS-yq(i-f>ta(~Osdl`s29|}vZC})n-FYTtpm^!%4WSyF z^rr3|AC=B%<{oVRcF-mCWMtW^u2y%K#nOQDQZF+km{x?EmcHJ;+Jix9#$=@T4873e zqvYe1mefJ%-DS;fqcO$n`yMl|=M($tW(Ih^)8H+u<7lL_N7$B`kvd{C@y&{^gW_Q3 z@NI?F=SD`Q7PIq<@#`M;6u~O`m+18K^CQdDE$9m#$NUgnYT_qW>>-v~b{gNfp}%^+ zbFoe)N7&PQTjyIs-RBLb4vYlu`{NeOJ!jH;dpG^z2l1DJmO?q77e9?y@LEU5sl>+C z$99p=@1ZN@dGDScD^>eXAJY}goSf2i*=FOT-(Oo@Vt7DnT1dR}Q`^xyc{tGO9Jk$d zU}*jA8f~=x?>}x~|62?2CZ=s+#D(IXI5;@xKHZyYqnbb^b0RfuU~GOWTZRM9m?9>_ z^F`r%XQ8>}jGoia;j0LWMcwvu@?xj%tpWXw5lgLEJXKYq_ETwQbL+iVqdRA^U%v3C zsF8f08p@`N`carTS4GLB_J313I@9YQ*S$vVKr7qTYTqcS-aZkXQAUA*kGDs!{xhDCZ^(7GhH$F}@Sb*k{L|ownb}qx zh}(glvS{aX{Z~||=7fEz#;Svk?QI?0Ds=N+{)3N2Dh=3H`7!JN`CaI1h|Par-(S({ z0`q>Fdt})9r?21Jzv4f_+23EMWg#!`@BjVzdai^2_rGDzPMUiW+x-6hPjry7F4f_G zxozeHEpU@w(41KJuMdq`>Q4B7@rF14cf27#n=4i9Qu$<= z>r(N*UYbifR-`Mkqm6Ljf0pN&5cc$6*LIX0H{*8Z-He`Zq0Zb5xD?AWc~6oZ(Y=o2Qr6@NYh1zGvB9j`|*FWsY0 zaB_9vW1t{z&$%@PCMr>_{;NsYwW<>#yp1IUuDS8-2-TVwEld8?3m;wzT=1a! za?2CC)8?-i8Q~t>^7hm$tjHcQ`@(MGoN+d|3G6e+Ki?UJTP_gwyJG@?6N?>T;p(T6E!Ic(Pv9~!!pvM6=U>fU#rOa8DG?*L%e z*x5Za2q6WA^hMgf+oR*-@0UF^jrt@fCvPnBmHkcSo}Mo)uHWUDCIfuTlQ*KH_p74Gp2{P??fJ}pv0F2q)9n?0E+Evs!*Ys@H z76J4836r;Y4X%mi#OQJji%HFoA0tyvTh&8vZQu2Pb;*=7h_79HdxmVG5wrA#gQG3Cd?aq-Wk3RK^QLe6hTXR_6Sw}2v z@0B!8;MC5aQy~aX&+Xoc%P&L&dz1i&$?ycuOrLGG;}^~qRVmXj`POF#TXU1W^tQTs z$Ualza;eDO1!KSJD>6Kc| zy~VHRo>QC*Oe&~7O`33CN&o5ABdc5b1D_i0vzg%~2wg zb9wD7CR9Z71CC!~_d6$auXl(>ygU`*5alUHkzasS6}{YP-C_%ktw@P&tH?=(~hkOugFyILWPbJ7jJNzzrF zn@?Uu^-GT~Ai||{-J|;mZ%KM-N=Cp2&*s}mpcZrK2!d<|7Zzy95@llIdt#zBL47yy zIYG!cWUNxYty11e$rvxY{8v2l(0OvaYgDy9gWJ zYEMYLi&mUIU5Vj?UTQCcH9-d?pW2QrCOD5J@~|4e6}WWueZASLX@%?Yu5*!F$+wkp z=Ijm%-H2@rBd1#mT~NOAJ0EF*ZExU@@Q~eVyT^+=Z>@E#>35i&P#bP@pLsbwdXqA` z?9h;TdTANyh*it`eU!;}j9a$6caZzOQDl4VtCUCN{`4Igv38rDJ4kvlbcNae{=xe> z^dT)4v~I)cZTN+_P@k_0OgQk=1=b{V?A3i+86JDXJus+*D+y<3HccK~b#<81IN0z> z(=u1?Czcsk>^zy_>0J#x$hC3(l)dLxlMANZh6g_HderLa6{DSCQt{z2`KpPoOZi`Z zCtcnljy^ zR&4kntt|O;Os&0^NiQWGW3a+lq<6D;U0WV}%-l8dd1ij^6^Gcj{A#P_2Db^jt|~E{ zuPNDhbA?i!4`qo~EB3RO{_5Hli*2_7_>mZ%RhYi3R`oJ}1(#*=?gUxvHdv-?$Q3e9 zOm}gVXEYo5nl-kR?HKh#Zh-vv2GDujvY5X3yFS;o5Dv6KCfR@Wm3T`m0+6RvmjvQ)2j))649OegSgVJI`czL(+!s z1srRQci$#sy9$|)B=Q1N_9GfWY%A#)$yDjMk`{?QKVA5qv5^=q&rgj)+PtmEA{(!K?MjNO-hu5{)6x>KLE5?5g%YkMgHedfIEB7M7it@iLzIu#vc9FMwNr4NpUEx%LNdSdYdWJojN z5Ud_mlS(#)!OsQ1k0q?T7`Xq-+hHPwS0_9@QdevG1h*Hi1herg@{{0LIE%tL zk0~$|&@olw-ggOCr}d7M!a#`V;hMaqe8WR-QpnporeC)1|NXI~f18{KHyNrH?uvkx zVjYz3Do^Ra`;lJ*^w!C=5cSA)KAWdS|Gs!L(|%K}!1~wWV|S9I3`y#w=Z#ni0-DZr zl?5hfe9C9Nctri|9shj2`_*m2qRO9gO317nyQHAozTNuBc6QOT0?R!Gg`0H7FW>H2 zXh>h?APU}8=9}mboPuH3$42B_T@w1>`SZrqhHqYKDkVFS4hWiD-eWAJu8O<1$mS^^ zCVlerYH;cB6YqklbWV=b3u~E{7rJR{r^{<$8~8toRT}DYej$7Q7|j@KS-p)}Njlfp zMH?%tkI23Ske?tU317W9m&LKTuPw~=;35T?it+C!FVTPTUS(HZB(Z<&NBnhsXd8%G!@%xwzG#26$m?*UH1^AMx2r^-edpJpXPCjA)2^Bgx9J z4M0Ss6LVLNT)e#U{j&Si$-#jQ;o1jm^JXLJow9B1vV`;01Sgem69EW4N^60N^Q*b!+vfGHL5(A zl?MJ#5y6v_l|!?C!gYKb{m#%dE^9$*(BWH3Zc6Zw9hXvtTgzc zX++=bC9BpCtXMEOV2e_Xo3kC>TwY#s3q?z&{Hr>I&P`YCKu~^I?axL_+D|}5Nn3pM z&Rcsfs}>d(k*Fef;hUy@a_{T?2{#Q(KG9>`WMQxCzH7R#R^Qoz#mf2i22VGz_9SZ} zvH_|pMFV+{h|uI7&A3Go<7rxA@oN8j?Z}N}UY)RB&tS{j+1-SRkb2pdoLpO(7x+;z zZS~vW5WRi6%PE)qs{?%!t}NUAW}G~FM`%f@^f`llqNbkSCU3rlwQEQk9M((%39Ir} z5r!WCPa8k+M7o4+yF&lLv$?~O@49P|6hf>CvF7x*WMjrjg~Ip+IFxdoQo@%#F;wBBf>kl(M zHXTsCyC09yes?J6G48uYXQXT$*1?yw(%nLedOU4)^_#3OO2RTaki9=ts2A+H{2{R zgT?x^QsDvTo@yHn`R5mkG_Gd4?Guq zh`|@0H&nCz9fRq~7aEU#MqpMN-W#xBye5!uudmBHHLP7Bn50||+G{~M*WOSlaNXAd zN(DdhY^v;V3DSw%^V)NP22ZSza^nCTDv`S`LXuF)dKHu3R^yfjE)+qPOMceqI6Fzs z<3(02Pqv!T`@0tL@cJWx#fE0O;vhn-h*b_%obgOR3IbyAHr&?<=RQvORWD>w;C1!G z?%xYqDS4GWzY1~Z@UwJIrRCCQUfzV=m#>+aJX~x6{w_mg+X$*D7Rb}9;PSdrjsvay zq3-6vmA8OgPT2lp9=f`>)Ln8VN$4Y&Gu7yT+EI;g`-S1h-PZ{{rMH2Si8l^w2 zP$63DSGf7~+faE&M&wEWEccW4Yyd;s_IX2XXD8|Rw``fo)hd4$X>vbVR$GCOcQ;kj z6{m$^*SQ_P5eh5WOg3Cev;3?%&ULkC__45pY5?C>hCQDB8?U!oiQ)h>`(rLsRnDI* zQY%JNQ&W%c99eZ{d0|5vxy$CHVNWCrK|YQvONSga&sDh3wcHNm+_Z2GR|5=U_v;r6 zJ(INB?=(e|Ee1=4hB_j80Ks?g*mI=1H&>~vSp2jH5~z!6)Iwy1i7rep-&ieKM_xJF zVuH&SSR<#|_D)afCQ7Yt?o2VZ*K2=eLS{*zFcK}M~6D@K^TtLE9cHNvwTI<%Kl|F$E9_Zue(F$)eti$44F67$SS~_6chGE%?zDpP2cOu)&rK{RHq<I+ph0$CfzTvKCW*hK!or5HN-S?`wh$u_!mgAEbhD$%f-O!`m4u3vGVu1-_V;u z!jK@}Mkboyy+?0*7FlR&FY4tqWSbdSSR@EYUph6a;Cc3}96j$*@Rwhu4+Ze~DDR&Z zW_In-2UyEr&v#2!jvX`)T=Q2#-ie|O*1&%EREGH5^2g>B`hv@u* zHmwbgr>m{>`0+=qV)UgFRaWvd`%}%bBqZnXZ7vYluygkxwa?DVN~o4~z0S}ul&)qdal7I%CM*2#q7B!n-MpE;R>@t! zfc6&%t=*RrROX-K;0`eNVpVM6PD-jYV|6NvSL5~aeF6E)oNT_%ujf@{P}-eY?4`Ft z03^<0>sp#zRrF)|if^rY)XkcFJ0`|5XN1M4hzf-WB&=O+8h4((l_cue-{R@gYIm-{sbw5qb?L)_*%)QO(uik|HhwtL3}}0# z!kyD6@X^%!?-mdHU&t$N65wBps9W)UQOV{+UUG7Bn~8Px9(T|E0_(kxw6dz=P|LnM zk_2`7ksO0nE}lqyNq>c~cvmx~z9KgRFb1QR`QbZ`%SF}sl68==nk26>V)W6Y(A)gs zrTPc&EjG^?EInt258LEqmS+{yqFqm#{rl0K3;QUm&V;!Eljr0; zNM-Aak%nY{t32oXrKIqVOIv_Xp1hBC7FwnZj7r;f^{oa=vN0?hyI%I)TCZTLz68pQ z8TG~3MlY`MiivDTgW61xKwNaY5RedbiGqh)HIR;UagG7}e~@3|5}q4iN=r+-6z^kZ zWnYp$F!PS{*zangl5|IL2(DVPqlrT-=_n;h%J!HTP?T z2iT2Aro1;krQ#H675uba=m1Rt>XG)wCW%Qty=zXtCAPR5TDB2AMqr1)5?~8j|C~`w2X^EFA854fb?kPM6h2rOO-Tmpy(hZt!Bf($mMxpP+0OWl{e4QM9S<|I^l)heOr= zfBcMHBBID%o>Eb=%Q|JL$WmlUmZ*d*DNBusQV(gNEQK&Bk$q$dF?x_K&DgW6$UgQN z4CD7X&-b~0e|*1BS65e8SLU2E=iHzB^M1cy_qk7muLXS-k%&Lsd2!NedH#c2CCBi} zJQ{;kodQAuqFDCzB*;S1uK=FP#tpU9pV&3=)D~bzUYKFnXvi4 ziY&M8I{+G)bcKP6xIO&`D%b3(hhc6&`_eWF zf0*+zOH1_1VPjv_RACF74V)PvQc_CTm)#k9gjlYfY?C~zN=V(ogXGx>5GXLw#mUhy zs{Y)()#hTYo4ZtRi=)*Qyv??CR_QQqDv4e3BrQ;3>xks3#N@2TB_uODfSkhUoRSn^ z4JO-Frf?9Bh)juz5(9@YyR>hpBhAfHu13Lyuj2A;ju*f`rZQY38M`ecp1)LaYJYK) zWJ8iwq|EXDs{D4ZJ# zxDqZl53KWNKkK(EytdamI7whmWEf{&4$Y0q1kJKNzOe|uCoDey4m0|qfQD1>nUYSb zTQGMf+dSlm{(i zV52HFm^h$6v(+7QN7k}8H+F@BZ}|h9h1G#_bC#pm7jmY@%0f#2DiDn61;Xl_sKtha z9CvNt8L*XZ==6Vh$UQkJ79Cf~ecN!LssVgnxR{0BRpmaAg=bpw7U~zu(4h9{<=vso zx=a}2_(L((I%bTTM0vm(3}GfJFE1w^UX+F6RdC+xm}?_AT8WA|K|W++uI(R!Uy-l2 zNxa~YLB%9aGERdO*q#4E3+6p=XPrTd!Ov}&VMNiwFrjP4T>g34{SwV>8UslZek^w@ zHfdlL=7_Z1H`y>nF^+5^xtRU;?f`I9nXoZN5eWq=SEflkOm8!o4H%fOIj=CgLczd~ zRdxv-{QSu+eK`9o04xxEE*m>Yw+V4U$xVNMNlYvW!iS}#vF=oiEqoPf@r?&~i1e|r zLV4)fpdkDJNkYOc-%7Fn`qeN06B?^R!-^COFsUuuXA29%6B7=(9R1koQS(||ZpEO$ zD91`jS+<`nrRTC&M^3S^-4E$2iRJks;()0HExs$? z;!F3IV6KuKmA%Q563i*m&6DP{otx`Xd;s{>FD`c0Q~ykGFO^jQ+ z1`qG$$lOpx=p(|P?CL%mx2skBl4H*thW8Np84>E*9stnNgvlV}RbkjUw|T1Bb6SNJ zfE5UhYx9ojD9LO=AMmhT%W3_ z2i0~hnMK9IsiB)dgMJWAJz4@gx(4|`9{fW;b)OeGqJro-uxtd>8dp~8Nf|&wG)*rj zKVSA&Siw~(&>ONkr&Q=4zB4kw#?QwYbR2N`$wCl~Na2tse5)ce-FZN%AZlR>|a-&2AmWv2?jNFf@GB890pvO#9WFM}W9kshcjCupL;mZjp zUTlcCPQdn5ysiM+(5db?(Dp?CL{rBDsEwqxAseaU^z}1AB4|)QH>MuZ;YJM14LeyBv1~s|{E@@053--GIv#U$Z-S+b4M>NDsFl+ob!c8uI zk(J4dB{t=Pu?U`5obu7L?eUOTqQVZf@lL(}`EaaE7UDxV3$U7_S3eobRQcOWnx$xR zA`L@01R5zc05dU>yHYFLY-h4(xeeI20^9NeFc0?`-e=rmqw+RCdn4;CuDLxb)rtTj z04nyyTjjlF*EPh^`wse-9iNKrc6h5&aeG-4rU5jC!+p1PR7Efn%=vAdAMHt1-H*l8 zPKU?I75_Pq=b*Vx51AVFo0yx7^B7Lgn47jzh}` zC%|`58w}c}tzuv383Fv(FMRB+#zZz|KZhjM|IQKCIcNm@uDr*2<3Uh>ZpS*{Sz-5j zejQ!2u2rZZ_V#@v@+}a#=r#*9Alm0|Zii>F^*>wwfvq7EM%P+cc=l37N=L_9MNJLO z*5P5e2W53P1kJ#bwL-4ou6(6YCmLzMS7l{6vV@*KbapYz`Vct@gL81u0dtgJUG+>n z`353y%}E7$y3^#v>D4wT)+2w{6zl1b6|hd>K|mu6XtL!KUx20qL7 z@lqM<#rQa#`!zpm0Uvye8J~3&8Q0mf_M&t)mXJ{&391%K0=UY-9E>+#6+u4=CGX@x zQBRj6t11ZKtqM~-t-?3e5!2Vt8U~1*Fl~WzIoZAiic197_scmgUtpv+37J9~M(OWQ zn|Kosu^K2$?T|Bu`eDIE5o=7aq0!q95!AHoQsCD^)}y*1j-$miGP7P zH?99jcNn~Dbi;R-BNw5{LN=+r@24K~DaIot5WFNRW^1ORB)#atUpWHvwVxaq;8SVb z`MDL|Sb|~*&?+8~ZG2R68?pv~14r4k1cGMCD>4@N-*&Vr(NHi@P<|ESR}0^{f@z*x zZG(dl7C&dmtErbtE4o+x?v1E=$`FyWK;?;N*G2>wKP!vm6X4H(`I#;^>gdI)iqw6t z(@D>GdHOf=LI`g)j3|Jg(DzY9DAl7L`uA&-9)&2w2Zm8{ax(0wu>~zsZwuiB(6-~= zuFx{A#Zir7pzz@@s5sFmfYSaR3{(*hfWv$>lhOP6BL4y_!OSH|N7l6Ji}Ti)R7H!& zy&K|KU)BP>%Pd9LdjS`18aj9529HwLHAoJhky^3DOHLm{=u|)0e_in7^O>P@=|8P@pZWc)8N^UXc~h>_KvF+oU#&oWDDb-GfCoCMKF5QyQa z;l>gFsZAB^P>+^uXYlGsu9_t|dsavK$zh;zBNOV!o$9-egh#P5;!H>%XV@XA_)mV1&jIz9CLnvSmq!yjcT=ihQI#Nr6b zQ1Nxc?uKgWV_&-BLUbd5Pg(I^))aF3$Oa=21Q++mtd_-oFhBjsI*{glo%5~tCYop%0i_C#i04^#F6DDKHJ(aNITTW7@hlF3*nt}3PXNRi zF$V`FDmk2u{`C0L*^wEQo!wb)o^lm#srB-zn0iOOx=&U%;;(sblR?sqec@?paQ*bv z7SUXc?RjuTqCXp->olnaOJlhoQZAK=SeRW{JT$fFI!@3b?lggngPTV$ zuG$1Ay*@xjK}=CmY;xvL<{IiUC?CYLD?L)U@O=xnt;5f!9uB$d!nS}M2u7g?pvYD3ir41VLmW5A;4Se3U$Yche%u}W zZ>7E%u9uG*skiqU#GK30`xS*66xn^t}_^V6U1rs)QgUXO8r{}VCZl*A* z@!)k{%IT4|@nPwmwN`wolF;5y>H}2v2_^`Fpy`mR7F%vEZ-fRcO3;L{-5sJ=oPu_{ z*HbVpNWTCpUrpjqJ#)RxHB{Cel8)h>~7d2VC{#`M^-0 zjr=Dl3lrQylU=zLK$z?!X$4y2QxBAi?N!e@>+S_gJB(zCCym3n*_ewU8ak6-adDz>_4MY1+qPD?`;|1*^ zTtrVbiAS6-V;@Na0qcvZobT%d>*Z<2u176kc0xmixXMO3w{k}0V`f|He7Sj2Zr`<% z&<}#z`4>ZA7SbipRB6ICr-I|o*!E`Au1wp|S}@LQ$C_nBDnXd55vn!~~HxrNyn%SEBIA)Tv?Aud#BcHnDGp zb!~m5J+0lP_4J5e{ZQo*3a%Ci241DI_O7nMj4F3&=xL$ws~(H18qVf}A4m*Md&$2t z85eNe&ePMLG!zxR?Jn0=Epa~6a@Eg$Manx(Y*J_YuwL7DkJJccMv0EUbbD0??Gmg) z82JVGvESuHE$Vv)8&&QKGz@sEFxL`(T_8ty%I9$=oOVo}?-0}J9>+X11Hn&sfSN@Y zTi`2dr)&vTFWeHmO71SV>#9K%hf8;v-Zm@aE$^#Y`K$i(T&G$|aVg_*U?hni9CerW zh;eqG`E&rTn(-!|I6}IYmq*1!5!s<#guDSSIXnBkX5!}B6MKFZBp_TcL^s=#x7xcC zDe7IjglJM+{RtKIu+6BqRn@iQuFVW316?mj`EaAdOp(l-;JaYI!+EVtFFpicC;|o{ zaC)D^5BCne3UouNv|52%4HkutI3}CSp_Bm3;~*@1if`WW5Sm#5O_#_0i(%2`&#Eqw zci)dLO$SUmK~mg8_Ctl+Veb2+*jrLOkh!4;fNGu4a!?LuNg`WNd9@Tr4lZGoQA%)Up793361Z(f)29`Z^K@|rjn7`3^vc`paC zGOf<@mU9fG5ppYeTD+34dQh?YmRh2Ty%b9S)3tYM|N5!VL=%UCuA9!F|NDl$Y;SMH zT=@r1hk>rp-%eOo$^hFmvG?Lc$?JBPI!}{rnwmIDYtNJJyhX4J$L(5WK zQ?sJAwI{4QUh?MooPwKu6xU)-)y;dNp)Ly8d7r>2i2-XZ^bwdWseG3FFW+Bg;J(iA z8}#4(Iu*`LM+-O!uBFlaG+p!mJ{TOn13N0`nlZKri-+F+FN3^)@)w}$|8m`;25Fd+ f|MGERCpV>v9?p1P?$#PZ;MXZbGlRV2&iDQg<8 +SyslogServerPort= +SyslogServerProtocol=TCP +---- + +For proper timestamping of events, it's recommended to use the newer RFC5424 Syslog format +(`UseLegacySyslogFormat=No`). To avoid event loss, use `TCP` or `TLS` protocols instead of `UDP`. + +[float] +===== Filebeat configuration + +Edit the `cyberarkpas.yml` configuration. The following sample configuration will accept `TCP` +protocol connections from all interfaces: + +[source,yaml] +---- +- module: cyberarkpas + audit: + enabled: true + + # Set which input to use between tcp (default), udp, or file. + # + var.input: tcp + var.syslog_host: 0.0.0.0 + var.syslog_port: 9301 + + # With tcp input, set the optional tls configuration: + #var.ssl: + # enabled: true + # certificate: /path/to/cert.pem + # key: /path/to/privatekey.pem + # key_passphrase: 'password for my key' + + # Uncoment to keep the original syslog event under event.original. + # var.preserve_original_event: true + + # Set paths for the log files when file input is used. + # var.paths: +---- + +For encrypted communications, use the `TLS` protocol in the Vault's `DBPARM.ini` and use `tcp` input +with `var.ssl` settings in Filebeat: + +[source,yaml] +---- +- module: cyberarkpas + audit: + enabled: true + + # Set which input to use between tcp (default), udp, or file. + # + var.input: tcp + var.syslog_host: 0.0.0.0 + var.syslog_port: 9301 + + # With tcp input, set the optional tls configuration: + var.ssl: + enabled: true + certificate: /path/to/cert.pem + key: /path/to/privatekey.pem + key_passphrase: 'password for my key' + + # Uncoment to keep the original syslog event under event.original. + # var.preserve_original_event: true + + # Set paths for the log files when file input is used. + # var.paths: +---- + +[float] +===== Configuration options + +include::../include/config-option-intro.asciidoc[] + +*`var.input`*:: + +The input to use. One of `tcp` (default), `udp` or `file`. + + +*`var.syslog_host`*:: + +The address to listen to UDP or TCP based syslog traffic. Defaults to `localhost`. +Set to `0.0.0.0` to bind to all available interfaces. + + +*`var.syslog_port`*:: + +The port to listen for syslog traffic. Defaults to `9301`. + +NOTE: Ports below 1024 require Filebeat to run as root. + + +*`var.ssl`*:: + +Configuration options for SSL parameters to use when acting as a server for `TLS` protocol. +See https://www.elastic.co/guide/en/beats/filebeat/current/configuration-ssl.html#ssl-server-config[SSL server configuration options.] +for a description of the available sub-options. + + +*`var.preserve_original_event`*:: + +Set to `true` to store the original syslog message under the `event.original` field. +Defaults to `false`. + + +*`var.paths`*:: + +An array of glob-based paths that specify where to look for the log files. All +patterns supported by https://golang.org/pkg/path/filepath/#Glob[Go Glob] +are also supported here. For example, you can use wildcards to fetch all files +from a predefined level of subdirectories: `/path/to/log/*/*.log`. This +fetches all `.log` files from the subfolders of `/path/to/log`. It does not +fetch log files from the `/path/to/log` folder itself. + +This setting is only applicable when `file` input is configured. + + +[float] +=== Example dashboard + +This module comes with a sample dashboard: + +[role="screenshot"] +image::./images/filebeat-cyberarkpas-overview.png[] + +:has-dashboards!: + +:fileset_ex!: + +:modulename!: + + + +[float] +=== Fields + +For a description of each field in the module, see the +<> section. + diff --git a/filebeat/docs/modules_list.asciidoc b/filebeat/docs/modules_list.asciidoc index 5c13a6fa57e..3e554cc6407 100644 --- a/filebeat/docs/modules_list.asciidoc +++ b/filebeat/docs/modules_list.asciidoc @@ -17,6 +17,7 @@ This file is generated! See scripts/docs_collector.py * <> * <> * <> + * <> * <> * <> * <> @@ -90,6 +91,7 @@ include::modules/cisco.asciidoc[] include::modules/coredns.asciidoc[] include::modules/crowdstrike.asciidoc[] include::modules/cyberark.asciidoc[] +include::modules/cyberarkpas.asciidoc[] include::modules/cylance.asciidoc[] include::modules/elasticsearch.asciidoc[] include::modules/envoyproxy.asciidoc[] diff --git a/x-pack/filebeat/filebeat.reference.yml b/x-pack/filebeat/filebeat.reference.yml index f4c8f79bb0c..8d0ddda9143 100644 --- a/x-pack/filebeat/filebeat.reference.yml +++ b/x-pack/filebeat/filebeat.reference.yml @@ -789,6 +789,32 @@ filebeat.modules: # "+02:00" for GMT+02:00 # var.tz_offset: local +#----------------------------- CyberArk PAS Module ----------------------------- +- module: cyberarkpas + audit: + enabled: true + + # Set which input to use between tcp (default), udp, or file. + # + # var.input: tcp + + # var.syslog_host: localhost + # var.syslog_port: 9301 + + # With tcp input, set the optional tls configuration: + #var.ssl: + # enabled: true + # certificate: /path/to/cert.pem + # key: /path/to/privatekey.pem + # key_passphrase: 'password for my key' + + # Uncoment to keep the original syslog event under event.original. + # var.preserve_original_event: true + + # Set paths for the log files when file input is used. + # var.paths: + + #---------------------------- CylanceProtect Module ---------------------------- - module: cylance protect: diff --git a/x-pack/filebeat/include/list.go b/x-pack/filebeat/include/list.go index 26e47f5f9f3..94340a8c11c 100644 --- a/x-pack/filebeat/include/list.go +++ b/x-pack/filebeat/include/list.go @@ -25,6 +25,7 @@ import ( _ "github.com/elastic/beats/v7/x-pack/filebeat/module/coredns" _ "github.com/elastic/beats/v7/x-pack/filebeat/module/crowdstrike" _ "github.com/elastic/beats/v7/x-pack/filebeat/module/cyberark" + _ "github.com/elastic/beats/v7/x-pack/filebeat/module/cyberarkpas" _ "github.com/elastic/beats/v7/x-pack/filebeat/module/cylance" _ "github.com/elastic/beats/v7/x-pack/filebeat/module/envoyproxy" _ "github.com/elastic/beats/v7/x-pack/filebeat/module/f5" diff --git a/x-pack/filebeat/module/cyberarkpas/_meta/assets/elastic-json-v1.0.xsl b/x-pack/filebeat/module/cyberarkpas/_meta/assets/elastic-json-v1.0.xsl new file mode 100644 index 00000000000..abd4777a52e --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/_meta/assets/elastic-json-v1.0.xsl @@ -0,0 +1,161 @@ + + + + + + + + + + + + + + + + {"format":" + ","version":" + " + + + ,"raw": + + + + + + + + , + + + } + + + + + + + + > + + + + + + + " + ": + + + + + + + + + + + + + + + + + + + + + + + + + + : + + + + + + + + { + + + + :[ + + ]} + + + { + + , + + } + + + , + + + + + + + + : + + + + , + + + + + + + + + + + + + + + + + + + + " + + + + + + " + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/x-pack/filebeat/module/cyberarkpas/_meta/config.yml b/x-pack/filebeat/module/cyberarkpas/_meta/config.yml new file mode 100644 index 00000000000..4ebf2db818d --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/_meta/config.yml @@ -0,0 +1,24 @@ +- module: cyberarkpas + audit: + enabled: true + + # Set which input to use between tcp (default), udp, or file. + # + # var.input: tcp + + # var.syslog_host: localhost + # var.syslog_port: 9301 + + # With tcp input, set the optional tls configuration: + #var.ssl: + # enabled: true + # certificate: /path/to/cert.pem + # key: /path/to/privatekey.pem + # key_passphrase: 'password for my key' + + # Uncoment to keep the original syslog event under event.original. + # var.preserve_original_event: true + + # Set paths for the log files when file input is used. + # var.paths: + diff --git a/x-pack/filebeat/module/cyberarkpas/_meta/docs.asciidoc b/x-pack/filebeat/module/cyberarkpas/_meta/docs.asciidoc new file mode 100644 index 00000000000..af66f19cd4e --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/_meta/docs.asciidoc @@ -0,0 +1,171 @@ +[role="xpack"] + +:modulename: cyberarkpas +:has-dashboards: false + +== Cyberark PAS module + +beta[] + +This is a module for receiving CyberArk Privileged Account Security (PAS) logs over Syslog or a file. + +The {plugins}/ingest-geoip.html[ingest-geoip] Elasticsearch plugin is required to run this module. + +include::../include/gs-link.asciidoc[] + +include::../include/configuring-intro.asciidoc[] + +:fileset_ex: audit + +[float] +==== `audit` fileset settings + +The `audit` fileset receives Vault Audit logs for User and Safe activities over the syslog protocol. + +[float] +===== Vault configuration + +Follow the steps under https://docs.cyberark.com/Product-Doc/OnlineHelp/PAS/Latest/en/Content/PASIMP/DV-Integrating-with-SIEM-Applications.htm[Security Information and Event Management (SIEM) Applications] +documentation to setup the integration: + +- Copy the https://raw.githubusercontent.com/elastic/beats/{branch}/x-pack/filebeat/module/cyberarkpas/_meta/assets/elastic-json-v1.0.xsl[elastic-json-v1.0.xsl] XSL Translator file to +the `Server\Syslog` folder. + +- Sample syslog configuration for `DBPARM.ini`: + +[source,ini] +---- +[SYSLOG] +UseLegacySyslogFormat=No +SyslogTranslatorFile=Syslog\elastic-json-v1.0.xsl +SyslogServerIP= +SyslogServerPort= +SyslogServerProtocol=TCP +---- + +For proper timestamping of events, it's recommended to use the newer RFC5424 Syslog format +(`UseLegacySyslogFormat=No`). To avoid event loss, use `TCP` or `TLS` protocols instead of `UDP`. + +[float] +===== Filebeat configuration + +Edit the `cyberarkpas.yml` configuration. The following sample configuration will accept `TCP` +protocol connections from all interfaces: + +[source,yaml] +---- +- module: cyberarkpas + audit: + enabled: true + + # Set which input to use between tcp (default), udp, or file. + # + var.input: tcp + var.syslog_host: 0.0.0.0 + var.syslog_port: 9301 + + # With tcp input, set the optional tls configuration: + #var.ssl: + # enabled: true + # certificate: /path/to/cert.pem + # key: /path/to/privatekey.pem + # key_passphrase: 'password for my key' + + # Uncoment to keep the original syslog event under event.original. + # var.preserve_original_event: true + + # Set paths for the log files when file input is used. + # var.paths: +---- + +For encrypted communications, use the `TLS` protocol in the Vault's `DBPARM.ini` and use `tcp` input +with `var.ssl` settings in Filebeat: + +[source,yaml] +---- +- module: cyberarkpas + audit: + enabled: true + + # Set which input to use between tcp (default), udp, or file. + # + var.input: tcp + var.syslog_host: 0.0.0.0 + var.syslog_port: 9301 + + # With tcp input, set the optional tls configuration: + var.ssl: + enabled: true + certificate: /path/to/cert.pem + key: /path/to/privatekey.pem + key_passphrase: 'password for my key' + + # Uncoment to keep the original syslog event under event.original. + # var.preserve_original_event: true + + # Set paths for the log files when file input is used. + # var.paths: +---- + +[float] +===== Configuration options + +include::../include/config-option-intro.asciidoc[] + +*`var.input`*:: + +The input to use. One of `tcp` (default), `udp` or `file`. + + +*`var.syslog_host`*:: + +The address to listen to UDP or TCP based syslog traffic. Defaults to `localhost`. +Set to `0.0.0.0` to bind to all available interfaces. + + +*`var.syslog_port`*:: + +The port to listen for syslog traffic. Defaults to `9301`. + +NOTE: Ports below 1024 require Filebeat to run as root. + + +*`var.ssl`*:: + +Configuration options for SSL parameters to use when acting as a server for `TLS` protocol. +See https://www.elastic.co/guide/en/beats/filebeat/current/configuration-ssl.html#ssl-server-config[SSL server configuration options.] +for a description of the available sub-options. + + +*`var.preserve_original_event`*:: + +Set to `true` to store the original syslog message under the `event.original` field. +Defaults to `false`. + + +*`var.paths`*:: + +An array of glob-based paths that specify where to look for the log files. All +patterns supported by https://golang.org/pkg/path/filepath/#Glob[Go Glob] +are also supported here. For example, you can use wildcards to fetch all files +from a predefined level of subdirectories: `/path/to/log/*/*.log`. This +fetches all `.log` files from the subfolders of `/path/to/log`. It does not +fetch log files from the `/path/to/log` folder itself. + +This setting is only applicable when `file` input is configured. + + +[float] +=== Example dashboard + +This module comes with a sample dashboard: + +[role="screenshot"] +image::./images/filebeat-cyberarkpas-overview.png[] + +:has-dashboards!: + +:fileset_ex!: + +:modulename!: + diff --git a/x-pack/filebeat/module/cyberarkpas/_meta/fields.yml b/x-pack/filebeat/module/cyberarkpas/_meta/fields.yml new file mode 100644 index 00000000000..8ac73cb4913 --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/_meta/fields.yml @@ -0,0 +1,10 @@ +- key: cyberarkpas + title: CyberArk PAS + description: > + cyberarkpas fields. + fields: + - name: cyberarkpas + type: group + default_field: false + fields: + diff --git a/x-pack/filebeat/module/cyberarkpas/_meta/kibana/7/dashboard/Filebeat-cyberarkpas-audit.json b/x-pack/filebeat/module/cyberarkpas/_meta/kibana/7/dashboard/Filebeat-cyberarkpas-audit.json new file mode 100644 index 00000000000..bac1c083f52 --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/_meta/kibana/7/dashboard/Filebeat-cyberarkpas-audit.json @@ -0,0 +1,1574 @@ +{ + "objects": [ + { + "attributes": { + "description": "Dashboard for CyberArk Privileged Access Security events.", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "event.dataset", + "negate": false, + "params": { + "query": "cyberarkpas.audit" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "cyberarkpas.audit" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": false, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "description": "", + "params": { + "controls": [ + { + "fieldName": "observer.hostname", + "id": "1617726994032", + "indexPattern": "filebeat-*", + "indexPatternRefName": "control_0_index_pattern", + "label": " By Vault host", + "options": { + "dynamicOptions": true, + "multiselect": true, + "order": "desc", + "size": 5, + "type": "terms" + }, + "parent": "", + "type": "list" + }, + { + "fieldName": "event.code", + "id": "1617811797137", + "indexPattern": "filebeat-*", + "indexPatternRefName": "control_1_index_pattern", + "label": "By event code", + "options": { + "dynamicOptions": true, + "multiselect": true, + "order": "desc", + "size": 5, + "type": "terms" + }, + "parent": "", + "type": "list" + } + ], + "pinFilters": false, + "updateFiltersOnChange": true, + "useTimeFilter": false + }, + "title": "", + "type": "input_control_vis", + "uiState": {} + } + }, + "gridData": { + "h": 9, + "i": "1007fa0d-a6a1-4682-a346-a90acc179da5", + "w": 10, + "x": 0, + "y": 0 + }, + "panelIndex": "1007fa0d-a6a1-4682-a346-a90acc179da5", + "title": "Filters", + "type": "visualization", + "version": "7.12.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": false, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "description": "", + "params": { + "axis_formatter": "number", + "axis_position": "left", + "axis_scale": "normal", + "default_index_pattern": "filebeat-*", + "default_timefield": "@timestamp", + "filter": { + "language": "kuery", + "query": "event.dataset:\"cyberarkpas.audit\" " + }, + "id": "61ca57f0-469d-11e7-af02-69e470af7417", + "index_pattern": "", + "interval": "", + "isModelInvalid": false, + "series": [ + { + "axis_position": "right", + "chart_type": "bar", + "color": "#68BC00", + "fill": 0.5, + "formatter": "number", + "hide_in_legend": 0, + "id": "61ca57f1-469d-11e7-af02-69e470af7417", + "label": "", + "line_width": 1, + "metrics": [ + { + "id": "61ca57f2-469d-11e7-af02-69e470af7417", + "type": "count" + } + ], + "override_index_pattern": 0, + "palette": { + "name": "rainbow", + "params": { + "colors": [ + "#68BC00", + "#009CE0", + "#B0BC00", + "#16A5A5", + "#D33115", + "#E27300", + "#FCC400", + "#7B64FF", + "#FA28FF", + "#333333", + "#808080", + "#194D33", + "#0062B1", + "#808900", + "#0C797D", + "#9F0500", + "#C45100", + "#FB9E00", + "#653294", + "#AB149E", + "#0F1419", + "#666666" + ], + "gradient": false + }, + "type": "palette" + }, + "point_size": 1, + "separate_axis": 0, + "split_color_mode": null, + "split_mode": "terms", + "stacked": "stacked", + "terms_field": "cyberarkpas.audit.desc", + "type": "timeseries" + } + ], + "show_grid": 1, + "show_legend": 1, + "time_field": "", + "time_range_mode": "entire_time_range", + "tooltip_mode": "show_all", + "type": "timeseries", + "use_kibana_indexes": true + }, + "title": "", + "type": "metrics", + "uiState": {} + } + }, + "gridData": { + "h": 13, + "i": "f2dc3750-9b7c-4b0e-a45d-3d3b08f74f3e", + "w": 38, + "x": 10, + "y": 0 + }, + "panelIndex": "f2dc3750-9b7c-4b0e-a45d-3d3b08f74f3e", + "title": "event types by time", + "type": "visualization", + "version": "7.12.0" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "filebeat-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "indexpattern-datasource-layer-33bc0096-e418-4f81-9c7c-7fdd16cc5203", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "33bc0096-e418-4f81-9c7c-7fdd16cc5203": { + "columnOrder": [ + "eedd5aa8-a7c4-466a-b10b-3a8cba3bac12" + ], + "columns": { + "eedd5aa8-a7c4-466a-b10b-3a8cba3bac12": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": " ", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "accessor": "eedd5aa8-a7c4-466a-b10b-3a8cba3bac12", + "layerId": "33bc0096-e418-4f81-9c7c-7fdd16cc5203" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 4, + "i": "af9e9f0b-a40c-411e-b441-2a779983ed24", + "w": 10, + "x": 0, + "y": 9 + }, + "panelIndex": "af9e9f0b-a40c-411e-b441-2a779983ed24", + "title": "Count of events", + "type": "lens", + "version": "7.12.0" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "filebeat-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "indexpattern-datasource-layer-de047c06-a965-47aa-8a15-8b0266d5abc3", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "de047c06-a965-47aa-8a15-8b0266d5abc3": { + "columnOrder": [ + "b916e5f5-a64a-49f1-b37a-ee1825fc61a4", + "3effd03e-0ed9-4e2d-ba8e-d77ae505092e" + ], + "columns": { + "3effd03e-0ed9-4e2d-ba8e-d77ae505092e": { + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + }, + "b916e5f5-a64a-49f1-b37a-ee1825fc61a4": { + "dataType": "string", + "isBucketed": true, + "label": "Top values of event.outcome", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "3effd03e-0ed9-4e2d-ba8e-d77ae505092e", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "event.outcome" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "groups": [ + "b916e5f5-a64a-49f1-b37a-ee1825fc61a4" + ], + "layerId": "de047c06-a965-47aa-8a15-8b0266d5abc3", + "legendDisplay": "default", + "metric": "3effd03e-0ed9-4e2d-ba8e-d77ae505092e", + "nestedLegend": false, + "numberDisplay": "percent" + } + ], + "shape": "donut" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 13, + "i": "7031905a-92ab-4e0e-aa58-72f1c07ff409", + "w": 10, + "x": 0, + "y": 13 + }, + "panelIndex": "7031905a-92ab-4e0e-aa58-72f1c07ff409", + "title": "Breakdown by outcome", + "type": "lens", + "version": "7.12.0" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "filebeat-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "indexpattern-datasource-layer-19858811-84d1-4f50-901c-dc1451972324", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "filter-index-pattern-0", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "filter-index-pattern-1", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "19858811-84d1-4f50-901c-dc1451972324": { + "columnOrder": [ + "81dcff19-b14a-4e4b-999e-dbbcbdfdf816", + "e3526253-18e0-4122-b112-ee5b4b9e23d7" + ], + "columns": { + "81dcff19-b14a-4e4b-999e-dbbcbdfdf816": { + "dataType": "string", + "isBucketed": true, + "label": "Top values of destination.user.name", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "type": "alphabetical" + }, + "orderDirection": "asc", + "otherBucket": true, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "destination.user.name" + }, + "e3526253-18e0-4122-b112-ee5b4b9e23d7": { + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "filter-index-pattern-0", + "key": "event.dataset", + "negate": false, + "params": { + "query": "cyberarkpas.audit" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "cyberarkpas.audit" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "filter-index-pattern-1", + "key": "event.code", + "negate": false, + "params": [ + "308", + "22", + "319", + "295" + ], + "type": "phrases" + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match_phrase": { + "event.code": "308" + } + }, + { + "match_phrase": { + "event.code": "22" + } + }, + { + "match_phrase": { + "event.code": "319" + } + }, + { + "match_phrase": { + "event.code": "295" + } + } + ] + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "groups": [ + "81dcff19-b14a-4e4b-999e-dbbcbdfdf816", + "81dcff19-b14a-4e4b-999e-dbbcbdfdf816", + "81dcff19-b14a-4e4b-999e-dbbcbdfdf816", + "81dcff19-b14a-4e4b-999e-dbbcbdfdf816", + "81dcff19-b14a-4e4b-999e-dbbcbdfdf816", + "81dcff19-b14a-4e4b-999e-dbbcbdfdf816" + ], + "layerId": "19858811-84d1-4f50-901c-dc1451972324", + "legendDisplay": "default", + "metric": "e3526253-18e0-4122-b112-ee5b4b9e23d7", + "nestedLegend": false, + "numberDisplay": "percent" + } + ], + "shape": "donut" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 13, + "i": "a24b9c0c-da95-4016-9fe5-2c0d34005832", + "w": 11, + "x": 10, + "y": 13 + }, + "panelIndex": "a24b9c0c-da95-4016-9fe5-2c0d34005832", + "title": "Top 10 user credentials accessed", + "type": "lens", + "version": "7.12.0" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "filebeat-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "indexpattern-datasource-layer-50325938-6a9e-4a26-946e-4468e68c6591", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "filter-index-pattern-0", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "filter-index-pattern-1", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "50325938-6a9e-4a26-946e-4468e68c6591": { + "columnOrder": [ + "8a965540-daa1-4848-80bb-96ddf53a328f", + "c05a39ad-2983-4f4a-900d-a939ecbda504", + "a808a872-71b5-4a76-a939-354f68991881" + ], + "columns": { + "8a965540-daa1-4848-80bb-96ddf53a328f": { + "dataType": "string", + "isBucketed": true, + "label": "Top values of event.outcome", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "a808a872-71b5-4a76-a939-354f68991881", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 2 + }, + "scale": "ordinal", + "sourceField": "event.outcome" + }, + "a808a872-71b5-4a76-a939-354f68991881": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Credentials accessed", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + }, + "c05a39ad-2983-4f4a-900d-a939ecbda504": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "filter-index-pattern-0", + "key": "event.dataset", + "negate": false, + "params": { + "query": "cyberarkpas.audit" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "cyberarkpas.audit" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "filter-index-pattern-1", + "key": "event.code", + "negate": false, + "params": [ + "308", + "22", + "319", + "295", + "38" + ], + "type": "phrases" + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match_phrase": { + "event.code": "308" + } + }, + { + "match_phrase": { + "event.code": "22" + } + }, + { + "match_phrase": { + "event.code": "319" + } + }, + { + "match_phrase": { + "event.code": "295" + } + }, + { + "match_phrase": { + "event.code": "38" + } + } + ] + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "layers": [ + { + "accessors": [ + "a808a872-71b5-4a76-a939-354f68991881" + ], + "layerId": "50325938-6a9e-4a26-946e-4468e68c6591", + "position": "top", + "seriesType": "area_stacked", + "showGridlines": false, + "splitAccessor": "8a965540-daa1-4848-80bb-96ddf53a328f", + "xAccessor": "c05a39ad-2983-4f4a-900d-a939ecbda504" + } + ], + "legend": { + "isVisible": true, + "position": "right" + }, + "preferredSeriesType": "area_stacked", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 13, + "i": "1dc68cc6-e1b3-43ea-9b0e-f423d194b99a", + "w": 27, + "x": 21, + "y": 13 + }, + "panelIndex": "1dc68cc6-e1b3-43ea-9b0e-f423d194b99a", + "title": "Credential access by time", + "type": "lens", + "version": "7.12.0" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "filebeat-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "indexpattern-datasource-layer-105faf70-8330-46b3-a82a-573a383068fa", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "filter-index-pattern-0", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "105faf70-8330-46b3-a82a-573a383068fa": { + "columnOrder": [ + "c51d6847-2fcc-4d13-a44f-49786cb979ed", + "d73b823b-ae68-4e73-bbe2-90a35bc825e7", + "c0147524-accc-4dee-a4fc-44199e3459f1" + ], + "columns": { + "c0147524-accc-4dee-a4fc-44199e3459f1": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Authentications", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + }, + "c51d6847-2fcc-4d13-a44f-49786cb979ed": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Users", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "c0147524-accc-4dee-a4fc-44199e3459f1", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 8 + }, + "scale": "ordinal", + "sourceField": "user.name" + }, + "d73b823b-ae68-4e73-bbe2-90a35bc825e7": { + "dataType": "string", + "isBucketed": true, + "label": "Top values of event.outcome", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "type": "alphabetical" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 2 + }, + "scale": "ordinal", + "sourceField": "event.outcome" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "filter-index-pattern-0", + "key": "event.category", + "negate": false, + "params": [ + "authentication" + ], + "type": "phrases" + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match_phrase": { + "event.category": "authentication" + } + } + ] + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "layers": [ + { + "accessors": [ + "c0147524-accc-4dee-a4fc-44199e3459f1" + ], + "layerId": "105faf70-8330-46b3-a82a-573a383068fa", + "palette": { + "name": "status", + "type": "palette" + }, + "position": "top", + "seriesType": "bar_horizontal_stacked", + "showGridlines": false, + "splitAccessor": "d73b823b-ae68-4e73-bbe2-90a35bc825e7", + "xAccessor": "c51d6847-2fcc-4d13-a44f-49786cb979ed" + } + ], + "legend": { + "isVisible": true, + "position": "right", + "showSingleSeries": false + }, + "preferredSeriesType": "bar_horizontal_stacked", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 23, + "i": "c56b3e4d-bfb6-4b06-a62b-282753b85f7a", + "w": 15, + "x": 0, + "y": 26 + }, + "panelIndex": "c56b3e4d-bfb6-4b06-a62b-282753b85f7a", + "title": "Vault Authentication attempts", + "type": "lens", + "version": "7.12.0" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "layerListJSON": "[{\"sourceDescriptor\":{\"type\":\"EMS_TMS\",\"id\":null,\"isAutoSelect\":true},\"id\":\"a3734143-d6e1-4551-b0b1-8282a37e151b\",\"label\":null,\"minZoom\":0,\"maxZoom\":24,\"alpha\":1,\"visible\":true,\"style\":{\"type\":\"TILE\"},\"type\":\"VECTOR_TILE\"},{\"label\":\"filebeat-* | Source Point\",\"sourceDescriptor\":{\"indexPatternId\":\"filebeat-*\",\"geoField\":\"source.geo.location\",\"scalingType\":\"TOP_HITS\",\"topHitsSplitField\":\"source.ip\",\"tooltipProperties\":[\"host.name\",\"source.ip\",\"source.domain\",\"source.geo.country_iso_code\",\"source.as.organization.name\"],\"id\":\"5f2b25a1-01ea-45ca-a4a2-f1a670c3b149\",\"type\":\"ES_SEARCH\",\"applyGlobalQuery\":true,\"applyGlobalTime\":true,\"filterByMapBounds\":true,\"sortField\":\"\",\"sortOrder\":\"desc\",\"topHitsSize\":22},\"style\":{\"type\":\"VECTOR\",\"properties\":{\"icon\":{\"type\":\"STATIC\",\"options\":{\"value\":\"home\"}},\"fillColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#6092C0\"}},\"lineColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#FFFFFF\"}},\"lineWidth\":{\"type\":\"STATIC\",\"options\":{\"size\":2}},\"iconSize\":{\"type\":\"STATIC\",\"options\":{\"size\":8}},\"iconOrientation\":{\"type\":\"STATIC\",\"options\":{\"orientation\":0}},\"labelText\":{\"type\":\"STATIC\",\"options\":{\"value\":\"\"}},\"labelColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#000000\"}},\"labelSize\":{\"type\":\"STATIC\",\"options\":{\"size\":14}},\"labelBorderColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#FFFFFF\"}},\"symbolizeAs\":{\"options\":{\"value\":\"icon\"}},\"labelBorderSize\":{\"options\":{\"size\":\"SMALL\"}}},\"isTimeAware\":true},\"id\":\"2ad8e318-4ef4-4e89-94f2-f37e395c488c\",\"minZoom\":0,\"maxZoom\":24,\"alpha\":0.75,\"visible\":true,\"type\":\"VECTOR\",\"joins\":[]},{\"label\":\"filebeat-* | Destination point\",\"sourceDescriptor\":{\"indexPatternId\":\"filebeat-*\",\"geoField\":\"destination.geo.location\",\"scalingType\":\"TOP_HITS\",\"topHitsSplitField\":\"destination.ip\",\"tooltipProperties\":[\"host.name\",\"destination.ip\",\"destination.domain\",\"destination.geo.country_iso_code\",\"destination.as.organization.name\"],\"id\":\"bc95f479-964f-4498-be1e-376d34a01b0a\",\"type\":\"ES_SEARCH\",\"applyGlobalQuery\":true,\"applyGlobalTime\":true,\"filterByMapBounds\":true,\"sortField\":\"\",\"sortOrder\":\"desc\",\"topHitsSize\":35},\"style\":{\"type\":\"VECTOR\",\"properties\":{\"icon\":{\"type\":\"STATIC\",\"options\":{\"value\":\"marker\"}},\"fillColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#D36086\"}},\"lineColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#FFFFFF\"}},\"lineWidth\":{\"type\":\"STATIC\",\"options\":{\"size\":2}},\"iconSize\":{\"type\":\"STATIC\",\"options\":{\"size\":8}},\"iconOrientation\":{\"type\":\"STATIC\",\"options\":{\"orientation\":0}},\"labelText\":{\"type\":\"STATIC\",\"options\":{\"value\":\"\"}},\"labelColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#000000\"}},\"labelSize\":{\"type\":\"STATIC\",\"options\":{\"size\":14}},\"labelBorderColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#FFFFFF\"}},\"symbolizeAs\":{\"options\":{\"value\":\"icon\"}},\"labelBorderSize\":{\"options\":{\"size\":\"SMALL\"}}},\"isTimeAware\":true},\"id\":\"dbb878c8-4039-49f1-b2ff-ab7fb942ba55\",\"minZoom\":0,\"maxZoom\":24,\"alpha\":0.75,\"visible\":true,\"type\":\"VECTOR\",\"joins\":[]},{\"label\":\"filebeat-* | Line\",\"sourceDescriptor\":{\"indexPatternId\":\"filebeat-*\",\"sourceGeoField\":\"source.geo.location\",\"destGeoField\":\"destination.geo.location\",\"metrics\":[{\"type\":\"count\"},{\"type\":\"sum\",\"field\":\"destination.bytes\"}],\"id\":\"faf6884d-b7cb-41dd-ab86-95970d7c59d2\",\"type\":\"ES_PEW_PEW\",\"applyGlobalQuery\":true,\"applyGlobalTime\":true},\"style\":{\"type\":\"VECTOR\",\"properties\":{\"icon\":{\"type\":\"STATIC\",\"options\":{\"value\":\"marker\"}},\"fillColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#54B399\"}},\"lineColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#6092C0\"}},\"lineWidth\":{\"type\":\"DYNAMIC\",\"options\":{\"minSize\":1,\"maxSize\":8,\"field\":{\"name\":\"doc_count\",\"origin\":\"source\"},\"fieldMetaOptions\":{\"isEnabled\":true,\"sigma\":3}}},\"iconSize\":{\"type\":\"STATIC\",\"options\":{\"size\":6}},\"iconOrientation\":{\"type\":\"STATIC\",\"options\":{\"orientation\":0}},\"labelText\":{\"type\":\"STATIC\",\"options\":{\"value\":\"\"}},\"labelColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#000000\"}},\"labelSize\":{\"type\":\"STATIC\",\"options\":{\"size\":14}},\"labelBorderColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#FFFFFF\"}},\"symbolizeAs\":{\"options\":{\"value\":\"circle\"}},\"labelBorderSize\":{\"options\":{\"size\":\"SMALL\"}}},\"isTimeAware\":true},\"id\":\"9c450fbf-b009-4b53-9810-2f47ca8dcfa8\",\"minZoom\":0,\"maxZoom\":24,\"alpha\":0.75,\"visible\":true,\"type\":\"VECTOR\",\"joins\":[]}]", + "mapStateJSON": "{\"zoom\":1.24,\"center\":{\"lon\":-49.38072,\"lat\":7.87497},\"timeFilters\":{\"from\":\"now-15w\",\"to\":\"now\"},\"refreshConfig\":{\"isPaused\":true,\"interval\":0},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"settings\":{\"autoFitToDataBounds\":false,\"backgroundColor\":\"#ffffff\",\"disableInteractive\":false,\"disableTooltipControl\":false,\"hideToolbarOverlay\":false,\"hideLayerControl\":false,\"hideViewControl\":false,\"initialLocation\":\"LAST_SAVED_LOCATION\",\"fixedLocation\":{\"lat\":0,\"lon\":0,\"zoom\":2},\"browserLocation\":{\"zoom\":2},\"maxZoom\":24,\"minZoom\":0,\"showScaleControl\":false,\"showSpatialFilters\":true,\"spatialFiltersAlpa\":0.3,\"spatialFiltersFillColor\":\"#DA8B45\",\"spatialFiltersLineColor\":\"#DA8B45\"}}", + "title": "", + "uiStateJSON": "{\"isLayerTOCOpen\":true,\"openTOCDetails\":[]}" + }, + "enhancements": {}, + "hiddenLayers": [], + "hidePanelTitles": false, + "isLayerTOCOpen": false, + "mapBuffer": { + "maxLat": 148.88690000000003, + "maxLon": 438.09868, + "minLat": -116.68142, + "minLon": -417.60444 + }, + "mapCenter": { + "lat": 43.83453, + "lon": 10.24712, + "zoom": 1 + }, + "openTOCDetails": [] + }, + "gridData": { + "h": 23, + "i": "cd1e20e7-706f-4d02-949c-d9f5908bad67", + "w": 33, + "x": 15, + "y": 26 + }, + "panelIndex": "cd1e20e7-706f-4d02-949c-d9f5908bad67", + "title": "Network sources and destinations", + "type": "map", + "version": "7.12.0" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "filebeat-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "indexpattern-datasource-layer-028c5c1e-79f9-4999-8438-4889ac2b714c", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "filter-index-pattern-0", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "filter-index-pattern-1", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "028c5c1e-79f9-4999-8438-4889ac2b714c": { + "columnOrder": [ + "e55346c7-87bc-49f4-9215-8a36931d05f4", + "f2cd86e2-fb91-48b2-b8dd-e98395d28e00" + ], + "columns": { + "e55346c7-87bc-49f4-9215-8a36931d05f4": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Users", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "f2cd86e2-fb91-48b2-b8dd-e98395d28e00", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "user.name" + }, + "f2cd86e2-fb91-48b2-b8dd-e98395d28e00": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Failed authentications", + "operationType": "count", + "params": {}, + "scale": "ratio", + "sourceField": "Records" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "filter-index-pattern-0", + "key": "event.category", + "negate": false, + "params": { + "query": "authentication" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.category": "authentication" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "filter-index-pattern-1", + "key": "event.outcome", + "negate": false, + "params": { + "query": "failure" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.outcome": "failure" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "layers": [ + { + "accessors": [ + "f2cd86e2-fb91-48b2-b8dd-e98395d28e00" + ], + "layerId": "028c5c1e-79f9-4999-8438-4889ac2b714c", + "position": "top", + "seriesType": "bar_horizontal", + "showGridlines": false, + "xAccessor": "e55346c7-87bc-49f4-9215-8a36931d05f4", + "yConfig": [ + { + "color": "#d36086", + "forAccessor": "f2cd86e2-fb91-48b2-b8dd-e98395d28e00" + } + ] + } + ], + "legend": { + "isVisible": true, + "position": "right" + }, + "preferredSeriesType": "bar_horizontal", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "c6305b30-a7e2-4cc3-b49b-db99031f150e", + "w": 15, + "x": 0, + "y": 49 + }, + "panelIndex": "c6305b30-a7e2-4cc3-b49b-db99031f150e", + "title": "Top users by failed authentications to Vault", + "type": "lens", + "version": "7.12.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "96a2c711-40a3-4dfc-87f5-4b193078e05a", + "w": 33, + "x": 15, + "y": 49 + }, + "panelIndex": "96a2c711-40a3-4dfc-87f5-4b193078e05a", + "panelRefName": "panel_9", + "title": "Credential Access", + "version": "7.12.0" + }, + { + "embeddableConfig": { + "columns": [ + "observer.hostname", + "cyberarkpas.audit.action", + "cyberarkpas.audit.issuer", + "cyberarkpas.audit.safe", + "file.path" + ], + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 18, + "i": "6cd62115-65e7-416f-8da7-96b0d7a9d932", + "w": 48, + "x": 0, + "y": 64 + }, + "panelIndex": "6cd62115-65e7-416f-8da7-96b0d7a9d932", + "panelRefName": "panel_10", + "title": "All logs", + "version": "7.12.0" + } + ], + "timeRestore": false, + "title": "[Filebeat CyberArk PAS] Overview", + "version": 1 + }, + "coreMigrationVersion": "7.12.0", + "id": "eb12ef60-96f6-11eb-bbf8-d77aef8ad7a6", + "migrationVersion": { + "dashboard": "7.11.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "control_0_index_pattern", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "control_1_index_pattern", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "indexpattern-datasource-layer-33bc0096-e418-4f81-9c7c-7fdd16cc5203", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "indexpattern-datasource-layer-de047c06-a965-47aa-8a15-8b0266d5abc3", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "indexpattern-datasource-layer-19858811-84d1-4f50-901c-dc1451972324", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "filter-index-pattern-0", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "filter-index-pattern-1", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "indexpattern-datasource-layer-50325938-6a9e-4a26-946e-4468e68c6591", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "filter-index-pattern-0", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "filter-index-pattern-1", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "indexpattern-datasource-layer-105faf70-8330-46b3-a82a-573a383068fa", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "filter-index-pattern-0", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "layer_1_source_index_pattern", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "layer_2_source_index_pattern", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "layer_3_source_index_pattern", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "indexpattern-datasource-layer-028c5c1e-79f9-4999-8438-4889ac2b714c", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "filter-index-pattern-0", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "filter-index-pattern-1", + "type": "index-pattern" + }, + { + "id": "a9b82df0-97a5-11eb-bbf8-d77aef8ad7a6", + "name": "panel_9", + "type": "search" + }, + { + "id": "fec0d170-96f7-11eb-bbf8-d77aef8ad7a6", + "name": "panel_10", + "type": "search" + } + ], + "type": "dashboard", + "updated_at": "2021-04-13T17:04:21.111Z", + "version": "WzM0ODYsM10=" + }, + { + "attributes": { + "columns": [ + "event.action", + "event.outcome", + "source.address", + "source.user.name", + "destination.address", + "destination.user.name", + "event.reason" + ], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "event.dataset", + "negate": false, + "params": { + "query": "cyberarkpas.audit" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "cyberarkpas.audit" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "key": "event.code", + "negate": false, + "params": [ + "308", + "319", + "295", + "22", + "38", + "300", + "302" + ], + "type": "phrases", + "value": "308, 319, 295, 22, 38, 300, 302" + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match_phrase": { + "event.code": "308" + } + }, + { + "match_phrase": { + "event.code": "319" + } + }, + { + "match_phrase": { + "event.code": "295" + } + }, + { + "match_phrase": { + "event.code": "22" + } + }, + { + "match_phrase": { + "event.code": "38" + } + }, + { + "match_phrase": { + "event.code": "300" + } + }, + { + "match_phrase": { + "event.code": "302" + } + } + ] + } + } + } + ], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "" + } + } + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "Credential Access logs [Filebeat CyberArk PAS] ECS", + "version": 1 + }, + "coreMigrationVersion": "7.12.0", + "id": "a9b82df0-97a5-11eb-bbf8-d77aef8ad7a6", + "migrationVersion": { + "search": "7.9.3" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + } + ], + "type": "search", + "updated_at": "2021-04-13T13:24:02.327Z", + "version": "WzI4NzgsM10=" + }, + { + "attributes": { + "columns": [], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "event.dataset:\"cyberarkpas.audit\" " + } + } + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "All logs [Filebeat CyberArk PAS] ECS", + "version": 1 + }, + "coreMigrationVersion": "7.12.0", + "id": "fec0d170-96f7-11eb-bbf8-d77aef8ad7a6", + "migrationVersion": { + "search": "7.9.3" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "search", + "updated_at": "2021-04-13T13:24:02.327Z", + "version": "WzI4NzksM10=" + } + ], + "version": "7.12.0" +} diff --git a/x-pack/filebeat/module/cyberarkpas/audit/_meta/fields.yml b/x-pack/filebeat/module/cyberarkpas/audit/_meta/fields.yml new file mode 100644 index 00000000000..9dcb53669fd --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/_meta/fields.yml @@ -0,0 +1,97 @@ +- name: audit + default_field: false + type: group + description: > + Cyberark Privileged Access Security Audit fields. + fields: + - name: action + type: keyword + description: A description of the audit record. + - name: ca_properties + type: flattened + description: Account metadata. + - name: category + type: keyword + description: The category name (for category-related operations). + - name: desc + type: keyword + description: A static value that displays a description of the audit codes. + - name: extra_details + type: flattened + description: Specific extra details of the audit records. + - name: file + type: keyword + description: The name of the target file. + - name: gateway_station + type: ip + description: The IP of the web application machine (PVWA). + - name: hostname + type: keyword + description: The hostname, in upper case. + example: MY-COMPUTER + - name: iso_timestamp + type: date + description: The timestamp, in ISO Timestamp format (RFC 3339). + example: 2013-6-25T10:47:19Z + - name: issuer + type: keyword + description: The Vault user who wrote the audit. This is usually the user who performed the operation. + - name: location + type: keyword + description: The target Location (for Location operations). + ignore_above: 4096 + doc_values: false + index: false + - name: message + type: keyword + description: A description of the audit records (same information as in the Desc field). + - name: message_id + type: keyword + description: The code ID of the audit records. + - name: product + type: keyword + description: A static value that represents the product. + - name: pvwa_details + type: flattened + description: Specific details of the PVWA audit records. + - name: raw + type: keyword + description: > + Raw XML for the original audit record. + Only present when XSLT file has debugging enabled. + ignore_above: 4096 + doc_values: false + index: false + - name: reason + type: text + description: The reason entered by the user. + norms: false + - name: rfc5424 + type: boolean + description: Whether the syslog format complies with RFC5424. + example: yes + - name: safe + type: keyword + description: The name of the target Safe. + - name: severity + type: keyword + description: The severity of the audit records. + - name: source_user + type: keyword + description: The name of the Vault user who performed the operation. + - name: station + type: ip + description: The IP from where the operation was performed. For PVWA sessions, this will be the real client machine IP. + - name: target_user + type: keyword + description: The name of the Vault user on which the operation was performed. + - name: timestamp + type: keyword + description: The timestamp, in MMM DD HH:MM:SS format. + example: Jun 25 10:47:19 + - name: vendor + type: keyword + description: A static value that represents the vendor. + - name: version + type: keyword + description: A static value that represents the version of the Vault. diff --git a/x-pack/filebeat/module/cyberarkpas/audit/config/input.yml b/x-pack/filebeat/module/cyberarkpas/audit/config/input.yml new file mode 100644 index 00000000000..0cc1c5003c1 --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/config/input.yml @@ -0,0 +1,32 @@ +{{ if eq .input "file" }} + +type: log +paths: + {{ range $i, $path := .paths }} +- {{$path}} + {{ end }} +exclude_files: [".gz$"] + +{{ else }} + +type: {{.input}} +host: "{{.syslog_host}}:{{.syslog_port}}" +ssl: {{ .ssl | tojson }} + +{{ end }} + +tags: +{{ if .preserve_original_event }} + - preserve_original_event +{{ end }} +{{ range $i, $tag := .tags }} + - {{$tag}} +{{ end }} +publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} + +processors: + - add_locale: ~ + - add_fields: + target: '' + fields: + ecs.version: 1.8.0 diff --git a/x-pack/filebeat/module/cyberarkpas/audit/ingest/pipeline.yml b/x-pack/filebeat/module/cyberarkpas/audit/ingest/pipeline.yml new file mode 100644 index 00000000000..ec5c565ba0f --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/ingest/pipeline.yml @@ -0,0 +1,1106 @@ +--- +description: Pipeline for CyberArk PAS + +processors: + # + # Set ECS event.ingested + # + - set: + field: event.ingested + value: '{{{_ingest.timestamp}}}' + + # + # Set event.original from message, unless reindexing. + # + - rename: + field: message + target_field: event.original + if: 'ctx.event?.original == null' + + # + # Parse syslog headers (if any) and extract JSON payload. + # + - grok: + field: event.original + patterns: + # RFC5424 from Cyberark. + # UseLegacySyslogFormat=No + # <5>1 2021-03-04T17:28:23Z VAULT {"format":"elastic","version":"1.0",...} + - "^<%{NONNEGINT:log.syslog.priority}>%{NONNEGINT} %{TIMESTAMP_ISO8601:_tmp.syslog_ts} %{SYSLOGHOST:_tmp.hostname} %{JSON_PAYLOAD:_tmp.payload}" + + # Legacy format. + # UseLegacySyslogFormat=Yes + # Mar 08 02:57:42 VAULT {"format":"elastic","version":"1.0",...} + - "^%{SYSLOGTIMESTAMP:_tmp.syslog_ts} %{SYSLOGHOST:_tmp.hostname} %{JSON_PAYLOAD:_tmp.payload}" + + # Catch-all mode, just JSON payload. + - "%{JSON_PAYLOAD:_tmp.payload}" + pattern_definitions: + JSON_PAYLOAD: '{"format":"elastic","version":"1.0",.*}' + on_failure: + - fail: + message: "unexpected event format: {{{_ingest.on_failure_message}}}" + + - json: + field: _tmp.payload + target_field: _tmp.json + on_failure: + - fail: + message: "malformed JSON event: {{{_ingest.on_failure_message}}}" + + - rename: + field: _tmp.json.syslog.audit_record + target_field: cyberarkpas.audit + on_failure: + - fail: + message: "unexpected event structure: {{{_ingest.on_failure_message}}}" + + + # + # Remove all empty fields + # + - script: + lang: painless + description: 'Removes empty audit fields' + source: >- + ctx.cyberarkpas.audit.entrySet().removeIf(entry -> entry.getValue() == ""); + + - rename: + field: _tmp.json.raw + target_field: cyberarkpas.audit.raw + ignore_missing: true + + # The following processors populate @timestamp from the different sources that can exist in an event. + # In the following order of precedence: + # - IsoTimestamp field (expected ISO8601). Present when new syslog format is used (rfc5424: yes). + # - Timestamp (expected MMM dd HH:mm:ss). Also present only when new syslog format is used. + # - Syslog header timestamp. Either ISO8601 or legacy MMM dd HH:mm:ss, depending on the syslog format in use. + # - Original @timestamp from Filebeat. + - date: + if: 'ctx.cyberarkpas.audit.IsoTimestamp != null' + field: cyberarkpas.audit.IsoTimestamp + target_field: _tmp.timestamp + formats: + - ISO8601 + on_failure: + - append: + field: error.message + value: "failed to parse ISO timestamp field: {{{cyberarkpas.audit.IsoTimestamp}}}: {{{_ingest.on_failure_message}}}" + + - date: + if: 'ctx._tmp.timestamp == null && ctx.cyberarkpas.audit.Timestamp != null' + field: cyberarkpas.audit.Timestamp + target_field: _tmp.timestamp + formats: + # This is the default format. + - 'MMM dd HH:mm:ss' + # Drop a few other formats in case the above fails. + - ISO8601 + - 'MMM d HH:mm:ss' + - "EEE MMM dd HH:mm:ss" + - "EEE MMM d HH:mm:ss" + - "MMM d HH:mm:ss z" + - "MMM dd HH:mm:ss z" + - "EEE MMM d HH:mm:ss z" + - "EEE MMM dd HH:mm:ss z" + - "MMM d yyyy HH:mm:ss" + - "MMM dd yyyy HH:mm:ss" + - "EEE MMM d yyyy HH:mm:ss" + - "EEE MMM dd yyyy HH:mm:ss" + - "MMM d yyyy HH:mm:ss z" + - "MMM dd yyyy HH:mm:ss z" + - "EEE MMM d yyyy HH:mm:ss z" + - "EEE MMM dd yyyy HH:mm:ss z" + on_failure: + - append: + field: error.message + value: "failed to parse timestamp field: {{{cyberarkpas.audit.Timestamp}}}: {{{_ingest.on_failure_message}}}" + + - date: + if: 'ctx._tmp.timestamp == null && ctx._tmp.syslog_ts != null && ctx.event?.timezone == null' + field: _tmp.syslog_ts + target_field: _tmp.timestamp + formats: + # This is the default format. + - 'MMM dd HH:mm:ss' + # Drop a few other formats in case the above fails. + - ISO8601 + - 'MMM d HH:mm:ss' + - "EEE MMM dd HH:mm:ss" + - "EEE MMM d HH:mm:ss" + - "MMM d HH:mm:ss z" + - "MMM dd HH:mm:ss z" + - "EEE MMM d HH:mm:ss z" + - "EEE MMM dd HH:mm:ss z" + - "MMM d yyyy HH:mm:ss" + - "MMM dd yyyy HH:mm:ss" + - "EEE MMM d yyyy HH:mm:ss" + - "EEE MMM dd yyyy HH:mm:ss" + - "MMM d yyyy HH:mm:ss z" + - "MMM dd yyyy HH:mm:ss z" + - "EEE MMM d yyyy HH:mm:ss z" + - "EEE MMM dd yyyy HH:mm:ss z" + on_failure: + - append: + field: error.message + value: "failed to parse legacy syslog timestamp: {{{_tmp.syslog_ts}}}: {{{_ingest.on_failure_message}}}" + + - date: + if: 'ctx._tmp.timestamp == null && ctx._tmp.syslog_ts != null && ctx.event?.timezone != null' + field: _tmp.syslog_ts + target_field: _tmp.timestamp + timezone: '{{{event.timezone}}}' + formats: + # This is the default format. + - 'MMM dd HH:mm:ss' + # Drop a few other formats in case the above fails. + - ISO8601 + - 'MMM d HH:mm:ss' + - "EEE MMM dd HH:mm:ss" + - "EEE MMM d HH:mm:ss" + - "MMM d HH:mm:ss z" + - "MMM dd HH:mm:ss z" + - "EEE MMM d HH:mm:ss z" + - "EEE MMM dd HH:mm:ss z" + - "MMM d yyyy HH:mm:ss" + - "MMM dd yyyy HH:mm:ss" + - "EEE MMM d yyyy HH:mm:ss" + - "EEE MMM dd yyyy HH:mm:ss" + - "MMM d yyyy HH:mm:ss z" + - "MMM dd yyyy HH:mm:ss z" + - "EEE MMM d yyyy HH:mm:ss z" + - "EEE MMM dd yyyy HH:mm:ss z" + on_failure: + - append: + field: error.message + value: "failed to parse legacy syslog timestamp: {{{_tmp.syslog_ts}}}: {{{_ingest.on_failure_message}}}" + + - set: + field: '@timestamp' + value: '{{{_tmp.timestamp}}}' + ignore_empty_value: true + override: true + + # This script converts the nested object under cyberarkpas.audit.CAProperties.CAProperty + # into an object under cyberarkpas.audit.CAProperties: + # + # input: + # "cyberarkpas.audit.CAProperties.CAProperty": [ + # { + # "Name": "PolicyID", + # "Value": "LINUX-SSH" + # }, + # { + # "Name": "UserName", + # "Value": "test12" + # } + # output: + # "cyberarkpas.audit.CAProperties": + # { + # "PolicyID": "LINUX-SSH", + # "UserName": "test12" + # } + - foreach: + field: cyberarkpas.audit.CAProperties.CAProperty + ignore_missing: true + processor: + set: + field: 'cyberarkpas.audit.CAProperties.{{{_ingest._value.Name}}}' + value: '{{{_ingest._value.Value}}}' + on_failure: + - append: + field: error.message + value: "failed to process CAProperties array: {{{_ingest.on_failure_message}}}" + - remove: + field: cyberarkpas.audit.CAProperties.CAProperty + ignore_missing: true + + # Parse key-value pairs at ExtraDetails: + # input: + # "cyberarkpas.audit.ExtraDetails": "Command=ls \"/var/tmp\";ConnectionComponentId=PSMP-SSH;DstHost=[...]", + # + # output: + # "cyberarkpas.audit.ExtraDetails": + # { + # "Command": "ls \"/var/tmp\"", + # "ConnectionComponentId": "PSMP-SSH", + # "DstHost": [...] + # + # The original string can contain escaped separators, \= and \; + - kv: + field: cyberarkpas.audit.ExtraDetails + field_split: '(? + String to_snake_case(String s) { + /* faster code path for strings that won't need an underscore */ + if (s.chars().skip(1).noneMatch(Character::isUpperCase)) { + return s.toLowerCase(); + } + int run = 0; + boolean first = true; + StringBuilder result = new StringBuilder(); + for (char c : s.toCharArray()) { + char o = Character.toLowerCase(c); + if (c != o) { + if (run == 0 && !first) { + result.append('_'); + } + run ++; + } else { + if (run > 1) { + char prev = result.charAt(result.length()-1); + result.setCharAt(result.length()-1, (char)'_'); + result.append(prev); + } + run = 0; + first = false; + } + result.append(o); + } + return result.toString(); + } + def keys_to_snake_case_recursive(Map object) { + return object.entrySet().stream().collect( + Collectors.toMap( + e -> to_snake_case(e.getKey()), + e -> e.getValue() instanceof Map? keys_to_snake_case_recursive(e.getValue()) : e.getValue() + ) + ); + } + ctx.cyberarkpas.audit = keys_to_snake_case_recursive(ctx.cyberarkpas.audit); + + # + # Convert rfc5424 field to boolean. + # + - script: + description: 'Converts the rfc5424 audit field to a boolean' + lang: painless + source: > + def value = ctx.cyberarkpas.audit.rfc5424; + ctx.cyberarkpas.audit["rfc5424"] = value == 'yes'; + + ######################################################## + # ECS enrichment + # + # All processors from this point use the snake_case form + # to access Cyberark fields. + ######################################################## + + - set: + field: event.kind + value: event + + - lowercase: + field: cyberarkpas.audit.action + target_field: event.action + ignore_missing: true + + # Severity to number + # + # Possible values: + # Info -> 0 + # Error -> 7 + # Critical -> 10 + - set: + field: event.severity + value: 2 + if: 'ctx.cyberarkpas.audit.severity == "Info"' + - set: + field: event.severity + value: 7 + if: 'ctx.cyberarkpas.audit.severity == "Error"' + - set: + field: event.severity + value: 10 + if: 'ctx.cyberarkpas.audit.severity == "Critical"' + - set: + field: event.type + value: error + if: 'ctx.event?.severity > 6' + + - rename: + field: cyberarkpas.audit.message_id + target_field: event.code + ignore_missing: true + + - set: + field: source.address + value: '{{{cyberarkpas.audit.station}}}' + ignore_empty_value: true + + - set: + field: destination.address + value: '{{{cyberarkpas.audit.gateway_station}}}' + ignore_empty_value: true + + - set: + field: file.path + value: '{{{cyberarkpas.audit.file}}}' + if: 'ctx.cyberarkpas.audit?.file != null' + + # + # Observer fields + # + - rename: + field: cyberarkpas.audit.vendor + target_field: observer.vendor + ignore_missing: true + - rename: + field: cyberarkpas.audit.product + target_field: observer.product + ignore_missing: true + - rename: + field: cyberarkpas.audit.version + target_field: observer.version + ignore_missing: true + - rename: + field: cyberarkpas.audit.hostname + target_field: observer.hostname + ignore_missing: true + # Use hostname from syslog if audit record's Hostname field is missing. + - rename: + field: _tmp.hostname + target_field: observer.hostname + ignore_missing: true + if: 'ctx.observer?.hostname == null' + # + # Enrichment based on message_id + # + # This script is overly complicated (read_field) because at this time + # there is no processor that allows to set one field from a source + # field using indirection (it is possible with rename, but that + # removes the original field). + # + # Once something like this is possible: + # set: + # target_field: '{{{_ingest.value.to}}}' + # copy_from: '{{{_ingest.value.from}}}' + # + # ... this script can be updated to just create two output lists, one + # for value-to pairs, another for value-from pairs. + # + - script: + lang: painless + description: 'ECS enrichment based on message_id' + params: + # 4 - User Authentication + # + # Always a failure. + "4": + - set: user.name + from: cyberarkpas.audit.issuer + - set: event.category + value: ["authentication"] + - set: event.type + value: ["error"] + - set: event.action + value: "authentication_failure" + - set: event.outcome + value: "failure" + + # 7 - Logon + # + # User logged on to the PVWA. + "7": + - set: user.name + from: cyberarkpas.audit.issuer + - set: event.category + value: [ "authentication", "session"] + - set: event.type + value: [ "start"] + - set: event.action + value: "authentication_success" + - set: event.outcome + value: "success" + + # 8 - Logoff + # + # User logged of from the PVWA. + "8": # Logoff + - set: user.name + from: cyberarkpas.audit.issuer + - set: event.category + value: [ "authentication", "session"] + - set: event.type + value: ["end"] + - set: event.outcome + value: "success" + + # 19 - Full gateway connection. + "19": + - set: source.user.name + from: cyberarkpas.audit.source_user + - set: user.name + from: cyberarkpas.audit.source_user + - set: destination.user.name + from: cyberarkpas.audit.issuer + - set: event.category + value: ["network"] + - set: event.type + value: ["start"] + - set: event.outcome + value: "success" + + # 22 - CPM Verify Password + # + # Password on a target host is verified. + "22": + # Address of device that hosts the account. + - set: destination.address + from: cyberarkpas.audit.ca_properties.address + - set: event.outcome + from: cyberarkpas.audit.ca_properties.cpm_status + - set: destination.user.name + from: cyberarkpas.audit.ca_properties.user_name + - set: source.user.name + from: cyberarkpas.audit.issuer + - set: user.name + from: cyberarkpas.audit.issuer + - set: event.category + value: ["iam"] + - set: event.type + value: ["admin", "info"] + + # 23 - Action on closed safe + # + # Nothing remarkable. + # + # "23": + + # 24 - CPM Change Password + "24": + - set: destination.address # This could be host.* or user.target.* (doesn't exists). + from: cyberarkpas.audit.ca_properties.address + - set: event.outcome + from: cyberarkpas.audit.ca_properties.cpm_status + - set: user.target.name + from: cyberarkpas.audit.ca_properties.user_name + - set: user.name + from: cyberarkpas.audit.issuer + - set: event.category + value: ["iam"] + - set: event.type + value: ["user", "change"] + + # 31 - CPM Reconcile Password + # + "31": + - set: destination.address # This could be host.* or user.target.* (doesn't exists). + from: cyberarkpas.audit.ca_properties.address + - set: event.outcome + from: cyberarkpas.audit.ca_properties.cpm_status + - set: user.target.name + from: cyberarkpas.audit.ca_properties.user_name + - set: user.name + from: cyberarkpas.audit.issuer + - set: event.category + value: ["iam"] + - set: event.type + value: ["user", "change"] + + # 32 - Add Owner + # + # Change owner of a Safe. + # source_user performs the action, docs suggest otherwise. + "32": + - set: user.name + from: cyberarkpas.audit.issuer + - set: user.target.name + from: cyberarkpas.audit.source_user + - set: event.category + value: ["iam"] # How to best model Vault/Safes? An IAM system? A Database? + - set: event.type + value: ["admin", "change"] + - set: event.outcome + value: "success" + + # 33 - Update Owner + # + # Same as above + "33": + - set: user.name + from: cyberarkpas.audit.issuer + - set: user.target.name + from: cyberarkpas.audit.source_user + - set: event.category + value: ["iam"] # How to best model Vault/Safes? An IAM system? A Database? + - set: event.type + value: ["admin", "change"] + - set: event.outcome + value: "success" + + # 38 - CPM Verify Password Failed + # + # Like 22 but failed. + "38": + # Address of device that hosts the account. + - set: destination.address + from: cyberarkpas.audit.ca_properties.address + - set: event.outcome + value: "failure" + - set: event.reason + from: cyberarkpas.audit.ca_properties.cpm_error_details + - set: destination.user.name + from: cyberarkpas.audit.ca_properties.user_name + - set: source.user.name + from: cyberarkpas.audit.issuer + - set: user.name + from: cyberarkpas.audit.issuer + - set: event.category + value: ["iam"] + - set: event.type + value: ["error"] + + # 50 - Store File + # + # I don't think it makes much sense to enrich Vault file events as "file" category. + # This will involve probably constructing a file.path prefixed by the safe name. + # Then these file events may be treated as file events in SIEM, which can have + # unwanted consequences. + # "50": + + # 57 - CPM Change Password Failed + "57": + - set: destination.address # This could be host.* or user.target.* (doesn't exists). + from: cyberarkpas.audit.ca_properties.address + - set: event.outcome + value: "failure" + - set: user.target.name + from: cyberarkpas.audit.ca_properties.user_name + - set: user.name + from: cyberarkpas.audit.issuer + - set: event.category + value: ["iam"] + - set: event.type + value: ["user", "change", "error"] + - set: event.reason + from: cyberarkpas.audit.ca_properties.cpm_error_details + + # 60 - CPM Reconcile Password Failed + "60": + - set: destination.address # This could be host.* or user.target.* (doesn't exists). + from: cyberarkpas.audit.ca_properties.address + - set: event.outcome + value: "failure" + - set: user.target.name + from: cyberarkpas.audit.ca_properties.user_name + - set: user.name + from: cyberarkpas.audit.issuer + - set: event.category + value: ["iam"] + - set: event.type + value: ["user", "change", "error"] + - set: event.reason + from: cyberarkpas.audit.ca_properties.cpm_error_details + + # 130 - CPM Disable Password + "130": + - set: event.outcome + value: "failure" + - set: user.target.name + from: cyberarkpas.audit.ca_properties.user_name + - set: user.name + from: cyberarkpas.audit.issuer + - set: event.category + value: ["iam"] + - set: event.type + value: ["user", "change"] + - set: event.reason + from: cyberarkpas.audit.ca_properties.cpm_error_details + - set: event.outcome + from: cyberarkpas.audit.ca_properties.cpm_status + + # 174 - Change User (untested) + "174": + - set: user.target.name + from: cyberarkpas.audit.source_user + - set: event.type + value: ["user", "change"] + - set: event.category + value: ["iam"] + - set: event.outcome + value: "success" + + # 175 - Change Your User (untested) + "175": + - set: user.target.name + from: cyberarkpas.audit.source_user + - set: event.type + value: ["user", "change"] + - set: event.category + value: ["iam"] + - set: event.outcome + value: "success" + + # 176 - Delete User (untested) + "176": + - set: user.target.name + from: cyberarkpas.audit.source_user + - set: event.type + value: ["user", "deletion"] + - set: event.category + value: ["iam"] + - set: event.outcome + value: "success" + + # 177 - Delete Your User (untested) + "177": + - set: user.target.name + from: cyberarkpas.audit.source_user + - set: event.type + value: ["user", "deletion"] + - set: event.category + value: ["iam"] + - set: event.outcome + value: "success" + + # 173 - Add User (alternative to 180, untested) + "173": + - set: user.target.name + from: cyberarkpas.audit.source_user + - set: event.type + value: ["user", "creation"] + - set: event.category + value: ["iam"] + - set: event.outcome + value: "success" + + # 180 - Add User + "180": + - set: user.target.name + from: cyberarkpas.audit.source_user + - set: event.type + value: ["user", "creation"] + - set: event.category + value: ["iam"] + - set: event.outcome + value: "success" + + # 295 - Retrieve Password succeeded + "295": + - set: destination.address + from: cyberarkpas.audit.ca_properties.address + - set: destination.user.name + from: cyberarkpas.audit.ca_properties.user_name + - set: source.user.name + from: cyberarkpas.audit.issuer + - set: user.name + from: cyberarkpas.audit.issuer + - set: event.category + value: ["iam"] + - set: event.type + value: ["admin", "access"] + - set: event.outcome + value: "success" + - set: event.reason + from: cyberarkpas.audit.reason + + # 300 - PSM Connect + "300": + - set: destination.address + from: cyberarkpas.audit.extra_details.dst_host + - set: destination.user.name + from: cyberarkpas.audit.extra_details.user + - set: source.address + from: cyberarkpas.audit.extra_details.src_host + - set: source.user.name + from: cyberarkpas.audit.issuer + - set: user.name + from: cyberarkpas.audit.issuer + - set: network.application + from: cyberarkpas.audit.extra_details.protocol + - set: event.category + value: ["session"] + - set: event.type + value: ["start"] + - set: event.outcome + value: "success" + + # 302 - PSM Disconnect + "302": + - set: destination.address + from: cyberarkpas.audit.extra_details.dst_host + - set: destination.user.name + from: cyberarkpas.audit.extra_details.user + - set: source.address + from: cyberarkpas.audit.extra_details.src_host + - set: source.user.name + from: cyberarkpas.audit.issuer + - set: user.name + from: cyberarkpas.audit.issuer + - set: network.application + from: cyberarkpas.audit.extra_details.protocol + - set: _tmp.duration_hms + from: cyberarkpas.audit.extra_details.session_duration + - set: event.category + value: ["session"] + - set: event.type + value: ["end"] + - set: event.outcome + value: "success" + + # 308 - Use Password + "308": + - set: destination.address + from: cyberarkpas.audit.ca_properties.address + - set: destination.user.name + from: cyberarkpas.audit.ca_properties.user_name + - set: source.user.name + from: cyberarkpas.audit.issuer + - set: user.name + from: cyberarkpas.audit.issuer + - set: event.category + value: ["iam"] + - set: event.type + value: ["admin", "access"] + - set: event.outcome + from: cyberarkpas.audit.ca_properties.cpm_status + - set: event.reason + from: cyberarkpas.audit.reason + + # 309 - Undefined user logon + # + "309": + - set: user.name + from: cyberarkpas.audit.issuer + - set: event.category + value: ["authentication"] + - set: event.type + value: ["error"] + - set: event.action + value: "authentication_failure" + - set: event.outcome + value: "failure" + + # 361 - Keystroke logging + "361": + - set: destination.address + from: cyberarkpas.audit.extra_details.dst_host + - set: destination.user.name + from: cyberarkpas.audit.extra_details.user + - set: source.address + from: cyberarkpas.audit.extra_details.src_host + - set: source.user.name + from: cyberarkpas.audit.issuer + - set: user.name + from: cyberarkpas.audit.issuer + - set: network.application + from: cyberarkpas.audit.extra_details.protocol + - set: event.category + value: ["session"] + - set: event.type + value: ["info"] + + # 412 - Keystroke logging (same as 361?) + "412": + - set: destination.address + from: cyberarkpas.audit.extra_details.dst_host + - set: destination.user.name + from: cyberarkpas.audit.extra_details.user + - set: source.address + from: cyberarkpas.audit.extra_details.src_host + - set: source.user.name + from: cyberarkpas.audit.issuer + - set: user.name + from: cyberarkpas.audit.issuer + - set: network.application + from: cyberarkpas.audit.extra_details.protocol + - set: event.category + value: ["session"] + - set: event.type + value: ["info"] + + # 359 - SQL Command + "359": + - set: destination.address + from: cyberarkpas.audit.extra_details.dst_host + - set: destination.user.name + from: cyberarkpas.audit.extra_details.user + - set: source.address + from: cyberarkpas.audit.extra_details.src_host + - set: source.user.name + from: cyberarkpas.audit.issuer + - set: user.name + from: cyberarkpas.audit.issuer + - set: network.application + from: cyberarkpas.audit.extra_details.protocol + - set: event.category + value: ["database"] + - set: event.type + value: ["access"] + - set: event.outcome + from: cyberarkpas.audit.ca_properties.cpm_status + + # 411 - Window Title + "411": + - set: destination.address + from: cyberarkpas.audit.extra_details.dst_host + - set: destination.user.name + from: cyberarkpas.audit.extra_details.user + - set: source.address + from: cyberarkpas.audit.extra_details.src_host + - set: source.user.name + from: cyberarkpas.audit.issuer + - set: user.name + from: cyberarkpas.audit.issuer + - set: network.application + from: cyberarkpas.audit.extra_details.protocol + - set: process.pid + from: cyberarkpas.audit.extra_details.process_id + - set: process.name + from: cyberarkpas.audit.extra_details.process_name + - set: event.category + value: ["process"] + - set: event.type + value: ["access", "info"] + + # 414 - CPM Verify SSH Key + # + # SSH-key on a target host is verified. + "414": + # Address of device that hosts the account. + - set: destination.address + from: cyberarkpas.audit.ca_properties.address + - set: event.outcome + from: cyberarkpas.audit.ca_properties.cpm_status + - set: destination.user.name + from: cyberarkpas.audit.ca_properties.user_name + - set: source.user.name + from: cyberarkpas.audit.issuer + - set: user.name + from: cyberarkpas.audit.issuer + - set: event.category + value: ["iam"] + - set: event.type + value: ["admin", "info"] + + # 428 - Retrieve SSH Key + "428": + - set: destination.address + from: cyberarkpas.audit.ca_properties.address + - set: destination.user.name + from: cyberarkpas.audit.ca_properties.user_name + - set: source.user.name + from: cyberarkpas.audit.issuer + - set: user.name + from: cyberarkpas.audit.issuer + - set: event.category + value: ["iam"] + - set: event.type + value: ["admin", "access"] + - set: event.outcome + value: "success" + - set: event.reason + from: cyberarkpas.audit.reason + + source: > + def clone(def val) { + return val instanceof List? new ArrayList(val) : val; + } + def read_field(def map, String name) { + if (map == null || !(map instanceof Map)) return null; + int pos = name.indexOf("."); + return pos == -1? map[name] + : read_field(map[name.substring(0, pos)], name.substring(pos+1)); + } + String msgID = ctx.event?.code; + def actions = params.get(msgID); + if (actions == null) return; + List values = new ArrayList(); + for (def item : actions) { + def val = item.value; + if (val == null && (val = read_field(ctx, item.from)) == null || val == "") continue; + values.add([ + "to": item.set, + "value": clone(val) + ]); + } + if (!values.isEmpty()) ctx._tmp["values"] = values; + + - foreach: + field: _tmp.values + ignore_missing: true + processor: + set: + field: '{{{_ingest._value.to}}}' + copy_from: '_ingest._value.value' + ignore_empty_value: true + override: true + + # + # Force event.outcome: unknown in case it gets a value other than one of the allowed. + # + - set: + field: event.outcome + value: 'unknown' + if: 'ctx.event?.outcome != null && !["success", "failure"].contains(ctx.event.outcome)' + + + # + # Set event.duration from the session duration ("hh:mm:ss") present in some messages. + # + - script: + lang: painless + description: 'Set event.duration from the session duration ("hh:mm:ss")' + if: "ctx._tmp?.duration_hms != null" + source: > + long parse_hms(String s) { + long cur = 0, total = 0; + for (char c: s.toCharArray()) { + if (c >= (char)'0' && c <= (char)'9') { + cur = (cur*10) + (long)c - (char)'0'; + } else if (c == (char)':') { + total = (total + cur) * 60; + cur = 0; + } else { + return 0; + } + } + return total + cur; + } + long nanos = parse_hms(ctx._tmp.duration_hms) * 1000000000L; + ctx.event['duration'] = nanos; + + # + # Populate ip/domain fields from address. + # + - grok: + field: source.address + patterns: + - '(?:%{IP:source.ip}|%{GREEDYDATA:source.domain})' + ignore_failure: true + - grok: + field: destination.address + patterns: + - '(?:%{IP:destination.ip}|%{GREEDYDATA:destination.domain})' + ignore_failure: true + + # + # Populate related.ip + # + - append: + field: related.ip + value: '{{{source.ip}}}' + if: 'ctx.source?.ip != null' + allow_duplicates: false + - append: + field: related.ip + value: '{{{destination.ip}}}' + if: 'ctx.destination?.ip != null' + allow_duplicates: false + - append: + field: related.ip + value: '{{{cyberarkpas.audit.station}}}' + if: 'ctx.cyberarkpas.audit.station != null' + allow_duplicates: false + - append: + field: related.ip + value: '{{{cyberarkpas.audit.gateway_station}}}' + if: 'ctx.cyberarkpas.audit.gateway_station != null' + allow_duplicates: false + + # + # Populate related.user + # + - append: + field: related.user + value: '{{{user.name}}}' + if: 'ctx.user?.name != null' + allow_duplicates: false + - append: + field: related.user + value: '{{{source.user.name}}}' + if: 'ctx.source?.user?.name != null' + allow_duplicates: false + - append: + field: related.user + value: '{{{destination.user.name}}}' + if: 'ctx.destination?.user?.name != null' + allow_duplicates: false + - append: + field: related.user + value: '{{{user.target.name}}}' + if: 'ctx.user?.target?.name != null' + allow_duplicates: false + + # + # sometimes application is capitalized. + # + - lowercase: + field: network.application + ignore_missing: true + + - geoip: + field: source.ip + target_field: source.geo + ignore_missing: true + + - geoip: + field: destination.ip + target_field: destination.geo + ignore_missing: true + + # + # Set host.name + # This sets host.name from observer.hostname when the original event from Filebeat didn't + # have a host.name. This is the case of forwarded events (the tag "forwarded" is present). + # + - set: + field: host.name + value: '{{{observer.hostname}}}' + ignore_empty_value: true + if: 'ctx.host?.name == null' + + - network_direction: + ignore_missing: true + internal_networks: + - loopback + - private + - unspecified + + # + # Cleanup + # + - remove: + field: _tmp + ignore_missing: true + + - remove: + field: event.original + ignore_missing: true + if: 'ctx.tags == null || !ctx.tags.contains("preserve_original_event")' + +on_failure: + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + + - remove: + field: _tmp + ignore_missing: true + + - set: + field: event.kind + value: pipeline_error diff --git a/x-pack/filebeat/module/cyberarkpas/audit/manifest.yml b/x-pack/filebeat/module/cyberarkpas/audit/manifest.yml new file mode 100644 index 00000000000..025a519a5b7 --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/manifest.yml @@ -0,0 +1,22 @@ +module_version: "1.0" + +var: + - name: paths + - name: tags + default: ["cyberarkpas.audit", "forwarded"] + - name: syslog_host + default: localhost + - name: syslog_port + default: 9301 + - name: input + default: tcp + - name: ssl + - name: preserve_original_event + default: false + +ingest_pipeline: ingest/pipeline.yml +input: config/input.yml + +requires.processors: +- name: geoip + plugin: ingest-geoip diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/105_add_file_category.log b/x-pack/filebeat/module/cyberarkpas/audit/test/105_add_file_category.log new file mode 100644 index 00000000000..cb662d0ec48 --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/105_add_file_category.log @@ -0,0 +1,6 @@ +<5>1 2021-03-08T18:24:49Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 08 10:24:49","IsoTimestamp":"2021-03-08T18:24:49Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"105","Desc":"Add File Category","Severity":"Info","Issuer":"Administrator","Action":"Add File Category","SourceUser":"","TargetUser":"","Safe":"Test","File":"Root\\Operating System-WinDesktopLocal-Address-adriansr","Station":"127.0.0.1","Location":"","Category":"Address","RequestId":"","Reason":"Value=[Address]","ExtraDetails":"","Message":"Add File Category","GatewayStation":"10.0.1.20"}}} +<5>1 2021-03-10T09:11:54Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:54","IsoTimestamp":"2021-03-10T09:11:54Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"105","Desc":"Add File Category","Severity":"Info","Issuer":"PSMPApp_localhost.localdomain","Action":"Add File Category","SourceUser":"","TargetUser":"","Safe":"PSMPLiveSessions","File":"Root\\PSMPApp_localhost.localdomain.LiveSessions","Station":"81.32.170.205","Location":"","Category":"_PSMLiveSessions_1","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add File Category","GatewayStation":""}}} +<5>1 2021-03-10T18:46:48Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 10:46:48","IsoTimestamp":"2021-03-10T18:46:48Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"105","Desc":"Add File Category","Severity":"Info","Issuer":"PSMApp_VAGRANT","Action":"Add File Category","SourceUser":"","TargetUser":"","Safe":"PSMLiveSessions","File":"Root\\PSMServer.LiveSessions","Station":"81.32.170.205","Location":"","Category":"_PSMLiveSessions_1","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add File Category","GatewayStation":""}}} +<5>1 2021-03-10T22:17:26Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 14:17:26","IsoTimestamp":"2021-03-10T22:17:26Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"105","Desc":"Add File Category","Severity":"Info","Issuer":"Administrator","Action":"Add File Category","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\PSM-ASR-CYBERARK-WI","Station":"35.192.121.42","Location":"","Category":"LogonDomain","RequestId":"","Reason":"Value=[ASR-CYBERARK-WI]","ExtraDetails":"","Message":"Add File Category","GatewayStation":""}}} +<5>1 2021-03-10T22:20:12Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 14:20:12","IsoTimestamp":"2021-03-10T22:20:12Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"105","Desc":"Add File Category","Severity":"Info","Issuer":"PSMApp_ASR-WIN","Action":"Add File Category","SourceUser":"","TargetUser":"","Safe":"PSMLiveSessions","File":"Root\\PSM-ASR-CYBERARK-WI.LiveSessions","Station":"35.192.121.42","Location":"","Category":"_PSMLiveSessions_1","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add File Category","GatewayStation":""}}} +<5>1 2021-03-11T16:59:58Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 08:59:58\n 2021-03-11T16:59:58Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 105\n Add File Category\n Info\n PSMPApp_VAGRANT\n Add File Category\n \n \n PSMPLiveSessions\n Root\\PSMPApp_VAGRANT.LiveSessions\n 81.32.170.205\n \n _PSMLiveSessions_1\n \n \n \n Add File Category\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 08:59:58","IsoTimestamp":"2021-03-11T16:59:58Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"105","Desc":"Add File Category","Severity":"Info","Issuer":"PSMPApp_VAGRANT","Action":"Add File Category","SourceUser":"","TargetUser":"","Safe":"PSMPLiveSessions","File":"Root\\PSMPApp_VAGRANT.LiveSessions","Station":"81.32.170.205","Location":"","Category":"_PSMLiveSessions_1","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add File Category","GatewayStation":""}}} diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/105_add_file_category.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/105_add_file_category.log-expected.json new file mode 100644 index 00000000000..8318232cba4 --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/105_add_file_category.log-expected.json @@ -0,0 +1,300 @@ +[ + { + "@timestamp": "2021-03-08T18:24:49.000Z", + "cyberarkpas.audit.action": "Add File Category", + "cyberarkpas.audit.category": "Address", + "cyberarkpas.audit.desc": "Add File Category", + "cyberarkpas.audit.file": "Root\\Operating System-WinDesktopLocal-Address-adriansr", + "cyberarkpas.audit.gateway_station": "10.0.1.20", + "cyberarkpas.audit.iso_timestamp": "2021-03-08T18:24:49Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Add File Category", + "cyberarkpas.audit.reason": "Value=[Address]", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "Test", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "127.0.0.1", + "cyberarkpas.audit.timestamp": "Mar 08 10:24:49", + "destination.address": "10.0.1.20", + "destination.ip": "10.0.1.20", + "event.action": "add file category", + "event.code": "105", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "file.path": "Root\\Operating System-WinDesktopLocal-Address-adriansr", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 0, + "log.syslog.priority": "5", + "network.direction": "internal", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "127.0.0.1", + "10.0.1.20" + ], + "service.type": "cyberarkpas", + "source.address": "127.0.0.1", + "source.ip": "127.0.0.1", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + }, + { + "@timestamp": "2021-03-10T09:11:54.000Z", + "cyberarkpas.audit.action": "Add File Category", + "cyberarkpas.audit.category": "_PSMLiveSessions_1", + "cyberarkpas.audit.desc": "Add File Category", + "cyberarkpas.audit.file": "Root\\PSMPApp_localhost.localdomain.LiveSessions", + "cyberarkpas.audit.iso_timestamp": "2021-03-10T09:11:54Z", + "cyberarkpas.audit.issuer": "PSMPApp_localhost.localdomain", + "cyberarkpas.audit.message": "Add File Category", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "PSMPLiveSessions", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.timestamp": "Mar 10 01:11:54", + "event.action": "add file category", + "event.code": "105", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "file.path": "Root\\PSMPApp_localhost.localdomain.LiveSessions", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 665, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + }, + { + "@timestamp": "2021-03-10T18:46:48.000Z", + "cyberarkpas.audit.action": "Add File Category", + "cyberarkpas.audit.category": "_PSMLiveSessions_1", + "cyberarkpas.audit.desc": "Add File Category", + "cyberarkpas.audit.file": "Root\\PSMServer.LiveSessions", + "cyberarkpas.audit.iso_timestamp": "2021-03-10T18:46:48Z", + "cyberarkpas.audit.issuer": "PSMApp_VAGRANT", + "cyberarkpas.audit.message": "Add File Category", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "PSMLiveSessions", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.timestamp": "Mar 10 10:46:48", + "event.action": "add file category", + "event.code": "105", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "file.path": "Root\\PSMServer.LiveSessions", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 1342, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + }, + { + "@timestamp": "2021-03-10T22:17:26.000Z", + "cyberarkpas.audit.action": "Add File Category", + "cyberarkpas.audit.category": "LogonDomain", + "cyberarkpas.audit.desc": "Add File Category", + "cyberarkpas.audit.file": "Root\\PSM-ASR-CYBERARK-WI", + "cyberarkpas.audit.iso_timestamp": "2021-03-10T22:17:26Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Add File Category", + "cyberarkpas.audit.reason": "Value=[ASR-CYBERARK-WI]", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "PSM", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "35.192.121.42", + "cyberarkpas.audit.timestamp": "Mar 10 14:17:26", + "event.action": "add file category", + "event.code": "105", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "file.path": "Root\\PSM-ASR-CYBERARK-WI", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 1983, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "35.192.121.42" + ], + "service.type": "cyberarkpas", + "source.address": "35.192.121.42", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 38.6583, + "source.geo.location.lon": -77.2481, + "source.geo.region_iso_code": "US-VA", + "source.geo.region_name": "Virginia", + "source.ip": "35.192.121.42", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + }, + { + "@timestamp": "2021-03-10T22:20:12.000Z", + "cyberarkpas.audit.action": "Add File Category", + "cyberarkpas.audit.category": "_PSMLiveSessions_1", + "cyberarkpas.audit.desc": "Add File Category", + "cyberarkpas.audit.file": "Root\\PSM-ASR-CYBERARK-WI.LiveSessions", + "cyberarkpas.audit.iso_timestamp": "2021-03-10T22:20:12Z", + "cyberarkpas.audit.issuer": "PSMApp_ASR-WIN", + "cyberarkpas.audit.message": "Add File Category", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "PSMLiveSessions", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "35.192.121.42", + "cyberarkpas.audit.timestamp": "Mar 10 14:20:12", + "event.action": "add file category", + "event.code": "105", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "file.path": "Root\\PSM-ASR-CYBERARK-WI.LiveSessions", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 2624, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "35.192.121.42" + ], + "service.type": "cyberarkpas", + "source.address": "35.192.121.42", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 38.6583, + "source.geo.location.lon": -77.2481, + "source.geo.region_iso_code": "US-VA", + "source.geo.region_name": "Virginia", + "source.ip": "35.192.121.42", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + }, + { + "@timestamp": "2021-03-11T16:59:58.000Z", + "cyberarkpas.audit.action": "Add File Category", + "cyberarkpas.audit.category": "_PSMLiveSessions_1", + "cyberarkpas.audit.desc": "Add File Category", + "cyberarkpas.audit.file": "Root\\PSMPApp_VAGRANT.LiveSessions", + "cyberarkpas.audit.iso_timestamp": "2021-03-11T16:59:58Z", + "cyberarkpas.audit.issuer": "PSMPApp_VAGRANT", + "cyberarkpas.audit.message": "Add File Category", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 08:59:58\n 2021-03-11T16:59:58Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 105\n Add File Category\n Info\n PSMPApp_VAGRANT\n Add File Category\n \n \n PSMPLiveSessions\n Root\\PSMPApp_VAGRANT.LiveSessions\n 81.32.170.205\n \n _PSMLiveSessions_1\n \n \n \n Add File Category\n \n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "PSMPLiveSessions", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.timestamp": "Mar 11 08:59:58", + "event.action": "add file category", + "event.code": "105", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "file.path": "Root\\PSMPApp_VAGRANT.LiveSessions", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 3275, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/106_update_file_category.log b/x-pack/filebeat/module/cyberarkpas/audit/test/106_update_file_category.log new file mode 100644 index 00000000000..14adbc29da4 --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/106_update_file_category.log @@ -0,0 +1,6 @@ +<5>1 2021-03-08T18:25:52Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 08 10:25:52","IsoTimestamp":"2021-03-08T18:25:52Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"106","Desc":"Update File Category","Severity":"Info","Issuer":"Administrator","Action":"Update File Category","SourceUser":"","TargetUser":"","Safe":"Test","File":"Root\\Operating System-WinDesktopLocal-Address-adriansr","Station":"127.0.0.1","Location":"","Category":"Address","RequestId":"","Reason":"Value=[components] Old Value=[Address]","ExtraDetails":"","Message":"Update File Category","GatewayStation":"10.0.1.20"}}} +<5>1 2021-03-10T18:46:48Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 10:46:48","IsoTimestamp":"2021-03-10T18:46:48Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"106","Desc":"Update File Category","Severity":"Info","Issuer":"PSMApp_VAGRANT","Action":"Update File Category","SourceUser":"","TargetUser":"","Safe":"PSMLiveSessions","File":"Root\\PSMServer.LiveSessions","Station":"81.32.170.205","Location":"","Category":"_PSMLiveSessions_1","RequestId":"","Reason":"","ExtraDetails":"","Message":"Update File Category","GatewayStation":""}}} +<5>1 2021-03-10T22:20:12Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 14:20:12","IsoTimestamp":"2021-03-10T22:20:12Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"106","Desc":"Update File Category","Severity":"Info","Issuer":"PSMApp_ASR-WIN","Action":"Update File Category","SourceUser":"","TargetUser":"","Safe":"PSMLiveSessions","File":"Root\\PSM-ASR-CYBERARK-WI.LiveSessions","Station":"35.192.121.42","Location":"","Category":"_PSMLiveSessions_1","RequestId":"","Reason":"","ExtraDetails":"","Message":"Update File Category","GatewayStation":""}}} +<5>1 2021-03-11T17:38:26Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:38:26\n 2021-03-11T17:38:26Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 106\n Update File Category\n Info\n PSMPApp_VAGRANT\n Update File Category\n \n \n PSMRecordings\n root\\87012dcc-8290-11eb-949e-080027efd402.session\n 81.32.170.205\n \n PSMStatus\n \n \n \n Update File Category\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:38:26","IsoTimestamp":"2021-03-11T17:38:26Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"106","Desc":"Update File Category","Severity":"Info","Issuer":"PSMPApp_VAGRANT","Action":"Update File Category","SourceUser":"","TargetUser":"","Safe":"PSMRecordings","File":"root\\87012dcc-8290-11eb-949e-080027efd402.session","Station":"81.32.170.205","Location":"","Category":"PSMStatus","RequestId":"","Reason":"","ExtraDetails":"","Message":"Update File Category","GatewayStation":""}}} +<5>1 2021-03-11T20:10:33Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 12:10:33\n 2021-03-11T20:10:33Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 106\n Update File Category\n Info\n PSMApp_ASR-WIN\n Update File Category\n \n \n PSMLiveSessions\n Root\\PSM-ASR-CYBERARK-WI.LiveSessions\n 34.66.114.180\n \n _PSMLiveSessions_1\n \n \n \n Update File Category\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 12:10:33","IsoTimestamp":"2021-03-11T20:10:33Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"106","Desc":"Update File Category","Severity":"Info","Issuer":"PSMApp_ASR-WIN","Action":"Update File Category","SourceUser":"","TargetUser":"","Safe":"PSMLiveSessions","File":"Root\\PSM-ASR-CYBERARK-WI.LiveSessions","Station":"34.66.114.180","Location":"","Category":"_PSMLiveSessions_1","RequestId":"","Reason":"","ExtraDetails":"","Message":"Update File Category","GatewayStation":""}}} +<5>1 2021-03-14T13:49:38Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 06:49:38\n 2021-03-14T13:49:38Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 106\n Update File Category\n Info\n PSMPApp_SSH\n Update File Category\n \n \n PSMPLiveSessions\n Root\\PSMPApp_SSH.LiveSessions\n 34.71.250.247\n \n _PSMLiveSessions_1\n \n \n \n Update File Category\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 06:49:38","IsoTimestamp":"2021-03-14T13:49:38Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"106","Desc":"Update File Category","Severity":"Info","Issuer":"PSMPApp_SSH","Action":"Update File Category","SourceUser":"","TargetUser":"","Safe":"PSMPLiveSessions","File":"Root\\PSMPApp_SSH.LiveSessions","Station":"34.71.250.247","Location":"","Category":"_PSMLiveSessions_1","RequestId":"","Reason":"","ExtraDetails":"","Message":"Update File Category","GatewayStation":""}}} diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/106_update_file_category.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/106_update_file_category.log-expected.json new file mode 100644 index 00000000000..2fd7243dc82 --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/106_update_file_category.log-expected.json @@ -0,0 +1,298 @@ +[ + { + "@timestamp": "2021-03-08T18:25:52.000Z", + "cyberarkpas.audit.action": "Update File Category", + "cyberarkpas.audit.category": "Address", + "cyberarkpas.audit.desc": "Update File Category", + "cyberarkpas.audit.file": "Root\\Operating System-WinDesktopLocal-Address-adriansr", + "cyberarkpas.audit.gateway_station": "10.0.1.20", + "cyberarkpas.audit.iso_timestamp": "2021-03-08T18:25:52Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Update File Category", + "cyberarkpas.audit.reason": "Value=[components] Old Value=[Address]", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "Test", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "127.0.0.1", + "cyberarkpas.audit.timestamp": "Mar 08 10:25:52", + "destination.address": "10.0.1.20", + "destination.ip": "10.0.1.20", + "event.action": "update file category", + "event.code": "106", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "file.path": "Root\\Operating System-WinDesktopLocal-Address-adriansr", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 0, + "log.syslog.priority": "5", + "network.direction": "internal", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "127.0.0.1", + "10.0.1.20" + ], + "service.type": "cyberarkpas", + "source.address": "127.0.0.1", + "source.ip": "127.0.0.1", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + }, + { + "@timestamp": "2021-03-10T18:46:48.000Z", + "cyberarkpas.audit.action": "Update File Category", + "cyberarkpas.audit.category": "_PSMLiveSessions_1", + "cyberarkpas.audit.desc": "Update File Category", + "cyberarkpas.audit.file": "Root\\PSMServer.LiveSessions", + "cyberarkpas.audit.iso_timestamp": "2021-03-10T18:46:48Z", + "cyberarkpas.audit.issuer": "PSMApp_VAGRANT", + "cyberarkpas.audit.message": "Update File Category", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "PSMLiveSessions", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.timestamp": "Mar 10 10:46:48", + "event.action": "update file category", + "event.code": "106", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "file.path": "Root\\PSMServer.LiveSessions", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 697, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + }, + { + "@timestamp": "2021-03-10T22:20:12.000Z", + "cyberarkpas.audit.action": "Update File Category", + "cyberarkpas.audit.category": "_PSMLiveSessions_1", + "cyberarkpas.audit.desc": "Update File Category", + "cyberarkpas.audit.file": "Root\\PSM-ASR-CYBERARK-WI.LiveSessions", + "cyberarkpas.audit.iso_timestamp": "2021-03-10T22:20:12Z", + "cyberarkpas.audit.issuer": "PSMApp_ASR-WIN", + "cyberarkpas.audit.message": "Update File Category", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "PSMLiveSessions", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "35.192.121.42", + "cyberarkpas.audit.timestamp": "Mar 10 14:20:12", + "event.action": "update file category", + "event.code": "106", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "file.path": "Root\\PSM-ASR-CYBERARK-WI.LiveSessions", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 1347, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "35.192.121.42" + ], + "service.type": "cyberarkpas", + "source.address": "35.192.121.42", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 38.6583, + "source.geo.location.lon": -77.2481, + "source.geo.region_iso_code": "US-VA", + "source.geo.region_name": "Virginia", + "source.ip": "35.192.121.42", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + }, + { + "@timestamp": "2021-03-11T17:38:26.000Z", + "cyberarkpas.audit.action": "Update File Category", + "cyberarkpas.audit.category": "PSMStatus", + "cyberarkpas.audit.desc": "Update File Category", + "cyberarkpas.audit.file": "root\\87012dcc-8290-11eb-949e-080027efd402.session", + "cyberarkpas.audit.iso_timestamp": "2021-03-11T17:38:26Z", + "cyberarkpas.audit.issuer": "PSMPApp_VAGRANT", + "cyberarkpas.audit.message": "Update File Category", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 09:38:26\n 2021-03-11T17:38:26Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 106\n Update File Category\n Info\n PSMPApp_VAGRANT\n Update File Category\n \n \n PSMRecordings\n root\\87012dcc-8290-11eb-949e-080027efd402.session\n 81.32.170.205\n \n PSMStatus\n \n \n \n Update File Category\n \n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "PSMRecordings", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.timestamp": "Mar 11 09:38:26", + "event.action": "update file category", + "event.code": "106", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "file.path": "root\\87012dcc-8290-11eb-949e-080027efd402.session", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 2007, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + }, + { + "@timestamp": "2021-03-11T20:10:33.000Z", + "cyberarkpas.audit.action": "Update File Category", + "cyberarkpas.audit.category": "_PSMLiveSessions_1", + "cyberarkpas.audit.desc": "Update File Category", + "cyberarkpas.audit.file": "Root\\PSM-ASR-CYBERARK-WI.LiveSessions", + "cyberarkpas.audit.iso_timestamp": "2021-03-11T20:10:33Z", + "cyberarkpas.audit.issuer": "PSMApp_ASR-WIN", + "cyberarkpas.audit.message": "Update File Category", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 12:10:33\n 2021-03-11T20:10:33Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 106\n Update File Category\n Info\n PSMApp_ASR-WIN\n Update File Category\n \n \n PSMLiveSessions\n Root\\PSM-ASR-CYBERARK-WI.LiveSessions\n 34.66.114.180\n \n _PSMLiveSessions_1\n \n \n \n Update File Category\n \n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "PSMLiveSessions", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "34.66.114.180", + "cyberarkpas.audit.timestamp": "Mar 11 12:10:33", + "event.action": "update file category", + "event.code": "106", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "file.path": "Root\\PSM-ASR-CYBERARK-WI.LiveSessions", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 3611, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "34.66.114.180" + ], + "service.type": "cyberarkpas", + "source.address": "34.66.114.180", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 38.6583, + "source.geo.location.lon": -77.2481, + "source.geo.region_iso_code": "US-VA", + "source.geo.region_name": "Virginia", + "source.ip": "34.66.114.180", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + }, + { + "@timestamp": "2021-03-14T13:49:38.000Z", + "cyberarkpas.audit.action": "Update File Category", + "cyberarkpas.audit.category": "_PSMLiveSessions_1", + "cyberarkpas.audit.desc": "Update File Category", + "cyberarkpas.audit.file": "Root\\PSMPApp_SSH.LiveSessions", + "cyberarkpas.audit.iso_timestamp": "2021-03-14T13:49:38Z", + "cyberarkpas.audit.issuer": "PSMPApp_SSH", + "cyberarkpas.audit.message": "Update File Category", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 14 06:49:38\n 2021-03-14T13:49:38Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 106\n Update File Category\n Info\n PSMPApp_SSH\n Update File Category\n \n \n PSMPLiveSessions\n Root\\PSMPApp_SSH.LiveSessions\n 34.71.250.247\n \n _PSMLiveSessions_1\n \n \n \n Update File Category\n \n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "PSMPLiveSessions", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "34.71.250.247", + "cyberarkpas.audit.timestamp": "Mar 14 06:49:38", + "event.action": "update file category", + "event.code": "106", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "file.path": "Root\\PSMPApp_SSH.LiveSessions", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 5211, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "34.71.250.247" + ], + "service.type": "cyberarkpas", + "source.address": "34.71.250.247", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 37.751, + "source.geo.location.lon": -97.822, + "source.ip": "34.71.250.247", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/107_delete_file_category.log b/x-pack/filebeat/module/cyberarkpas/audit/test/107_delete_file_category.log new file mode 100644 index 00000000000..92fadaab728 --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/107_delete_file_category.log @@ -0,0 +1 @@ +<5>1 2021-03-15T10:22:24Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 03:22:24\n 2021-03-15T10:22:24Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 107\n Delete File Category\n Info\n Administrator\n Delete File Category\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 127.0.0.1\n \n LastFailDate\n \n Old Value=[1615803137]\n \n Delete File Category\n 10.0.1.20\n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 03:22:24","IsoTimestamp":"2021-03-15T10:22:24Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"107","Desc":"Delete File Category","Severity":"Info","Issuer":"Administrator","Action":"Delete File Category","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-34.123.103.115-testark","Station":"127.0.0.1","Location":"","Category":"LastFailDate","RequestId":"","Reason":"Old Value=[1615803137]","ExtraDetails":"","Message":"Delete File Category","GatewayStation":"10.0.1.20"}}} diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/107_delete_file_category.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/107_delete_file_category.log-expected.json new file mode 100644 index 00000000000..262c670a528 --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/107_delete_file_category.log-expected.json @@ -0,0 +1,51 @@ +[ + { + "@timestamp": "2021-03-15T10:22:24.000Z", + "cyberarkpas.audit.action": "Delete File Category", + "cyberarkpas.audit.category": "LastFailDate", + "cyberarkpas.audit.desc": "Delete File Category", + "cyberarkpas.audit.file": "Root\\Operating System-UnixSSH-34.123.103.115-testark", + "cyberarkpas.audit.gateway_station": "10.0.1.20", + "cyberarkpas.audit.iso_timestamp": "2021-03-15T10:22:24Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Delete File Category", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 15 03:22:24\n 2021-03-15T10:22:24Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 107\n Delete File Category\n Info\n Administrator\n Delete File Category\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 127.0.0.1\n \n LastFailDate\n \n Old Value=[1615803137]\n \n Delete File Category\n 10.0.1.20\n \n\n", + "cyberarkpas.audit.reason": "Old Value=[1615803137]", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "partner", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "127.0.0.1", + "cyberarkpas.audit.timestamp": "Mar 15 03:22:24", + "destination.address": "10.0.1.20", + "destination.ip": "10.0.1.20", + "event.action": "delete file category", + "event.code": "107", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "file.path": "Root\\Operating System-UnixSSH-34.123.103.115-testark", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 0, + "log.syslog.priority": "5", + "network.direction": "internal", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "127.0.0.1", + "10.0.1.20" + ], + "service.type": "cyberarkpas", + "source.address": "127.0.0.1", + "source.ip": "127.0.0.1", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/124_rename_file.log b/x-pack/filebeat/module/cyberarkpas/audit/test/124_rename_file.log new file mode 100644 index 00000000000..b3191445d81 --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/124_rename_file.log @@ -0,0 +1 @@ +<5>1 2021-03-14T13:42:20Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 06:42:20\n 2021-03-14T13:42:20Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 124\n Rename File\n Info\n Administrator\n Rename File\n \n \n PSM\n Root\\Operating System-UnixSSH-34.123.103.115-PSMConnect\n 127.0.0.1\n \n \n \n \n \n Rename File\n 10.0.1.20\n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 06:42:20","IsoTimestamp":"2021-03-14T13:42:20Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"124","Desc":"Rename File","Severity":"Info","Issuer":"Administrator","Action":"Rename File","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSH-34.123.103.115-PSMConnect","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Rename File","GatewayStation":"10.0.1.20"}}} diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/124_rename_file.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/124_rename_file.log-expected.json new file mode 100644 index 00000000000..0b008d88f7a --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/124_rename_file.log-expected.json @@ -0,0 +1,49 @@ +[ + { + "@timestamp": "2021-03-14T13:42:20.000Z", + "cyberarkpas.audit.action": "Rename File", + "cyberarkpas.audit.desc": "Rename File", + "cyberarkpas.audit.file": "Root\\Operating System-UnixSSH-34.123.103.115-PSMConnect", + "cyberarkpas.audit.gateway_station": "10.0.1.20", + "cyberarkpas.audit.iso_timestamp": "2021-03-14T13:42:20Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Rename File", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 14 06:42:20\n 2021-03-14T13:42:20Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 124\n Rename File\n Info\n Administrator\n Rename File\n \n \n PSM\n Root\\Operating System-UnixSSH-34.123.103.115-PSMConnect\n 127.0.0.1\n \n \n \n \n \n Rename File\n 10.0.1.20\n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "PSM", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "127.0.0.1", + "cyberarkpas.audit.timestamp": "Mar 14 06:42:20", + "destination.address": "10.0.1.20", + "destination.ip": "10.0.1.20", + "event.action": "rename file", + "event.code": "124", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "file.path": "Root\\Operating System-UnixSSH-34.123.103.115-PSMConnect", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 0, + "log.syslog.priority": "5", + "network.direction": "internal", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "127.0.0.1", + "10.0.1.20" + ], + "service.type": "cyberarkpas", + "source.address": "127.0.0.1", + "source.ip": "127.0.0.1", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/125_rename_file_cont.log b/x-pack/filebeat/module/cyberarkpas/audit/test/125_rename_file_cont.log new file mode 100644 index 00000000000..d9c83a42d98 --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/125_rename_file_cont.log @@ -0,0 +1 @@ +<5>1 2021-03-14T13:42:20Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 06:42:20\n 2021-03-14T13:42:20Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 125\n Rename File (Cont.)\n Info\n Administrator\n Rename File (Cont.)\n \n \n PSM\n Operating System-UnixSSH-34.71.250.247-PSMConnect\n 127.0.0.1\n \n \n \n \n \n Rename File (Cont.)\n 10.0.1.20\n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 06:42:20","IsoTimestamp":"2021-03-14T13:42:20Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"125","Desc":"Rename File (Cont.)","Severity":"Info","Issuer":"Administrator","Action":"Rename File (Cont.)","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Operating System-UnixSSH-34.71.250.247-PSMConnect","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Rename File (Cont.)","GatewayStation":"10.0.1.20"}}} diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/125_rename_file_cont.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/125_rename_file_cont.log-expected.json new file mode 100644 index 00000000000..9f23e422362 --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/125_rename_file_cont.log-expected.json @@ -0,0 +1,49 @@ +[ + { + "@timestamp": "2021-03-14T13:42:20.000Z", + "cyberarkpas.audit.action": "Rename File (Cont.)", + "cyberarkpas.audit.desc": "Rename File (Cont.)", + "cyberarkpas.audit.file": "Operating System-UnixSSH-34.71.250.247-PSMConnect", + "cyberarkpas.audit.gateway_station": "10.0.1.20", + "cyberarkpas.audit.iso_timestamp": "2021-03-14T13:42:20Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Rename File (Cont.)", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 14 06:42:20\n 2021-03-14T13:42:20Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 125\n Rename File (Cont.)\n Info\n Administrator\n Rename File (Cont.)\n \n \n PSM\n Operating System-UnixSSH-34.71.250.247-PSMConnect\n 127.0.0.1\n \n \n \n \n \n Rename File (Cont.)\n 10.0.1.20\n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "PSM", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "127.0.0.1", + "cyberarkpas.audit.timestamp": "Mar 14 06:42:20", + "destination.address": "10.0.1.20", + "destination.ip": "10.0.1.20", + "event.action": "rename file (cont.)", + "event.code": "125", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "file.path": "Operating System-UnixSSH-34.71.250.247-PSMConnect", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 0, + "log.syslog.priority": "5", + "network.direction": "internal", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "127.0.0.1", + "10.0.1.20" + ], + "service.type": "cyberarkpas", + "source.address": "127.0.0.1", + "source.ip": "127.0.0.1", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/126_unlock_file.log b/x-pack/filebeat/module/cyberarkpas/audit/test/126_unlock_file.log new file mode 100644 index 00000000000..eeacd9685bc --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/126_unlock_file.log @@ -0,0 +1 @@ +<5>1 2021-03-10T18:33:34Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 10:33:34","IsoTimestamp":"2021-03-10T18:33:34Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"126","Desc":"Unlock File","Severity":"Info","Issuer":"Administrator","Action":"Unlock File","SourceUser":"","TargetUser":"","Safe":"PVWAConfig","File":"Root\\PVConfiguration.xml","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Unlock File","GatewayStation":""}}} diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/126_unlock_file.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/126_unlock_file.log-expected.json new file mode 100644 index 00000000000..76a9cffafb9 --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/126_unlock_file.log-expected.json @@ -0,0 +1,43 @@ +[ + { + "@timestamp": "2021-03-10T18:33:34.000Z", + "cyberarkpas.audit.action": "Unlock File", + "cyberarkpas.audit.desc": "Unlock File", + "cyberarkpas.audit.file": "Root\\PVConfiguration.xml", + "cyberarkpas.audit.iso_timestamp": "2021-03-10T18:33:34Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Unlock File", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "PVWAConfig", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "127.0.0.1", + "cyberarkpas.audit.timestamp": "Mar 10 10:33:34", + "event.action": "unlock file", + "event.code": "126", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "file.path": "Root\\PVConfiguration.xml", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 0, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "127.0.0.1" + ], + "service.type": "cyberarkpas", + "source.address": "127.0.0.1", + "source.ip": "127.0.0.1", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/130_cpm_disable_password.log b/x-pack/filebeat/module/cyberarkpas/audit/test/130_cpm_disable_password.log new file mode 100644 index 00000000000..3f6ae5f7871 --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/130_cpm_disable_password.log @@ -0,0 +1 @@ +<7>1 2021-03-15T12:57:13Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 05:57:13\n 2021-03-15T12:57:13Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 130\n CPM Disable Password\n Error\n PasswordManager\n CPM Disable Password\n \n \n partner\n Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart\n 10.0.1.20\n \n \n \n MaxRetries. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #5). Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\n\n address=34.66.114.180;retriescount=5;username=ELASTIC\\bart;\n CPM Disable Password\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 05:57:13","IsoTimestamp":"2021-03-15T12:57:13Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"130","Desc":"CPM Disable Password","Severity":"Error","Issuer":"PasswordManager","Action":"CPM Disable Password","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"MaxRetries. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #5). Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\n","ExtraDetails":"address=34.66.114.180;retriescount=5;username=ELASTIC\\bart;","Message":"CPM Disable Password","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WinDomain"},{"Name":"UserName","Value":"ELASTIC\\bart"},{"Name":"Address","Value":"34.66.114.180"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"CPMDisabled","Value":"(CPM)MaxRetries"},{"Name":"RetriesCount","Value":"5"},{"Name":"LastFailDate","Value":"1615813031"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"LogonDomain","Value":"34.66.114.180"},{"Name":"CPMErrorDetails","Value":"Parameter Reconcile account is mandatory but has an empty value or is not defined"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/130_cpm_disable_password.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/130_cpm_disable_password.log-expected.json new file mode 100644 index 00000000000..0f598e7e3f3 --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/130_cpm_disable_password.log-expected.json @@ -0,0 +1,76 @@ +[ + { + "@timestamp": "2021-03-15T12:57:13.000Z", + "cyberarkpas.audit.action": "CPM Disable Password", + "cyberarkpas.audit.ca_properties.address": "34.66.114.180", + "cyberarkpas.audit.ca_properties.cpm_disabled": "(CPM)MaxRetries", + "cyberarkpas.audit.ca_properties.cpm_error_details": "Parameter Reconcile account is mandatory but has an empty value or is not defined", + "cyberarkpas.audit.ca_properties.cpm_status": "failure", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.device_type": "Operating System", + "cyberarkpas.audit.ca_properties.last_fail_date": "1615813031", + "cyberarkpas.audit.ca_properties.last_task": "ReconcileTask", + "cyberarkpas.audit.ca_properties.logon_domain": "34.66.114.180", + "cyberarkpas.audit.ca_properties.policy_id": "WinDomain", + "cyberarkpas.audit.ca_properties.reset_immediately": "ReconcileTask", + "cyberarkpas.audit.ca_properties.retries_count": "5", + "cyberarkpas.audit.ca_properties.user_name": "ELASTIC\\bart", + "cyberarkpas.audit.desc": "CPM Disable Password", + "cyberarkpas.audit.extra_details.address": "34.66.114.180", + "cyberarkpas.audit.extra_details.retriescount": "5", + "cyberarkpas.audit.extra_details.username": "ELASTIC\\bart", + "cyberarkpas.audit.file": "Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart", + "cyberarkpas.audit.iso_timestamp": "2021-03-15T12:57:13Z", + "cyberarkpas.audit.issuer": "PasswordManager", + "cyberarkpas.audit.message": "CPM Disable Password", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 15 05:57:13\n 2021-03-15T12:57:13Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 130\n CPM Disable Password\n Error\n PasswordManager\n CPM Disable Password\n \n \n partner\n Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart\n 10.0.1.20\n \n \n \n MaxRetries. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #5). Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\n\n address=34.66.114.180;retriescount=5;username=ELASTIC\\bart;\n CPM Disable Password\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.reason": "MaxRetries. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #5). Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "partner", + "cyberarkpas.audit.severity": "Error", + "cyberarkpas.audit.station": "10.0.1.20", + "cyberarkpas.audit.timestamp": "Mar 15 05:57:13", + "event.action": "cpm disable password", + "event.category": [ + "iam" + ], + "event.code": "130", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "failure", + "event.reason": "Parameter Reconcile account is mandatory but has an empty value or is not defined", + "event.severity": 7, + "event.timezone": "-02:00", + "event.type": [ + "user", + "change" + ], + "file.path": "Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 0, + "log.syslog.priority": "7", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "10.0.1.20" + ], + "related.user": [ + "PasswordManager", + "ELASTIC\\bart" + ], + "service.type": "cyberarkpas", + "source.address": "10.0.1.20", + "source.ip": "10.0.1.20", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "PasswordManager", + "user.target.name": "ELASTIC\\bart" + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/178_get_user_s_details.log b/x-pack/filebeat/module/cyberarkpas/audit/test/178_get_user_s_details.log new file mode 100644 index 00000000000..77869bddde4 --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/178_get_user_s_details.log @@ -0,0 +1 @@ +<7>1 2021-03-11T18:45:23Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 10:45:23\n 2021-03-11T18:45:23Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 178\n Get User's Details\n Error\n Administrator\n Get User's Details\n Master\n \n \n \n 127.0.0.1\n \n \n \n \n \n Get User's Details\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 10:45:23","IsoTimestamp":"2021-03-11T18:45:23Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"178","Desc":"Get User's Details","Severity":"Error","Issuer":"Administrator","Action":"Get User's Details","SourceUser":"Master","TargetUser":"","Safe":"","File":"","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Get User's Details","GatewayStation":""}}} diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/178_get_user_s_details.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/178_get_user_s_details.log-expected.json new file mode 100644 index 00000000000..0b5f7793f35 --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/178_get_user_s_details.log-expected.json @@ -0,0 +1,43 @@ +[ + { + "@timestamp": "2021-03-11T18:45:23.000Z", + "cyberarkpas.audit.action": "Get User's Details", + "cyberarkpas.audit.desc": "Get User's Details", + "cyberarkpas.audit.iso_timestamp": "2021-03-11T18:45:23Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Get User's Details", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 10:45:23\n 2021-03-11T18:45:23Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 178\n Get User's Details\n Error\n Administrator\n Get User's Details\n Master\n \n \n \n 127.0.0.1\n \n \n \n \n \n Get User's Details\n \n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Error", + "cyberarkpas.audit.source_user": "Master", + "cyberarkpas.audit.station": "127.0.0.1", + "cyberarkpas.audit.timestamp": "Mar 11 10:45:23", + "event.action": "get user's details", + "event.code": "178", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 7, + "event.timezone": "-02:00", + "event.type": "error", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 0, + "log.syslog.priority": "7", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "127.0.0.1" + ], + "service.type": "cyberarkpas", + "source.address": "127.0.0.1", + "source.ip": "127.0.0.1", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/180_add_user.log b/x-pack/filebeat/module/cyberarkpas/audit/test/180_add_user.log new file mode 100644 index 00000000000..78ec9f57fe6 --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/180_add_user.log @@ -0,0 +1,12 @@ +<5>1 2021-03-10T09:11:20Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:20","IsoTimestamp":"2021-03-10T09:11:20Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"180","Desc":"Add User","Severity":"Info","Issuer":"Administrator","Action":"Add User","SourceUser":"PSMPApp_localhost.localdomain","TargetUser":"","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add User","GatewayStation":""}}} +<5>1 2021-03-10T09:11:20Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:20","IsoTimestamp":"2021-03-10T09:11:20Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"180","Desc":"Add User","Severity":"Info","Issuer":"Administrator","Action":"Add User","SourceUser":"PSMPGW_localhost.localdomain","TargetUser":"","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add User","GatewayStation":""}}} +<5>1 2021-03-10T09:11:35Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:35","IsoTimestamp":"2021-03-10T09:11:35Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"180","Desc":"Add User","Severity":"Info","Issuer":"Administrator","Action":"Add User","SourceUser":"PSMP_ADB_localhost.localdomain","TargetUser":"","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add User","GatewayStation":""}}} +<5>1 2021-03-10T17:59:19Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 09:59:19","IsoTimestamp":"2021-03-10T17:59:19Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"180","Desc":"Add User","Severity":"Info","Issuer":"Administrator","Action":"Add User","SourceUser":"PSMApp_VAGRANT","TargetUser":"","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add User","GatewayStation":""}}} +<5>1 2021-03-10T17:59:27Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 09:59:27","IsoTimestamp":"2021-03-10T17:59:27Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"180","Desc":"Add User","Severity":"Info","Issuer":"Administrator","Action":"Add User","SourceUser":"PSMGw_VAGRANT","TargetUser":"","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add User","GatewayStation":""}}} +<5>1 2021-03-10T22:19:06Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 14:19:06","IsoTimestamp":"2021-03-10T22:19:06Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"180","Desc":"Add User","Severity":"Info","Issuer":"Administrator","Action":"Add User","SourceUser":"PSMApp_ASR-WIN","TargetUser":"","Safe":"","File":"","Station":"35.192.121.42","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add User","GatewayStation":""}}} +<5>1 2021-03-10T22:19:15Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 14:19:15","IsoTimestamp":"2021-03-10T22:19:15Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"180","Desc":"Add User","Severity":"Info","Issuer":"Administrator","Action":"Add User","SourceUser":"PSMGw_ASR-WIN","TargetUser":"","Safe":"","File":"","Station":"35.192.121.42","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add User","GatewayStation":""}}} +<5>1 2021-03-11T16:59:36Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 08:59:36\n 2021-03-11T16:59:36Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 180\n Add User\n Info\n Administrator\n Add User\n PSMPApp_VAGRANT\n \n \n \n 81.32.170.205\n \n \n \n \n \n Add User\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 08:59:36","IsoTimestamp":"2021-03-11T16:59:36Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"180","Desc":"Add User","Severity":"Info","Issuer":"Administrator","Action":"Add User","SourceUser":"PSMPApp_VAGRANT","TargetUser":"","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add User","GatewayStation":""}}} +<5>1 2021-03-11T16:59:36Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 08:59:36\n 2021-03-11T16:59:36Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 180\n Add User\n Info\n Administrator\n Add User\n PSMPGW_VAGRANT\n \n \n \n 81.32.170.205\n \n \n \n \n \n Add User\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 08:59:36","IsoTimestamp":"2021-03-11T16:59:36Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"180","Desc":"Add User","Severity":"Info","Issuer":"Administrator","Action":"Add User","SourceUser":"PSMPGW_VAGRANT","TargetUser":"","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add User","GatewayStation":""}}} +<5>1 2021-03-14T12:57:16Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 05:57:16\n 2021-03-14T12:57:16Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 180\n Add User\n Info\n Administrator\n Add User\n PSMPGW_SSH\n \n \n \n 34.71.250.247\n \n \n \n \n \n Add User\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 05:57:16","IsoTimestamp":"2021-03-14T12:57:16Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"180","Desc":"Add User","Severity":"Info","Issuer":"Administrator","Action":"Add User","SourceUser":"PSMPGW_SSH","TargetUser":"","Safe":"","File":"","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add User","GatewayStation":""}}} +<5>1 2021-03-14T12:57:16Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 05:57:16\n 2021-03-14T12:57:16Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 180\n Add User\n Info\n Administrator\n Add User\n PSMPApp_SSH\n \n \n \n 34.71.250.247\n \n \n \n \n \n Add User\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 05:57:16","IsoTimestamp":"2021-03-14T12:57:16Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"180","Desc":"Add User","Severity":"Info","Issuer":"Administrator","Action":"Add User","SourceUser":"PSMPApp_SSH","TargetUser":"","Safe":"","File":"","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add User","GatewayStation":""}}} +<5>1 2021-03-14T12:57:21Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 05:57:21\n 2021-03-14T12:57:21Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 180\n Add User\n Info\n Administrator\n Add User\n PSMP_ADB_asr-cyberark-psm-ssh\n \n \n \n 34.71.250.247\n \n \n \n \n \n Add User\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 05:57:21","IsoTimestamp":"2021-03-14T12:57:21Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"180","Desc":"Add User","Severity":"Info","Issuer":"Administrator","Action":"Add User","SourceUser":"PSMP_ADB_asr-cyberark-psm-ssh","TargetUser":"","Safe":"","File":"","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add User","GatewayStation":""}}} diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/180_add_user.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/180_add_user.log-expected.json new file mode 100644 index 00000000000..3f89812c054 --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/180_add_user.log-expected.json @@ -0,0 +1,704 @@ +[ + { + "@timestamp": "2021-03-10T09:11:20.000Z", + "cyberarkpas.audit.action": "Add User", + "cyberarkpas.audit.desc": "Add User", + "cyberarkpas.audit.iso_timestamp": "2021-03-10T09:11:20Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Add User", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.source_user": "PSMPApp_localhost.localdomain", + "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.timestamp": "Mar 10 01:11:20", + "event.action": "add user", + "event.category": [ + "iam" + ], + "event.code": "180", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "user", + "creation" + ], + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 0, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205" + ], + "related.user": [ + "PSMPApp_localhost.localdomain" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.target.name": "PSMPApp_localhost.localdomain" + }, + { + "@timestamp": "2021-03-10T09:11:20.000Z", + "cyberarkpas.audit.action": "Add User", + "cyberarkpas.audit.desc": "Add User", + "cyberarkpas.audit.iso_timestamp": "2021-03-10T09:11:20Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Add User", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.source_user": "PSMPGW_localhost.localdomain", + "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.timestamp": "Mar 10 01:11:20", + "event.action": "add user", + "event.category": [ + "iam" + ], + "event.code": "180", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "user", + "creation" + ], + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 581, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205" + ], + "related.user": [ + "PSMPGW_localhost.localdomain" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.target.name": "PSMPGW_localhost.localdomain" + }, + { + "@timestamp": "2021-03-10T09:11:35.000Z", + "cyberarkpas.audit.action": "Add User", + "cyberarkpas.audit.desc": "Add User", + "cyberarkpas.audit.iso_timestamp": "2021-03-10T09:11:35Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Add User", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.source_user": "PSMP_ADB_localhost.localdomain", + "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.timestamp": "Mar 10 01:11:35", + "event.action": "add user", + "event.category": [ + "iam" + ], + "event.code": "180", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "user", + "creation" + ], + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 1161, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205" + ], + "related.user": [ + "PSMP_ADB_localhost.localdomain" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.target.name": "PSMP_ADB_localhost.localdomain" + }, + { + "@timestamp": "2021-03-10T17:59:19.000Z", + "cyberarkpas.audit.action": "Add User", + "cyberarkpas.audit.desc": "Add User", + "cyberarkpas.audit.iso_timestamp": "2021-03-10T17:59:19Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Add User", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.source_user": "PSMApp_VAGRANT", + "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.timestamp": "Mar 10 09:59:19", + "event.action": "add user", + "event.category": [ + "iam" + ], + "event.code": "180", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "user", + "creation" + ], + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 1743, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205" + ], + "related.user": [ + "PSMApp_VAGRANT" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.target.name": "PSMApp_VAGRANT" + }, + { + "@timestamp": "2021-03-10T17:59:27.000Z", + "cyberarkpas.audit.action": "Add User", + "cyberarkpas.audit.desc": "Add User", + "cyberarkpas.audit.iso_timestamp": "2021-03-10T17:59:27Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Add User", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.source_user": "PSMGw_VAGRANT", + "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.timestamp": "Mar 10 09:59:27", + "event.action": "add user", + "event.category": [ + "iam" + ], + "event.code": "180", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "user", + "creation" + ], + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 2309, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205" + ], + "related.user": [ + "PSMGw_VAGRANT" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.target.name": "PSMGw_VAGRANT" + }, + { + "@timestamp": "2021-03-10T22:19:06.000Z", + "cyberarkpas.audit.action": "Add User", + "cyberarkpas.audit.desc": "Add User", + "cyberarkpas.audit.iso_timestamp": "2021-03-10T22:19:06Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Add User", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.source_user": "PSMApp_ASR-WIN", + "cyberarkpas.audit.station": "35.192.121.42", + "cyberarkpas.audit.timestamp": "Mar 10 14:19:06", + "event.action": "add user", + "event.category": [ + "iam" + ], + "event.code": "180", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "user", + "creation" + ], + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 2874, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "35.192.121.42" + ], + "related.user": [ + "PSMApp_ASR-WIN" + ], + "service.type": "cyberarkpas", + "source.address": "35.192.121.42", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 38.6583, + "source.geo.location.lon": -77.2481, + "source.geo.region_iso_code": "US-VA", + "source.geo.region_name": "Virginia", + "source.ip": "35.192.121.42", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.target.name": "PSMApp_ASR-WIN" + }, + { + "@timestamp": "2021-03-10T22:19:15.000Z", + "cyberarkpas.audit.action": "Add User", + "cyberarkpas.audit.desc": "Add User", + "cyberarkpas.audit.iso_timestamp": "2021-03-10T22:19:15Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Add User", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.source_user": "PSMGw_ASR-WIN", + "cyberarkpas.audit.station": "35.192.121.42", + "cyberarkpas.audit.timestamp": "Mar 10 14:19:15", + "event.action": "add user", + "event.category": [ + "iam" + ], + "event.code": "180", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "user", + "creation" + ], + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 3440, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "35.192.121.42" + ], + "related.user": [ + "PSMGw_ASR-WIN" + ], + "service.type": "cyberarkpas", + "source.address": "35.192.121.42", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 38.6583, + "source.geo.location.lon": -77.2481, + "source.geo.region_iso_code": "US-VA", + "source.geo.region_name": "Virginia", + "source.ip": "35.192.121.42", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.target.name": "PSMGw_ASR-WIN" + }, + { + "@timestamp": "2021-03-11T16:59:36.000Z", + "cyberarkpas.audit.action": "Add User", + "cyberarkpas.audit.desc": "Add User", + "cyberarkpas.audit.iso_timestamp": "2021-03-11T16:59:36Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Add User", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 08:59:36\n 2021-03-11T16:59:36Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 180\n Add User\n Info\n Administrator\n Add User\n PSMPApp_VAGRANT\n \n \n \n 81.32.170.205\n \n \n \n \n \n Add User\n \n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.source_user": "PSMPApp_VAGRANT", + "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.timestamp": "Mar 11 08:59:36", + "event.action": "add user", + "event.category": [ + "iam" + ], + "event.code": "180", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "user", + "creation" + ], + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 4005, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205" + ], + "related.user": [ + "PSMPApp_VAGRANT" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.target.name": "PSMPApp_VAGRANT" + }, + { + "@timestamp": "2021-03-11T16:59:36.000Z", + "cyberarkpas.audit.action": "Add User", + "cyberarkpas.audit.desc": "Add User", + "cyberarkpas.audit.iso_timestamp": "2021-03-11T16:59:36Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Add User", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 08:59:36\n 2021-03-11T16:59:36Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 180\n Add User\n Info\n Administrator\n Add User\n PSMPGW_VAGRANT\n \n \n \n 81.32.170.205\n \n \n \n \n \n Add User\n \n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.source_user": "PSMPGW_VAGRANT", + "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.timestamp": "Mar 11 08:59:36", + "event.action": "add user", + "event.category": [ + "iam" + ], + "event.code": "180", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "user", + "creation" + ], + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 5419, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205" + ], + "related.user": [ + "PSMPGW_VAGRANT" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.target.name": "PSMPGW_VAGRANT" + }, + { + "@timestamp": "2021-03-14T12:57:16.000Z", + "cyberarkpas.audit.action": "Add User", + "cyberarkpas.audit.desc": "Add User", + "cyberarkpas.audit.iso_timestamp": "2021-03-14T12:57:16Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Add User", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 14 05:57:16\n 2021-03-14T12:57:16Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 180\n Add User\n Info\n Administrator\n Add User\n PSMPGW_SSH\n \n \n \n 34.71.250.247\n \n \n \n \n \n Add User\n \n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.source_user": "PSMPGW_SSH", + "cyberarkpas.audit.station": "34.71.250.247", + "cyberarkpas.audit.timestamp": "Mar 14 05:57:16", + "event.action": "add user", + "event.category": [ + "iam" + ], + "event.code": "180", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "user", + "creation" + ], + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 6831, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "34.71.250.247" + ], + "related.user": [ + "PSMPGW_SSH" + ], + "service.type": "cyberarkpas", + "source.address": "34.71.250.247", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 37.751, + "source.geo.location.lon": -97.822, + "source.ip": "34.71.250.247", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.target.name": "PSMPGW_SSH" + }, + { + "@timestamp": "2021-03-14T12:57:16.000Z", + "cyberarkpas.audit.action": "Add User", + "cyberarkpas.audit.desc": "Add User", + "cyberarkpas.audit.iso_timestamp": "2021-03-14T12:57:16Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Add User", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 14 05:57:16\n 2021-03-14T12:57:16Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 180\n Add User\n Info\n Administrator\n Add User\n PSMPApp_SSH\n \n \n \n 34.71.250.247\n \n \n \n \n \n Add User\n \n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.source_user": "PSMPApp_SSH", + "cyberarkpas.audit.station": "34.71.250.247", + "cyberarkpas.audit.timestamp": "Mar 14 05:57:16", + "event.action": "add user", + "event.category": [ + "iam" + ], + "event.code": "180", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "user", + "creation" + ], + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 8235, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "34.71.250.247" + ], + "related.user": [ + "PSMPApp_SSH" + ], + "service.type": "cyberarkpas", + "source.address": "34.71.250.247", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 37.751, + "source.geo.location.lon": -97.822, + "source.ip": "34.71.250.247", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.target.name": "PSMPApp_SSH" + }, + { + "@timestamp": "2021-03-14T12:57:21.000Z", + "cyberarkpas.audit.action": "Add User", + "cyberarkpas.audit.desc": "Add User", + "cyberarkpas.audit.iso_timestamp": "2021-03-14T12:57:21Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Add User", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 14 05:57:21\n 2021-03-14T12:57:21Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 180\n Add User\n Info\n Administrator\n Add User\n PSMP_ADB_asr-cyberark-psm-ssh\n \n \n \n 34.71.250.247\n \n \n \n \n \n Add User\n \n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.source_user": "PSMP_ADB_asr-cyberark-psm-ssh", + "cyberarkpas.audit.station": "34.71.250.247", + "cyberarkpas.audit.timestamp": "Mar 14 05:57:21", + "event.action": "add user", + "event.category": [ + "iam" + ], + "event.code": "180", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "user", + "creation" + ], + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 9641, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "34.71.250.247" + ], + "related.user": [ + "PSMP_ADB_asr-cyberark-psm-ssh" + ], + "service.type": "cyberarkpas", + "source.address": "34.71.250.247", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 37.751, + "source.geo.location.lon": -97.822, + "source.ip": "34.71.250.247", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.target.name": "PSMP_ADB_asr-cyberark-psm-ssh" + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/181_update_safe.log b/x-pack/filebeat/module/cyberarkpas/audit/test/181_update_safe.log new file mode 100644 index 00000000000..93d8a45a00e --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/181_update_safe.log @@ -0,0 +1 @@ +<5>1 2021-03-10T18:15:44Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 10:15:44","IsoTimestamp":"2021-03-10T18:15:44Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"181","Desc":"Update Safe","Severity":"Info","Issuer":"Administrator","Action":"Update Safe","SourceUser":"","TargetUser":"","Safe":"PSM","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Update Safe","GatewayStation":""}}} diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/181_update_safe.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/181_update_safe.log-expected.json new file mode 100644 index 00000000000..6c43cfdf699 --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/181_update_safe.log-expected.json @@ -0,0 +1,49 @@ +[ + { + "@timestamp": "2021-03-10T18:15:44.000Z", + "cyberarkpas.audit.action": "Update Safe", + "cyberarkpas.audit.desc": "Update Safe", + "cyberarkpas.audit.iso_timestamp": "2021-03-10T18:15:44Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Update Safe", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "PSM", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.timestamp": "Mar 10 10:15:44", + "event.action": "update safe", + "event.code": "181", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 0, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/185_add_safe.log b/x-pack/filebeat/module/cyberarkpas/audit/test/185_add_safe.log new file mode 100644 index 00000000000..21a17a2c729 --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/185_add_safe.log @@ -0,0 +1,2 @@ +<5>1 2021-03-10T09:11:20Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:20","IsoTimestamp":"2021-03-10T09:11:20Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"185","Desc":"Add Safe","Severity":"Info","Issuer":"Administrator","Action":"Add Safe","SourceUser":"","TargetUser":"","Safe":"PSMPConf","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Safe","GatewayStation":""}}} +<5>1 2021-03-11T17:38:13Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:38:13\n 2021-03-11T17:38:13Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 185\n Add Safe\n Info\n PSMPApp_VAGRANT\n Add Safe\n \n \n PSMRecordings\n \n 81.32.170.205\n \n \n \n \n \n Add Safe\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:38:13","IsoTimestamp":"2021-03-11T17:38:13Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"185","Desc":"Add Safe","Severity":"Info","Issuer":"PSMPApp_VAGRANT","Action":"Add Safe","SourceUser":"","TargetUser":"","Safe":"PSMRecordings","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Safe","GatewayStation":""}}} diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/185_add_safe.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/185_add_safe.log-expected.json new file mode 100644 index 00000000000..e84c490f628 --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/185_add_safe.log-expected.json @@ -0,0 +1,97 @@ +[ + { + "@timestamp": "2021-03-10T09:11:20.000Z", + "cyberarkpas.audit.action": "Add Safe", + "cyberarkpas.audit.desc": "Add Safe", + "cyberarkpas.audit.iso_timestamp": "2021-03-10T09:11:20Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Add Safe", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "PSMPConf", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.timestamp": "Mar 10 01:11:20", + "event.action": "add safe", + "event.code": "185", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 0, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + }, + { + "@timestamp": "2021-03-11T17:38:13.000Z", + "cyberarkpas.audit.action": "Add Safe", + "cyberarkpas.audit.desc": "Add Safe", + "cyberarkpas.audit.iso_timestamp": "2021-03-11T17:38:13Z", + "cyberarkpas.audit.issuer": "PSMPApp_VAGRANT", + "cyberarkpas.audit.message": "Add Safe", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 09:38:13\n 2021-03-11T17:38:13Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 185\n Add Safe\n Info\n PSMPApp_VAGRANT\n Add Safe\n \n \n PSMRecordings\n \n 81.32.170.205\n \n \n \n \n \n Add Safe\n \n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "PSMRecordings", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.timestamp": "Mar 11 09:38:13", + "event.action": "add safe", + "event.code": "185", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 560, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/187_add_folder.log b/x-pack/filebeat/module/cyberarkpas/audit/test/187_add_folder.log new file mode 100644 index 00000000000..3f7fa511cc8 --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/187_add_folder.log @@ -0,0 +1,2 @@ +<5>1 2021-03-10T09:11:40Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:40","IsoTimestamp":"2021-03-10T09:11:40Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"187","Desc":"Add Folder","Severity":"Info","Issuer":"Administrator","Action":"Add Folder","SourceUser":"","TargetUser":"","Safe":"PSMPADBridgeConf","File":"Root\\Scripts\\","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Folder","GatewayStation":""}}} +<5>1 2021-03-11T18:01:14Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 10:01:14\n 2021-03-11T18:01:14Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 187\n Add Folder\n Info\n PVWAAppUser\n Add Folder\n \n \n PSMUnmanagedSessionAccounts\n Root\\2\\\n 10.0.1.20\n \n \n \n \n \n Add Folder\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 10:01:14","IsoTimestamp":"2021-03-11T18:01:14Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"187","Desc":"Add Folder","Severity":"Info","Issuer":"PVWAAppUser","Action":"Add Folder","SourceUser":"","TargetUser":"","Safe":"PSMUnmanagedSessionAccounts","File":"Root\\2\\","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Folder","GatewayStation":""}}} diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/187_add_folder.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/187_add_folder.log-expected.json new file mode 100644 index 00000000000..35bafcb8bf3 --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/187_add_folder.log-expected.json @@ -0,0 +1,93 @@ +[ + { + "@timestamp": "2021-03-10T09:11:40.000Z", + "cyberarkpas.audit.action": "Add Folder", + "cyberarkpas.audit.desc": "Add Folder", + "cyberarkpas.audit.file": "Root\\Scripts\\", + "cyberarkpas.audit.iso_timestamp": "2021-03-10T09:11:40Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Add Folder", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "PSMPADBridgeConf", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.timestamp": "Mar 10 01:11:40", + "event.action": "add folder", + "event.code": "187", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "file.path": "Root\\Scripts\\", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 0, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + }, + { + "@timestamp": "2021-03-11T18:01:14.000Z", + "cyberarkpas.audit.action": "Add Folder", + "cyberarkpas.audit.desc": "Add Folder", + "cyberarkpas.audit.file": "Root\\2\\", + "cyberarkpas.audit.iso_timestamp": "2021-03-11T18:01:14Z", + "cyberarkpas.audit.issuer": "PVWAAppUser", + "cyberarkpas.audit.message": "Add Folder", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 10:01:14\n 2021-03-11T18:01:14Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 187\n Add Folder\n Info\n PVWAAppUser\n Add Folder\n \n \n PSMUnmanagedSessionAccounts\n Root\\2\\\n 10.0.1.20\n \n \n \n \n \n Add Folder\n \n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "PSMUnmanagedSessionAccounts", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "10.0.1.20", + "cyberarkpas.audit.timestamp": "Mar 11 10:01:14", + "event.action": "add folder", + "event.code": "187", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "file.path": "Root\\2\\", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 589, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "10.0.1.20" + ], + "service.type": "cyberarkpas", + "source.address": "10.0.1.20", + "source.ip": "10.0.1.20", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/19_full_gateway_connection.log b/x-pack/filebeat/module/cyberarkpas/audit/test/19_full_gateway_connection.log new file mode 100644 index 00000000000..88926eb1571 --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/19_full_gateway_connection.log @@ -0,0 +1,9 @@ +<5>1 2021-03-08T18:07:51Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 08 10:07:51","IsoTimestamp":"2021-03-08T18:07:51Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"19","Desc":"Full Gateway Connection","Severity":"Info","Issuer":"Administrator","Action":"Full Gateway Connection","SourceUser":"PVWAGWUser","TargetUser":"","Safe":"","File":"","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Full Gateway Connection","GatewayStation":"10.0.1.20"}}} +<5>1 2021-03-09T08:32:51Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 09 00:32:51","IsoTimestamp":"2021-03-09T08:32:51Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"19","Desc":"Full Gateway Connection","Severity":"Info","Issuer":"Administrator","Action":"Full Gateway Connection","SourceUser":"PVWAGWUser","TargetUser":"","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Full Gateway Connection","GatewayStation":"10.0.1.20"}}} +<5>1 2021-03-09T10:14:58Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 09 02:14:58","IsoTimestamp":"2021-03-09T10:14:58Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"19","Desc":"Full Gateway Connection","Severity":"Info","Issuer":"Administrator","Action":"Full Gateway Connection","SourceUser":"PVWAGWUser","TargetUser":"","Safe":"","File":"","Station":"37.223.7.45","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Full Gateway Connection","GatewayStation":"10.0.1.20"}}} +<5>1 2021-03-10T08:31:50Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 00:31:50","IsoTimestamp":"2021-03-10T08:31:50Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"19","Desc":"Full Gateway Connection","Severity":"Info","Issuer":"PasswordManager","Action":"Full Gateway Connection","SourceUser":"PVWAGWUser","TargetUser":"","Safe":"","File":"","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Full Gateway Connection","GatewayStation":"10.0.1.20"}}} +<5>1 2021-03-10T22:37:00Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 14:37:00","IsoTimestamp":"2021-03-10T22:37:00Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"19","Desc":"Full Gateway Connection","Severity":"Info","Issuer":"Administrator","Action":"Full Gateway Connection","SourceUser":"PVWAGWUser","TargetUser":"","Safe":"","File":"","Station":"10.0.1.10","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Full Gateway Connection","GatewayStation":"10.0.1.20"}}} +<5>1 2021-03-11T17:38:05Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:38:05\n 2021-03-11T17:38:05Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 19\n Full Gateway Connection\n Info\n Administrator\n Full Gateway Connection\n PSMPGW_VAGRANT\n \n \n \n 127.0.0.1\n \n \n \n \n \n Full Gateway Connection\n 81.32.170.205\n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:38:05","IsoTimestamp":"2021-03-11T17:38:05Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"19","Desc":"Full Gateway Connection","Severity":"Info","Issuer":"Administrator","Action":"Full Gateway Connection","SourceUser":"PSMPGW_VAGRANT","TargetUser":"","Safe":"","File":"","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Full Gateway Connection","GatewayStation":"81.32.170.205"}}} +<5>1 2021-03-11T17:48:22Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:48:22\n 2021-03-11T17:48:22Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 19\n Full Gateway Connection\n Info\n Administrator\n Full Gateway Connection\n PSMPGW_VAGRANT\n \n \n \n 10.0.2.2\n \n \n \n \n \n Full Gateway Connection\n 81.32.170.205\n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:48:22","IsoTimestamp":"2021-03-11T17:48:22Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"19","Desc":"Full Gateway Connection","Severity":"Info","Issuer":"Administrator","Action":"Full Gateway Connection","SourceUser":"PSMPGW_VAGRANT","TargetUser":"","Safe":"","File":"","Station":"10.0.2.2","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Full Gateway Connection","GatewayStation":"81.32.170.205"}}} +<5>1 2021-03-11T18:02:57Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 10:02:57\n 2021-03-11T18:02:57Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 19\n Full Gateway Connection\n Info\n Administrator\n Full Gateway Connection\n PVWAGWUser\n \n \n \n 35.192.121.42\n \n \n \n \n \n Full Gateway Connection\n 10.0.1.20\n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 10:02:57","IsoTimestamp":"2021-03-11T18:02:57Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"19","Desc":"Full Gateway Connection","Severity":"Info","Issuer":"Administrator","Action":"Full Gateway Connection","SourceUser":"PVWAGWUser","TargetUser":"","Safe":"","File":"","Station":"35.192.121.42","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Full Gateway Connection","GatewayStation":"10.0.1.20"}}} +<5>1 2021-03-14T13:49:35Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 06:49:35\n 2021-03-14T13:49:35Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 19\n Full Gateway Connection\n Info\n Administrator\n Full Gateway Connection\n PSMPGW_SSH\n \n \n \n 81.32.170.205\n \n \n \n \n \n Full Gateway Connection\n 34.71.250.247\n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 06:49:35","IsoTimestamp":"2021-03-14T13:49:35Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"19","Desc":"Full Gateway Connection","Severity":"Info","Issuer":"Administrator","Action":"Full Gateway Connection","SourceUser":"PSMPGW_SSH","TargetUser":"","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Full Gateway Connection","GatewayStation":"34.71.250.247"}}} diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/19_full_gateway_connection.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/19_full_gateway_connection.log-expected.json new file mode 100644 index 00000000000..9faecd9b6ef --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/19_full_gateway_connection.log-expected.json @@ -0,0 +1,579 @@ +[ + { + "@timestamp": "2021-03-08T18:07:51.000Z", + "cyberarkpas.audit.action": "Full Gateway Connection", + "cyberarkpas.audit.desc": "Full Gateway Connection", + "cyberarkpas.audit.gateway_station": "10.0.1.20", + "cyberarkpas.audit.iso_timestamp": "2021-03-08T18:07:51Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Full Gateway Connection", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.source_user": "PVWAGWUser", + "cyberarkpas.audit.station": "127.0.0.1", + "cyberarkpas.audit.timestamp": "Mar 08 10:07:51", + "destination.address": "10.0.1.20", + "destination.ip": "10.0.1.20", + "destination.user.name": "Administrator", + "event.action": "full gateway connection", + "event.category": [ + "network" + ], + "event.code": "19", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "start" + ], + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 0, + "log.syslog.priority": "5", + "network.direction": "internal", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "127.0.0.1", + "10.0.1.20" + ], + "related.user": [ + "PVWAGWUser", + "Administrator" + ], + "service.type": "cyberarkpas", + "source.address": "127.0.0.1", + "source.ip": "127.0.0.1", + "source.user.name": "PVWAGWUser", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "PVWAGWUser" + }, + { + "@timestamp": "2021-03-09T08:32:51.000Z", + "cyberarkpas.audit.action": "Full Gateway Connection", + "cyberarkpas.audit.desc": "Full Gateway Connection", + "cyberarkpas.audit.gateway_station": "10.0.1.20", + "cyberarkpas.audit.iso_timestamp": "2021-03-09T08:32:51Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Full Gateway Connection", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.source_user": "PVWAGWUser", + "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.timestamp": "Mar 09 00:32:51", + "destination.address": "10.0.1.20", + "destination.ip": "10.0.1.20", + "destination.user.name": "Administrator", + "event.action": "full gateway connection", + "event.category": [ + "network" + ], + "event.code": "19", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "start" + ], + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 611, + "log.syslog.priority": "5", + "network.direction": "inbound", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205", + "10.0.1.20" + ], + "related.user": [ + "PVWAGWUser", + "Administrator" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "source.user.name": "PVWAGWUser", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "PVWAGWUser" + }, + { + "@timestamp": "2021-03-09T10:14:58.000Z", + "cyberarkpas.audit.action": "Full Gateway Connection", + "cyberarkpas.audit.desc": "Full Gateway Connection", + "cyberarkpas.audit.gateway_station": "10.0.1.20", + "cyberarkpas.audit.iso_timestamp": "2021-03-09T10:14:58Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Full Gateway Connection", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.source_user": "PVWAGWUser", + "cyberarkpas.audit.station": "37.223.7.45", + "cyberarkpas.audit.timestamp": "Mar 09 02:14:58", + "destination.address": "10.0.1.20", + "destination.ip": "10.0.1.20", + "destination.user.name": "Administrator", + "event.action": "full gateway connection", + "event.category": [ + "network" + ], + "event.code": "19", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "start" + ], + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 1226, + "log.syslog.priority": "5", + "network.direction": "inbound", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "37.223.7.45", + "10.0.1.20" + ], + "related.user": [ + "PVWAGWUser", + "Administrator" + ], + "service.type": "cyberarkpas", + "source.address": "37.223.7.45", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "37.223.7.45", + "source.user.name": "PVWAGWUser", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "PVWAGWUser" + }, + { + "@timestamp": "2021-03-10T08:31:50.000Z", + "cyberarkpas.audit.action": "Full Gateway Connection", + "cyberarkpas.audit.desc": "Full Gateway Connection", + "cyberarkpas.audit.gateway_station": "10.0.1.20", + "cyberarkpas.audit.iso_timestamp": "2021-03-10T08:31:50Z", + "cyberarkpas.audit.issuer": "PasswordManager", + "cyberarkpas.audit.message": "Full Gateway Connection", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.source_user": "PVWAGWUser", + "cyberarkpas.audit.station": "10.0.1.20", + "cyberarkpas.audit.timestamp": "Mar 10 00:31:50", + "destination.address": "10.0.1.20", + "destination.ip": "10.0.1.20", + "destination.user.name": "PasswordManager", + "event.action": "full gateway connection", + "event.category": [ + "network" + ], + "event.code": "19", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "start" + ], + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 1839, + "log.syslog.priority": "5", + "network.direction": "internal", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "10.0.1.20" + ], + "related.user": [ + "PVWAGWUser", + "PasswordManager" + ], + "service.type": "cyberarkpas", + "source.address": "10.0.1.20", + "source.ip": "10.0.1.20", + "source.user.name": "PVWAGWUser", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "PVWAGWUser" + }, + { + "@timestamp": "2021-03-10T22:37:00.000Z", + "cyberarkpas.audit.action": "Full Gateway Connection", + "cyberarkpas.audit.desc": "Full Gateway Connection", + "cyberarkpas.audit.gateway_station": "10.0.1.20", + "cyberarkpas.audit.iso_timestamp": "2021-03-10T22:37:00Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Full Gateway Connection", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.source_user": "PVWAGWUser", + "cyberarkpas.audit.station": "10.0.1.10", + "cyberarkpas.audit.timestamp": "Mar 10 14:37:00", + "destination.address": "10.0.1.20", + "destination.ip": "10.0.1.20", + "destination.user.name": "Administrator", + "event.action": "full gateway connection", + "event.category": [ + "network" + ], + "event.code": "19", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "start" + ], + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 2452, + "log.syslog.priority": "5", + "network.direction": "internal", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "10.0.1.10", + "10.0.1.20" + ], + "related.user": [ + "PVWAGWUser", + "Administrator" + ], + "service.type": "cyberarkpas", + "source.address": "10.0.1.10", + "source.ip": "10.0.1.10", + "source.user.name": "PVWAGWUser", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "PVWAGWUser" + }, + { + "@timestamp": "2021-03-11T17:38:05.000Z", + "cyberarkpas.audit.action": "Full Gateway Connection", + "cyberarkpas.audit.desc": "Full Gateway Connection", + "cyberarkpas.audit.gateway_station": "81.32.170.205", + "cyberarkpas.audit.iso_timestamp": "2021-03-11T17:38:05Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Full Gateway Connection", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 09:38:05\n 2021-03-11T17:38:05Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 19\n Full Gateway Connection\n Info\n Administrator\n Full Gateway Connection\n PSMPGW_VAGRANT\n \n \n \n 127.0.0.1\n \n \n \n \n \n Full Gateway Connection\n 81.32.170.205\n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.source_user": "PSMPGW_VAGRANT", + "cyberarkpas.audit.station": "127.0.0.1", + "cyberarkpas.audit.timestamp": "Mar 11 09:38:05", + "destination.address": "81.32.170.205", + "destination.geo.city_name": "Barcelona", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "ES", + "destination.geo.country_name": "Spain", + "destination.geo.location.lat": 41.3891, + "destination.geo.location.lon": 2.1611, + "destination.geo.region_iso_code": "ES-B", + "destination.geo.region_name": "Barcelona", + "destination.ip": "81.32.170.205", + "destination.user.name": "Administrator", + "event.action": "full gateway connection", + "event.category": [ + "network" + ], + "event.code": "19", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "start" + ], + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 3063, + "log.syslog.priority": "5", + "network.direction": "outbound", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "127.0.0.1", + "81.32.170.205" + ], + "related.user": [ + "PSMPGW_VAGRANT", + "Administrator" + ], + "service.type": "cyberarkpas", + "source.address": "127.0.0.1", + "source.ip": "127.0.0.1", + "source.user.name": "PSMPGW_VAGRANT", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "PSMPGW_VAGRANT" + }, + { + "@timestamp": "2021-03-11T17:48:22.000Z", + "cyberarkpas.audit.action": "Full Gateway Connection", + "cyberarkpas.audit.desc": "Full Gateway Connection", + "cyberarkpas.audit.gateway_station": "81.32.170.205", + "cyberarkpas.audit.iso_timestamp": "2021-03-11T17:48:22Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Full Gateway Connection", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 09:48:22\n 2021-03-11T17:48:22Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 19\n Full Gateway Connection\n Info\n Administrator\n Full Gateway Connection\n PSMPGW_VAGRANT\n \n \n \n 10.0.2.2\n \n \n \n \n \n Full Gateway Connection\n 81.32.170.205\n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.source_user": "PSMPGW_VAGRANT", + "cyberarkpas.audit.station": "10.0.2.2", + "cyberarkpas.audit.timestamp": "Mar 11 09:48:22", + "destination.address": "81.32.170.205", + "destination.geo.city_name": "Barcelona", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "ES", + "destination.geo.country_name": "Spain", + "destination.geo.location.lat": 41.3891, + "destination.geo.location.lon": 2.1611, + "destination.geo.region_iso_code": "ES-B", + "destination.geo.region_name": "Barcelona", + "destination.ip": "81.32.170.205", + "destination.user.name": "Administrator", + "event.action": "full gateway connection", + "event.category": [ + "network" + ], + "event.code": "19", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "start" + ], + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 4581, + "log.syslog.priority": "5", + "network.direction": "outbound", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "10.0.2.2", + "81.32.170.205" + ], + "related.user": [ + "PSMPGW_VAGRANT", + "Administrator" + ], + "service.type": "cyberarkpas", + "source.address": "10.0.2.2", + "source.ip": "10.0.2.2", + "source.user.name": "PSMPGW_VAGRANT", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "PSMPGW_VAGRANT" + }, + { + "@timestamp": "2021-03-11T18:02:57.000Z", + "cyberarkpas.audit.action": "Full Gateway Connection", + "cyberarkpas.audit.desc": "Full Gateway Connection", + "cyberarkpas.audit.gateway_station": "10.0.1.20", + "cyberarkpas.audit.iso_timestamp": "2021-03-11T18:02:57Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Full Gateway Connection", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 10:02:57\n 2021-03-11T18:02:57Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 19\n Full Gateway Connection\n Info\n Administrator\n Full Gateway Connection\n PVWAGWUser\n \n \n \n 35.192.121.42\n \n \n \n \n \n Full Gateway Connection\n 10.0.1.20\n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.source_user": "PVWAGWUser", + "cyberarkpas.audit.station": "35.192.121.42", + "cyberarkpas.audit.timestamp": "Mar 11 10:02:57", + "destination.address": "10.0.1.20", + "destination.ip": "10.0.1.20", + "destination.user.name": "Administrator", + "event.action": "full gateway connection", + "event.category": [ + "network" + ], + "event.code": "19", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "start" + ], + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 6097, + "log.syslog.priority": "5", + "network.direction": "inbound", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "35.192.121.42", + "10.0.1.20" + ], + "related.user": [ + "PVWAGWUser", + "Administrator" + ], + "service.type": "cyberarkpas", + "source.address": "35.192.121.42", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 38.6583, + "source.geo.location.lon": -77.2481, + "source.geo.region_iso_code": "US-VA", + "source.geo.region_name": "Virginia", + "source.ip": "35.192.121.42", + "source.user.name": "PVWAGWUser", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "PVWAGWUser" + }, + { + "@timestamp": "2021-03-14T13:49:35.000Z", + "cyberarkpas.audit.action": "Full Gateway Connection", + "cyberarkpas.audit.desc": "Full Gateway Connection", + "cyberarkpas.audit.gateway_station": "34.71.250.247", + "cyberarkpas.audit.iso_timestamp": "2021-03-14T13:49:35Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Full Gateway Connection", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 14 06:49:35\n 2021-03-14T13:49:35Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 19\n Full Gateway Connection\n Info\n Administrator\n Full Gateway Connection\n PSMPGW_SSH\n \n \n \n 81.32.170.205\n \n \n \n \n \n Full Gateway Connection\n 34.71.250.247\n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.source_user": "PSMPGW_SSH", + "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.timestamp": "Mar 14 06:49:35", + "destination.address": "34.71.250.247", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "34.71.250.247", + "destination.user.name": "Administrator", + "event.action": "full gateway connection", + "event.category": [ + "network" + ], + "event.code": "19", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "start" + ], + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 7607, + "log.syslog.priority": "5", + "network.direction": "external", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205", + "34.71.250.247" + ], + "related.user": [ + "PSMPGW_SSH", + "Administrator" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "source.user.name": "PSMPGW_SSH", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "PSMPGW_SSH" + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/202_old_backup_files_deletion_start.log b/x-pack/filebeat/module/cyberarkpas/audit/test/202_old_backup_files_deletion_start.log new file mode 100644 index 00000000000..46036841299 --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/202_old_backup_files_deletion_start.log @@ -0,0 +1 @@ +<5>1 2021-03-09T10:17:54Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 09 02:17:54","IsoTimestamp":"2021-03-09T10:17:54Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"202","Desc":"Old Backup Files Deletion Start","Severity":"Info","Issuer":"Batch","Action":"Old Backup Files Deletion Start","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"0.0.0.0","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Old Backup Files Deletion Start","GatewayStation":""}}} diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/202_old_backup_files_deletion_start.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/202_old_backup_files_deletion_start.log-expected.json new file mode 100644 index 00000000000..8e24b5e0d54 --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/202_old_backup_files_deletion_start.log-expected.json @@ -0,0 +1,40 @@ +[ + { + "@timestamp": "2021-03-09T10:17:54.000Z", + "cyberarkpas.audit.action": "Old Backup Files Deletion Start", + "cyberarkpas.audit.desc": "Old Backup Files Deletion Start", + "cyberarkpas.audit.iso_timestamp": "2021-03-09T10:17:54Z", + "cyberarkpas.audit.issuer": "Batch", + "cyberarkpas.audit.message": "Old Backup Files Deletion Start", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "0.0.0.0", + "cyberarkpas.audit.timestamp": "Mar 09 02:17:54", + "event.action": "old backup files deletion start", + "event.code": "202", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 0, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "0.0.0.0" + ], + "service.type": "cyberarkpas", + "source.address": "0.0.0.0", + "source.ip": "0.0.0.0", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/203_old_backup_files_deletion_end.log b/x-pack/filebeat/module/cyberarkpas/audit/test/203_old_backup_files_deletion_end.log new file mode 100644 index 00000000000..015edc3e25e --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/203_old_backup_files_deletion_end.log @@ -0,0 +1 @@ +<5>1 2021-03-09T10:17:54Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 09 02:17:54","IsoTimestamp":"2021-03-09T10:17:54Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"203","Desc":"Old Backup Files Deletion End","Severity":"Info","Issuer":"Batch","Action":"Old Backup Files Deletion End","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"0.0.0.0","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Old Backup Files Deletion End","GatewayStation":""}}} diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/203_old_backup_files_deletion_end.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/203_old_backup_files_deletion_end.log-expected.json new file mode 100644 index 00000000000..0c1dbfbdb61 --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/203_old_backup_files_deletion_end.log-expected.json @@ -0,0 +1,40 @@ +[ + { + "@timestamp": "2021-03-09T10:17:54.000Z", + "cyberarkpas.audit.action": "Old Backup Files Deletion End", + "cyberarkpas.audit.desc": "Old Backup Files Deletion End", + "cyberarkpas.audit.iso_timestamp": "2021-03-09T10:17:54Z", + "cyberarkpas.audit.issuer": "Batch", + "cyberarkpas.audit.message": "Old Backup Files Deletion End", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "0.0.0.0", + "cyberarkpas.audit.timestamp": "Mar 09 02:17:54", + "event.action": "old backup files deletion end", + "event.code": "203", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 0, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "0.0.0.0" + ], + "service.type": "cyberarkpas", + "source.address": "0.0.0.0", + "source.ip": "0.0.0.0", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/20_partial_gateway_connection.log b/x-pack/filebeat/module/cyberarkpas/audit/test/20_partial_gateway_connection.log new file mode 100644 index 00000000000..4c7b137fe67 --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/20_partial_gateway_connection.log @@ -0,0 +1 @@ +<5>1 2021-03-25T09:20:07Z VLT01 {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 25 05:20:07\n 2021-03-25T09:20:07Z\n VLT01\n Cyber-Ark\n Vault\n 12.0.0000\n 20\n Partial Gateway Connection\n Info\n PSMGw_COMP01\n Partial Gateway Connection\n Administrator\n \n \n \n 10.0.0.15\n \n \n \n \n \n Partial Gateway Connection\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 25 05:20:07","IsoTimestamp":"2021-03-25T09:20:07Z","Hostname":"VLT01","Vendor":"Cyber-Ark","Product":"Vault","Version":"12.0.0000","MessageID":"20","Desc":"Partial Gateway Connection","Severity":"Info","Issuer":"PSMGw_COMP01","Action":"Partial Gateway Connection","SourceUser":"Administrator","TargetUser":"","Safe":"","File":"","Station":"10.0.0.15","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Partial Gateway Connection","GatewayStation":""}}} diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/20_partial_gateway_connection.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/20_partial_gateway_connection.log-expected.json new file mode 100644 index 00000000000..3c54667a525 --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/20_partial_gateway_connection.log-expected.json @@ -0,0 +1,42 @@ +[ + { + "@timestamp": "2021-03-25T09:20:07.000Z", + "cyberarkpas.audit.action": "Partial Gateway Connection", + "cyberarkpas.audit.desc": "Partial Gateway Connection", + "cyberarkpas.audit.iso_timestamp": "2021-03-25T09:20:07Z", + "cyberarkpas.audit.issuer": "PSMGw_COMP01", + "cyberarkpas.audit.message": "Partial Gateway Connection", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 25 05:20:07\n 2021-03-25T09:20:07Z\n VLT01\n Cyber-Ark\n Vault\n 12.0.0000\n 20\n Partial Gateway Connection\n Info\n PSMGw_COMP01\n Partial Gateway Connection\n Administrator\n \n \n \n 10.0.0.15\n \n \n \n \n \n Partial Gateway Connection\n \n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.source_user": "Administrator", + "cyberarkpas.audit.station": "10.0.0.15", + "cyberarkpas.audit.timestamp": "Mar 25 05:20:07", + "event.action": "partial gateway connection", + "event.code": "20", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "fileset.name": "audit", + "host.name": "VLT01", + "input.type": "log", + "log.offset": 0, + "log.syslog.priority": "5", + "observer.hostname": "VLT01", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "12.0.0000", + "related.ip": [ + "10.0.0.15" + ], + "service.type": "cyberarkpas", + "source.address": "10.0.0.15", + "source.ip": "10.0.0.15", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/22_cpm_verify_password.log b/x-pack/filebeat/module/cyberarkpas/audit/test/22_cpm_verify_password.log new file mode 100644 index 00000000000..f3949f536de --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/22_cpm_verify_password.log @@ -0,0 +1,2 @@ +Apr 07 09:51:42 VAULT {"format":"elastic","version":"1.0","raw":"\n \n no\n Cyber-Ark\n Vault\n 11.6.0000\n 22\n CPM Verify Password\n Info\n PasswordManager\n CPM Verify Password\n \n \n Linux\n Root\\Operating System-LINUX-SSH-radiussrv.cyberark.local-test12\n 10.2.0.4\n \n \n \n ImmediateTask\n address=radiussrv.cyberark.local;username=test12;\n CPM Verify Password\n \n \n \n \n \n \n \n \n \n \n \n \n \n","syslog":{"audit_record":{"Rfc5424":"no","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.6.0000","MessageID":"22","Desc":"CPM Verify Password","Severity":"Info","Issuer":"PasswordManager","Action":"CPM Verify Password","SourceUser":"","TargetUser":"","IsoTimestamp":"2021-03-16T15:01:00Z","Safe":"Linux","File":"Root\\Operating System-LINUX-SSH-radiussrv.cyberark.local-test12","Station":"10.2.0.4","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask","ExtraDetails":"address=radiussrv.cyberark.local;username=test12;","Message":"CPM Verify Password","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"LINUX-SSH"},{"Name":"UserName","Value":"test12"},{"Name":"Address","Value":"radiussrv.cyberark.local"},{"Name":"DeviceType","Value":"Operating System"},{"Name":"RetriesCount","Value":"-1"},{"Name":"LastSuccessVerification","Value":"1604943844"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"CPMStatus","Value":"success"},{"Name":"CreationMethod","Value":"PVWA"}]}}}} +<5>1 2021-03-15T10:22:44Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 03:22:44\n 2021-03-15T10:22:44Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 22\n CPM Verify Password\n Info\n PasswordManager\n CPM Verify Password\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 10.0.1.20\n \n \n \n ImmediateTask\n address=34.123.103.115;username=testark;\n CPM Verify Password\n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 03:22:44","IsoTimestamp":"2021-03-15T10:22:44Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"22","Desc":"CPM Verify Password","Severity":"Info","Issuer":"PasswordManager","Action":"CPM Verify Password","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-34.123.103.115-testark","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask","ExtraDetails":"address=34.123.103.115;username=testark;","Message":"CPM Verify Password","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CPMStatus","Value":"success"},{"Name":"RetriesCount","Value":"-1"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"LastSuccessVerification","Value":"1615803764"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/22_cpm_verify_password.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/22_cpm_verify_password.log-expected.json new file mode 100644 index 00000000000..a549886a098 --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/22_cpm_verify_password.log-expected.json @@ -0,0 +1,149 @@ +[ + { + "@timestamp": "2021-03-16T15:01:00.000Z", + "cyberarkpas.audit.action": "CPM Verify Password", + "cyberarkpas.audit.ca_properties.address": "radiussrv.cyberark.local", + "cyberarkpas.audit.ca_properties.cpm_status": "success", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.device_type": "Operating System", + "cyberarkpas.audit.ca_properties.last_success_verification": "1604943844", + "cyberarkpas.audit.ca_properties.last_task": "VerifyTask", + "cyberarkpas.audit.ca_properties.policy_id": "LINUX-SSH", + "cyberarkpas.audit.ca_properties.retries_count": "-1", + "cyberarkpas.audit.ca_properties.user_name": "test12", + "cyberarkpas.audit.desc": "CPM Verify Password", + "cyberarkpas.audit.extra_details.address": "radiussrv.cyberark.local", + "cyberarkpas.audit.extra_details.username": "test12", + "cyberarkpas.audit.file": "Root\\Operating System-LINUX-SSH-radiussrv.cyberark.local-test12", + "cyberarkpas.audit.iso_timestamp": "2021-03-16T15:01:00Z", + "cyberarkpas.audit.issuer": "PasswordManager", + "cyberarkpas.audit.message": "CPM Verify Password", + "cyberarkpas.audit.raw": "\n \n no\n Cyber-Ark\n Vault\n 11.6.0000\n 22\n CPM Verify Password\n Info\n PasswordManager\n CPM Verify Password\n \n \n Linux\n Root\\Operating System-LINUX-SSH-radiussrv.cyberark.local-test12\n 10.2.0.4\n \n \n \n ImmediateTask\n address=radiussrv.cyberark.local;username=test12;\n CPM Verify Password\n \n \n \n \n \n \n \n \n \n \n \n \n \n", + "cyberarkpas.audit.reason": "ImmediateTask", + "cyberarkpas.audit.rfc5424": false, + "cyberarkpas.audit.safe": "Linux", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "10.2.0.4", + "destination.address": "radiussrv.cyberark.local", + "destination.domain": "radiussrv.cyberark.local", + "destination.user.name": "test12", + "event.action": "cpm verify password", + "event.category": [ + "iam" + ], + "event.code": "22", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "admin", + "info" + ], + "file.path": "Root\\Operating System-LINUX-SSH-radiussrv.cyberark.local-test12", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 0, + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.6.0000", + "related.ip": [ + "10.2.0.4" + ], + "related.user": [ + "PasswordManager", + "test12" + ], + "service.type": "cyberarkpas", + "source.address": "10.2.0.4", + "source.ip": "10.2.0.4", + "source.user.name": "PasswordManager", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "PasswordManager" + }, + { + "@timestamp": "2021-03-15T10:22:44.000Z", + "cyberarkpas.audit.action": "CPM Verify Password", + "cyberarkpas.audit.ca_properties.address": "34.123.103.115", + "cyberarkpas.audit.ca_properties.cpm_status": "success", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.device_type": "Operating System", + "cyberarkpas.audit.ca_properties.last_success_verification": "1615803764", + "cyberarkpas.audit.ca_properties.last_task": "VerifyTask", + "cyberarkpas.audit.ca_properties.policy_id": "UnixSSH", + "cyberarkpas.audit.ca_properties.retries_count": "-1", + "cyberarkpas.audit.ca_properties.user_name": "testark", + "cyberarkpas.audit.desc": "CPM Verify Password", + "cyberarkpas.audit.extra_details.address": "34.123.103.115", + "cyberarkpas.audit.extra_details.username": "testark", + "cyberarkpas.audit.file": "Root\\Operating System-UnixSSH-34.123.103.115-testark", + "cyberarkpas.audit.iso_timestamp": "2021-03-15T10:22:44Z", + "cyberarkpas.audit.issuer": "PasswordManager", + "cyberarkpas.audit.message": "CPM Verify Password", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 15 03:22:44\n 2021-03-15T10:22:44Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 22\n CPM Verify Password\n Info\n PasswordManager\n CPM Verify Password\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 10.0.1.20\n \n \n \n ImmediateTask\n address=34.123.103.115;username=testark;\n CPM Verify Password\n \n \n \n \n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.reason": "ImmediateTask", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "partner", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "10.0.1.20", + "cyberarkpas.audit.timestamp": "Mar 15 03:22:44", + "destination.address": "34.123.103.115", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "34.123.103.115", + "destination.user.name": "testark", + "event.action": "cpm verify password", + "event.category": [ + "iam" + ], + "event.code": "22", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "admin", + "info" + ], + "file.path": "Root\\Operating System-UnixSSH-34.123.103.115-testark", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 2648, + "log.syslog.priority": "5", + "network.direction": "outbound", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "10.0.1.20", + "34.123.103.115" + ], + "related.user": [ + "PasswordManager", + "testark" + ], + "service.type": "cyberarkpas", + "source.address": "10.0.1.20", + "source.ip": "10.0.1.20", + "source.user.name": "PasswordManager", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "PasswordManager" + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/23_action_on_closed_safe.log b/x-pack/filebeat/module/cyberarkpas/audit/test/23_action_on_closed_safe.log new file mode 100644 index 00000000000..51629665b2b --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/23_action_on_closed_safe.log @@ -0,0 +1,3 @@ +<7>1 2021-03-10T09:11:20Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:20","IsoTimestamp":"2021-03-10T09:11:20Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"23","Desc":"Action On Closed Safe","Severity":"Error","Issuer":"Administrator","Action":"Action On Closed Safe","SourceUser":"","TargetUser":"","Safe":"PSMPConf","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Action On Closed Safe","GatewayStation":""}}} +<7>1 2021-03-14T12:07:27Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 05:07:27\n 2021-03-14T12:07:27Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 23\n Action On Closed Safe\n Error\n PasswordManager\n Action On Closed Safe\n \n \n AccountsFeedADAccounts\n \n 10.0.1.20\n \n \n \n \n \n Action On Closed Safe\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 05:07:27","IsoTimestamp":"2021-03-14T12:07:27Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"23","Desc":"Action On Closed Safe","Severity":"Error","Issuer":"PasswordManager","Action":"Action On Closed Safe","SourceUser":"","TargetUser":"","Safe":"AccountsFeedADAccounts","File":"","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Action On Closed Safe","GatewayStation":""}}} +<7>1 2021-03-14T12:57:16Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 05:57:16\n 2021-03-14T12:57:16Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 23\n Action On Closed Safe\n Error\n Administrator\n Action On Closed Safe\n \n \n PSMPConf\n \n 34.71.250.247\n \n \n \n \n \n Action On Closed Safe\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 05:57:16","IsoTimestamp":"2021-03-14T12:57:16Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"23","Desc":"Action On Closed Safe","Severity":"Error","Issuer":"Administrator","Action":"Action On Closed Safe","SourceUser":"","TargetUser":"","Safe":"PSMPConf","File":"","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Action On Closed Safe","GatewayStation":""}}} diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/23_action_on_closed_safe.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/23_action_on_closed_safe.log-expected.json new file mode 100644 index 00000000000..a8ef4bc0bdb --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/23_action_on_closed_safe.log-expected.json @@ -0,0 +1,137 @@ +[ + { + "@timestamp": "2021-03-10T09:11:20.000Z", + "cyberarkpas.audit.action": "Action On Closed Safe", + "cyberarkpas.audit.desc": "Action On Closed Safe", + "cyberarkpas.audit.iso_timestamp": "2021-03-10T09:11:20Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Action On Closed Safe", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "PSMPConf", + "cyberarkpas.audit.severity": "Error", + "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.timestamp": "Mar 10 01:11:20", + "event.action": "action on closed safe", + "event.code": "23", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 7, + "event.timezone": "-02:00", + "event.type": "error", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 0, + "log.syslog.priority": "7", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + }, + { + "@timestamp": "2021-03-14T12:07:27.000Z", + "cyberarkpas.audit.action": "Action On Closed Safe", + "cyberarkpas.audit.desc": "Action On Closed Safe", + "cyberarkpas.audit.iso_timestamp": "2021-03-14T12:07:27Z", + "cyberarkpas.audit.issuer": "PasswordManager", + "cyberarkpas.audit.message": "Action On Closed Safe", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 14 05:07:27\n 2021-03-14T12:07:27Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 23\n Action On Closed Safe\n Error\n PasswordManager\n Action On Closed Safe\n \n \n AccountsFeedADAccounts\n \n 10.0.1.20\n \n \n \n \n \n Action On Closed Safe\n \n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "AccountsFeedADAccounts", + "cyberarkpas.audit.severity": "Error", + "cyberarkpas.audit.station": "10.0.1.20", + "cyberarkpas.audit.timestamp": "Mar 14 05:07:27", + "event.action": "action on closed safe", + "event.code": "23", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 7, + "event.timezone": "-02:00", + "event.type": "error", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 599, + "log.syslog.priority": "7", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "10.0.1.20" + ], + "service.type": "cyberarkpas", + "source.address": "10.0.1.20", + "source.ip": "10.0.1.20", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + }, + { + "@timestamp": "2021-03-14T12:57:16.000Z", + "cyberarkpas.audit.action": "Action On Closed Safe", + "cyberarkpas.audit.desc": "Action On Closed Safe", + "cyberarkpas.audit.iso_timestamp": "2021-03-14T12:57:16Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Action On Closed Safe", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 14 05:57:16\n 2021-03-14T12:57:16Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 23\n Action On Closed Safe\n Error\n Administrator\n Action On Closed Safe\n \n \n PSMPConf\n \n 34.71.250.247\n \n \n \n \n \n Action On Closed Safe\n \n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "PSMPConf", + "cyberarkpas.audit.severity": "Error", + "cyberarkpas.audit.station": "34.71.250.247", + "cyberarkpas.audit.timestamp": "Mar 14 05:57:16", + "event.action": "action on closed safe", + "event.code": "23", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 7, + "event.timezone": "-02:00", + "event.type": "error", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 2101, + "log.syslog.priority": "7", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "34.71.250.247" + ], + "service.type": "cyberarkpas", + "source.address": "34.71.250.247", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 37.751, + "source.geo.location.lon": -97.822, + "source.ip": "34.71.250.247", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/24_cpm_change_password.log b/x-pack/filebeat/module/cyberarkpas/audit/test/24_cpm_change_password.log new file mode 100644 index 00000000000..f50102d48f7 --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/24_cpm_change_password.log @@ -0,0 +1,4 @@ +{"format":"elastic","version":"1.0","raw":"\n \n no\n Cyber-Ark\n Vault\n 11.6.0000\n 24\n CPM Change Password\n Info\n PasswordManager\n CPM Change Password\n \n \n Linux\n Root\\Operating System-LINUX-SSH-radiussrv.cyberark.local-test12\n 10.2.0.4\n \n \n \n ImmediateTask\n address=radiussrv.cyberark.local;username=test12;\n CPM Change Password\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n","syslog":{"audit_record":{"Rfc5424":"no","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.6.0000","MessageID":"24","Desc":"CPM Change Password","Severity":"Info","IsoTimestamp":"2021-03-16T15:01:00Z","Issuer":"PasswordManager","Action":"CPM Change Password","SourceUser":"","TargetUser":"","Safe":"Linux","File":"Root\\Operating System-LINUX-SSH-radiussrv.cyberark.local-test12","Station":"10.2.0.4","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask","ExtraDetails":"address=radiussrv.cyberark.local;username=test12;","Message":"CPM Change Password","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"LINUX-SSH"},{"Name":"UserName","Value":"test12"},{"Name":"Address","Value":"radiussrv.cyberark.local"},{"Name":"DeviceType","Value":"Operating System"},{"Name":"RetriesCount","Value":"-1"},{"Name":"LastSuccessVerification","Value":"1604943844"},{"Name":"LastTask","Value":"ChangeTask"},{"Name":"CPMStatus","Value":"success"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"LastSuccessChange","Value":"1604944158"}]}}}} +<5>1 2021-03-08T19:20:05Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 08 11:20:05","IsoTimestamp":"2021-03-08T19:20:05Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"24","Desc":"CPM Change Password","Severity":"Info","Issuer":"PasswordManager","Action":"CPM Change Password","SourceUser":"","TargetUser":"","Safe":"Test","File":"Root\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountA","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask","ExtraDetails":"address=components;username=x_accountA;","Message":"CPM Change Password","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WinDesktopLocal"},{"Name":"UserName","Value":"x_accountA"},{"Name":"Address","Value":"components"},{"Name":"SequenceID","Value":"27"},{"Name":"CPMStatus","Value":"success"},{"Name":"RetriesCount","Value":"-1"},{"Name":"LastTask","Value":"ChangeTask"},{"Name":"GroupName","Value":"WindowsGroup"},{"Name":"LastSuccessChange","Value":"1615231204"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"},{"Name":"Index","Value":"1"},{"Name":"DualAccountStatus","Value":"Inactive"},{"Name":"VirtualUsername","Value":"virtual"}]}}}} +<5>1 2021-03-10T23:39:28Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 15:39:28","IsoTimestamp":"2021-03-10T23:39:28Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"24","Desc":"CPM Change Password","Severity":"Info","Issuer":"PasswordManager","Action":"CPM Change Password","SourceUser":"","TargetUser":"","Safe":"Test","File":"Root\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountB","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask","ExtraDetails":"address=components;username=x_accountB;","Message":"CPM Change Password","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WinDesktopLocal"},{"Name":"UserName","Value":"x_accountB"},{"Name":"Address","Value":"components"},{"Name":"SequenceID","Value":"25"},{"Name":"CPMStatus","Value":"success"},{"Name":"RetriesCount","Value":"-1"},{"Name":"LastTask","Value":"ChangeTask"},{"Name":"GroupName","Value":"WindowsGroup"},{"Name":"LastSuccessChange","Value":"1615419568"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"},{"Name":"Index","Value":"2"},{"Name":"DualAccountStatus","Value":"Inactive"},{"Name":"VirtualUsername","Value":"virtual"}]}}}} +<5>1 2021-03-15T10:12:24Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 03:12:24\n 2021-03-15T10:12:24Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 24\n CPM Change Password\n Info\n PasswordManager\n CPM Change Password\n \n \n Test\n Root\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountA\n 10.0.1.20\n \n \n \n ImmediateTask\n address=components;username=x_accountA;\n CPM Change Password\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 03:12:24","IsoTimestamp":"2021-03-15T10:12:24Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"24","Desc":"CPM Change Password","Severity":"Info","Issuer":"PasswordManager","Action":"CPM Change Password","SourceUser":"","TargetUser":"","Safe":"Test","File":"Root\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountA","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask","ExtraDetails":"address=components;username=x_accountA;","Message":"CPM Change Password","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WinDesktopLocal"},{"Name":"UserName","Value":"x_accountA"},{"Name":"Address","Value":"components"},{"Name":"SequenceID","Value":"28"},{"Name":"CPMStatus","Value":"success"},{"Name":"RetriesCount","Value":"-1"},{"Name":"LastTask","Value":"ChangeTask"},{"Name":"GroupName","Value":"WindowsGroup"},{"Name":"LastSuccessChange","Value":"1615803143"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"},{"Name":"Index","Value":"1"},{"Name":"DualAccountStatus","Value":"Inactive"},{"Name":"VirtualUsername","Value":"virtual"}]}}}} diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/24_cpm_change_password.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/24_cpm_change_password.log-expected.json new file mode 100644 index 00000000000..3cf879a9996 --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/24_cpm_change_password.log-expected.json @@ -0,0 +1,292 @@ +[ + { + "@timestamp": "2021-03-16T15:01:00.000Z", + "cyberarkpas.audit.action": "CPM Change Password", + "cyberarkpas.audit.ca_properties.address": "radiussrv.cyberark.local", + "cyberarkpas.audit.ca_properties.cpm_status": "success", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.device_type": "Operating System", + "cyberarkpas.audit.ca_properties.last_success_change": "1604944158", + "cyberarkpas.audit.ca_properties.last_success_verification": "1604943844", + "cyberarkpas.audit.ca_properties.last_task": "ChangeTask", + "cyberarkpas.audit.ca_properties.policy_id": "LINUX-SSH", + "cyberarkpas.audit.ca_properties.retries_count": "-1", + "cyberarkpas.audit.ca_properties.user_name": "test12", + "cyberarkpas.audit.desc": "CPM Change Password", + "cyberarkpas.audit.extra_details.address": "radiussrv.cyberark.local", + "cyberarkpas.audit.extra_details.username": "test12", + "cyberarkpas.audit.file": "Root\\Operating System-LINUX-SSH-radiussrv.cyberark.local-test12", + "cyberarkpas.audit.iso_timestamp": "2021-03-16T15:01:00Z", + "cyberarkpas.audit.issuer": "PasswordManager", + "cyberarkpas.audit.message": "CPM Change Password", + "cyberarkpas.audit.raw": "\n \n no\n Cyber-Ark\n Vault\n 11.6.0000\n 24\n CPM Change Password\n Info\n PasswordManager\n CPM Change Password\n \n \n Linux\n Root\\Operating System-LINUX-SSH-radiussrv.cyberark.local-test12\n 10.2.0.4\n \n \n \n ImmediateTask\n address=radiussrv.cyberark.local;username=test12;\n CPM Change Password\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n", + "cyberarkpas.audit.reason": "ImmediateTask", + "cyberarkpas.audit.rfc5424": false, + "cyberarkpas.audit.safe": "Linux", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "10.2.0.4", + "destination.address": "radiussrv.cyberark.local", + "destination.domain": "radiussrv.cyberark.local", + "event.action": "cpm change password", + "event.category": [ + "iam" + ], + "event.code": "24", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "user", + "change" + ], + "file.path": "Root\\Operating System-LINUX-SSH-radiussrv.cyberark.local-test12", + "fileset.name": "audit", + "input.type": "log", + "log.offset": 0, + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.6.0000", + "related.ip": [ + "10.2.0.4" + ], + "related.user": [ + "PasswordManager", + "test12" + ], + "service.type": "cyberarkpas", + "source.address": "10.2.0.4", + "source.ip": "10.2.0.4", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "PasswordManager", + "user.target.name": "test12" + }, + { + "@timestamp": "2021-03-08T19:20:05.000Z", + "cyberarkpas.audit.action": "CPM Change Password", + "cyberarkpas.audit.ca_properties.address": "components", + "cyberarkpas.audit.ca_properties.cpm_status": "success", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.device_type": "Operating System", + "cyberarkpas.audit.ca_properties.dual_account_status": "Inactive", + "cyberarkpas.audit.ca_properties.group_name": "WindowsGroup", + "cyberarkpas.audit.ca_properties.index": "1", + "cyberarkpas.audit.ca_properties.last_success_change": "1615231204", + "cyberarkpas.audit.ca_properties.last_task": "ChangeTask", + "cyberarkpas.audit.ca_properties.policy_id": "WinDesktopLocal", + "cyberarkpas.audit.ca_properties.retries_count": "-1", + "cyberarkpas.audit.ca_properties.sequence_id": "27", + "cyberarkpas.audit.ca_properties.user_name": "x_accountA", + "cyberarkpas.audit.ca_properties.virtual_username": "virtual", + "cyberarkpas.audit.desc": "CPM Change Password", + "cyberarkpas.audit.extra_details.address": "components", + "cyberarkpas.audit.extra_details.username": "x_accountA", + "cyberarkpas.audit.file": "Root\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountA", + "cyberarkpas.audit.iso_timestamp": "2021-03-08T19:20:05Z", + "cyberarkpas.audit.issuer": "PasswordManager", + "cyberarkpas.audit.message": "CPM Change Password", + "cyberarkpas.audit.reason": "ImmediateTask", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "Test", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "10.0.1.20", + "cyberarkpas.audit.timestamp": "Mar 08 11:20:05", + "destination.address": "components", + "destination.domain": "components", + "event.action": "cpm change password", + "event.category": [ + "iam" + ], + "event.code": "24", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "user", + "change" + ], + "file.path": "Root\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountA", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 2757, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "10.0.1.20" + ], + "related.user": [ + "PasswordManager", + "x_accountA" + ], + "service.type": "cyberarkpas", + "source.address": "10.0.1.20", + "source.ip": "10.0.1.20", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "PasswordManager", + "user.target.name": "x_accountA" + }, + { + "@timestamp": "2021-03-10T23:39:28.000Z", + "cyberarkpas.audit.action": "CPM Change Password", + "cyberarkpas.audit.ca_properties.address": "components", + "cyberarkpas.audit.ca_properties.cpm_status": "success", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.device_type": "Operating System", + "cyberarkpas.audit.ca_properties.dual_account_status": "Inactive", + "cyberarkpas.audit.ca_properties.group_name": "WindowsGroup", + "cyberarkpas.audit.ca_properties.index": "2", + "cyberarkpas.audit.ca_properties.last_success_change": "1615419568", + "cyberarkpas.audit.ca_properties.last_task": "ChangeTask", + "cyberarkpas.audit.ca_properties.policy_id": "WinDesktopLocal", + "cyberarkpas.audit.ca_properties.retries_count": "-1", + "cyberarkpas.audit.ca_properties.sequence_id": "25", + "cyberarkpas.audit.ca_properties.user_name": "x_accountB", + "cyberarkpas.audit.ca_properties.virtual_username": "virtual", + "cyberarkpas.audit.desc": "CPM Change Password", + "cyberarkpas.audit.extra_details.address": "components", + "cyberarkpas.audit.extra_details.username": "x_accountB", + "cyberarkpas.audit.file": "Root\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountB", + "cyberarkpas.audit.iso_timestamp": "2021-03-10T23:39:28Z", + "cyberarkpas.audit.issuer": "PasswordManager", + "cyberarkpas.audit.message": "CPM Change Password", + "cyberarkpas.audit.reason": "ImmediateTask", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "Test", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "10.0.1.20", + "cyberarkpas.audit.timestamp": "Mar 10 15:39:28", + "destination.address": "components", + "destination.domain": "components", + "event.action": "cpm change password", + "event.category": [ + "iam" + ], + "event.code": "24", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "user", + "change" + ], + "file.path": "Root\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountB", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 4099, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "10.0.1.20" + ], + "related.user": [ + "PasswordManager", + "x_accountB" + ], + "service.type": "cyberarkpas", + "source.address": "10.0.1.20", + "source.ip": "10.0.1.20", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "PasswordManager", + "user.target.name": "x_accountB" + }, + { + "@timestamp": "2021-03-15T10:12:24.000Z", + "cyberarkpas.audit.action": "CPM Change Password", + "cyberarkpas.audit.ca_properties.address": "components", + "cyberarkpas.audit.ca_properties.cpm_status": "success", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.device_type": "Operating System", + "cyberarkpas.audit.ca_properties.dual_account_status": "Inactive", + "cyberarkpas.audit.ca_properties.group_name": "WindowsGroup", + "cyberarkpas.audit.ca_properties.index": "1", + "cyberarkpas.audit.ca_properties.last_success_change": "1615803143", + "cyberarkpas.audit.ca_properties.last_task": "ChangeTask", + "cyberarkpas.audit.ca_properties.policy_id": "WinDesktopLocal", + "cyberarkpas.audit.ca_properties.retries_count": "-1", + "cyberarkpas.audit.ca_properties.sequence_id": "28", + "cyberarkpas.audit.ca_properties.user_name": "x_accountA", + "cyberarkpas.audit.ca_properties.virtual_username": "virtual", + "cyberarkpas.audit.desc": "CPM Change Password", + "cyberarkpas.audit.extra_details.address": "components", + "cyberarkpas.audit.extra_details.username": "x_accountA", + "cyberarkpas.audit.file": "Root\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountA", + "cyberarkpas.audit.iso_timestamp": "2021-03-15T10:12:24Z", + "cyberarkpas.audit.issuer": "PasswordManager", + "cyberarkpas.audit.message": "CPM Change Password", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 15 03:12:24\n 2021-03-15T10:12:24Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 24\n CPM Change Password\n Info\n PasswordManager\n CPM Change Password\n \n \n Test\n Root\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountA\n 10.0.1.20\n \n \n \n ImmediateTask\n address=components;username=x_accountA;\n CPM Change Password\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.reason": "ImmediateTask", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "Test", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "10.0.1.20", + "cyberarkpas.audit.timestamp": "Mar 15 03:12:24", + "destination.address": "components", + "destination.domain": "components", + "event.action": "cpm change password", + "event.category": [ + "iam" + ], + "event.code": "24", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "user", + "change" + ], + "file.path": "Root\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountA", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 5441, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "10.0.1.20" + ], + "related.user": [ + "PasswordManager", + "x_accountA" + ], + "service.type": "cyberarkpas", + "source.address": "10.0.1.20", + "source.ip": "10.0.1.20", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "PasswordManager", + "user.target.name": "x_accountA" + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/259_add_update_group.log b/x-pack/filebeat/module/cyberarkpas/audit/test/259_add_update_group.log new file mode 100644 index 00000000000..7284820d8e4 --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/259_add_update_group.log @@ -0,0 +1,4 @@ +<5>1 2021-03-10T09:11:21Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:21","IsoTimestamp":"2021-03-10T09:11:21Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"259","Desc":"Add/Update Group","Severity":"Info","Issuer":"Administrator","Action":"Add/Update Group","SourceUser":"PSMMaster","TargetUser":"","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add/Update Group","GatewayStation":""}}} +<5>1 2021-03-10T09:11:21Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:21","IsoTimestamp":"2021-03-10T09:11:21Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"259","Desc":"Add/Update Group","Severity":"Info","Issuer":"Administrator","Action":"Add/Update Group","SourceUser":"PSMAppUsers","TargetUser":"","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add/Update Group","GatewayStation":""}}} +<5>1 2021-03-10T09:11:35Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:35","IsoTimestamp":"2021-03-10T09:11:35Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"259","Desc":"Add/Update Group","Severity":"Info","Issuer":"Administrator","Action":"Add/Update Group","SourceUser":"PSMP_ADB_AppUsers","TargetUser":"","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add/Update Group","GatewayStation":""}}} +<5>1 2021-03-10T17:59:29Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 09:59:29","IsoTimestamp":"2021-03-10T17:59:29Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"259","Desc":"Add/Update Group","Severity":"Info","Issuer":"Administrator","Action":"Add/Update Group","SourceUser":"PSMLiveSessionTerminators","TargetUser":"","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add/Update Group","GatewayStation":""}}} diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/259_add_update_group.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/259_add_update_group.log-expected.json new file mode 100644 index 00000000000..74637ba020f --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/259_add_update_group.log-expected.json @@ -0,0 +1,190 @@ +[ + { + "@timestamp": "2021-03-10T09:11:21.000Z", + "cyberarkpas.audit.action": "Add/Update Group", + "cyberarkpas.audit.desc": "Add/Update Group", + "cyberarkpas.audit.iso_timestamp": "2021-03-10T09:11:21Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Add/Update Group", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.source_user": "PSMMaster", + "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.timestamp": "Mar 10 01:11:21", + "event.action": "add/update group", + "event.code": "259", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 0, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + }, + { + "@timestamp": "2021-03-10T09:11:21.000Z", + "cyberarkpas.audit.action": "Add/Update Group", + "cyberarkpas.audit.desc": "Add/Update Group", + "cyberarkpas.audit.iso_timestamp": "2021-03-10T09:11:21Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Add/Update Group", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.source_user": "PSMAppUsers", + "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.timestamp": "Mar 10 01:11:21", + "event.action": "add/update group", + "event.code": "259", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 585, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + }, + { + "@timestamp": "2021-03-10T09:11:35.000Z", + "cyberarkpas.audit.action": "Add/Update Group", + "cyberarkpas.audit.desc": "Add/Update Group", + "cyberarkpas.audit.iso_timestamp": "2021-03-10T09:11:35Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Add/Update Group", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.source_user": "PSMP_ADB_AppUsers", + "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.timestamp": "Mar 10 01:11:35", + "event.action": "add/update group", + "event.code": "259", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 1172, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + }, + { + "@timestamp": "2021-03-10T17:59:29.000Z", + "cyberarkpas.audit.action": "Add/Update Group", + "cyberarkpas.audit.desc": "Add/Update Group", + "cyberarkpas.audit.iso_timestamp": "2021-03-10T17:59:29Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Add/Update Group", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.source_user": "PSMLiveSessionTerminators", + "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.timestamp": "Mar 10 09:59:29", + "event.action": "add/update group", + "event.code": "259", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 1765, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/265_add_group_member.log b/x-pack/filebeat/module/cyberarkpas/audit/test/265_add_group_member.log new file mode 100644 index 00000000000..bff61c277da --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/265_add_group_member.log @@ -0,0 +1,14 @@ +<5>1 2021-03-10T09:11:22Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:22","IsoTimestamp":"2021-03-10T09:11:22Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"265","Desc":"Add Group Member","Severity":"Info","Issuer":"Administrator","Action":"Add Group Member","SourceUser":"PSMAppUsers","TargetUser":"PSMPApp_localhost.localdomain","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Group Member","GatewayStation":""}}} +<5>1 2021-03-10T09:11:22Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:22","IsoTimestamp":"2021-03-10T09:11:22Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"265","Desc":"Add Group Member","Severity":"Info","Issuer":"Administrator","Action":"Add Group Member","SourceUser":"PVWAGWAccounts","TargetUser":"PSMPGW_localhost.localdomain","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Group Member","GatewayStation":""}}} +<5>1 2021-03-10T09:11:35Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:35","IsoTimestamp":"2021-03-10T09:11:35Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"265","Desc":"Add Group Member","Severity":"Info","Issuer":"Administrator","Action":"Add Group Member","SourceUser":"PSMP_ADB_AppUsers","TargetUser":"PSMP_ADB_localhost.localdomain","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Group Member","GatewayStation":""}}} +<5>1 2021-03-10T17:58:01Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 09:58:01","IsoTimestamp":"2021-03-10T17:58:01Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"265","Desc":"Add Group Member","Severity":"Info","Issuer":"Administrator","Action":"Add Group Member","SourceUser":"PSMMaster","TargetUser":"Administrator","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Group Member","GatewayStation":""}}} +<5>1 2021-03-10T17:59:29Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 09:59:29","IsoTimestamp":"2021-03-10T17:59:29Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"265","Desc":"Add Group Member","Severity":"Info","Issuer":"Administrator","Action":"Add Group Member","SourceUser":"PSMAppUsers","TargetUser":"PSMApp_VAGRANT","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Group Member","GatewayStation":""}}} +<5>1 2021-03-10T17:59:30Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 09:59:30","IsoTimestamp":"2021-03-10T17:59:30Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"265","Desc":"Add Group Member","Severity":"Info","Issuer":"Administrator","Action":"Add Group Member","SourceUser":"PVWAGWAccounts","TargetUser":"PSMGw_VAGRANT","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Group Member","GatewayStation":""}}} +<5>1 2021-03-10T22:17:15Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 14:17:15","IsoTimestamp":"2021-03-10T22:17:15Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"265","Desc":"Add Group Member","Severity":"Info","Issuer":"Administrator","Action":"Add Group Member","SourceUser":"PSMMaster","TargetUser":"Administrator","Safe":"","File":"","Station":"35.192.121.42","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Group Member","GatewayStation":""}}} +<5>1 2021-03-10T22:19:16Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 14:19:16","IsoTimestamp":"2021-03-10T22:19:16Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"265","Desc":"Add Group Member","Severity":"Info","Issuer":"Administrator","Action":"Add Group Member","SourceUser":"PSMAppUsers","TargetUser":"PSMApp_ASR-WIN","Safe":"","File":"","Station":"35.192.121.42","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Group Member","GatewayStation":""}}} +<5>1 2021-03-10T22:19:16Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 14:19:16","IsoTimestamp":"2021-03-10T22:19:16Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"265","Desc":"Add Group Member","Severity":"Info","Issuer":"Administrator","Action":"Add Group Member","SourceUser":"PVWAGWAccounts","TargetUser":"PSMGw_ASR-WIN","Safe":"","File":"","Station":"35.192.121.42","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Group Member","GatewayStation":""}}} +<5>1 2021-03-11T16:59:38Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 08:59:38\n 2021-03-11T16:59:38Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 265\n Add Group Member\n Info\n Administrator\n Add Group Member\n PSMAppUsers\n PSMPApp_VAGRANT\n \n \n 81.32.170.205\n \n \n \n \n \n Add Group Member\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 08:59:38","IsoTimestamp":"2021-03-11T16:59:38Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"265","Desc":"Add Group Member","Severity":"Info","Issuer":"Administrator","Action":"Add Group Member","SourceUser":"PSMAppUsers","TargetUser":"PSMPApp_VAGRANT","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Group Member","GatewayStation":""}}} +<5>1 2021-03-11T16:59:38Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 08:59:38\n 2021-03-11T16:59:38Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 265\n Add Group Member\n Info\n Administrator\n Add Group Member\n PVWAGWAccounts\n PSMPGW_VAGRANT\n \n \n 81.32.170.205\n \n \n \n \n \n Add Group Member\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 08:59:38","IsoTimestamp":"2021-03-11T16:59:38Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"265","Desc":"Add Group Member","Severity":"Info","Issuer":"Administrator","Action":"Add Group Member","SourceUser":"PVWAGWAccounts","TargetUser":"PSMPGW_VAGRANT","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Group Member","GatewayStation":""}}} +<5>1 2021-03-14T12:57:17Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 05:57:17\n 2021-03-14T12:57:17Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 265\n Add Group Member\n Info\n Administrator\n Add Group Member\n PVWAGWAccounts\n PSMPGW_SSH\n \n \n 34.71.250.247\n \n \n \n \n \n Add Group Member\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 05:57:17","IsoTimestamp":"2021-03-14T12:57:17Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"265","Desc":"Add Group Member","Severity":"Info","Issuer":"Administrator","Action":"Add Group Member","SourceUser":"PVWAGWAccounts","TargetUser":"PSMPGW_SSH","Safe":"","File":"","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Group Member","GatewayStation":""}}} +<5>1 2021-03-14T12:57:17Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 05:57:17\n 2021-03-14T12:57:17Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 265\n Add Group Member\n Info\n Administrator\n Add Group Member\n PSMAppUsers\n PSMPApp_SSH\n \n \n 34.71.250.247\n \n \n \n \n \n Add Group Member\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 05:57:17","IsoTimestamp":"2021-03-14T12:57:17Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"265","Desc":"Add Group Member","Severity":"Info","Issuer":"Administrator","Action":"Add Group Member","SourceUser":"PSMAppUsers","TargetUser":"PSMPApp_SSH","Safe":"","File":"","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Group Member","GatewayStation":""}}} +<5>1 2021-03-14T12:57:21Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 05:57:21\n 2021-03-14T12:57:21Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 265\n Add Group Member\n Info\n Administrator\n Add Group Member\n PSMP_ADB_AppUsers\n PSMP_ADB_asr-cyberark-psm-ssh\n \n \n 34.71.250.247\n \n \n \n \n \n Add Group Member\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 05:57:21","IsoTimestamp":"2021-03-14T12:57:21Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"265","Desc":"Add Group Member","Severity":"Info","Issuer":"Administrator","Action":"Add Group Member","SourceUser":"PSMP_ADB_AppUsers","TargetUser":"PSMP_ADB_asr-cyberark-psm-ssh","Safe":"","File":"","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Group Member","GatewayStation":""}}} diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/265_add_group_member.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/265_add_group_member.log-expected.json new file mode 100644 index 00000000000..131df5259cd --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/265_add_group_member.log-expected.json @@ -0,0 +1,667 @@ +[ + { + "@timestamp": "2021-03-10T09:11:22.000Z", + "cyberarkpas.audit.action": "Add Group Member", + "cyberarkpas.audit.desc": "Add Group Member", + "cyberarkpas.audit.iso_timestamp": "2021-03-10T09:11:22Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Add Group Member", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.source_user": "PSMAppUsers", + "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.target_user": "PSMPApp_localhost.localdomain", + "cyberarkpas.audit.timestamp": "Mar 10 01:11:22", + "event.action": "add group member", + "event.code": "265", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 0, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + }, + { + "@timestamp": "2021-03-10T09:11:22.000Z", + "cyberarkpas.audit.action": "Add Group Member", + "cyberarkpas.audit.desc": "Add Group Member", + "cyberarkpas.audit.iso_timestamp": "2021-03-10T09:11:22Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Add Group Member", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.source_user": "PVWAGWAccounts", + "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.target_user": "PSMPGW_localhost.localdomain", + "cyberarkpas.audit.timestamp": "Mar 10 01:11:22", + "event.action": "add group member", + "event.code": "265", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 616, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + }, + { + "@timestamp": "2021-03-10T09:11:35.000Z", + "cyberarkpas.audit.action": "Add Group Member", + "cyberarkpas.audit.desc": "Add Group Member", + "cyberarkpas.audit.iso_timestamp": "2021-03-10T09:11:35Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Add Group Member", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.source_user": "PSMP_ADB_AppUsers", + "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.target_user": "PSMP_ADB_localhost.localdomain", + "cyberarkpas.audit.timestamp": "Mar 10 01:11:35", + "event.action": "add group member", + "event.code": "265", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 1234, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + }, + { + "@timestamp": "2021-03-10T17:58:01.000Z", + "cyberarkpas.audit.action": "Add Group Member", + "cyberarkpas.audit.desc": "Add Group Member", + "cyberarkpas.audit.iso_timestamp": "2021-03-10T17:58:01Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Add Group Member", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.source_user": "PSMMaster", + "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.target_user": "Administrator", + "cyberarkpas.audit.timestamp": "Mar 10 09:58:01", + "event.action": "add group member", + "event.code": "265", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 1857, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + }, + { + "@timestamp": "2021-03-10T17:59:29.000Z", + "cyberarkpas.audit.action": "Add Group Member", + "cyberarkpas.audit.desc": "Add Group Member", + "cyberarkpas.audit.iso_timestamp": "2021-03-10T17:59:29Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Add Group Member", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.source_user": "PSMAppUsers", + "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.target_user": "PSMApp_VAGRANT", + "cyberarkpas.audit.timestamp": "Mar 10 09:59:29", + "event.action": "add group member", + "event.code": "265", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 2455, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + }, + { + "@timestamp": "2021-03-10T17:59:30.000Z", + "cyberarkpas.audit.action": "Add Group Member", + "cyberarkpas.audit.desc": "Add Group Member", + "cyberarkpas.audit.iso_timestamp": "2021-03-10T17:59:30Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Add Group Member", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.source_user": "PVWAGWAccounts", + "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.target_user": "PSMGw_VAGRANT", + "cyberarkpas.audit.timestamp": "Mar 10 09:59:30", + "event.action": "add group member", + "event.code": "265", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 3056, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + }, + { + "@timestamp": "2021-03-10T22:17:15.000Z", + "cyberarkpas.audit.action": "Add Group Member", + "cyberarkpas.audit.desc": "Add Group Member", + "cyberarkpas.audit.iso_timestamp": "2021-03-10T22:17:15Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Add Group Member", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.source_user": "PSMMaster", + "cyberarkpas.audit.station": "35.192.121.42", + "cyberarkpas.audit.target_user": "Administrator", + "cyberarkpas.audit.timestamp": "Mar 10 14:17:15", + "event.action": "add group member", + "event.code": "265", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 3659, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "35.192.121.42" + ], + "service.type": "cyberarkpas", + "source.address": "35.192.121.42", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 38.6583, + "source.geo.location.lon": -77.2481, + "source.geo.region_iso_code": "US-VA", + "source.geo.region_name": "Virginia", + "source.ip": "35.192.121.42", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + }, + { + "@timestamp": "2021-03-10T22:19:16.000Z", + "cyberarkpas.audit.action": "Add Group Member", + "cyberarkpas.audit.desc": "Add Group Member", + "cyberarkpas.audit.iso_timestamp": "2021-03-10T22:19:16Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Add Group Member", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.source_user": "PSMAppUsers", + "cyberarkpas.audit.station": "35.192.121.42", + "cyberarkpas.audit.target_user": "PSMApp_ASR-WIN", + "cyberarkpas.audit.timestamp": "Mar 10 14:19:16", + "event.action": "add group member", + "event.code": "265", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 4257, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "35.192.121.42" + ], + "service.type": "cyberarkpas", + "source.address": "35.192.121.42", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 38.6583, + "source.geo.location.lon": -77.2481, + "source.geo.region_iso_code": "US-VA", + "source.geo.region_name": "Virginia", + "source.ip": "35.192.121.42", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + }, + { + "@timestamp": "2021-03-10T22:19:16.000Z", + "cyberarkpas.audit.action": "Add Group Member", + "cyberarkpas.audit.desc": "Add Group Member", + "cyberarkpas.audit.iso_timestamp": "2021-03-10T22:19:16Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Add Group Member", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.source_user": "PVWAGWAccounts", + "cyberarkpas.audit.station": "35.192.121.42", + "cyberarkpas.audit.target_user": "PSMGw_ASR-WIN", + "cyberarkpas.audit.timestamp": "Mar 10 14:19:16", + "event.action": "add group member", + "event.code": "265", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 4858, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "35.192.121.42" + ], + "service.type": "cyberarkpas", + "source.address": "35.192.121.42", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 38.6583, + "source.geo.location.lon": -77.2481, + "source.geo.region_iso_code": "US-VA", + "source.geo.region_name": "Virginia", + "source.ip": "35.192.121.42", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + }, + { + "@timestamp": "2021-03-11T16:59:38.000Z", + "cyberarkpas.audit.action": "Add Group Member", + "cyberarkpas.audit.desc": "Add Group Member", + "cyberarkpas.audit.iso_timestamp": "2021-03-11T16:59:38Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Add Group Member", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 08:59:38\n 2021-03-11T16:59:38Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 265\n Add Group Member\n Info\n Administrator\n Add Group Member\n PSMAppUsers\n PSMPApp_VAGRANT\n \n \n 81.32.170.205\n \n \n \n \n \n Add Group Member\n \n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.source_user": "PSMAppUsers", + "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.target_user": "PSMPApp_VAGRANT", + "cyberarkpas.audit.timestamp": "Mar 11 08:59:38", + "event.action": "add group member", + "event.code": "265", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 5461, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + }, + { + "@timestamp": "2021-03-11T16:59:38.000Z", + "cyberarkpas.audit.action": "Add Group Member", + "cyberarkpas.audit.desc": "Add Group Member", + "cyberarkpas.audit.iso_timestamp": "2021-03-11T16:59:38Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Add Group Member", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 08:59:38\n 2021-03-11T16:59:38Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 265\n Add Group Member\n Info\n Administrator\n Add Group Member\n PVWAGWAccounts\n PSMPGW_VAGRANT\n \n \n 81.32.170.205\n \n \n \n \n \n Add Group Member\n \n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.source_user": "PVWAGWAccounts", + "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.target_user": "PSMPGW_VAGRANT", + "cyberarkpas.audit.timestamp": "Mar 11 08:59:38", + "event.action": "add group member", + "event.code": "265", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 6945, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + }, + { + "@timestamp": "2021-03-14T12:57:17.000Z", + "cyberarkpas.audit.action": "Add Group Member", + "cyberarkpas.audit.desc": "Add Group Member", + "cyberarkpas.audit.iso_timestamp": "2021-03-14T12:57:17Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Add Group Member", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 14 05:57:17\n 2021-03-14T12:57:17Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 265\n Add Group Member\n Info\n Administrator\n Add Group Member\n PVWAGWAccounts\n PSMPGW_SSH\n \n \n 34.71.250.247\n \n \n \n \n \n Add Group Member\n \n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.source_user": "PVWAGWAccounts", + "cyberarkpas.audit.station": "34.71.250.247", + "cyberarkpas.audit.target_user": "PSMPGW_SSH", + "cyberarkpas.audit.timestamp": "Mar 14 05:57:17", + "event.action": "add group member", + "event.code": "265", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 8433, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "34.71.250.247" + ], + "service.type": "cyberarkpas", + "source.address": "34.71.250.247", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 37.751, + "source.geo.location.lon": -97.822, + "source.ip": "34.71.250.247", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + }, + { + "@timestamp": "2021-03-14T12:57:17.000Z", + "cyberarkpas.audit.action": "Add Group Member", + "cyberarkpas.audit.desc": "Add Group Member", + "cyberarkpas.audit.iso_timestamp": "2021-03-14T12:57:17Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Add Group Member", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 14 05:57:17\n 2021-03-14T12:57:17Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 265\n Add Group Member\n Info\n Administrator\n Add Group Member\n PSMAppUsers\n PSMPApp_SSH\n \n \n 34.71.250.247\n \n \n \n \n \n Add Group Member\n \n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.source_user": "PSMAppUsers", + "cyberarkpas.audit.station": "34.71.250.247", + "cyberarkpas.audit.target_user": "PSMPApp_SSH", + "cyberarkpas.audit.timestamp": "Mar 14 05:57:17", + "event.action": "add group member", + "event.code": "265", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 9913, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "34.71.250.247" + ], + "service.type": "cyberarkpas", + "source.address": "34.71.250.247", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 37.751, + "source.geo.location.lon": -97.822, + "source.ip": "34.71.250.247", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + }, + { + "@timestamp": "2021-03-14T12:57:21.000Z", + "cyberarkpas.audit.action": "Add Group Member", + "cyberarkpas.audit.desc": "Add Group Member", + "cyberarkpas.audit.iso_timestamp": "2021-03-14T12:57:21Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Add Group Member", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 14 05:57:21\n 2021-03-14T12:57:21Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 265\n Add Group Member\n Info\n Administrator\n Add Group Member\n PSMP_ADB_AppUsers\n PSMP_ADB_asr-cyberark-psm-ssh\n \n \n 34.71.250.247\n \n \n \n \n \n Add Group Member\n \n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.source_user": "PSMP_ADB_AppUsers", + "cyberarkpas.audit.station": "34.71.250.247", + "cyberarkpas.audit.target_user": "PSMP_ADB_asr-cyberark-psm-ssh", + "cyberarkpas.audit.timestamp": "Mar 14 05:57:21", + "event.action": "add group member", + "event.code": "265", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 11389, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "34.71.250.247" + ], + "service.type": "cyberarkpas", + "source.address": "34.71.250.247", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 37.751, + "source.geo.location.lon": -97.822, + "source.ip": "34.71.250.247", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/266_remove_group_member.log b/x-pack/filebeat/module/cyberarkpas/audit/test/266_remove_group_member.log new file mode 100644 index 00000000000..7b0f9be88a0 --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/266_remove_group_member.log @@ -0,0 +1,2 @@ +<5>1 2021-03-10T17:59:48Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 09:59:48","IsoTimestamp":"2021-03-10T17:59:48Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"266","Desc":"Remove Group Member","Severity":"Info","Issuer":"Administrator","Action":"Remove Group Member","SourceUser":"PSMMaster","TargetUser":"Administrator","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Remove Group Member","GatewayStation":""}}} +<5>1 2021-03-10T22:19:23Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 14:19:23","IsoTimestamp":"2021-03-10T22:19:23Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"266","Desc":"Remove Group Member","Severity":"Info","Issuer":"Administrator","Action":"Remove Group Member","SourceUser":"PSMMaster","TargetUser":"Administrator","Safe":"","File":"","Station":"35.192.121.42","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Remove Group Member","GatewayStation":""}}} diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/266_remove_group_member.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/266_remove_group_member.log-expected.json new file mode 100644 index 00000000000..9fe62e5d167 --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/266_remove_group_member.log-expected.json @@ -0,0 +1,97 @@ +[ + { + "@timestamp": "2021-03-10T17:59:48.000Z", + "cyberarkpas.audit.action": "Remove Group Member", + "cyberarkpas.audit.desc": "Remove Group Member", + "cyberarkpas.audit.iso_timestamp": "2021-03-10T17:59:48Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Remove Group Member", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.source_user": "PSMMaster", + "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.target_user": "Administrator", + "cyberarkpas.audit.timestamp": "Mar 10 09:59:48", + "event.action": "remove group member", + "event.code": "266", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 0, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + }, + { + "@timestamp": "2021-03-10T22:19:23.000Z", + "cyberarkpas.audit.action": "Remove Group Member", + "cyberarkpas.audit.desc": "Remove Group Member", + "cyberarkpas.audit.iso_timestamp": "2021-03-10T22:19:23Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Remove Group Member", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.source_user": "PSMMaster", + "cyberarkpas.audit.station": "35.192.121.42", + "cyberarkpas.audit.target_user": "Administrator", + "cyberarkpas.audit.timestamp": "Mar 10 14:19:23", + "event.action": "remove group member", + "event.code": "266", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 607, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "35.192.121.42" + ], + "service.type": "cyberarkpas", + "source.address": "35.192.121.42", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 38.6583, + "source.geo.location.lon": -77.2481, + "source.geo.region_iso_code": "US-VA", + "source.geo.region_name": "Virginia", + "source.ip": "35.192.121.42", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/273_remove_owner.log b/x-pack/filebeat/module/cyberarkpas/audit/test/273_remove_owner.log new file mode 100644 index 00000000000..ea1458e5874 --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/273_remove_owner.log @@ -0,0 +1 @@ +<5>1 2021-03-10T17:59:33Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 09:59:33","IsoTimestamp":"2021-03-10T17:59:33Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"273","Desc":"Remove Owner","Severity":"Info","Issuer":"Administrator","Action":"Remove Owner","SourceUser":"Administrator","TargetUser":"","Safe":"PSMSessions","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Remove Owner","GatewayStation":""}}} diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/273_remove_owner.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/273_remove_owner.log-expected.json new file mode 100644 index 00000000000..6fd2e81ca83 --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/273_remove_owner.log-expected.json @@ -0,0 +1,50 @@ +[ + { + "@timestamp": "2021-03-10T17:59:33.000Z", + "cyberarkpas.audit.action": "Remove Owner", + "cyberarkpas.audit.desc": "Remove Owner", + "cyberarkpas.audit.iso_timestamp": "2021-03-10T17:59:33Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Remove Owner", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "PSMSessions", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.source_user": "Administrator", + "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.timestamp": "Mar 10 09:59:33", + "event.action": "remove owner", + "event.code": "273", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 0, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/278_add_rule.log b/x-pack/filebeat/module/cyberarkpas/audit/test/278_add_rule.log new file mode 100644 index 00000000000..b4e7a9ada36 --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/278_add_rule.log @@ -0,0 +1 @@ +<5>1 2021-03-11T18:01:14Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 10:01:14\n 2021-03-11T18:01:14Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 278\n Add Rule\n Info\n PVWAAppUser\n Add Rule\n Administrator\n \n PSMUnmanagedSessionAccounts\n Root\\2\n 10.0.1.20\n \n \n \n Allow\n \n Add Rule\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 10:01:14","IsoTimestamp":"2021-03-11T18:01:14Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"278","Desc":"Add Rule","Severity":"Info","Issuer":"PVWAAppUser","Action":"Add Rule","SourceUser":"Administrator","TargetUser":"","Safe":"PSMUnmanagedSessionAccounts","File":"Root\\2","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"Allow","ExtraDetails":"","Message":"Add Rule","GatewayStation":""}}} diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/278_add_rule.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/278_add_rule.log-expected.json new file mode 100644 index 00000000000..4cfd55c4722 --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/278_add_rule.log-expected.json @@ -0,0 +1,46 @@ +[ + { + "@timestamp": "2021-03-11T18:01:14.000Z", + "cyberarkpas.audit.action": "Add Rule", + "cyberarkpas.audit.desc": "Add Rule", + "cyberarkpas.audit.file": "Root\\2", + "cyberarkpas.audit.iso_timestamp": "2021-03-11T18:01:14Z", + "cyberarkpas.audit.issuer": "PVWAAppUser", + "cyberarkpas.audit.message": "Add Rule", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 10:01:14\n 2021-03-11T18:01:14Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 278\n Add Rule\n Info\n PVWAAppUser\n Add Rule\n Administrator\n \n PSMUnmanagedSessionAccounts\n Root\\2\n 10.0.1.20\n \n \n \n Allow\n \n Add Rule\n \n \n\n", + "cyberarkpas.audit.reason": "Allow", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "PSMUnmanagedSessionAccounts", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.source_user": "Administrator", + "cyberarkpas.audit.station": "10.0.1.20", + "cyberarkpas.audit.timestamp": "Mar 11 10:01:14", + "event.action": "add rule", + "event.code": "278", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "file.path": "Root\\2", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 0, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "10.0.1.20" + ], + "service.type": "cyberarkpas", + "source.address": "10.0.1.20", + "source.ip": "10.0.1.20", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/288_auto_clear_users_history_start.log b/x-pack/filebeat/module/cyberarkpas/audit/test/288_auto_clear_users_history_start.log new file mode 100644 index 00000000000..8a37e23616a --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/288_auto_clear_users_history_start.log @@ -0,0 +1,2 @@ +<5>1 2021-03-05T11:00:06Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 05 03:00:06","IsoTimestamp":"2021-03-05T11:00:06Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"288","Desc":"Auto Clear Users History start","Severity":"Info","Issuer":"Batch","Action":"Auto Clear Users History start","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"0.0.0.0","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Auto Clear Users History start","GatewayStation":""}}} +Mar 08 03:00:20 VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"no","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"288","Desc":"Auto Clear Users History start","Severity":"Info","Issuer":"Batch","Action":"Auto Clear Users History start","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"0.0.0.0","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Auto Clear Users History start","GatewayStation":""}}} diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/288_auto_clear_users_history_start.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/288_auto_clear_users_history_start.log-expected.json new file mode 100644 index 00000000000..0ed48dfb9c0 --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/288_auto_clear_users_history_start.log-expected.json @@ -0,0 +1,75 @@ +[ + { + "@timestamp": "2021-03-05T11:00:06.000Z", + "cyberarkpas.audit.action": "Auto Clear Users History start", + "cyberarkpas.audit.desc": "Auto Clear Users History start", + "cyberarkpas.audit.iso_timestamp": "2021-03-05T11:00:06Z", + "cyberarkpas.audit.issuer": "Batch", + "cyberarkpas.audit.message": "Auto Clear Users History start", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "0.0.0.0", + "cyberarkpas.audit.timestamp": "Mar 05 03:00:06", + "event.action": "auto clear users history start", + "event.code": "288", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 0, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "0.0.0.0" + ], + "service.type": "cyberarkpas", + "source.address": "0.0.0.0", + "source.ip": "0.0.0.0", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + }, + { + "@timestamp": "2021-03-08T03:00:20.000-02:00", + "cyberarkpas.audit.action": "Auto Clear Users History start", + "cyberarkpas.audit.desc": "Auto Clear Users History start", + "cyberarkpas.audit.issuer": "Batch", + "cyberarkpas.audit.message": "Auto Clear Users History start", + "cyberarkpas.audit.rfc5424": false, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "0.0.0.0", + "event.action": "auto clear users history start", + "event.code": "288", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 604, + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "0.0.0.0" + ], + "service.type": "cyberarkpas", + "source.address": "0.0.0.0", + "source.ip": "0.0.0.0", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/289_auto_clear_users_history_end.log b/x-pack/filebeat/module/cyberarkpas/audit/test/289_auto_clear_users_history_end.log new file mode 100644 index 00000000000..8d873525e41 --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/289_auto_clear_users_history_end.log @@ -0,0 +1,2 @@ +<5>1 2021-03-05T11:00:06Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 05 03:00:06","IsoTimestamp":"2021-03-05T11:00:06Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"289","Desc":"Auto Clear Users History end","Severity":"Info","Issuer":"Batch","Action":"Auto Clear Users History end","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"0.0.0.0","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Auto Clear Users History end","GatewayStation":""}}} +Mar 08 03:00:20 VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"no","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"289","Desc":"Auto Clear Users History end","Severity":"Info","Issuer":"Batch","Action":"Auto Clear Users History end","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"0.0.0.0","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Auto Clear Users History end","GatewayStation":""}}} diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/289_auto_clear_users_history_end.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/289_auto_clear_users_history_end.log-expected.json new file mode 100644 index 00000000000..4476ba0f803 --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/289_auto_clear_users_history_end.log-expected.json @@ -0,0 +1,75 @@ +[ + { + "@timestamp": "2021-03-05T11:00:06.000Z", + "cyberarkpas.audit.action": "Auto Clear Users History end", + "cyberarkpas.audit.desc": "Auto Clear Users History end", + "cyberarkpas.audit.iso_timestamp": "2021-03-05T11:00:06Z", + "cyberarkpas.audit.issuer": "Batch", + "cyberarkpas.audit.message": "Auto Clear Users History end", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "0.0.0.0", + "cyberarkpas.audit.timestamp": "Mar 05 03:00:06", + "event.action": "auto clear users history end", + "event.code": "289", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 0, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "0.0.0.0" + ], + "service.type": "cyberarkpas", + "source.address": "0.0.0.0", + "source.ip": "0.0.0.0", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + }, + { + "@timestamp": "2021-03-08T03:00:20.000-02:00", + "cyberarkpas.audit.action": "Auto Clear Users History end", + "cyberarkpas.audit.desc": "Auto Clear Users History end", + "cyberarkpas.audit.issuer": "Batch", + "cyberarkpas.audit.message": "Auto Clear Users History end", + "cyberarkpas.audit.rfc5424": false, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "0.0.0.0", + "event.action": "auto clear users history end", + "event.code": "289", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 598, + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "0.0.0.0" + ], + "service.type": "cyberarkpas", + "source.address": "0.0.0.0", + "source.ip": "0.0.0.0", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/290_auto_clear_safes_history_start.log b/x-pack/filebeat/module/cyberarkpas/audit/test/290_auto_clear_safes_history_start.log new file mode 100644 index 00000000000..2c7336ea820 --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/290_auto_clear_safes_history_start.log @@ -0,0 +1 @@ +<5>1 2021-03-09T09:00:47Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 09 01:00:47","IsoTimestamp":"2021-03-09T09:00:47Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"290","Desc":"Auto Clear Safes History start","Severity":"Info","Issuer":"Batch","Action":"Auto Clear Safes History start","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"0.0.0.0","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Auto Clear Safes History start","GatewayStation":""}}} diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/290_auto_clear_safes_history_start.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/290_auto_clear_safes_history_start.log-expected.json new file mode 100644 index 00000000000..0feb0516dab --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/290_auto_clear_safes_history_start.log-expected.json @@ -0,0 +1,40 @@ +[ + { + "@timestamp": "2021-03-09T09:00:47.000Z", + "cyberarkpas.audit.action": "Auto Clear Safes History start", + "cyberarkpas.audit.desc": "Auto Clear Safes History start", + "cyberarkpas.audit.iso_timestamp": "2021-03-09T09:00:47Z", + "cyberarkpas.audit.issuer": "Batch", + "cyberarkpas.audit.message": "Auto Clear Safes History start", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "0.0.0.0", + "cyberarkpas.audit.timestamp": "Mar 09 01:00:47", + "event.action": "auto clear safes history start", + "event.code": "290", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 0, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "0.0.0.0" + ], + "service.type": "cyberarkpas", + "source.address": "0.0.0.0", + "source.ip": "0.0.0.0", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/291_auto_clear_safes_history_end.log b/x-pack/filebeat/module/cyberarkpas/audit/test/291_auto_clear_safes_history_end.log new file mode 100644 index 00000000000..8731e1e4ed9 --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/291_auto_clear_safes_history_end.log @@ -0,0 +1 @@ +<5>1 2021-03-09T09:00:47Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 09 01:00:47","IsoTimestamp":"2021-03-09T09:00:47Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"291","Desc":"Auto Clear Safes History end","Severity":"Info","Issuer":"Batch","Action":"Auto Clear Safes History end","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"0.0.0.0","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Auto Clear Safes History end","GatewayStation":""}}} diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/291_auto_clear_safes_history_end.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/291_auto_clear_safes_history_end.log-expected.json new file mode 100644 index 00000000000..0e37b256a45 --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/291_auto_clear_safes_history_end.log-expected.json @@ -0,0 +1,40 @@ +[ + { + "@timestamp": "2021-03-09T09:00:47.000Z", + "cyberarkpas.audit.action": "Auto Clear Safes History end", + "cyberarkpas.audit.desc": "Auto Clear Safes History end", + "cyberarkpas.audit.iso_timestamp": "2021-03-09T09:00:47Z", + "cyberarkpas.audit.issuer": "Batch", + "cyberarkpas.audit.message": "Auto Clear Safes History end", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "0.0.0.0", + "cyberarkpas.audit.timestamp": "Mar 09 01:00:47", + "event.action": "auto clear safes history end", + "event.code": "291", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 0, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "0.0.0.0" + ], + "service.type": "cyberarkpas", + "source.address": "0.0.0.0", + "source.ip": "0.0.0.0", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/294_store_password.log b/x-pack/filebeat/module/cyberarkpas/audit/test/294_store_password.log new file mode 100644 index 00000000000..2ea7c7cf132 --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/294_store_password.log @@ -0,0 +1,10 @@ +<5>1 2021-03-08T10:19:42Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 08 02:19:42","IsoTimestamp":"2021-03-08T10:19:42Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"294","Desc":"Store password","Severity":"Info","Issuer":"PasswordManager","Action":"Store password","SourceUser":"","TargetUser":"","Safe":"Test","File":"Root\\Groups\\WindowsGroup","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Store password","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WindowsDesktopLocalAccountsRotationalPolicy"},{"Name":"InProcess","Value":"ChangeTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"LastTask","Value":"ChangeTask"},{"Name":"LastSuccessChange","Value":"1615198782"},{"Name":"CurrInd","Value":"2"}]}}}} +<5>1 2021-03-08T18:24:49Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 08 10:24:49","IsoTimestamp":"2021-03-08T18:24:49Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"294","Desc":"Store password","Severity":"Info","Issuer":"Administrator","Action":"Store password","SourceUser":"","TargetUser":"","Safe":"Test","File":"Root\\Operating System-WinDesktopLocal-Address-adriansr","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Store password","GatewayStation":"10.0.1.20"}}} +<5>1 2021-03-08T19:20:02Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 08 11:20:02","IsoTimestamp":"2021-03-08T19:20:02Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"294","Desc":"Store password","Severity":"Info","Issuer":"PasswordManager","Action":"Store password","SourceUser":"","TargetUser":"","Safe":"Test","File":"Root\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountA","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Store password","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WinDesktopLocal"},{"Name":"UserName","Value":"x_accountA"},{"Name":"Address","Value":"components"},{"Name":"ResetImmediately","Value":"ChangeTask"},{"Name":"InProcess","Value":"ChangeTask"},{"Name":"SequenceID","Value":"26"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastTask","Value":"ChangeTask"},{"Name":"StartChangeNotBefore","Value":"1615231182"},{"Name":"GroupName","Value":"WindowsGroup"},{"Name":"LastSuccessChange","Value":"1614785704"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"},{"Name":"Index","Value":"1"},{"Name":"DualAccountStatus","Value":"Inactive"},{"Name":"VirtualUsername","Value":"virtual"}]}}}} +<5>1 2021-03-10T14:38:57Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 06:38:57","IsoTimestamp":"2021-03-10T14:38:57Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"294","Desc":"Store password","Severity":"Info","Issuer":"PasswordManager","Action":"Store password","SourceUser":"","TargetUser":"","Safe":"Test","File":"Root\\Groups\\WindowsGroup","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Store password","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WindowsDesktopLocalAccountsRotationalPolicy"},{"Name":"InProcess","Value":"ChangeTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"LastTask","Value":"ChangeTask"},{"Name":"LastSuccessChange","Value":"1615387136"},{"Name":"CurrInd","Value":"1"}]}}}} +<5>1 2021-03-10T17:58:06Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 09:58:06","IsoTimestamp":"2021-03-10T17:58:06Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"294","Desc":"Store password","Severity":"Info","Issuer":"Administrator","Action":"Store password","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\PSMServer","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Store password","GatewayStation":""}}} +<5>1 2021-03-10T22:17:26Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 14:17:26","IsoTimestamp":"2021-03-10T22:17:26Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"294","Desc":"Store password","Severity":"Info","Issuer":"Administrator","Action":"Store password","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\PSM-ASR-CYBERARK-WI","Station":"35.192.121.42","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Store password","GatewayStation":""}}} +<5>1 2021-03-10T23:39:25Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 15:39:25","IsoTimestamp":"2021-03-10T23:39:25Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"294","Desc":"Store password","Severity":"Info","Issuer":"PasswordManager","Action":"Store password","SourceUser":"","TargetUser":"","Safe":"Test","File":"Root\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountB","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Store password","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WinDesktopLocal"},{"Name":"UserName","Value":"x_accountB"},{"Name":"Address","Value":"components"},{"Name":"ResetImmediately","Value":"ChangeTask"},{"Name":"InProcess","Value":"ChangeTask"},{"Name":"SequenceID","Value":"24"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastTask","Value":"ChangeTask"},{"Name":"StartChangeNotBefore","Value":"1615419536"},{"Name":"GroupName","Value":"WindowsGroup"},{"Name":"LastSuccessChange","Value":"1614868762"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"},{"Name":"Index","Value":"2"},{"Name":"DualAccountStatus","Value":"Inactive"},{"Name":"VirtualUsername","Value":"virtual"}]}}}} +<5>1 2021-03-14T11:48:26Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 04:48:26\n 2021-03-14T11:48:26Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 294\n Store password\n Info\n PasswordManager\n Store password\n \n \n Test\n Root\\Groups\\WindowsGroup\n 10.0.1.20\n \n \n \n \n \n Store password\n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 04:48:26","IsoTimestamp":"2021-03-14T11:48:26Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"294","Desc":"Store password","Severity":"Info","Issuer":"PasswordManager","Action":"Store password","SourceUser":"","TargetUser":"","Safe":"Test","File":"Root\\Groups\\WindowsGroup","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Store password","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WindowsDesktopLocalAccountsRotationalPolicy"},{"Name":"InProcess","Value":"ChangeTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"LastTask","Value":"ChangeTask"},{"Name":"LastSuccessChange","Value":"1615722505"},{"Name":"CurrInd","Value":"2"}]}}}} +<5>1 2021-03-15T10:12:21Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 03:12:21\n 2021-03-15T10:12:21Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 294\n Store password\n Info\n PasswordManager\n Store password\n \n \n Test\n Root\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountA\n 10.0.1.20\n \n \n \n \n \n Store password\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 03:12:21","IsoTimestamp":"2021-03-15T10:12:21Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"294","Desc":"Store password","Severity":"Info","Issuer":"PasswordManager","Action":"Store password","SourceUser":"","TargetUser":"","Safe":"Test","File":"Root\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountA","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Store password","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WinDesktopLocal"},{"Name":"UserName","Value":"x_accountA"},{"Name":"Address","Value":"components"},{"Name":"ResetImmediately","Value":"ChangeTask"},{"Name":"InProcess","Value":"ChangeTask"},{"Name":"SequenceID","Value":"27"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastTask","Value":"ChangeTask"},{"Name":"StartChangeNotBefore","Value":"1615754905"},{"Name":"GroupName","Value":"WindowsGroup"},{"Name":"LastSuccessChange","Value":"1615231204"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"},{"Name":"Index","Value":"1"},{"Name":"DualAccountStatus","Value":"Inactive"},{"Name":"VirtualUsername","Value":"virtual"}]}}}} +<5>1 2021-03-15T13:13:01Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 06:13:01\n 2021-03-15T13:13:01Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 294\n Store password\n Info\n Administrator\n Store password\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 127.0.0.1\n \n \n \n \n \n Store password\n 10.0.1.20\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 06:13:01","IsoTimestamp":"2021-03-15T13:13:01Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"294","Desc":"Store password","Severity":"Info","Issuer":"Administrator","Action":"Store password","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-34.123.103.115-testark","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Store password","GatewayStation":"10.0.1.20","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastFailDate","Value":"1615813465"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"LastSuccessVerification","Value":"1615803764"},{"Name":"CPMErrorDetails","Value":"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/294_store_password.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/294_store_password.log-expected.json new file mode 100644 index 00000000000..c3afc5ec8df --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/294_store_password.log-expected.json @@ -0,0 +1,521 @@ +[ + { + "@timestamp": "2021-03-08T10:19:42.000Z", + "cyberarkpas.audit.action": "Store password", + "cyberarkpas.audit.ca_properties.cpm_status": "failure", + "cyberarkpas.audit.ca_properties.curr_ind": "2", + "cyberarkpas.audit.ca_properties.in_process": "ChangeTask", + "cyberarkpas.audit.ca_properties.last_success_change": "1615198782", + "cyberarkpas.audit.ca_properties.last_task": "ChangeTask", + "cyberarkpas.audit.ca_properties.policy_id": "WindowsDesktopLocalAccountsRotationalPolicy", + "cyberarkpas.audit.desc": "Store password", + "cyberarkpas.audit.file": "Root\\Groups\\WindowsGroup", + "cyberarkpas.audit.iso_timestamp": "2021-03-08T10:19:42Z", + "cyberarkpas.audit.issuer": "PasswordManager", + "cyberarkpas.audit.message": "Store password", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "Test", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "10.0.1.20", + "cyberarkpas.audit.timestamp": "Mar 08 02:19:42", + "event.action": "store password", + "event.code": "294", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "file.path": "Root\\Groups\\WindowsGroup", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 0, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "10.0.1.20" + ], + "service.type": "cyberarkpas", + "source.address": "10.0.1.20", + "source.ip": "10.0.1.20", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + }, + { + "@timestamp": "2021-03-08T18:24:49.000Z", + "cyberarkpas.audit.action": "Store password", + "cyberarkpas.audit.desc": "Store password", + "cyberarkpas.audit.file": "Root\\Operating System-WinDesktopLocal-Address-adriansr", + "cyberarkpas.audit.gateway_station": "10.0.1.20", + "cyberarkpas.audit.iso_timestamp": "2021-03-08T18:24:49Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Store password", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "Test", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "127.0.0.1", + "cyberarkpas.audit.timestamp": "Mar 08 10:24:49", + "destination.address": "10.0.1.20", + "destination.ip": "10.0.1.20", + "event.action": "store password", + "event.code": "294", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "file.path": "Root\\Operating System-WinDesktopLocal-Address-adriansr", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 907, + "log.syslog.priority": "5", + "network.direction": "internal", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "127.0.0.1", + "10.0.1.20" + ], + "service.type": "cyberarkpas", + "source.address": "127.0.0.1", + "source.ip": "127.0.0.1", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + }, + { + "@timestamp": "2021-03-08T19:20:02.000Z", + "cyberarkpas.audit.action": "Store password", + "cyberarkpas.audit.ca_properties.address": "components", + "cyberarkpas.audit.ca_properties.cpm_status": "failure", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.device_type": "Operating System", + "cyberarkpas.audit.ca_properties.dual_account_status": "Inactive", + "cyberarkpas.audit.ca_properties.group_name": "WindowsGroup", + "cyberarkpas.audit.ca_properties.in_process": "ChangeTask", + "cyberarkpas.audit.ca_properties.index": "1", + "cyberarkpas.audit.ca_properties.last_success_change": "1614785704", + "cyberarkpas.audit.ca_properties.last_task": "ChangeTask", + "cyberarkpas.audit.ca_properties.policy_id": "WinDesktopLocal", + "cyberarkpas.audit.ca_properties.reset_immediately": "ChangeTask", + "cyberarkpas.audit.ca_properties.retries_count": "0", + "cyberarkpas.audit.ca_properties.sequence_id": "26", + "cyberarkpas.audit.ca_properties.start_change_not_before": "1615231182", + "cyberarkpas.audit.ca_properties.user_name": "x_accountA", + "cyberarkpas.audit.ca_properties.virtual_username": "virtual", + "cyberarkpas.audit.desc": "Store password", + "cyberarkpas.audit.file": "Root\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountA", + "cyberarkpas.audit.iso_timestamp": "2021-03-08T19:20:02Z", + "cyberarkpas.audit.issuer": "PasswordManager", + "cyberarkpas.audit.message": "Store password", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "Test", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "10.0.1.20", + "cyberarkpas.audit.timestamp": "Mar 08 11:20:02", + "event.action": "store password", + "event.code": "294", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "file.path": "Root\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountA", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 1541, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "10.0.1.20" + ], + "service.type": "cyberarkpas", + "source.address": "10.0.1.20", + "source.ip": "10.0.1.20", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + }, + { + "@timestamp": "2021-03-10T14:38:57.000Z", + "cyberarkpas.audit.action": "Store password", + "cyberarkpas.audit.ca_properties.cpm_status": "failure", + "cyberarkpas.audit.ca_properties.curr_ind": "1", + "cyberarkpas.audit.ca_properties.in_process": "ChangeTask", + "cyberarkpas.audit.ca_properties.last_success_change": "1615387136", + "cyberarkpas.audit.ca_properties.last_task": "ChangeTask", + "cyberarkpas.audit.ca_properties.policy_id": "WindowsDesktopLocalAccountsRotationalPolicy", + "cyberarkpas.audit.desc": "Store password", + "cyberarkpas.audit.file": "Root\\Groups\\WindowsGroup", + "cyberarkpas.audit.iso_timestamp": "2021-03-10T14:38:57Z", + "cyberarkpas.audit.issuer": "PasswordManager", + "cyberarkpas.audit.message": "Store password", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "Test", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "10.0.1.20", + "cyberarkpas.audit.timestamp": "Mar 10 06:38:57", + "event.action": "store password", + "event.code": "294", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "file.path": "Root\\Groups\\WindowsGroup", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 2960, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "10.0.1.20" + ], + "service.type": "cyberarkpas", + "source.address": "10.0.1.20", + "source.ip": "10.0.1.20", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + }, + { + "@timestamp": "2021-03-10T17:58:06.000Z", + "cyberarkpas.audit.action": "Store password", + "cyberarkpas.audit.desc": "Store password", + "cyberarkpas.audit.file": "Root\\PSMServer", + "cyberarkpas.audit.iso_timestamp": "2021-03-10T17:58:06Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Store password", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "PSM", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.timestamp": "Mar 10 09:58:06", + "event.action": "store password", + "event.code": "294", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "file.path": "Root\\PSMServer", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 3867, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + }, + { + "@timestamp": "2021-03-10T22:17:26.000Z", + "cyberarkpas.audit.action": "Store password", + "cyberarkpas.audit.desc": "Store password", + "cyberarkpas.audit.file": "Root\\PSM-ASR-CYBERARK-WI", + "cyberarkpas.audit.iso_timestamp": "2021-03-10T22:17:26Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Store password", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "PSM", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "35.192.121.42", + "cyberarkpas.audit.timestamp": "Mar 10 14:17:26", + "event.action": "store password", + "event.code": "294", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "file.path": "Root\\PSM-ASR-CYBERARK-WI", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 4455, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "35.192.121.42" + ], + "service.type": "cyberarkpas", + "source.address": "35.192.121.42", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 38.6583, + "source.geo.location.lon": -77.2481, + "source.geo.region_iso_code": "US-VA", + "source.geo.region_name": "Virginia", + "source.ip": "35.192.121.42", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + }, + { + "@timestamp": "2021-03-10T23:39:25.000Z", + "cyberarkpas.audit.action": "Store password", + "cyberarkpas.audit.ca_properties.address": "components", + "cyberarkpas.audit.ca_properties.cpm_status": "failure", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.device_type": "Operating System", + "cyberarkpas.audit.ca_properties.dual_account_status": "Inactive", + "cyberarkpas.audit.ca_properties.group_name": "WindowsGroup", + "cyberarkpas.audit.ca_properties.in_process": "ChangeTask", + "cyberarkpas.audit.ca_properties.index": "2", + "cyberarkpas.audit.ca_properties.last_success_change": "1614868762", + "cyberarkpas.audit.ca_properties.last_task": "ChangeTask", + "cyberarkpas.audit.ca_properties.policy_id": "WinDesktopLocal", + "cyberarkpas.audit.ca_properties.reset_immediately": "ChangeTask", + "cyberarkpas.audit.ca_properties.retries_count": "0", + "cyberarkpas.audit.ca_properties.sequence_id": "24", + "cyberarkpas.audit.ca_properties.start_change_not_before": "1615419536", + "cyberarkpas.audit.ca_properties.user_name": "x_accountB", + "cyberarkpas.audit.ca_properties.virtual_username": "virtual", + "cyberarkpas.audit.desc": "Store password", + "cyberarkpas.audit.file": "Root\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountB", + "cyberarkpas.audit.iso_timestamp": "2021-03-10T23:39:25Z", + "cyberarkpas.audit.issuer": "PasswordManager", + "cyberarkpas.audit.message": "Store password", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "Test", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "10.0.1.20", + "cyberarkpas.audit.timestamp": "Mar 10 15:39:25", + "event.action": "store password", + "event.code": "294", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "file.path": "Root\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountB", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 5053, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "10.0.1.20" + ], + "service.type": "cyberarkpas", + "source.address": "10.0.1.20", + "source.ip": "10.0.1.20", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + }, + { + "@timestamp": "2021-03-14T11:48:26.000Z", + "cyberarkpas.audit.action": "Store password", + "cyberarkpas.audit.ca_properties.cpm_status": "failure", + "cyberarkpas.audit.ca_properties.curr_ind": "2", + "cyberarkpas.audit.ca_properties.in_process": "ChangeTask", + "cyberarkpas.audit.ca_properties.last_success_change": "1615722505", + "cyberarkpas.audit.ca_properties.last_task": "ChangeTask", + "cyberarkpas.audit.ca_properties.policy_id": "WindowsDesktopLocalAccountsRotationalPolicy", + "cyberarkpas.audit.desc": "Store password", + "cyberarkpas.audit.file": "Root\\Groups\\WindowsGroup", + "cyberarkpas.audit.iso_timestamp": "2021-03-14T11:48:26Z", + "cyberarkpas.audit.issuer": "PasswordManager", + "cyberarkpas.audit.message": "Store password", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 14 04:48:26\n 2021-03-14T11:48:26Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 294\n Store password\n Info\n PasswordManager\n Store password\n \n \n Test\n Root\\Groups\\WindowsGroup\n 10.0.1.20\n \n \n \n \n \n Store password\n \n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "Test", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "10.0.1.20", + "cyberarkpas.audit.timestamp": "Mar 14 04:48:26", + "event.action": "store password", + "event.code": "294", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "file.path": "Root\\Groups\\WindowsGroup", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 6472, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "10.0.1.20" + ], + "service.type": "cyberarkpas", + "source.address": "10.0.1.20", + "source.ip": "10.0.1.20", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + }, + { + "@timestamp": "2021-03-15T10:12:21.000Z", + "cyberarkpas.audit.action": "Store password", + "cyberarkpas.audit.ca_properties.address": "components", + "cyberarkpas.audit.ca_properties.cpm_status": "failure", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.device_type": "Operating System", + "cyberarkpas.audit.ca_properties.dual_account_status": "Inactive", + "cyberarkpas.audit.ca_properties.group_name": "WindowsGroup", + "cyberarkpas.audit.ca_properties.in_process": "ChangeTask", + "cyberarkpas.audit.ca_properties.index": "1", + "cyberarkpas.audit.ca_properties.last_success_change": "1615231204", + "cyberarkpas.audit.ca_properties.last_task": "ChangeTask", + "cyberarkpas.audit.ca_properties.policy_id": "WinDesktopLocal", + "cyberarkpas.audit.ca_properties.reset_immediately": "ChangeTask", + "cyberarkpas.audit.ca_properties.retries_count": "0", + "cyberarkpas.audit.ca_properties.sequence_id": "27", + "cyberarkpas.audit.ca_properties.start_change_not_before": "1615754905", + "cyberarkpas.audit.ca_properties.user_name": "x_accountA", + "cyberarkpas.audit.ca_properties.virtual_username": "virtual", + "cyberarkpas.audit.desc": "Store password", + "cyberarkpas.audit.file": "Root\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountA", + "cyberarkpas.audit.iso_timestamp": "2021-03-15T10:12:21Z", + "cyberarkpas.audit.issuer": "PasswordManager", + "cyberarkpas.audit.message": "Store password", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 15 03:12:21\n 2021-03-15T10:12:21Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 294\n Store password\n Info\n PasswordManager\n Store password\n \n \n Test\n Root\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountA\n 10.0.1.20\n \n \n \n \n \n Store password\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "Test", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "10.0.1.20", + "cyberarkpas.audit.timestamp": "Mar 15 03:12:21", + "event.action": "store password", + "event.code": "294", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "file.path": "Root\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountA", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 8761, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "10.0.1.20" + ], + "service.type": "cyberarkpas", + "source.address": "10.0.1.20", + "source.ip": "10.0.1.20", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + }, + { + "@timestamp": "2021-03-15T13:13:01.000Z", + "cyberarkpas.audit.action": "Store password", + "cyberarkpas.audit.ca_properties.address": "34.123.103.115", + "cyberarkpas.audit.ca_properties.cpm_error_details": "First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031", + "cyberarkpas.audit.ca_properties.cpm_status": "failure", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.device_type": "Operating System", + "cyberarkpas.audit.ca_properties.last_fail_date": "1615813465", + "cyberarkpas.audit.ca_properties.last_success_verification": "1615803764", + "cyberarkpas.audit.ca_properties.last_task": "ReconcileTask", + "cyberarkpas.audit.ca_properties.policy_id": "UnixSSH", + "cyberarkpas.audit.ca_properties.reset_immediately": "ReconcileTask", + "cyberarkpas.audit.ca_properties.retries_count": "0", + "cyberarkpas.audit.ca_properties.user_name": "testark", + "cyberarkpas.audit.desc": "Store password", + "cyberarkpas.audit.file": "Root\\Operating System-UnixSSH-34.123.103.115-testark", + "cyberarkpas.audit.gateway_station": "10.0.1.20", + "cyberarkpas.audit.iso_timestamp": "2021-03-15T13:13:01Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Store password", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 15 06:13:01\n 2021-03-15T13:13:01Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 294\n Store password\n Info\n Administrator\n Store password\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 127.0.0.1\n \n \n \n \n \n Store password\n 10.0.1.20\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "partner", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "127.0.0.1", + "cyberarkpas.audit.timestamp": "Mar 15 06:13:01", + "destination.address": "10.0.1.20", + "destination.ip": "10.0.1.20", + "event.action": "store password", + "event.code": "294", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "file.path": "Root\\Operating System-UnixSSH-34.123.103.115-testark", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 12415, + "log.syslog.priority": "5", + "network.direction": "internal", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "127.0.0.1", + "10.0.1.20" + ], + "service.type": "cyberarkpas", + "source.address": "127.0.0.1", + "source.ip": "127.0.0.1", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/295_retrieve_password.log b/x-pack/filebeat/module/cyberarkpas/audit/test/295_retrieve_password.log new file mode 100644 index 00000000000..b7413a20012 --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/295_retrieve_password.log @@ -0,0 +1,13 @@ +{"format":"elastic","version":"1.0","raw":"\n \n no\n Cyber-Ark\n Vault\n 11.6.0000\n 295\n Retrieve password\n Info\n Prov_PVWA\n Retrieve password\n \n \n Linux\n Root\\Operating System-LINUX-SSH-radiussrv.cyberark.local-admin2\n 10.2.0.3\n \n \n \n AIM password request\n \n Retrieve password\n \n \n \n \n \n \n \n \n \n \n \n","syslog":{"audit_record":{"Rfc5424":"no","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.6.0000","MessageID":"295","IsoTimestamp":"2021-03-16T15:01:00Z","Desc":"Retrieve password","Severity":"Info","Issuer":"Prov_PVWA","Action":"Retrieve password","SourceUser":"","TargetUser":"","Safe":"Linux","File":"Root\\Operating System-LINUX-SSH-radiussrv.cyberark.local-admin2","Station":"10.2.0.3","Location":"","Category":"","RequestId":"","Reason":"AIM password request","ExtraDetails":"","Message":"Retrieve password","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"LINUX-SSH"},{"Name":"UserName","Value":"admin2"},{"Name":"Address","Value":"radiussrv.cyberark.local"},{"Name":"DeviceType","Value":"Operating System"},{"Name":"CPMDisabled","Value":"No Reason"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"Customer","Value":"Nobody"}]}}}} +{"format":"elastic","version":"1.0","raw":"\n \n no\n Cyber-Ark\n Vault\n 11.6.0000\n 295\n Retrieve password\n Info\n adm2\n Retrieve password\n \n \n Windows\n Root\\Operating System-WIN-SERVER-LOCAL-dbserver.cyberark.local-Administrator2\n 10.2.0.6\n \n \n \n (Action: Show Password)\n \n \n Show Password\n \n\n \n Retrieve password\n 10.2.0.3\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n","syslog":{"audit_record":{"Rfc5424":"no","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.6.0000","MessageID":"295","IsoTimestamp":"2021-03-16T15:01:00Z","Desc":"Retrieve password","Severity":"Info","Issuer":"adm2","Action":"Retrieve password","SourceUser":"","TargetUser":"","Safe":"Windows","File":"Root\\Operating System-WIN-SERVER-LOCAL-dbserver.cyberark.local-Administrator2","Station":"10.2.0.6","Location":"","Category":"","RequestId":"","Reason":"(Action: Show Password)","PvwaDetails":{"RetrieveReason":{"General":{"RetrieveAction":"Show Password"}}},"ExtraDetails":"","Message":"Retrieve password","GatewayStation":"10.2.0.3","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WIN-SERVER-LOCAL"},{"Name":"UserName","Value":"Administrator2"},{"Name":"Address","Value":"dbserver.cyberark.local"},{"Name":"DeviceType","Value":"Operating System"},{"Name":"LogonDomain","Value":"DBServer"},{"Name":"SequenceID","Value":"1"},{"Name":"RetriesCount","Value":"-1"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"success"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"LastSuccessReconciliation","Value":"1604944215"},{"Name":"Customer","Value":"EvilCorp"}]}}}} +<5>1 2021-03-08T18:16:51Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 08 10:16:51","IsoTimestamp":"2021-03-08T18:16:51Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"295","Desc":"Retrieve password","Severity":"Info","Issuer":"Administrator","Action":"Retrieve password","SourceUser":"","TargetUser":"","Safe":"Test","File":"Root\\testobject","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"testing","ExtraDetails":"","Message":"Retrieve password","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WinDesktopLocal"},{"Name":"UserName","Value":"test"},{"Name":"Address","Value":"test"},{"Name":"CPMDisabled","Value":"testing"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-08T19:19:59Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 08 11:19:59","IsoTimestamp":"2021-03-08T19:19:59Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"295","Desc":"Retrieve password","Severity":"Info","Issuer":"PasswordManager","Action":"Retrieve password","SourceUser":"","TargetUser":"","Safe":"Test","File":"Root\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountA","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"CPM","ExtraDetails":"","Message":"Retrieve password","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WinDesktopLocal"},{"Name":"UserName","Value":"x_accountA"},{"Name":"Address","Value":"components"},{"Name":"ResetImmediately","Value":"ChangeTask"},{"Name":"InProcess","Value":"ChangeTask"},{"Name":"SequenceID","Value":"26"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastTask","Value":"ChangeTask"},{"Name":"StartChangeNotBefore","Value":"1615231182"},{"Name":"GroupName","Value":"WindowsGroup"},{"Name":"LastSuccessChange","Value":"1614785704"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"},{"Name":"Index","Value":"1"},{"Name":"DualAccountStatus","Value":"Inactive"},{"Name":"VirtualUsername","Value":"virtual"}]}}}} +<5>1 2021-03-08T19:20:02Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 08 11:20:02","IsoTimestamp":"2021-03-08T19:20:02Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"295","Desc":"Retrieve password","Severity":"Info","Issuer":"PasswordManager","Action":"Retrieve password","SourceUser":"","TargetUser":"","Safe":"Test","File":"Root\\Groups\\WindowsGroup","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"CPM","ExtraDetails":"","Message":"Retrieve password","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WindowsDesktopLocalAccountsRotationalPolicy"},{"Name":"CPMStatus","Value":"success"},{"Name":"LastTask","Value":"ChangeTask"},{"Name":"LastSuccessChange","Value":"1615198782"},{"Name":"CurrInd","Value":"2"}]}}}} +<5>1 2021-03-10T14:40:37Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 06:40:37","IsoTimestamp":"2021-03-10T14:40:37Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"295","Desc":"Retrieve password","Severity":"Info","Issuer":"Prov_COMPONENTS","Action":"Retrieve password","SourceUser":"","TargetUser":"","Safe":"Test","File":"Root\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountA","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"Application provider background refresh job","ExtraDetails":"","Message":"Retrieve password","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WinDesktopLocal"},{"Name":"UserName","Value":"x_accountA"},{"Name":"Address","Value":"components"},{"Name":"SequenceID","Value":"27"},{"Name":"CPMStatus","Value":"success"},{"Name":"RetriesCount","Value":"-1"},{"Name":"LastTask","Value":"ChangeTask"},{"Name":"GroupName","Value":"WindowsGroup"},{"Name":"LastSuccessChange","Value":"1615231204"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"},{"Name":"Index","Value":"1"},{"Name":"DualAccountStatus","Value":"Active"},{"Name":"VirtualUsername","Value":"virtual"}]}}}} +<5>1 2021-03-10T18:27:57Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 10:27:57","IsoTimestamp":"2021-03-10T18:27:57Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"295","Desc":"Retrieve password","Severity":"Info","Issuer":"Administrator","Action":"Retrieve password","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\PSMAdmin","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"test","ExtraDetails":"","Message":"Retrieve password","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"UserName","Value":"PSMAdminConnect"},{"Name":"Address","Value":"169.254.180.25"},{"Name":"LogonDomain","Value":"VAGRANT-2012-R2"}]}}}} +<5>1 2021-03-10T18:28:07Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 10:28:07","IsoTimestamp":"2021-03-10T18:28:07Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"295","Desc":"Retrieve password","Severity":"Info","Issuer":"Administrator","Action":"Retrieve password","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\PSMServer","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"test","ExtraDetails":"","Message":"Retrieve password","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"UserName","Value":"PSMConnect"},{"Name":"Address","Value":"169.254.180.25"},{"Name":"LogonDomain","Value":"VAGRANT-2012-R2"}]}}}} +<5>1 2021-03-10T23:39:22Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 15:39:22","IsoTimestamp":"2021-03-10T23:39:22Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"295","Desc":"Retrieve password","Severity":"Info","Issuer":"PasswordManager","Action":"Retrieve password","SourceUser":"","TargetUser":"","Safe":"Test","File":"Root\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountB","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"CPM","ExtraDetails":"","Message":"Retrieve password","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WinDesktopLocal"},{"Name":"UserName","Value":"x_accountB"},{"Name":"Address","Value":"components"},{"Name":"ResetImmediately","Value":"ChangeTask"},{"Name":"InProcess","Value":"ChangeTask"},{"Name":"SequenceID","Value":"24"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastTask","Value":"ChangeTask"},{"Name":"StartChangeNotBefore","Value":"1615419536"},{"Name":"GroupName","Value":"WindowsGroup"},{"Name":"LastSuccessChange","Value":"1614868762"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"},{"Name":"Index","Value":"2"},{"Name":"DualAccountStatus","Value":"Inactive"},{"Name":"VirtualUsername","Value":"virtual"}]}}}} +<5>1 2021-03-10T23:39:25Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 15:39:25","IsoTimestamp":"2021-03-10T23:39:25Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"295","Desc":"Retrieve password","Severity":"Info","Issuer":"PasswordManager","Action":"Retrieve password","SourceUser":"","TargetUser":"","Safe":"Test","File":"Root\\Groups\\WindowsGroup","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"CPM","ExtraDetails":"","Message":"Retrieve password","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WindowsDesktopLocalAccountsRotationalPolicy"},{"Name":"CPMStatus","Value":"success"},{"Name":"LastTask","Value":"ChangeTask"},{"Name":"LastSuccessChange","Value":"1615387136"},{"Name":"CurrInd","Value":"1"}]}}}} +<5>1 2021-03-11T16:41:21Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 08:41:21\n 2021-03-11T16:41:21Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 295\n Retrieve password\n Info\n Administrator\n Retrieve password\n \n \n PSM\n Root\\PSMAdmin\n 127.0.0.1\n \n \n \n lksajdflkasdf\n \n Retrieve password\n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 08:41:21","IsoTimestamp":"2021-03-11T16:41:21Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"295","Desc":"Retrieve password","Severity":"Info","Issuer":"Administrator","Action":"Retrieve password","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\PSMAdmin","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"lksajdflkasdf","ExtraDetails":"","Message":"Retrieve password","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"UserName","Value":"PSMAdminConnect"},{"Name":"Address","Value":"169.254.180.25"},{"Name":"LogonDomain","Value":"VAGRANT-2012-R2"}]}}}} +<5>1 2021-03-11T16:50:28Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 08:50:28\n 2021-03-11T16:50:28Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 295\n Retrieve password\n Info\n PVWAAppUser\n Retrieve password\n \n \n PSM\n Root\\PSMServer\n 10.0.1.20\n \n \n \n \n \n Retrieve password\n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 08:50:28","IsoTimestamp":"2021-03-11T16:50:28Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"295","Desc":"Retrieve password","Severity":"Info","Issuer":"PVWAAppUser","Action":"Retrieve password","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\PSMServer","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Retrieve password","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"UserName","Value":"PSMConnect"},{"Name":"Address","Value":"169.254.180.25"},{"Name":"LogonDomain","Value":"VAGRANT-2012-R2"}]}}}} +<5>1 2021-03-11T16:54:20Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 08:54:20\n 2021-03-11T16:54:20Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 295\n Retrieve password\n Info\n Administrator\n Retrieve password\n \n \n PSM\n Root\\Operating System-UnixSSH-centos8-PSMApp_VAGRANT\n 127.0.0.1\n \n \n \n sdfsdf\n \n Retrieve password\n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 08:54:20","IsoTimestamp":"2021-03-11T16:54:20Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"295","Desc":"Retrieve password","Severity":"Info","Issuer":"Administrator","Action":"Retrieve password","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSH-centos8-PSMApp_VAGRANT","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"sdfsdf","ExtraDetails":"","Message":"Retrieve password","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"PSMApp_VAGRANT"},{"Name":"Address","Value":"centos8"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/295_retrieve_password.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/295_retrieve_password.log-expected.json new file mode 100644 index 00000000000..e3afb5cf05a --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/295_retrieve_password.log-expected.json @@ -0,0 +1,880 @@ +[ + { + "@timestamp": "2021-03-16T15:01:00.000Z", + "cyberarkpas.audit.action": "Retrieve password", + "cyberarkpas.audit.ca_properties.address": "radiussrv.cyberark.local", + "cyberarkpas.audit.ca_properties.cpm_disabled": "No Reason", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.customer": "Nobody", + "cyberarkpas.audit.ca_properties.device_type": "Operating System", + "cyberarkpas.audit.ca_properties.policy_id": "LINUX-SSH", + "cyberarkpas.audit.ca_properties.user_name": "admin2", + "cyberarkpas.audit.desc": "Retrieve password", + "cyberarkpas.audit.file": "Root\\Operating System-LINUX-SSH-radiussrv.cyberark.local-admin2", + "cyberarkpas.audit.iso_timestamp": "2021-03-16T15:01:00Z", + "cyberarkpas.audit.issuer": "Prov_PVWA", + "cyberarkpas.audit.message": "Retrieve password", + "cyberarkpas.audit.raw": "\n \n no\n Cyber-Ark\n Vault\n 11.6.0000\n 295\n Retrieve password\n Info\n Prov_PVWA\n Retrieve password\n \n \n Linux\n Root\\Operating System-LINUX-SSH-radiussrv.cyberark.local-admin2\n 10.2.0.3\n \n \n \n AIM password request\n \n Retrieve password\n \n \n \n \n \n \n \n \n \n \n \n", + "cyberarkpas.audit.reason": "AIM password request", + "cyberarkpas.audit.rfc5424": false, + "cyberarkpas.audit.safe": "Linux", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "10.2.0.3", + "destination.address": "radiussrv.cyberark.local", + "destination.domain": "radiussrv.cyberark.local", + "destination.user.name": "admin2", + "event.action": "retrieve password", + "event.category": [ + "iam" + ], + "event.code": "295", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.reason": "AIM password request", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "admin", + "access" + ], + "file.path": "Root\\Operating System-LINUX-SSH-radiussrv.cyberark.local-admin2", + "fileset.name": "audit", + "input.type": "log", + "log.offset": 0, + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.6.0000", + "related.ip": [ + "10.2.0.3" + ], + "related.user": [ + "Prov_PVWA", + "admin2" + ], + "service.type": "cyberarkpas", + "source.address": "10.2.0.3", + "source.ip": "10.2.0.3", + "source.user.name": "Prov_PVWA", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "Prov_PVWA" + }, + { + "@timestamp": "2021-03-16T15:01:00.000Z", + "cyberarkpas.audit.action": "Retrieve password", + "cyberarkpas.audit.ca_properties.address": "dbserver.cyberark.local", + "cyberarkpas.audit.ca_properties.cpm_status": "success", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.customer": "EvilCorp", + "cyberarkpas.audit.ca_properties.device_type": "Operating System", + "cyberarkpas.audit.ca_properties.last_success_reconciliation": "1604944215", + "cyberarkpas.audit.ca_properties.last_task": "ReconcileTask", + "cyberarkpas.audit.ca_properties.logon_domain": "DBServer", + "cyberarkpas.audit.ca_properties.policy_id": "WIN-SERVER-LOCAL", + "cyberarkpas.audit.ca_properties.retries_count": "-1", + "cyberarkpas.audit.ca_properties.sequence_id": "1", + "cyberarkpas.audit.ca_properties.user_name": "Administrator2", + "cyberarkpas.audit.desc": "Retrieve password", + "cyberarkpas.audit.file": "Root\\Operating System-WIN-SERVER-LOCAL-dbserver.cyberark.local-Administrator2", + "cyberarkpas.audit.gateway_station": "10.2.0.3", + "cyberarkpas.audit.iso_timestamp": "2021-03-16T15:01:00Z", + "cyberarkpas.audit.issuer": "adm2", + "cyberarkpas.audit.message": "Retrieve password", + "cyberarkpas.audit.pvwa_details.retrieve_reason.general.retrieve_action": "Show Password", + "cyberarkpas.audit.raw": "\n \n no\n Cyber-Ark\n Vault\n 11.6.0000\n 295\n Retrieve password\n Info\n adm2\n Retrieve password\n \n \n Windows\n Root\\Operating System-WIN-SERVER-LOCAL-dbserver.cyberark.local-Administrator2\n 10.2.0.6\n \n \n \n (Action: Show Password)\n \n \n Show Password\n \n\n \n Retrieve password\n 10.2.0.3\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n", + "cyberarkpas.audit.reason": "(Action: Show Password)", + "cyberarkpas.audit.rfc5424": false, + "cyberarkpas.audit.safe": "Windows", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "10.2.0.6", + "destination.address": "dbserver.cyberark.local", + "destination.domain": "dbserver.cyberark.local", + "destination.user.name": "Administrator2", + "event.action": "retrieve password", + "event.category": [ + "iam" + ], + "event.code": "295", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.reason": "(Action: Show Password)", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "admin", + "access" + ], + "file.path": "Root\\Operating System-WIN-SERVER-LOCAL-dbserver.cyberark.local-Administrator2", + "fileset.name": "audit", + "input.type": "log", + "log.offset": 2272, + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.6.0000", + "related.ip": [ + "10.2.0.6", + "10.2.0.3" + ], + "related.user": [ + "adm2", + "Administrator2" + ], + "service.type": "cyberarkpas", + "source.address": "10.2.0.6", + "source.ip": "10.2.0.6", + "source.user.name": "adm2", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "adm2" + }, + { + "@timestamp": "2021-03-08T18:16:51.000Z", + "cyberarkpas.audit.action": "Retrieve password", + "cyberarkpas.audit.ca_properties.address": "test", + "cyberarkpas.audit.ca_properties.cpm_disabled": "testing", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.device_type": "Operating System", + "cyberarkpas.audit.ca_properties.policy_id": "WinDesktopLocal", + "cyberarkpas.audit.ca_properties.user_name": "test", + "cyberarkpas.audit.desc": "Retrieve password", + "cyberarkpas.audit.file": "Root\\testobject", + "cyberarkpas.audit.iso_timestamp": "2021-03-08T18:16:51Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Retrieve password", + "cyberarkpas.audit.reason": "testing", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "Test", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "10.0.1.20", + "cyberarkpas.audit.timestamp": "Mar 08 10:16:51", + "destination.address": "test", + "destination.domain": "test", + "destination.user.name": "test", + "event.action": "retrieve password", + "event.category": [ + "iam" + ], + "event.code": "295", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.reason": "testing", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "admin", + "access" + ], + "file.path": "Root\\testobject", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 5424, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "10.0.1.20" + ], + "related.user": [ + "Administrator", + "test" + ], + "service.type": "cyberarkpas", + "source.address": "10.0.1.20", + "source.ip": "10.0.1.20", + "source.user.name": "Administrator", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "Administrator" + }, + { + "@timestamp": "2021-03-08T19:19:59.000Z", + "cyberarkpas.audit.action": "Retrieve password", + "cyberarkpas.audit.ca_properties.address": "components", + "cyberarkpas.audit.ca_properties.cpm_status": "failure", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.device_type": "Operating System", + "cyberarkpas.audit.ca_properties.dual_account_status": "Inactive", + "cyberarkpas.audit.ca_properties.group_name": "WindowsGroup", + "cyberarkpas.audit.ca_properties.in_process": "ChangeTask", + "cyberarkpas.audit.ca_properties.index": "1", + "cyberarkpas.audit.ca_properties.last_success_change": "1614785704", + "cyberarkpas.audit.ca_properties.last_task": "ChangeTask", + "cyberarkpas.audit.ca_properties.policy_id": "WinDesktopLocal", + "cyberarkpas.audit.ca_properties.reset_immediately": "ChangeTask", + "cyberarkpas.audit.ca_properties.retries_count": "0", + "cyberarkpas.audit.ca_properties.sequence_id": "26", + "cyberarkpas.audit.ca_properties.start_change_not_before": "1615231182", + "cyberarkpas.audit.ca_properties.user_name": "x_accountA", + "cyberarkpas.audit.ca_properties.virtual_username": "virtual", + "cyberarkpas.audit.desc": "Retrieve password", + "cyberarkpas.audit.file": "Root\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountA", + "cyberarkpas.audit.iso_timestamp": "2021-03-08T19:19:59Z", + "cyberarkpas.audit.issuer": "PasswordManager", + "cyberarkpas.audit.message": "Retrieve password", + "cyberarkpas.audit.reason": "CPM", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "Test", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "10.0.1.20", + "cyberarkpas.audit.timestamp": "Mar 08 11:19:59", + "destination.address": "components", + "destination.domain": "components", + "destination.user.name": "x_accountA", + "event.action": "retrieve password", + "event.category": [ + "iam" + ], + "event.code": "295", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.reason": "CPM", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "admin", + "access" + ], + "file.path": "Root\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountA", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 6304, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "10.0.1.20" + ], + "related.user": [ + "PasswordManager", + "x_accountA" + ], + "service.type": "cyberarkpas", + "source.address": "10.0.1.20", + "source.ip": "10.0.1.20", + "source.user.name": "PasswordManager", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "PasswordManager" + }, + { + "@timestamp": "2021-03-08T19:20:02.000Z", + "cyberarkpas.audit.action": "Retrieve password", + "cyberarkpas.audit.ca_properties.cpm_status": "success", + "cyberarkpas.audit.ca_properties.curr_ind": "2", + "cyberarkpas.audit.ca_properties.last_success_change": "1615198782", + "cyberarkpas.audit.ca_properties.last_task": "ChangeTask", + "cyberarkpas.audit.ca_properties.policy_id": "WindowsDesktopLocalAccountsRotationalPolicy", + "cyberarkpas.audit.desc": "Retrieve password", + "cyberarkpas.audit.file": "Root\\Groups\\WindowsGroup", + "cyberarkpas.audit.iso_timestamp": "2021-03-08T19:20:02Z", + "cyberarkpas.audit.issuer": "PasswordManager", + "cyberarkpas.audit.message": "Retrieve password", + "cyberarkpas.audit.reason": "CPM", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "Test", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "10.0.1.20", + "cyberarkpas.audit.timestamp": "Mar 08 11:20:02", + "event.action": "retrieve password", + "event.category": [ + "iam" + ], + "event.code": "295", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.reason": "CPM", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "admin", + "access" + ], + "file.path": "Root\\Groups\\WindowsGroup", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 7735, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "10.0.1.20" + ], + "related.user": [ + "PasswordManager" + ], + "service.type": "cyberarkpas", + "source.address": "10.0.1.20", + "source.ip": "10.0.1.20", + "source.user.name": "PasswordManager", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "PasswordManager" + }, + { + "@timestamp": "2021-03-10T14:40:37.000Z", + "cyberarkpas.audit.action": "Retrieve password", + "cyberarkpas.audit.ca_properties.address": "components", + "cyberarkpas.audit.ca_properties.cpm_status": "success", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.device_type": "Operating System", + "cyberarkpas.audit.ca_properties.dual_account_status": "Active", + "cyberarkpas.audit.ca_properties.group_name": "WindowsGroup", + "cyberarkpas.audit.ca_properties.index": "1", + "cyberarkpas.audit.ca_properties.last_success_change": "1615231204", + "cyberarkpas.audit.ca_properties.last_task": "ChangeTask", + "cyberarkpas.audit.ca_properties.policy_id": "WinDesktopLocal", + "cyberarkpas.audit.ca_properties.retries_count": "-1", + "cyberarkpas.audit.ca_properties.sequence_id": "27", + "cyberarkpas.audit.ca_properties.user_name": "x_accountA", + "cyberarkpas.audit.ca_properties.virtual_username": "virtual", + "cyberarkpas.audit.desc": "Retrieve password", + "cyberarkpas.audit.file": "Root\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountA", + "cyberarkpas.audit.iso_timestamp": "2021-03-10T14:40:37Z", + "cyberarkpas.audit.issuer": "Prov_COMPONENTS", + "cyberarkpas.audit.message": "Retrieve password", + "cyberarkpas.audit.reason": "Application provider background refresh job", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "Test", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "10.0.1.20", + "cyberarkpas.audit.timestamp": "Mar 10 06:40:37", + "destination.address": "components", + "destination.domain": "components", + "destination.user.name": "x_accountA", + "event.action": "retrieve password", + "event.category": [ + "iam" + ], + "event.code": "295", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.reason": "Application provider background refresh job", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "admin", + "access" + ], + "file.path": "Root\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountA", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 8612, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "10.0.1.20" + ], + "related.user": [ + "Prov_COMPONENTS", + "x_accountA" + ], + "service.type": "cyberarkpas", + "source.address": "10.0.1.20", + "source.ip": "10.0.1.20", + "source.user.name": "Prov_COMPONENTS", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "Prov_COMPONENTS" + }, + { + "@timestamp": "2021-03-10T18:27:57.000Z", + "cyberarkpas.audit.action": "Retrieve password", + "cyberarkpas.audit.ca_properties.address": "169.254.180.25", + "cyberarkpas.audit.ca_properties.logon_domain": "VAGRANT-2012-R2", + "cyberarkpas.audit.ca_properties.user_name": "PSMAdminConnect", + "cyberarkpas.audit.desc": "Retrieve password", + "cyberarkpas.audit.file": "Root\\PSMAdmin", + "cyberarkpas.audit.iso_timestamp": "2021-03-10T18:27:57Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Retrieve password", + "cyberarkpas.audit.reason": "test", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "PSM", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "127.0.0.1", + "cyberarkpas.audit.timestamp": "Mar 10 10:27:57", + "destination.address": "169.254.180.25", + "destination.ip": "169.254.180.25", + "destination.user.name": "PSMAdminConnect", + "event.action": "retrieve password", + "event.category": [ + "iam" + ], + "event.code": "295", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.reason": "test", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "admin", + "access" + ], + "file.path": "Root\\PSMAdmin", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 9938, + "log.syslog.priority": "5", + "network.direction": "outbound", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "127.0.0.1", + "169.254.180.25" + ], + "related.user": [ + "Administrator", + "PSMAdminConnect" + ], + "service.type": "cyberarkpas", + "source.address": "127.0.0.1", + "source.ip": "127.0.0.1", + "source.user.name": "Administrator", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "Administrator" + }, + { + "@timestamp": "2021-03-10T18:28:07.000Z", + "cyberarkpas.audit.action": "Retrieve password", + "cyberarkpas.audit.ca_properties.address": "169.254.180.25", + "cyberarkpas.audit.ca_properties.logon_domain": "VAGRANT-2012-R2", + "cyberarkpas.audit.ca_properties.user_name": "PSMConnect", + "cyberarkpas.audit.desc": "Retrieve password", + "cyberarkpas.audit.file": "Root\\PSMServer", + "cyberarkpas.audit.iso_timestamp": "2021-03-10T18:28:07Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Retrieve password", + "cyberarkpas.audit.reason": "test", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "PSM", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "127.0.0.1", + "cyberarkpas.audit.timestamp": "Mar 10 10:28:07", + "destination.address": "169.254.180.25", + "destination.ip": "169.254.180.25", + "destination.user.name": "PSMConnect", + "event.action": "retrieve password", + "event.category": [ + "iam" + ], + "event.code": "295", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.reason": "test", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "admin", + "access" + ], + "file.path": "Root\\PSMServer", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 10705, + "log.syslog.priority": "5", + "network.direction": "outbound", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "127.0.0.1", + "169.254.180.25" + ], + "related.user": [ + "Administrator", + "PSMConnect" + ], + "service.type": "cyberarkpas", + "source.address": "127.0.0.1", + "source.ip": "127.0.0.1", + "source.user.name": "Administrator", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "Administrator" + }, + { + "@timestamp": "2021-03-10T23:39:22.000Z", + "cyberarkpas.audit.action": "Retrieve password", + "cyberarkpas.audit.ca_properties.address": "components", + "cyberarkpas.audit.ca_properties.cpm_status": "failure", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.device_type": "Operating System", + "cyberarkpas.audit.ca_properties.dual_account_status": "Inactive", + "cyberarkpas.audit.ca_properties.group_name": "WindowsGroup", + "cyberarkpas.audit.ca_properties.in_process": "ChangeTask", + "cyberarkpas.audit.ca_properties.index": "2", + "cyberarkpas.audit.ca_properties.last_success_change": "1614868762", + "cyberarkpas.audit.ca_properties.last_task": "ChangeTask", + "cyberarkpas.audit.ca_properties.policy_id": "WinDesktopLocal", + "cyberarkpas.audit.ca_properties.reset_immediately": "ChangeTask", + "cyberarkpas.audit.ca_properties.retries_count": "0", + "cyberarkpas.audit.ca_properties.sequence_id": "24", + "cyberarkpas.audit.ca_properties.start_change_not_before": "1615419536", + "cyberarkpas.audit.ca_properties.user_name": "x_accountB", + "cyberarkpas.audit.ca_properties.virtual_username": "virtual", + "cyberarkpas.audit.desc": "Retrieve password", + "cyberarkpas.audit.file": "Root\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountB", + "cyberarkpas.audit.iso_timestamp": "2021-03-10T23:39:22Z", + "cyberarkpas.audit.issuer": "PasswordManager", + "cyberarkpas.audit.message": "Retrieve password", + "cyberarkpas.audit.reason": "CPM", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "Test", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "10.0.1.20", + "cyberarkpas.audit.timestamp": "Mar 10 15:39:22", + "destination.address": "components", + "destination.domain": "components", + "destination.user.name": "x_accountB", + "event.action": "retrieve password", + "event.category": [ + "iam" + ], + "event.code": "295", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.reason": "CPM", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "admin", + "access" + ], + "file.path": "Root\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountB", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 11468, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "10.0.1.20" + ], + "related.user": [ + "PasswordManager", + "x_accountB" + ], + "service.type": "cyberarkpas", + "source.address": "10.0.1.20", + "source.ip": "10.0.1.20", + "source.user.name": "PasswordManager", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "PasswordManager" + }, + { + "@timestamp": "2021-03-10T23:39:25.000Z", + "cyberarkpas.audit.action": "Retrieve password", + "cyberarkpas.audit.ca_properties.cpm_status": "success", + "cyberarkpas.audit.ca_properties.curr_ind": "1", + "cyberarkpas.audit.ca_properties.last_success_change": "1615387136", + "cyberarkpas.audit.ca_properties.last_task": "ChangeTask", + "cyberarkpas.audit.ca_properties.policy_id": "WindowsDesktopLocalAccountsRotationalPolicy", + "cyberarkpas.audit.desc": "Retrieve password", + "cyberarkpas.audit.file": "Root\\Groups\\WindowsGroup", + "cyberarkpas.audit.iso_timestamp": "2021-03-10T23:39:25Z", + "cyberarkpas.audit.issuer": "PasswordManager", + "cyberarkpas.audit.message": "Retrieve password", + "cyberarkpas.audit.reason": "CPM", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "Test", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "10.0.1.20", + "cyberarkpas.audit.timestamp": "Mar 10 15:39:25", + "event.action": "retrieve password", + "event.category": [ + "iam" + ], + "event.code": "295", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.reason": "CPM", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "admin", + "access" + ], + "file.path": "Root\\Groups\\WindowsGroup", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 12899, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "10.0.1.20" + ], + "related.user": [ + "PasswordManager" + ], + "service.type": "cyberarkpas", + "source.address": "10.0.1.20", + "source.ip": "10.0.1.20", + "source.user.name": "PasswordManager", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "PasswordManager" + }, + { + "@timestamp": "2021-03-11T16:41:21.000Z", + "cyberarkpas.audit.action": "Retrieve password", + "cyberarkpas.audit.ca_properties.address": "169.254.180.25", + "cyberarkpas.audit.ca_properties.logon_domain": "VAGRANT-2012-R2", + "cyberarkpas.audit.ca_properties.user_name": "PSMAdminConnect", + "cyberarkpas.audit.desc": "Retrieve password", + "cyberarkpas.audit.file": "Root\\PSMAdmin", + "cyberarkpas.audit.iso_timestamp": "2021-03-11T16:41:21Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Retrieve password", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 08:41:21\n 2021-03-11T16:41:21Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 295\n Retrieve password\n Info\n Administrator\n Retrieve password\n \n \n PSM\n Root\\PSMAdmin\n 127.0.0.1\n \n \n \n lksajdflkasdf\n \n Retrieve password\n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.reason": "lksajdflkasdf", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "PSM", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "127.0.0.1", + "cyberarkpas.audit.timestamp": "Mar 11 08:41:21", + "destination.address": "169.254.180.25", + "destination.ip": "169.254.180.25", + "destination.user.name": "PSMAdminConnect", + "event.action": "retrieve password", + "event.category": [ + "iam" + ], + "event.code": "295", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.reason": "lksajdflkasdf", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "admin", + "access" + ], + "file.path": "Root\\PSMAdmin", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 13776, + "log.syslog.priority": "5", + "network.direction": "outbound", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "127.0.0.1", + "169.254.180.25" + ], + "related.user": [ + "Administrator", + "PSMAdminConnect" + ], + "service.type": "cyberarkpas", + "source.address": "127.0.0.1", + "source.ip": "127.0.0.1", + "source.user.name": "Administrator", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "Administrator" + }, + { + "@timestamp": "2021-03-11T16:50:28.000Z", + "cyberarkpas.audit.action": "Retrieve password", + "cyberarkpas.audit.ca_properties.address": "169.254.180.25", + "cyberarkpas.audit.ca_properties.logon_domain": "VAGRANT-2012-R2", + "cyberarkpas.audit.ca_properties.user_name": "PSMConnect", + "cyberarkpas.audit.desc": "Retrieve password", + "cyberarkpas.audit.file": "Root\\PSMServer", + "cyberarkpas.audit.iso_timestamp": "2021-03-11T16:50:28Z", + "cyberarkpas.audit.issuer": "PVWAAppUser", + "cyberarkpas.audit.message": "Retrieve password", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 08:50:28\n 2021-03-11T16:50:28Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 295\n Retrieve password\n Info\n PVWAAppUser\n Retrieve password\n \n \n PSM\n Root\\PSMServer\n 10.0.1.20\n \n \n \n \n \n Retrieve password\n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "PSM", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "10.0.1.20", + "cyberarkpas.audit.timestamp": "Mar 11 08:50:28", + "destination.address": "169.254.180.25", + "destination.ip": "169.254.180.25", + "destination.user.name": "PSMConnect", + "event.action": "retrieve password", + "event.category": [ + "iam" + ], + "event.code": "295", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "admin", + "access" + ], + "file.path": "Root\\PSMServer", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 15710, + "log.syslog.priority": "5", + "network.direction": "outbound", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "10.0.1.20", + "169.254.180.25" + ], + "related.user": [ + "PVWAAppUser", + "PSMConnect" + ], + "service.type": "cyberarkpas", + "source.address": "10.0.1.20", + "source.ip": "10.0.1.20", + "source.user.name": "PVWAAppUser", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "PVWAAppUser" + }, + { + "@timestamp": "2021-03-11T16:54:20.000Z", + "cyberarkpas.audit.action": "Retrieve password", + "cyberarkpas.audit.ca_properties.address": "centos8", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.device_type": "Operating System", + "cyberarkpas.audit.ca_properties.policy_id": "UnixSSH", + "cyberarkpas.audit.ca_properties.user_name": "PSMApp_VAGRANT", + "cyberarkpas.audit.desc": "Retrieve password", + "cyberarkpas.audit.file": "Root\\Operating System-UnixSSH-centos8-PSMApp_VAGRANT", + "cyberarkpas.audit.iso_timestamp": "2021-03-11T16:54:20Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Retrieve password", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 08:54:20\n 2021-03-11T16:54:20Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 295\n Retrieve password\n Info\n Administrator\n Retrieve password\n \n \n PSM\n Root\\Operating System-UnixSSH-centos8-PSMApp_VAGRANT\n 127.0.0.1\n \n \n \n sdfsdf\n \n Retrieve password\n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.reason": "sdfsdf", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "PSM", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "127.0.0.1", + "cyberarkpas.audit.timestamp": "Mar 11 08:54:20", + "destination.address": "centos8", + "destination.domain": "centos8", + "destination.user.name": "PSMApp_VAGRANT", + "event.action": "retrieve password", + "event.category": [ + "iam" + ], + "event.code": "295", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.reason": "sdfsdf", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "admin", + "access" + ], + "file.path": "Root\\Operating System-UnixSSH-centos8-PSMApp_VAGRANT", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 17606, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "127.0.0.1" + ], + "related.user": [ + "Administrator", + "PSMApp_VAGRANT" + ], + "service.type": "cyberarkpas", + "source.address": "127.0.0.1", + "source.ip": "127.0.0.1", + "source.user.name": "Administrator", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "Administrator" + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/300_psm_connect.log b/x-pack/filebeat/module/cyberarkpas/audit/test/300_psm_connect.log new file mode 100644 index 00000000000..74928df0a23 --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/300_psm_connect.log @@ -0,0 +1,17 @@ +{"format":"elastic","version":"1.0","raw":"\n \n no\n Cyber-Ark\n Vault\n 11.6.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n Linux\n Root\\Operating System-LINUX-SSH-radiussrv.cyberark.local-admin2\n 10.2.0.7\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=radiussrv.cyberark.local;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=35fac41e-22b5-11eb-83ca-000c297aae88;SrcHost=10.2.0.6;User=admin2;\n PSM Connect\n \n \n \n \n \n \n \n \n \n \n \n","syslog":{"audit_record":{"Rfc5424":"no","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.6.0000","MessageID":"300","IsoTimestamp":"2021-03-16T15:01:00Z","Desc":"PSM Connect","Severity":"Info","Issuer":"Administrator","Action":"PSM Connect","SourceUser":"","TargetUser":"","Safe":"Linux","File":"Root\\Operating System-LINUX-SSH-radiussrv.cyberark.local-admin2","Station":"10.2.0.7","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=radiussrv.cyberark.local;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=35fac41e-22b5-11eb-83ca-000c297aae88;SrcHost=10.2.0.6;User=admin2;","Message":"PSM Connect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"LINUX-SSH"},{"Name":"UserName","Value":"admin2"},{"Name":"Address","Value":"radiussrv.cyberark.local"},{"Name":"DeviceType","Value":"Operating System"},{"Name":"CPMDisabled","Value":"No Reason"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"Customer","Value":"Tesla"}]}}}} +<5>1 2021-03-11T17:38:20Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:38:20\n 2021-03-11T17:38:20Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 81.32.170.205\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=87012dcc-8290-11eb-949e-080027efd402;SrcHost=127.0.0.1;User=adrian;\n PSM Connect\n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:38:20","IsoTimestamp":"2021-03-11T17:38:20Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"300","Desc":"PSM Connect","Severity":"Info","Issuer":"Administrator","Action":"PSM Connect","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=87012dcc-8290-11eb-949e-080027efd402;SrcHost=127.0.0.1;User=adrian;","Message":"PSM Connect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-11T17:46:56Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:46:56\n 2021-03-11T17:46:56Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 81.32.170.205\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=ba22b012-8291-11eb-b981-080027efd402;SrcHost=127.0.0.1;User=adrian;\n PSM Connect\n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:46:56","IsoTimestamp":"2021-03-11T17:46:56Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"300","Desc":"PSM Connect","Severity":"Info","Issuer":"Administrator","Action":"PSM Connect","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=ba22b012-8291-11eb-b981-080027efd402;SrcHost=127.0.0.1;User=adrian;","Message":"PSM Connect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-11T17:48:34Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:48:34\n 2021-03-11T17:48:34Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 81.32.170.205\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=f6acbf00-8291-11eb-b9ba-080027efd402;SrcHost=10.0.2.2;User=adrian;\n PSM Connect\n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:48:34","IsoTimestamp":"2021-03-11T17:48:34Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"300","Desc":"PSM Connect","Severity":"Info","Issuer":"Administrator","Action":"PSM Connect","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=f6acbf00-8291-11eb-b9ba-080027efd402;SrcHost=10.0.2.2;User=adrian;","Message":"PSM Connect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-11T17:54:56Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:54:56\n 2021-03-11T17:54:56Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 81.32.170.205\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=d8ff4d32-8292-11eb-b962-080027efd402;SrcHost=10.0.2.2;User=adrian;\n PSM Connect\n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:54:56","IsoTimestamp":"2021-03-11T17:54:56Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"300","Desc":"PSM Connect","Severity":"Info","Issuer":"Administrator","Action":"PSM Connect","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=d8ff4d32-8292-11eb-b962-080027efd402;SrcHost=10.0.2.2;User=adrian;","Message":"PSM Connect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-11T17:56:37Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:56:37\n 2021-03-11T17:56:37Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 81.32.170.205\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=173dd46a-8293-11eb-afcb-080027efd402;SrcHost=10.0.2.2;User=adrian;\n PSM Connect\n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:56:37","IsoTimestamp":"2021-03-11T17:56:37Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"300","Desc":"PSM Connect","Severity":"Info","Issuer":"Administrator","Action":"PSM Connect","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=173dd46a-8293-11eb-afcb-080027efd402;SrcHost=10.0.2.2;User=adrian;","Message":"PSM Connect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-11T20:23:25Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 12:23:25\n 2021-03-11T20:23:25Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 81.32.170.205\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=988b22e8-82a7-11eb-83b9-080027efd402;SrcHost=10.0.2.2;User=adrian;\n PSM Connect\n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 12:23:25","IsoTimestamp":"2021-03-11T20:23:25Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"300","Desc":"PSM Connect","Severity":"Info","Issuer":"Administrator","Action":"PSM Connect","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=988b22e8-82a7-11eb-83b9-080027efd402;SrcHost=10.0.2.2;User=adrian;","Message":"PSM Connect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-14T13:49:37Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 06:49:37\n 2021-03-14T13:49:37Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 34.71.250.247\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=d284c268-2ba0-4366-af52-e33459b073a1;SrcHost=81.32.170.205;User=testark;\n PSM Connect\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 06:49:37","IsoTimestamp":"2021-03-14T13:49:37Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"300","Desc":"PSM Connect","Severity":"Info","Issuer":"Administrator","Action":"PSM Connect","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-34.123.103.115-testark","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=d284c268-2ba0-4366-af52-e33459b073a1;SrcHost=81.32.170.205;User=testark;","Message":"PSM Connect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastFailDate","Value":"1615729572"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"CPMErrorDetails","Value":"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-14T13:50:43Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 06:50:43\n 2021-03-14T13:50:43Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 34.71.250.247\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=47747796-03e1-4a11-af39-ab56c00e7732;SrcHost=81.32.170.205;User=testark;\n PSM Connect\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 06:50:43","IsoTimestamp":"2021-03-14T13:50:43Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"300","Desc":"PSM Connect","Severity":"Info","Issuer":"Administrator","Action":"PSM Connect","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-34.123.103.115-testark","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=47747796-03e1-4a11-af39-ab56c00e7732;SrcHost=81.32.170.205;User=testark;","Message":"PSM Connect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastFailDate","Value":"1615729572"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"CPMErrorDetails","Value":"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-15T10:31:56Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 03:31:56\n 2021-03-15T10:31:56Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 34.71.250.247\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=29f340df-89e9-405a-beae-0216390cda42;SrcHost=81.32.170.205;User=testark;\n PSM Connect\n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 03:31:56","IsoTimestamp":"2021-03-15T10:31:56Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"300","Desc":"PSM Connect","Severity":"Info","Issuer":"Administrator","Action":"PSM Connect","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-34.123.103.115-testark","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=29f340df-89e9-405a-beae-0216390cda42;SrcHost=81.32.170.205;User=testark;","Message":"PSM Connect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CPMStatus","Value":"success"},{"Name":"RetriesCount","Value":"-1"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"LastSuccessVerification","Value":"1615803764"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-15T10:33:39Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 03:33:39\n 2021-03-15T10:33:39Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 34.71.250.247\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=f1654cf8-8ce5-472a-8205-ba731b0fab46;SrcHost=81.32.170.205;User=testark;\n PSM Connect\n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 03:33:39","IsoTimestamp":"2021-03-15T10:33:39Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"300","Desc":"PSM Connect","Severity":"Info","Issuer":"Administrator","Action":"PSM Connect","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-34.123.103.115-testark","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=f1654cf8-8ce5-472a-8205-ba731b0fab46;SrcHost=81.32.170.205;User=testark;","Message":"PSM Connect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CPMStatus","Value":"success"},{"Name":"RetriesCount","Value":"-1"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"LastSuccessVerification","Value":"1615803764"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-15T10:35:00Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 03:35:00\n 2021-03-15T10:35:00Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 34.71.250.247\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=8b3d0b38-aef5-49d9-bdd7-d57706887d8b;SrcHost=81.32.170.205;User=testark;\n PSM Connect\n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 03:35:00","IsoTimestamp":"2021-03-15T10:35:00Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"300","Desc":"PSM Connect","Severity":"Info","Issuer":"Administrator","Action":"PSM Connect","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-34.123.103.115-testark","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=8b3d0b38-aef5-49d9-bdd7-d57706887d8b;SrcHost=81.32.170.205;User=testark;","Message":"PSM Connect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CPMStatus","Value":"success"},{"Name":"RetriesCount","Value":"-1"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"LastSuccessVerification","Value":"1615803764"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-15T13:18:31Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 06:18:31\n 2021-03-15T13:18:31Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 34.71.250.247\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=692fe25f-f940-4170-8ea4-5241b35173f0;SrcHost=81.32.170.205;User=adrian;\n PSM Connect\n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 06:18:31","IsoTimestamp":"2021-03-15T13:18:31Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"300","Desc":"PSM Connect","Severity":"Info","Issuer":"Administrator","Action":"PSM Connect","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=692fe25f-f940-4170-8ea4-5241b35173f0;SrcHost=81.32.170.205;User=adrian;","Message":"PSM Connect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-15T14:08:06Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 07:08:06\n 2021-03-15T14:08:06Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 34.71.250.247\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=f5725611-ca57-4a2a-a089-f45b3174a358;SrcHost=81.32.170.205;User=adrian;\n PSM Connect\n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 07:08:06","IsoTimestamp":"2021-03-15T14:08:06Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"300","Desc":"PSM Connect","Severity":"Info","Issuer":"Administrator","Action":"PSM Connect","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=f5725611-ca57-4a2a-a089-f45b3174a358;SrcHost=81.32.170.205;User=adrian;","Message":"PSM Connect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-15T14:08:28Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 07:08:28\n 2021-03-15T14:08:28Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 34.71.250.247\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=7db90436-8a1a-4203-9a96-65137625ab2d;SrcHost=81.32.170.205;User=testark;\n PSM Connect\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 07:08:28","IsoTimestamp":"2021-03-15T14:08:28Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"300","Desc":"PSM Connect","Severity":"Info","Issuer":"Administrator","Action":"PSM Connect","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-34.123.103.115-testark","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=7db90436-8a1a-4203-9a96-65137625ab2d;SrcHost=81.32.170.205;User=testark;","Message":"PSM Connect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastFailDate","Value":"1615814025"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"LastSuccessVerification","Value":"1615803764"},{"Name":"CPMErrorDetails","Value":"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"},{"Name":"UseSudoOnReconcile","Value":"Yes"}]}}}} +<5>1 2021-03-15T14:11:09Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 07:11:09\n 2021-03-15T14:11:09Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 34.71.250.247\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=27f74dce-f5d5-4c94-bf99-ca6aafe2c518;SrcHost=81.32.170.205;User=testark;\n PSM Connect\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 07:11:09","IsoTimestamp":"2021-03-15T14:11:09Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"300","Desc":"PSM Connect","Severity":"Info","Issuer":"Administrator","Action":"PSM Connect","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-34.123.103.115-testark","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=27f74dce-f5d5-4c94-bf99-ca6aafe2c518;SrcHost=81.32.170.205;User=testark;","Message":"PSM Connect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastFailDate","Value":"1615814025"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"LastSuccessVerification","Value":"1615803764"},{"Name":"CPMErrorDetails","Value":"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"},{"Name":"UseSudoOnReconcile","Value":"Yes"}]}}}} +<5>1 2021-03-16T10:04:51Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 16 03:04:51\n 2021-03-16T10:04:51Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 34.71.250.247\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=8b222ac9-c2ad-49ea-9c4e-6829940f58d4;SrcHost=81.32.170.205;User=testark;\n PSM Connect\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 16 03:04:51","IsoTimestamp":"2021-03-16T10:04:51Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"300","Desc":"PSM Connect","Severity":"Info","Issuer":"Administrator","Action":"PSM Connect","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-34.123.103.115-testark","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=8b222ac9-c2ad-49ea-9c4e-6829940f58d4;SrcHost=81.32.170.205;User=testark;","Message":"PSM Connect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"4"},{"Name":"LastFailDate","Value":"1615888216"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"LastSuccessVerification","Value":"1615803764"},{"Name":"CPMErrorDetails","Value":"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"},{"Name":"UseSudoOnReconcile","Value":"Yes"}]}}}} diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/300_psm_connect.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/300_psm_connect.log-expected.json new file mode 100644 index 00000000000..f8e788c087e --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/300_psm_connect.log-expected.json @@ -0,0 +1,1481 @@ +[ + { + "@timestamp": "2021-03-16T15:01:00.000Z", + "cyberarkpas.audit.action": "PSM Connect", + "cyberarkpas.audit.ca_properties.address": "radiussrv.cyberark.local", + "cyberarkpas.audit.ca_properties.cpm_disabled": "No Reason", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.customer": "Tesla", + "cyberarkpas.audit.ca_properties.device_type": "Operating System", + "cyberarkpas.audit.ca_properties.policy_id": "LINUX-SSH", + "cyberarkpas.audit.ca_properties.user_name": "admin2", + "cyberarkpas.audit.desc": "PSM Connect", + "cyberarkpas.audit.extra_details.application_type": "PSMP-SSH", + "cyberarkpas.audit.extra_details.dst_host": "radiussrv.cyberark.local", + "cyberarkpas.audit.extra_details.managed_account": "Yes", + "cyberarkpas.audit.extra_details.protocol": "SSH", + "cyberarkpas.audit.extra_details.psmid": "PSMServer", + "cyberarkpas.audit.extra_details.session_id": "35fac41e-22b5-11eb-83ca-000c297aae88", + "cyberarkpas.audit.extra_details.src_host": "10.2.0.6", + "cyberarkpas.audit.extra_details.user": "admin2", + "cyberarkpas.audit.file": "Root\\Operating System-LINUX-SSH-radiussrv.cyberark.local-admin2", + "cyberarkpas.audit.iso_timestamp": "2021-03-16T15:01:00Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "PSM Connect", + "cyberarkpas.audit.raw": "\n \n no\n Cyber-Ark\n Vault\n 11.6.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n Linux\n Root\\Operating System-LINUX-SSH-radiussrv.cyberark.local-admin2\n 10.2.0.7\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=radiussrv.cyberark.local;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=35fac41e-22b5-11eb-83ca-000c297aae88;SrcHost=10.2.0.6;User=admin2;\n PSM Connect\n \n \n \n \n \n \n \n \n \n \n \n", + "cyberarkpas.audit.rfc5424": false, + "cyberarkpas.audit.safe": "Linux", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "10.2.0.7", + "destination.address": "radiussrv.cyberark.local", + "destination.domain": "radiussrv.cyberark.local", + "destination.user.name": "admin2", + "event.action": "psm connect", + "event.category": [ + "session" + ], + "event.code": "300", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "start" + ], + "file.path": "Root\\Operating System-LINUX-SSH-radiussrv.cyberark.local-admin2", + "fileset.name": "audit", + "input.type": "log", + "log.offset": 0, + "network.application": "ssh", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.6.0000", + "related.ip": [ + "10.2.0.6", + "10.2.0.7" + ], + "related.user": [ + "Administrator", + "admin2" + ], + "service.type": "cyberarkpas", + "source.address": "10.2.0.6", + "source.ip": "10.2.0.6", + "source.user.name": "Administrator", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "Administrator" + }, + { + "@timestamp": "2021-03-11T17:38:20.000Z", + "cyberarkpas.audit.action": "PSM Connect", + "cyberarkpas.audit.ca_properties.address": "34.123.103.115", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.device_type": "Operating System", + "cyberarkpas.audit.ca_properties.policy_id": "UnixSSHKeys", + "cyberarkpas.audit.ca_properties.user_name": "adrian", + "cyberarkpas.audit.desc": "PSM Connect", + "cyberarkpas.audit.extra_details.application_type": "PSMP-SSH", + "cyberarkpas.audit.extra_details.dst_host": "34.123.103.115", + "cyberarkpas.audit.extra_details.managed_account": "Yes", + "cyberarkpas.audit.extra_details.protocol": "ssh", + "cyberarkpas.audit.extra_details.psmid": "PSMServer", + "cyberarkpas.audit.extra_details.session_id": "87012dcc-8290-11eb-949e-080027efd402", + "cyberarkpas.audit.extra_details.src_host": "127.0.0.1", + "cyberarkpas.audit.extra_details.user": "adrian", + "cyberarkpas.audit.file": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian", + "cyberarkpas.audit.iso_timestamp": "2021-03-11T17:38:20Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "PSM Connect", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 09:38:20\n 2021-03-11T17:38:20Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 81.32.170.205\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=87012dcc-8290-11eb-949e-080027efd402;SrcHost=127.0.0.1;User=adrian;\n PSM Connect\n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "PSM", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.timestamp": "Mar 11 09:38:20", + "destination.address": "34.123.103.115", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "34.123.103.115", + "destination.user.name": "adrian", + "event.action": "psm connect", + "event.category": [ + "session" + ], + "event.code": "300", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "start" + ], + "file.path": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 2566, + "log.syslog.priority": "5", + "network.application": "ssh", + "network.direction": "outbound", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "127.0.0.1", + "34.123.103.115", + "81.32.170.205" + ], + "related.user": [ + "Administrator", + "adrian" + ], + "service.type": "cyberarkpas", + "source.address": "127.0.0.1", + "source.ip": "127.0.0.1", + "source.user.name": "Administrator", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "Administrator" + }, + { + "@timestamp": "2021-03-11T17:46:56.000Z", + "cyberarkpas.audit.action": "PSM Connect", + "cyberarkpas.audit.ca_properties.address": "34.123.103.115", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.device_type": "Operating System", + "cyberarkpas.audit.ca_properties.policy_id": "UnixSSHKeys", + "cyberarkpas.audit.ca_properties.user_name": "adrian", + "cyberarkpas.audit.desc": "PSM Connect", + "cyberarkpas.audit.extra_details.application_type": "PSMP-SSH", + "cyberarkpas.audit.extra_details.dst_host": "34.123.103.115", + "cyberarkpas.audit.extra_details.managed_account": "Yes", + "cyberarkpas.audit.extra_details.protocol": "ssh", + "cyberarkpas.audit.extra_details.psmid": "PSMServer", + "cyberarkpas.audit.extra_details.session_id": "ba22b012-8291-11eb-b981-080027efd402", + "cyberarkpas.audit.extra_details.src_host": "127.0.0.1", + "cyberarkpas.audit.extra_details.user": "adrian", + "cyberarkpas.audit.file": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian", + "cyberarkpas.audit.iso_timestamp": "2021-03-11T17:46:56Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "PSM Connect", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 09:46:56\n 2021-03-11T17:46:56Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 81.32.170.205\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=ba22b012-8291-11eb-b981-080027efd402;SrcHost=127.0.0.1;User=adrian;\n PSM Connect\n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "PSM", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.timestamp": "Mar 11 09:46:56", + "destination.address": "34.123.103.115", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "34.123.103.115", + "destination.user.name": "adrian", + "event.action": "psm connect", + "event.category": [ + "session" + ], + "event.code": "300", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "start" + ], + "file.path": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 5086, + "log.syslog.priority": "5", + "network.application": "ssh", + "network.direction": "outbound", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "127.0.0.1", + "34.123.103.115", + "81.32.170.205" + ], + "related.user": [ + "Administrator", + "adrian" + ], + "service.type": "cyberarkpas", + "source.address": "127.0.0.1", + "source.ip": "127.0.0.1", + "source.user.name": "Administrator", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "Administrator" + }, + { + "@timestamp": "2021-03-11T17:48:34.000Z", + "cyberarkpas.audit.action": "PSM Connect", + "cyberarkpas.audit.ca_properties.address": "34.123.103.115", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.device_type": "Operating System", + "cyberarkpas.audit.ca_properties.policy_id": "UnixSSHKeys", + "cyberarkpas.audit.ca_properties.user_name": "adrian", + "cyberarkpas.audit.desc": "PSM Connect", + "cyberarkpas.audit.extra_details.application_type": "PSMP-SSH", + "cyberarkpas.audit.extra_details.dst_host": "34.123.103.115", + "cyberarkpas.audit.extra_details.managed_account": "Yes", + "cyberarkpas.audit.extra_details.protocol": "ssh", + "cyberarkpas.audit.extra_details.psmid": "PSMServer", + "cyberarkpas.audit.extra_details.session_id": "f6acbf00-8291-11eb-b9ba-080027efd402", + "cyberarkpas.audit.extra_details.src_host": "10.0.2.2", + "cyberarkpas.audit.extra_details.user": "adrian", + "cyberarkpas.audit.file": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian", + "cyberarkpas.audit.iso_timestamp": "2021-03-11T17:48:34Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "PSM Connect", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 09:48:34\n 2021-03-11T17:48:34Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 81.32.170.205\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=f6acbf00-8291-11eb-b9ba-080027efd402;SrcHost=10.0.2.2;User=adrian;\n PSM Connect\n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "PSM", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.timestamp": "Mar 11 09:48:34", + "destination.address": "34.123.103.115", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "34.123.103.115", + "destination.user.name": "adrian", + "event.action": "psm connect", + "event.category": [ + "session" + ], + "event.code": "300", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "start" + ], + "file.path": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 7606, + "log.syslog.priority": "5", + "network.application": "ssh", + "network.direction": "outbound", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "10.0.2.2", + "34.123.103.115", + "81.32.170.205" + ], + "related.user": [ + "Administrator", + "adrian" + ], + "service.type": "cyberarkpas", + "source.address": "10.0.2.2", + "source.ip": "10.0.2.2", + "source.user.name": "Administrator", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "Administrator" + }, + { + "@timestamp": "2021-03-11T17:54:56.000Z", + "cyberarkpas.audit.action": "PSM Connect", + "cyberarkpas.audit.ca_properties.address": "34.123.103.115", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.device_type": "Operating System", + "cyberarkpas.audit.ca_properties.policy_id": "UnixSSHKeys", + "cyberarkpas.audit.ca_properties.user_name": "adrian", + "cyberarkpas.audit.desc": "PSM Connect", + "cyberarkpas.audit.extra_details.application_type": "PSMP-SSH", + "cyberarkpas.audit.extra_details.dst_host": "34.123.103.115", + "cyberarkpas.audit.extra_details.managed_account": "Yes", + "cyberarkpas.audit.extra_details.protocol": "ssh", + "cyberarkpas.audit.extra_details.psmid": "PSMServer", + "cyberarkpas.audit.extra_details.session_id": "d8ff4d32-8292-11eb-b962-080027efd402", + "cyberarkpas.audit.extra_details.src_host": "10.0.2.2", + "cyberarkpas.audit.extra_details.user": "adrian", + "cyberarkpas.audit.file": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian", + "cyberarkpas.audit.iso_timestamp": "2021-03-11T17:54:56Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "PSM Connect", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 09:54:56\n 2021-03-11T17:54:56Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 81.32.170.205\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=d8ff4d32-8292-11eb-b962-080027efd402;SrcHost=10.0.2.2;User=adrian;\n PSM Connect\n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "PSM", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.timestamp": "Mar 11 09:54:56", + "destination.address": "34.123.103.115", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "34.123.103.115", + "destination.user.name": "adrian", + "event.action": "psm connect", + "event.category": [ + "session" + ], + "event.code": "300", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "start" + ], + "file.path": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 10124, + "log.syslog.priority": "5", + "network.application": "ssh", + "network.direction": "outbound", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "10.0.2.2", + "34.123.103.115", + "81.32.170.205" + ], + "related.user": [ + "Administrator", + "adrian" + ], + "service.type": "cyberarkpas", + "source.address": "10.0.2.2", + "source.ip": "10.0.2.2", + "source.user.name": "Administrator", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "Administrator" + }, + { + "@timestamp": "2021-03-11T17:56:37.000Z", + "cyberarkpas.audit.action": "PSM Connect", + "cyberarkpas.audit.ca_properties.address": "34.123.103.115", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.device_type": "Operating System", + "cyberarkpas.audit.ca_properties.policy_id": "UnixSSHKeys", + "cyberarkpas.audit.ca_properties.user_name": "adrian", + "cyberarkpas.audit.desc": "PSM Connect", + "cyberarkpas.audit.extra_details.application_type": "PSMP-SSH", + "cyberarkpas.audit.extra_details.dst_host": "34.123.103.115", + "cyberarkpas.audit.extra_details.managed_account": "Yes", + "cyberarkpas.audit.extra_details.protocol": "ssh", + "cyberarkpas.audit.extra_details.psmid": "PSMServer", + "cyberarkpas.audit.extra_details.session_id": "173dd46a-8293-11eb-afcb-080027efd402", + "cyberarkpas.audit.extra_details.src_host": "10.0.2.2", + "cyberarkpas.audit.extra_details.user": "adrian", + "cyberarkpas.audit.file": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian", + "cyberarkpas.audit.iso_timestamp": "2021-03-11T17:56:37Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "PSM Connect", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 09:56:37\n 2021-03-11T17:56:37Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 81.32.170.205\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=173dd46a-8293-11eb-afcb-080027efd402;SrcHost=10.0.2.2;User=adrian;\n PSM Connect\n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "PSM", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.timestamp": "Mar 11 09:56:37", + "destination.address": "34.123.103.115", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "34.123.103.115", + "destination.user.name": "adrian", + "event.action": "psm connect", + "event.category": [ + "session" + ], + "event.code": "300", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "start" + ], + "file.path": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 12642, + "log.syslog.priority": "5", + "network.application": "ssh", + "network.direction": "outbound", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "10.0.2.2", + "34.123.103.115", + "81.32.170.205" + ], + "related.user": [ + "Administrator", + "adrian" + ], + "service.type": "cyberarkpas", + "source.address": "10.0.2.2", + "source.ip": "10.0.2.2", + "source.user.name": "Administrator", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "Administrator" + }, + { + "@timestamp": "2021-03-11T20:23:25.000Z", + "cyberarkpas.audit.action": "PSM Connect", + "cyberarkpas.audit.ca_properties.address": "34.123.103.115", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.device_type": "Operating System", + "cyberarkpas.audit.ca_properties.policy_id": "UnixSSHKeys", + "cyberarkpas.audit.ca_properties.user_name": "adrian", + "cyberarkpas.audit.desc": "PSM Connect", + "cyberarkpas.audit.extra_details.application_type": "PSMP-SSH", + "cyberarkpas.audit.extra_details.dst_host": "34.123.103.115", + "cyberarkpas.audit.extra_details.managed_account": "Yes", + "cyberarkpas.audit.extra_details.protocol": "ssh", + "cyberarkpas.audit.extra_details.psmid": "PSMServer", + "cyberarkpas.audit.extra_details.session_id": "988b22e8-82a7-11eb-83b9-080027efd402", + "cyberarkpas.audit.extra_details.src_host": "10.0.2.2", + "cyberarkpas.audit.extra_details.user": "adrian", + "cyberarkpas.audit.file": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian", + "cyberarkpas.audit.iso_timestamp": "2021-03-11T20:23:25Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "PSM Connect", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 12:23:25\n 2021-03-11T20:23:25Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 81.32.170.205\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=988b22e8-82a7-11eb-83b9-080027efd402;SrcHost=10.0.2.2;User=adrian;\n PSM Connect\n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "PSM", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.timestamp": "Mar 11 12:23:25", + "destination.address": "34.123.103.115", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "34.123.103.115", + "destination.user.name": "adrian", + "event.action": "psm connect", + "event.category": [ + "session" + ], + "event.code": "300", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "start" + ], + "file.path": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 15160, + "log.syslog.priority": "5", + "network.application": "ssh", + "network.direction": "outbound", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "10.0.2.2", + "34.123.103.115", + "81.32.170.205" + ], + "related.user": [ + "Administrator", + "adrian" + ], + "service.type": "cyberarkpas", + "source.address": "10.0.2.2", + "source.ip": "10.0.2.2", + "source.user.name": "Administrator", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "Administrator" + }, + { + "@timestamp": "2021-03-14T13:49:37.000Z", + "cyberarkpas.audit.action": "PSM Connect", + "cyberarkpas.audit.ca_properties.address": "34.123.103.115", + "cyberarkpas.audit.ca_properties.cpm_error_details": "First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031", + "cyberarkpas.audit.ca_properties.cpm_status": "failure", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.device_type": "Operating System", + "cyberarkpas.audit.ca_properties.last_fail_date": "1615729572", + "cyberarkpas.audit.ca_properties.last_task": "ReconcileTask", + "cyberarkpas.audit.ca_properties.policy_id": "UnixSSH", + "cyberarkpas.audit.ca_properties.reset_immediately": "ReconcileTask", + "cyberarkpas.audit.ca_properties.retries_count": "0", + "cyberarkpas.audit.ca_properties.user_name": "testark", + "cyberarkpas.audit.desc": "PSM Connect", + "cyberarkpas.audit.extra_details.application_type": "PSMP-SSH", + "cyberarkpas.audit.extra_details.dst_host": "34.123.103.115", + "cyberarkpas.audit.extra_details.managed_account": "Yes", + "cyberarkpas.audit.extra_details.protocol": "SSH", + "cyberarkpas.audit.extra_details.psmid": "PSMServer", + "cyberarkpas.audit.extra_details.session_id": "d284c268-2ba0-4366-af52-e33459b073a1", + "cyberarkpas.audit.extra_details.src_host": "81.32.170.205", + "cyberarkpas.audit.extra_details.user": "testark", + "cyberarkpas.audit.file": "Root\\Operating System-UnixSSH-34.123.103.115-testark", + "cyberarkpas.audit.iso_timestamp": "2021-03-14T13:49:37Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "PSM Connect", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 14 06:49:37\n 2021-03-14T13:49:37Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 34.71.250.247\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=d284c268-2ba0-4366-af52-e33459b073a1;SrcHost=81.32.170.205;User=testark;\n PSM Connect\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "partner", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "34.71.250.247", + "cyberarkpas.audit.timestamp": "Mar 14 06:49:37", + "destination.address": "34.123.103.115", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "34.123.103.115", + "destination.user.name": "testark", + "event.action": "psm connect", + "event.category": [ + "session" + ], + "event.code": "300", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "start" + ], + "file.path": "Root\\Operating System-UnixSSH-34.123.103.115-testark", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 17678, + "log.syslog.priority": "5", + "network.application": "ssh", + "network.direction": "external", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205", + "34.123.103.115", + "34.71.250.247" + ], + "related.user": [ + "Administrator", + "testark" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "source.user.name": "Administrator", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "Administrator" + }, + { + "@timestamp": "2021-03-14T13:50:43.000Z", + "cyberarkpas.audit.action": "PSM Connect", + "cyberarkpas.audit.ca_properties.address": "34.123.103.115", + "cyberarkpas.audit.ca_properties.cpm_error_details": "First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031", + "cyberarkpas.audit.ca_properties.cpm_status": "failure", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.device_type": "Operating System", + "cyberarkpas.audit.ca_properties.last_fail_date": "1615729572", + "cyberarkpas.audit.ca_properties.last_task": "ReconcileTask", + "cyberarkpas.audit.ca_properties.policy_id": "UnixSSH", + "cyberarkpas.audit.ca_properties.reset_immediately": "ReconcileTask", + "cyberarkpas.audit.ca_properties.retries_count": "0", + "cyberarkpas.audit.ca_properties.user_name": "testark", + "cyberarkpas.audit.desc": "PSM Connect", + "cyberarkpas.audit.extra_details.application_type": "PSMP-SSH", + "cyberarkpas.audit.extra_details.dst_host": "34.123.103.115", + "cyberarkpas.audit.extra_details.managed_account": "Yes", + "cyberarkpas.audit.extra_details.protocol": "SSH", + "cyberarkpas.audit.extra_details.psmid": "PSMServer", + "cyberarkpas.audit.extra_details.session_id": "47747796-03e1-4a11-af39-ab56c00e7732", + "cyberarkpas.audit.extra_details.src_host": "81.32.170.205", + "cyberarkpas.audit.extra_details.user": "testark", + "cyberarkpas.audit.file": "Root\\Operating System-UnixSSH-34.123.103.115-testark", + "cyberarkpas.audit.iso_timestamp": "2021-03-14T13:50:43Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "PSM Connect", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 14 06:50:43\n 2021-03-14T13:50:43Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 34.71.250.247\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=47747796-03e1-4a11-af39-ab56c00e7732;SrcHost=81.32.170.205;User=testark;\n PSM Connect\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "partner", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "34.71.250.247", + "cyberarkpas.audit.timestamp": "Mar 14 06:50:43", + "destination.address": "34.123.103.115", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "34.123.103.115", + "destination.user.name": "testark", + "event.action": "psm connect", + "event.category": [ + "session" + ], + "event.code": "300", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "start" + ], + "file.path": "Root\\Operating System-UnixSSH-34.123.103.115-testark", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 21194, + "log.syslog.priority": "5", + "network.application": "ssh", + "network.direction": "external", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205", + "34.123.103.115", + "34.71.250.247" + ], + "related.user": [ + "Administrator", + "testark" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "source.user.name": "Administrator", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "Administrator" + }, + { + "@timestamp": "2021-03-15T10:31:56.000Z", + "cyberarkpas.audit.action": "PSM Connect", + "cyberarkpas.audit.ca_properties.address": "34.123.103.115", + "cyberarkpas.audit.ca_properties.cpm_status": "success", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.device_type": "Operating System", + "cyberarkpas.audit.ca_properties.last_success_verification": "1615803764", + "cyberarkpas.audit.ca_properties.last_task": "VerifyTask", + "cyberarkpas.audit.ca_properties.policy_id": "UnixSSH", + "cyberarkpas.audit.ca_properties.retries_count": "-1", + "cyberarkpas.audit.ca_properties.user_name": "testark", + "cyberarkpas.audit.desc": "PSM Connect", + "cyberarkpas.audit.extra_details.application_type": "PSMP-SSH", + "cyberarkpas.audit.extra_details.dst_host": "34.123.103.115", + "cyberarkpas.audit.extra_details.managed_account": "Yes", + "cyberarkpas.audit.extra_details.protocol": "SSH", + "cyberarkpas.audit.extra_details.psmid": "PSMServer", + "cyberarkpas.audit.extra_details.session_id": "29f340df-89e9-405a-beae-0216390cda42", + "cyberarkpas.audit.extra_details.src_host": "81.32.170.205", + "cyberarkpas.audit.extra_details.user": "testark", + "cyberarkpas.audit.file": "Root\\Operating System-UnixSSH-34.123.103.115-testark", + "cyberarkpas.audit.iso_timestamp": "2021-03-15T10:31:56Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "PSM Connect", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 15 03:31:56\n 2021-03-15T10:31:56Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 34.71.250.247\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=29f340df-89e9-405a-beae-0216390cda42;SrcHost=81.32.170.205;User=testark;\n PSM Connect\n \n \n \n \n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "partner", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "34.71.250.247", + "cyberarkpas.audit.timestamp": "Mar 15 03:31:56", + "destination.address": "34.123.103.115", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "34.123.103.115", + "destination.user.name": "testark", + "event.action": "psm connect", + "event.category": [ + "session" + ], + "event.code": "300", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "start" + ], + "file.path": "Root\\Operating System-UnixSSH-34.123.103.115-testark", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 24710, + "log.syslog.priority": "5", + "network.application": "ssh", + "network.direction": "external", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205", + "34.123.103.115", + "34.71.250.247" + ], + "related.user": [ + "Administrator", + "testark" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "source.user.name": "Administrator", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "Administrator" + }, + { + "@timestamp": "2021-03-15T10:33:39.000Z", + "cyberarkpas.audit.action": "PSM Connect", + "cyberarkpas.audit.ca_properties.address": "34.123.103.115", + "cyberarkpas.audit.ca_properties.cpm_status": "success", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.device_type": "Operating System", + "cyberarkpas.audit.ca_properties.last_success_verification": "1615803764", + "cyberarkpas.audit.ca_properties.last_task": "VerifyTask", + "cyberarkpas.audit.ca_properties.policy_id": "UnixSSH", + "cyberarkpas.audit.ca_properties.retries_count": "-1", + "cyberarkpas.audit.ca_properties.user_name": "testark", + "cyberarkpas.audit.desc": "PSM Connect", + "cyberarkpas.audit.extra_details.application_type": "PSMP-SSH", + "cyberarkpas.audit.extra_details.dst_host": "34.123.103.115", + "cyberarkpas.audit.extra_details.managed_account": "Yes", + "cyberarkpas.audit.extra_details.protocol": "SSH", + "cyberarkpas.audit.extra_details.psmid": "PSMServer", + "cyberarkpas.audit.extra_details.session_id": "f1654cf8-8ce5-472a-8205-ba731b0fab46", + "cyberarkpas.audit.extra_details.src_host": "81.32.170.205", + "cyberarkpas.audit.extra_details.user": "testark", + "cyberarkpas.audit.file": "Root\\Operating System-UnixSSH-34.123.103.115-testark", + "cyberarkpas.audit.iso_timestamp": "2021-03-15T10:33:39Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "PSM Connect", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 15 03:33:39\n 2021-03-15T10:33:39Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 34.71.250.247\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=f1654cf8-8ce5-472a-8205-ba731b0fab46;SrcHost=81.32.170.205;User=testark;\n PSM Connect\n \n \n \n \n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "partner", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "34.71.250.247", + "cyberarkpas.audit.timestamp": "Mar 15 03:33:39", + "destination.address": "34.123.103.115", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "34.123.103.115", + "destination.user.name": "testark", + "event.action": "psm connect", + "event.category": [ + "session" + ], + "event.code": "300", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "start" + ], + "file.path": "Root\\Operating System-UnixSSH-34.123.103.115-testark", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 27706, + "log.syslog.priority": "5", + "network.application": "ssh", + "network.direction": "external", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205", + "34.123.103.115", + "34.71.250.247" + ], + "related.user": [ + "Administrator", + "testark" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "source.user.name": "Administrator", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "Administrator" + }, + { + "@timestamp": "2021-03-15T10:35:00.000Z", + "cyberarkpas.audit.action": "PSM Connect", + "cyberarkpas.audit.ca_properties.address": "34.123.103.115", + "cyberarkpas.audit.ca_properties.cpm_status": "success", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.device_type": "Operating System", + "cyberarkpas.audit.ca_properties.last_success_verification": "1615803764", + "cyberarkpas.audit.ca_properties.last_task": "VerifyTask", + "cyberarkpas.audit.ca_properties.policy_id": "UnixSSH", + "cyberarkpas.audit.ca_properties.retries_count": "-1", + "cyberarkpas.audit.ca_properties.user_name": "testark", + "cyberarkpas.audit.desc": "PSM Connect", + "cyberarkpas.audit.extra_details.application_type": "PSMP-SSH", + "cyberarkpas.audit.extra_details.dst_host": "34.123.103.115", + "cyberarkpas.audit.extra_details.managed_account": "Yes", + "cyberarkpas.audit.extra_details.protocol": "SSH", + "cyberarkpas.audit.extra_details.psmid": "PSMServer", + "cyberarkpas.audit.extra_details.session_id": "8b3d0b38-aef5-49d9-bdd7-d57706887d8b", + "cyberarkpas.audit.extra_details.src_host": "81.32.170.205", + "cyberarkpas.audit.extra_details.user": "testark", + "cyberarkpas.audit.file": "Root\\Operating System-UnixSSH-34.123.103.115-testark", + "cyberarkpas.audit.iso_timestamp": "2021-03-15T10:35:00Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "PSM Connect", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 15 03:35:00\n 2021-03-15T10:35:00Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 34.71.250.247\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=8b3d0b38-aef5-49d9-bdd7-d57706887d8b;SrcHost=81.32.170.205;User=testark;\n PSM Connect\n \n \n \n \n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "partner", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "34.71.250.247", + "cyberarkpas.audit.timestamp": "Mar 15 03:35:00", + "destination.address": "34.123.103.115", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "34.123.103.115", + "destination.user.name": "testark", + "event.action": "psm connect", + "event.category": [ + "session" + ], + "event.code": "300", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "start" + ], + "file.path": "Root\\Operating System-UnixSSH-34.123.103.115-testark", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 30702, + "log.syslog.priority": "5", + "network.application": "ssh", + "network.direction": "external", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205", + "34.123.103.115", + "34.71.250.247" + ], + "related.user": [ + "Administrator", + "testark" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "source.user.name": "Administrator", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "Administrator" + }, + { + "@timestamp": "2021-03-15T13:18:31.000Z", + "cyberarkpas.audit.action": "PSM Connect", + "cyberarkpas.audit.ca_properties.address": "34.123.103.115", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.device_type": "Operating System", + "cyberarkpas.audit.ca_properties.policy_id": "UnixSSHKeys", + "cyberarkpas.audit.ca_properties.user_name": "adrian", + "cyberarkpas.audit.desc": "PSM Connect", + "cyberarkpas.audit.extra_details.application_type": "PSMP-SSH", + "cyberarkpas.audit.extra_details.dst_host": "34.123.103.115", + "cyberarkpas.audit.extra_details.managed_account": "Yes", + "cyberarkpas.audit.extra_details.protocol": "SSH", + "cyberarkpas.audit.extra_details.psmid": "PSMServer", + "cyberarkpas.audit.extra_details.session_id": "692fe25f-f940-4170-8ea4-5241b35173f0", + "cyberarkpas.audit.extra_details.src_host": "81.32.170.205", + "cyberarkpas.audit.extra_details.user": "adrian", + "cyberarkpas.audit.file": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian", + "cyberarkpas.audit.iso_timestamp": "2021-03-15T13:18:31Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "PSM Connect", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 15 06:18:31\n 2021-03-15T13:18:31Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 34.71.250.247\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=692fe25f-f940-4170-8ea4-5241b35173f0;SrcHost=81.32.170.205;User=adrian;\n PSM Connect\n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "PSM", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "34.71.250.247", + "cyberarkpas.audit.timestamp": "Mar 15 06:18:31", + "destination.address": "34.123.103.115", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "34.123.103.115", + "destination.user.name": "adrian", + "event.action": "psm connect", + "event.category": [ + "session" + ], + "event.code": "300", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "start" + ], + "file.path": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 33698, + "log.syslog.priority": "5", + "network.application": "ssh", + "network.direction": "external", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205", + "34.123.103.115", + "34.71.250.247" + ], + "related.user": [ + "Administrator", + "adrian" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "source.user.name": "Administrator", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "Administrator" + }, + { + "@timestamp": "2021-03-15T14:08:06.000Z", + "cyberarkpas.audit.action": "PSM Connect", + "cyberarkpas.audit.ca_properties.address": "34.123.103.115", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.device_type": "Operating System", + "cyberarkpas.audit.ca_properties.policy_id": "UnixSSHKeys", + "cyberarkpas.audit.ca_properties.user_name": "adrian", + "cyberarkpas.audit.desc": "PSM Connect", + "cyberarkpas.audit.extra_details.application_type": "PSMP-SSH", + "cyberarkpas.audit.extra_details.dst_host": "34.123.103.115", + "cyberarkpas.audit.extra_details.managed_account": "Yes", + "cyberarkpas.audit.extra_details.protocol": "SSH", + "cyberarkpas.audit.extra_details.psmid": "PSMServer", + "cyberarkpas.audit.extra_details.session_id": "f5725611-ca57-4a2a-a089-f45b3174a358", + "cyberarkpas.audit.extra_details.src_host": "81.32.170.205", + "cyberarkpas.audit.extra_details.user": "adrian", + "cyberarkpas.audit.file": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian", + "cyberarkpas.audit.iso_timestamp": "2021-03-15T14:08:06Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "PSM Connect", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 15 07:08:06\n 2021-03-15T14:08:06Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 34.71.250.247\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=f5725611-ca57-4a2a-a089-f45b3174a358;SrcHost=81.32.170.205;User=adrian;\n PSM Connect\n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "PSM", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "34.71.250.247", + "cyberarkpas.audit.timestamp": "Mar 15 07:08:06", + "destination.address": "34.123.103.115", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "34.123.103.115", + "destination.user.name": "adrian", + "event.action": "psm connect", + "event.category": [ + "session" + ], + "event.code": "300", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "start" + ], + "file.path": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 36226, + "log.syslog.priority": "5", + "network.application": "ssh", + "network.direction": "external", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205", + "34.123.103.115", + "34.71.250.247" + ], + "related.user": [ + "Administrator", + "adrian" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "source.user.name": "Administrator", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "Administrator" + }, + { + "@timestamp": "2021-03-15T14:08:28.000Z", + "cyberarkpas.audit.action": "PSM Connect", + "cyberarkpas.audit.ca_properties.address": "34.123.103.115", + "cyberarkpas.audit.ca_properties.cpm_error_details": "First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031", + "cyberarkpas.audit.ca_properties.cpm_status": "failure", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.device_type": "Operating System", + "cyberarkpas.audit.ca_properties.last_fail_date": "1615814025", + "cyberarkpas.audit.ca_properties.last_success_verification": "1615803764", + "cyberarkpas.audit.ca_properties.last_task": "ReconcileTask", + "cyberarkpas.audit.ca_properties.policy_id": "UnixSSH", + "cyberarkpas.audit.ca_properties.reset_immediately": "ReconcileTask", + "cyberarkpas.audit.ca_properties.retries_count": "0", + "cyberarkpas.audit.ca_properties.use_sudo_on_reconcile": "Yes", + "cyberarkpas.audit.ca_properties.user_name": "testark", + "cyberarkpas.audit.desc": "PSM Connect", + "cyberarkpas.audit.extra_details.application_type": "PSMP-SSH", + "cyberarkpas.audit.extra_details.dst_host": "34.123.103.115", + "cyberarkpas.audit.extra_details.managed_account": "Yes", + "cyberarkpas.audit.extra_details.protocol": "SSH", + "cyberarkpas.audit.extra_details.psmid": "PSMServer", + "cyberarkpas.audit.extra_details.session_id": "7db90436-8a1a-4203-9a96-65137625ab2d", + "cyberarkpas.audit.extra_details.src_host": "81.32.170.205", + "cyberarkpas.audit.extra_details.user": "testark", + "cyberarkpas.audit.file": "Root\\Operating System-UnixSSH-34.123.103.115-testark", + "cyberarkpas.audit.iso_timestamp": "2021-03-15T14:08:28Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "PSM Connect", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 15 07:08:28\n 2021-03-15T14:08:28Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 34.71.250.247\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=7db90436-8a1a-4203-9a96-65137625ab2d;SrcHost=81.32.170.205;User=testark;\n PSM Connect\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "partner", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "34.71.250.247", + "cyberarkpas.audit.timestamp": "Mar 15 07:08:28", + "destination.address": "34.123.103.115", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "34.123.103.115", + "destination.user.name": "testark", + "event.action": "psm connect", + "event.category": [ + "session" + ], + "event.code": "300", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "start" + ], + "file.path": "Root\\Operating System-UnixSSH-34.123.103.115-testark", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 38754, + "log.syslog.priority": "5", + "network.application": "ssh", + "network.direction": "external", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205", + "34.123.103.115", + "34.71.250.247" + ], + "related.user": [ + "Administrator", + "testark" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "source.user.name": "Administrator", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "Administrator" + }, + { + "@timestamp": "2021-03-15T14:11:09.000Z", + "cyberarkpas.audit.action": "PSM Connect", + "cyberarkpas.audit.ca_properties.address": "34.123.103.115", + "cyberarkpas.audit.ca_properties.cpm_error_details": "First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031", + "cyberarkpas.audit.ca_properties.cpm_status": "failure", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.device_type": "Operating System", + "cyberarkpas.audit.ca_properties.last_fail_date": "1615814025", + "cyberarkpas.audit.ca_properties.last_success_verification": "1615803764", + "cyberarkpas.audit.ca_properties.last_task": "ReconcileTask", + "cyberarkpas.audit.ca_properties.policy_id": "UnixSSH", + "cyberarkpas.audit.ca_properties.reset_immediately": "ReconcileTask", + "cyberarkpas.audit.ca_properties.retries_count": "0", + "cyberarkpas.audit.ca_properties.use_sudo_on_reconcile": "Yes", + "cyberarkpas.audit.ca_properties.user_name": "testark", + "cyberarkpas.audit.desc": "PSM Connect", + "cyberarkpas.audit.extra_details.application_type": "PSMP-SSH", + "cyberarkpas.audit.extra_details.dst_host": "34.123.103.115", + "cyberarkpas.audit.extra_details.managed_account": "Yes", + "cyberarkpas.audit.extra_details.protocol": "SSH", + "cyberarkpas.audit.extra_details.psmid": "PSMServer", + "cyberarkpas.audit.extra_details.session_id": "27f74dce-f5d5-4c94-bf99-ca6aafe2c518", + "cyberarkpas.audit.extra_details.src_host": "81.32.170.205", + "cyberarkpas.audit.extra_details.user": "testark", + "cyberarkpas.audit.file": "Root\\Operating System-UnixSSH-34.123.103.115-testark", + "cyberarkpas.audit.iso_timestamp": "2021-03-15T14:11:09Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "PSM Connect", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 15 07:11:09\n 2021-03-15T14:11:09Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 34.71.250.247\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=27f74dce-f5d5-4c94-bf99-ca6aafe2c518;SrcHost=81.32.170.205;User=testark;\n PSM Connect\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "partner", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "34.71.250.247", + "cyberarkpas.audit.timestamp": "Mar 15 07:11:09", + "destination.address": "34.123.103.115", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "34.123.103.115", + "destination.user.name": "testark", + "event.action": "psm connect", + "event.category": [ + "session" + ], + "event.code": "300", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "start" + ], + "file.path": "Root\\Operating System-UnixSSH-34.123.103.115-testark", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 42532, + "log.syslog.priority": "5", + "network.application": "ssh", + "network.direction": "external", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205", + "34.123.103.115", + "34.71.250.247" + ], + "related.user": [ + "Administrator", + "testark" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "source.user.name": "Administrator", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "Administrator" + }, + { + "@timestamp": "2021-03-16T10:04:51.000Z", + "cyberarkpas.audit.action": "PSM Connect", + "cyberarkpas.audit.ca_properties.address": "34.123.103.115", + "cyberarkpas.audit.ca_properties.cpm_error_details": "First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031", + "cyberarkpas.audit.ca_properties.cpm_status": "failure", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.device_type": "Operating System", + "cyberarkpas.audit.ca_properties.last_fail_date": "1615888216", + "cyberarkpas.audit.ca_properties.last_success_verification": "1615803764", + "cyberarkpas.audit.ca_properties.last_task": "ReconcileTask", + "cyberarkpas.audit.ca_properties.policy_id": "UnixSSH", + "cyberarkpas.audit.ca_properties.reset_immediately": "ReconcileTask", + "cyberarkpas.audit.ca_properties.retries_count": "4", + "cyberarkpas.audit.ca_properties.use_sudo_on_reconcile": "Yes", + "cyberarkpas.audit.ca_properties.user_name": "testark", + "cyberarkpas.audit.desc": "PSM Connect", + "cyberarkpas.audit.extra_details.application_type": "PSMP-SSH", + "cyberarkpas.audit.extra_details.dst_host": "34.123.103.115", + "cyberarkpas.audit.extra_details.managed_account": "Yes", + "cyberarkpas.audit.extra_details.protocol": "SSH", + "cyberarkpas.audit.extra_details.psmid": "PSMServer", + "cyberarkpas.audit.extra_details.session_id": "8b222ac9-c2ad-49ea-9c4e-6829940f58d4", + "cyberarkpas.audit.extra_details.src_host": "81.32.170.205", + "cyberarkpas.audit.extra_details.user": "testark", + "cyberarkpas.audit.file": "Root\\Operating System-UnixSSH-34.123.103.115-testark", + "cyberarkpas.audit.iso_timestamp": "2021-03-16T10:04:51Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "PSM Connect", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 16 03:04:51\n 2021-03-16T10:04:51Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 34.71.250.247\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=8b222ac9-c2ad-49ea-9c4e-6829940f58d4;SrcHost=81.32.170.205;User=testark;\n PSM Connect\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "partner", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "34.71.250.247", + "cyberarkpas.audit.timestamp": "Mar 16 03:04:51", + "destination.address": "34.123.103.115", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "34.123.103.115", + "destination.user.name": "testark", + "event.action": "psm connect", + "event.category": [ + "session" + ], + "event.code": "300", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "start" + ], + "file.path": "Root\\Operating System-UnixSSH-34.123.103.115-testark", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 46310, + "log.syslog.priority": "5", + "network.application": "ssh", + "network.direction": "external", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205", + "34.123.103.115", + "34.71.250.247" + ], + "related.user": [ + "Administrator", + "testark" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "source.user.name": "Administrator", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "Administrator" + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/302_psm_disconnect.log b/x-pack/filebeat/module/cyberarkpas/audit/test/302_psm_disconnect.log new file mode 100644 index 00000000000..c172f644c9f --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/302_psm_disconnect.log @@ -0,0 +1,16 @@ +{"format":"elastic","version":"1.0","raw":"\n \n no\n Cyber-Ark\n Vault\n 11.6.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n Linux\n Root\\Operating System-LINUX-SSH-radiussrv.cyberark.local-admin2\n 10.2.0.7\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=radiussrv.cyberark.local;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:07;SessionID=35fac41e-22b5-11eb-83ca-000c297aae88;SrcHost=10.2.0.6;User=admin2;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n \n \n","syslog":{"audit_record":{"Rfc5424":"no","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.6.0000","MessageID":"302","IsoTimestamp":"2021-03-16T15:01:00Z","Desc":"PSM Disconnect","Severity":"Info","Issuer":"Administrator","Action":"PSM Disconnect","SourceUser":"","TargetUser":"","Safe":"Linux","File":"Root\\Operating System-LINUX-SSH-radiussrv.cyberark.local-admin2","Station":"10.2.0.7","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=radiussrv.cyberark.local;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:07;SessionID=35fac41e-22b5-11eb-83ca-000c297aae88;SrcHost=10.2.0.6;User=admin2;","Message":"PSM Disconnect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"LINUX-SSH"},{"Name":"UserName","Value":"admin2"},{"Name":"Address","Value":"radiussrv.cyberark.local"},{"Name":"DeviceType","Value":"Operating System"},{"Name":"CPMDisabled","Value":"No Reason"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"Customer","Value":"Tesla"}]}}}} +<5>1 2021-03-11T17:38:26Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:38:26\n 2021-03-11T17:38:26Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 81.32.170.205\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:13;SessionID=87012dcc-8290-11eb-949e-080027efd402;SrcHost=127.0.0.1;User=adrian;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:38:26","IsoTimestamp":"2021-03-11T17:38:26Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"302","Desc":"PSM Disconnect","Severity":"Info","Issuer":"Administrator","Action":"PSM Disconnect","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:13;SessionID=87012dcc-8290-11eb-949e-080027efd402;SrcHost=127.0.0.1;User=adrian;","Message":"PSM Disconnect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-11T17:47:01Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:47:01\n 2021-03-11T17:47:01Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 81.32.170.205\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:11;SessionID=ba22b012-8291-11eb-b981-080027efd402;SrcHost=127.0.0.1;User=adrian;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:47:01","IsoTimestamp":"2021-03-11T17:47:01Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"302","Desc":"PSM Disconnect","Severity":"Info","Issuer":"Administrator","Action":"PSM Disconnect","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:11;SessionID=ba22b012-8291-11eb-b981-080027efd402;SrcHost=127.0.0.1;User=adrian;","Message":"PSM Disconnect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-11T17:48:40Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:48:40\n 2021-03-11T17:48:40Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 81.32.170.205\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:12;SessionID=f6acbf00-8291-11eb-b9ba-080027efd402;SrcHost=10.0.2.2;User=adrian;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:48:40","IsoTimestamp":"2021-03-11T17:48:40Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"302","Desc":"PSM Disconnect","Severity":"Info","Issuer":"Administrator","Action":"PSM Disconnect","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:12;SessionID=f6acbf00-8291-11eb-b9ba-080027efd402;SrcHost=10.0.2.2;User=adrian;","Message":"PSM Disconnect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-11T17:55:02Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:55:02\n 2021-03-11T17:55:02Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 81.32.170.205\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:12;SessionID=d8ff4d32-8292-11eb-b962-080027efd402;SrcHost=10.0.2.2;User=adrian;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:55:02","IsoTimestamp":"2021-03-11T17:55:02Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"302","Desc":"PSM Disconnect","Severity":"Info","Issuer":"Administrator","Action":"PSM Disconnect","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:12;SessionID=d8ff4d32-8292-11eb-b962-080027efd402;SrcHost=10.0.2.2;User=adrian;","Message":"PSM Disconnect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-11T17:56:42Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:56:42\n 2021-03-11T17:56:42Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 81.32.170.205\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:12;SessionID=173dd46a-8293-11eb-afcb-080027efd402;SrcHost=10.0.2.2;User=adrian;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:56:42","IsoTimestamp":"2021-03-11T17:56:42Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"302","Desc":"PSM Disconnect","Severity":"Info","Issuer":"Administrator","Action":"PSM Disconnect","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:12;SessionID=173dd46a-8293-11eb-afcb-080027efd402;SrcHost=10.0.2.2;User=adrian;","Message":"PSM Disconnect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-11T20:23:30Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 12:23:30\n 2021-03-11T20:23:30Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 81.32.170.205\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:12;SessionID=988b22e8-82a7-11eb-83b9-080027efd402;SrcHost=10.0.2.2;User=adrian;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 12:23:30","IsoTimestamp":"2021-03-11T20:23:30Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"302","Desc":"PSM Disconnect","Severity":"Info","Issuer":"Administrator","Action":"PSM Disconnect","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:12;SessionID=988b22e8-82a7-11eb-83b9-080027efd402;SrcHost=10.0.2.2;User=adrian;","Message":"PSM Disconnect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-14T13:49:54Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 06:49:54\n 2021-03-14T13:49:54Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 34.71.250.247\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:18;SessionID=d284c268-2ba0-4366-af52-e33459b073a1;SrcHost=81.32.170.205;User=testark;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 06:49:54","IsoTimestamp":"2021-03-14T13:49:54Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"302","Desc":"PSM Disconnect","Severity":"Info","Issuer":"Administrator","Action":"PSM Disconnect","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-34.123.103.115-testark","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:18;SessionID=d284c268-2ba0-4366-af52-e33459b073a1;SrcHost=81.32.170.205;User=testark;","Message":"PSM Disconnect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastFailDate","Value":"1615729572"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"CPMErrorDetails","Value":"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-14T13:51:35Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 06:51:35\n 2021-03-14T13:51:35Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 34.71.250.247\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:54;SessionID=47747796-03e1-4a11-af39-ab56c00e7732;SrcHost=81.32.170.205;User=testark;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 06:51:35","IsoTimestamp":"2021-03-14T13:51:35Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"302","Desc":"PSM Disconnect","Severity":"Info","Issuer":"Administrator","Action":"PSM Disconnect","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-34.123.103.115-testark","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:54;SessionID=47747796-03e1-4a11-af39-ab56c00e7732;SrcHost=81.32.170.205;User=testark;","Message":"PSM Disconnect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastFailDate","Value":"1615729572"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"CPMErrorDetails","Value":"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-15T10:33:30Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 03:33:30\n 2021-03-15T10:33:30Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 34.71.250.247\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:01:35;SessionID=29f340df-89e9-405a-beae-0216390cda42;SrcHost=81.32.170.205;User=testark;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 03:33:30","IsoTimestamp":"2021-03-15T10:33:30Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"302","Desc":"PSM Disconnect","Severity":"Info","Issuer":"Administrator","Action":"PSM Disconnect","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-34.123.103.115-testark","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:01:35;SessionID=29f340df-89e9-405a-beae-0216390cda42;SrcHost=81.32.170.205;User=testark;","Message":"PSM Disconnect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CPMStatus","Value":"success"},{"Name":"RetriesCount","Value":"-1"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"LastSuccessVerification","Value":"1615803764"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-15T10:34:50Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 03:34:50\n 2021-03-15T10:34:50Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 34.71.250.247\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:01:13;SessionID=f1654cf8-8ce5-472a-8205-ba731b0fab46;SrcHost=81.32.170.205;User=testark;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 03:34:50","IsoTimestamp":"2021-03-15T10:34:50Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"302","Desc":"PSM Disconnect","Severity":"Info","Issuer":"Administrator","Action":"PSM Disconnect","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-34.123.103.115-testark","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:01:13;SessionID=f1654cf8-8ce5-472a-8205-ba731b0fab46;SrcHost=81.32.170.205;User=testark;","Message":"PSM Disconnect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CPMStatus","Value":"success"},{"Name":"RetriesCount","Value":"-1"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"LastSuccessVerification","Value":"1615803764"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-15T11:12:09Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 04:12:09\n 2021-03-15T11:12:09Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 34.71.250.247\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:37:10;SessionID=8b3d0b38-aef5-49d9-bdd7-d57706887d8b;SrcHost=81.32.170.205;User=testark;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 04:12:09","IsoTimestamp":"2021-03-15T11:12:09Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"302","Desc":"PSM Disconnect","Severity":"Info","Issuer":"Administrator","Action":"PSM Disconnect","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-34.123.103.115-testark","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:37:10;SessionID=8b3d0b38-aef5-49d9-bdd7-d57706887d8b;SrcHost=81.32.170.205;User=testark;","Message":"PSM Disconnect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CPMStatus","Value":"success"},{"Name":"RetriesCount","Value":"-1"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"LastSuccessVerification","Value":"1615803764"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-15T13:18:36Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 06:18:36\n 2021-03-15T13:18:36Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 34.71.250.247\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:05;SessionID=692fe25f-f940-4170-8ea4-5241b35173f0;SrcHost=81.32.170.205;User=adrian;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 06:18:36","IsoTimestamp":"2021-03-15T13:18:36Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"302","Desc":"PSM Disconnect","Severity":"Info","Issuer":"Administrator","Action":"PSM Disconnect","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:05;SessionID=692fe25f-f940-4170-8ea4-5241b35173f0;SrcHost=81.32.170.205;User=adrian;","Message":"PSM Disconnect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-15T14:08:11Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 07:08:11\n 2021-03-15T14:08:11Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 34.71.250.247\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:06;SessionID=f5725611-ca57-4a2a-a089-f45b3174a358;SrcHost=81.32.170.205;User=adrian;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 07:08:11","IsoTimestamp":"2021-03-15T14:08:11Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"302","Desc":"PSM Disconnect","Severity":"Info","Issuer":"Administrator","Action":"PSM Disconnect","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:06;SessionID=f5725611-ca57-4a2a-a089-f45b3174a358;SrcHost=81.32.170.205;User=adrian;","Message":"PSM Disconnect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-15T14:08:36Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 07:08:36\n 2021-03-15T14:08:36Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 34.71.250.247\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:09;SessionID=7db90436-8a1a-4203-9a96-65137625ab2d;SrcHost=81.32.170.205;User=testark;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 07:08:36","IsoTimestamp":"2021-03-15T14:08:36Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"302","Desc":"PSM Disconnect","Severity":"Info","Issuer":"Administrator","Action":"PSM Disconnect","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-34.123.103.115-testark","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:09;SessionID=7db90436-8a1a-4203-9a96-65137625ab2d;SrcHost=81.32.170.205;User=testark;","Message":"PSM Disconnect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastFailDate","Value":"1615814025"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"LastSuccessVerification","Value":"1615803764"},{"Name":"CPMErrorDetails","Value":"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"},{"Name":"UseSudoOnReconcile","Value":"Yes"}]}}}} +<5>1 2021-03-15T15:00:21Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 08:00:21\n 2021-03-15T15:00:21Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 34.71.250.247\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:49:12;SessionID=27f74dce-f5d5-4c94-bf99-ca6aafe2c518;SrcHost=81.32.170.205;User=testark;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 08:00:21","IsoTimestamp":"2021-03-15T15:00:21Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"302","Desc":"PSM Disconnect","Severity":"Info","Issuer":"Administrator","Action":"PSM Disconnect","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-34.123.103.115-testark","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:49:12;SessionID=27f74dce-f5d5-4c94-bf99-ca6aafe2c518;SrcHost=81.32.170.205;User=testark;","Message":"PSM Disconnect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"1"},{"Name":"LastFailDate","Value":"1615819476"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"LastSuccessVerification","Value":"1615803764"},{"Name":"CPMErrorDetails","Value":"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"},{"Name":"UseSudoOnReconcile","Value":"Yes"}]}}}} diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/302_psm_disconnect.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/302_psm_disconnect.log-expected.json new file mode 100644 index 00000000000..8aa327ff1a4 --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/302_psm_disconnect.log-expected.json @@ -0,0 +1,1417 @@ +[ + { + "@timestamp": "2021-03-16T15:01:00.000Z", + "cyberarkpas.audit.action": "PSM Disconnect", + "cyberarkpas.audit.ca_properties.address": "radiussrv.cyberark.local", + "cyberarkpas.audit.ca_properties.cpm_disabled": "No Reason", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.customer": "Tesla", + "cyberarkpas.audit.ca_properties.device_type": "Operating System", + "cyberarkpas.audit.ca_properties.policy_id": "LINUX-SSH", + "cyberarkpas.audit.ca_properties.user_name": "admin2", + "cyberarkpas.audit.desc": "PSM Disconnect", + "cyberarkpas.audit.extra_details.application_type": "PSMP-SSH", + "cyberarkpas.audit.extra_details.dst_host": "radiussrv.cyberark.local", + "cyberarkpas.audit.extra_details.managed_account": "Yes", + "cyberarkpas.audit.extra_details.protocol": "SSH", + "cyberarkpas.audit.extra_details.psmid": "PSMServer", + "cyberarkpas.audit.extra_details.session_duration": "00:00:07", + "cyberarkpas.audit.extra_details.session_id": "35fac41e-22b5-11eb-83ca-000c297aae88", + "cyberarkpas.audit.extra_details.src_host": "10.2.0.6", + "cyberarkpas.audit.extra_details.user": "admin2", + "cyberarkpas.audit.file": "Root\\Operating System-LINUX-SSH-radiussrv.cyberark.local-admin2", + "cyberarkpas.audit.iso_timestamp": "2021-03-16T15:01:00Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "PSM Disconnect", + "cyberarkpas.audit.raw": "\n \n no\n Cyber-Ark\n Vault\n 11.6.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n Linux\n Root\\Operating System-LINUX-SSH-radiussrv.cyberark.local-admin2\n 10.2.0.7\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=radiussrv.cyberark.local;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:07;SessionID=35fac41e-22b5-11eb-83ca-000c297aae88;SrcHost=10.2.0.6;User=admin2;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n \n \n", + "cyberarkpas.audit.rfc5424": false, + "cyberarkpas.audit.safe": "Linux", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "10.2.0.7", + "destination.address": "radiussrv.cyberark.local", + "destination.domain": "radiussrv.cyberark.local", + "destination.user.name": "admin2", + "event.action": "psm disconnect", + "event.category": [ + "session" + ], + "event.code": "302", + "event.dataset": "cyberarkpas.audit", + "event.duration": 7000000000, + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "end" + ], + "file.path": "Root\\Operating System-LINUX-SSH-radiussrv.cyberark.local-admin2", + "fileset.name": "audit", + "input.type": "log", + "log.offset": 0, + "network.application": "ssh", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.6.0000", + "related.ip": [ + "10.2.0.6", + "10.2.0.7" + ], + "related.user": [ + "Administrator", + "admin2" + ], + "service.type": "cyberarkpas", + "source.address": "10.2.0.6", + "source.ip": "10.2.0.6", + "source.user.name": "Administrator", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "Administrator" + }, + { + "@timestamp": "2021-03-11T17:38:26.000Z", + "cyberarkpas.audit.action": "PSM Disconnect", + "cyberarkpas.audit.ca_properties.address": "34.123.103.115", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.device_type": "Operating System", + "cyberarkpas.audit.ca_properties.policy_id": "UnixSSHKeys", + "cyberarkpas.audit.ca_properties.user_name": "adrian", + "cyberarkpas.audit.desc": "PSM Disconnect", + "cyberarkpas.audit.extra_details.application_type": "PSMP-SSH", + "cyberarkpas.audit.extra_details.dst_host": "34.123.103.115", + "cyberarkpas.audit.extra_details.managed_account": "Yes", + "cyberarkpas.audit.extra_details.protocol": "ssh", + "cyberarkpas.audit.extra_details.psmid": "PSMServer", + "cyberarkpas.audit.extra_details.session_duration": "00:00:13", + "cyberarkpas.audit.extra_details.session_id": "87012dcc-8290-11eb-949e-080027efd402", + "cyberarkpas.audit.extra_details.src_host": "127.0.0.1", + "cyberarkpas.audit.extra_details.user": "adrian", + "cyberarkpas.audit.file": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian", + "cyberarkpas.audit.iso_timestamp": "2021-03-11T17:38:26Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "PSM Disconnect", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 09:38:26\n 2021-03-11T17:38:26Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 81.32.170.205\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:13;SessionID=87012dcc-8290-11eb-949e-080027efd402;SrcHost=127.0.0.1;User=adrian;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "PSM", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.timestamp": "Mar 11 09:38:26", + "destination.address": "34.123.103.115", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "34.123.103.115", + "destination.user.name": "adrian", + "event.action": "psm disconnect", + "event.category": [ + "session" + ], + "event.code": "302", + "event.dataset": "cyberarkpas.audit", + "event.duration": 13000000000, + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "end" + ], + "file.path": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 2634, + "log.syslog.priority": "5", + "network.application": "ssh", + "network.direction": "outbound", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "127.0.0.1", + "34.123.103.115", + "81.32.170.205" + ], + "related.user": [ + "Administrator", + "adrian" + ], + "service.type": "cyberarkpas", + "source.address": "127.0.0.1", + "source.ip": "127.0.0.1", + "source.user.name": "Administrator", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "Administrator" + }, + { + "@timestamp": "2021-03-11T17:47:01.000Z", + "cyberarkpas.audit.action": "PSM Disconnect", + "cyberarkpas.audit.ca_properties.address": "34.123.103.115", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.device_type": "Operating System", + "cyberarkpas.audit.ca_properties.policy_id": "UnixSSHKeys", + "cyberarkpas.audit.ca_properties.user_name": "adrian", + "cyberarkpas.audit.desc": "PSM Disconnect", + "cyberarkpas.audit.extra_details.application_type": "PSMP-SSH", + "cyberarkpas.audit.extra_details.dst_host": "34.123.103.115", + "cyberarkpas.audit.extra_details.managed_account": "Yes", + "cyberarkpas.audit.extra_details.protocol": "ssh", + "cyberarkpas.audit.extra_details.psmid": "PSMServer", + "cyberarkpas.audit.extra_details.session_duration": "00:00:11", + "cyberarkpas.audit.extra_details.session_id": "ba22b012-8291-11eb-b981-080027efd402", + "cyberarkpas.audit.extra_details.src_host": "127.0.0.1", + "cyberarkpas.audit.extra_details.user": "adrian", + "cyberarkpas.audit.file": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian", + "cyberarkpas.audit.iso_timestamp": "2021-03-11T17:47:01Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "PSM Disconnect", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 09:47:01\n 2021-03-11T17:47:01Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 81.32.170.205\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:11;SessionID=ba22b012-8291-11eb-b981-080027efd402;SrcHost=127.0.0.1;User=adrian;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "PSM", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.timestamp": "Mar 11 09:47:01", + "destination.address": "34.123.103.115", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "34.123.103.115", + "destination.user.name": "adrian", + "event.action": "psm disconnect", + "event.category": [ + "session" + ], + "event.code": "302", + "event.dataset": "cyberarkpas.audit", + "event.duration": 11000000000, + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "end" + ], + "file.path": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 5222, + "log.syslog.priority": "5", + "network.application": "ssh", + "network.direction": "outbound", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "127.0.0.1", + "34.123.103.115", + "81.32.170.205" + ], + "related.user": [ + "Administrator", + "adrian" + ], + "service.type": "cyberarkpas", + "source.address": "127.0.0.1", + "source.ip": "127.0.0.1", + "source.user.name": "Administrator", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "Administrator" + }, + { + "@timestamp": "2021-03-11T17:48:40.000Z", + "cyberarkpas.audit.action": "PSM Disconnect", + "cyberarkpas.audit.ca_properties.address": "34.123.103.115", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.device_type": "Operating System", + "cyberarkpas.audit.ca_properties.policy_id": "UnixSSHKeys", + "cyberarkpas.audit.ca_properties.user_name": "adrian", + "cyberarkpas.audit.desc": "PSM Disconnect", + "cyberarkpas.audit.extra_details.application_type": "PSMP-SSH", + "cyberarkpas.audit.extra_details.dst_host": "34.123.103.115", + "cyberarkpas.audit.extra_details.managed_account": "Yes", + "cyberarkpas.audit.extra_details.protocol": "ssh", + "cyberarkpas.audit.extra_details.psmid": "PSMServer", + "cyberarkpas.audit.extra_details.session_duration": "00:00:12", + "cyberarkpas.audit.extra_details.session_id": "f6acbf00-8291-11eb-b9ba-080027efd402", + "cyberarkpas.audit.extra_details.src_host": "10.0.2.2", + "cyberarkpas.audit.extra_details.user": "adrian", + "cyberarkpas.audit.file": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian", + "cyberarkpas.audit.iso_timestamp": "2021-03-11T17:48:40Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "PSM Disconnect", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 09:48:40\n 2021-03-11T17:48:40Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 81.32.170.205\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:12;SessionID=f6acbf00-8291-11eb-b9ba-080027efd402;SrcHost=10.0.2.2;User=adrian;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "PSM", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.timestamp": "Mar 11 09:48:40", + "destination.address": "34.123.103.115", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "34.123.103.115", + "destination.user.name": "adrian", + "event.action": "psm disconnect", + "event.category": [ + "session" + ], + "event.code": "302", + "event.dataset": "cyberarkpas.audit", + "event.duration": 12000000000, + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "end" + ], + "file.path": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 7810, + "log.syslog.priority": "5", + "network.application": "ssh", + "network.direction": "outbound", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "10.0.2.2", + "34.123.103.115", + "81.32.170.205" + ], + "related.user": [ + "Administrator", + "adrian" + ], + "service.type": "cyberarkpas", + "source.address": "10.0.2.2", + "source.ip": "10.0.2.2", + "source.user.name": "Administrator", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "Administrator" + }, + { + "@timestamp": "2021-03-11T17:55:02.000Z", + "cyberarkpas.audit.action": "PSM Disconnect", + "cyberarkpas.audit.ca_properties.address": "34.123.103.115", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.device_type": "Operating System", + "cyberarkpas.audit.ca_properties.policy_id": "UnixSSHKeys", + "cyberarkpas.audit.ca_properties.user_name": "adrian", + "cyberarkpas.audit.desc": "PSM Disconnect", + "cyberarkpas.audit.extra_details.application_type": "PSMP-SSH", + "cyberarkpas.audit.extra_details.dst_host": "34.123.103.115", + "cyberarkpas.audit.extra_details.managed_account": "Yes", + "cyberarkpas.audit.extra_details.protocol": "ssh", + "cyberarkpas.audit.extra_details.psmid": "PSMServer", + "cyberarkpas.audit.extra_details.session_duration": "00:00:12", + "cyberarkpas.audit.extra_details.session_id": "d8ff4d32-8292-11eb-b962-080027efd402", + "cyberarkpas.audit.extra_details.src_host": "10.0.2.2", + "cyberarkpas.audit.extra_details.user": "adrian", + "cyberarkpas.audit.file": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian", + "cyberarkpas.audit.iso_timestamp": "2021-03-11T17:55:02Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "PSM Disconnect", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 09:55:02\n 2021-03-11T17:55:02Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 81.32.170.205\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:12;SessionID=d8ff4d32-8292-11eb-b962-080027efd402;SrcHost=10.0.2.2;User=adrian;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "PSM", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.timestamp": "Mar 11 09:55:02", + "destination.address": "34.123.103.115", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "34.123.103.115", + "destination.user.name": "adrian", + "event.action": "psm disconnect", + "event.category": [ + "session" + ], + "event.code": "302", + "event.dataset": "cyberarkpas.audit", + "event.duration": 12000000000, + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "end" + ], + "file.path": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 10396, + "log.syslog.priority": "5", + "network.application": "ssh", + "network.direction": "outbound", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "10.0.2.2", + "34.123.103.115", + "81.32.170.205" + ], + "related.user": [ + "Administrator", + "adrian" + ], + "service.type": "cyberarkpas", + "source.address": "10.0.2.2", + "source.ip": "10.0.2.2", + "source.user.name": "Administrator", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "Administrator" + }, + { + "@timestamp": "2021-03-11T17:56:42.000Z", + "cyberarkpas.audit.action": "PSM Disconnect", + "cyberarkpas.audit.ca_properties.address": "34.123.103.115", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.device_type": "Operating System", + "cyberarkpas.audit.ca_properties.policy_id": "UnixSSHKeys", + "cyberarkpas.audit.ca_properties.user_name": "adrian", + "cyberarkpas.audit.desc": "PSM Disconnect", + "cyberarkpas.audit.extra_details.application_type": "PSMP-SSH", + "cyberarkpas.audit.extra_details.dst_host": "34.123.103.115", + "cyberarkpas.audit.extra_details.managed_account": "Yes", + "cyberarkpas.audit.extra_details.protocol": "ssh", + "cyberarkpas.audit.extra_details.psmid": "PSMServer", + "cyberarkpas.audit.extra_details.session_duration": "00:00:12", + "cyberarkpas.audit.extra_details.session_id": "173dd46a-8293-11eb-afcb-080027efd402", + "cyberarkpas.audit.extra_details.src_host": "10.0.2.2", + "cyberarkpas.audit.extra_details.user": "adrian", + "cyberarkpas.audit.file": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian", + "cyberarkpas.audit.iso_timestamp": "2021-03-11T17:56:42Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "PSM Disconnect", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 09:56:42\n 2021-03-11T17:56:42Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 81.32.170.205\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:12;SessionID=173dd46a-8293-11eb-afcb-080027efd402;SrcHost=10.0.2.2;User=adrian;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "PSM", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.timestamp": "Mar 11 09:56:42", + "destination.address": "34.123.103.115", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "34.123.103.115", + "destination.user.name": "adrian", + "event.action": "psm disconnect", + "event.category": [ + "session" + ], + "event.code": "302", + "event.dataset": "cyberarkpas.audit", + "event.duration": 12000000000, + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "end" + ], + "file.path": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 12982, + "log.syslog.priority": "5", + "network.application": "ssh", + "network.direction": "outbound", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "10.0.2.2", + "34.123.103.115", + "81.32.170.205" + ], + "related.user": [ + "Administrator", + "adrian" + ], + "service.type": "cyberarkpas", + "source.address": "10.0.2.2", + "source.ip": "10.0.2.2", + "source.user.name": "Administrator", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "Administrator" + }, + { + "@timestamp": "2021-03-11T20:23:30.000Z", + "cyberarkpas.audit.action": "PSM Disconnect", + "cyberarkpas.audit.ca_properties.address": "34.123.103.115", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.device_type": "Operating System", + "cyberarkpas.audit.ca_properties.policy_id": "UnixSSHKeys", + "cyberarkpas.audit.ca_properties.user_name": "adrian", + "cyberarkpas.audit.desc": "PSM Disconnect", + "cyberarkpas.audit.extra_details.application_type": "PSMP-SSH", + "cyberarkpas.audit.extra_details.dst_host": "34.123.103.115", + "cyberarkpas.audit.extra_details.managed_account": "Yes", + "cyberarkpas.audit.extra_details.protocol": "ssh", + "cyberarkpas.audit.extra_details.psmid": "PSMServer", + "cyberarkpas.audit.extra_details.session_duration": "00:00:12", + "cyberarkpas.audit.extra_details.session_id": "988b22e8-82a7-11eb-83b9-080027efd402", + "cyberarkpas.audit.extra_details.src_host": "10.0.2.2", + "cyberarkpas.audit.extra_details.user": "adrian", + "cyberarkpas.audit.file": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian", + "cyberarkpas.audit.iso_timestamp": "2021-03-11T20:23:30Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "PSM Disconnect", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 12:23:30\n 2021-03-11T20:23:30Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 81.32.170.205\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:12;SessionID=988b22e8-82a7-11eb-83b9-080027efd402;SrcHost=10.0.2.2;User=adrian;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "PSM", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.timestamp": "Mar 11 12:23:30", + "destination.address": "34.123.103.115", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "34.123.103.115", + "destination.user.name": "adrian", + "event.action": "psm disconnect", + "event.category": [ + "session" + ], + "event.code": "302", + "event.dataset": "cyberarkpas.audit", + "event.duration": 12000000000, + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "end" + ], + "file.path": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 15568, + "log.syslog.priority": "5", + "network.application": "ssh", + "network.direction": "outbound", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "10.0.2.2", + "34.123.103.115", + "81.32.170.205" + ], + "related.user": [ + "Administrator", + "adrian" + ], + "service.type": "cyberarkpas", + "source.address": "10.0.2.2", + "source.ip": "10.0.2.2", + "source.user.name": "Administrator", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "Administrator" + }, + { + "@timestamp": "2021-03-14T13:49:54.000Z", + "cyberarkpas.audit.action": "PSM Disconnect", + "cyberarkpas.audit.ca_properties.address": "34.123.103.115", + "cyberarkpas.audit.ca_properties.cpm_error_details": "First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031", + "cyberarkpas.audit.ca_properties.cpm_status": "failure", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.device_type": "Operating System", + "cyberarkpas.audit.ca_properties.last_fail_date": "1615729572", + "cyberarkpas.audit.ca_properties.last_task": "ReconcileTask", + "cyberarkpas.audit.ca_properties.policy_id": "UnixSSH", + "cyberarkpas.audit.ca_properties.reset_immediately": "ReconcileTask", + "cyberarkpas.audit.ca_properties.retries_count": "0", + "cyberarkpas.audit.ca_properties.user_name": "testark", + "cyberarkpas.audit.desc": "PSM Disconnect", + "cyberarkpas.audit.extra_details.application_type": "PSMP-SSH", + "cyberarkpas.audit.extra_details.dst_host": "34.123.103.115", + "cyberarkpas.audit.extra_details.managed_account": "Yes", + "cyberarkpas.audit.extra_details.protocol": "SSH", + "cyberarkpas.audit.extra_details.psmid": "PSMServer", + "cyberarkpas.audit.extra_details.session_duration": "00:00:18", + "cyberarkpas.audit.extra_details.session_id": "d284c268-2ba0-4366-af52-e33459b073a1", + "cyberarkpas.audit.extra_details.src_host": "81.32.170.205", + "cyberarkpas.audit.extra_details.user": "testark", + "cyberarkpas.audit.file": "Root\\Operating System-UnixSSH-34.123.103.115-testark", + "cyberarkpas.audit.iso_timestamp": "2021-03-14T13:49:54Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "PSM Disconnect", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 14 06:49:54\n 2021-03-14T13:49:54Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 34.71.250.247\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:18;SessionID=d284c268-2ba0-4366-af52-e33459b073a1;SrcHost=81.32.170.205;User=testark;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "partner", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "34.71.250.247", + "cyberarkpas.audit.timestamp": "Mar 14 06:49:54", + "destination.address": "34.123.103.115", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "34.123.103.115", + "destination.user.name": "testark", + "event.action": "psm disconnect", + "event.category": [ + "session" + ], + "event.code": "302", + "event.dataset": "cyberarkpas.audit", + "event.duration": 18000000000, + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "end" + ], + "file.path": "Root\\Operating System-UnixSSH-34.123.103.115-testark", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 18154, + "log.syslog.priority": "5", + "network.application": "ssh", + "network.direction": "external", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205", + "34.123.103.115", + "34.71.250.247" + ], + "related.user": [ + "Administrator", + "testark" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "source.user.name": "Administrator", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "Administrator" + }, + { + "@timestamp": "2021-03-14T13:51:35.000Z", + "cyberarkpas.audit.action": "PSM Disconnect", + "cyberarkpas.audit.ca_properties.address": "34.123.103.115", + "cyberarkpas.audit.ca_properties.cpm_error_details": "First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031", + "cyberarkpas.audit.ca_properties.cpm_status": "failure", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.device_type": "Operating System", + "cyberarkpas.audit.ca_properties.last_fail_date": "1615729572", + "cyberarkpas.audit.ca_properties.last_task": "ReconcileTask", + "cyberarkpas.audit.ca_properties.policy_id": "UnixSSH", + "cyberarkpas.audit.ca_properties.reset_immediately": "ReconcileTask", + "cyberarkpas.audit.ca_properties.retries_count": "0", + "cyberarkpas.audit.ca_properties.user_name": "testark", + "cyberarkpas.audit.desc": "PSM Disconnect", + "cyberarkpas.audit.extra_details.application_type": "PSMP-SSH", + "cyberarkpas.audit.extra_details.dst_host": "34.123.103.115", + "cyberarkpas.audit.extra_details.managed_account": "Yes", + "cyberarkpas.audit.extra_details.protocol": "SSH", + "cyberarkpas.audit.extra_details.psmid": "PSMServer", + "cyberarkpas.audit.extra_details.session_duration": "00:00:54", + "cyberarkpas.audit.extra_details.session_id": "47747796-03e1-4a11-af39-ab56c00e7732", + "cyberarkpas.audit.extra_details.src_host": "81.32.170.205", + "cyberarkpas.audit.extra_details.user": "testark", + "cyberarkpas.audit.file": "Root\\Operating System-UnixSSH-34.123.103.115-testark", + "cyberarkpas.audit.iso_timestamp": "2021-03-14T13:51:35Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "PSM Disconnect", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 14 06:51:35\n 2021-03-14T13:51:35Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 34.71.250.247\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:54;SessionID=47747796-03e1-4a11-af39-ab56c00e7732;SrcHost=81.32.170.205;User=testark;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "partner", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "34.71.250.247", + "cyberarkpas.audit.timestamp": "Mar 14 06:51:35", + "destination.address": "34.123.103.115", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "34.123.103.115", + "destination.user.name": "testark", + "event.action": "psm disconnect", + "event.category": [ + "session" + ], + "event.code": "302", + "event.dataset": "cyberarkpas.audit", + "event.duration": 54000000000, + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "end" + ], + "file.path": "Root\\Operating System-UnixSSH-34.123.103.115-testark", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 21738, + "log.syslog.priority": "5", + "network.application": "ssh", + "network.direction": "external", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205", + "34.123.103.115", + "34.71.250.247" + ], + "related.user": [ + "Administrator", + "testark" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "source.user.name": "Administrator", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "Administrator" + }, + { + "@timestamp": "2021-03-15T10:33:30.000Z", + "cyberarkpas.audit.action": "PSM Disconnect", + "cyberarkpas.audit.ca_properties.address": "34.123.103.115", + "cyberarkpas.audit.ca_properties.cpm_status": "success", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.device_type": "Operating System", + "cyberarkpas.audit.ca_properties.last_success_verification": "1615803764", + "cyberarkpas.audit.ca_properties.last_task": "VerifyTask", + "cyberarkpas.audit.ca_properties.policy_id": "UnixSSH", + "cyberarkpas.audit.ca_properties.retries_count": "-1", + "cyberarkpas.audit.ca_properties.user_name": "testark", + "cyberarkpas.audit.desc": "PSM Disconnect", + "cyberarkpas.audit.extra_details.application_type": "PSMP-SSH", + "cyberarkpas.audit.extra_details.dst_host": "34.123.103.115", + "cyberarkpas.audit.extra_details.managed_account": "Yes", + "cyberarkpas.audit.extra_details.protocol": "SSH", + "cyberarkpas.audit.extra_details.psmid": "PSMServer", + "cyberarkpas.audit.extra_details.session_duration": "00:01:35", + "cyberarkpas.audit.extra_details.session_id": "29f340df-89e9-405a-beae-0216390cda42", + "cyberarkpas.audit.extra_details.src_host": "81.32.170.205", + "cyberarkpas.audit.extra_details.user": "testark", + "cyberarkpas.audit.file": "Root\\Operating System-UnixSSH-34.123.103.115-testark", + "cyberarkpas.audit.iso_timestamp": "2021-03-15T10:33:30Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "PSM Disconnect", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 15 03:33:30\n 2021-03-15T10:33:30Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 34.71.250.247\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:01:35;SessionID=29f340df-89e9-405a-beae-0216390cda42;SrcHost=81.32.170.205;User=testark;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "partner", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "34.71.250.247", + "cyberarkpas.audit.timestamp": "Mar 15 03:33:30", + "destination.address": "34.123.103.115", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "34.123.103.115", + "destination.user.name": "testark", + "event.action": "psm disconnect", + "event.category": [ + "session" + ], + "event.code": "302", + "event.dataset": "cyberarkpas.audit", + "event.duration": 95000000000, + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "end" + ], + "file.path": "Root\\Operating System-UnixSSH-34.123.103.115-testark", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 25322, + "log.syslog.priority": "5", + "network.application": "ssh", + "network.direction": "external", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205", + "34.123.103.115", + "34.71.250.247" + ], + "related.user": [ + "Administrator", + "testark" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "source.user.name": "Administrator", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "Administrator" + }, + { + "@timestamp": "2021-03-15T10:34:50.000Z", + "cyberarkpas.audit.action": "PSM Disconnect", + "cyberarkpas.audit.ca_properties.address": "34.123.103.115", + "cyberarkpas.audit.ca_properties.cpm_status": "success", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.device_type": "Operating System", + "cyberarkpas.audit.ca_properties.last_success_verification": "1615803764", + "cyberarkpas.audit.ca_properties.last_task": "VerifyTask", + "cyberarkpas.audit.ca_properties.policy_id": "UnixSSH", + "cyberarkpas.audit.ca_properties.retries_count": "-1", + "cyberarkpas.audit.ca_properties.user_name": "testark", + "cyberarkpas.audit.desc": "PSM Disconnect", + "cyberarkpas.audit.extra_details.application_type": "PSMP-SSH", + "cyberarkpas.audit.extra_details.dst_host": "34.123.103.115", + "cyberarkpas.audit.extra_details.managed_account": "Yes", + "cyberarkpas.audit.extra_details.protocol": "SSH", + "cyberarkpas.audit.extra_details.psmid": "PSMServer", + "cyberarkpas.audit.extra_details.session_duration": "00:01:13", + "cyberarkpas.audit.extra_details.session_id": "f1654cf8-8ce5-472a-8205-ba731b0fab46", + "cyberarkpas.audit.extra_details.src_host": "81.32.170.205", + "cyberarkpas.audit.extra_details.user": "testark", + "cyberarkpas.audit.file": "Root\\Operating System-UnixSSH-34.123.103.115-testark", + "cyberarkpas.audit.iso_timestamp": "2021-03-15T10:34:50Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "PSM Disconnect", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 15 03:34:50\n 2021-03-15T10:34:50Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 34.71.250.247\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:01:13;SessionID=f1654cf8-8ce5-472a-8205-ba731b0fab46;SrcHost=81.32.170.205;User=testark;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "partner", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "34.71.250.247", + "cyberarkpas.audit.timestamp": "Mar 15 03:34:50", + "destination.address": "34.123.103.115", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "34.123.103.115", + "destination.user.name": "testark", + "event.action": "psm disconnect", + "event.category": [ + "session" + ], + "event.code": "302", + "event.dataset": "cyberarkpas.audit", + "event.duration": 73000000000, + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "end" + ], + "file.path": "Root\\Operating System-UnixSSH-34.123.103.115-testark", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 28386, + "log.syslog.priority": "5", + "network.application": "ssh", + "network.direction": "external", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205", + "34.123.103.115", + "34.71.250.247" + ], + "related.user": [ + "Administrator", + "testark" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "source.user.name": "Administrator", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "Administrator" + }, + { + "@timestamp": "2021-03-15T11:12:09.000Z", + "cyberarkpas.audit.action": "PSM Disconnect", + "cyberarkpas.audit.ca_properties.address": "34.123.103.115", + "cyberarkpas.audit.ca_properties.cpm_status": "success", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.device_type": "Operating System", + "cyberarkpas.audit.ca_properties.last_success_verification": "1615803764", + "cyberarkpas.audit.ca_properties.last_task": "VerifyTask", + "cyberarkpas.audit.ca_properties.policy_id": "UnixSSH", + "cyberarkpas.audit.ca_properties.retries_count": "-1", + "cyberarkpas.audit.ca_properties.user_name": "testark", + "cyberarkpas.audit.desc": "PSM Disconnect", + "cyberarkpas.audit.extra_details.application_type": "PSMP-SSH", + "cyberarkpas.audit.extra_details.dst_host": "34.123.103.115", + "cyberarkpas.audit.extra_details.managed_account": "Yes", + "cyberarkpas.audit.extra_details.protocol": "SSH", + "cyberarkpas.audit.extra_details.psmid": "PSMServer", + "cyberarkpas.audit.extra_details.session_duration": "00:37:10", + "cyberarkpas.audit.extra_details.session_id": "8b3d0b38-aef5-49d9-bdd7-d57706887d8b", + "cyberarkpas.audit.extra_details.src_host": "81.32.170.205", + "cyberarkpas.audit.extra_details.user": "testark", + "cyberarkpas.audit.file": "Root\\Operating System-UnixSSH-34.123.103.115-testark", + "cyberarkpas.audit.iso_timestamp": "2021-03-15T11:12:09Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "PSM Disconnect", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 15 04:12:09\n 2021-03-15T11:12:09Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 34.71.250.247\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:37:10;SessionID=8b3d0b38-aef5-49d9-bdd7-d57706887d8b;SrcHost=81.32.170.205;User=testark;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "partner", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "34.71.250.247", + "cyberarkpas.audit.timestamp": "Mar 15 04:12:09", + "destination.address": "34.123.103.115", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "34.123.103.115", + "destination.user.name": "testark", + "event.action": "psm disconnect", + "event.category": [ + "session" + ], + "event.code": "302", + "event.dataset": "cyberarkpas.audit", + "event.duration": 2230000000000, + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "end" + ], + "file.path": "Root\\Operating System-UnixSSH-34.123.103.115-testark", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 31450, + "log.syslog.priority": "5", + "network.application": "ssh", + "network.direction": "external", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205", + "34.123.103.115", + "34.71.250.247" + ], + "related.user": [ + "Administrator", + "testark" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "source.user.name": "Administrator", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "Administrator" + }, + { + "@timestamp": "2021-03-15T13:18:36.000Z", + "cyberarkpas.audit.action": "PSM Disconnect", + "cyberarkpas.audit.ca_properties.address": "34.123.103.115", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.device_type": "Operating System", + "cyberarkpas.audit.ca_properties.policy_id": "UnixSSHKeys", + "cyberarkpas.audit.ca_properties.user_name": "adrian", + "cyberarkpas.audit.desc": "PSM Disconnect", + "cyberarkpas.audit.extra_details.application_type": "PSMP-SSH", + "cyberarkpas.audit.extra_details.dst_host": "34.123.103.115", + "cyberarkpas.audit.extra_details.managed_account": "Yes", + "cyberarkpas.audit.extra_details.protocol": "SSH", + "cyberarkpas.audit.extra_details.psmid": "PSMServer", + "cyberarkpas.audit.extra_details.session_duration": "00:00:05", + "cyberarkpas.audit.extra_details.session_id": "692fe25f-f940-4170-8ea4-5241b35173f0", + "cyberarkpas.audit.extra_details.src_host": "81.32.170.205", + "cyberarkpas.audit.extra_details.user": "adrian", + "cyberarkpas.audit.file": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian", + "cyberarkpas.audit.iso_timestamp": "2021-03-15T13:18:36Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "PSM Disconnect", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 15 06:18:36\n 2021-03-15T13:18:36Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 34.71.250.247\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:05;SessionID=692fe25f-f940-4170-8ea4-5241b35173f0;SrcHost=81.32.170.205;User=adrian;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "PSM", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "34.71.250.247", + "cyberarkpas.audit.timestamp": "Mar 15 06:18:36", + "destination.address": "34.123.103.115", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "34.123.103.115", + "destination.user.name": "adrian", + "event.action": "psm disconnect", + "event.category": [ + "session" + ], + "event.code": "302", + "event.dataset": "cyberarkpas.audit", + "event.duration": 5000000000, + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "end" + ], + "file.path": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 34514, + "log.syslog.priority": "5", + "network.application": "ssh", + "network.direction": "external", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205", + "34.123.103.115", + "34.71.250.247" + ], + "related.user": [ + "Administrator", + "adrian" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "source.user.name": "Administrator", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "Administrator" + }, + { + "@timestamp": "2021-03-15T14:08:11.000Z", + "cyberarkpas.audit.action": "PSM Disconnect", + "cyberarkpas.audit.ca_properties.address": "34.123.103.115", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.device_type": "Operating System", + "cyberarkpas.audit.ca_properties.policy_id": "UnixSSHKeys", + "cyberarkpas.audit.ca_properties.user_name": "adrian", + "cyberarkpas.audit.desc": "PSM Disconnect", + "cyberarkpas.audit.extra_details.application_type": "PSMP-SSH", + "cyberarkpas.audit.extra_details.dst_host": "34.123.103.115", + "cyberarkpas.audit.extra_details.managed_account": "Yes", + "cyberarkpas.audit.extra_details.protocol": "SSH", + "cyberarkpas.audit.extra_details.psmid": "PSMServer", + "cyberarkpas.audit.extra_details.session_duration": "00:00:06", + "cyberarkpas.audit.extra_details.session_id": "f5725611-ca57-4a2a-a089-f45b3174a358", + "cyberarkpas.audit.extra_details.src_host": "81.32.170.205", + "cyberarkpas.audit.extra_details.user": "adrian", + "cyberarkpas.audit.file": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian", + "cyberarkpas.audit.iso_timestamp": "2021-03-15T14:08:11Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "PSM Disconnect", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 15 07:08:11\n 2021-03-15T14:08:11Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 34.71.250.247\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:06;SessionID=f5725611-ca57-4a2a-a089-f45b3174a358;SrcHost=81.32.170.205;User=adrian;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "PSM", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "34.71.250.247", + "cyberarkpas.audit.timestamp": "Mar 15 07:08:11", + "destination.address": "34.123.103.115", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "34.123.103.115", + "destination.user.name": "adrian", + "event.action": "psm disconnect", + "event.category": [ + "session" + ], + "event.code": "302", + "event.dataset": "cyberarkpas.audit", + "event.duration": 6000000000, + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "end" + ], + "file.path": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 37110, + "log.syslog.priority": "5", + "network.application": "ssh", + "network.direction": "external", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205", + "34.123.103.115", + "34.71.250.247" + ], + "related.user": [ + "Administrator", + "adrian" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "source.user.name": "Administrator", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "Administrator" + }, + { + "@timestamp": "2021-03-15T14:08:36.000Z", + "cyberarkpas.audit.action": "PSM Disconnect", + "cyberarkpas.audit.ca_properties.address": "34.123.103.115", + "cyberarkpas.audit.ca_properties.cpm_error_details": "First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031", + "cyberarkpas.audit.ca_properties.cpm_status": "failure", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.device_type": "Operating System", + "cyberarkpas.audit.ca_properties.last_fail_date": "1615814025", + "cyberarkpas.audit.ca_properties.last_success_verification": "1615803764", + "cyberarkpas.audit.ca_properties.last_task": "ReconcileTask", + "cyberarkpas.audit.ca_properties.policy_id": "UnixSSH", + "cyberarkpas.audit.ca_properties.reset_immediately": "ReconcileTask", + "cyberarkpas.audit.ca_properties.retries_count": "0", + "cyberarkpas.audit.ca_properties.use_sudo_on_reconcile": "Yes", + "cyberarkpas.audit.ca_properties.user_name": "testark", + "cyberarkpas.audit.desc": "PSM Disconnect", + "cyberarkpas.audit.extra_details.application_type": "PSMP-SSH", + "cyberarkpas.audit.extra_details.dst_host": "34.123.103.115", + "cyberarkpas.audit.extra_details.managed_account": "Yes", + "cyberarkpas.audit.extra_details.protocol": "SSH", + "cyberarkpas.audit.extra_details.psmid": "PSMServer", + "cyberarkpas.audit.extra_details.session_duration": "00:00:09", + "cyberarkpas.audit.extra_details.session_id": "7db90436-8a1a-4203-9a96-65137625ab2d", + "cyberarkpas.audit.extra_details.src_host": "81.32.170.205", + "cyberarkpas.audit.extra_details.user": "testark", + "cyberarkpas.audit.file": "Root\\Operating System-UnixSSH-34.123.103.115-testark", + "cyberarkpas.audit.iso_timestamp": "2021-03-15T14:08:36Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "PSM Disconnect", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 15 07:08:36\n 2021-03-15T14:08:36Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 34.71.250.247\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:09;SessionID=7db90436-8a1a-4203-9a96-65137625ab2d;SrcHost=81.32.170.205;User=testark;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "partner", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "34.71.250.247", + "cyberarkpas.audit.timestamp": "Mar 15 07:08:36", + "destination.address": "34.123.103.115", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "34.123.103.115", + "destination.user.name": "testark", + "event.action": "psm disconnect", + "event.category": [ + "session" + ], + "event.code": "302", + "event.dataset": "cyberarkpas.audit", + "event.duration": 9000000000, + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "end" + ], + "file.path": "Root\\Operating System-UnixSSH-34.123.103.115-testark", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 39706, + "log.syslog.priority": "5", + "network.application": "ssh", + "network.direction": "external", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205", + "34.123.103.115", + "34.71.250.247" + ], + "related.user": [ + "Administrator", + "testark" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "source.user.name": "Administrator", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "Administrator" + }, + { + "@timestamp": "2021-03-15T15:00:21.000Z", + "cyberarkpas.audit.action": "PSM Disconnect", + "cyberarkpas.audit.ca_properties.address": "34.123.103.115", + "cyberarkpas.audit.ca_properties.cpm_error_details": "First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031", + "cyberarkpas.audit.ca_properties.cpm_status": "failure", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.device_type": "Operating System", + "cyberarkpas.audit.ca_properties.last_fail_date": "1615819476", + "cyberarkpas.audit.ca_properties.last_success_verification": "1615803764", + "cyberarkpas.audit.ca_properties.last_task": "ReconcileTask", + "cyberarkpas.audit.ca_properties.policy_id": "UnixSSH", + "cyberarkpas.audit.ca_properties.reset_immediately": "ReconcileTask", + "cyberarkpas.audit.ca_properties.retries_count": "1", + "cyberarkpas.audit.ca_properties.use_sudo_on_reconcile": "Yes", + "cyberarkpas.audit.ca_properties.user_name": "testark", + "cyberarkpas.audit.desc": "PSM Disconnect", + "cyberarkpas.audit.extra_details.application_type": "PSMP-SSH", + "cyberarkpas.audit.extra_details.dst_host": "34.123.103.115", + "cyberarkpas.audit.extra_details.managed_account": "Yes", + "cyberarkpas.audit.extra_details.protocol": "SSH", + "cyberarkpas.audit.extra_details.psmid": "PSMServer", + "cyberarkpas.audit.extra_details.session_duration": "00:49:12", + "cyberarkpas.audit.extra_details.session_id": "27f74dce-f5d5-4c94-bf99-ca6aafe2c518", + "cyberarkpas.audit.extra_details.src_host": "81.32.170.205", + "cyberarkpas.audit.extra_details.user": "testark", + "cyberarkpas.audit.file": "Root\\Operating System-UnixSSH-34.123.103.115-testark", + "cyberarkpas.audit.iso_timestamp": "2021-03-15T15:00:21Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "PSM Disconnect", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 15 08:00:21\n 2021-03-15T15:00:21Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 34.71.250.247\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:49:12;SessionID=27f74dce-f5d5-4c94-bf99-ca6aafe2c518;SrcHost=81.32.170.205;User=testark;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "partner", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "34.71.250.247", + "cyberarkpas.audit.timestamp": "Mar 15 08:00:21", + "destination.address": "34.123.103.115", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "34.123.103.115", + "destination.user.name": "testark", + "event.action": "psm disconnect", + "event.category": [ + "session" + ], + "event.code": "302", + "event.dataset": "cyberarkpas.audit", + "event.duration": 2952000000000, + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "end" + ], + "file.path": "Root\\Operating System-UnixSSH-34.123.103.115-testark", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 43552, + "log.syslog.priority": "5", + "network.application": "ssh", + "network.direction": "external", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205", + "34.123.103.115", + "34.71.250.247" + ], + "related.user": [ + "Administrator", + "testark" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "source.user.name": "Administrator", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "Administrator" + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/304_psm_upload_recording.log b/x-pack/filebeat/module/cyberarkpas/audit/test/304_psm_upload_recording.log new file mode 100644 index 00000000000..1469d6ed00a --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/304_psm_upload_recording.log @@ -0,0 +1 @@ +<5>1 2021-03-25T09:20:56Z VLT01 {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 25 05:20:56\n 2021-03-25T09:20:56Z\n VLT01\n Cyber-Ark\n Vault\n 12.0.0000\n 304\n PSM Upload Recording\n Info\n PSMApp_COMP01\n PSM Upload Recording\n \n \n PSMRecordings\n Root\\a4636750-50a2-492e-984c-e08743d8a883.SSH.txt\n 10.0.0.15\n \n \n \n \n DstHost=rhel7.cybr.com;LogonAccount=logon;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:46;SessionID=a4636750-50a2-492e-984c-e08743d8a883;SrcHost=127.0.0.1;User=root;\n PSM Upload Recording\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 25 05:20:56","IsoTimestamp":"2021-03-25T09:20:56Z","Hostname":"VLT01","Vendor":"Cyber-Ark","Product":"Vault","Version":"12.0.0000","MessageID":"304","Desc":"PSM Upload Recording","Severity":"Info","Issuer":"PSMApp_COMP01","Action":"PSM Upload Recording","SourceUser":"","TargetUser":"","Safe":"PSMRecordings","File":"Root\\a4636750-50a2-492e-984c-e08743d8a883.SSH.txt","Station":"10.0.0.15","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"DstHost=rhel7.cybr.com;LogonAccount=logon;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:46;SessionID=a4636750-50a2-492e-984c-e08743d8a883;SrcHost=127.0.0.1;User=root;","Message":"PSM Upload Recording","GatewayStation":""}}} diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/304_psm_upload_recording.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/304_psm_upload_recording.log-expected.json new file mode 100644 index 00000000000..14603f0592b --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/304_psm_upload_recording.log-expected.json @@ -0,0 +1,52 @@ +[ + { + "@timestamp": "2021-03-25T09:20:56.000Z", + "cyberarkpas.audit.action": "PSM Upload Recording", + "cyberarkpas.audit.desc": "PSM Upload Recording", + "cyberarkpas.audit.extra_details.dst_host": "rhel7.cybr.com", + "cyberarkpas.audit.extra_details.logon_account": "logon", + "cyberarkpas.audit.extra_details.protocol": "SSH", + "cyberarkpas.audit.extra_details.psmid": "PSMServer", + "cyberarkpas.audit.extra_details.session_duration": "00:00:46", + "cyberarkpas.audit.extra_details.session_id": "a4636750-50a2-492e-984c-e08743d8a883", + "cyberarkpas.audit.extra_details.src_host": "127.0.0.1", + "cyberarkpas.audit.extra_details.user": "root", + "cyberarkpas.audit.file": "Root\\a4636750-50a2-492e-984c-e08743d8a883.SSH.txt", + "cyberarkpas.audit.iso_timestamp": "2021-03-25T09:20:56Z", + "cyberarkpas.audit.issuer": "PSMApp_COMP01", + "cyberarkpas.audit.message": "PSM Upload Recording", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 25 05:20:56\n 2021-03-25T09:20:56Z\n VLT01\n Cyber-Ark\n Vault\n 12.0.0000\n 304\n PSM Upload Recording\n Info\n PSMApp_COMP01\n PSM Upload Recording\n \n \n PSMRecordings\n Root\\a4636750-50a2-492e-984c-e08743d8a883.SSH.txt\n 10.0.0.15\n \n \n \n \n DstHost=rhel7.cybr.com;LogonAccount=logon;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:46;SessionID=a4636750-50a2-492e-984c-e08743d8a883;SrcHost=127.0.0.1;User=root;\n PSM Upload Recording\n \n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "PSMRecordings", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "10.0.0.15", + "cyberarkpas.audit.timestamp": "Mar 25 05:20:56", + "event.action": "psm upload recording", + "event.code": "304", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "file.path": "Root\\a4636750-50a2-492e-984c-e08743d8a883.SSH.txt", + "fileset.name": "audit", + "host.name": "VLT01", + "input.type": "log", + "log.offset": 0, + "log.syslog.priority": "5", + "observer.hostname": "VLT01", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "12.0.0000", + "related.ip": [ + "10.0.0.15" + ], + "service.type": "cyberarkpas", + "source.address": "10.0.0.15", + "source.ip": "10.0.0.15", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/308_use_password.log b/x-pack/filebeat/module/cyberarkpas/audit/test/308_use_password.log new file mode 100644 index 00000000000..8c77aabf909 --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/308_use_password.log @@ -0,0 +1,11 @@ +{"format":"elastic","version":"1.0","raw":"\n \n no\n Cyber-Ark\n Vault\n 11.6.0000\n 308\n Use Password\n Info\n adm2\n Use Password\n \n \n Windows\n Root\\Operating System-WIN-SERVER-LOCAL-dbserver.cyberark.local-Administrator2\n 10.2.0.6\n \n \n \n (Action: Connect)\n \n Use Password\n 10.2.0.3\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n","syslog":{"audit_record":{"Rfc5424":"no","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.6.0000","MessageID":"308","IsoTimestamp":"2021-03-16T15:01:00Z","Desc":"Use Password","Severity":"Info","Issuer":"adm2","Action":"Use Password","SourceUser":"","TargetUser":"","Safe":"Windows","File":"Root\\Operating System-WIN-SERVER-LOCAL-dbserver.cyberark.local-Administrator2","Station":"10.2.0.6","Location":"","Category":"","RequestId":"","Reason":"(Action: Connect)","ExtraDetails":"","Message":"Use Password","GatewayStation":"10.2.0.3","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WIN-SERVER-LOCAL"},{"Name":"UserName","Value":"Administrator2"},{"Name":"Address","Value":"dbserver.cyberark.local"},{"Name":"DeviceType","Value":"Operating System"},{"Name":"LogonDomain","Value":"DBServer"},{"Name":"SequenceID","Value":"1"},{"Name":"RetriesCount","Value":"-1"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"success"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"LastSuccessReconciliation","Value":"1604944215"},{"Name":"Customer","Value":"EvilCorp"}]}}}} +<5>1 2021-03-11T17:38:12Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:38:12\n 2021-03-11T17:38:12Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 308\n Use Password\n Info\n Administrator\n Use Password\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 127.0.0.1\n \n \n \n fun and profit\n \n Use Password\n 81.32.170.205\n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:38:12","IsoTimestamp":"2021-03-11T17:38:12Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"308","Desc":"Use Password","Severity":"Info","Issuer":"Administrator","Action":"Use Password","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"fun and profit","ExtraDetails":"","Message":"Use Password","GatewayStation":"81.32.170.205","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-11T17:46:49Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:46:49\n 2021-03-11T17:46:49Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 308\n Use Password\n Info\n Administrator\n Use Password\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 127.0.0.1\n \n \n \n FOR FUN.\n \n Use Password\n 81.32.170.205\n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:46:49","IsoTimestamp":"2021-03-11T17:46:49Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"308","Desc":"Use Password","Severity":"Info","Issuer":"Administrator","Action":"Use Password","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"FOR FUN.","ExtraDetails":"","Message":"Use Password","GatewayStation":"81.32.170.205","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-11T17:48:27Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:48:27\n 2021-03-11T17:48:27Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 308\n Use Password\n Info\n Administrator\n Use Password\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 10.0.2.2\n \n \n \n For fun and profit\n \n Use Password\n 81.32.170.205\n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:48:27","IsoTimestamp":"2021-03-11T17:48:27Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"308","Desc":"Use Password","Severity":"Info","Issuer":"Administrator","Action":"Use Password","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian","Station":"10.0.2.2","Location":"","Category":"","RequestId":"","Reason":"For fun and profit","ExtraDetails":"","Message":"Use Password","GatewayStation":"81.32.170.205","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-11T17:54:49Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:54:49\n 2021-03-11T17:54:49Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 308\n Use Password\n Info\n Administrator\n Use Password\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 10.0.2.2\n \n \n \n Because I say so\n \n Use Password\n 81.32.170.205\n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:54:49","IsoTimestamp":"2021-03-11T17:54:49Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"308","Desc":"Use Password","Severity":"Info","Issuer":"Administrator","Action":"Use Password","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian","Station":"10.0.2.2","Location":"","Category":"","RequestId":"","Reason":"Because I say so","ExtraDetails":"","Message":"Use Password","GatewayStation":"81.32.170.205","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-11T17:56:30Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:56:30\n 2021-03-11T17:56:30Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 308\n Use Password\n Info\n Administrator\n Use Password\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 10.0.2.2\n \n \n \n for fun\n \n Use Password\n 81.32.170.205\n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:56:30","IsoTimestamp":"2021-03-11T17:56:30Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"308","Desc":"Use Password","Severity":"Info","Issuer":"Administrator","Action":"Use Password","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian","Station":"10.0.2.2","Location":"","Category":"","RequestId":"","Reason":"for fun","ExtraDetails":"","Message":"Use Password","GatewayStation":"81.32.170.205","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-11T20:23:17Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 12:23:17\n 2021-03-11T20:23:17Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 308\n Use Password\n Info\n Administrator\n Use Password\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 10.0.2.2\n \n \n \n testing\n \n Use Password\n 81.32.170.205\n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 12:23:17","IsoTimestamp":"2021-03-11T20:23:17Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"308","Desc":"Use Password","Severity":"Info","Issuer":"Administrator","Action":"Use Password","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian","Station":"10.0.2.2","Location":"","Category":"","RequestId":"","Reason":"testing","ExtraDetails":"","Message":"Use Password","GatewayStation":"81.32.170.205","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-14T13:49:35Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 06:49:35\n 2021-03-14T13:49:35Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 308\n Use Password\n Info\n Administrator\n Use Password\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 81.32.170.205\n \n \n \n \n \n Use Password\n 34.71.250.247\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 06:49:35","IsoTimestamp":"2021-03-14T13:49:35Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"308","Desc":"Use Password","Severity":"Info","Issuer":"Administrator","Action":"Use Password","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-34.123.103.115-testark","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Use Password","GatewayStation":"34.71.250.247","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastFailDate","Value":"1615729572"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"CPMErrorDetails","Value":"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-15T10:31:54Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 03:31:54\n 2021-03-15T10:31:54Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 308\n Use Password\n Info\n Administrator\n Use Password\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 81.32.170.205\n \n \n \n \n \n Use Password\n 34.71.250.247\n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 03:31:54","IsoTimestamp":"2021-03-15T10:31:54Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"308","Desc":"Use Password","Severity":"Info","Issuer":"Administrator","Action":"Use Password","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-34.123.103.115-testark","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Use Password","GatewayStation":"34.71.250.247","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CPMStatus","Value":"success"},{"Name":"RetriesCount","Value":"-1"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"LastSuccessVerification","Value":"1615803764"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-15T14:08:26Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 07:08:26\n 2021-03-15T14:08:26Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 308\n Use Password\n Info\n Administrator\n Use Password\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 81.32.170.205\n \n \n \n \n \n Use Password\n 34.71.250.247\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 07:08:26","IsoTimestamp":"2021-03-15T14:08:26Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"308","Desc":"Use Password","Severity":"Info","Issuer":"Administrator","Action":"Use Password","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-34.123.103.115-testark","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Use Password","GatewayStation":"34.71.250.247","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastFailDate","Value":"1615814025"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"LastSuccessVerification","Value":"1615803764"},{"Name":"CPMErrorDetails","Value":"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"},{"Name":"UseSudoOnReconcile","Value":"Yes"}]}}}} +<5>1 2021-03-16T10:04:49Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 16 03:04:49\n 2021-03-16T10:04:49Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 308\n Use Password\n Info\n Administrator\n Use Password\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 81.32.170.205\n \n \n \n \n \n Use Password\n 34.71.250.247\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 16 03:04:49","IsoTimestamp":"2021-03-16T10:04:49Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"308","Desc":"Use Password","Severity":"Info","Issuer":"Administrator","Action":"Use Password","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-34.123.103.115-testark","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Use Password","GatewayStation":"34.71.250.247","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"4"},{"Name":"LastFailDate","Value":"1615888216"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"LastSuccessVerification","Value":"1615803764"},{"Name":"CPMErrorDetails","Value":"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"},{"Name":"UseSudoOnReconcile","Value":"Yes"}]}}}} diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/308_use_password.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/308_use_password.log-expected.json new file mode 100644 index 00000000000..953a5211a77 --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/308_use_password.log-expected.json @@ -0,0 +1,867 @@ +[ + { + "@timestamp": "2021-03-16T15:01:00.000Z", + "cyberarkpas.audit.action": "Use Password", + "cyberarkpas.audit.ca_properties.address": "dbserver.cyberark.local", + "cyberarkpas.audit.ca_properties.cpm_status": "success", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.customer": "EvilCorp", + "cyberarkpas.audit.ca_properties.device_type": "Operating System", + "cyberarkpas.audit.ca_properties.last_success_reconciliation": "1604944215", + "cyberarkpas.audit.ca_properties.last_task": "ReconcileTask", + "cyberarkpas.audit.ca_properties.logon_domain": "DBServer", + "cyberarkpas.audit.ca_properties.policy_id": "WIN-SERVER-LOCAL", + "cyberarkpas.audit.ca_properties.retries_count": "-1", + "cyberarkpas.audit.ca_properties.sequence_id": "1", + "cyberarkpas.audit.ca_properties.user_name": "Administrator2", + "cyberarkpas.audit.desc": "Use Password", + "cyberarkpas.audit.file": "Root\\Operating System-WIN-SERVER-LOCAL-dbserver.cyberark.local-Administrator2", + "cyberarkpas.audit.gateway_station": "10.2.0.3", + "cyberarkpas.audit.iso_timestamp": "2021-03-16T15:01:00Z", + "cyberarkpas.audit.issuer": "adm2", + "cyberarkpas.audit.message": "Use Password", + "cyberarkpas.audit.raw": "\n \n no\n Cyber-Ark\n Vault\n 11.6.0000\n 308\n Use Password\n Info\n adm2\n Use Password\n \n \n Windows\n Root\\Operating System-WIN-SERVER-LOCAL-dbserver.cyberark.local-Administrator2\n 10.2.0.6\n \n \n \n (Action: Connect)\n \n Use Password\n 10.2.0.3\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n", + "cyberarkpas.audit.reason": "(Action: Connect)", + "cyberarkpas.audit.rfc5424": false, + "cyberarkpas.audit.safe": "Windows", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "10.2.0.6", + "destination.address": "dbserver.cyberark.local", + "destination.domain": "dbserver.cyberark.local", + "destination.user.name": "Administrator2", + "event.action": "use password", + "event.category": [ + "iam" + ], + "event.code": "308", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.reason": "(Action: Connect)", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "admin", + "access" + ], + "file.path": "Root\\Operating System-WIN-SERVER-LOCAL-dbserver.cyberark.local-Administrator2", + "fileset.name": "audit", + "input.type": "log", + "log.offset": 0, + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.6.0000", + "related.ip": [ + "10.2.0.6", + "10.2.0.3" + ], + "related.user": [ + "adm2", + "Administrator2" + ], + "service.type": "cyberarkpas", + "source.address": "10.2.0.6", + "source.ip": "10.2.0.6", + "source.user.name": "adm2", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "adm2" + }, + { + "@timestamp": "2021-03-11T17:38:12.000Z", + "cyberarkpas.audit.action": "Use Password", + "cyberarkpas.audit.ca_properties.address": "34.123.103.115", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.device_type": "Operating System", + "cyberarkpas.audit.ca_properties.policy_id": "UnixSSHKeys", + "cyberarkpas.audit.ca_properties.user_name": "adrian", + "cyberarkpas.audit.desc": "Use Password", + "cyberarkpas.audit.file": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian", + "cyberarkpas.audit.gateway_station": "81.32.170.205", + "cyberarkpas.audit.iso_timestamp": "2021-03-11T17:38:12Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Use Password", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 09:38:12\n 2021-03-11T17:38:12Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 308\n Use Password\n Info\n Administrator\n Use Password\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 127.0.0.1\n \n \n \n fun and profit\n \n Use Password\n 81.32.170.205\n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.reason": "fun and profit", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "PSM", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "127.0.0.1", + "cyberarkpas.audit.timestamp": "Mar 11 09:38:12", + "destination.address": "34.123.103.115", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "34.123.103.115", + "destination.user.name": "adrian", + "event.action": "use password", + "event.category": [ + "iam" + ], + "event.code": "308", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.reason": "fun and profit", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "admin", + "access" + ], + "file.path": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 2883, + "log.syslog.priority": "5", + "network.direction": "outbound", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "127.0.0.1", + "34.123.103.115", + "81.32.170.205" + ], + "related.user": [ + "Administrator", + "adrian" + ], + "service.type": "cyberarkpas", + "source.address": "127.0.0.1", + "source.ip": "127.0.0.1", + "source.user.name": "Administrator", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "Administrator" + }, + { + "@timestamp": "2021-03-11T17:46:49.000Z", + "cyberarkpas.audit.action": "Use Password", + "cyberarkpas.audit.ca_properties.address": "34.123.103.115", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.device_type": "Operating System", + "cyberarkpas.audit.ca_properties.policy_id": "UnixSSHKeys", + "cyberarkpas.audit.ca_properties.user_name": "adrian", + "cyberarkpas.audit.desc": "Use Password", + "cyberarkpas.audit.file": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian", + "cyberarkpas.audit.gateway_station": "81.32.170.205", + "cyberarkpas.audit.iso_timestamp": "2021-03-11T17:46:49Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Use Password", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 09:46:49\n 2021-03-11T17:46:49Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 308\n Use Password\n Info\n Administrator\n Use Password\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 127.0.0.1\n \n \n \n FOR FUN.\n \n Use Password\n 81.32.170.205\n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.reason": "FOR FUN.", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "PSM", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "127.0.0.1", + "cyberarkpas.audit.timestamp": "Mar 11 09:46:49", + "destination.address": "34.123.103.115", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "34.123.103.115", + "destination.user.name": "adrian", + "event.action": "use password", + "event.category": [ + "iam" + ], + "event.code": "308", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.reason": "FOR FUN.", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "admin", + "access" + ], + "file.path": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 5109, + "log.syslog.priority": "5", + "network.direction": "outbound", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "127.0.0.1", + "34.123.103.115", + "81.32.170.205" + ], + "related.user": [ + "Administrator", + "adrian" + ], + "service.type": "cyberarkpas", + "source.address": "127.0.0.1", + "source.ip": "127.0.0.1", + "source.user.name": "Administrator", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "Administrator" + }, + { + "@timestamp": "2021-03-11T17:48:27.000Z", + "cyberarkpas.audit.action": "Use Password", + "cyberarkpas.audit.ca_properties.address": "34.123.103.115", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.device_type": "Operating System", + "cyberarkpas.audit.ca_properties.policy_id": "UnixSSHKeys", + "cyberarkpas.audit.ca_properties.user_name": "adrian", + "cyberarkpas.audit.desc": "Use Password", + "cyberarkpas.audit.file": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian", + "cyberarkpas.audit.gateway_station": "81.32.170.205", + "cyberarkpas.audit.iso_timestamp": "2021-03-11T17:48:27Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Use Password", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 09:48:27\n 2021-03-11T17:48:27Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 308\n Use Password\n Info\n Administrator\n Use Password\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 10.0.2.2\n \n \n \n For fun and profit\n \n Use Password\n 81.32.170.205\n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.reason": "For fun and profit", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "PSM", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "10.0.2.2", + "cyberarkpas.audit.timestamp": "Mar 11 09:48:27", + "destination.address": "34.123.103.115", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "34.123.103.115", + "destination.user.name": "adrian", + "event.action": "use password", + "event.category": [ + "iam" + ], + "event.code": "308", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.reason": "For fun and profit", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "admin", + "access" + ], + "file.path": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 7323, + "log.syslog.priority": "5", + "network.direction": "outbound", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "10.0.2.2", + "34.123.103.115", + "81.32.170.205" + ], + "related.user": [ + "Administrator", + "adrian" + ], + "service.type": "cyberarkpas", + "source.address": "10.0.2.2", + "source.ip": "10.0.2.2", + "source.user.name": "Administrator", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "Administrator" + }, + { + "@timestamp": "2021-03-11T17:54:49.000Z", + "cyberarkpas.audit.action": "Use Password", + "cyberarkpas.audit.ca_properties.address": "34.123.103.115", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.device_type": "Operating System", + "cyberarkpas.audit.ca_properties.policy_id": "UnixSSHKeys", + "cyberarkpas.audit.ca_properties.user_name": "adrian", + "cyberarkpas.audit.desc": "Use Password", + "cyberarkpas.audit.file": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian", + "cyberarkpas.audit.gateway_station": "81.32.170.205", + "cyberarkpas.audit.iso_timestamp": "2021-03-11T17:54:49Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Use Password", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 09:54:49\n 2021-03-11T17:54:49Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 308\n Use Password\n Info\n Administrator\n Use Password\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 10.0.2.2\n \n \n \n Because I say so\n \n Use Password\n 81.32.170.205\n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.reason": "Because I say so", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "PSM", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "10.0.2.2", + "cyberarkpas.audit.timestamp": "Mar 11 09:54:49", + "destination.address": "34.123.103.115", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "34.123.103.115", + "destination.user.name": "adrian", + "event.action": "use password", + "event.category": [ + "iam" + ], + "event.code": "308", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.reason": "Because I say so", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "admin", + "access" + ], + "file.path": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 9555, + "log.syslog.priority": "5", + "network.direction": "outbound", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "10.0.2.2", + "34.123.103.115", + "81.32.170.205" + ], + "related.user": [ + "Administrator", + "adrian" + ], + "service.type": "cyberarkpas", + "source.address": "10.0.2.2", + "source.ip": "10.0.2.2", + "source.user.name": "Administrator", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "Administrator" + }, + { + "@timestamp": "2021-03-11T17:56:30.000Z", + "cyberarkpas.audit.action": "Use Password", + "cyberarkpas.audit.ca_properties.address": "34.123.103.115", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.device_type": "Operating System", + "cyberarkpas.audit.ca_properties.policy_id": "UnixSSHKeys", + "cyberarkpas.audit.ca_properties.user_name": "adrian", + "cyberarkpas.audit.desc": "Use Password", + "cyberarkpas.audit.file": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian", + "cyberarkpas.audit.gateway_station": "81.32.170.205", + "cyberarkpas.audit.iso_timestamp": "2021-03-11T17:56:30Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Use Password", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 09:56:30\n 2021-03-11T17:56:30Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 308\n Use Password\n Info\n Administrator\n Use Password\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 10.0.2.2\n \n \n \n for fun\n \n Use Password\n 81.32.170.205\n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.reason": "for fun", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "PSM", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "10.0.2.2", + "cyberarkpas.audit.timestamp": "Mar 11 09:56:30", + "destination.address": "34.123.103.115", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "34.123.103.115", + "destination.user.name": "adrian", + "event.action": "use password", + "event.category": [ + "iam" + ], + "event.code": "308", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.reason": "for fun", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "admin", + "access" + ], + "file.path": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 11783, + "log.syslog.priority": "5", + "network.direction": "outbound", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "10.0.2.2", + "34.123.103.115", + "81.32.170.205" + ], + "related.user": [ + "Administrator", + "adrian" + ], + "service.type": "cyberarkpas", + "source.address": "10.0.2.2", + "source.ip": "10.0.2.2", + "source.user.name": "Administrator", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "Administrator" + }, + { + "@timestamp": "2021-03-11T20:23:17.000Z", + "cyberarkpas.audit.action": "Use Password", + "cyberarkpas.audit.ca_properties.address": "34.123.103.115", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.device_type": "Operating System", + "cyberarkpas.audit.ca_properties.policy_id": "UnixSSHKeys", + "cyberarkpas.audit.ca_properties.user_name": "adrian", + "cyberarkpas.audit.desc": "Use Password", + "cyberarkpas.audit.file": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian", + "cyberarkpas.audit.gateway_station": "81.32.170.205", + "cyberarkpas.audit.iso_timestamp": "2021-03-11T20:23:17Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Use Password", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 12:23:17\n 2021-03-11T20:23:17Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 308\n Use Password\n Info\n Administrator\n Use Password\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 10.0.2.2\n \n \n \n testing\n \n Use Password\n 81.32.170.205\n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.reason": "testing", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "PSM", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "10.0.2.2", + "cyberarkpas.audit.timestamp": "Mar 11 12:23:17", + "destination.address": "34.123.103.115", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "34.123.103.115", + "destination.user.name": "adrian", + "event.action": "use password", + "event.category": [ + "iam" + ], + "event.code": "308", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.reason": "testing", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "admin", + "access" + ], + "file.path": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 13993, + "log.syslog.priority": "5", + "network.direction": "outbound", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "10.0.2.2", + "34.123.103.115", + "81.32.170.205" + ], + "related.user": [ + "Administrator", + "adrian" + ], + "service.type": "cyberarkpas", + "source.address": "10.0.2.2", + "source.ip": "10.0.2.2", + "source.user.name": "Administrator", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "Administrator" + }, + { + "@timestamp": "2021-03-14T13:49:35.000Z", + "cyberarkpas.audit.action": "Use Password", + "cyberarkpas.audit.ca_properties.address": "34.123.103.115", + "cyberarkpas.audit.ca_properties.cpm_error_details": "First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031", + "cyberarkpas.audit.ca_properties.cpm_status": "failure", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.device_type": "Operating System", + "cyberarkpas.audit.ca_properties.last_fail_date": "1615729572", + "cyberarkpas.audit.ca_properties.last_task": "ReconcileTask", + "cyberarkpas.audit.ca_properties.policy_id": "UnixSSH", + "cyberarkpas.audit.ca_properties.reset_immediately": "ReconcileTask", + "cyberarkpas.audit.ca_properties.retries_count": "0", + "cyberarkpas.audit.ca_properties.user_name": "testark", + "cyberarkpas.audit.desc": "Use Password", + "cyberarkpas.audit.file": "Root\\Operating System-UnixSSH-34.123.103.115-testark", + "cyberarkpas.audit.gateway_station": "34.71.250.247", + "cyberarkpas.audit.iso_timestamp": "2021-03-14T13:49:35Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Use Password", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 14 06:49:35\n 2021-03-14T13:49:35Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 308\n Use Password\n Info\n Administrator\n Use Password\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 81.32.170.205\n \n \n \n \n \n Use Password\n 34.71.250.247\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "partner", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.timestamp": "Mar 14 06:49:35", + "destination.address": "34.123.103.115", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "34.123.103.115", + "destination.user.name": "testark", + "event.action": "use password", + "event.category": [ + "iam" + ], + "event.code": "308", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "failure", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "admin", + "access" + ], + "file.path": "Root\\Operating System-UnixSSH-34.123.103.115-testark", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 16203, + "log.syslog.priority": "5", + "network.direction": "external", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205", + "34.123.103.115", + "34.71.250.247" + ], + "related.user": [ + "Administrator", + "testark" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "source.user.name": "Administrator", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "Administrator" + }, + { + "@timestamp": "2021-03-15T10:31:54.000Z", + "cyberarkpas.audit.action": "Use Password", + "cyberarkpas.audit.ca_properties.address": "34.123.103.115", + "cyberarkpas.audit.ca_properties.cpm_status": "success", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.device_type": "Operating System", + "cyberarkpas.audit.ca_properties.last_success_verification": "1615803764", + "cyberarkpas.audit.ca_properties.last_task": "VerifyTask", + "cyberarkpas.audit.ca_properties.policy_id": "UnixSSH", + "cyberarkpas.audit.ca_properties.retries_count": "-1", + "cyberarkpas.audit.ca_properties.user_name": "testark", + "cyberarkpas.audit.desc": "Use Password", + "cyberarkpas.audit.file": "Root\\Operating System-UnixSSH-34.123.103.115-testark", + "cyberarkpas.audit.gateway_station": "34.71.250.247", + "cyberarkpas.audit.iso_timestamp": "2021-03-15T10:31:54Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Use Password", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 15 03:31:54\n 2021-03-15T10:31:54Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 308\n Use Password\n Info\n Administrator\n Use Password\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 81.32.170.205\n \n \n \n \n \n Use Password\n 34.71.250.247\n \n \n \n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "partner", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.timestamp": "Mar 15 03:31:54", + "destination.address": "34.123.103.115", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "34.123.103.115", + "destination.user.name": "testark", + "event.action": "use password", + "event.category": [ + "iam" + ], + "event.code": "308", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "admin", + "access" + ], + "file.path": "Root\\Operating System-UnixSSH-34.123.103.115-testark", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 19395, + "log.syslog.priority": "5", + "network.direction": "external", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205", + "34.123.103.115", + "34.71.250.247" + ], + "related.user": [ + "Administrator", + "testark" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "source.user.name": "Administrator", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "Administrator" + }, + { + "@timestamp": "2021-03-15T14:08:26.000Z", + "cyberarkpas.audit.action": "Use Password", + "cyberarkpas.audit.ca_properties.address": "34.123.103.115", + "cyberarkpas.audit.ca_properties.cpm_error_details": "First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031", + "cyberarkpas.audit.ca_properties.cpm_status": "failure", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.device_type": "Operating System", + "cyberarkpas.audit.ca_properties.last_fail_date": "1615814025", + "cyberarkpas.audit.ca_properties.last_success_verification": "1615803764", + "cyberarkpas.audit.ca_properties.last_task": "ReconcileTask", + "cyberarkpas.audit.ca_properties.policy_id": "UnixSSH", + "cyberarkpas.audit.ca_properties.reset_immediately": "ReconcileTask", + "cyberarkpas.audit.ca_properties.retries_count": "0", + "cyberarkpas.audit.ca_properties.use_sudo_on_reconcile": "Yes", + "cyberarkpas.audit.ca_properties.user_name": "testark", + "cyberarkpas.audit.desc": "Use Password", + "cyberarkpas.audit.file": "Root\\Operating System-UnixSSH-34.123.103.115-testark", + "cyberarkpas.audit.gateway_station": "34.71.250.247", + "cyberarkpas.audit.iso_timestamp": "2021-03-15T14:08:26Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Use Password", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 15 07:08:26\n 2021-03-15T14:08:26Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 308\n Use Password\n Info\n Administrator\n Use Password\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 81.32.170.205\n \n \n \n \n \n Use Password\n 34.71.250.247\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "partner", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.timestamp": "Mar 15 07:08:26", + "destination.address": "34.123.103.115", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "34.123.103.115", + "destination.user.name": "testark", + "event.action": "use password", + "event.category": [ + "iam" + ], + "event.code": "308", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "failure", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "admin", + "access" + ], + "file.path": "Root\\Operating System-UnixSSH-34.123.103.115-testark", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 22067, + "log.syslog.priority": "5", + "network.direction": "external", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205", + "34.123.103.115", + "34.71.250.247" + ], + "related.user": [ + "Administrator", + "testark" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "source.user.name": "Administrator", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "Administrator" + }, + { + "@timestamp": "2021-03-16T10:04:49.000Z", + "cyberarkpas.audit.action": "Use Password", + "cyberarkpas.audit.ca_properties.address": "34.123.103.115", + "cyberarkpas.audit.ca_properties.cpm_error_details": "First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031", + "cyberarkpas.audit.ca_properties.cpm_status": "failure", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.device_type": "Operating System", + "cyberarkpas.audit.ca_properties.last_fail_date": "1615888216", + "cyberarkpas.audit.ca_properties.last_success_verification": "1615803764", + "cyberarkpas.audit.ca_properties.last_task": "ReconcileTask", + "cyberarkpas.audit.ca_properties.policy_id": "UnixSSH", + "cyberarkpas.audit.ca_properties.reset_immediately": "ReconcileTask", + "cyberarkpas.audit.ca_properties.retries_count": "4", + "cyberarkpas.audit.ca_properties.use_sudo_on_reconcile": "Yes", + "cyberarkpas.audit.ca_properties.user_name": "testark", + "cyberarkpas.audit.desc": "Use Password", + "cyberarkpas.audit.file": "Root\\Operating System-UnixSSH-34.123.103.115-testark", + "cyberarkpas.audit.gateway_station": "34.71.250.247", + "cyberarkpas.audit.iso_timestamp": "2021-03-16T10:04:49Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Use Password", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 16 03:04:49\n 2021-03-16T10:04:49Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 308\n Use Password\n Info\n Administrator\n Use Password\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 81.32.170.205\n \n \n \n \n \n Use Password\n 34.71.250.247\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "partner", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.timestamp": "Mar 16 03:04:49", + "destination.address": "34.123.103.115", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "34.123.103.115", + "destination.user.name": "testark", + "event.action": "use password", + "event.category": [ + "iam" + ], + "event.code": "308", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "failure", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "admin", + "access" + ], + "file.path": "Root\\Operating System-UnixSSH-34.123.103.115-testark", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 25521, + "log.syslog.priority": "5", + "network.direction": "external", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205", + "34.123.103.115", + "34.71.250.247" + ], + "related.user": [ + "Administrator", + "testark" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "source.user.name": "Administrator", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "Administrator" + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/309_undefined_user_logon.log b/x-pack/filebeat/module/cyberarkpas/audit/test/309_undefined_user_logon.log new file mode 100644 index 00000000000..18c5b7e67fb --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/309_undefined_user_logon.log @@ -0,0 +1,5 @@ +<7>1 2021-03-08T18:31:52Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 08 10:31:52","IsoTimestamp":"2021-03-08T18:31:52Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"309","Desc":"Undefined User Logon","Severity":"Error","Issuer":"adriansr","Action":"Undefined User Logon","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Undefined User Logon","GatewayStation":"10.0.1.20"}}} +<7>1 2021-03-08T18:32:03Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 08 10:32:03","IsoTimestamp":"2021-03-08T18:32:03Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"309","Desc":"Undefined User Logon","Severity":"Error","Issuer":"adriansra","Action":"Undefined User Logon","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Undefined User Logon","GatewayStation":"10.0.1.20"}}} +<7>1 2021-03-11T16:43:26Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 08:43:26\n 2021-03-11T16:43:26Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 309\n Undefined User Logon\n Error\n PSMAdmin\n Undefined User Logon\n \n \n \n \n 81.32.170.205\n \n \n \n \n \n Undefined User Logon\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 08:43:26","IsoTimestamp":"2021-03-11T16:43:26Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"309","Desc":"Undefined User Logon","Severity":"Error","Issuer":"PSMAdmin","Action":"Undefined User Logon","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Undefined User Logon","GatewayStation":""}}} +<7>1 2021-03-11T17:46:28Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:46:28\n 2021-03-11T17:46:28Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 309\n Undefined User Logon\n Error\n adrian\n Undefined User Logon\n \n \n \n \n 127.0.0.1\n \n \n \n \n \n Undefined User Logon\n 81.32.170.205\n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:46:28","IsoTimestamp":"2021-03-11T17:46:28Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"309","Desc":"Undefined User Logon","Severity":"Error","Issuer":"adrian","Action":"Undefined User Logon","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Undefined User Logon","GatewayStation":"81.32.170.205"}}} +<7>1 2021-03-14T13:28:00Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 06:28:00\n 2021-03-14T13:28:00Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 309\n Undefined User Logon\n Error\n testark\n Undefined User Logon\n \n \n \n \n 81.32.170.205\n \n \n \n \n \n Undefined User Logon\n 34.71.250.247\n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 06:28:00","IsoTimestamp":"2021-03-14T13:28:00Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"309","Desc":"Undefined User Logon","Severity":"Error","Issuer":"testark","Action":"Undefined User Logon","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Undefined User Logon","GatewayStation":"34.71.250.247"}}} diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/309_undefined_user_logon.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/309_undefined_user_logon.log-expected.json new file mode 100644 index 00000000000..06947792b70 --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/309_undefined_user_logon.log-expected.json @@ -0,0 +1,299 @@ +[ + { + "@timestamp": "2021-03-08T18:31:52.000Z", + "cyberarkpas.audit.action": "Undefined User Logon", + "cyberarkpas.audit.desc": "Undefined User Logon", + "cyberarkpas.audit.gateway_station": "10.0.1.20", + "cyberarkpas.audit.iso_timestamp": "2021-03-08T18:31:52Z", + "cyberarkpas.audit.issuer": "adriansr", + "cyberarkpas.audit.message": "Undefined User Logon", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Error", + "cyberarkpas.audit.station": "127.0.0.1", + "cyberarkpas.audit.timestamp": "Mar 08 10:31:52", + "destination.address": "10.0.1.20", + "destination.ip": "10.0.1.20", + "event.action": "authentication_failure", + "event.category": [ + "authentication" + ], + "event.code": "309", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "failure", + "event.severity": 7, + "event.timezone": "-02:00", + "event.type": [ + "error" + ], + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 0, + "log.syslog.priority": "7", + "network.direction": "internal", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "127.0.0.1", + "10.0.1.20" + ], + "related.user": [ + "adriansr" + ], + "service.type": "cyberarkpas", + "source.address": "127.0.0.1", + "source.ip": "127.0.0.1", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "adriansr" + }, + { + "@timestamp": "2021-03-08T18:32:03.000Z", + "cyberarkpas.audit.action": "Undefined User Logon", + "cyberarkpas.audit.desc": "Undefined User Logon", + "cyberarkpas.audit.gateway_station": "10.0.1.20", + "cyberarkpas.audit.iso_timestamp": "2021-03-08T18:32:03Z", + "cyberarkpas.audit.issuer": "adriansra", + "cyberarkpas.audit.message": "Undefined User Logon", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Error", + "cyberarkpas.audit.station": "127.0.0.1", + "cyberarkpas.audit.timestamp": "Mar 08 10:32:03", + "destination.address": "10.0.1.20", + "destination.ip": "10.0.1.20", + "event.action": "authentication_failure", + "event.category": [ + "authentication" + ], + "event.code": "309", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "failure", + "event.severity": 7, + "event.timezone": "-02:00", + "event.type": [ + "error" + ], + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 589, + "log.syslog.priority": "7", + "network.direction": "internal", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "127.0.0.1", + "10.0.1.20" + ], + "related.user": [ + "adriansra" + ], + "service.type": "cyberarkpas", + "source.address": "127.0.0.1", + "source.ip": "127.0.0.1", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "adriansra" + }, + { + "@timestamp": "2021-03-11T16:43:26.000Z", + "cyberarkpas.audit.action": "Undefined User Logon", + "cyberarkpas.audit.desc": "Undefined User Logon", + "cyberarkpas.audit.iso_timestamp": "2021-03-11T16:43:26Z", + "cyberarkpas.audit.issuer": "PSMAdmin", + "cyberarkpas.audit.message": "Undefined User Logon", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 08:43:26\n 2021-03-11T16:43:26Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 309\n Undefined User Logon\n Error\n PSMAdmin\n Undefined User Logon\n \n \n \n \n 81.32.170.205\n \n \n \n \n \n Undefined User Logon\n \n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Error", + "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.timestamp": "Mar 11 08:43:26", + "event.action": "authentication_failure", + "event.category": [ + "authentication" + ], + "event.code": "309", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "failure", + "event.severity": 7, + "event.timezone": "-02:00", + "event.type": [ + "error" + ], + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 1179, + "log.syslog.priority": "7", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205" + ], + "related.user": [ + "PSMAdmin" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "PSMAdmin" + }, + { + "@timestamp": "2021-03-11T17:46:28.000Z", + "cyberarkpas.audit.action": "Undefined User Logon", + "cyberarkpas.audit.desc": "Undefined User Logon", + "cyberarkpas.audit.gateway_station": "81.32.170.205", + "cyberarkpas.audit.iso_timestamp": "2021-03-11T17:46:28Z", + "cyberarkpas.audit.issuer": "adrian", + "cyberarkpas.audit.message": "Undefined User Logon", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 09:46:28\n 2021-03-11T17:46:28Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 309\n Undefined User Logon\n Error\n adrian\n Undefined User Logon\n \n \n \n \n 127.0.0.1\n \n \n \n \n \n Undefined User Logon\n 81.32.170.205\n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Error", + "cyberarkpas.audit.station": "127.0.0.1", + "cyberarkpas.audit.timestamp": "Mar 11 09:46:28", + "destination.address": "81.32.170.205", + "destination.geo.city_name": "Barcelona", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "ES", + "destination.geo.country_name": "Spain", + "destination.geo.location.lat": 41.3891, + "destination.geo.location.lon": 2.1611, + "destination.geo.region_iso_code": "ES-B", + "destination.geo.region_name": "Barcelona", + "destination.ip": "81.32.170.205", + "event.action": "authentication_failure", + "event.category": [ + "authentication" + ], + "event.code": "309", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "failure", + "event.severity": 7, + "event.timezone": "-02:00", + "event.type": [ + "error" + ], + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 2627, + "log.syslog.priority": "7", + "network.direction": "outbound", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "127.0.0.1", + "81.32.170.205" + ], + "related.user": [ + "adrian" + ], + "service.type": "cyberarkpas", + "source.address": "127.0.0.1", + "source.ip": "127.0.0.1", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "adrian" + }, + { + "@timestamp": "2021-03-14T13:28:00.000Z", + "cyberarkpas.audit.action": "Undefined User Logon", + "cyberarkpas.audit.desc": "Undefined User Logon", + "cyberarkpas.audit.gateway_station": "34.71.250.247", + "cyberarkpas.audit.iso_timestamp": "2021-03-14T13:28:00Z", + "cyberarkpas.audit.issuer": "testark", + "cyberarkpas.audit.message": "Undefined User Logon", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 14 06:28:00\n 2021-03-14T13:28:00Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 309\n Undefined User Logon\n Error\n testark\n Undefined User Logon\n \n \n \n \n 81.32.170.205\n \n \n \n \n \n Undefined User Logon\n 34.71.250.247\n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Error", + "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.timestamp": "Mar 14 06:28:00", + "destination.address": "34.71.250.247", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "34.71.250.247", + "event.action": "authentication_failure", + "event.category": [ + "authentication" + ], + "event.code": "309", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "failure", + "event.severity": 7, + "event.timezone": "-02:00", + "event.type": [ + "error" + ], + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 4089, + "log.syslog.priority": "7", + "network.direction": "external", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205", + "34.71.250.247" + ], + "related.user": [ + "testark" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "testark" + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/310_monitor_dr_replication_start.log b/x-pack/filebeat/module/cyberarkpas/audit/test/310_monitor_dr_replication_start.log new file mode 100644 index 00000000000..f2577708d06 --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/310_monitor_dr_replication_start.log @@ -0,0 +1,2 @@ +<5>1 2021-03-04T19:10:01Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 04 11:10:01","IsoTimestamp":"2021-03-04T19:10:01Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"310","Desc":"Monitor DR Replication start","Severity":"Info","Issuer":"Batch","Action":"Monitor DR Replication start","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"0.0.0.0","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Monitor DR Replication start","GatewayStation":""}}} +Mar 08 02:48:07 VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"no","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"310","Desc":"Monitor DR Replication start","Severity":"Info","Issuer":"Batch","Action":"Monitor DR Replication start","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"0.0.0.0","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Monitor DR Replication start","GatewayStation":""}}} diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/310_monitor_dr_replication_start.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/310_monitor_dr_replication_start.log-expected.json new file mode 100644 index 00000000000..5b958288c53 --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/310_monitor_dr_replication_start.log-expected.json @@ -0,0 +1,75 @@ +[ + { + "@timestamp": "2021-03-04T19:10:01.000Z", + "cyberarkpas.audit.action": "Monitor DR Replication start", + "cyberarkpas.audit.desc": "Monitor DR Replication start", + "cyberarkpas.audit.iso_timestamp": "2021-03-04T19:10:01Z", + "cyberarkpas.audit.issuer": "Batch", + "cyberarkpas.audit.message": "Monitor DR Replication start", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "0.0.0.0", + "cyberarkpas.audit.timestamp": "Mar 04 11:10:01", + "event.action": "monitor dr replication start", + "event.code": "310", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 0, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "0.0.0.0" + ], + "service.type": "cyberarkpas", + "source.address": "0.0.0.0", + "source.ip": "0.0.0.0", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + }, + { + "@timestamp": "2021-03-08T02:48:07.000-02:00", + "cyberarkpas.audit.action": "Monitor DR Replication start", + "cyberarkpas.audit.desc": "Monitor DR Replication start", + "cyberarkpas.audit.issuer": "Batch", + "cyberarkpas.audit.message": "Monitor DR Replication start", + "cyberarkpas.audit.rfc5424": false, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "0.0.0.0", + "event.action": "monitor dr replication start", + "event.code": "310", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 598, + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "0.0.0.0" + ], + "service.type": "cyberarkpas", + "source.address": "0.0.0.0", + "source.ip": "0.0.0.0", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/311_monitor_dr_replication_end.log b/x-pack/filebeat/module/cyberarkpas/audit/test/311_monitor_dr_replication_end.log new file mode 100644 index 00000000000..1e3812c2a8b --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/311_monitor_dr_replication_end.log @@ -0,0 +1,2 @@ +<5>1 2021-03-04T19:10:01Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 04 11:10:01","IsoTimestamp":"2021-03-04T19:10:01Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"311","Desc":"Monitor DR Replication end","Severity":"Info","Issuer":"Batch","Action":"Monitor DR Replication end","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"0.0.0.0","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Monitor DR Replication end","GatewayStation":""}}} +Mar 08 02:48:07 VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"no","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"311","Desc":"Monitor DR Replication end","Severity":"Info","Issuer":"Batch","Action":"Monitor DR Replication end","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"0.0.0.0","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Monitor DR Replication end","GatewayStation":""}}} diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/311_monitor_dr_replication_end.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/311_monitor_dr_replication_end.log-expected.json new file mode 100644 index 00000000000..e4999439bea --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/311_monitor_dr_replication_end.log-expected.json @@ -0,0 +1,75 @@ +[ + { + "@timestamp": "2021-03-04T19:10:01.000Z", + "cyberarkpas.audit.action": "Monitor DR Replication end", + "cyberarkpas.audit.desc": "Monitor DR Replication end", + "cyberarkpas.audit.iso_timestamp": "2021-03-04T19:10:01Z", + "cyberarkpas.audit.issuer": "Batch", + "cyberarkpas.audit.message": "Monitor DR Replication end", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "0.0.0.0", + "cyberarkpas.audit.timestamp": "Mar 04 11:10:01", + "event.action": "monitor dr replication end", + "event.code": "311", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 0, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "0.0.0.0" + ], + "service.type": "cyberarkpas", + "source.address": "0.0.0.0", + "source.ip": "0.0.0.0", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + }, + { + "@timestamp": "2021-03-08T02:48:07.000-02:00", + "cyberarkpas.audit.action": "Monitor DR Replication end", + "cyberarkpas.audit.desc": "Monitor DR Replication end", + "cyberarkpas.audit.issuer": "Batch", + "cyberarkpas.audit.message": "Monitor DR Replication end", + "cyberarkpas.audit.rfc5424": false, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "0.0.0.0", + "event.action": "monitor dr replication end", + "event.code": "311", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 592, + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "0.0.0.0" + ], + "service.type": "cyberarkpas", + "source.address": "0.0.0.0", + "source.ip": "0.0.0.0", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/316_reset_user_password_detailed_information.log b/x-pack/filebeat/module/cyberarkpas/audit/test/316_reset_user_password_detailed_information.log new file mode 100644 index 00000000000..41f67cb2add --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/316_reset_user_password_detailed_information.log @@ -0,0 +1 @@ +<5>1 2021-03-10T18:16:45Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 10:16:45","IsoTimestamp":"2021-03-10T18:16:45Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"316","Desc":"Reset User Password Detailed Information","Severity":"Info","Issuer":"Administrator","Action":"Reset User Password Detailed Information","SourceUser":"PSMGw_VAGRANT","TargetUser":"","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"Password changed","ExtraDetails":"","Message":"Reset User Password Detailed Information","GatewayStation":""}}} diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/316_reset_user_password_detailed_information.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/316_reset_user_password_detailed_information.log-expected.json new file mode 100644 index 00000000000..d46cdf31a02 --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/316_reset_user_password_detailed_information.log-expected.json @@ -0,0 +1,50 @@ +[ + { + "@timestamp": "2021-03-10T18:16:45.000Z", + "cyberarkpas.audit.action": "Reset User Password Detailed Information", + "cyberarkpas.audit.desc": "Reset User Password Detailed Information", + "cyberarkpas.audit.iso_timestamp": "2021-03-10T18:16:45Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Reset User Password Detailed Information", + "cyberarkpas.audit.reason": "Password changed", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.source_user": "PSMGw_VAGRANT", + "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.timestamp": "Mar 10 10:16:45", + "event.action": "reset user password detailed information", + "event.code": "316", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 0, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/317_reset_user_password.log b/x-pack/filebeat/module/cyberarkpas/audit/test/317_reset_user_password.log new file mode 100644 index 00000000000..f52711e43b9 --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/317_reset_user_password.log @@ -0,0 +1 @@ +<5>1 2021-03-10T18:16:45Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 10:16:45","IsoTimestamp":"2021-03-10T18:16:45Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"317","Desc":"Reset User Password","Severity":"Info","Issuer":"Administrator","Action":"Reset User Password","SourceUser":"PSMGw_VAGRANT","TargetUser":"","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Reset User Password","GatewayStation":""}}} diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/317_reset_user_password.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/317_reset_user_password.log-expected.json new file mode 100644 index 00000000000..0d82c44a4ec --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/317_reset_user_password.log-expected.json @@ -0,0 +1,49 @@ +[ + { + "@timestamp": "2021-03-10T18:16:45.000Z", + "cyberarkpas.audit.action": "Reset User Password", + "cyberarkpas.audit.desc": "Reset User Password", + "cyberarkpas.audit.iso_timestamp": "2021-03-10T18:16:45Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Reset User Password", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.source_user": "PSMGw_VAGRANT", + "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.timestamp": "Mar 10 10:16:45", + "event.action": "reset user password", + "event.code": "317", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 0, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/31_cpm_reconcile_password.log b/x-pack/filebeat/module/cyberarkpas/audit/test/31_cpm_reconcile_password.log new file mode 100644 index 00000000000..ec268677c60 --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/31_cpm_reconcile_password.log @@ -0,0 +1 @@ +{"format":"elastic","version":"1.0","raw":"\n \n no\n Cyber-Ark\n Vault\n 11.6.0000\n 31\n CPM Reconcile Password\n Info\n PasswordManager\n CPM Reconcile Password\n \n \n Windows\n Root\\Operating System-WIN-SERVER-LOCAL-dbserver.cyberark.local-Administrator2\n 10.2.0.4\n \n \n \n ImmediateTask\n address=dbserver.cyberark.local;username=Administrator2;\n CPM Reconcile Password\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n","syslog":{"audit_record":{"Rfc5424":"no","Vendor":"Cyber-Ark","Product":"Vault","IsoTimestamp":"2021-03-16T15:01:00Z","Version":"11.6.0000","MessageID":"31","Desc":"CPM Reconcile Password","Severity":"Info","Issuer":"PasswordManager","Action":"CPM Reconcile Password","SourceUser":"","TargetUser":"","Safe":"Windows","File":"Root\\Operating System-WIN-SERVER-LOCAL-dbserver.cyberark.local-Administrator2","Station":"10.2.0.4","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask","ExtraDetails":"address=dbserver.cyberark.local;username=Administrator2;","Message":"CPM Reconcile Password","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WIN-SERVER-LOCAL"},{"Name":"UserName","Value":"Administrator2"},{"Name":"Address","Value":"dbserver.cyberark.local"},{"Name":"DeviceType","Value":"Operating System"},{"Name":"LogonDomain","Value":"DBServer"},{"Name":"SequenceID","Value":"1"},{"Name":"RetriesCount","Value":"-1"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"success"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"LastSuccessReconciliation","Value":"1604944215"},{"Name":"Customer","Value":"EvilCorp"}]}}}} diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/31_cpm_reconcile_password.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/31_cpm_reconcile_password.log-expected.json new file mode 100644 index 00000000000..60aaf45b24e --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/31_cpm_reconcile_password.log-expected.json @@ -0,0 +1,71 @@ +[ + { + "@timestamp": "2021-03-16T15:01:00.000Z", + "cyberarkpas.audit.action": "CPM Reconcile Password", + "cyberarkpas.audit.ca_properties.address": "dbserver.cyberark.local", + "cyberarkpas.audit.ca_properties.cpm_status": "success", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.customer": "EvilCorp", + "cyberarkpas.audit.ca_properties.device_type": "Operating System", + "cyberarkpas.audit.ca_properties.last_success_reconciliation": "1604944215", + "cyberarkpas.audit.ca_properties.last_task": "ReconcileTask", + "cyberarkpas.audit.ca_properties.logon_domain": "DBServer", + "cyberarkpas.audit.ca_properties.policy_id": "WIN-SERVER-LOCAL", + "cyberarkpas.audit.ca_properties.retries_count": "-1", + "cyberarkpas.audit.ca_properties.sequence_id": "1", + "cyberarkpas.audit.ca_properties.user_name": "Administrator2", + "cyberarkpas.audit.desc": "CPM Reconcile Password", + "cyberarkpas.audit.extra_details.address": "dbserver.cyberark.local", + "cyberarkpas.audit.extra_details.username": "Administrator2", + "cyberarkpas.audit.file": "Root\\Operating System-WIN-SERVER-LOCAL-dbserver.cyberark.local-Administrator2", + "cyberarkpas.audit.iso_timestamp": "2021-03-16T15:01:00Z", + "cyberarkpas.audit.issuer": "PasswordManager", + "cyberarkpas.audit.message": "CPM Reconcile Password", + "cyberarkpas.audit.raw": "\n \n no\n Cyber-Ark\n Vault\n 11.6.0000\n 31\n CPM Reconcile Password\n Info\n PasswordManager\n CPM Reconcile Password\n \n \n Windows\n Root\\Operating System-WIN-SERVER-LOCAL-dbserver.cyberark.local-Administrator2\n 10.2.0.4\n \n \n \n ImmediateTask\n address=dbserver.cyberark.local;username=Administrator2;\n CPM Reconcile Password\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n", + "cyberarkpas.audit.reason": "ImmediateTask", + "cyberarkpas.audit.rfc5424": false, + "cyberarkpas.audit.safe": "Windows", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "10.2.0.4", + "destination.address": "dbserver.cyberark.local", + "destination.domain": "dbserver.cyberark.local", + "event.action": "cpm reconcile password", + "event.category": [ + "iam" + ], + "event.code": "31", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "user", + "change" + ], + "file.path": "Root\\Operating System-WIN-SERVER-LOCAL-dbserver.cyberark.local-Administrator2", + "fileset.name": "audit", + "input.type": "log", + "log.offset": 0, + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.6.0000", + "related.ip": [ + "10.2.0.4" + ], + "related.user": [ + "PasswordManager", + "Administrator2" + ], + "service.type": "cyberarkpas", + "source.address": "10.2.0.4", + "source.ip": "10.2.0.4", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "PasswordManager", + "user.target.name": "Administrator2" + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/326_cpm_auto_detection_start.log b/x-pack/filebeat/module/cyberarkpas/audit/test/326_cpm_auto_detection_start.log new file mode 100644 index 00000000000..e58b64d6750 --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/326_cpm_auto_detection_start.log @@ -0,0 +1 @@ +<5>1 2021-03-11T16:21:37Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 08:21:37\n 2021-03-11T16:21:37Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 326\n CPM Auto-detection Start\n Info\n PasswordManager\n CPM Auto-detection Start\n \n \n PasswordManager_info\n \n 10.0.1.20\n \n \n \n \n ADProcessID=2b2d3024-be5a-4b57-9f64-3813fb56e9b9;ADProcessName=LDAP Based Windows Local Administrator Account Provisioning;\n CPM Auto-detection Start\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 08:21:37","IsoTimestamp":"2021-03-11T16:21:37Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"326","Desc":"CPM Auto-detection Start","Severity":"Info","Issuer":"PasswordManager","Action":"CPM Auto-detection Start","SourceUser":"","TargetUser":"","Safe":"PasswordManager_info","File":" ","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":" ","ExtraDetails":"ADProcessID=2b2d3024-be5a-4b57-9f64-3813fb56e9b9;ADProcessName=LDAP Based Windows Local Administrator Account Provisioning;","Message":"CPM Auto-detection Start","GatewayStation":""}}} diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/326_cpm_auto_detection_start.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/326_cpm_auto_detection_start.log-expected.json new file mode 100644 index 00000000000..c488fa9349d --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/326_cpm_auto_detection_start.log-expected.json @@ -0,0 +1,47 @@ +[ + { + "@timestamp": "2021-03-11T16:21:37.000Z", + "cyberarkpas.audit.action": "CPM Auto-detection Start", + "cyberarkpas.audit.desc": "CPM Auto-detection Start", + "cyberarkpas.audit.extra_details.ad_process_id": "2b2d3024-be5a-4b57-9f64-3813fb56e9b9", + "cyberarkpas.audit.extra_details.ad_process_name": "LDAP Based Windows Local Administrator Account Provisioning", + "cyberarkpas.audit.file": " ", + "cyberarkpas.audit.iso_timestamp": "2021-03-11T16:21:37Z", + "cyberarkpas.audit.issuer": "PasswordManager", + "cyberarkpas.audit.message": "CPM Auto-detection Start", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 08:21:37\n 2021-03-11T16:21:37Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 326\n CPM Auto-detection Start\n Info\n PasswordManager\n CPM Auto-detection Start\n \n \n PasswordManager_info\n \n 10.0.1.20\n \n \n \n \n ADProcessID=2b2d3024-be5a-4b57-9f64-3813fb56e9b9;ADProcessName=LDAP Based Windows Local Administrator Account Provisioning;\n CPM Auto-detection Start\n \n \n\n", + "cyberarkpas.audit.reason": " ", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "PasswordManager_info", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "10.0.1.20", + "cyberarkpas.audit.timestamp": "Mar 11 08:21:37", + "event.action": "cpm auto-detection start", + "event.code": "326", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "file.path": " ", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 0, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "10.0.1.20" + ], + "service.type": "cyberarkpas", + "source.address": "10.0.1.20", + "source.ip": "10.0.1.20", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/327_cpm_auto_detection_end.log b/x-pack/filebeat/module/cyberarkpas/audit/test/327_cpm_auto_detection_end.log new file mode 100644 index 00000000000..8055d656a08 --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/327_cpm_auto_detection_end.log @@ -0,0 +1 @@ +<5>1 2021-03-11T16:21:37Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 08:21:37\n 2021-03-11T16:21:37Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 327\n CPM Auto-detection End\n Info\n PasswordManager\n CPM Auto-detection End\n \n \n PasswordManager_info\n \n 10.0.1.20\n \n \n \n \n ADProcessID=2b2d3024-be5a-4b57-9f64-3813fb56e9b9;ADProcessName=LDAP Based Windows Local Administrator Account Provisioning;\n CPM Auto-detection End\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 08:21:37","IsoTimestamp":"2021-03-11T16:21:37Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"327","Desc":"CPM Auto-detection End","Severity":"Info","Issuer":"PasswordManager","Action":"CPM Auto-detection End","SourceUser":"","TargetUser":"","Safe":"PasswordManager_info","File":" ","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":" ","ExtraDetails":"ADProcessID=2b2d3024-be5a-4b57-9f64-3813fb56e9b9;ADProcessName=LDAP Based Windows Local Administrator Account Provisioning;","Message":"CPM Auto-detection End","GatewayStation":""}}} diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/327_cpm_auto_detection_end.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/327_cpm_auto_detection_end.log-expected.json new file mode 100644 index 00000000000..5c67acde9f2 --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/327_cpm_auto_detection_end.log-expected.json @@ -0,0 +1,47 @@ +[ + { + "@timestamp": "2021-03-11T16:21:37.000Z", + "cyberarkpas.audit.action": "CPM Auto-detection End", + "cyberarkpas.audit.desc": "CPM Auto-detection End", + "cyberarkpas.audit.extra_details.ad_process_id": "2b2d3024-be5a-4b57-9f64-3813fb56e9b9", + "cyberarkpas.audit.extra_details.ad_process_name": "LDAP Based Windows Local Administrator Account Provisioning", + "cyberarkpas.audit.file": " ", + "cyberarkpas.audit.iso_timestamp": "2021-03-11T16:21:37Z", + "cyberarkpas.audit.issuer": "PasswordManager", + "cyberarkpas.audit.message": "CPM Auto-detection End", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 08:21:37\n 2021-03-11T16:21:37Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 327\n CPM Auto-detection End\n Info\n PasswordManager\n CPM Auto-detection End\n \n \n PasswordManager_info\n \n 10.0.1.20\n \n \n \n \n ADProcessID=2b2d3024-be5a-4b57-9f64-3813fb56e9b9;ADProcessName=LDAP Based Windows Local Administrator Account Provisioning;\n CPM Auto-detection End\n \n \n\n", + "cyberarkpas.audit.reason": " ", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "PasswordManager_info", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "10.0.1.20", + "cyberarkpas.audit.timestamp": "Mar 11 08:21:37", + "event.action": "cpm auto-detection end", + "event.code": "327", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "file.path": " ", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 0, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "10.0.1.20" + ], + "service.type": "cyberarkpas", + "source.address": "10.0.1.20", + "source.ip": "10.0.1.20", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/32_add_owner.log b/x-pack/filebeat/module/cyberarkpas/audit/test/32_add_owner.log new file mode 100644 index 00000000000..6aee911c509 --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/32_add_owner.log @@ -0,0 +1,16 @@ +<5>1 2021-03-10T09:11:20Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:20","IsoTimestamp":"2021-03-10T09:11:20Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"32","Desc":"Add Owner","Severity":"Info","Issuer":"Administrator","Action":"Add Owner","SourceUser":"Master","TargetUser":"","Safe":"PSMPConf","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Owner","GatewayStation":""}}} +<5>1 2021-03-10T09:11:20Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:20","IsoTimestamp":"2021-03-10T09:11:20Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"32","Desc":"Add Owner","Severity":"Info","Issuer":"Administrator","Action":"Add Owner","SourceUser":"Administrator","TargetUser":"","Safe":"PSMPConf","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Owner","GatewayStation":""}}} +<5>1 2021-03-10T09:11:20Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:20","IsoTimestamp":"2021-03-10T09:11:20Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"32","Desc":"Add Owner","Severity":"Info","Issuer":"Administrator","Action":"Add Owner","SourceUser":"Batch","TargetUser":"","Safe":"PSMPConf","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Owner","GatewayStation":""}}} +<5>1 2021-03-10T09:11:20Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:20","IsoTimestamp":"2021-03-10T09:11:20Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"32","Desc":"Add Owner","Severity":"Info","Issuer":"Administrator","Action":"Add Owner","SourceUser":"Operators","TargetUser":"","Safe":"PSMPConf","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Owner","GatewayStation":""}}} +<5>1 2021-03-10T09:11:20Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:20","IsoTimestamp":"2021-03-10T09:11:20Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"32","Desc":"Add Owner","Severity":"Info","Issuer":"Administrator","Action":"Add Owner","SourceUser":"Backup Users","TargetUser":"","Safe":"PSMPConf","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Owner","GatewayStation":""}}} +<5>1 2021-03-10T09:11:20Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:20","IsoTimestamp":"2021-03-10T09:11:20Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"32","Desc":"Add Owner","Severity":"Info","Issuer":"Administrator","Action":"Add Owner","SourceUser":"Auditors","TargetUser":"","Safe":"PSMPConf","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Owner","GatewayStation":""}}} +<5>1 2021-03-10T09:11:20Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:20","IsoTimestamp":"2021-03-10T09:11:20Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"32","Desc":"Add Owner","Severity":"Info","Issuer":"Administrator","Action":"Add Owner","SourceUser":"DR Users","TargetUser":"","Safe":"PSMPConf","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Owner","GatewayStation":""}}} +<5>1 2021-03-10T09:11:20Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:20","IsoTimestamp":"2021-03-10T09:11:20Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"32","Desc":"Add Owner","Severity":"Info","Issuer":"Administrator","Action":"Add Owner","SourceUser":"Notification Engines","TargetUser":"","Safe":"PSMPConf","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Owner","GatewayStation":""}}} +<5>1 2021-03-10T09:11:22Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:22","IsoTimestamp":"2021-03-10T09:11:22Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"32","Desc":"Add Owner","Severity":"Info","Issuer":"Administrator","Action":"Add Owner","SourceUser":"PSMPApp_localhost.localdomain","TargetUser":"","Safe":"PVWAConfig","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Owner","GatewayStation":""}}} +<5>1 2021-03-10T09:11:23Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:23","IsoTimestamp":"2021-03-10T09:11:23Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"32","Desc":"Add Owner","Severity":"Info","Issuer":"Administrator","Action":"Add Owner","SourceUser":"PSMAppUsers","TargetUser":"","Safe":"PSMPLiveSessions","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Owner","GatewayStation":""}}} +<5>1 2021-03-10T09:11:23Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:23","IsoTimestamp":"2021-03-10T09:11:23Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"32","Desc":"Add Owner","Severity":"Info","Issuer":"Administrator","Action":"Add Owner","SourceUser":"Vault Admins","TargetUser":"","Safe":"PSMPConf","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Owner","GatewayStation":""}}} +<5>1 2021-03-10T09:11:23Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:23","IsoTimestamp":"2021-03-10T09:11:23Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"32","Desc":"Add Owner","Severity":"Info","Issuer":"Administrator","Action":"Add Owner","SourceUser":"PVWAAppUsers","TargetUser":"","Safe":"PSMPLiveSessions","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Owner","GatewayStation":""}}} +<5>1 2021-03-10T09:11:36Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:36","IsoTimestamp":"2021-03-10T09:11:36Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"32","Desc":"Add Owner","Severity":"Info","Issuer":"Administrator","Action":"Add Owner","SourceUser":"PVWAGWAccounts","TargetUser":"","Safe":"PSMPADBUserProfile","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Owner","GatewayStation":""}}} +<5>1 2021-03-10T09:11:37Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:37","IsoTimestamp":"2021-03-10T09:11:37Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"32","Desc":"Add Owner","Severity":"Info","Issuer":"Administrator","Action":"Add Owner","SourceUser":"PSMP_ADB_localhost.localdomain","TargetUser":"","Safe":"PSMPADBridgeConf","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Owner","GatewayStation":""}}} +<5>1 2021-03-10T09:11:38Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:38","IsoTimestamp":"2021-03-10T09:11:38Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"32","Desc":"Add Owner","Severity":"Info","Issuer":"Administrator","Action":"Add Owner","SourceUser":"PSMP_ADB_AppUsers","TargetUser":"","Safe":"PSMPADBridgeCustom","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Owner","GatewayStation":""}}} +<5>1 2021-03-10T17:59:32Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 09:59:32","IsoTimestamp":"2021-03-10T17:59:32Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"32","Desc":"Add Owner","Severity":"Info","Issuer":"Administrator","Action":"Add Owner","SourceUser":"PSMApp_VAGRANT","TargetUser":"","Safe":"PVWAConfig","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Owner","GatewayStation":""}}} diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/32_add_owner.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/32_add_owner.log-expected.json new file mode 100644 index 00000000000..8cff9f6ba31 --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/32_add_owner.log-expected.json @@ -0,0 +1,993 @@ +[ + { + "@timestamp": "2021-03-10T09:11:20.000Z", + "cyberarkpas.audit.action": "Add Owner", + "cyberarkpas.audit.desc": "Add Owner", + "cyberarkpas.audit.iso_timestamp": "2021-03-10T09:11:20Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Add Owner", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "PSMPConf", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.source_user": "Master", + "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.timestamp": "Mar 10 01:11:20", + "event.action": "add owner", + "event.category": [ + "iam" + ], + "event.code": "32", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "admin", + "change" + ], + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 0, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205" + ], + "related.user": [ + "Administrator", + "Master" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "Administrator", + "user.target.name": "Master" + }, + { + "@timestamp": "2021-03-10T09:11:20.000Z", + "cyberarkpas.audit.action": "Add Owner", + "cyberarkpas.audit.desc": "Add Owner", + "cyberarkpas.audit.iso_timestamp": "2021-03-10T09:11:20Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Add Owner", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "PSMPConf", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.source_user": "Administrator", + "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.timestamp": "Mar 10 01:11:20", + "event.action": "add owner", + "event.category": [ + "iam" + ], + "event.code": "32", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "admin", + "change" + ], + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 568, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205" + ], + "related.user": [ + "Administrator" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "Administrator", + "user.target.name": "Administrator" + }, + { + "@timestamp": "2021-03-10T09:11:20.000Z", + "cyberarkpas.audit.action": "Add Owner", + "cyberarkpas.audit.desc": "Add Owner", + "cyberarkpas.audit.iso_timestamp": "2021-03-10T09:11:20Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Add Owner", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "PSMPConf", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.source_user": "Batch", + "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.timestamp": "Mar 10 01:11:20", + "event.action": "add owner", + "event.category": [ + "iam" + ], + "event.code": "32", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "admin", + "change" + ], + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 1143, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205" + ], + "related.user": [ + "Administrator", + "Batch" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "Administrator", + "user.target.name": "Batch" + }, + { + "@timestamp": "2021-03-10T09:11:20.000Z", + "cyberarkpas.audit.action": "Add Owner", + "cyberarkpas.audit.desc": "Add Owner", + "cyberarkpas.audit.iso_timestamp": "2021-03-10T09:11:20Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Add Owner", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "PSMPConf", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.source_user": "Operators", + "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.timestamp": "Mar 10 01:11:20", + "event.action": "add owner", + "event.category": [ + "iam" + ], + "event.code": "32", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "admin", + "change" + ], + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 1710, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205" + ], + "related.user": [ + "Administrator", + "Operators" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "Administrator", + "user.target.name": "Operators" + }, + { + "@timestamp": "2021-03-10T09:11:20.000Z", + "cyberarkpas.audit.action": "Add Owner", + "cyberarkpas.audit.desc": "Add Owner", + "cyberarkpas.audit.iso_timestamp": "2021-03-10T09:11:20Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Add Owner", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "PSMPConf", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.source_user": "Backup Users", + "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.timestamp": "Mar 10 01:11:20", + "event.action": "add owner", + "event.category": [ + "iam" + ], + "event.code": "32", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "admin", + "change" + ], + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 2281, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205" + ], + "related.user": [ + "Administrator", + "Backup Users" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "Administrator", + "user.target.name": "Backup Users" + }, + { + "@timestamp": "2021-03-10T09:11:20.000Z", + "cyberarkpas.audit.action": "Add Owner", + "cyberarkpas.audit.desc": "Add Owner", + "cyberarkpas.audit.iso_timestamp": "2021-03-10T09:11:20Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Add Owner", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "PSMPConf", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.source_user": "Auditors", + "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.timestamp": "Mar 10 01:11:20", + "event.action": "add owner", + "event.category": [ + "iam" + ], + "event.code": "32", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "admin", + "change" + ], + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 2855, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205" + ], + "related.user": [ + "Administrator", + "Auditors" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "Administrator", + "user.target.name": "Auditors" + }, + { + "@timestamp": "2021-03-10T09:11:20.000Z", + "cyberarkpas.audit.action": "Add Owner", + "cyberarkpas.audit.desc": "Add Owner", + "cyberarkpas.audit.iso_timestamp": "2021-03-10T09:11:20Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Add Owner", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "PSMPConf", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.source_user": "DR Users", + "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.timestamp": "Mar 10 01:11:20", + "event.action": "add owner", + "event.category": [ + "iam" + ], + "event.code": "32", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "admin", + "change" + ], + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 3425, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205" + ], + "related.user": [ + "Administrator", + "DR Users" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "Administrator", + "user.target.name": "DR Users" + }, + { + "@timestamp": "2021-03-10T09:11:20.000Z", + "cyberarkpas.audit.action": "Add Owner", + "cyberarkpas.audit.desc": "Add Owner", + "cyberarkpas.audit.iso_timestamp": "2021-03-10T09:11:20Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Add Owner", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "PSMPConf", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.source_user": "Notification Engines", + "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.timestamp": "Mar 10 01:11:20", + "event.action": "add owner", + "event.category": [ + "iam" + ], + "event.code": "32", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "admin", + "change" + ], + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 3995, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205" + ], + "related.user": [ + "Administrator", + "Notification Engines" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "Administrator", + "user.target.name": "Notification Engines" + }, + { + "@timestamp": "2021-03-10T09:11:22.000Z", + "cyberarkpas.audit.action": "Add Owner", + "cyberarkpas.audit.desc": "Add Owner", + "cyberarkpas.audit.iso_timestamp": "2021-03-10T09:11:22Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Add Owner", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "PVWAConfig", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.source_user": "PSMPApp_localhost.localdomain", + "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.timestamp": "Mar 10 01:11:22", + "event.action": "add owner", + "event.category": [ + "iam" + ], + "event.code": "32", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "admin", + "change" + ], + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 4577, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205" + ], + "related.user": [ + "Administrator", + "PSMPApp_localhost.localdomain" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "Administrator", + "user.target.name": "PSMPApp_localhost.localdomain" + }, + { + "@timestamp": "2021-03-10T09:11:23.000Z", + "cyberarkpas.audit.action": "Add Owner", + "cyberarkpas.audit.desc": "Add Owner", + "cyberarkpas.audit.iso_timestamp": "2021-03-10T09:11:23Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Add Owner", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "PSMPLiveSessions", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.source_user": "PSMAppUsers", + "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.timestamp": "Mar 10 01:11:23", + "event.action": "add owner", + "event.category": [ + "iam" + ], + "event.code": "32", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "admin", + "change" + ], + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 5170, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205" + ], + "related.user": [ + "Administrator", + "PSMAppUsers" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "Administrator", + "user.target.name": "PSMAppUsers" + }, + { + "@timestamp": "2021-03-10T09:11:23.000Z", + "cyberarkpas.audit.action": "Add Owner", + "cyberarkpas.audit.desc": "Add Owner", + "cyberarkpas.audit.iso_timestamp": "2021-03-10T09:11:23Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Add Owner", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "PSMPConf", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.source_user": "Vault Admins", + "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.timestamp": "Mar 10 01:11:23", + "event.action": "add owner", + "event.category": [ + "iam" + ], + "event.code": "32", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "admin", + "change" + ], + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 5751, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205" + ], + "related.user": [ + "Administrator", + "Vault Admins" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "Administrator", + "user.target.name": "Vault Admins" + }, + { + "@timestamp": "2021-03-10T09:11:23.000Z", + "cyberarkpas.audit.action": "Add Owner", + "cyberarkpas.audit.desc": "Add Owner", + "cyberarkpas.audit.iso_timestamp": "2021-03-10T09:11:23Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Add Owner", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "PSMPLiveSessions", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.source_user": "PVWAAppUsers", + "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.timestamp": "Mar 10 01:11:23", + "event.action": "add owner", + "event.category": [ + "iam" + ], + "event.code": "32", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "admin", + "change" + ], + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 6325, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205" + ], + "related.user": [ + "Administrator", + "PVWAAppUsers" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "Administrator", + "user.target.name": "PVWAAppUsers" + }, + { + "@timestamp": "2021-03-10T09:11:36.000Z", + "cyberarkpas.audit.action": "Add Owner", + "cyberarkpas.audit.desc": "Add Owner", + "cyberarkpas.audit.iso_timestamp": "2021-03-10T09:11:36Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Add Owner", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "PSMPADBUserProfile", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.source_user": "PVWAGWAccounts", + "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.timestamp": "Mar 10 01:11:36", + "event.action": "add owner", + "event.category": [ + "iam" + ], + "event.code": "32", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "admin", + "change" + ], + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 6907, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205" + ], + "related.user": [ + "Administrator", + "PVWAGWAccounts" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "Administrator", + "user.target.name": "PVWAGWAccounts" + }, + { + "@timestamp": "2021-03-10T09:11:37.000Z", + "cyberarkpas.audit.action": "Add Owner", + "cyberarkpas.audit.desc": "Add Owner", + "cyberarkpas.audit.iso_timestamp": "2021-03-10T09:11:37Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Add Owner", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "PSMPADBridgeConf", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.source_user": "PSMP_ADB_localhost.localdomain", + "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.timestamp": "Mar 10 01:11:37", + "event.action": "add owner", + "event.category": [ + "iam" + ], + "event.code": "32", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "admin", + "change" + ], + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 7493, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205" + ], + "related.user": [ + "Administrator", + "PSMP_ADB_localhost.localdomain" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "Administrator", + "user.target.name": "PSMP_ADB_localhost.localdomain" + }, + { + "@timestamp": "2021-03-10T09:11:38.000Z", + "cyberarkpas.audit.action": "Add Owner", + "cyberarkpas.audit.desc": "Add Owner", + "cyberarkpas.audit.iso_timestamp": "2021-03-10T09:11:38Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Add Owner", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "PSMPADBridgeCustom", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.source_user": "PSMP_ADB_AppUsers", + "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.timestamp": "Mar 10 01:11:38", + "event.action": "add owner", + "event.category": [ + "iam" + ], + "event.code": "32", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "admin", + "change" + ], + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 8093, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205" + ], + "related.user": [ + "Administrator", + "PSMP_ADB_AppUsers" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "Administrator", + "user.target.name": "PSMP_ADB_AppUsers" + }, + { + "@timestamp": "2021-03-10T17:59:32.000Z", + "cyberarkpas.audit.action": "Add Owner", + "cyberarkpas.audit.desc": "Add Owner", + "cyberarkpas.audit.iso_timestamp": "2021-03-10T17:59:32Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Add Owner", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "PVWAConfig", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.source_user": "PSMApp_VAGRANT", + "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.timestamp": "Mar 10 09:59:32", + "event.action": "add owner", + "event.category": [ + "iam" + ], + "event.code": "32", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "admin", + "change" + ], + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 8682, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205" + ], + "related.user": [ + "Administrator", + "PSMApp_VAGRANT" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "Administrator", + "user.target.name": "PSMApp_VAGRANT" + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/33_update_owner.log b/x-pack/filebeat/module/cyberarkpas/audit/test/33_update_owner.log new file mode 100644 index 00000000000..16ec40c4f3c --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/33_update_owner.log @@ -0,0 +1,7 @@ +<5>1 2021-03-10T18:16:49Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 10:16:49","IsoTimestamp":"2021-03-10T18:16:49Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"33","Desc":"Update Owner","Severity":"Info","Issuer":"Administrator","Action":"Update Owner","SourceUser":"PVWAAppUsers","TargetUser":"","Safe":"PSM","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Update Owner","GatewayStation":""}}} +<5>1 2021-03-10T18:16:50Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 10:16:50","IsoTimestamp":"2021-03-10T18:16:50Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"33","Desc":"Update Owner","Severity":"Info","Issuer":"Administrator","Action":"Update Owner","SourceUser":"PSMApp_VAGRANT","TargetUser":"","Safe":"PVWAConfig","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Update Owner","GatewayStation":""}}} +<5>1 2021-03-10T18:16:51Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 10:16:51","IsoTimestamp":"2021-03-10T18:16:51Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"33","Desc":"Update Owner","Severity":"Info","Issuer":"Administrator","Action":"Update Owner","SourceUser":"PSMAppUsers","TargetUser":"","Safe":"PSM","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Update Owner","GatewayStation":""}}} +<5>1 2021-03-10T18:16:51Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 10:16:51","IsoTimestamp":"2021-03-10T18:16:51Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"33","Desc":"Update Owner","Severity":"Info","Issuer":"Administrator","Action":"Update Owner","SourceUser":"PSMMaster","TargetUser":"","Safe":"PSM","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Update Owner","GatewayStation":""}}} +<5>1 2021-03-10T18:16:53Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 10:16:53","IsoTimestamp":"2021-03-10T18:16:53Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"33","Desc":"Update Owner","Severity":"Info","Issuer":"Administrator","Action":"Update Owner","SourceUser":"Vault Admins","TargetUser":"","Safe":"PSMUniversalConnectors","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Update Owner","GatewayStation":""}}} +<5>1 2021-03-10T22:19:18Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 14:19:18","IsoTimestamp":"2021-03-10T22:19:18Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"33","Desc":"Update Owner","Severity":"Info","Issuer":"Administrator","Action":"Update Owner","SourceUser":"PVWAAppUsers","TargetUser":"","Safe":"PSM","File":"","Station":"35.192.121.42","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Update Owner","GatewayStation":""}}} +<5>1 2021-03-11T17:38:14Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:38:14\n 2021-03-11T17:38:14Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 33\n Update Owner\n Info\n PSMPApp_VAGRANT\n Update Owner\n Auditors\n \n PSMRecordings\n \n 81.32.170.205\n \n \n \n \n \n Update Owner\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:38:14","IsoTimestamp":"2021-03-11T17:38:14Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"33","Desc":"Update Owner","Severity":"Info","Issuer":"PSMPApp_VAGRANT","Action":"Update Owner","SourceUser":"Auditors","TargetUser":"","Safe":"PSMRecordings","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Update Owner","GatewayStation":""}}} diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/33_update_owner.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/33_update_owner.log-expected.json new file mode 100644 index 00000000000..ef5d1eddfff --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/33_update_owner.log-expected.json @@ -0,0 +1,436 @@ +[ + { + "@timestamp": "2021-03-10T18:16:49.000Z", + "cyberarkpas.audit.action": "Update Owner", + "cyberarkpas.audit.desc": "Update Owner", + "cyberarkpas.audit.iso_timestamp": "2021-03-10T18:16:49Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Update Owner", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "PSM", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.source_user": "PVWAAppUsers", + "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.timestamp": "Mar 10 10:16:49", + "event.action": "update owner", + "event.category": [ + "iam" + ], + "event.code": "33", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "admin", + "change" + ], + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 0, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205" + ], + "related.user": [ + "Administrator", + "PVWAAppUsers" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "Administrator", + "user.target.name": "PVWAAppUsers" + }, + { + "@timestamp": "2021-03-10T18:16:50.000Z", + "cyberarkpas.audit.action": "Update Owner", + "cyberarkpas.audit.desc": "Update Owner", + "cyberarkpas.audit.iso_timestamp": "2021-03-10T18:16:50Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Update Owner", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "PVWAConfig", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.source_user": "PSMApp_VAGRANT", + "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.timestamp": "Mar 10 10:16:50", + "event.action": "update owner", + "event.category": [ + "iam" + ], + "event.code": "33", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "admin", + "change" + ], + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 578, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205" + ], + "related.user": [ + "Administrator", + "PSMApp_VAGRANT" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "Administrator", + "user.target.name": "PSMApp_VAGRANT" + }, + { + "@timestamp": "2021-03-10T18:16:51.000Z", + "cyberarkpas.audit.action": "Update Owner", + "cyberarkpas.audit.desc": "Update Owner", + "cyberarkpas.audit.iso_timestamp": "2021-03-10T18:16:51Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Update Owner", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "PSM", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.source_user": "PSMAppUsers", + "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.timestamp": "Mar 10 10:16:51", + "event.action": "update owner", + "event.category": [ + "iam" + ], + "event.code": "33", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "admin", + "change" + ], + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 1165, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205" + ], + "related.user": [ + "Administrator", + "PSMAppUsers" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "Administrator", + "user.target.name": "PSMAppUsers" + }, + { + "@timestamp": "2021-03-10T18:16:51.000Z", + "cyberarkpas.audit.action": "Update Owner", + "cyberarkpas.audit.desc": "Update Owner", + "cyberarkpas.audit.iso_timestamp": "2021-03-10T18:16:51Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Update Owner", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "PSM", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.source_user": "PSMMaster", + "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.timestamp": "Mar 10 10:16:51", + "event.action": "update owner", + "event.category": [ + "iam" + ], + "event.code": "33", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "admin", + "change" + ], + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 1742, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205" + ], + "related.user": [ + "Administrator", + "PSMMaster" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "Administrator", + "user.target.name": "PSMMaster" + }, + { + "@timestamp": "2021-03-10T18:16:53.000Z", + "cyberarkpas.audit.action": "Update Owner", + "cyberarkpas.audit.desc": "Update Owner", + "cyberarkpas.audit.iso_timestamp": "2021-03-10T18:16:53Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Update Owner", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "PSMUniversalConnectors", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.source_user": "Vault Admins", + "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.timestamp": "Mar 10 10:16:53", + "event.action": "update owner", + "event.category": [ + "iam" + ], + "event.code": "33", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "admin", + "change" + ], + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 2317, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205" + ], + "related.user": [ + "Administrator", + "Vault Admins" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "Administrator", + "user.target.name": "Vault Admins" + }, + { + "@timestamp": "2021-03-10T22:19:18.000Z", + "cyberarkpas.audit.action": "Update Owner", + "cyberarkpas.audit.desc": "Update Owner", + "cyberarkpas.audit.iso_timestamp": "2021-03-10T22:19:18Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Update Owner", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "PSM", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.source_user": "PVWAAppUsers", + "cyberarkpas.audit.station": "35.192.121.42", + "cyberarkpas.audit.timestamp": "Mar 10 14:19:18", + "event.action": "update owner", + "event.category": [ + "iam" + ], + "event.code": "33", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "admin", + "change" + ], + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 2914, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "35.192.121.42" + ], + "related.user": [ + "Administrator", + "PVWAAppUsers" + ], + "service.type": "cyberarkpas", + "source.address": "35.192.121.42", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 38.6583, + "source.geo.location.lon": -77.2481, + "source.geo.region_iso_code": "US-VA", + "source.geo.region_name": "Virginia", + "source.ip": "35.192.121.42", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "Administrator", + "user.target.name": "PVWAAppUsers" + }, + { + "@timestamp": "2021-03-11T17:38:14.000Z", + "cyberarkpas.audit.action": "Update Owner", + "cyberarkpas.audit.desc": "Update Owner", + "cyberarkpas.audit.iso_timestamp": "2021-03-11T17:38:14Z", + "cyberarkpas.audit.issuer": "PSMPApp_VAGRANT", + "cyberarkpas.audit.message": "Update Owner", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 09:38:14\n 2021-03-11T17:38:14Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 33\n Update Owner\n Info\n PSMPApp_VAGRANT\n Update Owner\n Auditors\n \n PSMRecordings\n \n 81.32.170.205\n \n \n \n \n \n Update Owner\n \n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "PSMRecordings", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.source_user": "Auditors", + "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.timestamp": "Mar 11 09:38:14", + "event.action": "update owner", + "event.category": [ + "iam" + ], + "event.code": "33", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "admin", + "change" + ], + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 3492, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205" + ], + "related.user": [ + "PSMPApp_VAGRANT", + "Auditors" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "PSMPApp_VAGRANT", + "user.target.name": "Auditors" + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/355_monitor_license_expiration_date_start.log b/x-pack/filebeat/module/cyberarkpas/audit/test/355_monitor_license_expiration_date_start.log new file mode 100644 index 00000000000..726201faa4d --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/355_monitor_license_expiration_date_start.log @@ -0,0 +1 @@ +<5>1 2021-03-09T10:17:54Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 09 02:17:54","IsoTimestamp":"2021-03-09T10:17:54Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"355","Desc":"Monitor License Expiration Date start","Severity":"Info","Issuer":"Batch","Action":"Monitor License Expiration Date start","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"0.0.0.0","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Monitor License Expiration Date start","GatewayStation":""}}} diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/355_monitor_license_expiration_date_start.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/355_monitor_license_expiration_date_start.log-expected.json new file mode 100644 index 00000000000..4cecbceb396 --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/355_monitor_license_expiration_date_start.log-expected.json @@ -0,0 +1,40 @@ +[ + { + "@timestamp": "2021-03-09T10:17:54.000Z", + "cyberarkpas.audit.action": "Monitor License Expiration Date start", + "cyberarkpas.audit.desc": "Monitor License Expiration Date start", + "cyberarkpas.audit.iso_timestamp": "2021-03-09T10:17:54Z", + "cyberarkpas.audit.issuer": "Batch", + "cyberarkpas.audit.message": "Monitor License Expiration Date start", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "0.0.0.0", + "cyberarkpas.audit.timestamp": "Mar 09 02:17:54", + "event.action": "monitor license expiration date start", + "event.code": "355", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 0, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "0.0.0.0" + ], + "service.type": "cyberarkpas", + "source.address": "0.0.0.0", + "source.ip": "0.0.0.0", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/356_monitor_license_expiration_date_end.log b/x-pack/filebeat/module/cyberarkpas/audit/test/356_monitor_license_expiration_date_end.log new file mode 100644 index 00000000000..a5ed2fa3bef --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/356_monitor_license_expiration_date_end.log @@ -0,0 +1 @@ +<5>1 2021-03-09T10:17:54Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 09 02:17:54","IsoTimestamp":"2021-03-09T10:17:54Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"356","Desc":"Monitor License Expiration Date end","Severity":"Info","Issuer":"Batch","Action":"Monitor License Expiration Date end","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"0.0.0.0","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Monitor License Expiration Date end","GatewayStation":""}}} diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/356_monitor_license_expiration_date_end.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/356_monitor_license_expiration_date_end.log-expected.json new file mode 100644 index 00000000000..181d9a733e7 --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/356_monitor_license_expiration_date_end.log-expected.json @@ -0,0 +1,40 @@ +[ + { + "@timestamp": "2021-03-09T10:17:54.000Z", + "cyberarkpas.audit.action": "Monitor License Expiration Date end", + "cyberarkpas.audit.desc": "Monitor License Expiration Date end", + "cyberarkpas.audit.iso_timestamp": "2021-03-09T10:17:54Z", + "cyberarkpas.audit.issuer": "Batch", + "cyberarkpas.audit.message": "Monitor License Expiration Date end", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "0.0.0.0", + "cyberarkpas.audit.timestamp": "Mar 09 02:17:54", + "event.action": "monitor license expiration date end", + "event.code": "356", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 0, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "0.0.0.0" + ], + "service.type": "cyberarkpas", + "source.address": "0.0.0.0", + "source.ip": "0.0.0.0", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/357_monitor_fw_rules_start.log b/x-pack/filebeat/module/cyberarkpas/audit/test/357_monitor_fw_rules_start.log new file mode 100644 index 00000000000..50743ea86e7 --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/357_monitor_fw_rules_start.log @@ -0,0 +1,2 @@ +<5>1 2021-03-04T19:10:01Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 04 11:10:01","IsoTimestamp":"2021-03-04T19:10:01Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"357","Desc":"Monitor FW rules start","Severity":"Info","Issuer":"Batch","Action":"Monitor FW rules start","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"0.0.0.0","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Monitor FW rules start","GatewayStation":""}}} +Mar 08 02:32:56 VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"no","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"357","Desc":"Monitor FW rules start","Severity":"Info","Issuer":"Batch","Action":"Monitor FW rules start","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"0.0.0.0","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Monitor FW rules start","GatewayStation":""}}} diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/357_monitor_fw_rules_start.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/357_monitor_fw_rules_start.log-expected.json new file mode 100644 index 00000000000..a3b04bd34cf --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/357_monitor_fw_rules_start.log-expected.json @@ -0,0 +1,75 @@ +[ + { + "@timestamp": "2021-03-04T19:10:01.000Z", + "cyberarkpas.audit.action": "Monitor FW rules start", + "cyberarkpas.audit.desc": "Monitor FW rules start", + "cyberarkpas.audit.iso_timestamp": "2021-03-04T19:10:01Z", + "cyberarkpas.audit.issuer": "Batch", + "cyberarkpas.audit.message": "Monitor FW rules start", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "0.0.0.0", + "cyberarkpas.audit.timestamp": "Mar 04 11:10:01", + "event.action": "monitor fw rules start", + "event.code": "357", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 0, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "0.0.0.0" + ], + "service.type": "cyberarkpas", + "source.address": "0.0.0.0", + "source.ip": "0.0.0.0", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + }, + { + "@timestamp": "2021-03-08T02:32:56.000-02:00", + "cyberarkpas.audit.action": "Monitor FW rules start", + "cyberarkpas.audit.desc": "Monitor FW rules start", + "cyberarkpas.audit.issuer": "Batch", + "cyberarkpas.audit.message": "Monitor FW rules start", + "cyberarkpas.audit.rfc5424": false, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "0.0.0.0", + "event.action": "monitor fw rules start", + "event.code": "357", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 580, + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "0.0.0.0" + ], + "service.type": "cyberarkpas", + "source.address": "0.0.0.0", + "source.ip": "0.0.0.0", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/358_monitor_fw_rules_end.log b/x-pack/filebeat/module/cyberarkpas/audit/test/358_monitor_fw_rules_end.log new file mode 100644 index 00000000000..cbda469d1fc --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/358_monitor_fw_rules_end.log @@ -0,0 +1,2 @@ +<5>1 2021-03-04T19:10:01Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 04 11:10:01","IsoTimestamp":"2021-03-04T19:10:01Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"358","Desc":"Monitor FW Rules end","Severity":"Info","Issuer":"Batch","Action":"Monitor FW Rules end","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"0.0.0.0","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Monitor FW Rules end","GatewayStation":""}}} +Mar 08 02:32:56 VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"no","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"358","Desc":"Monitor FW Rules end","Severity":"Info","Issuer":"Batch","Action":"Monitor FW Rules end","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"0.0.0.0","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Monitor FW Rules end","GatewayStation":""}}} diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/358_monitor_fw_rules_end.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/358_monitor_fw_rules_end.log-expected.json new file mode 100644 index 00000000000..a5af60dcea0 --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/358_monitor_fw_rules_end.log-expected.json @@ -0,0 +1,75 @@ +[ + { + "@timestamp": "2021-03-04T19:10:01.000Z", + "cyberarkpas.audit.action": "Monitor FW Rules end", + "cyberarkpas.audit.desc": "Monitor FW Rules end", + "cyberarkpas.audit.iso_timestamp": "2021-03-04T19:10:01Z", + "cyberarkpas.audit.issuer": "Batch", + "cyberarkpas.audit.message": "Monitor FW Rules end", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "0.0.0.0", + "cyberarkpas.audit.timestamp": "Mar 04 11:10:01", + "event.action": "monitor fw rules end", + "event.code": "358", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 0, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "0.0.0.0" + ], + "service.type": "cyberarkpas", + "source.address": "0.0.0.0", + "source.ip": "0.0.0.0", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + }, + { + "@timestamp": "2021-03-08T02:32:56.000-02:00", + "cyberarkpas.audit.action": "Monitor FW Rules end", + "cyberarkpas.audit.desc": "Monitor FW Rules end", + "cyberarkpas.audit.issuer": "Batch", + "cyberarkpas.audit.message": "Monitor FW Rules end", + "cyberarkpas.audit.rfc5424": false, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "0.0.0.0", + "event.action": "monitor fw rules end", + "event.code": "358", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 574, + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "0.0.0.0" + ], + "service.type": "cyberarkpas", + "source.address": "0.0.0.0", + "source.ip": "0.0.0.0", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/359_sql_command.log b/x-pack/filebeat/module/cyberarkpas/audit/test/359_sql_command.log new file mode 100644 index 00000000000..3006cd28bbd --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/359_sql_command.log @@ -0,0 +1,10 @@ +<5>1 2021-03-25T14:56:44Z VLT01 {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 25 10:56:44\n 2021-03-25T14:56:44Z\n VLT01\n Cyber-Ark\n Vault\n 12.0.0000\n 359\n SQL Command\n Info\n Administrator\n SQL Command\n \n \n Oracle\n Root\\Database-Oracle-oracle.cybr.com-HR\n 10.0.0.15\n \n \n \n \n Command=SELECT USER FROM DUAL;ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=69B;SrcHost=127.0.0.1;User=HR;VIDOffset=4T;\n SQL Command\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 25 10:56:44","IsoTimestamp":"2021-03-25T14:56:44Z","Hostname":"VLT01","Vendor":"Cyber-Ark","Product":"Vault","Version":"12.0.0000","MessageID":"359","Desc":"SQL Command","Severity":"Info","Issuer":"Administrator","Action":"SQL Command","SourceUser":"","TargetUser":"","Safe":"Oracle","File":"Root\\Database-Oracle-oracle.cybr.com-HR","Station":"10.0.0.15","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"Command=SELECT USER FROM DUAL;ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=69B;SrcHost=127.0.0.1;User=HR;VIDOffset=4T;","Message":"SQL Command","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"Oracle"},{"Name":"UserName","Value":"HR"},{"Name":"Address","Value":"oracle.cybr.com"},{"Name":"Database","Value":"XE"},{"Name":"DeviceType","Value":"Database"},{"Name":"CPMStatus","Value":"success"},{"Name":"RetriesCount","Value":"-1"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"LastSuccessVerification","Value":"1616580248"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"Port","Value":"1521"},{"Name":"LastSuccessChange","Value":"1616011984"},{"Name":"Tags","Value":"Oracle;DB"},{"Name":"Privcloud","Value":"privcloud"}]}}}} +<5>1 2021-03-25T14:56:44Z VLT01 {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 25 10:56:44\n 2021-03-25T14:56:44Z\n VLT01\n Cyber-Ark\n Vault\n 12.0.0000\n 359\n SQL Command\n Info\n Administrator\n SQL Command\n \n \n Oracle\n Root\\Database-Oracle-oracle.cybr.com-HR\n 10.0.0.15\n \n \n \n \n Command=BEGIN DBMS_OUTPUT.DISABLE\\; END\\;;ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=123B;SrcHost=127.0.0.1;User=HR;VIDOffset=4T;\n SQL Command\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 25 10:56:44","IsoTimestamp":"2021-03-25T14:56:44Z","Hostname":"VLT01","Vendor":"Cyber-Ark","Product":"Vault","Version":"12.0.0000","MessageID":"359","Desc":"SQL Command","Severity":"Info","Issuer":"Administrator","Action":"SQL Command","SourceUser":"","TargetUser":"","Safe":"Oracle","File":"Root\\Database-Oracle-oracle.cybr.com-HR","Station":"10.0.0.15","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"Command=BEGIN DBMS_OUTPUT.DISABLE\\; END\\;;ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=123B;SrcHost=127.0.0.1;User=HR;VIDOffset=4T;","Message":"SQL Command","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"Oracle"},{"Name":"UserName","Value":"HR"},{"Name":"Address","Value":"oracle.cybr.com"},{"Name":"Database","Value":"XE"},{"Name":"DeviceType","Value":"Database"},{"Name":"CPMStatus","Value":"success"},{"Name":"RetriesCount","Value":"-1"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"LastSuccessVerification","Value":"1616580248"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"Port","Value":"1521"},{"Name":"LastSuccessChange","Value":"1616011984"},{"Name":"Tags","Value":"Oracle;DB"},{"Name":"Privcloud","Value":"privcloud"}]}}}} +<5>1 2021-03-25T14:56:44Z VLT01 {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 25 10:56:44\n 2021-03-25T14:56:44Z\n VLT01\n Cyber-Ark\n Vault\n 12.0.0000\n 359\n SQL Command\n Info\n Administrator\n SQL Command\n \n \n Oracle\n Root\\Database-Oracle-oracle.cybr.com-HR\n 10.0.0.15\n \n \n \n \n Command=SELECT ATTRIBUTE,SCOPE,NUMERIC_VALUE,CHAR_VALUE,DATE_VALUE FROM SYSTEM.PRODUCT_PRIVS WHERE (UPPER('SQL*Plus') LIKE UPPER(PRODUCT)) AND (UPPER(USER) LIKE USERID);ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=187B;SrcHost=127.0.0.1;User=HR;VIDOffset=4T;\n SQL Command\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 25 10:56:44","IsoTimestamp":"2021-03-25T14:56:44Z","Hostname":"VLT01","Vendor":"Cyber-Ark","Product":"Vault","Version":"12.0.0000","MessageID":"359","Desc":"SQL Command","Severity":"Info","Issuer":"Administrator","Action":"SQL Command","SourceUser":"","TargetUser":"","Safe":"Oracle","File":"Root\\Database-Oracle-oracle.cybr.com-HR","Station":"10.0.0.15","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"Command=SELECT ATTRIBUTE,SCOPE,NUMERIC_VALUE,CHAR_VALUE,DATE_VALUE FROM SYSTEM.PRODUCT_PRIVS WHERE (UPPER('SQL*Plus') LIKE UPPER(PRODUCT)) AND (UPPER(USER) LIKE USERID);ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=187B;SrcHost=127.0.0.1;User=HR;VIDOffset=4T;","Message":"SQL Command","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"Oracle"},{"Name":"UserName","Value":"HR"},{"Name":"Address","Value":"oracle.cybr.com"},{"Name":"Database","Value":"XE"},{"Name":"DeviceType","Value":"Database"},{"Name":"CPMStatus","Value":"success"},{"Name":"RetriesCount","Value":"-1"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"LastSuccessVerification","Value":"1616580248"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"Port","Value":"1521"},{"Name":"LastSuccessChange","Value":"1616011984"},{"Name":"Tags","Value":"Oracle;DB"},{"Name":"Privcloud","Value":"privcloud"}]}}}} +<5>1 2021-03-25T14:56:44Z VLT01 {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 25 10:56:44\n 2021-03-25T14:56:44Z\n VLT01\n Cyber-Ark\n Vault\n 12.0.0000\n 359\n SQL Command\n Info\n Administrator\n SQL Command\n \n \n Oracle\n Root\\Database-Oracle-oracle.cybr.com-HR\n 10.0.0.15\n \n \n \n \n Command=SELECT CHAR_VALUE FROM SYSTEM.PRODUCT_PRIVS WHERE (UPPER('SQL*Plus') LIKE UPPER(PRODUCT)) AND ((UPPER(USER) LIKE USERID) OR (USERID \\= 'PUBLIC')) AND (UPPER(ATTRIBUTE) \\= 'ROLES');ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=380B;SrcHost=127.0.0.1;User=HR;VIDOffset=4T;\n SQL Command\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 25 10:56:44","IsoTimestamp":"2021-03-25T14:56:44Z","Hostname":"VLT01","Vendor":"Cyber-Ark","Product":"Vault","Version":"12.0.0000","MessageID":"359","Desc":"SQL Command","Severity":"Info","Issuer":"Administrator","Action":"SQL Command","SourceUser":"","TargetUser":"","Safe":"Oracle","File":"Root\\Database-Oracle-oracle.cybr.com-HR","Station":"10.0.0.15","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"Command=SELECT CHAR_VALUE FROM SYSTEM.PRODUCT_PRIVS WHERE (UPPER('SQL*Plus') LIKE UPPER(PRODUCT)) AND ((UPPER(USER) LIKE USERID) OR (USERID \\= 'PUBLIC')) AND (UPPER(ATTRIBUTE) \\= 'ROLES');ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=380B;SrcHost=127.0.0.1;User=HR;VIDOffset=4T;","Message":"SQL Command","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"Oracle"},{"Name":"UserName","Value":"HR"},{"Name":"Address","Value":"oracle.cybr.com"},{"Name":"Database","Value":"XE"},{"Name":"DeviceType","Value":"Database"},{"Name":"CPMStatus","Value":"success"},{"Name":"RetriesCount","Value":"-1"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"LastSuccessVerification","Value":"1616580248"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"Port","Value":"1521"},{"Name":"LastSuccessChange","Value":"1616011984"},{"Name":"Tags","Value":"Oracle;DB"},{"Name":"Privcloud","Value":"privcloud"}]}}}} +<5>1 2021-03-25T14:56:44Z VLT01 {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 25 10:56:44\n 2021-03-25T14:56:44Z\n VLT01\n Cyber-Ark\n Vault\n 12.0.0000\n 359\n SQL Command\n Info\n Administrator\n SQL Command\n \n \n Oracle\n Root\\Database-Oracle-oracle.cybr.com-HR\n 10.0.0.15\n \n \n \n \n Command=BEGIN DBMS_APPLICATION_INFO.SET_MODULE(:1,NULL)\\; END\\; (Parameters bound by position: 1\\=[SQL*Plus]);ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=596B;SrcHost=127.0.0.1;User=HR;VIDOffset=4T;\n SQL Command\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 25 10:56:44","IsoTimestamp":"2021-03-25T14:56:44Z","Hostname":"VLT01","Vendor":"Cyber-Ark","Product":"Vault","Version":"12.0.0000","MessageID":"359","Desc":"SQL Command","Severity":"Info","Issuer":"Administrator","Action":"SQL Command","SourceUser":"","TargetUser":"","Safe":"Oracle","File":"Root\\Database-Oracle-oracle.cybr.com-HR","Station":"10.0.0.15","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"Command=BEGIN DBMS_APPLICATION_INFO.SET_MODULE(:1,NULL)\\; END\\; (Parameters bound by position: 1\\=[SQL*Plus]);ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=596B;SrcHost=127.0.0.1;User=HR;VIDOffset=4T;","Message":"SQL Command","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"Oracle"},{"Name":"UserName","Value":"HR"},{"Name":"Address","Value":"oracle.cybr.com"},{"Name":"Database","Value":"XE"},{"Name":"DeviceType","Value":"Database"},{"Name":"CPMStatus","Value":"success"},{"Name":"RetriesCount","Value":"-1"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"LastSuccessVerification","Value":"1616580248"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"Port","Value":"1521"},{"Name":"LastSuccessChange","Value":"1616011984"},{"Name":"Tags","Value":"Oracle;DB"},{"Name":"Privcloud","Value":"privcloud"}]}}}} +<5>1 2021-03-25T14:56:45Z VLT01 {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 25 10:56:45\n 2021-03-25T14:56:45Z\n VLT01\n Cyber-Ark\n Vault\n 12.0.0000\n 359\n SQL Command\n Info\n Administrator\n SQL Command\n \n \n Oracle\n Root\\Database-Oracle-oracle.cybr.com-HR\n 10.0.0.15\n \n \n \n \n Command=SELECT DECODE('A','A','1','2') FROM DUAL;ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=727B;SrcHost=127.0.0.1;User=HR;VIDOffset=5T;\n SQL Command\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 25 10:56:45","IsoTimestamp":"2021-03-25T14:56:45Z","Hostname":"VLT01","Vendor":"Cyber-Ark","Product":"Vault","Version":"12.0.0000","MessageID":"359","Desc":"SQL Command","Severity":"Info","Issuer":"Administrator","Action":"SQL Command","SourceUser":"","TargetUser":"","Safe":"Oracle","File":"Root\\Database-Oracle-oracle.cybr.com-HR","Station":"10.0.0.15","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"Command=SELECT DECODE('A','A','1','2') FROM DUAL;ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=727B;SrcHost=127.0.0.1;User=HR;VIDOffset=5T;","Message":"SQL Command","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"Oracle"},{"Name":"UserName","Value":"HR"},{"Name":"Address","Value":"oracle.cybr.com"},{"Name":"Database","Value":"XE"},{"Name":"DeviceType","Value":"Database"},{"Name":"CPMStatus","Value":"success"},{"Name":"RetriesCount","Value":"-1"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"LastSuccessVerification","Value":"1616580248"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"Port","Value":"1521"},{"Name":"LastSuccessChange","Value":"1616011984"},{"Name":"Tags","Value":"Oracle;DB"},{"Name":"Privcloud","Value":"privcloud"}]}}}} +<5>1 2021-03-25T14:56:54Z VLT01 {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 25 10:56:54\n 2021-03-25T14:56:54Z\n VLT01\n Cyber-Ark\n Vault\n 12.0.0000\n 359\n SQL Command\n Info\n Administrator\n SQL Command\n \n \n Oracle\n Root\\Database-Oracle-oracle.cybr.com-HR\n 10.0.0.15\n \n \n \n \n Command=SELECT INFO FROM SYSTEM.HELP WHERE UPPER(TOPIC) LIKE :1 ORDER BY TOPIC,SEQ (Parameters bound by position: 1\\=[HELP]);ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=800B;SrcHost=127.0.0.1;User=HR;VIDOffset=14T;\n SQL Command\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 25 10:56:54","IsoTimestamp":"2021-03-25T14:56:54Z","Hostname":"VLT01","Vendor":"Cyber-Ark","Product":"Vault","Version":"12.0.0000","MessageID":"359","Desc":"SQL Command","Severity":"Info","Issuer":"Administrator","Action":"SQL Command","SourceUser":"","TargetUser":"","Safe":"Oracle","File":"Root\\Database-Oracle-oracle.cybr.com-HR","Station":"10.0.0.15","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"Command=SELECT INFO FROM SYSTEM.HELP WHERE UPPER(TOPIC) LIKE :1 ORDER BY TOPIC,SEQ (Parameters bound by position: 1\\=[HELP]);ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=800B;SrcHost=127.0.0.1;User=HR;VIDOffset=14T;","Message":"SQL Command","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"Oracle"},{"Name":"UserName","Value":"HR"},{"Name":"Address","Value":"oracle.cybr.com"},{"Name":"Database","Value":"XE"},{"Name":"DeviceType","Value":"Database"},{"Name":"CPMStatus","Value":"success"},{"Name":"RetriesCount","Value":"-1"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"LastSuccessVerification","Value":"1616580248"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"Port","Value":"1521"},{"Name":"LastSuccessChange","Value":"1616011984"},{"Name":"Tags","Value":"Oracle;DB"},{"Name":"Privcloud","Value":"privcloud"}]}}}} +<5>1 2021-03-25T14:58:02Z VLT01 {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 25 10:58:02\n 2021-03-25T14:58:02Z\n VLT01\n Cyber-Ark\n Vault\n 12.0.0000\n 359\n SQL Command\n Info\n Administrator\n SQL Command\n \n \n Oracle\n Root\\Database-Oracle-oracle.cybr.com-HR\n 10.0.0.15\n \n \n \n \n Command=SELECT * FROM DBA_USERS;ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=1097B;SrcHost=127.0.0.1;User=HR;VIDOffset=82T;\n SQL Command\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 25 10:58:02","IsoTimestamp":"2021-03-25T14:58:02Z","Hostname":"VLT01","Vendor":"Cyber-Ark","Product":"Vault","Version":"12.0.0000","MessageID":"359","Desc":"SQL Command","Severity":"Info","Issuer":"Administrator","Action":"SQL Command","SourceUser":"","TargetUser":"","Safe":"Oracle","File":"Root\\Database-Oracle-oracle.cybr.com-HR","Station":"10.0.0.15","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"Command=SELECT * FROM DBA_USERS;ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=1097B;SrcHost=127.0.0.1;User=HR;VIDOffset=82T;","Message":"SQL Command","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"Oracle"},{"Name":"UserName","Value":"HR"},{"Name":"Address","Value":"oracle.cybr.com"},{"Name":"Database","Value":"XE"},{"Name":"DeviceType","Value":"Database"},{"Name":"CPMStatus","Value":"success"},{"Name":"RetriesCount","Value":"-1"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"LastSuccessVerification","Value":"1616580248"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"Port","Value":"1521"},{"Name":"LastSuccessChange","Value":"1616011984"},{"Name":"Tags","Value":"Oracle;DB"},{"Name":"Privcloud","Value":"privcloud"}]}}}} +<5>1 2021-03-25T14:57:05Z VLT01 {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 25 10:57:05\n 2021-03-25T14:57:05Z\n VLT01\n Cyber-Ark\n Vault\n 12.0.0000\n 359\n SQL Command\n Info\n Administrator\n SQL Command\n \n \n Oracle\n Root\\Database-Oracle-oracle.cybr.com-HR\n 10.0.0.15\n \n \n \n \n Command=SELECT INFO FROM SYSTEM.HELP WHERE UPPER(TOPIC) LIKE :1 ORDER BY TOPIC,SEQ (Parameters bound by position: 1\\=[SHOW%]);ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=948B;SrcHost=127.0.0.1;User=HR;VIDOffset=25T;\n SQL Command\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 25 10:57:05","IsoTimestamp":"2021-03-25T14:57:05Z","Hostname":"VLT01","Vendor":"Cyber-Ark","Product":"Vault","Version":"12.0.0000","MessageID":"359","Desc":"SQL Command","Severity":"Info","Issuer":"Administrator","Action":"SQL Command","SourceUser":"","TargetUser":"","Safe":"Oracle","File":"Root\\Database-Oracle-oracle.cybr.com-HR","Station":"10.0.0.15","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"Command=SELECT INFO FROM SYSTEM.HELP WHERE UPPER(TOPIC) LIKE :1 ORDER BY TOPIC,SEQ (Parameters bound by position: 1\\=[SHOW%]);ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=948B;SrcHost=127.0.0.1;User=HR;VIDOffset=25T;","Message":"SQL Command","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"Oracle"},{"Name":"UserName","Value":"HR"},{"Name":"Address","Value":"oracle.cybr.com"},{"Name":"Database","Value":"XE"},{"Name":"DeviceType","Value":"Database"},{"Name":"CPMStatus","Value":"success"},{"Name":"RetriesCount","Value":"-1"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"LastSuccessVerification","Value":"1616580248"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"Port","Value":"1521"},{"Name":"LastSuccessChange","Value":"1616011984"},{"Name":"Tags","Value":"Oracle;DB"},{"Name":"Privcloud","Value":"privcloud"}]}}}} +<5>1 2021-03-25T14:58:44Z VLT01 {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 25 10:58:44\n 2021-03-25T14:58:44Z\n VLT01\n Cyber-Ark\n Vault\n 12.0.0000\n 359\n SQL Command\n Info\n Administrator\n SQL Command\n \n \n Oracle\n Root\\Database-Oracle-oracle.cybr.com-HR\n 10.0.0.15\n \n \n \n \n Command=select distinct owner from all_objects;ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=1153B;SrcHost=127.0.0.1;User=HR;VIDOffset=124T;\n SQL Command\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 25 10:58:44","IsoTimestamp":"2021-03-25T14:58:44Z","Hostname":"VLT01","Vendor":"Cyber-Ark","Product":"Vault","Version":"12.0.0000","MessageID":"359","Desc":"SQL Command","Severity":"Info","Issuer":"Administrator","Action":"SQL Command","SourceUser":"","TargetUser":"","Safe":"Oracle","File":"Root\\Database-Oracle-oracle.cybr.com-HR","Station":"10.0.0.15","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"Command=select distinct owner from all_objects;ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=1153B;SrcHost=127.0.0.1;User=HR;VIDOffset=124T;","Message":"SQL Command","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"Oracle"},{"Name":"UserName","Value":"HR"},{"Name":"Address","Value":"oracle.cybr.com"},{"Name":"Database","Value":"XE"},{"Name":"DeviceType","Value":"Database"},{"Name":"CPMStatus","Value":"success"},{"Name":"RetriesCount","Value":"-1"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"LastSuccessVerification","Value":"1616580248"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"Port","Value":"1521"},{"Name":"LastSuccessChange","Value":"1616011984"},{"Name":"Tags","Value":"Oracle;DB"},{"Name":"Privcloud","Value":"privcloud"}]}}}} diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/359_sql_command.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/359_sql_command.log-expected.json new file mode 100644 index 00000000000..aae4123d3cb --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/359_sql_command.log-expected.json @@ -0,0 +1,852 @@ +[ + { + "@timestamp": "2021-03-25T14:56:44.000Z", + "cyberarkpas.audit.action": "SQL Command", + "cyberarkpas.audit.ca_properties.address": "oracle.cybr.com", + "cyberarkpas.audit.ca_properties.cpm_status": "success", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.database": "XE", + "cyberarkpas.audit.ca_properties.device_type": "Database", + "cyberarkpas.audit.ca_properties.last_success_change": "1616011984", + "cyberarkpas.audit.ca_properties.last_success_verification": "1616580248", + "cyberarkpas.audit.ca_properties.last_task": "VerifyTask", + "cyberarkpas.audit.ca_properties.policy_id": "Oracle", + "cyberarkpas.audit.ca_properties.port": "1521", + "cyberarkpas.audit.ca_properties.privcloud": "privcloud", + "cyberarkpas.audit.ca_properties.retries_count": "-1", + "cyberarkpas.audit.ca_properties.tags": "Oracle;DB", + "cyberarkpas.audit.ca_properties.user_name": "HR", + "cyberarkpas.audit.desc": "SQL Command", + "cyberarkpas.audit.extra_details.command": "SELECT USER FROM DUAL", + "cyberarkpas.audit.extra_details.connection_component_id": "PSM-SQLPlus", + "cyberarkpas.audit.extra_details.data_base": "XE", + "cyberarkpas.audit.extra_details.dst_host": "oracle.cybr.com", + "cyberarkpas.audit.extra_details.protocol": "SQLNet", + "cyberarkpas.audit.extra_details.psmid": "PSMServer", + "cyberarkpas.audit.extra_details.session_id": "0887c643-42f2-4a4f-806e-58c1689de0e6", + "cyberarkpas.audit.extra_details.sql_offset": "69B", + "cyberarkpas.audit.extra_details.src_host": "127.0.0.1", + "cyberarkpas.audit.extra_details.user": "HR", + "cyberarkpas.audit.extra_details.vid_offset": "4T", + "cyberarkpas.audit.file": "Root\\Database-Oracle-oracle.cybr.com-HR", + "cyberarkpas.audit.iso_timestamp": "2021-03-25T14:56:44Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "SQL Command", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 25 10:56:44\n 2021-03-25T14:56:44Z\n VLT01\n Cyber-Ark\n Vault\n 12.0.0000\n 359\n SQL Command\n Info\n Administrator\n SQL Command\n \n \n Oracle\n Root\\Database-Oracle-oracle.cybr.com-HR\n 10.0.0.15\n \n \n \n \n Command=SELECT USER FROM DUAL;ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=69B;SrcHost=127.0.0.1;User=HR;VIDOffset=4T;\n SQL Command\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "Oracle", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "10.0.0.15", + "cyberarkpas.audit.timestamp": "Mar 25 10:56:44", + "destination.address": "oracle.cybr.com", + "destination.domain": "oracle.cybr.com", + "destination.user.name": "HR", + "event.action": "sql command", + "event.category": [ + "database" + ], + "event.code": "359", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "access" + ], + "file.path": "Root\\Database-Oracle-oracle.cybr.com-HR", + "fileset.name": "audit", + "host.name": "VLT01", + "input.type": "log", + "log.offset": 0, + "log.syslog.priority": "5", + "network.application": "sqlnet", + "observer.hostname": "VLT01", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "12.0.0000", + "related.ip": [ + "127.0.0.1", + "10.0.0.15" + ], + "related.user": [ + "Administrator", + "HR" + ], + "service.type": "cyberarkpas", + "source.address": "127.0.0.1", + "source.ip": "127.0.0.1", + "source.user.name": "Administrator", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "Administrator" + }, + { + "@timestamp": "2021-03-25T14:56:44.000Z", + "cyberarkpas.audit.action": "SQL Command", + "cyberarkpas.audit.ca_properties.address": "oracle.cybr.com", + "cyberarkpas.audit.ca_properties.cpm_status": "success", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.database": "XE", + "cyberarkpas.audit.ca_properties.device_type": "Database", + "cyberarkpas.audit.ca_properties.last_success_change": "1616011984", + "cyberarkpas.audit.ca_properties.last_success_verification": "1616580248", + "cyberarkpas.audit.ca_properties.last_task": "VerifyTask", + "cyberarkpas.audit.ca_properties.policy_id": "Oracle", + "cyberarkpas.audit.ca_properties.port": "1521", + "cyberarkpas.audit.ca_properties.privcloud": "privcloud", + "cyberarkpas.audit.ca_properties.retries_count": "-1", + "cyberarkpas.audit.ca_properties.tags": "Oracle;DB", + "cyberarkpas.audit.ca_properties.user_name": "HR", + "cyberarkpas.audit.desc": "SQL Command", + "cyberarkpas.audit.extra_details.command": "BEGIN DBMS_OUTPUT.DISABLE\\; END\\;", + "cyberarkpas.audit.extra_details.connection_component_id": "PSM-SQLPlus", + "cyberarkpas.audit.extra_details.data_base": "XE", + "cyberarkpas.audit.extra_details.dst_host": "oracle.cybr.com", + "cyberarkpas.audit.extra_details.protocol": "SQLNet", + "cyberarkpas.audit.extra_details.psmid": "PSMServer", + "cyberarkpas.audit.extra_details.session_id": "0887c643-42f2-4a4f-806e-58c1689de0e6", + "cyberarkpas.audit.extra_details.sql_offset": "123B", + "cyberarkpas.audit.extra_details.src_host": "127.0.0.1", + "cyberarkpas.audit.extra_details.user": "HR", + "cyberarkpas.audit.extra_details.vid_offset": "4T", + "cyberarkpas.audit.file": "Root\\Database-Oracle-oracle.cybr.com-HR", + "cyberarkpas.audit.iso_timestamp": "2021-03-25T14:56:44Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "SQL Command", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 25 10:56:44\n 2021-03-25T14:56:44Z\n VLT01\n Cyber-Ark\n Vault\n 12.0.0000\n 359\n SQL Command\n Info\n Administrator\n SQL Command\n \n \n Oracle\n Root\\Database-Oracle-oracle.cybr.com-HR\n 10.0.0.15\n \n \n \n \n Command=BEGIN DBMS_OUTPUT.DISABLE\\; END\\;;ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=123B;SrcHost=127.0.0.1;User=HR;VIDOffset=4T;\n SQL Command\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "Oracle", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "10.0.0.15", + "cyberarkpas.audit.timestamp": "Mar 25 10:56:44", + "destination.address": "oracle.cybr.com", + "destination.domain": "oracle.cybr.com", + "destination.user.name": "HR", + "event.action": "sql command", + "event.category": [ + "database" + ], + "event.code": "359", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "access" + ], + "file.path": "Root\\Database-Oracle-oracle.cybr.com-HR", + "fileset.name": "audit", + "host.name": "VLT01", + "input.type": "log", + "log.offset": 3579, + "log.syslog.priority": "5", + "network.application": "sqlnet", + "observer.hostname": "VLT01", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "12.0.0000", + "related.ip": [ + "127.0.0.1", + "10.0.0.15" + ], + "related.user": [ + "Administrator", + "HR" + ], + "service.type": "cyberarkpas", + "source.address": "127.0.0.1", + "source.ip": "127.0.0.1", + "source.user.name": "Administrator", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "Administrator" + }, + { + "@timestamp": "2021-03-25T14:56:44.000Z", + "cyberarkpas.audit.action": "SQL Command", + "cyberarkpas.audit.ca_properties.address": "oracle.cybr.com", + "cyberarkpas.audit.ca_properties.cpm_status": "success", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.database": "XE", + "cyberarkpas.audit.ca_properties.device_type": "Database", + "cyberarkpas.audit.ca_properties.last_success_change": "1616011984", + "cyberarkpas.audit.ca_properties.last_success_verification": "1616580248", + "cyberarkpas.audit.ca_properties.last_task": "VerifyTask", + "cyberarkpas.audit.ca_properties.policy_id": "Oracle", + "cyberarkpas.audit.ca_properties.port": "1521", + "cyberarkpas.audit.ca_properties.privcloud": "privcloud", + "cyberarkpas.audit.ca_properties.retries_count": "-1", + "cyberarkpas.audit.ca_properties.tags": "Oracle;DB", + "cyberarkpas.audit.ca_properties.user_name": "HR", + "cyberarkpas.audit.desc": "SQL Command", + "cyberarkpas.audit.extra_details.command": "SELECT ATTRIBUTE,SCOPE,NUMERIC_VALUE,CHAR_VALUE,DATE_VALUE FROM SYSTEM.PRODUCT_PRIVS WHERE (UPPER('SQL*Plus') LIKE UPPER(PRODUCT)) AND (UPPER(USER) LIKE USERID)", + "cyberarkpas.audit.extra_details.connection_component_id": "PSM-SQLPlus", + "cyberarkpas.audit.extra_details.data_base": "XE", + "cyberarkpas.audit.extra_details.dst_host": "oracle.cybr.com", + "cyberarkpas.audit.extra_details.protocol": "SQLNet", + "cyberarkpas.audit.extra_details.psmid": "PSMServer", + "cyberarkpas.audit.extra_details.session_id": "0887c643-42f2-4a4f-806e-58c1689de0e6", + "cyberarkpas.audit.extra_details.sql_offset": "187B", + "cyberarkpas.audit.extra_details.src_host": "127.0.0.1", + "cyberarkpas.audit.extra_details.user": "HR", + "cyberarkpas.audit.extra_details.vid_offset": "4T", + "cyberarkpas.audit.file": "Root\\Database-Oracle-oracle.cybr.com-HR", + "cyberarkpas.audit.iso_timestamp": "2021-03-25T14:56:44Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "SQL Command", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 25 10:56:44\n 2021-03-25T14:56:44Z\n VLT01\n Cyber-Ark\n Vault\n 12.0.0000\n 359\n SQL Command\n Info\n Administrator\n SQL Command\n \n \n Oracle\n Root\\Database-Oracle-oracle.cybr.com-HR\n 10.0.0.15\n \n \n \n \n Command=SELECT ATTRIBUTE,SCOPE,NUMERIC_VALUE,CHAR_VALUE,DATE_VALUE FROM SYSTEM.PRODUCT_PRIVS WHERE (UPPER('SQL*Plus') LIKE UPPER(PRODUCT)) AND (UPPER(USER) LIKE USERID);ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=187B;SrcHost=127.0.0.1;User=HR;VIDOffset=4T;\n SQL Command\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "Oracle", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "10.0.0.15", + "cyberarkpas.audit.timestamp": "Mar 25 10:56:44", + "destination.address": "oracle.cybr.com", + "destination.domain": "oracle.cybr.com", + "destination.user.name": "HR", + "event.action": "sql command", + "event.category": [ + "database" + ], + "event.code": "359", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "access" + ], + "file.path": "Root\\Database-Oracle-oracle.cybr.com-HR", + "fileset.name": "audit", + "host.name": "VLT01", + "input.type": "log", + "log.offset": 7188, + "log.syslog.priority": "5", + "network.application": "sqlnet", + "observer.hostname": "VLT01", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "12.0.0000", + "related.ip": [ + "127.0.0.1", + "10.0.0.15" + ], + "related.user": [ + "Administrator", + "HR" + ], + "service.type": "cyberarkpas", + "source.address": "127.0.0.1", + "source.ip": "127.0.0.1", + "source.user.name": "Administrator", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "Administrator" + }, + { + "@timestamp": "2021-03-25T14:56:44.000Z", + "cyberarkpas.audit.action": "SQL Command", + "cyberarkpas.audit.ca_properties.address": "oracle.cybr.com", + "cyberarkpas.audit.ca_properties.cpm_status": "success", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.database": "XE", + "cyberarkpas.audit.ca_properties.device_type": "Database", + "cyberarkpas.audit.ca_properties.last_success_change": "1616011984", + "cyberarkpas.audit.ca_properties.last_success_verification": "1616580248", + "cyberarkpas.audit.ca_properties.last_task": "VerifyTask", + "cyberarkpas.audit.ca_properties.policy_id": "Oracle", + "cyberarkpas.audit.ca_properties.port": "1521", + "cyberarkpas.audit.ca_properties.privcloud": "privcloud", + "cyberarkpas.audit.ca_properties.retries_count": "-1", + "cyberarkpas.audit.ca_properties.tags": "Oracle;DB", + "cyberarkpas.audit.ca_properties.user_name": "HR", + "cyberarkpas.audit.desc": "SQL Command", + "cyberarkpas.audit.extra_details.command": "SELECT CHAR_VALUE FROM SYSTEM.PRODUCT_PRIVS WHERE (UPPER('SQL*Plus') LIKE UPPER(PRODUCT)) AND ((UPPER(USER) LIKE USERID) OR (USERID \\= 'PUBLIC')) AND (UPPER(ATTRIBUTE) \\= 'ROLES')", + "cyberarkpas.audit.extra_details.connection_component_id": "PSM-SQLPlus", + "cyberarkpas.audit.extra_details.data_base": "XE", + "cyberarkpas.audit.extra_details.dst_host": "oracle.cybr.com", + "cyberarkpas.audit.extra_details.protocol": "SQLNet", + "cyberarkpas.audit.extra_details.psmid": "PSMServer", + "cyberarkpas.audit.extra_details.session_id": "0887c643-42f2-4a4f-806e-58c1689de0e6", + "cyberarkpas.audit.extra_details.sql_offset": "380B", + "cyberarkpas.audit.extra_details.src_host": "127.0.0.1", + "cyberarkpas.audit.extra_details.user": "HR", + "cyberarkpas.audit.extra_details.vid_offset": "4T", + "cyberarkpas.audit.file": "Root\\Database-Oracle-oracle.cybr.com-HR", + "cyberarkpas.audit.iso_timestamp": "2021-03-25T14:56:44Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "SQL Command", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 25 10:56:44\n 2021-03-25T14:56:44Z\n VLT01\n Cyber-Ark\n Vault\n 12.0.0000\n 359\n SQL Command\n Info\n Administrator\n SQL Command\n \n \n Oracle\n Root\\Database-Oracle-oracle.cybr.com-HR\n 10.0.0.15\n \n \n \n \n Command=SELECT CHAR_VALUE FROM SYSTEM.PRODUCT_PRIVS WHERE (UPPER('SQL*Plus') LIKE UPPER(PRODUCT)) AND ((UPPER(USER) LIKE USERID) OR (USERID \\= 'PUBLIC')) AND (UPPER(ATTRIBUTE) \\= 'ROLES');ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=380B;SrcHost=127.0.0.1;User=HR;VIDOffset=4T;\n SQL Command\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "Oracle", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "10.0.0.15", + "cyberarkpas.audit.timestamp": "Mar 25 10:56:44", + "destination.address": "oracle.cybr.com", + "destination.domain": "oracle.cybr.com", + "destination.user.name": "HR", + "event.action": "sql command", + "event.category": [ + "database" + ], + "event.code": "359", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "access" + ], + "file.path": "Root\\Database-Oracle-oracle.cybr.com-HR", + "fileset.name": "audit", + "host.name": "VLT01", + "input.type": "log", + "log.offset": 11047, + "log.syslog.priority": "5", + "network.application": "sqlnet", + "observer.hostname": "VLT01", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "12.0.0000", + "related.ip": [ + "127.0.0.1", + "10.0.0.15" + ], + "related.user": [ + "Administrator", + "HR" + ], + "service.type": "cyberarkpas", + "source.address": "127.0.0.1", + "source.ip": "127.0.0.1", + "source.user.name": "Administrator", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "Administrator" + }, + { + "@timestamp": "2021-03-25T14:56:44.000Z", + "cyberarkpas.audit.action": "SQL Command", + "cyberarkpas.audit.ca_properties.address": "oracle.cybr.com", + "cyberarkpas.audit.ca_properties.cpm_status": "success", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.database": "XE", + "cyberarkpas.audit.ca_properties.device_type": "Database", + "cyberarkpas.audit.ca_properties.last_success_change": "1616011984", + "cyberarkpas.audit.ca_properties.last_success_verification": "1616580248", + "cyberarkpas.audit.ca_properties.last_task": "VerifyTask", + "cyberarkpas.audit.ca_properties.policy_id": "Oracle", + "cyberarkpas.audit.ca_properties.port": "1521", + "cyberarkpas.audit.ca_properties.privcloud": "privcloud", + "cyberarkpas.audit.ca_properties.retries_count": "-1", + "cyberarkpas.audit.ca_properties.tags": "Oracle;DB", + "cyberarkpas.audit.ca_properties.user_name": "HR", + "cyberarkpas.audit.desc": "SQL Command", + "cyberarkpas.audit.extra_details.command": "BEGIN DBMS_APPLICATION_INFO.SET_MODULE(:1,NULL)\\; END\\; (Parameters bound by position: 1\\=[SQL*Plus])", + "cyberarkpas.audit.extra_details.connection_component_id": "PSM-SQLPlus", + "cyberarkpas.audit.extra_details.data_base": "XE", + "cyberarkpas.audit.extra_details.dst_host": "oracle.cybr.com", + "cyberarkpas.audit.extra_details.protocol": "SQLNet", + "cyberarkpas.audit.extra_details.psmid": "PSMServer", + "cyberarkpas.audit.extra_details.session_id": "0887c643-42f2-4a4f-806e-58c1689de0e6", + "cyberarkpas.audit.extra_details.sql_offset": "596B", + "cyberarkpas.audit.extra_details.src_host": "127.0.0.1", + "cyberarkpas.audit.extra_details.user": "HR", + "cyberarkpas.audit.extra_details.vid_offset": "4T", + "cyberarkpas.audit.file": "Root\\Database-Oracle-oracle.cybr.com-HR", + "cyberarkpas.audit.iso_timestamp": "2021-03-25T14:56:44Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "SQL Command", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 25 10:56:44\n 2021-03-25T14:56:44Z\n VLT01\n Cyber-Ark\n Vault\n 12.0.0000\n 359\n SQL Command\n Info\n Administrator\n SQL Command\n \n \n Oracle\n Root\\Database-Oracle-oracle.cybr.com-HR\n 10.0.0.15\n \n \n \n \n Command=BEGIN DBMS_APPLICATION_INFO.SET_MODULE(:1,NULL)\\; END\\; (Parameters bound by position: 1\\=[SQL*Plus]);ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=596B;SrcHost=127.0.0.1;User=HR;VIDOffset=4T;\n SQL Command\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "Oracle", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "10.0.0.15", + "cyberarkpas.audit.timestamp": "Mar 25 10:56:44", + "destination.address": "oracle.cybr.com", + "destination.domain": "oracle.cybr.com", + "destination.user.name": "HR", + "event.action": "sql command", + "event.category": [ + "database" + ], + "event.code": "359", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "access" + ], + "file.path": "Root\\Database-Oracle-oracle.cybr.com-HR", + "fileset.name": "audit", + "host.name": "VLT01", + "input.type": "log", + "log.offset": 14960, + "log.syslog.priority": "5", + "network.application": "sqlnet", + "observer.hostname": "VLT01", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "12.0.0000", + "related.ip": [ + "127.0.0.1", + "10.0.0.15" + ], + "related.user": [ + "Administrator", + "HR" + ], + "service.type": "cyberarkpas", + "source.address": "127.0.0.1", + "source.ip": "127.0.0.1", + "source.user.name": "Administrator", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "Administrator" + }, + { + "@timestamp": "2021-03-25T14:56:45.000Z", + "cyberarkpas.audit.action": "SQL Command", + "cyberarkpas.audit.ca_properties.address": "oracle.cybr.com", + "cyberarkpas.audit.ca_properties.cpm_status": "success", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.database": "XE", + "cyberarkpas.audit.ca_properties.device_type": "Database", + "cyberarkpas.audit.ca_properties.last_success_change": "1616011984", + "cyberarkpas.audit.ca_properties.last_success_verification": "1616580248", + "cyberarkpas.audit.ca_properties.last_task": "VerifyTask", + "cyberarkpas.audit.ca_properties.policy_id": "Oracle", + "cyberarkpas.audit.ca_properties.port": "1521", + "cyberarkpas.audit.ca_properties.privcloud": "privcloud", + "cyberarkpas.audit.ca_properties.retries_count": "-1", + "cyberarkpas.audit.ca_properties.tags": "Oracle;DB", + "cyberarkpas.audit.ca_properties.user_name": "HR", + "cyberarkpas.audit.desc": "SQL Command", + "cyberarkpas.audit.extra_details.command": "SELECT DECODE('A','A','1','2') FROM DUAL", + "cyberarkpas.audit.extra_details.connection_component_id": "PSM-SQLPlus", + "cyberarkpas.audit.extra_details.data_base": "XE", + "cyberarkpas.audit.extra_details.dst_host": "oracle.cybr.com", + "cyberarkpas.audit.extra_details.protocol": "SQLNet", + "cyberarkpas.audit.extra_details.psmid": "PSMServer", + "cyberarkpas.audit.extra_details.session_id": "0887c643-42f2-4a4f-806e-58c1689de0e6", + "cyberarkpas.audit.extra_details.sql_offset": "727B", + "cyberarkpas.audit.extra_details.src_host": "127.0.0.1", + "cyberarkpas.audit.extra_details.user": "HR", + "cyberarkpas.audit.extra_details.vid_offset": "5T", + "cyberarkpas.audit.file": "Root\\Database-Oracle-oracle.cybr.com-HR", + "cyberarkpas.audit.iso_timestamp": "2021-03-25T14:56:45Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "SQL Command", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 25 10:56:45\n 2021-03-25T14:56:45Z\n VLT01\n Cyber-Ark\n Vault\n 12.0.0000\n 359\n SQL Command\n Info\n Administrator\n SQL Command\n \n \n Oracle\n Root\\Database-Oracle-oracle.cybr.com-HR\n 10.0.0.15\n \n \n \n \n Command=SELECT DECODE('A','A','1','2') FROM DUAL;ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=727B;SrcHost=127.0.0.1;User=HR;VIDOffset=5T;\n SQL Command\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "Oracle", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "10.0.0.15", + "cyberarkpas.audit.timestamp": "Mar 25 10:56:45", + "destination.address": "oracle.cybr.com", + "destination.domain": "oracle.cybr.com", + "destination.user.name": "HR", + "event.action": "sql command", + "event.category": [ + "database" + ], + "event.code": "359", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "access" + ], + "file.path": "Root\\Database-Oracle-oracle.cybr.com-HR", + "fileset.name": "audit", + "host.name": "VLT01", + "input.type": "log", + "log.offset": 18707, + "log.syslog.priority": "5", + "network.application": "sqlnet", + "observer.hostname": "VLT01", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "12.0.0000", + "related.ip": [ + "127.0.0.1", + "10.0.0.15" + ], + "related.user": [ + "Administrator", + "HR" + ], + "service.type": "cyberarkpas", + "source.address": "127.0.0.1", + "source.ip": "127.0.0.1", + "source.user.name": "Administrator", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "Administrator" + }, + { + "@timestamp": "2021-03-25T14:56:54.000Z", + "cyberarkpas.audit.action": "SQL Command", + "cyberarkpas.audit.ca_properties.address": "oracle.cybr.com", + "cyberarkpas.audit.ca_properties.cpm_status": "success", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.database": "XE", + "cyberarkpas.audit.ca_properties.device_type": "Database", + "cyberarkpas.audit.ca_properties.last_success_change": "1616011984", + "cyberarkpas.audit.ca_properties.last_success_verification": "1616580248", + "cyberarkpas.audit.ca_properties.last_task": "VerifyTask", + "cyberarkpas.audit.ca_properties.policy_id": "Oracle", + "cyberarkpas.audit.ca_properties.port": "1521", + "cyberarkpas.audit.ca_properties.privcloud": "privcloud", + "cyberarkpas.audit.ca_properties.retries_count": "-1", + "cyberarkpas.audit.ca_properties.tags": "Oracle;DB", + "cyberarkpas.audit.ca_properties.user_name": "HR", + "cyberarkpas.audit.desc": "SQL Command", + "cyberarkpas.audit.extra_details.command": "SELECT INFO FROM SYSTEM.HELP WHERE UPPER(TOPIC) LIKE :1 ORDER BY TOPIC,SEQ (Parameters bound by position: 1\\=[HELP])", + "cyberarkpas.audit.extra_details.connection_component_id": "PSM-SQLPlus", + "cyberarkpas.audit.extra_details.data_base": "XE", + "cyberarkpas.audit.extra_details.dst_host": "oracle.cybr.com", + "cyberarkpas.audit.extra_details.protocol": "SQLNet", + "cyberarkpas.audit.extra_details.psmid": "PSMServer", + "cyberarkpas.audit.extra_details.session_id": "0887c643-42f2-4a4f-806e-58c1689de0e6", + "cyberarkpas.audit.extra_details.sql_offset": "800B", + "cyberarkpas.audit.extra_details.src_host": "127.0.0.1", + "cyberarkpas.audit.extra_details.user": "HR", + "cyberarkpas.audit.extra_details.vid_offset": "14T", + "cyberarkpas.audit.file": "Root\\Database-Oracle-oracle.cybr.com-HR", + "cyberarkpas.audit.iso_timestamp": "2021-03-25T14:56:54Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "SQL Command", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 25 10:56:54\n 2021-03-25T14:56:54Z\n VLT01\n Cyber-Ark\n Vault\n 12.0.0000\n 359\n SQL Command\n Info\n Administrator\n SQL Command\n \n \n Oracle\n Root\\Database-Oracle-oracle.cybr.com-HR\n 10.0.0.15\n \n \n \n \n Command=SELECT INFO FROM SYSTEM.HELP WHERE UPPER(TOPIC) LIKE :1 ORDER BY TOPIC,SEQ (Parameters bound by position: 1\\=[HELP]);ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=800B;SrcHost=127.0.0.1;User=HR;VIDOffset=14T;\n SQL Command\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "Oracle", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "10.0.0.15", + "cyberarkpas.audit.timestamp": "Mar 25 10:56:54", + "destination.address": "oracle.cybr.com", + "destination.domain": "oracle.cybr.com", + "destination.user.name": "HR", + "event.action": "sql command", + "event.category": [ + "database" + ], + "event.code": "359", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "access" + ], + "file.path": "Root\\Database-Oracle-oracle.cybr.com-HR", + "fileset.name": "audit", + "host.name": "VLT01", + "input.type": "log", + "log.offset": 22326, + "log.syslog.priority": "5", + "network.application": "sqlnet", + "observer.hostname": "VLT01", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "12.0.0000", + "related.ip": [ + "127.0.0.1", + "10.0.0.15" + ], + "related.user": [ + "Administrator", + "HR" + ], + "service.type": "cyberarkpas", + "source.address": "127.0.0.1", + "source.ip": "127.0.0.1", + "source.user.name": "Administrator", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "Administrator" + }, + { + "@timestamp": "2021-03-25T14:58:02.000Z", + "cyberarkpas.audit.action": "SQL Command", + "cyberarkpas.audit.ca_properties.address": "oracle.cybr.com", + "cyberarkpas.audit.ca_properties.cpm_status": "success", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.database": "XE", + "cyberarkpas.audit.ca_properties.device_type": "Database", + "cyberarkpas.audit.ca_properties.last_success_change": "1616011984", + "cyberarkpas.audit.ca_properties.last_success_verification": "1616580248", + "cyberarkpas.audit.ca_properties.last_task": "VerifyTask", + "cyberarkpas.audit.ca_properties.policy_id": "Oracle", + "cyberarkpas.audit.ca_properties.port": "1521", + "cyberarkpas.audit.ca_properties.privcloud": "privcloud", + "cyberarkpas.audit.ca_properties.retries_count": "-1", + "cyberarkpas.audit.ca_properties.tags": "Oracle;DB", + "cyberarkpas.audit.ca_properties.user_name": "HR", + "cyberarkpas.audit.desc": "SQL Command", + "cyberarkpas.audit.extra_details.command": "SELECT * FROM DBA_USERS", + "cyberarkpas.audit.extra_details.connection_component_id": "PSM-SQLPlus", + "cyberarkpas.audit.extra_details.data_base": "XE", + "cyberarkpas.audit.extra_details.dst_host": "oracle.cybr.com", + "cyberarkpas.audit.extra_details.protocol": "SQLNet", + "cyberarkpas.audit.extra_details.psmid": "PSMServer", + "cyberarkpas.audit.extra_details.session_id": "0887c643-42f2-4a4f-806e-58c1689de0e6", + "cyberarkpas.audit.extra_details.sql_offset": "1097B", + "cyberarkpas.audit.extra_details.src_host": "127.0.0.1", + "cyberarkpas.audit.extra_details.user": "HR", + "cyberarkpas.audit.extra_details.vid_offset": "82T", + "cyberarkpas.audit.file": "Root\\Database-Oracle-oracle.cybr.com-HR", + "cyberarkpas.audit.iso_timestamp": "2021-03-25T14:58:02Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "SQL Command", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 25 10:58:02\n 2021-03-25T14:58:02Z\n VLT01\n Cyber-Ark\n Vault\n 12.0.0000\n 359\n SQL Command\n Info\n Administrator\n SQL Command\n \n \n Oracle\n Root\\Database-Oracle-oracle.cybr.com-HR\n 10.0.0.15\n \n \n \n \n Command=SELECT * FROM DBA_USERS;ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=1097B;SrcHost=127.0.0.1;User=HR;VIDOffset=82T;\n SQL Command\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "Oracle", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "10.0.0.15", + "cyberarkpas.audit.timestamp": "Mar 25 10:58:02", + "destination.address": "oracle.cybr.com", + "destination.domain": "oracle.cybr.com", + "destination.user.name": "HR", + "event.action": "sql command", + "event.category": [ + "database" + ], + "event.code": "359", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "access" + ], + "file.path": "Root\\Database-Oracle-oracle.cybr.com-HR", + "fileset.name": "audit", + "host.name": "VLT01", + "input.type": "log", + "log.offset": 26101, + "log.syslog.priority": "5", + "network.application": "sqlnet", + "observer.hostname": "VLT01", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "12.0.0000", + "related.ip": [ + "127.0.0.1", + "10.0.0.15" + ], + "related.user": [ + "Administrator", + "HR" + ], + "service.type": "cyberarkpas", + "source.address": "127.0.0.1", + "source.ip": "127.0.0.1", + "source.user.name": "Administrator", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "Administrator" + }, + { + "@timestamp": "2021-03-25T14:57:05.000Z", + "cyberarkpas.audit.action": "SQL Command", + "cyberarkpas.audit.ca_properties.address": "oracle.cybr.com", + "cyberarkpas.audit.ca_properties.cpm_status": "success", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.database": "XE", + "cyberarkpas.audit.ca_properties.device_type": "Database", + "cyberarkpas.audit.ca_properties.last_success_change": "1616011984", + "cyberarkpas.audit.ca_properties.last_success_verification": "1616580248", + "cyberarkpas.audit.ca_properties.last_task": "VerifyTask", + "cyberarkpas.audit.ca_properties.policy_id": "Oracle", + "cyberarkpas.audit.ca_properties.port": "1521", + "cyberarkpas.audit.ca_properties.privcloud": "privcloud", + "cyberarkpas.audit.ca_properties.retries_count": "-1", + "cyberarkpas.audit.ca_properties.tags": "Oracle;DB", + "cyberarkpas.audit.ca_properties.user_name": "HR", + "cyberarkpas.audit.desc": "SQL Command", + "cyberarkpas.audit.extra_details.command": "SELECT INFO FROM SYSTEM.HELP WHERE UPPER(TOPIC) LIKE :1 ORDER BY TOPIC,SEQ (Parameters bound by position: 1\\=[SHOW%])", + "cyberarkpas.audit.extra_details.connection_component_id": "PSM-SQLPlus", + "cyberarkpas.audit.extra_details.data_base": "XE", + "cyberarkpas.audit.extra_details.dst_host": "oracle.cybr.com", + "cyberarkpas.audit.extra_details.protocol": "SQLNet", + "cyberarkpas.audit.extra_details.psmid": "PSMServer", + "cyberarkpas.audit.extra_details.session_id": "0887c643-42f2-4a4f-806e-58c1689de0e6", + "cyberarkpas.audit.extra_details.sql_offset": "948B", + "cyberarkpas.audit.extra_details.src_host": "127.0.0.1", + "cyberarkpas.audit.extra_details.user": "HR", + "cyberarkpas.audit.extra_details.vid_offset": "25T", + "cyberarkpas.audit.file": "Root\\Database-Oracle-oracle.cybr.com-HR", + "cyberarkpas.audit.iso_timestamp": "2021-03-25T14:57:05Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "SQL Command", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 25 10:57:05\n 2021-03-25T14:57:05Z\n VLT01\n Cyber-Ark\n Vault\n 12.0.0000\n 359\n SQL Command\n Info\n Administrator\n SQL Command\n \n \n Oracle\n Root\\Database-Oracle-oracle.cybr.com-HR\n 10.0.0.15\n \n \n \n \n Command=SELECT INFO FROM SYSTEM.HELP WHERE UPPER(TOPIC) LIKE :1 ORDER BY TOPIC,SEQ (Parameters bound by position: 1\\=[SHOW%]);ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=948B;SrcHost=127.0.0.1;User=HR;VIDOffset=25T;\n SQL Command\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "Oracle", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "10.0.0.15", + "cyberarkpas.audit.timestamp": "Mar 25 10:57:05", + "destination.address": "oracle.cybr.com", + "destination.domain": "oracle.cybr.com", + "destination.user.name": "HR", + "event.action": "sql command", + "event.category": [ + "database" + ], + "event.code": "359", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "access" + ], + "file.path": "Root\\Database-Oracle-oracle.cybr.com-HR", + "fileset.name": "audit", + "host.name": "VLT01", + "input.type": "log", + "log.offset": 29690, + "log.syslog.priority": "5", + "network.application": "sqlnet", + "observer.hostname": "VLT01", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "12.0.0000", + "related.ip": [ + "127.0.0.1", + "10.0.0.15" + ], + "related.user": [ + "Administrator", + "HR" + ], + "service.type": "cyberarkpas", + "source.address": "127.0.0.1", + "source.ip": "127.0.0.1", + "source.user.name": "Administrator", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "Administrator" + }, + { + "@timestamp": "2021-03-25T14:58:44.000Z", + "cyberarkpas.audit.action": "SQL Command", + "cyberarkpas.audit.ca_properties.address": "oracle.cybr.com", + "cyberarkpas.audit.ca_properties.cpm_status": "success", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.database": "XE", + "cyberarkpas.audit.ca_properties.device_type": "Database", + "cyberarkpas.audit.ca_properties.last_success_change": "1616011984", + "cyberarkpas.audit.ca_properties.last_success_verification": "1616580248", + "cyberarkpas.audit.ca_properties.last_task": "VerifyTask", + "cyberarkpas.audit.ca_properties.policy_id": "Oracle", + "cyberarkpas.audit.ca_properties.port": "1521", + "cyberarkpas.audit.ca_properties.privcloud": "privcloud", + "cyberarkpas.audit.ca_properties.retries_count": "-1", + "cyberarkpas.audit.ca_properties.tags": "Oracle;DB", + "cyberarkpas.audit.ca_properties.user_name": "HR", + "cyberarkpas.audit.desc": "SQL Command", + "cyberarkpas.audit.extra_details.command": "select distinct owner from all_objects", + "cyberarkpas.audit.extra_details.connection_component_id": "PSM-SQLPlus", + "cyberarkpas.audit.extra_details.data_base": "XE", + "cyberarkpas.audit.extra_details.dst_host": "oracle.cybr.com", + "cyberarkpas.audit.extra_details.protocol": "SQLNet", + "cyberarkpas.audit.extra_details.psmid": "PSMServer", + "cyberarkpas.audit.extra_details.session_id": "0887c643-42f2-4a4f-806e-58c1689de0e6", + "cyberarkpas.audit.extra_details.sql_offset": "1153B", + "cyberarkpas.audit.extra_details.src_host": "127.0.0.1", + "cyberarkpas.audit.extra_details.user": "HR", + "cyberarkpas.audit.extra_details.vid_offset": "124T", + "cyberarkpas.audit.file": "Root\\Database-Oracle-oracle.cybr.com-HR", + "cyberarkpas.audit.iso_timestamp": "2021-03-25T14:58:44Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "SQL Command", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 25 10:58:44\n 2021-03-25T14:58:44Z\n VLT01\n Cyber-Ark\n Vault\n 12.0.0000\n 359\n SQL Command\n Info\n Administrator\n SQL Command\n \n \n Oracle\n Root\\Database-Oracle-oracle.cybr.com-HR\n 10.0.0.15\n \n \n \n \n Command=select distinct owner from all_objects;ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=1153B;SrcHost=127.0.0.1;User=HR;VIDOffset=124T;\n SQL Command\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "Oracle", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "10.0.0.15", + "cyberarkpas.audit.timestamp": "Mar 25 10:58:44", + "destination.address": "oracle.cybr.com", + "destination.domain": "oracle.cybr.com", + "destination.user.name": "HR", + "event.action": "sql command", + "event.category": [ + "database" + ], + "event.code": "359", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "access" + ], + "file.path": "Root\\Database-Oracle-oracle.cybr.com-HR", + "fileset.name": "audit", + "host.name": "VLT01", + "input.type": "log", + "log.offset": 33467, + "log.syslog.priority": "5", + "network.application": "sqlnet", + "observer.hostname": "VLT01", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "12.0.0000", + "related.ip": [ + "127.0.0.1", + "10.0.0.15" + ], + "related.user": [ + "Administrator", + "HR" + ], + "service.type": "cyberarkpas", + "source.address": "127.0.0.1", + "source.ip": "127.0.0.1", + "source.user.name": "Administrator", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "Administrator" + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/361_keystroke_logging.log b/x-pack/filebeat/module/cyberarkpas/audit/test/361_keystroke_logging.log new file mode 100644 index 00000000000..6c959f21d65 --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/361_keystroke_logging.log @@ -0,0 +1,7 @@ +{"format":"elastic","version":"1.0","raw":"\n \n no\n Cyber-Ark\n Vault\n 11.6.0000\n 361\n Keystroke logging\n Info\n Administrator\n Keystroke logging\n \n \n Linux\n Root\\Operating System-LINUX-SSH-radiussrv.cyberark.local-admin2\n 10.2.0.7\n \n \n \n \n Command=ls \"/var/tmp\";ConnectionComponentId=PSMP-SSH;DstHost=radiussrv.cyberark.local;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=499852f2-22b5-11eb-8bff-000c297aae88;SrcHost=10.2.0.6;SSHOffset=3642B;User=admin2;VIDOffset=125T;\n Keystroke logging\n \n \n \n \n \n \n \n \n \n \n \n","syslog":{"audit_record":{"Rfc5424":"no","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.6.0000","MessageID":"361","IsoTimestamp":"2021-03-16T15:01:00Z","Desc":"Keystroke logging","Severity":"Info","Issuer":"Administrator","Action":"Keystroke logging","SourceUser":"","TargetUser":"","Safe":"Linux","File":"Root\\Operating System-LINUX-SSH-radiussrv.cyberark.local-admin2","Station":"10.2.0.7","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"Command=ls \"/var/tmp\";ConnectionComponentId=PSMP-SSH;DstHost=radiussrv.cyberark.local;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=499852f2-22b5-11eb-8bff-000c297aae88;SrcHost=10.2.0.6;SSHOffset=3642B;User=admin2;VIDOffset=125T;","Message":"Keystroke logging","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"LINUX-SSH"},{"Name":"UserName","Value":"admin2"},{"Name":"Address","Value":"radiussrv.cyberark.local"},{"Name":"DeviceType","Value":"Operating System"},{"Name":"CPMDisabled","Value":"No Reason"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"Customer","Value":"Tesla"}]}}}} +<5>1 2021-03-14T13:49:49Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 06:49:49\n 2021-03-14T13:49:49Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 361\n Keystroke logging\n Info\n Administrator\n Keystroke logging\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 34.71.250.247\n \n \n \n \n Command=sudo su;ConnectionComponentId=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=d284c268-2ba0-4366-af52-e33459b073a1;SrcHost=81.32.170.205;SSHOffset=1309B;User=testark;VIDOffset=10T;\n Keystroke logging\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 06:49:49","IsoTimestamp":"2021-03-14T13:49:49Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"361","Desc":"Keystroke logging","Severity":"Info","Issuer":"Administrator","Action":"Keystroke logging","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-34.123.103.115-testark","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"Command=sudo su;ConnectionComponentId=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=d284c268-2ba0-4366-af52-e33459b073a1;SrcHost=81.32.170.205;SSHOffset=1309B;User=testark;VIDOffset=10T;","Message":"Keystroke logging","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastFailDate","Value":"1615729572"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"CPMErrorDetails","Value":"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-15T10:32:04Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 03:32:04\n 2021-03-15T10:32:04Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 361\n Keystroke logging\n Info\n Administrator\n Keystroke logging\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 34.71.250.247\n \n \n \n \n Command=sudo su;ConnectionComponentId=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=29f340df-89e9-405a-beae-0216390cda42;SrcHost=81.32.170.205;SSHOffset=1312B;User=testark;VIDOffset=6T;\n Keystroke logging\n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 03:32:04","IsoTimestamp":"2021-03-15T10:32:04Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"361","Desc":"Keystroke logging","Severity":"Info","Issuer":"Administrator","Action":"Keystroke logging","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-34.123.103.115-testark","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"Command=sudo su;ConnectionComponentId=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=29f340df-89e9-405a-beae-0216390cda42;SrcHost=81.32.170.205;SSHOffset=1312B;User=testark;VIDOffset=6T;","Message":"Keystroke logging","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CPMStatus","Value":"success"},{"Name":"RetriesCount","Value":"-1"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"LastSuccessVerification","Value":"1615803764"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-15T10:33:47Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 03:33:47\n 2021-03-15T10:33:47Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 361\n Keystroke logging\n Info\n Administrator\n Keystroke logging\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 34.71.250.247\n \n \n \n \n Command=sudo su;ConnectionComponentId=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=f1654cf8-8ce5-472a-8205-ba731b0fab46;SrcHost=81.32.170.205;SSHOffset=1309B;User=testark;VIDOffset=7T;\n Keystroke logging\n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 03:33:47","IsoTimestamp":"2021-03-15T10:33:47Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"361","Desc":"Keystroke logging","Severity":"Info","Issuer":"Administrator","Action":"Keystroke logging","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-34.123.103.115-testark","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"Command=sudo su;ConnectionComponentId=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=f1654cf8-8ce5-472a-8205-ba731b0fab46;SrcHost=81.32.170.205;SSHOffset=1309B;User=testark;VIDOffset=7T;","Message":"Keystroke logging","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CPMStatus","Value":"success"},{"Name":"RetriesCount","Value":"-1"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"LastSuccessVerification","Value":"1615803764"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-15T10:35:08Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 03:35:08\n 2021-03-15T10:35:08Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 361\n Keystroke logging\n Info\n Administrator\n Keystroke logging\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 34.71.250.247\n \n \n \n \n Command=sudo su;ConnectionComponentId=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=8b3d0b38-aef5-49d9-bdd7-d57706887d8b;SrcHost=81.32.170.205;SSHOffset=1309B;User=testark;VIDOffset=7T;\n Keystroke logging\n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 03:35:08","IsoTimestamp":"2021-03-15T10:35:08Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"361","Desc":"Keystroke logging","Severity":"Info","Issuer":"Administrator","Action":"Keystroke logging","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-34.123.103.115-testark","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"Command=sudo su;ConnectionComponentId=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=8b3d0b38-aef5-49d9-bdd7-d57706887d8b;SrcHost=81.32.170.205;SSHOffset=1309B;User=testark;VIDOffset=7T;","Message":"Keystroke logging","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CPMStatus","Value":"success"},{"Name":"RetriesCount","Value":"-1"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"LastSuccessVerification","Value":"1615803764"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-15T14:11:18Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 07:11:18\n 2021-03-15T14:11:18Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 361\n Keystroke logging\n Info\n Administrator\n Keystroke logging\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 34.71.250.247\n \n \n \n \n Command=sudo su;ConnectionComponentId=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=27f74dce-f5d5-4c94-bf99-ca6aafe2c518;SrcHost=81.32.170.205;SSHOffset=1309B;User=testark;VIDOffset=8T;\n Keystroke logging\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 07:11:18","IsoTimestamp":"2021-03-15T14:11:18Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"361","Desc":"Keystroke logging","Severity":"Info","Issuer":"Administrator","Action":"Keystroke logging","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-34.123.103.115-testark","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"Command=sudo su;ConnectionComponentId=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=27f74dce-f5d5-4c94-bf99-ca6aafe2c518;SrcHost=81.32.170.205;SSHOffset=1309B;User=testark;VIDOffset=8T;","Message":"Keystroke logging","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastFailDate","Value":"1615814025"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"LastSuccessVerification","Value":"1615803764"},{"Name":"CPMErrorDetails","Value":"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"},{"Name":"UseSudoOnReconcile","Value":"Yes"}]}}}} +<5>1 2021-03-15T14:45:51Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 07:45:51\n 2021-03-15T14:45:51Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 361\n Keystroke logging\n Info\n Administrator\n Keystroke logging\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 34.71.250.247\n \n \n \n \n Command=(reverse-i-search)`grant': grant all privileges on *.* TO 'root'@'%' with grant option\\;;ConnectionComponentId=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=27f74dce-f5d5-4c94-bf99-ca6aafe2c518;SrcHost=81.32.170.205;SSHOffset=296291B;User=testark;VIDOffset=2081T;\n Keystroke logging\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 07:45:51","IsoTimestamp":"2021-03-15T14:45:51Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"361","Desc":"Keystroke logging","Severity":"Info","Issuer":"Administrator","Action":"Keystroke logging","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-34.123.103.115-testark","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"Command=(reverse-i-search)`grant': grant all privileges on *.* TO 'root'@'%' with grant option\\;;ConnectionComponentId=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=27f74dce-f5d5-4c94-bf99-ca6aafe2c518;SrcHost=81.32.170.205;SSHOffset=296291B;User=testark;VIDOffset=2081T;","Message":"Keystroke logging","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"1"},{"Name":"LastFailDate","Value":"1615819476"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"LastSuccessVerification","Value":"1615803764"},{"Name":"CPMErrorDetails","Value":"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"},{"Name":"UseSudoOnReconcile","Value":"Yes"}]}}}} diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/361_keystroke_logging.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/361_keystroke_logging.log-expected.json new file mode 100644 index 00000000000..2824c5c7f3e --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/361_keystroke_logging.log-expected.json @@ -0,0 +1,649 @@ +[ + { + "@timestamp": "2021-03-16T15:01:00.000Z", + "cyberarkpas.audit.action": "Keystroke logging", + "cyberarkpas.audit.ca_properties.address": "radiussrv.cyberark.local", + "cyberarkpas.audit.ca_properties.cpm_disabled": "No Reason", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.customer": "Tesla", + "cyberarkpas.audit.ca_properties.device_type": "Operating System", + "cyberarkpas.audit.ca_properties.policy_id": "LINUX-SSH", + "cyberarkpas.audit.ca_properties.user_name": "admin2", + "cyberarkpas.audit.desc": "Keystroke logging", + "cyberarkpas.audit.extra_details.command": "ls \"/var/tmp\"", + "cyberarkpas.audit.extra_details.connection_component_id": "PSMP-SSH", + "cyberarkpas.audit.extra_details.dst_host": "radiussrv.cyberark.local", + "cyberarkpas.audit.extra_details.managed_account": "Yes", + "cyberarkpas.audit.extra_details.protocol": "SSH", + "cyberarkpas.audit.extra_details.psmid": "PSMServer", + "cyberarkpas.audit.extra_details.session_id": "499852f2-22b5-11eb-8bff-000c297aae88", + "cyberarkpas.audit.extra_details.src_host": "10.2.0.6", + "cyberarkpas.audit.extra_details.ssh_offset": "3642B", + "cyberarkpas.audit.extra_details.user": "admin2", + "cyberarkpas.audit.extra_details.vid_offset": "125T", + "cyberarkpas.audit.file": "Root\\Operating System-LINUX-SSH-radiussrv.cyberark.local-admin2", + "cyberarkpas.audit.iso_timestamp": "2021-03-16T15:01:00Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Keystroke logging", + "cyberarkpas.audit.raw": "\n \n no\n Cyber-Ark\n Vault\n 11.6.0000\n 361\n Keystroke logging\n Info\n Administrator\n Keystroke logging\n \n \n Linux\n Root\\Operating System-LINUX-SSH-radiussrv.cyberark.local-admin2\n 10.2.0.7\n \n \n \n \n Command=ls \"/var/tmp\";ConnectionComponentId=PSMP-SSH;DstHost=radiussrv.cyberark.local;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=499852f2-22b5-11eb-8bff-000c297aae88;SrcHost=10.2.0.6;SSHOffset=3642B;User=admin2;VIDOffset=125T;\n Keystroke logging\n \n \n \n \n \n \n \n \n \n \n \n", + "cyberarkpas.audit.rfc5424": false, + "cyberarkpas.audit.safe": "Linux", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "10.2.0.7", + "destination.address": "radiussrv.cyberark.local", + "destination.domain": "radiussrv.cyberark.local", + "destination.user.name": "admin2", + "event.action": "keystroke logging", + "event.category": [ + "session" + ], + "event.code": "361", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "file.path": "Root\\Operating System-LINUX-SSH-radiussrv.cyberark.local-admin2", + "fileset.name": "audit", + "input.type": "log", + "log.offset": 0, + "network.application": "ssh", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.6.0000", + "related.ip": [ + "10.2.0.6", + "10.2.0.7" + ], + "related.user": [ + "Administrator", + "admin2" + ], + "service.type": "cyberarkpas", + "source.address": "10.2.0.6", + "source.ip": "10.2.0.6", + "source.user.name": "Administrator", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "Administrator" + }, + { + "@timestamp": "2021-03-14T13:49:49.000Z", + "cyberarkpas.audit.action": "Keystroke logging", + "cyberarkpas.audit.ca_properties.address": "34.123.103.115", + "cyberarkpas.audit.ca_properties.cpm_error_details": "First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031", + "cyberarkpas.audit.ca_properties.cpm_status": "failure", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.device_type": "Operating System", + "cyberarkpas.audit.ca_properties.last_fail_date": "1615729572", + "cyberarkpas.audit.ca_properties.last_task": "ReconcileTask", + "cyberarkpas.audit.ca_properties.policy_id": "UnixSSH", + "cyberarkpas.audit.ca_properties.reset_immediately": "ReconcileTask", + "cyberarkpas.audit.ca_properties.retries_count": "0", + "cyberarkpas.audit.ca_properties.user_name": "testark", + "cyberarkpas.audit.desc": "Keystroke logging", + "cyberarkpas.audit.extra_details.command": "sudo su", + "cyberarkpas.audit.extra_details.connection_component_id": "PSMP-SSH", + "cyberarkpas.audit.extra_details.dst_host": "34.123.103.115", + "cyberarkpas.audit.extra_details.managed_account": "Yes", + "cyberarkpas.audit.extra_details.protocol": "SSH", + "cyberarkpas.audit.extra_details.psmid": "PSMServer", + "cyberarkpas.audit.extra_details.session_id": "d284c268-2ba0-4366-af52-e33459b073a1", + "cyberarkpas.audit.extra_details.src_host": "81.32.170.205", + "cyberarkpas.audit.extra_details.ssh_offset": "1309B", + "cyberarkpas.audit.extra_details.user": "testark", + "cyberarkpas.audit.extra_details.vid_offset": "10T", + "cyberarkpas.audit.file": "Root\\Operating System-UnixSSH-34.123.103.115-testark", + "cyberarkpas.audit.iso_timestamp": "2021-03-14T13:49:49Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Keystroke logging", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 14 06:49:49\n 2021-03-14T13:49:49Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 361\n Keystroke logging\n Info\n Administrator\n Keystroke logging\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 34.71.250.247\n \n \n \n \n Command=sudo su;ConnectionComponentId=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=d284c268-2ba0-4366-af52-e33459b073a1;SrcHost=81.32.170.205;SSHOffset=1309B;User=testark;VIDOffset=10T;\n Keystroke logging\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "partner", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "34.71.250.247", + "cyberarkpas.audit.timestamp": "Mar 14 06:49:49", + "destination.address": "34.123.103.115", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "34.123.103.115", + "destination.user.name": "testark", + "event.action": "keystroke logging", + "event.category": [ + "session" + ], + "event.code": "361", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "file.path": "Root\\Operating System-UnixSSH-34.123.103.115-testark", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 2724, + "log.syslog.priority": "5", + "network.application": "ssh", + "network.direction": "external", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205", + "34.123.103.115", + "34.71.250.247" + ], + "related.user": [ + "Administrator", + "testark" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "source.user.name": "Administrator", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "Administrator" + }, + { + "@timestamp": "2021-03-15T10:32:04.000Z", + "cyberarkpas.audit.action": "Keystroke logging", + "cyberarkpas.audit.ca_properties.address": "34.123.103.115", + "cyberarkpas.audit.ca_properties.cpm_status": "success", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.device_type": "Operating System", + "cyberarkpas.audit.ca_properties.last_success_verification": "1615803764", + "cyberarkpas.audit.ca_properties.last_task": "VerifyTask", + "cyberarkpas.audit.ca_properties.policy_id": "UnixSSH", + "cyberarkpas.audit.ca_properties.retries_count": "-1", + "cyberarkpas.audit.ca_properties.user_name": "testark", + "cyberarkpas.audit.desc": "Keystroke logging", + "cyberarkpas.audit.extra_details.command": "sudo su", + "cyberarkpas.audit.extra_details.connection_component_id": "PSMP-SSH", + "cyberarkpas.audit.extra_details.dst_host": "34.123.103.115", + "cyberarkpas.audit.extra_details.managed_account": "Yes", + "cyberarkpas.audit.extra_details.protocol": "SSH", + "cyberarkpas.audit.extra_details.psmid": "PSMServer", + "cyberarkpas.audit.extra_details.session_id": "29f340df-89e9-405a-beae-0216390cda42", + "cyberarkpas.audit.extra_details.src_host": "81.32.170.205", + "cyberarkpas.audit.extra_details.ssh_offset": "1312B", + "cyberarkpas.audit.extra_details.user": "testark", + "cyberarkpas.audit.extra_details.vid_offset": "6T", + "cyberarkpas.audit.file": "Root\\Operating System-UnixSSH-34.123.103.115-testark", + "cyberarkpas.audit.iso_timestamp": "2021-03-15T10:32:04Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Keystroke logging", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 15 03:32:04\n 2021-03-15T10:32:04Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 361\n Keystroke logging\n Info\n Administrator\n Keystroke logging\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 34.71.250.247\n \n \n \n \n Command=sudo su;ConnectionComponentId=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=29f340df-89e9-405a-beae-0216390cda42;SrcHost=81.32.170.205;SSHOffset=1312B;User=testark;VIDOffset=6T;\n Keystroke logging\n \n \n \n \n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "partner", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "34.71.250.247", + "cyberarkpas.audit.timestamp": "Mar 15 03:32:04", + "destination.address": "34.123.103.115", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "34.123.103.115", + "destination.user.name": "testark", + "event.action": "keystroke logging", + "event.category": [ + "session" + ], + "event.code": "361", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "file.path": "Root\\Operating System-UnixSSH-34.123.103.115-testark", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 6380, + "log.syslog.priority": "5", + "network.application": "ssh", + "network.direction": "external", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205", + "34.123.103.115", + "34.71.250.247" + ], + "related.user": [ + "Administrator", + "testark" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "source.user.name": "Administrator", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "Administrator" + }, + { + "@timestamp": "2021-03-15T10:33:47.000Z", + "cyberarkpas.audit.action": "Keystroke logging", + "cyberarkpas.audit.ca_properties.address": "34.123.103.115", + "cyberarkpas.audit.ca_properties.cpm_status": "success", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.device_type": "Operating System", + "cyberarkpas.audit.ca_properties.last_success_verification": "1615803764", + "cyberarkpas.audit.ca_properties.last_task": "VerifyTask", + "cyberarkpas.audit.ca_properties.policy_id": "UnixSSH", + "cyberarkpas.audit.ca_properties.retries_count": "-1", + "cyberarkpas.audit.ca_properties.user_name": "testark", + "cyberarkpas.audit.desc": "Keystroke logging", + "cyberarkpas.audit.extra_details.command": "sudo su", + "cyberarkpas.audit.extra_details.connection_component_id": "PSMP-SSH", + "cyberarkpas.audit.extra_details.dst_host": "34.123.103.115", + "cyberarkpas.audit.extra_details.managed_account": "Yes", + "cyberarkpas.audit.extra_details.protocol": "SSH", + "cyberarkpas.audit.extra_details.psmid": "PSMServer", + "cyberarkpas.audit.extra_details.session_id": "f1654cf8-8ce5-472a-8205-ba731b0fab46", + "cyberarkpas.audit.extra_details.src_host": "81.32.170.205", + "cyberarkpas.audit.extra_details.ssh_offset": "1309B", + "cyberarkpas.audit.extra_details.user": "testark", + "cyberarkpas.audit.extra_details.vid_offset": "7T", + "cyberarkpas.audit.file": "Root\\Operating System-UnixSSH-34.123.103.115-testark", + "cyberarkpas.audit.iso_timestamp": "2021-03-15T10:33:47Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Keystroke logging", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 15 03:33:47\n 2021-03-15T10:33:47Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 361\n Keystroke logging\n Info\n Administrator\n Keystroke logging\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 34.71.250.247\n \n \n \n \n Command=sudo su;ConnectionComponentId=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=f1654cf8-8ce5-472a-8205-ba731b0fab46;SrcHost=81.32.170.205;SSHOffset=1309B;User=testark;VIDOffset=7T;\n Keystroke logging\n \n \n \n \n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "partner", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "34.71.250.247", + "cyberarkpas.audit.timestamp": "Mar 15 03:33:47", + "destination.address": "34.123.103.115", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "34.123.103.115", + "destination.user.name": "testark", + "event.action": "keystroke logging", + "event.category": [ + "session" + ], + "event.code": "361", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "file.path": "Root\\Operating System-UnixSSH-34.123.103.115-testark", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 9514, + "log.syslog.priority": "5", + "network.application": "ssh", + "network.direction": "external", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205", + "34.123.103.115", + "34.71.250.247" + ], + "related.user": [ + "Administrator", + "testark" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "source.user.name": "Administrator", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "Administrator" + }, + { + "@timestamp": "2021-03-15T10:35:08.000Z", + "cyberarkpas.audit.action": "Keystroke logging", + "cyberarkpas.audit.ca_properties.address": "34.123.103.115", + "cyberarkpas.audit.ca_properties.cpm_status": "success", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.device_type": "Operating System", + "cyberarkpas.audit.ca_properties.last_success_verification": "1615803764", + "cyberarkpas.audit.ca_properties.last_task": "VerifyTask", + "cyberarkpas.audit.ca_properties.policy_id": "UnixSSH", + "cyberarkpas.audit.ca_properties.retries_count": "-1", + "cyberarkpas.audit.ca_properties.user_name": "testark", + "cyberarkpas.audit.desc": "Keystroke logging", + "cyberarkpas.audit.extra_details.command": "sudo su", + "cyberarkpas.audit.extra_details.connection_component_id": "PSMP-SSH", + "cyberarkpas.audit.extra_details.dst_host": "34.123.103.115", + "cyberarkpas.audit.extra_details.managed_account": "Yes", + "cyberarkpas.audit.extra_details.protocol": "SSH", + "cyberarkpas.audit.extra_details.psmid": "PSMServer", + "cyberarkpas.audit.extra_details.session_id": "8b3d0b38-aef5-49d9-bdd7-d57706887d8b", + "cyberarkpas.audit.extra_details.src_host": "81.32.170.205", + "cyberarkpas.audit.extra_details.ssh_offset": "1309B", + "cyberarkpas.audit.extra_details.user": "testark", + "cyberarkpas.audit.extra_details.vid_offset": "7T", + "cyberarkpas.audit.file": "Root\\Operating System-UnixSSH-34.123.103.115-testark", + "cyberarkpas.audit.iso_timestamp": "2021-03-15T10:35:08Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Keystroke logging", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 15 03:35:08\n 2021-03-15T10:35:08Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 361\n Keystroke logging\n Info\n Administrator\n Keystroke logging\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 34.71.250.247\n \n \n \n \n Command=sudo su;ConnectionComponentId=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=8b3d0b38-aef5-49d9-bdd7-d57706887d8b;SrcHost=81.32.170.205;SSHOffset=1309B;User=testark;VIDOffset=7T;\n Keystroke logging\n \n \n \n \n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "partner", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "34.71.250.247", + "cyberarkpas.audit.timestamp": "Mar 15 03:35:08", + "destination.address": "34.123.103.115", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "34.123.103.115", + "destination.user.name": "testark", + "event.action": "keystroke logging", + "event.category": [ + "session" + ], + "event.code": "361", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "file.path": "Root\\Operating System-UnixSSH-34.123.103.115-testark", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 12648, + "log.syslog.priority": "5", + "network.application": "ssh", + "network.direction": "external", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205", + "34.123.103.115", + "34.71.250.247" + ], + "related.user": [ + "Administrator", + "testark" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "source.user.name": "Administrator", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "Administrator" + }, + { + "@timestamp": "2021-03-15T14:11:18.000Z", + "cyberarkpas.audit.action": "Keystroke logging", + "cyberarkpas.audit.ca_properties.address": "34.123.103.115", + "cyberarkpas.audit.ca_properties.cpm_error_details": "First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031", + "cyberarkpas.audit.ca_properties.cpm_status": "failure", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.device_type": "Operating System", + "cyberarkpas.audit.ca_properties.last_fail_date": "1615814025", + "cyberarkpas.audit.ca_properties.last_success_verification": "1615803764", + "cyberarkpas.audit.ca_properties.last_task": "ReconcileTask", + "cyberarkpas.audit.ca_properties.policy_id": "UnixSSH", + "cyberarkpas.audit.ca_properties.reset_immediately": "ReconcileTask", + "cyberarkpas.audit.ca_properties.retries_count": "0", + "cyberarkpas.audit.ca_properties.use_sudo_on_reconcile": "Yes", + "cyberarkpas.audit.ca_properties.user_name": "testark", + "cyberarkpas.audit.desc": "Keystroke logging", + "cyberarkpas.audit.extra_details.command": "sudo su", + "cyberarkpas.audit.extra_details.connection_component_id": "PSMP-SSH", + "cyberarkpas.audit.extra_details.dst_host": "34.123.103.115", + "cyberarkpas.audit.extra_details.managed_account": "Yes", + "cyberarkpas.audit.extra_details.protocol": "SSH", + "cyberarkpas.audit.extra_details.psmid": "PSMServer", + "cyberarkpas.audit.extra_details.session_id": "27f74dce-f5d5-4c94-bf99-ca6aafe2c518", + "cyberarkpas.audit.extra_details.src_host": "81.32.170.205", + "cyberarkpas.audit.extra_details.ssh_offset": "1309B", + "cyberarkpas.audit.extra_details.user": "testark", + "cyberarkpas.audit.extra_details.vid_offset": "8T", + "cyberarkpas.audit.file": "Root\\Operating System-UnixSSH-34.123.103.115-testark", + "cyberarkpas.audit.iso_timestamp": "2021-03-15T14:11:18Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Keystroke logging", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 15 07:11:18\n 2021-03-15T14:11:18Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 361\n Keystroke logging\n Info\n Administrator\n Keystroke logging\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 34.71.250.247\n \n \n \n \n Command=sudo su;ConnectionComponentId=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=27f74dce-f5d5-4c94-bf99-ca6aafe2c518;SrcHost=81.32.170.205;SSHOffset=1309B;User=testark;VIDOffset=8T;\n Keystroke logging\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "partner", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "34.71.250.247", + "cyberarkpas.audit.timestamp": "Mar 15 07:11:18", + "destination.address": "34.123.103.115", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "34.123.103.115", + "destination.user.name": "testark", + "event.action": "keystroke logging", + "event.category": [ + "session" + ], + "event.code": "361", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "file.path": "Root\\Operating System-UnixSSH-34.123.103.115-testark", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 15782, + "log.syslog.priority": "5", + "network.application": "ssh", + "network.direction": "external", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205", + "34.123.103.115", + "34.71.250.247" + ], + "related.user": [ + "Administrator", + "testark" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "source.user.name": "Administrator", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "Administrator" + }, + { + "@timestamp": "2021-03-15T14:45:51.000Z", + "cyberarkpas.audit.action": "Keystroke logging", + "cyberarkpas.audit.ca_properties.address": "34.123.103.115", + "cyberarkpas.audit.ca_properties.cpm_error_details": "First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031", + "cyberarkpas.audit.ca_properties.cpm_status": "failure", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.device_type": "Operating System", + "cyberarkpas.audit.ca_properties.last_fail_date": "1615819476", + "cyberarkpas.audit.ca_properties.last_success_verification": "1615803764", + "cyberarkpas.audit.ca_properties.last_task": "ReconcileTask", + "cyberarkpas.audit.ca_properties.policy_id": "UnixSSH", + "cyberarkpas.audit.ca_properties.reset_immediately": "ReconcileTask", + "cyberarkpas.audit.ca_properties.retries_count": "1", + "cyberarkpas.audit.ca_properties.use_sudo_on_reconcile": "Yes", + "cyberarkpas.audit.ca_properties.user_name": "testark", + "cyberarkpas.audit.desc": "Keystroke logging", + "cyberarkpas.audit.extra_details.command": "(reverse-i-search)`grant': grant all privileges on *.* TO 'root'@'%' with grant option\\;", + "cyberarkpas.audit.extra_details.connection_component_id": "PSMP-SSH", + "cyberarkpas.audit.extra_details.dst_host": "34.123.103.115", + "cyberarkpas.audit.extra_details.managed_account": "Yes", + "cyberarkpas.audit.extra_details.protocol": "SSH", + "cyberarkpas.audit.extra_details.psmid": "PSMServer", + "cyberarkpas.audit.extra_details.session_id": "27f74dce-f5d5-4c94-bf99-ca6aafe2c518", + "cyberarkpas.audit.extra_details.src_host": "81.32.170.205", + "cyberarkpas.audit.extra_details.ssh_offset": "296291B", + "cyberarkpas.audit.extra_details.user": "testark", + "cyberarkpas.audit.extra_details.vid_offset": "2081T", + "cyberarkpas.audit.file": "Root\\Operating System-UnixSSH-34.123.103.115-testark", + "cyberarkpas.audit.iso_timestamp": "2021-03-15T14:45:51Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Keystroke logging", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 15 07:45:51\n 2021-03-15T14:45:51Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 361\n Keystroke logging\n Info\n Administrator\n Keystroke logging\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 34.71.250.247\n \n \n \n \n Command=(reverse-i-search)`grant': grant all privileges on *.* TO 'root'@'%' with grant option\\;;ConnectionComponentId=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=27f74dce-f5d5-4c94-bf99-ca6aafe2c518;SrcHost=81.32.170.205;SSHOffset=296291B;User=testark;VIDOffset=2081T;\n Keystroke logging\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "partner", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "34.71.250.247", + "cyberarkpas.audit.timestamp": "Mar 15 07:45:51", + "destination.address": "34.123.103.115", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "34.123.103.115", + "destination.user.name": "testark", + "event.action": "keystroke logging", + "event.category": [ + "session" + ], + "event.code": "361", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "file.path": "Root\\Operating System-UnixSSH-34.123.103.115-testark", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 19698, + "log.syslog.priority": "5", + "network.application": "ssh", + "network.direction": "external", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205", + "34.123.103.115", + "34.71.250.247" + ], + "related.user": [ + "Administrator", + "testark" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "source.user.name": "Administrator", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "Administrator" + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/385_blservice_audit_record.log b/x-pack/filebeat/module/cyberarkpas/audit/test/385_blservice_audit_record.log new file mode 100644 index 00000000000..54143042844 --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/385_blservice_audit_record.log @@ -0,0 +1,5 @@ +<5>1 2021-03-11T16:31:13Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 08:31:13\n 2021-03-11T16:31:13Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 385\n BLService Audit Record\n Info\n Administrator\n BLService Audit Record\n \n \n \n \n 127.0.0.1\n UpdatetrueEnforceExclusiveAccess: False; EnforceOneTimePasswords: False; AllowOPMAccess: True; RecordSessions: False; EnforceExpirationPeriod: 90; EnforceVerificationPeriod: 7; AuditRetentionPeriod: 90; PSMEnabled: True; RequireReason: AllowFreeTextReason: True, BasicValue: True; AllowTransparentConnection: AllowViewingPasswords: True, BasicValue: True; DualControl: BasicValue: False, DualControlRequireMultilevelApproval: False, DualControlRequireManagerialApproval: False, DualControlRequiredConfirmers: 1N/AMaster Policy\n \n \n \n \n BLService Audit Record\n 10.0.1.20\n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 08:31:13","IsoTimestamp":"2021-03-11T16:31:13Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"385","Desc":"BLService Audit Record","Severity":"Info","Issuer":"Administrator","Action":"BLService Audit Record","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"127.0.0.1","Location":"UpdatetrueEnforceExclusiveAccess: False; EnforceOneTimePasswords: False; AllowOPMAccess: True; RecordSessions: False; EnforceExpirationPeriod: 90; EnforceVerificationPeriod: 7; AuditRetentionPeriod: 90; PSMEnabled: True; RequireReason: AllowFreeTextReason: True, BasicValue: True; AllowTransparentConnection: AllowViewingPasswords: True, BasicValue: True; DualControl: BasicValue: False, DualControlRequireMultilevelApproval: False, DualControlRequireManagerialApproval: False, DualControlRequiredConfirmers: 1N/AMaster Policy","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"BLService Audit Record","GatewayStation":"10.0.1.20"}}} +<5>1 2021-03-11T16:31:23Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 08:31:23\n 2021-03-11T16:31:23Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 385\n BLService Audit Record\n Info\n Administrator\n BLService Audit Record\n \n \n \n \n 127.0.0.1\n UpdatetrueEnforceExclusiveAccess: False; EnforceOneTimePasswords: False; AllowOPMAccess: True; RecordSessions: True; EnforceExpirationPeriod: 90; EnforceVerificationPeriod: 7; AuditRetentionPeriod: 90; PSMEnabled: True; RequireReason: AllowFreeTextReason: True, BasicValue: True; AllowTransparentConnection: AllowViewingPasswords: True, BasicValue: True; DualControl: BasicValue: False, DualControlRequireMultilevelApproval: False, DualControlRequireManagerialApproval: False, DualControlRequiredConfirmers: 1N/AMaster Policy\n \n \n \n \n BLService Audit Record\n 10.0.1.20\n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 08:31:23","IsoTimestamp":"2021-03-11T16:31:23Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"385","Desc":"BLService Audit Record","Severity":"Info","Issuer":"Administrator","Action":"BLService Audit Record","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"127.0.0.1","Location":"UpdatetrueEnforceExclusiveAccess: False; EnforceOneTimePasswords: False; AllowOPMAccess: True; RecordSessions: True; EnforceExpirationPeriod: 90; EnforceVerificationPeriod: 7; AuditRetentionPeriod: 90; PSMEnabled: True; RequireReason: AllowFreeTextReason: True, BasicValue: True; AllowTransparentConnection: AllowViewingPasswords: True, BasicValue: True; DualControl: BasicValue: False, DualControlRequireMultilevelApproval: False, DualControlRequireManagerialApproval: False, DualControlRequiredConfirmers: 1N/AMaster Policy","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"BLService Audit Record","GatewayStation":"10.0.1.20"}}} +<5>1 2021-03-11T19:40:52Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 11:40:52\n 2021-03-11T19:40:52Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 385\n BLService Audit Record\n Info\n Administrator\n BLService Audit Record\n \n \n \n \n 127.0.0.1\n UpdatetrueEnforceExclusiveAccess: False; EnforceOneTimePasswords: False; AllowOPMAccess: True; RecordSessions: True; EnforceExpirationPeriod: 90; EnforceVerificationPeriod: 7; AuditRetentionPeriod: 90; PSMEnabled: False; RequireReason: AllowFreeTextReason: True, BasicValue: True; AllowTransparentConnection: AllowViewingPasswords: True, BasicValue: True; DualControl: BasicValue: False, DualControlRequireMultilevelApproval: False, DualControlRequireManagerialApproval: False, DualControlRequiredConfirmers: 1N/AMaster Policy\n \n \n \n \n BLService Audit Record\n 10.0.1.20\n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 11:40:52","IsoTimestamp":"2021-03-11T19:40:52Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"385","Desc":"BLService Audit Record","Severity":"Info","Issuer":"Administrator","Action":"BLService Audit Record","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"127.0.0.1","Location":"UpdatetrueEnforceExclusiveAccess: False; EnforceOneTimePasswords: False; AllowOPMAccess: True; RecordSessions: True; EnforceExpirationPeriod: 90; EnforceVerificationPeriod: 7; AuditRetentionPeriod: 90; PSMEnabled: False; RequireReason: AllowFreeTextReason: True, BasicValue: True; AllowTransparentConnection: AllowViewingPasswords: True, BasicValue: True; DualControl: BasicValue: False, DualControlRequireMultilevelApproval: False, DualControlRequireManagerialApproval: False, DualControlRequiredConfirmers: 1N/AMaster Policy","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"BLService Audit Record","GatewayStation":"10.0.1.20"}}} +<5>1 2021-03-14T12:04:35Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 05:04:35\n 2021-03-14T12:04:35Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 385\n BLService Audit Record\n Info\n Administrator\n BLService Audit Record\n \n \n \n \n 127.0.0.1\n UpdatetrueEnforceExclusiveAccess: False; EnforceOneTimePasswords: False; AllowOPMAccess: True; RecordSessions: True; EnforceExpirationPeriod: 90; EnforceVerificationPeriod: 7; AuditRetentionPeriod: 90; PSMEnabled: False; RequireReason: AllowFreeTextReason: True, BasicValue: False; AllowTransparentConnection: AllowViewingPasswords: True, BasicValue: True; DualControl: BasicValue: False, DualControlRequireMultilevelApproval: False, DualControlRequireManagerialApproval: False, DualControlRequiredConfirmers: 1N/AMaster Policy\n \n \n \n \n BLService Audit Record\n 10.0.1.20\n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 05:04:35","IsoTimestamp":"2021-03-14T12:04:35Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"385","Desc":"BLService Audit Record","Severity":"Info","Issuer":"Administrator","Action":"BLService Audit Record","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"127.0.0.1","Location":"UpdatetrueEnforceExclusiveAccess: False; EnforceOneTimePasswords: False; AllowOPMAccess: True; RecordSessions: True; EnforceExpirationPeriod: 90; EnforceVerificationPeriod: 7; AuditRetentionPeriod: 90; PSMEnabled: False; RequireReason: AllowFreeTextReason: True, BasicValue: False; AllowTransparentConnection: AllowViewingPasswords: True, BasicValue: True; DualControl: BasicValue: False, DualControlRequireMultilevelApproval: False, DualControlRequireManagerialApproval: False, DualControlRequiredConfirmers: 1N/AMaster Policy","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"BLService Audit Record","GatewayStation":"10.0.1.20"}}} +<5>1 2021-03-14T12:04:53Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 05:04:53\n 2021-03-14T12:04:53Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 385\n BLService Audit Record\n Info\n Administrator\n BLService Audit Record\n \n \n \n \n 127.0.0.1\n UpdatetrueEnforceExclusiveAccess: False; EnforceOneTimePasswords: False; AllowOPMAccess: True; RecordSessions: True; EnforceExpirationPeriod: 500; EnforceVerificationPeriod: 7; AuditRetentionPeriod: 90; PSMEnabled: False; RequireReason: AllowFreeTextReason: True, BasicValue: False; AllowTransparentConnection: AllowViewingPasswords: True, BasicValue: True; DualControl: BasicValue: False, DualControlRequireMultilevelApproval: False, DualControlRequireManagerialApproval: False, DualControlRequiredConfirmers: 1N/AMaster Policy\n \n \n \n \n BLService Audit Record\n 10.0.1.20\n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 05:04:53","IsoTimestamp":"2021-03-14T12:04:53Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"385","Desc":"BLService Audit Record","Severity":"Info","Issuer":"Administrator","Action":"BLService Audit Record","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"127.0.0.1","Location":"UpdatetrueEnforceExclusiveAccess: False; EnforceOneTimePasswords: False; AllowOPMAccess: True; RecordSessions: True; EnforceExpirationPeriod: 500; EnforceVerificationPeriod: 7; AuditRetentionPeriod: 90; PSMEnabled: False; RequireReason: AllowFreeTextReason: True, BasicValue: False; AllowTransparentConnection: AllowViewingPasswords: True, BasicValue: True; DualControl: BasicValue: False, DualControlRequireMultilevelApproval: False, DualControlRequireManagerialApproval: False, DualControlRequiredConfirmers: 1N/AMaster Policy","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"BLService Audit Record","GatewayStation":"10.0.1.20"}}} diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/385_blservice_audit_record.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/385_blservice_audit_record.log-expected.json new file mode 100644 index 00000000000..afc569ca43a --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/385_blservice_audit_record.log-expected.json @@ -0,0 +1,227 @@ +[ + { + "@timestamp": "2021-03-11T16:31:13.000Z", + "cyberarkpas.audit.action": "BLService Audit Record", + "cyberarkpas.audit.desc": "BLService Audit Record", + "cyberarkpas.audit.gateway_station": "10.0.1.20", + "cyberarkpas.audit.iso_timestamp": "2021-03-11T16:31:13Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.location": "UpdatetrueEnforceExclusiveAccess: False; EnforceOneTimePasswords: False; AllowOPMAccess: True; RecordSessions: False; EnforceExpirationPeriod: 90; EnforceVerificationPeriod: 7; AuditRetentionPeriod: 90; PSMEnabled: True; RequireReason: AllowFreeTextReason: True, BasicValue: True; AllowTransparentConnection: AllowViewingPasswords: True, BasicValue: True; DualControl: BasicValue: False, DualControlRequireMultilevelApproval: False, DualControlRequireManagerialApproval: False, DualControlRequiredConfirmers: 1N/AMaster Policy", + "cyberarkpas.audit.message": "BLService Audit Record", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 08:31:13\n 2021-03-11T16:31:13Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 385\n BLService Audit Record\n Info\n Administrator\n BLService Audit Record\n \n \n \n \n 127.0.0.1\n UpdatetrueEnforceExclusiveAccess: False; EnforceOneTimePasswords: False; AllowOPMAccess: True; RecordSessions: False; EnforceExpirationPeriod: 90; EnforceVerificationPeriod: 7; AuditRetentionPeriod: 90; PSMEnabled: True; RequireReason: AllowFreeTextReason: True, BasicValue: True; AllowTransparentConnection: AllowViewingPasswords: True, BasicValue: True; DualControl: BasicValue: False, DualControlRequireMultilevelApproval: False, DualControlRequireManagerialApproval: False, DualControlRequiredConfirmers: 1N/AMaster Policy\n \n \n \n \n BLService Audit Record\n 10.0.1.20\n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "127.0.0.1", + "cyberarkpas.audit.timestamp": "Mar 11 08:31:13", + "destination.address": "10.0.1.20", + "destination.ip": "10.0.1.20", + "event.action": "blservice audit record", + "event.code": "385", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 0, + "log.syslog.priority": "5", + "network.direction": "internal", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "127.0.0.1", + "10.0.1.20" + ], + "service.type": "cyberarkpas", + "source.address": "127.0.0.1", + "source.ip": "127.0.0.1", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + }, + { + "@timestamp": "2021-03-11T16:31:23.000Z", + "cyberarkpas.audit.action": "BLService Audit Record", + "cyberarkpas.audit.desc": "BLService Audit Record", + "cyberarkpas.audit.gateway_station": "10.0.1.20", + "cyberarkpas.audit.iso_timestamp": "2021-03-11T16:31:23Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.location": "UpdatetrueEnforceExclusiveAccess: False; EnforceOneTimePasswords: False; AllowOPMAccess: True; RecordSessions: True; EnforceExpirationPeriod: 90; EnforceVerificationPeriod: 7; AuditRetentionPeriod: 90; PSMEnabled: True; RequireReason: AllowFreeTextReason: True, BasicValue: True; AllowTransparentConnection: AllowViewingPasswords: True, BasicValue: True; DualControl: BasicValue: False, DualControlRequireMultilevelApproval: False, DualControlRequireManagerialApproval: False, DualControlRequiredConfirmers: 1N/AMaster Policy", + "cyberarkpas.audit.message": "BLService Audit Record", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 08:31:23\n 2021-03-11T16:31:23Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 385\n BLService Audit Record\n Info\n Administrator\n BLService Audit Record\n \n \n \n \n 127.0.0.1\n UpdatetrueEnforceExclusiveAccess: False; EnforceOneTimePasswords: False; AllowOPMAccess: True; RecordSessions: True; EnforceExpirationPeriod: 90; EnforceVerificationPeriod: 7; AuditRetentionPeriod: 90; PSMEnabled: True; RequireReason: AllowFreeTextReason: True, BasicValue: True; AllowTransparentConnection: AllowViewingPasswords: True, BasicValue: True; DualControl: BasicValue: False, DualControlRequireMultilevelApproval: False, DualControlRequireManagerialApproval: False, DualControlRequiredConfirmers: 1N/AMaster Policy\n \n \n \n \n BLService Audit Record\n 10.0.1.20\n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "127.0.0.1", + "cyberarkpas.audit.timestamp": "Mar 11 08:31:23", + "destination.address": "10.0.1.20", + "destination.ip": "10.0.1.20", + "event.action": "blservice audit record", + "event.code": "385", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 3510, + "log.syslog.priority": "5", + "network.direction": "internal", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "127.0.0.1", + "10.0.1.20" + ], + "service.type": "cyberarkpas", + "source.address": "127.0.0.1", + "source.ip": "127.0.0.1", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + }, + { + "@timestamp": "2021-03-11T19:40:52.000Z", + "cyberarkpas.audit.action": "BLService Audit Record", + "cyberarkpas.audit.desc": "BLService Audit Record", + "cyberarkpas.audit.gateway_station": "10.0.1.20", + "cyberarkpas.audit.iso_timestamp": "2021-03-11T19:40:52Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.location": "UpdatetrueEnforceExclusiveAccess: False; EnforceOneTimePasswords: False; AllowOPMAccess: True; RecordSessions: True; EnforceExpirationPeriod: 90; EnforceVerificationPeriod: 7; AuditRetentionPeriod: 90; PSMEnabled: False; RequireReason: AllowFreeTextReason: True, BasicValue: True; AllowTransparentConnection: AllowViewingPasswords: True, BasicValue: True; DualControl: BasicValue: False, DualControlRequireMultilevelApproval: False, DualControlRequireManagerialApproval: False, DualControlRequiredConfirmers: 1N/AMaster Policy", + "cyberarkpas.audit.message": "BLService Audit Record", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 11:40:52\n 2021-03-11T19:40:52Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 385\n BLService Audit Record\n Info\n Administrator\n BLService Audit Record\n \n \n \n \n 127.0.0.1\n UpdatetrueEnforceExclusiveAccess: False; EnforceOneTimePasswords: False; AllowOPMAccess: True; RecordSessions: True; EnforceExpirationPeriod: 90; EnforceVerificationPeriod: 7; AuditRetentionPeriod: 90; PSMEnabled: False; RequireReason: AllowFreeTextReason: True, BasicValue: True; AllowTransparentConnection: AllowViewingPasswords: True, BasicValue: True; DualControl: BasicValue: False, DualControlRequireMultilevelApproval: False, DualControlRequireManagerialApproval: False, DualControlRequiredConfirmers: 1N/AMaster Policy\n \n \n \n \n BLService Audit Record\n 10.0.1.20\n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "127.0.0.1", + "cyberarkpas.audit.timestamp": "Mar 11 11:40:52", + "destination.address": "10.0.1.20", + "destination.ip": "10.0.1.20", + "event.action": "blservice audit record", + "event.code": "385", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 7018, + "log.syslog.priority": "5", + "network.direction": "internal", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "127.0.0.1", + "10.0.1.20" + ], + "service.type": "cyberarkpas", + "source.address": "127.0.0.1", + "source.ip": "127.0.0.1", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + }, + { + "@timestamp": "2021-03-14T12:04:35.000Z", + "cyberarkpas.audit.action": "BLService Audit Record", + "cyberarkpas.audit.desc": "BLService Audit Record", + "cyberarkpas.audit.gateway_station": "10.0.1.20", + "cyberarkpas.audit.iso_timestamp": "2021-03-14T12:04:35Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.location": "UpdatetrueEnforceExclusiveAccess: False; EnforceOneTimePasswords: False; AllowOPMAccess: True; RecordSessions: True; EnforceExpirationPeriod: 90; EnforceVerificationPeriod: 7; AuditRetentionPeriod: 90; PSMEnabled: False; RequireReason: AllowFreeTextReason: True, BasicValue: False; AllowTransparentConnection: AllowViewingPasswords: True, BasicValue: True; DualControl: BasicValue: False, DualControlRequireMultilevelApproval: False, DualControlRequireManagerialApproval: False, DualControlRequiredConfirmers: 1N/AMaster Policy", + "cyberarkpas.audit.message": "BLService Audit Record", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 14 05:04:35\n 2021-03-14T12:04:35Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 385\n BLService Audit Record\n Info\n Administrator\n BLService Audit Record\n \n \n \n \n 127.0.0.1\n UpdatetrueEnforceExclusiveAccess: False; EnforceOneTimePasswords: False; AllowOPMAccess: True; RecordSessions: True; EnforceExpirationPeriod: 90; EnforceVerificationPeriod: 7; AuditRetentionPeriod: 90; PSMEnabled: False; RequireReason: AllowFreeTextReason: True, BasicValue: False; AllowTransparentConnection: AllowViewingPasswords: True, BasicValue: True; DualControl: BasicValue: False, DualControlRequireMultilevelApproval: False, DualControlRequireManagerialApproval: False, DualControlRequiredConfirmers: 1N/AMaster Policy\n \n \n \n \n BLService Audit Record\n 10.0.1.20\n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "127.0.0.1", + "cyberarkpas.audit.timestamp": "Mar 14 05:04:35", + "destination.address": "10.0.1.20", + "destination.ip": "10.0.1.20", + "event.action": "blservice audit record", + "event.code": "385", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 10528, + "log.syslog.priority": "5", + "network.direction": "internal", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "127.0.0.1", + "10.0.1.20" + ], + "service.type": "cyberarkpas", + "source.address": "127.0.0.1", + "source.ip": "127.0.0.1", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + }, + { + "@timestamp": "2021-03-14T12:04:53.000Z", + "cyberarkpas.audit.action": "BLService Audit Record", + "cyberarkpas.audit.desc": "BLService Audit Record", + "cyberarkpas.audit.gateway_station": "10.0.1.20", + "cyberarkpas.audit.iso_timestamp": "2021-03-14T12:04:53Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.location": "UpdatetrueEnforceExclusiveAccess: False; EnforceOneTimePasswords: False; AllowOPMAccess: True; RecordSessions: True; EnforceExpirationPeriod: 500; EnforceVerificationPeriod: 7; AuditRetentionPeriod: 90; PSMEnabled: False; RequireReason: AllowFreeTextReason: True, BasicValue: False; AllowTransparentConnection: AllowViewingPasswords: True, BasicValue: True; DualControl: BasicValue: False, DualControlRequireMultilevelApproval: False, DualControlRequireManagerialApproval: False, DualControlRequiredConfirmers: 1N/AMaster Policy", + "cyberarkpas.audit.message": "BLService Audit Record", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 14 05:04:53\n 2021-03-14T12:04:53Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 385\n BLService Audit Record\n Info\n Administrator\n BLService Audit Record\n \n \n \n \n 127.0.0.1\n UpdatetrueEnforceExclusiveAccess: False; EnforceOneTimePasswords: False; AllowOPMAccess: True; RecordSessions: True; EnforceExpirationPeriod: 500; EnforceVerificationPeriod: 7; AuditRetentionPeriod: 90; PSMEnabled: False; RequireReason: AllowFreeTextReason: True, BasicValue: False; AllowTransparentConnection: AllowViewingPasswords: True, BasicValue: True; DualControl: BasicValue: False, DualControlRequireMultilevelApproval: False, DualControlRequireManagerialApproval: False, DualControlRequiredConfirmers: 1N/AMaster Policy\n \n \n \n \n BLService Audit Record\n 10.0.1.20\n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "127.0.0.1", + "cyberarkpas.audit.timestamp": "Mar 14 05:04:53", + "destination.address": "10.0.1.20", + "destination.ip": "10.0.1.20", + "event.action": "blservice audit record", + "event.code": "385", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 14040, + "log.syslog.priority": "5", + "network.direction": "internal", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "127.0.0.1", + "10.0.1.20" + ], + "service.type": "cyberarkpas", + "source.address": "127.0.0.1", + "source.ip": "127.0.0.1", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/38_cpm_verify_password_failed.log b/x-pack/filebeat/module/cyberarkpas/audit/test/38_cpm_verify_password_failed.log new file mode 100644 index 00000000000..211d487b613 --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/38_cpm_verify_password_failed.log @@ -0,0 +1,15 @@ +<7>1 2021-03-15T13:19:58Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 06:19:58\n 2021-03-15T13:19:58Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 38\n CPM Verify Password Failed\n Error\n PasswordManager\n CPM Verify Password Failed\n \n \n partner\n Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart\n 10.0.1.20\n \n \n \n ImmediateTask. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #0). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\ELASTIC\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). \n\n address=34.66.114.180;username=ELASTIC\\bart;\n CPM Verify Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 06:19:58","IsoTimestamp":"2021-03-15T13:19:58Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"38","Desc":"CPM Verify Password Failed","Severity":"Error","Issuer":"PasswordManager","Action":"CPM Verify Password Failed","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #0). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\ELASTIC\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). \n","ExtraDetails":"address=34.66.114.180;username=ELASTIC\\bart;","Message":"CPM Verify Password Failed","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WinDomain"},{"Name":"UserName","Value":"ELASTIC\\bart"},{"Name":"Address","Value":"34.66.114.180"},{"Name":"ResetImmediately","Value":"VerifyTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastFailDate","Value":"1615814397"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"LogonDomain","Value":"34.66.114.180"},{"Name":"CPMErrorDetails","Value":"Error in verifypass to user 34.66.114.180\\ELASTIC\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). "},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<7>1 2021-03-15T13:25:32Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 06:25:32\n 2021-03-15T13:25:32Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 38\n CPM Verify Password Failed\n Error\n PasswordManager\n CPM Verify Password Failed\n \n \n partner\n Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart\n 10.0.1.20\n \n \n \n ImmediateTask. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #0). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The network name cannot be found. (winRc=67). \n\n address=34.66.114.180;username=bart;\n CPM Verify Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 06:25:32","IsoTimestamp":"2021-03-15T13:25:32Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"38","Desc":"CPM Verify Password Failed","Severity":"Error","Issuer":"PasswordManager","Action":"CPM Verify Password Failed","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #0). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The network name cannot be found. (winRc=67). \n","ExtraDetails":"address=34.66.114.180;username=bart;","Message":"CPM Verify Password Failed","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WinDomain"},{"Name":"UserName","Value":"bart"},{"Name":"Address","Value":"34.66.114.180"},{"Name":"ResetImmediately","Value":"VerifyTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastFailDate","Value":"1615814709"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"UserDN","Value":"ELASTIC.local"},{"Name":"LogonDomain","Value":"34.66.114.180"},{"Name":"CPMErrorDetails","Value":"Error in verifypass to user 34.66.114.180\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The network name cannot be found. (winRc=67). "},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<7>1 2021-03-15T13:33:26Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 06:33:26\n 2021-03-15T13:33:26Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 38\n CPM Verify Password Failed\n Error\n PasswordManager\n CPM Verify Password Failed\n \n \n partner\n Root\\Operating System-WinDomain-34.66.114.180-ELASTICbart\n 10.0.1.20\n \n \n \n ImmediateTask. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-34.66.114.180-ELASTICbart failed (try #0). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). \n\n address=34.66.114.180;username=ELASTIC.local\\bart;\n CPM Verify Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 06:33:26","IsoTimestamp":"2021-03-15T13:33:26Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"38","Desc":"CPM Verify Password Failed","Severity":"Error","Issuer":"PasswordManager","Action":"CPM Verify Password Failed","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-WinDomain-34.66.114.180-ELASTICbart","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-34.66.114.180-ELASTICbart failed (try #0). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). \n","ExtraDetails":"address=34.66.114.180;username=ELASTIC.local\\bart;","Message":"CPM Verify Password Failed","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WinDomain"},{"Name":"UserName","Value":"ELASTIC.local\\bart"},{"Name":"Address","Value":"34.66.114.180"},{"Name":"ResetImmediately","Value":"VerifyTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastFailDate","Value":"1615815206"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"LogonDomain","Value":"34.66.114.180"},{"Name":"CPMErrorDetails","Value":"Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). "},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<7>1 2021-03-15T15:04:11Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 08:04:11\n 2021-03-15T15:04:11Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 38\n CPM Verify Password Failed\n Error\n PasswordManager\n CPM Verify Password Failed\n \n \n partner\n Root\\Operating System-WinDomain-34.66.114.180-ELASTICbart\n 10.0.1.20\n \n \n \n ImmediateTask,Failure. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-34.66.114.180-ELASTICbart failed (try #1). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). \n\n address=34.66.114.180;retriescount=1;username=ELASTIC.local\\bart;\n CPM Verify Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 08:04:11","IsoTimestamp":"2021-03-15T15:04:11Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"38","Desc":"CPM Verify Password Failed","Severity":"Error","Issuer":"PasswordManager","Action":"CPM Verify Password Failed","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-WinDomain-34.66.114.180-ELASTICbart","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask,Failure. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-34.66.114.180-ELASTICbart failed (try #1). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). \n","ExtraDetails":"address=34.66.114.180;retriescount=1;username=ELASTIC.local\\bart;","Message":"CPM Verify Password Failed","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WinDomain"},{"Name":"UserName","Value":"ELASTIC.local\\bart"},{"Name":"Address","Value":"34.66.114.180"},{"Name":"ResetImmediately","Value":"VerifyTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"1"},{"Name":"LastFailDate","Value":"1615820651"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"LogonDomain","Value":"34.66.114.180"},{"Name":"CPMErrorDetails","Value":"Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). "},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<7>1 2021-03-15T16:35:01Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 09:35:01\n 2021-03-15T16:35:01Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 38\n CPM Verify Password Failed\n Error\n PasswordManager\n CPM Verify Password Failed\n \n \n partner\n Root\\Operating System-WinDomain-34.66.114.180-ELASTICbart\n 10.0.1.20\n \n \n \n ImmediateTask,Failure. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-34.66.114.180-ELASTICbart failed (try #2). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). \n\n address=34.66.114.180;retriescount=2;username=ELASTIC.local\\bart;\n CPM Verify Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 09:35:01","IsoTimestamp":"2021-03-15T16:35:01Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"38","Desc":"CPM Verify Password Failed","Severity":"Error","Issuer":"PasswordManager","Action":"CPM Verify Password Failed","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-WinDomain-34.66.114.180-ELASTICbart","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask,Failure. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-34.66.114.180-ELASTICbart failed (try #2). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). \n","ExtraDetails":"address=34.66.114.180;retriescount=2;username=ELASTIC.local\\bart;","Message":"CPM Verify Password Failed","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WinDomain"},{"Name":"UserName","Value":"ELASTIC.local\\bart"},{"Name":"Address","Value":"34.66.114.180"},{"Name":"ResetImmediately","Value":"VerifyTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"2"},{"Name":"LastFailDate","Value":"1615826099"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"LogonDomain","Value":"34.66.114.180"},{"Name":"CPMErrorDetails","Value":"Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). "},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<7>1 2021-03-15T16:56:29Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 09:56:29\n 2021-03-15T16:56:29Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 38\n CPM Verify Password Failed\n Error\n PasswordManager\n CPM Verify Password Failed\n \n \n partner\n Root\\Database-MySQL-10.0.1.20-root\n 10.0.1.20\n \n \n \n ImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server 10.0.1.20. State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified\n\n address=10.0.1.20;username=root;\n CPM Verify Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 09:56:29","IsoTimestamp":"2021-03-15T16:56:29Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"38","Desc":"CPM Verify Password Failed","Severity":"Error","Issuer":"PasswordManager","Action":"CPM Verify Password Failed","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Database-MySQL-10.0.1.20-root","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server 10.0.1.20. State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified\n","ExtraDetails":"address=10.0.1.20;username=root;","Message":"CPM Verify Password Failed","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"MySQL"},{"Name":"UserName","Value":"root"},{"Name":"Address","Value":"10.0.1.20"},{"Name":"ResetImmediately","Value":"VerifyTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastFailDate","Value":"1615827245"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"CPMErrorDetails","Value":"Error when verifypass to User root on Server 10.0.1.20. State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Database"}]}}}} +<7>1 2021-03-15T17:01:07Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 10:01:07\n 2021-03-15T17:01:07Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 38\n CPM Verify Password Failed\n Error\n PasswordManager\n CPM Verify Password Failed\n \n \n partner\n Root\\Database-MySQL-10.0.1.20-root\n 10.0.1.20\n \n \n \n ImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server . State: IM014 Native error: 0 Message: [Microsoft][ODBC Driver Manager] The specified DSN contains an architecture mismatch between the Driver and Application\n\n address=10.0.1.20;username=root;\n CPM Verify Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 10:01:07","IsoTimestamp":"2021-03-15T17:01:07Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"38","Desc":"CPM Verify Password Failed","Severity":"Error","Issuer":"PasswordManager","Action":"CPM Verify Password Failed","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Database-MySQL-10.0.1.20-root","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server . State: IM014 Native error: 0 Message: [Microsoft][ODBC Driver Manager] The specified DSN contains an architecture mismatch between the Driver and Application\n","ExtraDetails":"address=10.0.1.20;username=root;","Message":"CPM Verify Password Failed","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"MySQL"},{"Name":"UserName","Value":"root"},{"Name":"Address","Value":"10.0.1.20"},{"Name":"ResetImmediately","Value":"VerifyTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastFailDate","Value":"1615827554"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"DSN","Value":"mariadb"},{"Name":"CPMErrorDetails","Value":"Error when verifypass to User root on Server . State: IM014 Native error: 0 Message: [Microsoft][ODBC Driver Manager] The specified DSN contains an architecture mismatch between the Driver and Application"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Database"}]}}}} +<7>1 2021-03-15T17:05:47Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 10:05:47\n 2021-03-15T17:05:47Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 38\n CPM Verify Password Failed\n Error\n PasswordManager\n CPM Verify Password Failed\n \n \n partner\n Root\\Database-MySQL-10.0.1.20-root\n 10.0.1.20\n \n \n \n ImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server . State: HY090 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Invalid string or buffer length\n\n address=10.0.1.20;username=root;\n CPM Verify Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 10:05:47","IsoTimestamp":"2021-03-15T17:05:47Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"38","Desc":"CPM Verify Password Failed","Severity":"Error","Issuer":"PasswordManager","Action":"CPM Verify Password Failed","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Database-MySQL-10.0.1.20-root","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server . State: HY090 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Invalid string or buffer length\n","ExtraDetails":"address=10.0.1.20;username=root;","Message":"CPM Verify Password Failed","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"MySQL"},{"Name":"UserName","Value":"root"},{"Name":"Address","Value":"10.0.1.20"},{"Name":"ResetImmediately","Value":"VerifyTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastFailDate","Value":"1615827864"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"DSN","Value":"DRIVER={MariaDB ODBC 3.1 Driver};TCPIP=1;SERVER=localhost;UID=root;PWD=1234;DATABASE=test"},{"Name":"CPMErrorDetails","Value":"Error when verifypass to User root on Server . State: HY090 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Invalid string or buffer length"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Database"}]}}}} +<7>1 2021-03-15T17:10:25Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 10:10:25\n 2021-03-15T17:10:25Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 38\n CPM Verify Password Failed\n Error\n PasswordManager\n CPM Verify Password Failed\n \n \n partner\n Root\\Database-MySQL-10.0.1.20-root\n 10.0.1.20\n \n \n \n ImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server . State: HY090 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Invalid string or buffer length\n\n address=10.0.1.20;username=root;\n CPM Verify Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 10:10:25","IsoTimestamp":"2021-03-15T17:10:25Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"38","Desc":"CPM Verify Password Failed","Severity":"Error","Issuer":"PasswordManager","Action":"CPM Verify Password Failed","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Database-MySQL-10.0.1.20-root","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server . State: HY090 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Invalid string or buffer length\n","ExtraDetails":"address=10.0.1.20;username=root;","Message":"CPM Verify Password Failed","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"MySQL"},{"Name":"UserName","Value":"root"},{"Name":"Address","Value":"10.0.1.20"},{"Name":"ResetImmediately","Value":"VerifyTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastFailDate","Value":"1615828174"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"DSN","Value":"DSN=mariadb;TCPIP=1;SERVER=localhost;UID=root;PWD=1234;DATABASE=test"},{"Name":"CPMErrorDetails","Value":"Error when verifypass to User root on Server . State: HY090 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Invalid string or buffer length"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Database"}]}}}} +<7>1 2021-03-15T17:28:07Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 10:28:07\n 2021-03-15T17:28:07Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 38\n CPM Verify Password Failed\n Error\n PasswordManager\n CPM Verify Password Failed\n \n \n partner\n Root\\Database-MySQL-10.0.1.20-root\n 10.0.1.20\n \n \n \n ImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server 127.0.0.1. State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified\n\n address=127.0.0.1;username=root;\n CPM Verify Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 10:28:07","IsoTimestamp":"2021-03-15T17:28:07Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"38","Desc":"CPM Verify Password Failed","Severity":"Error","Issuer":"PasswordManager","Action":"CPM Verify Password Failed","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Database-MySQL-10.0.1.20-root","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server 127.0.0.1. State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified\n","ExtraDetails":"address=127.0.0.1;username=root;","Message":"CPM Verify Password Failed","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"MySQL"},{"Name":"UserName","Value":"root"},{"Name":"Address","Value":"127.0.0.1"},{"Name":"ResetImmediately","Value":"VerifyTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastFailDate","Value":"1615829287"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"Port","Value":"3306"},{"Name":"Database","Value":"test"},{"Name":"CPMErrorDetails","Value":"Error when verifypass to User root on Server 127.0.0.1. State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Database"}]}}}} +<7>1 2021-03-15T17:33:17Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 10:33:17\n 2021-03-15T17:33:17Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 38\n CPM Verify Password Failed\n Error\n PasswordManager\n CPM Verify Password Failed\n \n \n partner\n Root\\Database-MySQL-10.0.1.20-root\n 10.0.1.20\n \n \n \n ImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server . State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified\n\n address=127.0.0.1;username=root;\n CPM Verify Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 10:33:17","IsoTimestamp":"2021-03-15T17:33:17Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"38","Desc":"CPM Verify Password Failed","Severity":"Error","Issuer":"PasswordManager","Action":"CPM Verify Password Failed","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Database-MySQL-10.0.1.20-root","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server . State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified\n","ExtraDetails":"address=127.0.0.1;username=root;","Message":"CPM Verify Password Failed","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"MySQL"},{"Name":"UserName","Value":"root"},{"Name":"Address","Value":"127.0.0.1"},{"Name":"ResetImmediately","Value":"VerifyTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastFailDate","Value":"1615829597"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"Port","Value":"3306"},{"Name":"Database","Value":"test"},{"Name":"DSN","Value":"mysql"},{"Name":"CPMErrorDetails","Value":"Error when verifypass to User root on Server . State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Database"}]}}}} +<7>1 2021-03-15T17:38:27Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 10:38:27\n 2021-03-15T17:38:27Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 38\n CPM Verify Password Failed\n Error\n PasswordManager\n CPM Verify Password Failed\n \n \n partner\n Root\\Database-MySQL-10.0.1.20-root\n 10.0.1.20\n \n \n \n ImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server . State: HY090 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Invalid string or buffer length\n\n address=127.0.0.1;username=root;\n CPM Verify Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 10:38:27","IsoTimestamp":"2021-03-15T17:38:27Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"38","Desc":"CPM Verify Password Failed","Severity":"Error","Issuer":"PasswordManager","Action":"CPM Verify Password Failed","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Database-MySQL-10.0.1.20-root","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server . State: HY090 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Invalid string or buffer length\n","ExtraDetails":"address=127.0.0.1;username=root;","Message":"CPM Verify Password Failed","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"MySQL"},{"Name":"UserName","Value":"root"},{"Name":"Address","Value":"127.0.0.1"},{"Name":"ResetImmediately","Value":"VerifyTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastFailDate","Value":"1615829907"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"Port","Value":"3306"},{"Name":"Database","Value":"test"},{"Name":"DSN","Value":"Driver={MySQL ODBC 5.3 Unicode Driver};server=%ADDRESS%;user=%USER%;option=3;port=%PORT%;Password=%LOGONPASSWORD%"},{"Name":"CPMErrorDetails","Value":"Error when verifypass to User root on Server . State: HY090 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Invalid string or buffer length"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Database"}]}}}} +<7>1 2021-03-15T18:00:07Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 11:00:07\n 2021-03-15T18:00:07Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 38\n CPM Verify Password Failed\n Error\n PasswordManager\n CPM Verify Password Failed\n \n \n partner\n Root\\Database-MySQL-10.0.1.20-root\n 10.0.1.20\n \n \n \n ImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server . State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified\n\n address=Driver\\={MySQL ODBC 5.3 Unicode Driver}\\;server\\=127.0.0.1\\;user\\=root\\;option\\=3\\;port\\=3306\\;Password\\=1234;username=root;\n CPM Verify Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 11:00:07","IsoTimestamp":"2021-03-15T18:00:07Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"38","Desc":"CPM Verify Password Failed","Severity":"Error","Issuer":"PasswordManager","Action":"CPM Verify Password Failed","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Database-MySQL-10.0.1.20-root","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server . State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified\n","ExtraDetails":"address=Driver\\={MySQL ODBC 5.3 Unicode Driver}\\;server\\=127.0.0.1\\;user\\=root\\;option\\=3\\;port\\=3306\\;Password\\=1234;username=root;","Message":"CPM Verify Password Failed","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"MySQL"},{"Name":"UserName","Value":"root"},{"Name":"Address","Value":"Driver={MySQL ODBC 5.3 Unicode Driver};server=127.0.0.1;user=root;option=3;port=3306;Password=1234"},{"Name":"ResetImmediately","Value":"VerifyTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastFailDate","Value":"1615831206"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"Port","Value":"3306"},{"Name":"Database","Value":"test"},{"Name":"DSN","Value":"mysql"},{"Name":"CPMErrorDetails","Value":"Error when verifypass to User root on Server . State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Database"}]}}}} +<7>1 2021-03-15T18:05:16Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 11:05:16\n 2021-03-15T18:05:16Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 38\n CPM Verify Password Failed\n Error\n PasswordManager\n CPM Verify Password Failed\n \n \n partner\n Root\\Operating System-WinDomain-34.66.114.180-ELASTICbart\n 10.0.1.20\n \n \n \n ImmediateTask,Failure. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-34.66.114.180-ELASTICbart failed (try #3). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). \n\n address=34.66.114.180;retriescount=3;username=ELASTIC.local\\bart;\n CPM Verify Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 11:05:16","IsoTimestamp":"2021-03-15T18:05:16Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"38","Desc":"CPM Verify Password Failed","Severity":"Error","Issuer":"PasswordManager","Action":"CPM Verify Password Failed","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-WinDomain-34.66.114.180-ELASTICbart","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask,Failure. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-34.66.114.180-ELASTICbart failed (try #3). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). \n","ExtraDetails":"address=34.66.114.180;retriescount=3;username=ELASTIC.local\\bart;","Message":"CPM Verify Password Failed","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WinDomain"},{"Name":"UserName","Value":"ELASTIC.local\\bart"},{"Name":"Address","Value":"34.66.114.180"},{"Name":"ResetImmediately","Value":"VerifyTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"3"},{"Name":"LastFailDate","Value":"1615831516"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"LogonDomain","Value":"34.66.114.180"},{"Name":"CPMErrorDetails","Value":"Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). "},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<7>1 2021-03-16T09:50:19Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 16 02:50:19\n 2021-03-16T09:50:19Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 38\n CPM Verify Password Failed\n Error\n PasswordManager\n CPM Verify Password Failed\n \n \n partner\n Root\\Operating System-WinDomain-34.66.114.180-ELASTICbart\n 10.0.1.20\n \n \n \n ImmediateTask,Failure. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-34.66.114.180-ELASTICbart failed (try #4). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). \n\n address=34.66.114.180;retriescount=4;username=ELASTIC.local\\bart;\n CPM Verify Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 16 02:50:19","IsoTimestamp":"2021-03-16T09:50:19Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"38","Desc":"CPM Verify Password Failed","Severity":"Error","Issuer":"PasswordManager","Action":"CPM Verify Password Failed","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-WinDomain-34.66.114.180-ELASTICbart","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask,Failure. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-34.66.114.180-ELASTICbart failed (try #4). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). \n","ExtraDetails":"address=34.66.114.180;retriescount=4;username=ELASTIC.local\\bart;","Message":"CPM Verify Password Failed","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WinDomain"},{"Name":"UserName","Value":"ELASTIC.local\\bart"},{"Name":"Address","Value":"34.66.114.180"},{"Name":"ResetImmediately","Value":"VerifyTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"4"},{"Name":"LastFailDate","Value":"1615888216"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"LogonDomain","Value":"34.66.114.180"},{"Name":"CPMErrorDetails","Value":"Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). "},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/38_cpm_verify_password_failed.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/38_cpm_verify_password_failed.log-expected.json new file mode 100644 index 00000000000..6e9afaabf56 --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/38_cpm_verify_password_failed.log-expected.json @@ -0,0 +1,1196 @@ +[ + { + "@timestamp": "2021-03-15T13:19:58.000Z", + "cyberarkpas.audit.action": "CPM Verify Password Failed", + "cyberarkpas.audit.ca_properties.address": "34.66.114.180", + "cyberarkpas.audit.ca_properties.cpm_error_details": "Error in verifypass to user 34.66.114.180\\ELASTIC\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). ", + "cyberarkpas.audit.ca_properties.cpm_status": "failure", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.device_type": "Operating System", + "cyberarkpas.audit.ca_properties.last_fail_date": "1615814397", + "cyberarkpas.audit.ca_properties.last_task": "VerifyTask", + "cyberarkpas.audit.ca_properties.logon_domain": "34.66.114.180", + "cyberarkpas.audit.ca_properties.policy_id": "WinDomain", + "cyberarkpas.audit.ca_properties.reset_immediately": "VerifyTask", + "cyberarkpas.audit.ca_properties.retries_count": "0", + "cyberarkpas.audit.ca_properties.user_name": "ELASTIC\\bart", + "cyberarkpas.audit.desc": "CPM Verify Password Failed", + "cyberarkpas.audit.extra_details.address": "34.66.114.180", + "cyberarkpas.audit.extra_details.username": "ELASTIC\\bart", + "cyberarkpas.audit.file": "Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart", + "cyberarkpas.audit.iso_timestamp": "2021-03-15T13:19:58Z", + "cyberarkpas.audit.issuer": "PasswordManager", + "cyberarkpas.audit.message": "CPM Verify Password Failed", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 15 06:19:58\n 2021-03-15T13:19:58Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 38\n CPM Verify Password Failed\n Error\n PasswordManager\n CPM Verify Password Failed\n \n \n partner\n Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart\n 10.0.1.20\n \n \n \n ImmediateTask. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #0). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\ELASTIC\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). \n\n address=34.66.114.180;username=ELASTIC\\bart;\n CPM Verify Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.reason": "ImmediateTask. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #0). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\ELASTIC\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). \n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "partner", + "cyberarkpas.audit.severity": "Error", + "cyberarkpas.audit.station": "10.0.1.20", + "cyberarkpas.audit.timestamp": "Mar 15 06:19:58", + "destination.address": "34.66.114.180", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 38.6583, + "destination.geo.location.lon": -77.2481, + "destination.geo.region_iso_code": "US-VA", + "destination.geo.region_name": "Virginia", + "destination.ip": "34.66.114.180", + "destination.user.name": "ELASTIC\\bart", + "event.action": "cpm verify password failed", + "event.category": [ + "iam" + ], + "event.code": "38", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "failure", + "event.reason": "Error in verifypass to user 34.66.114.180\\ELASTIC\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). ", + "event.severity": 7, + "event.timezone": "-02:00", + "event.type": [ + "error" + ], + "file.path": "Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 0, + "log.syslog.priority": "7", + "network.direction": "outbound", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "10.0.1.20", + "34.66.114.180" + ], + "related.user": [ + "PasswordManager", + "ELASTIC\\bart" + ], + "service.type": "cyberarkpas", + "source.address": "10.0.1.20", + "source.ip": "10.0.1.20", + "source.user.name": "PasswordManager", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "PasswordManager" + }, + { + "@timestamp": "2021-03-15T13:25:32.000Z", + "cyberarkpas.audit.action": "CPM Verify Password Failed", + "cyberarkpas.audit.ca_properties.address": "34.66.114.180", + "cyberarkpas.audit.ca_properties.cpm_error_details": "Error in verifypass to user 34.66.114.180\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The network name cannot be found. (winRc=67). ", + "cyberarkpas.audit.ca_properties.cpm_status": "failure", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.device_type": "Operating System", + "cyberarkpas.audit.ca_properties.last_fail_date": "1615814709", + "cyberarkpas.audit.ca_properties.last_task": "VerifyTask", + "cyberarkpas.audit.ca_properties.logon_domain": "34.66.114.180", + "cyberarkpas.audit.ca_properties.policy_id": "WinDomain", + "cyberarkpas.audit.ca_properties.reset_immediately": "VerifyTask", + "cyberarkpas.audit.ca_properties.retries_count": "0", + "cyberarkpas.audit.ca_properties.user_dn": "ELASTIC.local", + "cyberarkpas.audit.ca_properties.user_name": "bart", + "cyberarkpas.audit.desc": "CPM Verify Password Failed", + "cyberarkpas.audit.extra_details.address": "34.66.114.180", + "cyberarkpas.audit.extra_details.username": "bart", + "cyberarkpas.audit.file": "Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart", + "cyberarkpas.audit.iso_timestamp": "2021-03-15T13:25:32Z", + "cyberarkpas.audit.issuer": "PasswordManager", + "cyberarkpas.audit.message": "CPM Verify Password Failed", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 15 06:25:32\n 2021-03-15T13:25:32Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 38\n CPM Verify Password Failed\n Error\n PasswordManager\n CPM Verify Password Failed\n \n \n partner\n Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart\n 10.0.1.20\n \n \n \n ImmediateTask. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #0). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The network name cannot be found. (winRc=67). \n\n address=34.66.114.180;username=bart;\n CPM Verify Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.reason": "ImmediateTask. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #0). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The network name cannot be found. (winRc=67). \n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "partner", + "cyberarkpas.audit.severity": "Error", + "cyberarkpas.audit.station": "10.0.1.20", + "cyberarkpas.audit.timestamp": "Mar 15 06:25:32", + "destination.address": "34.66.114.180", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 38.6583, + "destination.geo.location.lon": -77.2481, + "destination.geo.region_iso_code": "US-VA", + "destination.geo.region_name": "Virginia", + "destination.ip": "34.66.114.180", + "destination.user.name": "bart", + "event.action": "cpm verify password failed", + "event.category": [ + "iam" + ], + "event.code": "38", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "failure", + "event.reason": "Error in verifypass to user 34.66.114.180\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The network name cannot be found. (winRc=67). ", + "event.severity": 7, + "event.timezone": "-02:00", + "event.type": [ + "error" + ], + "file.path": "Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 4191, + "log.syslog.priority": "7", + "network.direction": "outbound", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "10.0.1.20", + "34.66.114.180" + ], + "related.user": [ + "PasswordManager", + "bart" + ], + "service.type": "cyberarkpas", + "source.address": "10.0.1.20", + "source.ip": "10.0.1.20", + "source.user.name": "PasswordManager", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "PasswordManager" + }, + { + "@timestamp": "2021-03-15T13:33:26.000Z", + "cyberarkpas.audit.action": "CPM Verify Password Failed", + "cyberarkpas.audit.ca_properties.address": "34.66.114.180", + "cyberarkpas.audit.ca_properties.cpm_error_details": "Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). ", + "cyberarkpas.audit.ca_properties.cpm_status": "failure", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.device_type": "Operating System", + "cyberarkpas.audit.ca_properties.last_fail_date": "1615815206", + "cyberarkpas.audit.ca_properties.last_task": "VerifyTask", + "cyberarkpas.audit.ca_properties.logon_domain": "34.66.114.180", + "cyberarkpas.audit.ca_properties.policy_id": "WinDomain", + "cyberarkpas.audit.ca_properties.reset_immediately": "VerifyTask", + "cyberarkpas.audit.ca_properties.retries_count": "0", + "cyberarkpas.audit.ca_properties.user_name": "ELASTIC.local\\bart", + "cyberarkpas.audit.desc": "CPM Verify Password Failed", + "cyberarkpas.audit.extra_details.address": "34.66.114.180", + "cyberarkpas.audit.extra_details.username": "ELASTIC.local\\bart", + "cyberarkpas.audit.file": "Root\\Operating System-WinDomain-34.66.114.180-ELASTICbart", + "cyberarkpas.audit.iso_timestamp": "2021-03-15T13:33:26Z", + "cyberarkpas.audit.issuer": "PasswordManager", + "cyberarkpas.audit.message": "CPM Verify Password Failed", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 15 06:33:26\n 2021-03-15T13:33:26Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 38\n CPM Verify Password Failed\n Error\n PasswordManager\n CPM Verify Password Failed\n \n \n partner\n Root\\Operating System-WinDomain-34.66.114.180-ELASTICbart\n 10.0.1.20\n \n \n \n ImmediateTask. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-34.66.114.180-ELASTICbart failed (try #0). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). \n\n address=34.66.114.180;username=ELASTIC.local\\bart;\n CPM Verify Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.reason": "ImmediateTask. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-34.66.114.180-ELASTICbart failed (try #0). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). \n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "partner", + "cyberarkpas.audit.severity": "Error", + "cyberarkpas.audit.station": "10.0.1.20", + "cyberarkpas.audit.timestamp": "Mar 15 06:33:26", + "destination.address": "34.66.114.180", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 38.6583, + "destination.geo.location.lon": -77.2481, + "destination.geo.region_iso_code": "US-VA", + "destination.geo.region_name": "Virginia", + "destination.ip": "34.66.114.180", + "destination.user.name": "ELASTIC.local\\bart", + "event.action": "cpm verify password failed", + "event.category": [ + "iam" + ], + "event.code": "38", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "failure", + "event.reason": "Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). ", + "event.severity": 7, + "event.timezone": "-02:00", + "event.type": [ + "error" + ], + "file.path": "Root\\Operating System-WinDomain-34.66.114.180-ELASTICbart", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 8413, + "log.syslog.priority": "7", + "network.direction": "outbound", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "10.0.1.20", + "34.66.114.180" + ], + "related.user": [ + "PasswordManager", + "ELASTIC.local\\bart" + ], + "service.type": "cyberarkpas", + "source.address": "10.0.1.20", + "source.ip": "10.0.1.20", + "source.user.name": "PasswordManager", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "PasswordManager" + }, + { + "@timestamp": "2021-03-15T15:04:11.000Z", + "cyberarkpas.audit.action": "CPM Verify Password Failed", + "cyberarkpas.audit.ca_properties.address": "34.66.114.180", + "cyberarkpas.audit.ca_properties.cpm_error_details": "Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). ", + "cyberarkpas.audit.ca_properties.cpm_status": "failure", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.device_type": "Operating System", + "cyberarkpas.audit.ca_properties.last_fail_date": "1615820651", + "cyberarkpas.audit.ca_properties.last_task": "VerifyTask", + "cyberarkpas.audit.ca_properties.logon_domain": "34.66.114.180", + "cyberarkpas.audit.ca_properties.policy_id": "WinDomain", + "cyberarkpas.audit.ca_properties.reset_immediately": "VerifyTask", + "cyberarkpas.audit.ca_properties.retries_count": "1", + "cyberarkpas.audit.ca_properties.user_name": "ELASTIC.local\\bart", + "cyberarkpas.audit.desc": "CPM Verify Password Failed", + "cyberarkpas.audit.extra_details.address": "34.66.114.180", + "cyberarkpas.audit.extra_details.retriescount": "1", + "cyberarkpas.audit.extra_details.username": "ELASTIC.local\\bart", + "cyberarkpas.audit.file": "Root\\Operating System-WinDomain-34.66.114.180-ELASTICbart", + "cyberarkpas.audit.iso_timestamp": "2021-03-15T15:04:11Z", + "cyberarkpas.audit.issuer": "PasswordManager", + "cyberarkpas.audit.message": "CPM Verify Password Failed", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 15 08:04:11\n 2021-03-15T15:04:11Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 38\n CPM Verify Password Failed\n Error\n PasswordManager\n CPM Verify Password Failed\n \n \n partner\n Root\\Operating System-WinDomain-34.66.114.180-ELASTICbart\n 10.0.1.20\n \n \n \n ImmediateTask,Failure. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-34.66.114.180-ELASTICbart failed (try #1). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). \n\n address=34.66.114.180;retriescount=1;username=ELASTIC.local\\bart;\n CPM Verify Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.reason": "ImmediateTask,Failure. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-34.66.114.180-ELASTICbart failed (try #1). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). \n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "partner", + "cyberarkpas.audit.severity": "Error", + "cyberarkpas.audit.station": "10.0.1.20", + "cyberarkpas.audit.timestamp": "Mar 15 08:04:11", + "destination.address": "34.66.114.180", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 38.6583, + "destination.geo.location.lon": -77.2481, + "destination.geo.region_iso_code": "US-VA", + "destination.geo.region_name": "Virginia", + "destination.ip": "34.66.114.180", + "destination.user.name": "ELASTIC.local\\bart", + "event.action": "cpm verify password failed", + "event.category": [ + "iam" + ], + "event.code": "38", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "failure", + "event.reason": "Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). ", + "event.severity": 7, + "event.timezone": "-02:00", + "event.type": [ + "error" + ], + "file.path": "Root\\Operating System-WinDomain-34.66.114.180-ELASTICbart", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 12652, + "log.syslog.priority": "7", + "network.direction": "outbound", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "10.0.1.20", + "34.66.114.180" + ], + "related.user": [ + "PasswordManager", + "ELASTIC.local\\bart" + ], + "service.type": "cyberarkpas", + "source.address": "10.0.1.20", + "source.ip": "10.0.1.20", + "source.user.name": "PasswordManager", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "PasswordManager" + }, + { + "@timestamp": "2021-03-15T16:35:01.000Z", + "cyberarkpas.audit.action": "CPM Verify Password Failed", + "cyberarkpas.audit.ca_properties.address": "34.66.114.180", + "cyberarkpas.audit.ca_properties.cpm_error_details": "Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). ", + "cyberarkpas.audit.ca_properties.cpm_status": "failure", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.device_type": "Operating System", + "cyberarkpas.audit.ca_properties.last_fail_date": "1615826099", + "cyberarkpas.audit.ca_properties.last_task": "VerifyTask", + "cyberarkpas.audit.ca_properties.logon_domain": "34.66.114.180", + "cyberarkpas.audit.ca_properties.policy_id": "WinDomain", + "cyberarkpas.audit.ca_properties.reset_immediately": "VerifyTask", + "cyberarkpas.audit.ca_properties.retries_count": "2", + "cyberarkpas.audit.ca_properties.user_name": "ELASTIC.local\\bart", + "cyberarkpas.audit.desc": "CPM Verify Password Failed", + "cyberarkpas.audit.extra_details.address": "34.66.114.180", + "cyberarkpas.audit.extra_details.retriescount": "2", + "cyberarkpas.audit.extra_details.username": "ELASTIC.local\\bart", + "cyberarkpas.audit.file": "Root\\Operating System-WinDomain-34.66.114.180-ELASTICbart", + "cyberarkpas.audit.iso_timestamp": "2021-03-15T16:35:01Z", + "cyberarkpas.audit.issuer": "PasswordManager", + "cyberarkpas.audit.message": "CPM Verify Password Failed", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 15 09:35:01\n 2021-03-15T16:35:01Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 38\n CPM Verify Password Failed\n Error\n PasswordManager\n CPM Verify Password Failed\n \n \n partner\n Root\\Operating System-WinDomain-34.66.114.180-ELASTICbart\n 10.0.1.20\n \n \n \n ImmediateTask,Failure. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-34.66.114.180-ELASTICbart failed (try #2). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). \n\n address=34.66.114.180;retriescount=2;username=ELASTIC.local\\bart;\n CPM Verify Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.reason": "ImmediateTask,Failure. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-34.66.114.180-ELASTICbart failed (try #2). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). \n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "partner", + "cyberarkpas.audit.severity": "Error", + "cyberarkpas.audit.station": "10.0.1.20", + "cyberarkpas.audit.timestamp": "Mar 15 09:35:01", + "destination.address": "34.66.114.180", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 38.6583, + "destination.geo.location.lon": -77.2481, + "destination.geo.region_iso_code": "US-VA", + "destination.geo.region_name": "Virginia", + "destination.ip": "34.66.114.180", + "destination.user.name": "ELASTIC.local\\bart", + "event.action": "cpm verify password failed", + "event.category": [ + "iam" + ], + "event.code": "38", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "failure", + "event.reason": "Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). ", + "event.severity": 7, + "event.timezone": "-02:00", + "event.type": [ + "error" + ], + "file.path": "Root\\Operating System-WinDomain-34.66.114.180-ELASTICbart", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 16937, + "log.syslog.priority": "7", + "network.direction": "outbound", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "10.0.1.20", + "34.66.114.180" + ], + "related.user": [ + "PasswordManager", + "ELASTIC.local\\bart" + ], + "service.type": "cyberarkpas", + "source.address": "10.0.1.20", + "source.ip": "10.0.1.20", + "source.user.name": "PasswordManager", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "PasswordManager" + }, + { + "@timestamp": "2021-03-15T16:56:29.000Z", + "cyberarkpas.audit.action": "CPM Verify Password Failed", + "cyberarkpas.audit.ca_properties.address": "10.0.1.20", + "cyberarkpas.audit.ca_properties.cpm_error_details": "Error when verifypass to User root on Server 10.0.1.20. State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified", + "cyberarkpas.audit.ca_properties.cpm_status": "failure", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.device_type": "Database", + "cyberarkpas.audit.ca_properties.last_fail_date": "1615827245", + "cyberarkpas.audit.ca_properties.last_task": "VerifyTask", + "cyberarkpas.audit.ca_properties.policy_id": "MySQL", + "cyberarkpas.audit.ca_properties.reset_immediately": "VerifyTask", + "cyberarkpas.audit.ca_properties.retries_count": "0", + "cyberarkpas.audit.ca_properties.user_name": "root", + "cyberarkpas.audit.desc": "CPM Verify Password Failed", + "cyberarkpas.audit.extra_details.address": "10.0.1.20", + "cyberarkpas.audit.extra_details.username": "root", + "cyberarkpas.audit.file": "Root\\Database-MySQL-10.0.1.20-root", + "cyberarkpas.audit.iso_timestamp": "2021-03-15T16:56:29Z", + "cyberarkpas.audit.issuer": "PasswordManager", + "cyberarkpas.audit.message": "CPM Verify Password Failed", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 15 09:56:29\n 2021-03-15T16:56:29Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 38\n CPM Verify Password Failed\n Error\n PasswordManager\n CPM Verify Password Failed\n \n \n partner\n Root\\Database-MySQL-10.0.1.20-root\n 10.0.1.20\n \n \n \n ImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server 10.0.1.20. State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified\n\n address=10.0.1.20;username=root;\n CPM Verify Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.reason": "ImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server 10.0.1.20. State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "partner", + "cyberarkpas.audit.severity": "Error", + "cyberarkpas.audit.station": "10.0.1.20", + "cyberarkpas.audit.timestamp": "Mar 15 09:56:29", + "destination.address": "10.0.1.20", + "destination.ip": "10.0.1.20", + "destination.user.name": "root", + "event.action": "cpm verify password failed", + "event.category": [ + "iam" + ], + "event.code": "38", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "failure", + "event.reason": "Error when verifypass to User root on Server 10.0.1.20. State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified", + "event.severity": 7, + "event.timezone": "-02:00", + "event.type": [ + "error" + ], + "file.path": "Root\\Database-MySQL-10.0.1.20-root", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 21222, + "log.syslog.priority": "7", + "network.direction": "internal", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "10.0.1.20" + ], + "related.user": [ + "PasswordManager", + "root" + ], + "service.type": "cyberarkpas", + "source.address": "10.0.1.20", + "source.ip": "10.0.1.20", + "source.user.name": "PasswordManager", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "PasswordManager" + }, + { + "@timestamp": "2021-03-15T17:01:07.000Z", + "cyberarkpas.audit.action": "CPM Verify Password Failed", + "cyberarkpas.audit.ca_properties.address": "10.0.1.20", + "cyberarkpas.audit.ca_properties.cpm_error_details": "Error when verifypass to User root on Server . State: IM014 Native error: 0 Message: [Microsoft][ODBC Driver Manager] The specified DSN contains an architecture mismatch between the Driver and Application", + "cyberarkpas.audit.ca_properties.cpm_status": "failure", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.device_type": "Database", + "cyberarkpas.audit.ca_properties.dsn": "mariadb", + "cyberarkpas.audit.ca_properties.last_fail_date": "1615827554", + "cyberarkpas.audit.ca_properties.last_task": "VerifyTask", + "cyberarkpas.audit.ca_properties.policy_id": "MySQL", + "cyberarkpas.audit.ca_properties.reset_immediately": "VerifyTask", + "cyberarkpas.audit.ca_properties.retries_count": "0", + "cyberarkpas.audit.ca_properties.user_name": "root", + "cyberarkpas.audit.desc": "CPM Verify Password Failed", + "cyberarkpas.audit.extra_details.address": "10.0.1.20", + "cyberarkpas.audit.extra_details.username": "root", + "cyberarkpas.audit.file": "Root\\Database-MySQL-10.0.1.20-root", + "cyberarkpas.audit.iso_timestamp": "2021-03-15T17:01:07Z", + "cyberarkpas.audit.issuer": "PasswordManager", + "cyberarkpas.audit.message": "CPM Verify Password Failed", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 15 10:01:07\n 2021-03-15T17:01:07Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 38\n CPM Verify Password Failed\n Error\n PasswordManager\n CPM Verify Password Failed\n \n \n partner\n Root\\Database-MySQL-10.0.1.20-root\n 10.0.1.20\n \n \n \n ImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server . State: IM014 Native error: 0 Message: [Microsoft][ODBC Driver Manager] The specified DSN contains an architecture mismatch between the Driver and Application\n\n address=10.0.1.20;username=root;\n CPM Verify Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.reason": "ImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server . State: IM014 Native error: 0 Message: [Microsoft][ODBC Driver Manager] The specified DSN contains an architecture mismatch between the Driver and Application\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "partner", + "cyberarkpas.audit.severity": "Error", + "cyberarkpas.audit.station": "10.0.1.20", + "cyberarkpas.audit.timestamp": "Mar 15 10:01:07", + "destination.address": "10.0.1.20", + "destination.ip": "10.0.1.20", + "destination.user.name": "root", + "event.action": "cpm verify password failed", + "event.category": [ + "iam" + ], + "event.code": "38", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "failure", + "event.reason": "Error when verifypass to User root on Server . State: IM014 Native error: 0 Message: [Microsoft][ODBC Driver Manager] The specified DSN contains an architecture mismatch between the Driver and Application", + "event.severity": 7, + "event.timezone": "-02:00", + "event.type": [ + "error" + ], + "file.path": "Root\\Database-MySQL-10.0.1.20-root", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 25232, + "log.syslog.priority": "7", + "network.direction": "internal", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "10.0.1.20" + ], + "related.user": [ + "PasswordManager", + "root" + ], + "service.type": "cyberarkpas", + "source.address": "10.0.1.20", + "source.ip": "10.0.1.20", + "source.user.name": "PasswordManager", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "PasswordManager" + }, + { + "@timestamp": "2021-03-15T17:05:47.000Z", + "cyberarkpas.audit.action": "CPM Verify Password Failed", + "cyberarkpas.audit.ca_properties.address": "10.0.1.20", + "cyberarkpas.audit.ca_properties.cpm_error_details": "Error when verifypass to User root on Server . State: HY090 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Invalid string or buffer length", + "cyberarkpas.audit.ca_properties.cpm_status": "failure", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.device_type": "Database", + "cyberarkpas.audit.ca_properties.dsn": "DRIVER={MariaDB ODBC 3.1 Driver};TCPIP=1;SERVER=localhost;UID=root;PWD=1234;DATABASE=test", + "cyberarkpas.audit.ca_properties.last_fail_date": "1615827864", + "cyberarkpas.audit.ca_properties.last_task": "VerifyTask", + "cyberarkpas.audit.ca_properties.policy_id": "MySQL", + "cyberarkpas.audit.ca_properties.reset_immediately": "VerifyTask", + "cyberarkpas.audit.ca_properties.retries_count": "0", + "cyberarkpas.audit.ca_properties.user_name": "root", + "cyberarkpas.audit.desc": "CPM Verify Password Failed", + "cyberarkpas.audit.extra_details.address": "10.0.1.20", + "cyberarkpas.audit.extra_details.username": "root", + "cyberarkpas.audit.file": "Root\\Database-MySQL-10.0.1.20-root", + "cyberarkpas.audit.iso_timestamp": "2021-03-15T17:05:47Z", + "cyberarkpas.audit.issuer": "PasswordManager", + "cyberarkpas.audit.message": "CPM Verify Password Failed", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 15 10:05:47\n 2021-03-15T17:05:47Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 38\n CPM Verify Password Failed\n Error\n PasswordManager\n CPM Verify Password Failed\n \n \n partner\n Root\\Database-MySQL-10.0.1.20-root\n 10.0.1.20\n \n \n \n ImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server . State: HY090 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Invalid string or buffer length\n\n address=10.0.1.20;username=root;\n CPM Verify Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.reason": "ImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server . State: HY090 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Invalid string or buffer length\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "partner", + "cyberarkpas.audit.severity": "Error", + "cyberarkpas.audit.station": "10.0.1.20", + "cyberarkpas.audit.timestamp": "Mar 15 10:05:47", + "destination.address": "10.0.1.20", + "destination.ip": "10.0.1.20", + "destination.user.name": "root", + "event.action": "cpm verify password failed", + "event.category": [ + "iam" + ], + "event.code": "38", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "failure", + "event.reason": "Error when verifypass to User root on Server . State: HY090 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Invalid string or buffer length", + "event.severity": 7, + "event.timezone": "-02:00", + "event.type": [ + "error" + ], + "file.path": "Root\\Database-MySQL-10.0.1.20-root", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 29415, + "log.syslog.priority": "7", + "network.direction": "internal", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "10.0.1.20" + ], + "related.user": [ + "PasswordManager", + "root" + ], + "service.type": "cyberarkpas", + "source.address": "10.0.1.20", + "source.ip": "10.0.1.20", + "source.user.name": "PasswordManager", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "PasswordManager" + }, + { + "@timestamp": "2021-03-15T17:10:25.000Z", + "cyberarkpas.audit.action": "CPM Verify Password Failed", + "cyberarkpas.audit.ca_properties.address": "10.0.1.20", + "cyberarkpas.audit.ca_properties.cpm_error_details": "Error when verifypass to User root on Server . State: HY090 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Invalid string or buffer length", + "cyberarkpas.audit.ca_properties.cpm_status": "failure", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.device_type": "Database", + "cyberarkpas.audit.ca_properties.dsn": "DSN=mariadb;TCPIP=1;SERVER=localhost;UID=root;PWD=1234;DATABASE=test", + "cyberarkpas.audit.ca_properties.last_fail_date": "1615828174", + "cyberarkpas.audit.ca_properties.last_task": "VerifyTask", + "cyberarkpas.audit.ca_properties.policy_id": "MySQL", + "cyberarkpas.audit.ca_properties.reset_immediately": "VerifyTask", + "cyberarkpas.audit.ca_properties.retries_count": "0", + "cyberarkpas.audit.ca_properties.user_name": "root", + "cyberarkpas.audit.desc": "CPM Verify Password Failed", + "cyberarkpas.audit.extra_details.address": "10.0.1.20", + "cyberarkpas.audit.extra_details.username": "root", + "cyberarkpas.audit.file": "Root\\Database-MySQL-10.0.1.20-root", + "cyberarkpas.audit.iso_timestamp": "2021-03-15T17:10:25Z", + "cyberarkpas.audit.issuer": "PasswordManager", + "cyberarkpas.audit.message": "CPM Verify Password Failed", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 15 10:10:25\n 2021-03-15T17:10:25Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 38\n CPM Verify Password Failed\n Error\n PasswordManager\n CPM Verify Password Failed\n \n \n partner\n Root\\Database-MySQL-10.0.1.20-root\n 10.0.1.20\n \n \n \n ImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server . State: HY090 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Invalid string or buffer length\n\n address=10.0.1.20;username=root;\n CPM Verify Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.reason": "ImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server . State: HY090 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Invalid string or buffer length\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "partner", + "cyberarkpas.audit.severity": "Error", + "cyberarkpas.audit.station": "10.0.1.20", + "cyberarkpas.audit.timestamp": "Mar 15 10:10:25", + "destination.address": "10.0.1.20", + "destination.ip": "10.0.1.20", + "destination.user.name": "root", + "event.action": "cpm verify password failed", + "event.category": [ + "iam" + ], + "event.code": "38", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "failure", + "event.reason": "Error when verifypass to User root on Server . State: HY090 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Invalid string or buffer length", + "event.severity": 7, + "event.timezone": "-02:00", + "event.type": [ + "error" + ], + "file.path": "Root\\Database-MySQL-10.0.1.20-root", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 33542, + "log.syslog.priority": "7", + "network.direction": "internal", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "10.0.1.20" + ], + "related.user": [ + "PasswordManager", + "root" + ], + "service.type": "cyberarkpas", + "source.address": "10.0.1.20", + "source.ip": "10.0.1.20", + "source.user.name": "PasswordManager", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "PasswordManager" + }, + { + "@timestamp": "2021-03-15T17:28:07.000Z", + "cyberarkpas.audit.action": "CPM Verify Password Failed", + "cyberarkpas.audit.ca_properties.address": "127.0.0.1", + "cyberarkpas.audit.ca_properties.cpm_error_details": "Error when verifypass to User root on Server 127.0.0.1. State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified", + "cyberarkpas.audit.ca_properties.cpm_status": "failure", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.database": "test", + "cyberarkpas.audit.ca_properties.device_type": "Database", + "cyberarkpas.audit.ca_properties.last_fail_date": "1615829287", + "cyberarkpas.audit.ca_properties.last_task": "VerifyTask", + "cyberarkpas.audit.ca_properties.policy_id": "MySQL", + "cyberarkpas.audit.ca_properties.port": "3306", + "cyberarkpas.audit.ca_properties.reset_immediately": "VerifyTask", + "cyberarkpas.audit.ca_properties.retries_count": "0", + "cyberarkpas.audit.ca_properties.user_name": "root", + "cyberarkpas.audit.desc": "CPM Verify Password Failed", + "cyberarkpas.audit.extra_details.address": "127.0.0.1", + "cyberarkpas.audit.extra_details.username": "root", + "cyberarkpas.audit.file": "Root\\Database-MySQL-10.0.1.20-root", + "cyberarkpas.audit.iso_timestamp": "2021-03-15T17:28:07Z", + "cyberarkpas.audit.issuer": "PasswordManager", + "cyberarkpas.audit.message": "CPM Verify Password Failed", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 15 10:28:07\n 2021-03-15T17:28:07Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 38\n CPM Verify Password Failed\n Error\n PasswordManager\n CPM Verify Password Failed\n \n \n partner\n Root\\Database-MySQL-10.0.1.20-root\n 10.0.1.20\n \n \n \n ImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server 127.0.0.1. State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified\n\n address=127.0.0.1;username=root;\n CPM Verify Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.reason": "ImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server 127.0.0.1. State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "partner", + "cyberarkpas.audit.severity": "Error", + "cyberarkpas.audit.station": "10.0.1.20", + "cyberarkpas.audit.timestamp": "Mar 15 10:28:07", + "destination.address": "127.0.0.1", + "destination.ip": "127.0.0.1", + "destination.user.name": "root", + "event.action": "cpm verify password failed", + "event.category": [ + "iam" + ], + "event.code": "38", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "failure", + "event.reason": "Error when verifypass to User root on Server 127.0.0.1. State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified", + "event.severity": 7, + "event.timezone": "-02:00", + "event.type": [ + "error" + ], + "file.path": "Root\\Database-MySQL-10.0.1.20-root", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 37627, + "log.syslog.priority": "7", + "network.direction": "internal", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "10.0.1.20", + "127.0.0.1" + ], + "related.user": [ + "PasswordManager", + "root" + ], + "service.type": "cyberarkpas", + "source.address": "10.0.1.20", + "source.ip": "10.0.1.20", + "source.user.name": "PasswordManager", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "PasswordManager" + }, + { + "@timestamp": "2021-03-15T17:33:17.000Z", + "cyberarkpas.audit.action": "CPM Verify Password Failed", + "cyberarkpas.audit.ca_properties.address": "127.0.0.1", + "cyberarkpas.audit.ca_properties.cpm_error_details": "Error when verifypass to User root on Server . State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified", + "cyberarkpas.audit.ca_properties.cpm_status": "failure", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.database": "test", + "cyberarkpas.audit.ca_properties.device_type": "Database", + "cyberarkpas.audit.ca_properties.dsn": "mysql", + "cyberarkpas.audit.ca_properties.last_fail_date": "1615829597", + "cyberarkpas.audit.ca_properties.last_task": "VerifyTask", + "cyberarkpas.audit.ca_properties.policy_id": "MySQL", + "cyberarkpas.audit.ca_properties.port": "3306", + "cyberarkpas.audit.ca_properties.reset_immediately": "VerifyTask", + "cyberarkpas.audit.ca_properties.retries_count": "0", + "cyberarkpas.audit.ca_properties.user_name": "root", + "cyberarkpas.audit.desc": "CPM Verify Password Failed", + "cyberarkpas.audit.extra_details.address": "127.0.0.1", + "cyberarkpas.audit.extra_details.username": "root", + "cyberarkpas.audit.file": "Root\\Database-MySQL-10.0.1.20-root", + "cyberarkpas.audit.iso_timestamp": "2021-03-15T17:33:17Z", + "cyberarkpas.audit.issuer": "PasswordManager", + "cyberarkpas.audit.message": "CPM Verify Password Failed", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 15 10:33:17\n 2021-03-15T17:33:17Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 38\n CPM Verify Password Failed\n Error\n PasswordManager\n CPM Verify Password Failed\n \n \n partner\n Root\\Database-MySQL-10.0.1.20-root\n 10.0.1.20\n \n \n \n ImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server . State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified\n\n address=127.0.0.1;username=root;\n CPM Verify Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.reason": "ImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server . State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "partner", + "cyberarkpas.audit.severity": "Error", + "cyberarkpas.audit.station": "10.0.1.20", + "cyberarkpas.audit.timestamp": "Mar 15 10:33:17", + "destination.address": "127.0.0.1", + "destination.ip": "127.0.0.1", + "destination.user.name": "root", + "event.action": "cpm verify password failed", + "event.category": [ + "iam" + ], + "event.code": "38", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "failure", + "event.reason": "Error when verifypass to User root on Server . State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified", + "event.severity": 7, + "event.timezone": "-02:00", + "event.type": [ + "error" + ], + "file.path": "Root\\Database-MySQL-10.0.1.20-root", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 41831, + "log.syslog.priority": "7", + "network.direction": "internal", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "10.0.1.20", + "127.0.0.1" + ], + "related.user": [ + "PasswordManager", + "root" + ], + "service.type": "cyberarkpas", + "source.address": "10.0.1.20", + "source.ip": "10.0.1.20", + "source.user.name": "PasswordManager", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "PasswordManager" + }, + { + "@timestamp": "2021-03-15T17:38:27.000Z", + "cyberarkpas.audit.action": "CPM Verify Password Failed", + "cyberarkpas.audit.ca_properties.address": "127.0.0.1", + "cyberarkpas.audit.ca_properties.cpm_error_details": "Error when verifypass to User root on Server . State: HY090 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Invalid string or buffer length", + "cyberarkpas.audit.ca_properties.cpm_status": "failure", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.database": "test", + "cyberarkpas.audit.ca_properties.device_type": "Database", + "cyberarkpas.audit.ca_properties.dsn": "Driver={MySQL ODBC 5.3 Unicode Driver};server=%ADDRESS%;user=%USER%;option=3;port=%PORT%;Password=%LOGONPASSWORD%", + "cyberarkpas.audit.ca_properties.last_fail_date": "1615829907", + "cyberarkpas.audit.ca_properties.last_task": "VerifyTask", + "cyberarkpas.audit.ca_properties.policy_id": "MySQL", + "cyberarkpas.audit.ca_properties.port": "3306", + "cyberarkpas.audit.ca_properties.reset_immediately": "VerifyTask", + "cyberarkpas.audit.ca_properties.retries_count": "0", + "cyberarkpas.audit.ca_properties.user_name": "root", + "cyberarkpas.audit.desc": "CPM Verify Password Failed", + "cyberarkpas.audit.extra_details.address": "127.0.0.1", + "cyberarkpas.audit.extra_details.username": "root", + "cyberarkpas.audit.file": "Root\\Database-MySQL-10.0.1.20-root", + "cyberarkpas.audit.iso_timestamp": "2021-03-15T17:38:27Z", + "cyberarkpas.audit.issuer": "PasswordManager", + "cyberarkpas.audit.message": "CPM Verify Password Failed", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 15 10:38:27\n 2021-03-15T17:38:27Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 38\n CPM Verify Password Failed\n Error\n PasswordManager\n CPM Verify Password Failed\n \n \n partner\n Root\\Database-MySQL-10.0.1.20-root\n 10.0.1.20\n \n \n \n ImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server . State: HY090 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Invalid string or buffer length\n\n address=127.0.0.1;username=root;\n CPM Verify Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.reason": "ImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server . State: HY090 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Invalid string or buffer length\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "partner", + "cyberarkpas.audit.severity": "Error", + "cyberarkpas.audit.station": "10.0.1.20", + "cyberarkpas.audit.timestamp": "Mar 15 10:38:27", + "destination.address": "127.0.0.1", + "destination.ip": "127.0.0.1", + "destination.user.name": "root", + "event.action": "cpm verify password failed", + "event.category": [ + "iam" + ], + "event.code": "38", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "failure", + "event.reason": "Error when verifypass to User root on Server . State: HY090 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Invalid string or buffer length", + "event.severity": 7, + "event.timezone": "-02:00", + "event.type": [ + "error" + ], + "file.path": "Root\\Database-MySQL-10.0.1.20-root", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 46092, + "log.syslog.priority": "7", + "network.direction": "internal", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "10.0.1.20", + "127.0.0.1" + ], + "related.user": [ + "PasswordManager", + "root" + ], + "service.type": "cyberarkpas", + "source.address": "10.0.1.20", + "source.ip": "10.0.1.20", + "source.user.name": "PasswordManager", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "PasswordManager" + }, + { + "@timestamp": "2021-03-15T18:00:07.000Z", + "cyberarkpas.audit.action": "CPM Verify Password Failed", + "cyberarkpas.audit.ca_properties.address": "Driver={MySQL ODBC 5.3 Unicode Driver};server=127.0.0.1;user=root;option=3;port=3306;Password=1234", + "cyberarkpas.audit.ca_properties.cpm_error_details": "Error when verifypass to User root on Server . State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified", + "cyberarkpas.audit.ca_properties.cpm_status": "failure", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.database": "test", + "cyberarkpas.audit.ca_properties.device_type": "Database", + "cyberarkpas.audit.ca_properties.dsn": "mysql", + "cyberarkpas.audit.ca_properties.last_fail_date": "1615831206", + "cyberarkpas.audit.ca_properties.last_task": "VerifyTask", + "cyberarkpas.audit.ca_properties.policy_id": "MySQL", + "cyberarkpas.audit.ca_properties.port": "3306", + "cyberarkpas.audit.ca_properties.reset_immediately": "VerifyTask", + "cyberarkpas.audit.ca_properties.retries_count": "0", + "cyberarkpas.audit.ca_properties.user_name": "root", + "cyberarkpas.audit.desc": "CPM Verify Password Failed", + "cyberarkpas.audit.extra_details.address": "Driver\\={MySQL ODBC 5.3 Unicode Driver}\\;server\\=127.0.0.1\\;user\\=root\\;option\\=3\\;port\\=3306\\;Password\\=1234", + "cyberarkpas.audit.extra_details.username": "root", + "cyberarkpas.audit.file": "Root\\Database-MySQL-10.0.1.20-root", + "cyberarkpas.audit.iso_timestamp": "2021-03-15T18:00:07Z", + "cyberarkpas.audit.issuer": "PasswordManager", + "cyberarkpas.audit.message": "CPM Verify Password Failed", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 15 11:00:07\n 2021-03-15T18:00:07Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 38\n CPM Verify Password Failed\n Error\n PasswordManager\n CPM Verify Password Failed\n \n \n partner\n Root\\Database-MySQL-10.0.1.20-root\n 10.0.1.20\n \n \n \n ImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server . State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified\n\n address=Driver\\={MySQL ODBC 5.3 Unicode Driver}\\;server\\=127.0.0.1\\;user\\=root\\;option\\=3\\;port\\=3306\\;Password\\=1234;username=root;\n CPM Verify Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.reason": "ImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server . State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "partner", + "cyberarkpas.audit.severity": "Error", + "cyberarkpas.audit.station": "10.0.1.20", + "cyberarkpas.audit.timestamp": "Mar 15 11:00:07", + "destination.address": "Driver={MySQL ODBC 5.3 Unicode Driver};server=127.0.0.1;user=root;option=3;port=3306;Password=1234", + "destination.domain": "Driver={MySQL ODBC 5.3 Unicode Driver};server=127.0.0.1;user=root;option=3;port=3306;Password=1234", + "destination.user.name": "root", + "event.action": "cpm verify password failed", + "event.category": [ + "iam" + ], + "event.code": "38", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "failure", + "event.reason": "Error when verifypass to User root on Server . State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified", + "event.severity": 7, + "event.timezone": "-02:00", + "event.type": [ + "error" + ], + "file.path": "Root\\Database-MySQL-10.0.1.20-root", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 50461, + "log.syslog.priority": "7", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "10.0.1.20" + ], + "related.user": [ + "PasswordManager", + "root" + ], + "service.type": "cyberarkpas", + "source.address": "10.0.1.20", + "source.ip": "10.0.1.20", + "source.user.name": "PasswordManager", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "PasswordManager" + }, + { + "@timestamp": "2021-03-15T18:05:16.000Z", + "cyberarkpas.audit.action": "CPM Verify Password Failed", + "cyberarkpas.audit.ca_properties.address": "34.66.114.180", + "cyberarkpas.audit.ca_properties.cpm_error_details": "Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). ", + "cyberarkpas.audit.ca_properties.cpm_status": "failure", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.device_type": "Operating System", + "cyberarkpas.audit.ca_properties.last_fail_date": "1615831516", + "cyberarkpas.audit.ca_properties.last_task": "VerifyTask", + "cyberarkpas.audit.ca_properties.logon_domain": "34.66.114.180", + "cyberarkpas.audit.ca_properties.policy_id": "WinDomain", + "cyberarkpas.audit.ca_properties.reset_immediately": "VerifyTask", + "cyberarkpas.audit.ca_properties.retries_count": "3", + "cyberarkpas.audit.ca_properties.user_name": "ELASTIC.local\\bart", + "cyberarkpas.audit.desc": "CPM Verify Password Failed", + "cyberarkpas.audit.extra_details.address": "34.66.114.180", + "cyberarkpas.audit.extra_details.retriescount": "3", + "cyberarkpas.audit.extra_details.username": "ELASTIC.local\\bart", + "cyberarkpas.audit.file": "Root\\Operating System-WinDomain-34.66.114.180-ELASTICbart", + "cyberarkpas.audit.iso_timestamp": "2021-03-15T18:05:16Z", + "cyberarkpas.audit.issuer": "PasswordManager", + "cyberarkpas.audit.message": "CPM Verify Password Failed", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 15 11:05:16\n 2021-03-15T18:05:16Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 38\n CPM Verify Password Failed\n Error\n PasswordManager\n CPM Verify Password Failed\n \n \n partner\n Root\\Operating System-WinDomain-34.66.114.180-ELASTICbart\n 10.0.1.20\n \n \n \n ImmediateTask,Failure. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-34.66.114.180-ELASTICbart failed (try #3). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). \n\n address=34.66.114.180;retriescount=3;username=ELASTIC.local\\bart;\n CPM Verify Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.reason": "ImmediateTask,Failure. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-34.66.114.180-ELASTICbart failed (try #3). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). \n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "partner", + "cyberarkpas.audit.severity": "Error", + "cyberarkpas.audit.station": "10.0.1.20", + "cyberarkpas.audit.timestamp": "Mar 15 11:05:16", + "destination.address": "34.66.114.180", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 38.6583, + "destination.geo.location.lon": -77.2481, + "destination.geo.region_iso_code": "US-VA", + "destination.geo.region_name": "Virginia", + "destination.ip": "34.66.114.180", + "destination.user.name": "ELASTIC.local\\bart", + "event.action": "cpm verify password failed", + "event.category": [ + "iam" + ], + "event.code": "38", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "failure", + "event.reason": "Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). ", + "event.severity": 7, + "event.timezone": "-02:00", + "event.type": [ + "error" + ], + "file.path": "Root\\Operating System-WinDomain-34.66.114.180-ELASTICbart", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 55122, + "log.syslog.priority": "7", + "network.direction": "outbound", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "10.0.1.20", + "34.66.114.180" + ], + "related.user": [ + "PasswordManager", + "ELASTIC.local\\bart" + ], + "service.type": "cyberarkpas", + "source.address": "10.0.1.20", + "source.ip": "10.0.1.20", + "source.user.name": "PasswordManager", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "PasswordManager" + }, + { + "@timestamp": "2021-03-16T09:50:19.000Z", + "cyberarkpas.audit.action": "CPM Verify Password Failed", + "cyberarkpas.audit.ca_properties.address": "34.66.114.180", + "cyberarkpas.audit.ca_properties.cpm_error_details": "Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). ", + "cyberarkpas.audit.ca_properties.cpm_status": "failure", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.device_type": "Operating System", + "cyberarkpas.audit.ca_properties.last_fail_date": "1615888216", + "cyberarkpas.audit.ca_properties.last_task": "VerifyTask", + "cyberarkpas.audit.ca_properties.logon_domain": "34.66.114.180", + "cyberarkpas.audit.ca_properties.policy_id": "WinDomain", + "cyberarkpas.audit.ca_properties.reset_immediately": "VerifyTask", + "cyberarkpas.audit.ca_properties.retries_count": "4", + "cyberarkpas.audit.ca_properties.user_name": "ELASTIC.local\\bart", + "cyberarkpas.audit.desc": "CPM Verify Password Failed", + "cyberarkpas.audit.extra_details.address": "34.66.114.180", + "cyberarkpas.audit.extra_details.retriescount": "4", + "cyberarkpas.audit.extra_details.username": "ELASTIC.local\\bart", + "cyberarkpas.audit.file": "Root\\Operating System-WinDomain-34.66.114.180-ELASTICbart", + "cyberarkpas.audit.iso_timestamp": "2021-03-16T09:50:19Z", + "cyberarkpas.audit.issuer": "PasswordManager", + "cyberarkpas.audit.message": "CPM Verify Password Failed", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 16 02:50:19\n 2021-03-16T09:50:19Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 38\n CPM Verify Password Failed\n Error\n PasswordManager\n CPM Verify Password Failed\n \n \n partner\n Root\\Operating System-WinDomain-34.66.114.180-ELASTICbart\n 10.0.1.20\n \n \n \n ImmediateTask,Failure. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-34.66.114.180-ELASTICbart failed (try #4). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). \n\n address=34.66.114.180;retriescount=4;username=ELASTIC.local\\bart;\n CPM Verify Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.reason": "ImmediateTask,Failure. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-34.66.114.180-ELASTICbart failed (try #4). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). \n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "partner", + "cyberarkpas.audit.severity": "Error", + "cyberarkpas.audit.station": "10.0.1.20", + "cyberarkpas.audit.timestamp": "Mar 16 02:50:19", + "destination.address": "34.66.114.180", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 38.6583, + "destination.geo.location.lon": -77.2481, + "destination.geo.region_iso_code": "US-VA", + "destination.geo.region_name": "Virginia", + "destination.ip": "34.66.114.180", + "destination.user.name": "ELASTIC.local\\bart", + "event.action": "cpm verify password failed", + "event.category": [ + "iam" + ], + "event.code": "38", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "failure", + "event.reason": "Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). ", + "event.severity": 7, + "event.timezone": "-02:00", + "event.type": [ + "error" + ], + "file.path": "Root\\Operating System-WinDomain-34.66.114.180-ELASTICbart", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 59407, + "log.syslog.priority": "7", + "network.direction": "outbound", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "10.0.1.20", + "34.66.114.180" + ], + "related.user": [ + "PasswordManager", + "ELASTIC.local\\bart" + ], + "service.type": "cyberarkpas", + "source.address": "10.0.1.20", + "source.ip": "10.0.1.20", + "source.user.name": "PasswordManager", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "PasswordManager" + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/411_window_title.log b/x-pack/filebeat/module/cyberarkpas/audit/test/411_window_title.log new file mode 100644 index 00000000000..1bc88cc1bbe --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/411_window_title.log @@ -0,0 +1 @@ +{"format":"elastic","version":"1.0","raw":"\n \n no\n Cyber-Ark\n Vault\n 11.6.0000\n 411\n Window Title\n Info\n adm2\n Window Title\n \n \n Windows\n Root\\Operating System-WIN-SERVER-LOCAL-dbserver.cyberark.local-Administrator2\n 10.2.0.5\n \n \n \n \n Command=shutdown.exe, Shutdown Event Tracker;ConnectionComponentId=PSM-RDP;DstHost=dbserver.cyberark.local;ProcessId=4144;ProcessName=shutdown.exe;Protocol=RDP;PSMID=PSMServer_88f6598;RDPOffset=218B;SessionID=a1f46060-1de4-4f56-a8ba-71fdf3140ac1;SrcHost=10.2.0.6;User=Administrator2;VIDOffset=12T;\n Window Title\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n","syslog":{"audit_record":{"Rfc5424":"no","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.6.0000","MessageID":"411","Desc":"Window Title","Severity":"Info","Issuer":"adm2","Action":"Window Title","SourceUser":"","TargetUser":"","Safe":"Windows","File":"Root\\Operating System-WIN-SERVER-LOCAL-dbserver.cyberark.local-Administrator2","Station":"10.2.0.5","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"Command=shutdown.exe, Shutdown Event Tracker;ConnectionComponentId=PSM-RDP;DstHost=dbserver.cyberark.local;ProcessId=4144;ProcessName=shutdown.exe;Protocol=RDP;PSMID=PSMServer_88f6598;RDPOffset=218B;SessionID=a1f46060-1de4-4f56-a8ba-71fdf3140ac1;SrcHost=10.2.0.6;User=Administrator2;VIDOffset=12T;","IsoTimestamp":"2021-03-16T17:11:42Z","Message":"Window Title","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WIN-SERVER-LOCAL"},{"Name":"UserName","Value":"Administrator2"},{"Name":"Address","Value":"dbserver.cyberark.local"},{"Name":"DeviceType","Value":"Operating System"},{"Name":"LogonDomain","Value":"DBServer"},{"Name":"SequenceID","Value":"1"},{"Name":"RetriesCount","Value":"-1"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"success"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"LastSuccessReconciliation","Value":"1604944215"},{"Name":"Customer","Value":"EvilCorp"}]}}}} diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/411_window_title.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/411_window_title.log-expected.json new file mode 100644 index 00000000000..365c217d660 --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/411_window_title.log-expected.json @@ -0,0 +1,84 @@ +[ + { + "@timestamp": "2021-03-16T17:11:42.000Z", + "cyberarkpas.audit.action": "Window Title", + "cyberarkpas.audit.ca_properties.address": "dbserver.cyberark.local", + "cyberarkpas.audit.ca_properties.cpm_status": "success", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.customer": "EvilCorp", + "cyberarkpas.audit.ca_properties.device_type": "Operating System", + "cyberarkpas.audit.ca_properties.last_success_reconciliation": "1604944215", + "cyberarkpas.audit.ca_properties.last_task": "ReconcileTask", + "cyberarkpas.audit.ca_properties.logon_domain": "DBServer", + "cyberarkpas.audit.ca_properties.policy_id": "WIN-SERVER-LOCAL", + "cyberarkpas.audit.ca_properties.retries_count": "-1", + "cyberarkpas.audit.ca_properties.sequence_id": "1", + "cyberarkpas.audit.ca_properties.user_name": "Administrator2", + "cyberarkpas.audit.desc": "Window Title", + "cyberarkpas.audit.extra_details.command": "shutdown.exe, Shutdown Event Tracker", + "cyberarkpas.audit.extra_details.connection_component_id": "PSM-RDP", + "cyberarkpas.audit.extra_details.dst_host": "dbserver.cyberark.local", + "cyberarkpas.audit.extra_details.process_id": "4144", + "cyberarkpas.audit.extra_details.process_name": "shutdown.exe", + "cyberarkpas.audit.extra_details.protocol": "RDP", + "cyberarkpas.audit.extra_details.psmid": "PSMServer_88f6598", + "cyberarkpas.audit.extra_details.rdp_offset": "218B", + "cyberarkpas.audit.extra_details.session_id": "a1f46060-1de4-4f56-a8ba-71fdf3140ac1", + "cyberarkpas.audit.extra_details.src_host": "10.2.0.6", + "cyberarkpas.audit.extra_details.user": "Administrator2", + "cyberarkpas.audit.extra_details.vid_offset": "12T", + "cyberarkpas.audit.file": "Root\\Operating System-WIN-SERVER-LOCAL-dbserver.cyberark.local-Administrator2", + "cyberarkpas.audit.iso_timestamp": "2021-03-16T17:11:42Z", + "cyberarkpas.audit.issuer": "adm2", + "cyberarkpas.audit.message": "Window Title", + "cyberarkpas.audit.raw": "\n \n no\n Cyber-Ark\n Vault\n 11.6.0000\n 411\n Window Title\n Info\n adm2\n Window Title\n \n \n Windows\n Root\\Operating System-WIN-SERVER-LOCAL-dbserver.cyberark.local-Administrator2\n 10.2.0.5\n \n \n \n \n Command=shutdown.exe, Shutdown Event Tracker;ConnectionComponentId=PSM-RDP;DstHost=dbserver.cyberark.local;ProcessId=4144;ProcessName=shutdown.exe;Protocol=RDP;PSMID=PSMServer_88f6598;RDPOffset=218B;SessionID=a1f46060-1de4-4f56-a8ba-71fdf3140ac1;SrcHost=10.2.0.6;User=Administrator2;VIDOffset=12T;\n Window Title\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n", + "cyberarkpas.audit.rfc5424": false, + "cyberarkpas.audit.safe": "Windows", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "10.2.0.5", + "destination.address": "dbserver.cyberark.local", + "destination.domain": "dbserver.cyberark.local", + "destination.user.name": "Administrator2", + "event.action": "window title", + "event.category": [ + "process" + ], + "event.code": "411", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "access", + "info" + ], + "file.path": "Root\\Operating System-WIN-SERVER-LOCAL-dbserver.cyberark.local-Administrator2", + "fileset.name": "audit", + "input.type": "log", + "log.offset": 0, + "network.application": "rdp", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.6.0000", + "process.name": "shutdown.exe", + "process.pid": "4144", + "related.ip": [ + "10.2.0.6", + "10.2.0.5" + ], + "related.user": [ + "adm2", + "Administrator2" + ], + "service.type": "cyberarkpas", + "source.address": "10.2.0.6", + "source.ip": "10.2.0.6", + "source.user.name": "adm2", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "adm2" + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/412_keystroke_logging.log b/x-pack/filebeat/module/cyberarkpas/audit/test/412_keystroke_logging.log new file mode 100644 index 00000000000..e10964e76c2 --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/412_keystroke_logging.log @@ -0,0 +1 @@ +<5>1 2021-03-25T11:29:37Z VLT01 {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 25 07:29:37\n 2021-03-25T11:29:37Z\n VLT01\n Cyber-Ark\n Vault\n 12.0.0000\n 412\n Keystroke logging\n Info\n Administrator\n Keystroke logging\n \n \n MSSQL\n Root\\Database-MSSql-epmsvr01.cybr.com-sa\n 10.0.0.15\n \n \n \n \n Command=SHOW DATABASES\\;;ConnectionComponentId=PSM-SQLServerMgmtStudio;DataBase=master;DstHost=tgtsvr01.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=975edc19-ad10-4b42-8098-f26afab40fac;SrcHost=127.0.0.1;TXTOffset=702B;User=sa;VIDOffset=33T;\n Keystroke logging\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 25 07:29:37","IsoTimestamp":"2021-03-25T11:29:37Z","Hostname":"VLT01","Vendor":"Cyber-Ark","Product":"Vault","Version":"12.0.0000","MessageID":"412","Desc":"Keystroke logging","Severity":"Info","Issuer":"Administrator","Action":"Keystroke logging","SourceUser":"","TargetUser":"","Safe":"MSSQL","File":"Root\\Database-MSSql-epmsvr01.cybr.com-sa","Station":"10.0.0.15","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"Command=SHOW DATABASES\\;;ConnectionComponentId=PSM-SQLServerMgmtStudio;DataBase=master;DstHost=tgtsvr01.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=975edc19-ad10-4b42-8098-f26afab40fac;SrcHost=127.0.0.1;TXTOffset=702B;User=sa;VIDOffset=33T;","Message":"Keystroke logging","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"MSSql"},{"Name":"UserName","Value":"sa"},{"Name":"Address","Value":"tgtsvr01.cybr.com"},{"Name":"Database","Value":"master"},{"Name":"DeviceType","Value":"Database"},{"Name":"CPMStatus","Value":"success"},{"Name":"RetriesCount","Value":"-1"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"LastSuccessVerification","Value":"1616580240"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"LastSuccessChange","Value":"1616011980"},{"Name":"Tags","Value":"SQL;DB"},{"Name":"Privcloud","Value":"privcloud"}]}}}} diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/412_keystroke_logging.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/412_keystroke_logging.log-expected.json new file mode 100644 index 00000000000..685a4a0586a --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/412_keystroke_logging.log-expected.json @@ -0,0 +1,85 @@ +[ + { + "@timestamp": "2021-03-25T11:29:37.000Z", + "cyberarkpas.audit.action": "Keystroke logging", + "cyberarkpas.audit.ca_properties.address": "tgtsvr01.cybr.com", + "cyberarkpas.audit.ca_properties.cpm_status": "success", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.database": "master", + "cyberarkpas.audit.ca_properties.device_type": "Database", + "cyberarkpas.audit.ca_properties.last_success_change": "1616011980", + "cyberarkpas.audit.ca_properties.last_success_verification": "1616580240", + "cyberarkpas.audit.ca_properties.last_task": "VerifyTask", + "cyberarkpas.audit.ca_properties.policy_id": "MSSql", + "cyberarkpas.audit.ca_properties.privcloud": "privcloud", + "cyberarkpas.audit.ca_properties.retries_count": "-1", + "cyberarkpas.audit.ca_properties.tags": "SQL;DB", + "cyberarkpas.audit.ca_properties.user_name": "sa", + "cyberarkpas.audit.desc": "Keystroke logging", + "cyberarkpas.audit.extra_details.command": "SHOW DATABASES\\;", + "cyberarkpas.audit.extra_details.connection_component_id": "PSM-SQLServerMgmtStudio", + "cyberarkpas.audit.extra_details.data_base": "master", + "cyberarkpas.audit.extra_details.dst_host": "tgtsvr01.cybr.com", + "cyberarkpas.audit.extra_details.protocol": "SQLNet", + "cyberarkpas.audit.extra_details.psmid": "PSMServer", + "cyberarkpas.audit.extra_details.session_id": "975edc19-ad10-4b42-8098-f26afab40fac", + "cyberarkpas.audit.extra_details.src_host": "127.0.0.1", + "cyberarkpas.audit.extra_details.txt_offset": "702B", + "cyberarkpas.audit.extra_details.user": "sa", + "cyberarkpas.audit.extra_details.vid_offset": "33T", + "cyberarkpas.audit.file": "Root\\Database-MSSql-epmsvr01.cybr.com-sa", + "cyberarkpas.audit.iso_timestamp": "2021-03-25T11:29:37Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Keystroke logging", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 25 07:29:37\n 2021-03-25T11:29:37Z\n VLT01\n Cyber-Ark\n Vault\n 12.0.0000\n 412\n Keystroke logging\n Info\n Administrator\n Keystroke logging\n \n \n MSSQL\n Root\\Database-MSSql-epmsvr01.cybr.com-sa\n 10.0.0.15\n \n \n \n \n Command=SHOW DATABASES\\;;ConnectionComponentId=PSM-SQLServerMgmtStudio;DataBase=master;DstHost=tgtsvr01.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=975edc19-ad10-4b42-8098-f26afab40fac;SrcHost=127.0.0.1;TXTOffset=702B;User=sa;VIDOffset=33T;\n Keystroke logging\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "MSSQL", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "10.0.0.15", + "cyberarkpas.audit.timestamp": "Mar 25 07:29:37", + "destination.address": "tgtsvr01.cybr.com", + "destination.domain": "tgtsvr01.cybr.com", + "destination.user.name": "sa", + "event.action": "keystroke logging", + "event.category": [ + "session" + ], + "event.code": "412", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "file.path": "Root\\Database-MSSql-epmsvr01.cybr.com-sa", + "fileset.name": "audit", + "host.name": "VLT01", + "input.type": "log", + "log.offset": 0, + "log.syslog.priority": "5", + "network.application": "sqlnet", + "observer.hostname": "VLT01", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "12.0.0000", + "related.ip": [ + "127.0.0.1", + "10.0.0.15" + ], + "related.user": [ + "Administrator", + "sa" + ], + "service.type": "cyberarkpas", + "source.address": "127.0.0.1", + "source.ip": "127.0.0.1", + "source.user.name": "Administrator", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "Administrator" + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/414_cpm_verify_ssh_key.log b/x-pack/filebeat/module/cyberarkpas/audit/test/414_cpm_verify_ssh_key.log new file mode 100644 index 00000000000..d1548afa3c1 --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/414_cpm_verify_ssh_key.log @@ -0,0 +1 @@ +<5>1 2021-03-25T10:04:06Z VLT01 {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 25 06:04:06\n 2021-03-25T10:04:06Z\n VLT01\n Cyber-Ark\n Vault\n 12.0.0000\n 414\n CPM Verify SSH Key\n Info\n PasswordManager\n CPM Verify SSH Key\n \n \n Linux SSH Keys\n Root\\Operating System-UnixSSHKeys-rhel7.cybr.com-firecall1\n 10.0.0.15\n \n \n \n VerificationPeriod\n address=rhel7.cybr.com;username=firecall1;\n CPM Verify SSH Key\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 25 06:04:06","IsoTimestamp":"2021-03-25T10:04:06Z","Hostname":"VLT01","Vendor":"Cyber-Ark","Product":"Vault","Version":"12.0.0000","MessageID":"414","Desc":"CPM Verify SSH Key","Severity":"Info","Issuer":"PasswordManager","Action":"CPM Verify SSH Key","SourceUser":"","TargetUser":"","Safe":"Linux SSH Keys","File":"Root\\Operating System-UnixSSHKeys-rhel7.cybr.com-firecall1","Station":"10.0.0.15","Location":"","Category":"","RequestId":"","Reason":"VerificationPeriod","ExtraDetails":"address=rhel7.cybr.com;username=firecall1;","Message":"CPM Verify SSH Key","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"firecall1"},{"Name":"Address","Value":"rhel7.cybr.com"},{"Name":"DeviceType","Value":"Operating System"},{"Name":"SequenceID","Value":"2"},{"Name":"CPMStatus","Value":"success"},{"Name":"ExtraPass3Name","Value":"Operating System-UnixSSH-rhel7.cybr.com-root"},{"Name":"ExtraPass3Folder","Value":"Root"},{"Name":"ExtraPass3Safe","Value":"Linux Root"},{"Name":"RetriesCount","Value":"-1"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"LastSuccessVerification","Value":"1616666646"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"LastSuccessChange","Value":"1582315464"},{"Name":"Tags","Value":"SSH"},{"Name":"Privcloud","Value":"privcloud"}]}}}} diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/414_cpm_verify_ssh_key.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/414_cpm_verify_ssh_key.log-expected.json new file mode 100644 index 00000000000..fe2d5aedaf7 --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/414_cpm_verify_ssh_key.log-expected.json @@ -0,0 +1,80 @@ +[ + { + "@timestamp": "2021-03-25T10:04:06.000Z", + "cyberarkpas.audit.action": "CPM Verify SSH Key", + "cyberarkpas.audit.ca_properties.address": "rhel7.cybr.com", + "cyberarkpas.audit.ca_properties.cpm_status": "success", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.device_type": "Operating System", + "cyberarkpas.audit.ca_properties.extra_pass3_folder": "Root", + "cyberarkpas.audit.ca_properties.extra_pass3_name": "Operating System-UnixSSH-rhel7.cybr.com-root", + "cyberarkpas.audit.ca_properties.extra_pass3_safe": "Linux Root", + "cyberarkpas.audit.ca_properties.last_success_change": "1582315464", + "cyberarkpas.audit.ca_properties.last_success_verification": "1616666646", + "cyberarkpas.audit.ca_properties.last_task": "VerifyTask", + "cyberarkpas.audit.ca_properties.policy_id": "UnixSSHKeys", + "cyberarkpas.audit.ca_properties.privcloud": "privcloud", + "cyberarkpas.audit.ca_properties.retries_count": "-1", + "cyberarkpas.audit.ca_properties.sequence_id": "2", + "cyberarkpas.audit.ca_properties.tags": "SSH", + "cyberarkpas.audit.ca_properties.user_name": "firecall1", + "cyberarkpas.audit.desc": "CPM Verify SSH Key", + "cyberarkpas.audit.extra_details.address": "rhel7.cybr.com", + "cyberarkpas.audit.extra_details.username": "firecall1", + "cyberarkpas.audit.file": "Root\\Operating System-UnixSSHKeys-rhel7.cybr.com-firecall1", + "cyberarkpas.audit.iso_timestamp": "2021-03-25T10:04:06Z", + "cyberarkpas.audit.issuer": "PasswordManager", + "cyberarkpas.audit.message": "CPM Verify SSH Key", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 25 06:04:06\n 2021-03-25T10:04:06Z\n VLT01\n Cyber-Ark\n Vault\n 12.0.0000\n 414\n CPM Verify SSH Key\n Info\n PasswordManager\n CPM Verify SSH Key\n \n \n Linux SSH Keys\n Root\\Operating System-UnixSSHKeys-rhel7.cybr.com-firecall1\n 10.0.0.15\n \n \n \n VerificationPeriod\n address=rhel7.cybr.com;username=firecall1;\n CPM Verify SSH Key\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.reason": "VerificationPeriod", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "Linux SSH Keys", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "10.0.0.15", + "cyberarkpas.audit.timestamp": "Mar 25 06:04:06", + "destination.address": "rhel7.cybr.com", + "destination.domain": "rhel7.cybr.com", + "destination.user.name": "firecall1", + "event.action": "cpm verify ssh key", + "event.category": [ + "iam" + ], + "event.code": "414", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "admin", + "info" + ], + "file.path": "Root\\Operating System-UnixSSHKeys-rhel7.cybr.com-firecall1", + "fileset.name": "audit", + "host.name": "VLT01", + "input.type": "log", + "log.offset": 0, + "log.syslog.priority": "5", + "observer.hostname": "VLT01", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "12.0.0000", + "related.ip": [ + "10.0.0.15" + ], + "related.user": [ + "PasswordManager", + "firecall1" + ], + "service.type": "cyberarkpas", + "source.address": "10.0.0.15", + "source.ip": "10.0.0.15", + "source.user.name": "PasswordManager", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "PasswordManager" + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/427_store_ssh_key.log b/x-pack/filebeat/module/cyberarkpas/audit/test/427_store_ssh_key.log new file mode 100644 index 00000000000..8c7361274f6 --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/427_store_ssh_key.log @@ -0,0 +1 @@ +<5>1 2021-03-11T16:50:17Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 08:50:17\n 2021-03-11T16:50:17Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 427\n Store SSH Key\n Info\n Administrator\n Store SSH Key\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 127.0.0.1\n \n \n \n \n \n Store SSH Key\n 10.0.1.20\n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 08:50:17","IsoTimestamp":"2021-03-11T16:50:17Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"427","Desc":"Store SSH Key","Severity":"Info","Issuer":"Administrator","Action":"Store SSH Key","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Store SSH Key","GatewayStation":"10.0.1.20"}}} diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/427_store_ssh_key.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/427_store_ssh_key.log-expected.json new file mode 100644 index 00000000000..50385a481b0 --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/427_store_ssh_key.log-expected.json @@ -0,0 +1,49 @@ +[ + { + "@timestamp": "2021-03-11T16:50:17.000Z", + "cyberarkpas.audit.action": "Store SSH Key", + "cyberarkpas.audit.desc": "Store SSH Key", + "cyberarkpas.audit.file": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian", + "cyberarkpas.audit.gateway_station": "10.0.1.20", + "cyberarkpas.audit.iso_timestamp": "2021-03-11T16:50:17Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Store SSH Key", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 08:50:17\n 2021-03-11T16:50:17Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 427\n Store SSH Key\n Info\n Administrator\n Store SSH Key\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 127.0.0.1\n \n \n \n \n \n Store SSH Key\n 10.0.1.20\n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "PSM", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "127.0.0.1", + "cyberarkpas.audit.timestamp": "Mar 11 08:50:17", + "destination.address": "10.0.1.20", + "destination.ip": "10.0.1.20", + "event.action": "store ssh key", + "event.code": "427", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "file.path": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 0, + "log.syslog.priority": "5", + "network.direction": "internal", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "127.0.0.1", + "10.0.1.20" + ], + "service.type": "cyberarkpas", + "source.address": "127.0.0.1", + "source.ip": "127.0.0.1", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/428_retrieve_ssh_key.log b/x-pack/filebeat/module/cyberarkpas/audit/test/428_retrieve_ssh_key.log new file mode 100644 index 00000000000..1420d0a428e --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/428_retrieve_ssh_key.log @@ -0,0 +1,3 @@ +<5>1 2021-03-11T17:43:44Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:43:44\n 2021-03-11T17:43:44Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 428\n Retrieve SSH Key\n Info\n Administrator\n Retrieve SSH Key\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 127.0.0.1\n \n \n \n (Action: Retrieve SSH key)for fun and profit\n \n \n for fun and profit\n Retrieve SSH key\n \n\n \n Retrieve SSH Key\n 10.0.1.20\n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:43:44","IsoTimestamp":"2021-03-11T17:43:44Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"428","Desc":"Retrieve SSH Key","Severity":"Info","Issuer":"Administrator","Action":"Retrieve SSH Key","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"(Action: Retrieve SSH key)for fun and profit","PvwaDetails":{"RetrieveReason":{"General":{"UserReason":"for fun and profit","RetrieveAction":"Retrieve SSH key"}}},"ExtraDetails":"","Message":"Retrieve SSH Key","GatewayStation":"10.0.1.20","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-11T21:08:48Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 13:08:48\n 2021-03-11T21:08:48Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 428\n Retrieve SSH Key\n Info\n Administrator\n Retrieve SSH Key\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 127.0.0.1\n \n \n \n (Action: Connect)testing(Connection to address: 34.123.103.115)\n \n \n testing\n Connect\n \n \n 34.123.103.115\n \n\n \n Retrieve SSH Key\n 10.0.1.20\n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 13:08:48","IsoTimestamp":"2021-03-11T21:08:48Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"428","Desc":"Retrieve SSH Key","Severity":"Info","Issuer":"Administrator","Action":"Retrieve SSH Key","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"(Action: Connect)testing(Connection to address: 34.123.103.115)","PvwaDetails":{"RetrieveReason":{"General":{"UserReason":"testing","RetrieveAction":"Connect"},"ConnectionDetails":{"ConnectionAddress":"34.123.103.115"}}},"ExtraDetails":"","Message":"Retrieve SSH Key","GatewayStation":"10.0.1.20","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-15T13:18:52Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 06:18:52\n 2021-03-15T13:18:52Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 428\n Retrieve SSH Key\n Info\n Administrator\n Retrieve SSH Key\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 127.0.0.1\n \n \n \n (Action: Retrieve SSH key)\n \n \n Retrieve SSH key\n \n\n \n Retrieve SSH Key\n 10.0.1.20\n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 06:18:52","IsoTimestamp":"2021-03-15T13:18:52Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"428","Desc":"Retrieve SSH Key","Severity":"Info","Issuer":"Administrator","Action":"Retrieve SSH Key","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"(Action: Retrieve SSH key)","PvwaDetails":{"RetrieveReason":{"General":{"RetrieveAction":"Retrieve SSH key"}}},"ExtraDetails":"","Message":"Retrieve SSH Key","GatewayStation":"10.0.1.20","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/428_retrieve_ssh_key.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/428_retrieve_ssh_key.log-expected.json new file mode 100644 index 00000000000..23d05a8184d --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/428_retrieve_ssh_key.log-expected.json @@ -0,0 +1,233 @@ +[ + { + "@timestamp": "2021-03-11T17:43:44.000Z", + "cyberarkpas.audit.action": "Retrieve SSH Key", + "cyberarkpas.audit.ca_properties.address": "34.123.103.115", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.device_type": "Operating System", + "cyberarkpas.audit.ca_properties.policy_id": "UnixSSHKeys", + "cyberarkpas.audit.ca_properties.user_name": "adrian", + "cyberarkpas.audit.desc": "Retrieve SSH Key", + "cyberarkpas.audit.file": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian", + "cyberarkpas.audit.gateway_station": "10.0.1.20", + "cyberarkpas.audit.iso_timestamp": "2021-03-11T17:43:44Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Retrieve SSH Key", + "cyberarkpas.audit.pvwa_details.retrieve_reason.general.retrieve_action": "Retrieve SSH key", + "cyberarkpas.audit.pvwa_details.retrieve_reason.general.user_reason": "for fun and profit", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 09:43:44\n 2021-03-11T17:43:44Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 428\n Retrieve SSH Key\n Info\n Administrator\n Retrieve SSH Key\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 127.0.0.1\n \n \n \n (Action: Retrieve SSH key)for fun and profit\n \n \n for fun and profit\n Retrieve SSH key\n \n\n \n Retrieve SSH Key\n 10.0.1.20\n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.reason": "(Action: Retrieve SSH key)for fun and profit", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "PSM", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "127.0.0.1", + "cyberarkpas.audit.timestamp": "Mar 11 09:43:44", + "destination.address": "34.123.103.115", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "34.123.103.115", + "destination.user.name": "adrian", + "event.action": "retrieve ssh key", + "event.category": [ + "iam" + ], + "event.code": "428", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.reason": "(Action: Retrieve SSH key)for fun and profit", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "admin", + "access" + ], + "file.path": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 0, + "log.syslog.priority": "5", + "network.direction": "outbound", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "127.0.0.1", + "34.123.103.115", + "10.0.1.20" + ], + "related.user": [ + "Administrator", + "adrian" + ], + "service.type": "cyberarkpas", + "source.address": "127.0.0.1", + "source.ip": "127.0.0.1", + "source.user.name": "Administrator", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "Administrator" + }, + { + "@timestamp": "2021-03-11T21:08:48.000Z", + "cyberarkpas.audit.action": "Retrieve SSH Key", + "cyberarkpas.audit.ca_properties.address": "34.123.103.115", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.device_type": "Operating System", + "cyberarkpas.audit.ca_properties.policy_id": "UnixSSHKeys", + "cyberarkpas.audit.ca_properties.user_name": "adrian", + "cyberarkpas.audit.desc": "Retrieve SSH Key", + "cyberarkpas.audit.file": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian", + "cyberarkpas.audit.gateway_station": "10.0.1.20", + "cyberarkpas.audit.iso_timestamp": "2021-03-11T21:08:48Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Retrieve SSH Key", + "cyberarkpas.audit.pvwa_details.retrieve_reason.connection_details.connection_address": "34.123.103.115", + "cyberarkpas.audit.pvwa_details.retrieve_reason.general.retrieve_action": "Connect", + "cyberarkpas.audit.pvwa_details.retrieve_reason.general.user_reason": "testing", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 13:08:48\n 2021-03-11T21:08:48Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 428\n Retrieve SSH Key\n Info\n Administrator\n Retrieve SSH Key\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 127.0.0.1\n \n \n \n (Action: Connect)testing(Connection to address: 34.123.103.115)\n \n \n testing\n Connect\n \n \n 34.123.103.115\n \n\n \n Retrieve SSH Key\n 10.0.1.20\n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.reason": "(Action: Connect)testing(Connection to address: 34.123.103.115)", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "PSM", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "127.0.0.1", + "cyberarkpas.audit.timestamp": "Mar 11 13:08:48", + "destination.address": "34.123.103.115", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "34.123.103.115", + "destination.user.name": "adrian", + "event.action": "retrieve ssh key", + "event.category": [ + "iam" + ], + "event.code": "428", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.reason": "(Action: Connect)testing(Connection to address: 34.123.103.115)", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "admin", + "access" + ], + "file.path": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 2618, + "log.syslog.priority": "5", + "network.direction": "outbound", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "127.0.0.1", + "34.123.103.115", + "10.0.1.20" + ], + "related.user": [ + "Administrator", + "adrian" + ], + "service.type": "cyberarkpas", + "source.address": "127.0.0.1", + "source.ip": "127.0.0.1", + "source.user.name": "Administrator", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "Administrator" + }, + { + "@timestamp": "2021-03-15T13:18:52.000Z", + "cyberarkpas.audit.action": "Retrieve SSH Key", + "cyberarkpas.audit.ca_properties.address": "34.123.103.115", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.device_type": "Operating System", + "cyberarkpas.audit.ca_properties.policy_id": "UnixSSHKeys", + "cyberarkpas.audit.ca_properties.user_name": "adrian", + "cyberarkpas.audit.desc": "Retrieve SSH Key", + "cyberarkpas.audit.file": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian", + "cyberarkpas.audit.gateway_station": "10.0.1.20", + "cyberarkpas.audit.iso_timestamp": "2021-03-15T13:18:52Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Retrieve SSH Key", + "cyberarkpas.audit.pvwa_details.retrieve_reason.general.retrieve_action": "Retrieve SSH key", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 15 06:18:52\n 2021-03-15T13:18:52Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 428\n Retrieve SSH Key\n Info\n Administrator\n Retrieve SSH Key\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 127.0.0.1\n \n \n \n (Action: Retrieve SSH key)\n \n \n Retrieve SSH key\n \n\n \n Retrieve SSH Key\n 10.0.1.20\n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.reason": "(Action: Retrieve SSH key)", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "PSM", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "127.0.0.1", + "cyberarkpas.audit.timestamp": "Mar 15 06:18:52", + "destination.address": "34.123.103.115", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "34.123.103.115", + "destination.user.name": "adrian", + "event.action": "retrieve ssh key", + "event.category": [ + "iam" + ], + "event.code": "428", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.reason": "(Action: Retrieve SSH key)", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "admin", + "access" + ], + "file.path": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 5399, + "log.syslog.priority": "5", + "network.direction": "outbound", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "127.0.0.1", + "34.123.103.115", + "10.0.1.20" + ], + "related.user": [ + "Administrator", + "adrian" + ], + "service.type": "cyberarkpas", + "source.address": "127.0.0.1", + "source.ip": "127.0.0.1", + "source.user.name": "Administrator", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "Administrator" + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/449_create_discovery_succeeded.log b/x-pack/filebeat/module/cyberarkpas/audit/test/449_create_discovery_succeeded.log new file mode 100644 index 00000000000..2101b711cb2 --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/449_create_discovery_succeeded.log @@ -0,0 +1 @@ +<5>1 2021-03-14T12:06:35Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 05:06:35\n 2021-03-14T12:06:35Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 449\n Create Discovery Succeeded\n Info\n Administrator\n Create Discovery Succeeded\n \n \n \n \n 10.0.1.20\n \n \n \n Status:Success; Discovery:; Reason:;\n \n Create Discovery Succeeded\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 05:06:35","IsoTimestamp":"2021-03-14T12:06:35Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"449","Desc":"Create Discovery Succeeded","Severity":"Info","Issuer":"Administrator","Action":"Create Discovery Succeeded","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"Status:Success; Discovery:; Reason:;","ExtraDetails":"","Message":"Create Discovery Succeeded","GatewayStation":""}}} diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/449_create_discovery_succeeded.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/449_create_discovery_succeeded.log-expected.json new file mode 100644 index 00000000000..17b939fab90 --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/449_create_discovery_succeeded.log-expected.json @@ -0,0 +1,42 @@ +[ + { + "@timestamp": "2021-03-14T12:06:35.000Z", + "cyberarkpas.audit.action": "Create Discovery Succeeded", + "cyberarkpas.audit.desc": "Create Discovery Succeeded", + "cyberarkpas.audit.iso_timestamp": "2021-03-14T12:06:35Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Create Discovery Succeeded", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 14 05:06:35\n 2021-03-14T12:06:35Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 449\n Create Discovery Succeeded\n Info\n Administrator\n Create Discovery Succeeded\n \n \n \n \n 10.0.1.20\n \n \n \n Status:Success; Discovery:; Reason:;\n \n Create Discovery Succeeded\n \n \n\n", + "cyberarkpas.audit.reason": "Status:Success; Discovery:; Reason:;", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "10.0.1.20", + "cyberarkpas.audit.timestamp": "Mar 14 05:06:35", + "event.action": "create discovery succeeded", + "event.code": "449", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 0, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "10.0.1.20" + ], + "service.type": "cyberarkpas", + "source.address": "10.0.1.20", + "source.ip": "10.0.1.20", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/459_general_audit.log b/x-pack/filebeat/module/cyberarkpas/audit/test/459_general_audit.log new file mode 100644 index 00000000000..918e0a5df3a --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/459_general_audit.log @@ -0,0 +1,3 @@ +<5>1 2021-03-08T10:19:42Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 08 02:19:42","IsoTimestamp":"2021-03-08T10:19:42Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"459","Desc":"General Audit","Severity":"Info","Issuer":"PasswordManager","Action":"General Audit","SourceUser":"","TargetUser":"","Safe":"Test","File":"Root\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountB","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"Dual account rotation","ExtraDetails":"DualAccountStatus=Active;Index=2;","Message":"General Audit","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WinDesktopLocal"},{"Name":"UserName","Value":"x_accountB"},{"Name":"Address","Value":"components"},{"Name":"SequenceID","Value":"24"},{"Name":"CPMStatus","Value":"success"},{"Name":"RetriesCount","Value":"-1"},{"Name":"LastTask","Value":"ChangeTask"},{"Name":"GroupName","Value":"WindowsGroup"},{"Name":"LastSuccessChange","Value":"1614868762"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"},{"Name":"Index","Value":"2"},{"Name":"DualAccountStatus","Value":"Active"},{"Name":"VirtualUsername","Value":"virtual"}]}}}} +<5>1 2021-03-10T14:38:57Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 06:38:57","IsoTimestamp":"2021-03-10T14:38:57Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"459","Desc":"General Audit","Severity":"Info","Issuer":"PasswordManager","Action":"General Audit","SourceUser":"","TargetUser":"","Safe":"Test","File":"Root\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountA","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"Dual account rotation","ExtraDetails":"DualAccountStatus=Active;Index=1;","Message":"General Audit","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WinDesktopLocal"},{"Name":"UserName","Value":"x_accountA"},{"Name":"Address","Value":"components"},{"Name":"SequenceID","Value":"27"},{"Name":"CPMStatus","Value":"success"},{"Name":"RetriesCount","Value":"-1"},{"Name":"LastTask","Value":"ChangeTask"},{"Name":"GroupName","Value":"WindowsGroup"},{"Name":"LastSuccessChange","Value":"1615231204"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"},{"Name":"Index","Value":"1"},{"Name":"DualAccountStatus","Value":"Active"},{"Name":"VirtualUsername","Value":"virtual"}]}}}} +<5>1 2021-03-14T11:48:26Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 04:48:26\n 2021-03-14T11:48:26Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 459\n General Audit\n Info\n PasswordManager\n General Audit\n \n \n Test\n Root\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountB\n 10.0.1.20\n \n \n \n Dual account rotation\n DualAccountStatus=Active;Index=2;\n General Audit\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 04:48:26","IsoTimestamp":"2021-03-14T11:48:26Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"459","Desc":"General Audit","Severity":"Info","Issuer":"PasswordManager","Action":"General Audit","SourceUser":"","TargetUser":"","Safe":"Test","File":"Root\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountB","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"Dual account rotation","ExtraDetails":"DualAccountStatus=Active;Index=2;","Message":"General Audit","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WinDesktopLocal"},{"Name":"UserName","Value":"x_accountB"},{"Name":"Address","Value":"components"},{"Name":"SequenceID","Value":"25"},{"Name":"CPMStatus","Value":"success"},{"Name":"RetriesCount","Value":"-1"},{"Name":"LastTask","Value":"ChangeTask"},{"Name":"GroupName","Value":"WindowsGroup"},{"Name":"LastSuccessChange","Value":"1615419568"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"},{"Name":"Index","Value":"2"},{"Name":"DualAccountStatus","Value":"Active"},{"Name":"VirtualUsername","Value":"virtual"}]}}}} diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/459_general_audit.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/459_general_audit.log-expected.json new file mode 100644 index 00000000000..d607b784f41 --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/459_general_audit.log-expected.json @@ -0,0 +1,177 @@ +[ + { + "@timestamp": "2021-03-08T10:19:42.000Z", + "cyberarkpas.audit.action": "General Audit", + "cyberarkpas.audit.ca_properties.address": "components", + "cyberarkpas.audit.ca_properties.cpm_status": "success", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.device_type": "Operating System", + "cyberarkpas.audit.ca_properties.dual_account_status": "Active", + "cyberarkpas.audit.ca_properties.group_name": "WindowsGroup", + "cyberarkpas.audit.ca_properties.index": "2", + "cyberarkpas.audit.ca_properties.last_success_change": "1614868762", + "cyberarkpas.audit.ca_properties.last_task": "ChangeTask", + "cyberarkpas.audit.ca_properties.policy_id": "WinDesktopLocal", + "cyberarkpas.audit.ca_properties.retries_count": "-1", + "cyberarkpas.audit.ca_properties.sequence_id": "24", + "cyberarkpas.audit.ca_properties.user_name": "x_accountB", + "cyberarkpas.audit.ca_properties.virtual_username": "virtual", + "cyberarkpas.audit.desc": "General Audit", + "cyberarkpas.audit.extra_details.dual_account_status": "Active", + "cyberarkpas.audit.extra_details.index": "2", + "cyberarkpas.audit.file": "Root\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountB", + "cyberarkpas.audit.iso_timestamp": "2021-03-08T10:19:42Z", + "cyberarkpas.audit.issuer": "PasswordManager", + "cyberarkpas.audit.message": "General Audit", + "cyberarkpas.audit.reason": "Dual account rotation", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "Test", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "10.0.1.20", + "cyberarkpas.audit.timestamp": "Mar 08 02:19:42", + "event.action": "general audit", + "event.code": "459", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "file.path": "Root\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountB", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 0, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "10.0.1.20" + ], + "service.type": "cyberarkpas", + "source.address": "10.0.1.20", + "source.ip": "10.0.1.20", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + }, + { + "@timestamp": "2021-03-10T14:38:57.000Z", + "cyberarkpas.audit.action": "General Audit", + "cyberarkpas.audit.ca_properties.address": "components", + "cyberarkpas.audit.ca_properties.cpm_status": "success", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.device_type": "Operating System", + "cyberarkpas.audit.ca_properties.dual_account_status": "Active", + "cyberarkpas.audit.ca_properties.group_name": "WindowsGroup", + "cyberarkpas.audit.ca_properties.index": "1", + "cyberarkpas.audit.ca_properties.last_success_change": "1615231204", + "cyberarkpas.audit.ca_properties.last_task": "ChangeTask", + "cyberarkpas.audit.ca_properties.policy_id": "WinDesktopLocal", + "cyberarkpas.audit.ca_properties.retries_count": "-1", + "cyberarkpas.audit.ca_properties.sequence_id": "27", + "cyberarkpas.audit.ca_properties.user_name": "x_accountA", + "cyberarkpas.audit.ca_properties.virtual_username": "virtual", + "cyberarkpas.audit.desc": "General Audit", + "cyberarkpas.audit.extra_details.dual_account_status": "Active", + "cyberarkpas.audit.extra_details.index": "1", + "cyberarkpas.audit.file": "Root\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountA", + "cyberarkpas.audit.iso_timestamp": "2021-03-10T14:38:57Z", + "cyberarkpas.audit.issuer": "PasswordManager", + "cyberarkpas.audit.message": "General Audit", + "cyberarkpas.audit.reason": "Dual account rotation", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "Test", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "10.0.1.20", + "cyberarkpas.audit.timestamp": "Mar 10 06:38:57", + "event.action": "general audit", + "event.code": "459", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "file.path": "Root\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountA", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 1325, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "10.0.1.20" + ], + "service.type": "cyberarkpas", + "source.address": "10.0.1.20", + "source.ip": "10.0.1.20", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + }, + { + "@timestamp": "2021-03-14T11:48:26.000Z", + "cyberarkpas.audit.action": "General Audit", + "cyberarkpas.audit.ca_properties.address": "components", + "cyberarkpas.audit.ca_properties.cpm_status": "success", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.device_type": "Operating System", + "cyberarkpas.audit.ca_properties.dual_account_status": "Active", + "cyberarkpas.audit.ca_properties.group_name": "WindowsGroup", + "cyberarkpas.audit.ca_properties.index": "2", + "cyberarkpas.audit.ca_properties.last_success_change": "1615419568", + "cyberarkpas.audit.ca_properties.last_task": "ChangeTask", + "cyberarkpas.audit.ca_properties.policy_id": "WinDesktopLocal", + "cyberarkpas.audit.ca_properties.retries_count": "-1", + "cyberarkpas.audit.ca_properties.sequence_id": "25", + "cyberarkpas.audit.ca_properties.user_name": "x_accountB", + "cyberarkpas.audit.ca_properties.virtual_username": "virtual", + "cyberarkpas.audit.desc": "General Audit", + "cyberarkpas.audit.extra_details.dual_account_status": "Active", + "cyberarkpas.audit.extra_details.index": "2", + "cyberarkpas.audit.file": "Root\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountB", + "cyberarkpas.audit.iso_timestamp": "2021-03-14T11:48:26Z", + "cyberarkpas.audit.issuer": "PasswordManager", + "cyberarkpas.audit.message": "General Audit", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 14 04:48:26\n 2021-03-14T11:48:26Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 459\n General Audit\n Info\n PasswordManager\n General Audit\n \n \n Test\n Root\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountB\n 10.0.1.20\n \n \n \n Dual account rotation\n DualAccountStatus=Active;Index=2;\n General Audit\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.reason": "Dual account rotation", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "Test", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "10.0.1.20", + "cyberarkpas.audit.timestamp": "Mar 14 04:48:26", + "event.action": "general audit", + "event.code": "459", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "file.path": "Root\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountB", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 2650, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "10.0.1.20" + ], + "service.type": "cyberarkpas", + "source.address": "10.0.1.20", + "source.ip": "10.0.1.20", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/467_the_component_public_key_for_jwt_authentication_was_updated.log b/x-pack/filebeat/module/cyberarkpas/audit/test/467_the_component_public_key_for_jwt_authentication_was_updated.log new file mode 100644 index 00000000000..3888e2be150 --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/467_the_component_public_key_for_jwt_authentication_was_updated.log @@ -0,0 +1 @@ +<5>1 2021-03-10T18:14:35Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 10:14:35","IsoTimestamp":"2021-03-10T18:14:35Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"467","Desc":"The component public key for JWT authentication was updated","Severity":"Info","Issuer":"PasswordManager","Action":"The component public key for JWT authentication was updated","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"The component public key for JWT authentication was updated","GatewayStation":""}}} diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/467_the_component_public_key_for_jwt_authentication_was_updated.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/467_the_component_public_key_for_jwt_authentication_was_updated.log-expected.json new file mode 100644 index 00000000000..18f132b64b3 --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/467_the_component_public_key_for_jwt_authentication_was_updated.log-expected.json @@ -0,0 +1,40 @@ +[ + { + "@timestamp": "2021-03-10T18:14:35.000Z", + "cyberarkpas.audit.action": "The component public key for JWT authentication was updated", + "cyberarkpas.audit.desc": "The component public key for JWT authentication was updated", + "cyberarkpas.audit.iso_timestamp": "2021-03-10T18:14:35Z", + "cyberarkpas.audit.issuer": "PasswordManager", + "cyberarkpas.audit.message": "The component public key for JWT authentication was updated", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "10.0.1.20", + "cyberarkpas.audit.timestamp": "Mar 10 10:14:35", + "event.action": "the component public key for jwt authentication was updated", + "event.code": "467", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 0, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "10.0.1.20" + ], + "service.type": "cyberarkpas", + "source.address": "10.0.1.20", + "source.ip": "10.0.1.20", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/479_security_warning_the_signature_hash_algorithm_of_the_vault_certificate_is_sha1.log b/x-pack/filebeat/module/cyberarkpas/audit/test/479_security_warning_the_signature_hash_algorithm_of_the_vault_certificate_is_sha1.log new file mode 100644 index 00000000000..2fe8ec3c4c7 --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/479_security_warning_the_signature_hash_algorithm_of_the_vault_certificate_is_sha1.log @@ -0,0 +1,2 @@ +<7>1 2021-03-04T19:10:01Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 04 11:10:01","IsoTimestamp":"2021-03-04T19:10:01Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"479","Desc":"Security warning - The Signature Hash Algorithm of the Vault certificate is SHA1.","Severity":"Error","Issuer":"Builtin","Action":"Security warning - The Signature Hash Algorithm of the Vault certificate is SHA1.","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"0.0.0.0","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Security warning - The Signature Hash Algorithm of the Vault certificate is SHA1.","GatewayStation":""}}} +Mar 08 07:46:54 VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"no","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"479","Desc":"Security warning - The Signature Hash Algorithm of the Vault certificate is SHA1.","Severity":"Error","Issuer":"Builtin","Action":"Security warning - The Signature Hash Algorithm of the Vault certificate is SHA1.","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"0.0.0.0","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Security warning - The Signature Hash Algorithm of the Vault certificate is SHA1.","GatewayStation":""}}} diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/479_security_warning_the_signature_hash_algorithm_of_the_vault_certificate_is_sha1.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/479_security_warning_the_signature_hash_algorithm_of_the_vault_certificate_is_sha1.log-expected.json new file mode 100644 index 00000000000..e127969e7f2 --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/479_security_warning_the_signature_hash_algorithm_of_the_vault_certificate_is_sha1.log-expected.json @@ -0,0 +1,77 @@ +[ + { + "@timestamp": "2021-03-04T19:10:01.000Z", + "cyberarkpas.audit.action": "Security warning - The Signature Hash Algorithm of the Vault certificate is SHA1.", + "cyberarkpas.audit.desc": "Security warning - The Signature Hash Algorithm of the Vault certificate is SHA1.", + "cyberarkpas.audit.iso_timestamp": "2021-03-04T19:10:01Z", + "cyberarkpas.audit.issuer": "Builtin", + "cyberarkpas.audit.message": "Security warning - The Signature Hash Algorithm of the Vault certificate is SHA1.", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Error", + "cyberarkpas.audit.station": "0.0.0.0", + "cyberarkpas.audit.timestamp": "Mar 04 11:10:01", + "event.action": "security warning - the signature hash algorithm of the vault certificate is sha1.", + "event.code": "479", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 7, + "event.timezone": "-02:00", + "event.type": "error", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 0, + "log.syslog.priority": "7", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "0.0.0.0" + ], + "service.type": "cyberarkpas", + "source.address": "0.0.0.0", + "source.ip": "0.0.0.0", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + }, + { + "@timestamp": "2021-03-08T07:46:54.000-02:00", + "cyberarkpas.audit.action": "Security warning - The Signature Hash Algorithm of the Vault certificate is SHA1.", + "cyberarkpas.audit.desc": "Security warning - The Signature Hash Algorithm of the Vault certificate is SHA1.", + "cyberarkpas.audit.issuer": "Builtin", + "cyberarkpas.audit.message": "Security warning - The Signature Hash Algorithm of the Vault certificate is SHA1.", + "cyberarkpas.audit.rfc5424": false, + "cyberarkpas.audit.severity": "Error", + "cyberarkpas.audit.station": "0.0.0.0", + "event.action": "security warning - the signature hash algorithm of the vault certificate is sha1.", + "event.code": "479", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 7, + "event.timezone": "-02:00", + "event.type": "error", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 760, + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "0.0.0.0" + ], + "service.type": "cyberarkpas", + "source.address": "0.0.0.0", + "source.ip": "0.0.0.0", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/482_update_existing_add_account_bulk_operation_succeeded.log b/x-pack/filebeat/module/cyberarkpas/audit/test/482_update_existing_add_account_bulk_operation_succeeded.log new file mode 100644 index 00000000000..fb620b8f180 --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/482_update_existing_add_account_bulk_operation_succeeded.log @@ -0,0 +1 @@ +<5>1 2021-03-10T08:31:49Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 00:31:49","IsoTimestamp":"2021-03-10T08:31:49Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"482","Desc":"Update existing Add Account Bulk Operation succeeded","Severity":"Info","Issuer":"PVWAAppUser","Action":"Update existing Add Account Bulk Operation succeeded","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Update existing Add Account Bulk Operation succeeded","GatewayStation":""}}} diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/482_update_existing_add_account_bulk_operation_succeeded.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/482_update_existing_add_account_bulk_operation_succeeded.log-expected.json new file mode 100644 index 00000000000..51dc1afc051 --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/482_update_existing_add_account_bulk_operation_succeeded.log-expected.json @@ -0,0 +1,40 @@ +[ + { + "@timestamp": "2021-03-10T08:31:49.000Z", + "cyberarkpas.audit.action": "Update existing Add Account Bulk Operation succeeded", + "cyberarkpas.audit.desc": "Update existing Add Account Bulk Operation succeeded", + "cyberarkpas.audit.iso_timestamp": "2021-03-10T08:31:49Z", + "cyberarkpas.audit.issuer": "PVWAAppUser", + "cyberarkpas.audit.message": "Update existing Add Account Bulk Operation succeeded", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "10.0.1.20", + "cyberarkpas.audit.timestamp": "Mar 10 00:31:49", + "event.action": "update existing add account bulk operation succeeded", + "event.code": "482", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 0, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "10.0.1.20" + ], + "service.type": "cyberarkpas", + "source.address": "10.0.1.20", + "source.ip": "10.0.1.20", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/4_user_authentication.log b/x-pack/filebeat/module/cyberarkpas/audit/test/4_user_authentication.log new file mode 100644 index 00000000000..283cc15f94e --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/4_user_authentication.log @@ -0,0 +1,2 @@ +<7>1 2021-03-10T18:42:36Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 10:42:36","IsoTimestamp":"2021-03-10T18:42:36Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"4","Desc":"User Authentication","Severity":"Error","Issuer":"Administrator","Action":"User Authentication","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"User Authentication","GatewayStation":""}}} +<7>1 2021-03-11T18:03:43Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 10:03:43\n 2021-03-11T18:03:43Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 4\n User Authentication\n Error\n Administrator\n User Authentication\n \n \n \n \n 127.0.0.1\n \n \n \n \n \n User Authentication\n 10.0.1.20\n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 10:03:43","IsoTimestamp":"2021-03-11T18:03:43Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"4","Desc":"User Authentication","Severity":"Error","Issuer":"Administrator","Action":"User Authentication","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"User Authentication","GatewayStation":"10.0.1.20"}}} diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/4_user_authentication.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/4_user_authentication.log-expected.json new file mode 100644 index 00000000000..4e6f09eab4a --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/4_user_authentication.log-expected.json @@ -0,0 +1,114 @@ +[ + { + "@timestamp": "2021-03-10T18:42:36.000Z", + "cyberarkpas.audit.action": "User Authentication", + "cyberarkpas.audit.desc": "User Authentication", + "cyberarkpas.audit.iso_timestamp": "2021-03-10T18:42:36Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "User Authentication", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Error", + "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.timestamp": "Mar 10 10:42:36", + "event.action": "authentication_failure", + "event.category": [ + "authentication" + ], + "event.code": "4", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "failure", + "event.severity": 7, + "event.timezone": "-02:00", + "event.type": [ + "error" + ], + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 0, + "log.syslog.priority": "7", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205" + ], + "related.user": [ + "Administrator" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "Administrator" + }, + { + "@timestamp": "2021-03-11T18:03:43.000Z", + "cyberarkpas.audit.action": "User Authentication", + "cyberarkpas.audit.desc": "User Authentication", + "cyberarkpas.audit.gateway_station": "10.0.1.20", + "cyberarkpas.audit.iso_timestamp": "2021-03-11T18:03:43Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "User Authentication", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 10:03:43\n 2021-03-11T18:03:43Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 4\n User Authentication\n Error\n Administrator\n User Authentication\n \n \n \n \n 127.0.0.1\n \n \n \n \n \n User Authentication\n 10.0.1.20\n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Error", + "cyberarkpas.audit.station": "127.0.0.1", + "cyberarkpas.audit.timestamp": "Mar 11 10:03:43", + "destination.address": "10.0.1.20", + "destination.ip": "10.0.1.20", + "event.action": "authentication_failure", + "event.category": [ + "authentication" + ], + "event.code": "4", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "failure", + "event.severity": 7, + "event.timezone": "-02:00", + "event.type": [ + "error" + ], + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 584, + "log.syslog.priority": "7", + "network.direction": "internal", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "127.0.0.1", + "10.0.1.20" + ], + "related.user": [ + "Administrator" + ], + "service.type": "cyberarkpas", + "source.address": "127.0.0.1", + "source.ip": "127.0.0.1", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "Administrator" + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/50_store_file.log b/x-pack/filebeat/module/cyberarkpas/audit/test/50_store_file.log new file mode 100644 index 00000000000..f3d9bd31a39 --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/50_store_file.log @@ -0,0 +1,6 @@ +<5>1 2021-03-08T18:24:50Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 08 10:24:50","IsoTimestamp":"2021-03-08T18:24:50Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"50","Desc":"Store File","Severity":"Info","Issuer":"PVWAAppUser","Action":"Store File","SourceUser":"","TargetUser":"","Safe":"PVWAPrivateUserPrefs","File":"Root\\YWRtaW5pc3RyYXRvcg==","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Store File","GatewayStation":""}}} +<5>1 2021-03-10T09:11:21Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:21","IsoTimestamp":"2021-03-10T09:11:21Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"50","Desc":"Store File","Severity":"Info","Issuer":"Administrator","Action":"Store File","SourceUser":"","TargetUser":"","Safe":"PSMPConf","File":"Root\\syntaxparser-conf.json.1.1","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Store File","GatewayStation":""}}} +<5>1 2021-03-10T18:36:22Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 10:36:22","IsoTimestamp":"2021-03-10T18:36:22Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"50","Desc":"Store File","Severity":"Info","Issuer":"Administrator","Action":"Store File","SourceUser":"","TargetUser":"","Safe":"PVWAConfig","File":"Root\\PVConfiguration.xml","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Store File","GatewayStation":""}}} +<5>1 2021-03-10T22:17:56Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 14:17:56","IsoTimestamp":"2021-03-10T22:17:56Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"50","Desc":"Store File","Severity":"Info","Issuer":"Administrator","Action":"Store File","SourceUser":"","TargetUser":"","Safe":"PVWAConfig","File":"ROOT\\PVConfiguration.xml","Station":"35.192.121.42","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Store File","GatewayStation":""}}} +<5>1 2021-03-11T17:38:27Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:38:27\n 2021-03-11T17:38:27Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 50\n Store File\n Info\n PSMPApp_VAGRANT\n Store File\n \n \n PSMRecordings\n root\\87012dcc-8290-11eb-949e-080027efd402.SSH.txt\n 81.32.170.205\n \n \n \n \n \n Store File\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:38:27","IsoTimestamp":"2021-03-11T17:38:27Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"50","Desc":"Store File","Severity":"Info","Issuer":"PSMPApp_VAGRANT","Action":"Store File","SourceUser":"","TargetUser":"","Safe":"PSMRecordings","File":"root\\87012dcc-8290-11eb-949e-080027efd402.SSH.txt","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Store File","GatewayStation":""}}} +<5>1 2021-03-11T19:45:26Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 11:45:26\n 2021-03-11T19:45:26Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 50\n Store File\n Info\n Administrator\n Store File\n \n \n PVWAConfig\n Root\\PVConfiguration.xml\n 127.0.0.1\n \n \n \n \n \n Store File\n 10.0.1.20\n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 11:45:26","IsoTimestamp":"2021-03-11T19:45:26Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"50","Desc":"Store File","Severity":"Info","Issuer":"Administrator","Action":"Store File","SourceUser":"","TargetUser":"","Safe":"PVWAConfig","File":"Root\\PVConfiguration.xml","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Store File","GatewayStation":"10.0.1.20"}}} diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/50_store_file.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/50_store_file.log-expected.json new file mode 100644 index 00000000000..7b217c835ff --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/50_store_file.log-expected.json @@ -0,0 +1,278 @@ +[ + { + "@timestamp": "2021-03-08T18:24:50.000Z", + "cyberarkpas.audit.action": "Store File", + "cyberarkpas.audit.desc": "Store File", + "cyberarkpas.audit.file": "Root\\YWRtaW5pc3RyYXRvcg==", + "cyberarkpas.audit.iso_timestamp": "2021-03-08T18:24:50Z", + "cyberarkpas.audit.issuer": "PVWAAppUser", + "cyberarkpas.audit.message": "Store File", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "PVWAPrivateUserPrefs", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "10.0.1.20", + "cyberarkpas.audit.timestamp": "Mar 08 10:24:50", + "event.action": "store file", + "event.code": "50", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "file.path": "Root\\YWRtaW5pc3RyYXRvcg==", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 0, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "10.0.1.20" + ], + "service.type": "cyberarkpas", + "source.address": "10.0.1.20", + "source.ip": "10.0.1.20", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + }, + { + "@timestamp": "2021-03-10T09:11:21.000Z", + "cyberarkpas.audit.action": "Store File", + "cyberarkpas.audit.desc": "Store File", + "cyberarkpas.audit.file": "Root\\syntaxparser-conf.json.1.1", + "cyberarkpas.audit.iso_timestamp": "2021-03-10T09:11:21Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Store File", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "PSMPConf", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.timestamp": "Mar 10 01:11:21", + "event.action": "store file", + "event.code": "50", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "file.path": "Root\\syntaxparser-conf.json.1.1", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 597, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + }, + { + "@timestamp": "2021-03-10T18:36:22.000Z", + "cyberarkpas.audit.action": "Store File", + "cyberarkpas.audit.desc": "Store File", + "cyberarkpas.audit.file": "Root\\PVConfiguration.xml", + "cyberarkpas.audit.iso_timestamp": "2021-03-10T18:36:22Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Store File", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "PVWAConfig", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "127.0.0.1", + "cyberarkpas.audit.timestamp": "Mar 10 10:36:22", + "event.action": "store file", + "event.code": "50", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "file.path": "Root\\PVConfiguration.xml", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 1194, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "127.0.0.1" + ], + "service.type": "cyberarkpas", + "source.address": "127.0.0.1", + "source.ip": "127.0.0.1", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + }, + { + "@timestamp": "2021-03-10T22:17:56.000Z", + "cyberarkpas.audit.action": "Store File", + "cyberarkpas.audit.desc": "Store File", + "cyberarkpas.audit.file": "ROOT\\PVConfiguration.xml", + "cyberarkpas.audit.iso_timestamp": "2021-03-10T22:17:56Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Store File", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "PVWAConfig", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "35.192.121.42", + "cyberarkpas.audit.timestamp": "Mar 10 14:17:56", + "event.action": "store file", + "event.code": "50", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "file.path": "ROOT\\PVConfiguration.xml", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 1782, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "35.192.121.42" + ], + "service.type": "cyberarkpas", + "source.address": "35.192.121.42", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 38.6583, + "source.geo.location.lon": -77.2481, + "source.geo.region_iso_code": "US-VA", + "source.geo.region_name": "Virginia", + "source.ip": "35.192.121.42", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + }, + { + "@timestamp": "2021-03-11T17:38:27.000Z", + "cyberarkpas.audit.action": "Store File", + "cyberarkpas.audit.desc": "Store File", + "cyberarkpas.audit.file": "root\\87012dcc-8290-11eb-949e-080027efd402.SSH.txt", + "cyberarkpas.audit.iso_timestamp": "2021-03-11T17:38:27Z", + "cyberarkpas.audit.issuer": "PSMPApp_VAGRANT", + "cyberarkpas.audit.message": "Store File", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 09:38:27\n 2021-03-11T17:38:27Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 50\n Store File\n Info\n PSMPApp_VAGRANT\n Store File\n \n \n PSMRecordings\n root\\87012dcc-8290-11eb-949e-080027efd402.SSH.txt\n 81.32.170.205\n \n \n \n \n \n Store File\n \n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "PSMRecordings", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.timestamp": "Mar 11 09:38:27", + "event.action": "store file", + "event.code": "50", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "file.path": "root\\87012dcc-8290-11eb-949e-080027efd402.SSH.txt", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 2374, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + }, + { + "@timestamp": "2021-03-11T19:45:26.000Z", + "cyberarkpas.audit.action": "Store File", + "cyberarkpas.audit.desc": "Store File", + "cyberarkpas.audit.file": "Root\\PVConfiguration.xml", + "cyberarkpas.audit.gateway_station": "10.0.1.20", + "cyberarkpas.audit.iso_timestamp": "2021-03-11T19:45:26Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Store File", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 11:45:26\n 2021-03-11T19:45:26Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 50\n Store File\n Info\n Administrator\n Store File\n \n \n PVWAConfig\n Root\\PVConfiguration.xml\n 127.0.0.1\n \n \n \n \n \n Store File\n 10.0.1.20\n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "PVWAConfig", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "127.0.0.1", + "cyberarkpas.audit.timestamp": "Mar 11 11:45:26", + "destination.address": "10.0.1.20", + "destination.ip": "10.0.1.20", + "event.action": "store file", + "event.code": "50", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "file.path": "Root\\PVConfiguration.xml", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 3898, + "log.syslog.priority": "5", + "network.direction": "internal", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "127.0.0.1", + "10.0.1.20" + ], + "service.type": "cyberarkpas", + "source.address": "127.0.0.1", + "source.ip": "127.0.0.1", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/51_retrieve_file.log b/x-pack/filebeat/module/cyberarkpas/audit/test/51_retrieve_file.log new file mode 100644 index 00000000000..8cd3214a84f --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/51_retrieve_file.log @@ -0,0 +1,2 @@ +<5>1 2021-03-04T19:10:05Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 04 11:10:05","IsoTimestamp":"2021-03-04T19:10:05Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"51","Desc":"Retrieve File","Severity":"Info","Issuer":"PasswordManager","Action":"Retrieve File","SourceUser":"","TargetUser":"","Safe":"PasswordManagerShared","File":"Root\\Policies\\Policy-GenericWebApp.ini","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Retrieve File","GatewayStation":""}}} +<5>1 2021-03-04T19:11:23Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 04 11:11:23","IsoTimestamp":"2021-03-04T19:11:23Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"51","Desc":"Retrieve File","Severity":"Info","Issuer":"Prov_COMPONENTS","Action":"Retrieve File","SourceUser":"","TargetUser":"","Safe":"AppProviderConf","File":"Root\\main_appprovider.conf.Win64.11.04","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Retrieve File","GatewayStation":""}}} diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/51_retrieve_file.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/51_retrieve_file.log-expected.json new file mode 100644 index 00000000000..d6498eae71e --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/51_retrieve_file.log-expected.json @@ -0,0 +1,84 @@ +[ + { + "@timestamp": "2021-03-04T19:10:05.000Z", + "cyberarkpas.audit.action": "Retrieve File", + "cyberarkpas.audit.desc": "Retrieve File", + "cyberarkpas.audit.file": "Root\\Policies\\Policy-GenericWebApp.ini", + "cyberarkpas.audit.iso_timestamp": "2021-03-04T19:10:05Z", + "cyberarkpas.audit.issuer": "PasswordManager", + "cyberarkpas.audit.message": "Retrieve File", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "PasswordManagerShared", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "10.0.1.20", + "cyberarkpas.audit.timestamp": "Mar 04 11:10:05", + "event.action": "retrieve file", + "event.code": "51", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "file.path": "Root\\Policies\\Policy-GenericWebApp.ini", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 0, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "10.0.1.20" + ], + "service.type": "cyberarkpas", + "source.address": "10.0.1.20", + "source.ip": "10.0.1.20", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + }, + { + "@timestamp": "2021-03-04T19:11:23.000Z", + "cyberarkpas.audit.action": "Retrieve File", + "cyberarkpas.audit.desc": "Retrieve File", + "cyberarkpas.audit.file": "Root\\main_appprovider.conf.Win64.11.04", + "cyberarkpas.audit.iso_timestamp": "2021-03-04T19:11:23Z", + "cyberarkpas.audit.issuer": "Prov_COMPONENTS", + "cyberarkpas.audit.message": "Retrieve File", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "AppProviderConf", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "10.0.1.20", + "cyberarkpas.audit.timestamp": "Mar 04 11:11:23", + "event.action": "retrieve file", + "event.code": "51", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "file.path": "Root\\main_appprovider.conf.Win64.11.04", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 625, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "10.0.1.20" + ], + "service.type": "cyberarkpas", + "source.address": "10.0.1.20", + "source.ip": "10.0.1.20", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/52_delete_file.log b/x-pack/filebeat/module/cyberarkpas/audit/test/52_delete_file.log new file mode 100644 index 00000000000..d9d8af79da4 --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/52_delete_file.log @@ -0,0 +1,10 @@ +<5>1 2021-03-08T18:32:43Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 08 10:32:43","IsoTimestamp":"2021-03-08T18:32:43Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"52","Desc":"Delete File","Severity":"Info","Issuer":"Administrator","Action":"Delete File","SourceUser":"","TargetUser":"","Safe":"Test","File":"Root\\Operating System-WinDesktopLocal-Address-adriansr","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Delete File","GatewayStation":"10.0.1.20","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WinDesktopLocal"},{"Name":"UserName","Value":"adriansr"},{"Name":"Address","Value":"components"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-08T18:38:21Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 08 10:38:21","IsoTimestamp":"2021-03-08T18:38:21Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"52","Desc":"Delete File","Severity":"Info","Issuer":"Administrator","Action":"Delete File","SourceUser":"","TargetUser":"","Safe":"VaultInternal","File":"Root\\Operating System-WinServerLocal-components-adriansr","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Delete File","GatewayStation":"10.0.1.20","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WinServerLocal"},{"Name":"UserName","Value":"adriansr"},{"Name":"Address","Value":"components"},{"Name":"LogonDomain","Value":"COMPONENTS"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-08T19:20:04Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 08 11:20:04","IsoTimestamp":"2021-03-08T19:20:04Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"52","Desc":"Delete File","Severity":"Info","Issuer":"PasswordManager","Action":"Delete File","SourceUser":"","TargetUser":"","Safe":"PasswordManager_workspace","File":"Root\\Test_4","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Delete File","GatewayStation":""}}} +<5>1 2021-03-11T18:59:57Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 10:59:57\n 2021-03-11T18:59:57Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 52\n Delete File\n Info\n PSMApp_ASR-WIN\n Delete File\n \n \n PSMSessions\n Root\\c89ca3ba9c76f820fdc58e86f2c854f99d232fcd\n 35.192.121.42\n \n \n \n \n \n Delete File\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 10:59:57","IsoTimestamp":"2021-03-11T18:59:57Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"52","Desc":"Delete File","Severity":"Info","Issuer":"PSMApp_ASR-WIN","Action":"Delete File","SourceUser":"","TargetUser":"","Safe":"PSMSessions","File":"Root\\c89ca3ba9c76f820fdc58e86f2c854f99d232fcd","Station":"35.192.121.42","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Delete File","GatewayStation":""}}} +<5>1 2021-03-11T19:32:12Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 11:32:12\n 2021-03-11T19:32:12Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 52\n Delete File\n Info\n Administrator\n Delete File\n \n \n PSMPLiveSessions\n Root\\PSMPApp_VAGRANT.LiveSessions\n 127.0.0.1\n \n \n \n \n \n Delete File\n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 11:32:12","IsoTimestamp":"2021-03-11T19:32:12Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"52","Desc":"Delete File","Severity":"Info","Issuer":"Administrator","Action":"Delete File","SourceUser":"","TargetUser":"","Safe":"PSMPLiveSessions","File":"Root\\PSMPApp_VAGRANT.LiveSessions","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Delete File","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"_PSMLiveSessions_1","Value":""},{"Name":"_PSMLiveSessions_2","Value":""},{"Name":"_PSMLiveSessions_3","Value":""},{"Name":"_PSMLiveSessions_4","Value":""},{"Name":"_PSMLiveSessions_5","Value":""}]}}}} +<5>1 2021-03-11T21:06:40Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 13:06:40\n 2021-03-11T21:06:40Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 52\n Delete File\n Info\n Administrator\n Delete File\n \n \n PSM\n Root\\Operating System-WinDomain-35.192.121.42-PSMConnect\n 127.0.0.1\n \n \n \n \n \n Delete File\n 10.0.1.20\n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 13:06:40","IsoTimestamp":"2021-03-11T21:06:40Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"52","Desc":"Delete File","Severity":"Info","Issuer":"Administrator","Action":"Delete File","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-WinDomain-35.192.121.42-PSMConnect","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Delete File","GatewayStation":"10.0.1.20","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WinDomain"},{"Name":"UserName","Value":"PSMConnect"},{"Name":"Address","Value":"35.192.121.42"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-11T21:06:50Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 13:06:50\n 2021-03-11T21:06:50Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 52\n Delete File\n Info\n Administrator\n Delete File\n \n \n PSM\n Root\\PSM-ASR-CYBERARK-WI\n 127.0.0.1\n \n \n \n \n \n Delete File\n 10.0.1.20\n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 13:06:50","IsoTimestamp":"2021-03-11T21:06:50Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"52","Desc":"Delete File","Severity":"Info","Issuer":"Administrator","Action":"Delete File","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\PSM-ASR-CYBERARK-WI","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Delete File","GatewayStation":"10.0.1.20","CAProperties":{"CAProperty":[{"Name":"UserName","Value":"PSMConnect"},{"Name":"Address","Value":"10.128.0.65"},{"Name":"LogonDomain","Value":"ASR-CYBERARK-WI"}]}}}} +<5>1 2021-03-14T12:10:17Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 05:10:17\n 2021-03-14T12:10:17Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 52\n Delete File\n Info\n Administrator\n Delete File\n \n \n PSM\n Root\\PSMAdmin\n 127.0.0.1\n \n \n \n \n \n Delete File\n 10.0.1.20\n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 05:10:17","IsoTimestamp":"2021-03-14T12:10:17Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"52","Desc":"Delete File","Severity":"Info","Issuer":"Administrator","Action":"Delete File","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\PSMAdmin","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Delete File","GatewayStation":"10.0.1.20","CAProperties":{"CAProperty":[{"Name":"UserName","Value":"PSMAdminConnect"},{"Name":"Address","Value":"169.254.180.25"},{"Name":"LogonDomain","Value":"VAGRANT-2012-R2"}]}}}} +<5>1 2021-03-15T15:09:00Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 08:09:00\n 2021-03-15T15:09:00Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 52\n Delete File\n Info\n Administrator\n Delete File\n \n \n partner\n Root\\Database-Oracle-10.128.0.7-adrian\n 127.0.0.1\n \n \n \n \n \n Delete File\n 10.0.1.20\n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 08:09:00","IsoTimestamp":"2021-03-15T15:09:00Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"52","Desc":"Delete File","Severity":"Info","Issuer":"Administrator","Action":"Delete File","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Database-Oracle-10.128.0.7-adrian","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Delete File","GatewayStation":"10.0.1.20","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"Oracle"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"10.128.0.7"},{"Name":"Port","Value":"3306"},{"Name":"Database","Value":"test"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Database"}]}}}} +<5>1 2021-03-15T15:13:59Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 08:13:59\n 2021-03-15T15:13:59Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 52\n Delete File\n Info\n Administrator\n Delete File\n \n \n partner\n Root\\Database-MySQL-10.128.0.7-adrian\n 127.0.0.1\n \n \n \n \n \n Delete File\n 10.0.1.20\n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 08:13:59","IsoTimestamp":"2021-03-15T15:13:59Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"52","Desc":"Delete File","Severity":"Info","Issuer":"Administrator","Action":"Delete File","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Database-MySQL-10.128.0.7-adrian","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Delete File","GatewayStation":"10.0.1.20","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"MySQL"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"10.128.0.7"},{"Name":"Port","Value":"3306"},{"Name":"Database","Value":"test"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Database"}]}}}} diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/52_delete_file.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/52_delete_file.log-expected.json new file mode 100644 index 00000000000..571cc11784d --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/52_delete_file.log-expected.json @@ -0,0 +1,502 @@ +[ + { + "@timestamp": "2021-03-08T18:32:43.000Z", + "cyberarkpas.audit.action": "Delete File", + "cyberarkpas.audit.ca_properties.address": "components", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.device_type": "Operating System", + "cyberarkpas.audit.ca_properties.policy_id": "WinDesktopLocal", + "cyberarkpas.audit.ca_properties.user_name": "adriansr", + "cyberarkpas.audit.desc": "Delete File", + "cyberarkpas.audit.file": "Root\\Operating System-WinDesktopLocal-Address-adriansr", + "cyberarkpas.audit.gateway_station": "10.0.1.20", + "cyberarkpas.audit.iso_timestamp": "2021-03-08T18:32:43Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Delete File", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "Test", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "127.0.0.1", + "cyberarkpas.audit.timestamp": "Mar 08 10:32:43", + "destination.address": "10.0.1.20", + "destination.ip": "10.0.1.20", + "event.action": "delete file", + "event.code": "52", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "file.path": "Root\\Operating System-WinDesktopLocal-Address-adriansr", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 0, + "log.syslog.priority": "5", + "network.direction": "internal", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "127.0.0.1", + "10.0.1.20" + ], + "service.type": "cyberarkpas", + "source.address": "127.0.0.1", + "source.ip": "127.0.0.1", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + }, + { + "@timestamp": "2021-03-08T18:38:21.000Z", + "cyberarkpas.audit.action": "Delete File", + "cyberarkpas.audit.ca_properties.address": "components", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.device_type": "Operating System", + "cyberarkpas.audit.ca_properties.logon_domain": "COMPONENTS", + "cyberarkpas.audit.ca_properties.policy_id": "WinServerLocal", + "cyberarkpas.audit.ca_properties.user_name": "adriansr", + "cyberarkpas.audit.desc": "Delete File", + "cyberarkpas.audit.file": "Root\\Operating System-WinServerLocal-components-adriansr", + "cyberarkpas.audit.gateway_station": "10.0.1.20", + "cyberarkpas.audit.iso_timestamp": "2021-03-08T18:38:21Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Delete File", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "VaultInternal", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "127.0.0.1", + "cyberarkpas.audit.timestamp": "Mar 08 10:38:21", + "destination.address": "10.0.1.20", + "destination.ip": "10.0.1.20", + "event.action": "delete file", + "event.code": "52", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "file.path": "Root\\Operating System-WinServerLocal-components-adriansr", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 871, + "log.syslog.priority": "5", + "network.direction": "internal", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "127.0.0.1", + "10.0.1.20" + ], + "service.type": "cyberarkpas", + "source.address": "127.0.0.1", + "source.ip": "127.0.0.1", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + }, + { + "@timestamp": "2021-03-08T19:20:04.000Z", + "cyberarkpas.audit.action": "Delete File", + "cyberarkpas.audit.desc": "Delete File", + "cyberarkpas.audit.file": "Root\\Test_4", + "cyberarkpas.audit.iso_timestamp": "2021-03-08T19:20:04Z", + "cyberarkpas.audit.issuer": "PasswordManager", + "cyberarkpas.audit.message": "Delete File", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "PasswordManager_workspace", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "10.0.1.20", + "cyberarkpas.audit.timestamp": "Mar 08 11:20:04", + "event.action": "delete file", + "event.code": "52", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "file.path": "Root\\Test_4", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 1796, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "10.0.1.20" + ], + "service.type": "cyberarkpas", + "source.address": "10.0.1.20", + "source.ip": "10.0.1.20", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + }, + { + "@timestamp": "2021-03-11T18:59:57.000Z", + "cyberarkpas.audit.action": "Delete File", + "cyberarkpas.audit.desc": "Delete File", + "cyberarkpas.audit.file": "Root\\c89ca3ba9c76f820fdc58e86f2c854f99d232fcd", + "cyberarkpas.audit.iso_timestamp": "2021-03-11T18:59:57Z", + "cyberarkpas.audit.issuer": "PSMApp_ASR-WIN", + "cyberarkpas.audit.message": "Delete File", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 10:59:57\n 2021-03-11T18:59:57Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 52\n Delete File\n Info\n PSMApp_ASR-WIN\n Delete File\n \n \n PSMSessions\n Root\\c89ca3ba9c76f820fdc58e86f2c854f99d232fcd\n 35.192.121.42\n \n \n \n \n \n Delete File\n \n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "PSMSessions", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "35.192.121.42", + "cyberarkpas.audit.timestamp": "Mar 11 10:59:57", + "event.action": "delete file", + "event.code": "52", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "file.path": "Root\\c89ca3ba9c76f820fdc58e86f2c854f99d232fcd", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 2391, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "35.192.121.42" + ], + "service.type": "cyberarkpas", + "source.address": "35.192.121.42", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 38.6583, + "source.geo.location.lon": -77.2481, + "source.geo.region_iso_code": "US-VA", + "source.geo.region_name": "Virginia", + "source.ip": "35.192.121.42", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + }, + { + "@timestamp": "2021-03-11T19:32:12.000Z", + "cyberarkpas.audit.action": "Delete File", + "cyberarkpas.audit.ca_properties.__psm_live_sessions_1": "", + "cyberarkpas.audit.ca_properties.__psm_live_sessions_2": "", + "cyberarkpas.audit.ca_properties.__psm_live_sessions_3": "", + "cyberarkpas.audit.ca_properties.__psm_live_sessions_4": "", + "cyberarkpas.audit.ca_properties.__psm_live_sessions_5": "", + "cyberarkpas.audit.desc": "Delete File", + "cyberarkpas.audit.file": "Root\\PSMPApp_VAGRANT.LiveSessions", + "cyberarkpas.audit.iso_timestamp": "2021-03-11T19:32:12Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Delete File", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 11:32:12\n 2021-03-11T19:32:12Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 52\n Delete File\n Info\n Administrator\n Delete File\n \n \n PSMPLiveSessions\n Root\\PSMPApp_VAGRANT.LiveSessions\n 127.0.0.1\n \n \n \n \n \n Delete File\n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "PSMPLiveSessions", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "127.0.0.1", + "cyberarkpas.audit.timestamp": "Mar 11 11:32:12", + "event.action": "delete file", + "event.code": "52", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "file.path": "Root\\PSMPApp_VAGRANT.LiveSessions", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 3907, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "127.0.0.1" + ], + "service.type": "cyberarkpas", + "source.address": "127.0.0.1", + "source.ip": "127.0.0.1", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + }, + { + "@timestamp": "2021-03-11T21:06:40.000Z", + "cyberarkpas.audit.action": "Delete File", + "cyberarkpas.audit.ca_properties.address": "35.192.121.42", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.device_type": "Operating System", + "cyberarkpas.audit.ca_properties.policy_id": "WinDomain", + "cyberarkpas.audit.ca_properties.user_name": "PSMConnect", + "cyberarkpas.audit.desc": "Delete File", + "cyberarkpas.audit.file": "Root\\Operating System-WinDomain-35.192.121.42-PSMConnect", + "cyberarkpas.audit.gateway_station": "10.0.1.20", + "cyberarkpas.audit.iso_timestamp": "2021-03-11T21:06:40Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Delete File", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 13:06:40\n 2021-03-11T21:06:40Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 52\n Delete File\n Info\n Administrator\n Delete File\n \n \n PSM\n Root\\Operating System-WinDomain-35.192.121.42-PSMConnect\n 127.0.0.1\n \n \n \n \n \n Delete File\n 10.0.1.20\n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "PSM", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "127.0.0.1", + "cyberarkpas.audit.timestamp": "Mar 11 13:06:40", + "destination.address": "10.0.1.20", + "destination.ip": "10.0.1.20", + "event.action": "delete file", + "event.code": "52", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "file.path": "Root\\Operating System-WinDomain-35.192.121.42-PSMConnect", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 6037, + "log.syslog.priority": "5", + "network.direction": "internal", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "127.0.0.1", + "10.0.1.20" + ], + "service.type": "cyberarkpas", + "source.address": "127.0.0.1", + "source.ip": "127.0.0.1", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + }, + { + "@timestamp": "2021-03-11T21:06:50.000Z", + "cyberarkpas.audit.action": "Delete File", + "cyberarkpas.audit.ca_properties.address": "10.128.0.65", + "cyberarkpas.audit.ca_properties.logon_domain": "ASR-CYBERARK-WI", + "cyberarkpas.audit.ca_properties.user_name": "PSMConnect", + "cyberarkpas.audit.desc": "Delete File", + "cyberarkpas.audit.file": "Root\\PSM-ASR-CYBERARK-WI", + "cyberarkpas.audit.gateway_station": "10.0.1.20", + "cyberarkpas.audit.iso_timestamp": "2021-03-11T21:06:50Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Delete File", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 13:06:50\n 2021-03-11T21:06:50Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 52\n Delete File\n Info\n Administrator\n Delete File\n \n \n PSM\n Root\\PSM-ASR-CYBERARK-WI\n 127.0.0.1\n \n \n \n \n \n Delete File\n 10.0.1.20\n \n \n \n \n \n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "PSM", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "127.0.0.1", + "cyberarkpas.audit.timestamp": "Mar 11 13:06:50", + "destination.address": "10.0.1.20", + "destination.ip": "10.0.1.20", + "event.action": "delete file", + "event.code": "52", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "file.path": "Root\\PSM-ASR-CYBERARK-WI", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 8223, + "log.syslog.priority": "5", + "network.direction": "internal", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "127.0.0.1", + "10.0.1.20" + ], + "service.type": "cyberarkpas", + "source.address": "127.0.0.1", + "source.ip": "127.0.0.1", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + }, + { + "@timestamp": "2021-03-14T12:10:17.000Z", + "cyberarkpas.audit.action": "Delete File", + "cyberarkpas.audit.ca_properties.address": "169.254.180.25", + "cyberarkpas.audit.ca_properties.logon_domain": "VAGRANT-2012-R2", + "cyberarkpas.audit.ca_properties.user_name": "PSMAdminConnect", + "cyberarkpas.audit.desc": "Delete File", + "cyberarkpas.audit.file": "Root\\PSMAdmin", + "cyberarkpas.audit.gateway_station": "10.0.1.20", + "cyberarkpas.audit.iso_timestamp": "2021-03-14T12:10:17Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Delete File", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 14 05:10:17\n 2021-03-14T12:10:17Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 52\n Delete File\n Info\n Administrator\n Delete File\n \n \n PSM\n Root\\PSMAdmin\n 127.0.0.1\n \n \n \n \n \n Delete File\n 10.0.1.20\n \n \n \n \n \n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "PSM", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "127.0.0.1", + "cyberarkpas.audit.timestamp": "Mar 14 05:10:17", + "destination.address": "10.0.1.20", + "destination.ip": "10.0.1.20", + "event.action": "delete file", + "event.code": "52", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "file.path": "Root\\PSMAdmin", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 10117, + "log.syslog.priority": "5", + "network.direction": "internal", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "127.0.0.1", + "10.0.1.20" + ], + "service.type": "cyberarkpas", + "source.address": "127.0.0.1", + "source.ip": "127.0.0.1", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + }, + { + "@timestamp": "2021-03-15T15:09:00.000Z", + "cyberarkpas.audit.action": "Delete File", + "cyberarkpas.audit.ca_properties.address": "10.128.0.7", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.database": "test", + "cyberarkpas.audit.ca_properties.device_type": "Database", + "cyberarkpas.audit.ca_properties.policy_id": "Oracle", + "cyberarkpas.audit.ca_properties.port": "3306", + "cyberarkpas.audit.ca_properties.user_name": "adrian", + "cyberarkpas.audit.desc": "Delete File", + "cyberarkpas.audit.file": "Root\\Database-Oracle-10.128.0.7-adrian", + "cyberarkpas.audit.gateway_station": "10.0.1.20", + "cyberarkpas.audit.iso_timestamp": "2021-03-15T15:09:00Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Delete File", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 15 08:09:00\n 2021-03-15T15:09:00Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 52\n Delete File\n Info\n Administrator\n Delete File\n \n \n partner\n Root\\Database-Oracle-10.128.0.7-adrian\n 127.0.0.1\n \n \n \n \n \n Delete File\n 10.0.1.20\n \n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "partner", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "127.0.0.1", + "cyberarkpas.audit.timestamp": "Mar 15 08:09:00", + "destination.address": "10.0.1.20", + "destination.ip": "10.0.1.20", + "event.action": "delete file", + "event.code": "52", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "file.path": "Root\\Database-Oracle-10.128.0.7-adrian", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 12005, + "log.syslog.priority": "5", + "network.direction": "internal", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "127.0.0.1", + "10.0.1.20" + ], + "service.type": "cyberarkpas", + "source.address": "127.0.0.1", + "source.ip": "127.0.0.1", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + }, + { + "@timestamp": "2021-03-15T15:13:59.000Z", + "cyberarkpas.audit.action": "Delete File", + "cyberarkpas.audit.ca_properties.address": "10.128.0.7", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.database": "test", + "cyberarkpas.audit.ca_properties.device_type": "Database", + "cyberarkpas.audit.ca_properties.policy_id": "MySQL", + "cyberarkpas.audit.ca_properties.port": "3306", + "cyberarkpas.audit.ca_properties.user_name": "adrian", + "cyberarkpas.audit.desc": "Delete File", + "cyberarkpas.audit.file": "Root\\Database-MySQL-10.128.0.7-adrian", + "cyberarkpas.audit.gateway_station": "10.0.1.20", + "cyberarkpas.audit.iso_timestamp": "2021-03-15T15:13:59Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Delete File", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 15 08:13:59\n 2021-03-15T15:13:59Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 52\n Delete File\n Info\n Administrator\n Delete File\n \n \n partner\n Root\\Database-MySQL-10.128.0.7-adrian\n 127.0.0.1\n \n \n \n \n \n Delete File\n 10.0.1.20\n \n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "partner", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "127.0.0.1", + "cyberarkpas.audit.timestamp": "Mar 15 08:13:59", + "destination.address": "10.0.1.20", + "destination.ip": "10.0.1.20", + "event.action": "delete file", + "event.code": "52", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "file.path": "Root\\Database-MySQL-10.128.0.7-adrian", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 14321, + "log.syslog.priority": "5", + "network.direction": "internal", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "127.0.0.1", + "10.0.1.20" + ], + "service.type": "cyberarkpas", + "source.address": "127.0.0.1", + "source.ip": "127.0.0.1", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/57_cpm_change_password_failed.log b/x-pack/filebeat/module/cyberarkpas/audit/test/57_cpm_change_password_failed.log new file mode 100644 index 00000000000..2131bafce3e --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/57_cpm_change_password_failed.log @@ -0,0 +1 @@ +<7>1 2021-03-25T12:00:08Z VLT01 {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 25 08:00:08\n 2021-03-25T12:00:08Z\n VLT01\n Cyber-Ark\n Vault\n 12.0.0000\n 57\n CPM Change Password Failed\n Error\n PasswordManager\n CPM Change Password Failed\n \n \n Linux Accounts\n Root\\Operating System-UnixSSH-rhel7.cybr.com-firecall2\n 10.0.0.15\n \n \n \n ImmediateTask. Failure Description: Execution error. EXT01::A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond. Error code:9002\n address=rhel7.cybr.com;username=firecall2;\n CPM Change Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 25 08:00:08","IsoTimestamp":"2021-03-25T12:00:08Z","Hostname":"VLT01","Vendor":"Cyber-Ark","Product":"Vault","Version":"12.0.0000","MessageID":"57","Desc":"CPM Change Password Failed","Severity":"Error","Issuer":"PasswordManager","Action":"CPM Change Password Failed","SourceUser":"","TargetUser":"","Safe":"Linux Accounts","File":"Root\\Operating System-UnixSSH-rhel7.cybr.com-firecall2","Station":"10.0.0.15","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask. Failure Description: Execution error. EXT01::A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond. Error code:9002","ExtraDetails":"address=rhel7.cybr.com;username=firecall2;","Message":"CPM Change Password Failed","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"firecall2"},{"Name":"Address","Value":"rhel7.cybr.com"},{"Name":"DeviceType","Value":"Operating System"},{"Name":"ResetImmediately","Value":"ChangeTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"ExtraPass3Name","Value":"Operating System-UnixSSH-rhel7.cybr.com-root"},{"Name":"ExtraPass3Folder","Value":"Root"},{"Name":"ExtraPass3Safe","Value":"Linux Root"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastFailDate","Value":"1616673608"},{"Name":"LastTask","Value":"ChangeTask"},{"Name":"LastSuccessVerification","Value":"1616580255"},{"Name":"CPMErrorDetails","Value":"Execution error. EXT01::A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond. Error code:9002"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"LastSuccessChange","Value":"1616011989"},{"Name":"LastSuccessReconciliation","Value":"1576120341"},{"Name":"UseSudoOnReconcile","Value":"No"},{"Name":"Tags","Value":"SSH"},{"Name":"Privcloud","Value":"privcloud"}]}}}} diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/57_cpm_change_password_failed.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/57_cpm_change_password_failed.log-expected.json new file mode 100644 index 00000000000..eaf206946a9 --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/57_cpm_change_password_failed.log-expected.json @@ -0,0 +1,85 @@ +[ + { + "@timestamp": "2021-03-25T12:00:08.000Z", + "cyberarkpas.audit.action": "CPM Change Password Failed", + "cyberarkpas.audit.ca_properties.address": "rhel7.cybr.com", + "cyberarkpas.audit.ca_properties.cpm_error_details": "Execution error. EXT01::A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond. Error code:9002", + "cyberarkpas.audit.ca_properties.cpm_status": "failure", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.device_type": "Operating System", + "cyberarkpas.audit.ca_properties.extra_pass3_folder": "Root", + "cyberarkpas.audit.ca_properties.extra_pass3_name": "Operating System-UnixSSH-rhel7.cybr.com-root", + "cyberarkpas.audit.ca_properties.extra_pass3_safe": "Linux Root", + "cyberarkpas.audit.ca_properties.last_fail_date": "1616673608", + "cyberarkpas.audit.ca_properties.last_success_change": "1616011989", + "cyberarkpas.audit.ca_properties.last_success_reconciliation": "1576120341", + "cyberarkpas.audit.ca_properties.last_success_verification": "1616580255", + "cyberarkpas.audit.ca_properties.last_task": "ChangeTask", + "cyberarkpas.audit.ca_properties.policy_id": "UnixSSH", + "cyberarkpas.audit.ca_properties.privcloud": "privcloud", + "cyberarkpas.audit.ca_properties.reset_immediately": "ChangeTask", + "cyberarkpas.audit.ca_properties.retries_count": "0", + "cyberarkpas.audit.ca_properties.tags": "SSH", + "cyberarkpas.audit.ca_properties.use_sudo_on_reconcile": "No", + "cyberarkpas.audit.ca_properties.user_name": "firecall2", + "cyberarkpas.audit.desc": "CPM Change Password Failed", + "cyberarkpas.audit.extra_details.address": "rhel7.cybr.com", + "cyberarkpas.audit.extra_details.username": "firecall2", + "cyberarkpas.audit.file": "Root\\Operating System-UnixSSH-rhel7.cybr.com-firecall2", + "cyberarkpas.audit.iso_timestamp": "2021-03-25T12:00:08Z", + "cyberarkpas.audit.issuer": "PasswordManager", + "cyberarkpas.audit.message": "CPM Change Password Failed", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 25 08:00:08\n 2021-03-25T12:00:08Z\n VLT01\n Cyber-Ark\n Vault\n 12.0.0000\n 57\n CPM Change Password Failed\n Error\n PasswordManager\n CPM Change Password Failed\n \n \n Linux Accounts\n Root\\Operating System-UnixSSH-rhel7.cybr.com-firecall2\n 10.0.0.15\n \n \n \n ImmediateTask. Failure Description: Execution error. EXT01::A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond. Error code:9002\n address=rhel7.cybr.com;username=firecall2;\n CPM Change Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.reason": "ImmediateTask. Failure Description: Execution error. EXT01::A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond. Error code:9002", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "Linux Accounts", + "cyberarkpas.audit.severity": "Error", + "cyberarkpas.audit.station": "10.0.0.15", + "cyberarkpas.audit.timestamp": "Mar 25 08:00:08", + "destination.address": "rhel7.cybr.com", + "destination.domain": "rhel7.cybr.com", + "event.action": "cpm change password failed", + "event.category": [ + "iam" + ], + "event.code": "57", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "failure", + "event.reason": "Execution error. EXT01::A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond. Error code:9002", + "event.severity": 7, + "event.timezone": "-02:00", + "event.type": [ + "user", + "change", + "error" + ], + "file.path": "Root\\Operating System-UnixSSH-rhel7.cybr.com-firecall2", + "fileset.name": "audit", + "host.name": "VLT01", + "input.type": "log", + "log.offset": 0, + "log.syslog.priority": "7", + "observer.hostname": "VLT01", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "12.0.0000", + "related.ip": [ + "10.0.0.15" + ], + "related.user": [ + "PasswordManager", + "firecall2" + ], + "service.type": "cyberarkpas", + "source.address": "10.0.0.15", + "source.ip": "10.0.0.15", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "PasswordManager", + "user.target.name": "firecall2" + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/59_clear_safe_history.log b/x-pack/filebeat/module/cyberarkpas/audit/test/59_clear_safe_history.log new file mode 100644 index 00000000000..9b834634185 --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/59_clear_safe_history.log @@ -0,0 +1,3 @@ +<5>1 2021-03-04T19:25:02Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 04 11:25:02","IsoTimestamp":"2021-03-04T19:25:02Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"59","Desc":"Clear Safe History","Severity":"Info","Issuer":"PasswordManager","Action":"Clear Safe History","SourceUser":"","TargetUser":"","Safe":"PasswordManager_workspace","File":"","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Clear Safe History","GatewayStation":""}}} +Mar 08 03:10:31 VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"no","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"59","Desc":"Clear Safe History","Severity":"Info","Issuer":"PasswordManager","Action":"Clear Safe History","SourceUser":"","TargetUser":"","Safe":"PasswordManager_workspace","File":"","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Clear Safe History","GatewayStation":""}}} +<5>1 2021-03-09T09:00:47Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 09 01:00:47","IsoTimestamp":"2021-03-09T09:00:47Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"59","Desc":"Clear Safe History","Severity":"Info","Issuer":"Batch","Action":"Clear Safe History","SourceUser":"","TargetUser":"","Safe":"System","File":"","Station":"0.0.0.0","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Clear Safe History","GatewayStation":""}}} diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/59_clear_safe_history.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/59_clear_safe_history.log-expected.json new file mode 100644 index 00000000000..21d71f71183 --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/59_clear_safe_history.log-expected.json @@ -0,0 +1,116 @@ +[ + { + "@timestamp": "2021-03-04T19:25:02.000Z", + "cyberarkpas.audit.action": "Clear Safe History", + "cyberarkpas.audit.desc": "Clear Safe History", + "cyberarkpas.audit.iso_timestamp": "2021-03-04T19:25:02Z", + "cyberarkpas.audit.issuer": "PasswordManager", + "cyberarkpas.audit.message": "Clear Safe History", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "PasswordManager_workspace", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "10.0.1.20", + "cyberarkpas.audit.timestamp": "Mar 04 11:25:02", + "event.action": "clear safe history", + "event.code": "59", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 0, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "10.0.1.20" + ], + "service.type": "cyberarkpas", + "source.address": "10.0.1.20", + "source.ip": "10.0.1.20", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + }, + { + "@timestamp": "2021-03-08T03:10:31.000-02:00", + "cyberarkpas.audit.action": "Clear Safe History", + "cyberarkpas.audit.desc": "Clear Safe History", + "cyberarkpas.audit.issuer": "PasswordManager", + "cyberarkpas.audit.message": "Clear Safe History", + "cyberarkpas.audit.rfc5424": false, + "cyberarkpas.audit.safe": "PasswordManager_workspace", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "10.0.1.20", + "event.action": "clear safe history", + "event.code": "59", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 604, + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "10.0.1.20" + ], + "service.type": "cyberarkpas", + "source.address": "10.0.1.20", + "source.ip": "10.0.1.20", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + }, + { + "@timestamp": "2021-03-09T09:00:47.000Z", + "cyberarkpas.audit.action": "Clear Safe History", + "cyberarkpas.audit.desc": "Clear Safe History", + "cyberarkpas.audit.iso_timestamp": "2021-03-09T09:00:47Z", + "cyberarkpas.audit.issuer": "Batch", + "cyberarkpas.audit.message": "Clear Safe History", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "System", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "0.0.0.0", + "cyberarkpas.audit.timestamp": "Mar 09 01:00:47", + "event.action": "clear safe history", + "event.code": "59", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 1110, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "0.0.0.0" + ], + "service.type": "cyberarkpas", + "source.address": "0.0.0.0", + "source.ip": "0.0.0.0", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/60_cpm_reconcile_password_failed.log b/x-pack/filebeat/module/cyberarkpas/audit/test/60_cpm_reconcile_password_failed.log new file mode 100644 index 00000000000..2a5483207bf --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/60_cpm_reconcile_password_failed.log @@ -0,0 +1,9 @@ +<7>1 2021-03-11T21:12:22Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 13:12:22\n 2021-03-11T21:12:22Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 60\n CPM Reconcile Password Failed\n Error\n PasswordManager\n CPM Reconcile Password Failed\n \n \n partner\n Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart\n 10.0.1.20\n \n \n \n ImmediateTask. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #0). Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\n\n address=34.66.114.180;username=ELASTIC\\bart;\n CPM Reconcile Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 13:12:22","IsoTimestamp":"2021-03-11T21:12:22Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"60","Desc":"CPM Reconcile Password Failed","Severity":"Error","Issuer":"PasswordManager","Action":"CPM Reconcile Password Failed","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #0). Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\n","ExtraDetails":"address=34.66.114.180;username=ELASTIC\\bart;","Message":"CPM Reconcile Password Failed","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WinDomain"},{"Name":"UserName","Value":"ELASTIC\\bart"},{"Name":"Address","Value":"34.66.114.180"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastFailDate","Value":"1615497142"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"LogonDomain","Value":"34.66.114.180"},{"Name":"CPMErrorDetails","Value":"Parameter Reconcile account is mandatory but has an empty value or is not defined"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<7>1 2021-03-14T13:18:15Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 06:18:15\n 2021-03-14T13:18:15Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 60\n CPM Reconcile Password Failed\n Error\n PasswordManager\n CPM Reconcile Password Failed\n \n \n partner\n Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart\n 10.0.1.20\n \n \n \n ImmediateTask. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #2). Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\n\n address=34.66.114.180;retriescount=2;username=ELASTIC\\bart;\n CPM Reconcile Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 06:18:15","IsoTimestamp":"2021-03-14T13:18:15Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"60","Desc":"CPM Reconcile Password Failed","Severity":"Error","Issuer":"PasswordManager","Action":"CPM Reconcile Password Failed","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #2). Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\n","ExtraDetails":"address=34.66.114.180;retriescount=2;username=ELASTIC\\bart;","Message":"CPM Reconcile Password Failed","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WinDomain"},{"Name":"UserName","Value":"ELASTIC\\bart"},{"Name":"Address","Value":"34.66.114.180"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"2"},{"Name":"LastFailDate","Value":"1615727895"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"LogonDomain","Value":"34.66.114.180"},{"Name":"CPMErrorDetails","Value":"Parameter Reconcile account is mandatory but has an empty value or is not defined"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<7>1 2021-03-14T13:46:13Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 06:46:13\n 2021-03-14T13:46:13Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 60\n CPM Reconcile Password Failed\n Error\n PasswordManager\n CPM Reconcile Password Failed\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 10.0.1.20\n \n \n \n ImmediateTask. Failure Description: CACPM406E Reconciling Password Safe: partner, Folder: Root, Object: Operating System-UnixSSH-34.123.103.115-testark failed (try #0). Code: 8031, Error: First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\n\n address=34.123.103.115;username=testark;\n CPM Reconcile Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 06:46:13","IsoTimestamp":"2021-03-14T13:46:13Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"60","Desc":"CPM Reconcile Password Failed","Severity":"Error","Issuer":"PasswordManager","Action":"CPM Reconcile Password Failed","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-34.123.103.115-testark","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask. Failure Description: CACPM406E Reconciling Password Safe: partner, Folder: Root, Object: Operating System-UnixSSH-34.123.103.115-testark failed (try #0). Code: 8031, Error: First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\n","ExtraDetails":"address=34.123.103.115;username=testark;","Message":"CPM Reconcile Password Failed","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastFailDate","Value":"1615729572"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"CPMErrorDetails","Value":"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<7>1 2021-03-14T14:49:11Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 07:49:11\n 2021-03-14T14:49:11Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 60\n CPM Reconcile Password Failed\n Error\n PasswordManager\n CPM Reconcile Password Failed\n \n \n partner\n Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart\n 10.0.1.20\n \n \n \n ImmediateTask,Failure. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #3). Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\n\n address=34.66.114.180;retriescount=3;username=ELASTIC\\bart;\n CPM Reconcile Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 07:49:11","IsoTimestamp":"2021-03-14T14:49:11Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"60","Desc":"CPM Reconcile Password Failed","Severity":"Error","Issuer":"PasswordManager","Action":"CPM Reconcile Password Failed","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask,Failure. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #3). Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\n","ExtraDetails":"address=34.66.114.180;retriescount=3;username=ELASTIC\\bart;","Message":"CPM Reconcile Password Failed","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WinDomain"},{"Name":"UserName","Value":"ELASTIC\\bart"},{"Name":"Address","Value":"34.66.114.180"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"3"},{"Name":"LastFailDate","Value":"1615733350"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"LogonDomain","Value":"34.66.114.180"},{"Name":"CPMErrorDetails","Value":"Parameter Reconcile account is mandatory but has an empty value or is not defined"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<7>1 2021-03-15T10:12:18Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 03:12:18\n 2021-03-15T10:12:18Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 60\n CPM Reconcile Password Failed\n Error\n PasswordManager\n CPM Reconcile Password Failed\n \n \n partner\n Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart\n 10.0.1.20\n \n \n \n ImmediateTask,Failure. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #4). Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\n\n address=34.66.114.180;retriescount=4;username=ELASTIC\\bart;\n CPM Reconcile Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 03:12:18","IsoTimestamp":"2021-03-15T10:12:18Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"60","Desc":"CPM Reconcile Password Failed","Severity":"Error","Issuer":"PasswordManager","Action":"CPM Reconcile Password Failed","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask,Failure. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #4). Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\n","ExtraDetails":"address=34.66.114.180;retriescount=4;username=ELASTIC\\bart;","Message":"CPM Reconcile Password Failed","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WinDomain"},{"Name":"UserName","Value":"ELASTIC\\bart"},{"Name":"Address","Value":"34.66.114.180"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"4"},{"Name":"LastFailDate","Value":"1615803137"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"LogonDomain","Value":"34.66.114.180"},{"Name":"CPMErrorDetails","Value":"Parameter Reconcile account is mandatory but has an empty value or is not defined"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<7>1 2021-03-15T10:12:19Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 03:12:19\n 2021-03-15T10:12:19Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 60\n CPM Reconcile Password Failed\n Error\n PasswordManager\n CPM Reconcile Password Failed\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 10.0.1.20\n \n \n \n ImmediateTask,Failure. Failure Description: CACPM406E Reconciling Password Safe: partner, Folder: Root, Object: Operating System-UnixSSH-34.123.103.115-testark failed (try #1). Code: 8031, Error: First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\n\n address=34.123.103.115;retriescount=1;username=testark;\n CPM Reconcile Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 03:12:19","IsoTimestamp":"2021-03-15T10:12:19Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"60","Desc":"CPM Reconcile Password Failed","Severity":"Error","Issuer":"PasswordManager","Action":"CPM Reconcile Password Failed","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-34.123.103.115-testark","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask,Failure. Failure Description: CACPM406E Reconciling Password Safe: partner, Folder: Root, Object: Operating System-UnixSSH-34.123.103.115-testark failed (try #1). Code: 8031, Error: First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\n","ExtraDetails":"address=34.123.103.115;retriescount=1;username=testark;","Message":"CPM Reconcile Password Failed","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"1"},{"Name":"LastFailDate","Value":"1615803137"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"CPMErrorDetails","Value":"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<7>1 2021-03-15T12:57:13Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 05:57:13\n 2021-03-15T12:57:13Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 60\n CPM Reconcile Password Failed\n Error\n PasswordManager\n CPM Reconcile Password Failed\n \n \n partner\n Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart\n 10.0.1.20\n \n \n \n ImmediateTask,Failure. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #5). Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\n\n address=34.66.114.180;retriescount=5;username=ELASTIC\\bart;\n CPM Reconcile Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 05:57:13","IsoTimestamp":"2021-03-15T12:57:13Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"60","Desc":"CPM Reconcile Password Failed","Severity":"Error","Issuer":"PasswordManager","Action":"CPM Reconcile Password Failed","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask,Failure. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #5). Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\n","ExtraDetails":"address=34.66.114.180;retriescount=5;username=ELASTIC\\bart;","Message":"CPM Reconcile Password Failed","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WinDomain"},{"Name":"UserName","Value":"ELASTIC\\bart"},{"Name":"Address","Value":"34.66.114.180"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"CPMDisabled","Value":"(CPM)MaxRetries"},{"Name":"RetriesCount","Value":"5"},{"Name":"LastFailDate","Value":"1615813031"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"LogonDomain","Value":"34.66.114.180"},{"Name":"CPMErrorDetails","Value":"Parameter Reconcile account is mandatory but has an empty value or is not defined"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<7>1 2021-03-15T13:04:27Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 06:04:27\n 2021-03-15T13:04:27Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 60\n CPM Reconcile Password Failed\n Error\n PasswordManager\n CPM Reconcile Password Failed\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 10.0.1.20\n \n \n \n ImmediateTask. Failure Description: CACPM406E Reconciling Password Safe: partner, Folder: Root, Object: Operating System-UnixSSH-34.123.103.115-testark failed (try #0). Code: 8031, Error: First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\n\n address=34.123.103.115;username=testark;\n CPM Reconcile Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 06:04:27","IsoTimestamp":"2021-03-15T13:04:27Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"60","Desc":"CPM Reconcile Password Failed","Severity":"Error","Issuer":"PasswordManager","Action":"CPM Reconcile Password Failed","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-34.123.103.115-testark","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask. Failure Description: CACPM406E Reconciling Password Safe: partner, Folder: Root, Object: Operating System-UnixSSH-34.123.103.115-testark failed (try #0). Code: 8031, Error: First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\n","ExtraDetails":"address=34.123.103.115;username=testark;","Message":"CPM Reconcile Password Failed","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastFailDate","Value":"1615813465"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"LastSuccessVerification","Value":"1615803764"},{"Name":"CPMErrorDetails","Value":"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<7>1 2021-03-15T14:44:37Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 07:44:37\n 2021-03-15T14:44:37Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 60\n CPM Reconcile Password Failed\n Error\n PasswordManager\n CPM Reconcile Password Failed\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 10.0.1.20\n \n \n \n ImmediateTask. Failure Description: CACPM406E Reconciling Password Safe: partner, Folder: Root, Object: Operating System-UnixSSH-34.123.103.115-testark failed (try #1). Code: 8031, Error: First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\n\n address=34.123.103.115;retriescount=1;username=testark;\n CPM Reconcile Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 07:44:37","IsoTimestamp":"2021-03-15T14:44:37Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"60","Desc":"CPM Reconcile Password Failed","Severity":"Error","Issuer":"PasswordManager","Action":"CPM Reconcile Password Failed","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-34.123.103.115-testark","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask. Failure Description: CACPM406E Reconciling Password Safe: partner, Folder: Root, Object: Operating System-UnixSSH-34.123.103.115-testark failed (try #1). Code: 8031, Error: First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\n","ExtraDetails":"address=34.123.103.115;retriescount=1;username=testark;","Message":"CPM Reconcile Password Failed","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"1"},{"Name":"LastFailDate","Value":"1615819476"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"LastSuccessVerification","Value":"1615803764"},{"Name":"CPMErrorDetails","Value":"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"},{"Name":"UseSudoOnReconcile","Value":"Yes"}]}}}} diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/60_cpm_reconcile_password_failed.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/60_cpm_reconcile_password_failed.log-expected.json new file mode 100644 index 00000000000..3b1ee72f9de --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/60_cpm_reconcile_password_failed.log-expected.json @@ -0,0 +1,756 @@ +[ + { + "@timestamp": "2021-03-11T21:12:22.000Z", + "cyberarkpas.audit.action": "CPM Reconcile Password Failed", + "cyberarkpas.audit.ca_properties.address": "34.66.114.180", + "cyberarkpas.audit.ca_properties.cpm_error_details": "Parameter Reconcile account is mandatory but has an empty value or is not defined", + "cyberarkpas.audit.ca_properties.cpm_status": "failure", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.device_type": "Operating System", + "cyberarkpas.audit.ca_properties.last_fail_date": "1615497142", + "cyberarkpas.audit.ca_properties.last_task": "ReconcileTask", + "cyberarkpas.audit.ca_properties.logon_domain": "34.66.114.180", + "cyberarkpas.audit.ca_properties.policy_id": "WinDomain", + "cyberarkpas.audit.ca_properties.reset_immediately": "ReconcileTask", + "cyberarkpas.audit.ca_properties.retries_count": "0", + "cyberarkpas.audit.ca_properties.user_name": "ELASTIC\\bart", + "cyberarkpas.audit.desc": "CPM Reconcile Password Failed", + "cyberarkpas.audit.extra_details.address": "34.66.114.180", + "cyberarkpas.audit.extra_details.username": "ELASTIC\\bart", + "cyberarkpas.audit.file": "Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart", + "cyberarkpas.audit.iso_timestamp": "2021-03-11T21:12:22Z", + "cyberarkpas.audit.issuer": "PasswordManager", + "cyberarkpas.audit.message": "CPM Reconcile Password Failed", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 13:12:22\n 2021-03-11T21:12:22Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 60\n CPM Reconcile Password Failed\n Error\n PasswordManager\n CPM Reconcile Password Failed\n \n \n partner\n Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart\n 10.0.1.20\n \n \n \n ImmediateTask. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #0). Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\n\n address=34.66.114.180;username=ELASTIC\\bart;\n CPM Reconcile Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.reason": "ImmediateTask. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #0). Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "partner", + "cyberarkpas.audit.severity": "Error", + "cyberarkpas.audit.station": "10.0.1.20", + "cyberarkpas.audit.timestamp": "Mar 11 13:12:22", + "destination.address": "34.66.114.180", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 38.6583, + "destination.geo.location.lon": -77.2481, + "destination.geo.region_iso_code": "US-VA", + "destination.geo.region_name": "Virginia", + "destination.ip": "34.66.114.180", + "event.action": "cpm reconcile password failed", + "event.category": [ + "iam" + ], + "event.code": "60", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "failure", + "event.reason": "Parameter Reconcile account is mandatory but has an empty value or is not defined", + "event.severity": 7, + "event.timezone": "-02:00", + "event.type": [ + "user", + "change", + "error" + ], + "file.path": "Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 0, + "log.syslog.priority": "7", + "network.direction": "outbound", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "10.0.1.20", + "34.66.114.180" + ], + "related.user": [ + "PasswordManager", + "ELASTIC\\bart" + ], + "service.type": "cyberarkpas", + "source.address": "10.0.1.20", + "source.ip": "10.0.1.20", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "PasswordManager", + "user.target.name": "ELASTIC\\bart" + }, + { + "@timestamp": "2021-03-14T13:18:15.000Z", + "cyberarkpas.audit.action": "CPM Reconcile Password Failed", + "cyberarkpas.audit.ca_properties.address": "34.66.114.180", + "cyberarkpas.audit.ca_properties.cpm_error_details": "Parameter Reconcile account is mandatory but has an empty value or is not defined", + "cyberarkpas.audit.ca_properties.cpm_status": "failure", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.device_type": "Operating System", + "cyberarkpas.audit.ca_properties.last_fail_date": "1615727895", + "cyberarkpas.audit.ca_properties.last_task": "ReconcileTask", + "cyberarkpas.audit.ca_properties.logon_domain": "34.66.114.180", + "cyberarkpas.audit.ca_properties.policy_id": "WinDomain", + "cyberarkpas.audit.ca_properties.reset_immediately": "ReconcileTask", + "cyberarkpas.audit.ca_properties.retries_count": "2", + "cyberarkpas.audit.ca_properties.user_name": "ELASTIC\\bart", + "cyberarkpas.audit.desc": "CPM Reconcile Password Failed", + "cyberarkpas.audit.extra_details.address": "34.66.114.180", + "cyberarkpas.audit.extra_details.retriescount": "2", + "cyberarkpas.audit.extra_details.username": "ELASTIC\\bart", + "cyberarkpas.audit.file": "Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart", + "cyberarkpas.audit.iso_timestamp": "2021-03-14T13:18:15Z", + "cyberarkpas.audit.issuer": "PasswordManager", + "cyberarkpas.audit.message": "CPM Reconcile Password Failed", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 14 06:18:15\n 2021-03-14T13:18:15Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 60\n CPM Reconcile Password Failed\n Error\n PasswordManager\n CPM Reconcile Password Failed\n \n \n partner\n Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart\n 10.0.1.20\n \n \n \n ImmediateTask. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #2). Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\n\n address=34.66.114.180;retriescount=2;username=ELASTIC\\bart;\n CPM Reconcile Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.reason": "ImmediateTask. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #2). Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "partner", + "cyberarkpas.audit.severity": "Error", + "cyberarkpas.audit.station": "10.0.1.20", + "cyberarkpas.audit.timestamp": "Mar 14 06:18:15", + "destination.address": "34.66.114.180", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 38.6583, + "destination.geo.location.lon": -77.2481, + "destination.geo.region_iso_code": "US-VA", + "destination.geo.region_name": "Virginia", + "destination.ip": "34.66.114.180", + "event.action": "cpm reconcile password failed", + "event.category": [ + "iam" + ], + "event.code": "60", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "failure", + "event.reason": "Parameter Reconcile account is mandatory but has an empty value or is not defined", + "event.severity": 7, + "event.timezone": "-02:00", + "event.type": [ + "user", + "change", + "error" + ], + "file.path": "Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 3917, + "log.syslog.priority": "7", + "network.direction": "outbound", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "10.0.1.20", + "34.66.114.180" + ], + "related.user": [ + "PasswordManager", + "ELASTIC\\bart" + ], + "service.type": "cyberarkpas", + "source.address": "10.0.1.20", + "source.ip": "10.0.1.20", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "PasswordManager", + "user.target.name": "ELASTIC\\bart" + }, + { + "@timestamp": "2021-03-14T13:46:13.000Z", + "cyberarkpas.audit.action": "CPM Reconcile Password Failed", + "cyberarkpas.audit.ca_properties.address": "34.123.103.115", + "cyberarkpas.audit.ca_properties.cpm_error_details": "First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031", + "cyberarkpas.audit.ca_properties.cpm_status": "failure", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.device_type": "Operating System", + "cyberarkpas.audit.ca_properties.last_fail_date": "1615729572", + "cyberarkpas.audit.ca_properties.last_task": "ReconcileTask", + "cyberarkpas.audit.ca_properties.policy_id": "UnixSSH", + "cyberarkpas.audit.ca_properties.reset_immediately": "ReconcileTask", + "cyberarkpas.audit.ca_properties.retries_count": "0", + "cyberarkpas.audit.ca_properties.user_name": "testark", + "cyberarkpas.audit.desc": "CPM Reconcile Password Failed", + "cyberarkpas.audit.extra_details.address": "34.123.103.115", + "cyberarkpas.audit.extra_details.username": "testark", + "cyberarkpas.audit.file": "Root\\Operating System-UnixSSH-34.123.103.115-testark", + "cyberarkpas.audit.iso_timestamp": "2021-03-14T13:46:13Z", + "cyberarkpas.audit.issuer": "PasswordManager", + "cyberarkpas.audit.message": "CPM Reconcile Password Failed", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 14 06:46:13\n 2021-03-14T13:46:13Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 60\n CPM Reconcile Password Failed\n Error\n PasswordManager\n CPM Reconcile Password Failed\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 10.0.1.20\n \n \n \n ImmediateTask. Failure Description: CACPM406E Reconciling Password Safe: partner, Folder: Root, Object: Operating System-UnixSSH-34.123.103.115-testark failed (try #0). Code: 8031, Error: First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\n\n address=34.123.103.115;username=testark;\n CPM Reconcile Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.reason": "ImmediateTask. Failure Description: CACPM406E Reconciling Password Safe: partner, Folder: Root, Object: Operating System-UnixSSH-34.123.103.115-testark failed (try #0). Code: 8031, Error: First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "partner", + "cyberarkpas.audit.severity": "Error", + "cyberarkpas.audit.station": "10.0.1.20", + "cyberarkpas.audit.timestamp": "Mar 14 06:46:13", + "destination.address": "34.123.103.115", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "34.123.103.115", + "event.action": "cpm reconcile password failed", + "event.category": [ + "iam" + ], + "event.code": "60", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "failure", + "event.reason": "First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031", + "event.severity": 7, + "event.timezone": "-02:00", + "event.type": [ + "user", + "change", + "error" + ], + "file.path": "Root\\Operating System-UnixSSH-34.123.103.115-testark", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 7864, + "log.syslog.priority": "7", + "network.direction": "outbound", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "10.0.1.20", + "34.123.103.115" + ], + "related.user": [ + "PasswordManager", + "testark" + ], + "service.type": "cyberarkpas", + "source.address": "10.0.1.20", + "source.ip": "10.0.1.20", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "PasswordManager", + "user.target.name": "testark" + }, + { + "@timestamp": "2021-03-14T14:49:11.000Z", + "cyberarkpas.audit.action": "CPM Reconcile Password Failed", + "cyberarkpas.audit.ca_properties.address": "34.66.114.180", + "cyberarkpas.audit.ca_properties.cpm_error_details": "Parameter Reconcile account is mandatory but has an empty value or is not defined", + "cyberarkpas.audit.ca_properties.cpm_status": "failure", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.device_type": "Operating System", + "cyberarkpas.audit.ca_properties.last_fail_date": "1615733350", + "cyberarkpas.audit.ca_properties.last_task": "ReconcileTask", + "cyberarkpas.audit.ca_properties.logon_domain": "34.66.114.180", + "cyberarkpas.audit.ca_properties.policy_id": "WinDomain", + "cyberarkpas.audit.ca_properties.reset_immediately": "ReconcileTask", + "cyberarkpas.audit.ca_properties.retries_count": "3", + "cyberarkpas.audit.ca_properties.user_name": "ELASTIC\\bart", + "cyberarkpas.audit.desc": "CPM Reconcile Password Failed", + "cyberarkpas.audit.extra_details.address": "34.66.114.180", + "cyberarkpas.audit.extra_details.retriescount": "3", + "cyberarkpas.audit.extra_details.username": "ELASTIC\\bart", + "cyberarkpas.audit.file": "Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart", + "cyberarkpas.audit.iso_timestamp": "2021-03-14T14:49:11Z", + "cyberarkpas.audit.issuer": "PasswordManager", + "cyberarkpas.audit.message": "CPM Reconcile Password Failed", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 14 07:49:11\n 2021-03-14T14:49:11Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 60\n CPM Reconcile Password Failed\n Error\n PasswordManager\n CPM Reconcile Password Failed\n \n \n partner\n Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart\n 10.0.1.20\n \n \n \n ImmediateTask,Failure. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #3). Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\n\n address=34.66.114.180;retriescount=3;username=ELASTIC\\bart;\n CPM Reconcile Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.reason": "ImmediateTask,Failure. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #3). Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "partner", + "cyberarkpas.audit.severity": "Error", + "cyberarkpas.audit.station": "10.0.1.20", + "cyberarkpas.audit.timestamp": "Mar 14 07:49:11", + "destination.address": "34.66.114.180", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 38.6583, + "destination.geo.location.lon": -77.2481, + "destination.geo.region_iso_code": "US-VA", + "destination.geo.region_name": "Virginia", + "destination.ip": "34.66.114.180", + "event.action": "cpm reconcile password failed", + "event.category": [ + "iam" + ], + "event.code": "60", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "failure", + "event.reason": "Parameter Reconcile account is mandatory but has an empty value or is not defined", + "event.severity": 7, + "event.timezone": "-02:00", + "event.type": [ + "user", + "change", + "error" + ], + "file.path": "Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 11884, + "log.syslog.priority": "7", + "network.direction": "outbound", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "10.0.1.20", + "34.66.114.180" + ], + "related.user": [ + "PasswordManager", + "ELASTIC\\bart" + ], + "service.type": "cyberarkpas", + "source.address": "10.0.1.20", + "source.ip": "10.0.1.20", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "PasswordManager", + "user.target.name": "ELASTIC\\bart" + }, + { + "@timestamp": "2021-03-15T10:12:18.000Z", + "cyberarkpas.audit.action": "CPM Reconcile Password Failed", + "cyberarkpas.audit.ca_properties.address": "34.66.114.180", + "cyberarkpas.audit.ca_properties.cpm_error_details": "Parameter Reconcile account is mandatory but has an empty value or is not defined", + "cyberarkpas.audit.ca_properties.cpm_status": "failure", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.device_type": "Operating System", + "cyberarkpas.audit.ca_properties.last_fail_date": "1615803137", + "cyberarkpas.audit.ca_properties.last_task": "ReconcileTask", + "cyberarkpas.audit.ca_properties.logon_domain": "34.66.114.180", + "cyberarkpas.audit.ca_properties.policy_id": "WinDomain", + "cyberarkpas.audit.ca_properties.reset_immediately": "ReconcileTask", + "cyberarkpas.audit.ca_properties.retries_count": "4", + "cyberarkpas.audit.ca_properties.user_name": "ELASTIC\\bart", + "cyberarkpas.audit.desc": "CPM Reconcile Password Failed", + "cyberarkpas.audit.extra_details.address": "34.66.114.180", + "cyberarkpas.audit.extra_details.retriescount": "4", + "cyberarkpas.audit.extra_details.username": "ELASTIC\\bart", + "cyberarkpas.audit.file": "Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart", + "cyberarkpas.audit.iso_timestamp": "2021-03-15T10:12:18Z", + "cyberarkpas.audit.issuer": "PasswordManager", + "cyberarkpas.audit.message": "CPM Reconcile Password Failed", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 15 03:12:18\n 2021-03-15T10:12:18Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 60\n CPM Reconcile Password Failed\n Error\n PasswordManager\n CPM Reconcile Password Failed\n \n \n partner\n Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart\n 10.0.1.20\n \n \n \n ImmediateTask,Failure. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #4). Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\n\n address=34.66.114.180;retriescount=4;username=ELASTIC\\bart;\n CPM Reconcile Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.reason": "ImmediateTask,Failure. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #4). Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "partner", + "cyberarkpas.audit.severity": "Error", + "cyberarkpas.audit.station": "10.0.1.20", + "cyberarkpas.audit.timestamp": "Mar 15 03:12:18", + "destination.address": "34.66.114.180", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 38.6583, + "destination.geo.location.lon": -77.2481, + "destination.geo.region_iso_code": "US-VA", + "destination.geo.region_name": "Virginia", + "destination.ip": "34.66.114.180", + "event.action": "cpm reconcile password failed", + "event.category": [ + "iam" + ], + "event.code": "60", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "failure", + "event.reason": "Parameter Reconcile account is mandatory but has an empty value or is not defined", + "event.severity": 7, + "event.timezone": "-02:00", + "event.type": [ + "user", + "change", + "error" + ], + "file.path": "Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 15847, + "log.syslog.priority": "7", + "network.direction": "outbound", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "10.0.1.20", + "34.66.114.180" + ], + "related.user": [ + "PasswordManager", + "ELASTIC\\bart" + ], + "service.type": "cyberarkpas", + "source.address": "10.0.1.20", + "source.ip": "10.0.1.20", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "PasswordManager", + "user.target.name": "ELASTIC\\bart" + }, + { + "@timestamp": "2021-03-15T10:12:19.000Z", + "cyberarkpas.audit.action": "CPM Reconcile Password Failed", + "cyberarkpas.audit.ca_properties.address": "34.123.103.115", + "cyberarkpas.audit.ca_properties.cpm_error_details": "First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031", + "cyberarkpas.audit.ca_properties.cpm_status": "failure", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.device_type": "Operating System", + "cyberarkpas.audit.ca_properties.last_fail_date": "1615803137", + "cyberarkpas.audit.ca_properties.last_task": "ReconcileTask", + "cyberarkpas.audit.ca_properties.policy_id": "UnixSSH", + "cyberarkpas.audit.ca_properties.reset_immediately": "ReconcileTask", + "cyberarkpas.audit.ca_properties.retries_count": "1", + "cyberarkpas.audit.ca_properties.user_name": "testark", + "cyberarkpas.audit.desc": "CPM Reconcile Password Failed", + "cyberarkpas.audit.extra_details.address": "34.123.103.115", + "cyberarkpas.audit.extra_details.retriescount": "1", + "cyberarkpas.audit.extra_details.username": "testark", + "cyberarkpas.audit.file": "Root\\Operating System-UnixSSH-34.123.103.115-testark", + "cyberarkpas.audit.iso_timestamp": "2021-03-15T10:12:19Z", + "cyberarkpas.audit.issuer": "PasswordManager", + "cyberarkpas.audit.message": "CPM Reconcile Password Failed", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 15 03:12:19\n 2021-03-15T10:12:19Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 60\n CPM Reconcile Password Failed\n Error\n PasswordManager\n CPM Reconcile Password Failed\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 10.0.1.20\n \n \n \n ImmediateTask,Failure. Failure Description: CACPM406E Reconciling Password Safe: partner, Folder: Root, Object: Operating System-UnixSSH-34.123.103.115-testark failed (try #1). Code: 8031, Error: First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\n\n address=34.123.103.115;retriescount=1;username=testark;\n CPM Reconcile Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.reason": "ImmediateTask,Failure. Failure Description: CACPM406E Reconciling Password Safe: partner, Folder: Root, Object: Operating System-UnixSSH-34.123.103.115-testark failed (try #1). Code: 8031, Error: First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "partner", + "cyberarkpas.audit.severity": "Error", + "cyberarkpas.audit.station": "10.0.1.20", + "cyberarkpas.audit.timestamp": "Mar 15 03:12:19", + "destination.address": "34.123.103.115", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "34.123.103.115", + "event.action": "cpm reconcile password failed", + "event.category": [ + "iam" + ], + "event.code": "60", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "failure", + "event.reason": "First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031", + "event.severity": 7, + "event.timezone": "-02:00", + "event.type": [ + "user", + "change", + "error" + ], + "file.path": "Root\\Operating System-UnixSSH-34.123.103.115-testark", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 19810, + "log.syslog.priority": "7", + "network.direction": "outbound", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "10.0.1.20", + "34.123.103.115" + ], + "related.user": [ + "PasswordManager", + "testark" + ], + "service.type": "cyberarkpas", + "source.address": "10.0.1.20", + "source.ip": "10.0.1.20", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "PasswordManager", + "user.target.name": "testark" + }, + { + "@timestamp": "2021-03-15T12:57:13.000Z", + "cyberarkpas.audit.action": "CPM Reconcile Password Failed", + "cyberarkpas.audit.ca_properties.address": "34.66.114.180", + "cyberarkpas.audit.ca_properties.cpm_disabled": "(CPM)MaxRetries", + "cyberarkpas.audit.ca_properties.cpm_error_details": "Parameter Reconcile account is mandatory but has an empty value or is not defined", + "cyberarkpas.audit.ca_properties.cpm_status": "failure", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.device_type": "Operating System", + "cyberarkpas.audit.ca_properties.last_fail_date": "1615813031", + "cyberarkpas.audit.ca_properties.last_task": "ReconcileTask", + "cyberarkpas.audit.ca_properties.logon_domain": "34.66.114.180", + "cyberarkpas.audit.ca_properties.policy_id": "WinDomain", + "cyberarkpas.audit.ca_properties.reset_immediately": "ReconcileTask", + "cyberarkpas.audit.ca_properties.retries_count": "5", + "cyberarkpas.audit.ca_properties.user_name": "ELASTIC\\bart", + "cyberarkpas.audit.desc": "CPM Reconcile Password Failed", + "cyberarkpas.audit.extra_details.address": "34.66.114.180", + "cyberarkpas.audit.extra_details.retriescount": "5", + "cyberarkpas.audit.extra_details.username": "ELASTIC\\bart", + "cyberarkpas.audit.file": "Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart", + "cyberarkpas.audit.iso_timestamp": "2021-03-15T12:57:13Z", + "cyberarkpas.audit.issuer": "PasswordManager", + "cyberarkpas.audit.message": "CPM Reconcile Password Failed", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 15 05:57:13\n 2021-03-15T12:57:13Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 60\n CPM Reconcile Password Failed\n Error\n PasswordManager\n CPM Reconcile Password Failed\n \n \n partner\n Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart\n 10.0.1.20\n \n \n \n ImmediateTask,Failure. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #5). Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\n\n address=34.66.114.180;retriescount=5;username=ELASTIC\\bart;\n CPM Reconcile Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.reason": "ImmediateTask,Failure. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #5). Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "partner", + "cyberarkpas.audit.severity": "Error", + "cyberarkpas.audit.station": "10.0.1.20", + "cyberarkpas.audit.timestamp": "Mar 15 05:57:13", + "destination.address": "34.66.114.180", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 38.6583, + "destination.geo.location.lon": -77.2481, + "destination.geo.region_iso_code": "US-VA", + "destination.geo.region_name": "Virginia", + "destination.ip": "34.66.114.180", + "event.action": "cpm reconcile password failed", + "event.category": [ + "iam" + ], + "event.code": "60", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "failure", + "event.reason": "Parameter Reconcile account is mandatory but has an empty value or is not defined", + "event.severity": 7, + "event.timezone": "-02:00", + "event.type": [ + "user", + "change", + "error" + ], + "file.path": "Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 23876, + "log.syslog.priority": "7", + "network.direction": "outbound", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "10.0.1.20", + "34.66.114.180" + ], + "related.user": [ + "PasswordManager", + "ELASTIC\\bart" + ], + "service.type": "cyberarkpas", + "source.address": "10.0.1.20", + "source.ip": "10.0.1.20", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "PasswordManager", + "user.target.name": "ELASTIC\\bart" + }, + { + "@timestamp": "2021-03-15T13:04:27.000Z", + "cyberarkpas.audit.action": "CPM Reconcile Password Failed", + "cyberarkpas.audit.ca_properties.address": "34.123.103.115", + "cyberarkpas.audit.ca_properties.cpm_error_details": "First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031", + "cyberarkpas.audit.ca_properties.cpm_status": "failure", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.device_type": "Operating System", + "cyberarkpas.audit.ca_properties.last_fail_date": "1615813465", + "cyberarkpas.audit.ca_properties.last_success_verification": "1615803764", + "cyberarkpas.audit.ca_properties.last_task": "ReconcileTask", + "cyberarkpas.audit.ca_properties.policy_id": "UnixSSH", + "cyberarkpas.audit.ca_properties.reset_immediately": "ReconcileTask", + "cyberarkpas.audit.ca_properties.retries_count": "0", + "cyberarkpas.audit.ca_properties.user_name": "testark", + "cyberarkpas.audit.desc": "CPM Reconcile Password Failed", + "cyberarkpas.audit.extra_details.address": "34.123.103.115", + "cyberarkpas.audit.extra_details.username": "testark", + "cyberarkpas.audit.file": "Root\\Operating System-UnixSSH-34.123.103.115-testark", + "cyberarkpas.audit.iso_timestamp": "2021-03-15T13:04:27Z", + "cyberarkpas.audit.issuer": "PasswordManager", + "cyberarkpas.audit.message": "CPM Reconcile Password Failed", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 15 06:04:27\n 2021-03-15T13:04:27Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 60\n CPM Reconcile Password Failed\n Error\n PasswordManager\n CPM Reconcile Password Failed\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 10.0.1.20\n \n \n \n ImmediateTask. Failure Description: CACPM406E Reconciling Password Safe: partner, Folder: Root, Object: Operating System-UnixSSH-34.123.103.115-testark failed (try #0). Code: 8031, Error: First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\n\n address=34.123.103.115;username=testark;\n CPM Reconcile Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.reason": "ImmediateTask. Failure Description: CACPM406E Reconciling Password Safe: partner, Folder: Root, Object: Operating System-UnixSSH-34.123.103.115-testark failed (try #0). Code: 8031, Error: First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "partner", + "cyberarkpas.audit.severity": "Error", + "cyberarkpas.audit.station": "10.0.1.20", + "cyberarkpas.audit.timestamp": "Mar 15 06:04:27", + "destination.address": "34.123.103.115", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "34.123.103.115", + "event.action": "cpm reconcile password failed", + "event.category": [ + "iam" + ], + "event.code": "60", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "failure", + "event.reason": "First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031", + "event.severity": 7, + "event.timezone": "-02:00", + "event.type": [ + "user", + "change", + "error" + ], + "file.path": "Root\\Operating System-UnixSSH-34.123.103.115-testark", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 27968, + "log.syslog.priority": "7", + "network.direction": "outbound", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "10.0.1.20", + "34.123.103.115" + ], + "related.user": [ + "PasswordManager", + "testark" + ], + "service.type": "cyberarkpas", + "source.address": "10.0.1.20", + "source.ip": "10.0.1.20", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "PasswordManager", + "user.target.name": "testark" + }, + { + "@timestamp": "2021-03-15T14:44:37.000Z", + "cyberarkpas.audit.action": "CPM Reconcile Password Failed", + "cyberarkpas.audit.ca_properties.address": "34.123.103.115", + "cyberarkpas.audit.ca_properties.cpm_error_details": "First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031", + "cyberarkpas.audit.ca_properties.cpm_status": "failure", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.device_type": "Operating System", + "cyberarkpas.audit.ca_properties.last_fail_date": "1615819476", + "cyberarkpas.audit.ca_properties.last_success_verification": "1615803764", + "cyberarkpas.audit.ca_properties.last_task": "ReconcileTask", + "cyberarkpas.audit.ca_properties.policy_id": "UnixSSH", + "cyberarkpas.audit.ca_properties.reset_immediately": "ReconcileTask", + "cyberarkpas.audit.ca_properties.retries_count": "1", + "cyberarkpas.audit.ca_properties.use_sudo_on_reconcile": "Yes", + "cyberarkpas.audit.ca_properties.user_name": "testark", + "cyberarkpas.audit.desc": "CPM Reconcile Password Failed", + "cyberarkpas.audit.extra_details.address": "34.123.103.115", + "cyberarkpas.audit.extra_details.retriescount": "1", + "cyberarkpas.audit.extra_details.username": "testark", + "cyberarkpas.audit.file": "Root\\Operating System-UnixSSH-34.123.103.115-testark", + "cyberarkpas.audit.iso_timestamp": "2021-03-15T14:44:37Z", + "cyberarkpas.audit.issuer": "PasswordManager", + "cyberarkpas.audit.message": "CPM Reconcile Password Failed", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 15 07:44:37\n 2021-03-15T14:44:37Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 60\n CPM Reconcile Password Failed\n Error\n PasswordManager\n CPM Reconcile Password Failed\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 10.0.1.20\n \n \n \n ImmediateTask. Failure Description: CACPM406E Reconciling Password Safe: partner, Folder: Root, Object: Operating System-UnixSSH-34.123.103.115-testark failed (try #1). Code: 8031, Error: First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\n\n address=34.123.103.115;retriescount=1;username=testark;\n CPM Reconcile Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.reason": "ImmediateTask. Failure Description: CACPM406E Reconciling Password Safe: partner, Folder: Root, Object: Operating System-UnixSSH-34.123.103.115-testark failed (try #1). Code: 8031, Error: First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "partner", + "cyberarkpas.audit.severity": "Error", + "cyberarkpas.audit.station": "10.0.1.20", + "cyberarkpas.audit.timestamp": "Mar 15 07:44:37", + "destination.address": "34.123.103.115", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "34.123.103.115", + "event.action": "cpm reconcile password failed", + "event.category": [ + "iam" + ], + "event.code": "60", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "failure", + "event.reason": "First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031", + "event.severity": 7, + "event.timezone": "-02:00", + "event.type": [ + "user", + "change", + "error" + ], + "file.path": "Root\\Operating System-UnixSSH-34.123.103.115-testark", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 32131, + "log.syslog.priority": "7", + "network.direction": "outbound", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "10.0.1.20", + "34.123.103.115" + ], + "related.user": [ + "PasswordManager", + "testark" + ], + "service.type": "cyberarkpas", + "source.address": "10.0.1.20", + "source.ip": "10.0.1.20", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "PasswordManager", + "user.target.name": "testark" + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/62_create_file_version.log b/x-pack/filebeat/module/cyberarkpas/audit/test/62_create_file_version.log new file mode 100644 index 00000000000..0d2f4d0e96e --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/62_create_file_version.log @@ -0,0 +1,8 @@ +<5>1 2021-03-10T09:11:54Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:54","IsoTimestamp":"2021-03-10T09:11:54Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"62","Desc":"Create File Version","Severity":"Info","Issuer":"PSMPApp_localhost.localdomain","Action":"Create File Version","SourceUser":"","TargetUser":"","Safe":"PSMPLiveSessions","File":"Root\\PSMPApp_localhost.localdomain.LiveSessions","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Create File Version","GatewayStation":""}}} +<5>1 2021-03-10T17:58:05Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 09:58:05","IsoTimestamp":"2021-03-10T17:58:05Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"62","Desc":"Create File Version","Severity":"Info","Issuer":"Administrator","Action":"Create File Version","SourceUser":"","TargetUser":"","Safe":"PSMNotifications","File":"Root\\SessionControl","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Create File Version","GatewayStation":""}}} +<5>1 2021-03-10T18:46:47Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 10:46:47","IsoTimestamp":"2021-03-10T18:46:47Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"62","Desc":"Create File Version","Severity":"Info","Issuer":"PSMApp_VAGRANT","Action":"Create File Version","SourceUser":"","TargetUser":"","Safe":"PSMLiveSessions","File":"Root\\PSMServer.LiveSessions","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Create File Version","GatewayStation":""}}} +<5>1 2021-03-10T22:20:12Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 14:20:12","IsoTimestamp":"2021-03-10T22:20:12Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"62","Desc":"Create File Version","Severity":"Info","Issuer":"PSMApp_ASR-WIN","Action":"Create File Version","SourceUser":"","TargetUser":"","Safe":"PSMLiveSessions","File":"Root\\PSM-ASR-CYBERARK-WI.LiveSessions","Station":"35.192.121.42","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Create File Version","GatewayStation":""}}} +<5>1 2021-03-11T16:50:29Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 08:50:29\n 2021-03-11T16:50:29Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 62\n Create File Version\n Info\n PVWAAppUser\n Create File Version\n \n \n PSMSessions\n Root\\ec7c3e3bd11069dd20a491a6b11bbe293bf4780b\n 10.0.1.20\n \n \n \n \n \n Create File Version\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 08:50:29","IsoTimestamp":"2021-03-11T16:50:29Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"62","Desc":"Create File Version","Severity":"Info","Issuer":"PVWAAppUser","Action":"Create File Version","SourceUser":"","TargetUser":"","Safe":"PSMSessions","File":"Root\\ec7c3e3bd11069dd20a491a6b11bbe293bf4780b","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Create File Version","GatewayStation":""}}} +<5>1 2021-03-11T16:59:58Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 08:59:58\n 2021-03-11T16:59:58Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 62\n Create File Version\n Info\n PSMPApp_VAGRANT\n Create File Version\n \n \n PSMPLiveSessions\n Root\\PSMPApp_VAGRANT.LiveSessions\n 81.32.170.205\n \n \n \n \n \n Create File Version\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 08:59:58","IsoTimestamp":"2021-03-11T16:59:58Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"62","Desc":"Create File Version","Severity":"Info","Issuer":"PSMPApp_VAGRANT","Action":"Create File Version","SourceUser":"","TargetUser":"","Safe":"PSMPLiveSessions","File":"Root\\PSMPApp_VAGRANT.LiveSessions","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Create File Version","GatewayStation":""}}} +<5>1 2021-03-14T12:07:32Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 05:07:32\n 2021-03-14T12:07:32Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 62\n Create File Version\n Info\n PasswordManager\n Create File Version\n \n \n AccountsFeedDiscoveryLogs\n Root\\Windows discovery from ELASTIC.local_PasswordManager_UID1.log\n 10.0.1.20\n \n \n \n \n \n Create File Version\n 10.0.1.20\n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 05:07:32","IsoTimestamp":"2021-03-14T12:07:32Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"62","Desc":"Create File Version","Severity":"Info","Issuer":"PasswordManager","Action":"Create File Version","SourceUser":"","TargetUser":"","Safe":"AccountsFeedDiscoveryLogs","File":"Root\\Windows discovery from ELASTIC.local_PasswordManager_UID1.log","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Create File Version","GatewayStation":"10.0.1.20"}}} +<5>1 2021-03-14T12:57:27Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 05:57:27\n 2021-03-14T12:57:27Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 62\n Create File Version\n Info\n PSMPApp_SSH\n Create File Version\n \n \n PSMPLiveSessions\n Root\\PSMPApp_SSH.LiveSessions\n 34.71.250.247\n \n \n \n \n \n Create File Version\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 05:57:27","IsoTimestamp":"2021-03-14T12:57:27Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"62","Desc":"Create File Version","Severity":"Info","Issuer":"PSMPApp_SSH","Action":"Create File Version","SourceUser":"","TargetUser":"","Safe":"PSMPLiveSessions","File":"Root\\PSMPApp_SSH.LiveSessions","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Create File Version","GatewayStation":""}}} diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/62_create_file_version.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/62_create_file_version.log-expected.json new file mode 100644 index 00000000000..0656cfa58ab --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/62_create_file_version.log-expected.json @@ -0,0 +1,382 @@ +[ + { + "@timestamp": "2021-03-10T09:11:54.000Z", + "cyberarkpas.audit.action": "Create File Version", + "cyberarkpas.audit.desc": "Create File Version", + "cyberarkpas.audit.file": "Root\\PSMPApp_localhost.localdomain.LiveSessions", + "cyberarkpas.audit.iso_timestamp": "2021-03-10T09:11:54Z", + "cyberarkpas.audit.issuer": "PSMPApp_localhost.localdomain", + "cyberarkpas.audit.message": "Create File Version", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "PSMPLiveSessions", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.timestamp": "Mar 10 01:11:54", + "event.action": "create file version", + "event.code": "62", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "file.path": "Root\\PSMPApp_localhost.localdomain.LiveSessions", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 0, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + }, + { + "@timestamp": "2021-03-10T17:58:05.000Z", + "cyberarkpas.audit.action": "Create File Version", + "cyberarkpas.audit.desc": "Create File Version", + "cyberarkpas.audit.file": "Root\\SessionControl", + "cyberarkpas.audit.iso_timestamp": "2021-03-10T17:58:05Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Create File Version", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "PSMNotifications", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.timestamp": "Mar 10 09:58:05", + "event.action": "create file version", + "event.code": "62", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "file.path": "Root\\SessionControl", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 664, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + }, + { + "@timestamp": "2021-03-10T18:46:47.000Z", + "cyberarkpas.audit.action": "Create File Version", + "cyberarkpas.audit.desc": "Create File Version", + "cyberarkpas.audit.file": "Root\\PSMServer.LiveSessions", + "cyberarkpas.audit.iso_timestamp": "2021-03-10T18:46:47Z", + "cyberarkpas.audit.issuer": "PSMApp_VAGRANT", + "cyberarkpas.audit.message": "Create File Version", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "PSMLiveSessions", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.timestamp": "Mar 10 10:46:47", + "event.action": "create file version", + "event.code": "62", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "file.path": "Root\\PSMServer.LiveSessions", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 1284, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + }, + { + "@timestamp": "2021-03-10T22:20:12.000Z", + "cyberarkpas.audit.action": "Create File Version", + "cyberarkpas.audit.desc": "Create File Version", + "cyberarkpas.audit.file": "Root\\PSM-ASR-CYBERARK-WI.LiveSessions", + "cyberarkpas.audit.iso_timestamp": "2021-03-10T22:20:12Z", + "cyberarkpas.audit.issuer": "PSMApp_ASR-WIN", + "cyberarkpas.audit.message": "Create File Version", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "PSMLiveSessions", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "35.192.121.42", + "cyberarkpas.audit.timestamp": "Mar 10 14:20:12", + "event.action": "create file version", + "event.code": "62", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "file.path": "Root\\PSM-ASR-CYBERARK-WI.LiveSessions", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 1912, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "35.192.121.42" + ], + "service.type": "cyberarkpas", + "source.address": "35.192.121.42", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 38.6583, + "source.geo.location.lon": -77.2481, + "source.geo.region_iso_code": "US-VA", + "source.geo.region_name": "Virginia", + "source.ip": "35.192.121.42", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + }, + { + "@timestamp": "2021-03-11T16:50:29.000Z", + "cyberarkpas.audit.action": "Create File Version", + "cyberarkpas.audit.desc": "Create File Version", + "cyberarkpas.audit.file": "Root\\ec7c3e3bd11069dd20a491a6b11bbe293bf4780b", + "cyberarkpas.audit.iso_timestamp": "2021-03-11T16:50:29Z", + "cyberarkpas.audit.issuer": "PVWAAppUser", + "cyberarkpas.audit.message": "Create File Version", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 08:50:29\n 2021-03-11T16:50:29Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 62\n Create File Version\n Info\n PVWAAppUser\n Create File Version\n \n \n PSMSessions\n Root\\ec7c3e3bd11069dd20a491a6b11bbe293bf4780b\n 10.0.1.20\n \n \n \n \n \n Create File Version\n \n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "PSMSessions", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "10.0.1.20", + "cyberarkpas.audit.timestamp": "Mar 11 08:50:29", + "event.action": "create file version", + "event.code": "62", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "file.path": "Root\\ec7c3e3bd11069dd20a491a6b11bbe293bf4780b", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 2550, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "10.0.1.20" + ], + "service.type": "cyberarkpas", + "source.address": "10.0.1.20", + "source.ip": "10.0.1.20", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + }, + { + "@timestamp": "2021-03-11T16:59:58.000Z", + "cyberarkpas.audit.action": "Create File Version", + "cyberarkpas.audit.desc": "Create File Version", + "cyberarkpas.audit.file": "Root\\PSMPApp_VAGRANT.LiveSessions", + "cyberarkpas.audit.iso_timestamp": "2021-03-11T16:59:58Z", + "cyberarkpas.audit.issuer": "PSMPApp_VAGRANT", + "cyberarkpas.audit.message": "Create File Version", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 08:59:58\n 2021-03-11T16:59:58Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 62\n Create File Version\n Info\n PSMPApp_VAGRANT\n Create File Version\n \n \n PSMPLiveSessions\n Root\\PSMPApp_VAGRANT.LiveSessions\n 81.32.170.205\n \n \n \n \n \n Create File Version\n \n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "PSMPLiveSessions", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.timestamp": "Mar 11 08:59:58", + "event.action": "create file version", + "event.code": "62", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "file.path": "Root\\PSMPApp_VAGRANT.LiveSessions", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 4100, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + }, + { + "@timestamp": "2021-03-14T12:07:32.000Z", + "cyberarkpas.audit.action": "Create File Version", + "cyberarkpas.audit.desc": "Create File Version", + "cyberarkpas.audit.file": "Root\\Windows discovery from ELASTIC.local_PasswordManager_UID1.log", + "cyberarkpas.audit.gateway_station": "10.0.1.20", + "cyberarkpas.audit.iso_timestamp": "2021-03-14T12:07:32Z", + "cyberarkpas.audit.issuer": "PasswordManager", + "cyberarkpas.audit.message": "Create File Version", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 14 05:07:32\n 2021-03-14T12:07:32Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 62\n Create File Version\n Info\n PasswordManager\n Create File Version\n \n \n AccountsFeedDiscoveryLogs\n Root\\Windows discovery from ELASTIC.local_PasswordManager_UID1.log\n 10.0.1.20\n \n \n \n \n \n Create File Version\n 10.0.1.20\n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "AccountsFeedDiscoveryLogs", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "10.0.1.20", + "cyberarkpas.audit.timestamp": "Mar 14 05:07:32", + "destination.address": "10.0.1.20", + "destination.ip": "10.0.1.20", + "event.action": "create file version", + "event.code": "62", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "file.path": "Root\\Windows discovery from ELASTIC.local_PasswordManager_UID1.log", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 5652, + "log.syslog.priority": "5", + "network.direction": "internal", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "10.0.1.20" + ], + "service.type": "cyberarkpas", + "source.address": "10.0.1.20", + "source.ip": "10.0.1.20", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + }, + { + "@timestamp": "2021-03-14T12:57:27.000Z", + "cyberarkpas.audit.action": "Create File Version", + "cyberarkpas.audit.desc": "Create File Version", + "cyberarkpas.audit.file": "Root\\PSMPApp_SSH.LiveSessions", + "cyberarkpas.audit.iso_timestamp": "2021-03-14T12:57:27Z", + "cyberarkpas.audit.issuer": "PSMPApp_SSH", + "cyberarkpas.audit.message": "Create File Version", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 14 05:57:27\n 2021-03-14T12:57:27Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 62\n Create File Version\n Info\n PSMPApp_SSH\n Create File Version\n \n \n PSMPLiveSessions\n Root\\PSMPApp_SSH.LiveSessions\n 34.71.250.247\n \n \n \n \n \n Create File Version\n \n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "PSMPLiveSessions", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "34.71.250.247", + "cyberarkpas.audit.timestamp": "Mar 14 05:57:27", + "event.action": "create file version", + "event.code": "62", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "file.path": "Root\\PSMPApp_SSH.LiveSessions", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 7298, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "34.71.250.247" + ], + "service.type": "cyberarkpas", + "source.address": "34.71.250.247", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 37.751, + "source.geo.location.lon": -97.822, + "source.ip": "34.71.250.247", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/7_logon.log b/x-pack/filebeat/module/cyberarkpas/audit/test/7_logon.log new file mode 100644 index 00000000000..82be0d698c1 --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/7_logon.log @@ -0,0 +1,12 @@ +{"format":"elastic","version":"1.0","raw":"\n \n no\n Cyber-Ark\n Vault\n 11.6.0000\n 7\n Logon\n Info\n adm2\n Logon\n \n \n \n \n 10.2.0.6\n \n \n \n \n \n Logon\n 10.2.0.3\n \n","syslog":{"audit_record":{"Rfc5424":"no","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.6.0000","MessageID":"7","Desc":"Logon","Severity":"Info","Issuer":"adm2","Action":"Logon","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"10.2.0.6","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Logon","GatewayStation":"10.2.0.3","IsoTimestamp":"2021-03-16T15:01:00Z"}}} +<5>1 2021-03-04T19:10:05Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 04 11:10:05","IsoTimestamp":"2021-03-04T19:10:05Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"7","Desc":"Logon","Severity":"Info","Issuer":"PasswordManager","Action":"Logon","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Logon","GatewayStation":""}}} +<5>1 2021-03-04T19:10:20Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 04 11:10:20","IsoTimestamp":"2021-03-04T19:10:20Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"7","Desc":"Logon","Severity":"Info","Issuer":"SCIM-user","Action":"Logon","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Logon","GatewayStation":""}}} +<5>1 2021-03-04T19:11:20Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 04 11:11:20","IsoTimestamp":"2021-03-04T19:11:20Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"7","Desc":"Logon","Severity":"Info","Issuer":"PVWAGWUser","Action":"Logon","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Logon","GatewayStation":""}}} +<5>1 2021-03-04T19:11:23Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 04 11:11:23","IsoTimestamp":"2021-03-04T19:11:23Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"7","Desc":"Logon","Severity":"Info","Issuer":"Prov_COMPONENTS","Action":"Logon","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Logon","GatewayStation":""}}} +<5>1 2021-03-05T10:18:50Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 05 02:18:50","IsoTimestamp":"2021-03-05T10:18:50Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"7","Desc":"Logon","Severity":"Info","Issuer":"PVWAAppUser","Action":"Logon","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Logon","GatewayStation":""}}} +<5>1 2021-03-08T18:07:51Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 08 10:07:51","IsoTimestamp":"2021-03-08T18:07:51Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"7","Desc":"Logon","Severity":"Info","Issuer":"Administrator","Action":"Logon","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Logon","GatewayStation":"10.0.1.20"}}} +<5>1 2021-03-09T08:32:51Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 09 00:32:51","IsoTimestamp":"2021-03-09T08:32:51Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"7","Desc":"Logon","Severity":"Info","Issuer":"Administrator","Action":"Logon","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Logon","GatewayStation":"10.0.1.20"}}} +<5>1 2021-03-09T10:14:58Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 09 02:14:58","IsoTimestamp":"2021-03-09T10:14:58Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"7","Desc":"Logon","Severity":"Info","Issuer":"Administrator","Action":"Logon","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"37.223.7.45","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Logon","GatewayStation":"10.0.1.20"}}} +<5>1 2021-03-10T09:11:48Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:48","IsoTimestamp":"2021-03-10T09:11:48Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"7","Desc":"Logon","Severity":"Info","Issuer":"PSMP_ADB_localhost.localdomain","Action":"Logon","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Logon","GatewayStation":""}}} +<5>1 2021-03-10T09:11:48Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:48","IsoTimestamp":"2021-03-10T09:11:48Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"7","Desc":"Logon","Severity":"Info","Issuer":"PSMPApp_localhost.localdomain","Action":"Logon","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Logon","GatewayStation":""}}} +<5>1 2021-03-10T09:11:49Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:49","IsoTimestamp":"2021-03-10T09:11:49Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"7","Desc":"Logon","Severity":"Info","Issuer":"PSMPGW_localhost.localdomain","Action":"Logon","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Logon","GatewayStation":""}}} diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/7_logon.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/7_logon.log-expected.json new file mode 100644 index 00000000000..8702306a8d5 --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/7_logon.log-expected.json @@ -0,0 +1,659 @@ +[ + { + "@timestamp": "2021-03-16T15:01:00.000Z", + "cyberarkpas.audit.action": "Logon", + "cyberarkpas.audit.desc": "Logon", + "cyberarkpas.audit.gateway_station": "10.2.0.3", + "cyberarkpas.audit.iso_timestamp": "2021-03-16T15:01:00Z", + "cyberarkpas.audit.issuer": "adm2", + "cyberarkpas.audit.message": "Logon", + "cyberarkpas.audit.raw": "\n \n no\n Cyber-Ark\n Vault\n 11.6.0000\n 7\n Logon\n Info\n adm2\n Logon\n \n \n \n \n 10.2.0.6\n \n \n \n \n \n Logon\n 10.2.0.3\n \n", + "cyberarkpas.audit.rfc5424": false, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "10.2.0.6", + "destination.address": "10.2.0.3", + "destination.ip": "10.2.0.3", + "event.action": "authentication_success", + "event.category": [ + "authentication", + "session" + ], + "event.code": "7", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "start" + ], + "fileset.name": "audit", + "input.type": "log", + "log.offset": 0, + "network.direction": "internal", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.6.0000", + "related.ip": [ + "10.2.0.6", + "10.2.0.3" + ], + "related.user": [ + "adm2" + ], + "service.type": "cyberarkpas", + "source.address": "10.2.0.6", + "source.ip": "10.2.0.6", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "adm2" + }, + { + "@timestamp": "2021-03-04T19:10:05.000Z", + "cyberarkpas.audit.action": "Logon", + "cyberarkpas.audit.desc": "Logon", + "cyberarkpas.audit.iso_timestamp": "2021-03-04T19:10:05Z", + "cyberarkpas.audit.issuer": "PasswordManager", + "cyberarkpas.audit.message": "Logon", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "10.0.1.20", + "cyberarkpas.audit.timestamp": "Mar 04 11:10:05", + "event.action": "authentication_success", + "event.category": [ + "authentication", + "session" + ], + "event.code": "7", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "start" + ], + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 1132, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "10.0.1.20" + ], + "related.user": [ + "PasswordManager" + ], + "service.type": "cyberarkpas", + "source.address": "10.0.1.20", + "source.ip": "10.0.1.20", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "PasswordManager" + }, + { + "@timestamp": "2021-03-04T19:10:20.000Z", + "cyberarkpas.audit.action": "Logon", + "cyberarkpas.audit.desc": "Logon", + "cyberarkpas.audit.iso_timestamp": "2021-03-04T19:10:20Z", + "cyberarkpas.audit.issuer": "SCIM-user", + "cyberarkpas.audit.message": "Logon", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "10.0.1.20", + "cyberarkpas.audit.timestamp": "Mar 04 11:10:20", + "event.action": "authentication_success", + "event.category": [ + "authentication", + "session" + ], + "event.code": "7", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "start" + ], + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 1671, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "10.0.1.20" + ], + "related.user": [ + "SCIM-user" + ], + "service.type": "cyberarkpas", + "source.address": "10.0.1.20", + "source.ip": "10.0.1.20", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "SCIM-user" + }, + { + "@timestamp": "2021-03-04T19:11:20.000Z", + "cyberarkpas.audit.action": "Logon", + "cyberarkpas.audit.desc": "Logon", + "cyberarkpas.audit.iso_timestamp": "2021-03-04T19:11:20Z", + "cyberarkpas.audit.issuer": "PVWAGWUser", + "cyberarkpas.audit.message": "Logon", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "10.0.1.20", + "cyberarkpas.audit.timestamp": "Mar 04 11:11:20", + "event.action": "authentication_success", + "event.category": [ + "authentication", + "session" + ], + "event.code": "7", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "start" + ], + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 2204, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "10.0.1.20" + ], + "related.user": [ + "PVWAGWUser" + ], + "service.type": "cyberarkpas", + "source.address": "10.0.1.20", + "source.ip": "10.0.1.20", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "PVWAGWUser" + }, + { + "@timestamp": "2021-03-04T19:11:23.000Z", + "cyberarkpas.audit.action": "Logon", + "cyberarkpas.audit.desc": "Logon", + "cyberarkpas.audit.iso_timestamp": "2021-03-04T19:11:23Z", + "cyberarkpas.audit.issuer": "Prov_COMPONENTS", + "cyberarkpas.audit.message": "Logon", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "10.0.1.20", + "cyberarkpas.audit.timestamp": "Mar 04 11:11:23", + "event.action": "authentication_success", + "event.category": [ + "authentication", + "session" + ], + "event.code": "7", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "start" + ], + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 2738, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "10.0.1.20" + ], + "related.user": [ + "Prov_COMPONENTS" + ], + "service.type": "cyberarkpas", + "source.address": "10.0.1.20", + "source.ip": "10.0.1.20", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "Prov_COMPONENTS" + }, + { + "@timestamp": "2021-03-05T10:18:50.000Z", + "cyberarkpas.audit.action": "Logon", + "cyberarkpas.audit.desc": "Logon", + "cyberarkpas.audit.iso_timestamp": "2021-03-05T10:18:50Z", + "cyberarkpas.audit.issuer": "PVWAAppUser", + "cyberarkpas.audit.message": "Logon", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "10.0.1.20", + "cyberarkpas.audit.timestamp": "Mar 05 02:18:50", + "event.action": "authentication_success", + "event.category": [ + "authentication", + "session" + ], + "event.code": "7", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "start" + ], + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 3277, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "10.0.1.20" + ], + "related.user": [ + "PVWAAppUser" + ], + "service.type": "cyberarkpas", + "source.address": "10.0.1.20", + "source.ip": "10.0.1.20", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "PVWAAppUser" + }, + { + "@timestamp": "2021-03-08T18:07:51.000Z", + "cyberarkpas.audit.action": "Logon", + "cyberarkpas.audit.desc": "Logon", + "cyberarkpas.audit.gateway_station": "10.0.1.20", + "cyberarkpas.audit.iso_timestamp": "2021-03-08T18:07:51Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Logon", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "127.0.0.1", + "cyberarkpas.audit.timestamp": "Mar 08 10:07:51", + "destination.address": "10.0.1.20", + "destination.ip": "10.0.1.20", + "event.action": "authentication_success", + "event.category": [ + "authentication", + "session" + ], + "event.code": "7", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "start" + ], + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 3812, + "log.syslog.priority": "5", + "network.direction": "internal", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "127.0.0.1", + "10.0.1.20" + ], + "related.user": [ + "Administrator" + ], + "service.type": "cyberarkpas", + "source.address": "127.0.0.1", + "source.ip": "127.0.0.1", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "Administrator" + }, + { + "@timestamp": "2021-03-09T08:32:51.000Z", + "cyberarkpas.audit.action": "Logon", + "cyberarkpas.audit.desc": "Logon", + "cyberarkpas.audit.gateway_station": "10.0.1.20", + "cyberarkpas.audit.iso_timestamp": "2021-03-09T08:32:51Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Logon", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.timestamp": "Mar 09 00:32:51", + "destination.address": "10.0.1.20", + "destination.ip": "10.0.1.20", + "event.action": "authentication_success", + "event.category": [ + "authentication", + "session" + ], + "event.code": "7", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "start" + ], + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 4358, + "log.syslog.priority": "5", + "network.direction": "inbound", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205", + "10.0.1.20" + ], + "related.user": [ + "Administrator" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "Administrator" + }, + { + "@timestamp": "2021-03-09T10:14:58.000Z", + "cyberarkpas.audit.action": "Logon", + "cyberarkpas.audit.desc": "Logon", + "cyberarkpas.audit.gateway_station": "10.0.1.20", + "cyberarkpas.audit.iso_timestamp": "2021-03-09T10:14:58Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Logon", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "37.223.7.45", + "cyberarkpas.audit.timestamp": "Mar 09 02:14:58", + "destination.address": "10.0.1.20", + "destination.ip": "10.0.1.20", + "event.action": "authentication_success", + "event.category": [ + "authentication", + "session" + ], + "event.code": "7", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "start" + ], + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 4908, + "log.syslog.priority": "5", + "network.direction": "inbound", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "37.223.7.45", + "10.0.1.20" + ], + "related.user": [ + "Administrator" + ], + "service.type": "cyberarkpas", + "source.address": "37.223.7.45", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "37.223.7.45", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "Administrator" + }, + { + "@timestamp": "2021-03-10T09:11:48.000Z", + "cyberarkpas.audit.action": "Logon", + "cyberarkpas.audit.desc": "Logon", + "cyberarkpas.audit.iso_timestamp": "2021-03-10T09:11:48Z", + "cyberarkpas.audit.issuer": "PSMP_ADB_localhost.localdomain", + "cyberarkpas.audit.message": "Logon", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.timestamp": "Mar 10 01:11:48", + "event.action": "authentication_success", + "event.category": [ + "authentication", + "session" + ], + "event.code": "7", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "start" + ], + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 5456, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205" + ], + "related.user": [ + "PSMP_ADB_localhost.localdomain" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "PSMP_ADB_localhost.localdomain" + }, + { + "@timestamp": "2021-03-10T09:11:48.000Z", + "cyberarkpas.audit.action": "Logon", + "cyberarkpas.audit.desc": "Logon", + "cyberarkpas.audit.iso_timestamp": "2021-03-10T09:11:48Z", + "cyberarkpas.audit.issuer": "PSMPApp_localhost.localdomain", + "cyberarkpas.audit.message": "Logon", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.timestamp": "Mar 10 01:11:48", + "event.action": "authentication_success", + "event.category": [ + "authentication", + "session" + ], + "event.code": "7", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "start" + ], + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 6014, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205" + ], + "related.user": [ + "PSMPApp_localhost.localdomain" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "PSMPApp_localhost.localdomain" + }, + { + "@timestamp": "2021-03-10T09:11:49.000Z", + "cyberarkpas.audit.action": "Logon", + "cyberarkpas.audit.desc": "Logon", + "cyberarkpas.audit.iso_timestamp": "2021-03-10T09:11:49Z", + "cyberarkpas.audit.issuer": "PSMPGW_localhost.localdomain", + "cyberarkpas.audit.message": "Logon", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.timestamp": "Mar 10 01:11:49", + "event.action": "authentication_success", + "event.category": [ + "authentication", + "session" + ], + "event.code": "7", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "start" + ], + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 6571, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205" + ], + "related.user": [ + "PSMPGW_localhost.localdomain" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "PSMPGW_localhost.localdomain" + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/88_set_password.log b/x-pack/filebeat/module/cyberarkpas/audit/test/88_set_password.log new file mode 100644 index 00000000000..308e66ee8c0 --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/88_set_password.log @@ -0,0 +1,18 @@ +<5>1 2021-03-04T19:16:19Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 04 11:16:19","IsoTimestamp":"2021-03-04T19:16:19Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"88","Desc":"Set Password","Severity":"Info","Issuer":"PVWAGWUser","Action":"Set Password","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Set Password","GatewayStation":""}}} +<5>1 2021-03-04T19:16:19Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 04 11:16:19","IsoTimestamp":"2021-03-04T19:16:19Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"88","Desc":"Set Password","Severity":"Info","Issuer":"PVWAAppUser","Action":"Set Password","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Set Password","GatewayStation":""}}} +Mar 08 02:54:46 VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"no","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"88","Desc":"Set Password","Severity":"Info","Issuer":"PVWAGWUser","Action":"Set Password","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Set Password","GatewayStation":""}}} +<5>1 2021-03-10T08:29:19Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 00:29:19","IsoTimestamp":"2021-03-10T08:29:19Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"88","Desc":"Set Password","Severity":"Info","Issuer":"Prov_COMPONENTS","Action":"Set Password","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Set Password","GatewayStation":""}}} +<5>1 2021-03-10T08:29:28Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 00:29:28","IsoTimestamp":"2021-03-10T08:29:28Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"88","Desc":"Set Password","Severity":"Info","Issuer":"PasswordManager","Action":"Set Password","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Set Password","GatewayStation":""}}} +<5>1 2021-03-10T09:11:52Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:52","IsoTimestamp":"2021-03-10T09:11:52Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"88","Desc":"Set Password","Severity":"Info","Issuer":"PSMPApp_localhost.localdomain","Action":"Set Password","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Set Password","GatewayStation":""}}} +<5>1 2021-03-10T09:11:52Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:52","IsoTimestamp":"2021-03-10T09:11:52Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"88","Desc":"Set Password","Severity":"Info","Issuer":"PSMPGW_localhost.localdomain","Action":"Set Password","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Set Password","GatewayStation":""}}} +<5>1 2021-03-10T09:11:55Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:55","IsoTimestamp":"2021-03-10T09:11:55Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"88","Desc":"Set Password","Severity":"Info","Issuer":"PSMP_ADB_localhost.localdomain","Action":"Set Password","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Set Password","GatewayStation":""}}} +<5>1 2021-03-10T18:46:47Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 10:46:47","IsoTimestamp":"2021-03-10T18:46:47Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"88","Desc":"Set Password","Severity":"Info","Issuer":"PSMApp_VAGRANT","Action":"Set Password","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Set Password","GatewayStation":""}}} +<5>1 2021-03-10T18:46:47Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 10:46:47","IsoTimestamp":"2021-03-10T18:46:47Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"88","Desc":"Set Password","Severity":"Info","Issuer":"PSMGw_VAGRANT","Action":"Set Password","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Set Password","GatewayStation":""}}} +<5>1 2021-03-10T22:20:12Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 14:20:12","IsoTimestamp":"2021-03-10T22:20:12Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"88","Desc":"Set Password","Severity":"Info","Issuer":"PSMApp_ASR-WIN","Action":"Set Password","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"35.192.121.42","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Set Password","GatewayStation":""}}} +<5>1 2021-03-10T22:20:12Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 14:20:12","IsoTimestamp":"2021-03-10T22:20:12Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"88","Desc":"Set Password","Severity":"Info","Issuer":"PSMGw_ASR-WIN","Action":"Set Password","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"35.192.121.42","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Set Password","GatewayStation":""}}} +<5>1 2021-03-11T16:59:54Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 08:59:54\n 2021-03-11T16:59:54Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 88\n Set Password\n Info\n PSMPApp_VAGRANT\n Set Password\n \n \n \n \n 81.32.170.205\n \n \n \n \n \n Set Password\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 08:59:54","IsoTimestamp":"2021-03-11T16:59:54Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"88","Desc":"Set Password","Severity":"Info","Issuer":"PSMPApp_VAGRANT","Action":"Set Password","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Set Password","GatewayStation":""}}} +<5>1 2021-03-11T16:59:55Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 08:59:55\n 2021-03-11T16:59:55Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 88\n Set Password\n Info\n PSMPGW_VAGRANT\n Set Password\n \n \n \n \n 81.32.170.205\n \n \n \n \n \n Set Password\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 08:59:55","IsoTimestamp":"2021-03-11T16:59:55Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"88","Desc":"Set Password","Severity":"Info","Issuer":"PSMPGW_VAGRANT","Action":"Set Password","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Set Password","GatewayStation":""}}} +<5>1 2021-03-11T20:10:33Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 12:10:33\n 2021-03-11T20:10:33Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 88\n Set Password\n Info\n PSMApp_ASR-WIN\n Set Password\n \n \n \n \n 34.66.114.180\n \n \n \n \n \n Set Password\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 12:10:33","IsoTimestamp":"2021-03-11T20:10:33Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"88","Desc":"Set Password","Severity":"Info","Issuer":"PSMApp_ASR-WIN","Action":"Set Password","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"34.66.114.180","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Set Password","GatewayStation":""}}} +<5>1 2021-03-14T12:57:25Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 05:57:25\n 2021-03-14T12:57:25Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 88\n Set Password\n Info\n PSMPGW_SSH\n Set Password\n \n \n \n \n 34.71.250.247\n \n \n \n \n \n Set Password\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 05:57:25","IsoTimestamp":"2021-03-14T12:57:25Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"88","Desc":"Set Password","Severity":"Info","Issuer":"PSMPGW_SSH","Action":"Set Password","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Set Password","GatewayStation":""}}} +<5>1 2021-03-14T12:57:25Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 05:57:25\n 2021-03-14T12:57:25Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 88\n Set Password\n Info\n PSMPApp_SSH\n Set Password\n \n \n \n \n 34.71.250.247\n \n \n \n \n \n Set Password\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 05:57:25","IsoTimestamp":"2021-03-14T12:57:25Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"88","Desc":"Set Password","Severity":"Info","Issuer":"PSMPApp_SSH","Action":"Set Password","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Set Password","GatewayStation":""}}} +<5>1 2021-03-14T12:57:25Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 05:57:25\n 2021-03-14T12:57:25Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 88\n Set Password\n Info\n PSMP_ADB_asr-cyberark-psm-ssh\n Set Password\n \n \n \n \n 34.71.250.247\n \n \n \n \n \n Set Password\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 05:57:25","IsoTimestamp":"2021-03-14T12:57:25Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"88","Desc":"Set Password","Severity":"Info","Issuer":"PSMP_ADB_asr-cyberark-psm-ssh","Action":"Set Password","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Set Password","GatewayStation":""}}} diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/88_set_password.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/88_set_password.log-expected.json new file mode 100644 index 00000000000..40989a6cec0 --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/88_set_password.log-expected.json @@ -0,0 +1,781 @@ +[ + { + "@timestamp": "2021-03-04T19:16:19.000Z", + "cyberarkpas.audit.action": "Set Password", + "cyberarkpas.audit.desc": "Set Password", + "cyberarkpas.audit.iso_timestamp": "2021-03-04T19:16:19Z", + "cyberarkpas.audit.issuer": "PVWAGWUser", + "cyberarkpas.audit.message": "Set Password", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "10.0.1.20", + "cyberarkpas.audit.timestamp": "Mar 04 11:16:19", + "event.action": "set password", + "event.code": "88", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 0, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "10.0.1.20" + ], + "service.type": "cyberarkpas", + "source.address": "10.0.1.20", + "source.ip": "10.0.1.20", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + }, + { + "@timestamp": "2021-03-04T19:16:19.000Z", + "cyberarkpas.audit.action": "Set Password", + "cyberarkpas.audit.desc": "Set Password", + "cyberarkpas.audit.iso_timestamp": "2021-03-04T19:16:19Z", + "cyberarkpas.audit.issuer": "PVWAAppUser", + "cyberarkpas.audit.message": "Set Password", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "10.0.1.20", + "cyberarkpas.audit.timestamp": "Mar 04 11:16:19", + "event.action": "set password", + "event.code": "88", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 556, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "10.0.1.20" + ], + "service.type": "cyberarkpas", + "source.address": "10.0.1.20", + "source.ip": "10.0.1.20", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + }, + { + "@timestamp": "2021-03-08T02:54:46.000-02:00", + "cyberarkpas.audit.action": "Set Password", + "cyberarkpas.audit.desc": "Set Password", + "cyberarkpas.audit.issuer": "PVWAGWUser", + "cyberarkpas.audit.message": "Set Password", + "cyberarkpas.audit.rfc5424": false, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "10.0.1.20", + "event.action": "set password", + "event.code": "88", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 1113, + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "10.0.1.20" + ], + "service.type": "cyberarkpas", + "source.address": "10.0.1.20", + "source.ip": "10.0.1.20", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + }, + { + "@timestamp": "2021-03-10T08:29:19.000Z", + "cyberarkpas.audit.action": "Set Password", + "cyberarkpas.audit.desc": "Set Password", + "cyberarkpas.audit.iso_timestamp": "2021-03-10T08:29:19Z", + "cyberarkpas.audit.issuer": "Prov_COMPONENTS", + "cyberarkpas.audit.message": "Set Password", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "10.0.1.20", + "cyberarkpas.audit.timestamp": "Mar 10 00:29:19", + "event.action": "set password", + "event.code": "88", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 1571, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "10.0.1.20" + ], + "service.type": "cyberarkpas", + "source.address": "10.0.1.20", + "source.ip": "10.0.1.20", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + }, + { + "@timestamp": "2021-03-10T08:29:28.000Z", + "cyberarkpas.audit.action": "Set Password", + "cyberarkpas.audit.desc": "Set Password", + "cyberarkpas.audit.iso_timestamp": "2021-03-10T08:29:28Z", + "cyberarkpas.audit.issuer": "PasswordManager", + "cyberarkpas.audit.message": "Set Password", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "10.0.1.20", + "cyberarkpas.audit.timestamp": "Mar 10 00:29:28", + "event.action": "set password", + "event.code": "88", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 2132, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "10.0.1.20" + ], + "service.type": "cyberarkpas", + "source.address": "10.0.1.20", + "source.ip": "10.0.1.20", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + }, + { + "@timestamp": "2021-03-10T09:11:52.000Z", + "cyberarkpas.audit.action": "Set Password", + "cyberarkpas.audit.desc": "Set Password", + "cyberarkpas.audit.iso_timestamp": "2021-03-10T09:11:52Z", + "cyberarkpas.audit.issuer": "PSMPApp_localhost.localdomain", + "cyberarkpas.audit.message": "Set Password", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.timestamp": "Mar 10 01:11:52", + "event.action": "set password", + "event.code": "88", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 2693, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + }, + { + "@timestamp": "2021-03-10T09:11:52.000Z", + "cyberarkpas.audit.action": "Set Password", + "cyberarkpas.audit.desc": "Set Password", + "cyberarkpas.audit.iso_timestamp": "2021-03-10T09:11:52Z", + "cyberarkpas.audit.issuer": "PSMPGW_localhost.localdomain", + "cyberarkpas.audit.message": "Set Password", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.timestamp": "Mar 10 01:11:52", + "event.action": "set password", + "event.code": "88", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 3272, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + }, + { + "@timestamp": "2021-03-10T09:11:55.000Z", + "cyberarkpas.audit.action": "Set Password", + "cyberarkpas.audit.desc": "Set Password", + "cyberarkpas.audit.iso_timestamp": "2021-03-10T09:11:55Z", + "cyberarkpas.audit.issuer": "PSMP_ADB_localhost.localdomain", + "cyberarkpas.audit.message": "Set Password", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.timestamp": "Mar 10 01:11:55", + "event.action": "set password", + "event.code": "88", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 3850, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + }, + { + "@timestamp": "2021-03-10T18:46:47.000Z", + "cyberarkpas.audit.action": "Set Password", + "cyberarkpas.audit.desc": "Set Password", + "cyberarkpas.audit.iso_timestamp": "2021-03-10T18:46:47Z", + "cyberarkpas.audit.issuer": "PSMApp_VAGRANT", + "cyberarkpas.audit.message": "Set Password", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.timestamp": "Mar 10 10:46:47", + "event.action": "set password", + "event.code": "88", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 4430, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + }, + { + "@timestamp": "2021-03-10T18:46:47.000Z", + "cyberarkpas.audit.action": "Set Password", + "cyberarkpas.audit.desc": "Set Password", + "cyberarkpas.audit.iso_timestamp": "2021-03-10T18:46:47Z", + "cyberarkpas.audit.issuer": "PSMGw_VAGRANT", + "cyberarkpas.audit.message": "Set Password", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.timestamp": "Mar 10 10:46:47", + "event.action": "set password", + "event.code": "88", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 4994, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + }, + { + "@timestamp": "2021-03-10T22:20:12.000Z", + "cyberarkpas.audit.action": "Set Password", + "cyberarkpas.audit.desc": "Set Password", + "cyberarkpas.audit.iso_timestamp": "2021-03-10T22:20:12Z", + "cyberarkpas.audit.issuer": "PSMApp_ASR-WIN", + "cyberarkpas.audit.message": "Set Password", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "35.192.121.42", + "cyberarkpas.audit.timestamp": "Mar 10 14:20:12", + "event.action": "set password", + "event.code": "88", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 5557, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "35.192.121.42" + ], + "service.type": "cyberarkpas", + "source.address": "35.192.121.42", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 38.6583, + "source.geo.location.lon": -77.2481, + "source.geo.region_iso_code": "US-VA", + "source.geo.region_name": "Virginia", + "source.ip": "35.192.121.42", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + }, + { + "@timestamp": "2021-03-10T22:20:12.000Z", + "cyberarkpas.audit.action": "Set Password", + "cyberarkpas.audit.desc": "Set Password", + "cyberarkpas.audit.iso_timestamp": "2021-03-10T22:20:12Z", + "cyberarkpas.audit.issuer": "PSMGw_ASR-WIN", + "cyberarkpas.audit.message": "Set Password", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "35.192.121.42", + "cyberarkpas.audit.timestamp": "Mar 10 14:20:12", + "event.action": "set password", + "event.code": "88", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 6121, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "35.192.121.42" + ], + "service.type": "cyberarkpas", + "source.address": "35.192.121.42", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 38.6583, + "source.geo.location.lon": -77.2481, + "source.geo.region_iso_code": "US-VA", + "source.geo.region_name": "Virginia", + "source.ip": "35.192.121.42", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + }, + { + "@timestamp": "2021-03-11T16:59:54.000Z", + "cyberarkpas.audit.action": "Set Password", + "cyberarkpas.audit.desc": "Set Password", + "cyberarkpas.audit.iso_timestamp": "2021-03-11T16:59:54Z", + "cyberarkpas.audit.issuer": "PSMPApp_VAGRANT", + "cyberarkpas.audit.message": "Set Password", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 08:59:54\n 2021-03-11T16:59:54Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 88\n Set Password\n Info\n PSMPApp_VAGRANT\n Set Password\n \n \n \n \n 81.32.170.205\n \n \n \n \n \n Set Password\n \n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.timestamp": "Mar 11 08:59:54", + "event.action": "set password", + "event.code": "88", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 6684, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + }, + { + "@timestamp": "2021-03-11T16:59:55.000Z", + "cyberarkpas.audit.action": "Set Password", + "cyberarkpas.audit.desc": "Set Password", + "cyberarkpas.audit.iso_timestamp": "2021-03-11T16:59:55Z", + "cyberarkpas.audit.issuer": "PSMPGW_VAGRANT", + "cyberarkpas.audit.message": "Set Password", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 08:59:55\n 2021-03-11T16:59:55Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 88\n Set Password\n Info\n PSMPGW_VAGRANT\n Set Password\n \n \n \n \n 81.32.170.205\n \n \n \n \n \n Set Password\n \n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.timestamp": "Mar 11 08:59:55", + "event.action": "set password", + "event.code": "88", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 8094, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + }, + { + "@timestamp": "2021-03-11T20:10:33.000Z", + "cyberarkpas.audit.action": "Set Password", + "cyberarkpas.audit.desc": "Set Password", + "cyberarkpas.audit.iso_timestamp": "2021-03-11T20:10:33Z", + "cyberarkpas.audit.issuer": "PSMApp_ASR-WIN", + "cyberarkpas.audit.message": "Set Password", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 12:10:33\n 2021-03-11T20:10:33Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 88\n Set Password\n Info\n PSMApp_ASR-WIN\n Set Password\n \n \n \n \n 34.66.114.180\n \n \n \n \n \n Set Password\n \n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "34.66.114.180", + "cyberarkpas.audit.timestamp": "Mar 11 12:10:33", + "event.action": "set password", + "event.code": "88", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 9502, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "34.66.114.180" + ], + "service.type": "cyberarkpas", + "source.address": "34.66.114.180", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 38.6583, + "source.geo.location.lon": -77.2481, + "source.geo.region_iso_code": "US-VA", + "source.geo.region_name": "Virginia", + "source.ip": "34.66.114.180", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + }, + { + "@timestamp": "2021-03-14T12:57:25.000Z", + "cyberarkpas.audit.action": "Set Password", + "cyberarkpas.audit.desc": "Set Password", + "cyberarkpas.audit.iso_timestamp": "2021-03-14T12:57:25Z", + "cyberarkpas.audit.issuer": "PSMPGW_SSH", + "cyberarkpas.audit.message": "Set Password", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 14 05:57:25\n 2021-03-14T12:57:25Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 88\n Set Password\n Info\n PSMPGW_SSH\n Set Password\n \n \n \n \n 34.71.250.247\n \n \n \n \n \n Set Password\n \n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "34.71.250.247", + "cyberarkpas.audit.timestamp": "Mar 14 05:57:25", + "event.action": "set password", + "event.code": "88", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 10910, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "34.71.250.247" + ], + "service.type": "cyberarkpas", + "source.address": "34.71.250.247", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 37.751, + "source.geo.location.lon": -97.822, + "source.ip": "34.71.250.247", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + }, + { + "@timestamp": "2021-03-14T12:57:25.000Z", + "cyberarkpas.audit.action": "Set Password", + "cyberarkpas.audit.desc": "Set Password", + "cyberarkpas.audit.iso_timestamp": "2021-03-14T12:57:25Z", + "cyberarkpas.audit.issuer": "PSMPApp_SSH", + "cyberarkpas.audit.message": "Set Password", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 14 05:57:25\n 2021-03-14T12:57:25Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 88\n Set Password\n Info\n PSMPApp_SSH\n Set Password\n \n \n \n \n 34.71.250.247\n \n \n \n \n \n Set Password\n \n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "34.71.250.247", + "cyberarkpas.audit.timestamp": "Mar 14 05:57:25", + "event.action": "set password", + "event.code": "88", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 12310, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "34.71.250.247" + ], + "service.type": "cyberarkpas", + "source.address": "34.71.250.247", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 37.751, + "source.geo.location.lon": -97.822, + "source.ip": "34.71.250.247", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + }, + { + "@timestamp": "2021-03-14T12:57:25.000Z", + "cyberarkpas.audit.action": "Set Password", + "cyberarkpas.audit.desc": "Set Password", + "cyberarkpas.audit.iso_timestamp": "2021-03-14T12:57:25Z", + "cyberarkpas.audit.issuer": "PSMP_ADB_asr-cyberark-psm-ssh", + "cyberarkpas.audit.message": "Set Password", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 14 05:57:25\n 2021-03-14T12:57:25Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 88\n Set Password\n Info\n PSMP_ADB_asr-cyberark-psm-ssh\n Set Password\n \n \n \n \n 34.71.250.247\n \n \n \n \n \n Set Password\n \n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "34.71.250.247", + "cyberarkpas.audit.timestamp": "Mar 14 05:57:25", + "event.action": "set password", + "event.code": "88", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 13712, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "34.71.250.247" + ], + "service.type": "cyberarkpas", + "source.address": "34.71.250.247", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 37.751, + "source.geo.location.lon": -97.822, + "source.ip": "34.71.250.247", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/8_logoff.log b/x-pack/filebeat/module/cyberarkpas/audit/test/8_logoff.log new file mode 100644 index 00000000000..55eeab9c1a7 --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/8_logoff.log @@ -0,0 +1,15 @@ +<5>1 2021-03-08T18:19:15Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 08 10:19:15","IsoTimestamp":"2021-03-08T18:19:15Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"8","Desc":"Logoff","Severity":"Info","Issuer":"Administrator","Action":"Logoff","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Logoff","GatewayStation":""}}} +<5>1 2021-03-08T18:59:23Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 08 10:59:23","IsoTimestamp":"2021-03-08T18:59:23Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"8","Desc":"Logoff","Severity":"Info","Issuer":"Administrator","Action":"Logoff","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Logoff","GatewayStation":""}}} +<5>1 2021-03-10T08:28:28Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 00:28:28","IsoTimestamp":"2021-03-10T08:28:28Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"8","Desc":"Logoff","Severity":"Info","Issuer":"PasswordManager","Action":"Logoff","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Logoff","GatewayStation":""}}} +<5>1 2021-03-10T08:28:29Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 00:28:29","IsoTimestamp":"2021-03-10T08:28:29Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"8","Desc":"Logoff","Severity":"Info","Issuer":"Prov_COMPONENTS","Action":"Logoff","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Logoff","GatewayStation":""}}} +<5>1 2021-03-10T08:28:30Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 00:28:30","IsoTimestamp":"2021-03-10T08:28:30Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"8","Desc":"Logoff","Severity":"Info","Issuer":"PVWAGWUser","Action":"Logoff","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Logoff","GatewayStation":""}}} +<5>1 2021-03-10T08:28:30Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 00:28:30","IsoTimestamp":"2021-03-10T08:28:30Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"8","Desc":"Logoff","Severity":"Info","Issuer":"PVWAAppUser","Action":"Logoff","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Logoff","GatewayStation":""}}} +<5>1 2021-03-10T09:11:33Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:33","IsoTimestamp":"2021-03-10T09:11:33Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"8","Desc":"Logoff","Severity":"Info","Issuer":"Administrator","Action":"Logoff","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Logoff","GatewayStation":""}}} +<5>1 2021-03-10T09:12:20Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:12:20","IsoTimestamp":"2021-03-10T09:12:20Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"8","Desc":"Logoff","Severity":"Info","Issuer":"PSMP_ADB_localhost.localdomain","Action":"Logoff","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Logoff","GatewayStation":""}}} +<5>1 2021-03-10T09:12:27Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:12:27","IsoTimestamp":"2021-03-10T09:12:27Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"8","Desc":"Logoff","Severity":"Info","Issuer":"PSMPGW_localhost.localdomain","Action":"Logoff","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Logoff","GatewayStation":""}}} +<5>1 2021-03-10T22:17:27Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 14:17:27","IsoTimestamp":"2021-03-10T22:17:27Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"8","Desc":"Logoff","Severity":"Info","Issuer":"Administrator","Action":"Logoff","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"35.192.121.42","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Logoff","GatewayStation":""}}} +<5>1 2021-03-11T17:38:13Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:38:13\n 2021-03-11T17:38:13Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 8\n Logoff\n Info\n Administrator\n Logoff\n \n \n \n \n 127.0.0.1\n \n \n \n \n \n Logoff\n 81.32.170.205\n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:38:13","IsoTimestamp":"2021-03-11T17:38:13Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"8","Desc":"Logoff","Severity":"Info","Issuer":"Administrator","Action":"Logoff","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Logoff","GatewayStation":"81.32.170.205"}}} +<5>1 2021-03-11T17:48:28Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:48:28\n 2021-03-11T17:48:28Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 8\n Logoff\n Info\n Administrator\n Logoff\n \n \n \n \n 10.0.2.2\n \n \n \n \n \n Logoff\n 81.32.170.205\n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:48:28","IsoTimestamp":"2021-03-11T17:48:28Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"8","Desc":"Logoff","Severity":"Info","Issuer":"Administrator","Action":"Logoff","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"10.0.2.2","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Logoff","GatewayStation":"81.32.170.205"}}} +<5>1 2021-03-11T17:49:06Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:49:06\n 2021-03-11T17:49:06Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 8\n Logoff\n Info\n PSMPGW_VAGRANT\n Logoff\n \n \n \n \n 81.32.170.205\n \n \n \n \n \n Logoff\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:49:06","IsoTimestamp":"2021-03-11T17:49:06Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"8","Desc":"Logoff","Severity":"Info","Issuer":"PSMPGW_VAGRANT","Action":"Logoff","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Logoff","GatewayStation":""}}} +<5>1 2021-03-14T12:57:20Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 05:57:20\n 2021-03-14T12:57:20Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 8\n Logoff\n Info\n Administrator\n Logoff\n \n \n \n \n 34.71.250.247\n \n \n \n \n \n Logoff\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 05:57:20","IsoTimestamp":"2021-03-14T12:57:20Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"8","Desc":"Logoff","Severity":"Info","Issuer":"Administrator","Action":"Logoff","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Logoff","GatewayStation":""}}} +<5>1 2021-03-14T13:49:36Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 06:49:36\n 2021-03-14T13:49:36Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 8\n Logoff\n Info\n Administrator\n Logoff\n \n \n \n \n 81.32.170.205\n \n \n \n \n \n Logoff\n 34.71.250.247\n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 06:49:36","IsoTimestamp":"2021-03-14T13:49:36Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"8","Desc":"Logoff","Severity":"Info","Issuer":"Administrator","Action":"Logoff","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Logoff","GatewayStation":"34.71.250.247"}}} diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/8_logoff.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/8_logoff.log-expected.json new file mode 100644 index 00000000000..57d8a3fe68f --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/8_logoff.log-expected.json @@ -0,0 +1,845 @@ +[ + { + "@timestamp": "2021-03-08T18:19:15.000Z", + "cyberarkpas.audit.action": "Logoff", + "cyberarkpas.audit.desc": "Logoff", + "cyberarkpas.audit.iso_timestamp": "2021-03-08T18:19:15Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Logoff", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "10.0.1.20", + "cyberarkpas.audit.timestamp": "Mar 08 10:19:15", + "event.action": "logoff", + "event.category": [ + "authentication", + "session" + ], + "event.code": "8", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "end" + ], + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 0, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "10.0.1.20" + ], + "related.user": [ + "Administrator" + ], + "service.type": "cyberarkpas", + "source.address": "10.0.1.20", + "source.ip": "10.0.1.20", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "Administrator" + }, + { + "@timestamp": "2021-03-08T18:59:23.000Z", + "cyberarkpas.audit.action": "Logoff", + "cyberarkpas.audit.desc": "Logoff", + "cyberarkpas.audit.iso_timestamp": "2021-03-08T18:59:23Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Logoff", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "127.0.0.1", + "cyberarkpas.audit.timestamp": "Mar 08 10:59:23", + "event.action": "logoff", + "event.category": [ + "authentication", + "session" + ], + "event.code": "8", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "end" + ], + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 540, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "127.0.0.1" + ], + "related.user": [ + "Administrator" + ], + "service.type": "cyberarkpas", + "source.address": "127.0.0.1", + "source.ip": "127.0.0.1", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "Administrator" + }, + { + "@timestamp": "2021-03-10T08:28:28.000Z", + "cyberarkpas.audit.action": "Logoff", + "cyberarkpas.audit.desc": "Logoff", + "cyberarkpas.audit.iso_timestamp": "2021-03-10T08:28:28Z", + "cyberarkpas.audit.issuer": "PasswordManager", + "cyberarkpas.audit.message": "Logoff", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "10.0.1.20", + "cyberarkpas.audit.timestamp": "Mar 10 00:28:28", + "event.action": "logoff", + "event.category": [ + "authentication", + "session" + ], + "event.code": "8", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "end" + ], + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 1080, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "10.0.1.20" + ], + "related.user": [ + "PasswordManager" + ], + "service.type": "cyberarkpas", + "source.address": "10.0.1.20", + "source.ip": "10.0.1.20", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "PasswordManager" + }, + { + "@timestamp": "2021-03-10T08:28:29.000Z", + "cyberarkpas.audit.action": "Logoff", + "cyberarkpas.audit.desc": "Logoff", + "cyberarkpas.audit.iso_timestamp": "2021-03-10T08:28:29Z", + "cyberarkpas.audit.issuer": "Prov_COMPONENTS", + "cyberarkpas.audit.message": "Logoff", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "10.0.1.20", + "cyberarkpas.audit.timestamp": "Mar 10 00:28:29", + "event.action": "logoff", + "event.category": [ + "authentication", + "session" + ], + "event.code": "8", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "end" + ], + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 1622, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "10.0.1.20" + ], + "related.user": [ + "Prov_COMPONENTS" + ], + "service.type": "cyberarkpas", + "source.address": "10.0.1.20", + "source.ip": "10.0.1.20", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "Prov_COMPONENTS" + }, + { + "@timestamp": "2021-03-10T08:28:30.000Z", + "cyberarkpas.audit.action": "Logoff", + "cyberarkpas.audit.desc": "Logoff", + "cyberarkpas.audit.iso_timestamp": "2021-03-10T08:28:30Z", + "cyberarkpas.audit.issuer": "PVWAGWUser", + "cyberarkpas.audit.message": "Logoff", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "10.0.1.20", + "cyberarkpas.audit.timestamp": "Mar 10 00:28:30", + "event.action": "logoff", + "event.category": [ + "authentication", + "session" + ], + "event.code": "8", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "end" + ], + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 2164, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "10.0.1.20" + ], + "related.user": [ + "PVWAGWUser" + ], + "service.type": "cyberarkpas", + "source.address": "10.0.1.20", + "source.ip": "10.0.1.20", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "PVWAGWUser" + }, + { + "@timestamp": "2021-03-10T08:28:30.000Z", + "cyberarkpas.audit.action": "Logoff", + "cyberarkpas.audit.desc": "Logoff", + "cyberarkpas.audit.iso_timestamp": "2021-03-10T08:28:30Z", + "cyberarkpas.audit.issuer": "PVWAAppUser", + "cyberarkpas.audit.message": "Logoff", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "10.0.1.20", + "cyberarkpas.audit.timestamp": "Mar 10 00:28:30", + "event.action": "logoff", + "event.category": [ + "authentication", + "session" + ], + "event.code": "8", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "end" + ], + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 2701, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "10.0.1.20" + ], + "related.user": [ + "PVWAAppUser" + ], + "service.type": "cyberarkpas", + "source.address": "10.0.1.20", + "source.ip": "10.0.1.20", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "PVWAAppUser" + }, + { + "@timestamp": "2021-03-10T09:11:33.000Z", + "cyberarkpas.audit.action": "Logoff", + "cyberarkpas.audit.desc": "Logoff", + "cyberarkpas.audit.iso_timestamp": "2021-03-10T09:11:33Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Logoff", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.timestamp": "Mar 10 01:11:33", + "event.action": "logoff", + "event.category": [ + "authentication", + "session" + ], + "event.code": "8", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "end" + ], + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 3239, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205" + ], + "related.user": [ + "Administrator" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "Administrator" + }, + { + "@timestamp": "2021-03-10T09:12:20.000Z", + "cyberarkpas.audit.action": "Logoff", + "cyberarkpas.audit.desc": "Logoff", + "cyberarkpas.audit.iso_timestamp": "2021-03-10T09:12:20Z", + "cyberarkpas.audit.issuer": "PSMP_ADB_localhost.localdomain", + "cyberarkpas.audit.message": "Logoff", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.timestamp": "Mar 10 01:12:20", + "event.action": "logoff", + "event.category": [ + "authentication", + "session" + ], + "event.code": "8", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "end" + ], + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 3783, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205" + ], + "related.user": [ + "PSMP_ADB_localhost.localdomain" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "PSMP_ADB_localhost.localdomain" + }, + { + "@timestamp": "2021-03-10T09:12:27.000Z", + "cyberarkpas.audit.action": "Logoff", + "cyberarkpas.audit.desc": "Logoff", + "cyberarkpas.audit.iso_timestamp": "2021-03-10T09:12:27Z", + "cyberarkpas.audit.issuer": "PSMPGW_localhost.localdomain", + "cyberarkpas.audit.message": "Logoff", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.timestamp": "Mar 10 01:12:27", + "event.action": "logoff", + "event.category": [ + "authentication", + "session" + ], + "event.code": "8", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "end" + ], + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 4344, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205" + ], + "related.user": [ + "PSMPGW_localhost.localdomain" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "PSMPGW_localhost.localdomain" + }, + { + "@timestamp": "2021-03-10T22:17:27.000Z", + "cyberarkpas.audit.action": "Logoff", + "cyberarkpas.audit.desc": "Logoff", + "cyberarkpas.audit.iso_timestamp": "2021-03-10T22:17:27Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Logoff", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "35.192.121.42", + "cyberarkpas.audit.timestamp": "Mar 10 14:17:27", + "event.action": "logoff", + "event.category": [ + "authentication", + "session" + ], + "event.code": "8", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "end" + ], + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 4903, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "35.192.121.42" + ], + "related.user": [ + "Administrator" + ], + "service.type": "cyberarkpas", + "source.address": "35.192.121.42", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 38.6583, + "source.geo.location.lon": -77.2481, + "source.geo.region_iso_code": "US-VA", + "source.geo.region_name": "Virginia", + "source.ip": "35.192.121.42", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "Administrator" + }, + { + "@timestamp": "2021-03-11T17:38:13.000Z", + "cyberarkpas.audit.action": "Logoff", + "cyberarkpas.audit.desc": "Logoff", + "cyberarkpas.audit.gateway_station": "81.32.170.205", + "cyberarkpas.audit.iso_timestamp": "2021-03-11T17:38:13Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Logoff", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 09:38:13\n 2021-03-11T17:38:13Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 8\n Logoff\n Info\n Administrator\n Logoff\n \n \n \n \n 127.0.0.1\n \n \n \n \n \n Logoff\n 81.32.170.205\n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "127.0.0.1", + "cyberarkpas.audit.timestamp": "Mar 11 09:38:13", + "destination.address": "81.32.170.205", + "destination.geo.city_name": "Barcelona", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "ES", + "destination.geo.country_name": "Spain", + "destination.geo.location.lat": 41.3891, + "destination.geo.location.lon": 2.1611, + "destination.geo.region_iso_code": "ES-B", + "destination.geo.region_name": "Barcelona", + "destination.ip": "81.32.170.205", + "event.action": "logoff", + "event.category": [ + "authentication", + "session" + ], + "event.code": "8", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "end" + ], + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 5447, + "log.syslog.priority": "5", + "network.direction": "outbound", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "127.0.0.1", + "81.32.170.205" + ], + "related.user": [ + "Administrator" + ], + "service.type": "cyberarkpas", + "source.address": "127.0.0.1", + "source.ip": "127.0.0.1", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "Administrator" + }, + { + "@timestamp": "2021-03-11T17:48:28.000Z", + "cyberarkpas.audit.action": "Logoff", + "cyberarkpas.audit.desc": "Logoff", + "cyberarkpas.audit.gateway_station": "81.32.170.205", + "cyberarkpas.audit.iso_timestamp": "2021-03-11T17:48:28Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Logoff", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 09:48:28\n 2021-03-11T17:48:28Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 8\n Logoff\n Info\n Administrator\n Logoff\n \n \n \n \n 10.0.2.2\n \n \n \n \n \n Logoff\n 81.32.170.205\n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "10.0.2.2", + "cyberarkpas.audit.timestamp": "Mar 11 09:48:28", + "destination.address": "81.32.170.205", + "destination.geo.city_name": "Barcelona", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "ES", + "destination.geo.country_name": "Spain", + "destination.geo.location.lat": 41.3891, + "destination.geo.location.lon": 2.1611, + "destination.geo.region_iso_code": "ES-B", + "destination.geo.region_name": "Barcelona", + "destination.ip": "81.32.170.205", + "event.action": "logoff", + "event.category": [ + "authentication", + "session" + ], + "event.code": "8", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "end" + ], + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 6833, + "log.syslog.priority": "5", + "network.direction": "outbound", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "10.0.2.2", + "81.32.170.205" + ], + "related.user": [ + "Administrator" + ], + "service.type": "cyberarkpas", + "source.address": "10.0.2.2", + "source.ip": "10.0.2.2", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "Administrator" + }, + { + "@timestamp": "2021-03-11T17:49:06.000Z", + "cyberarkpas.audit.action": "Logoff", + "cyberarkpas.audit.desc": "Logoff", + "cyberarkpas.audit.iso_timestamp": "2021-03-11T17:49:06Z", + "cyberarkpas.audit.issuer": "PSMPGW_VAGRANT", + "cyberarkpas.audit.message": "Logoff", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 09:49:06\n 2021-03-11T17:49:06Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 8\n Logoff\n Info\n PSMPGW_VAGRANT\n Logoff\n \n \n \n \n 81.32.170.205\n \n \n \n \n \n Logoff\n \n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.timestamp": "Mar 11 09:49:06", + "event.action": "logoff", + "event.category": [ + "authentication", + "session" + ], + "event.code": "8", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "end" + ], + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 8217, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205" + ], + "related.user": [ + "PSMPGW_VAGRANT" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "PSMPGW_VAGRANT" + }, + { + "@timestamp": "2021-03-14T12:57:20.000Z", + "cyberarkpas.audit.action": "Logoff", + "cyberarkpas.audit.desc": "Logoff", + "cyberarkpas.audit.iso_timestamp": "2021-03-14T12:57:20Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Logoff", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 14 05:57:20\n 2021-03-14T12:57:20Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 8\n Logoff\n Info\n Administrator\n Logoff\n \n \n \n \n 34.71.250.247\n \n \n \n \n \n Logoff\n \n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "34.71.250.247", + "cyberarkpas.audit.timestamp": "Mar 14 05:57:20", + "event.action": "logoff", + "event.category": [ + "authentication", + "session" + ], + "event.code": "8", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "end" + ], + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 9587, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "34.71.250.247" + ], + "related.user": [ + "Administrator" + ], + "service.type": "cyberarkpas", + "source.address": "34.71.250.247", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 37.751, + "source.geo.location.lon": -97.822, + "source.ip": "34.71.250.247", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "Administrator" + }, + { + "@timestamp": "2021-03-14T13:49:36.000Z", + "cyberarkpas.audit.action": "Logoff", + "cyberarkpas.audit.desc": "Logoff", + "cyberarkpas.audit.gateway_station": "34.71.250.247", + "cyberarkpas.audit.iso_timestamp": "2021-03-14T13:49:36Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Logoff", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 14 06:49:36\n 2021-03-14T13:49:36Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 8\n Logoff\n Info\n Administrator\n Logoff\n \n \n \n \n 81.32.170.205\n \n \n \n \n \n Logoff\n 34.71.250.247\n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.timestamp": "Mar 14 06:49:36", + "destination.address": "34.71.250.247", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "34.71.250.247", + "event.action": "logoff", + "event.category": [ + "authentication", + "session" + ], + "event.code": "8", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "end" + ], + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 10955, + "log.syslog.priority": "5", + "network.direction": "external", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205", + "34.71.250.247" + ], + "related.user": [ + "Administrator" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "Administrator" + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/98_open_file_write_only.log b/x-pack/filebeat/module/cyberarkpas/audit/test/98_open_file_write_only.log new file mode 100644 index 00000000000..f3062f7ea56 --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/98_open_file_write_only.log @@ -0,0 +1,4 @@ +<5>1 2021-03-08T18:24:50Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 08 10:24:50","IsoTimestamp":"2021-03-08T18:24:50Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"98","Desc":"Open File (Write Only)","Severity":"Info","Issuer":"PVWAAppUser","Action":"Open File (Write Only)","SourceUser":"","TargetUser":"","Safe":"PVWAPrivateUserPrefs","File":"Root\\YWRtaW5pc3RyYXRvcg==","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Open File (Write Only)","GatewayStation":""}}} +<5>1 2021-03-10T18:44:08Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 10:44:08","IsoTimestamp":"2021-03-10T18:44:08Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"98","Desc":"Open File (Write Only)","Severity":"Info","Issuer":"Administrator","Action":"Open File (Write Only)","SourceUser":"","TargetUser":"","Safe":"PVWAConfig","File":"ROOT\\PVConfiguration.xml","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Open File (Write Only)","GatewayStation":""}}} +<5>1 2021-03-10T22:17:40Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 14:17:40","IsoTimestamp":"2021-03-10T22:17:40Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"98","Desc":"Open File (Write Only)","Severity":"Info","Issuer":"Administrator","Action":"Open File (Write Only)","SourceUser":"","TargetUser":"","Safe":"PVWAConfig","File":"ROOT\\PVConfiguration.xml","Station":"35.192.121.42","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Open File (Write Only)","GatewayStation":""}}} +<5>1 2021-03-11T19:45:26Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 11:45:26\n 2021-03-11T19:45:26Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 98\n Open File (Write Only)\n Info\n Administrator\n Open File (Write Only)\n \n \n PVWAConfig\n Root\\PVConfiguration.xml\n 127.0.0.1\n \n \n \n \n \n Open File (Write Only)\n 10.0.1.20\n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 11:45:26","IsoTimestamp":"2021-03-11T19:45:26Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"98","Desc":"Open File (Write Only)","Severity":"Info","Issuer":"Administrator","Action":"Open File (Write Only)","SourceUser":"","TargetUser":"","Safe":"PVWAConfig","File":"Root\\PVConfiguration.xml","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Open File (Write Only)","GatewayStation":"10.0.1.20"}}} diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/98_open_file_write_only.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/98_open_file_write_only.log-expected.json new file mode 100644 index 00000000000..cff0fe7eb5f --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/98_open_file_write_only.log-expected.json @@ -0,0 +1,187 @@ +[ + { + "@timestamp": "2021-03-08T18:24:50.000Z", + "cyberarkpas.audit.action": "Open File (Write Only)", + "cyberarkpas.audit.desc": "Open File (Write Only)", + "cyberarkpas.audit.file": "Root\\YWRtaW5pc3RyYXRvcg==", + "cyberarkpas.audit.iso_timestamp": "2021-03-08T18:24:50Z", + "cyberarkpas.audit.issuer": "PVWAAppUser", + "cyberarkpas.audit.message": "Open File (Write Only)", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "PVWAPrivateUserPrefs", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "10.0.1.20", + "cyberarkpas.audit.timestamp": "Mar 08 10:24:50", + "event.action": "open file (write only)", + "event.code": "98", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "file.path": "Root\\YWRtaW5pc3RyYXRvcg==", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 0, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "10.0.1.20" + ], + "service.type": "cyberarkpas", + "source.address": "10.0.1.20", + "source.ip": "10.0.1.20", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + }, + { + "@timestamp": "2021-03-10T18:44:08.000Z", + "cyberarkpas.audit.action": "Open File (Write Only)", + "cyberarkpas.audit.desc": "Open File (Write Only)", + "cyberarkpas.audit.file": "ROOT\\PVConfiguration.xml", + "cyberarkpas.audit.iso_timestamp": "2021-03-10T18:44:08Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Open File (Write Only)", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "PVWAConfig", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.timestamp": "Mar 10 10:44:08", + "event.action": "open file (write only)", + "event.code": "98", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "file.path": "ROOT\\PVConfiguration.xml", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 633, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.3891, + "source.geo.location.lon": 2.1611, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + }, + { + "@timestamp": "2021-03-10T22:17:40.000Z", + "cyberarkpas.audit.action": "Open File (Write Only)", + "cyberarkpas.audit.desc": "Open File (Write Only)", + "cyberarkpas.audit.file": "ROOT\\PVConfiguration.xml", + "cyberarkpas.audit.iso_timestamp": "2021-03-10T22:17:40Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Open File (Write Only)", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "PVWAConfig", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "35.192.121.42", + "cyberarkpas.audit.timestamp": "Mar 10 14:17:40", + "event.action": "open file (write only)", + "event.code": "98", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "file.path": "ROOT\\PVConfiguration.xml", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 1261, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "35.192.121.42" + ], + "service.type": "cyberarkpas", + "source.address": "35.192.121.42", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 38.6583, + "source.geo.location.lon": -77.2481, + "source.geo.region_iso_code": "US-VA", + "source.geo.region_name": "Virginia", + "source.ip": "35.192.121.42", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + }, + { + "@timestamp": "2021-03-11T19:45:26.000Z", + "cyberarkpas.audit.action": "Open File (Write Only)", + "cyberarkpas.audit.desc": "Open File (Write Only)", + "cyberarkpas.audit.file": "Root\\PVConfiguration.xml", + "cyberarkpas.audit.gateway_station": "10.0.1.20", + "cyberarkpas.audit.iso_timestamp": "2021-03-11T19:45:26Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Open File (Write Only)", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 11:45:26\n 2021-03-11T19:45:26Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 98\n Open File (Write Only)\n Info\n Administrator\n Open File (Write Only)\n \n \n PVWAConfig\n Root\\PVConfiguration.xml\n 127.0.0.1\n \n \n \n \n \n Open File (Write Only)\n 10.0.1.20\n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "PVWAConfig", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "127.0.0.1", + "cyberarkpas.audit.timestamp": "Mar 11 11:45:26", + "destination.address": "10.0.1.20", + "destination.ip": "10.0.1.20", + "event.action": "open file (write only)", + "event.code": "98", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "file.path": "Root\\PVConfiguration.xml", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 1889, + "log.syslog.priority": "5", + "network.direction": "internal", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "127.0.0.1", + "10.0.1.20" + ], + "service.type": "cyberarkpas", + "source.address": "127.0.0.1", + "source.ip": "127.0.0.1", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/99_open_file.log b/x-pack/filebeat/module/cyberarkpas/audit/test/99_open_file.log new file mode 100644 index 00000000000..ad94c953cc7 --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/99_open_file.log @@ -0,0 +1 @@ +<5>1 2021-03-04T19:10:05Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 04 11:10:05","IsoTimestamp":"2021-03-04T19:10:05Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"99","Desc":"Open File","Severity":"Info","Issuer":"PVWAAppUser","Action":"Open File","SourceUser":"","TargetUser":"","Safe":"PVWAConfig","File":"Root\\EPMConfiguration.xml","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Open File","GatewayStation":""}}} diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/99_open_file.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/99_open_file.log-expected.json new file mode 100644 index 00000000000..431b5c10a27 --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/99_open_file.log-expected.json @@ -0,0 +1,43 @@ +[ + { + "@timestamp": "2021-03-04T19:10:05.000Z", + "cyberarkpas.audit.action": "Open File", + "cyberarkpas.audit.desc": "Open File", + "cyberarkpas.audit.file": "Root\\EPMConfiguration.xml", + "cyberarkpas.audit.iso_timestamp": "2021-03-04T19:10:05Z", + "cyberarkpas.audit.issuer": "PVWAAppUser", + "cyberarkpas.audit.message": "Open File", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "PVWAConfig", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "10.0.1.20", + "cyberarkpas.audit.timestamp": "Mar 04 11:10:05", + "event.action": "open file", + "event.code": "99", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "file.path": "Root\\EPMConfiguration.xml", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 0, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "10.0.1.20" + ], + "service.type": "cyberarkpas", + "source.address": "10.0.1.20", + "source.ip": "10.0.1.20", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/legacysyslog.log b/x-pack/filebeat/module/cyberarkpas/audit/test/legacysyslog.log new file mode 100644 index 00000000000..e454ec622b8 --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/legacysyslog.log @@ -0,0 +1 @@ +Mar 08 03:41:01 VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"no","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"51","Desc":"Retrieve File","Severity":"Info","Issuer":"PasswordManager","Action":"Retrieve File","SourceUser":"","TargetUser":"","Safe":"PasswordManagerShared","File":"Root\\Policies\\Policy-BusinessWebsite.ini","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Retrieve File","GatewayStation":""}}} diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/legacysyslog.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/legacysyslog.log-expected.json new file mode 100644 index 00000000000..14b87c8867c --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/legacysyslog.log-expected.json @@ -0,0 +1,40 @@ +[ + { + "@timestamp": "2021-03-08T03:41:01.000-02:00", + "cyberarkpas.audit.action": "Retrieve File", + "cyberarkpas.audit.desc": "Retrieve File", + "cyberarkpas.audit.file": "Root\\Policies\\Policy-BusinessWebsite.ini", + "cyberarkpas.audit.issuer": "PasswordManager", + "cyberarkpas.audit.message": "Retrieve File", + "cyberarkpas.audit.rfc5424": false, + "cyberarkpas.audit.safe": "PasswordManagerShared", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "10.0.1.20", + "event.action": "retrieve file", + "event.code": "51", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "file.path": "Root\\Policies\\Policy-BusinessWebsite.ini", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 0, + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "10.0.1.20" + ], + "service.type": "cyberarkpas", + "source.address": "10.0.1.20", + "source.ip": "10.0.1.20", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/rfc5424syslog.log b/x-pack/filebeat/module/cyberarkpas/audit/test/rfc5424syslog.log new file mode 100644 index 00000000000..f5774af5ef9 --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/rfc5424syslog.log @@ -0,0 +1,4 @@ +<5>1 2021-03-04T17:27:14Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 04 09:27:14","IsoTimestamp":"2021-03-04T17:27:14Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"7","Desc":"Logon","Severity":"Info","Issuer":"PVWAGWUser","Action":"Logon","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Logon","GatewayStation":""}}} +<5>1 2021-03-04T17:27:21Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 04 09:27:21","IsoTimestamp":"2021-03-04T17:27:21Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"7","Desc":"Logon","Severity":"Info","Issuer":"PasswordManager","Action":"Logon","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Logon","GatewayStation":""}}} +<5>1 2021-03-04T17:27:21Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 04 09:27:21","IsoTimestamp":"2021-03-04T17:27:21Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"51","Desc":"Retrieve File","Severity":"Info","Issuer":"PasswordManager","Action":"Retrieve File","SourceUser":"","TargetUser":"","Safe":"PasswordManagerShared","File":"Root\\Policies\\Policy-GenericWebApp.ini","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Retrieve File","GatewayStation":""}}} +<5>1 2021-03-04T17:27:33Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 04 09:27:33","IsoTimestamp":"2021-03-04T17:27:33Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"7","Desc":"Logon","Severity":"Info","Issuer":"PVWAAppUser","Action":"Logon","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Logon","GatewayStation":""}}} diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/rfc5424syslog.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/rfc5424syslog.log-expected.json new file mode 100644 index 00000000000..f3c5e458aef --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/rfc5424syslog.log-expected.json @@ -0,0 +1,193 @@ +[ + { + "@timestamp": "2021-03-04T17:27:14.000Z", + "cyberarkpas.audit.action": "Logon", + "cyberarkpas.audit.desc": "Logon", + "cyberarkpas.audit.iso_timestamp": "2021-03-04T17:27:14Z", + "cyberarkpas.audit.issuer": "PVWAGWUser", + "cyberarkpas.audit.message": "Logon", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "10.0.1.20", + "cyberarkpas.audit.timestamp": "Mar 04 09:27:14", + "event.action": "authentication_success", + "event.category": [ + "authentication", + "session" + ], + "event.code": "7", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "start" + ], + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 0, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "10.0.1.20" + ], + "related.user": [ + "PVWAGWUser" + ], + "service.type": "cyberarkpas", + "source.address": "10.0.1.20", + "source.ip": "10.0.1.20", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "PVWAGWUser" + }, + { + "@timestamp": "2021-03-04T17:27:21.000Z", + "cyberarkpas.audit.action": "Logon", + "cyberarkpas.audit.desc": "Logon", + "cyberarkpas.audit.iso_timestamp": "2021-03-04T17:27:21Z", + "cyberarkpas.audit.issuer": "PasswordManager", + "cyberarkpas.audit.message": "Logon", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "10.0.1.20", + "cyberarkpas.audit.timestamp": "Mar 04 09:27:21", + "event.action": "authentication_success", + "event.category": [ + "authentication", + "session" + ], + "event.code": "7", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "start" + ], + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 534, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "10.0.1.20" + ], + "related.user": [ + "PasswordManager" + ], + "service.type": "cyberarkpas", + "source.address": "10.0.1.20", + "source.ip": "10.0.1.20", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "PasswordManager" + }, + { + "@timestamp": "2021-03-04T17:27:21.000Z", + "cyberarkpas.audit.action": "Retrieve File", + "cyberarkpas.audit.desc": "Retrieve File", + "cyberarkpas.audit.file": "Root\\Policies\\Policy-GenericWebApp.ini", + "cyberarkpas.audit.iso_timestamp": "2021-03-04T17:27:21Z", + "cyberarkpas.audit.issuer": "PasswordManager", + "cyberarkpas.audit.message": "Retrieve File", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "PasswordManagerShared", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "10.0.1.20", + "cyberarkpas.audit.timestamp": "Mar 04 09:27:21", + "event.action": "retrieve file", + "event.code": "51", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "file.path": "Root\\Policies\\Policy-GenericWebApp.ini", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 1073, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "10.0.1.20" + ], + "service.type": "cyberarkpas", + "source.address": "10.0.1.20", + "source.ip": "10.0.1.20", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + }, + { + "@timestamp": "2021-03-04T17:27:33.000Z", + "cyberarkpas.audit.action": "Logon", + "cyberarkpas.audit.desc": "Logon", + "cyberarkpas.audit.iso_timestamp": "2021-03-04T17:27:33Z", + "cyberarkpas.audit.issuer": "PVWAAppUser", + "cyberarkpas.audit.message": "Logon", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "10.0.1.20", + "cyberarkpas.audit.timestamp": "Mar 04 09:27:33", + "event.action": "authentication_success", + "event.category": [ + "authentication", + "session" + ], + "event.code": "7", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "start" + ], + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 1698, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "10.0.1.20" + ], + "related.user": [ + "PVWAAppUser" + ], + "service.type": "cyberarkpas", + "source.address": "10.0.1.20", + "source.ip": "10.0.1.20", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "PVWAAppUser" + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/cyberarkpas/fields.go b/x-pack/filebeat/module/cyberarkpas/fields.go new file mode 100644 index 00000000000..2e48ca8da6d --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/fields.go @@ -0,0 +1,23 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +// Code generated by beats/dev-tools/cmd/asset/asset.go - DO NOT EDIT. + +package cyberarkpas + +import ( + "github.com/elastic/beats/v7/libbeat/asset" +) + +func init() { + if err := asset.SetFields("filebeat", "cyberarkpas", asset.ModuleFieldsPri, AssetCyberarkpas); err != nil { + panic(err) + } +} + +// AssetCyberarkpas returns asset data. +// This is the base64 encoded gzipped contents of module/cyberarkpas. +func AssetCyberarkpas() string { + return "eJy0V0tv2zgQvudXzDEF6iDPLqJDASPZoFnEiBF72+5ejDE5kohQosChrOjfF9TDiWUpTeyUJ4uP+b55j0fwSGUAolySRfuYIR8AOOU0BXDlN8f2Eabj2QGAJBZWZU6ZNICvBwDw8hmEirTkowNofgXVjRGkmFAXwC9XZhRAZE2eNTuSQsy1W1TvAwhRMzVHrcjm81ku5lK59e6rMvpB60dbmrXrquENU6tWSlNEEsZCEDPMSORWuRLGnsML/dv10g5bvIVH2zhq2T1SWRgrO2cbHMcvP8GE4GKqTQGWhLHyqBdU4CKzJiPrFHEvdqjROUrpdXQhTJ46SMihRIdDYI4iY8tddZzHtJZRiYTD0Nj11siSRkcSvD7on/CnfiJe6u6GZodOCVihzglcjA6k4kxjyYDDXhBGEvfToSdncSHJodJ7OGGWkVChErU8aOT1xcIAj1Bp2sc3lUsaOIc2IleJ7AeL0FGB5aKy5kDcq+x3kLfTFrCgJWCWaSUqeZCgiFVKcDj9/mM8EAexYed/7aN0K+MzqBTyLCMfkNxRGoCeMMl8CZ38N7q6n0z/nf/90MtJsVk4lRA7TLrq18Qkui7jLVZrCRWt29k9zNsdCI1N0MHhw80VnJ2dXX4a5Hp6fHI2+jI6vZifHAfnfwUnl/8PcOac7D5W/O5LNORMForYQGGNo+ewPYJ5rBgUQ845al1WR+vbGVmvE8lqe539/T7XRgwH3BvZNsF914iqy9D6a7D8AKgoNZYWuDQrCuD8+PJLF8qIRVVYeLtTVQJSSU99R616CTFjtHNE/7aNMByyT3OV1mHkryH7IPM3r4lF3eQGMq6ht1BdFu9rAkYS3F6/o7Rl1shcuI8s+pYyS0yp44pEgzAAvyo+ssB3SruvcG8xgsViVwN87RwCPGABPyd3vprUaWdVpFLUrwwdft2nuoTGcFDElMLP2d286hMQI4OkZR5FKo2AUlxq2hLx51PIEvJAfXD01I2hreCsnwOljixJWD4Xq64qqbFJL8k1k1BcnJ+e91JZGqMJuzQ32PyIycVUu4dL1iZqa78wSaYVMRTKxfBwc+VhBttA2RkNW3qM4UfPCzMMB+YFphX52XofwFbGOwoHm9wKWnj3fZSqnV73ru6197QUWpP4vLO0CQcF8jOVI7gxtq4rTMy+l30G53twobSGZf3YEmoQWvlUbset22k/8dq/f8qOnn+sRPyqTv28Xh213joPbExbk8kErq/h27dgMglmsybnBrPrnzyF0wtoJ6xelitKpdnZcG/oXjVAv4lWZHmvf6ZvQK8QNhx7dPArAAD//75ppq4=" +} diff --git a/x-pack/filebeat/module/cyberarkpas/module.yml b/x-pack/filebeat/module/cyberarkpas/module.yml new file mode 100644 index 00000000000..411b4945cde --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/module.yml @@ -0,0 +1,3 @@ +dashboards: + - id: eb12ef60-96f6-11eb-bbf8-d77aef8ad7a6 + file: Filebeat-cyberarkpas-audit.json diff --git a/x-pack/filebeat/modules.d/cyberarkpas.yml.disabled b/x-pack/filebeat/modules.d/cyberarkpas.yml.disabled new file mode 100644 index 00000000000..3e78f4a0f35 --- /dev/null +++ b/x-pack/filebeat/modules.d/cyberarkpas.yml.disabled @@ -0,0 +1,27 @@ +# Module: cyberarkpas +# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-cyberarkpas.html + +- module: cyberarkpas + audit: + enabled: true + + # Set which input to use between tcp (default), udp, or file. + # + # var.input: tcp + + # var.syslog_host: localhost + # var.syslog_port: 9301 + + # With tcp input, set the optional tls configuration: + #var.ssl: + # enabled: true + # certificate: /path/to/cert.pem + # key: /path/to/privatekey.pem + # key_passphrase: 'password for my key' + + # Uncoment to keep the original syslog event under event.original. + # var.preserve_original_event: true + + # Set paths for the log files when file input is used. + # var.paths: +