From 0edd90d8950c79835dcf054a1c0c5a0ab65e3976 Mon Sep 17 00:00:00 2001 From: Lee Hinman <57081003+leehinman@users.noreply.github.com> Date: Mon, 23 Mar 2020 11:59:20 -0500 Subject: [PATCH] [Filebeat] Improve AWS cloudtrail field mappings (#17155) * Improve AWS cloudtrail field mappings - sessionIssuer.type -> aws.cloudtrail.user_identity.session_issuer.type - sessionIssuer.principalId -> aws.cloudtrail.user_identity.session_issuer.principal_id - sessionIssuer.userName -> user.name - sessionIssuer.arn -> aws.cloudtrail.user_identity.session_issuer.arn - sessionIssuer.accountId -> aws.cloudtrail.user_identity.session_issuer.account_id - add aws.cloudtrail.console_login.additional_eventdata.mobile_version - add aws.cloudtrail.console_login.additional_eventdata.login_to - add aws.cloudtrail.console_login.additional_eventdata.mfa_used - copy source.address to source.ip if value is an IP address Closes #16086 Closes #16110 (cherry picked from commit 57e194beb3336e8d0d5aac038f8f1430c77a9bf9) --- CHANGELOG.next.asciidoc | 1 + filebeat/docs/fields.asciidoc | 82 +++++++++++++++++++ .../module/aws/cloudtrail/_meta/fields.yml | 50 +++++++++++ .../module/aws/cloudtrail/ingest/pipeline.yml | 67 ++++++++++++++- .../add-user-to-group-json.log-expected.json | 1 + .../test/assume-role-json.log-expected.json | 1 + .../change-password-json.log-expected.json | 2 + .../cloudtrail/test/console-login-json.log | 1 + .../test/console-login-json.log-expected.json | 53 ++++++++++++ .../create-access-key-json.log-expected.json | 1 + .../test/create-group-json.log-expected.json | 2 + .../create-key-pair-json.log-expected.json | 1 + .../test/create-trail-json.log-expected.json | 1 + .../test/create-user-json.log-expected.json | 1 + ...-virtual-mfa-device-json.log-expected.json | 1 + ...activate-mfa-device-json.log-expected.json | 1 + .../delete-access-key-json.log-expected.json | 1 + .../test/delete-bucket-json.log-expected.json | 1 + .../test/delete-group-json.log-expected.json | 2 + ...lete-ssh-public-key-json.log-expected.json | 1 + .../test/delete-trail-json.log-expected.json | 1 + .../test/delete-user-json.log-expected.json | 1 + ...-virtual-mfa-device-json.log-expected.json | 1 + .../enable-mfa-device-json.log-expected.json | 1 + ...ove-user-from-group-json.log-expected.json | 1 + .../test/start-logging-json.log-expected.json | 1 + .../test/stop-logging-json.log-expected.json | 1 + .../update-access-key-json.log-expected.json | 1 + ...out-password-policy-json.log-expected.json | 1 + .../test/update-group-json.log-expected.json | 2 + ...pdate-login-profile-json.log-expected.json | 1 + ...date-ssh-public-key-json.log-expected.json | 2 + .../test/update-trail-json.log-expected.json | 2 + .../test/update-user-json.log-expected.json | 1 + ...load-ssh-public-key-json.log-expected.json | 1 + x-pack/filebeat/module/aws/fields.go | 2 +- 36 files changed, 286 insertions(+), 5 deletions(-) diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index 051874c3b1a..0741ea61f45 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -274,6 +274,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Add `o365audit` input type for consuming events from Office 365 Management Activity API. {issue}16196[16196] {pull}16244[16244] - Add custom string mapping to CEF module to support Check Point devices. {issue}16041[16041] {pull}16907[16907] - Added new module `o365` for ingesting Office 365 management activity API events. {issue}16196[16196] {pull}16386[16386] +- Improve AWS cloudtrail field mappings {issue}16086[16086] {issue}16110[16110] {pull}17155[17155] *Heartbeat* diff --git a/filebeat/docs/fields.asciidoc b/filebeat/docs/fields.asciidoc index 8d1be818e9f..8bb5157b137 100644 --- a/filebeat/docs/fields.asciidoc +++ b/filebeat/docs/fields.asciidoc @@ -1155,6 +1155,48 @@ type: keyword -- +[float] +=== session_issuer + +If the request was made with temporary security credentials, an element that provides information about how the credentials were obtained. + + +*`aws.cloudtrail.user_identity.session_issuer.type`*:: ++ +-- +The source of the temporary security credentials, such as Root, IAMUser, or Role. + +type: keyword + +-- + +*`aws.cloudtrail.user_identity.session_issuer.principal_id`*:: ++ +-- +The internal ID of the entity that was used to get credentials. + +type: keyword + +-- + +*`aws.cloudtrail.user_identity.session_issuer.arn`*:: ++ +-- +The ARN of the source (account, IAM user, or role) that was used to get temporary security credentials. + +type: keyword + +-- + +*`aws.cloudtrail.user_identity.session_issuer.account_id`*:: ++ +-- +The account that owns the entity that was used to get credentials. + +type: keyword + +-- + *`aws.cloudtrail.error_code`*:: + -- @@ -1314,6 +1356,46 @@ type: keyword -- +[float] +=== console_login + +Fields specific to ConsoleLogin events + + +[float] +=== additional_eventdata + +Additional Event Data for ConsoleLogin events + + + +*`aws.cloudtrail.console_login.additional_eventdata.mobile_version`*:: ++ +-- +Identifies whether ConsoleLogin was from mobile version + +type: boolean + +-- + +*`aws.cloudtrail.console_login.additional_eventdata.login_to`*:: ++ +-- +URL for ConsoleLogin + +type: keyword + +-- + +*`aws.cloudtrail.console_login.additional_eventdata.mfa_used`*:: ++ +-- +Identifies whether multi factor authentication was used during ConsoleLogin + +type: boolean + +-- + [float] === cloudwatch diff --git a/x-pack/filebeat/module/aws/cloudtrail/_meta/fields.yml b/x-pack/filebeat/module/aws/cloudtrail/_meta/fields.yml index c9ed891f6d2..2d3fe16a9fb 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/_meta/fields.yml +++ b/x-pack/filebeat/module/aws/cloudtrail/_meta/fields.yml @@ -51,6 +51,33 @@ description: >- The name of the AWS service that made the request, such as Amazon EC2 Auto Scaling or AWS Elastic Beanstalk. + - name: session_issuer + type: group + description: >- + If the request was made with temporary security + credentials, an element that provides information about + how the credentials were obtained. + fields: + - name: type + type: keyword + description: >- + The source of the temporary security credentials, such + as Root, IAMUser, or Role. + - name: principal_id + type: keyword + description: >- + The internal ID of the entity that was used to get + credentials. + - name: arn + type: keyword + description: >- + The ARN of the source (account, IAM user, or role) + that was used to get temporary security credentials. + - name: account_id + type: keyword + description: >- + The account that owns the entity that was used to get + credentials. - name: error_code type: keyword description: >- @@ -133,3 +160,26 @@ description: >- Identifies the VPC endpoint in which requests were made from a VPC to another AWS service, such as Amazon S3. + - name: console_login + type: group + description: >- + Fields specific to ConsoleLogin events + fields: + - name: additional_eventdata + type: group + description: > + Additional Event Data for ConsoleLogin events + fields: + - name: mobile_version + type: boolean + description: >- + Identifies whether ConsoleLogin was from mobile version + - name: login_to + type: keyword + description: >- + URL for ConsoleLogin + - name: mfa_used + type: boolean + description: >- + Identifies whether multi factor authentication was + used during ConsoleLogin diff --git a/x-pack/filebeat/module/aws/cloudtrail/ingest/pipeline.yml b/x-pack/filebeat/module/aws/cloudtrail/ingest/pipeline.yml index ddfff12c891..eef0c339b99 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/ingest/pipeline.yml +++ b/x-pack/filebeat/module/aws/cloudtrail/ingest/pipeline.yml @@ -55,6 +55,27 @@ processors: field: "json.userIdentity.invokedBy" target_field: "aws.cloudtrail.user_identity.invoked_by" ignore_failure: true + - rename: + field: "json.userIdentity.sessionIssuer.type" + target_field: "aws.cloudtrail.user_identity.session_issuer.type" + ignore_failure: true +# userIdentity.sessionIssuer.userName is only set with assumed roles. + - rename: + field: "json.userIdentity.sessionIssuer.userName" + target_field: "user.name" + ignore_failure: true + - rename: + field: "json.userIdentity.sessionIssuer.principalId" + target_field: "aws.cloudtrail.user_identity.session_issuer.principal_id" + ignore_failure: true + - rename: + field: "json.userIdentity.sessionIssuer.arn" + target_field: "aws.cloudtrail.user_identity.session_issuer.arn" + ignore_failure: true + - rename: + field: "json.userIdentity.sessionIssuer.accountId" + target_field: "aws.cloudtrail.user_identity.session_issuer.account_id" + ignore_failure: true - rename: field: "json.eventSource" target_field: "event.provider" @@ -67,14 +88,20 @@ processors: field: "json.awsRegion" target_field: "cloud.region" ignore_failure: true - - geoip: - field: "json.sourceIPAddress" - target_field: "source.geo" - ignore_failure: true - rename: field: "json.sourceIPAddress" target_field: "source.address" ignore_failure: true + - grok: + field: source.address + ignore_failure: true + patterns: + - ^%{IP:source.ip}$ + - geoip: + field: "source.ip" + target_field: "source.geo" + ignore_failure: true + ignore_missing: true - user_agent: field: "json.userAgent" target_field: "user_agent" @@ -204,6 +231,38 @@ processors: if (ctx.json?.requestParameters.newUserName != null) { addRelatedUser(ctx, ctx.json.requestParameters.newUserName); } + + - script: + lang: painless + ignore_failure: true + source: >- + if (ctx.json?.eventName != 'ConsoleLogin') { + return; + } + Map aed_map = new HashMap(); + if (ctx.json?.additionalEventData?.MobileVersion != null) { + if (ctx.json.additionalEventData.MobileVersion == 'No') { + aed_map.put("mobile_version", false); + } else { + aed_map.put("mobile_version", true); + } + } + if (ctx.json?.additionalEventData?.LoginTo != null) { + aed_map.put("login_to", ctx.json.additionalEventData.LoginTo); + } + if (ctx.json?.additionalEventData?.MFAUsed != null) { + if (ctx.json.additionalEventData.MFAUsed == 'No') { + aed_map.put("mfa_used", false); + } else { + aed_map.put("mfa_used", true); + } + } + if (aed_map.size() > 0) { + Map cl_map = new HashMap(); + cl_map.put("additional_eventdata", aed_map); + ctx.aws.cloudtrail.put("console_login", cl_map); + } + - remove: field: - "json" diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/add-user-to-group-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/add-user-to-group-json.log-expected.json index 8d4de2e8d85..9b36d634481 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/test/add-user-to-group-json.log-expected.json +++ b/x-pack/filebeat/module/aws/cloudtrail/test/add-user-to-group-json.log-expected.json @@ -26,6 +26,7 @@ ], "service.type": "aws", "source.address": "127.0.0.1", + "source.ip": "127.0.0.1", "user.id": "EX_PRINCIPAL_ID", "user.name": "Alice", "user_agent.device.name": "Other", diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/assume-role-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/assume-role-json.log-expected.json index 5764198ad93..78ad7dc6984 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/test/assume-role-json.log-expected.json +++ b/x-pack/filebeat/module/aws/cloudtrail/test/assume-role-json.log-expected.json @@ -33,6 +33,7 @@ "source.geo.location.lon": 106.5531, "source.geo.region_iso_code": "CN-CQ", "source.geo.region_name": "Chongqing", + "source.ip": "123.145.67.89", "user.id": "AROAIN5ATK5U7KEXAMPLE:JohnRole1", "user_agent.device.name": "Spider", "user_agent.name": "aws-cli", diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/change-password-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/change-password-json.log-expected.json index d967399e83f..02532f93aa8 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/test/change-password-json.log-expected.json +++ b/x-pack/filebeat/module/aws/cloudtrail/test/change-password-json.log-expected.json @@ -25,6 +25,7 @@ "log.offset": 0, "service.type": "aws", "source.address": "127.0.0.1", + "source.ip": "127.0.0.1", "user.id": "0123456789012", "user.name": "Alice", "user_agent.device.name": "Spider", @@ -56,6 +57,7 @@ "log.offset": 720, "service.type": "aws", "source.address": "127.0.0.1", + "source.ip": "127.0.0.1", "user.id": "0123456789012", "user.name": "Alice", "user_agent.device.name": "Spider", diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/console-login-json.log b/x-pack/filebeat/module/aws/cloudtrail/test/console-login-json.log index 8ba60a6408c..457343adddd 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/test/console-login-json.log +++ b/x-pack/filebeat/module/aws/cloudtrail/test/console-login-json.log @@ -1,2 +1,3 @@ {"eventVersion":"1.05","userIdentity":{"type":"IAMUser","principalId":"AIDACKCEVSQ6C2EXAMPLE","arn":"arn:aws:iam::111122223333:user/JohnDoe","accountId":"111122223333","userName":"JohnDoe"},"eventTime":"2014-07-16T15:49:27Z","eventSource":"signin.amazonaws.com","eventName":"ConsoleLogin","awsRegion":"us-east-2","sourceIPAddress":"192.0.2.110","userAgent":"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0","requestParameters":null,"responseElements":{"ConsoleLogin":"Success"},"additionalEventData":{"MobileVersion":"No","LoginTo":"https://console.aws.amazon.com/s3/","MFAUsed":"No"},"eventID":"3fcfb182-98f8-4744-bd45-10aEXAMPLE"} {"eventVersion":"1.05","userIdentity":{"type":"IAMUser","principalId":"AIDACKCEVSQ6C2EXAMPLE","arn":"arn:aws:iam::111122223333:user/JaneDoe","accountId":"111122223333","userName":"JaneDoe"},"eventTime":"2014-07-08T17:35:27Z","eventSource":"signin.amazonaws.com","eventName":"ConsoleLogin","awsRegion":"us-east-2","sourceIPAddress":"192.0.2.100","userAgent":"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0","errorMessage":"Failed authentication","requestParameters":null,"responseElements":{"ConsoleLogin":"Failure"},"additionalEventData":{"MobileVersion":"No","LoginTo":"https://console.aws.amazon.com/sns","MFAUsed":"No"},"eventID":"11ea990b-4678-4bcd-8fbe-625EXAMPLE"} +{"eventVersion":"1.05","userIdentity":{"type":"AssumedRole","principalId":"AROAIDPPEZS35WEXAMPLE:AssumedRoleSessionName","arn":"arn:aws:sts::123456789012:assumed-role/RoleToBeAssumed/MySessionName","accountId":"123456789012","accessKeyId":"AKIAIOSFODNN7EXAMPLE","sessionContext":{"attributes":{"mfaAuthenticated":"false","creationDate":"20131102T010628Z"}},"sessionIssuer":{"type":"Role","principalId":"AROAIDPPEZS35WEXAMPLE","arn":"arn:aws:iam::123456789012:role/RoleToBeAssumed","accountId":"123456789012","userName":"RoleToBeAssumed"}},"eventTime":"2014-07-08T17:35:27Z","eventSource":"signin.amazonaws.com","eventName":"ConsoleLogin","awsRegion":"us-east-2","sourceIPAddress":"192.0.2.100","userAgent":"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0","errorMessage":"Failed authentication","requestParameters":null,"responseElements":{"ConsoleLogin":"Failure"},"additionalEventData":{"MobileVersion":"No","LoginTo":"https://console.aws.amazon.com/sns","MFAUsed":"No"},"eventID":"11ea990b-4678-4bcd-8fbe-625EXAMPLE"} diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/console-login-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/console-login-json.log-expected.json index dc6f299be05..6735d4bbe9a 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/test/console-login-json.log-expected.json +++ b/x-pack/filebeat/module/aws/cloudtrail/test/console-login-json.log-expected.json @@ -2,6 +2,9 @@ { "@timestamp": "2014-07-16T15:49:27.000Z", "aws.cloudtrail.additional_eventdata": "{LoginTo=https://console.aws.amazon.com/s3/, MobileVersion=No, MFAUsed=No}", + "aws.cloudtrail.console_login.additional_eventdata.login_to": "https://console.aws.amazon.com/s3/", + "aws.cloudtrail.console_login.additional_eventdata.mfa_used": false, + "aws.cloudtrail.console_login.additional_eventdata.mobile_version": false, "aws.cloudtrail.event_version": "1.05", "aws.cloudtrail.response_elements": "{ConsoleLogin=Success}", "aws.cloudtrail.user_identity.arn": "arn:aws:iam::111122223333:user/JohnDoe", @@ -23,6 +26,7 @@ "log.offset": 0, "service.type": "aws", "source.address": "192.0.2.110", + "source.ip": "192.0.2.110", "user.id": "AIDACKCEVSQ6C2EXAMPLE", "user.name": "JohnDoe", "user_agent.device.name": "Other", @@ -36,6 +40,9 @@ { "@timestamp": "2014-07-08T17:35:27.000Z", "aws.cloudtrail.additional_eventdata": "{LoginTo=https://console.aws.amazon.com/sns, MobileVersion=No, MFAUsed=No}", + "aws.cloudtrail.console_login.additional_eventdata.login_to": "https://console.aws.amazon.com/sns", + "aws.cloudtrail.console_login.additional_eventdata.mfa_used": false, + "aws.cloudtrail.console_login.additional_eventdata.mobile_version": false, "aws.cloudtrail.error_message": "Failed authentication", "aws.cloudtrail.event_version": "1.05", "aws.cloudtrail.response_elements": "{ConsoleLogin=Failure}", @@ -58,6 +65,7 @@ "log.offset": 658, "service.type": "aws", "source.address": "192.0.2.100", + "source.ip": "192.0.2.100", "user.id": "AIDACKCEVSQ6C2EXAMPLE", "user.name": "JaneDoe", "user_agent.device.name": "Other", @@ -67,5 +75,50 @@ "user_agent.os.name": "Windows", "user_agent.os.version": "7", "user_agent.version": "24.0." + }, + { + "@timestamp": "2014-07-08T17:35:27.000Z", + "aws.cloudtrail.additional_eventdata": "{LoginTo=https://console.aws.amazon.com/sns, MobileVersion=No, MFAUsed=No}", + "aws.cloudtrail.console_login.additional_eventdata.login_to": "https://console.aws.amazon.com/sns", + "aws.cloudtrail.console_login.additional_eventdata.mfa_used": false, + "aws.cloudtrail.console_login.additional_eventdata.mobile_version": false, + "aws.cloudtrail.error_message": "Failed authentication", + "aws.cloudtrail.event_version": "1.05", + "aws.cloudtrail.response_elements": "{ConsoleLogin=Failure}", + "aws.cloudtrail.user_identity.access_key_id": "AKIAIOSFODNN7EXAMPLE", + "aws.cloudtrail.user_identity.arn": "arn:aws:sts::123456789012:assumed-role/RoleToBeAssumed/MySessionName", + "aws.cloudtrail.user_identity.session_context.mfa_authenticated": "false", + "aws.cloudtrail.user_identity.session_issuer.account_id": "123456789012", + "aws.cloudtrail.user_identity.session_issuer.arn": "arn:aws:iam::123456789012:role/RoleToBeAssumed", + "aws.cloudtrail.user_identity.session_issuer.principal_id": "AROAIDPPEZS35WEXAMPLE", + "aws.cloudtrail.user_identity.session_issuer.type": "Role", + "aws.cloudtrail.user_identity.type": "AssumedRole", + "cloud.account.id": "123456789012", + "cloud.region": "us-east-2", + "event.action": "ConsoleLogin", + "event.category": "authentication", + "event.dataset": "aws.cloudtrail", + "event.id": "11ea990b-4678-4bcd-8fbe-625EXAMPLE", + "event.kind": "event", + "event.module": "aws", + "event.original": "{\"eventVersion\":\"1.05\",\"userIdentity\":{\"type\":\"AssumedRole\",\"principalId\":\"AROAIDPPEZS35WEXAMPLE:AssumedRoleSessionName\",\"arn\":\"arn:aws:sts::123456789012:assumed-role/RoleToBeAssumed/MySessionName\",\"accountId\":\"123456789012\",\"accessKeyId\":\"AKIAIOSFODNN7EXAMPLE\",\"sessionContext\":{\"attributes\":{\"mfaAuthenticated\":\"false\",\"creationDate\":\"20131102T010628Z\"}},\"sessionIssuer\":{\"type\":\"Role\",\"principalId\":\"AROAIDPPEZS35WEXAMPLE\",\"arn\":\"arn:aws:iam::123456789012:role/RoleToBeAssumed\",\"accountId\":\"123456789012\",\"userName\":\"RoleToBeAssumed\"}},\"eventTime\":\"2014-07-08T17:35:27Z\",\"eventSource\":\"signin.amazonaws.com\",\"eventName\":\"ConsoleLogin\",\"awsRegion\":\"us-east-2\",\"sourceIPAddress\":\"192.0.2.100\",\"userAgent\":\"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0\",\"errorMessage\":\"Failed authentication\",\"requestParameters\":null,\"responseElements\":{\"ConsoleLogin\":\"Failure\"},\"additionalEventData\":{\"MobileVersion\":\"No\",\"LoginTo\":\"https://console.aws.amazon.com/sns\",\"MFAUsed\":\"No\"},\"eventID\":\"11ea990b-4678-4bcd-8fbe-625EXAMPLE\"}", + "event.outcome": "failure", + "event.provider": "signin.amazonaws.com", + "event.type": "info", + "fileset.name": "cloudtrail", + "input.type": "log", + "log.offset": 1355, + "service.type": "aws", + "source.address": "192.0.2.100", + "source.ip": "192.0.2.100", + "user.id": "AROAIDPPEZS35WEXAMPLE:AssumedRoleSessionName", + "user.name": "RoleToBeAssumed", + "user_agent.device.name": "Other", + "user_agent.name": "Firefox", + "user_agent.original": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0", + "user_agent.os.full": "Windows 7", + "user_agent.os.name": "Windows", + "user_agent.os.version": "7", + "user_agent.version": "24.0." } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/create-access-key-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/create-access-key-json.log-expected.json index d186d96fd9c..43fa88f05f0 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/test/create-access-key-json.log-expected.json +++ b/x-pack/filebeat/module/aws/cloudtrail/test/create-access-key-json.log-expected.json @@ -31,6 +31,7 @@ ], "service.type": "aws", "source.address": "127.0.0.1", + "source.ip": "127.0.0.1", "user.id": "EXAMPLE_ID", "user.name": "Alice", "user_agent.device.name": "Other", diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/create-group-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/create-group-json.log-expected.json index 389a0c3cacd..1e07ca70e81 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/test/create-group-json.log-expected.json +++ b/x-pack/filebeat/module/aws/cloudtrail/test/create-group-json.log-expected.json @@ -28,6 +28,7 @@ "log.offset": 0, "service.type": "aws", "source.address": "127.0.0.1", + "source.ip": "127.0.0.1", "user.id": "0123456789012", "user.name": "Alice", "user_agent.device.name": "Other", @@ -61,6 +62,7 @@ "log.offset": 903, "service.type": "aws", "source.address": "127.0.0.1", + "source.ip": "127.0.0.1", "user.id": "0123456789012", "user.name": "Alice", "user_agent.device.name": "Spider", diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/create-key-pair-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/create-key-pair-json.log-expected.json index e5009e5eff7..1c66362a9fc 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/test/create-key-pair-json.log-expected.json +++ b/x-pack/filebeat/module/aws/cloudtrail/test/create-key-pair-json.log-expected.json @@ -31,6 +31,7 @@ "source.geo.location.lon": -77.4728, "source.geo.region_iso_code": "US-VA", "source.geo.region_name": "Virginia", + "source.ip": "72.21.198.64", "user.id": "EX_PRINCIPAL_ID", "user.name": "Alice", "user_agent.device.name": "Other", diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/create-trail-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/create-trail-json.log-expected.json index 215f12dc6cd..7c9bc46ca8d 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/test/create-trail-json.log-expected.json +++ b/x-pack/filebeat/module/aws/cloudtrail/test/create-trail-json.log-expected.json @@ -29,6 +29,7 @@ "log.offset": 0, "service.type": "aws", "source.address": "127.0.0.1", + "source.ip": "127.0.0.1", "user.id": "EXAMPLE_ID", "user.name": "Alice", "user_agent.device.name": "Other", diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/create-user-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/create-user-json.log-expected.json index fa4ae874868..2a0bd3b19cd 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/test/create-user-json.log-expected.json +++ b/x-pack/filebeat/module/aws/cloudtrail/test/create-user-json.log-expected.json @@ -25,6 +25,7 @@ ], "service.type": "aws", "source.address": "127.0.0.1", + "source.ip": "127.0.0.1", "user.id": "EX_PRINCIPAL_ID", "user.name": "Alice", "user_agent.device.name": "Other", diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/create-virtual-mfa-device-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/create-virtual-mfa-device-json.log-expected.json index e083f283902..e46d89a5c6d 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/test/create-virtual-mfa-device-json.log-expected.json +++ b/x-pack/filebeat/module/aws/cloudtrail/test/create-virtual-mfa-device-json.log-expected.json @@ -27,6 +27,7 @@ "log.offset": 0, "service.type": "aws", "source.address": "127.0.0.1", + "source.ip": "127.0.0.1", "user.id": "EXAMPLE_ID", "user.name": "Alice", "user_agent.device.name": "Other", diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/deactivate-mfa-device-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/deactivate-mfa-device-json.log-expected.json index fa4c622a977..34ac136cd52 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/test/deactivate-mfa-device-json.log-expected.json +++ b/x-pack/filebeat/module/aws/cloudtrail/test/deactivate-mfa-device-json.log-expected.json @@ -30,6 +30,7 @@ ], "service.type": "aws", "source.address": "127.0.0.1", + "source.ip": "127.0.0.1", "user.id": "EXAMPLE_ID", "user.name": "Alice", "user_agent.device.name": "Other", diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/delete-access-key-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/delete-access-key-json.log-expected.json index a48b71415c7..698cae731a1 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/test/delete-access-key-json.log-expected.json +++ b/x-pack/filebeat/module/aws/cloudtrail/test/delete-access-key-json.log-expected.json @@ -30,6 +30,7 @@ ], "service.type": "aws", "source.address": "127.0.0.1", + "source.ip": "127.0.0.1", "user.id": "EXAMPLE_ID", "user.name": "Alice", "user_agent.device.name": "Other", diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/delete-bucket-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/delete-bucket-json.log-expected.json index df70f16ad50..31274005d66 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/test/delete-bucket-json.log-expected.json +++ b/x-pack/filebeat/module/aws/cloudtrail/test/delete-bucket-json.log-expected.json @@ -26,6 +26,7 @@ "log.offset": 0, "service.type": "aws", "source.address": "192.0.2.1", + "source.ip": "192.0.2.1", "user.id": "AIDAQRSTUVWXYZEXAMPLE:devdsk", "user_agent.device.name": "Spider", "user_agent.name": "aws-cli", diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/delete-group-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/delete-group-json.log-expected.json index 22fb61cafcc..6e058b71108 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/test/delete-group-json.log-expected.json +++ b/x-pack/filebeat/module/aws/cloudtrail/test/delete-group-json.log-expected.json @@ -27,6 +27,7 @@ "log.offset": 0, "service.type": "aws", "source.address": "127.0.0.1", + "source.ip": "127.0.0.1", "user.id": "0123456789012", "user.name": "Alice", "user_agent.device.name": "Other", @@ -60,6 +61,7 @@ "log.offset": 747, "service.type": "aws", "source.address": "127.0.0.1", + "source.ip": "127.0.0.1", "user.id": "EXAMPLE_PRINCIPLE", "user.name": "Alice", "user_agent.device.name": "Spider", diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/delete-ssh-public-key-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/delete-ssh-public-key-json.log-expected.json index afd79ac5600..b39ab00d2e2 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/test/delete-ssh-public-key-json.log-expected.json +++ b/x-pack/filebeat/module/aws/cloudtrail/test/delete-ssh-public-key-json.log-expected.json @@ -30,6 +30,7 @@ ], "service.type": "aws", "source.address": "127.0.0.1", + "source.ip": "127.0.0.1", "user.id": "EXAMPLE_ID", "user.name": "Alice", "user_agent.device.name": "Other", diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/delete-trail-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/delete-trail-json.log-expected.json index b672da4fb73..b55a58cfc54 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/test/delete-trail-json.log-expected.json +++ b/x-pack/filebeat/module/aws/cloudtrail/test/delete-trail-json.log-expected.json @@ -25,6 +25,7 @@ "log.offset": 0, "service.type": "aws", "source.address": "127.0.0.1", + "source.ip": "127.0.0.1", "user.id": "EXAMPLE_ID", "user.name": "Alice", "user_agent.device.name": "Spider", diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/delete-user-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/delete-user-json.log-expected.json index e368aaa27cf..8d3c1a55edc 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/test/delete-user-json.log-expected.json +++ b/x-pack/filebeat/module/aws/cloudtrail/test/delete-user-json.log-expected.json @@ -30,6 +30,7 @@ ], "service.type": "aws", "source.address": "127.0.0.1", + "source.ip": "127.0.0.1", "user.id": "EX_PRINCIPAL_ID", "user.name": "Alice", "user_agent.device.name": "Other", diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/delete-virtual-mfa-device-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/delete-virtual-mfa-device-json.log-expected.json index 654c89f9a19..81eae87f97c 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/test/delete-virtual-mfa-device-json.log-expected.json +++ b/x-pack/filebeat/module/aws/cloudtrail/test/delete-virtual-mfa-device-json.log-expected.json @@ -27,6 +27,7 @@ "log.offset": 0, "service.type": "aws", "source.address": "127.0.0.1", + "source.ip": "127.0.0.1", "user.id": "EXAMPLE_ID", "user.name": "Alice", "user_agent.device.name": "Other", diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/enable-mfa-device-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/enable-mfa-device-json.log-expected.json index 3c662013a64..0692ebb0222 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/test/enable-mfa-device-json.log-expected.json +++ b/x-pack/filebeat/module/aws/cloudtrail/test/enable-mfa-device-json.log-expected.json @@ -29,6 +29,7 @@ ], "service.type": "aws", "source.address": "127.0.0.1", + "source.ip": "127.0.0.1", "user.id": "EXAMPLE_ID", "user.name": "Alice", "user_agent.device.name": "Other", diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/remove-user-from-group-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/remove-user-from-group-json.log-expected.json index c3690e2ebb1..36772d56aaf 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/test/remove-user-from-group-json.log-expected.json +++ b/x-pack/filebeat/module/aws/cloudtrail/test/remove-user-from-group-json.log-expected.json @@ -30,6 +30,7 @@ ], "service.type": "aws", "source.address": "127.0.0.1", + "source.ip": "127.0.0.1", "user.id": "EXAMPLE_ID", "user.name": "Alice", "user_agent.device.name": "Other", diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/start-logging-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/start-logging-json.log-expected.json index ce898dd8eff..d71f69eb606 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/test/start-logging-json.log-expected.json +++ b/x-pack/filebeat/module/aws/cloudtrail/test/start-logging-json.log-expected.json @@ -28,6 +28,7 @@ "log.offset": 0, "service.type": "aws", "source.address": "127.0.0.1", + "source.ip": "127.0.0.1", "user.id": "EXAMPLE_ID", "user.name": "Alice", "user_agent.device.name": "Other", diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/stop-logging-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/stop-logging-json.log-expected.json index 023f0d11d79..a313846b14c 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/test/stop-logging-json.log-expected.json +++ b/x-pack/filebeat/module/aws/cloudtrail/test/stop-logging-json.log-expected.json @@ -28,6 +28,7 @@ "log.offset": 0, "service.type": "aws", "source.address": "127.0.0.1", + "source.ip": "127.0.0.1", "user.id": "EXAMPLE_ID", "user.name": "Alice", "user_agent.device.name": "Other", diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/update-access-key-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/update-access-key-json.log-expected.json index 939fdfbe9f1..b67deb55c2e 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/test/update-access-key-json.log-expected.json +++ b/x-pack/filebeat/module/aws/cloudtrail/test/update-access-key-json.log-expected.json @@ -30,6 +30,7 @@ ], "service.type": "aws", "source.address": "127.0.0.1", + "source.ip": "127.0.0.1", "user.id": "EXAMPLE_ID", "user.name": "Alice", "user_agent.device.name": "Other", diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/update-accout-password-policy-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/update-accout-password-policy-json.log-expected.json index 89eb5f8fa63..c643a0df09f 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/test/update-accout-password-policy-json.log-expected.json +++ b/x-pack/filebeat/module/aws/cloudtrail/test/update-accout-password-policy-json.log-expected.json @@ -27,6 +27,7 @@ "log.offset": 0, "service.type": "aws", "source.address": "127.0.0.1", + "source.ip": "127.0.0.1", "user.id": "EXAMPLE_ID", "user.name": "Alice", "user_agent.device.name": "Other", diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/update-group-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/update-group-json.log-expected.json index ca6b0f783e8..4f51063cadf 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/test/update-group-json.log-expected.json +++ b/x-pack/filebeat/module/aws/cloudtrail/test/update-group-json.log-expected.json @@ -24,6 +24,7 @@ "log.offset": 0, "service.type": "aws", "source.address": "127.0.0.1", + "source.ip": "127.0.0.1", "user.id": "0123456789012", "user.name": "Alice", "user_agent.device.name": "Spider", @@ -58,6 +59,7 @@ "log.offset": 683, "service.type": "aws", "source.address": "127.0.0.1", + "source.ip": "127.0.0.1", "user.id": "0123456789012", "user.name": "Alice", "user_agent.device.name": "Spider", diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/update-login-profile-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/update-login-profile-json.log-expected.json index 19b4208c57e..44d123d3591 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/test/update-login-profile-json.log-expected.json +++ b/x-pack/filebeat/module/aws/cloudtrail/test/update-login-profile-json.log-expected.json @@ -30,6 +30,7 @@ ], "service.type": "aws", "source.address": "127.0.0.1", + "source.ip": "127.0.0.1", "user.id": "EXAMPLE_ID", "user.name": "Alice", "user_agent.device.name": "Other", diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/update-ssh-public-key-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/update-ssh-public-key-json.log-expected.json index 479fafa3ca3..fa9671014a7 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/test/update-ssh-public-key-json.log-expected.json +++ b/x-pack/filebeat/module/aws/cloudtrail/test/update-ssh-public-key-json.log-expected.json @@ -30,6 +30,7 @@ ], "service.type": "aws", "source.address": "127.0.0.1", + "source.ip": "127.0.0.1", "user.id": "EXAMPLE_ID", "user.name": "Alice", "user_agent.device.name": "Other", @@ -67,6 +68,7 @@ ], "service.type": "aws", "source.address": "127.0.0.1", + "source.ip": "127.0.0.1", "user.id": "EXAMPLE_ID", "user.name": "Alice", "user_agent.device.name": "Other", diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/update-trail-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/update-trail-json.log-expected.json index 1eb130c2a62..fec80eef8de 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/test/update-trail-json.log-expected.json +++ b/x-pack/filebeat/module/aws/cloudtrail/test/update-trail-json.log-expected.json @@ -33,6 +33,7 @@ "source.geo.location.lon": -119.7143, "source.geo.region_iso_code": "US-OR", "source.geo.region_name": "Oregon", + "source.ip": "205.251.233.182", "user.id": "EX_PRINCIPAL_ID", "user.name": "Alice", "user_agent.device.name": "Spider", @@ -71,6 +72,7 @@ "log.offset": 766, "service.type": "aws", "source.address": "127.0.0.1", + "source.ip": "127.0.0.1", "user.id": "EXAMPLE_ID", "user.name": "Alice", "user_agent.device.name": "Other", diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/update-user-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/update-user-json.log-expected.json index 81a1d43be16..ace5d1290d2 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/test/update-user-json.log-expected.json +++ b/x-pack/filebeat/module/aws/cloudtrail/test/update-user-json.log-expected.json @@ -28,6 +28,7 @@ ], "service.type": "aws", "source.address": "127.0.0.1", + "source.ip": "127.0.0.1", "user.id": "EX_PRINCIPAL_ID", "user.name": "Alice", "user_agent.device.name": "Spider", diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/upload-ssh-public-key-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/upload-ssh-public-key-json.log-expected.json index a07d6334639..bbed1e444f6 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/test/upload-ssh-public-key-json.log-expected.json +++ b/x-pack/filebeat/module/aws/cloudtrail/test/upload-ssh-public-key-json.log-expected.json @@ -31,6 +31,7 @@ ], "service.type": "aws", "source.address": "127.0.0.1", + "source.ip": "127.0.0.1", "user.id": "EXAMPLE_ID", "user.name": "Alice", "user_agent.device.name": "Other", diff --git a/x-pack/filebeat/module/aws/fields.go b/x-pack/filebeat/module/aws/fields.go index f3d84e53119..b2ac0ac3729 100644 --- a/x-pack/filebeat/module/aws/fields.go +++ b/x-pack/filebeat/module/aws/fields.go @@ -19,5 +19,5 @@ func init() { // AssetAws returns asset data. // This is the base64 encoded gzipped contents of module/aws. func AssetAws() string { - return "eJzMW91zGzeSf/df0eWXyFUkr+Kkrq50lauiZfnCjWJrRTrZfRqDQJPECgQmAEY0/ddvNYD5IGeG+iCZLB9sijPT+HWjv9EzhHvcXgLbuFcAXnqFlzD+ffoKwKJC5vAS5ujZKwCBjluZe2n0JfzfKwCAX40oFMLCWFgxLZTUS1Bm6WBhzZrIjF4BLCQq4S7DA0PQbI3lcvTx2xwvYWlNkadfOtahz4dApqIc1hmlq80lmstwZQrhLZOqutS1In32uS0/AhesUD4LS1zCgimHO5c7wTYBGxvwXhGWGWHZgd4Fv8kCPqD22QNaJ43euaPk5B63G2PF3rUDwOgzW2ETUaIPZgF+hQQwLkzo18yPOqEVDm0mBWov/bYT2r6Q28CGnciI8iQRBlS4JijcaM+kdiDQM6kcsLkpfMBLq4FZtGhNxr9CCRD8inlYM4HhEYt/FOj8AJgWsFlJvgJuMdzLlIMNWmyRKxyKEUwW4HGdG8vstvVMuGcQVihxu5XZOFiZDf3aotkiYObEJYrR3q1dStLcDZJB6+JhHWlvR8cNcUeShANjPVvesG67r6nPR9JWjBLKeM2+GQ136ExhOcJHtka4GN99fFMCzK3UXOZM7e05Z0rti7WBmnN0LrvHbSa78J0Kf1yHCMHkfUS4YS4oDngDTi51U0P7ATt0ZLQZGQZ+9b2Qu6zwqYAniyaWADSIcyP9qmEGDnlhu1QCdlWczK0yjMB6bs2DFOhA6uhryA3Vlp147KRbiY5bZB5FcLV+ZRw2l+x4tM+UmsJdL1jGCr8iKpyod979uFY8VdCQtOOBqQJBOvCW/k/iN8YHpwjGBqcWvm+I1V5inZ4piajeUKacCTLc4TVuL+sWO31+/TAGgQ+S4/+C8Su0G+lwEKNjW2Gbcg17RVormO8DH2V64IbnCJTIBCfv5Rphs8JoXW3dbUtMOle0HXHNi9QP5h5FNu/S+1O5C1qqdGyURzi0JPe+cOYKvgLWpfVQes7rq7cwLryBKWchZUsZyrVizksO75Bp55m67w77aK2xGTdif3eeno50R/0md2GRSv2Tslr0hdUu+BC6fgjfGp1jy1NCnBwGE4N+g0i5aQegJlpZzixbo0e7v2/HirQmPCBhMr0dJLdJ+u3IC0dP3hdvaqQuN9phlpz3qYGW9KvgQI6KcXrGlap+j8BXTC/RwUV0+YN2ipaTvQ9IpQUqJNOPRN5088WEkHSdqSwkvILtZP/HsjauyJMfYo3AFtPrKoRp42mzfFKaFqFS64ytRHVYpVopzLE7FANTABwTwIVEt6M44bbSgOco9bKd7TKlUMASNVrmw/PSRdI9xhzKn47c9ihL3sVf5raNLSkBisZeWeTGih41yuXRNdqjOMe3k6pQY84ZLutYHa5v3DiXV0ypFqXAwYz4PCDrNdNsGawv2sIp7QDeGaOQ6R412qyQsoiGtKWDfUOEBsJ4V58JMJEZrbpr0qO3osYqHZic9IR2hACHpYe0dH2h15+G6qXbj76kbh6Dki74j4p2KjVQgNS1aJ9bWJ6vmqtKuPHdx3bG0qjLTKE7PNqpYIzjAlSNmTLGJ2Bmo9Get+R+RDTBOVWWYsudjLVSaNVdXrKNGya/OwzILinYDOnR8HePBnKZSzL2XgEfYzB3mFukBCP6LlbLONi+RY7yIfhX6Q4Zc+IreqQstX7O52Or/JOWG4DUXBWCcuQNofZWLpdoY1jodrKx1Ig6VKg+plbMokg8nVTs//958r4RvebbZpfPGyi0/KNAtS1Vqnm9m6HUcg3CoVKEsvSYUyUv7mIe6Q0IuVigpT9iB3n3k1TAdYvkIecZapEbeWqR7O3wb7dXUC5E1hR7fymHSYVfKKsC2+0YRM97A0yHurdZtFTFV1loTX+oed1pSW+Y56tX++z9NS3p3wnLoy3pKh/jb/963FTAhmMGqRs8PLWjLvOMCWHRvdyNdCbIUnu0Gj0k6nUwCaqFtq0MqOZPl+aSvUxYN++edeDQChhHC6bZwVCGCZgzxTTHnqL4qGS/E0Czeb0DIAjp4S3c0I/v0o89Dsozu0Sfhe0ZtXOiIyGO7z6WCONCUQ/qY7VHK3TK/rCdrRyJK2hPotyK3AjcaI28P83NrfGGm/3QciSokmr3nl6svM+pUPY876n6q76LNZQgS73MvFzjyCHvRLpQhu2XQ0/RO+OZin1HqcEhN1o4cFJz3JNerOtjiS9dLeNCe6lA7kRZqjKWtCWUh8wZv0fdU5Wmi/9BbDbYoCsJIHip1M4PzjPrXWp1UP71SFfqL+aw6l41965Km3a43N3LIB4le7PfWnSRr3V3zFKm1Wt5HlfJkJo7pWEtlZKJ2UHiNsI3OWrcYYgr4/Zb5ZXnVC4jP+ZW7B7Py0d5vDG7mUK1JAmam3Ue2oF7fIHp0NIVczBH1IDOs7mSbtXHWml+cr9aP9LDTW73s4hSiWpNj6XTYx64RJgb+/KGTrcXNtaX5eix6Mhlj6rGpvPMF+64I4ZOyJEwEOG2eV40r7YNND5A8ZDs1xsb2ypfeqF/6S79nMq4zFenDtTT6Q1EuvGgT2oygv8KP1eb0JPaEKbzRGpavorWz8bFV8ahzjhaf9aMK64DtI5chBNQSM2LeCTfUIKXwndoJTuxcCNN0MV6jvbMvEjNzTqEV+UypvDUzoSKpyXa1B42i+DBwzqNiDrfdqXwpR1HrsI5V+K4PxzRN5F1tVmP5INgB+Ixf+9BYBnHY5ocnUuHMRDtq4jx5R/D8fqbHs5oteFEfIEVMtFXda2phEaR2UJROiVNxzjH0Wl7pFpvcsidClUdZgcIu+fZckEJL92TLvccwMQkCb8iL9rDGkcCT+2ukngcItgJdfWx8MXC2A2zYgAL+RXFsIwMg50Ji9Fo9GYEEw+c6XKwDRw+oGUqiqfHDi0KaZH7rLAn9iaf726Shw4ST+uEs6b434a5SgQHTt5HFpl78TFYJ7Q4DBDpljMB1WYkdAsmVRNXFdt+iIcgZ++zTH8IfUC05YDXc5ou84Lfo8+6jhuO9QpMGy05U3FmqD7jCGuVf6TDhgijJ1UL187XGYr0oyfYHzlLtka7vWRS9w8prI3HrCcZb/38FMvPc2ZjrHxycw/ajYY/bVOr9cIEBINhUM9C7053lc3us00QtECPwXlLrnLnaKJqk3efTCCrG/PdUKtD1tOKtz7UDa0vAas4DQYCuWKU+DMH00/j21F15wDurqez0c+z2W22Rr8yYlQeIobphQH8fv1uOpldH7rFWHg3nl39PHp/fXM9ux59eve366tZN+v3eOLo/Poet6+bMyh1DKbQgJpqGhFAvh6+Lt1wLSphMI6xeCq5WZhvrcaPDmtaYeVpebmLhIef7yY7HJHsK8eSJsS6oVFVl8Vi7oSdCl2s0UoecTTLzfrc+cBozwkG77orocoMr0OgvTICm/usTYrAhvPC2t5eyNajy1zf4MiLJZaKm6rHFtYJBfoA8Gt5PhtEWjeGH9BStttk4xta0+NG5v+ilMrJb92SPaYtRUSrkBvWoboraGBvVyQ8GRplZ5HkTv9rP9RKDQsllyvfOPYNac13DnK0Lqek8KFHQ31hdcasKbT40+Az31Bgl1OwbqTmW1PYxyYbF2jtqSP0TokTdPMurZOqsMfr1PB6DVseM4j1RGifHdrhmFY6WCKm2bOTF67lTNvkfdlOrCLPU4NNIjERj4WclTlxZkMMfB2y9behFMO3YZS60kb86lGLOuGCyfueBpxcauYLi+d50asiX8ppAFO5/C2gpS8/DtqvoTQzxh0n8eK8MnYnM1fI1lz/sV1G5MTc1FAF4eCGbdHCxXR686ZsidZztrg0XlZvi5D6T7tYows9nYaa5XAsc7bT6uoVjZ0F0wtm48Kvfg62Gield++JVuwG8PcC7XYaU2+67w/6u8zFL3KLQ9INFJTivXn51garioueVhbVoE6plqlRSV87hmxgr813FmuaWaZdOPyIijYt3x+5mN1M31TerKFpqW+5f9DXGH1aKLN5eoeiNVfz1B7Fb7dXQEs9qzdxFiESkg+E5MYsXblEeLdyawra7fQ2RZgYStOO8Q2LUr7SwdvqAUpLqGRkwAvnzbrviR5dOcEEZHdmHWblqsnH8nSy3IK+VrtHuzhHh7juE2j0G2Pv67UCtjgKF2ZQLFssJE/n2caKw33Xs7Rby+nCrlH3hG8A46ur69sZea676/5iWZnloWLuxUiVWS7Jk6ZSLgm33N4BfPplAB8/vR/PxiHU/jK5pe992+4802fd9XKJINrv2pJ9gVYMytysoi1daC0Gr7c1Rc9c0L3PnOVMiO6A8ZJeXc4o/A8VPqCCC2PlUmqm3pS9zfaRemKnH6Fw/k9BKKgY1DF0N2CW7uIgzoecn1FjwrAr2WH18v1JvYcr5hpP73Zr/HGBc7LgeZ4tFFue2LPMpV8zd5+KtSpwGKXMhjzO7OoWwrKX8Pan6T8/Dr7/H/pvOL76ZfD9Tx8mHwc//nQ3nXVDPt+AZZTaJUxuH34c0L//HWq46w/j0at/BwAA//+LQ/E/" + return "eJzcXN9z47Zzf7+/YicvX9+MpE4umU7HnXRG5/M1apyLa+mS9omBwJWEGgIYALRO99d3FgApUgQl25IuneohkUVy8dnF/sbyhvCI22tgG/sGwAkn8RrGf0zfABiUyCxewxwdewOQo+VGFE5odQ3/9gYA4FedlxJhoQ2smMqlUEuQemlhYfSayIzeACwEytxe+weGoNgaq+Xo47YFXsPS6LKIvyTWoc9HT6am7NcZxavNJZrLcKnL3BkmZH0ptSJ99rmtPjkuWCld5pe4hgWTFluXk2CbgLXxeG8Iy4ywtKCn4DdZwCdULntCY4VWrTsqTh5xu9Em37t2ABh9ZitsIor0QS/ArZAAhoUJ/Zq5URJaadFkIkflhNsmoe0LuQtsmERGlCeRMKDENUHhWjkmlIUcHRPSApvr0nm8tBroRYfWZPwrVADBrZiDNcvRP2LwrxKtGwBTOWxWgq+AG/T3MmlhgwY75EqL+QgmC3C4LrRhZtt5xt8z8CtUuO1Kbyys9IZ+7dDsENBz4hLz0d6tKSVp7gbJoHPxsI50tyNxQ9iRKGHPWM+WN6zb7Gvqy5F0FaOCMl6zr1rBA1pdGo7wia0RrsYPn95WAAsjFBcFk3t7zpmU+2JtoOYcrc0ecZuJFL5z4Q/rECGYfAgIN8x6xQGnwYqlampoP2CLlow2I8PAL64XcsoKnwt4smhi8UC9ODfCrRpmYJGXJqUS0FZxMrfaMDzrhdFPIkcLQgVfQ25oZ9mRxyTdWnTcIHOYe1frVtpic8nEo32m1BTuesEyVroVUeFEPXn3ca14rqAhascTkyWCsOAM/T+KX2vnnSJo452a/74hVnuJJT1TFNFuQ5m02suwxWvYXpYWO31+/TiGHJ8Ex38F7VZoNsLiIETHrsI25er3irQ2Z64PfJDpgRteIlAi4528E2uEzQqDdXV1tysxYW3ZdcQ7XoR60o+YZ/OU3p/LXdBSlWOjPMKiIbn3hTNb8hWwlNZD5Tlvb97BuHQappz5lC1mKLeSWSc4vEemrGPy8bjr8RIy/988T5JWDODPD9jwTE/TE7jhAs4lRsyoTYdNIKhSLzlm4UFrNyB39NmiGZAWPWh5xPzr0JyOsZdgWiiHRjFJ0TZy3swIm7F3iem9h7YuHWYxnf1cgrPxw6eKo7izV4xzXaqwLT5K+H0xWuLbXlIpMRxRjiMSCCC+3RbHBQMneqPs+Xe5rseM0SbjOt+32ecXY+map+nb/SJ18I8e0KArjbLej9H1Q/jWaC1bnhPi5DCYUPI0iNSm1g810soKZtgaHZr9qHWqSHeEByRMpraDqA3kty1FghBN+rLtHVJbaGUxiwHk3EAr+nWAojSNcXrGVoH+EYGvmFqihauQ8A66BWpB2Y43+RwlUuITiLxN88XyXNB1JjNf7ues1fs4lbVxTZ6yMNZI60NzobZMpR1tlotK0yFUaR25siiqwyrV8Tyn7lBIyz3gUP4uBNqW4oQAGw14jkItu7U+kxJzWKJCw5x/XthAuseYffMnkSCcZMlt/FVl39iSCmDe2CuDXJu8R40KcXKH6ijO8f2kblMxazUXu0rFX9/YcSFumJQdSp6DGfF5QNZrptjSW1+whXPaAbzXWiJTPWq0WSHVUA1pCwv7hggNhOGuPhNgeaaVTHfkTt6KHVZhQRekJ7QjBNgvPaSldxd6/anPV9J+9DVdwzFIYb3/qGnHRgvmINROtC9tq12ul1U3sMYPn7r12rNyqXPAGMfcaZcdVxKkTCpR3J214XhENN451ZZiqp0M9Zo/qLi+Zhs7jH536JFdU7AZ0qP+7x4N5KIQZOy9Aj7FYB6wMEgJRvBdbCdjb/sGOYon71+FPWTMka/gkbLY+L6cj63zT1puAEJxWeZCLWFDqJ0RyyWaEBbSTjY0WoIOlbKPqRUzmEeezir2f/88+dCIXvNt84zDaSiV+KtEua1Uqnk9zVA8cPLCYeuQpYecKnpxG/JIpyEXiwUa+iOcn7U/UQV6qoqngmeo8kKLc4tkb4d/v7+BaiGypnDyEXOY2NDwbRbPdjcG0fNOA1O+69csWurWU9Vmmv6Q5pVrZbXETOqlSOcLrwkA8bTNFsjFQnACeRMWuqN14m6+1Pkfz48Po+4iT/vgXaJ8683oA6XLVAQc5+EQH01e1nouJPbkaW1O5iFbObEwTyQNLW4o8fdaFpDBIWQVE15nMqe/QV/h88NdZwcOC3jBstIeOSi4mGjXpXQCFow7Kh13zXzyVJuefjDEM03IS0NePslq6yx9w1yrJ/h3nqX/QViOnqXXpRR/9/fjvr15F+YjhGrw8NxRAFFkLM8N2tdnAMnaNjRI0UGkvssDfVTARvumlqacP1+aS/Y6Yd29f9GkRCfXO1kwzaMXqVkOcyaZ4tjTzzqpTk8CaJ66twB4IT29gzv68X38sSe3cMws0WV+e0bdcuZEiI0edFgo6MFuHuhoc40KN+wWGifi8toTKXeSbqQkRCHvr1ALo53mej8rPBFURTW9p1cr5wrQBhwvehp2dcvUaKpthVpmTqxxZJEnkS6kZvudjOfonXZMhgNTocAi14pyK6E47kkvtORCd07YnYxL5YQE0UqQGRhc0pZQCTFn/BFVT0MpXvw/xGaDDboSAYITUrZ+sI4ZZ2OXkkqnIw3lv5nDuvHc3Lu64mlx2d5LLx4pegvXnegCX+t0zJK60yZ9GVfRkJo7pWAtpBSR2UHkNsDXBSpsMcSltvtnt7XnlDYjP2ZX7BEvy0c1lzG7m0K9JAma63XhO/l7fIFOaOmKWZgjKkDr2FwKu+pjrTI/sV+xnOjhJvf7WUSlRDtND12PYx64Qlho8/pebNoLa+OqTtKp6Mhlj+ozCeuYK+1pp4NJyIEwEOGueV41r3YNNDxA8ZDs12kTOqJ/9kL/M921sTLjolidO1BPp3cQ6IZaRCgygn/yP9eb0JPaEKbLRGpavo7WL8bFV9qiyjgad9GMK6wDtI5Y+NEtiH3HcNLdUILXwrdoBDuzcANNUOV6jubCvAjF9dqHV2kzJvHczoSKpyWaeLKjF96D+3UaEXW+TaXwlR0HrvwRdeS4PxzRtzxLtZpO5INge+Ihf+9BYBjHU/qTyaX9/KpydcT487+G4/VXNZzRasNJ/ieskOV9VdeaSmjMM1NKSqeETkyDnZy2B6q7Tfa5UynrKTwPoT2IJxaU8NI98XLP2WlIkvAL8rI7ZXoi8NiproiH6cdWqNtNdFwttNkwkw9gIb5gPqwiw6A1Gjoajd6OYOKAM1VN5IPFJzRMBvH02KHBXBjkLivNmb3J54e76KG9xOM6/piYV+2vWgQHhmZGBpl99Ql2ElqY4wl0q3GeejMiugUTsomrjm0/hPPLi/dZpj/4Fj6aajL9JU2Xeckf0WWpk8JTvQJTWgnOZBh23h1P+rX25t4CjJ5UzV+7XGco0A+eYH9iNdoa7faSCdU/X7TWDrOeZLzz83MsvyiYCbHy2c096DYavtmm1uv54SUGQ6+epWqPpVfnVBcb/umAHoN1vjfeOlWsT7jSh4rIdmdqaaj1fMR5xbubx/CtrxxWYYwdcuSSUeLPLEx/G9+P6jsH8HA7nY1+ns3uszW6lc5H1fm/HzwawB+376eT2e2hW7SB9+PZzc+jD7d3t7Pb0W/v/+P2ZpZm/RHPHJ2/e8Ttd83xsV0MptCAimqa3IP8bvhd5YZ3oso1hgk0RyU38y/m1JODhzWtNOK8vDwEwsPPD5MWRyT72rHE4c40NKrqslDMnbFToco1GsEDjma5uRsZOTCVd4aZ2XQlVJvhrQ+0NzrH5j4rHSOw5rw0prcXsnVoM9s38/VqicXipu6x+XV8gT4A/FKNVniR7hrDT2go222y8RWN7nEj8/+hlMqKr2nJntKWIqJ1yPXrUN3lNbC3K+Kf9I2yi0iy1f/aD7VCwUKK5co1JjZ8WvMPCwUaW1BS+NSjoa40KmNGlyr/ZvCZayiwLShYN1LzrS7NsaHkBRpz7gjdKnG8bj7EdWIVdrxO9e8Fs+UpM5TPhPbZohmOaaWDJWKcLDh74VqNo04+VO3EOvI8N9hEEpP8WMhZ6TNnNsTAlyFbfx2KfPjOvwNWayN+cajyXcIFkw89DTixVMyVpm+u5NRGUUW+ktMApmL5u0dLX34cdN/uaGaMLSfx6rwydCczW4rOC4mndhmRE3NTTRWEhTu2RQNX0+nd26oluhuRx6V2on7NldR/mmKNLvR0GlpDIadNlafjRjytrt8tbU+hhDfjx6Vb/extNbzk0L4nWLEdwH+WaLbTkHrTfX/R31UuflUYHJJuYE4p3tvXb623qrDoeWVRz9hVahkblfT1yHyck/Yy1jQzTFl/+BEUbVq92HU1u5u+rb1ZQ9Ni33L/oK8xtbiQevP8DkVnrua5PYrf72+AlnpRb+IiQiQkHwnJnV7aagn/j0JsdUm7HV+E8hNDcVA5vBxVyVdYeFc/EOYVt8CAl9bpdd8TPbpyhuHldGbtx1zroeXqdLLagr5Wu0OzuESHeNcnUOg22jzu1vLYwhSrn0ExbLEQPJ5na5Mf7rtepN1aDQan3lKJ+AYwvrm5vZ/5l2Zv+4tlqZeHirlXI5V6uSRPGku5KNxqewfw2y8D+PTbh/Fs7EPtL5N7+t637dYxddFdr5bwov1HV7Kv0IpBlZvVtIX1rUXv9ba67JkLenSZNZzleTpgvKZXVzAK/0OJTyjhShuxFIrJt1Vvs3ukHtnpR5hb900Q5lQMqhC6GzArd3EQ51PBL6gxfk6d7LD+V4PO6j1sOVd4fre7wx8WuCQLjhfZQrLlmT3LXLg1s4+xWKsDh5ZSb8jjzG7uwS97De9+mv73p8H3/0L/G45vfhl8/9PHyafBjz89TGdpyJcbsAxSu4bJ/dOPA/rvP/sa7vbjePTmfwMAAP//jE4gsA==" }