From 0cc29cf19f55d2373a36d2a9d29729216df11881 Mon Sep 17 00:00:00 2001 
From: vg-svitla Date: Wed, 27 Nov 2024 12:15:11 +0200 Subject: [PATCH 01/18] Feature: SentinelOne Singularity --- SentinelOne/identity/CHANGELOG.md | 8 +++ SentinelOne/identity/_meta/fields.yml | 39 ++++++++++ SentinelOne/identity/_meta/logo.png | Bin 0 -> 27937 bytes SentinelOne/identity/_meta/manifest.yml | 8 +++ .../identity/_meta/smart-descriptions.json | 46 ++++++++++++ SentinelOne/identity/ingest/parser.yml | 67 ++++++++++++++++++ SentinelOne/identity/tests/test_alert_1.json | 49 +++++++++++++ SentinelOne/identity/tests/test_alert_10.json | 34 +++++++++ SentinelOne/identity/tests/test_alert_11.json | 49 +++++++++++++ SentinelOne/identity/tests/test_alert_12.json | 49 +++++++++++++ SentinelOne/identity/tests/test_alert_13.json | 49 +++++++++++++ SentinelOne/identity/tests/test_alert_14.json | 49 +++++++++++++ SentinelOne/identity/tests/test_alert_15.json | 49 +++++++++++++ SentinelOne/identity/tests/test_alert_16.json | 49 +++++++++++++ SentinelOne/identity/tests/test_alert_2.json | 22 ++++++ SentinelOne/identity/tests/test_alert_3.json | 34 +++++++++ SentinelOne/identity/tests/test_alert_4.json | 34 +++++++++ SentinelOne/identity/tests/test_alert_5.json | 49 +++++++++++++ SentinelOne/identity/tests/test_alert_6.json | 49 +++++++++++++ SentinelOne/identity/tests/test_alert_7.json | 49 +++++++++++++ SentinelOne/identity/tests/test_alert_8.json | 34 +++++++++ SentinelOne/identity/tests/test_alert_9.json | 34 +++++++++ 22 files changed, 850 insertions(+) create mode 100644 SentinelOne/identity/CHANGELOG.md create mode 100644 SentinelOne/identity/_meta/fields.yml create mode 100644 SentinelOne/identity/_meta/logo.png create mode 100644 SentinelOne/identity/_meta/manifest.yml create mode 100644 SentinelOne/identity/_meta/smart-descriptions.json create mode 100644 SentinelOne/identity/ingest/parser.yml create mode 100644 SentinelOne/identity/tests/test_alert_1.json create mode 100644 SentinelOne/identity/tests/test_alert_10.json create mode 100644 
SentinelOne/identity/tests/test_alert_11.json create mode 100644 SentinelOne/identity/tests/test_alert_12.json create mode 100644 SentinelOne/identity/tests/test_alert_13.json create mode 100644 SentinelOne/identity/tests/test_alert_14.json create mode 100644 SentinelOne/identity/tests/test_alert_15.json create mode 100644 SentinelOne/identity/tests/test_alert_16.json create mode 100644 SentinelOne/identity/tests/test_alert_2.json create mode 100644 SentinelOne/identity/tests/test_alert_3.json create mode 100644 SentinelOne/identity/tests/test_alert_4.json create mode 100644 SentinelOne/identity/tests/test_alert_5.json create mode 100644 SentinelOne/identity/tests/test_alert_6.json create mode 100644 SentinelOne/identity/tests/test_alert_7.json create mode 100644 SentinelOne/identity/tests/test_alert_8.json create mode 100644 SentinelOne/identity/tests/test_alert_9.json
diff --git a/SentinelOne/identity/CHANGELOG.md b/SentinelOne/identity/CHANGELOG.md new file mode 100644
index 000000000..11bddf32c
--- /dev/null
+++ b/SentinelOne/identity/CHANGELOG.md
@@ -0,0 +1,8 @@
+# Changelog
+
+All notable changes to this project will be documented in this file.
+
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
+and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+## [Unreleased]
diff --git a/SentinelOne/identity/_meta/fields.yml b/SentinelOne/identity/_meta/fields.yml new file mode 100644
index 000000000..36e8acf65
--- /dev/null
+++ b/SentinelOne/identity/_meta/fields.yml
@@ -0,0 +1,39 @@
+sentinelone.identity.attackSurfaces:
+ description: ''
+ name: sentinelone.identity.attackSurfaces
+ type: keyword
+
+sentinelone.identity.classification:
+ description: ''
+ name: sentinelone.identity.classification
+ type: keyword
+
+sentinelone.identity.confidenceLevel:
+ description: ''
+ name: sentinelone.identity.confidenceLevel
+ type: keyword
+
+sentinelone.identity.id:
+ description: ''
+ name: sentinelone.identity.id
+ type: keyword
+
+sentinelone.identity.name:
+ description: ''
+ name: sentinelone.identity.name
+ type: keyword
+
+sentinelone.identity.result:
+ description: ''
+ name: sentinelone.identity.result
+ type: keyword
+
+sentinelone.identity.status:
+ description: ''
+ name: sentinelone.identity.status
+ type: keyword
+
+sentinelone.identity.storyLineId:
+ description: ''
+ name: sentinelone.identity.storyLineId
+ type: keyword
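Review bot: Every entry in this hunk ships `description: ''`, so none of the eight `sentinelone.identity.*` fields is documented for the analysts who will search on them. The sample alert in test_alert_1.json shows what they carry (status `NEW`, classification `ENUMERATION`, confidenceLevel `MALICIOUS`, attackSurfaces `["IDENTITY"]`), which is enough for one line each, e.g. `description: 'Confidence level SentinelOne assigns to the alert (sample value: MALICIOUS)'` for confidenceLevel and `description: 'SentinelOne alert identifier (UUID)'` for id. attackSurfaces is a list in that sample while it is typed `keyword` here; that is fine where keyword fields accept arrays, but worth confirming against the platform's field conventions.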
diff --git a/SentinelOne/identity/_meta/logo.png b/SentinelOne/identity/_meta/logo.png new file mode 100644 index 0000000000000000000000000000000000000000..bad66643418120e4e1dbdc385258d64188b37661 GIT binary patch literal 27937 zcmeFXWl)>Z_bwWsNb%ss358Oe0!50JAO#AfkO0A*;!@m;1-C+Jp-`X{2<}$gU5a~g zhZ0;*`a3dn=YQ|FJ9FmDoOcF3ZgGG;YE^RN7<7HRNA3U{2%Z-h+?=KpR?NlHClmpQ5 zH+?bvZQ42`!z_bG+OU>N`)r*pD>z0#80RJzJB^xOlGMADcc$4xcy9iN>iwp~5!1Le zTk&qm?%~nR)%Kymdm-1S#R_r5Uc;^c(Eok@uLb^(wE!Gr#|;Z%ZSNg1dtsS#eh>0y z-fEpg>WOtdeBrExhp3bY0y;7IW6ir}Klt7qIo$0Bh5z~~SJt2UwQ(l~b8g$zvvhz*4SXpDgnZGl!$_7bTNX)7_7O!fWG8t#1f zZA*cRbk0?YR}W^^W8ATTJI za}5CoGjs!@5Z>LGGAwmA?uasAaF?Gh#t$25Y9Pew-#kH3o)2VUn&1gs)N-9KD9F^}4+mV-5E%2#dCg=H0H$oKYI3^RnQB zE{-|Fx zFn}iv@BB7dvQwI9Jko&!_Kgc)0on(z?yO7aHRJ5p_SEM_RoePMz=DSN^Yok&C+FUao{9HW!jv{&o1$Oy6_ z!O;O1c19@#pt7^}&!1sn1bXQt6*l|3WFi!BxKK#=;|4G_U+xXu>_lTo zqW)v(KK)cov|#|F6!nqYJi_`4_V6UtI@zZ@$tx~|^;u{)Rd5t(VE^218+_Pw?2Z{% z7LPyxe;P>G6CR&7@U_UUp?TV#HG9J>P+q7tqv@(U{E4$+38XZ6-KV4oFt=qO5;<3S zW3yqNe69hd!{j~~qx}>(kWETa_!??5(fa74+gI_eHX&d> zw1k;7@-d80nzU_;aBVesh_`6-@rA0KV%n}R-R+p}3rW($9oc;r6+ku&SlrndZhyDc zOW=-4tR-tQKdKtp@k_2>wT{0mQqY;rftGp{wj^&2MqtKbuLiX}F4rvGGwDEBe?ilP z=zCPS|7mZ+tS0Y=k7vR)+ea&rR8O=>2xBl~g`GOaaBmsTo9eBIo@QI14J#BF=0cuX ziS@}!OZ`0$*ZXo&>uOqfuns}tyY~qbqW}WA^WqV>$C{_3o;W@|L+ppO?pV7i z3>uuGp4L#pR(McT*-TP$Kn#@ogXcPzq#c@p2rH3n441KnQt9@{n+4_+IZ{22siy47 ztg5Zz59~k8h!i%-FTAEwn3}3Ycv!PxXk^eb6W92^;P5}53t|KbVJ)1yN3!CW5rQAV zP{0(}y7?1fntq4Qu(f9`4-&qOuvG@&8StNdSH;r&uU{smDXkYK(b2fEV5K{nQ}ToO zD}=@qBj>ae6ue*qLmRufo_3F7BV?ff=g8cb8fLIRQFeXvfBN&Ct3yWmddK#J}wBoTRy4QVD8pv=1Y4`kS2&=iH8 z7H~2}EF6KD3&fy;WYQ6Dtd$U*OwQ)q(wFn&8Iuz3CyFXm@HbS{Xm9EfneuQ4zxF9y zgl#y}V6U?9i)VVGy!8BQ3h3;gW>2Bby=%s2@PG=4l`Zr|%ta2YI7df~!gVHB_r+|u zl|AFIb7sVS`jeX+NPy5DKvcfEB(C%v!s#X#hMAx0dz7prbJ7HZ5OH$_e!bUUxRUT4 zE^tfh>spD_b7eOX%!Wh8Ms=&t@b(U_ehErZ8%+hx_hyeSSuAKXs|ReJA7#uQ{&NWR zO%4DcROE&47D+pNreZzYH!fMeIacc-RI63K-0vc)P;4Z`6F+Pr3#HKPTx&}rb>g() z{!&OI;nuGG<*9K&RYtf4N$kVXRT}XDqD}uZL-UpE^kMTwEo>p4SW{NOR;9?4qxO&! 
zKv;peCPec}>NMJ3WNDV3Ad|=z;C8ae|86^X{Pj^Zt@SBnz5`g}`Zsi_gHAE?6?a;u z#HVkbb!pgPMIba0P$qRad>=t{E7j&mw7k_t3O(J=IzNt4Y2_q=|1yFOi%@~pRv!z~d`Owrdy5|lY1EJC9 zXKmm<5Fj3U_&nGbGR)zL@V421;cYj!F?RW9s#x^zuT%j(>KqR@OY9N>ek!Ml_Izey zEN9a;?T#KEt$9VfpwkyG9<7KEL$sYfVugm}wC)q@v|&9hBSGkS&1%WUA8=W^Bqih#8SEt4{@S$3y1D16(f)^m z@n2=K1a;AvYAl`tI{ST*A7MeE!2ksw(-}NLk5#Vli^Zdvs4(J|3;9c3JF%V*%<+_3 z6}6^WrY7wsghLsZu@*-Nv=8{_RXnG{m@=eZyt?OC#4s)&h8DI_mfhYK=BX_lpQ365 zwwxqpPG1V>V)eBv1B5Z`vZi1Zt@59}4}N3tFxyPX*xjF6W8+238w2tQ3Y|k%O?mO0 zB+|phBWFX`_y%IrRN9T6->P>QJJ>=8?=`3UNL3$c@V|Z|wQ+R?48(b~hr^EG*nTV4CFBB6Zw# zY3hjO!=`3igtXmHqV77L3*%%Q6ZTywchwlt%U=Yo)OvF)z-oqnNNn}mbDTMRoncH7 zNW=oeDAX7-()jE1L12o4PeW6`P=l?%%Vz)f@?uFU@zqW&OU$B`wF%x|efko&!UgFE zAE6{j)%m@BR&mTHm}%)Ria2C79~Wh1t5bYSC;pW-T2ARZ0?#rDGe(BdHfaN z;J*I}HT7^@L@6l%t}^|{ZP~i}GYkq^KNsZlQ`OX|!X%MdpAWnaQX3Kr_n#B?pF4hX z!UCh@-p0DI*z`-Skf!~IkYr6 z!$?c>-1ul#wi1H()}KRdf@jd!_TJtmx1Ocp*|+1|&qZ{RixtD2YP25-dQweGA=Md4 zHcabhC2@o{#IQ=`V0s912q=%uQVoCKS`D(x51BJ4T zNs_q^>Z&h#%h}Y&MIm6ZXk^DpG6wi3ke7%kBpBT*sFveCH;O8_tNgpl?*2xVzB48& zb&b0ZgSKim;2Y%ORL7QsujR6)l_t1OFa%ghsrRw**Uu?`({A~q(WuGTEcKkg!jEU} zH@4a}&p`0UXcsQ|5+79oBqAlT_uuZLrK#q}!+*1h0Z3~pF(G~@MKTa6dj`Vy5^#>I zC+*bg_x?_MrUaE_RDGic+Y>Wxva-?F7<_LF6$nt#? 
zl2f~_rh+HZWyP?_ik0I!@;vIwJmTK7#cu_U=PQ*?8H9phv5Y8*xCXa$*oAVc&r6jw* z7-1*1;XkpWK14~}mg_mr%ydhVL6ZJKq_@7@anVOhZPtdLP_}vI2V7S7UVR5UN|JTV zqM++f*R|QZje7ayjt~eh%%bckzr|-ZWL14Bw5Ar;*p+eto7^6Qe`U1-)bWdJRXz?% zYFSskAGc1}|H+ubS+r?uV=u6mQCHCf9CIOTeG+f&27i_(DarecIZPCs9;r8fJY^@~ z5%qO)9|fl^gEluuz2-hQuFk={&-NwV#@WkUt}!5k{I1g?hQxJ#yToRl3Izt2=@9=0 zM81B@s+sc{snvDB&>xJP%&E9;$%0C?)MSSbz$CVkOSPNxMkk(o?0)~1F{PZTNy!}T z-PUR9X|kVAd6jE9j9Lx%v~?VV*>aRGK^u9FKF#f$ z2V3f5*jbynMtV9(8pa0ei-+eA{IgqY1Ms3RRyfe+;EN5LEG$QPHy4{PO~uf|IQv(L zg)}}V9S%1^B$szR9PaI7k!^F&@(4y*B2I%dya&fZ-~qz%BD~v&Vx<%)0`Vy9GsLDI zJ)7*hf&Le`Bw=|-0wNUrije8W**Y(PMXLdm7-v!35%Q=r$l*T1)`#C z?)K;YWeW0g)Q$z^wOu5~`C9`Vq$EM#BS?0>cRQ%q8YQ3QLsR_oCAz;ShjA2qH1bHx zN97ffTkj-kH{7q8D!}f(n#-AJ^4P!e|8smBMeecM%fsE;P0fh6!gnA|3xswsa%Y#g z9@<6|*yggzdH*b`VUt!Jm)@Fhj8@zGPAn^zY z{U;?p>jwLzw)YfJfl>|E-wJ3KK2!x>eC)CRO(T7E|&dX-<4&%pWk*6 ze9Yj0E&J)K_*!7is+HfjOHGdXy#BCrrXYmPlaNZLF=TcmLz4rRo1s+C(58yxX@dZu zXd7Kakf};3Lr*^-e&sdr3(0Hyo76PVuy#D-O|op->Kmb%nPB-UWoI1YJT30`6M-dV zo_3Ag0W_(Ilwe66ux&i8|4K=^{NGnLF~clTOXr;Da>j~PF!Y8H`N4Luo8m zI?&?GoiwvPhAAFFdzj=lXhV3;an2epkVbPdRaEG-1+>eoS^nLl)T!=ce&b~ZE4ngc zBZzi9w(oQ}cv=^-x{({kK;UE#%j;~}cVCKO;S>0aC9xmI{C$09K8u$2>-n8-6&3Wb%>QQ2%VRDvSs6VrZB^KrY^(% zr^9ip;gZ~-Yzbl@8BqmNo}W&z@M&$+i+tpun2iHZv-pUv1w#=AD?I-t3E{pOGp!an z1S57exN&SC@0xh(i>Wkwn_kSh_>I3bGnStqK)=P&-QjK@Uy8)p=e!!^`6kaXXBP)W z6_xW(aepfoW0qAB0IYk5fDJ@wtR91Gia>Z}Djz>i7HdY)>X`v4&1ysCE1>ZK&A8iQ zo7p4a#V#~%WyiO%n)*n5V?Kspq%|yaC|TF@rhMJ4e-pX|$t{c9_M)Wl!N>hmz;(X; zxb^5adJua5Z(T$QO5Sj?iD`#saM`|np#H0crS$2?^8Fu85Hb#fYD}hZ+6;PAV_jEx z6dZ!Hi%oRkWjC48VI!t{7bO=AZfYwn1%r7CfFFRsWHblHXrI#DE)_PDZa7BBx8UgN zgTnJg(4MLoeui)DvXHL};o&kaKe8bW{w-@KIL5p;QmPLI`^8Gifwf4`I6%O1#=*B3 z%KgvaJpYEtnxZ86V-)bU@5K{=f~HJ)VKJ*e{9@(4f)|B7(e}%hYJHE1{yrA^43XSOqQWN(Wh=@^X=2bW_vXJz zZY`lm_v5ikFJ!I!Q7~K`(KmHuX&-rr;Tk3|TjujsD zkD}}X6*hB;$b+%;_ILYCp#L}vTI+$E*r(RoM^ML>9JgP%y!a*Ang5kRIonaha>UxC zZq&=JVDw}Ej{tA+>lF-s{}=kafAiYiE&EDkfK|Jgv1Mp)8M;Xh9gepRXig}&oLz15 
zkr0~MTO%*FKw}y9{I_|T{5MMM%BCq2duF(bCl0#COBt*UvI(?$oIRO6&2%j(_5Vtv z1LYW`&+YKDQEeP(vY6sfahLX%SYc7HurZimax*B%j}RP;&QQ>Y5ZNWeql~O&tDQ8( zuh&-4D^Z`bBrHOB2ca>_%=Il-drogG(0|O@=U4_gBtJ7F<^A z=Qx4-aq;KqxOMWBT z+(JsUe&0o|f=VIrqc*0VX|XN(XnLjWnHCgeq-lB5bB6kX<5V>E3+O_SxLu5r7?*xu z^BeyG_YJXCoA8_5r(4KTSBv7E2T+C$AR_T}UfNd~eD<&IWqsxyZL>^8ZSxoK$M~LB{@;W{cXQIcw%ct5DY#;0~BE`%=xyH>H81g z?8%SlVYE+QE@M@0D&o^o5DZ4M@Re9=9#gdA`r6qWiO5g-cj%)j z7YuL8#Jx+sA81siV9C3Cl;{7?VD$eU9%Y&R?%D`THx45x1;q1i}jc4_w~;>@$vnQx>bvq;sSmRQp?FjltUm`GG(n zBn^!gbRhDKgZ6k^PhFyv!2=!t;#|#oM@zkNYf<9DdH;9hi!JLe+rRQ7j;ET)1sIB^ zDIigP$n+Hr2bmk?KffogMJ2~Z39vCX3B<7_q&48)o|~Vvq0s@JVgAbuG|X7wP1hbO z%2vRXbC{5^cAu5Q`#{#YFvddsm}%R6KR&2r*H2f;*V!d{YMqKG*lokrJnz-Tj1&PMB*@ViN|#@CqS_ z(ZdEEPWF~K&MOs*9^~1ti_0q>bYNn(L6gS~h(pXmazkjwfWbzN_&v!_K}t+QP)PrGFE?` zg%8K{9LltO?<1SECu1jX05$85QRw`T`s{vDy{enzSW!01(WDhCUDoO?`IXk&Pwo70 z$#|}Ff1Xk=dyA}qLpM6a6d9UjQ%YV{kW&_Ppp##r?&PlSS06ux(~yu znFpwja$1gh3&U3_zPye0WuyHjyc2gY2^I??oAk!iCxGo%Jsat8S0l? z$smtWeI2t@gYKxIEA$f<+Cx$^Bw^=PECcCpl-@o+S9qi2n%2L9oMkNaw_-E0<-uQ# z!PNbBqgy&JUzKvauQq`tYjTQHVuub(~v8?AWmLsAK9ZZY_o zFlI5F_MD%mlDhD-EbKI$7Q4umuxEPlHe#td%-Y`c-=OKk05DwDvymp0CTK^NZ_4Jg zbiJ?~pub=Hq|Wdyp_VQO-p*L|^)q}T*-Sj?oqa9oI6QVMPl1=-!L;M%gP8hPdzGwkJYS&< zA_wiaHI}I_U8+&&hhna)9;k3^P#4!}ElE3_d``!}3~rb;ge)cVJkre_QKJAS6N{zb zz`7RrxSLM{ASa92s!PFkjz|(0i>8H93%v!8?@? z!IDCLLa4a|xg0*mFlJaCFOqQS&0W0Jk20n&1g;kYVeT!V#q&=!Pc)5RxZc&Cj2r@kmaa!TZ_&<|tt)gF9>Mt)6 z9kl`SFiJ%%KY2&E0{9;swhKL56Y?6Dee#mdmPk7+5npcyODTB(-=_CS9u!LYW1Gz6 zU*#K#vG6@|sypX(ndK(Maf&8L#c^Zp%;t_vx=z0IftG1u_qLl7D>k1$Nxv>!s``ld zm(7_?GX!kY1<#zC%#aGW8AlFO&WI1x6-B?S>~*FS^^^Kh!=D*Sgi#$>y&>Ee*`=%! 
zoNw9}cG8M`@vO*o#J*WFyGFsU)OWE^>~T5M?~x-dE=0Zn`aJzw!xTqELcbUhqh(cMD4IW7vY>2sZp5DL80P3{35=nJ;&A#%Q+t{kPY^~ z9>MWW=rezY_(J+mI6B{ae9m32QvA`Gr|u&SdkPHQPZyRO4@Pr(&|-72pj|Qw;+n6EURJ?)8{!_*@>JP^a^_9Gihuh$Z=V(h_clrppCzu}cLHYn(HAUgsZg=th z&9ppzh6jncZt&4n+eUNt937f!CklS5mlED90t1eOz-oejt8u~meS!bSGKcYT<3d*$ z-9jmO2dp|)u$NX!(FVVgAShX@135U4+#f^gJC2oyMqxVO5#nC;ABYuN8HPS%vfq&< zgD9d~y}PVTZGOZ@ZG1<5;0sf!)bKE>vLW#EE0WV@xV2|;eB$eDi+UY+3##wahW#Wg zfY;RPm9o)tR}Bq9w9N8wfyDGgWJrn^EtUV7c{Ay9Z~34$puXqhuv|MS`-JaK7;U|n zOf$9o1UKyXXAm&uHlX~Ot-wAfj}z@i4E^|(v~SkO+HkPT#k0i@Ph zJ*6ifyE27Qv&w3j=nB$C?)S6E;i!uk_E!i|QfB~bAl6JOs>hBu_0qa*4VULA10nve zdYE}5>Mp^uHE8&VVrnUBsT!W4WRH#4#mvv^(#>p6GKD`uPy$ymcKlQbg$>yBIiF-> zmv;%o>rfHw9eNIgQ`LNPX6yD4StJGRa-tWDwUUE+W@zC$>lPI9AR<(wLDd>c-pw)< ziccy^g(_+LwPxDp3@rNb0pRwwIBOxF>T9Iz3a1@mAo)$7^Q`pQnA}BuRn%K_3wH$` zg6@E_9$S_N=1IHGUyMx6t_KiViKtt%An;@4nSYK3TL2@2Hs*bdXWHSDR8fKy7_DJc zJsZqrJ5I#I?I@{VH!Kg61MXxH6k4p)@=x#k^m+iE8j>!f)U*fpP;#MHwH2-H9HdAB z>w~VS*;*(v-h=I>bjmY)p|s4OKZh@kTr0)6QsQySQkkq`x_r6s%55(s_dzC8^kXuA zyi%-X43ZgqI@-pJG9{$F_efmI%>aR^)d)&_jguis&#L%v3p1QQ$NL8}>GjKQD3Sn- zV6N=8f8`ep_k%x`4p_%4Rt~otmD3w)S2_|x&Hz$#7M=VjW(BPL3Zy4yJ{Bo@?^{AJ zeuzHhklDtpEGvDO*q_))HTZiNk*|2k_Su@UZnO7G=9P7sv(mNyvYB{! 
zd0o>t$5%i%+J74Q3(0B-6H9oE`ttQqRCv1Gq-<+CImii96yah2XG=D>qK^KD@*B(s zq2bUGz6m>%DtD5p@|czYi#n%$SEI#;I@W{t0>CpYG>i%-+!~pjEsEz~Kcm>=_)Zlo z+;swok^i=I7T){gDf4@8g(YS(y>~sxTe0UnP5eKqw`l#@P@`W<$$>3owH#FH~a1cRHjF*E=@#i0wE7@Y%3X%&1BDo)a~QSoZ1%a zHu~u@QVDvZI82zyYwZ2;r6QNYhY5&duMjO&k^Uw-vYqjDf@V}bbL-ggip9|+y1!DA z3!aFBJ?JJPkPX+ZcO{~3=U@?`>wd{LXkjEqHO2MYBwh?(K6(e7UlB5q@@$ zp)Yavmms!m#^UX~v97Hlq$vwwv)?11T0i_}cdpvBZ^3>RXX(I*e2dSr`+0GWEi3sq zNjG6R9t${Io_}BF;AFGq;o0*d;4zhCIf3u+2gu&D)D7ZlQ)TrT73t)=?qB-ePUQuV zEp@a6HtrwU4@Bf^r>?7k>o$*b{Bc&+KNsEnk?xMoJSoMe4%FSxc)rurH|-wjpH#sV z81($s=200Id{~G{A5$f9T9`NoC+qP^B`aH?Foug-e2e6k@3CBcl2PQGMJd8M23<=5 zQu-ZV2HziyhAle`G$`I@Cf^zxzyAvPWcI0LCNcv#=_(%Kou{QSu33F~nQbTz2_F5@ zv)?f9?_<6`?Qx~Sdo`XR{1tJHk5<$9gU@0!Dw$f%9;gJ>ojQHT^JnQXL;KegkG^qI z3|DbXcqitzC3BDx!v}M(TqtGU8z%?&;sk!>HpXCm*;4EV6vs6>oo%u*7;97@he*>_ z{bmBX^@a2QO}^NkNvR*3zb6?4B8Y%<03=J1P6(b!aVRus?$)9@B5~m@3pLNbHZj_1 z(!KIuRPz~VD2!W5Yoi46w4oEn-G}{$(>mrsde9jS(dB>zmuFyk*u0Ny~o;)S;-B8#KI%}V!3X_j&DvCe21=C0fkTh z?8`kIGpc5Mp&Qbd*g90S^OImQr?jN9c|&<=`YRVF_Wa^`_ov&Um#8u2=DDVJ<_}f^ zBHr`T0jB>=S#qJ}(b?GSvu~S+8E4W~F~O;XvO>i9>wD6D ztF*qsA6z2HE^;;EWre}Kgw6|_PBWWMy_?O_mB)DzBlO~^3d7oD1P)fxLPS2>v>_Ku zpp`!VNy|geZtNbtoe~DVK%g*{T2@66DA0CQX6ESV4twM#U0ih##~ z?c5#uqsy8E*lOi|oT1}nFD|yshV3sdO=JHZ7ZW;@gqPFBO8ajLh96z@wl1D&<$tT@ zN0?9qDXV7r(VKrs4VC4E@3MdT9Pq)UXUC{N<80orHX4CLhaPH^rcN(@L%`Jkws=6i zN4g9Uq(nc$@Gyj~PD9fiNSrCq>+pA8?q;&TjbFTOHmpUUpZuQ$#y8HFZz zJ#OV?Wq=+x6L9QlgCBT;=3nkEm5`n)Y9w#?EZ*li_jmjrHy{p%X*o@_fQD^{VQmtE z7JY9GU5g=$=w!kWGr(_&qUpq!)GpT{bl?u-$Mc>;UoK-r-}OLT2O`q7yuJ~=MmLeM zKZbG}3kR@dH~*)2Lz2JiTfG#qxIUkfmO}?dbk?t8iAJq_4dnA^C(6U z=I@qkoFPZU9GB6PWw=)*;VeIXmL5;fNP8WKIeppuV1&L5RZRSx&x^Em(|euf7=;9$nb z0Gq$#r>fV%O%Bw>#CJ5tUgS%;3dfuXyGJP*e5f3ZC>uYMn3_VuGP}Nein=9;&(5&w z<`$Q|2t=A@o8|Qg>b?ulP@7B5&Z<8jk5@;!;qc?w*qAnYS4-yyU#|5fz9=;lj!sAP z>g*7K&aF#nR&J5}b{9t^^;XMp^Oi zs_>iXb#72!zInj|-l>&<$|MUa8u{c`a!3-D~P zl?bTjFu&P1dTh_}rigpeCUA0})PxOsEBft?^!NJW_Zrc0am$Nt>3i5O9&6nM>i&Rb 
zHra}}mgP%&OM+8X*_ZhuKc_I1t{)jerP;HO9H&W_YV7AEz?)>1N4y(g?BPj_j34 zYn~bOr^5RB`lM;h3~j&~-a)|D71ql7(3nQcTk0x7X`AI{KSd9V@dvA|=uAAy5smGV zany%Dd0Vtw7a3ay6D4b8ZUZvdI=qAGPo;k@Gl3Zs(JNluv(&iJS@A@7`X+cXw!TS8 zNJwC<@XAQ-NHl~@`FAi%y0i~}xJGwP4)&~@O}yFf>J6R*^uzCbjCVep0PDw5zXA@- z=@4`F#+XHK_`HN4J&V{3$H-A(OFkh0a5xpdE`_a}jUGD+RjI$54A6)QAd(NLOJw8) zdRcHLH}v!~GMo`L{x~HaL#}%*y$9T<4p}M&-Kw^1|9YP_qGolg_?Ah`<$Id_*QJ9N zE8bpqiffhcw-UUdhg7Af_f2UBEbxdRB^ULWyhGlPTh+dbT|U7%-n!S;-T@tEo=aR> ze~&;F>09ggfD5DUI|QP^!PImW47}3h{mf-(RUC@=5zOp)JUBRb&}1{e)Z}9YSQt?8 ze0UBj0x_X}X z6aC~9H2ey8rD2AApi-5mWPH2wX$bh(1;*6nF%SjAu!uxPpx)|N=i)sTpll~wJ~(9lLWHcGI-G2_dZde_o< zSl`8+N5QTwSE)$1uP53B(S}tK`MQ2g#xb31rA41ztNBGp%JEr0CS?6tAh?a%!!a9D zy4gX=RoCirXcZcP*jgTjl;axdpJjNi@}E?4=BPZVVp^Au_lPa5)c^q8?ZQUZRi{U# z#}7fDlyem{PNc-k)$hCKc#@Ty{LRhRvtrj;o$2#A>3e1?twu6lX~QgzsGE--(vbJA z8)va=3p2r+6N0|oPpmpII*&f&y&^J^dFPbxdW~X$uKt)%1NF_fs;bD`^zYKV!aX&#cqajxq9z;(jemW&heBN9LvG|-txm%8YO zK{$XOP^JQPq)2d7RabwgBR{}AQR(e8EnkaWGgomH2QcGd<|Ccyt>kz=H`*U9HPs5u zEq8WyJ}D8{ib(CjP{QZ8 z12P79^q<7_Jky#isQ!kGL_{NZ7Y-L21GG>x86M)8Kfvu~S4#r5o{_O#CnOIu( zgiyN_tTJt=BYA=&F%gm9$&{X>{pD8=h@Fki?tXoJy&^X^cY2c-YV$F4ksY)LXaxqr zL#tn2)6M5aE^=N=7J9EWxa~Fj4e-=*f5TUBSdOKmuQ<$S5Cqgz{_I7z;Lk;q_Yln^d#kjl0O_f%;;iF*wrR0-ix zy*q$za3@g*sVpe~K;Hua+yGRuE`yMUX?^C`)m7>e=zSW18J~hYpp!{}XcOlqXI4-E zM%i!p%?&?cKm!^jMzw3LXrDy9G7m5XxyV38FypVTt~3=_|GKhl-Ua$|e(U@7BHR z9;NPj)c_SJpK9K3?b^M|=f<5+-vyK^7%|6d2HiSsulBJ?Zxo-_I~#cPT^qACn-@3D zUEJ~26vm*X#9mlbA-~+TH)^5&WG#AlMeG}V|KfB0LR<=j}njK(!h#q55;kgqe>VF!v=(DeSXj&HzQ zb#)PxuIRqk(jMSfD~%xbr-vr$k1nb0m@_6c*&ou#GVwZ&jjSv!{g>_1UYYp%-a5pt zNhpFdh*#7G<{~CD3s(o~`7aXM*F#d+$ReKiI7<~FNm^HzABfOq{QG?5MnuLC3!oUw zAo)kh1h$8EggS%H9)$qpHRJNdgTL;@70yxg$3i8FPMWn=VPgGh9z)tw8;MyORHzoG@RpaM zUds0ww2u4BPiPVywAav;q#_J*`7w8v)VH2C9T&|=)n>~)GqatlK+R`ygL_EqELF{# zupqeOrS9-I>qAGDw}?$2ihL3j8TP%nx@%x`loUX3`+*-QwqV{^FtGoO^HK;_@y= zfC*jH8V}^Wj<1;l5z2*_)IG)iPOG?nkAL-D0Q0|krRSTe zAm#wA@o_+Ne{o`BLiBa9+zM)0LaDBY`r2&M%aJcaS6&3x#R;o6J+NUvq{7s7inJ|jBs(}b(8YAF0us!M+y*x1kF 
zdb#XPO_+ncl5~Dm*S$T((7u$!7vjtehf_mCG3VtsqLRp$K9{!}&M9zVOnAq#=GF%z z;llB{3$V(wLz3?_owQ~j73`@CXZstRCwa?M=BrtSuR_Ph{*2IeDHR9SoQjbaUg`J3 zM-;6E$e7yO7j8ESLM}d+mzQhORtK=LOCIIkxF7Y2$4@8Mye$G9)>*_Y1F?c{`^sL( z6#3G}Iy0M+u49UJV|3o$HT+4)d6k&txU;?%p#u$xSqox|p7eMX?<)fgLp;G1&!hhE zJ%S+_9U~sEpdf+z+rk0HXvyzXdBY!R_ctA*HE4qV3@4t4PfFY06sR6ZRhGO?iypJ*>`t-$JZ{H1!aGtvSD2Rd$rL zUaiC8hn3c#D;2&bAwb{&Z=+qGyH%!N&DD^jzo0kzO#{>Sv!^|Y0T%kc?%d4{@wqJsw?uOnxChc>810Lm`Ky@g3--Gs1rULS<00QnTKf z$L21nJj_N63azo(_54_|iYzD3`{|IGnRXFNFZPjWZ|=94=D7!p%e#e`#Z|AR`sSm6 z0v=or8YU(qk@fCo#*nt)kIW&?^rE4LlQscqQEd|^&9+n*&+E)Ng|9@u8hEakNcuP! zObv^h_oFiK5`Jq@%F-B{n^P#p(fd7QVEK5QHP{abNJ~F>$jQm6^E3_9pkM$Jz2W<+ z?wj$n<9mqwJru+E@2xvUJeM3%DLQevdLwwF{*>&3D!~fF^D%P{^yQVtIEpdj{EjkU zwwUdUsv+*m`)UX6$x=X_iG#yo<3(MMq{H>FN3-S`!NR}HgRt?i37oFj+FOsw{U!^T zfZG$}Gymzc_nlh6^@-&?&E$8jF;o3)kTb^jQ5DmYn<;dD(I_@mGNK!0%yNMvviVC- z%T(B7&diU&_&M|2(my^cYB7Si+I-)+?&kipJ-f5uF4qmxyeWz;Pg^ zgw&Vg^Zb=8w7z?vdsA7>7`!V1h>nT*Mrel2Nav*Xv4?Klt;xyhX`R(foKL*}?UUzd zxMZj;lH8T$#+OjX_L<<9r$nr$gyC(9k%|SL_Ln4RT#)Y=>Q|KCvf}_h)O5baXLj^n zG`=;aUVx^Df_&=L&-E+d%G1u(T2;2Bts~VuJ>IkN=bW2~+ZGW$tD^3w9G$|Yg+6&w zH6BMxU(m{hD9|cJ-_ISCFf+DGT>#%gnuD%PfZS7a@91G&QR9O5TX1_v_7?xO5sY8# zVhO&C;AJilopLR(_v+2aE0%+st*V9xZ?qr%hH;D6n!+ivY*XCSc`-m;^ziQhTmwSc zlA87EZZ&Pzx{E6uI?_6OmoYdpk3pB8843y%mjs$BXM3JfO0#hCK8iQ%S;}O1;@4Dt zo--xdAu!#F*W3D*j4znJR2#eER1>^BivNkKbS%5>T967j=#H9#1xU95HSSi%?Th85($flQD$a z&ns}cmc5JU+#C4FwcYqraA#=e%ZGtBXfC=yv9=T40z_sO{2GFIb)r-8*%Bn+Urq}>e&&S(LmZ<^;+j3hN>B)fg1)pda8VYL zJ-|qqZMq&%hC2QeT(bA;JqKe;=AQUP8Ev!s#o=O)oGpgI)Gn97*fa)gcrHvcymHo; z@Momph@6#oxj38fAA>_cDff`$`%ltP<)@kE(flD0W|$Hh?5S(_KfghDROWf(FV|Bq zq#$+$$$~JimhFe3{g%1A;-Rfji%Q)d8F3gg`=oB{K}EQdP_y_(Tgu4ZeSz*G<9(+D zXMZu`WR||~VHx<|rM0|yJUwQcOmJ9Ro9tH2Yl+-oT3^%4Pe@3oA<)_46{stMwc%8l z!-s+M1ZqQuN&thL|GF?~HufGLtK>W=#);r{{0z6hoZq=WweTeKzk8$mZ zTZ=xJpI#2|zV;itakmn`tB;6?H~;{~!pL*Hb4#&`(4&K6YM#*2wjUq!qXq48Q~|k< z|7+WnEidY}-bhQW0?t?_=@L1)4%ewUvwAyTYehb}LFa%yucaEwqx_GN5{i%BW=f>I 
zQq?ICO{NvKP;@ylIGEk5usiruZu@TApp)AmRvBz8r_ND9v2s!DWA3=%PCzZp2;$Wwv$SQebAKg*mX%_r{&24*q!iaT zwTBLui}~omw!z_7mbZf6uO>A<@(+?s7B20`F}Trj-Ei>u=s*aaYKdUgS1i4RXlQu3Py>+O3`PE+-apzNOZpJQenJHp62oLg*j4ep9O96xxy~OO*~uO z7I{ic8zUDqC)2q;R@yAK7!rSmh5~=hp?*D_`UP}7Zbn`^6WmZDD&ImGaM|P&s*VG& zjg2RE#euW))|m(RoO+OLT|JlAeBAd0^H_TH;?-lapXf+8i0>h%@m72a~cbRR_(Y`9jEyMiv}spPsQ|@;g;i@+R-C^Ci^X~ zC60%!T3_bL`x2idG8xCVtuM@W)d@c?paaNoeyz%VEYJbzQqO*!xY!~-a zAB#ZY1{29xrdP22`w<@Qg>s*VX3eqtuR8WgCyBoSiLK**GE8?uIWbb;HzTjCZs%st zp-+2~NSx?>0U#?_W0U1;?|a0N%}*bRFUJ$l3j&}oDKzVE5`P#cx36i@6MuI+wYnt{ z5{Eq%K5SZ`@uEIaN#hnX+`u*3Il{bZ=MA_n$j`1Awa%^RA>Yk$Km6M=W|v0yhV9n~ zU9YBcsUDdO)je;8iPO6rc`wa~^zE z06^EET7dZ2{$`TlNhN4}qAZ^0wDpOZahCST&`3*Gay#N#y3=bHPwVYv27wX8eOMZC z7-h@1;U7n1)|Hm{F_?kKrG(+jXD{a*#!(q;ru{B{LWGC4ww9J}j=H}qv;A6@{c$Nj zs&m&d{G{cOx?`g50^e+1I;h_yZ|$A+Ta$0t#z&)w zfTRL~pdc+FAgQD@0wYFucZ?2cP(r0k8a76ch9M!LgdiX}q^15k>LV*<{ZuS%em_vfSOCwcsD4ul?*MdN;$reRd^%-+W%5Ouje8DO7O^sYW6Fvy`9+v z4^(B6dHb$Duvgnz1-m4Q5n(^BuNP364y`Z%E}tnUC&b|>QRFx}7J+2JfP>l)7=o&8 z^|AwP2$+q!x9*=i^yz1VGu^cH{rP6C#%yRQ%wQouKeSub9tVi3SeF#%e|&A9`eNql zo7ihb4&U_~Ph_2*=+}?s32&e9o|;2C(J{WeX4C%gs~v=___&_z=TRV3`JW}Teqd$5 zfwKc+*QPO!*;m?BBnBc&cjH?5O$PAv!j3=T!kRD7=iP6?yRMKgKvNa+mrP);Na?17 zQUtBy#)>f;^2|^?JUlk9+Zp~61yh?o&wa$`TscFR;!Al#2hy$_G}`@idT?q0D)|9< z=1>W$j88*x>iI&~uR<36{sA=z43e8_#9)R>-V8|IF@?94V+eRbq=oJ^RTa!jVo77Z$5-M zN}j*WJ3>>uLU6plpK?=K>>3cQnMrnB|LpIggQ>NWkdCJy5bAsk7_#eiBfYTFY z1ild1?1J4T<&Rpuu~Zg9N($!t&)*-DY?vpK2Gd$H$TZKc!d8--vF-Yg3H1&`ZnZ>R zx>o80iK_?a=VpnCZuZ6+p*!Al7X_sbH|`3A&@-tT2zWhz+tz~iSHjcDw7E3RFj5$r zP!(P_lac#Yrgmu`-&>_~zE{rj9XugAnkdSNXJ*-%3@lCktTq2*tQ(T&$2RCPdL@I2 z`55lTj50pQpbM1xA=yP6efsBA2&gj=#=-mt#2#U)lRM2Y`I}eI*BbL&K(|-evY>sA3ok+|Rf!RIku2Wwq_a_kg)s zo?K5zwi*rbl^D;g0iVtU?czOyGqXGgWlo=p8}LIgRtbG!Ki_E{-%8(diIm8hTM~qv z$oHRgOg^c|vM(--HUwrk^sRbkW@3vZ4_eq8KG=yh0?m>2qb+Z>la)um5%UKh1DNle za}WLd_o?Rx_Z8NSseS&#l>GWwbCbA2CiME>kruKBjNthx!e?x^4anH!^jhc3A0+^r zFEI>SnAY^+eq$mATY#4$Z#kt!MZz|!*y(0aPOcvQQdsyz7u;Dpg#{w1yq(XN4V^I@ 
z-#Z2wg88!EZY2#>%H~S>uCzn<{``usED#u-p>~o|ErboE3d}$>{ZF++x}( zzvuVfH!lUJjlrmCxhc86?wBV)$>ooAZC;$#tDg3{Y{xm%WV-nUc{(+t^7=eA@rUhC zVLKX&;(io+@PD1_f!=pJw-5jJY7|IHY-N<92;X=VC_z0q_a=c~OMl_%fzOPpkcb+X z2j4J2-yJd`O+amd_gW&aYYsA>eoe`WCZqGVHZ(L0-)$LOuZQ00Sx$QtHKX-RS7N<1 zR5tBxS7B}bWW6gO_Y;JpguZ_rXY5pP)H3FmG(c*;l`Ngy#ud)RsL2{SQ$;;VVwQz? z7mn*!tjNyQ6-bc$Lyfp`cS}qD`4mw^+aNeUD#+rKw_&#w|8=9;kDwA_#vT@Tjpb>) zRLmE1nfsk4MS;B18gb)sef%EL57FfvvI9S1BklDlWE?n<;4=RvA8z}FG_{P*?LY*~ z=R7bzKCXvwP5f}uI6=is)rjy>m#o~GQN5u6&u0kZ<{iJ{^Rl9+7-Ig$gF&@4tbAvW8%*B!O6J*?B=du;hcM&I3K_Ff|w;swd_8}=b?1&JqhkjaY_aS z^b5LqqpZl%_ep#s+KzsH=k4S($7FJSO!Srxoe(Tl>dLq?DMBK#M%#FM>l84ae2xW6 zp_m)~l(5D3Ce^=mxYQm*1XV(krt0m+_#@%3t$#VI9cCfDz`n76gP8ppik*H+K zZT{&e1F;ZF_OQj%royE^r%gQn(F^jhxzku}uleB^)h81=o&&abH#avU3k#nBhUrTO ztyS2pvm#JhTbCz4VMDnze%uxJU?$njgD!n?m*T!!wo5Kext(#s>Q?|$LOc)9-~2$J zl5x0h_K73HbY^??{QYxo_^lX@w(n#A3o*$=Q{nc|sU>|rEnYev#!e3=lJY!1$jI!d zp!ESG4yBEh&LqC_uN0To_Uup37b#XFmgr8{JH;_VFSlct|NKHsuPAEc-jpYEv5n=Z zm!{Zt944C6-y?_n zLJfAMj6jeh2xocL#OAui?^hwkSLcM&Pvzp?^hTlMVpNS`7hCzse!qkr$cuGf`y~+XjoRjjqn#-C)99m z8M3AqQI)TC(M*bcSxhz+jw0W>M*`hO0s(=gJsw{lxUpm6r^ZHL+V2)oi1Ek==*ZtCmP7Vx%voClFzk>~;A@zp-8k&1Vm7bVp zwtAyNyID-Z7P&RtoR6*0p@kx)?1un@1=cHPl2>q==-zK`i(~U;tGYj*EN7-((^y_| zsbd_@yOIPm^LEkq3trq4l#(*>?k82Ysj9k8J`F+MfSI+y5HOy8>2}sOBWMA%W`7L0 z+Y|&pKNALOBKjSQ6%zqvYFX4%=D|19@{YAJzpHH+x_V$>U?v_M2O2N!M`f%{ijTGz zL3Ot^kX?aIklgxA3Z2zZB%K;DsKPP8F|)oOMidL_y!A2~snMOan0^Elb#tAH=-UMc z0&xG~p~uwW@aso(9K4r60sCA)k(DPbs?6%vR*ZIu?xoijY|B5wn7ntsZ$zNl_r0=V?h4HC~F`m!%3q8|bd3n=qBX`B$Jhn8o$WOF*-NU9&WkpEwzQPvY_8N*( zG2y+S!&SrJ^#(8NVFXn=0Gc6rclk#&S(D3by(4aL5Qldn^?Hmp^&P9Z8t2{m_a^s` z{5y_D6%V8V<{V8(m%+lX=snpyaJ}HIGD)lRs zYCmnc`j`?*7N0>w&39cjqfYA+Jj=f;-kjbwt4F)C^$^rGwQUW}iF4t`nS!$qfbk#- zOU}`jD2Xsl38qd{JzBPn4(9mZqS4hE+|-KPM5K(a6Gg*gty`68OvmQ6KkUdMJif6E z#EaQ?YPp#K=IQWTBnj&N@-8TaNlT{NbFJtFDgS-F#5)rs`u_Cn?y7k1HR>;X?lWn7 zT2Zo(dt4UWUxX-?dTp4`x@z2eHnopejC8XNqn#7)*f~d=ZXbO}4|_1}lBhaB2D$2z 
zl}!7YT%pw2g6}=1$wLVXg~@~(KXIgHnII~;slp0;{UMsh~K&-`Vej(cb#qwE+PP#&bs zb1}b#>3~R<#OJp(Y2%0$@=^X4yv`rHLg^v{UT|}8`WCOf<&5V)4_>>~a~dPBb5d08 zY9VmO^y776a)PQy!RXt<%>XWv zdgbi>;Rg=^`$AGEOWl)BjUmR4R{BQ}qr2R1E&{19x^lnL0zE*dL9bQ9iSCtuAHc|T z20?Y#ZHeE1b-5z|?(9_N+a|BfY^2?i6WPKohFDVE-d{40v1SCl=>YAc?KZv#pzSgT0+TKY(#tiSCHSsFfDQhGSeCZ(!cVUPD zmxGLr%*N>7snNu;p8Y`31bv_hdsmSdjJ!z#c01iDdi$3N6)lu5?^l$4F_RqnYb0uA z)8eDncvVFpwFA>DIR4BjjH{D1VS57Q#`)OT5+UcrNo+`7Vm~pX#i1+vlI?;V;o4z{ zNX34A+U*oAcYzuH$6R2kAd-1%(NH(B*RzlX7%1Wse~HhKJ`y35dP2UG&!*}>X3`V< zn^{7_LZrrmylfZc?v%6>*#-UNb`vV4=2PGZnt25KtxV8}Q?rn9Vj^(vUC9pmWjoZA z&~9K>?i5CiLwUKj98+wL(>$w#`v{8jlJIE>#dV4qg5f|!- z?!bG!&&gB$YWAc9eDs8uEzI0=$|TVJ$^fy)4na4d6$%7CDm~X*w=Y%exbxyy9-WRb zgT>2leLtbD4o@`rCaTq7P0syyx6ht7Jv*4vS&f?}MIN6h&98aA>RVu-!^hUTHCCdD zx=DCyyd!2#i}?0M1O@9%6^6~Nr^ZezUP*sm`h4TN?pvwnG?Wp%Lr!d{k(rY-pGM}@ zk6%L0`*4LCiFPhuU#xL0;!Acl(+UT7p)^DP$NuP?LREvG6>k ze}?s8{KPH?^$>J#xWs%BE{f1zfMD+qc+yRZ(8!)$T#{#4LDFbuh73%Z$yY8oXs&_KH@IPhIh zdw`j#4rlAV+$Xg(e_GdWf-aVXvfe(X{QB2wi2ENLaHcdUF0V&-hdI!KE5jU z69wuV9TahcS1W1n4P0mI*ZD{QXmz2tj4yFBfTd}=2h!dmk{VOve11dsj7T;+e{qp< zWG$A6ct)aIRsoebxaj9HpWb4P?o#KRpXO#me{j)XX;4x_z#H{< zY<&2t=erEe>v@7I-`(lOnYc=`%XxFy8Oz!AuCQLw2<$oBPaF*PTiq=6q=@y*CwJ`Osqa6D`9Bb`1XbFAxvl z{@njYK;y;q(h3|Q5$*#1H9ygH`$4m*oDS(MCpt%Hm3EzM0=ZRI~$3JWWe#{G{8D>t^9mm7Udcl=A zlbX3nKEO?lP7+>yJq&+2^Gc9$P#CYHaB=^|i!nz(<2Pr)JdBx8NkI`>i}+>FrA%lN zYQR0yyPjz&3R+1Xd7`8gn=-P&oosr=2zpIky{8~aocA^|x~pQ}@A4*tv$I6h=o+df zlp3ro@j29*bMDjIr;qQZ&ftFxTuEp?cQK+2YYx+xIN_&$>-qc++h$-sv>Jmo-vhTp zXcPP0D)s{Omu;n;G|}3>!e|HQ!>z`yOSg(ayQ?g>{}NY^#JyUtH$TF9AlRkHV(`@~ zi6Ln~ppPxOgov_nYH~cdaI|OaKrEGz@;mqiwX>oTej$P8R~%CtWY_VL0!0Mz73H~J z!+9T4)s&T#v$JU{Vbd453uHTU$dAU;e8Z_b*&%9&EE?|I{=EQrXO!m<6FKd~A3ZH9 z{b7pgjYsG@nD{vQKeMURK@%=D*8U*eATW4W1?Mqn&y4_6$dcibbbA7+-C&7iYuC!P7 zx8dgAZ*1WH*1&KUh;N;Ojp@WmXvlVHM$`VwV<~qLG1Q?jXmB0hreXHkn0=b^*|{Hc z80FjNBNsvpo$e$#_1ub>)nW7xe)97t14*68H0!qSm!rVNm}dN1$o^z@oI~l@wUM&I zDJ(1;=3vhVNn2{zoVjcINpFt<& 
zFEOF7fYTul#(_YV2GrE-+vc>D0?MLdz|w1ZwsNh&A^5!Ko?Z|3gC1|cb~41o40HaU zOi5#?(_BIqk$YapBikmKrCyfZsRi)9uHKezNLUU8$RFnoT~DeeOTVqE3vHOcyY_JZ zUbv$pNPlFsHB5`6pEnqLWyIQ-n~ z(~hJP_QuG~04-It)@|Feg1uvbr|C-)m?fOt=1(30!Dgv!!Y{^dBNwC{>%vlb< z=z^niGIP*ZSUN(UHAT7P!O~3NR2c-Y{x8{%*SWnuA$-T=pzeOR6ve7OIDiliS?HUlH}tC-BqPk?zCQ(&vJ9{Bf9 zMORmsQw!iRq+W^o4gUs~ru3L3B2t6JACZ1V+FN@@jT}_u5@=0P^*8XJ&kmB-p{7n& z3mkH9{eD>oLY#5%+}E)#qu?i;xp>a+Pk5s3+1sB*i6ZGeV_jd zIS6*<6a2JOWHS!5_tWM^8EM5}xJIRGR=;gEv+uDI&v{=2q_HcO zl#T(odO$OXnl^hGGO(`^hCLC!Ve~608}+h2AOPCF9XCl?S&Eqcr0lO94SfHuIlAs8OH$jq zQdV%)W!@UP1{0;kqXRjF55y<3@CA{uZN@D#ebr9s)HYWug3bw{9lX80!w&6*=#haa z$ucM~TlHBv9FHH>Yd-?;deuQ(-tWaaT734!w`A^;QRdHmQ^M@++a zM5Y|kRyDLAj1B{K2>XP=;*5X_OR9jUtjUCQS_J$57Qo0c4K4f7i5OE~1wi!av9UVl zU0rTJ@jhWN6?>HC`q1y=i3UKgILuuLxK*<$1?{~p$@fb$^VB%^AAR|~TRhR15_~oZ z)P@=}kA%A?woiKjzjaL2J5F(}hVyf!JY8TYa7?Rm{s)hnxqmRyQ8WYJZeee55}rRp zMJeT@KrcFjt_C9J=znMX&ajinA%EbChekK+Imv395quCXWOD9OdmDUL^wW^dO~tr- zQxIw{!Zw%K)b@U9(U}<$`hukxW{!DFkTC@56v-QE^i}fa+#BAz%Kvl7&nW69Zq?gg z?{?{X^HULMrX)l~r;i?*1IXQySr1mxA#zs_At@yE-jG+n!xW58AF^REL9*s)qLslv zycCESJXvq0v(#^%zZCq{6h3g$VIP#AQAuTjTe!fbE63_bM%<|dbzk6;;|Ix#&>54G zllP-LqC5X%X?_2rU^3bZ0C()Mqy#WN33O$p68WP1VqqIv*0TL|i0E6QM6I!YD25Wa z1oGt=NVD>0f?KZe@0Ff6kjrI1^zCP;+D=rlax!lK2F`6V(;4jI!kh8-=@P(Gm(2z2 zttlK|mt%^J4)n*euDAe2_*Ci zTWyg&m%{jsotU+UV9#}p7cYRLG6Z0eP@JEKh^Q_b^|*|SU_kf?Jw5j&(#9f&l)c?= z|LV`$+8W;*%HS!6hU)nN7UqZF{<15FHU?qxWAO)HcE}UN9(R;%hN!S=ImuHSmyPG} z9d@7QpWc`;p;-238#V=o;^R;H#AnXi_~0tGHQwuD9ha8@EzhLs5pT;UleIV=xKj!C zQ&tzG}7-uci+D`bDOo?rG^jf*;39$KsW0 z{%n;T*y2aDgSlyNI>1sRfQVDL0ofd@=X60W-BMbF;FC#!Bvg&_m%91by4N!a(7RBd zeu~UX6C;#=Ujn`oph6w$hZjWdqp1A zl`j>IOS+pULa#gxRSv8|9Xs>6?>U=gs6Ulud;d({D>^?-7syFRm;k7A%8zw7D3g8p zs<=$}d=;`G+Vx{xF1`gkF1G^4`6{K&JONCry;$jF-pKQL`|WI;T)S$`4%~JgLH<{Q ze`QyxP`@zA^r-p091?p3n3pVlgXaNiNz5+#nt|{%`mkKLCeZ&2MJX8h0c|)w9m3ahh3oy({*Qgz($4swK~wmJsxdF zjngNUb}g4(>|9nY<>3@c+tAEp`#3M0Hxz8vAWjaGHTLX%)CiyTBk0zq#!Hu*KbLBZ z&Mq4j+f`DIpv}#(v$N}x+%Io_G&pZEz;|v%WU0M3;#6!r6{7`2ZImsdspYS>&a&0) 
zC+Oe$J*kAvfN0m5RK;?0B6r(3fp~|s2wkGIE*Q_o|QK+%EEWFQ*W^Uf4qjl&F=pgV=7nGKKv z;X495H7mb9p(=J{%O)KyJ&+C-1XXbuENWr9{C3WcUK6|(`)gy?{ca~m?cYU!-fQ^Z z?$Pg{JsYSBS=51q(0+#|*QvEb?+Y6)@U<-C+CiOgUZ?_Kc2yopKjM~rrO5dgR?4a% z*8JC>Jf1)6v5A`QGwKQKgqVi?HP$Jdgv&!Z9h?2UX}Y~N+OJpiUoCecYJR|Ir=;C$T?WFSWTsaWNfZx2;rOU`j53yUT4*k5 zVeb&hb1pWGkQA6xL(Oi&e@RaCdU?Ui_7|vkh3@)WKI@|Y8%2sEwX?T3mWhGExVvl! zq$~^quQVlrzSdc7b(iu_!J9MeU0i~kyPhIiUFk4HcDLmKN=H|3Zfcl`GAl%rg=hb$ z;hW({-~Q2*4Z*MvB)bxyz5;b^#qALt_wIaDy{y=I48{?MXAr)5k*`^V zTeO@S+iqJ^QAJsjQoSNw-kqKsvlGf<9KSgxnP ziZ&Giyvs%?D@ourkOn~~UF&d=@bKspgvT*}7fCHLFakBCHve&ef*bdo_wy9iY^Y`- z`-Zdw?Xwp+dcFCw+OZi%>ro<)uS)HT;8?sqpoYpvhTY!yM2d!LD;)5%#e#iRW;6;- zb3hA!u{Yk2q}FIpq%bD$OxU^~)84@Ym!Hx+rOcraN&*5SvgEEe#>|Y2?XkOUz@pW~ zyQZx@#hI)9y~LIw&%J?-+!lyi3Gcfwf`B4L3$`=F=2fw@`-}}`?#NfM{)mxLvfp>H z0VGA$&8}#ZCrI2Bo&N@mi-s+Ig^7*+{2APA{jqdCu2iQ|kV=Jy&OS-Tf-rn!-75ceuVY)J@af{xO~L z^=e(%2ZDNG68?wFm~UeE@4x`5u0c*g0VrCIY!8%&f)v5bRI}7Ee+xbcqJTKm*+JIJ zo|6t?@RRQ8BR#IJ- + SentinelOne Singularity Identity is a cybersecurity solution that provides identity protection and zero-trust security by continuously monitoring and analyzing user behaviors to detect and prevent potential threats. + +data_sources: diff --git a/SentinelOne/identity/_meta/smart-descriptions.json b/SentinelOne/identity/_meta/smart-descriptions.json new file mode 100644 index 000000000..ad570cb92 --- /dev/null +++ b/SentinelOne/identity/_meta/smart-descriptions.json 
@@ -0,0 +1,46 @@
+[
+ {
+ "value": "Alert defined {sentinelone.identity.name} with status {sentinelone.identity.status} on {process.command_line}",
+ "conditions": [
+ {
+ "field": "sentinelone.identity.name"
+ },
+ {
+ "field": "sentinelone.identity.status"
+ },
+ {
+ "field": "process.command_line"
+ }
+ ]
+ },
+ {
+ "value": "Alert defined {sentinelone.identity.name} with status {sentinelone.identity.status}",
+ "conditions": [
+ {
+ "field": "sentinelone.identity.name"
+ },
+ {
+ "field": "sentinelone.identity.status"
+ }
+ ]
+ },
+ {
+ "value": "Alert defined {sentinelone.identity.name} on {process.command_line}",
+ "conditions": [
+ {
+ "field": "sentinelone.identity.name"
+ },
+ {
+ "field": "process.command_line"
+ }
+ ]
+ },
+ {
+ "value": "Alert defined {sentinelone.identity.name}",
+ "conditions": [
+ {
+ "field": "sentinelone.identity.name"
+ }
+ ]
+ }
+]
\ No newline at end of file
diff --git a/SentinelOne/identity/ingest/parser.yml b/SentinelOne/identity/ingest/parser.yml new file mode 100644
index 000000000..507745cb7
--- /dev/null
+++ b/SentinelOne/identity/ingest/parser.yml
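Review bot: All four templates open with `Alert defined {sentinelone.identity.name}`, which reads as if the alert had been configured rather than raised; `"value": "Alert {sentinelone.identity.name} with status {sentinelone.identity.status} on {process.command_line}"` (and the same trim in the other three) keeps the same fields and reads naturally. The file also ends without a trailing newline (`\ No newline at end of file`), as do parser.yml and test_alert_1.json in this patch; adding one avoids a spurious diff on the next edit. The first and third templates render `process.command_line` verbatim into the summary; the sample in test_alert_1.json is short, but command lines are attacker-controlled and can be very long, so confirm the renderer truncates or consider leading with the shorter `file.name`.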
@@ -0,0 +1,67 @@
+name: identity
+pipeline:
+ - name: json_event
+ external:
+ name: json.parse-json
+ properties:
+ input_field: "{{original.message}}"
+
+ - name: detected_at
+ filter: "{{json_event.message.detectedAt != null}}"
+ external:
+ name: date.parse
+ properties:
+ input_field: "{{json_event.message.detectedAt}}"
+ output_field: timestamp
+
+ - name: started_at
+ filter: "{{json_event.message.firstSeenAt != null}}"
+ external:
+ name: date.parse
+ properties:
+ input_field: "{{json_event.message.firstSeenAt}}"
+ output_field: timestamp
+
+ - name: last_seen_at
+ filter: "{{json_event.message.lastSeenAt != null}}"
+ external:
+ name: date.parse
+ properties:
+ input_field: "{{json_event.message.lastSeenAt}}"
+ output_field: timestamp
+
+ - name: set_meta_fields
+stages:
+ set_meta_fields:
+ actions:
+ - set:
+ event.kind: "alert"
+ event.category: "intrusion_detection"
+ event.type: "info"
+ observer.vendor: "SentinelOne"
+ observer.product: "Singularity Identity"
+
+ "@timestamp": "{{detected_at.timestamp}}"
+ event.start: "{{started_at.timestamp}}"
+ event.end: "{{last_seen_at.timestamp}}"
+
+ event.provider: "{{json_event.message.detectionSource.product}}"
+ event.reason: "{{json_event.message.description}}"
+
+ process.command_line: "{{json_event.message.process.cmdLine}}"
+ process.parent.name: "{{json_event.message.process.parentName}}"
+
+ file.path: "{{json_event.message.process.file.path}}"
+ file.name: "{{json_event.message.process.file.path | basename}}"
+ file.hash.sha1: "{{json_event.message.process.file.sha1}}"
+ file.hash.sha256: "{{json_event.message.process.file.sha256}}"
+ file.hash.md5: "{{json_event.message.process.file.md5}}"
+
+ sentinelone.identity.id: "{{json_event.message.id}}"
+ sentinelone.identity.name: "{{json_event.message.name}}"
+ sentinelone.identity.attackSurfaces: "{{json_event.message.attackSurfaces}}"
+ sentinelone.identity.status: "{{json_event.message.status}}"
+ sentinelone.identity.classification: 
"{{json_event.message.classification}}"
+ sentinelone.identity.confidenceLevel: "{{json_event.message.confidenceLevel}}"
+ sentinelone.identity.result: "{{json_event.message.result}}"
+ sentinelone.identity.storyLineId: "{{json_event.message.storyLineId}}"
\ No newline at end of file
diff --git a/SentinelOne/identity/tests/test_alert_1.json b/SentinelOne/identity/tests/test_alert_1.json new file mode 100644
index 000000000..1e8b5bf2b
--- /dev/null
+++ b/SentinelOne/identity/tests/test_alert_1.json
@@ -0,0 +1,49 @@ +{ + "input": { + "message": "{\n \"id\": \"ba485919-e4c1-4496-9e2f-feb320f6841a\",\n \"name\": \"Domain Controller Discovery Detected\",\n \"description\": \"This event is raised when there is a query from an endpoint to find the domain controllers or AD Servers in the Active Directory Domain.\",\n \"detectedAt\": \"2024-11-22T05:35:09.000Z\",\n \"attackSurfaces\": [\n \"IDENTITY\"\n ],\n \"detectionSource\": {\n \"product\": \"Identity\"\n },\n \"status\": \"NEW\",\n \"assignee\": null,\n \"classification\": \"ENUMERATION\",\n \"confidenceLevel\": \"MALICIOUS\",\n \"firstSeenAt\": \"2024-11-22T05:35:09.000Z\",\n \"lastSeenAt\": \"2024-11-22T05:35:09.000Z\",\n \"process\": {\n \"cmdLine\": \"C:\\\\Windows\\\\system32\\\\net1 group \\\"Domain Controllers\\\" /domain\",\n \"file\": {\n \"path\": \"c:\\\\windows\\\\system32\\\\net1.exe\",\n \"sha1\": null,\n \"sha256\": \"18F76BC1F02A161EBDEDF3142273C186D05A836ADDCAAEE599194089FD59F398\",\n \"md5\": null\n },\n \"parentName\": null\n },\n \"result\": null,\n \"storylineId\": null\n}" + }, + "expected": { + "message": "{\n \"id\": \"ba485919-e4c1-4496-9e2f-feb320f6841a\",\n \"name\": \"Domain Controller Discovery Detected\",\n \"description\": \"This event is raised when there is a query from an endpoint to find the domain controllers or AD Servers in the Active Directory Domain.\",\n \"detectedAt\": \"2024-11-22T05:35:09.000Z\",\n \"attackSurfaces\": [\n \"IDENTITY\"\n ],\n \"detectionSource\": {\n \"product\": \"Identity\"\n },\n \"status\": \"NEW\",\n \"assignee\": null,\n \"classification\": \"ENUMERATION\",\n \"confidenceLevel\": \"MALICIOUS\",\n \"firstSeenAt\": \"2024-11-22T05:35:09.000Z\",\n \"lastSeenAt\": \"2024-11-22T05:35:09.000Z\",\n \"process\": {\n \"cmdLine\": \"C:\\\\Windows\\\\system32\\\\net1 group \\\"Domain Controllers\\\" /domain\",\n \"file\": {\n \"path\": \"c:\\\\windows\\\\system32\\\\net1.exe\",\n \"sha1\": null,\n \"sha256\": 
\"18F76BC1F02A161EBDEDF3142273C186D05A836ADDCAAEE599194089FD59F398\",\n \"md5\": null\n },\n \"parentName\": null\n },\n \"result\": null,\n \"storylineId\": null\n}", + "event": { + "category": "intrusion_detection", + "end": "2024-11-22T05:35:09Z", + "kind": "alert", + "provider": "Identity", + "reason": "This event is raised when there is a query from an endpoint to find the domain controllers or AD Servers in the Active Directory Domain.", + "start": "2024-11-22T05:35:09Z", + "type": "info" + }, + "@timestamp": "2024-11-22T05:35:09Z", + "file": { + "hash": { + "sha256": "18F76BC1F02A161EBDEDF3142273C186D05A836ADDCAAEE599194089FD59F398" + }, + "name": "net1.exe", + "path": "c:\\windows\\system32\\net1.exe" + }, + "observer": { + "product": "Singularity Identity", + "vendor": "SentinelOne" + }, + "process": { + "command_line": "C:\\Windows\\system32\\net1 group \"Domain Controllers\" /domain" + }, + "related": { + "hash": [ + "18F76BC1F02A161EBDEDF3142273C186D05A836ADDCAAEE599194089FD59F398" + ] + }, + "sentinelone": { + "identity": { + "attackSurfaces": [ + "IDENTITY" + ], + "classification": "ENUMERATION", + "confidenceLevel": "MALICIOUS", + "id": "ba485919-e4c1-4496-9e2f-feb320f6841a", + "name": "Domain Controller Discovery Detected", + "status": "NEW" + } + } + } +} \ No newline at end of file diff --git a/SentinelOne/identity/tests/test_alert_10.json b/SentinelOne/identity/tests/test_alert_10.json new file mode 100644 index 000000000..deb56e2a5 --- /dev/null +++ b/SentinelOne/identity/tests/test_alert_10.json 
@@ -0,0 +1,34 @@ +{ + "input": { + "message": "{\"id\": \"01935322-7b49-71f0-89e0-f52562c26e53\", \"name\": \"Brute force attack - Mass Account Lockout\", \"description\": \"This event is raised when ADAssessor detects lockout of multiple accounts, which could be due to brute-force attempts or a password spray.\", \"detectedAt\": \"2024-11-22T09:09:48.731Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"UNKNOWN\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T09:09:48.731Z\", \"lastSeenAt\": \"2024-11-22T09:09:48.731Z\", \"process\": null, \"result\": null, \"storylineId\": null}" + }, + "expected": { + "message": "{\"id\": \"01935322-7b49-71f0-89e0-f52562c26e53\", \"name\": \"Brute force attack - Mass Account Lockout\", \"description\": \"This event is raised when ADAssessor detects lockout of multiple accounts, which could be due to brute-force attempts or a password spray.\", \"detectedAt\": \"2024-11-22T09:09:48.731Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"UNKNOWN\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T09:09:48.731Z\", \"lastSeenAt\": \"2024-11-22T09:09:48.731Z\", \"process\": null, \"result\": null, \"storylineId\": null}", + "event": { + "category": "intrusion_detection", + "end": "2024-11-22T09:09:48.731000Z", + "kind": "alert", + "provider": "Identity", + "reason": "This event is raised when ADAssessor detects lockout of multiple accounts, which could be due to brute-force attempts or a password spray.", + "start": "2024-11-22T09:09:48.731000Z", + "type": "info" + }, + "@timestamp": "2024-11-22T09:09:48.731000Z", + "observer": { + "product": "Singularity Identity", + "vendor": "SentinelOne" + }, + "sentinelone": { + "identity": { + "attackSurfaces": [ + "IDENTITY" + ], + "classification": 
"UNKNOWN", + "confidenceLevel": "MALICIOUS", + "id": "01935322-7b49-71f0-89e0-f52562c26e53", + "name": "Brute force attack - Mass Account Lockout", + "status": "NEW" + } + } + } +} \ No newline at end of file diff --git a/SentinelOne/identity/tests/test_alert_11.json b/SentinelOne/identity/tests/test_alert_11.json new file mode 100644 index 000000000..a4d81025f --- /dev/null +++ b/SentinelOne/identity/tests/test_alert_11.json 
@@ -0,0 +1,49 @@ +{ + "input": { + "message": "{\"id\": \"01935310-d00e-7616-81b9-fcb227ebb13d\", \"name\": \"Domain Controller Discovery Detected\", \"description\": \"This event is raised when there is a query from an endpoint to find the domain controllers or AD Servers in the Active Directory Domain.\", \"detectedAt\": \"2024-11-22T08:45:51.000Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"ENUMERATION\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T08:45:51.000Z\", \"lastSeenAt\": \"2024-11-22T08:45:51.000Z\", \"process\": {\"cmdLine\": \"Sharphound.exe\", \"file\": {\"path\": \"c:\\\\users\\\\administrator\\\\desktop\\\\ad_recon\\\\sharphound.exe\", \"sha1\": null, \"sha256\": \"61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863\", \"md5\": null}, \"parentName\": null}, \"result\": null, \"storylineId\": null}" + }, + "expected": { + "message": "{\"id\": \"01935310-d00e-7616-81b9-fcb227ebb13d\", \"name\": \"Domain Controller Discovery Detected\", \"description\": \"This event is raised when there is a query from an endpoint to find the domain controllers or AD Servers in the Active Directory Domain.\", \"detectedAt\": \"2024-11-22T08:45:51.000Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"ENUMERATION\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T08:45:51.000Z\", \"lastSeenAt\": \"2024-11-22T08:45:51.000Z\", \"process\": {\"cmdLine\": \"Sharphound.exe\", \"file\": {\"path\": \"c:\\\\users\\\\administrator\\\\desktop\\\\ad_recon\\\\sharphound.exe\", \"sha1\": null, \"sha256\": \"61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863\", \"md5\": null}, \"parentName\": null}, \"result\": null, \"storylineId\": null}", + "event": { + "category": "intrusion_detection", + "end": 
"2024-11-22T08:45:51Z", + "kind": "alert", + "provider": "Identity", + "reason": "This event is raised when there is a query from an endpoint to find the domain controllers or AD Servers in the Active Directory Domain.", + "start": "2024-11-22T08:45:51Z", + "type": "info" + }, + "@timestamp": "2024-11-22T08:45:51Z", + "file": { + "hash": { + "sha256": "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863" + }, + "name": "sharphound.exe", + "path": "c:\\users\\administrator\\desktop\\ad_recon\\sharphound.exe" + }, + "observer": { + "product": "Singularity Identity", + "vendor": "SentinelOne" + }, + "process": { + "command_line": "Sharphound.exe" + }, + "related": { + "hash": [ + "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863" + ] + }, + "sentinelone": { + "identity": { + "attackSurfaces": [ + "IDENTITY" + ], + "classification": "ENUMERATION", + "confidenceLevel": "MALICIOUS", + "id": "01935310-d00e-7616-81b9-fcb227ebb13d", + "name": "Domain Controller Discovery Detected", + "status": "NEW" + } + } + } +} \ No newline at end of file diff --git a/SentinelOne/identity/tests/test_alert_12.json b/SentinelOne/identity/tests/test_alert_12.json new file mode 100644 index 000000000..1618da843 --- /dev/null +++ b/SentinelOne/identity/tests/test_alert_12.json 
@@ -0,0 +1,49 @@ +{ + "input": { + "message": "{\"id\": \"01935310-eb28-7a57-9c27-87843b2cec61\", \"name\": \"AD Service Account Enumeration Detected\", \"description\": \"This event is generated when LDAP queries for enumerating service accounts are detected from an endpoint.\", \"detectedAt\": \"2024-11-22T08:45:51.000Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"ENUMERATION\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T08:45:51.000Z\", \"lastSeenAt\": \"2024-11-22T08:45:51.000Z\", \"process\": {\"cmdLine\": \"Sharphound.exe\", \"file\": {\"path\": \"c:\\\\users\\\\administrator\\\\desktop\\\\ad_recon\\\\sharphound.exe\", \"sha1\": null, \"sha256\": \"61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863\", \"md5\": null}, \"parentName\": null}, \"result\": null, \"storylineId\": null}" + }, + "expected": { + "message": "{\"id\": \"01935310-eb28-7a57-9c27-87843b2cec61\", \"name\": \"AD Service Account Enumeration Detected\", \"description\": \"This event is generated when LDAP queries for enumerating service accounts are detected from an endpoint.\", \"detectedAt\": \"2024-11-22T08:45:51.000Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"ENUMERATION\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T08:45:51.000Z\", \"lastSeenAt\": \"2024-11-22T08:45:51.000Z\", \"process\": {\"cmdLine\": \"Sharphound.exe\", \"file\": {\"path\": \"c:\\\\users\\\\administrator\\\\desktop\\\\ad_recon\\\\sharphound.exe\", \"sha1\": null, \"sha256\": \"61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863\", \"md5\": null}, \"parentName\": null}, \"result\": null, \"storylineId\": null}", + "event": { + "category": "intrusion_detection", + "end": "2024-11-22T08:45:51Z", + "kind": "alert", + "provider": 
"Identity", + "reason": "This event is generated when LDAP queries for enumerating service accounts are detected from an endpoint.", + "start": "2024-11-22T08:45:51Z", + "type": "info" + }, + "@timestamp": "2024-11-22T08:45:51Z", + "file": { + "hash": { + "sha256": "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863" + }, + "name": "sharphound.exe", + "path": "c:\\users\\administrator\\desktop\\ad_recon\\sharphound.exe" + }, + "observer": { + "product": "Singularity Identity", + "vendor": "SentinelOne" + }, + "process": { + "command_line": "Sharphound.exe" + }, + "related": { + "hash": [ + "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863" + ] + }, + "sentinelone": { + "identity": { + "attackSurfaces": [ + "IDENTITY" + ], + "classification": "ENUMERATION", + "confidenceLevel": "MALICIOUS", + "id": "01935310-eb28-7a57-9c27-87843b2cec61", + "name": "AD Service Account Enumeration Detected", + "status": "NEW" + } + } + } +} \ No newline at end of file diff --git a/SentinelOne/identity/tests/test_alert_13.json b/SentinelOne/identity/tests/test_alert_13.json new file mode 100644 index 000000000..a31ef954f --- /dev/null +++ b/SentinelOne/identity/tests/test_alert_13.json 
@@ -0,0 +1,49 @@ +{ + "input": { + "message": "{\"id\": \"01935310-c715-72c9-bbd9-dc1ff6a7ff1e\", \"name\": \"AD Domain Computer Enumeration Detected\", \"description\": \"This event is raised when there is a query from an endpoint to dump all the computers in the Active Directory Domain.\", \"detectedAt\": \"2024-11-22T08:45:50.000Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"ENUMERATION\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T08:45:50.000Z\", \"lastSeenAt\": \"2024-11-22T08:45:50.000Z\", \"process\": {\"cmdLine\": \"Sharphound.exe\", \"file\": {\"path\": \"c:\\\\users\\\\administrator\\\\desktop\\\\ad_recon\\\\sharphound.exe\", \"sha1\": null, \"sha256\": \"61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863\", \"md5\": null}, \"parentName\": null}, \"result\": null, \"storylineId\": null}" + }, + "expected": { + "message": "{\"id\": \"01935310-c715-72c9-bbd9-dc1ff6a7ff1e\", \"name\": \"AD Domain Computer Enumeration Detected\", \"description\": \"This event is raised when there is a query from an endpoint to dump all the computers in the Active Directory Domain.\", \"detectedAt\": \"2024-11-22T08:45:50.000Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"ENUMERATION\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T08:45:50.000Z\", \"lastSeenAt\": \"2024-11-22T08:45:50.000Z\", \"process\": {\"cmdLine\": \"Sharphound.exe\", \"file\": {\"path\": \"c:\\\\users\\\\administrator\\\\desktop\\\\ad_recon\\\\sharphound.exe\", \"sha1\": null, \"sha256\": \"61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863\", \"md5\": null}, \"parentName\": null}, \"result\": null, \"storylineId\": null}", + "event": { + "category": "intrusion_detection", + "end": "2024-11-22T08:45:50Z", + "kind": "alert", 
+ "provider": "Identity", + "reason": "This event is raised when there is a query from an endpoint to dump all the computers in the Active Directory Domain.", + "start": "2024-11-22T08:45:50Z", + "type": "info" + }, + "@timestamp": "2024-11-22T08:45:50Z", + "file": { + "hash": { + "sha256": "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863" + }, + "name": "sharphound.exe", + "path": "c:\\users\\administrator\\desktop\\ad_recon\\sharphound.exe" + }, + "observer": { + "product": "Singularity Identity", + "vendor": "SentinelOne" + }, + "process": { + "command_line": "Sharphound.exe" + }, + "related": { + "hash": [ + "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863" + ] + }, + "sentinelone": { + "identity": { + "attackSurfaces": [ + "IDENTITY" + ], + "classification": "ENUMERATION", + "confidenceLevel": "MALICIOUS", + "id": "01935310-c715-72c9-bbd9-dc1ff6a7ff1e", + "name": "AD Domain Computer Enumeration Detected", + "status": "NEW" + } + } + } +} \ No newline at end of file diff --git a/SentinelOne/identity/tests/test_alert_14.json b/SentinelOne/identity/tests/test_alert_14.json new file mode 100644 index 000000000..7b9fc10e1 --- /dev/null +++ b/SentinelOne/identity/tests/test_alert_14.json 
@@ -0,0 +1,49 @@ +{ + "input": { + "message": "{\"id\": \"01935310-cb9b-770e-96ee-632d4d21520b\", \"name\": \"AD ACL Enumeration\", \"description\": \"This event is generated when a command used to query or read the ACL's\\\\ Permission of any object in Active Directory.\", \"detectedAt\": \"2024-11-22T08:45:50.000Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"ENUMERATION\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T08:45:50.000Z\", \"lastSeenAt\": \"2024-11-22T08:45:50.000Z\", \"process\": {\"cmdLine\": \"Sharphound.exe\", \"file\": {\"path\": \"c:\\\\users\\\\administrator\\\\desktop\\\\ad_recon\\\\sharphound.exe\", \"sha1\": null, \"sha256\": \"61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863\", \"md5\": null}, \"parentName\": null}, \"result\": null, \"storylineId\": null}" + }, + "expected": { + "message": "{\"id\": \"01935310-cb9b-770e-96ee-632d4d21520b\", \"name\": \"AD ACL Enumeration\", \"description\": \"This event is generated when a command used to query or read the ACL's\\\\ Permission of any object in Active Directory.\", \"detectedAt\": \"2024-11-22T08:45:50.000Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"ENUMERATION\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T08:45:50.000Z\", \"lastSeenAt\": \"2024-11-22T08:45:50.000Z\", \"process\": {\"cmdLine\": \"Sharphound.exe\", \"file\": {\"path\": \"c:\\\\users\\\\administrator\\\\desktop\\\\ad_recon\\\\sharphound.exe\", \"sha1\": null, \"sha256\": \"61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863\", \"md5\": null}, \"parentName\": null}, \"result\": null, \"storylineId\": null}", + "event": { + "category": "intrusion_detection", + "end": "2024-11-22T08:45:50Z", + "kind": "alert", + "provider": "Identity", + 
"reason": "This event is generated when a command used to query or read the ACL's\\ Permission of any object in Active Directory.", + "start": "2024-11-22T08:45:50Z", + "type": "info" + }, + "@timestamp": "2024-11-22T08:45:50Z", + "file": { + "hash": { + "sha256": "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863" + }, + "name": "sharphound.exe", + "path": "c:\\users\\administrator\\desktop\\ad_recon\\sharphound.exe" + }, + "observer": { + "product": "Singularity Identity", + "vendor": "SentinelOne" + }, + "process": { + "command_line": "Sharphound.exe" + }, + "related": { + "hash": [ + "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863" + ] + }, + "sentinelone": { + "identity": { + "attackSurfaces": [ + "IDENTITY" + ], + "classification": "ENUMERATION", + "confidenceLevel": "MALICIOUS", + "id": "01935310-cb9b-770e-96ee-632d4d21520b", + "name": "AD ACL Enumeration", + "status": "NEW" + } + } + } +} \ No newline at end of file diff --git a/SentinelOne/identity/tests/test_alert_15.json b/SentinelOne/identity/tests/test_alert_15.json new file mode 100644 index 000000000..d8a7c1f8a --- /dev/null +++ b/SentinelOne/identity/tests/test_alert_15.json 
@@ -0,0 +1,49 @@ +{ + "input": { + "message": "{\"id\": \"01935310-d4ba-7131-9e08-defa8b3aeb52\", \"name\": \"Domain Users Enumeration Detected\", \"description\": \"This event is raised when there is a query from an endpoint to dump all the users in the Active Directory Domain.\", \"detectedAt\": \"2024-11-22T08:45:50.000Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"ENUMERATION\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T08:45:50.000Z\", \"lastSeenAt\": \"2024-11-22T08:45:50.000Z\", \"process\": {\"cmdLine\": \"Sharphound.exe\", \"file\": {\"path\": \"c:\\\\users\\\\administrator\\\\desktop\\\\ad_recon\\\\sharphound.exe\", \"sha1\": null, \"sha256\": \"61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863\", \"md5\": null}, \"parentName\": null}, \"result\": null, \"storylineId\": null}" + }, + "expected": { + "message": "{\"id\": \"01935310-d4ba-7131-9e08-defa8b3aeb52\", \"name\": \"Domain Users Enumeration Detected\", \"description\": \"This event is raised when there is a query from an endpoint to dump all the users in the Active Directory Domain.\", \"detectedAt\": \"2024-11-22T08:45:50.000Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"ENUMERATION\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T08:45:50.000Z\", \"lastSeenAt\": \"2024-11-22T08:45:50.000Z\", \"process\": {\"cmdLine\": \"Sharphound.exe\", \"file\": {\"path\": \"c:\\\\users\\\\administrator\\\\desktop\\\\ad_recon\\\\sharphound.exe\", \"sha1\": null, \"sha256\": \"61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863\", \"md5\": null}, \"parentName\": null}, \"result\": null, \"storylineId\": null}", + "event": { + "category": "intrusion_detection", + "end": "2024-11-22T08:45:50Z", + "kind": "alert", + "provider": 
"Identity", + "reason": "This event is raised when there is a query from an endpoint to dump all the users in the Active Directory Domain.", + "start": "2024-11-22T08:45:50Z", + "type": "info" + }, + "@timestamp": "2024-11-22T08:45:50Z", + "file": { + "hash": { + "sha256": "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863" + }, + "name": "sharphound.exe", + "path": "c:\\users\\administrator\\desktop\\ad_recon\\sharphound.exe" + }, + "observer": { + "product": "Singularity Identity", + "vendor": "SentinelOne" + }, + "process": { + "command_line": "Sharphound.exe" + }, + "related": { + "hash": [ + "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863" + ] + }, + "sentinelone": { + "identity": { + "attackSurfaces": [ + "IDENTITY" + ], + "classification": "ENUMERATION", + "confidenceLevel": "MALICIOUS", + "id": "01935310-d4ba-7131-9e08-defa8b3aeb52", + "name": "Domain Users Enumeration Detected", + "status": "NEW" + } + } + } +} \ No newline at end of file diff --git a/SentinelOne/identity/tests/test_alert_16.json b/SentinelOne/identity/tests/test_alert_16.json new file mode 100644 index 000000000..8a5217a55 --- /dev/null +++ b/SentinelOne/identity/tests/test_alert_16.json 
@@ -0,0 +1,49 @@ +{ + "input": { + "message": "{\"id\": \"01935310-dc47-75de-8925-5f026bd5a705\", \"name\": \"LDAP Search Detected\", \"description\": \"This events is raised when a LDAP search Query is detected from the endpoint.\", \"detectedAt\": \"2024-11-22T08:45:50.000Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"ENUMERATION\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T08:45:50.000Z\", \"lastSeenAt\": \"2024-11-22T08:45:50.000Z\", \"process\": {\"cmdLine\": \"Sharphound.exe\", \"file\": {\"path\": \"c:\\\\users\\\\administrator\\\\desktop\\\\ad_recon\\\\sharphound.exe\", \"sha1\": null, \"sha256\": \"61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863\", \"md5\": null}, \"parentName\": null}, \"result\": null, \"storylineId\": null}" + }, + "expected": { + "message": "{\"id\": \"01935310-dc47-75de-8925-5f026bd5a705\", \"name\": \"LDAP Search Detected\", \"description\": \"This events is raised when a LDAP search Query is detected from the endpoint.\", \"detectedAt\": \"2024-11-22T08:45:50.000Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"ENUMERATION\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T08:45:50.000Z\", \"lastSeenAt\": \"2024-11-22T08:45:50.000Z\", \"process\": {\"cmdLine\": \"Sharphound.exe\", \"file\": {\"path\": \"c:\\\\users\\\\administrator\\\\desktop\\\\ad_recon\\\\sharphound.exe\", \"sha1\": null, \"sha256\": \"61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863\", \"md5\": null}, \"parentName\": null}, \"result\": null, \"storylineId\": null}", + "event": { + "category": "intrusion_detection", + "end": "2024-11-22T08:45:50Z", + "kind": "alert", + "provider": "Identity", + "reason": "This events is raised when a LDAP search Query is detected from the endpoint.", 
+ "start": "2024-11-22T08:45:50Z", + "type": "info" + }, + "@timestamp": "2024-11-22T08:45:50Z", + "file": { + "hash": { + "sha256": "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863" + }, + "name": "sharphound.exe", + "path": "c:\\users\\administrator\\desktop\\ad_recon\\sharphound.exe" + }, + "observer": { + "product": "Singularity Identity", + "vendor": "SentinelOne" + }, + "process": { + "command_line": "Sharphound.exe" + }, + "related": { + "hash": [ + "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863" + ] + }, + "sentinelone": { + "identity": { + "attackSurfaces": [ + "IDENTITY" + ], + "classification": "ENUMERATION", + "confidenceLevel": "MALICIOUS", + "id": "01935310-dc47-75de-8925-5f026bd5a705", + "name": "LDAP Search Detected", + "status": "NEW" + } + } + } +} \ No newline at end of file diff --git a/SentinelOne/identity/tests/test_alert_2.json b/SentinelOne/identity/tests/test_alert_2.json new file mode 100644 index 000000000..6d697a5be --- /dev/null +++ b/SentinelOne/identity/tests/test_alert_2.json 
@@ -0,0 +1,22 @@ +{ + "input": { + "message": "{\n \"uuid\": \"c0d4da63-0b2b-41ea-8cfe-0eb6bf78c398\",\n \"lastMigration\": 33,\n \"name\": \"Mocked api\",\n \"endpointPrefix\": \"\",\n \"latency\": 0,\n \"port\": 3000,\n \"hostname\": \"\",\n \"folders\": [\n {\n \"uuid\": \"b429b3e6-d7b1-4d4f-95fa-6ef0e9125858\",\n \"name\": \"user\",\n \"children\": [\n {\n \"type\": \"route\",\n \"uuid\": \"b071b344-f505-4b3b-ab48-963913a8f733\"\n },\n {\n \"type\": \"route\",\n \"uuid\": \"b05bcbda-d9b1-4bf1-89ae-f4161426251b\"\n },\n {\n \"type\": \"route\",\n \"uuid\": \"a4bc1f9a-cad0-416a-99a0-0202b1ccbe34\"\n },\n {\n \"type\": \"route\",\n \"uuid\": \"654ef4ca-727f-48f6-8561-5a1a73bd80d7\"\n },\n {\n \"type\": \"route\",\n \"uuid\": \"8ac42783-a83d-4f6a-98ff-f76b7660e585\"\n }\n ]\n }\n ],\n \"routes\": [\n {\n \"uuid\": \"b071b344-f505-4b3b-ab48-963913a8f733\",\n \"type\": \"http\",\n \"documentation\": \"Creates new user\",\n \"method\": \"post\",\n \"endpoint\": \"user\",\n \"responses\": [\n {\n \"uuid\": \"0a1cd03e-8140-42cb-a0a3-67e99f44b595\",\n \"body\": \"{}\",\n \"latency\": 0,\n \"statusCode\": 200,\n \"label\": \"\",\n \"headers\": [],\n \"bodyType\": \"DATABUCKET\",\n \"filePath\": \"\",\n \"databucketID\": \"w34k\",\n \"sendFileAsBody\": false,\n \"rules\": [\n {\n \"target\": \"body\",\n \"modifier\": \"$\",\n \"value\": \"CreateUserRequest\",\n \"invert\": false,\n \"operator\": \"valid_json_schema\"\n }\n ],\n \"rulesOperator\": \"AND\",\n \"disableTemplating\": false,\n \"fallbackTo404\": false,\n \"default\": false,\n \"crudKey\": \"id\",\n \"callbacks\": []\n },\n {\n \"uuid\": \"2334411e-b9c5-425e-8bd8-470da7d11077\",\n \"body\": \"{}\",\n \"latency\": 0,\n \"statusCode\": 400,\n \"label\": \"\",\n \"headers\": [],\n \"bodyType\": \"DATABUCKET\",\n \"filePath\": \"\",\n \"databucketID\": \"\",\n \"sendFileAsBody\": false,\n \"rules\": [],\n \"rulesOperator\": \"OR\",\n \"disableTemplating\": false,\n \"fallbackTo404\": false,\n \"default\": true,\n 
\"crudKey\": \"id\",\n \"callbacks\": []\n }\n ],\n \"responseMode\": null,\n \"streamingMode\": null,\n \"streamingInterval\": 0\n },\n {\n \"uuid\": \"654ef4ca-727f-48f6-8561-5a1a73bd80d7\",\n \"type\": \"http\",\n \"documentation\": \"Logout\",\n \"method\": \"post\",\n \"endpoint\": \"user/logout\",\n \"responses\": [\n {\n \"uuid\": \"8e9bafc8-78e5-4685-88cd-3b90f85edb87\",\n \"body\": \"{}\",\n \"latency\": 0,\n \"statusCode\": 200,\n \"label\": \"\",\n \"headers\": [],\n \"bodyType\": \"INLINE\",\n \"filePath\": \"\",\n \"databucketID\": \"\",\n \"sendFileAsBody\": false,\n \"rules\": [],\n \"rulesOperator\": \"OR\",\n \"disableTemplating\": false,\n \"fallbackTo404\": false,\n \"default\": true,\n \"crudKey\": \"id\",\n \"callbacks\": []\n }\n ],\n \"responseMode\": null,\n \"streamingMode\": null,\n \"streamingInterval\": 0\n },\n {\n \"uuid\": \"b05bcbda-d9b1-4bf1-89ae-f4161426251b\",\n \"type\": \"http\",\n \"documentation\": \"Authenticate user with credentials\",\n \"method\": \"post\",\n \"endpoint\": \"user/authenticate\",\n \"responses\": [\n {\n \"uuid\": \"91ecae5f-67e0-4264-b724-964d54d7d458\",\n \"body\": \"{}\",\n \"latency\": 0,\n \"statusCode\": 200,\n \"label\": \"\",\n \"headers\": [],\n \"bodyType\": \"DATABUCKET\",\n \"filePath\": \"\",\n \"databucketID\": \"77fk\",\n \"sendFileAsBody\": false,\n \"rules\": [\n {\n \"target\": \"body\",\n \"modifier\": \"$\",\n \"value\": \"AuthenticateUserRequest\",\n \"invert\": false,\n \"operator\": \"valid_json_schema\"\n }\n ],\n \"rulesOperator\": \"OR\",\n \"disableTemplating\": false,\n \"fallbackTo404\": false,\n \"default\": false,\n \"crudKey\": \"id\",\n \"callbacks\": []\n },\n {\n \"uuid\": \"6e78ae1f-c46c-43fc-a96b-6718ec506d26\",\n \"body\": \"{}\",\n \"latency\": 0,\n \"statusCode\": 400,\n \"label\": \"\",\n \"headers\": [],\n \"bodyType\": \"INLINE\",\n \"filePath\": \"\",\n \"databucketID\": \"\",\n \"sendFileAsBody\": false,\n \"rules\": [],\n \"rulesOperator\": \"OR\",\n 
\"disableTemplating\": false,\n \"fallbackTo404\": false,\n \"default\": true,\n \"crudKey\": \"id\",\n \"callbacks\": []\n }\n ],\n \"responseMode\": null,\n \"streamingMode\": null,\n \"streamingInterval\": 0\n },\n {\n \"uuid\": \"8ac42783-a83d-4f6a-98ff-f76b7660e585\",\n \"type\": \"http\",\n \"documentation\": \"Refresh Session\",\n \"method\": \"post\",\n \"endpoint\": \"user/refresh-session\",\n \"responses\": [\n {\n \"uuid\": \"5505a95b-80d0-46cc-b388-9d5afac52102\",\n \"body\": \"{}\",\n \"latency\": 0,\n \"statusCode\": 200,\n \"label\": \"\",\n \"headers\": [],\n \"bodyType\": \"DATABUCKET\",\n \"filePath\": \"\",\n \"databucketID\": \"77fk\",\n \"sendFileAsBody\": false,\n \"rules\": [\n {\n \"target\": \"body\",\n \"modifier\": \"refreshToken\",\n \"value\": \"\",\n \"invert\": true,\n \"operator\": \"null\"\n }\n ],\n \"rulesOperator\": \"OR\",\n \"disableTemplating\": false,\n \"fallbackTo404\": false,\n \"default\": true,\n \"crudKey\": \"id\",\n \"callbacks\": []\n },\n {\n \"uuid\": \"7d54557c-5d32-44c1-92dc-a594615ce7d8\",\n \"body\": \"{}\",\n \"latency\": 0,\n \"statusCode\": 401,\n \"label\": \"\",\n \"headers\": [],\n \"bodyType\": \"INLINE\",\n \"filePath\": \"\",\n \"databucketID\": \"\",\n \"sendFileAsBody\": false,\n \"rules\": [\n {\n \"target\": \"body\",\n \"modifier\": \"refreshToken\",\n \"value\": \"\",\n \"invert\": false,\n \"operator\": \"null\"\n }\n ],\n \"rulesOperator\": \"OR\",\n \"disableTemplating\": false,\n \"fallbackTo404\": false,\n \"default\": false,\n \"crudKey\": \"id\",\n \"callbacks\": []\n }\n ],\n \"responseMode\": null,\n \"streamingMode\": null,\n \"streamingInterval\": 0\n },\n {\n \"uuid\": \"2be5e000-c494-4e86-abfa-7e736ccec3af\",\n \"type\": \"http\",\n \"documentation\": \"Auth required\",\n \"method\": \"all\",\n \"endpoint\": \"*\",\n \"responses\": [\n {\n \"uuid\": \"c49cf55f-b651-4a26-9c10-9806af40c0c4\",\n \"body\": \"{}\",\n \"latency\": 0,\n \"statusCode\": 401,\n \"label\": \"\",\n \"headers\": 
[],\n \"bodyType\": \"INLINE\",\n \"filePath\": \"\",\n \"databucketID\": \"\",\n \"sendFileAsBody\": false,\n \"rules\": [\n {\n \"target\": \"header\",\n \"modifier\": \"funfy-auth-token\",\n \"value\": \"\",\n \"invert\": false,\n \"operator\": \"null\"\n },\n {\n \"target\": \"path\",\n \"modifier\": \"\",\n \"value\": \"/user\",\n \"invert\": true,\n \"operator\": \"equals\"\n },\n {\n \"target\": \"path\",\n \"modifier\": \"\",\n \"value\": \"/user/authenticate\",\n \"invert\": true,\n \"operator\": \"equals\"\n }\n ],\n \"rulesOperator\": \"AND\",\n \"disableTemplating\": false,\n \"fallbackTo404\": false,\n \"default\": true,\n \"crudKey\": \"id\",\n \"callbacks\": []\n }\n ],\n \"responseMode\": \"FALLBACK\",\n \"streamingMode\": null,\n \"streamingInterval\": 0\n },\n {\n \"uuid\": \"a4bc1f9a-cad0-416a-99a0-0202b1ccbe34\",\n \"type\": \"http\",\n \"documentation\": \"RefreshToken is required\",\n \"method\": \"all\",\n \"endpoint\": \"user/*\",\n \"responses\": [\n {\n \"uuid\": \"e5d4e8a4-037e-4e72-b8a3-1e4b9c5da3bd\",\n \"body\": \"{}\",\n \"latency\": 0,\n \"statusCode\": 400,\n \"label\": \"\",\n \"headers\": [],\n \"bodyType\": \"INLINE\",\n \"filePath\": \"\",\n \"databucketID\": \"\",\n \"sendFileAsBody\": false,\n \"rules\": [\n {\n \"target\": \"body\",\n \"modifier\": \"$.refreshToken\",\n \"value\": \"\",\n \"invert\": false,\n \"operator\": \"null\"\n }\n ],\n \"rulesOperator\": \"AND\",\n \"disableTemplating\": false,\n \"fallbackTo404\": false,\n \"default\": true,\n \"crudKey\": \"id\",\n \"callbacks\": []\n }\n ],\n \"responseMode\": \"FALLBACK\",\n \"streamingMode\": null,\n \"streamingInterval\": 0\n },\n {\n \"uuid\": \"dd9329aa-3b68-4907-b069-52d1d1793ca8\",\n \"type\": \"http\",\n \"documentation\": \"\",\n \"method\": \"get\",\n \"endpoint\": \"test\",\n \"responses\": [\n {\n \"uuid\": \"acc619a1-6ec7-45a6-888c-a7a860ed237b\",\n \"body\": \"{\\n \\\"message\\\": \\\"route required auth\\\"\\n}\",\n \"latency\": 0,\n \"statusCode\": 
200,\n \"label\": \"\",\n \"headers\": [],\n \"bodyType\": \"INLINE\",\n \"filePath\": \"\",\n \"databucketID\": \"\",\n \"sendFileAsBody\": false,\n \"rules\": [],\n \"rulesOperator\": \"OR\",\n \"disableTemplating\": false,\n \"fallbackTo404\": false,\n \"default\": true,\n \"crudKey\": \"id\",\n \"callbacks\": []\n }\n ],\n \"responseMode\": null,\n \"streamingMode\": null,\n \"streamingInterval\": 0\n }\n ],\n \"rootChildren\": [\n {\n \"type\": \"route\",\n \"uuid\": \"2be5e000-c494-4e86-abfa-7e736ccec3af\"\n },\n {\n \"type\": \"folder\",\n \"uuid\": \"b429b3e6-d7b1-4d4f-95fa-6ef0e9125858\"\n },\n {\n \"type\": \"route\",\n \"uuid\": \"dd9329aa-3b68-4907-b069-52d1d1793ca8\"\n }\n ],\n \"proxyMode\": false,\n \"proxyHost\": \"\",\n \"proxyRemovePrefix\": false,\n \"tlsOptions\": {\n \"enabled\": false,\n \"type\": \"CERT\",\n \"pfxPath\": \"\",\n \"certPath\": \"\",\n \"keyPath\": \"\",\n \"caPath\": \"\",\n \"passphrase\": \"\"\n },\n \"cors\": true,\n \"headers\": [\n {\n \"key\": \"Content-Type\",\n \"value\": \"application/json\"\n },\n {\n \"key\": \"Access-Control-Allow-Origin\",\n \"value\": \"*\"\n },\n {\n \"key\": \"Access-Control-Allow-Methods\",\n \"value\": \"GET,POST,PUT,PATCH,DELETE,HEAD,OPTIONS\"\n },\n {\n \"key\": \"Access-Control-Allow-Headers\",\n \"value\": \"Content-Type, Origin, Accept, Authorization, Content-Length, X-Requested-With\"\n }\n ],\n \"proxyReqHeaders\": [\n {\n \"key\": \"\",\n \"value\": \"\"\n }\n ],\n \"proxyResHeaders\": [\n {\n \"key\": \"\",\n \"value\": \"\"\n }\n ],\n \"data\": [\n {\n \"uuid\": \"38fb975d-c6f0-48d9-ae52-9e3fbc5cb654\",\n \"id\": \"8wey\",\n \"name\": \"Globals\",\n \"documentation\": \"\",\n \"value\": \"\"\n },\n {\n \"uuid\": \"2372a308-c890-479c-a18b-54abe4696967\",\n \"id\": \"zzay\",\n \"name\": \"ISODate\",\n \"documentation\": \"Datetime shared format comes from backend\",\n \"value\": \"\\\"{{now 'yyyy-MM-dd\\\\'T\\\\'HH:mm:ss\\\\'Z\\\\''}}\\\"\"\n },\n {\n \"uuid\": 
\"160c80f4-39c7-494d-a489-06da2e51aa87\",\n \"id\": \"g4qq\",\n \"name\": \"CreateUserRequest\",\n \"documentation\": \"\",\n \"value\": \"{\\n \\\"type\\\": \\\"object\\\",\\n \\\"properties\\\": {\\n \\\"email\\\": { \\\"type\\\": \\\"string\\\" },\\n \\\"phone\\\": { \\\"type\\\": \\\"string\\\" },\\n \\\"password\\\": { \\\"type\\\": \\\"string\\\" }\\n },\\n \\\"required\\\": [\\\"phone\\\", \\\"password\\\"]\\n}\\n\"\n },\n {\n \"uuid\": \"c1d673ba-f7cf-4fd2-8cc8-449017a3ff17\",\n \"id\": \"ofz6\",\n \"name\": \"AuthenticateUserRequest\",\n \"documentation\": \"\",\n \"value\": \"{\\n \\\"type\\\": \\\"object\\\",\\n \\\"properties\\\": {\\n \\\"phone\\\": { \\\"type\\\": \\\"string\\\" },\\n \\\"password\\\": { \\\"type\\\": \\\"string\\\" }\\n },\\n \\\"required\\\": [\\\"phone\\\", \\\"password\\\"]\\n}\\n\"\n },\n {\n \"uuid\": \"2844853c-c892-4671-9201-0b252711a36b\",\n \"id\": \"w34k\",\n \"name\": \"User\",\n \"documentation\": \"\",\n \"value\": \"{\\n \\\"id\\\": \\\"{{faker 'string.uuid'}}\\\",\\n \\\"email\\\": \\\"{{faker 'internet.email'}}\\\",\\n \\\"phone\\\": \\\"{{faker 'phone.number' style='international'}}\\\",\\n \\\"createdAt\\\": \\\"{{data 'ISODate'}}\\\",\\n \\\"updatedAt\\\": \\\"{{data 'ISODate'}}\\\",\\n}\"\n },\n {\n \"uuid\": \"e698b979-5934-45f2-8612-5782a8b1e0be\",\n \"id\": \"77fk\",\n \"name\": \"Authentication\",\n \"documentation\": \"\",\n \"value\": \"{\\n \\\"refreshToken\\\": \\\"{{faker 'string.uuid'}}\\\",\\n \\\"accessToken\\\": \\\"{{faker 'string.uuid'}}\\\"\\n}\"\n }\n ],\n \"callbacks\": []\n}" + }, + "expected": { + "message": "{\n \"uuid\": \"c0d4da63-0b2b-41ea-8cfe-0eb6bf78c398\",\n \"lastMigration\": 33,\n \"name\": \"Mocked api\",\n \"endpointPrefix\": \"\",\n \"latency\": 0,\n \"port\": 3000,\n \"hostname\": \"\",\n \"folders\": [\n {\n \"uuid\": \"b429b3e6-d7b1-4d4f-95fa-6ef0e9125858\",\n \"name\": \"user\",\n \"children\": [\n {\n \"type\": \"route\",\n \"uuid\": \"b071b344-f505-4b3b-ab48-963913a8f733\"\n 
},\n {\n \"type\": \"route\",\n \"uuid\": \"b05bcbda-d9b1-4bf1-89ae-f4161426251b\"\n },\n {\n \"type\": \"route\",\n \"uuid\": \"a4bc1f9a-cad0-416a-99a0-0202b1ccbe34\"\n },\n {\n \"type\": \"route\",\n \"uuid\": \"654ef4ca-727f-48f6-8561-5a1a73bd80d7\"\n },\n {\n \"type\": \"route\",\n \"uuid\": \"8ac42783-a83d-4f6a-98ff-f76b7660e585\"\n }\n ]\n }\n ],\n \"routes\": [\n {\n \"uuid\": \"b071b344-f505-4b3b-ab48-963913a8f733\",\n \"type\": \"http\",\n \"documentation\": \"Creates new user\",\n \"method\": \"post\",\n \"endpoint\": \"user\",\n \"responses\": [\n {\n \"uuid\": \"0a1cd03e-8140-42cb-a0a3-67e99f44b595\",\n \"body\": \"{}\",\n \"latency\": 0,\n \"statusCode\": 200,\n \"label\": \"\",\n \"headers\": [],\n \"bodyType\": \"DATABUCKET\",\n \"filePath\": \"\",\n \"databucketID\": \"w34k\",\n \"sendFileAsBody\": false,\n \"rules\": [\n {\n \"target\": \"body\",\n \"modifier\": \"$\",\n \"value\": \"CreateUserRequest\",\n \"invert\": false,\n \"operator\": \"valid_json_schema\"\n }\n ],\n \"rulesOperator\": \"AND\",\n \"disableTemplating\": false,\n \"fallbackTo404\": false,\n \"default\": false,\n \"crudKey\": \"id\",\n \"callbacks\": []\n },\n {\n \"uuid\": \"2334411e-b9c5-425e-8bd8-470da7d11077\",\n \"body\": \"{}\",\n \"latency\": 0,\n \"statusCode\": 400,\n \"label\": \"\",\n \"headers\": [],\n \"bodyType\": \"DATABUCKET\",\n \"filePath\": \"\",\n \"databucketID\": \"\",\n \"sendFileAsBody\": false,\n \"rules\": [],\n \"rulesOperator\": \"OR\",\n \"disableTemplating\": false,\n \"fallbackTo404\": false,\n \"default\": true,\n \"crudKey\": \"id\",\n \"callbacks\": []\n }\n ],\n \"responseMode\": null,\n \"streamingMode\": null,\n \"streamingInterval\": 0\n },\n {\n \"uuid\": \"654ef4ca-727f-48f6-8561-5a1a73bd80d7\",\n \"type\": \"http\",\n \"documentation\": \"Logout\",\n \"method\": \"post\",\n \"endpoint\": \"user/logout\",\n \"responses\": [\n {\n \"uuid\": \"8e9bafc8-78e5-4685-88cd-3b90f85edb87\",\n \"body\": \"{}\",\n \"latency\": 0,\n \"statusCode\": 
200,\n \"label\": \"\",\n \"headers\": [],\n \"bodyType\": \"INLINE\",\n \"filePath\": \"\",\n \"databucketID\": \"\",\n \"sendFileAsBody\": false,\n \"rules\": [],\n \"rulesOperator\": \"OR\",\n \"disableTemplating\": false,\n \"fallbackTo404\": false,\n \"default\": true,\n \"crudKey\": \"id\",\n \"callbacks\": []\n }\n ],\n \"responseMode\": null,\n \"streamingMode\": null,\n \"streamingInterval\": 0\n },\n {\n \"uuid\": \"b05bcbda-d9b1-4bf1-89ae-f4161426251b\",\n \"type\": \"http\",\n \"documentation\": \"Authenticate user with credentials\",\n \"method\": \"post\",\n \"endpoint\": \"user/authenticate\",\n \"responses\": [\n {\n \"uuid\": \"91ecae5f-67e0-4264-b724-964d54d7d458\",\n \"body\": \"{}\",\n \"latency\": 0,\n \"statusCode\": 200,\n \"label\": \"\",\n \"headers\": [],\n \"bodyType\": \"DATABUCKET\",\n \"filePath\": \"\",\n \"databucketID\": \"77fk\",\n \"sendFileAsBody\": false,\n \"rules\": [\n {\n \"target\": \"body\",\n \"modifier\": \"$\",\n \"value\": \"AuthenticateUserRequest\",\n \"invert\": false,\n \"operator\": \"valid_json_schema\"\n }\n ],\n \"rulesOperator\": \"OR\",\n \"disableTemplating\": false,\n \"fallbackTo404\": false,\n \"default\": false,\n \"crudKey\": \"id\",\n \"callbacks\": []\n },\n {\n \"uuid\": \"6e78ae1f-c46c-43fc-a96b-6718ec506d26\",\n \"body\": \"{}\",\n \"latency\": 0,\n \"statusCode\": 400,\n \"label\": \"\",\n \"headers\": [],\n \"bodyType\": \"INLINE\",\n \"filePath\": \"\",\n \"databucketID\": \"\",\n \"sendFileAsBody\": false,\n \"rules\": [],\n \"rulesOperator\": \"OR\",\n \"disableTemplating\": false,\n \"fallbackTo404\": false,\n \"default\": true,\n \"crudKey\": \"id\",\n \"callbacks\": []\n }\n ],\n \"responseMode\": null,\n \"streamingMode\": null,\n \"streamingInterval\": 0\n },\n {\n \"uuid\": \"8ac42783-a83d-4f6a-98ff-f76b7660e585\",\n \"type\": \"http\",\n \"documentation\": \"Refresh Session\",\n \"method\": \"post\",\n \"endpoint\": \"user/refresh-session\",\n \"responses\": [\n {\n \"uuid\": 
\"5505a95b-80d0-46cc-b388-9d5afac52102\",\n \"body\": \"{}\",\n \"latency\": 0,\n \"statusCode\": 200,\n \"label\": \"\",\n \"headers\": [],\n \"bodyType\": \"DATABUCKET\",\n \"filePath\": \"\",\n \"databucketID\": \"77fk\",\n \"sendFileAsBody\": false,\n \"rules\": [\n {\n \"target\": \"body\",\n \"modifier\": \"refreshToken\",\n \"value\": \"\",\n \"invert\": true,\n \"operator\": \"null\"\n }\n ],\n \"rulesOperator\": \"OR\",\n \"disableTemplating\": false,\n \"fallbackTo404\": false,\n \"default\": true,\n \"crudKey\": \"id\",\n \"callbacks\": []\n },\n {\n \"uuid\": \"7d54557c-5d32-44c1-92dc-a594615ce7d8\",\n \"body\": \"{}\",\n \"latency\": 0,\n \"statusCode\": 401,\n \"label\": \"\",\n \"headers\": [],\n \"bodyType\": \"INLINE\",\n \"filePath\": \"\",\n \"databucketID\": \"\",\n \"sendFileAsBody\": false,\n \"rules\": [\n {\n \"target\": \"body\",\n \"modifier\": \"refreshToken\",\n \"value\": \"\",\n \"invert\": false,\n \"operator\": \"null\"\n }\n ],\n \"rulesOperator\": \"OR\",\n \"disableTemplating\": false,\n \"fallbackTo404\": false,\n \"default\": false,\n \"crudKey\": \"id\",\n \"callbacks\": []\n }\n ],\n \"responseMode\": null,\n \"streamingMode\": null,\n \"streamingInterval\": 0\n },\n {\n \"uuid\": \"2be5e000-c494-4e86-abfa-7e736ccec3af\",\n \"type\": \"http\",\n \"documentation\": \"Auth required\",\n \"method\": \"all\",\n \"endpoint\": \"*\",\n \"responses\": [\n {\n \"uuid\": \"c49cf55f-b651-4a26-9c10-9806af40c0c4\",\n \"body\": \"{}\",\n \"latency\": 0,\n \"statusCode\": 401,\n \"label\": \"\",\n \"headers\": [],\n \"bodyType\": \"INLINE\",\n \"filePath\": \"\",\n \"databucketID\": \"\",\n \"sendFileAsBody\": false,\n \"rules\": [\n {\n \"target\": \"header\",\n \"modifier\": \"funfy-auth-token\",\n \"value\": \"\",\n \"invert\": false,\n \"operator\": \"null\"\n },\n {\n \"target\": \"path\",\n \"modifier\": \"\",\n \"value\": \"/user\",\n \"invert\": true,\n \"operator\": \"equals\"\n },\n {\n \"target\": \"path\",\n \"modifier\": 
\"\",\n \"value\": \"/user/authenticate\",\n \"invert\": true,\n \"operator\": \"equals\"\n }\n ],\n \"rulesOperator\": \"AND\",\n \"disableTemplating\": false,\n \"fallbackTo404\": false,\n \"default\": true,\n \"crudKey\": \"id\",\n \"callbacks\": []\n }\n ],\n \"responseMode\": \"FALLBACK\",\n \"streamingMode\": null,\n \"streamingInterval\": 0\n },\n {\n \"uuid\": \"a4bc1f9a-cad0-416a-99a0-0202b1ccbe34\",\n \"type\": \"http\",\n \"documentation\": \"RefreshToken is required\",\n \"method\": \"all\",\n \"endpoint\": \"user/*\",\n \"responses\": [\n {\n \"uuid\": \"e5d4e8a4-037e-4e72-b8a3-1e4b9c5da3bd\",\n \"body\": \"{}\",\n \"latency\": 0,\n \"statusCode\": 400,\n \"label\": \"\",\n \"headers\": [],\n \"bodyType\": \"INLINE\",\n \"filePath\": \"\",\n \"databucketID\": \"\",\n \"sendFileAsBody\": false,\n \"rules\": [\n {\n \"target\": \"body\",\n \"modifier\": \"$.refreshToken\",\n \"value\": \"\",\n \"invert\": false,\n \"operator\": \"null\"\n }\n ],\n \"rulesOperator\": \"AND\",\n \"disableTemplating\": false,\n \"fallbackTo404\": false,\n \"default\": true,\n \"crudKey\": \"id\",\n \"callbacks\": []\n }\n ],\n \"responseMode\": \"FALLBACK\",\n \"streamingMode\": null,\n \"streamingInterval\": 0\n },\n {\n \"uuid\": \"dd9329aa-3b68-4907-b069-52d1d1793ca8\",\n \"type\": \"http\",\n \"documentation\": \"\",\n \"method\": \"get\",\n \"endpoint\": \"test\",\n \"responses\": [\n {\n \"uuid\": \"acc619a1-6ec7-45a6-888c-a7a860ed237b\",\n \"body\": \"{\\n \\\"message\\\": \\\"route required auth\\\"\\n}\",\n \"latency\": 0,\n \"statusCode\": 200,\n \"label\": \"\",\n \"headers\": [],\n \"bodyType\": \"INLINE\",\n \"filePath\": \"\",\n \"databucketID\": \"\",\n \"sendFileAsBody\": false,\n \"rules\": [],\n \"rulesOperator\": \"OR\",\n \"disableTemplating\": false,\n \"fallbackTo404\": false,\n \"default\": true,\n \"crudKey\": \"id\",\n \"callbacks\": []\n }\n ],\n \"responseMode\": null,\n \"streamingMode\": null,\n \"streamingInterval\": 0\n }\n ],\n 
\"rootChildren\": [\n {\n \"type\": \"route\",\n \"uuid\": \"2be5e000-c494-4e86-abfa-7e736ccec3af\"\n },\n {\n \"type\": \"folder\",\n \"uuid\": \"b429b3e6-d7b1-4d4f-95fa-6ef0e9125858\"\n },\n {\n \"type\": \"route\",\n \"uuid\": \"dd9329aa-3b68-4907-b069-52d1d1793ca8\"\n }\n ],\n \"proxyMode\": false,\n \"proxyHost\": \"\",\n \"proxyRemovePrefix\": false,\n \"tlsOptions\": {\n \"enabled\": false,\n \"type\": \"CERT\",\n \"pfxPath\": \"\",\n \"certPath\": \"\",\n \"keyPath\": \"\",\n \"caPath\": \"\",\n \"passphrase\": \"\"\n },\n \"cors\": true,\n \"headers\": [\n {\n \"key\": \"Content-Type\",\n \"value\": \"application/json\"\n },\n {\n \"key\": \"Access-Control-Allow-Origin\",\n \"value\": \"*\"\n },\n {\n \"key\": \"Access-Control-Allow-Methods\",\n \"value\": \"GET,POST,PUT,PATCH,DELETE,HEAD,OPTIONS\"\n },\n {\n \"key\": \"Access-Control-Allow-Headers\",\n \"value\": \"Content-Type, Origin, Accept, Authorization, Content-Length, X-Requested-With\"\n }\n ],\n \"proxyReqHeaders\": [\n {\n \"key\": \"\",\n \"value\": \"\"\n }\n ],\n \"proxyResHeaders\": [\n {\n \"key\": \"\",\n \"value\": \"\"\n }\n ],\n \"data\": [\n {\n \"uuid\": \"38fb975d-c6f0-48d9-ae52-9e3fbc5cb654\",\n \"id\": \"8wey\",\n \"name\": \"Globals\",\n \"documentation\": \"\",\n \"value\": \"\"\n },\n {\n \"uuid\": \"2372a308-c890-479c-a18b-54abe4696967\",\n \"id\": \"zzay\",\n \"name\": \"ISODate\",\n \"documentation\": \"Datetime shared format comes from backend\",\n \"value\": \"\\\"{{now 'yyyy-MM-dd\\\\'T\\\\'HH:mm:ss\\\\'Z\\\\''}}\\\"\"\n },\n {\n \"uuid\": \"160c80f4-39c7-494d-a489-06da2e51aa87\",\n \"id\": \"g4qq\",\n \"name\": \"CreateUserRequest\",\n \"documentation\": \"\",\n \"value\": \"{\\n \\\"type\\\": \\\"object\\\",\\n \\\"properties\\\": {\\n \\\"email\\\": { \\\"type\\\": \\\"string\\\" },\\n \\\"phone\\\": { \\\"type\\\": \\\"string\\\" },\\n \\\"password\\\": { \\\"type\\\": \\\"string\\\" }\\n },\\n \\\"required\\\": [\\\"phone\\\", \\\"password\\\"]\\n}\\n\"\n },\n {\n 
\"uuid\": \"c1d673ba-f7cf-4fd2-8cc8-449017a3ff17\",\n \"id\": \"ofz6\",\n \"name\": \"AuthenticateUserRequest\",\n \"documentation\": \"\",\n \"value\": \"{\\n \\\"type\\\": \\\"object\\\",\\n \\\"properties\\\": {\\n \\\"phone\\\": { \\\"type\\\": \\\"string\\\" },\\n \\\"password\\\": { \\\"type\\\": \\\"string\\\" }\\n },\\n \\\"required\\\": [\\\"phone\\\", \\\"password\\\"]\\n}\\n\"\n },\n {\n \"uuid\": \"2844853c-c892-4671-9201-0b252711a36b\",\n \"id\": \"w34k\",\n \"name\": \"User\",\n \"documentation\": \"\",\n \"value\": \"{\\n \\\"id\\\": \\\"{{faker 'string.uuid'}}\\\",\\n \\\"email\\\": \\\"{{faker 'internet.email'}}\\\",\\n \\\"phone\\\": \\\"{{faker 'phone.number' style='international'}}\\\",\\n \\\"createdAt\\\": \\\"{{data 'ISODate'}}\\\",\\n \\\"updatedAt\\\": \\\"{{data 'ISODate'}}\\\",\\n}\"\n },\n {\n \"uuid\": \"e698b979-5934-45f2-8612-5782a8b1e0be\",\n \"id\": \"77fk\",\n \"name\": \"Authentication\",\n \"documentation\": \"\",\n \"value\": \"{\\n \\\"refreshToken\\\": \\\"{{faker 'string.uuid'}}\\\",\\n \\\"accessToken\\\": \\\"{{faker 'string.uuid'}}\\\"\\n}\"\n }\n ],\n \"callbacks\": []\n}", + "event": { + "category": "intrusion_detection", + "kind": "alert", + "type": "info" + }, + "observer": { + "product": "Singularity Identity", + "vendor": "SentinelOne" + }, + "sentinelone": { + "identity": { + "name": "Mocked api" + } + } + } +} diff --git a/SentinelOne/identity/tests/test_alert_3.json b/SentinelOne/identity/tests/test_alert_3.json new file mode 100644 index 000000000..cbc475032 --- /dev/null +++ b/SentinelOne/identity/tests/test_alert_3.json 
@@ -0,0 +1,34 @@ +{ + "input": { + "message": "{\"id\": \"01935359-3eda-7903-93fc-af6a0e5d0a8f\", \"name\": \"Brute force attack - Mass Account Lockout\", \"description\": \"This event is raised when ADAssessor detects lockout of multiple accounts, which could be due to brute-force attempts or a password spray.\", \"detectedAt\": \"2024-11-22T10:09:37.779Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"UNKNOWN\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T10:09:37.779Z\", \"lastSeenAt\": \"2024-11-22T10:09:37.779Z\", \"process\": null, \"result\": null, \"storylineId\": null}" + }, + "expected": { + "message": "{\"id\": \"01935359-3eda-7903-93fc-af6a0e5d0a8f\", \"name\": \"Brute force attack - Mass Account Lockout\", \"description\": \"This event is raised when ADAssessor detects lockout of multiple accounts, which could be due to brute-force attempts or a password spray.\", \"detectedAt\": \"2024-11-22T10:09:37.779Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"UNKNOWN\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T10:09:37.779Z\", \"lastSeenAt\": \"2024-11-22T10:09:37.779Z\", \"process\": null, \"result\": null, \"storylineId\": null}", + "event": { + "category": "intrusion_detection", + "end": "2024-11-22T10:09:37.779000Z", + "kind": "alert", + "provider": "Identity", + "reason": "This event is raised when ADAssessor detects lockout of multiple accounts, which could be due to brute-force attempts or a password spray.", + "start": "2024-11-22T10:09:37.779000Z", + "type": "info" + }, + "@timestamp": "2024-11-22T10:09:37.779000Z", + "observer": { + "product": "Singularity Identity", + "vendor": "SentinelOne" + }, + "sentinelone": { + "identity": { + "attackSurfaces": [ + "IDENTITY" + ], + "classification": 
"UNKNOWN", + "confidenceLevel": "MALICIOUS", + "id": "01935359-3eda-7903-93fc-af6a0e5d0a8f", + "name": "Brute force attack - Mass Account Lockout", + "status": "NEW" + } + } + } +} \ No newline at end of file diff --git a/SentinelOne/identity/tests/test_alert_4.json b/SentinelOne/identity/tests/test_alert_4.json new file mode 100644 index 000000000..64efcfc10 --- /dev/null +++ b/SentinelOne/identity/tests/test_alert_4.json 
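Review bot: The detection title and alert identifier survive only under the vendor namespace in the expected block (`sentinelone.identity.name`, `sentinelone.identity.id`), so ECS consumers that correlate on `rule.name` or deduplicate on `event.id` see neither. `name` here is a rule-like title (`Brute force attack - Mass Account Lockout`) and `id` is the per-alert identifier, which is exactly what those two ECS fields are for. I would expect the fixture to additionally pin `"id": "01935359-3eda-7903-93fc-af6a0e5d0a8f"` under `event` and `"rule": { "name": "Brute force attack - Mass Account Lockout" }`, with the corresponding mapping added in ingest/parser.yml (not part of this hunk).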
@@ -0,0 +1,34 @@ +{ + "input": { + "message": "{\"id\": \"01935358-ee81-7eb7-b57f-022c6f0019a9\", \"name\": \"Brute force attack - Mass Account Lockout\", \"description\": \"This event is raised when ADAssessor detects lockout of multiple accounts, which could be due to brute-force attempts or a password spray.\", \"detectedAt\": \"2024-11-22T10:09:17.184Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"UNKNOWN\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T10:09:17.184Z\", \"lastSeenAt\": \"2024-11-22T10:09:17.184Z\", \"process\": null, \"result\": null, \"storylineId\": null}" + }, + "expected": { + "message": "{\"id\": \"01935358-ee81-7eb7-b57f-022c6f0019a9\", \"name\": \"Brute force attack - Mass Account Lockout\", \"description\": \"This event is raised when ADAssessor detects lockout of multiple accounts, which could be due to brute-force attempts or a password spray.\", \"detectedAt\": \"2024-11-22T10:09:17.184Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"UNKNOWN\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T10:09:17.184Z\", \"lastSeenAt\": \"2024-11-22T10:09:17.184Z\", \"process\": null, \"result\": null, \"storylineId\": null}", + "event": { + "category": "intrusion_detection", + "end": "2024-11-22T10:09:17.184000Z", + "kind": "alert", + "provider": "Identity", + "reason": "This event is raised when ADAssessor detects lockout of multiple accounts, which could be due to brute-force attempts or a password spray.", + "start": "2024-11-22T10:09:17.184000Z", + "type": "info" + }, + "@timestamp": "2024-11-22T10:09:17.184000Z", + "observer": { + "product": "Singularity Identity", + "vendor": "SentinelOne" + }, + "sentinelone": { + "identity": { + "attackSurfaces": [ + "IDENTITY" + ], + "classification": 
"UNKNOWN", + "confidenceLevel": "MALICIOUS", + "id": "01935358-ee81-7eb7-b57f-022c6f0019a9", + "name": "Brute force attack - Mass Account Lockout", + "status": "NEW" + } + } + } +} \ No newline at end of file diff --git a/SentinelOne/identity/tests/test_alert_5.json b/SentinelOne/identity/tests/test_alert_5.json new file mode 100644 index 000000000..f1339df60 --- /dev/null +++ b/SentinelOne/identity/tests/test_alert_5.json 
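Review bot: This fixture is the same alert shape as the previous one with only `id` and the timestamps changed, so it adds no parser coverage, while every fixture in the series carries `assignee`, `result` and `storylineId` as null. Only the null-handling path is therefore exercised; whatever the parser does when those are populated is untested and a mapping for them could break silently. I would replace this duplicate with an input where at least `storylineId` and `result` are non-null (in whatever shape the API actually returns them) and pin where they land in the expected output.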
@@ -0,0 +1,49 @@ +{ + "input": { + "message": "{\"id\": \"0193534d-63c1-7497-b854-b883425af3f5\", \"name\": \"Domain Controller Discovery Detected\", \"description\": \"This event is raised when there is a query from an endpoint to find the domain controllers or AD Servers in the Active Directory Domain.\", \"detectedAt\": \"2024-11-22T09:54:58.000Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"ENUMERATION\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T09:54:58.000Z\", \"lastSeenAt\": \"2024-11-22T09:54:58.000Z\", \"process\": {\"cmdLine\": \"\\\"C:\\\\Windows\\\\system32\\\\cmd.exe\\\"\", \"file\": {\"path\": \"c:\\\\windows\\\\system32\\\\cmd.exe\", \"sha1\": null, \"sha256\": \"4D89FC34D5F0F9BABD022271C585A9477BF41E834E46B991DEAA0530FDB25E22\", \"md5\": null}, \"parentName\": null}, \"result\": null, \"storylineId\": null}" + }, + "expected": { + "message": "{\"id\": \"0193534d-63c1-7497-b854-b883425af3f5\", \"name\": \"Domain Controller Discovery Detected\", \"description\": \"This event is raised when there is a query from an endpoint to find the domain controllers or AD Servers in the Active Directory Domain.\", \"detectedAt\": \"2024-11-22T09:54:58.000Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"ENUMERATION\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T09:54:58.000Z\", \"lastSeenAt\": \"2024-11-22T09:54:58.000Z\", \"process\": {\"cmdLine\": \"\\\"C:\\\\Windows\\\\system32\\\\cmd.exe\\\"\", \"file\": {\"path\": \"c:\\\\windows\\\\system32\\\\cmd.exe\", \"sha1\": null, \"sha256\": \"4D89FC34D5F0F9BABD022271C585A9477BF41E834E46B991DEAA0530FDB25E22\", \"md5\": null}, \"parentName\": null}, \"result\": null, \"storylineId\": null}", + "event": { + "category": "intrusion_detection", + "end": 
"2024-11-22T09:54:58Z", + "kind": "alert", + "provider": "Identity", + "reason": "This event is raised when there is a query from an endpoint to find the domain controllers or AD Servers in the Active Directory Domain.", + "start": "2024-11-22T09:54:58Z", + "type": "info" + }, + "@timestamp": "2024-11-22T09:54:58Z", + "file": { + "hash": { + "sha256": "4D89FC34D5F0F9BABD022271C585A9477BF41E834E46B991DEAA0530FDB25E22" + }, + "name": "cmd.exe", + "path": "c:\\windows\\system32\\cmd.exe" + }, + "observer": { + "product": "Singularity Identity", + "vendor": "SentinelOne" + }, + "process": { + "command_line": "\"C:\\Windows\\system32\\cmd.exe\"" + }, + "related": { + "hash": [ + "4D89FC34D5F0F9BABD022271C585A9477BF41E834E46B991DEAA0530FDB25E22" + ] + }, + "sentinelone": { + "identity": { + "attackSurfaces": [ + "IDENTITY" + ], + "classification": "ENUMERATION", + "confidenceLevel": "MALICIOUS", + "id": "0193534d-63c1-7497-b854-b883425af3f5", + "name": "Domain Controller Discovery Detected", + "status": "NEW" + } + } + } +} \ No newline at end of file diff --git a/SentinelOne/identity/tests/test_alert_6.json b/SentinelOne/identity/tests/test_alert_6.json new file mode 100644 index 000000000..e43c64e20 --- /dev/null +++ b/SentinelOne/identity/tests/test_alert_6.json 
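Review bot: The detected process's image path and hash are pinned under `file.path`, `file.name` and `file.hash.sha256` rather than `process.executable`, `process.name` and `process.hash.sha256`, even though the source nests them under `process.file` and `process.cmdLine` is already mapped to `process.command_line`. Detection content keyed on the process (e.g. `process.name: cmd.exe` for a Domain Controller Discovery alert) will not match these events, and `process.*` is left half-populated. I would expect the expected block to carry `"process": { "command_line": "\"C:\\Windows\\system32\\cmd.exe\"", "executable": "c:\\windows\\system32\\cmd.exe", "name": "cmd.exe", "hash": { "sha256": "4D89FC34D5F0F9BABD022271C585A9477BF41E834E46B991DEAA0530FDB25E22" } }` (keeping the `file.*` copies if something downstream already relies on them), with the matching change in parser.yml.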
@@ -0,0 +1,49 @@ +{ + "input": { + "message": "{\"id\": \"01935347-abf7-7457-8467-e3443470e6f3\", \"name\": \"AD Domain Computer Enumeration Detected\", \"description\": \"This event is raised when there is a query from an endpoint to dump all the computers in the Active Directory Domain.\", \"detectedAt\": \"2024-11-22T09:45:51.000Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"ENUMERATION\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T09:45:51.000Z\", \"lastSeenAt\": \"2024-11-22T09:45:51.000Z\", \"process\": {\"cmdLine\": \"Sharphound.exe\", \"file\": {\"path\": \"c:\\\\users\\\\administrator\\\\desktop\\\\ad_recon\\\\sharphound.exe\", \"sha1\": null, \"sha256\": \"61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863\", \"md5\": null}, \"parentName\": null}, \"result\": null, \"storylineId\": null}" + }, + "expected": { + "message": "{\"id\": \"01935347-abf7-7457-8467-e3443470e6f3\", \"name\": \"AD Domain Computer Enumeration Detected\", \"description\": \"This event is raised when there is a query from an endpoint to dump all the computers in the Active Directory Domain.\", \"detectedAt\": \"2024-11-22T09:45:51.000Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"ENUMERATION\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T09:45:51.000Z\", \"lastSeenAt\": \"2024-11-22T09:45:51.000Z\", \"process\": {\"cmdLine\": \"Sharphound.exe\", \"file\": {\"path\": \"c:\\\\users\\\\administrator\\\\desktop\\\\ad_recon\\\\sharphound.exe\", \"sha1\": null, \"sha256\": \"61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863\", \"md5\": null}, \"parentName\": null}, \"result\": null, \"storylineId\": null}", + "event": { + "category": "intrusion_detection", + "end": "2024-11-22T09:45:51Z", + "kind": "alert", 
+ "provider": "Identity", + "reason": "This event is raised when there is a query from an endpoint to dump all the computers in the Active Directory Domain.", + "start": "2024-11-22T09:45:51Z", + "type": "info" + }, + "@timestamp": "2024-11-22T09:45:51Z", + "file": { + "hash": { + "sha256": "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863" + }, + "name": "sharphound.exe", + "path": "c:\\users\\administrator\\desktop\\ad_recon\\sharphound.exe" + }, + "observer": { + "product": "Singularity Identity", + "vendor": "SentinelOne" + }, + "process": { + "command_line": "Sharphound.exe" + }, + "related": { + "hash": [ + "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863" + ] + }, + "sentinelone": { + "identity": { + "attackSurfaces": [ + "IDENTITY" + ], + "classification": "ENUMERATION", + "confidenceLevel": "MALICIOUS", + "id": "01935347-abf7-7457-8467-e3443470e6f3", + "name": "AD Domain Computer Enumeration Detected", + "status": "NEW" + } + } + } +} \ No newline at end of file diff --git a/SentinelOne/identity/tests/test_alert_7.json b/SentinelOne/identity/tests/test_alert_7.json new file mode 100644 index 000000000..d4acce26a --- /dev/null +++ b/SentinelOne/identity/tests/test_alert_7.json 
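Review bot: `@timestamp`, `event.start` and `event.end` are pinned here as `2024-11-22T09:45:51Z`, while fixtures whose source timestamps carry non-zero milliseconds pin six-digit values such as `2024-11-22T09:45:07.655000Z`; the fractional part is dropped only when the source has `.000Z`. Two representations of the same field from the same feed make exact-match comparisons and fixture review harder, and this looks like a datetime isoformat artefact rather than a deliberate choice. I would normalise the parser's timestamp output to one representation, e.g. always `"@timestamp": "2024-11-22T09:45:51.000000Z"`, and update these expected values accordingly.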
@@ -0,0 +1,49 @@ +{ + "input": { + "message": "{\"id\": \"01935347-b05a-7d28-a929-5294ee16628a\", \"name\": \"Domain Controller Discovery Detected\", \"description\": \"This event is raised when there is a query from an endpoint to find the domain controllers or AD Servers in the Active Directory Domain.\", \"detectedAt\": \"2024-11-22T09:45:51.000Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"ENUMERATION\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T09:45:51.000Z\", \"lastSeenAt\": \"2024-11-22T09:45:51.000Z\", \"process\": {\"cmdLine\": \"Sharphound.exe\", \"file\": {\"path\": \"c:\\\\users\\\\administrator\\\\desktop\\\\ad_recon\\\\sharphound.exe\", \"sha1\": null, \"sha256\": \"61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863\", \"md5\": null}, \"parentName\": null}, \"result\": null, \"storylineId\": null}" + }, + "expected": { + "message": "{\"id\": \"01935347-b05a-7d28-a929-5294ee16628a\", \"name\": \"Domain Controller Discovery Detected\", \"description\": \"This event is raised when there is a query from an endpoint to find the domain controllers or AD Servers in the Active Directory Domain.\", \"detectedAt\": \"2024-11-22T09:45:51.000Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"ENUMERATION\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T09:45:51.000Z\", \"lastSeenAt\": \"2024-11-22T09:45:51.000Z\", \"process\": {\"cmdLine\": \"Sharphound.exe\", \"file\": {\"path\": \"c:\\\\users\\\\administrator\\\\desktop\\\\ad_recon\\\\sharphound.exe\", \"sha1\": null, \"sha256\": \"61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863\", \"md5\": null}, \"parentName\": null}, \"result\": null, \"storylineId\": null}", + "event": { + "category": "intrusion_detection", + "end": 
"2024-11-22T09:45:51Z", + "kind": "alert", + "provider": "Identity", + "reason": "This event is raised when there is a query from an endpoint to find the domain controllers or AD Servers in the Active Directory Domain.", + "start": "2024-11-22T09:45:51Z", + "type": "info" + }, + "@timestamp": "2024-11-22T09:45:51Z", + "file": { + "hash": { + "sha256": "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863" + }, + "name": "sharphound.exe", + "path": "c:\\users\\administrator\\desktop\\ad_recon\\sharphound.exe" + }, + "observer": { + "product": "Singularity Identity", + "vendor": "SentinelOne" + }, + "process": { + "command_line": "Sharphound.exe" + }, + "related": { + "hash": [ + "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863" + ] + }, + "sentinelone": { + "identity": { + "attackSurfaces": [ + "IDENTITY" + ], + "classification": "ENUMERATION", + "confidenceLevel": "MALICIOUS", + "id": "01935347-b05a-7d28-a929-5294ee16628a", + "name": "Domain Controller Discovery Detected", + "status": "NEW" + } + } + } +} \ No newline at end of file diff --git a/SentinelOne/identity/tests/test_alert_8.json b/SentinelOne/identity/tests/test_alert_8.json new file mode 100644 index 000000000..384a41648 --- /dev/null +++ b/SentinelOne/identity/tests/test_alert_8.json 
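Review bot: The SHA-256 in `file.hash.sha256` and `related.hash` is pinned in the vendor's upper-case form (`61F897ED…`). `related.hash` exists for exact-match lookups against indicator lists, and most threat-intel feeds and other parsers emit lower-case hex, so a case-sensitive keyword match against this value would miss; the vendor's casing is also not something the parser should depend on staying stable. I would lower-case hashes in the parser and pin `"related": { "hash": [ "61f897ed69646e0509f6802fb2d7c5e88c3e3b93c4ca86942e24d203aa878863" ] }` here (and the same under `file.hash.sha256`), leaving the raw `message` untouched.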
@@ -0,0 +1,34 @@ +{ + "input": { + "message": "{\"id\": \"01935342-d073-7ed0-8c5e-2373fc013310\", \"name\": \"Default Admin Account Usage\", \"description\": \"This event is raised for default administrator account logon anywhere in the domain.\", \"detectedAt\": \"2024-11-22T09:45:07.655Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"UNKNOWN\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T09:45:07.655Z\", \"lastSeenAt\": \"2024-11-22T09:45:07.655Z\", \"process\": null, \"result\": null, \"storylineId\": null}" + }, + "expected": { + "message": "{\"id\": \"01935342-d073-7ed0-8c5e-2373fc013310\", \"name\": \"Default Admin Account Usage\", \"description\": \"This event is raised for default administrator account logon anywhere in the domain.\", \"detectedAt\": \"2024-11-22T09:45:07.655Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"UNKNOWN\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T09:45:07.655Z\", \"lastSeenAt\": \"2024-11-22T09:45:07.655Z\", \"process\": null, \"result\": null, \"storylineId\": null}", + "event": { + "category": "intrusion_detection", + "end": "2024-11-22T09:45:07.655000Z", + "kind": "alert", + "provider": "Identity", + "reason": "This event is raised for default administrator account logon anywhere in the domain.", + "start": "2024-11-22T09:45:07.655000Z", + "type": "info" + }, + "@timestamp": "2024-11-22T09:45:07.655000Z", + "observer": { + "product": "Singularity Identity", + "vendor": "SentinelOne" + }, + "sentinelone": { + "identity": { + "attackSurfaces": [ + "IDENTITY" + ], + "classification": "UNKNOWN", + "confidenceLevel": "MALICIOUS", + "id": "01935342-d073-7ed0-8c5e-2373fc013310", + "name": "Default Admin Account Usage", + "status": "NEW" + } + } + } +} \ No newline at end of file 
diff --git a/SentinelOne/identity/tests/test_alert_9.json b/SentinelOne/identity/tests/test_alert_9.json new file mode 100644 index 000000000..74ab3a7f3 --- /dev/null +++ b/SentinelOne/identity/tests/test_alert_9.json 
@@ -0,0 +1,34 @@ +{ + "input": { + "message": "{\"id\": \"01935322-cc3a-76cc-890b-a1c2d1b815d4\", \"name\": \"Brute force attack - Mass Account Lockout\", \"description\": \"This event is raised when ADAssessor detects lockout of multiple accounts, which could be due to brute-force attempts or a password spray.\", \"detectedAt\": \"2024-11-22T09:10:09.467Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"UNKNOWN\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T09:10:09.467Z\", \"lastSeenAt\": \"2024-11-22T09:10:09.467Z\", \"process\": null, \"result\": null, \"storylineId\": null}" + }, + "expected": { + "message": "{\"id\": \"01935322-cc3a-76cc-890b-a1c2d1b815d4\", \"name\": \"Brute force attack - Mass Account Lockout\", \"description\": \"This event is raised when ADAssessor detects lockout of multiple accounts, which could be due to brute-force attempts or a password spray.\", \"detectedAt\": \"2024-11-22T09:10:09.467Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"UNKNOWN\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T09:10:09.467Z\", \"lastSeenAt\": \"2024-11-22T09:10:09.467Z\", \"process\": null, \"result\": null, \"storylineId\": null}", + "event": { + "category": "intrusion_detection", + "end": "2024-11-22T09:10:09.467000Z", + "kind": "alert", + "provider": "Identity", + "reason": "This event is raised when ADAssessor detects lockout of multiple accounts, which could be due to brute-force attempts or a password spray.", + "start": "2024-11-22T09:10:09.467000Z", + "type": "info" + }, + "@timestamp": "2024-11-22T09:10:09.467000Z", + "observer": { + "product": "Singularity Identity", + "vendor": "SentinelOne" + }, + "sentinelone": { + "identity": { + "attackSurfaces": [ + "IDENTITY" + ], + "classification": 
"UNKNOWN", + "confidenceLevel": "MALICIOUS", + "id": "01935322-cc3a-76cc-890b-a1c2d1b815d4", + "name": "Brute force attack - Mass Account Lockout", + "status": "NEW" + } + } + } +} \ No newline at end of file From e898b653c1cbe982f1f50db26b795f2e018db548 Mon Sep 17 00:00:00 2001 From: vg-svitla Date: Wed, 27 Nov 2024 12:20:13 +0200 Subject: [PATCH 02/18] Apply linter --- SentinelOne/identity/_meta/smart-descriptions.json | 2 +- SentinelOne/identity/ingest/parser.yml | 2 +- SentinelOne/identity/tests/test_alert_2.json | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/SentinelOne/identity/_meta/smart-descriptions.json b/SentinelOne/identity/_meta/smart-descriptions.json index ad570cb92..e09c5db80 100644 --- a/SentinelOne/identity/_meta/smart-descriptions.json +++ b/SentinelOne/identity/_meta/smart-descriptions.json @@ -43,4 +43,4 @@ } ] } -] \ No newline at end of file +] diff --git a/SentinelOne/identity/ingest/parser.yml b/SentinelOne/identity/ingest/parser.yml index 507745cb7..79cd3ec9f 100644 --- a/SentinelOne/identity/ingest/parser.yml +++ b/SentinelOne/identity/ingest/parser.yml @@ -64,4 +64,4 @@ stages: sentinelone.identity.classification: "{{json_event.message.classification}}" sentinelone.identity.confidenceLevel: "{{json_event.message.confidenceLevel}}" sentinelone.identity.result: "{{json_event.message.result}}" - sentinelone.identity.storyLineId: "{{json_event.message.storyLineId}}" \ No newline at end of file + sentinelone.identity.storyLineId: "{{json_event.message.storyLineId}}" diff --git a/SentinelOne/identity/tests/test_alert_2.json b/SentinelOne/identity/tests/test_alert_2.json index 6d697a5be..39420a5e0 100644 --- a/SentinelOne/identity/tests/test_alert_2.json +++ b/SentinelOne/identity/tests/test_alert_2.json @@ -19,4 +19,4 @@ } } } -} +} \ No newline at end of file From 5421cd89a9054a25770e7ce2e8e8ef1c1c018655 Mon Sep 17 00:00:00 2001 
From: vg-svitla Date: Wed, 27 Nov 2024 12:21:17 +0200 Subject: [PATCH 03/18] Fix datasources --- SentinelOne/identity/_meta/manifest.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/SentinelOne/identity/_meta/manifest.yml b/SentinelOne/identity/_meta/manifest.yml index 449172f8a..33be89396 100644 --- a/SentinelOne/identity/_meta/manifest.yml +++ b/SentinelOne/identity/_meta/manifest.yml @@ -6,3 +6,4 @@ description: >- SentinelOne Singularity Identity is a cybersecurity solution that provides identity protection and zero-trust security by continuously monitoring and analyzing user behaviors to detect and prevent potential threats. data_sources: + Application logs: activites performed on SentinelOne infrastructure are logged From a284a656b8d0f342bbdb8a6e70cb8332adc31db6 Mon Sep 17 00:00:00 2001 From: vg-svitla <131353512+vg-svitla@users.noreply.github.com> Date: Thu, 28 Nov 2024 14:14:52 +0200 Subject: [PATCH 04/18] Update SentinelOne/identity/_meta/manifest.yml MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Sébastien Quioc --- SentinelOne/identity/_meta/manifest.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/SentinelOne/identity/_meta/manifest.yml b/SentinelOne/identity/_meta/manifest.yml index 33be89396..1d18ad943 100644 --- a/SentinelOne/identity/_meta/manifest.yml +++ b/SentinelOne/identity/_meta/manifest.yml @@ -1,6 +1,6 @@ uuid: b502e522-6996-4b12-9538-f69326b68243 -name: identity -slug: identity +name: SentinelOne Singularity Identity +slug: sentinelone-singularity-identity description: >- SentinelOne Singularity Identity is a cybersecurity solution that provides identity protection and zero-trust security by continuously monitoring and analyzing user behaviors to detect and prevent potential threats. From b0a30f3d53175743ba460104746263e2d78444db Mon Sep 17 00:00:00 2001 
From: vg-svitla Date: Thu, 28 Nov 2024 15:28:49 +0200 Subject: [PATCH 05/18] Fix review comments --- SentinelOne/identity/ingest/parser.yml | 10 +++++----- SentinelOne/identity/tests/test_alert_1.json | 14 ++++++-------- SentinelOne/identity/tests/test_alert_11.json | 14 ++++++-------- SentinelOne/identity/tests/test_alert_12.json | 14 ++++++-------- SentinelOne/identity/tests/test_alert_13.json | 14 ++++++-------- SentinelOne/identity/tests/test_alert_14.json | 14 ++++++-------- SentinelOne/identity/tests/test_alert_15.json | 14 ++++++-------- SentinelOne/identity/tests/test_alert_16.json | 14 ++++++-------- SentinelOne/identity/tests/test_alert_5.json | 14 ++++++-------- SentinelOne/identity/tests/test_alert_6.json | 14 ++++++-------- SentinelOne/identity/tests/test_alert_7.json | 14 ++++++-------- 11 files changed, 65 insertions(+), 85 deletions(-) diff --git a/SentinelOne/identity/ingest/parser.yml b/SentinelOne/identity/ingest/parser.yml index 79cd3ec9f..90577404d 100644 --- a/SentinelOne/identity/ingest/parser.yml +++ b/SentinelOne/identity/ingest/parser.yml @@ -51,11 +51,11 @@ stages: process.command_line: "{{json_event.message.process.cmdLine}}" process.parent.name: "{{json_event.message.process.parentName}}" - file.path: "{{json_event.message.process.file.path}}" - file.name: "{{json_event.message.process.file.path | basename}}" - file.hash.sha1: "{{json_event.message.process.file.sha1}}" - file.hash.sha256: "{{json_event.message.process.file.sha256}}" - file.hash.md5: "{{json_event.message.process.file.md5}}" + process.executable: "{{json_event.message.process.file.path}}" + process.name: "{{json_event.message.process.file.path | basename}}" + process.hash.sha1: "{{json_event.message.process.file.sha1}}" + process.hash.sha256: "{{json_event.message.process.file.sha256}}" + process.hash.md5: "{{json_event.message.process.file.md5}}" sentinelone.identity.id: "{{json_event.message.id}}" sentinelone.identity.name: "{{json_event.message.name}}" 
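Review bot: The `process.*` remapping is fine, but the stage's last line — visible in the patch 02 linter hunk and just outside this hunk — reads `sentinelone.identity.storyLineId: "{{json_event.message.storyLineId}}"`, while every input sample in this series spells the key `storylineId` (lower-case `l`), so unless the JSON stage normalises key case that field will never be populated; change the source expression to `"{{json_event.message.storylineId}}"` (keep the target name if it is already declared in fields.yml). The fixtures cannot catch this because `storylineId` and `result` are `null` in all of them; add one sample with a non-null `storylineId` and assert it in the expected output.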
diff --git a/SentinelOne/identity/tests/test_alert_1.json b/SentinelOne/identity/tests/test_alert_1.json index 1e8b5bf2b..8d5dcf96a 100644 --- a/SentinelOne/identity/tests/test_alert_1.json +++ b/SentinelOne/identity/tests/test_alert_1.json @@ -14,19 +14,17 @@ "type": "info" }, "@timestamp": "2024-11-22T05:35:09Z", - "file": { - "hash": { - "sha256": "18F76BC1F02A161EBDEDF3142273C186D05A836ADDCAAEE599194089FD59F398" - }, - "name": "net1.exe", - "path": "c:\\windows\\system32\\net1.exe" - }, "observer": { "product": "Singularity Identity", "vendor": "SentinelOne" }, "process": { - "command_line": "C:\\Windows\\system32\\net1 group \"Domain Controllers\" /domain" + "command_line": "C:\\Windows\\system32\\net1 group \"Domain Controllers\" /domain", + "executable": "c:\\windows\\system32\\net1.exe", + "hash": { + "sha256": "18F76BC1F02A161EBDEDF3142273C186D05A836ADDCAAEE599194089FD59F398" + }, + "name": "net1.exe" }, "related": { "hash": [ diff --git a/SentinelOne/identity/tests/test_alert_11.json b/SentinelOne/identity/tests/test_alert_11.json index a4d81025f..84d64cee6 100644 --- a/SentinelOne/identity/tests/test_alert_11.json +++ b/SentinelOne/identity/tests/test_alert_11.json @@ -14,19 +14,17 @@ "type": "info" }, "@timestamp": "2024-11-22T08:45:51Z", - "file": { - "hash": { - "sha256": "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863" - }, - "name": "sharphound.exe", - "path": "c:\\users\\administrator\\desktop\\ad_recon\\sharphound.exe" - }, "observer": { "product": "Singularity Identity", "vendor": "SentinelOne" }, "process": { - "command_line": "Sharphound.exe" + "command_line": "Sharphound.exe", + "executable": "c:\\users\\administrator\\desktop\\ad_recon\\sharphound.exe", + "hash": { + "sha256": "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863" + }, + "name": "sharphound.exe" }, "related": { "hash": [ 
diff --git a/SentinelOne/identity/tests/test_alert_12.json b/SentinelOne/identity/tests/test_alert_12.json index 1618da843..3e75c9e78 100644 --- a/SentinelOne/identity/tests/test_alert_12.json +++ b/SentinelOne/identity/tests/test_alert_12.json @@ -14,19 +14,17 @@ "type": "info" }, "@timestamp": "2024-11-22T08:45:51Z", - "file": { - "hash": { - "sha256": "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863" - }, - "name": "sharphound.exe", - "path": "c:\\users\\administrator\\desktop\\ad_recon\\sharphound.exe" - }, "observer": { "product": "Singularity Identity", "vendor": "SentinelOne" }, "process": { - "command_line": "Sharphound.exe" + "command_line": "Sharphound.exe", + "executable": "c:\\users\\administrator\\desktop\\ad_recon\\sharphound.exe", + "hash": { + "sha256": "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863" + }, + "name": "sharphound.exe" }, "related": { "hash": [ diff --git a/SentinelOne/identity/tests/test_alert_13.json b/SentinelOne/identity/tests/test_alert_13.json index a31ef954f..d94a9c18b 100644 --- a/SentinelOne/identity/tests/test_alert_13.json +++ b/SentinelOne/identity/tests/test_alert_13.json @@ -14,19 +14,17 @@ "type": "info" }, "@timestamp": "2024-11-22T08:45:50Z", - "file": { - "hash": { - "sha256": "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863" - }, - "name": "sharphound.exe", - "path": "c:\\users\\administrator\\desktop\\ad_recon\\sharphound.exe" - }, "observer": { "product": "Singularity Identity", "vendor": "SentinelOne" }, "process": { - "command_line": "Sharphound.exe" + "command_line": "Sharphound.exe", + "executable": "c:\\users\\administrator\\desktop\\ad_recon\\sharphound.exe", + "hash": { + "sha256": "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863" + }, + "name": "sharphound.exe" }, "related": { "hash": [ diff --git a/SentinelOne/identity/tests/test_alert_14.json b/SentinelOne/identity/tests/test_alert_14.json index 7b9fc10e1..f8a4295bb 100644 
--- a/SentinelOne/identity/tests/test_alert_14.json +++ b/SentinelOne/identity/tests/test_alert_14.json @@ -14,19 +14,17 @@ "type": "info" }, "@timestamp": "2024-11-22T08:45:50Z", - "file": { - "hash": { - "sha256": "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863" - }, - "name": "sharphound.exe", - "path": "c:\\users\\administrator\\desktop\\ad_recon\\sharphound.exe" - }, "observer": { "product": "Singularity Identity", "vendor": "SentinelOne" }, "process": { - "command_line": "Sharphound.exe" + "command_line": "Sharphound.exe", + "executable": "c:\\users\\administrator\\desktop\\ad_recon\\sharphound.exe", + "hash": { + "sha256": "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863" + }, + "name": "sharphound.exe" }, "related": { "hash": [ diff --git a/SentinelOne/identity/tests/test_alert_15.json b/SentinelOne/identity/tests/test_alert_15.json index d8a7c1f8a..3d07d62a5 100644 --- a/SentinelOne/identity/tests/test_alert_15.json +++ b/SentinelOne/identity/tests/test_alert_15.json @@ -14,19 +14,17 @@ "type": "info" }, "@timestamp": "2024-11-22T08:45:50Z", - "file": { - "hash": { - "sha256": "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863" - }, - "name": "sharphound.exe", - "path": "c:\\users\\administrator\\desktop\\ad_recon\\sharphound.exe" - }, "observer": { "product": "Singularity Identity", "vendor": "SentinelOne" }, "process": { - "command_line": "Sharphound.exe" + "command_line": "Sharphound.exe", + "executable": "c:\\users\\administrator\\desktop\\ad_recon\\sharphound.exe", + "hash": { + "sha256": "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863" + }, + "name": "sharphound.exe" }, "related": { "hash": [ diff --git a/SentinelOne/identity/tests/test_alert_16.json b/SentinelOne/identity/tests/test_alert_16.json index 8a5217a55..0a9dc292d 100644 --- a/SentinelOne/identity/tests/test_alert_16.json +++ b/SentinelOne/identity/tests/test_alert_16.json 
@@ -14,19 +14,17 @@ "type": "info" }, "@timestamp": "2024-11-22T08:45:50Z", - "file": { - "hash": { - "sha256": "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863" - }, - "name": "sharphound.exe", - "path": "c:\\users\\administrator\\desktop\\ad_recon\\sharphound.exe" - }, "observer": { "product": "Singularity Identity", "vendor": "SentinelOne" }, "process": { - "command_line": "Sharphound.exe" + "command_line": "Sharphound.exe", + "executable": "c:\\users\\administrator\\desktop\\ad_recon\\sharphound.exe", + "hash": { + "sha256": "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863" + }, + "name": "sharphound.exe" }, "related": { "hash": [ diff --git a/SentinelOne/identity/tests/test_alert_5.json b/SentinelOne/identity/tests/test_alert_5.json index f1339df60..6e14dbe24 100644 --- a/SentinelOne/identity/tests/test_alert_5.json +++ b/SentinelOne/identity/tests/test_alert_5.json @@ -14,19 +14,17 @@ "type": "info" }, "@timestamp": "2024-11-22T09:54:58Z", - "file": { - "hash": { - "sha256": "4D89FC34D5F0F9BABD022271C585A9477BF41E834E46B991DEAA0530FDB25E22" - }, - "name": "cmd.exe", - "path": "c:\\windows\\system32\\cmd.exe" - }, "observer": { "product": "Singularity Identity", "vendor": "SentinelOne" }, "process": { - "command_line": "\"C:\\Windows\\system32\\cmd.exe\"" + "command_line": "\"C:\\Windows\\system32\\cmd.exe\"", + "executable": "c:\\windows\\system32\\cmd.exe", + "hash": { + "sha256": "4D89FC34D5F0F9BABD022271C585A9477BF41E834E46B991DEAA0530FDB25E22" + }, + "name": "cmd.exe" }, "related": { "hash": [ diff --git a/SentinelOne/identity/tests/test_alert_6.json b/SentinelOne/identity/tests/test_alert_6.json index e43c64e20..5b987ddc2 100644 --- a/SentinelOne/identity/tests/test_alert_6.json +++ b/SentinelOne/identity/tests/test_alert_6.json 
@@ -14,19 +14,17 @@ "type": "info" }, "@timestamp": "2024-11-22T09:45:51Z", - "file": { - "hash": { - "sha256": "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863" - }, - "name": "sharphound.exe", - "path": "c:\\users\\administrator\\desktop\\ad_recon\\sharphound.exe" - }, "observer": { "product": "Singularity Identity", "vendor": "SentinelOne" }, "process": { - "command_line": "Sharphound.exe" + "command_line": "Sharphound.exe", + "executable": "c:\\users\\administrator\\desktop\\ad_recon\\sharphound.exe", + "hash": { + "sha256": "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863" + }, + "name": "sharphound.exe" }, "related": { "hash": [ diff --git a/SentinelOne/identity/tests/test_alert_7.json b/SentinelOne/identity/tests/test_alert_7.json index d4acce26a..6fc5195cb 100644 --- a/SentinelOne/identity/tests/test_alert_7.json +++ b/SentinelOne/identity/tests/test_alert_7.json @@ -14,19 +14,17 @@ "type": "info" }, "@timestamp": "2024-11-22T09:45:51Z", - "file": { - "hash": { - "sha256": "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863" - }, - "name": "sharphound.exe", - "path": "c:\\users\\administrator\\desktop\\ad_recon\\sharphound.exe" - }, "observer": { "product": "Singularity Identity", "vendor": "SentinelOne" }, "process": { - "command_line": "Sharphound.exe" + "command_line": "Sharphound.exe", + "executable": "c:\\users\\administrator\\desktop\\ad_recon\\sharphound.exe", + "hash": { + "sha256": "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863" + }, + "name": "sharphound.exe" }, "related": { "hash": [ From 81af8ce7ab0e33cdb80e2a599e2a417641a45c5d Mon Sep 17 00:00:00 2001 From: Erwan Chevalier Date: Fri, 29 Nov 2024 16:20:57 +0100 Subject: [PATCH 06/18] fix(suricata): missing rdp smart description --- .../suricata/_meta/smart-descriptions.json | 16 ++++++ Suricata/suricata/tests/rdp.json | 57 +++++++++++++++++++ 2 files changed, 73 insertions(+) create mode 100644 Suricata/suricata/tests/rdp.json 
diff --git a/Suricata/suricata/_meta/smart-descriptions.json b/Suricata/suricata/_meta/smart-descriptions.json index fc89638e0..b330a23c1 100644 --- a/Suricata/suricata/_meta/smart-descriptions.json +++ b/Suricata/suricata/_meta/smart-descriptions.json @@ -198,6 +198,22 @@ } ] }, + { + "value": "RDP traffic from {source.ip} to {destination.ip}", + "conditions": [ + { + "field": "action.type", + "value": "rdp" + } + ], + "relationships": [ + { + "source": "source.ip", + "target": "destination.ip", + "type": "requested" + } + ] + }, { "value": "Traffic flow from {source.ip} with {user_agent.original} to {destination.ip} with {http.request.method} request to {url.original}", "conditions": [ diff --git a/Suricata/suricata/tests/rdp.json b/Suricata/suricata/tests/rdp.json new file mode 100644 index 000000000..131dd7025 --- /dev/null +++ b/Suricata/suricata/tests/rdp.json 
@@ -0,0 +1,57 @@ +{ + "input": { + "message": "{\"timestamp\":\"2024-11-29T15:08:06.239558+0000\",\"flow_id\":1822723333770346,\"in_iface\":\"eth0\",\"event_type\":\"rdp\",\"src_ip\":\"14.225.46.243\",\"src_port\":58953,\"dest_ip\":\"10.0.1.4\",\"dest_port\":3389,\"proto\":\"TCP\",\"community_id\":\"1:kyALzWxuJ/ruPpAqvO4KTLSsEaQ=\",\"rdp\":{\"tx_id\":2,\"event_type\":\"tls_handshake\",\"x509_serials\":[\"773dbe1ea6dc998444b4f9da1f188ba8\"]}}", + "sekoiaio": { + "intake": { + "dialect": "Suricata", + "dialect_uuid": "331fa58d-8cf9-454a-a87f-48a3dc07d4d3" + } + } + }, + "expected": { + "message": "{\"timestamp\":\"2024-11-29T15:08:06.239558+0000\",\"flow_id\":1822723333770346,\"in_iface\":\"eth0\",\"event_type\":\"rdp\",\"src_ip\":\"14.225.46.243\",\"src_port\":58953,\"dest_ip\":\"10.0.1.4\",\"dest_port\":3389,\"proto\":\"TCP\",\"community_id\":\"1:kyALzWxuJ/ruPpAqvO4KTLSsEaQ=\",\"rdp\":{\"tx_id\":2,\"event_type\":\"tls_handshake\",\"x509_serials\":[\"773dbe1ea6dc998444b4f9da1f188ba8\"]}}", + "event": { + "category": [ + "network" + ], + "type": [ + "connection" + ] + }, + "@timestamp": "2024-11-29T15:08:06.239558Z", + "action": { + "type": "rdp" + }, + "destination": { + "address": "10.0.1.4", + "ip": "10.0.1.4", + "port": 3389 + }, + "host": { + "ip": "14.225.46.243" + }, + "network": { + "community_id": "1:kyALzWxuJ/ruPpAqvO4KTLSsEaQ=", + "protocol": "TCP", + "transport": "TCP" + }, + "observer": { + "ingress": { + "interface": { + "name": "eth0" + } + } + }, + "related": { + "ip": [ + "10.0.1.4", + "14.225.46.243" + ] + }, + "source": { + "address": "14.225.46.243", + "ip": "14.225.46.243", + "port": 58953 + } + } +} \ No newline at end of file From da65007e11116a5b5a457a097df379c56cd4d66b Mon Sep 17 00:00:00 2001 
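Review bot: The fixture embeds a real, routable public address (`14.225.46.243`) as the RDP client; test data should use the RFC 5737 documentation ranges (`192.0.2.0/24`, `198.51.100.0/24`, `203.0.113.0/24`) so the repository does not name a third party's host — e.g. `198.51.100.243` in `message` and in the expected `source`, `host` and `related.ip` fields (the expected `community_id` is copied verbatim from the input, so it does not need recomputing). The expected output also drops the RDP-specific payload — `rdp.event_type: tls_handshake` and `rdp.x509_serials` — with no ECS counterpart such as `tls.server.x509.serial_number`, and pins `host.ip` to the remote client rather than the monitored `10.0.1.4`; both come from the shared Suricata parser, which is outside this diff, so confirm that is intended rather than something the new `rdp` event type should have mapped.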
From: vg-svitla <131353512+vg-svitla@users.noreply.github.com> Date: Mon, 2 Dec 2024 15:24:03 +0200 Subject: [PATCH 07/18] Update SentinelOne/identity/_meta/manifest.yml MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Sébastien Quioc --- SentinelOne/identity/_meta/manifest.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/SentinelOne/identity/_meta/manifest.yml b/SentinelOne/identity/_meta/manifest.yml index 1d18ad943..e8b52a2d5 100644 --- a/SentinelOne/identity/_meta/manifest.yml +++ b/SentinelOne/identity/_meta/manifest.yml @@ -1,6 +1,8 @@ uuid: b502e522-6996-4b12-9538-f69326b68243 -name: SentinelOne Singularity Identity +name: SentinelOne Singularity Identity [ALPHA] slug: sentinelone-singularity-identity +automation_connector_uuid: 2d772558-821d-4663-87bd-af28bbb8415a +automation_module_uuid: ff675e74-e5c1-47c8-a571-d207fc297464 description: >- SentinelOne Singularity Identity is a cybersecurity solution that provides identity protection and zero-trust security by continuously monitoring and analyzing user behaviors to detect and prevent potential threats. From c97f9cc3ebe0cc7aa224c75fb383f2bbbb3ff18e Mon Sep 17 00:00:00 2001 From: vg-svitla Date: Mon, 2 Dec 2024 17:26:30 +0200 Subject: [PATCH 08/18] Fix comments --- SentinelOne/identity/tests/test_alert_16.json | 47 ------------------- SentinelOne/identity/tests/test_alert_2.json | 31 ++++++++++-- 2 files changed, 28 insertions(+), 50 deletions(-) delete mode 100644 SentinelOne/identity/tests/test_alert_16.json diff --git a/SentinelOne/identity/tests/test_alert_16.json b/SentinelOne/identity/tests/test_alert_16.json deleted file mode 100644 index 0a9dc292d..000000000 --- a/SentinelOne/identity/tests/test_alert_16.json +++ /dev/null 
@@ -1,47 +0,0 @@ -{ - "input": { - "message": "{\"id\": \"01935310-dc47-75de-8925-5f026bd5a705\", \"name\": \"LDAP Search Detected\", \"description\": \"This events is raised when a LDAP search Query is detected from the endpoint.\", \"detectedAt\": \"2024-11-22T08:45:50.000Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"ENUMERATION\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T08:45:50.000Z\", \"lastSeenAt\": \"2024-11-22T08:45:50.000Z\", \"process\": {\"cmdLine\": \"Sharphound.exe\", \"file\": {\"path\": \"c:\\\\users\\\\administrator\\\\desktop\\\\ad_recon\\\\sharphound.exe\", \"sha1\": null, \"sha256\": \"61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863\", \"md5\": null}, \"parentName\": null}, \"result\": null, \"storylineId\": null}" - }, - "expected": { - "message": "{\"id\": \"01935310-dc47-75de-8925-5f026bd5a705\", \"name\": \"LDAP Search Detected\", \"description\": \"This events is raised when a LDAP search Query is detected from the endpoint.\", \"detectedAt\": \"2024-11-22T08:45:50.000Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"ENUMERATION\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T08:45:50.000Z\", \"lastSeenAt\": \"2024-11-22T08:45:50.000Z\", \"process\": {\"cmdLine\": \"Sharphound.exe\", \"file\": {\"path\": \"c:\\\\users\\\\administrator\\\\desktop\\\\ad_recon\\\\sharphound.exe\", \"sha1\": null, \"sha256\": \"61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863\", \"md5\": null}, \"parentName\": null}, \"result\": null, \"storylineId\": null}", - "event": { - "category": "intrusion_detection", - "end": "2024-11-22T08:45:50Z", - "kind": "alert", - "provider": "Identity", - "reason": "This events is raised when a LDAP search Query is detected from the endpoint.", 
- "start": "2024-11-22T08:45:50Z", - "type": "info" - }, - "@timestamp": "2024-11-22T08:45:50Z", - "observer": { - "product": "Singularity Identity", - "vendor": "SentinelOne" - }, - "process": { - "command_line": "Sharphound.exe", - "executable": "c:\\users\\administrator\\desktop\\ad_recon\\sharphound.exe", - "hash": { - "sha256": "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863" - }, - "name": "sharphound.exe" - }, - "related": { - "hash": [ - "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863" - ] - }, - "sentinelone": { - "identity": { - "attackSurfaces": [ - "IDENTITY" - ], - "classification": "ENUMERATION", - "confidenceLevel": "MALICIOUS", - "id": "01935310-dc47-75de-8925-5f026bd5a705", - "name": "LDAP Search Detected", - "status": "NEW" - } - } - } -} \ No newline at end of file diff --git a/SentinelOne/identity/tests/test_alert_2.json b/SentinelOne/identity/tests/test_alert_2.json index 39420a5e0..0a9dc292d 100644 --- a/SentinelOne/identity/tests/test_alert_2.json +++ b/SentinelOne/identity/tests/test_alert_2.json 
@@ -1,21 +1,46 @@ { "input": { - "message": "{\n \"uuid\": \"c0d4da63-0b2b-41ea-8cfe-0eb6bf78c398\",\n \"lastMigration\": 33,\n \"name\": \"Mocked api\",\n \"endpointPrefix\": \"\",\n \"latency\": 0,\n \"port\": 3000,\n \"hostname\": \"\",\n \"folders\": [\n {\n \"uuid\": \"b429b3e6-d7b1-4d4f-95fa-6ef0e9125858\",\n \"name\": \"user\",\n \"children\": [\n {\n \"type\": \"route\",\n \"uuid\": \"b071b344-f505-4b3b-ab48-963913a8f733\"\n },\n {\n \"type\": \"route\",\n \"uuid\": \"b05bcbda-d9b1-4bf1-89ae-f4161426251b\"\n },\n {\n \"type\": \"route\",\n \"uuid\": \"a4bc1f9a-cad0-416a-99a0-0202b1ccbe34\"\n },\n {\n \"type\": \"route\",\n \"uuid\": \"654ef4ca-727f-48f6-8561-5a1a73bd80d7\"\n },\n {\n \"type\": \"route\",\n \"uuid\": \"8ac42783-a83d-4f6a-98ff-f76b7660e585\"\n }\n ]\n }\n ],\n \"routes\": [\n {\n \"uuid\": \"b071b344-f505-4b3b-ab48-963913a8f733\",\n \"type\": \"http\",\n \"documentation\": \"Creates new user\",\n \"method\": \"post\",\n \"endpoint\": \"user\",\n \"responses\": [\n {\n \"uuid\": \"0a1cd03e-8140-42cb-a0a3-67e99f44b595\",\n \"body\": \"{}\",\n \"latency\": 0,\n \"statusCode\": 200,\n \"label\": \"\",\n \"headers\": [],\n \"bodyType\": \"DATABUCKET\",\n \"filePath\": \"\",\n \"databucketID\": \"w34k\",\n \"sendFileAsBody\": false,\n \"rules\": [\n {\n \"target\": \"body\",\n \"modifier\": \"$\",\n \"value\": \"CreateUserRequest\",\n \"invert\": false,\n \"operator\": \"valid_json_schema\"\n }\n ],\n \"rulesOperator\": \"AND\",\n \"disableTemplating\": false,\n \"fallbackTo404\": false,\n \"default\": false,\n \"crudKey\": \"id\",\n \"callbacks\": []\n },\n {\n \"uuid\": \"2334411e-b9c5-425e-8bd8-470da7d11077\",\n \"body\": \"{}\",\n \"latency\": 0,\n \"statusCode\": 400,\n \"label\": \"\",\n \"headers\": [],\n \"bodyType\": \"DATABUCKET\",\n \"filePath\": \"\",\n \"databucketID\": \"\",\n \"sendFileAsBody\": false,\n \"rules\": [],\n \"rulesOperator\": \"OR\",\n \"disableTemplating\": false,\n \"fallbackTo404\": false,\n \"default\": true,\n 
\"crudKey\": \"id\",\n \"callbacks\": []\n }\n ],\n \"responseMode\": null,\n \"streamingMode\": null,\n \"streamingInterval\": 0\n },\n {\n \"uuid\": \"654ef4ca-727f-48f6-8561-5a1a73bd80d7\",\n \"type\": \"http\",\n \"documentation\": \"Logout\",\n \"method\": \"post\",\n \"endpoint\": \"user/logout\",\n \"responses\": [\n {\n \"uuid\": \"8e9bafc8-78e5-4685-88cd-3b90f85edb87\",\n \"body\": \"{}\",\n \"latency\": 0,\n \"statusCode\": 200,\n \"label\": \"\",\n \"headers\": [],\n \"bodyType\": \"INLINE\",\n \"filePath\": \"\",\n \"databucketID\": \"\",\n \"sendFileAsBody\": false,\n \"rules\": [],\n \"rulesOperator\": \"OR\",\n \"disableTemplating\": false,\n \"fallbackTo404\": false,\n \"default\": true,\n \"crudKey\": \"id\",\n \"callbacks\": []\n }\n ],\n \"responseMode\": null,\n \"streamingMode\": null,\n \"streamingInterval\": 0\n },\n {\n \"uuid\": \"b05bcbda-d9b1-4bf1-89ae-f4161426251b\",\n \"type\": \"http\",\n \"documentation\": \"Authenticate user with credentials\",\n \"method\": \"post\",\n \"endpoint\": \"user/authenticate\",\n \"responses\": [\n {\n \"uuid\": \"91ecae5f-67e0-4264-b724-964d54d7d458\",\n \"body\": \"{}\",\n \"latency\": 0,\n \"statusCode\": 200,\n \"label\": \"\",\n \"headers\": [],\n \"bodyType\": \"DATABUCKET\",\n \"filePath\": \"\",\n \"databucketID\": \"77fk\",\n \"sendFileAsBody\": false,\n \"rules\": [\n {\n \"target\": \"body\",\n \"modifier\": \"$\",\n \"value\": \"AuthenticateUserRequest\",\n \"invert\": false,\n \"operator\": \"valid_json_schema\"\n }\n ],\n \"rulesOperator\": \"OR\",\n \"disableTemplating\": false,\n \"fallbackTo404\": false,\n \"default\": false,\n \"crudKey\": \"id\",\n \"callbacks\": []\n },\n {\n \"uuid\": \"6e78ae1f-c46c-43fc-a96b-6718ec506d26\",\n \"body\": \"{}\",\n \"latency\": 0,\n \"statusCode\": 400,\n \"label\": \"\",\n \"headers\": [],\n \"bodyType\": \"INLINE\",\n \"filePath\": \"\",\n \"databucketID\": \"\",\n \"sendFileAsBody\": false,\n \"rules\": [],\n \"rulesOperator\": \"OR\",\n 
\"disableTemplating\": false,\n \"fallbackTo404\": false,\n \"default\": true,\n \"crudKey\": \"id\",\n \"callbacks\": []\n }\n ],\n \"responseMode\": null,\n \"streamingMode\": null,\n \"streamingInterval\": 0\n },\n {\n \"uuid\": \"8ac42783-a83d-4f6a-98ff-f76b7660e585\",\n \"type\": \"http\",\n \"documentation\": \"Refresh Session\",\n \"method\": \"post\",\n \"endpoint\": \"user/refresh-session\",\n \"responses\": [\n {\n \"uuid\": \"5505a95b-80d0-46cc-b388-9d5afac52102\",\n \"body\": \"{}\",\n \"latency\": 0,\n \"statusCode\": 200,\n \"label\": \"\",\n \"headers\": [],\n \"bodyType\": \"DATABUCKET\",\n \"filePath\": \"\",\n \"databucketID\": \"77fk\",\n \"sendFileAsBody\": false,\n \"rules\": [\n {\n \"target\": \"body\",\n \"modifier\": \"refreshToken\",\n \"value\": \"\",\n \"invert\": true,\n \"operator\": \"null\"\n }\n ],\n \"rulesOperator\": \"OR\",\n \"disableTemplating\": false,\n \"fallbackTo404\": false,\n \"default\": true,\n \"crudKey\": \"id\",\n \"callbacks\": []\n },\n {\n \"uuid\": \"7d54557c-5d32-44c1-92dc-a594615ce7d8\",\n \"body\": \"{}\",\n \"latency\": 0,\n \"statusCode\": 401,\n \"label\": \"\",\n \"headers\": [],\n \"bodyType\": \"INLINE\",\n \"filePath\": \"\",\n \"databucketID\": \"\",\n \"sendFileAsBody\": false,\n \"rules\": [\n {\n \"target\": \"body\",\n \"modifier\": \"refreshToken\",\n \"value\": \"\",\n \"invert\": false,\n \"operator\": \"null\"\n }\n ],\n \"rulesOperator\": \"OR\",\n \"disableTemplating\": false,\n \"fallbackTo404\": false,\n \"default\": false,\n \"crudKey\": \"id\",\n \"callbacks\": []\n }\n ],\n \"responseMode\": null,\n \"streamingMode\": null,\n \"streamingInterval\": 0\n },\n {\n \"uuid\": \"2be5e000-c494-4e86-abfa-7e736ccec3af\",\n \"type\": \"http\",\n \"documentation\": \"Auth required\",\n \"method\": \"all\",\n \"endpoint\": \"*\",\n \"responses\": [\n {\n \"uuid\": \"c49cf55f-b651-4a26-9c10-9806af40c0c4\",\n \"body\": \"{}\",\n \"latency\": 0,\n \"statusCode\": 401,\n \"label\": \"\",\n \"headers\": 
[],\n \"bodyType\": \"INLINE\",\n \"filePath\": \"\",\n \"databucketID\": \"\",\n \"sendFileAsBody\": false,\n \"rules\": [\n {\n \"target\": \"header\",\n \"modifier\": \"funfy-auth-token\",\n \"value\": \"\",\n \"invert\": false,\n \"operator\": \"null\"\n },\n {\n \"target\": \"path\",\n \"modifier\": \"\",\n \"value\": \"/user\",\n \"invert\": true,\n \"operator\": \"equals\"\n },\n {\n \"target\": \"path\",\n \"modifier\": \"\",\n \"value\": \"/user/authenticate\",\n \"invert\": true,\n \"operator\": \"equals\"\n }\n ],\n \"rulesOperator\": \"AND\",\n \"disableTemplating\": false,\n \"fallbackTo404\": false,\n \"default\": true,\n \"crudKey\": \"id\",\n \"callbacks\": []\n }\n ],\n \"responseMode\": \"FALLBACK\",\n \"streamingMode\": null,\n \"streamingInterval\": 0\n },\n {\n \"uuid\": \"a4bc1f9a-cad0-416a-99a0-0202b1ccbe34\",\n \"type\": \"http\",\n \"documentation\": \"RefreshToken is required\",\n \"method\": \"all\",\n \"endpoint\": \"user/*\",\n \"responses\": [\n {\n \"uuid\": \"e5d4e8a4-037e-4e72-b8a3-1e4b9c5da3bd\",\n \"body\": \"{}\",\n \"latency\": 0,\n \"statusCode\": 400,\n \"label\": \"\",\n \"headers\": [],\n \"bodyType\": \"INLINE\",\n \"filePath\": \"\",\n \"databucketID\": \"\",\n \"sendFileAsBody\": false,\n \"rules\": [\n {\n \"target\": \"body\",\n \"modifier\": \"$.refreshToken\",\n \"value\": \"\",\n \"invert\": false,\n \"operator\": \"null\"\n }\n ],\n \"rulesOperator\": \"AND\",\n \"disableTemplating\": false,\n \"fallbackTo404\": false,\n \"default\": true,\n \"crudKey\": \"id\",\n \"callbacks\": []\n }\n ],\n \"responseMode\": \"FALLBACK\",\n \"streamingMode\": null,\n \"streamingInterval\": 0\n },\n {\n \"uuid\": \"dd9329aa-3b68-4907-b069-52d1d1793ca8\",\n \"type\": \"http\",\n \"documentation\": \"\",\n \"method\": \"get\",\n \"endpoint\": \"test\",\n \"responses\": [\n {\n \"uuid\": \"acc619a1-6ec7-45a6-888c-a7a860ed237b\",\n \"body\": \"{\\n \\\"message\\\": \\\"route required auth\\\"\\n}\",\n \"latency\": 0,\n \"statusCode\": 
200,\n \"label\": \"\",\n \"headers\": [],\n \"bodyType\": \"INLINE\",\n \"filePath\": \"\",\n \"databucketID\": \"\",\n \"sendFileAsBody\": false,\n \"rules\": [],\n \"rulesOperator\": \"OR\",\n \"disableTemplating\": false,\n \"fallbackTo404\": false,\n \"default\": true,\n \"crudKey\": \"id\",\n \"callbacks\": []\n }\n ],\n \"responseMode\": null,\n \"streamingMode\": null,\n \"streamingInterval\": 0\n }\n ],\n \"rootChildren\": [\n {\n \"type\": \"route\",\n \"uuid\": \"2be5e000-c494-4e86-abfa-7e736ccec3af\"\n },\n {\n \"type\": \"folder\",\n \"uuid\": \"b429b3e6-d7b1-4d4f-95fa-6ef0e9125858\"\n },\n {\n \"type\": \"route\",\n \"uuid\": \"dd9329aa-3b68-4907-b069-52d1d1793ca8\"\n }\n ],\n \"proxyMode\": false,\n \"proxyHost\": \"\",\n \"proxyRemovePrefix\": false,\n \"tlsOptions\": {\n \"enabled\": false,\n \"type\": \"CERT\",\n \"pfxPath\": \"\",\n \"certPath\": \"\",\n \"keyPath\": \"\",\n \"caPath\": \"\",\n \"passphrase\": \"\"\n },\n \"cors\": true,\n \"headers\": [\n {\n \"key\": \"Content-Type\",\n \"value\": \"application/json\"\n },\n {\n \"key\": \"Access-Control-Allow-Origin\",\n \"value\": \"*\"\n },\n {\n \"key\": \"Access-Control-Allow-Methods\",\n \"value\": \"GET,POST,PUT,PATCH,DELETE,HEAD,OPTIONS\"\n },\n {\n \"key\": \"Access-Control-Allow-Headers\",\n \"value\": \"Content-Type, Origin, Accept, Authorization, Content-Length, X-Requested-With\"\n }\n ],\n \"proxyReqHeaders\": [\n {\n \"key\": \"\",\n \"value\": \"\"\n }\n ],\n \"proxyResHeaders\": [\n {\n \"key\": \"\",\n \"value\": \"\"\n }\n ],\n \"data\": [\n {\n \"uuid\": \"38fb975d-c6f0-48d9-ae52-9e3fbc5cb654\",\n \"id\": \"8wey\",\n \"name\": \"Globals\",\n \"documentation\": \"\",\n \"value\": \"\"\n },\n {\n \"uuid\": \"2372a308-c890-479c-a18b-54abe4696967\",\n \"id\": \"zzay\",\n \"name\": \"ISODate\",\n \"documentation\": \"Datetime shared format comes from backend\",\n \"value\": \"\\\"{{now 'yyyy-MM-dd\\\\'T\\\\'HH:mm:ss\\\\'Z\\\\''}}\\\"\"\n },\n {\n \"uuid\": 
\"160c80f4-39c7-494d-a489-06da2e51aa87\",\n \"id\": \"g4qq\",\n \"name\": \"CreateUserRequest\",\n \"documentation\": \"\",\n \"value\": \"{\\n \\\"type\\\": \\\"object\\\",\\n \\\"properties\\\": {\\n \\\"email\\\": { \\\"type\\\": \\\"string\\\" },\\n \\\"phone\\\": { \\\"type\\\": \\\"string\\\" },\\n \\\"password\\\": { \\\"type\\\": \\\"string\\\" }\\n },\\n \\\"required\\\": [\\\"phone\\\", \\\"password\\\"]\\n}\\n\"\n },\n {\n \"uuid\": \"c1d673ba-f7cf-4fd2-8cc8-449017a3ff17\",\n \"id\": \"ofz6\",\n \"name\": \"AuthenticateUserRequest\",\n \"documentation\": \"\",\n \"value\": \"{\\n \\\"type\\\": \\\"object\\\",\\n \\\"properties\\\": {\\n \\\"phone\\\": { \\\"type\\\": \\\"string\\\" },\\n \\\"password\\\": { \\\"type\\\": \\\"string\\\" }\\n },\\n \\\"required\\\": [\\\"phone\\\", \\\"password\\\"]\\n}\\n\"\n },\n {\n \"uuid\": \"2844853c-c892-4671-9201-0b252711a36b\",\n \"id\": \"w34k\",\n \"name\": \"User\",\n \"documentation\": \"\",\n \"value\": \"{\\n \\\"id\\\": \\\"{{faker 'string.uuid'}}\\\",\\n \\\"email\\\": \\\"{{faker 'internet.email'}}\\\",\\n \\\"phone\\\": \\\"{{faker 'phone.number' style='international'}}\\\",\\n \\\"createdAt\\\": \\\"{{data 'ISODate'}}\\\",\\n \\\"updatedAt\\\": \\\"{{data 'ISODate'}}\\\",\\n}\"\n },\n {\n \"uuid\": \"e698b979-5934-45f2-8612-5782a8b1e0be\",\n \"id\": \"77fk\",\n \"name\": \"Authentication\",\n \"documentation\": \"\",\n \"value\": \"{\\n \\\"refreshToken\\\": \\\"{{faker 'string.uuid'}}\\\",\\n \\\"accessToken\\\": \\\"{{faker 'string.uuid'}}\\\"\\n}\"\n }\n ],\n \"callbacks\": []\n}" + "message": "{\"id\": \"01935310-dc47-75de-8925-5f026bd5a705\", \"name\": \"LDAP Search Detected\", \"description\": \"This events is raised when a LDAP search Query is detected from the endpoint.\", \"detectedAt\": \"2024-11-22T08:45:50.000Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"ENUMERATION\", 
\"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T08:45:50.000Z\", \"lastSeenAt\": \"2024-11-22T08:45:50.000Z\", \"process\": {\"cmdLine\": \"Sharphound.exe\", \"file\": {\"path\": \"c:\\\\users\\\\administrator\\\\desktop\\\\ad_recon\\\\sharphound.exe\", \"sha1\": null, \"sha256\": \"61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863\", \"md5\": null}, \"parentName\": null}, \"result\": null, \"storylineId\": null}" }, "expected": { - "message": "{\n \"uuid\": \"c0d4da63-0b2b-41ea-8cfe-0eb6bf78c398\",\n \"lastMigration\": 33,\n \"name\": \"Mocked api\",\n \"endpointPrefix\": \"\",\n \"latency\": 0,\n \"port\": 3000,\n \"hostname\": \"\",\n \"folders\": [\n {\n \"uuid\": \"b429b3e6-d7b1-4d4f-95fa-6ef0e9125858\",\n \"name\": \"user\",\n \"children\": [\n {\n \"type\": \"route\",\n \"uuid\": \"b071b344-f505-4b3b-ab48-963913a8f733\"\n },\n {\n \"type\": \"route\",\n \"uuid\": \"b05bcbda-d9b1-4bf1-89ae-f4161426251b\"\n },\n {\n \"type\": \"route\",\n \"uuid\": \"a4bc1f9a-cad0-416a-99a0-0202b1ccbe34\"\n },\n {\n \"type\": \"route\",\n \"uuid\": \"654ef4ca-727f-48f6-8561-5a1a73bd80d7\"\n },\n {\n \"type\": \"route\",\n \"uuid\": \"8ac42783-a83d-4f6a-98ff-f76b7660e585\"\n }\n ]\n }\n ],\n \"routes\": [\n {\n \"uuid\": \"b071b344-f505-4b3b-ab48-963913a8f733\",\n \"type\": \"http\",\n \"documentation\": \"Creates new user\",\n \"method\": \"post\",\n \"endpoint\": \"user\",\n \"responses\": [\n {\n \"uuid\": \"0a1cd03e-8140-42cb-a0a3-67e99f44b595\",\n \"body\": \"{}\",\n \"latency\": 0,\n \"statusCode\": 200,\n \"label\": \"\",\n \"headers\": [],\n \"bodyType\": \"DATABUCKET\",\n \"filePath\": \"\",\n \"databucketID\": \"w34k\",\n \"sendFileAsBody\": false,\n \"rules\": [\n {\n \"target\": \"body\",\n \"modifier\": \"$\",\n \"value\": \"CreateUserRequest\",\n \"invert\": false,\n \"operator\": \"valid_json_schema\"\n }\n ],\n \"rulesOperator\": \"AND\",\n \"disableTemplating\": false,\n \"fallbackTo404\": false,\n \"default\": false,\n 
\"crudKey\": \"id\",\n \"callbacks\": []\n },\n {\n \"uuid\": \"2334411e-b9c5-425e-8bd8-470da7d11077\",\n \"body\": \"{}\",\n \"latency\": 0,\n \"statusCode\": 400,\n \"label\": \"\",\n \"headers\": [],\n \"bodyType\": \"DATABUCKET\",\n \"filePath\": \"\",\n \"databucketID\": \"\",\n \"sendFileAsBody\": false,\n \"rules\": [],\n \"rulesOperator\": \"OR\",\n \"disableTemplating\": false,\n \"fallbackTo404\": false,\n \"default\": true,\n \"crudKey\": \"id\",\n \"callbacks\": []\n }\n ],\n \"responseMode\": null,\n \"streamingMode\": null,\n \"streamingInterval\": 0\n },\n {\n \"uuid\": \"654ef4ca-727f-48f6-8561-5a1a73bd80d7\",\n \"type\": \"http\",\n \"documentation\": \"Logout\",\n \"method\": \"post\",\n \"endpoint\": \"user/logout\",\n \"responses\": [\n {\n \"uuid\": \"8e9bafc8-78e5-4685-88cd-3b90f85edb87\",\n \"body\": \"{}\",\n \"latency\": 0,\n \"statusCode\": 200,\n \"label\": \"\",\n \"headers\": [],\n \"bodyType\": \"INLINE\",\n \"filePath\": \"\",\n \"databucketID\": \"\",\n \"sendFileAsBody\": false,\n \"rules\": [],\n \"rulesOperator\": \"OR\",\n \"disableTemplating\": false,\n \"fallbackTo404\": false,\n \"default\": true,\n \"crudKey\": \"id\",\n \"callbacks\": []\n }\n ],\n \"responseMode\": null,\n \"streamingMode\": null,\n \"streamingInterval\": 0\n },\n {\n \"uuid\": \"b05bcbda-d9b1-4bf1-89ae-f4161426251b\",\n \"type\": \"http\",\n \"documentation\": \"Authenticate user with credentials\",\n \"method\": \"post\",\n \"endpoint\": \"user/authenticate\",\n \"responses\": [\n {\n \"uuid\": \"91ecae5f-67e0-4264-b724-964d54d7d458\",\n \"body\": \"{}\",\n \"latency\": 0,\n \"statusCode\": 200,\n \"label\": \"\",\n \"headers\": [],\n \"bodyType\": \"DATABUCKET\",\n \"filePath\": \"\",\n \"databucketID\": \"77fk\",\n \"sendFileAsBody\": false,\n \"rules\": [\n {\n \"target\": \"body\",\n \"modifier\": \"$\",\n \"value\": \"AuthenticateUserRequest\",\n \"invert\": false,\n \"operator\": \"valid_json_schema\"\n }\n ],\n \"rulesOperator\": \"OR\",\n 
\"disableTemplating\": false,\n \"fallbackTo404\": false,\n \"default\": false,\n \"crudKey\": \"id\",\n \"callbacks\": []\n },\n {\n \"uuid\": \"6e78ae1f-c46c-43fc-a96b-6718ec506d26\",\n \"body\": \"{}\",\n \"latency\": 0,\n \"statusCode\": 400,\n \"label\": \"\",\n \"headers\": [],\n \"bodyType\": \"INLINE\",\n \"filePath\": \"\",\n \"databucketID\": \"\",\n \"sendFileAsBody\": false,\n \"rules\": [],\n \"rulesOperator\": \"OR\",\n \"disableTemplating\": false,\n \"fallbackTo404\": false,\n \"default\": true,\n \"crudKey\": \"id\",\n \"callbacks\": []\n }\n ],\n \"responseMode\": null,\n \"streamingMode\": null,\n \"streamingInterval\": 0\n },\n {\n \"uuid\": \"8ac42783-a83d-4f6a-98ff-f76b7660e585\",\n \"type\": \"http\",\n \"documentation\": \"Refresh Session\",\n \"method\": \"post\",\n \"endpoint\": \"user/refresh-session\",\n \"responses\": [\n {\n \"uuid\": \"5505a95b-80d0-46cc-b388-9d5afac52102\",\n \"body\": \"{}\",\n \"latency\": 0,\n \"statusCode\": 200,\n \"label\": \"\",\n \"headers\": [],\n \"bodyType\": \"DATABUCKET\",\n \"filePath\": \"\",\n \"databucketID\": \"77fk\",\n \"sendFileAsBody\": false,\n \"rules\": [\n {\n \"target\": \"body\",\n \"modifier\": \"refreshToken\",\n \"value\": \"\",\n \"invert\": true,\n \"operator\": \"null\"\n }\n ],\n \"rulesOperator\": \"OR\",\n \"disableTemplating\": false,\n \"fallbackTo404\": false,\n \"default\": true,\n \"crudKey\": \"id\",\n \"callbacks\": []\n },\n {\n \"uuid\": \"7d54557c-5d32-44c1-92dc-a594615ce7d8\",\n \"body\": \"{}\",\n \"latency\": 0,\n \"statusCode\": 401,\n \"label\": \"\",\n \"headers\": [],\n \"bodyType\": \"INLINE\",\n \"filePath\": \"\",\n \"databucketID\": \"\",\n \"sendFileAsBody\": false,\n \"rules\": [\n {\n \"target\": \"body\",\n \"modifier\": \"refreshToken\",\n \"value\": \"\",\n \"invert\": false,\n \"operator\": \"null\"\n }\n ],\n \"rulesOperator\": \"OR\",\n \"disableTemplating\": false,\n \"fallbackTo404\": false,\n \"default\": false,\n \"crudKey\": \"id\",\n 
\"callbacks\": []\n }\n ],\n \"responseMode\": null,\n \"streamingMode\": null,\n \"streamingInterval\": 0\n },\n {\n \"uuid\": \"2be5e000-c494-4e86-abfa-7e736ccec3af\",\n \"type\": \"http\",\n \"documentation\": \"Auth required\",\n \"method\": \"all\",\n \"endpoint\": \"*\",\n \"responses\": [\n {\n \"uuid\": \"c49cf55f-b651-4a26-9c10-9806af40c0c4\",\n \"body\": \"{}\",\n \"latency\": 0,\n \"statusCode\": 401,\n \"label\": \"\",\n \"headers\": [],\n \"bodyType\": \"INLINE\",\n \"filePath\": \"\",\n \"databucketID\": \"\",\n \"sendFileAsBody\": false,\n \"rules\": [\n {\n \"target\": \"header\",\n \"modifier\": \"funfy-auth-token\",\n \"value\": \"\",\n \"invert\": false,\n \"operator\": \"null\"\n },\n {\n \"target\": \"path\",\n \"modifier\": \"\",\n \"value\": \"/user\",\n \"invert\": true,\n \"operator\": \"equals\"\n },\n {\n \"target\": \"path\",\n \"modifier\": \"\",\n \"value\": \"/user/authenticate\",\n \"invert\": true,\n \"operator\": \"equals\"\n }\n ],\n \"rulesOperator\": \"AND\",\n \"disableTemplating\": false,\n \"fallbackTo404\": false,\n \"default\": true,\n \"crudKey\": \"id\",\n \"callbacks\": []\n }\n ],\n \"responseMode\": \"FALLBACK\",\n \"streamingMode\": null,\n \"streamingInterval\": 0\n },\n {\n \"uuid\": \"a4bc1f9a-cad0-416a-99a0-0202b1ccbe34\",\n \"type\": \"http\",\n \"documentation\": \"RefreshToken is required\",\n \"method\": \"all\",\n \"endpoint\": \"user/*\",\n \"responses\": [\n {\n \"uuid\": \"e5d4e8a4-037e-4e72-b8a3-1e4b9c5da3bd\",\n \"body\": \"{}\",\n \"latency\": 0,\n \"statusCode\": 400,\n \"label\": \"\",\n \"headers\": [],\n \"bodyType\": \"INLINE\",\n \"filePath\": \"\",\n \"databucketID\": \"\",\n \"sendFileAsBody\": false,\n \"rules\": [\n {\n \"target\": \"body\",\n \"modifier\": \"$.refreshToken\",\n \"value\": \"\",\n \"invert\": false,\n \"operator\": \"null\"\n }\n ],\n \"rulesOperator\": \"AND\",\n \"disableTemplating\": false,\n \"fallbackTo404\": false,\n \"default\": true,\n \"crudKey\": \"id\",\n 
\"callbacks\": []\n }\n ],\n \"responseMode\": \"FALLBACK\",\n \"streamingMode\": null,\n \"streamingInterval\": 0\n },\n {\n \"uuid\": \"dd9329aa-3b68-4907-b069-52d1d1793ca8\",\n \"type\": \"http\",\n \"documentation\": \"\",\n \"method\": \"get\",\n \"endpoint\": \"test\",\n \"responses\": [\n {\n \"uuid\": \"acc619a1-6ec7-45a6-888c-a7a860ed237b\",\n \"body\": \"{\\n \\\"message\\\": \\\"route required auth\\\"\\n}\",\n \"latency\": 0,\n \"statusCode\": 200,\n \"label\": \"\",\n \"headers\": [],\n \"bodyType\": \"INLINE\",\n \"filePath\": \"\",\n \"databucketID\": \"\",\n \"sendFileAsBody\": false,\n \"rules\": [],\n \"rulesOperator\": \"OR\",\n \"disableTemplating\": false,\n \"fallbackTo404\": false,\n \"default\": true,\n \"crudKey\": \"id\",\n \"callbacks\": []\n }\n ],\n \"responseMode\": null,\n \"streamingMode\": null,\n \"streamingInterval\": 0\n }\n ],\n \"rootChildren\": [\n {\n \"type\": \"route\",\n \"uuid\": \"2be5e000-c494-4e86-abfa-7e736ccec3af\"\n },\n {\n \"type\": \"folder\",\n \"uuid\": \"b429b3e6-d7b1-4d4f-95fa-6ef0e9125858\"\n },\n {\n \"type\": \"route\",\n \"uuid\": \"dd9329aa-3b68-4907-b069-52d1d1793ca8\"\n }\n ],\n \"proxyMode\": false,\n \"proxyHost\": \"\",\n \"proxyRemovePrefix\": false,\n \"tlsOptions\": {\n \"enabled\": false,\n \"type\": \"CERT\",\n \"pfxPath\": \"\",\n \"certPath\": \"\",\n \"keyPath\": \"\",\n \"caPath\": \"\",\n \"passphrase\": \"\"\n },\n \"cors\": true,\n \"headers\": [\n {\n \"key\": \"Content-Type\",\n \"value\": \"application/json\"\n },\n {\n \"key\": \"Access-Control-Allow-Origin\",\n \"value\": \"*\"\n },\n {\n \"key\": \"Access-Control-Allow-Methods\",\n \"value\": \"GET,POST,PUT,PATCH,DELETE,HEAD,OPTIONS\"\n },\n {\n \"key\": \"Access-Control-Allow-Headers\",\n \"value\": \"Content-Type, Origin, Accept, Authorization, Content-Length, X-Requested-With\"\n }\n ],\n \"proxyReqHeaders\": [\n {\n \"key\": \"\",\n \"value\": \"\"\n }\n ],\n \"proxyResHeaders\": [\n {\n \"key\": \"\",\n \"value\": \"\"\n }\n 
],\n \"data\": [\n {\n \"uuid\": \"38fb975d-c6f0-48d9-ae52-9e3fbc5cb654\",\n \"id\": \"8wey\",\n \"name\": \"Globals\",\n \"documentation\": \"\",\n \"value\": \"\"\n },\n {\n \"uuid\": \"2372a308-c890-479c-a18b-54abe4696967\",\n \"id\": \"zzay\",\n \"name\": \"ISODate\",\n \"documentation\": \"Datetime shared format comes from backend\",\n \"value\": \"\\\"{{now 'yyyy-MM-dd\\\\'T\\\\'HH:mm:ss\\\\'Z\\\\''}}\\\"\"\n },\n {\n \"uuid\": \"160c80f4-39c7-494d-a489-06da2e51aa87\",\n \"id\": \"g4qq\",\n \"name\": \"CreateUserRequest\",\n \"documentation\": \"\",\n \"value\": \"{\\n \\\"type\\\": \\\"object\\\",\\n \\\"properties\\\": {\\n \\\"email\\\": { \\\"type\\\": \\\"string\\\" },\\n \\\"phone\\\": { \\\"type\\\": \\\"string\\\" },\\n \\\"password\\\": { \\\"type\\\": \\\"string\\\" }\\n },\\n \\\"required\\\": [\\\"phone\\\", \\\"password\\\"]\\n}\\n\"\n },\n {\n \"uuid\": \"c1d673ba-f7cf-4fd2-8cc8-449017a3ff17\",\n \"id\": \"ofz6\",\n \"name\": \"AuthenticateUserRequest\",\n \"documentation\": \"\",\n \"value\": \"{\\n \\\"type\\\": \\\"object\\\",\\n \\\"properties\\\": {\\n \\\"phone\\\": { \\\"type\\\": \\\"string\\\" },\\n \\\"password\\\": { \\\"type\\\": \\\"string\\\" }\\n },\\n \\\"required\\\": [\\\"phone\\\", \\\"password\\\"]\\n}\\n\"\n },\n {\n \"uuid\": \"2844853c-c892-4671-9201-0b252711a36b\",\n \"id\": \"w34k\",\n \"name\": \"User\",\n \"documentation\": \"\",\n \"value\": \"{\\n \\\"id\\\": \\\"{{faker 'string.uuid'}}\\\",\\n \\\"email\\\": \\\"{{faker 'internet.email'}}\\\",\\n \\\"phone\\\": \\\"{{faker 'phone.number' style='international'}}\\\",\\n \\\"createdAt\\\": \\\"{{data 'ISODate'}}\\\",\\n \\\"updatedAt\\\": \\\"{{data 'ISODate'}}\\\",\\n}\"\n },\n {\n \"uuid\": \"e698b979-5934-45f2-8612-5782a8b1e0be\",\n \"id\": \"77fk\",\n \"name\": \"Authentication\",\n \"documentation\": \"\",\n \"value\": \"{\\n \\\"refreshToken\\\": \\\"{{faker 'string.uuid'}}\\\",\\n \\\"accessToken\\\": \\\"{{faker 'string.uuid'}}\\\"\\n}\"\n }\n ],\n 
\"callbacks\": []\n}",
+ "message": "{\"id\": \"01935310-dc47-75de-8925-5f026bd5a705\", \"name\": \"LDAP Search Detected\", \"description\": \"This events is raised when a LDAP search Query is detected from the endpoint.\", \"detectedAt\": \"2024-11-22T08:45:50.000Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"ENUMERATION\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T08:45:50.000Z\", \"lastSeenAt\": \"2024-11-22T08:45:50.000Z\", \"process\": {\"cmdLine\": \"Sharphound.exe\", \"file\": {\"path\": \"c:\\\\users\\\\administrator\\\\desktop\\\\ad_recon\\\\sharphound.exe\", \"sha1\": null, \"sha256\": \"61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863\", \"md5\": null}, \"parentName\": null}, \"result\": null, \"storylineId\": null}",
 "event": {
 "category": "intrusion_detection",
+ "end": "2024-11-22T08:45:50Z",
 "kind": "alert",
+ "provider": "Identity",
+ "reason": "This events is raised when a LDAP search Query is detected from the endpoint.",
+ "start": "2024-11-22T08:45:50Z",
 "type": "info"
 },
+ "@timestamp": "2024-11-22T08:45:50Z",
 "observer": {
 "product": "Singularity Identity",
 "vendor": "SentinelOne"
 },
+ "process": {
+ "command_line": "Sharphound.exe",
+ "executable": "c:\\users\\administrator\\desktop\\ad_recon\\sharphound.exe",
+ "hash": {
+ "sha256": "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863"
+ },
+ "name": "sharphound.exe"
+ },
+ "related": {
+ "hash": [
+ "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863"
+ ]
+ },
 "sentinelone": {
 "identity": {
- "name": "Mocked api"
+ "attackSurfaces": [
+ "IDENTITY"
+ ],
+ "classification": "ENUMERATION",
+ "confidenceLevel": "MALICIOUS",
+ "id": "01935310-dc47-75de-8925-5f026bd5a705",
+ "name": "LDAP Search Detected",
+ "status": "NEW"
 }
 }
 }
From 9daca2729d6227513899135a5e32b0eb8337b757 Mon Sep 17 00:00:00 2001
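Review bot: The expected `process.hash.sha256` and `related.hash` values keep the vendor's uppercase hex (`61F897ED…`), so if the parser (not in this hunk) passes the hash through unchanged, a case-sensitive exact match against the lowercase-hex form most indicator lists and ECS-based correlation use will miss it; consider lowercasing in the parser and updating the expected values here to the lowercase form. The new `input` and `expected` blocks are byte-identical to the fixture removed in the preceding hunk, so this file now duplicates rather than extends coverage. A second fixture in which `sha1`, `md5`, `assignee`, `result` or `storylineId` are non-null would exercise the null-handling paths the expected output implies the parser has (no `sha1`/`md5` appear under `process.hash` when the input carries null).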
From: Sebastien Quioc
Date: Mon, 2 Dec 2024 18:41:51 +0100
Subject: [PATCH 09/18] fix(CybeReason): fix the identifier of the connector associated to the intake
---
CybeReason/malop-json/_meta/manifest.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/CybeReason/malop-json/_meta/manifest.yml b/CybeReason/malop-json/_meta/manifest.yml
index f1b4f8074..e4cdd5419 100644
--- a/CybeReason/malop-json/_meta/manifest.yml
+++ b/CybeReason/malop-json/_meta/manifest.yml
@@ -1,7 +1,7 @@
 uuid: 9f89b634-0531-437b-b060-a9d9f2d270db
 name: Cybereason EDR
 slug: cybereason-malop-json
-automation_connector_uuid: ff092b32-68dc-11ee-8c99-0242ac120002
+automation_connector_uuid: 8128d255-22df-4f4c-96af-ca6c1123f4cf
 automation_module_uuid: b96361fb-a01b-4ae7-8927-9622b9ea0acf
 description: >-
From 82eeda946e6c3e4819b3cf7808c6d5f0623bc8fc Mon Sep 17 00:00:00 2001
From: Sebastien Quioc
Date: Tue, 3 Dec 2024 17:30:15 +0100
Subject: [PATCH 10/18] fix(SentinelOne): fix the logo for identity
---
SentinelOne/identity/_meta/logo.png | Bin 27937 -> 1853 bytes
1 file changed, 0 insertions(+), 0 deletions(-)
diff --git a/SentinelOne/identity/_meta/logo.png b/SentinelOne/identity/_meta/logo.png index bad66643418120e4e1dbdc385258d64188b37661..817c84f53c5bbb9277dd6ba33f3ccb0ab2078e36 100644 GIT binary patch literal 1853 zcmcJQ|6kHc8o)vMl7e`(t6qwxU3Ha(r=~6z23nin0>#|&3#IL9qF^hK2x)>@)NU!6 z$)+oT>z5Uc*y1!bInK5fEtGXNF~z#XL_+CA?e;p|{c!)o{xHuo&&>0hndd#v%yTt? zc*Moo(-{N;xx_>tA_H1!ZyR8M#A#tcAP^i9bBJ)P=-UMY=}L0epZov)GCg}x(zvfB zCl?m)(i)iiZp&5v;pn}&iOpHnA1iY_l+@YKa>*scuB&RzHmUoKx`t=(NHNv?gdNvH z2-(hlH+C^o(_f-b%?)?G7c+-B;`bj6NaTZ}Pm14sY30x1aCOyLTN&i<%-}0uA$7*x z_?vB@qjHCRUCw`qL1C;Rnq1CCr+r#?5PrE$tYPEOMJI`Ch(<;HI)c1Qw-#0yClV zJQ!%j*G@Y6XCE6s$zZ!n(%ScE3e@=l___8p;SA4^$`eavzWw0+r+DIqZhVE~>M}T7 zCI_Z)9G>bMH^5o-$Vf=LgoazP2g+6*u$XiD0sg8p7L%+W;1QvW^jwAEBGHYJzFT1^ zgDn|3f(6t*p>5W!!%K(H4>+sPUW73MIefbNKH<}Wa2iv>pQ>-~3x#%CDLMkP+RL(aAGs)=#O9cdQi58%fEes(aHicurGZb{tb66K_2QUYhP~ zJbSQeNL(fFP3)daq^=+a+tuRzqmLFp3xd9gyh%XS2$;j(txmZ zf8ov=1Gc7A#?wn&uSW-1sq!%qjPtK2Y!bUvo_y?VuylgaoZ8y_9UR>5AfyA zc0ju}>(23kkWVvRf!k4KJSX?chK@ap_;kB64}7Izp`DO%3ZownbCSFhfNc*jBu-Gq0uJy{xmns28V zq4Ogt?$xze+St6QTsdBFK#d8v3ZpOt!Jfw$8F2RWi>Rgz`$II+ZFm8hSHIhsK$b-L zWVWEN)!R%$xE`;1)Cf5D0Z$Ojjdag&BVk`!8Yt0}p&0VMooecKUEI>`} zW*E&E_zot&N9ysI9e8%aMg>2e#=}SoGaS3V1yM3MfSv+TA_FY}9Wni`F*Xsn%M#CD zXDYiYl*PUGy=T=ERC0?+D}jg^S+Pr(uf?E%iI46Te=12 zR+#}i32vgwCTAjihtU$|u@IW?oU3l{C|!@w$Kg8@Clvgt3%o^1L#AVw4Mf4$_rVwi z;BIwl$rRl9+L7g?g?MRZp{7j;g($*L>rGQd+g=e{uf2CA2jkgN>BjlRBaPOG4%?=p rHgIkF*!Nse!&b*XsyzI^@|X`UDnrM|o3!VFvIvSfOgtoy%qaUEoY88+ literal 27937 zcmeFXWl)>Z_bwWsNb%ss358Oe0!50JAO#AfkO0A*;!@m;1-C+Jp-`X{2<}$gU5a~g zhZ0;*`a3dn=YQ|FJ9FmDoOcF3ZgGG;YE^RN7<7HRNA3U{2%Z-h+?=KpR?NlHClmpQ5 zH+?bvZQ42`!z_bG+OU>N`)r*pD>z0#80RJzJB^xOlGMADcc$4xcy9iN>iwp~5!1Le zTk&qm?%~nR)%Kymdm-1S#R_r5Uc;^c(Eok@uLb^(wE!Gr#|;Z%ZSNg1dtsS#eh>0y z-fEpg>WOtdeBrExhp3bY0y;7IW6ir}Klt7qIo$0Bh5z~~SJt2UwQ(l~b8g$zvvhz*4SXpDgnZGl!$_7bTNX)7_7O!fWG8t#1f zZA*cRbk0?YR}W^^W8ATTJI za}5CoGjs!@5Z>LGGAwmA?uasAaF?Gh#t$25Y9Pew-#kH3o)2VUn&1gs)N-9KD9F^}4+mV-5E%2#dCg=H0H$oKYI3^RnQB zE{-|Fx 
zFn}iv@BB7dvQwI9Jko&!_Kgc)0on(z?yO7aHRJ5p_SEM_RoePMz=DSN^Yok&C+FUao{9HW!jv{&o1$Oy6_ z!O;O1c19@#pt7^}&!1sn1bXQt6*l|3WFi!BxKK#=;|4G_U+xXu>_lTo zqW)v(KK)cov|#|F6!nqYJi_`4_V6UtI@zZ@$tx~|^;u{)Rd5t(VE^218+_Pw?2Z{% z7LPyxe;P>G6CR&7@U_UUp?TV#HG9J>P+q7tqv@(U{E4$+38XZ6-KV4oFt=qO5;<3S zW3yqNe69hd!{j~~qx}>(kWETa_!??5(fa74+gI_eHX&d> zw1k;7@-d80nzU_;aBVesh_`6-@rA0KV%n}R-R+p}3rW($9oc;r6+ku&SlrndZhyDc zOW=-4tR-tQKdKtp@k_2>wT{0mQqY;rftGp{wj^&2MqtKbuLiX}F4rvGGwDEBe?ilP z=zCPS|7mZ+tS0Y=k7vR)+ea&rR8O=>2xBl~g`GOaaBmsTo9eBIo@QI14J#BF=0cuX ziS@}!OZ`0$*ZXo&>uOqfuns}tyY~qbqW}WA^WqV>$C{_3o;W@|L+ppO?pV7i z3>uuGp4L#pR(McT*-TP$Kn#@ogXcPzq#c@p2rH3n441KnQt9@{n+4_+IZ{22siy47 ztg5Zz59~k8h!i%-FTAEwn3}3Ycv!PxXk^eb6W92^;P5}53t|KbVJ)1yN3!CW5rQAV zP{0(}y7?1fntq4Qu(f9`4-&qOuvG@&8StNdSH;r&uU{smDXkYK(b2fEV5K{nQ}ToO zD}=@qBj>ae6ue*qLmRufo_3F7BV?ff=g8cb8fLIRQFeXvfBN&Ct3yWmddK#J}wBoTRy4QVD8pv=1Y4`kS2&=iH8 z7H~2}EF6KD3&fy;WYQ6Dtd$U*OwQ)q(wFn&8Iuz3CyFXm@HbS{Xm9EfneuQ4zxF9y zgl#y}V6U?9i)VVGy!8BQ3h3;gW>2Bby=%s2@PG=4l`Zr|%ta2YI7df~!gVHB_r+|u zl|AFIb7sVS`jeX+NPy5DKvcfEB(C%v!s#X#hMAx0dz7prbJ7HZ5OH$_e!bUUxRUT4 zE^tfh>spD_b7eOX%!Wh8Ms=&t@b(U_ehErZ8%+hx_hyeSSuAKXs|ReJA7#uQ{&NWR zO%4DcROE&47D+pNreZzYH!fMeIacc-RI63K-0vc)P;4Z`6F+Pr3#HKPTx&}rb>g() z{!&OI;nuGG<*9K&RYtf4N$kVXRT}XDqD}uZL-UpE^kMTwEo>p4SW{NOR;9?4qxO&! 
zKv;peCPec}>NMJ3WNDV3Ad|=z;C8ae|86^X{Pj^Zt@SBnz5`g}`Zsi_gHAE?6?a;u z#HVkbb!pgPMIba0P$qRad>=t{E7j&mw7k_t3O(J=IzNt4Y2_q=|1yFOi%@~pRv!z~d`Owrdy5|lY1EJC9 zXKmm<5Fj3U_&nGbGR)zL@V421;cYj!F?RW9s#x^zuT%j(>KqR@OY9N>ek!Ml_Izey zEN9a;?T#KEt$9VfpwkyG9<7KEL$sYfVugm}wC)q@v|&9hBSGkS&1%WUA8=W^Bqih#8SEt4{@S$3y1D16(f)^m z@n2=K1a;AvYAl`tI{ST*A7MeE!2ksw(-}NLk5#Vli^Zdvs4(J|3;9c3JF%V*%<+_3 z6}6^WrY7wsghLsZu@*-Nv=8{_RXnG{m@=eZyt?OC#4s)&h8DI_mfhYK=BX_lpQ365 zwwxqpPG1V>V)eBv1B5Z`vZi1Zt@59}4}N3tFxyPX*xjF6W8+238w2tQ3Y|k%O?mO0 zB+|phBWFX`_y%IrRN9T6->P>QJJ>=8?=`3UNL3$c@V|Z|wQ+R?48(b~hr^EG*nTV4CFBB6Zw# zY3hjO!=`3igtXmHqV77L3*%%Q6ZTywchwlt%U=Yo)OvF)z-oqnNNn}mbDTMRoncH7 zNW=oeDAX7-()jE1L12o4PeW6`P=l?%%Vz)f@?uFU@zqW&OU$B`wF%x|efko&!UgFE zAE6{j)%m@BR&mTHm}%)Ria2C79~Wh1t5bYSC;pW-T2ARZ0?#rDGe(BdHfaN z;J*I}HT7^@L@6l%t}^|{ZP~i}GYkq^KNsZlQ`OX|!X%MdpAWnaQX3Kr_n#B?pF4hX z!UCh@-p0DI*z`-Skf!~IkYr6 z!$?c>-1ul#wi1H()}KRdf@jd!_TJtmx1Ocp*|+1|&qZ{RixtD2YP25-dQweGA=Md4 zHcabhC2@o{#IQ=`V0s912q=%uQVoCKS`D(x51BJ4T zNs_q^>Z&h#%h}Y&MIm6ZXk^DpG6wi3ke7%kBpBT*sFveCH;O8_tNgpl?*2xVzB48& zb&b0ZgSKim;2Y%ORL7QsujR6)l_t1OFa%ghsrRw**Uu?`({A~q(WuGTEcKkg!jEU} zH@4a}&p`0UXcsQ|5+79oBqAlT_uuZLrK#q}!+*1h0Z3~pF(G~@MKTa6dj`Vy5^#>I zC+*bg_x?_MrUaE_RDGic+Y>Wxva-?F7<_LF6$nt#? 
zl2f~_rh+HZWyP?_ik0I!@;vIwJmTK7#cu_U=PQ*?8H9phv5Y8*xCXa$*oAVc&r6jw* z7-1*1;XkpWK14~}mg_mr%ydhVL6ZJKq_@7@anVOhZPtdLP_}vI2V7S7UVR5UN|JTV zqM++f*R|QZje7ayjt~eh%%bckzr|-ZWL14Bw5Ar;*p+eto7^6Qe`U1-)bWdJRXz?% zYFSskAGc1}|H+ubS+r?uV=u6mQCHCf9CIOTeG+f&27i_(DarecIZPCs9;r8fJY^@~ z5%qO)9|fl^gEluuz2-hQuFk={&-NwV#@WkUt}!5k{I1g?hQxJ#yToRl3Izt2=@9=0 zM81B@s+sc{snvDB&>xJP%&E9;$%0C?)MSSbz$CVkOSPNxMkk(o?0)~1F{PZTNy!}T z-PUR9X|kVAd6jE9j9Lx%v~?VV*>aRGK^u9FKF#f$ z2V3f5*jbynMtV9(8pa0ei-+eA{IgqY1Ms3RRyfe+;EN5LEG$QPHy4{PO~uf|IQv(L zg)}}V9S%1^B$szR9PaI7k!^F&@(4y*B2I%dya&fZ-~qz%BD~v&Vx<%)0`Vy9GsLDI zJ)7*hf&Le`Bw=|-0wNUrije8W**Y(PMXLdm7-v!35%Q=r$l*T1)`#C z?)K;YWeW0g)Q$z^wOu5~`C9`Vq$EM#BS?0>cRQ%q8YQ3QLsR_oCAz;ShjA2qH1bHx zN97ffTkj-kH{7q8D!}f(n#-AJ^4P!e|8smBMeecM%fsE;P0fh6!gnA|3xswsa%Y#g z9@<6|*yggzdH*b`VUt!Jm)@Fhj8@zGPAn^zY z{U;?p>jwLzw)YfJfl>|E-wJ3KK2!x>eC)CRO(T7E|&dX-<4&%pWk*6 ze9Yj0E&J)K_*!7is+HfjOHGdXy#BCrrXYmPlaNZLF=TcmLz4rRo1s+C(58yxX@dZu zXd7Kakf};3Lr*^-e&sdr3(0Hyo76PVuy#D-O|op->Kmb%nPB-UWoI1YJT30`6M-dV zo_3Ag0W_(Ilwe66ux&i8|4K=^{NGnLF~clTOXr;Da>j~PF!Y8H`N4Luo8m zI?&?GoiwvPhAAFFdzj=lXhV3;an2epkVbPdRaEG-1+>eoS^nLl)T!=ce&b~ZE4ngc zBZzi9w(oQ}cv=^-x{({kK;UE#%j;~}cVCKO;S>0aC9xmI{C$09K8u$2>-n8-6&3Wb%>QQ2%VRDvSs6VrZB^KrY^(% zr^9ip;gZ~-Yzbl@8BqmNo}W&z@M&$+i+tpun2iHZv-pUv1w#=AD?I-t3E{pOGp!an z1S57exN&SC@0xh(i>Wkwn_kSh_>I3bGnStqK)=P&-QjK@Uy8)p=e!!^`6kaXXBP)W z6_xW(aepfoW0qAB0IYk5fDJ@wtR91Gia>Z}Djz>i7HdY)>X`v4&1ysCE1>ZK&A8iQ zo7p4a#V#~%WyiO%n)*n5V?Kspq%|yaC|TF@rhMJ4e-pX|$t{c9_M)Wl!N>hmz;(X; zxb^5adJua5Z(T$QO5Sj?iD`#saM`|np#H0crS$2?^8Fu85Hb#fYD}hZ+6;PAV_jEx z6dZ!Hi%oRkWjC48VI!t{7bO=AZfYwn1%r7CfFFRsWHblHXrI#DE)_PDZa7BBx8UgN zgTnJg(4MLoeui)DvXHL};o&kaKe8bW{w-@KIL5p;QmPLI`^8Gifwf4`I6%O1#=*B3 z%KgvaJpYEtnxZ86V-)bU@5K{=f~HJ)VKJ*e{9@(4f)|B7(e}%hYJHE1{yrA^43XSOqQWN(Wh=@^X=2bW_vXJz zZY`lm_v5ikFJ!I!Q7~K`(KmHuX&-rr;Tk3|TjujsD zkD}}X6*hB;$b+%;_ILYCp#L}vTI+$E*r(RoM^ML>9JgP%y!a*Ang5kRIonaha>UxC zZq&=JVDw}Ej{tA+>lF-s{}=kafAiYiE&EDkfK|Jgv1Mp)8M;Xh9gepRXig}&oLz15 
zkr0~MTO%*FKw}y9{I_|T{5MMM%BCq2duF(bCl0#COBt*UvI(?$oIRO6&2%j(_5Vtv z1LYW`&+YKDQEeP(vY6sfahLX%SYc7HurZimax*B%j}RP;&QQ>Y5ZNWeql~O&tDQ8( zuh&-4D^Z`bBrHOB2ca>_%=Il-drogG(0|O@=U4_gBtJ7F<^A z=Qx4-aq;KqxOMWBT z+(JsUe&0o|f=VIrqc*0VX|XN(XnLjWnHCgeq-lB5bB6kX<5V>E3+O_SxLu5r7?*xu z^BeyG_YJXCoA8_5r(4KTSBv7E2T+C$AR_T}UfNd~eD<&IWqsxyZL>^8ZSxoK$M~LB{@;W{cXQIcw%ct5DY#;0~BE`%=xyH>H81g z?8%SlVYE+QE@M@0D&o^o5DZ4M@Re9=9#gdA`r6qWiO5g-cj%)j z7YuL8#Jx+sA81siV9C3Cl;{7?VD$eU9%Y&R?%D`THx45x1;q1i}jc4_w~;>@$vnQx>bvq;sSmRQp?FjltUm`GG(n zBn^!gbRhDKgZ6k^PhFyv!2=!t;#|#oM@zkNYf<9DdH;9hi!JLe+rRQ7j;ET)1sIB^ zDIigP$n+Hr2bmk?KffogMJ2~Z39vCX3B<7_q&48)o|~Vvq0s@JVgAbuG|X7wP1hbO z%2vRXbC{5^cAu5Q`#{#YFvddsm}%R6KR&2r*H2f;*V!d{YMqKG*lokrJnz-Tj1&PMB*@ViN|#@CqS_ z(ZdEEPWF~K&MOs*9^~1ti_0q>bYNn(L6gS~h(pXmazkjwfWbzN_&v!_K}t+QP)PrGFE?` zg%8K{9LltO?<1SECu1jX05$85QRw`T`s{vDy{enzSW!01(WDhCUDoO?`IXk&Pwo70 z$#|}Ff1Xk=dyA}qLpM6a6d9UjQ%YV{kW&_Ppp##r?&PlSS06ux(~yu znFpwja$1gh3&U3_zPye0WuyHjyc2gY2^I??oAk!iCxGo%Jsat8S0l? z$smtWeI2t@gYKxIEA$f<+Cx$^Bw^=PECcCpl-@o+S9qi2n%2L9oMkNaw_-E0<-uQ# z!PNbBqgy&JUzKvauQq`tYjTQHVuub(~v8?AWmLsAK9ZZY_o zFlI5F_MD%mlDhD-EbKI$7Q4umuxEPlHe#td%-Y`c-=OKk05DwDvymp0CTK^NZ_4Jg zbiJ?~pub=Hq|Wdyp_VQO-p*L|^)q}T*-Sj?oqa9oI6QVMPl1=-!L;M%gP8hPdzGwkJYS&< zA_wiaHI}I_U8+&&hhna)9;k3^P#4!}ElE3_d``!}3~rb;ge)cVJkre_QKJAS6N{zb zz`7RrxSLM{ASa92s!PFkjz|(0i>8H93%v!8?@? z!IDCLLa4a|xg0*mFlJaCFOqQS&0W0Jk20n&1g;kYVeT!V#q&=!Pc)5RxZc&Cj2r@kmaa!TZ_&<|tt)gF9>Mt)6 z9kl`SFiJ%%KY2&E0{9;swhKL56Y?6Dee#mdmPk7+5npcyODTB(-=_CS9u!LYW1Gz6 zU*#K#vG6@|sypX(ndK(Maf&8L#c^Zp%;t_vx=z0IftG1u_qLl7D>k1$Nxv>!s``ld zm(7_?GX!kY1<#zC%#aGW8AlFO&WI1x6-B?S>~*FS^^^Kh!=D*Sgi#$>y&>Ee*`=%! 
zoNw9}cG8M`@vO*o#J*WFyGFsU)OWE^>~T5M?~x-dE=0Zn`aJzw!xTqELcbUhqh(cMD4IW7vY>2sZp5DL80P3{35=nJ;&A#%Q+t{kPY^~ z9>MWW=rezY_(J+mI6B{ae9m32QvA`Gr|u&SdkPHQPZyRO4@Pr(&|-72pj|Qw;+n6EURJ?)8{!_*@>JP^a^_9Gihuh$Z=V(h_clrppCzu}cLHYn(HAUgsZg=th z&9ppzh6jncZt&4n+eUNt937f!CklS5mlED90t1eOz-oejt8u~meS!bSGKcYT<3d*$ z-9jmO2dp|)u$NX!(FVVgAShX@135U4+#f^gJC2oyMqxVO5#nC;ABYuN8HPS%vfq&< zgD9d~y}PVTZGOZ@ZG1<5;0sf!)bKE>vLW#EE0WV@xV2|;eB$eDi+UY+3##wahW#Wg zfY;RPm9o)tR}Bq9w9N8wfyDGgWJrn^EtUV7c{Ay9Z~34$puXqhuv|MS`-JaK7;U|n zOf$9o1UKyXXAm&uHlX~Ot-wAfj}z@i4E^|(v~SkO+HkPT#k0i@Ph zJ*6ifyE27Qv&w3j=nB$C?)S6E;i!uk_E!i|QfB~bAl6JOs>hBu_0qa*4VULA10nve zdYE}5>Mp^uHE8&VVrnUBsT!W4WRH#4#mvv^(#>p6GKD`uPy$ymcKlQbg$>yBIiF-> zmv;%o>rfHw9eNIgQ`LNPX6yD4StJGRa-tWDwUUE+W@zC$>lPI9AR<(wLDd>c-pw)< ziccy^g(_+LwPxDp3@rNb0pRwwIBOxF>T9Iz3a1@mAo)$7^Q`pQnA}BuRn%K_3wH$` zg6@E_9$S_N=1IHGUyMx6t_KiViKtt%An;@4nSYK3TL2@2Hs*bdXWHSDR8fKy7_DJc zJsZqrJ5I#I?I@{VH!Kg61MXxH6k4p)@=x#k^m+iE8j>!f)U*fpP;#MHwH2-H9HdAB z>w~VS*;*(v-h=I>bjmY)p|s4OKZh@kTr0)6QsQySQkkq`x_r6s%55(s_dzC8^kXuA zyi%-X43ZgqI@-pJG9{$F_efmI%>aR^)d)&_jguis&#L%v3p1QQ$NL8}>GjKQD3Sn- zV6N=8f8`ep_k%x`4p_%4Rt~otmD3w)S2_|x&Hz$#7M=VjW(BPL3Zy4yJ{Bo@?^{AJ zeuzHhklDtpEGvDO*q_))HTZiNk*|2k_Su@UZnO7G=9P7sv(mNyvYB{! 
zd0o>t$5%i%+J74Q3(0B-6H9oE`ttQqRCv1Gq-<+CImii96yah2XG=D>qK^KD@*B(s zq2bUGz6m>%DtD5p@|czYi#n%$SEI#;I@W{t0>CpYG>i%-+!~pjEsEz~Kcm>=_)Zlo z+;swok^i=I7T){gDf4@8g(YS(y>~sxTe0UnP5eKqw`l#@P@`W<$$>3owH#FH~a1cRHjF*E=@#i0wE7@Y%3X%&1BDo)a~QSoZ1%a zHu~u@QVDvZI82zyYwZ2;r6QNYhY5&duMjO&k^Uw-vYqjDf@V}bbL-ggip9|+y1!DA z3!aFBJ?JJPkPX+ZcO{~3=U@?`>wd{LXkjEqHO2MYBwh?(K6(e7UlB5q@@$ zp)Yavmms!m#^UX~v97Hlq$vwwv)?11T0i_}cdpvBZ^3>RXX(I*e2dSr`+0GWEi3sq zNjG6R9t${Io_}BF;AFGq;o0*d;4zhCIf3u+2gu&D)D7ZlQ)TrT73t)=?qB-ePUQuV zEp@a6HtrwU4@Bf^r>?7k>o$*b{Bc&+KNsEnk?xMoJSoMe4%FSxc)rurH|-wjpH#sV z81($s=200Id{~G{A5$f9T9`NoC+qP^B`aH?Foug-e2e6k@3CBcl2PQGMJd8M23<=5 zQu-ZV2HziyhAle`G$`I@Cf^zxzyAvPWcI0LCNcv#=_(%Kou{QSu33F~nQbTz2_F5@ zv)?f9?_<6`?Qx~Sdo`XR{1tJHk5<$9gU@0!Dw$f%9;gJ>ojQHT^JnQXL;KegkG^qI z3|DbXcqitzC3BDx!v}M(TqtGU8z%?&;sk!>HpXCm*;4EV6vs6>oo%u*7;97@he*>_ z{bmBX^@a2QO}^NkNvR*3zb6?4B8Y%<03=J1P6(b!aVRus?$)9@B5~m@3pLNbHZj_1 z(!KIuRPz~VD2!W5Yoi46w4oEn-G}{$(>mrsde9jS(dB>zmuFyk*u0Ny~o;)S;-B8#KI%}V!3X_j&DvCe21=C0fkTh z?8`kIGpc5Mp&Qbd*g90S^OImQr?jN9c|&<=`YRVF_Wa^`_ov&Um#8u2=DDVJ<_}f^ zBHr`T0jB>=S#qJ}(b?GSvu~S+8E4W~F~O;XvO>i9>wD6D ztF*qsA6z2HE^;;EWre}Kgw6|_PBWWMy_?O_mB)DzBlO~^3d7oD1P)fxLPS2>v>_Ku zpp`!VNy|geZtNbtoe~DVK%g*{T2@66DA0CQX6ESV4twM#U0ih##~ z?c5#uqsy8E*lOi|oT1}nFD|yshV3sdO=JHZ7ZW;@gqPFBO8ajLh96z@wl1D&<$tT@ zN0?9qDXV7r(VKrs4VC4E@3MdT9Pq)UXUC{N<80orHX4CLhaPH^rcN(@L%`Jkws=6i zN4g9Uq(nc$@Gyj~PD9fiNSrCq>+pA8?q;&TjbFTOHmpUUpZuQ$#y8HFZz zJ#OV?Wq=+x6L9QlgCBT;=3nkEm5`n)Y9w#?EZ*li_jmjrHy{p%X*o@_fQD^{VQmtE z7JY9GU5g=$=w!kWGr(_&qUpq!)GpT{bl?u-$Mc>;UoK-r-}OLT2O`q7yuJ~=MmLeM zKZbG}3kR@dH~*)2Lz2JiTfG#qxIUkfmO}?dbk?t8iAJq_4dnA^C(6U z=I@qkoFPZU9GB6PWw=)*;VeIXmL5;fNP8WKIeppuV1&L5RZRSx&x^Em(|euf7=;9$nb z0Gq$#r>fV%O%Bw>#CJ5tUgS%;3dfuXyGJP*e5f3ZC>uYMn3_VuGP}Nein=9;&(5&w z<`$Q|2t=A@o8|Qg>b?ulP@7B5&Z<8jk5@;!;qc?w*qAnYS4-yyU#|5fz9=;lj!sAP z>g*7K&aF#nR&J5}b{9t^^;XMp^Oi zs_>iXb#72!zInj|-l>&<$|MUa8u{c`a!3-D~P zl?bTjFu&P1dTh_}rigpeCUA0})PxOsEBft?^!NJW_Zrc0am$Nt>3i5O9&6nM>i&Rb 
zHra}}mgP%&OM+8X*_ZhuKc_I1t{)jerP;HO9H&W_YV7AEz?)>1N4y(g?BPj_j34 zYn~bOr^5RB`lM;h3~j&~-a)|D71ql7(3nQcTk0x7X`AI{KSd9V@dvA|=uAAy5smGV zany%Dd0Vtw7a3ay6D4b8ZUZvdI=qAGPo;k@Gl3Zs(JNluv(&iJS@A@7`X+cXw!TS8 zNJwC<@XAQ-NHl~@`FAi%y0i~}xJGwP4)&~@O}yFf>J6R*^uzCbjCVep0PDw5zXA@- z=@4`F#+XHK_`HN4J&V{3$H-A(OFkh0a5xpdE`_a}jUGD+RjI$54A6)QAd(NLOJw8) zdRcHLH}v!~GMo`L{x~HaL#}%*y$9T<4p}M&-Kw^1|9YP_qGolg_?Ah`<$Id_*QJ9N zE8bpqiffhcw-UUdhg7Af_f2UBEbxdRB^ULWyhGlPTh+dbT|U7%-n!S;-T@tEo=aR> ze~&;F>09ggfD5DUI|QP^!PImW47}3h{mf-(RUC@=5zOp)JUBRb&}1{e)Z}9YSQt?8 ze0UBj0x_X}X z6aC~9H2ey8rD2AApi-5mWPH2wX$bh(1;*6nF%SjAu!uxPpx)|N=i)sTpll~wJ~(9lLWHcGI-G2_dZde_o< zSl`8+N5QTwSE)$1uP53B(S}tK`MQ2g#xb31rA41ztNBGp%JEr0CS?6tAh?a%!!a9D zy4gX=RoCirXcZcP*jgTjl;axdpJjNi@}E?4=BPZVVp^Au_lPa5)c^q8?ZQUZRi{U# z#}7fDlyem{PNc-k)$hCKc#@Ty{LRhRvtrj;o$2#A>3e1?twu6lX~QgzsGE--(vbJA z8)va=3p2r+6N0|oPpmpII*&f&y&^J^dFPbxdW~X$uKt)%1NF_fs;bD`^zYKV!aX&#cqajxq9z;(jemW&heBN9LvG|-txm%8YO zK{$XOP^JQPq)2d7RabwgBR{}AQR(e8EnkaWGgomH2QcGd<|Ccyt>kz=H`*U9HPs5u zEq8WyJ}D8{ib(CjP{QZ8 z12P79^q<7_Jky#isQ!kGL_{NZ7Y-L21GG>x86M)8Kfvu~S4#r5o{_O#CnOIu( zgiyN_tTJt=BYA=&F%gm9$&{X>{pD8=h@Fki?tXoJy&^X^cY2c-YV$F4ksY)LXaxqr zL#tn2)6M5aE^=N=7J9EWxa~Fj4e-=*f5TUBSdOKmuQ<$S5Cqgz{_I7z;Lk;q_Yln^d#kjl0O_f%;;iF*wrR0-ix zy*q$za3@g*sVpe~K;Hua+yGRuE`yMUX?^C`)m7>e=zSW18J~hYpp!{}XcOlqXI4-E zM%i!p%?&?cKm!^jMzw3LXrDy9G7m5XxyV38FypVTt~3=_|GKhl-Ua$|e(U@7BHR z9;NPj)c_SJpK9K3?b^M|=f<5+-vyK^7%|6d2HiSsulBJ?Zxo-_I~#cPT^qACn-@3D zUEJ~26vm*X#9mlbA-~+TH)^5&WG#AlMeG}V|KfB0LR<=j}njK(!h#q55;kgqe>VF!v=(DeSXj&HzQ zb#)PxuIRqk(jMSfD~%xbr-vr$k1nb0m@_6c*&ou#GVwZ&jjSv!{g>_1UYYp%-a5pt zNhpFdh*#7G<{~CD3s(o~`7aXM*F#d+$ReKiI7<~FNm^HzABfOq{QG?5MnuLC3!oUw zAo)kh1h$8EggS%H9)$qpHRJNdgTL;@70yxg$3i8FPMWn=VPgGh9z)tw8;MyORHzoG@RpaM zUds0ww2u4BPiPVywAav;q#_J*`7w8v)VH2C9T&|=)n>~)GqatlK+R`ygL_EqELF{# zupqeOrS9-I>qAGDw}?$2ihL3j8TP%nx@%x`loUX3`+*-QwqV{^FtGoO^HK;_@y= zfC*jH8V}^Wj<1;l5z2*_)IG)iPOG?nkAL-D0Q0|krRSTe zAm#wA@o_+Ne{o`BLiBa9+zM)0LaDBY`r2&M%aJcaS6&3x#R;o6J+NUvq{7s7inJ|jBs(}b(8YAF0us!M+y*x1kF 
zdb#XPO_+ncl5~Dm*S$T((7u$!7vjtehf_mCG3VtsqLRp$K9{!}&M9zVOnAq#=GF%z z;llB{3$V(wLz3?_owQ~j73`@CXZstRCwa?M=BrtSuR_Ph{*2IeDHR9SoQjbaUg`J3 zM-;6E$e7yO7j8ESLM}d+mzQhORtK=LOCIIkxF7Y2$4@8Mye$G9)>*_Y1F?c{`^sL( z6#3G}Iy0M+u49UJV|3o$HT+4)d6k&txU;?%p#u$xSqox|p7eMX?<)fgLp;G1&!hhE zJ%S+_9U~sEpdf+z+rk0HXvyzXdBY!R_ctA*HE4qV3@4t4PfFY06sR6ZRhGO?iypJ*>`t-$JZ{H1!aGtvSD2Rd$rL zUaiC8hn3c#D;2&bAwb{&Z=+qGyH%!N&DD^jzo0kzO#{>Sv!^|Y0T%kc?%d4{@wqJsw?uOnxChc>810Lm`Ky@g3--Gs1rULS<00QnTKf z$L21nJj_N63azo(_54_|iYzD3`{|IGnRXFNFZPjWZ|=94=D7!p%e#e`#Z|AR`sSm6 z0v=or8YU(qk@fCo#*nt)kIW&?^rE4LlQscqQEd|^&9+n*&+E)Ng|9@u8hEakNcuP! zObv^h_oFiK5`Jq@%F-B{n^P#p(fd7QVEK5QHP{abNJ~F>$jQm6^E3_9pkM$Jz2W<+ z?wj$n<9mqwJru+E@2xvUJeM3%DLQevdLwwF{*>&3D!~fF^D%P{^yQVtIEpdj{EjkU zwwUdUsv+*m`)UX6$x=X_iG#yo<3(MMq{H>FN3-S`!NR}HgRt?i37oFj+FOsw{U!^T zfZG$}Gymzc_nlh6^@-&?&E$8jF;o3)kTb^jQ5DmYn<;dD(I_@mGNK!0%yNMvviVC- z%T(B7&diU&_&M|2(my^cYB7Si+I-)+?&kipJ-f5uF4qmxyeWz;Pg^ zgw&Vg^Zb=8w7z?vdsA7>7`!V1h>nT*Mrel2Nav*Xv4?Klt;xyhX`R(foKL*}?UUzd zxMZj;lH8T$#+OjX_L<<9r$nr$gyC(9k%|SL_Ln4RT#)Y=>Q|KCvf}_h)O5baXLj^n zG`=;aUVx^Df_&=L&-E+d%G1u(T2;2Bts~VuJ>IkN=bW2~+ZGW$tD^3w9G$|Yg+6&w zH6BMxU(m{hD9|cJ-_ISCFf+DGT>#%gnuD%PfZS7a@91G&QR9O5TX1_v_7?xO5sY8# zVhO&C;AJilopLR(_v+2aE0%+st*V9xZ?qr%hH;D6n!+ivY*XCSc`-m;^ziQhTmwSc zlA87EZZ&Pzx{E6uI?_6OmoYdpk3pB8843y%mjs$BXM3JfO0#hCK8iQ%S;}O1;@4Dt zo--xdAu!#F*W3D*j4znJR2#eER1>^BivNkKbS%5>T967j=#H9#1xU95HSSi%?Th85($flQD$a z&ns}cmc5JU+#C4FwcYqraA#=e%ZGtBXfC=yv9=T40z_sO{2GFIb)r-8*%Bn+Urq}>e&&S(LmZ<^;+j3hN>B)fg1)pda8VYL zJ-|qqZMq&%hC2QeT(bA;JqKe;=AQUP8Ev!s#o=O)oGpgI)Gn97*fa)gcrHvcymHo; z@Momph@6#oxj38fAA>_cDff`$`%ltP<)@kE(flD0W|$Hh?5S(_KfghDROWf(FV|Bq zq#$+$$$~JimhFe3{g%1A;-Rfji%Q)d8F3gg`=oB{K}EQdP_y_(Tgu4ZeSz*G<9(+D zXMZu`WR||~VHx<|rM0|yJUwQcOmJ9Ro9tH2Yl+-oT3^%4Pe@3oA<)_46{stMwc%8l z!-s+M1ZqQuN&thL|GF?~HufGLtK>W=#);r{{0z6hoZq=WweTeKzk8$mZ zTZ=xJpI#2|zV;itakmn`tB;6?H~;{~!pL*Hb4#&`(4&K6YM#*2wjUq!qXq48Q~|k< z|7+WnEidY}-bhQW0?t?_=@L1)4%ewUvwAyTYehb}LFa%yucaEwqx_GN5{i%BW=f>I 
zQq?ICO{NvKP;@ylIGEk5usiruZu@TApp)AmRvBz8r_ND9v2s!DWA3=%PCzZp2;$Wwv$SQebAKg*mX%_r{&24*q!iaT zwTBLui}~omw!z_7mbZf6uO>A<@(+?s7B20`F}Trj-Ei>u=s*aaYKdUgS1i4RXlQu3Py>+O3`PE+-apzNOZpJQenJHp62oLg*j4ep9O96xxy~OO*~uO z7I{ic8zUDqC)2q;R@yAK7!rSmh5~=hp?*D_`UP}7Zbn`^6WmZDD&ImGaM|P&s*VG& zjg2RE#euW))|m(RoO+OLT|JlAeBAd0^H_TH;?-lapXf+8i0>h%@m72a~cbRR_(Y`9jEyMiv}spPsQ|@;g;i@+R-C^Ci^X~ zC60%!T3_bL`x2idG8xCVtuM@W)d@c?paaNoeyz%VEYJbzQqO*!xY!~-a zAB#ZY1{29xrdP22`w<@Qg>s*VX3eqtuR8WgCyBoSiLK**GE8?uIWbb;HzTjCZs%st zp-+2~NSx?>0U#?_W0U1;?|a0N%}*bRFUJ$l3j&}oDKzVE5`P#cx36i@6MuI+wYnt{ z5{Eq%K5SZ`@uEIaN#hnX+`u*3Il{bZ=MA_n$j`1Awa%^RA>Yk$Km6M=W|v0yhV9n~ zU9YBcsUDdO)je;8iPO6rc`wa~^zE z06^EET7dZ2{$`TlNhN4}qAZ^0wDpOZahCST&`3*Gay#N#y3=bHPwVYv27wX8eOMZC z7-h@1;U7n1)|Hm{F_?kKrG(+jXD{a*#!(q;ru{B{LWGC4ww9J}j=H}qv;A6@{c$Nj zs&m&d{G{cOx?`g50^e+1I;h_yZ|$A+Ta$0t#z&)w zfTRL~pdc+FAgQD@0wYFucZ?2cP(r0k8a76ch9M!LgdiX}q^15k>LV*<{ZuS%em_vfSOCwcsD4ul?*MdN;$reRd^%-+W%5Ouje8DO7O^sYW6Fvy`9+v z4^(B6dHb$Duvgnz1-m4Q5n(^BuNP364y`Z%E}tnUC&b|>QRFx}7J+2JfP>l)7=o&8 z^|AwP2$+q!x9*=i^yz1VGu^cH{rP6C#%yRQ%wQouKeSub9tVi3SeF#%e|&A9`eNql zo7ihb4&U_~Ph_2*=+}?s32&e9o|;2C(J{WeX4C%gs~v=___&_z=TRV3`JW}Teqd$5 zfwKc+*QPO!*;m?BBnBc&cjH?5O$PAv!j3=T!kRD7=iP6?yRMKgKvNa+mrP);Na?17 zQUtBy#)>f;^2|^?JUlk9+Zp~61yh?o&wa$`TscFR;!Al#2hy$_G}`@idT?q0D)|9< z=1>W$j88*x>iI&~uR<36{sA=z43e8_#9)R>-V8|IF@?94V+eRbq=oJ^RTa!jVo77Z$5-M zN}j*WJ3>>uLU6plpK?=K>>3cQnMrnB|LpIggQ>NWkdCJy5bAsk7_#eiBfYTFY z1ild1?1J4T<&Rpuu~Zg9N($!t&)*-DY?vpK2Gd$H$TZKc!d8--vF-Yg3H1&`ZnZ>R zx>o80iK_?a=VpnCZuZ6+p*!Al7X_sbH|`3A&@-tT2zWhz+tz~iSHjcDw7E3RFj5$r zP!(P_lac#Yrgmu`-&>_~zE{rj9XugAnkdSNXJ*-%3@lCktTq2*tQ(T&$2RCPdL@I2 z`55lTj50pQpbM1xA=yP6efsBA2&gj=#=-mt#2#U)lRM2Y`I}eI*BbL&K(|-evY>sA3ok+|Rf!RIku2Wwq_a_kg)s zo?K5zwi*rbl^D;g0iVtU?czOyGqXGgWlo=p8}LIgRtbG!Ki_E{-%8(diIm8hTM~qv z$oHRgOg^c|vM(--HUwrk^sRbkW@3vZ4_eq8KG=yh0?m>2qb+Z>la)um5%UKh1DNle za}WLd_o?Rx_Z8NSseS&#l>GWwbCbA2CiME>kruKBjNthx!e?x^4anH!^jhc3A0+^r zFEI>SnAY^+eq$mATY#4$Z#kt!MZz|!*y(0aPOcvQQdsyz7u;Dpg#{w1yq(XN4V^I@ 
z-#Z2wg88!EZY2#>%H~S>uCzn<{``usED#u-p>~o|ErboE3d}$>{ZF++x}( zzvuVfH!lUJjlrmCxhc86?wBV)$>ooAZC;$#tDg3{Y{xm%WV-nUc{(+t^7=eA@rUhC zVLKX&;(io+@PD1_f!=pJw-5jJY7|IHY-N<92;X=VC_z0q_a=c~OMl_%fzOPpkcb+X z2j4J2-yJd`O+amd_gW&aYYsA>eoe`WCZqGVHZ(L0-)$LOuZQ00Sx$QtHKX-RS7N<1 zR5tBxS7B}bWW6gO_Y;JpguZ_rXY5pP)H3FmG(c*;l`Ngy#ud)RsL2{SQ$;;VVwQz? z7mn*!tjNyQ6-bc$Lyfp`cS}qD`4mw^+aNeUD#+rKw_&#w|8=9;kDwA_#vT@Tjpb>) zRLmE1nfsk4MS;B18gb)sef%EL57FfvvI9S1BklDlWE?n<;4=RvA8z}FG_{P*?LY*~ z=R7bzKCXvwP5f}uI6=is)rjy>m#o~GQN5u6&u0kZ<{iJ{^Rl9+7-Ig$gF&@4tbAvW8%*B!O6J*?B=du;hcM&I3K_Ff|w;swd_8}=b?1&JqhkjaY_aS z^b5LqqpZl%_ep#s+KzsH=k4S($7FJSO!Srxoe(Tl>dLq?DMBK#M%#FM>l84ae2xW6 zp_m)~l(5D3Ce^=mxYQm*1XV(krt0m+_#@%3t$#VI9cCfDz`n76gP8ppik*H+K zZT{&e1F;ZF_OQj%royE^r%gQn(F^jhxzku}uleB^)h81=o&&abH#avU3k#nBhUrTO ztyS2pvm#JhTbCz4VMDnze%uxJU?$njgD!n?m*T!!wo5Kext(#s>Q?|$LOc)9-~2$J zl5x0h_K73HbY^??{QYxo_^lX@w(n#A3o*$=Q{nc|sU>|rEnYev#!e3=lJY!1$jI!d zp!ESG4yBEh&LqC_uN0To_Uup37b#XFmgr8{JH;_VFSlct|NKHsuPAEc-jpYEv5n=Z zm!{Zt944C6-y?_n zLJfAMj6jeh2xocL#OAui?^hwkSLcM&Pvzp?^hTlMVpNS`7hCzse!qkr$cuGf`y~+XjoRjjqn#-C)99m z8M3AqQI)TC(M*bcSxhz+jw0W>M*`hO0s(=gJsw{lxUpm6r^ZHL+V2)oi1Ek==*ZtCmP7Vx%voClFzk>~;A@zp-8k&1Vm7bVp zwtAyNyID-Z7P&RtoR6*0p@kx)?1un@1=cHPl2>q==-zK`i(~U;tGYj*EN7-((^y_| zsbd_@yOIPm^LEkq3trq4l#(*>?k82Ysj9k8J`F+MfSI+y5HOy8>2}sOBWMA%W`7L0 z+Y|&pKNALOBKjSQ6%zqvYFX4%=D|19@{YAJzpHH+x_V$>U?v_M2O2N!M`f%{ijTGz zL3Ot^kX?aIklgxA3Z2zZB%K;DsKPP8F|)oOMidL_y!A2~snMOan0^Elb#tAH=-UMc z0&xG~p~uwW@aso(9K4r60sCA)k(DPbs?6%vR*ZIu?xoijY|B5wn7ntsZ$zNl_r0=V?h4HC~F`m!%3q8|bd3n=qBX`B$Jhn8o$WOF*-NU9&WkpEwzQPvY_8N*( zG2y+S!&SrJ^#(8NVFXn=0Gc6rclk#&S(D3by(4aL5Qldn^?Hmp^&P9Z8t2{m_a^s` z{5y_D6%V8V<{V8(m%+lX=snpyaJ}HIGD)lRs zYCmnc`j`?*7N0>w&39cjqfYA+Jj=f;-kjbwt4F)C^$^rGwQUW}iF4t`nS!$qfbk#- zOU}`jD2Xsl38qd{JzBPn4(9mZqS4hE+|-KPM5K(a6Gg*gty`68OvmQ6KkUdMJif6E z#EaQ?YPp#K=IQWTBnj&N@-8TaNlT{NbFJtFDgS-F#5)rs`u_Cn?y7k1HR>;X?lWn7 zT2Zo(dt4UWUxX-?dTp4`x@z2eHnopejC8XNqn#7)*f~d=ZXbO}4|_1}lBhaB2D$2z 
zl}!7YT%pw2g6}=1$wLVXg~@~(KXIgHnII~;slp0;{UMsh~K&-`Vej(cb#qwE+PP#&bs zb1}b#>3~R<#OJp(Y2%0$@=^X4yv`rHLg^v{UT|}8`WCOf<&5V)4_>>~a~dPBb5d08 zY9VmO^y776a)PQy!RXt<%>XWv zdgbi>;Rg=^`$AGEOWl)BjUmR4R{BQ}qr2R1E&{19x^lnL0zE*dL9bQ9iSCtuAHc|T z20?Y#ZHeE1b-5z|?(9_N+a|BfY^2?i6WPKohFDVE-d{40v1SCl=>YAc?KZv#pzSgT0+TKY(#tiSCHSsFfDQhGSeCZ(!cVUPD zmxGLr%*N>7snNu;p8Y`31bv_hdsmSdjJ!z#c01iDdi$3N6)lu5?^l$4F_RqnYb0uA z)8eDncvVFpwFA>DIR4BjjH{D1VS57Q#`)OT5+UcrNo+`7Vm~pX#i1+vlI?;V;o4z{ zNX34A+U*oAcYzuH$6R2kAd-1%(NH(B*RzlX7%1Wse~HhKJ`y35dP2UG&!*}>X3`V< zn^{7_LZrrmylfZc?v%6>*#-UNb`vV4=2PGZnt25KtxV8}Q?rn9Vj^(vUC9pmWjoZA z&~9K>?i5CiLwUKj98+wL(>$w#`v{8jlJIE>#dV4qg5f|!- z?!bG!&&gB$YWAc9eDs8uEzI0=$|TVJ$^fy)4na4d6$%7CDm~X*w=Y%exbxyy9-WRb zgT>2leLtbD4o@`rCaTq7P0syyx6ht7Jv*4vS&f?}MIN6h&98aA>RVu-!^hUTHCCdD zx=DCyyd!2#i}?0M1O@9%6^6~Nr^ZezUP*sm`h4TN?pvwnG?Wp%Lr!d{k(rY-pGM}@ zk6%L0`*4LCiFPhuU#xL0;!Acl(+UT7p)^DP$NuP?LREvG6>k ze}?s8{KPH?^$>J#xWs%BE{f1zfMD+qc+yRZ(8!)$T#{#4LDFbuh73%Z$yY8oXs&_KH@IPhIh zdw`j#4rlAV+$Xg(e_GdWf-aVXvfe(X{QB2wi2ENLaHcdUF0V&-hdI!KE5jU z69wuV9TahcS1W1n4P0mI*ZD{QXmz2tj4yFBfTd}=2h!dmk{VOve11dsj7T;+e{qp< zWG$A6ct)aIRsoebxaj9HpWb4P?o#KRpXO#me{j)XX;4x_z#H{< zY<&2t=erEe>v@7I-`(lOnYc=`%XxFy8Oz!AuCQLw2<$oBPaF*PTiq=6q=@y*CwJ`Osqa6D`9Bb`1XbFAxvl z{@njYK;y;q(h3|Q5$*#1H9ygH`$4m*oDS(MCpt%Hm3EzM0=ZRI~$3JWWe#{G{8D>t^9mm7Udcl=A zlbX3nKEO?lP7+>yJq&+2^Gc9$P#CYHaB=^|i!nz(<2Pr)JdBx8NkI`>i}+>FrA%lN zYQR0yyPjz&3R+1Xd7`8gn=-P&oosr=2zpIky{8~aocA^|x~pQ}@A4*tv$I6h=o+df zlp3ro@j29*bMDjIr;qQZ&ftFxTuEp?cQK+2YYx+xIN_&$>-qc++h$-sv>Jmo-vhTp zXcPP0D)s{Omu;n;G|}3>!e|HQ!>z`yOSg(ayQ?g>{}NY^#JyUtH$TF9AlRkHV(`@~ zi6Ln~ppPxOgov_nYH~cdaI|OaKrEGz@;mqiwX>oTej$P8R~%CtWY_VL0!0Mz73H~J z!+9T4)s&T#v$JU{Vbd453uHTU$dAU;e8Z_b*&%9&EE?|I{=EQrXO!m<6FKd~A3ZH9 z{b7pgjYsG@nD{vQKeMURK@%=D*8U*eATW4W1?Mqn&y4_6$dcibbbA7+-C&7iYuC!P7 zx8dgAZ*1WH*1&KUh;N;Ojp@WmXvlVHM$`VwV<~qLG1Q?jXmB0hreXHkn0=b^*|{Hc z80FjNBNsvpo$e$#_1ub>)nW7xe)97t14*68H0!qSm!rVNm}dN1$o^z@oI~l@wUM&I zDJ(1;=3vhVNn2{zoVjcINpFt<& 
zFEOF7fYTul#(_YV2GrE-+vc>D0?MLdz|w1ZwsNh&A^5!Ko?Z|3gC1|cb~41o40HaU zOi5#?(_BIqk$YapBikmKrCyfZsRi)9uHKezNLUU8$RFnoT~DeeOTVqE3vHOcyY_JZ zUbv$pNPlFsHB5`6pEnqLWyIQ-n~ z(~hJP_QuG~04-It)@|Feg1uvbr|C-)m?fOt=1(30!Dgv!!Y{^dBNwC{>%vlb< z=z^niGIP*ZSUN(UHAT7P!O~3NR2c-Y{x8{%*SWnuA$-T=pzeOR6ve7OIDiliS?HUlH}tC-BqPk?zCQ(&vJ9{Bf9 zMORmsQw!iRq+W^o4gUs~ru3L3B2t6JACZ1V+FN@@jT}_u5@=0P^*8XJ&kmB-p{7n& z3mkH9{eD>oLY#5%+}E)#qu?i;xp>a+Pk5s3+1sB*i6ZGeV_jd zIS6*<6a2JOWHS!5_tWM^8EM5}xJIRGR=;gEv+uDI&v{=2q_HcO zl#T(odO$OXnl^hGGO(`^hCLC!Ve~608}+h2AOPCF9XCl?S&Eqcr0lO94SfHuIlAs8OH$jq zQdV%)W!@UP1{0;kqXRjF55y<3@CA{uZN@D#ebr9s)HYWug3bw{9lX80!w&6*=#haa z$ucM~TlHBv9FHH>Yd-?;deuQ(-tWaaT734!w`A^;QRdHmQ^M@++a zM5Y|kRyDLAj1B{K2>XP=;*5X_OR9jUtjUCQS_J$57Qo0c4K4f7i5OE~1wi!av9UVl zU0rTJ@jhWN6?>HC`q1y=i3UKgILuuLxK*<$1?{~p$@fb$^VB%^AAR|~TRhR15_~oZ z)P@=}kA%A?woiKjzjaL2J5F(}hVyf!JY8TYa7?Rm{s)hnxqmRyQ8WYJZeee55}rRp zMJeT@KrcFjt_C9J=znMX&ajinA%EbChekK+Imv395quCXWOD9OdmDUL^wW^dO~tr- zQxIw{!Zw%K)b@U9(U}<$`hukxW{!DFkTC@56v-QE^i}fa+#BAz%Kvl7&nW69Zq?gg z?{?{X^HULMrX)l~r;i?*1IXQySr1mxA#zs_At@yE-jG+n!xW58AF^REL9*s)qLslv zycCESJXvq0v(#^%zZCq{6h3g$VIP#AQAuTjTe!fbE63_bM%<|dbzk6;;|Ix#&>54G zllP-LqC5X%X?_2rU^3bZ0C()Mqy#WN33O$p68WP1VqqIv*0TL|i0E6QM6I!YD25Wa z1oGt=NVD>0f?KZe@0Ff6kjrI1^zCP;+D=rlax!lK2F`6V(;4jI!kh8-=@P(Gm(2z2 zttlK|mt%^J4)n*euDAe2_*Ci zTWyg&m%{jsotU+UV9#}p7cYRLG6Z0eP@JEKh^Q_b^|*|SU_kf?Jw5j&(#9f&l)c?= z|LV`$+8W;*%HS!6hU)nN7UqZF{<15FHU?qxWAO)HcE}UN9(R;%hN!S=ImuHSmyPG} z9d@7QpWc`;p;-238#V=o;^R;H#AnXi_~0tGHQwuD9ha8@EzhLs5pT;UleIV=xKj!C zQ&tzG}7-uci+D`bDOo?rG^jf*;39$KsW0 z{%n;T*y2aDgSlyNI>1sRfQVDL0ofd@=X60W-BMbF;FC#!Bvg&_m%91by4N!a(7RBd zeu~UX6C;#=Ujn`oph6w$hZjWdqp1A zl`j>IOS+pULa#gxRSv8|9Xs>6?>U=gs6Ulud;d({D>^?-7syFRm;k7A%8zw7D3g8p zs<=$}d=;`G+Vx{xF1`gkF1G^4`6{K&JONCry;$jF-pKQL`|WI;T)S$`4%~JgLH<{Q ze`QyxP`@zA^r-p091?p3n3pVlgXaNiNz5+#nt|{%`mkKLCeZ&2MJX8h0c|)w9m3ahh3oy({*Qgz($4swK~wmJsxdF zjngNUb}g4(>|9nY<>3@c+tAEp`#3M0Hxz8vAWjaGHTLX%)CiyTBk0zq#!Hu*KbLBZ z&Mq4j+f`DIpv}#(v$N}x+%Io_G&pZEz;|v%WU0M3;#6!r6{7`2ZImsdspYS>&a&0) 
zC+Oe$J*kAvfN0m5RK;?0B6r(3fp~|s2wkGIE*Q_o|QK+%EEWFQ*W^Uf4qjl&F=pgV=7nGKKv z;X495H7mb9p(=J{%O)KyJ&+C-1XXbuENWr9{C3WcUK6|(`)gy?{ca~m?cYU!-fQ^Z z?$Pg{JsYSBS=51q(0+#|*QvEb?+Y6)@U<-C+CiOgUZ?_Kc2yopKjM~rrO5dgR?4a% z*8JC>Jf1)6v5A`QGwKQKgqVi?HP$Jdgv&!Z9h?2UX}Y~N+OJpiUoCecYJR|Ir=;C$T?WFSWTsaWNfZx2;rOU`j53yUT4*k5 zVeb&hb1pWGkQA6xL(Oi&e@RaCdU?Ui_7|vkh3@)WKI@|Y8%2sEwX?T3mWhGExVvl! zq$~^quQVlrzSdc7b(iu_!J9MeU0i~kyPhIiUFk4HcDLmKN=H|3Zfcl`GAl%rg=hb$ z;hW({-~Q2*4Z*MvB)bxyz5;b^#qALt_wIaDy{y=I48{?MXAr)5k*`^V zTeO@S+iqJ^QAJsjQoSNw-kqKsvlGf<9KSgxnP ziZ&Giyvs%?D@ourkOn~~UF&d=@bKspgvT*}7fCHLFakBCHve&ef*bdo_wy9iY^Y`- z`-Zdw?Xwp+dcFCw+OZi%>ro<)uS)HT;8?sqpoYpvhTY!yM2d!LD;)5%#e#iRW;6;- zb3hA!u{Yk2q}FIpq%bD$OxU^~)84@Ym!Hx+rOcraN&*5SvgEEe#>|Y2?XkOUz@pW~ zyQZx@#hI)9y~LIw&%J?-+!lyi3Gcfwf`B4L3$`=F=2fw@`-}}`?#NfM{)mxLvfp>H z0VGA$&8}#ZCrI2Bo&N@mi-s+Ig^7*+{2APA{jqdCu2iQ|kV=Jy&OS-Tf-rn!-75ceuVY)J@af{xO~L z^=e(%2ZDNG68?wFm~UeE@4x`5u0c*g0VrCIY!8%&f)v5bRI}7Ee+xbcqJTKm*+JIJ zo|6t?@RRQ8BR#IJ Date: Tue, 3 Dec 2024 17:57:02 +0100 Subject: [PATCH 11/18] chore(Microsoft): rename the Microsoft Defender XDR format --- Microsoft/microsoft-365-defender/_meta/manifest.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Microsoft/microsoft-365-defender/_meta/manifest.yml b/Microsoft/microsoft-365-defender/_meta/manifest.yml index 1c858333a..d2e9192ce 100644 --- a/Microsoft/microsoft-365-defender/_meta/manifest.yml +++ b/Microsoft/microsoft-365-defender/_meta/manifest.yml 
@@ -1,11 +1,11 @@ uuid: 05e6f36d-cee0-4f06-b575-9e43af779f9f -name: Microsoft 365 Defender +name: Microsoft Defender XDR / Microsoft 365 Defender slug: microsoft-365-defender automation_connector_uuid: 57f8f587-18ee-434b-a4ed-b5459f5b0fef automation_module_uuid: 525eecc0-9eee-484d-92bd-039117cf4dac description: >- - Microsoft 365 Defender is a entreprise defense suite that coordinates detection, prevention, investigation, and response across endpoints, identities, email, and cloud applications. + Microsoft Defender XDR is a entreprise defense suite that coordinates detection, prevention, investigation, and response across endpoints, identities, email, and cloud applications. Microsoft Defender for Endpoint is an enterprise endpoint security platform designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats. From c03be93f20e239d55f6dc312cc7579e47d1c92a4 Mon Sep 17 00:00:00 2001 From: rombernier Date: Wed, 4 Dec 2024 16:49:13 +0100 Subject: [PATCH 12/18] update HA procy --- HAProxy/haproxy/CHANGELOG.md | 4 +++ HAProxy/haproxy/ingest/parser.yml | 2 +- HAProxy/haproxy/tests/access4.json | 45 ++++++++++++++++++++++++++++++ 3 files changed, 50 insertions(+), 1 deletion(-) create mode 100644 HAProxy/haproxy/tests/access4.json diff --git a/HAProxy/haproxy/CHANGELOG.md b/HAProxy/haproxy/CHANGELOG.md index 60e2c8a26..9896476a3 100644 --- a/HAProxy/haproxy/CHANGELOG.md +++ b/HAProxy/haproxy/CHANGELOG.md @@ -7,6 +7,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ## [Unreleased] +## 2024-12.04 - 1.0.1 + +- Add support for aktci at the end of the log + ## 2024-03.04 - 1.0.0 ### Added diff --git a/HAProxy/haproxy/ingest/parser.yml b/HAProxy/haproxy/ingest/parser.yml index 98783cd3d..e1f5a3c88 100644 --- a/HAProxy/haproxy/ingest/parser.yml +++ b/HAProxy/haproxy/ingest/parser.yml 
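Review bot: The rewritten description line keeps the pre-existing typo `a entreprise defense suite`; since the line is replaced anyway, make it `Microsoft Defender XDR is an enterprise defense suite that coordinates detection, prevention, investigation, and response across endpoints, identities, email, and cloud applications.`. The remainder of the `description: >-` block is part of this hunk but its original line breaks are not recoverable from this view.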
@@ -14,7 +14,7 @@ pipeline:
 ([0-9])%{HOUR}:%{MINUTE}(?::%{SECOND})([0-9])
 HAPROXYURL: "(%{URIPROTO:url_scheme}://)?(?:%{USER:url_username}(?::[^@]*)?@)?(?:%{URIHOST:url_domain})?(?:%{URIPATHPARAM:url_path})"
 TLS_PROTOCOL: "TLS"
- HAPROXYHTTPBASE: '%{IP:source_ip}:%{INT:source_port} \[%{HAPROXYDATE}\] %{NOTSPACE} %{NOTSPACE}/%{NOTSPACE} %{INT}/%{INT}/%{INT}/%{INT}/%{NOTSPACE} %{INT:http_response_status_code} %{NOTSPACE:http_response_bytes} %{DATA:http_request_cookie} %{DATA:http_response_cookie} %{NOTSPACE} %{INT}/%{INT}/%{INT}/%{INT}/%{NOTSPACE} %{INT}/%{INT} (\{%{DATA:captured_request_headers}\})?( )?(\{%{DATA:captured_response_headers}\})?( )?"(|(%{WORD:http_request_method} (?:%{HAPROXYURL:url_original})?( HTTP/%{NUMBER:http_version})?))?"( %{TLS_PROTOCOL:tls_protocol}v%{NUMBER:tls_version})?'
+ HAPROXYHTTPBASE: '%{IP:source_ip}:%{INT:source_port} \[%{HAPROXYDATE}\] %{NOTSPACE} %{NOTSPACE}/%{NOTSPACE} %{INT}/%{INT}/%{INT}/%{INT}/%{NOTSPACE} %{INT:http_response_status_code} %{NOTSPACE:http_response_bytes} %{DATA:http_request_cookie} %{DATA:http_response_cookie} %{NOTSPACE} %{INT}/%{INT}/%{INT}/%{INT}/%{NOTSPACE} %{INT}/%{INT} (\{%{DATA:captured_request_headers}\})?( )?(\{%{DATA:captured_response_headers}\})?( )?"(|(%{WORD:http_request_method} (?:%{HAPROXYURL:url_original})?( HTTP/%{NUMBER:http_version})?))?"( %{TLS_PROTOCOL:tls_protocol}v%{NUMBER:tls_version})?( aktci:\"%{IP:aktci}\")?'
 - name: json
 filter: "{{grok.message.json_msg | length > 0}}"
diff --git a/HAProxy/haproxy/tests/access4.json b/HAProxy/haproxy/tests/access4.json new file mode 100644
index 000000000..89630f6bc
--- /dev/null
+++ b/HAProxy/haproxy/tests/access4.json
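Review bot: The new `( aktci:\"%{IP:aktci}\")?` group captures an address into `aktci`, but this commit adds no stage that maps that capture to an output field, and the access4.json fixture shipped with it expects no such field (its `expected.related.ip` lists only the source address), so the test passes without asserting the capture at all. If that trailing address matters for investigations, map it (for instance into `related.ip` next to `source.ip`) and add it to the fixture's expected block; if it is only there so the line still matches, an unnamed group `( aktci:\"%{IP}\")?` says so more clearly. The enclosing grok stage under `pipeline:` starts outside the hunk.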
@@ -0,0 +1,45 @@
+{
+ "input": {
+ "message": "90.83.225.109:54761 [10/Apr/2024:15:41:58.284] frontend_https~ backend_lb/LB100 1796/0/0/28/1824 200 1060 - - --VN 296/296/33/6/0 0/0 {saas.ms.example.com} \"GET /path/get/resource HTTP/1.1\" TLSv1.2 aktci:\"46.193.65.202\"\n",
+ "sekoiaio": {
+ "intake": {
+ "dialect": "HAProxy",
+ "dialect_uuid": "ff1873e7-8757-4b1a-b0ca-b33f9b27f3d9"
+ }
+ }
+ },
+ "expected": {
+ "message": "90.83.225.109:54761 [10/Apr/2024:15:41:58.284] frontend_https~ backend_lb/LB100 1796/0/0/28/1824 200 1060 - - --VN 296/296/33/6/0 0/0 {saas.ms.example.com} \"GET /path/get/resource HTTP/1.1\" TLSv1.2 aktci:\"46.193.65.202\"\n",
+ "event": {
+ "kind": "access"
+ },
+ "http": {
+ "request": {
+ "method": "GET"
+ },
+ "response": {
+ "bytes": 1060,
+ "status_code": 200
+ },
+ "version": "1.1"
+ },
+ "related": {
+ "ip": [
+ "90.83.225.109"
+ ]
+ },
+ "source": {
+ "address": "90.83.225.109",
+ "ip": "90.83.225.109",
+ "port": 54761
+ },
+ "tls": {
+ "version": "1.2",
+ "version_protocol": "TLS"
+ },
+ "url": {
+ "original": "/path/get/resource",
+ "path": "/path/get/resource"
+ }
+ }
+}
\ No newline at end of file From d6c0b58dcc4ebd765b594f8bc1121b35800a695b Mon Sep 17 00:00:00 2001 From: TOUFIKI Zakarya Date: Fri, 6 Dec 2024 10:44:29 +0100 Subject: [PATCH 13/18] Fix quotes problem in reason message --- .../paloalto-ngfw/ingest/parser.yml | 2 +- .../tests/test_system_event_13.json | 74 +++++++++++++++++++ 2 files changed, 75 insertions(+), 1 deletion(-) create mode 100644 Palo Alto Networks/paloalto-ngfw/tests/test_system_event_13.json
diff --git a/Palo Alto Networks/paloalto-ngfw/ingest/parser.yml b/Palo Alto Networks/paloalto-ngfw/ingest/parser.yml
index 944713355..c6cf58abe 100644
--- a/Palo Alto Networks/paloalto-ngfw/ingest/parser.yml
+++ b/Palo Alto Networks/paloalto-ngfw/ingest/parser.yml
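Review bot: The sample line in `input.message` and the `expected.source.*` / `expected.related.ip` values use what look like real public IPv4 addresses (`90.83.225.109`, `46.193.65.202`) rather than test data; committed fixtures are safer on the RFC 5737 documentation ranges (e.g. `192.0.2.10`, `198.51.100.20`) so that no genuine client address is published with the repository. The addresses would need changing consistently in both `input.message` and the `expected` block.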
@@ -626,7 +626,7 @@ pipeline:
 AUTHENTICATION_WEB: "User %{USERNAME:user} logged in via %{DATA} from %{IP:src} using %{DATA:proto}"
 REASON1: 'User-ID server monitor %{HOSTNAME:hostname}\(%{WORD:vsys}\) %{GREEDYDATA:message}'
 REASON2: "ldap cfg %{WORD:config_name} connected to server %{IP:destination_ip}:%{INT:port}, initiated by: %{IP:source_ip}"
- REASON3: "When authenticating user %{WORD:user} from %{IP:source_ip}, a less secure authentication method %{WORD:auth_method} is used. Please migrate to %{WORD:recommended_methods1} or %{DATA:recommended_methods2}. Authentication Profile %{WORD:auth_profile}, vsys %{WORD:vsys}, Server Profile %{WORD:server_profile}, Server Address %{IP:destination_ip}"
+ REASON3: "When authenticating user '?%{WORD:user}'? from '?%{IP:source_ip}'?, a less secure authentication method %{WORD:auth_method} is used. Please migrate to %{WORD:recommended_methods1} or %{DATA:recommended_methods2}. Authentication Profile '?%{WORD:auth_profile}'?, vsys '?%{WORD:vsys}'?, Server Profile '?%{WORD:server_profile}'?, Server Address '?%{IP:destination_ip}'?"
 REASON4: "failed authentication for user %{WORD:user}. Reason: %{GREEDYDATA:reason} auth profile %{WORD:auth_profile}, vsys %{WORD:vsys}, server profile %{WORD:server_profile}, server address %{IP:destination_ip}, auth protocol %{WORD:auth_protocol}, From: %{IP:source_ip}"
 REASON5: 'authenticated for user %{WORD:user}\. auth profile %{WORD:auth_profile}, vsys %{WORD:vsys}, server profile %{DATA:server_profile}, server address %{IP:destination_ip}, auth protocol %{WORD:auth_protocol}, admin role %{WORD:admin_role}, From: %{IP:source_ip}\.'
 filter: '{{parsed_event.message.get("EventDescription") != None}}'
diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_13.json b/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_13.json new file mode 100644
index 000000000..780d2a093
--- /dev/null
+++ b/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_13.json
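Review bot: `%{WORD:user}` in the rewritten REASON3 line only matches `\w+`, so a quoted account such as `'john.doe'` or `'user@example.com'` stops at the dot or `@`, the following `'? from` fails, and the whole pattern is rejected — the event then loses `user.name` and `source.ip`, which is the opposite of what you want from a weak-authentication-method alert. Now that the quotes are optional on both sides, a class that stops at the closing quote is the safer choice, e.g. `user '?(?<user>[^'\s]+)'? from '?%{IP:source_ip}'?,`, and likewise for `auth_profile`, `vsys` and `server_profile` (a hyphenated profile name such as `RADIUS-RSA` fails today for the same reason); this assumes the grok engine accepts inline named groups, otherwise define a small custom pattern next to REASON1–REASON5. The unchanged REASON4/REASON5 context lines share the `%{WORD:user}` limitation.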
@@ -0,0 +1,74 @@
+{
+ "input": {
+ "sekoiaio": {
+ "intake": {
+ "dialect": "Palo Alto NGFW",
+ "dialect_uuid": "903ec1b8-f206-4ba5-8563-db21da09cafd"
+ }
+ },
+ "message": "1,2024/11/26 22:10:01,02410100000000,SYSTEM,auth,2555,2024/11/26 22:10:01,,auth-success,FWPA,0,0,general,informational,\"When authenticating user 'test000555' from '1.2.5.5', a less secure authentication method PAP is used. Please migrate to PEAP or EAP-TTLS. Authentication Profile 'FWPA', vsys 'shared', Server Profile 'RADIUS_RSA', Server Address '1.7.4.2'\",738970652229900000000,0x0,0,0,0,0,,FWPAN00,0,0,2024-11-26T22:10:01.627+01:00"
+ },
+ "expected": {
+ "message": "1,2024/11/26 22:10:01,02410100000000,SYSTEM,auth,2555,2024/11/26 22:10:01,,auth-success,FWPA,0,0,general,informational,\"When authenticating user 'test000555' from '1.2.5.5', a less secure authentication method PAP is used. Please migrate to PEAP or EAP-TTLS. Authentication Profile 'FWPA', vsys 'shared', Server Profile 'RADIUS_RSA', Server Address '1.7.4.2'\",738970652229900000000,0x0,0,0,0,0,,FWPAN00,0,0,2024-11-26T22:10:01.627+01:00",
+ "event": {
+ "category": [
+ "authentication"
+ ],
+ "dataset": "system",
+ "reason": "When authenticating user 'test000555' from '1.2.5.5', a less secure authentication method PAP is used. Please migrate to PEAP or EAP-TTLS. 
Authentication Profile 'FWPA', vsys 'shared', Server Profile 'RADIUS_RSA', Server Address '1.7.4.2'",
+ "type": [
+ "start"
+ ]
+ },
+ "@timestamp": "2024-11-26T21:10:01.627000Z",
+ "action": {
+ "name": "auth-success",
+ "type": "auth"
+ },
+ "destination": {
+ "address": "1.7.4.2",
+ "ip": "1.7.4.2"
+ },
+ "log": {
+ "hostname": "FWPAN00",
+ "level": "informational",
+ "logger": "system"
+ },
+ "observer": {
+ "name": "FWPAN00",
+ "product": "PAN-OS",
+ "serial_number": "02410100000000"
+ },
+ "paloalto": {
+ "DGHierarchyLevel1": "0",
+ "DGHierarchyLevel2": "0",
+ "DGHierarchyLevel3": "0",
+ "DGHierarchyLevel4": "0",
+ "EventID": "auth-success",
+ "Threat_ContentType": "auth",
+ "authetification": {
+ "profile": "FWPA"
+ },
+ "server": {
+ "profile": "RADIUS_RSA"
+ },
+ "vsys": "shared"
+ },
+ "related": {
+ "ip": [
+ "1.2.5.5",
+ "1.7.4.2"
+ ],
+ "user": [
+ "test000555"
+ ]
+ },
+ "source": {
+ "address": "1.2.5.5",
+ "ip": "1.2.5.5"
+ },
+ "user": {
+ "name": "test000555"
+ }
+ }
+}
\ No newline at end of file From 4c7891951ac1ac6dcfc605331cda92476af2c577 Mon Sep 17 00:00:00 2001 From: TOUFIKI Zakarya Date: Fri, 6 Dec 2024 10:48:35 +0100 Subject: [PATCH 14/18] Apply linter --- .../paloalto-ngfw/tests/test_system_event_13.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_13.json b/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_13.json
index 780d2a093..b4429340a 100644
--- a/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_13.json
+++ b/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_13.json
@@ -1,12 +1,12 @@
 {
 "input": {
+ "message": "1,2024/11/26 22:10:01,02410100000000,SYSTEM,auth,2555,2024/11/26 22:10:01,,auth-success,FWPA,0,0,general,informational,\"When authenticating user 'test000555' from '1.2.5.5', a less secure authentication method PAP is used. Please migrate to PEAP or EAP-TTLS. Authentication Profile 'FWPA', vsys 'shared', Server Profile 'RADIUS_RSA', Server Address '1.7.4.2'\",738970652229900000000,0x0,0,0,0,0,,FWPAN00,0,0,2024-11-26T22:10:01.627+01:00",
 "sekoiaio": {
 "intake": {
 "dialect": "Palo Alto NGFW",
 "dialect_uuid": "903ec1b8-f206-4ba5-8563-db21da09cafd"
 }
- },
- "message": "1,2024/11/26 22:10:01,02410100000000,SYSTEM,auth,2555,2024/11/26 22:10:01,,auth-success,FWPA,0,0,general,informational,\"When authenticating user 'test000555' from '1.2.5.5', a less secure authentication method PAP is used. Please migrate to PEAP or EAP-TTLS. Authentication Profile 'FWPA', vsys 'shared', Server Profile 'RADIUS_RSA', Server Address '1.7.4.2'\",738970652229900000000,0x0,0,0,0,0,,FWPAN00,0,0,2024-11-26T22:10:01.627+01:00"
+ }
 },
 "expected": {
 "message": "1,2024/11/26 22:10:01,02410100000000,SYSTEM,auth,2555,2024/11/26 22:10:01,,auth-success,FWPA,0,0,general,informational,\"When authenticating user 'test000555' from '1.2.5.5', a less secure authentication method PAP is used. Please migrate to PEAP or EAP-TTLS. Authentication Profile 'FWPA', vsys 'shared', Server Profile 'RADIUS_RSA', Server Address '1.7.4.2'\",738970652229900000000,0x0,0,0,0,0,,FWPAN00,0,0,2024-11-26T22:10:01.627+01:00",
From e7c29187f511ca9f20cce388986d707577befc53 Mon Sep 17 00:00:00 2001 From: Sebastien Quioc Date: Tue, 10 Dec 2024 11:17:39 +0100 Subject: [PATCH 15/18] fix(HAproxy): change the way to handle additional information --- HAProxy/haproxy/ingest/parser.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/HAProxy/haproxy/ingest/parser.yml b/HAProxy/haproxy/ingest/parser.yml
index e1f5a3c88..557604c8a 100644
--- a/HAProxy/haproxy/ingest/parser.yml
+++ b/HAProxy/haproxy/ingest/parser.yml
@@ -14,7 +14,7 @@ pipeline:
 ([0-9])%{HOUR}:%{MINUTE}(?::%{SECOND})([0-9])
 HAPROXYURL: "(%{URIPROTO:url_scheme}://)?(?:%{USER:url_username}(?::[^@]*)?@)?(?:%{URIHOST:url_domain})?(?:%{URIPATHPARAM:url_path})"
 TLS_PROTOCOL: "TLS"
- HAPROXYHTTPBASE: '%{IP:source_ip}:%{INT:source_port} \[%{HAPROXYDATE}\] %{NOTSPACE} %{NOTSPACE}/%{NOTSPACE} %{INT}/%{INT}/%{INT}/%{INT}/%{NOTSPACE} %{INT:http_response_status_code} %{NOTSPACE:http_response_bytes} %{DATA:http_request_cookie} %{DATA:http_response_cookie} %{NOTSPACE} %{INT}/%{INT}/%{INT}/%{INT}/%{NOTSPACE} %{INT}/%{INT} (\{%{DATA:captured_request_headers}\})?( )?(\{%{DATA:captured_response_headers}\})?( )?"(|(%{WORD:http_request_method} (?:%{HAPROXYURL:url_original})?( HTTP/%{NUMBER:http_version})?))?"( %{TLS_PROTOCOL:tls_protocol}v%{NUMBER:tls_version})?( aktci:\"%{IP:aktci}\")?'
+ HAPROXYHTTPBASE: '%{IP:source_ip}:%{INT:source_port} \[%{HAPROXYDATE}\] %{NOTSPACE} %{NOTSPACE}/%{NOTSPACE} %{INT}/%{INT}/%{INT}/%{INT}/%{NOTSPACE} %{INT:http_response_status_code} %{NOTSPACE:http_response_bytes} %{DATA:http_request_cookie} %{DATA:http_response_cookie} %{NOTSPACE} %{INT}/%{INT}/%{INT}/%{INT}/%{NOTSPACE} %{INT}/%{INT} (\{%{DATA:captured_request_headers}\})?( )?(\{%{DATA:captured_response_headers}\})?( )?"(|(%{WORD:http_request_method} (?:%{HAPROXYURL:url_original})?( HTTP/%{NUMBER:http_version})?))?"( %{TLS_PROTOCOL:tls_protocol}v%{NUMBER:tls_version})?%{GREEDYDATA}'
 - name: json
 filter: "{{grok.message.json_msg | length > 0}}"
From b597fe1c7d554917f5fe9b702553d9a03c05a535 Mon Sep 17 00:00:00 2001 From: Sebastien Quioc Date: Tue, 10 Dec 2024 12:31:20 +0100 Subject: [PATCH 16/18] fix(Suricata): fix smart-description --- Suricata/suricata/_meta/smart-descriptions.json | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/Suricata/suricata/_meta/smart-descriptions.json b/Suricata/suricata/_meta/smart-descriptions.json
index b330a23c1..432cf533d 100644
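Review bot: Replacing the named `( aktci:\"%{IP:aktci}\")?` group with a bare `%{GREEDYDATA}` lets any suffix match, but it also silently discards the address that the access4.json fixture still carries after the TLS field, so that value is neither captured nor covered by the test any more. If the intent is to tolerate arbitrary trailing text while keeping that address, put the optional named group back in front of the catch-all, `( aktci:\"%{IP:aktci}\")?%{GREEDYDATA}`, and map it to an output field; if the suffix really is noise, a short comment on the line saying so would save the next reader from re-adding it. The enclosing grok stage under `pipeline:` starts outside the hunk.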
--- a/Suricata/suricata/_meta/smart-descriptions.json
+++ b/Suricata/suricata/_meta/smart-descriptions.json
@@ -151,8 +151,7 @@
 "value": "query"
 },
 {
- "field": "action.type",
- "value": "dns"
+ "field": "dns.question.name"
 }
 ],
 "relationships": [
From e927ad7740757db69157c57ffde80af5277eb184 Mon Sep 17 00:00:00 2001 From: LenaigKaliou Date: Tue, 10 Dec 2024 15:07:44 +0100 Subject: [PATCH 17/18] Pradeoo: fix on Pradeo MTD parser for application compliance --- Pradeo/pradeo-mtd/ingest/parser.yml | 20 +++---- .../tests/application_compliance_updated.json | 55 +++++++++++++++++++ 2 files changed, 65 insertions(+), 10 deletions(-) create mode 100644 Pradeo/pradeo-mtd/tests/application_compliance_updated.json
diff --git a/Pradeo/pradeo-mtd/ingest/parser.yml b/Pradeo/pradeo-mtd/ingest/parser.yml
index 239ce01d4..c10d3c444 100644
--- a/Pradeo/pradeo-mtd/ingest/parser.yml
+++ b/Pradeo/pradeo-mtd/ingest/parser.yml
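Review bot: Swapping the `action.type == dns` condition for a bare presence check on `dns.question.name` widens this smart description to every event that carries a DNS question name, with only the preceding `"value": "query"` condition left to narrow it; that condition's `field` sits above the hunk, so please confirm it still restricts the match to DNS query events rather than, say, other event types that embed DNS metadata. The enclosing conditions array starts before the hunk.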
@@ -176,16 +176,16 @@ stages: pradeo.device.mdmId: "{{json_event.message.content.deviceApplicationCompliance.deviceApplication.device.emmDeviceInfo.externalId}}" pradeo.device.emm: "{{json_event.message.content.deviceApplicationCompliance.deviceApplication.device.emmDeviceInfo.emm}}" pradeo.compliance.matchedResponseRules: "{{json_event.message.content.deviceApplication.compliance.matchedResponseRules}}" - pradeo.application.id: "{{json_event.message.content.deviceApplicationCompliance.application.id}}" - pradeo.application.package: "{{json_event.message.content.deviceApplicationCompliance.application.package.package}}" - pradeo.application.system: "{{json_event.message.content.deviceApplicationCompliance.application.package.system}}" - pradeo.application.version: "{{json_event.message.content.deviceApplicationCompliance.application.version}}" - pradeo.application.versionCode: "{{json_event.message.content.deviceApplicationCompliance.application.versionCode}}" - pradeo.application.name: "{{json_event.message.content.deviceApplicationCompliance.application.name}}" - pradeo.application.md5: "{{json_event.message.content.deviceApplicationCompliance.application.md5}}" - pradeo.application.sha1: "{{json_event.message.content.deviceApplicationCompliance.application.sha1}}" - pradeo.application.sha256: "{{json_event.message.content.deviceApplicationCompliance.application.sha256}}" - pradeo.detection.status: "{{json_event.message.content.deviceApplicationCompliance.status}}" + pradeo.application.id: "{{json_event.message.content.deviceApplicationCompliance.deviceApplication.application.id}}" + pradeo.application.package: "{{json_event.message.content.deviceApplicationCompliance.deviceApplication.application.package.package}}" + pradeo.application.system: "{{json_event.message.content.deviceApplicationCompliance.deviceApplication.application.package.system}}" + pradeo.application.version: 
"{{json_event.message.content.deviceApplicationCompliance.deviceApplication.application.version}}" + pradeo.application.versionCode: "{{json_event.message.content.deviceApplicationCompliance.deviceApplication.application.versionCode}}" + pradeo.application.name: "{{json_event.message.content.deviceApplicationCompliance.deviceApplication.application.name}}" + pradeo.application.md5: "{{json_event.message.content.deviceApplicationCompliance.deviceApplication.application.md5}}" + pradeo.application.sha1: "{{json_event.message.content.deviceApplicationCompliance.deviceApplication.application.sha1}}" + pradeo.application.sha256: "{{json_event.message.content.deviceApplicationCompliance.deviceApplication.application.sha256}}" + pradeo.detection.status: "{{json_event.message.content.deviceApplicationCompliance.deviceApplication.status}}" - filter: '{{json_event.message.type == "DeviceComplianceUpdated"}}' set: event.category: ["process"] diff --git a/Pradeo/pradeo-mtd/tests/application_compliance_updated.json b/Pradeo/pradeo-mtd/tests/application_compliance_updated.json new file mode 100644 index 000000000..916f71473 --- /dev/null +++ b/Pradeo/pradeo-mtd/tests/application_compliance_updated.json 
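Review bot: The new `pradeo.detection.status` path reads `deviceApplicationCompliance.deviceApplication.status`, but in the test input added by this same commit (application_compliance_updated.json) `status` (`"Disapproved"`) sits directly on `deviceApplicationCompliance` and `deviceApplication` has no `status` key; the fixture's expected output accordingly contains no `pradeo.detection` at all, so the outcome of the compliance decision is lost. The original path, `pradeo.detection.status: "{{json_event.message.content.deviceApplicationCompliance.status}}"`, matches this shape and should be restored. The untouched context line `pradeo.compliance.matchedResponseRules` has the same problem: it reads `content.deviceApplication.compliance.matchedResponseRules`, whereas the fixture nests the rules under `content.deviceApplicationCompliance.matchedResponseRules` and the expected output has no `pradeo.compliance` either; `pradeo.compliance.matchedResponseRules: "{{json_event.message.content.deviceApplicationCompliance.matchedResponseRules}}"` would match the sample. Both presumably resolve to empty values rather than erroring, which is why the fixture passes while asserting the loss; the `stages` block continues outside the hunk.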
@@ -0,0 +1,55 @@ +{ + "input": { + "message": "{\n \"id\": \"1234567890\",\n \"creationDate\": \"2024-11-27T04:10:33.460Z\",\n \"source\": \"system\",\n \"category\": null,\n \"type\": \"DeviceApplicationComplianceUpdated\",\n \"content\": {\n \"deviceApplicationCompliance\": {\n \"id\": \"abcdef123456\",\n \"status\": \"Disapproved\",\n \"computed\": true,\n \"creationDate\": \"2024-11-27T04:04:26.482Z\",\n \"lastModificationDate\": \"2024-11-27T04:10:33.000Z\",\n \"deviceApplication\": {\n \"id\": \"123456789ABCDEF\",\n \"application\": {\n \"id\": \"azertyuiop\",\n \"package\": {\n \"id\": \"1234abcd\",\n \"package\": \"com.app.test\",\n \"system\": \"Android\"\n },\n \"version\": \"491.0.0.58.78\",\n \"md5\": \"0fccfdefc882c4be6d2a938001184e08\",\n \"sha1\": \"749c94cd972726ef2b3ccda7e718a2034cc9f6ac\",\n \"sha256\": \"278fde8924687bf22285d2b4415779d96ba967530cae43272029ec53ecc2eee8\",\n \"name\": \"App\",\n \"versionCode\": \"457215664\",\n \"size\": \"64262264\"\n },\n \"device\": {\n \"id\": \"device_id01\",\n \"serialNumber\": \"unknown\",\n \"imei\": null,\n \"name\": \"John\",\n \"email\": null,\n \"singleEnrollmentKey\": \"xxxxxXXXXxxXxxx\",\n \"byod\": false,\n \"lockPassword\": null,\n \"knoxVersion\": null,\n \"declaredOperatingSystem\": \"Android\",\n \"declaredOperatingSystemVersion\": \"10.0.0\",\n \"declaredOperatingSystemSecurityPatchDate\": \"2020-09-01T00:00:00.000Z\",\n \"declaredModel\": \"MODEL 01\",\n \"enrollmentStatus\": {\n \"id\": \"enrollid_12\",\n \"lastConnection\": \"2024-11-27T04:07:32.000Z\",\n \"coupled\": true\n },\n \"emmDeviceInfo\": null\n },\n \"installedAt\": \"2024-08-07T13:40:35.000Z\",\n \"uninstalledAt\": null,\n \"native\": false\n },\n \"matchedResponseRules\": [\n {\n \"id\": \"matched_response_id\",\n \"matchConditions\": [\n {\n \"type\": \"threatLevelIs\",\n \"value\": \"Red\"\n }\n ],\n \"notifyAdministrator\": false,\n \"onDeviceNotification\": false,\n \"action\": \"Disapproved\",\n \"responseRuleset\": {\n 
\"id\": \"yMXqFSTMT8uDn1ijwCmEGA\",\n \"name\": \"FallBack\",\n \"active\": true,\n \"type\": \"FallBack\",\n \"priority\": 0\n },\n \"priority\": 0\n }\n ]\n }\n },\n \"user\": null,\n \"device\": null,\n \"company\": {\n \"id\": \"ROhGBpGHSi2gpVagfb4FhQ\",\n \"name\": \"LAB\",\n \"creationDate\": \"2024-04-15T15:31:33.395Z\",\n \"lastModificationDate\": \"2024-08-07T13:23:42.000Z\",\n \"deletedAt\": null\n }\n}", + "sekoiaio": { + "intake": { + "dialect": "Pradeo MTD", + "dialect_uuid": "3cedbe29-02f8-42bf-9ec2-0158186c2827" + } + } + }, + "expected": { + "message": "{\n \"id\": \"1234567890\",\n \"creationDate\": \"2024-11-27T04:10:33.460Z\",\n \"source\": \"system\",\n \"category\": null,\n \"type\": \"DeviceApplicationComplianceUpdated\",\n \"content\": {\n \"deviceApplicationCompliance\": {\n \"id\": \"abcdef123456\",\n \"status\": \"Disapproved\",\n \"computed\": true,\n \"creationDate\": \"2024-11-27T04:04:26.482Z\",\n \"lastModificationDate\": \"2024-11-27T04:10:33.000Z\",\n \"deviceApplication\": {\n \"id\": \"123456789ABCDEF\",\n \"application\": {\n \"id\": \"azertyuiop\",\n \"package\": {\n \"id\": \"1234abcd\",\n \"package\": \"com.app.test\",\n \"system\": \"Android\"\n },\n \"version\": \"491.0.0.58.78\",\n \"md5\": \"0fccfdefc882c4be6d2a938001184e08\",\n \"sha1\": \"749c94cd972726ef2b3ccda7e718a2034cc9f6ac\",\n \"sha256\": \"278fde8924687bf22285d2b4415779d96ba967530cae43272029ec53ecc2eee8\",\n \"name\": \"App\",\n \"versionCode\": \"457215664\",\n \"size\": \"64262264\"\n },\n \"device\": {\n \"id\": \"device_id01\",\n \"serialNumber\": \"unknown\",\n \"imei\": null,\n \"name\": \"John\",\n \"email\": null,\n \"singleEnrollmentKey\": \"xxxxxXXXXxxXxxx\",\n \"byod\": false,\n \"lockPassword\": null,\n \"knoxVersion\": null,\n \"declaredOperatingSystem\": \"Android\",\n \"declaredOperatingSystemVersion\": \"10.0.0\",\n \"declaredOperatingSystemSecurityPatchDate\": \"2020-09-01T00:00:00.000Z\",\n \"declaredModel\": \"MODEL 01\",\n 
\"enrollmentStatus\": {\n \"id\": \"enrollid_12\",\n \"lastConnection\": \"2024-11-27T04:07:32.000Z\",\n \"coupled\": true\n },\n \"emmDeviceInfo\": null\n },\n \"installedAt\": \"2024-08-07T13:40:35.000Z\",\n \"uninstalledAt\": null,\n \"native\": false\n },\n \"matchedResponseRules\": [\n {\n \"id\": \"matched_response_id\",\n \"matchConditions\": [\n {\n \"type\": \"threatLevelIs\",\n \"value\": \"Red\"\n }\n ],\n \"notifyAdministrator\": false,\n \"onDeviceNotification\": false,\n \"action\": \"Disapproved\",\n \"responseRuleset\": {\n \"id\": \"yMXqFSTMT8uDn1ijwCmEGA\",\n \"name\": \"FallBack\",\n \"active\": true,\n \"type\": \"FallBack\",\n \"priority\": 0\n },\n \"priority\": 0\n }\n ]\n }\n },\n \"user\": null,\n \"device\": null,\n \"company\": {\n \"id\": \"ROhGBpGHSi2gpVagfb4FhQ\",\n \"name\": \"LAB\",\n \"creationDate\": \"2024-04-15T15:31:33.395Z\",\n \"lastModificationDate\": \"2024-08-07T13:23:42.000Z\",\n \"deletedAt\": null\n }\n}", + "event": { + "action": "DeviceApplicationComplianceUpdated", + "category": [ + "process" + ], + "type": [ + "change" + ] + }, + "@timestamp": "2024-11-27T04:10:33.460000Z", + "pradeo": { + "application": { + "id": "azertyuiop", + "md5": "0fccfdefc882c4be6d2a938001184e08", + "name": "App", + "package": "com.app.test", + "sha1": "749c94cd972726ef2b3ccda7e718a2034cc9f6ac", + "sha256": "278fde8924687bf22285d2b4415779d96ba967530cae43272029ec53ecc2eee8", + "system": "Android", + "version": "491.0.0.58.78", + "versionCode": "457215664" + }, + "device": { + "byod": false, + "coupled": true, + "declaredModel": "MODEL 01", + "declaredOperatingSystem": "Android", + "declaredOperatingSystemSecurityPatchDate": "2020-09-01T00:00:00Z", + "declaredOperatingSystemVersion": "10.0.0", + "id": "device_id01", + "lastConnection": "2024-11-27T04:07:32Z", + "name": "John", + "serialNumber": "unknown" + }, + "metadata": { + "creationDate": "2024-11-27T04:10:33.460000Z", + "id": "1234567890", + "source": "system", + "type": 
"DeviceApplicationComplianceUpdated" + } + } + } +} \ No newline at end of file From 6335db5a7e01d89222de436ad488b49a3bc3ae93 Mon Sep 17 00:00:00 2001 From: vg-svitla Date: Tue, 10 Dec 2024 16:26:06 +0200 Subject: [PATCH 18/18] Fix: SentinelOne smart descriptions --- .../_meta/smart-descriptions.json | 52 ++++++++++ .../tests/process_processcreation_2.json | 96 +++++++++++++++++++ 2 files changed, 148 insertions(+) create mode 100644 SentinelOne/cloud_funnel2.0/tests/process_processcreation_2.json diff --git a/SentinelOne/cloud_funnel2.0/_meta/smart-descriptions.json b/SentinelOne/cloud_funnel2.0/_meta/smart-descriptions.json index 9a4b1bf43..9acf6e91d 100644 --- a/SentinelOne/cloud_funnel2.0/_meta/smart-descriptions.json +++ b/SentinelOne/cloud_funnel2.0/_meta/smart-descriptions.json @@ -682,6 +682,58 @@ } ] }, + { + "value": "Process {process.command_line} was created by {process.user.name}", + "conditions": [ + { + "field": "event.action", + "value": "Process Creation" + }, + { + "field": "process.user.name" + }, + { + "field": "process.command_line" + } + ], + "relationships": [ + { + "source": "process.user.name", + "target": "process.parent.command_line", + "type": "created" + }, + { + "source": "process.parent.command_line", + "target": "process.parent.title", + "type": "has process title" + }, + { + "source": "process.parent.command_line", + "target": "process.parent.name", + "type": "has name" + }, + { + "source": "process.command_line", + "target": "process.title", + "type": "has title" + }, + { + "source": "process.command_line", + "target": "process.name", + "type": "has name" + }, + { + "source": "process.parent.command_line", + "target": "process.command_line", + "type": "created" + }, + { + "source": "process.user.name", + "target": "host.name", + "type": "logged on" + } + ] + }, { "value": "Process {process.command_line} was created by {user.name}", "conditions": [ 
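Review bot: The new description's relationships reference `process.parent.command_line`, `process.parent.title` and `process.parent.name`, but none of those fields appear in its `conditions`, so the entry also matches events with no parent at all — the fixture added in this commit (process_processcreation_2.json) has no `process.parent`, leaving those relationship endpoints dangling. The `process.user.name` → `process.parent.command_line` "created" edge is also doubtful, since `process.user.name` is the user of the created process, not of its parent; on the fixture it would attribute the parent to `test.user` with no evidence in the event. Either add `{ "field": "process.parent.command_line" }` to `conditions`, or drop the parent edges from this variant and keep only the `process.user.name` → `process.command_line` and `process.user.name` → `host.name` edges. This entry is also inserted ahead of the existing `{user.name}` variant, so whether it shadows that one for events carrying both fields depends on the matcher's evaluation order, which is not visible here.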
diff --git a/SentinelOne/cloud_funnel2.0/tests/process_processcreation_2.json b/SentinelOne/cloud_funnel2.0/tests/process_processcreation_2.json new file mode 100644 index 000000000..62320459c --- /dev/null +++ b/SentinelOne/cloud_funnel2.0/tests/process_processcreation_2.json 
@@ -0,0 +1,96 @@ +{ + "input": { + "message": "{\"tgt.process.displayName\":\"curl\",\"event.category\":\"process\",\"site.id\":\"1967302198659758782\",\"tgt.process.pid\":30273,\"endpoint.os\":\"osx\",\"tgt.process.name\":\"curl\",\"tgt.process.storyline.id\":\"EE9FB66D-9B03-4286-971C-7A20615D157B\",\"tgt.process.signedStatus\":\"signed\",\"tgt.process.isNative64Bit\":false,\"mgmt.id\":\"16205\",\"os.name\":\"OS X\",\"tgt.process.cmdline\":\"curl -H User-Agent: test.nvim v1.10.0 (+https:\\/\\/test.test\\/tttttttt\\/test.nvim) -fsSL -X GET -o \\/Users\\/test.user\\/.local\\/share\\/nvim\\/test\\/registries\\/github\\/test-org\\/test-registry\\/registry.json.zip --connect-timeout 30 https:\\/\\/test.test\\/test-org\\/test-registry\\/releases\\/download\\/2024-12-05-doting-coil\\/registry.json.zip\",\"i.version\":\"preprocess-lib-1.0\",\"process.unique.key\":\"54EDFDFD-139E-4040-A961-59D6F9C33F63\",\"tgt.process.uid\":\"54EDFDFD-139E-4040-A961-59D6F9C33F63\",\"tgt.process.isStorylineRoot\":false,\"mgmt.url\":\"mgm-testing-test.sentinelone.net\",\"agent.version\":\"23.3.1.7037\",\"tgt.process.subsystem\":\"SUBSYSTEM_UNKNOWN\",\"tgt.process.image.sha256\":\"8577dde932584e03da0f0230dbca16a11fa4f57b3f8b91033f99e83b5a85fd42\",\"mgmt.osRevision\":\"14.7.1 
(23H222)\",\"meta.event.name\":\"PROCESSCREATION\",\"group.id\":\"EE9FB66D-9B03-4286-971C-7A20615D157B\",\"tgt.process.publisher\":\"\",\"tgt.process.startTime\":1733386731479,\"tgt.process.verifiedStatus\":\"verified\",\"endpoint.type\":\"laptop\",\"tgt.process.image.path\":\"\\/usr\\/bin\\/curl\",\"i.scheme\":\"edr\",\"trace.id\":\"XXXXXXX-XXXXXXXX-XXXXXXX\",\"tgt.process.integrityLevel\":\"INTEGRITY_LEVEL_UNKNOWN\",\"site.name\":\"LEDGER\",\"agent.uuid\":\"xxxx-XXXXXX-XXXXx-xxxxx\",\"tgt.process.image.md5\":\"fe61928bbd84ed16fc4f934307bf2f16\",\"event.time\":1733386731479,\"tgt.process.user\":\"test.user\",\"timestamp\":\"2024-12-05T08:18:51.479Z\",\"account.id\":\"1967302197074311859\",\"dataSource.name\":\"SentinelOne\",\"endpoint.name\":\"LMFR0205\",\"packet.id\":\"949E7E9F-F1E6-4507-830F-E272AAED8F15\",\"tgt.process.sessionId\":0,\"dataSource.vendor\":\"SentinelOne\",\"dataSource.category\":\"security\",\"tgt.process.isRedirectCmdProcessor\":false,\"tgt.process.image.sha1\":\"e817c506298dc8a2dba727562b6efc60dcf4db1a\",\"account.name\":\"24 - LEDGER\",\"event.type\":\"Process Creation\",\"event.id\":\"XXXXXXX-XXXXXXXX-XXXXXXX_77\"}" + }, + "expected": { + "message": "{\"tgt.process.displayName\":\"curl\",\"event.category\":\"process\",\"site.id\":\"1967302198659758782\",\"tgt.process.pid\":30273,\"endpoint.os\":\"osx\",\"tgt.process.name\":\"curl\",\"tgt.process.storyline.id\":\"EE9FB66D-9B03-4286-971C-7A20615D157B\",\"tgt.process.signedStatus\":\"signed\",\"tgt.process.isNative64Bit\":false,\"mgmt.id\":\"16205\",\"os.name\":\"OS X\",\"tgt.process.cmdline\":\"curl -H User-Agent: test.nvim v1.10.0 (+https:\\/\\/test.test\\/tttttttt\\/test.nvim) -fsSL -X GET -o \\/Users\\/test.user\\/.local\\/share\\/nvim\\/test\\/registries\\/github\\/test-org\\/test-registry\\/registry.json.zip --connect-timeout 30 
https:\\/\\/test.test\\/test-org\\/test-registry\\/releases\\/download\\/2024-12-05-doting-coil\\/registry.json.zip\",\"i.version\":\"preprocess-lib-1.0\",\"process.unique.key\":\"54EDFDFD-139E-4040-A961-59D6F9C33F63\",\"tgt.process.uid\":\"54EDFDFD-139E-4040-A961-59D6F9C33F63\",\"tgt.process.isStorylineRoot\":false,\"mgmt.url\":\"mgm-testing-test.sentinelone.net\",\"agent.version\":\"23.3.1.7037\",\"tgt.process.subsystem\":\"SUBSYSTEM_UNKNOWN\",\"tgt.process.image.sha256\":\"8577dde932584e03da0f0230dbca16a11fa4f57b3f8b91033f99e83b5a85fd42\",\"mgmt.osRevision\":\"14.7.1 (23H222)\",\"meta.event.name\":\"PROCESSCREATION\",\"group.id\":\"EE9FB66D-9B03-4286-971C-7A20615D157B\",\"tgt.process.publisher\":\"\",\"tgt.process.startTime\":1733386731479,\"tgt.process.verifiedStatus\":\"verified\",\"endpoint.type\":\"laptop\",\"tgt.process.image.path\":\"\\/usr\\/bin\\/curl\",\"i.scheme\":\"edr\",\"trace.id\":\"XXXXXXX-XXXXXXXX-XXXXXXX\",\"tgt.process.integrityLevel\":\"INTEGRITY_LEVEL_UNKNOWN\",\"site.name\":\"LEDGER\",\"agent.uuid\":\"xxxx-XXXXXX-XXXXx-xxxxx\",\"tgt.process.image.md5\":\"fe61928bbd84ed16fc4f934307bf2f16\",\"event.time\":1733386731479,\"tgt.process.user\":\"test.user\",\"timestamp\":\"2024-12-05T08:18:51.479Z\",\"account.id\":\"1967302197074311859\",\"dataSource.name\":\"SentinelOne\",\"endpoint.name\":\"LMFR0205\",\"packet.id\":\"949E7E9F-F1E6-4507-830F-E272AAED8F15\",\"tgt.process.sessionId\":0,\"dataSource.vendor\":\"SentinelOne\",\"dataSource.category\":\"security\",\"tgt.process.isRedirectCmdProcessor\":false,\"tgt.process.image.sha1\":\"e817c506298dc8a2dba727562b6efc60dcf4db1a\",\"account.name\":\"24 - LEDGER\",\"event.type\":\"Process Creation\",\"event.id\":\"XXXXXXX-XXXXXXXX-XXXXXXX_77\"}", + "event": { + "action": "Process Creation", + "category": [ + "process" + ], + "dataset": "cloud-funnel-2.0", + "type": [ + "info" + ] + }, + "@timestamp": "2024-12-05T08:18:51.479000Z", + "agent": { + "version": "23.3.1.7037" + }, + "deepvisibility": { + 
"agent": { + "managment_url": "mgm-testing-test.sentinelone.net", + "trace_id": "XXXXXXX-XXXXXXXX-XXXXXXX", + "uuid": "xxxx-XXXXXX-XXXXx-xxxxx" + }, + "event": { + "category": "process", + "type": "Process Creation" + }, + "host": { + "os": { + "revision": "14.7.1 (23H222)" + } + }, + "process": { + "target": { + "command_line": "curl -H User-Agent: test.nvim v1.10.0 (+https://test.test/tttttttt/test.nvim) -fsSL -X GET -o /Users/test.user/.local/share/nvim/test/registries/github/test-org/test-registry/registry.json.zip --connect-timeout 30 https://test.test/test-org/test-registry/releases/download/2024-12-05-doting-coil/registry.json.zip", + "executable": "/usr/bin/curl", + "hash": { + "md5": "fe61928bbd84ed16fc4f934307bf2f16", + "sha1": "e817c506298dc8a2dba727562b6efc60dcf4db1a", + "sha256": "8577dde932584e03da0f0230dbca16a11fa4f57b3f8b91033f99e83b5a85fd42" + }, + "name": "curl", + "storyline_id": "EE9FB66D-9B03-4286-971C-7A20615D157B", + "title": "curl", + "working_directory": "/usr/bin" + } + } + }, + "host": { + "name": "LMFR0205", + "os": { + "family": "osx", + "name": "OS X" + }, + "type": "laptop" + }, + "observer": { + "vendor": "SentinelOne" + }, + "process": { + "command_line": "curl -H User-Agent: test.nvim v1.10.0 (+https://test.test/tttttttt/test.nvim) -fsSL -X GET -o /Users/test.user/.local/share/nvim/test/registries/github/test-org/test-registry/registry.json.zip --connect-timeout 30 https://test.test/test-org/test-registry/releases/download/2024-12-05-doting-coil/registry.json.zip", + "executable": "/usr/bin/curl", + "hash": { + "md5": "fe61928bbd84ed16fc4f934307bf2f16", + "sha1": "e817c506298dc8a2dba727562b6efc60dcf4db1a", + "sha256": "8577dde932584e03da0f0230dbca16a11fa4f57b3f8b91033f99e83b5a85fd42" + }, + "name": "curl", + "pid": 30273, + "start": "2024-12-05T08:18:51.479000Z", + "title": "curl", + "user": { + "name": "test.user" + }, + "working_directory": "/usr/bin" + }, + "related": { + "hash": [ + 
"8577dde932584e03da0f0230dbca16a11fa4f57b3f8b91033f99e83b5a85fd42", + "e817c506298dc8a2dba727562b6efc60dcf4db1a", + "fe61928bbd84ed16fc4f934307bf2f16" + ] + }, + "url": { + "domain": "test.test", + "original": "https://test.test/test-org/test-registry/releases/download/2024-12-05-doting-coil/registry.json.zip", + "path": "/test-org/test-registry/releases/download/2024-12-05-doting-coil/registry.json.zip", + "port": 443, + "scheme": "https", + "subdomain": "test" + } + } +} \ No newline at end of file
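Review bot: The expected output pins `process.working_directory` (and `deepvisibility.process.target.working_directory`) to `/usr/bin`, which is just the directory of `tgt.process.image.path`; the input carries no current-working-directory field, so this fixture locks in a value that is the executable's location rather than the process cwd. If the parser derives it that way on purpose, a comment in the parser or a note in the intake documentation should say so, because detection rules keyed on working_directory (for example execution from user-writable paths) will be misled by it; otherwise the mapping should be dropped and this expectation removed. `deepvisibility.agent.managment_url` also carries a misspelling (`managment`), though that is the existing field name and is only asserted here. The file lacks a trailing newline.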