From b80c7ef9c246c8a75fa90d43bbb1293f2418d548 Mon Sep 17 00:00:00 2001 
From: Lee Hinman <57081003+leehinman@users.noreply.github.com> Date: Mon, 13 Jul 2020 17:12:09 -0500 Subject: [PATCH] Add text & flattened fields in aws cloudtrail fileset (#19121) (#19809) AWS cloudtrail events have the following fields where the subfields are highley variable: requestParameters, responseElements, additionalEventData and serviceEventDetails. multi_fields added to following fields - aws.cloudtrail.request_parameters - aws.cloudtrail.response_elements - aws.cloudtrail.additiona_eventdata - aws.cloudtrail.service_event_details flattened version of the fields are stored here: - aws.cloudtrail.flattened.request_parameters - aws.cloudtrail.flattened.response_elements - aws.cloudtrail.flattened.additiona_eventdata - aws.cloudtrail.flattened.service_event_details Closes #18866 (cherry picked from commit d16ecc9c891f37bddb5773fe092e8bb3c1436214) --- CHANGELOG.next.asciidoc | 1 + filebeat/docs/fields.asciidoc | 71 +++++++++++++++++++ libbeat/mapping/field.go | 2 +- libbeat/tests/system/beat/beat.py | 2 +- .../module/aws/cloudtrail/_meta/fields.yml | 40 +++++++++++ .../module/aws/cloudtrail/ingest/pipeline.yml | 59 +++++++++------ .../add-user-to-group-json.log-expected.json | 2 + .../test/assume-role-json.log-expected.json | 23 ++++++ .../test/console-login-json.log-expected.json | 12 ++++ .../create-access-key-json.log-expected.json | 5 ++ .../test/create-group-json.log-expected.json | 7 ++ .../create-key-pair-json.log-expected.json | 4 ++ .../test/create-trail-json.log-expected.json | 14 ++++ .../test/create-user-json.log-expected.json | 6 ++ ...-virtual-mfa-device-json.log-expected.json | 3 + ...activate-mfa-device-json.log-expected.json | 2 + .../delete-access-key-json.log-expected.json | 2 + .../test/delete-bucket-json.log-expected.json | 1 + .../test/delete-group-json.log-expected.json | 2 + ...lete-ssh-public-key-json.log-expected.json | 2 + .../test/delete-trail-json.log-expected.json | 1 + .../test/delete-user-json.log-expected.json | 1 + 
...-virtual-mfa-device-json.log-expected.json | 1 + .../enable-mfa-device-json.log-expected.json | 2 + ...ove-user-from-group-json.log-expected.json | 2 + .../test/start-logging-json.log-expected.json | 1 + .../test/stop-logging-json.log-expected.json | 1 + .../update-access-key-json.log-expected.json | 3 + ...out-password-policy-json.log-expected.json | 6 ++ .../test/update-group-json.log-expected.json | 4 ++ ...pdate-login-profile-json.log-expected.json | 1 + ...date-ssh-public-key-json.log-expected.json | 6 ++ .../test/update-trail-json.log-expected.json | 16 +++++ .../test/update-user-json.log-expected.json | 2 + ...load-ssh-public-key-json.log-expected.json | 8 +++ x-pack/filebeat/module/aws/fields.go | 2 +- 36 files changed, 291 insertions(+), 26 deletions(-) diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index 6cd24ae5354..69f9c7846ac 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -514,6 +514,7 @@ field. You can revert this change by configuring tags for the module and omittin - Improve ECS categorization field mappings in traefik module. {issue}16183[16183] {pull}19379[19379] - Improve ECS categorization field mappings in azure module. {issue}16155[16155] {pull}19376[19376] - Add automatic retries and exponential backoff to httpjson input. {pull}18956[18956] +- Add text & flattened versions of fields with unknown subfields in aws cloudtrail fileset. {issue}18866[18866] {pull}19121[19121] *Heartbeat* diff --git a/filebeat/docs/fields.asciidoc b/filebeat/docs/fields.asciidoc index 279c95df72b..7ad5301d789 100644 --- a/filebeat/docs/fields.asciidoc +++ b/filebeat/docs/fields.asciidoc @@ -1228,6 +1228,13 @@ type: keyword -- +*`aws.cloudtrail.request_parameters.text`*:: ++ +-- +type: text + +-- + *`aws.cloudtrail.response_elements`*:: + -- @@ -1237,6 +1244,13 @@ type: keyword -- +*`aws.cloudtrail.response_elements.text`*:: ++ +-- +type: text + +-- + *`aws.cloudtrail.additional_eventdata`*:: + -- 
@@ -1246,6 +1260,13 @@ type: keyword -- +*`aws.cloudtrail.additional_eventdata.text`*:: ++ +-- +type: text + +-- + *`aws.cloudtrail.request_id`*:: + -- @@ -1342,6 +1363,13 @@ type: keyword -- +*`aws.cloudtrail.service_event_details.text`*:: ++ +-- +type: text + +-- + *`aws.cloudtrail.shared_event_id`*:: + -- @@ -1400,6 +1428,49 @@ type: boolean -- +[float] +=== flattened + +ES flattened datatype for objects where the subfields aren't known in advance. + + +*`aws.cloudtrail.flattened.additional_eventdata`*:: ++ +-- +Additional data about the event that was not part of the request or response. + + +type: flattened + +-- + +*`aws.cloudtrail.flattened.request_parameters`*:: ++ +-- +The parameters, if any, that were sent with the request. + +type: flattened + +-- + +*`aws.cloudtrail.flattened.response_elements`*:: ++ +-- +The response element for actions that make changes (create, update, or delete actions). + +type: flattened + +-- + +*`aws.cloudtrail.flattened.service_event_details`*:: ++ +-- +Identifies the service event, including what triggered the event and the result. + +type: flattened + +-- + [float] === cloudwatch diff --git a/libbeat/mapping/field.go b/libbeat/mapping/field.go index 7b2ba52e618..0e91c3ba8f5 100644 --- a/libbeat/mapping/field.go +++ b/libbeat/mapping/field.go @@ -138,7 +138,7 @@ func (f *Field) validateType() error { if f.Format != "" { return fmt.Errorf("no format expected for field %s, found: %s", f.Name, f.Format) } - case "object", "group", "nested": + case "object", "group", "nested", "flattened": // No check for them yet case "": // Module keys, not used as fields diff --git a/libbeat/tests/system/beat/beat.py b/libbeat/tests/system/beat/beat.py index 23a0bdbb4ba..65e0a6d5ad5 100644 --- a/libbeat/tests/system/beat/beat.py +++ b/libbeat/tests/system/beat/beat.py 
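Review bot: The `case "object", "group", "nested", "flattened":` arm in `validateType` accepts the new type with no validation, and the existing comment `// No check for them yet` does not say what sets `flattened` apart from the other three. The Elasticsearch flattened mapping type exists only from 7.3 onward, so a comment such as `// flattened: requires Elasticsearch 7.3+; version handling is left to template generation` would tell the next reader where that constraint belongs. Whether template generation actually guards on the version is not visible in this hunk, and `validateType` starts and ends outside it. A test case that validates a field of type `flattened` would pin the new arm.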
@@ -571,7 +571,7 @@ def extract_fields(doc_list, name): aliases.extend(subaliases) else: fields.append(newName) - if field.get("type") in ["object", "geo_point"]: + if field.get("type") in ["object", "geo_point", "flattened"]: dictfields.append(newName) if field.get("type") == "object" and field.get("object_type") == "histogram": diff --git a/x-pack/filebeat/module/aws/cloudtrail/_meta/fields.yml b/x-pack/filebeat/module/aws/cloudtrail/_meta/fields.yml index 72db20adc8b..d4bd04b548b 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/_meta/fields.yml +++ b/x-pack/filebeat/module/aws/cloudtrail/_meta/fields.yml @@ -90,16 +90,28 @@ type: keyword description: >- The parameters, if any, that were sent with the request. + multi_fields: + - name: text + type: text + default_field: false - name: response_elements type: keyword description: >- The response element for actions that make changes (create, update, or delete actions). + multi_fields: + - name: text + type: text + default_field: false - name: additional_eventdata type: keyword description: >- Additional data about the event that was not part of the request or response. + multi_fields: + - name: text + type: text + default_field: false - name: request_id type: keyword description: >- @@ -149,6 +161,10 @@ description: >- Identifies the service event, including what triggered the event and the result. + multi_fields: + - name: text + type: text + default_field: false - name: shared_event_id type: keyword description: >- 
@@ -183,3 +199,27 @@ description: >- Identifies whether multi factor authentication was used during ConsoleLogin + - name: flattened + type: group + description: >- + ES flattened datatype for objects where the subfields aren't known in advance. + fields: + - name: additional_eventdata + type: flattened + description: > + Additional data about the event that was not part of the + request or response. + - name: request_parameters + type: flattened + description: >- + The parameters, if any, that were sent with the request. + - name: response_elements + type: flattened + description: >- + The response element for actions that make changes (create, + update, or delete actions). + - name: service_event_details + type: flattened + description: >- + Identifies the service event, including what triggered the + event and the result. diff --git a/x-pack/filebeat/module/aws/cloudtrail/ingest/pipeline.yml b/x-pack/filebeat/module/aws/cloudtrail/ingest/pipeline.yml index 8bc80b251aa..36773124439 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/ingest/pipeline.yml +++ b/x-pack/filebeat/module/aws/cloudtrail/ingest/pipeline.yml 
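Review bot: The descriptions under the new `flattened` group do not say that every leaf of the CloudTrail request and response objects becomes an individually searchable value. That includes credential material such as `response_elements.credentials.sessionToken`, which appears in the assume-role fixture of this same patch. The same data was already stored in the stringified `aws.cloudtrail.response_elements`, so this is not new exposure, but the group description could say so, e.g. `Values are indexed as returned by AWS and may include credentials; restrict access to the index accordingly.` Separately, `additional_eventdata` uses `description: >` while its three siblings use `description: >-`; the kept trailing newline shows up as an extra blank line in the generated fields.asciidoc, and `>-` would make the four consistent.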
@@ -135,25 +135,37 @@ processors: field: "json.errorMessage" target_field: "aws.cloudtrail.error_message" ignore_failure: true + - rename: + field: json.requestParameters + target_field: "aws.cloudtrail.flattened.request_parameters" + if: ctx.json.requestParameters != null - script: lang: painless source: | - if (ctx.json.requestParameters != null) { - ctx.aws.cloudtrail.request_parameters = ctx.json.requestParameters.toString(); + if (ctx.aws.cloudtrail.flattened.request_parameters != null) { + ctx.aws.cloudtrail.request_parameters = ctx.aws.cloudtrail.flattened.request_parameters.toString(); } ignore_failure: true + - rename: + field: json.responseElements + target_field: "aws.cloudtrail.flattened.response_elements" + if: ctx.json.responseElements != null - script: lang: painless source: | - if (ctx.json.responseElements != null) { - ctx.aws.cloudtrail.response_elements = ctx.json.responseElements.toString(); + if (ctx.aws.cloudtrail.flattened.response_elements != null) { + ctx.aws.cloudtrail.response_elements = ctx.aws.cloudtrail.flattened.response_elements.toString(); } ignore_failure: true + - rename: + field: json.additionalEventData + target_field: "aws.cloudtrail.flattened.additional_eventdata" + if: ctx?.json?.additionalEventData != null - script: lang: painless source: | - if (ctx.json.additionalEventData != null) { - ctx.aws.cloudtrail.additional_eventdata = ctx.json.additionalEventData.toString(); + if (ctx.aws.cloudtrail.flattened.additional_eventdata != null) { + ctx.aws.cloudtrail.additional_eventdata = ctx.aws.cloudtrail.flattened.additional_eventdata.toString(); } ignore_failure: true - rename: 
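Review bot: The rewritten script reads `ctx.aws.cloudtrail.flattened.request_parameters` without null-safe access, so for an event with no `requestParameters` the rename is skipped, `flattened` is absent, and the script presumably throws a null-pointer error that `ignore_failure: true` then hides. Relying on a swallowed exception for the common case also masks genuine failures in that script; `if (ctx?.aws?.cloudtrail?.flattened?.request_parameters != null) {` would match the null-safe style used later in this patch. The `rename` conditions are inconsistent as well: `ctx.json.requestParameters` and `ctx.json.responseElements` are unguarded while `ctx?.json?.additionalEventData` is guarded. None of the renames sets `ignore_failure`, so an error in a condition would likely fail the document where the old script did not. The same applies to the `response_elements` and `additional_eventdata` scripts in this hunk and to the `service_event_details` rename and script in the `@@ -196,11 +208,15 @@` hunk.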
@@ -196,11 +208,15 @@ processors: field: "json.recipientAccountId" target_field: "aws.cloudtrail.recipient_account_id" ignore_failure: true + - rename: + field: json.serviceEventDetails + target_field: "aws.cloudtrail.flattened.service_event_details" + if: ctx.json.serviceEventDetails != null - script: lang: painless source: | - if (ctx.json.serviceEventDetails != null) { - ctx.aws.cloudtrail.service_event_details = ctx.json.serviceEventDetails.toString(); + if (ctx.aws.cloudtrail.flattened.service_event_details != null) { + ctx.aws.cloudtrail.service_event_details = ctx.aws.cloudtrail.flattened.service_event_details.toString(); } ignore_failure: true - rename: @@ -226,14 +242,11 @@ processors: } ctx.related.user.add(userName); } - - - - if (ctx.json?.requestParameters.userName != null) { - addRelatedUser(ctx, ctx.json.requestParameters.userName); + if (ctx?.aws?.cloudtrail?.flattened?.request_parameters?.userName != null) { + addRelatedUser(ctx, ctx.aws.cloudtrail.flattened.request_parameters.userName); } - if (ctx.json?.requestParameters.newUserName != null) { - addRelatedUser(ctx, ctx.json.requestParameters.newUserName); + if (ctx?.aws?.cloudtrail?.flattened?.request_parameters?.newUserName != null) { + addRelatedUser(ctx, ctx.aws.cloudtrail.flattened.request_parameters.newUserName); } - script: 
@@ -244,18 +257,18 @@ processors: return; } Map aed_map = new HashMap(); - if (ctx.json?.additionalEventData?.MobileVersion != null) { - if (ctx.json.additionalEventData.MobileVersion == 'No') { + if (ctx?.aws?.cloudtrail?.flattened?.additional_eventdata?.MobileVersion != null) { + if (ctx.aws.cloudtrail.flattened.additional_eventdata.MobileVersion == 'No') { aed_map.put("mobile_version", false); } else { aed_map.put("mobile_version", true); } } - if (ctx.json?.additionalEventData?.LoginTo != null) { - aed_map.put("login_to", ctx.json.additionalEventData.LoginTo); + if (ctx?.aws?.cloudtrail?.flattened?.additional_eventdata?.LoginTo != null) { + aed_map.put("login_to", ctx.aws.cloudtrail.flattened.additional_eventdata.LoginTo); } - if (ctx.json?.additionalEventData?.MFAUsed != null) { - if (ctx.json.additionalEventData.MFAUsed == 'No') { + if (ctx?.aws?.cloudtrail?.flattened?.additional_eventdata?.MFAUsed != null) { + if (ctx.aws.cloudtrail.flattened.additional_eventdata.MFAUsed == 'No') { aed_map.put("mfa_used", false); } else { aed_map.put("mfa_used", true); @@ -598,8 +611,8 @@ processors: return; } - if (ctx.event.action == 'ConsoleLogin' && ctx.json?.responseElements.ConsoleLogin != null) { - ctx.event.outcome = Processors.lowercase(ctx.json.responseElements.ConsoleLogin); + if (ctx.event.action == 'ConsoleLogin' && ctx?.aws?.cloudtrail?.flattened?.response_elements.ConsoleLogin != null) { + ctx.event.outcome = Processors.lowercase(ctx.aws.cloudtrail.flattened.response_elements.ConsoleLogin); } def hm = new HashMap(params.get(ctx.event.action)); diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/add-user-to-group-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/add-user-to-group-json.log-expected.json index 2e17074f136..2f49aa15134 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/test/add-user-to-group-json.log-expected.json +++ b/x-pack/filebeat/module/aws/cloudtrail/test/add-user-to-group-json.log-expected.json 
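Review bot: `mfa_used` and `mobile_version` are set to `true` for any value other than the exact string `'No'`, so an unexpected casing or an unrecognised value in `MFAUsed` would be recorded as MFA having been used. This logic predates the commit and only the source path changed, but monitoring for console logins without MFA depends on this field, so failing towards `false` is the safer default: `aed_map.put("mfa_used", ctx.aws.cloudtrail.flattened.additional_eventdata.MFAUsed == 'Yes');`. Whether CloudTrail ever emits anything other than `Yes` and `No` is not visible here. The script body starts and ends outside the hunk.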
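Review bot: The new condition `ctx?.aws?.cloudtrail?.flattened?.response_elements.ConsoleLogin != null` drops the null-safe operator on the last step, so a `ConsoleLogin` event without `responseElements` would presumably dereference null at `.ConsoleLogin`. Every other access added in this patch is null-safe down to the leaf; `ctx?.aws?.cloudtrail?.flattened?.response_elements?.ConsoleLogin != null` would match them. The result is written to `event.outcome`, which authentication monitoring typically reads, so a script error here could leave login events without an outcome. Whether this script sets `ignore_failure` is outside the hunk.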
@@ -2,6 +2,8 @@ { "@timestamp": "2014-03-25T21:08:14.000Z", "aws.cloudtrail.event_version": "1.0", + "aws.cloudtrail.flattened.request_parameters.groupName": "admin", + "aws.cloudtrail.flattened.request_parameters.userName": "Bob", "aws.cloudtrail.request_parameters": "{groupName=admin, userName=Bob}", "aws.cloudtrail.user_identity.access_key_id": "EXAMPLE_KEY_ID", "aws.cloudtrail.user_identity.arn": "arn:aws:iam::123456789012:user/Alice", diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/assume-role-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/assume-role-json.log-expected.json index ddbff377e96..3bdb628e7fb 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/test/assume-role-json.log-expected.json +++ b/x-pack/filebeat/module/aws/cloudtrail/test/assume-role-json.log-expected.json 
@@ -3,6 +3,29 @@ "@timestamp": "2019-10-02T22:12:29.000Z", "aws.cloudtrail.event_type": "AwsApiCall", "aws.cloudtrail.event_version": "1.05", + "aws.cloudtrail.flattened.request_parameters.durationSeconds": 3600, + "aws.cloudtrail.flattened.request_parameters.incomingTransitiveTags.Department": "Engineering", + "aws.cloudtrail.flattened.request_parameters.roleArn": "arn:aws:iam::111111111111:role/JohnRole2", + "aws.cloudtrail.flattened.request_parameters.roleSessionName": "Role2WithTags", + "aws.cloudtrail.flattened.request_parameters.tags": [ + { + "key": "Email", + "value": "johndoe@example.com" + }, + { + "key": "CostCenter", + "value": "12345" + } + ], + "aws.cloudtrail.flattened.request_parameters.transitiveTagKeys": [ + "Email", + "CostCenter" + ], + "aws.cloudtrail.flattened.response_elements.assumedRoleUser.arn": "arn:aws:sts::111111111111:assumed-role/test-role/Role2WithTags", + "aws.cloudtrail.flattened.response_elements.assumedRoleUser.assumedRoleId": "AROAIFR7WHDTSOYQYHFUE:Role2WithTags", + "aws.cloudtrail.flattened.response_elements.credentials.accessKeyId": "ASIAWHOJDLGPOEXAMPLE", + "aws.cloudtrail.flattened.response_elements.credentials.expiration": "Oct 2, 2019 11:12:29 PM", + "aws.cloudtrail.flattened.response_elements.credentials.sessionToken": "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", "aws.cloudtrail.recipient_account_id": "111111111111", "aws.cloudtrail.request_parameters": "{incomingTransitiveTags={Department=Engineering}, transitiveTagKeys=[Email, CostCenter], durationSeconds=3600, roleArn=arn:aws:iam::111111111111:role/JohnRole2, roleSessionName=Role2WithTags, tags=[{value=johndoe@example.com, key=Email}, {value=12345, key=CostCenter}]}", "aws.cloudtrail.response_elements": "{assumedRoleUser={assumedRoleId=AROAIFR7WHDTSOYQYHFUE:Role2WithTags, arn=arn:aws:sts::111111111111:assumed-role/test-role/Role2WithTags}, credentials={accessKeyId=ASIAWHOJDLGPOEXAMPLE, sessionToken=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, 
expiration=Oct 2, 2019 11:12:29 PM}}", diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/console-login-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/console-login-json.log-expected.json index b15334c1510..4d715f61769 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/test/console-login-json.log-expected.json +++ b/x-pack/filebeat/module/aws/cloudtrail/test/console-login-json.log-expected.json @@ -6,6 +6,10 @@ "aws.cloudtrail.console_login.additional_eventdata.mfa_used": false, "aws.cloudtrail.console_login.additional_eventdata.mobile_version": false, "aws.cloudtrail.event_version": "1.05", + "aws.cloudtrail.flattened.additional_eventdata.LoginTo": "https://console.aws.amazon.com/s3/", + "aws.cloudtrail.flattened.additional_eventdata.MFAUsed": "No", + "aws.cloudtrail.flattened.additional_eventdata.MobileVersion": "No", + "aws.cloudtrail.flattened.response_elements.ConsoleLogin": "Success", "aws.cloudtrail.response_elements": "{ConsoleLogin=Success}", "aws.cloudtrail.user_identity.arn": "arn:aws:iam::111122223333:user/JohnDoe", "aws.cloudtrail.user_identity.type": "IAMUser", @@ -52,6 +56,10 @@ "aws.cloudtrail.console_login.additional_eventdata.mobile_version": false, "aws.cloudtrail.error_message": "Failed authentication", "aws.cloudtrail.event_version": "1.05", + "aws.cloudtrail.flattened.additional_eventdata.LoginTo": "https://console.aws.amazon.com/sns", + "aws.cloudtrail.flattened.additional_eventdata.MFAUsed": "No", + "aws.cloudtrail.flattened.additional_eventdata.MobileVersion": "No", + "aws.cloudtrail.flattened.response_elements.ConsoleLogin": "Failure", "aws.cloudtrail.response_elements": "{ConsoleLogin=Failure}", "aws.cloudtrail.user_identity.arn": "arn:aws:iam::111122223333:user/JaneDoe", "aws.cloudtrail.user_identity.type": "IAMUser", 
@@ -98,6 +106,10 @@ "aws.cloudtrail.console_login.additional_eventdata.mobile_version": false, "aws.cloudtrail.error_message": "Failed authentication", "aws.cloudtrail.event_version": "1.05", + "aws.cloudtrail.flattened.additional_eventdata.LoginTo": "https://console.aws.amazon.com/sns", + "aws.cloudtrail.flattened.additional_eventdata.MFAUsed": "No", + "aws.cloudtrail.flattened.additional_eventdata.MobileVersion": "No", + "aws.cloudtrail.flattened.response_elements.ConsoleLogin": "Failure", "aws.cloudtrail.response_elements": "{ConsoleLogin=Failure}", "aws.cloudtrail.user_identity.access_key_id": "AKIAIOSFODNN7EXAMPLE", "aws.cloudtrail.user_identity.arn": "arn:aws:sts::123456789012:assumed-role/RoleToBeAssumed/MySessionName", diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/create-access-key-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/create-access-key-json.log-expected.json index 18b45ecf039..9736605a6b2 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/test/create-access-key-json.log-expected.json +++ b/x-pack/filebeat/module/aws/cloudtrail/test/create-access-key-json.log-expected.json @@ -3,6 +3,11 @@ "@timestamp": "2020-01-08T20:43:06.000Z", "aws.cloudtrail.event_type": "AwsApiCall", "aws.cloudtrail.event_version": "1.05", + "aws.cloudtrail.flattened.request_parameters.userName": "Bob", + "aws.cloudtrail.flattened.response_elements.accessKey.accessKeyId": "EXAMPLE_KEY_ID", + "aws.cloudtrail.flattened.response_elements.accessKey.createDate": "Jan 8, 2020 8:43:06 PM", + "aws.cloudtrail.flattened.response_elements.accessKey.status": "Active", + "aws.cloudtrail.flattened.response_elements.accessKey.userName": "Bob", "aws.cloudtrail.recipient_account_id": "0123456789012", "aws.cloudtrail.request_parameters": "{userName=Bob}", "aws.cloudtrail.response_elements": "{accessKey={accessKeyId=EXAMPLE_KEY_ID, userName=Bob, status=Active, createDate=Jan 8, 2020 8:43:06 PM}}", 
diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/create-group-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/create-group-json.log-expected.json index 3234c0421f3..c3a33c948e4 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/test/create-group-json.log-expected.json +++ b/x-pack/filebeat/module/aws/cloudtrail/test/create-group-json.log-expected.json @@ -3,6 +3,12 @@ "@timestamp": "2020-01-09T01:48:44.000Z", "aws.cloudtrail.event_type": "AwsApiCall", "aws.cloudtrail.event_version": "1.05", + "aws.cloudtrail.flattened.request_parameters.groupName": "TEST-GROUP", + "aws.cloudtrail.flattened.response_elements.group.arn": "arn:aws:iam::0123456789012:group/TEST-GROUP", + "aws.cloudtrail.flattened.response_elements.group.createDate": "Jan 9, 2020 1:48:44 AM", + "aws.cloudtrail.flattened.response_elements.group.groupId": "EXAMPLE_ID", + "aws.cloudtrail.flattened.response_elements.group.groupName": "TEST-GROUP", + "aws.cloudtrail.flattened.response_elements.group.path": "/", "aws.cloudtrail.recipient_account_id": "0123456789012", "aws.cloudtrail.request_parameters": "{groupName=TEST-GROUP}", "aws.cloudtrail.response_elements": "{group={path=/, groupName=TEST-GROUP, groupId=EXAMPLE_ID, arn=arn:aws:iam::0123456789012:group/TEST-GROUP, createDate=Jan 9, 2020 1:48:44 AM}}", @@ -50,6 +56,7 @@ "aws.cloudtrail.error_message": "Group with name TEST-GROUP already exists.", "aws.cloudtrail.event_type": "AwsApiCall", "aws.cloudtrail.event_version": "1.05", + "aws.cloudtrail.flattened.request_parameters.groupName": "TEST-GROUP", "aws.cloudtrail.recipient_account_id": "0123456789012", "aws.cloudtrail.request_parameters": "{groupName=TEST-GROUP}", "aws.cloudtrail.user_identity.access_key_id": "EXAMPLE_KEY", diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/create-key-pair-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/create-key-pair-json.log-expected.json index 249abdeb3ff..5783ade81ed 100644 
--- a/x-pack/filebeat/module/aws/cloudtrail/test/create-key-pair-json.log-expected.json +++ b/x-pack/filebeat/module/aws/cloudtrail/test/create-key-pair-json.log-expected.json @@ -2,6 +2,10 @@ { "@timestamp": "2014-03-06T17:10:34.000Z", "aws.cloudtrail.event_version": "1.0", + "aws.cloudtrail.flattened.request_parameters.keyName": "mykeypair", + "aws.cloudtrail.flattened.response_elements.keyFingerprint": "30:1d:46:d0:5b:ad:7e:1b:b6:70:62:8b:ff:38:b5:e9:ab:5d:b8:21", + "aws.cloudtrail.flattened.response_elements.keyMaterial": "", + "aws.cloudtrail.flattened.response_elements.keyName": "mykeypair", "aws.cloudtrail.request_parameters": "{keyName=mykeypair}", "aws.cloudtrail.response_elements": "{keyMaterial=, keyFingerprint=30:1d:46:d0:5b:ad:7e:1b:b6:70:62:8b:ff:38:b5:e9:ab:5d:b8:21, keyName=mykeypair}", "aws.cloudtrail.user_identity.access_key_id": "EXAMPLE_KEY_ID", diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/create-trail-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/create-trail-json.log-expected.json index fda411e58d4..e358d16bc72 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/test/create-trail-json.log-expected.json +++ b/x-pack/filebeat/module/aws/cloudtrail/test/create-trail-json.log-expected.json 
@@ -3,6 +3,20 @@ "@timestamp": "2020-01-08T15:30:25.000Z", "aws.cloudtrail.event_type": "AwsApiCall", "aws.cloudtrail.event_version": "1.05", + "aws.cloudtrail.flattened.request_parameters.enableLogFileValidation": true, + "aws.cloudtrail.flattened.request_parameters.includeGlobalServiceEvents": true, + "aws.cloudtrail.flattened.request_parameters.isMultiRegionTrail": true, + "aws.cloudtrail.flattened.request_parameters.isOrganizationTrail": false, + "aws.cloudtrail.flattened.request_parameters.kmsKeyId": "", + "aws.cloudtrail.flattened.request_parameters.name": "TEST-trail", + "aws.cloudtrail.flattened.request_parameters.s3BucketName": "TEST-cloudtrail-bucket", + "aws.cloudtrail.flattened.response_elements.includeGlobalServiceEvents": true, + "aws.cloudtrail.flattened.response_elements.isMultiRegionTrail": true, + "aws.cloudtrail.flattened.response_elements.isOrganizationTrail": false, + "aws.cloudtrail.flattened.response_elements.logFileValidationEnabled": true, + "aws.cloudtrail.flattened.response_elements.name": "TEST-trail", + "aws.cloudtrail.flattened.response_elements.s3BucketName": "TEST-cloudtrail-bucket", + "aws.cloudtrail.flattened.response_elements.trailARN": "arn:aws:cloudtrail:us-west-2:0123456789012:trail/TEST-trail", "aws.cloudtrail.read_only": false, "aws.cloudtrail.recipient_account_id": "0123456789012", "aws.cloudtrail.request_parameters": "{isMultiRegionTrail=true, s3BucketName=TEST-cloudtrail-bucket, name=TEST-trail, enableLogFileValidation=true, kmsKeyId=, isOrganizationTrail=false, includeGlobalServiceEvents=true}", diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/create-user-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/create-user-json.log-expected.json index f27a92b8e2a..2fee7445e82 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/test/create-user-json.log-expected.json +++ b/x-pack/filebeat/module/aws/cloudtrail/test/create-user-json.log-expected.json 
@@ -2,6 +2,12 @@ { "@timestamp": "2014-03-24T21:11:59.000Z", "aws.cloudtrail.event_version": "1.0", + "aws.cloudtrail.flattened.request_parameters.userName": "Bob", + "aws.cloudtrail.flattened.response_elements.user.arn": "arn:aws:iam::123456789012:user/Bob", + "aws.cloudtrail.flattened.response_elements.user.createDate": "Mar 24, 2014 9:11:59 PM", + "aws.cloudtrail.flattened.response_elements.user.path": "/", + "aws.cloudtrail.flattened.response_elements.user.userId": "EXAMPLEUSERID", + "aws.cloudtrail.flattened.response_elements.user.userName": "Bob", "aws.cloudtrail.request_parameters": "{userName=Bob}", "aws.cloudtrail.response_elements": "{user={path=/, userName=Bob, arn=arn:aws:iam::123456789012:user/Bob, userId=EXAMPLEUSERID, createDate=Mar 24, 2014 9:11:59 PM}}", "aws.cloudtrail.user_identity.access_key_id": "EXAMPLE_KEY_ID", diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/create-virtual-mfa-device-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/create-virtual-mfa-device-json.log-expected.json index c761e2b1fa8..aa2b7a2bc63 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/test/create-virtual-mfa-device-json.log-expected.json +++ b/x-pack/filebeat/module/aws/cloudtrail/test/create-virtual-mfa-device-json.log-expected.json @@ -3,6 +3,9 @@ "@timestamp": "2019-11-27T15:10:15.000Z", "aws.cloudtrail.event_type": "AwsApiCall", "aws.cloudtrail.event_version": "1.05", + "aws.cloudtrail.flattened.request_parameters.path": "/", + "aws.cloudtrail.flattened.request_parameters.virtualMFADeviceName": "Alice", + "aws.cloudtrail.flattened.response_elements.virtualMFADevice.serialNumber": "arn:aws:iam::0123456789012:mfa/Alice", "aws.cloudtrail.recipient_account_id": "0123456789012", "aws.cloudtrail.request_parameters": "{path=/, virtualMFADeviceName=Alice}", "aws.cloudtrail.response_elements": "{virtualMFADevice={serialNumber=arn:aws:iam::0123456789012:mfa/Alice}}", 
diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/deactivate-mfa-device-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/deactivate-mfa-device-json.log-expected.json index 999845aa0c7..3c062a8ef23 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/test/deactivate-mfa-device-json.log-expected.json +++ b/x-pack/filebeat/module/aws/cloudtrail/test/deactivate-mfa-device-json.log-expected.json @@ -3,6 +3,8 @@ "@timestamp": "2020-01-10T00:34:02.000Z", "aws.cloudtrail.event_type": "AwsApiCall", "aws.cloudtrail.event_version": "1.05", + "aws.cloudtrail.flattened.request_parameters.serialNumber": "arn:aws:iam::0123456789012:mfa/Alice", + "aws.cloudtrail.flattened.request_parameters.userName": "Alice", "aws.cloudtrail.recipient_account_id": "0123456789012", "aws.cloudtrail.request_parameters": "{serialNumber=arn:aws:iam::0123456789012:mfa/Alice, userName=Alice}", "aws.cloudtrail.user_identity.access_key_id": "EXAMPLE_ID", diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/delete-access-key-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/delete-access-key-json.log-expected.json index 3a83a6462c8..2ea8b42fa6c 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/test/delete-access-key-json.log-expected.json +++ b/x-pack/filebeat/module/aws/cloudtrail/test/delete-access-key-json.log-expected.json @@ -3,6 +3,8 @@ "@timestamp": "2020-01-08T19:09:36.000Z", "aws.cloudtrail.event_type": "AwsApiCall", "aws.cloudtrail.event_version": "1.05", + "aws.cloudtrail.flattened.request_parameters.accessKeyId": "EXAMPLE_ID", + "aws.cloudtrail.flattened.request_parameters.userName": "Bob", "aws.cloudtrail.recipient_account_id": "0123456789012", "aws.cloudtrail.request_parameters": "{accessKeyId=EXAMPLE_ID, userName=Bob}", "aws.cloudtrail.user_identity.access_key_id": "EXAMPLE_ID", 
diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/delete-bucket-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/delete-bucket-json.log-expected.json index 907f50b22ad..a75b479f1f7 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/test/delete-bucket-json.log-expected.json +++ b/x-pack/filebeat/module/aws/cloudtrail/test/delete-bucket-json.log-expected.json @@ -3,6 +3,7 @@ "@timestamp": "2016-11-14T17:25:45.000Z", "aws.cloudtrail.event_type": "AwsApiCall", "aws.cloudtrail.event_version": "1.04", + "aws.cloudtrail.flattened.request_parameters.bucketName": "my-test-bucket-cross-account", "aws.cloudtrail.recipient_account_id": "777788889999", "aws.cloudtrail.request_parameters": "{bucketName=my-test-bucket-cross-account}", "aws.cloudtrail.user_identity.access_key_id": "AKIAQRSTUVWXYZEXAMPLE", diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/delete-group-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/delete-group-json.log-expected.json index d7c23d427f1..687e4602194 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/test/delete-group-json.log-expected.json +++ b/x-pack/filebeat/module/aws/cloudtrail/test/delete-group-json.log-expected.json @@ -3,6 +3,7 @@ "@timestamp": "2020-01-09T02:25:44.000Z", "aws.cloudtrail.event_type": "AwsApiCall", "aws.cloudtrail.event_version": "1.05", + "aws.cloudtrail.flattened.request_parameters.groupName": "TEST-GROUP", "aws.cloudtrail.recipient_account_id": "0123456789012", "aws.cloudtrail.request_parameters": "{groupName=TEST-GROUP}", "aws.cloudtrail.user_identity.access_key_id": "EXAMPLE_KEY", 
@@ -49,6 +50,7 @@ "aws.cloudtrail.error_message": "Cannot delete entity, must detach all policies first.", "aws.cloudtrail.event_type": "AwsApiCall", "aws.cloudtrail.event_version": "1.05", + "aws.cloudtrail.flattened.request_parameters.groupName": "TEST-GROUP", "aws.cloudtrail.recipient_account_id": "0123456789012", "aws.cloudtrail.request_parameters": "{groupName=TEST-GROUP}", "aws.cloudtrail.user_identity.access_key_id": "EXAMPLE_KEY_ID", diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/delete-ssh-public-key-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/delete-ssh-public-key-json.log-expected.json index 2b9cd5792ef..8c3897af795 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/test/delete-ssh-public-key-json.log-expected.json +++ b/x-pack/filebeat/module/aws/cloudtrail/test/delete-ssh-public-key-json.log-expected.json @@ -3,6 +3,8 @@ "@timestamp": "2020-01-10T16:07:08.000Z", "aws.cloudtrail.event_type": "AwsApiCall", "aws.cloudtrail.event_version": "1.05", + "aws.cloudtrail.flattened.request_parameters.sSHPublicKeyId": "EXAMPLE_KEY_ID", + "aws.cloudtrail.flattened.request_parameters.userName": "Bob", "aws.cloudtrail.recipient_account_id": "0123456789012", "aws.cloudtrail.request_parameters": "{sSHPublicKeyId=EXAMPLE_KEY_ID, userName=Bob}", "aws.cloudtrail.user_identity.access_key_id": "EXAMPLE_KEY", diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/delete-trail-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/delete-trail-json.log-expected.json index 48e2714075c..09ad2ddf9d4 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/test/delete-trail-json.log-expected.json +++ b/x-pack/filebeat/module/aws/cloudtrail/test/delete-trail-json.log-expected.json 
@@ -3,6 +3,7 @@
 "@timestamp": "2020-01-09T20:09:51.000Z",
 "aws.cloudtrail.event_type": "AwsApiCall",
 "aws.cloudtrail.event_version": "1.05",
+ "aws.cloudtrail.flattened.request_parameters.name": "arn:aws:cloudtrail:us-west-2:0123456789012:trail/test-trail",
 "aws.cloudtrail.read_only": false,
 "aws.cloudtrail.recipient_account_id": "0123456789012",
 "aws.cloudtrail.request_parameters": "{name=arn:aws:cloudtrail:us-west-2:0123456789012:trail/test-trail}",
diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/delete-user-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/delete-user-json.log-expected.json
index 1811a7d887e..b97cdbab3df 100644
--- a/x-pack/filebeat/module/aws/cloudtrail/test/delete-user-json.log-expected.json
+++ b/x-pack/filebeat/module/aws/cloudtrail/test/delete-user-json.log-expected.json
@@ -3,6 +3,7 @@
 "@timestamp": "2020-01-03T15:50:52.000Z",
 "aws.cloudtrail.event_type": "AwsApiCall",
 "aws.cloudtrail.event_version": "1.05",
+ "aws.cloudtrail.flattened.request_parameters.userName": "Bob",
 "aws.cloudtrail.recipient_account_id": "123456789012",
 "aws.cloudtrail.request_parameters": "{userName=Bob}",
 "aws.cloudtrail.user_identity.access_key_id": "EXAMPLE_KEY_ID",
diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/delete-virtual-mfa-device-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/delete-virtual-mfa-device-json.log-expected.json
index 7b39f1a96e5..d770587f648 100644
--- a/x-pack/filebeat/module/aws/cloudtrail/test/delete-virtual-mfa-device-json.log-expected.json
+++ b/x-pack/filebeat/module/aws/cloudtrail/test/delete-virtual-mfa-device-json.log-expected.json
@@ -3,6 +3,7 @@
 "@timestamp": "2020-01-10T00:34:02.000Z",
 "aws.cloudtrail.event_type": "AwsApiCall",
 "aws.cloudtrail.event_version": "1.05",
+ "aws.cloudtrail.flattened.request_parameters.serialNumber": "arn:aws:iam::0123456789012:mfa/Alice",
 "aws.cloudtrail.recipient_account_id": "0123456789012",
 "aws.cloudtrail.request_parameters": "{serialNumber=arn:aws:iam::0123456789012:mfa/Alice}",
 "aws.cloudtrail.user_identity.access_key_id": "EXAMPLE_KEY",
diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/enable-mfa-device-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/enable-mfa-device-json.log-expected.json
index e38b35717f0..1f9d3a519bb 100644
--- a/x-pack/filebeat/module/aws/cloudtrail/test/enable-mfa-device-json.log-expected.json
+++ b/x-pack/filebeat/module/aws/cloudtrail/test/enable-mfa-device-json.log-expected.json
@@ -3,6 +3,8 @@
 "@timestamp": "2019-11-27T15:11:09.000Z",
 "aws.cloudtrail.event_type": "AwsApiCall",
 "aws.cloudtrail.event_version": "1.05",
+ "aws.cloudtrail.flattened.request_parameters.serialNumber": "arn:aws:iam::0123456789012:mfa/Bob",
+ "aws.cloudtrail.flattened.request_parameters.userName": "Bob",
 "aws.cloudtrail.recipient_account_id": "0123456789012",
 "aws.cloudtrail.request_parameters": "{serialNumber=arn:aws:iam::0123456789012:mfa/Bob, userName=Bob}",
 "aws.cloudtrail.user_identity.access_key_id": "EXAMPLE_KEY",
diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/remove-user-from-group-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/remove-user-from-group-json.log-expected.json
index 3fed65070a1..c4ce4c167be 100644
--- a/x-pack/filebeat/module/aws/cloudtrail/test/remove-user-from-group-json.log-expected.json
+++ b/x-pack/filebeat/module/aws/cloudtrail/test/remove-user-from-group-json.log-expected.json
@@ -3,6 +3,8 @@
 "@timestamp": "2020-01-06T15:19:50.000Z",
 "aws.cloudtrail.event_type": "AwsApiCall",
 "aws.cloudtrail.event_version": "1.05",
+ "aws.cloudtrail.flattened.request_parameters.groupName": "Admin",
+ "aws.cloudtrail.flattened.request_parameters.userName": "Bob",
 "aws.cloudtrail.recipient_account_id": "0123456789012",
 "aws.cloudtrail.request_parameters": "{groupName=Admin, userName=Bob}",
 "aws.cloudtrail.user_identity.access_key_id": "EXAMPLE_KEY",
diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/start-logging-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/start-logging-json.log-expected.json
index 2fe5ca36f20..586c1ee9421 100644
--- a/x-pack/filebeat/module/aws/cloudtrail/test/start-logging-json.log-expected.json
+++ b/x-pack/filebeat/module/aws/cloudtrail/test/start-logging-json.log-expected.json
@@ -3,6 +3,7 @@
 "@timestamp": "2020-01-08T15:30:25.000Z",
 "aws.cloudtrail.event_type": "AwsApiCall",
 "aws.cloudtrail.event_version": "1.05",
+ "aws.cloudtrail.flattened.request_parameters.name": "TEST-trail",
 "aws.cloudtrail.read_only": false,
 "aws.cloudtrail.recipient_account_id": "0123456789012",
 "aws.cloudtrail.request_parameters": "{name=TEST-trail}",
diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/stop-logging-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/stop-logging-json.log-expected.json
index 392b10b690b..b3670ee5fac 100644
--- a/x-pack/filebeat/module/aws/cloudtrail/test/stop-logging-json.log-expected.json
+++ b/x-pack/filebeat/module/aws/cloudtrail/test/stop-logging-json.log-expected.json
@@ -3,6 +3,7 @@
 "@timestamp": "2020-01-09T16:46:16.000Z",
 "aws.cloudtrail.event_type": "AwsApiCall",
 "aws.cloudtrail.event_version": "1.05",
+ "aws.cloudtrail.flattened.request_parameters.name": "arn:aws:cloudtrail:us-west-2:0123456789012:trail/TEST-trail",
 "aws.cloudtrail.read_only": false,
 "aws.cloudtrail.recipient_account_id": "0123456789012",
 "aws.cloudtrail.request_parameters": "{name=arn:aws:cloudtrail:us-west-2:0123456789012:trail/TEST-trail}",
diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/update-access-key-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/update-access-key-json.log-expected.json
index ada3eb55246..0c517b2c688 100644
--- a/x-pack/filebeat/module/aws/cloudtrail/test/update-access-key-json.log-expected.json
+++ b/x-pack/filebeat/module/aws/cloudtrail/test/update-access-key-json.log-expected.json
@@ -3,6 +3,9 @@
 "@timestamp": "2020-01-10T15:01:23.000Z",
 "aws.cloudtrail.event_type": "AwsApiCall",
 "aws.cloudtrail.event_version": "1.05",
+ "aws.cloudtrail.flattened.request_parameters.accessKeyId": "EXAMPLE_KEY_ID",
+ "aws.cloudtrail.flattened.request_parameters.status": "Inactive",
+ "aws.cloudtrail.flattened.request_parameters.userName": "Bob",
 "aws.cloudtrail.recipient_account_id": "0123456789012",
 "aws.cloudtrail.request_parameters": "{accessKeyId=EXAMPLE_KEY_ID, userName=Bob, status=Inactive}",
 "aws.cloudtrail.user_identity.access_key_id": "EXAMPLE_KEY_ID",
diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/update-accout-password-policy-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/update-accout-password-policy-json.log-expected.json
index 66b8412ad7a..e08eea3d071 100644
--- a/x-pack/filebeat/module/aws/cloudtrail/test/update-accout-password-policy-json.log-expected.json
+++ b/x-pack/filebeat/module/aws/cloudtrail/test/update-accout-password-policy-json.log-expected.json
@@ -3,6 +3,12 @@
 "@timestamp": "2020-01-10T18:05:33.000Z",
 "aws.cloudtrail.event_type": "AwsApiCall",
 "aws.cloudtrail.event_version": "1.05",
+ "aws.cloudtrail.flattened.request_parameters.allowUsersToChangePassword": true,
+ "aws.cloudtrail.flattened.request_parameters.minimumPasswordLength": 12,
+ "aws.cloudtrail.flattened.request_parameters.requireLowercaseCharacters": true,
+ "aws.cloudtrail.flattened.request_parameters.requireNumbers": true,
+ "aws.cloudtrail.flattened.request_parameters.requireSymbols": true,
+ "aws.cloudtrail.flattened.request_parameters.requireUppercaseCharacters": true,
 "aws.cloudtrail.recipient_account_id": "0123456789012",
 "aws.cloudtrail.request_parameters": "{minimumPasswordLength=12, requireSymbols=true, allowUsersToChangePassword=true, requireLowercaseCharacters=true, requireNumbers=true, requireUppercaseCharacters=true}",
 "aws.cloudtrail.user_identity.access_key_id": "EXAMPLE_KEY",
diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/update-group-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/update-group-json.log-expected.json
index cf64cc25309..09c00b8d57b 100644
--- a/x-pack/filebeat/module/aws/cloudtrail/test/update-group-json.log-expected.json
+++ b/x-pack/filebeat/module/aws/cloudtrail/test/update-group-json.log-expected.json
@@ -3,6 +3,8 @@
 "@timestamp": "2020-01-09T02:23:11.000Z",
 "aws.cloudtrail.event_type": "AwsApiCall",
 "aws.cloudtrail.event_version": "1.05",
+ "aws.cloudtrail.flattened.request_parameters.groupName": "TEST-GROUP",
+ "aws.cloudtrail.flattened.request_parameters.newGroupName": "TEST-GROUP2",
 "aws.cloudtrail.recipient_account_id": "0123456789012",
 "aws.cloudtrail.request_parameters": "{groupName=TEST-GROUP, newGroupName=TEST-GROUP2}",
 "aws.cloudtrail.user_identity.access_key_id": "EXAMPLE_KEY",
@@ -47,6 +49,8 @@
 "aws.cloudtrail.error_message": "Group with name TEST-GROUP already exists.",
 "aws.cloudtrail.event_type": "AwsApiCall",
 "aws.cloudtrail.event_version": "1.05",
+ "aws.cloudtrail.flattened.request_parameters.groupName": "TEST-GROUP2",
+ "aws.cloudtrail.flattened.request_parameters.newGroupName": "TEST-GROUP",
 "aws.cloudtrail.recipient_account_id": "0123456789012",
 "aws.cloudtrail.request_parameters": "{groupName=TEST-GROUP2, newGroupName=TEST-GROUP}",
 "aws.cloudtrail.user_identity.access_key_id": "EXAMPLE_KEY",
diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/update-login-profile-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/update-login-profile-json.log-expected.json
index 721989b0bca..174bae15aa1 100644
--- a/x-pack/filebeat/module/aws/cloudtrail/test/update-login-profile-json.log-expected.json
+++ b/x-pack/filebeat/module/aws/cloudtrail/test/update-login-profile-json.log-expected.json
@@ -3,6 +3,7 @@
 "@timestamp": "2020-01-10T18:25:42.000Z",
 "aws.cloudtrail.event_type": "AwsApiCall",
 "aws.cloudtrail.event_version": "1.05",
+ "aws.cloudtrail.flattened.request_parameters.userName": "Bob",
 "aws.cloudtrail.recipient_account_id": "0123456789012",
 "aws.cloudtrail.request_parameters": "{userName=Bob}",
 "aws.cloudtrail.user_identity.access_key_id": "EXAMPLE_KEY",
diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/update-ssh-public-key-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/update-ssh-public-key-json.log-expected.json
index 6428dcb1478..204ae7e2e1e 100644
--- a/x-pack/filebeat/module/aws/cloudtrail/test/update-ssh-public-key-json.log-expected.json
+++ b/x-pack/filebeat/module/aws/cloudtrail/test/update-ssh-public-key-json.log-expected.json
@@ -3,6 +3,9 @@
 "@timestamp": "2020-01-10T16:06:54.000Z",
 "aws.cloudtrail.event_type": "AwsApiCall",
 "aws.cloudtrail.event_version": "1.05",
+ "aws.cloudtrail.flattened.request_parameters.sSHPublicKeyId": "EXAMPLE_KEY_ID",
+ "aws.cloudtrail.flattened.request_parameters.status": "Inactive",
+ "aws.cloudtrail.flattened.request_parameters.userName": "Bob",
 "aws.cloudtrail.recipient_account_id": "0123456789012",
 "aws.cloudtrail.request_parameters": "{sSHPublicKeyId=EXAMPLE_KEY_ID, userName=Bob, status=Inactive}",
 "aws.cloudtrail.user_identity.access_key_id": "EXAMPLE_KEY_ID",
@@ -50,6 +53,9 @@
 "@timestamp": "2020-01-10T16:06:54.000Z",
 "aws.cloudtrail.event_type": "AwsApiCall",
 "aws.cloudtrail.event_version": "1.05",
+ "aws.cloudtrail.flattened.request_parameters.sSHPublicKeyId": "EXAMPLE_KEY_ID",
+ "aws.cloudtrail.flattened.request_parameters.status": "Inactive",
+ "aws.cloudtrail.flattened.request_parameters.userName": "Bob",
 "aws.cloudtrail.recipient_account_id": "0123456789012",
 "aws.cloudtrail.request_parameters": "{sSHPublicKeyId=EXAMPLE_KEY_ID, userName=Bob, status=Inactive}",
 "aws.cloudtrail.user_identity.access_key_id": "EXAMPLE_KEY_ID",
diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/update-trail-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/update-trail-json.log-expected.json
index b1ec026e680..c9ee01ef238 100644
--- a/x-pack/filebeat/module/aws/cloudtrail/test/update-trail-json.log-expected.json
+++ b/x-pack/filebeat/module/aws/cloudtrail/test/update-trail-json.log-expected.json
@@ -5,6 +5,7 @@
 "aws.cloudtrail.error_message": "Unknown trail: myTrail2 for the user: 123456789012",
 "aws.cloudtrail.event_type": "AwsApiCall",
 "aws.cloudtrail.event_version": "1.04",
+ "aws.cloudtrail.flattened.request_parameters.name": "myTrail2",
 "aws.cloudtrail.recipient_account_id": "123456789012",
 "aws.cloudtrail.request_parameters": "{name=myTrail2}",
 "aws.cloudtrail.user_identity.access_key_id": "EXAMPLE_KEY_ID",
@@ -51,6 +52,21 @@
 "@timestamp": "2020-01-08T20:58:45.000Z",
 "aws.cloudtrail.event_type": "AwsApiCall",
 "aws.cloudtrail.event_version": "1.05",
+ "aws.cloudtrail.flattened.request_parameters.enableLogFileValidation": false,
+ "aws.cloudtrail.flattened.request_parameters.isMultiRegionTrail": true,
+ "aws.cloudtrail.flattened.request_parameters.kmsKeyId": "",
+ "aws.cloudtrail.flattened.request_parameters.name": "arn:aws:cloudtrail:us-west-2:0123456789012:trail/TEST-trail",
+ "aws.cloudtrail.flattened.request_parameters.s3BucketName": "test-cloudtrail-bucket",
+ "aws.cloudtrail.flattened.request_parameters.snsTopicName": "",
+ "aws.cloudtrail.flattened.response_elements.includeGlobalServiceEvents": true,
+ "aws.cloudtrail.flattened.response_elements.isMultiRegionTrail": true,
+ "aws.cloudtrail.flattened.response_elements.isOrganizationTrail": false,
+ "aws.cloudtrail.flattened.response_elements.logFileValidationEnabled": false,
+ "aws.cloudtrail.flattened.response_elements.name": "TEST-trail",
+ "aws.cloudtrail.flattened.response_elements.s3BucketName": "test-cloudtrail-bucket",
+ "aws.cloudtrail.flattened.response_elements.snsTopicARN": "",
+ "aws.cloudtrail.flattened.response_elements.snsTopicName": "",
+ "aws.cloudtrail.flattened.response_elements.trailARN": "arn:aws:cloudtrail:us-west-2:0123456789012:trail/TEST-trail",
 "aws.cloudtrail.read_only": false,
 "aws.cloudtrail.recipient_account_id": "0123456789012",
 "aws.cloudtrail.request_parameters": "{isMultiRegionTrail=true, s3BucketName=test-cloudtrail-bucket, snsTopicName=, name=arn:aws:cloudtrail:us-west-2:0123456789012:trail/TEST-trail, enableLogFileValidation=false, kmsKeyId=}",
diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/update-user-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/update-user-json.log-expected.json
index c1f5e2b8b19..08769b6dcca 100644
--- a/x-pack/filebeat/module/aws/cloudtrail/test/update-user-json.log-expected.json
+++ b/x-pack/filebeat/module/aws/cloudtrail/test/update-user-json.log-expected.json
@@ -3,6 +3,8 @@
 "@timestamp": "2020-01-08T20:53:12.000Z",
 "aws.cloudtrail.event_type": "AwsApiCall",
 "aws.cloudtrail.event_version": "1.05",
+ "aws.cloudtrail.flattened.request_parameters.newUserName": "Robert",
+ "aws.cloudtrail.flattened.request_parameters.userName": "Bob",
 "aws.cloudtrail.recipient_account_id": "123456789012",
 "aws.cloudtrail.request_parameters": "{newUserName=Robert, userName=Bob}",
 "aws.cloudtrail.user_identity.access_key_id": "EXAMPLE_KEY_ID",
diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/upload-ssh-public-key-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/upload-ssh-public-key-json.log-expected.json
index a111370b004..0464fe184a8 100644
--- a/x-pack/filebeat/module/aws/cloudtrail/test/upload-ssh-public-key-json.log-expected.json
+++ b/x-pack/filebeat/module/aws/cloudtrail/test/upload-ssh-public-key-json.log-expected.json
@@ -3,6 +3,14 @@
 "@timestamp": "2020-01-10T16:06:40.000Z",
 "aws.cloudtrail.event_type": "AwsApiCall",
 "aws.cloudtrail.event_version": "1.05",
+ "aws.cloudtrail.flattened.request_parameters.sSHPublicKeyBody": "ssh-rsa AAAAdeadcodedeadcode Alice@localhost.domain",
+ "aws.cloudtrail.flattened.request_parameters.userName": "Alice",
+ "aws.cloudtrail.flattened.response_elements.sSHPublicKey.fingerprint": "de:ad:c0:de:de:ad:c0:de:de:ad:c0:de:de:ad:c0:de",
+ "aws.cloudtrail.flattened.response_elements.sSHPublicKey.sSHPublicKeyBody": "ssh-rsa AAAAdeadcodedeadcode Alice@localhost.domain",
+ "aws.cloudtrail.flattened.response_elements.sSHPublicKey.sSHPublicKeyId": "EXAMPLE_KEY_ID",
+ "aws.cloudtrail.flattened.response_elements.sSHPublicKey.status": "Active",
+ "aws.cloudtrail.flattened.response_elements.sSHPublicKey.uploadDate": "Jan 10, 2020 4:06:40 PM",
+ "aws.cloudtrail.flattened.response_elements.sSHPublicKey.userName": "Alice",
 "aws.cloudtrail.recipient_account_id": "0123456789012",
 "aws.cloudtrail.request_parameters": "{sSHPublicKeyBody=ssh-rsa AAAAdeadcodedeadcode Alice@localhost.domain, userName=Alice}",
 "aws.cloudtrail.response_elements": "{sSHPublicKey={sSHPublicKeyBody=ssh-rsa AAAAdeadcodedeadcode Alice@localhost.domain, sSHPublicKeyId=EXAMPLE_KEY_ID, uploadDate=Jan 10, 2020 4:06:40 PM, fingerprint=de:ad:c0:de:de:ad:c0:de:de:ad:c0:de:de:ad:c0:de, userName=Alice, status=Active}}",
diff --git a/x-pack/filebeat/module/aws/fields.go b/x-pack/filebeat/module/aws/fields.go
index f1ad3e120c0..5b8a3d61898 100644
--- a/x-pack/filebeat/module/aws/fields.go
+++ b/x-pack/filebeat/module/aws/fields.go
@@ -19,5 +19,5 @@ func init() { // AssetAws returns asset data. // This is the base64 encoded gzipped contents of module/aws. func AssetAws() string { - return "eJzMXN9z27aTf89fsdOXrzMj6aZp5+bGN70ZxXGuurqpz1LauycWAlcSzhDAAqAV5a+/WQCkSBGUbEtqvnpIbJFcfHaxv7H0EB5xew1sY98AOOEkXsP4j+kbAIMSmcVrmKNjbwBytNyIwgmtruE/3gAA/KrzUiIstIEVU7kUaglSLy0sjF4TmdEbgIVAmdtr/8AQFFtjtRx93LbAa1gaXRbxm8Q69PnoydSU/TqjeLW5RHMZLnWZO8OErC+lVqTPPrfVJ8cFK6XL/BLXsGDSYutyEmwTsDYe7w1hmRGWFvQU/CYL+ITKZU9orNCqdUfFySNuN9rke9cOAKPPbIVNRJE+6AW4FRLAsDChXzM3SkIrLZpM5KiccNsktH0hd4ENk8iI8iQSBpS4JihcK8eEspCjY0JaYHNdOo+XVgO96NCajH+FCiC4FXOwZjn6Rwz+VaJ1A2Aqh81K8BVwg/5eJi1s0GCHXGkxH8FkAQ7XhTbMbDvP+HsGfoUKt13pjYWV3tC3HZodAnpOXGI+2rs1pSTN3SAZdC4e1pHudiRuCDsSJewZ69nyhnWbfU19OZKuYlRQxmv2VSt4QKtLwxE+sTXC1fjh09sKYGGE4qJgcm/POZNyX6wN1JyjtdkjbjORwncu/GEdIgSTDwHhhlmvOOA0WLFUTQ3tB2zRktFmZBj4xfVCTlnhcwFPFk0sHqgX50a4VcMMLPLSpFQC2ipO5lYbhme9MPpJ5GhBqOBryA3tLDvymKRbi44bZA5z72rdSltsLpl4tM+UmsJdL1jGSrciKpyoJ+8+rhXPFTRE7XhiskQQFpyh/6P4tXbeKYI23qn5nzfEai+xpGeKItptKJNWexm2eA3by9Jip8+vH8eQ45Pg+O+g3QrNRlgchOjYVdimXP1ekdbmzPWBDzI9cMNLBEpkvJN3Yo2wWWGwrq7udiUmrC27jrjNT2WE/l5zkKE+O3wJR+ewR3i9TfbSi+Ht+eGs+hyyRTge3qrPc8wQXiBniNoTY0wMLIeVZgC25KuDJJmFB63dgIz4s0UzIIN+0LLHaJoCqINaOjpdWhBCOTSKSYpZURrNvKoZwZbYryfQ1r3jbKdziUtzO374VHEZNeCKca5LFbbO+1+/d0ZLfHuQXEo8RxTpGVIJYL6NKsTFA2d6o+zltKHiV6gn/Yh5Nk95tHMlZrRUtetUsVk0FOH6CgcydmCp/AKqHPX25h2MS6dhypkvjmMteCuZdYLDe2TKOiYf0wUWGqNNxnW+7/meX/il66smd36ROtGIccWgK42yPjLQ9UP41mgtW54T4uQwmFBeNYjUDqkfaqSVFcywNTo0+/t2qkh3hAckTKa2g2gLFAUtxdYQo/sy+x1SW2hlMYsh+dxAK/p1yKeUkHF6xlaq/ojAV0wt0cJVSK4H3WK4oMzKO8EcJVKSFYi8TfPF8lzQdSYz31rIWavPcipr45o8ZXysUUKERkbtl5R2tFkuKk2HUKV15NyjqA6rVMcHn7pDoQTwgEOpvRBoW4oTUpNowHMUatntKzApMYclKjTM+eeFDaR7jNk3mhJp1kmW3MZfdREaW1IBzBt7ZZBrk/eoUSFO7oYdxTm+n9QtMWat5mJXFfnrGzsuxA2TskPJczAjPg/Ies0UW3rrC7ZwTjuA91pLZKpHjTYrpHqtIW1hYd8QoYEw3NVnAizPtJLp7t/JW7HDKizogvSEdoQA+6WHtPTuQq8/9Rlc2o++pkM5Bims9x817djUwRyE2on2pS28y/XN6mbZ+OFTN2N5VlZ5DhjjmDnuaohKgpRHJsrnszY3j4jGO6faUky1k6EC9oci19dsY4fR7w49sms
KNkN61P/eo4FcFIKMvVfApxjMAxYGKcEIvovtZOxt3yBH8eT9q7CHjDnyFTxSFpvsl/Oxdf5Jyw1AKC7LnHLkDaF2RiyXaEJYSDvZ0NQJOlTKPqZWzGAeeTqr2P/z8+RDI3rNt83zFKehVOKvEuW2Uqnm9TRD8XDLC4dKEcrSQ04VvbgNeaTTkIvFAg39Es7q2p+oAjYtkqeCZ6jyQotzi2Rvh3+/v4FqIbKmcMoSc5jYHvJllWe7G4PoeaeBKd9hbBYtdfFVFVrTH9K8cq2slphJvRTpfOE1ASCe7NkCuVgITiBvwkJ3tE7czZc6/+P58WHUXeRpH7xLlG+9GX2gdJmKgOM8HOKjyctaz4XEnjytzck8ZCuntkW7SUOLG0r8vZYFZHAIWcWE15nM6YPwz9P4//xw19mBwwJesKy0Rw4lLibadSmdgAXjjkrH3cEBeapNT0cE4vkp5KUhL59ktXVuv2Gu1U39luf2fxCWF53bH+qKJE7rjhhuG0RFfNQRHPJ3315itzfvwhSIUA3gzxWcKDKW5wbt63OPZFUdGtjoIFLfZaA+HqFJSFPOny/N5WVkeff+RWrXSUJPlluzKyo1y2HOJFMcexptJzUQkgCaowctAF5IT+/gjr58H7/sSXocM0t0md+9UbfOOhFi47ggLBTUZDcUdbTrRxUldiugE3F57YmUO9UAUnakkPeXzoXRTnO9n66eCKqimt7Tq5VzBWgDjhc9ncS6l2s0Fd1CLTMn1jiyyJNIF1KzF/pbr3faMRlOjYUCi1wrSvqE4rgnvdArDG1DYXcyLpUTEkQrc2dgcElbQrXNnPFHVD2drnjxn4jNBht0JQIEJ6RsfWEdM87G9inVdEc63d+Yw7oj3ty7uhRrcdneSy8eKXor6p3oAl/rdEiTutO/fRlX0ZCaO6VgLaQUkdlB5DbA1wUqbDHEpbb7R/S155Q2Iz9mV+wRL8tHNZwyu5tCvSQJmut14Y8Y9vgCndDSFbMwR1SA1rG5FHbVx1plfmK/lDrRw03u95OMSol2mh7aMcc8cIWw0Ob1TeK0F9bGVS2uU9GRyx7VhyXWMVfa044tk5ADYSDCXfO8al7tGmh4gOIh2a/TJrRq/+yF/me6nWRlxkWxOnegnk7vINANRZJQZAT/4r+uN6EntSFMl4nUtHwdrV+Mi6+0RZVxNO6iGVdYB2gdsfDzaxAbomEAoaEEr4Vv0Qh2ZuEGmqDK9RzNhXkRiuu1D6/SZkziuZ0J1VZLNPHISS+8B/frNCLqfJtK4Ss7Dlz5s/PIcX84op/yLNUDO5EPgu2Jh/y9B4FhHE9pnCaX9kO8ytUR48//GY7XX9VwRqsNJ/mfsEKW91Vda6qwMc9MKSmdEjox/Hdy2h6o7jbZ506lrAdkPIT2jIxYUMJL98TLPYe6IUnCL8jL7qjticBjC70iHkZAW6FuN2pytdBmw0w+gIX4gvmwigyD1nzsaDR6O4KJA85U9VoCWHxCw2QQT48dGsyFQe6y0pzZm3x+uIse2ks8ruPPr3nVl6tFcGCaZ2SQ2XO/aBJGjALlatKo3o6Ib8GEbCKro9sP4Wj1Wzdipj/4wwc01fz+S7oy85I/ostSZ5ynug2mtBKcyTASvjtY9WvtzTAGGD25nL92udZRoB9cxf4EczRGUoYlE6p/MmqtHWY92Xrn6+e4hqJgJgTTZzcHoduJ+Ns2tV7Pj10xGHr1LFV7eL86YbvY2FIH9Bis81391nlofTaXPg5FtjsNTEOtJzvOK97dJInvjeWwCsP+kCOXjCoDZmH62/h+VN85gIfb6Wz082x2n63RrXQ+qiYX/MjUAP64fT+dzG4P3aINvB/Pbn4efbi9u53djn57/1+3N7M064945vD93SNuv2sOvu2CNMUOVFT05B7kd8PvKi+9E1WuMczOOarJmX99qZ55PKxppRHn5eUhEB5+fpi0OCLZ146lc0bShEZlXxaqvTO2MlS5RiN4wNGsR3fDLgfmCc8
w7ZsulWozvPVx+Ebn2NxnpWOA1pyXxvQ2S7YObWb7ptVeLbFY/dRNOL+Or+AHgF+qoRAv0l3n+AkNpcNNNr6i0T1uZP5/lHNZ8TUt2VP6VkS0Drl+HSrMvAb2tk38k76TdhFJthpk+6FWKFhIsVy5xqyJT2v+YaFAYwvKGp96NNSVRmXM6FLlfxt85hoKbAsK1o3cfatLc2yceoHGnDtCt2ogr5sPcZ1Yph0vZP3b02x5yvTnM6F9tmiGY1rpYA0ZZyLOXtlWg7STD1W/sY48zw02kcQkPxZyVvrMmQ0x8GXI1l+HIh++8+9v1NqIXxyqfJdwweRDT4dOLBVzpembiDm1k1SRr+Q0gKlY/u7R0g8/Drpv5TQzxpaTeHVeGdqXmS1F57XNU9uQyIm5qaYKwsId26KBq+n07m3VM90N9+NSO1G/DEzqP02xRhd6WhGtcZbT5uHTcSMeZ9dv4LbnZ8LfDxiXbvWzt9Xwekb7nmDFdgD/XaLZTkPqTff9Rb9XufhVYXBIuoE5pXhvX7+13qrComduDFTTgZVaxk4m/Xhkss9JexlrmhmmrD8dCYo2rV7Qu5rdTd/W3qyhabGxuX8S2Ji3XEi9eX4D41JzOb/f3wAheVHr4iIyJiQfCcmdXtpqCf+XNba6JGWIb3h5xuMEdnjrqxK/sPCufiAMYm6BAS+t0+u+J3pU6QxT2enE28/v1tPY1elmtQV9rXqHZnGJDvOujaDQbbR53K3lsYXxXD/DYthiIXg8D9cmP9y3PS/MvYnn1Os3Ed8Axjc3t/cz/w71bX8tLfXyUK33aqRSL5fkaGOlF4Vbbe8AfvtlAJ9++zCejX0k/mVyTz/3bbt1TF1016slvGj/0ZXsK7RiUKVuNW1hfefRO8WtLnvmih5dZg1neZ6OJ69p5RWMsoOhxCeUcKWNWArF5Nuq9dk9ko/s9CPMrftbEOZUK6oQ2RswK3dxEOdTwS+oMX4An+yw/tNLZ/UetpwrPL/b3eEPC1ySBceLbCHZ8syeZS7cmtnHWMvVgUNLqTfkcWY39+CXvYZ3P03/99Pg+3+j/4bjm18G3//0cfJp8ONPD9NZGvLlBjSD1K5hcv/044D+/Vdf4t1+HI/e/H8AAAD//6QmZ2g=" + return "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" }